r15356: Remove unused 'flags' argument from socket_send() and friends.
[bbaumbach/samba-autobuild/.git] / source4 / ldap_server / ldap_bind.c
1 /* 
2    Unix SMB/CIFS implementation.
3    LDAP server
4    Copyright (C) Stefan Metzmacher 2004
5    
6    This program is free software; you can redistribute it and/or modify
7    it under the terms of the GNU General Public License as published by
8    the Free Software Foundation; either version 2 of the License, or
9    (at your option) any later version.
10    
11    This program is distributed in the hope that it will be useful,
12    but WITHOUT ANY WARRANTY; without even the implied warranty of
13    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14    GNU General Public License for more details.
15    
16    You should have received a copy of the GNU General Public License
17    along with this program; if not, write to the Free Software
18    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
19 */
20
21 #include "includes.h"
22 #include "ldap_server/ldap_server.h"
23 #include "auth/auth.h"
24 #include "libcli/ldap/ldap.h"
25 #include "smbd/service_stream.h"
26 #include "lib/ldb/include/ldb.h"
27 #include "lib/ldb/include/ldb_errors.h"
28 #include "dsdb/samdb/samdb.h"
29
30 static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call)
31 {
32         struct ldap_BindRequest *req = &call->request->r.BindRequest;
33         struct ldapsrv_reply *reply;
34         struct ldap_BindResponse *resp;
35
36         int result;
37         const char *errstr;
38         const char *nt4_domain, *nt4_account;
39
40         struct auth_session_info *session_info;
41
42         NTSTATUS status;
43
44         DEBUG(10, ("BindSimple dn: %s\n",req->dn));
45
46         status = crack_dn_to_nt4_name(call, req->dn, &nt4_domain, &nt4_account);
47         if (NT_STATUS_IS_OK(status)) {
48                 status = authenticate_username_pw(call, nt4_domain, nt4_account, 
49                                                   req->creds.password, &session_info);
50         }
51
52         reply = ldapsrv_init_reply(call, LDAP_TAG_BindResponse);
53         if (!reply) {
54                 return NT_STATUS_NO_MEMORY;
55         }
56
57         if (NT_STATUS_IS_OK(status)) {
58                 result = LDAP_SUCCESS;
59                 errstr = NULL;
60
61                 talloc_free(call->conn->session_info);
62                 call->conn->session_info = session_info;
63
64                 /* don't leak the old LDB */
65                 talloc_free(call->conn->ldb);
66
67                 status = ldapsrv_backend_Init(call->conn);              
68                 
69                 if (!NT_STATUS_IS_OK(status)) {
70                         result = LDAP_OPERATIONS_ERROR;
71                         errstr = talloc_asprintf(reply, "Simple Bind: Failed to advise ldb new credentials: %s", nt_errstr(status));
72                 }
73         } else {
74                 status = auth_nt_status_squash(status);
75
76                 result = LDAP_INVALID_CREDENTIALS;
77                 errstr = talloc_asprintf(reply, "Simple Bind Failed: %s", nt_errstr(status));
78         }
79
80         resp = &reply->msg->r.BindResponse;
81         resp->response.resultcode = result;
82         resp->response.errormessage = errstr;
83         resp->response.dn = NULL;
84         resp->response.referral = NULL;
85         resp->SASL.secblob = NULL;
86
87         ldapsrv_queue_reply(call, reply);
88         return NT_STATUS_OK;
89 }
90
91 static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call)
92 {
93         struct ldap_BindRequest *req = &call->request->r.BindRequest;
94         struct ldapsrv_reply *reply;
95         struct ldap_BindResponse *resp;
96         struct ldapsrv_connection *conn;
97         int result = 0;
98         const char *errstr;
99         NTSTATUS status = NT_STATUS_OK;
100
101         DEBUG(10, ("BindSASL dn: %s\n",req->dn));
102
103         reply = ldapsrv_init_reply(call, LDAP_TAG_BindResponse);
104         if (!reply) {
105                 return NT_STATUS_NO_MEMORY;
106         }
107         resp = &reply->msg->r.BindResponse;
108         
109         conn = call->conn;
110
111         if (!conn->gensec) {
112                 conn->session_info = NULL;
113
114                 status = gensec_server_start(conn, &conn->gensec,
115                                              conn->connection->event.ctx);
116                 if (!NT_STATUS_IS_OK(status)) {
117                         DEBUG(1, ("Failed to start GENSEC server code: %s\n", nt_errstr(status)));
118                         result = LDAP_OPERATIONS_ERROR;
119                         errstr = talloc_asprintf(reply, "SASL: Failed to start authentication system: %s", 
120                                                  nt_errstr(status));
121                 } else {
122                 
123                         gensec_set_target_service(conn->gensec, "ldap");
124                         
125                         gensec_set_credentials(conn->gensec, conn->server_credentials);
126                         
127                         gensec_want_feature(conn->gensec, GENSEC_FEATURE_SIGN);
128                         gensec_want_feature(conn->gensec, GENSEC_FEATURE_SEAL);
129                         gensec_want_feature(conn->gensec, GENSEC_FEATURE_ASYNC_REPLIES);
130                         
131                         status = gensec_start_mech_by_sasl_name(conn->gensec, req->creds.SASL.mechanism);
