search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
WHATSNEW: Update changes.
[Samba.git] / source4 / ldap_server / ldap_bind.c
blob1b235f2a1bdacb5f67abd2eb5b59f2efe83df369
1 /*
2 Unix SMB/CIFS implementation.
3 LDAP server
4 Copyright (C) Stefan Metzmacher 2004
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
18 */
19
20 #include "includes.h"
21 #include "ldap_server/ldap_server.h"
22 #include "auth/auth.h"
23 #include "smbd/service.h"
24 #include "lib/ldb/include/ldb.h"
25 #include "lib/ldb/include/ldb_errors.h"
26 #include "dsdb/samdb/samdb.h"
27 #include "auth/gensec/gensec.h"
28 #include "param/param.h"
29
30 static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call)
31 {
32 struct ldap_BindRequest *req = &call->request->r.BindRequest;
33 struct ldapsrv_reply *reply;
34 struct ldap_BindResponse *resp;
35
36 int result;
37 const char *errstr;
38 const char *nt4_domain, *nt4_account;
39
40 struct auth_session_info *session_info;
41
42 NTSTATUS status;
43
44 DEBUG(10, ("BindSimple dn: %s\n",req->dn));
45
46 status = crack_auto_name_to_nt4_name(call, call->conn->connection->event.ctx, call->conn->lp_ctx, req->dn, &nt4_domain, &nt4_account);
47 if (NT_STATUS_IS_OK(status)) {
48 status = authenticate_username_pw(call,
49 call->conn->connection->event.ctx,
50 call->conn->connection->msg_ctx,
51 call->conn->lp_ctx,
52 nt4_domain, nt4_account,
53 req->creds.password,
54 &session_info);
55 }
56
57 reply = ldapsrv_init_reply(call, LDAP_TAG_BindResponse);
58 if (!reply) {
59 return NT_STATUS_NO_MEMORY;
60 }
61
62 if (NT_STATUS_IS_OK(status)) {
63 result = LDAP_SUCCESS;
64 errstr = NULL;
65
66 talloc_free(call->conn->session_info);
67 call->conn->session_info = session_info;
68 talloc_steal(call->conn, session_info);
69
70 /* don't leak the old LDB */
71 talloc_free(call->conn->ldb);
72
73 status = ldapsrv_backend_Init(call->conn);
74
75 if (!NT_STATUS_IS_OK(status)) {
76 result = LDAP_OPERATIONS_ERROR;
77 errstr = talloc_asprintf(reply, "Simple Bind: Failed to advise ldb new credentials: %s", nt_errstr(status));
78 }
79 } else {
80 status = auth_nt_status_squash(status);
81
82 result = LDAP_INVALID_CREDENTIALS;
83 errstr = talloc_asprintf(reply, "Simple Bind Failed: %s", nt_errstr(status));
84 }
85
86 resp = &reply->msg->r.BindResponse;
87 resp->response.resultcode = result;
88 resp->response.errormessage = errstr;
89 resp->response.dn = NULL;
90 resp->response.referral = NULL;
91 resp->SASL.secblob = NULL;
92
93 ldapsrv_queue_reply(call, reply);
94 return NT_STATUS_OK;
95 }
96
97 struct ldapsrv_sasl_context {
98 struct ldapsrv_connection *conn;
99 struct socket_context *sasl_socket;
100 };
101
102 static void ldapsrv_set_sasl(void *private_data)
103 {
104 struct ldapsrv_sasl_context *ctx = talloc_get_type(private_data, struct ldapsrv_sasl_context);
105 talloc_steal(ctx->conn->connection, ctx->sasl_socket);
106 talloc_unlink(ctx->conn->connection, ctx->conn->connection->socket);
107
108 ctx->conn->sockets.sasl = ctx->sasl_socket;
109 ctx->conn->connection->socket = ctx->sasl_socket;
110 packet_set_socket(ctx->conn->packet, ctx->conn->connection->socket);
111 }
112
113 static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call)
114 {
115 struct ldap_BindRequest *req = &call->request->r.BindRequest;
116 struct ldapsrv_reply *reply;
117 struct ldap_BindResponse *resp;
118 struct ldapsrv_connection *conn;
119 int result = 0;
120 const char *errstr=NULL;
121 NTSTATUS status = NT_STATUS_OK;
122
123 DEBUG(10, ("BindSASL dn: %s\n",req->dn));
124
125 reply = ldapsrv_init_reply(call, LDAP_TAG_BindResponse);
126 if (!reply) {
127 return NT_STATUS_NO_MEMORY;
128 }
129 resp = &reply->msg->r.BindResponse;
130
131 conn = call->conn;
132
133 /*
134 * TODO: a SASL bind with a different mechanism
135 * should cancel an inprogress SASL bind.
