2 Unix SMB/CIFS implementation.
6 Copyright (C) Andrew Tridgell 2005
7 Copyright (C) Volker Lendecke 2004
8 Copyright (C) Stefan Metzmacher 2004
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 2 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program; if not, write to the Free Software
22 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
26 #include "lib/events/events.h"
27 #include "auth/auth.h"
28 #include "auth/credentials/credentials.h"
29 #include "librpc/gen_ndr/ndr_samr.h"
30 #include "lib/util/dlinklist.h"
31 #include "libcli/util/asn_1.h"
32 #include "ldap_server/ldap_server.h"
33 #include "smbd/service_task.h"
34 #include "smbd/service_stream.h"
35 #include "smbd/service.h"
36 #include "smbd/process_model.h"
37 #include "lib/tls/tls.h"
38 #include "lib/messaging/irpc.h"
39 #include "lib/ldb/include/ldb.h"
40 #include "lib/ldb/include/ldb_errors.h"
41 #include "system/network.h"
42 #include "lib/socket/netif.h"
45 close the socket and shutdown a server_context
47 void ldapsrv_terminate_connection(struct ldapsrv_connection
*conn
,
50 stream_terminate_connection(conn
->connection
, reason
);
56 static void ldapsrv_error_handler(void *private, NTSTATUS status
)
58 struct ldapsrv_connection
*conn
= talloc_get_type(private,
59 struct ldapsrv_connection
);
60 ldapsrv_terminate_connection(conn
, nt_errstr(status
));
64 process a decoded ldap message
66 static void ldapsrv_process_message(struct ldapsrv_connection
*conn
,
67 struct ldap_message
*msg
)
69 struct ldapsrv_call
*call
;
73 call
= talloc(conn
, struct ldapsrv_call
);
75 ldapsrv_terminate_connection(conn
, "no memory");
79 call
->request
= talloc_steal(call
, msg
);
82 call
->send_callback
= NULL
;
83 call
->send_private
= NULL
;
86 status
= ldapsrv_do_call(call
);
87 if (!NT_STATUS_IS_OK(status
)) {
92 blob
= data_blob(NULL
, 0);
94 if (call
->replies
== NULL
) {
99 /* build all the replies into a single blob */
100 while (call
->replies
) {
103 msg
= call
->replies
->msg
;
104 if (!ldap_encode(msg
, &b
, call
)) {
105 DEBUG(0,("Failed to encode ldap reply of type %d\n", msg
->type
));
110 status
= data_blob_append(call
, &blob
, b
.data
, b
.length
);
113 talloc_set_name_const(blob
.data
, "Outgoing, encoded LDAP packet");
115 if (!NT_STATUS_IS_OK(status
)) {
120 DLIST_REMOVE(call
->replies
, call
->replies
);
123 packet_send_callback(conn
->packet
, blob
,
124 call
->send_callback
, call
->send_private
);
132 static NTSTATUS
ldapsrv_decode(void *private, DATA_BLOB blob
)
134 struct ldapsrv_connection
*conn
= talloc_get_type(private,
135 struct ldapsrv_connection
);
136 struct asn1_data asn1
;
137 struct ldap_message
*msg
= talloc(conn
, struct ldap_message
);
140 return NT_STATUS_NO_MEMORY
;
143 if (!asn1_load(&asn1
, blob
)) {
144 return NT_STATUS_NO_MEMORY
;
147 if (!ldap_decode(&asn1
, msg
)) {
149 return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR
);
152 data_blob_free(&blob
);
153 ldapsrv_process_message(conn
, msg
);
161 static void ldapsrv_conn_idle_timeout(struct event_context
*ev
,
162 struct timed_event
*te
,
166 struct ldapsrv_connection
*conn
= talloc_get_type(private, struct ldapsrv_connection
);
168 ldapsrv_terminate_connection(conn
, "Timeout. No requests after bind");
