summaryrefslogtreecommitdiff
path: root/server/providers/ldap/ldap_id.c
diff options
context:
space:
mode:
authorSimo Sorce <ssorce@redhat.com>2009-09-25 09:46:30 -0400
committerStephen Gallagher <sgallagh@redhat.com>2009-10-01 08:42:36 -0400
commitbc58f5892d3a8f6b28e2148c5a0cca34b63ef354 (patch)
treee7db3c657227adb86f49abd84ca4fa426e929621 /server/providers/ldap/ldap_id.c
parentd4341d654beb1f6c87d7f70ef0142f23aadac957 (diff)
downloadsssd-bc58f5892d3a8f6b28e2148c5a0cca34b63ef354.tar.gz
sssd-bc58f5892d3a8f6b28e2148c5a0cca34b63ef354.tar.bz2
sssd-bc58f5892d3a8f6b28e2148c5a0cca34b63ef354.zip
Initial implementation of sasl bind support
Inits krb5 credentials, if sasl mech is GSSAPI. Tested with GSSAPI and host keytab as well as user credentials. Updates also manpages with the new options.
Diffstat (limited to 'server/providers/ldap/ldap_id.c')
-rw-r--r--server/providers/ldap/ldap_id.c132
1 files changed, 80 insertions, 52 deletions
diff --git a/server/providers/ldap/ldap_id.c b/server/providers/ldap/ldap_id.c
index 12fb476b..271eaea1 100644
--- a/server/providers/ldap/ldap_id.c
+++ b/server/providers/ldap/ldap_id.c
@@ -95,24 +95,17 @@ static bool connected(struct sdap_id_ctx *ctx)
struct sdap_id_connect_state {
struct tevent_context *ev;
struct sdap_id_ctx *ctx;
- bool use_start_tls;
- char *defaultBindDn;
- char *defaultAuthtokType;
- struct sdap_blob defaultAuthtok;
struct sdap_handle *sh;
};
static void sdap_id_connect_done(struct tevent_req *subreq);
+static void sdap_id_kinit_done(struct tevent_req *subreq);
static void sdap_id_bind_done(struct tevent_req *subreq);
static struct tevent_req *sdap_id_connect_send(TALLOC_CTX *memctx,
struct tevent_context *ev,
- struct sdap_id_ctx *ctx,
- bool use_start_tls,
- char *defaultBindDn,
- char *defaultAuthtokType,
- struct sdap_blob defaultAuthtok)
+ struct sdap_id_ctx *ctx)
{
struct tevent_req *req, *subreq;
struct sdap_id_connect_state *state;
@@ -122,12 +115,9 @@ static struct tevent_req *sdap_id_connect_send(TALLOC_CTX *memctx,
state->ev = ev;
state->ctx = ctx;
- state->use_start_tls = use_start_tls;
- state->defaultBindDn = defaultBindDn;
- state->defaultAuthtokType = defaultAuthtokType;
- state->defaultAuthtok = defaultAuthtok;
- subreq = sdap_connect_send(state, ev, ctx->opts, use_start_tls);
+ subreq = sdap_connect_send(state, ev, ctx->opts,
+ sdap_go_get_bool(ctx->opts->basic, SDAP_ID_TLS));
if (!subreq) {
talloc_zfree(req);
return NULL;
@@ -143,6 +133,7 @@ static void sdap_id_connect_done(struct tevent_req *subreq)
struct tevent_req);
struct sdap_id_connect_state *state = tevent_req_data(req,
struct sdap_id_connect_state);
+ const char *sasl_mech;
int ret;
ret = sdap_connect_recv(subreq, state, &state->sh);
@@ -152,14 +143,81 @@ static void sdap_id_connect_done(struct tevent_req *subreq)
return;
}
- /* TODO: use authentication (SASL/GSSAPI) when necessary */
- subreq = sdap_auth_send(state, state->ev, state->sh, state->defaultBindDn,
- state->defaultAuthtokType, state->defaultAuthtok);
+ sasl_mech = sdap_go_get_string(state->ctx->opts->basic, SDAP_SASL_MECH);
+ if (sasl_mech && (strcasecmp(sasl_mech, "GSSAPI") == 0)) {
+ if (sdap_go_get_bool(state->ctx->opts->basic, SDAP_KRB5_KINIT)) {
+ subreq = sdap_kinit_send(state, state->ev, state->sh,
+ sdap_go_get_string(state->ctx->opts->basic,
+ SDAP_KRB5_KEYTAB),
+ sdap_go_get_string(state->ctx->opts->basic,
+ SDAP_SASL_AUTHID),
+ sdap_go_get_string(state->ctx->opts->basic,
+ SDAP_KRB5_REALM));
+ if (!subreq) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+ tevent_req_set_callback(subreq, sdap_id_kinit_done, req);
+ return;
+ }
+ }
+
+ subreq = sdap_auth_send(state,
+ state->ev,
+ state->sh,
+ sasl_mech,
+ sdap_go_get_string(state->ctx->opts->basic,
+ SDAP_SASL_AUTHID),
+ sdap_go_get_string(state->ctx->opts->basic,
