source4/libcli/ldap/ldap_bind.c

   1 /*
   2    Unix SMB/CIFS mplementation.
   3
   4    LDAP bind calls
   5
   6    Copyright (C) Andrew Tridgell  2005
   7    Copyright (C) Volker Lendecke  2004
   8
   9    This program is free software; you can redistribute it and/or modify
  10    it under the terms of the GNU General Public License as published by
  11    the Free Software Foundation; either version 2 of the License, or
  12    (at your option) any later version.
  13
  14    This program is distributed in the hope that it will be useful,
  15    but WITHOUT ANY WARRANTY; without even the implied warranty of
  16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17    GNU General Public License for more details.
  18
  19    You should have received a copy of the GNU General Public License
  20    along with this program; if not, write to the Free Software
  21    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  22
  23 */
  24
  25 #include "includes.h"
  26 #include "libcli/ldap/ldap.h"
  27 #include "libcli/ldap/ldap_client.h"
  28 #include "lib/tls/tls.h"
  29 #include "auth/auth.h"
  30
  31 struct ldap_simple_creds {
  32         const char *dn;
  33         const char *pw;
  34 };
  35
  36 NTSTATUS ldap_rebind(struct ldap_connection *conn)
  37 {
  38         NTSTATUS status;
  39         struct ldap_simple_creds *creds;
  40
  41         switch (conn->bind.type) {
  42         case LDAP_BIND_SASL:
  43                 status = ldap_bind_sasl(conn, (struct cli_credentials *)conn->bind.creds);
  44                 break;
  45
  46         case LDAP_BIND_SIMPLE:
  47                 creds = (struct ldap_simple_creds *)conn->bind.creds;
  48
  49                 if (creds == NULL) {
  50                         return NT_STATUS_UNSUCCESSFUL;
  51                 }
  52
  53                 status = ldap_bind_simple(conn, creds->dn, creds->pw);
  54                 break;
  55
  56         default:
  57                 return NT_STATUS_UNSUCCESSFUL;
  58         }
  59
  60         return status;
  61 }
  62
  63
  64 static struct ldap_message *new_ldap_simple_bind_msg(struct ldap_connection *conn,
  65                                                      const char *dn, const char *pw)
  66 {
  67         struct ldap_message *res;
  68
  69         res = new_ldap_message(conn);
  70         if (!res) {
  71                 return NULL;
  72         }
  73
  74         res->type = LDAP_TAG_BindRequest;
  75         res->r.BindRequest.version = 3;
  76         res->r.BindRequest.dn = talloc_strdup(res, dn);
  77         res->r.BindRequest.mechanism = LDAP_AUTH_MECH_SIMPLE;
  78         res->r.BindRequest.creds.password = talloc_strdup(res, pw);
  79         res->controls = NULL;
  80
  81         return res;
  82 }
  83
  84
  85 /*
  86   perform a simple username/password bind
  87 */
  88 NTSTATUS ldap_bind_simple(struct ldap_connection *conn,
  89                           const char *userdn, const char *password)
  90 {
  91         struct ldap_request *req;
  92         struct ldap_message *msg;
  93         const char *dn, *pw;
  94         NTSTATUS status;
  95
  96         if (conn == NULL) {
  97                 return NT_STATUS_INVALID_CONNECTION;
  98         }
  99
 100         if (userdn) {
 101                 dn = userdn;
 102         } else {
 103                 if (conn->auth_dn) {
 104                         dn = conn->auth_dn;
 105                 } else {
 106                         dn = "";
 107                 }
 108         }
 109
 110         if (password) {
 111                 pw = password;
 112         } else {
 113                 if (conn->simple_pw) {
 114                         pw = conn->simple_pw;
 115                 } else {
 116                         pw = "";
 117                 }
 118         }
 119
 120         msg = new_ldap_simple_bind_msg(conn, dn, pw);
 121         NT_STATUS_HAVE_NO_MEMORY(msg);
 122
 123         /* send the request */
 124         req = ldap_request_send(conn, msg);
 125         talloc_free(msg);
 126         NT_STATUS_HAVE_NO_MEMORY(req);
 127
 128         /* wait for replies */
 129         status = ldap_request_wait(req);
 130         if (!NT_STATUS_IS_OK(status)) {
 131                 talloc_free(req);
 132                 return status;
 133         }
 134
 135         /* check its a valid reply */
 136         msg = req->replies[0];
 137         if (msg->type != LDAP_TAG_BindResponse) {
 138                 talloc_free(req);
 139                 return NT_STATUS_UNEXPECTED_NETWORK_ERROR;
 140         }
 141
 142         status = ldap_check_response(conn, &msg->r.BindResponse.response);
 143
 144         talloc_free(req);
 145
 146         if (NT_STATUS_IS_OK(status)) {
 147                 struct ldap_simple_creds *creds = talloc(conn, struct ldap_simple_creds);
 148                 if (creds == NULL) {
 149                         return NT_STATUS_NO_MEMORY;
 150                 }
