2 Unix SMB/CIFS implementation.
6 Copyright (C) Andrew Tridgell 2005
7 Copyright (C) Volker Lendecke 2004
8 Copyright (C) Stefan Metzmacher 2004
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 2 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program; if not, write to the Free Software
22 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
26 #include "lib/events/events.h"
27 #include "auth/auth.h"
28 #include "dlinklist.h"
30 #include "ldap_server/ldap_server.h"
31 #include "smbd/service_task.h"
32 #include "smbd/service_stream.h"
33 #include "lib/socket/socket.h"
34 #include "lib/tls/tls.h"
35 #include "lib/messaging/irpc.h"
38 close the socket and shutdown a server_context
40 static void ldapsrv_terminate_connection(struct ldapsrv_connection *conn,
44 talloc_free(conn->tls);
47 stream_terminate_connection(conn->connection, reason);
51 process a decoded ldap message
53 static void ldapsrv_process_message(struct ldapsrv_connection *conn,
54 struct ldap_message *msg)
56 struct ldapsrv_call *call;
59 struct data_blob_list_item *q;
60 BOOL enable_wrap = conn->enable_wrap;
62 call = talloc(conn, struct ldapsrv_call);
64 ldapsrv_terminate_connection(conn, "no memory");
68 call->request = talloc_steal(call, msg);
73 status = ldapsrv_do_call(call);
74 if (!NT_STATUS_IS_OK(status)) {
78 blob = data_blob(NULL, 0);
80 if (call->replies == NULL) {
85 /* build all the replies into a single blob */
86 while (call->replies) {
89 msg = call->replies->msg;
90 if (!ldap_encode(msg, &b, call)) {
91 DEBUG(0,("Failed to encode ldap reply of type %d\n", msg->type));
95 status = data_blob_append(call, &blob, b.data, b.length);
98 if (!NT_STATUS_IS_OK(status)) goto failed;
100 DLIST_REMOVE(call->replies, call->replies);
103 /* possibly encrypt/sign the reply */
107 status = gensec_wrap(conn->gensec, call, &blob, &wrapped);
108 if (!NT_STATUS_IS_OK(status)) {
111 data_blob_free(&blob);
112 blob = data_blob_talloc(call, NULL, wrapped.length + 4);
113 if (blob.data == NULL) {
116 RSIVAL(blob.data, 0, wrapped.length);
117 memcpy(blob.data+4, wrapped.data, wrapped.length);
118 data_blob_free(&wrapped);
121 q = talloc(conn, struct data_blob_list_item);
122 if (q == NULL) goto failed;
125 talloc_steal(q, blob.data);
127 if (conn->send_queue == NULL) {
128 EVENT_FD_WRITEABLE(conn->connection->event.fde);
130 DLIST_ADD_END(conn->send_queue, q, struct data_blob_list_item *);
140 try and decode the partial input buffer
142 static void ldapsrv_try_decode_plain(struct ldapsrv_connection *conn)
144 struct asn1_data asn1;
146 if (!asn1_load(&asn1, conn->partial)) {
147 ldapsrv_terminate_connection(conn, "out of memory");
151 /* try and decode - this will fail if we don't have a full packet yet */
152 while (asn1.ofs < asn1.length) {
153 struct ldap_message *msg = talloc(conn, struct ldap_message);
154 off_t saved_ofs = asn1.ofs;
157 ldapsrv_terminate_connection(conn, "out of memory");
161 if (ldap_decode(&asn1, msg)) {
162 ldapsrv_process_message(conn, msg);
164 if (asn1.ofs < asn1.length) {
165 ldapsrv_terminate_connection(conn, "ldap_decode failed");
168 asn1.ofs = saved_ofs;
174 /* keep any remaining data in conn->partial */
175 data_blob_free(&conn->partial);
176 if (asn1.ofs != asn1.length) {
177 conn->partial = data_blob_talloc(conn,
178 asn1.data + asn1.ofs,
179 asn1.length - asn1.ofs);
186 try and decode/process wrapped data
188 static void ldapsrv_try_decode_wrapped(struct ldapsrv_connection *conn)
192 /* keep decoding while we have a full wrapped packet */
193 while (conn->partial.length >= 4 &&
194 (len=RIVAL(conn->partial.data, 0)) <= conn->partial.length-4) {
195 DATA_BLOB wrapped, unwrapped;
