2 Unix SMB/CIFS implementation.
6 Copyright (C) Andrew Tridgell 2005
7 Copyright (C) Volker Lendecke 2004
8 Copyright (C) Stefan Metzmacher 2004
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "lib/events/events.h"
26 #include "auth/auth.h"
27 #include "auth/credentials/credentials.h"
28 #include "librpc/gen_ndr/ndr_samr.h"
29 #include "../lib/util/dlinklist.h"
30 #include "../lib/util/asn1.h"
31 #include "ldap_server/ldap_server.h"
32 #include "smbd/service_task.h"
33 #include "smbd/service_stream.h"
34 #include "smbd/service.h"
35 #include "smbd/process_model.h"
36 #include "lib/tls/tls.h"
37 #include "lib/messaging/irpc.h"
38 #include "lib/ldb/include/ldb.h"
39 #include "lib/ldb/include/ldb_errors.h"
40 #include "libcli/ldap/ldap.h"
41 #include "libcli/ldap/ldap_proto.h"
42 #include "system/network.h"
43 #include "lib/socket/netif.h"
44 #include "dsdb/samdb/samdb.h"
45 #include "param/param.h"
47 close the socket and shutdown a server_context
49 void ldapsrv_terminate_connection(struct ldapsrv_connection *conn,
52 packet_recv_disable(conn->packet);
53 TALLOC_FREE(conn->packet);
54 stream_terminate_connection(conn->connection, reason);
60 static void ldapsrv_error_handler(void *private_data, NTSTATUS status)
62 struct ldapsrv_connection *conn = talloc_get_type(private_data,
63 struct ldapsrv_connection);
64 ldapsrv_terminate_connection(conn, nt_errstr(status));
68 process a decoded ldap message
70 static void ldapsrv_process_message(struct ldapsrv_connection *conn,
71 struct ldap_message *msg)
73 struct ldapsrv_call *call;
77 call = talloc(conn, struct ldapsrv_call);
79 ldapsrv_terminate_connection(conn, "no memory");
83 call->request = talloc_steal(call, msg);
86 call->send_callback = NULL;
87 call->send_private = NULL;
90 status = ldapsrv_do_call(call);
91 if (!NT_STATUS_IS_OK(status)) {
96 blob = data_blob(NULL, 0);
98 if (call->replies == NULL) {
103 /* build all the replies into a single blob */
104 while (call->replies) {
108 msg = call->replies->msg;
109 if (!ldap_encode(msg, samba_ldap_control_handlers(), &b, call)) {
110 DEBUG(0,("Failed to encode ldap reply of type %d\n", msg->type));
115 ret = data_blob_append(call, &blob, b.data, b.length);
118 talloc_set_name_const(blob.data, "Outgoing, encoded LDAP packet");
125 DLIST_REMOVE(call->replies, call->replies);
128 packet_send_callback(conn->packet, blob,
129 call->send_callback, call->send_private);
137 static NTSTATUS ldapsrv_decode(void *private_data, DATA_BLOB blob)
140 struct ldapsrv_connection *conn = talloc_get_type(private_data,
141 struct ldapsrv_connection);
142 struct asn1_data *asn1 = asn1_init(conn);
143 struct ldap_message *msg = talloc(conn, struct ldap_message);
145 if (asn1 == NULL || msg == NULL) {
146 return NT_STATUS_NO_MEMORY;
149 if (!asn1_load(asn1, blob)) {
152 return NT_STATUS_NO_MEMORY;
155 status = ldap_decode(asn1, samba_ldap_control_handlers(), msg);
156 if (!NT_STATUS_IS_OK(status)) {
161 data_blob_free(&blob);
162 talloc_steal(conn, msg);
165 ldapsrv_process_message(conn, msg);
172 static void ldapsrv_conn_idle_timeout(struct tevent_context *ev,
173 struct tevent_timer *te,
177 struct ldapsrv_connection *conn = talloc_get_type(private_data, struct ldapsrv_connection);
