source4/libcli/ldap/ldap_bind.c

   1 /*
   2    Unix SMB/CIFS mplementation.
   3
   4    LDAP bind calls
   5
   6    Copyright (C) Andrew Tridgell  2005
   7    Copyright (C) Volker Lendecke  2004
   8
   9    This program is free software; you can redistribute it and/or modify
  10    it under the terms of the GNU General Public License as published by
  11    the Free Software Foundation; either version 2 of the License, or
  12    (at your option) any later version.
  13
  14    This program is distributed in the hope that it will be useful,
  15    but WITHOUT ANY WARRANTY; without even the implied warranty of
  16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17    GNU General Public License for more details.
  18
  19    You should have received a copy of the GNU General Public License
  20    along with this program; if not, write to the Free Software
  21    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  22
  23 */
  24
  25 #include "includes.h"
  26 #include "libcli/ldap/ldap.h"
  27 #include "libcli/ldap/ldap_client.h"
  28 #include "lib/tls/tls.h"
  29 #include "auth/auth.h"
  30 #include "auth/gensec/socket.h"
  31 #include "lib/stream/packet.h"
  32
  33 struct ldap_simple_creds {
  34         const char *dn;
  35         const char *pw;
  36 };
  37
  38 NTSTATUS ldap_rebind(struct ldap_connection *conn)
  39 {
  40         NTSTATUS status;
  41         struct ldap_simple_creds *creds;
  42
  43         switch (conn->bind.type) {
  44         case LDAP_BIND_SASL:
  45                 status = ldap_bind_sasl(conn, (struct cli_credentials *)conn->bind.creds);
  46                 break;
  47
  48         case LDAP_BIND_SIMPLE:
  49                 creds = (struct ldap_simple_creds *)conn->bind.creds;
  50
  51                 if (creds == NULL) {
  52                         return NT_STATUS_UNSUCCESSFUL;
  53                 }
  54
  55                 status = ldap_bind_simple(conn, creds->dn, creds->pw);
  56                 break;
  57
  58         default:
  59                 return NT_STATUS_UNSUCCESSFUL;
  60         }
  61
  62         return status;
  63 }
  64
  65
  66 static struct ldap_message *new_ldap_simple_bind_msg(struct ldap_connection *conn,
  67                                                      const char *dn, const char *pw)
  68 {
  69         struct ldap_message *res;
  70
  71         res = new_ldap_message(conn);
  72         if (!res) {
  73                 return NULL;
  74         }
  75
  76         res->type = LDAP_TAG_BindRequest;
  77         res->r.BindRequest.version = 3;
  78         res->r.BindRequest.dn = talloc_strdup(res, dn);
  79         res->r.BindRequest.mechanism = LDAP_AUTH_MECH_SIMPLE;
  80         res->r.BindRequest.creds.password = talloc_strdup(res, pw);
  81         res->controls = NULL;
  82
  83         return res;
  84 }
  85
  86
  87 /*
  88   perform a simple username/password bind
  89 */
  90 NTSTATUS ldap_bind_simple(struct ldap_connection *conn,
  91                           const char *userdn, const char *password)
  92 {
  93         struct ldap_request *req;
  94         struct ldap_message *msg;
  95         const char *dn, *pw;
  96         NTSTATUS status;
  97
  98         if (conn == NULL) {
  99                 return NT_STATUS_INVALID_CONNECTION;
 100         }
 101
 102         if (userdn) {
 103                 dn = userdn;
 104         } else {
 105                 if (conn->auth_dn) {
 106                         dn = conn->auth_dn;
 107                 } else {
 108                         dn = "";
 109                 }
 110         }
 111
 112         if (password) {
 113                 pw = password;
 114         } else {
 115                 if (conn->simple_pw) {
 116                         pw = conn->simple_pw;
 117                 } else {
 118                         pw = "";
 119                 }
 120         }
 121
 122         msg = new_ldap_simple_bind_msg(conn, dn, pw);
 123         NT_STATUS_HAVE_NO_MEMORY(msg);
 124
 125         /* send the request */
 126         req = ldap_request_send(conn, msg);
 127         talloc_free(msg);
 128         NT_STATUS_HAVE_NO_MEMORY(req);
 129
 130         /* wait for replies */
 131         status = ldap_request_wait(req);
 132         if (!NT_STATUS_IS_OK(status)) {
 133                 talloc_free(req);
 134                 return status;
 135         }
 136
 137         /* check its a valid reply */
 138         msg = req->replies[0];
 139         if (msg->type != LDAP_TAG_BindResponse) {
 140                 talloc_free(req);
 141                 return NT_STATUS_UNEXPECTED_NETWORK_ERROR;
 142         }
 143
 144         status = ldap_check_response(conn, &msg->r.BindResponse.response);
 145
 146         talloc_free(req);
 147
 148         if (NT_STATUS_IS_OK(status)) {
 149                 struct ldap_simple_creds *creds = talloc(conn, struct ldap_simple_creds);
 150                 if (creds == NULL) {
 151                         return NT_STATUS_NO_MEMORY;
 152                 }
 153                 creds->dn = talloc_strdup(creds, dn);
 154                 creds->pw = talloc_strdup(creds, pw);