+ SDAP_DEFAULT_BIND_DN),
+ sdap_go_get_string(state->ctx->opts->basic,
+ SDAP_DEFAULT_AUTHTOK_TYPE),
+ sdap_go_get_blob(state->ctx->opts->basic,
+ SDAP_DEFAULT_AUTHTOK));
if (!subreq) {
tevent_req_error(req, ENOMEM);
return;
}
+ tevent_req_set_callback(subreq, sdap_id_bind_done, req);
+}
+
+static void sdap_id_kinit_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct sdap_id_connect_state *state = tevent_req_data(req,
+ struct sdap_id_connect_state);
+ enum sdap_result result;
+ int ret;
+ ret = sdap_kinit_recv(subreq, &result);
+ talloc_zfree(subreq);
+ if (ret) {
+ tevent_req_error(req, ret);
+ return;
+ }
+ if (result != SDAP_AUTH_SUCCESS) {
+ tevent_req_error(req, EACCES);
+ return;
+ }
+
+ subreq = sdap_auth_send(state,
+ state->ev,
+ state->sh,
+ sdap_go_get_string(state->ctx->opts->basic,
+ SDAP_SASL_MECH),
+ sdap_go_get_string(state->ctx->opts->basic,
+ SDAP_SASL_AUTHID),
+ sdap_go_get_string(state->ctx->opts->basic,
+ SDAP_DEFAULT_BIND_DN),
+ sdap_go_get_string(state->ctx->opts->basic,
+ SDAP_DEFAULT_AUTHTOK_TYPE),
+ sdap_go_get_blob(state->ctx->opts->basic,
+ SDAP_DEFAULT_AUTHTOK));
+ if (!subreq) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
tevent_req_set_callback(subreq, sdap_id_bind_done, req);
}
@@ -267,13 +325,7 @@ static struct tevent_req *users_get_send(TALLOC_CTX *memctx,
/* FIXME: add option to decide if tls should be used
* or SASL/GSSAPI, etc ... */
- subreq = sdap_id_connect_send(state, ev, ctx, false,
- sdap_go_get_string(ctx->opts->basic,
- SDAP_DEFAULT_BIND_DN),
- sdap_go_get_string(ctx->opts->basic,
- SDAP_DEFAULT_AUTHTOK_TYPE),
- sdap_go_get_blob(ctx->opts->basic,
- SDAP_DEFAULT_AUTHTOK));
+ subreq = sdap_id_connect_send(state, ev, ctx);
if (!subreq) {
ret = ENOMEM;
goto fail;
@@ -436,13 +488,7 @@ static struct tevent_req *groups_get_send(TALLOC_CTX *memctx,
/* FIXME: add option to decide if tls should be used
* or SASL/GSSAPI, etc ... */
- subreq = sdap_id_connect_send(state, ev, ctx, false,
- sdap_go_get_string(ctx->opts->basic,
- SDAP_DEFAULT_BIND_DN),
- sdap_go_get_string(ctx->opts->basic,
- SDAP_DEFAULT_AUTHTOK_TYPE),
- sdap_go_get_blob(ctx->opts->basic,
- SDAP_DEFAULT_AUTHTOK));
+ subreq = sdap_id_connect_send(state, ev, ctx);
if (!subreq) {
ret = ENOMEM;
goto fail;
@@ -579,13 +625,7 @@ static struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx,
/* FIXME: add option to decide if tls should be used
* or SASL/GSSAPI, etc ... */
- subreq = sdap_id_connect_send(state, ev, ctx, false,
- sdap_go_get_string(ctx->opts->basic,
- SDAP_DEFAULT_BIND_DN),
- sdap_go_get_string(ctx->opts->basic,
- SDAP_DEFAULT_AUTHTOK_TYPE),
- sdap_go_get_blob(ctx->opts->basic,
- SDAP_DEFAULT_AUTHTOK));
+ subreq = sdap_id_connect_send(state, ev, ctx);
if (!subreq) {
ret = ENOMEM;
goto fail;
@@ -1039,13 +1079,7 @@ static struct tevent_req *enum_users_send(TALLOC_CTX *memctx,
/* FIXME: add option to decide if tls should be used
* or SASL/GSSAPI, etc ... */
- subreq = sdap_id_connect_send(state, ev, ctx, false,
- sdap_go_get_string(ctx->opts->basic,
- SDAP_DEFAULT_BIND_DN),
- sdap_go_get_string(ctx->opts->basic,
- SDAP_DEFAULT_AUTHTOK_TYPE),
- sdap_go_get_blob(ctx->opts->basic,
- SDAP_DEFAULT_AUTHTOK));
+ subreq = sdap_id_connect_send(state, ev, ctx);
if (!subreq) {
ret = ENOMEM;
goto fail;
@@ -1192,13 +1226,7 @@ static struct tevent_req *enum_groups_send(TALLOC_CTX *memctx,
/* FIXME: add option to decide if tls should be used
* or SASL/GSSAPI, etc ... */
- subreq = sdap_id_connect_send(state, ev, ctx, false,
- sdap_go_get_string(ctx->opts->basic,
- SDAP_DEFAULT_BIND_DN),
- sdap_go_get_string(ctx->opts->basic,
- SDAP_DEFAULT_AUTHTOK_TYPE),
- sdap_go_get_blob(ctx->opts->basic,
- SDAP_DEFAULT_AUTHTOK));
+ subreq = sdap_id_connect_send(state, ev, ctx);
if (!subreq) {
ret = ENOMEM;
goto fail;