172 called when a LDAP socket becomes readable
174 void ldapsrv_recv(struct stream_connection
*c
, uint16_t flags
)
176 struct ldapsrv_connection
*conn
=
177 talloc_get_type(c
->private, struct ldapsrv_connection
);
179 if (conn
->limits
.ite
) { /* clean initial timeout if any */
180 talloc_free(conn
->limits
.ite
);
181 conn
->limits
.ite
= NULL
;
184 if (conn
->limits
.te
) { /* clean idle timeout if any */
185 talloc_free(conn
->limits
.te
);
186 conn
->limits
.te
= NULL
;
189 packet_recv(conn
->packet
);
191 /* set idle timeout */
192 conn
->limits
.te
= event_add_timed(c
->event
.ctx
, conn
,
193 timeval_current_ofs(conn
->limits
.conn_idle_time
, 0),
194 ldapsrv_conn_idle_timeout
, conn
);
198 called when a LDAP socket becomes writable
200 static void ldapsrv_send(struct stream_connection
*c
, uint16_t flags
)
202 struct ldapsrv_connection
*conn
=
203 talloc_get_type(c
->private, struct ldapsrv_connection
);
205 packet_queue_run(conn
->packet
);
208 static void ldapsrv_conn_init_timeout(struct event_context
*ev
,
209 struct timed_event
*te
,
213 struct ldapsrv_connection
*conn
= talloc_get_type(private, struct ldapsrv_connection
);
215 ldapsrv_terminate_connection(conn
, "Timeout. No requests after initial connection");
218 static int ldapsrv_load_limits(struct ldapsrv_connection
*conn
)
221 const char *attrs
[] = { "configurationNamingContext", NULL
};
222 const char *attrs2
[] = { "lDAPAdminLimits", NULL
};
223 struct ldb_message_element
*el
;
224 struct ldb_result
*res
= NULL
;
225 struct ldb_dn
*basedn
;
226 struct ldb_dn
*conf_dn
;
227 struct ldb_dn
*policy_dn
;
230 /* set defaults limits in case of failure */
231 conn
->limits
.initial_timeout
= 120;
232 conn
->limits
.conn_idle_time
= 900;
233 conn
->limits
.max_page_size
= 1000;
234 conn
->limits
.search_timeout
= 120;
237 tmp_ctx
= talloc_new(conn
);
238 if (tmp_ctx
== NULL
) {
242 basedn
= ldb_dn_new(tmp_ctx
);
243 if (basedn
== NULL
) {
247 ret
= ldb_search(conn
->ldb
, basedn
, LDB_SCOPE_BASE
, NULL
, attrs
, &res
);
248 talloc_steal(tmp_ctx
, res
);
249 if (ret
!= LDB_SUCCESS
|| res
->count
!= 1) {
253 conf_dn
= ldb_msg_find_attr_as_dn(tmp_ctx
, res
->msgs
[0], "configurationNamingContext");
254 if (conf_dn
== NULL
) {
258 policy_dn
= ldb_dn_string_compose(tmp_ctx
, conf_dn
, "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services");
259 if (policy_dn
== NULL
) {
263 ret
= ldb_search(conn
->ldb
, policy_dn
, LDB_SCOPE_BASE
, NULL
, attrs2
, &res
);
264 talloc_steal(tmp_ctx
, res
);
265 if (ret
!= LDB_SUCCESS
|| res
->count
!= 1) {
269 el
= ldb_msg_find_element(res
->msgs
[0], "lDAPAdminLimits");
274 for (i
= 0; i
< el
->num_values
; i
++) {
275 char policy_name
[256];
278 s
= sscanf((const char *)el
->values
[i
].data
, "%255[^=]=%d", policy_name
, &policy_value
);
279 if (ret
!= 2 || policy_value
== 0)
282 if (strcasecmp("InitRecvTimeout", policy_name
) == 0) {
283 conn
->limits
.initial_timeout
= policy_value
;
286 if (strcasecmp("MaxConnIdleTime", policy_name
) == 0) {
287 conn
->limits
.conn_idle_time
= policy_value
;
290 if (strcasecmp("MaxPageSize", policy_name
) == 0) {
291 conn
->limits
.max_page_size
= policy_value
;
294 if (strcasecmp("MaxQueryDuration", policy_name
) == 0) {
295 conn
->limits
