/*
Unix SMB/CIFS implementation.
+
LDAP server
+
+ Copyright (C) Andrew Tridgell 2005
Copyright (C) Volker Lendecke 2004
Copyright (C) Stefan Metzmacher 2004
*/
#include "includes.h"
-#include "events.h"
+#include "lib/events/events.h"
#include "auth/auth.h"
#include "dlinklist.h"
-#include "asn_1.h"
+#include "libcli/util/asn_1.h"
#include "ldap_server/ldap_server.h"
+#include "smbd/service_task.h"
+#include "smbd/service_stream.h"
+#include "smbd/service.h"
+#include "lib/socket/socket.h"
+#include "lib/tls/tls.h"
+#include "lib/messaging/irpc.h"
+#include "lib/stream/packet.h"
+#include "lib/ldb/include/ldb.h"
+#include "lib/ldb/include/ldb_errors.h"
+#include "system/network.h"
+#include "netif/netif.h"
/*
close the socket and shutdown a server_context
*/
-static void ldapsrv_terminate_connection(struct ldapsrv_connection *ldap_conn, const char *reason)
+static void ldapsrv_terminate_connection(struct ldapsrv_connection *conn,
+ const char *reason)
{
- server_terminate_connection(ldap_conn->connection, reason);
+ if (conn->tls) {
+ talloc_free(conn->tls);
+ conn->tls = NULL;
+ }
+ stream_terminate_connection(conn->connection, reason);
}
/*
- add a socket address to the list of events, one event per port
+ handle packet errors
*/
-static void add_socket(struct server_service *service,
- const struct model_ops *model_ops,
- struct ipv4_addr *ifip)
+static void ldapsrv_error_handler(void *private, NTSTATUS status)
{
- struct server_socket *srv_sock;
- uint16_t port = 389;
- char *ip_str = talloc_strdup(service, sys_inet_ntoa(*ifip));
-
- srv_sock = service_setup_socket(service, model_ops, "ipv4", ip_str, &port);
-
- port = 3268;
- srv_sock = service_setup_socket(service, model_ops, "ipv4", ip_str, &port);
-
- talloc_free(ip_str);
+ struct ldapsrv_connection *conn = talloc_get_type(private,
+ struct ldapsrv_connection);
+ ldapsrv_terminate_connection(conn, nt_errstr(status));
}
-/****************************************************************************
- Open the socket communication.
-****************************************************************************/
-static void ldapsrv_init(struct server_service *service,
- const struct model_ops *model_ops)
-{
- struct ldapsrv_service *ldap_service;
- struct ldapsrv_partition *part;
-
- DEBUG(10,("ldapsrv_init\n"));
+/*
+ process a decoded ldap message
+*/
+static void ldapsrv_process_message(struct ldapsrv_connection *conn,
+ struct ldap_message *msg)
+{
+ struct ldapsrv_call *call;
+ NTSTATUS status;
+ DATA_BLOB blob;
+ BOOL enable_wrap = conn->enable_wrap;
- ldap_service = talloc_p(service, struct ldapsrv_service);
- if (!ldap_service) {
- DEBUG(0,("talloc_p(service, struct ldapsrv_service) failed\n"));
- return;
+ call = talloc(conn, struct ldapsrv_call);
+ if (!call) {
+ ldapsrv_terminate_connection(conn, "no memory");
+ return;
}
- ZERO_STRUCTP(ldap_service);
+
+ call->request = talloc_steal(call, msg);
+ call->conn = conn;
+ call->replies = NULL;
- part = talloc_p(ldap_service, struct ldapsrv_partition);
- if (!ldap_service) {
- DEBUG(0,("talloc_p(ldap_service, struct ldapsrv_partition) failed\n"));
- return;
+ /* make the call */
+ status = ldapsrv_do_call(call);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto failed;
}
- part->base_dn = ""; /* RootDSE */
- part->ops = ldapsrv_get_rootdse_partition_ops();
-
- ldap_service->rootDSE = part;
- DLIST_ADD_END(ldap_service->partitions, part, struct ldapsrv_partition *);
+
+ blob = data_blob(NULL, 0);
- part = talloc_p(ldap_service, struct ldapsrv_partition);
- if (!ldap_service) {
- DEBUG(0,("talloc_p(ldap_service, struct ldapsrv_partition) failed\n"));
+ if (call->replies == NULL) {
+ talloc_free(call);
return;
}
- part->base_dn = "*"; /* default partition */
- part->ops = ldapsrv_get_sldb_partition_ops();
- ldap_service->default_partition = part;
- DLIST_ADD_END(ldap_service->partitions, part, struct ldapsrv_partition *);
+ /* build all the replies into a single blob */
+ while (call->replies) {
+ DATA_BLOB b;
- service->private_data = ldap_service;
+ msg = call->replies->msg;
+ if (!ldap_encode(msg, &b, call)) {
+ DEBUG(0,("Failed to encode ldap reply of type %d\n", msg->type));
+ goto failed;
+ }
- if (lp_interfaces() && lp_bind_interfaces_only()) {
- int num_interfaces = iface_count();
- int i;
+ status = data_blob_append(call, &blob, b.data, b.length);
+ data_blob_free(&b);
- /* We have been given an interfaces line, and been
- told to only bind to those interfaces. Create a
- socket per interface and bind to only these.
