2 Unix SMB/CIFS implementation.
6 Copyright (C) Andrew Tridgell 2005
7 Copyright (C) Volker Lendecke 2004
8 Copyright (C) Stefan Metzmacher 2004
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "lib/events/events.h"
26 #include "auth/auth.h"
27 #include "auth/credentials/credentials.h"
28 #include "librpc/gen_ndr/ndr_samr.h"
29 #include "../lib/util/dlinklist.h"
30 #include "../lib/util/asn1.h"
31 #include "ldap_server/ldap_server.h"
32 #include "smbd/service_task.h"
33 #include "smbd/service_stream.h"
34 #include "smbd/service.h"
35 #include "smbd/process_model.h"
36 #include "lib/tls/tls.h"
37 #include "lib/messaging/irpc.h"
38 #include "lib/ldb/include/ldb.h"
39 #include "lib/ldb/include/ldb_errors.h"
40 #include "libcli/ldap/ldap.h"
41 #include "libcli/ldap/ldap_proto.h"
42 #include "system/network.h"
43 #include "lib/socket/netif.h"
44 #include "dsdb/samdb/samdb.h"
45 #include "param/param.h"
47 close the socket and shutdown a server_context
49 void ldapsrv_terminate_connection(struct ldapsrv_connection
*conn
,
52 packet_recv_disable(conn
->packet
);
53 TALLOC_FREE(conn
->packet
);
54 TALLOC_FREE(conn
->sockets
.tls
);
55 stream_terminate_connection(conn
->connection
, reason
);
61 static void ldapsrv_error_handler(void *private_data
, NTSTATUS status
)
63 struct ldapsrv_connection
*conn
= talloc_get_type(private_data
,
64 struct ldapsrv_connection
);
65 ldapsrv_terminate_connection(conn
, nt_errstr(status
));
69 process a decoded ldap message
71 static void ldapsrv_process_message(struct ldapsrv_connection
*conn
,
72 struct ldap_message
*msg
)
74 struct ldapsrv_call
*call
;
78 call
= talloc(conn
, struct ldapsrv_call
);
80 ldapsrv_terminate_connection(conn
, "no memory");
84 call
->request
= talloc_steal(call
, msg
);
87 call
->send_callback
= NULL
;
88 call
->send_private
= NULL
;
91 status
= ldapsrv_do_call(call
);
92 if (!NT_STATUS_IS_OK(status
)) {
97 blob
= data_blob(NULL
, 0);
99 if (call
->replies
== NULL
) {
104 /* build all the replies into a single blob */
105 while (call
->replies
) {
109 msg
= call
->replies
->msg
;
110 if (!ldap_encode(msg
, samba_ldap_control_handlers(), &b
, call
)) {
111 DEBUG(0,("Failed to encode ldap reply of type %d\n", msg
->type
));
116 ret
= data_blob_append(call
, &blob
, b
.data
, b
.length
);
119 talloc_set_name_const(blob
.data
, "Outgoing, encoded LDAP packet");
126 DLIST_REMOVE(call
->replies
, call
->replies
);
129 packet_send_callback(conn
->packet
, blob
,
130 call
->send_callback
, call
->send_private
);
138 static NTSTATUS
ldapsrv_decode(void *private_data
, DATA_BLOB blob
)
141 struct ldapsrv_connection
*conn
= talloc_get_type(private_data
,
142 struct ldapsrv_connection
);
143 struct asn1_data
*asn1
= asn1_init(conn
);
144 struct ldap_message
*msg
= talloc(conn
, struct ldap_message
);
146 if (asn1
== NULL
|| msg
== NULL
) {
147 return NT_STATUS_NO_MEMORY
;
150 if (!asn1_load(asn1
, blob
)) {
153 return NT_STATUS_NO_MEMORY
;
156 status
= ldap_decode(asn1
, samba_ldap_control_handlers(), msg
);
157 if (!NT_STATUS_IS_OK(status
)) {
162 data_blob_free(&blob
);
163 talloc_steal(conn
, msg
);
166 ldapsrv_process_message(conn
, msg
);
173 static void ldapsrv_conn_idle_timeout(struct tevent_context
*ev
,
174 struct tevent_timer
*te
,
178 struct ldapsrv_connection
*conn
= talloc_get_type(private_data
, struct ldapsrv_connection