 155                 if (creds->dn == NULL || creds->pw == NULL) {
 156                         return NT_STATUS_NO_MEMORY;
 157                 }
 158                 conn->bind.type = LDAP_BIND_SIMPLE;
 159                 conn->bind.creds = creds;
 160         }
 161
 162         return status;
 163 }
 164
 165
 166 static struct ldap_message *new_ldap_sasl_bind_msg(struct ldap_connection *conn,
 167                                                    const char *sasl_mechanism,
 168                                                    DATA_BLOB *secblob)
 169 {
 170         struct ldap_message *res;
 171
 172         res = new_ldap_message(conn);
 173         if (!res) {
 174                 return NULL;
 175         }
 176
 177         res->type = LDAP_TAG_BindRequest;
 178         res->r.BindRequest.version = 3;
 179         res->r.BindRequest.dn = "";
 180         res->r.BindRequest.mechanism = LDAP_AUTH_MECH_SASL;
 181         res->r.BindRequest.creds.SASL.mechanism = talloc_strdup(res, sasl_mechanism);
 182         if (secblob) {
 183                 res->r.BindRequest.creds.SASL.secblob = talloc(res, DATA_BLOB);
 184                 if (!res->r.BindRequest.creds.SASL.secblob) {
 185                         talloc_free(res);
 186                         return NULL;
 187                 }
 188                 *res->r.BindRequest.creds.SASL.secblob = *secblob;
 189         } else {
 190                 res->r.BindRequest.creds.SASL.secblob = NULL;
 191         }
 192         res->controls = NULL;
 193
 194         return res;
 195 }
 196
 197
 198 /*
 199   perform a sasl bind using the given credentials
 200 */
 201 NTSTATUS ldap_bind_sasl(struct ldap_connection *conn, struct cli_credentials *creds)
 202 {
 203         NTSTATUS status;
 204         TALLOC_CTX *tmp_ctx = NULL;
 205
 206         DATA_BLOB input = data_blob(NULL, 0);
 207         DATA_BLOB output = data_blob(NULL, 0);
 208
 209         struct ldap_message **sasl_mechs_msgs;
 210         struct ldap_SearchResEntry *search;
 211         int count, i;
 212
 213         const char **sasl_names;
 214
 215         static const char *supported_sasl_mech_attrs[] = {
 216                 "supportedSASLMechanisms",
 217                 NULL
 218         };
 219
 220         status = gensec_client_start(conn, &conn->gensec, NULL);
 221         if (!NT_STATUS_IS_OK(status)) {
 222                 DEBUG(0, ("Failed to start GENSEC engine (%s)\n", nt_errstr(status)));
 223                 goto failed;
 224         }
 225
 226         /* require Kerberos SIGN/SEAL only if we don't use SSL
 227          * Windows seem not to like double encryption */
 228         if (!tls_enabled(conn->sock)) {
 229                 gensec_want_feature(conn->gensec, 0 | GENSEC_FEATURE_SIGN | GENSEC_FEATURE_SEAL);
 230         }
 231
 232         status = gensec_set_credentials(conn->gensec, creds);
 233         if (!NT_STATUS_IS_OK(status)) {
 234                 DEBUG(1, ("Failed to set GENSEC creds: %s\n",
 235                           nt_errstr(status)));
 236                 goto failed;
 237         }
 238
 239         if (conn->host) {
 240                 status = gensec_set_target_hostname(conn->gensec, conn->host);
 241                 if (!NT_STATUS_IS_OK(status)) {
 242                         DEBUG(1, ("Failed to set GENSEC target hostname: %s\n",
 243                                   nt_errstr(status)));
 244                         goto failed;
 245                 }
 246         }
 247
 248         status = gensec_set_target_service(conn->gensec, "ldap");
 249         if (!NT_STATUS_IS_OK(status)) {
 250                 DEBUG(1, ("Failed to set GENSEC target service: %s\n",
 251                           nt_errstr(status)));
 252                 goto failed;
 253         }
 254
 255         status = ildap_search(conn, "", LDAP_SEARCH_SCOPE_BASE, "", supported_sasl_mech_attrs,
 256                               False, NULL, NULL, &sasl_mechs_msgs);
 257         if (!NT_STATUS_IS_OK(status)) {
 258                 DEBUG(1, ("Failed to inquire of target's available sasl mechs in rootdse search: %s\n",
 259                           nt_errstr(status)));
 260                 goto failed;
 261         }
 262
 263         count = ildap_count_entries(conn, sasl_mechs_msgs);
 264         if (count != 1) {
 265                 DEBUG(1, ("Failed to inquire of target's available sasl mechs in rootdse search: wrong number of replies: %d\n",
 266                           count));
 267                 goto failed;
 268         }
 269
 270         tmp_ctx = talloc_new(conn);
 271         if (tmp_ctx == NULL) goto failed;
 272
 273         search = &sasl_mechs_msgs[0]->r.SearchResultEntry;
 274         if (search->num_attributes != 1) {
 275                 DEBUG(1, ("Failed to inquire of target's available sasl mechs in rootdse search: wrong number of attributes: %d\n",
 276                           search->num_attributes));
 277                 goto failed;
 278         }
 279
 280         sasl_names = talloc_array(tmp_ctx, const char *, search->attributes[0].num_values + 1);
 281         if (!sasl_names) {
 282                 DEBUG(1, ("talloc_arry(char *, %d) failed\n",
