search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Fix nasty bug that would come up only if a client connection to a remote
[Samba/ekacnet.git] / source4 / libcli / ldap / ldap_bind.c
blobb66232c02e55356cdad32dcba285516e6e7ae5d4
1 /*
2 Unix SMB/CIFS mplementation.
3
4 LDAP bind calls
5
6 Copyright (C) Andrew Tridgell 2005
7 Copyright (C) Volker Lendecke 2004
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21
22 */
23
24 #include "includes.h"
25 #include "libcli/ldap/ldap.h"
26 #include "libcli/ldap/ldap_proto.h"
27 #include "libcli/ldap/ldap_client.h"
28 #include "lib/tls/tls.h"
29 #include "auth/gensec/gensec.h"
30 #include "auth/credentials/credentials.h"
31 #include "lib/stream/packet.h"
32 #include "param/param.h"
33
34 struct ldap_simple_creds {
35 const char *dn;
36 const char *pw;
37 };
38
39 _PUBLIC_ NTSTATUS ldap_rebind(struct ldap_connection *conn)
40 {
41 NTSTATUS status;
42 struct ldap_simple_creds *creds;
43
44 switch (conn->bind.type) {
45 case LDAP_BIND_SASL:
46 status = ldap_bind_sasl(conn, (struct cli_credentials *)conn->bind.creds,
47 conn->lp_ctx);
48 break;
49
50 case LDAP_BIND_SIMPLE:
51 creds = (struct ldap_simple_creds *)conn->bind.creds;
52
53 if (creds == NULL) {
54 return NT_STATUS_UNSUCCESSFUL;
55 }
56
57 status = ldap_bind_simple(conn, creds->dn, creds->pw);
58 break;
59
60 default:
61 return NT_STATUS_UNSUCCESSFUL;
62 }
63
64 return status;
65 }
66
67
68 static struct ldap_message *new_ldap_simple_bind_msg(struct ldap_connection *conn,
69 const char *dn, const char *pw)
70 {
71 struct ldap_message *res;
72
73 res = new_ldap_message(conn);
74 if (!res) {
75 return NULL;
76 }
77
78 res->type = LDAP_TAG_BindRequest;
79 res->r.BindRequest.version = 3;
80 res->r.BindRequest.dn = talloc_strdup(res, dn);
81 res->r.BindRequest.mechanism = LDAP_AUTH_MECH_SIMPLE;
82 res->r.BindRequest.creds.password = talloc_strdup(res, pw);
83 res->controls = NULL;
84
85 return res;
86 }
87
88
89 /*
90 perform a simple username/password bind
91 */
92 _PUBLIC_ NTSTATUS ldap_bind_simple(struct ldap_connection *conn,
93 const char *userdn, const char *password)
94 {
95 struct ldap_request *req;
96 struct ldap_message *msg;
97 const char *dn, *pw;
98 NTSTATUS status;
99
100 if (conn == NULL) {
101 return NT_STATUS_INVALID_CONNECTION;
102 }
103
104 if (userdn) {
105 dn = userdn;
106 } else {
107 if (conn->auth_dn) {
108 dn = conn->auth_dn;
109 } else {
110 dn = "";
111 }
112 }
113
114 if (password) {
115 pw = password;
116 } else {
117 if (conn->simple_pw) {
118 pw = conn->simple_pw;
119 } else {
120 pw = "";
121 }
122 }
123
124 msg = new_ldap_simple_bind_msg(conn, dn, pw);
125 NT_STATUS_HAVE_NO_MEMORY(msg);
126
127 /* send the request */
128 req = ldap_request_send(conn, msg);
129 talloc_free(msg);
130 NT_STATUS_HAVE_NO_MEMORY(req);
131
132 /* wait for replies */
133 status = ldap_request_wait(req);
134 if (!NT_STATUS_IS_OK(status)) {
135 talloc_free(req);
136 return status;
137 }
138
139 /* check its a valid reply */
140 msg = req->replies[0];
141 if (msg->type != LDAP_TAG_BindResponse) {
142 talloc_free(req);
143 return NT_STATUS_UNEXPECTED_NETWORK_ERROR;
144 }
145
146 status = ldap_check_response(conn, &msg->r.BindResponse.response);
147
148 talloc_free(req);
149
150 if (NT_STATUS_IS_OK(status)) {
151 struct ldap_simple_creds *creds = talloc(conn, struct ldap_simple_creds);
152 if (creds == NULL) {
153 return NT_STATUS_NO_MEMORY;
154 }
155 creds->dn = talloc_strdup(creds, dn);
156 creds->pw = talloc_strdup(creds, pw);
157 if (creds->dn == NULL || creds->pw == NULL) {
158 return NT_STATUS_NO_MEMORY;
159 }
160 conn->bind.type = LDAP_BIND_SIMPLE;
