#include "lib/events/events.h"
#include "auth/auth.h"
#include "dlinklist.h"
-#include "asn_1.h"
+#include "libcli/util/asn_1.h"
#include "ldap_server/ldap_server.h"
#include "smbd/service_task.h"
#include "smbd/service_stream.h"
+#include "smbd/service.h"
#include "lib/socket/socket.h"
#include "lib/tls/tls.h"
+#include "lib/messaging/irpc.h"
+#include "lib/stream/packet.h"
+#include "lib/ldb/include/ldb.h"
+#include "lib/ldb/include/ldb_errors.h"
+#include "system/network.h"
+#include "netif/netif.h"
/*
close the socket and shutdown a server_context
*/
-static void ldapsrv_terminate_connection(struct ldapsrv_connection *ldap_conn, const char *reason)
+static void ldapsrv_terminate_connection(struct ldapsrv_connection *conn,
+ const char *reason)
{
- talloc_free(ldap_conn->tls);
- ldap_conn->tls = NULL;
- stream_terminate_connection(ldap_conn->connection, reason);
+ if (conn->tls) {
+ talloc_free(conn->tls);
+ conn->tls = NULL;
+ }
+ stream_terminate_connection(conn->connection, reason);
}
-/* This rw-buf api is made to avoid memcpy. For now do that like mad... The
- idea is to write into a circular list of buffers where the ideal case is
- that a read(2) holds a complete request that is then thrown away
- completely. */
-
-void ldapsrv_consumed_from_buf(struct rw_buffer *buf,
- size_t length)
+/*
+ handle packet errors
+*/
+static void ldapsrv_error_handler(void *private, NTSTATUS status)
{
- memmove(buf->data, buf->data+length, buf->length-length);
- buf->length -= length;
+ struct ldapsrv_connection *conn = talloc_get_type(private,
+ struct ldapsrv_connection);
+ ldapsrv_terminate_connection(conn, nt_errstr(status));
}
-static void peek_into_read_buf(struct rw_buffer *buf, uint8_t **out,
- size_t *out_length)
+/*
+ process a decoded ldap message
+*/
+static void ldapsrv_process_message(struct ldapsrv_connection *conn,
+ struct ldap_message *msg)
{
- *out = buf->data;
- *out_length = buf->length;
-}
+ struct ldapsrv_call *call;
+ NTSTATUS status;
+ DATA_BLOB blob;
+ BOOL enable_wrap = conn->enable_wrap;
-BOOL ldapsrv_append_to_buf(struct rw_buffer *buf, uint8_t *data, size_t length)
-{
- buf->data = realloc(buf->data, buf->length+length);
+ call = talloc(conn, struct ldapsrv_call);
+ if (!call) {
+ ldapsrv_terminate_connection(conn, "no memory");
+ return;
+ }
+
+ call->request = talloc_steal(call, msg);
+ call->conn = conn;
+ call->replies = NULL;
- if (buf->data == NULL)
- return False;
+ /* make the call */
+ status = ldapsrv_do_call(call);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto failed;
+ }
+
+ blob = data_blob(NULL, 0);
- memcpy(buf->data+buf->length, data, length);
+ if (call->replies == NULL) {
+ talloc_free(call);
+ return;
+ }
- buf->length += length;
+ /* build all the replies into a single blob */
+ while (call->replies) {
+ DATA_BLOB b;
- return True;
-}
+ msg = call->replies->msg;
+ if (!ldap_encode(msg, &b, call)) {
+ DEBUG(0,("Failed to encode ldap reply of type %d\n", msg->type));
+ goto failed;
+ }
-static BOOL read_into_buf(struct ldapsrv_connection *conn, struct rw_buffer *buf)
-{
- NTSTATUS status;
- DATA_BLOB tmp_blob;
- BOOL ret;
- size_t nread;
