2 Unix SMB/CIFS mplementation.
3 LDAP protocol helper functions for SAMBA
5 Copyright (C) Andrew Tridgell 2004
6 Copyright (C) Volker Lendecke 2004
7 Copyright (C) Stefan Metzmacher 2004
8 Copyright (C) Simo Sorce 2004
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 2 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program; if not, write to the Free Software
22 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
27 #include "system/network.h"
28 #include "system/filesys.h"
29 #include "auth/auth.h"
31 #include "dlinklist.h"
32 #include "libcli/ldap/ldap.h"
36 /****************************************************************************
38 ****************************************************************************/
39 static BOOL timeout_until(struct timeval *timeout,
40 const struct timeval *endtime)
46 if ((now.tv_sec > endtime->tv_sec) ||
47 ((now.tv_sec == endtime->tv_sec) &&
48 (now.tv_usec > endtime->tv_usec)))
51 timeout->tv_sec = endtime->tv_sec - now.tv_sec;
52 timeout->tv_usec = endtime->tv_usec - now.tv_usec;
57 /****************************************************************************
58 Read data from the client, reading exactly N bytes, with timeout.
59 ****************************************************************************/
60 static ssize_t read_data_until(int fd,char *buffer,size_t N,
61 const struct timeval *endtime)
68 if (endtime != NULL) {
70 struct timeval timeout;
76 if (!timeout_until(&timeout, endtime))
79 res = sys_select(fd+1, &r_fds, NULL, NULL, &timeout);
84 ret = sys_read(fd,buffer + total,N - total);
87 DEBUG(10,("read_data: read of %d returned 0. Error = %s\n", (int)(N - total), strerror(errno) ));
92 DEBUG(0,("read_data: read failure for %d. Error = %s\n", (int)(N - total), strerror(errno) ));
97 return (ssize_t)total;
101 /****************************************************************************
102 Write data to a fd with timeout.
103 ****************************************************************************/
104 static ssize_t write_data_until(int fd,char *buffer,size_t N,
105 const struct timeval *endtime)
112 if (endtime != NULL) {
114 struct timeval timeout;
120 if (!timeout_until(&timeout, endtime))
123 res = sys_select(fd+1, NULL, &w_fds, NULL, &timeout);
128 ret = sys_write(fd,buffer + total,N - total);
131 DEBUG(0,("write_data: write failure. Error = %s\n", strerror(errno) ));
139 return (ssize_t)total;
144 static BOOL read_one_uint8(int sock, uint8_t *result, struct asn1_data *data,
145 const struct timeval *endtime)
147 if (read_data_until(sock, result, 1, endtime) != 1)
150 return asn1_write(data, result, 1);
153 /* Read a complete ASN sequence (ie LDAP result) from a socket */
154 static BOOL asn1_read_sequence_until(int sock, struct asn1_data *data,
155 const struct timeval *endtime)
163 if (!read_one_uint8(sock, &b, data, endtime))
167 data->has_error = True;
171 if (!read_one_uint8(sock, &b, data, endtime))
176 if (!read_one_uint8(sock, &b, data, endtime))
180 if (!read_one_uint8(sock, &b, data, endtime))
189 buf = talloc_size(NULL, len);
193 if (read_data_until(sock, buf, len, endtime) != len)
196 if (!asn1_write(data, buf, len))
208 /****************************************************************************
209 create an outgoing socket. timeout is in milliseconds.
