search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3:smbd: fix NULL dereference in case of readlink failure
[Samba.git] / source4 / ldap_server / ldap_backend.c
blob986bc1db94172be73044a5bd133bf985a38c440f
1 /*
2 Unix SMB/CIFS implementation.
3 LDAP server
4 Copyright (C) Stefan Metzmacher 2004
5 Copyright (C) Matthias Dieter Wallnöfer 2009
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "includes.h"
22 #include <talloc.h>
23 #include "ldap_server/ldap_server.h"
24 #include "../lib/util/dlinklist.h"
25 #include "auth/credentials/credentials.h"
26 #include "auth/gensec/gensec.h"
27 #include "auth/common_auth.h"
28 #include "param/param.h"
29 #include "samba/service_stream.h"
30 #include "dsdb/gmsa/util.h"
31 #include "dsdb/samdb/samdb.h"
32 #include <ldb_errors.h>
33 #include <ldb_module.h>
34 #include "ldb_wrap.h"
35 #include "lib/tsocket/tsocket.h"
36 #include "libcli/ldap/ldap_proto.h"
37 #include "source4/auth/auth.h"
38
39 #undef DBGC_CLASS
40 #define DBGC_CLASS DBGC_LDAPSRV
41
42 static int map_ldb_error(TALLOC_CTX *mem_ctx, int ldb_err,
43 const char *add_err_string, const char **errstring)
44 {
45 WERROR err;
46
47 /* Certain LDB modules need to return very special WERROR codes. Proof
48 * for them here and if they exist skip the rest of the mapping. */
49 if (add_err_string != NULL) {
50 char *endptr;
51 strtol(add_err_string, &endptr, 16);
52 if (endptr != add_err_string) {
53 *errstring = add_err_string;
54 return ldb_err;
55 }
56 }
57
58 /* Otherwise we calculate here a generic, but appropriate WERROR. */
59
60 switch (ldb_err) {
61 case LDB_SUCCESS:
62 err = WERR_OK;
63 break;
64 case LDB_ERR_OPERATIONS_ERROR:
65 err = WERR_DS_OPERATIONS_ERROR;
66 break;
67 case LDB_ERR_PROTOCOL_ERROR:
68 err = WERR_DS_PROTOCOL_ERROR;
69 break;
70 case LDB_ERR_TIME_LIMIT_EXCEEDED:
71 err = WERR_DS_TIMELIMIT_EXCEEDED;
72 break;
73 case LDB_ERR_SIZE_LIMIT_EXCEEDED:
74 err = WERR_DS_SIZELIMIT_EXCEEDED;
75 break;
76 case LDB_ERR_COMPARE_FALSE:
77 err = WERR_DS_COMPARE_FALSE;
78 break;
79 case LDB_ERR_COMPARE_TRUE:
80 err = WERR_DS_COMPARE_TRUE;
81 break;
82 case LDB_ERR_AUTH_METHOD_NOT_SUPPORTED:
83 err = WERR_DS_AUTH_METHOD_NOT_SUPPORTED;
84 break;
85 case LDB_ERR_STRONG_AUTH_REQUIRED:
86 err = WERR_DS_STRONG_AUTH_REQUIRED;
87 break;
88 case LDB_ERR_REFERRAL:
89 err = WERR_DS_REFERRAL;
90 break;
91 case LDB_ERR_ADMIN_LIMIT_EXCEEDED:
92 err = WERR_DS_ADMIN_LIMIT_EXCEEDED;
93 break;
94 case LDB_ERR_UNSUPPORTED_CRITICAL_EXTENSION:
95 err = WERR_DS_UNAVAILABLE_CRIT_EXTENSION;
96 break;
97 case LDB_ERR_CONFIDENTIALITY_REQUIRED:
98 err = WERR_DS_CONFIDENTIALITY_REQUIRED;
99 break;
100 case LDB_ERR_SASL_BIND_IN_PROGRESS:
101 err = WERR_DS_BUSY;
102 break;
103 case LDB_ERR_NO_SUCH_ATTRIBUTE:
104 err = WERR_DS_NO_ATTRIBUTE_OR_VALUE;
105 break;
106 case LDB_ERR_UNDEFINED_ATTRIBUTE_TYPE:
107 err = WERR_DS_ATTRIBUTE_TYPE_UNDEFINED;
108 break;
109 case LDB_ERR_INAPPROPRIATE_MATCHING:
110 err = WERR_DS_INAPPROPRIATE_MATCHING;
111 break;
112 case LDB_ERR_CONSTRAINT_VIOLATION:
113 err = WERR_DS_CONSTRAINT_VIOLATION;
114 break;
115 case LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS:
116 err = WERR_DS_ATTRIBUTE_OR_VALUE_EXISTS;
117 break;
118 case LDB_ERR_INVALID_ATTRIBUTE_SYNTAX:
119 err = WERR_DS_INVALID_ATTRIBUTE_SYNTAX;
120 break;
121 case LDB_ERR_NO_SUCH_OBJECT:
122 err = WERR_DS_NO_SUCH_OBJECT;
123 break;
124 case LDB_ERR_ALIAS_PROBLEM:
125 err = WERR_DS_ALIAS_PROBLEM;
126 break;
127 case LDB_ERR_INVALID_DN_SYNTAX:
128 err = WERR_DS_INVALID_DN_SYNTAX;
129 break;
130 case LDB_ERR_ALIAS_DEREFERENCING_PROBLEM:
131 err = WERR_DS_ALIAS_DEREF_PROBLEM;
132 break;
133 case LDB_ERR_INAPPROPRIATE_AUTHENTICATION:
134 err = WERR_DS_INAPPROPRIATE_AUTH;
135 break;
136 case LDB_ERR_INVALID_CREDENTIALS:
137 err = WERR_ACCESS_DENIED;
138 break;
139 case LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS:
140 err = WERR_DS_INSUFF_ACCESS_RIGHTS;
141 break;
142 case LDB_ERR_BUSY:
143 err = WERR_DS_BUSY;
144 break;
145 case LDB_ERR_UNAVAILABLE:
146 err = WERR_DS_UNAVAILABLE;
147 break;
148 case LDB_ERR_UNWILLING_TO_PERFORM:
149 err = WERR_DS_UNWILLING_TO_PERFORM;
150 break;
151 case LDB_ERR_LOOP_DETECT:
152 err = WERR_DS_LOOP_DETECT;
153 break;
154 case LDB_ERR_NAMING_VIOLATION:
155 err = WERR_DS_NAMING_VIOLATION;
156 break;
157 case LDB_ERR_OBJECT_CLASS_VIOLATION:
158 err = WERR_DS_OBJ_CLASS_VIOLATION;
159 break;
160 case LDB_ERR_NOT_ALLOWED_ON_NON_LEAF:
161 err = WERR_DS_CANT_ON_NON_LEAF;
162 break;
163 case LDB_ERR_NOT_ALLOWED_ON_RDN:
164 err = WERR_DS_CANT_ON_RDN;
165 break;
166 case LDB_ERR_ENTRY_ALREADY_EXISTS:
167 err = WERR_DS_OBJ_STRING_NAME_EXISTS;
168 break;
169 case LDB_ERR_OBJECT_CLASS_MODS_PROHIBITED:
170 err = WERR_DS_CANT_MOD_OBJ_CLASS;
171 break;
172 case LDB_ERR_AFFECTS_MULTIPLE_DSAS:
173 err = WERR_DS_AFFECTS_MULTIPLE_DSAS;
174 break;
175 default:
176 err = WERR_DS_GENERIC_ERROR;
177 break;
178 }
179
180 *errstring = talloc_asprintf(mem_ctx, "%08X: %s", W_ERROR_V(err),
181 add_err_string != NULL ? add_err_string : ldb_strerror(ldb_err));
182
183 /* result is 1:1 for now */
184 return ldb_err;
185 }
186
187 /*
188 connect to the sam database
189 */
190 int ldapsrv_backend_Init(struct ldapsrv_connection *conn,
191 char **errstring)
192 {
193 bool using_tls = conn->sockets.active == conn->sockets.tls;
194 bool using_seal = conn->gensec != NULL && gensec_have_feature(conn->gensec,
195 GENSEC_FEATURE_SEAL);
196 struct dsdb_encrypted_connection_state *opaque_connection_state = NULL;
197
198 int ret = samdb_connect_url(conn,
199 conn->connection->event.ctx,
200 conn->lp_ctx,
201 conn->session_info,
202 conn->global_catalog ? LDB_FLG_RDONLY : 0,
203 "sam.ldb",
204 conn->connection->remote_address,
205 &conn->ldb,
206 errstring);
207 if (ret != LDB_SUCCESS) {
208 return ret;
209 }
210
211 /*
212 * We can safely call ldb_set_opaque() on this ldb as we have
213 * set remote_address above which avoids the ldb handle cache
214 */
215 opaque_connection_state = talloc_zero(conn, struct dsdb_encrypted_connection_state);
216 if (opaque_connection_state == NULL) {
217 return LDB_ERR_OPERATIONS_ERROR;
218 }
