/* [<][>][^][v][top][bottom][index][help] */
DEFINITIONS
This source file includes following definitions.
- ldap4_new_connection
- ldap_connection_dead
- ldap_error_handler
- ldap_match_message
- ldap_recv_handler
- ldap_read_io_handler
- ldap_io_handler
- ldap_parse_basic_url
- ldap_connect_send
- ldap_connect_got_sock
- ldap_connect_recv_tcp_conn
- ldap_connect_recv_unix_conn
- ldap_connect_recv
- ldap_connect
- ldap_set_reconn_params
- ldap_reconnect
- ldap_request_destructor
- ldap_request_timeout
- ldap_request_complete
- ldap_request_send
- ldap_request_wait
- ldap_check_response
- ldap_errstr
- ldap_result_n
- ldap_result_one
- ldap_transaction
1 /*
2 Unix SMB/CIFS mplementation.
3 LDAP protocol helper functions for SAMBA
4
5 Copyright (C) Andrew Tridgell 2004
6 Copyright (C) Volker Lendecke 2004
7 Copyright (C) Stefan Metzmacher 2004
8 Copyright (C) Simo Sorce 2004
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22
23 */
24
25 #include "includes.h"
26 #include <tevent.h>
27 #include "lib/socket/socket.h"
28 #include "../lib/util/asn1.h"
29 #include "../lib/util/dlinklist.h"
30 #include "libcli/ldap/ldap.h"
31 #include "libcli/ldap/ldap_proto.h"
32 #include "libcli/ldap/ldap_client.h"
33 #include "libcli/composite/composite.h"
34 #include "lib/stream/packet.h"
35 #include "lib/tls/tls.h"
36 #include "auth/gensec/gensec.h"
37 #include "system/time.h"
38 #include "param/param.h"
39 #include "libcli/resolve/resolve.h"
40
41 /**
42 create a new ldap_connection stucture. The event context is optional
43 */
44 _PUBLIC_ struct ldap_connection *ldap4_new_connection(TALLOC_CTX *mem_ctx,
/* [<][>][^][v][top][bottom][index][help] */
45 struct loadparm_context *lp_ctx,
46 struct tevent_context *ev)
47 {
48 struct ldap_connection *conn;
49
50 if (ev == NULL) {
51 return NULL;
52 }
53
54 conn = talloc_zero(mem_ctx, struct ldap_connection);
55 if (conn == NULL) {
56 return NULL;
57 }
58
59 conn->next_messageid = 1;
60 conn->event.event_ctx = ev;
61
62 conn->lp_ctx = lp_ctx;
63
64 /* set a reasonable request timeout */
65 conn->timeout = 60;
66
67 /* explicitly avoid reconnections by default */
68 conn->reconnect.max_retries = 0;
69
70 return conn;
71 }
72
73 /*
74 the connection is dead
75 */
76 static void ldap_connection_dead(struct ldap_connection *conn)
/* [<][>][^][v][top][bottom][index][help] */
77 {
78 struct ldap_request *req;
79
80 talloc_free(conn->sock); /* this will also free event.fde */
81 talloc_free(conn->packet);
82 conn->sock = NULL;
83 conn->event.fde = NULL;
84 conn->packet = NULL;
85
86 /* return an error for any pending request ... */
87 while (conn->pending) {
88 req = conn->pending;
89 DLIST_REMOVE(req->conn->pending, req);
90 req->state = LDAP_REQUEST_DONE;
91 req->status = NT_STATUS_UNEXPECTED_NETWORK_ERROR;
92 if (req->async.fn) {
93 req->async.fn(req);
94 }
95 }
96 }
97
98 static void ldap_reconnect(struct ldap_connection *conn);
99
100 /*
101 handle packet errors
102 */
103 static void ldap_error_handler(void *private_data, NTSTATUS status)
/* [<][>][^][v][top][bottom][index][help] */
104 {
105 struct ldap_connection *conn = talloc_get_type(private_data,
106 struct ldap_connection);
107 ldap_connection_dead(conn);
108
109 /* but try to reconnect so that the ldb client can go on */
110 ldap_reconnect(conn);
111 }
112
113
114 /*
115 match up with a pending message, adding to the replies list
116 */
117 static void ldap_match_message(struct ldap_connection *conn, struct ldap_message *msg)
/* [<][>][^][v][top][bottom][index][help] */
118 {
119 struct ldap_request *req;
120 int i;
121
122 for (req=conn->pending; req; req=req->next) {
123 if (req->messageid == msg->messageid) break;
124 }
125 /* match a zero message id to the last request sent.
