benny/wmic
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

wmi-1.3.16 from opsview.com

Browse Source
This commit is contained in:
Are Casilla
2019-02-16 00:16:52 +01:00
parent 163fdd3d1b
commit 17b3af2911
2146 changed files with 678824 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Samba/source/ldap_server/config.mk
+18
View File
@@ -0,0 +1,18 @@
# LDAP server subsystem
#######################
# Start SUBSYSTEM LDAP
[MODULE::LDAP]
INIT_FUNCTION = server_service_ldap_init
SUBSYSTEM = service
PRIVATE_PROTO_HEADER = proto.h
OBJ_FILES = \
ldap_server.o \
ldap_backend.o \
ldap_bind.o \
ldap_extended.o
PRIVATE_DEPENDENCIES = CREDENTIALS
PUBLIC_DEPENDENCIES = \
LIBCLI_LDAP SAMDB process_model auth GENSEC_SOCKET
# End SUBSYSTEM SMB
#######################
Samba/source/ldap_server/ldap_backend.c
+740
View File
@@ -0,0 +1,740 @@
/*
Unix SMB/CIFS implementation.
LDAP server
Copyright (C) Stefan Metzmacher 2004
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#include "includes.h"
#include "ldap_server/ldap_server.h"
#include "lib/util/dlinklist.h"
#include "libcli/ldap/ldap.h"
#include "lib/ldb/include/ldb.h"
#include "lib/ldb/include/ldb_errors.h"
#include "lib/db_wrap.h"
#include "auth/credentials/credentials.h"
#include "auth/gensec/gensec.h"
#define VALID_DN_SYNTAX(dn,i) do {\
if (!(dn)) {\
return NT_STATUS_NO_MEMORY;\
} else if ( ! ldb_dn_validate(dn)) {\
result = LDAP_INVALID_DN_SYNTAX;\
errstr = "Invalid DN format";\
goto reply;\
} else if (ldb_dn_get_comp_num(dn) < (i)) {\
result = LDAP_INVALID_DN_SYNTAX;\
errstr = "Invalid DN (" #i " components needed for '" #dn "')";\
goto reply;\
}\
} while(0)
static int map_ldb_error(struct ldb_context *ldb, int err, const char **errstring)
{
*errstring = ldb_errstring(ldb);
/* its 1:1 for now */
return err;
}
/*
connect to the sam database
*/
NTSTATUS ldapsrv_backend_Init(struct ldapsrv_connection *conn)
{
conn->ldb = ldb_wrap_connect(conn, lp_sam_url(), conn->session_info,
NULL, conn->global_catalog ? LDB_FLG_RDONLY : 0, NULL);
if (conn->ldb == NULL) {
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
if (conn->server_credentials) {
char **sasl_mechs = NULL;
struct gensec_security_ops **backends = gensec_security_all();
enum credentials_use_kerberos use_kerberos
= cli_credentials_get_kerberos_state(conn->server_credentials);
struct gensec_security_ops **ops
= gensec_use_kerberos_mechs(conn, backends, use_kerberos);
int i, j = 0;
for (i = 0; ops && ops[i]; i++) {
if (ops[i]->sasl_name && ops[i]->server_start) {
char *sasl_name = talloc_strdup(conn, ops[i]->sasl_name);
if (!sasl_name) {
return NT_STATUS_NO_MEMORY;
}
sasl_mechs = talloc_realloc(conn, sasl_mechs, char *, j + 2);
if (!sasl_mechs) {
return NT_STATUS_NO_MEMORY;
}
sasl_mechs[j] = sasl_name;
talloc_steal(sasl_mechs, sasl_name);
sasl_mechs[j+1] = NULL;
j++;
}
}
talloc_free(ops);
ldb_set_opaque(conn->ldb, "supportedSASLMechanims", sasl_mechs);
}
if (conn->global_catalog) {
ldb_set_opaque(conn->ldb, "global_catalog", (void *)(-1));
}
return NT_STATUS_OK;
}
struct ldapsrv_reply *ldapsrv_init_reply(struct ldapsrv_call *call, uint8_t type)
{
struct ldapsrv_reply *reply;
reply = talloc(call, struct ldapsrv_reply);
if (!reply) {
return NULL;
}
reply->msg = talloc(reply, struct ldap_message);
if (reply->msg == NULL) {
talloc_free(reply);
return NULL;
}
reply->msg->messageid = call->request->messageid;
reply->msg->type = type;
reply->msg->controls = NULL;
return reply;
}
void ldapsrv_queue_reply(struct ldapsrv_call *call, struct ldapsrv_reply *reply)
{
DLIST_ADD_END(call->replies, reply, struct ldapsrv_reply *);
}
NTSTATUS ldapsrv_unwilling(struct ldapsrv_call *call, int error)
{
struct ldapsrv_reply *reply;
struct ldap_ExtendedResponse *r;
DEBUG(10,("Unwilling type[%d] id[%d]\n", call->request->type, call->request->messageid));
reply = ldapsrv_init_reply(call, LDAP_TAG_ExtendedResponse);
if (!reply) {
return NT_STATUS_NO_MEMORY;
}
r = &reply->msg->r.ExtendedResponse;
r->response.resultcode = error;
r->response.dn = NULL;
r->response.errormessage = NULL;
r->response.referral = NULL;
r->oid = NULL;
r->value = NULL;
ldapsrv_queue_reply(call, reply);
return NT_STATUS_OK;
}
static NTSTATUS ldapsrv_SearchRequest(struct ldapsrv_call *call)
{
struct ldap_SearchRequest *req = &call->request->r.SearchRequest;
struct ldap_SearchResEntry *ent;
struct ldap_Result *done;
struct ldapsrv_reply *ent_r, *done_r;
void *local_ctx;
struct ldb_context *samdb = talloc_get_type(call->conn->ldb, struct ldb_context);
struct ldb_dn *basedn;
struct ldb_result *res = NULL;
struct ldb_request *lreq;
enum ldb_scope scope = LDB_SCOPE_DEFAULT;
const char **attrs = NULL;
const char *errstr = NULL;
int success_limit = 1;
int result = -1;
int ldb_ret = -1;
int i, j;
DEBUG(10, ("SearchRequest"));
DEBUGADD(10, (" basedn: %s", req->basedn));
DEBUGADD(10, (" filter: %s\n", ldb_filter_from_tree(call, req->tree)));
local_ctx = talloc_new(call);
NT_STATUS_HAVE_NO_MEMORY(local_ctx);
basedn = ldb_dn_new(local_ctx, samdb, req->basedn);
VALID_DN_SYNTAX(basedn, 0);
DEBUG(10, ("SearchRequest: basedn: [%s]\n", req->basedn));
