/*
Unix SMB/CIFS implementation.
+
LDAP server
+
+ Copyright (C) Andrew Tridgell 2005
Copyright (C) Volker Lendecke 2004
Copyright (C) Stefan Metzmacher 2004
*/
#include "includes.h"
+#include "lib/events/events.h"
+#include "auth/auth.h"
+#include "auth/credentials/credentials.h"
+#include "librpc/gen_ndr/ndr_samr.h"
+#include "lib/util/dlinklist.h"
+#include "libcli/util/asn_1.h"
+#include "ldap_server/ldap_server.h"
+#include "smbd/service_task.h"
+#include "smbd/service_stream.h"
+#include "smbd/service.h"
+#include "smbd/process_model.h"
+#include "lib/tls/tls.h"
+#include "lib/messaging/irpc.h"
+#include "lib/ldb/include/ldb.h"
+#include "lib/ldb/include/ldb_errors.h"
+#include "system/network.h"
+#include "lib/socket/netif.h"
/*
close the socket and shutdown a server_context
*/
-void ldapsrv_terminate_connection(struct ldapsrv_connection *ldap_conn, const char *reason)
+void ldapsrv_terminate_connection(struct ldapsrv_connection *conn,
+ const char *reason)
{
- server_terminate_connection(ldap_conn->connection, reason);
+ stream_terminate_connection(conn->connection, reason);
}
/*
- add a socket address to the list of events, one event per port
+ handle packet errors
*/
-static void add_socket(struct server_service *service,
- const struct model_ops *model_ops,
- struct in_addr *ifip)
-{
- struct server_socket *srv_sock;
- uint16_t port = 389;
- char *ip_str = talloc_strdup(service->mem_ctx, inet_ntoa(*ifip));
-
- srv_sock = service_setup_socket(service, model_ops, ip_str, &port);
-
- talloc_free(ip_str);
-}
-
-/****************************************************************************
- Open the socket communication.
-****************************************************************************/
-static void ldapsrv_init(struct server_service *service,
- const struct model_ops *model_ops)
-{
- DEBUG(1,("ldapsrv_init\n"));
-
- if (lp_interfaces() && lp_bind_interfaces_only()) {
- int num_interfaces = iface_count();
- int i;
-
- /* We have been given an interfaces line, and been
- told to only bind to those interfaces. Create a
- socket per interface and bind to only these.
- */
- for(i = 0; i < num_interfaces; i++) {
- struct in_addr *ifip = iface_n_ip(i);
-
- if (ifip == NULL) {
- DEBUG(0,("ldapsrv_init: interface %d has NULL "
- "IP address !\n", i));
- continue;
- }
-
- add_socket(service, model_ops, ifip);
- }
- } else {
- struct in_addr *ifip;
- TALLOC_CTX *mem_ctx = talloc_init("ldapsrv_init");
-
- if (!mem_ctx) {
- smb_panic("No memory");
- }
-
- /* Just bind to lp_socket_address() (usually 0.0.0.0) */
- ifip = interpret_addr2(mem_ctx, lp_socket_address());
- add_socket(service, model_ops, ifip);
-
- talloc_destroy(mem_ctx);
- }
-}
-
-/* This rw-buf api is made to avoid memcpy. For now do that like mad... The
- idea is to write into a circular list of buffers where the ideal case is
- that a read(2) holds a complete request that is then thrown away
- completely. */
-
-static void consumed_from_buf(struct rw_buffer *buf,
- size_t length)
+static void ldapsrv_error_handler(void *private, NTSTATUS status)
{
- memcpy(buf->data, buf->data+length, buf->length-length);
- buf->length -= length;
+ struct ldapsrv_connection *conn = talloc_get_type(private,
+ struct ldapsrv_connection);
+ ldapsrv_terminate_connection(conn, nt_errstr(status));
}
-static BOOL append_to_buf(struct rw_buffer *buf, uint8_t *data, size_t length)
-{
- buf->data = realloc(buf->data, buf->length+length);
-
- if (buf->data == NULL)
- return False;
-
- memcpy(buf->data+buf->length, data, length);
-
- buf->length += length;
