search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
r8994: Clean up some more autogenerated files so I can predict when I'm going to
[Samba/aatanasov.git] / source / ldap_server / ldap_server.c
blobc898471e27bc3f5b4b7fd84a8401e9908e33f6f8
1 /*
2 Unix SMB/CIFS implementation.
3
4 LDAP server
5
6 Copyright (C) Andrew Tridgell 2005
7 Copyright (C) Volker Lendecke 2004
8 Copyright (C) Stefan Metzmacher 2004
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 2 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program; if not, write to the Free Software
22 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23 */
24
25 #include "includes.h"
26 #include "lib/events/events.h"
27 #include "auth/auth.h"
28 #include "dlinklist.h"
29 #include "asn_1.h"
30 #include "ldap_server/ldap_server.h"
31 #include "smbd/service_task.h"
32 #include "smbd/service_stream.h"
33 #include "lib/socket/socket.h"
34 #include "lib/tls/tls.h"
35 #include "lib/messaging/irpc.h"
36
37 /*
38 close the socket and shutdown a server_context
39 */
40 static void ldapsrv_terminate_connection(struct ldapsrv_connection *conn,
41 const char *reason)
42 {
43 talloc_free(conn->tls);
44 conn->tls = NULL;
45 stream_terminate_connection(conn->connection, reason);
46 }
47
48 /*
49 process a decoded ldap message
50 */
51 static void ldapsrv_process_message(struct ldapsrv_connection *conn,
52 struct ldap_message *msg)
53 {
54 struct ldapsrv_call *call;
55 NTSTATUS status;
56 DATA_BLOB blob;
57 struct ldapsrv_send *q;
58 BOOL enable_wrap = conn->enable_wrap;
59
60 call = talloc(conn, struct ldapsrv_call);
61 if (!call) {
62 ldapsrv_terminate_connection(conn, "no memory");
63 return;
64 }
65
66 call->request = talloc_steal(call, msg);
67 call->conn = conn;
68 call->replies = NULL;
69
70 /* make the call */
71 status = ldapsrv_do_call(call);
72 if (!NT_STATUS_IS_OK(status)) {
73 goto failed;
74 }
75
76 blob = data_blob(NULL, 0);
77
78 if (call->replies == NULL) {
79 talloc_free(call);
80 return;
81 }
82
83 /* build all the replies into a single blob */
84 while (call->replies) {
85 DATA_BLOB b;
86
87 msg = call->replies->msg;
88 if (!ldap_encode(msg, &b)) {
89 DEBUG(0,("Failed to encode ldap reply of type %d\n", msg->type));
90 goto failed;
91 }
92
93 status = data_blob_append(call, &blob, b.data, b.length);
94 if (!NT_STATUS_IS_OK(status)) goto failed;
95
96 DLIST_REMOVE(call->replies, call->replies);
97 }
98
99 /* possibly encrypt/sign the reply */
100 if (enable_wrap) {
101 DATA_BLOB wrapped;
102
103 status = gensec_wrap(conn->gensec, call, &blob, &wrapped);
104 if (!NT_STATUS_IS_OK(status)) {
105 goto failed;
106 }
107 data_blob_free(&blob);
108 blob = data_blob_talloc(call, NULL, wrapped.length + 4);
109 if (blob.data == NULL) {
110 goto failed;
111 }
112 RSIVAL(blob.data, 0, wrapped.length);
113 memcpy(blob.data+4, wrapped.data, wrapped.length);
114 data_blob_free(&wrapped);
115 }
116
117 q = talloc(conn, struct ldapsrv_send);
118 if (q == NULL) goto failed;
119
120 q->data = blob;
121 talloc_steal(q, blob.data);
122
123 if (conn->send_queue == NULL) {
124 EVENT_FD_WRITEABLE(conn->connection->event.fde);
125 }
126 DLIST_ADD_END(conn->send_queue, q, struct ldapsrv_send *);
127 talloc_free(call);
128 return;
129
130 failed:
131 talloc_free(call);
132 }
133
134
135 /*
