2 Unix SMB/CIFS implementation.
4 Copyright (C) Stefan Metzmacher 2004
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program; if not, write to the Free Software
18 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
22 #include "ldap_server/ldap_server.h"
23 #include "auth/auth.h"
24 #include "libcli/ldap/ldap.h"
25 #include "smbd/service.h"
26 #include "lib/ldb/include/ldb.h"
27 #include "lib/ldb/include/ldb_errors.h"
28 #include "dsdb/samdb/samdb.h"
29 #include "auth/gensec/gensec.h"
30 #include "auth/gensec/socket.h"
32 static NTSTATUS
ldapsrv_BindSimple(struct ldapsrv_call
*call
)
34 struct ldap_BindRequest
*req
= &call
->request
->r
.BindRequest
;
35 struct ldapsrv_reply
*reply
;
36 struct ldap_BindResponse
*resp
;
40 const char *nt4_domain
, *nt4_account
;
42 struct auth_session_info
*session_info
;
46 DEBUG(10, ("BindSimple dn: %s\n",req
->dn
));
48 status
= crack_auto_name_to_nt4_name(call
, req
->dn
, &nt4_domain
, &nt4_account
);
49 if (NT_STATUS_IS_OK(status
)) {
50 status
= authenticate_username_pw(call
,
51 call
->conn
->connection
->event
.ctx
,
52 call
->conn
->connection
->msg_ctx
,
53 nt4_domain
, nt4_account
,
58 reply
= ldapsrv_init_reply(call
, LDAP_TAG_BindResponse
);
60 return NT_STATUS_NO_MEMORY
;
63 if (NT_STATUS_IS_OK(status
)) {
64 result
= LDAP_SUCCESS
;
67 talloc_free(call
->conn
->session_info
);
68 call
->conn
->session_info
= session_info
;
69 talloc_steal(call
->conn
, session_info
);
71 /* don't leak the old LDB */
72 talloc_free(call
->conn
->ldb
);
74 status
= ldapsrv_backend_Init(call
->conn
);
76 if (!NT_STATUS_IS_OK(status
)) {
77 result
= LDAP_OPERATIONS_ERROR
;
78 errstr
= talloc_asprintf(reply
, "Simple Bind: Failed to advise ldb new credentials: %s", nt_errstr(status
));
81 status
= auth_nt_status_squash(status
);
83 result
= LDAP_INVALID_CREDENTIALS
;
84 errstr
= talloc_asprintf(reply
, "Simple Bind Failed: %s", nt_errstr(status
));
87 resp
= &reply
->msg
->r
.BindResponse
;
88 resp
->response
.resultcode
= result
;
89 resp
->response
.errormessage
= errstr
;
90 resp
->response
.dn
= NULL
;
91 resp
->response
.referral
= NULL
;
92 resp
->SASL
.secblob
= NULL
;
94 ldapsrv_queue_reply(call
, reply
);
98 struct ldapsrv_sasl_context
{
99 struct ldapsrv_connection
*conn
;
100 struct socket_context
*sasl_socket
;
103 static void ldapsrv_set_sasl(void *private)
105 struct ldapsrv_sasl_context
*ctx
= talloc_get_type(private, struct ldapsrv_sasl_context
);
106 talloc_steal(ctx
->conn
->connection
, ctx
->sasl_socket
);
107 talloc_unlink(ctx
->conn
->connection
, ctx
->conn
->connection
->socket
);
109 ctx
->conn
->sockets
.sasl
= ctx
->sasl_socket
;
110 ctx
->conn
->connection
->socket
= ctx
->sasl_socket
;
111 packet_set_socket(ctx
->conn
->packet
, ctx
->conn
->connection
->socket
);
114 static NTSTATUS
ldapsrv_BindSASL(struct ldapsrv_call
*call
)
116 struct ldap_BindRequest
*req
= &call
->request
->r
.BindRequest
;
117 struct ldapsrv_reply
*reply
;
118 struct ldap_BindResponse
*resp
;
119 struct ldapsrv_connection
*conn
;
121 const char *errstr
=NULL
;
122 NTSTATUS status
= NT_STATUS_OK
;
124 DEBUG(10, ("BindSASL dn: %s\n",req
->dn
));
126 reply
= ldapsrv_init_reply(call
, LDAP_TAG_BindResponse
);
128 return NT_STATUS_NO_MEMORY
;
130 resp
= &reply
->msg
->r
.BindResponse
;
135 * TODO: a SASL bind with a different mechanism
136 * should cancel an inprogress SASL bind.