210 **************************************************************************/
211 static int open_socket_out(int type, struct ipv4_addr *addr, int port, int timeout)
213 struct sockaddr_in sock_out;
215 int connect_loop = 250; /* 250 milliseconds */
216 int loops = (timeout) / connect_loop;
218 /* create a socket to write to */
219 res = socket(PF_INET, type, 0);
221 { DEBUG(0,("socket error\n")); return -1; }
223 if (type != SOCK_STREAM) return(res);
225 memset((char *)&sock_out,'\0',sizeof(sock_out));
226 sock_out.sin_addr.s_addr = addr->addr;
228 sock_out.sin_port = htons( port );
229 sock_out.sin_family = PF_INET;
231 /* set it non-blocking */
232 set_blocking(res,False);
234 DEBUG(3,("Connecting to %s at port %d\n", sys_inet_ntoa(*addr),port));
236 /* and connect it to the destination */
238 ret = connect(res,(struct sockaddr *)&sock_out,sizeof(sock_out));
240 /* Some systems return EAGAIN when they mean EINPROGRESS */
241 if (ret < 0 && (errno == EINPROGRESS || errno == EALREADY ||
242 errno == EAGAIN) && loops--) {
243 msleep(connect_loop);
247 if (ret < 0 && (errno == EINPROGRESS || errno == EALREADY ||
249 DEBUG(1,("timeout connecting to %s:%d\n", sys_inet_ntoa(*addr),port));
255 if (ret < 0 && errno == EISCONN) {
262 DEBUG(2,("error connecting to %s:%d (%s)\n",
263 sys_inet_ntoa(*addr),port,strerror(errno)));
268 /* set it blocking again */
269 set_blocking(res,True);
275 static struct ldap_message *new_ldap_search_message(struct ldap_connection *conn,
277 enum ldap_scope scope,
280 const char **attributes)
282 struct ldap_message *res;
284 res = new_ldap_message(conn);
289 res->type = LDAP_TAG_SearchRequest;
290 res->r.SearchRequest.basedn = base;
291 res->r.SearchRequest.scope = scope;
292 res->r.SearchRequest.deref = LDAP_DEREFERENCE_NEVER;
293 res->r.SearchRequest.timelimit = 0;
294 res->r.SearchRequest.sizelimit = 0;
295 res->r.SearchRequest.attributesonly = False;
296 res->r.SearchRequest.filter = filter;
297 res->r.SearchRequest.num_attributes = num_attributes;
298 res->r.SearchRequest.attributes = attributes;
304 static struct ldap_message *new_ldap_simple_bind_msg(struct ldap_connection *conn, const char *dn, const char *pw)
306 struct ldap_message *res;
308 res = new_ldap_message(conn);
313 res->type = LDAP_TAG_BindRequest;
314 res->r.BindRequest.version = 3;
315 res->r.BindRequest.dn = talloc_strdup(res->mem_ctx, dn);
316 res->r.BindRequest.mechanism = LDAP_AUTH_MECH_SIMPLE;
317 res->r.BindRequest.creds.password = talloc_strdup(res->mem_ctx, pw);
322 static struct ldap_message *new_ldap_sasl_bind_msg(struct ldap_connection *conn, const char *sasl_mechanism, DATA_BLOB *secblob)
324 struct ldap_message *res;
326 res = new_ldap_message(conn);
331 res->type = LDAP_TAG_BindRequest;
332 res->r.BindRequest.version = 3;
333 res->r.BindRequest.dn = "";
334 res->r.BindRequest.mechanism = LDAP_AUTH_MECH_SASL;
335 res->r.BindRequest.creds.SASL.mechanism = talloc_strdup(res->mem_ctx, sasl_mechanism);
336 res->r.BindRequest.creds.SASL.secblob = *secblob;
341 static struct ldap_connection *new_ldap_connection(TALLOC_CTX *mem_ctx)
343 struct ldap_connection *result;
345 result = talloc(mem_ctx, struct ldap_connection);
351 result->mem_ctx = result;
352 result->next_msgid = 1;
353 result->outstanding = NULL;
354 result->searchid = 0;
355 result->search_entries = NULL;
356 result->auth_dn = NULL;
357 result->simple_pw = NULL;
358 result->gensec = NULL;
363 struct ldap_connection *ldap_connect(TALLOC_CTX *mem_ctx, const char *url)
367 struct ldap_connection *conn;
370 conn = new_ldap_connection(mem_ctx);
375 ret = ldap_parse_basic_url(conn->mem_ctx, url, &conn->host,
376 &conn->port, &conn->ldaps);
382 hp = sys_gethostbyname(conn->host);
383 if (!hp || !hp->h_addr) {
388 memcpy((char *)&ip, (char *)hp->h_addr, 4);
390 conn->sock = open_socket_out(SOCK_STREAM, &ip, conn->port, LDAP_CONNECTION_TIMEOUT);
391 if (conn->sock < 0) {
399 struct ldap_message *new_ldap_message(TALLOC_CTX *mem_ctx)
401 struct ldap_message *result;
403 result = talloc(mem_ctx, struct ldap_message);
