root/source4/ldap_server/ldap_server.c

/* [<][>][^][v][top][bottom][index][help] */

DEFINITIONS

This source file includes following definitions.
  1. ldapsrv_terminate_connection
  2. ldapsrv_error_handler
  3. ldapsrv_process_message
  4. ldapsrv_decode
  5. ldapsrv_conn_idle_timeout
  6. ldapsrv_recv
  7. ldapsrv_send
  8. ldapsrv_conn_init_timeout
  9. ldapsrv_load_limits
  10. ldapsrv_accept
  11. add_socket
  12. ldapsrv_task_init
  13. server_service_ldap_init

   1 /* 
   2    Unix SMB/CIFS implementation.
   3 
   4    LDAP server
   5 
   6    Copyright (C) Andrew Tridgell 2005
   7    Copyright (C) Volker Lendecke 2004
   8    Copyright (C) Stefan Metzmacher 2004
   9    
  10    This program is free software; you can redistribute it and/or modify
  11    it under the terms of the GNU General Public License as published by
  12    the Free Software Foundation; either version 3 of the License, or
  13    (at your option) any later version.
  14    
  15    This program is distributed in the hope that it will be useful,
  16    but WITHOUT ANY WARRANTY; without even the implied warranty of
  17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18    GNU General Public License for more details.
  19    
  20    You should have received a copy of the GNU General Public License
  21    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  22 */
  23 
  24 #include "includes.h"
  25 #include "lib/events/events.h"
  26 #include "auth/auth.h"
  27 #include "auth/credentials/credentials.h"
  28 #include "librpc/gen_ndr/ndr_samr.h"
  29 #include "../lib/util/dlinklist.h"
  30 #include "../lib/util/asn1.h"
  31 #include "ldap_server/ldap_server.h"
  32 #include "smbd/service_task.h"
  33 #include "smbd/service_stream.h"
  34 #include "smbd/service.h"
  35 #include "smbd/process_model.h"
  36 #include "lib/tls/tls.h"
  37 #include "lib/messaging/irpc.h"
  38 #include "lib/ldb/include/ldb.h"
  39 #include "lib/ldb/include/ldb_errors.h"
  40 #include "libcli/ldap/ldap.h"
  41 #include "libcli/ldap/ldap_proto.h"
  42 #include "system/network.h"
  43 #include "lib/socket/netif.h"
  44 #include "dsdb/samdb/samdb.h"
  45 #include "param/param.h"
  46 /*
  47   close the socket and shutdown a server_context
  48 */
  49 void ldapsrv_terminate_connection(struct ldapsrv_connection *conn, 
     /* [<][>][^][v][top][bottom][index][help] */
  50                                          const char *reason)
  51 {
  52         stream_terminate_connection(conn->connection, reason);
  53 }
  54 
  55 /*
  56   handle packet errors
  57 */
  58 static void ldapsrv_error_handler(void *private_data, NTSTATUS status)
     /* [<][>][^][v][top][bottom][index][help] */
  59 {
  60         struct ldapsrv_connection *conn = talloc_get_type(private_data,
  61                                                           struct ldapsrv_connection);
  62         ldapsrv_terminate_connection(conn, nt_errstr(status));
  63 }
  64 
  65 /*
  66   process a decoded ldap message
  67 */
  68 static void ldapsrv_process_message(struct ldapsrv_connection *conn,
     /* [<][>][^][v][top][bottom][index][help] */
  69                                     struct ldap_message *msg)
  70 {
  71         struct ldapsrv_call *call;
  72         NTSTATUS status;
  73         DATA_BLOB blob;
  74 
  75         call = talloc(conn, struct ldapsrv_call);
  76         if (!call) {
  77                 ldapsrv_terminate_connection(conn, "no memory");
  78                 return;         
  79         }
  80         
  81         call->request = talloc_steal(call, msg);
  82         call->conn = conn;
  83         call->replies = NULL;
  84         call->send_callback = NULL;
  85         call->send_private = NULL;
  86         
  87         /* make the call */
  88         status = ldapsrv_do_call(call);
  89         if (!NT_STATUS_IS_OK(status)) {
  90                 talloc_free(call);
  91                 return;
  92         }
  93         
  94         blob = data_blob(NULL, 0);
  95 
  96         if (call->replies == NULL) {
  97                 talloc_free(call);
  98                 return;
  99         }
 100 
 101         /* build all the replies into a single blob */
