Use SASL/EXTERNAL over ldapi://

The provision script will map the uid of the user running the script to the samba-admin LDAP DN. Signed-off-by: Howard Chu <hyc@symas.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Nadezhda Ivanova <nivanova@symas.com>
author: Howard Chu <hyc@symas.com> 2013-09-17 14:04:06 -0700
committer: Nadezhda Ivanova <nivanova@samba.org> 2013-09-18 19:47:55 +0200
commit: 743d4a474e1d80783f658fa1001a6d077fcfbede (patch)
tree: 506570ff9bb9488a860544edaf2d76b8bab869cf /source4/dsdb
parent: 6bf59b03d72b94b71e53fc2404c11e0d237e41b2 (diff)
download: samba-743d4a474e1d80783f658fa1001a6d077fcfbede.tar.gz
samba-743d4a474e1d80783f658fa1001a6d077fcfbede.tar.bz2
samba-743d4a474e1d80783f658fa1001a6d077fcfbede.zip
1 files changed, 78 insertions, 50 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/samba_dsdb.c b/source4/dsdb/samdb/ldb_modules/samba_dsdb.c
index 060a9d75fb..bc8e71bf87 100644
--- a/source4/dsdb/samdb/ldb_modules/samba_dsdb.c
+++ b/source4/dsdb/samdb/ldb_modules/samba_dsdb.c
@@ -138,7 +138,7 @@ static int prepare_modules_line(struct ldb_context *ldb,
  * ldapi socket to an LDAP backend
  */
 
-static int set_ldap_credentials(struct ldb_context *ldb)
+static int set_ldap_credentials(struct ldb_context *ldb, bool use_external)
 {
 	const char *secrets_ldb_path, *sam_ldb_path;
 	char *private_dir, *p, *error_string;
@@ -157,56 +157,60 @@ static int set_ldap_credentials(struct ldb_context *ldb)
 		return ldb_oom(ldb);
 	}
 	cli_credentials_set_anonymous(cred);
-	cli_credentials_set_forced_sasl_mech(cred, "DIGEST-MD5");
-
-	/*
-	 * We don't want to use krb5 to talk to our samdb - recursion
-	 * here would be bad, and this account isn't in the KDC
-	 * anyway
-	 */
-	cli_credentials_set_kerberos_state(cred, CRED_DONT_USE_KERBEROS);
-
-	/*
-	 * Work out where *our* secrets.ldb is.  It must be in
-	 * the same directory as sam.ldb
-	 */
-	sam_ldb_path = (const char *)ldb_get_opaque(ldb, "ldb_url");
-	if (!sam_ldb_path) {
-		talloc_free(tmp_ctx);
-		return ldb_operr(ldb);
-	}
-	if (strncmp("tdb://", sam_ldb_path, 6) == 0) {
-		sam_ldb_path += 6;
-	}
-	private_dir = talloc_strdup(tmp_ctx, sam_ldb_path);
-	p = strrchr(private_dir, '/');
-	if (p) {
-		*p = '\0';
+	if (use_external) {
+		cli_credentials_set_forced_sasl_mech(cred, "EXTERNAL");
 	} else {
-		private_dir = talloc_strdup(tmp_ctx, ".");
-	}
+		cli_credentials_set_forced_sasl_mech(cred, "DIGEST-MD5");
+
+		/*
+		 * We don't want to use krb5 to talk to our samdb - recursion
+		 * here would be bad, and this account isn't in the KDC
+		 * anyway
+		 */
+		cli_credentials_set_kerberos_state(cred, CRED_DONT_USE_KERBEROS);
+
+		/*
+		 * Work out where *our* secrets.ldb is.  It must be in
+		 * the same directory as sam.ldb
+		 */
+		sam_ldb_path = (const char *)ldb_get_opaque(ldb, "ldb_url");
+		if (!sam_ldb_path) {
+			talloc_free(tmp_ctx);
+			return ldb_operr(ldb);
+		}
+		if (strncmp("tdb://", sam_ldb_path, 6) == 0) {
+			sam_ldb_path += 6;
+		}
+		private_dir = talloc_strdup(tmp_ctx, sam_ldb_path);
+		p = strrchr(private_dir, '/');
+		if (p) {
+			*p = '\0';
+		} else {
+			private_dir = talloc_strdup(tmp_ctx, ".");
+		}
 
-	secrets_ldb_path = talloc_asprintf(private_dir, "tdb://%s/secrets.ldb",
-					   private_dir);
+		secrets_ldb_path = talloc_asprintf(private_dir, "tdb://%s/secrets.ldb",
+						   private_dir);
 
-	if (!secrets_ldb_path) {
-		talloc_free(tmp_ctx);
-		return ldb_oom(ldb);
-	}
-
-	/*
-	 * Now that we have found the location, connect to
-	 * secrets.ldb so we can read the SamDB Credentials
-	 * record
-	 */
-	secrets_ldb = ldb_wrap_connect(tmp_ctx, NULL, lp_ctx, secrets_ldb_path,
-				       NULL, NULL, 0);
+		if (!secrets_ldb_path) {
+			talloc_free(tmp_ctx);
+			return ldb_oom(ldb);
+		}
 