DEBUG(10, ("SearchRequest: filter: [%s]\n", ldb_filter_from_tree(call, req->tree)));
switch (req->scope) {
case LDAP_SEARCH_SCOPE_BASE:
DEBUG(10,("SearchRequest: scope: [BASE]\n"));
scope = LDB_SCOPE_BASE;
success_limit = 0;
break;
case LDAP_SEARCH_SCOPE_SINGLE:
DEBUG(10,("SearchRequest: scope: [ONE]\n"));
scope = LDB_SCOPE_ONELEVEL;
success_limit = 0;
break;
case LDAP_SEARCH_SCOPE_SUB:
DEBUG(10,("SearchRequest: scope: [SUB]\n"));
scope = LDB_SCOPE_SUBTREE;
success_limit = 0;
break;
default:
result = LDAP_PROTOCOL_ERROR;
errstr = "Invalid scope";
break;
}
if (req->num_attributes >= 1) {
attrs = talloc_array(local_ctx, const char *, req->num_attributes+1);
NT_STATUS_HAVE_NO_MEMORY(attrs);
for (i=0; i < req->num_attributes; i++) {
DEBUG(10,("SearchRequest: attrs: [%s]\n",req->attributes[i]));
attrs[i] = req->attributes[i];
}
attrs[i] = NULL;
}
DEBUG(5,("ldb_request dn=%s filter=%s\n",
req->basedn, ldb_filter_from_tree(call, req->tree)));
lreq = talloc(local_ctx, struct ldb_request);
NT_STATUS_HAVE_NO_MEMORY(lreq);
res = talloc_zero(local_ctx, struct ldb_result);
NT_STATUS_HAVE_NO_MEMORY(res);
lreq->operation = LDB_SEARCH;
lreq->op.search.base = basedn;
lreq->op.search.scope = scope;
lreq->op.search.tree = req->tree;
lreq->op.search.attrs = attrs;
lreq->controls = call->request->controls;
lreq->context = res;
lreq->callback = ldb_search_default_callback;
/* Copy the timeout from the incoming call */
ldb_set_timeout(samdb, lreq, req->timelimit);
ldb_ret = ldb_request(samdb, lreq);
if (ldb_ret != LDB_SUCCESS) {
goto reply;
}
ldb_ret = ldb_wait(lreq->handle, LDB_WAIT_ALL);
if (ldb_ret == LDB_SUCCESS) {
for (i = 0; i < res->count; i++) {
ent_r = ldapsrv_init_reply(call, LDAP_TAG_SearchResultEntry);
NT_STATUS_HAVE_NO_MEMORY(ent_r);
ent = &ent_r->msg->r.SearchResultEntry;
ent->dn = ldb_dn_alloc_linearized(ent_r, res->msgs[i]->dn);
ent->num_attributes = 0;
ent->attributes = NULL;
if (res->msgs[i]->num_elements == 0) {
goto queue_reply;
}
ent->num_attributes = res->msgs[i]->num_elements;
ent->attributes = talloc_array(ent_r, struct ldb_message_element, ent->num_attributes);
NT_STATUS_HAVE_NO_MEMORY(ent->attributes);
for (j=0; j < ent->num_attributes; j++) {
ent->attributes[j].name = talloc_steal(ent->attributes, res->msgs[i]->elements[j].name);
ent->attributes[j].num_values = 0;
ent->attributes[j].values = NULL;
if (req->attributesonly && (res->msgs[i]->elements[j].num_values == 0)) {
continue;
}
ent->attributes[j].num_values = res->msgs[i]->elements[j].num_values;
ent->attributes[j].values = res->msgs[i]->elements[j].values;
talloc_steal(ent->attributes, res->msgs[i]->elements[j].values);
}
queue_reply:
ldapsrv_queue_reply(call, ent_r);
}
}
reply:
done_r = ldapsrv_init_reply(call, LDAP_TAG_SearchResultDone);
NT_STATUS_HAVE_NO_MEMORY(done_r);
done = &done_r->msg->r.SearchResultDone;
done->dn = NULL;
done->referral = NULL;
if (result != -1) {
} else if (ldb_ret == LDB_SUCCESS) {
if (res->count >= success_limit) {
DEBUG(10,("SearchRequest: results: [%d]\n", res->count));
result = LDAP_SUCCESS;
errstr = NULL;
} else if (res->count == 0) {
DEBUG(10,("SearchRequest: no results\n"));
result = LDAP_NO_SUCH_OBJECT;
errstr = ldb_errstring(samdb);
}
if (res->controls) {
done_r->msg->controls = res->controls;
talloc_steal(done_r, res->controls);
}
} else {
DEBUG(10,("SearchRequest: error\n"));
result = map_ldb_error(samdb, ldb_ret, &errstr);
}
done->resultcode = result;
done->errormessage = (errstr?talloc_strdup(done_r, errstr):NULL);
talloc_free(local_ctx);
ldapsrv_queue_reply(call, done_r);
return NT_STATUS_OK;
}
static NTSTATUS ldapsrv_ModifyRequest(struct ldapsrv_call *call)
{
struct ldap_ModifyRequest *req = &call->request->r.ModifyRequest;
struct ldap_Result *modify_result;
struct ldapsrv_reply *modify_reply;
void *local_ctx;
struct ldb_context *samdb = call->conn->ldb;
struct ldb_message *msg = NULL;
struct ldb_dn *dn;
const char *errstr = NULL;
int result = LDAP_SUCCESS;
int ldb_ret;
int i,j;
DEBUG(10, ("ModifyRequest"));
DEBUGADD(10, (" dn: %s", req->dn));
local_ctx = talloc_named(call, 0, "ModifyRequest local memory context");
NT_STATUS_HAVE_NO_MEMORY(local_ctx);
dn = ldb_dn_new(local_ctx, samdb, req->dn);
VALID_DN_SYNTAX(dn, 1);
DEBUG(10, ("ModifyRequest: dn: [%s]\n", req->dn));
msg = talloc(local_ctx, struct ldb_message);
NT_STATUS_HAVE_NO_MEMORY(msg);
msg->dn = dn;
msg->private_data = NULL;
msg->num_elements = 0;
msg->elements = NULL;
if (req->num_mods > 0) {
msg->num_elements = req->num_mods;
msg->elements = talloc_array(msg, struct ldb_message_element, req->num_mods);
NT_STATUS_HAVE_NO_MEMORY(msg->elements);
for (i=0; i < msg->num_elements; i++) {
msg->elements[i].name = discard_const_p(char, req->mods[i].attrib.name);
msg->elements[i].num_values = 0;
msg->elements[i].values = NULL;
switch (req->mods[i].type) {
default:
result = LDAP_PROTOCOL_ERROR;
errstr = "Invalid LDAP_MODIFY_* type";
goto reply;
case LDAP_MODIFY_ADD:
msg->elements[i].flags = LDB_FLAG_MOD_ADD;
break;
case LDAP_MODIFY_DELETE:
msg->elements[i].flags = LDB_FLAG_MOD_DELETE;
break;
case LDAP_MODIFY_REPLACE:
msg->elements[i].flags = LDB_FLAG_MOD_REPLACE;
break;
}
msg->elements[i].num_values = req->mods[i].attrib.num_values;
if (msg->elements[i].num_values > 0) {
msg->elements[i].values = talloc_array(msg->elements, struct ldb_val,
msg->elements[i].num_values);
NT_STATUS_HAVE_NO_MEMORY(msg->elements[i].values);
for (j=0; j < msg->elements[i].num_values; j++) {
if (!(req->mods[i].attrib.values[j].length > 0)) {
result = LDAP_OTHER;
errstr = "Empty attribute values are not allowed";
goto reply;
}
msg->elements[i].values[j].length = req->mods[i].attrib.values[j].length;
msg->elements[i].values[j].data = req->mods[i].attrib.values[j].data;
}
}
}
} else {
result = LDAP_OTHER;
errstr = "No mods are not allowed";
goto reply;
}
reply:
modify_reply = ldapsrv_init_reply(call, LDAP_TAG_ModifyResponse);
NT_STATUS_HAVE_NO_MEMORY(modify_reply);
if (result == LDAP_SUCCESS) {
ldb_ret = ldb_modify(samdb, msg);
result = map_ldb_error(samdb, ldb_ret, &errstr);
}
modify_result = &modify_reply->msg->r.AddResponse;
modify_result->dn = NULL;
modify_result->resultcode = result;
modify_result->errormessage = (errstr?talloc_strdup(modify_reply, errstr):NULL);
modify_result->referral = NULL;
talloc_free(local_ctx);
ldapsrv_queue_reply(call, modify_reply);
return NT_STATUS_OK;
}
static NTSTATUS ldapsrv_AddRequest(struct ldapsrv_call *call)
{
struct ldap_AddRequest *req = &call->request->r.AddRequest;
struct ldap_Result *add_result;
struct ldapsrv_reply *add_reply;
void *local_ctx;
struct ldb_context *samdb = call->conn->ldb;
struct ldb_message *msg = NULL;
struct ldb_dn *dn;
const char *errstr = NULL;
int result = LDAP_SUCCESS;
int ldb_ret;
int i,j;
DEBUG(10, ("AddRequest"));
DEBUGADD(10, (" dn: %s", req->dn));
local_ctx = talloc_named(call, 0, "AddRequest local memory context");
NT_STATUS_HAVE_NO_MEMORY(local_ctx);
dn = ldb_dn_new(local_ctx, samdb, req->dn);
VALID_DN_SYNTAX(dn,1);
DEBUG(10, ("AddRequest: dn: [%s]\n", req->dn));
msg = talloc(local_ctx, struct ldb_message);
NT_STATUS_HAVE_NO_MEMORY(msg);
msg->dn = dn;
msg->private_data = NULL;
msg->num_elements = 0;
msg->elements = NULL;
if (req->num_attributes > 0) {
msg->num_elements = req->num_attributes;
msg->elements = talloc_array(msg, struct ldb_message_element, msg->num_elements);
NT_STATUS_HAVE_NO_MEMORY(msg->elements);
for (i=0; i < msg->num_elements; i++) {
msg->elements[i].name = discard_const_p(char, req->attributes[i].name);
msg->elements[i].flags = 0;
msg->elements[i].num_values = 0;
msg->elements[i].values = NULL;
if (req->attributes[i].num_values > 0) {
msg->elements[i].num_values = req->attributes[i].num_values;
msg->elements[i].values = talloc_array(msg->elements, struct ldb_val,
msg->elements[i].num_values);
NT_STATUS_HAVE_NO_MEMORY(msg->elements[i].values);
for (j=0; j < msg->elements[i].num_values; j++) {
if (!(req->attributes[i].values[j].length > 0)) {
result = LDAP_OTHER;
errstr = "Empty attribute values are not allowed";
goto reply;
}
msg->elements[i].values[j].length = req->attributes[i].values[j].length;
msg->elements[i].values[j].data = req->attributes[i].values[j].data;
}
} else {
result = LDAP_OTHER;
errstr = "No attribute values are not allowed";
goto reply;
}
}
} else {
result = LDAP_OTHER;
errstr = "No attributes are not allowed";
goto reply;
}
reply:
add_reply = ldapsrv_init_reply(call, LDAP_TAG_AddResponse);
NT_STATUS_HAVE_NO_MEMORY(add_reply);
if (result == LDAP_SUCCESS) {
ldb_ret = ldb_add(samdb, msg);
result = map_ldb_error(samdb, ldb_ret, &errstr);
}
add_result = &add_reply->msg->r.AddResponse;
add_result->dn = NULL;
add_result->resultcode = result;
add_result->errormessage = (errstr?talloc_strdup(add_reply,errstr):NULL);
add_result->referral = NULL;
talloc_free(local_ctx);
ldapsrv_queue_reply(call, add_reply);
return NT_STATUS_OK;
}
static NTSTATUS ldapsrv_DelRequest(struct ldapsrv_call *call)
{
struct ldap_DelRequest *req = &call->request->r.DelRequest;
struct ldap_Result *del_result;
struct ldapsrv_reply *del_reply;
void *local_ctx;
struct ldb_context *samdb = call->conn->ldb;
struct ldb_dn *dn;
const char *errstr = NULL;
int result = LDAP_SUCCESS;
int ldb_ret;
DEBUG(10, ("DelRequest"));
DEBUGADD(10, (" dn: %s", req->dn));
local_ctx = talloc_named(call, 0, "DelRequest local memory context");
NT_STATUS_HAVE_NO_MEMORY(local_ctx);
dn = ldb_dn_new(local_ctx, samdb, req->dn);
VALID_DN_SYNTAX(dn,1);
DEBUG(10, ("DelRequest: dn: [%s]\n", req->dn));
reply:
del_reply = ldapsrv_init_reply(call, LDAP_TAG_DelResponse);
NT_STATUS_HAVE_NO_MEMORY(del_reply);
if (result == LDAP_SUCCESS) {
ldb_ret = ldb_delete(samdb, dn);
result = map_ldb_error(samdb, ldb_ret, &errstr);
}
del_result = &del_reply->msg->r.DelResponse;
del_result->dn = NULL;
del_result->resultcode = result;
del_result->errormessage = (errstr?talloc_strdup(del_reply,errstr):NULL);
del_result->referral = NULL;
talloc_free(local_ctx);
ldapsrv_queue_reply(call, del_reply);
return NT_STATUS_OK;
}
static NTSTATUS ldapsrv_ModifyDNRequest(struct ldapsrv_call *call)
{
struct ldap_ModifyDNRequest *req = &call->request->r.ModifyDNRequest;
struct ldap_Result *modifydn;
