From 53a368c58d006e50309127dd1e1c5adde47368bb Mon Sep 17 00:00:00 2001
From: Christof Schmitt
Date: Wed, 22 Jul 2020 11:18:20 -0700
Subject: [PATCH] idmap_ad: Honor "client ldap sasl wrapping" config setting

Instead of hard-coding SIGN and SEAL for the connections from this idmap module, query the desired wrapping from "client ldap sasl wrapping".

Signed-off-by: Christof Schmitt
Reviewed-by: Volker Lendecke
Autobuild-User(master): Jeremy Allison
Autobuild-Date(master): Thu Sep 10 23:19:56 UTC 2020 on sn-devel-184
---
 source3/winbindd/idmap_ad.c | 27 ++++++++++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)

diff --git a/source3/winbindd/idmap_ad.c b/source3/winbindd/idmap_ad.c
index bd5add9aca2..0595a7b270a 100644
--- a/source3/winbindd/idmap_ad.c
+++ b/source3/winbindd/idmap_ad.c
@@ -290,6 +290,30 @@ static void PRINTF_ATTRIBUTE(3, 0) idmap_ad_tldap_debug(
 }
 }
+static uint32_t gensec_features_from_ldap_sasl_wrapping(void)
+{
+ int wrap_flags;
+ uint32_t gensec_features = 0;
+ wrap_flags = lp_client_ldap_sasl_wrapping();
+ if (wrap_flags == -1) {
+ wrap_flags = 0;
+ }
+
+ if (wrap_flags & ADS_AUTH_SASL_SEAL) {
+ gensec_features |= GENSEC_FEATURE_SEAL;
+ }
+ if (wrap_flags & ADS_AUTH_SASL_SIGN) {
+ gensec_features |= GENSEC_FEATURE_SIGN;
+ }
+
+ if (gensec_features != 0) {
+ gensec_features |= GENSEC_FEATURE_LDAP_STYLE;
+ }
+
+ return gensec_features;
+}
+
 static NTSTATUS idmap_ad_get_tldap_ctx(TALLOC_CTX *mem_ctx,
 const char *domname,
 struct tldap_context **pld)
@@ -299,6 +323,7 @@ static NTSTATUS idmap_ad_get_tldap_ctx(TALLOC_CTX *mem_ctx,
 struct cli_credentials *creds;
 struct loadparm_context *lp_ctx;
 struct tldap_context *ld;
+ uint32_t gensec_features = gensec_features_from_ldap_sasl_wrapping();
 int fd;
 NTSTATUS status;
 bool ok;
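Review bot: gensec_features_from_ldap_sasl_wrapping() returns 0 both for `client ldap sasl wrapping = plain` and for the `wrap_flags == -1` branch, and in the third hunk (inside idmap_ad_get_tldap_ctx, whose body lies mostly outside that hunk) that 0 is handed straight to tldap_gensec_bind(), so the idmap connection to dcinfo->dc_unc then runs with neither integrity nor confidentiality protection, where the removed line always requested SIGN|SEAL. That is the configured behaviour, but the downgrade leaves no trace in the logs; the only nearby message is the DBG_DEBUG on bind failure. I would make it visible before the return: `if (gensec_features == 0) {` / `DBG_NOTICE("LDAP SASL wrapping disabled, binding without sign/seal\n");` / `}`. A short header comment would also help, along the lines of "Map the 'client ldap sasl wrapping' setting (ADS_AUTH_SASL_* flags) to GENSEC_FEATURE_* bits; 0 means an unprotected bind, and GENSEC_FEATURE_LDAP_STYLE is added whenever any protection is requested". The -1 case deserves one line too, e.g. `/* -1: lookup failed or unset, treated as plain */`, assuming that is what the -1 result means here.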
@@ -368,7 +393,7 @@ static NTSTATUS idmap_ad_get_tldap_ctx(TALLOC_CTX *mem_ctx,
 }
 rc = tldap_gensec_bind(ld, creds, "ldap", dcinfo->dc_unc, NULL, lp_ctx,
- GENSEC_FEATURE_SIGN | GENSEC_FEATURE_SEAL);
+ gensec_features);
 if (!TLDAP_RC_IS_SUCCESS(rc)) {
 DBG_DEBUG("tldap_gensec_bind failed: %s\n",
 tldap_errstr(dcinfo, ld, rc));
-- 
2.47.3