126 It seems that servers send 0 if unable to parse */
127 if (req == NULL && msg->messageid == 0) {
128 req = conn->pending;
129 }
130 if (req == NULL) {
131 DEBUG(0,("ldap: no matching message id for %u\n",
132 msg->messageid));
133 talloc_free(msg);
134 return;
135 }
136
137 /* Check for undecoded critical extensions */
138 for (i=0; msg->controls && msg->controls[i]; i++) {
139 if (!msg->controls_decoded[i] &&
140 msg->controls[i]->critical) {
141 req->status = NT_STATUS_LDAP(LDAP_UNAVAILABLE_CRITICAL_EXTENSION);
142 req->state = LDAP_REQUEST_DONE;
143 DLIST_REMOVE(conn->pending, req);
144 if (req->async.fn) {
145 req->async.fn(req);
146 }
147 return;
148 }
149 }
150
151 /* add to the list of replies received */
152 talloc_steal(req, msg);
153 req->replies = talloc_realloc(req, req->replies,
154 struct ldap_message *, req->num_replies+1);
155 if (req->replies == NULL) {
156 req->status = NT_STATUS_NO_MEMORY;
157 req->state = LDAP_REQUEST_DONE;
158 DLIST_REMOVE(conn->pending, req);
159 if (req->async.fn) {
160 req->async.fn(req);
161 }
162 return;
163 }
164
165 req->replies[req->num_replies] = talloc_steal(req->replies, msg);
166 req->num_replies++;
167
168 if (msg->type != LDAP_TAG_SearchResultEntry &&
169 msg->type != LDAP_TAG_SearchResultReference) {
170 /* currently only search results expect multiple
171 replies */
172 req->state = LDAP_REQUEST_DONE;
173 DLIST_REMOVE(conn->pending, req);
174 }
175
176 if (req->async.fn) {
177 req->async.fn(req);
178 }
179 }
180
181
182 /*
183 decode/process LDAP data
184 */
185 static NTSTATUS ldap_recv_handler(void *private_data, DATA_BLOB blob)
/* [<][>][^][v][top][bottom][index][help] */
186 {
187 NTSTATUS status;
188 struct ldap_connection *conn = talloc_get_type(private_data,
189 struct ldap_connection);
190 struct ldap_message *msg = talloc(conn, struct ldap_message);
191 struct asn1_data *asn1 = asn1_init(conn);
192
193 if (asn1 == NULL || msg == NULL) {
194 return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR);
195 }
196
197 if (!asn1_load(asn1, blob)) {
198 talloc_free(msg);
199 talloc_free(asn1);
200 return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR);
201 }
202
203 status = ldap_decode(asn1, samba_ldap_control_handlers(), msg);
204 if (!NT_STATUS_IS_OK(status)) {
205 asn1_free(asn1);
206 return status;
207 }
208
209 ldap_match_message(conn, msg);
210
211 data_blob_free(&blob);
212 asn1_free(asn1);
213 return NT_STATUS_OK;
214 }
215
216 /* Handle read events, from the GENSEC socket callback, or real events */
217 void ldap_read_io_handler(void *private_data, uint16_t flags)
/* [<][>][^][v][top][bottom][index][help] */
218 {
219 struct ldap_connection *conn = talloc_get_type(private_data,
220 struct ldap_connection);
221 packet_recv(conn->packet);
222 }
223
224 /*
225 handle ldap socket events
226 */
227 static void ldap_io_handler(struct tevent_context *ev, struct tevent_fd *fde,
/* [<][>][^][v][top][bottom][index][help] */
228 uint16_t flags, void *private_data)
229 {
230 struct ldap_connection *conn = talloc_get_type(private_data,