);
180 ldapsrv_terminate_connection(conn
, "Timeout. No requests after bind");
184 called when a LDAP socket becomes readable
186 void ldapsrv_recv(struct stream_connection
*c
, uint16_t flags
)
188 struct ldapsrv_connection
*conn
=
189 talloc_get_type(c
->private_data
, struct ldapsrv_connection
);
191 if (conn
->limits
.ite
) { /* clean initial timeout if any */
192 talloc_free(conn
->limits
.ite
);
193 conn
->limits
.ite
= NULL
;
196 if (conn
->limits
.te
) { /* clean idle timeout if any */
197 talloc_free(conn
->limits
.te
);
198 conn
->limits
.te
= NULL
;
201 packet_recv(conn
->packet
);
203 /* set idle timeout */
204 conn
->limits
.te
= event_add_timed(c
->event
.ctx
, conn
,
205 timeval_current_ofs(conn
->limits
.conn_idle_time
, 0),
206 ldapsrv_conn_idle_timeout
, conn
);
210 called when a LDAP socket becomes writable
212 static void ldapsrv_send(struct stream_connection
*c
, uint16_t flags
)
214 struct ldapsrv_connection
*conn
=
215 talloc_get_type(c
->private_data
, struct ldapsrv_connection
);
217 packet_queue_run(conn
->packet
);
220 static void ldapsrv_conn_init_timeout(struct tevent_context
*ev
,
221 struct tevent_timer
*te
,
225 struct ldapsrv_connection
*conn
= talloc_get_type(private_data
, struct ldapsrv_connection
);
227 ldapsrv_terminate_connection(conn
, "Timeout. No requests after initial connection");
230 static int ldapsrv_load_limits(struct ldapsrv_connection
*conn
)
233 const char *attrs
[] = { "configurationNamingContext", NULL
};
234 const char *attrs2
[] = { "lDAPAdminLimits", NULL
};
235 struct ldb_message_element
*el
;
236 struct ldb_result
*res
= NULL
;
237 struct ldb_dn
*basedn
;
238 struct ldb_dn
*conf_dn
;
239 struct ldb_dn
*policy_dn
;
243 /* set defaults limits in case of failure */
244 conn
->limits
.initial_timeout
= 120;
245 conn
->limits
.conn_idle_time
= 900;
246 conn
->limits
.max_page_size
= 1000;
247 conn
->limits
.search_timeout
= 120;
250 tmp_ctx
= talloc_new(conn
);
251 if (tmp_ctx
== NULL
) {
255 basedn
= ldb_dn_new(tmp_ctx
, conn
->ldb
, NULL
);
256 if ( ! ldb_dn_validate(basedn
)) {
260 ret
= ldb_search(conn
->ldb
, tmp_ctx
, &res
, basedn
, LDB_SCOPE_BASE
, attrs
, NULL
);
261 if (ret
!= LDB_SUCCESS
) {
265 if (res
->count
!= 1) {
269 conf_dn
= ldb_msg_find_attr_as_dn(conn
->ldb
, tmp_ctx
, res
->msgs
[0], "configurationNamingContext");
270 if (conf_dn
== NULL
) {
274 policy_dn
= ldb_dn_copy(tmp_ctx
, conf_dn
);
275 ldb_dn_add_child_fmt(policy_dn
, "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services");
276 if (policy_dn
== NULL
) {
280 ret
= ldb_search(conn
->ldb
, tmp_ctx
, &res
, policy_dn
, LDB_SCOPE_BASE
, attrs2
, NULL
);
281 if (ret
!= LDB_SUCCESS
) {
285 if (res
->count
!= 1) {
289 el
= ldb_msg_find_element(res
->msgs
[0], "lDAPAdminLimits");
294 for (i
= 0; i
< el
->num_values
; i
++) {
295 char policy_name
[256];
298 s
= sscanf((const char *)el
->values
[i
].data
, "%255[^=]=%d", policy_name
, &policy_value
);
299 if (ret
!= 2 || policy_value
== 0)
302 if (strcasecmp("InitRecvTimeout", policy_name
) == 0) {
303 conn
->limits
.initial_timeout
= policy_value
;
306 if (strcasecmp("MaxConnIdleTime", policy_name
) == 0) {
307 conn
->limits
.conn_idle_time
= policy_value
;
310 if (strcasecmp("MaxPageSize", policy_name
) == 0) {
311 conn
->limits
.max_page_size
= policy_value
;
