author | Andrew Bartlett <abartlet@samba.org> | 2017-03-06 14:10:17 +1300 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2017-03-29 02:37:27 +0200 |
commit | 366f8cf0903e3583fda42696df62a5337f22131f (patch) | |
tree | 3df24e4d721df9d9ca7c19b5aed6d642899df642 /source4/ldap_server | |
parent | f4a4522d1f8c19fdf142e12760160b15de1557ec (diff) | |
download | samba-366f8cf0903e3583fda42696df62a5337f22131f.tar.gz |
auth: Log the transport connection for the authorization
We also log if a simple bind was over TLS, as this particular case matters to a lot of folks
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4/ldap_server')
-rw-r--r-- | source4/ldap_server/ldap_backend.c | 6 | ||||
-rw-r--r-- | source4/ldap_server/ldap_bind.c | 9 |
2 files changed, 14 insertions, 1 deletions
diff --git a/source4/ldap_server/ldap_backend.c b/source4/ldap_server/ldap_backend.c
index b023eb4dd7c..7aa51f293ed 100644
--- a/source4/ldap_server/ldap_backend.c
+++ b/source4/ldap_server/ldap_backend.c
@@ -1280,10 +1280,16 @@ NTSTATUS ldapsrv_do_call(struct ldapsrv_call *call)
 	}
 	if (log) {
+		const char *transport_protection = AUTHZ_TRANSPORT_PROTECTION_NONE;
+		if (call->conn->sockets.active == call->conn->sockets.tls) {
+			transport_protection = AUTHZ_TRANSPORT_PROTECTION_TLS;
+		}
+
 		log_successful_authz_event(call->conn->connection->remote_address,
 					   call->conn->connection->local_address,
 					   "LDAP",
 					   "no bind",
+					   transport_protection,
 					   call->conn->session_info);
 		call->conn->authz_logged = true;
diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c
index 5fc50dce538..986ecbfcebb 100644
--- a/source4/ldap_server/ldap_bind.c
+++ b/source4/ldap_server/ldap_bind.c
@@ -73,6 +73,8 @@ static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call)
 	NTSTATUS status;
+	bool using_tls = call->conn->sockets.active == call->conn->sockets.tls;
+
 	DEBUG(10, ("BindSimple dn: %s\n",req->dn));
 	reply = ldapsrv_init_reply(call, LDAP_TAG_BindResponse);
@@ -83,7 +85,7 @@ static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call)
 	if (req->dn != NULL &&
 	    strlen(req->dn) != 0 &&
 	    call->conn->require_strong_auth > LDAP_SERVER_REQUIRE_STRONG_AUTH_NO &&
-	    call->conn->sockets.active != call->conn->sockets.tls)
+	    !using_tls)
 	{
 		status = NT_STATUS_NETWORK_ACCESS_DENIED;
 		result = LDAP_STRONG_AUTH_REQUIRED;
@@ -98,6 +100,7 @@ static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call)
 						   call->conn->lp_ctx,
 						   call->conn->connection->remote_address,
 						   call->conn->connection->local_address,
+						   using_tls,
 						   req->dn,
 						   req->creds.password,
 						   &session_info);
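Review bot: The TLS test `call->conn->sockets.active == call->conn->sockets.tls` added in this ldap_backend.c hunk is spelled out a third time by this commit — again as `using_tls` in ldapsrv_BindSimple and as the guard for `GENSEC_FEATURE_LDAPS_TRANSPORT` in ldapsrv_setup_gensec — so the rule for "this connection is protected by TLS" now lives in three places that can drift apart. A single shared helper such as `static inline bool ldapsrv_conn_is_tls(const struct ldapsrv_connection *conn) { return conn->sockets.active == conn->sockets.tls; }` would keep the authorization log, the strong-auth check and the GENSEC feature in agreement. The initialisation to `AUTHZ_TRANSPORT_PROTECTION_NONE` also deserves a comment stating that unprotected is the deliberate default, so any transport that is not the TLS socket is logged as unprotected rather than inheriting TLS by accident. ldapsrv_do_call continues past the end of the hunk.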
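Review bot: The new `using_tls` argument in the @@ -98 hunk is slotted between `local_address` and `req->dn` in the authenticate_ldap_simple_bind() call, but the matching prototype change is not on this page (the diffstat is limited to source4/ldap_server), so the argument order cannot be confirmed from the hunk alone. It is worth checking against the callee that the bool really follows the local address, because a pointer passed where a `bool` parameter is expected converts silently and would not be caught by the compiler. The call begins before the hunk and ldapsrv_BindSimple continues after it.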
@@ -218,6 +221,10 @@ static NTSTATUS ldapsrv_setup_gensec(struct ldapsrv_connection *conn,
 	gensec_want_feature(gensec_security, GENSEC_FEATURE_ASYNC_REPLIES);
 	gensec_want_feature(gensec_security, GENSEC_FEATURE_LDAP_STYLE);
+	if (conn->sockets.active == conn->sockets.tls) {
+		gensec_want_feature(gensec_security, GENSEC_FEATURE_LDAPS_TRANSPORT);
+	}
+
 	status = gensec_start_mech_by_sasl_name(gensec_security, sasl_mech);
 	if (!NT_STATUS_IS_OK(status)) {
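Review bot: The new `GENSEC_FEATURE_LDAPS_TRANSPORT` request carries no comment saying why the TLS socket matters to GENSEC at this point; going by the commit message it presumably lets the SASL-bind authorization log record TLS as the transport protection, mirroring what the simple-bind path now does, but the hunk does not show the consumer. A one-line comment above the `if`, such as `/* Tell GENSEC the SASL exchange runs over the TLS socket, so the authorization log can report the transport protection */`, would make the intent explicit. Note that the feature is requested only when gensec is set up, so it reflects `sockets.active` at that moment; whether a later change of the active socket is handled elsewhere is not visible here. ldapsrv_setup_gensec starts before the hunk and continues after it.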