- return True;
-}
-
-static BOOL read_into_buf(struct socket_context *sock, struct rw_buffer *buf)
+/*
+ process a decoded ldap message
+*/
+static void ldapsrv_process_message(struct ldapsrv_connection *conn,
+ struct ldap_message *msg)
{
+ struct ldapsrv_call *call;
NTSTATUS status;
- DATA_BLOB tmp_blob;
- BOOL ret;
+ DATA_BLOB blob;
- status = socket_recv(sock, sock, &tmp_blob, 1024, 0);
+ call = talloc(conn, struct ldapsrv_call);
+ if (!call) {
+ ldapsrv_terminate_connection(conn, "no memory");
+ return;
+ }
+
+ call->request = talloc_steal(call, msg);
+ call->conn = conn;
+ call->replies = NULL;
+ call->send_callback = NULL;
+ call->send_private = NULL;
+
+ /* make the call */
+ status = ldapsrv_do_call(call);
if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0,("socket_recv: %s\n",nt_errstr(status)));
- return False;
+ talloc_free(call);
+ return;
}
+
+ blob = data_blob(NULL, 0);
- ret = append_to_buf(buf, tmp_blob.data, tmp_blob.length);
-
- talloc_free(tmp_blob.data);
-
- return ret;
-}
-
-static BOOL write_from_buf(struct socket_context *sock, struct rw_buffer *buf)
-{
- NTSTATUS status;
- DATA_BLOB tmp_blob;
- size_t sendlen;
-
- tmp_blob.data = buf->data;
- tmp_blob.length = buf->length;
-
- status = socket_send(sock, sock, &tmp_blob, &sendlen, 0);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0,("socket_send() %s\n",nt_errstr(status)));
- return False;
+ if (call->replies == NULL) {
+ talloc_free(call);
+ return;
}
- consumed_from_buf(buf, sendlen);
+ /* build all the replies into a single blob */
+ while (call->replies) {
+ DATA_BLOB b;
- return True;
-}
+ msg = call->replies->msg;
+ if (!ldap_encode(msg, &b, call)) {
+ DEBUG(0,("Failed to encode ldap reply of type %d\n", msg->type));
+ talloc_free(call);
+ return;
+ }
-static void peek_into_read_buf(struct rw_buffer *buf, uint8_t **out,
- size_t *out_length)
-{
- *out = buf->data;
- *out_length = buf->length;
-}
+ status = data_blob_append(call, &blob, b.data, b.length);
+ data_blob_free(&b);
-static BOOL ldap_append_to_buf(struct ldap_message *msg, struct rw_buffer *buf)
-{
- DATA_BLOB blob;
- BOOL res;
+ talloc_set_name_const(blob.data, "Outgoing, encoded LDAP packet");
- if (!ldap_encode(msg, &blob))
- return False;
+ if (!NT_STATUS_IS_OK(status)) {
+ talloc_free(call);
+ return;
+ }
- res = append_to_buf(buf, blob.data, blob.length);
+ DLIST_REMOVE(call->replies, call->replies);
+ }
- data_blob_free(&blob);
- return res;
+ packet_send_callback(conn->packet, blob,
+ call->send_callback, call->send_private);
+ talloc_free(call);
+ return;
}
-struct ldapsrv_reply *ldapsrv_init_reply(struct ldapsrv_call *call, enum ldap_request_tag type)
+/*
+ decode/process data
+*/
+static NTSTATUS ldapsrv_decode(void *private, DATA_BLOB blob)
{
- struct ldapsrv_reply *reply;
+ struct ldapsrv_connection *conn = talloc_get_type(private,
+ struct ldapsrv_connection);
+ struct asn1_data asn1;
+ struct ldap_message *msg = talloc(conn, struct ldap_message);
- reply = talloc_p(call, struct ldapsrv_reply);
- if (!reply) {
- return NULL;
+ if (msg == NULL) {
+ return NT_STATUS_NO_MEMORY;
}
- reply->prev = reply->next = NULL;
- reply->state = LDAPSRV_REPLY_STATE_NEW;
- reply->msg.messageid = call->request.messageid;
- reply->msg.type = type;
- reply->msg.mem_ctx = reply;
+ if (!asn1_load(&asn1, blob)) {
+ return NT_STATUS_NO_MEMORY;
+ }
- return reply;
-}
+ if (!ldap_decode(&asn1, msg)) {
+ asn1_free(&asn1);
+ return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR);
+ }
-void ldapsrv_queue_reply(struct ldapsrv_call *call, struct ldapsrv_reply *reply)
