source4/libcli/ldap/ldap_bind.c

   1 /*
   2    Unix SMB/CIFS mplementation.
   3
   4    LDAP bind calls
   5
   6    Copyright (C) Andrew Tridgell  2005
   7    Copyright (C) Volker Lendecke  2004
   8
   9    This program is free software; you can redistribute it and/or modify
  10    it under the terms of the GNU General Public License as published by
  11    the Free Software Foundation; either version 2 of the License, or
  12    (at your option) any later version.
  13
  14    This program is distributed in the hope that it will be useful,
  15    but WITHOUT ANY WARRANTY; without even the implied warranty of
  16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17    GNU General Public License for more details.
  18
  19    You should have received a copy of the GNU General Public License
  20    along with this program; if not, write to the Free Software
  21    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  22
  23 */
  24
  25 #include "includes.h"
  26 #include "libcli/ldap/ldap.h"
  27 #include "libcli/ldap/ldap_client.h"
  28 #include "auth/auth.h"
  29
  30 static struct ldap_message *new_ldap_simple_bind_msg(struct ldap_connection *conn,
  31                                                      const char *dn, const char *pw)
  32 {
  33         struct ldap_message *res;
  34
  35         res = new_ldap_message(conn);
  36         if (!res) {
  37                 return NULL;
  38         }
  39
  40         res->type = LDAP_TAG_BindRequest;
  41         res->r.BindRequest.version = 3;
  42         res->r.BindRequest.dn = talloc_strdup(res, dn);
  43         res->r.BindRequest.mechanism = LDAP_AUTH_MECH_SIMPLE;
  44         res->r.BindRequest.creds.password = talloc_strdup(res, pw);
  45
  46         return res;
  47 }
  48
  49
  50 /*
  51   perform a simple username/password bind
  52 */
  53 NTSTATUS ldap_bind_simple(struct ldap_connection *conn,
  54                           const char *userdn, const char *password)
  55 {
  56         struct ldap_request *req;
  57         struct ldap_message *msg;
  58         const char *dn, *pw;
  59         NTSTATUS status;
  60
  61         if (conn == NULL) {
  62                 return NT_STATUS_INVALID_CONNECTION;
  63         }
  64
  65         if (userdn) {
  66                 dn = userdn;
  67         } else {
  68                 if (conn->auth_dn) {
  69                         dn = conn->auth_dn;
  70                 } else {
  71                         dn = "";
  72                 }
  73         }
  74
  75         if (password) {
  76                 pw = password;
  77         } else {
  78                 if (conn->simple_pw) {
  79                         pw = conn->simple_pw;
  80                 } else {
  81                         pw = "";
  82                 }
  83         }
  84
  85         msg = new_ldap_simple_bind_msg(conn, dn, pw);
  86         NT_STATUS_HAVE_NO_MEMORY(msg);
  87
  88         /* send the request */
  89         req = ldap_request_send(conn, msg);
  90         talloc_free(msg);
  91         NT_STATUS_HAVE_NO_MEMORY(req);
  92
  93         /* wait for replies */
  94         status = ldap_request_wait(req);
  95         if (!NT_STATUS_IS_OK(status)) {
  96                 talloc_free(req);
  97                 return status;
  98         }
  99
 100         /* check its a valid reply */
 101         msg = req->replies[0];
 102         if (msg->type != LDAP_TAG_BindResponse) {
 103                 talloc_free(req);
 104                 return NT_STATUS_UNEXPECTED_NETWORK_ERROR;
 105         }
 106
 107         status = ldap_check_response(conn, &msg->r.BindResponse.response);
 108
 109         talloc_free(req);
 110
 111         return status;
 112 }
 113
 114
 115 static struct ldap_message *new_ldap_sasl_bind_msg(struct ldap_connection *conn,
 116                                                    const char *sasl_mechanism,
 117                                                    DATA_BLOB *secblob)
 118 {
 119         struct ldap_message *res;
 120
 121         res = new_ldap_message(conn);
 122         if (!res) {
 123                 return NULL;