231 struct ldap_connection);
232 if (flags & TEVENT_FD_WRITE) {
233 packet_queue_run(conn->packet);
234 if (!tls_enabled(conn->sock)) return;
235 }
236 if (flags & TEVENT_FD_READ) {
237 ldap_read_io_handler(private_data, flags);
238 }
239 }
240
241 /*
242 parse a ldap URL
243 */
244 static NTSTATUS ldap_parse_basic_url(TALLOC_CTX *mem_ctx, const char *url,
/* [<][>][^][v][top][bottom][index][help] */
245 char **host, uint16_t *port, bool *ldaps)
246 {
247 int tmp_port = 0;
248 char protocol[11];
249 char tmp_host[1025];
250 int ret;
251
252 /* Paranoia check */
253 SMB_ASSERT(sizeof(protocol)>10 && sizeof(tmp_host)>254);
254
255 ret = sscanf(url, "%10[^:]://%254[^:/]:%d", protocol, tmp_host, &tmp_port);
256 if (ret < 2) {
257 return NT_STATUS_INVALID_PARAMETER;
258 }
259
260 if (strequal(protocol, "ldap")) {
261 *port = 389;
262 *ldaps = false;
263 } else if (strequal(protocol, "ldaps")) {
264 *port = 636;
265 *ldaps = true;
266 } else {
267 DEBUG(0, ("unrecognised ldap protocol (%s)!\n", protocol));
268 return NT_STATUS_PROTOCOL_UNREACHABLE;
269 }
270
271 if (tmp_port != 0)
272 *port = tmp_port;
273
274 *host = talloc_strdup(mem_ctx, tmp_host);
275 NT_STATUS_HAVE_NO_MEMORY(*host);
276
277 return NT_STATUS_OK;
278 }
279
280 /*
281 connect to a ldap server
282 */
283
284 struct ldap_connect_state {
285 struct composite_context *ctx;
286 struct ldap_connection *conn;
287 };
288
289 static void ldap_connect_recv_unix_conn(struct composite_context *ctx);
290 static void ldap_connect_recv_tcp_conn(struct composite_context *ctx);
291
292 _PUBLIC_ struct composite_context *ldap_connect_send(struct ldap_connection *conn,
/* [<][>][^][v][top][bottom][index][help] */
293 const char *url)
294 {
295 struct composite_context *result, *ctx;
296 struct ldap_connect_state *state;
297 char protocol[11];
298 int ret;
299
300 result = talloc_zero(conn, struct composite_context);
301 if (result == NULL) goto failed;
302 result->state = COMPOSITE_STATE_IN_PROGRESS;
303 result->async.fn = NULL;
304 result->event_ctx = conn->event.event_ctx;
305
306 state = talloc(result, struct ldap_connect_state);
307 if (state == NULL) goto failed;
308 state->ctx = result;
309 result->private_data = state;
310
311 state->conn = conn;
312
313 if (conn->reconnect.url == NULL) {
314 conn->reconnect.url = talloc_strdup(conn, url);
315 if (conn->reconnect.url == NULL) goto failed;
316 }
317
318 /* Paranoia check */
319 SMB_ASSERT(sizeof(protocol)>10);
320
321 ret = sscanf(url, "%10[^:]://", protocol);
322 if (ret < 1) {
323 return NULL;
324 }
325
326 if (strequal(protocol, "ldapi")) {
327 struct socket_address *unix_addr;
328 char path[1025];
329
330 NTSTATUS status = socket_create("unix", SOCKET_TYPE_STREAM, &conn->sock, 0);
331 if (!NT_STATUS_IS_OK(status)) {
332 return NULL;
333 }
334 talloc_steal(conn, conn->sock);
335 SMB_ASSERT(sizeof(protocol)>10);
336 SMB_ASSERT(sizeof(path)>1024);
337
338 /* LDAPI connections are to localhost, so give the local host name as the target for gensec */
