2 Unix SMB/CIFS mplementation.
3 LDAP protocol helper functions for SAMBA
5 Copyright (C) Andrew Tridgell 2004
6 Copyright (C) Volker Lendecke 2004
7 Copyright (C) Stefan Metzmacher 2004
8 Copyright (C) Simo Sorce 2004
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 2 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program; if not, write to the Free Software
22 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
27 #include "libcli/util/asn_1.h"
28 #include "lib/util/dlinklist.h"
29 #include "lib/events/events.h"
30 #include "lib/socket/socket.h"
31 #include "libcli/ldap/ldap.h"
32 #include "libcli/ldap/ldap_client.h"
33 #include "libcli/composite/composite.h"
34 #include "lib/stream/packet.h"
35 #include "lib/tls/tls.h"
36 #include "auth/gensec/gensec.h"
37 #include "system/time.h"
41 create a new ldap_connection stucture. The event context is optional
43 struct ldap_connection
*ldap4_new_connection(TALLOC_CTX
*mem_ctx
,
44 struct event_context
*ev
)
46 struct ldap_connection
*conn
;
48 conn
= talloc_zero(mem_ctx
, struct ldap_connection
);
54 ev
= event_context_init(conn
);
61 conn
->next_messageid
= 1;
62 conn
->event
.event_ctx
= ev
;
64 /* set a reasonable request timeout */
67 /* explicitly avoid reconnections by default */
68 conn
->reconnect
.max_retries
= 0;
74 the connection is dead
76 static void ldap_connection_dead(struct ldap_connection
*conn
)
78 struct ldap_request
*req
;
80 /* return an error for any pending request ... */
81 while (conn
->pending
) {
83 DLIST_REMOVE(req
->conn
->pending
, req
);
84 req
->state
= LDAP_REQUEST_DONE
;
85 req
->status
= NT_STATUS_UNEXPECTED_NETWORK_ERROR
;
91 talloc_free(conn
->sock
); /* this will also free event.fde */
92 talloc_free(conn
->packet
);
94 conn
->event
.fde
= NULL
;
98 static void ldap_reconnect(struct ldap_connection
*conn
);
103 static void ldap_error_handler(void *private_data
, NTSTATUS status
)
105 struct ldap_connection
*conn
= talloc_get_type(private_data
,
106 struct ldap_connection
);
107 ldap_connection_dead(conn
);
109 /* but try to reconnect so that the ldb client can go on */
110 ldap_reconnect(conn
);
115 match up with a pending message, adding to the replies list
117 static void ldap_match_message(struct ldap_connection
*conn
, struct ldap_message
*msg
)
119 struct ldap_request
*req
;
121 for (req
=conn
->pending
; req
; req
=req
->next
) {
122 if (req
->messageid
== msg
->messageid
) break;
124 /* match a zero message id to the last request sent.
125 It seems that servers send 0 if unable to parse */
126 if (req
== NULL
&& msg
->messageid
== 0) {
130 DEBUG(0,("ldap: no matching message id for %u\n",
136 /* add to the list of replies received */
137 talloc_steal(req
, msg
);
138 req
->replies
= talloc_realloc(req
, req
->replies
,
139 struct ldap_message
*, req
->num_replies
+1);
140 if (req
->replies
== NULL
) {
141 req
->status
= NT_STATUS_NO_MEMORY
;
142 req
->state
= LDAP_REQUEST_DONE
;
143 DLIST_REMOVE(conn
->pending
, req
);
150 req
->replies
[req
->num_replies
] = talloc_steal(req
->replies
, msg
);
153 if (msg
->type
