From 98cd8edc565cae464edd257bb811a792eea6849e Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Wed, 23 Nov 2005 11:29:55 +0000 Subject: r11876: When we are using START_TLS to secure the LDAP connection, we *have* to call START_TLS again after rebinding to another LDAP server. (ldaps:// uri's are handled at by recent versions of OpenLDAP). Guenther (This used to be commit 3ccea032cb681426a1b29907a44b87b8a94e0840) --- source3/lib/smbldap.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) (limited to 'source3') diff --git a/source3/lib/smbldap.c b/source3/lib/smbldap.c index 75842ec193..a3ebe72df2 100644 --- a/source3/lib/smbldap.c +++ b/source3/lib/smbldap.c @@ -777,9 +777,18 @@ static int rebindproc_connect_with_state (LDAP *ldap_struct, { struct smbldap_state *ldap_state = arg; int rc; - DEBUG(5,("rebindproc_connect_with_state: Rebinding as \"%s\"\n", - ldap_state->bind_dn)); - + int version; + + DEBUG(5,("rebindproc_connect_with_state: Rebinding to %s as \"%s\"\n", + url, ldap_state->bind_dn)); + + /* call START_TLS again (ldaps:// is handled by the OpenLDAP library + * itself) before rebinding to another LDAP server to avoid to expose + * our credentials. At least *try* to secure the connection - Guenther */ + + smb_ldap_upgrade_conn(ldap_struct, &version); + smb_ldap_start_tls(ldap_struct, version); + /** @TODO Should we be doing something to check what servers we rebind to? Could we get a referral to a machine that we don't want to give our username and password to? */ -- cgit