author | Howard Chu <hyc@symas.com> | 2013-09-17 14:04:06 -0700 |
---|---|---|
committer | Nadezhda Ivanova <nivanova@samba.org> | 2013-09-18 19:47:55 +0200 |
commit | 743d4a474e1d80783f658fa1001a6d077fcfbede (patch) | |
tree | 506570ff9bb9488a860544edaf2d76b8bab869cf | |
parent | 6bf59b03d72b94b71e53fc2404c11e0d237e41b2 (diff) | |
Use SASL/EXTERNAL over ldapi://
The provision script will map the uid of the user running the
script to the samba-admin LDAP DN.
Signed-off-by: Howard Chu <hyc@symas.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Nadezhda Ivanova <nivanova@symas.com>
-rw-r--r-- | python/samba/provision/backend.py | 7 | ||||
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/samba_dsdb.c | 128 | ||||
-rw-r--r-- | source4/setup/slapd.conf | 4 |
3 files changed, 86 insertions, 53 deletions
diff --git a/python/samba/provision/backend.py b/python/samba/provision/backend.py index 24d8675258..5360ef41f5 100644 --- a/python/samba/provision/backend.py +++ b/python/samba/provision/backend.py @@ -255,7 +255,7 @@ class LDAPBackend(ProvisionBackend): # Kerberos to an ldapi:// backend makes no sense self.credentials.set_kerberos_state(DONT_USE_KERBEROS) self.credentials.set_password(self.ldapadminpass) - self.credentials.set_forced_sasl_mech("DIGEST-MD5") + self.credentials.set_forced_sasl_mech("EXTERNAL") self.secrets_credentials = Credentials() self.secrets_credentials.guess(self.lp) @@ -263,7 +263,7 @@ class LDAPBackend(ProvisionBackend): self.secrets_credentials.set_kerberos_state(DONT_USE_KERBEROS) self.secrets_credentials.set_username("samba-admin") self.secrets_credentials.set_password(self.ldapadminpass) - self.secrets_credentials.set_forced_sasl_mech("DIGEST-MD5") + self.secrets_credentials.set_forced_sasl_mech("EXTERNAL") self.provision() @@ -533,7 +533,8 @@ class OpenLDAPBackend(LDAPBackend): "OLC_MMR_CONFIG": olc_mmr_config, "REFINT_CONFIG": refint_config, "INDEX_CONFIG": index_config, - "NOSYNC": nosync_config}) + "ADMIN_UID": str(os.getuid()), + "NOSYNC": nosync_config,}) self.setup_db_config(os.path.join(self.ldapdir, "db", "forestdns")) self.setup_db_config(os.path.join(self.ldapdir, "db", "domaindns")) diff --git a/source4/dsdb/samdb/ldb_modules/samba_dsdb.c b/source4/dsdb/samdb/ldb_modules/samba_dsdb.c index 060a9d75fb..bc8e71bf87 100644 --- a/source4/dsdb/samdb/ldb_modules/samba_dsdb.c +++ b/source4/dsdb/samdb/ldb_modules/samba_dsdb.c @@ -138,7 +138,7 @@ static int prepare_modules_line(struct ldb_context *ldb, * ldapi socket to an LDAP backend */ -static int set_ldap_credentials(struct ldb_context *ldb) +static int set_ldap_credentials(struct ldb_context *ldb, bool use_external) { const char *secrets_ldb_path, *sam_ldb_path; char *private_dir, *p, *error_string; 
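Review bot: In the first backend.py hunk the bind is forced to SASL/EXTERNAL but `set_password(self.ldapadminpass)` on the preceding context line is kept and the only nearby comment still talks about Kerberos, so a reader cannot tell that the password plays no part in this ldapi:// bind and that the identity now comes from the peer uid mapped by slapd. This is the generic LDAPBackend class, so any subclass other than OpenLDAPBackend inherits the forced EXTERNAL mechanism, while the commit only adds the peercred mapping to slapd.conf; if another LDAP backend still shares this code (not visible here), its provisioning bind would have no matching mapping. I would add `# ldapi:// binds use SASL/EXTERNAL: slapd maps our Unix peer uid to samba-admin` above the forced mechanism. The enclosing method starts outside the hunk.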
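Review bot: `"ADMIN_UID": str(os.getuid())` bakes the uid of whoever runs provisioning into slapd.conf, and the samba_dsdb.c hunk in this commit no longer falls back to the DIGEST-MD5 password when the backend is ldapi://, so a samba process later running under a different uid will not be mapped to samba-admin and will not bind at all. If provisioning is run as root, uid 0 is what receives manage rights, which any root process on the host can then exercise over the socket; that is no worse than file-system access to the backend, but it should be stated. I would add `# uid of the provisioning user; slapd.conf maps this peer uid to cn=samba-admin, so samba must run as the same user` on the ADMIN_UID line. The enclosing method starts outside the hunk.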
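Review bot: set_ldap_credentials gains a `use_external` parameter but the block comment ending on the hunk's first line (`* ldapi socket to an LDAP backend */`) is not updated, so the contract of the flag — skip the secrets.ldb password lookup and force SASL/EXTERNAL — is undocumented at the signature. I would extend that comment with `* use_external: bind with SASL/EXTERNAL (Unix peer credentials over ldapi://) instead of reading the DIGEST-MD5 password from secrets.ldb`. The comment and the function body continue outside this hunk.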
@@ -157,56 +157,60 @@ static int set_ldap_credentials(struct ldb_context *ldb) return ldb_oom(ldb); } cli_credentials_set_anonymous(cred); - cli_credentials_set_forced_sasl_mech(cred, "DIGEST-MD5"); - - /* - * We don't want to use krb5 to talk to our samdb - recursion - * here would be bad, and this account isn't in the KDC - * anyway - */ - cli_credentials_set_kerberos_state(cred, CRED_DONT_USE_KERBEROS); - - /* - * Work out where *our* secrets.ldb is. It must be in - * the same directory as sam.ldb - */ - sam_ldb_path = (const char *)ldb_get_opaque(ldb, "ldb_url"); - if (!sam_ldb_path) { - talloc_free(tmp_ctx); - return ldb_operr(ldb); - } - if (strncmp("tdb://", sam_ldb_path, 6) == 0) { - sam_ldb_path += 6; - } - private_dir = talloc_strdup(tmp_ctx, sam_ldb_path); - p = strrchr(private_dir, '/'); - if (p) { - *p = '\0'; + if (use_external) { + cli_credentials_set_forced_sasl_mech(cred, "EXTERNAL"); } else { - private_dir = talloc_strdup(tmp_ctx, "."); - } + cli_credentials_set_forced_sasl_mech(cred, "DIGEST-MD5"); + + /* + * We don't want to use krb5 to talk to our samdb - recursion + * here would be bad, and this account isn't in the KDC + * anyway + */ + cli_credentials_set_kerberos_state(cred, CRED_DONT_USE_KERBEROS); + + /* + * Work out where *our* secrets.ldb is. 
It must be in + * the same directory as sam.ldb + */ + sam_ldb_path = (const char *)ldb_get_opaque(ldb, "ldb_url"); + if (!sam_ldb_path) { + talloc_free(tmp_ctx); + return ldb_operr(ldb); + } + if (strncmp("tdb://", sam_ldb_path, 6) == 0) { + sam_ldb_path += 6; + } + private_dir = talloc_strdup(tmp_ctx, sam_ldb_path); + p = strrchr(private_dir, '/'); + if (p) { + *p = '\0'; + } else { + private_dir = talloc_strdup(tmp_ctx, "."); + } - secrets_ldb_path = talloc_asprintf(private_dir, "tdb://%s/secrets.ldb", - private_dir); + secrets_ldb_path = talloc_asprintf(private_dir, "tdb://%s/secrets.ldb", + private_dir); - if (!secrets_ldb_path) { - talloc_free(tmp_ctx); - return ldb_oom(ldb); - } - - /* - * Now that we have found the location, connect to - * secrets.ldb so we can read the SamDB Credentials - * record - */ - secrets_ldb = ldb_wrap_connect(tmp_ctx, NULL, lp_ctx, secrets_ldb_path, - NULL, NULL, 0); + if (!secrets_ldb_path) { + talloc_free(tmp_ctx); + return ldb_oom(ldb); + } - if (!NT_STATUS_IS_OK(cli_credentials_set_secrets(cred, NULL, secrets_ldb, NULL, - SECRETS_LDAP_FILTER, &error_string))) { - ldb_asprintf_errstring(ldb, "Failed to read LDAP backend password from %s", secrets_ldb_path); - talloc_free(tmp_ctx); - return LDB_ERR_STRONG_AUTH_REQUIRED; + /* + * Now that we have found the location, connect to + * secrets.ldb so we can read the SamDB Credentials + * record + */ + secrets_ldb = ldb_wrap_connect(tmp_ctx, NULL, lp_ctx, secrets_ldb_path, + NULL, NULL, 0); + + if (!NT_STATUS_IS_OK(cli_credentials_set_secrets(cred, NULL, secrets_ldb, NULL, + SECRETS_LDAP_FILTER, &error_string))) { + ldb_asprintf_errstring(ldb, "Failed to read LDAP backend password from %s", secrets_ldb_path); + talloc_free(tmp_ctx); + return LDB_ERR_STRONG_AUTH_REQUIRED; + } } /* 
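Review bot: In the new `use_external` branch of set_ldap_credentials, `cli_credentials_set_kerberos_state(cred, CRED_DONT_USE_KERBEROS)` now runs only in the DIGEST-MD5 branch, although the reason given in its comment (recursion into our own samdb, account not in the KDC) does not depend on which SASL mechanism is forced; I would move that call and its comment above `if (use_external) {` so both paths set it. The EXTERNAL branch also deserves a one-line why-comment, e.g. `/* ldapi://: slapd maps our Unix peer uid to samba-admin via authz-regexp; no password needed */`, since otherwise the skipped secrets.ldb lookup looks like an omission. Note there is no fallback here: if slapd's peercred mapping does not cover the uid this process runs under, the bind simply fails later, with nothing in this function to point at the uid. The function's tail is outside the hunk.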
@@ -229,7 +233,7 @@ static int samba_dsdb_init(struct ldb_module *module) TALLOC_CTX *tmp_ctx = talloc_new(module); struct ldb_result *res; struct ldb_message *rootdse_msg, *partition_msg; - struct ldb_dn *samba_dsdb_dn; + struct ldb_dn *samba_dsdb_dn, *partition_dn; struct ldb_module *backend_module, *module_chain; const char **final_module_list, **reverse_module_list; /* @@ -308,7 +312,9 @@ static int samba_dsdb_init(struct ldb_module *module) "entryuuid", "paged_searches", "simple_dn", NULL }; static const char *samba_dsdb_attrs[] = { "backendType", NULL }; - const char *backendType; + static const char *partition_attrs[] = { "ldapBackend", NULL }; + const char *backendType, *backendUrl; + bool use_sasl_external = false; if (!tmp_ctx) { return ldb_oom(ldb); @@ -326,6 +332,12 @@ static int samba_dsdb_init(struct ldb_module *module) return ldb_oom(ldb); } + partition_dn = ldb_dn_new(tmp_ctx, ldb, DSDB_PARTITION_DN); + if (!partition_dn) { + talloc_free(tmp_ctx); + return ldb_oom(ldb); + } + #define CHECK_LDB_RET(check_ret) \ do { \ if (check_ret != LDB_SUCCESS) { \ @@ -351,6 +363,19 @@ static int samba_dsdb_init(struct ldb_module *module) link_modules = tdb_modules_list; } else { struct cli_credentials *cred; + bool is_ldapi = false; + + ret = dsdb_module_search_dn(module, tmp_ctx, &res, partition_dn, + partition_attrs, DSDB_FLAG_NEXT_MODULE, NULL); + if (ret == LDB_SUCCESS) { + backendUrl = ldb_msg_find_attr_as_string(res->msgs[0], "ldapBackend", "ldapi://"); + if (!strncasecmp(backendUrl, "ldapi://", sizeof("ldapi://")-1)) { + is_ldapi = true; + } + } else if (ret != LDB_ERR_NO_SUCH_OBJECT) { + talloc_free(tmp_ctx); + return ret; + } if (strcasecmp(backendType, "fedora-ds") == 0) { link_modules = fedora_ds_modules; backend_modules = fedora_ds_backend_modules; 
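Review bot: In the ldapBackend lookup, `ldb_msg_find_attr_as_string(res->msgs[0], "ldapBackend", "ldapi://")` uses "ldapi://" as the default, so a partition record that exists but lacks the attribute is treated as an ldapi:// backend and, for OpenLDAP, selects SASL/EXTERNAL with no DIGEST-MD5 fallback; defaulting to `""` would make a missing URL behave as the pre-commit code did rather than silently opting into peer-credential auth. `res->msgs[0]` is also indexed without checking `res->count`; I cannot confirm from here whether dsdb_module_search_dn can return LDB_SUCCESS with zero results, so `if (ret == LDB_SUCCESS && res->count == 1)` is the safer condition. samba_dsdb_init continues outside this hunk.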
@@ -360,6 +385,9 @@ static int samba_dsdb_init(struct ldb_module *module) backend_modules = openldap_backend_modules; extended_dn_module = extended_dn_module_openldap; extended_dn_in_module = "extended_dn_in_openldap"; + if (is_ldapi) { + use_sasl_external = true; + } } else { return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR, "invalid backend type"); } @@ -370,7 +398,7 @@ static int samba_dsdb_init(struct ldb_module *module) cred = ldb_get_opaque(ldb, "credentials"); if (!cred || !cli_credentials_authentication_requested(cred)) { - ret = set_ldap_credentials(ldb); + ret = set_ldap_credentials(ldb, use_sasl_external); if (ret != LDB_SUCCESS) { return ret; } diff --git a/source4/setup/slapd.conf b/source4/setup/slapd.conf index 2eb65a3773..231ef82386 100644 --- a/source4/setup/slapd.conf +++ b/source4/setup/slapd.conf @@ -29,6 +29,10 @@ authz-regexp uid=([^,]*),cn=([^,]*),cn=ntlm,cn=auth ldap:///cn=samba??one?(cn=\$1) +authz-regexp + gidNumber=.*\\\+uidNumber=${ADMIN_UID},cn=peercred,cn=external,cn=auth + cn=samba-admin,cn=samba + access to dn.base="" by dn=cn=samba-admin,cn=samba manage by anonymous read |
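Review bot: `use_sasl_external = true` is set only in the OpenLDAP branch, while `is_ldapi` was computed for every LDAP backend type in the previous hunk; nothing says why the fedora-ds branch keeps DIGEST-MD5 over ldapi://. Since this commit only provisions the peercred authz-regexp in slapd.conf, I would document that at the assignment: `/* peercred -> samba-admin mapping is only provisioned for slapd; fedora-ds keeps DIGEST-MD5 */`. samba_dsdb_init continues outside this hunk.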
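Review bot: The new authz-regexp pins only `uidNumber=${ADMIN_UID}` and wildcards `gidNumber=.*`, so every local process running as the provisioning uid — all of root, if provisioning ran as root — is granted cn=samba-admin, which the `access ... manage` rule below makes a full-control identity; this is equivalent to what file permissions on the backend already give that uid, but the template should say so. The peer uid/gid in the `cn=peercred,cn=external,cn=auth` authzid is supplied by the kernel for the Unix socket, so it cannot be chosen by the client. I would add above the rule `# Map the Unix peer uid of the user that ran provisioning (any gid) to samba-admin for SASL/EXTERNAL binds over ldapi://`. The triple-escaped `\\\+` presumably becomes `\+` after template substitution; verify that the rendered slapd.conf matches a literal `+`.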