summaryrefslogtreecommitdiff
path: root/source4
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2006-07-25 02:57:51 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 14:10:21 -0500
commita6629e037a35c0e36e5bf8c38f88e675e8a40cbd (patch)
tree1ea07979638e69750e091d9b6d679a1752a2fa2e /source4
parent1ea4f560fc46703bf2ea98b348b6fb54ab08b839 (diff)
downloadsamba-a6629e037a35c0e36e5bf8c38f88e675e8a40cbd.tar.gz
samba-a6629e037a35c0e36e5bf8c38f88e675e8a40cbd.tar.bz2
samba-a6629e037a35c0e36e5bf8c38f88e675e8a40cbd.zip
r17224: Accept the start-tls extended request. Getting OpenLDAP to recognise
our certificate, and proceed with the connection is left as an exercise for the reader... Andrew Bartlett (This used to be commit 9bd66d4c95dd971e2b1b6371ba3ffc6c178c0d4c)
Diffstat (limited to 'source4')
-rw-r--r--source4/ldap_server/ldap_backend.c59
1 files changed, 58 insertions, 1 deletions
diff --git a/source4/ldap_server/ldap_backend.c b/source4/ldap_server/ldap_backend.c
index 6e4df86b88..d6aeedfde8 100644
--- a/source4/ldap_server/ldap_backend.c
+++ b/source4/ldap_server/ldap_backend.c
@@ -25,6 +25,10 @@
#include "lib/ldb/include/ldb.h"
#include "lib/ldb/include/ldb_errors.h"
#include "lib/db_wrap.h"
+#include "lib/tls/tls.h"
+#include "smbd/service_task.h"
+#include "smbd/service_stream.h"
+#include "smbd/service.h"
#define VALID_DN_SYNTAX(dn,i) do {\
if (!(dn)) {\
@@ -731,9 +735,25 @@ static NTSTATUS ldapsrv_AbandonRequest(struct ldapsrv_call *call)
return NT_STATUS_OK;
}
+
+struct ldapsrv_starttls_context {
+ struct ldapsrv_connection *conn;
+ struct socket_context *tls_socket;
+};
+
+static void ldapsrv_start_tls(void *private)
+{
+ struct ldapsrv_starttls_context *ctx = talloc_get_type(private, struct ldapsrv_starttls_context);
+ talloc_steal(ctx->conn->connection, ctx->tls_socket);
+ talloc_unlink(ctx->conn->connection, ctx->conn->connection->socket);
+
+ ctx->conn->connection->socket = ctx->tls_socket;
+ packet_set_socket(ctx->conn->packet, ctx->conn->connection->socket);
+}
+
static NTSTATUS ldapsrv_ExtendedRequest(struct ldapsrv_call *call)
{
-/* struct ldap_ExtendedRequest *req = &call->request.r.ExtendedRequest;*/
+ struct ldap_ExtendedRequest *req = &call->request->r.ExtendedRequest;
struct ldapsrv_reply *reply;
DEBUG(10, ("Extended\n"));
@@ -745,6 +765,43 @@ static NTSTATUS ldapsrv_ExtendedRequest(struct ldapsrv_call *call)
ZERO_STRUCT(reply->msg->r);
+ /* check if we have a START_TLS call */
+ if (strcmp(req->oid, LDB_EXTENDED_START_TLS_OID) == 0) {
+ NTSTATUS status;
+ struct ldapsrv_starttls_context *ctx;
+ int result = 0;
+ const char *errstr;
+ ctx = talloc(call, struct ldapsrv_starttls_context);
+
+ if (ctx) {
+ ctx->conn = call->conn;
+ ctx->tls_socket = tls_init_server(call->conn->service->tls_params,
+ call->conn->connection->socket,
+ call->conn->connection->event.fde,
+ NULL);
+ }
+
+ if (!ctx || !ctx->tls_socket) {
+ result = LDAP_OPERATIONS_ERROR;
+ errstr = talloc_asprintf(reply,
+ "START-TLS: Failed to setup TLS socket");
+ } else {
+ result = LDAP_SUCCESS;
+ errstr = NULL;
+ call->send_callback = ldapsrv_start_tls;
+ call->send_private = ctx;
+ }
+
+ reply->msg->r.ExtendedResponse.response.resultcode = result;
+ reply->msg->r.ExtendedResponse.response.errormessage = errstr;
+ reply->msg->r.ExtendedResponse.oid = talloc_strdup(reply, req->oid);
+ if (!reply->msg->r.ExtendedResponse.oid) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+
+ /* TODO: OID not recognized, return a protocol error */
+
ldapsrv_queue_reply(call, reply);
return NT_STATUS_OK;
}