search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
torture: fix typos
[Samba/ekacnet.git] / source4 / ldap_server / ldap_server.c
blob00698eec46c68277b976f2fe70b76e9576c885bf
1 /*
2 Unix SMB/CIFS implementation.
3
4 LDAP server
5
6 Copyright (C) Andrew Tridgell 2005
7 Copyright (C) Volker Lendecke 2004
8 Copyright (C) Stefan Metzmacher 2004
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "lib/events/events.h"
26 #include "auth/auth.h"
27 #include "auth/credentials/credentials.h"
28 #include "librpc/gen_ndr/ndr_samr.h"
29 #include "../lib/util/dlinklist.h"
30 #include "../lib/util/asn1.h"
31 #include "ldap_server/ldap_server.h"
32 #include "smbd/service_task.h"
33 #include "smbd/service_stream.h"
34 #include "smbd/service.h"
35 #include "smbd/process_model.h"
36 #include "lib/tls/tls.h"
37 #include "lib/messaging/irpc.h"
38 #include "lib/ldb/include/ldb.h"
39 #include "lib/ldb/include/ldb_errors.h"
40 #include "libcli/ldap/ldap_proto.h"
41 #include "system/network.h"
42 #include "lib/socket/netif.h"
43 #include "dsdb/samdb/samdb.h"
44 #include "param/param.h"
45 /*
46 close the socket and shutdown a server_context
47 */
48 void ldapsrv_terminate_connection(struct ldapsrv_connection *conn,
49 const char *reason)
50 {
51 packet_recv_disable(conn->packet);
52 TALLOC_FREE(conn->packet);
53 TALLOC_FREE(conn->sockets.tls);
54 stream_terminate_connection(conn->connection, reason);
55 }
56
57 /*
58 handle packet errors
59 */
60 static void ldapsrv_error_handler(void *private_data, NTSTATUS status)
61 {
62 struct ldapsrv_connection *conn = talloc_get_type(private_data,
63 struct ldapsrv_connection);
64 ldapsrv_terminate_connection(conn, nt_errstr(status));
65 }
66
67 /*
68 process a decoded ldap message
69 */
70 static void ldapsrv_process_message(struct ldapsrv_connection *conn,
71 struct ldap_message *msg)
72 {
73 struct ldapsrv_call *call;
74 NTSTATUS status;
75 DATA_BLOB blob;
76
77 call = talloc(conn, struct ldapsrv_call);
78 if (!call) {
79 ldapsrv_terminate_connection(conn, "no memory");
80 return;
81 }
82
83 call->request = talloc_steal(call, msg);
84 call->conn = conn;
85 call->replies = NULL;
86 call->send_callback = NULL;
87 call->send_private = NULL;
88
89 /* make the call */
90 status = ldapsrv_do_call(call);
91 if (!NT_STATUS_IS_OK(status)) {
92 talloc_free(call);
93 return;
94 }
95
96 blob = data_blob(NULL, 0);
97
98 if (call->replies == NULL) {
99 talloc_free(call);
100 return;
101 }
102
103 /* build all the replies into a single blob */
104 while (call->replies) {
105 DATA_BLOB b;
106 bool ret;
107
108 msg = call->replies->msg;
109 if (!ldap_encode(msg, samba_ldap_control_handlers(), &b, call)) {
110 DEBUG(0,("Failed to encode ldap reply of type %d\n", msg->type));
111 talloc_free(call);
112 return;
113 }
114
115 ret = data_blob_append(call, &blob, b.data, b.length);
116 data_blob_free(&b);
117
118 talloc_set_name_const(blob.data, "Outgoing, encoded LDAP packet");
119
120 if (!ret) {
121 talloc_free(call);
122 return;
123 }
124
125 DLIST_REMOVE(call->replies, call->replies);
126 }
127
128 packet_send_callback(conn->packet, blob,
129 call->send_callback, call->send_private);
130 talloc_free(call);
131 return;
132 }
133
134 /*
135 decode/process data
