authorAndrew Bartlett <abartlet@samba.org>2017-03-06 14:10:17 +1300
committerAndrew Bartlett <abartlet@samba.org>2017-03-29 02:37:27 +0200
commit366f8cf0903e3583fda42696df62a5337f22131f (patch)
tree3df24e4d721df9d9ca7c19b5aed6d642899df642 /source4/ldap_server
parentf4a4522d1f8c19fdf142e12760160b15de1557ec (diff)
auth: Log the transport connection for the authorization
We also log whether a simple bind was over TLS, as this particular case matters to a lot of folks. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4/ldap_server')
-rw-r--r--source4/ldap_server/ldap_backend.c6
-rw-r--r--source4/ldap_server/ldap_bind.c9
2 files changed, 14 insertions, 1 deletions
diff --git a/source4/ldap_server/ldap_backend.c b/source4/ldap_server/ldap_backend.c
index b023eb4dd7c..7aa51f293ed 100644
--- a/source4/ldap_server/ldap_backend.c
+++ b/source4/ldap_server/ldap_backend.c
@@ -1280,10 +1280,16 @@ NTSTATUS ldapsrv_do_call(struct ldapsrv_call *call)
}
if (log) {
+ const char *transport_protection = AUTHZ_TRANSPORT_PROTECTION_NONE;
+ if (call->conn->sockets.active == call->conn->sockets.tls) {
+ transport_protection = AUTHZ_TRANSPORT_PROTECTION_TLS;
+ }
+
log_successful_authz_event(call->conn->connection->remote_address,
call->conn->connection->local_address,
"LDAP",
"no bind",
+ transport_protection,
call->conn->session_info);
call->conn->authz_logged = true;
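Review bot: The TLS test `call->conn->sockets.active == call->conn->sockets.tls` introduced at the top of this hunk is the third copy of the same expression in this commit (ldap_bind.c repeats it in ldapsrv_BindSimple and ldapsrv_setup_gensec); a single `static bool ldapsrv_conn_using_tls(const struct ldapsrv_connection *conn)` helper would keep the call sites from drifting, which matters here because the result feeds the authorization log that operators rely on. A short comment above the new declaration would also help the next reader, e.g. `/* Record whether this unbound session reached us over LDAPS, so the authz log can tell plaintext from TLS */`. If `sockets.tls` can be NULL when TLS is not configured, the comparison still correctly yields AUTHZ_TRANSPORT_PROTECTION_NONE, but that is inferred rather than visible in this hunk. ldapsrv_do_call's body begins and ends outside the hunk.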
diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c
index 5fc50dce538..986ecbfcebb 100644
--- a/source4/ldap_server/ldap_bind.c
+++ b/source4/ldap_server/ldap_bind.c
@@ -73,6 +73,8 @@ static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call)
NTSTATUS status;
+ bool using_tls = call->conn->sockets.active == call->conn->sockets.tls;
+
DEBUG(10, ("BindSimple dn: %s\n",req->dn));
reply = ldapsrv_init_reply(call, LDAP_TAG_BindResponse);
@@ -83,7 +85,7 @@ static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call)
if (req->dn != NULL &&
strlen(req->dn) != 0 &&
call->conn->require_strong_auth > LDAP_SERVER_REQUIRE_STRONG_AUTH_NO &&
- call->conn->sockets.active != call->conn->sockets.tls)
+ !using_tls)
{
status = NT_STATUS_NETWORK_ACCESS_DENIED;
result = LDAP_STRONG_AUTH_REQUIRED;
@@ -98,6 +100,7 @@ static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call)
call->conn->lp_ctx,
call->conn->connection->remote_address,
call->conn->connection->local_address,
+ using_tls,
req->dn,
req->creds.password,
&session_info);
@@ -218,6 +221,10 @@ static NTSTATUS ldapsrv_setup_gensec(struct ldapsrv_connection *conn,
gensec_want_feature(gensec_security, GENSEC_FEATURE_ASYNC_REPLIES);
gensec_want_feature(gensec_security, GENSEC_FEATURE_LDAP_STYLE);
+ if (conn->sockets.active == conn->sockets.tls) {
+ gensec_want_feature(gensec_security, GENSEC_FEATURE_LDAPS_TRANSPORT);
+ }
+
status = gensec_start_mech_by_sasl_name(gensec_security, sasl_mech);
if (!NT_STATUS_IS_OK(status)) {