2 Unix SMB/CIFS implementation.
6 Copyright (C) Andrew Tridgell 2005
7 Copyright (C) Volker Lendecke 2004
8 Copyright (C) Stefan Metzmacher 2004
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 2 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program; if not, write to the Free Software
22 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
26 #include "lib/events/events.h"
27 #include "auth/auth.h"
28 #include "dlinklist.h"
29 #include "libcli/util/asn_1.h"
30 #include "ldap_server/ldap_server.h"
31 #include "smbd/service_task.h"
32 #include "smbd/service_stream.h"
33 #include "smbd/service.h"
34 #include "lib/socket/socket.h"
35 #include "lib/tls/tls.h"
36 #include "lib/messaging/irpc.h"
37 #include "lib/stream/packet.h"
38 #include "lib/ldb/include/ldb.h"
39 #include "lib/ldb/include/ldb_errors.h"
40 #include "system/network.h"
41 #include "netif/netif.h"
44 close the socket and shutdown a server_context
46 static void ldapsrv_terminate_connection(struct ldapsrv_connection *conn,
49 stream_terminate_connection(conn->connection, reason);
55 static void ldapsrv_error_handler(void *private, NTSTATUS status)
57 struct ldapsrv_connection *conn = talloc_get_type(private,
58 struct ldapsrv_connection);
59 ldapsrv_terminate_connection(conn, nt_errstr(status));
63 process a decoded ldap message
65 static void ldapsrv_process_message(struct ldapsrv_connection *conn,
66 struct ldap_message *msg)
68 struct ldapsrv_call *call;
71 BOOL enable_wrap = conn->enable_wrap;
73 call = talloc(conn, struct ldapsrv_call);
75 ldapsrv_terminate_connection(conn, "no memory");
79 call->request = talloc_steal(call, msg);
84 status = ldapsrv_do_call(call);
85 if (!NT_STATUS_IS_OK(status)) {
89 blob = data_blob(NULL, 0);
91 if (call->replies == NULL) {
96 /* build all the replies into a single blob */
97 while (call->replies) {
100 msg = call->replies->msg;
101 if (!ldap_encode(msg, &b, call)) {
102 DEBUG(0,("Failed to encode ldap reply of type %d\n", msg->type));
106 status = data_blob_append(call, &blob, b.data, b.length);
109 if (!NT_STATUS_IS_OK(status)) goto failed;
111 DLIST_REMOVE(call->replies, call->replies);
114 /* possibly encrypt/sign the reply */
118 status = gensec_wrap(conn->gensec, call, &blob, &wrapped);
119 if (!NT_STATUS_IS_OK(status)) {
122 data_blob_free(&blob);
123 blob = data_blob_talloc(call, NULL, wrapped.length + 4);
124 if (blob.data == NULL) {
127 RSIVAL(blob.data, 0, wrapped.length);
128 memcpy(blob.data+4, wrapped.data, wrapped.length);
129 data_blob_free(&wrapped);
132 packet_send(conn->packet, blob);
142 decode the input buffer
144 static NTSTATUS ldapsrv_decode_plain(struct ldapsrv_connection *conn, DATA_BLOB blob)
146 struct asn1_data asn1;
147 struct ldap_message *msg = talloc(conn, struct ldap_message);
150 return NT_STATUS_NO_MEMORY;
153 if (!asn1_load(&asn1, blob)) {
154 return NT_STATUS_NO_MEMORY;
157 if (!ldap_decode(&asn1, msg)) {
159 return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR);
162 data_blob_free(&blob);
163 ldapsrv_process_message(conn, msg);
170 decode/process wrapped data
172 static NTSTATUS ldapsrv_decode_wrapped(struct ldapsrv_connection *conn,
175 DATA_BLOB wrapped, unwrapped;
176 struct asn1_data asn1;
177 struct ldap_message *msg = talloc(conn, struct ldap_message);
181 return NT_STATUS_NO_MEMORY;
184 wrapped = data_blob_const(blob.data+4, blob.length-4);
186 status = gensec_unwrap(conn->gensec, msg, &wrapped, &unwrapped);
187 if (!NT_STATUS_IS_OK(status)) {
188 return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR);
