author | Andrew Bartlett <abartlet@samba.org> | 2008-07-15 15:07:13 +1000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2008-07-15 15:07:13 +1000 |
commit | 532899386b229fc4e72303d18e951686634c8757 (patch) | |
tree | 83f588e6a9a3009788bb02fc0df27b76b3ce2c74 /source4/dsdb/samdb/samdb.c | |
parent | f5d18f4d241907950e079dcbfe1c724358187ec0 (diff) | |
Use secrets.ldb to store credentials to contact LDAP backend.
This makes Samba4 behave much like Samba3 did, and use a single set of
administrative credentials for its connection to LDAP.
Andrew Bartlett
(This used to be commit e396a59788d77aa2fbf3b523c3773fe0e5c976c0)
Diffstat (limited to 'source4/dsdb/samdb/samdb.c')
-rw-r--r-- | source4/dsdb/samdb/samdb.c | 27 |
1 files changed, 26 insertions, 1 deletions
diff --git a/source4/dsdb/samdb/samdb.c b/source4/dsdb/samdb/samdb.c
index acc2c2a9a1..b5b7ddfdc6 100644
--- a/source4/dsdb/samdb/samdb.c
+++ b/source4/dsdb/samdb/samdb.c
@@ -39,6 +39,8 @@
 #include "dsdb/common/flags.h"
 #include "param/param.h"
 #include "lib/events/events.h"
+#include "auth/credentials/credentials.h"
+#include "param/secrets.h"
 char *samdb_relative_path(struct ldb_context *ldb, TALLOC_CTX *mem_ctx,
@@ -67,6 +69,28 @@ char *samdb_relative_path(struct ldb_context *ldb,
 return full_name;
 }
+struct cli_credentials *samdb_credentials(TALLOC_CTX *mem_ctx,
+ struct event_context *event_ctx,
+ struct loadparm_context *lp_ctx)
+{
+ struct cli_credentials *cred = cli_credentials_init(mem_ctx);
+ if (!cred) {
+ return NULL;
+ }
+ cli_credentials_set_conf(cred, lp_ctx);
+
+ /* We don't want to use krb5 to talk to our samdb - recursion
+ * here would be bad, and this account isn't in the KDC
+ * anyway */
+ cli_credentials_set_kerberos_state(cred, CRED_DONT_USE_KERBEROS);
+
+ if (!NT_STATUS_IS_OK(cli_credentials_set_secrets(cred, event_ctx, lp_ctx, NULL, NULL,
+ SECRETS_LDAP_FILTER))) {
+ /* Perfectly OK - if not against an LDAP backend */
+ return NULL;
+ }
+ return cred;
+}
 /* connect to the SAM database
@@ -80,7 +104,8 @@ struct ldb_context *samdb_connect(TALLOC_CTX *mem_ctx,
 struct ldb_context *ldb;
 ldb = ldb_wrap_connect(mem_ctx, ev_ctx, lp_ctx, lp_sam_url(lp_ctx), session_info,
- NULL, 0, NULL);
+ samdb_credentials(mem_ctx, ev_ctx, lp_ctx),
+ 0, NULL);
 if (!ldb) {
 return NULL;
 }
 |
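Review bot: In samdb_credentials, the failure branch after `cli_credentials_set_secrets` returns NULL without releasing `cred`, so the object stays attached to `mem_ctx` for as long as that context lives; adding `talloc_free(cred);` before `return NULL;` would release it. The same branch treats every non-OK status as "not against an LDAP backend", so on an LDAP-backed setup a missing or unreadable secrets entry appears, from the visible code, indistinguishable from the non-LDAP case and the caller carries on without credentials. Keeping the status in a local and logging it, for example `DEBUG(5, ("samdb_credentials: no LDAP credentials loaded: %s\n", nt_errstr(status)));`, would make that case visible to an operator. The new function also has no header comment; one stating that NULL means either allocation failure or no stored LDAP credentials would help callers.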
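Review bot: The object returned by `samdb_credentials(mem_ctx, ev_ctx, lp_ctx)` is allocated on the caller's `mem_ctx` and passed inline, so on the `if (!ldb)` path nothing in the hunk frees it, and it holds the administrative secret read from secrets.ldb. Holding the result in a local, e.g. `struct cli_credentials *cred = samdb_credentials(mem_ctx, ev_ctx, lp_ctx);`, and calling `talloc_free(cred);` before `return NULL;` would bound that lifetime. Whether ldb_wrap_connect takes its own reference to the credentials on success is not visible here and should be confirmed before changing ownership. samdb_connect starts before and continues after this hunk.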