2 Unix SMB/CIFS mplementation.
6 Copyright (C) Andrew Tridgell 2005
7 Copyright (C) Volker Lendecke 2004
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 2 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
26 #include "libcli/ldap/ldap.h"
27 #include "libcli/ldap/ldap_client.h"
28 #include "auth/auth.h"
30 static struct ldap_message *new_ldap_simple_bind_msg(struct ldap_connection *conn,
31 const char *dn, const char *pw)
33 struct ldap_message *res;
35 res = new_ldap_message(conn);
40 res->type = LDAP_TAG_BindRequest;
41 res->r.BindRequest.version = 3;
42 res->r.BindRequest.dn = talloc_strdup(res, dn);
43 res->r.BindRequest.mechanism = LDAP_AUTH_MECH_SIMPLE;
44 res->r.BindRequest.creds.password = talloc_strdup(res, pw);
51 perform a simple username/password bind
53 NTSTATUS ldap_bind_simple(struct ldap_connection *conn,
54 const char *userdn, const char *password)
56 struct ldap_request *req;
57 struct ldap_message *msg;
62 return NT_STATUS_INVALID_CONNECTION;
78 if (conn->simple_pw) {
85 msg = new_ldap_simple_bind_msg(conn, dn, pw);
86 NT_STATUS_HAVE_NO_MEMORY(msg);
88 /* send the request */
89 req = ldap_request_send(conn, msg);
91 NT_STATUS_HAVE_NO_MEMORY(req);
93 /* wait for replies */
94 status = ldap_request_wait(req);
95 if (!NT_STATUS_IS_OK(status)) {
100 /* check its a valid reply */
101 msg = req->replies[0];
102 if (msg->type != LDAP_TAG_BindResponse) {
104 return NT_STATUS_UNEXPECTED_NETWORK_ERROR;
107 status = ldap_check_response(conn, &msg->r.BindResponse.response);
115 static struct ldap_message *new_ldap_sasl_bind_msg(struct ldap_connection *conn,
116 const char *sasl_mechanism,
119 struct ldap_message *res;
121 res = new_ldap_message(conn);
126 res->type = LDAP_TAG_BindRequest;
127 res->r.BindRequest.version = 3;
128 res->r.BindRequest.dn = "";
129 res->r.BindRequest.mechanism = LDAP_AUTH_MECH_SASL;
130 res->r.BindRequest.creds.SASL.mechanism = talloc_strdup(res, sasl_mechanism);
131 res->r.BindRequest.creds.SASL.secblob = *secblob;
138 perform a sasl bind using the given credentials
140 NTSTATUS ldap_bind_sasl(struct ldap_connection *conn, struct cli_credentials *creds)
143 TALLOC_CTX *tmp_ctx = NULL;
145 DATA_BLOB input = data_blob(NULL, 0);
146 DATA_BLOB output = data_blob(NULL, 0);
148 struct ldap_message **sasl_mechs_msgs;
149 struct ldap_SearchResEntry *search;
152 const char **sasl_names;
153 const struct gensec_security_ops **mechs;
155 static const char *supported_sasl_mech_attrs[] = {
156 "supportedSASLMechanisms",
160 status = gensec_client_start(conn, &conn->gensec, NULL);
161 if (!NT_STATUS_IS_OK(status)) {
162 DEBUG(0, ("Failed to start GENSEC engine (%s)\n", nt_errstr(status)));
166 gensec_want_feature(conn->gensec, 0 | GENSEC_FEATURE_SIGN | GENSEC_FEATURE_SEAL);
168 status = gensec_set_credentials(conn->gensec, creds);
169 if (!NT_STATUS_IS_OK(status)) {
170 DEBUG(1, ("Failed to set GENSEC creds: %s\n",
175 status = gensec_set_target_hostname(conn->gensec, conn->host);
176 if (!NT_STATUS_IS_OK(status)) {
177 DEBUG(1, ("Failed to set GENSEC target hostname: %s\n",
182 status = gensec_set_target_service(conn->gensec, "ldap");
183 if (!NT_STATUS_IS_OK(status)) {
184 DEBUG(1, ("Failed to set GENSEC target service: %s\n",