+ status = data_blob_append(call, &blob, b.data, b.length);
+ data_blob_free(&b);
- tmp_blob = data_blob_talloc(conn, NULL, 1024);
- if (tmp_blob.data == NULL) {
- return False;
- }
+ if (!NT_STATUS_IS_OK(status)) goto failed;
- status = tls_socket_recv(conn->tls, tmp_blob.data, tmp_blob.length, &nread);
- if (NT_STATUS_IS_OK(status) && nread == 0) {
- return False;
- }
- if (NT_STATUS_IS_ERR(status)) {
- DEBUG(10,("socket_recv: %s\n",nt_errstr(status)));
- talloc_free(tmp_blob.data);
- return False;
- }
- if (!NT_STATUS_IS_OK(status)) {
- talloc_free(tmp_blob.data);
- return True;
+ DLIST_REMOVE(call->replies, call->replies);
}
- tmp_blob.length = nread;
+ /* possibly encrypt/sign the reply */
+ if (enable_wrap) {
+ DATA_BLOB wrapped;
- ret = ldapsrv_append_to_buf(buf, tmp_blob.data, tmp_blob.length);
+ status = gensec_wrap(conn->gensec, call, &blob, &wrapped);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto failed;
+ }
+ data_blob_free(&blob);
+ blob = data_blob_talloc(call, NULL, wrapped.length + 4);
+ if (blob.data == NULL) {
+ goto failed;
+ }
+ RSIVAL(blob.data, 0, wrapped.length);
+ memcpy(blob.data+4, wrapped.data, wrapped.length);
+ data_blob_free(&wrapped);
+ }
- talloc_free(tmp_blob.data);
+ packet_send(conn->packet, blob);
+ talloc_free(call);
+ return;
- return ret;
+failed:
+ talloc_free(call);
}
-static BOOL ldapsrv_read_buf(struct ldapsrv_connection *conn)
+
+/*
+ decode the input buffer
+*/
+static NTSTATUS ldapsrv_decode_plain(struct ldapsrv_connection *conn, DATA_BLOB blob)
{
- NTSTATUS status;
- DATA_BLOB tmp_blob;
- DATA_BLOB wrapped;
- DATA_BLOB unwrapped;
- BOOL ret;
- uint8_t *buf;
- size_t buf_length, sasl_length;
- TALLOC_CTX *mem_ctx;
- size_t nread;
+ struct asn1_data asn1;
+ struct ldap_message *msg = talloc(conn, struct ldap_message);
- if (!conn->gensec || !conn->session_info ||
- !(gensec_have_feature(conn->gensec, GENSEC_FEATURE_SIGN) ||
- gensec_have_feature(conn->gensec, GENSEC_FEATURE_SEAL))) {
- return read_into_buf(conn, &conn->in_buffer);
+ if (msg == NULL) {
+ return NT_STATUS_NO_MEMORY;
}
- mem_ctx = talloc_new(conn);
- if (!mem_ctx) {
- DEBUG(0,("no memory\n"));
- return False;
+ if (!asn1_load(&asn1, blob)) {
+ return NT_STATUS_NO_MEMORY;
}
- tmp_blob = data_blob_talloc(mem_ctx, NULL, 1024);
- if (tmp_blob.data == NULL) {
- talloc_free(mem_ctx);
- return False;
+ if (!ldap_decode(&asn1, msg)) {
+ asn1_free(&asn1);
+ return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR);
}
- status = tls_socket_recv(conn->tls, tmp_blob.data, tmp_blob.length, &nread);
- if (NT_STATUS_IS_OK(status) && nread == 0) {
- talloc_free(conn->tls);
- return False;
- }
- if (NT_STATUS_IS_ERR(status)) {
- DEBUG(10,("socket_recv: %s\n",nt_errstr(status)));
- talloc_free(mem_ctx);
- return False;
+ data_blob_free(&blob);
+ ldapsrv_process_message(conn, msg);
+ asn1_free(&asn1);
+ return NT_STATUS_OK;
+}
+
+
+/*
+ decode/process wrapped data
+*/
+static NTSTATUS ldapsrv_decode_wrapped(struct ldapsrv_connection *conn,
+ DATA_BLOB blob)
+{
+ DATA_BLOB wrapped, unwrapped;
+ struct asn1_data asn1;
+ struct ldap_message *msg = talloc(conn, struct ldap_message);
+ NTSTATUS status;
+
+ if (msg == NULL) {
+ return NT_STATUS_NO_MEMORY;