196 struct asn1_data asn1;
197 struct ldap_message *msg = talloc(conn, struct ldap_message);
201 ldapsrv_terminate_connection(conn, "out of memory");
205 wrapped.data = conn->partial.data+4;
206 wrapped.length = len;
208 status = gensec_unwrap(conn->gensec, msg, &wrapped, &unwrapped);
209 if (!NT_STATUS_IS_OK(status)) {
210 ldapsrv_terminate_connection(conn, "gensec unwrap failed");
214 if (!asn1_load(&asn1, unwrapped)) {
215 ldapsrv_terminate_connection(conn, "out of memory");
219 while (ldap_decode(&asn1, msg)) {
220 ldapsrv_process_message(conn, msg);
221 msg = talloc(conn, struct ldap_message);
224 if (asn1.ofs < asn1.length) {
225 ldapsrv_terminate_connection(conn, "ldap_decode failed");
232 if (conn->partial.length == len + 4) {
233 data_blob_free(&conn->partial);
235 memmove(conn->partial.data, conn->partial.data+len+4,
236 conn->partial.length - (len+4));
237 conn->partial.length -= len + 4;
244 called when a LDAP socket becomes readable
246 static void ldapsrv_recv(struct stream_connection *c, uint16_t flags)
248 struct ldapsrv_connection *conn =
249 talloc_get_type(c->private, struct ldapsrv_connection);
251 size_t npending, nread;
253 if (conn->processing) {
254 EVENT_FD_NOT_READABLE(c->event.fde);
258 /* work out how much data is pending */
259 status = tls_socket_pending(conn->tls, &npending);
260 if (!NT_STATUS_IS_OK(status)) {
261 ldapsrv_terminate_connection(conn, "socket_pending() failed");
265 ldapsrv_terminate_connection(conn, "EOF from client");
269 conn->partial.data = talloc_realloc_size(conn, conn->partial.data,
270 conn->partial.length + npending);
271 if (conn->partial.data == NULL) {
272 ldapsrv_terminate_connection(conn, "out of memory");
276 /* receive the data */
277 status = tls_socket_recv(conn->tls, conn->partial.data + conn->partial.length,
279 if (NT_STATUS_IS_ERR(status)) {
280 ldapsrv_terminate_connection(conn, "socket_recv() failed");
283 if (!NT_STATUS_IS_OK(status)) {
287 ldapsrv_terminate_connection(conn, "EOF from client");
290 conn->partial.length += nread;
292 conn->processing = True;
293 /* see if we can decode what we have */
294 if (conn->enable_wrap) {
295 ldapsrv_try_decode_wrapped(conn);
297 ldapsrv_try_decode_plain(conn);
299 conn->processing = False;
301 EVENT_FD_READABLE(c->event.fde);
305 called when a LDAP socket becomes writable
307 static void ldapsrv_send(struct stream_connection *c, uint16_t flags)
309 struct ldapsrv_connection *conn =
310 talloc_get_type(c->private, struct ldapsrv_connection);
311 while (conn->send_queue) {
312 struct data_blob_list_item *q = conn->send_queue;
316 status = tls_socket_send(conn->tls, &q->blob, &nsent);
317 if (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES)) {
320 if (!NT_STATUS_IS_OK(status)) {
321 ldapsrv_terminate_connection(conn, "socket_send error");
325 q->blob.data += nsent;
326 q->blob.length -= nsent;
327 if (q->blob.length == 0) {
328 DLIST_REMOVE(conn->send_queue, q);
331 if (conn->send_queue == NULL) {
332 EVENT_FD_NOT_WRITEABLE(c->event.fde);
337 initialise a server_context from a open socket and register a event handler
338 for reading from that socket
340 static void ldapsrv_accept(struct stream_connection *c)
342 struct ldapsrv_service *ldapsrv_service =
343 talloc_get_type(c->private, struct ldapsrv_service);
344 struct ldapsrv_connection *conn;
347 conn = talloc_zero(c, struct ldapsrv_connection);
349 stream_terminate_connection(c, "ldapsrv_accept: out of memory");
353 conn->enable_wrap = False;
354 conn->partial = data_blob(NULL, 0);
355 conn->send_queue = NULL;
356 conn->connection = c;
357 conn->service = ldapsrv_service;
358 conn->processing = False;
