dirmngr: Support "ldap:///" for the current AD user.

* dirmngr/http.h (struct parsed_uri_s): Add field ad_current. * dirmngr/ldap-parse-uri.c (ldap_parse_uri): Set it. * dirmngr/ks-engine-ldap.c (my_ldap_connect): Take care of ad_current. -- Ported from 2.2. Signed-off-by: Werner Koch <wk@gnupg.org>
2020-12-17 16:09:31 +01:00 · 2020-12-17 16:09:31 +01:00 · 1194e4f7e2
parent 2cadcce3e8
commit 1194e4f7e2
3 changed files with 54 additions and 15 deletions
--- a/dirmngr/http.h
+++ b/dirmngr/http.h
@ -57,6 +57,7 @@ struct parsed_uri_s
  unsigned int v6lit:1;   /* Host was given as a literal v6 address.  */
  unsigned int onion:1;   /* .onion address given.  */
  unsigned int explicit_port :1; /* The port was explicitly specified.  */
+  unsigned int ad_current:1;    /* Use Active Directory's current user.  */
  char *auth;           /* username/password for basic auth.  */
  char *host; 	        /* Host (converted to lowercase). */
  unsigned short port;  /* Port (always set if the host is set). */
--- a/dirmngr/ks-engine-ldap.c
+++ b/dirmngr/ks-engine-ldap.c
@ -485,13 +485,15 @@ my_ldap_connect (parsed_uri_t uri, LDAP **ldap_connp,
  password = password_param ? password_param->value : NULL;

  if (opt.debug)
-    log_debug ("my_ldap_connect(%s:%d/%s????%s%s%s%s%s)\n",
+    log_debug ("my_ldap_connect(%s:%d/%s????%s%s%s%s%s%s)\n",
               uri->host, uri->port,
-               uri->path ?: "",
-               uri->auth ? "bindname=" : "", uri->auth ?: "",
+               uri->path ? uri->path : "",
+               uri->auth ? "bindname=" : "",
+               uri->auth ? uri->auth : "",
               uri->auth && password ? "," : "",
               password ? "password=" : "",
-               password ? ">not shown<": "");
+               password ? ">not shown<": "",
+               uri->ad_current? " auth=>current_user<":"");

  /* If the uri specifies a secure connection and we don't support
     TLS, then fail; don't silently revert to an insecure
@ -505,12 +507,18 @@ my_ldap_connect (parsed_uri_t uri, LDAP **ldap_connp,
 #endif
    }

-  ldap_conn = ldap_init (uri->host, uri->port);
-  if (! ldap_conn)
+  if (uri->ad_current)
+    ldap_conn = ldap_init (NULL, uri->port);
+  else
+    ldap_conn = ldap_init (uri->host, uri->port);
+  if (!ldap_conn)
    {
      err = gpg_err_code_from_syserror ();
-      log_error ("Failed to open connection to LDAP server (%s://%s:%d)\n",
-		 uri->scheme, uri->host, uri->port);
+      if (uri->ad_current)
+        log_error ("error initializing LDAP for current user\n");
+      else
+        log_error ("error initializing LDAP for (%s://%s:%d)\n",
+                   uri->scheme, uri->host, uri->port);
      goto out;
    }

@ -555,7 +563,7 @@ my_ldap_connect (parsed_uri_t uri, LDAP **ldap_connp,
 			     LDAP_OPT_X_TLS_REQUIRE_CERT, &check_cert);
      if (err)
 	{
-	  log_error ("Failed to set TLS option on LDAP connection.\n");
+	  log_error ("error setting TLS option on LDAP connection\n");
 	  goto out;
 	}
 #else
@ -575,14 +583,29 @@ my_ldap_connect (parsed_uri_t uri, LDAP **ldap_connp,
 			      NULL, NULL);
      if (err)
 	{
-	  log_error ("Failed to connect to LDAP server with TLS.\n");
+	  log_error ("error connecting to LDAP server with TLS\n");
 	  goto out;
 	}
    }
 #endif

-  /* By default we don't bind as there is usually no need to.  */
-  if (uri->auth)
+  if (uri->ad_current)
+    {
+      if (opt.debug)
+        log_debug ("LDAP bind to current user via AD\n");
+#ifdef HAVE_W32_SYSTEM
+      err = ldap_bind_s (ldap_conn, NULL, NULL, LDAP_AUTH_NEGOTIATE);
+#else
+      err = gpg_error (GPG_ERR_NOT_SUPPORTED);
+#endif
+      if (err != LDAP_SUCCESS)
+	{
+	  log_error ("error binding to LDAP via AD: %s\n",
+                     ldap_err2string (err));
+	  goto out;
+	}
+    }
+  else if (uri->auth)
    {
      if (opt.debug)
        log_debug ("LDAP bind to %s, password %s\n",
@ -591,11 +614,14 @@ my_ldap_connect (parsed_uri_t uri, LDAP **ldap_connp,
      err = ldap_simple_bind_s (ldap_conn, user, password);
      if (err != LDAP_SUCCESS)
 	{
-	  log_error ("Internal LDAP bind error: %s\n",
-		     ldap_err2string (err));
+	  log_error ("error binding to LDAP: %s\n", ldap_err2string (err));
 	  goto out;
 	}
    }
+  else
+    {
+      /* By default we don't bind as there is usually no need to.  */
+    }

  if (uri->path && *uri->path)
    {
--- a/dirmngr/ldap-parse-uri.c
+++ b/dirmngr/ldap-parse-uri.c
@ -163,9 +163,21 @@ ldap_parse_uri (parsed_uri_t *purip, const char *uri)
      puri->query->valuelen = strlen (password) + 1;
    }

-  puri->use_tls = strcmp (puri->scheme, "ldaps") == 0;
+  puri->use_tls = !strcmp (puri->scheme, "ldaps");
  puri->port = lud->lud_port;

+  /* On Windows detect whether this is ldap:// or ldaps:// to indicate
+   * that authentication via AD and the current user is requested.  */
+  puri->ad_current = 0;
+#ifdef HAVE_W32_SYSTEM
+  if ((!puri->host || !*puri->host)
+      && (!puri->path || !*puri->path)
+      && (!puri->auth || !*puri->auth)
+      && !password
+      )
+    puri->ad_current = 1;
+#endif
+
 out:
  if (lud)
    ldap_free_urldesc (lud);