source4/auth/ntlm/auth_simple.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    auth functions
   5
   6    Copyright (C) Simo Sorce 2005
   7    Copyright (C) Andrew Tridgell 2005
   8    Copyright (C) Andrew Bartlett 2005
   9
  10    This program is free software; you can redistribute it and/or modify
  11    it under the terms of the GNU General Public License as published by
  12    the Free Software Foundation; either version 3 of the License, or
  13    (at your option) any later version.
  14
  15    This program is distributed in the hope that it will be useful,
  16    but WITHOUT ANY WARRANTY; without even the implied warranty of
  17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18    GNU General Public License for more details.
  19
  20    You should have received a copy of the GNU General Public License
  21    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  22 */
  23
  24 #include "includes.h"
  25 #include <tevent.h>
  26 #include "lib/util/tevent_ntstatus.h"
  27 #include "auth/auth.h"
  28 #include "dsdb/samdb/samdb.h"
  29
  30 struct authenticate_ldap_simple_bind_state {
  31         bool using_tls;
  32         struct auth4_context *auth_context;
  33         struct auth_usersupplied_info *user_info;
  34         struct auth_session_info *session_info;
  35 };
  36
  37 static void authenticate_ldap_simple_bind_done(struct tevent_req *subreq);
  38
  39 _PUBLIC_ struct tevent_req *authenticate_ldap_simple_bind_send(TALLOC_CTX *mem_ctx,
  40                                         struct tevent_context *ev,
  41                                         struct imessaging_context *msg,
  42                                         struct loadparm_context *lp_ctx,
  43                                         struct tsocket_address *remote_address,
  44                                         struct tsocket_address *local_address,
  45                                         bool using_tls,
  46                                         const char *dn,
  47                                         const char *password)
  48 {
  49         struct tevent_req *req = NULL;
  50         struct authenticate_ldap_simple_bind_state *state = NULL;
  51         struct auth_usersupplied_info *user_info = NULL;
  52         const char *nt4_domain = NULL;
  53         const char *nt4_username = NULL;
  54         struct tevent_req *subreq = NULL;
  55         NTSTATUS status;
  56
  57         req = tevent_req_create(mem_ctx, &state,
  58                                 struct authenticate_ldap_simple_bind_state);
  59         if (req == NULL) {
  60                 return NULL;
  61         }
  62         state->using_tls = using_tls;
  63
  64         status = auth_context_create(state, ev, msg, lp_ctx,
  65                                      &state->auth_context);
  66         if (tevent_req_nterror(req, status)) {
  67                 return tevent_req_post(req, ev);
  68         }
  69
  70         user_info = talloc_zero(state, struct auth_usersupplied_info);
  71         if (tevent_req_nomem(user_info, req)) {
  72                 return tevent_req_post(req, ev);
  73         }
  74         state->user_info = user_info;
  75
  76         user_info->client.account_name = dn;
  77         /* No client.domain_name, use account_name instead */
  78         /* user_info->mapped.* will be filled below */
  79
  80         user_info->workstation_name = NULL;
  81
  82         user_info->remote_host = remote_address;
  83         user_info->local_host = local_address;
  84
  85         user_info->service_description = "LDAP";
  86
  87         if (using_tls) {
  88                 user_info->auth_description = "simple bind";
  89         } else {
  90                 user_info->auth_description = "simple bind/TLS";
  91         }
  92
  93         user_info->password_state = AUTH_PASSWORD_PLAIN;
  94         user_info->password.plaintext = talloc_strdup(user_info, password);
  95         if (tevent_req_nomem(user_info->password.plaintext, req)) {
  96                 return tevent_req_post(req, ev);
  97         }
  98
  99         user_info->flags = USER_INFO_CASE_INSENSITIVE_USERNAME |
 100                 USER_INFO_DONT_CHECK_UNIX_ACCOUNT;
 101
 102         user_info->logon_parameters =
 103                 MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT |
 104                 MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT |
 105                 MSV1_0_CLEARTEXT_PASSWORD_ALLOWED |
 106                 MSV1_0_CLEARTEXT_PASSWORD_SUPPLIED;
 107
 108         status = crack_auto_name_to_nt4_name(state, ev, lp_ctx, dn,
