2 Unix SMB/CIFS implementation.
6 Copyright (C) Andrew Tridgell 2005
7 Copyright (C) Volker Lendecke 2004
8 Copyright (C) Stefan Metzmacher 2004
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "system/network.h"
26 #include "lib/events/events.h"
27 #include "auth/auth.h"
28 #include "auth/credentials/credentials.h"
29 #include "librpc/gen_ndr/ndr_samr.h"
30 #include "../lib/util/dlinklist.h"
31 #include "../lib/util/asn1.h"
32 #include "ldap_server/ldap_server.h"
33 #include "samba/service_task.h"
34 #include "samba/service_stream.h"
35 #include "samba/service.h"
36 #include "samba/process_model.h"
37 #include "lib/tls/tls.h"
38 #include "lib/messaging/irpc.h"
40 #include <ldb_errors.h>
41 #include "libcli/ldap/ldap_proto.h"
42 #include "system/network.h"
43 #include "lib/socket/netif.h"
44 #include "dsdb/samdb/samdb.h"
45 #include "param/param.h"
46 #include "../lib/tsocket/tsocket.h"
47 #include "../lib/util/tevent_ntstatus.h"
48 #include "../libcli/util/tstream.h"
49 #include "libds/common/roles.h"
50 #include "lib/util/time.h"
51 #include "lib/util/server_id.h"
52 #include "lib/util/server_id_db.h"
53 #include "lib/messaging/messaging_internal.h"
57 static void ldapsrv_terminate_connection_done(struct tevent_req
*subreq
);
60 close the socket and shutdown a server_context
62 static void ldapsrv_terminate_connection(struct ldapsrv_connection
*conn
,
65 struct tevent_req
*subreq
;
67 if (conn
->limits
.reason
) {
71 DLIST_REMOVE(conn
->service
->connections
, conn
);
73 conn
->limits
.endtime
= timeval_current_ofs(0, 500);
75 tevent_queue_stop(conn
->sockets
.send_queue
);
76 TALLOC_FREE(conn
->sockets
.read_req
);
77 TALLOC_FREE(conn
->deferred_expire_disconnect
);
78 if (conn
->active_call
) {
79 tevent_req_cancel(conn
->active_call
);
80 conn
->active_call
= NULL
;
83 conn
->limits
.reason
= talloc_strdup(conn
, reason
);
84 if (conn
->limits
.reason
== NULL
) {
85 TALLOC_FREE(conn
->sockets
.tls
);
86 TALLOC_FREE(conn
->sockets
.sasl
);
87 TALLOC_FREE(conn
->sockets
.raw
);
88 stream_terminate_connection(conn
->connection
, reason
);
92 subreq
= tstream_disconnect_send(conn
,
93 conn
->connection
->event
.ctx
,
94 conn
->sockets
.active
);
96 TALLOC_FREE(conn
->sockets
.tls
);
97 TALLOC_FREE(conn
->sockets
.sasl
);
98 TALLOC_FREE(conn
->sockets
.raw
);
99 stream_terminate_connection(conn
->connection
, reason
);
102 tevent_req_set_endtime(subreq
,
103 conn
->connection
->event
.ctx
,
104 conn
->limits
.endtime
);
105 tevent_req_set_callback(subreq
, ldapsrv_terminate_connection_done
, conn
);
108 static void ldapsrv_terminate_connection_done(struct tevent_req
*subreq
)
110 struct ldapsrv_connection
*conn
=
111 tevent_req_callback_data(subreq
,
112 struct ldapsrv_connection
);
116 tstream_disconnect_recv(subreq
, &sys_errno
);
119 if (conn
->sockets
.active
== conn
->sockets
.raw
) {
120 TALLOC_FREE(conn
->sockets
.tls
);
121 TALLOC_FREE(conn
->sockets
.sasl
);
122 TALLOC_FREE(conn
->sockets
.raw
);
123 stream_terminate_connection(conn
->connection
,
124 conn
->limits
.reason
);
128 TALLOC_FREE(conn
->sockets
.tls
);
129 TALLOC_FREE(conn
->sockets
.sasl
);
130 conn
->sockets
.active
= conn
->sockets
.raw
;
132 subreq
= tstream_disconnect_send(conn
,
133 conn
->connection
->event
.ctx
,
134 conn
->sockets
.active
);
135 if (subreq
== NULL
) {
136 TALLOC_FREE(conn
->sockets
.raw
);
137 stream_terminate_connection(conn
->connection
,
138 conn
->limits
.reason
);
141 ok
= tevent_req_set_endtime(subreq
,
142 conn
->connection
->event
.ctx
,
143 conn
->limits
.endtime
);
145 TALLOC_FREE(conn
->sockets
.raw
);
146 stream_terminate_connection(conn
->connection
,
147 conn
->limits
.reason
);
150 tevent_req_set_callback(subreq
, ldapsrv_terminate_connection_done
, conn
);
154 called when a LDAP socket becomes readable
156 void ldapsrv_recv(struct stream_connection
*c
, uint16_t flags
)
158 smb_panic(__location__
);
162 called when a LDAP socket becomes writable
164 static void ldapsrv_send(struct stream_connection
*c
, uint16_t flags
)
166 smb_panic(__location__
);
169 static int ldapsrv_load_limits(struct ldapsrv_connection
*conn
)
172 const char *attrs
[] = { "configurationNamingContext", NULL
};
173 const char *attrs2
[] = { "lDAPAdminLimits", NULL
};
174 struct ldb_message_element
*el
;
175 struct ldb_result
*res
= NULL
;
176 struct ldb_dn
*basedn
;
177 struct ldb_dn
*conf_dn
;
178 struct ldb_dn
*policy_dn
;
182 /* set defaults limits in case of failure */
183 conn
->limits
.initial_timeout
= 120;
184 conn
->limits
.conn_idle_time
= 900;
185 conn
->limits
.max_page_size
= 1000;
186 conn
->limits
.max_notifications
= 5;
187 conn
->limits
.search_timeout
= 120;
188 conn
->limits
.expire_time
= (struct timeval
) {
189 .tv_sec
= get_time_t_max(),
193 tmp_ctx
= talloc_new(conn
);
194 if (tmp_ctx
== NULL
) {
198 basedn
= ldb_dn_new(tmp_ctx
, conn
->ldb
, NULL
);
199 if (basedn
== NULL
) {
203 ret
= ldb_search(conn
->ldb
, tmp_ctx
, &res
, basedn
, LDB_SCOPE_BASE
, attrs
, NULL
);
204 if (ret
!= LDB_SUCCESS
) {
208 if (res
->count
!= 1) {
212 conf_dn
= ldb_msg_find_attr_as_dn(conn
->ldb
, tmp_ctx
, res
->msgs
[0], "configurationNamingContext");
213 if (conf_dn
== NULL
) {
217 policy_dn
= ldb_dn_copy(tmp_ctx
, conf_dn
);
218 ldb_dn_add_child_fmt(policy_dn
, "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services");
