2 Unix SMB/CIFS mplementation.
3 LDAP protocol helper functions for SAMBA
5 Copyright (C) Andrew Tridgell 2004
6 Copyright (C) Volker Lendecke 2004
7 Copyright (C) Stefan Metzmacher 2004
8 Copyright (C) Simo Sorce 2004
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 #include "libcli/util/asn_1.h"
27 #include "lib/util/dlinklist.h"
28 #include "lib/events/events.h"
29 #include "lib/socket/socket.h"
30 #include "libcli/ldap/ldap.h"
31 #include "libcli/ldap/ldap_client.h"
32 #include "libcli/composite/composite.h"
33 #include "lib/stream/packet.h"
34 #include "lib/tls/tls.h"
35 #include "auth/gensec/gensec.h"
36 #include "system/time.h"
37 #include "param/param.h"
41 create a new ldap_connection stucture. The event context is optional
43 struct ldap_connection *ldap4_new_connection(TALLOC_CTX *mem_ctx,
44 struct loadparm_context *lp_ctx,
45 struct event_context *ev)
47 struct ldap_connection *conn;
49 conn = talloc_zero(mem_ctx, struct ldap_connection);
55 ev = event_context_init(conn);
62 conn->next_messageid = 1;
63 conn->event.event_ctx = ev;
65 conn->lp_ctx = lp_ctx;
67 /* set a reasonable request timeout */
70 /* explicitly avoid reconnections by default */
71 conn->reconnect.max_retries = 0;
77 the connection is dead
79 static void ldap_connection_dead(struct ldap_connection *conn)
81 struct ldap_request *req;
83 /* return an error for any pending request ... */
84 while (conn->pending) {
86 DLIST_REMOVE(req->conn->pending, req);
87 req->state = LDAP_REQUEST_DONE;
88 req->status = NT_STATUS_UNEXPECTED_NETWORK_ERROR;
94 talloc_free(conn->sock); /* this will also free event.fde */
95 talloc_free(conn->packet);
97 conn->event.fde = NULL;
101 static void ldap_reconnect(struct ldap_connection *conn);
106 static void ldap_error_handler(void *private_data, NTSTATUS status)
108 struct ldap_connection *conn = talloc_get_type(private_data,
109 struct ldap_connection);
110 ldap_connection_dead(conn);
112 /* but try to reconnect so that the ldb client can go on */
113 ldap_reconnect(conn);
118 match up with a pending message, adding to the replies list
120 static void ldap_match_message(struct ldap_connection *conn, struct ldap_message *msg)
122 struct ldap_request *req;
125 for (req=conn->pending; req; req=req->next) {
126 if (req->messageid == msg->messageid) break;
128 /* match a zero message id to the last request sent.
129 It seems that servers send 0 if unable to parse */
130 if (req == NULL && msg->messageid == 0) {
134 DEBUG(0,("ldap: no matching message id for %u\n",
140 /* Check for undecoded critical extensions */
141 for (i=0; msg->controls && msg->controls[i]; i++) {
142 if (!msg->controls_decoded[i] &&
143 msg->controls[i]->critical) {
144 req->status = NT_STATUS_LDAP(LDAP_UNAVAILABLE_CRITICAL_EXTENSION);
145 req->state = LDAP_REQUEST_DONE;
146 DLIST_REMOVE(conn->pending, req);
154 /* add to the list of replies received */
155 talloc_steal(req, msg);
156 req->replies = talloc_realloc(req, req->replies,
157 struct ldap_message *, req->num_replies+1);
158 if (req->replies == NULL) {
159 req->status = NT_STATUS_NO_MEMORY;
