source4/libcli/ldap/ldap_bind.c

   1 /*
   2    Unix SMB/CIFS mplementation.
   3
   4    LDAP bind calls
   5
   6    Copyright (C) Andrew Tridgell  2005
   7    Copyright (C) Volker Lendecke  2004
   8
   9    This program is free software; you can redistribute it and/or modify
  10    it under the terms of the GNU General Public License as published by
  11    the Free Software Foundation; either version 2 of the License, or
  12    (at your option) any later version.
  13
  14    This program is distributed in the hope that it will be useful,
  15    but WITHOUT ANY WARRANTY; without even the implied warranty of
  16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17    GNU General Public License for more details.
  18
  19    You should have received a copy of the GNU General Public License
  20    along with this program; if not, write to the Free Software
  21    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  22
  23 */
  24
  25 #include "includes.h"
  26 #include "libcli/ldap/ldap.h"
  27 #include "libcli/ldap/ldap_client.h"
  28 #include "auth/auth.h"
  29
  30 static struct ldap_message *new_ldap_simple_bind_msg(struct ldap_connection *conn,
  31                                                      const char *dn, const char *pw)
  32 {
  33         struct ldap_message *res;
  34
  35         res = new_ldap_message(conn);
  36         if (!res) {
  37                 return NULL;
  38         }
  39
  40         res->type = LDAP_TAG_BindRequest;
  41         res->r.BindRequest.version = 3;
  42         res->r.BindRequest.dn = talloc_strdup(res, dn);
  43         res->r.BindRequest.mechanism = LDAP_AUTH_MECH_SIMPLE;
  44         res->r.BindRequest.creds.password = talloc_strdup(res, pw);
  45         res->controls = NULL;
  46
  47         return res;
  48 }
  49
  50
  51 /*
  52   perform a simple username/password bind
  53 */
  54 NTSTATUS ldap_bind_simple(struct ldap_connection *conn,
  55                           const char *userdn, const char *password)
  56 {
  57         struct ldap_request *req;
  58         struct ldap_message *msg;
  59         const char *dn, *pw;
  60         NTSTATUS status;
  61
  62         if (conn == NULL) {
  63                 return NT_STATUS_INVALID_CONNECTION;
  64         }
  65
  66         if (userdn) {
  67                 dn = userdn;
  68         } else {
  69                 if (conn->auth_dn) {
  70                         dn = conn->auth_dn;
  71                 } else {
  72                         dn = "";
  73                 }
  74         }
  75
  76         if (password) {
  77                 pw = password;
  78         } else {
  79                 if (conn->simple_pw) {
  80                         pw = conn->simple_pw;
  81                 } else {
  82                         pw = "";
  83                 }
  84         }
  85
  86         msg = new_ldap_simple_bind_msg(conn, dn, pw);
  87         NT_STATUS_HAVE_NO_MEMORY(msg);
  88
  89         /* send the request */
  90         req = ldap_request_send(conn, msg);
  91         talloc_free(msg);
  92         NT_STATUS_HAVE_NO_MEMORY(req);
  93
  94         /* wait for replies */
  95         status = ldap_request_wait(req);
  96         if (!NT_STATUS_IS_OK(status)) {
  97                 talloc_free(req);
  98                 return status;
  99         }
 100
 101         /* check its a valid reply */
 102         msg = req->replies[0];
 103         if (msg->type != LDAP_TAG_BindResponse) {
 104                 talloc_free(req);
 105                 return NT_STATUS_UNEXPECTED_NETWORK_ERROR;
 106         }
 107
 108         status = ldap_check_response(conn, &msg->r.BindResponse.response);
 109
 110         talloc_free(req);
 111
 112         return status;
 113 }
 114
 115
 116 static struct ldap_message *new_ldap_sasl_bind_msg(struct ldap_connection *conn,
 117                                                    const char *sasl_mechanism,
 118                                                    DATA_BLOB *secblob)
 119 {
 120         struct ldap_message *res;
 121