136 */
137 static NTSTATUS ldapsrv_decode(void *private_data, DATA_BLOB blob)
138 {
139 NTSTATUS status;
140 struct ldapsrv_connection *conn = talloc_get_type(private_data,
141 struct ldapsrv_connection);
142 struct asn1_data *asn1 = asn1_init(conn);
143 struct ldap_message *msg = talloc(conn, struct ldap_message);
144
145 if (asn1 == NULL || msg == NULL) {
146 return NT_STATUS_NO_MEMORY;
147 }
148
149 if (!asn1_load(asn1, blob)) {
150 talloc_free(msg);
151 talloc_free(asn1);
152 return NT_STATUS_NO_MEMORY;
153 }
154
155 status = ldap_decode(asn1, samba_ldap_control_handlers(), msg);
156 if (!NT_STATUS_IS_OK(status)) {
157 asn1_free(asn1);
158 return status;
159 }
160
161 data_blob_free(&blob);
162 talloc_steal(conn, msg);
163 asn1_free(asn1);
164
165 ldapsrv_process_message(conn, msg);
166 return NT_STATUS_OK;
167 }
168
169 /*
170 Idle timeout handler
171 */
172 static void ldapsrv_conn_idle_timeout(struct tevent_context *ev,
173 struct tevent_timer *te,
174 struct timeval t,
175 void *private_data)
176 {
177 struct ldapsrv_connection *conn = talloc_get_type(private_data, struct ldapsrv_connection);
178
179 ldapsrv_terminate_connection(conn, "Timeout. No requests after bind");
180 }
181
182 /*
183 called when a LDAP socket becomes readable
184 */
185 void ldapsrv_recv(struct stream_connection *c, uint16_t flags)
186 {
187 struct ldapsrv_connection *conn =
188 talloc_get_type(c->private_data, struct ldapsrv_connection);
189
190 if (conn->limits.ite) { /* clean initial timeout if any */
191 talloc_free(conn->limits.ite);
192 conn->limits.ite = NULL;
193 }
194
195 if (conn->limits.te) { /* clean idle timeout if any */
196 talloc_free(conn->limits.te);
197 conn->limits.te = NULL;
198 }
199
200 packet_recv(conn->packet);
201
202 /* set idle timeout */
203 conn->limits.te = event_add_timed(c->event.ctx, conn,
204 timeval_current_ofs(conn->limits.conn_idle_time, 0),
205 ldapsrv_conn_idle_timeout, conn);
206 }
207
208 /*
209 called when a LDAP socket becomes writable
210 */
211 static void ldapsrv_send(struct stream_connection *c, uint16_t flags)
212 {
213 struct ldapsrv_connection *conn =
214 talloc_get_type(c->private_data, struct ldapsrv_connection);
215
216 packet_queue_run(conn->packet);
217 }
218
219 static void ldapsrv_conn_init_timeout(struct tevent_context *ev,
220 struct tevent_timer *te,
221 struct timeval t,
222 void *private_data)
223 {
224 struct ldapsrv_connection *conn = talloc_get_type(private_data, struct ldapsrv_connection);
225
226 ldapsrv_terminate_connection(conn, "Timeout. No requests after initial connection");
227 }
228
229 static int ldapsrv_load_limits(struct ldapsrv_connection *conn)
230 {
231 TALLOC_CTX *tmp_ctx;
232 const char *attrs[] = { "configurationNamingContext", NULL };
233 const char *attrs2[] = { "lDAPAdminLimits", NULL };
234 struct ldb_message_element *el;
235 struct ldb_result *res = NULL;
236 struct ldb_dn *basedn;
237 struct ldb_dn *conf_dn;
238 struct ldb_dn *policy_dn;
239 unsigned int i;
240 int ret;
241
242 /* set defaults limits in case of failure */
243 conn->limits.initial_timeout = 120;
244 conn->limits.conn_idle_time = 900;
245 conn->limits.max_page_size = 1000;
246 conn->limits.search_timeout = 120;
247
248