 151                 creds->dn = talloc_strdup(creds, dn);
 152                 creds->pw = talloc_strdup(creds, pw);
 153                 if (creds->dn == NULL || creds->pw == NULL) {
 154                         return NT_STATUS_NO_MEMORY;
 155                 }
 156                 conn->bind.type = LDAP_BIND_SIMPLE;
 157                 conn->bind.creds = creds;
 158         }
 159
 160         return status;
 161 }
 162
 163
 164 static struct ldap_message *new_ldap_sasl_bind_msg(struct ldap_connection *conn,
 165                                                    const char *sasl_mechanism,
 166                                                    DATA_BLOB *secblob)
 167 {
 168         struct ldap_message *res;
 169
 170         res = new_ldap_message(conn);
 171         if (!res) {
 172                 return NULL;
 173         }
 174
 175         res->type = LDAP_TAG_BindRequest;
 176         res->r.BindRequest.version = 3;
 177         res->r.BindRequest.dn = "";
 178         res->r.BindRequest.mechanism = LDAP_AUTH_MECH_SASL;
 179         res->r.BindRequest.creds.SASL.mechanism = talloc_strdup(res, sasl_mechanism);
 180         if (secblob) {
 181                 res->r.BindRequest.creds.SASL.secblob = talloc(res, DATA_BLOB);
 182                 if (!res->r.BindRequest.creds.SASL.secblob) {
 183                         talloc_free(res);
 184                         return NULL;
 185                 }
 186                 *res->r.BindRequest.creds.SASL.secblob = *secblob;
 187         } else {
 188                 res->r.BindRequest.creds.SASL.secblob = NULL;
 189         }
 190         res->controls = NULL;
 191
 192         return res;
 193 }
 194
 195
 196 /*
 197   perform a sasl bind using the given credentials
 198 */
 199 NTSTATUS ldap_bind_sasl(struct ldap_connection *conn, struct cli_credentials *creds)
 200 {
 201         NTSTATUS status;
 202         TALLOC_CTX *tmp_ctx = NULL;
 203
 204         DATA_BLOB input = data_blob(NULL, 0);
 205         DATA_BLOB output = data_blob(NULL, 0);
 206
 207         struct ldap_message **sasl_mechs_msgs;
 208         struct ldap_SearchResEntry *search;
 209         int count, i;
 210
 211         const char **sasl_names;
 212
 213         static const char *supported_sasl_mech_attrs[] = {
 214                 "supportedSASLMechanisms",
 215                 NULL
 216         };
 217
 218         status = gensec_client_start(conn, &conn->gensec, NULL);
 219         if (!NT_STATUS_IS_OK(status)) {
 220                 DEBUG(0, ("Failed to start GENSEC engine (%s)\n", nt_errstr(status)));
 221                 goto failed;
 222         }
 223
 224         /* require Kerberos SIGN/SEAL only if we don't use SSL
 225          * Windows seem not to like double encryption */
 226         if (!tls_enabled(conn->sock)) {
 227                 gensec_want_feature(conn->gensec, 0 | GENSEC_FEATURE_SIGN | GENSEC_FEATURE_SEAL);
 228         }
 229
 230         status = gensec_set_credentials(conn->gensec, creds);
 231         if (!NT_STATUS_IS_OK(status)) {
 232                 DEBUG(1, ("Failed to set GENSEC creds: %s\n",
 233                           nt_errstr(status)));
 234                 goto failed;
 235         }
 236
 237         status = gensec_set_target_hostname(conn->gensec, conn->host);
 238         if (!NT_STATUS_IS_OK(status)) {
 239                 DEBUG(1, ("Failed to set GENSEC target hostname: %s\n",
 240                           nt_errstr(status)));
 241                 goto failed;
 242         }
 243
 244         status = gensec_set_target_service(conn->gensec, "ldap");
 245         if (!NT_STATUS_IS_OK(status)) {
 246                 DEBUG(1, ("Failed to set GENSEC target service: %s\n",
 247                           nt_errstr(status)));
 248                 goto failed;
 249         }
 250
 251         status = ildap_search(conn, "", LDAP_SEARCH_SCOPE_BASE, "", supported_sasl_mech_attrs,
 252                               False, NULL, NULL, &sasl_mechs_msgs);
 253         if (!NT_STATUS_IS_OK(status)) {
 254                 DEBUG(1, ("Failed to inquire of target's available sasl mechs in rootdse search: %s\n",
 255                           nt_errstr(status)));
 256                 goto failed;
 257         }
 258
 259         count = ildap_count_entries(conn, sasl_mechs_msgs);
 260         if (count != 1) {
 261                 DEBUG(1, ("Failed to inquire of target's available sasl mechs in rootdse search: wrong number of replies: %d\n",
 262                           count));
 263                 goto failed;
 264         }
 265
 266         tmp_ctx = talloc_new(conn);
 267         if (tmp_ctx == NULL) goto failed;
 268
 269         search = &sasl_mechs_msgs[0]->r.SearchResultEntry;
 270         if (search->num_attributes != 1) {
 271                 DEBUG(1, ("Failed to inquire of target's available sasl mechs in rootdse search: wrong number of attributes: %d\n",