339 conn->host = talloc_asprintf(conn, "%s.%s", lp_netbios_name(conn->lp_ctx), lp_realm(conn->lp_ctx));
340 if (composite_nomem(conn->host, state->ctx)) {
341 return result;
342 }
343
344 /* The %c specifier doesn't null terminate :-( */
345 ZERO_STRUCT(path);
346 ret = sscanf(url, "%10[^:]://%1025c", protocol, path);
347 if (ret < 2) {
348 composite_error(state->ctx, NT_STATUS_INVALID_PARAMETER);
349 return result;
350 }
351
352 rfc1738_unescape(path);
353
354 unix_addr = socket_address_from_strings(conn, conn->sock->backend_name,
355 path, 0);
356 if (!unix_addr) {
357 return NULL;
358 }
359
360 ctx = socket_connect_send(conn->sock, NULL, unix_addr,
361 0, conn->event.event_ctx);
362 ctx->async.fn = ldap_connect_recv_unix_conn;
363 ctx->async.private_data = state;
364 return result;
365 } else {
366 NTSTATUS status = ldap_parse_basic_url(conn, url, &conn->host,
367 &conn->port, &conn->ldaps);
368 if (!NT_STATUS_IS_OK(state->ctx->status)) {
369 composite_error(state->ctx, status);
370 return result;
371 }
372
373 ctx = socket_connect_multi_send(state, conn->host, 1, &conn->port,
374 lp_resolve_context(conn->lp_ctx), conn->event.event_ctx);
375 if (ctx == NULL) goto failed;
376
377 ctx->async.fn = ldap_connect_recv_tcp_conn;
378 ctx->async.private_data = state;
379 return result;
380 }
381 failed:
382 talloc_free(result);
383 return NULL;
384 }
385
386 static void ldap_connect_got_sock(struct composite_context *ctx,
/* [<][>][^][v][top][bottom][index][help] */
387 struct ldap_connection *conn)
388 {
389 /* setup a handler for events on this socket */
390 conn->event.fde = tevent_add_fd(conn->event.event_ctx, conn->sock,
391 socket_get_fd(conn->sock),
392 TEVENT_FD_READ, ldap_io_handler, conn);
393 if (conn->event.fde == NULL) {
394 composite_error(ctx, NT_STATUS_INTERNAL_ERROR);
395 return;
396 }
397
398 tevent_fd_set_close_fn(conn->event.fde, socket_tevent_fd_close_fn);
399 socket_set_flags(conn->sock, SOCKET_FLAG_NOCLOSE);
400
401 talloc_steal(conn, conn->sock);
402 if (conn->ldaps) {
403 struct socket_context *tls_socket;
404 struct socket_context *tmp_socket;
405 char *cafile = lp_tls_cafile(conn->sock, conn->lp_ctx);
406
407 if (!cafile || !*cafile) {
408 talloc_free(conn->sock);
409 return;
410 }
411
412 tls_socket = tls_init_client(conn->sock, conn->event.fde, cafile);
413 talloc_free(cafile);
414
415 if (tls_socket == NULL) {
416 talloc_free(conn->sock);
417 return;
418 }
419
420 /* the original socket, must become a child of the tls socket */
421 tmp_socket = conn->sock;
422 conn->sock = talloc_steal(conn, tls_socket);
423 talloc_steal(conn->sock, tmp_socket);
424 }
425
426 conn->packet = packet_init(conn);
427 if (conn->packet == NULL) {
428 talloc_free(conn->sock);
429 return;
430 }
431
432 packet_set_private(conn->packet, conn);
433 packet_set_socket(conn->packet, conn->sock);
434 packet_set_callback(conn->packet, ldap_recv_handler);
435 packet_set_full_request(conn->packet, ldap_full_packet);
436 packet_set_error_handler(conn->packet, ldap_error_handler);
