authorAndrew Bartlett <abartlet@samba.org>2005-12-11 08:31:46 +0000
committerAndrew Bartlett <abartlet@samba.org>2005-12-11 08:31:46 +0000
commit33677f2cccc5bd0242b54a5acf2af20ed7379f9e (patch)
treef22f5851c0b0f073803837d6be5a7b90876c4971 /source/auth
parentd93568eb821ba0bd58ea4e883e4f56726c87aee5 (diff)
r12179: Allow our KDC to use LDAP to get to the backend database.
To avoid a circular dependency, it is not allowed to use Krb5 as an authentication mechanism, so this must be removed from the list. An extension to the credentials system allows this function. Also remove proto.h use for any of the KDC, and use NTSTATUS returns in more places. Andrew Bartlett
Diffstat (limited to 'source/auth')
-rw-r--r--source/auth/credentials/credentials_gensec.c47
-rw-r--r--source/auth/gensec/gensec.c7
2 files changed, 51 insertions, 3 deletions
diff --git a/source/auth/credentials/credentials_gensec.c b/source/auth/credentials/credentials_gensec.c
index 077e4689ec0..fcaa760ed4c 100644
--- a/source/auth/credentials/credentials_gensec.c
+++ b/source/auth/credentials/credentials_gensec.c
@@ -24,8 +24,53 @@
const struct gensec_security_ops **cli_credentials_gensec_list(struct cli_credentials *creds)
{
- if (!creds->gensec_list) {
+ if (!creds || !creds->gensec_list) {
return gensec_security_all();
}
return creds->gensec_list;
}
+
+static NTSTATUS cli_credentials_gensec_remove_mech(struct cli_credentials *creds,
+ const struct gensec_security_ops *remove_mech)
+{
+ const struct gensec_security_ops **gensec_list;
+ const struct gensec_security_ops **new_gensec_list;
+ int i, j;
+
+ gensec_list = cli_credentials_gensec_list(creds);
+
+ for (i=0; gensec_list && gensec_list[i]; i++) {
+ /* noop */
+ }
+
+ new_gensec_list = talloc_array(creds, const struct gensec_security_ops *, i + 1);
+ if (!new_gensec_list) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ j = 0;
+ for (i=0; gensec_list && gensec_list[i]; i++) {
+ if (gensec_list[i] != remove_mech) {
+ new_gensec_list[j] = gensec_list[i];
+ j++;
+ }
+ }
+ new_gensec_list[j] = NULL;
+
+ creds->gensec_list = new_gensec_list;
+
+ return NT_STATUS_OK;
+}
+
+NTSTATUS cli_credentials_gensec_remove_oid(struct cli_credentials *creds,
+ const char *oid)
+{
+ const struct gensec_security_ops *gensec_by_oid;
+
+ gensec_by_oid = gensec_security_by_oid(NULL, oid);
+ if (!gensec_by_oid) {
+ return NT_STATUS_OK;
+ }
+
+ return cli_credentials_gensec_remove_mech(creds, gensec_by_oid);
+}
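Review bot: `cli_credentials_gensec_remove_mech` dereferences `creds` unconditionally at `creds->gensec_list = new_gensec_list;`, although this same hunk makes `cli_credentials_gensec_list` accept a NULL `creds`. A NULL handle passed to the exported `cli_credentials_gensec_remove_oid` would therefore get past the list lookup, allocate the copy on a NULL talloc context and then crash on the assignment. Add `if (!creds) { return NT_STATUS_INVALID_PARAMETER; }` at the top of `cli_credentials_gensec_remove_oid`. Separately, returning `NT_STATUS_OK` when `gensec_security_by_oid` finds nothing reports a mistyped OID as a successful removal; since the commit message says the removal exists to keep Krb5 out of the KDC's LDAP connection, a comment such as `/* unknown OID: mechanism is not registered, so there is nothing to remove */` would mark that as deliberate. The previous `creds->gensec_list`, if one was set, also appears to stay allocated on `creds` after being replaced.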
diff --git a/source/auth/gensec/gensec.c b/source/auth/gensec/gensec.c
index 0d79cb892cb..26f245787be 100644
--- a/source/auth/gensec/gensec.c
+++ b/source/auth/gensec/gensec.c
@@ -53,8 +53,8 @@ static const struct gensec_security_ops *gensec_security_by_authtype(struct gens
return NULL;
}
-static const struct gensec_security_ops *gensec_security_by_oid(struct gensec_security *gensec_security,
- const char *oid_string)
+const struct gensec_security_ops *gensec_security_by_oid(struct gensec_security *gensec_security,
+ const char *oid_string)
{
int i, j;
const struct gensec_security_ops **backends;
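Review bot: `gensec_security_by_oid` loses `static` here without gaining a comment, and the new caller in credentials_gensec.c passes `NULL` as `gensec_security`. The body continues outside this hunk, so whether every use of that argument tolerates NULL cannot be confirmed from here; the guard this commit adds to `gensec_get_credentials` suggests that is the intended path. A header comment along the lines of `/* gensec_security may be NULL, in which case all registered mechanisms are searched; returns NULL if no mechanism advertises oid_string */` would state the contract for external callers, once checked against the body.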
@@ -805,6 +805,9 @@ NTSTATUS gensec_set_credentials(struct gensec_security *gensec_security, struct
struct cli_credentials *gensec_get_credentials(struct gensec_security *gensec_security)
{
+ if (!gensec_security) {
+ return NULL;
+ }
return gensec_security->credentials;
}
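Review bot: The new NULL branch in `gensec_get_credentials` is undocumented, and its effect may be wider than the accessor suggests. If, as the matching NULL check added to `cli_credentials_gensec_list` in this commit suggests, the result is handed on to that function, a context without credentials selects `gensec_security_all()`, the unrestricted mechanism list, which includes any mechanism removed from some other credentials object via `cli_credentials_gensec_remove_oid`. Proposed comment above the check: `/* NULL gensec_security is allowed (mechanism lookup without a context); callers must handle a NULL return */`. Callers outside this diff that dereference the result are not visible here and would need checking.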