 122         res = new_ldap_message(conn);
 123         if (!res) {
 124                 return NULL;
 125         }
 126
 127         res->type = LDAP_TAG_BindRequest;
 128         res->r.BindRequest.version = 3;
 129         res->r.BindRequest.dn = "";
 130         res->r.BindRequest.mechanism = LDAP_AUTH_MECH_SASL;
 131         res->r.BindRequest.creds.SASL.mechanism = talloc_strdup(res, sasl_mechanism);
 132         res->r.BindRequest.creds.SASL.secblob = *secblob;
 133         res->controls = NULL;
 134
 135         return res;
 136 }
 137
 138
 139 /*
 140   perform a sasl bind using the given credentials
 141 */
 142 NTSTATUS ldap_bind_sasl(struct ldap_connection *conn, struct cli_credentials *creds)
 143 {
 144         NTSTATUS status;
 145         TALLOC_CTX *tmp_ctx = NULL;
 146
 147         DATA_BLOB input = data_blob(NULL, 0);
 148         DATA_BLOB output = data_blob(NULL, 0);
 149
 150         struct ldap_message **sasl_mechs_msgs;
 151         struct ldap_SearchResEntry *search;
 152         int count, i;
 153
 154         const char **sasl_names;
 155
 156         static const char *supported_sasl_mech_attrs[] = {
 157                 "supportedSASLMechanisms",
 158                 NULL
 159         };
 160
 161         status = gensec_client_start(conn, &conn->gensec, NULL);
 162         if (!NT_STATUS_IS_OK(status)) {
 163                 DEBUG(0, ("Failed to start GENSEC engine (%s)\n", nt_errstr(status)));
 164                 goto failed;
 165         }
 166
 167         gensec_want_feature(conn->gensec, 0 | GENSEC_FEATURE_SIGN | GENSEC_FEATURE_SEAL);
 168
 169         status = gensec_set_credentials(conn->gensec, creds);
 170         if (!NT_STATUS_IS_OK(status)) {
 171                 DEBUG(1, ("Failed to set GENSEC creds: %s\n",
 172                           nt_errstr(status)));
 173                 goto failed;
 174         }
 175
 176         status = gensec_set_target_hostname(conn->gensec, conn->host);
 177         if (!NT_STATUS_IS_OK(status)) {
 178                 DEBUG(1, ("Failed to set GENSEC target hostname: %s\n",
 179                           nt_errstr(status)));
 180                 goto failed;
 181         }
 182
 183         status = gensec_set_target_service(conn->gensec, "ldap");
 184         if (!NT_STATUS_IS_OK(status)) {
 185                 DEBUG(1, ("Failed to set GENSEC target service: %s\n",
 186                           nt_errstr(status)));
 187                 goto failed;
 188         }
 189
 190         status = ildap_search(conn, "", LDAP_SEARCH_SCOPE_BASE, "", supported_sasl_mech_attrs,
 191                               False, NULL, NULL, &sasl_mechs_msgs);
 192         if (!NT_STATUS_IS_OK(status)) {
 193                 DEBUG(1, ("Failed to inquire of target's available sasl mechs in rootdse search: %s\n",
 194                           nt_errstr(status)));
 195                 goto failed;
 196         }
 197
 198         count = ildap_count_entries(conn, sasl_mechs_msgs);
 199         if (count != 1) {
 200                 DEBUG(1, ("Failed to inquire of target's available sasl mechs in rootdse search: wrong number of replies: %d\n",
 201                           count));
 202                 goto failed;
 203         }
 204
 205         tmp_ctx = talloc_new(conn);
 206         if (tmp_ctx == NULL) goto failed;
 207
 208         search = &sasl_mechs_msgs[0]->r.SearchResultEntry;
 209         if (search->num_attributes != 1) {
 210                 DEBUG(1, ("Failed to inquire of target's available sasl mechs in rootdse search: wrong number of attributes: %d\n",
 211                           search->num_attributes));
 212                 goto failed;
 213         }
 214
 215         sasl_names = talloc_array(tmp_ctx, const char *, search->attributes[0].num_values + 1);
 216         if (!sasl_names) {
 217                 DEBUG(1, ("talloc_arry(char *, %d) failed\n",
 218                           count));
 219                 goto failed;
 220         }
 221
 222         for (i=0; i<search->attributes[0].num_values; i++) {
 223                 sasl_names[i] = (const char *)search->attributes[0].values[i].data;
