search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3:winbindd: make use of ads_connect_cldap_only() in dcip_check_name_ads()
[Samba.git] / source4 / ldap_server / ldap_backend.c
blobcb033e823b45772d4b21684be529fcf4c97a30c8
1 /*
2 Unix SMB/CIFS implementation.
3 LDAP server
4 Copyright (C) Stefan Metzmacher 2004
5 Copyright (C) Matthias Dieter Wallnöfer 2009
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "includes.h"
22 #include <talloc.h>
23 #include "ldap_server/ldap_server.h"
24 #include "../lib/util/dlinklist.h"
25 #include "auth/credentials/credentials.h"
26 #include "auth/gensec/gensec.h"
27 #include "auth/common_auth.h"
28 #include "param/param.h"
29 #include "samba/service_stream.h"
30 #include "dsdb/gmsa/util.h"
31 #include "dsdb/samdb/samdb.h"
32 #include <ldb_errors.h>
33 #include <ldb_module.h>
34 #include "ldb_wrap.h"
35 #include "lib/tsocket/tsocket.h"
36 #include "libcli/ldap/ldap_proto.h"
37 #include "source4/auth/auth.h"
38
39 static int map_ldb_error(TALLOC_CTX *mem_ctx, int ldb_err,
40 const char *add_err_string, const char **errstring)
41 {
42 WERROR err;
43
44 /* Certain LDB modules need to return very special WERROR codes. Proof
45 * for them here and if they exist skip the rest of the mapping. */
46 if (add_err_string != NULL) {
47 char *endptr;
48 strtol(add_err_string, &endptr, 16);
49 if (endptr != add_err_string) {
50 *errstring = add_err_string;
51 return ldb_err;
52 }
53 }
54
55 /* Otherwise we calculate here a generic, but appropriate WERROR. */
56
57 switch (ldb_err) {
58 case LDB_SUCCESS:
59 err = WERR_OK;
60 break;
61 case LDB_ERR_OPERATIONS_ERROR:
62 err = WERR_DS_OPERATIONS_ERROR;
63 break;
64 case LDB_ERR_PROTOCOL_ERROR:
65 err = WERR_DS_PROTOCOL_ERROR;
66 break;
67 case LDB_ERR_TIME_LIMIT_EXCEEDED:
68 err = WERR_DS_TIMELIMIT_EXCEEDED;
69 break;
70 case LDB_ERR_SIZE_LIMIT_EXCEEDED:
71 err = WERR_DS_SIZELIMIT_EXCEEDED;
72 break;
73 case LDB_ERR_COMPARE_FALSE:
74 err = WERR_DS_COMPARE_FALSE;
75 break;
76 case LDB_ERR_COMPARE_TRUE:
77 err = WERR_DS_COMPARE_TRUE;
78 break;
79 case LDB_ERR_AUTH_METHOD_NOT_SUPPORTED:
80 err = WERR_DS_AUTH_METHOD_NOT_SUPPORTED;
81 break;
82 case LDB_ERR_STRONG_AUTH_REQUIRED:
83 err = WERR_DS_STRONG_AUTH_REQUIRED;
84 break;
85 case LDB_ERR_REFERRAL:
86 err = WERR_DS_REFERRAL;
87 break;
88 case LDB_ERR_ADMIN_LIMIT_EXCEEDED:
89 err = WERR_DS_ADMIN_LIMIT_EXCEEDED;
90 break;
91 case LDB_ERR_UNSUPPORTED_CRITICAL_EXTENSION:
92 err = WERR_DS_UNAVAILABLE_CRIT_EXTENSION;
93 break;
94 case LDB_ERR_CONFIDENTIALITY_REQUIRED:
95 err = WERR_DS_CONFIDENTIALITY_REQUIRED;
96 break;
97 case LDB_ERR_SASL_BIND_IN_PROGRESS:
98 err = WERR_DS_BUSY;
99 break;
100 case LDB_ERR_NO_SUCH_ATTRIBUTE:
101 err = WERR_DS_NO_ATTRIBUTE_OR_VALUE;
102 break;
103 case LDB_ERR_UNDEFINED_ATTRIBUTE_TYPE:
104 err = WERR_DS_ATTRIBUTE_TYPE_UNDEFINED;
105 break;
106 case LDB_ERR_INAPPROPRIATE_MATCHING:
107 err = WERR_DS_INAPPROPRIATE_MATCHING;
108 break;
109 case LDB_ERR_CONSTRAINT_VIOLATION:
110 err = WERR_DS_CONSTRAINT_VIOLATION;
111 break;
112 case LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS:
113 err = WERR_DS_ATTRIBUTE_OR_VALUE_EXISTS;
114 break;
115 case LDB_ERR_INVALID_ATTRIBUTE_SYNTAX:
116 err = WERR_DS_INVALID_ATTRIBUTE_SYNTAX;
117 break;
118 case LDB_ERR_NO_SUCH_OBJECT:
119 err = WERR_DS_NO_SUCH_OBJECT;
120 break;
121 case LDB_ERR_ALIAS_PROBLEM:
122 err = WERR_DS_ALIAS_PROBLEM;
123 break;
124 case LDB_ERR_INVALID_DN_SYNTAX:
125 err = WERR_DS_INVALID_DN_SYNTAX;
126 break;
127 case LDB_ERR_ALIAS_DEREFERENCING_PROBLEM:
128 err = WERR_DS_ALIAS_DEREF_PROBLEM;
129 break;
130 case LDB_ERR_INAPPROPRIATE_AUTHENTICATION:
131 err = WERR_DS_INAPPROPRIATE_AUTH;
132 break;
133 case LDB_ERR_INVALID_CREDENTIALS:
134 err = WERR_ACCESS_DENIED;
135 break;
136 case LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS:
137 err = WERR_DS_INSUFF_ACCESS_RIGHTS;
138 break;
139 case LDB_ERR_BUSY:
140 err = WERR_DS_BUSY;
141 break;
142 case LDB_ERR_UNAVAILABLE:
143 err = WERR_DS_UNAVAILABLE;
144 break;
145 case LDB_ERR_UNWILLING_TO_PERFORM:
146 err = WERR_DS_UNWILLING_TO_PERFORM;
147 break;
148 case LDB_ERR_LOOP_DETECT:
149 err = WERR_DS_LOOP_DETECT;
150 break;
151 case LDB_ERR_NAMING_VIOLATION:
152 err = WERR_DS_NAMING_VIOLATION;
153 break;
154 case LDB_ERR_OBJECT_CLASS_VIOLATION:
155 err = WERR_DS_OBJ_CLASS_VIOLATION;
156 break;
157 case LDB_ERR_NOT_ALLOWED_ON_NON_LEAF:
158 err = WERR_DS_CANT_ON_NON_LEAF;
159 break;
160 case LDB_ERR_NOT_ALLOWED_ON_RDN:
161 err = WERR_DS_CANT_ON_RDN;
162 break;
163 case LDB_ERR_ENTRY_ALREADY_EXISTS:
164 err = WERR_DS_OBJ_STRING_NAME_EXISTS;
165 break;
166 case LDB_ERR_OBJECT_CLASS_MODS_PROHIBITED:
167 err = WERR_DS_CANT_MOD_OBJ_CLASS;
168 break;
169 case LDB_ERR_AFFECTS_MULTIPLE_DSAS:
170 err = WERR_DS_AFFECTS_MULTIPLE_DSAS;
171 break;
172 default:
173 err = WERR_DS_GENERIC_ERROR;
174 break;
175 }
176
177 *errstring = talloc_asprintf(mem_ctx, "%08X: %s", W_ERROR_V(err),
178 add_err_string != NULL ? add_err_string : ldb_strerror(ldb_err));
179
180 /* result is 1:1 for now */
181 return ldb_err;
182 }
183
184 /*
185 connect to the sam database
186 */
187 int ldapsrv_backend_Init(struct ldapsrv_connection *conn,
188 char **errstring)
189 {
190 bool using_tls = conn->sockets.active == conn->sockets.tls;
191 bool using_seal = conn->gensec != NULL && gensec_have_feature(conn->gensec,
192 GENSEC_FEATURE_SEAL);
193 struct dsdb_encrypted_connection_state *opaque_connection_state = NULL;
194
195 int ret = samdb_connect_url(conn,
196 conn->connection->event.ctx,
197 conn->lp_ctx,
198 conn->session_info,
199 conn->global_catalog ? LDB_FLG_RDONLY : 0,
200 "sam.ldb",
201 conn->connection->remote_address,
202 &conn->ldb,
203 errstring);
204 if (ret != LDB_SUCCESS) {
205 return ret;
206 }
207
208 /*
209 * We can safely call ldb_set_opaque() on this ldb as we have
210 * set remote_address above which avoids the ldb handle cache
211 */
212 opaque_connection_state = talloc_zero(conn, struct dsdb_encrypted_connection_state);
213 if (opaque_connection_state == NULL) {
214 return LDB_ERR_OPERATIONS_ERROR;
215 }
216 opaque_connection_state->using_encrypted_connection = using_tls || using_seal || conn->is_ldapi;