191 data_blob_free(&blob);
193 if (!asn1_load(&asn1, unwrapped)) {
194 return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR);
197 while (ldap_decode(&asn1, msg)) {
198 ldapsrv_process_message(conn, msg);
199 msg = talloc(conn, struct ldap_message);
202 if (asn1.ofs < asn1.length) {
203 return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR);
215 static NTSTATUS ldapsrv_decode(void *private, DATA_BLOB blob)
217 struct ldapsrv_connection *conn = talloc_get_type(private,
218 struct ldapsrv_connection);
219 if (conn->enable_wrap) {
220 return ldapsrv_decode_wrapped(conn, blob);
222 return ldapsrv_decode_plain(conn, blob);
228 static void ldapsrv_conn_idle_timeout(struct event_context *ev,
229 struct timed_event *te,
233 struct ldapsrv_connection *conn = talloc_get_type(private, struct ldapsrv_connection);
235 ldapsrv_terminate_connection(conn, "Timeout. No requests after bind");
239 called when a LDAP socket becomes readable
241 static void ldapsrv_recv(struct stream_connection *c, uint16_t flags)
243 struct ldapsrv_connection *conn =
244 talloc_get_type(c->private, struct ldapsrv_connection);
246 if (conn->limits.ite) { /* clean initial timeout if any */
247 talloc_free(conn->limits.ite);
248 conn->limits.ite = NULL;
251 if (conn->limits.te) { /* clean idle timeout if any */
252 talloc_free(conn->limits.te);
253 conn->limits.te = NULL;
256 packet_recv(conn->packet);
258 /* set idle timeout */
259 conn->limits.te = event_add_timed(c->event.ctx, conn,
260 timeval_current_ofs(conn->limits.conn_idle_time, 0),
261 ldapsrv_conn_idle_timeout, conn);
265 check if a blob is a complete ldap packet
266 handle wrapper or unwrapped connections
268 NTSTATUS ldapsrv_complete_packet(void *private, DATA_BLOB blob, size_t *size)
270 struct ldapsrv_connection *conn = talloc_get_type(private,
271 struct ldapsrv_connection);
272 if (conn->enable_wrap) {
273 return packet_full_request_u32(private, blob, size);
275 return ldap_full_packet(private, blob, size);
279 called when a LDAP socket becomes writable
281 static void ldapsrv_send(struct stream_connection *c, uint16_t flags)
283 struct ldapsrv_connection *conn =
284 talloc_get_type(c->private, struct ldapsrv_connection);
286 packet_queue_run(conn->packet);
289 static void ldapsrv_conn_init_timeout(struct event_context *ev,
290 struct timed_event *te,
294 struct ldapsrv_connection *conn = talloc_get_type(private, struct ldapsrv_connection);
296 ldapsrv_terminate_connection(conn, "Timeout. No requests after initial connection");
299 static int ldapsrv_load_limits(struct ldapsrv_connection *conn)
302 const char *attrs[] = { "configurationNamingContext", NULL };
303 const char *attrs2[] = { "lDAPAdminLimits", NULL };
304 const char *conf_dn_s;
305 struct ldb_message_element *el;
306 struct ldb_result *res = NULL;
307 struct ldb_dn *basedn;
308 struct ldb_dn *conf_dn;
309 struct ldb_dn *policy_dn;
312 /* set defaults limits in case of failure */
313 conn->limits.initial_timeout = 120;
314 conn->limits.conn_idle_time = 900;
315 conn->limits.max_page_size = 1000;
316 conn->limits.search_timeout = 120;
319 tmp_ctx = talloc_new(conn);
320 if (tmp_ctx == NULL) {
324 basedn = ldb_dn_explode(tmp_ctx, "");
325 if (basedn == NULL) {
329 ret = ldb_search(conn->ldb, basedn, LDB_SCOPE_BASE, NULL, attrs, &res);
330 talloc_steal(tmp_ctx, res);
331 if (ret != LDB_SUCCESS || res->count != 1) {
335 conf_dn_s = ldb_msg_find_string(res->msgs[0], "configurationNamingContext", NULL);
336 if (conf_dn_s == NULL) {
