summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--src/providers/ipa/ipa_auth.c2
-rw-r--r--src/providers/ldap/ldap_id.c3
-rw-r--r--src/providers/ldap/sdap_async.h10
-rw-r--r--src/providers/ldap/sdap_async_connection.c35
-rw-r--r--src/providers/ldap/sdap_id_op.c4
5 files changed, 43 insertions, 11 deletions
diff --git a/src/providers/ipa/ipa_auth.c b/src/providers/ipa/ipa_auth.c
index f0bdd429e..713bf3e76 100644
--- a/src/providers/ipa/ipa_auth.c
+++ b/src/providers/ipa/ipa_auth.c
@@ -92,7 +92,7 @@ static struct tevent_req *get_password_migration_flag_send(TALLOC_CTX *memctx,
subreq = sdap_cli_connect_send(state, ev, sdap_auth_ctx->opts,
sdap_auth_ctx->be, sdap_auth_ctx->service,
- true);
+ true, CON_TLS_DFL, false);
if (subreq == NULL) {
DEBUG(1, ("sdap_cli_connect_send failed.\n"));
goto fail;
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
index bd46dc9d8..a1984cefd 100644
--- a/src/providers/ldap/ldap_id.c
+++ b/src/providers/ldap/ldap_id.c
@@ -672,7 +672,8 @@ void sdap_check_online(struct be_req *be_req)
struct sdap_id_ctx);
req = sdap_cli_connect_send(be_req, be_req->be_ctx->ev, ctx->opts,
- be_req->be_ctx, ctx->service, false);
+ be_req->be_ctx, ctx->service, false,
+ CON_TLS_DFL, false);
if (req == NULL) {
DEBUG(1, ("sdap_cli_connect_send failed.\n"));
goto done;
diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h
index 5da2cff4e..4ba2770c9 100644
--- a/src/providers/ldap/sdap_async.h
+++ b/src/providers/ldap/sdap_async.h
@@ -131,12 +131,20 @@ int sdap_exop_modify_passwd_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
enum sdap_result *result,
char **user_error_msg);
+enum connect_tls {
+ CON_TLS_DFL,
+ CON_TLS_ON,
+ CON_TLS_OFF
+};
+
struct tevent_req *sdap_cli_connect_send(TALLOC_CTX *memctx,
struct tevent_context *ev,
struct sdap_options *opts,
struct be_ctx *be,
struct sdap_service *service,
- bool skip_rootdse);
+ bool skip_rootdse,
+ enum connect_tls force_tls,
+ bool skip_auth);
int sdap_cli_connect_recv(struct tevent_req *req,
TALLOC_CTX *memctx,
bool *can_retry,
diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
index 0d3fd25cb..1f829f176 100644
--- a/src/providers/ldap/sdap_async_connection.c
+++ b/src/providers/ldap/sdap_async_connection.c
@@ -1125,6 +1125,9 @@ struct sdap_cli_connect_state {
struct fo_server *srv;
struct sdap_server_opts *srv_opts;
+
+ enum connect_tls force_tls;
+ bool do_auth;
};
static int sdap_cli_resolve_next(struct tevent_req *req);
@@ -1142,7 +1145,9 @@ struct tevent_req *sdap_cli_connect_send(TALLOC_CTX *memctx,
struct sdap_options *opts,
struct be_ctx *be,
struct sdap_service *service,
- bool skip_rootdse)
+ bool skip_rootdse,
+ enum connect_tls force_tls,
+ bool skip_auth)
{
struct sdap_cli_connect_state *state;
struct tevent_req *req;
@@ -1159,6 +1164,8 @@ struct tevent_req *sdap_cli_connect_send(TALLOC_CTX *memctx,
state->srv_opts = NULL;
state->be = be;