437 packet_set_event_context(conn->packet, conn->event.event_ctx);
438 packet_set_fde(conn->packet, conn->event.fde);
439 /* packet_set_serialise(conn->packet); */
440
441 if (conn->ldaps) {
442 packet_set_unreliable_select(conn->packet);
443 }
444
445 composite_done(ctx);
446 }
447
448 static void ldap_connect_recv_tcp_conn(struct composite_context *ctx)
/* [<][>][^][v][top][bottom][index][help] */
449 {
450 struct ldap_connect_state *state =
451 talloc_get_type(ctx->async.private_data,
452 struct ldap_connect_state);
453 struct ldap_connection *conn = state->conn;
454 uint16_t port;
455 NTSTATUS status = socket_connect_multi_recv(ctx, state, &conn->sock,
456 &port);
457 if (!NT_STATUS_IS_OK(status)) {
458 composite_error(state->ctx, status);
459 return;
460 }
461
462 ldap_connect_got_sock(state->ctx, conn);
463 }
464
465 static void ldap_connect_recv_unix_conn(struct composite_context *ctx)
/* [<][>][^][v][top][bottom][index][help] */
466 {
467 struct ldap_connect_state *state =
468 talloc_get_type(ctx->async.private_data,
469 struct ldap_connect_state);
470 struct ldap_connection *conn = state->conn;
471
472 NTSTATUS status = socket_connect_recv(ctx);
473
474 if (!NT_STATUS_IS_OK(state->ctx->status)) {
475 composite_error(state->ctx, status);
476 return;
477 }
478
479 ldap_connect_got_sock(state->ctx, conn);
480 }
481
482 _PUBLIC_ NTSTATUS ldap_connect_recv(struct composite_context *ctx)
/* [<][>][^][v][top][bottom][index][help] */
483 {
484 NTSTATUS status = composite_wait(ctx);
485 talloc_free(ctx);
486 return status;
487 }
488
489 _PUBLIC_ NTSTATUS ldap_connect(struct ldap_connection *conn, const char *url)
/* [<][>][^][v][top][bottom][index][help] */
490 {
491 struct composite_context *ctx = ldap_connect_send(conn, url);
492 return ldap_connect_recv(ctx);
493 }
494
495 /* set reconnect parameters */
496
497 _PUBLIC_ void ldap_set_reconn_params(struct ldap_connection *conn, int max_retries)
/* [<][>][^][v][top][bottom][index][help] */
498 {
499 if (conn) {
500 conn->reconnect.max_retries = max_retries;
501 conn->reconnect.retries = 0;
502 conn->reconnect.previous = time(NULL);
503 }
504 }
505
506 /* Actually this function is NOT ASYNC safe, FIXME? */
507 static void ldap_reconnect(struct ldap_connection *conn)
/* [<][>][^][v][top][bottom][index][help] */
508 {
509 NTSTATUS status;
510 time_t now = time(NULL);
511
512 /* do we have set up reconnect ? */
513 if (conn->reconnect.max_retries == 0) return;
514
515 /* is the retry time expired ? */
516 if (now > conn->reconnect.previous + 30) {
517 conn->reconnect.retries = 0;
518 conn->reconnect.previous = now;
519 }
520
521 /* are we reconnectind too often and too fast? */
522 if (conn->reconnect.retries > conn->reconnect.max_retries) return;
523
524 /* keep track of the number of reconnections */
525 conn->reconnect.retries++;
526
527 /* reconnect */
528 status = ldap_connect(conn, conn->reconnect.url);
529 if ( ! NT_STATUS_IS_OK(status)) {
530 return;
531 }
532
533 /* rebind */
534 status = ldap_rebind(conn);
535 if ( ! NT_STATUS_IS_OK(status)) {