217 ret = ldb_set_opaque(conn->ldb,
218 DSDB_OPAQUE_ENCRYPTED_CONNECTION_STATE_NAME,
219 opaque_connection_state);
220 if (ret != LDB_SUCCESS) {
221 DBG_ERR("ldb_set_opaque() failed to store our "
222 "encrypted connection state!\n");
223 return ret;
224 }
225
226 if (conn->server_credentials) {
227 struct gensec_security *gensec_security = NULL;
228 const char **sasl_mechs = NULL;
229 NTSTATUS status;
230
231 status = samba_server_gensec_start(conn,
232 conn->connection->event.ctx,
233 conn->connection->msg_ctx,
234 conn->lp_ctx,
235 conn->server_credentials,
236 "ldap",
237 &gensec_security);
238 if (!NT_STATUS_IS_OK(status)) {
239 DBG_ERR("samba_server_gensec_start failed: %s\n",
240 nt_errstr(status));
241 return LDB_ERR_OPERATIONS_ERROR;
242 }
243
244 /* ldb can have a different lifetime to conn, so we
245 need to ensure that sasl_mechs lives as long as the
246 ldb does */
247 sasl_mechs = gensec_security_sasl_names(gensec_security,
248 conn->ldb);
249 TALLOC_FREE(gensec_security);
250 if (sasl_mechs == NULL) {
251 DBG_ERR("Failed to get sasl mechs!\n");
252 return LDB_ERR_OPERATIONS_ERROR;
253 }
254
255 ldb_set_opaque(conn->ldb, "supportedSASLMechanisms", sasl_mechs);
256 }
257
258 return LDB_SUCCESS;
259 }
260
261 struct ldapsrv_reply *ldapsrv_init_reply(struct ldapsrv_call *call, uint8_t type)
262 {
263 struct ldapsrv_reply *reply;
264
265 reply = talloc_zero(call, struct ldapsrv_reply);
266 if (!reply) {
267 return NULL;
268 }
269 reply->msg = talloc_zero(reply, struct ldap_message);
270 if (reply->msg == NULL) {
271 talloc_free(reply);
272 return NULL;
273 }
274
275 reply->msg->messageid = call->request->messageid;
276 reply->msg->type = type;
277 reply->msg->controls = NULL;
278
279 return reply;
280 }
281
282 /*
283 * Encode a reply to an LDAP client as ASN.1, free the original memory
284 */
285 static NTSTATUS ldapsrv_encode(TALLOC_CTX *mem_ctx,
286 struct ldapsrv_reply *reply)
287 {
288 bool bret = ldap_encode(reply->msg,
289 samba_ldap_control_handlers(),
290 &reply->blob,
291 mem_ctx);
292 if (!bret) {
293 DBG_ERR("Failed to encode ldap reply of type %d: "
294 "ldap_encode() failed\n",
295 reply->msg->type);
296 TALLOC_FREE(reply->msg);
297 return NT_STATUS_NO_MEMORY;
298 }
299
300 TALLOC_FREE(reply->msg);
301 talloc_set_name_const(reply->blob.data,
302 "Outgoing, encoded single LDAP reply");
303
304 return NT_STATUS_OK;
305 }
306
307 /*
308 * Queue a reply (encoding it also), even if it would exceed the
309 * limit. This allows the error packet with LDAP_SIZE_LIMIT_EXCEEDED
310 * to be sent
311 */
312 static NTSTATUS ldapsrv_queue_reply_forced(struct ldapsrv_call *call,
313 struct ldapsrv_reply *reply)
314 {
315 NTSTATUS status = ldapsrv_encode(call, reply);
316
317 if (NT_STATUS_IS_OK(status)) {
318 DLIST_ADD_END(call->replies, reply);
319 }
320 return status;
321 }
322
323 /*
324 * Queue a reply (encoding it also) but check we do not send more than
325 * LDAP_SERVER_MAX_REPLY_SIZE of responses as a way to limit the
326 * amount of data a client can make us allocate.
327 */
328 NTSTATUS ldapsrv_queue_reply(struct ldapsrv_call *call, struct ldapsrv_reply *reply)
329 {
330 NTSTATUS status = ldapsrv_encode(call, reply);
331
332 if (!NT_STATUS_IS_OK(status)) {
333 return status;
334 }
335
336 if (call->reply_size > call->reply_size + reply->blob.length
337 || call->reply_size + reply->blob.length > LDAP_SERVER_MAX_REPLY_SIZE) {
338 DBG_WARNING("Refusing to queue LDAP search response size "
339 "of more than %zu bytes\n",
340 LDAP_SERVER_MAX_REPLY_SIZE);
341 TALLOC_FREE(reply->blob.data);
342 return NT_STATUS_FILE_TOO_LARGE;
343 }
344
345 call->reply_size += reply->blob.length;
346
347 DLIST_ADD_END(call->replies, reply);
348
349 return status;
350 }
351
352 static NTSTATUS ldapsrv_unwilling(struct ldapsrv_call *call, int error)
353 {
354 struct ldapsrv_reply *reply;
355 struct ldap_ExtendedResponse *r;
356
357 DBG_DEBUG("type[%d] id[%d]\n", call->request->type, call->request->messageid);
358
359 reply = ldapsrv_init_reply(call, LDAP_TAG_ExtendedResponse);
360 if (!reply) {
361 return NT_STATUS_NO_MEMORY;
362 }
363
364 r = &reply->msg->r.ExtendedResponse;
365 r->response.resultcode = error;
366 r->response.dn = NULL;
367 r->response.errormessage = NULL;
368 r->response.referral = NULL;
369 r->oid = NULL;
370 r->value = NULL;
371
372 ldapsrv_queue_reply(call, reply);
373 return NT_STATUS_OK;
374 }
375
376 static int ldapsrv_add_with_controls(struct ldapsrv_call *call,
377 const struct ldb_message *message,
378 struct ldb_control **controls,
379 struct ldb_result *res)
380 {
381 struct ldb_context *ldb = call->conn->ldb;
382 struct ldb_request *req;
383 int ret;
384
385 ret = ldb_msg_sanity_check(ldb, message);
386 if (ret != LDB_SUCCESS) {
387 return ret;
388 }
389
390 ret = ldb_build_add_req(&req, ldb, ldb,
391 message,
392 controls,
393 res,
394 ldb_modify_default_callback,
395 NULL);
396
397 if (ret != LDB_SUCCESS) return ret;
398
399 if (call->conn->global_catalog) {
400 return ldb_error(ldb, LDB_ERR_UNWILLING_TO_PERFORM, "modify forbidden on global catalog port");
401 }
402 ldb_request_add_control(req, DSDB_CONTROL_NO_GLOBAL_CATALOG, false, NULL);
403
404 ret = ldb_transaction_start(ldb);
405 if (ret != LDB_SUCCESS) {
406 return ret;
407 }
408
409 if (!call->conn->is_privileged) {
410 ldb_req_mark_untrusted(req);
411 }
412
413 LDB_REQ_SET_LOCATION(req);
414
415 ret = ldb_request(ldb, req);
416 if (ret == LDB_SUCCESS) {
417 ret = ldb_wait(req->handle, LDB_WAIT_ALL);
418 }
419
420 if (ret == LDB_SUCCESS) {
421 ret = ldb_transaction_commit(ldb);
422 }
423 else {
424 ldb_transaction_cancel(ldb);
425 }
426
427 talloc_free(req);
428 return ret;
429 }
430
431 /* create and execute a modify request */
432 static int ldapsrv_mod_with_controls(struct ldapsrv_call *call,
433 const struct ldb_message *message,
434 struct ldb_control **controls,
435 struct ldb_result *res)
436 {
437 struct ldb_context *ldb = call->conn->ldb;
438 struct ldb_request *req;
439 int ret;
440
441 ret = ldb_msg_sanity_check(ldb, message);
442 if (ret != LDB_SUCCESS) {
443 return ret;
444 }
445