-{
- DLIST_ADD_END(call->replies, reply, struct ldapsrv_reply *);
+ data_blob_free(&blob);
+ ldapsrv_process_message(conn, msg);
+ asn1_free(&asn1);
+ return NT_STATUS_OK;
}
-struct ldapsrv_partition *ldapsrv_get_partition(struct ldapsrv_connection *conn, const char *dn)
+/*
+ Idle timeout handler
+*/
+static void ldapsrv_conn_idle_timeout(struct event_context *ev,
+ struct timed_event *te,
+ struct timeval t,
+ void *private)
{
- static const struct ldapsrv_partition_ops null_ops;
- static struct ldapsrv_partition null_part = {
- .ops = &null_ops
- };
+ struct ldapsrv_connection *conn = talloc_get_type(private, struct ldapsrv_connection);
- return &null_part;
+ ldapsrv_terminate_connection(conn, "Timeout. No requests after bind");
}
-void ldapsrv_unwilling(struct ldapsrv_call *call, int error)
+/*
+ called when a LDAP socket becomes readable
+*/
+void ldapsrv_recv(struct stream_connection *c, uint16_t flags)
{
- struct ldapsrv_reply *reply;
- struct ldap_ExtendedResponse *r;
-
- DEBUG(0,("Unwilling type[%d] id[%d]\n", call->request.type, call->request.messageid));
+ struct ldapsrv_connection *conn =
+ talloc_get_type(c->private, struct ldapsrv_connection);
- reply = ldapsrv_init_reply(call, LDAP_TAG_ExtendedResponse);
- if (!reply) {
- ldapsrv_terminate_connection(call->conn, "ldapsrv_init_reply() failed");
- return;
+ if (conn->limits.ite) { /* clean initial timeout if any */
+ talloc_free(conn->limits.ite);
+ conn->limits.ite = NULL;
}
- r = &reply->msg.r.ExtendedResponse;
- r->response.resultcode = error;
- r->response.dn = NULL;
- r->response.errormessage = NULL;
- r->response.referral = NULL;
- r->name = NULL;
- r->value.data = NULL;
- r->value.length = 0;
-
- ldapsrv_queue_reply(call, reply);
-}
-
-static void ldapsrv_BindRequest(struct ldapsrv_call *call)
-{
- struct ldap_BindRequest *req = &call->request.r.BindRequest;
- struct ldapsrv_reply *reply;
- struct ldap_BindResponse *resp;
-
- DEBUG(5, ("BindRequest dn: %s\n",req->dn));
-
- reply = ldapsrv_init_reply(call, LDAP_TAG_BindResponse);
- if (!reply) {
- ldapsrv_terminate_connection(call->conn, "ldapsrv_init_reply() failed");
- return;
+ if (conn->limits.te) { /* clean idle timeout if any */
+ talloc_free(conn->limits.te);
+ conn->limits.te = NULL;
}
- resp = &reply->msg.r.BindResponse;
- resp->response.resultcode = 0;
- resp->response.dn = NULL;
- resp->response.errormessage = NULL;
- resp->response.referral = NULL;
- resp->SASL.secblob = data_blob(NULL, 0);
+ packet_recv(conn->packet);
- ldapsrv_queue_reply(call, reply);
+ /* set idle timeout */
+ conn->limits.te = event_add_timed(c->event.ctx, conn,
+ timeval_current_ofs(conn->limits.conn_idle_time, 0),
+ ldapsrv_conn_idle_timeout, conn);
}
-static void ldapsrv_UnbindRequest(struct ldapsrv_call *call)
+/*
+ called when a LDAP socket becomes writable
+*/
+static void ldapsrv_send(struct stream_connection *c, uint16_t flags)
{
-/* struct ldap_UnbindRequest *req = &call->request->r.UnbindRequest;*/
- DEBUG(10, ("UnbindRequest\n"));
+ struct ldapsrv_connection *conn =
+ talloc_get_type(c->private, struct ldapsrv_connection);
+
+ packet_queue_run(conn->packet);
}
-static void ldapsrv_SearchRequest(struct ldapsrv_call *call)
+static void ldapsrv_conn_init_timeout(struct event_context *ev,
+ struct timed_event *te,
+ struct timeval t,
+ void *private)
{
- struct ldap_SearchRequest *req = &call->request.r.SearchRequest;
- struct ldapsrv_partition *part;
-
- DEBUG(10, ("SearchRequest"));
- DEBUGADD(10, (" basedn: %s", req->basedn));
- DEBUGADD(10, (" filter: %s\n", req->filter));
