summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorHoward Chu <hyc@symas.com>2013-09-17 14:04:06 -0700
committerNadezhda Ivanova <nivanova@samba.org>2013-09-18 19:47:55 +0200
commit743d4a474e1d80783f658fa1001a6d077fcfbede (patch)
tree506570ff9bb9488a860544edaf2d76b8bab869cf
parent6bf59b03d72b94b71e53fc2404c11e0d237e41b2 (diff)
downloadsamba-743d4a474e1d80783f658fa1001a6d077fcfbede.tar.gz
samba-743d4a474e1d80783f658fa1001a6d077fcfbede.tar.bz2
samba-743d4a474e1d80783f658fa1001a6d077fcfbede.zip
Use SASL/EXTERNAL over ldapi://
The provision script will map the uid of the user running the script to the samba-admin LDAP DN. Signed-off-by: Howard Chu <hyc@symas.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Nadezhda Ivanova <nivanova@symas.com>
-rw-r--r--python/samba/provision/backend.py7
-rw-r--r--source4/dsdb/samdb/ldb_modules/samba_dsdb.c128
-rw-r--r--source4/setup/slapd.conf4
3 files changed, 86 insertions, 53 deletions
diff --git a/python/samba/provision/backend.py b/python/samba/provision/backend.py
index 24d8675258..5360ef41f5 100644
--- a/python/samba/provision/backend.py
+++ b/python/samba/provision/backend.py
@@ -255,7 +255,7 @@ class LDAPBackend(ProvisionBackend):
# Kerberos to an ldapi:// backend makes no sense
self.credentials.set_kerberos_state(DONT_USE_KERBEROS)
self.credentials.set_password(self.ldapadminpass)
- self.credentials.set_forced_sasl_mech("DIGEST-MD5")
+ self.credentials.set_forced_sasl_mech("EXTERNAL")
self.secrets_credentials = Credentials()
self.secrets_credentials.guess(self.lp)
@@ -263,7 +263,7 @@ class LDAPBackend(ProvisionBackend):
self.secrets_credentials.set_kerberos_state(DONT_USE_KERBEROS)
self.secrets_credentials.set_username("samba-admin")
self.secrets_credentials.set_password(self.ldapadminpass)
- self.secrets_credentials.set_forced_sasl_mech("DIGEST-MD5")
+ self.secrets_credentials.set_forced_sasl_mech("EXTERNAL")
self.provision()
@@ -533,7 +533,8 @@ class OpenLDAPBackend(LDAPBackend):
"OLC_MMR_CONFIG": olc_mmr_config,
"REFINT_CONFIG": refint_config,
"INDEX_CONFIG": index_config,
- "NOSYNC": nosync_config})
+ "ADMIN_UID": str(os.getuid()),
+ "NOSYNC": nosync_config,})
self.setup_db_config(os.path.join(self.ldapdir, "db", "forestdns"))
self.setup_db_config(os.path.join(self.ldapdir, "db", "domaindns"))
diff --git a/source4/dsdb/samdb/ldb_modules/samba_dsdb.c b/source4/dsdb/samdb/ldb_modules/samba_dsdb.c
index 060a9d75fb..bc8e71bf87 100644
--- a/source4/dsdb/samdb/ldb_modules/samba_dsdb.c
+++ b/source4/dsdb/samdb/ldb_modules/samba_dsdb.c
@@ -138,7 +138,7 @@ static int prepare_modules_line(struct ldb_context *ldb,
* ldapi socket to an LDAP backend
*/
-static int set_ldap_credentials(struct ldb_context *ldb)
+static int set_ldap_credentials(struct ldb_context *ldb, bool use_external)
{
const char *secrets_ldb_path, *sam_ldb_path;
char *private_dir, *p, *error_string;
@@ -157,56 +157,60 @@ static int set_ldap_credentials(struct ldb_context *ldb)
return ldb_oom(ldb);
