author | Stefan Metzmacher <metze@samba.org> | 2017-05-11 21:11:00 +0200 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2017-06-15 09:13:23 +0200 |
commit | 00a387272afe6939948669174ec61277d310c290 (patch) | |
tree | edef95a6fb93cc53abc4b632d3fd2d08301ab40f /source4/ldap_server | |
parent | 7605c67e079339c5e1b5b13199a705ece23c0ad6 (diff) | |
s4:ldap_server: remove indentation level for the valid credential case
Check with git show -w.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4/ldap_server')
-rw-r--r-- | source4/ldap_server/ldap_bind.c | 181 |
1 files changed, 89 insertions, 92 deletions
diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c
index 5c390b61fda..337ce125125 100644
--- a/source4/ldap_server/ldap_bind.c
+++ b/source4/ldap_server/ldap_bind.c
@@ -371,6 +371,7 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call)
 struct ldapsrv_reply *reply;
 struct ldap_BindResponse *resp;
 struct ldapsrv_connection *conn;
+ struct ldapsrv_sasl_postprocess_context *context = NULL;
 int result = 0;
 const char *errstr=NULL;
 NTSTATUS status = NT_STATUS_OK;
@@ -434,127 +435,123 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call)
 goto do_reply;
 }
- {
- struct ldapsrv_sasl_postprocess_context *context = NULL;
+ result = LDAP_SUCCESS;
+ errstr = NULL;
- result = LDAP_SUCCESS;
- errstr = NULL;
+ if (gensec_have_feature(conn->gensec, GENSEC_FEATURE_SIGN) ||
+ gensec_have_feature(conn->gensec, GENSEC_FEATURE_SEAL)) {
- if (gensec_have_feature(conn->gensec, GENSEC_FEATURE_SIGN) ||
- gensec_have_feature(conn->gensec, GENSEC_FEATURE_SEAL)) {
+ context = talloc(call, struct ldapsrv_sasl_postprocess_context);
+
+ if (!context) {
+ status = NT_STATUS_NO_MEMORY;
+ }
+ }
- context = talloc(call, struct ldapsrv_sasl_postprocess_context);
+ if (context && conn->sockets.tls) {
+ TALLOC_FREE(context);
+ status = NT_STATUS_NOT_SUPPORTED;
+ result = LDAP_UNWILLING_TO_PERFORM;
+ errstr = talloc_asprintf(reply,
+ "SASL:[%s]: Sign or Seal are not allowed if TLS is used",
+ req->creds.SASL.mechanism);
+ goto do_reply;
+ }
- if (!context) {
+ if (context && conn->sockets.sasl) {
+ TALLOC_FREE(context);
+ status = NT_STATUS_NOT_SUPPORTED;
+ result = LDAP_UNWILLING_TO_PERFORM;
+ errstr = talloc_asprintf(reply,
+ "SASL:[%s]: Sign or Seal are not allowed if SASL encryption has already been set up",
+ req->creds.SASL.mechanism);
+ goto do_reply;
+ }
+
+ if (context) {
+ context->conn = conn;
+ status = gensec_create_tstream(context,
+ context->conn->gensec,
+ context->conn->sockets.raw,
+ &context->sasl);
+ if (NT_STATUS_IS_OK(status)) {
+ if (!talloc_reference(context->sasl, conn->gensec)) {
 status = NT_STATUS_NO_MEMORY;
 }
 }
-
- if (context && conn->sockets.tls) {
- TALLOC_FREE(context);
- status = NT_STATUS_NOT_SUPPORTED;
- result = LDAP_UNWILLING_TO_PERFORM;
+ } else {
+ switch (call->conn->require_strong_auth) {
+ case LDAP_SERVER_REQUIRE_STRONG_AUTH_NO:
+ break;
+ case LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS:
+ if (call->conn->sockets.active == call->conn->sockets.tls) {
+ break;
+ }
+ status = NT_STATUS_NETWORK_ACCESS_DENIED;
+ result = LDAP_STRONG_AUTH_REQUIRED;
 errstr = talloc_asprintf(reply,
- "SASL:[%s]: Sign or Seal are not allowed if TLS is used",
- req->creds.SASL.mechanism);
+ "SASL:[%s]: not allowed if TLS is used.",
+ req->creds.SASL.mechanism);
 goto do_reply;
- }
- if (context && conn->sockets.sasl) {
- TALLOC_FREE(context);
- status = NT_STATUS_NOT_SUPPORTED;
- result = LDAP_UNWILLING_TO_PERFORM;
+ case LDAP_SERVER_REQUIRE_STRONG_AUTH_YES:
+ status = NT_STATUS_NETWORK_ACCESS_DENIED;
+ result = LDAP_STRONG_AUTH_REQUIRED;
 errstr = talloc_asprintf(reply,
- "SASL:[%s]: Sign or Seal are not allowed if SASL encryption has already been set up",
- req->creds.SASL.mechanism);
+ "SASL:[%s]: Sign or Seal are required.",
+ req->creds.SASL.mechanism);
 goto do_reply;
 }
+ }
- if (context) {
- context->conn = conn;
- status = gensec_create_tstream(context,
- context->conn->gensec,
- context->conn->sockets.raw,
- &context->sasl);
- if (NT_STATUS_IS_OK(status)) {
- if (!talloc_reference(context->sasl, conn->gensec)) {
- status = NT_STATUS_NO_MEMORY;
- }
- }
- } else {
- switch (call->conn->require_strong_auth) {
- case LDAP_SERVER_REQUIRE_STRONG_AUTH_NO:
- break;
- case LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS:
- if (call->conn->sockets.active == call->conn->sockets.tls) {
- break;
- }
- status = NT_STATUS_NETWORK_ACCESS_DENIED;
- result = LDAP_STRONG_AUTH_REQUIRED;
- errstr = talloc_asprintf(reply,
- "SASL:[%s]: not allowed if TLS is used.",
- req->creds.SASL.mechanism);
- goto do_reply;
-
- case LDAP_SERVER_REQUIRE_STRONG_AUTH_YES:
- status = NT_STATUS_NETWORK_ACCESS_DENIED;
- result = LDAP_STRONG_AUTH_REQUIRED;
- errstr = talloc_asprintf(reply,
- "SASL:[%s]: Sign or Seal are required.",
- req->creds.SASL.mechanism);
- goto do_reply;
- }
- }
+ if (result != LDAP_SUCCESS) {
+ } else if (!NT_STATUS_IS_OK(status)) {
+ result = LDAP_OPERATIONS_ERROR;
+ errstr = talloc_asprintf(reply,
+ "SASL:[%s]: Failed to setup SASL socket: %s",
req->creds.SASL.mechanism, nt_errstr(status));
+ goto do_reply;
+ } else {
+ struct auth_session_info *old_session_info=NULL;
- if (result != LDAP_SUCCESS) {
- } else if (!NT_STATUS_IS_OK(status)) {
+ old_session_info = conn->session_info;
+ conn->session_info = NULL;
+ status = gensec_session_info(conn->gensec, conn, &conn->session_info);
+ if (!NT_STATUS_IS_OK(status)) {
+ conn->session_info = old_session_info;
 result = LDAP_OPERATIONS_ERROR;
 errstr = talloc_asprintf(reply,
- "SASL:[%s]: Failed to setup SASL socket: %s",
+ "SASL:[%s]: Failed to get session info: %s",
 req->creds.SASL.mechanism, nt_errstr(status));
 goto do_reply;
 } else {
- struct auth_session_info *old_session_info=NULL;
+ talloc_unlink(conn, old_session_info);
+
+ /* don't leak the old LDB */
+ talloc_unlink(conn, conn->ldb);
+
+ call->conn->authz_logged = true;
+
+ status = ldapsrv_backend_Init(conn);
- old_session_info = conn->session_info;
- conn->session_info = NULL;
- status = gensec_session_info(conn->gensec, conn, &conn->session_info);
 if (!NT_STATUS_IS_OK(status)) {
- conn->session_info = old_session_info;
 result = LDAP_OPERATIONS_ERROR;
 errstr = talloc_asprintf(reply,
- "SASL:[%s]: Failed to get session info: %s",
- req->creds.SASL.mechanism, nt_errstr(status));
+ "SASL:[%s]: Failed to advise samdb of new credentials: %s",
+ req->creds.SASL.mechanism,
+ nt_errstr(status));
 goto do_reply;
- } else {
- talloc_unlink(conn, old_session_info);
-
- /* don't leak the old LDB */
- talloc_unlink(conn, conn->ldb);
-
- call->conn->authz_logged = true;
-
- status = ldapsrv_backend_Init(conn);
-
- if (!NT_STATUS_IS_OK(status)) {
- result = LDAP_OPERATIONS_ERROR;
- errstr = talloc_asprintf(reply,
- "SASL:[%s]: Failed to advise samdb of new credentials: %s",
- req->creds.SASL.mechanism,
- nt_errstr(status));
- goto do_reply;
- }
 }
 }
+ }
- if (NT_STATUS_IS_OK(status) && context) {
- call->postprocess_send = ldapsrv_sasl_postprocess_send;
- call->postprocess_recv = ldapsrv_sasl_postprocess_recv;
- call->postprocess_private = context;
- }
- talloc_unlink(conn, conn->gensec);
- conn->gensec = NULL;
+ if (NT_STATUS_IS_OK(status) && context) {
+ call->postprocess_send = ldapsrv_sasl_postprocess_send;
+ call->postprocess_recv = ldapsrv_sasl_postprocess_recv;
+ call->postprocess_private = context;
 }
+ talloc_unlink(conn, conn->gensec);
+ conn->gensec = NULL;
 do_reply:
 if (result != LDAP_SASL_BIND_IN_PROGRESS) { |
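Review bot: The diagnostic in the `LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS` case appears to say the opposite of the condition that triggers it: the rejection is only reached when `call->conn->sockets.active` is not the TLS socket, yet the reply text is `not allowed if TLS is used.` This string is what a client, or anyone diagnosing a failed bind, sees when the strong-auth policy refuses an unsigned SASL bind, so it points them at TLS rather than at the missing Sign/Seal. Wording that matches the check would be `"SASL:[%s]: Sign or Seal are required if TLS is not used.",`. The text is carried over unchanged from the removed side, so it belongs in a follow-up rather than in this re-indentation commit, and anything that matches on the old string (nothing of that kind is visible here) would need updating with it. ldapsrv_BindSASL starts and ends outside the hunk.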