219 if (policy_dn
== NULL
) {
223 ret
= ldb_search(conn
->ldb
, tmp_ctx
, &res
, policy_dn
, LDB_SCOPE_BASE
, attrs2
, NULL
);
224 if (ret
!= LDB_SUCCESS
) {
228 if (res
->count
!= 1) {
232 el
= ldb_msg_find_element(res
->msgs
[0], "lDAPAdminLimits");
237 for (i
= 0; i
< el
->num_values
; i
++) {
238 char policy_name
[256];
241 s
= sscanf((const char *)el
->values
[i
].data
, "%255[^=]=%d", policy_name
, &policy_value
);
242 if (s
!= 2 || policy_value
== 0)
244 if (strcasecmp("InitRecvTimeout", policy_name
) == 0) {
245 conn
->limits
.initial_timeout
= policy_value
;
248 if (strcasecmp("MaxConnIdleTime", policy_name
) == 0) {
249 conn
->limits
.conn_idle_time
= policy_value
;
252 if (strcasecmp("MaxPageSize", policy_name
) == 0) {
253 conn
->limits
.max_page_size
= policy_value
;
256 if (strcasecmp("MaxNotificationPerConn", policy_name
) == 0) {
257 conn
->limits
.max_notifications
= policy_value
;
260 if (strcasecmp("MaxQueryDuration", policy_name
) == 0) {
261 if (policy_value
> 0) {
262 conn
->limits
.search_timeout
= policy_value
;
271 DBG_ERR("Failed to load ldap server query policies\n");
272 talloc_free(tmp_ctx
);
276 static int ldapsrv_call_destructor(struct ldapsrv_call
*call
)
278 if (call
->conn
== NULL
) {
282 DLIST_REMOVE(call
->conn
->pending_calls
, call
);
288 static struct tevent_req
*ldapsrv_process_call_send(TALLOC_CTX
*mem_ctx
,
289 struct tevent_context
*ev
,
290 struct tevent_queue
*call_queue
,
291 struct ldapsrv_call
*call
);
292 static NTSTATUS
ldapsrv_process_call_recv(struct tevent_req
*req
);
294 static bool ldapsrv_call_read_next(struct ldapsrv_connection
*conn
);
295 static void ldapsrv_accept_tls_done(struct tevent_req
*subreq
);
298 initialise a server_context from a open socket and register a event handler
299 for reading from that socket
301 static void ldapsrv_accept(struct stream_connection
*c
,
302 struct auth_session_info
*session_info
,
306 struct ldapsrv_service
*ldapsrv_service
=
307 talloc_get_type(c
->private_data
, struct ldapsrv_service
);
308 struct ldapsrv_connection
*conn
;
309 struct cli_credentials
*server_credentials
;
310 struct socket_address
*socket_address
;
313 struct tevent_req
*subreq
;
314 struct timeval endtime
;
315 char *errstring
= NULL
;
317 conn
= talloc_zero(c
, struct ldapsrv_connection
);
319 stream_terminate_connection(c
, "ldapsrv_accept: out of memory");
322 conn
->is_privileged
= is_privileged
;
323 conn
->is_ldapi
= is_ldapi
;
325 conn
->sockets
.send_queue
= tevent_queue_create(conn
, "ldapsrv send queue");
326 if (conn
->sockets
.send_queue
== NULL
) {
327 stream_terminate_connection(c
,
328 "ldapsrv_accept: tevent_queue_create failed");
332 TALLOC_FREE(c
->event
.fde
);
334 ret
= tstream_bsd_existing_socket(conn
,
335 socket_get_fd(c
->socket
),
338 stream_terminate_connection(c
,
339 "ldapsrv_accept: out of memory");
342 socket_set_flags(c
->socket
, SOCKET_FLAG_NOCLOSE
);
343 /* as server we want to fail early */
344 tstream_bsd_fail_readv_first_error(conn
->sockets
.raw
, true);
346 conn
->connection
= c
;
347 conn
->service
= ldapsrv_service
;
348 conn
->lp_ctx
= ldapsrv_service
->lp_ctx
;
350 c
->private_data
= conn
;
352 socket_address
= socket_get_my_addr(c
->socket
, conn
);
353 if (!socket_address
) {
354 ldapsrv_terminate_connection(conn
, "ldapsrv_accept: failed to obtain local socket address!");
357 port
= socket_address
->port
;
358 talloc_free(socket_address
);
359 if (port
== 3268 || port
== 3269) /* Global catalog */ {
360 conn
->global_catalog
= true;
363 server_credentials
= cli_credentials_init_server(conn
, conn
->lp_ctx
);
364 if (!server_credentials
) {
365 stream_terminate_connection(c
, "Failed to init server credentials\n");
369 conn
->server_credentials
= server_credentials
;
371 conn
->session_info
= session_info
;
373 conn
->sockets
.active
= conn
->sockets
.raw
;
375 if (conn
->is_privileged
) {
376 conn
->require_strong_auth
= LDAP_SERVER_REQUIRE_STRONG_AUTH_NO
;
378 conn
->require_strong_auth
= lpcfg_ldap_server_require_strong_auth(conn
->lp_ctx
);
381 if (conn
->require_strong_auth
==
382 LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS
)
384 D_ERR("WARNING: You have not configured "
385 "'ldap server require strong auth = "
386 "allow_sasl_over_tls'.\n"
387 "Please change to 'yes' (preferred and default) or "
388 "'allow_sasl_without_tls_channel_bindings' "
389 "(if really needed)\n\n");
392 ret
= ldapsrv_backend_Init(conn
, &errstring
);
393 if (ret
!= LDB_SUCCESS
) {
394 char *reason
= talloc_asprintf(conn
,
395 "LDB backend for LDAP Init "
397 errstring
, ldb_strerror(ret
));
398 ldapsrv_terminate_connection(conn
, reason
);
402 /* load limits from the conf partition */
403 ldapsrv_load_limits(conn
); /* should we fail on error ? */
405 /* register the server */
406 irpc_add_name(c
->msg_ctx
, "ldap_server");
408 DLIST_ADD_END(ldapsrv_service
->connections
, conn
);
410 if (port
!= 636 && port
!= 3269) {
411 ldapsrv_call_read_next(conn
);
415 endtime
= timeval_current_ofs(conn
->limits
.conn_idle_time
, 0);
417 subreq
= tstream_tls_accept_send(conn
,
418 conn
->connection
->event
.ctx
,
420 conn
->service
->tls_params
);
421 if (subreq
== NULL
) {
422 ldapsrv_terminate_connection(conn
, "ldapsrv_accept: "
423 "no memory for tstream_tls_accept_send");