!= LDAP_TAG_SearchResultEntry
&&
154 msg
->type
!= LDAP_TAG_SearchResultReference
) {
155 /* currently only search results expect multiple
157 req
->state
= LDAP_REQUEST_DONE
;
158 DLIST_REMOVE(conn
->pending
, req
);
168 decode/process LDAP data
170 static NTSTATUS
ldap_recv_handler(void *private_data
, DATA_BLOB blob
)
172 struct asn1_data asn1
;
173 struct ldap_connection
*conn
= talloc_get_type(private_data
,
174 struct ldap_connection
);
175 struct ldap_message
*msg
= talloc(conn
, struct ldap_message
);
178 return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR
);
181 if (!asn1_load(&asn1
, blob
)) {
182 return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR
);
185 if (!ldap_decode(&asn1
, msg
)) {
186 return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR
);
189 ldap_match_message(conn
, msg
);
191 data_blob_free(&blob
);
196 /* Handle read events, from the GENSEC socket callback, or real events */
197 void ldap_read_io_handler(void *private_data
, uint16_t flags
)
199 struct ldap_connection
*conn
= talloc_get_type(private_data
,
200 struct ldap_connection
);
201 packet_recv(conn
->packet
);
205 handle ldap socket events
207 static void ldap_io_handler(struct event_context
*ev
, struct fd_event
*fde
,
208 uint16_t flags
, void *private_data
)
210 struct ldap_connection
*conn
= talloc_get_type(private_data
,
211 struct ldap_connection
);
212 if (flags
& EVENT_FD_WRITE
) {
213 packet_queue_run(conn
->packet
);
214 if (!tls_enabled(conn
->sock
)) return;
216 if (flags
& EVENT_FD_READ
) {
217 ldap_read_io_handler(private_data
, flags
);
224 static NTSTATUS
ldap_parse_basic_url(TALLOC_CTX
*mem_ctx
, const char *url
,
225 char **host
, uint16_t *port
, BOOL
*ldaps
)
233 SMB_ASSERT(sizeof(protocol
)>10 && sizeof(tmp_host
)>254);
235 ret
= sscanf(url
, "%10[^:]://%254[^:/]:%d", protocol
, tmp_host
, &tmp_port
);
237 return NT_STATUS_INVALID_PARAMETER
;
240 if (strequal(protocol
, "ldap")) {
243 } else if (strequal(protocol
, "ldaps")) {
247 DEBUG(0, ("unrecognised ldap protocol (%s)!\n", protocol
));
248 return NT_STATUS_PROTOCOL_UNREACHABLE
;
254 *host
= talloc_strdup(mem_ctx
, tmp_host
);
255 NT_STATUS_HAVE_NO_MEMORY(*host
);
261 connect to a ldap server
264 struct ldap_connect_state
{
265 struct composite_context
*ctx
;
266 struct ldap_connection
*conn
;
269 static void ldap_connect_recv_unix_conn(struct composite_context
*ctx
);
270 static void ldap_connect_recv_tcp_conn(struct composite_context
*ctx
);
272 struct composite_context
*ldap_connect_send(struct ldap_connection
*conn
,
275 struct composite_context
*result
, *ctx
;
276 struct ldap_connect_state
*state
;
280 result
= talloc_zero(NULL
, struct composite_context
);
281 if (result
== NULL
) goto failed
;
282 result
->state
= COMPOSITE_STATE_IN_PROGRESS
;
283 result
->async
.fn
= NULL
;
284 result
->event_ctx
= conn
->event
.event_ctx
;
286 state
= talloc(result
, struct ldap_connect_state
);
287 if (state
== NULL
) goto failed
;
289 result
->private_data
= state
;
293 if (conn
->reconnect
.url
== NULL
) {
294 conn
->reconnect
.url
= talloc_strdup(conn
, url
