--- a/components/samba/samba/patches/mozldap.patch Mon Jul 15 15:21:48 2013 -0700
+++ b/components/samba/samba/patches/mozldap.patch Mon Jul 15 17:22:36 2013 -0700
@@ -1,57 +1,400 @@
---- a/source3/configure.in 2011-12-12 10:59:00.851079500 -0800
-+++ b/source3/configure.in 2011-12-12 11:29:54.993566333 -0800
[email protected]@ -3368,6 +3368,20 @@
- with_ldap_support=yes
- AC_MSG_CHECKING(whether LDAP support is used)
- AC_MSG_RESULT(yes)
+--- a/source3/param/loadparm.c 2013-03-18 01:59:37.000000000 -0700
++++ b/source3/param/loadparm.c 2013-05-10 23:59:37.528279300 +0200
[email protected]@ -278,6 +278,9 @@
+ int ldap_follow_referral;
+ char *szLdapSuffix;
+ char *szLdapAdminDn;
++ char *szLdapCertDBdir;
++ char *szLdapKeyDBdir;
++ bool ldap_privkey_open;
+ int ldap_debug_level;
+ int ldap_debug_threshold;
+ int iAclCompat;
[email protected]@ -3701,6 +3704,33 @@
+ .flags = FLAG_ADVANCED,
+ },
+ {
++ .label = "ldap certdb dir",
++ .type = P_STRING,
++ .p_class = P_GLOBAL,
++ .ptr = &Globals.szLdapCertDBdir,
++ .special = NULL,
++ .enum_list = NULL,
++ .flags = FLAG_ADVANCED,
++ },
++ {
++ .label = "ldap keydb dir",
++ .type = P_STRING,
++ .p_class = P_GLOBAL,
++ .ptr = &Globals.szLdapKeyDBdir,
++ .special = NULL,
++ .enum_list = NULL,
++ .flags = FLAG_ADVANCED,
++ },
++ {
++ .label = "ldap privkey open",
++ .type = P_BOOL,
++ .p_class = P_GLOBAL,
++ .ptr = &Globals.ldap_privkey_open,
++ .special = NULL,
++ .enum_list = NULL,
++ .flags = FLAG_ADVANCED,
++ },
++ {
+ .label = "ldap delete dn",
+ .type = P_BOOL,
+ .p_class = P_GLOBAL,
[email protected]@ -5366,6 +5396,9 @@
+ string_set(&Globals.szLdapIdmapSuffix, "");
+
+ string_set(&Globals.szLdapAdminDn, "");
++ string_set(&Globals.szLdapCertDBdir, get_dyn_PRIVATE_DIR());
++ string_set(&Globals.szLdapKeyDBdir, get_dyn_PRIVATE_DIR());
++ Globals.ldap_privkey_open = False;
+ Globals.ldap_ssl = LDAP_SSL_START_TLS;
+ Globals.ldap_ssl_ads = False;
+ Globals.ldap_deref = -1;
[email protected]@ -5747,6 +5780,9 @@
+
+ FN_GLOBAL_STRING(lp_ldap_suffix, &Globals.szLdapSuffix)
+ FN_GLOBAL_STRING(lp_ldap_admin_dn, &Globals.szLdapAdminDn)
++FN_GLOBAL_STRING(lp_ldap_certdb_dir, &Globals.szLdapCertDBdir)
++FN_GLOBAL_STRING(lp_ldap_keydb_dir, &Globals.szLdapKeyDBdir)
++FN_GLOBAL_BOOL(lp_ldap_privkey_open, &Globals.ldap_privkey_open)
+ FN_GLOBAL_INTEGER(lp_ldap_ssl, &Globals.ldap_ssl)
+ FN_GLOBAL_BOOL(lp_ldap_ssl_ads, &Globals.ldap_ssl_ads)
+ FN_GLOBAL_INTEGER(lp_ldap_deref, &Globals.ldap_deref)
+--- a/source3/include/proto.h 2013-03-18 01:59:37.000000000 -0700
++++ b/source3/include/proto.h 2013-05-11 00:04:26.565521200 +0200
[email protected]@ -1429,6 +1429,9 @@
+ bool lp_passdb_expand_explicit(void);
+ char *lp_ldap_suffix(void);
+ char *lp_ldap_admin_dn(void);
++char *lp_ldap_certdb_dir(void);