- */
- for(i = 0; i < num_interfaces; i++) {
- struct ipv4_addr *ifip = iface_n_ip(i);
+ if (!NT_STATUS_IS_OK(status)) goto failed;
- if (ifip == NULL) {
- DEBUG(0,("ldapsrv_init: interface %d has NULL "
- "IP address !\n", i));
- continue;
- }
+ DLIST_REMOVE(call->replies, call->replies);
+ }
- add_socket(service, model_ops, ifip);
- }
- } else {
- struct ipv4_addr ifip;
+ /* possibly encrypt/sign the reply */
+ if (enable_wrap) {
+ DATA_BLOB wrapped;
- /* Just bind to lp_socket_address() (usually 0.0.0.0) */
- ifip = interpret_addr2(lp_socket_address());
- add_socket(service, model_ops, &ifip);
+ status = gensec_wrap(conn->gensec, call, &blob, &wrapped);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto failed;
+ }
+ data_blob_free(&blob);
+ blob = data_blob_talloc(call, NULL, wrapped.length + 4);
+ if (blob.data == NULL) {
+ goto failed;
+ }
+ RSIVAL(blob.data, 0, wrapped.length);
+ memcpy(blob.data+4, wrapped.data, wrapped.length);
+ data_blob_free(&wrapped);
}
-}
-/* This rw-buf api is made to avoid memcpy. For now do that like mad... The
- idea is to write into a circular list of buffers where the ideal case is
- that a read(2) holds a complete request that is then thrown away
- completely. */
+ packet_send(conn->packet, blob);
+ talloc_free(call);
+ return;
-void ldapsrv_consumed_from_buf(struct rw_buffer *buf,
- size_t length)
-{
- memcpy(buf->data, buf->data+length, buf->length-length);
- buf->length -= length;
+failed:
+ talloc_free(call);
}
-static void peek_into_read_buf(struct rw_buffer *buf, uint8_t **out,
- size_t *out_length)
-{
- *out = buf->data;
- *out_length = buf->length;
-}
-BOOL ldapsrv_append_to_buf(struct rw_buffer *buf, uint8_t *data, size_t length)
-{
- buf->data = realloc(buf->data, buf->length+length);
-
- if (buf->data == NULL)
- return False;
-
- memcpy(buf->data+buf->length, data, length);
-
- buf->length += length;
- return True;
-}
-
-static BOOL read_into_buf(struct socket_context *sock, struct rw_buffer *buf)
+/*
+ decode the input buffer
+*/
+static NTSTATUS ldapsrv_decode_plain(struct ldapsrv_connection *conn, DATA_BLOB blob)
{
- NTSTATUS status;
- DATA_BLOB tmp_blob;
- BOOL ret;
- size_t nread;
+ struct asn1_data asn1;
+ struct ldap_message *msg = talloc(conn, struct ldap_message);
- tmp_blob = data_blob_talloc(sock, NULL, 1024);
- if (tmp_blob.data == NULL) {
- return False;
+ if (msg == NULL) {
+ return NT_STATUS_NO_MEMORY;
}
- status = socket_recv(sock, tmp_blob.data, tmp_blob.length, &nread, 0);
- if (NT_STATUS_IS_ERR(status)) {
- DEBUG(10,("socket_recv: %s\n",nt_errstr(status)));
- talloc_free(tmp_blob.data);
- return False;
+ if (!asn1_load(&asn1, blob)) {
+ return NT_STATUS_NO_MEMORY;
}
- ret = ldapsrv_append_to_buf(buf, tmp_blob.data, tmp_blob.length);
-
- talloc_free(tmp_blob.data);
+ if (!ldap_decode(&asn1, msg)) {
+ asn1_free(&asn1);
+ return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR);
+ }
- return ret;
+ data_blob_free(&blob);
+ ldapsrv_process_message(conn, msg);
+ asn1_free(&asn1);
+ return NT_STATUS_OK;
}
-static BOOL ldapsrv_read_buf(struct ldapsrv_connection *conn)
+
+/*
+ decode/process wrapped data
+*/
+static NTSTATUS ldapsrv_decode_wrapped(struct ldapsrv_connection *conn,
+ DATA_BLOB blob)
{
+ DATA_BLOB wrapped, unwrapped;
+ struct asn1_data asn1;
+ struct ldap_message *msg = talloc(conn, struct ldap_message);
NTSTATUS status;
- DATA_BLOB tmp_blob;
- DATA_BLOB creds;
- BOOL ret;
- uint8_t *buf;
- int buf_length, sasl_length;
- struct socket_context *sock = conn->connection->socket;
- TALLOC_CTX *mem_ctx;
- size_t nread;
- if (!conn->gensec || !conn->session_info ||