314 if (strcasecmp("MaxQueryDuration", policy_name
) == 0) {
315 conn
->limits
.search_timeout
= policy_value
;
323 DEBUG(0, ("Failed to load ldap server query policies\n"));
324 talloc_free(tmp_ctx
);
329 initialise a server_context from a open socket and register a event handler
330 for reading from that socket
332 static void ldapsrv_accept(struct stream_connection
*c
,
333 struct auth_session_info
*session_info
)
335 struct ldapsrv_service
*ldapsrv_service
=
336 talloc_get_type(c
->private_data
, struct ldapsrv_service
);
337 struct ldapsrv_connection
*conn
;
338 struct cli_credentials
*server_credentials
;
339 struct socket_address
*socket_address
;
343 conn
= talloc_zero(c
, struct ldapsrv_connection
);
345 stream_terminate_connection(c
, "ldapsrv_accept: out of memory");
350 conn
->connection
= c
;
351 conn
->service
= ldapsrv_service
;
352 conn
->sockets
.raw
= c
->socket
;
353 conn
->lp_ctx
= ldapsrv_service
->task
->lp_ctx
;
355 c
->private_data
= conn
;
357 socket_address
= socket_get_my_addr(c
->socket
, conn
);
358 if (!socket_address
) {
359 ldapsrv_terminate_connection(conn
, "ldapsrv_accept: failed to obtain local socket address!");
362 port
= socket_address
->port
;
363 talloc_free(socket_address
);
366 struct socket_context
*tls_socket
= tls_init_server(ldapsrv_service
->tls_params
, c
->socket
,
369 ldapsrv_terminate_connection(conn
, "ldapsrv_accept: tls_init_server() failed");
372 talloc_steal(c
, tls_socket
);
373 c
->socket
= tls_socket
;
374 conn
->sockets
.tls
= tls_socket
;
376 } else if (port
== 3268) /* Global catalog */ {
377 conn
->global_catalog
= true;
379 conn
->packet
= packet_init(conn
);
380 if (conn
->packet
== NULL
) {
381 ldapsrv_terminate_connection(conn
, "out of memory");
385 packet_set_private(conn
->packet
, conn
);
386 packet_set_socket(conn
->packet
, c
->socket
);
387 packet_set_callback(conn
->packet
, ldapsrv_decode
);
388 packet_set_full_request(conn
->packet
, ldap_full_packet
);
389 packet_set_error_handler(conn
->packet
, ldapsrv_error_handler
);
390 packet_set_event_context(conn
->packet
, c
->event
.ctx
);
391 packet_set_fde(conn
->packet
, c
->event
.fde
);
392 packet_set_serialise(conn
->packet
);
394 if (conn
->sockets
.tls
) {
395 packet_set_unreliable_select(conn
->packet
);
398 /* Ensure we don't get packets until the database is ready below */
399 packet_recv_disable(conn
->packet
);
401 server_credentials
= cli_credentials_init(conn
);
402 if (!server_credentials
) {
403 stream_terminate_connection(c
, "Failed to init server credentials\n");
407 cli_credentials_set_conf(server_credentials
, conn
->lp_ctx
);
408 status
= cli_credentials_set_machine_account(server_credentials
, conn
->lp_ctx
);
409 if (!NT_STATUS_IS_OK(status
)) {
410 stream_terminate_connection(c
, talloc_asprintf(conn
, "Failed to obtain server credentials, perhaps a standalone server?: %s\n", nt_errstr(status
)));
413 conn
->server_credentials
= server_credentials
;
415 conn
->session_info
= talloc_move(conn
, &session_info
);
417 if (!NT_STATUS_IS_OK(ldapsrv_backend_Init(conn
))) {
418 ldapsrv_terminate_connection(conn
, "backend Init failed");
422 /* load limits from the conf partition */
423 ldapsrv_load_limits(conn
); /* should we fail on error ? */
425 /* register the server */
426 irpc_add_name(c
->msg_ctx
, "ldap_server");
428 /* set connections limits */
