-/*
+/*
Unix SMB/CIFS implementation.
LDAP server
Copyright (C) Stefan Metzmacher 2004
Copyright (C) Matthias Dieter Wallnöfer 2009
-
+
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
-
+
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
-
+
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "../lib/util/dlinklist.h"
#include "auth/credentials/credentials.h"
#include "auth/gensec/gensec.h"
+#include "auth/gensec/gensec_internal.h" /* TODO: remove this */
+#include "auth/common_auth.h"
#include "param/param.h"
-#include "smbd/service_stream.h"
+#include "samba/service_stream.h"
#include "dsdb/samdb/samdb.h"
#include <ldb_errors.h>
#include <ldb_module.h>
#include "ldb_wrap.h"
+#include "lib/tsocket/tsocket.h"
+#include "libcli/ldap/ldap_proto.h"
+#include "source4/auth/auth.h"
static int map_ldb_error(TALLOC_CTX *mem_ctx, int ldb_err,
const char *add_err_string, const char **errstring)
/*
connect to the sam database
*/
-NTSTATUS ldapsrv_backend_Init(struct ldapsrv_connection *conn)
+int ldapsrv_backend_Init(struct ldapsrv_connection *conn,
+ char **errstring)
{
- conn->ldb = samdb_connect(conn,
- conn->connection->event.ctx,
- conn->lp_ctx,
- conn->session_info,
- conn->global_catalog ? LDB_FLG_RDONLY : 0);
- if (conn->ldb == NULL) {
- return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ bool using_tls = conn->sockets.active == conn->sockets.tls;
+ bool using_seal = conn->gensec != NULL && gensec_have_feature(conn->gensec,
+ GENSEC_FEATURE_SEAL);
+ struct dsdb_encrypted_connection_state *opaque_connection_state = NULL;
+
+ int ret = samdb_connect_url(conn,
+ conn->connection->event.ctx,
+ conn->lp_ctx,
+ conn->session_info,
+ conn->global_catalog ? LDB_FLG_RDONLY : 0,
+ "sam.ldb",
+ conn->connection->remote_address,
+ &conn->ldb,
+ errstring);
+ if (ret != LDB_SUCCESS) {
+ return ret;
}
- if (conn->server_credentials) {
- char **sasl_mechs = NULL;
- struct gensec_security_ops **backends = gensec_security_all();
- struct gensec_security_ops **ops
- = gensec_use_kerberos_mechs(conn, backends, conn->server_credentials);
- unsigned int i, j = 0;
- for (i = 0; ops && ops[i]; i++) {
- if (!lpcfg_parm_bool(conn->lp_ctx, NULL, "gensec", ops[i]->name, ops[i]->enabled))
- continue;
-
- if (ops[i]->sasl_name && ops[i]->server_start) {
- char *sasl_name = talloc_strdup(conn, ops[i]->sasl_name);
+ /*
+ * We can safely call ldb_set_opaque() on this ldb as we have
+ * set remote_address above which avoids the ldb handle cache
+ */
+ opaque_connection_state = talloc_zero(conn, struct dsdb_encrypted_connection_state);
+ if (opaque_connection_state == NULL) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ opaque_connection_state->using_encrypted_connection = using_tls || using_seal || conn->is_ldapi;
+ ret = ldb_set_opaque(conn->ldb,
+ DSDB_OPAQUE_ENCRYPTED_CONNECTION_STATE_NAME,
+ opaque_connection_state);
+ if (ret != LDB_SUCCESS) {
+ DBG_ERR("ldb_set_opaque() failed to store our "
+ "encrypted connection state!\n");
+ return ret;
+ }
- if (!sasl_name) {
- return NT_STATUS_NO_MEMORY;
- }
- sasl_mechs = talloc_realloc(conn, sasl_mechs, char *, j + 2);
- if (!sasl_mechs) {
- return NT_STATUS_NO_MEMORY;
- }
- sasl_mechs[j] = sasl_name;
- talloc_steal(sasl_mechs, sasl_name);
- sasl_mechs[j+1] = NULL;
- j++;
- }
+ if (conn->server_credentials) {
+ struct gensec_security *gensec_security = NULL;
+ const char **sasl_mechs = NULL;
+ NTSTATUS status;
+
+ status = samba_server_gensec_start(conn,
+ conn->connection->event.ctx,
+ conn->connection->msg_ctx,
+ conn->lp_ctx,
+ conn->server_credentials,
+ "ldap",
+ &gensec_security);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_ERR("samba_server_gensec_start failed: %s\n",
+ nt_errstr(status));
+ return LDB_ERR_OPERATIONS_ERROR;
}
- talloc_unlink(conn, ops);
/* ldb can have a different lifetime to conn, so we
need to ensure that sasl_mechs lives as long as the
ldb does */
- talloc_steal(conn->ldb, sasl_mechs);
+ sasl_mechs = gensec_security_sasl_names(gensec_security,
+ conn->ldb);
+ TALLOC_FREE(gensec_security);
+ if (sasl_mechs == NULL) {
+ DBG_ERR("Failed to get sasl mechs!\n");
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