- !(gensec_have_feature(conn->gensec, GENSEC_WANT_SIGN) &&
- gensec_have_feature(conn->gensec, GENSEC_WANT_SEAL))) {
- return read_into_buf(sock, &conn->in_buffer);
+ if (msg == NULL) {
+ return NT_STATUS_NO_MEMORY;
}
- mem_ctx = talloc(conn, 0);
- if (!mem_ctx) {
- DEBUG(0,("no memory\n"));
- return False;
- }
+ wrapped = data_blob_const(blob.data+4, blob.length-4);
- tmp_blob = data_blob_talloc(mem_ctx, NULL, 1024);
- if (tmp_blob.data == NULL) {
- talloc_free(mem_ctx);
- return False;
+ status = gensec_unwrap(conn->gensec, msg, &wrapped, &unwrapped);
+ if (!NT_STATUS_IS_OK(status)) {
+ return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR);
}
- status = socket_recv(sock, tmp_blob.data, tmp_blob.length, &nread, 0);
- if (NT_STATUS_IS_ERR(status)) {
- DEBUG(10,("socket_recv: %s\n",nt_errstr(status)));
- talloc_free(mem_ctx);
- return False;
- }
- tmp_blob.length = nread;
+ data_blob_free(&blob);
- ret = ldapsrv_append_to_buf(&conn->sasl_in_buffer, tmp_blob.data, tmp_blob.length);
- if (!ret) {
- talloc_free(mem_ctx);
- return False;
+ if (!asn1_load(&asn1, unwrapped)) {
+ return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR);
}
- peek_into_read_buf(&conn->sasl_in_buffer, &buf, &buf_length);
+ while (ldap_decode(&asn1, msg)) {
+ ldapsrv_process_message(conn, msg);
+ msg = talloc(conn, struct ldap_message);
+ }
- if (buf_length < 4) {
- /* not enough yet */
- talloc_free(mem_ctx);
- return True;
+ if (asn1.ofs < asn1.length) {
+ return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR);
}
+
+ talloc_free(msg);
+ asn1_free(&asn1);
- sasl_length = RIVAL(buf, 0);
+ return NT_STATUS_OK;
+}
- if (buf_length < (4 + sasl_length)) {
- /* not enough yet */
- talloc_free(mem_ctx);
- return True;
+/*
+ decode/process data
+*/
+static NTSTATUS ldapsrv_decode(void *private, DATA_BLOB blob)
+{
+ struct ldapsrv_connection *conn = talloc_get_type(private,
+ struct ldapsrv_connection);
+ if (conn->enable_wrap) {
+ return ldapsrv_decode_wrapped(conn, blob);
}
+ return ldapsrv_decode_plain(conn, blob);
+}
- creds.data = buf + 4;
- creds.length = gensec_sig_size(conn->gensec);
+/*
+ Idle timeout handler
+*/
+static void ldapsrv_conn_idle_timeout(struct event_context *ev,
+ struct timed_event *te,
+ struct timeval t,
+ void *private)
+{
+ struct ldapsrv_connection *conn = talloc_get_type(private, struct ldapsrv_connection);
- if (creds.length > sasl_length) {
- /* invalid packet? */
- talloc_free(mem_ctx);
- return False;
- }
+ ldapsrv_terminate_connection(conn, "Timeout. No requests after bind");
+}
- tmp_blob.data = buf + (4 + creds.length);
- tmp_blob.length = (4 + sasl_length) - (4 + creds.length);
+/*
+ called when a LDAP socket becomes readable
+*/
+static void ldapsrv_recv(struct stream_connection *c, uint16_t flags)
+{
+ struct ldapsrv_connection *conn =
+ talloc_get_type(c->private, struct ldapsrv_connection);
- if (gensec_have_feature(conn->gensec, GENSEC_WANT_SEAL)) {
- status = gensec_unseal_packet(conn->gensec, mem_ctx,
- tmp_blob.data, tmp_blob.length,
- tmp_blob.data, tmp_blob.length,
- &creds);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0,("gensec_unseal_packet: %s\n",nt_errstr(status)));
- talloc_free(mem_ctx);
- return False;
- }
- } else {
- status = gensec_check_packet(conn->gensec, mem_ctx,
- tmp_blob.data, tmp_blob.length,
- tmp_blob.data, tmp_blob.length,
- &creds);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0,("gensec_check_packet: %s\n",nt_errstr(status)));
- talloc_free(mem_ctx);
- return False;
- }
+ if (conn->limits.ite) { /* clean initial timeout if any */
