--- a/source3/param/loadparm.c 2013-03-18 01:59:37.000000000 -0700
+++ b/source3/param/loadparm.c 2013-05-10 23:59:37.528279300 +0200
@@ -278,6 +278,9 @@
int ldap_follow_referral;
char *szLdapSuffix;
char *szLdapAdminDn;
+ char *szLdapCertDBdir;
+ char *szLdapKeyDBdir;
+ bool ldap_privkey_open;
int ldap_debug_level;
int ldap_debug_threshold;
int iAclCompat;
@@ -3701,6 +3704,33 @@
.flags = FLAG_ADVANCED,
},
{
+ .label = "ldap certdb dir",
+ .type = P_STRING,
+ .p_class = P_GLOBAL,
+ .ptr = &Globals.szLdapCertDBdir,
+ .special = NULL,
+ .enum_list = NULL,
+ .flags = FLAG_ADVANCED,
+ },
+ {
+ .label = "ldap keydb dir",
+ .type = P_STRING,
+ .p_class = P_GLOBAL,
+ .ptr = &Globals.szLdapKeyDBdir,
+ .special = NULL,
+ .enum_list = NULL,
+ .flags = FLAG_ADVANCED,
+ },
+ {
+ .label = "ldap privkey open",
+ .type = P_BOOL,
+ .p_class = P_GLOBAL,
+ .ptr = &Globals.ldap_privkey_open,
+ .special = NULL,
+ .enum_list = NULL,
+ .flags = FLAG_ADVANCED,
+ },
+ {
.label = "ldap delete dn",
.type = P_BOOL,
.p_class = P_GLOBAL,
@@ -5366,6 +5396,9 @@
string_set(&Globals.szLdapIdmapSuffix, "");
string_set(&Globals.szLdapAdminDn, "");
+ string_set(&Globals.szLdapCertDBdir, get_dyn_PRIVATE_DIR());
+ string_set(&Globals.szLdapKeyDBdir, get_dyn_PRIVATE_DIR());
+ Globals.ldap_privkey_open = False;
Globals.ldap_ssl = LDAP_SSL_START_TLS;
Globals.ldap_ssl_ads = False;
Globals.ldap_deref = -1;
@@ -5747,6 +5780,9 @@
FN_GLOBAL_STRING(lp_ldap_suffix, &Globals.szLdapSuffix)
FN_GLOBAL_STRING(lp_ldap_admin_dn, &Globals.szLdapAdminDn)
+FN_GLOBAL_STRING(lp_ldap_certdb_dir, &Globals.szLdapCertDBdir)
+FN_GLOBAL_STRING(lp_ldap_keydb_dir, &Globals.szLdapKeyDBdir)
+FN_GLOBAL_BOOL(lp_ldap_privkey_open, &Globals.ldap_privkey_open)
FN_GLOBAL_INTEGER(lp_ldap_ssl, &Globals.ldap_ssl)
FN_GLOBAL_BOOL(lp_ldap_ssl_ads, &Globals.ldap_ssl_ads)
FN_GLOBAL_INTEGER(lp_ldap_deref, &Globals.ldap_deref)
--- a/source3/include/proto.h 2013-03-18 01:59:37.000000000 -0700
+++ b/source3/include/proto.h 2013-05-11 00:04:26.565521200 +0200
@@ -1429,6 +1429,9 @@
bool lp_passdb_expand_explicit(void);
char *lp_ldap_suffix(void);
char *lp_ldap_admin_dn(void);
+char *lp_ldap_certdb_dir(void);
+char *lp_ldap_keydb_dir(void);
+bool lp_ldap_privkey_open(void);
int lp_ldap_ssl(void);
bool lp_ldap_ssl_ads(void);
int lp_ldap_deref(void);
--- a/source3/include/smb_ldap.h 2013-03-18 01:59:37.000000000 -0700
+++ b/source3/include/smb_ldap.h 2013-04-29 13:33:34.602541500 -0700
@@ -63,6 +63,10 @@
#endif /* HAVE_LDAP_H */
+#if HAVE_LDAP_SSL_H
+#include <ldap_ssl.h>
+#endif /* HAVE_LDAP_SSL_H */
+
#ifndef HAVE_LDAP
#define LDAP void
#define LDAPMessage void
--- a/source3/lib/smbldap.c 2013-05-08 10:16:26.000000000 +0200
+++ b/source3/lib/smbldap.c 2013-07-03 09:00:28.482477500 +0200
@@ -780,7 +780,7 @@
int smb_ldap_start_tls(LDAP *ldap_struct, int version)
{
-#ifdef LDAP_OPT_X_TLS
+#ifdef HAVE_LDAP_START_TLS_S
int rc;
#endif
@@ -788,12 +788,24 @@
return LDAP_SUCCESS;
}
-#ifdef LDAP_OPT_X_TLS
+#ifdef HAVE_LDAP_START_TLS_S
if (version != LDAP_VERSION3) {
DEBUG(0, ("Need LDAPv3 for Start TLS\n"));
return LDAP_OPERATIONS_ERROR;
}
+#ifdef HAVE_LDAPSSL_INIT /* Netscape */
