source4/ldap_server/ldap_server.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    LDAP server
   5
   6    Copyright (C) Andrew Tridgell 2005
   7    Copyright (C) Volker Lendecke 2004
   8    Copyright (C) Stefan Metzmacher 2004
   9
  10    This program is free software; you can redistribute it and/or modify
  11    it under the terms of the GNU General Public License as published by
  12    the Free Software Foundation; either version 3 of the License, or
  13    (at your option) any later version.
  14
  15    This program is distributed in the hope that it will be useful,
  16    but WITHOUT ANY WARRANTY; without even the implied warranty of
  17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18    GNU General Public License for more details.
  19
  20    You should have received a copy of the GNU General Public License
  21    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  22 */
  23
  24 #include "includes.h"
  25 #include "lib/events/events.h"
  26 #include "auth/auth.h"
  27 #include "auth/credentials/credentials.h"
  28 #include "librpc/gen_ndr/ndr_samr.h"
  29 #include "lib/util/dlinklist.h"
  30 #include "libcli/util/asn_1.h"
  31 #include "ldap_server/ldap_server.h"
  32 #include "smbd/service_task.h"
  33 #include "smbd/service_stream.h"
  34 #include "smbd/service.h"
  35 #include "smbd/process_model.h"
  36 #include "lib/tls/tls.h"
  37 #include "lib/messaging/irpc.h"
  38 #include "lib/ldb/include/ldb.h"
  39 #include "lib/ldb/include/ldb_errors.h"
  40 #include "system/network.h"
  41 #include "lib/socket/netif.h"
  42 #include "dsdb/samdb/samdb.h"
  43 /*
  44   close the socket and shutdown a server_context
  45 */
  46 void ldapsrv_terminate_connection(struct ldapsrv_connection *conn,
  47                                          const char *reason)
  48 {
  49         stream_terminate_connection(conn->connection, reason);
  50 }
  51
  52 /*
  53   handle packet errors
  54 */
  55 static void ldapsrv_error_handler(void *private, NTSTATUS status)
  56 {
  57         struct ldapsrv_connection *conn = talloc_get_type(private,
  58                                                           struct ldapsrv_connection);
  59         ldapsrv_terminate_connection(conn, nt_errstr(status));
  60 }
  61
  62 /*
  63   process a decoded ldap message
  64 */
  65 static void ldapsrv_process_message(struct ldapsrv_connection *conn,
  66                                     struct ldap_message *msg)
  67 {
  68         struct ldapsrv_call *call;
  69         NTSTATUS status;
  70         DATA_BLOB blob;
  71
  72         call = talloc(conn, struct ldapsrv_call);
  73         if (!call) {
  74                 ldapsrv_terminate_connection(conn, "no memory");
  75                 return;
  76         }
  77
  78         call->request = talloc_steal(call, msg);
  79         call->conn = conn;
  80         call->replies = NULL;
  81         call->send_callback = NULL;
  82         call->send_private = NULL;
  83
  84         /* make the call */
  85         status = ldapsrv_do_call(call);
  86         if (!NT_STATUS_IS_OK(status)) {
  87                 talloc_free(call);
  88                 return;
  89         }
  90
  91         blob = data_blob(NULL, 0);
  92
  93         if (call->replies == NULL) {
  94                 talloc_free(call);
  95                 return;
  96         }
  97
  98         /* build all the replies into a single blob */
  99         while (call->replies) {
 100                 DATA_BLOB b;
 101                 bool ret;
 102
 103                 msg = call->replies->msg;
 104                 if (!ldap_encode(msg, &b, call)) {
 105                         DEBUG(0,("Failed to encode ldap reply of type %d\n", msg->type));
 106                         talloc_free(call);
 107                         return;
 108                 }
 109
 110                 ret = data_blob_append(call, &blob, b.data, b.length);
 111                 data_blob_free(&b);
 112
 113                 talloc_set_name_const(blob.data, "Outgoing, encoded LDAP packet");
 114
 115                 if (!ret) {
 116                         talloc_free(call);
 117                         return;
 118                 }
 119
 120                 DLIST_REMOVE(call->replies, call->replies);
 121         }
 122
 123         packet_send_callback(conn->packet, blob,
