authorAndrew Bartlett <abartlet@samba.org>2006-02-04 09:53:50 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:51:46 -0500
commitf256a9c55e4785e4383a0546e75bba355a51fa04 (patch)
treef64770ce0ce0ed7577c754e455f52f828ddf7365 /source4/libcli/ldap
parentcc23a9ba6247fd1c648bffdf29c17358d941ef69 (diff)
downloadsamba-f256a9c55e4785e4383a0546e75bba355a51fa04.tar.gz
samba-f256a9c55e4785e4383a0546e75bba355a51fa04.tar.bz2
samba-f256a9c55e4785e4383a0546e75bba355a51fa04.zip
r13342: Make the GSSAPI SASL mech actually work, by (shock horror) reading the spec.
GSSAPI differs from GSS-SPNEGO in an additional 3 packets, negotiating a buffer size and what integrity protection/privacy should be used. I worked off draft-ietf-sasl-gssapi-03, and this works against Win2k3. I'm doing this in the hope that Apple clients as well as SASL-based LDAP tools may get a bit further. I still can't get ldapsearch to work, it fails with the ever-helpful 'Local error'. Andrew Bartlett (This used to be commit 3e462897754b30306c1983af2d137329dd937ad6)
Diffstat (limited to 'source4/libcli/ldap')
-rw-r--r--source4/libcli/ldap/ldap_bind.c19
1 files changed, 6 insertions, 13 deletions
diff --git a/source4/libcli/ldap/ldap_bind.c b/source4/libcli/ldap/ldap_bind.c
index 1f6ef77631..2880298dd5 100644
--- a/source4/libcli/ldap/ldap_bind.c
+++ b/source4/libcli/ldap/ldap_bind.c
@@ -152,7 +152,6 @@ NTSTATUS ldap_bind_sasl(struct ldap_connection *conn, struct cli_credentials *cr
int count, i;
const char **sasl_names;
- const struct gensec_security_ops **mechs;
static const char *supported_sasl_mech_attrs[] = {
"supportedSASLMechanisms",
@@ -225,17 +224,10 @@ NTSTATUS ldap_bind_sasl(struct ldap_connection *conn, struct cli_credentials *cr
}
sasl_names[i] = NULL;
- mechs = gensec_security_by_sasl(conn->gensec, tmp_ctx, sasl_names);
- if (!mechs || !mechs[0]) {
- DEBUG(1, ("None of the %d proposed SASL mechs were acceptable\n",
- count));
- goto failed;
- }
-
- status = gensec_start_mech_by_ops(conn->gensec, mechs[0]);
+ status = gensec_start_mech_by_sasl_list(conn->gensec, sasl_names);
if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("Failed to set GENSEC client mechanism: %s/%s %s\n",
- mechs[0]->name, mechs[0]->sasl_name, nt_errstr(status)));
+ DEBUG(1, ("None of the %d proposed SASL mechs were acceptable: %s\n",
+ count, nt_errstr(status)));
goto failed;
}
@@ -265,11 +257,12 @@ NTSTATUS ldap_bind_sasl(struct ldap_connection *conn, struct cli_credentials *cr
!NT_STATUS_IS_OK(status)) {
break;
}
- if (output.length == 0) {
+ if (NT_STATUS_IS_OK(status) && output.length == 0) {
break;
}
- msg = new_ldap_sasl_bind_msg(tmp_ctx, "GSS-SPNEGO", &output);
+ /* Perhaps we should make gensec_start_mech_by_sasl_list() return the name we got? */
+ msg = new_ldap_sasl_bind_msg(tmp_ctx, conn->gensec->ops->sasl_name, &output);
if (msg == NULL) {
status = NT_STATUS_NO_MEMORY;
goto failed;
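Review bot: The new DEBUG in the second hunk, `None of the %d proposed SASL mechs were acceptable: %s`, now covers two outcomes the removed code reported separately — no advertised mechanism matched, and a matching mechanism was selected but failed to start — so a start failure will be logged as a negotiation mismatch; either word it neutrally, e.g. `DEBUG(1, ("Failed to start any of the %d proposed SASL mechs: %s\n", count, nt_errstr(status)));`, or have gensec_start_mech_by_sasl_list distinguish the two cases in its status. In the third hunk the bind message takes its mechanism name from `conn->gensec->ops->sasl_name`, reaching through gensec's private state as the added comment itself notes; an accessor for the selected mechanism's SASL name, or an out-parameter on gensec_start_mech_by_sasl_list, would keep libcli/ldap independent of the ops layout. Because the candidate list is the server-advertised supportedSASLMechanisms, whatever gensec picks from it is what the bind proceeds with; if gensec_start_mech_by_sasl_list does not itself compare the chosen mechanism against the features the credentials require (signing/sealing), a check before the update loop would stop a bind continuing with weaker protection than the caller asked for — whether that policy is applied elsewhere is not visible from these hunks. ldap_bind_sasl starts before the first hunk and continues past the last one.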