search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4:dsdb/samdb: optimize samldb_prim_group_change()
[Samba/gbeck.git] / source4 / ldap_server / ldap_bind.c
blob5036353a4b34a92cf36ba92126e21e85779dba2e
1 /*
2 Unix SMB/CIFS implementation.
3 LDAP server
4 Copyright (C) Stefan Metzmacher 2004
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
18 */
19
20 #include "includes.h"
21 #include "ldap_server/ldap_server.h"
22 #include "auth/auth.h"
23 #include "smbd/service.h"
24 #include "lib/ldb/include/ldb.h"
25 #include "lib/ldb/include/ldb_errors.h"
26 #include "dsdb/samdb/samdb.h"
27 #include "auth/gensec/gensec.h"
28 #include "auth/gensec/gensec_tstream.h"
29 #include "param/param.h"
30 #include "../lib/util/tevent_ntstatus.h"
31
32 static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call)
33 {
34 struct ldap_BindRequest *req = &call->request->r.BindRequest;
35 struct ldapsrv_reply *reply;
36 struct ldap_BindResponse *resp;
37
38 int result;
39 const char *errstr;
40 const char *nt4_domain, *nt4_account;
41
42 struct auth_session_info *session_info;
43
44 NTSTATUS status;
45
46 DEBUG(10, ("BindSimple dn: %s\n",req->dn));
47
48 status = crack_auto_name_to_nt4_name(call, call->conn->connection->event.ctx, call->conn->lp_ctx, req->dn, &nt4_domain, &nt4_account);
49 if (NT_STATUS_IS_OK(status)) {
50 status = authenticate_username_pw(call,
51 call->conn->connection->event.ctx,
52 call->conn->connection->msg_ctx,
53 call->conn->lp_ctx,
54 nt4_domain, nt4_account,
55 req->creds.password,
56 &session_info);
57 }
58
59 reply = ldapsrv_init_reply(call, LDAP_TAG_BindResponse);
60 if (!reply) {
61 return NT_STATUS_NO_MEMORY;
62 }
63
64 if (NT_STATUS_IS_OK(status)) {
65 result = LDAP_SUCCESS;
66 errstr = NULL;
67
68 talloc_unlink(call->conn, call->conn->session_info);
69 call->conn->session_info = session_info;
70 talloc_steal(call->conn, session_info);
71
72 /* don't leak the old LDB */
73 talloc_unlink(call->conn, call->conn->ldb);
74
75 status = ldapsrv_backend_Init(call->conn);
76
77 if (!NT_STATUS_IS_OK(status)) {
78 result = LDAP_OPERATIONS_ERROR;
79 errstr = talloc_asprintf(reply, "Simple Bind: Failed to advise ldb new credentials: %s", nt_errstr(status));
80 }
81 } else {
82 status = auth_nt_status_squash(status);
83
84 result = LDAP_INVALID_CREDENTIALS;
85 errstr = talloc_asprintf(reply, "Simple Bind Failed: %s", nt_errstr(status));
86 }
87
88 resp = &reply->msg->r.BindResponse;
89 resp->response.resultcode = result;
90 resp->response.errormessage = errstr;
91 resp->response.dn = NULL;
92 resp->response.referral = NULL;
93 resp->SASL.secblob = NULL;
94
95 ldapsrv_queue_reply(call, reply);
96 return NT_STATUS_OK;
97 }
98
99 struct ldapsrv_sasl_postprocess_context {
100 struct ldapsrv_connection *conn;
101 struct tstream_context *sasl;
102 };
103
104 struct ldapsrv_sasl_postprocess_state {
105 uint8_t dummy;
106 };
107
108 static struct tevent_req *ldapsrv_sasl_postprocess_send(TALLOC_CTX *mem_ctx,
109 struct tevent_context *ev,
110 void *private_data)
111 {
112 struct ldapsrv_sasl_postprocess_context *context =
113 talloc_get_type_abort(private_data,
114 struct ldapsrv_sasl_postprocess_context);
115 struct tevent_req *req;
116 struct ldapsrv_sasl_postprocess_state *state;
117
118 req = tevent_req_create(mem_ctx, &state,
119 struct ldapsrv_sasl_postprocess_state);
120 if (req == NULL) {
121 return NULL;
122 }
123
124 TALLOC_FREE(context->conn->sockets.sasl);
125 context->conn->sockets.sasl = talloc_move(context->conn, &context->sasl);
126 context->conn->sockets.active = context->conn->sockets.sasl;
127
128 tevent_req_done(req);
129 return tevent_req_post(req, ev);
130 }
131
132 static NTSTATUS ldapsrv_sasl_postprocess_recv(struct tevent_req *req)
133 {
134 return tevent_req_simple_recv_ntstatus(req);
135 }
136
137 static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call)
138 {
139 struct ldap_BindRequest *req = &call->request->r.BindRequest;
140 struct ldapsrv_reply *reply;
141 struct ldap_BindResponse *resp;
142 struct ldapsrv_connection *conn;
143 int result = 0;
144 const char *errstr=NULL;
145 NTSTATUS status = NT_STATUS_OK;
146
147 DEBUG(10, ("BindSASL dn: %s\n",req->dn));
148
149 reply = ldapsrv_init_reply(call, LDAP_TAG_BindResponse);
150 if (!reply) {
151 return NT_STATUS_NO_MEMORY;
152 }
153 resp = &reply->msg->r.BindResponse;
154
155 conn = call->conn;
156
157 /*
158 * TODO: a SASL bind with a different mechanism
159 * should cancel an inprogress SASL bind.
