From d65a0335e5cb947dc527d62eccf7c2a3cdbcc788 Mon Sep 17 00:00:00 2001
From: Werner Koch <wk@gnupg.org>
Date: Wed, 28 Sep 2022 09:43:25 +0200
Subject: dirmngr: New server flag "areconly" (A-record-only)

* dirmngr/dirmngr.h (struct ldap_server_s): Add field areconly.
* dirmngr/ldapserver.c (ldapserver_parse_one): Parse "areconly"
* dirmngr/ks-engine-ldap.c (my_ldap_connect): Implement this flag.
* dirmngr/dirmngr_ldap.c: Add option --areconly
(connect_ldap): Implement option.
* dirmngr/ldap.c (run_ldap_wrapper): Add and pass that option.
--

This flag is used to pass the Windows specific option
LDAP_OPT_AREC_EXCLUSIVE.  It is ignored on other systems.

Signed-off-by: Werner Koch <wk@gnupg.org>
---
 dirmngr/ks-engine-ldap.c | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

(limited to 'dirmngr/ks-engine-ldap.c')

diff --git a/dirmngr/ks-engine-ldap.c b/dirmngr/ks-engine-ldap.c
index b3f7f8ff5..8f6144994 100644
--- a/dirmngr/ks-engine-ldap.c
+++ b/dirmngr/ks-engine-ldap.c
@@ -405,6 +405,7 @@ my_ldap_connect (parsed_uri_t uri, LDAP **ldap_connp,
   int port;            /* Port to use.  */
   int use_tls;         /* 1 = starttls, 2 = ldap-over-tls  */
   int use_ntds;        /* Use Active Directory authentication.  */
+  int use_areconly;    /* Lookup only via A record (Windows).  */
   const char *bindname;
   const char *password;
   const char *basedn_arg;
@@ -432,6 +433,7 @@ my_ldap_connect (parsed_uri_t uri, LDAP **ldap_connp,
       basedn_arg = server->base;
       use_tls = server->starttls? 1 : server->ldap_over_tls? 2 : 0;
       use_ntds = server->ntds;
+      use_areconly = server->areconly;
     }
   else
     {
@@ -442,6 +444,7 @@ my_ldap_connect (parsed_uri_t uri, LDAP **ldap_connp,
       basedn_arg = uri->path;
       use_tls = uri->use_tls ? 1 : 0;
       use_ntds = uri->ad_current;
+      use_areconly = 0;
     }
 
   if (!port)
@@ -459,13 +462,14 @@ my_ldap_connect (parsed_uri_t uri, LDAP **ldap_connp,
     }
 
   if (opt.verbose)
-    log_info ("ldap connect to '%s:%d:%s:%s:%s:%s%s'\n",
+    log_info ("ldap connect to '%s:%d:%s:%s:%s:%s%s%s'\n",
               host, port,
               basedn_arg ? basedn_arg : "",
               bindname ? bindname : "",
               password ? "*****" : "",
               use_tls == 1? "starttls" : use_tls == 2? "ldaptls" : "plain",
-              use_ntds ? ",ntds":"");
+              use_ntds ? ",ntds":"",
+              use_areconly? ",areconly":"");
 
 
   /* If the uri specifies a secure connection and we don't support
@@ -494,6 +498,18 @@ my_ldap_connect (parsed_uri_t uri, LDAP **ldap_connp,
                  host, port, ldap_err2string (lerr));
       goto out;
     }
+  if (use_areconly)
+    {
+      lerr = ldap_set_option (ldap_conn, LDAP_OPT_AREC_EXCLUSIVE, LDAP_OPT_ON);
+      if (lerr != LDAP_SUCCESS)
+        {
+          log_error ("ks-ldap: unable to set LDAP_OPT_AREC_EXLUSIVE: %s\n",
+                     ldap_err2string (lerr));
+          err = ldap_err_to_gpg_err (lerr);
+          goto out;
+        }
+    }
+
 #else /* Unix */
   tmpstr = xtryasprintf ("%s://%s:%d",
                          use_tls == 2? "ldaps" : "ldap",
-- 
cgit v1.2.3