git.samba.org / samba.git / blob
? search:


6b1c321d49e95d4967494e54ced0c719b54efb0f
[samba.git] / source / libcli / ldap / ldap_bind.c
1 /* 
2    Unix SMB/CIFS mplementation.
3
4    LDAP bind calls
5    
6    Copyright (C) Andrew Tridgell  2005
7    Copyright (C) Volker Lendecke  2004
8     
9    This program is free software; you can redistribute it and/or modify
10    it under the terms of the GNU General Public License as published by
11    the Free Software Foundation; either version 2 of the License, or
12    (at your option) any later version.
13    
14    This program is distributed in the hope that it will be useful,
15    but WITHOUT ANY WARRANTY; without even the implied warranty of
16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17    GNU General Public License for more details.
18    
19    You should have received a copy of the GNU General Public License
20    along with this program; if not, write to the Free Software
21    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
22    
23 */
24
25 #include "includes.h"
26 #include "libcli/ldap/ldap_client.h"
27 #include "auth/auth.h"
28
29 static struct ldap_message *new_ldap_simple_bind_msg(struct ldap_connection *conn, 
30                                                      const char *dn, const char *pw)
31 {
32         struct ldap_message *res;
33
34         res = new_ldap_message(conn);
35         if (!res) {
36                 return NULL;
37         }
38
39         res->type = LDAP_TAG_BindRequest;
40         res->r.BindRequest.version = 3;
41         res->r.BindRequest.dn = talloc_strdup(res, dn);
42         res->r.BindRequest.mechanism = LDAP_AUTH_MECH_SIMPLE;
43         res->r.BindRequest.creds.password = talloc_strdup(res, pw);
44
45         return res;
46 }
47
48
49 /*
50   perform a simple username/password bind
51 */
52 NTSTATUS ldap_bind_simple(struct ldap_connection *conn, 
53                           const char *userdn, const char *password)
54 {
55         struct ldap_request *req;
56         struct ldap_message *msg;
57         const char *dn, *pw;
58         NTSTATUS status;
59
60         if (conn == NULL) {
61                 return NT_STATUS_INVALID_CONNECTION;
62         }
63
64         if (userdn) {
65                 dn = userdn;
66         } else {
67                 if (conn->auth_dn) {
68                         dn = conn->auth_dn;
69                 } else {
70                         dn = "";
71                 }
72         }
73
74         if (password) {
75                 pw = password;
76         } else {
77                 if (conn->simple_pw) {
78                         pw = conn->simple_pw;
79                 } else {
80                         pw = "";
81                 }
82         }
83
84         msg = new_ldap_simple_bind_msg(conn, dn, pw);
85         NT_STATUS_HAVE_NO_MEMORY(msg);
86
87         /* send the request */
88         req = ldap_request_send(conn, msg);
89         talloc_free(msg);
90         NT_STATUS_HAVE_NO_MEMORY(req);
91
92         /* wait for replies */
93         status = ldap_request_wait(req);
94         if (!NT_STATUS_IS_OK(status)) {
95                 talloc_free(req);
96                 return status;
97         }
98
99         /* check its a valid reply */
100         msg = req->replies[0];
101         if (msg->type != LDAP_TAG_BindResponse) {
102                 talloc_free(req);
103                 return NT_STATUS_UNEXPECTED_NETWORK_ERROR;
104         }
105
106         status = ldap_check_response(conn, &msg->r.BindResponse.response);
107
108         talloc_free(req);
109
110         return status;
111 }
112
113
114 static struct ldap_message *new_ldap_sasl_bind_msg(struct ldap_connection *conn, 
115                                                    const char *sasl_mechanism, 
116                                                    DATA_BLOB *secblob)
117 {
118         struct ldap_message *res;
119
120         res = new_ldap_message(conn);
121         if (!res) {
122                 return NULL;
123         }
124
125         res->type = LDAP_TAG_BindRequest;
126         res->r.BindRequest.version = 3;
127         res->r.BindRequest.dn = "";
128         res->r.BindRequest.mechanism = LDAP_AUTH_MECH_SASL;
129         res->r.BindRequest.creds.SASL.mechanism = talloc_strdup(res, sasl_mechanism);
130         res->r.BindRequest.creds.SASL.secblob = *secblob;
131
132         return res;
133 }
134
135
136 /*
137   perform a sasl bind using the given credentials
138 */
139 NTSTATUS ldap_bind_sasl(struct ldap_connection *conn, struct cli_credentials *creds)
140 {
141         NTSTATUS status;
142         TALLOC_CTX *tmp_ctx = NULL;
143
144         DATA_BLOB input = data_blob(NULL, 0);
145         DATA_BLOB output = data_blob(NULL, 0);
146
147         struct ldap_message **sasl_mechs_msgs;
148         struct ldap_SearchResEntry *search;
149         int count, i;
150
151         const char **sasl_names;
152         const struct gensec_security_ops **mechs;
153         
154         static const char *supported_sasl_mech_attrs[] = {
155                 "supportedSASLMechanisms", 
156                 NULL 
157         };
158
159         status = gensec_client_start(conn, &conn->gensec, NULL);
160         if (!NT_STATUS_IS_OK(status)) {
161                 DEBUG(0, ("Failed to start GENSEC engine (%s)\n", nt_errstr(status)));
162                 goto failed;
163         }
164
165         gensec_want_feature(conn->gensec, 0 | GENSEC_FEATURE_SIGN | GENSEC_FEATURE_SEAL);
166
167         status = gensec_set_credentials(conn->gensec, creds);
168         if (!NT_STATUS_IS_OK(status)) {
169                 DEBUG(1, ("Failed to set GENSEC creds: %s\n", 
170                           nt_errstr(status)));
171                 goto failed;
172         }
173
174         status = gensec_set_target_hostname(conn->gensec, conn->host);
175         if (!NT_STATUS_IS_OK(status)) {
176                 DEBUG(1, ("Failed to set GENSEC target hostname: %s\n", 
177                           nt_errstr(status)));
178                 goto failed;
179         }
180