160 * (see RFC 4513)
161 */
162
163 if (!conn->gensec) {
164 conn->session_info = NULL;
165
166 status = samba_server_gensec_start(conn,
167 conn->connection->event.ctx,
168 conn->connection->msg_ctx,
169 conn->lp_ctx,
170 conn->server_credentials,
171 "ldap",
172 &conn->gensec);
173 if (!NT_STATUS_IS_OK(status)) {
174 DEBUG(1, ("Failed to start GENSEC server code: %s\n", nt_errstr(status)));
175 result = LDAP_OPERATIONS_ERROR;
176 errstr = talloc_asprintf(reply, "SASL: Failed to start authentication system: %s",
177 nt_errstr(status));
178 } else {
179
180 gensec_want_feature(conn->gensec, GENSEC_FEATURE_SIGN);
181 gensec_want_feature(conn->gensec, GENSEC_FEATURE_SEAL);
182 gensec_want_feature(conn->gensec, GENSEC_FEATURE_ASYNC_REPLIES);
183
184 status = gensec_start_mech_by_sasl_name(conn->gensec, req->creds.SASL.mechanism);
185
186 if (!NT_STATUS_IS_OK(status)) {
187 DEBUG(1, ("Failed to start GENSEC SASL[%s] server code: %s\n",
188 req->creds.SASL.mechanism, nt_errstr(status)));
189 result = LDAP_OPERATIONS_ERROR;
190 errstr = talloc_asprintf(reply, "SASL:[%s]: Failed to start authentication backend: %s",
191 req->creds.SASL.mechanism, nt_errstr(status));
192 }
193 }
194 }
195
196 if (NT_STATUS_IS_OK(status)) {
197 DATA_BLOB input = data_blob(NULL, 0);
198 DATA_BLOB output = data_blob(NULL, 0);
199
200 if (req->creds.SASL.secblob) {
201 input = *req->creds.SASL.secblob;
202 }
203
204 status = gensec_update(conn->gensec, reply,
205 input, &output);
206
207 /* Windows 2000 mmc doesn't like secblob == NULL and reports a decoding error */
208 resp->SASL.secblob = talloc(reply, DATA_BLOB);
209 NT_STATUS_HAVE_NO_MEMORY(resp->SASL.secblob);
210 *resp->SASL.secblob = output;
211 } else {
212 resp->SASL.secblob = NULL;
213 }
214
215 if (NT_STATUS_EQUAL(NT_STATUS_MORE_PROCESSING_REQUIRED, status)) {
216 result = LDAP_SASL_BIND_IN_PROGRESS;
217 errstr = NULL;
218 } else if (NT_STATUS_IS_OK(status)) {
219 struct auth_session_info *old_session_info=NULL;
220 struct ldapsrv_sasl_postprocess_context *context = NULL;
221
222 result = LDAP_SUCCESS;
223 errstr = NULL;
224
225 if (gensec_have_feature(conn->gensec, GENSEC_FEATURE_SIGN) ||
226 gensec_have_feature(conn->gensec, GENSEC_FEATURE_SEAL)) {
227
228 context = talloc(call, struct ldapsrv_sasl_postprocess_context);
229
230 if (!context) {
231 status = NT_STATUS_NO_MEMORY;
232 }
233 }
234
235 if (context && conn->sockets.tls) {
236 TALLOC_FREE(context);
237 status = NT_STATUS_NOT_SUPPORTED;
238 result = LDAP_UNWILLING_TO_PERFORM;
239 errstr = talloc_asprintf(reply,
240 "SASL:[%s]: Sign or Seal are not allowed if TLS is used",
241 req->creds.SASL.mechanism);
242 }
243
244 if (context) {
245 context->conn = conn;
246 status = gensec_create_tstream(context,
247 context->conn->gensec,
248 context->conn->sockets.raw,
249 &context->sasl);
250 }
251
252 if (result != LDAP_SUCCESS) {
253 conn->session_info = old_session_info;
254 } else if (!NT_STATUS_IS_OK(status)) {