219 opaque_connection_state->using_encrypted_connection = using_tls || using_seal || conn->is_ldapi;
220 ret = ldb_set_opaque(conn->ldb,
221 DSDB_OPAQUE_ENCRYPTED_CONNECTION_STATE_NAME,
222 opaque_connection_state);
223 if (ret != LDB_SUCCESS) {
224 DBG_ERR("ldb_set_opaque() failed to store our "
225 "encrypted connection state!\n");
226 return ret;
227 }
228
229 if (conn->server_credentials) {
230 struct gensec_security *gensec_security = NULL;
231 const char **sasl_mechs = NULL;
232 NTSTATUS status;
233
234 status = samba_server_gensec_start(conn,
235 conn->connection->event.ctx,
236 conn->connection->msg_ctx,
237 conn->lp_ctx,
238 conn->server_credentials,
239 "ldap",
240 &gensec_security);
241 if (!NT_STATUS_IS_OK(status)) {
242 DBG_ERR("samba_server_gensec_start failed: %s\n",
243 nt_errstr(status));
244 return LDB_ERR_OPERATIONS_ERROR;
245 }
246
247 /* ldb can have a different lifetime to conn, so we
248 need to ensure that sasl_mechs lives as long as the
249 ldb does */
250 sasl_mechs = gensec_security_sasl_names(gensec_security,
251 conn->ldb);
252 TALLOC_FREE(gensec_security);
253 if (sasl_mechs == NULL) {
254 DBG_ERR("Failed to get sasl mechs!\n");
255 return LDB_ERR_OPERATIONS_ERROR;
256 }
257
258 ldb_set_opaque(conn->ldb, "supportedSASLMechanisms", sasl_mechs);
259 }
260
261 return LDB_SUCCESS;
262 }
263
264 struct ldapsrv_reply *ldapsrv_init_reply(struct ldapsrv_call *call, uint8_t type)
265 {
266 struct ldapsrv_reply *reply;
267
268 reply = talloc_zero(call, struct ldapsrv_reply);
269 if (!reply) {
270 return NULL;
271 }
272 reply->msg = talloc_zero(reply, struct ldap_message);
273 if (reply->msg == NULL) {
274 talloc_free(reply);
275 return NULL;
276 }
277
278 reply->msg->messageid = call->request->messageid;
279 reply->msg->type = type;
280 reply->msg->controls = NULL;
281
282 return reply;
283 }
284
285 /*
286 * Encode a reply to an LDAP client as ASN.1, free the original memory
287 */
288 static NTSTATUS ldapsrv_encode(TALLOC_CTX *mem_ctx,
289 struct ldapsrv_reply *reply)
290 {
291 bool bret = ldap_encode(reply->msg,
292 samba_ldap_control_handlers(),
293 &reply->blob,
294 mem_ctx);
295 if (!bret) {
296 DBG_ERR("Failed to encode ldap reply of type %d: "
297 "ldap_encode() failed\n",
298 reply->msg->type);
299 TALLOC_FREE(reply->msg);
300 return NT_STATUS_NO_MEMORY;
301 }
302
303 TALLOC_FREE(reply->msg);
304 talloc_set_name_const(reply->blob.data,
305 "Outgoing, encoded single LDAP reply");
306
307 return NT_STATUS_OK;
308 }
309
310 /*
311 * Queue a reply (encoding it also), even if it would exceed the
312 * limit. This allows the error packet with LDAP_SIZE_LIMIT_EXCEEDED
313 * to be sent
314 */
315 static NTSTATUS ldapsrv_queue_reply_forced(struct ldapsrv_call *call,
316 struct ldapsrv_reply *reply)
317 {
318 NTSTATUS status = ldapsrv_encode(call, reply);
319
320 if (NT_STATUS_IS_OK(status)) {
321 DLIST_ADD_END(call->replies, reply);
322 }
323 return status;
324 }
325
326 /*
327 * Queue a reply (encoding it also) but check we do not send more than
328 * LDAP_SERVER_MAX_REPLY_SIZE of responses as a way to limit the
329 * amount of data a client can make us allocate.
330 */
331 NTSTATUS ldapsrv_queue_reply(struct ldapsrv_call *call, struct ldapsrv_reply *reply)
332 {
333 NTSTATUS status = ldapsrv_encode(call, reply);
334
335 if (!NT_STATUS_IS_OK(status)) {
336 return status;
337 }
338
339 if (call->reply_size > call->reply_size + reply->blob.length
340 || call->reply_size + reply->blob.length > LDAP_SERVER_MAX_REPLY_SIZE) {
341 DBG_WARNING("Refusing to queue LDAP search response size "
342 "of more than %zu bytes\n",
343 LDAP_SERVER_MAX_REPLY_SIZE);
344 TALLOC_FREE(reply->blob.data);
345 return NT_STATUS_FILE_TOO_LARGE;
346 }
347
348 call->reply_size += reply->blob.length;
349
350 DLIST_ADD_END(call->replies, reply);
351
352 return status;
353 }
354
355 static NTSTATUS ldapsrv_unwilling(struct ldapsrv_call *call, int error)
356 {
357 struct ldapsrv_reply *reply;
358 struct ldap_ExtendedResponse *r;
359
360 DBG_DEBUG("type[%d] id[%d]\n", call->request->type, call->request->messageid);
361
362 reply = ldapsrv_init_reply(call, LDAP_TAG_ExtendedResponse);
363 if (!reply) {
364 return NT_STATUS_NO_MEMORY;
365 }
366
367 r = &reply->msg->r.ExtendedResponse;
368 r->response.resultcode = error;
369 r->response.dn = NULL;
370 r->response.errormessage = NULL;
371 r->response.referral = NULL;
372 r->oid = NULL;
373 r->value = NULL;
374
375 ldapsrv_queue_reply(call, reply);
376 return NT_STATUS_OK;
377 }
378
379 static int ldapsrv_add_with_controls(struct ldapsrv_call *call,
380 const struct ldb_message *message,
381 struct ldb_control **controls,
382 struct ldb_result *res)
383 {
384 struct ldb_context *ldb = call->conn->ldb;
385 struct ldb_request *req;
386 int ret;
387
388 ret = ldb_msg_sanity_check(ldb, message);
389 if (ret != LDB_SUCCESS) {
390 return ret;
391 }
392
393 ret = ldb_build_add_req(&req, ldb, ldb,
394 message,
395 controls,
396 res,
397 ldb_modify_default_callback,
398 NULL);
399
400 if (ret != LDB_SUCCESS) return ret;
401
402 if (call->conn->global_catalog) {
403 return ldb_error(ldb, LDB_ERR_UNWILLING_TO_PERFORM, "modify forbidden on global catalog port");
404 }
405 ldb_request_add_control(req, DSDB_CONTROL_NO_GLOBAL_CATALOG, false, NULL);
406
407 ret = ldb_transaction_start(ldb);
408 if (ret != LDB_SUCCESS) {
409 return ret;
410 }
411
412 if (!call->conn->is_privileged) {
413 ldb_req_mark_untrusted(req);
414 }
415
416 LDB_REQ_SET_LOCATION(req);
417
418 ret = ldb_request(ldb, req);
419 if (ret == LDB_SUCCESS) {
420 ret = ldb_wait(req->handle, LDB_WAIT_ALL);
421 }
422
423 if (ret == LDB_SUCCESS) {
424 ret = ldb_transaction_commit(ldb);
425 }
426 else {
427 ldb_transaction_cancel(ldb);
428 }
429
430 talloc_free(req);
431 return ret;
432 }
433
434 /* create and execute a modify request */
435 static int ldapsrv_mod_with_controls(struct ldapsrv_call *call,
436 const struct ldb_message *message,
437 struct ldb_control **controls,
438 struct ldb_result *res)
439 {
440 struct ldb_context *ldb = call->conn->ldb;
441 struct ldb_request *req;
442 int ret;
443
444 ret = ldb_msg_sanity_check(ldb, message);
445 if (ret != LDB_SUCCESS) {
446 return ret;