361 port = socket_get_my_port(c->socket);
363 /* note that '0' is a ASN1_SEQUENCE(0), which is the first byte on
364 any ldap connection */
365 conn->tls = tls_init_server(ldapsrv_service->tls_params, c->socket,
366 c->event.fde, NULL, port != 389);
368 ldapsrv_terminate_connection(conn, "ldapsrv_accept: tls_init_server() failed");
372 irpc_add_name(c->msg_ctx, "ldap_server");
375 static const struct stream_server_ops ldap_stream_ops = {
377 .accept_connection = ldapsrv_accept,
378 .recv_handler = ldapsrv_recv,
379 .send_handler = ldapsrv_send,
383 add a socket address to the list of events, one event per port
385 static NTSTATUS add_socket(struct event_context *event_context,
386 const struct model_ops *model_ops,
387 const char *address, struct ldapsrv_service *ldap_service)
392 status = stream_setup_socket(event_context, model_ops, &ldap_stream_ops,
393 "ipv4", address, &port, ldap_service);
394 if (!NT_STATUS_IS_OK(status)) {
395 DEBUG(0,("ldapsrv failed to bind to %s:%u - %s\n",
396 address, port, nt_errstr(status)));
399 if (tls_support(ldap_service->tls_params)) {
400 /* add ldaps server */
402 status = stream_setup_socket(event_context, model_ops, &ldap_stream_ops,
403 "ipv4", address, &port, ldap_service);
404 if (!NT_STATUS_IS_OK(status)) {
405 DEBUG(0,("ldapsrv failed to bind to %s:%u - %s\n",
406 address, port, nt_errstr(status)));
414 open the ldap server sockets
416 static void ldapsrv_task_init(struct task_server *task)
418 struct ldapsrv_service *ldap_service;
419 struct ldapsrv_partition *rootDSE_part;
420 struct ldapsrv_partition *part;
423 ldap_service = talloc_zero(task, struct ldapsrv_service);
424 if (ldap_service == NULL) goto failed;
426 ldap_service->tls_params = tls_initialise(ldap_service);
427 if (ldap_service->tls_params == NULL) goto failed;
429 rootDSE_part = talloc(ldap_service, struct ldapsrv_partition);
430 if (rootDSE_part == NULL) goto failed;
432 rootDSE_part->base_dn = ""; /* RootDSE */
433 rootDSE_part->ops = ldapsrv_get_rootdse_partition_ops();
435 ldap_service->rootDSE = rootDSE_part;
436 DLIST_ADD_END(ldap_service->partitions, rootDSE_part, struct ldapsrv_partition *);
438 part = talloc(ldap_service, struct ldapsrv_partition);
439 if (part == NULL) goto failed;
441 part->base_dn = "*"; /* default partition */
442 if (lp_parm_bool(-1, "ldapsrv", "hacked", False)) {
443 part->ops = ldapsrv_get_hldb_partition_ops();
445 part->ops = ldapsrv_get_sldb_partition_ops();
448 ldap_service->default_partition = part;
449 DLIST_ADD_END(ldap_service->partitions, part, struct ldapsrv_partition *);
451 if (lp_interfaces() && lp_bind_interfaces_only()) {
452 int num_interfaces = iface_count();
455 /* We have been given an interfaces line, and been
456 told to only bind to those interfaces. Create a
457 socket per interface and bind to only these.
459 for(i = 0; i < num_interfaces; i++) {
460 const char *address = iface_n_ip(i);
461 status = add_socket(task->event_ctx, task->model_ops, address, ldap_service);
462 if (!NT_STATUS_IS_OK(status)) goto failed;
465 status = add_socket(task->event_ctx, task->model_ops, lp_socket_address(), ldap_service);
466 if (!NT_STATUS_IS_OK(status)) goto failed;
472 task_server_terminate(task, "Failed to startup ldap server task");
476 called on startup of the web server service It's job is to start
477 listening on all configured sockets
479 static NTSTATUS ldapsrv_init(struct event_context *event_context,
480 const struct model_ops *model_ops)
482 return task_server_startup(event_context, model_ops, ldapsrv_task_init);
486 NTSTATUS server_service_ldap_init(void)
488 return register_server_service("ldap", ldapsrv_init);