++char *lp_ldap_keydb_dir(void);
++bool lp_ldap_privkey_open(void);
+ int lp_ldap_ssl(void);
+ bool lp_ldap_ssl_ads(void);
+ int lp_ldap_deref(void);
+--- a/source3/include/smb_ldap.h 2013-03-18 01:59:37.000000000 -0700
++++ b/source3/include/smb_ldap.h 2013-04-29 13:33:34.602541500 -0700
[email protected]@ -63,6 +63,10 @@
+
+ #endif /* HAVE_LDAP_H */
+
++#if HAVE_LDAP_SSL_H
++#include <ldap_ssl.h>
++#endif /* HAVE_LDAP_SSL_H */
++
+ #ifndef HAVE_LDAP
+ #define LDAP void
+ #define LDAPMessage void
+--- a/source3/lib/smbldap.c 2013-05-08 10:16:26.000000000 +0200
++++ b/source3/lib/smbldap.c 2013-07-03 09:00:28.482477500 +0200
[email protected]@ -780,7 +780,7 @@
+
+ int smb_ldap_start_tls(LDAP *ldap_struct, int version)
+ {
+-#ifdef LDAP_OPT_X_TLS
++#ifdef HAVE_LDAP_START_TLS_S
+ int rc;
+ #endif
+
[email protected]@ -788,12 +788,24 @@
+ return LDAP_SUCCESS;
+ }
+
+-#ifdef LDAP_OPT_X_TLS
++#ifdef HAVE_LDAP_START_TLS_S
+ if (version != LDAP_VERSION3) {
+ DEBUG(0, ("Need LDAPv3 for Start TLS\n"));
+ return LDAP_OPERATIONS_ERROR;
+ }
+
++#ifdef HAVE_LDAPSSL_INIT /* Netscape */
++ rc = ldapssl_clientauth_init(lp_ldap_certdb_dir(), NULL,
++ lp_ldap_privkey_open(), lp_ldap_keydb_dir(), NULL);
++ if (rc != LDAP_SUCCESS) {
++ DEBUG(0,("ldapssl_clientauth_init with '%s' cert db, "
++ "%s key db, failed: %s\n",
++ lp_ldap_certdb_dir(), lp_ldap_keydb_dir(),
++ ldap_err2string(rc)));
++ return rc;
++ }
++#endif /* HAVE_LDAPSSL_INIT */
++
+ if ((rc = ldap_start_tls_s (ldap_struct, NULL, NULL)) != LDAP_SUCCESS) {
+ DEBUG(0,("Failed to issue the StartTLS instruction: %s\n",
+ ldap_err2string(rc)));
[email protected]@ -802,12 +814,14 @@
+
+ DEBUG (3, ("StartTLS issued: using a TLS connection\n"));
+ return LDAP_SUCCESS;
+-#else
++
++#else /* ! HAVE_LDAP_START_TLS_S */
+ DEBUG(0,("StartTLS not supported by LDAP client libraries!\n"));
+ return LDAP_OPERATIONS_ERROR;
+-#endif
++#endif /* HAVE_LDAP_START_TLS_S */
+ }
+
++
+ /********************************************************************
+ setup a connection to the LDAP server based on a uri
+ *******************************************************************/
[email protected]@ -815,8 +829,24 @@
+ static int smb_ldap_setup_conn(LDAP **ldap_struct, const char *uri)
+ {
+ int rc;
++#ifdef LDAP_OPT_TIMELIMIT
++ int ot = lp_ldap_timeout();
++#endif
++#ifdef LDAP_X_OPT_CONNECT_TIMEOUT /* Netscape */
++ int ct = lp_ldap_connection_timeout() * 1000;
++#elif defined (LDAP_OPT_NETWORK_TIMEOUT) /* OpenLDAP */
++ struct timeval ct;
++#endif
++#ifndef HAVE_LDAP_INITIALIZE
++ int port = 0;
++ fstring protocol;
++ fstring host;
++ /* Following symbols are only available if Mozldap */
++ /* is compiled with LDAP_DEBUG on */
++ /* extern int lber_debug, ldap_debug; */
++#endif
+
+- DEBUG(10, ("smb_ldap_setup_connection: %s\n", uri));