 102         while (call->replies) {
 103                 DATA_BLOB b;
 104                 bool ret;
 105 
 106                 msg = call->replies->msg;
 107                 if (!ldap_encode(msg, samba_ldap_control_handlers(), &b, call)) {
 108                         DEBUG(0,("Failed to encode ldap reply of type %d\n", msg->type));
 109                         talloc_free(call);
 110                         return;
 111                 }
 112 
 113                 ret = data_blob_append(call, &blob, b.data, b.length);
 114                 data_blob_free(&b);
 115 
 116                 talloc_set_name_const(blob.data, "Outgoing, encoded LDAP packet");
 117 
 118                 if (!ret) {
 119                         talloc_free(call);
 120                         return;
 121                 }
 122 
 123                 DLIST_REMOVE(call->replies, call->replies);
 124         }
 125 
 126         packet_send_callback(conn->packet, blob, 
 127                              call->send_callback, call->send_private);
 128         talloc_free(call);
 129         return;
 130 }
 131 
 132 /*
 133   decode/process data
 134 */
 135 static NTSTATUS ldapsrv_decode(void *private_data, DATA_BLOB blob)
     /* [<][>][^][v][top][bottom][index][help] */
 136 {
 137         NTSTATUS status;
 138         struct ldapsrv_connection *conn = talloc_get_type(private_data,
 139                                                           struct ldapsrv_connection);
 140         struct asn1_data *asn1 = asn1_init(conn);
 141         struct ldap_message *msg = talloc(conn, struct ldap_message);
 142 
 143         if (asn1 == NULL || msg == NULL) {
 144                 return NT_STATUS_NO_MEMORY;
 145         }
 146 
 147         if (!asn1_load(asn1, blob)) {
 148                 talloc_free(msg);
 149                 talloc_free(asn1);
 150                 return NT_STATUS_NO_MEMORY;
 151         }
 152 
 153         status = ldap_decode(asn1, samba_ldap_control_handlers(), msg);
 154         if (!NT_STATUS_IS_OK(status)) {
 155                 asn1_free(asn1);
 156                 return status;
 157         }
 158 
 159         data_blob_free(&blob);
 160         talloc_steal(conn, msg);
 161         asn1_free(asn1);
 162 
 163         ldapsrv_process_message(conn, msg);
 164         return NT_STATUS_OK;
 165 }
 166 
 167 /*
 168  Idle timeout handler
 169 */
 170 static void ldapsrv_conn_idle_timeout(struct tevent_context *ev,
     /* [<][>][^][v][top][bottom][index][help] */
 171                                       struct tevent_timer *te,
 172                                       struct timeval t,
 173                                       void *private_data)
 174 {
 175         struct ldapsrv_connection *conn = talloc_get_type(private_data, struct ldapsrv_connection);
 176 
 177         ldapsrv_terminate_connection(conn, "Timeout. No requests after bind");
 178 }
 179 
 180 /*
 181   called when a LDAP socket becomes readable
 182 */
 183 void ldapsrv_recv(struct stream_connection *c, uint16_t flags)
     /* [<][>][^][v][top][bottom][index][help] */
 184 {
 185         struct ldapsrv_connection *conn = 
 186                 talloc_get_type(c->private_data, struct ldapsrv_connection);
 187 
 188         if (conn->limits.ite) { /* clean initial timeout if any */
 189                 talloc_free(conn->limits.ite);
 190                 conn->limits.ite = NULL;
 191         }
 192 
 193         if (conn->limits.te) { /* clean idle timeout if any */
 194                 talloc_free(conn->limits.te);
 195                 conn->limits.te = NULL;
 196         }
 197 
 198         packet_recv(conn->packet);
 199 
 200         /* set idle timeout */
 201         conn->limits.te = event_add_timed(c->event.ctx, conn, 
 202                                            timeval_current_ofs(conn->limits.conn_idle_time, 0),
 203                                            ldapsrv_conn_idle_timeout, conn);
 204 }
 205 
 206 /*
 207   called when a LDAP socket becomes writable
 208 */
 209 static void ldapsrv_send(struct stream_connection *c, uint16_t flags)
     /* [<][>][^][v][top][bottom][index][help] */
 210 {