 283                           count));
 284                 goto failed;
 285         }
 286
 287         for (i=0; i<search->attributes[0].num_values; i++) {
 288                 sasl_names[i] = (const char *)search->attributes[0].values[i].data;
 289         }
 290         sasl_names[i] = NULL;
 291
 292         status = gensec_start_mech_by_sasl_list(conn->gensec, sasl_names);
 293         if (!NT_STATUS_IS_OK(status)) {
 294                 DEBUG(1, ("None of the %d proposed SASL mechs were acceptable: %s\n",
 295                           count, nt_errstr(status)));
 296                 goto failed;
 297         }
 298
 299         while (1) {
 300                 NTSTATUS gensec_status;
 301                 struct ldap_message *response;
 302                 struct ldap_message *msg;
 303                 struct ldap_request *req;
 304                 int result = LDAP_OTHER;
 305
 306                 status = gensec_update(conn->gensec, tmp_ctx,
 307                                        input,
 308                                        &output);
 309                 /* The status value here, from GENSEC is vital to the security
 310                  * of the system.  Even if the other end accepts, if GENSEC
 311                  * claims 'MORE_PROCESSING_REQUIRED' then you must keep
 312                  * feeding it blobs, or else the remote host/attacker might
 313                  * avoid mutal authentication requirements.
 314                  *
 315                  * Likewise, you must not feed GENSEC too much (after the OK),
 316                  * it doesn't like that either
 317                  */
 318
 319                 gensec_status = status;
 320
 321                 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) &&
 322                     !NT_STATUS_IS_OK(status)) {
 323                         break;
 324                 }
 325                 if (NT_STATUS_IS_OK(status) && output.length == 0) {
 326                         break;
 327                 }
 328
 329                 /* Perhaps we should make gensec_start_mech_by_sasl_list() return the name we got? */
 330                 msg = new_ldap_sasl_bind_msg(tmp_ctx, conn->gensec->ops->sasl_name, (output.data?&output:NULL));
 331                 if (msg == NULL) {
 332                         status = NT_STATUS_NO_MEMORY;
 333                         goto failed;
 334                 }
 335
 336                 req = ldap_request_send(conn, msg);
 337                 if (req == NULL) {
 338                         status = NT_STATUS_NO_MEMORY;
 339                         goto failed;
 340                 }
 341                 talloc_steal(tmp_ctx, req);
 342
 343                 status = ldap_result_n(req, 0, &response);
 344                 if (!NT_STATUS_IS_OK(status)) {
 345                         goto failed;
 346                 }
 347
 348                 if (response->type != LDAP_TAG_BindResponse) {
 349                         status = NT_STATUS_UNEXPECTED_NETWORK_ERROR;
 350                         goto failed;
 351                 }
 352
 353                 result = response->r.BindResponse.response.resultcode;
 354
 355                 if (result != LDAP_SUCCESS && result != LDAP_SASL_BIND_IN_PROGRESS) {
 356                         status = ldap_check_response(conn,
 357                                                      &response->r.BindResponse.response);
 358                         break;
 359                 }
 360
 361                 /* This is where we check if GENSEC wanted to be fed more data */
 362                 if (!NT_STATUS_EQUAL(gensec_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 363                         break;
 364                 }
 365                 if (response->r.BindResponse.SASL.secblob) {
 366                         input = *response->r.BindResponse.SASL.secblob;
 367                 } else {
 368                         input = data_blob(NULL, 0);
 369                 }
 370         }
 371
 372         talloc_free(tmp_ctx);
 373
 374         if (NT_STATUS_IS_OK(status)) {
 375                 struct socket_context *sasl_socket;
 376                 status = gensec_socket_init(conn->gensec,
 377                                             conn->sock,
 378                                             conn->event.event_ctx,
 379                                             ldap_read_io_handler,
 380                                             conn,
 381                                             &sasl_socket);
 382                 if (!NT_STATUS_IS_OK(status)) goto failed;
 383
 384                 talloc_steal(conn->sock, sasl_socket);
 385                 talloc_unlink(conn, conn->sock);
 386                 conn->sock = sasl_socket;
 387                 packet_set_socket(conn->packet, conn->sock);
 388
 389                 conn->bind.type = LDAP_BIND_SASL;
 390                 conn->bind.creds = creds;
 391         }
 392
 393         return status;
 394
 395 failed:
 396         talloc_free(tmp_ctx);
 397         talloc_free(conn->gensec);
 398         conn->gensec = NULL;
 399         return status;
 400 }