
dirmngr: Support new gpgNtds parameter in LDAP keyserver URLs.

* dirmngr/ldap-parse-uri.c (ldap_parse_uri): Support a new gpgNtds
extension.
* dirmngr/ks-engine-ldap.c (my_ldap_connect): Do ldap_init always with
hostname - which is NULL and thus the same if not given.  Fix minor
error in error code handling.
--

Note that "gpgNtds" is per RFC-4512 case insensitive and has not yet
been officially registered.  Thus for correctness the OID can be
used:

  1.3.6.1.4.1.11591.2.5          LDAP URL extensions
  1.3.6.1.4.1.11591.2.5.1          gpgNtds=1 (auth. with current user)

Note that the value must be 1; all other values won't enable AD
authentication and are reserved for future use.
Werner Koch 2021-02-17 17:31:36 +01:00
parent cdc828f690
commit 55f46b33df
No known key found for this signature in database
GPG key ID: E3FDFF218E45B72B
4 changed files with 32 additions and 21 deletions


@ -74,6 +74,7 @@ ldap_parse_uri (parsed_uri_t *purip, const char *uri)
char *dn = NULL;
char *bindname = NULL;
char *password = NULL;
char *gpg_ntds = NULL;
char **s;
@ -110,6 +111,15 @@ ldap_parse_uri (parsed_uri_t *purip, const char *uri)
else
password = *s + 9;
}
else if (!ascii_strncasecmp (*s, "gpgNtds=", 8)
|| !strncmp (*s, "1.3.6.1.4.1.11591.2.5.1=", 24))
{
if (gpg_ntds)
log_error ("gpgNtds given multiple times in URL '%s', ignoring.\n",
uri);
else
gpg_ntds = *s + (**s == 'g'? 8 : 24);
}
else
log_error ("Unhandled extension (%s) in URL '%s', ignoring.",
*s, uri);
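Review bot: The value-pointer offset in `gpg_ntds = *s + (**s == 'g'? 8 : 24);` is inconsistent with the case-insensitive match two lines above: `ascii_strncasecmp (*s, "gpgNtds=", 8)` accepts a capitalised spelling such as `GpgNtds=1`, but the first character is then `'G'`, so the offset falls through to 24 and the pointer lands past the end of a nine-character extension string — an out-of-bounds read on attacker-controllable URL input that is later handed to `atoi`. Since the commit message itself says the name is case-insensitive per RFC 4512, the offset should be chosen by the same rule, e.g. `gpg_ntds = *s + ((**s == 'g' || **s == 'G') ? 8 : 24);`. The OID branch is unaffected because `strncmp` is exact. The body of ldap_parse_uri continues outside this hunk, so the later use of gpg_ntds is only partly visible here.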
@ -170,10 +180,14 @@ ldap_parse_uri (parsed_uri_t *purip, const char *uri)
puri->port = lud->lud_port;
/* On Windows detect whether this is ldap:// or ldaps:// to indicate
* that authentication via AD and the current user is requested. */
* that authentication via AD and the current user is requested.
* This is shortform of adding "gpgNtDs=1" as extension parameter to
* the URL. */
puri->ad_current = 0;
if (gpg_ntds && atoi (gpg_ntds) == 1)
puri->ad_current = 1;
#ifdef HAVE_W32_SYSTEM
if ((!puri->host || !*puri->host)
else if ((!puri->host || !*puri->host)
&& (!puri->path || !*puri->path)
&& (!puri->auth || !*puri->auth)
&& !password