From b236d54c42a01343c4b0ec68d70a47a48531e71d Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 12 Dec 2006 22:43:35 +0000 Subject: r20141: use the gensec_features of the cli_credentials for ildap connections, instead of hardcoded GENSEC_FEATURE_SEAL. That means plain LDAP is now the default. metze (This used to be commit b69471866c2a6c61002147938f233f2f63963ba4) --- source4/libcli/ldap/ldap_bind.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) (limited to 'source4') diff --git a/source4/libcli/ldap/ldap_bind.c b/source4/libcli/ldap/ldap_bind.c index c4c731e4f5..addc8cf91e 100644 --- a/source4/libcli/ldap/ldap_bind.c +++ b/source4/libcli/ldap/ldap_bind.c @@ -28,6 +28,7 @@ #include "lib/tls/tls.h" #include "auth/gensec/gensec.h" #include "auth/gensec/socket.h" +#include "auth/credentials/credentials.h" #include "lib/stream/packet.h" struct ldap_simple_creds { @@ -211,7 +212,7 @@ NTSTATUS ldap_bind_sasl(struct ldap_connection *conn, struct cli_credentials *cr int count, i; const char **sasl_names; - + uint32_t old_gensec_features; static const char *supported_sasl_mech_attrs[] = { "supportedSASLMechanisms", NULL @@ -225,10 +226,12 @@ NTSTATUS ldap_bind_sasl(struct ldap_connection *conn, struct cli_credentials *cr /* require Kerberos SIGN/SEAL only if we don't use SSL * Windows seem not to like double encryption */ - if (!tls_enabled(conn->sock)) { - gensec_want_feature(conn->gensec, 0 | GENSEC_FEATURE_SIGN | GENSEC_FEATURE_SEAL); + old_gensec_features = cli_credentials_get_gensec_features(creds); + if (tls_enabled(conn->sock)) { + cli_credentials_set_gensec_features(creds, 0); } + /* this call also sets the gensec_want_features */ status = gensec_set_credentials(conn->gensec, creds); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to set GENSEC creds: %s\n", 
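Review bot: The comment kept at the top of the `@@ -225,10 +226,12 @@` hunk, `require Kerberos SIGN/SEAL only if we don't use SSL`, is stale after this change: the new code requires nothing and only clears the credentials' features when TLS is enabled. Without TLS the requested protection is whatever `cli_credentials_get_gensec_features(creds)` returns, so a caller that never set `GENSEC_FEATURE_SIGN` or `GENSEC_FEATURE_SEAL` presumably gets a bind with neither signing nor sealing, and nothing is logged. I would reword the comment to something like `/* with TLS, clear the gensec features (Windows rejects double encryption); without TLS, use what the caller set in creds, which may be no SIGN/SEAL at all */`. A `DEBUG` line for the no-TLS, no-SIGN/SEAL case would also make that state visible to operators. The body of ldap_bind_sasl starts and ends outside this hunk.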
@@ -236,6 +239,9 @@ NTSTATUS ldap_bind_sasl(struct ldap_connection *conn, struct cli_credentials *cr goto failed; } + /* reset the original gensec_features */ + cli_credentials_set_gensec_features(creds, old_gensec_features); + if (conn->host) { status = gensec_set_target_hostname(conn->gensec, conn->host); if (!NT_STATUS_IS_OK(status)) { -- cgit
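Review bot: The restore of `old_gensec_features` comes after the `goto failed;` of the `gensec_set_credentials` check, so when that call fails on a TLS connection the caller's `creds` keeps its features at 0. `old_gensec_features` is introduced by this commit and all nine added lines are in the visible hunks, so nothing at the `failed` label can put the value back. If the same credentials are later reused for a non-TLS bind, it would, as far as this diff shows, be set up without the SIGN/SEAL the caller had configured. Moving `cli_credentials_set_gensec_features(creds, old_gensec_features);` to directly after `status = gensec_set_credentials(conn->gensec, creds);`, before the status test, restores the value on both paths. The function body extends beyond this hunk.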