2 Unix SMB/CIFS implementation.
6 Copyright (C) Andrew Tridgell 2005
7 Copyright (C) Volker Lendecke 2004
8 Copyright (C) Stefan Metzmacher 2004
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "system/network.h"
26 #include "lib/events/events.h"
27 #include "auth/auth.h"
28 #include "auth/credentials/credentials.h"
29 #include "librpc/gen_ndr/ndr_samr.h"
30 #include "../lib/util/dlinklist.h"
31 #include "../lib/util/asn1.h"
32 #include "ldap_server/ldap_server.h"
33 #include "samba/service_task.h"
34 #include "samba/service_stream.h"
35 #include "samba/service.h"
36 #include "samba/process_model.h"
37 #include "lib/tls/tls.h"
38 #include "lib/messaging/irpc.h"
40 #include <ldb_errors.h>
41 #include "libcli/ldap/ldap_proto.h"
42 #include "system/network.h"
43 #include "lib/socket/netif.h"
44 #include "dsdb/samdb/samdb.h"
45 #include "param/param.h"
46 #include "../lib/tsocket/tsocket.h"
47 #include "../lib/util/tevent_ntstatus.h"
48 #include "../libcli/util/tstream.h"
49 #include "libds/common/roles.h"
50 #include "lib/util/time.h"
51 #include "lib/util/server_id.h"
52 #include "lib/util/server_id_db.h"
53 #include "lib/messaging/messaging_internal.h"
57 static void ldapsrv_terminate_connection_done(struct tevent_req *subreq);
60 close the socket and shutdown a server_context
62 static void ldapsrv_terminate_connection(struct ldapsrv_connection *conn,
65 struct tevent_req *subreq;
67 if (conn->limits.reason) {
71 DLIST_REMOVE(conn->service->connections, conn);
73 conn->limits.endtime = timeval_current_ofs(0, 500);
75 tevent_queue_stop(conn->sockets.send_queue);
76 TALLOC_FREE(conn->sockets.read_req);
77 TALLOC_FREE(conn->deferred_expire_disconnect);
78 if (conn->active_call) {
79 tevent_req_cancel(conn->active_call);
80 conn->active_call = NULL;
83 conn->limits.reason = talloc_strdup(conn, reason);
84 if (conn->limits.reason == NULL) {
85 TALLOC_FREE(conn->sockets.tls);
86 TALLOC_FREE(conn->sockets.sasl);
87 TALLOC_FREE(conn->sockets.raw);
88 stream_terminate_connection(conn->connection, reason);
92 subreq = tstream_disconnect_send(conn,
93 conn->connection->event.ctx,
94 conn->sockets.active);
96 TALLOC_FREE(conn->sockets.tls);
97 TALLOC_FREE(conn->sockets.sasl);
98 TALLOC_FREE(conn->sockets.raw);
99 stream_terminate_connection(conn->connection, reason);
102 tevent_req_set_endtime(subreq,
103 conn->connection->event.ctx,
104 conn->limits.endtime);
105 tevent_req_set_callback(subreq, ldapsrv_terminate_connection_done, conn);
108 static void ldapsrv_terminate_connection_done(struct tevent_req *subreq)
110 struct ldapsrv_connection *conn =
111 tevent_req_callback_data(subreq,
112 struct ldapsrv_connection);
116 tstream_disconnect_recv(subreq, &sys_errno);
119 if (conn->sockets.active == conn->sockets.raw) {
120 TALLOC_FREE(conn->sockets.tls);
121 TALLOC_FREE(conn->sockets.sasl);
122 TALLOC_FREE(conn->sockets.raw);
123 stream_terminate_connection(conn->connection,
124 conn->limits.reason);
128 TALLOC_FREE(conn->sockets.tls);
129 TALLOC_FREE(conn->sockets.sasl);
130 conn->sockets.active = conn->sockets.raw;
132 subreq = tstream_disconnect_send(conn,
133 conn->connection->event.ctx,
134 conn->sockets.active);
135 if (subreq == NULL) {
136 TALLOC_FREE(conn->sockets.raw);
137 stream_terminate_connection(conn->connection,
138 conn->limits.reason);
141 ok = tevent_req_set_endtime(subreq,
142 conn->connection->event.ctx,
143 conn->limits.endtime);
145 TALLOC_FREE(conn->sockets.raw);
146 stream_terminate_connection(conn->connection,
147 conn->limits.reason);
150 tevent_req_set_callback(subreq, ldapsrv_terminate_connection_done, conn);
154 called when a LDAP socket becomes readable
156 void ldapsrv_recv(struct stream_connection *c, uint16_t flags)
158 smb_panic(__location__);
162 called when a LDAP socket becomes writable
164 static void ldapsrv_send(struct stream_connection *c, uint16_t flags)
166 smb_panic(__location__);
169 static int ldapsrv_load_limits(struct ldapsrv_connection *conn)
172 const char *attrs[] = { "configurationNamingContext", NULL };
173 const char *attrs2[] = { "lDAPAdminLimits", NULL };
174 struct ldb_message_element *el;
175 struct ldb_result *res = NULL;
176 struct ldb_dn *basedn;
177 struct ldb_dn *conf_dn;
178 struct ldb_dn *policy_dn;
182 /* set defaults limits in case of failure */
183 conn->limits.initial_timeout = 120;
184 conn->limits.conn_idle_time = 900;
185 conn->limits.max_page_size = 1000;
186 conn->limits.max_notifications = 5;
187 conn->limits.search_timeout = 120;
188 conn->limits.expire_time = (struct timeval) {
189 .tv_sec = get_time_t_max(),
193 tmp_ctx = talloc_new(conn);
194 if (tmp_ctx == NULL) {
198 basedn = ldb_dn_new(tmp_ctx, conn->ldb, NULL);
199 if (basedn == NULL) {
203 ret = ldb_search(conn->ldb, tmp_ctx, &res, basedn, LDB_SCOPE_BASE, attrs, NULL);
204 if (ret != LDB_SUCCESS) {
208 if (res->count != 1) {
212 conf_dn = ldb_msg_find_attr_as_dn(conn->ldb, tmp_ctx, res->msgs[0], "configurationNamingContext");
213 if (conf_dn == NULL) {
217 policy_dn = ldb_dn_copy(tmp_ctx, conf_dn);
