source4/auth/ntlm/auth_simple.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    auth functions
   5
   6    Copyright (C) Simo Sorce 2005
   7    Copyright (C) Andrew Tridgell 2005
   8    Copyright (C) Andrew Bartlett 2005
   9
  10    This program is free software; you can redistribute it and/or modify
  11    it under the terms of the GNU General Public License as published by
  12    the Free Software Foundation; either version 3 of the License, or
  13    (at your option) any later version.
  14
  15    This program is distributed in the hope that it will be useful,
  16    but WITHOUT ANY WARRANTY; without even the implied warranty of
  17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18    GNU General Public License for more details.
  19
  20    You should have received a copy of the GNU General Public License
  21    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  22 */
  23
  24 #include "includes.h"
  25 #include <tevent.h>
  26 #include "lib/util/tevent_ntstatus.h"
  27 #include "auth/auth.h"
  28 #include "dsdb/samdb/samdb.h"
  29
  30 #undef DBGC_CLASS
  31 #define DBGC_CLASS DBGC_AUTH
  32
  33 struct authenticate_ldap_simple_bind_state {
  34         bool using_tls;
  35         struct auth4_context *auth_context;
  36         struct auth_usersupplied_info *user_info;
  37         struct auth_session_info *session_info;
  38 };
  39
  40 static void authenticate_ldap_simple_bind_done(struct tevent_req *subreq);
  41
  42 _PUBLIC_ struct tevent_req *authenticate_ldap_simple_bind_send(TALLOC_CTX *mem_ctx,
  43                                         struct tevent_context *ev,
  44                                         struct imessaging_context *msg,
  45                                         struct loadparm_context *lp_ctx,
  46                                         struct tsocket_address *remote_address,
  47                                         struct tsocket_address *local_address,
  48                                         bool using_tls,
  49                                         const char *dn,
  50                                         const char *password)
  51 {
  52         struct tevent_req *req = NULL;
  53         struct authenticate_ldap_simple_bind_state *state = NULL;
  54         struct auth_usersupplied_info *user_info = NULL;
  55         const char *nt4_domain = NULL;
  56         const char *nt4_username = NULL;
  57         struct tevent_req *subreq = NULL;
  58         NTSTATUS status;
  59
  60         req = tevent_req_create(mem_ctx, &state,
  61                                 struct authenticate_ldap_simple_bind_state);
  62         if (req == NULL) {
  63                 return NULL;
  64         }
  65         state->using_tls = using_tls;
  66
  67         status = auth_context_create(state, ev, msg, lp_ctx,
  68                                      &state->auth_context);
  69         if (tevent_req_nterror(req, status)) {
  70                 return tevent_req_post(req, ev);
  71         }
  72
  73         user_info = talloc_zero(state, struct auth_usersupplied_info);
  74         if (tevent_req_nomem(user_info, req)) {
  75                 return tevent_req_post(req, ev);
  76         }
  77         state->user_info = user_info;
  78
  79         user_info->client.account_name = dn;
  80         /* No client.domain_name, use account_name instead */
  81         /* user_info->mapped.* will be filled below */
  82
  83         user_info->workstation_name = NULL;
  84
  85         user_info->remote_host = remote_address;
  86         user_info->local_host = local_address;
  87
  88         user_info->service_description = "LDAP";
  89
  90         if (using_tls) {
  91                 user_info->auth_description = "simple bind";
  92         } else {
  93                 user_info->auth_description = "simple bind/TLS";
  94         }
  95
  96         user_info->password_state = AUTH_PASSWORD_PLAIN;
  97         user_info->password.plaintext = talloc_strdup(user_info, password);
  98         if (tevent_req_nomem(user_info->password.plaintext, req)) {
  99                 return tevent_req_post(req, ev);
 100         }
 101
 102         user_info->flags = USER_INFO_CASE_INSENSITIVE_USERNAME |
 103                 USER_INFO_DONT_CHECK_UNIX_ACCOUNT;
 104
 105         user_info->logon_parameters =
 106                 MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT |
 107                 MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT |
 108                 MSV1_0_CLEARTEXT_PASSWORD_ALLOWED |
 109                 MSV1_0_CLEARTEXT_PASSWORD_SUPPLIED;
 110
 111         status = crack_auto_name_to_nt4_name(state, state->auth_context->sam_ctx,
