From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 13 Feb 2024 21:53:29 +0000 (+0100)
Subject: s3:torture: add ldaps/starttls support to run_tldap()
X-Git-Tag: tdb-1.4.11~936
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d189952f0ef45be8dc6b2dcc14e606d50bf90bad;p=thirdparty%2Fsamba.git

s3:torture: add ldaps/starttls support to run_tldap()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---

diff --git a/source3/torture/torture.c b/source3/torture/torture.c
index 240934f8263..b986d44d168 100644
--- a/source3/torture/torture.c
+++ b/source3/torture/torture.c
@@ -27,6 +27,7 @@
 #include "tldap.h"
 #include "tldap_util.h"
 #include "tldap_gensec_bind.h"
+#include "tldap_tls_connect.h"
 #include "../librpc/gen_ndr/svcctl.h"
 #include "../lib/util/memcache.h"
 #include "nsswitch/winbind_client.h"
@@ -53,6 +54,7 @@
 #include "auth/gensec/gensec.h"
 #include "lib/util/string_wrappers.h"
 #include "source3/lib/substitute.h"
+#include "ads.h"
 
 #include <gnutls/gnutls.h>
 #include <gnutls/crypto.h>
@@ -12346,12 +12348,40 @@ static bool run_tldap(int dummy)
 	struct tevent_req *req;
 	char *basedn;
 	const char *filter;
+	struct loadparm_context *lp_ctx = NULL;
+	int tcp_port = 389;
+	bool use_tls = false;
+	bool use_starttls = false;
+	int wrap_flags = -1;
+	uint32_t gensec_features = 0;
+
+	lp_ctx = loadparm_init_s3(talloc_tos(), loadparm_s3_helpers());
+
+	wrap_flags = lpcfg_client_ldap_sasl_wrapping(lp_ctx);
+
+	if (wrap_flags & ADS_AUTH_SASL_LDAPS) {
+		use_tls = true;
+		tcp_port = 636;
+	} else if (wrap_flags & ADS_AUTH_SASL_STARTTLS) {
+		use_tls = true;
+		use_starttls = true;
+	}
+	if (wrap_flags & ADS_AUTH_SASL_SEAL) {
+		gensec_features |= GENSEC_FEATURE_SEAL;
+	}
+	if (wrap_flags & ADS_AUTH_SASL_SIGN) {
+		gensec_features |= GENSEC_FEATURE_SIGN;
+	}
+
+	if (gensec_features != 0) {
+		gensec_features |= GENSEC_FEATURE_LDAP_STYLE;
+	}
 
 	if (!resolve_name(host, &addr, 0, false)) {
 		d_printf("could not find host %s\n", host);
 		return false;
 	}
-	status = open_socket_out(&addr, 389, 9999, &fd);
+	status = open_socket_out(&addr, tcp_port, 9999, &fd);
 	if (!NT_STATUS_IS_OK(status)) {
 		d_printf("open_socket_out failed: %s\n", nt_errstr(status));
 		return false;
@@ -12364,6 +12394,17 @@ static bool run_tldap(int dummy)
 		return false;
 	}
 
+	if (use_tls && !tldap_has_tls_tstream(ld)) {
+		tldap_set_starttls_needed(ld, use_starttls);
+
+		rc = tldap_tls_connect(ld, lp_ctx, host);
+		if (!TLDAP_RC_IS_SUCCESS(rc)) {
+			DBG_ERR("tldap_tls_connect(%s) failed: %s\n",
+				host, tldap_errstr(talloc_tos(), ld, rc));
+			return false;
+		}
+	}
+
 	rc = tldap_fetch_rootdse(ld);
 	if (!TLDAP_RC_IS_SUCCESS(rc)) {
 		d_printf("tldap_fetch_rootdse failed: %s\n",
@@ -12386,10 +12427,7 @@ static bool run_tldap(int dummy)
 	}
 
 	rc = tldap_gensec_bind(ld, torture_creds, "ldap", host, NULL,
-			       loadparm_init_s3(talloc_tos(),
-						loadparm_s3_helpers()),
-			       GENSEC_FEATURE_SIGN | GENSEC_FEATURE_SEAL);
-
+			       lp_ctx, gensec_features);
 	if (!TLDAP_RC_IS_SUCCESS(rc)) {
 		d_printf("tldap_gensec_bind failed\n");
 		return false;