From 09b69a12a6456589ceefdfa941e2184ecf2e28ae Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Fri, 26 Jan 2024 18:08:55 +0100
Subject: [PATCH] s3:libads: use GSS-SPNEGO directly without asking for supportedSASLMechanisms

Every AD DC supports 'GSS-SPNEGO' and that's the only one we use anyway, so remove an unused roundtrip.

Signed-off-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett
---
 source3/libads/sasl.c | 54 ++++++++-----------------------------------
 1 file changed, 10 insertions(+), 44 deletions(-)

diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index 5ae8b999e66..da66d7d0a20 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -790,30 +790,11 @@ done:
 return status;
 }
 
-/* mapping between SASL mechanisms and functions */
-static struct {
- const char *name;
- ADS_STATUS (*fn)(ADS_STRUCT *);
-} sasl_mechanisms[] = {
- {"GSS-SPNEGO", ads_sasl_spnego_bind},
- {NULL, NULL}
-};
-
 ADS_STATUS ads_sasl_bind(ADS_STRUCT *ads)
 {
- const char *attrs[] = {"supportedSASLMechanisms", NULL};
- char **values;
 ADS_STATUS status;
- int i, j;
- LDAPMessage *res;
 struct ads_saslwrap *wrap = &ads->ldap_wrap_data;
 
- /* get a list of supported SASL mechanisms */
- status = ads_do_search(ads, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res);
- if (!ADS_ERR_OK(status)) return status;
-
- values = ldap_get_values(ads->ldap.ld, res, "supportedSASLMechanisms");
-
 if (ads->auth.flags & ADS_AUTH_SASL_SEAL) {
 wrap->wrap_type = ADS_SASLWRAP_TYPE_SEAL;
 } else if (ads->auth.flags & ADS_AUTH_SASL_SIGN) {
@@ -822,33 +803,18 @@ ADS_STATUS ads_sasl_bind(ADS_STRUCT *ads)
 wrap->wrap_type = ADS_SASLWRAP_TYPE_PLAIN;
 }
 
- /* try our supported mechanisms in order */
- for (i=0;sasl_mechanisms[i].name;i++) {
- /* see if the server supports it */
- for (j=0;values && values[j];j++) {
- if (strcmp(values[j], sasl_mechanisms[i].name) == 0) {
- DEBUG(4,("Found SASL mechanism %s\n", values[j]));
 retry:
- status = sasl_mechanisms[i].fn(ads);
- if (status.error_type == ENUM_ADS_ERROR_LDAP &&
- status.err.rc == LDAP_STRONG_AUTH_REQUIRED &&
- wrap->wrap_type == ADS_SASLWRAP_TYPE_PLAIN)
- {
- DEBUG(3,("SASL bin got LDAP_STRONG_AUTH_REQUIRED "
- "retrying with signing enabled\n"));
- wrap->wrap_type = ADS_SASLWRAP_TYPE_SIGN;
- goto retry;
- }
- ldap_value_free(values);
- ldap_msgfree(res);
- return status;
- }
- }
+ status = ads_sasl_spnego_bind(ads);
+ if (status.error_type == ENUM_ADS_ERROR_LDAP &&
+ status.err.rc == LDAP_STRONG_AUTH_REQUIRED &&
+ wrap->wrap_type == ADS_SASLWRAP_TYPE_PLAIN)
+ {
+ DEBUG(3,("SASL bin got LDAP_STRONG_AUTH_REQUIRED "
+ "retrying with signing enabled\n"));
+ wrap->wrap_type = ADS_SASLWRAP_TYPE_SIGN;
+ goto retry;
 }
-
- ldap_value_free(values);
- ldap_msgfree(res);
- return ADS_ERROR(LDAP_AUTH_METHOD_NOT_SUPPORTED);
+ return status;
 }
 
 #endif /* HAVE_LDAP */
-- 
2.47.3
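Review bot: The retry block re-added under `retry:` still logs `"SASL bin got LDAP_STRONG_AUTH_REQUIRED "`, where "bin" looks like a typo for "bind"; as these lines are being rewritten anyway, `DEBUG(3,("SASL bind got LDAP_STRONG_AUTH_REQUIRED "` would keep the message searchable in logs. A short comment above `retry:` would help too, e.g. `/* server refused an unsigned bind: retry once with signing; wrap_type is then no longer PLAIN, so this cannot loop */`, because that termination argument is otherwise implicit. With the mechanism lookup gone, a server that does not offer GSS-SPNEGO now yields whatever `ads_sasl_spnego_bind()` returns rather than `LDAP_AUTH_METHOD_NOT_SUPPORTED`, so any caller that tests for that code (none is visible here) should be checked. `ads_sasl_bind()` begins before this hunk, in the previous one.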