dsdb: When using an LDAP backend, force use of the password from secrets.ldb

This makes testing from the command line much easier, as ldbsearch -H sam.ldb will now just work as well as it did with a tdb-based provision. This code was removed from it's previous location outside the ldb module stack in aabda85a2fc9f6763abd56d61ff819012f2225ad. Andrew Bartlett Signed-off-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Nadezhda Ivanova <nivanova@symas.com> Autobuild-User(master): Nadezhda Ivanova <nivanova@samba.org> Autobuild-Date(master): Wed Sep 11 21:15:50 CEST 2013 on sn-devel-104
author: Andrew Bartlett <abartlet@samba.org> 2013-09-10 11:38:10 +1200
committer: Nadezhda Ivanova <nivanova@samba.org> 2013-09-11 21:15:50 +0200
commit: 403ddac6c899deeb452b32266e1b2169b1a09abe (patch)
tree: 9a8e63e8f081b3b84bc83e675953c7e94ef5cd42 /source4/dsdb
parent: 73278cd19bc80854a2b23ef787c3ebdc3fa56bfd (diff)
download: samba-403ddac6c899deeb452b32266e1b2169b1a09abe.tar.gz
samba-403ddac6c899deeb452b32266e1b2169b1a09abe.tar.bz2
samba-403ddac6c899deeb452b32266e1b2169b1a09abe.zip
1 files changed, 99 insertions, 0 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/samba_dsdb.c b/source4/dsdb/samdb/ldb_modules/samba_dsdb.c
index ee7f694c73..ac993db4d7 100644
--- a/source4/dsdb/samdb/ldb_modules/samba_dsdb.c
+++ b/source4/dsdb/samdb/ldb_modules/samba_dsdb.c
@@ -37,6 +37,9 @@
 #include "dsdb/samdb/ldb_modules/util.h"
 #include "dsdb/samdb/samdb.h"
 #include "librpc/ndr/libndr.h"
+#include "auth/credentials/credentials.h"
+#include "param/secrets.h"
+#include "lib/ldb-samba/ldb_wrap.h"
 
 static int read_at_rootdse_record(struct ldb_context *ldb, struct ldb_module *module, TALLOC_CTX *mem_ctx,
 				  struct ldb_message **msg, struct ldb_request *parent)
@@ -129,7 +132,94 @@ static int prepare_modules_line(struct ldb_context *ldb,
 	return ret;
 }
 
+/*
+ * Force overwrite of the credentials with those
+ * specified in secrets.ldb, to connect across the
+ * ldapi socket to an LDAP backend
+ */
 
+static int set_ldap_credentials(struct ldb_context *ldb)
+{
+	const char *secrets_ldb_path, *sam_ldb_path;
+	char *private_dir, *p, *error_string;
+	struct ldb_context *secrets_ldb;
+	struct cli_credentials *cred;
+	struct loadparm_context *lp_ctx = ldb_get_opaque(ldb, "loadparm");
+	TALLOC_CTX *tmp_ctx = talloc_new(ldb);
+
+	if (!tmp_ctx) {
+		return ldb_oom(ldb);
+	}
+
+	cred = cli_credentials_init(ldb);
+	if (!cred) {
+		talloc_free(tmp_ctx);
+		return ldb_oom(ldb);
+	}
+	cli_credentials_set_anonymous(cred);
+
+	/*
+	 * We don't want to use krb5 to talk to our samdb - recursion
+	 * here would be bad, and this account isn't in the KDC
+	 * anyway
+	 */
+	cli_credentials_set_kerberos_state(cred, CRED_DONT_USE_KERBEROS);
+
+	/*
+	 * Work out where *our* secrets.ldb is.  It must be in
+	 * the same directory as sam.ldb
+	 */
+	sam_ldb_path = (const char *)ldb_get_opaque(ldb, "ldb_url");
+	if (!sam_ldb_path) {
+		talloc_free(tmp_ctx);
+		return ldb_operr(ldb);
+	}
+	if (strncmp("tdb://", sam_ldb_path, 6) == 0) {
+		sam_ldb_path += 6;
+	}
+	private_dir = talloc_strdup(tmp_ctx, sam_ldb_path);
+	p = strrchr(private_dir, '/');
+	if (p) {
+		*p = '\0';
+	} else {
+		private_dir = talloc_strdup(tmp_ctx, ".");
+	}
+
+	secrets_ldb_path = talloc_asprintf(private_dir, "tdb://%s/secrets.ldb",
+					   private_dir);
+
+	if (!secrets_ldb_path) {
+		talloc_free(tmp_ctx);
+		return ldb_oom(ldb);
+	}
+
+	/*
+	 * Now that we have found the location, connect to
+	 * secrets.ldb so we can read the SamDB Credentials
+	 * record
+	 */
+	secrets_ldb = ldb_wrap_connect(tmp_ctx, NULL, lp_ctx, secrets_ldb_path,
+				       NULL, NULL, 0);
+
+	if (!NT_STATUS_IS_OK(cli_credentials_set_secrets(cred, NULL, secrets_ldb, NULL,
+							 SECRETS_LDAP_FILTER, &error_string))) {
+		ldb_asprintf_errstring(ldb, "Failed to read LDAP backend password from %s", secrets_ldb_path);
+		talloc_free(tmp_ctx);
+		return LDB_ERR_STRONG_AUTH_REQUIRED;
+	}
+
+	/*
+	 * Finally overwrite any supplied credentials with
+	 * these ones, as only secrets.ldb contains the magic
+	 * credentials to talk on the ldapi socket
+	 */
+	if (ldb_set_opaque(ldb, "credentials", cred)) {
+		talloc_free(tmp_ctx);
+		return ldb_operr(ldb);
+	}
+	talloc_free(tmp_ctx);
+	return LDB_SUCCESS;
+}
 
 static int samba_dsdb_init(struct ldb_module *module)
 {
@@ -257,6 +347,7 @@ static int samba_dsdb_init(struct ldb_module *module)
 		extended_dn_module = extended_dn_module_ldb;
 		link_modules = tdb_modules_list;
 	} else {
+		struct cli_credentials *cred;
 		if (strcasecmp(backendType, "fedora-ds") == 0) {
 			link_modules = fedora_ds_modules;
 			backend_modules = fedora_ds_backend_modules;
@@ -272,6 +363,14 @@ static int samba_dsdb_init(struct ldb_module *module)
 		if (ret != LDB_SUCCESS) {
 			ldb_set_errstring(ldb, "Failed to set readOnlySchema opaque");
 		}
+
+		cred = ldb_get_opaque(ldb, "credentials");
+		if (!cred || !cli_credentials_authentication_requested(cred)) {
+			ret = set_ldap_credentials(ldb);
+			if (ret != LDB_SUCCESS) {
+				return ret;
+			}
+		}
 	}
 
 #define CHECK_MODULE_LIST \
author	Andrew Bartlett <abartlet@samba.org>	2013-09-10 11:38:10 +1200
committer	Nadezhda Ivanova <nivanova@samba.org>	2013-09-11 21:15:50 +0200
commit	403ddac6c899deeb452b32266e1b2169b1a09abe (patch)
tree	9a8e63e8f081b3b84bc83e675953c7e94ef5cd42 /source4/dsdb
parent	73278cd19bc80854a2b23ef787c3ebdc3fa56bfd (diff)
download	samba-403ddac6c899deeb452b32266e1b2169b1a09abe.tar.gz samba-403ddac6c899deeb452b32266e1b2169b1a09abe.tar.bz2 samba-403ddac6c899deeb452b32266e1b2169b1a09abe.zip