132                         
133                         if (!NT_STATUS_IS_OK(status)) {
134                                 DEBUG(1, ("Failed to start GENSEC SASL[%s] server code: %s\n", 
135                                           req->creds.SASL.mechanism, nt_errstr(status)));
136                                 result = LDAP_OPERATIONS_ERROR;
137                                 errstr = talloc_asprintf(reply, "SASL:[%s]: Failed to start authentication backend: %s", 
138                                                          req->creds.SASL.mechanism, nt_errstr(status));
139                         }
140                 }
141         }
142
143         if (NT_STATUS_IS_OK(status)) {
144                 DATA_BLOB input = data_blob(NULL, 0);
145                 DATA_BLOB output = data_blob(NULL, 0);
146
147                 if (req->creds.SASL.secblob) {
148                         input = *req->creds.SASL.secblob;
149                 }
150
151                 resp->SASL.secblob = talloc(reply, DATA_BLOB);
152                 NT_STATUS_HAVE_NO_MEMORY(resp->SASL.secblob);
153
154                 status = gensec_update(conn->gensec, reply,
155                                        input, &output);
156
157                 /* TODO: gensec should really handle the difference between NULL and length=0 better! */
158                 if (output.data) {
159                         resp->SASL.secblob = talloc(reply, DATA_BLOB);
160                         NT_STATUS_HAVE_NO_MEMORY(resp->SASL.secblob);
161                         *resp->SASL.secblob = output;
162                 } else {
163                         resp->SASL.secblob = NULL;
164                 }
165         } else {
166                 resp->SASL.secblob = NULL;
167         }
168
169         if (NT_STATUS_EQUAL(NT_STATUS_MORE_PROCESSING_REQUIRED, status)) {
170                 result = LDAP_SASL_BIND_IN_PROGRESS;
171                 errstr = NULL;
172         } else if (NT_STATUS_IS_OK(status)) {
173                 struct auth_session_info *old_session_info;
174
175                 result = LDAP_SUCCESS;
176                 errstr = NULL;
177                 if (gensec_have_feature(conn->gensec, GENSEC_FEATURE_SEAL) ||
178                     gensec_have_feature(conn->gensec, GENSEC_FEATURE_SIGN)) {
179                         conn->enable_wrap = True;
180                 }
181                 old_session_info = conn->session_info;
182                 conn->session_info = NULL;
183                 status = gensec_session_info(conn->gensec, &conn->session_info);
184                 if (!NT_STATUS_IS_OK(status)) {
185                         conn->session_info = old_session_info;
186                         result = LDAP_OPERATIONS_ERROR;
187                         errstr = talloc_asprintf(reply, "SASL:[%s]: Failed to get session info: %s", req->creds.SASL.mechanism, nt_errstr(status));
188                 } else {
189                         talloc_free(old_session_info);
190
191                         /* don't leak the old LDB */
192                         talloc_free(conn->ldb);
193
194                         status = ldapsrv_backend_Init(conn);            
195                         
196                         if (!NT_STATUS_IS_OK(status)) {
197                                 result = LDAP_OPERATIONS_ERROR;
198                                 errstr = talloc_asprintf(reply, "SASL:[%s]: Failed to advise samdb of new credentials: %s", req->creds.SASL.mechanism, nt_errstr(status));
199                         }
200                 }
201         } else {
202                 status = auth_nt_status_squash(status);
203                 if (result == 0) {
204                         result = LDAP_INVALID_CREDENTIALS;
205                         errstr = talloc_asprintf(reply, "SASL:[%s]: %s", req->creds.SASL.mechanism, nt_errstr(status));
206                 }
207         }
208
209         resp->response.resultcode = result;
210         resp->response.dn = NULL;
211         resp->response.errormessage = errstr;
212         resp->response.referral = NULL;
213
214         ldapsrv_queue_reply(call, reply);
215         return NT_STATUS_OK;
216 }
217
218 NTSTATUS ldapsrv_BindRequest(struct ldapsrv_call *call)
219 {
220         struct ldap_BindRequest *req = &call->request->r.BindRequest;
221         struct ldapsrv_reply *reply;
222         struct ldap_BindResponse *resp;
223
224         switch (req->mechanism) {
225                 case LDAP_AUTH_MECH_SIMPLE:
226                         return ldapsrv_BindSimple(call);
227                 case LDAP_AUTH_MECH_SASL:
228                         return ldapsrv_BindSASL(call);
229         }
230
231         reply = ldapsrv_init_reply(call, LDAP_TAG_BindResponse);
232         if (!reply) {
233                 return NT_STATUS_NO_MEMORY;
234         }
235
236         resp = &reply->msg->r.BindResponse;
237         resp->response.resultcode = 7;
238         resp->response.dn = NULL;
239         resp->response.errormessage = talloc_asprintf(reply, "Bad AuthenticationChoice [%d]", req->mechanism);
240         resp->response.referral = NULL;
241         resp->SASL.secblob = NULL;
242
243         ldapsrv_queue_reply(call, reply);
244         return NT_STATUS_OK;
245 }
246
247 NTSTATUS ldapsrv_UnbindRequest(struct ldapsrv_call *call)
248 {
249         DEBUG(10, ("UnbindRequest\n"));
250         return NT_STATUS_OK;
251 }