authorGary Lockyer <gary@catalyst.net.nz>2019-05-21 13:17:22 +1200
committerAndrew Bartlett <abartlet@samba.org>2019-05-24 05:12:14 +0000
commit1958cd8a7fb81ec51b81944ecf4dd0fb5c4208fa (patch)
treeea8549602bd10a9ac32369e2eda480373a222b1e
parent6ccf74cf878c295903673e3a1d1ed924a5e87547 (diff)
downloadsamba-1958cd8a7fb81ec51b81944ecf4dd0fb5c4208fa.tar.gz
ldap server: generate correct referral schemes
Ensure that the referrals returned in a search request use the same scheme as the request, i.e. referrals received via ldap are prefixed with "ldap://" and those over ldaps are prefixed with "ldaps://" BUG: https://bugzilla.samba.org/show_bug.cgi?id=12478 Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Fri May 24 05:12:14 UTC 2019 on sn-devel-184
-rw-r--r--lib/ldb/include/ldb_module.h5
-rw-r--r--selftest/knownfail.d/ldap_referrals1
-rw-r--r--source4/dsdb/samdb/ldb_modules/partition.c16
-rw-r--r--source4/ldap_server/ldap_backend.c18
-rw-r--r--source4/ldap_server/ldap_server.c1
-rw-r--r--source4/ldap_server/ldap_server.h6
6 files changed, 41 insertions, 6 deletions
diff --git a/lib/ldb/include/ldb_module.h b/lib/ldb/include/ldb_module.h
index 3b728614909..7f8b57dfeec 100644
--- a/lib/ldb/include/ldb_module.h
+++ b/lib/ldb/include/ldb_module.h
@@ -104,6 +104,11 @@ struct ldb_module;
#define LDB_SECRET_ATTRIBUTE_LIST_OPAQUE "LDB_SECRET_ATTRIBUTE_LIST"
/*
+ * The scheme to be used for referral entries, i.e. ldap or ldaps
+ */
+#define LDAP_REFERRAL_SCHEME_OPAQUE "LDAP_REFERRAL_SCHEME"
+
+/*
these function pointers define the operations that a ldb module can intercept
*/
struct ldb_module_ops {
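Review bot: The new comment names the opaque but not its type, its allowed values or who owns the storage, which is exactly what a module reading it through ldb_get_opaque needs to know. I would extend it to `/* Scheme used when building referral URIs: a NUL-terminated const char *, expected to be "ldap" or "ldaps"; the setter owns the storage and must keep it alive while the ldb context can run searches. */`. That way a future caller does not set it to a talloc string that is freed before the partition module reads it.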
diff --git a/selftest/knownfail.d/ldap_referrals b/selftest/knownfail.d/ldap_referrals
deleted file mode 100644
index 403f0d3bd6d..00000000000
--- a/selftest/knownfail.d/ldap_referrals
+++ /dev/null
@@ -1 +0,0 @@
-^samba.ldap.referrals.samba.tests.ldap_referrals.LdapReferralTest.test_ldaps_search
diff --git a/source4/dsdb/samdb/ldb_modules/partition.c b/source4/dsdb/samdb/ldb_modules/partition.c
index c9d815b4fb0..4cfcf6f3ba7 100644
--- a/source4/dsdb/samdb/ldb_modules/partition.c
+++ b/source4/dsdb/samdb/ldb_modules/partition.c
@@ -902,11 +902,17 @@ static int partition_search(struct ldb_module *module, struct ldb_request *req)
data->partitions[i]->ctrl->dn) == 0) &&
(ldb_dn_compare(req->op.search.base,
data->partitions[i]->ctrl->dn) != 0)) {
- char *ref = talloc_asprintf(ac,
- "ldap://%s/%s%s",
- lpcfg_dnsdomain(lp_ctx),
- ldb_dn_get_linearized(data->partitions[i]->ctrl->dn),
- req->op.search.scope == LDB_SCOPE_ONELEVEL ? "??base" : "");
+ const char *scheme = ldb_get_opaque(
+ ldb, LDAP_REFERRAL_SCHEME_OPAQUE);
+ char *ref = talloc_asprintf(
+ ac,
+ "%s://%s/%s%s",
+ scheme == NULL ? "ldap" : scheme,
+ lpcfg_dnsdomain(lp_ctx),
+ ldb_dn_get_linearized(
+ data->partitions[i]->ctrl->dn),
+ req->op.search.scope ==
+ LDB_SCOPE_ONELEVEL ? "??base" : "");
if (ref == NULL) {
return ldb_oom(ldb);
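Review bot: The scheme read from the opaque is copied into the URI verbatim with only a NULL check, so any caller that sets LDAP_REFERRAL_SCHEME_OPAQUE to something other than "ldap"/"ldaps" ends up as arbitrary text in front of `://` in a referral the client will follow. Since only two values are meaningful, I would whitelist rather than default-on-NULL: `if (scheme == NULL || strcmp(scheme, "ldaps") != 0) { scheme = "ldap"; }`. The ldb_get_opaque call is also evaluated per matching partition inside the loop even though the value is fixed for the request; it could be hoisted to the top of partition_search. The enclosing loop and function start before this hunk, and its closing brace appears to be past the visible lines.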
diff --git a/source4/ldap_server/ldap_backend.c b/source4/ldap_server/ldap_backend.c
index ef7fb15179d..c6a65122ab0 100644
--- a/source4/ldap_server/ldap_backend.c
+++ b/source4/ldap_server/ldap_backend.c
@@ -853,6 +853,24 @@ static NTSTATUS ldapsrv_SearchRequest(struct ldapsrv_call *call)
call->notification.busy = true;
}
+ {
+ const char *scheme = NULL;
+ switch (call->conn->referral_scheme) {
+ case LDAP_REFERRAL_SCHEME_LDAPS:
+ scheme = "ldaps";
+ break;
+ default:
+ scheme = "ldap";
+ }
+ ldb_ret = ldb_set_opaque(
+ samdb,
+ LDAP_REFERRAL_SCHEME_OPAQUE,
+ discard_const_p(char *, scheme));
+ if (ldb_ret != LDB_SUCCESS) {
+ goto reply;
+ }
+ }
+
ldb_set_timeout(samdb, lreq, req->timelimit);
if (!call->conn->is_privileged) {
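Review bot: On the ldb_set_opaque failure path the function jumps to `reply` with `ldb_ret` holding an LDB error code, but whether that label maps ldb_ret to an LDAP result and logs it is outside the hunk, so it is worth confirming the client gets a proper error rather than an empty reply. The scheme is a per-connection property that is fixed once the socket is accepted, yet it is recomputed and re-set on every search request; setting the opaque once when `call->conn->ldb` is created would avoid the repeated work and the extra failure path here. If that ldb context is ever shared between connections this per-request set would also race between them; that it is per-connection is an inference, so please confirm. A one-line comment above `discard_const_p` noting that the string literals have static storage and so the cast is safe would help the next reader. ldapsrv_SearchRequest starts and ends outside the hunk.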
diff --git a/source4/ldap_server/ldap_server.c b/source4/ldap_server/ldap_server.c
index 4d3d8cd1188..709b7bcacfa 100644
--- a/source4/ldap_server/ldap_server.c
+++ b/source4/ldap_server/ldap_server.c
@@ -436,6 +436,7 @@ static void ldapsrv_accept_tls_done(struct tevent_req *subreq)
}
conn->sockets.active = conn->sockets.tls;
+ conn->referral_scheme = LDAP_REFERRAL_SCHEME_LDAPS;
ldapsrv_call_read_next(conn);
}
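Review bot: Only the TLS accept path assigns `referral_scheme`, so plaintext connections get "ldap" purely because the field is left at its zero value and LDAP_REFERRAL_SCHEME_LDAP happens to be the first enumerator, which in turn depends on the connection being zero-allocated; neither fact is visible here. I would assign it explicitly where the plaintext connection becomes active, `conn->referral_scheme = LDAP_REFERRAL_SCHEME_LDAP;`, or at the point the connection struct is allocated, so the behaviour does not depend on allocation style. ldapsrv_accept_tls_done begins before this hunk.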
diff --git a/source4/ldap_server/ldap_server.h b/source4/ldap_server/ldap_server.h
index bee6ce7d5be..e1efe8a4943 100644
--- a/source4/ldap_server/ldap_server.h
+++ b/source4/ldap_server/ldap_server.h
@@ -24,6 +24,11 @@
#include "system/network.h"
#include "lib/param/loadparm.h"
+enum ldap_server_referral_scheme {
+ LDAP_REFERRAL_SCHEME_LDAP,
+ LDAP_REFERRAL_SCHEME_LDAPS
+};
+
struct ldapsrv_connection {
struct ldapsrv_connection *next, *prev;
struct loadparm_context *lp_ctx;
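Review bot: The enum is undocumented and its default relies on the first enumerator being zero; I would make that explicit and say what each value means: `enum ldap_server_referral_scheme { LDAP_REFERRAL_SCHEME_LDAP = 0, /* plaintext connection, referrals use ldap:// */ LDAP_REFERRAL_SCHEME_LDAPS /* TLS connection, referrals use ldaps:// */ };`. Pinning the zero value documents that a zero-initialised connection is treated as plaintext rather than leaving it to enumerator order.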
@@ -47,6 +52,7 @@ struct ldapsrv_connection {
bool is_privileged;
enum ldap_server_require_strong_auth require_strong_auth;
bool authz_logged;
+ enum ldap_server_referral_scheme referral_scheme;
struct {
int initial_timeout;
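Review bot: The new field has no comment while its neighbours describe connection-level security state, and a reader will not know whether it tracks the listening port, StartTLS, or the accepted socket. I would add `/* URI scheme for referrals generated on this connection; set to LDAPS in ldapsrv_accept_tls_done, otherwise LDAP */` above the field. struct ldapsrv_connection continues past this hunk.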