-rw-r--r-- | auth/credentials/credentials.c | 8 | ||||
-rw-r--r-- | source4/libcli/ldap/ldap_bind.c | 13 |
2 files changed, 19 insertions, 2 deletions
diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
index e98dfbdae4..d15cee6b77 100644
--- a/auth/credentials/credentials.c
+++ b/auth/credentials/credentials.c
@@ -365,6 +365,14 @@ _PUBLIC_ bool cli_credentials_authentication_requested(struct cli_credentials *c
 return true;
 }
 
+ /*
+ * If we forced the mech we clearly want authentication. E.g. to use
+ * SASL/EXTERNAL which has no credentials.
+ */
+ if (cred->forced_sasl_mech) {
+ return true;
+ }
+
 if (cli_credentials_is_anonymous(cred)){
 return false;
 }
diff --git a/source4/libcli/ldap/ldap_bind.c b/source4/libcli/ldap/ldap_bind.c
index f0a498b620..d82b7a1156 100644
--- a/source4/libcli/ldap/ldap_bind.c
+++ b/source4/libcli/ldap/ldap_bind.c
@@ -215,6 +215,7 @@ _PUBLIC_ NTSTATUS ldap_bind_sasl(struct ldap_connection *conn,
 struct ldap_message **sasl_mechs_msgs;
 struct ldap_SearchResEntry *search;
 int count, i;
+ bool first = true;
 const char **sasl_names;
 uint32_t old_gensec_features;
 
@@ -337,7 +338,13 @@ try_logon_again:
 * avoid mutal authentication requirements.
 *
 * Likewise, you must not feed GENSEC too much (after the OK),
- * it doesn't like that either
+ * it doesn't like that either.
+ *
+ * For SASL/EXTERNAL, there is no data to send, but we still
+ * must send the actual Bind request the first time around.
+ * Otherwise, a result of NT_STATUS_OK with 0 output means the
+ * end of a multi-step authentication, and no message must be
+ * sent.
 */
 gensec_status = status;
 
@@ -347,8 +354,10 @@ try_logon_again:
 break;
 }
 if (NT_STATUS_IS_OK(status) && output.length == 0) {
- break;
+ if (!first)
+ break;
 }
+ first = false;
 /* Perhaps we should make gensec_start_mech_by_sasl_list() return the name we got? */
 msg = new_ldap_sasl_bind_msg(tmp_ctx, conn->gensec->ops->sasl_name, (output.data?&output:NULL));
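Review bot: The new `cred->forced_sasl_mech` test sits above the `cli_credentials_is_anonymous()` check, so a credential set that is explicitly anonymous but carries a forced mechanism now reports that authentication was requested; callers that use this predicate to choose between an anonymous and an authenticated bind will see that change, and the function's header comment (outside this hunk) should state the precedence. The check also treats any non-zero `forced_sasl_mech` as a request for authentication without confirming that whatever the mechanism needs is present — for SASL/EXTERNAL that is an identity supplied by the transport, and presumably GENSEC enforces it later, but the comment should say where that responsibility lies. Suggested wording for the added block comment: `A forced mechanism takes precedence over the anonymous check; for credential-less mechanisms such as EXTERNAL the transport (e.g. TLS client certificate) must supply the identity, which is verified by GENSEC, not here.`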
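Review bot: `first` is initialised at its declaration (the `@@ -215` hunk of ldap_bind.c) rather than at the `try_logon_again:` label that both later hunks sit under, so if control jumps back to that label after a Bind has already been sent, `first` is still false and an NT_STATUS_OK/empty-output round on the retry breaks out before sending the Bind — exactly the case the new comment says must be sent. The retry path itself is outside these hunks, so this is inferred; if the jump restarts the GENSEC exchange, `first = true;` belongs at the label (or the flag should be declared in the retried scope) — please confirm. Separately, the new `if (!first)` / `break;` pair is unbraced while every other conditional in the hunk uses braces; `if (!first) {`, `break;`, `}` on three lines would match the file.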