161 conn->bind.creds = creds;
162 }
163
164 return status;
165 }
166
167
168 static struct ldap_message *new_ldap_sasl_bind_msg(struct ldap_connection *conn,
169 const char *sasl_mechanism,
170 DATA_BLOB *secblob)
171 {
172 struct ldap_message *res;
173
174 res = new_ldap_message(conn);
175 if (!res) {
176 return NULL;
177 }
178
179 res->type = LDAP_TAG_BindRequest;
180 res->r.BindRequest.version = 3;
181 res->r.BindRequest.dn = "";
182 res->r.BindRequest.mechanism = LDAP_AUTH_MECH_SASL;
183 res->r.BindRequest.creds.SASL.mechanism = talloc_strdup(res, sasl_mechanism);
184 if (secblob) {
185 res->r.BindRequest.creds.SASL.secblob = talloc(res, DATA_BLOB);
186 if (!res->r.BindRequest.creds.SASL.secblob) {
187 talloc_free(res);
188 return NULL;
189 }
190 *res->r.BindRequest.creds.SASL.secblob = *secblob;
191 } else {
192 res->r.BindRequest.creds.SASL.secblob = NULL;
193 }
194 res->controls = NULL;
195
196 return res;
197 }
198
199
200 /*
201 perform a sasl bind using the given credentials
202 */
203 _PUBLIC_ NTSTATUS ldap_bind_sasl(struct ldap_connection *conn,
204 struct cli_credentials *creds,
205 struct loadparm_context *lp_ctx)
206 {
207 NTSTATUS status;
208 TALLOC_CTX *tmp_ctx = NULL;
209
210 DATA_BLOB input = data_blob(NULL, 0);
211 DATA_BLOB output = data_blob(NULL, 0);
212
213 struct ldap_message **sasl_mechs_msgs;
214 struct ldap_SearchResEntry *search;
215 int count, i;
216
217 const char **sasl_names;
218 uint32_t old_gensec_features;
219 static const char *supported_sasl_mech_attrs[] = {
220 "supportedSASLMechanisms",
221 NULL
222 };
223
224 gensec_init(lp_ctx);
225
226 status = gensec_client_start(conn, &conn->gensec,
227 conn->event.event_ctx, lp_ctx);
228 if (!NT_STATUS_IS_OK(status)) {
229 DEBUG(0, ("Failed to start GENSEC engine (%s)\n", nt_errstr(status)));
230 goto failed;
231 }
232
233 /* require Kerberos SIGN/SEAL only if we don't use SSL
234 * Windows seem not to like double encryption */
235 old_gensec_features = cli_credentials_get_gensec_features(creds);
236 if (tls_enabled(conn->sock)) {
237 cli_credentials_set_gensec_features(creds, old_gensec_features & ~(GENSEC_FEATURE_SIGN|GENSEC_FEATURE_SEAL));
238 }
239
240 /* this call also sets the gensec_want_features */
241 status = gensec_set_credentials(conn->gensec, creds);
242 if (!NT_STATUS_IS_OK(status)) {
243 DEBUG(1, ("Failed to set GENSEC creds: %s\n",
244 nt_errstr(status)));
245 goto failed;
246 }
247
248 /* reset the original gensec_features (on the credentials
249 * context, so we don't tatoo it ) */
250 cli_credentials_set_gensec_features(creds, old_gensec_features);
251
252 if (conn->host) {
253 status = gensec_set_target_hostname(conn->gensec, conn->host);
254 if (!NT_STATUS_IS_OK(status)) {
255 DEBUG(1, ("Failed to set GENSEC target hostname: %s\n",
256 nt_errstr(status)));
257 goto failed;
258 }
259 }
260
261 status = gensec_set_target_service(conn->gensec, "ldap");
262 if (!NT_STATUS_IS_OK(status)) {
263 DEBUG(1, ("Failed to set GENSEC target service: %s\n",
264 nt_errstr(status)));
265 goto failed;
266 }
267
268 status = ildap_search(conn, "", LDAP_SEARCH_SCOPE_BASE, "", supported_sasl_mech_attrs,
269 false, NULL, NULL, &sasl_mechs_msgs);
270 if (!NT_STATUS_IS_OK(status)) {
271 DEBUG(1, ("Failed to inquire of target's available sasl mechs in rootdse search: %s\n",
272 nt_errstr(status)));
273 goto failed;
274 }
275
276 count = ildap_count_entries(conn, sasl_mechs_msgs);
277 if (count != 1) {
278 DEBUG(1, ("Failed to inquire of target's available sasl mechs in rootdse search: wrong number of replies: %d\n",
279 count));
280 goto failed;
281 }
282
283 tmp_ctx = talloc_new(conn);
284 if (tmp_ctx == NULL) goto failed;