}
cli_credentials_set_anonymous(cred);
- cli_credentials_set_forced_sasl_mech(cred, "DIGEST-MD5");
-
- /*
- * We don't want to use krb5 to talk to our samdb - recursion
- * here would be bad, and this account isn't in the KDC
- * anyway
- */
- cli_credentials_set_kerberos_state(cred, CRED_DONT_USE_KERBEROS);
-
- /*
- * Work out where *our* secrets.ldb is. It must be in
- * the same directory as sam.ldb
- */
- sam_ldb_path = (const char *)ldb_get_opaque(ldb, "ldb_url");
- if (!sam_ldb_path) {
- talloc_free(tmp_ctx);
- return ldb_operr(ldb);
- }
- if (strncmp("tdb://", sam_ldb_path, 6) == 0) {
- sam_ldb_path += 6;
- }
- private_dir = talloc_strdup(tmp_ctx, sam_ldb_path);
- p = strrchr(private_dir, '/');
- if (p) {
- *p = '\0';
+ if (use_external) {
+ cli_credentials_set_forced_sasl_mech(cred, "EXTERNAL");
} else {
- private_dir = talloc_strdup(tmp_ctx, ".");
- }
+ cli_credentials_set_forced_sasl_mech(cred, "DIGEST-MD5");
+
+ /*
+ * We don't want to use krb5 to talk to our samdb - recursion
+ * here would be bad, and this account isn't in the KDC
+ * anyway
+ */
+ cli_credentials_set_kerberos_state(cred, CRED_DONT_USE_KERBEROS);
+
+ /*
+ * Work out where *our* secrets.ldb is. It must be in
+ * the same directory as sam.ldb
+ */
+ sam_ldb_path = (const char *)ldb_get_opaque(ldb, "ldb_url");
+ if (!sam_ldb_path) {
+ talloc_free(tmp_ctx);
+ return ldb_operr(ldb);
+ }
+ if (strncmp("tdb://", sam_ldb_path, 6) == 0) {
+ sam_ldb_path += 6;
+ }
+ private_dir = talloc_strdup(tmp_ctx, sam_ldb_path);
+ p = strrchr(private_dir, '/');
+ if (p) {
+ *p = '\0';
+ } else {
+ private_dir = talloc_strdup(tmp_ctx, ".");
+ }
- secrets_ldb_path = talloc_asprintf(private_dir, "tdb://%s/secrets.ldb",
- private_dir);
+ secrets_ldb_path = talloc_asprintf(private_dir, "tdb://%s/secrets.ldb",
+ private_dir);
- if (!secrets_ldb_path) {
- talloc_free(tmp_ctx);
- return ldb_oom(ldb);
- }
-
- /*
- * Now that we have found the location, connect to
- * secrets.ldb so we can read the SamDB Credentials
- * record
- */
- secrets_ldb = ldb_wrap_connect(tmp_ctx, NULL, lp_ctx, secrets_ldb_path,
- NULL, NULL, 0);
+ if (!secrets_ldb_path) {
+ talloc_free(tmp_ctx);
+ return ldb_oom(ldb);
+ }
- if (!NT_STATUS_IS_OK(cli_credentials_set_secrets(cred, NULL, secrets_ldb, NULL,
- SECRETS_LDAP_FILTER, &error_string))) {
- ldb_asprintf_errstring(ldb, "Failed to read LDAP backend password from %s", secrets_ldb_path);
- talloc_free(tmp_ctx);
- return LDB_ERR_STRONG_AUTH_REQUIRED;
+ /*
+ * Now that we have found the location, connect to
+ * secrets.ldb so we can read the SamDB Credentials
+ * record
+ */
+ secrets_ldb = ldb_wrap_connect(tmp_ctx, NULL, lp_ctx, secrets_ldb_path,
+ NULL, NULL, 0);
+
+ if (!NT_STATUS_IS_OK(cli_credentials_set_secrets(cred, NULL, secrets_ldb, NULL,
+ SECRETS_LDAP_FILTER, &error_string))) {
+ ldb_asprintf_errstring(ldb, "Failed to read LDAP backend password from %s", secrets_ldb_path);
+ talloc_free(tmp_ctx);
