2 Unix SMB/CIFS implementation.
6 Copyright (C) Andrew Tridgell 2005
7 Copyright (C) Volker Lendecke 2004
8 Copyright (C) Stefan Metzmacher 2004
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 2 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program; if not, write to the Free Software
22 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
26 #include "lib/events/events.h"
27 #include "auth/auth.h"
28 #include "dlinklist.h"
30 #include "ldap_server/ldap_server.h"
31 #include "smbd/service_task.h"
32 #include "smbd/service_stream.h"
33 #include "lib/socket/socket.h"
34 #include "lib/tls/tls.h"
35 #include "lib/messaging/irpc.h"
38 close the socket and shutdown a server_context
40 static void ldapsrv_terminate_connection(struct ldapsrv_connection
*conn
,
43 talloc_free(conn
->tls
);
45 stream_terminate_connection(conn
->connection
, reason
);
49 process a decoded ldap message
51 static void ldapsrv_process_message(struct ldapsrv_connection
*conn
,
52 struct ldap_message
*msg
)
54 struct ldapsrv_call
*call
;
57 struct ldapsrv_send
*q
;
58 BOOL enable_wrap
= conn
->enable_wrap
;
60 call
= talloc(conn
, struct ldapsrv_call
);
62 ldapsrv_terminate_connection(conn
, "no memory");
66 call
->request
= talloc_steal(call
, msg
);
71 status
= ldapsrv_do_call(call
);
72 if (!NT_STATUS_IS_OK(status
)) {
76 blob
= data_blob(NULL
, 0);
78 if (call
->replies
== NULL
) {
83 /* build all the replies into a single blob */
84 while (call
->replies
) {
87 msg
= call
->replies
->msg
;
88 if (!ldap_encode(msg
, &b
)) {
89 DEBUG(0,("Failed to encode ldap reply of type %d\n", msg
->type
));
93 status
= data_blob_append(call
, &blob
, b
.data
, b
.length
);
94 if (!NT_STATUS_IS_OK(status
)) goto failed
;
96 DLIST_REMOVE(call
->replies
, call
->replies
);
99 /* possibly encrypt/sign the reply */
103 status
= gensec_wrap(conn
->gensec
, call
, &blob
, &wrapped
);
104 if (!NT_STATUS_IS_OK(status
)) {
107 data_blob_free(&blob
);
108 blob
= data_blob_talloc(call
, NULL
, wrapped
.length
+ 4);
109 if (blob
.data
== NULL
) {
112 RSIVAL(blob
.data
, 0, wrapped
.length
);
113 memcpy(blob
.data
+4, wrapped
.data
, wrapped
.length
);
114 data_blob_free(&wrapped
);
117 q
= talloc(conn
, struct ldapsrv_send
);
118 if (q
== NULL
) goto failed
;
121 talloc_steal(q
, blob
.data
);
123 if (conn
->send_queue
== NULL
) {
124 EVENT_FD_WRITEABLE(conn
->connection
->event
.fde
);
126 DLIST_ADD_END(conn
->send_queue
, q
, struct ldapsrv_send
*);
136 try and decode the partial input buffer
138 static void ldapsrv_try_decode_plain(struct ldapsrv_connection
*conn
)
140 struct asn1_data asn1
;
142 if (!asn1_load(&asn1
, conn
->partial
)) {
143 ldapsrv_terminate_connection(conn
, "out of memory");
147 /* try and decode - this will fail if we don't have a full packet yet */
148 while (asn1
.ofs
< asn1
.length
) {
149 struct ldap_message
*msg
= talloc(conn
, struct ldap_message
);
150 off_t saved_ofs
= asn1
.ofs
;
153 ldapsrv_terminate_connection(conn
, "out of memory");
157 if (ldap_decode(&asn1
, msg
)) {
158 ldapsrv_process_message(conn
, msg
);
160 if (asn1
.ofs
< asn1
.length
) {
161 ldapsrv_terminate_connection(conn
, "ldap_decode failed");
164 asn1
.ofs
= saved_ofs
;
170 /* keep any remaining data in conn->partial */
171 data_blob_free(&conn
->partial
);
172 if (asn1
.ofs
!= asn1
.length
) {
173 conn
->partial
= data_blob_talloc(conn
,
174 asn1
.data
+ asn1
.ofs
,
175 asn1
.length
- asn1
.ofs
);
182 try and decode/process wrapped data
184 static void ldapsrv_try_decode_wrapped(struct ldapsrv_connection
*conn
)
188 /* keep decoding while we have a full wrapped packet */
189 while (conn
->partial
.length
>= 4 &&
190 (len
=RIVAL(conn
->partial
.data
, 0)) <= conn
->partial
.length
-4) {
191 DATA_BLOB wrapped