 124                              call->send_callback, call->send_private);
 125         talloc_free(call);
 126         return;
 127 }
 128
 129 /*
 130   decode/process data
 131 */
 132 static NTSTATUS ldapsrv_decode(void *private, DATA_BLOB blob)
 133 {
 134         NTSTATUS status;
 135         struct ldapsrv_connection *conn = talloc_get_type(private,
 136                                                           struct ldapsrv_connection);
 137         struct asn1_data *asn1 = asn1_init(conn);
 138         struct ldap_message *msg = talloc(conn, struct ldap_message);
 139
 140         if (asn1 == NULL || msg == NULL) {
 141                 return NT_STATUS_NO_MEMORY;
 142         }
 143
 144         if (!asn1_load(asn1, blob)) {
 145                 talloc_free(msg);
 146                 talloc_free(asn1);
 147                 return NT_STATUS_NO_MEMORY;
 148         }
 149
 150         status = ldap_decode(asn1, msg);
 151         if (!NT_STATUS_IS_OK(status)) {
 152                 asn1_free(asn1);
 153                 return status;
 154         }
 155
 156         data_blob_free(&blob);
 157         ldapsrv_process_message(conn, msg);
 158         asn1_free(asn1);
 159         return NT_STATUS_OK;
 160 }
 161
 162 /*
 163  Idle timeout handler
 164 */
 165 static void ldapsrv_conn_idle_timeout(struct event_context *ev,
 166                                       struct timed_event *te,
 167                                       struct timeval t,
 168                                       void *private)
 169 {
 170         struct ldapsrv_connection *conn = talloc_get_type(private, struct ldapsrv_connection);
 171
 172         ldapsrv_terminate_connection(conn, "Timeout. No requests after bind");
 173 }
 174
 175 /*
 176   called when a LDAP socket becomes readable
 177 */
 178 void ldapsrv_recv(struct stream_connection *c, uint16_t flags)
 179 {
 180         struct ldapsrv_connection *conn =
 181                 talloc_get_type(c->private, struct ldapsrv_connection);
 182
 183         if (conn->limits.ite) { /* clean initial timeout if any */
 184                 talloc_free(conn->limits.ite);
 185                 conn->limits.ite = NULL;
 186         }
 187
 188         if (conn->limits.te) { /* clean idle timeout if any */
 189                 talloc_free(conn->limits.te);
 190                 conn->limits.te = NULL;
 191         }
 192
 193         packet_recv(conn->packet);
 194
 195         /* set idle timeout */
 196         conn->limits.te = event_add_timed(c->event.ctx, conn,
 197                                            timeval_current_ofs(conn->limits.conn_idle_time, 0),
 198                                            ldapsrv_conn_idle_timeout, conn);
 199 }
 200
 201 /*
 202   called when a LDAP socket becomes writable
 203 */
 204 static void ldapsrv_send(struct stream_connection *c, uint16_t flags)
 205 {
 206         struct ldapsrv_connection *conn =
 207                 talloc_get_type(c->private, struct ldapsrv_connection);
 208
 209         packet_queue_run(conn->packet);
 210 }
 211
 212 static void ldapsrv_conn_init_timeout(struct event_context *ev,
 213                                       struct timed_event *te,
 214                                       struct timeval t,
 215                                       void *private)
 216 {
 217         struct ldapsrv_connection *conn = talloc_get_type(private, struct ldapsrv_connection);
 218
 219         ldapsrv_terminate_connection(conn, "Timeout. No requests after initial connection");
 220 }
 221
 222 static int ldapsrv_load_limits(struct ldapsrv_connection *conn)
 223 {
 224         TALLOC_CTX *tmp_ctx;
 225         const char *attrs[] = { "configurationNamingContext", NULL };
 226         const char *attrs2[] = { "lDAPAdminLimits", NULL };
 227         struct ldb_message_element *el;
 228         struct ldb_result *res = NULL;
 229         struct ldb_dn *basedn;
 230         struct ldb_dn *conf_dn;
 231         struct ldb_dn *policy_dn;
 232         int i,ret;
 233
 234         /* set defaults limits in case of failure */
 235         conn->limits.initial_timeout = 120;
 236         conn->limits.conn_idle_time = 900;
 237         conn->limits.max_page_size = 1000;
 238         conn->limits.search_timeout = 120;
 239
 240
 241         tmp_ctx = talloc_new(conn);
 242         if (tmp_ctx == NULL) {
 243                 return -1;
