auth/credentials: Add cli_credentials_{set,get}_forced_sasl_mech()

This will allow us to force the use of only DIGEST-MD5, for example, which is useful
to avoid hitting GSSAPI, SPNEGO or NTLM when talking to OpenLDAP and Cyrus-SASL.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Nadezhda Ivanova <nivanova@symas.com>

1 files changed, 14 insertions, 0 deletions

diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
index 3ae64d5683..81b6abc2a4 100644
--- a/auth/gensec/gensec_start.c
+++ b/auth/gensec/gensec_start.c
@@ -668,6 +668,20 @@ _PUBLIC_ NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx,
 NTSTATUS gensec_start_mech(struct gensec_security *gensec_security)
 {
 	NTSTATUS status;
+
+	if (gensec_security->credentials) {
+		const char *forced_mech = cli_credentials_get_forced_sasl_mech(gensec_security->credentials);
+		if (forced_mech &&
+		    (gensec_security->ops->sasl_name == NULL ||
+		     strcasecmp(forced_mech, gensec_security->ops->sasl_name) != 0)) {
+			DEBUG(5, ("GENSEC mechanism %s (%s) skipped, as it "
+				  "did not match forced mechanism %s\n",
+				  gensec_security->ops->name,
+				  gensec_security->ops->sasl_name,
+				  forced_mech));
+			return NT_STATUS_INVALID_PARAMETER;
+		}
+	}
 	DEBUG(5, ("Starting GENSEC %smechanism %s\n",
 		  gensec_security->subcontext ? "sub" : "",
 		  gensec_security->ops->name));