From 96e90256757c73ccf349d144e410ddf651a74cbc Mon Sep 17 00:00:00 2001
From: Landon Fuller
Date: Wed, 17 Apr 2013 14:01:20 -0400
Subject: [PATCH] Add support for specifying bind DN and password.

This uses a seperate hdb-ldap-secret-file configuration value, which specifies an external file that may be used to supply the LDAP bind dn and password. This allows that specific file to be configured with more restrictive permissions than the global krb5.conf.

Signed-off-by: Love Hornquist Astrand
---
 lib/hdb/hdb-ldap.c | 41 ++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 40 insertions(+), 1 deletion(-)

diff --git a/lib/hdb/hdb-ldap.c b/lib/hdb/hdb-ldap.c
index 34956c8ed..c0dfe84a2 100644
--- a/lib/hdb/hdb-ldap.c
+++ b/lib/hdb/hdb-ldap.c
@@ -58,6 +58,8 @@ struct hdbldapdb {
 int h_msgid;
 char *h_base;
 char *h_url;
+ char *h_bind_dn;
+ char *h_bind_password;
 char *h_createbase;
 };
 
@@ -67,6 +69,8 @@ struct hdbldapdb {
 do { ((struct hdbldapdb *)(db)->hdb_db)->h_msgid = msgid; } while(0)
 #define HDB2BASE(dn) (((struct hdbldapdb *)(db)->hdb_db)->h_base)
 #define HDB2URL(dn) (((struct hdbldapdb *)(db)->hdb_db)->h_url)
+#define HDB2BINDDN(db) (((struct hdbldapdb *)(db)->hdb_db)->h_bind_dn)
+#define HDB2BINDPW(db) (((struct hdbldapdb *)(db)->hdb_db)->h_bind_password)
 #define HDB2CREATE(db) (((struct hdbldapdb *)(db)->hdb_db)->h_createbase)
 
 /*
@@ -1543,6 +1547,16 @@ LDAP__connect(krb5_context context, HDB * db)
 * bind in progress message.
 */
 struct berval bv = { 0, "" };
+ const char *sasl_method = "EXTERNAL";
+ const char *bind_dn = NULL;
+
+ if (HDB2BINDDN(db) != NULL && HDB2BINDPW(db) != NULL) {
+ /* A bind DN was specified; use SASL SIMPLE */
+ bind_dn = HDB2BINDDN(db);
+ sasl_method = LDAP_SASL_SIMPLE;
+ bv.bv_val = HDB2BINDPW(db);
+ bv.bv_len = strlen(bv.bv_val);
+ }
 
 if (HDB2LDAP(db)) {
 /* connection has been opened. ping server. */
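Review bot: The new `if` only switches to a simple bind when both HDB2BINDDN and HDB2BINDPW are non-NULL, so a secret file that supplies just one of the two keys (or misspells one) silently keeps the anonymous SASL EXTERNAL bind instead of failing; I would reject the half-configured case ahead of this block with something like `if ((HDB2BINDDN(db) != NULL) != (HDB2BINDPW(db) != NULL)) { krb5_set_error_message(context, EINVAL, "hdb-ldap-bind-dn and hdb-ldap-bind-password must both be set"); return EINVAL; }`, using whatever error convention the rest of LDAP__connect follows (the next hunk returns HDB_ERR_BADVERSION). Note also that LDAP_SASL_SIMPLE puts the password on the wire in cleartext unless the configured URL is ldapi:// or the session is protected by TLS, and nothing in this hunk checks HDB2URL or documents that requirement; at minimum a comment on the `sasl_method = LDAP_SASL_SIMPLE;` line such as `/* simple bind sends the password in the clear: only use over ldapi:// or TLS */` would warn the operator. LDAP__connect starts before and ends after this hunk, so I cannot see whether the URL scheme is validated elsewhere.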
@@ -1576,7 +1590,7 @@ LDAP__connect(krb5_context context, HDB * db)
 return HDB_ERR_BADVERSION;
 }
 
- rc = ldap_sasl_bind_s(HDB2LDAP(db), NULL, "EXTERNAL", &bv,
+ rc = ldap_sasl_bind_s(HDB2LDAP(db), bind_dn, sasl_method, &bv,
 NULL, NULL, NULL);
 if (rc != LDAP_SUCCESS) {
 krb5_set_error_message(context, HDB_ERR_BADVERSION,
@@ -1807,6 +1821,7 @@ hdb_ldap_common(krb5_context context,
 {
 struct hdbldapdb *h;
 const char *create_base = NULL;
+ const char *ldap_secret_file = NULL;
 
 if (url == NULL || url[0] == '\0') {
 const char *p;
@@ -1874,6 +1889,30 @@ hdb_ldap_common(krb5_context context,
 return ENOMEM;
 }
 
+ ldap_secret_file = krb5_config_get_string(context, NULL, "kdc",
+ "hdb-ldap-secret-file", NULL);
+ if (ldap_secret_file != NULL) {
+ krb5_config_binding *tmp;
+ krb5_error_code ret;
+ const char *p;
+
+ ret = krb5_config_parse_file(context, ldap_secret_file, &tmp);
+ if (ret)
+ return ret;
+
+ p = krb5_config_get_string(context, tmp, "kdc",
+ "hdb-ldap-bind-dn", NULL);
+ if (p != NULL)
+ h->h_bind_dn = strdup(p);
+
+ p = krb5_config_get_string(context, tmp, "kdc",
+ "hdb-ldap-bind-password", NULL);
+ if (p != NULL)
+ h->h_bind_password = strdup(p);
+
+ krb5_config_file_free(context, tmp);
+ }
+
 create_base = krb5_config_get_string(context, NULL, "kdc",
 "hdb-ldap-create-base", NULL);
 if (create_base == NULL)
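Review bot: Both `strdup` calls in the new block of hdb_ldap_common are unchecked, and because LDAP__connect (earlier hunk) falls back to SASL EXTERNAL whenever either field is NULL, an allocation failure here turns into a silent change of authentication mechanism rather than an error; each should fail with ENOMEM as the surrounding code does. The `if (ret) return ret;` after krb5_config_parse_file also leaves the function without releasing `h`, which the preceding `return ENOMEM;` context suggests has already been allocated, and the same applies to any new ENOMEM paths (the function starts before and ends after this hunk, so I cannot see its cleanup convention). Separately, none of the six hunks in this patch frees h_bind_dn or h_bind_password, so the bind password outlives the handle on the heap; the destroy path should `free(h->h_bind_dn);` and wipe (e.g. memset_s/explicit_bzero) then free `h->h_bind_password`. Finally, the commit message relies on the secret file having restrictive permissions but the code never verifies that; a `stat()`-based refusal, or at least a warning, when the file is group- or world-readable would enforce the assumption instead of merely documenting it.
```c
	/* … unchanged: krb5_config_parse_file() and its error return … */

	p = krb5_config_get_string(context, tmp, "kdc",
				   "hdb-ldap-bind-dn", NULL);
	if (p != NULL && (h->h_bind_dn = strdup(p)) == NULL) {
	    krb5_config_file_free(context, tmp);
	    return ENOMEM;	/* NOTE(review): also release h here if this function owns it */
	}

	p = krb5_config_get_string(context, tmp, "kdc",
				   "hdb-ldap-bind-password", NULL);
	if (p != NULL && (h->h_bind_password = strdup(p)) == NULL) {
	    krb5_config_file_free(context, tmp);
	    return ENOMEM;
	}

	krb5_config_file_free(context, tmp);
```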