 244         }
 245
 246         basedn = ldb_dn_new(tmp_ctx, conn->ldb, NULL);
 247         if ( ! ldb_dn_validate(basedn)) {
 248                 goto failed;
 249         }
 250
 251         ret = ldb_search(conn->ldb, basedn, LDB_SCOPE_BASE, NULL, attrs, &res);
 252         if (ret != LDB_SUCCESS) {
 253                 goto failed;
 254         }
 255
 256         talloc_steal(tmp_ctx, res);
 257
 258         if (res->count != 1) {
 259                 goto failed;
 260         }
 261
 262         conf_dn = ldb_msg_find_attr_as_dn(conn->ldb, tmp_ctx, res->msgs[0], "configurationNamingContext");
 263         if (conf_dn == NULL) {
 264                 goto failed;
 265         }
 266
 267         policy_dn = ldb_dn_copy(tmp_ctx, conf_dn);
 268         ldb_dn_add_child_fmt(policy_dn, "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services");
 269         if (policy_dn == NULL) {
 270                 goto failed;
 271         }
 272
 273         ret = ldb_search(conn->ldb, policy_dn, LDB_SCOPE_BASE, NULL, attrs2, &res);
 274         if (ret != LDB_SUCCESS) {
 275                 goto failed;
 276         }
 277
 278         talloc_steal(tmp_ctx, res);
 279
 280         if (res->count != 1) {
 281                 goto failed;
 282         }
 283
 284         el = ldb_msg_find_element(res->msgs[0], "lDAPAdminLimits");
 285         if (el == NULL) {
 286                 goto failed;
 287         }
 288
 289         for (i = 0; i < el->num_values; i++) {
 290                 char policy_name[256];
 291                 int policy_value, s;
 292
 293                 s = sscanf((const char *)el->values[i].data, "%255[^=]=%d", policy_name, &policy_value);
 294                 if (ret != 2 || policy_value == 0)
 295                         continue;
 296
 297                 if (strcasecmp("InitRecvTimeout", policy_name) == 0) {
 298                         conn->limits.initial_timeout = policy_value;
 299                         continue;
 300                 }
 301                 if (strcasecmp("MaxConnIdleTime", policy_name) == 0) {
 302                         conn->limits.conn_idle_time = policy_value;
 303                         continue;
 304                 }
 305                 if (strcasecmp("MaxPageSize", policy_name) == 0) {
 306                         conn->limits.max_page_size = policy_value;
 307                         continue;
 308                 }
 309                 if (strcasecmp("MaxQueryDuration", policy_name) == 0) {
 310                         conn->limits.search_timeout = policy_value;
 311                         continue;
 312                 }
 313         }
 314
 315         return 0;
 316
 317 failed:
 318         DEBUG(0, ("Failed to load ldap server query policies\n"));
 319         talloc_free(tmp_ctx);
 320         return -1;
 321 }
 322
 323 /*
 324   initialise a server_context from a open socket and register a event handler
 325   for reading from that socket
 326 */
 327 static void ldapsrv_accept(struct stream_connection *c)
 328 {
 329         struct ldapsrv_service *ldapsrv_service =
 330                 talloc_get_type(c->private, struct ldapsrv_service);
 331         struct ldapsrv_connection *conn;
 332         struct cli_credentials *server_credentials;
 333         struct socket_address *socket_address;
 334         NTSTATUS status;
 335         int port;
 336
 337         conn = talloc_zero(c, struct ldapsrv_connection);
 338         if (!conn) {
 339                 stream_terminate_connection(c, "ldapsrv_accept: out of memory");
 340                 return;
 341         }
 342
 343         conn->packet      = NULL;
 344         conn->connection  = c;
 345         conn->service     = ldapsrv_service;
 346         conn->sockets.raw = c->socket;
 347
 348         c->private        = conn;
 349
 350         socket_address = socket_get_my_addr(c->socket, conn);
 351         if (!socket_address) {
 352                 ldapsrv_terminate_connection(conn, "ldapsrv_accept: failed to obtain local socket address!");
 353                 return;
 354         }
 355         port = socket_address->port;
 356         talloc_free(socket_address);
 357
 358         if (port == 636) {
 359                 struct socket_context *tls_socket = tls_init_server(ldapsrv_service->tls_params, c->socket,
 360                                                                     c->event.fde, NULL);