136 * (see RFC 4513)
137 */
138
139 if (!conn->gensec) {
140 conn->session_info = NULL;
141
142 status = samba_server_gensec_start(conn,
143 conn->connection->event.ctx,
144 conn->connection->msg_ctx,
145 conn->lp_ctx,
146 conn->server_credentials,
147 "ldap",
148 &conn->gensec);
149 if (!NT_STATUS_IS_OK(status)) {
150 DEBUG(1, ("Failed to start GENSEC server code: %s\n", nt_errstr(status)));
151 result = LDAP_OPERATIONS_ERROR;
152 errstr = talloc_asprintf(reply, "SASL: Failed to start authentication system: %s",
153 nt_errstr(status));
154 } else {
155
156 gensec_want_feature(conn->gensec, GENSEC_FEATURE_SIGN);
157 gensec_want_feature(conn->gensec, GENSEC_FEATURE_SEAL);
158 gensec_want_feature(conn->gensec, GENSEC_FEATURE_ASYNC_REPLIES);
159
160 status = gensec_start_mech_by_sasl_name(conn->gensec, req->creds.SASL.mechanism);
161
162 if (!NT_STATUS_IS_OK(status)) {
163 DEBUG(1, ("Failed to start GENSEC SASL[%s] server code: %s\n",
164 req->creds.SASL.mechanism, nt_errstr(status)));
165 result = LDAP_OPERATIONS_ERROR;
166 errstr = talloc_asprintf(reply, "SASL:[%s]: Failed to start authentication backend: %s",
167 req->creds.SASL.mechanism, nt_errstr(status));
168 }
169 }
170 }
171
172 if (NT_STATUS_IS_OK(status)) {
173 DATA_BLOB input = data_blob(NULL, 0);
174 DATA_BLOB output = data_blob(NULL, 0);
175
176 if (req->creds.SASL.secblob) {
177 input = *req->creds.SASL.secblob;
178 }
179
180 status = gensec_update(conn->gensec, reply,
181 input, &output);
182
183 /* Windows 2000 mmc doesn't like secblob == NULL and reports a decoding error */
184 resp->SASL.secblob = talloc(reply, DATA_BLOB);
185 NT_STATUS_HAVE_NO_MEMORY(resp->SASL.secblob);
186 *resp->SASL.secblob = output;
187 } else {
188 resp->SASL.secblob = NULL;
189 }
190
191 if (NT_STATUS_EQUAL(NT_STATUS_MORE_PROCESSING_REQUIRED, status)) {
192 result = LDAP_SASL_BIND_IN_PROGRESS;
193 errstr = NULL;
194 } else if (NT_STATUS_IS_OK(status)) {
195 struct auth_session_info *old_session_info=NULL;
196 struct ldapsrv_sasl_context *ctx;
197
198 result = LDAP_SUCCESS;
199 errstr = NULL;
200
201 ctx = talloc(call, struct ldapsrv_sasl_context);
202
203 if (!ctx) {
204 status = NT_STATUS_NO_MEMORY;
205 } else {
206 ctx->conn = conn;
207 status = gensec_socket_init(conn->gensec,
208 conn->connection,
209 conn->connection->socket,
210 conn->connection->event.ctx,
211 stream_io_handler_callback,
212 conn->connection,
213 &ctx->sasl_socket);
214 }
215
216 if (!ctx || !NT_STATUS_IS_OK(status)) {
217 conn->session_info = old_session_info;
218 result = LDAP_OPERATIONS_ERROR;
219 errstr = talloc_asprintf(reply,
220 "SASL:[%s]: Failed to setup SASL socket: %s",