+ talloc_free(conn->limits.ite);
+ conn->limits.ite = NULL;
}
- ret = ldapsrv_append_to_buf(&conn->in_buffer, tmp_blob.data, tmp_blob.length);
- if (!ret) {
- talloc_free(mem_ctx);
- return False;
+ if (conn->limits.te) { /* clean idle timeout if any */
+ talloc_free(conn->limits.te);
+ conn->limits.te = NULL;
}
- ldapsrv_consumed_from_buf(&conn->sasl_in_buffer, 4 + sasl_length);
+ packet_recv(conn->packet);
- talloc_free(mem_ctx);
- return ret;
+ /* set idle timeout */
+ conn->limits.te = event_add_timed(c->event.ctx, conn,
+ timeval_current_ofs(conn->limits.conn_idle_time, 0),
+ ldapsrv_conn_idle_timeout, conn);
}
-static BOOL write_from_buf(struct socket_context *sock, struct rw_buffer *buf)
+/*
+ check if a blob is a complete ldap packet
+ handle wrapper or unwrapped connections
+*/
+NTSTATUS ldapsrv_complete_packet(void *private, DATA_BLOB blob, size_t *size)
{
- NTSTATUS status;
- DATA_BLOB tmp_blob;
- size_t sendlen;
-
- tmp_blob.data = buf->data;
- tmp_blob.length = buf->length;
-
- status = socket_send(sock, &tmp_blob, &sendlen, 0);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(10,("socket_send() %s\n",nt_errstr(status)));
- return False;
+ struct ldapsrv_connection *conn = talloc_get_type(private,
+ struct ldapsrv_connection);
+ if (conn->enable_wrap) {
+ return packet_full_request_u32(private, blob, size);
}
+ return ldap_full_packet(private, blob, size);
+}
+
+/*
+ called when a LDAP socket becomes writable
+*/
+static void ldapsrv_send(struct stream_connection *c, uint16_t flags)
+{
+ struct ldapsrv_connection *conn =
+ talloc_get_type(c->private, struct ldapsrv_connection);
+
+ packet_queue_run(conn->packet);
+}
- ldapsrv_consumed_from_buf(buf, sendlen);
+static void ldapsrv_conn_init_timeout(struct event_context *ev,
+ struct timed_event *te,
+ struct timeval t,
+ void *private)
+{
+ struct ldapsrv_connection *conn = talloc_get_type(private, struct ldapsrv_connection);
- return True;
+ ldapsrv_terminate_connection(conn, "Timeout. No requests after initial connection");
}
-static BOOL ldapsrv_write_buf(struct ldapsrv_connection *conn)
+static int ldapsrv_load_limits(struct ldapsrv_connection *conn)
{
- NTSTATUS status;
- DATA_BLOB tmp_blob;
- DATA_BLOB creds;
- DATA_BLOB sasl;
- size_t sendlen;
- BOOL ret;
- struct socket_context *sock = conn->connection->socket;
- TALLOC_CTX *mem_ctx;
-
- if (!conn->gensec || !conn->session_info ||
- !(gensec_have_feature(conn->gensec, GENSEC_WANT_SIGN) &&
- gensec_have_feature(conn->gensec, GENSEC_WANT_SEAL))) {
- return write_from_buf(sock, &conn->out_buffer);
+ TALLOC_CTX *tmp_ctx;
+ const char *attrs[] = { "configurationNamingContext", NULL };
+ const char *attrs2[] = { "lDAPAdminLimits", NULL };
+ const char *conf_dn_s;
+ struct ldb_message_element *el;
+ struct ldb_result *res = NULL;
+ struct ldb_dn *basedn;
+ struct ldb_dn *conf_dn;
+ struct ldb_dn *policy_dn;
+ int i,ret;
+
+ /* set defaults limits in case of failure */
+ conn->limits.initial_timeout = 120;
+ conn->limits.conn_idle_time = 900;
+ conn->limits.max_page_size = 1000;
+ conn->limits.search_timeout = 120;
+
+
+ tmp_ctx = talloc_new(conn);
+ if (tmp_ctx == NULL) {
+ return -1;
}
- mem_ctx = talloc(conn, 0);
- if (!mem_ctx) {
- DEBUG(0,("no memory\n"));
- return False;
+ basedn = ldb_dn_explode(tmp_ctx, "");
+ if (basedn == NULL) {
+ goto failed;
}
- tmp_blob.data = conn->out_buffer.data;
- tmp_blob.length = conn->out_buffer.length;
-
- if (tmp_blob.length == 0) {
- goto nodata;
+ ret = ldb_search(conn->ldb, basedn, LDB_SCOPE_BASE, NULL, attrs, &res);
+ talloc_steal(tmp_ctx, res);
