2 Unix SMB/CIFS implementation.
6 Copyright (C) Andrew Tridgell 2005
7 Copyright (C) Volker Lendecke 2004
8 Copyright (C) Stefan Metzmacher 2004
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "system/network.h"
26 #include "lib/events/events.h"
27 #include "auth/auth.h"
28 #include "auth/credentials/credentials.h"
29 #include "librpc/gen_ndr/ndr_samr.h"
30 #include "../lib/util/dlinklist.h"
31 #include "../lib/util/asn1.h"
32 #include "ldap_server/ldap_server.h"
33 #include "samba/service_task.h"
34 #include "samba/service_stream.h"
35 #include "samba/service.h"
36 #include "samba/process_model.h"
37 #include "lib/tls/tls.h"
38 #include "lib/messaging/irpc.h"
40 #include <ldb_errors.h>
41 #include "libcli/ldap/ldap_proto.h"
42 #include "system/network.h"
43 #include "lib/socket/netif.h"
44 #include "dsdb/samdb/samdb.h"
45 #include "param/param.h"
46 #include "../lib/tsocket/tsocket.h"
47 #include "../lib/util/tevent_ntstatus.h"
48 #include "../libcli/util/tstream.h"
49 #include "libds/common/roles.h"
50 #include "lib/util/time.h"
54 static void ldapsrv_terminate_connection_done(struct tevent_req *subreq);
57 close the socket and shutdown a server_context
59 static void ldapsrv_terminate_connection(struct ldapsrv_connection *conn,
62 struct tevent_req *subreq;
64 if (conn->limits.reason) {
68 DLIST_REMOVE(conn->service->connections, conn);
70 conn->limits.endtime = timeval_current_ofs(0, 500);
72 tevent_queue_stop(conn->sockets.send_queue);
73 TALLOC_FREE(conn->sockets.read_req);
74 TALLOC_FREE(conn->deferred_expire_disconnect);
75 if (conn->active_call) {
76 tevent_req_cancel(conn->active_call);
77 conn->active_call = NULL;
80 conn->limits.reason = talloc_strdup(conn, reason);
81 if (conn->limits.reason == NULL) {
82 TALLOC_FREE(conn->sockets.tls);
83 TALLOC_FREE(conn->sockets.sasl);
84 TALLOC_FREE(conn->sockets.raw);
85 stream_terminate_connection(conn->connection, reason);
89 subreq = tstream_disconnect_send(conn,
90 conn->connection->event.ctx,
91 conn->sockets.active);
93 TALLOC_FREE(conn->sockets.tls);
94 TALLOC_FREE(conn->sockets.sasl);
95 TALLOC_FREE(conn->sockets.raw);
96 stream_terminate_connection(conn->connection, reason);
99 tevent_req_set_endtime(subreq,
100 conn->connection->event.ctx,
101 conn->limits.endtime);
102 tevent_req_set_callback(subreq, ldapsrv_terminate_connection_done, conn);
105 static void ldapsrv_terminate_connection_done(struct tevent_req *subreq)
107 struct ldapsrv_connection *conn =
108 tevent_req_callback_data(subreq,
109 struct ldapsrv_connection);
113 tstream_disconnect_recv(subreq, &sys_errno);
116 if (conn->sockets.active == conn->sockets.raw) {
117 TALLOC_FREE(conn->sockets.tls);
118 TALLOC_FREE(conn->sockets.sasl);
119 TALLOC_FREE(conn->sockets.raw);
120 stream_terminate_connection(conn->connection,
121 conn->limits.reason);
125 TALLOC_FREE(conn->sockets.tls);
126 TALLOC_FREE(conn->sockets.sasl);
127 conn->sockets.active = conn->sockets.raw;
129 subreq = tstream_disconnect_send(conn,
130 conn->connection->event.ctx,
131 conn->sockets.active);
132 if (subreq == NULL) {
133 TALLOC_FREE(conn->sockets.raw);
134 stream_terminate_connection(conn->connection,
135 conn->limits.reason);
138 ok = tevent_req_set_endtime(subreq,
139 conn->connection->event.ctx,
140 conn->limits.endtime);
142 TALLOC_FREE(conn->sockets.raw);
143 stream_terminate_connection(conn->connection,
144 conn->limits.reason);
147 tevent_req_set_callback(subreq, ldapsrv_terminate_connection_done, conn);
151 called when a LDAP socket becomes readable
153 void ldapsrv_recv(struct stream_connection *c, uint16_t flags)
155 smb_panic(__location__);
159 called when a LDAP socket becomes writable
161 static void ldapsrv_send(struct stream_connection *c, uint16_t flags)
163 smb_panic(__location__);
166 static int ldapsrv_load_limits(struct ldapsrv_connection *conn)
169 const char *attrs[] = { "configurationNamingContext", NULL };
170 const char *attrs2[] = { "lDAPAdminLimits", NULL };
171 struct ldb_message_element *el;
172 struct ldb_result *res = NULL;
173 struct ldb_dn *basedn;
174 struct ldb_dn *conf_dn;
175 struct ldb_dn *policy_dn;
179 /* set defaults limits in case of failure */
180 conn->limits.initial_timeout = 120;
181 conn->limits.conn_idle_time = 900;
182 conn->limits.max_page_size = 1000;
183 conn->limits.max_notifications = 5;
184 conn->limits.search_timeout = 120;
185 conn->limits.expire_time = (struct timeval) {
186 .tv_sec = get_time_t_max(),
190 tmp_ctx = talloc_new(conn);
191 if (tmp_ctx == NULL) {
195 basedn = ldb_dn_new(tmp_ctx, conn->ldb, NULL);
196 if (basedn == NULL) {