-
- if ((strcasecmp("", req->basedn) == 0) &&
- (req->scope == LDAP_SEARCH_SCOPE_BASE)) {
- ldapsrv_RootDSE_Search(call, req);
- return;
- }
-
- part = ldapsrv_get_partition(call->conn, req->basedn);
-
- if (!part->ops->Search) {
- struct ldap_Result *done;
- struct ldapsrv_reply *done_r;
-
- done_r = ldapsrv_init_reply(call, LDAP_TAG_SearchResultDone);
- if (!done_r) {
- ldapsrv_terminate_connection(call->conn, "ldapsrv_init_reply() failed");
- return;
- }
-
- done = &done_r->msg.r.SearchResultDone;
- done->resultcode = 53;
- done->dn = NULL;
- done->errormessage = NULL;
- done->referral = NULL;
-
- ldapsrv_queue_reply(call, done_r);
- return;
- }
+ struct ldapsrv_connection *conn = talloc_get_type(private, struct ldapsrv_connection);
- part->ops->Search(part, call, req);
+ ldapsrv_terminate_connection(conn, "Timeout. No requests after initial connection");
}
-static void ldapsrv_ModifyRequest(struct ldapsrv_call *call)
+static int ldapsrv_load_limits(struct ldapsrv_connection *conn)
{
- struct ldap_ModifyRequest *req = &call->request.r.ModifyRequest;
- struct ldapsrv_partition *part;
+ TALLOC_CTX *tmp_ctx;
+ const char *attrs[] = { "configurationNamingContext", NULL };
+ const char *attrs2[] = { "lDAPAdminLimits", NULL };
+ struct ldb_message_element *el;
+ struct ldb_result *res = NULL;
+ struct ldb_dn *basedn;
+ struct ldb_dn *conf_dn;
+ struct ldb_dn *policy_dn;
+ int i,ret;
- DEBUG(10, ("ModifyRequest"));
- DEBUGADD(10, (" dn: %s", req->dn));
+ /* set defaults limits in case of failure */
+ conn->limits.initial_timeout = 120;
+ conn->limits.conn_idle_time = 900;
+ conn->limits.max_page_size = 1000;
+ conn->limits.search_timeout = 120;
- part = ldapsrv_get_partition(call->conn, req->dn);
- if (!part->ops->Modify) {
- ldapsrv_unwilling(call, 53);
- return;
+ tmp_ctx = talloc_new(conn);
+ if (tmp_ctx == NULL) {
+ return -1;
}
- part->ops->Modify(part, call, req);
-}
-
-static void ldapsrv_AddRequest(struct ldapsrv_call *call)
-{
- struct ldap_AddRequest *req = &call->request.r.AddRequest;
- struct ldapsrv_partition *part;
-
- DEBUG(10, ("AddRequest"));
- DEBUGADD(10, (" dn: %s", req->dn));
-
- part = ldapsrv_get_partition(call->conn, req->dn);
-
- if (!part->ops->Add) {
- ldapsrv_unwilling(call, 53);
- return;
+ basedn = ldb_dn_new(tmp_ctx, conn->ldb, NULL);
+ if ( ! ldb_dn_validate(basedn)) {
+ goto failed;
}
- part->ops->Add(part, call, req);
-}
-
-static void ldapsrv_DelRequest(struct ldapsrv_call *call)
-{
- struct ldap_DelRequest *req = &call->request.r.DelRequest;
- struct ldapsrv_partition *part;
-
- DEBUG(10, ("DelRequest"));
- DEBUGADD(10, (" dn: %s", req->dn));
-
- part = ldapsrv_get_partition(call->conn, req->dn);
-
- if (!part->ops->Del) {
- ldapsrv_unwilling(call, 53);
- return;
+ ret = ldb_search(conn->ldb, basedn, LDB_SCOPE_BASE, NULL, attrs, &res);
+ talloc_steal(tmp_ctx, res);
+ if (ret != LDB_SUCCESS || res->count != 1) {
+ goto failed;
}
- part->ops->Del(part, call, req);
-}
-
-static void ldapsrv_ModifyDNRequest(struct ldapsrv_call *call)
-{
- struct ldap_ModifyDNRequest *req = &call->request.r.ModifyDNRequest;
- struct ldapsrv_partition *part;
-
- DEBUG(10, ("ModifyDNRequrest"));
- DEBUGADD(10, (" dn: %s", req->dn));
- DEBUGADD(10, (" newrdn: %s", req->newrdn));
-
- part = ldapsrv_get_partition(call->conn, req->dn);
-
- if (!part->ops->ModifyDN) {
- ldapsrv_unwilling(call, 53);
- return;
+ conf_dn = ldb_msg_find_attr_as_dn(conn->ldb, tmp_ctx, res->msgs[0], "configurationNamingContext");
+ if (conf_dn == NULL) {
+ goto failed;
}
- part->ops->ModifyDN(part, call, req);
