From 9b9c7f8caddf2b57adfbef8741651ee5063fa3bd Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Wed, 27 Jul 2011 18:34:04 +0200
Subject: Provide means of forcing TLS and GSSAPI enabled/disabled for sdap connections
---
 src/providers/ldap/ldap_id.c | 3 ++-
 src/providers/ldap/sdap_async.h | 10 ++++++++-
 src/providers/ldap/sdap_async_connection.c | 35 ++++++++++++++++++++++++------
 src/providers/ldap/sdap_id_op.c | 4 +++-
 4 files changed, 42 insertions(+), 10 deletions(-)
(limited to 'src/providers/ldap')
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
index bd46dc9d..a1984cef 100644
--- a/src/providers/ldap/ldap_id.c
+++ b/src/providers/ldap/ldap_id.c
@@ -672,7 +672,8 @@ void sdap_check_online(struct be_req *be_req)
 struct sdap_id_ctx);
 req = sdap_cli_connect_send(be_req, be_req->be_ctx->ev, ctx->opts,
- be_req->be_ctx, ctx->service, false);
+ be_req->be_ctx, ctx->service, false,
+ CON_TLS_DFL, false);
 if (req == NULL) {
 DEBUG(1, ("sdap_cli_connect_send failed.\n"));
 goto done;
diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h
index 5da2cff4..4ba2770c 100644
--- a/src/providers/ldap/sdap_async.h
+++ b/src/providers/ldap/sdap_async.h
@@ -131,12 +131,20 @@ int sdap_exop_modify_passwd_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
 enum sdap_result *result,
 char **user_error_msg);
+enum connect_tls {
+ CON_TLS_DFL,
+ CON_TLS_ON,
+ CON_TLS_OFF
+};
+
 struct tevent_req *sdap_cli_connect_send(TALLOC_CTX *memctx,
 struct tevent_context *ev,
 struct sdap_options *opts,
 struct be_ctx *be,
 struct sdap_service *service,
- bool skip_rootdse);
+ bool skip_rootdse,
+ enum connect_tls force_tls,
+ bool skip_auth);
 int sdap_cli_connect_recv(struct tevent_req *req,
 TALLOC_CTX *memctx,
 bool *can_retry,
diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
index 0d3fd25c..1f829f17 100644
--- a/src/providers/ldap/sdap_async_connection.c
+++ b/src/providers/ldap/sdap_async_connection.c
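Review bot: The new `enum connect_tls` and the two parameters appended to the `sdap_cli_connect_send` prototype carry no documentation, and `skip_auth` is a negated flag that sdap_async_connection.c immediately stores inverted as `do_auth`, which makes it easy for a caller to pass the wrong sense. A comment on the enum such as `/* CON_TLS_DFL: honour the SDAP_ID_TLS option; CON_TLS_ON / CON_TLS_OFF: override it for this connection only */` and one on the prototype such as `/* skip_auth: when true the SASL/GSSAPI authentication step is not run after the connection is established */` would pin down what the implementation in this commit does. Both existing call sites (ldap_id.c and sdap_id_op.c) pass `CON_TLS_DFL, false`, so they are evidently meant to keep their previous behaviour.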
@@ -1125,6 +1125,9 @@ struct sdap_cli_connect_state {
 struct fo_server *srv;
 struct sdap_server_opts *srv_opts;
+
+ enum connect_tls force_tls;
+ bool do_auth;
 };
 static int sdap_cli_resolve_next(struct tevent_req *req);
@@ -1142,7 +1145,9 @@ struct tevent_req *sdap_cli_connect_send(TALLOC_CTX *memctx,
 struct sdap_options *opts,
 struct be_ctx *be,
 struct sdap_service *service,
- bool skip_rootdse)
+ bool skip_rootdse,
+ enum connect_tls force_tls,
+ bool skip_auth)
 {
 struct sdap_cli_connect_state *state;
 struct tevent_req *req;
@@ -1159,6 +1164,8 @@ struct tevent_req *sdap_cli_connect_send(TALLOC_CTX *memctx,
 state->srv_opts = NULL;
 state->be = be;
 state->use_rootdse = !skip_rootdse;
+ state->force_tls = force_tls;
+ state->do_auth = !skip_auth;
 ret = sdap_cli_resolve_next(req);
 if (ret) {
@@ -1196,8 +1203,16 @@ static void sdap_cli_resolve_done(struct tevent_req *subreq)
 struct sdap_cli_connect_state *state = tevent_req_data(req,
 struct sdap_cli_connect_state);
 int ret;
- bool use_tls = dp_opt_get_bool(state->opts->basic,
- SDAP_ID_TLS);
+ bool use_tls;
+
+ switch (state->force_tls) {
+ case CON_TLS_DFL:
+ use_tls = dp_opt_get_bool(state->opts->basic, SDAP_ID_TLS);
+ case CON_TLS_ON:
+ use_tls = true;
+ case CON_TLS_OFF:
+ use_tls = false;
+ }
 ret = be_resolve_server_recv(subreq, &state->srv);
 talloc_zfree(subreq);
@@ -1256,7 +1271,7 @@ static void sdap_cli_connect_done(struct tevent_req *subreq)
 sasl_mech = dp_opt_get_string(state->opts->basic,
 SDAP_SASL_MECH);
- if (sasl_mech && state->use_rootdse) {
+ if (state->do_auth && sasl_mech && state->use_rootdse) {
 /* check if server claims to support GSSAPI */
 if (!sdap_is_sasl_mech_supported(state->sh, sasl_mech)) {
 tevent_req_error(req, ENOTSUP);
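Review bot: The `switch (state->force_tls)` added in sdap_cli_resolve_done has no `break` statements, so every arm falls through to the last one and `use_tls` is `false` for all three enum values — including `CON_TLS_DFL`, which both existing callers pass — meaning the value just read from `SDAP_ID_TLS` is overwritten and, presumably, no connection set up through this path would request TLS any more. Each arm needs a `break;` after its assignment, and a `default:` arm such as `default: use_tls = dp_opt_get_bool(state->opts->basic, SDAP_ID_TLS); break;` would keep `use_tls` initialised if an unexpected value ever reaches this switch; compiling with `-Wimplicit-fallthrough` and `-Wswitch` would have flagged both. The rest of sdap_cli_resolve_done, including the point where `use_tls` is consumed, lies outside the hunk.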
@@ -1264,7 +1279,7 @@ static void sdap_cli_connect_done(struct tevent_req *subreq)
 }
 }
- if (sasl_mech && (strcasecmp(sasl_mech, "GSSAPI") == 0)) {
+ if (state->do_auth && sasl_mech && (strcasecmp(sasl_mech, "GSSAPI") == 0)) {
 if (dp_opt_get_bool(state->opts->basic, SDAP_KRB5_KINIT)) {
 sdap_cli_kinit_step(req);
 return;
@@ -1367,7 +1382,7 @@ static void sdap_cli_rootdse_done(struct tevent_req *subreq)
 sasl_mech = dp_opt_get_string(state->opts->basic,
 SDAP_SASL_MECH);
- if (sasl_mech && state->use_rootdse) {
+ if (state->do_auth && sasl_mech && state->use_rootdse) {
 /* check if server claims to support GSSAPI */
 if (!sdap_is_sasl_mech_supported(state->sh, sasl_mech)) {
 tevent_req_error(req, ENOTSUP);
@@ -1375,7 +1390,7 @@ static void sdap_cli_rootdse_done(struct tevent_req *subreq)
 }
 }
- if (sasl_mech && (strcasecmp(sasl_mech, "GSSAPI") == 0)) {
+ if (state->do_auth && sasl_mech && (strcasecmp(sasl_mech, "GSSAPI") == 0)) {
 if (dp_opt_get_bool(state->opts->basic, SDAP_KRB5_KINIT)) {
 sdap_cli_kinit_step(req);
 return;
@@ -1459,6 +1474,12 @@ static void sdap_cli_auth_step(struct tevent_req *req)
 struct sdap_cli_connect_state);
 struct tevent_req *subreq;
+ if (!state->do_auth) {
+ /* No authentication requested or GSSAPI auth forced off */
+ tevent_req_done(req);
+ return;
+ }
+
 subreq = sdap_auth_send(state,
 state->ev,
 state->sh,
diff --git a/src/providers/ldap/sdap_id_op.c b/src/providers/ldap/sdap_id_op.c
index 11a379cc..5087cddc 100644
--- a/src/providers/ldap/sdap_id_op.c
+++ b/src/providers/ldap/sdap_id_op.c
@@ -465,7 +465,9 @@ static int sdap_id_op_connect_step(struct tevent_req *req)
 subreq = sdap_cli_connect_send(conn_data, state->ev, state->id_ctx->opts, state->id_ctx->be,
- state->id_ctx->service, false);
+ state->id_ctx->service, false,
+ CON_TLS_DFL, false);
+
 if (!subreq) {
 ret = ENOMEM;
 goto done;
-- cgit
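Review bot: The `state->do_auth &&` prefix is now bolted onto four separate conditions — this hunk and the one at -1256 in sdap_cli_connect_done, and the two in sdap_cli_rootdse_done — so the same policy decision is restated everywhere the SASL mechanism is inspected, and a future condition in either function can easily miss it. Computing it once per function right after the `dp_opt_get_string(..., SDAP_SASL_MECH)` call, `bool want_sasl = state->do_auth && sasl_mech;`, and testing `want_sasl` in the two conditions that follow would state the intent once and leave the original conditions readable. Both functions' bodies extend outside the hunks shown.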
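Review bot: The early exit added to sdap_cli_auth_step completes the request silently when `state->do_auth` is false, so nothing in the logs distinguishes a connection that skipped authentication from one that authenticated; a message next to the new comment, e.g. `DEBUG(<level>, ("Skipping authentication step as requested by the caller\n"));` at whatever level this file uses for informational output, would make the unauthenticated path visible to operators. Note also that `tevent_req_done(req)` is invoked synchronously here, so — as the existing `sdap_cli_kinit_step(req); return;` pattern in the earlier hunks suggests — every caller of sdap_cli_auth_step presumably has to return straight after calling it; those callers and the remainder of the function body are outside the hunk.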