160 req->state = LDAP_REQUEST_DONE;
161 DLIST_REMOVE(conn->pending, req);
168 req->replies[req->num_replies] = talloc_steal(req->replies, msg);
171 if (msg->type != LDAP_TAG_SearchResultEntry &&
172 msg->type != LDAP_TAG_SearchResultReference) {
173 /* currently only search results expect multiple
175 req->state = LDAP_REQUEST_DONE;
176 DLIST_REMOVE(conn->pending, req);
186 decode/process LDAP data
188 static NTSTATUS ldap_recv_handler(void *private_data, DATA_BLOB blob)
191 struct ldap_connection *conn = talloc_get_type(private_data,
192 struct ldap_connection);
193 struct ldap_message *msg = talloc(conn, struct ldap_message);
194 struct asn1_data *asn1 = asn1_init(conn);
196 if (asn1 == NULL || msg == NULL) {
197 return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR);
200 if (!asn1_load(asn1, blob)) {
203 return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR);
206 status = ldap_decode(asn1, msg);
207 if (!NT_STATUS_IS_OK(status)) {
212 ldap_match_message(conn, msg);
214 data_blob_free(&blob);
219 /* Handle read events, from the GENSEC socket callback, or real events */
220 void ldap_read_io_handler(void *private_data, uint16_t flags)
222 struct ldap_connection *conn = talloc_get_type(private_data,
223 struct ldap_connection);
224 packet_recv(conn->packet);
228 handle ldap socket events
230 static void ldap_io_handler(struct event_context *ev, struct fd_event *fde,
231 uint16_t flags, void *private_data)
233 struct ldap_connection *conn = talloc_get_type(private_data,
234 struct ldap_connection);
235 if (flags & EVENT_FD_WRITE) {
236 packet_queue_run(conn->packet);
237 if (!tls_enabled(conn->sock)) return;
239 if (flags & EVENT_FD_READ) {
240 ldap_read_io_handler(private_data, flags);
247 static NTSTATUS ldap_parse_basic_url(TALLOC_CTX *mem_ctx, const char *url,
248 char **host, uint16_t *port, bool *ldaps)
256 SMB_ASSERT(sizeof(protocol)>10 && sizeof(tmp_host)>254);
258 ret = sscanf(url, "%10[^:]://%254[^:/]:%d", protocol, tmp_host, &tmp_port);
260 return NT_STATUS_INVALID_PARAMETER;
263 if (strequal(protocol, "ldap")) {
266 } else if (strequal(protocol, "ldaps")) {
270 DEBUG(0, ("unrecognised ldap protocol (%s)!\n", protocol));
271 return NT_STATUS_PROTOCOL_UNREACHABLE;
277 *host = talloc_strdup(mem_ctx, tmp_host);
278 NT_STATUS_HAVE_NO_MEMORY(*host);
284 connect to a ldap server
287 struct ldap_connect_state {
288 struct composite_context *ctx;
289 struct ldap_connection *conn;
292 static void ldap_connect_recv_unix_conn(struct composite_context *ctx);
293 static void ldap_connect_recv_tcp_conn(struct composite_context *ctx);
295 struct composite_context *ldap_connect_send(struct ldap_connection *conn,
298 struct composite_context *result, *ctx;
299 struct ldap_connect_state *state;
303 result = talloc_zero(NULL, struct composite_context);
304 if (result == NULL) goto failed;
305 result->state = COMPOSITE_STATE_IN_PROGRESS;
306 result->async.fn = NULL;
307 result->event_ctx = conn->event.event_ctx;
309 state = talloc(result, struct ldap_connect_state);
310 if (state == NULL) goto failed;