 112                                              dn, &nt4_domain, &nt4_username);
 113         if (!NT_STATUS_IS_OK(status)) {
 114                 log_authentication_event(msg, lp_ctx,
 115                                          &state->auth_context->start_time,
 116                                          user_info, status,
 117                                          NULL, NULL, NULL, NULL);
 118         }
 119         if (tevent_req_nterror(req, status)) {
 120                 return tevent_req_post(req, ev);
 121         }
 122
 123         user_info->mapped.account_name = nt4_username;
 124         user_info->mapped.domain_name = nt4_domain;
 125         user_info->mapped_state = true;
 126
 127         subreq = auth_check_password_send(state, ev,
 128                                           state->auth_context,
 129                                           state->user_info);
 130         if (tevent_req_nomem(subreq, req)) {
 131                 return tevent_req_post(req, ev);
 132         }
 133         tevent_req_set_callback(subreq, authenticate_ldap_simple_bind_done, req);
 134
 135         return req;
 136 }
 137
 138 static void authenticate_ldap_simple_bind_done(struct tevent_req *subreq)
 139 {
 140         struct tevent_req *req =
 141                 tevent_req_callback_data(subreq,
 142                 struct tevent_req);
 143         struct authenticate_ldap_simple_bind_state *state =
 144                 tevent_req_data(req,
 145                 struct authenticate_ldap_simple_bind_state);
 146         struct auth4_context *auth_context = state->auth_context;
 147         struct auth_usersupplied_info *user_info = state->user_info;
 148         const char *nt4_username = user_info->mapped.account_name;
 149         const struct tsocket_address *remote_address = user_info->remote_host;
 150         const struct tsocket_address *local_address = user_info->local_host;
 151         const char *transport_protection = AUTHZ_TRANSPORT_PROTECTION_NONE;
 152         struct auth_user_info_dc *user_info_dc = NULL;
 153         uint8_t authoritative = 0;
 154         uint32_t flags = 0;
 155         NTSTATUS nt_status;
 156
 157         if (state->using_tls) {
 158                 transport_protection = AUTHZ_TRANSPORT_PROTECTION_TLS;
 159         }
 160
 161         nt_status = auth_check_password_recv(subreq, state,
 162                                              &user_info_dc,
 163                                              &authoritative);
 164         TALLOC_FREE(subreq);
 165         if (tevent_req_nterror(req, nt_status)) {
 166                 return;
 167         }
 168
 169         flags = AUTH_SESSION_INFO_DEFAULT_GROUPS;
 170         if (user_info_dc->info->authenticated) {
 171                 flags |= AUTH_SESSION_INFO_AUTHENTICATED;
 172         }
 173
 174         nt_status = auth_context->generate_session_info(auth_context,
 175                                                         state,
 176                                                         user_info_dc,
 177                                                         nt4_username,
 178                                                         flags,
 179                                                         &state->session_info);
 180         if (tevent_req_nterror(req, nt_status)) {
 181                 return;
 182         }
 183
 184         log_successful_authz_event(auth_context->msg_ctx,
 185                                    auth_context->lp_ctx,
 186                                    remote_address,
 187                                    local_address,
 188                                    "LDAP",
 189                                    "simple bind",
 190                                    transport_protection,
 191                                    state->session_info);
 192
 193         tevent_req_done(req);
 194 }
 195
 196 _PUBLIC_ NTSTATUS authenticate_ldap_simple_bind_recv(struct tevent_req *req,
 197                                         TALLOC_CTX *mem_ctx,
 198                                         struct auth_session_info **session_info)
 199 {
 200         struct authenticate_ldap_simple_bind_state *state =
 201                 tevent_req_data(req,
 202                 struct authenticate_ldap_simple_bind_state);
 203         NTSTATUS status;
 204
 205         *session_info = NULL;
 206
 207         if (tevent_req_is_nterror(req, &status)) {
 208                 tevent_req_received(req);
 209                 return status;
 210         }
 211
 212         *session_info = talloc_move(mem_ctx, &state->session_info);
 213         tevent_req_received(req);
 214         return NT_STATUS_OK;
 215 }