X-Git-Url: http://git.samba.org/?a=blobdiff_plain;f=source4%2Fauth%2Fntlm%2Fauth_simple.c;h=142bd401c9f197d73d6b8c465d1103dc7128afdf;hb=6e165ca85ae8049a7fb9a5535c168d1b9cb5ec26;hp=2e699919267d6367e754bad3808bba1d938bbfed;hpb=caf485a2bd0453b7d22600f9106a2026b1a50c79;p=samba.git
diff --git a/source4/auth/ntlm/auth_simple.c b/source4/auth/ntlm/auth_simple.c
index 2e699919267..142bd401c9f 100644
--- a/source4/auth/ntlm/auth_simple.c
+++ b/source4/auth/ntlm/auth_simple.c
@@ -22,33 +22,79 @@ */ #include "includes.h" +#include +#include "lib/util/tevent_ntstatus.h" #include "auth/auth.h" +#include "dsdb/samdb/samdb.h" + +struct authenticate_ldap_simple_bind_state { + struct auth_session_info *session_info; +}; + +_PUBLIC_ struct tevent_req *authenticate_ldap_simple_bind_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct imessaging_context *msg, + struct loadparm_context *lp_ctx, + struct tsocket_address *remote_address, + struct tsocket_address *local_address, + bool using_tls, + const char *dn, + const char *password) +{ + struct tevent_req *req = NULL; + struct authenticate_ldap_simple_bind_state *state = NULL; + NTSTATUS status; + + req = tevent_req_create(mem_ctx, &state, + struct authenticate_ldap_simple_bind_state); + if (req == NULL) { + return NULL; + } -/* - It's allowed to pass NULL as session_info, - when the caller doesn't need a session_info -*/ -_PUBLIC_ NTSTATUS authenticate_username_pw(TALLOC_CTX *mem_ctx, - struct tevent_context *ev, - struct imessaging_context *msg, - struct loadparm_context *lp_ctx, - const char *nt4_domain, - const char *nt4_username, - const char *password, - const uint32_t logon_parameters, - struct auth_session_info **session_info) + status = authenticate_ldap_simple_bind(state, ev, msg, lp_ctx, + remote_address, + local_address, + using_tls, + dn, password, + &state->session_info); + if (tevent_req_nterror(req, status)) { + return tevent_req_post(req, ev); + } + + tevent_req_done(req); + return tevent_req_post(req, ev); +} + +_PUBLIC_ NTSTATUS authenticate_ldap_simple_bind(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct imessaging_context *msg, + struct loadparm_context *lp_ctx, + struct tsocket_address *remote_address, + struct tsocket_address *local_address, + bool using_tls, + const char *dn, + const char *password, + struct auth_session_info **session_info) { struct auth4_context *auth_context; struct auth_usersupplied_info *user_info; struct auth_user_info_dc 
*user_info_dc; NTSTATUS nt_status; + uint8_t authoritative = 0; TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); + const char *nt4_domain = NULL; + const char *nt4_username = NULL; + uint32_t flags = 0; + const char *transport_protection = AUTHZ_TRANSPORT_PROTECTION_NONE; + if (using_tls) { + transport_protection = AUTHZ_TRANSPORT_PROTECTION_TLS; + } if (!tmp_ctx) { return NT_STATUS_NO_MEMORY; } - nt_status = auth_context_create(tmp_ctx, + nt_status = auth_context_create(tmp_ctx, ev, msg, lp_ctx, &auth_context); @@ -57,21 +103,36 @@ _PUBLIC_ NTSTATUS authenticate_username_pw(TALLOC_CTX *mem_ctx, return nt_status; } + /* + * We check the error after building the user_info so we can + * log a failure to find the user correctly + */ + nt_status = crack_auto_name_to_nt4_name(tmp_ctx, ev, lp_ctx, dn, + &nt4_domain, &nt4_username); + user_info = talloc_zero(tmp_ctx, struct auth_usersupplied_info); if (!user_info) { talloc_free(tmp_ctx); return NT_STATUS_NO_MEMORY; } - user_info->mapped_state = true; - user_info->client.account_name = nt4_username; + user_info->client.account_name = dn; + /* No client.domain_name, use account_name instead */ user_info->mapped.account_name = nt4_username; - user_info->client.domain_name = nt4_domain; user_info->mapped.domain_name = nt4_domain; user_info->workstation_name = NULL; - user_info->remote_host = NULL; + user_info->remote_host = remote_address; + user_info->local_host = local_address; + + user_info->service_description = "LDAP"; + + if (using_tls) { + user_info->auth_description = "simple bind"; + } else { + user_info->auth_description = "simple bind/TLS"; + } user_info->password_state = AUTH_PASSWORD_PLAIN; user_info->password.plaintext = talloc_strdup(user_info, password); 
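Review bot: The removed comment above the old authenticate_username_pw() documented that session_info could be NULL, but the new authenticate_ldap_simple_bind() has the opposite contract and does not say so: session_info is passed straight to generate_session_info() and later dereferenced as `*session_info` for the success log, so a NULL caller would crash. Suggested comment above the definition: `/* session_info must not be NULL; on success it receives a session_info talloc'd on mem_ctx. Every attempt is logged as service "LDAP", failed name cracking included. */`. The `_send` wrapper also deserves a line explaining that it completes synchronously and posts the result, e.g. `/* Synchronous for now: the work happens in authenticate_ldap_simple_bind(); tevent_req_post() keeps the async contract. */`. The body of authenticate_ldap_simple_bind() continues in the following hunks.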
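Review bot: The auth_description strings are inverted: the `if (using_tls)` branch stores "simple bind" and the else branch stores "simple bind/TLS", the opposite of the transport_protection selection at the top of the same function, so authentication log records will mislabel whether TLS was used. Swap them to `user_info->auth_description = "simple bind/TLS";` under `if (using_tls)` and `user_info->auth_description = "simple bind";` in the else branch. The log_successful_authz_event() call in the next hunk hard-codes "simple bind" regardless of using_tls, so the authentication and authorization records disagree for TLS binds; passing the same description value to both would keep them consistent. The function body continues in the next hunk.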
@@ -79,33 +140,77 @@ _PUBLIC_ NTSTATUS authenticate_username_pw(TALLOC_CTX *mem_ctx, user_info->flags = USER_INFO_CASE_INSENSITIVE_USERNAME | USER_INFO_DONT_CHECK_UNIX_ACCOUNT; - user_info->logon_parameters = logon_parameters | + user_info->logon_parameters = + MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | + MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT | MSV1_0_CLEARTEXT_PASSWORD_ALLOWED | MSV1_0_CLEARTEXT_PASSWORD_SUPPLIED; - nt_status = auth_check_password(auth_context, tmp_ctx, user_info, &user_info_dc); + /* This is a check for the crack names call above */ + if (!NT_STATUS_IS_OK(nt_status)) { + log_authentication_event(auth_context->msg_ctx, + auth_context->lp_ctx, + user_info, nt_status, + NULL, NULL, NULL, NULL); + talloc_free(tmp_ctx); + return nt_status; + } + + /* Now that we have checked if the crack names worked, set mapped_state */ + user_info->mapped_state = true; + + nt_status = auth_check_password(auth_context, tmp_ctx, user_info, + &user_info_dc, &authoritative); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(tmp_ctx); return nt_status; } - if (session_info) { - uint32_t flags = AUTH_SESSION_INFO_DEFAULT_GROUPS; - if (user_info_dc->info->authenticated) { - flags |= AUTH_SESSION_INFO_AUTHENTICATED; - } - nt_status = auth_context->generate_session_info(tmp_ctx, auth_context, - user_info_dc, - nt4_username, - flags, - session_info); - - if (NT_STATUS_IS_OK(nt_status)) { - talloc_steal(mem_ctx, *session_info); - } + flags = AUTH_SESSION_INFO_DEFAULT_GROUPS; + if (user_info_dc->info->authenticated) { + flags |= AUTH_SESSION_INFO_AUTHENTICATED; + } + nt_status = auth_context->generate_session_info(auth_context, + tmp_ctx, + user_info_dc, + nt4_username, + flags, + session_info); + + if (NT_STATUS_IS_OK(nt_status)) { + talloc_steal(mem_ctx, *session_info); } + log_successful_authz_event(auth_context->msg_ctx, + auth_context->lp_ctx, + remote_address, + local_address, + "LDAP", + "simple bind", + transport_protection, + *session_info); + talloc_free(tmp_ctx); return 
nt_status; } +_PUBLIC_ NTSTATUS authenticate_ldap_simple_bind_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + struct auth_session_info **session_info) +{ + struct authenticate_ldap_simple_bind_state *state = + tevent_req_data(req, + struct authenticate_ldap_simple_bind_state); + NTSTATUS status; + + *session_info = NULL; + + if (tevent_req_is_nterror(req, &status)) { + tevent_req_received(req); + return status; + } + + *session_info = talloc_move(mem_ctx, &state->session_info); + tevent_req_received(req); + return NT_STATUS_OK; +}
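Review bot: log_successful_authz_event() is called even when generate_session_info() fails: only the talloc_steal is guarded by NT_STATUS_IS_OK, so a bind whose session_info could not be built is still logged as a successful authorization, and `*session_info` is passed to the logger without having been set by this function. Return early on failure so both the steal and the success log only run on the OK path. Separately, `authoritative` is filled by auth_check_password() but never consulted here; if that is deliberate, a one-line comment such as `/* authoritative is unused: a simple bind is always answered locally */` would save the next reader the question (hedged — that is my reading of the intent). The head of authenticate_ldap_simple_bind() is in the earlier hunks.
```c
	/* … unchanged: generate_session_info() call … */
	if (!NT_STATUS_IS_OK(nt_status)) {
		talloc_free(tmp_ctx);
		return nt_status;
	}
	talloc_steal(mem_ctx, *session_info);

	/* … unchanged: log_successful_authz_event() call … */
```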