200 ret = ldb_search(conn->ldb, tmp_ctx, &res, basedn, LDB_SCOPE_BASE, attrs, NULL);
201 if (ret != LDB_SUCCESS) {
205 if (res->count != 1) {
209 conf_dn = ldb_msg_find_attr_as_dn(conn->ldb, tmp_ctx, res->msgs[0], "configurationNamingContext");
210 if (conf_dn == NULL) {
214 policy_dn = ldb_dn_copy(tmp_ctx, conf_dn);
215 ldb_dn_add_child_fmt(policy_dn, "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services");
216 if (policy_dn == NULL) {
220 ret = ldb_search(conn->ldb, tmp_ctx, &res, policy_dn, LDB_SCOPE_BASE, attrs2, NULL);
221 if (ret != LDB_SUCCESS) {
225 if (res->count != 1) {
229 el = ldb_msg_find_element(res->msgs[0], "lDAPAdminLimits");
234 for (i = 0; i < el->num_values; i++) {
235 char policy_name[256];
238 s = sscanf((const char *)el->values[i].data, "%255[^=]=%d", policy_name, &policy_value);
239 if (s != 2 || policy_value == 0)
241 if (strcasecmp("InitRecvTimeout", policy_name) == 0) {
242 conn->limits.initial_timeout = policy_value;
245 if (strcasecmp("MaxConnIdleTime", policy_name) == 0) {
246 conn->limits.conn_idle_time = policy_value;
249 if (strcasecmp("MaxPageSize", policy_name) == 0) {
250 conn->limits.max_page_size = policy_value;
253 if (strcasecmp("MaxNotificationPerConn", policy_name) == 0) {
254 conn->limits.max_notifications = policy_value;
257 if (strcasecmp("MaxQueryDuration", policy_name) == 0) {
258 conn->limits.search_timeout = policy_value;
266 DBG_ERR("Failed to load ldap server query policies\n");
267 talloc_free(tmp_ctx);
271 static int ldapsrv_call_destructor(struct ldapsrv_call *call)
273 if (call->conn == NULL) {
277 DLIST_REMOVE(call->conn->pending_calls, call);
283 static struct tevent_req *ldapsrv_process_call_send(TALLOC_CTX *mem_ctx,
284 struct tevent_context *ev,
285 struct tevent_queue *call_queue,
286 struct ldapsrv_call *call);
287 static NTSTATUS ldapsrv_process_call_recv(struct tevent_req *req);
289 static bool ldapsrv_call_read_next(struct ldapsrv_connection *conn);
290 static void ldapsrv_accept_tls_done(struct tevent_req *subreq);
293 initialise a server_context from a open socket and register a event handler
294 for reading from that socket
296 static void ldapsrv_accept(struct stream_connection *c,
297 struct auth_session_info *session_info,
300 struct ldapsrv_service *ldapsrv_service =
301 talloc_get_type(c->private_data, struct ldapsrv_service);
302 struct ldapsrv_connection *conn;
303 struct cli_credentials *server_credentials;
304 struct socket_address *socket_address;
307 struct tevent_req *subreq;
308 struct timeval endtime;
309 char *errstring = NULL;
311 conn = talloc_zero(c, struct ldapsrv_connection);
313 stream_terminate_connection(c, "ldapsrv_accept: out of memory");
316 conn->is_privileged = is_privileged;
318 conn->sockets.send_queue = tevent_queue_create(conn, "ldapsev send queue");
319 if (conn->sockets.send_queue == NULL) {
320 stream_terminate_connection(c,
321 "ldapsrv_accept: tevent_queue_create failed");
325 TALLOC_FREE(c->event.fde);
327 ret = tstream_bsd_existing_socket(conn,
328 socket_get_fd(c->socket),
331 stream_terminate_connection(c,
332 "ldapsrv_accept: out of memory");
335 socket_set_flags(c->socket, SOCKET_FLAG_NOCLOSE);
337 conn->connection = c;
338 conn->service = ldapsrv_service;
339 conn->lp_ctx = ldapsrv_service->task->lp_ctx;
341 c->private_data = conn;
343 socket_address = socket_get_my_addr(c->socket, conn);
344 if (!socket_address) {
345 ldapsrv_terminate_connection(conn, "ldapsrv_accept: failed to obtain local socket address!");
348 port = socket_address->port;
349 talloc_free(socket_address);
350 if (port == 3268 || port == 3269) /* Global catalog */ {
351 conn->global_catalog = true;
354 server_credentials = cli_credentials_init_server(conn, conn->lp_ctx);
355 if (!server_credentials) {
356 stream_terminate_connection(c, "Failed to init server credentials\n");
360 conn->server_credentials = server_credentials;
362 conn->session_info = session_info;
364 conn->sockets.active = conn->sockets.raw;
366 if (conn->is_privileged) {
367 conn->require_strong_auth = LDAP_SERVER_REQUIRE_STRONG_AUTH_NO;
369 conn->require_strong_auth = lpcfg_ldap_server_require_strong_auth(conn->lp_ctx);
372 ret = ldapsrv_backend_Init(conn, &errstring);
373 if (ret != LDB_SUCCESS) {
374 char *reason = talloc_asprintf(conn,
375 "LDB backend for LDAP Init "
377 errstring, ldb_strerror(ret));
378 ldapsrv_terminate_connection(conn, reason);
382 /* load limits from the conf partition */
383 ldapsrv_load_limits(conn); /* should we fail on error ? */
385 /* register the server */
386 irpc_add_name(c->msg_ctx, "ldap_server");