426 tevent_req_set_endtime(subreq
,
427 conn
->connection
->event
.ctx
,
429 tevent_req_set_callback(subreq
, ldapsrv_accept_tls_done
, conn
);
432 static void ldapsrv_accept_tls_done(struct tevent_req
*subreq
)
434 struct ldapsrv_connection
*conn
=
435 tevent_req_callback_data(subreq
,
436 struct ldapsrv_connection
);
440 ret
= tstream_tls_accept_recv(subreq
, &sys_errno
,
441 conn
, &conn
->sockets
.tls
);
446 reason
= talloc_asprintf(conn
, "ldapsrv_accept_tls_loop: "
447 "tstream_tls_accept_recv() - %d:%s",
448 sys_errno
, strerror(sys_errno
));
450 reason
= "ldapsrv_accept_tls_loop: "
451 "tstream_tls_accept_recv() - failed";
454 ldapsrv_terminate_connection(conn
, reason
);
458 conn
->sockets
.active
= conn
->sockets
.tls
;
459 conn
->referral_scheme
= LDAP_REFERRAL_SCHEME_LDAPS
;
460 ldapsrv_call_read_next(conn
);
463 static void ldapsrv_call_read_done(struct tevent_req
*subreq
);
464 static NTSTATUS
ldapsrv_packet_check(
465 struct tstream_context
*stream
,
468 size_t *packet_size
);
470 static bool ldapsrv_call_read_next(struct ldapsrv_connection
*conn
)
472 struct tevent_req
*subreq
;
474 if (conn
->pending_calls
!= NULL
) {
475 conn
->limits
.endtime
= timeval_zero();
477 ldapsrv_notification_retry_setup(conn
->service
, false);
478 } else if (timeval_is_zero(&conn
->limits
.endtime
)) {
479 conn
->limits
.endtime
=
480 timeval_current_ofs(conn
->limits
.initial_timeout
, 0);
482 conn
->limits
.endtime
=
483 timeval_current_ofs(conn
->limits
.conn_idle_time
, 0);
486 if (conn
->sockets
.read_req
!= NULL
) {
491 * The minimum size of a LDAP pdu is 7 bytes
493 * dumpasn1 -hh ldap-unbind-min.dat
495 * <30 05 02 01 09 42 00>
500 * 5 0: [APPLICATION 2]
501 * : Error: Object has zero length.
504 * dumpasn1 -hh ldap-unbind-windows.dat
506 * <30 84 00 00 00 05 02 01 09 42 00>
511 * 9 0: [APPLICATION 2]
512 * : Error: Object has zero length.
515 * This means using an initial read size
518 subreq
= tstream_read_pdu_blob_send(conn
,
519 conn
->connection
->event
.ctx
,
520 conn
->sockets
.active
,
521 7, /* initial_read_size */
522 ldapsrv_packet_check
,
524 if (subreq
== NULL
) {
525 ldapsrv_terminate_connection(conn
, "ldapsrv_call_read_next: "
526 "no memory for tstream_read_pdu_blob_send");
529 if (!timeval_is_zero(&conn
->limits
.endtime
)) {
531 ok
= tevent_req_set_endtime(subreq
,
532 conn
->connection
->event
.ctx
,
533 conn
->limits
.endtime
);
535 ldapsrv_terminate_connection(
537 "ldapsrv_call_read_next: "
538 "no memory for tevent_req_set_endtime");
542 tevent_req_set_callback(subreq
, ldapsrv_call_read_done
, conn
);
543 conn
->sockets
.read_req
= subreq
;
547 static void ldapsrv_call_process_done(struct tevent_req
*subreq
);
548 static int ldapsrv_check_packet_size(
549 struct ldapsrv_connection
*conn
,
552 static void ldapsrv_call_read_done(struct tevent_req
*subreq
)
554 struct ldapsrv_connection
*conn
=
555 tevent_req_callback_data(subreq
,
556 struct ldapsrv_connection
);
558 struct ldapsrv_call
*call
;
559 struct asn1_data
*asn1
;
561 int ret
= LDAP_SUCCESS
;
562 struct ldap_request_limits limits
= {0};
564 conn
->sockets
.read_req
= NULL
;
566 call
= talloc_zero(conn
, struct ldapsrv_call
);
568 ldapsrv_terminate_connection(conn
, "no memory");
571 talloc_set_destructor(call
, ldapsrv_call_destructor
);
575 status
= tstream_read_pdu_blob_recv(subreq
,
579 if (!NT_STATUS_IS_OK(status
)) {
582 reason
= talloc_asprintf(call
, "ldapsrv_call_loop: "
583 "tstream_read_pdu_blob_recv() - %s",
586 reason
= nt_errstr(status
);
589 ldapsrv_terminate_connection(conn
, reason
);
593 ret
= ldapsrv_check_packet_size(conn
, blob
.length
);
594 if (ret
!= LDAP_SUCCESS
) {
595 ldapsrv_terminate_connection(
597 "Request packet too large");
601 asn1
= asn1_init(call
, ASN1_MAX_TREE_DEPTH
);
603 ldapsrv_terminate_connection(conn
, "no memory");
607 call
->request
= talloc(call
, struct ldap_message
);
608 if (call
->request
== NULL
) {
609 ldapsrv_terminate_connection(conn
, "no memory");
613 asn1_load_nocopy(asn1
, blob
.data
, blob
.length
);
615 limits
.max_search_size
=
616 lpcfg_ldap_max_search_request_size(conn
->lp_ctx
);
617 status
= ldap_decode(
620 samba_ldap_control_handlers(),
622 if (!NT_STATUS_IS_OK(status
)) {
623 ldapsrv_terminate_connection(conn
, nt_errstr(status
));
627 data_blob_free(&blob
);
631 /* queue the call in the global queue */
632 subreq
= ldapsrv_process_call_send(call
,
633 conn
->connection
->event
.ctx
,
634 conn
->service
->call_queue
,
636 if (subreq
== NULL
) {
637 ldapsrv_terminate_connection(conn
, "ldapsrv_process_call_send failed");
640 tevent_req_set_callback(subreq
, ldapsrv_call_process_done
, call
);
641 conn
->active_call
= subreq
;
644 static void ldapsrv_call_wait_done(struct tevent_req
*subreq
);
645 static void ldapsrv_call_writev_start(struct ldapsrv_call
*call
);
646 static void ldapsrv_call_writev_done(struct tevent_req
*subreq
);
648 static void ldapsrv_call_process_done(struct tevent_req
*subreq
)
650 struct ldapsrv_call
*call
=
651 tevent_req_callback_data(subreq
,
652 struct ldapsrv_call
);
653 struct ldapsrv_connection
*conn
= call
->conn
;
656 conn
->active_call
= NULL
;
658 status
= ldapsrv_process_call_recv(subreq
);
660 if (!NT_STATUS_IS_OK(status
)) {
661 ldapsrv_terminate_connection(conn
, nt_errstr(status
));