ldb_set_opaque(conn->ldb, "supportedSASLMechanisms", sasl_mechs);
}
- return NT_STATUS_OK;
+ return LDB_SUCCESS;
}
struct ldapsrv_reply *ldapsrv_init_reply(struct ldapsrv_call *call, uint8_t type)
{
struct ldapsrv_reply *reply;
- reply = talloc(call, struct ldapsrv_reply);
+ reply = talloc_zero(call, struct ldapsrv_reply);
if (!reply) {
return NULL;
}
- reply->msg = talloc(reply, struct ldap_message);
+ reply->msg = talloc_zero(reply, struct ldap_message);
if (reply->msg == NULL) {
talloc_free(reply);
return NULL;
return reply;
}
-void ldapsrv_queue_reply(struct ldapsrv_call *call, struct ldapsrv_reply *reply)
+/*
+ * Encode a reply to an LDAP client as ASN.1, free the original memory
+ */
+static NTSTATUS ldapsrv_encode(TALLOC_CTX *mem_ctx,
+ struct ldapsrv_reply *reply)
{
- DLIST_ADD_END(call->replies, reply, struct ldapsrv_reply *);
+ bool bret = ldap_encode(reply->msg,
+ samba_ldap_control_handlers(),
+ &reply->blob,
+ mem_ctx);
+ if (!bret) {
+ DBG_ERR("Failed to encode ldap reply of type %d: "
+ "ldap_encode() failed\n",
+ reply->msg->type);
+ TALLOC_FREE(reply->msg);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ TALLOC_FREE(reply->msg);
+ talloc_set_name_const(reply->blob.data,
+ "Outgoing, encoded single LDAP reply");
+
+ return NT_STATUS_OK;
+}
+
+/*
+ * Queue a reply (encoding it also), even if it would exceed the
+ * limit. This allows the error packet with LDAP_SIZE_LIMIT_EXCEEDED
+ * to be sent
+ */
+static NTSTATUS ldapsrv_queue_reply_forced(struct ldapsrv_call *call,
+ struct ldapsrv_reply *reply)
+{
+ NTSTATUS status = ldapsrv_encode(call, reply);
+
+ if (NT_STATUS_IS_OK(status)) {
+ DLIST_ADD_END(call->replies, reply);
+ }
+ return status;
+}
+
+/*
+ * Queue a reply (encoding it also) but check we do not send more than
+ * LDAP_SERVER_MAX_REPLY_SIZE of responses as a way to limit the
+ * amount of data a client can make us allocate.
+ */
+NTSTATUS ldapsrv_queue_reply(struct ldapsrv_call *call, struct ldapsrv_reply *reply)
+{
+ NTSTATUS status = ldapsrv_encode(call, reply);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ if (call->reply_size > call->reply_size + reply->blob.length
+ || call->reply_size + reply->blob.length > LDAP_SERVER_MAX_REPLY_SIZE) {
+ DBG_WARNING("Refusing to queue LDAP search response size "
+ "of more than %zu bytes\n",
+ LDAP_SERVER_MAX_REPLY_SIZE);
+ TALLOC_FREE(reply->blob.data);
+ return NT_STATUS_FILE_TOO_LARGE;
+ }
+
+ call->reply_size += reply->blob.length;
+
+ DLIST_ADD_END(call->replies, reply);
+
+ return status;
}
static NTSTATUS ldapsrv_unwilling(struct ldapsrv_call *call, int error)
struct ldapsrv_reply *reply;
struct ldap_ExtendedResponse *r;
- DEBUG(10,("Unwilling type[%d] id[%d]\n", call->request->type, call->request->messageid));
+ DBG_DEBUG("type[%d] id[%d]\n", call->request->type, call->request->messageid);
reply = ldapsrv_init_reply(call, LDAP_TAG_ExtendedResponse);
if (!reply) {
static int ldapsrv_add_with_controls(struct ldapsrv_call *call,
const struct ldb_message *message,
struct ldb_control **controls,
- void *context)
+ struct ldb_result *res)
{
struct ldb_context *ldb = call->conn->ldb;
struct ldb_request *req;
ret = ldb_build_add_req(&req, ldb, ldb,
message,
controls,
- context,
+ res,
ldb_modify_default_callback,
NULL);
static int ldapsrv_mod_with_controls(struct ldapsrv_call *call,
const struct ldb_message *message,
struct ldb_control **controls,
- void *context)
+ struct ldb_result *res)
{
struct ldb_context *ldb = call->conn->ldb;
struct ldb_request *req;
ret = ldb_build_mod_req(&req, ldb, ldb,
message,
controls,
- context,
+ res,
ldb_modify_default_callback,
NULL);
static int ldapsrv_del_with_controls(struct ldapsrv_call *call,
struct ldb_dn *dn,
struct ldb_control **controls,
- void *context)
+ struct ldb_result *res)
{
struct ldb_context *ldb = call->conn->ldb;
struct ldb_request *req;
ret = ldb_build_del_req(&req, ldb, ldb,
dn,
controls,
- context,
+ res,
ldb_modify_default_callback,
NULL);
struct ldb_dn *olddn,
struct ldb_dn *newdn,
struct ldb_control **controls,
- void *context)
+ struct ldb_result *res)
{
struct ldb_context *ldb = call->conn->ldb;
