s3:libads: split out ads_connect_internal() and call it with ads_legacy_creds()
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
parent
be771670eb
commit
b3110ec049
@ -206,7 +206,7 @@ ADS_STATUS ads_ranged_search(ADS_STRUCT *ads,
|
||||
NTSTATUS ads_legacy_creds(ADS_STRUCT *ads,
|
||||
TALLOC_CTX *mem_ctx,
|
||||
struct cli_credentials **_creds);
|
||||
ADS_STATUS ads_sasl_bind(ADS_STRUCT *ads);
|
||||
ADS_STATUS ads_sasl_bind(ADS_STRUCT *ads, struct cli_credentials *creds);
|
||||
|
||||
/* The following definitions come from libads/sasl_wrapping.c */
|
||||
|
||||
|
@ -34,6 +34,7 @@
|
||||
#include "lib/param/loadparm.h"
|
||||
#include "libsmb/namequery.h"
|
||||
#include "../librpc/gen_ndr/ndr_ads.h"
|
||||
#include "auth/credentials/credentials.h"
|
||||
|
||||
#ifdef HAVE_LDAP
|
||||
|
||||
@ -810,12 +811,14 @@ static NTSTATUS ads_find_dc(ADS_STRUCT *ads)
|
||||
c_realm, c_domain, nt_errstr(status)));
|
||||
return status;
|
||||
}
|
||||
|
||||
/**
|
||||
* Connect to the LDAP server
|
||||
* @param ads Pointer to an existing ADS_STRUCT
|
||||
* @return status of connection
|
||||
**/
|
||||
ADS_STATUS ads_connect(ADS_STRUCT *ads)
|
||||
static ADS_STATUS ads_connect_internal(ADS_STRUCT *ads,
|
||||
struct cli_credentials *creds)
|
||||
{
|
||||
int version = LDAP_VERSION3;
|
||||
ADS_STATUS status;
|
||||
@ -827,6 +830,18 @@ ADS_STATUS ads_connect(ADS_STRUCT *ads)
|
||||
|
||||
zero_sockaddr(&existing_ss);
|
||||
|
||||
if (!(ads->auth.flags & ADS_AUTH_NO_BIND)) {
|
||||
SMB_ASSERT(creds != NULL);
|
||||
}
|
||||
|
||||
if (ads->auth.flags & ADS_AUTH_ANON_BIND) {
|
||||
/*
|
||||
* Simple anonyous binds are only
|
||||
* allowed for anonymous credentials
|
||||
*/
|
||||
SMB_ASSERT(cli_credentials_is_anonymous(creds));
|
||||
}
|
||||
|
||||
/*
|
||||
* ads_connect can be passed in a reused ADS_STRUCT
|
||||
* with an existing non-zero ads->ldap.ss IP address
|
||||
@ -1076,7 +1091,7 @@ got_connection:
|
||||
goto out;
|
||||
}
|
||||
|
||||
status = ads_sasl_bind(ads);
|
||||
status = ads_sasl_bind(ads, creds);
|
||||
|
||||
out:
|
||||
if (DEBUGLEVEL >= 11) {
|
||||
@ -1090,6 +1105,29 @@ got_connection:
|
||||
return status;
|
||||
}
|
||||
|
||||
/*
|
||||
* Connect to the LDAP server
|
||||
* @param ads Pointer to an existing ADS_STRUCT
|
||||
* @return status of connection
|
||||
**/
|
||||
ADS_STATUS ads_connect(ADS_STRUCT *ads)
|
||||
{
|
||||
TALLOC_CTX *frame = talloc_stackframe();
|
||||
struct cli_credentials *creds = NULL;
|
||||
ADS_STATUS status;
|
||||
NTSTATUS ntstatus;
|
||||
|
||||
ntstatus = ads_legacy_creds(ads, frame, &creds);
|
||||
if (!NT_STATUS_IS_OK(ntstatus)) {
|
||||
TALLOC_FREE(frame);
|
||||
return ADS_ERROR_NT(ntstatus);
|
||||
}
|
||||
|
||||
status = ads_connect_internal(ads, creds);
|
||||
TALLOC_FREE(frame);
|
||||
return status;
|
||||
}
|
||||
|
||||
/**
|
||||
* Connect to the LDAP server using given credentials
|
||||
* @param ads Pointer to an existing ADS_STRUCT
|
||||
|
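Review bot: In ads_connect_internal() the first new assert lets `creds` be NULL when `ADS_AUTH_NO_BIND` is set, but the `ADS_AUTH_ANON_BIND` check right below it passes `creds` to cli_credentials_is_anonymous() unconditionally. If both flags can be set on the same ADS_STRUCT, that call would presumably receive a NULL pointer. Making the precondition explicit avoids relying on the helper's NULL handling: `SMB_ASSERT(creds != NULL && cli_credentials_is_anonymous(creds));`. The new ads_connect() wrapper always passes the result of ads_legacy_creds(), so this only matters for other callers of the internal function, whose body continues outside these hunks. The doc comment that appears to remain above ads_connect_internal() should also gain a line such as `@param creds Credentials for the bind, may only be NULL with ADS_AUTH_NO_BIND`, and the new comment misspells "anonymous" as "anonyous".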
@ -634,36 +634,29 @@ static ADS_STATUS ads_generate_service_principal(ADS_STRUCT *ads,
|
||||
/*
|
||||
this performs a SASL/SPNEGO bind
|
||||
*/
|
||||
static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
|
||||
static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads,
|
||||
struct cli_credentials *creds)
|
||||
{
|
||||
TALLOC_CTX *frame = talloc_stackframe();
|
||||
struct ads_service_principal p = {0};
|
||||
struct cli_credentials *creds = NULL;
|
||||
NTSTATUS nt_status;
|
||||
ADS_STATUS status;
|
||||
const char *mech = NULL;
|
||||
const char *debug_username = NULL;
|
||||
enum credentials_use_kerberos krb5_state;
|
||||
|
||||
krb5_state = cli_credentials_get_kerberos_state(creds);
|
||||
|
||||
status = ads_generate_service_principal(ads, &p);
|
||||
if (!ADS_ERR_OK(status)) {
|
||||
goto done;
|
||||
}
|
||||
|
||||
nt_status = ads_legacy_creds(ads, frame, &creds);
|
||||
if (!NT_STATUS_IS_OK(nt_status)) {
|
||||
status = ADS_ERROR_NT(nt_status);
|
||||
goto done;
|
||||
}
|
||||
|
||||
debug_username = cli_credentials_get_unparsed_name(creds, frame);
|
||||
if (debug_username == NULL) {
|
||||
status = ADS_ERROR_SYSTEM(errno);
|
||||
goto done;
|
||||
}
|
||||
|
||||
krb5_state = cli_credentials_get_kerberos_state(creds);
|
||||
|
||||
#ifdef HAVE_KRB5
|
||||
if (krb5_state != CRED_USE_KERBEROS_DISABLED &&
|
||||
!is_ipaddress(p.hostname))
|
||||
@ -760,7 +753,7 @@ done:
|
||||
return status;
|
||||
}
|
||||
|
||||
ADS_STATUS ads_sasl_bind(ADS_STRUCT *ads)
|
||||
ADS_STATUS ads_sasl_bind(ADS_STRUCT *ads, struct cli_credentials *creds)
|
||||
{
|
||||
ADS_STATUS status;
|
||||
struct ads_saslwrap *wrap = &ads->ldap_wrap_data;
|
||||
@ -791,7 +784,7 @@ ADS_STATUS ads_sasl_bind(ADS_STRUCT *ads)
|
||||
}
|
||||
|
||||
retry:
|
||||
status = ads_sasl_spnego_bind(ads);
|
||||
status = ads_sasl_spnego_bind(ads, creds);
|
||||
if (status.error_type == ENUM_ADS_ERROR_LDAP &&
|
||||
status.err.rc == LDAP_STRONG_AUTH_REQUIRED &&
|
||||
!tls &&
|
||||
|
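Review bot: ads_sasl_spnego_bind() now dereferences the caller-supplied `creds` in its very first statement, `cli_credentials_get_kerberos_state(creds)`, and the exported ads_sasl_bind() forwards the pointer without checking it. The only guard visible in this commit is the SMB_ASSERT in ads_connect_internal(), so any other caller of ads_sasl_bind() has to know the contract without it being written down. I would add a comment above ads_sasl_bind() such as `/* creds must be non-NULL; the caller keeps ownership and must keep it valid until the bind returns */`. Optionally add an early `if (creds == NULL) return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);` so that a misuse fails with an error status instead of a crash. Both function bodies extend beyond the lines shown here.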