security-and-privacy/gnupg
security-and-privacy
/
gnupg
mirror of git://git.gnupg.org/gnupg.git
1
0
Fork 0
Code Releases Activity

dirmngr: Support "ldap:///" for the current AD user. 

* dirmngr/http.h (struct parsed_uri_s): Add field ad_current.
* dirmngr/ldap-parse-uri.c (ldap_parse_uri): Set it.
* dirmngr/ks-engine-ldap.c (my_ldap_connect): Take care of ad_current.
--

Ported from 2.2.

Signed-off-by: Werner Koch <wk@gnupg.org>
This commit is contained in:
Werner Koch 2020-12-17 16:09:31 +01:00
parent 2cadcce3e8
commit 1194e4f7e2
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
3 changed files with 54 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
dirmngr/http.h
View File

@ -57,6 +57,7 @@ struct parsed_uri_s
unsigned int v6lit:1; /* Host was given as a literal v6 address. */ unsigned int v6lit:1; /* Host was given as a literal v6 address. */
unsigned int onion:1; /* .onion address given. */ unsigned int onion:1; /* .onion address given. */
unsigned int explicit_port :1; /* The port was explicitly specified. */ unsigned int explicit_port :1; /* The port was explicitly specified. */
unsigned int ad_current:1; /* Use Active Directory's current user. */
char *auth; /* username/password for basic auth. */ char *auth; /* username/password for basic auth. */
char *host; /* Host (converted to lowercase). */ char *host; /* Host (converted to lowercase). */
unsigned short port; /* Port (always set if the host is set). */ unsigned short port; /* Port (always set if the host is set). */

54
dirmngr/ks-engine-ldap.c
View File

@ -485,13 +485,15 @@ my_ldap_connect (parsed_uri_t uri, LDAP **ldap_connp,
password = password_param ? password_param->value : NULL; password = password_param ? password_param->value : NULL;
if (opt.debug) if (opt.debug)
log_debug ("my_ldap_connect(%s:%d/%s????%s%s%s%s%s)\n", log_debug ("my_ldap_connect(%s:%d/%s????%s%s%s%s%s%s)\n",
uri->host, uri->port, uri->host, uri->port,
uri->path ?: "", uri->path ? uri->path : "",
uri->auth ? "bindname=" : "", uri->auth ?: "", uri->auth ? "bindname=" : "",
uri->auth ? uri->auth : "",
uri->auth && password ? "," : "", uri->auth && password ? "," : "",
password ? "password=" : "", password ? "password=" : "",
password ? ">not shown<": ""); password ? ">not shown<": "",
uri->ad_current? " auth=>current_user<":"");
/* If the uri specifies a secure connection and we don't support /* If the uri specifies a secure connection and we don't support
TLS, then fail; don't silently revert to an insecure TLS, then fail; don't silently revert to an insecure
@ -505,12 +507,18 @@ my_ldap_connect (parsed_uri_t uri, LDAP **ldap_connp,
#endif #endif
} }
ldap_conn = ldap_init (uri->host, uri->port); if (uri->ad_current)
if (! ldap_conn) ldap_conn = ldap_init (NULL, uri->port);
else
ldap_conn = ldap_init (uri->host, uri->port);
if (!ldap_conn)
{ {
err = gpg_err_code_from_syserror (); err = gpg_err_code_from_syserror ();
log_error ("Failed to open connection to LDAP server (%s://%s:%d)\n", if (uri->ad_current)
uri->scheme, uri->host, uri->port); log_error ("error initializing LDAP for current user\n");
else
log_error ("error initializing LDAP for (%s://%s:%d)\n",
uri->scheme, uri->host, uri->port);
goto out; goto out;
} }
@ -555,7 +563,7 @@ my_ldap_connect (parsed_uri_t uri, LDAP **ldap_connp,
LDAP_OPT_X_TLS_REQUIRE_CERT, &check_cert); LDAP_OPT_X_TLS_REQUIRE_CERT, &check_cert);
if (err) if (err)
{ {
log_error ("Failed to set TLS option on LDAP connection.\n"); log_error ("error setting TLS option on LDAP connection\n");
goto out; goto out;
} }
#else #else
@ -575,14 +583,29 @@ my_ldap_connect (parsed_uri_t uri, LDAP **ldap_connp,
NULL, NULL); NULL, NULL);
if (err) if (err)
{ {
log_error ("Failed to connect to LDAP server with TLS.\n"); log_error ("error connecting to LDAP server with TLS\n");
goto out; goto out;
} }
} }
#endif #endif
/* By default we don't bind as there is usually no need to. */ if (uri->ad_current)
if (uri->auth) {
if (opt.debug)
log_debug ("LDAP bind to current user via AD\n");
#ifdef HAVE_W32_SYSTEM
err = ldap_bind_s (ldap_conn, NULL, NULL, LDAP_AUTH_NEGOTIATE);
#else
err = gpg_error (GPG_ERR_NOT_SUPPORTED);
#endif
if (err != LDAP_SUCCESS)
{
log_error ("error binding to LDAP via AD: %s\n",
ldap_err2string (err));
goto out;
}
}
else if (uri->auth)
{ {
if (opt.debug) if (opt.debug)
log_debug ("LDAP bind to %s, password %s\n", log_debug ("LDAP bind to %s, password %s\n",
@ -591,11 +614,14 @@ my_ldap_connect (parsed_uri_t uri, LDAP **ldap_connp,
err = ldap_simple_bind_s (ldap_conn, user, password); err = ldap_simple_bind_s (ldap_conn, user, password);
if (err != LDAP_SUCCESS) if (err != LDAP_SUCCESS)
{ {
log_error ("Internal LDAP bind error: %s\n", log_error ("error binding to LDAP: %s\n", ldap_err2string (err));
ldap_err2string (err));
goto out; goto out;
} }
} }
else
{
/* By default we don't bind as there is usually no need to. */
}
if (uri->path && *uri->path) if (uri->path && *uri->path)
{ {

14
dirmngr/ldap-parse-uri.c
View File

@ -163,9 +163,21 @@ ldap_parse_uri (parsed_uri_t *purip, const char *uri)
puri->query->valuelen = strlen (password) + 1; puri->query->valuelen = strlen (password) + 1;
} }
puri->use_tls = strcmp (puri->scheme, "ldaps") == 0; puri->use_tls = !strcmp (puri->scheme, "ldaps");
puri->port = lud->lud_port; puri->port = lud->lud_port;
/* On Windows detect whether this is ldap:// or ldaps:// to indicate
* that authentication via AD and the current user is requested. */
puri->ad_current = 0;
#ifdef HAVE_W32_SYSTEM
if ((!puri->host || !*puri->host)
&& (!puri->path || !*puri->path)
&& (!puri->auth || !*puri->auth)
&& !password
)
puri->ad_current = 1;
#endif
out: out:
if (lud) if (lud)
ldap_free_urldesc (lud); ldap_free_urldesc (lud);