From 4dacaef2eae46a8d5d4729c8a607b9d928c70c25 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 16 Sep 2013 09:39:12 -0700 Subject: [PATCH] dsdb: Use credentials.get_forced_sasl_mech() This will allow us to force the use of only DIGEST-MD5, for example, which is useful to avoid hitting GSSAPI, SPNEGO or NTLM when talking to OpenLDAP and Cyrus-SASL. Andrew Bartlett Signed-off-by: Andrew Bartlett Reviewed-by: Nadezhda Ivanova Autobuild-User(master): Nadezhda Ivanova Autobuild-Date(master): Tue Sep 17 01:41:41 CEST 2013 on sn-devel-104 --- python/samba/provision/backend.py | 2 ++ source4/dsdb/samdb/ldb_modules/samba_dsdb.c | 1 + 2 files changed, 3 insertions(+) diff --git a/python/samba/provision/backend.py b/python/samba/provision/backend.py index 3fe947fdbe9..b50055de9f4 100644 --- a/python/samba/provision/backend.py +++ b/python/samba/provision/backend.py @@ -255,6 +255,7 @@ class LDAPBackend(ProvisionBackend): # Kerberos to an ldapi:// backend makes no sense self.credentials.set_kerberos_state(DONT_USE_KERBEROS) self.credentials.set_password(self.ldapadminpass) + self.credentials.set_forced_sasl_mech("DIGEST-MD5") self.secrets_credentials = Credentials() self.secrets_credentials.guess(self.lp) @@ -262,6 +263,7 @@ class LDAPBackend(ProvisionBackend): self.secrets_credentials.set_kerberos_state(DONT_USE_KERBEROS) self.secrets_credentials.set_username("samba-admin") self.secrets_credentials.set_password(self.ldapadminpass) + self.secrets_credentials.set_forced_sasl_mech("DIGEST-MD5") self.provision() diff --git a/source4/dsdb/samdb/ldb_modules/samba_dsdb.c b/source4/dsdb/samdb/ldb_modules/samba_dsdb.c index ac993db4d78..cde53bc9cec 100644 --- a/source4/dsdb/samdb/ldb_modules/samba_dsdb.c +++ b/source4/dsdb/samdb/ldb_modules/samba_dsdb.c @@ -157,6 +157,7 @@ static int set_ldap_credentials(struct ldb_context *ldb) return ldb_oom(ldb); } cli_credentials_set_anonymous(cred); + cli_credentials_set_forced_sasl_mech(cred, "DIGEST-MD5"); /* * We don't want to use krb5 to talk to our samdb - recursion