search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
python:tests: Store keys as bytes rather than as tuples
[Samba.git] / source4 / ldap_server / ldap_server.c
blob90316fd6b68cd2578cd57e07235775fda0484497
1 /*
2 Unix SMB/CIFS implementation.
3
4 LDAP server
5
6 Copyright (C) Andrew Tridgell 2005
7 Copyright (C) Volker Lendecke 2004
8 Copyright (C) Stefan Metzmacher 2004
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "system/network.h"
26 #include "lib/events/events.h"
27 #include "auth/auth.h"
28 #include "auth/credentials/credentials.h"
29 #include "librpc/gen_ndr/ndr_samr.h"
30 #include "../lib/util/dlinklist.h"
31 #include "../lib/util/asn1.h"
32 #include "ldap_server/ldap_server.h"
33 #include "samba/service_task.h"
34 #include "samba/service_stream.h"
35 #include "samba/service.h"
36 #include "samba/process_model.h"
37 #include "lib/tls/tls.h"
38 #include "lib/messaging/irpc.h"
39 #include <ldb.h>
40 #include <ldb_errors.h>
41 #include "libcli/ldap/ldap_proto.h"
42 #include "system/network.h"
43 #include "lib/socket/netif.h"
44 #include "dsdb/samdb/samdb.h"
45 #include "param/param.h"
46 #include "../lib/tsocket/tsocket.h"
47 #include "../lib/util/tevent_ntstatus.h"
48 #include "../libcli/util/tstream.h"
49 #include "libds/common/roles.h"
50 #include "lib/util/time.h"
51 #include "lib/util/server_id.h"
52 #include "lib/util/server_id_db.h"
53 #include "lib/messaging/messaging_internal.h"
54
55 #undef strcasecmp
56
57 static void ldapsrv_terminate_connection_done(struct tevent_req *subreq);
58
59 /*
60 close the socket and shutdown a server_context
61 */
62 static void ldapsrv_terminate_connection(struct ldapsrv_connection *conn,
63 const char *reason)
64 {
65 struct tevent_req *subreq;
66
67 if (conn->limits.reason) {
68 return;
69 }
70
71 DLIST_REMOVE(conn->service->connections, conn);
72
73 conn->limits.endtime = timeval_current_ofs(0, 500);
74
75 tevent_queue_stop(conn->sockets.send_queue);
76 TALLOC_FREE(conn->sockets.read_req);
77 TALLOC_FREE(conn->deferred_expire_disconnect);
78 if (conn->active_call) {
79 tevent_req_cancel(conn->active_call);
80 conn->active_call = NULL;
81 }
82
83 conn->limits.reason = talloc_strdup(conn, reason);
84 if (conn->limits.reason == NULL) {
85 TALLOC_FREE(conn->sockets.tls);
86 TALLOC_FREE(conn->sockets.sasl);
87 TALLOC_FREE(conn->sockets.raw);
88 stream_terminate_connection(conn->connection, reason);
89 return;
90 }
91
92 subreq = tstream_disconnect_send(conn,
93 conn->connection->event.ctx,
94 conn->sockets.active);
95 if (subreq == NULL) {
96 TALLOC_FREE(conn->sockets.tls);
97 TALLOC_FREE(conn->sockets.sasl);
98 TALLOC_FREE(conn->sockets.raw);
99 stream_terminate_connection(conn->connection, reason);
100 return;
101 }
102 tevent_req_set_endtime(subreq,
103 conn->connection->event.ctx,
104 conn->limits.endtime);
105 tevent_req_set_callback(subreq, ldapsrv_terminate_connection_done, conn);
106 }
107
108 static void ldapsrv_terminate_connection_done(struct tevent_req *subreq)
109 {
110 struct ldapsrv_connection *conn =
111 tevent_req_callback_data(subreq,
112 struct ldapsrv_connection);
113 int sys_errno;
114 bool ok;
115
116 tstream_disconnect_recv(subreq, &sys_errno);
117 TALLOC_FREE(subreq);
118
119 if (conn->sockets.active == conn->sockets.raw) {
120 TALLOC_FREE(conn->sockets.tls);
121 TALLOC_FREE(conn->sockets.sasl);
122 TALLOC_FREE(conn->sockets.raw);
123 stream_terminate_connection(conn->connection,
124 conn->limits.reason);
125 return;
126 }
127
128 TALLOC_FREE(conn->sockets.tls);
129 TALLOC_FREE(conn->sockets.sasl);
130 conn->sockets.active = conn->sockets.raw;
131
132 subreq = tstream_disconnect_send(conn,
133 conn->connection->event.ctx,
134 conn->sockets.active);
135 if (subreq == NULL) {
136 TALLOC_FREE(conn->sockets.raw);
137 stream_terminate_connection(conn->connection,
138 conn->limits.reason);
139 return;
140 }
141 ok = tevent_req_set_endtime(subreq,
142 conn->connection->event.ctx,
143 conn->limits.endtime);
144 if (!ok) {
145 TALLOC_FREE(conn->sockets.raw);
146 stream_terminate_connection(conn->connection,
147 conn->limits.reason);
148 return;
149 }
150 tevent_req_set_callback(subreq, ldapsrv_terminate_connection_done, conn);
151 }
152
153 /*
154 called when a LDAP socket becomes readable
155 */
156 void ldapsrv_recv(struct stream_connection *c, uint16_t flags)
157 {
158 smb_panic(__location__);
159 }
160
161 /*
162 called when a LDAP socket becomes writable
163 */
164 static void ldapsrv_send(struct stream_connection *c, uint16_t flags)
165 {
166 smb_panic(__location__);
167 }
168
169 static int ldapsrv_load_limits(struct ldapsrv_connection *conn)
170 {
171 TALLOC_CTX *tmp_ctx;
172 const char *attrs[] = { "configurationNamingContext", NULL };
173 const char *attrs2[] = { "lDAPAdminLimits", NULL };
174 struct ldb_message_element *el;
175 struct ldb_result *res = NULL;
176 struct ldb_dn *basedn;
177 struct ldb_dn *conf_dn;
178 struct ldb_dn *policy_dn;
179 unsigned int i;
180 int ret;
181
182 /* set defaults limits in case of failure */
183 conn->limits.initial_timeout = 120;
184 conn->limits.conn_idle_time = 900;
185 conn->limits.max_page_size = 1000;
186 conn->limits.max_notifications = 5;
187 conn->limits.search_timeout = 120;
188 conn->limits.expire_time = (struct timeval) {
189 .tv_sec = get_time_t_max(),
190 };
191
192
193 tmp_ctx = talloc_new(conn);
194 if (tmp_ctx == NULL) {
195 return -1;
196 }
197
198 basedn = ldb_dn_new(tmp_ctx, conn->ldb, NULL);
199 if (basedn == NULL) {
200 goto failed;
201 }
202
203 ret = ldb_search(conn->ldb, tmp_ctx, &res, basedn, LDB_SCOPE_BASE, attrs, NULL);
204 if (ret != LDB_SUCCESS) {
205 goto failed;
206 }
207
208 if (res->count != 1) {
209 goto failed;
210 }
211
212 conf_dn = ldb_msg_find_attr_as_dn(conn->ldb, tmp_ctx, res->msgs[0], "configurationNamingContext");
213 if (conf_dn == NULL) {
214 goto failed;
215 }
216
217 policy_dn = ldb_dn_copy(tmp_ctx, conf_dn);
218 ldb_dn_add_child_fmt(policy_dn, "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services");
219 if (policy_dn == NULL) {
220 goto failed;
221 }
222
223 ret = ldb_search(conn->ldb, tmp_ctx, &res, policy_dn, LDB_SCOPE_BASE, attrs2, NULL);
224 if (ret != LDB_SUCCESS) {
225 goto failed;
226 }
227
228 if (res->count != 1) {
229 goto failed;
230 }
231
232 el = ldb_msg_find_element(res->msgs[0], "lDAPAdminLimits");
233 if (el == NULL) {
234 goto failed;
235 }
236
237 for (i = 0; i < el->num_values; i++) {
238 char policy_name[256];
239 int policy_value, s;
240
241 s = sscanf((const char *)el->values[i].data, "%255[^=]=%d", policy_name, &policy_value);
242 if (s != 2 || policy_value == 0)
243 continue;
244 if (strcasecmp("InitRecvTimeout", policy_name) == 0) {
245 conn->limits.initial_timeout = policy_value;
246 continue;
247 }
248 if (strcasecmp("MaxConnIdleTime", policy_name) == 0) {
249 conn->limits.conn_idle_time = policy_value;
250 continue;
251 }
252 if (strcasecmp("MaxPageSize", policy_name) == 0) {
253 conn->limits.max_page_size = policy_value;
254 continue;
255 }
256 if (strcasecmp("MaxNotificationPerConn", policy_name) == 0) {