 211         struct ldapsrv_connection *conn = 
 212                 talloc_get_type(c->private_data, struct ldapsrv_connection);
 213         
 214         packet_queue_run(conn->packet);
 215 }
 216 
 217 static void ldapsrv_conn_init_timeout(struct tevent_context *ev,
     /* [<][>][^][v][top][bottom][index][help] */
 218                                       struct tevent_timer *te,
 219                                       struct timeval t,
 220                                       void *private_data)
 221 {
 222         struct ldapsrv_connection *conn = talloc_get_type(private_data, struct ldapsrv_connection);
 223 
 224         ldapsrv_terminate_connection(conn, "Timeout. No requests after initial connection");
 225 }
 226 
 227 static int ldapsrv_load_limits(struct ldapsrv_connection *conn)
     /* [<][>][^][v][top][bottom][index][help] */
 228 {
 229         TALLOC_CTX *tmp_ctx;
 230         const char *attrs[] = { "configurationNamingContext", NULL };
 231         const char *attrs2[] = { "lDAPAdminLimits", NULL };
 232         struct ldb_message_element *el;
 233         struct ldb_result *res = NULL;
 234         struct ldb_dn *basedn;
 235         struct ldb_dn *conf_dn;
 236         struct ldb_dn *policy_dn;
 237         int i,ret;
 238 
 239         /* set defaults limits in case of failure */
 240         conn->limits.initial_timeout = 120;
 241         conn->limits.conn_idle_time = 900;
 242         conn->limits.max_page_size = 1000;
 243         conn->limits.search_timeout = 120;
 244 
 245 
 246         tmp_ctx = talloc_new(conn);
 247         if (tmp_ctx == NULL) {
 248                 return -1;
 249         }
 250 
 251         basedn = ldb_dn_new(tmp_ctx, conn->ldb, NULL);
 252         if ( ! ldb_dn_validate(basedn)) {
 253                 goto failed;
 254         }
 255 
 256         ret = ldb_search(conn->ldb, tmp_ctx, &res, basedn, LDB_SCOPE_BASE, attrs, NULL);
 257         if (ret != LDB_SUCCESS) {
 258                 goto failed;
 259         }
 260 
 261         if (res->count != 1) {
 262                 goto failed;
 263         }
 264 
 265         conf_dn = ldb_msg_find_attr_as_dn(conn->ldb, tmp_ctx, res->msgs[0], "configurationNamingContext");
 266         if (conf_dn == NULL) {
 267                 goto failed;
 268         }
 269 
 270         policy_dn = ldb_dn_copy(tmp_ctx, conf_dn);
 271         ldb_dn_add_child_fmt(policy_dn, "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services");
 272         if (policy_dn == NULL) {
 273                 goto failed;
 274         }
 275 
 276         ret = ldb_search(conn->ldb, tmp_ctx, &res, policy_dn, LDB_SCOPE_BASE, attrs2, NULL);
 277         if (ret != LDB_SUCCESS) {
 278                 goto failed;
 279         }
 280 
 281         if (res->count != 1) {
 282                 goto failed;
 283         }
 284 
 285         el = ldb_msg_find_element(res->msgs[0], "lDAPAdminLimits");
 286         if (el == NULL) {
 287                 goto failed;
 288         }
 289 
 290         for (i = 0; i < el->num_values; i++) {
 291                 char policy_name[256];
 292                 int policy_value, s;
 293 
 294                 s = sscanf((const char *)el->values[i].data, "%255[^=]=%d", policy_name, &policy_value);
 295                 if (ret != 2 || policy_value == 0)
 296                         continue;
 297                 
 298                 if (strcasecmp("InitRecvTimeout", policy_name) == 0) {
 299                         conn->limits.initial_timeout = policy_value;
 300                         continue;
 301                 }
 302                 if (strcasecmp("MaxConnIdleTime", policy_name) == 0) {
 303                         conn->limits.conn_idle_time = policy_value;
 304                         continue;
 305                 }
 306                 if (strcasecmp("MaxPageSize", policy_name) == 0) {
 307                         conn->limits.max_page_size = policy_value;
 308                         continue;
 309                 }
 310                 if (strcasecmp("MaxQueryDuration", policy_name) == 0) {
 311                         conn->limits.search_timeout = policy_value;