339 conf_dn = ldb_dn_explode(tmp_ctx, conf_dn_s);
340 if (conf_dn == NULL) {
344 policy_dn = ldb_dn_string_compose(tmp_ctx, conf_dn, "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services");
345 if (policy_dn == NULL) {
349 ret = ldb_search(conn->ldb, policy_dn, LDB_SCOPE_BASE, NULL, attrs2, &res);
350 talloc_steal(tmp_ctx, res);
351 if (ret != LDB_SUCCESS || res->count != 1) {
355 el = ldb_msg_find_element(res->msgs[0], "lDAPAdminLimits");
360 for (i = 0; i < el->num_values; i++) {
361 char policy_name[256];
364 s = sscanf((const char *)el->values[i].data, "%255[^=]=%d", policy_name, &policy_value);
365 if (ret != 2 || policy_value == 0)
368 if (strcasecmp("InitRecvTimeout", policy_name) == 0) {
369 conn->limits.initial_timeout = policy_value;
372 if (strcasecmp("MaxConnIdleTime", policy_name) == 0) {
373 conn->limits.conn_idle_time = policy_value;
376 if (strcasecmp("MaxPageSize", policy_name) == 0) {
377 conn->limits.max_page_size = policy_value;
380 if (strcasecmp("MaxQueryDuration", policy_name) == 0) {
381 conn->limits.search_timeout = policy_value;
389 DEBUG(0, ("Failed to load ldap server query policies\n"));
390 talloc_free(tmp_ctx);
395 initialise a server_context from a open socket and register a event handler
396 for reading from that socket
398 static void ldapsrv_accept(struct stream_connection *c)
400 struct ldapsrv_service *ldapsrv_service =
401 talloc_get_type(c->private, struct ldapsrv_service);
402 struct ldapsrv_connection *conn;
403 struct cli_credentials *server_credentials;
404 struct socket_address *socket_address;
408 conn = talloc_zero(c, struct ldapsrv_connection);
410 stream_terminate_connection(c, "ldapsrv_accept: out of memory");
414 conn->enable_wrap = False;
416 conn->connection = c;
417 conn->service = ldapsrv_service;
421 socket_address = socket_get_my_addr(c->socket, conn);
422 if (!socket_address) {
423 ldapsrv_terminate_connection(conn, "ldapsrv_accept: failed to obtain local socket address!");
426 port = socket_address->port;
427 talloc_free(socket_address);
430 c->socket = tls_init_server(ldapsrv_service->tls_params, c->socket,
433 ldapsrv_terminate_connection(conn, "ldapsrv_accept: tls_init_server() failed");
436 } else if (port == 3268) /* Global catalog */ {
437 conn->global_catalog = True;
439 conn->packet = packet_init(conn);
440 if (conn->packet == NULL) {
441 ldapsrv_terminate_connection(conn, "out of memory");
445 packet_set_private(conn->packet, conn);
446 packet_set_socket(conn->packet, c->socket);
447 packet_set_callback(conn->packet, ldapsrv_decode);
448 packet_set_full_request(conn->packet, ldapsrv_complete_packet);
449 packet_set_error_handler(conn->packet, ldapsrv_error_handler);
450 packet_set_event_context(conn->packet, c->event.ctx);
451 packet_set_fde(conn->packet, c->event.fde);
452 packet_set_serialise(conn->packet);
454 /* Ensure we don't get packets until the database is ready below */
455 packet_recv_disable(conn->packet);
458 = cli_credentials_init(conn);
459 if (!server_credentials) {
460 stream_terminate_connection(c, "Failed to init server credentials\n");
464 cli_credentials_set_conf(server_credentials);
465 status = cli_credentials_set_machine_account(server_credentials);
466 if (!NT_STATUS_IS_OK(status)) {
467 stream_terminate_connection(c, talloc_asprintf(conn, "Failed to obtain server credentials, perhaps a standalone server?: %s\n", nt_errstr(status)));
470 conn->server_credentials = server_credentials;
472 /* Connections start out anonymous */