}
+
+ wrapped = data_blob_const(blob.data+4, blob.length-4);
+
+ status = gensec_unwrap(conn->gensec, msg, &wrapped, &unwrapped);
if (!NT_STATUS_IS_OK(status)) {
- talloc_free(mem_ctx);
- return True;
+ return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR);
}
- tmp_blob.length = nread;
- ret = ldapsrv_append_to_buf(&conn->sasl_in_buffer, tmp_blob.data, tmp_blob.length);
- if (!ret) {
- talloc_free(mem_ctx);
- return False;
+ data_blob_free(&blob);
+
+ if (!asn1_load(&asn1, unwrapped)) {
+ return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR);
}
- peek_into_read_buf(&conn->sasl_in_buffer, &buf, &buf_length);
+ while (ldap_decode(&asn1, msg)) {
+ ldapsrv_process_message(conn, msg);
+ msg = talloc(conn, struct ldap_message);
+ }
- if (buf_length < 4) {
- /* not enough yet */
- talloc_free(mem_ctx);
- return True;
+ if (asn1.ofs < asn1.length) {
+ return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR);
}
+
+ talloc_free(msg);
+ asn1_free(&asn1);
- sasl_length = RIVAL(buf, 0);
+ return NT_STATUS_OK;
+}
- if ((buf_length - 4) < sasl_length) {
- /* not enough yet */
- talloc_free(mem_ctx);
- return True;
+/*
+ decode/process data
+*/
+static NTSTATUS ldapsrv_decode(void *private, DATA_BLOB blob)
+{
+ struct ldapsrv_connection *conn = talloc_get_type(private,
+ struct ldapsrv_connection);
+ if (conn->enable_wrap) {
+ return ldapsrv_decode_wrapped(conn, blob);
}
+ return ldapsrv_decode_plain(conn, blob);
+}
- wrapped.data = buf + 4;
- wrapped.length = sasl_length;
+/*
+ Idle timeout handler
+*/
+static void ldapsrv_conn_idle_timeout(struct event_context *ev,
+ struct timed_event *te,
+ struct timeval t,
+ void *private)
+{
+ struct ldapsrv_connection *conn = talloc_get_type(private, struct ldapsrv_connection);
- status = gensec_unwrap(conn->gensec, mem_ctx,
- &wrapped,
- &unwrapped);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0,("gensec_unwrap: %s\n",nt_errstr(status)));
- talloc_free(mem_ctx);
- return False;
+ ldapsrv_terminate_connection(conn, "Timeout. No requests after bind");
+}
+
+/*
+ called when a LDAP socket becomes readable
+*/
+static void ldapsrv_recv(struct stream_connection *c, uint16_t flags)
+{
+ struct ldapsrv_connection *conn =
+ talloc_get_type(c->private, struct ldapsrv_connection);
+
+ if (conn->limits.ite) { /* clean initial timeout if any */
+ talloc_free(conn->limits.ite);
+ conn->limits.ite = NULL;
}
- ret = ldapsrv_append_to_buf(&conn->in_buffer, unwrapped.data, unwrapped.length);
- if (!ret) {
- talloc_free(mem_ctx);
- return False;
+ if (conn->limits.te) { /* clean idle timeout if any */
+ talloc_free(conn->limits.te);
+ conn->limits.te = NULL;
}
- ldapsrv_consumed_from_buf(&conn->sasl_in_buffer, 4 + sasl_length);
+ packet_recv(conn->packet);
- talloc_free(mem_ctx);
- return ret;
+ /* set idle timeout */
+ conn->limits.te = event_add_timed(c->event.ctx, conn,
+ timeval_current_ofs(conn->limits.conn_idle_time, 0),
+ ldapsrv_conn_idle_timeout, conn);
}
-static BOOL write_from_buf(struct ldapsrv_connection *conn, struct rw_buffer *buf)
+/*
+ check if a blob is a complete ldap packet
+ handle wrapper or unwrapped connections
+*/
