author | Andrew Bartlett <abartlet@samba.org> | 2006-07-25 02:57:51 +0000 |
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 14:10:21 -0500 |
commit | a6629e037a35c0e36e5bf8c38f88e675e8a40cbd (patch) | |
tree | 1ea07979638e69750e091d9b6d679a1752a2fa2e /source4/ldap_server | |
parent | 1ea4f560fc46703bf2ea98b348b6fb54ab08b839 (diff) | |
r17224: Accept the start-tls extended request. Getting OpenLDAP to recognise
our certificate, and proceed with the connection is left as an
exercise for the reader...
Andrew Bartlett
(This used to be commit 9bd66d4c95dd971e2b1b6371ba3ffc6c178c0d4c)
Diffstat (limited to 'source4/ldap_server')
-rw-r--r-- | source4/ldap_server/ldap_backend.c | 59 |
1 files changed, 58 insertions, 1 deletions
diff --git a/source4/ldap_server/ldap_backend.c b/source4/ldap_server/ldap_backend.c
index 6e4df86b88..d6aeedfde8 100644
--- a/source4/ldap_server/ldap_backend.c
+++ b/source4/ldap_server/ldap_backend.c
@@ -25,6 +25,10 @@
 #include "lib/ldb/include/ldb.h"
 #include "lib/ldb/include/ldb_errors.h"
 #include "lib/db_wrap.h"
+#include "lib/tls/tls.h"
+#include "smbd/service_task.h"
+#include "smbd/service_stream.h"
+#include "smbd/service.h"
 
 #define VALID_DN_SYNTAX(dn,i) do {\
 	if (!(dn)) {\
@@ -731,9 +735,25 @@ static NTSTATUS ldapsrv_AbandonRequest(struct ldapsrv_call *call)
 	return NT_STATUS_OK;
 }
 
+
+struct ldapsrv_starttls_context {
+	struct ldapsrv_connection *conn;
+	struct socket_context *tls_socket;
+};
+
+static void ldapsrv_start_tls(void *private)
+{
+	struct ldapsrv_starttls_context *ctx = talloc_get_type(private, struct ldapsrv_starttls_context);
+	talloc_steal(ctx->conn->connection, ctx->tls_socket);
+	talloc_unlink(ctx->conn->connection, ctx->conn->connection->socket);
+
+	ctx->conn->connection->socket = ctx->tls_socket;
+	packet_set_socket(ctx->conn->packet, ctx->conn->connection->socket);
+}
+
 static NTSTATUS ldapsrv_ExtendedRequest(struct ldapsrv_call *call)
 {
-/* struct ldap_ExtendedRequest *req = &call->request.r.ExtendedRequest;*/
+	struct ldap_ExtendedRequest *req = &call->request->r.ExtendedRequest;
 	struct ldapsrv_reply *reply;
 
 	DEBUG(10, ("Extended\n"));
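Review bot: `ldapsrv_start_tls` dereferences `ctx` immediately after `talloc_get_type()`, which yields NULL when `private` does not carry the expected talloc type name, so a guard such as `if (!ctx) return;` before the `talloc_steal` line would turn a type mix-up into a no-op instead of a NULL dereference inside the send path. The `talloc_unlink()` of the plaintext socket also deserves a comment, because the TLS socket is initialised over that very socket in the next hunk and whether `tls_init_server()` keeps its own reference to it is not visible here; something like `/* the TLS socket wraps the old plaintext socket; dropping the connection's reference assumes tls_init_server() took one of its own */` would record the assumption. As a point of style, `private` is a C++ keyword and a name such as `private_data` avoids trouble for any header shared with C++ consumers.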
@@ -745,6 +765,43 @@ static NTSTATUS ldapsrv_ExtendedRequest(struct ldapsrv_call *call)
 
 	ZERO_STRUCT(reply->msg->r);
 
+	/* check if we have a START_TLS call */
+	if (strcmp(req->oid, LDB_EXTENDED_START_TLS_OID) == 0) {
+		NTSTATUS status;
+		struct ldapsrv_starttls_context *ctx;
+		int result = 0;
+		const char *errstr;
+		ctx = talloc(call, struct ldapsrv_starttls_context);
+
+		if (ctx) {
+			ctx->conn = call->conn;
+			ctx->tls_socket = tls_init_server(call->conn->service->tls_params,
+							  call->conn->connection->socket,
+							  call->conn->connection->event.fde,
+							  NULL);
+		}
+
+		if (!ctx || !ctx->tls_socket) {
+			result = LDAP_OPERATIONS_ERROR;
+			errstr = talloc_asprintf(reply,
+						 "START-TLS: Failed to setup TLS socket");
+		} else {
+			result = LDAP_SUCCESS;
+			errstr = NULL;
+			call->send_callback = ldapsrv_start_tls;
+			call->send_private = ctx;
+		}
+
+		reply->msg->r.ExtendedResponse.response.resultcode = result;
+		reply->msg->r.ExtendedResponse.response.errormessage = errstr;
+		reply->msg->r.ExtendedResponse.oid = talloc_strdup(reply, req->oid);
+		if (!reply->msg->r.ExtendedResponse.oid) {
+			return NT_STATUS_NO_MEMORY;
+		}
+	}
+
+	/* TODO: OID not recognized, return a protocol error */
+
 	ldapsrv_queue_reply(call, reply);
 	return NT_STATUS_OK;
 }
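Review bot: The StartTLS branch keys only on the OID and never checks whether the connection is already protected by TLS (an ldaps listener, or a previous successful StartTLS), so `tls_init_server()` is run again over a socket that may already be a TLS socket; RFC 4511 section 4.14.1 asks for `operationsError` in that case, so a guard before the `ctx = talloc(...)` line — on whatever field the connection uses to record that TLS is active, which is not visible in this hunk — belongs here. `NTSTATUS status;` is declared and never used, and `talloc_asprintf(reply, "START-TLS: Failed to setup TLS socket")` takes no format arguments, so `talloc_strdup(reply, "START-TLS: Failed to setup TLS socket")` states the intent more directly. Requests with any other OID still leave the `ZERO_STRUCT`-initialised response untouched and are queued with resultcode 0, which a client reads as success; the TODO acknowledges this, but setting `reply->msg->r.ExtendedResponse.response.resultcode = LDAP_PROTOCOL_ERROR;` in that fall-through path would be a small, safe completion. `ldapsrv_ExtendedRequest` opens in the previous hunk and closes inside this one.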