[PATCH] some cleanups for smbldap.c

Alexander Bokovoy ab at samba.org
Wed Apr 19 16:00:52 UTC 2017

On ke, 19 huhti 2017, vl at samba.org wrote:
> On Wed, Apr 19, 2017 at 06:39:18PM +0300, Alexander Bokovoy via samba-technical wrote:
> > We do SASL GSSAPI authentication against IPA LDAP server. The reason for
> > that is because cifs/... principal has special rights in LDAP to read
> > and write keys of TDO objects and ability to set up access to them for
> > SSSD on IPA master.
> > 
> > Thus, BIND callback is really important to have to FreeIPA.
> > 
> > Would a similar 
> > 
> >  void smbldap_set_bind_callback(struct smbldap_state*, bindproc, void  *binddata);
> > 
> > where bindproc is what we have already
> > 
> > int (*bind_callback)(LDAP *ldap_struct, struct smbldap_state *ldap_state, void *data);
> > 
> > be acceptable?
> As a quick workaround, sure. I would however highly appreciate to get
> proper authentication (based on gensec?) into smbldap proper. That's
> one of the reasons why I started working on that: I want to get rid of
> the special code in source3/libads/ldap.c. That also does "proper"
> authentication, and I want that to use smbldap, or vice-versa. But
> because smbldap looks more basic to me, the initial idea is to layer
> ads_struct on top of smbldap. So smbldap needs to learn sasl.
I can make a patch that introduces SASL GSSAPI similar what we have in
ipasam. A general helper should be fine but I need to think more on
how to pass authentication information as 

bool smbldap_set_creds(struct smbldap_state *ldap_state, bool anon, const char *dn, const char *secret);

is not enough -- we should probably move to a better way to specify

/ Alexander Bokovoy

More information about the samba-technical mailing list