[PATCH] add ldap parameter referral, scope ,tls ...

Stefan Metzmacher stefan.metzmacher at metzemix.de
Wed Dec 19 16:01:33 GMT 2001


Hello,

I have a patch which adds the following ldap parameters:

ldap version
ldap scope
ldap deref
ldap referrals
ldap restart
ldap timelimit
ldap bindtimelimit

ldap tls checkpeer
ldap tls cacertfile
ldap tls cacertdir
ldap tls ciphers
ldap tls certfile
ldap tls keyfile

in the way they are used by pam_ldap:

# The LDAP version to use (defaults to 3
# if supported by client library)
ldap version = 3

#deref LDAP aliases
ldap deref = never
ldap deref = searching
ldap deref = finding
ldap deref = always

#Enable LDAP referrals
ldap referrals = yes

#Enable LDAP restart
ldap restart = yes

# The search scope.
ldap scope = sub
ldap scope = one
ldap scope = base

# Search timelimit
ldap timelimit = 30

# Bind timelimit
ldap bindtimelimit = 30

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is "no"
ldap tls checkpeer = yes

# CA certificates for server certificate verification
# At least one of these is required if tls_checkpeer is "yes"
ldap tls cacertfile = /etc/ssl/ca.cert
ldap tls cacertdir = /etc/ssl/certs

# SSL cipher suite
# See man ciphers for syntax
ldap tls ciphers = TLSv1

# Client certificate and key
# Use these, if your server requires client authentication.
ldap tls cert = /etc/ssl/client.cert
ldap tls key = /etc/ssl/client.key


Hope it's useful!

metze

patch is for samba-2.2.2:

-------------------------------------------------------------------------------------------------------------------------------------------
diff -urN samba-2.2.2/source/include/proto.h samba-2.2.2-MX/source/include/proto.h
--- samba-2.2.2/source/include/proto.h  Sat Oct 13 23:09:22 2001
+++ samba-2.2.2-MX/source/include/proto.h       Mon Nov  5 14:39:32 2001
@@ -1775,12 +1775,27 @@
 BOOL lp_winbind_enum_users(void);
 BOOL lp_winbind_enum_groups(void);
 char *lp_codepagedir(void);
+/*WITH_LDAP_SAM*/
 char *lp_ldap_server(void);
 char *lp_ldap_suffix(void);
 char *lp_ldap_filter(void);
 char *lp_ldap_admin_dn(void);
 int lp_ldap_port(void);
+int lp_ldap_version(void);
+int lp_ldap_scope(void);
+int lp_ldap_deref(void);
+int lp_ldap_timelimit(void);
+int lp_ldap_bindtimelimit(void);
+BOOL lp_ldap_tls_referrals(void);
+BOOL lp_ldap_tls_restart();
 int lp_ldap_ssl(void);
+BOOL lp_ldap_tls_checkpeer(void);
+char *lp_ldap_tls_cacertfile(void);
+char *lp_ldap_tls_cacertdir(void);
+char *lp_ldap_tls_ciphers(void);
+char *lp_ldap_tls_certfile(void);
+char *lp_ldap_tls_keyfile(void);
+/*end WITH_LDAP_SAM*/
 char *lp_add_share_cmd(void);
 char *lp_change_share_cmd(void);
 char *lp_delete_share_cmd(void);
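Review bot: The accessor names declared here do not match their callers: pdb_ldap.c calls `lp_ldap_referrals()`, `lp_ldap_restart()` and `lp_ldap_bind_timelimit()`, but the declarations (and the FN_GLOBAL_* definitions in the loadparm.c accessor hunk) are `lp_ldap_tls_referrals`, `lp_ldap_tls_restart` and `lp_ldap_bindtimelimit`, so the build fails on those names. Referrals and restart are not TLS settings, so dropping the `tls` from the accessors to match the `ldap referrals`/`ldap restart` parameter names looks like the right direction, and the callers then only need the `bind_timelimit` spelling corrected. `BOOL lp_ldap_tls_restart();` also lacks the `(void)` every other prototype here has, leaving it an unprototyped declaration. If proto.h in this tree is generated from the sources, the hand edit here will be lost on the next regeneration, so the fix belongs on the FN_GLOBAL_* lines.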
diff -urN samba-2.2.2/source/param/loadparm.c samba-2.2.2-MX/source/param/loadparm.c
--- samba-2.2.2/source/param/loadparm.c Sat Oct 13 23:09:31 2001
+++ samba-2.2.2-MX/source/param/loadparm.c      Wed Dec 19 23:38:06 2001
@@ -208,12 +208,39 @@
        int oplock_break_wait_time;
        int winbind_cache_time;
 #ifdef WITH_LDAP_SAM
+#define LDAP_NO_LIMIT          0
+
+#define LDAP_VERSION1  1
+#define LDAP_VERSION2  2
+#define LDAP_VERSION3  3
+
+#define LDAP_DEREF_NEVER       0x00
+#define LDAP_DEREF_SEARCHING   0x01
+#define LDAP_DEREF_FINDING     0x02
+#define LDAP_DEREF_ALWAYS      0x03
+
+#define LDAP_SCOPE_BASE                0x0000
+#define LDAP_SCOPE_ONELEVEL    0x0001
+#define LDAP_SCOPE_SUBTREE     0x0002
        int ldap_port;
        int ldap_ssl;
+   int ldap_scope;
+   int ldap_deref;
+   int ldap_version;
+   int ldap_timelimit;
+   int ldap_bindtimelimit;
+   BOOL bldap_referrals;
+   BOOL bldap_restart;
+   BOOL bldap_tls_checkpeer;
        char *szLdapServer;
        char *szLdapSuffix;
        char *szLdapFilter;
        char *szLdapAdminDn;
+   char *szLdapTls_cacertfile;
+   char *szLdapTls_cacertdir;
+   char *szLdapTls_ciphers;
+   char *szLdapTls_certfile;
+   char *szLdapTls_keyfile;
 #endif                         /* WITH_LDAP */
 
 #ifdef WITH_SSL
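Review bot: The `#define LDAP_*` lines at the top of this hunk redefine names that OpenLDAP's ldap.h also defines (LDAP_VERSION3, LDAP_SCOPE_SUBTREE, LDAP_DEREF_NEVER, LDAP_NO_LIMIT and the rest), and they sit inside the body of the Globals struct. An identical redefinition is tolerated by the preprocessor, but any drift between these values and the library's produces a redefinition diagnostic or, worse, a silently different option value handed to the server. Either include the library header under `WITH_LDAP_SAM` and drop these, or guard each group with e.g. `#ifndef LDAP_VERSION3` and move the block out of the struct to file scope. The new fields are also indented with three spaces where the surrounding lines use a tab.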
@@ -595,6 +622,25 @@
        {LDAP_SSL_START_TLS, "start tls"},
        {-1, NULL}
 };
+static struct enum_list enum_ldap_version[] = {
+       {LDAP_VERSION1, "1"},
+   {LDAP_VERSION2, "2"},
+   {LDAP_VERSION3, "3"},
+   {-1,NULL}
+};
+static struct enum_list enum_ldap_scope[] = {
+       {LDAP_SCOPE_BASE, "base"},
+   {LDAP_SCOPE_ONELEVEL, "one"},
+   {LDAP_SCOPE_SUBTREE, "sub"},
+   {-1,NULL}
+};
+static struct enum_list enum_ldap_deref[] = {
+       {LDAP_DEREF_NEVER, "never"},
+   {LDAP_DEREF_SEARCHING, "searching"},
+   {LDAP_DEREF_FINDING, "finding"},
+   {LDAP_DEREF_ALWAYS, "always"},
+   {-1,NULL}
+};
 #endif
 
 /* Types of machine we can announce as. */
@@ -629,7 +675,7 @@
        {-1, NULL}
 };
 
-/* 
+/*
    Do you want session setups at user level security with a invalid
    password to be rejected or allowed in as guest? WinNT rejects them
    but it can be a pain as it means "net view" needs to use a password
@@ -670,7 +716,7 @@
 /* note that we do not initialise the defaults union - it is not allowed in ANSI C */
 static struct parm_struct parm_table[] = {
        {"Base Options", P_SEP, P_SEPARATOR},
-       
+
        {"coding system", P_STRING, P_GLOBAL, &Globals.szCodingSystem, handle_coding_system, NULL, 0},
        {"client code page", P_INTEGER, P_GLOBAL, &Globals.client_code_page, handle_client_code_page, NULL, 0},
        {"code page directory", P_STRING, P_GLOBAL, &Globals.szCodePageDir,   NULL,   NULL,  0},
@@ -686,7 +732,7 @@
        {"bind interfaces only", P_BOOL, P_GLOBAL, &Globals.bBindInterfacesOnly, NULL, NULL, 0},
 
        {"Security Options", P_SEP, P_SEPARATOR},
-       
+
        {"security", P_ENUM, P_GLOBAL, &Globals.security, NULL, enum_security, FLAG_BASIC},
        {"encrypt passwords", P_BOOL, P_GLOBAL, &Globals.bEncryptPasswords, NULL, NULL, FLAG_BASIC},
        {"update encrypted", P_BOOL, P_GLOBAL, &Globals.bUpdateEncrypt, NULL, NULL, FLAG_BASIC},
@@ -699,6 +745,7 @@
        {"null passwords", P_BOOL, P_GLOBAL, &Globals.bNullPasswords, NULL, NULL, 0},
        {"obey pam restrictions", P_BOOL, P_GLOBAL, &Globals.bObeyPamRestrictions, NULL, NULL, 0},
        {"password server", P_STRING, P_GLOBAL, &Globals.szPasswordServer, NULL, NULL, 0},
+       {"sam database", P_ENUM, P_GLOBAL, &Globals.SAMDB, NULL, enum_samdb, 0},
 #ifdef WITH_TDB_SAM
        {"tdb passwd file", P_STRING, P_GLOBAL, &Globals.szTDBPasswdFile, NULL, NULL, 0},
 #else
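Review bot: `{"sam database", P_ENUM, P_GLOBAL, &Globals.SAMDB, NULL, enum_samdb, 0}` references a `SAMDB` member and an `enum_samdb` table that no hunk in this patch adds, and the same member is used by `FN_GLOBAL_INTEGER(lp_samdb, &Globals.SAMDB)` in the later accessor hunk, so against a stock samba-2.2.2 this will not compile. It looks like a leftover from another change in the -MX tree rather than part of the LDAP parameter work, so it should either be dropped from this patch or shipped together with its struct member and enum table.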
@@ -707,7 +754,7 @@
        {"root directory", P_STRING, P_GLOBAL, &Globals.szRootdir, NULL, NULL, 0},
        {"root dir", P_STRING, P_GLOBAL, &Globals.szRootdir, NULL, NULL, 0},
        {"root", P_STRING, P_GLOBAL, &Globals.szRootdir, NULL, NULL, 0},
-       
+
        {"pam password change", P_BOOL, P_GLOBAL, &Globals.bPamPasswordChange, NULL, NULL, 0},
        {"passwd program", P_STRING, P_GLOBAL, &Globals.szPasswdProgram, NULL, NULL, 0},
        {"passwd chat", P_STRING, P_GLOBAL, &Globals.szPasswdChat, NULL, NULL, 0},
@@ -719,11 +766,11 @@
        {"restrict anonymous", P_BOOL, P_GLOBAL, &Globals.bRestrictAnonymous, NULL, NULL, 0},
        {"lanman auth", P_BOOL, P_GLOBAL, &Globals.bLanmanAuth, NULL, NULL, 0},
        {"use rhosts", P_BOOL, P_GLOBAL, &Globals.bUseRhosts, NULL, NULL, 0},
-       
+
        {"username", P_STRING, P_LOCAL, &sDefault.szUsername, NULL, NULL, FLAG_GLOBAL | FLAG_SHARE},
        {"user", P_STRING, P_LOCAL, &sDefault.szUsername, NULL, NULL, 0},
        {"users", P_STRING, P_LOCAL, &sDefault.szUsername, NULL, NULL, 0},
-       
+
        {"guest account", P_STRING, P_LOCAL, &sDefault.szGuestaccount, NULL, NULL, FLAG_BASIC | FLAG_SHARE | FLAG_PRINT | FLAG_GLOBAL},
        {"invalid users", P_STRING, P_LOCAL, &sDefault.szInvalidUsers, NULL, NULL, FLAG_GLOBAL | FLAG_SHARE},
        {"valid users", P_STRING, P_LOCAL, &sDefault.szValidUsers, NULL, NULL, FLAG_GLOBAL | FLAG_SHARE},
@@ -734,12 +781,12 @@
        {"force user", P_STRING, P_LOCAL, &sDefault.force_user, NULL, NULL, FLAG_SHARE},
        {"force group", P_STRING, P_LOCAL, &sDefault.force_group, NULL, NULL, FLAG_SHARE},
        {"group", P_STRING, P_LOCAL, &sDefault.force_group, NULL, NULL, 0},
-       
+
        {"read only", P_BOOL, P_LOCAL, &sDefault.bRead_only, NULL, NULL, FLAG_BASIC | FLAG_SHARE},
        {"write ok", P_BOOLREV, P_LOCAL, &sDefault.bRead_only, NULL, NULL, 0},
        {"writeable", P_BOOLREV, P_LOCAL, &sDefault.bRead_only, NULL, NULL, 0},
        {"writable", P_BOOLREV, P_LOCAL, &sDefault.bRead_only, NULL, NULL, 0},
-       
+
        {"create mask", P_OCTAL, P_LOCAL, &sDefault.iCreate_mask, NULL, NULL, FLAG_GLOBAL | FLAG_SHARE},
        {"create mode", P_OCTAL, P_LOCAL, &sDefault.iCreate_mask, NULL, NULL, FLAG_GLOBAL},
        {"force create mode", P_OCTAL, P_LOCAL, &sDefault.iCreate_force_mode, NULL, NULL, FLAG_GLOBAL | FLAG_SHARE},
@@ -756,7 +803,7 @@
 
        {"guest ok", P_BOOL, P_LOCAL, &sDefault.bGuest_ok, NULL, NULL, FLAG_BASIC | FLAG_SHARE | FLAG_PRINT},
        {"public", P_BOOL, P_LOCAL, &sDefault.bGuest_ok, NULL, NULL, 0},
-       
+
        {"only user", P_BOOL, P_LOCAL, &sDefault.bOnlyUser, NULL, NULL, FLAG_SHARE},
        {"hosts allow", P_STRING, P_LOCAL, &sDefault.szHostsallow, NULL, NULL, FLAG_GLOBAL | FLAG_BASIC | FLAG_SHARE | FLAG_PRINT},
        {"allow hosts", P_STRING, P_LOCAL, &sDefault.szHostsallow, NULL, NULL, 0},
@@ -766,7 +813,7 @@
 #ifdef WITH_SSL
        {"Secure Socket Layer Options", P_SEP, P_SEPARATOR},
        {"ssl", P_BOOL, P_GLOBAL, &Globals.sslEnabled, NULL, NULL, 0},
-       
+
        {"ssl hosts", P_STRING, P_GLOBAL, &Globals.sslHostsRequire, NULL, NULL, 0},
        {"ssl hosts resign", P_STRING, P_GLOBAL, &Globals.sslHostsResign, NULL, NULL, 0},
        {"ssl CA certDir", P_STRING, P_GLOBAL, &Globals.sslCaCertDir, NULL, NULL, 0},
@@ -791,18 +838,18 @@
        {"syslog", P_INTEGER, P_GLOBAL, &Globals.syslog, NULL, NULL, 0},
        {"syslog only", P_BOOL, P_GLOBAL, &Globals.bSyslogOnly, NULL, NULL, 0},
        {"log file", P_STRING, P_GLOBAL, &Globals.szLogFile, NULL, NULL, 0},
-       
+
        {"max log size", P_INTEGER, P_GLOBAL, &Globals.max_log_size, NULL, NULL, 0},
        {"timestamp logs", P_BOOL, P_GLOBAL, &Globals.bTimestampLogs, NULL, NULL, 0},
        {"debug timestamp", P_BOOL, P_GLOBAL, &Globals.bTimestampLogs, NULL, NULL, 0},
        {"debug hires timestamp", P_BOOL, P_GLOBAL, &Globals.bDebugHiresTimestamp, NULL, NULL, 0},
        {"debug pid", P_BOOL, P_GLOBAL, &Globals.bDebugPid, NULL, NULL, 0},
        {"debug uid", P_BOOL, P_GLOBAL, &Globals.bDebugUid, NULL, NULL, 0},
-       
+
        {"status", P_BOOL, P_LOCAL, &sDefault.status, NULL, NULL, FLAG_GLOBAL | FLAG_SHARE | FLAG_PRINT},
 
        {"Protocol Options", P_SEP, P_SEPARATOR},
-       
+
        {"protocol", P_ENUM, P_GLOBAL, &Globals.maxprotocol, NULL, enum_protocol, 0},
        {"large readwrite", P_BOOL, P_GLOBAL, &Globals.bLargeReadwrite, NULL, NULL, 0},
        {"max protocol", P_ENUM, P_GLOBAL, &Globals.maxprotocol, NULL, enum_protocol, 0},
@@ -810,7 +857,7 @@
        {"read bmpx", P_BOOL, P_GLOBAL, &Globals.bReadbmpx, NULL, NULL, 0},
        {"read raw", P_BOOL, P_GLOBAL, &Globals.bReadRaw, NULL, NULL, 0},
        {"write raw", P_BOOL, P_GLOBAL, &Globals.bWriteRaw, NULL, NULL, 0},
-       
+
        {"nt smb support", P_BOOL, P_GLOBAL, &Globals.bNTSmbSupport, NULL, NULL, 0},
        {"nt pipe support", P_BOOL, P_GLOBAL, &Globals.bNTPipeSupport, NULL, NULL, 0},
        {"nt acl support", P_BOOL,  P_LOCAL, &sDefault.bNTAclSupport, NULL, NULL, 0},
@@ -818,22 +865,22 @@
        {"announce as", P_ENUM, P_GLOBAL, &Globals.announce_as, NULL, enum_announce_as, 0},
        {"max mux", P_INTEGER, P_GLOBAL, &Globals.max_mux, NULL, NULL, 0},
        {"max xmit", P_INTEGER, P_GLOBAL, &Globals.max_xmit, NULL, NULL, 0},
-       
+
        {"name resolve order", P_STRING, P_GLOBAL, &Globals.szNameResolveOrder, NULL, NULL, 0},
        {"max packet", P_INTEGER, P_GLOBAL, &Globals.max_packet, NULL, NULL, 0},
        {"packet size", P_INTEGER, P_GLOBAL, &Globals.max_packet, NULL, NULL, 0},
-       {"max ttl", P_INTEGER, P_GLOBAL, &Globals.max_ttl, NULL, NULL, 0}, 
+       {"max ttl", P_INTEGER, P_GLOBAL, &Globals.max_ttl, NULL, NULL, 0},
        {"max wins ttl", P_INTEGER, P_GLOBAL, &Globals.max_wins_ttl, NULL, NULL, 0},
        {"min wins ttl", P_INTEGER, P_GLOBAL, &Globals.min_wins_ttl, NULL, NULL, 0},
        {"time server", P_BOOL, P_GLOBAL, &Globals.bTimeServer, NULL, NULL, 0},
 
        {"Tuning Options", P_SEP, P_SEPARATOR},
-       
+
        {"change notify timeout", P_INTEGER, P_GLOBAL, &Globals.change_notify_timeout, NULL, NULL, 0},
        {"deadtime", P_INTEGER, P_GLOBAL, &Globals.deadtime, NULL, NULL, 0},
        {"getwd cache", P_BOOL, P_GLOBAL, &use_getwd_cache, NULL, NULL, 0},
        {"keepalive", P_INTEGER, P_GLOBAL, &keepalive, NULL, NULL, 0},
-       
+
        {"lpq cache time", P_INTEGER, P_GLOBAL, &Globals.lpqcachetime, NULL, NULL, 0},
        {"max smbd processes", P_INTEGER, P_GLOBAL, &Globals.iMaxSmbdProcesses, NULL, NULL, 0},
        {"max connections", P_INTEGER, P_LOCAL, &sDefault.iMaxConnections, NULL, NULL, FLAG_SHARE},
@@ -841,7 +888,7 @@
        {"max open files", P_INTEGER, P_GLOBAL, &Globals.max_open_files, NULL, NULL, 0},
        {"min print space", P_INTEGER, P_LOCAL, &sDefault.iMinPrintSpace, NULL, NULL, FLAG_PRINT},
        {"read size", P_INTEGER, P_GLOBAL, &Globals.ReadSize, NULL, NULL, 0},
-       
+
        {"socket options", P_GSTRING, P_GLOBAL, user_socket_options, NULL, NULL, 0},
        {"stat cache size", P_INTEGER, P_GLOBAL, &Globals.stat_cache_size, NULL, NULL, 0},
        {"strict allocate", P_BOOL, P_LOCAL, &sDefault.bStrictAllocate, NULL, NULL, FLAG_SHARE},
@@ -851,7 +898,7 @@
        {"write cache size", P_INTEGER, P_LOCAL, &sDefault.iWriteCacheSize, NULL, NULL, FLAG_SHARE},
 
        {"Printing Options", P_SEP, P_SEPARATOR},
-       
+
        {"total print jobs", P_INTEGER, P_GLOBAL, &Globals.iTotalPrintJobs, NULL, NULL, FLAG_PRINT},
        {"max print jobs", P_INTEGER, P_LOCAL, &sDefault.iMaxPrintJobs, NULL, NULL, FLAG_PRINT},
        {"load printers", P_BOOL, P_GLOBAL, &Globals.bLoadPrinters, NULL, NULL, FLAG_PRINT},
@@ -875,7 +922,7 @@
        {"deleteprinter command", P_STRING, P_GLOBAL, &Globals.szDeletePrinterCommand, NULL, NULL, 0},
        {"show add printer wizard", P_BOOL, P_GLOBAL, &Globals.bMsAddPrinterWizard, NULL, NULL, 0},
        {"os2 driver map", P_STRING, P_GLOBAL, &Globals.szOs2DriverMap, NULL, NULL, 0},
-       
+
        {"printer name", P_STRING, P_LOCAL, &sDefault.szPrintername, NULL, NULL, FLAG_PRINT|FLAG_DOS_STRING},
        {"printer", P_STRING, P_LOCAL, &sDefault.szPrintername, NULL, NULL, FLAG_DOS_STRING},
        {"use client driver", P_BOOL, P_LOCAL, &sDefault.bUseClientDriver, NULL, NULL, FLAG_PRINT},
@@ -885,7 +932,7 @@
 
        {"Filename Handling", P_SEP, P_SEPARATOR},
        {"strip dot", P_BOOL, P_GLOBAL, &Globals.bStripDot, NULL, NULL, 0},
-       
+
        {"character set", P_STRING, P_GLOBAL, &Globals.szCharacterSet, handle_character_set, NULL, 0},
        {"mangled stack", P_INTEGER, P_GLOBAL, &Globals.mangled_stack, NULL, NULL, 0},
        {"default case", P_ENUM, P_LOCAL, &sDefault.iDefaultCase, NULL, enum_case, FLAG_SHARE},
@@ -909,18 +956,18 @@
        {"stat cache", P_BOOL, P_GLOBAL, &Globals.bStatCache, NULL, NULL, 0},
 
        {"Domain Options", P_SEP, P_SEPARATOR},
-       
+
        {"domain admin group", P_STRING, P_GLOBAL, &Globals.szDomainAdminGroup, NULL, NULL, 0},
        {"domain guest group", P_STRING, P_GLOBAL, &Globals.szDomainGuestGroup, NULL, NULL, 0},
 #ifdef USING_GROUPNAME_MAP
-       
+
        {"groupname map", P_STRING, P_GLOBAL, &Globals.szGroupnameMap, NULL, NULL, 0},
 #endif /* USING_GROUPNAME_MAP */
-       
+
        {"machine password timeout", P_INTEGER, P_GLOBAL, &Globals.machine_password_timeout, NULL, NULL, 0},
 
        {"Logon Options", P_SEP, P_SEPARATOR},
-       
+
        {"add user script", P_STRING, P_GLOBAL, &Globals.szAddUserScript, NULL, NULL, 0},
        {"delete user script", P_STRING, P_GLOBAL, &Globals.szDelUserScript, NULL, NULL, 0},
        {"logon script", P_STRING, P_GLOBAL, &Globals.szLogonScript, NULL, NULL, FLAG_DOS_STRING},
@@ -930,7 +977,7 @@
        {"domain logons", P_BOOL, P_GLOBAL, &Globals.bDomainLogons, NULL, NULL, 0},
 
        {"Browse Options", P_SEP, P_SEPARATOR},
-       
+
        {"os level", P_INTEGER, P_GLOBAL, &Globals.os_level, NULL, NULL, FLAG_BASIC},
        {"lm announce", P_ENUM, P_GLOBAL, &Globals.lm_announce, NULL, enum_bool_auto, 0},
        {"lm interval", P_INTEGER, P_GLOBAL, &Globals.lm_interval, NULL, NULL, 0},
@@ -946,18 +993,18 @@
        {"WINS Options", P_SEP, P_SEPARATOR},
        {"dns proxy", P_BOOL, P_GLOBAL, &Globals.bDNSproxy, NULL, NULL, 0},
        {"wins proxy", P_BOOL, P_GLOBAL, &Globals.bWINSproxy, NULL, NULL, 0},
-       
+
        {"wins server", P_STRING, P_GLOBAL, &Globals.szWINSserver, handle_wins_server_list, NULL, FLAG_BASIC},
        {"wins support", P_BOOL, P_GLOBAL, &Globals.bWINSsupport, NULL, NULL, FLAG_BASIC},
        {"wins hook", P_STRING, P_GLOBAL, &Globals.szWINSHook, NULL, NULL, 0},
 
        {"Locking Options", P_SEP, P_SEPARATOR},
-       
+
        {"blocking locks", P_BOOL, P_LOCAL, &sDefault.bBlockingLocks, NULL, NULL, FLAG_SHARE | FLAG_GLOBAL},
        {"fake oplocks", P_BOOL, P_LOCAL, &sDefault.bFakeOplocks, NULL, NULL, FLAG_SHARE},
        {"kernel oplocks", P_BOOL, P_GLOBAL, &Globals.bKernelOplocks, NULL, NULL, FLAG_GLOBAL},
        {"locking", P_BOOL, P_LOCAL, &sDefault.bLocking, NULL, NULL, FLAG_SHARE | FLAG_GLOBAL},
-       
+
        {"oplocks", P_BOOL, P_LOCAL, &sDefault.bOpLocks, NULL, NULL, FLAG_SHARE | FLAG_GLOBAL},
        {"level2 oplocks", P_BOOL, P_LOCAL, &sDefault.bLevel2OpLocks, NULL, NULL, FLAG_SHARE | FLAG_GLOBAL},
        {"oplock break wait time", P_INTEGER, P_GLOBAL, &Globals.oplock_break_wait_time, NULL, NULL, FLAG_GLOBAL},
@@ -967,31 +1014,44 @@
 
 #ifdef WITH_LDAP_SAM
        {"Ldap Options", P_SEP, P_SEPARATOR},
-       
+
        {"ldap server", P_STRING, P_GLOBAL, &Globals.szLdapServer, NULL, NULL, 0},
-       {"ldap port", P_INTEGER, P_GLOBAL, &Globals.ldap_port, NULL, NULL, 0}, 
+       {"ldap port", P_INTEGER, P_GLOBAL, &Globals.ldap_port, NULL, NULL, 0},
+       {"ldap version", P_ENUM, P_GLOBAL, &Globals.ldap_version, NULL, enum_ldap_version, 0},
+   {"ldap scope", P_ENUM, P_GLOBAL, &Globals.ldap_scope, NULL, enum_ldap_scope, 0},
+       {"ldap deref", P_ENUM, P_GLOBAL, &Globals.ldap_deref, NULL, enum_ldap_deref, 0},
+       {"ldap referrals", P_BOOL, P_GLOBAL, &Globals.bldap_referrals, NULL, NULL, 0},
+       {"ldap restart", P_BOOL, P_GLOBAL, &Globals.bldap_restart, NULL, NULL, 0},
+       {"ldap timelimit", P_INTEGER, P_GLOBAL, &Globals.ldap_timelimit, NULL, NULL, 0},
+       {"ldap bindtimelimit", P_INTEGER, P_GLOBAL, &Globals.ldap_bindtimelimit, NULL, NULL, 0},
        {"ldap suffix", P_STRING, P_GLOBAL, &Globals.szLdapSuffix, NULL, NULL, 0},
        {"ldap filter", P_STRING, P_GLOBAL, &Globals.szLdapFilter, NULL, NULL, 0},
        {"ldap admin dn", P_STRING, P_GLOBAL, &Globals.szLdapAdminDn, NULL, NULL, 0},
        {"ldap ssl", P_ENUM, P_GLOBAL, &Globals.ldap_ssl, NULL, enum_ldap_ssl, 0},
+       {"ldap tls checkpeer", P_BOOL, P_GLOBAL, &Globals.bldap_tls_checkpeer, NULL, NULL, 0},
+       {"ldap tls cacertfile", P_STRING, P_GLOBAL, &Globals.szLdapTls_cacertfile, NULL, NULL, 0},
+       {"ldap tls cacertdir", P_STRING, P_GLOBAL, &Globals.szLdapTls_cacertdir, NULL, NULL, 0},
+       {"ldap tls ciphers", P_STRING, P_GLOBAL, &Globals.szLdapTls_ciphers, NULL, NULL, 0},
+       {"ldap tls certfile", P_STRING, P_GLOBAL, &Globals.szLdapTls_certfile, NULL, NULL, 0},
+       {"ldap tls keyfile", P_STRING, P_GLOBAL, &Globals.szLdapTls_keyfile, NULL, NULL, 0},
 #endif /* WITH_LDAP_SAM */
 
        {"Miscellaneous Options", P_SEP, P_SEPARATOR},
        {"add share command", P_STRING, P_GLOBAL, &Globals.szAddShareCommand, NULL, NULL, 0},
        {"change share command", P_STRING, P_GLOBAL, &Globals.szChangeShareCommand, NULL, NULL, 0},
        {"delete share command", P_STRING, P_GLOBAL, &Globals.szDeleteShareCommand, NULL, NULL, 0},
-       
+
        {"config file", P_STRING, P_GLOBAL, &Globals.szConfigFile, NULL, NULL, FLAG_HIDE},
        {"preload", P_STRING, P_GLOBAL, &Globals.szAutoServices, NULL, NULL, FLAG_DOS_STRING},
        {"auto services", P_STRING, P_GLOBAL, &Globals.szAutoServices, NULL, NULL, FLAG_DOS_STRING},
-       {"lock dir", P_STRING, P_GLOBAL, &Globals.szLockDir, NULL, NULL, 0}, 
+       {"lock dir", P_STRING, P_GLOBAL, &Globals.szLockDir, NULL, NULL, 0},
        {"lock directory", P_STRING, P_GLOBAL, &Globals.szLockDir, NULL, NULL, 0},
 #ifdef WITH_UTMP
        {"utmp directory", P_STRING, P_GLOBAL, &Globals.szUtmpDir, NULL, NULL, 0},
        {"wtmp directory", P_STRING, P_GLOBAL, &Globals.szWtmpDir, NULL, NULL, 0},
        {"utmp",          P_BOOL, P_GLOBAL, &Globals.bUtmp, NULL, NULL, 0},
 #endif
-       
+
        {"default service", P_STRING, P_GLOBAL, &Globals.szDefaultService, NULL, NULL, FLAG_DOS_STRING},
        {"default", P_STRING, P_GLOBAL, &Globals.szDefaultService, NULL, NULL, FLAG_DOS_STRING},
        {"message command", P_STRING, P_GLOBAL, &Globals.szMsgCommand, NULL, NULL, 0},
@@ -1004,7 +1064,7 @@
        {"time offset", P_INTEGER, P_GLOBAL, &extra_time_offset, NULL, NULL, 0},
        {"NIS homedir", P_BOOL, P_GLOBAL, &Globals.bNISHomeMap, NULL, NULL, 0},
        {"-valid", P_BOOL, P_LOCAL, &sDefault.valid, NULL, NULL, FLAG_HIDE},
-       
+
        {"copy", P_STRING, P_LOCAL, &sDefault.szCopy, handle_copy, NULL, FLAG_HIDE},
        {"include", P_STRING, P_LOCAL, &sDefault.szInclude, handle_include, NULL, FLAG_HIDE},
        {"exec", P_STRING, P_LOCAL, &sDefault.szPreExec, NULL, NULL, FLAG_SHARE | FLAG_PRINT},
@@ -1207,11 +1267,13 @@
 
        DEBUG(3, ("Initialising global parameters\n"));
 
+
 #ifdef WITH_TDB_SAM
        string_set(&Globals.szTDBPasswdFile, TDB_PASSWD_FILE);
 #else
        string_set(&Globals.szSMBPasswdFile, SMB_PASSWD_FILE);
 #endif
+
        /*
         * Allow the default PASSWD_CHAT to be overridden in local.h.
         */
@@ -1342,7 +1404,20 @@
        string_set(&Globals.szLdapFilter, "(&(uid=%u)(objectclass=sambaAccount))");
        string_set(&Globals.szLdapAdminDn, "");
        Globals.ldap_port = 389;
+   Globals.ldap_version = LDAP_VERSION3;
+   Globals.ldap_scope = LDAP_SCOPE_SUBTREE;
+   Globals.ldap_deref = LDAP_DEREF_NEVER;
+   Globals.bldap_referrals = True;
+   Globals.bldap_restart = True;
+   Globals.ldap_timelimit = LDAP_NO_LIMIT;
+   Globals.ldap_bindtimelimit = 10;
        Globals.ldap_ssl = LDAP_SSL_OFF;
+   Globals.bldap_tls_checkpeer = True;
+   string_set(&Globals.szLdapTls_cacertfile, "");
+   string_set(&Globals.szLdapTls_cacertdir, "");
+   string_set(&Globals.szLdapTls_ciphers, "");
+   string_set(&Globals.szLdapTls_certfile, "");
+   string_set(&Globals.szLdapTls_keyfile, "");
 #endif /* WITH_LDAP_SAM */
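Review bot: `Globals.bldap_tls_checkpeer = True` contradicts the cover mail, which says the default for `ldap tls checkpeer` is "no". Verifying the server certificate by default is the safer choice for a connection that carries the admin bind password, so keep the code and fix the description rather than the other way round. With the default on and both `szLdapTls_cacertfile` and `szLdapTls_cacertdir` empty, verification depends entirely on whatever trust store the LDAP library finds on its own, so a comment on the checkpeer line stating that an operator must configure one of the two CA paths (as the mail itself notes) would save a support question. The new lines here are also indented with three spaces rather than the tab the surrounding `Globals.ldap_port = 389;` uses.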
 /* these parameters are set to defaults that are more appropriate
    for the increasing samba install base:
@@ -1457,6 +1532,7 @@
 
 FN_GLOBAL_STRING(lp_logfile, &Globals.szLogFile)
 FN_GLOBAL_STRING(lp_configfile, &Globals.szConfigFile)
+FN_GLOBAL_INTEGER(lp_samdb, &Globals.SAMDB)
 #ifdef WITH_TDB_SAM
 FN_GLOBAL_STRING(lp_tdb_passwd_file, &Globals.szTDBPasswdFile)
 #else
@@ -1522,7 +1598,20 @@
 FN_GLOBAL_STRING(lp_ldap_filter, &Globals.szLdapFilter)
 FN_GLOBAL_STRING(lp_ldap_admin_dn, &Globals.szLdapAdminDn)
 FN_GLOBAL_INTEGER(lp_ldap_port, &Globals.ldap_port)
+FN_GLOBAL_INTEGER(lp_ldap_version, &Globals.ldap_version)
+FN_GLOBAL_INTEGER(lp_ldap_scope, &Globals.ldap_scope)
+FN_GLOBAL_INTEGER(lp_ldap_deref, &Globals.ldap_deref)
+FN_GLOBAL_INTEGER(lp_ldap_timelimit, &Globals.ldap_timelimit)
+FN_GLOBAL_INTEGER(lp_ldap_bindtimelimit, &Globals.ldap_bindtimelimit)
+FN_GLOBAL_BOOL(lp_ldap_tls_referrals, &Globals.bldap_referrals)
+FN_GLOBAL_BOOL(lp_ldap_tls_restart, &Globals.bldap_restart)
 FN_GLOBAL_INTEGER(lp_ldap_ssl, &Globals.ldap_ssl)
+FN_GLOBAL_BOOL(lp_ldap_tls_checkpeer, &Globals.bldap_tls_checkpeer)
+FN_GLOBAL_STRING(lp_ldap_tls_cacertfile, &Globals.szLdapTls_cacertfile)
+FN_GLOBAL_STRING(lp_ldap_tls_cacertdir, &Globals.szLdapTls_cacertdir)
+FN_GLOBAL_STRING(lp_ldap_tls_ciphers, &Globals.szLdapTls_ciphers)
+FN_GLOBAL_STRING(lp_ldap_tls_certfile, &Globals.szLdapTls_certfile)
+FN_GLOBAL_STRING(lp_ldap_tls_keyfile, &Globals.szLdapTls_keyfile)
 #endif /* WITH_LDAP_SAM */
 FN_GLOBAL_STRING(lp_add_share_cmd, &Globals.szAddShareCommand)
 FN_GLOBAL_STRING(lp_change_share_cmd, &Globals.szChangeShareCommand)
@@ -3683,6 +3772,7 @@
 #else
        pstrcpy(priv_dir, lp_smb_passwd_file());
 #endif
+
 
        p = strrchr(priv_dir, '/');
        if (p)  *p = 0;
diff -urN samba-2.2.2/source/passdb/pdb_ldap.c samba-2.2.2-MX/source/passdb/pdb_ldap.c
--- samba-2.2.2/source/passdb/pdb_ldap.c        Thu Oct 11 11:40:00 2001
+++ samba-2.2.2-MX/source/passdb/pdb_ldap.c     Wed Dec 19 23:32:50 2001
@@ -62,6 +62,168 @@
 
 static struct ldap_enum_info global_ldap_ent;
 
+/*******************************************************************
+  Some global TLS-specific options need to be set before we create our
+  session context, so we set them here.
+******************************************************************/
+static int
+set_tls_default_options (LDAP ** ldap_struct)
+{
+  int rc;
+
+  /* ca cert file */
+  if (strcmp(lp_ldap_tls_cacertfile(),"") != NULL)
+    {
+      rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CACERTFILE,
+                           lp_ldap_tls_cacertfile());
+      if (rc != LDAP_SUCCESS)
+       {
+         DEBUG(0,(
+                 "ldap_set_option(LDAP_OPT_X_TLS_CACERTFILE): %s\n",
+                 ldap_err2string (rc)));
+         return LDAP_OPERATIONS_ERROR;
+       }
+    }
+
+  if (strcmp(lp_ldap_tls_cacertdir(),"") != NULL)
+    {
+      /* ca cert directory */
+      rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CACERTDIR,
+                           lp_ldap_tls_cacertdir());
+      if (rc != LDAP_SUCCESS)
+       {
+         DEBUG(0,(
+                 "ldap_set_option(LDAP_OPT_X_TLS_CACERTDIR): %s\n",
+                 ldap_err2string (rc)));
+         return LDAP_OPERATIONS_ERROR;
+       }
+    }
+
+  /* require cert? */
+{ int checkpeer = lp_ldap_tls_checkpeer();
+
+  rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_REQUIRE_CERT,
+                       &checkpeer);
+
+  if (rc != LDAP_SUCCESS)
+    {
+      DEBUG(0,(
+             "ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT): %s\n",
+             ldap_err2string (rc)));
+      return LDAP_OPERATIONS_ERROR;
+    }
+} 
+  if (strcmp(lp_ldap_tls_ciphers(),"") != NULL)
+    {
+      /* set cipher suite, certificate and private key: */
+      rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CIPHER_SUITE,
+                           lp_ldap_tls_ciphers());
+      if (rc != LDAP_SUCCESS)
+       {
+         DEBUG(0,(
+                 "ldap_set_option(LDAP_OPT_X_TLS_CIPHER_SUITE): %s\n",
+                 ldap_err2string (rc)));
+         return LDAP_OPERATIONS_ERROR;
+       }
+    }
+
+  if (strcmp(lp_ldap_tls_certfile(),"") != NULL)
+    {
+      rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CERTFILE,
+                           lp_ldap_tls_certfile());
+      if (rc != LDAP_SUCCESS)
+       {
+         DEBUG(0,(
+                 "ldap_set_option(LDAP_OPT_X_TLS_CERTFILE): %s\n",
+                 ldap_err2string (rc)));
+         return LDAP_OPERATIONS_ERROR;
+       }
+    }
+
+  if (strcmp(lp_ldap_tls_keyfile(),"") != NULL)
+    {
+      rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_KEYFILE,
+                           lp_ldap_tls_keyfile());
+      if (rc != LDAP_SUCCESS)
+       {
+         DEBUG(0,(
+                 "ldap_set_option(LDAP_OPT_X_TLS_KEYFILE): %s\n",
+                 ldap_err2string (rc)));
+         return LDAP_OPERATIONS_ERROR;
+       }
+    }
+
+  return LDAP_SUCCESS;
+}
+
+/*******************************************************************
+ Now we can set the per-context TLS-specific options.
+******************************************************************/
+static int
+set_tls_options (LDAP ** ldap_struct)
+{
+               return LDAP_SUCCESS;
+}
+
+/*******************************************************************
+ Now we can set the per-context TLS-specific options.
+******************************************************************/
+static int
+set_connection_options (LDAP ** ldap_struct)
+{
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_PROTOCOL_VERSION)
+  (void) ldap_set_option (*ldap_struct, LDAP_OPT_PROTOCOL_VERSION, lp_ldap_version());
+#endif
+
+/*#if LDAP_SET_REBIND_PROC_ARGS == 3
+  ldap_set_rebind_proc (session->ld, _rebind_proc, (void *) session);
+#elif LDAP_SET_REBIND_PROC_ARGS == 2
+  ldap_set_rebind_proc (session->ld, _rebind_proc);
+#endif */
+
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_DEREF)
+       (void) ldap_set_option (*ldap_struct, LDAP_OPT_DEREF, lp_ldap_deref());
+#endif
+
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_TIMELIMIT)
+       (void) ldap_set_option (*ldap_struct, LDAP_OPT_TIMELIMIT, lp_ldap_timelimit());
+#endif
+
+
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_X_OPT_CONNECT_TIMEOUT)
+       /*
+    * This is a new option in the Netscape SDK which sets
+    * the TCP connect timeout. For want of a better value,
+    * we use the bind_timelimit to control this.
+    */
+       {
+        int timeout;
+    timeout = lp_ldap_bind_timelimit() * 1000;
+    (void) ldap_set_option (*ldap_struct, LDAP_X_OPT_CONNECT_TIMEOUT, &timeout);
+   }
+#endif
+
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_NETWORK_TIMEOUT)
+       {
+   struct timeval tv;
+       tv.tv_sec = lp_ldap_bind_timelimit();
+       tv.tv_usec = 0;
+       (void) ldap_set_option (*ldap_struct, LDAP_OPT_NETWORK_TIMEOUT, &tv);
+       }
+#endif
+
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_REFERRALS)
+       (void) ldap_set_option (*ldap_struct, LDAP_OPT_REFERRALS,
+                         lp_ldap_referrals() ? LDAP_OPT_ON : LDAP_OPT_OFF);
+#endif
+
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_RESTART)
+       (void) ldap_set_option (*ldap_struct, LDAP_OPT_RESTART,
+                         lp_ldap_restart() ? LDAP_OPT_ON : LDAP_OPT_OFF);
+#endif
+
+       return LDAP_SUCCESS;
+}
 
 /*******************************************************************
  open a connection to the ldap server.
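Review bot: `ldap_set_option (*ldap_struct, LDAP_OPT_PROTOCOL_VERSION, lp_ldap_version())` passes the integer itself where the API takes a pointer to the value; the same mistake is on the LDAP_OPT_DEREF and LDAP_OPT_TIMELIMIT lines, while the existing code further down correctly passes `&version`, so these three options are set from a garbage address (or crash) and the `(void)` casts hide the failure. `strcmp(lp_ldap_tls_cacertfile(),"") != NULL` compares an int against the null-pointer constant on five lines in set_tls_default_options; `!= 0` is meant. Passing the raw BOOL from `lp_ldap_tls_checkpeer()` as LDAP_OPT_X_TLS_REQUIRE_CERT relies on True happening to equal LDAP_OPT_X_TLS_HARD; mapping it explicitly, `int checkpeer = lp_ldap_tls_checkpeer() ? LDAP_OPT_X_TLS_HARD : LDAP_OPT_X_TLS_NEVER;`, makes the intent visible. set_tls_options is an empty stub, and its header comment is duplicated verbatim onto set_connection_options, which sets no TLS options at all; that comment should describe the protocol version, deref, time-limit, referral and restart options the function actually sets, and both functions should mark the `ldap_struct` parameter they ignore.
```c
static int
set_connection_options (LDAP ** ldap_struct)
{
#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_PROTOCOL_VERSION)
	{
		int version = lp_ldap_version();
		(void) ldap_set_option (*ldap_struct, LDAP_OPT_PROTOCOL_VERSION, &version);
	}
#endif

	/* … unchanged: commented-out rebind block … */

#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_DEREF)
	{
		int deref = lp_ldap_deref();
		(void) ldap_set_option (*ldap_struct, LDAP_OPT_DEREF, &deref);
	}
#endif

#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_TIMELIMIT)
	{
		int timelimit = lp_ldap_timelimit();
		(void) ldap_set_option (*ldap_struct, LDAP_OPT_TIMELIMIT, &timelimit);
	}
#endif

	/* … unchanged: connect timeout, network timeout, referrals, restart, return … */
```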
@@ -72,7 +234,7 @@
        int port;
        int version, rc;
        int tls = LDAP_OPT_X_TLS_HARD;
-       
+
        if (lp_ldap_ssl() == LDAP_SSL_ON && lp_ldap_port() == 389) {
                port = 636;
        }
@@ -80,11 +242,23 @@
                port = lp_ldap_port();
        }
 
+   if (lp_ldap_ssl() == LDAP_SSL_START_TLS) {
+       if (set_tls_default_options(ldap_struct) != LDAP_SUCCESS) {
+         DEBUG(0, ("Can't set TLS default options!\n"));
+      }
+   }
+
        if ((*ldap_struct = ldap_init(lp_ldap_server(), port)) == NULL) {
                DEBUG(0, ("The LDAP server is not responding !\n"));
                return (False);
        }
 
+   if (set_connection_options(ldap_struct) != LDAP_SUCCESS)  {
+       DEBUG(0, ("Can't set default connection options!\n"));
+      return (False);
+   }
+
+
        /* Connect to older servers using SSL and V2 rather than Start TLS */
        if (ldap_get_option(*ldap_struct, LDAP_OPT_PROTOCOL_VERSION, &version) == LDAP_OPT_SUCCESS)
        {
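Review bot: set_tls_default_options is called only when `lp_ldap_ssl() == LDAP_SSL_START_TLS`, so with `ldap ssl = on` (the ldaps-on-636 path chosen a few lines above) none of the CA file/dir, cipher, client cert or require-cert settings are applied and the peer certificate is checked only as far as the library's own defaults go. The call should be made for both settings, i.e. `if (lp_ldap_ssl() != LDAP_SSL_OFF) {`. When it fails, the code logs "Can't set TLS default options!" and carries on to bind anyway; since the operator asked for certificate checking, that branch should `return (False);` the way the set_connection_options failure just below does. The enclosing function begins before this hunk.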
@@ -98,7 +272,7 @@
        switch (lp_ldap_ssl())
        {
                case LDAP_SSL_START_TLS:
-                       if (ldap_get_option (*ldap_struct, LDAP_OPT_PROTOCOL_VERSION, 
+                       if (ldap_get_option (*ldap_struct, LDAP_OPT_PROTOCOL_VERSION,
                                &version) == LDAP_OPT_SUCCESS)
                        {
                                if (version < LDAP_VERSION3)
@@ -108,7 +282,14 @@
                                                        &version);
                                }
                        }
-                       if ((rc = ldap_start_tls_s (*ldap_struct, NULL, NULL)) != LDAP_SUCCESS)
+                 /* set up TLS context */
+                       if (set_tls_options (ldap_struct) != LDAP_SUCCESS)
+               {
+               DEBUG(0,("set_tls_options failed"));
+               }
+
+                       rc = ldap_start_tls_s (*ldap_struct, NULL, NULL);
+                       if (rc != LDAP_SUCCESS)
                        {
                                DEBUG(0,
                                      ("Failed to issue the StartTLS instruction: %s\n",
@@ -141,22 +322,22 @@
        static pstring ldap_secret;
 
        /* get the password if we don't have it already */
-       if (!got_pw && !(got_pw=fetch_ldap_pw(lp_ldap_admin_dn(), ldap_secret, sizeof(pstring)))) 
+       if (!got_pw && !(got_pw=fetch_ldap_pw(lp_ldap_admin_dn(), ldap_secret, sizeof(pstring))))
        {
                DEBUG(0, ("ldap_connect_system: Failed to retrieve password for %s from secrets.tdb\n",
                        lp_ldap_admin_dn()));
                return False;
        }
 
-       /* removed the sasl_bind_s "EXTERNAL" stuff, as my testsuite 
+       /* removed the sasl_bind_s "EXTERNAL" stuff, as my testsuite
           (OpenLDAP) doesnt' seem to support it */
-       if ((rc = ldap_simple_bind_s(ldap_struct, lp_ldap_admin_dn(), 
+       if ((rc = ldap_simple_bind_s(ldap_struct, lp_ldap_admin_dn(),
                ldap_secret)) != LDAP_SUCCESS)
        {
                DEBUG(0, ("Bind failed: %s\n", ldap_err2string(rc)));
                return (False);
        }
-       
+
        DEBUG(2, ("ldap_connect_system: succesful connection to the LDAP server\n"));
        return (True);
 }
@@ -171,13 +352,13 @@
 
        DEBUG(2, ("ldap_search_one_user: searching for:[%s]\n", filter));
 
-       rc = ldap_search_s (ldap_struct, lp_ldap_suffix (), scope, 
+       rc = ldap_search_s (ldap_struct, lp_ldap_suffix (), scope,
                filter, NULL, 0, result);
 
        if (rc != LDAP_SUCCESS) {
-               DEBUG(0,("ldap_search_one_user: Problem during the LDAP search: %s\n", 
+               DEBUG(0,("ldap_search_one_user: Problem during the LDAP search: %s\n",
                        ldap_err2string (rc)));
-               DEBUG(3,("ldap_search_one_user: Query was: %s, %s\n", lp_ldap_suffix(), 
+               DEBUG(3,("ldap_search_one_user: Query was: %s, %s\n", lp_ldap_suffix(),
                        filter));
        }
        return (rc);
@@ -190,7 +371,7 @@
                             LDAPMessage ** result)
 {
        pstring filter;
-       
+
        /*
           in the filter expression, replace %u with the real name
           so in ldap filter, %u MUST exist :-)
-------------------------------------------------------------------------------------------------------------------------------------------

MfG
Stefan Metzmacher

stefan.metzmacher at metzemix.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: samba-2.2.2-MX-ldap-tls.patch
Type: application/octet-stream
Size: 30224 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20011219/b9950f49/samba-2.2.2-MX-ldap-tls.obj