257 conn->limits.max_notifications = policy_value;
258 continue;
259 }
260 if (strcasecmp("MaxQueryDuration", policy_name) == 0) {
261 if (policy_value > 0) {
262 conn->limits.search_timeout = policy_value;
263 }
264 continue;
265 }
266 }
267
268 return 0;
269
270 failed:
271 DBG_ERR("Failed to load ldap server query policies\n");
272 talloc_free(tmp_ctx);
273 return -1;
274 }
275
276 static int ldapsrv_call_destructor(struct ldapsrv_call *call)
277 {
278 if (call->conn == NULL) {
279 return 0;
280 }
281
282 DLIST_REMOVE(call->conn->pending_calls, call);
283
284 call->conn = NULL;
285 return 0;
286 }
287
288 static struct tevent_req *ldapsrv_process_call_send(TALLOC_CTX *mem_ctx,
289 struct tevent_context *ev,
290 struct tevent_queue *call_queue,
291 struct ldapsrv_call *call);
292 static NTSTATUS ldapsrv_process_call_recv(struct tevent_req *req);
293
294 static bool ldapsrv_call_read_next(struct ldapsrv_connection *conn);
295 static void ldapsrv_accept_tls_done(struct tevent_req *subreq);
296
297 /*
298 initialise a server_context from a open socket and register a event handler
299 for reading from that socket
300 */
301 static void ldapsrv_accept(struct stream_connection *c,
302 struct auth_session_info *session_info,
303 bool is_privileged,
304 bool is_ldapi)
305 {
306 struct ldapsrv_service *ldapsrv_service =
307 talloc_get_type(c->private_data, struct ldapsrv_service);
308 struct ldapsrv_connection *conn;
309 struct cli_credentials *server_credentials;
310 struct socket_address *socket_address;
311 int port;
312 int ret;
313 struct tevent_req *subreq;
314 struct timeval endtime;
315 char *errstring = NULL;
316
317 conn = talloc_zero(c, struct ldapsrv_connection);
318 if (!conn) {
319 stream_terminate_connection(c, "ldapsrv_accept: out of memory");
320 return;
321 }
322 conn->is_privileged = is_privileged;
323 conn->is_ldapi = is_ldapi;
324
325 conn->sockets.send_queue = tevent_queue_create(conn, "ldapsrv send queue");
326 if (conn->sockets.send_queue == NULL) {
327 stream_terminate_connection(c,
328 "ldapsrv_accept: tevent_queue_create failed");
329 return;
330 }
331
332 TALLOC_FREE(c->event.fde);
333
334 ret = tstream_bsd_existing_socket(conn,
335 socket_get_fd(c->socket),
336 &conn->sockets.raw);
337 if (ret == -1) {
338 stream_terminate_connection(c,
339 "ldapsrv_accept: out of memory");
340 return;
341 }
342 socket_set_flags(c->socket, SOCKET_FLAG_NOCLOSE);
343 /* as server we want to fail early */
344 tstream_bsd_fail_readv_first_error(conn->sockets.raw, true);
345
346 conn->connection = c;
347 conn->service = ldapsrv_service;
348 conn->lp_ctx = ldapsrv_service->lp_ctx;
349
350 c->private_data = conn;
351
352 socket_address = socket_get_my_addr(c->socket, conn);
353 if (!socket_address) {
354 ldapsrv_terminate_connection(conn, "ldapsrv_accept: failed to obtain local socket address!");
355 return;
356 }
357 port = socket_address->port;
358 talloc_free(socket_address);
359 if (port == 3268 || port == 3269) /* Global catalog */ {
360 conn->global_catalog = true;
361 }
362
363 server_credentials = cli_credentials_init_server(conn, conn->lp_ctx);
364 if (!server_credentials) {
365 stream_terminate_connection(c, "Failed to init server credentials\n");
366 return;
367 }
368
369 conn->server_credentials = server_credentials;
370
371 conn->session_info = session_info;
372
373 conn->sockets.active = conn->sockets.raw;
374
375 if (conn->is_privileged) {
376 conn->require_strong_auth = LDAP_SERVER_REQUIRE_STRONG_AUTH_NO;
377 } else {
378 conn->require_strong_auth = lpcfg_ldap_server_require_strong_auth(conn->lp_ctx);
379 }
380
381 if (conn->require_strong_auth ==
382 LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS)
383 {
384 D_ERR("WARNING: You have not configured "
385 "'ldap server require strong auth = "
386 "allow_sasl_over_tls'.\n"
387 "Please change to 'yes' (preferred and default) or "
388 "'allow_sasl_without_tls_channel_bindings' "
389 "(if really needed)\n\n");
390 }
391
392 ret = ldapsrv_backend_Init(conn, &errstring);
393 if (ret != LDB_SUCCESS) {
394 char *reason = talloc_asprintf(conn,
395 "LDB backend for LDAP Init "
396 "failed: %s: %s",
397 errstring, ldb_strerror(ret));
398 ldapsrv_terminate_connection(conn, reason);
399 return;
400 }
401
402 /* load limits from the conf partition */
403 ldapsrv_load_limits(conn); /* should we fail on error ? */
404
405 /* register the server */
406 irpc_add_name(c->msg_ctx, "ldap_server");
407
408 DLIST_ADD_END(ldapsrv_service->connections, conn);
409
410 if (port != 636 && port != 3269) {
411 ldapsrv_call_read_next(conn);
412 return;
413 }
414
415 endtime = timeval_current_ofs(conn->limits.conn_idle_time, 0);
416
417 subreq = tstream_tls_accept_send(conn,
418 conn->connection->event.ctx,
419 conn->sockets.raw,
420 conn->service->tls_params);
421 if (subreq == NULL) {
422 ldapsrv_terminate_connection(conn, "ldapsrv_accept: "
423 "no memory for tstream_tls_accept_send");
424 return;
425 }
426 tevent_req_set_endtime(subreq,
427 conn->connection->event.ctx,
428 endtime);
429 tevent_req_set_callback(subreq, ldapsrv_accept_tls_done, conn);
430 }
431
432 static void ldapsrv_accept_tls_done(struct tevent_req *subreq)
433 {
434 struct ldapsrv_connection *conn =
435 tevent_req_callback_data(subreq,
436 struct ldapsrv_connection);
437 int ret;
438 int sys_errno;
439
440 ret = tstream_tls_accept_recv(subreq, &sys_errno,
441 conn, &conn->sockets.tls);
442 TALLOC_FREE(subreq);
443 if (ret == -1) {
444 const char *reason;
445
446 reason = talloc_asprintf(conn, "ldapsrv_accept_tls_loop: "
447 "tstream_tls_accept_recv() - %d:%s",
448 sys_errno, strerror(sys_errno));
449 if (!reason) {
450 reason = "ldapsrv_accept_tls_loop: "
451 "tstream_tls_accept_recv() - failed";
452 }
453
454 ldapsrv_terminate_connection(conn, reason);
455 return;
456 }
457
458 conn->sockets.active = conn->sockets.tls;
459 conn->referral_scheme = LDAP_REFERRAL_SCHEME_LDAPS;
460 ldapsrv_call_read_next(conn);
461 }
462
463 static void ldapsrv_call_read_done(struct tevent_req *subreq);
464 static NTSTATUS ldapsrv_packet_check(
465 struct tstream_context *stream,
466 void *private_data,
467 DATA_BLOB blob,
468 size_t *packet_size);
469
470 static bool ldapsrv_call_read_next(struct ldapsrv_connection *conn)
471 {
472 struct tevent_req *subreq;
473
474 if (conn->pending_calls != NULL) {
475 conn->limits.endtime = timeval_zero();
476
477 ldapsrv_notification_retry_setup(conn->service, false);
478 } else if (timeval_is_zero(&conn->limits.endtime)) {
479 conn->limits.endtime =
480 timeval_current_ofs(conn->limits.initial_timeout, 0);
481 } else {
482 conn->limits.endtime =
483 timeval_current_ofs(conn->limits.conn_idle_time, 0);
484 }
485
486 if (conn->sockets.read_req != NULL) {
487 return true;
488 }
489
490 /*
491 * The minimum size of a LDAP pdu is 7 bytes
492 *
493 * dumpasn1 -hh ldap-unbind-min.dat
494 *
495 * <30 05 02 01 09 42 00>
496 * 0 5: SEQUENCE {
497 * <02 01 09>
498 * 2 1: INTEGER 9
499 * <42 00>
500 * 5 0: [APPLICATION 2]
501 * : Error: Object has zero length.