665 if (call
->wait_send
!= NULL
) {
666 subreq
= call
->wait_send(call
,
667 conn
->connection
->event
.ctx
,
669 if (subreq
== NULL
) {
670 ldapsrv_terminate_connection(conn
,
671 "ldapsrv_call_process_done: "
672 "call->wait_send - no memory");
675 tevent_req_set_callback(subreq
,
676 ldapsrv_call_wait_done
,
678 conn
->active_call
= subreq
;
682 ldapsrv_call_writev_start(call
);
685 static void ldapsrv_call_wait_done(struct tevent_req
*subreq
)
687 struct ldapsrv_call
*call
=
688 tevent_req_callback_data(subreq
,
689 struct ldapsrv_call
);
690 struct ldapsrv_connection
*conn
= call
->conn
;
693 conn
->active_call
= NULL
;
695 status
= call
->wait_recv(subreq
);
697 if (!NT_STATUS_IS_OK(status
)) {
700 reason
= talloc_asprintf(call
, "ldapsrv_call_wait_done: "
701 "call->wait_recv() - %s",
703 if (reason
== NULL
) {
704 reason
= nt_errstr(status
);
707 ldapsrv_terminate_connection(conn
, reason
);
711 ldapsrv_call_writev_start(call
);
714 static void ldapsrv_call_writev_start(struct ldapsrv_call
*call
)
716 struct ldapsrv_connection
*conn
= call
->conn
;
717 struct ldapsrv_reply
*reply
= NULL
;
718 struct tevent_req
*subreq
= NULL
;
719 struct timeval endtime
;
725 /* build all the replies into an IOV (no copy) */
726 for (reply
= call
->replies
;
728 reply
= reply
->next
) {
730 /* Cap output at 25MB per writev() */
731 if (length
> length
+ reply
->blob
.length
732 || length
+ reply
->blob
.length
> LDAP_SERVER_MAX_CHUNK_SIZE
) {
737 * Overflow is harmless here, just used below to
738 * decide if to read or write, but checked above anyway
740 length
+= reply
->blob
.length
;
743 * At worst an overflow would mean we send less
750 if (!call
->notification
.busy
) {
754 ldapsrv_call_read_next(conn
);
758 /* Cap call->iov_count at IOV_MAX */
759 call
->iov_count
= MIN(call
->iov_count
, IOV_MAX
);
761 call
->out_iov
= talloc_array(call
,
764 if (!call
->out_iov
) {
765 /* This is not ideal */
766 ldapsrv_terminate_connection(conn
,
767 "failed to allocate "
772 /* We may have had to cap the number of replies at IOV_MAX */
774 i
< call
->iov_count
&& call
->replies
!= NULL
;
776 reply
= call
->replies
;
777 call
->out_iov
[i
].iov_base
= reply
->blob
.data
;
778 call
->out_iov
[i
].iov_len
= reply
->blob
.length
;
780 /* Keep only the ASN.1 encoded data */
781 talloc_steal(call
->out_iov
, reply
->blob
.data
);
783 DLIST_REMOVE(call
->replies
, reply
);
787 if (i
> call
->iov_count
) {
788 /* This is not ideal, but also (essentially) impossible */
789 ldapsrv_terminate_connection(conn
,
795 subreq
= tstream_writev_queue_send(call
,
796 conn
->connection
->event
.ctx
,
797 conn
->sockets
.active
,
798 conn
->sockets
.send_queue
,
799 call
->out_iov
, call
->iov_count
);
800 if (subreq
== NULL
) {
801 ldapsrv_terminate_connection(conn
, "stream_writev_queue_send failed");
804 endtime
= timeval_current_ofs(conn
->limits
.conn_idle_time
, 0);
805 tevent_req_set_endtime(subreq
,
806 conn
->connection
->event
.ctx
,
808 tevent_req_set_callback(subreq
, ldapsrv_call_writev_done
, call
);
811 static void ldapsrv_call_postprocess_done(struct tevent_req
*subreq
);
813 static void ldapsrv_call_writev_done(struct tevent_req
*subreq
)
815 struct ldapsrv_call
*call
=
816 tevent_req_callback_data(subreq
,
817 struct ldapsrv_call
);
818 struct ldapsrv_connection
*conn
= call
->conn
;
822 rc
= tstream_writev_queue_recv(subreq
, &sys_errno
);
825 /* This releases the ASN.1 encoded packets from memory */
826 TALLOC_FREE(call
->out_iov
);
830 reason
= talloc_asprintf(call
, "ldapsrv_call_writev_done: "
831 "tstream_writev_queue_recv() - %d:%s",
832 sys_errno
, strerror(sys_errno
));
833 if (reason
== NULL
) {
834 reason
= "ldapsrv_call_writev_done: "
835 "tstream_writev_queue_recv() failed";
838 ldapsrv_terminate_connection(conn
, reason
);
842 if (call
->postprocess_send
) {
843 subreq
= call
->postprocess_send(call
,
844 conn
->connection
->event
.ctx
,
845 call
->postprocess_private
);
846 if (subreq
== NULL
) {
847 ldapsrv_terminate_connection(conn
, "ldapsrv_call_writev_done: "
848 "call->postprocess_send - no memory");
851 tevent_req_set_callback(subreq
,
852 ldapsrv_call_postprocess_done
,
857 /* Perhaps still some more to send */
858 if (call
->replies
!= NULL
) {
859 ldapsrv_call_writev_start(call
);
863 if (!call
->notification
.busy
) {
867 ldapsrv_call_read_next(conn
);
870 static void ldapsrv_call_postprocess_done(struct tevent_req
*subreq
)
872 struct ldapsrv_call
*call
=
873 tevent_req_callback_data(subreq
,
874 struct ldapsrv_call
);
875 struct ldapsrv_connection
*conn
= call
->conn
;
878 status
= call
->postprocess_recv(subreq
);
880 if (!NT_STATUS_IS_OK(status
)) {
883 reason
= talloc_asprintf(call
, "ldapsrv_call_postprocess_done: "
884 "call->postprocess_recv() - %s",
886 if (reason
== NULL
) {
887 reason
= nt_errstr(status
);
890 ldapsrv_terminate_connection(conn
, reason
);
896 ldapsrv_call_read_next(conn
);
899 static void ldapsrv_notification_retry_done(struct tevent_req
*subreq
);
901 void ldapsrv_notification_retry_setup(struct ldapsrv_service
*service
, bool force
)
903 struct ldapsrv_connection
*conn
= NULL
;
904 struct timeval retry
;
905 size_t num_pending
= 0;
906 size_t num_active
= 0;
909 TALLOC_FREE(service
->notification
.retry
);
910 service
->notification
.generation
+= 1;
