From: Stefan Metzmacher Date: Thu, 11 May 2017 16:53:06 +0000 (+0200) Subject: s4:auth: make authenticate_ldap_simple_bind*() use auth_check_password_send/recv X-Git-Tag: ldb-1.1.31~53 X-Git-Url: http://git.samba.org/?p=samba.git;a=commitdiff_plain;h=c0fa0b88d033e374cd28730d435b5ed0e6af2ff9 s4:auth: make authenticate_ldap_simple_bind*() use auth_check_password_send/recv Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett
---
diff --git a/source4/auth/ntlm/auth_simple.c b/source4/auth/ntlm/auth_simple.c
index 142bd401c9f..c3bc25acae5 100644
--- a/source4/auth/ntlm/auth_simple.c
+++ b/source4/auth/ntlm/auth_simple.c
@@ -28,9 +28,14 @@
 #include "dsdb/samdb/samdb.h"
 struct authenticate_ldap_simple_bind_state {
+ bool using_tls;
+ struct auth4_context *auth_context;
+ struct auth_usersupplied_info *user_info;
 struct auth_session_info *session_info;
 };
+static void authenticate_ldap_simple_bind_done(struct tevent_req *subreq);
+
 _PUBLIC_ struct tevent_req *authenticate_ldap_simple_bind_send(TALLOC_CTX *mem_ctx,
 struct tevent_context *ev,
 struct imessaging_context *msg,
@@ -43,6 +48,10 @@ _PUBLIC_ struct tevent_req *authenticate_ldap_simple_bind_send(TALLOC_CTX *mem_c
 {
 struct tevent_req *req = NULL;
 struct authenticate_ldap_simple_bind_state *state = NULL;
+ struct auth_usersupplied_info *user_info = NULL;
+ const char *nt4_domain = NULL;
+ const char *nt4_username = NULL;
+ struct tevent_req *subreq = NULL;
 NTSTATUS status;
 req = tevent_req_create(mem_ctx, &state, 
@@ -50,76 +59,23 @@ _PUBLIC_ struct tevent_req *authenticate_ldap_simple_bind_send(TALLOC_CTX *mem_c
 if (req == NULL) {
 return NULL;
 }
+ state->using_tls = using_tls;
- status = authenticate_ldap_simple_bind(state, ev, msg, lp_ctx,
- remote_address,
- local_address,
- using_tls,
- dn, password,
- &state->session_info);
+ status = auth_context_create(state, ev, msg, lp_ctx,
+ &state->auth_context);
 if (tevent_req_nterror(req, status)) {
 return tevent_req_post(req, ev);
 }
- tevent_req_done(req);
- return tevent_req_post(req, ev);
-}
-
-_PUBLIC_ NTSTATUS authenticate_ldap_simple_bind(TALLOC_CTX *mem_ctx,
- struct tevent_context *ev,
- struct imessaging_context *msg,
- struct loadparm_context *lp_ctx,
- struct tsocket_address *remote_address,
- struct tsocket_address *local_address,
- bool using_tls,
- const char *dn,
- const char *password,
- struct auth_session_info **session_info)
-{
- struct auth4_context *auth_context;
- struct auth_usersupplied_info *user_info;
- struct auth_user_info_dc *user_info_dc;
- NTSTATUS nt_status;
- uint8_t authoritative = 0;
- TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
- const char *nt4_domain = NULL;
- const char *nt4_username = NULL;
- uint32_t flags = 0;
- const char *transport_protection = AUTHZ_TRANSPORT_PROTECTION_NONE;
- if (using_tls) {
- transport_protection = AUTHZ_TRANSPORT_PROTECTION_TLS;
- }
-
- if (!tmp_ctx) {
- return NT_STATUS_NO_MEMORY;
- }
-
- nt_status = auth_context_create(tmp_ctx,
- ev, msg,
- lp_ctx,
- &auth_context);
- if (!NT_STATUS_IS_OK(nt_status)) {
- talloc_free(tmp_ctx);
- return nt_status;
- }
-
- /*
- * We check the error after building the user_info so we can
- * log a failure to find the user correctly
- */
- nt_status = crack_auto_name_to_nt4_name(tmp_ctx, ev, lp_ctx, dn,
- &nt4_domain, &nt4_username);
-
- user_info = talloc_zero(tmp_ctx, struct auth_usersupplied_info);
- if (!user_info) {
- talloc_free(tmp_ctx);
- return NT_STATUS_NO_MEMORY;
+ user_info = talloc_zero(state, struct auth_usersupplied_info);
+ if (tevent_req_nomem(user_info, req)) {
+ return tevent_req_post(req, ev);
 }
+ state->user_info = user_info;
 user_info->client.account_name = dn;
 /* No client.domain_name, use account_name instead */
- user_info->mapped.account_name = nt4_username;
- user_info->mapped.domain_name = nt4_domain;
+ /* user_info->mapped.* will be filled below */
 user_info->workstation_name = NULL;
@@ -136,6 +92,9 @@ _PUBLIC_ NTSTATUS authenticate_ldap_simple_bind(TALLOC_CTX *mem_ctx,
 user_info->password_state = AUTH_PASSWORD_PLAIN;
 user_info->password.plaintext = talloc_strdup(user_info, password);
+ if (tevent_req_nomem(user_info->password.plaintext, req)) {
+ return tevent_req_post(req, ev);
+ }
 user_info->flags = USER_INFO_CASE_INSENSITIVE_USERNAME |
 USER_INFO_DONT_CHECK_UNIX_ACCOUNT;
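Review bot: The replacement comment `/* user_info->mapped.* will be filled below */` in authenticate_ldap_simple_bind_send() says neither where nor why, while the comment that explained the ordering was deleted together with the synchronous authenticate_ldap_simple_bind(). Suggest `/* mapped.account_name/domain_name are set after crack_auto_name_to_nt4_name() below */` so a reader does not look for them in this initialisation block. Removing a `_PUBLIC_` function also requires dropping its prototype wherever it is declared; no header is part of this diff, so I cannot tell whether that was done in the same commit. The body of authenticate_ldap_simple_bind_send() continues past the end of this hunk.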
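Review bot: `user_info->password.plaintext = talloc_strdup(user_info, password);` now hangs off `state` through `state->user_info` (the field added to the struct at the top of the file), so the cleartext copy lives until the caller frees the request, whereas before it was released with `tmp_ctx` before the function returned; neither the old nor the new code wipes the buffer before it is freed. Consider a talloc destructor on `user_info` that zeroes `password.plaintext` on release, or at least a comment at this line making the longer lifetime explicit: `/* cleartext copy is owned by the request state and lives until the caller frees it */`. The enclosing authenticate_ldap_simple_bind_send() begins and ends outside this hunk.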
@@ -146,39 +105,76 @@ _PUBLIC_ NTSTATUS authenticate_ldap_simple_bind(TALLOC_CTX *mem_ctx,
 MSV1_0_CLEARTEXT_PASSWORD_ALLOWED |
 MSV1_0_CLEARTEXT_PASSWORD_SUPPLIED;
- /* This is a check for the crack names call above */
- if (!NT_STATUS_IS_OK(nt_status)) {
- log_authentication_event(auth_context->msg_ctx,
- auth_context->lp_ctx,
- user_info, nt_status,
+ status = crack_auto_name_to_nt4_name(state, ev, lp_ctx, dn,
+ &nt4_domain, &nt4_username);
+ if (!NT_STATUS_IS_OK(status)) {
+ log_authentication_event(msg, lp_ctx,
+ user_info, status,
 NULL, NULL, NULL, NULL);
- talloc_free(tmp_ctx);
- return nt_status;
+ }
+ if (tevent_req_nterror(req, status)) {
+ return tevent_req_post(req, ev);
 }
- /* Now that we have checked if the crack names worked, set mapped_state */
+ user_info->mapped.account_name = nt4_username;
+ user_info->mapped.domain_name = nt4_domain;
 user_info->mapped_state = true;
- nt_status = auth_check_password(auth_context, tmp_ctx, user_info,
- &user_info_dc, &authoritative);
- if (!NT_STATUS_IS_OK(nt_status)) {
- talloc_free(tmp_ctx);
- return nt_status;
+ subreq = auth_check_password_send(state, ev,
+ state->auth_context,
+ state->user_info);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, authenticate_ldap_simple_bind_done, req);
+
+ return req;
+}
+
+static void authenticate_ldap_simple_bind_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req =
+ tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct authenticate_ldap_simple_bind_state *state =
+ tevent_req_data(req,
+ struct authenticate_ldap_simple_bind_state);
+ struct auth4_context *auth_context = state->auth_context;
+ struct auth_usersupplied_info *user_info = state->user_info;
+ const char *nt4_username = user_info->mapped.account_name;
+ const struct tsocket_address *remote_address = user_info->remote_host;
+ const struct tsocket_address *local_address = user_info->local_host;
+ const char *transport_protection = AUTHZ_TRANSPORT_PROTECTION_NONE;
+ struct auth_user_info_dc *user_info_dc = NULL;
+ uint8_t authoritative = 0;
+ uint32_t flags = 0;
+ NTSTATUS nt_status;
+
+ if (state->using_tls) {
+ transport_protection = AUTHZ_TRANSPORT_PROTECTION_TLS;
+ }
+
+ nt_status = auth_check_password_recv(subreq, state,
+ &user_info_dc,
+ &authoritative);
+ TALLOC_FREE(subreq);
+ if (tevent_req_nterror(req, nt_status)) {
+ return;
 }
 flags = AUTH_SESSION_INFO_DEFAULT_GROUPS;
 if (user_info_dc->info->authenticated) {
 flags |= AUTH_SESSION_INFO_AUTHENTICATED;
 }
+
 nt_status = auth_context->generate_session_info(auth_context,
- tmp_ctx,
+ state,
 user_info_dc,
 nt4_username,
 flags,
- session_info);
-
- if (NT_STATUS_IS_OK(nt_status)) {
- talloc_steal(mem_ctx, *session_info);
+ &state->session_info);
+ if (tevent_req_nterror(req, nt_status)) {
+ return;
 }
 log_successful_authz_event(auth_context->msg_ctx,
@@ -188,10 +184,9 @@ _PUBLIC_ NTSTATUS authenticate_ldap_simple_bind(TALLOC_CTX *mem_ctx,
 "LDAP",
 "simple bind",
 transport_protection,
- *session_info);
+ state->session_info);
- talloc_free(tmp_ctx);
- return nt_status;
+ tevent_req_done(req);
 }
 _PUBLIC_ NTSTATUS authenticate_ldap_simple_bind_recv(struct tevent_req *req,
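Review bot: The reason name cracking is done only after `user_info` has been built — so that a failed lookup can be logged through `log_authentication_event()` with the user's details — was carried by the deleted `/* We check the error after building the user_info ... */` comment and is not restated at the new `crack_auto_name_to_nt4_name()` call in authenticate_ldap_simple_bind_send(); the earlier `/* user_info->mapped.* will be filled below */` does not explain the ordering either. Suggest placing `/* Crack the name only now, so a failed lookup is logged with the user_info built above */` directly above the new call. In authenticate_ldap_simple_bind_done(), `remote_address` and `local_address` are read back from `user_info->remote_host` / `user_info->local_host` instead of arriving as parameters, which presumes the unchanged part of _send() stores both; that part is not in this hunk, so a one-line comment at those two declarations saying they come from the stored user_info would help the next reader.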