authorTimothy Pearson <kb9vqf@pearsoncomputing.net>2012-06-06 13:47:24 -0500
committerTimothy Pearson <kb9vqf@pearsoncomputing.net>2012-06-06 13:47:24 -0500
commit16fb6be0dbb2bc1c318b4d287cb99c51239c80f4 (patch)
tree0b77a8b9f56000643cc03340c8fb2dbd1cca921a /src
parentc1419e3a4c17f30aa504d9277a7750ce0a6b6a5a (diff)
downloadlibtdeldap-16fb6be0dbb2bc1c318b4d287cb99c51239c80f4.tar.gz
libtdeldap-16fb6be0dbb2bc1c318b4d287cb99c51239c80f4.zip
Enable SASL authentication
Diffstat (limited to 'src')
-rw-r--r--src/ldappasswddlg.cpp8
-rw-r--r--src/ldappasswddlg.h2
-rw-r--r--src/libtdeldap.cpp25
3 files changed, 30 insertions, 5 deletions
diff --git a/src/ldappasswddlg.cpp b/src/ldappasswddlg.cpp
index 8246d18..445956a 100644
--- a/src/ldappasswddlg.cpp
+++ b/src/ldappasswddlg.cpp
@@ -33,7 +33,7 @@
#include "ldappasswddlg.h"
LDAPPasswordDialog::LDAPPasswordDialog(TQWidget* parent, const char* name)
- : KDialogBase(parent, name, true, i18n("LDAP Authentication"), Ok|Cancel, Ok, true)
+ : KDialogBase(parent, name, true, i18n("LDAP Authentication"), Ok|Cancel|User1, Ok, true, i18n("Authenticate with SASL/GSSAPI"))
{
m_base = new LDAPLogin(this);
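Review bot: `use_gssapi`, the new member declared in the ldappasswddlg.h hunk, is never initialised: the constructor that starts here only allocates `m_base`, and the two slots in the next hunk assign it only on accept, so a caller that reads it after Cancel or Escape reads an indeterminate bool. Add `use_gssapi = false;` directly after `m_base = new LDAPLogin(this);` (an in-class initialiser is not available in the dialect this code targets, judging by the TQt3 API in use). The constructor body continues past the end of this hunk, so check no later statement already sets it.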
@@ -41,6 +41,12 @@ LDAPPasswordDialog::LDAPPasswordDialog(TQWidget* parent, const char* name)
}
void LDAPPasswordDialog::slotOk() {
+ use_gssapi = false;
+ accept();
+}
+
+void LDAPPasswordDialog::slotUser1() {
+ use_gssapi = true;
accept();
}
diff --git a/src/ldappasswddlg.h b/src/ldappasswddlg.h
index 2a653d6..c9ece35 100644
--- a/src/ldappasswddlg.h
+++ b/src/ldappasswddlg.h
@@ -35,9 +35,11 @@ public:
public slots:
void slotOk();
+ void slotUser1();
public:
LDAPLogin *m_base;
+ bool use_gssapi;
};
#endif
diff --git a/src/libtdeldap.cpp b/src/libtdeldap.cpp
index 47f5057..1f1bf7a 100644
--- a/src/libtdeldap.cpp
+++ b/src/libtdeldap.cpp
@@ -50,7 +50,6 @@
#define LDAP_FILE "/etc/ldap/ldap.conf"
int requested_ldap_version = LDAP_VERSION3;
-int requested_ldap_auth_method = LDAP_AUTH_SIMPLE; // Is this safe and secure over an untrusted connection?
char* ldap_user_and_operational_attributes[2] = {"*", "+"};
enum ErrorCauseLocation {
@@ -114,6 +113,12 @@ TQString ldapLikelyErrorCause(int errcode, int location) {
return ret;
}
+int sasl_bind_interact_callback(LDAP* ld, unsigned flags, void* defaults, void* sasl_interact) {
+ // FIXME
+ // This currently does nothing and hopes for the best!
+ return LDAP_SUCCESS;
+}
+
int LDAPManager::bind(TQString* errstr) {
printf("[RAJA DEBUG 600.0] In LDAPManager::bind(%p)\n\r", errstr); fflush(stdout);
if (m_ldap) {
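Review bot: `sasl_bind_interact_callback` is a non-static free function with all four parameters unused and it answers no SASL prompt, so the "FIXME / hopes for the best" comment should be replaced by a statement of the actual contract and the function given internal linkage: `static int sasl_bind_interact_callback(LDAP* ld, unsigned flags, void* defaults, void* sasl_interact) {` with a comment such as `// Deliberately answers no SASL prompts: GSSAPI is expected to take its identity from the caller's existing Kerberos credentials, and any mechanism that does need input will fail the bind rather than prompt.` Whether leaving the interact results untouched is accepted by the SASL layer is not established by this file; the later hunk passes `NULL` as `defaults`, so there is in any case nothing to fill in from. `LDAPManager::bind` begins here and continues past the hunk.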
@@ -121,6 +126,7 @@ printf("[RAJA DEBUG 600.0] In LDAPManager::bind(%p)\n\r", errstr); fflush(stdout
}
bool using_ldapi = false;
+ bool using_gssapi = false;
if (m_host.startsWith("ldapi://")) {
using_ldapi = true;
}
@@ -129,7 +135,7 @@ printf("[RAJA DEBUG 600.0] In LDAPManager::bind(%p)\n\r", errstr); fflush(stdout
havepass = true;
}
else {
-printf("[RAJA DEBUG 660.1] using_ldapi: %d\n\r", using_ldapi); fflush(stdout);
+printf("[RAJA DEBUG 660.1]\n\r"); fflush(stdout);
LDAPPasswordDialog passdlg(0);
passdlg.m_base->ldapAdminRealm->setEnabled(false);
passdlg.m_base->ldapAdminRealm->insertItem(m_realm);
@@ -143,6 +149,12 @@ printf("[RAJA DEBUG 660.1] using_ldapi: %d\n\r", using_ldapi); fflush(stdout);
m_creds->realm = passdlg.m_base->ldapAdminRealm->currentText();
m_creds->use_tls = passdlg.m_base->ldapUseTLS->isOn();
}
+ if (passdlg.use_gssapi) {
+ using_gssapi = true;
+ }
+ }
+ else {
+ return -1;
}
}
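Review bot: The new `else { return -1; }` leaves `errstr` untouched, so a caller that passes a non-null `errstr` gets -1 with no message and cannot tell a user cancellation from a failed bind. Set it before returning, e.g. `if (errstr) *errstr = i18n("Authentication cancelled");` (`i18n` is used in ldappasswddlg.cpp; if this translation unit does not pull it in, a plain literal works for a TQString). The condition this `else` belongs to is outside the hunk, so I am assuming it is the dialog's accepted check; if it is something else the point still holds for whatever path reaches this return.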
@@ -191,7 +203,7 @@ printf("[RAJA DEBUG 660.0]\n\r"); fflush(stdout);
cred.bv_val = pass.data();
cred.bv_len = pass.length();
printf("[RAJA DEBUG 660.2]\n\r"); fflush(stdout);
- if (!using_ldapi) {
+ if ((!using_ldapi && !using_gssapi)) {
if (!ldap_dn.contains(",")) {
// Look for a POSIX account with anonymous bind and the specified account name
TQString uri;
@@ -255,7 +267,12 @@ printf("[RAJA DEBUG 660.2]\n\r"); fflush(stdout);
}
}
- retcode = ldap_sasl_bind_s(m_ldap, ldap_dn.ascii(), mechanism, &cred, NULL, NULL, NULL);
+ if (using_gssapi) {
+ retcode = ldap_sasl_interactive_bind_s(m_ldap, "", "GSSAPI", NULL, NULL, LDAP_SASL_AUTOMATIC, sasl_bind_interact_callback, NULL);
+ }
+ else {
+ retcode = ldap_sasl_bind_s(m_ldap, ldap_dn.ascii(), mechanism, &cred, NULL, NULL, NULL);
+ }
printf("[RAJA DEBUG 600.2] ldap_dn: %s\n\r", ldap_dn.ascii()); fflush(stdout);
if (retcode != LDAP_SUCCESS ) {
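Review bot: The GSSAPI branch passes `LDAP_SASL_AUTOMATIC` together with a callback that answers nothing, so "prompt when defaults are missing" can never succeed; passing `LDAP_SASL_QUIET` instead states the real intent (never prompt) and avoids a pointless interaction round. The debug line that follows prints `ldap_dn` for both branches, but under GSSAPI the bound identity comes from the Kerberos principal, not `ldap_dn`, so the log is misleading on that path — consider printing the mechanism instead, e.g. `printf("[RAJA DEBUG 600.2] mechanism: %s ldap_dn: %s\n\r", using_gssapi ? "GSSAPI" : mechanism, ldap_dn.ascii());`. Nothing in this hunk requests SASL security-layer properties (minimum SSF), so when TLS is off the negotiated GSSAPI layer is whatever the library default allows; I cannot see from here whether the connection setup elsewhere covers that. The surrounding `if`/`else` and the error handling after it run past the end of the hunk.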