913 if (service
->notification
.retry
!= NULL
) {
917 for (conn
= service
->connections
; conn
!= NULL
; conn
= conn
->next
) {
918 if (conn
->pending_calls
== NULL
) {
924 if (conn
->pending_calls
->notification
.generation
!=
925 service
->notification
.generation
)
931 if (num_pending
== 0) {
935 if (num_active
!= 0) {
936 retry
= timeval_current_ofs(0, 100);
938 retry
= timeval_current_ofs(5, 0);
941 service
->notification
.retry
= tevent_wakeup_send(service
,
944 if (service
->notification
.retry
== NULL
) {
949 tevent_req_set_callback(service
->notification
.retry
,
950 ldapsrv_notification_retry_done
,
954 static void ldapsrv_notification_retry_done(struct tevent_req
*subreq
)
956 struct ldapsrv_service
*service
=
957 tevent_req_callback_data(subreq
,
958 struct ldapsrv_service
);
959 struct ldapsrv_connection
*conn
= NULL
;
960 struct ldapsrv_connection
*conn_next
= NULL
;
963 service
->notification
.retry
= NULL
;
965 ok
= tevent_wakeup_recv(subreq
);
971 for (conn
= service
->connections
; conn
!= NULL
; conn
= conn_next
) {
972 struct ldapsrv_call
*call
= conn
->pending_calls
;
974 conn_next
= conn
->next
;
976 if (conn
->pending_calls
== NULL
) {
980 if (conn
->active_call
!= NULL
) {
984 DLIST_DEMOTE(conn
->pending_calls
, call
);
985 call
->notification
.generation
=
986 service
->notification
.generation
;
988 /* queue the call in the global queue */
989 subreq
= ldapsrv_process_call_send(call
,
990 conn
->connection
->event
.ctx
,
991 conn
->service
->call_queue
,
993 if (subreq
== NULL
) {
994 ldapsrv_terminate_connection(conn
,
995 "ldapsrv_process_call_send failed");
998 tevent_req_set_callback(subreq
, ldapsrv_call_process_done
, call
);
999 conn
->active_call
= subreq
;
1002 ldapsrv_notification_retry_setup(service
, false);
1005 struct ldapsrv_process_call_state
{
1006 struct ldapsrv_call
*call
;
1009 static void ldapsrv_process_call_trigger(struct tevent_req
*req
,
1010 void *private_data
);
1012 static struct tevent_req
*ldapsrv_process_call_send(TALLOC_CTX
*mem_ctx
,
1013 struct tevent_context
*ev
,
1014 struct tevent_queue
*call_queue
,
1015 struct ldapsrv_call
*call
)
1017 struct tevent_req
*req
;
1018 struct ldapsrv_process_call_state
*state
;
1021 req
= tevent_req_create(mem_ctx
, &state
,
1022 struct ldapsrv_process_call_state
);
1029 ok
= tevent_queue_add(call_queue
, ev
, req
,
1030 ldapsrv_process_call_trigger
, NULL
);
1032 tevent_req_oom(req
);
1033 return tevent_req_post(req
, ev
);
1039 static void ldapsrv_disconnect_ticket_expired(struct tevent_req
*subreq
);
1041 static void ldapsrv_process_call_trigger(struct tevent_req
*req
,
1044 struct ldapsrv_process_call_state
*state
=
1045 tevent_req_data(req
,
1046 struct ldapsrv_process_call_state
);
1047 struct ldapsrv_connection
*conn
= state
->call
->conn
;
1050 if (conn
->deferred_expire_disconnect
!= NULL
) {
1052 * Just drop this on the floor
1054 tevent_req_done(req
);
1059 status
= ldapsrv_do_call(state
->call
);
1061 if (NT_STATUS_EQUAL(status
, NT_STATUS_NETWORK_SESSION_EXPIRED
)) {
1063 * For testing purposes, defer the TCP disconnect
1064 * after having sent the msgid 0
1065 * 1.3.6.1.4.1.1466.20036 exop response. LDAP clients
1066 * should not wait for the TCP connection to close but
1067 * handle this packet equivalent to a TCP
1068 * disconnect. This delay enables testing both cases
1069 * in LDAP client libraries.
1072 int defer_msec
= lpcfg_parm_int(
1076 "delay_expire_disconnect",
1079 conn
->deferred_expire_disconnect
= tevent_wakeup_send(
1081 conn
->connection
->event
.ctx
,
1082 timeval_current_ofs_msec(defer_msec
));
1083 if (tevent_req_nomem(conn
->deferred_expire_disconnect
, req
)) {
1086 tevent_req_set_callback(
1087 conn
->deferred_expire_disconnect
,
1088 ldapsrv_disconnect_ticket_expired
,
1091 tevent_req_done(req
);
1095 if (!NT_STATUS_IS_OK(status
)) {
1096 tevent_req_nterror(req
, status
);
1100 tevent_req_done(req
);
1103 static void ldapsrv_disconnect_ticket_expired(struct tevent_req
*subreq
)
1105 struct ldapsrv_connection
*conn
= tevent_req_callback_data(
1106 subreq
, struct ldapsrv_connection
);
1109 ok
= tevent_wakeup_recv(subreq
);
1110 TALLOC_FREE(subreq
);
1112 DBG_WARNING("tevent_wakeup_recv failed\n");
1114 conn
->deferred_expire_disconnect
= NULL
;
1115 ldapsrv_terminate_connection(conn
, "network session expired");
1118 static NTSTATUS
ldapsrv_process_call_recv(struct tevent_req
*req
)
1122 if (tevent_req_is_nterror(req
, &status
)) {
1123 tevent_req_received(req
);
1127 tevent_req_received(req
);
1128 return NT_STATUS_OK
;
1131 static void ldapsrv_accept_nonpriv(struct stream_connection
*c
)
1133 struct ldapsrv_service
*ldapsrv_service
= talloc_get_type_abort(
1134 c
->private_data
, struct ldapsrv_service
);
1135 struct auth_session_info
*session_info
;
1138 status
= auth_anonymous_session_info(
1139 c
, ldapsrv_service
->lp_ctx
, &session_info
);
1140 if (!NT_STATUS_IS_OK(status
)) {
1141 stream_terminate_connection(c
, "failed to setup anonymous "
1145 ldapsrv_accept(c
, session_info
, false, false);
1148 static const struct stream_server_ops ldap_stream_nonpriv_ops
= {
1150 .accept_connection
= ldapsrv_accept_nonpriv
,
1151 .recv_handler
= ldapsrv_recv
,
1152 .send_handler
= ldapsrv_send
,
1155 static void ldapsrv_accept_nonpriv_ldapi(struct stream_connection
