authorAndrew Bartlett <abartlet@samba.org>2013-09-16 09:38:09 -0700
committerNadezhda Ivanova <nivanova@symas.com>2013-09-16 14:44:28 -0700
commit3f464ca1f5672491edf5daf15389cf7f2dc68e2b (patch)
treef9dd6d6390632ac5968e084ef7c5cae7f5c12ec3 /auth/gensec
parent68f7cd1724480a9bae36692d19b94e10fb1b9e73 (diff)
auth/credentials: Add cli_credentials_{set,get}_forced_sasl_mech()
This will allow us to force the use of only DIGEST-MD5, for example, which is useful to avoid hitting GSSAPI, SPNEGO or NTLM when talking to OpenLDAP and Cyrus-SASL. Andrew Bartlett Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Nadezhda Ivanova <nivanova@symas.com>
Diffstat (limited to 'auth/gensec')
-rw-r--r--auth/gensec/gensec_start.c14
1 files changed, 14 insertions, 0 deletions
diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
index 3ae64d5683..81b6abc2a4 100644
--- a/auth/gensec/gensec_start.c
+++ b/auth/gensec/gensec_start.c
@@ -668,6 +668,20 @@ _PUBLIC_ NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx,
NTSTATUS gensec_start_mech(struct gensec_security *gensec_security)
{
NTSTATUS status;
+
+ if (gensec_security->credentials) {
+ const char *forced_mech = cli_credentials_get_forced_sasl_mech(gensec_security->credentials);
+ if (forced_mech &&
+ (gensec_security->ops->sasl_name == NULL ||
+ strcasecmp(forced_mech, gensec_security->ops->sasl_name) != 0)) {
+ DEBUG(5, ("GENSEC mechanism %s (%s) skipped, as it "
+ "did not match forced mechanism %s\n",
+ gensec_security->ops->name,
+ gensec_security->ops->sasl_name,
+ forced_mech));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ }
DEBUG(5, ("Starting GENSEC %smechanism %s\n",
gensec_security->subcontext ? "sub" : "",
gensec_security->ops->name));
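Review bot: In the added `DEBUG(5, ...)` call, `gensec_security->ops->sasl_name` is passed to a `%s` conversion on a branch that is also taken when it is NULL (the first arm of the `||`). If DEBUG formats printf-style, as the format string suggests, that is undefined behaviour and only happens to print "(null)" on some C libraries. Guard the argument, for example `gensec_security->ops->sasl_name ? gensec_security->ops->sasl_name : "(none)",`. Separately, the forced-mechanism check is skipped entirely when `gensec_security->credentials` is NULL, so a caller relying on it to keep GSSAPI, SPNEGO or NTLM from being started should confirm credentials are attached before this point; a one-line comment above the block stating that would help. The body of `gensec_start_mech` continues past the end of the hunk.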