502 * : }
503 *
504 * dumpasn1 -hh ldap-unbind-windows.dat
505 *
506 * <30 84 00 00 00 05 02 01 09 42 00>
507 * 0 5: SEQUENCE {
508 * <02 01 09>
509 * 6 1: INTEGER 9
510 * <42 00>
511 * 9 0: [APPLICATION 2]
512 * : Error: Object has zero length.
513 * : }
514 *
515 * This means using an initial read size
516 * of 7 is ok.
517 */
518 subreq = tstream_read_pdu_blob_send(conn,
519 conn->connection->event.ctx,
520 conn->sockets.active,
521 7, /* initial_read_size */
522 ldapsrv_packet_check,
523 conn);
524 if (subreq == NULL) {
525 ldapsrv_terminate_connection(conn, "ldapsrv_call_read_next: "
526 "no memory for tstream_read_pdu_blob_send");
527 return false;
528 }
529 if (!timeval_is_zero(&conn->limits.endtime)) {
530 bool ok;
531 ok = tevent_req_set_endtime(subreq,
532 conn->connection->event.ctx,
533 conn->limits.endtime);
534 if (!ok) {
535 ldapsrv_terminate_connection(
536 conn,
537 "ldapsrv_call_read_next: "
538 "no memory for tevent_req_set_endtime");
539 return false;
540 }
541 }
542 tevent_req_set_callback(subreq, ldapsrv_call_read_done, conn);
543 conn->sockets.read_req = subreq;
544 return true;
545 }
546
547 static void ldapsrv_call_process_done(struct tevent_req *subreq);
548 static int ldapsrv_check_packet_size(
549 struct ldapsrv_connection *conn,
550 size_t size);
551
552 static void ldapsrv_call_read_done(struct tevent_req *subreq)
553 {
554 struct ldapsrv_connection *conn =
555 tevent_req_callback_data(subreq,
556 struct ldapsrv_connection);
557 NTSTATUS status;
558 struct ldapsrv_call *call;
559 struct asn1_data *asn1;
560 DATA_BLOB blob;
561 int ret = LDAP_SUCCESS;
562 struct ldap_request_limits limits = {0};
563
564 conn->sockets.read_req = NULL;
565
566 call = talloc_zero(conn, struct ldapsrv_call);
567 if (!call) {
568 ldapsrv_terminate_connection(conn, "no memory");
569 return;
570 }
571 talloc_set_destructor(call, ldapsrv_call_destructor);
572
573 call->conn = conn;
574
575 status = tstream_read_pdu_blob_recv(subreq,
576 call,
577 &blob);
578 TALLOC_FREE(subreq);
579 if (!NT_STATUS_IS_OK(status)) {
580 const char *reason;
581
582 reason = talloc_asprintf(call, "ldapsrv_call_loop: "
583 "tstream_read_pdu_blob_recv() - %s",
584 nt_errstr(status));
585 if (!reason) {
586 reason = nt_errstr(status);
587 }
588
589 ldapsrv_terminate_connection(conn, reason);
590 return;
591 }
592
593 ret = ldapsrv_check_packet_size(conn, blob.length);
594 if (ret != LDAP_SUCCESS) {
595 ldapsrv_terminate_connection(
596 conn,
597 "Request packet too large");
598 return;
599 }
600
601 asn1 = asn1_init(call, ASN1_MAX_TREE_DEPTH);
602 if (asn1 == NULL) {
603 ldapsrv_terminate_connection(conn, "no memory");
604 return;
605 }
606
607 call->request = talloc(call, struct ldap_message);
608 if (call->request == NULL) {
609 ldapsrv_terminate_connection(conn, "no memory");
610 return;
611 }
612
613 asn1_load_nocopy(asn1, blob.data, blob.length);
614
615 limits.max_search_size =
616 lpcfg_ldap_max_search_request_size(conn->lp_ctx);
617 status = ldap_decode(
618 asn1,
619 &limits,
620 samba_ldap_control_handlers(),
621 call->request);
622 if (!NT_STATUS_IS_OK(status)) {
623 ldapsrv_terminate_connection(conn, nt_errstr(status));
624 return;
625 }
626
627 data_blob_free(&blob);
628 TALLOC_FREE(asn1);
629
630
631 /* queue the call in the global queue */
632 subreq = ldapsrv_process_call_send(call,
633 conn->connection->event.ctx,
634 conn->service->call_queue,
635 call);
636 if (subreq == NULL) {
637 ldapsrv_terminate_connection(conn, "ldapsrv_process_call_send failed");
638 return;
639 }
640 tevent_req_set_callback(subreq, ldapsrv_call_process_done, call);
641 conn->active_call = subreq;
642 }
643
644 static void ldapsrv_call_wait_done(struct tevent_req *subreq);
645 static void ldapsrv_call_writev_start(struct ldapsrv_call *call);
646 static void ldapsrv_call_writev_done(struct tevent_req *subreq);
647
648 static void ldapsrv_call_process_done(struct tevent_req *subreq)
649 {
650 struct ldapsrv_call *call =
651 tevent_req_callback_data(subreq,
652 struct ldapsrv_call);
653 struct ldapsrv_connection *conn = call->conn;
654 NTSTATUS status;
655
656 conn->active_call = NULL;
657
658 status = ldapsrv_process_call_recv(subreq);
659 TALLOC_FREE(subreq);
660 if (!NT_STATUS_IS_OK(status)) {
661 ldapsrv_terminate_connection(conn, nt_errstr(status));
662 return;
663 }
664
665 if (call->wait_send != NULL) {
666 subreq = call->wait_send(call,
667 conn->connection->event.ctx,
668 call->wait_private);
669 if (subreq == NULL) {
670 ldapsrv_terminate_connection(conn,
671 "ldapsrv_call_process_done: "
672 "call->wait_send - no memory");
673 return;
674 }
675 tevent_req_set_callback(subreq,
676 ldapsrv_call_wait_done,
677 call);
678 conn->active_call = subreq;
679 return;
680 }
681
682 ldapsrv_call_writev_start(call);
683 }
684
685 static void ldapsrv_call_wait_done(struct tevent_req *subreq)
686 {
687 struct ldapsrv_call *call =
688 tevent_req_callback_data(subreq,
689 struct ldapsrv_call);
690 struct ldapsrv_connection *conn = call->conn;
691 NTSTATUS status;
692
693 conn->active_call = NULL;
694
695 status = call->wait_recv(subreq);
696 TALLOC_FREE(subreq);
697 if (!NT_STATUS_IS_OK(status)) {
698 const char *reason;
699
700 reason = talloc_asprintf(call, "ldapsrv_call_wait_done: "
701 "call->wait_recv() - %s",
702 nt_errstr(status));
703 if (reason == NULL) {
704 reason = nt_errstr(status);
705 }
706
707 ldapsrv_terminate_connection(conn, reason);
708 return;
709 }
710
711 ldapsrv_call_writev_start(call);
712 }
713
714 static void ldapsrv_call_writev_start(struct ldapsrv_call *call)
715 {
716 struct ldapsrv_connection *conn = call->conn;
717 struct ldapsrv_reply *reply = NULL;
718 struct tevent_req *subreq = NULL;
719 struct timeval endtime;
720 size_t length = 0;
721 size_t i;
722
723 call->iov_count = 0;
724
725 /* build all the replies into an IOV (no copy) */