 124         }
 125
 126         res->type = LDAP_TAG_BindRequest;
 127         res->r.BindRequest.version = 3;
 128         res->r.BindRequest.dn = "";
 129         res->r.BindRequest.mechanism = LDAP_AUTH_MECH_SASL;
 130         res->r.BindRequest.creds.SASL.mechanism = talloc_strdup(res, sasl_mechanism);
 131         res->r.BindRequest.creds.SASL.secblob = *secblob;
 132
 133         return res;
 134 }
 135
 136
 137 /*
 138   perform a sasl bind using the given credentials
 139 */
 140 NTSTATUS ldap_bind_sasl(struct ldap_connection *conn, struct cli_credentials *creds)
 141 {
 142         NTSTATUS status;
 143         TALLOC_CTX *tmp_ctx = NULL;
 144
 145         DATA_BLOB input = data_blob(NULL, 0);
 146         DATA_BLOB output = data_blob(NULL, 0);
 147
 148         struct ldap_message **sasl_mechs_msgs;
 149         struct ldap_SearchResEntry *search;
 150         int count, i;
 151
 152         const char **sasl_names;
 153         const struct gensec_security_ops **mechs;
 154
 155         static const char *supported_sasl_mech_attrs[] = {
 156                 "supportedSASLMechanisms",
 157                 NULL
 158         };
 159
 160         status = gensec_client_start(conn, &conn->gensec, NULL);
 161         if (!NT_STATUS_IS_OK(status)) {
 162                 DEBUG(0, ("Failed to start GENSEC engine (%s)\n", nt_errstr(status)));
 163                 goto failed;
 164         }
 165
 166         gensec_want_feature(conn->gensec, 0 | GENSEC_FEATURE_SIGN | GENSEC_FEATURE_SEAL);
 167
 168         status = gensec_set_credentials(conn->gensec, creds);
 169         if (!NT_STATUS_IS_OK(status)) {
 170                 DEBUG(1, ("Failed to set GENSEC creds: %s\n",
 171                           nt_errstr(status)));
 172                 goto failed;
 173         }
 174
 175         status = gensec_set_target_hostname(conn->gensec, conn->host);
 176         if (!NT_STATUS_IS_OK(status)) {
 177                 DEBUG(1, ("Failed to set GENSEC target hostname: %s\n",
 178                           nt_errstr(status)));
 179                 goto failed;
 180         }
 181
 182         status = gensec_set_target_service(conn->gensec, "ldap");
 183         if (!NT_STATUS_IS_OK(status)) {
 184                 DEBUG(1, ("Failed to set GENSEC target service: %s\n",
 185                           nt_errstr(status)));
 186                 goto failed;
 187         }
 188
 189         status = ildap_search(conn, "", LDAP_SEARCH_SCOPE_BASE, "", supported_sasl_mech_attrs,
 190                               False, &sasl_mechs_msgs);
 191         if (!NT_STATUS_IS_OK(status)) {
 192                 DEBUG(1, ("Failed to inquire of target's available sasl mechs in rootdse search: %s\n",
 193                           nt_errstr(status)));
 194                 goto failed;
 195         }
 196
 197         count = ildap_count_entries(conn, sasl_mechs_msgs);
 198         if (count != 1) {
 199                 DEBUG(1, ("Failed to inquire of target's available sasl mechs in rootdse search: wrong number of replies: %d\n",
 200                           count));
 201                 goto failed;
 202         }
 203
 204         tmp_ctx = talloc_new(conn);
 205         if (tmp_ctx == NULL) goto failed;
 206
 207         search = &sasl_mechs_msgs[0]->r.SearchResultEntry;
 208         if (search->num_attributes != 1) {
 209                 DEBUG(1, ("Failed to inquire of target's available sasl mechs in rootdse search: wrong number of attributes: %d\n",
 210                           search->num_attributes));
 211                 goto failed;
 212         }
 213
 214         sasl_names = talloc_array(tmp_ctx, const char *, search->attributes[0].num_values + 1);
 215         if (!sasl_names) {
 216                 DEBUG(1, ("talloc_arry(char *, %d) failed\n",
 217                           count));
 218                 goto failed;
 219         }
 220
 221         for (i=0; i<search->attributes[0].num_values; i++) {
 222                 sasl_names[i] = (const char *)search->attributes[0].values[i].data;
 223         }
 224         sasl_names[i] = NULL;
 225