+ if (ret != LDB_SUCCESS || res->count != 1) {
+ goto failed;
}
- if (gensec_have_feature(conn->gensec, GENSEC_WANT_SEAL)) {
- status = gensec_seal_packet(conn->gensec, mem_ctx,
- tmp_blob.data, tmp_blob.length,
- tmp_blob.data, tmp_blob.length,
- &creds);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0,("gensec_seal_packet: %s\n",nt_errstr(status)));
- talloc_free(mem_ctx);
- return False;
- }
- } else {
- status = gensec_sign_packet(conn->gensec, mem_ctx,
- tmp_blob.data, tmp_blob.length,
- tmp_blob.data, tmp_blob.length,
- &creds);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0,("gensec_sign_packet: %s\n",nt_errstr(status)));
- talloc_free(mem_ctx);
- return False;
- }
+ conf_dn_s = ldb_msg_find_string(res->msgs[0], "configurationNamingContext", NULL);
+ if (conf_dn_s == NULL) {
+ goto failed;
}
-
- sasl = data_blob_talloc(mem_ctx, NULL, 4 + creds.length + tmp_blob.length);
- if (!sasl.data) {
- DEBUG(0,("no memory\n"));
- talloc_free(mem_ctx);
- return False;
+ conf_dn = ldb_dn_explode(tmp_ctx, conf_dn_s);
+ if (conf_dn == NULL) {
+ goto failed;
}
- RSIVAL(sasl.data, 0, creds.length + tmp_blob.length);
- memcpy(sasl.data + 4, creds.data, creds.length);
- memcpy(sasl.data + 4 + creds.length, tmp_blob.data, tmp_blob.length);
-
- ret = ldapsrv_append_to_buf(&conn->sasl_out_buffer, sasl.data, sasl.length);
- if (!ret) {
- talloc_free(mem_ctx);
- return False;
+ policy_dn = ldb_dn_string_compose(tmp_ctx, conf_dn, "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services");
+ if (policy_dn == NULL) {
+ goto failed;
}
- ldapsrv_consumed_from_buf(&conn->out_buffer, tmp_blob.length);
-nodata:
- tmp_blob.data = conn->sasl_out_buffer.data;
- tmp_blob.length = conn->sasl_out_buffer.length;
- status = socket_send(sock, &tmp_blob, &sendlen, 0);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(10,("socket_send() %s\n",nt_errstr(status)));
- talloc_free(mem_ctx);
- return False;
+ ret = ldb_search(conn->ldb, policy_dn, LDB_SCOPE_BASE, NULL, attrs2, &res);
+ talloc_steal(tmp_ctx, res);
+ if (ret != LDB_SUCCESS || res->count != 1) {
+ goto failed;
}
- ldapsrv_consumed_from_buf(&conn->sasl_out_buffer, sendlen);
-
- talloc_free(mem_ctx);
-
- return True;
-}
-
-static BOOL ldap_encode_to_buf(struct ldap_message *msg, struct rw_buffer *buf)
-{
- DATA_BLOB blob;
- BOOL res;
-
- if (!ldap_encode(msg, &blob))
- return False;
-
- res = ldapsrv_append_to_buf(buf, blob.data, blob.length);
-
- data_blob_free(&blob);
- return res;
-}
+ el = ldb_msg_find_element(res->msgs[0], "lDAPAdminLimits");
+ if (el == NULL) {
+ goto failed;
+ }
-NTSTATUS ldapsrv_do_responses(struct ldapsrv_connection *conn)
-{
- struct ldapsrv_call *call, *next_call = NULL;
- struct ldapsrv_reply *reply, *next_reply = NULL;
-
- for (call=conn->calls; call; call=next_call) {
- for (reply=call->replies; reply; reply=next_reply) {
- if (!ldap_encode_to_buf(&reply->msg, &conn->out_buffer)) {
- return NT_STATUS_FOOBAR;
- }
- next_reply = reply->next;
- DLIST_REMOVE(call->replies, reply);
- reply->state = LDAPSRV_REPLY_STATE_SEND;
- talloc_free(reply);
+ for (i = 0; i < el->num_values; i++) {
+ char policy_name[256];
+ int policy_value, s;
+
+ s = sscanf((const char *)el->values[i].data, "%255[^=]=%d", policy_name, &policy_value);
+ if (ret != 2 || policy_value == 0)
+ continue;
+
+ if (strcasecmp("InitRecvTimeout", policy_name) == 0) {
+ conn->limits.initial_timeout = policy_value;
+ continue;
+ }
+ if (strcasecmp("MaxConnIdleTime", policy_name) == 0) {
+ conn->limits.conn_idle_time = policy_value;
+ continue;
+ }
+ if (strcasecmp("MaxPageSize", policy_name) == 0) {