*c
)
1157 struct ldapsrv_service
*ldapsrv_service
= talloc_get_type_abort(
1158 c
->private_data
, struct ldapsrv_service
);
1159 struct auth_session_info
*session_info
;
1162 status
= auth_anonymous_session_info(
1163 c
, ldapsrv_service
->lp_ctx
, &session_info
);
1164 if (!NT_STATUS_IS_OK(status
)) {
1165 stream_terminate_connection(c
, "failed to setup anonymous "
1169 ldapsrv_accept(c
, session_info
, false, true);
1172 static const struct stream_server_ops ldapi_stream_nonpriv_ops
= {
1174 .accept_connection
= ldapsrv_accept_nonpriv_ldapi
,
1175 .recv_handler
= ldapsrv_recv
,
1176 .send_handler
= ldapsrv_send
,
1179 /* The feature removed behind an #ifdef until we can do it properly
1180 * with an EXTERNAL bind. */
1182 #define WITH_LDAPI_PRIV_SOCKET
1184 #ifdef WITH_LDAPI_PRIV_SOCKET
1185 static void ldapsrv_accept_priv_ldapi(struct stream_connection
*c
)
1187 struct ldapsrv_service
*ldapsrv_service
= talloc_get_type_abort(
1188 c
->private_data
, struct ldapsrv_service
);
1189 struct auth_session_info
*session_info
;
1191 session_info
= system_session(ldapsrv_service
->lp_ctx
);
1192 if (!session_info
) {
1193 stream_terminate_connection(c
, "failed to setup system "
1197 ldapsrv_accept(c
, session_info
, true, true);
1200 static const struct stream_server_ops ldapi_stream_priv_ops
= {
1202 .accept_connection
= ldapsrv_accept_priv_ldapi
,
1203 .recv_handler
= ldapsrv_recv
,
1204 .send_handler
= ldapsrv_send
,
1211 add a socket address to the list of events, one event per port
1213 static NTSTATUS
add_socket(struct task_server
*task
,
1214 struct loadparm_context
*lp_ctx
,
1215 const struct model_ops
*model_ops
,
1216 const char *address
, struct ldapsrv_service
*ldap_service
)
1218 uint16_t port
= 389;
1220 struct ldb_context
*ldb
;
1222 status
= stream_setup_socket(task
, task
->event_ctx
, lp_ctx
,
1223 model_ops
, &ldap_stream_nonpriv_ops
,
1224 "ip", address
, &port
,
1225 lpcfg_socket_options(lp_ctx
),
1226 ldap_service
, task
->process_context
);
1227 if (!NT_STATUS_IS_OK(status
)) {
1228 DBG_ERR("ldapsrv failed to bind to %s:%u - %s\n",
1229 address
, port
, nt_errstr(status
));
1233 if (tstream_tls_params_enabled(ldap_service
->tls_params
)) {
1234 /* add ldaps server */
1236 status
= stream_setup_socket(task
, task
->event_ctx
, lp_ctx
,
1238 &ldap_stream_nonpriv_ops
,
1239 "ip", address
, &port
,
1240 lpcfg_socket_options(lp_ctx
),
1242 task
->process_context
);
1243 if (!NT_STATUS_IS_OK(status
)) {
1244 DBG_ERR("ldapsrv failed to bind to %s:%u - %s\n",
1245 address
, port
, nt_errstr(status
));
1250 /* Load LDAP database, but only to read our settings */
1251 ldb
= samdb_connect(ldap_service
,
1252 ldap_service
->current_ev
,
1254 system_session(lp_ctx
),
1258 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
1261 if (samdb_is_gc(ldb
)) {
1263 status
= stream_setup_socket(task
, task
->event_ctx
, lp_ctx
,
1265 &ldap_stream_nonpriv_ops
,
1266 "ip", address
, &port
,
1267 lpcfg_socket_options(lp_ctx
),
1269 task
->process_context
);
1270 if (!NT_STATUS_IS_OK(status
)) {
1271 DBG_ERR("ldapsrv failed to bind to %s:%u - %s\n",
1272 address
, port
, nt_errstr(status
));
1275 if (tstream_tls_params_enabled(ldap_service
->tls_params
)) {
1276 /* add ldaps server for the global catalog */
1278 status
= stream_setup_socket(task
, task
->event_ctx
, lp_ctx
,
1280 &ldap_stream_nonpriv_ops
,
1281 "ip", address
, &port
,
1282 lpcfg_socket_options(lp_ctx
),
1284 task
->process_context
);
1285 if (!NT_STATUS_IS_OK(status
)) {
1286 DBG_ERR("ldapsrv failed to bind to %s:%u - %s\n",
1287 address
, port
, nt_errstr(status
));
1293 /* And once we are bound, free the temporary ldb, it will
1294 * connect again on each incoming LDAP connection */
1295 talloc_unlink(ldap_service
, ldb
);
1297 return NT_STATUS_OK
;
1300 static void ldap_reload_certs(struct imessaging_context
*msg_ctx
,
1303 struct server_id server_id
,
1308 TALLOC_CTX
*frame
= talloc_stackframe();
1309 struct ldapsrv_service
*ldap_service
=
1310 talloc_get_type_abort(private_data
,
1311 struct ldapsrv_service
);
1312 int default_children
;
1316 struct server_id ldap_master_id
;
1318 struct tstream_tls_params
*new_tls_params
= NULL
;
1320 SMB_ASSERT(msg_ctx
== ldap_service
->current_msg
);
1322 /* reload certificates */
1323 status
= tstream_tls_params_server(ldap_service
,
1324 ldap_service
->dns_host_name
,
1325 lpcfg_tls_enabled(ldap_service
->lp_ctx
),
1326 lpcfg_tls_keyfile(frame
, ldap_service
->lp_ctx
),
1327 lpcfg_tls_certfile(frame
, ldap_service
->lp_ctx
),
1328 lpcfg_tls_cafile(frame
, ldap_service
->lp_ctx
),
1329 lpcfg_tls_crlfile(frame
, ldap_service
->lp_ctx
),
1330 lpcfg_tls_dhpfile(frame
, ldap_service
->lp_ctx
),
1331 lpcfg_tls_priority(ldap_service
->lp_ctx
),
1333 if (!NT_STATUS_IS_OK(status
)) {
1334 DBG_ERR("ldapsrv failed tstream_tls_params_server - %s\n",
1340 TALLOC_FREE(ldap_service
->tls_params
);
1341 ldap_service
->tls_params
= new_tls_params
;
1343 if (getpid() != ldap_service
->parent_pid
) {
1345 * If we are not the master process we are done
1352 * Check we're running under the prefork model,
1353 * by checking if the prefork-master-ldap name
1356 ok
= server_id_db_lookup_one(msg_ctx
->names
, "prefork-master-ldap", &ldap_master_id
);
1359 * We are done if another process model is in use.
