use unsigned instead of uint32_t for LDB counters.
[Samba/cd1.git] / source4 / ldap_server / ldap_server.c
blob28e6f21f3d968c2b3d19f29b98675847cc2d41f3
1 /*
2 Unix SMB/CIFS implementation.
4 LDAP server
6 Copyright (C) Andrew Tridgell 2005
7 Copyright (C) Volker Lendecke 2004
8 Copyright (C) Stefan Metzmacher 2004
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "includes.h"
25 #include "lib/events/events.h"
26 #include "auth/auth.h"
27 #include "auth/credentials/credentials.h"
28 #include "librpc/gen_ndr/ndr_samr.h"
29 #include "../lib/util/dlinklist.h"
30 #include "../lib/util/asn1.h"
31 #include "ldap_server/ldap_server.h"
32 #include "smbd/service_task.h"
33 #include "smbd/service_stream.h"
34 #include "smbd/service.h"
35 #include "smbd/process_model.h"
36 #include "lib/tls/tls.h"
37 #include "lib/messaging/irpc.h"
38 #include "lib/ldb/include/ldb.h"
39 #include "lib/ldb/include/ldb_errors.h"
40 #include "libcli/ldap/ldap.h"
41 #include "libcli/ldap/ldap_proto.h"
42 #include "system/network.h"
43 #include "lib/socket/netif.h"
44 #include "dsdb/samdb/samdb.h"
45 #include "param/param.h"
47 close the socket and shutdown a server_context
49 void ldapsrv_terminate_connection(struct ldapsrv_connection *conn,
50 const char *reason)
52 packet_recv_disable(conn->packet);
53 TALLOC_FREE(conn->packet);
54 TALLOC_FREE(conn->sockets.tls);
55 stream_terminate_connection(conn->connection, reason);
59 handle packet errors
61 static void ldapsrv_error_handler(void *private_data, NTSTATUS status)
63 struct ldapsrv_connection *conn = talloc_get_type(private_data,
64 struct ldapsrv_connection);
65 ldapsrv_terminate_connection(conn, nt_errstr(status));
69 process a decoded ldap message
71 static void ldapsrv_process_message(struct ldapsrv_connection *conn,
72 struct ldap_message *msg)
74 struct ldapsrv_call *call;
75 NTSTATUS status;
76 DATA_BLOB blob;
78 call = talloc(conn, struct ldapsrv_call);
79 if (!call) {
80 ldapsrv_terminate_connection(conn, "no memory");
81 return;
84 call->request = talloc_steal(call, msg);
85 call->conn = conn;
86 call->replies = NULL;
87 call->send_callback = NULL;
88 call->send_private = NULL;
90 /* make the call */
91 status = ldapsrv_do_call(call);
92 if (!NT_STATUS_IS_OK(status)) {
93 talloc_free(call);
94 return;
97 blob = data_blob(NULL, 0);
99 if (call->replies == NULL) {
100 talloc_free(call);
101 return;
104 /* build all the replies into a single blob */
105 while (call->replies) {
106 DATA_BLOB b;
107 bool ret;
109 msg = call->replies->msg;
110 if (!ldap_encode(msg, samba_ldap_control_handlers(), &b, call)) {
111 DEBUG(0,("Failed to encode ldap reply of type %d\n", msg->type));
112 talloc_free(call);
113 return;
116 ret = data_blob_append(call, &blob, b.data, b.length);
117 data_blob_free(&b);
119 talloc_set_name_const(blob.data, "Outgoing, encoded LDAP packet");
121 if (!ret) {
122 talloc_free(call);
123 return;
126 DLIST_REMOVE(call->replies, call->replies);
129 packet_send_callback(conn->packet, blob,
130 call->send_callback, call->send_private);
131 talloc_free(call);
132 return;
136 decode/process data
138 static NTSTATUS ldapsrv_decode(void *private_data, DATA_BLOB blob)
140 NTSTATUS status;
141 struct ldapsrv_connection *conn = talloc_get_type(private_data,
142 struct ldapsrv_connection);
143 struct asn1_data *asn1 = asn1_init(conn);
144 struct ldap_message *msg = talloc(conn, struct ldap_message);
146 if (asn1 == NULL || msg == NULL) {
147 return NT_STATUS_NO_MEMORY;
150 if (!asn1_load(asn1, blob)) {
151 talloc_free(msg);
152 talloc_free(asn1);
153 return NT_STATUS_NO_MEMORY;
156 status = ldap_decode(asn1, samba_ldap_control_handlers(), msg);
157 if (!NT_STATUS_IS_OK(status)) {