249 tmp_ctx = talloc_new(conn);
250 if (tmp_ctx == NULL) {
251 return -1;
252 }
253
254 basedn = ldb_dn_new(tmp_ctx, conn->ldb, NULL);
255 if ( ! ldb_dn_validate(basedn)) {
256 goto failed;
257 }
258
259 ret = ldb_search(conn->ldb, tmp_ctx, &res, basedn, LDB_SCOPE_BASE, attrs, NULL);
260 if (ret != LDB_SUCCESS) {
261 goto failed;
262 }
263
264 if (res->count != 1) {
265 goto failed;
266 }
267
268 conf_dn = ldb_msg_find_attr_as_dn(conn->ldb, tmp_ctx, res->msgs[0], "configurationNamingContext");
269 if (conf_dn == NULL) {
270 goto failed;
271 }
272
273 policy_dn = ldb_dn_copy(tmp_ctx, conf_dn);
274 ldb_dn_add_child_fmt(policy_dn, "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services");
275 if (policy_dn == NULL) {
276 goto failed;
277 }
278
279 ret = ldb_search(conn->ldb, tmp_ctx, &res, policy_dn, LDB_SCOPE_BASE, attrs2, NULL);
280 if (ret != LDB_SUCCESS) {
281 goto failed;
282 }
283
284 if (res->count != 1) {
285 goto failed;
286 }
287
288 el = ldb_msg_find_element(res->msgs[0], "lDAPAdminLimits");
289 if (el == NULL) {
290 goto failed;
291 }
292
293 for (i = 0; i < el->num_values; i++) {
294 char policy_name[256];
295 int policy_value, s;
296
297 s = sscanf((const char *)el->values[i].data, "%255[^=]=%d", policy_name, &policy_value);
298 if (ret != 2 || policy_value == 0)
299 continue;
300
301 if (strcasecmp("InitRecvTimeout", policy_name) == 0) {
302 conn->limits.initial_timeout = policy_value;
303 continue;
304 }
305 if (strcasecmp("MaxConnIdleTime", policy_name) == 0) {
306 conn->limits.conn_idle_time = policy_value;
307 continue;
308 }
309 if (strcasecmp("MaxPageSize", policy_name) == 0) {
310 conn->limits.max_page_size = policy_value;
311 continue;
312 }
313 if (strcasecmp("MaxQueryDuration", policy_name) == 0) {
314 conn->limits.search_timeout = policy_value;
315 continue;
316 }
317 }
318
319 return 0;
320
321 failed:
322 DEBUG(0, ("Failed to load ldap server query policies\n"));
323 talloc_free(tmp_ctx);
324 return -1;
325 }
326
327 /*
328 initialise a server_context from a open socket and register a event handler
329 for reading from that socket
330 */
331 static void ldapsrv_accept(struct stream_connection *c,
332 struct auth_session_info *session_info)
333 {
334 struct ldapsrv_service *ldapsrv_service =
335 talloc_get_type(c->private_data, struct ldapsrv_service);
336 struct ldapsrv_connection *conn;
337 struct cli_credentials *server_credentials;
338 struct socket_address *socket_address;
339 NTSTATUS status;
340 int port;
341
342 conn = talloc_zero(c, struct ldapsrv_connection);
343 if (!conn) {
344 stream_terminate_connection(c, "ldapsrv_accept: out of memory");
345 return;
346 }
347
348 conn->packet = NULL;
349 conn->connection = c;
350 conn->service = ldapsrv_service;
351 conn->sockets.raw = c->socket;
352 conn->lp_ctx = ldapsrv_service->task->lp_ctx;
353
354 c->private_data = conn;
355
356 socket_address = socket_get_my_addr(c->socket, conn);
357 if (!socket_address) {
358 ldapsrv_terminate_connection(conn, "ldapsrv_accept: failed to obtain local socket address!");
359 return;
360 }
361 port = socket_address->port;
362 talloc_free(socket_address);
363
364 if (port == 636) {
365 struct socket_context *tls_socket = tls_init_server(ldapsrv_service->tls_params, c->socket,
