r4460: Add a new GENSEC module: gensec_gssapi

(disabled by default, set parametric option: gensec:gssapi=yes to enable).

This module backs directly onto GSSAPI, and allows us to sign and seal
GSSAPI/Krb5 connections in particular.  This avoids me reinventing the
entire GSSAPI wheel.

Currently a lot of things are left as default - we will soon start
specifiying OIDs as well as passwords (it uses the keytab only at the
moment).  Tested with our LDAP-* torture tests against Win2k3.

My hope is to use this module to access the new SPNEGO implementation
in Heimdal, to avoid having to standards-verify our own.

Andrew Bartlett
(This used to be commit 14b650c85db14a9bf97e24682b2643b63c51ff35)

1 files changed, 7 insertions, 3 deletions

diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c
index 77356cbe70..9ca9e4b5c4 100644
--- a/source4/libcli/ldap/ldap_client.c
+++ b/source4/libcli/ldap/ldap_client.c
@@ -459,9 +459,13 @@ int ldap_bind_sasl(struct ldap_connection *conn, const char *username, const cha
 			break;
 		}
 
-		status = gensec_update(conn->gensec, mem_ctx,
-				       response->r.BindResponse.SASL.secblob,
-				       &output);
+		if (!NT_STATUS_IS_OK(status)) {
+			status = gensec_update(conn->gensec, mem_ctx,
+					       response->r.BindResponse.SASL.secblob,
+					       &output);
+		} else {
+			output.length = 0;
+		}
 
 		talloc_free(response);
 	}