388 DLIST_ADD_END(ldapsrv_service->connections, conn);
390 if (port != 636 && port != 3269) {
391 ldapsrv_call_read_next(conn);
395 endtime = timeval_current_ofs(conn->limits.conn_idle_time, 0);
397 subreq = tstream_tls_accept_send(conn,
398 conn->connection->event.ctx,
400 conn->service->tls_params);
401 if (subreq == NULL) {
402 ldapsrv_terminate_connection(conn, "ldapsrv_accept: "
403 "no memory for tstream_tls_accept_send");
406 tevent_req_set_endtime(subreq,
407 conn->connection->event.ctx,
409 tevent_req_set_callback(subreq, ldapsrv_accept_tls_done, conn);
412 static void ldapsrv_accept_tls_done(struct tevent_req *subreq)
414 struct ldapsrv_connection *conn =
415 tevent_req_callback_data(subreq,
416 struct ldapsrv_connection);
420 ret = tstream_tls_accept_recv(subreq, &sys_errno,
421 conn, &conn->sockets.tls);
426 reason = talloc_asprintf(conn, "ldapsrv_accept_tls_loop: "
427 "tstream_tls_accept_recv() - %d:%s",
428 sys_errno, strerror(sys_errno));
430 reason = "ldapsrv_accept_tls_loop: "
431 "tstream_tls_accept_recv() - failed";
434 ldapsrv_terminate_connection(conn, reason);
438 conn->sockets.active = conn->sockets.tls;
439 conn->referral_scheme = LDAP_REFERRAL_SCHEME_LDAPS;
440 ldapsrv_call_read_next(conn);
443 static void ldapsrv_call_read_done(struct tevent_req *subreq);
444 static NTSTATUS ldapsrv_packet_check(
447 size_t *packet_size);
449 static bool ldapsrv_call_read_next(struct ldapsrv_connection *conn)
451 struct tevent_req *subreq;
453 if (conn->pending_calls != NULL) {
454 conn->limits.endtime = timeval_zero();
456 ldapsrv_notification_retry_setup(conn->service, false);
457 } else if (timeval_is_zero(&conn->limits.endtime)) {
458 conn->limits.endtime =
459 timeval_current_ofs(conn->limits.initial_timeout, 0);
461 conn->limits.endtime =
462 timeval_current_ofs(conn->limits.conn_idle_time, 0);
465 if (conn->sockets.read_req != NULL) {
470 * The minimum size of a LDAP pdu is 7 bytes
472 * dumpasn1 -hh ldap-unbind-min.dat
474 * <30 05 02 01 09 42 00>
479 * 5 0: [APPLICATION 2]
480 * : Error: Object has zero length.
483 * dumpasn1 -hh ldap-unbind-windows.dat
485 * <30 84 00 00 00 05 02 01 09 42 00>
490 * 9 0: [APPLICATION 2]
491 * : Error: Object has zero length.
494 * This means using an initial read size
497 subreq = tstream_read_pdu_blob_send(conn,
498 conn->connection->event.ctx,
499 conn->sockets.active,
500 7, /* initial_read_size */
501 ldapsrv_packet_check,
503 if (subreq == NULL) {
504 ldapsrv_terminate_connection(conn, "ldapsrv_call_read_next: "
505 "no memory for tstream_read_pdu_blob_send");
508 if (!timeval_is_zero(&conn->limits.endtime)) {
510 ok = tevent_req_set_endtime(subreq,
511 conn->connection->event.ctx,
512 conn->limits.endtime);
514 ldapsrv_terminate_connection(
516 "ldapsrv_call_read_next: "
517 "no memory for tevent_req_set_endtime");
521 tevent_req_set_callback(subreq, ldapsrv_call_read_done, conn);
522 conn->sockets.read_req = subreq;
526 static void ldapsrv_call_process_done(struct tevent_req *subreq);
527 static int ldapsrv_check_packet_size(
528 struct ldapsrv_connection *conn,
531 static void ldapsrv_call_read_done(struct tevent_req *subreq)
533 struct ldapsrv_connection *conn =
534 tevent_req_callback_data(subreq,
535 struct ldapsrv_connection);
537 struct ldapsrv_call *call;
538 struct asn1_data *asn1;
540 int ret = LDAP_SUCCESS;
541 struct ldap_request_limits limits = {0};
543 conn->sockets.read_req = NULL;
545 call = talloc_zero(conn, struct ldapsrv_call);
547 ldapsrv_terminate_connection(conn, "no memory");
550 talloc_set_destructor(call, ldapsrv_call_destructor);
554 status = tstream_read_pdu_blob_recv(subreq,
558 if (!NT_STATUS_IS_OK(status)) {
561 reason = talloc_asprintf(call, "ldapsrv_call_loop: "
562 "tstream_read_pdu_blob_recv() - %s",
565 reason = nt_errstr(status);
568 ldapsrv_terminate_connection(conn, reason);
572 ret = ldapsrv_check_packet_size(conn, blob.length);
573 if (ret != LDAP_SUCCESS) {
574 ldapsrv_terminate_connection(
576 "Request packet too large");
580 asn1 = asn1_init(call, ASN1_MAX_TREE_DEPTH);
582 ldapsrv_terminate_connection(conn, "no memory");
586 call->request = talloc(call, struct ldap_message);
587 if (call->request == NULL) {
588 ldapsrv_terminate_connection(conn, "no memory");
592 asn1_load_nocopy(asn1, blob.data, blob.length);
594 limits.max_search_size =
595 lpcfg_ldap_max_search_request_size(conn->lp_ctx);
596 status = ldap_decode(
599 samba_ldap_control_handlers(),
601 if (!NT_STATUS_IS_OK(status)) {
602 ldapsrv_terminate_connection(conn, nt_errstr(status));
606 data_blob_free(&blob);