+ rc = ldapssl_clientauth_init(lp_ldap_certdb_dir(), NULL,
+ lp_ldap_privkey_open(), lp_ldap_keydb_dir(), NULL);
+ if (rc != LDAP_SUCCESS) {
+ DEBUG(0,("ldapssl_clientauth_init with '%s' cert db, "
+ "%s key db, failed: %s\n",
+ lp_ldap_certdb_dir(), lp_ldap_keydb_dir(),
+ ldap_err2string(rc)));
+ return rc;
+ }
+#endif /* HAVE_LDAPSSL_INIT */
+
if ((rc = ldap_start_tls_s (ldap_struct, NULL, NULL)) != LDAP_SUCCESS) {
DEBUG(0,("Failed to issue the StartTLS instruction: %s\n",
ldap_err2string(rc)));
@@ -802,12 +814,14 @@
DEBUG (3, ("StartTLS issued: using a TLS connection\n"));
return LDAP_SUCCESS;
-#else
+
+#else /* ! HAVE_LDAP_START_TLS_S */
DEBUG(0,("StartTLS not supported by LDAP client libraries!\n"));
return LDAP_OPERATIONS_ERROR;
-#endif
+#endif /* HAVE_LDAP_START_TLS_S */
}
+
/********************************************************************
setup a connection to the LDAP server based on a uri
*******************************************************************/
@@ -815,8 +829,24 @@
static int smb_ldap_setup_conn(LDAP **ldap_struct, const char *uri)
{
int rc;
+#ifdef LDAP_OPT_TIMELIMIT
+ int ot = lp_ldap_timeout();
+#endif
+#ifdef LDAP_X_OPT_CONNECT_TIMEOUT /* Netscape */
+ int ct = lp_ldap_connection_timeout() * 1000;
+#elif defined (LDAP_OPT_NETWORK_TIMEOUT) /* OpenLDAP */
+ struct timeval ct;
+#endif
+#ifndef HAVE_LDAP_INITIALIZE
+ int port = 0;
+ fstring protocol;
+ fstring host;
+ /* Following symbols are only available if Mozldap */
+ /* is compiled with LDAP_DEBUG on */
+ /* extern int lber_debug, ldap_debug; */
+#endif
- DEBUG(10, ("smb_ldap_setup_connection: %s\n", uri));
+ DEBUG(10, ("smb_ldap_setup_conn: %s\n", uri));
#ifdef HAVE_LDAP_INITIALIZE
@@ -837,74 +867,105 @@
return LDAP_SUCCESS;
#else
+ /* lber_debug = 255 ; */
+ /* ldap_debug = 1023 | 0x4000 ; */
+
/* Parse the string manually */
- {
- int port = 0;
- fstring protocol;
- fstring host;
- SMB_ASSERT(sizeof(protocol)>10 && sizeof(host)>254);
+ SMB_ASSERT(sizeof(protocol)>10 && sizeof(host)>254);
- /* skip leading "URL:" (if any) */
- if ( strnequal( uri, "URL:", 4 ) ) {
- uri += 4;
- }
+ /* skip leading "URL:" (if any) */
+ if ( strnequal( uri, "URL:", 4 ) ) {
+ uri += 4;
+ }
- sscanf(uri, "%10[^:]://%254[^:/]:%d", protocol, host, &port);
+ sscanf(uri, "%10[^:]://%254[^:/]:%d", protocol, host, &port);
- if (port == 0) {
- if (strequal(protocol, "ldap")) {
- port = LDAP_PORT;
- } else if (strequal(protocol, "ldaps")) {
- port = LDAPS_PORT;
- } else {
- DEBUG(0, ("unrecognised protocol (%s)!\n", protocol));
- }
+ if (port == 0) {
+ if (strequal(protocol, "ldap")) {
+ port = LDAP_PORT;
+ } else if (strequal(protocol, "ldaps")) {
+ port = LDAPS_PORT;
+ } else {
+ DEBUG(0, ("unrecognised protocol (%s)!\n", protocol));
+ return LDAP_OPERATIONS_ERROR;
}
+ }
+ if (strequal(protocol, "ldap")) {
if ((*ldap_struct = ldap_init(host, port)) == NULL) {
DEBUG(0, ("ldap_init failed !\n"));
return LDAP_OPERATIONS_ERROR;
}
-
- if (strequal(protocol, "ldaps")) {
+ } else if (strequal(protocol, "ldaps")) {
#ifdef LDAP_OPT_X_TLS
- int tls = LDAP_OPT_X_TLS_HARD;
- if (ldap_set_option (*ldap_struct, LDAP_OPT_X_TLS, &tls) != LDAP_SUCCESS)
- {
- DEBUG(0, ("Failed to setup a TLS session\n"));