.search_timeout
= policy_value
;
303 DEBUG(0, ("Failed to load ldap server query policies\n"));
304 talloc_free(tmp_ctx
);
309 initialise a server_context from a open socket and register a event handler
310 for reading from that socket
312 static void ldapsrv_accept(struct stream_connection
*c
)
314 struct ldapsrv_service
*ldapsrv_service
=
315 talloc_get_type(c
->private, struct ldapsrv_service
);
316 struct ldapsrv_connection
*conn
;
317 struct cli_credentials
*server_credentials
;
318 struct socket_address
*socket_address
;
322 conn
= talloc_zero(c
, struct ldapsrv_connection
);
324 stream_terminate_connection(c
, "ldapsrv_accept: out of memory");
329 conn
->connection
= c
;
330 conn
->service
= ldapsrv_service
;
331 conn
->sockets
.raw
= c
->socket
;
335 socket_address
= socket_get_my_addr(c
->socket
, conn
);
336 if (!socket_address
) {
337 ldapsrv_terminate_connection(conn
, "ldapsrv_accept: failed to obtain local socket address!");
340 port
= socket_address
->port
;
341 talloc_free(socket_address
);
344 struct socket_context
*tls_socket
= tls_init_server(ldapsrv_service
->tls_params
, c
->socket
,
347 ldapsrv_terminate_connection(conn
, "ldapsrv_accept: tls_init_server() failed");
350 talloc_unlink(c
, c
->socket
);
351 talloc_steal(c
, tls_socket
);
352 c
->socket
= tls_socket
;
353 conn
->sockets
.tls
= tls_socket
;
355 } else if (port
== 3268) /* Global catalog */ {
356 conn
->global_catalog
= True
;
358 conn
->packet
= packet_init(conn
);
359 if (conn
->packet
== NULL
) {
360 ldapsrv_terminate_connection(conn
, "out of memory");
364 packet_set_private(conn
->packet
, conn
);
365 packet_set_socket(conn
->packet
, c
->socket
);
366 packet_set_callback(conn
->packet
, ldapsrv_decode
);
367 packet_set_full_request(conn
->packet
, ldap_full_packet
);
368 packet_set_error_handler(conn
->packet
, ldapsrv_error_handler
);
369 packet_set_event_context(conn
->packet
, c
->event
.ctx
);
370 packet_set_fde(conn
->packet
, c
->event
.fde
);
371 packet_set_serialise(conn
->packet
);
373 /* Ensure we don't get packets until the database is ready below */
374 packet_recv_disable(conn
->packet
);
377 = cli_credentials_init(conn
);
378 if (!server_credentials
) {
379 stream_terminate_connection(c
, "Failed to init server credentials\n");
383 cli_credentials_set_conf(server_credentials
);
384 status
= cli_credentials_set_machine_account(server_credentials
);
385 if (!NT_STATUS_IS_OK(status
)) {
386 stream_terminate_connection(c
, talloc_asprintf(conn
, "Failed to obtain server credentials, perhaps a standalone server?: %s\n", nt_errstr(status
)));
389 conn
->server_credentials
= server_credentials
;
391 /* Connections start out anonymous */
392 if (!NT_STATUS_IS_OK(auth_anonymous_session_info(conn
, &conn
->session_info
))) {
393 ldapsrv_terminate_connection(conn
, "failed to setup anonymous session info");
397 if (!NT_STATUS_IS_OK(ldapsrv_backend_Init(conn
))) {
398 ldapsrv_terminate_connection(conn
, "backend Init failed");
402 /* load limits from the conf partition */
403 ldapsrv_load_limits(conn
); /* should we fail on error ? */
405 /* register the server */
406 irpc_add_name(c
->msg_ctx
, "ldap_server");
408 /* set connections limits */
409 conn
->limits
.ite
= event_add_timed(c
->event