-}
-
-static void ldapsrv_CompareRequest(struct ldapsrv_call *call)
-{
- struct ldap_CompareRequest *req = &call->request.r.CompareRequest;
- struct ldapsrv_partition *part;
-
- DEBUG(10, ("CompareRequest"));
- DEBUGADD(10, (" dn: %s", req->dn));
-
- part = ldapsrv_get_partition(call->conn, req->dn);
-
- if (!part->ops->Compare) {
- ldapsrv_unwilling(call, 53);
- return;
+ policy_dn = ldb_dn_copy(tmp_ctx, conf_dn);
+ ldb_dn_add_child_fmt(policy_dn, "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services");
+ if (policy_dn == NULL) {
+ goto failed;
}
- part->ops->Compare(part, call, req);
-}
-
-static void ldapsrv_AbandonRequest(struct ldapsrv_call *call)
-{
-/* struct ldap_AbandonRequest *req = &call->request.r.AbandonRequest;*/
- DEBUG(10, ("AbandonRequest\n"));
-}
-
-static void ldapsrv_ExtendedRequest(struct ldapsrv_call *call)
-{
-/* struct ldap_ExtendedRequest *req = &call->request.r.ExtendedRequest;*/
- struct ldapsrv_reply *reply;
-
- DEBUG(10, ("Extended\n"));
-
- reply = ldapsrv_init_reply(call, LDAP_TAG_ExtendedResponse);
- if (!reply) {
- ldapsrv_terminate_connection(call->conn, "ldapsrv_init_reply() failed");
- return;
+ ret = ldb_search(conn->ldb, policy_dn, LDB_SCOPE_BASE, NULL, attrs2, &res);
+ talloc_steal(tmp_ctx, res);
+ if (ret != LDB_SUCCESS || res->count != 1) {
+ goto failed;
}
- ZERO_STRUCT(reply->msg.r);
-
- ldapsrv_queue_reply(call, reply);
-}
-
-static void ldapsrv_do_call(struct ldapsrv_call *call)
-{
- switch(call->request.type) {
- case LDAP_TAG_BindRequest:
- ldapsrv_BindRequest(call);
- break;
- case LDAP_TAG_UnbindRequest:
- ldapsrv_UnbindRequest(call);
- break;
- case LDAP_TAG_SearchRequest:
- ldapsrv_SearchRequest(call);
- break;
- case LDAP_TAG_ModifyRequest:
- ldapsrv_ModifyRequest(call);
- break;
- case LDAP_TAG_AddRequest:
- ldapsrv_AddRequest(call);
- break;
- case LDAP_TAG_DelRequest:
- ldapsrv_DelRequest(call);
- break;
- case LDAP_TAG_ModifyDNRequest:
- ldapsrv_ModifyDNRequest(call);
- break;
- case LDAP_TAG_CompareRequest:
- ldapsrv_CompareRequest(call);
- break;
- case LDAP_TAG_AbandonRequest:
- ldapsrv_AbandonRequest(call);
- break;
- case LDAP_TAG_ExtendedRequest:
- ldapsrv_ExtendedRequest(call);
- break;
- default:
- ldapsrv_unwilling(call, 2);
- break;
+ el = ldb_msg_find_element(res->msgs[0], "lDAPAdminLimits");
+ if (el == NULL) {
+ goto failed;
}
-}
-static void ldapsrv_do_responses(struct ldapsrv_connection *conn)
-{
- struct ldapsrv_call *call, *next_call = NULL;
- struct ldapsrv_reply *reply, *next_reply = NULL;
-
- for (call=conn->calls; call; call=next_call) {
- for (reply=call->replies; reply; reply=next_reply) {
- if (!ldap_append_to_buf(&reply->msg, &conn->out_buffer)) {
- ldapsrv_terminate_connection(conn, "append_to_buf() failed");
- return;
- }
- next_reply = reply->next;
- DLIST_REMOVE(call->replies, reply);
- reply->state = LDAPSRV_REPLY_STATE_SEND;
- talloc_free(reply);
+ for (i = 0; i < el->num_values; i++) {
+ char policy_name[256];
+ int policy_value, s;
+
+ s = sscanf((const char *)el->values[i].data, "%255[^=]=%d", policy_name, &policy_value);
+ if (ret != 2 || policy_value == 0)
+ continue;
+
+ if (strcasecmp("InitRecvTimeout", policy_name) == 0) {
+ conn->limits.initial_timeout = policy_value;
+ continue;
+ }
+ if (strcasecmp("MaxConnIdleTime", policy_name) == 0) {
+ conn->limits.conn_idle_time = policy_value;
+ continue;
+ }
+ if (strcasecmp("MaxPageSize", policy_name) == 0) {
+ conn->limits.max_page_size = policy_value;
+ continue;
+ }
+ if (strcasecmp("MaxQueryDuration", policy_name) == 0) {