446 ret = ldb_build_mod_req(&req, ldb, ldb,
447 message,
448 controls,
449 res,
450 ldb_modify_default_callback,
451 NULL);
452
453 if (ret != LDB_SUCCESS) {
454 return ret;
455 }
456
457 if (call->conn->global_catalog) {
458 return ldb_error(ldb, LDB_ERR_UNWILLING_TO_PERFORM, "modify forbidden on global catalog port");
459 }
460 ldb_request_add_control(req, DSDB_CONTROL_NO_GLOBAL_CATALOG, false, NULL);
461
462 ret = ldb_transaction_start(ldb);
463 if (ret != LDB_SUCCESS) {
464 return ret;
465 }
466
467 if (!call->conn->is_privileged) {
468 ldb_req_mark_untrusted(req);
469 }
470
471 LDB_REQ_SET_LOCATION(req);
472
473 ret = ldb_request(ldb, req);
474 if (ret == LDB_SUCCESS) {
475 ret = ldb_wait(req->handle, LDB_WAIT_ALL);
476 }
477
478 if (ret == LDB_SUCCESS) {
479 ret = ldb_transaction_commit(ldb);
480 }
481 else {
482 ldb_transaction_cancel(ldb);
483 }
484
485 talloc_free(req);
486 return ret;
487 }
488
489 /* create and execute a delete request */
490 static int ldapsrv_del_with_controls(struct ldapsrv_call *call,
491 struct ldb_dn *dn,
492 struct ldb_control **controls,
493 struct ldb_result *res)
494 {
495 struct ldb_context *ldb = call->conn->ldb;
496 struct ldb_request *req;
497 int ret;
498
499 ret = ldb_build_del_req(&req, ldb, ldb,
500 dn,
501 controls,
502 res,
503 ldb_modify_default_callback,
504 NULL);
505
506 if (ret != LDB_SUCCESS) return ret;
507
508 if (call->conn->global_catalog) {
509 return ldb_error(ldb, LDB_ERR_UNWILLING_TO_PERFORM, "modify forbidden on global catalog port");
510 }
511 ldb_request_add_control(req, DSDB_CONTROL_NO_GLOBAL_CATALOG, false, NULL);
512
513 ret = ldb_transaction_start(ldb);
514 if (ret != LDB_SUCCESS) {
515 return ret;
516 }
517
518 if (!call->conn->is_privileged) {
519 ldb_req_mark_untrusted(req);
520 }
521
522 LDB_REQ_SET_LOCATION(req);
523
524 ret = ldb_request(ldb, req);
525 if (ret == LDB_SUCCESS) {
526 ret = ldb_wait(req->handle, LDB_WAIT_ALL);
527 }
528
529 if (ret == LDB_SUCCESS) {
530 ret = ldb_transaction_commit(ldb);
531 }
532 else {
533 ldb_transaction_cancel(ldb);
534 }
535
536 talloc_free(req);
537 return ret;
538 }
539
540 static int ldapsrv_rename_with_controls(struct ldapsrv_call *call,
541 struct ldb_dn *olddn,
542 struct ldb_dn *newdn,
543 struct ldb_control **controls,
544 struct ldb_result *res)
545 {
546 struct ldb_context *ldb = call->conn->ldb;
547 struct ldb_request *req;
548 int ret;
549
550 ret = ldb_build_rename_req(&req, ldb, ldb,
551 olddn,
552 newdn,
553 controls,
554 res,
555 ldb_modify_default_callback,
556 NULL);
557
558 if (ret != LDB_SUCCESS) return ret;
559
560 if (call->conn->global_catalog) {
561 return ldb_error(ldb, LDB_ERR_UNWILLING_TO_PERFORM, "modify forbidden on global catalog port");
562 }
563 ldb_request_add_control(req, DSDB_CONTROL_NO_GLOBAL_CATALOG, false, NULL);
564
565 ret = ldb_transaction_start(ldb);
566 if (ret != LDB_SUCCESS) {
567 return ret;
568 }
569
570 if (!call->conn->is_privileged) {
571 ldb_req_mark_untrusted(req);
572 }
573
574 LDB_REQ_SET_LOCATION(req);
575
576 ret = ldb_request(ldb, req);
577 if (ret == LDB_SUCCESS) {
578 ret = ldb_wait(req->handle, LDB_WAIT_ALL);
579 }
580
581 if (ret == LDB_SUCCESS) {
582 ret = ldb_transaction_commit(ldb);
583 }
584 else {
585 ldb_transaction_cancel(ldb);
586 }
587
588 talloc_free(req);
589 return ret;
590 }
591
592
593
594 struct ldapsrv_context {
595 struct ldapsrv_call *call;
596 int extended_type;
597 bool attributesonly;
598 struct ldb_control **controls;
599 size_t count; /* For notification only */
600 const struct gmsa_update **updates;
601 };
602
603 static int ldap_server_search_callback(struct ldb_request *req, struct ldb_reply *ares)
604 {
605 struct ldapsrv_context *ctx = talloc_get_type(req->context, struct ldapsrv_context);
606 struct ldapsrv_call *call = ctx->call;
607 struct ldb_context *ldb = call->conn->ldb;
608 unsigned int j;
609 struct ldapsrv_reply *ent_r = NULL;
610 struct ldap_SearchResEntry *ent;
611 int ret;
612 NTSTATUS status;
613
614 if (!ares) {
615 return ldb_request_done(req, LDB_ERR_OPERATIONS_ERROR);
616 }
617 if (ares->error != LDB_SUCCESS) {
618 return ldb_request_done(req, ares->error);
619 }
620
621 switch (ares->type) {
622 case LDB_REPLY_ENTRY:
623 {
624 struct ldb_message *msg = ares->message;
625 ent_r = ldapsrv_init_reply(call, LDAP_TAG_SearchResultEntry);
626 if (ent_r == NULL) {
627 return ldb_oom(ldb);
628 }
629
630 ctx->count++;
631
632 /*
633 * Put the LDAP search response data under ent_r->msg
634 * so we can free that later once encoded
635 */
636 talloc_steal(ent_r->msg, msg);
637
638 ent = &ent_r->msg->r.SearchResultEntry;
639 ent->dn = ldb_dn_get_extended_linearized(ent_r, msg->dn,
640 ctx->extended_type);
641 ent->num_attributes = 0;
642 ent->attributes = NULL;
643 if (msg->num_elements == 0) {
644 goto queue_reply;
645 }
646 ent->num_attributes = msg->num_elements;
647 ent->attributes = talloc_array(ent_r, struct ldb_message_element, ent->num_attributes);
648 if (ent->attributes == NULL) {
649 return ldb_oom(ldb);
650 }
651
652 for (j=0; j < ent->num_attributes; j++) {
653 ent->attributes[j].name = msg->elements[j].name;
654 ent->attributes[j].num_values = 0;
655 ent->attributes[j].values = NULL;
656 if (ctx->attributesonly && (msg->elements[j].num_values == 0)) {
657 continue;
658 }
659 ent->attributes[j].num_values = msg->elements[j].num_values;
660 ent->attributes[j].values = msg->elements[j].values;
661 }
662
663 {
664 const struct ldb_control
665 *ctrl = ldb_controls_get_control(
666 ares->controls,
667 DSDB_CONTROL_GMSA_UPDATE_OID);
668
669 if (ctrl != NULL) {
670 const struct gmsa_update **updates = NULL;
671 const size_t len = talloc_array_length(
672 ctx->updates);
673
674 updates = talloc_realloc(
675 ctx,
676 ctx->updates,
677 const struct gmsa_update *,
678 len + 1);
679 if (updates != NULL) {
680 updates[len] = talloc_steal(updates,
681 ctrl->data);
682 ctx->updates = updates;
683 }
684 }
685 }
686
687 queue_reply:
688 status = ldapsrv_queue_reply(call, ent_r);
689 if (NT_STATUS_EQUAL(status, NT_STATUS_FILE_TOO_LARGE)) {
690 ret = ldb_request_done(req,
691 LDB_ERR_SIZE_LIMIT_EXCEEDED);
692 ldb_asprintf_errstring(ldb,
