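--- a/source3/param/loadparm.c 2013-03-18 01:59:37.000000000 -0700
+++ b/source3/param/loadparm.c 2013-05-10 23:59:37.528279300 +0200
@@ -278,6 +278,9 @@
 int ldap_follow_referral;
 char *szLdapSuffix;
 char *szLdapAdminDn;
+ char *szLdapCertDBdir;
+ char *szLdapKeyDBdir;
+ bool ldap_privkey_open;
 int ldap_debug_level;
 int ldap_debug_threshold;
 int iAclCompat;
@@ -3701,6 +3704,33 @@
 .flags = FLAG_ADVANCED,
 },
 {
+ .label = "ldap certdb dir",
+ .type = P_STRING,
+ .p_class = P_GLOBAL,
+ .ptr = &Globals.szLdapCertDBdir,
+ .special = NULL,
+ .enum_list = NULL,
+ .flags = FLAG_ADVANCED,
+ },
+ {
+ .label = "ldap keydb dir",
+ .type = P_STRING,
+ .p_class = P_GLOBAL,
+ .ptr = &Globals.szLdapKeyDBdir,
+ .special = NULL,
+ .enum_list = NULL,
+ .flags = FLAG_ADVANCED,
+ },
+ {
+ .label = "ldap privkey open",
+ .type = P_BOOL,
+ .p_class = P_GLOBAL,
+ .ptr = &Globals.ldap_privkey_open,
+ .special = NULL,
+ .enum_list = NULL,
+ .flags = FLAG_ADVANCED,
+ },
+ {
 .label = "ldap delete dn",
 .type = P_BOOL,
 .p_class = P_GLOBAL,
@@ -5366,6 +5396,9 @@
 string_set(&Globals.szLdapIdmapSuffix, "");
 
 string_set(&Globals.szLdapAdminDn, "");
+ string_set(&Globals.szLdapCertDBdir, get_dyn_PRIVATE_DIR());
+ string_set(&Globals.szLdapKeyDBdir, get_dyn_PRIVATE_DIR());
+ Globals.ldap_privkey_open = False;
 Globals.ldap_ssl = LDAP_SSL_START_TLS;
 Globals.ldap_ssl_ads = False;
 Globals.ldap_deref = -1;
@@ -5747,6 +5780,9 @@
 
 FN_GLOBAL_STRING(lp_ldap_suffix, &Globals.szLdapSuffix)
 FN_GLOBAL_STRING(lp_ldap_admin_dn, &Globals.szLdapAdminDn)
+FN_GLOBAL_STRING(lp_ldap_certdb_dir, &Globals.szLdapCertDBdir)
+FN_GLOBAL_STRING(lp_ldap_keydb_dir, &Globals.szLdapKeyDBdir)
+FN_GLOBAL_BOOL(lp_ldap_privkey_open, &Globals.ldap_privkey_open)
 FN_GLOBAL_INTEGER(lp_ldap_ssl, &Globals.ldap_ssl)
 FN_GLOBAL_BOOL(lp_ldap_ssl_ads, &Globals.ldap_ssl_ads)
 FN_GLOBAL_INTEGER(lp_ldap_deref, &Globals.ldap_deref)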
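Review bot: The three parameters added in the second hunk — `ldap certdb dir`, `ldap keydb dir` and `ldap privkey open` — enter the table with no comment saying what they control, and the third hunk silently defaults both directories to the private dir. `ldap privkey open` is a bool whose label does not describe its effect; from the way smbldap.c in this same patch passes it as the third argument of `ldapssl_clientauth_init()` it appears to be that SDK's flag for whether a key database must be opened, so a table comment such as `/* NSS cert/key DB dirs and the needkeydb flag handed to ldapssl_clientauth_init() (Mozilla/Netscape LDAP SDK only) */` would make the three entries self-explanatory. Defaulting the key DB to the private dir is sensible since that directory already holds Samba's secrets, but the defaults and the SDK-only scope should also appear in the smb.conf documentation for these options.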
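--- a/source3/include/proto.h 2013-03-18 01:59:37.000000000 -0700
+++ b/source3/include/proto.h 2013-05-11 00:04:26.565521200 +0200
@@ -1429,6 +1429,9 @@
 bool lp_passdb_expand_explicit(void);
 char *lp_ldap_suffix(void);
 char *lp_ldap_admin_dn(void);
+char *lp_ldap_certdb_dir(void);
+char *lp_ldap_keydb_dir(void);
+bool lp_ldap_privkey_open(void);
 int lp_ldap_ssl(void);
 bool lp_ldap_ssl_ads(void);
 int lp_ldap_deref(void);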
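--- a/source3/include/smb_ldap.h 2013-03-18 01:59:37.000000000 -0700
+++ b/source3/include/smb_ldap.h 2013-04-29 13:33:34.602541500 -0700
@@ -63,6 +63,10 @@
 
 #endif /* HAVE_LDAP_H */
 
+#if HAVE_LDAP_SSL_H
+#include <ldap_ssl.h>
+#endif /* HAVE_LDAP_SSL_H */
+
 #ifndef HAVE_LDAP
 #define LDAP void
 #define LDAPMessage void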
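Review bot: `#if HAVE_LDAP_SSL_H` tests a macro that is simply absent when configure does not find the header; an undefined identifier evaluates to 0 so this works, but it trips -Wundef and reads as if the macro could carry a meaningful value. `#ifdef HAVE_LDAP_SSL_H` is the conventional spelling for a presence macro that is either defined to 1 or not defined, and the `#endif /* HAVE_LDAP_SSL_H */` comment stays as is.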
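--- a/source3/lib/smbldap.c 2013-05-08 10:16:26.000000000 +0200
+++ b/source3/lib/smbldap.c 2013-07-03 09:00:28.482477500 +0200
@@ -780,7 +780,7 @@
 
 int smb_ldap_start_tls(LDAP *ldap_struct, int version)
 {
-#ifdef LDAP_OPT_X_TLS
+#ifdef HAVE_LDAP_START_TLS_S
 int rc;
 #endif
 
@@ -788,12 +788,24 @@
 return LDAP_SUCCESS;
 }
 
-#ifdef LDAP_OPT_X_TLS
+#ifdef HAVE_LDAP_START_TLS_S
 if (version != LDAP_VERSION3) {
 DEBUG(0, ("Need LDAPv3 for Start TLS\n"));
 return LDAP_OPERATIONS_ERROR;
 }
 
+#ifdef HAVE_LDAPSSL_INIT /* Netscape */
+ rc = ldapssl_clientauth_init(lp_ldap_certdb_dir(), NULL,
+ lp_ldap_privkey_open(), lp_ldap_keydb_dir(), NULL);
+ if (rc != LDAP_SUCCESS) {
+ DEBUG(0,("ldapssl_clientauth_init with '%s' cert db, "
+ "%s key db, failed: %s\n",
+ lp_ldap_certdb_dir(), lp_ldap_keydb_dir(),
+ ldap_err2string(rc)));
+ return rc;
+ }
+#endif /* HAVE_LDAPSSL_INIT */
+
 if ((rc = ldap_start_tls_s (ldap_struct, NULL, NULL)) != LDAP_SUCCESS) {
 DEBUG(0,("Failed to issue the StartTLS instruction: %s\n",
 ldap_err2string(rc)));
@@ -802,12 +814,14 @@
 
 DEBUG (3, ("StartTLS issued: using a TLS connection\n"));
 return LDAP_SUCCESS;
-#else
+
+#else /* ! HAVE_LDAP_START_TLS_S */
 DEBUG(0,("StartTLS not supported by LDAP client libraries!\n"));
 return LDAP_OPERATIONS_ERROR;
-#endif
+#endif /* HAVE_LDAP_START_TLS_S */
 }
 
+
 /********************************************************************
 setup a connection to the LDAP server based on a uri
 *******************************************************************/
@@ -815,8 +829,24 @@
 static int smb_ldap_setup_conn(LDAP **ldap_struct, const char *uri)
 {
 int rc;
+#ifdef LDAP_OPT_TIMELIMIT
+ int ot = lp_ldap_timeout();
+#endif
+#ifdef LDAP_X_OPT_CONNECT_TIMEOUT /* Netscape */
+ int ct = lp_ldap_connection_timeout() * 1000;
+#elif defined (LDAP_OPT_NETWORK_TIMEOUT) /* OpenLDAP */
+ struct timeval ct;
+#endif
+#ifndef HAVE_LDAP_INITIALIZE
+ int port = 0;
+ fstring protocol;
+ fstring host;
+ /* Following symbols are only available if Mozldap */
+ /* is compiled with LDAP_DEBUG on */
+ /* extern int lber_debug, ldap_debug; */
+#endif
 
- DEBUG(10, ("smb_ldap_setup_connection: %s\n", uri));
+ DEBUG(10, ("smb_ldap_setup_conn: %s\n", uri));
 
 #ifdef HAVE_LDAP_INITIALIZE
 
@@ -837,74 +867,105 @@
 return LDAP_SUCCESS;
 #else
 
+ /* lber_debug = 255 ; */
+ /* ldap_debug = 1023 | 0x4000 ; */
+
 /* Parse the string manually */
 
- {
- int port = 0;
- fstring protocol;
- fstring host;
- SMB_ASSERT(sizeof(protocol)>10 && sizeof(host)>254);
+ SMB_ASSERT(sizeof(protocol)>10 && sizeof(host)>254);
 
 
- /* skip leading "URL:" (if any) */
- if ( strnequal( uri, "URL:", 4 ) ) {
- uri += 4;
- }
+ /* skip leading "URL:" (if any) */
+ if ( strnequal( uri, "URL:", 4 ) ) {
+ uri += 4;
+ }
 
- sscanf(uri, "%10[^:]://%254[^:/]:%d", protocol, host, &port);
+ sscanf(uri, "%10[^:]://%254[^:/]:%d", protocol, host, &port);
 
- if (port == 0) {
- if (strequal(protocol, "ldap")) {
- port = LDAP_PORT;
- } else if (strequal(protocol, "ldaps")) {
- port = LDAPS_PORT;
- } else {
- DEBUG(0, ("unrecognised protocol (%s)!\n", protocol));
- }
+ if (port == 0) {
+ if (strequal(protocol, "ldap")) {
+ port = LDAP_PORT;
+ } else if (strequal(protocol, "ldaps")) {
+ port = LDAPS_PORT;
+ } else {
+ DEBUG(0, ("unrecognised protocol (%s)!\n", protocol));
+ return LDAP_OPERATIONS_ERROR;
 }
+ }
 
+ if (strequal(protocol, "ldap")) {
 if ((*ldap_struct = ldap_init(host, port)) == NULL) {
 DEBUG(0, ("ldap_init failed !\n"));
 return LDAP_OPERATIONS_ERROR;
 }
-
- if (strequal(protocol, "ldaps")) {
+ } else if (strequal(protocol, "ldaps")) {
 #ifdef LDAP_OPT_X_TLS
- int tls = LDAP_OPT_X_TLS_HARD;
- if (ldap_set_option (*ldap_struct, LDAP_OPT_X_TLS, &tls) != LDAP_SUCCESS)
- {
- DEBUG(0, ("Failed to setup a TLS session\n"));
+ int tls = LDAP_OPT_X_TLS_HARD;
+ if ((*ldap_struct = ldap_init(host, port)) == NULL) {
+ DEBUG(0, ("ldap_init failed !\n"));
+ return LDAP_OPERATIONS_ERROR;
+ }
+ if (ldap_set_option (*ldap_struct, LDAP_OPT_X_TLS, &tls) != LDAP_SUCCESS) {
+ DEBUG(0, ("Failed to setup a TLS session\n"));
+ }
+
+ DEBUG(3,("LDAPS option set...!\n"));
+
+#elif defined(HAVE_LDAPSSL_INIT) /* Netscape */
+ if (*ldap_struct != NULL) {
+ rc = ldap_unbind_s(*ldap_struct);
+ if (rc == LDAP_SUCCESS) {
+ DEBUG(10, ("LDAP already bound... unbound.\n"));
+ } else {
+ DEBUG(10, ("ldap_unbind_s failed: %s\n",
+ ldap_err2string(rc)));
 }
+ *ldap_struct = NULL;
+ }
+ rc = ldapssl_clientauth_init(lp_ldap_certdb_dir(), NULL,
+ lp_ldap_privkey_open(), lp_ldap_keydb_dir(), NULL);
+ if (rc != LDAP_SUCCESS) {
+ DEBUG(0,("ldapssl_clientauth_init with '%s' cert db, "
+ "%s key db, failed: %s\n",
+ lp_ldap_certdb_dir(), lp_ldap_keydb_dir(),
+ ldap_err2string(rc)));
+ return rc;
+ }
 
- DEBUG(3,("LDAPS option set...!\n"));
+ if ((*ldap_struct = ldapssl_init(host, port, True)) == NULL) {
+ DEBUG(0, ("ldapssl_init to %s:%d failed!\n", host,
+ port));
+ return LDAP_OPERATIONS_ERROR;
+ }
 #else
- DEBUG(0,("smbldap_open_connection: Secure connection not supported by LDAP client libraries!\n"));
+ DEBUG(0,("smbldap_open_connection: Secure connection not supported by LDAP client libraries!\n"));
 return LDAP_OPERATIONS_ERROR;
 #endif /* LDAP_OPT_X_TLS */
- }
 }
 #endif /* HAVE_LDAP_INITIALIZE */
 
+#ifdef LDAP_OPT_TIMELIMIT
+ rc = ldap_set_option(*ldap_struct, LDAP_OPT_TIMELIMIT, &ot);
+ if (rc != LDAP_SUCCESS) {
+ DEBUG(0,("Failed to setup a ldap operation timeout %d: %s\n",
+ ot, ldap_err2string(rc)));
+ }
+#endif
+
 /* now set connection timeout */
 #ifdef LDAP_X_OPT_CONNECT_TIMEOUT /* Netscape */
- {
- int ct = lp_ldap_connection_timeout()*1000;
- rc = ldap_set_option(*ldap_struct, LDAP_X_OPT_CONNECT_TIMEOUT, &ct);
- if (rc != LDAP_SUCCESS) {
- DEBUG(0,("Failed to setup an ldap connection timeout %d: %s\n",
- ct, ldap_err2string(rc)));
- }
+ rc = ldap_set_option(*ldap_struct, LDAP_X_OPT_CONNECT_TIMEOUT, &ct);
+ if (rc != LDAP_SUCCESS) {
+ DEBUG(0,("Failed to setup an ldap connection timeout %d: %s\n",
+ ct, ldap_err2string(rc)));
 }
 #elif defined (LDAP_OPT_NETWORK_TIMEOUT) /* OpenLDAP */
- {
- struct timeval ct;
- ct.tv_usec = 0;
- ct.tv_sec = lp_ldap_connection_timeout();
- rc = ldap_set_option(*ldap_struct, LDAP_OPT_NETWORK_TIMEOUT, &ct);
- if (rc != LDAP_SUCCESS) {
- DEBUG(0,("Failed to setup an ldap connection timeout %d: %s\n",
- (int)ct.tv_sec, ldap_err2string(rc)));
- }
+ ct.tv_usec = 0;
+ ct.tv_sec = lp_ldap_connection_timeout();
+ rc = ldap_set_option(*ldap_struct, LDAP_OPT_NETWORK_TIMEOUT, &ct);
+ if (rc != LDAP_SUCCESS) {
+ DEBUG(0,("Failed to setup an ldap connection timeout %d: %s\n",
+ (int)ct.tv_sec, ldap_err2string(rc)));
 }
 #endif
 
@@ -1094,7 +1155,7 @@
 * our credentials. At least *try* to secure the connection - Guenther */
 
 smb_ldap_upgrade_conn(ldap_struct, &version);
- smb_ldap_start_tls(ldap_struct, version);
+ /* smb_ldap_start_tls(ldap_struct, version); */
 
 /** @TODO Should we be doing something to check what servers we rebind to?
 Could we get a referral to a machine that we don't want to give our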
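Review bot: The last hunk turns `smb_ldap_start_tls(ldap_struct, version);` into a comment, so the connection-opening code no longer issues StartTLS at all even though the comment directly above it says to at least try, and with `ldap ssl = start tls` (the default set in loadparm.c in this same patch) the bind that follows would carry the admin DN credentials over a plaintext connection. The call must be restored, and since its result was already being discarded this is the moment to keep it: `if (smb_ldap_start_tls(ldap_struct, version) != LDAP_SUCCESS) { DEBUG(0, ("StartTLS failed, continuing unprotected\n")); }` at minimum, or an error return if the policy is to refuse a clear-text bind — the early `return LDAP_SUCCESS;` at the top of the second hunk suggests the function already short-circuits when StartTLS is not configured, so the check is safe; the enclosing function starts outside the hunk. In the smb_ldap_setup_conn hunk the return of `sscanf(uri, "%10[^:]://%254[^:/]:%d", protocol, host, &port)` is ignored, so a uri that does not match leaves `protocol` and `host` — now declared uninitialised at function scope — to be read by `strequal`; guard it with `if (sscanf(uri, "%10[^:]://%254[^:/]:%d", protocol, host, &port) < 2) { DEBUG(0, ("cannot parse LDAP uri\n")); return LDAP_OPERATIONS_ERROR; }`. Also in that hunk, the OpenLDAP `ldaps` branch only logs a failed `ldap_set_option (*ldap_struct, LDAP_OPT_X_TLS, &tls)` and then prints "LDAPS option set...!", handing back a handle that may not enforce TLS; return LDAP_OPERATIONS_ERROR there as the Netscape branch does for its own failures.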
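--- a/source3/configure.in 2013-04-26 03:05:37.000000000 -0700
+++ b/source3/configure.in 2013-05-09 13:54:35.613605329 -0700
@@ -3485,6 +3485,14 @@
 fi
 
 ##################################################################
+ # check for ldap_ssl.h (Mozldap)
+ AC_CHECK_HEADERS([ldap_ssl.h], [], [],
+ [[#if HAVE_LDAP_H
+ #include <ldap.h>
+ #endif
+ ]])
+
+ ##################################################################
 # HP/UX does not have ber_tag_t in lber.h - it must be configured as
 # unsigned int in include/includes.h
 case $host_os in
@@ -3551,6 +3562,14 @@
 AC_CHECK_LIB_EXT(ldap, LDAP_LIBS, ldap_init)
 
 ########################################################
+ # check for Netscape mozldap SSL API
+ AC_CHECK_FUNC_EXT(ldapssl_init,$LDAP_LIBS)
+
+ ########################################################
+ # check for StartTLS on API
+ AC_CHECK_FUNC_EXT(ldap_start_tls_s,$LDAP_LIBS)
+
+ ########################################################
 # If we have LDAP, does it's rebind procedure take 2 or 3 arguments?
 # Check found in pam_ldap 145.
 AC_CHECK_FUNC_EXT(ldap_set_rebind_proc,$LDAP_LIBS)
@@ -3627,33 +3646,17 @@
 # Check to see whether there is enough LDAP functionality to be able
 # to build AD support.
 
-# HPUX only has ldap_init; ok, we take care of this in smbldap.c
-case "$host_os" in
- *hpux*)
- AC_CHECK_FUNC_EXT(ldap_init,$LDAP_LIBS)
+ # URL-open support is added into smbldap.c so ldap_init is enough
+ AC_CHECK_LIB_EXT(ldap, LDAP_LIBS, ldap_init)
 
- if test x"$ac_cv_func_ext_ldap_init" != x"yes"; then
+ if test x"$ac_cv_lib_ext_ldap_ldap_init" != x"yes"; then
 if test x"$with_ads_support" = x"yes"; then
- AC_MSG_ERROR(Active Directory support on HPUX requires ldap_init)
+ AC_MSG_ERROR(Active Directory support requires ldap_init)
 elif test x"$with_ads_support" = x"auto"; then
- AC_MSG_WARN(Disabling Active Directory support (requires ldap_init on HPUX))
+ AC_MSG_WARN(Disabling Active Directory support (requires ldap_init))
 with_ads_support=no
 fi
 fi
- ;;
- *)
- AC_CHECK_FUNC_EXT(ldap_initialize,$LDAP_LIBS)
-
- if test x"$ac_cv_func_ext_ldap_initialize" != x"yes"; then
- if test x"$with_ads_support" = x"yes"; then
- AC_MSG_ERROR(Active Directory support requires ldap_initialize)
- elif test x"$with_ads_support" = x"auto"; then
- AC_MSG_WARN(Disabling Active Directory support (requires ldap_initialize))
- with_ads_support=no
- fi
- fi
- ;;
-esac
 
 
 AC_CHECK_FUNC_EXT(ldap_add_result_entry,$LDAP_LIBS)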
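Review bot: The `AC_CHECK_LIB_EXT(ldap, LDAP_LIBS, ldap_init)` added in the last hunk repeats the identical check that already runs earlier in this file (it is the first context line of the second hunk), so the second invocation only re-reads the cached `ac_cv_lib_ext_ldap_ldap_init`; drop the duplicate and keep just the `if test` that follows it. Removing the `ldap_initialize` requirement also means AD support can now be configured against an SDK whose URI handling is the manual parser in smbldap.c, which from the hunks on this page understands only `ldap://host[:port]` and `ldaps://host[:port]`; a comment here such as `# without ldap_initialize only ldap:// and ldaps:// URIs are handled (see smb_ldap_setup_conn)` would record that limitation where the requirement was relaxed.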