From 39b293c2d0bb64f11f63a41fbbc5031e5a2922e2 Mon Sep 17 00:00:00 2001
From: Isaac Boukris
Date: Thu, 2 Jul 2020 09:33:12 +0200
Subject: ads: set sasl-wrapping to plain when over TLS
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439
Signed-off-by: Isaac Boukris
Reviewed-by: Andreas Schneider
---
 WHATSNEW.txt | 5 +++++
 selftest/knownfail.d/net_ads_tls | 1 -
 source3/libads/ldap.c | 4 ++++
 3 files changed, 9 insertions(+), 1 deletion(-)
 delete mode 100644 selftest/knownfail.d/net_ads_tls
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 219afb712c8..e7b46a7b159 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -22,6 +22,11 @@ The "ldap ssl ads" option no longer depends on "ldap ssl" option:
 With this release, the "ldap ssl ads" can be set to "yes" even if "ldap ssl" is off.
+The "ldap ssl ads" no longer requires sasl-wrapping to be set to plain:
+-----------------------------------------------------------------------
+This is now done implicitly when over TLS, so "client ldap sasl wrapping"
+does not need to be set to "plain" in order for it to work.
+
 REMOVED FEATURES
 ================
diff --git a/selftest/knownfail.d/net_ads_tls b/selftest/knownfail.d/net_ads_tls
deleted file mode 100644
index 251c948b6a9..00000000000
--- a/selftest/knownfail.d/net_ads_tls
+++ /dev/null
@@ -1 +0,0 @@
-^samba4.blackbox.net_ads_tls
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index 099a6a2ee1d..1ffe96d32c9 100755
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -707,6 +707,10 @@ got_connection:
 if (!ADS_ERR_OK(status)) {
 goto out;
 }
+ if (!ads_set_sasl_wrap_flags(ads, 0)) {
+ status = ADS_ERROR(LDAP_OPERATIONS_ERROR);
+ goto out;
+ }
 }
 /* fill in the current time and offsets */
--
cgit v1.2.1
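Review bot: The added `ads_set_sasl_wrap_flags(ads, 0)` call in the source3/libads/ldap.c hunk drops SASL sign/seal with no comment explaining why, and it silently overrides whatever "client ldap sasl wrapping" value the administrator configured. From that point the session's integrity and confidentiality rest on TLS alone, so it is worth confirming (the hunk does not show it) that the TLS setup preceding this call verifies the server certificate; otherwise the connection ends up weaker than a configured sign or seal would have been. I would add a comment above the call such as `/* TLS protects this connection; force SASL wrapping to plain (overrides "client ldap sasl wrapping") */`, and consider a debug-level log message when a non-plain configured value is being overridden. The enclosing function and the condition guarding this block start outside the hunk, so the assumption that this path is reached only over TLS rests on the commit subject rather than on visible code.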