dirmngr: Support "ldap:///" for the current AD user.

* dirmngr/http.h (struct parsed_uri_s): Add field ad_current.
* dirmngr/ldap-parse-uri.c (ldap_parse_uri): Set it.
* dirmngr/ks-engine-ldap.c (my_ldap_connect): Take care of ad_current.
--

Ported from 2.2.

Signed-off-by: Werner Koch <wk@gnupg.org>

3 files changed, 54 insertions, 15 deletions

diff --git a/dirmngr/http.h b/dirmngr/http.h
index 31e3a880a..4ad0351e2 100644
--- a/dirmngr/http.h
+++ b/dirmngr/http.h
@@ -57,6 +57,7 @@ struct parsed_uri_s
   unsigned int v6lit:1;   /* Host was given as a literal v6 address.  */
   unsigned int onion:1;   /* .onion address given.  */
   unsigned int explicit_port :1; /* The port was explicitly specified.  */
+  unsigned int ad_current:1;    /* Use Active Directory's current user.  */
   char *auth;           /* username/password for basic auth.  */
   char *host; 	        /* Host (converted to lowercase). */
   unsigned short port;  /* Port (always set if the host is set). */
diff --git a/dirmngr/ks-engine-ldap.c b/dirmngr/ks-engine-ldap.c
index b9410351a..7dfd7ea94 100644
--- a/dirmngr/ks-engine-ldap.c
+++ b/dirmngr/ks-engine-ldap.c
@@ -485,13 +485,15 @@ my_ldap_connect (parsed_uri_t uri, LDAP **ldap_connp,
   password = password_param ? password_param->value : NULL;
 
   if (opt.debug)
-    log_debug ("my_ldap_connect(%s:%d/%s????%s%s%s%s%s)\n",
+    log_debug ("my_ldap_connect(%s:%d/%s????%s%s%s%s%s%s)\n",
                uri->host, uri->port,
-               uri->path ?: "",
-               uri->auth ? "bindname=" : "", uri->auth ?: "",
+               uri->path ? uri->path : "",
+               uri->auth ? "bindname=" : "",
+               uri->auth ? uri->auth : "",
                uri->auth && password ? "," : "",
                password ? "password=" : "",
-               password ? ">not shown<": "");
+               password ? ">not shown<": "",
+               uri->ad_current? " auth=>current_user<":"");
 
   /* If the uri specifies a secure connection and we don't support
      TLS, then fail; don't silently revert to an insecure
@@ -505,12 +507,18 @@ my_ldap_connect (parsed_uri_t uri, LDAP **ldap_connp,
 #endif
     }
 
-  ldap_conn = ldap_init (uri->host, uri->port);
-  if (! ldap_conn)
+  if (uri->ad_current)
+    ldap_conn = ldap_init (NULL, uri->port);
+  else
+    ldap_conn = ldap_init (uri->host, uri->port);
+  if (!ldap_conn)
     {
       err = gpg_err_code_from_syserror ();
-      log_error ("Failed to open connection to LDAP server (%s://%s:%d)\n",
-		 uri->scheme, uri->host, uri->port);
+      if (uri->ad_current)
+        log_error ("error initializing LDAP for current user\n");
+      else
+        log_error ("error initializing LDAP for (%s://%s:%d)\n",
+                   uri->scheme, uri->host, uri->port);
       goto out;
     }
 
@@ -555,7 +563,7 @@ my_ldap_connect (parsed_uri_t uri, LDAP **ldap_connp,
 			     LDAP_OPT_X_TLS_REQUIRE_CERT, &check_cert);
       if (err)
 	{
-	  log_error ("Failed to set TLS option on LDAP connection.\n");
+	  log_error ("error setting TLS option on LDAP connection\n");
 	  goto out;
 	}
 #else
@@ -575,14 +583,29 @@ my_ldap_connect (parsed_uri_t uri, LDAP **ldap_connp,
 			      NULL, NULL);
       if (err)
 	{
-	  log_error ("Failed to connect to LDAP server with TLS.\n");
+	  log_error ("error connecting to LDAP server with TLS\n");
 	  goto out;
 	}
     }
 #endif
 
-  /* By default we don't bind as there is usually no need to.  */
-  if (uri->auth)
+  if (uri->ad_current)
+    {
+      if (opt.debug)
+        log_debug ("LDAP bind to current user via AD\n");
+#ifdef HAVE_W32_SYSTEM
+      err = ldap_bind_s (ldap_conn, NULL, NULL, LDAP_AUTH_NEGOTIATE);
+#else
+      err = gpg_error (GPG_ERR_NOT_SUPPORTED);
+#endif
+      if (err != LDAP_SUCCESS)
+	{
+	  log_error ("error binding to LDAP via AD: %s\n",
+                     ldap_err2string (err));
+	  goto out;
+	}
+    }
+  else if (uri->auth)
     {
       if (opt.debug)
         log_debug ("LDAP bind to %s, password %s\n",
@@ -591,11 +614,14 @@ my_ldap_connect (parsed_uri_t uri, LDAP **ldap_connp,
       err = ldap_simple_bind_s (ldap_conn, user, password);
       if (err != LDAP_SUCCESS)
 	{
-	  log_error ("Internal LDAP bind error: %s\n",
-		     ldap_err2string (err));
+	  log_error ("error binding to LDAP: %s\n", ldap_err2string (err));
 	  goto out;
 	}
     }
+  else
+    {
+      /* By default we don't bind as there is usually no need to.  */
+    }
 
   if (uri->path && *uri->path)
     {
diff --git a/dirmngr/ldap-parse-uri.c b/dirmngr/ldap-parse-uri.c
index 240b98def..41633acf0 100644
--- a/dirmngr/ldap-parse-uri.c
+++ b/dirmngr/ldap-parse-uri.c
@@ -163,9 +163,21 @@ ldap_parse_uri (parsed_uri_t *purip, const char *uri)
       puri->query->valuelen = strlen (password) + 1;
     }
 
-  puri->use_tls = strcmp (puri->scheme, "ldaps") == 0;
+  puri->use_tls = !strcmp (puri->scheme, "ldaps");
   puri->port = lud->lud_port;
 
+  /* On Windows detect whether this is ldap:// or ldaps:// to indicate
+   * that authentication via AD and the current user is requested.  */
+  puri->ad_current = 0;
+#ifdef HAVE_W32_SYSTEM
+  if ((!puri->host || !*puri->host)
+      && (!puri->path || !*puri->path)
+      && (!puri->auth || !*puri->auth)
+      && !password
+      )
+    puri->ad_current = 1;
+#endif
+
  out:
   if (lud)
     ldap_free_urldesc (lud);