447 }
448
449 ret = ldb_build_mod_req(&req, ldb, ldb,
450 message,
451 controls,
452 res,
453 ldb_modify_default_callback,
454 NULL);
455
456 if (ret != LDB_SUCCESS) {
457 return ret;
458 }
459
460 if (call->conn->global_catalog) {
461 return ldb_error(ldb, LDB_ERR_UNWILLING_TO_PERFORM, "modify forbidden on global catalog port");
462 }
463 ldb_request_add_control(req, DSDB_CONTROL_NO_GLOBAL_CATALOG, false, NULL);
464
465 ret = ldb_transaction_start(ldb);
466 if (ret != LDB_SUCCESS) {
467 return ret;
468 }
469
470 if (!call->conn->is_privileged) {
471 ldb_req_mark_untrusted(req);
472 }
473
474 LDB_REQ_SET_LOCATION(req);
475
476 ret = ldb_request(ldb, req);
477 if (ret == LDB_SUCCESS) {
478 ret = ldb_wait(req->handle, LDB_WAIT_ALL);
479 }
480
481 if (ret == LDB_SUCCESS) {
482 ret = ldb_transaction_commit(ldb);
483 }
484 else {
485 ldb_transaction_cancel(ldb);
486 }
487
488 talloc_free(req);
489 return ret;
490 }
491
492 /* create and execute a delete request */
493 static int ldapsrv_del_with_controls(struct ldapsrv_call *call,
494 struct ldb_dn *dn,
495 struct ldb_control **controls,
496 struct ldb_result *res)
497 {
498 struct ldb_context *ldb = call->conn->ldb;
499 struct ldb_request *req;
500 int ret;
501
502 ret = ldb_build_del_req(&req, ldb, ldb,
503 dn,
504 controls,
505 res,
506 ldb_modify_default_callback,
507 NULL);
508
509 if (ret != LDB_SUCCESS) return ret;
510
511 if (call->conn->global_catalog) {
512 return ldb_error(ldb, LDB_ERR_UNWILLING_TO_PERFORM, "modify forbidden on global catalog port");
513 }
514 ldb_request_add_control(req, DSDB_CONTROL_NO_GLOBAL_CATALOG, false, NULL);
515
516 ret = ldb_transaction_start(ldb);
517 if (ret != LDB_SUCCESS) {
518 return ret;
519 }
520
521 if (!call->conn->is_privileged) {
522 ldb_req_mark_untrusted(req);
523 }
524
525 LDB_REQ_SET_LOCATION(req);
526
527 ret = ldb_request(ldb, req);
528 if (ret == LDB_SUCCESS) {
529 ret = ldb_wait(req->handle, LDB_WAIT_ALL);
530 }
531
532 if (ret == LDB_SUCCESS) {
533 ret = ldb_transaction_commit(ldb);
534 }
535 else {
536 ldb_transaction_cancel(ldb);
537 }
538
539 talloc_free(req);
540 return ret;
541 }
542
543 static int ldapsrv_rename_with_controls(struct ldapsrv_call *call,
544 struct ldb_dn *olddn,
545 struct ldb_dn *newdn,
546 struct ldb_control **controls,
547 struct ldb_result *res)
548 {
549 struct ldb_context *ldb = call->conn->ldb;
550 struct ldb_request *req;
551 int ret;
552
553 ret = ldb_build_rename_req(&req, ldb, ldb,
554 olddn,
555 newdn,
556 controls,
557 res,
558 ldb_modify_default_callback,
559 NULL);
560
561 if (ret != LDB_SUCCESS) return ret;
562
563 if (call->conn->global_catalog) {
564 return ldb_error(ldb, LDB_ERR_UNWILLING_TO_PERFORM, "modify forbidden on global catalog port");
565 }
566 ldb_request_add_control(req, DSDB_CONTROL_NO_GLOBAL_CATALOG, false, NULL);
567
568 ret = ldb_transaction_start(ldb);
569 if (ret != LDB_SUCCESS) {
570 return ret;
571 }
572
573 if (!call->conn->is_privileged) {
574 ldb_req_mark_untrusted(req);
575 }
576
577 LDB_REQ_SET_LOCATION(req);
578
579 ret = ldb_request(ldb, req);
580 if (ret == LDB_SUCCESS) {
581 ret = ldb_wait(req->handle, LDB_WAIT_ALL);
582 }
583
584 if (ret == LDB_SUCCESS) {
585 ret = ldb_transaction_commit(ldb);
586 }
587 else {
588 ldb_transaction_cancel(ldb);
589 }
590
591 talloc_free(req);
592 return ret;
593 }
594
595
596
597 struct ldapsrv_context {
598 struct ldapsrv_call *call;
599 int extended_type;
600 bool attributesonly;
601 struct ldb_control **controls;
602 size_t count; /* For notification only */
603 const struct gmsa_update **updates;
604 };
605
606 static int ldap_server_search_callback(struct ldb_request *req, struct ldb_reply *ares)
607 {
608 struct ldapsrv_context *ctx = talloc_get_type(req->context, struct ldapsrv_context);
609 struct ldapsrv_call *call = ctx->call;
610 struct ldb_context *ldb = call->conn->ldb;
611 unsigned int j;
612 struct ldapsrv_reply *ent_r = NULL;
613 struct ldap_SearchResEntry *ent;
614 int ret;
615 NTSTATUS status;
616
617 if (!ares) {
618 return ldb_request_done(req, LDB_ERR_OPERATIONS_ERROR);
619 }
620 if (ares->error != LDB_SUCCESS) {
621 return ldb_request_done(req, ares->error);
622 }
623
624 switch (ares->type) {
625 case LDB_REPLY_ENTRY:
626 {
627 struct ldb_message *msg = ares->message;
628 ent_r = ldapsrv_init_reply(call, LDAP_TAG_SearchResultEntry);
629 if (ent_r == NULL) {
630 return ldb_oom(ldb);
631 }
632
633 ctx->count++;
634
635 /*
636 * Put the LDAP search response data under ent_r->msg
637 * so we can free that later once encoded
638 */
639 talloc_steal(ent_r->msg, msg);
640
641 ent = &ent_r->msg->r.SearchResultEntry;
642 ent->dn = ldb_dn_get_extended_linearized(ent_r, msg->dn,
643 ctx->extended_type);
644 ent->num_attributes = 0;
645 ent->attributes = NULL;
646 if (msg->num_elements == 0) {
647 goto queue_reply;
648 }
649 ent->num_attributes = msg->num_elements;
650 ent->attributes = talloc_array(ent_r, struct ldb_message_element, ent->num_attributes);
651 if (ent->attributes == NULL) {
652 return ldb_oom(ldb);
653 }
654
655 for (j=0; j < ent->num_attributes; j++) {
656 ent->attributes[j].name = msg->elements[j].name;
657 ent->attributes[j].num_values = 0;
658 ent->attributes[j].values = NULL;
659 if (ctx->attributesonly && (msg->elements[j].num_values == 0)) {
660 continue;
661 }
662 ent->attributes[j].num_values = msg->elements[j].num_values;
663 ent->attributes[j].values = msg->elements[j].values;
664 }
665
666 {
667 const struct ldb_control
668 *ctrl = ldb_controls_get_control(
669 ares->controls,
670 DSDB_CONTROL_GMSA_UPDATE_OID);
671
672 if (ctrl != NULL) {
673 const struct gmsa_update **updates = NULL;
674 const size_t len = talloc_array_length(
675 ctx->updates);
676
677 updates = talloc_realloc(
678 ctx,
679 ctx->updates,
680 const struct gmsa_update *,
681 len + 1);
682 if (updates != NULL) {
683 updates[len] = talloc_steal(updates,
684 ctrl->data);
685 ctx->updates = updates;
686 }
687 }
688 }
689
690 queue_reply:
691 status = ldapsrv_queue_reply(call, ent_r);
692 if (NT_STATUS_EQUAL(status, NT_STATUS_FILE_TOO_LARGE)) {
693 ret = ldb_request_done(req,
694 LDB_ERR_SIZE_LIMIT_EXCEEDED);
695 ldb_asprintf_errstring(ldb,