693 "LDAP search response size "
694 "limited to %zu bytes\n",
695 LDAP_SERVER_MAX_REPLY_SIZE);
696 } else if (!NT_STATUS_IS_OK(status)) {
697 ret = ldb_request_done(req,
698 ldb_operr(ldb));
699 } else {
700 ret = LDB_SUCCESS;
701 }
702 break;
703 }
704 case LDB_REPLY_REFERRAL:
705 {
706 struct ldap_SearchResRef *ent_ref;
707
708 /*
709 * TODO: This should be handled by the notification
710 * module not here
711 */
712 if (call->notification.busy) {
713 ret = LDB_SUCCESS;
714 break;
715 }
716
717 ent_r = ldapsrv_init_reply(call, LDAP_TAG_SearchResultReference);
718 if (ent_r == NULL) {
719 return ldb_oom(ldb);
720 }
721
722 /*
723 * Put the LDAP referral data under ent_r->msg
724 * so we can free that later once encoded
725 */
726 talloc_steal(ent_r->msg, ares->referral);
727
728 ent_ref = &ent_r->msg->r.SearchResultReference;
729 ent_ref->referral = ares->referral;
730
731 status = ldapsrv_queue_reply(call, ent_r);
732 if (!NT_STATUS_IS_OK(status)) {
733 ret = LDB_ERR_OPERATIONS_ERROR;
734 } else {
735 ret = LDB_SUCCESS;
736 }
737 break;
738 }
739 case LDB_REPLY_DONE:
740 {
741 /*
742 * We don't queue the reply for this one, we let that
743 * happen outside
744 */
745 ctx->controls = talloc_move(ctx, &ares->controls);
746
747 TALLOC_FREE(ares);
748 return ldb_request_done(req, LDB_SUCCESS);
749 }
750 default:
751 /* Doesn't happen */
752 ret = LDB_ERR_OPERATIONS_ERROR;
753 }
754 TALLOC_FREE(ares);
755
756 return ret;
757 }
758
759
760 static NTSTATUS ldapsrv_SearchRequest(struct ldapsrv_call *call)
761 {
762 struct ldap_SearchRequest *req = &call->request->r.SearchRequest;
763 struct ldap_Result *done;
764 struct ldapsrv_reply *done_r;
765 TALLOC_CTX *local_ctx;
766 struct ldapsrv_context *callback_ctx = NULL;
767 struct ldb_context *samdb = talloc_get_type(call->conn->ldb, struct ldb_context);
768 struct ldb_dn *basedn;
769 struct ldb_request *lreq;
770 struct ldb_control *search_control;
771 struct ldb_search_options_control *search_options;
772 struct ldb_control *extended_dn_control;
773 struct ldb_extended_dn_control *extended_dn_decoded = NULL;
774 struct ldb_control *notification_control = NULL;
775 enum ldb_scope scope = LDB_SCOPE_DEFAULT;
776 const char **attrs = NULL;
777 const char *scope_str, *errstr = NULL;
778 int result = -1;
779 int ldb_ret = -1;
780 unsigned int i;
781 int extended_type = 1;
782
783 /*
784 * Warn for searches that are longer than 1/4 of the
785 * search_timeout, being 30sec by default
786 */
787 struct timeval start_time = timeval_current();
788 struct timeval warning_time
789 = timeval_add(&start_time,
790 call->conn->limits.search_timeout / 4,
791 0);
792
793 local_ctx = talloc_new(call);
794 NT_STATUS_HAVE_NO_MEMORY(local_ctx);
795
796 basedn = ldb_dn_new(local_ctx, samdb, req->basedn);
797 NT_STATUS_HAVE_NO_MEMORY(basedn);
798
799 switch (req->scope) {
800 case LDAP_SEARCH_SCOPE_BASE:
801 scope = LDB_SCOPE_BASE;
802 break;
803 case LDAP_SEARCH_SCOPE_SINGLE:
804 scope = LDB_SCOPE_ONELEVEL;
805 break;
806 case LDAP_SEARCH_SCOPE_SUB:
807 scope = LDB_SCOPE_SUBTREE;
808 break;
809 default:
810 result = LDAP_PROTOCOL_ERROR;
811 map_ldb_error(local_ctx, LDB_ERR_PROTOCOL_ERROR, NULL,
812 &errstr);
813 scope_str = "<Invalid scope>";
814 errstr = talloc_asprintf(local_ctx,
815 "%s. Invalid scope", errstr);
816 goto reply;
817 }
818 scope_str = dsdb_search_scope_as_string(scope);
819
820 DBG_DEBUG("scope: [%s]\n", scope_str);
821
822 if (req->num_attributes >= 1) {
823 attrs = talloc_array(local_ctx, const char *, req->num_attributes+1);
824 NT_STATUS_HAVE_NO_MEMORY(attrs);
825
826 for (i=0; i < req->num_attributes; i++) {
827 DBG_DEBUG("attrs: [%s]\n",req->attributes[i]);
828 attrs[i] = req->attributes[i];
829 }
830 attrs[i] = NULL;
831 }
832
833 DBG_INFO("ldb_request %s dn=%s filter=%s\n",
834 scope_str, req->basedn, ldb_filter_from_tree(call, req->tree));
835
836 callback_ctx = talloc_zero(local_ctx, struct ldapsrv_context);
837 NT_STATUS_HAVE_NO_MEMORY(callback_ctx);
838 callback_ctx->call = call;
839 callback_ctx->extended_type = extended_type;
840 callback_ctx->attributesonly = req->attributesonly;
841
842 ldb_ret = ldb_build_search_req_ex(&lreq, samdb, local_ctx,
843 basedn, scope,
844 req->tree, attrs,
845 call->request->controls,
846 callback_ctx,
847 ldap_server_search_callback,
848 NULL);
849
850 if (ldb_ret != LDB_SUCCESS) {
851 goto reply;
852 }
853
854 if (call->conn->global_catalog) {
855 search_control = ldb_request_get_control(lreq, LDB_CONTROL_SEARCH_OPTIONS_OID);
856
857 search_options = NULL;
858 if (search_control) {
859 search_options = talloc_get_type(search_control->data, struct ldb_search_options_control);
860 search_options->search_options |= LDB_SEARCH_OPTION_PHANTOM_ROOT;
861 } else {
862 search_options = talloc(lreq, struct ldb_search_options_control);
863 NT_STATUS_HAVE_NO_MEMORY(search_options);
864 search_options->search_options = LDB_SEARCH_OPTION_PHANTOM_ROOT;
865 ldb_request_add_control(lreq, LDB_CONTROL_SEARCH_OPTIONS_OID, false, search_options);
866 }
867 } else {
868 ldb_request_add_control(lreq, DSDB_CONTROL_NO_GLOBAL_CATALOG, false, NULL);
869 }
870
871 extended_dn_control = ldb_request_get_control(lreq, LDB_CONTROL_EXTENDED_DN_OID);
872
873 if (extended_dn_control) {
874 if (extended_dn_control->data) {
875 extended_dn_decoded = talloc_get_type(extended_dn_control->data, struct ldb_extended_dn_control);
876 extended_type = extended_dn_decoded->type;
877 } else {
878 extended_type = 0;
879 }
880 callback_ctx->extended_type = extended_type;
881 }
882
883 notification_control = ldb_request_get_control(lreq, LDB_CONTROL_NOTIFICATION_OID);
884 if (notification_control != NULL) {
885 const struct ldapsrv_call *pc = NULL;
886 size_t count = 0;
887
888 for (pc = call->conn->pending_calls; pc != NULL; pc = pc->next) {
889 count += 1;
890 }
891
892 if (count >= call->conn->limits.max_notifications) {
893 DBG_DEBUG("error MaxNotificationPerConn\n");
894 result = map_ldb_error(local_ctx,
895 LDB_ERR_ADMIN_LIMIT_EXCEEDED,
896 "MaxNotificationPerConn reached",
897 &errstr);
898 goto reply;
899 }
900
901 /*
902 * For now we need to do periodic retries on our own.