136 try and decode the partial input buffer
137 */
138 static void ldapsrv_try_decode_plain(struct ldapsrv_connection *conn)
139 {
140 struct asn1_data asn1;
141
142 if (!asn1_load(&asn1, conn->partial)) {
143 ldapsrv_terminate_connection(conn, "out of memory");
144 return;
145 }
146
147 /* try and decode - this will fail if we don't have a full packet yet */
148 while (asn1.ofs < asn1.length) {
149 struct ldap_message *msg = talloc(conn, struct ldap_message);
150 off_t saved_ofs = asn1.ofs;
151
152 if (msg == NULL) {
153 ldapsrv_terminate_connection(conn, "out of memory");
154 return;
155 }
156
157 if (ldap_decode(&asn1, msg)) {
158 ldapsrv_process_message(conn, msg);
159 } else {
160 if (asn1.ofs < asn1.length) {
161 ldapsrv_terminate_connection(conn, "ldap_decode failed");
162 return;
163 }
164 asn1.ofs = saved_ofs;
165 talloc_free(msg);
166 break;
167 }
168 }
169
170 /* keep any remaining data in conn->partial */
171 data_blob_free(&conn->partial);
172 if (asn1.ofs != asn1.length) {
173 conn->partial = data_blob_talloc(conn,
174 asn1.data + asn1.ofs,
175 asn1.length - asn1.ofs);
176 }
177 asn1_free(&asn1);
178 }
179
180
181 /*
182 try and decode/process wrapped data
183 */
184 static void ldapsrv_try_decode_wrapped(struct ldapsrv_connection *conn)
185 {
186 uint32_t len;
187
188 /* keep decoding while we have a full wrapped packet */
189 while (conn->partial.length >= 4 &&
190 (len=RIVAL(conn->partial.data, 0)) <= conn->partial.length-4) {
191 DATA_BLOB wrapped, unwrapped;
192 struct asn1_data asn1;
193 struct ldap_message *msg = talloc(conn, struct ldap_message);
194 NTSTATUS status;
195
196 if (msg == NULL) {
197 ldapsrv_terminate_connection(conn, "out of memory");
198 return;
199 }
200
201 wrapped.data = conn->partial.data+4;
202 wrapped.length = len;
203
204 status = gensec_unwrap(conn->gensec, msg, &wrapped, &unwrapped);
205 if (!NT_STATUS_IS_OK(status)) {
206 ldapsrv_terminate_connection(conn, "gensec unwrap failed");
207 return;
208 }
209
210 if (!asn1_load(&asn1, unwrapped)) {
211 ldapsrv_terminate_connection(conn, "out of memory");
212 return;
213 }
214
215 while (ldap_decode(&asn1, msg)) {
216 ldapsrv_process_message(conn, msg);
217 msg = talloc(conn, struct ldap_message);
218 }
219
220 if (asn1.ofs < asn1.length) {
221 ldapsrv_terminate_connection(conn, "ldap_decode failed");
222 return;
223 }
224
225 talloc_free(msg);
226 asn1_free(&asn1);
227
228 if (conn->partial.length == len + 4) {
229 data_blob_free(&conn->partial);
230 } else {
231 memmove(conn->partial.data, conn->partial.data+len+4,
232 conn->partial.length - (len+4));
233 conn->partial.length -= len + 4;
234 }
235 }
236 }
237
238
239 /*
240 called when a LDAP socket becomes readable
241 */
242 static void ldapsrv_recv(struct stream_connection *c, uint16_t flags)
243 {
244 struct ldapsrv_connection *conn =
245 talloc_get_type(c->private, struct ldapsrv_connection);
246 NTSTATUS status;
247 size_t npending, nread;
248
249 if (conn->processing) {
250 EVENT_FD_NOT_READABLE(c->event.fde);
251 return;
252 }
253
254 /* work out how much data is pending */
255 status = tls_socket_pending(conn->tls, &npending);
256 if (!NT_STATUS_IS_OK(status)) {
257 ldapsrv_terminate_connection(conn, "socket_pening() failed");
258 return;
259 }
260 if (npending == 0) {
261 ldapsrv_terminate_connection(conn, "EOF from client");