696 "LDAP search response size "
697 "limited to %zu bytes\n",
698 LDAP_SERVER_MAX_REPLY_SIZE);
699 } else if (!NT_STATUS_IS_OK(status)) {
700 ret = ldb_request_done(req,
701 ldb_operr(ldb));
702 } else {
703 ret = LDB_SUCCESS;
704 }
705 break;
706 }
707 case LDB_REPLY_REFERRAL:
708 {
709 struct ldap_SearchResRef *ent_ref;
710
711 /*
712 * TODO: This should be handled by the notification
713 * module not here
714 */
715 if (call->notification.busy) {
716 ret = LDB_SUCCESS;
717 break;
718 }
719
720 ent_r = ldapsrv_init_reply(call, LDAP_TAG_SearchResultReference);
721 if (ent_r == NULL) {
722 return ldb_oom(ldb);
723 }
724
725 /*
726 * Put the LDAP referral data under ent_r->msg
727 * so we can free that later once encoded
728 */
729 talloc_steal(ent_r->msg, ares->referral);
730
731 ent_ref = &ent_r->msg->r.SearchResultReference;
732 ent_ref->referral = ares->referral;
733
734 status = ldapsrv_queue_reply(call, ent_r);
735 if (!NT_STATUS_IS_OK(status)) {
736 ret = LDB_ERR_OPERATIONS_ERROR;
737 } else {
738 ret = LDB_SUCCESS;
739 }
740 break;
741 }
742 case LDB_REPLY_DONE:
743 {
744 /*
745 * We don't queue the reply for this one, we let that
746 * happen outside
747 */
748 ctx->controls = talloc_move(ctx, &ares->controls);
749
750 TALLOC_FREE(ares);
751 return ldb_request_done(req, LDB_SUCCESS);
752 }
753 default:
754 /* Doesn't happen */
755 ret = LDB_ERR_OPERATIONS_ERROR;
756 }
757 TALLOC_FREE(ares);
758
759 return ret;
760 }
761
762
763 static NTSTATUS ldapsrv_SearchRequest(struct ldapsrv_call *call)
764 {
765 struct ldap_SearchRequest *req = &call->request->r.SearchRequest;
766 struct ldap_Result *done;
767 struct ldapsrv_reply *done_r;
768 TALLOC_CTX *local_ctx;
769 struct ldapsrv_context *callback_ctx = NULL;
770 struct ldb_context *samdb = talloc_get_type(call->conn->ldb, struct ldb_context);
771 struct ldb_dn *basedn;
772 struct ldb_request *lreq;
773 struct ldb_control *search_control;
774 struct ldb_search_options_control *search_options;
775 struct ldb_control *extended_dn_control;
776 struct ldb_extended_dn_control *extended_dn_decoded = NULL;
777 struct ldb_control *notification_control = NULL;
778 enum ldb_scope scope = LDB_SCOPE_DEFAULT;
779 const char **attrs = NULL;
780 const char *scope_str, *errstr = NULL;
781 int result = -1;
782 int ldb_ret = -1;
783 unsigned int i;
784 int extended_type = 1;
785
786 /*
787 * Warn for searches that are longer than 1/4 of the
788 * search_timeout, being 30sec by default
789 */
790 struct timeval start_time = timeval_current();
791 struct timeval warning_time
792 = timeval_add(&start_time,
793 call->conn->limits.search_timeout / 4,
794 0);
795
796 local_ctx = talloc_new(call);
797 NT_STATUS_HAVE_NO_MEMORY(local_ctx);
798
799 basedn = ldb_dn_new(local_ctx, samdb, req->basedn);
800 NT_STATUS_HAVE_NO_MEMORY(basedn);
801
802 switch (req->scope) {
803 case LDAP_SEARCH_SCOPE_BASE:
804 scope = LDB_SCOPE_BASE;
805 break;
806 case LDAP_SEARCH_SCOPE_SINGLE:
807 scope = LDB_SCOPE_ONELEVEL;
808 break;
809 case LDAP_SEARCH_SCOPE_SUB:
810 scope = LDB_SCOPE_SUBTREE;
811 break;
812 default:
813 result = LDAP_PROTOCOL_ERROR;
814 map_ldb_error(local_ctx, LDB_ERR_PROTOCOL_ERROR, NULL,
815 &errstr);
816 scope_str = "<Invalid scope>";
817 errstr = talloc_asprintf(local_ctx,
818 "%s. Invalid scope", errstr);
819 goto reply;
820 }
821 scope_str = dsdb_search_scope_as_string(scope);
822
823 DBG_DEBUG("scope: [%s]\n", scope_str);
824
825 if (req->num_attributes >= 1) {
826 attrs = talloc_array(local_ctx, const char *, req->num_attributes+1);
827 NT_STATUS_HAVE_NO_MEMORY(attrs);
828
829 for (i=0; i < req->num_attributes; i++) {
830 DBG_DEBUG("attrs: [%s]\n",req->attributes[i]);
831 attrs[i] = req->attributes[i];
832 }
833 attrs[i] = NULL;
834 }
835
836 DBG_INFO("ldb_request %s dn=%s filter=%s\n",
837 scope_str, req->basedn, ldb_filter_from_tree(call, req->tree));
838
839 callback_ctx = talloc_zero(local_ctx, struct ldapsrv_context);
840 NT_STATUS_HAVE_NO_MEMORY(callback_ctx);
841 callback_ctx->call = call;
842 callback_ctx->extended_type = extended_type;
843 callback_ctx->attributesonly = req->attributesonly;
844
845 ldb_ret = ldb_build_search_req_ex(&lreq, samdb, local_ctx,
846 basedn, scope,
847 req->tree, attrs,
848 call->request->controls,
849 callback_ctx,
850 ldap_server_search_callback,
851 NULL);
852
853 if (ldb_ret != LDB_SUCCESS) {
854 goto reply;
855 }
856
857 if (call->conn->global_catalog) {
858 search_control = ldb_request_get_control(lreq, LDB_CONTROL_SEARCH_OPTIONS_OID);
859
860 search_options = NULL;
861 if (search_control) {
862 search_options = talloc_get_type(search_control->data, struct ldb_search_options_control);
863 search_options->search_options |= LDB_SEARCH_OPTION_PHANTOM_ROOT;
864 } else {
865 search_options = talloc(lreq, struct ldb_search_options_control);
866 NT_STATUS_HAVE_NO_MEMORY(search_options);
867 search_options->search_options = LDB_SEARCH_OPTION_PHANTOM_ROOT;
868 ldb_request_add_control(lreq, LDB_CONTROL_SEARCH_OPTIONS_OID, false, search_options);
869 }
870 } else {
871 ldb_request_add_control(lreq, DSDB_CONTROL_NO_GLOBAL_CATALOG, false, NULL);
872 }
873
874 extended_dn_control = ldb_request_get_control(lreq, LDB_CONTROL_EXTENDED_DN_OID);
875
876 if (extended_dn_control) {
877 if (extended_dn_control->data) {
878 extended_dn_decoded = talloc_get_type(extended_dn_control->data, struct ldb_extended_dn_control);
879 extended_type = extended_dn_decoded->type;
880 } else {
881 extended_type = 0;
882 }
883 callback_ctx->extended_type = extended_type;
884 }
885
886 notification_control = ldb_request_get_control(lreq, LDB_CONTROL_NOTIFICATION_OID);
887 if (notification_control != NULL) {
888 const struct ldapsrv_call *pc = NULL;
889 size_t count = 0;
890
891 for (pc = call->conn->pending_calls; pc != NULL; pc = pc->next) {
892 count += 1;
893 }
894
895 if (count >= call->conn->limits.max_notifications) {
896 DBG_DEBUG("error MaxNotificationPerConn\n");
897 result = map_ldb_error(local_ctx,
898 LDB_ERR_ADMIN_LIMIT_EXCEEDED,
899 "MaxNotificationPerConn reached",
900 &errstr);
901 goto reply;
902 }
903
904 /*
905 * For now we need to do periodic retries on our own.