903 * As the dsdb_notification module will return after each run.
904 */
905 call->notification.busy = true;
906 }
907
908 {
909 const char *scheme = NULL;
910 switch (call->conn->referral_scheme) {
911 case LDAP_REFERRAL_SCHEME_LDAPS:
912 scheme = "ldaps";
913 break;
914 default:
915 scheme = "ldap";
916 }
917 ldb_ret = ldb_set_opaque(
918 samdb,
919 LDAP_REFERRAL_SCHEME_OPAQUE,
920 discard_const_p(char *, scheme));
921 if (ldb_ret != LDB_SUCCESS) {
922 goto reply;
923 }
924 }
925
926 {
927 time_t timeout = call->conn->limits.search_timeout;
928
929 if (timeout == 0
930 || (req->timelimit != 0
931 && req->timelimit < timeout))
932 {
933 timeout = req->timelimit;
934 }
935 ldb_set_timeout(samdb, lreq, timeout);
936 }
937
938 if (!call->conn->is_privileged) {
939 ldb_req_mark_untrusted(lreq);
940 }
941
942 LDB_REQ_SET_LOCATION(lreq);
943
944 ldb_ret = ldb_request(samdb, lreq);
945
946 if (ldb_ret != LDB_SUCCESS) {
947 goto reply;
948 }
949
950 ldb_ret = ldb_wait(lreq->handle, LDB_WAIT_ALL);
951
952 if (ldb_ret == LDB_SUCCESS) {
953 size_t n;
954 const size_t len = talloc_array_length(callback_ctx->updates);
955
956 for (n = 0; n < len; ++n) {
957 int ret;
958
959 ret = dsdb_update_gmsa_entry_keys(
960 samdb, local_ctx, callback_ctx->updates[n]);
961 if (ret) {
962 /* Ignore the error. */
963 DBG_WARNING("Failed to update keys for Group "
964 "Managed Service Account: %s\n",
965 ldb_strerror(ret));
966 }
967 }
968
969 if (call->notification.busy) {
970 /* Move/Add it to the end */
971 DLIST_DEMOTE(call->conn->pending_calls, call);
972 call->notification.generation =
973 call->conn->service->notification.generation;
974
975 if (callback_ctx->count != 0) {
976 call->notification.generation += 1;
977 ldapsrv_notification_retry_setup(call->conn->service,
978 true);
979 }
980
981 talloc_free(local_ctx);
982 return NT_STATUS_OK;
983 }
984 }
985
986 reply:
987
988 /*
989 * This looks like duplicated code - because it is - but
990 * otherwise the work in the parameters will be done
991 * regardless, this way the functions only execute when the
992 * log level is set.
993 *
994 * The basedn is re-obtained as a string to escape it
995 */
996 if ((req->timelimit == 0 || call->conn->limits.search_timeout < req->timelimit)
997 && ldb_ret == LDB_ERR_TIME_LIMIT_EXCEEDED) {
998 struct dom_sid_buf sid_buf;
999 DBG_WARNING("MaxQueryDuration(%d) timeout exceeded "
1000 "in SearchRequest by %s from %s filter: [%s] "
1001 "basedn: [%s] "
1002 "scope: [%s]\n",
1003 call->conn->limits.search_timeout,
1004 dom_sid_str_buf(&call->conn->session_info->security_token->sids[0],
1005 &sid_buf),
1006 tsocket_address_string(call->conn->connection->remote_address,
1007 call),
1008 ldb_filter_from_tree(call, req->tree),
1009 ldb_dn_get_extended_linearized(call, basedn, 1),
1010 scope_str);
1011 for (i=0; i < req->num_attributes; i++) {
1012 DBG_WARNING("MaxQueryDuration timeout exceeded attrs: [%s]\n",
1013 req->attributes[i]);
1014 }
1015
1016 } else if (timeval_expired(&warning_time)) {
1017 struct dom_sid_buf sid_buf;
1018 DBG_NOTICE("Long LDAP Query: Duration was %.2fs, "
1019 "MaxQueryDuration(%d)/4 == %d "
1020 "in SearchRequest by %s from %s filter: [%s] "
1021 "basedn: [%s] "
1022 "scope: [%s] "
1023 "result: %s\n",
1024 timeval_elapsed(&start_time),
1025 call->conn->limits.search_timeout,
1026 call->conn->limits.search_timeout / 4,
1027 dom_sid_str_buf(&call->conn->session_info->security_token->sids[0],
1028 &sid_buf),
1029 tsocket_address_string(call->conn->connection->remote_address,
1030 call),
1031 ldb_filter_from_tree(call, req->tree),
1032 ldb_dn_get_extended_linearized(call, basedn, 1),
1033 scope_str,
1034 ldb_strerror(ldb_ret));
1035 for (i=0; i < req->num_attributes; i++) {
1036 DBG_NOTICE("Long LDAP Query attrs: [%s]\n",
1037 req->attributes[i]);
1038 }
1039 } else {
1040 struct dom_sid_buf sid_buf;
1041 DBG_INFO("LDAP Query: Duration was %.2fs, "
1042 "SearchRequest by %s from %s filter: [%s] "
1043 "basedn: [%s] "
1044 "scope: [%s] "
1045 "result: %s\n",
1046 timeval_elapsed(&start_time),
1047 dom_sid_str_buf(&call->conn->session_info->security_token->sids[0],
1048 &sid_buf),
1049 tsocket_address_string(call->conn->connection->remote_address,
1050 call),
1051 ldb_filter_from_tree(call, req->tree),
1052 ldb_dn_get_extended_linearized(call, basedn, 1),
1053 scope_str,
1054 ldb_strerror(ldb_ret));
1055 }
1056
1057 DLIST_REMOVE(call->conn->pending_calls, call);
1058 call->notification.busy = false;
1059
1060 done_r = ldapsrv_init_reply(call, LDAP_TAG_SearchResultDone);
1061 NT_STATUS_HAVE_NO_MEMORY(done_r);
1062
1063 done = &done_r->msg->r.SearchResultDone;
1064 done->dn = NULL;
1065 done->referral = NULL;
1066
1067 if (result != -1) {
1068 } else if (ldb_ret == LDB_SUCCESS) {
1069 if (callback_ctx->controls) {
1070 done_r->msg->controls = callback_ctx->controls;
1071 talloc_steal(done_r->msg, callback_ctx->controls);
1072 }
1073 result = LDB_SUCCESS;
1074 } else {
1075 DBG_DEBUG("error\n");
1076 result = map_ldb_error(local_ctx, ldb_ret, ldb_errstring(samdb),
1077 &errstr);
1078 }
1079
1080 done->resultcode = result;
1081 done->errormessage = (errstr?talloc_strdup(done_r, errstr):NULL);
1082
1083 talloc_free(local_ctx);
1084
1085 return ldapsrv_queue_reply_forced(call, done_r);
1086 }
1087
1088 static NTSTATUS ldapsrv_ModifyRequest(struct ldapsrv_call *call)
1089 {
1090 struct ldap_ModifyRequest *req = &call->request->r.ModifyRequest;
1091 struct ldap_Result *modify_result;
1092 struct ldapsrv_reply *modify_reply;
1093 TALLOC_CTX *local_ctx;
1094 struct ldb_context *samdb = call->conn->ldb;
1095 struct ldb_message *msg = NULL;
1096 struct ldb_dn *dn;
1097 const char *errstr = NULL;
1098 int result = LDAP_SUCCESS;
1099 int ldb_ret;
1100 unsigned int i,j;
1101 struct ldb_result *res = NULL;
1102
1103 DBG_DEBUG("dn: %s\n", req->dn);
1104
1105 local_ctx = talloc_named(call, 0, "ModifyRequest local memory context");
1106 NT_STATUS_HAVE_NO_MEMORY(local_ctx);
1107
1108 dn = ldb_dn_new(local_ctx, samdb, req->dn);
1109 NT_STATUS_HAVE_NO_MEMORY(dn);
1110
1111 DBG_DEBUG("dn: [%s]\n", req->dn);
