|
1 Source: Home brewed |
|
2 Allow use of the mozldap (Netscape/Mozilla LDAP C-SDK) client library. |
|
3 |
|
4 --- a/source3/param/loadparm.c 2013-03-18 01:59:37.000000000 -0700 |
|
5 +++ b/source3/param/loadparm.c 2013-05-10 23:59:37.528279300 +0200 |
|
6 @@ -278,6 +278,9 @@ |
|
7 int ldap_follow_referral; |
|
8 char *szLdapSuffix; |
|
9 char *szLdapAdminDn; |
|
10 + char *szLdapCertDBdir; |
|
11 + char *szLdapKeyDBdir; |
|
12 + bool ldap_privkey_open; |
|
13 int ldap_debug_level; |
|
14 int ldap_debug_threshold; |
|
15 int iAclCompat; |
|
16 @@ -3701,6 +3704,33 @@ |
|
17 .flags = FLAG_ADVANCED, |
|
18 }, |
|
19 { |
|
20 + .label = "ldap certdb dir", |
|
21 + .type = P_STRING, |
|
22 + .p_class = P_GLOBAL, |
|
23 + .ptr = &Globals.szLdapCertDBdir, |
|
24 + .special = NULL, |
|
25 + .enum_list = NULL, |
|
26 + .flags = FLAG_ADVANCED, |
|
27 + }, |
|
28 + { |
|
29 + .label = "ldap keydb dir", |
|
30 + .type = P_STRING, |
|
31 + .p_class = P_GLOBAL, |
|
32 + .ptr = &Globals.szLdapKeyDBdir, |
|
33 + .special = NULL, |
|
34 + .enum_list = NULL, |
|
35 + .flags = FLAG_ADVANCED, |
|
36 + }, |
|
37 + { |
|
38 + .label = "ldap privkey open", |
|
39 + .type = P_BOOL, |
|
40 + .p_class = P_GLOBAL, |
|
41 + .ptr = &Globals.ldap_privkey_open, |
|
42 + .special = NULL, |
|
43 + .enum_list = NULL, |
|
44 + .flags = FLAG_ADVANCED, |
|
45 + }, |
|
46 + { |
|
47 .label = "ldap delete dn", |
|
48 .type = P_BOOL, |
|
49 .p_class = P_GLOBAL, |
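Review bot: The three new smb.conf parameters `ldap certdb dir`, `ldap keydb dir` and `ldap privkey open` are registered without any comment on what they mean, and the last name does not say what it controls; later in this patch its value is passed as the third argument of `ldapssl_clientauth_init()`, so a comment above the first entry such as `/* mozldap/NSS client TLS: directories holding the NSS certificate and key databases, and whether the key DB is opened (needed for client-certificate auth) */` would help anyone setting them. None of the files in this patch adds man-page text for the new parameters, so that documentation is still missing as shown.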
|
50 @@ -5366,6 +5396,9 @@ |
|
51 string_set(&Globals.szLdapIdmapSuffix, ""); |
|
52 |
|
53 string_set(&Globals.szLdapAdminDn, ""); |
|
54 + string_set(&Globals.szLdapCertDBdir, get_dyn_PRIVATE_DIR()); |
|
55 + string_set(&Globals.szLdapKeyDBdir, get_dyn_PRIVATE_DIR()); |
|
56 + Globals.ldap_privkey_open = False; |
|
57 Globals.ldap_ssl = LDAP_SSL_START_TLS; |
|
58 Globals.ldap_ssl_ads = False; |
|
59 Globals.ldap_deref = -1; |
|
60 @@ -5747,6 +5780,9 @@ |
|
61 |
|
62 FN_GLOBAL_STRING(lp_ldap_suffix, &Globals.szLdapSuffix) |
|
63 FN_GLOBAL_STRING(lp_ldap_admin_dn, &Globals.szLdapAdminDn) |
|
64 +FN_GLOBAL_STRING(lp_ldap_certdb_dir, &Globals.szLdapCertDBdir) |
|
65 +FN_GLOBAL_STRING(lp_ldap_keydb_dir, &Globals.szLdapKeyDBdir) |
|
66 +FN_GLOBAL_BOOL(lp_ldap_privkey_open, &Globals.ldap_privkey_open) |
|
67 FN_GLOBAL_INTEGER(lp_ldap_ssl, &Globals.ldap_ssl) |
|
68 FN_GLOBAL_BOOL(lp_ldap_ssl_ads, &Globals.ldap_ssl_ads) |
|
69 FN_GLOBAL_INTEGER(lp_ldap_deref, &Globals.ldap_deref) |
|
70 --- a/source3/include/proto.h 2013-03-18 01:59:37.000000000 -0700 |
|
71 +++ b/source3/include/proto.h 2013-05-11 00:04:26.565521200 +0200 |
|
72 @@ -1429,6 +1429,9 @@ |
|
73 bool lp_passdb_expand_explicit(void); |
|
74 char *lp_ldap_suffix(void); |
|
75 char *lp_ldap_admin_dn(void); |
|
76 +char *lp_ldap_certdb_dir(void); |
|
77 +char *lp_ldap_keydb_dir(void); |
|
78 +bool lp_ldap_privkey_open(void); |
|
79 int lp_ldap_ssl(void); |
|
80 bool lp_ldap_ssl_ads(void); |
|
81 int lp_ldap_deref(void); |
|
82 --- a/source3/include/smb_ldap.h 2013-03-18 01:59:37.000000000 -0700 |
|
83 +++ b/source3/include/smb_ldap.h 2013-04-29 13:33:34.602541500 -0700 |
|
84 @@ -63,6 +63,10 @@ |
|
85 |
|
86 #endif /* HAVE_LDAP_H */ |
|
87 |
|
88 +#if HAVE_LDAP_SSL_H |
|
89 +#include <ldap_ssl.h> |
|
90 +#endif /* HAVE_LDAP_SSL_H */ |
|
91 + |
|
92 #ifndef HAVE_LDAP |
|
93 #define LDAP void |
|
94 #define LDAPMessage void |
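Review bot: `#if HAVE_LDAP_SSL_H` evaluates as `#if 0` when configure did not define the macro, which works but differs from the `#ifdef`/`#ifndef` form of the neighbouring guards (`#endif /* HAVE_LDAP_H */`, `#ifndef HAVE_LDAP`) and trips `-Wundef`; use `#ifdef HAVE_LDAP_SSL_H` for consistency. Placing the include after the `HAVE_LDAP_H` block is the right order if `ldap_ssl.h` needs `ldap.h` first, which the configure prerequisite in this patch suggests; a one-line comment saying so, `/* must come after <ldap.h> */`, would keep someone from reordering it.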
|
95 --- a/source3/lib/smbldap.c 2013-05-08 10:16:26.000000000 +0200 |
|
96 +++ b/source3/lib/smbldap.c 2013-07-03 09:00:28.482477500 +0200 |
|
97 @@ -780,7 +780,7 @@ |
|
98 |
|
99 int smb_ldap_start_tls(LDAP *ldap_struct, int version) |
|
100 { |
|
101 -#ifdef LDAP_OPT_X_TLS |
|
102 +#ifdef HAVE_LDAP_START_TLS_S |
|
103 int rc; |
|
104 #endif |
|
105 |
|
106 @@ -788,12 +788,24 @@ |
|
107 return LDAP_SUCCESS; |
|
108 } |
|
109 |
|
110 -#ifdef LDAP_OPT_X_TLS |
|
111 +#ifdef HAVE_LDAP_START_TLS_S |
|
112 if (version != LDAP_VERSION3) { |
|
113 DEBUG(0, ("Need LDAPv3 for Start TLS\n")); |
|
114 return LDAP_OPERATIONS_ERROR; |
|
115 } |
|
116 |
|
117 +#ifdef HAVE_LDAPSSL_INIT /* Netscape */ |
|
118 + rc = ldapssl_clientauth_init(lp_ldap_certdb_dir(), NULL, |
|
119 + lp_ldap_privkey_open(), lp_ldap_keydb_dir(), NULL); |
|
120 + if (rc != LDAP_SUCCESS) { |
|
121 + DEBUG(0,("ldapssl_clientauth_init with '%s' cert db, " |
|
122 + "%s key db, failed: %s\n", |
|
123 + lp_ldap_certdb_dir(), lp_ldap_keydb_dir(), |
|
124 + ldap_err2string(rc))); |
|
125 + return rc; |
|
126 + } |
|
127 +#endif /* HAVE_LDAPSSL_INIT */ |
|
128 + |
|
129 if ((rc = ldap_start_tls_s (ldap_struct, NULL, NULL)) != LDAP_SUCCESS) { |
|
130 DEBUG(0,("Failed to issue the StartTLS instruction: %s\n", |
|
131 ldap_err2string(rc))); |
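Review bot: `ldapssl_clientauth_init()` is called on every StartTLS attempt here, and the identical nine-line block is duplicated in the `ldaps` branch of smb_ldap_setup_conn later in this patch; it opens the process-wide NSS certificate and key databases, so it belongs in one `static` helper that runs once per process (guarded by a `static bool` flag) and is used from both sites. Whether mozldap tolerates repeated initialisation cannot be told from here, so relying on it silently is fragile, and the duplicated error message formats the two directories inconsistently (`'%s' cert db, %s key db`). smb_ldap_start_tls continues past the end of this hunk.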
|
132 @@ -802,12 +814,14 @@ |
|
133 |
|
134 DEBUG (3, ("StartTLS issued: using a TLS connection\n")); |
|
135 return LDAP_SUCCESS; |
|
136 -#else |
|
137 + |
|
138 +#else /* ! HAVE_LDAP_START_TLS_S */ |
|
139 DEBUG(0,("StartTLS not supported by LDAP client libraries!\n")); |
|
140 return LDAP_OPERATIONS_ERROR; |
|
141 -#endif |
|
142 +#endif /* HAVE_LDAP_START_TLS_S */ |
|
143 } |
|
144 |
|
145 + |
|
146 /******************************************************************** |
|
147 setup a connection to the LDAP server based on a uri |
|
148 *******************************************************************/ |
|
149 @@ -815,8 +829,24 @@ |
|
150 static int smb_ldap_setup_conn(LDAP **ldap_struct, const char *uri) |
|
151 { |
|
152 int rc; |
|
153 +#ifdef LDAP_OPT_TIMELIMIT |
|
154 + int ot = lp_ldap_timeout(); |
|
155 +#endif |
|
156 +#ifdef LDAP_X_OPT_CONNECT_TIMEOUT /* Netscape */ |
|
157 + int ct = lp_ldap_connection_timeout() * 1000; |
|
158 +#elif defined (LDAP_OPT_NETWORK_TIMEOUT) /* OpenLDAP */ |
|
159 + struct timeval ct; |
|
160 +#endif |
|
161 +#ifndef HAVE_LDAP_INITIALIZE |
|
162 + int port = 0; |
|
163 + fstring protocol; |
|
164 + fstring host; |
|
165 + /* Following symbols are only available if Mozldap */ |
|
166 + /* is compiled with LDAP_DEBUG on */ |
|
167 + /* extern int lber_debug, ldap_debug; */ |
|
168 +#endif |
|
169 |
|
170 - DEBUG(10, ("smb_ldap_setup_connection: %s\n", uri)); |
|
171 + DEBUG(10, ("smb_ldap_setup_conn: %s\n", uri)); |
|
172 |
|
173 #ifdef HAVE_LDAP_INITIALIZE |
|
174 |
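Review bot: The `/* extern int lber_debug, ldap_debug; */` lines (and the matching `/* lber_debug = 255 ; */` assignments in the next hunk) are commented-out debugging code and should be removed, or if the mozldap debug hooks are meant to stay reachable, put behind a real `#ifdef` and driven from the existing `ldap debug level` setting rather than hard-coded constants. Hoisting `port`, `protocol` and `host` to function scope is fine, but `ct` is now declared with two different types depending on which timeout macro exists, so a comment on the `#ifdef LDAP_X_OPT_CONNECT_TIMEOUT` line naming the unit, `/* milliseconds (Netscape) vs. struct timeval (OpenLDAP) */`, would save a reader a lookup. smb_ldap_setup_conn continues past the end of this hunk.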
|
175 @@ -837,74 +867,105 @@ |
|
176 return LDAP_SUCCESS; |
|
177 #else |
|
178 |
|
179 + /* lber_debug = 255 ; */ |
|
180 + /* ldap_debug = 1023 | 0x4000 ; */ |
|
181 + |
|
182 /* Parse the string manually */ |
|
183 |
|
184 - { |
|
185 - int port = 0; |
|
186 - fstring protocol; |
|
187 - fstring host; |
|
188 - SMB_ASSERT(sizeof(protocol)>10 && sizeof(host)>254); |
|
189 + SMB_ASSERT(sizeof(protocol)>10 && sizeof(host)>254); |
|
190 |
|
191 |
|
192 - /* skip leading "URL:" (if any) */ |
|
193 - if ( strnequal( uri, "URL:", 4 ) ) { |
|
194 - uri += 4; |
|
195 - } |
|
196 + /* skip leading "URL:" (if any) */ |
|
197 + if ( strnequal( uri, "URL:", 4 ) ) { |
|
198 + uri += 4; |
|
199 + } |
|
200 |
|
201 - sscanf(uri, "%10[^:]://%254[^:/]:%d", protocol, host, &port); |
|
202 + sscanf(uri, "%10[^:]://%254[^:/]:%d", protocol, host, &port); |
|
203 |
|
204 - if (port == 0) { |
|
205 - if (strequal(protocol, "ldap")) { |
|
206 - port = LDAP_PORT; |
|
207 - } else if (strequal(protocol, "ldaps")) { |
|
208 - port = LDAPS_PORT; |
|
209 - } else { |
|
210 - DEBUG(0, ("unrecognised protocol (%s)!\n", protocol)); |
|
211 - } |
|
212 + if (port == 0) { |
|
213 + if (strequal(protocol, "ldap")) { |
|
214 + port = LDAP_PORT; |
|
215 + } else if (strequal(protocol, "ldaps")) { |
|
216 + port = LDAPS_PORT; |
|
217 + } else { |
|
218 + DEBUG(0, ("unrecognised protocol (%s)!\n", protocol)); |
|
219 + return LDAP_OPERATIONS_ERROR; |
|
220 } |
|
221 + } |
|
222 |
|
223 + if (strequal(protocol, "ldap")) { |
|
224 if ((*ldap_struct = ldap_init(host, port)) == NULL) { |
|
225 DEBUG(0, ("ldap_init failed !\n")); |
|
226 return LDAP_OPERATIONS_ERROR; |
|
227 } |
|
228 - |
|
229 - if (strequal(protocol, "ldaps")) { |
|
230 + } else if (strequal(protocol, "ldaps")) { |
|
231 #ifdef LDAP_OPT_X_TLS |
|
232 - int tls = LDAP_OPT_X_TLS_HARD; |
|
233 - if (ldap_set_option (*ldap_struct, LDAP_OPT_X_TLS, &tls) != LDAP_SUCCESS) |
|
234 - { |
|
235 - DEBUG(0, ("Failed to setup a TLS session\n")); |
|
236 + int tls = LDAP_OPT_X_TLS_HARD; |
|
237 + if ((*ldap_struct = ldap_init(host, port)) == NULL) { |
|
238 + DEBUG(0, ("ldap_init failed !\n")); |
|
239 + return LDAP_OPERATIONS_ERROR; |
|
240 + } |
|
241 + if (ldap_set_option (*ldap_struct, LDAP_OPT_X_TLS, &tls) != LDAP_SUCCESS) { |
|
242 + DEBUG(0, ("Failed to setup a TLS session\n")); |
|
243 + } |
|
244 + |
|
245 + DEBUG(3,("LDAPS option set...!\n")); |
|
246 + |
|
247 +#elif defined(HAVE_LDAPSSL_INIT) /* Netscape */ |
|
248 + if (*ldap_struct != NULL) { |
|
249 + rc = ldap_unbind_s(*ldap_struct); |
|
250 + if (rc == LDAP_SUCCESS) { |
|
251 + DEBUG(10, ("LDAP already bound... unbound.\n")); |
|
252 + } else { |
|
253 + DEBUG(10, ("ldap_unbind_s failed: %s\n", |
|
254 + ldap_err2string(rc))); |
|
255 } |
|
256 + *ldap_struct = NULL; |
|
257 + } |
|
258 + rc = ldapssl_clientauth_init(lp_ldap_certdb_dir(), NULL, |
|
259 + lp_ldap_privkey_open(), lp_ldap_keydb_dir(), NULL); |
|
260 + if (rc != LDAP_SUCCESS) { |
|
261 + DEBUG(0,("ldapssl_clientauth_init with '%s' cert db, " |
|
262 + "%s key db, failed: %s\n", |
|
263 + lp_ldap_certdb_dir(), lp_ldap_keydb_dir(), |
|
264 + ldap_err2string(rc))); |
|
265 + return rc; |
|
266 + } |
|
267 |
|
268 - DEBUG(3,("LDAPS option set...!\n")); |
|
269 + if ((*ldap_struct = ldapssl_init(host, port, True)) == NULL) { |
|
270 + DEBUG(0, ("ldapssl_init to %s:%d failed!\n", host, |
|
271 + port)); |
|
272 + return LDAP_OPERATIONS_ERROR; |
|
273 + } |
|
274 #else |
|
275 - DEBUG(0,("smbldap_open_connection: Secure connection not supported by LDAP client libraries!\n")); |
|
276 + DEBUG(0,("smbldap_open_connection: Secure connection not supported by LDAP client libraries!\n")); |
|
277 return LDAP_OPERATIONS_ERROR; |
|
278 #endif /* LDAP_OPT_X_TLS */ |
|
279 - } |
|
280 } |
|
281 #endif /* HAVE_LDAP_INITIALIZE */ |
|
282 |
|
283 +#ifdef LDAP_OPT_TIMELIMIT |
|
284 + rc = ldap_set_option(*ldap_struct, LDAP_OPT_TIMELIMIT, &ot); |
|
285 + if (rc != LDAP_SUCCESS) { |
|
286 + DEBUG(0,("Failed to setup a ldap operation timeout %d: %s\n", |
|
287 + ot, ldap_err2string(rc))); |
|
288 + } |
|
289 +#endif |
|
290 + |
|
291 /* now set connection timeout */ |
|
292 #ifdef LDAP_X_OPT_CONNECT_TIMEOUT /* Netscape */ |
|
293 - { |
|
294 - int ct = lp_ldap_connection_timeout()*1000; |
|
295 - rc = ldap_set_option(*ldap_struct, LDAP_X_OPT_CONNECT_TIMEOUT, &ct); |
|
296 - if (rc != LDAP_SUCCESS) { |
|
297 - DEBUG(0,("Failed to setup an ldap connection timeout %d: %s\n", |
|
298 - ct, ldap_err2string(rc))); |
|
299 - } |
|
300 + rc = ldap_set_option(*ldap_struct, LDAP_X_OPT_CONNECT_TIMEOUT, &ct); |
|
301 + if (rc != LDAP_SUCCESS) { |
|
302 + DEBUG(0,("Failed to setup an ldap connection timeout %d: %s\n", |
|
303 + ct, ldap_err2string(rc))); |
|
304 } |
|
305 #elif defined (LDAP_OPT_NETWORK_TIMEOUT) /* OpenLDAP */ |
|
306 - { |
|
307 - struct timeval ct; |
|
308 - ct.tv_usec = 0; |
|
309 - ct.tv_sec = lp_ldap_connection_timeout(); |
|
310 - rc = ldap_set_option(*ldap_struct, LDAP_OPT_NETWORK_TIMEOUT, &ct); |
|
311 - if (rc != LDAP_SUCCESS) { |
|
312 - DEBUG(0,("Failed to setup an ldap connection timeout %d: %s\n", |
|
313 - (int)ct.tv_sec, ldap_err2string(rc))); |
|
314 - } |
|
315 + ct.tv_usec = 0; |
|
316 + ct.tv_sec = lp_ldap_connection_timeout(); |
|
317 + rc = ldap_set_option(*ldap_struct, LDAP_OPT_NETWORK_TIMEOUT, &ct); |
|
318 + if (rc != LDAP_SUCCESS) { |
|
319 + DEBUG(0,("Failed to setup an ldap connection timeout %d: %s\n", |
|
320 + (int)ct.tv_sec, ldap_err2string(rc))); |
|
321 } |
|
322 #endif |
|
323 |
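Review bot: A URI whose scheme is neither `ldap` nor `ldaps` but carries an explicit port now slips past validation, because the `unrecognised protocol` check with its new `return LDAP_OPERATIONS_ERROR` only runs inside `if (port == 0)`, and the new `if (strequal(protocol, "ldap")) ... else if (strequal(protocol, "ldaps"))` chain has no final else; the function then calls `ldap_set_option()` on an unset `*ldap_struct` and returns LDAP_SUCCESS without a handle, whereas the old code always called `ldap_init()` regardless of scheme. Close the chain with `} else { DEBUG(0, ("unrecognised protocol (%s)!\n", protocol)); return LDAP_OPERATIONS_ERROR; }`. The `sscanf()` return value is also still unchecked, so a URI that does not match leaves `protocol`/`host` uninitialised before `strequal()` reads them; `if (sscanf(uri, "%10[^:]://%254[^:/]:%d", protocol, host, &port) < 2) return LDAP_OPERATIONS_ERROR;` would cover that. The `ldap_unbind_s()` of a caller-supplied non-NULL `*ldap_struct` happens only in the Netscape `ldaps` branch while the other branches simply overwrite the pointer, which looks inconsistent and is worth a comment or unifying. smb_ldap_setup_conn continues past the end of this hunk.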
|
324 @@ -1094,7 +1155,7 @@ |
|
325 * our credentials. At least *try* to secure the connection - Guenther */ |
|
326 |
|
327 smb_ldap_upgrade_conn(ldap_struct, &version); |
|
328 - smb_ldap_start_tls(ldap_struct, version); |
|
329 + /* smb_ldap_start_tls(ldap_struct, version); */ |
|
330 |
|
331 /** @TODO Should we be doing something to check what servers we rebind to? |
|
332 Could we get a referral to a machine that we don't want to give our |
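Review bot: Commenting out `smb_ldap_start_tls(ldap_struct, version);` removes exactly the protection the comment just above it describes: when the library follows a referral to another server, the bind DN and password are now sent over whatever transport that new connection has, which for an `ldap://` referral is cleartext, even though the `ldap ssl` default set elsewhere in this patch is `LDAP_SSL_START_TLS`. If the call was disabled because StartTLS fails on the mozldap path after a rebind, that failure should be handled explicitly rather than by skipping TLS silently; restore it as `rc = smb_ldap_start_tls(ldap_struct, version); if (rc != LDAP_SUCCESS && lp_ldap_ssl() == LDAP_SSL_START_TLS) return rc;` so a referral that cannot be secured is refused (assuming the enclosing rebind procedure returns an LDAP result code, which cannot be confirmed from here). Leaving the call as commented-out code rather than deleting or fixing it also hides the behaviour change from anyone reading the file. The enclosing function starts and ends outside this hunk.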
|
333 --- a/source3/configure.in 2013-04-26 03:05:37.000000000 -0700 |
|
334 +++ b/source3/configure.in 2013-05-09 13:54:35.613605329 -0700 |
|
335 @@ -3485,6 +3485,14 @@ |
|
336 fi |
|
337 |
|
338 ################################################################## |
|
339 + # check for ldap_ssl.h (Mozldap) |
|
340 + AC_CHECK_HEADERS([ldap_ssl.h], [], [], |
|
341 + [[#if HAVE_LDAP_H |
|
342 + #include <ldap.h> |
|
343 + #endif |
|
344 + ]]) |
|
345 + |
|
346 + ################################################################## |
|
347 # HP/UX does not have ber_tag_t in lber.h - it must be configured as |
|
348 # unsigned int in include/includes.h |
|
349 case $host_os in |
|
350 @@ -3551,6 +3562,14 @@ |
|
351 AC_CHECK_LIB_EXT(ldap, LDAP_LIBS, ldap_init) |
|
352 |
|
353 ######################################################## |
|
354 + # check for Netscape mozldap SSL API |
|
355 + AC_CHECK_FUNC_EXT(ldapssl_init,$LDAP_LIBS) |
|
356 + |
|
357 + ######################################################## |
|
358 + # check for StartTLS on API |
|
359 + AC_CHECK_FUNC_EXT(ldap_start_tls_s,$LDAP_LIBS) |
|
360 + |
|
361 + ######################################################## |
|
362 # If we have LDAP, does it's rebind procedure take 2 or 3 arguments? |
|
363 # Check found in pam_ldap 145. |
|
364 AC_CHECK_FUNC_EXT(ldap_set_rebind_proc,$LDAP_LIBS) |
|
365 @@ -3627,33 +3646,17 @@ |
|
366 # Check to see whether there is enough LDAP functionality to be able |
|
367 # to build AD support. |
|
368 |
|
369 -# HPUX only has ldap_init; ok, we take care of this in smbldap.c |
|
370 -case "$host_os" in |
|
371 - *hpux*) |
|
372 - AC_CHECK_FUNC_EXT(ldap_init,$LDAP_LIBS) |
|
373 + # URL-open support is added into smbldap.c so ldap_init is enough |
|
374 + AC_CHECK_LIB_EXT(ldap, LDAP_LIBS, ldap_init) |
|
375 |
|
376 - if test x"$ac_cv_func_ext_ldap_init" != x"yes"; then |
|
377 + if test x"$ac_cv_lib_ext_ldap_ldap_init" != x"yes"; then |
|
378 if test x"$with_ads_support" = x"yes"; then |
|
379 - AC_MSG_ERROR(Active Directory support on HPUX requires ldap_init) |
|
380 + AC_MSG_ERROR(Active Directory support requires ldap_init) |
|
381 elif test x"$with_ads_support" = x"auto"; then |
|
382 - AC_MSG_WARN(Disabling Active Directory support (requires ldap_init on HPUX)) |
|
383 + AC_MSG_WARN(Disabling Active Directory support (requires ldap_init)) |
|
384 with_ads_support=no |
|
385 fi |
|
386 fi |
|
387 - ;; |
|
388 - *) |
|
389 - AC_CHECK_FUNC_EXT(ldap_initialize,$LDAP_LIBS) |
|
390 - |
|
391 - if test x"$ac_cv_func_ext_ldap_initialize" != x"yes"; then |
|
392 - if test x"$with_ads_support" = x"yes"; then |
|
393 - AC_MSG_ERROR(Active Directory support requires ldap_initialize) |
|
394 - elif test x"$with_ads_support" = x"auto"; then |
|
395 - AC_MSG_WARN(Disabling Active Directory support (requires ldap_initialize)) |
|
396 - with_ads_support=no |
|
397 - fi |
|
398 - fi |
|
399 - ;; |
|
400 -esac |
|
401 |
|
402 |
|
403 AC_CHECK_FUNC_EXT(ldap_add_result_entry,$LDAP_LIBS) |
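Review bot: `AC_CHECK_LIB_EXT(ldap, LDAP_LIBS, ldap_init)` is now run twice, once at the top of the LDAP section (visible as context at the start of the previous hunk) and again here, so the second call is redundant and only the `ac_cv_lib_ext_ldap_ldap_init` test needs to remain. Dropping the `ldap_initialize` requirement for AD support is a real behaviour change: AD support will now be built against libraries that only provide `ldap_init`, relying on the manual URI parsing in smbldap.c, and that deserves a sentence in the patch description. The lines kept inside the removed `case` retain their old indentation and should be re-indented to the surrounding level.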