);
295 if (conn
->reconnect
.url
== NULL
) goto failed
;
299 SMB_ASSERT(sizeof(protocol
)>10);
301 ret
= sscanf(url
, "%10[^:]://", protocol
);
306 if (strequal(protocol
, "ldapi")) {
307 struct socket_address
*unix_addr
;
310 NTSTATUS status
= socket_create("unix", SOCKET_TYPE_STREAM
, &conn
->sock
, 0);
311 if (!NT_STATUS_IS_OK(status
)) {
314 talloc_steal(conn
, conn
->sock
);
315 SMB_ASSERT(sizeof(protocol
)>10);
316 SMB_ASSERT(sizeof(path
)>1024);
318 /* The %c specifier doesn't null terminate :-( */
320 ret
= sscanf(url
, "%10[^:]://%1025c", protocol
, path
);
322 composite_error(state
->ctx
, NT_STATUS_INVALID_PARAMETER
);
326 rfc1738_unescape(path
);
328 unix_addr
= socket_address_from_strings(conn
, conn
->sock
->backend_name
,
334 ctx
= socket_connect_send(conn
->sock
, NULL
, unix_addr
,
335 0, conn
->event
.event_ctx
);
336 ctx
->async
.fn
= ldap_connect_recv_unix_conn
;
337 ctx
->async
.private_data
= state
;
340 NTSTATUS status
= ldap_parse_basic_url(conn
, url
, &conn
->host
,
341 &conn
->port
, &conn
->ldaps
);
342 if (!NT_STATUS_IS_OK(state
->ctx
->status
)) {
343 composite_error(state
->ctx
, status
);
347 ctx
= socket_connect_multi_send(state
, conn
->host
, 1, &conn
->port
,
348 conn
->event
.event_ctx
);
349 if (ctx
== NULL
) goto failed
;
351 ctx
->async
.fn
= ldap_connect_recv_tcp_conn
;
352 ctx
->async
.private_data
= state
;
360 static void ldap_connect_got_sock(struct composite_context
*ctx
, struct ldap_connection
*conn
)
362 /* setup a handler for events on this socket */
363 conn
->event
.fde
= event_add_fd(conn
->event
.event_ctx
, conn
->sock
,
364 socket_get_fd(conn
->sock
),
365 EVENT_FD_READ
, ldap_io_handler
, conn
);
366 if (conn
->event
.fde
== NULL
) {
367 composite_error(ctx
, NT_STATUS_INTERNAL_ERROR
);
371 talloc_steal(conn
, conn
->sock
);
373 struct socket_context
*tls_socket
= tls_init_client(conn
->sock
, conn
->event
.fde
);
374 if (tls_socket
== NULL
) {
375 talloc_free(conn
->sock
);
378 talloc_unlink(conn
, conn
->sock
);
379 conn
->sock
= tls_socket
;
380 talloc_steal(conn
, conn
->sock
);
383 conn
->packet
= packet_init(conn
);
384 if (conn
->packet
== NULL
) {
385 talloc_free(conn
->sock
);
389 packet_set_private(conn
->packet
, conn
);
390 packet_set_socket(conn
->packet
, conn
->sock
);
391 packet_set_callback(conn
->packet
, ldap_recv_handler
);
392 packet_set_full_request(conn
->packet
, ldap_full_packet
);
393 packet_set_error_handler(conn
->packet
, ldap_error_handler
);
394 packet_set_event_context(conn
->packet
, conn
->event
.event_ctx
);
395 packet_set_fde(conn
->packet
, conn
->event
.fde
);
396 packet_set_serialise(conn
->packet
);
401 static void ldap_connect_recv_tcp_conn(struct composite_context
*ctx
)
403 struct ldap_connect_state
*state
=
404 talloc_get_type(ctx
->async
.private_data
,
405 struct ldap_connect_state
);
406 struct ldap_connection
*conn
= state
->conn
;
408 NTSTATUS status
= socket_connect_multi_recv(ctx
, state
, &conn
->sock
,
410 if (!NT_STATUS_IS_OK(status
)) {
411 composite_error(state
->ctx
, status
);
415 ldap_connect_got_sock(state