262 return;
263 }
264
265 conn->partial.data = talloc_realloc_size(conn, conn->partial.data,
266 conn->partial.length + npending);
267 if (conn->partial.data == NULL) {
268 ldapsrv_terminate_connection(conn, "out of memory");
269 return;
270 }
271
272 /* receive the data */
273 status = tls_socket_recv(conn->tls, conn->partial.data + conn->partial.length,
274 npending, &nread);
275 if (NT_STATUS_IS_ERR(status)) {
276 ldapsrv_terminate_connection(conn, "socket_recv() failed");
277 return;
278 }
279 if (!NT_STATUS_IS_OK(status)) {
280 return;
281 }
282 if (nread == 0) {
283 ldapsrv_terminate_connection(conn, "EOF from client");
284 return;
285 }
286 conn->partial.length += nread;
287
288 conn->processing = True;
289 /* see if we can decode what we have */
290 if (conn->enable_wrap) {
291 ldapsrv_try_decode_wrapped(conn);
292 } else {
293 ldapsrv_try_decode_plain(conn);
294 }
295 conn->processing = False;
296
297 EVENT_FD_READABLE(c->event.fde);
298 }
299
300 /*
301 called when a LDAP socket becomes writable
302 */
303 static void ldapsrv_send(struct stream_connection *c, uint16_t flags)
304 {
305 struct ldapsrv_connection *conn =
306 talloc_get_type(c->private, struct ldapsrv_connection);
307 while (conn->send_queue) {
308 struct ldapsrv_send *q = conn->send_queue;
309 size_t nsent;
310 NTSTATUS status;
311
312 status = tls_socket_send(conn->tls, &q->data, &nsent);
313 if (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES)) {
314 break;
315 }
316 if (!NT_STATUS_IS_OK(status)) {
317 ldapsrv_terminate_connection(conn, "socket_send error");
318 return;
319 }
320
321 q->data.data += nsent;
322 q->data.length -= nsent;
323 if (q->data.length == 0) {
324 DLIST_REMOVE(conn->send_queue, q);
325 }
326 }
327 if (conn->send_queue == NULL) {
328 EVENT_FD_NOT_WRITEABLE(c->event.fde);
329 }
330 }
331
332 /*
333 initialise a server_context from a open socket and register a event handler
334 for reading from that socket
335 */
336 static void ldapsrv_accept(struct stream_connection *c)
337 {
338 struct ldapsrv_service *ldapsrv_service =
339 talloc_get_type(c->private, struct ldapsrv_service);
340 struct ldapsrv_connection *conn;
341 int port;
342
343 conn = talloc_zero(c, struct ldapsrv_connection);
344 if (conn == NULL) goto failed;
345
346 conn->enable_wrap = False;
347 conn->partial = data_blob(NULL, 0);
348 conn->send_queue = NULL;
349 conn->connection = c;
350 conn->service = talloc_get_type(c->private, struct ldapsrv_service);
351 conn->processing = False;
352 c->private = conn;
353
354 port = socket_get_my_port(c->socket);
355
356 /* note that '0' is a ASN1_SEQUENCE(0), which is the first byte on
357 any ldap connection */
358 conn->tls = tls_init_server(ldapsrv_service->tls_params, c->socket,
359 c->event.fde, NULL, port != 389);
360 if (conn->tls == NULL) goto failed;
361
362 irpc_add_name(c->msg_ctx, "ldap_server");
363
364 return;
365
366 failed:
367 talloc_free(c);
368 }
369
370 static const struct stream_server_ops ldap_stream_ops = {
371 .name = "ldap",
372 .accept_connection = ldapsrv_accept,
373 .recv_handler = ldapsrv_recv,
374 .send_handler = ldapsrv_send,
375 };
376
377 /*
378 add a socket address to the list of events, one event per port
379 */
380 static NTSTATUS add_socket(struct event_context *event_context,
381 const struct model_ops *model_ops,