struct ldb_request *req;
ret = ldb_build_rename_req(&req, ldb, ldb,
olddn,
newdn,
- NULL,
- context,
+ controls,
+ res,
ldb_modify_default_callback,
NULL);
return ret;
}
+
+
+struct ldapsrv_context {
+ struct ldapsrv_call *call;
+ int extended_type;
+ bool attributesonly;
+ struct ldb_control **controls;
+ size_t count; /* For notification only */
+};
+
+static int ldap_server_search_callback(struct ldb_request *req, struct ldb_reply *ares)
+{
+ struct ldapsrv_context *ctx = talloc_get_type(req->context, struct ldapsrv_context);
+ struct ldapsrv_call *call = ctx->call;
+ struct ldb_context *ldb = call->conn->ldb;
+ unsigned int j;
+ struct ldapsrv_reply *ent_r = NULL;
+ struct ldap_SearchResEntry *ent;
+ int ret;
+ NTSTATUS status;
+
+ if (!ares) {
+ return ldb_request_done(req, LDB_ERR_OPERATIONS_ERROR);
+ }
+ if (ares->error != LDB_SUCCESS) {
+ return ldb_request_done(req, ares->error);
+ }
+
+ switch (ares->type) {
+ case LDB_REPLY_ENTRY:
+ {
+ struct ldb_message *msg = ares->message;
+ ent_r = ldapsrv_init_reply(call, LDAP_TAG_SearchResultEntry);
+ if (ent_r == NULL) {
+ return ldb_oom(ldb);
+ }
+
+ ctx->count++;
+
+ /*
+ * Put the LDAP search response data under ent_r->msg
+ * so we can free that later once encoded
+ */
+ talloc_steal(ent_r->msg, msg);
+
+ ent = &ent_r->msg->r.SearchResultEntry;
+ ent->dn = ldb_dn_get_extended_linearized(ent_r, msg->dn,
+ ctx->extended_type);
+ ent->num_attributes = 0;
+ ent->attributes = NULL;
+ if (msg->num_elements == 0) {
+ goto queue_reply;
+ }
+ ent->num_attributes = msg->num_elements;
+ ent->attributes = talloc_array(ent_r, struct ldb_message_element, ent->num_attributes);
+ if (ent->attributes == NULL) {
+ return ldb_oom(ldb);
+ }
+
+ for (j=0; j < ent->num_attributes; j++) {
+ ent->attributes[j].name = msg->elements[j].name;
+ ent->attributes[j].num_values = 0;
+ ent->attributes[j].values = NULL;
+ if (ctx->attributesonly && (msg->elements[j].num_values == 0)) {
+ continue;
+ }
+ ent->attributes[j].num_values = msg->elements[j].num_values;
+ ent->attributes[j].values = msg->elements[j].values;
+ }
+queue_reply:
+ status = ldapsrv_queue_reply(call, ent_r);
+ if (NT_STATUS_EQUAL(status, NT_STATUS_FILE_TOO_LARGE)) {
+ ret = ldb_request_done(req,
+ LDB_ERR_SIZE_LIMIT_EXCEEDED);
+ ldb_asprintf_errstring(ldb,
+ "LDAP search response size "
+ "limited to %zu bytes\n",
+ LDAP_SERVER_MAX_REPLY_SIZE);
+ } else if (!NT_STATUS_IS_OK(status)) {
+ ret = ldb_request_done(req,
+ ldb_operr(ldb));
+ } else {
+ ret = LDB_SUCCESS;
+ }
+ break;
+ }
+ case LDB_REPLY_REFERRAL:
+ {
+ struct ldap_SearchResRef *ent_ref;
+
+ /*
+ * TODO: This should be handled by the notification
+ * module not here
+ */
+ if (call->notification.busy) {
+ ret = LDB_SUCCESS;
+ break;
+ }
+
+ ent_r = ldapsrv_init_reply(call, LDAP_TAG_SearchResultReference);
+ if (ent_r == NULL) {
+ return ldb_oom(ldb);
+ }
+
+ /*
+ * Put the LDAP referral data under ent_r->msg
+ * so we can free that later once encoded
+ */
+ talloc_steal(ent_r->msg, ares->referral);
+
+ ent_ref = &ent_r->msg->r.SearchResultReference;
+ ent_ref->referral = ares->referral;
+
+ status = ldapsrv_queue_reply(call, ent_r);
+ if (!NT_STATUS_IS_OK(status)) {
+ ret = LDB_ERR_OPERATIONS_ERROR;
+ } else {
+ ret = LDB_SUCCESS;
+ }
+ break;
+ }
+ case LDB_REPLY_DONE:
+ {
+ /*
+ * We don't queue the reply for this one, we let that
+ * happen outside
+ */
+ ctx->controls = talloc_move(ctx, &ares->controls);
+
+ TALLOC_FREE(ares);
+ return ldb_request_done(req, LDB_SUCCESS);
+ }
+ default:
+ /* Doesn't happen */
+ ret = LDB_ERR_OPERATIONS_ERROR;
+ }
+ TALLOC_FREE(ares);
+
+ return ret;
+}
+
+
static NTSTATUS ldapsrv_SearchRequest(struct ldapsrv_call *call)
{
struct ldap_SearchRequest *req = &call->request->r.SearchRequest;
- struct ldap_SearchResEntry *ent;
struct ldap_Result *done;
- struct ldapsrv_reply *ent_r, *done_r;
+ struct ldapsrv_reply *done_r;
TALLOC_CTX *local_ctx;
+ struct ldapsrv_context *callback_ctx = NULL;
struct ldb_context *samdb = talloc_get_type(call->conn->ldb, struct ldb_context);
struct ldb_dn *basedn;
- struct ldb_result *res = NULL;
struct ldb_request *lreq;
struct ldb_control *search_control;