 312                         continue;
 313                 }
 314         }
 315 
 316         return 0;
 317 
 318 failed:
 319         DEBUG(0, ("Failed to load ldap server query policies\n"));
 320         talloc_free(tmp_ctx);
 321         return -1;
 322 }
 323 
 324 /*
 325   initialise a server_context from a open socket and register a event handler
 326   for reading from that socket
 327 */
 328 static void ldapsrv_accept(struct stream_connection *c)
     /* [<][>][^][v][top][bottom][index][help] */
 329 {
 330         struct ldapsrv_service *ldapsrv_service = 
 331                 talloc_get_type(c->private_data, struct ldapsrv_service);
 332         struct ldapsrv_connection *conn;
 333         struct cli_credentials *server_credentials;
 334         struct socket_address *socket_address;
 335         NTSTATUS status;
 336         int port;
 337 
 338         conn = talloc_zero(c, struct ldapsrv_connection);
 339         if (!conn) {
 340                 stream_terminate_connection(c, "ldapsrv_accept: out of memory");
 341                 return;
 342         }
 343 
 344         conn->packet      = NULL;
 345         conn->connection  = c;
 346         conn->service     = ldapsrv_service;
 347         conn->sockets.raw = c->socket;
 348         conn->lp_ctx      = ldapsrv_service->task->lp_ctx;
 349 
 350         c->private_data   = conn;
 351 
 352         socket_address = socket_get_my_addr(c->socket, conn);
 353         if (!socket_address) {
 354                 ldapsrv_terminate_connection(conn, "ldapsrv_accept: failed to obtain local socket address!");
 355                 return;
 356         }
 357         port = socket_address->port;
 358         talloc_free(socket_address);
 359 
 360         if (port == 636) {
 361                 struct socket_context *tls_socket = tls_init_server(ldapsrv_service->tls_params, c->socket, 
 362                                                                     c->event.fde, NULL);
 363                 if (!tls_socket) {
 364                         ldapsrv_terminate_connection(conn, "ldapsrv_accept: tls_init_server() failed");
 365                         return;
 366                 }
 367                 talloc_unlink(c, c->socket);
 368                 talloc_steal(c, tls_socket);
 369                 c->socket = tls_socket;
 370                 conn->sockets.tls = tls_socket;
 371 
 372         } else if (port == 3268) /* Global catalog */ {
 373                 conn->global_catalog = true;
 374         }
 375         conn->packet = packet_init(conn);
 376         if (conn->packet == NULL) {
 377                 ldapsrv_terminate_connection(conn, "out of memory");
 378                 return;
 379         }
 380 
 381         packet_set_private(conn->packet, conn);
 382         packet_set_socket(conn->packet, c->socket);
 383         packet_set_callback(conn->packet, ldapsrv_decode);
 384         packet_set_full_request(conn->packet, ldap_full_packet);
 385         packet_set_error_handler(conn->packet, ldapsrv_error_handler);
 386         packet_set_event_context(conn->packet, c->event.ctx);
 387         packet_set_fde(conn->packet, c->event.fde);
 388         packet_set_serialise(conn->packet);
 389 
 390         if (conn->sockets.tls) {
 391                 packet_set_unreliable_select(conn->packet);
 392         }
 393         
 394         /* Ensure we don't get packets until the database is ready below */
 395         packet_recv_disable(conn->packet);
 396 
 397         server_credentials = cli_credentials_init(conn);
 398         if (!server_credentials) {
 399                 stream_terminate_connection(c, "Failed to init server credentials\n");
 400                 return;
 401         }
 402         
 403         cli_credentials_set_conf(server_credentials, conn->lp_ctx);
 404         status = cli_credentials_set_machine_account(server_credentials, conn->lp_ctx);
 405         if (!NT_STATUS_IS_OK(status)) {
 406                 stream_terminate_connection(c, talloc_asprintf(conn, "Failed to obtain server credentials, perhaps a standalone server?: %s\n", nt_errstr(status)));
 407                 return;
 408         }