+ conn->limits.max_page_size = policy_value;
+ continue;
+ }
+ if (strcasecmp("MaxQueryDuration", policy_name) == 0) {
+ conn->limits.search_timeout = policy_value;
+ continue;
}
- next_call = call->next;
- DLIST_REMOVE(conn->calls, call);
- call->state = LDAPSRV_CALL_STATE_COMPLETE;
- talloc_free(call);
}
- return NT_STATUS_OK;
-}
+ return 0;
-NTSTATUS ldapsrv_flush_responses(struct ldapsrv_connection *conn)
-{
- return NT_STATUS_OK;
+failed:
+ DEBUG(0, ("Failed to load ldap server query policies\n"));
+ talloc_free(tmp_ctx);
+ return -1;
}
/*
- called when a LDAP socket becomes readable
+ initialise a server_context from a open socket and register a event handler
+ for reading from that socket
*/
-static void ldapsrv_recv(struct server_connection *conn, time_t t,
- uint16_t flags)
+static void ldapsrv_accept(struct stream_connection *c)
{
- struct ldapsrv_connection *ldap_conn = conn->private_data;
- uint8_t *buf;
- int buf_length, msg_length;
- DATA_BLOB blob;
- struct asn1_data data;
- struct ldapsrv_call *call;
+ struct ldapsrv_service *ldapsrv_service =
+ talloc_get_type(c->private, struct ldapsrv_service);
+ struct ldapsrv_connection *conn;
+ struct cli_credentials *server_credentials;
+ struct socket_address *socket_address;
NTSTATUS status;
+ int port;
- DEBUG(10,("ldapsrv_recv\n"));
-
- if (!ldapsrv_read_buf(ldap_conn)) {
- ldapsrv_terminate_connection(ldap_conn, "ldapsrv_read_buf() failed");
+ conn = talloc_zero(c, struct ldapsrv_connection);
+ if (!conn) {
+ stream_terminate_connection(c, "ldapsrv_accept: out of memory");
return;
}
- peek_into_read_buf(&ldap_conn->in_buffer, &buf, &buf_length);
+ conn->enable_wrap = False;
+ conn->packet = NULL;
+ conn->connection = c;
+ conn->service = ldapsrv_service;
- while (buf_length > 0) {
- /* LDAP Messages are always SEQUENCES */
+ c->private = conn;
- if (!asn1_object_length(buf, buf_length, ASN1_SEQUENCE(0),
- &msg_length)) {
- ldapsrv_terminate_connection(ldap_conn, "asn1_object_length() failed");
- return;
- }
-
- if (buf_length < msg_length) {
- /* Not enough yet */
- break;
- }
-
- /* We've got a complete LDAP request in the in-buffer, convert
- * that to a ldap_message and put it into the incoming
- * queue. */
+ socket_address = socket_get_my_addr(c->socket, conn);
+ if (!socket_address) {
+ ldapsrv_terminate_connection(conn, "ldapsrv_accept: failed to obtain local socket address!");
+ return;
+ }
+ port = socket_address->port;
+ talloc_free(socket_address);
- blob.data = buf;
- blob.length = msg_length;
+ conn->tls = tls_init_server(ldapsrv_service->tls_params, c->socket,
+ c->event.fde, NULL, port != 389);
+ if (!conn->tls) {
+ ldapsrv_terminate_connection(conn, "ldapsrv_accept: tls_init_server() failed");
+ return;
+ }
- if (!asn1_load(&data, blob)) {
- ldapsrv_terminate_connection(ldap_conn, "asn1_load() failed");
- return;
- }
+ conn->packet = packet_init(conn);
+ if (conn->packet == NULL) {
+ ldapsrv_terminate_connection(conn, "out of memory");
+ return;
+ }
- call = talloc_p(ldap_conn, struct ldapsrv_call);
- if (!call) {
- ldapsrv_terminate_connection(ldap_conn, "no memory");
- return;
- }
+ packet_set_private(conn->packet, conn);
+ packet_set_tls(conn->packet, conn->tls);
+ packet_set_callback(conn->packet, ldapsrv_decode);
+ packet_set_full_request(conn->packet, ldapsrv_complete_packet);
+ packet_set_error_handler(conn->packet, ldapsrv_error_handler);
+ packet_set_event_context(conn->packet, c->event.ctx);
+ packet_set_fde(conn->packet, c->event.fde);
+ packet_set_serialise(conn->packet);
+
+ /* Ensure we don't get packets until the database is ready below */
