search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
r19598: Ahead of a merge to current lorikeet-heimdal:
[Samba.git] / source / ldap_server / ldap_server.c
blob29555b14e16f68a6127dffca8fa8116a6588859d
1 /*
2 Unix SMB/CIFS implementation.
3
4 LDAP server
5
6 Copyright (C) Andrew Tridgell 2005
7 Copyright (C) Volker Lendecke 2004
8 Copyright (C) Stefan Metzmacher 2004
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 2 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program; if not, write to the Free Software
22 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23 */
24
25 #include "includes.h"
26 #include "lib/events/events.h"
27 #include "auth/auth.h"
28 #include "auth/credentials/credentials.h"
29 #include "librpc/gen_ndr/ndr_samr.h"
30 #include "lib/util/dlinklist.h"
31 #include "libcli/util/asn_1.h"
32 #include "ldap_server/ldap_server.h"
33 #include "smbd/service_task.h"
34 #include "smbd/service_stream.h"
35 #include "smbd/service.h"
36 #include "smbd/process_model.h"
37 #include "lib/tls/tls.h"
38 #include "lib/messaging/irpc.h"
39 #include "lib/ldb/include/ldb.h"
40 #include "lib/ldb/include/ldb_errors.h"
41 #include "system/network.h"
42 #include "lib/socket/netif.h"
43
44 /*
45 close the socket and shutdown a server_context
46 */
47 void ldapsrv_terminate_connection(struct ldapsrv_connection *conn,
48 const char *reason)
49 {
50 stream_terminate_connection(conn->connection, reason);
51 }
52
53 /*
54 handle packet errors
55 */
56 static void ldapsrv_error_handler(void *private, NTSTATUS status)
57 {
58 struct ldapsrv_connection *conn = talloc_get_type(private,
59 struct ldapsrv_connection);
60 ldapsrv_terminate_connection(conn, nt_errstr(status));
61 }
62
63 /*
64 process a decoded ldap message
65 */
66 static void ldapsrv_process_message(struct ldapsrv_connection *conn,
67 struct ldap_message *msg)
68 {
69 struct ldapsrv_call *call;
70 NTSTATUS status;
71 DATA_BLOB blob;
72
73 call = talloc(conn, struct ldapsrv_call);
74 if (!call) {
75 ldapsrv_terminate_connection(conn, "no memory");
76 return;
77 }
78
79 call->request = talloc_steal(call, msg);
80 call->conn = conn;
81 call->replies = NULL;
82 call->send_callback = NULL;
83 call->send_private = NULL;
84
85 /* make the call */
86 status = ldapsrv_do_call(call);
87 if (!NT_STATUS_IS_OK(status)) {
88 talloc_free(call);
89 return;
90 }
91
92 blob = data_blob(NULL, 0);
93
94 if (call->replies == NULL) {
95 talloc_free(call);
96 return;
97 }
98
99 /* build all the replies into a single blob */
100 while (call->replies) {
101 DATA_BLOB b;
102
103 msg = call->replies->msg;
104 if (!ldap_encode(msg, &b, call)) {
105 DEBUG(0,("Failed to encode ldap reply of type %d\n", msg->type));
106 talloc_free(call);
107 return;
108 }
109
110 status = data_blob_append(call, &blob, b.data, b.length);
111 data_blob_free(&b);
112
113 talloc_set_name_const(blob.data, "Outgoing, encoded LDAP packet");
114
115 if (!NT_STATUS_IS_OK(status)) {
116 talloc_free(call);
117 return;
118 }
119
120 DLIST_REMOVE(call->replies, call->replies);
121 }
122
123 packet_send_callback(conn->packet, blob,
124 call->send_callback, call->send_private);
125 talloc_free(call);
126 return;
127 }
128
129 /*
130 decode/process data
131 */
132 static NTSTATUS ldapsrv_decode(void *private, DATA_BLOB blob)
133 {
134 struct ldapsrv_connection *conn = talloc_get_type(private,
135 struct ldapsrv_connection);
136 struct asn1_data asn1;
137 struct ldap_message *msg = talloc(conn, struct ldap_message);
138
139 if (msg == NULL) {
140 return NT_STATUS_NO_MEMORY;
141 }
142
143 if (!asn1_load(&asn1, blob)) {
144 return NT_STATUS_NO_MEMORY;
145 }
146
147 if (!ldap_decode(&asn1, msg)) {
148 asn1_free(&asn1);
149 return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR);
150 }
151
152 data_blob_free(&blob);