-	if (!NT_STATUS_IS_OK(cli_credentials_set_secrets(cred, NULL, secrets_ldb, NULL,
-							 SECRETS_LDAP_FILTER, &error_string))) {
-		ldb_asprintf_errstring(ldb, "Failed to read LDAP backend password from %s", secrets_ldb_path);
-		talloc_free(tmp_ctx);
-		return LDB_ERR_STRONG_AUTH_REQUIRED;
+		/*
+		 * Now that we have found the location, connect to
+		 * secrets.ldb so we can read the SamDB Credentials
+		 * record
+		 */
+		secrets_ldb = ldb_wrap_connect(tmp_ctx, NULL, lp_ctx, secrets_ldb_path,
+					       NULL, NULL, 0);
+
+		if (!NT_STATUS_IS_OK(cli_credentials_set_secrets(cred, NULL, secrets_ldb, NULL,
+								 SECRETS_LDAP_FILTER, &error_string))) {
+			ldb_asprintf_errstring(ldb, "Failed to read LDAP backend password from %s", secrets_ldb_path);
+			talloc_free(tmp_ctx);
+			return LDB_ERR_STRONG_AUTH_REQUIRED;
+		}
 	}
 
 	/*
@@ -229,7 +233,7 @@ static int samba_dsdb_init(struct ldb_module *module)
 	TALLOC_CTX *tmp_ctx = talloc_new(module);
 	struct ldb_result *res;
 	struct ldb_message *rootdse_msg, *partition_msg;
-	struct ldb_dn *samba_dsdb_dn;
+	struct ldb_dn *samba_dsdb_dn, *partition_dn;
 	struct ldb_module *backend_module, *module_chain;
 	const char **final_module_list, **reverse_module_list;
 	/*
@@ -308,7 +312,9 @@ static int samba_dsdb_init(struct ldb_module *module)
 		"entryuuid", "paged_searches", "simple_dn", NULL };
 
 	static const char *samba_dsdb_attrs[] = { "backendType", NULL };
-	const char *backendType;
+	static const char *partition_attrs[] = { "ldapBackend", NULL };
+	const char *backendType, *backendUrl;
+	bool use_sasl_external = false;
 
 	if (!tmp_ctx) {
 		return ldb_oom(ldb);
@@ -326,6 +332,12 @@ static int samba_dsdb_init(struct ldb_module *module)
 		return ldb_oom(ldb);
 	}
 
+	partition_dn = ldb_dn_new(tmp_ctx, ldb, DSDB_PARTITION_DN);
+	if (!partition_dn) {
+		talloc_free(tmp_ctx);
+		return ldb_oom(ldb);
+	}
+
 #define CHECK_LDB_RET(check_ret)				\
 	do {							\
 		if (check_ret != LDB_SUCCESS) {			\
@@ -351,6 +363,19 @@ static int samba_dsdb_init(struct ldb_module *module)
 		link_modules = tdb_modules_list;
 	} else {
 		struct cli_credentials *cred;
+		bool is_ldapi = false;
+
+		ret = dsdb_module_search_dn(module, tmp_ctx, &res, partition_dn,
+					    partition_attrs, DSDB_FLAG_NEXT_MODULE, NULL);
+		if (ret == LDB_SUCCESS) {
+			backendUrl = ldb_msg_find_attr_as_string(res->msgs[0], "ldapBackend", "ldapi://");
+			if (!strncasecmp(backendUrl, "ldapi://", sizeof("ldapi://")-1)) {
+				is_ldapi = true;
+			}
+		} else if (ret != LDB_ERR_NO_SUCH_OBJECT) {
+			talloc_free(tmp_ctx);
+			return ret;
+		}
 		if (strcasecmp(backendType, "fedora-ds") == 0) {
 			link_modules = fedora_ds_modules;
 			backend_modules = fedora_ds_backend_modules;
@@ -360,6 +385,9 @@ static int samba_dsdb_init(struct ldb_module *module)
 			backend_modules = openldap_backend_modules;
 			extended_dn_module = extended_dn_module_openldap;
 			extended_dn_in_module = "extended_dn_in_openldap";
+			if (is_ldapi) {
+				use_sasl_external = true;
+			}
 		} else {
 			return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR, "invalid backend type");
 		}
@@ -370,7 +398,7 @@ static int samba_dsdb_init(struct ldb_module *module)
 
 		cred = ldb_get_opaque(ldb, "credentials");
 		if (!cred || !cli_credentials_authentication_requested(cred)) {
-			ret = set_ldap_credentials(ldb);
+			ret = set_ldap_credentials(ldb, use_sasl_external);
 			if (ret != LDB_SUCCESS) {
 				return ret;
 			}
author	Howard Chu <hyc@symas.com>	2013-09-17 14:04:06 -0700
committer	Nadezhda Ivanova <nivanova@samba.org>	2013-09-18 19:47:55 +0200
commit	743d4a474e1d80783f658fa1001a6d077fcfbede (patch)
tree	506570ff9bb9488a860544edaf2d76b8bab869cf /source4/dsdb
parent	6bf59b03d72b94b71e53fc2404c11e0d237e41b2 (diff)
download	samba-743d4a474e1d80783f658fa1001a6d077fcfbede.tar.gz samba-743d4a474e1d80783f658fa1001a6d077fcfbede.tar.bz2 samba-743d4a474e1d80783f658fa1001a6d077fcfbede.zip