 224         }
 225         sasl_names[i] = NULL;
 226
 227         status = gensec_start_mech_by_sasl_list(conn->gensec, sasl_names);
 228         if (!NT_STATUS_IS_OK(status)) {
 229                 DEBUG(1, ("None of the %d proposed SASL mechs were acceptable: %s\n",
 230                           count, nt_errstr(status)));
 231                 goto failed;
 232         }
 233
 234         while (1) {
 235                 NTSTATUS gensec_status;
 236                 struct ldap_message *response;
 237                 struct ldap_message *msg;
 238                 struct ldap_request *req;
 239                 int result = LDAP_OTHER;
 240
 241                 status = gensec_update(conn->gensec, tmp_ctx,
 242                                        input,
 243                                        &output);
 244                 /* The status value here, from GENSEC is vital to the security
 245                  * of the system.  Even if the other end accepts, if GENSEC
 246                  * claims 'MORE_PROCESSING_REQUIRED' then you must keep
 247                  * feeding it blobs, or else the remote host/attacker might
 248                  * avoid mutal authentication requirements.
 249                  *
 250                  * Likewise, you must not feed GENSEC too much (after the OK),
 251                  * it doesn't like that either
 252                  */
 253
 254                 gensec_status = status;
 255
 256                 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) &&
 257                     !NT_STATUS_IS_OK(status)) {
 258                         break;
 259                 }
 260                 if (NT_STATUS_IS_OK(status) && output.length == 0) {
 261                         break;
 262                 }
 263
 264                 /* Perhaps we should make gensec_start_mech_by_sasl_list() return the name we got? */
 265                 msg = new_ldap_sasl_bind_msg(tmp_ctx, conn->gensec->ops->sasl_name, &output);
 266                 if (msg == NULL) {
 267                         status = NT_STATUS_NO_MEMORY;
 268                         goto failed;
 269                 }
 270
 271                 req = ldap_request_send(conn, msg);
 272                 if (req == NULL) {
 273                         status = NT_STATUS_NO_MEMORY;
 274                         goto failed;
 275                 }
 276                 talloc_steal(tmp_ctx, req);
 277
 278                 status = ldap_result_n(req, 0, &response);
 279                 if (!NT_STATUS_IS_OK(status)) {
 280                         goto failed;
 281                 }
 282
 283                 if (response->type != LDAP_TAG_BindResponse) {
 284                         status = NT_STATUS_UNEXPECTED_NETWORK_ERROR;
 285                         goto failed;
 286                 }
 287
 288                 result = response->r.BindResponse.response.resultcode;
 289
 290                 if (result != LDAP_SUCCESS && result != LDAP_SASL_BIND_IN_PROGRESS) {
 291                         status = ldap_check_response(conn,
 292                                                      &response->r.BindResponse.response);
 293                         break;
 294                 }
 295
 296                 /* This is where we check if GENSEC wanted to be fed more data */
 297                 if (!NT_STATUS_EQUAL(gensec_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 298                         break;
 299                 }
 300                 input = response->r.BindResponse.SASL.secblob;
 301         }
 302
 303         if (NT_STATUS_IS_OK(status) &&
 304             (gensec_have_feature(conn->gensec, GENSEC_FEATURE_SEAL) ||
 305              gensec_have_feature(conn->gensec, GENSEC_FEATURE_SIGN))) {
 306                 conn->enable_wrap = True;
 307         }
 308
 309         talloc_free(tmp_ctx);
 310         return status;
 311
 312 failed:
 313         talloc_free(tmp_ctx);
 314         talloc_free(conn->gensec);
 315         conn->gensec = NULL;
 316         return status;
 317 }