179 ldapsrv_terminate_connection(conn, "Timeout. No requests after bind");
183 called when a LDAP socket becomes readable
185 void ldapsrv_recv(struct stream_connection *c, uint16_t flags)
187 struct ldapsrv_connection *conn =
188 talloc_get_type(c->private_data, struct ldapsrv_connection);
190 if (conn->limits.ite) { /* clean initial timeout if any */
191 talloc_free(conn->limits.ite);
192 conn->limits.ite = NULL;
195 if (conn->limits.te) { /* clean idle timeout if any */
196 talloc_free(conn->limits.te);
197 conn->limits.te = NULL;
200 packet_recv(conn->packet);
202 /* set idle timeout */
203 conn->limits.te = event_add_timed(c->event.ctx, conn,
204 timeval_current_ofs(conn->limits.conn_idle_time, 0),
205 ldapsrv_conn_idle_timeout, conn);
209 called when a LDAP socket becomes writable
211 static void ldapsrv_send(struct stream_connection *c, uint16_t flags)
213 struct ldapsrv_connection *conn =
214 talloc_get_type(c->private_data, struct ldapsrv_connection);
216 packet_queue_run(conn->packet);
219 static void ldapsrv_conn_init_timeout(struct tevent_context *ev,
220 struct tevent_timer *te,
224 struct ldapsrv_connection *conn = talloc_get_type(private_data, struct ldapsrv_connection);
226 ldapsrv_terminate_connection(conn, "Timeout. No requests after initial connection");
229 static int ldapsrv_load_limits(struct ldapsrv_connection *conn)
232 const char *attrs[] = { "configurationNamingContext", NULL };
233 const char *attrs2[] = { "lDAPAdminLimits", NULL };
234 struct ldb_message_element *el;
235 struct ldb_result *res = NULL;
236 struct ldb_dn *basedn;
237 struct ldb_dn *conf_dn;
238 struct ldb_dn *policy_dn;
241 /* set defaults limits in case of failure */
242 conn->limits.initial_timeout = 120;
243 conn->limits.conn_idle_time = 900;
244 conn->limits.max_page_size = 1000;
245 conn->limits.search_timeout = 120;
248 tmp_ctx = talloc_new(conn);
249 if (tmp_ctx == NULL) {
253 basedn = ldb_dn_new(tmp_ctx, conn->ldb, NULL);
254 if ( ! ldb_dn_validate(basedn)) {
258 ret = ldb_search(conn->ldb, tmp_ctx, &res, basedn, LDB_SCOPE_BASE, attrs, NULL);
259 if (ret != LDB_SUCCESS) {
263 if (res->count != 1) {
267 conf_dn = ldb_msg_find_attr_as_dn(conn->ldb, tmp_ctx, res->msgs[0], "configurationNamingContext");
268 if (conf_dn == NULL) {
272 policy_dn = ldb_dn_copy(tmp_ctx, conf_dn);
273 ldb_dn_add_child_fmt(policy_dn, "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services");
274 if (policy_dn == NULL) {
278 ret = ldb_search(conn->ldb, tmp_ctx, &res, policy_dn, LDB_SCOPE_BASE, attrs2, NULL);
279 if (ret != LDB_SUCCESS) {
283 if (res->count != 1) {
287 el = ldb_msg_find_element(res->msgs[0], "lDAPAdminLimits");
292 for (i = 0; i < el->num_values; i++) {
293 char policy_name[256];
296 s = sscanf((const char *)el->values[i].data, "%255[^=]=%d", policy_name, &policy_value);
297 if (ret != 2 || policy_value == 0)
300 if (strcasecmp("InitRecvTimeout", policy_name) == 0) {
301 conn->limits.initial_timeout = policy_value;
304 if (strcasecmp("MaxConnIdleTime", policy_name) == 0) {
305 conn->limits.conn_idle_time = policy_value;
308 if (strcasecmp("MaxPageSize", policy_name) == 0) {
309 conn->limits.max_page_size = policy_value;
312 if (strcasecmp("MaxQueryDuration", policy_name) == 0) {