struct ldb_search_options_control *search_options;
struct ldb_control *extended_dn_control;
struct ldb_extended_dn_control *extended_dn_decoded = NULL;
+ struct ldb_control *notification_control = NULL;
enum ldb_scope scope = LDB_SCOPE_DEFAULT;
const char **attrs = NULL;
const char *scope_str, *errstr = NULL;
- int success_limit = 1;
int result = -1;
int ldb_ret = -1;
- unsigned int i, j;
+ unsigned int i;
int extended_type = 1;
- DEBUG(10, ("SearchRequest"));
- DEBUGADD(10, (" basedn: %s", req->basedn));
- DEBUGADD(10, (" filter: %s\n", ldb_filter_from_tree(call, req->tree)));
+ /*
+ * Warn for searches that are longer than 1/4 of the
+ * search_timeout, being 30sec by default
+ */
+ struct timeval start_time = timeval_current();
+ struct timeval warning_time
+ = timeval_add(&start_time,
+ call->conn->limits.search_timeout / 4,
+ 0);
local_ctx = talloc_new(call);
NT_STATUS_HAVE_NO_MEMORY(local_ctx);
basedn = ldb_dn_new(local_ctx, samdb, req->basedn);
NT_STATUS_HAVE_NO_MEMORY(basedn);
- DEBUG(10, ("SearchRequest: basedn: [%s]\n", req->basedn));
- DEBUG(10, ("SearchRequest: filter: [%s]\n", ldb_filter_from_tree(call, req->tree)));
-
switch (req->scope) {
- case LDAP_SEARCH_SCOPE_BASE:
- scope_str = "BASE";
- scope = LDB_SCOPE_BASE;
- success_limit = 0;
- break;
- case LDAP_SEARCH_SCOPE_SINGLE:
- scope_str = "ONE";
- scope = LDB_SCOPE_ONELEVEL;
- success_limit = 0;
- break;
- case LDAP_SEARCH_SCOPE_SUB:
- scope_str = "SUB";
- scope = LDB_SCOPE_SUBTREE;
- success_limit = 0;
- break;
- default:
- result = LDAP_PROTOCOL_ERROR;
- map_ldb_error(local_ctx, LDB_ERR_PROTOCOL_ERROR, NULL,
- &errstr);
- errstr = talloc_asprintf(local_ctx,
- "%s. Invalid scope", errstr);
- goto reply;
+ case LDAP_SEARCH_SCOPE_BASE:
+ scope = LDB_SCOPE_BASE;
+ break;
+ case LDAP_SEARCH_SCOPE_SINGLE:
+ scope = LDB_SCOPE_ONELEVEL;
+ break;
+ case LDAP_SEARCH_SCOPE_SUB:
+ scope = LDB_SCOPE_SUBTREE;
+ break;
+ default:
+ result = LDAP_PROTOCOL_ERROR;
+ map_ldb_error(local_ctx, LDB_ERR_PROTOCOL_ERROR, NULL,
+ &errstr);
+ scope_str = "<Invalid scope>";
+ errstr = talloc_asprintf(local_ctx,
+ "%s. Invalid scope", errstr);
+ goto reply;
}
- DEBUG(10,("SearchRequest: scope: [%s]\n", scope_str));
+ scope_str = dsdb_search_scope_as_string(scope);
+
+ DBG_DEBUG("scope: [%s]\n", scope_str);
if (req->num_attributes >= 1) {
attrs = talloc_array(local_ctx, const char *, req->num_attributes+1);
NT_STATUS_HAVE_NO_MEMORY(attrs);
for (i=0; i < req->num_attributes; i++) {
- DEBUG(10,("SearchRequest: attrs: [%s]\n",req->attributes[i]));
+ DBG_DEBUG("attrs: [%s]\n",req->attributes[i]);
attrs[i] = req->attributes[i];
}
attrs[i] = NULL;
}
- DEBUG(5,("ldb_request %s dn=%s filter=%s\n",
- scope_str, req->basedn, ldb_filter_from_tree(call, req->tree)));
+ DBG_INFO("ldb_request %s dn=%s filter=%s\n",
+ scope_str, req->basedn, ldb_filter_from_tree(call, req->tree));
- res = talloc_zero(local_ctx, struct ldb_result);
- NT_STATUS_HAVE_NO_MEMORY(res);
+ callback_ctx = talloc_zero(local_ctx, struct ldapsrv_context);
+ NT_STATUS_HAVE_NO_MEMORY(callback_ctx);
+ callback_ctx->call = call;
+ callback_ctx->extended_type = extended_type;
+ callback_ctx->attributesonly = req->attributesonly;
ldb_ret = ldb_build_search_req_ex(&lreq, samdb, local_ctx,
basedn, scope,
req->tree, attrs,
call->request->controls,
- res, ldb_search_default_callback,
+ callback_ctx,
+ ldap_server_search_callback,
NULL);
if (ldb_ret != LDB_SUCCESS) {
} else {
extended_type = 0;
}
+ callback_ctx->extended_type = extended_type;
+ }
+
+ notification_control = ldb_request_get_control(lreq, LDB_CONTROL_NOTIFICATION_OID);
+ if (notification_control != NULL) {
+ const struct ldapsrv_call *pc = NULL;
+ size_t count = 0;
+
+ for (pc = call->conn->pending_calls; pc != NULL; pc = pc->next) {
+ count += 1;
+ }
+
+ if (count >= call->conn->limits.max_notifications) {
+ DBG_DEBUG("error MaxNotificationPerConn\n");
+ result = map_ldb_error(local_ctx,
+ LDB_ERR_ADMIN_LIMIT_EXCEEDED,
+ "MaxNotificationPerConn reached",
+ &errstr);
+ goto reply;
+ }
+
+ /*
+ * For now we need to do periodic retries on our own.
+ * As the dsdb_notification module will return after each run.