 361                 if (!tls_socket) {
 362                         ldapsrv_terminate_connection(conn, "ldapsrv_accept: tls_init_server() failed");
 363                         return;
 364                 }
 365                 talloc_unlink(c, c->socket);
 366                 talloc_steal(c, tls_socket);
 367                 c->socket = tls_socket;
 368                 conn->sockets.tls = tls_socket;
 369
 370         } else if (port == 3268) /* Global catalog */ {
 371                 conn->global_catalog = True;
 372         }
 373         conn->packet = packet_init(conn);
 374         if (conn->packet == NULL) {
 375                 ldapsrv_terminate_connection(conn, "out of memory");
 376                 return;
 377         }
 378
 379         packet_set_private(conn->packet, conn);
 380         packet_set_socket(conn->packet, c->socket);
 381         packet_set_callback(conn->packet, ldapsrv_decode);
 382         packet_set_full_request(conn->packet, ldap_full_packet);
 383         packet_set_error_handler(conn->packet, ldapsrv_error_handler);
 384         packet_set_event_context(conn->packet, c->event.ctx);
 385         packet_set_fde(conn->packet, c->event.fde);
 386         packet_set_serialise(conn->packet);
 387
 388         /* Ensure we don't get packets until the database is ready below */
 389         packet_recv_disable(conn->packet);
 390
 391         server_credentials
 392                 = cli_credentials_init(conn);
 393         if (!server_credentials) {
 394                 stream_terminate_connection(c, "Failed to init server credentials\n");
 395                 return;
 396         }
 397
 398         cli_credentials_set_conf(server_credentials);
 399         status = cli_credentials_set_machine_account(server_credentials);
 400         if (!NT_STATUS_IS_OK(status)) {
 401                 stream_terminate_connection(c, talloc_asprintf(conn, "Failed to obtain server credentials, perhaps a standalone server?: %s\n", nt_errstr(status)));
 402                 return;
 403         }
 404         conn->server_credentials = server_credentials;
 405
 406         /* Connections start out anonymous */
 407         if (!NT_STATUS_IS_OK(auth_anonymous_session_info(conn, &conn->session_info))) {
 408                 ldapsrv_terminate_connection(conn, "failed to setup anonymous session info");
 409                 return;
 410         }
 411
 412         if (!NT_STATUS_IS_OK(ldapsrv_backend_Init(conn))) {
 413                 ldapsrv_terminate_connection(conn, "backend Init failed");
 414                 return;
 415         }
 416
 417         /* load limits from the conf partition */
 418         ldapsrv_load_limits(conn); /* should we fail on error ? */
 419
 420         /* register the server */
 421         irpc_add_name(c->msg_ctx, "ldap_server");
 422
 423         /* set connections limits */
 424         conn->limits.ite = event_add_timed(c->event.ctx, conn,
 425                                            timeval_current_ofs(conn->limits.initial_timeout, 0),
 426                                            ldapsrv_conn_init_timeout, conn);
 427
 428         packet_recv_enable(conn->packet);
 429
 430 }
 431
 432 static const struct stream_server_ops ldap_stream_ops = {
 433         .name                   = "ldap",
 434         .accept_connection      = ldapsrv_accept,
 435         .recv_handler           = ldapsrv_recv,
 436         .send_handler           = ldapsrv_send,
 437 };
 438
 439 /*
 440   add a socket address to the list of events, one event per port
 441 */
 442 static NTSTATUS add_socket(struct event_context *event_context,
 443                            const struct model_ops *model_ops,
 444                            const char *address, struct ldapsrv_service *ldap_service)
 445 {
 446         uint16_t port = 389;
 447         NTSTATUS status;
 448         const char *attrs[] = { "options", NULL };
 449         int ret;
 450         struct ldb_result *res;
 451         struct ldb_context *ldb;
 452         int options;
 453
 454         status = stream_setup_socket(event_context, model_ops, &ldap_stream_ops,
 455                                      "ipv4", address, &port, ldap_service);
 456         if (!NT_STATUS_IS_OK(status)) {
 457                 DEBUG(0,("ldapsrv failed to bind to %s:%u - %s\n",