153 ldapsrv_process_message(conn, msg);
154 asn1_free(&asn1);
155 return NT_STATUS_OK;
156 }
157
158 /*
159 Idle timeout handler
160 */
161 static void ldapsrv_conn_idle_timeout(struct event_context *ev,
162 struct timed_event *te,
163 struct timeval t,
164 void *private)
165 {
166 struct ldapsrv_connection *conn = talloc_get_type(private, struct ldapsrv_connection);
167
168 ldapsrv_terminate_connection(conn, "Timeout. No requests after bind");
169 }
170
171 /*
172 called when a LDAP socket becomes readable
173 */
174 void ldapsrv_recv(struct stream_connection *c, uint16_t flags)
175 {
176 struct ldapsrv_connection *conn =
177 talloc_get_type(c->private, struct ldapsrv_connection);
178
179 if (conn->limits.ite) { /* clean initial timeout if any */
180 talloc_free(conn->limits.ite);
181 conn->limits.ite = NULL;
182 }
183
184 if (conn->limits.te) { /* clean idle timeout if any */
185 talloc_free(conn->limits.te);
186 conn->limits.te = NULL;
187 }
188
189 packet_recv(conn->packet);
190
191 /* set idle timeout */
192 conn->limits.te = event_add_timed(c->event.ctx, conn,
193 timeval_current_ofs(conn->limits.conn_idle_time, 0),
194 ldapsrv_conn_idle_timeout, conn);
195 }
196
197 /*
198 called when a LDAP socket becomes writable
199 */
200 static void ldapsrv_send(struct stream_connection *c, uint16_t flags)
201 {
202 struct ldapsrv_connection *conn =
203 talloc_get_type(c->private, struct ldapsrv_connection);
204
205 packet_queue_run(conn->packet);
206 }
207
208 static void ldapsrv_conn_init_timeout(struct event_context *ev,
209 struct timed_event *te,
210 struct timeval t,
211 void *private)
212 {
213 struct ldapsrv_connection *conn = talloc_get_type(private, struct ldapsrv_connection);
214
215 ldapsrv_terminate_connection(conn, "Timeout. No requests after initial connection");
216 }
217
218 static int ldapsrv_load_limits(struct ldapsrv_connection *conn)
219 {
220 TALLOC_CTX *tmp_ctx;
221 const char *attrs[] = { "configurationNamingContext", NULL };
222 const char *attrs2[] = { "lDAPAdminLimits", NULL };
223 struct ldb_message_element *el;
224 struct ldb_result *res = NULL;
225 struct ldb_dn *basedn;
226 struct ldb_dn *conf_dn;
227 struct ldb_dn *policy_dn;
228 int i,ret;
229
230 /* set defaults limits in case of failure */
231 conn->limits.initial_timeout = 120;
232 conn->limits.conn_idle_time = 900;
233 conn->limits.max_page_size = 1000;
234 conn->limits.search_timeout = 120;
235
236
237 tmp_ctx = talloc_new(conn);
238 if (tmp_ctx == NULL) {
239 return -1;
240 }
241
242 basedn = ldb_dn_new(tmp_ctx);
243 if (basedn == NULL) {
244 goto failed;
245 }
246
247 ret = ldb_search(conn->ldb, basedn, LDB_SCOPE_BASE, NULL, attrs, &res);
248 talloc_steal(tmp_ctx, res);
249 if (ret != LDB_SUCCESS || res->count != 1) {
250 goto failed;
251 }
252
253 conf_dn = ldb_msg_find_attr_as_dn(tmp_ctx, res->msgs[0], "configurationNamingContext");
254 if (conf_dn == NULL) {
255 goto failed;
256 }
257
258 policy_dn = ldb_dn_string_compose(tmp_ctx, conf_dn, "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services");
259 if (policy_dn == NULL) {
260 goto failed;
261 }
262
263 ret = ldb_search(conn->ldb, policy_dn, LDB_SCOPE_BASE, NULL, attrs2, &res);
264 talloc_steal(tmp_ctx, res);
265 if (ret != LDB_SUCCESS || res->count != 1) {
266 goto failed;
267 }
268
269 el = ldb_msg_find_element(res->msgs[0], "lDAPAdminLimits");
270 if (el == NULL) {
271 goto failed;
272 }
273
274 for (i = 0; i < el->num_values; i++) {
275 char policy_name[256];
276 int policy_value, s;
277
278 s = sscanf((const char *)el->values[i].data, "%255[^=]=%d", policy_name, &policy_value);
279 if (ret != 2 || policy_value == 0)
280 continue;
281
282 if (strcasecmp("InitRecvTimeout", policy_name) == 0) {
283 conn->limits.initial_timeout = policy_value;
284 continue;