struct ldapsrv_reply *modifydn_r;
void *local_ctx;
struct ldb_context *samdb = call->conn->ldb;
struct ldb_dn *olddn, *newdn=NULL, *newrdn;
struct ldb_dn *parentdn = NULL;
const char *errstr = NULL;
int result = LDAP_SUCCESS;
int ldb_ret;
DEBUG(10, ("ModifyDNRequrest"));
DEBUGADD(10, (" dn: %s", req->dn));
DEBUGADD(10, (" newrdn: %s", req->newrdn));
local_ctx = talloc_named(call, 0, "ModifyDNRequest local memory context");
NT_STATUS_HAVE_NO_MEMORY(local_ctx);
olddn = ldb_dn_new(local_ctx, samdb, req->dn);
VALID_DN_SYNTAX(olddn, 2);
newrdn = ldb_dn_new(local_ctx, samdb, req->newrdn);
VALID_DN_SYNTAX(newrdn, 1);
DEBUG(10, ("ModifyDNRequest: olddn: [%s]\n", req->dn));
DEBUG(10, ("ModifyDNRequest: newrdn: [%s]\n", req->newrdn));
/* we can't handle the rename if we should not remove the old dn */
if (!req->deleteolddn) {
result = LDAP_UNWILLING_TO_PERFORM;
errstr = "Old RDN must be deleted";
goto reply;
}
if (req->newsuperior) {
parentdn = ldb_dn_new(local_ctx, samdb, req->newsuperior);
VALID_DN_SYNTAX(parentdn, 0);
DEBUG(10, ("ModifyDNRequest: newsuperior: [%s]\n", req->newsuperior));
if (ldb_dn_get_comp_num(parentdn) < 1) {
result = LDAP_AFFECTS_MULTIPLE_DSAS;
errstr = "Error new Superior DN invalid";
goto reply;
}
}
if (!parentdn) {
parentdn = ldb_dn_get_parent(local_ctx, olddn);
NT_STATUS_HAVE_NO_MEMORY(parentdn);
}
if ( ! ldb_dn_add_child_fmt(parentdn,
"%s=%s",
ldb_dn_get_rdn_name(newrdn),
(char *)ldb_dn_get_rdn_val(newrdn)->data)) {
result = LDAP_OTHER;
goto reply;
}
reply:
modifydn_r = ldapsrv_init_reply(call, LDAP_TAG_ModifyDNResponse);
NT_STATUS_HAVE_NO_MEMORY(modifydn_r);
if (result == LDAP_SUCCESS) {
ldb_ret = ldb_rename(samdb, olddn, newdn);
result = map_ldb_error(samdb, ldb_ret, &errstr);
}
modifydn = &modifydn_r->msg->r.ModifyDNResponse;
modifydn->dn = NULL;
modifydn->resultcode = result;
modifydn->errormessage = (errstr?talloc_strdup(modifydn_r,errstr):NULL);
modifydn->referral = NULL;
talloc_free(local_ctx);
ldapsrv_queue_reply(call, modifydn_r);
return NT_STATUS_OK;
}
static NTSTATUS ldapsrv_CompareRequest(struct ldapsrv_call *call)
{
struct ldap_CompareRequest *req = &call->request->r.CompareRequest;
struct ldap_Result *compare;
struct ldapsrv_reply *compare_r;
void *local_ctx;
struct ldb_context *samdb = call->conn->ldb;
struct ldb_result *res = NULL;
struct ldb_dn *dn;
const char *attrs[1];
const char *errstr = NULL;
const char *filter = NULL;
int result = LDAP_SUCCESS;
int ldb_ret;
DEBUG(10, ("CompareRequest"));
DEBUGADD(10, (" dn: %s", req->dn));
local_ctx = talloc_named(call, 0, "CompareRequest local_memory_context");
NT_STATUS_HAVE_NO_MEMORY(local_ctx);
dn = ldb_dn_new(local_ctx, samdb, req->dn);
VALID_DN_SYNTAX(dn, 1);
DEBUG(10, ("CompareRequest: dn: [%s]\n", req->dn));
filter = talloc_asprintf(local_ctx, "(%s=%*s)", req->attribute,
(int)req->value.length, req->value.data);
NT_STATUS_HAVE_NO_MEMORY(filter);
DEBUGADD(10, ("CompareRequest: attribute: [%s]\n", filter));
attrs[0] = NULL;
reply:
compare_r = ldapsrv_init_reply(call, LDAP_TAG_CompareResponse);
NT_STATUS_HAVE_NO_MEMORY(compare_r);
if (result == LDAP_SUCCESS) {
ldb_ret = ldb_search(samdb, dn, LDB_SCOPE_BASE, filter, attrs, &res);
talloc_steal(local_ctx, res);
if (ldb_ret != LDB_SUCCESS) {
result = map_ldb_error(samdb, ldb_ret, &errstr);
DEBUG(10,("CompareRequest: error: %s\n", errstr));
} else if (res->count == 0) {
DEBUG(10,("CompareRequest: doesn't matched\n"));
result = LDAP_COMPARE_FALSE;
errstr = NULL;
} else if (res->count == 1) {
DEBUG(10,("CompareRequest: matched\n"));
result = LDAP_COMPARE_TRUE;
errstr = NULL;
} else if (res->count > 1) {
result = LDAP_OTHER;
errstr = "too many objects match";
DEBUG(10,("CompareRequest: %d results: %s\n", res->count, errstr));
}
}
compare = &compare_r->msg->r.CompareResponse;
compare->dn = NULL;
compare->resultcode = result;
compare->errormessage = (errstr?talloc_strdup(compare_r,errstr):NULL);
compare->referral = NULL;
talloc_free(local_ctx);
ldapsrv_queue_reply(call, compare_r);
return NT_STATUS_OK;
}
static NTSTATUS ldapsrv_AbandonRequest(struct ldapsrv_call *call)
{
/* struct ldap_AbandonRequest *req = &call->request.r.AbandonRequest;*/
DEBUG(10, ("AbandonRequest\n"));
return NT_STATUS_OK;
}
NTSTATUS ldapsrv_do_call(struct ldapsrv_call *call)
{
switch(call->request->type) {
case LDAP_TAG_BindRequest:
return ldapsrv_BindRequest(call);
case LDAP_TAG_UnbindRequest:
return ldapsrv_UnbindRequest(call);
case LDAP_TAG_SearchRequest:
return ldapsrv_SearchRequest(call);
case LDAP_TAG_ModifyRequest:
return ldapsrv_ModifyRequest(call);
case LDAP_TAG_AddRequest:
return ldapsrv_AddRequest(call);
case LDAP_TAG_DelRequest:
return ldapsrv_DelRequest(call);
case LDAP_TAG_ModifyDNRequest:
return ldapsrv_ModifyDNRequest(call);
case LDAP_TAG_CompareRequest:
return ldapsrv_CompareRequest(call);
case LDAP_TAG_AbandonRequest:
return ldapsrv_AbandonRequest(call);
case LDAP_TAG_ExtendedRequest:
return ldapsrv_ExtendedRequest(call);
default:
return ldapsrv_unwilling(call, 2);
}
}
Samba/source/ldap_server/ldap_bind.c
+320
View File
@@ -0,0 +1,320 @@
/*
Unix SMB/CIFS implementation.