726 for (reply = call->replies;
727 reply != NULL;
728 reply = reply->next) {
729
730 /* Cap output at 25MB per writev() */
731 if (length > length + reply->blob.length
732 || length + reply->blob.length > LDAP_SERVER_MAX_CHUNK_SIZE) {
733 break;
734 }
735
736 /*
737 * Overflow is harmless here, just used below to
738 * decide if to read or write, but checked above anyway
739 */
740 length += reply->blob.length;
741
742 /*
743 * At worst an overflow would mean we send less
744 * replies
745 */
746 call->iov_count++;
747 }
748
749 if (length == 0) {
750 if (!call->notification.busy) {
751 TALLOC_FREE(call);
752 }
753
754 ldapsrv_call_read_next(conn);
755 return;
756 }
757
758 /* Cap call->iov_count at IOV_MAX */
759 call->iov_count = MIN(call->iov_count, IOV_MAX);
760
761 call->out_iov = talloc_array(call,
762 struct iovec,
763 call->iov_count);
764 if (!call->out_iov) {
765 /* This is not ideal */
766 ldapsrv_terminate_connection(conn,
767 "failed to allocate "
768 "iovec array");
769 return;
770 }
771
772 /* We may have had to cap the number of replies at IOV_MAX */
773 for (i = 0;
774 i < call->iov_count && call->replies != NULL;
775 i++) {
776 reply = call->replies;
777 call->out_iov[i].iov_base = reply->blob.data;
778 call->out_iov[i].iov_len = reply->blob.length;
779
780 /* Keep only the ASN.1 encoded data */
781 talloc_steal(call->out_iov, reply->blob.data);
782
783 DLIST_REMOVE(call->replies, reply);
784 TALLOC_FREE(reply);
785 }
786
787 if (i > call->iov_count) {
788 /* This is not ideal, but also (essentially) impossible */
789 ldapsrv_terminate_connection(conn,
790 "call list ended"
791 "before iov_count");
792 return;
793 }
794
795 subreq = tstream_writev_queue_send(call,
796 conn->connection->event.ctx,
797 conn->sockets.active,
798 conn->sockets.send_queue,
799 call->out_iov, call->iov_count);
800 if (subreq == NULL) {
801 ldapsrv_terminate_connection(conn, "stream_writev_queue_send failed");
802 return;
803 }
804 endtime = timeval_current_ofs(conn->limits.conn_idle_time, 0);
805 tevent_req_set_endtime(subreq,
806 conn->connection->event.ctx,
807 endtime);
808 tevent_req_set_callback(subreq, ldapsrv_call_writev_done, call);
809 }
810
811 static void ldapsrv_call_postprocess_done(struct tevent_req *subreq);
812
813 static void ldapsrv_call_writev_done(struct tevent_req *subreq)
814 {
815 struct ldapsrv_call *call =
816 tevent_req_callback_data(subreq,
817 struct ldapsrv_call);
818 struct ldapsrv_connection *conn = call->conn;
819 int sys_errno;
820 int rc;
821
822 rc = tstream_writev_queue_recv(subreq, &sys_errno);
823 TALLOC_FREE(subreq);
824
825 /* This releases the ASN.1 encoded packets from memory */
826 TALLOC_FREE(call->out_iov);
827 if (rc == -1) {
828 const char *reason;
829
830 reason = talloc_asprintf(call, "ldapsrv_call_writev_done: "
831 "tstream_writev_queue_recv() - %d:%s",
832 sys_errno, strerror(sys_errno));
833 if (reason == NULL) {
834 reason = "ldapsrv_call_writev_done: "
835 "tstream_writev_queue_recv() failed";
836 }
837
838 ldapsrv_terminate_connection(conn, reason);
839 return;
840 }
841
842 if (call->postprocess_send) {
843 subreq = call->postprocess_send(call,
844 conn->connection->event.ctx,
845 call->postprocess_private);
846 if (subreq == NULL) {
847 ldapsrv_terminate_connection(conn, "ldapsrv_call_writev_done: "
848 "call->postprocess_send - no memory");
849 return;
850 }
851 tevent_req_set_callback(subreq,
852 ldapsrv_call_postprocess_done,
853 call);
854 return;
855 }
856
857 /* Perhaps still some more to send */
858 if (call->replies != NULL) {
859 ldapsrv_call_writev_start(call);
860 return;
861 }
862
863 if (!call->notification.busy) {
864 TALLOC_FREE(call);
865 }
866
867 ldapsrv_call_read_next(conn);
868 }
869
870 static void ldapsrv_call_postprocess_done(struct tevent_req *subreq)
871 {
872 struct ldapsrv_call *call =
873 tevent_req_callback_data(subreq,
874 struct ldapsrv_call);
875 struct ldapsrv_connection *conn = call->conn;
876 NTSTATUS status;
877
878 status = call->postprocess_recv(subreq);
879 TALLOC_FREE(subreq);
880 if (!NT_STATUS_IS_OK(status)) {
881 const char *reason;
882
883 reason = talloc_asprintf(call, "ldapsrv_call_postprocess_done: "
884 "call->postprocess_recv() - %s",
885 nt_errstr(status));
886 if (reason == NULL) {
887 reason = nt_errstr(status);
888 }
889
890 ldapsrv_terminate_connection(conn, reason);
891 return;
892 }
893
894 TALLOC_FREE(call);
895
896 ldapsrv_call_read_next(conn);
897 }
898
899 static void ldapsrv_notification_retry_done(struct tevent_req *subreq);
900
901 void ldapsrv_notification_retry_setup(struct ldapsrv_service *service, bool force)
902 {
903 struct ldapsrv_connection *conn = NULL;
904 struct timeval retry;
905 size_t num_pending = 0;
906 size_t num_active = 0;
907
908 if (force) {
909 TALLOC_FREE(service->notification.retry);
910 service->notification.generation += 1;
911 }
912
913 if (service->notification.retry != NULL) {
914 return;
915 }
916
917 for (conn = service->connections; conn != NULL; conn = conn->next) {
918 if (conn->pending_calls == NULL) {
919 continue;
920 }
921
922 num_pending += 1;
923
924 if (conn->pending_calls->notification.generation !=
925 service->notification.generation)
926 {
927 num_active += 1;
928 }
929 }
930
931 if (num_pending == 0) {
932 return;
933 }
934
935 if (num_active != 0) {
936 retry = timeval_current_ofs(0, 100);
937 } else {
938 retry = timeval_current_ofs(5, 0);
939 }
940
941 service->notification.retry = tevent_wakeup_send(service,
942 service->current_ev,
943 retry);
944 if (service->notification.retry == NULL) {
945 /* retry later */
946 return;
947 }
948
949 tevent_req_set_callback(service->notification.retry,
950 ldapsrv_notification_retry_done,
951 service);
952 }
953
954 static void ldapsrv_notification_retry_done(struct tevent_req *subreq)
955 {
956 struct ldapsrv_service *service =
