search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
smbd: Remove references to get_Protocol()
[Samba.git] / source4 / ldap_server / ldap_extended.c
blobc37c9a9d89a2bfa8710ae040f28ef1c84346b225
1 /*
2 Unix SMB/CIFS implementation.
3 LDAP server
4 Copyright (C) Stefan Metzmacher 2004
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
18 */
19
20 #include "includes.h"
21 #include "ldap_server/ldap_server.h"
22 #include "../lib/util/dlinklist.h"
23 #include "lib/tls/tls.h"
24 #include "samba/service_stream.h"
25 #include "../lib/util/tevent_ntstatus.h"
26 #include "librpc/gen_ndr/auth.h"
27 #include "libcli/security/security_token.h"
28
29 struct ldapsrv_starttls_postprocess_context {
30 struct ldapsrv_connection *conn;
31 };
32
33 struct ldapsrv_starttls_postprocess_state {
34 struct ldapsrv_connection *conn;
35 };
36
37 static void ldapsrv_starttls_postprocess_done(struct tevent_req *subreq);
38
39 static struct tevent_req *ldapsrv_starttls_postprocess_send(TALLOC_CTX *mem_ctx,
40 struct tevent_context *ev,
41 void *private_data)
42 {
43 struct ldapsrv_starttls_postprocess_context *context =
44 talloc_get_type_abort(private_data,
45 struct ldapsrv_starttls_postprocess_context);
46 struct ldapsrv_connection *conn = context->conn;
47 struct tevent_req *req;
48 struct ldapsrv_starttls_postprocess_state *state;
49 struct tevent_req *subreq;
50
51 req = tevent_req_create(mem_ctx, &state,
52 struct ldapsrv_starttls_postprocess_state);
53 if (req == NULL) {
54 return NULL;
55 }
56
57 state->conn = conn;
58
59 subreq = tstream_tls_accept_send(conn,
60 conn->connection->event.ctx,
61 conn->sockets.raw,
62 conn->service->tls_params);
63 if (tevent_req_nomem(subreq, req)) {
64 return tevent_req_post(req, ev);
65 }
66 tevent_req_set_callback(subreq, ldapsrv_starttls_postprocess_done, req);
67
68 return req;
69 }
70
71 static void ldapsrv_starttls_postprocess_done(struct tevent_req *subreq)
72 {
73 struct tevent_req *req =
74 tevent_req_callback_data(subreq,
75 struct tevent_req);
76 struct ldapsrv_starttls_postprocess_state *state =
77 tevent_req_data(req,
78 struct ldapsrv_starttls_postprocess_state);
79 struct ldapsrv_connection *conn = state->conn;
80 int ret;
81 int sys_errno;
82
83 ret = tstream_tls_accept_recv(subreq, &sys_errno,
84 conn, &conn->sockets.tls);
85 TALLOC_FREE(subreq);
86 if (ret == -1) {
87 NTSTATUS status = map_nt_error_from_unix_common(sys_errno);
88
89 DEBUG(1,("ldapsrv_starttls_postprocess_done: accept_tls_loop: "
90 "tstream_tls_accept_recv() - %d:%s => %s",
91 sys_errno, strerror(sys_errno), nt_errstr(status)));
92
93 tevent_req_nterror(req, status);
94 return;
95 }
96
97 conn->sockets.active = conn->sockets.tls;
98
99 tevent_req_done(req);
100 }
101
102 static NTSTATUS ldapsrv_starttls_postprocess_recv(struct tevent_req *req)
103 {
104 return tevent_req_simple_recv_ntstatus(req);
105 }
106
107 static NTSTATUS ldapsrv_StartTLS(struct ldapsrv_call *call,
108 struct ldapsrv_reply *reply,
109 const char **errstr)
110 {
111 struct ldapsrv_starttls_postprocess_context *context;
112
113 (*errstr) = NULL;
114
115 /*
116 * TODO: give LDAP_OPERATIONS_ERROR also when
117 * there's a SASL bind in progress
118 * (see rfc4513 section 3.1.1)
119 */
120 if (call->conn->sockets.tls) {
121 (*errstr) = talloc_asprintf(reply, "START-TLS: TLS is already enabled on this LDAP session");
122 return NT_STATUS_LDAP(LDAP_OPERATIONS_ERROR);
123 }
124
125 if (call->conn->sockets.sasl) {
126 (*errstr) = talloc_asprintf(reply, "START-TLS: SASL is already enabled on this LDAP session");
127 return NT_STATUS_LDAP(LDAP_OPERATIONS_ERROR);
128 }
129
130 if (call->conn->pending_calls != NULL) {
131 (*errstr) = talloc_asprintf(reply, "START-TLS: pending requests on this LDAP session");
132 return NT_STATUS_LDAP(LDAP_BUSY);
133 }
134