+NTSTATUS ldapsrv_complete_packet(void *private, DATA_BLOB blob, size_t *size)
{
- NTSTATUS status;
- DATA_BLOB tmp_blob;
- size_t sendlen;
-
- tmp_blob.data = buf->data;
- tmp_blob.length = buf->length;
-
- status = tls_socket_send(conn->tls, &tmp_blob, &sendlen);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(10,("socket_send() %s\n",nt_errstr(status)));
- return False;
+ struct ldapsrv_connection *conn = talloc_get_type(private,
+ struct ldapsrv_connection);
+ if (conn->enable_wrap) {
+ return packet_full_request_u32(private, blob, size);
}
+ return ldap_full_packet(private, blob, size);
+}
+
+/*
+ called when a LDAP socket becomes writable
+*/
+static void ldapsrv_send(struct stream_connection *c, uint16_t flags)
+{
+ struct ldapsrv_connection *conn =
+ talloc_get_type(c->private, struct ldapsrv_connection);
+
+ packet_queue_run(conn->packet);
+}
- ldapsrv_consumed_from_buf(buf, sendlen);
+static void ldapsrv_conn_init_timeout(struct event_context *ev,
+ struct timed_event *te,
+ struct timeval t,
+ void *private)
+{
+ struct ldapsrv_connection *conn = talloc_get_type(private, struct ldapsrv_connection);
- return True;
+ ldapsrv_terminate_connection(conn, "Timeout. No requests after initial connection");
}
-static BOOL ldapsrv_write_buf(struct ldapsrv_connection *conn)
+static int ldapsrv_load_limits(struct ldapsrv_connection *conn)
{
- NTSTATUS status;
- DATA_BLOB wrapped;
- DATA_BLOB tmp_blob;
- DATA_BLOB sasl;
- size_t sendlen;
- BOOL ret;
- TALLOC_CTX *mem_ctx;
+ TALLOC_CTX *tmp_ctx;
+ const char *attrs[] = { "configurationNamingContext", NULL };
+ const char *attrs2[] = { "lDAPAdminLimits", NULL };
+ const char *conf_dn_s;
+ struct ldb_message_element *el;
+ struct ldb_result *res = NULL;
+ struct ldb_dn *basedn;
+ struct ldb_dn *conf_dn;
+ struct ldb_dn *policy_dn;
+ int i,ret;
+ /* set defaults limits in case of failure */
+ conn->limits.initial_timeout = 120;
+ conn->limits.conn_idle_time = 900;
+ conn->limits.max_page_size = 1000;
+ conn->limits.search_timeout = 120;
- if (!conn->gensec) {
- return write_from_buf(conn, &conn->out_buffer);
- }
- if (!conn->session_info) {
- return write_from_buf(conn, &conn->out_buffer);
- }
- if (conn->sasl_out_buffer.length == 0 &&
- !(gensec_have_feature(conn->gensec, GENSEC_FEATURE_SIGN) ||
- gensec_have_feature(conn->gensec, GENSEC_FEATURE_SEAL))) {
- return write_from_buf(conn, &conn->out_buffer);
- }
- mem_ctx = talloc_new(conn);
- if (!mem_ctx) {
- DEBUG(0,("no memory\n"));
- return False;
+ tmp_ctx = talloc_new(conn);
+ if (tmp_ctx == NULL) {
+ return -1;
}
- if (conn->out_buffer.length == 0) {
- goto nodata;
+ basedn = ldb_dn_explode(tmp_ctx, "");
+ if (basedn == NULL) {
+ goto failed;
}
- tmp_blob.data = conn->out_buffer.data;
- tmp_blob.length = conn->out_buffer.length;
- status = gensec_wrap(conn->gensec, mem_ctx,
- &tmp_blob,
- &wrapped);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0,("gensec_wrap: %s\n",nt_errstr(status)));
- talloc_free(mem_ctx);
- return False;
+ ret = ldb_search(conn->ldb, basedn, LDB_SCOPE_BASE, NULL, attrs, &res);
+ talloc_steal(tmp_ctx, res);
+ if (ret != LDB_SUCCESS || res->count != 1) {
+ goto failed;
}
- sasl = data_blob_talloc(mem_ctx, NULL, 4 + wrapped.length);