285 }
286 if (strcasecmp("MaxConnIdleTime", policy_name) == 0) {
287 conn->limits.conn_idle_time = policy_value;
288 continue;
289 }
290 if (strcasecmp("MaxPageSize", policy_name) == 0) {
291 conn->limits.max_page_size = policy_value;
292 continue;
293 }
294 if (strcasecmp("MaxQueryDuration", policy_name) == 0) {
295 conn->limits.search_timeout = policy_value;
296 continue;
297 }
298 }
299
300 return 0;
301
302 failed:
303 DEBUG(0, ("Failed to load ldap server query policies\n"));
304 talloc_free(tmp_ctx);
305 return -1;
306 }
307
308 /*
309 initialise a server_context from a open socket and register a event handler
310 for reading from that socket
311 */
312 static void ldapsrv_accept(struct stream_connection *c)
313 {
314 struct ldapsrv_service *ldapsrv_service =
315 talloc_get_type(c->private, struct ldapsrv_service);
316 struct ldapsrv_connection *conn;
317 struct cli_credentials *server_credentials;
318 struct socket_address *socket_address;
319 NTSTATUS status;
320 int port;
321
322 conn = talloc_zero(c, struct ldapsrv_connection);
323 if (!conn) {
324 stream_terminate_connection(c, "ldapsrv_accept: out of memory");
325 return;
326 }
327
328 conn->packet = NULL;
329 conn->connection = c;
330 conn->service = ldapsrv_service;
331 conn->sockets.raw = c->socket;
332
333 c->private = conn;
334
335 socket_address = socket_get_my_addr(c->socket, conn);
336 if (!socket_address) {
337 ldapsrv_terminate_connection(conn, "ldapsrv_accept: failed to obtain local socket address!");
338 return;
339 }
340 port = socket_address->port;
341 talloc_free(socket_address);
342
343 if (port == 636) {
344 struct socket_context *tls_socket = tls_init_server(ldapsrv_service->tls_params, c->socket,
345 c->event.fde, NULL);
346 if (!tls_socket) {
347 ldapsrv_terminate_connection(conn, "ldapsrv_accept: tls_init_server() failed");
348 return;
349 }
350 talloc_unlink(c, c->socket);
351 talloc_steal(c, tls_socket);
352 c->socket = tls_socket;
353 conn->sockets.tls = tls_socket;
354
355 } else if (port == 3268) /* Global catalog */ {
356 conn->global_catalog = True;
357 }
358 conn->packet = packet_init(conn);
359 if (conn->packet == NULL) {
360 ldapsrv_terminate_connection(conn, "out of memory");
361 return;
362 }
363
364 packet_set_private(conn->packet, conn);
365 packet_set_socket(conn->packet, c->socket);
366 packet_set_callback(conn->packet, ldapsrv_decode);
367 packet_set_full_request(conn->packet, ldap_full_packet);
368 packet_set_error_handler(conn->packet, ldapsrv_error_handler);
369 packet_set_event_context(conn->packet, c->event.ctx);
370 packet_set_fde(conn->packet, c->event.fde);
371 packet_set_serialise(conn->packet);
372
373 /* Ensure we don't get packets until the database is ready below */
374 packet_recv_disable(conn->packet);
375
376 server_credentials
377 = cli_credentials_init(conn);
378 if (!server_credentials) {
379 stream_terminate_connection(c, "Failed to init server credentials\n");
380 return;
381 }
382
383 cli_credentials_set_conf(server_credentials);
384 status = cli_credentials_set_machine_account(server_credentials);
385 if (!NT_STATUS_IS_OK(status)) {
386 stream_terminate_connection(c, talloc_asprintf(conn, "Failed to obtain server credentials, perhaps a standalone server?: %s\n", nt_errstr(status)));
387 return;
388 }
389 conn->server_credentials = server_credentials;
390
391 /* Connections start out anonymous */
392 if (!NT_STATUS_IS_OK(auth_anonymous_session_info(conn, &conn->session_info))) {
393 ldapsrv_terminate_connection(conn, "failed to setup anonymous session info");
394 return;
395 }
396
397 if (!NT_STATUS_IS_OK(ldapsrv_backend_Init(conn))) {
398 ldapsrv_terminate_connection(conn, "backend Init failed");
399 return;
400 }
401
402 /* load limits from the conf partition */