+ conn->limits.search_timeout = policy_value;
+ continue;
}
- next_call = call->next;
- DLIST_REMOVE(conn->calls, call);
- call->state = LDAPSRV_CALL_STATE_COMPLETE;
- talloc_free(call);
}
+
+ return 0;
+
+failed:
+ DEBUG(0, ("Failed to load ldap server query policies\n"));
+ talloc_free(tmp_ctx);
+ return -1;
}
/*
- called when a LDAP socket becomes readable
+ initialise a server_context from a open socket and register a event handler
+ for reading from that socket
*/
-static void ldapsrv_recv(struct server_connection *conn, time_t t,
- uint16_t flags)
+static void ldapsrv_accept(struct stream_connection *c)
{
- struct ldapsrv_connection *ldap_conn = conn->private_data;
- uint8_t *buf;
- int buf_length, msg_length;
- DATA_BLOB blob;
- ASN1_DATA data;
- struct ldapsrv_call *call;
-
- DEBUG(10,("ldapsrv_recv\n"));
+ struct ldapsrv_service *ldapsrv_service =
+ talloc_get_type(c->private, struct ldapsrv_service);
+ struct ldapsrv_connection *conn;
+ struct cli_credentials *server_credentials;
+ struct socket_address *socket_address;
+ NTSTATUS status;
+ int port;
- if (!read_into_buf(conn->socket, &ldap_conn->in_buffer)) {
- ldapsrv_terminate_connection(ldap_conn, "read_into_buf() failed");
+ conn = talloc_zero(c, struct ldapsrv_connection);
+ if (!conn) {
+ stream_terminate_connection(c, "ldapsrv_accept: out of memory");
return;
}
- peek_into_read_buf(&ldap_conn->in_buffer, &buf, &buf_length);
-
- while (buf_length > 0) {
+ conn->packet = NULL;
+ conn->connection = c;
+ conn->service = ldapsrv_service;
+ conn->sockets.raw = c->socket;
- peek_into_read_buf(&ldap_conn->in_buffer, &buf, &buf_length);
- /* LDAP Messages are always SEQUENCES */
+ c->private = conn;
- if (!asn1_object_length(buf, buf_length, ASN1_SEQUENCE(0),
- &msg_length)) {
- ldapsrv_terminate_connection(ldap_conn, "asn1_object_length() failed");
+ socket_address = socket_get_my_addr(c->socket, conn);
+ if (!socket_address) {
+ ldapsrv_terminate_connection(conn, "ldapsrv_accept: failed to obtain local socket address!");
+ return;
+ }
+ port = socket_address->port;
+ talloc_free(socket_address);
+
+ if (port == 636) {
+ struct socket_context *tls_socket = tls_init_server(ldapsrv_service->tls_params, c->socket,
+ c->event.fde, NULL);
+ if (!tls_socket) {
+ ldapsrv_terminate_connection(conn, "ldapsrv_accept: tls_init_server() failed");
return;
}
+ talloc_unlink(c, c->socket);
+ talloc_steal(c, tls_socket);
+ c->socket = tls_socket;
+ conn->sockets.tls = tls_socket;
- if (buf_length < msg_length) {
- /* Not enough yet */
- break;
- }
-
- /* We've got a complete LDAP request in the in-buffer, convert
- * that to a ldap_message and put it into the incoming
- * queue. */
-
- blob.data = buf;
- blob.length = msg_length;
+ } else if (port == 3268) /* Global catalog */ {
+ conn->global_catalog = True;
+ }
+ conn->packet = packet_init(conn);
+ if (conn->packet == NULL) {
+ ldapsrv_terminate_connection(conn, "out of memory");
+ return;
+ }
- if (!asn1_load(&data, blob)) {
- ldapsrv_terminate_connection(ldap_conn, "asn1_load() failed");
- return;
- }
+ packet_set_private(conn->packet, conn);
+ packet_set_socket(conn->packet, c->socket);
+ packet_set_callback(conn->packet, ldapsrv_decode);
+ packet_set_full_request(conn->packet, ldap_full_packet);
+ packet_set_error_handler(conn->packet, ldapsrv_error_handler);
+ packet_set_event_context(conn->packet, c->event.ctx);
+ packet_set_fde(conn->packet, c->event.fde);
+ packet_set_serialise(conn->packet);
+
+ /* Ensure we don't get packets until the database is ready below */
+ packet_recv_disable(conn->packet);