312 result->private_data = state;
316 if (conn->reconnect.url == NULL) {
317 conn->reconnect.url = talloc_strdup(conn, url);
318 if (conn->reconnect.url == NULL) goto failed;
322 SMB_ASSERT(sizeof(protocol)>10);
324 ret = sscanf(url, "%10[^:]://", protocol);
329 if (strequal(protocol, "ldapi")) {
330 struct socket_address *unix_addr;
333 NTSTATUS status = socket_create("unix", SOCKET_TYPE_STREAM, &conn->sock, 0);
334 if (!NT_STATUS_IS_OK(status)) {
337 talloc_steal(conn, conn->sock);
338 SMB_ASSERT(sizeof(protocol)>10);
339 SMB_ASSERT(sizeof(path)>1024);
341 /* The %c specifier doesn't null terminate :-( */
343 ret = sscanf(url, "%10[^:]://%1025c", protocol, path);
345 composite_error(state->ctx, NT_STATUS_INVALID_PARAMETER);
349 rfc1738_unescape(path);
351 unix_addr = socket_address_from_strings(conn, conn->sock->backend_name,
357 ctx = socket_connect_send(conn->sock, NULL, unix_addr,
358 0, lp_name_resolve_order(conn->lp_ctx), conn->event.event_ctx);
359 ctx->async.fn = ldap_connect_recv_unix_conn;
360 ctx->async.private_data = state;
363 NTSTATUS status = ldap_parse_basic_url(conn, url, &conn->host,
364 &conn->port, &conn->ldaps);
365 if (!NT_STATUS_IS_OK(state->ctx->status)) {
366 composite_error(state->ctx, status);
370 ctx = socket_connect_multi_send(state, conn->host, 1, &conn->port,
371 lp_name_resolve_order(conn->lp_ctx), conn->event.event_ctx);
372 if (ctx == NULL) goto failed;
374 ctx->async.fn = ldap_connect_recv_tcp_conn;
375 ctx->async.private_data = state;
383 static void ldap_connect_got_sock(struct composite_context *ctx,
384 struct ldap_connection *conn)
386 /* setup a handler for events on this socket */
387 conn->event.fde = event_add_fd(conn->event.event_ctx, conn->sock,
388 socket_get_fd(conn->sock),
389 EVENT_FD_READ | EVENT_FD_AUTOCLOSE, ldap_io_handler, conn);
390 if (conn->event.fde == NULL) {
391 composite_error(ctx, NT_STATUS_INTERNAL_ERROR);
395 socket_set_flags(conn->sock, SOCKET_FLAG_NOCLOSE);
397 talloc_steal(conn, conn->sock);
399 struct socket_context *tls_socket;
400 char *cafile = private_path(conn->sock, conn->lp_ctx, lp_tls_cafile(conn->lp_ctx));
402 if (!cafile || !*cafile) {
403 talloc_free(conn->sock);
407 tls_socket = tls_init_client(conn->sock, conn->event.fde, cafile);
410 if (tls_socket == NULL) {
411 talloc_free(conn->sock);
414 talloc_unlink(conn, conn->sock);
415 conn->sock = tls_socket;
416 talloc_steal(conn, conn->sock);
419 conn->packet = packet_init(conn);
420 if (conn->packet == NULL) {
421 talloc_free(conn->sock);
425 packet_set_private(conn->packet, conn);
426 packet_set_socket(conn->packet, conn->sock);
427 packet_set_callback(conn->packet, ldap_recv_handler);
428 packet_set_full_request(conn->packet, ldap_full_packet);
429 packet_set_error_handler(conn->packet, ldap_error_handler);
430 packet_set_event_context(conn->packet, conn->event.event_ctx);
431 packet_set_fde(conn->packet, conn->event.fde);
432 packet_set_serialise(conn->packet);
437 static void ldap_connect_recv_tcp_conn(struct composite_context *ctx)
439 struct ldap_connect_state *state =
440 talloc_get_type(ctx->async.private_data,
