This patch (hopefully) fixes an interop issues with AD servers where they fail to realize the connection is indeed integrity protected.
It's a bit of a hack as we need to work around openldap initialization of cyrus sasl libraries. But it should work unitl we get openldap libraries to expose SASL_CB_GETOPT to us. Ticket: https://fedorahosted.org/sssd/ticket/2040 Simo. -- Simo Sorce * Red Hat, Inc * New York
>From 67e8a82cc3ccd0111442fa0369f61a0d794a5ffe Mon Sep 17 00:00:00 2001 From: Simo Sorce <s...@redhat.com> Date: Fri, 2 Aug 2013 09:26:10 -0400 Subject: [PATCH] sssd_ad: Add hackish workaround for sasl ad_compat This tries to set the ad_compat option for sasl, by working around the openldap/sasl initialization as openldap does not allow us to pass down to sasl our own getopt callback. Resolves: https://fedorahosted.org/sssd/ticket/2040 --- src/providers/ad/ad_init.c | 41 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/src/providers/ad/ad_init.c b/src/providers/ad/ad_init.c index 3923076781e71b738c08e3db66489f6a0107317a..ef39eaf747dccd8d22e147ad50383a780b5b0375 100644 --- a/src/providers/ad/ad_init.c +++ b/src/providers/ad/ad_init.c @@ -26,6 +26,8 @@ #include <sys/stat.h> #include <fcntl.h> +#include <sasl/sasl.h> + #include "util/util.h" #include "providers/ad/ad_common.h" #include "providers/ad/ad_access.h" @@ -65,6 +67,43 @@ struct bet_ops ad_access_ops = { .finalize = NULL }; +#define AD_COMPAT_ON "1" +static int ad_sasl_getopt(void *context, const char *plugin_name, + const char *option, + const char **result, unsigned *len) +{ + if (!plugin_name || !result) { + return SASL_FAIL; + } + if (strcmp(plugin_name, "GSSAPI") != 0) { + return SASL_FAIL; + } + if (strcmp(option, "ad_compat") != 0) { + return SASL_FAIL; + } + *result = AD_COMPAT_ON; + if (len) { + *len = 2; + } + return SASL_OK; +} + +static const sasl_callback_t ad_sasl_callbacks[] = { + { SASL_CB_GETOPT, ad_sasl_getopt, NULL }, + { SASL_CB_LIST_END, NULL, NULL } +}; +/* This is quite a hack, we *try* to fool openldap libraries by initializing + * sasl first so we can pass in the SASL_CB_GETOPT callback we need to set some + * options. Should be removed as soon as openldap exposes a way to do that */ +static void ad_sasl_initialize(void) +{ + /* NOTE: this may fail if soe other library in the system happens to + * initialize and use openldap libraries or directly the cyrus-sasl + * library as this initialization function can be called only once per + * process */ + (void)sasl_client_init(ad_sasl_callbacks); +} + static errno_t common_ad_init(struct be_ctx *bectx) { @@ -73,6 +112,8 @@ common_ad_init(struct be_ctx *bectx) char *ad_backup_servers = NULL; char *ad_realm; + ad_sasl_initialize(); + /* Get AD-specific options */ ret = ad_get_common_options(bectx, bectx->cdb, bectx->conf_path, -- 1.8.3.1
_______________________________________________ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