 458                          address, port, nt_errstr(status)));
 459         }
 460
 461         if (tls_support(ldap_service->tls_params)) {
 462                 /* add ldaps server */
 463                 port = 636;
 464                 status = stream_setup_socket(event_context, model_ops, &ldap_stream_ops,
 465                                              "ipv4", address, &port, ldap_service);
 466                 if (!NT_STATUS_IS_OK(status)) {
 467                         DEBUG(0,("ldapsrv failed to bind to %s:%u - %s\n",
 468                                  address, port, nt_errstr(status)));
 469                 }
 470         }
 471
 472         /* Load LDAP database */
 473         ldb = samdb_connect(ldap_service, system_session(ldap_service));
 474         if (!ldb) {
 475                 return NT_STATUS_INTERNAL_DB_CORRUPTION;
 476         }
 477
 478         /* Query cn=ntds settings,.... */
 479         ret = ldb_search(ldb, samdb_ntds_settings_dn(ldb), LDB_SCOPE_BASE, NULL, attrs, &res);
 480         if (ret) {
 481                 return NT_STATUS_INTERNAL_DB_CORRUPTION;
 482         }
 483         if (res->count != 1) {
 484                 talloc_free(res);
 485                 return NT_STATUS_NOT_FOUND;
 486         }
 487
 488         options = ldb_msg_find_attr_as_int(res->msgs[0], "options", 0);
 489         talloc_free(res);
 490         talloc_free(ldb);
 491
 492         /* if options attribute has the 0x00000001 flag set, then enable the global catlog */
 493         if (options & 0x000000001) {
 494                 port = 3268;
 495                 status = stream_setup_socket(event_context, model_ops, &ldap_stream_ops,
 496                                              "ipv4", address, &port, ldap_service);
 497                 if (!NT_STATUS_IS_OK(status)) {
 498                         DEBUG(0,("ldapsrv failed to bind to %s:%u - %s\n",
 499                                  address, port, nt_errstr(status)));
 500                 }
 501         }
 502
 503         return status;
 504 }
 505
 506 /*
 507   open the ldap server sockets
 508 */
 509 static void ldapsrv_task_init(struct task_server *task)
 510 {
 511         struct ldapsrv_service *ldap_service;
 512         NTSTATUS status;
 513         const struct model_ops *model_ops;
 514
 515         task_server_set_title(task, "task[ldapsrv]");
 516
 517         /* run the ldap server as a single process */
 518         model_ops = process_model_byname("single");
 519         if (!model_ops) goto failed;
 520
 521         ldap_service = talloc_zero(task, struct ldapsrv_service);
 522         if (ldap_service == NULL) goto failed;
 523
 524         ldap_service->tls_params = tls_initialise(ldap_service);
 525         if (ldap_service->tls_params == NULL) goto failed;
 526
 527         if (lp_interfaces() && lp_bind_interfaces_only()) {
 528                 int num_interfaces = iface_count();
 529                 int i;
 530
 531                 /* We have been given an interfaces line, and been
 532                    told to only bind to those interfaces. Create a
 533                    socket per interface and bind to only these.
 534                 */
 535                 for(i = 0; i < num_interfaces; i++) {
 536                         const char *address = iface_n_ip(i);
 537                         status = add_socket(task->event_ctx, model_ops, address, ldap_service);
 538                         if (!NT_STATUS_IS_OK(status)) goto failed;
 539                 }
 540         } else {
 541                 status = add_socket(task->event_ctx, model_ops, lp_socket_address(), ldap_service);
 542                 if (!NT_STATUS_IS_OK(status)) goto failed;
 543         }
 544
 545         return;
 546
 547 failed:
 548         task_server_terminate(task, "Failed to startup ldap server task");
 549 }
 550
 551 /*
 552   called on startup of the web server service It's job is to start
 553   listening on all configured sockets
 554 */
 555 static NTSTATUS ldapsrv_init(struct event_context *event_context,
 556                              const struct model_ops *model_ops)
 557 {
 558         return task_server_startup(event_context, model_ops, ldapsrv_task_init);
 559 }
 560
 561
 562 NTSTATUS server_service_ldap_init(void)
 563 {
 564         return register_server_service("ldap", ldapsrv_init);
 565 }