1112
1113 msg = ldb_msg_new(local_ctx);
1114 NT_STATUS_HAVE_NO_MEMORY(msg);
1115
1116 msg->dn = dn;
1117
1118 if (req->num_mods > 0) {
1119 msg->num_elements = req->num_mods;
1120 msg->elements = talloc_array(msg, struct ldb_message_element, req->num_mods);
1121 NT_STATUS_HAVE_NO_MEMORY(msg->elements);
1122
1123 for (i=0; i < msg->num_elements; i++) {
1124 msg->elements[i].name = discard_const_p(char, req->mods[i].attrib.name);
1125 msg->elements[i].num_values = 0;
1126 msg->elements[i].values = NULL;
1127
1128 switch (req->mods[i].type) {
1129 default:
1130 result = LDAP_PROTOCOL_ERROR;
1131 map_ldb_error(local_ctx,
1132 LDB_ERR_PROTOCOL_ERROR, NULL, &errstr);
1133 errstr = talloc_asprintf(local_ctx,
1134 "%s. Invalid LDAP_MODIFY_* type", errstr);
1135 goto reply;
1136 case LDAP_MODIFY_ADD:
1137 msg->elements[i].flags = LDB_FLAG_MOD_ADD;
1138 break;
1139 case LDAP_MODIFY_DELETE:
1140 msg->elements[i].flags = LDB_FLAG_MOD_DELETE;
1141 break;
1142 case LDAP_MODIFY_REPLACE:
1143 msg->elements[i].flags = LDB_FLAG_MOD_REPLACE;
1144 break;
1145 }
1146
1147 msg->elements[i].num_values = req->mods[i].attrib.num_values;
1148 if (msg->elements[i].num_values > 0) {
1149 msg->elements[i].values = talloc_array(msg->elements, struct ldb_val,
1150 msg->elements[i].num_values);
1151 NT_STATUS_HAVE_NO_MEMORY(msg->elements[i].values);
1152
1153 for (j=0; j < msg->elements[i].num_values; j++) {
1154 msg->elements[i].values[j].length = req->mods[i].attrib.values[j].length;
1155 msg->elements[i].values[j].data = req->mods[i].attrib.values[j].data;
1156 }
1157 }
1158 }
1159 }
1160
1161 reply:
1162 modify_reply = ldapsrv_init_reply(call, LDAP_TAG_ModifyResponse);
1163 NT_STATUS_HAVE_NO_MEMORY(modify_reply);
1164
1165 if (result == LDAP_SUCCESS) {
1166 res = talloc_zero(local_ctx, struct ldb_result);
1167 NT_STATUS_HAVE_NO_MEMORY(res);
1168 ldb_ret = ldapsrv_mod_with_controls(call, msg, call->request->controls, res);
1169 result = map_ldb_error(local_ctx, ldb_ret, ldb_errstring(samdb),
1170 &errstr);
1171 }
1172
1173 modify_result = &modify_reply->msg->r.ModifyResponse;
1174 modify_result->dn = NULL;
1175 if ((res != NULL) && (res->refs != NULL)) {
1176 modify_result->resultcode = map_ldb_error(local_ctx,
1177 LDB_ERR_REFERRAL,
1178 NULL, &errstr);
1179 modify_result->errormessage = (errstr?talloc_strdup(modify_reply, errstr):NULL);
1180 modify_result->referral = talloc_strdup(call, *res->refs);
1181 } else {
1182 modify_result->resultcode = result;
1183 modify_result->errormessage = (errstr?talloc_strdup(modify_reply, errstr):NULL);
1184 modify_result->referral = NULL;
1185 }
1186 talloc_free(local_ctx);
1187
1188 return ldapsrv_queue_reply(call, modify_reply);
1189
1190 }
1191
1192 static NTSTATUS ldapsrv_AddRequest(struct ldapsrv_call *call)
1193 {
1194 struct ldap_AddRequest *req = &call->request->r.AddRequest;
1195 struct ldap_Result *add_result;
1196 struct ldapsrv_reply *add_reply;
1197 TALLOC_CTX *local_ctx;
1198 struct ldb_context *samdb = call->conn->ldb;
1199 struct ldb_message *msg = NULL;
1200 struct ldb_dn *dn;
1201 const char *errstr = NULL;
1202 int result = LDAP_SUCCESS;
1203 int ldb_ret;
1204 unsigned int i,j;
1205 struct ldb_result *res = NULL;
1206
1207 DBG_DEBUG("dn: %s\n", req->dn);
1208
1209 local_ctx = talloc_named(call, 0, "AddRequest local memory context");
1210 NT_STATUS_HAVE_NO_MEMORY(local_ctx);
1211
1212 dn = ldb_dn_new(local_ctx, samdb, req->dn);
1213 NT_STATUS_HAVE_NO_MEMORY(dn);
1214
1215 DBG_DEBUG("dn: [%s]\n", req->dn);
1216
1217 msg = talloc(local_ctx, struct ldb_message);
1218 NT_STATUS_HAVE_NO_MEMORY(msg);
1219
1220 msg->dn = dn;
1221 msg->num_elements = 0;
1222 msg->elements = NULL;
1223
1224 if (req->num_attributes > 0) {
1225 msg->num_elements = req->num_attributes;
1226 msg->elements = talloc_array(msg, struct ldb_message_element, msg->num_elements);
1227 NT_STATUS_HAVE_NO_MEMORY(msg->elements);
1228
1229 for (i=0; i < msg->num_elements; i++) {
1230 msg->elements[i].name = discard_const_p(char, req->attributes[i].name);
1231 msg->elements[i].flags = 0;
1232 msg->elements[i].num_values = 0;
1233 msg->elements[i].values = NULL;
1234
1235 if (req->attributes[i].num_values > 0) {
1236 msg->elements[i].num_values = req->attributes[i].num_values;
1237 msg->elements[i].values = talloc_array(msg->elements, struct ldb_val,
1238 msg->elements[i].num_values);
1239 NT_STATUS_HAVE_NO_MEMORY(msg->elements[i].values);
1240
1241 for (j=0; j < msg->elements[i].num_values; j++) {
1242 msg->elements[i].values[j].length = req->attributes[i].values[j].length;
1243 msg->elements[i].values[j].data = req->attributes[i].values[j].data;
1244 }
1245 }
1246 }
1247 }
1248
1249 add_reply = ldapsrv_init_reply(call, LDAP_TAG_AddResponse);
1250 NT_STATUS_HAVE_NO_MEMORY(add_reply);
1251
1252 if (result == LDAP_SUCCESS) {
1253 res = talloc_zero(local_ctx, struct ldb_result);
1254 NT_STATUS_HAVE_NO_MEMORY(res);
1255 ldb_ret = ldapsrv_add_with_controls(call, msg, call->request->controls, res);
1256 result = map_ldb_error(local_ctx, ldb_ret, ldb_errstring(samdb),
1257 &errstr);
1258 }
1259
1260 add_result = &add_reply->msg->r.AddResponse;
1261 add_result->dn = NULL;
1262 if ((res != NULL) && (res->refs != NULL)) {
1263 add_result->resultcode = map_ldb_error(local_ctx,
1264 LDB_ERR_REFERRAL, NULL,
1265 &errstr);
1266 add_result->errormessage = (errstr?talloc_strdup(add_reply,errstr):NULL);
1267 add_result->referral = talloc_strdup(call, *res->refs);
1268 } else {
1269 add_result->resultcode = result;
1270 add_result->errormessage = (errstr?talloc_strdup(add_reply,errstr):NULL);
1271 add_result->referral = NULL;
1272 }
1273 talloc_free(local_ctx);
1274
1275 return ldapsrv_queue_reply(call, add_reply);
1276
1277 }
1278
1279 static NTSTATUS ldapsrv_DelRequest(struct ldapsrv_call *call)
1280 {
1281 struct ldap_DelRequest *req = &call->request->r.DelRequest;
1282 struct ldap_Result *del_result;
1283 struct ldapsrv_reply *del_reply;
1284 TALLOC_CTX *local_ctx;
1285 struct ldb_context *samdb = call->conn->ldb;
1286 struct ldb_dn *dn;
1287 const char *errstr = NULL;
