-rw-r--r--auth/credentials/credentials.c8
-rw-r--r--source4/libcli/ldap/ldap_bind.c13
2 files changed, 19 insertions, 2 deletions
diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
index e98dfbdae4..d15cee6b77 100644
--- a/auth/credentials/credentials.c
+++ b/auth/credentials/credentials.c
@@ -365,6 +365,14 @@ _PUBLIC_ bool cli_credentials_authentication_requested(struct cli_credentials *c
return true;
}
+ /*
+ * If we forced the mech we clearly want authentication. E.g. to use
+ * SASL/EXTERNAL which has no credentials.
+ */
+ if (cred->forced_sasl_mech) {
+ return true;
+ }
+
if (cli_credentials_is_anonymous(cred)){
return false;
}
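Review bot: The new `forced_sasl_mech` test returns true for any forced mechanism, not only SASL/EXTERNAL, and because it is placed before the `cli_credentials_is_anonymous()` test an anonymous credential set with, say, a forced GSSAPI mechanism now reports that authentication was requested; the comment only gives EXTERNAL as an example and does not say this precedence is intentional. I would state it explicitly so the next reader does not "fix" the ordering: `/* Deliberately checked before the anonymous test: a forced mechanism counts as requesting authentication even with anonymous credentials (e.g. SASL/EXTERNAL, which carries none); any mismatch is left for GENSEC to report. */`. Whether callers rely on the pre-existing "anonymous means no authentication" answer for forced mechanisms cannot be seen from this hunk and is worth confirming. The body of cli_credentials_authentication_requested begins outside the hunk.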
diff --git a/source4/libcli/ldap/ldap_bind.c b/source4/libcli/ldap/ldap_bind.c
index f0a498b620..d82b7a1156 100644
--- a/source4/libcli/ldap/ldap_bind.c
+++ b/source4/libcli/ldap/ldap_bind.c
@@ -215,6 +215,7 @@ _PUBLIC_ NTSTATUS ldap_bind_sasl(struct ldap_connection *conn,
struct ldap_message **sasl_mechs_msgs;
struct ldap_SearchResEntry *search;
int count, i;
+ bool first = true;
const char **sasl_names;
uint32_t old_gensec_features;
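Review bot: `bool first = true;` does not say what the flag tracks; it is only meaningful together with the loop logic changed later in this function, where it marks whether a Bind request has been sent yet. A name that carries that meaning, such as `bool bind_sent = false;` (tested as `if (bind_sent) break;` and set with `bind_sent = true;` where the current code sets `first = false;`), would make the SASL/EXTERNAL special case readable at the declaration. The body of ldap_bind_sasl runs past this hunk, so the uses are not visible here.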
@@ -337,7 +338,13 @@ try_logon_again:
* avoid mutal authentication requirements.
*
* Likewise, you must not feed GENSEC too much (after the OK),
- * it doesn't like that either
+ * it doesn't like that either.
+ *
+ * For SASL/EXTERNAL, there is no data to send, but we still
+ * must send the actual Bind request the first time around.
+ * Otherwise, a result of NT_STATUS_OK with 0 output means the
+ * end of a multi-step authentication, and no message must be
+ * sent.
*/
gensec_status = status;
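Review bot: The rewritten comment block still carries the typo `mutal` on its first visible line; since this commit already edits the same paragraph, it should read `* avoid mutual authentication requirements.`. The new paragraph's description of the NT_STATUS_OK-with-empty-output case matches the `first` handling introduced later in the function, but it would help to add a sentence naming the flag the text refers to, e.g. `* The "first" flag below records whether that initial Bind has gone out.`, so the comment and code can be tied together when the flag is renamed or moved. The enclosing function ldap_bind_sasl starts and ends outside this hunk.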
@@ -347,8 +354,10 @@ try_logon_again:
break;
}
if (NT_STATUS_IS_OK(status) && output.length == 0) {
- break;
+ if (!first)
+ break;
}
+ first = false;
/* Perhaps we should make gensec_start_mech_by_sasl_list() return the name we got? */
msg = new_ldap_sasl_bind_msg(tmp_ctx, conn->gensec->ops->sasl_name, (output.data?&output:NULL));