 409         conn->server_credentials = server_credentials;
 410 
 411         /* Connections start out anonymous */
 412         if (!NT_STATUS_IS_OK(auth_anonymous_session_info(conn, c->event.ctx, conn->lp_ctx, &conn->session_info))) {
 413                 ldapsrv_terminate_connection(conn, "failed to setup anonymous session info");
 414                 return;
 415         }
 416 
 417         if (!NT_STATUS_IS_OK(ldapsrv_backend_Init(conn))) {
 418                 ldapsrv_terminate_connection(conn, "backend Init failed");
 419                 return;
 420         }
 421 
 422         /* load limits from the conf partition */
 423         ldapsrv_load_limits(conn); /* should we fail on error ? */
 424 
 425         /* register the server */       
 426         irpc_add_name(c->msg_ctx, "ldap_server");
 427 
 428         /* set connections limits */
 429         conn->limits.ite = event_add_timed(c->event.ctx, conn, 
 430                                            timeval_current_ofs(conn->limits.initial_timeout, 0),
 431                                            ldapsrv_conn_init_timeout, conn);
 432 
 433         packet_recv_enable(conn->packet);
 434 
 435 }
 436 
 437 static const struct stream_server_ops ldap_stream_ops = {
 438         .name                   = "ldap",
 439         .accept_connection      = ldapsrv_accept,
 440         .recv_handler           = ldapsrv_recv,
 441         .send_handler           = ldapsrv_send,
 442 };
 443 
 444 /*
 445   add a socket address to the list of events, one event per port
 446 */
 447 static NTSTATUS add_socket(struct tevent_context *event_context,
     /* [<][>][^][v][top][bottom][index][help] */
 448                            struct loadparm_context *lp_ctx, 
 449                            const struct model_ops *model_ops,
 450                            const char *address, struct ldapsrv_service *ldap_service)
 451 {
 452         uint16_t port = 389;
 453         NTSTATUS status;
 454         struct ldb_context *ldb;
 455 
 456         status = stream_setup_socket(event_context, lp_ctx,
 457                                      model_ops, &ldap_stream_ops, 
 458                                      "ipv4", address, &port, 
 459                                      lp_socket_options(lp_ctx), 
 460                                      ldap_service);
 461         if (!NT_STATUS_IS_OK(status)) {
 462                 DEBUG(0,("ldapsrv failed to bind to %s:%u - %s\n",
 463                          address, port, nt_errstr(status)));
 464         }
 465 
 466         if (tls_support(ldap_service->tls_params)) {
 467                 /* add ldaps server */
 468                 port = 636;
 469                 status = stream_setup_socket(event_context, lp_ctx, 
 470                                              model_ops, &ldap_stream_ops, 
 471                                              "ipv4", address, &port, 
 472                                              lp_socket_options(lp_ctx), 
 473                                              ldap_service);
 474                 if (!NT_STATUS_IS_OK(status)) {
 475                         DEBUG(0,("ldapsrv failed to bind to %s:%u - %s\n",
 476                                  address, port, nt_errstr(status)));
 477                 }
 478         }
 479 
 480         /* Load LDAP database, but only to read our settings */
 481         ldb = samdb_connect(ldap_service, ldap_service->task->event_ctx, 
 482                             lp_ctx, system_session(ldap_service, lp_ctx));
 483         if (!ldb) {
 484                 return NT_STATUS_INTERNAL_DB_CORRUPTION;
 485         }
 486         
 487         if (samdb_is_gc(ldb)) {
 488                 port = 3268;
 489                 status = stream_setup_socket(event_context, lp_ctx,
 490                                              model_ops, &ldap_stream_ops, 
 491                                              "ipv4", address, &port, 
 492                                              lp_socket_options(lp_ctx), 
 493                                              ldap_service);
 494                 if (!NT_STATUS_IS_OK(status)) {
 495                         DEBUG(0,("ldapsrv failed to bind to %s:%u - %s\n",