218 ldb_dn_add_child_fmt(policy_dn, "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services");
219 if (policy_dn == NULL) {
223 ret = ldb_search(conn->ldb, tmp_ctx, &res, policy_dn, LDB_SCOPE_BASE, attrs2, NULL);
224 if (ret != LDB_SUCCESS) {
228 if (res->count != 1) {
232 el = ldb_msg_find_element(res->msgs[0], "lDAPAdminLimits");
237 for (i = 0; i < el->num_values; i++) {
238 char policy_name[256];
241 s = sscanf((const char *)el->values[i].data, "%255[^=]=%d", policy_name, &policy_value);
242 if (s != 2 || policy_value == 0)
244 if (strcasecmp("InitRecvTimeout", policy_name) == 0) {
245 conn->limits.initial_timeout = policy_value;
248 if (strcasecmp("MaxConnIdleTime", policy_name) == 0) {
249 conn->limits.conn_idle_time = policy_value;
252 if (strcasecmp("MaxPageSize", policy_name) == 0) {
253 conn->limits.max_page_size = policy_value;
256 if (strcasecmp("MaxNotificationPerConn", policy_name) == 0) {
257 conn->limits.max_notifications = policy_value;
260 if (strcasecmp("MaxQueryDuration", policy_name) == 0) {
261 if (policy_value > 0) {
262 conn->limits.search_timeout = policy_value;
271 DBG_ERR("Failed to load ldap server query policies\n");
272 talloc_free(tmp_ctx);
276 static int ldapsrv_call_destructor(struct ldapsrv_call *call)
278 if (call->conn == NULL) {
282 DLIST_REMOVE(call->conn->pending_calls, call);
288 static struct tevent_req *ldapsrv_process_call_send(TALLOC_CTX *mem_ctx,
289 struct tevent_context *ev,
290 struct tevent_queue *call_queue,
291 struct ldapsrv_call *call);
292 static NTSTATUS ldapsrv_process_call_recv(struct tevent_req *req);
294 static bool ldapsrv_call_read_next(struct ldapsrv_connection *conn);
295 static void ldapsrv_accept_tls_done(struct tevent_req *subreq);
298 initialise a server_context from a open socket and register a event handler
299 for reading from that socket
301 static void ldapsrv_accept(struct stream_connection *c,
302 struct auth_session_info *session_info,
305 struct ldapsrv_service *ldapsrv_service =
306 talloc_get_type(c->private_data, struct ldapsrv_service);
307 struct ldapsrv_connection *conn;
308 struct cli_credentials *server_credentials;
309 struct socket_address *socket_address;
312 struct tevent_req *subreq;
313 struct timeval endtime;
314 char *errstring = NULL;
316 conn = talloc_zero(c, struct ldapsrv_connection);
318 stream_terminate_connection(c, "ldapsrv_accept: out of memory");
321 conn->is_privileged = is_privileged;
323 conn->sockets.send_queue = tevent_queue_create(conn, "ldapsrv send queue");
324 if (conn->sockets.send_queue == NULL) {
325 stream_terminate_connection(c,
326 "ldapsrv_accept: tevent_queue_create failed");
330 TALLOC_FREE(c->event.fde);
332 ret = tstream_bsd_existing_socket(conn,
333 socket_get_fd(c->socket),
336 stream_terminate_connection(c,
337 "ldapsrv_accept: out of memory");
340 socket_set_flags(c->socket, SOCKET_FLAG_NOCLOSE);
341 /* as server we want to fail early */
342 tstream_bsd_fail_readv_first_error(conn->sockets.raw, true);
344 conn->connection = c;
345 conn->service = ldapsrv_service;
346 conn->lp_ctx = ldapsrv_service->lp_ctx;
348 c->private_data = conn;
350 socket_address = socket_get_my_addr(c->socket, conn);
351 if (!socket_address) {
352 ldapsrv_terminate_connection(conn, "ldapsrv_accept: failed to obtain local socket address!");
355 port = socket_address->port;
356 talloc_free(socket_address);
357 if (port == 3268 || port == 3269) /* Global catalog */ {
358 conn->global_catalog = true;
361 server_credentials = cli_credentials_init_server(conn, conn->lp_ctx);
362 if (!server_credentials) {
363 stream_terminate_connection(c, "Failed to init server credentials\n");
367 conn->server_credentials = server_credentials;
369 conn->session_info = session_info;
371 conn->sockets.active = conn->sockets.raw;
373 if (conn->is_privileged) {
374 conn->require_strong_auth = LDAP_SERVER_REQUIRE_STRONG_AUTH_NO;
376 conn->require_strong_auth = lpcfg_ldap_server_require_strong_auth(conn->lp_ctx);
379 ret = ldapsrv_backend_Init(conn, &errstring);
380 if (ret != LDB_SUCCESS) {
381 char *reason = talloc_asprintf(conn,
382 "LDB backend for LDAP Init "
384 errstring, ldb_strerror(ret));
385 ldapsrv_terminate_connection(conn, reason);
389 /* load limits from the conf partition */
390 ldapsrv_load_limits(conn); /* should we fail on error ? */
392 /* register the server */
393 irpc_add_name(c->msg_ctx, "ldap_server");
395 DLIST_ADD_END(ldapsrv_service->connections, conn);
397 if (port != 636 && port != 3269) {
398 ldapsrv_call_read_next(conn);
402 endtime = timeval_current_ofs(conn->limits.conn_idle_time, 0);
404 subreq = tstream_tls_accept_send(conn,
405 conn->connection->event.ctx,
407 conn->service->tls_params);
408 if (subreq == NULL) {
409 ldapsrv_terminate_connection(conn, "ldapsrv_accept: "
410 "no memory for tstream_tls_accept_send");
413 tevent_req_set_endtime(subreq,
414 conn->connection->event.ctx,
416 tevent_req_set_callback(subreq, ldapsrv_accept_tls_done, conn);
419 static void ldapsrv_accept_tls_done(struct tevent_req *subreq)
421 struct ldapsrv_connection *conn =