, unwrapped
;
192 struct asn1_data asn1
;
193 struct ldap_message
*msg
= talloc(conn
, struct ldap_message
);
197 ldapsrv_terminate_connection(conn
, "out of memory");
201 wrapped
.data
= conn
->partial
.data
+4;
202 wrapped
.length
= len
;
204 status
= gensec_unwrap(conn
->gensec
, msg
, &wrapped
, &unwrapped
);
205 if (!NT_STATUS_IS_OK(status
)) {
206 ldapsrv_terminate_connection(conn
, "gensec unwrap failed");
210 if (!asn1_load(&asn1
, unwrapped
)) {
211 ldapsrv_terminate_connection(conn
, "out of memory");
215 while (ldap_decode(&asn1
, msg
)) {
216 ldapsrv_process_message(conn
, msg
);
217 msg
= talloc(conn
, struct ldap_message
);
220 if (asn1
.ofs
< asn1
.length
) {
221 ldapsrv_terminate_connection(conn
, "ldap_decode failed");
228 if (conn
->partial
.length
== len
+ 4) {
229 data_blob_free(&conn
->partial
);
231 memmove(conn
->partial
.data
, conn
->partial
.data
+len
+4,
232 conn
->partial
.length
- (len
+4));
233 conn
->partial
.length
-= len
+ 4;
240 called when a LDAP socket becomes readable
242 static void ldapsrv_recv(struct stream_connection
*c
, uint16_t flags
)
244 struct ldapsrv_connection
*conn
=
245 talloc_get_type(c
->private, struct ldapsrv_connection
);
247 size_t npending
, nread
;
249 if (conn
->processing
) {
250 EVENT_FD_NOT_READABLE(c
->event
.fde
);
254 /* work out how much data is pending */
255 status
= tls_socket_pending(conn
->tls
, &npending
);
256 if (!NT_STATUS_IS_OK(status
)) {
257 ldapsrv_terminate_connection(conn
, "socket_pening() failed");
261 ldapsrv_terminate_connection(conn
, "EOF from client");
265 conn
->partial
.data
= talloc_realloc_size(conn
, conn
->partial
.data
,
266 conn
->partial
.length
+ npending
);
267 if (conn
->partial
.data
== NULL
) {
268 ldapsrv_terminate_connection(conn
, "out of memory");
272 /* receive the data */
273 status
= tls_socket_recv(conn
->tls
, conn
->partial
.data
+ conn
->partial
.length
,
275 if (NT_STATUS_IS_ERR(status
)) {
276 ldapsrv_terminate_connection(conn
, "socket_recv() failed");
279 if (!NT_STATUS_IS_OK(status
)) {
283 ldapsrv_terminate_connection(conn
, "EOF from client");
286 conn
->partial
.length
+= nread
;
288 conn
->processing
= True
;
289 /* see if we can decode what we have */
290 if (conn
->enable_wrap
) {
291 ldapsrv_try_decode_wrapped(conn
);
293 ldapsrv_try_decode_plain(conn
);
295 conn
->processing
= False
;
297 EVENT_FD_READABLE(c
->event
.fde
);
301 called when a LDAP socket becomes writable
303 static void ldapsrv_send(struct stream_connection
*c
, uint16_t flags
)
305 struct ldapsrv_connection
*conn
=
306 talloc_get_type(c
->private, struct ldapsrv_connection
);
307 while (conn
->send_queue
) {
308 struct ldapsrv_send
*q
= conn
->send_queue
;
312 status
= tls_socket_send(conn
->tls
, &q
->data
, &nsent
);
313 if (NT_STATUS_EQUAL(status
, STATUS_MORE_ENTRIES
)) {
316 if (!NT_STATUS_IS_OK(status
)) {
317 ldapsrv_terminate_connection(conn
, "socket_send error");
321 q
->data
.data
+= nsent
;
322 q
->data
.length
-= nsent
;
323 if (q
->data
.length
== 0) {
324 DLIST_REMOVE(conn
->send_queue
, q
);
327 if (conn
->send_queue
== NULL
) {
328 EVENT_FD_NOT_WRITEABLE(c
->event
.fde
);
333 initialise a server_context from a open socket and register a event handler
334 for reading from that socket
336 static void ldapsrv_accept(struct stream_connection
*c
)
338 struct ldapsrv_service
*ldapsrv_service
=
339 talloc_get_type(c
->private, struct ldapsrv_service
);
340 struct ldapsrv_connection
*conn
;
343 conn
= talloc_zero(c
, struct ldapsrv_connection
);
344 if (conn
== NULL
) goto failed
;
346 conn
->enable_wrap
= False
;
347 conn
->partial
= data_blob(NULL
, 0);
348 conn
->send_queue
= NULL
;
349 conn
->connection
= c
;
350 conn
->service
= talloc_get_type(c
->private, struct ldapsrv_service