 496                                  address, port, nt_errstr(status)));
 497                 }
 498         }
 499 
 500         /* And once we are bound, free the tempoary ldb, it will
 501          * connect again on each incoming LDAP connection */
 502         talloc_free(ldb);
 503 
 504         return status;
 505 }
 506 
 507 /*
 508   open the ldap server sockets
 509 */
 510 static void ldapsrv_task_init(struct task_server *task)
     /* [<][>][^][v][top][bottom][index][help] */
 511 {       
 512         char *ldapi_path;
 513         struct ldapsrv_service *ldap_service;
 514         NTSTATUS status;
 515         const struct model_ops *model_ops;
 516 
 517         switch (lp_server_role(task->lp_ctx)) {
 518         case ROLE_STANDALONE:
 519                 task_server_terminate(task, "ldap_server: no LDAP server required in standalone configuration");
 520                 return;
 521         case ROLE_DOMAIN_MEMBER:
 522                 task_server_terminate(task, "ldap_server: no LDAP server required in member server configuration");
 523                 return;
 524         case ROLE_DOMAIN_CONTROLLER:
 525                 /* Yes, we want an LDAP server */
 526                 break;
 527         }
 528 
 529         task_server_set_title(task, "task[ldapsrv]");
 530 
 531         /* run the ldap server as a single process */
 532         model_ops = process_model_startup(task->event_ctx, "single");
 533         if (!model_ops) goto failed;
 534 
 535         ldap_service = talloc_zero(task, struct ldapsrv_service);
 536         if (ldap_service == NULL) goto failed;
 537 
 538         ldap_service->task = task;
 539 
 540         ldap_service->tls_params = tls_initialise(ldap_service, task->lp_ctx);
 541         if (ldap_service->tls_params == NULL) goto failed;
 542 
 543         if (lp_interfaces(task->lp_ctx) && lp_bind_interfaces_only(task->lp_ctx)) {
 544                 struct interface *ifaces;
 545                 int num_interfaces;
 546                 int i;
 547 
 548                 load_interfaces(task, lp_interfaces(task->lp_ctx), &ifaces);
 549                 num_interfaces = iface_count(ifaces);
 550 
 551                 /* We have been given an interfaces line, and been 
 552                    told to only bind to those interfaces. Create a
 553                    socket per interface and bind to only these.
 554                 */
 555                 for(i = 0; i < num_interfaces; i++) {
 556                         const char *address = iface_n_ip(ifaces, i);
 557                         status = add_socket(task->event_ctx, task->lp_ctx, model_ops, address, ldap_service);
 558                         if (!NT_STATUS_IS_OK(status)) goto failed;
 559                 }
 560         } else {
 561                 status = add_socket(task->event_ctx, task->lp_ctx, model_ops, 
 562                                     lp_socket_address(task->lp_ctx), ldap_service);
 563                 if (!NT_STATUS_IS_OK(status)) goto failed;
 564         }
 565 
 566         ldapi_path = private_path(ldap_service, task->lp_ctx, "ldapi");
 567         if (!ldapi_path) {
 568                 goto failed;
 569         }
 570 
 571         status = stream_setup_socket(task->event_ctx, task->lp_ctx,
 572                                      model_ops, &ldap_stream_ops, 
 573                                      "unix", ldapi_path, NULL, 
 574                                      lp_socket_options(task->lp_ctx), 
 575                                      ldap_service);
 576         talloc_free(ldapi_path);
 577         if (!NT_STATUS_IS_OK(status)) {
 578                 DEBUG(0,("ldapsrv failed to bind to %s - %s\n",
 579                          ldapi_path, nt_errstr(status)));
 580         }
 581 
 582         return;
 583 
 584 failed:
 585         task_server_terminate(task, "Failed to startup ldap server task");      
 586 }
 587 
 588 
 589 NTSTATUS server_service_ldap_init(void)
     /* [<][>][^][v][top][bottom][index][help] */
 590 {
 591         return register_server_service("ldap", ldapsrv_task_init);
 592 }

/* [<][>][^][v][top][bottom][index][help] */