2 Unix SMB/CIFS implementation.
6 Copyright (C) Andrew Tridgell 2005
7 Copyright (C) Volker Lendecke 2004
8 Copyright (C) Stefan Metzmacher 2004
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 2 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program; if not, write to the Free Software
22 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
26 #include "lib/events/events.h"
27 #include "auth/auth.h"
28 #include "dlinklist.h"
29 #include "libcli/util/asn_1.h"
30 #include "ldap_server/ldap_server.h"
31 #include "smbd/service_task.h"
32 #include "smbd/service_stream.h"
33 #include "smbd/service.h"
34 #include "lib/socket/socket.h"
35 #include "lib/tls/tls.h"
36 #include "lib/messaging/irpc.h"
37 #include "lib/stream/packet.h"
38 #include "lib/ldb/include/ldb.h"
39 #include "lib/ldb/include/ldb_errors.h"
40 #include "system/network.h"
41 #include "netif/netif.h"
44 close the socket and shutdown a server_context
46 static void ldapsrv_terminate_connection(struct ldapsrv_connection *conn,
50 talloc_free(conn->tls);
53 stream_terminate_connection(conn->connection, reason);
59 static void ldapsrv_error_handler(void *private, NTSTATUS status)
61 struct ldapsrv_connection *conn = talloc_get_type(private,
62 struct ldapsrv_connection);
63 ldapsrv_terminate_connection(conn, nt_errstr(status));
67 process a decoded ldap message
69 static void ldapsrv_process_message(struct ldapsrv_connection *conn,
70 struct ldap_message *msg)
72 struct ldapsrv_call *call;
75 BOOL enable_wrap = conn->enable_wrap;
77 call = talloc(conn, struct ldapsrv_call);
79 ldapsrv_terminate_connection(conn, "no memory");
83 call->request = talloc_steal(call, msg);
88 status = ldapsrv_do_call(call);
89 if (!NT_STATUS_IS_OK(status)) {
93 blob = data_blob(NULL, 0);
95 if (call->replies == NULL) {
100 /* build all the replies into a single blob */
101 while (call->replies) {
104 msg = call->replies->msg;
105 if (!ldap_encode(msg, &b, call)) {
106 DEBUG(0,("Failed to encode ldap reply of type %d\n", msg->type));
110 status = data_blob_append(call, &blob, b.data, b.length);
113 if (!NT_STATUS_IS_OK(status)) goto failed;
115 DLIST_REMOVE(call->replies, call->replies);
118 /* possibly encrypt/sign the reply */
122 status = gensec_wrap(conn->gensec, call, &blob, &wrapped);
123 if (!NT_STATUS_IS_OK(status)) {
126 data_blob_free(&blob);
127 blob = data_blob_talloc(call, NULL, wrapped.length + 4);
128 if (blob.data == NULL) {
131 RSIVAL(blob.data, 0, wrapped.length);
132 memcpy(blob.data+4, wrapped.data, wrapped.length);
133 data_blob_free(&wrapped);
136 packet_send(conn->packet, blob);
146 decode the input buffer
148 static NTSTATUS ldapsrv_decode_plain(struct ldapsrv_connection *conn, DATA_BLOB blob)
150 struct asn1_data asn1;
151 struct ldap_message *msg = talloc(conn, struct ldap_message);
154 return NT_STATUS_NO_MEMORY;
157 if (!asn1_load(&asn1, blob)) {
158 return NT_STATUS_NO_MEMORY;
161 if (!ldap_decode(&asn1, msg)) {
163 return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR);
166 data_blob_free(&blob);
167 ldapsrv_process_message(conn, msg);
174 decode/process wrapped data
176 static NTSTATUS ldapsrv_decode_wrapped(struct ldapsrv_connection *conn,
179 DATA_BLOB wrapped, unwrapped;
180 struct asn1_data asn1;
181 struct ldap_message *msg = talloc(conn, struct ldap_message);
185 return NT_STATUS_NO_MEMORY;
188 wrapped = data_blob_const(blob.data+4, blob.length-4);
190 status = gensec_unwrap(conn->gensec, msg, &wrapped, &unwrapped);
191 if (!NT_STATUS_IS_OK(status)) {