610 /* queue the call in the global queue */
611 subreq = ldapsrv_process_call_send(call,
612 conn->connection->event.ctx,
613 conn->service->call_queue,
615 if (subreq == NULL) {
616 ldapsrv_terminate_connection(conn, "ldapsrv_process_call_send failed");
619 tevent_req_set_callback(subreq, ldapsrv_call_process_done, call);
620 conn->active_call = subreq;
623 static void ldapsrv_call_wait_done(struct tevent_req *subreq);
624 static void ldapsrv_call_writev_start(struct ldapsrv_call *call);
625 static void ldapsrv_call_writev_done(struct tevent_req *subreq);
627 static void ldapsrv_call_process_done(struct tevent_req *subreq)
629 struct ldapsrv_call *call =
630 tevent_req_callback_data(subreq,
631 struct ldapsrv_call);
632 struct ldapsrv_connection *conn = call->conn;
635 conn->active_call = NULL;
637 status = ldapsrv_process_call_recv(subreq);
639 if (!NT_STATUS_IS_OK(status)) {
640 ldapsrv_terminate_connection(conn, nt_errstr(status));
644 if (call->wait_send != NULL) {
645 subreq = call->wait_send(call,
646 conn->connection->event.ctx,
648 if (subreq == NULL) {
649 ldapsrv_terminate_connection(conn,
650 "ldapsrv_call_process_done: "
651 "call->wait_send - no memory");
654 tevent_req_set_callback(subreq,
655 ldapsrv_call_wait_done,
657 conn->active_call = subreq;
661 ldapsrv_call_writev_start(call);
664 static void ldapsrv_call_wait_done(struct tevent_req *subreq)
666 struct ldapsrv_call *call =
667 tevent_req_callback_data(subreq,
668 struct ldapsrv_call);
669 struct ldapsrv_connection *conn = call->conn;
672 conn->active_call = NULL;
674 status = call->wait_recv(subreq);
676 if (!NT_STATUS_IS_OK(status)) {
679 reason = talloc_asprintf(call, "ldapsrv_call_wait_done: "
680 "call->wait_recv() - %s",
682 if (reason == NULL) {
683 reason = nt_errstr(status);
686 ldapsrv_terminate_connection(conn, reason);
690 ldapsrv_call_writev_start(call);
693 static void ldapsrv_call_writev_start(struct ldapsrv_call *call)
695 struct ldapsrv_connection *conn = call->conn;
696 struct ldapsrv_reply *reply = NULL;
697 struct tevent_req *subreq = NULL;
703 /* build all the replies into an IOV (no copy) */
704 for (reply = call->replies;
706 reply = reply->next) {
708 /* Cap output at 25MB per writev() */
709 if (length > length + reply->blob.length
710 || length + reply->blob.length > LDAP_SERVER_MAX_CHUNK_SIZE) {
715 * Overflow is harmless here, just used below to
716 * decide if to read or write, but checked above anyway
718 length += reply->blob.length;
721 * At worst an overflow would mean we send less
728 if (!call->notification.busy) {
732 ldapsrv_call_read_next(conn);
736 /* Cap call->iov_count at IOV_MAX */
737 call->iov_count = MIN(call->iov_count, IOV_MAX);
739 call->out_iov = talloc_array(call,
742 if (!call->out_iov) {
743 /* This is not ideal */
744 ldapsrv_terminate_connection(conn,
745 "failed to allocate "
750 /* We may have had to cap the number of replies at IOV_MAX */
752 i < call->iov_count && call->replies != NULL;
754 reply = call->replies;
755 call->out_iov[i].iov_base = reply->blob.data;
756 call->out_iov[i].iov_len = reply->blob.length;
758 /* Keep only the ASN.1 encoded data */
759 talloc_steal(call->out_iov, reply->blob.data);
761 DLIST_REMOVE(call->replies, reply);
765 if (i > call->iov_count) {
766 /* This is not ideal, but also (essentially) impossible */
767 ldapsrv_terminate_connection(conn,
773 subreq = tstream_writev_queue_send(call,
774 conn->connection->event.ctx,
775 conn->sockets.active,
776 conn->sockets.send_queue,
777 call->out_iov, call->iov_count);
778 if (subreq == NULL) {
779 ldapsrv_terminate_connection(conn, "stream_writev_queue_send failed");
782 tevent_req_set_callback(subreq, ldapsrv_call_writev_done, call);
785 static void ldapsrv_call_postprocess_done(struct tevent_req *subreq);
787 static void ldapsrv_call_writev_done(struct tevent_req *subreq)
789 struct ldapsrv_call *call =
790 tevent_req_callback_data(subreq,
791 struct ldapsrv_call);
792 struct ldapsrv_connection *conn = call->conn;
796 rc = tstream_writev_queue_recv(subreq, &sys_errno);
799 /* This releases the ASN.1 encoded packets from memory */
800 TALLOC_FREE(call->out_iov);
804 reason = talloc_asprintf(call, "ldapsrv_call_writev_done: "
805 "tstream_writev_queue_recv() - %d:%s",
806 sys_errno, strerror(sys_errno));
807 if (reason == NULL) {
808 reason = "ldapsrv_call_writev_done: "
809 "tstream_writev_queue_recv() failed";
812 ldapsrv_terminate_connection(conn, reason);
816 if (call->postprocess_send) {
817 subreq = call->postprocess_send(call,
818 conn->connection->event.ctx,
819 call->postprocess_private);