285
286 search = &sasl_mechs_msgs[0]->r.SearchResultEntry;
287 if (search->num_attributes != 1) {
288 DEBUG(1, ("Failed to inquire of target's available sasl mechs in rootdse search: wrong number of attributes: %d\n",
289 search->num_attributes));
290 goto failed;
291 }
292
293 sasl_names = talloc_array(tmp_ctx, const char *, search->attributes[0].num_values + 1);
294 if (!sasl_names) {
295 DEBUG(1, ("talloc_arry(char *, %d) failed\n",
296 count));
297 goto failed;
298 }
299
300 for (i=0; i<search->attributes[0].num_values; i++) {
301 sasl_names[i] = (const char *)search->attributes[0].values[i].data;
302 }
303 sasl_names[i] = NULL;
304
305 status = gensec_start_mech_by_sasl_list(conn->gensec, sasl_names);
306 if (!NT_STATUS_IS_OK(status)) {
307 DEBUG(1, ("None of the %d proposed SASL mechs were acceptable: %s\n",
308 count, nt_errstr(status)));
309 goto failed;
310 }
311
312 while (1) {
313 NTSTATUS gensec_status;
314 struct ldap_message *response;
315 struct ldap_message *msg;
316 struct ldap_request *req;
317 int result = LDAP_OTHER;
318
319 status = gensec_update(conn->gensec, tmp_ctx,
320 input,
321 &output);
322 /* The status value here, from GENSEC is vital to the security
323 * of the system. Even if the other end accepts, if GENSEC
324 * claims 'MORE_PROCESSING_REQUIRED' then you must keep
325 * feeding it blobs, or else the remote host/attacker might
326 * avoid mutal authentication requirements.
327 *
328 * Likewise, you must not feed GENSEC too much (after the OK),
329 * it doesn't like that either
330 */
331
332 gensec_status = status;
333
334 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) &&
335 !NT_STATUS_IS_OK(status)) {
336 break;
337 }
338 if (NT_STATUS_IS_OK(status) && output.length == 0) {
339 break;
340 }
341
342 /* Perhaps we should make gensec_start_mech_by_sasl_list() return the name we got? */
343 msg = new_ldap_sasl_bind_msg(tmp_ctx, conn->gensec->ops->sasl_name, (output.data?&output:NULL));
344 if (msg == NULL) {
345 status = NT_STATUS_NO_MEMORY;
346 goto failed;
347 }
348
349 req = ldap_request_send(conn, msg);
350 if (req == NULL) {
351 status = NT_STATUS_NO_MEMORY;
352 goto failed;
353 }
354 talloc_steal(tmp_ctx, req);
355
356 status = ldap_result_n(req, 0, &response);
357 if (!NT_STATUS_IS_OK(status)) {
358 goto failed;
359 }
360
361 if (response->type != LDAP_TAG_BindResponse) {
362 status = NT_STATUS_UNEXPECTED_NETWORK_ERROR;
363 goto failed;
364 }
365
366 result = response->r.BindResponse.response.resultcode;
367
368 if (result != LDAP_SUCCESS && result != LDAP_SASL_BIND_IN_PROGRESS) {
369 status = ldap_check_response(conn,
370 &response->r.BindResponse.response);
371 break;
372 }
373
374 /* This is where we check if GENSEC wanted to be fed more data */
375 if (!NT_STATUS_EQUAL(gensec_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
376 break;
377 }
378 if (response->r.BindResponse.SASL.secblob) {
379 input = *response->r.BindResponse.SASL.secblob;
380 } else {
381 input = data_blob(NULL, 0);
382 }
383 }
384
385 talloc_free(tmp_ctx);
386
387 if (NT_STATUS_IS_OK(status)) {
388 struct socket_context *sasl_socket;
389 status = gensec_socket_init(conn->gensec,
390 conn,
391 conn->sock,
392 conn->event.event_ctx,
393 ldap_read_io_handler,
394 conn,
395 &sasl_socket);
396 if (!NT_STATUS_IS_OK(status)) goto failed;
397
398 conn->sock = sasl_socket;
399 packet_set_socket(conn->packet, conn->sock);
400
401 conn->bind.type = LDAP_BIND_SASL;
402 conn->bind.creds = creds;
403 }
404
405 return status;
406
407 failed:
408 talloc_free(tmp_ctx);
409 talloc_free(conn->gensec);
410 conn->gensec = NULL;
411 return status;
412 }