158 asn1_free(asn1);
159 return status;
162 data_blob_free(&blob);
163 talloc_steal(conn, msg);
164 asn1_free(asn1);
166 ldapsrv_process_message(conn, msg);
167 return NT_STATUS_OK;
171 Idle timeout handler
173 static void ldapsrv_conn_idle_timeout(struct tevent_context *ev,
174 struct tevent_timer *te,
175 struct timeval t,
176 void *private_data)
178 struct ldapsrv_connection *conn = talloc_get_type(private_data, struct ldapsrv_connection);
180 ldapsrv_terminate_connection(conn, "Timeout. No requests after bind");
184 called when a LDAP socket becomes readable
186 void ldapsrv_recv(struct stream_connection *c, uint16_t flags)
188 struct ldapsrv_connection *conn =
189 talloc_get_type(c->private_data, struct ldapsrv_connection);
191 if (conn->limits.ite) { /* clean initial timeout if any */
192 talloc_free(conn->limits.ite);
193 conn->limits.ite = NULL;
196 if (conn->limits.te) { /* clean idle timeout if any */
197 talloc_free(conn->limits.te);
198 conn->limits.te = NULL;
201 packet_recv(conn->packet);
203 /* set idle timeout */
204 conn->limits.te = event_add_timed(c->event.ctx, conn,
205 timeval_current_ofs(conn->limits.conn_idle_time, 0),
206 ldapsrv_conn_idle_timeout, conn);
210 called when a LDAP socket becomes writable
212 static void ldapsrv_send(struct stream_connection *c, uint16_t flags)
214 struct ldapsrv_connection *conn =
215 talloc_get_type(c->private_data, struct ldapsrv_connection);
217 packet_queue_run(conn->packet);
220 static void ldapsrv_conn_init_timeout(struct tevent_context *ev,
221 struct tevent_timer *te,
222 struct timeval t,
223 void *private_data)
225 struct ldapsrv_connection *conn = talloc_get_type(private_data, struct ldapsrv_connection);
227 ldapsrv_terminate_connection(conn, "Timeout. No requests after initial connection");
230 static int ldapsrv_load_limits(struct ldapsrv_connection *conn)
232 TALLOC_CTX *tmp_ctx;
233 const char *attrs[] = { "configurationNamingContext", NULL };
234 const char *attrs2[] = { "lDAPAdminLimits", NULL };
235 struct ldb_message_element *el;
236 struct ldb_result *res = NULL;
237 struct ldb_dn *basedn;
238 struct ldb_dn *conf_dn;
239 struct ldb_dn *policy_dn;
240 unsigned int i;
241 int ret;
243 /* set defaults limits in case of failure */
244 conn->limits.initial_timeout = 120;
245 conn->limits.conn_idle_time = 900;
246 conn->limits.max_page_size = 1000;
247 conn->limits.search_timeout = 120;
250 tmp_ctx = talloc_new(conn);
251 if (tmp_ctx == NULL) {
252 return -1;
255 basedn = ldb_dn_new(tmp_ctx, conn->ldb, NULL);
256 if ( ! ldb_dn_validate(basedn)) {
257 goto failed;
260 ret = ldb_search(conn->ldb, tmp_ctx, &res, basedn, LDB_SCOPE_BASE, attrs, NULL);
261 if (ret != LDB_SUCCESS) {
262 goto failed;
265 if (res->count != 1) {
266 goto failed;
269 conf_dn = ldb_msg_find_attr_as_dn(conn->ldb, tmp_ctx, res->msgs[0], "configurationNamingContext");
270 if (conf_dn == NULL) {
271 goto failed;
274 policy_dn = ldb_dn_copy(tmp_ctx, conf_dn);
275 ldb_dn_add_child_fmt(policy_dn, "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services");
276 if (policy_dn == NULL) {
277 goto failed;
280 ret = ldb_search(conn->ldb, tmp_ctx, &res, policy_dn, LDB_SCOPE_BASE, attrs2, NULL);
281 if (ret != LDB_SUCCESS) {
282 goto failed;
285 if (res->count != 1) {
286 goto failed;
289 el = ldb_msg_find_element(res->msgs[0], "lDAPAdminLimits");
290 if (el == NULL) {
291 goto failed;
294 for (i = 0; i < el->num_values; i++) {
295 char policy_name[256];
296 int policy_value, s;
298 s = sscanf((const char *)el->values[i].data, "%255[^=]=%d", policy_name, &policy_value);
299 if (ret != 2 || policy_value == 0)
300 continue;
302 if (strcasecmp("InitRecvTimeout", policy_name) == 0) {