536 ldap_connection_dead(conn);
537 }
538 }
539
540 /* destroy an open ldap request */
541 static int ldap_request_destructor(struct ldap_request *req)
/* [<][>][^][v][top][bottom][index][help] */
542 {
543 if (req->state == LDAP_REQUEST_PENDING) {
544 DLIST_REMOVE(req->conn->pending, req);
545 }
546 return 0;
547 }
548
549 /*
550 called on timeout of a ldap request
551 */
552 static void ldap_request_timeout(struct tevent_context *ev, struct tevent_timer *te,
/* [<][>][^][v][top][bottom][index][help] */
553 struct timeval t, void *private_data)
554 {
555 struct ldap_request *req = talloc_get_type(private_data, struct ldap_request);
556 req->status = NT_STATUS_IO_TIMEOUT;
557 if (req->state == LDAP_REQUEST_PENDING) {
558 DLIST_REMOVE(req->conn->pending, req);
559 }
560 req->state = LDAP_REQUEST_DONE;
561 if (req->async.fn) {
562 req->async.fn(req);
563 }
564 }
565
566
567 /*
568 called on completion of a one-way ldap request
569 */
570 static void ldap_request_complete(struct tevent_context *ev, struct tevent_timer *te,
/* [<][>][^][v][top][bottom][index][help] */
571 struct timeval t, void *private_data)
572 {
573 struct ldap_request *req = talloc_get_type(private_data, struct ldap_request);
574 if (req->async.fn) {
575 req->async.fn(req);
576 }
577 }
578
579 /*
580 send a ldap message - async interface
581 */
582 _PUBLIC_ struct ldap_request *ldap_request_send(struct ldap_connection *conn,
/* [<][>][^][v][top][bottom][index][help] */
583 struct ldap_message *msg)
584 {
585 struct ldap_request *req;
586 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
587
588 req = talloc_zero(conn, struct ldap_request);
589 if (req == NULL) return NULL;
590
591 if (conn->sock == NULL) {
592 status = NT_STATUS_INVALID_CONNECTION;
593 goto failed;
594 }
595
596 req->state = LDAP_REQUEST_SEND;
597 req->conn = conn;
598 req->messageid = conn->next_messageid++;
599 if (conn->next_messageid == 0) {
600 conn->next_messageid = 1;
601 }
602 req->type = msg->type;
603 if (req->messageid == -1) {
604 goto failed;
605 }
606
607 talloc_set_destructor(req, ldap_request_destructor);
608
609 msg->messageid = req->messageid;
610
611 if (!ldap_encode(msg, samba_ldap_control_handlers(), &req->data, req)) {
612 status = NT_STATUS_INTERNAL_ERROR;
613 goto failed;
614 }
615
616 status = packet_send(conn->packet, req->data);
617 if (!NT_STATUS_IS_OK(status)) {
618 goto failed;
619 }
620
621 /* some requests don't expect a reply, so don't add those to the
622 pending queue */
623 if (req->type == LDAP_TAG_AbandonRequest ||
624 req->type == LDAP_TAG_UnbindRequest) {
625 req->status = NT_STATUS_OK;
626 req->state = LDAP_REQUEST_DONE;
627 /* we can't call the async callback now, as it isn't setup, so
628 call it as next event */
629 tevent_add_timer(conn->event.event_ctx, req, timeval_zero(),
630 ldap_request_complete, req);
631 return req;
632 }
633
634 req->state = LDAP_REQUEST_PENDING;
635 DLIST_ADD(conn->pending, req);
636
637 /* put a timeout on the request */
638 req->time_event = tevent_add_timer(conn->event.event_ctx, req,
