7eb18ab LDAP: Only authenticate the auth connection if we need to look up user information

Authored and Committed by jhrozek 5 years ago
    LDAP: Only authenticate the auth connection if we need to look up user information
    
    Related:
    https://pagure.io/SSSD/sssd/issue/3451
    
    Commit add72860c7a7a2c418f4d8b6790b5caeaf7dfb7b initially addressed #3451 by
    using the full sdap_cli_connect() request during LDAP authentication. This
    was a good idea as it addressed the case where the authentication connection
    must also look up some user information (typically with id_provider=proxy
    where you don't know the DN to bind as during authentication), but this
    approach also broke the use-case of id_provider=ldap and auth_provider=ldap
    with ldap_sasl_auth=gssapi.
    
    This is because (for a reason I don't know) AD doesn't like it if you use
    both GSSAPI and startTLS on the same connection. But the code would
    force TLS during the authentication as a general measure to not transmit
    passwords in the clear, but then the connection would also see that
    ldap_sasl_auth=gssapi is set and also bind with GSSAPI.
    
    This patch checks if the user DN is already known and, if so, doesn't
    authenticate the connection, as the connection will then only be used
    for the user's simple bind.
    
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    (cherry picked from commit 57fc60c9dc77698cf824813c36eb0f90d767b315)
    
file modified: +42 -11
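The decision the commit message describes, modelled as an added toy example in C. This is not SSSD's code and not the changed sdap_cli_connect() request: the structs, the `ldap_auth()` flow, the constructed directory with a single user "alice", and the simulated server that refuses a GSSAPI bind once startTLS is active (standing in for the AD behaviour the message reports) are all assumptions made for the illustration. The `always_auth_conn` flag switches between the pre-patch behaviour (authenticate the connection on every attempt) and the patched one (authenticate it only when the user DN still has to be looked up).

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not SSSD code: a toy model of the authentication
 * connection flow the commit message describes. All names and the
 * simulated server behaviour are constructed for this example. */

enum sasl_mech { SASL_NONE, SASL_GSSAPI };

struct auth_opts {
    const char *user_dn;     /* NULL: DN not known yet (e.g. id_provider=proxy) */
    bool force_tls;          /* start TLS before the password is sent */
    enum sasl_mech sasl;     /* value of ldap_sasl_auth */
};

struct conn {
    bool ad_like;            /* server that refuses GSSAPI once startTLS is active */
    bool tls_active;
    bool sasl_bound;
    bool user_bound;
};

static bool conn_start_tls(struct conn *c)
{
    c->tls_active = true;
    return true;
}

/* Simulates the AD behaviour named in the commit message: a GSSAPI bind
 * fails on a connection that already negotiated startTLS. */
static bool conn_sasl_bind(struct conn *c)
{
    if (c->ad_like && c->tls_active)
        return false;
    c->sasl_bound = true;
    return true;
}

/* The user's own simple bind; refuses to send a password in the clear. */
static bool conn_simple_bind(struct conn *c, const char *dn, const char *pw)
{
    if (!c->tls_active || dn == NULL || pw == NULL || pw[0] == '\0')
        return false;
    c->user_bound = true;
    return true;
}

/* Constructed directory lookup: needs an authenticated connection and
 * knows exactly one user. */
static const char *lookup_user_dn(const struct conn *c, const char *user)
{
    if (!c->sasl_bound)
        return NULL;
    return strcmp(user, "alice") == 0 ? "uid=alice,ou=people,dc=example,dc=com" : NULL;
}

/* The decision introduced by the commit: the connection itself is only
 * authenticated when user information still has to be looked up. */
static bool need_conn_auth(const struct auth_opts *o)
{
    return o->user_dn == NULL;
}

/* Runs one authentication attempt. always_auth_conn == true models the old
 * behaviour (full connect including SASL bind every time), false the
 * patched one. Returns whether the user's simple bind succeeded. */
static bool ldap_auth(struct conn *c, const struct auth_opts *o,
                      const char *user, const char *pw, bool always_auth_conn)
{
    const char *dn = o->user_dn;
    bool auth_conn = always_auth_conn || need_conn_auth(o);

    if (o->force_tls && !conn_start_tls(c))
        return false;
    if (auth_conn && o->sasl == SASL_GSSAPI && !conn_sasl_bind(c))
        return false;
    if (dn == NULL && (dn = lookup_user_dn(c, user)) == NULL)
        return false;
    return conn_simple_bind(c, dn, pw);
}

/* Scenario from the regression: id/auth_provider=ldap, GSSAPI, AD-like
 * server, DN already known. */
static bool scenario_gssapi_ad_dn_known(bool always_auth_conn)
{
    struct conn c = { .ad_like = true };
    struct auth_opts o = { .user_dn = "uid=alice,ou=people,dc=example,dc=com",
                           .force_tls = true, .sasl = SASL_GSSAPI };
    return ldap_auth(&c, &o, "alice", "s3cret", always_auth_conn);
}

/* Proxy-style scenario: DN unknown, so the lookup still needs the
 * authenticated connection even with the patched behaviour. */
static bool scenario_dn_unknown(bool ad_like)
{
    struct conn c = { .ad_like = ad_like };
    struct auth_opts o = { .user_dn = NULL, .force_tls = true, .sasl = SASL_GSSAPI };
    return ldap_auth(&c, &o, "alice", "s3cret", false);
}

int main(void)
{
    printf("old behaviour, DN known, AD: %s\n", scenario_gssapi_ad_dn_known(true) ? "ok" : "FAIL");
    printf("new behaviour, DN known, AD: %s\n", scenario_gssapi_ad_dn_known(false) ? "ok" : "FAIL");
    printf("DN unknown, non-AD server:   %s\n", scenario_dn_unknown(false) ? "ok" : "FAIL");
    printf("DN unknown, AD server:       %s\n", scenario_dn_unknown(true) ? "ok" : "FAIL");
    return 0;
}
```

The last scenario shows the limit of the change as the message states it: when the DN is unknown, the connection is still authenticated with GSSAPI after startTLS, so a server with the described behaviour still rejects the bind; the patch only removes the unnecessary connection authentication when the DN is already known.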