++ DEBUG(10, ("smb_ldap_setup_conn: %s\n", uri));
+
+ #ifdef HAVE_LDAP_INITIALIZE
+
[email protected]@ -837,74 +867,105 @@
+ return LDAP_SUCCESS;
+ #else
+
++ /* lber_debug = 255 ; */
++ /* ldap_debug = 1023 | 0x4000 ; */
+
-+ ##############################
-+ # Check if LDAP SDK is Mozilla
-+ AC_CACHE_CHECK([for LDAP_OPT_SIZELIMIT macro],samba_cv_HAVE_LDAP_MOZ,[
-+ AC_TRY_COMPILE([
-+#include <stdio.h>
-+#include <ldap.h>],
-+ [printf("%s\n", LDAP_OPT_SIZELIMIT);],
-+ samba_cv_HAVE_LDAP_MOZ=yes,samba_cv_HAVE_LDAP_MOZ=no)])
-+ if test x"$samba_cv_HAVE_LDAP_MOZ" = x"yes"; then
-+ AC_DEFINE(HAVE_HAVE_LDAP_MOZ,1,
-+ [Whether the LDAP SDK is Mozilla])
-+ fi
+ /* Parse the string manually */
+
+- {
+- int port = 0;
+- fstring protocol;
+- fstring host;
+- SMB_ASSERT(sizeof(protocol)>10 && sizeof(host)>254);
++ SMB_ASSERT(sizeof(protocol)>10 && sizeof(host)>254);
+
+
+- /* skip leading "URL:" (if any) */
+- if ( strnequal( uri, "URL:", 4 ) ) {
+- uri += 4;
+- }
++ /* skip leading "URL:" (if any) */
++ if ( strnequal( uri, "URL:", 4 ) ) {
++ uri += 4;
++ }
+
+- sscanf(uri, "%10[^:]://%254[^:/]:%d", protocol, host, &port);
++ sscanf(uri, "%10[^:]://%254[^:/]:%d", protocol, host, &port);
+
+- if (port == 0) {
+- if (strequal(protocol, "ldap")) {
+- port = LDAP_PORT;
+- } else if (strequal(protocol, "ldaps")) {
+- port = LDAPS_PORT;
+- } else {
+- DEBUG(0, ("unrecognised protocol (%s)!\n", protocol));
+- }
++ if (port == 0) {
++ if (strequal(protocol, "ldap")) {
++ port = LDAP_PORT;
++ } else if (strequal(protocol, "ldaps")) {
++ port = LDAPS_PORT;
++ } else {
++ DEBUG(0, ("unrecognised protocol (%s)!\n", protocol));
++ return LDAP_OPERATIONS_ERROR;
+ }
++ }
+
++ if (strequal(protocol, "ldap")) {
+ if ((*ldap_struct = ldap_init(host, port)) == NULL) {
+ DEBUG(0, ("ldap_init failed !\n"));
+ return LDAP_OPERATIONS_ERROR;
+ }
+-
+- if (strequal(protocol, "ldaps")) {
++ } else if (strequal(protocol, "ldaps")) {
+ #ifdef LDAP_OPT_X_TLS
+- int tls = LDAP_OPT_X_TLS_HARD;
+- if (ldap_set_option (*ldap_struct, LDAP_OPT_X_TLS, &tls) != LDAP_SUCCESS)
+- {
+- DEBUG(0, ("Failed to setup a TLS session\n"));
++ int tls = LDAP_OPT_X_TLS_HARD;
++ if ((*ldap_struct = ldap_init(host, port)) == NULL) {
++ DEBUG(0, ("ldap_init failed !\n"));
++ return LDAP_OPERATIONS_ERROR;
++ }
++ if (ldap_set_option (*ldap_struct, LDAP_OPT_X_TLS, &tls) != LDAP_SUCCESS) {
++ DEBUG(0, ("Failed to setup a TLS session\n"));
++ }
++
++ DEBUG(3,("LDAPS option set...!\n"));
+
- else
- if test x"$with_ldap_support" = x"yes"; then
- AC_MSG_ERROR(libldap is needed for LDAP support)
[email protected]@ -3415,8 +3429,21 @@
++#elif defined(HAVE_LDAPSSL_INIT) /* Netscape */
++ if (*ldap_struct != NULL) {
++ rc = ldap_unbind_s(*ldap_struct);
++ if (rc == LDAP_SUCCESS) {