313 conn->limits.search_timeout = policy_value;
321 DEBUG(0, ("Failed to load ldap server query policies\n"));
322 talloc_free(tmp_ctx);
327 initialise a server_context from a open socket and register a event handler
328 for reading from that socket
330 static void ldapsrv_accept(struct stream_connection *c,
331 struct auth_session_info *session_info)
333 struct ldapsrv_service *ldapsrv_service =
334 talloc_get_type(c->private_data, struct ldapsrv_service);
335 struct ldapsrv_connection *conn;
336 struct cli_credentials *server_credentials;
337 struct socket_address *socket_address;
341 conn = talloc_zero(c, struct ldapsrv_connection);
343 stream_terminate_connection(c, "ldapsrv_accept: out of memory");
348 conn->connection = c;
349 conn->service = ldapsrv_service;
350 conn->sockets.raw = c->socket;
351 conn->lp_ctx = ldapsrv_service->task->lp_ctx;
353 c->private_data = conn;
355 socket_address = socket_get_my_addr(c->socket, conn);
356 if (!socket_address) {
357 ldapsrv_terminate_connection(conn, "ldapsrv_accept: failed to obtain local socket address!");
360 port = socket_address->port;
361 talloc_free(socket_address);
364 struct socket_context *tls_socket = tls_init_server(ldapsrv_service->tls_params, c->socket,
367 ldapsrv_terminate_connection(conn, "ldapsrv_accept: tls_init_server() failed");
370 talloc_steal(c, tls_socket);
371 c->socket = tls_socket;
372 conn->sockets.tls = tls_socket;
374 } else if (port == 3268) /* Global catalog */ {
375 conn->global_catalog = true;
377 conn->packet = packet_init(conn);
378 if (conn->packet == NULL) {
379 ldapsrv_terminate_connection(conn, "out of memory");
383 packet_set_private(conn->packet, conn);
384 packet_set_socket(conn->packet, c->socket);
385 packet_set_callback(conn->packet, ldapsrv_decode);
386 packet_set_full_request(conn->packet, ldap_full_packet);
387 packet_set_error_handler(conn->packet, ldapsrv_error_handler);
388 packet_set_event_context(conn->packet, c->event.ctx);
389 packet_set_fde(conn->packet, c->event.fde);
390 packet_set_serialise(conn->packet);
392 if (conn->sockets.tls) {
393 packet_set_unreliable_select(conn->packet);
396 /* Ensure we don't get packets until the database is ready below */
397 packet_recv_disable(conn->packet);
399 server_credentials = cli_credentials_init(conn);
400 if (!server_credentials) {
401 stream_terminate_connection(c, "Failed to init server credentials\n");
405 cli_credentials_set_conf(server_credentials, conn->lp_ctx);
406 status = cli_credentials_set_machine_account(server_credentials, conn->lp_ctx);
407 if (!NT_STATUS_IS_OK(status)) {
408 stream_terminate_connection(c, talloc_asprintf(conn, "Failed to obtain server credentials, perhaps a standalone server?: %s\n", nt_errstr(status)));
411 conn->server_credentials = server_credentials;
413 conn->session_info = talloc_move(conn, &session_info);
415 if (!NT_STATUS_IS_OK(ldapsrv_backend_Init(conn))) {
416 ldapsrv_terminate_connection(conn, "backend Init failed");
420 /* load limits from the conf partition */
421 ldapsrv_load_limits(conn); /* should we fail on error ? */
423 /* register the server */
424 irpc_add_name(c->msg_ctx, "ldap_server");
426 /* set connections limits */
427 conn->limits.ite = event_add_timed(c->event.ctx, conn,