+ packet_recv_disable(conn->packet);
- ZERO_STRUCTP(call);
- call->state = LDAPSRV_CALL_STATE_NEW;
- call->conn = ldap_conn;
- call->request.mem_ctx = call;
+ server_credentials
+ = cli_credentials_init(conn);
+ if (!server_credentials) {
+ stream_terminate_connection(c, "Failed to init server credentials\n");
+ return;
+ }
+
+ cli_credentials_set_conf(server_credentials);
+ status = cli_credentials_set_machine_account(server_credentials);
+ if (!NT_STATUS_IS_OK(status)) {
+ stream_terminate_connection(c, talloc_asprintf(conn, "Failed to obtain server credentials, perhaps a standalone server?: %s\n", nt_errstr(status)));
+ return;
+ }
+ conn->server_credentials = server_credentials;
- if (!ldap_decode(&data, &call->request)) {
- dump_data(0,buf, msg_length);
- asn1_free(&data);
- ldapsrv_terminate_connection(ldap_conn, "ldap_decode() failed");
- return;
- }
+ /* Connections start out anonymous */
+ if (!NT_STATUS_IS_OK(auth_anonymous_session_info(conn, &conn->session_info))) {
+ ldapsrv_terminate_connection(conn, "failed to setup anonymous session info");
+ return;
+ }
- asn1_free(&data);
+ if (!NT_STATUS_IS_OK(ldapsrv_backend_Init(conn))) {
+ ldapsrv_terminate_connection(conn, "backend Init failed");
+ return;
+ }
- DLIST_ADD_END(ldap_conn->calls, call,
- struct ldapsrv_call *);
+ /* load limits from the conf partition */
+ ldapsrv_load_limits(conn); /* should we fail on error ? */
- ldapsrv_consumed_from_buf(&ldap_conn->in_buffer, msg_length);
+ /* register the server */
+ irpc_add_name(c->msg_ctx, "ldap_server");
- status = ldapsrv_do_call(call);
- if (!NT_STATUS_IS_OK(status)) {
- ldapsrv_terminate_connection(ldap_conn, "ldapsrv_do_call() failed");
- return;
- }
+ /* set connections limits */
+ conn->limits.ite = event_add_timed(c->event.ctx, conn,
+ timeval_current_ofs(conn->limits.initial_timeout, 0),
+ ldapsrv_conn_init_timeout, conn);
- peek_into_read_buf(&ldap_conn->in_buffer, &buf, &buf_length);
- }
+ packet_recv_enable(conn->packet);
- status = ldapsrv_do_responses(ldap_conn);
- if (!NT_STATUS_IS_OK(status)) {
- ldapsrv_terminate_connection(ldap_conn, "ldapsrv_do_responses() failed");
- return;
- }
+}
- if ((ldap_conn->out_buffer.length > 0)||(ldap_conn->sasl_out_buffer.length > 0)) {
- conn->event.fde->flags |= EVENT_FD_WRITE;
- }
+static const struct stream_server_ops ldap_stream_ops = {
+ .name = "ldap",
+ .accept_connection = ldapsrv_accept,
+ .recv_handler = ldapsrv_recv,
+ .send_handler = ldapsrv_send,
+};
- return;
-}
-
/*
- called when a LDAP socket becomes writable
+ add a socket address to the list of events, one event per port
*/
-static void ldapsrv_send(struct server_connection *conn, time_t t,
- uint16_t flags)
+static NTSTATUS add_socket(struct event_context *event_context,
+ const struct model_ops *model_ops,
+ const char *address, struct ldapsrv_service *ldap_service)
{
- struct ldapsrv_connection *ldap_conn = conn->private_data;
-
- DEBUG(10,("ldapsrv_send\n"));
+ uint16_t port = 389;
+ NTSTATUS status;
- if (!ldapsrv_write_buf(ldap_conn)) {
- ldapsrv_terminate_connection(ldap_conn, "ldapsrv_write_buf() failed");
- return;
+ status = stream_setup_socket(event_context, model_ops, &ldap_stream_ops,
+ "ipv4", address, &port, ldap_service);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,("ldapsrv failed to bind to %s:%u - %s\n",
+ address, port, nt_errstr(status)));
}
- if (ldap_conn->out_buffer.length == 0 && ldap_conn->sasl_out_buffer.length == 0) {
- conn->event.fde->flags &= ~EVENT_FD_WRITE;
+ if (tls_support(ldap_service->tls_params)) {
+ /* add ldaps server */
+ port = 636;