255 conn->session_info = old_session_info;
256 result = LDAP_OPERATIONS_ERROR;
257 errstr = talloc_asprintf(reply,
258 "SASL:[%s]: Failed to setup SASL socket: %s",
259 req->creds.SASL.mechanism, nt_errstr(status));
260 } else {
261
262 old_session_info = conn->session_info;
263 conn->session_info = NULL;
264 status = gensec_session_info(conn->gensec, &conn->session_info);
265 if (!NT_STATUS_IS_OK(status)) {
266 conn->session_info = old_session_info;
267 result = LDAP_OPERATIONS_ERROR;
268 errstr = talloc_asprintf(reply,
269 "SASL:[%s]: Failed to get session info: %s",
270 req->creds.SASL.mechanism, nt_errstr(status));
271 } else {
272 talloc_unlink(conn, old_session_info);
273 talloc_steal(conn, conn->session_info);
274
275 /* don't leak the old LDB */
276 talloc_unlink(conn, conn->ldb);
277
278 status = ldapsrv_backend_Init(conn);
279
280 if (!NT_STATUS_IS_OK(status)) {
281 result = LDAP_OPERATIONS_ERROR;
282 errstr = talloc_asprintf(reply,
283 "SASL:[%s]: Failed to advise samdb of new credentials: %s",
284 req->creds.SASL.mechanism,
285 nt_errstr(status));
286 }
287 }
288 }
289
290 if (NT_STATUS_IS_OK(status) && context) {
291 call->postprocess_send = ldapsrv_sasl_postprocess_send;
292 call->postprocess_recv = ldapsrv_sasl_postprocess_recv;
293 call->postprocess_private = context;
294 }
295 } else {
296 status = auth_nt_status_squash(status);
297 if (result == 0) {
298 result = LDAP_INVALID_CREDENTIALS;
299 errstr = talloc_asprintf(reply, "SASL:[%s]: %s", req->creds.SASL.mechanism, nt_errstr(status));
300 }
301 }
302
303 resp->response.resultcode = result;
304 resp->response.dn = NULL;
305 resp->response.errormessage = errstr;
306 resp->response.referral = NULL;
307
308 ldapsrv_queue_reply(call, reply);
309 return NT_STATUS_OK;
310 }
311
312 NTSTATUS ldapsrv_BindRequest(struct ldapsrv_call *call)
313 {
314 struct ldap_BindRequest *req = &call->request->r.BindRequest;
315 struct ldapsrv_reply *reply;
316 struct ldap_BindResponse *resp;
317
318 /*
319 * TODO: we should fail the bind request
320 * if there're any pending requests.
321 *
322 * also a simple bind should cancel an
323 * inprogress SASL bind.
324 * (see RFC 4513)
325 */
326 switch (req->mechanism) {
327 case LDAP_AUTH_MECH_SIMPLE:
328 return ldapsrv_BindSimple(call);
329 case LDAP_AUTH_MECH_SASL:
330 return ldapsrv_BindSASL(call);
331 }
332
333 reply = ldapsrv_init_reply(call, LDAP_TAG_BindResponse);
334 if (!reply) {
335 return NT_STATUS_NO_MEMORY;
336 }
337
338 resp = &reply->msg->r.BindResponse;
339 resp->response.resultcode = 7;
340 resp->response.dn = NULL;
341 resp->response.errormessage = talloc_asprintf(reply, "Bad AuthenticationChoice [%d]", req->mechanism);
342 resp->response.referral = NULL;
343 resp->SASL.secblob = NULL;
344
345 ldapsrv_queue_reply(call, reply);
346 return NT_STATUS_OK;
347 }
348
349 NTSTATUS ldapsrv_UnbindRequest(struct ldapsrv_call *call)
350 {
351 DEBUG(10, ("UnbindRequest\n"));
352 return NT_STATUS_OK;
353 }
WIP