1366 * Now we loop over all possible prefork workers
1367 * in order to notify them about the reload
1369 default_children
= lpcfg_prefork_children(ldap_service
->lp_ctx
);
1370 num_children
= lpcfg_parm_int(ldap_service
->lp_ctx
,
1371 NULL
, "prefork children", "ldap",
1373 for (i
= 0; i
< num_children
; i
++) {
1374 char child_name
[64] = { 0, };
1375 struct server_id ldap_worker_id
;
1377 snprintf(child_name
, sizeof(child_name
), "prefork-worker-ldap-%d", i
);
1378 ok
= server_id_db_lookup_one(msg_ctx
->names
, child_name
, &ldap_worker_id
);
1380 DBG_ERR("server_id_db_lookup_one(%s) - failed\n",
1385 status
= imessaging_send(msg_ctx
, ldap_worker_id
,
1386 MSG_RELOAD_TLS_CERTIFICATES
, NULL
);
1387 if (!NT_STATUS_IS_OK(status
)) {
1388 struct server_id_buf id_buf
;
1389 DBG_ERR("ldapsrv failed imessaging_send(%s, %s) - %s\n",
1391 server_id_str_buf(ldap_worker_id
, &id_buf
),
1401 open the ldap server sockets
1403 static NTSTATUS
ldapsrv_task_init(struct task_server
*task
)
1406 #ifdef WITH_LDAPI_PRIV_SOCKET
1409 struct ldapsrv_service
*ldap_service
;
1412 switch (lpcfg_server_role(task
->lp_ctx
)) {
1413 case ROLE_STANDALONE
:
1414 task_server_terminate(task
, "ldap_server: no LDAP server required in standalone configuration",
1416 return NT_STATUS_INVALID_DOMAIN_ROLE
;
1417 case ROLE_DOMAIN_MEMBER
:
1418 task_server_terminate(task
, "ldap_server: no LDAP server required in member server configuration",
1420 return NT_STATUS_INVALID_DOMAIN_ROLE
;
1421 case ROLE_ACTIVE_DIRECTORY_DC
:
1422 /* Yes, we want an LDAP server */
1426 task_server_set_title(task
, "task[ldapsrv]");
1428 ldap_service
= talloc_zero(task
, struct ldapsrv_service
);
1429 if (ldap_service
== NULL
) {
1430 status
= NT_STATUS_NO_MEMORY
;
1434 ldap_service
->lp_ctx
= task
->lp_ctx
;
1435 ldap_service
->current_ev
= task
->event_ctx
;
1436 ldap_service
->current_msg
= task
->msg_ctx
;
1438 ldap_service
->dns_host_name
= talloc_asprintf(ldap_service
, "%s.%s",
1439 lpcfg_netbios_name(task
->lp_ctx
),
1440 lpcfg_dnsdomain(task
->lp_ctx
));
1441 if (ldap_service
->dns_host_name
== NULL
) {
1442 status
= NT_STATUS_NO_MEMORY
;
1446 ldap_service
->parent_pid
= getpid();
1448 status
= tstream_tls_params_server(ldap_service
,
1449 ldap_service
->dns_host_name
,
1450 lpcfg_tls_enabled(task
->lp_ctx
),
1451 lpcfg_tls_keyfile(ldap_service
, task
->lp_ctx
),
1452 lpcfg_tls_certfile(ldap_service
, task
->lp_ctx
),
1453 lpcfg_tls_cafile(ldap_service
, task
->lp_ctx
),
1454 lpcfg_tls_crlfile(ldap_service
, task
->lp_ctx
),
1455 lpcfg_tls_dhpfile(ldap_service
, task
->lp_ctx
),
1456 lpcfg_tls_priority(task
->lp_ctx
),
1457 &ldap_service
->tls_params
);
1458 if (!NT_STATUS_IS_OK(status
)) {
1459 DBG_ERR("ldapsrv failed tstream_tls_params_server - %s\n",
1464 ldap_service
->call_queue
= tevent_queue_create(ldap_service
, "ldapsrv_call_queue");
1465 if (ldap_service
->call_queue
== NULL
) {
1466 status
= NT_STATUS_NO_MEMORY
;
1470 if (lpcfg_interfaces(task
->lp_ctx
) && lpcfg_bind_interfaces_only(task
->lp_ctx
)) {
1471 struct interface
*ifaces
;
1475 load_interface_list(task
, task
->lp_ctx
, &ifaces
);
1476 num_interfaces
= iface_list_count(ifaces
);
1478 /* We have been given an interfaces line, and been
1479 told to only bind to those interfaces. Create a
1480 socket per interface and bind to only these.
1482 for(i
= 0; i
< num_interfaces
; i
++) {
1483 const char *address
= iface_list_n_ip(ifaces
, i
);
1484 status
= add_socket(task
, task
->lp_ctx
, task
->model_ops
,
1485 address
, ldap_service
);
1486 if (!NT_STATUS_IS_OK(status
)) goto failed
;
1491 size_t num_binds
= 0;
1492 wcard
= iface_list_wildcard(task
);
1493 if (wcard
== NULL
) {
1494 DBG_ERR("No wildcard addresses available\n");
1495 status
= NT_STATUS_UNSUCCESSFUL
;
1498 for (i
=0; wcard
[i
]; i
++) {
1499 status
= add_socket(task
, task
->lp_ctx
, task
->model_ops
,
1500 wcard
[i
], ldap_service
);
1501 if (NT_STATUS_IS_OK(status
)) {
1506 if (num_binds
== 0) {
1507 status
= NT_STATUS_UNSUCCESSFUL
;
1512 ldapi_path
= lpcfg_private_path(ldap_service
, task
->lp_ctx
, "ldapi");
1514 status
= NT_STATUS_UNSUCCESSFUL
;
1518 status
= stream_setup_socket(task
, task
->event_ctx
, task
->lp_ctx
,
1519 task
->model_ops
, &ldapi_stream_nonpriv_ops
,
1520 "unix", ldapi_path
, NULL
,
1521 lpcfg_socket_options(task
->lp_ctx
),
1522 ldap_service
, task
->process_context
);
1523 talloc_free(ldapi_path
);
1524 if (!NT_STATUS_IS_OK(status
)) {
1525 DBG_ERR("ldapsrv failed to bind to %s - %s\n",
1526 ldapi_path
, nt_errstr(status
));
1529 #ifdef WITH_LDAPI_PRIV_SOCKET
1530 priv_dir
= lpcfg_private_path(ldap_service
, task
->lp_ctx
, "ldap_priv");
1531 if (priv_dir
== NULL
) {
1532 status
= NT_STATUS_UNSUCCESSFUL
;
1536 * Make sure the directory for the privileged ldapi socket exists, and
1537 * is of the correct permissions
1539 if (!directory_create_or_exist(priv_dir
, 0750)) {
1540 task_server_terminate(task
, "Cannot create ldap "
1541 "privileged ldapi directory", true);
1542 return NT_STATUS_UNSUCCESSFUL
;
1544 ldapi_path
= talloc_asprintf(ldap_service
, "%s/ldapi", priv_dir
);
1545 talloc_free(priv_dir
);
1546 if (ldapi_path
== NULL
) {
1547 status
= NT_STATUS_NO_MEMORY
;
1551 status
= stream_setup_socket(task
, task
->event_ctx
, task
->lp_ctx
,
1552 task
->model_ops
, &ldapi_stream_priv_ops
,
1553 "unix", ldapi_path
, NULL
,
1554 lpcfg_socket_options(task
->lp_ctx
),
1556 task
->process_context
);
1557 talloc_free(ldapi_path
);
1558 if (!NT_STATUS_IS_OK(status
)) {
1559 DBG_ERR("ldapsrv failed to bind to %s - %s\n",
1560 ldapi_path
, nt_errstr(status
));
1565 /* register the server */
1566 irpc_add_name(task
->msg_ctx
, "ldap_server");
1568 task
->private_data
= ldap_service
;
1570 return NT_STATUS_OK
;
1573 task_server_terminate(task
, "Failed to startup ldap server task", true);
1578 * Open a database to be later used by LDB wrap code (although it should be
1579 * plumbed through correctly eventually).
