2 Unix SMB/CIFS mplementation.
6 Copyright (C) Andrew Tridgell 2005
7 Copyright (C) Volker Lendecke 2004
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 2 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
26 #include "libcli/ldap/ldap.h"
27 #include "libcli/ldap/ldap_client.h"
28 #include "lib/tls/tls.h"
29 #include "auth/auth.h"
30 #include "auth/gensec/socket.h"
31 #include "lib/stream/packet.h"
33 struct ldap_simple_creds {
38 NTSTATUS ldap_rebind(struct ldap_connection *conn)
41 struct ldap_simple_creds *creds;
43 switch (conn->bind.type) {
45 status = ldap_bind_sasl(conn, (struct cli_credentials *)conn->bind.creds);
48 case LDAP_BIND_SIMPLE:
49 creds = (struct ldap_simple_creds *)conn->bind.creds;
52 return NT_STATUS_UNSUCCESSFUL;
55 status = ldap_bind_simple(conn, creds->dn, creds->pw);
59 return NT_STATUS_UNSUCCESSFUL;
66 static struct ldap_message *new_ldap_simple_bind_msg(struct ldap_connection *conn,
67 const char *dn, const char *pw)
69 struct ldap_message *res;
71 res = new_ldap_message(conn);
76 res->type = LDAP_TAG_BindRequest;
77 res->r.BindRequest.version = 3;
78 res->r.BindRequest.dn = talloc_strdup(res, dn);
79 res->r.BindRequest.mechanism = LDAP_AUTH_MECH_SIMPLE;
80 res->r.BindRequest.creds.password = talloc_strdup(res, pw);
88 perform a simple username/password bind
90 NTSTATUS ldap_bind_simple(struct ldap_connection *conn,
91 const char *userdn, const char *password)
93 struct ldap_request *req;
94 struct ldap_message *msg;
99 return NT_STATUS_INVALID_CONNECTION;
115 if (conn->simple_pw) {
116 pw = conn->simple_pw;
122 msg = new_ldap_simple_bind_msg(conn, dn, pw);
123 NT_STATUS_HAVE_NO_MEMORY(msg);
125 /* send the request */
126 req = ldap_request_send(conn, msg);
128 NT_STATUS_HAVE_NO_MEMORY(req);
130 /* wait for replies */
131 status = ldap_request_wait(req);
132 if (!NT_STATUS_IS_OK(status)) {
137 /* check its a valid reply */
138 msg = req->replies[0];
139 if (msg->type != LDAP_TAG_BindResponse) {
141 return NT_STATUS_UNEXPECTED_NETWORK_ERROR;
144 status = ldap_check_response(conn, &msg->r.BindResponse.response);
148 if (NT_STATUS_IS_OK(status)) {
149 struct ldap_simple_creds *creds = talloc(conn, struct ldap_simple_creds);
151 return NT_STATUS_NO_MEMORY;
153 creds->dn = talloc_strdup(creds, dn);
154 creds->pw = talloc_strdup(creds, pw);
155 if (creds->dn == NULL || creds->pw == NULL) {
156 return NT_STATUS_NO_MEMORY;
158 conn->bind.type = LDAP_BIND_SIMPLE;
159 conn->bind.creds = creds;
166 static struct ldap_message *new_ldap_sasl_bind_msg(struct ldap_connection *conn,
167 const char *sasl_mechanism,
170 struct ldap_message *res;
172 res = new_ldap_message(conn);
177 res->type = LDAP_TAG_BindRequest;
178 res->r.BindRequest.version = 3;
179 res->r.BindRequest.dn = "";
180 res->r.BindRequest.mechanism = LDAP_AUTH_MECH_SASL;
181 res->r.BindRequest.creds.SASL.mechanism = talloc_strdup(res, sasl_mechanism);
183 res->r.BindRequest.creds.SASL.secblob = talloc(res, DATA_BLOB);
184 if (!res->r.BindRequest.creds.SASL.secblob) {
188 *res->r.BindRequest.creds.SASL.secblob = *secblob;
190 res->r.BindRequest.creds.SASL.secblob = NULL;
192 res->controls = NULL;
199 perform a sasl bind using the given credentials
201 NTSTATUS ldap_bind_sasl(struct ldap_connection *conn, struct cli_credentials *creds)
204 TALLOC_CTX *tmp_ctx = NULL;
206 DATA_BLOB input = data_blob(NULL, 0);
207 DATA_BLOB output = data_blob(NULL, 0);
209 struct ldap_message **sasl_mechs_msgs;
210 struct ldap_SearchResEntry *search;
213 const char **sasl_names;
215 static const char *supported_sasl_mech_attrs[] = {
216 "supportedSASLMechanisms",
220 status = gensec_client_start(conn, &conn->gensec, NULL);
221 if (!NT_STATUS_IS_OK(status)) {
222 DEBUG(0, ("Failed to start GENSEC engine (%s)\n", nt_errstr(status)));
226 /* require Kerberos SIGN/SEAL only if we don't use SSL
227 * Windows seem not to like double encryption */
228 if (!tls_enabled(conn->sock)) {
229 gensec_want_feature(conn->gensec, 0 | GENSEC_FEATURE_SIGN | GENSEC_FEATURE_SEAL);