LDAP server
Copyright (C) Stefan Metzmacher 2004
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#include "includes.h"
#include "ldap_server/ldap_server.h"
#include "auth/auth.h"
#include "libcli/ldap/ldap.h"
#include "smbd/service.h"
#include "lib/ldb/include/ldb.h"
#include "lib/ldb/include/ldb_errors.h"
#include "dsdb/samdb/samdb.h"
#include "auth/gensec/gensec.h"
#include "auth/gensec/socket.h"
static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call)
{
struct ldap_BindRequest *req = &call->request->r.BindRequest;
struct ldapsrv_reply *reply;
struct ldap_BindResponse *resp;
int result;
const char *errstr;
const char *nt4_domain, *nt4_account;
struct auth_session_info *session_info;
NTSTATUS status;
DEBUG(10, ("BindSimple dn: %s\n",req->dn));
status = crack_dn_to_nt4_name(call, req->dn, &nt4_domain, &nt4_account);
if (NT_STATUS_IS_OK(status)) {
status = authenticate_username_pw(call,
call->conn->connection->event.ctx,
call->conn->connection->msg_ctx,
nt4_domain, nt4_account,
req->creds.password,
&session_info);
}
reply = ldapsrv_init_reply(call, LDAP_TAG_BindResponse);
if (!reply) {
return NT_STATUS_NO_MEMORY;
}
if (NT_STATUS_IS_OK(status)) {
result = LDAP_SUCCESS;
errstr = NULL;
talloc_free(call->conn->session_info);
call->conn->session_info = session_info;
talloc_steal(call->conn, session_info);
/* don't leak the old LDB */
talloc_free(call->conn->ldb);
status = ldapsrv_backend_Init(call->conn);
if (!NT_STATUS_IS_OK(status)) {
result = LDAP_OPERATIONS_ERROR;
errstr = talloc_asprintf(reply, "Simple Bind: Failed to advise ldb new credentials: %s", nt_errstr(status));
}
} else {
status = auth_nt_status_squash(status);
result = LDAP_INVALID_CREDENTIALS;
errstr = talloc_asprintf(reply, "Simple Bind Failed: %s", nt_errstr(status));
}
resp = &reply->msg->r.BindResponse;
resp->response.resultcode = result;
resp->response.errormessage = errstr;
resp->response.dn = NULL;
resp->response.referral = NULL;
resp->SASL.secblob = NULL;
ldapsrv_queue_reply(call, reply);
return NT_STATUS_OK;
}
struct ldapsrv_sasl_context {
struct ldapsrv_connection *conn;
struct socket_context *sasl_socket;
};
static void ldapsrv_set_sasl(void *private)
{
struct ldapsrv_sasl_context *ctx = talloc_get_type(private, struct ldapsrv_sasl_context);
talloc_steal(ctx->conn->connection, ctx->sasl_socket);
talloc_unlink(ctx->conn->connection, ctx->conn->connection->socket);
ctx->conn->sockets.sasl = ctx->sasl_socket;
ctx->conn->connection->socket = ctx->sasl_socket;
packet_set_socket(ctx->conn->packet, ctx->conn->connection->socket);
}
static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call)
{
struct ldap_BindRequest *req = &call->request->r.BindRequest;
struct ldapsrv_reply *reply;
struct ldap_BindResponse *resp;
struct ldapsrv_connection *conn;
int result = 0;
const char *errstr=NULL;
NTSTATUS status = NT_STATUS_OK;
DEBUG(10, ("BindSASL dn: %s\n",req->dn));
reply = ldapsrv_init_reply(call, LDAP_TAG_BindResponse);
if (!reply) {
return NT_STATUS_NO_MEMORY;
}
resp = &reply->msg->r.BindResponse;
conn = call->conn;
/*
* TODO: a SASL bind with a different mechanism
* should cancel an inprogress SASL bind.
* (see RFC 4513)
*/
if (!conn->gensec) {
conn->session_info = NULL;
status = gensec_server_start(conn,
conn->connection->event.ctx,
conn->connection->msg_ctx,
&conn->gensec);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to start GENSEC server code: %s\n", nt_errstr(status)));
result = LDAP_OPERATIONS_ERROR;
errstr = talloc_asprintf(reply, "SASL: Failed to start authentication system: %s",
nt_errstr(status));
} else {
gensec_set_target_service(conn->gensec, "ldap");
gensec_set_credentials(conn->gensec, conn->server_credentials);
gensec_want_feature(conn->gensec, GENSEC_FEATURE_SIGN);
gensec_want_feature(conn->gensec, GENSEC_FEATURE_SEAL);
gensec_want_feature(conn->gensec, GENSEC_FEATURE_ASYNC_REPLIES);
status = gensec_start_mech_by_sasl_name(conn->gensec, req->creds.SASL.mechanism);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to start GENSEC SASL[%s] server code: %s\n",
req->creds.SASL.mechanism, nt_errstr(status)));
result = LDAP_OPERATIONS_ERROR;
errstr = talloc_asprintf(reply, "SASL:[%s]: Failed to start authentication backend: %s",
req->creds.SASL.mechanism, nt_errstr(status));
}
}
}
if (NT_STATUS_IS_OK(status)) {
DATA_BLOB input = data_blob(NULL, 0);
DATA_BLOB output = data_blob(NULL, 0);
if (req->creds.SASL.secblob) {
input = *req->creds.SASL.secblob;
}
resp->SASL.secblob = talloc(reply, DATA_BLOB);
NT_STATUS_HAVE_NO_MEMORY(resp->SASL.secblob);
status = gensec_update(conn->gensec, reply,
input, &output);
/* TODO: gensec should really handle the difference between NULL and length=0 better! */
if (output.data) {
resp->SASL.secblob = talloc(reply, DATA_BLOB);
NT_STATUS_HAVE_NO_MEMORY(resp->SASL.secblob);
*resp->SASL.secblob = output;
} else {
resp->SASL.secblob = NULL;
}
} else {
resp->SASL.secblob = NULL;
}
if (NT_STATUS_EQUAL(NT_STATUS_MORE_PROCESSING_REQUIRED, status)) {
result = LDAP_SASL_BIND_IN_PROGRESS;
errstr = NULL;
} else if (NT_STATUS_IS_OK(status)) {
struct auth_session_info *old_session_info=NULL;
struct ldapsrv_sasl_context *ctx;
result = LDAP_SUCCESS;
errstr = NULL;
ctx = talloc(call, struct ldapsrv_sasl_context);
if (!ctx) {
status = NT_STATUS_NO_MEMORY;
} else {
ctx->conn = conn;
status = gensec_socket_init(conn->gensec,
conn->connection->socket,
conn->connection->event.ctx,
stream_io_handler_callback,
conn->connection,
&ctx->sasl_socket);
}
if (!ctx || !NT_STATUS_IS_OK(status)) {
conn->session_info = old_session_info;
result = LDAP_OPERATIONS_ERROR;
errstr = talloc_asprintf(reply,
"SASL:[%s]: Failed to setup SASL socket: %s",
req->creds.SASL.mechanism, nt_errstr(status));
} else {
call->send_callback = ldapsrv_set_sasl;
call->send_private = ctx;
old_session_info = conn->session_info;
conn->session_info = NULL;
status = gensec_session_info(conn->gensec, &conn->session_info);
if (!NT_STATUS_IS_OK(status)) {
conn->session_info = old_session_info;
result = LDAP_OPERATIONS_ERROR;
errstr = talloc_asprintf(reply,
"SASL:[%s]: Failed to get session info: %s",
req->creds.SASL.mechanism, nt_errstr(status));
} else {
talloc_free(old_session_info);
talloc_steal(conn, conn->session_info);
/* don't leak the old LDB */
talloc_free(conn->ldb);
status = ldapsrv_backend_Init(conn);
if (!NT_STATUS_IS_OK(status)) {
result = LDAP_OPERATIONS_ERROR;
errstr = talloc_asprintf(reply,
"SASL:[%s]: Failed to advise samdb of new credentials: %s",
req->creds.SASL.mechanism,
nt_errstr(status));
}
}
}
} else {
status = auth_nt_status_squash(status);
if (result == 0) {
result = LDAP_INVALID_CREDENTIALS;
errstr = talloc_asprintf(reply, "SASL:[%s]: %s", req->creds.SASL.mechanism, nt_errstr(status));
}
}
resp->response.resultcode = result;
resp->response.dn = NULL;
resp->response.errormessage = errstr;
resp->response.referral = NULL;
ldapsrv_queue_reply(call, reply);
return NT_STATUS_OK;
}
NTSTATUS ldapsrv_BindRequest(struct ldapsrv_call *call)
{
struct ldap_BindRequest *req = &call->request->r.BindRequest;
struct ldapsrv_reply *reply;
struct ldap_BindResponse *resp;
/*
* TODO: we should fail the bind request
* if there're any pending requests.
*
* also a simple bind should cancel an
* inprogress SASL bind.
