125 lines
4.7 KiB
Diff
125 lines
4.7 KiB
Diff
autofs-5.0.5 - add simple bind authentication
|
|
|
|
From: James Y Knight <foom@fuhm.net>
|
|
|
|
This patch adds the ability to do a simple bind against an LDAP server with
|
|
the configured username and password.
|
|
---
|
|
|
|
CHANGELOG | 1 +
|
|
include/lookup_ldap.h | 1 +
|
|
modules/lookup_ldap.c | 21 +++++++++++++--------
|
|
samples/autofs_ldap_auth.conf | 15 +++++++++------
|
|
4 files changed, 24 insertions(+), 14 deletions(-)
|
|
|
|
|
|
--- autofs-5.0.5.orig/CHANGELOG
|
|
+++ autofs-5.0.5/CHANGELOG
|
|
@@ -27,6 +27,7 @@
|
|
- fix ampersand escape in auto.smb.
|
|
- add locality as valid ldap master map attribute.
|
|
- add locality as valid ldap master map attribute fix.
|
|
+- add simple bind authentication.
|
|
|
|
03/09/2009 autofs-5.0.5
|
|
-----------------------
|
|
--- autofs-5.0.5.orig/include/lookup_ldap.h
|
|
+++ autofs-5.0.5/include/lookup_ldap.h
|
|
@@ -97,6 +97,7 @@ struct lookup_context {
|
|
#define LDAP_AUTH_NOTREQUIRED 0x0001
|
|
#define LDAP_AUTH_REQUIRED 0x0002
|
|
#define LDAP_AUTH_AUTODETECT 0x0004
|
|
+#define LDAP_AUTH_USESIMPLE 0x0008
|
|
|
|
/* lookup_ldap.c */
|
|
LDAP *init_ldap_connection(unsigned logopt, const char *uri, struct lookup_context *ctxt);
|
|
--- autofs-5.0.5.orig/modules/lookup_ldap.c
|
|
+++ autofs-5.0.5/modules/lookup_ldap.c
|
|
@@ -137,11 +137,13 @@ static void uris_mutex_unlock(struct loo
|
|
return;
|
|
}
|
|
|
|
-int bind_ldap_anonymous(unsigned logopt, LDAP *ldap, const char *uri, struct lookup_context *ctxt)
|
|
+int bind_ldap_simple(unsigned logopt, LDAP *ldap, const char *uri, struct lookup_context *ctxt)
|
|
{
|
|
int rv;
|
|
|
|
- if (ctxt->version == 2)
|
|
+ if (ctxt->auth_required == LDAP_AUTH_USESIMPLE)
|
|
+ rv = ldap_simple_bind_s(ldap, ctxt->user, ctxt->secret);
|
|
+ else if (ctxt->version == 2)
|
|
rv = ldap_simple_bind_s(ldap, ctxt->base, NULL);
|
|
else
|
|
rv = ldap_simple_bind_s(ldap, NULL, NULL);
|
|
@@ -517,12 +519,12 @@ static int do_bind(unsigned logopt, LDAP
|
|
rv = autofs_sasl_bind(logopt, ldap, ctxt);
|
|
debug(logopt, MODPREFIX "autofs_sasl_bind returned %d", rv);
|
|
} else {
|
|
- rv = bind_ldap_anonymous(logopt, ldap, uri, ctxt);
|
|
- debug(logopt, MODPREFIX "ldap anonymous bind returned %d", rv);
|
|
+ rv = bind_ldap_simple(logopt, ldap, uri, ctxt);
|
|
+ debug(logopt, MODPREFIX "ldap simple bind returned %d", rv);
|
|
}
|
|
#else
|
|
- rv = bind_ldap_anonymous(logopt, ldap, uri, ctxt);
|
|
- debug(logopt, MODPREFIX "ldap anonymous bind returned %d", rv);
|
|
+ rv = bind_ldap_simple(logopt, ldap, uri, ctxt);
|
|
+ debug(logopt, MODPREFIX "ldap simple bind returned %d", rv);
|
|
#endif
|
|
|
|
if (rv != 0)
|
|
@@ -971,11 +973,13 @@ int parse_ldap_config(unsigned logopt, s
|
|
auth_required = LDAP_AUTH_NOTREQUIRED;
|
|
else if (!strcasecmp(authrequired, "autodetect"))
|
|
auth_required = LDAP_AUTH_AUTODETECT;
|
|
+ else if (!strcasecmp(authrequired, "simple"))
|
|
+ auth_required = LDAP_AUTH_USESIMPLE;
|
|
else {
|
|
error(logopt,
|
|
MODPREFIX
|
|
"The authrequired property must have value "
|
|
- "\"yes\", \"no\" or \"autodetect\".");
|
|
+ "\"yes\", \"no\", \"autodetect\", or \"simple\".");
|
|
ret = -1;
|
|
goto out;
|
|
}
|
|
@@ -991,7 +995,8 @@ int parse_ldap_config(unsigned logopt, s
|
|
goto out;
|
|
}
|
|
|
|
- if (authtype && authtype_requires_creds(authtype)) {
|
|
+ if (auth_required == LDAP_AUTH_USESIMPLE ||
|
|
+ (authtype && authtype_requires_creds(authtype))) {
|
|
ret = get_property(logopt, root, "user", &user);
|
|
ret |= get_property(logopt, root, "secret", &secret);
|
|
if (ret != 0 || (!user || !secret)) {
|
|
--- autofs-5.0.5.orig/samples/autofs_ldap_auth.conf
|
|
+++ autofs-5.0.5/samples/autofs_ldap_auth.conf
|
|
@@ -17,17 +17,20 @@ tlsrequired - This flag tells whether
|
|
|
|
authrequired - This option tells whether an authenticated connection to
|
|
the ldap server is required in order to perform ldap queries.
|
|
- If this flag is set to yes, then only authenticated connections
|
|
+ If the flag is set to yes, only sasl authenticated connections
|
|
will be allowed. If it is set to no then authentication is not
|
|
- needed for ldap server connections. Finally, if it is set to
|
|
- autodetect then the ldap server will be queried to establish
|
|
- a suitable authentication mechanism. If no suitable mechanism
|
|
- can be found, connections to the ldap server are made without
|
|
- authentication.
|
|
+ needed for ldap server connections. If it is set to autodetect
|
|
+ then the ldap server will be queried to establish a suitable
|
|
+ sasl authentication mechanism. If no suitable mechanism can be
|
|
+ found, connections to the ldap server are made without
|
|
+ authentication. Finally, if it is set to simple, then simple
|
|
+ authentication will be used instead of SASL.
|
|
+
|
|
Legal values for this option include:
|
|
"yes"
|
|
"no"
|
|
"autodetect"
|
|
+ "simple"
|
|
|
|
authtype - This attribute can be used to specify a preferred
|
|
authentication mechanism. In normal operations, the
|