2 Unix SMB/CIFS mplementation.
3 LDAP protocol helper functions for SAMBA
5 Copyright (C) Andrew Tridgell 2004
6 Copyright (C) Volker Lendecke 2004
7 Copyright (C) Stefan Metzmacher 2004
8 Copyright (C) Simo Sorce 2004
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 2 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program; if not, write to the Free Software
22 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
28 #include "dlinklist.h"
29 #include "lib/events/events.h"
30 #include "lib/socket/socket.h"
31 #include "libcli/ldap/ldap.h"
32 #include "libcli/ldap/ldap_client.h"
36 create a new ldap_connection stucture. The event context is optional
38 struct ldap_connection *ldap_new_connection(TALLOC_CTX *mem_ctx,
39 struct event_context *ev)
41 struct ldap_connection *conn;
43 conn = talloc_zero(mem_ctx, struct ldap_connection);
49 ev = event_context_init(conn);
56 conn->next_messageid = 1;
57 conn->event.event_ctx = ev;
59 /* set a reasonable request timeout */
67 the connection is dead
69 static void ldap_connection_dead(struct ldap_connection *conn)
71 struct ldap_request *req;
73 while (conn->pending) {
75 DLIST_REMOVE(req->conn->pending, req);
76 req->state = LDAP_REQUEST_DONE;
77 req->status = NT_STATUS_UNEXPECTED_NETWORK_ERROR;
83 while (conn->send_queue) {
84 req = conn->send_queue;
85 DLIST_REMOVE(req->conn->send_queue, req);
86 req->state = LDAP_REQUEST_DONE;
87 req->status = NT_STATUS_UNEXPECTED_NETWORK_ERROR;
93 talloc_free(conn->sock);
99 match up with a pending message, adding to the replies list
101 static void ldap_match_message(struct ldap_connection *conn, struct ldap_message *msg)
103 struct ldap_request *req;
105 for (req=conn->pending; req; req=req->next) {
106 if (req->messageid == msg->messageid) break;
109 DEBUG(0,("ldap: no matching message id for %u\n",
115 /* add to the list of replies received */
116 talloc_steal(req, msg);
117 req->replies = talloc_realloc(req, req->replies,
118 struct ldap_message *, req->num_replies+1);
119 if (req->replies == NULL) {
120 req->status = NT_STATUS_NO_MEMORY;
121 req->state = LDAP_REQUEST_DONE;
122 DLIST_REMOVE(conn->pending, req);
129 req->replies[req->num_replies] = talloc_steal(req->replies, msg);
132 if (msg->type != LDAP_TAG_SearchResultEntry) {
133 /* currently only search results expect multiple
135 req->state = LDAP_REQUEST_DONE;
136 DLIST_REMOVE(conn->pending, req);
145 try and decode/process plain data
147 static void ldap_try_decode_plain(struct ldap_connection *conn)
149 struct asn1_data asn1;
151 if (!asn1_load(&asn1, conn->partial)) {
152 ldap_connection_dead(conn);
156 /* try and decode - this will fail if we don't have a full packet yet */
157 while (asn1.ofs < asn1.length) {
158 struct ldap_message *msg = talloc(conn, struct ldap_message);
159 off_t saved_ofs = asn1.ofs;
162 ldap_connection_dead(conn);
166 if (ldap_decode(&asn1, msg)) {
167 ldap_match_message(conn, msg);
169 asn1.ofs = saved_ofs;
175 /* keep any remaining data in conn->partial */
176 data_blob_free(&conn->partial);
177 if (asn1.ofs != conn->partial.length) {
178 conn->partial = data_blob_talloc(conn,
179 asn1.data + asn1.ofs,
180 asn1.length - asn1.ofs);
186 try and decode/process wrapped data
188 static void ldap_try_decode_wrapped(struct ldap_connection *conn)
192 /* keep decoding while we have a full wrapped packet */
193 while (conn->partial.length >= 4 &&
194 (len=RIVAL(conn->partial.data, 0)) <= conn->partial.length-4) {
195 DATA_BLOB wrapped, unwrapped;
196 struct asn1_data asn1;
197 struct ldap_message *msg = talloc(conn, struct ldap_message);
201 ldap_connection_dead(conn);
205 wrapped.data = conn->partial.data+4;
206 wrapped.length = len;
208 status = gensec_unwrap(conn->gensec, msg, &wrapped, &unwrapped);
209 if (!NT_STATUS_IS_OK(status)) {
210 ldap_connection_dead(conn);
214 if (!asn1_load(&asn1, unwrapped)) {
215 ldap_connection_dead(conn);
219 while (ldap_decode(&asn1, msg)) {
220 ldap_match_message(conn, msg);
221 msg = talloc(conn, struct ldap_message);
227 if (conn->partial.length == len + 4) {
228 data_blob_free(&conn->partial);
230 memmove(conn->partial.data, conn->partial.data+len+4,
231 conn->partial.length - (len+4));