441 struct ldap_connect_state);
442 struct ldap_connection *conn = state->conn;
444 NTSTATUS status = socket_connect_multi_recv(ctx, state, &conn->sock,
446 if (!NT_STATUS_IS_OK(status)) {
447 composite_error(state->ctx, status);
451 ldap_connect_got_sock(state->ctx, conn);
454 static void ldap_connect_recv_unix_conn(struct composite_context *ctx)
456 struct ldap_connect_state *state =
457 talloc_get_type(ctx->async.private_data,
458 struct ldap_connect_state);
459 struct ldap_connection *conn = state->conn;
461 NTSTATUS status = socket_connect_recv(ctx);
463 if (!NT_STATUS_IS_OK(state->ctx->status)) {
464 composite_error(state->ctx, status);
468 ldap_connect_got_sock(state->ctx, conn);
471 _PUBLIC_ NTSTATUS ldap_connect_recv(struct composite_context *ctx)
473 NTSTATUS status = composite_wait(ctx);
478 NTSTATUS ldap_connect(struct ldap_connection *conn, const char *url)
480 struct composite_context *ctx = ldap_connect_send(conn, url);
481 return ldap_connect_recv(ctx);
484 /* set reconnect parameters */
486 void ldap_set_reconn_params(struct ldap_connection *conn, int max_retries)
489 conn->reconnect.max_retries = max_retries;
490 conn->reconnect.retries = 0;
491 conn->reconnect.previous = time(NULL);
495 /* Actually this function is NOT ASYNC safe, FIXME? */
496 static void ldap_reconnect(struct ldap_connection *conn)
499 time_t now = time(NULL);
501 /* do we have set up reconnect ? */
502 if (conn->reconnect.max_retries == 0) return;
504 /* is the retry time expired ? */
505 if (now > conn->reconnect.previous + 30) {
506 conn->reconnect.retries = 0;
507 conn->reconnect.previous = now;
510 /* are we reconnectind too often and too fast? */
511 if (conn->reconnect.retries > conn->reconnect.max_retries) return;
513 /* keep track of the number of reconnections */
514 conn->reconnect.retries++;
517 status = ldap_connect(conn, conn->reconnect.url);
518 if ( ! NT_STATUS_IS_OK(status)) {
523 status = ldap_rebind(conn);
524 if ( ! NT_STATUS_IS_OK(status)) {
525 ldap_connection_dead(conn);
529 /* destroy an open ldap request */
530 static int ldap_request_destructor(struct ldap_request *req)
532 if (req->state == LDAP_REQUEST_PENDING) {
533 DLIST_REMOVE(req->conn->pending, req);
539 called on timeout of a ldap request
541 static void ldap_request_timeout(struct event_context *ev, struct timed_event *te,
542 struct timeval t, void *private_data)
544 struct ldap_request *req = talloc_get_type(private_data, struct ldap_request);
545 req->status = NT_STATUS_IO_TIMEOUT;
546 if (req->state == LDAP_REQUEST_PENDING) {
547 DLIST_REMOVE(req->conn->pending, req);
549 req->state = LDAP_REQUEST_DONE;
557 called on completion of a one-way ldap request
559 static void ldap_request_complete(struct event_context *ev, struct timed_event *te,
560 struct timeval t, void *private_data)
562 struct ldap_request *req = talloc_get_type(private_data, struct ldap_request);
569 send a ldap message - async interface
571 struct ldap_request *ldap_request_send(struct ldap_connection *conn,
572 struct ldap_message *msg)
574 struct ldap_request *req;