403 ldapsrv_load_limits(conn); /* should we fail on error ? */
404
405 /* register the server */
406 irpc_add_name(c->msg_ctx, "ldap_server");
407
408 /* set connections limits */
409 conn->limits.ite = event_add_timed(c->event.ctx, conn,
410 timeval_current_ofs(conn->limits.initial_timeout, 0),
411 ldapsrv_conn_init_timeout, conn);
412
413 packet_recv_enable(conn->packet);
414
415 }
416
417 static const struct stream_server_ops ldap_stream_ops = {
418 .name = "ldap",
419 .accept_connection = ldapsrv_accept,
420 .recv_handler = ldapsrv_recv,
421 .send_handler = ldapsrv_send,
422 };
423
424 /*
425 add a socket address to the list of events, one event per port
426 */
427 static NTSTATUS add_socket(struct event_context *event_context,
428 const struct model_ops *model_ops,
429 const char *address, struct ldapsrv_service *ldap_service)
430 {
431 uint16_t port = 389;
432 NTSTATUS status;
433
434 status = stream_setup_socket(event_context, model_ops, &ldap_stream_ops,
435 "ipv4", address, &port, ldap_service);
436 if (!NT_STATUS_IS_OK(status)) {
437 DEBUG(0,("ldapsrv failed to bind to %s:%u - %s\n",
438 address, port, nt_errstr(status)));
439 }
440
441 if (tls_support(ldap_service->tls_params)) {
442 /* add ldaps server */
443 port = 636;
444 status = stream_setup_socket(event_context, model_ops, &ldap_stream_ops,
445 "ipv4", address, &port, ldap_service);
446 if (!NT_STATUS_IS_OK(status)) {
447 DEBUG(0,("ldapsrv failed to bind to %s:%u - %s\n",
448 address, port, nt_errstr(status)));
449 }
450 }
451
452 /* if we are a PDC, then also enable the global catalog server port, 3268 */
453 if (lp_server_role() == ROLE_DOMAIN_PDC) {
454 port = 3268;
455 status = stream_setup_socket(event_context, model_ops, &ldap_stream_ops,
456 "ipv4", address, &port, ldap_service);
457 if (!NT_STATUS_IS_OK(status)) {
458 DEBUG(0,("ldapsrv failed to bind to %s:%u - %s\n",
459 address, port, nt_errstr(status)));
460 }
461 }
462
463 return status;
464 }
465
466 /*
467 open the ldap server sockets
468 */
469 static void ldapsrv_task_init(struct task_server *task)
470 {
471 struct ldapsrv_service *ldap_service;
472 NTSTATUS status;
473 const struct model_ops *model_ops;
474
475 task_server_set_title(task, "task[ldapsrv]");
476
477 /* run the ldap server as a single process */
478 model_ops = process_model_byname("single");
479 if (!model_ops) goto failed;
480
481 ldap_service = talloc_zero(task, struct ldapsrv_service);
482 if (ldap_service == NULL) goto failed;
483
484 ldap_service->tls_params = tls_initialise(ldap_service);
485 if (ldap_service->tls_params == NULL) goto failed;
486
487 if (lp_interfaces() && lp_bind_interfaces_only()) {
488 int num_interfaces = iface_count();
489 int i;
490
491 /* We have been given an interfaces line, and been
492 told to only bind to those interfaces. Create a
493 socket per interface and bind to only these.
494 */
495 for(i = 0; i < num_interfaces; i++) {
496 const char *address = iface_n_ip(i);
497 status = add_socket(task->event_ctx, model_ops, address, ldap_service);
498 if (!NT_STATUS_IS_OK(status)) goto failed;
499 }
500 } else {
501 status = add_socket(task->event_ctx, model_ops, lp_socket_address(), ldap_service);
502 if (!NT_STATUS_IS_OK(status)) goto failed;
503 }
504
505 return;
506
507 failed:
508 task_server_terminate(task, "Failed to startup ldap server task");
509 }
510
511 /*
512 called on startup of the web server service It's job is to start
513 listening on all configured sockets
514 */
515 static NTSTATUS ldapsrv_init(struct event_context *event_context,
516 const struct model_ops *model_ops)
517 {
518 return task_server_startup(event_context, model_ops, ldapsrv_task_init);
519 }
520
521
522 NTSTATUS server_service_ldap_init(void)
523 {
524 return register_server_service("ldap", ldapsrv_init);
525 }
Samba GIT mirror