422 tevent_req_callback_data(subreq,
423 struct ldapsrv_connection);
427 ret = tstream_tls_accept_recv(subreq, &sys_errno,
428 conn, &conn->sockets.tls);
433 reason = talloc_asprintf(conn, "ldapsrv_accept_tls_loop: "
434 "tstream_tls_accept_recv() - %d:%s",
435 sys_errno, strerror(sys_errno));
437 reason = "ldapsrv_accept_tls_loop: "
438 "tstream_tls_accept_recv() - failed";
441 ldapsrv_terminate_connection(conn, reason);
445 conn->sockets.active = conn->sockets.tls;
446 conn->referral_scheme = LDAP_REFERRAL_SCHEME_LDAPS;
447 ldapsrv_call_read_next(conn);
450 static void ldapsrv_call_read_done(struct tevent_req *subreq);
451 static NTSTATUS ldapsrv_packet_check(
452 struct tstream_context *stream,
455 size_t *packet_size);
457 static bool ldapsrv_call_read_next(struct ldapsrv_connection *conn)
459 struct tevent_req *subreq;
461 if (conn->pending_calls != NULL) {
462 conn->limits.endtime = timeval_zero();
464 ldapsrv_notification_retry_setup(conn->service, false);
465 } else if (timeval_is_zero(&conn->limits.endtime)) {
466 conn->limits.endtime =
467 timeval_current_ofs(conn->limits.initial_timeout, 0);
469 conn->limits.endtime =
470 timeval_current_ofs(conn->limits.conn_idle_time, 0);
473 if (conn->sockets.read_req != NULL) {
478 * The minimum size of a LDAP pdu is 7 bytes
480 * dumpasn1 -hh ldap-unbind-min.dat
482 * <30 05 02 01 09 42 00>
487 * 5 0: [APPLICATION 2]
488 * : Error: Object has zero length.
491 * dumpasn1 -hh ldap-unbind-windows.dat
493 * <30 84 00 00 00 05 02 01 09 42 00>
498 * 9 0: [APPLICATION 2]
499 * : Error: Object has zero length.
502 * This means using an initial read size
505 subreq = tstream_read_pdu_blob_send(conn,
506 conn->connection->event.ctx,
507 conn->sockets.active,
508 7, /* initial_read_size */
509 ldapsrv_packet_check,
511 if (subreq == NULL) {
512 ldapsrv_terminate_connection(conn, "ldapsrv_call_read_next: "
513 "no memory for tstream_read_pdu_blob_send");
516 if (!timeval_is_zero(&conn->limits.endtime)) {
518 ok = tevent_req_set_endtime(subreq,
519 conn->connection->event.ctx,
520 conn->limits.endtime);
522 ldapsrv_terminate_connection(
524 "ldapsrv_call_read_next: "
525 "no memory for tevent_req_set_endtime");
529 tevent_req_set_callback(subreq, ldapsrv_call_read_done, conn);
530 conn->sockets.read_req = subreq;
534 static void ldapsrv_call_process_done(struct tevent_req *subreq);
535 static int ldapsrv_check_packet_size(
536 struct ldapsrv_connection *conn,
539 static void ldapsrv_call_read_done(struct tevent_req *subreq)
541 struct ldapsrv_connection *conn =
542 tevent_req_callback_data(subreq,
543 struct ldapsrv_connection);
545 struct ldapsrv_call *call;
546 struct asn1_data *asn1;
548 int ret = LDAP_SUCCESS;
549 struct ldap_request_limits limits = {0};
551 conn->sockets.read_req = NULL;
553 call = talloc_zero(conn, struct ldapsrv_call);
555 ldapsrv_terminate_connection(conn, "no memory");
558 talloc_set_destructor(call, ldapsrv_call_destructor);
562 status = tstream_read_pdu_blob_recv(subreq,
566 if (!NT_STATUS_IS_OK(status)) {
569 reason = talloc_asprintf(call, "ldapsrv_call_loop: "
570 "tstream_read_pdu_blob_recv() - %s",
573 reason = nt_errstr(status);
576 ldapsrv_terminate_connection(conn, reason);
580 ret = ldapsrv_check_packet_size(conn, blob.length);
581 if (ret != LDAP_SUCCESS) {
582 ldapsrv_terminate_connection(
584 "Request packet too large");
588 asn1 = asn1_init(call, ASN1_MAX_TREE_DEPTH);
590 ldapsrv_terminate_connection(conn, "no memory");
594 call->request = talloc(call, struct ldap_message);
595 if (call->request == NULL) {
596 ldapsrv_terminate_connection(conn, "no memory");
600 asn1_load_nocopy(asn1, blob.data, blob.length);
602 limits.max_search_size =
603 lpcfg_ldap_max_search_request_size(conn->lp_ctx);
604 status = ldap_decode(
607 samba_ldap_control_handlers(),
609 if (!NT_STATUS_IS_OK(status)) {
610 ldapsrv_terminate_connection(conn, nt_errstr(status));
614 data_blob_free(&blob);
618 /* queue the call in the global queue */
619 subreq = ldapsrv_process_call_send(call,
620 conn->connection->event.ctx,
621 conn->service->call_queue,
623 if (subreq == NULL) {
624 ldapsrv_terminate_connection(conn, "ldapsrv_process_call_send failed");
627 tevent_req_set_callback(subreq, ldapsrv_call_process_done, call);
628 conn->active_call = subreq;
631 static void ldapsrv_call_wait_done(struct tevent_req *subreq);
632 static void ldapsrv_call_writev_start(struct ldapsrv_call *call);
633 static void ldapsrv_call_writev_done(struct tevent_req *subreq);
635 static void ldapsrv_call_process_done(struct tevent_req *subreq)
637 struct ldapsrv_call *call =
638 tevent_req_callback_data(subreq,
639 struct ldapsrv_call);
640 struct ldapsrv_connection *conn = call->conn;
643 conn->active_call = NULL;
645 status = ldapsrv_process_call_recv(subreq);
647 if (!NT_STATUS_IS_OK(status)) {
648 ldapsrv_terminate_connection(conn, nt_errstr(status));
652 if (call->wait_send != NULL) {
653 subreq = call->wait_send(call,
654 conn->connection->event.ctx,
656 if (subreq == NULL) {
657 ldapsrv_terminate_connection(conn,
658 "ldapsrv_call_process_done: "
