2 Unix SMB/CIFS implementation.
6 Copyright (C) Andrew Tridgell 2005
7 Copyright (C) Volker Lendecke 2004
8 Copyright (C) Stefan Metzmacher 2004
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "lib/events/events.h"
26 #include "auth/auth.h"
27 #include "auth/credentials/credentials.h"
28 #include "librpc/gen_ndr/ndr_samr.h"
29 #include "lib/util/dlinklist.h"
30 #include "libcli/util/asn_1.h"
31 #include "ldap_server/ldap_server.h"
32 #include "smbd/service_task.h"
33 #include "smbd/service_stream.h"
34 #include "smbd/service.h"
35 #include "smbd/process_model.h"
36 #include "lib/tls/tls.h"
37 #include "lib/messaging/irpc.h"
38 #include "lib/ldb/include/ldb.h"
39 #include "lib/ldb/include/ldb_errors.h"
40 #include "system/network.h"
41 #include "lib/socket/netif.h"
42 #include "dsdb/samdb/samdb.h"
44 close the socket and shutdown a server_context
46 void ldapsrv_terminate_connection(struct ldapsrv_connection *conn,
49 stream_terminate_connection(conn->connection, reason);
55 static void ldapsrv_error_handler(void *private, NTSTATUS status)
57 struct ldapsrv_connection *conn = talloc_get_type(private,
58 struct ldapsrv_connection);
59 ldapsrv_terminate_connection(conn, nt_errstr(status));
63 process a decoded ldap message
65 static void ldapsrv_process_message(struct ldapsrv_connection *conn,
66 struct ldap_message *msg)
68 struct ldapsrv_call *call;
72 call = talloc(conn, struct ldapsrv_call);
74 ldapsrv_terminate_connection(conn, "no memory");
78 call->request = talloc_steal(call, msg);
81 call->send_callback = NULL;
82 call->send_private = NULL;
85 status = ldapsrv_do_call(call);
86 if (!NT_STATUS_IS_OK(status)) {
91 blob = data_blob(NULL, 0);
93 if (call->replies == NULL) {
98 /* build all the replies into a single blob */
99 while (call->replies) {
103 msg = call->replies->msg;
104 if (!ldap_encode(msg, &b, call)) {
105 DEBUG(0,("Failed to encode ldap reply of type %d\n", msg->type));
110 ret = data_blob_append(call, &blob, b.data, b.length);
113 talloc_set_name_const(blob.data, "Outgoing, encoded LDAP packet");
120 DLIST_REMOVE(call->replies, call->replies);
123 packet_send_callback(conn->packet, blob,
124 call->send_callback, call->send_private);
132 static NTSTATUS ldapsrv_decode(void *private, DATA_BLOB blob)
135 struct ldapsrv_connection *conn = talloc_get_type(private,
136 struct ldapsrv_connection);
137 struct asn1_data *asn1 = asn1_init(conn);
138 struct ldap_message *msg = talloc(conn, struct ldap_message);
140 if (asn1 == NULL || msg == NULL) {
141 return NT_STATUS_NO_MEMORY;
144 if (!asn1_load(asn1, blob)) {
147 return NT_STATUS_NO_MEMORY;
150 status = ldap_decode(asn1, msg);
151 if (!NT_STATUS_IS_OK(status)) {
156 data_blob_free(&blob);
157 ldapsrv_process_message(conn, msg);
165 static void ldapsrv_conn_idle_timeout(struct event_context *ev,
166 struct timed_event *te,
170 struct ldapsrv_connection *conn = talloc_get_type(private, struct ldapsrv_connection);
172 ldapsrv_terminate_connection(conn, "Timeout. No requests after bind");
176 called when a LDAP socket becomes readable
178 void ldapsrv_recv(struct stream_connection *c, uint16_t flags)
180 struct ldapsrv_connection *conn =
181 talloc_get_type(c->private, struct ldapsrv_connection);
183 if (conn->limits.ite) { /* clean initial timeout if any */