382 const char *address, struct ldapsrv_service *ldap_service)
383 {
384 uint16_t port = 389;
385 NTSTATUS status;
386
387 status = stream_setup_socket(event_context, model_ops, &ldap_stream_ops,
388 "ipv4", address, &port, ldap_service);
389 if (!NT_STATUS_IS_OK(status)) {
390 DEBUG(0,("ldapsrv failed to bind to %s:%u - %s\n",
391 address, port, nt_errstr(status)));
392 }
393
394 if (tls_support(ldap_service->tls_params)) {
395 /* add ldaps server */
396 port = 636;
397 status = stream_setup_socket(event_context, model_ops, &ldap_stream_ops,
398 "ipv4", address, &port, ldap_service);
399 if (!NT_STATUS_IS_OK(status)) {
400 DEBUG(0,("ldapsrv failed to bind to %s:%u - %s\n",
401 address, port, nt_errstr(status)));
402 }
403 }
404
405 return status;
406 }
407
408 /*
409 open the ldap server sockets
410 */
411 static void ldapsrv_task_init(struct task_server *task)
412 {
413 struct ldapsrv_service *ldap_service;
414 struct ldapsrv_partition *rootDSE_part;
415 struct ldapsrv_partition *part;
416 NTSTATUS status;
417
418 ldap_service = talloc_zero(task, struct ldapsrv_service);
419 if (ldap_service == NULL) goto failed;
420
421 ldap_service->tls_params = tls_initialise(ldap_service);
422 if (ldap_service->tls_params == NULL) goto failed;
423
424 rootDSE_part = talloc(ldap_service, struct ldapsrv_partition);
425 if (rootDSE_part == NULL) goto failed;
426
427 rootDSE_part->base_dn = ""; /* RootDSE */
428 rootDSE_part->ops = ldapsrv_get_rootdse_partition_ops();
429
430 ldap_service->rootDSE = rootDSE_part;
431 DLIST_ADD_END(ldap_service->partitions, rootDSE_part, struct ldapsrv_partition *);
432
433 part = talloc(ldap_service, struct ldapsrv_partition);
434 if (part == NULL) goto failed;
435
436 part->base_dn = "*"; /* default partition */
437 if (lp_parm_bool(-1, "ldapsrv", "hacked", False)) {
438 part->ops = ldapsrv_get_hldb_partition_ops();
439 } else {
440 part->ops = ldapsrv_get_sldb_partition_ops();
441 }
442
443 ldap_service->default_partition = part;
444 DLIST_ADD_END(ldap_service->partitions, part, struct ldapsrv_partition *);
445
446 if (lp_interfaces() && lp_bind_interfaces_only()) {
447 int num_interfaces = iface_count();
448 int i;
449
450 /* We have been given an interfaces line, and been
451 told to only bind to those interfaces. Create a
452 socket per interface and bind to only these.
453 */
454 for(i = 0; i < num_interfaces; i++) {
455 const char *address = iface_n_ip(i);
456 status = add_socket(task->event_ctx, task->model_ops, address, ldap_service);
457 if (!NT_STATUS_IS_OK(status)) goto failed;
458 }
459 } else {
460 status = add_socket(task->event_ctx, task->model_ops, lp_socket_address(), ldap_service);
461 if (!NT_STATUS_IS_OK(status)) goto failed;
462 }
463
464 return;
465
466 failed:
467 task_server_terminate(task, "Failed to startup ldap server task");
468 }
469
470 /*
471 called on startup of the web server service It's job is to start
472 listening on all configured sockets
473 */
474 static NTSTATUS ldapsrv_init(struct event_context *event_context,
475 const struct model_ops *model_ops)
476 {
477 return task_server_startup(event_context, model_ops, ldapsrv_task_init);
478 }
479
480
481 NTSTATUS server_service_ldap_init(void)
482 {
483 return register_server_service("ldap", ldapsrv_init);
484 }
aatanasov's samba4 branch