409 result->mem_ctx = result;
414 BOOL ldap_send_msg(struct ldap_connection *conn, struct ldap_message *msg,
415 const struct timeval *endtime)
419 struct ldap_queue_entry *entry;
421 msg->messageid = conn->next_msgid++;
423 if (!ldap_encode(msg, &request))
426 result = (write_data_until(conn->sock, request.data, request.length,
427 endtime) == request.length);
429 data_blob_free(&request);
434 /* abandon and unbind don't expect results */
436 if ((msg->type == LDAP_TAG_AbandonRequest) ||
437 (msg->type == LDAP_TAG_UnbindRequest))
440 entry = malloc_p(struct ldap_queue_entry);
445 entry->msgid = msg->messageid;
447 DLIST_ADD(conn->outstanding, entry);
452 BOOL ldap_receive_msg(struct ldap_connection *conn, struct ldap_message *msg,
453 const struct timeval *endtime)
455 struct asn1_data data;
458 if (!asn1_read_sequence_until(conn->sock, &data, endtime))
461 result = ldap_decode(&data, msg);
467 static struct ldap_message *recv_from_queue(struct ldap_connection *conn,
470 struct ldap_queue_entry *e;
472 for (e = conn->outstanding; e != NULL; e = e->next) {
474 if (e->msgid == msgid) {
475 struct ldap_message *result = e->msg;
476 DLIST_REMOVE(conn->outstanding, e);
485 static void add_search_entry(struct ldap_connection *conn,
486 struct ldap_message *msg)
488 struct ldap_queue_entry *e = malloc_p(struct ldap_queue_entry);
494 DLIST_ADD_END(conn->search_entries, e, struct ldap_queue_entry *);
498 static void fill_outstanding_request(struct ldap_connection *conn,
499 struct ldap_message *msg)
501 struct ldap_queue_entry *e;
503 for (e = conn->outstanding; e != NULL; e = e->next) {
504 if (e->msgid == msg->messageid) {
510 /* This reply has not been expected, destroy the incoming msg */
515 struct ldap_message *ldap_receive(struct ldap_connection *conn, int msgid,
516 const struct timeval *endtime)
518 struct ldap_message *result = recv_from_queue(conn, msgid);
524 struct asn1_data data;
527 result = new_ldap_message(conn);
529 if (!asn1_read_sequence_until(conn->sock, &data, endtime))
532 res = ldap_decode(&data, result);
538 if (result->messageid == msgid)
541 if (result->type == LDAP_TAG_SearchResultEntry) {
542 add_search_entry(conn, result);
544 fill_outstanding_request(conn, result);
551 struct ldap_message *ldap_transaction(struct ldap_connection *conn,
552 struct ldap_message *request)
554 if (!ldap_send_msg(conn, request, NULL))
557 return ldap_receive(conn, request->messageid, NULL);
560 int ldap_bind_simple(struct ldap_connection *conn, const char *userdn, const char *password)
562 struct ldap_message *response;
563 struct ldap_message *msg;
565 int result = LDAP_OTHER;
583 if (conn->simple_pw) {
584 pw = conn->simple_pw;
590 msg = new_ldap_simple_bind_msg(conn, dn, pw);
594 response = ldap_transaction(conn, msg);
600 result = response->r.BindResponse.response.resultcode;
603 talloc_free(response);
608 int ldap_bind_sasl(struct ldap_connection *conn, struct cli_credentials *creds)
611 TALLOC_CTX *mem_ctx = NULL;
612 struct ldap_message *response;
613 struct ldap_message *msg;
614 DATA_BLOB input = data_blob(NULL, 0);
615 DATA_BLOB output = data_blob(NULL, 0);
616 int result = LDAP_OTHER;
621 status = gensec_client_start(conn, &conn->gensec);
622 if (!NT_STATUS_IS_OK(status)) {
623 DEBUG(0, ("Failed to start GENSEC engine (%s)\n", nt_errstr(status)));
627 gensec_want_feature(conn->gensec, GENSEC_FEATURE_SIGN | GENSEC_FEATURE_SEAL);
629 status = gensec_set_credentials(conn->gensec, creds);
630 if (!NT_STATUS_IS_OK(status)) {
631 DEBUG(1, ("Failed to start set GENSEC creds: %s\n",
636 status = gensec_set_target_hostname(conn->gensec, conn->host);
637 if (!NT_STATUS_IS_OK(status)) {
638 DEBUG(1, ("Failed to start set GENSEC target hostname: %s\n",
643 status = gensec_set_target_service(conn->gensec, "ldap");
644 if (!NT_STATUS_IS_OK(status)) {
645 DEBUG(1, ("Failed to start set GENSEC target service: %s\n",
650 status = gensec_start_mech_by_sasl_name(conn->gensec, "GSS-SPNEGO");
651 if (!NT_STATUS_IS_OK(status)) {
652 DEBUG(1, ("Failed to start set GENSEC client SPNEGO mechanism: %s\n",