- call = talloc_p(ldap_conn, struct ldapsrv_call);
- if (!call) {
- ldapsrv_terminate_connection(ldap_conn, "no memory");
- return;
- }
+ server_credentials
+ = cli_credentials_init(conn);
+ if (!server_credentials) {
+ stream_terminate_connection(c, "Failed to init server credentials\n");
+ return;
+ }
+
+ cli_credentials_set_conf(server_credentials);
+ status = cli_credentials_set_machine_account(server_credentials);
+ if (!NT_STATUS_IS_OK(status)) {
+ stream_terminate_connection(c, talloc_asprintf(conn, "Failed to obtain server credentials, perhaps a standalone server?: %s\n", nt_errstr(status)));
+ return;
+ }
+ conn->server_credentials = server_credentials;
- ZERO_STRUCTP(call);
- call->state = LDAPSRV_CALL_STATE_NEW;
- call->conn = ldap_conn;
- call->request.mem_ctx = call;
+ /* Connections start out anonymous */
+ if (!NT_STATUS_IS_OK(auth_anonymous_session_info(conn, &conn->session_info))) {
+ ldapsrv_terminate_connection(conn, "failed to setup anonymous session info");
+ return;
+ }
- if (!ldap_decode(&data, &call->request)) {
- dump_data(0,buf, msg_length);
- ldapsrv_terminate_connection(ldap_conn, "ldap_decode() failed");
- return;
- }
+ if (!NT_STATUS_IS_OK(ldapsrv_backend_Init(conn))) {
+ ldapsrv_terminate_connection(conn, "backend Init failed");
+ return;
+ }
- DLIST_ADD_END(ldap_conn->calls, call,
- struct ldapsrv_call *);
+ /* load limits from the conf partition */
+ ldapsrv_load_limits(conn); /* should we fail on error ? */
- consumed_from_buf(&ldap_conn->in_buffer, msg_length);
+ /* register the server */
+ irpc_add_name(c->msg_ctx, "ldap_server");
- ldapsrv_do_call(call);
+ /* set connections limits */
+ conn->limits.ite = event_add_timed(c->event.ctx, conn,
+ timeval_current_ofs(conn->limits.initial_timeout, 0),
+ ldapsrv_conn_init_timeout, conn);
- peek_into_read_buf(&ldap_conn->in_buffer, &buf, &buf_length);
- }
+ packet_recv_enable(conn->packet);
- ldapsrv_do_responses(ldap_conn);
+}
- if (ldap_conn->out_buffer.length > 0) {
- conn->event.fde->flags |= EVENT_FD_WRITE;
- }
+static const struct stream_server_ops ldap_stream_ops = {
+ .name = "ldap",
+ .accept_connection = ldapsrv_accept,
+ .recv_handler = ldapsrv_recv,
+ .send_handler = ldapsrv_send,
+};
- return;
-}
-
/*
- called when a LDAP socket becomes writable
+ add a socket address to the list of events, one event per port
*/
-static void ldapsrv_send(struct server_connection *conn, time_t t,
- uint16_t flags)
+static NTSTATUS add_socket(struct event_context *event_context,
+ const struct model_ops *model_ops,
+ const char *address, struct ldapsrv_service *ldap_service)
{
- struct ldapsrv_connection *ldap_conn = conn->private_data;
+ uint16_t port = 389;
+ NTSTATUS status;
- DEBUG(10,("ldapsrv_send\n"));
+ status = stream_setup_socket(event_context, model_ops, &ldap_stream_ops,
+ "ipv4", address, &port, ldap_service);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,("ldapsrv failed to bind to %s:%u - %s\n",
+ address, port, nt_errstr(status)));
+ }
- if (!write_from_buf(conn->socket, &ldap_conn->out_buffer)) {
- ldapsrv_terminate_connection(ldap_conn, "write_from_buf() failed");
- return;
+ if (tls_support(ldap_service->tls_params)) {
+ /* add ldaps server */
+ port = 636;
+ status = stream_setup_socket(event_context, model_ops, &ldap_stream_ops,
+ "ipv4", address, &port, ldap_service);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,("ldapsrv failed to bind to %s:%u - %s\n",
+ address, port, nt_errstr(status)));
+ }
}
- if (ldap_conn->out_buffer.length == 0) {
- conn->event.fde->flags &= ~EVENT_FD_WRITE;