->ctx
, conn
);
418 static void ldap_connect_recv_unix_conn(struct composite_context
*ctx
)
420 struct ldap_connect_state
*state
=
421 talloc_get_type(ctx
->async
.private_data
,
422 struct ldap_connect_state
);
423 struct ldap_connection
*conn
= state
->conn
;
425 NTSTATUS status
= socket_connect_recv(ctx
);
427 if (!NT_STATUS_IS_OK(state
->ctx
->status
)) {
428 composite_error(state
->ctx
, status
);
432 ldap_connect_got_sock(state
->ctx
, conn
);
435 _PUBLIC_ NTSTATUS
ldap_connect_recv(struct composite_context
*ctx
)
437 NTSTATUS status
= composite_wait(ctx
);
442 NTSTATUS
ldap_connect(struct ldap_connection
*conn
, const char *url
)
444 struct composite_context
*ctx
= ldap_connect_send(conn
, url
);
445 return ldap_connect_recv(ctx
);
448 /* set reconnect parameters */
450 void ldap_set_reconn_params(struct ldap_connection
*conn
, int max_retries
)
453 conn
->reconnect
.max_retries
= max_retries
;
454 conn
->reconnect
.retries
= 0;
455 conn
->reconnect
.previous
= time(NULL
);
459 /* Actually this function is NOT ASYNC safe, FIXME? */
460 static void ldap_reconnect(struct ldap_connection
*conn
)
463 time_t now
= time(NULL
);
465 /* do we have set up reconnect ? */
466 if (conn
->reconnect
.max_retries
== 0) return;
468 /* is the retry time expired ? */
469 if (now
> conn
->reconnect
.previous
+ 30) {
470 conn
->reconnect
.retries
= 0;
471 conn
->reconnect
.previous
= now
;
474 /* are we reconnectind too often and too fast? */
475 if (conn
->reconnect
.retries
> conn
->reconnect
.max_retries
) return;
477 /* keep track of the number of reconnections */
478 conn
->reconnect
.retries
++;
481 status
= ldap_connect(conn
, conn
->reconnect
.url
);
482 if ( ! NT_STATUS_IS_OK(status
)) {
487 status
= ldap_rebind(conn
);
488 if ( ! NT_STATUS_IS_OK(status
)) {
489 ldap_connection_dead(conn
);
493 /* destroy an open ldap request */
494 static int ldap_request_destructor(struct ldap_request
*req
)
496 if (req
->state
== LDAP_REQUEST_PENDING
) {
497 DLIST_REMOVE(req
->conn
->pending
, req
);
503 called on timeout of a ldap request
505 static void ldap_request_timeout(struct event_context
*ev
, struct timed_event
*te
,
506 struct timeval t
, void *private_data
)
508 struct ldap_request
*req
= talloc_get_type(private_data
, struct ldap_request
);
509 req
->status
= NT_STATUS_IO_TIMEOUT
;
510 if (req
->state
== LDAP_REQUEST_PENDING
) {
511 DLIST_REMOVE(req
->conn
->pending
, req
);
513 req
->state
= LDAP_REQUEST_DONE
;
521 called on completion of a one-way ldap request
523 static void ldap_request_complete(struct event_context
*ev
, struct timed_event
*te
,
524 struct timeval t
, void *private_data
)
526 struct ldap_request
*req
= talloc_get_type(private_data
, struct ldap_request
);
533 send a ldap message - async interface
535 struct ldap_request
*ldap_request_send(struct ldap_connection
*conn
,
536 struct ldap_message
*msg
)
538 struct ldap_request
*req
;
539 NTSTATUS status
= NT_STATUS_UNSUCCESSFUL
;
541 req
= talloc_zero(conn
, struct ldap_request
);
542 if (req
== NULL
) return NULL
;
544 if (conn
->sock
== NULL
) {
545 status