659 "call->wait_send - no memory");
662 tevent_req_set_callback(subreq,
663 ldapsrv_call_wait_done,
665 conn->active_call = subreq;
669 ldapsrv_call_writev_start(call);
672 static void ldapsrv_call_wait_done(struct tevent_req *subreq)
674 struct ldapsrv_call *call =
675 tevent_req_callback_data(subreq,
676 struct ldapsrv_call);
677 struct ldapsrv_connection *conn = call->conn;
680 conn->active_call = NULL;
682 status = call->wait_recv(subreq);
684 if (!NT_STATUS_IS_OK(status)) {
687 reason = talloc_asprintf(call, "ldapsrv_call_wait_done: "
688 "call->wait_recv() - %s",
690 if (reason == NULL) {
691 reason = nt_errstr(status);
694 ldapsrv_terminate_connection(conn, reason);
698 ldapsrv_call_writev_start(call);
701 static void ldapsrv_call_writev_start(struct ldapsrv_call *call)
703 struct ldapsrv_connection *conn = call->conn;
704 struct ldapsrv_reply *reply = NULL;
705 struct tevent_req *subreq = NULL;
706 struct timeval endtime;
712 /* build all the replies into an IOV (no copy) */
713 for (reply = call->replies;
715 reply = reply->next) {
717 /* Cap output at 25MB per writev() */
718 if (length > length + reply->blob.length
719 || length + reply->blob.length > LDAP_SERVER_MAX_CHUNK_SIZE) {
724 * Overflow is harmless here, just used below to
725 * decide if to read or write, but checked above anyway
727 length += reply->blob.length;
730 * At worst an overflow would mean we send less
737 if (!call->notification.busy) {
741 ldapsrv_call_read_next(conn);
745 /* Cap call->iov_count at IOV_MAX */
746 call->iov_count = MIN(call->iov_count, IOV_MAX);
748 call->out_iov = talloc_array(call,
751 if (!call->out_iov) {
752 /* This is not ideal */
753 ldapsrv_terminate_connection(conn,
754 "failed to allocate "
759 /* We may have had to cap the number of replies at IOV_MAX */
761 i < call->iov_count && call->replies != NULL;
763 reply = call->replies;
764 call->out_iov[i].iov_base = reply->blob.data;
765 call->out_iov[i].iov_len = reply->blob.length;
767 /* Keep only the ASN.1 encoded data */
768 talloc_steal(call->out_iov, reply->blob.data);
770 DLIST_REMOVE(call->replies, reply);
774 if (i > call->iov_count) {
775 /* This is not ideal, but also (essentially) impossible */
776 ldapsrv_terminate_connection(conn,
782 subreq = tstream_writev_queue_send(call,
783 conn->connection->event.ctx,
784 conn->sockets.active,
785 conn->sockets.send_queue,
786 call->out_iov, call->iov_count);
787 if (subreq == NULL) {
788 ldapsrv_terminate_connection(conn, "stream_writev_queue_send failed");
791 endtime = timeval_current_ofs(conn->limits.conn_idle_time, 0);
792 tevent_req_set_endtime(subreq,
793 conn->connection->event.ctx,
795 tevent_req_set_callback(subreq, ldapsrv_call_writev_done, call);
798 static void ldapsrv_call_postprocess_done(struct tevent_req *subreq);
800 static void ldapsrv_call_writev_done(struct tevent_req *subreq)
802 struct ldapsrv_call *call =
803 tevent_req_callback_data(subreq,
804 struct ldapsrv_call);
805 struct ldapsrv_connection *conn = call->conn;
809 rc = tstream_writev_queue_recv(subreq, &sys_errno);
812 /* This releases the ASN.1 encoded packets from memory */
813 TALLOC_FREE(call->out_iov);
817 reason = talloc_asprintf(call, "ldapsrv_call_writev_done: "
818 "tstream_writev_queue_recv() - %d:%s",
819 sys_errno, strerror(sys_errno));
820 if (reason == NULL) {
821 reason = "ldapsrv_call_writev_done: "
822 "tstream_writev_queue_recv() failed";
825 ldapsrv_terminate_connection(conn, reason);
829 if (call->postprocess_send) {
830 subreq = call->postprocess_send(call,
831 conn->connection->event.ctx,
832 call->postprocess_private);
833 if (subreq == NULL) {
834 ldapsrv_terminate_connection(conn, "ldapsrv_call_writev_done: "
835 "call->postprocess_send - no memory");
838 tevent_req_set_callback(subreq,
839 ldapsrv_call_postprocess_done,
844 /* Perhaps still some more to send */
845 if (call->replies != NULL) {
846 ldapsrv_call_writev_start(call);
850 if (!call->notification.busy) {
854 ldapsrv_call_read_next(conn);
857 static void ldapsrv_call_postprocess_done(struct tevent_req *subreq)
859 struct ldapsrv_call *call =
860 tevent_req_callback_data(subreq,
861 struct ldapsrv_call);
862 struct ldapsrv_connection *conn = call->conn;
865 status = call->postprocess_recv(subreq);
867 if (!NT_STATUS_IS_OK(status)) {
870 reason = talloc_asprintf(call, "ldapsrv_call_postprocess_done: "
871 "call->postprocess_recv() - %s",
873 if (reason == NULL) {
874 reason = nt_errstr(status);
877 ldapsrv_terminate_connection(conn, reason);
883 ldapsrv_call_read_next(conn);
886 static void ldapsrv_notification_retry_done(struct tevent_req *subreq);
888 void ldapsrv_notification_retry_setup(struct ldapsrv_service *service, bool force)
890 struct ldapsrv_connection *conn = NULL;
891 struct timeval retry;
892 size_t num_pending = 0;
893 size_t num_active = 0;
896 TALLOC_FREE(service->notification.retry);
897 service->notification.generation += 1;
900 if (service->notification.retry != NULL) {
904 for (conn = service->connections; conn != NULL; conn = conn->next) {