428 timeval_current_ofs(conn->limits.initial_timeout, 0),
429 ldapsrv_conn_init_timeout, conn);
431 packet_recv_enable(conn->packet);
435 static void ldapsrv_accept_nonpriv(struct stream_connection *c)
437 struct ldapsrv_service *ldapsrv_service = talloc_get_type_abort(
438 c->private_data, struct ldapsrv_service);
439 struct auth_session_info *session_info;
442 status = auth_anonymous_session_info(
443 c, c->event.ctx, ldapsrv_service->task->lp_ctx, &session_info);
444 if (!NT_STATUS_IS_OK(status)) {
445 stream_terminate_connection(c, "failed to setup anonymous "
449 ldapsrv_accept(c, session_info);
452 static const struct stream_server_ops ldap_stream_nonpriv_ops = {
454 .accept_connection = ldapsrv_accept_nonpriv,
455 .recv_handler = ldapsrv_recv,
456 .send_handler = ldapsrv_send,
459 /* The feature removed behind an #ifdef until we can do it properly
460 * with an EXTERNAL bind. */
462 #define WITH_LDAPI_PRIV_SOCKET
464 #ifdef WITH_LDAPI_PRIV_SOCKET
465 static void ldapsrv_accept_priv(struct stream_connection *c)
467 struct ldapsrv_service *ldapsrv_service = talloc_get_type_abort(
468 c->private_data, struct ldapsrv_service);
469 struct auth_session_info *session_info;
472 status = auth_system_session_info(
473 c, ldapsrv_service->task->lp_ctx, &session_info);
474 if (!NT_STATUS_IS_OK(status)) {
475 stream_terminate_connection(c, "failed to setup system "
479 ldapsrv_accept(c, session_info);
482 static const struct stream_server_ops ldap_stream_priv_ops = {
484 .accept_connection = ldapsrv_accept_priv,
485 .recv_handler = ldapsrv_recv,
486 .send_handler = ldapsrv_send,
491 add a socket address to the list of events, one event per port
493 static NTSTATUS add_socket(struct tevent_context *event_context,
494 struct loadparm_context *lp_ctx,
495 const struct model_ops *model_ops,
496 const char *address, struct ldapsrv_service *ldap_service)
500 struct ldb_context *ldb;
502 status = stream_setup_socket(event_context, lp_ctx,
503 model_ops, &ldap_stream_nonpriv_ops,
504 "ipv4", address, &port,
505 lp_socket_options(lp_ctx),
507 if (!NT_STATUS_IS_OK(status)) {
508 DEBUG(0,("ldapsrv failed to bind to %s:%u - %s\n",
509 address, port, nt_errstr(status)));
512 if (tls_support(ldap_service->tls_params)) {
513 /* add ldaps server */
515 status = stream_setup_socket(event_context, lp_ctx,
517 &ldap_stream_nonpriv_ops,
518 "ipv4", address, &port,
519 lp_socket_options(lp_ctx),
521 if (!NT_STATUS_IS_OK(status)) {
522 DEBUG(0,("ldapsrv failed to bind to %s:%u - %s\n",
523 address, port, nt_errstr(status)));
527 /* Load LDAP database, but only to read our settings */
528 ldb = samdb_connect(ldap_service, ldap_service->task->event_ctx,
529 lp_ctx, system_session(ldap_service, lp_ctx));
531 return NT_STATUS_INTERNAL_DB_CORRUPTION;
534 if (samdb_is_gc(ldb)) {
536 status = stream_setup_socket(event_context, lp_ctx,
538 &ldap_stream_nonpriv_ops,
539 "ipv4", address, &port,
540 lp_socket_options(lp_ctx),
542 if (!NT_STATUS_IS_OK(status)) {
543 DEBUG(0,("ldapsrv failed to bind to %s:%u - %s\n",
544 address, port, nt_errstr(status)));
548 /* And once we are bound, free the tempoary ldb, it will
549 * connect again on each incoming LDAP connection */
