2 Unix SMB/CIFS implementation.
4 Copyright (C) Stefan Metzmacher 2004
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program; if not, write to the Free Software
18 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
22 #include "ldap_server/ldap_server.h"
23 #include "lib/util/dlinklist.h"
24 #include "libcli/ldap/ldap.h"
25 #include "lib/tls/tls.h"
26 #include "smbd/service_stream.h"
28 struct ldapsrv_starttls_context
{
29 struct ldapsrv_connection
*conn
;
30 struct socket_context
*tls_socket
;
33 static void ldapsrv_start_tls(void *private)
35 struct ldapsrv_starttls_context
*ctx
= talloc_get_type(private, struct ldapsrv_starttls_context
);
36 talloc_steal(ctx
->conn
->connection
, ctx
->tls_socket
);
37 talloc_unlink(ctx
->conn
->connection
, ctx
->conn
->connection
->socket
);
39 ctx
->conn
->sockets
.tls
= ctx
->tls_socket
;
40 ctx
->conn
->connection
->socket
= ctx
->tls_socket
;
41 packet_set_socket(ctx
->conn
->packet
, ctx
->conn
->connection
->socket
);
44 static NTSTATUS
ldapsrv_StartTLS(struct ldapsrv_call
*call
,
45 struct ldapsrv_reply
*reply
,
48 struct ldapsrv_starttls_context
*ctx
;
53 * TODO: give LDAP_OPERATIONS_ERROR also when
54 * there're pending requests or there's
55 * a SASL bind in progress
56 * (see rfc4513 section 3.1.1)
58 if (call
->conn
->sockets
.tls
) {
59 (*errstr
) = talloc_asprintf(reply
, "START-TLS: TLS is already enabled on this LDAP session");
60 return NT_STATUS_LDAP(LDAP_OPERATIONS_ERROR
);
63 ctx
= talloc(call
, struct ldapsrv_starttls_context
);
64 NT_STATUS_HAVE_NO_MEMORY(ctx
);
66 ctx
->conn
= call
->conn
;
67 ctx
->tls_socket
= tls_init_server(call
->conn
->service
->tls_params
,
68 call
->conn
->connection
->socket
,
69 call
->conn
->connection
->event
.fde
,
71 if (!ctx
->tls_socket
) {
72 (*errstr
) = talloc_asprintf(reply
, "START-TLS: Failed to setup TLS socket");
73 return NT_STATUS_LDAP(LDAP_OPERATIONS_ERROR
);
76 call
->send_callback
= ldapsrv_start_tls
;
77 call
->send_private
= ctx
;
79 reply
->msg
->r
.ExtendedResponse
.response
.resultcode
= LDAP_SUCCESS
;
80 reply
->msg
->r
.ExtendedResponse
.response
.errormessage
= NULL
;
82 ldapsrv_queue_reply(call
, reply
);
86 struct ldapsrv_extended_operation
{
88 NTSTATUS (*fn
)(struct ldapsrv_call
*call
, struct ldapsrv_reply
*reply
, const char **errorstr
);
91 static struct ldapsrv_extended_operation extended_ops
[] = {
93 .oid
= LDB_EXTENDED_START_TLS_OID
,
94 .fn
= ldapsrv_StartTLS
,
101 NTSTATUS
ldapsrv_ExtendedRequest(struct ldapsrv_call
*call
)
103 struct ldap_ExtendedRequest
*req
= &call
->request
->r
.ExtendedRequest
;
104 struct ldapsrv_reply
*reply
;
105 int result
= LDAP_PROTOCOL_ERROR
;
106 const char *error_str
= NULL
;
107 NTSTATUS status
= NT_STATUS_OK
;
110 DEBUG(10, ("Extended\n"));
112 reply
= ldapsrv_init_reply(call
, LDAP_TAG_ExtendedResponse
);
113 NT_STATUS_HAVE_NO_MEMORY(reply
);
115 ZERO_STRUCT(reply
->msg
->r
);
116 reply
->msg
->r
.ExtendedResponse
.oid
= talloc_steal(reply
, req
->oid
);
117 reply
->msg
->r
.ExtendedResponse
.response
.resultcode
= LDAP_PROTOCOL_ERROR
;
118 reply
->msg
->r
.ExtendedResponse
.response
.errormessage
= NULL
;
120 for (i
=0; extended_ops
[i
].oid
; i
++) {
121 if (strcmp(extended_ops
[i
].oid
,req
->oid
) != 0) continue;
124 * if the backend function returns an error we
125 * need to send the reply otherwise the reply is already
126 * send and we need to return directly
128 status
= extended_ops
[i
].fn(call
, reply
, &error_str
);
129 NT_STATUS_IS_OK_RETURN(status
);
131 if (NT_STATUS_IS_LDAP(status
)) {
132 result
= NT_STATUS_LDAP_CODE(status
);
134 result
= LDAP_OPERATIONS_ERROR
;
135 error_str
= talloc_asprintf(reply
, "Extended Operation(%s) failed: %s",
136 req
->oid
, nt_errstr(status
));
139 /* if we haven't found the oid, then status is still NT_STATUS_OK */
140 if (NT_STATUS_IS_OK(status
)) {
141 error_str
= talloc_asprintf(reply
, "Extended Operation(%s) not supported",
145 reply
->msg
->r
.ExtendedResponse
.response
.resultcode
= result
;
146 reply
->msg
->r
.ExtendedResponse
.response
.errormessage
= error_str
;
148 ldapsrv_queue_reply(call
, reply
);