);
351 conn
->processing
= False
;
354 port
= socket_get_my_port(c
->socket
);
356 /* note that '0' is a ASN1_SEQUENCE(0), which is the first byte on
357 any ldap connection */
358 conn
->tls
= tls_init_server(ldapsrv_service
->tls_params
, c
->socket
,
359 c
->event
.fde
, NULL
, port
!= 389);
360 if (conn
->tls
== NULL
) goto failed
;
362 irpc_add_name(c
->msg_ctx
, "ldap_server");
370 static const struct stream_server_ops ldap_stream_ops
= {
372 .accept_connection
= ldapsrv_accept
,
373 .recv_handler
= ldapsrv_recv
,
374 .send_handler
= ldapsrv_send
,
378 add a socket address to the list of events, one event per port
380 static NTSTATUS
add_socket(struct event_context
*event_context
,
381 const struct model_ops
*model_ops
,
382 const char *address
, struct ldapsrv_service
*ldap_service
)
387 status
= stream_setup_socket(event_context
, model_ops
, &ldap_stream_ops
,
388 "ipv4", address
, &port
, ldap_service
);
389 if (!NT_STATUS_IS_OK(status
)) {
390 DEBUG(0,("ldapsrv failed to bind to %s:%u - %s\n",
391 address
, port
, nt_errstr(status
)));
394 if (tls_support(ldap_service
->tls_params
)) {
395 /* add ldaps server */
397 status
= stream_setup_socket(event_context
, model_ops
, &ldap_stream_ops
,
398 "ipv4", address
, &port
, ldap_service
);
399 if (!NT_STATUS_IS_OK(status
)) {
400 DEBUG(0,("ldapsrv failed to bind to %s:%u - %s\n",
401 address
, port
, nt_errstr(status
)));
409 open the ldap server sockets
411 static void ldapsrv_task_init(struct task_server
*task
)
413 struct ldapsrv_service
*ldap_service
;
414 struct ldapsrv_partition
*rootDSE_part
;
415 struct ldapsrv_partition
*part
;
418 ldap_service
= talloc_zero(task
, struct ldapsrv_service
);
419 if (ldap_service
== NULL
) goto failed
;
421 ldap_service
->tls_params
= tls_initialise(ldap_service
);
422 if (ldap_service
->tls_params
== NULL
) goto failed
;
424 rootDSE_part
= talloc(ldap_service
, struct ldapsrv_partition
);
425 if (rootDSE_part
== NULL
) goto failed
;
427 rootDSE_part
->base_dn
= ""; /* RootDSE */
428 rootDSE_part
->ops
= ldapsrv_get_rootdse_partition_ops();
430 ldap_service
->rootDSE
= rootDSE_part
;
431 DLIST_ADD_END(ldap_service
->partitions
, rootDSE_part
, struct ldapsrv_partition
*);
433 part
= talloc(ldap_service
, struct ldapsrv_partition
);
434 if (part
== NULL
) goto failed
;
436 part
->base_dn
= "*"; /* default partition */
437 if (lp_parm_bool(-1, "ldapsrv", "hacked", False
)) {
438 part
->ops
= ldapsrv_get_hldb_partition_ops();
440 part
->ops
= ldapsrv_get_sldb_partition_ops();
443 ldap_service
->default_partition
= part
;
444 DLIST_ADD_END(ldap_service
->partitions
, part
, struct ldapsrv_partition
*);
446 if (lp_interfaces() && lp_bind_interfaces_only()) {
447 int num_interfaces
= iface_count();
450 /* We have been given an interfaces line, and been
451 told to only bind to those interfaces. Create a
452 socket per interface and bind to only these.
454 for(i
= 0; i
< num_interfaces
; i
++) {
455 const char *address
= iface_n_ip(i
);
456 status
= add_socket(task
->event_ctx
, task
->model_ops
, address
, ldap_service
);
457 if (!NT_STATUS_IS_OK(status
)) goto failed
;
460 status
= add_socket(task
->event_ctx
, task
->model_ops
, lp_socket_address(), ldap_service
);
461 if (!NT_STATUS_IS_OK(status
)) goto failed
;
467 task_server_terminate(task
, "Failed to startup ldap server task");
471 called on startup of the web server service It's job is to start
472 listening on all configured sockets
474 static NTSTATUS
ldapsrv_init(struct event_context
*event_context
,
475 const struct model_ops
*model_ops
)
477 return task_server_startup(event_context
, model_ops
, ldapsrv_task_init
);
481 NTSTATUS
server_service_ldap_init(void)
483 return register_server_service("ldap", ldapsrv_init
);