906 * As the dsdb_notification module will return after each run.
907 */
908 call->notification.busy = true;
909 }
910
911 {
912 const char *scheme = NULL;
913 switch (call->conn->referral_scheme) {
914 case LDAP_REFERRAL_SCHEME_LDAPS:
915 scheme = "ldaps";
916 break;
917 default:
918 scheme = "ldap";
919 }
920 ldb_ret = ldb_set_opaque(
921 samdb,
922 LDAP_REFERRAL_SCHEME_OPAQUE,
923 discard_const_p(char *, scheme));
924 if (ldb_ret != LDB_SUCCESS) {
925 goto reply;
926 }
927 }
928
929 {
930 time_t timeout = call->conn->limits.search_timeout;
931
932 if (timeout == 0
933 || (req->timelimit != 0
934 && req->timelimit < timeout))
935 {
936 timeout = req->timelimit;
937 }
938 ldb_set_timeout(samdb, lreq, timeout);
939 }
940
941 if (!call->conn->is_privileged) {
942 ldb_req_mark_untrusted(lreq);
943 }
944
945 LDB_REQ_SET_LOCATION(lreq);
946
947 ldb_ret = ldb_request(samdb, lreq);
948
949 if (ldb_ret != LDB_SUCCESS) {
950 goto reply;
951 }
952
953 ldb_ret = ldb_wait(lreq->handle, LDB_WAIT_ALL);
954
955 if (ldb_ret == LDB_SUCCESS) {
956 size_t n;
957 const size_t len = talloc_array_length(callback_ctx->updates);
958
959 for (n = 0; n < len; ++n) {
960 int ret;
961
962 ret = dsdb_update_gmsa_entry_keys(local_ctx,
963 samdb,
964 callback_ctx->updates[n]);
965 if (ret) {
966 /* Ignore the error. */
967 DBG_WARNING("Failed to update keys for Group "
968 "Managed Service Account: %s\n",
969 ldb_strerror(ret));
970 }
971 }
972
973 if (call->notification.busy) {
974 /* Move/Add it to the end */
975 DLIST_DEMOTE(call->conn->pending_calls, call);
976 call->notification.generation =
977 call->conn->service->notification.generation;
978
979 if (callback_ctx->count != 0) {
980 call->notification.generation += 1;
981 ldapsrv_notification_retry_setup(call->conn->service,
982 true);
983 }
984
985 talloc_free(local_ctx);
986 return NT_STATUS_OK;
987 }
988 }
989
990 reply:
991
992 /*
993 * This looks like duplicated code - because it is - but
994 * otherwise the work in the parameters will be done
995 * regardless, this way the functions only execute when the
996 * log level is set.
997 *
998 * The basedn is re-obtained as a string to escape it
999 */
1000 if ((req->timelimit == 0 || call->conn->limits.search_timeout < req->timelimit)
1001 && ldb_ret == LDB_ERR_TIME_LIMIT_EXCEEDED) {
1002 struct dom_sid_buf sid_buf;
1003 DBG_WARNING("MaxQueryDuration(%d) timeout exceeded "
1004 "in SearchRequest by %s from %s filter: [%s] "
1005 "basedn: [%s] "
1006 "scope: [%s]\n",
1007 call->conn->limits.search_timeout,
1008 dom_sid_str_buf(&call->conn->session_info->security_token->sids[0],
1009 &sid_buf),
1010 tsocket_address_string(call->conn->connection->remote_address,
1011 call),
1012 ldb_filter_from_tree(call, req->tree),
1013 ldb_dn_get_extended_linearized(call, basedn, 1),
1014 scope_str);
1015 for (i=0; i < req->num_attributes; i++) {
1016 DBG_WARNING("MaxQueryDuration timeout exceeded attrs: [%s]\n",
1017 req->attributes[i]);
1018 }
1019
1020 } else if (timeval_expired(&warning_time)) {
1021 struct dom_sid_buf sid_buf;
1022 DBG_NOTICE("Long LDAP Query: Duration was %.2fs, "
1023 "MaxQueryDuration(%d)/4 == %d "
1024 "in SearchRequest by %s from %s filter: [%s] "
1025 "basedn: [%s] "
1026 "scope: [%s] "
1027 "result: %s\n",
1028 timeval_elapsed(&start_time),
1029 call->conn->limits.search_timeout,
1030 call->conn->limits.search_timeout / 4,
1031 dom_sid_str_buf(&call->conn->session_info->security_token->sids[0],
1032 &sid_buf),
1033 tsocket_address_string(call->conn->connection->remote_address,
1034 call),
1035 ldb_filter_from_tree(call, req->tree),
1036 ldb_dn_get_extended_linearized(call, basedn, 1),
1037 scope_str,
1038 ldb_strerror(ldb_ret));
1039 for (i=0; i < req->num_attributes; i++) {
1040 DBG_NOTICE("Long LDAP Query attrs: [%s]\n",
1041 req->attributes[i]);
1042 }
1043 } else {
1044 struct dom_sid_buf sid_buf;
1045 DBG_INFO("LDAP Query: Duration was %.2fs, "
1046 "SearchRequest by %s from %s filter: [%s] "
1047 "basedn: [%s] "
1048 "scope: [%s] "
1049 "result: %s\n",
1050 timeval_elapsed(&start_time),
1051 dom_sid_str_buf(&call->conn->session_info->security_token->sids[0],
1052 &sid_buf),
1053 tsocket_address_string(call->conn->connection->remote_address,
1054 call),
1055 ldb_filter_from_tree(call, req->tree),
1056 ldb_dn_get_extended_linearized(call, basedn, 1),
1057 scope_str,
1058 ldb_strerror(ldb_ret));
1059 }
1060
1061 DLIST_REMOVE(call->conn->pending_calls, call);
1062 call->notification.busy = false;
1063
1064 done_r = ldapsrv_init_reply(call, LDAP_TAG_SearchResultDone);
1065 NT_STATUS_HAVE_NO_MEMORY(done_r);
1066
1067 done = &done_r->msg->r.SearchResultDone;
1068 done->dn = NULL;
1069 done->referral = NULL;
1070
1071 if (result != -1) {
1072 } else if (ldb_ret == LDB_SUCCESS) {
1073 if (callback_ctx->controls) {
1074 done_r->msg->controls = callback_ctx->controls;
1075 talloc_steal(done_r->msg, callback_ctx->controls);
1076 }
1077 result = LDB_SUCCESS;
1078 } else {
1079 DBG_DEBUG("error\n");
1080 result = map_ldb_error(local_ctx, ldb_ret, ldb_errstring(samdb),
1081 &errstr);
1082 }
1083
1084 done->resultcode = result;
1085 done->errormessage = (errstr?talloc_strdup(done_r, errstr):NULL);
1086
1087 talloc_free(local_ctx);
1088
1089 return ldapsrv_queue_reply_forced(call, done_r);
1090 }
1091
1092 static NTSTATUS ldapsrv_ModifyRequest(struct ldapsrv_call *call)
1093 {
1094 struct ldap_ModifyRequest *req = &call->request->r.ModifyRequest;
1095 struct ldap_Result *modify_result;
1096 struct ldapsrv_reply *modify_reply;
1097 TALLOC_CTX *local_ctx;
1098 struct ldb_context *samdb = call->conn->ldb;
1099 struct ldb_message *msg = NULL;
1100 struct ldb_dn *dn;
1101 const char *errstr = NULL;
1102 int result = LDAP_SUCCESS;
1103 int ldb_ret;
1104 unsigned int i,j;
1105 struct ldb_result *res = NULL;
1106
1107 DBG_DEBUG("dn: %s\n", req->dn);
1108
1109 local_ctx = talloc_named(call, 0, "ModifyRequest local memory context");
1110 NT_STATUS_HAVE_NO_MEMORY(local_ctx);
1111
1112 dn = ldb_dn_new(local_ctx, samdb, req->dn);
1113 NT_STATUS_HAVE_NO_MEMORY(dn);
1114
1115 DBG_DEBUG("dn: [%s]\n", req->dn);
