svn commit: samba r11876 - branches/SAMBA_3_0/source/lib trunk/source/lib

gd at samba.org
Wed Nov 23 11:29:56 GMT 2005


Author: gd
Date: 2005-11-23 11:29:55 +0000 (Wed, 23 Nov 2005)
New Revision: 11876

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=11876

Log:
When we are using START_TLS to secure the LDAP connection, we *have* to
call START_TLS again after rebinding to another LDAP server. (ldaps://
URIs are handled by recent versions of OpenLDAP).

Guenther


Modified:
   branches/SAMBA_3_0/source/lib/smbldap.c
   trunk/source/lib/smbldap.c


Changeset:
Modified: branches/SAMBA_3_0/source/lib/smbldap.c
===================================================================
--- branches/SAMBA_3_0/source/lib/smbldap.c	2005-11-23 11:21:16 UTC (rev 11875)
+++ branches/SAMBA_3_0/source/lib/smbldap.c	2005-11-23 11:29:55 UTC (rev 11876)
@@ -777,9 +777,18 @@
 {
 	struct smbldap_state *ldap_state = arg;
 	int rc;
-	DEBUG(5,("rebindproc_connect_with_state: Rebinding as \"%s\"\n", 
-		 ldap_state->bind_dn));
-	
+	int version;
+
+	DEBUG(5,("rebindproc_connect_with_state: Rebinding to %s as \"%s\"\n", 
+		 url, ldap_state->bind_dn));
+
+	/* call START_TLS again (ldaps:// is handled by the OpenLDAP library
+	 * itself) before rebinding to another LDAP server to avoid to expose
+	 * our credentials. At least *try* to secure the connection - Guenther */
+
+	smb_ldap_upgrade_conn(ldap_struct, &version);
+	smb_ldap_start_tls(ldap_struct, version);
+
 	/** @TODO Should we be doing something to check what servers we rebind to?
 	    Could we get a referral to a machine that we don't want to give our
 	    username and password to? */
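Review bot: the results of smb_ldap_upgrade_conn() and smb_ldap_start_tls() are thrown away, so when START_TLS fails (peer has no TLS, certificate rejected, transport error) the callback carries on and binds as ldap_state->bind_dn with the password over the cleartext connection; the comment's "At least *try*" describes that outcome rather than preventing it. Since rc is already declared in this function, capture the result and fail closed, e.g. `rc = smb_ldap_start_tls(ldap_struct, version); if (rc != LDAP_SUCCESS) return rc;` (using whatever failure value smb_ldap_start_tls() reports), so that a referral to a server that cannot be secured is refused instead of downgraded. This also leaves the @TODO directly below untouched: TLS alone does not settle it, because a referral to an attacker-chosen host still delivers the credentials to that host inside a TLS session unless the server certificate is verified against the expected name; checking the referral host against the configured LDAP servers before binding would close that gap.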

Modified: trunk/source/lib/smbldap.c
===================================================================
--- trunk/source/lib/smbldap.c	2005-11-23 11:21:16 UTC (rev 11875)
+++ trunk/source/lib/smbldap.c	2005-11-23 11:29:55 UTC (rev 11876)
@@ -777,9 +777,18 @@
 {
 	struct smbldap_state *ldap_state = arg;
 	int rc;
-	DEBUG(5,("rebindproc_connect_with_state: Rebinding as \"%s\"\n", 
-		 ldap_state->bind_dn));
-	
+	int version;
+
+	DEBUG(5,("rebindproc_connect_with_state: Rebinding to %s as \"%s\"\n", 
+		 url, ldap_state->bind_dn));
+
+	/* call START_TLS again (ldaps:// is handled by the OpenLDAP library
+	 * itself) before rebinding to another LDAP server to avoid to expose
+	 * our credentials. At least *try* to secure the connection - Guenther */
+
+	smb_ldap_upgrade_conn(ldap_struct, &version);
+	smb_ldap_start_tls(ldap_struct, version);
+
 	/** @TODO Should we be doing something to check what servers we rebind to?
 	    Could we get a referral to a machine that we don't want to give our
 	    username and password to? */
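Review bot: same hunk as the SAMBA_3_0 copy, with the same ignored smb_ldap_start_tls() result, but one more thing to settle before that result is made fatal: the call is unconditional, with no check of the scheme of `url` or of the configured ldap ssl setting. On an ldaps:// referral the connection is already TLS and a second START_TLS is an error, and on a deployment that never configured START_TLS the call now fails on every referral; unless smb_ldap_start_tls() consults the configuration itself, guard the call with the scheme and the setting, e.g. only for ldap:// URLs when START_TLS is configured, and treat failure as fatal in that branch only. Keeping the DEBUG line's `url` argument is useful for exactly this: the scheme the callback is about to rebind to is then visible in the log at level 5.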

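Added example, not Samba's code and not part of this commit: a stand-alone C model of the decision the rebind callback has to make for a referral target, written to show the two points the hunks leave open, namely that a failed START_TLS should be fatal and that the @TODO about which servers we rebind to can be answered with an allow-list. The referral host allow-list, the example host names and the `fake_start_tls` stand-in for OpenLDAP's `ldap_start_tls_s()` are assumptions made for the example; it does not link against libldap.

```c
/* Added example, not Samba code. The allow-list, host names and the start_tls
 * stand-in for ldap_start_tls_s() are assumptions made for the demonstration. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

enum ldap_scheme { SCHEME_NONE = 0, SCHEME_LDAP, SCHEME_LDAPS, SCHEME_LDAPI };

enum rebind_result {
	REBIND_OK_TLS,        /* ldap://: START_TLS re-issued and succeeded */
	REBIND_OK_LDAPS,      /* ldaps://: the library negotiates TLS on connect */
	REBIND_OK_LOCAL,      /* ldapi://: unix domain socket, nothing to secure */
	REBIND_REFUSED_URL,   /* unparsable URL or unknown scheme */
	REBIND_REFUSED_HOST,  /* referral host not on the allow-list */
	REBIND_REFUSED_TLS    /* START_TLS failed: credentials must not be sent */
};

/* Extract scheme and host from "scheme://host[:port][/dn]". Returns SCHEME_NONE
 * when the URL cannot be parsed; for ldapi:// "host" is the encoded socket path. */
enum ldap_scheme parse_ldap_url(const char *url, char *host, size_t hostlen)
{
	static const struct { const char *prefix; enum ldap_scheme scheme; } schemes[] = {
		{ "ldaps://", SCHEME_LDAPS }, { "ldapi://", SCHEME_LDAPI }, { "ldap://", SCHEME_LDAP },
	};
	const char *p; size_t i, n;
	for (i = 0; i < sizeof(schemes) / sizeof(schemes[0]); i++) {
		size_t len = strlen(schemes[i].prefix);
		if (strncasecmp(url, schemes[i].prefix, len) != 0)
			continue;
		p = url + len;
		if (*p == '[') {                           /* bracketed IPv6 literal */
			const char *end = strchr(p, ']');
			if (end == NULL)
				return SCHEME_NONE;
			n = (size_t)(end - p) + 1;
		} else {
			n = strcspn(p, ":/");
		}
		if (n == 0 || n >= hostlen)
			return SCHEME_NONE;
		memcpy(host, p, n);
		host[n] = '\0';
		return schemes[i].scheme;
	}
	return SCHEME_NONE;
}

/* Case-insensitive allow-list check, one answer to the @TODO in the patch. */
bool referral_host_allowed(const char *host, const char *const *allowed, size_t count)
{
	size_t i;
	for (i = 0; i < count; i++)
		if (strcasecmp(host, allowed[i]) == 0)
			return true;
	return false;
}

/* start_tls stands in for ldap_start_tls_s() (0 on success); unlike the patch, failure is fatal. */
enum rebind_result decide_rebind(const char *url, const char *const *allowed,
                                 size_t count, int (*start_tls)(const char *host))
{
	char host[256];
	enum ldap_scheme scheme = parse_ldap_url(url, host, sizeof(host));
	if (scheme == SCHEME_NONE)
		return REBIND_REFUSED_URL;
	if (scheme == SCHEME_LDAPI)                /* local socket: no host to vet */
		return REBIND_OK_LOCAL;
	if (!referral_host_allowed(host, allowed, count))
		return REBIND_REFUSED_HOST;
	if (scheme == SCHEME_LDAPS)                /* already TLS; START_TLS would be an error here */
		return REBIND_OK_LDAPS;
	/* plain ldap://: the old connection's TLS state does not carry over */
	return start_tls(host) == 0 ? REBIND_OK_TLS : REBIND_REFUSED_TLS;
}

/* Constructed sample data: two permitted servers, the second assumed to lack TLS. */
static const char *const example_allowed[] = { "ldap1.example.com", "ldap2.example.com" };

static int fake_start_tls(const char *host)    /* stand-in for ldap_start_tls_s() */
{
	return strcasecmp(host, "ldap2.example.com") == 0 ? -1 : 0;
}

int main(void)
{
	static const char *const referrals[] = {
		"ldap://ldap1.example.com/dc=example,dc=com", "ldaps://ldap1.example.com:636/",
		"ldap://ldap2.example.com/", "ldap://evil.example.net/",
		"ldapi://%2Fvar%2Frun%2Fldapi/", "http://ldap1.example.com/",
	};
	static const char *const names[] = { "bind after START_TLS", "bind over ldaps",
		"bind over unix socket", "refused: bad URL", "refused: host", "refused: START_TLS failed" };
	size_t i;
	for (i = 0; i < sizeof(referrals) / sizeof(referrals[0]); i++)
		printf("%-44s -> %s\n", referrals[i],
		       names[decide_rebind(referrals[i], example_allowed, 2, fake_start_tls)]);
	return 0;
}
```

The order of the checks is the point: the host is vetted before any credentials are considered, ldaps:// is left to the library exactly as the commit message says, and a plain ldap:// referral whose START_TLS fails is refused rather than bound in the clear. In the real callback the `start_tls` parameter would be `ldap_start_tls_s()` on the connection OpenLDAP hands to the rebind procedure.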