957 tevent_req_callback_data(subreq,
958 struct ldapsrv_service);
959 struct ldapsrv_connection *conn = NULL;
960 struct ldapsrv_connection *conn_next = NULL;
961 bool ok;
962
963 service->notification.retry = NULL;
964
965 ok = tevent_wakeup_recv(subreq);
966 TALLOC_FREE(subreq);
967 if (!ok) {
968 /* ignore */
969 }
970
971 for (conn = service->connections; conn != NULL; conn = conn_next) {
972 struct ldapsrv_call *call = conn->pending_calls;
973
974 conn_next = conn->next;
975
976 if (conn->pending_calls == NULL) {
977 continue;
978 }
979
980 if (conn->active_call != NULL) {
981 continue;
982 }
983
984 DLIST_DEMOTE(conn->pending_calls, call);
985 call->notification.generation =
986 service->notification.generation;
987
988 /* queue the call in the global queue */
989 subreq = ldapsrv_process_call_send(call,
990 conn->connection->event.ctx,
991 conn->service->call_queue,
992 call);
993 if (subreq == NULL) {
994 ldapsrv_terminate_connection(conn,
995 "ldapsrv_process_call_send failed");
996 continue;
997 }
998 tevent_req_set_callback(subreq, ldapsrv_call_process_done, call);
999 conn->active_call = subreq;
1000 }
1001
1002 ldapsrv_notification_retry_setup(service, false);
1003 }
1004
1005 struct ldapsrv_process_call_state {
1006 struct ldapsrv_call *call;
1007 };
1008
1009 static void ldapsrv_process_call_trigger(struct tevent_req *req,
1010 void *private_data);
1011
1012 static struct tevent_req *ldapsrv_process_call_send(TALLOC_CTX *mem_ctx,
1013 struct tevent_context *ev,
1014 struct tevent_queue *call_queue,
1015 struct ldapsrv_call *call)
1016 {
1017 struct tevent_req *req;
1018 struct ldapsrv_process_call_state *state;
1019 bool ok;
1020
1021 req = tevent_req_create(mem_ctx, &state,
1022 struct ldapsrv_process_call_state);
1023 if (req == NULL) {
1024 return req;
1025 }
1026
1027 state->call = call;
1028
1029 ok = tevent_queue_add(call_queue, ev, req,
1030 ldapsrv_process_call_trigger, NULL);
1031 if (!ok) {
1032 tevent_req_oom(req);
1033 return tevent_req_post(req, ev);
1034 }
1035
1036 return req;
1037 }
1038
1039 static void ldapsrv_disconnect_ticket_expired(struct tevent_req *subreq);
1040
1041 static void ldapsrv_process_call_trigger(struct tevent_req *req,
1042 void *private_data)
1043 {
1044 struct ldapsrv_process_call_state *state =
1045 tevent_req_data(req,
1046 struct ldapsrv_process_call_state);
1047 struct ldapsrv_connection *conn = state->call->conn;
1048 NTSTATUS status;
1049
1050 if (conn->deferred_expire_disconnect != NULL) {
1051 /*
1052 * Just drop this on the floor
1053 */
1054 tevent_req_done(req);
1055 return;
1056 }
1057
1058 /* make the call */
1059 status = ldapsrv_do_call(state->call);
1060
1061 if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_SESSION_EXPIRED)) {
1062 /*
1063 * For testing purposes, defer the TCP disconnect
1064 * after having sent the msgid 0
1065 * 1.3.6.1.4.1.1466.20036 exop response. LDAP clients
1066 * should not wait for the TCP connection to close but
1067 * handle this packet equivalent to a TCP
1068 * disconnect. This delay enables testing both cases
1069 * in LDAP client libraries.
1070 */
1071
1072 int defer_msec = lpcfg_parm_int(
1073 conn->lp_ctx,
1074 NULL,
1075 "ldap_server",
1076 "delay_expire_disconnect",
1077 0);
1078
1079 conn->deferred_expire_disconnect = tevent_wakeup_send(
1080 conn,
1081 conn->connection->event.ctx,
1082 timeval_current_ofs_msec(defer_msec));
1083 if (tevent_req_nomem(conn->deferred_expire_disconnect, req)) {
1084 return;
1085 }
1086 tevent_req_set_callback(
1087 conn->deferred_expire_disconnect,
1088 ldapsrv_disconnect_ticket_expired,
1089 conn);
1090
1091 tevent_req_done(req);
1092 return;
1093 }
1094
1095 if (!NT_STATUS_IS_OK(status)) {
1096 tevent_req_nterror(req, status);
1097 return;
1098 }
1099
1100 tevent_req_done(req);
1101 }
1102
1103 static void ldapsrv_disconnect_ticket_expired(struct tevent_req *subreq)
1104 {
1105 struct ldapsrv_connection *conn = tevent_req_callback_data(
1106 subreq, struct ldapsrv_connection);
1107 bool ok;
1108
1109 ok = tevent_wakeup_recv(subreq);
1110 TALLOC_FREE(subreq);
1111 if (!ok) {
1112 DBG_WARNING("tevent_wakeup_recv failed\n");
1113 }
1114 conn->deferred_expire_disconnect = NULL;
1115 ldapsrv_terminate_connection(conn, "network session expired");
1116 }
1117
1118 static NTSTATUS ldapsrv_process_call_recv(struct tevent_req *req)
1119 {
1120 NTSTATUS status;
1121
1122 if (tevent_req_is_nterror(req, &status)) {
1123 tevent_req_received(req);
1124 return status;
1125 }
1126
1127 tevent_req_received(req);
1128 return NT_STATUS_OK;
1129 }
1130
1131 static void ldapsrv_accept_nonpriv(struct stream_connection *c)
1132 {
1133 struct ldapsrv_service *ldapsrv_service = talloc_get_type_abort(
1134 c->private_data, struct ldapsrv_service);
1135 struct auth_session_info *session_info;
1136 NTSTATUS status;
1137
1138 status = auth_anonymous_session_info(
1139 c, ldapsrv_service->lp_ctx, &session_info);
1140 if (!NT_STATUS_IS_OK(status)) {
1141 stream_terminate_connection(c, "failed to setup anonymous "
1142 "session info");
1143 return;
1144 }
1145 ldapsrv_accept(c, session_info, false, false);
1146 }
1147
1148 static const struct stream_server_ops ldap_stream_nonpriv_ops = {
1149 .name = "ldap",
1150 .accept_connection = ldapsrv_accept_nonpriv,
1151 .recv_handler = ldapsrv_recv,
1152 .send_handler = ldapsrv_send,
1153 };
1154
1155 static void ldapsrv_accept_nonpriv_ldapi(struct stream_connection *c)
1156 {
1157 struct ldapsrv_service *ldapsrv_service = talloc_get_type_abort(
1158 c->private_data, struct ldapsrv_service);
1159 struct auth_session_info *session_info;
1160 NTSTATUS status;
1161
1162 status = auth_anonymous_session_info(
1163 c, ldapsrv_service->lp_ctx, &session_info);
1164 if (!NT_STATUS_IS_OK(status)) {
1165 stream_terminate_connection(c, "failed to setup anonymous "