1116
1117 msg = ldb_msg_new(local_ctx);
1118 NT_STATUS_HAVE_NO_MEMORY(msg);
1119
1120 msg->dn = dn;
1121
1122 if (req->num_mods > 0) {
1123 msg->num_elements = req->num_mods;
1124 msg->elements = talloc_array(msg, struct ldb_message_element, req->num_mods);
1125 NT_STATUS_HAVE_NO_MEMORY(msg->elements);
1126
1127 for (i=0; i < msg->num_elements; i++) {
1128 msg->elements[i].name = discard_const_p(char, req->mods[i].attrib.name);
1129 msg->elements[i].num_values = 0;
1130 msg->elements[i].values = NULL;
1131
1132 switch (req->mods[i].type) {
1133 default:
1134 result = LDAP_PROTOCOL_ERROR;
1135 map_ldb_error(local_ctx,
1136 LDB_ERR_PROTOCOL_ERROR, NULL, &errstr);
1137 errstr = talloc_asprintf(local_ctx,
1138 "%s. Invalid LDAP_MODIFY_* type", errstr);
1139 goto reply;
1140 case LDAP_MODIFY_ADD:
1141 msg->elements[i].flags = LDB_FLAG_MOD_ADD;
1142 break;
1143 case LDAP_MODIFY_DELETE:
1144 msg->elements[i].flags = LDB_FLAG_MOD_DELETE;
1145 break;
1146 case LDAP_MODIFY_REPLACE:
1147 msg->elements[i].flags = LDB_FLAG_MOD_REPLACE;
1148 break;
1149 }
1150
1151 msg->elements[i].num_values = req->mods[i].attrib.num_values;
1152 if (msg->elements[i].num_values > 0) {
1153 msg->elements[i].values = talloc_array(msg->elements, struct ldb_val,
1154 msg->elements[i].num_values);
1155 NT_STATUS_HAVE_NO_MEMORY(msg->elements[i].values);
1156
1157 for (j=0; j < msg->elements[i].num_values; j++) {
1158 msg->elements[i].values[j].length = req->mods[i].attrib.values[j].length;
1159 msg->elements[i].values[j].data = req->mods[i].attrib.values[j].data;
1160 }
1161 }
1162 }
1163 }
1164
1165 reply:
1166 modify_reply = ldapsrv_init_reply(call, LDAP_TAG_ModifyResponse);
1167 NT_STATUS_HAVE_NO_MEMORY(modify_reply);
1168
1169 if (result == LDAP_SUCCESS) {
1170 res = talloc_zero(local_ctx, struct ldb_result);
1171 NT_STATUS_HAVE_NO_MEMORY(res);
1172 ldb_ret = ldapsrv_mod_with_controls(call, msg, call->request->controls, res);
1173 result = map_ldb_error(local_ctx, ldb_ret, ldb_errstring(samdb),
1174 &errstr);
1175 }
1176
1177 modify_result = &modify_reply->msg->r.ModifyResponse;
1178 modify_result->dn = NULL;
1179 if ((res != NULL) && (res->refs != NULL)) {
1180 modify_result->resultcode = map_ldb_error(local_ctx,
1181 LDB_ERR_REFERRAL,
1182 NULL, &errstr);
1183 modify_result->errormessage = (errstr?talloc_strdup(modify_reply, errstr):NULL);
1184 modify_result->referral = talloc_strdup(call, *res->refs);
1185 } else {
1186 modify_result->resultcode = result;
1187 modify_result->errormessage = (errstr?talloc_strdup(modify_reply, errstr):NULL);
1188 modify_result->referral = NULL;
1189 }
1190 talloc_free(local_ctx);
1191
1192 return ldapsrv_queue_reply(call, modify_reply);
1193
1194 }
1195
1196 static NTSTATUS ldapsrv_AddRequest(struct ldapsrv_call *call)
1197 {
1198 struct ldap_AddRequest *req = &call->request->r.AddRequest;
1199 struct ldap_Result *add_result;
1200 struct ldapsrv_reply *add_reply;
1201 TALLOC_CTX *local_ctx;
1202 struct ldb_context *samdb = call->conn->ldb;
1203 struct ldb_message *msg = NULL;
1204 struct ldb_dn *dn;
1205 const char *errstr = NULL;
1206 int result = LDAP_SUCCESS;
1207 int ldb_ret;
1208 unsigned int i,j;
1209 struct ldb_result *res = NULL;
1210
1211 DBG_DEBUG("dn: %s\n", req->dn);
1212
1213 local_ctx = talloc_named(call, 0, "AddRequest local memory context");
1214 NT_STATUS_HAVE_NO_MEMORY(local_ctx);
1215
1216 dn = ldb_dn_new(local_ctx, samdb, req->dn);
1217 NT_STATUS_HAVE_NO_MEMORY(dn);
1218
1219 DBG_DEBUG("dn: [%s]\n", req->dn);
1220
1221 msg = talloc(local_ctx, struct ldb_message);
1222 NT_STATUS_HAVE_NO_MEMORY(msg);
1223
1224 msg->dn = dn;
1225 msg->num_elements = 0;
1226 msg->elements = NULL;
1227
1228 if (req->num_attributes > 0) {
1229 msg->num_elements = req->num_attributes;
1230 msg->elements = talloc_array(msg, struct ldb_message_element, msg->num_elements);
1231 NT_STATUS_HAVE_NO_MEMORY(msg->elements);
1232
1233 for (i=0; i < msg->num_elements; i++) {
1234 msg->elements[i].name = discard_const_p(char, req->attributes[i].name);
1235 msg->elements[i].flags = 0;
1236 msg->elements[i].num_values = 0;
1237 msg->elements[i].values = NULL;
1238
1239 if (req->attributes[i].num_values > 0) {
1240 msg->elements[i].num_values = req->attributes[i].num_values;
1241 msg->elements[i].values = talloc_array(msg->elements, struct ldb_val,
1242 msg->elements[i].num_values);
1243 NT_STATUS_HAVE_NO_MEMORY(msg->elements[i].values);
1244
1245 for (j=0; j < msg->elements[i].num_values; j++) {
1246 msg->elements[i].values[j].length = req->attributes[i].values[j].length;
1247 msg->elements[i].values[j].data = req->attributes[i].values[j].data;
1248 }
1249 }
1250 }
1251 }
1252
1253 add_reply = ldapsrv_init_reply(call, LDAP_TAG_AddResponse);
1254 NT_STATUS_HAVE_NO_MEMORY(add_reply);
1255
1256 if (result == LDAP_SUCCESS) {
1257 res = talloc_zero(local_ctx, struct ldb_result);
1258 NT_STATUS_HAVE_NO_MEMORY(res);
1259 ldb_ret = ldapsrv_add_with_controls(call, msg, call->request->controls, res);
1260 result = map_ldb_error(local_ctx, ldb_ret, ldb_errstring(samdb),
1261 &errstr);
1262 }
1263
1264 add_result = &add_reply->msg->r.AddResponse;
1265 add_result->dn = NULL;
1266 if ((res != NULL) && (res->refs != NULL)) {
1267 add_result->resultcode = map_ldb_error(local_ctx,
1268 LDB_ERR_REFERRAL, NULL,
1269 &errstr);
1270 add_result->errormessage = (errstr?talloc_strdup(add_reply,errstr):NULL);
1271 add_result->referral = talloc_strdup(call, *res->refs);
1272 } else {
1273 add_result->resultcode = result;
1274 add_result->errormessage = (errstr?talloc_strdup(add_reply,errstr):NULL);
1275 add_result->referral = NULL;
1276 }
1277 talloc_free(local_ctx);
1278
1279 return ldapsrv_queue_reply(call, add_reply);
1280
1281 }
1282
1283 static NTSTATUS ldapsrv_DelRequest(struct ldapsrv_call *call)
1284 {
1285 struct ldap_DelRequest *req = &call->request->r.DelRequest;
1286 struct ldap_Result *del_result;
1287 struct ldapsrv_reply *del_reply;
1288 TALLOC_CTX *local_ctx;
1289 struct ldb_context *samdb = call->conn->ldb;
1290 struct ldb_dn *dn;
1291 const char *errstr = NULL;