905 if (conn->pending_calls == NULL) {
911 if (conn->pending_calls->notification.generation !=
912 service->notification.generation)
918 if (num_pending == 0) {
922 if (num_active != 0) {
923 retry = timeval_current_ofs(0, 100);
925 retry = timeval_current_ofs(5, 0);
928 service->notification.retry = tevent_wakeup_send(service,
931 if (service->notification.retry == NULL) {
936 tevent_req_set_callback(service->notification.retry,
937 ldapsrv_notification_retry_done,
941 static void ldapsrv_notification_retry_done(struct tevent_req *subreq)
943 struct ldapsrv_service *service =
944 tevent_req_callback_data(subreq,
945 struct ldapsrv_service);
946 struct ldapsrv_connection *conn = NULL;
947 struct ldapsrv_connection *conn_next = NULL;
950 service->notification.retry = NULL;
952 ok = tevent_wakeup_recv(subreq);
958 for (conn = service->connections; conn != NULL; conn = conn_next) {
959 struct ldapsrv_call *call = conn->pending_calls;
961 conn_next = conn->next;
963 if (conn->pending_calls == NULL) {
967 if (conn->active_call != NULL) {
971 DLIST_DEMOTE(conn->pending_calls, call);
972 call->notification.generation =
973 service->notification.generation;
975 /* queue the call in the global queue */
976 subreq = ldapsrv_process_call_send(call,
977 conn->connection->event.ctx,
978 conn->service->call_queue,
980 if (subreq == NULL) {
981 ldapsrv_terminate_connection(conn,
982 "ldapsrv_process_call_send failed");
985 tevent_req_set_callback(subreq, ldapsrv_call_process_done, call);
986 conn->active_call = subreq;
989 ldapsrv_notification_retry_setup(service, false);
992 struct ldapsrv_process_call_state {
993 struct ldapsrv_call *call;
996 static void ldapsrv_process_call_trigger(struct tevent_req *req,
999 static struct tevent_req *ldapsrv_process_call_send(TALLOC_CTX *mem_ctx,
1000 struct tevent_context *ev,
1001 struct tevent_queue *call_queue,
1002 struct ldapsrv_call *call)
1004 struct tevent_req *req;
1005 struct ldapsrv_process_call_state *state;
1008 req = tevent_req_create(mem_ctx, &state,
1009 struct ldapsrv_process_call_state);
1016 ok = tevent_queue_add(call_queue, ev, req,
1017 ldapsrv_process_call_trigger, NULL);
1019 tevent_req_oom(req);
1020 return tevent_req_post(req, ev);
1026 static void ldapsrv_disconnect_ticket_expired(struct tevent_req *subreq);
1028 static void ldapsrv_process_call_trigger(struct tevent_req *req,
1031 struct ldapsrv_process_call_state *state =
1032 tevent_req_data(req,
1033 struct ldapsrv_process_call_state);
1034 struct ldapsrv_connection *conn = state->call->conn;
1037 if (conn->deferred_expire_disconnect != NULL) {
1039 * Just drop this on the floor
1041 tevent_req_done(req);
1046 status = ldapsrv_do_call(state->call);
1048 if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_SESSION_EXPIRED)) {
1050 * For testing purposes, defer the TCP disconnect
1051 * after having sent the msgid 0
1052 * 1.3.6.1.4.1.1466.20036 exop response. LDAP clients
1053 * should not wait for the TCP connection to close but
1054 * handle this packet equivalent to a TCP
1055 * disconnect. This delay enables testing both cases
1056 * in LDAP client libraries.
1059 int defer_msec = lpcfg_parm_int(
1063 "delay_expire_disconnect",
1066 conn->deferred_expire_disconnect = tevent_wakeup_send(
1068 conn->connection->event.ctx,
1069 timeval_current_ofs_msec(defer_msec));
1070 if (tevent_req_nomem(conn->deferred_expire_disconnect, req)) {
1073 tevent_req_set_callback(
1074 conn->deferred_expire_disconnect,
1075 ldapsrv_disconnect_ticket_expired,
1078 tevent_req_done(req);
1082 if (!NT_STATUS_IS_OK(status)) {
1083 tevent_req_nterror(req, status);
1087 tevent_req_done(req);
1090 static void ldapsrv_disconnect_ticket_expired(struct tevent_req *subreq)
1092 struct ldapsrv_connection *conn = tevent_req_callback_data(
1093 subreq, struct ldapsrv_connection);
1096 ok = tevent_wakeup_recv(subreq);
1097 TALLOC_FREE(subreq);
1099 DBG_WARNING("tevent_wakeup_recv failed\n");
1101 conn->deferred_expire_disconnect = NULL;
1102 ldapsrv_terminate_connection(conn, "network session expired");
1105 static NTSTATUS ldapsrv_process_call_recv(struct tevent_req *req)
1109 if (tevent_req_is_nterror(req, &status)) {
1110 tevent_req_received(req);
1114 tevent_req_received(req);
1115 return NT_STATUS_OK;
1118 static void ldapsrv_accept_nonpriv(struct stream_connection *c)
1120 struct ldapsrv_service *ldapsrv_service = talloc_get_type_abort(
1121 c->private_data, struct ldapsrv_service);
1122 struct auth_session_info *session_info;
1125 status = auth_anonymous_session_info(
1126 c, ldapsrv_service->lp_ctx, &session_info);
1127 if (!NT_STATUS_IS_OK(status)) {
1128 stream_terminate_connection(c, "failed to setup anonymous "
1132 ldapsrv_accept(c, session_info, false);
1135 static const struct stream_server_ops ldap_stream_nonpriv_ops = {
1137 .accept_connection = ldapsrv_accept_nonpriv,
1138 .recv_handler = ldapsrv_recv,
1139 .send_handler = ldapsrv_send,
1142 static void ldapsrv_accept_nonpriv_ldapi(struct stream_connection *c)
1144 struct ldapsrv_service *ldapsrv_service = talloc_get_type_abort(