1288 int result = LDAP_SUCCESS;
1289 int ldb_ret;
1290 struct ldb_result *res = NULL;
1291
1292 DBG_DEBUG("dn: %s\n", req->dn);
1293
1294 local_ctx = talloc_named(call, 0, "DelRequest local memory context");
1295 NT_STATUS_HAVE_NO_MEMORY(local_ctx);
1296
1297 dn = ldb_dn_new(local_ctx, samdb, req->dn);
1298 NT_STATUS_HAVE_NO_MEMORY(dn);
1299
1300 DBG_DEBUG("dn: [%s]\n", req->dn);
1301
1302 del_reply = ldapsrv_init_reply(call, LDAP_TAG_DelResponse);
1303 NT_STATUS_HAVE_NO_MEMORY(del_reply);
1304
1305 if (result == LDAP_SUCCESS) {
1306 res = talloc_zero(local_ctx, struct ldb_result);
1307 NT_STATUS_HAVE_NO_MEMORY(res);
1308 ldb_ret = ldapsrv_del_with_controls(call, dn, call->request->controls, res);
1309 result = map_ldb_error(local_ctx, ldb_ret, ldb_errstring(samdb),
1310 &errstr);
1311 }
1312
1313 del_result = &del_reply->msg->r.DelResponse;
1314 del_result->dn = NULL;
1315 if ((res != NULL) && (res->refs != NULL)) {
1316 del_result->resultcode = map_ldb_error(local_ctx,
1317 LDB_ERR_REFERRAL, NULL,
1318 &errstr);
1319 del_result->errormessage = (errstr?talloc_strdup(del_reply,errstr):NULL);
1320 del_result->referral = talloc_strdup(call, *res->refs);
1321 } else {
1322 del_result->resultcode = result;
1323 del_result->errormessage = (errstr?talloc_strdup(del_reply,errstr):NULL);
1324 del_result->referral = NULL;
1325 }
1326
1327 talloc_free(local_ctx);
1328
1329 return ldapsrv_queue_reply(call, del_reply);
1330 }
1331
1332 static NTSTATUS ldapsrv_ModifyDNRequest(struct ldapsrv_call *call)
1333 {
1334 struct ldap_ModifyDNRequest *req = &call->request->r.ModifyDNRequest;
1335 struct ldap_Result *modifydn;
1336 struct ldapsrv_reply *modifydn_r;
1337 TALLOC_CTX *local_ctx;
1338 struct ldb_context *samdb = call->conn->ldb;
1339 struct ldb_dn *olddn, *newdn=NULL, *newrdn;
1340 struct ldb_dn *parentdn = NULL;
1341 const char *errstr = NULL;
1342 int result = LDAP_SUCCESS;
1343 int ldb_ret;
1344 struct ldb_result *res = NULL;
1345
1346 DBG_DEBUG("dn: %s newrdn: %s\n",
1347 req->dn, req->newrdn);
1348
1349 local_ctx = talloc_named(call, 0, "ModifyDNRequest local memory context");
1350 NT_STATUS_HAVE_NO_MEMORY(local_ctx);
1351
1352 olddn = ldb_dn_new(local_ctx, samdb, req->dn);
1353 NT_STATUS_HAVE_NO_MEMORY(olddn);
1354
1355 newrdn = ldb_dn_new(local_ctx, samdb, req->newrdn);
1356 NT_STATUS_HAVE_NO_MEMORY(newrdn);
1357
1358 DBG_DEBUG("olddn: [%s] newrdn: [%s]\n",
1359 req->dn, req->newrdn);
1360
1361 if (ldb_dn_get_comp_num(newrdn) == 0) {
1362 result = LDAP_PROTOCOL_ERROR;
1363 map_ldb_error(local_ctx, LDB_ERR_PROTOCOL_ERROR, NULL,
1364 &errstr);
1365 goto reply;
1366 }
1367
1368 if (ldb_dn_get_comp_num(newrdn) > 1) {
1369 result = LDAP_NAMING_VIOLATION;
1370 map_ldb_error(local_ctx, LDB_ERR_NAMING_VIOLATION, NULL,
1371 &errstr);
1372 goto reply;
1373 }
1374
1375 /* we can't handle the rename if we should not remove the old dn */
1376 if (!req->deleteolddn) {
1377 result = LDAP_UNWILLING_TO_PERFORM;
1378 map_ldb_error(local_ctx, LDB_ERR_UNWILLING_TO_PERFORM, NULL,
1379 &errstr);
1380 errstr = talloc_asprintf(local_ctx,
1381 "%s. Old RDN must be deleted", errstr);
1382 goto reply;
1383 }
1384
1385 if (req->newsuperior) {
1386 DBG_DEBUG("newsuperior: [%s]\n", req->newsuperior);
1387 parentdn = ldb_dn_new(local_ctx, samdb, req->newsuperior);
1388 }
1389
1390 if (!parentdn) {
1391 parentdn = ldb_dn_get_parent(local_ctx, olddn);
1392 }
1393 if (!parentdn) {
1394 result = LDAP_NO_SUCH_OBJECT;
1395 map_ldb_error(local_ctx, LDB_ERR_NO_SUCH_OBJECT, NULL, &errstr);
1396 goto reply;
1397 }
1398
1399 if ( ! ldb_dn_add_child(parentdn, newrdn)) {
1400 result = LDAP_OTHER;
1401 map_ldb_error(local_ctx, LDB_ERR_OTHER, NULL, &errstr);
1402 goto reply;
1403 }
1404 newdn = parentdn;
1405
1406 reply:
1407 modifydn_r = ldapsrv_init_reply(call, LDAP_TAG_ModifyDNResponse);
1408 NT_STATUS_HAVE_NO_MEMORY(modifydn_r);
1409
1410 if (result == LDAP_SUCCESS) {
1411 res = talloc_zero(local_ctx, struct ldb_result);
1412 NT_STATUS_HAVE_NO_MEMORY(res);
1413 ldb_ret = ldapsrv_rename_with_controls(call, olddn, newdn, call->request->controls, res);
1414 result = map_ldb_error(local_ctx, ldb_ret, ldb_errstring(samdb),
1415 &errstr);
1416 }
1417
1418 modifydn = &modifydn_r->msg->r.ModifyDNResponse;
1419 modifydn->dn = NULL;
1420 if ((res != NULL) && (res->refs != NULL)) {
1421 modifydn->resultcode = map_ldb_error(local_ctx,
1422 LDB_ERR_REFERRAL, NULL,
1423 &errstr);;
1424 modifydn->errormessage = (errstr?talloc_strdup(modifydn_r,errstr):NULL);
1425 modifydn->referral = talloc_strdup(call, *res->refs);
1426 } else {
1427 modifydn->resultcode = result;
1428 modifydn->errormessage = (errstr?talloc_strdup(modifydn_r,errstr):NULL);
1429 modifydn->referral = NULL;
1430 }
1431
1432 talloc_free(local_ctx);
1433
1434 return ldapsrv_queue_reply(call, modifydn_r);
1435 }
1436
1437 static NTSTATUS ldapsrv_CompareRequest(struct ldapsrv_call *call)
1438 {
1439 struct ldap_CompareRequest *req = &call->request->r.CompareRequest;
1440 struct ldap_Result *compare;
1441 struct ldapsrv_reply *compare_r;
1442 TALLOC_CTX *local_ctx;
1443 struct ldb_context *samdb = call->conn->ldb;
1444 struct ldb_result *res = NULL;
1445 struct ldb_dn *dn;
1446 const char *attrs[1];
1447 const char *errstr = NULL;
1448 const char *filter = NULL;
1449 int result = LDAP_SUCCESS;
1450 int ldb_ret;
1451
1452 DBG_DEBUG("dn: %s\n", req->dn);
1453
1454 local_ctx = talloc_named(call, 0, "CompareRequest local_memory_context");
1455 NT_STATUS_HAVE_NO_MEMORY(local_ctx);
1456
1457 dn = ldb_dn_new(local_ctx, samdb, req->dn);
1458 NT_STATUS_HAVE_NO_MEMORY(dn);
1459
1460 DBG_DEBUG("dn: [%s]\n", req->dn);
1461 filter = talloc_asprintf(local_ctx, "(%s=%*s)", req->attribute,
1462 (int)req->value.length, req->value.data);
1463 NT_STATUS_HAVE_NO_MEMORY(filter);
1464
1465 DBG_DEBUG("attribute: [%s]\n", filter);
1466
1467 attrs[0] = NULL;
1468
1469 compare_r = ldapsrv_init_reply(call, LDAP_TAG_CompareResponse);
1470 NT_STATUS_HAVE_NO_MEMORY(compare_r);
1471
1472 if (result == LDAP_SUCCESS) {
1473 ldb_ret = ldb_search(samdb, local_ctx, &res,