1292 int result = LDAP_SUCCESS;
1293 int ldb_ret;
1294 struct ldb_result *res = NULL;
1295
1296 DBG_DEBUG("dn: %s\n", req->dn);
1297
1298 local_ctx = talloc_named(call, 0, "DelRequest local memory context");
1299 NT_STATUS_HAVE_NO_MEMORY(local_ctx);
1300
1301 dn = ldb_dn_new(local_ctx, samdb, req->dn);
1302 NT_STATUS_HAVE_NO_MEMORY(dn);
1303
1304 DBG_DEBUG("dn: [%s]\n", req->dn);
1305
1306 del_reply = ldapsrv_init_reply(call, LDAP_TAG_DelResponse);
1307 NT_STATUS_HAVE_NO_MEMORY(del_reply);
1308
1309 if (result == LDAP_SUCCESS) {
1310 res = talloc_zero(local_ctx, struct ldb_result);
1311 NT_STATUS_HAVE_NO_MEMORY(res);
1312 ldb_ret = ldapsrv_del_with_controls(call, dn, call->request->controls, res);
1313 result = map_ldb_error(local_ctx, ldb_ret, ldb_errstring(samdb),
1314 &errstr);
1315 }
1316
1317 del_result = &del_reply->msg->r.DelResponse;
1318 del_result->dn = NULL;
1319 if ((res != NULL) && (res->refs != NULL)) {
1320 del_result->resultcode = map_ldb_error(local_ctx,
1321 LDB_ERR_REFERRAL, NULL,
1322 &errstr);
1323 del_result->errormessage = (errstr?talloc_strdup(del_reply,errstr):NULL);
1324 del_result->referral = talloc_strdup(call, *res->refs);
1325 } else {
1326 del_result->resultcode = result;
1327 del_result->errormessage = (errstr?talloc_strdup(del_reply,errstr):NULL);
1328 del_result->referral = NULL;
1329 }
1330
1331 talloc_free(local_ctx);
1332
1333 return ldapsrv_queue_reply(call, del_reply);
1334 }
1335
1336 static NTSTATUS ldapsrv_ModifyDNRequest(struct ldapsrv_call *call)
1337 {
1338 struct ldap_ModifyDNRequest *req = &call->request->r.ModifyDNRequest;
1339 struct ldap_Result *modifydn;
1340 struct ldapsrv_reply *modifydn_r;
1341 TALLOC_CTX *local_ctx;
1342 struct ldb_context *samdb = call->conn->ldb;
1343 struct ldb_dn *olddn, *newdn=NULL, *newrdn;
1344 struct ldb_dn *parentdn = NULL;
1345 const char *errstr = NULL;
1346 int result = LDAP_SUCCESS;
1347 int ldb_ret;
1348 struct ldb_result *res = NULL;
1349
1350 DBG_DEBUG("dn: %s newrdn: %s\n",
1351 req->dn, req->newrdn);
1352
1353 local_ctx = talloc_named(call, 0, "ModifyDNRequest local memory context");
1354 NT_STATUS_HAVE_NO_MEMORY(local_ctx);
1355
1356 olddn = ldb_dn_new(local_ctx, samdb, req->dn);
1357 NT_STATUS_HAVE_NO_MEMORY(olddn);
1358
1359 newrdn = ldb_dn_new(local_ctx, samdb, req->newrdn);
1360 NT_STATUS_HAVE_NO_MEMORY(newrdn);
1361
1362 DBG_DEBUG("olddn: [%s] newrdn: [%s]\n",
1363 req->dn, req->newrdn);
1364
1365 if (ldb_dn_get_comp_num(newrdn) == 0) {
1366 result = LDAP_PROTOCOL_ERROR;
1367 map_ldb_error(local_ctx, LDB_ERR_PROTOCOL_ERROR, NULL,
1368 &errstr);
1369 goto reply;
1370 }
1371
1372 if (ldb_dn_get_comp_num(newrdn) > 1) {
1373 result = LDAP_NAMING_VIOLATION;
1374 map_ldb_error(local_ctx, LDB_ERR_NAMING_VIOLATION, NULL,
1375 &errstr);
1376 goto reply;
1377 }
1378
1379 /* we can't handle the rename if we should not remove the old dn */
1380 if (!req->deleteolddn) {
1381 result = LDAP_UNWILLING_TO_PERFORM;
1382 map_ldb_error(local_ctx, LDB_ERR_UNWILLING_TO_PERFORM, NULL,
1383 &errstr);
1384 errstr = talloc_asprintf(local_ctx,
1385 "%s. Old RDN must be deleted", errstr);
1386 goto reply;
1387 }
1388
1389 if (req->newsuperior) {
1390 DBG_DEBUG("newsuperior: [%s]\n", req->newsuperior);
1391 parentdn = ldb_dn_new(local_ctx, samdb, req->newsuperior);
1392 }
1393
1394 if (!parentdn) {
1395 parentdn = ldb_dn_get_parent(local_ctx, olddn);
1396 }
1397 if (!parentdn) {
1398 result = LDAP_NO_SUCH_OBJECT;
1399 map_ldb_error(local_ctx, LDB_ERR_NO_SUCH_OBJECT, NULL, &errstr);
1400 goto reply;
1401 }
1402
1403 if ( ! ldb_dn_add_child(parentdn, newrdn)) {
1404 result = LDAP_OTHER;
1405 map_ldb_error(local_ctx, LDB_ERR_OTHER, NULL, &errstr);
1406 goto reply;
1407 }
1408 newdn = parentdn;
1409
1410 reply:
1411 modifydn_r = ldapsrv_init_reply(call, LDAP_TAG_ModifyDNResponse);
1412 NT_STATUS_HAVE_NO_MEMORY(modifydn_r);
1413
1414 if (result == LDAP_SUCCESS) {
1415 res = talloc_zero(local_ctx, struct ldb_result);
1416 NT_STATUS_HAVE_NO_MEMORY(res);
1417 ldb_ret = ldapsrv_rename_with_controls(call, olddn, newdn, call->request->controls, res);
1418 result = map_ldb_error(local_ctx, ldb_ret, ldb_errstring(samdb),
1419 &errstr);
1420 }
1421
1422 modifydn = &modifydn_r->msg->r.ModifyDNResponse;
1423 modifydn->dn = NULL;
1424 if ((res != NULL) && (res->refs != NULL)) {
1425 modifydn->resultcode = map_ldb_error(local_ctx,
1426 LDB_ERR_REFERRAL, NULL,
1427 &errstr);;
1428 modifydn->errormessage = (errstr?talloc_strdup(modifydn_r,errstr):NULL);
1429 modifydn->referral = talloc_strdup(call, *res->refs);
1430 } else {
1431 modifydn->resultcode = result;
1432 modifydn->errormessage = (errstr?talloc_strdup(modifydn_r,errstr):NULL);
1433 modifydn->referral = NULL;
1434 }
1435
1436 talloc_free(local_ctx);
1437
1438 return ldapsrv_queue_reply(call, modifydn_r);
1439 }
1440
1441 static NTSTATUS ldapsrv_CompareRequest(struct ldapsrv_call *call)
1442 {
1443 struct ldap_CompareRequest *req = &call->request->r.CompareRequest;
1444 struct ldap_Result *compare;
1445 struct ldapsrv_reply *compare_r;
1446 TALLOC_CTX *local_ctx;
1447 struct ldb_context *samdb = call->conn->ldb;
1448 struct ldb_result *res = NULL;
1449 struct ldb_dn *dn;
1450 const char *attrs[1];
1451 const char *errstr = NULL;
1452 const char *filter = NULL;
1453 int result = LDAP_SUCCESS;
1454 int ldb_ret;
1455
1456 DBG_DEBUG("dn: %s\n", req->dn);
1457
1458 local_ctx = talloc_named(call, 0, "CompareRequest local_memory_context");
1459 NT_STATUS_HAVE_NO_MEMORY(local_ctx);
1460
1461 dn = ldb_dn_new(local_ctx, samdb, req->dn);
1462 NT_STATUS_HAVE_NO_MEMORY(dn);
1463
1464 DBG_DEBUG("dn: [%s]\n", req->dn);
1465 filter = talloc_asprintf(local_ctx, "(%s=%*s)", req->attribute,
1466 (int)req->value.length, req->value.data);
1467 NT_STATUS_HAVE_NO_MEMORY(filter);
1468
1469 DBG_DEBUG("attribute: [%s]\n", filter);
1470
1471 attrs[0] = NULL;
1472
1473 compare_r = ldapsrv_init_reply(call, LDAP_TAG_CompareResponse);
1474 NT_STATUS_HAVE_NO_MEMORY(compare_r);
1475
1476 if (result == LDAP_SUCCESS) {
1477 ldb_ret = ldb_search(samdb, local_ctx, &res,