184 talloc_free(conn->limits.ite);
185 conn->limits.ite = NULL;
188 if (conn->limits.te) { /* clean idle timeout if any */
189 talloc_free(conn->limits.te);
190 conn->limits.te = NULL;
193 packet_recv(conn->packet);
195 /* set idle timeout */
196 conn->limits.te = event_add_timed(c->event.ctx, conn,
197 timeval_current_ofs(conn->limits.conn_idle_time, 0),
198 ldapsrv_conn_idle_timeout, conn);
202 called when a LDAP socket becomes writable
204 static void ldapsrv_send(struct stream_connection *c, uint16_t flags)
206 struct ldapsrv_connection *conn =
207 talloc_get_type(c->private, struct ldapsrv_connection);
209 packet_queue_run(conn->packet);
212 static void ldapsrv_conn_init_timeout(struct event_context *ev,
213 struct timed_event *te,
217 struct ldapsrv_connection *conn = talloc_get_type(private, struct ldapsrv_connection);
219 ldapsrv_terminate_connection(conn, "Timeout. No requests after initial connection");
222 static int ldapsrv_load_limits(struct ldapsrv_connection *conn)
225 const char *attrs[] = { "configurationNamingContext", NULL };
226 const char *attrs2[] = { "lDAPAdminLimits", NULL };
227 struct ldb_message_element *el;
228 struct ldb_result *res = NULL;
229 struct ldb_dn *basedn;
230 struct ldb_dn *conf_dn;
231 struct ldb_dn *policy_dn;
234 /* set defaults limits in case of failure */
235 conn->limits.initial_timeout = 120;
236 conn->limits.conn_idle_time = 900;
237 conn->limits.max_page_size = 1000;
238 conn->limits.search_timeout = 120;
241 tmp_ctx = talloc_new(conn);
242 if (tmp_ctx == NULL) {
246 basedn = ldb_dn_new(tmp_ctx, conn->ldb, NULL);
247 if ( ! ldb_dn_validate(basedn)) {
251 ret = ldb_search(conn->ldb, basedn, LDB_SCOPE_BASE, NULL, attrs, &res);
252 if (ret != LDB_SUCCESS) {
256 talloc_steal(tmp_ctx, res);
258 if (res->count != 1) {
262 conf_dn = ldb_msg_find_attr_as_dn(conn->ldb, tmp_ctx, res->msgs[0], "configurationNamingContext");
263 if (conf_dn == NULL) {
267 policy_dn = ldb_dn_copy(tmp_ctx, conf_dn);
268 ldb_dn_add_child_fmt(policy_dn, "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services");
269 if (policy_dn == NULL) {
273 ret = ldb_search(conn->ldb, policy_dn, LDB_SCOPE_BASE, NULL, attrs2, &res);
274 if (ret != LDB_SUCCESS) {
278 talloc_steal(tmp_ctx, res);
280 if (res->count != 1) {
284 el = ldb_msg_find_element(res->msgs[0], "lDAPAdminLimits");
289 for (i = 0; i < el->num_values; i++) {
290 char policy_name[256];
293 s = sscanf((const char *)el->values[i].data, "%255[^=]=%d", policy_name, &policy_value);
294 if (ret != 2 || policy_value == 0)
297 if (strcasecmp("InitRecvTimeout", policy_name) == 0) {
298 conn->limits.initial_timeout = policy_value;
301 if (strcasecmp("MaxConnIdleTime", policy_name) == 0) {
302 conn->limits.conn_idle_time = policy_value;
305 if (strcasecmp("MaxPageSize", policy_name) == 0) {
306 conn->limits.max_page_size = policy_value;
309 if (strcasecmp("MaxQueryDuration", policy_name) == 0) {
310 conn->limits.search_timeout = policy_value;
318 DEBUG(0, ("Failed to load ldap server query policies\n"));
319 talloc_free(tmp_ctx);
324 initialise a server_context from a open socket and register a event handler
325 for reading from that socket
327 static void ldapsrv_accept(struct stream_connection *c)