= NT_STATUS_INVALID_CONNECTION
;
549 req
->state
= LDAP_REQUEST_SEND
;
551 req
->messageid
= conn
->next_messageid
++;
552 if (conn
->next_messageid
== 0) {
553 conn
->next_messageid
= 1;
555 req
->type
= msg
->type
;
556 if (req
->messageid
== -1) {
560 talloc_set_destructor(req
, ldap_request_destructor
);
562 msg
->messageid
= req
->messageid
;
564 if (!ldap_encode(msg
, &req
->data
, req
)) {
565 status
= NT_STATUS_INTERNAL_ERROR
;
569 status
= packet_send(conn
->packet
, req
->data
);
570 if (!NT_STATUS_IS_OK(status
)) {
574 /* some requests don't expect a reply, so don't add those to the
576 if (req
->type
== LDAP_TAG_AbandonRequest
||
577 req
->type
== LDAP_TAG_UnbindRequest
) {
578 req
->status
= NT_STATUS_OK
;
579 req
->state
= LDAP_REQUEST_DONE
;
580 /* we can't call the async callback now, as it isn't setup, so
581 call it as next event */
582 event_add_timed(conn
->event
.event_ctx
, req
, timeval_zero(),
583 ldap_request_complete
, req
);
587 req
->state
= LDAP_REQUEST_PENDING
;
588 DLIST_ADD(conn
->pending
, req
);
590 /* put a timeout on the request */
591 req
->time_event
= event_add_timed(conn
->event
.event_ctx
, req
,
592 timeval_current_ofs(conn
->timeout
, 0),
593 ldap_request_timeout
, req
);
598 req
->status
= status
;
599 req
->state
= LDAP_REQUEST_ERROR
;
600 event_add_timed(conn
->event
.event_ctx
, req
, timeval_zero(),
601 ldap_request_complete
, req
);
608 wait for a request to complete
609 note that this does not destroy the request
611 NTSTATUS
ldap_request_wait(struct ldap_request
*req
)
613 while (req
->state
< LDAP_REQUEST_DONE
) {
614 if (event_loop_once(req
->conn
->event
.event_ctx
) != 0) {
615 req
->status
= NT_STATUS_UNEXPECTED_NETWORK_ERROR
;
624 a mapping of ldap response code to strings
626 static const struct {
627 enum ldap_result_code code
;
629 } ldap_code_map
[] = {
630 #define _LDAP_MAP_CODE(c) { c, #c }
631 _LDAP_MAP_CODE(LDAP_SUCCESS
),
632 _LDAP_MAP_CODE(LDAP_OPERATIONS_ERROR
),
633 _LDAP_MAP_CODE(LDAP_PROTOCOL_ERROR
),
634 _LDAP_MAP_CODE(LDAP_TIME_LIMIT_EXCEEDED
),
635 _LDAP_MAP_CODE(LDAP_SIZE_LIMIT_EXCEEDED
),
636 _LDAP_MAP_CODE(LDAP_COMPARE_FALSE
),
637 _LDAP_MAP_CODE(LDAP_COMPARE_TRUE
),
638 _LDAP_MAP_CODE(LDAP_AUTH_METHOD_NOT_SUPPORTED
),
639 _LDAP_MAP_CODE(LDAP_STRONG_AUTH_REQUIRED
),
640 _LDAP_MAP_CODE(LDAP_REFERRAL
),
641 _LDAP_MAP_CODE(LDAP_ADMIN_LIMIT_EXCEEDED
),
642 _LDAP_MAP_CODE(LDAP_UNAVAILABLE_CRITICAL_EXTENSION
),
643 _LDAP_MAP_CODE(LDAP_CONFIDENTIALITY_REQUIRED
),
644 _LDAP_MAP_CODE(LDAP_SASL_BIND_IN_PROGRESS
),
645 _LDAP_MAP_CODE(LDAP_NO_SUCH_ATTRIBUTE
),
646 _LDAP_MAP_CODE(LDAP_UNDEFINED_ATTRIBUTE_TYPE
),
647 _LDAP_MAP_CODE(LDAP_INAPPROPRIATE_MATCHING
),
648 _LDAP_MAP_CODE(LDAP_CONSTRAINT_VIOLATION
),
649 _LDAP_MAP_CODE(LDAP_ATTRIBUTE_OR_VALUE_EXISTS
),
650 _LDAP_MAP_CODE(LDAP_INVALID_ATTRIBUTE_SYNTAX
),
651 _LDAP_MAP_CODE(LDAP_NO_SUCH_OBJECT
),
652 _LDAP_MAP_CODE(LDAP_ALIAS_PROBLEM
),
653 _LDAP_MAP_CODE(LDAP_INVALID_DN_SYNTAX
),
654 _LDAP_MAP_CODE(LDAP_ALIAS_DEREFERENCING_PROBLEM
),
655 _LDAP_MAP_CODE(LDAP_INAPPROPRIATE_AUTHENTICATION
),