366 c->event.fde, NULL);
367 if (!tls_socket) {
368 ldapsrv_terminate_connection(conn, "ldapsrv_accept: tls_init_server() failed");
369 return;
370 }
371 talloc_steal(c, tls_socket);
372 c->socket = tls_socket;
373 conn->sockets.tls = tls_socket;
374
375 } else if (port == 3268) /* Global catalog */ {
376 conn->global_catalog = true;
377 }
378 conn->packet = packet_init(conn);
379 if (conn->packet == NULL) {
380 ldapsrv_terminate_connection(conn, "out of memory");
381 return;
382 }
383
384 packet_set_private(conn->packet, conn);
385 packet_set_socket(conn->packet, c->socket);
386 packet_set_callback(conn->packet, ldapsrv_decode);
387 packet_set_full_request(conn->packet, ldap_full_packet);
388 packet_set_error_handler(conn->packet, ldapsrv_error_handler);
389 packet_set_event_context(conn->packet, c->event.ctx);
390 packet_set_fde(conn->packet, c->event.fde);
391 packet_set_serialise(conn->packet);
392
393 if (conn->sockets.tls) {
394 packet_set_unreliable_select(conn->packet);
395 }
396
397 /* Ensure we don't get packets until the database is ready below */
398 packet_recv_disable(conn->packet);
399
400 server_credentials = cli_credentials_init(conn);
401 if (!server_credentials) {
402 stream_terminate_connection(c, "Failed to init server credentials\n");
403 return;
404 }
405
406 cli_credentials_set_conf(server_credentials, conn->lp_ctx);
407 status = cli_credentials_set_machine_account(server_credentials, conn->lp_ctx);
408 if (!NT_STATUS_IS_OK(status)) {
409 stream_terminate_connection(c, talloc_asprintf(conn, "Failed to obtain server credentials, perhaps a standalone server?: %s\n", nt_errstr(status)));
410 return;
411 }
412 conn->server_credentials = server_credentials;
413
414 conn->session_info = talloc_move(conn, &session_info);
415
416 if (!NT_STATUS_IS_OK(ldapsrv_backend_Init(conn))) {
417 ldapsrv_terminate_connection(conn, "backend Init failed");
418 return;
419 }
420
421 /* load limits from the conf partition */
422 ldapsrv_load_limits(conn); /* should we fail on error ? */
423
424 /* register the server */
425 irpc_add_name(c->msg_ctx, "ldap_server");
426
427 /* set connections limits */
428 conn->limits.ite = event_add_timed(c->event.ctx, conn,
429 timeval_current_ofs(conn->limits.initial_timeout, 0),
430 ldapsrv_conn_init_timeout, conn);
431
432 packet_recv_enable(conn->packet);
433
434 }
435
436 static void ldapsrv_accept_nonpriv(struct stream_connection *c)
437 {
438 struct ldapsrv_service *ldapsrv_service = talloc_get_type_abort(
439 c->private_data, struct ldapsrv_service);
440 struct auth_session_info *session_info;
441 NTSTATUS status;
442
443 status = auth_anonymous_session_info(
444 c, ldapsrv_service->task->lp_ctx, &session_info);
445 if (!NT_STATUS_IS_OK(status)) {
446 stream_terminate_connection(c, "failed to setup anonymous "
447 "session info");
448 return;
449 }
450 ldapsrv_accept(c, session_info);
451 }
452
453 static const struct stream_server_ops ldap_stream_nonpriv_ops = {
454 .name = "ldap",
455 .accept_connection = ldapsrv_accept_nonpriv,
456 .recv_handler = ldapsrv_recv,
457 .send_handler = ldapsrv_send,
458 };
459
460 /* The feature removed behind an #ifdef until we can do it properly
461 * with an EXTERNAL bind. */