820 if (subreq == NULL) {
821 ldapsrv_terminate_connection(conn, "ldapsrv_call_writev_done: "
822 "call->postprocess_send - no memory");
825 tevent_req_set_callback(subreq,
826 ldapsrv_call_postprocess_done,
831 /* Perhaps still some more to send */
832 if (call->replies != NULL) {
833 ldapsrv_call_writev_start(call);
837 if (!call->notification.busy) {
841 ldapsrv_call_read_next(conn);
844 static void ldapsrv_call_postprocess_done(struct tevent_req *subreq)
846 struct ldapsrv_call *call =
847 tevent_req_callback_data(subreq,
848 struct ldapsrv_call);
849 struct ldapsrv_connection *conn = call->conn;
852 status = call->postprocess_recv(subreq);
854 if (!NT_STATUS_IS_OK(status)) {
857 reason = talloc_asprintf(call, "ldapsrv_call_postprocess_done: "
858 "call->postprocess_recv() - %s",
860 if (reason == NULL) {
861 reason = nt_errstr(status);
864 ldapsrv_terminate_connection(conn, reason);
870 ldapsrv_call_read_next(conn);
873 static void ldapsrv_notification_retry_done(struct tevent_req *subreq);
875 void ldapsrv_notification_retry_setup(struct ldapsrv_service *service, bool force)
877 struct ldapsrv_connection *conn = NULL;
878 struct timeval retry;
879 size_t num_pending = 0;
880 size_t num_active = 0;
883 TALLOC_FREE(service->notification.retry);
884 service->notification.generation += 1;
887 if (service->notification.retry != NULL) {
891 for (conn = service->connections; conn != NULL; conn = conn->next) {
892 if (conn->pending_calls == NULL) {
898 if (conn->pending_calls->notification.generation !=
899 service->notification.generation)
905 if (num_pending == 0) {
909 if (num_active != 0) {
910 retry = timeval_current_ofs(0, 100);
912 retry = timeval_current_ofs(5, 0);
915 service->notification.retry = tevent_wakeup_send(service,
916 service->task->event_ctx,
918 if (service->notification.retry == NULL) {
923 tevent_req_set_callback(service->notification.retry,
924 ldapsrv_notification_retry_done,
928 static void ldapsrv_notification_retry_done(struct tevent_req *subreq)
930 struct ldapsrv_service *service =
931 tevent_req_callback_data(subreq,
932 struct ldapsrv_service);
933 struct ldapsrv_connection *conn = NULL;
934 struct ldapsrv_connection *conn_next = NULL;
937 service->notification.retry = NULL;
939 ok = tevent_wakeup_recv(subreq);
945 for (conn = service->connections; conn != NULL; conn = conn_next) {
946 struct ldapsrv_call *call = conn->pending_calls;
948 conn_next = conn->next;
950 if (conn->pending_calls == NULL) {
954 if (conn->active_call != NULL) {
958 DLIST_DEMOTE(conn->pending_calls, call);
959 call->notification.generation =
960 service->notification.generation;
962 /* queue the call in the global queue */
963 subreq = ldapsrv_process_call_send(call,
964 conn->connection->event.ctx,
965 conn->service->call_queue,
967 if (subreq == NULL) {
968 ldapsrv_terminate_connection(conn,
969 "ldapsrv_process_call_send failed");
972 tevent_req_set_callback(subreq, ldapsrv_call_process_done, call);
973 conn->active_call = subreq;
976 ldapsrv_notification_retry_setup(service, false);
979 struct ldapsrv_process_call_state {
980 struct ldapsrv_call *call;
983 static void ldapsrv_process_call_trigger(struct tevent_req *req,
986 static struct tevent_req *ldapsrv_process_call_send(TALLOC_CTX *mem_ctx,
987 struct tevent_context *ev,
988 struct tevent_queue *call_queue,
989 struct ldapsrv_call *call)
991 struct tevent_req *req;
992 struct ldapsrv_process_call_state *state;
995 req = tevent_req_create(mem_ctx, &state,
996 struct ldapsrv_process_call_state);
1003 ok = tevent_queue_add(call_queue, ev, req,
1004 ldapsrv_process_call_trigger, NULL);
1006 tevent_req_oom(req);
1007 return tevent_req_post(req, ev);
1013 static void ldapsrv_disconnect_ticket_expired(struct tevent_req *subreq);
1015 static void ldapsrv_process_call_trigger(struct tevent_req *req,
1018 struct ldapsrv_process_call_state *state =
1019 tevent_req_data(req,
1020 struct ldapsrv_process_call_state);
1021 struct ldapsrv_connection *conn = state->call->conn;
1024 if (conn->deferred_expire_disconnect != NULL) {
1026 * Just drop this on the floor
1028 tevent_req_done(req);
1033 status = ldapsrv_do_call(state->call);
1035 if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_SESSION_EXPIRED)) {
1037 * For testing purposes, defer the TCP disconnect
1038 * after having sent the msgid 0
1039 * 1.3.6.1.4.1.1466.20036 exop response. LDAP clients
1040 * should not wait for the TCP connection to close but
1041 * handle this packet equivalent to a TCP
1042 * disconnect. This delay enables testing both cases
1043 * in LDAP client libraries.