+ int tls = LDAP_OPT_X_TLS_HARD;
+ if ((*ldap_struct = ldap_init(host, port)) == NULL) {
+ DEBUG(0, ("ldap_init failed !\n"));
+ return LDAP_OPERATIONS_ERROR;
+ }
+ if (ldap_set_option (*ldap_struct, LDAP_OPT_X_TLS, &tls) != LDAP_SUCCESS) {
+ DEBUG(0, ("Failed to setup a TLS session\n"));
+ }
+
+ DEBUG(3,("LDAPS option set...!\n"));
+
+#elif defined(HAVE_LDAPSSL_INIT) /* Netscape */
+ if (*ldap_struct != NULL) {
+ rc = ldap_unbind_s(*ldap_struct);
+ if (rc == LDAP_SUCCESS) {
+ DEBUG(10, ("LDAP already bound... unbound.\n"));
+ } else {
+ DEBUG(10, ("ldap_unbind_s failed: %s\n",
+ ldap_err2string(rc)));
}
+ *ldap_struct = NULL;
+ }
+ rc = ldapssl_clientauth_init(lp_ldap_certdb_dir(), NULL,
+ lp_ldap_privkey_open(), lp_ldap_keydb_dir(), NULL);
+ if (rc != LDAP_SUCCESS) {
+ DEBUG(0,("ldapssl_clientauth_init with '%s' cert db, "
+ "%s key db, failed: %s\n",
+ lp_ldap_certdb_dir(), lp_ldap_keydb_dir(),
+ ldap_err2string(rc)));
+ return rc;
+ }
- DEBUG(3,("LDAPS option set...!\n"));
+ if ((*ldap_struct = ldapssl_init(host, port, True)) == NULL) {
+ DEBUG(0, ("ldapssl_init to %s:%d failed!\n", host,
+ port));
+ return LDAP_OPERATIONS_ERROR;
+ }
#else
- DEBUG(0,("smbldap_open_connection: Secure connection not supported by LDAP client libraries!\n"));
+ DEBUG(0,("smbldap_open_connection: Secure connection not supported by LDAP client libraries!\n"));
return LDAP_OPERATIONS_ERROR;
#endif /* LDAP_OPT_X_TLS */
- }
}
#endif /* HAVE_LDAP_INITIALIZE */
+#ifdef LDAP_OPT_TIMELIMIT
+ rc = ldap_set_option(*ldap_struct, LDAP_OPT_TIMELIMIT, &ot);
+ if (rc != LDAP_SUCCESS) {
+ DEBUG(0,("Failed to setup a ldap operation timeout %d: %s\n",
+ ot, ldap_err2string(rc)));
+ }
+#endif
+
/* now set connection timeout */
#ifdef LDAP_X_OPT_CONNECT_TIMEOUT /* Netscape */
- {
- int ct = lp_ldap_connection_timeout()*1000;
- rc = ldap_set_option(*ldap_struct, LDAP_X_OPT_CONNECT_TIMEOUT, &ct);
- if (rc != LDAP_SUCCESS) {
- DEBUG(0,("Failed to setup an ldap connection timeout %d: %s\n",
- ct, ldap_err2string(rc)));
- }
+ rc = ldap_set_option(*ldap_struct, LDAP_X_OPT_CONNECT_TIMEOUT, &ct);
+ if (rc != LDAP_SUCCESS) {
+ DEBUG(0,("Failed to setup an ldap connection timeout %d: %s\n",
+ ct, ldap_err2string(rc)));
}
#elif defined (LDAP_OPT_NETWORK_TIMEOUT) /* OpenLDAP */
- {
- struct timeval ct;
- ct.tv_usec = 0;
- ct.tv_sec = lp_ldap_connection_timeout();
- rc = ldap_set_option(*ldap_struct, LDAP_OPT_NETWORK_TIMEOUT, &ct);
- if (rc != LDAP_SUCCESS) {
- DEBUG(0,("Failed to setup an ldap connection timeout %d: %s\n",
- (int)ct.tv_sec, ldap_err2string(rc)));
- }
+ ct.tv_usec = 0;
+ ct.tv_sec = lp_ldap_connection_timeout();
+ rc = ldap_set_option(*ldap_struct, LDAP_OPT_NETWORK_TIMEOUT, &ct);
+ if (rc != LDAP_SUCCESS) {
+ DEBUG(0,("Failed to setup an ldap connection timeout %d: %s\n",
+ (int)ct.tv_sec, ldap_err2string(rc)));
}
#endif
@@ -1094,7 +1155,7 @@
* our credentials. At least *try* to secure the connection - Guenther */
smb_ldap_upgrade_conn(ldap_struct, &version);
- smb_ldap_start_tls(ldap_struct, version);
+ /* smb_ldap_start_tls(ldap_struct, version); */
/** @TODO Should we be doing something to check what servers we rebind to?
