diff -ur /export/home/devel/tmp/samba-3.0.21b/source/configure.in /export/home/devel/build/samba-3.0.21b/source/configure.in
--- /export/home/devel/tmp/samba-3.0.21b/source/configure.in Mon Jan 30 17:45:07 2006
+++ /export/home/devel/build/samba-3.0.21b/source/configure.in Sun Feb 12 16:17:14 2006
@@ -2829,6 +2829,10 @@
 AC_CHECK_LIB_EXT(ldap, LDAP_LIBS, ldap_init)
 ########################################################
+ # check for Netscape SSL API
+ AC_CHECK_FUNC_EXT(ldapssl_init,$LDAP_LIBS)
+
+ ########################################################
 # If we have LDAP, does it's rebind procedure take 2 or 3 arguments?
 # Check found in pam_ldap 145.
 AC_CHECK_FUNC_EXT(ldap_set_rebind_proc,$LDAP_LIBS)
diff -ur /export/home/devel/tmp/samba-3.0.21b/source/include/config.h.in /export/home/devel/build/samba-3.0.21b/source/include/config.h.in
--- /export/home/devel/tmp/samba-3.0.21b/source/include/config.h.in Mon Jan 30 22:39:36 2006
+++ /export/home/devel/build/samba-3.0.21b/source/include/config.h.in Sun Feb 12 16:25:04 2006
@@ -740,6 +740,9 @@
 /* Whether ldap is available */
 #undef HAVE_LDAP
+/* Define to 1 if you have the `ldapssl_init' function. */
+#undef HAVE_LDAPSSL_INIT
+
 /* Define to 1 if you have the `ldap_add_result_entry' function. */
 #undef HAVE_LDAP_ADD_RESULT_ENTRY
diff -ur /export/home/devel/tmp/samba-3.0.21b/source/include/smbldap.h /export/home/devel/build/samba-3.0.21b/source/include/smbldap.h
--- /export/home/devel/tmp/samba-3.0.21b/source/include/smbldap.h Tue Oct 18 06:45:05 2005
+++ /export/home/devel/build/samba-3.0.21b/source/include/smbldap.h Sun Feb 12 03:50:33 2006
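Review bot: The new check probes only `ldapssl_init`, yet the code that HAVE_LDAPSSL_INIT guards in lib/smbldap.c also calls `ldapssl_client_init`, so a library exporting the first symbol but not the second is detected as usable and fails at link time instead of at configure time. Probing both, e.g. adding `AC_CHECK_FUNC_EXT(ldapssl_client_init,$LDAP_LIBS)` under the existing line and gating the SSL branch on both defines, closes that gap. I believe the Netscape/Mozilla SDK ships these in a separate ssldap library, so the check may also need that library appended to LDAP_LIBS; I can't tell from the hunk whether it already is.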
@@ -211,7 +211,8 @@
 #endif /* HAVE_LDAP */
-#define LDAP_CONNECT_DEFAULT_TIMEOUT 15
+#define LDAP_CONNECTION_DEFAULT_TIMEOUT 1
+#define LDAP_OPERATION_DEFAULT_TIMEOUT 15
 #define LDAP_PAGE_SIZE 1024
 #endif /* _SMBLDAP_H */
diff -ur /export/home/devel/tmp/samba-3.0.21b/source/lib/smbldap.c /export/home/devel/build/samba-3.0.21b/source/lib/smbldap.c
--- /export/home/devel/tmp/samba-3.0.21b/source/lib/smbldap.c Wed Jan 25 02:46:34 2006
+++ /export/home/devel/build/samba-3.0.21b/source/lib/smbldap.c Mon Feb 13 09:21:24 2006
@@ -6,6 +6,7 @@
 Copyright (C) Shahms King 2001
 Copyright (C) Andrew Bartlett 2002-2003
 Copyright (C) Stefan (metze) Metzmacher 2002-2003
+ Copyright (C) Alex Deiter 2006
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
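Review bot: `LDAP_CONNECTION_DEFAULT_TIMEOUT 1` sets the default connect budget to one second, which is tight for a directory server reached across a WAN or after a slow DNS lookup and is likely to show up as spurious LDAP_SERVER_DOWN retries; the single timeout it replaces was 15. Unless there is a measured reason for 1, something like `#define LDAP_CONNECTION_DEFAULT_TIMEOUT 5` is a safer default, and both macros deserve a comment stating they are in seconds, since lib/smbldap.c multiplies them by 1000 before handing them to the library. Dropping `LDAP_CONNECT_DEFAULT_TIMEOUT` outright also breaks any out-of-tree code that referenced it; keeping the old name as an alias of the operation value costs one line.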
@@ -562,67 +563,102 @@
 int smb_ldap_setup_conn(LDAP **ldap_struct, const char *uri)
 {
 int rc;
-
- DEBUG(10, ("smb_ldap_setup_connection: %s\n", uri));
-
+ int ot = lp_ldap_operation_timeout() * 1000;
+ int ct = lp_ldap_connection_timeout() * 1000;
+#ifndef HAVE_LDAP_INITIALIZE
+ int port = 0;
+ fstring protocol;
+ fstring host;
+#endif
+ DEBUG(10, ("smb_ldap_setup_conn: %s\n", uri));
 #ifdef HAVE_LDAP_INITIALIZE
-
- rc = ldap_initialize(ldap_struct, uri);
- if (rc) {
- DEBUG(0, ("ldap_initialize: %s\n", ldap_err2string(rc)));
+ if ((rc = ldap_initialize(ldap_struct, uri)) != LDAP_SUCCESS) {
+ DEBUG(0, ("ldap_initialize with %s failed: %s\n",
+ uri, ldap_err2string(rc)));
+ return rc;
 }
- return rc;
+ DEBUG(3,("Successfully setup ldap_initialize with %s\n", uri));
 #else
- /* Parse the string manually */
+ SMB_ASSERT(sizeof(protocol)>10 && sizeof(host)>254);
- {
- int port = 0;
- fstring protocol;
- fstring host;
- SMB_ASSERT(sizeof(protocol)>10 && sizeof(host)>254);
+ /* skip leading "URL:" (if any) */
+ if ( strnequal( uri, "URL:", 4 ) ) {
+ uri += 4;
+ }
+ sscanf(uri, "%10[^:]://%254[^:/]:%d", protocol, host, &port);
- /* skip leading "URL:" (if any) */
- if ( strnequal( uri, "URL:", 4 ) ) {
- uri += 4;
+ if (port == 0) {
+ if (strequal(protocol, "ldap")) {
+ port = LDAP_PORT;
+ } else if (strequal(protocol, "ldaps")) {
+ port = LDAPS_PORT;
+ } else {
+ DEBUG(0, ("Unrecognised protocol: %s\n", protocol));
 }
-
- sscanf(uri, "%10[^:]://%254[^:/]:%d", protocol, host, &port);
-
- if (port == 0) {
- if (strequal(protocol, "ldap")) {
- port = LDAP_PORT;
- } else if (strequal(protocol, "ldaps")) {
- port = LDAPS_PORT;
- } else {
- DEBUG(0, ("unrecognised protocol (%s)!\n", protocol));
- }
+ }
+
+ if (strequal(protocol, "ldaps")) {
+#ifdef LDAP_OPT_X_TLS
+ int tls = LDAP_OPT_X_TLS_HARD;
+
+ if ((*ldap_struct = ldap_init(host, port)) == NULL) {
+ DEBUG(0, ("ldap_init with %s:%d failed\n", host, port));
+ return LDAP_OPERATIONS_ERROR;
 }
-
- if ((*ldap_struct = 
ldap_init(host, port)) == NULL) {
- DEBUG(0, ("ldap_init failed !\n"));
+
+ DEBUG(3,("Successfully setup ldap session with %s:%d\n",
+ host, port));
+
+ if ((rc = ldap_set_option(*ldap_struct, LDAP_OPT_X_TLS, &tls)) != LDAP_SUCCESS) {
+ DEBUG(0, ("Failed to setup a TLS option: %s\n",
+ ldap_err2string(rc)));
+ return rc;
+ }
+
+ DEBUG(3,("Successfully setup TLS option\n"));
+#elif defined(HAVE_LDAPSSL_INIT)
+ if ((rc = ldapssl_client_init(lp_ldap_cert_db(), NULL)) != LDAP_SUCCESS) {
+ DEBUG(0,("ldapssl_client_init with '%s' cert db failed: %s\n",
+ lp_ldap_cert_db(), ldap_err2string(rc)));
+ return rc;
+ }
+
+ if ((*ldap_struct = ldapssl_init(host, port, True)) == NULL) {
+ DEBUG(0, ("ldapssl_init to %s:%d failed!\n", host, port));
 return LDAP_OPERATIONS_ERROR;
 }
-
- if (strequal(protocol, "ldaps")) {
-#ifdef LDAP_OPT_X_TLS
- int tls = LDAP_OPT_X_TLS_HARD;
- if (ldap_set_option (*ldap_struct, LDAP_OPT_X_TLS, &tls) != LDAP_SUCCESS)
- {
- DEBUG(0, ("Failed to setup a TLS session\n"));
- }
-
- DEBUG(3,("LDAPS option set...!\n"));
+
+ DEBUG(3,("Successfully setup ldapssl session with %s:%d\n",
+ host, port ));
 #else
- DEBUG(0,("smbldap_open_connection: Secure connection not supported by LDAP client libraries!\n"));
- return LDAP_OPERATIONS_ERROR;
+ DEBUG(0,("Secure connection not supported by LDAP client libraries\n"));
+ return LDAP_OPERATIONS_ERROR;
 #endif /* LDAP_OPT_X_TLS */
+ } else {
+ if ((*ldap_struct = ldap_init(host, port)) == NULL) {
+ DEBUG(0, ("ldap_init with %s:%d failed\n", host, port));
+ return LDAP_OPERATIONS_ERROR;
 }
+ DEBUG(3,("Successfully setup ldap session with %s:%d\n", host, port));
 }
 #endif /* HAVE_LDAP_INITIALIZE */
+#ifdef LDAP_OPT_TIMELIMIT
+ if ((rc = ldap_set_option(*ldap_struct, LDAP_OPT_TIMELIMIT, &ot)) != LDAP_SUCCESS) {
+ DEBUG(0,("Failed to setup a ldap operation timeout %d: %s\n",
+ ot, ldap_err2string(rc)));
+ }
+#endif /* LDAP_OPT_TIMELIMIT */
+#ifdef LDAP_X_OPT_CONNECT_TIMEOUT
+ if ((rc = ldap_set_option(*ldap_struct, 
LDAP_X_OPT_CONNECT_TIMEOUT, &ct)) != LDAP_SUCCESS) {
+ DEBUG(0,("Failed to setup a ldap connection timeout %d: %s\n",
+ ct, ldap_err2string(rc)));
+ }
+#endif /* LDAP_X_OPT_CONNECT_TIMEOUT */
+ return LDAP_SUCCESS; }
@@ -1071,7 +1107,7 @@
 int rc = LDAP_SERVER_DOWN;
 int attempts = 0;
 char *utf8_filter;
- time_t endtime = time(NULL)+lp_ldap_timeout();
+ time_t endtime = time(NULL)+lp_ldap_operation_timeout();
 struct timeval timeout;
 SMB_ASSERT(ldap_state);
@@ -1108,7 +1144,7 @@
 }
 /* Setup timeout for the ldap_search_ext_s call - local and remote. */
- timeout.tv_sec = lp_ldap_timeout();
+ timeout.tv_sec = lp_ldap_operation_timeout();
 timeout.tv_usec = 0;
 /* Setup alarm timeout.... Do we need both of these ? JRA.
@@ -1120,7 +1156,7 @@
 got_alarm = 0;
 CatchSignal(SIGALRM, SIGNAL_CAST gotalarm_sig);
- alarm(lp_ldap_timeout());
+ alarm(lp_ldap_operation_timeout());
 /* End setup timeout. */
 while (another_ldap_try(ldap_state, &rc, &attempts, endtime))
@@ -1247,7 +1283,7 @@
 int rc = LDAP_SERVER_DOWN;
 int attempts = 0;
 char *utf8_dn;
- time_t endtime = time(NULL)+lp_ldap_timeout();
+ time_t endtime = time(NULL)+lp_ldap_operation_timeout();
 SMB_ASSERT(ldap_state);
@@ -1269,7 +1305,7 @@
 int rc = LDAP_SERVER_DOWN;
 int attempts = 0;
 char *utf8_dn;
- time_t endtime = time(NULL)+lp_ldap_timeout();
+ time_t endtime = time(NULL)+lp_ldap_operation_timeout();
 SMB_ASSERT(ldap_state);
@@ -1291,7 +1327,7 @@
 int rc = LDAP_SERVER_DOWN;
 int attempts = 0;
 char *utf8_dn;
- time_t endtime = time(NULL)+lp_ldap_timeout();
+ time_t endtime = time(NULL)+lp_ldap_operation_timeout();
 SMB_ASSERT(ldap_state);
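Review bot: `ot` is computed as `lp_ldap_operation_timeout() * 1000` and then handed to `LDAP_OPT_TIMELIMIT`, which both OpenLDAP and the Netscape SDK define in seconds, so the default 15 s search limit becomes 15000 s; only `LDAP_X_OPT_CONNECT_TIMEOUT` takes milliseconds, so the fix is `int ot = lp_ldap_operation_timeout();` with `ct` left as is. In the LDAP_OPT_X_TLS branch, a failed `ldap_set_option(*ldap_struct, LDAP_OPT_X_TLS, &tls)` now returns `rc` while the handle from `ldap_init` is still live in `*ldap_struct`, leaking it and leaving the caller a non-NULL pointer to a session on which TLS was never required; add `ldap_unbind(*ldap_struct); *ldap_struct = NULL;` before that `return rc;`. The rewritten parser also keeps the old weakness that the `sscanf` result is ignored, so a malformed `ldap ... uri` leaves `protocol` and `host` uninitialised before `strequal` and `ldap_init` read them; `if (sscanf(...) < 2) return LDAP_PARAM_ERROR;` (or zeroing both fstrings first) closes that. Failing to set either timeout is only logged, which is a reasonable best-effort choice, but the two messages should say that the library's own default stays in effect so an operator reading the log knows what bound actually applies.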
@@ -1315,7 +1351,7 @@
 {
 int rc = LDAP_SERVER_DOWN;
 int attempts = 0;
- time_t endtime = time(NULL)+lp_ldap_timeout();
+ time_t endtime = time(NULL)+lp_ldap_operation_timeout();
 if (!ldap_state) return (-1);
diff -ur /export/home/devel/tmp/samba-3.0.21b/source/libads/ldap.c /export/home/devel/build/samba-3.0.21b/source/libads/ldap.c
--- /export/home/devel/tmp/samba-3.0.21b/source/libads/ldap.c Wed Jan 25 02:46:39 2006
+++ /export/home/devel/build/samba-3.0.21b/source/libads/ldap.c Sun Feb 12 04:25:59 2006
@@ -85,13 +85,13 @@
 int result;
 /* Setup timeout for the ldap_search_ext_s call - local and remote. */
- timeout.tv_sec = lp_ldap_timeout();
+ timeout.tv_sec = lp_ldap_operation_timeout();
 timeout.tv_usec = 0;
 /* Setup alarm timeout.... Do we need both of these ? JRA. */
 gotalarm = 0;
 CatchSignal(SIGALRM, SIGNAL_CAST gotalarm_sig);
- alarm(lp_ldap_timeout());
+ alarm(lp_ldap_operation_timeout());
 /* End setup timeout. */
 result = ldap_search_ext_s(ld, base, scope, filter, attrs,
@@ -128,7 +128,7 @@
 /* this copes with inet_ntoa brokenness */
 srv = SMB_STRDUP(server);
- ads->ld = ldap_open_with_timeout(srv, port, lp_ldap_timeout());
+ ads->ld = ldap_open_with_timeout(srv, port, lp_ldap_operation_timeout());
 if (!ads->ld) {
 free(srv);
 return False;
diff -ur /export/home/devel/tmp/samba-3.0.21b/source/nsswitch/winbindd_rpc.c /export/home/devel/build/samba-3.0.21b/source/nsswitch/winbindd_rpc.c
--- /export/home/devel/tmp/samba-3.0.21b/source/nsswitch/winbindd_rpc.c Fri Dec 2 22:21:45 2005
+++ /export/home/devel/build/samba-3.0.21b/source/nsswitch/winbindd_rpc.c Sun Feb 12 04:28:01 2006
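Review bot: `ads->ld = ldap_open_with_timeout(srv, port, lp_ldap_operation_timeout());` bounds the TCP connect, not an LDAP operation, so it is the natural consumer of the new `ldap connection timeout`, yet the patch wires it to the operation value; the same call in nsswitch/winbindd_rpc.c, whose own comment notes that the search timeout "doesn't seem to apply to doing an open", has the same mismatch. If the 1 s connection default is judged too short for AD lookups, that argues for raising the default rather than keeping connects on the operation value. Either way a one-line comment at each call, `/* connect timeout, not search timeout */`, stating which of the two settings is intended would stop the next rename from drifting again. The enclosing function continues outside the hunk.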
@@ -648,7 +648,7 @@
 * search timeout doesn't seem to apply to doing an open as well. JRA. */
- ldp = ldap_open_with_timeout(server, port, lp_ldap_timeout());
+ ldp = ldap_open_with_timeout(server, port, lp_ldap_operation_timeout());
 if (ldp == NULL) return -1;
diff -ur /export/home/devel/tmp/samba-3.0.21b/source/param/loadparm.c /export/home/devel/build/samba-3.0.21b/source/param/loadparm.c
--- /export/home/devel/tmp/samba-3.0.21b/source/param/loadparm.c Wed Jan 25 02:46:33 2006
+++ /export/home/devel/build/samba-3.0.21b/source/param/loadparm.c Sun Feb 12 04:24:33 2006
@@ -233,12 +233,14 @@
 int ldap_ssl;
 char *szLdapSuffix;
 char *szLdapAdminDn;
+ char *ldap_cert_db;
 char *szAclCompat;
 char *szCupsServer;
 char *szIPrintServer;
 int ldap_passwd_sync;
 int ldap_replication_sleep;
- int ldap_timeout; /* This is initialised in init_globals */
+ int ldap_connection_timeout;
+ int ldap_operation_timeout;
 int ldap_page_size;
 BOOL ldap_delete_dn;
 BOOL bMsAddPrinterWizard;
@@ -1150,6 +1152,7 @@
 {"ldap port", P_INTEGER, P_GLOBAL, &Globals.ldap_port, NULL, NULL, FLAG_ADVANCED},
 #endif
 {"ldap admin dn", P_STRING, P_GLOBAL, &Globals.szLdapAdminDn, NULL, NULL, FLAG_ADVANCED},
+ {"ldap cert db", P_STRING, P_GLOBAL, &Globals.ldap_cert_db, NULL, NULL, FLAG_ADVANCED},
 {"ldap delete dn", P_BOOL, P_GLOBAL, &Globals.ldap_delete_dn, NULL, NULL, FLAG_ADVANCED},
 {"ldap group suffix", P_STRING, P_GLOBAL, &Globals.szLdapGroupSuffix, NULL, NULL, FLAG_ADVANCED},
 {"ldap idmap suffix", P_STRING, P_GLOBAL, &Globals.szLdapIdmapSuffix, NULL, NULL, FLAG_ADVANCED},
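Review bot: `ldap cert db` is added to the parameter table but nothing in the patch documents it, and its empty default is passed straight to `ldapssl_client_init` by lib/smbldap.c when `ldap ssl` is used with the Netscape SDK, so an unset value only produces the generic "cert db failed" log line. The man page should say what the value is, presumably the directory holding the NSS certificate database whose CA certificates the SDK trusts for the ldaps connection, and that it is required in that build. A comment on the table entry, `/* NSS cert db consulted by ldapssl_client_init(); Netscape/Mozilla LDAP SDK builds only */`, would help the next reader, since the neighbouring `ldap *` entries are self-explanatory and this one is not.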
@@ -1159,7 +1162,8 @@
 {"ldap replication sleep", P_INTEGER, P_GLOBAL, &Globals.ldap_replication_sleep, NULL, NULL, FLAG_ADVANCED},
 {"ldap suffix", P_STRING, P_GLOBAL, &Globals.szLdapSuffix, NULL, NULL, FLAG_ADVANCED},
 {"ldap ssl", P_ENUM, P_GLOBAL, &Globals.ldap_ssl, NULL, enum_ldap_ssl, FLAG_ADVANCED},
- {"ldap timeout", P_INTEGER, P_GLOBAL, &Globals.ldap_timeout, NULL, NULL, FLAG_ADVANCED},
+ {"ldap connection timeout", P_INTEGER, P_GLOBAL, &Globals.ldap_connection_timeout, NULL, NULL, FLAG_ADVANCED},
+ {"ldap operation timeout", P_INTEGER, P_GLOBAL, &Globals.ldap_operation_timeout, NULL, NULL, FLAG_ADVANCED},
 {"ldap page size", P_INTEGER, P_GLOBAL, &Globals.ldap_page_size, NULL, NULL, FLAG_ADVANCED},
 {"ldap user suffix", P_STRING, P_GLOBAL, &Globals.szLdapUserSuffix, NULL, NULL, FLAG_ADVANCED},
@@ -1547,11 +1551,13 @@
 string_set(&Globals.szLdapIdmapSuffix, "");
 string_set(&Globals.szLdapAdminDn, "");
+ string_set(&Globals.ldap_cert_db, "");
 Globals.ldap_ssl = LDAP_SSL_ON;
 Globals.ldap_passwd_sync = LDAP_PASSWD_SYNC_OFF;
 Globals.ldap_delete_dn = False;
 Globals.ldap_replication_sleep = 1000; /* wait 1 sec for replication */
- Globals.ldap_timeout = LDAP_CONNECT_DEFAULT_TIMEOUT;
+ Globals.ldap_connection_timeout = LDAP_CONNECTION_DEFAULT_TIMEOUT;
+ Globals.ldap_operation_timeout = LDAP_OPERATION_DEFAULT_TIMEOUT;
 Globals.ldap_page_size = LDAP_PAGE_SIZE;
 /* This is what we tell the afs client. in reality we set the token
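Review bot: `ldap timeout` is removed from the parameter table with no replacement alias, so every existing smb.conf that sets it will, if I read loadparm's unknown-parameter handling right, be reported as unknown and silently fall back to the new defaults, including the 1 s connect timeout. Keep the old name as a hidden synonym for the operation value, e.g. `{"ldap timeout", P_INTEGER, P_GLOBAL, &Globals.ldap_operation_timeout, NULL, NULL, FLAG_HIDE},`, so an upgrade preserves the administrator's intent until the configuration is migrated. The two new entries and the defaults set in init_globals should also state the unit (seconds) somewhere a reader will find it, since lib/smbldap.c scales the values by 1000 and the two timeouts are otherwise easy to confuse.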
@@ -1803,11 +1809,13 @@
 #endif
 FN_GLOBAL_STRING(lp_ldap_suffix, &Globals.szLdapSuffix)
 FN_GLOBAL_STRING(lp_ldap_admin_dn, &Globals.szLdapAdminDn)
+FN_GLOBAL_STRING(lp_ldap_cert_db, &Globals.ldap_cert_db)
 FN_GLOBAL_INTEGER(lp_ldap_ssl, &Globals.ldap_ssl)
 FN_GLOBAL_INTEGER(lp_ldap_passwd_sync, &Globals.ldap_passwd_sync)
 FN_GLOBAL_BOOL(lp_ldap_delete_dn, &Globals.ldap_delete_dn)
 FN_GLOBAL_INTEGER(lp_ldap_replication_sleep, &Globals.ldap_replication_sleep)
-FN_GLOBAL_INTEGER(lp_ldap_timeout, &Globals.ldap_timeout)
+FN_GLOBAL_INTEGER(lp_ldap_connection_timeout, &Globals.ldap_connection_timeout)
+FN_GLOBAL_INTEGER(lp_ldap_operation_timeout, &Globals.ldap_operation_timeout)
 FN_GLOBAL_INTEGER(lp_ldap_page_size, &Globals.ldap_page_size)
 FN_GLOBAL_STRING(lp_add_share_cmd, &Globals.szAddShareCommand)
 FN_GLOBAL_STRING(lp_change_share_cmd, &Globals.szChangeShareCommand)