189 status = ildap_search(conn, "", LDAP_SEARCH_SCOPE_BASE, "", supported_sasl_mech_attrs,
190 False, &sasl_mechs_msgs);
191 if (!NT_STATUS_IS_OK(status)) {
192 DEBUG(1, ("Failed to inquire of target's available sasl mechs in rootdse search: %s\n",
197 count = ildap_count_entries(conn, sasl_mechs_msgs);
199 DEBUG(1, ("Failed to inquire of target's available sasl mechs in rootdse search: wrong number of replies: %d\n",
204 tmp_ctx = talloc_new(conn);
205 if (tmp_ctx == NULL) goto failed;
207 search = &sasl_mechs_msgs[0]->r.SearchResultEntry;
208 if (search->num_attributes != 1) {
209 DEBUG(1, ("Failed to inquire of target's available sasl mechs in rootdse search: wrong number of attributes: %d\n",
210 search->num_attributes));
214 sasl_names = talloc_array(tmp_ctx, const char *, search->attributes[0].num_values + 1);
216 DEBUG(1, ("talloc_arry(char *, %d) failed\n",
221 for (i=0; i<search->attributes[0].num_values; i++) {
222 sasl_names[i] = (const char *)search->attributes[0].values[i].data;
224 sasl_names[i] = NULL;
226 mechs = gensec_security_by_sasl(conn->gensec, tmp_ctx, sasl_names);
227 if (!mechs || !mechs[0]) {
228 DEBUG(1, ("None of the %d proposed SASL mechs were acceptable\n",
233 status = gensec_start_mech_by_ops(conn->gensec, mechs[0]);
234 if (!NT_STATUS_IS_OK(status)) {
235 DEBUG(1, ("Failed to set GENSEC client mechanism: %s/%s %s\n",
236 mechs[0]->name, mechs[0]->sasl_name, nt_errstr(status)));
241 NTSTATUS gensec_status;
242 struct ldap_message *response;
243 struct ldap_message *msg;
244 struct ldap_request *req;
245 int result = LDAP_OTHER;
247 status = gensec_update(conn->gensec, tmp_ctx,
250 /* The status value here, from GENSEC is vital to the security
251 * of the system. Even if the other end accepts, if GENSEC
252 * claims 'MORE_PROCESSING_REQUIRED' then you must keep
253 * feeding it blobs, or else the remote host/attacker might
254 * avoid mutal authentication requirements.
256 * Likewise, you must not feed GENSEC too much (after the OK),
257 * it doesn't like that either
260 gensec_status = status;
262 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) &&
263 !NT_STATUS_IS_OK(status)) {
266 if (output.length == 0) {
270 msg = new_ldap_sasl_bind_msg(tmp_ctx, "GSS-SPNEGO", &output);
272 status = NT_STATUS_NO_MEMORY;
276 req = ldap_request_send(conn, msg);
278 status = NT_STATUS_NO_MEMORY;
281 talloc_steal(tmp_ctx, req);
283 status = ldap_result_n(req, 0, &response);
284 if (!NT_STATUS_IS_OK(status)) {
288 if (response->type != LDAP_TAG_BindResponse) {
289 status = NT_STATUS_UNEXPECTED_NETWORK_ERROR;
293 result = response->r.BindResponse.response.resultcode;
295 if (result != LDAP_SUCCESS && result != LDAP_SASL_BIND_IN_PROGRESS) {
296 status = ldap_check_response(conn,
297 &response->r.BindResponse.response);
301 /* This is where we check if GENSEC wanted to be fed more data */
302 if (!NT_STATUS_EQUAL(gensec_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
305 input = response->r.BindResponse.SASL.secblob;
308 if (NT_STATUS_IS_OK(status) &&
309 (gensec_have_feature(conn->gensec, GENSEC_FEATURE_SEAL) ||
310 gensec_have_feature(conn->gensec, GENSEC_FEATURE_SIGN))) {
311 conn->enable_wrap = True;
314 talloc_free(tmp_ctx);
318 talloc_free(tmp_ctx);
319 talloc_free(conn->gensec);