639 timeval_current_ofs(conn->timeout, 0),
640 ldap_request_timeout, req);
641
642 return req;
643
644 failed:
645 req->status = status;
646 req->state = LDAP_REQUEST_ERROR;
647 tevent_add_timer(conn->event.event_ctx, req, timeval_zero(),
648 ldap_request_complete, req);
649
650 return req;
651 }
652
653
654 /*
655 wait for a request to complete
656 note that this does not destroy the request
657 */
658 _PUBLIC_ NTSTATUS ldap_request_wait(struct ldap_request *req)
/* [<][>][^][v][top][bottom][index][help] */
659 {
660 while (req->state < LDAP_REQUEST_DONE) {
661 if (tevent_loop_once(req->conn->event.event_ctx) != 0) {
662 req->status = NT_STATUS_UNEXPECTED_NETWORK_ERROR;
663 break;
664 }
665 }
666 return req->status;
667 }
668
669
670 /*
671 a mapping of ldap response code to strings
672 */
673 static const struct {
674 enum ldap_result_code code;
675 const char *str;
676 } ldap_code_map[] = {
677 #define _LDAP_MAP_CODE(c) { c, #c }
678 _LDAP_MAP_CODE(LDAP_SUCCESS),
679 _LDAP_MAP_CODE(LDAP_OPERATIONS_ERROR),
680 _LDAP_MAP_CODE(LDAP_PROTOCOL_ERROR),
681 _LDAP_MAP_CODE(LDAP_TIME_LIMIT_EXCEEDED),
682 _LDAP_MAP_CODE(LDAP_SIZE_LIMIT_EXCEEDED),
683 _LDAP_MAP_CODE(LDAP_COMPARE_FALSE),
684 _LDAP_MAP_CODE(LDAP_COMPARE_TRUE),
685 _LDAP_MAP_CODE(LDAP_AUTH_METHOD_NOT_SUPPORTED),
686 _LDAP_MAP_CODE(LDAP_STRONG_AUTH_REQUIRED),
687 _LDAP_MAP_CODE(LDAP_REFERRAL),
688 _LDAP_MAP_CODE(LDAP_ADMIN_LIMIT_EXCEEDED),
689 _LDAP_MAP_CODE(LDAP_UNAVAILABLE_CRITICAL_EXTENSION),
690 _LDAP_MAP_CODE(LDAP_CONFIDENTIALITY_REQUIRED),
691 _LDAP_MAP_CODE(LDAP_SASL_BIND_IN_PROGRESS),
692 _LDAP_MAP_CODE(LDAP_NO_SUCH_ATTRIBUTE),
693 _LDAP_MAP_CODE(LDAP_UNDEFINED_ATTRIBUTE_TYPE),
694 _LDAP_MAP_CODE(LDAP_INAPPROPRIATE_MATCHING),
695 _LDAP_MAP_CODE(LDAP_CONSTRAINT_VIOLATION),
696 _LDAP_MAP_CODE(LDAP_ATTRIBUTE_OR_VALUE_EXISTS),
697 _LDAP_MAP_CODE(LDAP_INVALID_ATTRIBUTE_SYNTAX),
698 _LDAP_MAP_CODE(LDAP_NO_SUCH_OBJECT),
699 _LDAP_MAP_CODE(LDAP_ALIAS_PROBLEM),
700 _LDAP_MAP_CODE(LDAP_INVALID_DN_SYNTAX),
701 _LDAP_MAP_CODE(LDAP_ALIAS_DEREFERENCING_PROBLEM),
702 _LDAP_MAP_CODE(LDAP_INAPPROPRIATE_AUTHENTICATION),
703 _LDAP_MAP_CODE(LDAP_INVALID_CREDENTIALS),
704 _LDAP_MAP_CODE(LDAP_INSUFFICIENT_ACCESS_RIGHTS),
705 _LDAP_MAP_CODE(LDAP_BUSY),
706 _LDAP_MAP_CODE(LDAP_UNAVAILABLE),
707 _LDAP_MAP_CODE(LDAP_UNWILLING_TO_PERFORM),
708 _LDAP_MAP_CODE(LDAP_LOOP_DETECT),
709 _LDAP_MAP_CODE(LDAP_NAMING_VIOLATION),
710 _LDAP_MAP_CODE(LDAP_OBJECT_CLASS_VIOLATION),
711 _LDAP_MAP_CODE(LDAP_NOT_ALLOWED_ON_NON_LEAF),
712 _LDAP_MAP_CODE(LDAP_NOT_ALLOWED_ON_RDN),
713 _LDAP_MAP_CODE(LDAP_ENTRY_ALREADY_EXISTS),
714 _LDAP_MAP_CODE(LDAP_OBJECT_CLASS_MODS_PROHIBITED),
715 _LDAP_MAP_CODE(LDAP_AFFECTS_MULTIPLE_DSAS),
716 _LDAP_MAP_CODE(LDAP_OTHER)
717 };
718
719 /*
720 used to setup the status code from a ldap response
721 */
722 _PUBLIC_ NTSTATUS ldap_check_response(struct ldap_connection *conn, struct ldap_Result *r)
/* [<][>][^][v][top][bottom][index][help] */
723 {
724 int i;
725 const char *codename = "unknown";
726