1046 int defer_msec = lpcfg_parm_int(
1050 "delay_expire_disconnect",
1053 conn->deferred_expire_disconnect = tevent_wakeup_send(
1055 conn->connection->event.ctx,
1056 timeval_current_ofs_msec(defer_msec));
1057 if (tevent_req_nomem(conn->deferred_expire_disconnect, req)) {
1060 tevent_req_set_callback(
1061 conn->deferred_expire_disconnect,
1062 ldapsrv_disconnect_ticket_expired,
1065 tevent_req_done(req);
1069 if (!NT_STATUS_IS_OK(status)) {
1070 tevent_req_nterror(req, status);
1074 tevent_req_done(req);
1077 static void ldapsrv_disconnect_ticket_expired(struct tevent_req *subreq)
1079 struct ldapsrv_connection *conn = tevent_req_callback_data(
1080 subreq, struct ldapsrv_connection);
1083 ok = tevent_wakeup_recv(subreq);
1084 TALLOC_FREE(subreq);
1086 DBG_WARNING("tevent_wakeup_recv failed\n");
1088 conn->deferred_expire_disconnect = NULL;
1089 ldapsrv_terminate_connection(conn, "network session expired");
1092 static NTSTATUS ldapsrv_process_call_recv(struct tevent_req *req)
1096 if (tevent_req_is_nterror(req, &status)) {
1097 tevent_req_received(req);
1101 tevent_req_received(req);
1102 return NT_STATUS_OK;
1105 static void ldapsrv_accept_nonpriv(struct stream_connection *c)
1107 struct ldapsrv_service *ldapsrv_service = talloc_get_type_abort(
1108 c->private_data, struct ldapsrv_service);
1109 struct auth_session_info *session_info;
1112 status = auth_anonymous_session_info(
1113 c, ldapsrv_service->task->lp_ctx, &session_info);
1114 if (!NT_STATUS_IS_OK(status)) {
1115 stream_terminate_connection(c, "failed to setup anonymous "
1119 ldapsrv_accept(c, session_info, false);
1122 static const struct stream_server_ops ldap_stream_nonpriv_ops = {
1124 .accept_connection = ldapsrv_accept_nonpriv,
1125 .recv_handler = ldapsrv_recv,
1126 .send_handler = ldapsrv_send,
1129 /* The feature removed behind an #ifdef until we can do it properly
1130 * with an EXTERNAL bind. */
1132 #define WITH_LDAPI_PRIV_SOCKET
1134 #ifdef WITH_LDAPI_PRIV_SOCKET
1135 static void ldapsrv_accept_priv(struct stream_connection *c)
1137 struct ldapsrv_service *ldapsrv_service = talloc_get_type_abort(
1138 c->private_data, struct ldapsrv_service);
1139 struct auth_session_info *session_info;
1141 session_info = system_session(ldapsrv_service->task->lp_ctx);
1142 if (!session_info) {
1143 stream_terminate_connection(c, "failed to setup system "
1147 ldapsrv_accept(c, session_info, true);
1150 static const struct stream_server_ops ldap_stream_priv_ops = {
1152 .accept_connection = ldapsrv_accept_priv,
1153 .recv_handler = ldapsrv_recv,
1154 .send_handler = ldapsrv_send,
1161 add a socket address to the list of events, one event per port
1163 static NTSTATUS add_socket(struct task_server *task,
1164 struct loadparm_context *lp_ctx,
1165 const struct model_ops *model_ops,
1166 const char *address, struct ldapsrv_service *ldap_service)
1168 uint16_t port = 389;
1170 struct ldb_context *ldb;
1172 status = stream_setup_socket(task, task->event_ctx, lp_ctx,
1173 model_ops, &ldap_stream_nonpriv_ops,
1174 "ip", address, &port,
1175 lpcfg_socket_options(lp_ctx),
1176 ldap_service, task->process_context);
1177 if (!NT_STATUS_IS_OK(status)) {
1178 DBG_ERR("ldapsrv failed to bind to %s:%u - %s\n",
1179 address, port, nt_errstr(status));
1183 if (tstream_tls_params_enabled(ldap_service->tls_params)) {
1184 /* add ldaps server */
1186 status = stream_setup_socket(task, task->event_ctx, lp_ctx,
1188 &ldap_stream_nonpriv_ops,
1189 "ip", address, &port,
1190 lpcfg_socket_options(lp_ctx),