 226         mechs = gensec_security_by_sasl(conn->gensec, tmp_ctx, sasl_names);
 227         if (!mechs || !mechs[0]) {
 228                 DEBUG(1, ("None of the %d proposed SASL mechs were acceptable\n",
 229                           count));
 230                 goto failed;
 231         }
 232
 233         status = gensec_start_mech_by_ops(conn->gensec, mechs[0]);
 234         if (!NT_STATUS_IS_OK(status)) {
 235                 DEBUG(1, ("Failed to set GENSEC client mechanism: %s/%s %s\n",
 236                           mechs[0]->name, mechs[0]->sasl_name, nt_errstr(status)));
 237                 goto failed;
 238         }
 239
 240         while (1) {
 241                 NTSTATUS gensec_status;
 242                 struct ldap_message *response;
 243                 struct ldap_message *msg;
 244                 struct ldap_request *req;
 245                 int result = LDAP_OTHER;
 246
 247                 status = gensec_update(conn->gensec, tmp_ctx,
 248                                        input,
 249                                        &output);
 250                 /* The status value here, from GENSEC is vital to the security
 251                  * of the system.  Even if the other end accepts, if GENSEC
 252                  * claims 'MORE_PROCESSING_REQUIRED' then you must keep
 253                  * feeding it blobs, or else the remote host/attacker might
 254                  * avoid mutal authentication requirements.
 255                  *
 256                  * Likewise, you must not feed GENSEC too much (after the OK),
 257                  * it doesn't like that either
 258                  */
 259
 260                 gensec_status = status;
 261
 262                 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) &&
 263                     !NT_STATUS_IS_OK(status)) {
 264                         break;
 265                 }
 266                 if (output.length == 0) {
 267                         break;
 268                 }
 269
 270                 msg = new_ldap_sasl_bind_msg(tmp_ctx, "GSS-SPNEGO", &output);
 271                 if (msg == NULL) {
 272                         status = NT_STATUS_NO_MEMORY;
 273                         goto failed;
 274                 }
 275
 276                 req = ldap_request_send(conn, msg);
 277                 if (req == NULL) {
 278                         status = NT_STATUS_NO_MEMORY;
 279                         goto failed;
 280                 }
 281                 talloc_steal(tmp_ctx, req);
 282
 283                 status = ldap_result_n(req, 0, &response);
 284                 if (!NT_STATUS_IS_OK(status)) {
 285                         goto failed;
 286                 }
 287
 288                 if (response->type != LDAP_TAG_BindResponse) {
 289                         status = NT_STATUS_UNEXPECTED_NETWORK_ERROR;
 290                         goto failed;
 291                 }
 292
 293                 result = response->r.BindResponse.response.resultcode;
 294
 295                 if (result != LDAP_SUCCESS && result != LDAP_SASL_BIND_IN_PROGRESS) {
 296                         status = ldap_check_response(conn,
 297                                                      &response->r.BindResponse.response);
 298                         break;
 299                 }
 300
 301                 /* This is where we check if GENSEC wanted to be fed more data */
 302                 if (!NT_STATUS_EQUAL(gensec_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 303                         break;
 304                 }
 305                 input = response->r.BindResponse.SASL.secblob;
 306         }
 307
 308         if (NT_STATUS_IS_OK(status) &&
 309             (gensec_have_feature(conn->gensec, GENSEC_FEATURE_SEAL) ||
 310              gensec_have_feature(conn->gensec, GENSEC_FEATURE_SIGN))) {
 311                 conn->enable_wrap = True;
 312         }
 313
 314         talloc_free(tmp_ctx);
 315         return status;
 316
 317 failed:
 318         talloc_free(tmp_ctx);
 319         talloc_free(conn->gensec);
 320         conn->gensec = NULL;
 321         return status;
 322 }