.ctx
, conn
,
410 timeval_current_ofs(conn
->limits
.initial_timeout
, 0),
411 ldapsrv_conn_init_timeout
, conn
);
413 packet_recv_enable(conn
->packet
);
417 static const struct stream_server_ops ldap_stream_ops
= {
419 .accept_connection
= ldapsrv_accept
,
420 .recv_handler
= ldapsrv_recv
,
421 .send_handler
= ldapsrv_send
,
425 add a socket address to the list of events, one event per port
427 static NTSTATUS
add_socket(struct event_context
*event_context
,
428 const struct model_ops
*model_ops
,
429 const char *address
, struct ldapsrv_service
*ldap_service
)
434 status
= stream_setup_socket(event_context
, model_ops
, &ldap_stream_ops
,
435 "ipv4", address
, &port
, ldap_service
);
436 if (!NT_STATUS_IS_OK(status
)) {
437 DEBUG(0,("ldapsrv failed to bind to %s:%u - %s\n",
438 address
, port
, nt_errstr(status
)));
441 if (tls_support(ldap_service
->tls_params
)) {
442 /* add ldaps server */
444 status
= stream_setup_socket(event_context
, model_ops
, &ldap_stream_ops
,
445 "ipv4", address
, &port
, ldap_service
);
446 if (!NT_STATUS_IS_OK(status
)) {
447 DEBUG(0,("ldapsrv failed to bind to %s:%u - %s\n",
448 address
, port
, nt_errstr(status
)));
452 /* if we are a PDC, then also enable the global catalog server port, 3268 */
453 if (lp_server_role() == ROLE_DOMAIN_PDC
) {
455 status
= stream_setup_socket(event_context
, model_ops
, &ldap_stream_ops
,
456 "ipv4", address
, &port
, ldap_service
);
457 if (!NT_STATUS_IS_OK(status
)) {
458 DEBUG(0,("ldapsrv failed to bind to %s:%u - %s\n",
459 address
, port
, nt_errstr(status
)));
467 open the ldap server sockets
469 static void ldapsrv_task_init(struct task_server
*task
)
471 struct ldapsrv_service
*ldap_service
;
473 const struct model_ops
*model_ops
;
475 task_server_set_title(task
, "task[ldapsrv]");
477 /* run the ldap server as a single process */
478 model_ops
= process_model_byname("single");
479 if (!model_ops
) goto failed
;
481 ldap_service
= talloc_zero(task
, struct ldapsrv_service
);
482 if (ldap_service
== NULL
) goto failed
;
484 ldap_service
->tls_params
= tls_initialise(ldap_service
);
485 if (ldap_service
->tls_params
== NULL
) goto failed
;
487 if (lp_interfaces() && lp_bind_interfaces_only()) {
488 int num_interfaces
= iface_count();
491 /* We have been given an interfaces line, and been
492 told to only bind to those interfaces. Create a
493 socket per interface and bind to only these.
495 for(i
= 0; i
< num_interfaces
; i
++) {
496 const char *address
= iface_n_ip(i
);
497 status
= add_socket(task
->event_ctx
, model_ops
, address
, ldap_service
);
498 if (!NT_STATUS_IS_OK(status
)) goto failed
;
501 status
= add_socket(task
->event_ctx
, model_ops
, lp_socket_address(), ldap_service
);
502 if (!NT_STATUS_IS_OK(status
)) goto failed
;
508 task_server_terminate(task
, "Failed to startup ldap server task");
512 called on startup of the web server service It's job is to start
513 listening on all configured sockets
515 static NTSTATUS
ldapsrv_init(struct event_context
*event_context
,
516 const struct model_ops
*model_ops
)
518 return task_server_startup(event_context
, model_ops
, ldapsrv_task_init
);
522 NTSTATUS
server_service_ldap_init(void)
524 return register_server_service("ldap", ldapsrv_init
);