- if (!sasl.data) {
- DEBUG(0,("no memory\n"));
- talloc_free(mem_ctx);
- return False;
+ conf_dn_s = ldb_msg_find_string(res->msgs[0], "configurationNamingContext", NULL);
+ if (conf_dn_s == NULL) {
+ goto failed;
}
-
- RSIVAL(sasl.data, 0, wrapped.length);
- memcpy(sasl.data + 4, wrapped.data, wrapped.length);
-
- ret = ldapsrv_append_to_buf(&conn->sasl_out_buffer, sasl.data, sasl.length);
- if (!ret) {
- talloc_free(mem_ctx);
- return False;
+ conf_dn = ldb_dn_explode(tmp_ctx, conf_dn_s);
+ if (conf_dn == NULL) {
+ goto failed;
}
- ldapsrv_consumed_from_buf(&conn->out_buffer, conn->out_buffer.length);
-nodata:
- tmp_blob.data = conn->sasl_out_buffer.data;
- tmp_blob.length = conn->sasl_out_buffer.length;
- status = tls_socket_send(conn->tls, &tmp_blob, &sendlen);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(10,("socket_send() %s\n",nt_errstr(status)));
- talloc_free(mem_ctx);
- return False;
+ policy_dn = ldb_dn_string_compose(tmp_ctx, conf_dn, "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services");
+ if (policy_dn == NULL) {
+ goto failed;
}
- ldapsrv_consumed_from_buf(&conn->sasl_out_buffer, sendlen);
-
- talloc_free(mem_ctx);
-
- return True;
-}
-
-static BOOL ldap_encode_to_buf(struct ldap_message *msg, struct rw_buffer *buf)
-{
- DATA_BLOB blob;
- BOOL res;
-
- if (!ldap_encode(msg, &blob))
- return False;
+ ret = ldb_search(conn->ldb, policy_dn, LDB_SCOPE_BASE, NULL, attrs2, &res);
+ talloc_steal(tmp_ctx, res);
+ if (ret != LDB_SUCCESS || res->count != 1) {
+ goto failed;
+ }
- res = ldapsrv_append_to_buf(buf, blob.data, blob.length);
+ el = ldb_msg_find_element(res->msgs[0], "lDAPAdminLimits");
+ if (el == NULL) {
+ goto failed;
+ }
- data_blob_free(&blob);
- return res;
-}
+ for (i = 0; i < el->num_values; i++) {
+ char policy_name[256];
+ int policy_value, s;
-NTSTATUS ldapsrv_do_responses(struct ldapsrv_connection *conn)
-{
- struct ldapsrv_call *call, *next_call = NULL;
- struct ldapsrv_reply *reply, *next_reply = NULL;
-
- for (call=conn->calls; call; call=next_call) {
- for (reply=call->replies; reply; reply=next_reply) {
- if (!ldap_encode_to_buf(reply->msg, &conn->out_buffer)) {
- return NT_STATUS_FOOBAR;
- }
- next_reply = reply->next;
- DLIST_REMOVE(call->replies, reply);
- reply->state = LDAPSRV_REPLY_STATE_SEND;
- talloc_free(reply);
+ s = sscanf((const char *)el->values[i].data, "%255[^=]=%d", policy_name, &policy_value);
+ if (ret != 2 || policy_value == 0)
+ continue;
+
+ if (strcasecmp("InitRecvTimeout", policy_name) == 0) {
+ conn->limits.initial_timeout = policy_value;
+ continue;
+ }
+ if (strcasecmp("MaxConnIdleTime", policy_name) == 0) {
+ conn->limits.conn_idle_time = policy_value;
+ continue;
+ }
+ if (strcasecmp("MaxPageSize", policy_name) == 0) {
+ conn->limits.max_page_size = policy_value;
+ continue;
+ }
+ if (strcasecmp("MaxQueryDuration", policy_name) == 0) {
+ conn->limits.search_timeout = policy_value;
+ continue;
}
- next_call = call->next;
- DLIST_REMOVE(conn->calls, call);
- call->state = LDAPSRV_CALL_STATE_COMPLETE;
- talloc_free(call);
}
- return NT_STATUS_OK;
-}
+ return 0;
-NTSTATUS ldapsrv_flush_responses(struct ldapsrv_connection *conn)