1192 task->process_context);
1193 if (!NT_STATUS_IS_OK(status)) {
1194 DBG_ERR("ldapsrv failed to bind to %s:%u - %s\n",
1195 address, port, nt_errstr(status));
1200 /* Load LDAP database, but only to read our settings */
1201 ldb = samdb_connect(ldap_service,
1202 ldap_service->task->event_ctx,
1204 system_session(lp_ctx),
1208 return NT_STATUS_INTERNAL_DB_CORRUPTION;
1211 if (samdb_is_gc(ldb)) {
1213 status = stream_setup_socket(task, task->event_ctx, lp_ctx,
1215 &ldap_stream_nonpriv_ops,
1216 "ip", address, &port,
1217 lpcfg_socket_options(lp_ctx),
1219 task->process_context);
1220 if (!NT_STATUS_IS_OK(status)) {
1221 DBG_ERR("ldapsrv failed to bind to %s:%u - %s\n",
1222 address, port, nt_errstr(status));
1225 if (tstream_tls_params_enabled(ldap_service->tls_params)) {
1226 /* add ldaps server for the global catalog */
1228 status = stream_setup_socket(task, task->event_ctx, lp_ctx,
1230 &ldap_stream_nonpriv_ops,
1231 "ip", address, &port,
1232 lpcfg_socket_options(lp_ctx),
1234 task->process_context);
1235 if (!NT_STATUS_IS_OK(status)) {
1236 DBG_ERR("ldapsrv failed to bind to %s:%u - %s\n",
1237 address, port, nt_errstr(status));
1243 /* And once we are bound, free the temporary ldb, it will
1244 * connect again on each incoming LDAP connection */
1245 talloc_unlink(ldap_service, ldb);
1247 return NT_STATUS_OK;
1251 open the ldap server sockets
1253 static NTSTATUS ldapsrv_task_init(struct task_server *task)
1256 #ifdef WITH_LDAPI_PRIV_SOCKET
1259 const char *dns_host_name;
1260 struct ldapsrv_service *ldap_service;
1263 switch (lpcfg_server_role(task->lp_ctx)) {
1264 case ROLE_STANDALONE:
1265 task_server_terminate(task, "ldap_server: no LDAP server required in standalone configuration",
1267 return NT_STATUS_INVALID_DOMAIN_ROLE;
1268 case ROLE_DOMAIN_MEMBER:
1269 task_server_terminate(task, "ldap_server: no LDAP server required in member server configuration",
1271 return NT_STATUS_INVALID_DOMAIN_ROLE;
1272 case ROLE_ACTIVE_DIRECTORY_DC:
1273 /* Yes, we want an LDAP server */
1277 task_server_set_title(task, "task[ldapsrv]");
1279 ldap_service = talloc_zero(task, struct ldapsrv_service);
1280 if (ldap_service == NULL) {
1281 status = NT_STATUS_NO_MEMORY;
1285 ldap_service->task = task;
1287 dns_host_name = talloc_asprintf(ldap_service, "%s.%s",
1288 lpcfg_netbios_name(task->lp_ctx),
1289 lpcfg_dnsdomain(task->lp_ctx));
1290 if (dns_host_name == NULL) {
1291 status = NT_STATUS_NO_MEMORY;
1295 status = tstream_tls_params_server(ldap_service,
1297 lpcfg_tls_enabled(task->lp_ctx),
1298 lpcfg_tls_keyfile(ldap_service, task->lp_ctx),
1299 lpcfg_tls_certfile(ldap_service, task->lp_ctx),
1300 lpcfg_tls_cafile(ldap_service, task->lp_ctx),
1301 lpcfg_tls_crlfile(ldap_service, task->lp_ctx),
1302 lpcfg_tls_dhpfile(ldap_service, task->lp_ctx),
1303 lpcfg_tls_priority(task->lp_ctx),
1304 &ldap_service->tls_params);
1305 if (!NT_STATUS_IS_OK(status)) {
1306 DBG_ERR("ldapsrv failed tstream_tls_params_server - %s\n",
1311 ldap_service->call_queue = tevent_queue_create(ldap_service, "ldapsrv_call_queue");
1312 if (ldap_service->call_queue == NULL) {
1313 status = NT_STATUS_NO_MEMORY;
1317 if (lpcfg_interfaces(task->lp_ctx) && lpcfg_bind_interfaces_only(task->lp_ctx)) {
1318 struct interface *ifaces;
1322 load_interface_list(task, task->lp_ctx, &ifaces);
1323 num_interfaces = iface_list_count(ifaces);
1325 /* We have been given an interfaces line, and been
1326 told to only bind to those interfaces. Create a
1327 socket per interface and bind to only these.
