diff options
| author | Alexander Bokovoy <abokovoy@redhat.com> | 2015-01-15 13:11:01 +0200 |
|---|---|---|
| committer | Martin Kosek <mkosek@redhat.com> | 2015-01-19 12:05:52 +0100 |
| commit | 5672eb14def7b2010f1d08825eec58ff1444073f (patch) | |
| tree | 974fdf09b0b4d578637760da9e7965016df0397f /ipapython/ipavalidate.py | |
| parent | d57efb74bb6ad91b029fffff39ed4e482c41f8ba (diff) | |
| download | freeipa-5672eb14def7b2010f1d08825eec58ff1444073f.tar.gz freeipa-5672eb14def7b2010f1d08825eec58ff1444073f.tar.xz freeipa-5672eb14def7b2010f1d08825eec58ff1444073f.zip | |
ipa-cldap: support NETLOGON_NT_VERSION_5EX_WITH_IP properly
According to MS-ADTS 6.3.3.2, "Domain Controller Response to an LDAP Ping",
if NETLOGON_NT_VERSION_5EX_WITH_IP is requested in NtVer, we should fill the
socket address of the server and set the NtVer of the response accordingly.
The behavior is a bit unclear from 6.3.3.2 but Samba expects LDAP ping to behave
the same way as a mailslot ping, described in 6.3.5, where socket address of the
server is included only if _WITH_IP variant was requested in NtVer. If NtVer
only contains NETLOGON_NT_VERSION_5EX (without _WITH_IP bit), socket
address should not be filled in.
Additionally, this means we should use special variant of
ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX helper named
ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX_with_flags to properly handle optional
existence of the socket address in the response.
https://fedorahosted.org/freeipa/ticket/4827
Reviewed-By: Sumit Bose <sbose@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Diffstat (limited to 'ipapython/ipavalidate.py')
0 files changed, 0 insertions, 0 deletions