329 struct ldapsrv_service *ldapsrv_service =
330 talloc_get_type(c->private, struct ldapsrv_service);
331 struct ldapsrv_connection *conn;
332 struct cli_credentials *server_credentials;
333 struct socket_address *socket_address;
337 conn = talloc_zero(c, struct ldapsrv_connection);
339 stream_terminate_connection(c, "ldapsrv_accept: out of memory");
344 conn->connection = c;
345 conn->service = ldapsrv_service;
346 conn->sockets.raw = c->socket;
350 socket_address = socket_get_my_addr(c->socket, conn);
351 if (!socket_address) {
352 ldapsrv_terminate_connection(conn, "ldapsrv_accept: failed to obtain local socket address!");
355 port = socket_address->port;
356 talloc_free(socket_address);
359 struct socket_context *tls_socket = tls_init_server(ldapsrv_service->tls_params, c->socket,
362 ldapsrv_terminate_connection(conn, "ldapsrv_accept: tls_init_server() failed");
365 talloc_unlink(c, c->socket);
366 talloc_steal(c, tls_socket);
367 c->socket = tls_socket;
368 conn->sockets.tls = tls_socket;
370 } else if (port == 3268) /* Global catalog */ {
371 conn->global_catalog = True;
373 conn->packet = packet_init(conn);
374 if (conn->packet == NULL) {
375 ldapsrv_terminate_connection(conn, "out of memory");
379 packet_set_private(conn->packet, conn);
380 packet_set_socket(conn->packet, c->socket);
381 packet_set_callback(conn->packet, ldapsrv_decode);
382 packet_set_full_request(conn->packet, ldap_full_packet);
383 packet_set_error_handler(conn->packet, ldapsrv_error_handler);
384 packet_set_event_context(conn->packet, c->event.ctx);
385 packet_set_fde(conn->packet, c->event.fde);
386 packet_set_serialise(conn->packet);
388 /* Ensure we don't get packets until the database is ready below */
389 packet_recv_disable(conn->packet);
392 = cli_credentials_init(conn);
393 if (!server_credentials) {
394 stream_terminate_connection(c, "Failed to init server credentials\n");
398 cli_credentials_set_conf(server_credentials);
399 status = cli_credentials_set_machine_account(server_credentials);
400 if (!NT_STATUS_IS_OK(status)) {
401 stream_terminate_connection(c, talloc_asprintf(conn, "Failed to obtain server credentials, perhaps a standalone server?: %s\n", nt_errstr(status)));
404 conn->server_credentials = server_credentials;
406 /* Connections start out anonymous */
407 if (!NT_STATUS_IS_OK(auth_anonymous_session_info(conn, &conn->session_info))) {
408 ldapsrv_terminate_connection(conn, "failed to setup anonymous session info");
412 if (!NT_STATUS_IS_OK(ldapsrv_backend_Init(conn))) {
413 ldapsrv_terminate_connection(conn, "backend Init failed");
417 /* load limits from the conf partition */
418 ldapsrv_load_limits(conn); /* should we fail on error ? */
420 /* register the server */
421 irpc_add_name(c->msg_ctx, "ldap_server");
423 /* set connections limits */
424 conn->limits.ite = event_add_timed(c->event.ctx, conn,
425 timeval_current_ofs(conn->limits.initial_timeout, 0),
426 ldapsrv_conn_init_timeout, conn);
428 packet_recv_enable(conn->packet);
432 static const struct stream_server_ops ldap_stream_ops = {
434 .accept_connection = ldapsrv_accept,
435 .recv_handler = ldapsrv_recv,
436 .send_handler = ldapsrv_send,
440 add a socket address to the list of events, one event per port
442 static NTSTATUS add_socket(struct event_context *event_context,