657 mem_ctx = talloc_init("ldap_bind_sasl");
661 status = gensec_update(conn->gensec, mem_ctx,
666 if (NT_STATUS_IS_OK(status) && output.length == 0) {
669 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) && !NT_STATUS_IS_OK(status)) {
673 msg = new_ldap_sasl_bind_msg(conn, "GSS-SPNEGO", &output);
677 response = ldap_transaction(conn, msg);
684 result = response->r.BindResponse.response.resultcode;
686 if (result != LDAP_SUCCESS && result != LDAP_SASL_BIND_IN_PROGRESS) {
690 if (!NT_STATUS_IS_OK(status)) {
691 status = gensec_update(conn->gensec, mem_ctx,
692 response->r.BindResponse.SASL.secblob,
698 talloc_free(response);
703 talloc_free(mem_ctx);
708 struct ldap_connection *ldap_setup_connection(TALLOC_CTX *mem_ctx, const char *url,
709 const char *userdn, const char *password)
711 struct ldap_connection *conn;
714 conn =ldap_connect(mem_ctx, url);
719 result = ldap_bind_simple(conn, userdn, password);
720 if (result != LDAP_SUCCESS) {
728 struct ldap_connection *ldap_setup_connection_with_sasl(TALLOC_CTX *mem_ctx,
730 struct cli_credentials *creds)
732 struct ldap_connection *conn;
735 conn =ldap_connect(mem_ctx, url);
740 result = ldap_bind_sasl(conn, creds);
741 if (result != LDAP_SUCCESS) {
749 BOOL ldap_abandon_message(struct ldap_connection *conn, int msgid,
750 const struct timeval *endtime)
752 struct ldap_message *msg = new_ldap_message(conn);
758 msg->type = LDAP_TAG_AbandonRequest;
759 msg->r.AbandonRequest.messageid = msgid;
761 result = ldap_send_msg(conn, msg, endtime);
766 BOOL ldap_setsearchent(struct ldap_connection *conn, struct ldap_message *msg,
767 const struct timeval *endtime)
769 if ((conn->searchid != 0) &&
770 (!ldap_abandon_message(conn, conn->searchid, endtime)))
773 conn->searchid = conn->next_msgid;
774 return ldap_send_msg(conn, msg, endtime);
777 struct ldap_message *ldap_getsearchent(struct ldap_connection *conn,
778 const struct timeval *endtime)
780 struct ldap_message *result;
782 if (conn->search_entries != NULL) {
783 struct ldap_queue_entry *e = conn->search_entries;
786 DLIST_REMOVE(conn->search_entries, e);
791 result = ldap_receive(conn, conn->searchid, endtime);
796 if (result->type == LDAP_TAG_SearchResultEntry)
799 if (result->type == LDAP_TAG_SearchResultDone) {
800 /* TODO: Handle Paged Results */
805 /* TODO: Handle Search References here */
809 void ldap_endsearchent(struct ldap_connection *conn,
810 const struct timeval *endtime)
812 struct ldap_queue_entry *e;
814 e = conn->search_entries;
817 struct ldap_queue_entry *next = e->next;
818 DLIST_REMOVE(conn->search_entries, e);
824 struct ldap_message *ldap_searchone(struct ldap_connection *conn,
825 struct ldap_message *msg,
826 const struct timeval *endtime)
828 struct ldap_message *res1, *res2 = NULL;
829 if (!ldap_setsearchent(conn, msg, endtime))
832 res1 = ldap_getsearchent(conn, endtime);
835 res2 = ldap_getsearchent(conn, endtime);
837 ldap_endsearchent(conn, endtime);
843 /* More than one entry */
852 BOOL ldap_find_single_value(struct ldap_message *msg, const char *attr,
856 struct ldap_SearchResEntry *r = &msg->r.SearchResultEntry;
858 if (msg->type != LDAP_TAG_SearchResultEntry)
861 for (i=0; i<r->num_attributes; i++) {
862 if (strequal(attr, r->attributes[i].name)) {
863 if (r->attributes[i].num_values != 1)
866 *value = r->attributes[i].values[0];
873 BOOL ldap_find_single_string(struct ldap_message *msg, const char *attr,
874 TALLOC_CTX *mem_ctx, char **value)
878 if (!ldap_find_single_value(msg, attr, &blob))
881 *value = talloc_size(mem_ctx, blob.length+1);
886 memcpy(*value, blob.data, blob.length);
887 (*value)[blob.length] = '\0';
891 BOOL ldap_find_single_int(struct ldap_message *msg, const char *attr,
899 if (!ldap_find_single_value(msg, attr, &blob))
902 val = malloc(blob.length+1);
906 memcpy(val, blob.data, blob.length);
907 val[blob.length] = '\0';
912 *value = strtol(val, NULL, 10);
922 int ldap_error(struct ldap_connection *conn)
927 NTSTATUS ldap2nterror(int ldaperror)
git.samba.org / bbaumbach / samba-autobuild / .git / blob