+ return LDB_ERR_STRONG_AUTH_REQUIRED;
+ }
}
/*
@@ -229,7 +233,7 @@ static int samba_dsdb_init(struct ldb_module *module)
TALLOC_CTX *tmp_ctx = talloc_new(module);
struct ldb_result *res;
struct ldb_message *rootdse_msg, *partition_msg;
- struct ldb_dn *samba_dsdb_dn;
+ struct ldb_dn *samba_dsdb_dn, *partition_dn;
struct ldb_module *backend_module, *module_chain;
const char **final_module_list, **reverse_module_list;
/*
@@ -308,7 +312,9 @@ static int samba_dsdb_init(struct ldb_module *module)
"entryuuid", "paged_searches", "simple_dn", NULL };
static const char *samba_dsdb_attrs[] = { "backendType", NULL };
- const char *backendType;
+ static const char *partition_attrs[] = { "ldapBackend", NULL };
+ const char *backendType, *backendUrl;
+ bool use_sasl_external = false;
if (!tmp_ctx) {
return ldb_oom(ldb);
@@ -326,6 +332,12 @@ static int samba_dsdb_init(struct ldb_module *module)
return ldb_oom(ldb);
}
+ partition_dn = ldb_dn_new(tmp_ctx, ldb, DSDB_PARTITION_DN);
+ if (!partition_dn) {
+ talloc_free(tmp_ctx);
+ return ldb_oom(ldb);
+ }
+
#define CHECK_LDB_RET(check_ret) \
do { \
if (check_ret != LDB_SUCCESS) { \
@@ -351,6 +363,19 @@ static int samba_dsdb_init(struct ldb_module *module)
link_modules = tdb_modules_list;
} else {
struct cli_credentials *cred;
+ bool is_ldapi = false;
+
+ ret = dsdb_module_search_dn(module, tmp_ctx, &res, partition_dn,
+ partition_attrs, DSDB_FLAG_NEXT_MODULE, NULL);
+ if (ret == LDB_SUCCESS) {
+ backendUrl = ldb_msg_find_attr_as_string(res->msgs[0], "ldapBackend", "ldapi://");
+ if (!strncasecmp(backendUrl, "ldapi://", sizeof("ldapi://")-1)) {
+ is_ldapi = true;
+ }
+ } else if (ret != LDB_ERR_NO_SUCH_OBJECT) {
+ talloc_free(tmp_ctx);
+ return ret;
+ }
if (strcasecmp(backendType, "fedora-ds") == 0) {
link_modules = fedora_ds_modules;
backend_modules = fedora_ds_backend_modules;
@@ -360,6 +385,9 @@ static int samba_dsdb_init(struct ldb_module *module)
backend_modules = openldap_backend_modules;
extended_dn_module = extended_dn_module_openldap;
extended_dn_in_module = "extended_dn_in_openldap";
+ if (is_ldapi) {
+ use_sasl_external = true;
+ }
} else {
return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR, "invalid backend type");
}
@@ -370,7 +398,7 @@ static int samba_dsdb_init(struct ldb_module *module)
cred = ldb_get_opaque(ldb, "credentials");
if (!cred || !cli_credentials_authentication_requested(cred)) {
- ret = set_ldap_credentials(ldb);
+ ret = set_ldap_credentials(ldb, use_sasl_external);
if (ret != LDB_SUCCESS) {
return ret;
}
diff --git a/source4/setup/slapd.conf b/source4/setup/slapd.conf
index 2eb65a3773..231ef82386 100644
--- a/source4/setup/slapd.conf
+++ b/source4/setup/slapd.conf
@@ -29,6 +29,10 @@ authz-regexp
uid=([^,]*),cn=([^,]*),cn=ntlm,cn=auth
ldap:///cn=samba??one?(cn=\$1)
+authz-regexp
+ gidNumber=.*\\\+uidNumber=${ADMIN_UID},cn=peercred,cn=external,cn=auth
+ cn=samba-admin,cn=samba
+
access to dn.base=""
by dn=cn=samba-admin,cn=samba manage
by anonymous read