443 const struct model_ops *model_ops,
444 const char *address, struct ldapsrv_service *ldap_service)
448 const char *attrs[] = { "options", NULL };
450 struct ldb_result *res;
451 struct ldb_context *ldb;
454 status = stream_setup_socket(event_context, model_ops, &ldap_stream_ops,
455 "ipv4", address, &port, ldap_service);
456 if (!NT_STATUS_IS_OK(status)) {
457 DEBUG(0,("ldapsrv failed to bind to %s:%u - %s\n",
458 address, port, nt_errstr(status)));
461 if (tls_support(ldap_service->tls_params)) {
462 /* add ldaps server */
464 status = stream_setup_socket(event_context, model_ops, &ldap_stream_ops,
465 "ipv4", address, &port, ldap_service);
466 if (!NT_STATUS_IS_OK(status)) {
467 DEBUG(0,("ldapsrv failed to bind to %s:%u - %s\n",
468 address, port, nt_errstr(status)));
472 /* Load LDAP database */
473 ldb = samdb_connect(ldap_service, system_session(ldap_service));
475 return NT_STATUS_INTERNAL_DB_CORRUPTION;
478 /* Query cn=ntds settings,.... */
479 ret = ldb_search(ldb, samdb_ntds_settings_dn(ldb), LDB_SCOPE_BASE, NULL, attrs, &res);
481 return NT_STATUS_INTERNAL_DB_CORRUPTION;
483 if (res->count != 1) {
485 return NT_STATUS_NOT_FOUND;
488 options = ldb_msg_find_attr_as_int(res->msgs[0], "options", 0);
492 /* if options attribute has the 0x00000001 flag set, then enable the global catlog */
493 if (options & 0x000000001) {
495 status = stream_setup_socket(event_context, model_ops, &ldap_stream_ops,
496 "ipv4", address, &port, ldap_service);
497 if (!NT_STATUS_IS_OK(status)) {
498 DEBUG(0,("ldapsrv failed to bind to %s:%u - %s\n",
499 address, port, nt_errstr(status)));
507 open the ldap server sockets
509 static void ldapsrv_task_init(struct task_server *task)
511 struct ldapsrv_service *ldap_service;
513 const struct model_ops *model_ops;
515 task_server_set_title(task, "task[ldapsrv]");
517 /* run the ldap server as a single process */
518 model_ops = process_model_byname("single");
519 if (!model_ops) goto failed;
521 ldap_service = talloc_zero(task, struct ldapsrv_service);
522 if (ldap_service == NULL) goto failed;
524 ldap_service->tls_params = tls_initialise(ldap_service);
525 if (ldap_service->tls_params == NULL) goto failed;
527 if (lp_interfaces() && lp_bind_interfaces_only()) {
528 int num_interfaces = iface_count();
531 /* We have been given an interfaces line, and been
532 told to only bind to those interfaces. Create a
533 socket per interface and bind to only these.
535 for(i = 0; i < num_interfaces; i++) {
536 const char *address = iface_n_ip(i);
537 status = add_socket(task->event_ctx, model_ops, address, ldap_service);
538 if (!NT_STATUS_IS_OK(status)) goto failed;
541 status = add_socket(task->event_ctx, model_ops, lp_socket_address(), ldap_service);
542 if (!NT_STATUS_IS_OK(status)) goto failed;
548 task_server_terminate(task, "Failed to startup ldap server task");
552 called on startup of the web server service It's job is to start
553 listening on all configured sockets
555 static NTSTATUS ldapsrv_init(struct event_context *event_context,
556 const struct model_ops *model_ops)
558 return task_server_startup(event_context, model_ops, ldapsrv_task_init);
562 NTSTATUS server_service_ldap_init(void)
564 return register_server_service("ldap", ldapsrv_init);