727 if (r->resultcode == LDAP_SUCCESS) {
728 return NT_STATUS_OK;
729 }
730
731 if (conn->last_error) {
732 talloc_free(conn->last_error);
733 }
734
735 for (i=0;i<ARRAY_SIZE(ldap_code_map);i++) {
736 if (r->resultcode == ldap_code_map[i].code) {
737 codename = ldap_code_map[i].str;
738 break;
739 }
740 }
741
742 conn->last_error = talloc_asprintf(conn, "LDAP error %u %s - %s <%s> <%s>",
743 r->resultcode,
744 codename,
745 r->dn?r->dn:"(NULL)",
746 r->errormessage?r->errormessage:"",
747 r->referral?r->referral:"");
748
749 return NT_STATUS_LDAP(r->resultcode);
750 }
751
752 /*
753 return error string representing the last error
754 */
755 _PUBLIC_ const char *ldap_errstr(struct ldap_connection *conn,
/* [<][>][^][v][top][bottom][index][help] */
756 TALLOC_CTX *mem_ctx,
757 NTSTATUS status)
758 {
759 if (NT_STATUS_IS_LDAP(status) && conn->last_error != NULL) {
760 return talloc_strdup(mem_ctx, conn->last_error);
761 }
762 return talloc_asprintf(mem_ctx, "LDAP client internal error: %s", nt_errstr(status));
763 }
764
765
766 /*
767 return the Nth result message, waiting if necessary
768 */
769 _PUBLIC_ NTSTATUS ldap_result_n(struct ldap_request *req, int n, struct ldap_message **msg)
/* [<][>][^][v][top][bottom][index][help] */
770 {
771 *msg = NULL;
772
773 NT_STATUS_HAVE_NO_MEMORY(req);
774
775 while (req->state < LDAP_REQUEST_DONE && n >= req->num_replies) {
776 if (tevent_loop_once(req->conn->event.event_ctx) != 0) {
777 return NT_STATUS_UNEXPECTED_NETWORK_ERROR;
778 }
779 }
780
781 if (n < req->num_replies) {
782 *msg = req->replies[n];
783 return NT_STATUS_OK;
784 }
785
786 if (!NT_STATUS_IS_OK(req->status)) {
787 return req->status;
788 }
789
790 return NT_STATUS_NO_MORE_ENTRIES;
791 }
792
793
794 /*
795 return a single result message, checking if it is of the expected LDAP type
796 */
797 _PUBLIC_ NTSTATUS ldap_result_one(struct ldap_request *req, struct ldap_message **msg, int type)
/* [<][>][^][v][top][bottom][index][help] */
798 {
799 NTSTATUS status;
800 status = ldap_result_n(req, 0, msg);
801 if (!NT_STATUS_IS_OK(status)) {
802 return status;
803 }
804 if ((*msg)->type != type) {
805 *msg = NULL;
806 return NT_STATUS_UNEXPECTED_NETWORK_ERROR;
807 }
808 return status;
809 }
810
811 /*
812 a simple ldap transaction, for single result requests that only need a status code
813 this relies on single valued requests having the response type == request type + 1
814 */
815 _PUBLIC_ NTSTATUS ldap_transaction(struct ldap_connection *conn, struct ldap_message *msg)
/* [<][>][^][v][top][bottom][index][help] */
816 {
817 struct ldap_request *req = ldap_request_send(conn, msg);
818 struct ldap_message *res;
819 NTSTATUS status;
820 status = ldap_result_n(req, 0, &res);
821 if (!NT_STATUS_IS_OK(status)) {
822 talloc_free(req);
823 return status;
824 }
825 if (res->type != msg->type + 1) {
826 talloc_free(req);
827 return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR);
828 }
829 status = ldap_check_response(conn, &res->r.GeneralResult);
830 talloc_free(req);
831 return status;
832 }