+ /* if we are a PDC, then also enable the global catalog server port, 3268 */
+ if (lp_server_role() == ROLE_DOMAIN_PDC) {
+ port = 3268;
+ status = stream_setup_socket(event_context, model_ops, &ldap_stream_ops,
+ "ipv4", address, &port, ldap_service);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,("ldapsrv failed to bind to %s:%u - %s\n",
+ address, port, nt_errstr(status)));
+ }
}
- return;
+ return status;
}
/*
- called when connection is idle
+ open the ldap server sockets
*/
-static void ldapsrv_idle(struct server_connection *conn, time_t t)
-{
- DEBUG(10,("ldapsrv_idle: not implemented!\n"));
- return;
-}
-
-static void ldapsrv_close(struct server_connection *conn, const char *reason)
-{
- struct ldapsrv_connection *ldap_conn = conn->private_data;
-
- talloc_free(ldap_conn);
-
- return;
-}
+static void ldapsrv_task_init(struct task_server *task)
+{
+ struct ldapsrv_service *ldap_service;
+ NTSTATUS status;
+ const struct model_ops *model_ops;
-/*
- initialise a server_context from a open socket and register a event handler
- for reading from that socket
-*/
-static void ldapsrv_accept(struct server_connection *conn)
-{
- struct ldapsrv_connection *ldap_conn;
+ task_server_set_title(task, "task[ldapsrv]");
- DEBUG(5, ("ldapsrv_accept\n"));
+ /* run the ldap server as a single process */
+ model_ops = process_model_byname("single");
+ if (!model_ops) goto failed;
- ldap_conn = talloc_p(NULL, struct ldapsrv_connection);
+ ldap_service = talloc_zero(task, struct ldapsrv_service);
+ if (ldap_service == NULL) goto failed;
- if (ldap_conn == NULL)
- return;
+ ldap_service->tls_params = tls_initialise(ldap_service);
+ if (ldap_service->tls_params == NULL) goto failed;
- ZERO_STRUCTP(ldap_conn);
- ldap_conn->connection = conn;
+ if (lp_interfaces() && lp_bind_interfaces_only()) {
+ int num_interfaces = iface_count();
+ int i;
- conn->private_data = ldap_conn;
+ /* We have been given an interfaces line, and been
+ told to only bind to those interfaces. Create a
+ socket per interface and bind to only these.
+ */
+ for(i = 0; i < num_interfaces; i++) {
+ const char *address = iface_n_ip(i);
+ status = add_socket(task->event_ctx, model_ops, address, ldap_service);
+ if (!NT_STATUS_IS_OK(status)) goto failed;
+ }
+ } else {
+ status = add_socket(task->event_ctx, model_ops, lp_socket_address(), ldap_service);
+ if (!NT_STATUS_IS_OK(status)) goto failed;
+ }
return;
+
+failed:
+ task_server_terminate(task, "Failed to startup ldap server task");
}
/*
- called on a fatal error that should cause this server to terminate
+ called on startup of the web server service It's job is to start
+ listening on all configured sockets
*/
-static void ldapsrv_exit(struct server_service *service, const char *reason)
-{
- DEBUG(1,("ldapsrv_exit\n"));
- return;
+static NTSTATUS ldapsrv_init(struct event_context *event_context,
+ const struct model_ops *model_ops)
+{
+ return task_server_startup(event_context, model_ops, ldapsrv_task_init);
}
-static const struct server_service_ops ldap_server_ops = {
- .name = "ldap",
- .service_init = ldapsrv_init,
- .accept_connection = ldapsrv_accept,
- .recv_handler = ldapsrv_recv,
- .send_handler = ldapsrv_send,
- .idle_handler = ldapsrv_idle,
- .close_connection = ldapsrv_close,
- .service_exit = ldapsrv_exit,
-};
-
-const struct server_service_ops *ldapsrv_get_ops(void)
-{
- return &ldap_server_ops;
-}
NTSTATUS server_service_ldap_init(void)
{
- return NT_STATUS_OK;
+ return register_server_service("ldap", ldapsrv_init);
}
git.samba.org / jelmer / samba4-debian.git / blobdiff