1145 c->private_data, struct ldapsrv_service);
1146 struct auth_session_info *session_info;
1149 status = auth_anonymous_session_info(
1150 c, ldapsrv_service->lp_ctx, &session_info);
1151 if (!NT_STATUS_IS_OK(status)) {
1152 stream_terminate_connection(c, "failed to setup anonymous "
1156 ldapsrv_accept(c, session_info, false);
1159 static const struct stream_server_ops ldapi_stream_nonpriv_ops = {
1161 .accept_connection = ldapsrv_accept_nonpriv_ldapi,
1162 .recv_handler = ldapsrv_recv,
1163 .send_handler = ldapsrv_send,
1166 /* The feature removed behind an #ifdef until we can do it properly
1167 * with an EXTERNAL bind. */
1169 #define WITH_LDAPI_PRIV_SOCKET
1171 #ifdef WITH_LDAPI_PRIV_SOCKET
1172 static void ldapsrv_accept_priv_ldapi(struct stream_connection *c)
1174 struct ldapsrv_service *ldapsrv_service = talloc_get_type_abort(
1175 c->private_data, struct ldapsrv_service);
1176 struct auth_session_info *session_info;
1178 session_info = system_session(ldapsrv_service->lp_ctx);
1179 if (!session_info) {
1180 stream_terminate_connection(c, "failed to setup system "
1184 ldapsrv_accept(c, session_info, true);
1187 static const struct stream_server_ops ldapi_stream_priv_ops = {
1189 .accept_connection = ldapsrv_accept_priv_ldapi,
1190 .recv_handler = ldapsrv_recv,
1191 .send_handler = ldapsrv_send,
1198 add a socket address to the list of events, one event per port
1200 static NTSTATUS add_socket(struct task_server *task,
1201 struct loadparm_context *lp_ctx,
1202 const struct model_ops *model_ops,
1203 const char *address, struct ldapsrv_service *ldap_service)
1205 uint16_t port = 389;
1207 struct ldb_context *ldb;
1209 status = stream_setup_socket(task, task->event_ctx, lp_ctx,
1210 model_ops, &ldap_stream_nonpriv_ops,
1211 "ip", address, &port,
1212 lpcfg_socket_options(lp_ctx),
1213 ldap_service, task->process_context);
1214 if (!NT_STATUS_IS_OK(status)) {
1215 DBG_ERR("ldapsrv failed to bind to %s:%u - %s\n",
1216 address, port, nt_errstr(status));
1220 if (tstream_tls_params_enabled(ldap_service->tls_params)) {
1221 /* add ldaps server */
1223 status = stream_setup_socket(task, task->event_ctx, lp_ctx,
1225 &ldap_stream_nonpriv_ops,
1226 "ip", address, &port,
1227 lpcfg_socket_options(lp_ctx),
1229 task->process_context);
1230 if (!NT_STATUS_IS_OK(status)) {
1231 DBG_ERR("ldapsrv failed to bind to %s:%u - %s\n",
1232 address, port, nt_errstr(status));
1237 /* Load LDAP database, but only to read our settings */
1238 ldb = samdb_connect(ldap_service,
1239 ldap_service->current_ev,
1241 system_session(lp_ctx),
1245 return NT_STATUS_INTERNAL_DB_CORRUPTION;
1248 if (samdb_is_gc(ldb)) {
1250 status = stream_setup_socket(task, task->event_ctx, lp_ctx,
1252 &ldap_stream_nonpriv_ops,
1253 "ip", address, &port,
1254 lpcfg_socket_options(lp_ctx),
1256 task->process_context);
1257 if (!NT_STATUS_IS_OK(status)) {
1258 DBG_ERR("ldapsrv failed to bind to %s:%u - %s\n",
1259 address, port, nt_errstr(status));
1262 if (tstream_tls_params_enabled(ldap_service->tls_params)) {
1263 /* add ldaps server for the global catalog */
1265 status = stream_setup_socket(task, task->event_ctx, lp_ctx,
1267 &ldap_stream_nonpriv_ops,
1268 "ip", address, &port,
1269 lpcfg_socket_options(lp_ctx),
1271 task->process_context);
1272 if (!NT_STATUS_IS_OK(status)) {
1273 DBG_ERR("ldapsrv failed to bind to %s:%u - %s\n",
1274 address, port, nt_errstr(status));
1280 /* And once we are bound, free the temporary ldb, it will
1281 * connect again on each incoming LDAP connection */
1282 talloc_unlink(ldap_service, ldb);
1284 return NT_STATUS_OK;
1287 static void ldap_reload_certs(struct imessaging_context *msg_ctx,
1290 struct server_id server_id,
1295 TALLOC_CTX *frame = talloc_stackframe();
1296 struct ldapsrv_service *ldap_service =
1297 talloc_get_type_abort(private_data,
1298 struct ldapsrv_service);
1299 int default_children;
1303 struct server_id ldap_master_id;
1305 struct tstream_tls_params *new_tls_params = NULL;
1307 SMB_ASSERT(msg_ctx == ldap_service->current_msg);
1309 /* reload certificates */
1310 status = tstream_tls_params_server(ldap_service,
1311 ldap_service->dns_host_name,
1312 lpcfg_tls_enabled(ldap_service->lp_ctx),
1313 lpcfg_tls_keyfile(frame, ldap_service->lp_ctx),
1314 lpcfg_tls_certfile(frame, ldap_service->lp_ctx),
1315 lpcfg_tls_cafile(frame, ldap_service->lp_ctx),
1316 lpcfg_tls_crlfile(frame, ldap_service->lp_ctx),
1317 lpcfg_tls_dhpfile(frame, ldap_service->lp_ctx),
1318 lpcfg_tls_priority(ldap_service->lp_ctx),
1320 if (!NT_STATUS_IS_OK(status)) {
1321 DBG_ERR("ldapsrv failed tstream_tls_params_server - %s\n",
1327 TALLOC_FREE(ldap_service->tls_params);
1328 ldap_service->tls_params = new_tls_params;
1330 if (getpid() != ldap_service->parent_pid) {
1332 * If we are not the master process we are done
1339 * Check we're running under the prefork model,
1340 * by checking if the prefork-master-ldap name
1343 ok = server_id_db_lookup_one(msg_ctx->names, "prefork-master-ldap", &ldap_master_id);
1346 * We are done if another process model is in use.