303 conn->limits.initial_timeout = policy_value;
304 continue;
306 if (strcasecmp("MaxConnIdleTime", policy_name) == 0) {
307 conn->limits.conn_idle_time = policy_value;
308 continue;
310 if (strcasecmp("MaxPageSize", policy_name) == 0) {
311 conn->limits.max_page_size = policy_value;
312 continue;
314 if (strcasecmp("MaxQueryDuration", policy_name) == 0) {
315 conn->limits.search_timeout = policy_value;
316 continue;
320 return 0;
322 failed:
323 DEBUG(0, ("Failed to load ldap server query policies\n"));
324 talloc_free(tmp_ctx);
325 return -1;
329 initialise a server_context from a open socket and register a event handler
330 for reading from that socket
332 static void ldapsrv_accept(struct stream_connection *c,
333 struct auth_session_info *session_info)
335 struct ldapsrv_service *ldapsrv_service =
336 talloc_get_type(c->private_data, struct ldapsrv_service);
337 struct ldapsrv_connection *conn;
338 struct cli_credentials *server_credentials;
339 struct socket_address *socket_address;
340 NTSTATUS status;
341 int port;
343 conn = talloc_zero(c, struct ldapsrv_connection);
344 if (!conn) {
345 stream_terminate_connection(c, "ldapsrv_accept: out of memory");
346 return;
349 conn->packet = NULL;
350 conn->connection = c;
351 conn->service = ldapsrv_service;
352 conn->sockets.raw = c->socket;
353 conn->lp_ctx = ldapsrv_service->task->lp_ctx;
355 c->private_data = conn;
357 socket_address = socket_get_my_addr(c->socket, conn);
358 if (!socket_address) {
359 ldapsrv_terminate_connection(conn, "ldapsrv_accept: failed to obtain local socket address!");
360 return;
362 port = socket_address->port;
363 talloc_free(socket_address);
365 if (port == 636) {
366 struct socket_context *tls_socket = tls_init_server(ldapsrv_service->tls_params, c->socket,
367 c->event.fde, NULL);
368 if (!tls_socket) {
369 ldapsrv_terminate_connection(conn, "ldapsrv_accept: tls_init_server() failed");
370 return;
372 talloc_steal(c, tls_socket);
373 c->socket = tls_socket;
374 conn->sockets.tls = tls_socket;
376 } else if (port == 3268) /* Global catalog */ {
377 conn->global_catalog = true;
379 conn->packet = packet_init(conn);
380 if (conn->packet == NULL) {
381 ldapsrv_terminate_connection(conn, "out of memory");
382 return;
385 packet_set_private(conn->packet, conn);
386 packet_set_socket(conn->packet, c->socket);
387 packet_set_callback(conn->packet, ldapsrv_decode);
388 packet_set_full_request(conn->packet, ldap_full_packet);
389 packet_set_error_handler(conn->packet, ldapsrv_error_handler);
390 packet_set_event_context(conn->packet, c->event.ctx);
391 packet_set_fde(conn->packet, c->event.fde);
392 packet_set_serialise(conn->packet);
394 if (conn->sockets.tls) {
395 packet_set_unreliable_select(conn->packet);
398 /* Ensure we don't get packets until the database is ready below */
399 packet_recv_disable(conn->packet);
401 server_credentials = cli_credentials_init(conn);
402 if (!server_credentials) {
403 stream_terminate_connection(c, "Failed to init server credentials\n");
404 return;
407 cli_credentials_set_conf(server_credentials, conn->lp_ctx);
408 status = cli_credentials_set_machine_account(server_credentials, conn->lp_ctx);
409 if (!NT_STATUS_IS_OK(status)) {
410 stream_terminate_connection(c, talloc_asprintf(conn, "Failed to obtain server credentials, perhaps a standalone server?: %s\n", nt_errstr(status)));
411 return;
413 conn->server_credentials = server_credentials;
415 conn->session_info = talloc_move(conn, &session_info);
417 if (!NT_STATUS_IS_OK(ldapsrv_backend_Init(conn))) {
418 ldapsrv_terminate_connection(conn, "backend Init failed");
419 return;
422 /* load limits from the conf partition */