181         status = gensec_set_target_service(conn->gensec, "ldap");
182         if (!NT_STATUS_IS_OK(status)) {
183                 DEBUG(1, ("Failed to set GENSEC target service: %s\n", 
184                           nt_errstr(status)));
185                 goto failed;
186         }
187
188         status = ildap_search(conn, "", LDAP_SEARCH_SCOPE_BASE, "", supported_sasl_mech_attrs, 
189                               False, &sasl_mechs_msgs);
190         if (!NT_STATUS_IS_OK(status)) {
191                 DEBUG(1, ("Failed to inquire of target's available sasl mechs in rootdse search: %s\n", 
192                           nt_errstr(status)));
193                 goto failed;
194         }
195         
196         count = ildap_count_entries(conn, sasl_mechs_msgs);
197         if (count != 1) {
198                 DEBUG(1, ("Failed to inquire of target's available sasl mechs in rootdse search: wrong number of replies: %d\n",
199                           count));
200                 goto failed;
201         }
202
203         tmp_ctx = talloc_new(conn);
204         if (tmp_ctx == NULL) goto failed;
205
206         search = &sasl_mechs_msgs[0]->r.SearchResultEntry;
207         if (search->num_attributes != 1) {
208                 DEBUG(1, ("Failed to inquire of target's available sasl mechs in rootdse search: wrong number of attributes: %d\n",
209                           search->num_attributes));
210                 goto failed;
211         }
212
213         sasl_names = talloc_array(tmp_ctx, const char *, search->attributes[0].num_values + 1);
214         if (!sasl_names) {
215                 DEBUG(1, ("talloc_arry(char *, %d) failed\n",
216                           count));
217                 goto failed;
218         }
219                 
220         for (i=0; i<search->attributes[0].num_values; i++) {
221                 sasl_names[i] = (const char *)search->attributes[0].values[i].data;
222         }
223         sasl_names[i] = NULL;
224         
225         mechs = gensec_security_by_sasl(conn->gensec, tmp_ctx, sasl_names);
226         if (!mechs || !mechs[0]) {
227                 DEBUG(1, ("None of the %d proposed SASL mechs were acceptable\n",
228                           count));
229                 goto failed;
230         }
231
232         status = gensec_start_mech_by_ops(conn->gensec, mechs[0]);
233         if (!NT_STATUS_IS_OK(status)) {
234                 DEBUG(1, ("Failed to set GENSEC client mechanism: %s/%s %s\n",
235                           mechs[0]->name, mechs[0]->sasl_name, nt_errstr(status)));
236                 goto failed;
237         }
238
239         while (1) {
240                 NTSTATUS gensec_status;
241                 struct ldap_message *response;
242                 struct ldap_message *msg;
243                 struct ldap_request *req;
244                 int result = LDAP_OTHER;
245         
246                 status = gensec_update(conn->gensec, tmp_ctx,
247                                        input,
248                                        &output);
249                 /* The status value here, from GENSEC is vital to the security
250                  * of the system.  Even if the other end accepts, if GENSEC
251                  * claims 'MORE_PROCESSING_REQUIRED' then you must keep
252                  * feeding it blobs, or else the remote host/attacker might
253                  * avoid mutal authentication requirements.
254                  *
255                  * Likewise, you must not feed GENSEC too much (after the OK),
256                  * it doesn't like that either
257                  */
258
259                 gensec_status = status;
260
261                 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) && 
262                     !NT_STATUS_IS_OK(status)) {
263                         break;
264                 }
265                 if (output.length == 0) {
266                         break;
267                 }
268
269                 msg = new_ldap_sasl_bind_msg(tmp_ctx, "GSS-SPNEGO", &output);
270                 if (msg == NULL) {
271                         status = NT_STATUS_NO_MEMORY;
272                         goto failed;
273                 }
274
275                 req = ldap_request_send(conn, msg);
276                 if (req == NULL) {
277                         status = NT_STATUS_NO_MEMORY;
278                         goto failed;
279                 }
280                 talloc_steal(tmp_ctx, req);
281
282                 status = ldap_result_n(req, 0, &response);
283                 if (!NT_STATUS_IS_OK(status)) {
284                         goto failed;
285                 }
286                 
287                 if (response->type != LDAP_TAG_BindResponse) {
288                         status = NT_STATUS_UNEXPECTED_NETWORK_ERROR;
289                         goto failed;
290                 }
291
292                 result = response->r.BindResponse.response.resultcode;
293
294                 if (result != LDAP_SUCCESS && result != LDAP_SASL_BIND_IN_PROGRESS) {
295                         status = ldap_check_response(conn, 
296                                                      &response->r.BindResponse.response);
297                         break;
298                 }
299
300                 /* This is where we check if GENSEC wanted to be fed more data */
301                 if (!NT_STATUS_EQUAL(gensec_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
302                         break;
303                 }
304                 input = response->r.BindResponse.SASL.secblob;
305         }
306
307         if (NT_STATUS_IS_OK(status) &&
308             (gensec_have_feature(conn->gensec, GENSEC_FEATURE_SEAL) ||
309              gensec_have_feature(conn->gensec, GENSEC_FEATURE_SIGN))) {
310                 conn->enable_wrap = True;
311         }
312
313         talloc_free(tmp_ctx);
314         return status;
315
316 failed:
317         talloc_free(tmp_ctx);
318         talloc_free(conn->gensec);
319         conn->gensec = NULL;
320         return status;
321 }
Samba Shared Repository