* (see RFC 4513)
*/
switch (req->mechanism) {
case LDAP_AUTH_MECH_SIMPLE:
return ldapsrv_BindSimple(call);
case LDAP_AUTH_MECH_SASL:
return ldapsrv_BindSASL(call);
}
reply = ldapsrv_init_reply(call, LDAP_TAG_BindResponse);
if (!reply) {
return NT_STATUS_NO_MEMORY;
}
resp = &reply->msg->r.BindResponse;
resp->response.resultcode = 7;
resp->response.dn = NULL;
resp->response.errormessage = talloc_asprintf(reply, "Bad AuthenticationChoice [%d]", req->mechanism);
resp->response.referral = NULL;
resp->SASL.secblob = NULL;
ldapsrv_queue_reply(call, reply);
return NT_STATUS_OK;
}
NTSTATUS ldapsrv_UnbindRequest(struct ldapsrv_call *call)
{
DEBUG(10, ("UnbindRequest\n"));
return NT_STATUS_OK;
}
Samba/source/ldap_server/ldap_extended.c
+150
View File
@@ -0,0 +1,150 @@
/*
Unix SMB/CIFS implementation.
LDAP server
Copyright (C) Stefan Metzmacher 2004
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#include "includes.h"
#include "ldap_server/ldap_server.h"
#include "lib/util/dlinklist.h"
#include "libcli/ldap/ldap.h"
#include "lib/tls/tls.h"
#include "smbd/service_stream.h"
struct ldapsrv_starttls_context {
struct ldapsrv_connection *conn;
struct socket_context *tls_socket;
};
static void ldapsrv_start_tls(void *private)
{
struct ldapsrv_starttls_context *ctx = talloc_get_type(private, struct ldapsrv_starttls_context);
talloc_steal(ctx->conn->connection, ctx->tls_socket);
talloc_unlink(ctx->conn->connection, ctx->conn->connection->socket);
ctx->conn->sockets.tls = ctx->tls_socket;
ctx->conn->connection->socket = ctx->tls_socket;
packet_set_socket(ctx->conn->packet, ctx->conn->connection->socket);
}
static NTSTATUS ldapsrv_StartTLS(struct ldapsrv_call *call,
struct ldapsrv_reply *reply,
const char **errstr)
{
struct ldapsrv_starttls_context *ctx;
(*errstr) = NULL;
/*
* TODO: give LDAP_OPERATIONS_ERROR also when
* there're pending requests or there's
* a SASL bind in progress
* (see rfc4513 section 3.1.1)
*/
if (call->conn->sockets.tls) {
(*errstr) = talloc_asprintf(reply, "START-TLS: TLS is already enabled on this LDAP session");
return NT_STATUS_LDAP(LDAP_OPERATIONS_ERROR);
}
ctx = talloc(call, struct ldapsrv_starttls_context);
NT_STATUS_HAVE_NO_MEMORY(ctx);
ctx->conn = call->conn;
ctx->tls_socket = tls_init_server(call->conn->service->tls_params,
call->conn->connection->socket,
call->conn->connection->event.fde,
NULL);
if (!ctx->tls_socket) {
(*errstr) = talloc_asprintf(reply, "START-TLS: Failed to setup TLS socket");
return NT_STATUS_LDAP(LDAP_OPERATIONS_ERROR);
}
call->send_callback = ldapsrv_start_tls;
call->send_private = ctx;
reply->msg->r.ExtendedResponse.response.resultcode = LDAP_SUCCESS;
reply->msg->r.ExtendedResponse.response.errormessage = NULL;
ldapsrv_queue_reply(call, reply);
return NT_STATUS_OK;
}
struct ldapsrv_extended_operation {
const char *oid;
NTSTATUS (*fn)(struct ldapsrv_call *call, struct ldapsrv_reply *reply, const char **errorstr);
};
static struct ldapsrv_extended_operation extended_ops[] = {
{
.oid = LDB_EXTENDED_START_TLS_OID,
.fn = ldapsrv_StartTLS,
},{
.oid = NULL,
.fn = NULL,
}
};
NTSTATUS ldapsrv_ExtendedRequest(struct ldapsrv_call *call)
{
struct ldap_ExtendedRequest *req = &call->request->r.ExtendedRequest;
struct ldapsrv_reply *reply;
int result = LDAP_PROTOCOL_ERROR;
const char *error_str = NULL;
NTSTATUS status = NT_STATUS_OK;
uint32_t i;
DEBUG(10, ("Extended\n"));
reply = ldapsrv_init_reply(call, LDAP_TAG_ExtendedResponse);
NT_STATUS_HAVE_NO_MEMORY(reply);
ZERO_STRUCT(reply->msg->r);
reply->msg->r.ExtendedResponse.oid = talloc_steal(reply, req->oid);
reply->msg->r.ExtendedResponse.response.resultcode = LDAP_PROTOCOL_ERROR;
reply->msg->r.ExtendedResponse.response.errormessage = NULL;
for (i=0; extended_ops[i].oid; i++) {
if (strcmp(extended_ops[i].oid,req->oid) != 0) continue;
/*
* if the backend function returns an error we
* need to send the reply otherwise the reply is already
* send and we need to return directly
*/
status = extended_ops[i].fn(call, reply, &error_str);
NT_STATUS_IS_OK_RETURN(status);
if (NT_STATUS_IS_LDAP(status)) {
result = NT_STATUS_LDAP_CODE(status);
} else {
result = LDAP_OPERATIONS_ERROR;
error_str = talloc_asprintf(reply, "Extended Operation(%s) failed: %s",
req->oid, nt_errstr(status));
}
}
/* if we haven't found the oid, then status is still NT_STATUS_OK */
if (NT_STATUS_IS_OK(status)) {
error_str = talloc_asprintf(reply, "Extended Operation(%s) not supported",
req->oid);
}
reply->msg->r.ExtendedResponse.response.resultcode = result;
reply->msg->r.ExtendedResponse.response.errormessage = error_str;
ldapsrv_queue_reply(call, reply);
return NT_STATUS_OK;
}
Samba/source/ldap_server/ldap_server.c
+526
View File
@@ -0,0 +1,526 @@
/*
Unix SMB/CIFS implementation.