+ status = stream_setup_socket(event_context, model_ops, &ldap_stream_ops,
+ "ipv4", address, &port, ldap_service);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,("ldapsrv failed to bind to %s:%u - %s\n",
+ address, port, nt_errstr(status)));
+ }
}
- return;
-}
-
-/*
- called when connection is idle
-*/
-static void ldapsrv_idle(struct server_connection *conn, time_t t)
-{
- DEBUG(10,("ldapsrv_idle: not implemented!\n"));
- return;
-}
+ /* if we are a PDC, then also enable the global catalog server port, 3268 */
+ if (lp_server_role() == ROLE_DOMAIN_PDC) {
+ port = 3268;
+ status = stream_setup_socket(event_context, model_ops, &ldap_stream_ops,
+ "ipv4", address, &port, ldap_service);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,("ldapsrv failed to bind to %s:%u - %s\n",
+ address, port, nt_errstr(status)));
+ }
+ }
-static void ldapsrv_close(struct server_connection *conn, const char *reason)
-{
- return;
+ return status;
}
/*
- initialise a server_context from a open socket and register a event handler
- for reading from that socket
+ open the ldap server sockets
*/
-static void ldapsrv_accept(struct server_connection *conn)
-{
- struct ldapsrv_connection *ldap_conn;
+static void ldapsrv_task_init(struct task_server *task)
+{
+ struct ldapsrv_service *ldap_service;
+ NTSTATUS status;
- DEBUG(10, ("ldapsrv_accept\n"));
+ task_server_set_title(task, "task[ldapsrv]");
- ldap_conn = talloc_p(conn, struct ldapsrv_connection);
+ ldap_service = talloc_zero(task, struct ldapsrv_service);
+ if (ldap_service == NULL) goto failed;
- if (ldap_conn == NULL)
- return;
+ ldap_service->tls_params = tls_initialise(ldap_service);
+ if (ldap_service->tls_params == NULL) goto failed;
- ZERO_STRUCTP(ldap_conn);
- ldap_conn->connection = conn;
- ldap_conn->service = talloc_reference(ldap_conn, conn->service->private_data);
+ if (lp_interfaces() && lp_bind_interfaces_only()) {
+ int num_interfaces = iface_count();
+ int i;
- conn->private_data = ldap_conn;
+ /* We have been given an interfaces line, and been
+ told to only bind to those interfaces. Create a
+ socket per interface and bind to only these.
+ */
+ for(i = 0; i < num_interfaces; i++) {
+ const char *address = iface_n_ip(i);
+ status = add_socket(task->event_ctx, task->model_ops, address, ldap_service);
+ if (!NT_STATUS_IS_OK(status)) goto failed;
+ }
+ } else {
+ status = add_socket(task->event_ctx, task->model_ops, lp_socket_address(), ldap_service);
+ if (!NT_STATUS_IS_OK(status)) goto failed;
+ }
return;
+
+failed:
+ task_server_terminate(task, "Failed to startup ldap server task");
}
/*
- called on a fatal error that should cause this server to terminate
+ called on startup of the web server service It's job is to start
+ listening on all configured sockets
*/
-static void ldapsrv_exit(struct server_service *service, const char *reason)
-{
- DEBUG(10,("ldapsrv_exit\n"));
- return;
+static NTSTATUS ldapsrv_init(struct event_context *event_context,
+ const struct model_ops *model_ops)
+{
+ return task_server_startup(event_context, model_ops, ldapsrv_task_init);
}
-static const struct server_service_ops ldap_server_ops = {
- .name = "ldap",
- .service_init = ldapsrv_init,
- .accept_connection = ldapsrv_accept,
- .recv_handler = ldapsrv_recv,
- .send_handler = ldapsrv_send,
- .idle_handler = ldapsrv_idle,
- .close_connection = ldapsrv_close,
- .service_exit = ldapsrv_exit,
-};
-
-const struct server_service_ops *ldapsrv_get_ops(void)
-{
- return &ldap_server_ops;
-}
NTSTATUS server_service_ldap_init(void)
{
- return NT_STATUS_OK;
+ return register_server_service("ldap", ldapsrv_init);
}