1329 for(i = 0; i < num_interfaces; i++) {
1330 const char *address = iface_list_n_ip(ifaces, i);
1331 status = add_socket(task, task->lp_ctx, task->model_ops,
1332 address, ldap_service);
1333 if (!NT_STATUS_IS_OK(status)) goto failed;
1338 size_t num_binds = 0;
1339 wcard = iface_list_wildcard(task);
1340 if (wcard == NULL) {
1341 DBG_ERR("No wildcard addresses available\n");
1342 status = NT_STATUS_UNSUCCESSFUL;
1345 for (i=0; wcard[i]; i++) {
1346 status = add_socket(task, task->lp_ctx, task->model_ops,
1347 wcard[i], ldap_service);
1348 if (NT_STATUS_IS_OK(status)) {
1353 if (num_binds == 0) {
1354 status = NT_STATUS_UNSUCCESSFUL;
1359 ldapi_path = lpcfg_private_path(ldap_service, task->lp_ctx, "ldapi");
1361 status = NT_STATUS_UNSUCCESSFUL;
1365 status = stream_setup_socket(task, task->event_ctx, task->lp_ctx,
1366 task->model_ops, &ldap_stream_nonpriv_ops,
1367 "unix", ldapi_path, NULL,
1368 lpcfg_socket_options(task->lp_ctx),
1369 ldap_service, task->process_context);
1370 talloc_free(ldapi_path);
1371 if (!NT_STATUS_IS_OK(status)) {
1372 DBG_ERR("ldapsrv failed to bind to %s - %s\n",
1373 ldapi_path, nt_errstr(status));
1376 #ifdef WITH_LDAPI_PRIV_SOCKET
1377 priv_dir = lpcfg_private_path(ldap_service, task->lp_ctx, "ldap_priv");
1378 if (priv_dir == NULL) {
1379 status = NT_STATUS_UNSUCCESSFUL;
1383 * Make sure the directory for the privileged ldapi socket exists, and
1384 * is of the correct permissions
1386 if (!directory_create_or_exist(priv_dir, 0750)) {
1387 task_server_terminate(task, "Cannot create ldap "
1388 "privileged ldapi directory", true);
1389 return NT_STATUS_UNSUCCESSFUL;
1391 ldapi_path = talloc_asprintf(ldap_service, "%s/ldapi", priv_dir);
1392 talloc_free(priv_dir);
1393 if (ldapi_path == NULL) {
1394 status = NT_STATUS_NO_MEMORY;
1398 status = stream_setup_socket(task, task->event_ctx, task->lp_ctx,
1399 task->model_ops, &ldap_stream_priv_ops,
1400 "unix", ldapi_path, NULL,
1401 lpcfg_socket_options(task->lp_ctx),
1403 task->process_context);
1404 talloc_free(ldapi_path);
1405 if (!NT_STATUS_IS_OK(status)) {
1406 DBG_ERR("ldapsrv failed to bind to %s - %s\n",
1407 ldapi_path, nt_errstr(status));
1412 /* register the server */
1413 irpc_add_name(task->msg_ctx, "ldap_server");
1415 task->private_data = ldap_service;
1417 return NT_STATUS_OK;
1420 task_server_terminate(task, "Failed to startup ldap server task", true);
1425 * Open a database to be later used by LDB wrap code (although it should be
1426 * plumbed through correctly eventually).
1428 static void ldapsrv_post_fork(struct task_server *task, struct process_details *pd)
1430 struct ldapsrv_service *ldap_service =
1431 talloc_get_type_abort(task->private_data, struct ldapsrv_service);
1433 ldap_service->sam_ctx = samdb_connect(ldap_service,
1434 ldap_service->task->event_ctx,
1435 ldap_service->task->lp_ctx,
1436 system_session(ldap_service->task->lp_ctx),
1439 if (ldap_service->sam_ctx == NULL) {
1440 task_server_terminate(task, "Cannot open system session LDB",
1447 * Check the size of an ldap request packet.
1449 * For authenticated connections the maximum packet size is controlled by
1450 * the smb.conf parameter "ldap max authenticated request size"
1452 * For anonymous connections the maximum packet size is controlled by
1453 * the smb.conf parameter "ldap max anonymous request size"
1455 static int ldapsrv_check_packet_size(
1456 struct ldapsrv_connection *conn,
1459 bool is_anonymous = false;
1460 size_t max_size = 0;
1462 max_size = lpcfg_ldap_max_anonymous_request_size(conn->lp_ctx);
1463 if (size <= max_size) {
1464 return LDAP_SUCCESS;
1468 * Request is larger than the maximum unauthenticated request size.
1469 * As this code is called frequently we avoid calling
1470 * security_token_is_anonymous if possible
1472 if (conn->session_info != NULL &&
1473 conn->session_info->security_token != NULL) {
1474 is_anonymous = security_token_is_anonymous(
1475 conn->session_info->security_token);
1480 "LDAP request size (%zu) exceeds (%zu)\n",
1483 return LDAP_UNWILLING_TO_PERFORM;
1486 max_size = lpcfg_ldap_max_authenticated_request_size(conn->lp_ctx);
1487 if (size > max_size) {
1489 "LDAP request size (%zu) exceeds (%zu)\n",
1492 return LDAP_UNWILLING_TO_PERFORM;
1494 return LDAP_SUCCESS;
1499 * Check that the blob contains enough data to be a valid packet
1500 * If there is a packet header check the size to ensure that it does not
1501 * exceed the maximum sizes.
1504 static NTSTATUS ldapsrv_packet_check(
1507 size_t *packet_size)
1510 struct ldapsrv_connection *conn = private_data;
1511 int result = LDB_SUCCESS;
1513 ret = ldap_full_packet(private_data, blob, packet_size);
1514 if (!NT_STATUS_IS_OK(ret)) {
1517 result = ldapsrv_check_packet_size(conn, *packet_size);
1518 if (result != LDAP_SUCCESS) {
1519 return NT_STATUS_LDAP(result);
1521 return NT_STATUS_OK;
1524 NTSTATUS server_service_ldap_init(TALLOC_CTX *ctx)
1526 static const struct service_details details = {
1527 .inhibit_fork_on_accept = false,
1528 .inhibit_pre_fork = false,
1529 .task_init = ldapsrv_task_init,
1530 .post_fork = ldapsrv_post_fork,
1532 return register_server_service(ctx, "ldap", &details);