private void BindSecure(System.String username, System.String password, AuthenticationTypes authenticationTypes)
{
if ((authenticationTypes & AuthenticationTypes.Secure) != 0) {
LoginContext loginContext = null;
try {
if (username != null && password != null) {
AuthenticationCallbackHandler callbackHandler = new AuthenticationCallbackHandler (username,password);
loginContext = new LoginContext (SecurityAppName, callbackHandler);
}
else
loginContext = new LoginContext (SecurityAppName);
loginContext.login ();
}
catch (Exception e) {
throw new LdapException ("Failed to create login security context", 80, "", e);
}
Krb5Helper krb5Helper = null;
try {
krb5Helper = new Krb5Helper ("ldap@" + conn.Host, username, loginContext.getSubject (), authenticationTypes, SecurityMech);
}
finally {
loginContext.logout();
}
sbyte [] token = krb5Helper.ExchangeTokens (Krb5Helper.EmptyToken);
for (;;) {
LdapResponseQueue queue = Bind(LdapConnection.Ldap_V3, username, token, null, null, AuthenticationMech);
LdapResponse res = (LdapResponse) queue.getResponse ();
if (res.ResultCode != LdapException.SASL_BIND_IN_PROGRESS &&
res.ResultCode != LdapException.SUCCESS) {
krb5Helper.Dispose();
throw new LdapException(ExceptionMessages.CONNECTION_ERROR, res.ResultCode, res.ErrorMessage);
}
Asn1OctetString serverSaslCreds = ((RfcBindResponse)res.Asn1Object.Response).ServerSaslCreds;
token = serverSaslCreds != null ? serverSaslCreds.byteValue () : null;
token = krb5Helper.ExchangeTokens(token == null ? Krb5Helper.EmptyToken : token);
if (res.ResultCode != LdapException.SASL_BIND_IN_PROGRESS)
break;
conn.ReplaceStreams (conn.InputStream,conn.OutputStream);
}
System.IO.Stream inStream = conn.InputStream;
System.IO.Stream newIn = new SecureStream (inStream, krb5Helper);
System.IO.Stream outStream = conn.OutputStream;
System.IO.Stream newOut = new SecureStream (outStream, krb5Helper);
conn.ReplaceStreams (newIn,newOut);
}
}
public sbyte [] ExchangeTokens(sbyte [] clientToken)
{
if (Context.isEstablished())
{
if (clientToken == null || clientToken.Length == 0)
{
return(Krb5Helper.EmptyToken);
}
//final handshake
byte [] challengeData = (byte [])TypeUtils.ToByteArray(clientToken);
byte [] gssOutToken = Unwrap(challengeData, 0, challengeData.Length, new MessageProp(false));
QOP myCop = QOP.NO_PROTECTION;
if (_encryption)
{
myCop = QOP.PRIVACY_PROTECTION;
}
else if (_signing || (((QOP)gssOutToken [0] & QOP.INTEGRITY_ONLY_PROTECTION) != 0))
{
myCop = QOP.INTEGRITY_ONLY_PROTECTION;
}
if ((myCop & (QOP)gssOutToken [0]) == 0)
{
throw new LdapException("Server does not support the requested security level", 80, "");
}
int srvMaxBufSize = SecureStream.NetworkByteOrderToInt(gssOutToken, 1, 3);
//int rawSendSize = Context.getWrapSizeLimit(0, _encryption, srvMaxBufSize);
byte [] gssInToken = new byte [4];
gssInToken [0] = (byte)myCop;
SecureStream.IntToNetworkByteOrder(srvMaxBufSize, gssInToken, 1, 3);
gssOutToken = Wrap(gssInToken, 0, gssInToken.Length, new MessageProp(true));
return(TypeUtils.ToSByteArray(gssOutToken));
}
sbyte [] token = Context.initSecContext(clientToken, 0, clientToken.Length);
if (Context.isEstablished())
{
if (Context.getConfState() != _encryption)
{
throw new LdapException("Encryption protocol was not established layer between client and server", 80, "");
}
if (Context.getCredDelegState() != _delegation)
{
throw new LdapException("Credential delegation was not established layer between client and server", 80, "");
}
if (_signing && (Context.getIntegState() != _signing))
{
throw new LdapException("Signing protocol was not established layer between client and server", 80, "");
}
if (token == null)
{
return(EmptyToken);
}
}
return(token);
}