++ DEBUG(10, ("LDAP already bound... unbound.\n"));
++ } else {
++ DEBUG(10, ("ldap_unbind_s failed: %s\n",
++ ldap_err2string(rc)));
+ }
++ *ldap_struct = NULL;
++ }
++ rc = ldapssl_clientauth_init(lp_ldap_certdb_dir(), NULL,
++ lp_ldap_privkey_open(), lp_ldap_keydb_dir(), NULL);
++ if (rc != LDAP_SUCCESS) {
++ DEBUG(0,("ldapssl_clientauth_init with '%s' cert db, "
++ "%s key db, failed: %s\n",
++ lp_ldap_certdb_dir(), lp_ldap_keydb_dir(),
++ ldap_err2string(rc)));
++ return rc;
++ }
+
+- DEBUG(3,("LDAPS option set...!\n"));
++ if ((*ldap_struct = ldapssl_init(host, port, True)) == NULL) {
++ DEBUG(0, ("ldapssl_init to %s:%d failed!\n", host,
++ port));
++ return LDAP_OPERATIONS_ERROR;
++ }
+ #else
+- DEBUG(0,("smbldap_open_connection: Secure connection not supported by LDAP client libraries!\n"));
++ DEBUG(0,("smbldap_open_connection: Secure connection not supported by LDAP client libraries!\n"));
+ return LDAP_OPERATIONS_ERROR;
+ #endif /* LDAP_OPT_X_TLS */
+- }
+ }
+ #endif /* HAVE_LDAP_INITIALIZE */
+
++#ifdef LDAP_OPT_TIMELIMIT
++ rc = ldap_set_option(*ldap_struct, LDAP_OPT_TIMELIMIT, &ot);
++ if (rc != LDAP_SUCCESS) {
++ DEBUG(0,("Failed to setup a ldap operation timeout %d: %s\n",
++ ot, ldap_err2string(rc)));
++ }
++#endif
++
+ /* now set connection timeout */
+ #ifdef LDAP_X_OPT_CONNECT_TIMEOUT /* Netscape */
+- {
+- int ct = lp_ldap_connection_timeout()*1000;
+- rc = ldap_set_option(*ldap_struct, LDAP_X_OPT_CONNECT_TIMEOUT, &ct);
+- if (rc != LDAP_SUCCESS) {
+- DEBUG(0,("Failed to setup an ldap connection timeout %d: %s\n",
+- ct, ldap_err2string(rc)));
+- }
++ rc = ldap_set_option(*ldap_struct, LDAP_X_OPT_CONNECT_TIMEOUT, &ct);
++ if (rc != LDAP_SUCCESS) {
++ DEBUG(0,("Failed to setup an ldap connection timeout %d: %s\n",
++ ct, ldap_err2string(rc)));
+ }
+ #elif defined (LDAP_OPT_NETWORK_TIMEOUT) /* OpenLDAP */
+- {
+- struct timeval ct;
+- ct.tv_usec = 0;
+- ct.tv_sec = lp_ldap_connection_timeout();
+- rc = ldap_set_option(*ldap_struct, LDAP_OPT_NETWORK_TIMEOUT, &ct);
+- if (rc != LDAP_SUCCESS) {
+- DEBUG(0,("Failed to setup an ldap connection timeout %d: %s\n",
+- (int)ct.tv_sec, ldap_err2string(rc)));
+- }
++ ct.tv_usec = 0;
++ ct.tv_sec = lp_ldap_connection_timeout();
++ rc = ldap_set_option(*ldap_struct, LDAP_OPT_NETWORK_TIMEOUT, &ct);
++ if (rc != LDAP_SUCCESS) {
++ DEBUG(0,("Failed to setup an ldap connection timeout %d: %s\n",
++ (int)ct.tv_sec, ldap_err2string(rc)));
+ }
+ #endif
+
[email protected]@ -1094,7 +1155,7 @@
+ * our credentials. At least *try* to secure the connection - Guenther */
+
+ smb_ldap_upgrade_conn(ldap_struct, &version);
+- smb_ldap_start_tls(ldap_struct, version);
++ /* smb_ldap_start_tls(ldap_struct, version); */
+
+ /** @TODO Should we be doing something to check what servers we rebind to?