1474 dn, LDB_SCOPE_BASE, attrs, "%s", filter);
1475 if (ldb_ret != LDB_SUCCESS) {
1476 result = map_ldb_error(local_ctx, ldb_ret,
1477 ldb_errstring(samdb), &errstr);
1478 DBG_DEBUG("error: %s\n", errstr);
1479 } else if (res->count == 0) {
1480 DBG_DEBUG("didn't match\n");
1481 result = LDAP_COMPARE_FALSE;
1482 errstr = NULL;
1483 } else if (res->count == 1) {
1484 DBG_DEBUG("matched\n");
1485 result = LDAP_COMPARE_TRUE;
1486 errstr = NULL;
1487 } else if (res->count > 1) {
1488 result = LDAP_OTHER;
1489 map_ldb_error(local_ctx, LDB_ERR_OTHER, NULL, &errstr);
1490 errstr = talloc_asprintf(local_ctx,
1491 "%s. Too many objects match!", errstr);
1492 DBG_DEBUG("%u results: %s\n", res->count, errstr);
1493 }
1494 }
1495
1496 compare = &compare_r->msg->r.CompareResponse;
1497 compare->dn = NULL;
1498 compare->resultcode = result;
1499 compare->errormessage = (errstr?talloc_strdup(compare_r,errstr):NULL);
1500 compare->referral = NULL;
1501
1502 talloc_free(local_ctx);
1503
1504 return ldapsrv_queue_reply(call, compare_r);
1505 }
1506
1507 static NTSTATUS ldapsrv_AbandonRequest(struct ldapsrv_call *call)
1508 {
1509 struct ldap_AbandonRequest *req = &call->request->r.AbandonRequest;
1510 struct ldapsrv_call *c = NULL;
1511 struct ldapsrv_call *n = NULL;
1512
1513 DBG_DEBUG("abandoned\n");
1514
1515 for (c = call->conn->pending_calls; c != NULL; c = n) {
1516 n = c->next;
1517
1518 if (c->request->messageid != req->messageid) {
1519 continue;
1520 }
1521
1522 DLIST_REMOVE(call->conn->pending_calls, c);
1523 TALLOC_FREE(c);
1524 }
1525
1526 return NT_STATUS_OK;
1527 }
1528
1529 static NTSTATUS ldapsrv_expired(struct ldapsrv_call *call)
1530 {
1531 struct ldapsrv_reply *reply = NULL;
1532 struct ldap_ExtendedResponse *r = NULL;
1533
1534 DBG_DEBUG("Sending connection expired message\n");
1535
1536 reply = ldapsrv_init_reply(call, LDAP_TAG_ExtendedResponse);
1537 if (reply == NULL) {
1538 return NT_STATUS_NO_MEMORY;
1539 }
1540
1541 /*
1542 * According to RFC4511 section 4.4.1 this has a msgid of 0
1543 */
1544 reply->msg->messageid = 0;
1545
1546 r = &reply->msg->r.ExtendedResponse;
1547 r->response.resultcode = LDB_ERR_UNAVAILABLE;
1548 r->response.errormessage = "The server has timed out this connection";
1549 r->oid = "1.3.6.1.4.1.1466.20036"; /* see rfc4511 section 4.4.1 */
1550
1551 ldapsrv_queue_reply(call, reply);
1552 return NT_STATUS_OK;
1553 }
1554
1555 NTSTATUS ldapsrv_do_call(struct ldapsrv_call *call)
1556 {
1557 unsigned int i;
1558 struct ldap_message *msg = call->request;
1559 struct ldapsrv_connection *conn = call->conn;
1560 NTSTATUS status;
1561 bool expired;
1562
1563 expired = timeval_expired(&conn->limits.expire_time);
1564 if (expired) {
1565 status = ldapsrv_expired(call);
1566 if (!NT_STATUS_IS_OK(status)) {
1567 return status;
1568 }
1569 return NT_STATUS_NETWORK_SESSION_EXPIRED;
1570 }
1571
1572 /* Check for undecoded critical extensions */
1573 for (i=0; msg->controls && msg->controls[i]; i++) {
1574 if (!msg->controls_decoded[i] &&
1575 msg->controls[i]->critical) {
1576 DBG_NOTICE("Critical extension %s is not known to this server\n",
1577 msg->controls[i]->oid);
1578 return ldapsrv_unwilling(call, LDAP_UNAVAILABLE_CRITICAL_EXTENSION);
1579 }
1580 }
1581
1582 if (call->conn->authz_logged == false) {
1583 bool log = true;
1584
1585 /*
1586 * We do not want to log anonymous access if the query
1587 * is just for the rootDSE, or it is a startTLS or a
1588 * Bind.
1589 *
1590 * A rootDSE search could also be done over
1591 * CLDAP anonymously for example, so these don't
1592 * really count.
1593 * Essentially we want to know about
1594 * access beyond that normally done prior to a
1595 * bind.
1596 */
1597
1598 switch(call->request->type) {
1599 case LDAP_TAG_BindRequest:
1600 case LDAP_TAG_UnbindRequest:
1601 case LDAP_TAG_AbandonRequest:
1602 log = false;
1603 break;
1604 case LDAP_TAG_ExtendedResponse: {
1605 struct ldap_ExtendedRequest *req = &call->request->r.ExtendedRequest;
1606 if (strcmp(req->oid, LDB_EXTENDED_START_TLS_OID) == 0) {
1607 log = false;
1608 }
1609 break;
1610 }
1611 case LDAP_TAG_SearchRequest: {
1612 struct ldap_SearchRequest *req = &call->request->r.SearchRequest;
1613 if (req->scope == LDAP_SEARCH_SCOPE_BASE) {
1614 if (req->basedn[0] == '\0') {
1615 log = false;
1616 }
1617 }
1618 break;
1619 }
1620 default:
1621 break;
1622 }
1623
1624 if (log) {
1625 const char *transport_protection = AUTHZ_TRANSPORT_PROTECTION_NONE;
1626 if (call->conn->sockets.active == call->conn->sockets.tls) {
1627 transport_protection = AUTHZ_TRANSPORT_PROTECTION_TLS;
1628 }
1629
1630 log_successful_authz_event(call->conn->connection->msg_ctx,
1631 call->conn->connection->lp_ctx,
1632 call->conn->connection->remote_address,
1633 call->conn->connection->local_address,
1634 "LDAP",
1635 "no bind",
1636 transport_protection,
1637 call->conn->session_info,
1638 NULL /* client_audit_info */,
1639 NULL /* server_audit_info */);
1640
1641 call->conn->authz_logged = true;
1642 }
1643 }
1644
1645 switch(call->request->type) {
1646 case LDAP_TAG_BindRequest:
1647 return ldapsrv_BindRequest(call);
1648 case LDAP_TAG_UnbindRequest:
1649 return ldapsrv_UnbindRequest(call);
1650 case LDAP_TAG_SearchRequest:
1651 return ldapsrv_SearchRequest(call);
1652 case LDAP_TAG_ModifyRequest:
1653 status = ldapsrv_ModifyRequest(call);
1654 break;
1655 case LDAP_TAG_AddRequest:
1656 status = ldapsrv_AddRequest(call);
1657 break;
1658 case LDAP_TAG_DelRequest:
1659 status = ldapsrv_DelRequest(call);
1660 break;
1661 case LDAP_TAG_ModifyDNRequest:
1662 status = ldapsrv_ModifyDNRequest(call);
1663 break;
1664 case LDAP_TAG_CompareRequest:
1665 return ldapsrv_CompareRequest(call);
1666 case LDAP_TAG_AbandonRequest:
1667 return ldapsrv_AbandonRequest(call);
1668 case LDAP_TAG_ExtendedRequest:
1669 status = ldapsrv_ExtendedRequest(call);
1670 break;
1671 default:
1672 return ldapsrv_unwilling(call, LDAP_PROTOCOL_ERROR);
1673 }
1674
1675 if (NT_STATUS_IS_OK(status)) {
1676 ldapsrv_notification_retry_setup(call->conn->service, true);
1677 }
1678
1679 return status;
1680 }
Samba GIT mirror