[PATCH] some cleanups for smbldap.c
Alexander Bokovoy
ab at samba.org
Wed Apr 19 16:00:52 UTC 2017
On Wed, 19 Apr 2017, vl at samba.org wrote:
> On Wed, Apr 19, 2017 at 06:39:18PM +0300, Alexander Bokovoy via samba-technical wrote:
> > We do SASL GSSAPI authentication against IPA LDAP server. The reason for
> > that is because cifs/... principal has special rights in LDAP to read
> > and write keys of TDO objects and ability to set up access to them for
> > SSSD on IPA master.
> >
> > Thus, a BIND callback is really important to have for FreeIPA.
> >
> > Would a similar
> >
> > void smbldap_set_bind_callback(struct smbldap_state*, bindproc, void *binddata);
> >
> > where bindproc is what we have already
> >
> > int (*bind_callback)(LDAP *ldap_struct, struct smbldap_state *ldap_state, void *data);
> >
> > be acceptable?
>
> As a quick workaround, sure. I would however highly appreciate getting
> proper authentication (based on gensec?) into smbldap proper. That's
> one of the reasons why I started working on that: I want to get rid of
> the special code in source3/libads/ldap.c. That also does "proper"
> authentication, and I want that to use smbldap, or vice-versa. But
> because smbldap looks more basic to me, the initial idea is to layer
> ads_struct on top of smbldap. So smbldap needs to learn sasl.

I can make a patch that introduces SASL GSSAPI similar to what we have in
ipasam. A general helper should be fine but I need to think more on
how to pass authentication information as

bool smbldap_set_creds(struct smbldap_state *ldap_state, bool anon, const char *dn, const char *secret);

is not enough -- we should probably move to a better way to specify
creds.
--
/ Alexander Bokovoy