135 context = talloc(call, struct ldapsrv_starttls_postprocess_context);
136 NT_STATUS_HAVE_NO_MEMORY(context);
137
138 context->conn = call->conn;
139
140 call->postprocess_send = ldapsrv_starttls_postprocess_send;
141 call->postprocess_recv = ldapsrv_starttls_postprocess_recv;
142 call->postprocess_private = context;
143
144 reply->msg->r.ExtendedResponse.response.resultcode = LDAP_SUCCESS;
145 reply->msg->r.ExtendedResponse.response.errormessage = NULL;
146
147 ldapsrv_queue_reply(call, reply);
148 return NT_STATUS_OK;
149 }
150
151 struct ldapsrv_extended_operation {
152 const char *oid;
153 NTSTATUS (*fn)(struct ldapsrv_call *call, struct ldapsrv_reply *reply, const char **errorstr);
154 };
155
156 static NTSTATUS ldapsrv_whoami(struct ldapsrv_call *call,
157 struct ldapsrv_reply *reply,
158 const char **errstr)
159 {
160 struct ldapsrv_connection *conn = call->conn;
161 struct auth_session_info *session_info = conn->session_info;
162 struct ldap_ExtendedResponse *ext_resp =
163 &reply->msg->r.ExtendedResponse;
164
165 *errstr = NULL;
166
167 if (!security_token_is_anonymous(session_info->security_token)) {
168 struct auth_user_info *uinfo = session_info->info;
169 DATA_BLOB *value = talloc_zero(call, DATA_BLOB);
170
171 if (value == NULL) {
172 goto nomem;
173 }
174
175 value->data = (uint8_t *)talloc_asprintf(value,
176 "u:%s\\%s",
177 uinfo->domain_name,
178 uinfo->account_name);
179 if (value->data == NULL) {
180 goto nomem;
181 }
182 value->length = talloc_get_size(value->data) - 1;
183
184 ext_resp->value = value;
185 }
186
187 ext_resp->response.resultcode = LDAP_SUCCESS;
188 ext_resp->response.errormessage = NULL;
189
190 ldapsrv_queue_reply(call, reply);
191
192 return NT_STATUS_OK;
193 nomem:
194 return NT_STATUS_LDAP(LDAP_OPERATIONS_ERROR);
195 }
196
197
198 static struct ldapsrv_extended_operation extended_ops[] = {
199 {
200 .oid = LDB_EXTENDED_START_TLS_OID,
201 .fn = ldapsrv_StartTLS,
202 },{
203 .oid = LDB_EXTENDED_WHOAMI_OID,
204 .fn = ldapsrv_whoami,
205 },
206 {
207 .oid = NULL,
208 .fn = NULL,
209 }
210 };
211
212 NTSTATUS ldapsrv_ExtendedRequest(struct ldapsrv_call *call)
213 {
214 struct ldap_ExtendedRequest *req = &call->request->r.ExtendedRequest;
215 struct ldapsrv_reply *reply;
216 int result = LDAP_PROTOCOL_ERROR;
217 const char *error_str = NULL;
218 NTSTATUS status = NT_STATUS_OK;
219 unsigned int i;
220
221 DEBUG(10, ("Extended\n"));
222
223 reply = ldapsrv_init_reply(call, LDAP_TAG_ExtendedResponse);
224 NT_STATUS_HAVE_NO_MEMORY(reply);
225
226 ZERO_STRUCT(reply->msg->r);
227 reply->msg->r.ExtendedResponse.oid = talloc_steal(reply, req->oid);
228 reply->msg->r.ExtendedResponse.response.resultcode = LDAP_PROTOCOL_ERROR;
229 reply->msg->r.ExtendedResponse.response.errormessage = NULL;
230
231 for (i=0; extended_ops[i].oid; i++) {
232 if (strcmp(extended_ops[i].oid,req->oid) != 0) continue;
233
234 /*
235 * if the backend function returns an error we
236 * need to send the reply otherwise the reply is already
237 * sent and we need to return directly
238 */
239 status = extended_ops[i].fn(call, reply, &error_str);
240 if (NT_STATUS_IS_OK(status)) {
241 return status;
242 }
243
244 if (NT_STATUS_IS_LDAP(status)) {
245 result = NT_STATUS_LDAP_CODE(status);
246 } else {
247 result = LDAP_OPERATIONS_ERROR;
248 error_str = talloc_asprintf(reply, "Extended Operation(%s) failed: %s",
249 req->oid, nt_errstr(status));
250 }
251 }
252 /* if we haven't found the oid, then status is still NT_STATUS_OK */
253 if (NT_STATUS_IS_OK(status)) {
254 error_str = talloc_asprintf(reply, "Extended Operation(%s) not supported",
255 req->oid);
256 }
257
258 reply->msg->r.ExtendedResponse.response.resultcode = result;
259 reply->msg->r.ExtendedResponse.response.errormessage = error_str;
260
261 ldapsrv_queue_reply(call, reply);
262 return NT_STATUS_OK;
263 }
Samba GIT mirror