221 req->creds.SASL.mechanism, nt_errstr(status));
222 } else {
223
224 call->send_callback = ldapsrv_set_sasl;
225 call->send_private = ctx;
226
227 old_session_info = conn->session_info;
228 conn->session_info = NULL;
229 status = gensec_session_info(conn->gensec, &conn->session_info);
230 if (!NT_STATUS_IS_OK(status)) {
231 conn->session_info = old_session_info;
232 result = LDAP_OPERATIONS_ERROR;
233 errstr = talloc_asprintf(reply,
234 "SASL:[%s]: Failed to get session info: %s",
235 req->creds.SASL.mechanism, nt_errstr(status));
236 } else {
237 talloc_free(old_session_info);
238 talloc_steal(conn, conn->session_info);
239
240 /* don't leak the old LDB */
241 talloc_free(conn->ldb);
242
243 status = ldapsrv_backend_Init(conn);
244
245 if (!NT_STATUS_IS_OK(status)) {
246 result = LDAP_OPERATIONS_ERROR;
247 errstr = talloc_asprintf(reply,
248 "SASL:[%s]: Failed to advise samdb of new credentials: %s",
249 req->creds.SASL.mechanism,
250 nt_errstr(status));
251 }
252 }
253 }
254 } else {
255 status = auth_nt_status_squash(status);
256 if (result == 0) {
257 result = LDAP_INVALID_CREDENTIALS;
258 errstr = talloc_asprintf(reply, "SASL:[%s]: %s", req->creds.SASL.mechanism, nt_errstr(status));
259 }
260 }
261
262 resp->response.resultcode = result;
263 resp->response.dn = NULL;
264 resp->response.errormessage = errstr;
265 resp->response.referral = NULL;
266
267 ldapsrv_queue_reply(call, reply);
268 return NT_STATUS_OK;
269 }
270
271 NTSTATUS ldapsrv_BindRequest(struct ldapsrv_call *call)
272 {
273 struct ldap_BindRequest *req = &call->request->r.BindRequest;
274 struct ldapsrv_reply *reply;
275 struct ldap_BindResponse *resp;
276
277 /*
278 * TODO: we should fail the bind request
279 * if there're any pending requests.
280 *
281 * also a simple bind should cancel an
282 * inprogress SASL bind.
283 * (see RFC 4513)
284 */
285 switch (req->mechanism) {
286 case LDAP_AUTH_MECH_SIMPLE:
287 return ldapsrv_BindSimple(call);
288 case LDAP_AUTH_MECH_SASL:
289 return ldapsrv_BindSASL(call);
290 }
291
292 reply = ldapsrv_init_reply(call, LDAP_TAG_BindResponse);
293 if (!reply) {
294 return NT_STATUS_NO_MEMORY;
295 }
296
297 resp = &reply->msg->r.BindResponse;
298 resp->response.resultcode = 7;
299 resp->response.dn = NULL;
300 resp->response.errormessage = talloc_asprintf(reply, "Bad AuthenticationChoice [%d]", req->mechanism);
301 resp->response.referral = NULL;
302 resp->SASL.secblob = NULL;
303
304 ldapsrv_queue_reply(call, reply);
305 return NT_STATUS_OK;
306 }
307
308 NTSTATUS ldapsrv_UnbindRequest(struct ldapsrv_call *call)
309 {
310 DEBUG(10, ("UnbindRequest\n"));
311 return NT_STATUS_OK;
312 }
Samba GIT mirror