+ */
+ call->notification.busy = true;
+ }
+
+ {
+ const char *scheme = NULL;
+ switch (call->conn->referral_scheme) {
+ case LDAP_REFERRAL_SCHEME_LDAPS:
+ scheme = "ldaps";
+ break;
+ default:
+ scheme = "ldap";
+ }
+ ldb_ret = ldb_set_opaque(
+ samdb,
+ LDAP_REFERRAL_SCHEME_OPAQUE,
+ discard_const_p(char *, scheme));
+ if (ldb_ret != LDB_SUCCESS) {
+ goto reply;
+ }
}
- ldb_set_timeout(samdb, lreq, req->timelimit);
+ {
+ time_t timeout = call->conn->limits.search_timeout;
+
+ if (timeout == 0
+ || (req->timelimit != 0
+ && req->timelimit < timeout))
+ {
+ timeout = req->timelimit;
+ }
+ ldb_set_timeout(samdb, lreq, timeout);
+ }
if (!call->conn->is_privileged) {
ldb_req_mark_untrusted(lreq);
ldb_ret = ldb_wait(lreq->handle, LDB_WAIT_ALL);
if (ldb_ret == LDB_SUCCESS) {
- for (i = 0; i < res->count; i++) {
- ent_r = ldapsrv_init_reply(call, LDAP_TAG_SearchResultEntry);
- NT_STATUS_HAVE_NO_MEMORY(ent_r);
-
- /* Better to have the whole message kept here,
- * than to find someone further up didn't put
- * a value in the right spot in the talloc tree */
- talloc_steal(ent_r, res->msgs[i]);
-
- ent = &ent_r->msg->r.SearchResultEntry;
- ent->dn = ldb_dn_get_extended_linearized(ent_r, res->msgs[i]->dn, extended_type);
- ent->num_attributes = 0;
- ent->attributes = NULL;
- if (res->msgs[i]->num_elements == 0) {
- goto queue_reply;
+ if (call->notification.busy) {
+ /* Move/Add it to the end */
+ DLIST_DEMOTE(call->conn->pending_calls, call);
+ call->notification.generation =
+ call->conn->service->notification.generation;
+
+ if (callback_ctx->count != 0) {
+ call->notification.generation += 1;
+ ldapsrv_notification_retry_setup(call->conn->service,
+ true);
}
- ent->num_attributes = res->msgs[i]->num_elements;
- ent->attributes = talloc_array(ent_r, struct ldb_message_element, ent->num_attributes);
- NT_STATUS_HAVE_NO_MEMORY(ent->attributes);
- for (j=0; j < ent->num_attributes; j++) {
- ent->attributes[j].name = res->msgs[i]->elements[j].name;
- ent->attributes[j].num_values = 0;
- ent->attributes[j].values = NULL;
- if (req->attributesonly && (res->msgs[i]->elements[j].num_values == 0)) {
- continue;
- }
- ent->attributes[j].num_values = res->msgs[i]->elements[j].num_values;
- ent->attributes[j].values = res->msgs[i]->elements[j].values;
- }
-queue_reply:
- ldapsrv_queue_reply(call, ent_r);
- }
-
- /* Send back referrals if they do exist (search operations) */
- if (res->refs != NULL) {
- char **ref;
- struct ldap_SearchResRef *ent_ref;
- for (ref = res->refs; *ref != NULL; ++ref) {
- ent_r = ldapsrv_init_reply(call, LDAP_TAG_SearchResultReference);
- NT_STATUS_HAVE_NO_MEMORY(ent_r);
+ talloc_free(local_ctx);
+ return NT_STATUS_OK;
+ }
+ }
- /* Better to have the whole referrals kept here,
- * than to find someone further up didn't put
- * a value in the right spot in the talloc tree
- */
- talloc_steal(ent_r, *ref);
+reply:
- ent_ref = &ent_r->msg->r.SearchResultReference;
- ent_ref->referral = *ref;
+ /*
+ * This looks like duplicated code - because it is - but
+ * otherwise the work in the parameters will be done
+ * regardless, this way the functions only execute when the
+ * log level is set.
+ *
+ * The basedn is re-obtained as a string to escape it
+ */
+ if ((req->timelimit == 0 || call->conn->limits.search_timeout < req->timelimit)
+ && ldb_ret == LDB_ERR_TIME_LIMIT_EXCEEDED) {
+ struct dom_sid_buf sid_buf;
+ DBG_WARNING("MaxQueryDuration(%d) timeout exceeded "
+ "in SearchRequest by %s from %s filter: [%s] "
+ "basedn: [%s] "
+ "scope: [%s]\n",
+ call->conn->limits.search_timeout,
+ dom_sid_str_buf(&call->conn->session_info->security_token->sids[0],
+ &sid_buf),
+ tsocket_address_string(call->conn->connection->remote_address,
+ call),
+ ldb_filter_from_tree(call, req->tree),
+ ldb_dn_get_extended_linearized(call, basedn, 1),
+ scope_str);
+ for (i=0; i < req->num_attributes; i++) {
+ DBG_WARNING("MaxQueryDuration timeout exceeded attrs: [%s]\n",
+ req->attributes[i]);
+ }
- ldapsrv_queue_reply(call, ent_r);
- }
+ } else if (timeval_expired(&warning_time)) {
+ struct dom_sid_buf sid_buf;
+ DBG_NOTICE("Long LDAP Query: Duration was %.2fs, "
+ "MaxQueryDuration(%d)/4 == %d "
+ "in SearchRequest by %s from %s filter: [%s] "