192 return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR);
195 data_blob_free(&blob);
197 if (!asn1_load(&asn1, unwrapped)) {
198 return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR);
201 while (ldap_decode(&asn1, msg)) {
202 ldapsrv_process_message(conn, msg);
203 msg = talloc(conn, struct ldap_message);
206 if (asn1.ofs < asn1.length) {
207 return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR);
219 static NTSTATUS ldapsrv_decode(void *private, DATA_BLOB blob)
221 struct ldapsrv_connection *conn = talloc_get_type(private,
222 struct ldapsrv_connection);
223 if (conn->enable_wrap) {
224 return ldapsrv_decode_wrapped(conn, blob);
226 return ldapsrv_decode_plain(conn, blob);
232 static void ldapsrv_conn_idle_timeout(struct event_context *ev,
233 struct timed_event *te,
237 struct ldapsrv_connection *conn = talloc_get_type(private, struct ldapsrv_connection);
239 ldapsrv_terminate_connection(conn, "Timeout. No requests after bind");
243 called when a LDAP socket becomes readable
245 static void ldapsrv_recv(struct stream_connection *c, uint16_t flags)
247 struct ldapsrv_connection *conn =
248 talloc_get_type(c->private, struct ldapsrv_connection);
250 if (conn->limits.ite) { /* clean initial timeout if any */
251 talloc_free(conn->limits.ite);
252 conn->limits.ite = NULL;
255 if (conn->limits.te) { /* clean idle timeout if any */
256 talloc_free(conn->limits.te);
257 conn->limits.te = NULL;
260 packet_recv(conn->packet);
262 /* set idle timeout */
263 conn->limits.te = event_add_timed(c->event.ctx, conn,
264 timeval_current_ofs(conn->limits.conn_idle_time, 0),
265 ldapsrv_conn_idle_timeout, conn);
269 check if a blob is a complete ldap packet
270 handle wrapper or unwrapped connections
272 NTSTATUS ldapsrv_complete_packet(void *private, DATA_BLOB blob, size_t *size)
274 struct ldapsrv_connection *conn = talloc_get_type(private,
275 struct ldapsrv_connection);
276 if (conn->enable_wrap) {
277 return packet_full_request_u32(private, blob, size);
279 return ldap_full_packet(private, blob, size);
283 called when a LDAP socket becomes writable
285 static void ldapsrv_send(struct stream_connection *c, uint16_t flags)
287 struct ldapsrv_connection *conn =
288 talloc_get_type(c->private, struct ldapsrv_connection);
290 packet_queue_run(conn->packet);
293 static void ldapsrv_conn_init_timeout(struct event_context *ev,
294 struct timed_event *te,
298 struct ldapsrv_connection *conn = talloc_get_type(private, struct ldapsrv_connection);
300 ldapsrv_terminate_connection(conn, "Timeout. No requests after initial connection");
303 static int ldapsrv_load_limits(struct ldapsrv_connection *conn)
306 const char *attrs[] = { "configurationNamingContext", NULL };
307 const char *attrs2[] = { "lDAPAdminLimits", NULL };
308 const char *conf_dn_s;
309 struct ldb_message_element *el;
310 struct ldb_result *res = NULL;
311 struct ldb_dn *basedn;
312 struct ldb_dn *conf_dn;
313 struct ldb_dn *policy_dn;
316 /* set defaults limits in case of failure */
317 conn->limits.initial_timeout = 120;
318 conn->limits.conn_idle_time = 900;
319 conn->limits.max_page_size = 1000;
320 conn->limits.search_timeout = 120;
323 tmp_ctx = talloc_new(conn);
324 if (tmp_ctx == NULL) {
328 basedn = ldb_dn_explode(tmp_ctx, "");
329 if (basedn == NULL) {
333 ret = ldb_search(conn->ldb, basedn, LDB_SCOPE_BASE, NULL, attrs, &res);
334 talloc_steal(tmp_ctx, res);
335 if (ret != LDB_SUCCESS || res->count != 1) {
339 conf_dn_s = ldb_msg_find_string(res->msgs[0], "configurationNamingContext", NULL);