1353 * Now we loop over all possible prefork workers
1354 * in order to notify them about the reload
1356 default_children = lpcfg_prefork_children(ldap_service->lp_ctx);
1357 num_children = lpcfg_parm_int(ldap_service->lp_ctx,
1358 NULL, "prefork children", "ldap",
1360 for (i = 0; i < num_children; i++) {
1361 char child_name[64] = { 0, };
1362 struct server_id ldap_worker_id;
1364 snprintf(child_name, sizeof(child_name), "prefork-worker-ldap-%d", i);
1365 ok = server_id_db_lookup_one(msg_ctx->names, child_name, &ldap_worker_id);
1367 DBG_ERR("server_id_db_lookup_one(%s) - failed\n",
1372 status = imessaging_send(msg_ctx, ldap_worker_id,
1373 MSG_RELOAD_TLS_CERTIFICATES, NULL);
1374 if (!NT_STATUS_IS_OK(status)) {
1375 struct server_id_buf id_buf;
1376 DBG_ERR("ldapsrv failed imessaging_send(%s, %s) - %s\n",
1378 server_id_str_buf(ldap_worker_id, &id_buf),
1388 open the ldap server sockets
1390 static NTSTATUS ldapsrv_task_init(struct task_server *task)
1393 #ifdef WITH_LDAPI_PRIV_SOCKET
1396 struct ldapsrv_service *ldap_service;
1399 switch (lpcfg_server_role(task->lp_ctx)) {
1400 case ROLE_STANDALONE:
1401 task_server_terminate(task, "ldap_server: no LDAP server required in standalone configuration",
1403 return NT_STATUS_INVALID_DOMAIN_ROLE;
1404 case ROLE_DOMAIN_MEMBER:
1405 task_server_terminate(task, "ldap_server: no LDAP server required in member server configuration",
1407 return NT_STATUS_INVALID_DOMAIN_ROLE;
1408 case ROLE_ACTIVE_DIRECTORY_DC:
1409 /* Yes, we want an LDAP server */
1413 task_server_set_title(task, "task[ldapsrv]");
1415 ldap_service = talloc_zero(task, struct ldapsrv_service);
1416 if (ldap_service == NULL) {
1417 status = NT_STATUS_NO_MEMORY;
1421 ldap_service->lp_ctx = task->lp_ctx;
1422 ldap_service->current_ev = task->event_ctx;
1423 ldap_service->current_msg = task->msg_ctx;
1425 ldap_service->dns_host_name = talloc_asprintf(ldap_service, "%s.%s",
1426 lpcfg_netbios_name(task->lp_ctx),
1427 lpcfg_dnsdomain(task->lp_ctx));
1428 if (ldap_service->dns_host_name == NULL) {
1429 status = NT_STATUS_NO_MEMORY;
1433 ldap_service->parent_pid = getpid();
1435 status = tstream_tls_params_server(ldap_service,
1436 ldap_service->dns_host_name,
1437 lpcfg_tls_enabled(task->lp_ctx),
1438 lpcfg_tls_keyfile(ldap_service, task->lp_ctx),
1439 lpcfg_tls_certfile(ldap_service, task->lp_ctx),
1440 lpcfg_tls_cafile(ldap_service, task->lp_ctx),
1441 lpcfg_tls_crlfile(ldap_service, task->lp_ctx),
1442 lpcfg_tls_dhpfile(ldap_service, task->lp_ctx),
1443 lpcfg_tls_priority(task->lp_ctx),
1444 &ldap_service->tls_params);
1445 if (!NT_STATUS_IS_OK(status)) {
1446 DBG_ERR("ldapsrv failed tstream_tls_params_server - %s\n",
1451 ldap_service->call_queue = tevent_queue_create(ldap_service, "ldapsrv_call_queue");
1452 if (ldap_service->call_queue == NULL) {
1453 status = NT_STATUS_NO_MEMORY;
1457 if (lpcfg_interfaces(task->lp_ctx) && lpcfg_bind_interfaces_only(task->lp_ctx)) {
1458 struct interface *ifaces;
1462 load_interface_list(task, task->lp_ctx, &ifaces);
1463 num_interfaces = iface_list_count(ifaces);
1465 /* We have been given an interfaces line, and been
1466 told to only bind to those interfaces. Create a
1467 socket per interface and bind to only these.
1469 for(i = 0; i < num_interfaces; i++) {
1470 const char *address = iface_list_n_ip(ifaces, i);
1471 status = add_socket(task, task->lp_ctx, task->model_ops,
1472 address, ldap_service);
1473 if (!NT_STATUS_IS_OK(status)) goto failed;
1478 size_t num_binds = 0;
1479 wcard = iface_list_wildcard(task);
1480 if (wcard == NULL) {
1481 DBG_ERR("No wildcard addresses available\n");
1482 status = NT_STATUS_UNSUCCESSFUL;
1485 for (i=0; wcard[i]; i++) {
1486 status = add_socket(task, task->lp_ctx, task->model_ops,
1487 wcard[i], ldap_service);
1488 if (NT_STATUS_IS_OK(status)) {
1493 if (num_binds == 0) {
1494 status = NT_STATUS_UNSUCCESSFUL;
1499 ldapi_path = lpcfg_private_path(ldap_service, task->lp_ctx, "ldapi");
1501 status = NT_STATUS_UNSUCCESSFUL;
1505 status = stream_setup_socket(task, task->event_ctx, task->lp_ctx,
1506 task->model_ops, &ldapi_stream_nonpriv_ops,
1507 "unix", ldapi_path, NULL,
1508 lpcfg_socket_options(task->lp_ctx),
1509 ldap_service, task->process_context);
1510 talloc_free(ldapi_path);
1511 if (!NT_STATUS_IS_OK(status)) {
1512 DBG_ERR("ldapsrv failed to bind to %s - %s\n",
1513 ldapi_path, nt_errstr(status));
1516 #ifdef WITH_LDAPI_PRIV_SOCKET
1517 priv_dir = lpcfg_private_path(ldap_service, task->lp_ctx, "ldap_priv");
1518 if (priv_dir == NULL) {
1519 status = NT_STATUS_UNSUCCESSFUL;
1523 * Make sure the directory for the privileged ldapi socket exists, and
1524 * is of the correct permissions
1526 if (!directory_create_or_exist(priv_dir, 0750)) {
1527 task_server_terminate(task, "Cannot create ldap "
1528 "privileged ldapi directory", true);
1529 return NT_STATUS_UNSUCCESSFUL;
1531 ldapi_path = talloc_asprintf(ldap_service, "%s/ldapi", priv_dir);
1532 talloc_free(priv_dir);
1533 if (ldapi_path == NULL) {
1534 status = NT_STATUS_NO_MEMORY;
1538 status = stream_setup_socket(task, task->event_ctx, task->lp_ctx,
1539 task->model_ops, &ldapi_stream_priv_ops,
1540 "unix", ldapi_path, NULL,
1541 lpcfg_socket_options(task->lp_ctx),
1543 task->process_context);
1544 talloc_free(ldapi_path);
1545 if (!NT_STATUS_IS_OK(status)) {
1546 DBG_ERR("ldapsrv failed to bind to %s - %s\n",
1547 ldapi_path, nt_errstr(status));
1552 /* register the server */
1553 irpc_add_name(task->msg_ctx, "ldap_server");
1555 task->private_data = ldap_service;
1557 return NT_STATUS_OK;
1560 task_server_terminate(task, "Failed to startup ldap server task", true);
1565 * Open a database to be later used by LDB wrap code (although it should be
1566 * plumbed through correctly eventually).