232 status = gensec_set_credentials(conn->gensec, creds);
233 if (!NT_STATUS_IS_OK(status)) {
234 DEBUG(1, ("Failed to set GENSEC creds: %s\n",
240 status = gensec_set_target_hostname(conn->gensec, conn->host);
241 if (!NT_STATUS_IS_OK(status)) {
242 DEBUG(1, ("Failed to set GENSEC target hostname: %s\n",
248 status = gensec_set_target_service(conn->gensec, "ldap");
249 if (!NT_STATUS_IS_OK(status)) {
250 DEBUG(1, ("Failed to set GENSEC target service: %s\n",
255 status = ildap_search(conn, "", LDAP_SEARCH_SCOPE_BASE, "", supported_sasl_mech_attrs,
256 False, NULL, NULL, &sasl_mechs_msgs);
257 if (!NT_STATUS_IS_OK(status)) {
258 DEBUG(1, ("Failed to inquire of target's available sasl mechs in rootdse search: %s\n",
263 count = ildap_count_entries(conn, sasl_mechs_msgs);
265 DEBUG(1, ("Failed to inquire of target's available sasl mechs in rootdse search: wrong number of replies: %d\n",
270 tmp_ctx = talloc_new(conn);
271 if (tmp_ctx == NULL) goto failed;
273 search = &sasl_mechs_msgs[0]->r.SearchResultEntry;
274 if (search->num_attributes != 1) {
275 DEBUG(1, ("Failed to inquire of target's available sasl mechs in rootdse search: wrong number of attributes: %d\n",
276 search->num_attributes));
280 sasl_names = talloc_array(tmp_ctx, const char *, search->attributes[0].num_values + 1);
282 DEBUG(1, ("talloc_arry(char *, %d) failed\n",
287 for (i=0; i<search->attributes[0].num_values; i++) {
288 sasl_names[i] = (const char *)search->attributes[0].values[i].data;
290 sasl_names[i] = NULL;
292 status = gensec_start_mech_by_sasl_list(conn->gensec, sasl_names);
293 if (!NT_STATUS_IS_OK(status)) {
294 DEBUG(1, ("None of the %d proposed SASL mechs were acceptable: %s\n",
295 count, nt_errstr(status)));
300 NTSTATUS gensec_status;
301 struct ldap_message *response;
302 struct ldap_message *msg;
303 struct ldap_request *req;
304 int result = LDAP_OTHER;
306 status = gensec_update(conn->gensec, tmp_ctx,
309 /* The status value here, from GENSEC is vital to the security
310 * of the system. Even if the other end accepts, if GENSEC
311 * claims 'MORE_PROCESSING_REQUIRED' then you must keep
312 * feeding it blobs, or else the remote host/attacker might
313 * avoid mutal authentication requirements.
315 * Likewise, you must not feed GENSEC too much (after the OK),
316 * it doesn't like that either
319 gensec_status = status;
321 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) &&
322 !NT_STATUS_IS_OK(status)) {
325 if (NT_STATUS_IS_OK(status) && output.length == 0) {
329 /* Perhaps we should make gensec_start_mech_by_sasl_list() return the name we got? */
330 msg = new_ldap_sasl_bind_msg(tmp_ctx, conn->gensec->ops->sasl_name, (output.data?&output:NULL));
332 status = NT_STATUS_NO_MEMORY;
336 req = ldap_request_send(conn, msg);
338 status = NT_STATUS_NO_MEMORY;
341 talloc_steal(tmp_ctx, req);
343 status = ldap_result_n(req, 0, &response);
344 if (!NT_STATUS_IS_OK(status)) {
348 if (response->type != LDAP_TAG_BindResponse) {
349 status = NT_STATUS_UNEXPECTED_NETWORK_ERROR;
353 result = response->r.BindResponse.response.resultcode;
355 if (result != LDAP_SUCCESS && result != LDAP_SASL_BIND_IN_PROGRESS) {
356 status = ldap_check_response(conn,
357 &response->r.BindResponse.response);
361 /* This is where we check if GENSEC wanted to be fed more data */
362 if (!NT_STATUS_EQUAL(gensec_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
365 if (response->r.BindResponse.SASL.secblob) {
366 input = *response->r.BindResponse.SASL.secblob;
368 input = data_blob(NULL, 0);
372 talloc_free(tmp_ctx);
374 if (NT_STATUS_IS_OK(status)) {
375 struct socket_context *sasl_socket;
376 status = gensec_socket_init(conn->gensec,
378 conn->event.event_ctx,
379 ldap_read_io_handler,
382 if (!NT_STATUS_IS_OK(status)) goto failed;
384 talloc_steal(conn->sock, sasl_socket);
385 talloc_unlink(conn, conn->sock);
386 conn->sock = sasl_socket;
387 packet_set_socket(conn->packet, conn->sock);
389 conn->bind.type = LDAP_BIND_SASL;
390 conn->bind.creds = creds;
396 talloc_free(tmp_ctx);
397 talloc_free(conn->gensec);