-rw-r--r-- | src/providers/ipa/ipa_auth.c | 2 | ||||
-rw-r--r-- | src/providers/ldap/ldap_id.c | 3 | ||||
-rw-r--r-- | src/providers/ldap/sdap_async.h | 10 | ||||
-rw-r--r-- | src/providers/ldap/sdap_async_connection.c | 35 | ||||
-rw-r--r-- | src/providers/ldap/sdap_id_op.c | 4 |
5 files changed, 43 insertions, 11 deletions
diff --git a/src/providers/ipa/ipa_auth.c b/src/providers/ipa/ipa_auth.c index f0bdd429e..713bf3e76 100644 --- a/src/providers/ipa/ipa_auth.c +++ b/src/providers/ipa/ipa_auth.c @@ -92,7 +92,7 @@ static struct tevent_req *get_password_migration_flag_send(TALLOC_CTX *memctx, subreq = sdap_cli_connect_send(state, ev, sdap_auth_ctx->opts, sdap_auth_ctx->be, sdap_auth_ctx->service, - true); + true, CON_TLS_DFL, false); if (subreq == NULL) { DEBUG(1, ("sdap_cli_connect_send failed.\n")); goto fail; diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c index bd46dc9d8..a1984cefd 100644 --- a/src/providers/ldap/ldap_id.c +++ b/src/providers/ldap/ldap_id.c @@ -672,7 +672,8 @@ void sdap_check_online(struct be_req *be_req) struct sdap_id_ctx); req = sdap_cli_connect_send(be_req, be_req->be_ctx->ev, ctx->opts, - be_req->be_ctx, ctx->service, false); + be_req->be_ctx, ctx->service, false, + CON_TLS_DFL, false); if (req == NULL) { DEBUG(1, ("sdap_cli_connect_send failed.\n")); goto done; diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h index 5da2cff4e..4ba2770c9 100644 --- a/src/providers/ldap/sdap_async.h +++ b/src/providers/ldap/sdap_async.h @@ -131,12 +131,20 @@ int sdap_exop_modify_passwd_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx, enum sdap_result *result, char **user_error_msg); +enum connect_tls { + CON_TLS_DFL, + CON_TLS_ON, + CON_TLS_OFF +}; + struct tevent_req *sdap_cli_connect_send(TALLOC_CTX *memctx, struct tevent_context *ev, struct sdap_options *opts, struct be_ctx *be, struct sdap_service *service, - bool skip_rootdse); + bool skip_rootdse, + enum connect_tls force_tls, + bool skip_auth); int sdap_cli_connect_recv(struct tevent_req *req, TALLOC_CTX *memctx, bool *can_retry, diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c index 0d3fd25cb..1f829f176 100644 --- a/src/providers/ldap/sdap_async_connection.c +++ b/src/providers/ldap/sdap_async_connection.c 
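Review bot: The new `enum connect_tls` and the `force_tls`/`skip_auth` parameters added to sdap_cli_connect_send in sdap_async.h carry no documentation, so a caller reading the header cannot tell that CON_TLS_OFF establishes the connection with no TLS regardless of the SDAP_ID_TLS setting, or that skip_auth skips the sdap_auth_send step entirely and hands back a connection that was never authenticated. I'd add a comment above the enum, e.g. `/* CON_TLS_DFL: follow SDAP_ID_TLS; CON_TLS_ON / CON_TLS_OFF: force TLS on or off for this connection only */`, and one on the prototype stating that `skip_auth` returns an unauthenticated connection and should be used only where the caller needs nothing more than the transport. The ipa_auth.c and ldap_id.c hunks on this line only update call sites with CON_TLS_DFL/false and need no change.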
@@ -1125,6 +1125,9 @@ struct sdap_cli_connect_state { struct fo_server *srv; struct sdap_server_opts *srv_opts; + + enum connect_tls force_tls; + bool do_auth; }; static int sdap_cli_resolve_next(struct tevent_req *req); @@ -1142,7 +1145,9 @@ struct tevent_req *sdap_cli_connect_send(TALLOC_CTX *memctx, struct sdap_options *opts, struct be_ctx *be, struct sdap_service *service, - bool skip_rootdse) + bool skip_rootdse, + enum connect_tls force_tls, + bool skip_auth) { struct sdap_cli_connect_state *state; struct tevent_req *req; @@ -1159,6 +1164,8 @@ struct tevent_req *sdap_cli_connect_send(TALLOC_CTX *memctx, state->srv_opts = NULL; state->be = be; state->use_rootdse = !skip_rootdse; + state->force_tls = force_tls; + state->do_auth = !skip_auth; ret = sdap_cli_resolve_next(req); if (ret) { @@ -1196,8 +1203,16 @@ static void sdap_cli_resolve_done(struct tevent_req *subreq) struct sdap_cli_connect_state *state = tevent_req_data(req, struct sdap_cli_connect_state); int ret; - bool use_tls = dp_opt_get_bool(state->opts->basic, - SDAP_ID_TLS); + bool use_tls; + + switch (state->force_tls) { + case CON_TLS_DFL: + use_tls = dp_opt_get_bool(state->opts->basic, SDAP_ID_TLS); + case CON_TLS_ON: + use_tls = true; + case CON_TLS_OFF: + use_tls = false; + } ret = be_resolve_server_recv(subreq, &state->srv); talloc_zfree(subreq); @@ -1256,7 +1271,7 @@ static void sdap_cli_connect_done(struct tevent_req *subreq) sasl_mech = dp_opt_get_string(state->opts->basic, SDAP_SASL_MECH); - if (sasl_mech && state->use_rootdse) { + if (state->do_auth && sasl_mech && state->use_rootdse) { /* check if server claims to support GSSAPI */ if (!sdap_is_sasl_mech_supported(state->sh, sasl_mech)) { tevent_req_error(req, ENOTSUP); 
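Review bot: The new switch in sdap_cli_resolve_done has no `break` between its cases, so every arm falls through to `use_tls = false`: TLS is silently disabled for all three force_tls values, including the CON_TLS_DFL that the updated callers in ipa_auth.c, ldap_id.c and sdap_id_op.c all pass, which is a regression from the removed `dp_opt_get_bool(..., SDAP_ID_TLS)` line. Because `use_tls` is now declared without an initializer, an enum value outside the three cases would also leave it uninitialized before it is used. Each arm needs a `break;`, and a `default:` arm should assign a defined value; a test that connects with CON_TLS_DFL and SDAP_ID_TLS enabled would have caught the fallthrough. The rest of sdap_cli_resolve_done, including where use_tls is consumed, lies outside the hunk.
```c
    bool use_tls;

    switch (state->force_tls) {
    case CON_TLS_DFL:
        use_tls = dp_opt_get_bool(state->opts->basic, SDAP_ID_TLS);
        break;
    case CON_TLS_ON:
        use_tls = true;
        break;
    case CON_TLS_OFF:
        use_tls = false;
        break;
    default:
        DEBUG(1, ("Unexpected force_tls value, using configured setting.\n"));
        use_tls = dp_opt_get_bool(state->opts->basic, SDAP_ID_TLS);
        break;
    }
    /* … unchanged: be_resolve_server_recv and the rest of sdap_cli_resolve_done … */
```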
@@ -1264,7 +1279,7 @@ static void sdap_cli_connect_done(struct tevent_req *subreq) } } - if (sasl_mech && (strcasecmp(sasl_mech, "GSSAPI") == 0)) { + if (state->do_auth && sasl_mech && (strcasecmp(sasl_mech, "GSSAPI") == 0)) { if (dp_opt_get_bool(state->opts->basic, SDAP_KRB5_KINIT)) { sdap_cli_kinit_step(req); return; @@ -1367,7 +1382,7 @@ static void sdap_cli_rootdse_done(struct tevent_req *subreq) sasl_mech = dp_opt_get_string(state->opts->basic, SDAP_SASL_MECH); - if (sasl_mech && state->use_rootdse) { + if (state->do_auth && sasl_mech && state->use_rootdse) { /* check if server claims to support GSSAPI */ if (!sdap_is_sasl_mech_supported(state->sh, sasl_mech)) { tevent_req_error(req, ENOTSUP); @@ -1375,7 +1390,7 @@ static void sdap_cli_rootdse_done(struct tevent_req *subreq) } } - if (sasl_mech && (strcasecmp(sasl_mech, "GSSAPI") == 0)) { + if (state->do_auth && sasl_mech && (strcasecmp(sasl_mech, "GSSAPI") == 0)) { if (dp_opt_get_bool(state->opts->basic, SDAP_KRB5_KINIT)) { sdap_cli_kinit_step(req); return; @@ -1459,6 +1474,12 @@ static void sdap_cli_auth_step(struct tevent_req *req) struct sdap_cli_connect_state); struct tevent_req *subreq; + if (!state->do_auth) { + /* No authentication requested or GSSAPI auth forced off */ + tevent_req_done(req); + return; + } + subreq = sdap_auth_send(state, state->ev, state->sh, diff --git a/src/providers/ldap/sdap_id_op.c b/src/providers/ldap/sdap_id_op.c index 11a379cc9..5087cddc6 100644 --- a/src/providers/ldap/sdap_id_op.c +++ b/src/providers/ldap/sdap_id_op.c @@ -465,7 +465,9 @@ static int sdap_id_op_connect_step(struct tevent_req *req) subreq = sdap_cli_connect_send(conn_data, state->ev, state->id_ctx->opts, state->id_ctx->be, - state->id_ctx->service, false); + state->id_ctx->service, false, + CON_TLS_DFL, false); + if (!subreq) { ret = ENOMEM; goto done; |
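Review bot: The comment on the new early return in sdap_cli_auth_step, `/* No authentication requested or GSSAPI auth forced off */`, understates what the branch does: it returns before sdap_auth_send for every configured mechanism, not only GSSAPI, and the request completes successfully with a connection that has not been authenticated at all. I'd reword it to `/* skip_auth: complete with an unauthenticated connection; no bind or SASL step is attempted */` so the next reader does not assume a simple bind still happens. The same do_auth gating in sdap_cli_rootdse_done on this line is consistent with the connect_done hunk and needs no change; the sdap_id_op.c hunk only adds a blank line.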