556 open the ldap server sockets
558 static void ldapsrv_task_init(struct task_server *task)
561 #ifdef WITH_LDAPI_PRIV_SOCKET
564 struct ldapsrv_service *ldap_service;
566 const struct model_ops *model_ops;
568 switch (lp_server_role(task->lp_ctx)) {
569 case ROLE_STANDALONE:
570 task_server_terminate(task, "ldap_server: no LDAP server required in standalone configuration");
572 case ROLE_DOMAIN_MEMBER:
573 task_server_terminate(task, "ldap_server: no LDAP server required in member server configuration");
575 case ROLE_DOMAIN_CONTROLLER:
576 /* Yes, we want an LDAP server */
580 task_server_set_title(task, "task[ldapsrv]");
582 /* run the ldap server as a single process */
583 model_ops = process_model_startup(task->event_ctx, "single");
584 if (!model_ops) goto failed;
586 ldap_service = talloc_zero(task, struct ldapsrv_service);
587 if (ldap_service == NULL) goto failed;
589 ldap_service->task = task;
591 ldap_service->tls_params = tls_initialise(ldap_service, task->lp_ctx);
592 if (ldap_service->tls_params == NULL) goto failed;
594 if (lp_interfaces(task->lp_ctx) && lp_bind_interfaces_only(task->lp_ctx)) {
595 struct interface *ifaces;
599 load_interfaces(task, lp_interfaces(task->lp_ctx), &ifaces);
600 num_interfaces = iface_count(ifaces);
602 /* We have been given an interfaces line, and been
603 told to only bind to those interfaces. Create a
604 socket per interface and bind to only these.
606 for(i = 0; i < num_interfaces; i++) {
607 const char *address = iface_n_ip(ifaces, i);
608 status = add_socket(task->event_ctx, task->lp_ctx, model_ops, address, ldap_service);
609 if (!NT_STATUS_IS_OK(status)) goto failed;
612 status = add_socket(task->event_ctx, task->lp_ctx, model_ops,
613 lp_socket_address(task->lp_ctx), ldap_service);
614 if (!NT_STATUS_IS_OK(status)) goto failed;
617 ldapi_path = private_path(ldap_service, task->lp_ctx, "ldapi");
622 status = stream_setup_socket(task->event_ctx, task->lp_ctx,
623 model_ops, &ldap_stream_nonpriv_ops,
624 "unix", ldapi_path, NULL,
625 lp_socket_options(task->lp_ctx),
627 talloc_free(ldapi_path);
628 if (!NT_STATUS_IS_OK(status)) {
629 DEBUG(0,("ldapsrv failed to bind to %s - %s\n",
630 ldapi_path, nt_errstr(status)));
633 #ifdef WITH_LDAPI_PRIV_SOCKET
634 priv_dir = private_path(ldap_service, task->lp_ctx, "ldap_priv");
635 if (priv_dir == NULL) {
639 * Make sure the directory for the privileged ldapi socket exists, and
640 * is of the correct permissions
642 if (!directory_create_or_exist(priv_dir, geteuid(), 0750)) {
643 task_server_terminate(task, "Cannot create ldap "
644 "privileged ldapi directory");
647 ldapi_path = talloc_asprintf(ldap_service, "%s/ldapi", priv_dir);
648 talloc_free(priv_dir);
649 if (ldapi_path == NULL) {
653 status = stream_setup_socket(task->event_ctx, task->lp_ctx,
654 model_ops, &ldap_stream_priv_ops,
655 "unix", ldapi_path, NULL,
656 lp_socket_options(task->lp_ctx),
658 talloc_free(ldapi_path);
659 if (!NT_STATUS_IS_OK(status)) {
660 DEBUG(0,("ldapsrv failed to bind to %s - %s\n",
661 ldapi_path, nt_errstr(status)));
668 task_server_terminate(task, "Failed to startup ldap server task");
672 NTSTATUS server_service_ldap_init(void)
674 return register_server_service("ldap", ldapsrv_task_init);