+ "basedn: [%s] "
+ "scope: [%s] "
+ "result: %s\n",
+ timeval_elapsed(&start_time),
+ call->conn->limits.search_timeout,
+ call->conn->limits.search_timeout / 4,
+ dom_sid_str_buf(&call->conn->session_info->security_token->sids[0],
+ &sid_buf),
+ tsocket_address_string(call->conn->connection->remote_address,
+ call),
+ ldb_filter_from_tree(call, req->tree),
+ ldb_dn_get_extended_linearized(call, basedn, 1),
+ scope_str,
+ ldb_strerror(ldb_ret));
+ for (i=0; i < req->num_attributes; i++) {
+ DBG_NOTICE("Long LDAP Query attrs: [%s]\n",
+ req->attributes[i]);
}
+ } else {
+ struct dom_sid_buf sid_buf;
+ DBG_INFO("LDAP Query: Duration was %.2fs, "
+ "SearchRequest by %s from %s filter: [%s] "
+ "basedn: [%s] "
+ "scope: [%s] "
+ "result: %s\n",
+ timeval_elapsed(&start_time),
+ dom_sid_str_buf(&call->conn->session_info->security_token->sids[0],
+ &sid_buf),
+ tsocket_address_string(call->conn->connection->remote_address,
+ call),
+ ldb_filter_from_tree(call, req->tree),
+ ldb_dn_get_extended_linearized(call, basedn, 1),
+ scope_str,
+ ldb_strerror(ldb_ret));
}
-reply:
+ DLIST_REMOVE(call->conn->pending_calls, call);
+ call->notification.busy = false;
+
done_r = ldapsrv_init_reply(call, LDAP_TAG_SearchResultDone);
NT_STATUS_HAVE_NO_MEMORY(done_r);
if (result != -1) {
} else if (ldb_ret == LDB_SUCCESS) {
- if (res->count >= success_limit) {
- DEBUG(10,("SearchRequest: results: [%d]\n", res->count));
- result = LDAP_SUCCESS;
- errstr = NULL;
- }
- if (res->controls) {
- done_r->msg->controls = res->controls;
- talloc_steal(done_r, res->controls);
+ if (callback_ctx->controls) {
+ done_r->msg->controls = callback_ctx->controls;
+ talloc_steal(done_r->msg, callback_ctx->controls);
}
+ result = LDB_SUCCESS;
} else {
- DEBUG(10,("SearchRequest: error\n"));
+ DBG_DEBUG("error\n");
result = map_ldb_error(local_ctx, ldb_ret, ldb_errstring(samdb),
&errstr);
}
talloc_free(local_ctx);
- ldapsrv_queue_reply(call, done_r);
- return NT_STATUS_OK;
+ return ldapsrv_queue_reply_forced(call, done_r);
}
static NTSTATUS ldapsrv_ModifyRequest(struct ldapsrv_call *call)
unsigned int i,j;
struct ldb_result *res = NULL;
- DEBUG(10, ("ModifyRequest"));
- DEBUGADD(10, (" dn: %s\n", req->dn));
+ DBG_DEBUG("dn: %s\n", req->dn);
local_ctx = talloc_named(call, 0, "ModifyRequest local memory context");
NT_STATUS_HAVE_NO_MEMORY(local_ctx);
dn = ldb_dn_new(local_ctx, samdb, req->dn);
NT_STATUS_HAVE_NO_MEMORY(dn);
- DEBUG(10, ("ModifyRequest: dn: [%s]\n", req->dn));
+ DBG_DEBUG("dn: [%s]\n", req->dn);
- msg = talloc(local_ctx, struct ldb_message);
+ msg = ldb_msg_new(local_ctx);
NT_STATUS_HAVE_NO_MEMORY(msg);
msg->dn = dn;
- msg->num_elements = 0;
- msg->elements = NULL;
if (req->num_mods > 0) {
msg->num_elements = req->num_mods;
for (j=0; j < msg->elements[i].num_values; j++) {
msg->elements[i].values[j].length = req->mods[i].attrib.values[j].length;
- msg->elements[i].values[j].data = req->mods[i].attrib.values[j].data;
+ msg->elements[i].values[j].data = req->mods[i].attrib.values[j].data;
}
}
}
}
talloc_free(local_ctx);
- ldapsrv_queue_reply(call, modify_reply);
- return NT_STATUS_OK;
+ return ldapsrv_queue_reply(call, modify_reply);
}
unsigned int i,j;
struct ldb_result *res = NULL;
- DEBUG(10, ("AddRequest"));
- DEBUGADD(10, (" dn: %s\n", req->dn));
+ DBG_DEBUG("dn: %s\n", req->dn);
local_ctx = talloc_named(call, 0, "AddRequest local memory context");
NT_STATUS_HAVE_NO_MEMORY(local_ctx);
dn = ldb_dn_new(local_ctx, samdb, req->dn);
NT_STATUS_HAVE_NO_MEMORY(dn);
- DEBUG(10, ("AddRequest: dn: [%s]\n", req->dn));
+ DBG_DEBUG("dn: [%s]\n", req->dn);
msg = talloc(local_ctx, struct ldb_message);
NT_STATUS_HAVE_NO_MEMORY(msg);
msg->elements[i].flags = 0;
msg->elements[i].num_values = 0;
msg->elements[i].values = NULL;
-
+
if (req->attributes[i].num_values > 0) {
msg->elements[i].num_values = req->attributes[i].num_values;
msg->elements[i].values = talloc_array(msg->elements, struct ldb_val,
for (j=0; j < msg->elements[i].num_values; j++) {
msg->elements[i].values[j].length = req->attributes[i].values[j].length;
- msg->elements[i].values[j].data = req->attributes[i].values[j].data;
+ msg->elements[i].values[j].data = req->attributes[i].values[j].data;