1568 static void ldapsrv_post_fork(struct task_server *task, struct process_details *pd)
1570 struct ldapsrv_service *ldap_service =
1571 talloc_get_type_abort(task->private_data, struct ldapsrv_service);
1574 * As ldapsrv_before_loop() may changed the values for the parent loop
1575 * we need to adjust the pointers to the correct value in the child
1577 ldap_service->lp_ctx = task->lp_ctx;
1578 ldap_service->current_ev = task->event_ctx;
1579 ldap_service->current_msg = task->msg_ctx;
1581 ldap_service->sam_ctx = samdb_connect(ldap_service,
1582 ldap_service->current_ev,
1583 ldap_service->lp_ctx,
1584 system_session(ldap_service->lp_ctx),
1587 if (ldap_service->sam_ctx == NULL) {
1588 task_server_terminate(task, "Cannot open system session LDB",
1594 static void ldapsrv_before_loop(struct task_server *task)
1596 struct ldapsrv_service *ldap_service =
1597 talloc_get_type_abort(task->private_data, struct ldapsrv_service);
1600 if (ldap_service->sam_ctx != NULL) {
1602 * Make sure the values are still the same
1603 * as set in ldapsrv_post_fork()
1605 SMB_ASSERT(task->lp_ctx == ldap_service->lp_ctx);
1606 SMB_ASSERT(task->event_ctx == ldap_service->current_ev);
1607 SMB_ASSERT(task->msg_ctx == ldap_service->current_msg);
1610 * We need to adjust the pointers to the correct value
1611 * in the parent loop.
1613 ldap_service->lp_ctx = task->lp_ctx;
1614 ldap_service->current_ev = task->event_ctx;
1615 ldap_service->current_msg = task->msg_ctx;
1618 status = imessaging_register(ldap_service->current_msg,
1620 MSG_RELOAD_TLS_CERTIFICATES,
1622 if (!NT_STATUS_IS_OK(status)) {
1623 task_server_terminate(task, "Cannot register ldap_reload_certs",
1630 * Check the size of an ldap request packet.
1632 * For authenticated connections the maximum packet size is controlled by
1633 * the smb.conf parameter "ldap max authenticated request size"
1635 * For anonymous connections the maximum packet size is controlled by
1636 * the smb.conf parameter "ldap max anonymous request size"
1638 static int ldapsrv_check_packet_size(
1639 struct ldapsrv_connection *conn,
1642 bool is_anonymous = false;
1643 size_t max_size = 0;
1645 max_size = lpcfg_ldap_max_anonymous_request_size(conn->lp_ctx);
1646 if (size <= max_size) {
1647 return LDAP_SUCCESS;
1651 * Request is larger than the maximum unauthenticated request size.
1652 * As this code is called frequently we avoid calling
1653 * security_token_is_anonymous if possible
1655 if (conn->session_info != NULL &&
1656 conn->session_info->security_token != NULL) {
1657 is_anonymous = security_token_is_anonymous(
1658 conn->session_info->security_token);
1663 "LDAP request size (%zu) exceeds (%zu)\n",
1666 return LDAP_UNWILLING_TO_PERFORM;
1669 max_size = lpcfg_ldap_max_authenticated_request_size(conn->lp_ctx);
1670 if (size > max_size) {
1672 "LDAP request size (%zu) exceeds (%zu)\n",
1675 return LDAP_UNWILLING_TO_PERFORM;
1677 return LDAP_SUCCESS;
1682 * Check that the blob contains enough data to be a valid packet
1683 * If there is a packet header check the size to ensure that it does not
1684 * exceed the maximum sizes.
1687 static NTSTATUS ldapsrv_packet_check(
1688 struct tstream_context *stream,
1691 size_t *packet_size)
1694 struct ldapsrv_connection *conn = private_data;
1695 int result = LDB_SUCCESS;
1697 ret = ldap_full_packet(stream, private_data, blob, packet_size);
1698 if (!NT_STATUS_IS_OK(ret)) {
1701 result = ldapsrv_check_packet_size(conn, *packet_size);
1702 if (result != LDAP_SUCCESS) {
1703 return NT_STATUS_LDAP(result);
1705 return NT_STATUS_OK;
1708 NTSTATUS server_service_ldap_init(TALLOC_CTX *ctx)
1710 static const struct service_details details = {
1711 .inhibit_fork_on_accept = false,
1712 .inhibit_pre_fork = false,
1713 .task_init = ldapsrv_task_init,
1714 .post_fork = ldapsrv_post_fork,
1715 .before_loop = ldapsrv_before_loop,
1717 return register_server_service(ctx, "ldap", &details);