LDAP server
Copyright (C) Andrew Tridgell 2005
Copyright (C) Volker Lendecke 2004
Copyright (C) Stefan Metzmacher 2004
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#include "includes.h"
#include "lib/events/events.h"
#include "auth/auth.h"
#include "auth/credentials/credentials.h"
#include "librpc/gen_ndr/ndr_samr.h"
#include "lib/util/dlinklist.h"
#include "libcli/util/asn_1.h"
#include "ldap_server/ldap_server.h"
#include "smbd/service_task.h"
#include "smbd/service_stream.h"
#include "smbd/service.h"
#include "smbd/process_model.h"
#include "lib/tls/tls.h"
#include "lib/messaging/irpc.h"
#include "lib/ldb/include/ldb.h"
#include "lib/ldb/include/ldb_errors.h"
#include "system/network.h"
#include "lib/socket/netif.h"
/*
close the socket and shutdown a server_context
*/
void ldapsrv_terminate_connection(struct ldapsrv_connection *conn,
const char *reason)
{
stream_terminate_connection(conn->connection, reason);
}
/*
handle packet errors
*/
static void ldapsrv_error_handler(void *private, NTSTATUS status)
{
struct ldapsrv_connection *conn = talloc_get_type(private,
struct ldapsrv_connection);
ldapsrv_terminate_connection(conn, nt_errstr(status));
}
/*
process a decoded ldap message
*/
static void ldapsrv_process_message(struct ldapsrv_connection *conn,
struct ldap_message *msg)
{
struct ldapsrv_call *call;
NTSTATUS status;
DATA_BLOB blob;
call = talloc(conn, struct ldapsrv_call);
if (!call) {
ldapsrv_terminate_connection(conn, "no memory");
return;
}
call->request = talloc_steal(call, msg);
call->conn = conn;
call->replies = NULL;
call->send_callback = NULL;
call->send_private = NULL;
/* make the call */
status = ldapsrv_do_call(call);
if (!NT_STATUS_IS_OK(status)) {
talloc_free(call);
return;
}
blob = data_blob(NULL, 0);
if (call->replies == NULL) {
talloc_free(call);
return;
}
/* build all the replies into a single blob */
while (call->replies) {
DATA_BLOB b;
msg = call->replies->msg;
if (!ldap_encode(msg, &b, call)) {
DEBUG(0,("Failed to encode ldap reply of type %d\n", msg->type));
talloc_free(call);
return;
}
status = data_blob_append(call, &blob, b.data, b.length);
data_blob_free(&b);
talloc_set_name_const(blob.data, "Outgoing, encoded LDAP packet");
if (!NT_STATUS_IS_OK(status)) {
talloc_free(call);
return;
}
DLIST_REMOVE(call->replies, call->replies);
}
packet_send_callback(conn->packet, blob,
call->send_callback, call->send_private);
talloc_free(call);
return;
}
/*
decode/process data
*/
static NTSTATUS ldapsrv_decode(void *private, DATA_BLOB blob)
{
struct ldapsrv_connection *conn = talloc_get_type(private,
struct ldapsrv_connection);
struct asn1_data asn1;
struct ldap_message *msg = talloc(conn, struct ldap_message);
if (msg == NULL) {
return NT_STATUS_NO_MEMORY;
}
if (!asn1_load(&asn1, blob)) {
return NT_STATUS_NO_MEMORY;
}
if (!ldap_decode(&asn1, msg)) {
asn1_free(&asn1);
return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR);
}
data_blob_free(&blob);
ldapsrv_process_message(conn, msg);
asn1_free(&asn1);
return NT_STATUS_OK;
}
/*
Idle timeout handler
*/
static void ldapsrv_conn_idle_timeout(struct event_context *ev,
struct timed_event *te,
struct timeval t,
void *private)
{
struct ldapsrv_connection *conn = talloc_get_type(private, struct ldapsrv_connection);
ldapsrv_terminate_connection(conn, "Timeout. No requests after bind");
}
/*
called when a LDAP socket becomes readable
*/
void ldapsrv_recv(struct stream_connection *c, uint16_t flags)
{
struct ldapsrv_connection *conn =
talloc_get_type(c->private, struct ldapsrv_connection);
if (conn->limits.ite) { /* clean initial timeout if any */
talloc_free(conn->limits.ite);
conn->limits.ite = NULL;
}
if (conn->limits.te) { /* clean idle timeout if any */
talloc_free(conn->limits.te);
conn->limits.te = NULL;
}
packet_recv(conn->packet);
/* set idle timeout */
conn->limits.te = event_add_timed(c->event.ctx, conn,
timeval_current_ofs(conn->limits.conn_idle_time, 0),
ldapsrv_conn_idle_timeout, conn);
}
/*
called when a LDAP socket becomes writable
*/
static void ldapsrv_send(struct stream_connection *c, uint16_t flags)
{
struct ldapsrv_connection *conn =
talloc_get_type(c->private, struct ldapsrv_connection);
packet_queue_run(conn->packet);
}
static void ldapsrv_conn_init_timeout(struct event_context *ev,
struct timed_event *te,
struct timeval t,
void *private)
{
struct ldapsrv_connection *conn = talloc_get_type(private, struct ldapsrv_connection);
ldapsrv_terminate_connection(conn, "Timeout. No requests after initial connection");
}
static int ldapsrv_load_limits(struct ldapsrv_connection *conn)
{
TALLOC_CTX *tmp_ctx;
const char *attrs[] = { "configurationNamingContext", NULL };
const char *attrs2[] = { "lDAPAdminLimits", NULL };
struct ldb_message_element *el;
struct ldb_result *res = NULL;
struct ldb_dn *basedn;
struct ldb_dn *conf_dn;
struct ldb_dn *policy_dn;
int i,ret;
/* set defaults limits in case of failure */
conn->limits.initial_timeout = 120;
conn->limits.conn_idle_time = 900;
conn->limits.max_page_size = 1000;
conn->limits.search_timeout = 120;
tmp_ctx = talloc_new(conn);
if (tmp_ctx == NULL) {
return -1;
}
basedn = ldb_dn_new(tmp_ctx, conn->ldb, NULL);
if ( ! ldb_dn_validate(basedn)) {
goto failed;
}
ret = ldb_search(conn->ldb, basedn, LDB_SCOPE_BASE, NULL, attrs, &res);
talloc_steal(tmp_ctx, res);
if (ret != LDB_SUCCESS || res->count != 1) {
goto failed;
}
conf_dn = ldb_msg_find_attr_as_dn(conn->ldb, tmp_ctx, res->msgs[0], "configurationNamingContext");
if (conf_dn == NULL) {
goto failed;
}
policy_dn = ldb_dn_copy(tmp_ctx, conf_dn);
ldb_dn_add_child_fmt(policy_dn, "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services");
if (policy_dn == NULL) {
goto failed;
}
ret = ldb_search(conn->ldb, policy_dn, LDB_SCOPE_BASE, NULL, attrs2, &res);
talloc_steal(tmp_ctx, res);
if (ret != LDB_SUCCESS || res->count != 1) {
goto failed;
}
el = ldb_msg_find_element(res->msgs[0], "lDAPAdminLimits");
if (el == NULL) {
goto failed;
}
for (i = 0; i < el->num_values; i++) {
char policy_name[256];
int policy_value, s;
s = sscanf((const char *)el->values[i].data, "%255[^=]=%d", policy_name, &policy_value);
if (ret != 2 || policy_value == 0)
continue;
if (strcasecmp("InitRecvTimeout", policy_name) == 0) {
conn->limits.initial_timeout = policy_value;
continue;
}
if (strcasecmp("MaxConnIdleTime", policy_name) == 0) {
conn->limits.conn_idle_time = policy_value;
continue;
}
if (strcasecmp("MaxPageSize", policy_name) == 0) {
conn->limits.max_page_size = policy_value;
continue;
}
if (strcasecmp("MaxQueryDuration", policy_name) == 0) {
conn->limits.search_timeout = policy_value;
continue;
}
}
return 0;
failed:
DEBUG(0, ("Failed to load ldap server query policies\n"));
talloc_free(tmp_ctx);
return -1;
}
/*
initialise a server_context from a open socket and register a event handler
for reading from that socket
*/
static void ldapsrv_accept(struct stream_connection *c)
{
struct ldapsrv_service *ldapsrv_service =
talloc_get_type(c->private, struct ldapsrv_service);
struct ldapsrv_connection *conn;
struct cli_credentials *server_credentials;
