--- source/configure.in.orig	Mon Jun 26 11:06:06 2006
+++ source/configure.in	Mon Jun 26 11:09:29 2006
@@ -3184,6 +3184,10 @@
 	AC_CHECK_LIB_EXT(ldap, LDAP_LIBS, ldap_init)
 	########################################################
+	# check for Netscape SSL API
+	AC_CHECK_FUNC_EXT(ldapssl_init,$LDAP_LIBS)
+
+	########################################################
 	# If we have LDAP, does it's rebind procedure take 2 or 3 arguments?
 	# Check found in pam_ldap 145.
 	AC_CHECK_FUNC_EXT(ldap_set_rebind_proc,$LDAP_LIBS)
--- source/include/config.h.in.orig	Mon Jun 26 11:10:19 2006
+++ source/include/config.h.in	Mon Jun 26 11:10:46 2006
@@ -804,6 +804,9 @@
 /* Whether ldap is available */
 #undef HAVE_LDAP
+/* Define to 1 if you have the `ldapssl_init' function. */
+#undef HAVE_LDAPSSL_INIT
+
 /* Define to 1 if you have the `ldap_add_result_entry' function. */
 #undef HAVE_LDAP_ADD_RESULT_ENTRY
--- source/include/smbldap.h.orig	Mon Jun 26 11:10:58 2006
+++ source/include/smbldap.h	Mon Jun 26 11:11:34 2006
@@ -216,7 +216,8 @@
 #endif /* HAVE_LDAP */
-#define LDAP_CONNECT_DEFAULT_TIMEOUT 15
+#define LDAP_CONNECTION_DEFAULT_TIMEOUT 1
+#define LDAP_OPERATION_DEFAULT_TIMEOUT 15
 #define LDAP_PAGE_SIZE 1024
 #endif /* _SMBLDAP_H */
--- source/lib/smbldap.c.orig	Mon Jun 26 11:11:44 2006
+++ source/lib/smbldap.c	Mon Jun 26 11:25:58 2006
@@ -6,6 +6,7 @@
    Copyright (C) Shahms King 2001
    Copyright (C) Andrew Bartlett 2002-2003
    Copyright (C) Stefan (metze) Metzmacher 2002-2003
+   Copyright (C) Alex Deiter 2006
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -628,67 +629,102 @@
 int smb_ldap_setup_conn(LDAP **ldap_struct, const char *uri)
 {
 	int rc;
-
-	DEBUG(10, ("smb_ldap_setup_connection: %s\n", uri));
-
+	int ot = lp_ldap_operation_timeout() * 1000;
+	int ct = lp_ldap_connection_timeout() * 1000;
+#ifndef HAVE_LDAP_INITIALIZE
+	int port = 0;
+	fstring protocol;
+	fstring host;
+#endif
+	DEBUG(10, ("smb_ldap_setup_conn: %s\n", uri));
 #ifdef HAVE_LDAP_INITIALIZE
-
-	rc = ldap_initialize(ldap_struct, uri);
-	if (rc) {
-		DEBUG(0, ("ldap_initialize: %s\n", ldap_err2string(rc)));
+	if ((rc = ldap_initialize(ldap_struct, uri)) != LDAP_SUCCESS) {
+		DEBUG(0, ("ldap_initialize with %s failed: %s\n",
+			uri, ldap_err2string(rc)));
+		return rc;
 	}
-	return rc;
+	DEBUG(3,("Successfully setup ldap_initialize with %s\n", uri));
 #else
-	/* Parse the string manually */
+	SMB_ASSERT(sizeof(protocol)>10 && sizeof(host)>254);
-	{
-		int port = 0;
-		fstring protocol;
-		fstring host;
-		SMB_ASSERT(sizeof(protocol)>10 && sizeof(host)>254);
+	/* skip leading "URL:" (if any) */
+	if ( strnequal( uri, "URL:", 4 ) ) {
+		uri += 4;
+	}
+	sscanf(uri, "%10[^:]://%254[^:/]:%d", protocol, host, &port);
-		/* skip leading "URL:" (if any) */
-		if ( strnequal( uri, "URL:", 4 ) ) {
-			uri += 4;
+	if (port == 0) {
+		if (strequal(protocol, "ldap")) {
+			port = LDAP_PORT;
+		} else if (strequal(protocol, "ldaps")) {
+			port = LDAPS_PORT;
+		} else {
+			DEBUG(0, ("Unrecognised protocol: %s\n", protocol));
 		}
-
-		sscanf(uri, "%10[^:]://%254[^:/]:%d", protocol, host, &port);
-
-		if (port == 0) {
-			if (strequal(protocol, "ldap")) {
-				port = LDAP_PORT;
-			} else if (strequal(protocol, "ldaps")) {
-				port = LDAPS_PORT;
-			} else {
-				DEBUG(0, ("unrecognised protocol (%s)!\n", protocol));
-			}
+	}
+
+	if (strequal(protocol, "ldaps")) {
+#ifdef LDAP_OPT_X_TLS
+		int tls = LDAP_OPT_X_TLS_HARD;
+
+		if ((*ldap_struct = ldap_init(host, port)) == NULL) {
+			DEBUG(0, ("ldap_init with %s:%d failed\n", host, port));
+			return LDAP_OPERATIONS_ERROR;
 		}
-
-		if ((*ldap_struct = ldap_init(host, port)) == NULL) {
-			DEBUG(0, ("ldap_init failed !\n"));
+
+		DEBUG(3,("Successfully setup ldap session with %s:%d\n",
+			host, port));
+
+		if ((rc = ldap_set_option(*ldap_struct, LDAP_OPT_X_TLS, &tls)) != LDAP_SUCCESS) {
+			DEBUG(0, ("Failed to setup a TLS option: %s\n",
+				ldap_err2string(rc)));
+			return rc;
+		}
+
+		DEBUG(3,("Successfully setup TLS option\n"));
+#elif defined(HAVE_LDAPSSL_INIT)
+		if ((rc = ldapssl_client_init(lp_ldap_cert_db(), NULL)) != LDAP_SUCCESS) {
+			DEBUG(0,("ldapssl_client_init with '%s' cert db failed: %s\n",
+				lp_ldap_cert_db(), ldap_err2string(rc)));
+			return rc;
+		}
+
+		if ((*ldap_struct = ldapssl_init(host, port, True)) == NULL) {
+			DEBUG(0, ("ldapssl_init to %s:%d failed!\n", host, port));
 			return LDAP_OPERATIONS_ERROR;
 		}
-
-		if (strequal(protocol, "ldaps")) {
-#ifdef LDAP_OPT_X_TLS
-			int tls = LDAP_OPT_X_TLS_HARD;
-			if (ldap_set_option (*ldap_struct, LDAP_OPT_X_TLS, &tls) != LDAP_SUCCESS)
-			{
-				DEBUG(0, ("Failed to setup a TLS session\n"));
-			}
-
-			DEBUG(3,("LDAPS option set...!\n"));
+
+		DEBUG(3,("Successfully setup ldapssl session with %s:%d\n",
+			host, port ));
 #else
-			DEBUG(0,("smbldap_open_connection: Secure connection not supported by LDAP client libraries!\n"));
-			return LDAP_OPERATIONS_ERROR;
+		DEBUG(0,("Secure connection not supported by LDAP client libraries\n"));
+		return LDAP_OPERATIONS_ERROR;
 #endif /* LDAP_OPT_X_TLS */
+	} else {
+		if ((*ldap_struct = ldap_init(host, port)) == NULL) {
+			DEBUG(0, ("ldap_init with %s:%d failed\n", host, port));
+			return LDAP_OPERATIONS_ERROR;
 		}
+		DEBUG(3,("Successfully setup ldap session with %s:%d\n", host, port));
 	}
 #endif /* HAVE_LDAP_INITIALIZE */
+#ifdef LDAP_OPT_TIMELIMIT
+	if ((rc = ldap_set_option(*ldap_struct, LDAP_OPT_TIMELIMIT, &ot)) != LDAP_SUCCESS) {
+		DEBUG(0,("Failed to setup a ldap operation timeout %d: %s\n",
+			ot, ldap_err2string(rc)));
+	}
+#endif /* LDAP_OPT_TIMELIMIT */
+#ifdef LDAP_X_OPT_CONNECT_TIMEOUT
+	if ((rc = ldap_set_option(*ldap_struct, LDAP_X_OPT_CONNECT_TIMEOUT, &ct)) != LDAP_SUCCESS) {
+		DEBUG(0,("Failed to setup a ldap connection timeout %d: %s\n",
+			ct, ldap_err2string(rc)));
+	}
+#endif /* LDAP_X_OPT_CONNECT_TIMEOUT */
+
 	return LDAP_SUCCESS;
 }
@@ -1170,7 +1206,7 @@
 	int rc = LDAP_SERVER_DOWN;
 	int attempts = 0;
 	char *utf8_filter;
-	time_t endtime = time(NULL)+lp_ldap_timeout();
+	time_t endtime = time(NULL)+lp_ldap_operation_timeout();
 	struct timeval timeout;
 	SMB_ASSERT(ldap_state);
@@ -1207,7 +1243,7 @@
 	}
 	/* Setup timeout for the ldap_search_ext_s call - local and remote. */
-	timeout.tv_sec = lp_ldap_timeout();
+	timeout.tv_sec = lp_ldap_operation_timeout();
 	timeout.tv_usec = 0;
 	/* Setup alarm timeout.... Do we need both of these ? JRA.
@@ -1219,7 +1255,7 @@
 	got_alarm = 0;
 	CatchSignal(SIGALRM, SIGNAL_CAST gotalarm_sig);
-	alarm(lp_ldap_timeout());
+	alarm(lp_ldap_operation_timeout());
 	/* End setup timeout. */
 	while (another_ldap_try(ldap_state, &rc, &attempts, endtime)) {
@@ -1356,7 +1392,7 @@
 	int rc = LDAP_SERVER_DOWN;
 	int attempts = 0;
 	char *utf8_dn;
-	time_t endtime = time(NULL)+lp_ldap_timeout();
+	time_t endtime = time(NULL)+lp_ldap_operation_timeout();
 	SMB_ASSERT(ldap_state);
@@ -1388,7 +1424,7 @@
 	int rc = LDAP_SERVER_DOWN;
 	int attempts = 0;
 	char *utf8_dn;
-	time_t endtime = time(NULL)+lp_ldap_timeout();
+	time_t endtime = time(NULL)+lp_ldap_operation_timeout();
 	SMB_ASSERT(ldap_state);
@@ -1420,7 +1456,7 @@
 	int rc = LDAP_SERVER_DOWN;
 	int attempts = 0;
 	char *utf8_dn;
-	time_t endtime = time(NULL)+lp_ldap_timeout();
+	time_t endtime = time(NULL)+lp_ldap_operation_timeout();
 	SMB_ASSERT(ldap_state);
@@ -1454,7 +1490,7 @@
 {
 	int rc = LDAP_SERVER_DOWN;
 	int attempts = 0;
-	time_t endtime = time(NULL)+lp_ldap_timeout();
+	time_t endtime = time(NULL)+lp_ldap_operation_timeout();
 	if (!ldap_state)
 		return (-1);
--- source/libads/ldap.c.orig	Mon Jun 26 11:26:39 2006
+++ source/libads/ldap.c	Mon Jun 26 11:27:57 2006
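Review bot: `ot` is scaled to milliseconds, but `LDAP_OPT_TIMELIMIT` is expressed in seconds in both OpenLDAP and the Netscape/Mozilla SDK, so the default of 15 becomes a 15000-second server-side search limit; it should be `int ot = lp_ldap_operation_timeout();`, with the `* 1000` kept only for `ct`, since `LDAP_X_OPT_CONNECT_TIMEOUT` does take milliseconds. On OpenLDAP builds `LDAP_X_OPT_CONNECT_TIMEOUT` is not defined, so the new connection timeout is silently a no-op there; the OpenLDAP equivalent is `LDAP_OPT_NETWORK_TIMEOUT` with a `struct timeval`, and until it is wired up that limitation belongs in a comment above the `#ifdef LDAP_X_OPT_CONNECT_TIMEOUT`. The `return rc;` after a failed `ldap_set_option(*ldap_struct, LDAP_OPT_X_TLS, &tls)` hands back a live handle in `*ldap_struct`; unless every caller unbinds on error, add `ldap_unbind(*ldap_struct); *ldap_struct = NULL;` before it. Also, the `HAVE_LDAPSSL_INIT` branch calls `ldapssl_client_init()` on every connection while configure only probes `ldapssl_init`, which is presumably acceptable for that SDK but deserves a comment.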
@@ -86,13 +86,13 @@
 	int result;
 	/* Setup timeout for the ldap_search_ext_s call - local and remote. */
-	timeout.tv_sec = lp_ldap_timeout();
+	timeout.tv_sec = lp_ldap_operation_timeout();
 	timeout.tv_usec = 0;
 	/* Setup alarm timeout.... Do we need both of these ? JRA. */
 	gotalarm = 0;
 	CatchSignal(SIGALRM, SIGNAL_CAST gotalarm_sig);
-	alarm(lp_ldap_timeout());
+	alarm(lp_ldap_operation_timeout());
 	/* End setup timeout. */
 	result = ldap_search_ext_s(ld, base, scope, filter, attrs,
@@ -324,7 +324,7 @@
 	/* Otherwise setup the TCP LDAP session */
 	if ( (ads->ld = ldap_open_with_timeout(ads->config.ldap_server_name,
-		LDAP_PORT, lp_ldap_timeout())) == NULL )
+		LDAP_PORT, lp_ldap_operation_timeout())) == NULL )
 	{
 		return ADS_ERROR(LDAP_OPERATIONS_ERROR);
 	}
--- source/nsswitch/winbindd_rpc.c.orig	Mon Jun 26 11:28:32 2006
+++ source/nsswitch/winbindd_rpc.c	Mon Jun 26 11:29:00 2006
@@ -677,7 +677,7 @@
 	 * search timeout doesn't seem to apply to doing an open as well. JRA.
 	 */
-	ldp = ldap_open_with_timeout(server, port, lp_ldap_timeout());
+	ldp = ldap_open_with_timeout(server, port, lp_ldap_operation_timeout());
 	if (ldp == NULL)
 		return -1;
--- source/param/loadparm.c.orig	Mon Jun 26 11:29:14 2006
+++ source/param/loadparm.c	Mon Jun 26 11:31:50 2006
@@ -234,12 +234,14 @@
 	int ldap_ssl;
 	char *szLdapSuffix;
 	char *szLdapAdminDn;
+	char *ldap_cert_db;
 	int iAclCompat;
 	char *szCupsServer;
 	char *szIPrintServer;
 	int ldap_passwd_sync;
 	int ldap_replication_sleep;
-	int ldap_timeout; /* This is initialised in init_globals */
+	int ldap_connection_timeout;
+	int ldap_operation_timeout;
 	int ldap_page_size;
 	BOOL ldap_delete_dn;
 	BOOL bMsAddPrinterWizard;
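Review bot: `ldap_open_with_timeout()` in the `@@ -324,7` hunk of libads/ldap.c and in the winbindd_rpc.c hunk bounds connection setup, yet both are switched to `lp_ldap_operation_timeout()` even though the commit introduces `lp_ldap_connection_timeout()` for exactly that phase. If the 1-second connection default is judged too short for these two callers, a comment on each call should say so; otherwise `lp_ldap_connection_timeout()` is the consistent choice and keeps the two settings meaning what their names say. The `timeout.tv_sec` and `alarm()` changes in the first hunk are search-side limits, so the operation timeout is right there. The enclosing functions begin outside these hunks.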
@@ -1162,6 +1164,7 @@
 	{N_("Ldap Options"), P_SEP, P_SEPARATOR},
 	{"ldap admin dn", P_STRING, P_GLOBAL, &Globals.szLdapAdminDn, NULL, NULL, FLAG_ADVANCED},
+	{"ldap cert db", P_STRING, P_GLOBAL, &Globals.ldap_cert_db, NULL, NULL, FLAG_ADVANCED},
 	{"ldap delete dn", P_BOOL, P_GLOBAL, &Globals.ldap_delete_dn, NULL, NULL, FLAG_ADVANCED},
 	{"ldap group suffix", P_STRING, P_GLOBAL, &Globals.szLdapGroupSuffix, NULL, NULL, FLAG_ADVANCED},
 	{"ldap idmap suffix", P_STRING, P_GLOBAL, &Globals.szLdapIdmapSuffix, NULL, NULL, FLAG_ADVANCED},
@@ -1171,7 +1174,8 @@
 	{"ldap replication sleep", P_INTEGER, P_GLOBAL, &Globals.ldap_replication_sleep, NULL, NULL, FLAG_ADVANCED},
 	{"ldap suffix", P_STRING, P_GLOBAL, &Globals.szLdapSuffix, NULL, NULL, FLAG_ADVANCED},
 	{"ldap ssl", P_ENUM, P_GLOBAL, &Globals.ldap_ssl, NULL, enum_ldap_ssl, FLAG_ADVANCED},
-	{"ldap timeout", P_INTEGER, P_GLOBAL, &Globals.ldap_timeout, NULL, NULL, FLAG_ADVANCED},
+	{"ldap connection timeout", P_INTEGER, P_GLOBAL, &Globals.ldap_connection_timeout, NULL, NULL, FLAG_ADVANCED},
+	{"ldap operation timeout", P_INTEGER, P_GLOBAL, &Globals.ldap_operation_timeout, NULL, NULL, FLAG_ADVANCED},
 	{"ldap page size", P_INTEGER, P_GLOBAL, &Globals.ldap_page_size, NULL, NULL, FLAG_ADVANCED},
 	{"ldap user suffix", P_STRING, P_GLOBAL, &Globals.szLdapUserSuffix, NULL, NULL, FLAG_ADVANCED},
@@ -1567,11 +1571,13 @@
 	string_set(&Globals.szLdapIdmapSuffix, "");
 	string_set(&Globals.szLdapAdminDn, "");
+	string_set(&Globals.ldap_cert_db, "");
 	Globals.ldap_ssl = LDAP_SSL_ON;
 	Globals.ldap_passwd_sync = LDAP_PASSWD_SYNC_OFF;
 	Globals.ldap_delete_dn = False;
 	Globals.ldap_replication_sleep = 1000; /* wait 1 sec for replication */
-	Globals.ldap_timeout = LDAP_CONNECT_DEFAULT_TIMEOUT;
+	Globals.ldap_connection_timeout = LDAP_CONNECTION_DEFAULT_TIMEOUT;
+	Globals.ldap_operation_timeout = LDAP_OPERATION_DEFAULT_TIMEOUT;
 	Globals.ldap_page_size = LDAP_PAGE_SIZE;
 	/* This is what we tell the afs client. in reality we set the token
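Review bot: Dropping the `"ldap timeout"` entry from the parameter table (and its `lp_ldap_timeout` accessor further down) means an existing smb.conf that still sets `ldap timeout` no longer maps to anything, so a value an administrator tuned is replaced by the new defaults (1 s connection, 15 s operation) without any change on their side; keep the old name as a deprecated alias that feeds `ldap_operation_timeout`, or at minimum state the removal in the commit message and the smb.conf documentation. The `""` default given to `ldap_cert_db` is passed unchanged to `ldapssl_client_init()` in smbldap.c, so an ldaps URI on an `HAVE_LDAPSSL_INIT` build presumably fails only at connect time; a comment on `string_set(&Globals.ldap_cert_db, "");` saying the parameter is required for that path would make the dependency visible. As a style point, the new field `ldap_cert_db` sits among `szLdap*` string members, so `szLdapCertDb` would follow the surrounding convention.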
@@ -1835,11 +1841,13 @@
 FN_GLOBAL_STRING(lp_ldap_suffix, &Globals.szLdapSuffix)
 FN_GLOBAL_STRING(lp_ldap_admin_dn, &Globals.szLdapAdminDn)
+FN_GLOBAL_STRING(lp_ldap_cert_db, &Globals.ldap_cert_db)
 FN_GLOBAL_INTEGER(lp_ldap_ssl, &Globals.ldap_ssl)
 FN_GLOBAL_INTEGER(lp_ldap_passwd_sync, &Globals.ldap_passwd_sync)
 FN_GLOBAL_BOOL(lp_ldap_delete_dn, &Globals.ldap_delete_dn)
 FN_GLOBAL_INTEGER(lp_ldap_replication_sleep, &Globals.ldap_replication_sleep)
-FN_GLOBAL_INTEGER(lp_ldap_timeout, &Globals.ldap_timeout)
+FN_GLOBAL_INTEGER(lp_ldap_connection_timeout, &Globals.ldap_connection_timeout)
+FN_GLOBAL_INTEGER(lp_ldap_operation_timeout, &Globals.ldap_operation_timeout)
 FN_GLOBAL_INTEGER(lp_ldap_page_size, &Globals.ldap_page_size)
 FN_GLOBAL_STRING(lp_add_share_cmd, &Globals.szAddShareCommand)
 FN_GLOBAL_STRING(lp_change_share_cmd, &Globals.szChangeShareCommand)
--- source/libads/cldap.c.orig	Mon Jun 26 12:31:35 2006
+++ source/libads/cldap.c	Mon Jun 26 12:32:28 2006
@@ -193,7 +193,7 @@
 	/* Setup timeout */
 	gotalarm = 0;
 	CatchSignal(SIGALRM, SIGNAL_CAST gotalarm_sig);
-	alarm(lp_ldap_timeout());
+	alarm(lp_ldap_operation_timeout());
 	/* End setup timeout. */
 	ret = read(sock, blob.data, blob.length);