1478 dn, LDB_SCOPE_BASE, attrs, "%s", filter);
1479 if (ldb_ret != LDB_SUCCESS) {
1480 result = map_ldb_error(local_ctx, ldb_ret,
1481 ldb_errstring(samdb), &errstr);
1482 DBG_DEBUG("error: %s\n", errstr);
1483 } else if (res->count == 0) {
1484 DBG_DEBUG("didn't match\n");
1485 result = LDAP_COMPARE_FALSE;
1486 errstr = NULL;
1487 } else if (res->count == 1) {
1488 DBG_DEBUG("matched\n");
1489 result = LDAP_COMPARE_TRUE;
1490 errstr = NULL;
1491 } else if (res->count > 1) {
1492 result = LDAP_OTHER;
1493 map_ldb_error(local_ctx, LDB_ERR_OTHER, NULL, &errstr);
1494 errstr = talloc_asprintf(local_ctx,
1495 "%s. Too many objects match!", errstr);
1496 DBG_DEBUG("%u results: %s\n", res->count, errstr);
1497 }
1498 }
1499
1500 compare = &compare_r->msg->r.CompareResponse;
1501 compare->dn = NULL;
1502 compare->resultcode = result;
1503 compare->errormessage = (errstr?talloc_strdup(compare_r,errstr):NULL);
1504 compare->referral = NULL;
1505
1506 talloc_free(local_ctx);
1507
1508 return ldapsrv_queue_reply(call, compare_r);
1509 }
1510
1511 static NTSTATUS ldapsrv_AbandonRequest(struct ldapsrv_call *call)
1512 {
1513 struct ldap_AbandonRequest *req = &call->request->r.AbandonRequest;
1514 struct ldapsrv_call *c = NULL;
1515 struct ldapsrv_call *n = NULL;
1516
1517 DBG_DEBUG("abandoned\n");
1518
1519 for (c = call->conn->pending_calls; c != NULL; c = n) {
1520 n = c->next;
1521
1522 if (c->request->messageid != req->messageid) {
1523 continue;
1524 }
1525
1526 DLIST_REMOVE(call->conn->pending_calls, c);
1527 TALLOC_FREE(c);
1528 }
1529
1530 return NT_STATUS_OK;
1531 }
1532
1533 static NTSTATUS ldapsrv_expired(struct ldapsrv_call *call)
1534 {
1535 struct ldapsrv_reply *reply = NULL;
1536 struct ldap_ExtendedResponse *r = NULL;
1537
1538 DBG_DEBUG("Sending connection expired message\n");
1539
1540 reply = ldapsrv_init_reply(call, LDAP_TAG_ExtendedResponse);
1541 if (reply == NULL) {
1542 return NT_STATUS_NO_MEMORY;
1543 }
1544
1545 /*
1546 * According to RFC4511 section 4.4.1 this has a msgid of 0
1547 */
1548 reply->msg->messageid = 0;
1549
1550 r = &reply->msg->r.ExtendedResponse;
1551 r->response.resultcode = LDB_ERR_UNAVAILABLE;
1552 r->response.errormessage = "The server has timed out this connection";
1553 r->oid = "1.3.6.1.4.1.1466.20036"; /* see rfc4511 section 4.4.1 */
1554
1555 ldapsrv_queue_reply(call, reply);
1556 return NT_STATUS_OK;
1557 }
1558
1559 NTSTATUS ldapsrv_do_call(struct ldapsrv_call *call)
1560 {
1561 unsigned int i;
1562 struct ldap_message *msg = call->request;
1563 struct ldapsrv_connection *conn = call->conn;
1564 NTSTATUS status;
1565 bool expired;
1566
1567 expired = timeval_expired(&conn->limits.expire_time);
1568 if (expired) {
1569 status = ldapsrv_expired(call);
1570 if (!NT_STATUS_IS_OK(status)) {
1571 return status;
1572 }
1573 return NT_STATUS_NETWORK_SESSION_EXPIRED;
1574 }
1575
1576 /* Check for undecoded critical extensions */
1577 for (i=0; msg->controls && msg->controls[i]; i++) {
1578 if (!msg->controls_decoded[i] &&
1579 msg->controls[i]->critical) {
1580 DBG_NOTICE("Critical extension %s is not known to this server\n",
1581 msg->controls[i]->oid);
1582 return ldapsrv_unwilling(call, LDAP_UNAVAILABLE_CRITICAL_EXTENSION);
1583 }
1584 }
1585
1586 if (call->conn->authz_logged == false) {
1587 bool log = true;
1588
1589 /*
1590 * We do not want to log anonymous access if the query
1591 * is just for the rootDSE, or it is a startTLS or a
1592 * Bind.
1593 *
1594 * A rootDSE search could also be done over
1595 * CLDAP anonymously for example, so these don't
1596 * really count.
1597 * Essentially we want to know about
1598 * access beyond that normally done prior to a
1599 * bind.
1600 */
1601
1602 switch(call->request->type) {
1603 case LDAP_TAG_BindRequest:
1604 case LDAP_TAG_UnbindRequest:
1605 case LDAP_TAG_AbandonRequest:
1606 log = false;
1607 break;
1608 case LDAP_TAG_ExtendedResponse: {
1609 struct ldap_ExtendedRequest *req = &call->request->r.ExtendedRequest;
1610 if (strcmp(req->oid, LDB_EXTENDED_START_TLS_OID) == 0) {
1611 log = false;
1612 }
1613 break;
1614 }
1615 case LDAP_TAG_SearchRequest: {
1616 struct ldap_SearchRequest *req = &call->request->r.SearchRequest;
1617 if (req->scope == LDAP_SEARCH_SCOPE_BASE) {
1618 if (req->basedn[0] == '\0') {
1619 log = false;
1620 }
1621 }
1622 break;
1623 }
1624 default:
1625 break;
1626 }
1627
1628 if (log) {
1629 const char *transport_protection = AUTHZ_TRANSPORT_PROTECTION_NONE;
1630 if (call->conn->sockets.active == call->conn->sockets.tls) {
1631 transport_protection = AUTHZ_TRANSPORT_PROTECTION_TLS;
1632 }
1633
1634 log_successful_authz_event(call->conn->connection->msg_ctx,
1635 call->conn->connection->lp_ctx,
1636 call->conn->connection->remote_address,
1637 call->conn->connection->local_address,
1638 "LDAP",
1639 "no bind",
1640 transport_protection,
1641 call->conn->session_info,
1642 NULL /* client_audit_info */,
1643 NULL /* server_audit_info */);
1644
1645 call->conn->authz_logged = true;
1646 }
1647 }
1648
1649 switch(call->request->type) {
1650 case LDAP_TAG_BindRequest:
1651 return ldapsrv_BindRequest(call);
1652 case LDAP_TAG_UnbindRequest:
1653 return ldapsrv_UnbindRequest(call);
1654 case LDAP_TAG_SearchRequest:
1655 return ldapsrv_SearchRequest(call);
1656 case LDAP_TAG_ModifyRequest:
1657 status = ldapsrv_ModifyRequest(call);
1658 break;
1659 case LDAP_TAG_AddRequest:
1660 status = ldapsrv_AddRequest(call);
1661 break;
1662 case LDAP_TAG_DelRequest:
1663 status = ldapsrv_DelRequest(call);
1664 break;
1665 case LDAP_TAG_ModifyDNRequest:
1666 status = ldapsrv_ModifyDNRequest(call);
1667 break;
1668 case LDAP_TAG_CompareRequest:
1669 return ldapsrv_CompareRequest(call);
1670 case LDAP_TAG_AbandonRequest:
1671 return ldapsrv_AbandonRequest(call);
1672 case LDAP_TAG_ExtendedRequest:
1673 status = ldapsrv_ExtendedRequest(call);
1674 break;
1675 default:
1676 return ldapsrv_unwilling(call, LDAP_PROTOCOL_ERROR);
1677 }
1678
1679 if (NT_STATUS_IS_OK(status)) {
1680 ldapsrv_notification_retry_setup(call->conn->service, true);
1681 }
1682
1683 return status;
1684 }
Samba GIT mirror