1166 "session info");
1167 return;
1168 }
1169 ldapsrv_accept(c, session_info, false, true);
1170 }
1171
1172 static const struct stream_server_ops ldapi_stream_nonpriv_ops = {
1173 .name = "ldap",
1174 .accept_connection = ldapsrv_accept_nonpriv_ldapi,
1175 .recv_handler = ldapsrv_recv,
1176 .send_handler = ldapsrv_send,
1177 };
1178
1179 /* The feature removed behind an #ifdef until we can do it properly
1180 * with an EXTERNAL bind. */
1181
1182 #define WITH_LDAPI_PRIV_SOCKET
1183
1184 #ifdef WITH_LDAPI_PRIV_SOCKET
1185 static void ldapsrv_accept_priv_ldapi(struct stream_connection *c)
1186 {
1187 struct ldapsrv_service *ldapsrv_service = talloc_get_type_abort(
1188 c->private_data, struct ldapsrv_service);
1189 struct auth_session_info *session_info;
1190
1191 session_info = system_session(ldapsrv_service->lp_ctx);
1192 if (!session_info) {
1193 stream_terminate_connection(c, "failed to setup system "
1194 "session info");
1195 return;
1196 }
1197 ldapsrv_accept(c, session_info, true, true);
1198 }
1199
1200 static const struct stream_server_ops ldapi_stream_priv_ops = {
1201 .name = "ldap",
1202 .accept_connection = ldapsrv_accept_priv_ldapi,
1203 .recv_handler = ldapsrv_recv,
1204 .send_handler = ldapsrv_send,
1205 };
1206
1207 #endif
1208
1209
1210 /*
1211 add a socket address to the list of events, one event per port
1212 */
1213 static NTSTATUS add_socket(struct task_server *task,
1214 struct loadparm_context *lp_ctx,
1215 const struct model_ops *model_ops,
1216 const char *address, struct ldapsrv_service *ldap_service)
1217 {
1218 uint16_t port = 389;
1219 NTSTATUS status;
1220 struct ldb_context *ldb;
1221
1222 status = stream_setup_socket(task, task->event_ctx, lp_ctx,
1223 model_ops, &ldap_stream_nonpriv_ops,
1224 "ip", address, &port,
1225 lpcfg_socket_options(lp_ctx),
1226 ldap_service, task->process_context);
1227 if (!NT_STATUS_IS_OK(status)) {
1228 DBG_ERR("ldapsrv failed to bind to %s:%u - %s\n",
1229 address, port, nt_errstr(status));
1230 return status;
1231 }
1232
1233 if (tstream_tls_params_enabled(ldap_service->tls_params)) {
1234 /* add ldaps server */
1235 port = 636;
1236 status = stream_setup_socket(task, task->event_ctx, lp_ctx,
1237 model_ops,
1238 &ldap_stream_nonpriv_ops,
1239 "ip", address, &port,
1240 lpcfg_socket_options(lp_ctx),
1241 ldap_service,
1242 task->process_context);
1243 if (!NT_STATUS_IS_OK(status)) {
1244 DBG_ERR("ldapsrv failed to bind to %s:%u - %s\n",
1245 address, port, nt_errstr(status));
1246 return status;
1247 }
1248 }
1249
1250 /* Load LDAP database, but only to read our settings */
1251 ldb = samdb_connect(ldap_service,
1252 ldap_service->current_ev,
1253 lp_ctx,
1254 system_session(lp_ctx),
1255 NULL,
1256 0);
1257 if (!ldb) {
1258 return NT_STATUS_INTERNAL_DB_CORRUPTION;
1259 }
1260
1261 if (samdb_is_gc(ldb)) {
1262 port = 3268;
1263 status = stream_setup_socket(task, task->event_ctx, lp_ctx,
1264 model_ops,
1265 &ldap_stream_nonpriv_ops,
1266 "ip", address, &port,
1267 lpcfg_socket_options(lp_ctx),
1268 ldap_service,
1269 task->process_context);
1270 if (!NT_STATUS_IS_OK(status)) {
1271 DBG_ERR("ldapsrv failed to bind to %s:%u - %s\n",
1272 address, port, nt_errstr(status));
1273 return status;
1274 }
1275 if (tstream_tls_params_enabled(ldap_service->tls_params)) {
1276 /* add ldaps server for the global catalog */
1277 port = 3269;
1278 status = stream_setup_socket(task, task->event_ctx, lp_ctx,
1279 model_ops,
1280 &ldap_stream_nonpriv_ops,
1281 "ip", address, &port,
1282 lpcfg_socket_options(lp_ctx),
1283 ldap_service,
1284 task->process_context);
1285 if (!NT_STATUS_IS_OK(status)) {
1286 DBG_ERR("ldapsrv failed to bind to %s:%u - %s\n",
1287 address, port, nt_errstr(status));
1288 return status;
1289 }
1290 }
1291 }
1292
1293 /* And once we are bound, free the temporary ldb, it will
1294 * connect again on each incoming LDAP connection */
1295 talloc_unlink(ldap_service, ldb);
1296
1297 return NT_STATUS_OK;
1298 }
1299
1300 static void ldap_reload_certs(struct imessaging_context *msg_ctx,
1301 void *private_data,
1302 uint32_t msg_type,
1303 struct server_id server_id,
1304 size_t num_fds,
1305 int *fds,
1306 DATA_BLOB *data)
1307 {
1308 TALLOC_CTX *frame = talloc_stackframe();
1309 struct ldapsrv_service *ldap_service =
1310 talloc_get_type_abort(private_data,
1311 struct ldapsrv_service);
1312 int default_children;
1313 int num_children;
1314 int i;
1315 bool ok;
1316 struct server_id ldap_master_id;
1317 NTSTATUS status;
1318 struct tstream_tls_params *new_tls_params = NULL;
1319
1320 SMB_ASSERT(msg_ctx == ldap_service->current_msg);
1321
1322 /* reload certificates */
1323 status = tstream_tls_params_server(ldap_service,
1324 ldap_service->dns_host_name,
1325 lpcfg_tls_enabled(ldap_service->lp_ctx),
1326 lpcfg_tls_keyfile(frame, ldap_service->lp_ctx),
1327 lpcfg_tls_certfile(frame, ldap_service->lp_ctx),
1328 lpcfg_tls_cafile(frame, ldap_service->lp_ctx),
1329 lpcfg_tls_crlfile(frame, ldap_service->lp_ctx),
1330 lpcfg_tls_dhpfile(frame, ldap_service->lp_ctx),
1331 lpcfg_tls_priority(ldap_service->lp_ctx),
1332 &new_tls_params);
1333 if (!NT_STATUS_IS_OK(status)) {
1334 DBG_ERR("ldapsrv failed tstream_tls_params_server - %s\n",
1335 nt_errstr(status));
1336 TALLOC_FREE(frame);
1337 return;
1338 }
1339
1340 TALLOC_FREE(ldap_service->tls_params);
1341 ldap_service->tls_params = new_tls_params;
1342
1343 if (getpid() != ldap_service->parent_pid) {
1344 /*
1345 * If we are not the master process we are done
1346 */
1347 TALLOC_FREE(frame);
1348 return;
1349 }
1350
1351 /*
1352 * Check we're running under the prefork model,
1353 * by checking if the prefork-master-ldap name
1354 * was registered
1355 */
1356 ok = server_id_db_lookup_one(msg_ctx->names, "prefork-master-ldap", &ldap_master_id);
1357 if (!ok) {
1358 /*
1359 * We are done if another process model is in use.