423 ldapsrv_load_limits(conn); /* should we fail on error ? */
425 /* register the server */
426 irpc_add_name(c->msg_ctx, "ldap_server");
428 /* set connections limits */
429 conn->limits.ite = event_add_timed(c->event.ctx, conn,
430 timeval_current_ofs(conn->limits.initial_timeout, 0),
431 ldapsrv_conn_init_timeout, conn);
433 packet_recv_enable(conn->packet);
437 static void ldapsrv_accept_nonpriv(struct stream_connection *c)
439 struct ldapsrv_service *ldapsrv_service = talloc_get_type_abort(
440 c->private_data, struct ldapsrv_service);
441 struct auth_session_info *session_info;
442 NTSTATUS status;
444 status = auth_anonymous_session_info(
445 c, c->event.ctx, ldapsrv_service->task->lp_ctx, &session_info);
446 if (!NT_STATUS_IS_OK(status)) {
447 stream_terminate_connection(c, "failed to setup anonymous "
448 "session info");
449 return;
451 ldapsrv_accept(c, session_info);
454 static const struct stream_server_ops ldap_stream_nonpriv_ops = {
455 .name = "ldap",
456 .accept_connection = ldapsrv_accept_nonpriv,
457 .recv_handler = ldapsrv_recv,
458 .send_handler = ldapsrv_send,
461 /* The feature removed behind an #ifdef until we can do it properly
462 * with an EXTERNAL bind. */
464 #define WITH_LDAPI_PRIV_SOCKET
466 #ifdef WITH_LDAPI_PRIV_SOCKET
467 static void ldapsrv_accept_priv(struct stream_connection *c)
469 struct ldapsrv_service *ldapsrv_service = talloc_get_type_abort(
470 c->private_data, struct ldapsrv_service);
471 struct auth_session_info *session_info;
473 session_info = system_session(ldapsrv_service->task->lp_ctx);
474 if (!session_info) {
475 stream_terminate_connection(c, "failed to setup system "
476 "session info");
477 return;
479 ldapsrv_accept(c, session_info);
482 static const struct stream_server_ops ldap_stream_priv_ops = {
483 .name = "ldap",
484 .accept_connection = ldapsrv_accept_priv,
485 .recv_handler = ldapsrv_recv,
486 .send_handler = ldapsrv_send,
489 #endif
491 add a socket address to the list of events, one event per port
493 static NTSTATUS add_socket(struct tevent_context *event_context,
494 struct loadparm_context *lp_ctx,
495 const struct model_ops *model_ops,
496 const char *address, struct ldapsrv_service *ldap_service)
498 uint16_t port = 389;
499 NTSTATUS status;
500 struct ldb_context *ldb;
502 status = stream_setup_socket(event_context, lp_ctx,
503 model_ops, &ldap_stream_nonpriv_ops,
504 "ipv4", address, &port,
505 lp_socket_options(lp_ctx),
506 ldap_service);
507 if (!NT_STATUS_IS_OK(status)) {
508 DEBUG(0,("ldapsrv failed to bind to %s:%u - %s\n",
509 address, port, nt_errstr(status)));
512 if (tls_support(ldap_service->tls_params)) {
513 /* add ldaps server */
514 port = 636;
515 status = stream_setup_socket(event_context, lp_ctx,
516 model_ops,
517 &ldap_stream_nonpriv_ops,
518 "ipv4", address, &port,
519 lp_socket_options(lp_ctx),
520 ldap_service);
521 if (!NT_STATUS_IS_OK(status)) {
522 DEBUG(0,("ldapsrv failed to bind to %s:%u - %s\n",
523 address, port, nt_errstr(status)));
527 /* Load LDAP database, but only to read our settings */
528 ldb = samdb_connect(ldap_service, ldap_service->task->event_ctx,
529 lp_ctx, system_session(lp_ctx));
530 if (!ldb) {
531 return NT_STATUS_INTERNAL_DB_CORRUPTION;
534 if (samdb_is_gc(ldb)) {
535 port = 3268;
536 status = stream_setup_socket(event_context, lp_ctx,
537 model_ops,
538 &ldap_stream_nonpriv_ops,
539 "ipv4", address, &port,
540 lp_socket_options(lp_ctx),
541 ldap_service);
542 if (!NT_STATUS_IS_OK(status)) {
543 DEBUG(0,("ldapsrv failed to bind to %s:%u - %s\n",
544 address, port, nt_errstr(status)));
548 /* And once we are bound, free the tempoary ldb, it will