-{
- return NT_STATUS_OK;
+failed:
+ DEBUG(0, ("Failed to load ldap server query policies\n"));
+ talloc_free(tmp_ctx);
+ return -1;
}
/*
- called when a LDAP socket becomes readable
+ initialise a server_context from a open socket and register a event handler
+ for reading from that socket
*/
-static void ldapsrv_recv(struct stream_connection *conn, uint16_t flags)
+static void ldapsrv_accept(struct stream_connection *c)
{
- struct ldapsrv_connection *ldap_conn = talloc_get_type(conn->private, struct ldapsrv_connection);
- uint8_t *buf;
- size_t buf_length;
- struct ldapsrv_call *call;
+ struct ldapsrv_service *ldapsrv_service =
+ talloc_get_type(c->private, struct ldapsrv_service);
+ struct ldapsrv_connection *conn;
+ struct cli_credentials *server_credentials;
+ struct socket_address *socket_address;
NTSTATUS status;
+ int port;
- if (!ldapsrv_read_buf(ldap_conn)) {
- ldapsrv_terminate_connection(ldap_conn, "ldapsrv_read_buf() failed");
+ conn = talloc_zero(c, struct ldapsrv_connection);
+ if (!conn) {
+ stream_terminate_connection(c, "ldapsrv_accept: out of memory");
return;
}
- peek_into_read_buf(&ldap_conn->in_buffer, &buf, &buf_length);
-
- while (buf_length > 0) {
- DATA_BLOB blob;
- struct asn1_data data;
- struct ldap_message *msg = talloc(conn, struct ldap_message);
-
- blob.data = buf;
- blob.length = buf_length;
+ conn->enable_wrap = False;
+ conn->packet = NULL;
+ conn->connection = c;
+ conn->service = ldapsrv_service;
- if (!asn1_load(&data, blob)) {
- ldapsrv_terminate_connection(ldap_conn, "asn1_load() failed");
- return;
- }
-
- if (!ldap_decode(&data, msg)) {
- if (data.ofs == data.length) {
- /* we don't have a complete msg yet */
- talloc_free(msg);
- asn1_free(&data);
- return;
- }
- asn1_free(&data);
- talloc_free(msg);
- ldapsrv_terminate_connection(ldap_conn, "ldap_decode() failed");
- return;
- }
+ c->private = conn;
- ldapsrv_consumed_from_buf(&ldap_conn->in_buffer, data.ofs);
- asn1_free(&data);
-
- call = talloc_zero(ldap_conn, struct ldapsrv_call);
- if (!call) {
- ldapsrv_terminate_connection(ldap_conn, "no memory");
- return;
- }
-
- call->request = talloc_steal(call, msg);
- call->state = LDAPSRV_CALL_STATE_NEW;
- call->conn = ldap_conn;
-
- DLIST_ADD_END(ldap_conn->calls, call, struct ldapsrv_call *);
-
- status = ldapsrv_do_call(call);
- if (!NT_STATUS_IS_OK(status)) {
- ldapsrv_terminate_connection(ldap_conn, "ldapsrv_do_call() failed");
- return;
- }
-
- peek_into_read_buf(&ldap_conn->in_buffer, &buf, &buf_length);
+ socket_address = socket_get_my_addr(c->socket, conn);
+ if (!socket_address) {
+ ldapsrv_terminate_connection(conn, "ldapsrv_accept: failed to obtain local socket address!");
+ return;
}
+ port = socket_address->port;
+ talloc_free(socket_address);
- status = ldapsrv_do_responses(ldap_conn);
- if (!NT_STATUS_IS_OK(status)) {
- ldapsrv_terminate_connection(ldap_conn, "ldapsrv_do_responses() failed");
+ conn->tls = tls_init_server(ldapsrv_service->tls_params, c->socket,
+ c->event.fde, NULL, port != 389);
+ if (!conn->tls) {
+ ldapsrv_terminate_connection(conn, "ldapsrv_accept: tls_init_server() failed");
return;
}