340 if (conf_dn_s == NULL) {
343 conf_dn = ldb_dn_explode(tmp_ctx, conf_dn_s);
344 if (conf_dn == NULL) {
348 policy_dn = ldb_dn_string_compose(tmp_ctx, conf_dn, "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services");
349 if (policy_dn == NULL) {
353 ret = ldb_search(conn->ldb, policy_dn, LDB_SCOPE_BASE, NULL, attrs2, &res);
354 talloc_steal(tmp_ctx, res);
355 if (ret != LDB_SUCCESS || res->count != 1) {
359 el = ldb_msg_find_element(res->msgs[0], "lDAPAdminLimits");
364 for (i = 0; i < el->num_values; i++) {
365 char policy_name[256];
368 s = sscanf((const char *)el->values[i].data, "%255[^=]=%d", policy_name, &policy_value);
369 if (ret != 2 || policy_value == 0)
372 if (strcasecmp("InitRecvTimeout", policy_name) == 0) {
373 conn->limits.initial_timeout = policy_value;
376 if (strcasecmp("MaxConnIdleTime", policy_name) == 0) {
377 conn->limits.conn_idle_time = policy_value;
380 if (strcasecmp("MaxPageSize", policy_name) == 0) {
381 conn->limits.max_page_size = policy_value;
384 if (strcasecmp("MaxQueryDuration", policy_name) == 0) {
385 conn->limits.search_timeout = policy_value;
393 DEBUG(0, ("Failed to load ldap server query policies\n"));
394 talloc_free(tmp_ctx);
399 initialise a server_context from a open socket and register a event handler
400 for reading from that socket
402 static void ldapsrv_accept(struct stream_connection *c)
404 struct ldapsrv_service *ldapsrv_service =
405 talloc_get_type(c->private, struct ldapsrv_service);
406 struct ldapsrv_connection *conn;
407 struct cli_credentials *server_credentials;
408 struct socket_address *socket_address;
412 conn = talloc_zero(c, struct ldapsrv_connection);
414 stream_terminate_connection(c, "ldapsrv_accept: out of memory");
418 conn->enable_wrap = False;
420 conn->connection = c;
421 conn->service = ldapsrv_service;
425 socket_address = socket_get_my_addr(c->socket, conn);
426 if (!socket_address) {
427 ldapsrv_terminate_connection(conn, "ldapsrv_accept: failed to obtain local socket address!");
430 port = socket_address->port;
431 talloc_free(socket_address);
433 conn->tls = tls_init_server(ldapsrv_service->tls_params, c->socket,
434 c->event.fde, NULL, port != 389);
436 ldapsrv_terminate_connection(conn, "ldapsrv_accept: tls_init_server() failed");
440 conn->packet = packet_init(conn);
441 if (conn->packet == NULL) {
442 ldapsrv_terminate_connection(conn, "out of memory");
446 packet_set_private(conn->packet, conn);
447 packet_set_tls(conn->packet, conn->tls);
448 packet_set_callback(conn->packet, ldapsrv_decode);
449 packet_set_full_request(conn->packet, ldapsrv_complete_packet);
450 packet_set_error_handler(conn->packet, ldapsrv_error_handler);
451 packet_set_event_context(conn->packet, c->event.ctx);
452 packet_set_fde(conn->packet, c->event.fde);
453 packet_set_serialise(conn->packet);
455 /* Ensure we don't get packets until the database is ready below */
456 packet_recv_disable(conn->packet);
459 = cli_credentials_init(conn);
460 if (!server_credentials) {
461 stream_terminate_connection(c, "Failed to init server credentials\n");
465 cli_credentials_set_conf(server_credentials);
466 status = cli_credentials_set_machine_account(server_credentials);
467 if (!NT_STATUS_IS_OK(status)) {
468 stream_terminate_connection(c, talloc_asprintf(conn, "Failed to obtain server credentials, perhaps a standalone server?: %s\n", nt_errstr(status)));
471 conn->server_credentials = server_credentials;
473 /* Connections start out anonymous */
