authorChristof Schmitt <cs@samba.org>2020-07-22 11:18:20 -0700
committerJeremy Allison <jra@samba.org>2020-09-10 23:19:56 +0000
commit53a368c58d006e50309127dd1e1c5adde47368bb (patch)
tree6daada3703209bd2232edb658f33481e0ffb66f8 /source3/winbindd/idmap_ad.c
parent21de9077a52d4f0ff6e85710d26e971e2d3866d4 (diff)
idmap_ad: Honor "client ldap sasl wrapping" config setting
Instead of hard-coding SIGN and SEAL for the connections from this idmap module, query the desired wrapping from "client ldap sasl wrapping". Signed-off-by: Christof Schmitt <cs@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Thu Sep 10 23:19:56 UTC 2020 on sn-devel-184
Diffstat (limited to 'source3/winbindd/idmap_ad.c')
-rw-r--r--source3/winbindd/idmap_ad.c27
1 files changed, 26 insertions, 1 deletions
diff --git a/source3/winbindd/idmap_ad.c b/source3/winbindd/idmap_ad.c
index bd5add9aca2..0595a7b270a 100644
--- a/source3/winbindd/idmap_ad.c
+++ b/source3/winbindd/idmap_ad.c
@@ -290,6 +290,30 @@ static void PRINTF_ATTRIBUTE(3, 0) idmap_ad_tldap_debug(
}
}
+static uint32_t gensec_features_from_ldap_sasl_wrapping(void)
+{
+ int wrap_flags;
+ uint32_t gensec_features = 0;
+
+ wrap_flags = lp_client_ldap_sasl_wrapping();
+ if (wrap_flags == -1) {
+ wrap_flags = 0;
+ }
+
+ if (wrap_flags & ADS_AUTH_SASL_SEAL) {
+ gensec_features |= GENSEC_FEATURE_SEAL;
+ }
+ if (wrap_flags & ADS_AUTH_SASL_SIGN) {
+ gensec_features |= GENSEC_FEATURE_SIGN;
+ }
+
+ if (gensec_features != 0) {
+ gensec_features |= GENSEC_FEATURE_LDAP_STYLE;
+ }
+
+ return gensec_features;
+}
+
static NTSTATUS idmap_ad_get_tldap_ctx(TALLOC_CTX *mem_ctx,
const char *domname,
struct tldap_context **pld)
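Review bot: The `wrap_flags == -1` branch in gensec_features_from_ldap_sasl_wrapping() fails open, so whatever case lp_client_ldap_sasl_wrapping() reports as -1 (presumably an unset or unrecognized value) silently turns the idmap connection into an unsigned, unsealed bind, a downgrade from the SIGN|SEAL that the third hunk's tldap_gensec_bind() call used to hard-code. Safer is to fall back to the previous protection and say so: `DBG_WARNING("client ldap sasl wrapping unset or invalid, defaulting to sign+seal\n");` followed by `wrap_flags = ADS_AUTH_SASL_SIGN | ADS_AUTH_SASL_SEAL;` in place of `wrap_flags = 0;`. The new helper also carries no comment; a header such as `/* Map "client ldap sasl wrapping" onto GENSEC_FEATURE_* flags for tldap_gensec_bind(); LDAP_STYLE is set only when some wrapping is requested, and a return of 0 means the bind runs in the clear. */` would document the contract the declaration in the second hunk relies on. An explicit "plain" setting still yields 0, so the bind site may want to log that the idmap LDAP connection is unprotected; the tail of that hunk lies outside this view.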
@@ -299,6 +323,7 @@ static NTSTATUS idmap_ad_get_tldap_ctx(TALLOC_CTX *mem_ctx,
struct cli_credentials *creds;
struct loadparm_context *lp_ctx;
struct tldap_context *ld;
+ uint32_t gensec_features = gensec_features_from_ldap_sasl_wrapping();
int fd;
NTSTATUS status;
bool ok;
@@ -368,7 +393,7 @@ static NTSTATUS idmap_ad_get_tldap_ctx(TALLOC_CTX *mem_ctx,
}
rc = tldap_gensec_bind(ld, creds, "ldap", dcinfo->dc_unc, NULL, lp_ctx,
- GENSEC_FEATURE_SIGN | GENSEC_FEATURE_SEAL);
+ gensec_features);
if (!TLDAP_RC_IS_SUCCESS(rc)) {
DBG_DEBUG("tldap_gensec_bind failed: %s\n",
tldap_errstr(dcinfo, ld, rc));