- if ((ldap_conn->out_buffer.length > 0)||(ldap_conn->sasl_out_buffer.length > 0)) {
- EVENT_FD_WRITEABLE(conn->event.fde);
+ conn->packet = packet_init(conn);
+ if (conn->packet == NULL) {
+ ldapsrv_terminate_connection(conn, "out of memory");
+ return;
}
- return;
-}
+ packet_set_private(conn->packet, conn);
+ packet_set_tls(conn->packet, conn->tls);
+ packet_set_callback(conn->packet, ldapsrv_decode);
+ packet_set_full_request(conn->packet, ldapsrv_complete_packet);
+ packet_set_error_handler(conn->packet, ldapsrv_error_handler);
+ packet_set_event_context(conn->packet, c->event.ctx);
+ packet_set_fde(conn->packet, c->event.fde);
+ packet_set_serialise(conn->packet);
-/*
- called when a LDAP socket becomes writable
-*/
-static void ldapsrv_send(struct stream_connection *conn, uint16_t flags)
-{
- struct ldapsrv_connection *ldap_conn = talloc_get_type(conn->private, struct ldapsrv_connection);
+ /* Ensure we don't get packets until the database is ready below */
+ packet_recv_disable(conn->packet);
- DEBUG(10,("ldapsrv_send\n"));
-
- if (!ldapsrv_write_buf(ldap_conn)) {
- ldapsrv_terminate_connection(ldap_conn, "ldapsrv_write_buf() failed");
+ server_credentials
+ = cli_credentials_init(conn);
+ if (!server_credentials) {
+ stream_terminate_connection(c, "Failed to init server credentials\n");
return;
}
-
- if (ldap_conn->out_buffer.length == 0 && ldap_conn->sasl_out_buffer.length == 0) {
- EVENT_FD_NOT_WRITEABLE(conn->event.fde);
+
+ cli_credentials_set_conf(server_credentials);
+ status = cli_credentials_set_machine_account(server_credentials);
+ if (!NT_STATUS_IS_OK(status)) {
+ stream_terminate_connection(c, talloc_asprintf(conn, "Failed to obtain server credentials, perhaps a standalone server?: %s\n", nt_errstr(status)));
+ return;
}
+ conn->server_credentials = server_credentials;
- return;
-}
+ /* Connections start out anonymous */
+ if (!NT_STATUS_IS_OK(auth_anonymous_session_info(conn, &conn->session_info))) {
+ ldapsrv_terminate_connection(conn, "failed to setup anonymous session info");
+ return;
+ }
-/*
- initialise a server_context from a open socket and register a event handler
- for reading from that socket
-*/
-static void ldapsrv_accept(struct stream_connection *conn)
-{
- struct ldapsrv_service *ldapsrv_service =
- talloc_get_type(conn->private, struct ldapsrv_service);
- struct ldapsrv_connection *ldap_conn;
+ if (!NT_STATUS_IS_OK(ldapsrv_backend_Init(conn))) {
+ ldapsrv_terminate_connection(conn, "backend Init failed");
+ return;
+ }
- ldap_conn = talloc_zero(conn, struct ldapsrv_connection);
- if (ldap_conn == NULL) goto failed;
+ /* load limits from the conf partition */
+ ldapsrv_load_limits(conn); /* should we fail on error ? */
- ldap_conn->connection = conn;
- ldap_conn->service = talloc_get_type(conn->private, struct ldapsrv_service);
- conn->private = ldap_conn;
+ /* register the server */
+ irpc_add_name(c->msg_ctx, "ldap_server");
- /* note that '0' is a ASN1_SEQUENCE(0), which is the first byte on
- any ldap connection */
- ldap_conn->tls = tls_init_server(ldapsrv_service->tls_params, conn->socket,
- conn->event.fde, "0");
- if (ldap_conn->tls == NULL) goto failed;
+ /* set connections limits */