474 if (!NT_STATUS_IS_OK(auth_anonymous_session_info(conn, &conn->session_info))) {
475 ldapsrv_terminate_connection(conn, "failed to setup anonymous session info");
479 if (!NT_STATUS_IS_OK(ldapsrv_backend_Init(conn))) {
480 ldapsrv_terminate_connection(conn, "backend Init failed");
484 /* load limits from the conf partition */
485 ldapsrv_load_limits(conn); /* should we fail on error ? */
487 /* register the server */
488 irpc_add_name(c->msg_ctx, "ldap_server");
490 /* set connections limits */
491 conn->limits.ite = event_add_timed(c->event.ctx, conn,
492 timeval_current_ofs(conn->limits.initial_timeout, 0),
493 ldapsrv_conn_init_timeout, conn);
495 packet_recv_enable(conn->packet);
499 static const struct stream_server_ops ldap_stream_ops = {
501 .accept_connection = ldapsrv_accept,
502 .recv_handler = ldapsrv_recv,
503 .send_handler = ldapsrv_send,
507 add a socket address to the list of events, one event per port
509 static NTSTATUS add_socket(struct event_context *event_context,
510 const struct model_ops *model_ops,
511 const char *address, struct ldapsrv_service *ldap_service)
516 status = stream_setup_socket(event_context, model_ops, &ldap_stream_ops,
517 "ipv4", address, &port, ldap_service);
518 if (!NT_STATUS_IS_OK(status)) {
519 DEBUG(0,("ldapsrv failed to bind to %s:%u - %s\n",
520 address, port, nt_errstr(status)));
523 if (tls_support(ldap_service->tls_params)) {
524 /* add ldaps server */
526 status = stream_setup_socket(event_context, model_ops, &ldap_stream_ops,
527 "ipv4", address, &port, ldap_service);
528 if (!NT_STATUS_IS_OK(status)) {
529 DEBUG(0,("ldapsrv failed to bind to %s:%u - %s\n",
530 address, port, nt_errstr(status)));
534 /* if we are a PDC, then also enable the global catalog server port, 3268 */
535 if (lp_server_role() == ROLE_DOMAIN_PDC) {
537 status = stream_setup_socket(event_context, model_ops, &ldap_stream_ops,
538 "ipv4", address, &port, ldap_service);
539 if (!NT_STATUS_IS_OK(status)) {
540 DEBUG(0,("ldapsrv failed to bind to %s:%u - %s\n",
541 address, port, nt_errstr(status)));
549 open the ldap server sockets
551 static void ldapsrv_task_init(struct task_server *task)
553 struct ldapsrv_service *ldap_service;
556 task_server_set_title(task, "task[ldapsrv]");
558 ldap_service = talloc_zero(task, struct ldapsrv_service);
559 if (ldap_service == NULL) goto failed;
561 ldap_service->tls_params = tls_initialise(ldap_service);
562 if (ldap_service->tls_params == NULL) goto failed;
564 if (lp_interfaces() && lp_bind_interfaces_only()) {
565 int num_interfaces = iface_count();
568 /* We have been given an interfaces line, and been
569 told to only bind to those interfaces. Create a
570 socket per interface and bind to only these.
572 for(i = 0; i < num_interfaces; i++) {
573 const char *address = iface_n_ip(i);
574 status = add_socket(task->event_ctx, task->model_ops, address, ldap_service);
575 if (!NT_STATUS_IS_OK(status)) goto failed;
578 status = add_socket(task->event_ctx, task->model_ops, lp_socket_address(), ldap_service);
579 if (!NT_STATUS_IS_OK(status)) goto failed;
585 task_server_terminate(task, "Failed to startup ldap server task");
589 called on startup of the web server service It's job is to start
590 listening on all configured sockets
592 static NTSTATUS ldapsrv_init(struct event_context *event_context,
593 const struct model_ops *model_ops)
595 return task_server_startup(event_context, model_ops, ldapsrv_task_init);
599 NTSTATUS server_service_ldap_init(void)
601 return register_server_service("ldap", ldapsrv_init);