 272                           search->num_attributes));
 273                 goto failed;
 274         }
 275
 276         sasl_names = talloc_array(tmp_ctx, const char *, search->attributes[0].num_values + 1);
 277         if (!sasl_names) {
 278                 DEBUG(1, ("talloc_arry(char *, %d) failed\n",
 279                           count));
 280                 goto failed;
 281         }
 282
 283         for (i=0; i<search->attributes[0].num_values; i++) {
 284                 sasl_names[i] = (const char *)search->attributes[0].values[i].data;
 285         }
 286         sasl_names[i] = NULL;
 287
 288         status = gensec_start_mech_by_sasl_list(conn->gensec, sasl_names);
 289         if (!NT_STATUS_IS_OK(status)) {
 290                 DEBUG(1, ("None of the %d proposed SASL mechs were acceptable: %s\n",
 291                           count, nt_errstr(status)));
 292                 goto failed;
 293         }
 294
 295         while (1) {
 296                 NTSTATUS gensec_status;
 297                 struct ldap_message *response;
 298                 struct ldap_message *msg;
 299                 struct ldap_request *req;
 300                 int result = LDAP_OTHER;
 301
 302                 status = gensec_update(conn->gensec, tmp_ctx,
 303                                        input,
 304                                        &output);
 305                 /* The status value here, from GENSEC is vital to the security
 306                  * of the system.  Even if the other end accepts, if GENSEC
 307                  * claims 'MORE_PROCESSING_REQUIRED' then you must keep
 308                  * feeding it blobs, or else the remote host/attacker might
 309                  * avoid mutal authentication requirements.
 310                  *
 311                  * Likewise, you must not feed GENSEC too much (after the OK),
 312                  * it doesn't like that either
 313                  */
 314
 315                 gensec_status = status;
 316
 317                 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) &&
 318                     !NT_STATUS_IS_OK(status)) {
 319                         break;
 320                 }
 321                 if (NT_STATUS_IS_OK(status) && output.length == 0) {
 322                         break;
 323                 }
 324
 325                 /* Perhaps we should make gensec_start_mech_by_sasl_list() return the name we got? */
 326                 msg = new_ldap_sasl_bind_msg(tmp_ctx, conn->gensec->ops->sasl_name, (output.data?&output:NULL));
 327                 if (msg == NULL) {
 328                         status = NT_STATUS_NO_MEMORY;
 329                         goto failed;
 330                 }
 331
 332                 req = ldap_request_send(conn, msg);
 333                 if (req == NULL) {
 334                         status = NT_STATUS_NO_MEMORY;
 335                         goto failed;
 336                 }
 337                 talloc_steal(tmp_ctx, req);
 338
 339                 status = ldap_result_n(req, 0, &response);
 340                 if (!NT_STATUS_IS_OK(status)) {
 341                         goto failed;
 342                 }
 343
 344                 if (response->type != LDAP_TAG_BindResponse) {
 345                         status = NT_STATUS_UNEXPECTED_NETWORK_ERROR;
 346                         goto failed;
 347                 }
 348
 349                 result = response->r.BindResponse.response.resultcode;
 350
 351                 if (result != LDAP_SUCCESS && result != LDAP_SASL_BIND_IN_PROGRESS) {
 352                         status = ldap_check_response(conn,
 353                                                      &response->r.BindResponse.response);
 354                         break;
 355                 }
 356
 357                 /* This is where we check if GENSEC wanted to be fed more data */
 358                 if (!NT_STATUS_EQUAL(gensec_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 359                         break;
 360                 }
 361                 if (response->r.BindResponse.SASL.secblob) {
 362                         input = *response->r.BindResponse.SASL.secblob;
 363                 } else {
 364                         input = data_blob(NULL, 0);
 365                 }
 366         }
 367
 368         if (NT_STATUS_IS_OK(status) &&
 369             (gensec_have_feature(conn->gensec, GENSEC_FEATURE_SEAL) ||
 370              gensec_have_feature(conn->gensec, GENSEC_FEATURE_SIGN))) {
 371                 conn->enable_wrap = True;
 372         }
 373
 374         talloc_free(tmp_ctx);
 375
 376         if (NT_STATUS_IS_OK(status)) {
 377                 conn->bind.type = LDAP_BIND_SASL;
 378                 conn->bind.creds = creds;
 379         }
 380
 381         return status;
 382
 383 failed:
 384         talloc_free(tmp_ctx);
 385         talloc_free(conn->gensec);
 386         conn->gensec = NULL;
 387         return status;
 388 }