232 conn->partial.length -= len + 4;
239 handle ldap recv events
241 static void ldap_recv_handler(struct ldap_connection *conn)
244 size_t npending=0, nread;
246 /* work out how much data is pending */
247 status = socket_pending(conn->sock, &npending);
248 if (!NT_STATUS_IS_OK(status) || npending == 0) {
249 ldap_connection_dead(conn);
253 conn->partial.data = talloc_realloc_size(conn, conn->partial.data,
254 conn->partial.length + npending);
255 if (conn->partial.data == NULL) {
256 ldap_connection_dead(conn);
260 /* receive the pending data */
261 status = socket_recv(conn->sock, conn->partial.data + conn->partial.length,
262 npending, &nread, 0);
263 if (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES)) {
266 if (!NT_STATUS_IS_OK(status)) {
267 ldap_connection_dead(conn);
270 conn->partial.length += nread;
272 /* see if we can decode what we have */
273 if (conn->enable_wrap) {
274 ldap_try_decode_wrapped(conn);
276 ldap_try_decode_plain(conn);
282 handle ldap send events
284 static void ldap_send_handler(struct ldap_connection *conn)
286 while (conn->send_queue) {
287 struct ldap_request *req = conn->send_queue;
291 status = socket_send(conn->sock, &req->data, &nsent, 0);
292 if (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES)) {
295 if (!NT_STATUS_IS_OK(status)) {
296 ldap_connection_dead(conn);
300 req->data.data += nsent;
301 req->data.length -= nsent;
302 if (req->data.length == 0) {
303 req->state = LDAP_REQUEST_PENDING;
304 DLIST_REMOVE(conn->send_queue, req);
306 /* some types of requests don't expect a reply */
307 if (req->type == LDAP_TAG_AbandonRequest ||
308 req->type == LDAP_TAG_UnbindRequest) {
309 req->status = NT_STATUS_OK;
310 req->state = LDAP_REQUEST_DONE;
315 DLIST_ADD(conn->pending, req);
319 if (conn->send_queue == NULL) {
320 EVENT_FD_NOT_WRITEABLE(conn->event.fde);
326 handle ldap socket events
328 static void ldap_io_handler(struct event_context *ev, struct fd_event *fde,
329 uint16_t flags, void *private)
331 struct ldap_connection *conn = talloc_get_type(private, struct ldap_connection);
332 if (flags & EVENT_FD_WRITE) {
333 ldap_send_handler(conn);
334 if (conn->sock == NULL) return;
336 if (flags & EVENT_FD_READ) {
337 ldap_recv_handler(conn);
344 static NTSTATUS ldap_parse_basic_url(TALLOC_CTX *mem_ctx, const char *url,
345 char **host, uint16_t *port, BOOL *ldaps)
353 /* skip leading "URL:" (if any) */
354 if (strncasecmp(p, "URL:", 4) == 0) {
359 SMB_ASSERT(sizeof(protocol)>10 && sizeof(tmp_host)>254);
361 ret = sscanf(p, "%10[^:]://%254[^:/]:%d", protocol, tmp_host, &tmp_port);
363 return NT_STATUS_INVALID_PARAMETER;
366 if (strequal(protocol, "ldap")) {
369 } else if (strequal(protocol, "ldaps")) {
373 DEBUG(0, ("unrecognised ldap protocol (%s)!\n", protocol));
374 return NT_STATUS_PROTOCOL_UNREACHABLE;
380 *host = talloc_strdup(mem_ctx, tmp_host);
381 NT_STATUS_HAVE_NO_MEMORY(*host);
387 connect to a ldap server
389 NTSTATUS ldap_connect(struct ldap_connection *conn, const char *url)
393 status = ldap_parse_basic_url(conn, url, &conn->host,
394 &conn->port, &conn->ldaps);
395 NT_STATUS_NOT_OK_RETURN(status);
397 status = socket_create("ipv4", SOCKET_TYPE_STREAM, &conn->sock, 0);
398 NT_STATUS_NOT_OK_RETURN(status);
400 talloc_steal(conn, conn->sock);
402 /* connect in a event friendly way */
403 status = socket_connect_ev(conn->sock, NULL, 0, conn->host, conn->port, 0,
404 conn->event.event_ctx);
405 if (!NT_STATUS_IS_OK(status)) {
406 talloc_free(conn->sock);
410 /* setup a handler for events on this socket */
411 conn->event.fde = event_add_fd(conn->event.event_ctx, conn->sock,
412 socket_get_fd(conn->sock),
413 EVENT_FD_READ, ldap_io_handler, conn);
414 if (conn->event.fde == NULL) {
415 talloc_free(conn->sock);
416 return NT_STATUS_INTERNAL_ERROR;
422 /* destroy an open ldap request */
423 static int ldap_request_destructor(void *ptr)
425 struct ldap_request *req = talloc_get_type(ptr, struct ldap_request);
426 if (req->state == LDAP_REQUEST_SEND) {
427 DLIST_REMOVE(req->conn->send_queue, req);
429 if (req->state == LDAP_REQUEST_PENDING) {
430 DLIST_REMOVE(req->conn->pending, req);
436 called on timeout of a ldap request
