From ddcbb85ed4402b6e877b22d60610d206b1a19bc8 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Mon, 27 Jun 2011 10:03:03 +0200
Subject: Fix TLS/SSL validation after switch to ldap_init_fd

Add sockaddr_storage to sdap_service
Add sdap_call_conn_cb() to call add connection callback directly
Use name based URI instead of IP address based URIs
Use ldap_init_fd() instead of ldap_initialize() if available
Do not access state after tevent_req_done() is called.
Call ldap_install_tls() on ldaps connections
---
 src/providers/ldap/ldap_common.c | 42 +++++++++------------------------------
 1 file changed, 9 insertions(+), 33 deletions(-)
(limited to 'src/providers/ldap/ldap_common.c')
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index 950c6e5aa..17b85c3f0 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
@@ -530,12 +530,9 @@ static void sdap_uri_callback(void *private_data, struct fo_server *server)
     TALLOC_CTX *tmp_ctx = NULL;
     struct sdap_service *service;
     struct resolv_hostent *srvaddr;
-    char *address;
-    const char *safe_address;
+    struct sockaddr_storage *sockaddr;
     const char *tmp;
     char *new_uri;
-    LDAPURLDesc *lud;
-    int ret;
 
     tmp_ctx = talloc_new(NULL);
     if (tmp_ctx == NULL) {
@@ -559,19 +556,10 @@ static void sdap_uri_callback(void *private_data, struct fo_server *server)
         return;
     }
 
-    address = resolv_get_string_address(tmp_ctx, srvaddr);
-    if (address == NULL) {
-        DEBUG(1, ("resolv_get_string_address failed.\n"));
-        talloc_free(tmp_ctx);
-        return;
-    }
-
-    safe_address = sss_ldap_escape_ip_address(tmp_ctx,
-                                              srvaddr->family,
-                                              address);
-    talloc_zfree(address);
-    if (safe_address == NULL) {
-        DEBUG(1, ("sss_ldap_escape_ip_address failed.\n"));
+    sockaddr = resolv_get_sockaddr_address(tmp_ctx, srvaddr,
+                                           fo_get_server_port(server));
+    if (sockaddr == NULL) {
+        DEBUG(1, ("resolv_get_sockaddr_address failed.\n"));
         talloc_free(tmp_ctx);
         return;
     }
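Review bot: The new local `struct sockaddr_storage *sockaddr` in the declaration hunk reuses the name of the well-known `struct sockaddr` tag; C keeps tags and ordinary identifiers in separate namespaces so it compiles, but a reader scanning `sockaddr` in the later hunks cannot tell at a glance whether a type or the resolved-address variable is meant. Renaming it, e.g. `struct sockaddr_storage *sa;`, and using `sa` at the `resolv_get_sockaddr_address(...)` assignment and the `if (sockaddr == NULL)` check would make the intent clearer. The resolution hunk itself looks right: the resolved address stays owned by `tmp_ctx` until it is moved into the service at the end of sdap_uri_callback, and every early return frees `tmp_ctx`. sdap_uri_callback starts and ends outside these hunks.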
@@ -582,24 +570,10 @@ static void sdap_uri_callback(void *private_data, struct fo_server *server)
             tmp = SSS_LDAP_SRV_NAME;
         }
         new_uri = talloc_asprintf(service, "%s://%s:%d",
-                                  tmp, safe_address,
+                                  tmp, fo_get_server_name(server),
                                   fo_get_server_port(server));
     } else {
-        if (tmp && ldap_is_ldap_url(tmp)) {
-            ret = ldap_url_parse(tmp, &lud);
-            if (ret != LDAP_SUCCESS) {
-                DEBUG(0, ("Failed to parse ldap URI (%s)!\n", tmp));
-                talloc_free(tmp_ctx);
-                return;
-            }
-            new_uri = talloc_asprintf(service, "%s://%s:%d",
-                                      lud->lud_scheme,
-                                      safe_address,
-                                      fo_get_server_port(server));
-            ldap_free_urldesc(lud);
-        } else {
-            new_uri = talloc_asprintf(service, "ldap://%s", safe_address);
-        }
+        new_uri = talloc_strdup(service, tmp);
     }
 
     if (!new_uri) {
@@ -613,6 +587,8 @@ static void sdap_uri_callback(void *private_data, struct fo_server *server)
     /* free old one and replace with new one */
     talloc_zfree(service->uri);
     service->uri = new_uri;
+    talloc_zfree(service->sockaddr);
+    service->sockaddr = talloc_steal(service, sockaddr);
 
     talloc_free(tmp_ctx);
 }
-- cgit
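Review bot: The else branch now stores `tmp` verbatim via `talloc_strdup(service, tmp)` and drops the `ldap_is_ldap_url()` / `ldap_url_parse()` validation, so a value that is not an LDAP URL is no longer normalised to `ldap://host` but is kept as the service URI unchecked (a NULL `tmp` at least yields NULL and is caught by the `if (!new_uri)` test below). Since the scheme of this URI presumably decides later whether TLS is installed on the connection, a non-URI value would silently fall through to whatever the LDAP library does with it. If the caller guarantees `tmp` is a validated URI (its origin is outside this hunk), say so with `/* tmp is the configured server URI; the caller has already validated it as an LDAP URL */`; otherwise keep `if (tmp == NULL || !ldap_is_ldap_url(tmp)) { DEBUG(0, ("Invalid ldap URI (%s)!\n", tmp ? tmp : "(null)")); talloc_free(tmp_ctx); return; }` in front of the strdup. Moving the URI from the escaped IP literal to `fo_get_server_name(server)` is what lets the server name be matched by the TLS hostname check, which matches the commit subject; sdap_uri_callback starts before this hunk.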
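Review bot: The two added lines in the final hunk make `service->uri` and `service->sockaddr` describe the same server from two different sources (the configured name versus the resolved address plus `fo_get_server_port(server)`), and nothing on the page documents that they must be replaced together. I would extend the existing comment to `/* free old ones and replace with new ones: uri carries the server name (used for TLS hostname checks), sockaddr the resolved address the socket connects to; always update both */`. The `talloc_steal(service, sockaddr)` before `talloc_free(tmp_ctx)` is correct, since the address was allocated on `tmp_ctx` in the earlier hunk and would otherwise be freed with it.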