 109                                              &nt4_domain, &nt4_username);
 110         if (!NT_STATUS_IS_OK(status)) {
 111                 log_authentication_event(msg, lp_ctx,
 112                                          user_info, status,
 113                                          NULL, NULL, NULL, NULL);
 114         }
 115         if (tevent_req_nterror(req, status)) {
 116                 return tevent_req_post(req, ev);
 117         }
 118
 119         user_info->mapped.account_name = nt4_username;
 120         user_info->mapped.domain_name = nt4_domain;
 121         user_info->mapped_state = true;
 122
 123         subreq = auth_check_password_send(state, ev,
 124                                           state->auth_context,
 125                                           state->user_info);
 126         if (tevent_req_nomem(subreq, req)) {
 127                 return tevent_req_post(req, ev);
 128         }
 129         tevent_req_set_callback(subreq, authenticate_ldap_simple_bind_done, req);
 130
 131         return req;
 132 }
 133
 134 static void authenticate_ldap_simple_bind_done(struct tevent_req *subreq)
 135 {
 136         struct tevent_req *req =
 137                 tevent_req_callback_data(subreq,
 138                 struct tevent_req);
 139         struct authenticate_ldap_simple_bind_state *state =
 140                 tevent_req_data(req,
 141                 struct authenticate_ldap_simple_bind_state);
 142         struct auth4_context *auth_context = state->auth_context;
 143         struct auth_usersupplied_info *user_info = state->user_info;
 144         const char *nt4_username = user_info->mapped.account_name;
 145         const struct tsocket_address *remote_address = user_info->remote_host;
 146         const struct tsocket_address *local_address = user_info->local_host;
 147         const char *transport_protection = AUTHZ_TRANSPORT_PROTECTION_NONE;
 148         struct auth_user_info_dc *user_info_dc = NULL;
 149         uint8_t authoritative = 0;
 150         uint32_t flags = 0;
 151         NTSTATUS nt_status;
 152
 153         if (state->using_tls) {
 154                 transport_protection = AUTHZ_TRANSPORT_PROTECTION_TLS;
 155         }
 156
 157         nt_status = auth_check_password_recv(subreq, state,
 158                                              &user_info_dc,
 159                                              &authoritative);
 160         TALLOC_FREE(subreq);
 161         if (tevent_req_nterror(req, nt_status)) {
 162                 return;
 163         }
 164
 165         flags = AUTH_SESSION_INFO_DEFAULT_GROUPS;
 166         if (user_info_dc->info->authenticated) {
 167                 flags |= AUTH_SESSION_INFO_AUTHENTICATED;
 168         }
 169
 170         nt_status = auth_context->generate_session_info(auth_context,
 171                                                         state,
 172                                                         user_info_dc,
 173                                                         nt4_username,
 174                                                         flags,
 175                                                         &state->session_info);
 176         if (tevent_req_nterror(req, nt_status)) {
 177                 return;
 178         }
 179
 180         log_successful_authz_event(auth_context->msg_ctx,
 181                                    auth_context->lp_ctx,
 182                                    remote_address,
 183                                    local_address,
 184                                    "LDAP",
 185                                    "simple bind",
 186                                    transport_protection,
 187                                    state->session_info);
 188
 189         tevent_req_done(req);
 190 }
 191
 192 _PUBLIC_ NTSTATUS authenticate_ldap_simple_bind_recv(struct tevent_req *req,
 193                                         TALLOC_CTX *mem_ctx,
 194                                         struct auth_session_info **session_info)
 195 {
 196         struct authenticate_ldap_simple_bind_state *state =
 197                 tevent_req_data(req,
 198                 struct authenticate_ldap_simple_bind_state);
 199         NTSTATUS status;
 200
 201         *session_info = NULL;
 202
 203         if (tevent_req_is_nterror(req, &status)) {
 204                 tevent_req_received(req);
 205                 return status;
 206         }
 207
 208         *session_info = talloc_move(mem_ctx, &state->session_info);
 209         tevent_req_received(req);
 210         return NT_STATUS_OK;
 211 }