549 * connect again on each incoming LDAP connection */
550 talloc_unlink(ldap_service, ldb);
552 return status;
556 open the ldap server sockets
558 static void ldapsrv_task_init(struct task_server *task)
560 char *ldapi_path;
561 #ifdef WITH_LDAPI_PRIV_SOCKET
562 char *priv_dir;
563 #endif
564 struct ldapsrv_service *ldap_service;
565 NTSTATUS status;
566 const struct model_ops *model_ops;
568 switch (lp_server_role(task->lp_ctx)) {
569 case ROLE_STANDALONE:
570 task_server_terminate(task, "ldap_server: no LDAP server required in standalone configuration",
571 false);
572 return;
573 case ROLE_DOMAIN_MEMBER:
574 task_server_terminate(task, "ldap_server: no LDAP server required in member server configuration",
575 false);
576 return;
577 case ROLE_DOMAIN_CONTROLLER:
578 /* Yes, we want an LDAP server */
579 break;
582 task_server_set_title(task, "task[ldapsrv]");
584 /* run the ldap server as a single process */
585 model_ops = process_model_startup(task->event_ctx, "single");
586 if (!model_ops) goto failed;
588 ldap_service = talloc_zero(task, struct ldapsrv_service);
589 if (ldap_service == NULL) goto failed;
591 ldap_service->task = task;
593 ldap_service->tls_params = tls_initialise(ldap_service, task->lp_ctx);
594 if (ldap_service->tls_params == NULL) goto failed;
596 if (lp_interfaces(task->lp_ctx) && lp_bind_interfaces_only(task->lp_ctx)) {
597 struct interface *ifaces;
598 int num_interfaces;
599 int i;
601 load_interfaces(task, lp_interfaces(task->lp_ctx), &ifaces);
602 num_interfaces = iface_count(ifaces);
604 /* We have been given an interfaces line, and been
605 told to only bind to those interfaces. Create a
606 socket per interface and bind to only these.
608 for(i = 0; i < num_interfaces; i++) {
609 const char *address = iface_n_ip(ifaces, i);
610 status = add_socket(task->event_ctx, task->lp_ctx, model_ops, address, ldap_service);
611 if (!NT_STATUS_IS_OK(status)) goto failed;
613 } else {
614 status = add_socket(task->event_ctx, task->lp_ctx, model_ops,
615 lp_socket_address(task->lp_ctx), ldap_service);
616 if (!NT_STATUS_IS_OK(status)) goto failed;
619 ldapi_path = private_path(ldap_service, task->lp_ctx, "ldapi");
620 if (!ldapi_path) {
621 goto failed;
624 status = stream_setup_socket(task->event_ctx, task->lp_ctx,
625 model_ops, &ldap_stream_nonpriv_ops,
626 "unix", ldapi_path, NULL,
627 lp_socket_options(task->lp_ctx),
628 ldap_service);
629 talloc_free(ldapi_path);
630 if (!NT_STATUS_IS_OK(status)) {
631 DEBUG(0,("ldapsrv failed to bind to %s - %s\n",
632 ldapi_path, nt_errstr(status)));
635 #ifdef WITH_LDAPI_PRIV_SOCKET
636 priv_dir = private_path(ldap_service, task->lp_ctx, "ldap_priv");
637 if (priv_dir == NULL) {
638 goto failed;
641 * Make sure the directory for the privileged ldapi socket exists, and
642 * is of the correct permissions
644 if (!directory_create_or_exist(priv_dir, geteuid(), 0750)) {
645 task_server_terminate(task, "Cannot create ldap "
646 "privileged ldapi directory", true);
647 return;
649 ldapi_path = talloc_asprintf(ldap_service, "%s/ldapi", priv_dir);
650 talloc_free(priv_dir);
651 if (ldapi_path == NULL) {
652 goto failed;
655 status = stream_setup_socket(task->event_ctx, task->lp_ctx,
656 model_ops, &ldap_stream_priv_ops,
657 "unix", ldapi_path, NULL,
658 lp_socket_options(task->lp_ctx),
659 ldap_service);
660 talloc_free(ldapi_path);
661 if (!NT_STATUS_IS_OK(status)) {
662 DEBUG(0,("ldapsrv failed to bind to %s - %s\n",
663 ldapi_path, nt_errstr(status)));
666 #endif
667 return;
669 failed:
670 task_server_terminate(task, "Failed to startup ldap server task", true);
674 NTSTATUS server_service_ldap_init(void)
676 return register_server_service("ldap", ldapsrv_task_init);