462
463 #define WITH_LDAPI_PRIV_SOCKET
464
465 #ifdef WITH_LDAPI_PRIV_SOCKET
466 static void ldapsrv_accept_priv(struct stream_connection *c)
467 {
468 struct ldapsrv_service *ldapsrv_service = talloc_get_type_abort(
469 c->private_data, struct ldapsrv_service);
470 struct auth_session_info *session_info;
471
472 session_info = system_session(ldapsrv_service->task->lp_ctx);
473 if (!session_info) {
474 stream_terminate_connection(c, "failed to setup system "
475 "session info");
476 return;
477 }
478 ldapsrv_accept(c, session_info);
479 }
480
481 static const struct stream_server_ops ldap_stream_priv_ops = {
482 .name = "ldap",
483 .accept_connection = ldapsrv_accept_priv,
484 .recv_handler = ldapsrv_recv,
485 .send_handler = ldapsrv_send,
486 };
487
488 #endif
489 /*
490 add a socket address to the list of events, one event per port
491 */
492 static NTSTATUS add_socket(struct tevent_context *event_context,
493 struct loadparm_context *lp_ctx,
494 const struct model_ops *model_ops,
495 const char *address, struct ldapsrv_service *ldap_service)
496 {
497 uint16_t port = 389;
498 NTSTATUS status;
499 struct ldb_context *ldb;
500
501 status = stream_setup_socket(event_context, lp_ctx,
502 model_ops, &ldap_stream_nonpriv_ops,
503 "ipv4", address, &port,
504 lp_socket_options(lp_ctx),
505 ldap_service);
506 if (!NT_STATUS_IS_OK(status)) {
507 DEBUG(0,("ldapsrv failed to bind to %s:%u - %s\n",
508 address, port, nt_errstr(status)));
509 }
510
511 if (tls_support(ldap_service->tls_params)) {
512 /* add ldaps server */
513 port = 636;
514 status = stream_setup_socket(event_context, lp_ctx,
515 model_ops,
516 &ldap_stream_nonpriv_ops,
517 "ipv4", address, &port,
518 lp_socket_options(lp_ctx),
519 ldap_service);
520 if (!NT_STATUS_IS_OK(status)) {
521 DEBUG(0,("ldapsrv failed to bind to %s:%u - %s\n",
522 address, port, nt_errstr(status)));
523 }
524 }
525
526 /* Load LDAP database, but only to read our settings */
527 ldb = samdb_connect(ldap_service, ldap_service->task->event_ctx,
528 lp_ctx, system_session(lp_ctx));
529 if (!ldb) {
530 return NT_STATUS_INTERNAL_DB_CORRUPTION;
531 }
532
533 if (samdb_is_gc(ldb)) {
534 port = 3268;
535 status = stream_setup_socket(event_context, lp_ctx,
536 model_ops,
537 &ldap_stream_nonpriv_ops,
538 "ipv4", address, &port,
539 lp_socket_options(lp_ctx),
540 ldap_service);
541 if (!NT_STATUS_IS_OK(status)) {
542 DEBUG(0,("ldapsrv failed to bind to %s:%u - %s\n",
543 address, port, nt_errstr(status)));
544 }
545 }
546
547 /* And once we are bound, free the tempoary ldb, it will
548 * connect again on each incoming LDAP connection */
549 talloc_unlink(ldap_service, ldb);
550
551 return status;
552 }
553
554 /*
555 open the ldap server sockets
556 */
557 static void ldapsrv_task_init(struct task_server *task)
558 {
559 char *ldapi_path;
560 #ifdef WITH_LDAPI_PRIV_SOCKET
561 char *priv_dir;
562 #endif
563 struct ldapsrv_service *ldap_service;
564 NTSTATUS status;
565 const struct model_ops *model_ops;
566
567 switch (lp_server_role(task->lp_ctx)) {
568 case ROLE_STANDALONE:
569 task_server_terminate(task, "ldap_server: no LDAP server required in standalone configuration",
570 false);
571 return;
572 case ROLE_DOMAIN_MEMBER:
573 task_server_terminate(task, "ldap_server: no LDAP server required in member server configuration",
574 false);
575 return;
576 case ROLE_DOMAIN_CONTROLLER:
577 /* Yes, we want an LDAP server */
578 break;
579 }
580
581 task_server_set_title(task, "task[ldapsrv]");
582
583 /* run the ldap server as a single process */
584 model_ops = process_model_startup(task->event_ctx, "single");
585 if (!model_ops) goto failed;
586
587 ldap_service = talloc_zero(task, struct ldapsrv_service);
588 if (ldap_service == NULL) goto failed;
589
590 ldap_service->task = task;
591
592 ldap_service->tls_params = tls_initialise(ldap_service, task->lp_ctx);
593 if (ldap_service->tls_params == NULL) goto failed;
594
595 if (lp_interfaces(task->lp_ctx) && lp_bind_interfaces_only(task->lp_ctx)) {
596 struct interface *ifaces;
597 int num_interfaces;
598 int i;
599
600 load_interfaces(task, lp_interfaces(task->lp_ctx), &ifaces);
601 num_interfaces = iface_count(ifaces);
602
603 /* We have been given an interfaces line, and been
604 told to only bind to those interfaces. Create a
605 socket per interface and bind to only these.
606 */
607 for(i = 0; i < num_interfaces; i++) {
608 const char *address = iface_n_ip(ifaces, i);
609 status = add_socket(task->event_ctx, task->lp_ctx, model_ops, address, ldap_service);
610 if (!NT_STATUS_IS_OK(status)) goto failed;
611 }
612 } else {
613 status = add_socket(task->event_ctx, task->lp_ctx, model_ops,
614 lp_socket_address(task->lp_ctx), ldap_service);
615 if (!NT_STATUS_IS_OK(status)) goto failed;
616 }
617
618 ldapi_path = private_path(ldap_service, task->lp_ctx, "ldapi");
619 if (!ldapi_path) {
620 goto failed;
621 }
622
623 status = stream_setup_socket(task->event_ctx, task->lp_ctx,
624 model_ops, &ldap_stream_nonpriv_ops,
625 "unix", ldapi_path, NULL,
626 lp_socket_options(task->lp_ctx),
627 ldap_service);
628 talloc_free(ldapi_path);
629 if (!NT_STATUS_IS_OK(status)) {
630 DEBUG(0,("ldapsrv failed to bind to %s - %s\n",
631 ldapi_path, nt_errstr(status)));
632 }
633
634 #ifdef WITH_LDAPI_PRIV_SOCKET
635 priv_dir = private_path(ldap_service, task->lp_ctx, "ldap_priv");
636 if (priv_dir == NULL) {
637 goto failed;
638 }
639 /*
640 * Make sure the directory for the privileged ldapi socket exists, and
641 * is of the correct permissions
642 */
643 if (!directory_create_or_exist(priv_dir, geteuid(), 0750)) {
644 task_server_terminate(task, "Cannot create ldap "
645 "privileged ldapi directory", true);
646 return;
647 }
648 ldapi_path = talloc_asprintf(ldap_service, "%s/ldapi", priv_dir);
649 talloc_free(priv_dir);
650 if (ldapi_path == NULL) {
651 goto failed;
652 }
653
654 status = stream_setup_socket(task->event_ctx, task->lp_ctx,
655 model_ops, &ldap_stream_priv_ops,
656 "unix", ldapi_path, NULL,
657 lp_socket_options(task->lp_ctx),
658 ldap_service);
659 talloc_free(ldapi_path);
660 if (!NT_STATUS_IS_OK(status)) {
661 DEBUG(0,("ldapsrv failed to bind to %s - %s\n",
662 ldapi_path, nt_errstr(status)));
663 }
664
665 #endif
666 return;
667
668 failed:
669 task_server_terminate(task, "Failed to startup ldap server task", true);
670 }
671
672
673 NTSTATUS server_service_ldap_init(void)
674 {
675 return register_server_service("ldap", ldapsrv_task_init);
676 }