438 static void ldap_request_timeout(struct event_context *ev, struct timed_event *te,
439 struct timeval t, void *private)
441 struct ldap_request *req = talloc_get_type(private, struct ldap_request);
442 req->status = NT_STATUS_IO_TIMEOUT;
443 if (req->state == LDAP_REQUEST_SEND) {
444 DLIST_REMOVE(req->conn->send_queue, req);
446 if (req->state == LDAP_REQUEST_PENDING) {
447 DLIST_REMOVE(req->conn->pending, req);
449 req->state = LDAP_REQUEST_DONE;
456 send a ldap message - async interface
458 struct ldap_request *ldap_request_send(struct ldap_connection *conn,
459 struct ldap_message *msg)
461 struct ldap_request *req;
463 if (conn->sock == NULL) {
467 req = talloc_zero(conn, struct ldap_request);
468 if (req == NULL) goto failed;
470 req->state = LDAP_REQUEST_SEND;
472 req->messageid = conn->next_messageid++;
473 req->type = msg->type;
474 if (req->messageid == -1) {
478 talloc_set_destructor(req, ldap_request_destructor);
480 msg->messageid = req->messageid;
482 if (!ldap_encode(msg, &req->data)) {
486 /* possibly encrypt/sign the request */
487 if (conn->enable_wrap) {
491 status = gensec_wrap(conn->gensec, req, &req->data, &wrapped);
492 if (!NT_STATUS_IS_OK(status)) {
495 data_blob_free(&req->data);
496 req->data = data_blob_talloc(req, NULL, wrapped.length + 4);
497 if (req->data.data == NULL) {
500 RSIVAL(req->data.data, 0, wrapped.length);
501 memcpy(req->data.data+4, wrapped.data, wrapped.length);
502 data_blob_free(&wrapped);
506 if (conn->send_queue == NULL) {
507 EVENT_FD_WRITEABLE(conn->event.fde);
509 DLIST_ADD_END(conn->send_queue, req, struct ldap_request *);
511 /* put a timeout on the request */
512 event_add_timed(conn->event.event_ctx, req,
513 timeval_current_ofs(conn->timeout, 0),
514 ldap_request_timeout, req);
525 wait for a request to complete
526 note that this does not destroy the request
528 NTSTATUS ldap_request_wait(struct ldap_request *req)
530 while (req->state != LDAP_REQUEST_DONE) {
531 if (event_loop_once(req->conn->event.event_ctx) != 0) {
532 req->status = NT_STATUS_UNEXPECTED_NETWORK_ERROR;
541 used to setup the status code from a ldap response
543 NTSTATUS ldap_check_response(struct ldap_connection *conn, struct ldap_Result *r)
545 if (r->resultcode == LDAP_SUCCESS) {
549 if (conn->last_error) {
550 talloc_free(conn->last_error);
552 conn->last_error = talloc_asprintf(conn, "LDAP error %u - %s <%s> <%s>",
554 r->dn?r->dn:"(NULL)",
555 r->errormessage?r->errormessage:"",
556 r->referral?r->referral:"");
558 return NT_STATUS_LDAP(r->resultcode);
562 return error string representing the last error
564 const char *ldap_errstr(struct ldap_connection *conn, NTSTATUS status)
566 if (NT_STATUS_IS_LDAP(status) && conn->last_error != NULL) {
567 return conn->last_error;
569 return nt_errstr(status);
574 return the Nth result message, waiting if necessary
576 NTSTATUS ldap_result_n(struct ldap_request *req, int n, struct ldap_message **msg)
580 NT_STATUS_HAVE_NO_MEMORY(req);
582 while (req->state != LDAP_REQUEST_DONE && n >= req->num_replies) {
583 if (event_loop_once(req->conn->event.event_ctx) != 0) {
584 return NT_STATUS_UNEXPECTED_NETWORK_ERROR;
588 if (n < req->num_replies) {
589 *msg = req->replies[n];
593 if (!NT_STATUS_IS_OK(req->status)) {
597 return NT_STATUS_NO_MORE_ENTRIES;
602 return a single result message, checking if it is of the expected LDAP type
604 NTSTATUS ldap_result_one(struct ldap_request *req, struct ldap_message **msg, int type)
607 status = ldap_result_n(req, 0, msg);
608 if (!NT_STATUS_IS_OK(status)) {
611 if ((*msg)->type != type) {
613 return NT_STATUS_UNEXPECTED_NETWORK_ERROR;
619 a simple ldap transaction, for single result requests that only need a status code
620 this relies on single valued requests having the response type == request type + 1
622 NTSTATUS ldap_transaction(struct ldap_connection *conn, struct ldap_message *msg)
624 struct ldap_request *req = ldap_request_send(conn, msg);
625 struct ldap_message *res;
627 status = ldap_result_n(req, 0, &res);
628 if (!NT_STATUS_IS_OK(status)) {
632 if (res->type != msg->type + 1) {
634 return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR);
636 status = ldap_check_response(conn, &res->r.GeneralResult);