Could we get a referral to a machine that we don't want to give our
--- a/source3/configure.in 2013-04-26 03:05:37.000000000 -0700
+++ b/source3/configure.in 2013-05-09 13:54:35.613605329 -0700
@@ -3485,6 +3485,14 @@
fi
##################################################################
+ # check for ldap_ssl.h (Mozldap)
+ AC_CHECK_HEADERS([ldap_ssl.h], [], [],
+ [[#if HAVE_LDAP_H
+ #include <ldap.h>
+ #endif
+ ]])
+
+ ##################################################################
# HP/UX does not have ber_tag_t in lber.h - it must be configured as
# unsigned int in include/includes.h
case $host_os in
@@ -3551,6 +3562,14 @@
AC_CHECK_LIB_EXT(ldap, LDAP_LIBS, ldap_init)
########################################################
+ # check for Netscape mozldap SSL API
+ AC_CHECK_FUNC_EXT(ldapssl_init,$LDAP_LIBS)
+
+ ########################################################
+ # check for StartTLS on API
+ AC_CHECK_FUNC_EXT(ldap_start_tls_s,$LDAP_LIBS)
+
+ ########################################################
# If we have LDAP, does it's rebind procedure take 2 or 3 arguments?
# Check found in pam_ldap 145.
AC_CHECK_FUNC_EXT(ldap_set_rebind_proc,$LDAP_LIBS)
@@ -3627,33 +3646,17 @@
# Check to see whether there is enough LDAP functionality to be able
# to build AD support.
-# HPUX only has ldap_init; ok, we take care of this in smbldap.c
-case "$host_os" in
- *hpux*)
- AC_CHECK_FUNC_EXT(ldap_init,$LDAP_LIBS)
+ # URL-open support is added into smbldap.c so ldap_init is enough
+ AC_CHECK_LIB_EXT(ldap, LDAP_LIBS, ldap_init)
- if test x"$ac_cv_func_ext_ldap_init" != x"yes"; then
+ if test x"$ac_cv_lib_ext_ldap_ldap_init" != x"yes"; then
if test x"$with_ads_support" = x"yes"; then
- AC_MSG_ERROR(Active Directory support on HPUX requires ldap_init)
+ AC_MSG_ERROR(Active Directory support requires ldap_init)
elif test x"$with_ads_support" = x"auto"; then
- AC_MSG_WARN(Disabling Active Directory support (requires ldap_init on HPUX))
+ AC_MSG_WARN(Disabling Active Directory support (requires ldap_init))
with_ads_support=no
fi
fi
- ;;
- *)
- AC_CHECK_FUNC_EXT(ldap_initialize,$LDAP_LIBS)
-
- if test x"$ac_cv_func_ext_ldap_initialize" != x"yes"; then
- if test x"$with_ads_support" = x"yes"; then
- AC_MSG_ERROR(Active Directory support requires ldap_initialize)
- elif test x"$with_ads_support" = x"auto"; then
- AC_MSG_WARN(Disabling Active Directory support (requires ldap_initialize))
- with_ads_support=no
- fi
- fi
- ;;
-esac
AC_CHECK_FUNC_EXT(ldap_add_result_entry,$LDAP_LIBS)