1360 */
1361 TALLOC_FREE(frame);
1362 return;
1363 }
1364
1365 /*
1366 * Now we loop over all possible prefork workers
1367 * in order to notify them about the reload
1368 */
1369 default_children = lpcfg_prefork_children(ldap_service->lp_ctx);
1370 num_children = lpcfg_parm_int(ldap_service->lp_ctx,
1371 NULL, "prefork children", "ldap",
1372 default_children);
1373 for (i = 0; i < num_children; i++) {
1374 char child_name[64] = { 0, };
1375 struct server_id ldap_worker_id;
1376
1377 snprintf(child_name, sizeof(child_name), "prefork-worker-ldap-%d", i);
1378 ok = server_id_db_lookup_one(msg_ctx->names, child_name, &ldap_worker_id);
1379 if (!ok) {
1380 DBG_ERR("server_id_db_lookup_one(%s) - failed\n",
1381 child_name);
1382 continue;
1383 }
1384
1385 status = imessaging_send(msg_ctx, ldap_worker_id,
1386 MSG_RELOAD_TLS_CERTIFICATES, NULL);
1387 if (!NT_STATUS_IS_OK(status)) {
1388 struct server_id_buf id_buf;
1389 DBG_ERR("ldapsrv failed imessaging_send(%s, %s) - %s\n",
1390 child_name,
1391 server_id_str_buf(ldap_worker_id, &id_buf),
1392 nt_errstr(status));
1393 continue;
1394 }
1395 }
1396
1397 TALLOC_FREE(frame);
1398 }
1399
1400 /*
1401 open the ldap server sockets
1402 */
1403 static NTSTATUS ldapsrv_task_init(struct task_server *task)
1404 {
1405 char *ldapi_path;
1406 #ifdef WITH_LDAPI_PRIV_SOCKET
1407 char *priv_dir;
1408 #endif
1409 struct ldapsrv_service *ldap_service;
1410 NTSTATUS status;
1411
1412 switch (lpcfg_server_role(task->lp_ctx)) {
1413 case ROLE_STANDALONE:
1414 task_server_terminate(task, "ldap_server: no LDAP server required in standalone configuration",
1415 false);
1416 return NT_STATUS_INVALID_DOMAIN_ROLE;
1417 case ROLE_DOMAIN_MEMBER:
1418 task_server_terminate(task, "ldap_server: no LDAP server required in member server configuration",
1419 false);
1420 return NT_STATUS_INVALID_DOMAIN_ROLE;
1421 case ROLE_ACTIVE_DIRECTORY_DC:
1422 /* Yes, we want an LDAP server */
1423 break;
1424 }
1425
1426 task_server_set_title(task, "task[ldapsrv]");
1427
1428 ldap_service = talloc_zero(task, struct ldapsrv_service);
1429 if (ldap_service == NULL) {
1430 status = NT_STATUS_NO_MEMORY;
1431 goto failed;
1432 }
1433
1434 ldap_service->lp_ctx = task->lp_ctx;
1435 ldap_service->current_ev = task->event_ctx;
1436 ldap_service->current_msg = task->msg_ctx;
1437
1438 ldap_service->dns_host_name = talloc_asprintf(ldap_service, "%s.%s",
1439 lpcfg_netbios_name(task->lp_ctx),
1440 lpcfg_dnsdomain(task->lp_ctx));
1441 if (ldap_service->dns_host_name == NULL) {
1442 status = NT_STATUS_NO_MEMORY;
1443 goto failed;
1444 }
1445
1446 ldap_service->parent_pid = getpid();
1447
1448 status = tstream_tls_params_server(ldap_service,
1449 ldap_service->dns_host_name,
1450 lpcfg_tls_enabled(task->lp_ctx),
1451 lpcfg_tls_keyfile(ldap_service, task->lp_ctx),
1452 lpcfg_tls_certfile(ldap_service, task->lp_ctx),
1453 lpcfg_tls_cafile(ldap_service, task->lp_ctx),
1454 lpcfg_tls_crlfile(ldap_service, task->lp_ctx),
1455 lpcfg_tls_dhpfile(ldap_service, task->lp_ctx),
1456 lpcfg_tls_priority(task->lp_ctx),
1457 &ldap_service->tls_params);
1458 if (!NT_STATUS_IS_OK(status)) {
1459 DBG_ERR("ldapsrv failed tstream_tls_params_server - %s\n",
1460 nt_errstr(status));
1461 goto failed;
1462 }
1463
1464 ldap_service->call_queue = tevent_queue_create(ldap_service, "ldapsrv_call_queue");
1465 if (ldap_service->call_queue == NULL) {
1466 status = NT_STATUS_NO_MEMORY;
1467 goto failed;
1468 }
1469
1470 if (lpcfg_interfaces(task->lp_ctx) && lpcfg_bind_interfaces_only(task->lp_ctx)) {
1471 struct interface *ifaces;
1472 int num_interfaces;
1473 int i;
1474
1475 load_interface_list(task, task->lp_ctx, &ifaces);
1476 num_interfaces = iface_list_count(ifaces);
1477
1478 /* We have been given an interfaces line, and been
1479 told to only bind to those interfaces. Create a
1480 socket per interface and bind to only these.
1481 */
1482 for(i = 0; i < num_interfaces; i++) {
1483 const char *address = iface_list_n_ip(ifaces, i);
1484 status = add_socket(task, task->lp_ctx, task->model_ops,
1485 address, ldap_service);
1486 if (!NT_STATUS_IS_OK(status)) goto failed;
1487 }
1488 } else {
1489 char **wcard;
1490 size_t i;
1491 size_t num_binds = 0;
1492 wcard = iface_list_wildcard(task);
1493 if (wcard == NULL) {
1494 DBG_ERR("No wildcard addresses available\n");
1495 status = NT_STATUS_UNSUCCESSFUL;
1496 goto failed;
1497 }
1498 for (i=0; wcard[i]; i++) {
1499 status = add_socket(task, task->lp_ctx, task->model_ops,
1500 wcard[i], ldap_service);
1501 if (NT_STATUS_IS_OK(status)) {
1502 num_binds++;
1503 }
1504 }
1505 talloc_free(wcard);
1506 if (num_binds == 0) {
1507 status = NT_STATUS_UNSUCCESSFUL;
1508 goto failed;
1509 }
1510 }
1511
1512 ldapi_path = lpcfg_private_path(ldap_service, task->lp_ctx, "ldapi");
1513 if (!ldapi_path) {
1514 status = NT_STATUS_UNSUCCESSFUL;
1515 goto failed;
1516 }
1517
1518 status = stream_setup_socket(task, task->event_ctx, task->lp_ctx,
1519 task->model_ops, &ldapi_stream_nonpriv_ops,
1520 "unix", ldapi_path, NULL,
1521 lpcfg_socket_options(task->lp_ctx),
1522 ldap_service, task->process_context);
1523 talloc_free(ldapi_path);
1524 if (!NT_STATUS_IS_OK(status)) {
1525 DBG_ERR("ldapsrv failed to bind to %s - %s\n",
1526 ldapi_path, nt_errstr(status));
1527 }
1528
1529 #ifdef WITH_LDAPI_PRIV_SOCKET
1530 priv_dir = lpcfg_private_path(ldap_service, task->lp_ctx, "ldap_priv");
1531 if (priv_dir == NULL) {
1532 status = NT_STATUS_UNSUCCESSFUL;
1533 goto failed;
1534 }
1535 /*
1536 * Make sure the directory for the privileged ldapi socket exists, and
1537 * is of the correct permissions
1538 */
1539 if (!directory_create_or_exist(priv_dir, 0750)) {
1540 task_server_terminate(task, "Cannot create ldap "
1541 "privileged ldapi directory", true);
1542 return NT_STATUS_UNSUCCESSFUL;
1543 }
1544 ldapi_path = talloc_asprintf(ldap_service, "%s/ldapi", priv_dir);
1545 talloc_free(priv_dir);
1546 if (ldapi_path == NULL) {
1547 status = NT_STATUS_NO_MEMORY;
1548 goto failed;
1549 }
1550
1551 status = stream_setup_socket(task, task->event_ctx, task->lp_ctx,
1552 task->model_ops, &ldapi_stream_priv_ops,
1553 "unix", ldapi_path, NULL,
1554 lpcfg_socket_options(task->lp_ctx),
1555 ldap_service,
1556 task->process_context);
1557 talloc_free(ldapi_path);
1558 if (!NT_STATUS_IS_OK(status)) {
1559 DBG_ERR("ldapsrv failed to bind to %s - %s\n",
1560 ldapi_path, nt_errstr(status));
1561 }
1562
1563 #endif
1564
1565 /* register the server */
1566 irpc_add_name(task->msg_ctx, "ldap_server");
1567
1568 task->private_data = ldap_service;
1569
1570 return NT_STATUS_OK;
1571
1572 failed:
1573 task_server_terminate(task, "Failed to startup ldap server task", true);
1574 return status;
1575 }
1576
1577 /*
1578 * Open a database to be later used by LDB wrap code (although it should be
1579 * plumbed through correctly eventually).