state->use_rootdse = !skip_rootdse;
+ state->force_tls = force_tls;
+ state->do_auth = !skip_auth;
ret = sdap_cli_resolve_next(req);
if (ret) {
@@ -1196,8 +1203,16 @@ static void sdap_cli_resolve_done(struct tevent_req *subreq)
struct sdap_cli_connect_state *state = tevent_req_data(req,
struct sdap_cli_connect_state);
int ret;
- bool use_tls = dp_opt_get_bool(state->opts->basic,
- SDAP_ID_TLS);
+ bool use_tls;
+
+ switch (state->force_tls) {
+ case CON_TLS_DFL:
+ use_tls = dp_opt_get_bool(state->opts->basic, SDAP_ID_TLS);
+ case CON_TLS_ON:
+ use_tls = true;
+ case CON_TLS_OFF:
+ use_tls = false;
+ }
ret = be_resolve_server_recv(subreq, &state->srv);
talloc_zfree(subreq);
@@ -1256,7 +1271,7 @@ static void sdap_cli_connect_done(struct tevent_req *subreq)
sasl_mech = dp_opt_get_string(state->opts->basic, SDAP_SASL_MECH);
- if (sasl_mech && state->use_rootdse) {
+ if (state->do_auth && sasl_mech && state->use_rootdse) {
/* check if server claims to support GSSAPI */
if (!sdap_is_sasl_mech_supported(state->sh, sasl_mech)) {
tevent_req_error(req, ENOTSUP);
@@ -1264,7 +1279,7 @@ static void sdap_cli_connect_done(struct tevent_req *subreq)
}
}
- if (sasl_mech && (strcasecmp(sasl_mech, "GSSAPI") == 0)) {
+ if (state->do_auth && sasl_mech && (strcasecmp(sasl_mech, "GSSAPI") == 0)) {
if (dp_opt_get_bool(state->opts->basic, SDAP_KRB5_KINIT)) {
sdap_cli_kinit_step(req);
return;
@@ -1367,7 +1382,7 @@ static void sdap_cli_rootdse_done(struct tevent_req *subreq)
sasl_mech = dp_opt_get_string(state->opts->basic, SDAP_SASL_MECH);
- if (sasl_mech && state->use_rootdse) {
+ if (state->do_auth && sasl_mech && state->use_rootdse) {
/* check if server claims to support GSSAPI */
if (!sdap_is_sasl_mech_supported(state->sh, sasl_mech)) {
tevent_req_error(req, ENOTSUP);
@@ -1375,7 +1390,7 @@ static void sdap_cli_rootdse_done(struct tevent_req *subreq)
}
}
- if (sasl_mech && (strcasecmp(sasl_mech, "GSSAPI") == 0)) {
+ if (state->do_auth && sasl_mech && (strcasecmp(sasl_mech, "GSSAPI") == 0)) {
if (dp_opt_get_bool(state->opts->basic, SDAP_KRB5_KINIT)) {
sdap_cli_kinit_step(req);
return;
@@ -1459,6 +1474,12 @@ static void sdap_cli_auth_step(struct tevent_req *req)
struct sdap_cli_connect_state);
struct tevent_req *subreq;
+ if (!state->do_auth) {
+ /* No authentication requested or GSSAPI auth forced off */
+ tevent_req_done(req);
+ return;
+ }
+
subreq = sdap_auth_send(state,
state->ev,
state->sh,
diff --git a/src/providers/ldap/sdap_id_op.c b/src/providers/ldap/sdap_id_op.c
index 11a379cc9..5087cddc6 100644
--- a/src/providers/ldap/sdap_id_op.c
+++ b/src/providers/ldap/sdap_id_op.c
@@ -465,7 +465,9 @@ static int sdap_id_op_connect_step(struct tevent_req *req)
subreq = sdap_cli_connect_send(conn_data, state->ev,
state->id_ctx->opts,
state->id_ctx->be,
- state->id_ctx->service, false);
+ state->id_ctx->service, false,
+ CON_TLS_DFL, false);
+
if (!subreq) {
ret = ENOMEM;
goto done;