authorGary Lockyer <gary@catalyst.net.nz>2019-05-21 13:17:22 +1200
committerKarolin Seeger <kseeger@samba.org>2019-06-21 07:56:17 +0000
commit11b1f405ee9d41abf7d801494dbee3d8efc8935d (patch)
tree368fd516572fc297a295ee1149acb6f9275cd264
parent670b864e908a52f14437f7f63e70bf9603906528 (diff)
downloadsamba-11b1f405ee9d41abf7d801494dbee3d8efc8935d.tar.gz
ldap server: generate correct referral schemes
Ensure that the referrals returned in a search request use the same scheme as the request, i.e. referrals received via ldap are prefixed with "ldap://" and those over ldaps are prefixed with "ldaps://" BUG: https://bugzilla.samba.org/show_bug.cgi?id=12478 Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Fri May 24 05:12:14 UTC 2019 on sn-devel-184 (cherry picked from commit 1958cd8a7fb81ec51b81944ecf4dd0fb5c4208fa)
-rw-r--r--lib/ldb/include/ldb_module.h5
-rw-r--r--selftest/knownfail.d/ldap_referrals1
-rw-r--r--source4/dsdb/samdb/ldb_modules/partition.c16
-rw-r--r--source4/ldap_server/ldap_backend.c18
-rw-r--r--source4/ldap_server/ldap_server.c1
-rw-r--r--source4/ldap_server/ldap_server.h6
6 files changed, 41 insertions, 6 deletions
diff --git a/lib/ldb/include/ldb_module.h b/lib/ldb/include/ldb_module.h
index 6ba2a49300a..c73fc37f3aa 100644
--- a/lib/ldb/include/ldb_module.h
+++ b/lib/ldb/include/ldb_module.h
@@ -104,6 +104,11 @@ struct ldb_module;
#define LDB_SECRET_ATTRIBUTE_LIST_OPAQUE "LDB_SECRET_ATTRIBUTE_LIST"
/*
+ * The scheme to be used for referral entries, i.e. ldap or ldaps
+ */
+#define LDAP_REFERRAL_SCHEME_OPAQUE "LDAP_REFERRAL_SCHEME"
+
+/*
these function pointers define the operations that a ldb module can intercept
*/
struct ldb_module_ops {
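Review bot: The comment above `LDAP_REFERRAL_SCHEME_OPAQUE` names the two values but not the type or the lifetime of what is stored under the opaque, which is what a module author needs. From the other hunks the value is a NUL-terminated string (`"ldap"` or `"ldaps"`, stored from string literals in ldap_backend.c), a consumer that finds no opaque falls back to `"ldap"` (partition.c), and ldb_set_opaque stores the pointer without copying, so the setter keeps ownership. Suggest `/* Opaque holding a const char * scheme ("ldap" or "ldaps") used when building referral URIs; unset/NULL means "ldap". The pointer is borrowed, not copied. */`. As a style point, the neighbouring opaque name uses the `LDB_` prefix while this one uses `LDAP_`, which reads as an ldap-server constant placed in a generic ldb header.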
diff --git a/selftest/knownfail.d/ldap_referrals b/selftest/knownfail.d/ldap_referrals
deleted file mode 100644
index 403f0d3bd6d..00000000000
--- a/selftest/knownfail.d/ldap_referrals
+++ /dev/null
@@ -1 +0,0 @@
-^samba.ldap.referrals.samba.tests.ldap_referrals.LdapReferralTest.test_ldaps_search
diff --git a/source4/dsdb/samdb/ldb_modules/partition.c b/source4/dsdb/samdb/ldb_modules/partition.c
index 49bdeb04fa5..f66ccab1dd5 100644
--- a/source4/dsdb/samdb/ldb_modules/partition.c
+++ b/source4/dsdb/samdb/ldb_modules/partition.c
@@ -902,11 +902,17 @@ static int partition_search(struct ldb_module *module, struct ldb_request *req)
data->partitions[i]->ctrl->dn) == 0) &&
(ldb_dn_compare(req->op.search.base,
data->partitions[i]->ctrl->dn) != 0)) {
- char *ref = talloc_asprintf(ac,
- "ldap://%s/%s%s",
- lpcfg_dnsdomain(lp_ctx),
- ldb_dn_get_linearized(data->partitions[i]->ctrl->dn),
- req->op.search.scope == LDB_SCOPE_ONELEVEL ? "??base" : "");
+ const char *scheme = ldb_get_opaque(
+ ldb, LDAP_REFERRAL_SCHEME_OPAQUE);
+ char *ref = talloc_asprintf(
+ ac,
+ "%s://%s/%s%s",
+ scheme == NULL ? "ldap" : scheme,
+ lpcfg_dnsdomain(lp_ctx),
+ ldb_dn_get_linearized(
+ data->partitions[i]->ctrl->dn),
+ req->op.search.scope ==
+ LDB_SCOPE_ONELEVEL ? "??base" : "");
if (ref == NULL) {
return ldb_oom(ldb);
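Review bot: The scheme read at `ldb_get_opaque(ldb, LDAP_REFERRAL_SCHEME_OPAQUE)` is per-ldb-context state rather than per-request state, so it reflects whatever the most recent ldb_set_opaque caller stored; the setter in the ldap_backend.c hunk runs on the shared `samdb` just before each search. If partition_search always executes synchronously inside ldb_request that is benign, but if the same context serves an ldaps and a plain-ldap connection and a search is deferred, the referral can carry the other connection's scheme — for an ldaps client that would be an `ldap://` referral, i.e. the client is steered onto the weaker transport. Worth a comment pinning the assumption, e.g. `/* Set per request by the LDAP server on this ldb context; NULL for callers (local tools) that never set it, hence the "ldap" default. */`, or carrying the scheme in a request control so it cannot be observed by another request. The enclosing `if` and partition_search continue outside the hunk.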
diff --git a/source4/ldap_server/ldap_backend.c b/source4/ldap_server/ldap_backend.c
index 39f1aa2a2a6..573472c0f7f 100644
--- a/source4/ldap_server/ldap_backend.c
+++ b/source4/ldap_server/ldap_backend.c
@@ -647,6 +647,24 @@ static NTSTATUS ldapsrv_SearchRequest(struct ldapsrv_call *call)
call->notification.busy = true;
}
+ {
+ const char *scheme = NULL;
+ switch (call->conn->referral_scheme) {
+ case LDAP_REFERRAL_SCHEME_LDAPS:
+ scheme = "ldaps";
+ break;
+ default:
+ scheme = "ldap";
+ }
+ ldb_ret = ldb_set_opaque(
+ samdb,
+ LDAP_REFERRAL_SCHEME_OPAQUE,
+ discard_const_p(char *, scheme));
+ if (ldb_ret != LDB_SUCCESS) {
+ goto reply;
+ }
+ }
+
ldb_set_timeout(samdb, lreq, req->timelimit);
if (!call->conn->is_privileged) {
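Review bot: The `switch` on `call->conn->referral_scheme` has no explicit `case LDAP_REFERRAL_SCHEME_LDAP:`, so the plain-ldap case and any future enum value both fall into `default:` and silently produce `ldap://` referrals; naming the known case keeps enum-coverage warnings useful and leaves `default:` for the genuinely unexpected value. Suggest `case LDAP_REFERRAL_SCHEME_LDAP:` / `scheme = "ldap";` / `break;` ahead of `default:`. The `goto reply` on a failed ldb_set_opaque presumably relies on the reply path mapping `ldb_ret` to an LDAP result code — that path, and the rest of ldapsrv_SearchRequest, lies outside the hunk, so confirm it does not answer with success and no entries. Storing a string literal through `discard_const_p` is fine as long as no consumer writes through the opaque.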
diff --git a/source4/ldap_server/ldap_server.c b/source4/ldap_server/ldap_server.c
index bc2f54bc146..9599e0dacac 100644
--- a/source4/ldap_server/ldap_server.c
+++ b/source4/ldap_server/ldap_server.c
@@ -436,6 +436,7 @@ static void ldapsrv_accept_tls_done(struct tevent_req *subreq)
}
conn->sockets.active = conn->sockets.tls;
+ conn->referral_scheme = LDAP_REFERRAL_SCHEME_LDAPS;
ldapsrv_call_read_next(conn);
}
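Review bot: `conn->referral_scheme` is assigned only on the TLS accept path, so a plain-ldap connection holds whatever the connection allocation left in the field; that equals LDAP_REFERRAL_SCHEME_LDAP only because it is the first enumerator (value 0) in the ldap_server.h hunk and the struct is presumably zero-allocated. Either set `conn->referral_scheme = LDAP_REFERRAL_SCHEME_LDAP;` explicitly where the plain connection is accepted, or record the dependency on the enum in ldap_server.h with `/* LDAP must stay first: a zeroed ldapsrv_connection defaults to plain ldap:// referrals */`. If the server also upgrades connections via StartTLS, a short comment there stating that the scheme deliberately stays ldap (StartTLS does not change the URI scheme) would stop the next reader treating the omission as an oversight. ldapsrv_accept_tls_done starts before the hunk.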
diff --git a/source4/ldap_server/ldap_server.h b/source4/ldap_server/ldap_server.h
index d3e31fb1eec..5b944f5ab9b 100644
--- a/source4/ldap_server/ldap_server.h
+++ b/source4/ldap_server/ldap_server.h
@@ -24,6 +24,11 @@
#include "system/network.h"
#include "lib/param/loadparm.h"
+enum ldap_server_referral_scheme {
+ LDAP_REFERRAL_SCHEME_LDAP,
+ LDAP_REFERRAL_SCHEME_LDAPS
+};
+
struct ldapsrv_connection {
struct ldapsrv_connection *next, *prev;
struct loadparm_context *lp_ctx;
@@ -47,6 +52,7 @@ struct ldapsrv_connection {
bool is_privileged;
enum ldap_server_require_strong_auth require_strong_auth;
bool authz_logged;
+ enum ldap_server_referral_scheme referral_scheme;
struct {
int initial_timeout;