429 conn
->limits
.ite
= event_add_timed(c
->event
.ctx
, conn
,
430 timeval_current_ofs(conn
->limits
.initial_timeout
, 0),
431 ldapsrv_conn_init_timeout
, conn
);
433 packet_recv_enable(conn
->packet
);
437 static void ldapsrv_accept_nonpriv(struct stream_connection
*c
)
439 struct ldapsrv_service
*ldapsrv_service
= talloc_get_type_abort(
440 c
->private_data
, struct ldapsrv_service
);
441 struct auth_session_info
*session_info
;
444 status
= auth_anonymous_session_info(
445 c
, c
->event
.ctx
, ldapsrv_service
->task
->lp_ctx
, &session_info
);
446 if (!NT_STATUS_IS_OK(status
)) {
447 stream_terminate_connection(c
, "failed to setup anonymous "
451 ldapsrv_accept(c
, session_info
);
454 static const struct stream_server_ops ldap_stream_nonpriv_ops
= {
456 .accept_connection
= ldapsrv_accept_nonpriv
,
457 .recv_handler
= ldapsrv_recv
,
458 .send_handler
= ldapsrv_send
,
461 /* The feature removed behind an #ifdef until we can do it properly
462 * with an EXTERNAL bind. */
464 #define WITH_LDAPI_PRIV_SOCKET
466 #ifdef WITH_LDAPI_PRIV_SOCKET
467 static void ldapsrv_accept_priv(struct stream_connection
*c
)
469 struct ldapsrv_service
*ldapsrv_service
= talloc_get_type_abort(
470 c
->private_data
, struct ldapsrv_service
);
471 struct auth_session_info
*session_info
;
473 session_info
= system_session(ldapsrv_service
->task
->lp_ctx
);
475 stream_terminate_connection(c
, "failed to setup system "
479 ldapsrv_accept(c
, session_info
);
482 static const struct stream_server_ops ldap_stream_priv_ops
= {
484 .accept_connection
= ldapsrv_accept_priv
,
485 .recv_handler
= ldapsrv_recv
,
486 .send_handler
= ldapsrv_send
,
491 add a socket address to the list of events, one event per port
493 static NTSTATUS
add_socket(struct tevent_context
*event_context
,
494 struct loadparm_context
*lp_ctx
,
495 const struct model_ops
*model_ops
,
496 const char *address
, struct ldapsrv_service
*ldap_service
)
500 struct ldb_context
*ldb
;
502 status
= stream_setup_socket(event_context
, lp_ctx
,
503 model_ops
, &ldap_stream_nonpriv_ops
,
504 "ipv4", address
, &port
,
505 lp_socket_options(lp_ctx
),
507 if (!NT_STATUS_IS_OK(status
)) {
508 DEBUG(0,("ldapsrv failed to bind to %s:%u - %s\n",
509 address
, port
, nt_errstr(status
)));
512 if (tls_support(ldap_service
->tls_params
)) {
513 /* add ldaps server */
515 status
= stream_setup_socket(event_context
, lp_ctx
,
517 &ldap_stream_nonpriv_ops
,
518 "ipv4", address
, &port
,
519 lp_socket_options(lp_ctx
),
521 if (!NT_STATUS_IS_OK(status
)) {
522 DEBUG(0,("ldapsrv failed to bind to %s:%u - %s\n",
523 address
, port
, nt_errstr(status
)));
527 /* Load LDAP database, but only to read our settings */
528 ldb
= samdb_connect(ldap_service
, ldap_service
->task
->event_ctx
,
529 lp_ctx
, system_session(lp_ctx
));
531 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
534 if (samdb_is_gc(ldb
)) {
536 status
= stream_setup_socket(event_context
, lp_ctx
,
538 &ldap_stream_nonpriv_ops
,
539 "ipv4", address
, &port
,
540 lp_socket_options(lp_ctx
),
542 if (!NT_STATUS_IS_OK(status
)) {
543 DEBUG(0,("ldapsrv failed to bind to %s:%u - %s\n",
544 address
, port
, nt_errstr(status
)));
548 /* And once we are bound, free the tempoary ldb, it will
549 * connect again on each incoming LDAP connection */
550 talloc_unlink(ldap_service
, ldb
);