1581 static void ldapsrv_post_fork(struct task_server
*task
, struct process_details
*pd
)
1583 struct ldapsrv_service
*ldap_service
=
1584 talloc_get_type_abort(task
->private_data
, struct ldapsrv_service
);
1587 * As ldapsrv_before_loop() may changed the values for the parent loop
1588 * we need to adjust the pointers to the correct value in the child
1590 ldap_service
->lp_ctx
= task
->lp_ctx
;
1591 ldap_service
->current_ev
= task
->event_ctx
;
1592 ldap_service
->current_msg
= task
->msg_ctx
;
1594 ldap_service
->sam_ctx
= samdb_connect(ldap_service
,
1595 ldap_service
->current_ev
,
1596 ldap_service
->lp_ctx
,
1597 system_session(ldap_service
->lp_ctx
),
1600 if (ldap_service
->sam_ctx
== NULL
) {
1601 task_server_terminate(task
, "Cannot open system session LDB",
1607 static void ldapsrv_before_loop(struct task_server
*task
)
1609 struct ldapsrv_service
*ldap_service
=
1610 talloc_get_type_abort(task
->private_data
, struct ldapsrv_service
);
1613 if (ldap_service
->sam_ctx
!= NULL
) {
1615 * Make sure the values are still the same
1616 * as set in ldapsrv_post_fork()
1618 SMB_ASSERT(task
->lp_ctx
== ldap_service
->lp_ctx
);
1619 SMB_ASSERT(task
->event_ctx
== ldap_service
->current_ev
);
1620 SMB_ASSERT(task
->msg_ctx
== ldap_service
->current_msg
);
1623 * We need to adjust the pointers to the correct value
1624 * in the parent loop.
1626 ldap_service
->lp_ctx
= task
->lp_ctx
;
1627 ldap_service
->current_ev
= task
->event_ctx
;
1628 ldap_service
->current_msg
= task
->msg_ctx
;
1631 status
= imessaging_register(ldap_service
->current_msg
,
1633 MSG_RELOAD_TLS_CERTIFICATES
,
1635 if (!NT_STATUS_IS_OK(status
)) {
1636 task_server_terminate(task
, "Cannot register ldap_reload_certs",
1643 * Check the size of an ldap request packet.
1645 * For authenticated connections the maximum packet size is controlled by
1646 * the smb.conf parameter "ldap max authenticated request size"
1648 * For anonymous connections the maximum packet size is controlled by
1649 * the smb.conf parameter "ldap max anonymous request size"
1651 static int ldapsrv_check_packet_size(
1652 struct ldapsrv_connection
*conn
,
1655 bool is_anonymous
= false;
1656 size_t max_size
= 0;
1658 max_size
= lpcfg_ldap_max_anonymous_request_size(conn
->lp_ctx
);
1659 if (size
<= max_size
) {
1660 return LDAP_SUCCESS
;
1664 * Request is larger than the maximum unauthenticated request size.
1665 * As this code is called frequently we avoid calling
1666 * security_token_is_anonymous if possible
1668 if (conn
->session_info
!= NULL
&&
1669 conn
->session_info
->security_token
!= NULL
) {
1670 is_anonymous
= security_token_is_anonymous(
1671 conn
->session_info
->security_token
);
1676 "LDAP request size (%zu) exceeds (%zu)\n",
1679 return LDAP_UNWILLING_TO_PERFORM
;
1682 max_size
= lpcfg_ldap_max_authenticated_request_size(conn
->lp_ctx
);
1683 if (size
> max_size
) {
1685 "LDAP request size (%zu) exceeds (%zu)\n",
1688 return LDAP_UNWILLING_TO_PERFORM
;
1690 return LDAP_SUCCESS
;
1695 * Check that the blob contains enough data to be a valid packet
1696 * If there is a packet header check the size to ensure that it does not
1697 * exceed the maximum sizes.
1700 static NTSTATUS
ldapsrv_packet_check(
1701 struct tstream_context
*stream
,
1704 size_t *packet_size
)
1707 struct ldapsrv_connection
*conn
= private_data
;
1708 int result
= LDB_SUCCESS
;
1710 ret
= ldap_full_packet(stream
, private_data
, blob
, packet_size
);
1711 if (!NT_STATUS_IS_OK(ret
)) {
1714 result
= ldapsrv_check_packet_size(conn
, *packet_size
);
1715 if (result
!= LDAP_SUCCESS
) {
1716 return NT_STATUS_LDAP(result
);
1718 return NT_STATUS_OK
;
1721 NTSTATUS
server_service_ldap_init(TALLOC_CTX
*ctx
)
1723 static const struct service_details details
= {
1724 .inhibit_fork_on_accept
= false,
1725 .inhibit_pre_fork
= false,
1726 .task_init
= ldapsrv_task_init
,
1727 .post_fork
= ldapsrv_post_fork
,
1728 .before_loop
= ldapsrv_before_loop
,
1730 return register_server_service(ctx
, "ldap", &details
);