125 lines
3.9 KiB
Diff
125 lines
3.9 KiB
Diff
From a6f795ba3d6048b32d7863468688bf7f42b2cafd Mon Sep 17 00:00:00 2001
|
|
From: Sumit Bose <sbose@redhat.com>
|
|
Date: Fri, 11 Oct 2019 16:39:25 +0200
|
|
Subject: [PATCH 1/2] Use GSS-SPNEGO if available
|
|
|
|
Currently adcli uses the GSSAPI SASL mechanism for LDAP authentication
|
|
and to establish encryption. While this works in general it does not
|
|
handle some of the more advanced features which can be required by AD
|
|
DCs.
|
|
|
|
The GSS-SPNEGO mechanism can handle them and is used with this patch by
|
|
adcli if the AD DC indicates that it supports it.
|
|
|
|
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1762420
|
|
---
|
|
library/adconn.c | 35 ++++++++++++++++++++++++++++++++++-
|
|
library/adconn.h | 3 +++
|
|
2 files changed, 37 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/library/adconn.c b/library/adconn.c
|
|
index bcaced8..ffb54f9 100644
|
|
--- a/library/adconn.c
|
|
+++ b/library/adconn.c
|
|
@@ -77,6 +77,7 @@ struct _adcli_conn_ctx {
|
|
char *default_naming_context;
|
|
char *configuration_naming_context;
|
|
char **supported_capabilities;
|
|
+ char **supported_sasl_mechs;
|
|
|
|
/* Connect state */
|
|
LDAP *ldap;
|
|
@@ -845,6 +846,7 @@ connect_and_lookup_naming (adcli_conn *conn,
|
|
"defaultNamingContext",
|
|
"configurationNamingContext",
|
|
"supportedCapabilities",
|
|
+ "supportedSASLMechanisms",
|
|
NULL
|
|
};
|
|
|
|
@@ -897,6 +899,11 @@ connect_and_lookup_naming (adcli_conn *conn,
|
|
"supportedCapabilities");
|
|
}
|
|
|
|
+ if (conn->supported_sasl_mechs == NULL) {
|
|
+ conn->supported_sasl_mechs = _adcli_ldap_parse_values (ldap, results,
|
|
+ "supportedSASLMechanisms");
|
|
+ }
|
|
+
|
|
ldap_msgfree (results);
|
|
|
|
if (conn->default_naming_context == NULL) {
|
|
@@ -1022,6 +1029,7 @@ authenticate_to_directory (adcli_conn *conn)
|
|
OM_uint32 minor;
|
|
ber_len_t ssf;
|
|
int ret;
|
|
+ const char *mech = "GSSAPI";
|
|
|
|
if (conn->ldap_authenticated)
|
|
return ADCLI_SUCCESS;
|
|
@@ -1038,7 +1046,11 @@ authenticate_to_directory (adcli_conn *conn)
|
|
ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MIN, &ssf);
|
|
return_unexpected_if_fail (ret == 0);
|
|
|
|
- ret = ldap_sasl_interactive_bind_s (conn->ldap, NULL, "GSSAPI", NULL, NULL,
|
|
+ if (adcli_conn_server_has_sasl_mech (conn, "GSS-SPNEGO")) {
|
|
+ mech = "GSS-SPNEGO";
|
|
+ }
|
|
+
|
|
+ ret = ldap_sasl_interactive_bind_s (conn->ldap, NULL, mech, NULL, NULL,
|
|
LDAP_SASL_QUIET, sasl_interact, NULL);
|
|
|
|
/* Clear the credential cache GSSAPI to use (for this thread) */
|
|
@@ -1231,6 +1243,7 @@ conn_free (adcli_conn *conn)
|
|
free (conn->default_naming_context);
|
|
free (conn->configuration_naming_context);
|
|
_adcli_strv_free (conn->supported_capabilities);
|
|
+ _adcli_strv_free (conn->supported_sasl_mechs);
|
|
|
|
free (conn->computer_name);
|
|
free (conn->host_fqdn);
|
|
@@ -1606,6 +1619,26 @@ adcli_conn_server_has_capability (adcli_conn *conn,
|
|
return 0;
|
|
}
|
|
|
|
+bool
|
|
+adcli_conn_server_has_sasl_mech (adcli_conn *conn,
|
|
+ const char *mech)
|
|
+{
|
|
+ int i;
|
|
+
|
|
+ return_val_if_fail (conn != NULL, false);
|
|
+ return_val_if_fail (mech != NULL, false);
|
|
+
|
|
+ if (!conn->supported_sasl_mechs)
|
|
+ return false;
|
|
+
|
|
+ for (i = 0; conn->supported_sasl_mechs[i] != NULL; i++) {
|
|
+ if (strcasecmp (mech, conn->supported_sasl_mechs[i]) == 0)
|
|
+ return true;
|
|
+ }
|
|
+
|
|
+ return false;
|
|
+}
|
|
+
|
|
bool adcli_conn_is_writeable (adcli_conn *conn)
|
|
{
|
|
disco_dance_if_necessary (conn);
|
|
diff --git a/library/adconn.h b/library/adconn.h
|
|
index 1ad5715..37ebdd9 100644
|
|
--- a/library/adconn.h
|
|
+++ b/library/adconn.h
|
|
@@ -149,6 +149,9 @@ void adcli_conn_set_krb5_conf_dir (adcli_conn *conn,
|
|
int adcli_conn_server_has_capability (adcli_conn *conn,
|
|
const char *capability);
|
|
|
|
+bool adcli_conn_server_has_sasl_mech (adcli_conn *conn,
|
|
+ const char *mech);
|
|
+
|
|
bool adcli_conn_is_writeable (adcli_conn *conn);
|
|
|
|
#endif /* ADCONN_H_ */
|
|
--
|
|
2.21.0
|
|
|