141 conn
->session_info
= NULL
;
143 status
= gensec_server_start(conn
,
144 conn
->connection
->event
.ctx
,
145 conn
->connection
->msg_ctx
,
147 if (!NT_STATUS_IS_OK(status
)) {
148 DEBUG(1, ("Failed to start GENSEC server code: %s\n", nt_errstr(status
)));
149 result
= LDAP_OPERATIONS_ERROR
;
150 errstr
= talloc_asprintf(reply
, "SASL: Failed to start authentication system: %s",
154 gensec_set_target_service(conn
->gensec
, "ldap");
156 gensec_set_credentials(conn
->gensec
, conn
->server_credentials
);
158 gensec_want_feature(conn
->gensec
, GENSEC_FEATURE_SIGN
);
159 gensec_want_feature(conn
->gensec
, GENSEC_FEATURE_SEAL
);
160 gensec_want_feature(conn
->gensec
, GENSEC_FEATURE_ASYNC_REPLIES
);
162 status
= gensec_start_mech_by_sasl_name(conn
->gensec
, req
->creds
.SASL
.mechanism
);
164 if (!NT_STATUS_IS_OK(status
)) {
165 DEBUG(1, ("Failed to start GENSEC SASL[%s] server code: %s\n",
166 req
->creds
.SASL
.mechanism
, nt_errstr(status
)));
167 result
= LDAP_OPERATIONS_ERROR
;
168 errstr
= talloc_asprintf(reply
, "SASL:[%s]: Failed to start authentication backend: %s",
169 req
->creds
.SASL
.mechanism
, nt_errstr(status
));
174 if (NT_STATUS_IS_OK(status
)) {
175 DATA_BLOB input
= data_blob(NULL
, 0);
176 DATA_BLOB output
= data_blob(NULL
, 0);
178 if (req
->creds
.SASL
.secblob
) {
179 input
= *req
->creds
.SASL
.secblob
;
182 resp
->SASL
.secblob
= talloc(reply
, DATA_BLOB
);
183 NT_STATUS_HAVE_NO_MEMORY(resp
->SASL
.secblob
);
185 status
= gensec_update(conn
->gensec
, reply
,
188 /* Windows 2000 mmc doesn't like secblob == NULL and reports a decoding error */
189 resp
->SASL
.secblob
= talloc(reply
, DATA_BLOB
);
190 NT_STATUS_HAVE_NO_MEMORY(resp
->SASL
.secblob
);
191 *resp
->SASL
.secblob
= output
;
193 resp
->SASL
.secblob
= NULL
;
196 if (NT_STATUS_EQUAL(NT_STATUS_MORE_PROCESSING_REQUIRED
, status
)) {
197 result
= LDAP_SASL_BIND_IN_PROGRESS
;
199 } else if (NT_STATUS_IS_OK(status
)) {
200 struct auth_session_info
*old_session_info
=NULL
;
201 struct ldapsrv_sasl_context
*ctx
;
203 result
= LDAP_SUCCESS
;
206 ctx
= talloc(call
, struct ldapsrv_sasl_context
);
209 status
= NT_STATUS_NO_MEMORY
;
212 status
= gensec_socket_init(conn
->gensec
,
213 conn
->connection
->socket
,
214 conn
->connection
->event
.ctx
,
215 stream_io_handler_callback
,
220 if (!ctx
|| !NT_STATUS_IS_OK(status
)) {
221 conn
->session_info
= old_session_info
;
222 result
= LDAP_OPERATIONS_ERROR
;
223 errstr
= talloc_asprintf(reply
,
224 "SASL:[%s]: Failed to setup SASL socket: %s",
225 req
->creds
.SASL
.mechanism
, nt_errstr(status
));
228 call
->send_callback
= ldapsrv_set_sasl
;
229 call
->send_private
= ctx
;
231 old_session_info
= conn
->session_info
;
232 conn
->session_info
= NULL
;
233 status
= gensec_session_info(conn
->gensec
, &conn
->session_info
);
234 if (!NT_STATUS_IS_OK(status
)) {
235 conn
->session_info
= old_session_info
;
236 result
= LDAP_OPERATIONS_ERROR
;
237 errstr
= talloc_asprintf(reply
,
238 "SASL:[%s]: Failed to get session info: %s",
239 req
->creds
.SASL
.mechanism
, nt_errstr(status
));
241 talloc_free(old_session_info
);
242 talloc_steal(conn
, conn
->session_info
);
244 /* don't leak the old LDB */
245 talloc_free(conn
->ldb
);
247 status
= ldapsrv_backend_Init(conn
);
249 if (!NT_STATUS_IS_OK(status
)) {
250 result
= LDAP_OPERATIONS_ERROR
;
251 errstr
= talloc_asprintf(reply
,
252 "SASL:[%s]: Failed to advise samdb of new credentials: %s",
253 req
->creds
.SASL
.mechanism
,
259 status
= auth_nt_status_squash(status
);
261 result
= LDAP_INVALID_CREDENTIALS
;
262 errstr
= talloc_asprintf(reply
, "SASL:[%s]: %s", req
->creds
.SASL
.mechanism
, nt_errstr(status
));
266 resp
->response
.resultcode
= result
;
267 resp
->response
.dn
= NULL
;
268 resp
->response
.errormessage
= errstr
;
269 resp
->response
.referral
= NULL
;
271 ldapsrv_queue_reply(call
, reply
);
275 NTSTATUS
ldapsrv_BindRequest(struct ldapsrv_call
*call
)
277 struct ldap_BindRequest
*req
= &call
->request
->r
.BindRequest
;
278 struct ldapsrv_reply
*reply
;
279 struct ldap_BindResponse
*resp
;
282 * TODO: we should fail the bind request
283 * if there're any pending requests.
285 * also a simple bind should cancel an
286 * inprogress SASL bind.
289 switch (req
->mechanism
) {
290 case LDAP_AUTH_MECH_SIMPLE
:
291 return ldapsrv_BindSimple(call
);
292 case LDAP_AUTH_MECH_SASL
:
293 return ldapsrv_BindSASL(call
);
296 reply
= ldapsrv_init_reply(call
, LDAP_TAG_BindResponse
);
298 return NT_STATUS_NO_MEMORY
;
301 resp
= &reply
->msg
->r
.BindResponse
;
302 resp
->response
.resultcode
= 7;
303 resp
->response
.dn
= NULL
;
304 resp
->response
.errormessage
= talloc_asprintf(reply
, "Bad AuthenticationChoice [%d]", req
->mechanism
);
305 resp
->response
.referral
= NULL
;
306 resp
->SASL
.secblob
= NULL
;
308 ldapsrv_queue_reply(call
, reply
);
312 NTSTATUS
ldapsrv_UnbindRequest(struct ldapsrv_call
*call
)
314 DEBUG(10, ("UnbindRequest\n"));