struct socket_address *socket_address;
NTSTATUS status;
int port;
conn = talloc_zero(c, struct ldapsrv_connection);
if (!conn) {
stream_terminate_connection(c, "ldapsrv_accept: out of memory");
return;
}
conn->packet = NULL;
conn->connection = c;
conn->service = ldapsrv_service;
conn->sockets.raw = c->socket;
c->private = conn;
socket_address = socket_get_my_addr(c->socket, conn);
if (!socket_address) {
ldapsrv_terminate_connection(conn, "ldapsrv_accept: failed to obtain local socket address!");
return;
}
port = socket_address->port;
talloc_free(socket_address);
if (port == 636) {
struct socket_context *tls_socket = tls_init_server(ldapsrv_service->tls_params, c->socket,
c->event.fde, NULL);
if (!tls_socket) {
ldapsrv_terminate_connection(conn, "ldapsrv_accept: tls_init_server() failed");
return;
}
talloc_unlink(c, c->socket);
talloc_steal(c, tls_socket);
c->socket = tls_socket;
conn->sockets.tls = tls_socket;
} else if (port == 3268) /* Global catalog */ {
conn->global_catalog = True;
}
conn->packet = packet_init(conn);
if (conn->packet == NULL) {
ldapsrv_terminate_connection(conn, "out of memory");
return;
}
packet_set_private(conn->packet, conn);
packet_set_socket(conn->packet, c->socket);
packet_set_callback(conn->packet, ldapsrv_decode);
packet_set_full_request(conn->packet, ldap_full_packet);
packet_set_error_handler(conn->packet, ldapsrv_error_handler);
packet_set_event_context(conn->packet, c->event.ctx);
packet_set_fde(conn->packet, c->event.fde);
packet_set_serialise(conn->packet);
/* Ensure we don't get packets until the database is ready below */
packet_recv_disable(conn->packet);
server_credentials
= cli_credentials_init(conn);
if (!server_credentials) {
stream_terminate_connection(c, "Failed to init server credentials\n");
return;
}
cli_credentials_set_conf(server_credentials);
status = cli_credentials_set_machine_account(server_credentials);
if (!NT_STATUS_IS_OK(status)) {
stream_terminate_connection(c, talloc_asprintf(conn, "Failed to obtain server credentials, perhaps a standalone server?: %s\n", nt_errstr(status)));
return;
}
conn->server_credentials = server_credentials;
/* Connections start out anonymous */
if (!NT_STATUS_IS_OK(auth_anonymous_session_info(conn, &conn->session_info))) {
ldapsrv_terminate_connection(conn, "failed to setup anonymous session info");
return;
}
if (!NT_STATUS_IS_OK(ldapsrv_backend_Init(conn))) {
ldapsrv_terminate_connection(conn, "backend Init failed");
return;
}
/* load limits from the conf partition */
ldapsrv_load_limits(conn); /* should we fail on error ? */
/* register the server */
irpc_add_name(c->msg_ctx, "ldap_server");
/* set connections limits */
conn->limits.ite = event_add_timed(c->event.ctx, conn,
timeval_current_ofs(conn->limits.initial_timeout, 0),
ldapsrv_conn_init_timeout, conn);
packet_recv_enable(conn->packet);
}
static const struct stream_server_ops ldap_stream_ops = {
.name = "ldap",
.accept_connection = ldapsrv_accept,
.recv_handler = ldapsrv_recv,
.send_handler = ldapsrv_send,
};
/*
add a socket address to the list of events, one event per port
*/
static NTSTATUS add_socket(struct event_context *event_context,
const struct model_ops *model_ops,
const char *address, struct ldapsrv_service *ldap_service)
{
uint16_t port = 389;
NTSTATUS status;
status = stream_setup_socket(event_context, model_ops, &ldap_stream_ops,
"ipv4", address, &port, ldap_service);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0,("ldapsrv failed to bind to %s:%u - %s\n",
address, port, nt_errstr(status)));
}
if (tls_support(ldap_service->tls_params)) {
/* add ldaps server */
port = 636;
status = stream_setup_socket(event_context, model_ops, &ldap_stream_ops,
"ipv4", address, &port, ldap_service);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0,("ldapsrv failed to bind to %s:%u - %s\n",
address, port, nt_errstr(status)));
}
}
/* if we are a PDC, then also enable the global catalog server port, 3268 */
if (lp_server_role() == ROLE_DOMAIN_PDC) {
port = 3268;
status = stream_setup_socket(event_context, model_ops, &ldap_stream_ops,
"ipv4", address, &port, ldap_service);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0,("ldapsrv failed to bind to %s:%u - %s\n",
address, port, nt_errstr(status)));
}
}
return status;
}
/*
open the ldap server sockets
*/
static void ldapsrv_task_init(struct task_server *task)
{
struct ldapsrv_service *ldap_service;
NTSTATUS status;
const struct model_ops *model_ops;
task_server_set_title(task, "task[ldapsrv]");
/* run the ldap server as a single process */
model_ops = process_model_byname("single");
if (!model_ops) goto failed;
ldap_service = talloc_zero(task, struct ldapsrv_service);
if (ldap_service == NULL) goto failed;
ldap_service->tls_params = tls_initialise(ldap_service);
if (ldap_service->tls_params == NULL) goto failed;
if (lp_interfaces() && lp_bind_interfaces_only()) {
int num_interfaces = iface_count();
int i;
/* We have been given an interfaces line, and been
told to only bind to those interfaces. Create a
socket per interface and bind to only these.
*/
for(i = 0; i < num_interfaces; i++) {
const char *address = iface_n_ip(i);
status = add_socket(task->event_ctx, model_ops, address, ldap_service);
if (!NT_STATUS_IS_OK(status)) goto failed;
}
} else {
status = add_socket(task->event_ctx, model_ops, lp_socket_address(), ldap_service);
if (!NT_STATUS_IS_OK(status)) goto failed;
}
return;
failed:
task_server_terminate(task, "Failed to startup ldap server task");
}
/*
called on startup of the web server service It's job is to start
listening on all configured sockets
*/
static NTSTATUS ldapsrv_init(struct event_context *event_context,
const struct model_ops *model_ops)
{
return task_server_startup(event_context, model_ops, ldapsrv_task_init);
}
NTSTATUS server_service_ldap_init(void)
{
return register_server_service("ldap", ldapsrv_init);
}
Samba/source/ldap_server/ldap_server.h
+70
View File
@@ -0,0 +1,70 @@
/*
Unix SMB/CIFS implementation.
LDAP server
Copyright (C) Volker Lendecke 2004
Copyright (C) Stefan Metzmacher 2004
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#include "libcli/ldap/ldap.h"
#include "lib/socket/socket.h"
#include "lib/stream/packet.h"
struct ldapsrv_connection {
struct stream_connection *connection;
struct gensec_security *gensec;
struct auth_session_info *session_info;
struct ldapsrv_service *service;
struct cli_credentials *server_credentials;
struct ldb_context *ldb;
struct {
struct socket_context *raw;
struct socket_context *tls;
struct socket_context *sasl;
} sockets;
BOOL global_catalog;
struct packet_context *packet;
struct {
int initial_timeout;
int conn_idle_time;
int max_page_size;
int search_timeout;
struct timed_event *ite;
struct timed_event *te;
} limits;
};
struct ldapsrv_call {
struct ldapsrv_connection *conn;
struct ldap_message *request;
struct ldapsrv_reply {
struct ldapsrv_reply *prev, *next;
struct ldap_message *msg;
} *replies;
packet_send_callback_fn_t send_callback;
void *send_private;
};
struct ldapsrv_service {
struct tls_params *tls_params;
};
#include "ldap_server/proto.h"