656 _LDAP_MAP_CODE(LDAP_INVALID_CREDENTIALS
),
657 _LDAP_MAP_CODE(LDAP_INSUFFICIENT_ACCESS_RIGHTs
),
658 _LDAP_MAP_CODE(LDAP_BUSY
),
659 _LDAP_MAP_CODE(LDAP_UNAVAILABLE
),
660 _LDAP_MAP_CODE(LDAP_UNWILLING_TO_PERFORM
),
661 _LDAP_MAP_CODE(LDAP_LOOP_DETECT
),
662 _LDAP_MAP_CODE(LDAP_NAMING_VIOLATION
),
663 _LDAP_MAP_CODE(LDAP_OBJECT_CLASS_VIOLATION
),
664 _LDAP_MAP_CODE(LDAP_NOT_ALLOWED_ON_NON_LEAF
),
665 _LDAP_MAP_CODE(LDAP_NOT_ALLOWED_ON_RDN
),
666 _LDAP_MAP_CODE(LDAP_ENTRY_ALREADY_EXISTS
),
667 _LDAP_MAP_CODE(LDAP_OBJECT_CLASS_MODS_PROHIBITED
),
668 _LDAP_MAP_CODE(LDAP_AFFECTS_MULTIPLE_DSAS
),
669 _LDAP_MAP_CODE(LDAP_OTHER
)
673 used to setup the status code from a ldap response
675 NTSTATUS
ldap_check_response(struct ldap_connection
*conn
, struct ldap_Result
*r
)
678 const char *codename
= "unknown";
680 if (r
->resultcode
== LDAP_SUCCESS
) {
684 if (conn
->last_error
) {
685 talloc_free(conn
->last_error
);
688 for (i
=0;i
<ARRAY_SIZE(ldap_code_map
);i
++) {
689 if (r
->resultcode
== ldap_code_map
[i
].code
) {
690 codename
= ldap_code_map
[i
].str
;
695 conn
->last_error
= talloc_asprintf(conn
, "LDAP error %u %s - %s <%s> <%s>",
698 r
->dn
?r
->dn
:"(NULL)",
699 r
->errormessage
?r
->errormessage
:"",
700 r
->referral
?r
->referral
:"");
702 return NT_STATUS_LDAP(r
->resultcode
);
706 return error string representing the last error
708 const char *ldap_errstr(struct ldap_connection
*conn
,
712 if (NT_STATUS_IS_LDAP(status
) && conn
->last_error
!= NULL
) {
713 return talloc_strdup(mem_ctx
, conn
->last_error
);
715 return talloc_asprintf(mem_ctx
, "LDAP client internal error: %s", nt_errstr(status
));
720 return the Nth result message, waiting if necessary
722 NTSTATUS
ldap_result_n(struct ldap_request
*req
, int n
, struct ldap_message
**msg
)
726 NT_STATUS_HAVE_NO_MEMORY(req
);
728 while (req
->state
< LDAP_REQUEST_DONE
&& n
>= req
->num_replies
) {
729 if (event_loop_once(req
->conn
->event
.event_ctx
) != 0) {
730 return NT_STATUS_UNEXPECTED_NETWORK_ERROR
;
734 if (n
< req
->num_replies
) {
735 *msg
= req
->replies
[n
];
739 if (!NT_STATUS_IS_OK(req
->status
)) {
743 return NT_STATUS_NO_MORE_ENTRIES
;
748 return a single result message, checking if it is of the expected LDAP type
750 NTSTATUS
ldap_result_one(struct ldap_request
*req
, struct ldap_message
**msg
, int type
)
753 status
= ldap_result_n(req
, 0, msg
);
754 if (!NT_STATUS_IS_OK(status
)) {
757 if ((*msg
)->type
!= type
) {
759 return NT_STATUS_UNEXPECTED_NETWORK_ERROR
;
765 a simple ldap transaction, for single result requests that only need a status code
766 this relies on single valued requests having the response type == request type + 1
768 NTSTATUS
ldap_transaction(struct ldap_connection
*conn
, struct ldap_message
*msg
)
770 struct ldap_request
*req
= ldap_request_send(conn
, msg
);
771 struct ldap_message
*res
;
773 status
= ldap_result_n(req
, 0, &res
);
774 if (!NT_STATUS_IS_OK(status
)) {
778 if (res
->type
!= msg
->type
+ 1) {
780 return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR
);
782 status
= ldap_check_response(conn
, &res
->r
.GeneralResult
);