}
}
}
}
talloc_free(local_ctx);
- ldapsrv_queue_reply(call, add_reply);
- return NT_STATUS_OK;
+ return ldapsrv_queue_reply(call, add_reply);
}
int ldb_ret;
struct ldb_result *res = NULL;
- DEBUG(10, ("DelRequest"));
- DEBUGADD(10, (" dn: %s\n", req->dn));
+ DBG_DEBUG("dn: %s\n", req->dn);
local_ctx = talloc_named(call, 0, "DelRequest local memory context");
NT_STATUS_HAVE_NO_MEMORY(local_ctx);
dn = ldb_dn_new(local_ctx, samdb, req->dn);
NT_STATUS_HAVE_NO_MEMORY(dn);
- DEBUG(10, ("DelRequest: dn: [%s]\n", req->dn));
+ DBG_DEBUG("dn: [%s]\n", req->dn);
del_reply = ldapsrv_init_reply(call, LDAP_TAG_DelResponse);
NT_STATUS_HAVE_NO_MEMORY(del_reply);
talloc_free(local_ctx);
- ldapsrv_queue_reply(call, del_reply);
- return NT_STATUS_OK;
+ return ldapsrv_queue_reply(call, del_reply);
}
static NTSTATUS ldapsrv_ModifyDNRequest(struct ldapsrv_call *call)
int ldb_ret;
struct ldb_result *res = NULL;
- DEBUG(10, ("ModifyDNRequest"));
- DEBUGADD(10, (" dn: %s", req->dn));
- DEBUGADD(10, (" newrdn: %s\n", req->newrdn));
+ DBG_DEBUG("dn: %s newrdn: %s\n",
+ req->dn, req->newrdn);
local_ctx = talloc_named(call, 0, "ModifyDNRequest local memory context");
NT_STATUS_HAVE_NO_MEMORY(local_ctx);
newrdn = ldb_dn_new(local_ctx, samdb, req->newrdn);
NT_STATUS_HAVE_NO_MEMORY(newrdn);
- DEBUG(10, ("ModifyDNRequest: olddn: [%s]\n", req->dn));
- DEBUG(10, ("ModifyDNRequest: newrdn: [%s]\n", req->newrdn));
+ DBG_DEBUG("olddn: [%s] newrdn: [%s]\n",
+ req->dn, req->newrdn);
if (ldb_dn_get_comp_num(newrdn) == 0) {
result = LDAP_PROTOCOL_ERROR;
}
if (req->newsuperior) {
- DEBUG(10, ("ModifyDNRequest: newsuperior: [%s]\n", req->newsuperior));
+ DBG_DEBUG("newsuperior: [%s]\n", req->newsuperior);
parentdn = ldb_dn_new(local_ctx, samdb, req->newsuperior);
}
talloc_free(local_ctx);
- ldapsrv_queue_reply(call, modifydn_r);
- return NT_STATUS_OK;
+ return ldapsrv_queue_reply(call, modifydn_r);
}
static NTSTATUS ldapsrv_CompareRequest(struct ldapsrv_call *call)
int result = LDAP_SUCCESS;
int ldb_ret;
- DEBUG(10, ("CompareRequest"));
- DEBUGADD(10, (" dn: %s\n", req->dn));
+ DBG_DEBUG("dn: %s\n", req->dn);
local_ctx = talloc_named(call, 0, "CompareRequest local_memory_context");
NT_STATUS_HAVE_NO_MEMORY(local_ctx);
dn = ldb_dn_new(local_ctx, samdb, req->dn);
NT_STATUS_HAVE_NO_MEMORY(dn);
- DEBUG(10, ("CompareRequest: dn: [%s]\n", req->dn));
- filter = talloc_asprintf(local_ctx, "(%s=%*s)", req->attribute,
+ DBG_DEBUG("dn: [%s]\n", req->dn);
+ filter = talloc_asprintf(local_ctx, "(%s=%*s)", req->attribute,
(int)req->value.length, req->value.data);
NT_STATUS_HAVE_NO_MEMORY(filter);
- DEBUGADD(10, ("CompareRequest: attribute: [%s]\n", filter));
+ DBG_DEBUG("attribute: [%s]\n", filter);
attrs[0] = NULL;
if (ldb_ret != LDB_SUCCESS) {
result = map_ldb_error(local_ctx, ldb_ret,
ldb_errstring(samdb), &errstr);
- DEBUG(10,("CompareRequest: error: %s\n", errstr));
+ DBG_DEBUG("error: %s\n", errstr);
} else if (res->count == 0) {
- DEBUG(10,("CompareRequest: doesn't matched\n"));
+ DBG_DEBUG("didn't match\n");
result = LDAP_COMPARE_FALSE;
errstr = NULL;
} else if (res->count == 1) {
- DEBUG(10,("CompareRequest: matched\n"));
+ DBG_DEBUG("matched\n");
result = LDAP_COMPARE_TRUE;
errstr = NULL;
} else if (res->count > 1) {
map_ldb_error(local_ctx, LDB_ERR_OTHER, NULL, &errstr);
errstr = talloc_asprintf(local_ctx,
"%s. Too many objects match!", errstr);
- DEBUG(10,("CompareRequest: %d results: %s\n", res->count, errstr));
+ DBG_DEBUG("%u results: %s\n", res->count, errstr);
}
}
talloc_free(local_ctx);
- ldapsrv_queue_reply(call, compare_r);
- return NT_STATUS_OK;
+ return ldapsrv_queue_reply(call, compare_r);
}
static NTSTATUS ldapsrv_AbandonRequest(struct ldapsrv_call *call)
{
-/* struct ldap_AbandonRequest *req = &call->request.r.AbandonRequest;*/
- DEBUG(10, ("AbandonRequest\n"));
+ struct ldap_AbandonRequest *req = &call->request->r.AbandonRequest;
+ struct ldapsrv_call *c = NULL;
+ struct ldapsrv_call *n = NULL;
+
+ DBG_DEBUG("abandoned\n");
+
+ for (c = call->conn->pending_calls; c != NULL; c = n) {
+ n = c->next;
+
+ if (c->request->messageid != req->messageid) {
+ continue;
+ }
+
+ DLIST_REMOVE(call->conn->pending_calls, c);
+ TALLOC_FREE(c);
+ }
+