473 if (!NT_STATUS_IS_OK(auth_anonymous_session_info(conn, &conn->session_info))) {
474 ldapsrv_terminate_connection(conn, "failed to setup anonymous session info");
478 if (!NT_STATUS_IS_OK(ldapsrv_backend_Init(conn))) {
479 ldapsrv_terminate_connection(conn, "backend Init failed");
483 /* load limits from the conf partition */
484 ldapsrv_load_limits(conn); /* should we fail on error ? */
486 /* register the server */
487 irpc_add_name(c->msg_ctx, "ldap_server");
489 /* set connections limits */
490 conn->limits.ite = event_add_timed(c->event.ctx, conn,
491 timeval_current_ofs(conn->limits.initial_timeout, 0),
492 ldapsrv_conn_init_timeout, conn);
494 packet_recv_enable(conn->packet);
498 static const struct stream_server_ops ldap_stream_ops = {
500 .accept_connection = ldapsrv_accept,
501 .recv_handler = ldapsrv_recv,
502 .send_handler = ldapsrv_send,
506 add a socket address to the list of events, one event per port
508 static NTSTATUS add_socket(struct event_context *event_context,
509 const struct model_ops *model_ops,
510 const char *address, struct ldapsrv_service *ldap_service)
515 status = stream_setup_socket(event_context, model_ops, &ldap_stream_ops,
516 "ipv4", address, &port, ldap_service);
517 if (!NT_STATUS_IS_OK(status)) {
518 DEBUG(0,("ldapsrv failed to bind to %s:%u - %s\n",
519 address, port, nt_errstr(status)));
522 if (tls_support(ldap_service->tls_params)) {
523 /* add ldaps server */
525 status = stream_setup_socket(event_context, model_ops, &ldap_stream_ops,
526 "ipv4", address, &port, ldap_service);
527 if (!NT_STATUS_IS_OK(status)) {
528 DEBUG(0,("ldapsrv failed to bind to %s:%u - %s\n",
529 address, port, nt_errstr(status)));
533 /* if we are a PDC, then also enable the global catalog server port, 3268 */
534 if (lp_server_role() == ROLE_DOMAIN_PDC) {
536 status = stream_setup_socket(event_context, model_ops, &ldap_stream_ops,
537 "ipv4", address, &port, ldap_service);
538 if (!NT_STATUS_IS_OK(status)) {
539 DEBUG(0,("ldapsrv failed to bind to %s:%u - %s\n",
540 address, port, nt_errstr(status)));
548 open the ldap server sockets
550 static void ldapsrv_task_init(struct task_server *task)
552 struct ldapsrv_service *ldap_service;
555 task_server_set_title(task, "task[ldapsrv]");
557 ldap_service = talloc_zero(task, struct ldapsrv_service);
558 if (ldap_service == NULL) goto failed;
560 ldap_service->tls_params = tls_initialise(ldap_service);
561 if (ldap_service->tls_params == NULL) goto failed;
563 if (lp_interfaces() && lp_bind_interfaces_only()) {
564 int num_interfaces = iface_count();
567 /* We have been given an interfaces line, and been
568 told to only bind to those interfaces. Create a
569 socket per interface and bind to only these.
571 for(i = 0; i < num_interfaces; i++) {
572 const char *address = iface_n_ip(i);
573 status = add_socket(task->event_ctx, task->model_ops, address, ldap_service);
574 if (!NT_STATUS_IS_OK(status)) goto failed;
577 status = add_socket(task->event_ctx, task->model_ops, lp_socket_address(), ldap_service);
578 if (!NT_STATUS_IS_OK(status)) goto failed;
584 task_server_terminate(task, "Failed to startup ldap server task");
588 called on startup of the web server service It's job is to start
589 listening on all configured sockets
591 static NTSTATUS ldapsrv_init(struct event_context *event_context,
592 const struct model_ops *model_ops)
594 return task_server_startup(event_context, model_ops, ldapsrv_task_init);
598 NTSTATUS server_service_ldap_init(void)
600 return register_server_service("ldap", ldapsrv_init);