1580 */
1581 static void ldapsrv_post_fork(struct task_server *task, struct process_details *pd)
1582 {
1583 struct ldapsrv_service *ldap_service =
1584 talloc_get_type_abort(task->private_data, struct ldapsrv_service);
1585
1586 /*
1587 * As ldapsrv_before_loop() may changed the values for the parent loop
1588 * we need to adjust the pointers to the correct value in the child
1589 */
1590 ldap_service->lp_ctx = task->lp_ctx;
1591 ldap_service->current_ev = task->event_ctx;
1592 ldap_service->current_msg = task->msg_ctx;
1593
1594 ldap_service->sam_ctx = samdb_connect(ldap_service,
1595 ldap_service->current_ev,
1596 ldap_service->lp_ctx,
1597 system_session(ldap_service->lp_ctx),
1598 NULL,
1599 0);
1600 if (ldap_service->sam_ctx == NULL) {
1601 task_server_terminate(task, "Cannot open system session LDB",
1602 true);
1603 return;
1604 }
1605 }
1606
1607 static void ldapsrv_before_loop(struct task_server *task)
1608 {
1609 struct ldapsrv_service *ldap_service =
1610 talloc_get_type_abort(task->private_data, struct ldapsrv_service);
1611 NTSTATUS status;
1612
1613 if (ldap_service->sam_ctx != NULL) {
1614 /*
1615 * Make sure the values are still the same
1616 * as set in ldapsrv_post_fork()
1617 */
1618 SMB_ASSERT(task->lp_ctx == ldap_service->lp_ctx);
1619 SMB_ASSERT(task->event_ctx == ldap_service->current_ev);
1620 SMB_ASSERT(task->msg_ctx == ldap_service->current_msg);
1621 } else {
1622 /*
1623 * We need to adjust the pointers to the correct value
1624 * in the parent loop.
1625 */
1626 ldap_service->lp_ctx = task->lp_ctx;
1627 ldap_service->current_ev = task->event_ctx;
1628 ldap_service->current_msg = task->msg_ctx;
1629 }
1630
1631 status = imessaging_register(ldap_service->current_msg,
1632 ldap_service,
1633 MSG_RELOAD_TLS_CERTIFICATES,
1634 ldap_reload_certs);
1635 if (!NT_STATUS_IS_OK(status)) {
1636 task_server_terminate(task, "Cannot register ldap_reload_certs",
1637 true);
1638 return;
1639 }
1640 }
1641
1642 /*
1643 * Check the size of an ldap request packet.
1644 *
1645 * For authenticated connections the maximum packet size is controlled by
1646 * the smb.conf parameter "ldap max authenticated request size"
1647 *
1648 * For anonymous connections the maximum packet size is controlled by
1649 * the smb.conf parameter "ldap max anonymous request size"
1650 */
1651 static int ldapsrv_check_packet_size(
1652 struct ldapsrv_connection *conn,
1653 size_t size)
1654 {
1655 bool is_anonymous = false;
1656 size_t max_size = 0;
1657
1658 max_size = lpcfg_ldap_max_anonymous_request_size(conn->lp_ctx);
1659 if (size <= max_size) {
1660 return LDAP_SUCCESS;
1661 }
1662
1663 /*
1664 * Request is larger than the maximum unauthenticated request size.
1665 * As this code is called frequently we avoid calling
1666 * security_token_is_anonymous if possible
1667 */
1668 if (conn->session_info != NULL &&
1669 conn->session_info->security_token != NULL) {
1670 is_anonymous = security_token_is_anonymous(
1671 conn->session_info->security_token);
1672 }
1673
1674 if (is_anonymous) {
1675 DBG_WARNING(
1676 "LDAP request size (%zu) exceeds (%zu)\n",
1677 size,
1678 max_size);
1679 return LDAP_UNWILLING_TO_PERFORM;
1680 }
1681
1682 max_size = lpcfg_ldap_max_authenticated_request_size(conn->lp_ctx);
1683 if (size > max_size) {
1684 DBG_WARNING(
1685 "LDAP request size (%zu) exceeds (%zu)\n",
1686 size,
1687 max_size);
1688 return LDAP_UNWILLING_TO_PERFORM;
1689 }
1690 return LDAP_SUCCESS;
1691
1692 }
1693
1694 /*
1695 * Check that the blob contains enough data to be a valid packet
1696 * If there is a packet header check the size to ensure that it does not
1697 * exceed the maximum sizes.
1698 *
1699 */
1700 static NTSTATUS ldapsrv_packet_check(
1701 struct tstream_context *stream,
1702 void *private_data,
1703 DATA_BLOB blob,
1704 size_t *packet_size)
1705 {
1706 NTSTATUS ret;
1707 struct ldapsrv_connection *conn = private_data;
1708 int result = LDB_SUCCESS;
1709
1710 ret = ldap_full_packet(stream, private_data, blob, packet_size);
1711 if (!NT_STATUS_IS_OK(ret)) {
1712 return ret;
1713 }
1714 result = ldapsrv_check_packet_size(conn, *packet_size);
1715 if (result != LDAP_SUCCESS) {
1716 return NT_STATUS_LDAP(result);
1717 }
1718 return NT_STATUS_OK;
1719 }
1720
1721 NTSTATUS server_service_ldap_init(TALLOC_CTX *ctx)
1722 {
1723 static const struct service_details details = {
1724 .inhibit_fork_on_accept = false,
1725 .inhibit_pre_fork = false,
1726 .task_init = ldapsrv_task_init,
1727 .post_fork = ldapsrv_post_fork,
1728 .before_loop = ldapsrv_before_loop,
1729 };
1730 return register_server_service(ctx, "ldap", &details);
1731 }
Samba GIT mirror