575 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
577 req = talloc_zero(conn, struct ldap_request);
578 if (req == NULL) return NULL;
580 if (conn->sock == NULL) {
581 status = NT_STATUS_INVALID_CONNECTION;
585 req->state = LDAP_REQUEST_SEND;
587 req->messageid = conn->next_messageid++;
588 if (conn->next_messageid == 0) {
589 conn->next_messageid = 1;
591 req->type = msg->type;
592 if (req->messageid == -1) {
596 talloc_set_destructor(req, ldap_request_destructor);
598 msg->messageid = req->messageid;
600 if (!ldap_encode(msg, &req->data, req)) {
601 status = NT_STATUS_INTERNAL_ERROR;
605 status = packet_send(conn->packet, req->data);
606 if (!NT_STATUS_IS_OK(status)) {
610 /* some requests don't expect a reply, so don't add those to the
612 if (req->type == LDAP_TAG_AbandonRequest ||
613 req->type == LDAP_TAG_UnbindRequest) {
614 req->status = NT_STATUS_OK;
615 req->state = LDAP_REQUEST_DONE;
616 /* we can't call the async callback now, as it isn't setup, so
617 call it as next event */
618 event_add_timed(conn->event.event_ctx, req, timeval_zero(),
619 ldap_request_complete, req);
623 req->state = LDAP_REQUEST_PENDING;
624 DLIST_ADD(conn->pending, req);
626 /* put a timeout on the request */
627 req->time_event = event_add_timed(conn->event.event_ctx, req,
628 timeval_current_ofs(conn->timeout, 0),
629 ldap_request_timeout, req);
634 req->status = status;
635 req->state = LDAP_REQUEST_ERROR;
636 event_add_timed(conn->event.event_ctx, req, timeval_zero(),
637 ldap_request_complete, req);
644 wait for a request to complete
645 note that this does not destroy the request
647 NTSTATUS ldap_request_wait(struct ldap_request *req)
649 while (req->state < LDAP_REQUEST_DONE) {
650 if (event_loop_once(req->conn->event.event_ctx) != 0) {
651 req->status = NT_STATUS_UNEXPECTED_NETWORK_ERROR;
660 a mapping of ldap response code to strings
662 static const struct {
663 enum ldap_result_code code;
665 } ldap_code_map[] = {
666 #define _LDAP_MAP_CODE(c) { c, #c }
667 _LDAP_MAP_CODE(LDAP_SUCCESS),
668 _LDAP_MAP_CODE(LDAP_OPERATIONS_ERROR),
669 _LDAP_MAP_CODE(LDAP_PROTOCOL_ERROR),
670 _LDAP_MAP_CODE(LDAP_TIME_LIMIT_EXCEEDED),
671 _LDAP_MAP_CODE(LDAP_SIZE_LIMIT_EXCEEDED),
672 _LDAP_MAP_CODE(LDAP_COMPARE_FALSE),
673 _LDAP_MAP_CODE(LDAP_COMPARE_TRUE),
674 _LDAP_MAP_CODE(LDAP_AUTH_METHOD_NOT_SUPPORTED),
675 _LDAP_MAP_CODE(LDAP_STRONG_AUTH_REQUIRED),
676 _LDAP_MAP_CODE(LDAP_REFERRAL),
677 _LDAP_MAP_CODE(LDAP_ADMIN_LIMIT_EXCEEDED),
678 _LDAP_MAP_CODE(LDAP_UNAVAILABLE_CRITICAL_EXTENSION),
679 _LDAP_MAP_CODE(LDAP_CONFIDENTIALITY_REQUIRED),
680 _LDAP_MAP_CODE(LDAP_SASL_BIND_IN_PROGRESS),
681 _LDAP_MAP_CODE(LDAP_NO_SUCH_ATTRIBUTE),
682 _LDAP_MAP_CODE(LDAP_UNDEFINED_ATTRIBUTE_TYPE),
683 _LDAP_MAP_CODE(LDAP_INAPPROPRIATE_MATCHING),
684 _LDAP_MAP_CODE(LDAP_CONSTRAINT_VIOLATION),
685 _LDAP_MAP_CODE(LDAP_ATTRIBUTE_OR_VALUE_EXISTS),
686 _LDAP_MAP_CODE(LDAP_INVALID_ATTRIBUTE_SYNTAX),
687 _LDAP_MAP_CODE(LDAP_NO_SUCH_OBJECT),
688 _LDAP_MAP_CODE(LDAP_ALIAS_PROBLEM),
689 _LDAP_MAP_CODE(LDAP_INVALID_DN_SYNTAX),
690 _LDAP_MAP_CODE(LDAP_ALIAS_DEREFERENCING_PROBLEM),