556 open the ldap server sockets
558 static void ldapsrv_task_init(struct task_server
*task
)
561 #ifdef WITH_LDAPI_PRIV_SOCKET
564 struct ldapsrv_service
*ldap_service
;
566 const struct model_ops
*model_ops
;
568 switch (lp_server_role(task
->lp_ctx
)) {
569 case ROLE_STANDALONE
:
570 task_server_terminate(task
, "ldap_server: no LDAP server required in standalone configuration",
573 case ROLE_DOMAIN_MEMBER
:
574 task_server_terminate(task
, "ldap_server: no LDAP server required in member server configuration",
577 case ROLE_DOMAIN_CONTROLLER
:
578 /* Yes, we want an LDAP server */
582 task_server_set_title(task
, "task[ldapsrv]");
584 /* run the ldap server as a single process */
585 model_ops
= process_model_startup(task
->event_ctx
, "single");
586 if (!model_ops
) goto failed
;
588 ldap_service
= talloc_zero(task
, struct ldapsrv_service
);
589 if (ldap_service
== NULL
) goto failed
;
591 ldap_service
->task
= task
;
593 ldap_service
->tls_params
= tls_initialise(ldap_service
, task
->lp_ctx
);
594 if (ldap_service
->tls_params
== NULL
) goto failed
;
596 if (lp_interfaces(task
->lp_ctx
) && lp_bind_interfaces_only(task
->lp_ctx
)) {
597 struct interface
*ifaces
;
601 load_interfaces(task
, lp_interfaces(task
->lp_ctx
), &ifaces
);
602 num_interfaces
= iface_count(ifaces
);
604 /* We have been given an interfaces line, and been
605 told to only bind to those interfaces. Create a
606 socket per interface and bind to only these.
608 for(i
= 0; i
< num_interfaces
; i
++) {
609 const char *address
= iface_n_ip(ifaces
, i
);
610 status
= add_socket(task
->event_ctx
, task
->lp_ctx
, model_ops
, address
, ldap_service
);
611 if (!NT_STATUS_IS_OK(status
)) goto failed
;
614 status
= add_socket(task
->event_ctx
, task
->lp_ctx
, model_ops
,
615 lp_socket_address(task
->lp_ctx
), ldap_service
);
616 if (!NT_STATUS_IS_OK(status
)) goto failed
;
619 ldapi_path
= private_path(ldap_service
, task
->lp_ctx
, "ldapi");
624 status
= stream_setup_socket(task
->event_ctx
, task
->lp_ctx
,
625 model_ops
, &ldap_stream_nonpriv_ops
,
626 "unix", ldapi_path
, NULL
,
627 lp_socket_options(task
->lp_ctx
),
629 talloc_free(ldapi_path
);
630 if (!NT_STATUS_IS_OK(status
)) {
631 DEBUG(0,("ldapsrv failed to bind to %s - %s\n",
632 ldapi_path
, nt_errstr(status
)));
635 #ifdef WITH_LDAPI_PRIV_SOCKET
636 priv_dir
= private_path(ldap_service
, task
->lp_ctx
, "ldap_priv");
637 if (priv_dir
== NULL
) {
641 * Make sure the directory for the privileged ldapi socket exists, and
642 * is of the correct permissions
644 if (!directory_create_or_exist(priv_dir
, geteuid(), 0750)) {
645 task_server_terminate(task
, "Cannot create ldap "
646 "privileged ldapi directory", true);
649 ldapi_path
= talloc_asprintf(ldap_service
, "%s/ldapi", priv_dir
);
650 talloc_free(priv_dir
);
651 if (ldapi_path
== NULL
) {
655 status
= stream_setup_socket(task
->event_ctx
, task
->lp_ctx
,
656 model_ops
, &ldap_stream_priv_ops
,
657 "unix", ldapi_path
, NULL
,
658 lp_socket_options(task
->lp_ctx
),
660 talloc_free(ldapi_path
);
661 if (!NT_STATUS_IS_OK(status
)) {
662 DEBUG(0,("ldapsrv failed to bind to %s - %s\n",
663 ldapi_path
, nt_errstr(status
)));
670 task_server_terminate(task
, "Failed to startup ldap server task", true);
674 NTSTATUS
server_service_ldap_init(void)
676 return register_server_service("ldap", ldapsrv_task_init
);