+ Could we get a referral to a machine that we don't want to give our
+--- a/source3/configure.in 2013-04-26 03:05:37.000000000 -0700
++++ b/source3/configure.in 2013-05-09 13:54:35.613605329 -0700
[email protected]@ -3485,6 +3485,14 @@
+ fi
+
+ ##################################################################
++ # check for ldap_ssl.h (Mozldap)
++ AC_CHECK_HEADERS([ldap_ssl.h], [], [],
++ [[#if HAVE_LDAP_H
++ #include <ldap.h>
++ #endif
++ ]])
++
++ ##################################################################
+ # HP/UX does not have ber_tag_t in lber.h - it must be configured as
+ # unsigned int in include/includes.h
+ case $host_os in
[email protected]@ -3551,6 +3562,14 @@
+ AC_CHECK_LIB_EXT(ldap, LDAP_LIBS, ldap_init)
+
+ ########################################################
++ # check for Netscape mozldap SSL API
++ AC_CHECK_FUNC_EXT(ldapssl_init,$LDAP_LIBS)
++
++ ########################################################
++ # check for StartTLS on API
++ AC_CHECK_FUNC_EXT(ldap_start_tls_s,$LDAP_LIBS)
++
++ ########################################################
+ # If we have LDAP, does it's rebind procedure take 2 or 3 arguments?
+ # Check found in pam_ldap 145.
+ AC_CHECK_FUNC_EXT(ldap_set_rebind_proc,$LDAP_LIBS)
[email protected]@ -3627,33 +3646,17 @@
# Check to see whether there is enough LDAP functionality to be able
# to build AD support.
-# HPUX only has ldap_init; ok, we take care of this in smbldap.c
-case "$host_os" in
-+ if test x"$samba_cv_HAVE_LDAP_MOZ" = x"yes"; then
-+ # Mozilla LDAP C-SDK has only has ldap_open/ldap_init; ok, we take care of this in smbldap.c
-+ AC_CHECK_FUNC_EXT(ldap_open,$LDAP_LIBS)
-+
-+ if test x"$ac_cv_func_ext_ldap_open" != x"yes"; then
-+ if test x"$with_ads_support" = x"yes"; then
-+ AC_MSG_ERROR(Active Directory support with Mozldap C-SDK requires ldap_open)
-+ elif test x"$with_ads_support" = x"auto"; then
-+ AC_MSG_WARN(Disabling Active Directory support (requires ldap_open with Mozldap C-SDK))
-+ with_ads_support=no
-+ fi
-+ fi
-+ else
-+ # HPUX only has ldap_init; ok, we take care of this in smbldap.c
-+ case "$host_os" in
- *hpux*)
- AC_CHECK_FUNC_EXT(ldap_init,$LDAP_LIBS)
+- *hpux*)
+- AC_CHECK_FUNC_EXT(ldap_init,$LDAP_LIBS)
++ # URL-open support is added into smbldap.c so ldap_init is enough
++ AC_CHECK_LIB_EXT(ldap, LDAP_LIBS, ldap_init)
[email protected]@ -3441,7 +3468,8 @@
+- if test x"$ac_cv_func_ext_ldap_init" != x"yes"; then
++ if test x"$ac_cv_lib_ext_ldap_ldap_init" != x"yes"; then
+ if test x"$with_ads_support" = x"yes"; then
+- AC_MSG_ERROR(Active Directory support on HPUX requires ldap_init)
++ AC_MSG_ERROR(Active Directory support requires ldap_init)
+ elif test x"$with_ads_support" = x"auto"; then
+- AC_MSG_WARN(Disabling Active Directory support (requires ldap_init on HPUX))
++ AC_MSG_WARN(Disabling Active Directory support (requires ldap_init))
+ with_ads_support=no
fi
fi
- ;;
+- ;;
+- *)
+- AC_CHECK_FUNC_EXT(ldap_initialize,$LDAP_LIBS)
+-
+- if test x"$ac_cv_func_ext_ldap_initialize" != x"yes"; then
+- if test x"$with_ads_support" = x"yes"; then
+- AC_MSG_ERROR(Active Directory support requires ldap_initialize)
+- elif test x"$with_ads_support" = x"auto"; then
+- AC_MSG_WARN(Disabling Active Directory support (requires ldap_initialize))
+- with_ads_support=no
+- fi
+- fi
+- ;;
-esac
-+ esac
-+ fi
AC_CHECK_FUNC_EXT(ldap_add_result_entry,$LDAP_LIBS)