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS ldapsrv_expired(struct ldapsrv_call *call)
+{
+ struct ldapsrv_reply *reply = NULL;
+ struct ldap_ExtendedResponse *r = NULL;
+
+ DBG_DEBUG("Sending connection expired message\n");
+
+ reply = ldapsrv_init_reply(call, LDAP_TAG_ExtendedResponse);
+ if (reply == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ /*
+ * According to RFC4511 section 4.4.1 this has a msgid of 0
+ */
+ reply->msg->messageid = 0;
+
+ r = &reply->msg->r.ExtendedResponse;
+ r->response.resultcode = LDB_ERR_UNAVAILABLE;
+ r->response.errormessage = "The server has timed out this connection";
+ r->oid = "1.3.6.1.4.1.1466.20036"; /* see rfc4511 section 4.4.1 */
+
+ ldapsrv_queue_reply(call, reply);
return NT_STATUS_OK;
}
{
unsigned int i;
struct ldap_message *msg = call->request;
+ struct ldapsrv_connection *conn = call->conn;
+ NTSTATUS status;
+ bool expired;
+
+ expired = timeval_expired(&conn->limits.expire_time);
+ if (expired) {
+ status = ldapsrv_expired(call);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ return NT_STATUS_NETWORK_SESSION_EXPIRED;
+ }
+
/* Check for undecoded critical extensions */
for (i=0; msg->controls && msg->controls[i]; i++) {
- if (!msg->controls_decoded[i] &&
+ if (!msg->controls_decoded[i] &&
msg->controls[i]->critical) {
- DEBUG(3, ("ldapsrv_do_call: Critical extension %s is not known to this server\n",
- msg->controls[i]->oid));
+ DBG_NOTICE("Critical extension %s is not known to this server\n",
+ msg->controls[i]->oid);
return ldapsrv_unwilling(call, LDAP_UNAVAILABLE_CRITICAL_EXTENSION);
}
}
+ if (call->conn->authz_logged == false) {
+ bool log = true;
+
+ /*
+ * We do not want to log anonymous access if the query
+ * is just for the rootDSE, or it is a startTLS or a
+ * Bind.
+ *
+ * A rootDSE search could also be done over
+ * CLDAP anonymously for example, so these don't
+ * really count.
+ * Essentially we want to know about
+ * access beyond that normally done prior to a
+ * bind.
+ */
+
+ switch(call->request->type) {
+ case LDAP_TAG_BindRequest:
+ case LDAP_TAG_UnbindRequest:
+ case LDAP_TAG_AbandonRequest:
+ log = false;
+ break;
+ case LDAP_TAG_ExtendedResponse: {
+ struct ldap_ExtendedRequest *req = &call->request->r.ExtendedRequest;
+ if (strcmp(req->oid, LDB_EXTENDED_START_TLS_OID) == 0) {
+ log = false;
+ }
+ break;
+ }
+ case LDAP_TAG_SearchRequest: {
+ struct ldap_SearchRequest *req = &call->request->r.SearchRequest;
+ if (req->scope == LDAP_SEARCH_SCOPE_BASE) {
+ if (req->basedn[0] == '\0') {
+ log = false;
+ }
+ }
+ break;
+ }
+ default:
+ break;
+ }
+
+ if (log) {
+ const char *transport_protection = AUTHZ_TRANSPORT_PROTECTION_NONE;
+ if (call->conn->sockets.active == call->conn->sockets.tls) {
+ transport_protection = AUTHZ_TRANSPORT_PROTECTION_TLS;
+ }
+
+ log_successful_authz_event(call->conn->connection->msg_ctx,
+ call->conn->connection->lp_ctx,
+ call->conn->connection->remote_address,
+ call->conn->connection->local_address,
+ "LDAP",
+ "no bind",
+ transport_protection,
+ call->conn->session_info,
+ NULL /* client_audit_info */,
+ NULL /* server_audit_info */);
+
+ call->conn->authz_logged = true;
+ }
+ }
+
switch(call->request->type) {
case LDAP_TAG_BindRequest:
return ldapsrv_BindRequest(call);
case LDAP_TAG_SearchRequest:
return ldapsrv_SearchRequest(call);
case LDAP_TAG_ModifyRequest:
- return ldapsrv_ModifyRequest(call);
+ status = ldapsrv_ModifyRequest(call);
+ break;
case LDAP_TAG_AddRequest:
- return ldapsrv_AddRequest(call);
+ status = ldapsrv_AddRequest(call);
+ break;
case LDAP_TAG_DelRequest:
- return ldapsrv_DelRequest(call);
+ status = ldapsrv_DelRequest(call);
+ break;
case LDAP_TAG_ModifyDNRequest:
- return ldapsrv_ModifyDNRequest(call);
+ status = ldapsrv_ModifyDNRequest(call);
+ break;
case LDAP_TAG_CompareRequest:
return ldapsrv_CompareRequest(call);
case LDAP_TAG_AbandonRequest:
return ldapsrv_AbandonRequest(call);
case LDAP_TAG_ExtendedRequest:
- return ldapsrv_ExtendedRequest(call);
+ status = ldapsrv_ExtendedRequest(call);
+ break;
default:
return ldapsrv_unwilling(call, LDAP_PROTOCOL_ERROR);
}
+
+ if (NT_STATUS_IS_OK(status)) {
+ ldapsrv_notification_retry_setup(call->conn->service, true);
+ }
+
+ return status;
}