691 _LDAP_MAP_CODE(LDAP_INAPPROPRIATE_AUTHENTICATION),
692 _LDAP_MAP_CODE(LDAP_INVALID_CREDENTIALS),
693 _LDAP_MAP_CODE(LDAP_INSUFFICIENT_ACCESS_RIGHTS),
694 _LDAP_MAP_CODE(LDAP_BUSY),
695 _LDAP_MAP_CODE(LDAP_UNAVAILABLE),
696 _LDAP_MAP_CODE(LDAP_UNWILLING_TO_PERFORM),
697 _LDAP_MAP_CODE(LDAP_LOOP_DETECT),
698 _LDAP_MAP_CODE(LDAP_NAMING_VIOLATION),
699 _LDAP_MAP_CODE(LDAP_OBJECT_CLASS_VIOLATION),
700 _LDAP_MAP_CODE(LDAP_NOT_ALLOWED_ON_NON_LEAF),
701 _LDAP_MAP_CODE(LDAP_NOT_ALLOWED_ON_RDN),
702 _LDAP_MAP_CODE(LDAP_ENTRY_ALREADY_EXISTS),
703 _LDAP_MAP_CODE(LDAP_OBJECT_CLASS_MODS_PROHIBITED),
704 _LDAP_MAP_CODE(LDAP_AFFECTS_MULTIPLE_DSAS),
705 _LDAP_MAP_CODE(LDAP_OTHER)
709 used to setup the status code from a ldap response
711 NTSTATUS ldap_check_response(struct ldap_connection *conn, struct ldap_Result *r)
714 const char *codename = "unknown";
716 if (r->resultcode == LDAP_SUCCESS) {
720 if (conn->last_error) {
721 talloc_free(conn->last_error);
724 for (i=0;i<ARRAY_SIZE(ldap_code_map);i++) {
725 if (r->resultcode == ldap_code_map[i].code) {
726 codename = ldap_code_map[i].str;
731 conn->last_error = talloc_asprintf(conn, "LDAP error %u %s - %s <%s> <%s>",
734 r->dn?r->dn:"(NULL)",
735 r->errormessage?r->errormessage:"",
736 r->referral?r->referral:"");
738 return NT_STATUS_LDAP(r->resultcode);
742 return error string representing the last error
744 const char *ldap_errstr(struct ldap_connection *conn,
748 if (NT_STATUS_IS_LDAP(status) && conn->last_error != NULL) {
749 return talloc_strdup(mem_ctx, conn->last_error);
751 return talloc_asprintf(mem_ctx, "LDAP client internal error: %s", nt_errstr(status));
756 return the Nth result message, waiting if necessary
758 NTSTATUS ldap_result_n(struct ldap_request *req, int n, struct ldap_message **msg)
762 NT_STATUS_HAVE_NO_MEMORY(req);
764 while (req->state < LDAP_REQUEST_DONE && n >= req->num_replies) {
765 if (event_loop_once(req->conn->event.event_ctx) != 0) {
766 return NT_STATUS_UNEXPECTED_NETWORK_ERROR;
770 if (n < req->num_replies) {
771 *msg = req->replies[n];
775 if (!NT_STATUS_IS_OK(req->status)) {
779 return NT_STATUS_NO_MORE_ENTRIES;
784 return a single result message, checking if it is of the expected LDAP type
786 NTSTATUS ldap_result_one(struct ldap_request *req, struct ldap_message **msg, int type)
789 status = ldap_result_n(req, 0, msg);
790 if (!NT_STATUS_IS_OK(status)) {
793 if ((*msg)->type != type) {
795 return NT_STATUS_UNEXPECTED_NETWORK_ERROR;
801 a simple ldap transaction, for single result requests that only need a status code
802 this relies on single valued requests having the response type == request type + 1
804 NTSTATUS ldap_transaction(struct ldap_connection *conn, struct ldap_message *msg)
806 struct ldap_request *req = ldap_request_send(conn, msg);
807 struct ldap_message *res;
809 status = ldap_result_n(req, 0, &res);
810 if (!NT_STATUS_IS_OK(status)) {
814 if (res->type != msg->type + 1) {
816 return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR);
818 status = ldap_check_response(conn, &res->r.GeneralResult);