From 5f5756db714de0c1b00d648a48423fde19a564a1 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Mon, 20 Feb 2017 15:57:03 +1300
Subject: [PATCH] ldap_server: Move code into authenticate_ldap_simple_bind()

This function is only called for simple binds, and by moving the mapping into the function call we allow the unmapped values to be included in the user_info and so logged.

We also include the local address and the remote address of the client for future logging

Signed-off-by: Andrew Bartlett
Pair-Programmed-by: Gary Lockyer
Signed-off-by: Gary Lockyer
---
source4/auth/auth.h | 18 +++++++++---------
source4/auth/ntlm/auth_simple.c | 42 ++++++++++++++++++++++++++++-------------
source4/ldap_server/ldap_bind.c | 22 +++++++++------------
3 files changed, 47 insertions(+), 35 deletions(-)

diff --git a/source4/auth/auth.h b/source4/auth/auth.h
index 7358f40b70d..461d711d22e 100644
--- a/source4/auth/auth.h
+++ b/source4/auth/auth.h
@@ -158,15 +158,15 @@ NTSTATUS auth_check_password(struct auth4_context *auth_ctx,
NTSTATUS auth4_init(void);
NTSTATUS auth_register(const struct auth_operations *ops);
NTSTATUS server_service_auth_init(void);
-NTSTATUS authenticate_username_pw(TALLOC_CTX *mem_ctx,
- struct tevent_context *ev,
- struct imessaging_context *msg,
- struct loadparm_context *lp_ctx,
- const char *nt4_domain,
- const char *nt4_username,
- const char *password,
- const uint32_t logon_parameters,
- struct auth_session_info **session_info);
+NTSTATUS authenticate_ldap_simple_bind(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct imessaging_context *msg,
+ struct loadparm_context *lp_ctx,
+ struct tsocket_address *remote_address,
+ struct tsocket_address *local_address,
+ const char *dn,
+ const char *password,
+ struct auth_session_info **session_info);
struct tevent_req *auth_check_password_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
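Review bot: The new authenticate_ldap_simple_bind() prototype in auth.h carries no doc comment, and the only contract text is the `/* It's allowed to pass NULL as session_info ... */` comment above the definition in auth_simple.c, which says nothing about the new parameters. The parameter is named `dn`, yet the definition hands it straight to crack_auto_name_to_nt4_name(), so presumably other name forms are accepted too; the header should state what the caller may pass, that it is the client-supplied, unmapped bind name, and that remote_address and local_address are only stored on the user_info (no ownership taken). Suggest a Doxygen block above the declaration along the lines of `/** Authenticate an LDAP simple bind. dn is the unmapped name as sent by the client (mapped to NT4 form internally); remote_address/local_address are recorded on the user_info for logging; session_info may be NULL. */`, with the same text repeated above the definition in auth_simple.c.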
diff --git a/source4/auth/ntlm/auth_simple.c b/source4/auth/ntlm/auth_simple.c
index be2ff5e1690..31dc0e51b18 100644
--- a/source4/auth/ntlm/auth_simple.c
+++ b/source4/auth/ntlm/auth_simple.c
@@ -23,20 +23,21 @@
#include "includes.h"
#include "auth/auth.h"
+#include "dsdb/samdb/samdb.h"
/* It's allowed to pass NULL as session_info, when the caller doesn't need a session_info */
-_PUBLIC_ NTSTATUS authenticate_username_pw(TALLOC_CTX *mem_ctx,
- struct tevent_context *ev,
- struct imessaging_context *msg,
- struct loadparm_context *lp_ctx,
- const char *nt4_domain,
- const char *nt4_username,
- const char *password,
- const uint32_t logon_parameters,
- struct auth_session_info **session_info)
+_PUBLIC_ NTSTATUS authenticate_ldap_simple_bind(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct imessaging_context *msg,
+ struct loadparm_context *lp_ctx,
+ struct tsocket_address *remote_address,
+ struct tsocket_address *local_address,
+ const char *dn,
+ const char *password,
+ struct auth_session_info **session_info)
{
struct auth4_context *auth_context;
struct auth_usersupplied_info *user_info;
@@ -44,11 +45,21 @@ _PUBLIC_ NTSTATUS authenticate_username_pw(TALLOC_CTX *mem_ctx,
NTSTATUS nt_status;
uint8_t authoritative = 0;
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+ const char *nt4_domain;
+ const char *nt4_username;
if (!tmp_ctx) {
return NT_STATUS_NO_MEMORY;
}
+ nt_status = crack_auto_name_to_nt4_name(tmp_ctx, ev, lp_ctx, dn,
+ &nt4_domain, &nt4_username);
+
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ talloc_free(tmp_ctx);
+ return nt_status;
+ }
+
nt_status = auth_context_create(tmp_ctx, ev, msg, lp_ctx,
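Review bot: When crack_auto_name_to_nt4_name() fails, the new block returns nt_status before user_info is ever built, so a simple bind whose name cannot be mapped never reaches auth_check_password(), and the unmapped name, remote address and local address this patch adds for logging are not recorded for exactly those failed attempts. If the auth subsystem is where failed logons get logged (that code is outside this hunk), these binds are invisible to it; consider at least a debug line at the early return so the failure mode can be seen, e.g. `DEBUG(2, ("Unable to map simple bind name to NT4 form: %s\n", nt_errstr(nt_status)));`. The enclosing function continues past the end of the hunk.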
@@ -65,14 +76,17 @@ _PUBLIC_ NTSTATUS authenticate_username_pw(TALLOC_CTX *mem_ctx,
}
user_info->mapped_state = true;
- user_info->client.account_name = nt4_username;
+ user_info->client.account_name = dn;
+ /* No client.domain_name, use account_name instead */
user_info->mapped.account_name = nt4_username;
- user_info->client.domain_name = nt4_domain;
user_info->mapped.domain_name = nt4_domain;
user_info->workstation_name = NULL;
- user_info->remote_host = NULL;
+ user_info->remote_host = remote_address;
+ user_info->local_host = local_address;
+
+ user_info->service_description = "ldap simple bind";
user_info->password_state = AUTH_PASSWORD_PLAIN;
user_info->password.plaintext = talloc_strdup(user_info, password);
@@ -80,7 +94,9 @@ _PUBLIC_ NTSTATUS authenticate_username_pw(TALLOC_CTX *mem_ctx,
user_info->flags = USER_INFO_CASE_INSENSITIVE_USERNAME |
USER_INFO_DONT_CHECK_UNIX_ACCOUNT;
- user_info->logon_parameters = logon_parameters |
+ user_info->logon_parameters =
+ MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT |
+ MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT |
MSV1_0_CLEARTEXT_PASSWORD_ALLOWED |
MSV1_0_CLEARTEXT_PASSWORD_SUPPLIED;
diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c
index e0f13f2de2d..f51765789c6 100644
--- a/source4/ldap_server/ldap_bind.c
+++ b/source4/ldap_server/ldap_bind.c
@@ -68,7 +68,6 @@ static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call)
int result;
const char *errstr;
- const char *nt4_domain, *nt4_account;
struct auth_session_info *session_info;
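Review bot: `user_info->client.domain_name` is no longer assigned in this hunk, and the new comment `/* No client.domain_name, use account_name instead */` only records the omission; whether the field reads as NULL depends on how user_info was allocated a few lines above, outside the hunk, so if that allocation is not zero-filling, any consumer of client.domain_name now sees an indeterminate pointer. client.account_name now carries the bind name exactly as the client sent it, which is the intent of the change, but whatever later logs or compares it should treat it as untrusted input rather than an already-cracked account name. Suggest making the comment carry the contract, e.g. `/* client.domain_name stays NULL: a simple bind supplies a single string, kept unmapped in client.account_name; the cracked form is in mapped.* */`, and confirming the allocation zero-fills.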
@@ -93,18 +92,15 @@ static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call)
goto do_reply;
}
- status = crack_auto_name_to_nt4_name(call, call->conn->connection->event.ctx, call->conn->lp_ctx, req->dn, &nt4_domain, &nt4_account);
- if (NT_STATUS_IS_OK(status)) {
- status = authenticate_username_pw(call,
- call->conn->connection->event.ctx,
- call->conn->connection->msg_ctx,
- call->conn->lp_ctx,
- nt4_domain, nt4_account,
- req->creds.password,
- MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT |
- MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT,
- &session_info);
- }
+ status = authenticate_ldap_simple_bind(call,
+ call->conn->connection->event.ctx,
+ call->conn->connection->msg_ctx,
+ call->conn->lp_ctx,
+ call->conn->connection->remote_address,
+ call->conn->connection->local_address,
+ req->dn,
+ req->creds.password,
+ &session_info);
if (NT_STATUS_IS_OK(status)) {
result = LDAP_SUCCESS;
-- 
2.11.4.GIT
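Review bot: The lifetime of the cracked NT4 name and domain deserves confirmation: the removed code allocated them on `call`, while the new callee allocates them on its own tmp_ctx (see the auth_simple.c hunk) and points user_info->mapped.account_name and mapped.domain_name at them. That is sound only if user_info, and anything derived from it that keeps those pointers, does not outlive tmp_ctx; the allocation of user_info and the final talloc_free are outside the visible hunks, so this cannot be checked from the patch alone. A one-line comment on the callee's `talloc_free(tmp_ctx)` stating that the cracked names die with it would make the assumption explicit. ldapsrv_BindSimple() starts and ends outside this hunk.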