+ conn->limits.ite = event_add_timed(c->event.ctx, conn,
+ timeval_current_ofs(conn->limits.initial_timeout, 0),
+ ldapsrv_conn_init_timeout, conn);
- return;
+ packet_recv_enable(conn->packet);
-failed:
- talloc_free(conn);
}
static const struct stream_server_ops ldap_stream_ops = {
/*
add a socket address to the list of events, one event per port
*/
-static NTSTATUS add_socket(struct event_context *event_context, const struct model_ops *model_ops,
+static NTSTATUS add_socket(struct event_context *event_context,
+ const struct model_ops *model_ops,
const char *address, struct ldapsrv_service *ldap_service)
{
uint16_t port = 389;
address, port, nt_errstr(status)));
}
- /* add ldaps server */
- port = 636;
- status = stream_setup_socket(event_context, model_ops, &ldap_stream_ops,
- "ipv4", address, &port, ldap_service);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0,("ldapsrv failed to bind to %s:%u - %s\n",
- address, port, nt_errstr(status)));
+ if (tls_support(ldap_service->tls_params)) {
+ /* add ldaps server */
+ port = 636;
+ status = stream_setup_socket(event_context, model_ops, &ldap_stream_ops,
+ "ipv4", address, &port, ldap_service);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,("ldapsrv failed to bind to %s:%u - %s\n",
+ address, port, nt_errstr(status)));
+ }
}
+
+ /* if we are a PDC, then also enable the global catalog server port, 3268 */
+ if (lp_server_role() == ROLE_DOMAIN_PDC) {
+ port = 3268;
+ status = stream_setup_socket(event_context, model_ops, &ldap_stream_ops,
+ "ipv4", address, &port, ldap_service);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,("ldapsrv failed to bind to %s:%u - %s\n",
+ address, port, nt_errstr(status)));
+ }
+ }
+
return status;
}
static void ldapsrv_task_init(struct task_server *task)
{
struct ldapsrv_service *ldap_service;
- struct ldapsrv_partition *rootDSE_part;
- struct ldapsrv_partition *part;
NTSTATUS status;
+ task_server_set_title(task, "task[ldapsrv]");
+
ldap_service = talloc_zero(task, struct ldapsrv_service);
if (ldap_service == NULL) goto failed;
ldap_service->tls_params = tls_initialise(ldap_service);
if (ldap_service->tls_params == NULL) goto failed;
- rootDSE_part = talloc(ldap_service, struct ldapsrv_partition);
- if (rootDSE_part == NULL) goto failed;
-
- rootDSE_part->base_dn = ""; /* RootDSE */
- rootDSE_part->ops = ldapsrv_get_rootdse_partition_ops();
-
- ldap_service->rootDSE = rootDSE_part;
- DLIST_ADD_END(ldap_service->partitions, rootDSE_part, struct ldapsrv_partition *);
-
- part = talloc(ldap_service, struct ldapsrv_partition);
- if (part == NULL) goto failed;
-
- part->base_dn = "*"; /* default partition */
- if (lp_parm_bool(-1, "ldapsrv", "hacked", False)) {
- part->ops = ldapsrv_get_hldb_partition_ops();
- } else {
- part->ops = ldapsrv_get_sldb_partition_ops();
- }
-
- ldap_service->default_partition = part;
- DLIST_ADD_END(ldap_service->partitions, part, struct ldapsrv_partition *);
-
if (lp_interfaces() && lp_bind_interfaces_only()) {
int num_interfaces = iface_count();
int i;
return;
failed:
- task_terminate(task, "Failed to startup ldap server task");
+ task_server_terminate(task, "Failed to startup ldap server task");
}
/*