ldap_server: Log access without a bind
authorAndrew Bartlett <abartlet@samba.org>
Thu, 2 Mar 2017 23:53:06 +0000 (12:53 +1300)
committerAndrew Bartlett <abartlet@samba.org>
Wed, 29 Mar 2017 00:37:27 +0000 (02:37 +0200)
This can be over the privileged ldapi socket, or simply the implicit anonymous access.

However, do not log for setting up StartTLS, or a rootDSE search.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
source4/ldap_server/ldap_backend.c
source4/ldap_server/ldap_bind.c
source4/ldap_server/ldap_server.h
source4/ldap_server/wscript_build

index dc6a44c8237931dd003f425ce1818d35a731ed94..b023eb4dd7c192f3586954940f4a7a74e154eeef 100644 (file)
@@ -24,6 +24,7 @@
 #include "auth/credentials/credentials.h"
 #include "auth/gensec/gensec.h"
 #include "auth/gensec/gensec_internal.h" /* TODO: remove this */
+#include "auth/common_auth.h"
 #include "param/param.h"
 #include "smbd/service_stream.h"
 #include "dsdb/samdb/samdb.h"
@@ -1227,6 +1228,7 @@ NTSTATUS ldapsrv_do_call(struct ldapsrv_call *call)
        unsigned int i;
        struct ldap_message *msg = call->request;
        NTSTATUS status;
+       bool log = true;
 
        /* Check for undecoded critical extensions */
        for (i=0; msg->controls && msg->controls[i]; i++) {
@@ -1238,6 +1240,56 @@ NTSTATUS ldapsrv_do_call(struct ldapsrv_call *call)
                }
        }
 
+       if (call->conn->authz_logged == false) {
+
+               /*
+                * We do not want to log anonymous access if the query
+                * is just for the rootDSE, or it is a startTLS or a
+                * Bind.
+                *
+                * A rootDSE search could also be done over
+                * CLDAP anonymously for example, so these don't
+                * really count.
+                * Essentially we want to know about
+                * access beyond that normally done prior to a
+                * bind.
+                */
+
+               switch(call->request->type) {
+               case LDAP_TAG_BindRequest:
+                       log = false;
+                       break;
+               case LDAP_TAG_ExtendedResponse: {
+                       struct ldap_ExtendedRequest *req = &call->request->r.ExtendedRequest;
+                       if (strcmp(req->oid, LDB_EXTENDED_START_TLS_OID) == 0) {
+                               log = false;
+                       }
+                       break;
+               }
+               case LDAP_TAG_SearchRequest: {
+                       struct ldap_SearchRequest *req = &call->request->r.SearchRequest;
+                       if (req->scope == LDAP_SEARCH_SCOPE_BASE) {
+                               if (req->basedn[0] == '\0') {
+                                       log = false;
+                               }
+                       }
+                       break;
+               }
+               default:
+                       break;
+               }
+
+               if (log) {
+                       log_successful_authz_event(call->conn->connection->remote_address,
+                                                  call->conn->connection->local_address,
+                                                  "LDAP",
+                                                  "no bind",
+                                                  call->conn->session_info);
+
+                       call->conn->authz_logged = true;
+               }
+       }
+
        switch(call->request->type) {
        case LDAP_TAG_BindRequest:
                return ldapsrv_BindRequest(call);
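Review bot: The `case LDAP_TAG_ExtendedResponse:` label in the new logging switch looks wrong for a switch on an incoming `call->request->type`: the branch body reads `call->request->r.ExtendedRequest`, and a request message will not carry a response tag, so the branch appears unreachable and a StartTLS request would still be logged as "no bind", contrary to the commit message. The label should read `case LDAP_TAG_ExtendedRequest: {`. Separately, `strcmp(req->oid, ...)` and `req->basedn[0]` dereference parsed fields without a NULL check; if the LDAP decoder can leave either unset (not visible here), guard them before use, since this runs for unauthenticated peers. The logging block is otherwise fine as a once-per-connection event, but ldapsrv_do_call starts and ends outside the hunk, so the later paths are not visible here.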
index e70545f8fa5160140f5ccf5516994ed7354ce614..5fc50dce5385378eb6d085aef52dad91a8850078 100644 (file)
@@ -109,6 +109,8 @@ static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call)
                talloc_unlink(call->conn, call->conn->session_info);
                call->conn->session_info = talloc_steal(call->conn, session_info);
 
+               call->conn->authz_logged = true;
+
                /* don't leak the old LDB */
                talloc_unlink(call->conn, call->conn->ldb);
 
@@ -379,7 +381,9 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call)
                                
                                /* don't leak the old LDB */
                                talloc_unlink(conn, conn->ldb);
-                               
+
+                               call->conn->authz_logged = true;
+
                                status = ldapsrv_backend_Init(conn);            
                                
                                if (!NT_STATUS_IS_OK(status)) {
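Review bot: Both `call->conn->authz_logged = true;` assignments (ldapsrv_BindSimple and ldapsrv_BindSASL) are added without a comment, and a reader of ldap_bind.c alone cannot tell that the flag suppresses the anonymous "no bind" authorization event that ldapsrv_do_call emits, on the presumption that the successful bind has already produced its own authz log entry. Suggest above each assignment `/* The successful bind has already been logged as an authz event; stop ldapsrv_do_call from logging an anonymous "no bind" access. */`. In both hunks the flag is set before the result of `ldapsrv_backend_Init(conn)` is checked, so a connection whose backend init fails is also marked as logged; this is likely harmless if that connection is then dropped, but worth confirming. Both ldapsrv_BindSimple and ldapsrv_BindSASL start and end outside these hunks.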
index 86e5d34f21e65f62482d2f4f3245b98f515462de..337c974aaaeea8cb6b014644b3d6e6dbd0aefeda 100644 (file)
@@ -46,6 +46,7 @@ struct ldapsrv_connection {
        bool global_catalog;
        bool is_privileged;
        enum ldap_server_require_strong_auth require_strong_auth;
+       bool authz_logged;
 
        struct {
                int initial_timeout;
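Review bot: The new `bool authz_logged;` field has no comment, although it is a per-connection once-only marker shared between ldapsrv_do_call and the bind handlers. Suggest `bool authz_logged; /* true once an authz event (a bind, or a "no bind" access) has been logged for this connection */`. The logic relies on the struct being zero-initialised on allocation (presumably talloc_zero, not visible in this diff) so that a fresh connection starts with the flag false; worth confirming. The struct ldapsrv_connection definition continues outside the hunk.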
index 32a77c79c91d331a1249052b1c6b35fbc138f252..881cc893c72f6eb22d7ef1ccdea52e6caf4d0d35 100644 (file)
@@ -6,7 +6,7 @@ bld.SAMBA_MODULE('service_ldap',
        autoproto='proto.h',
        subsystem='service',
        init_function='server_service_ldap_init',
-       deps='samba-credentials cli-ldap samdb process_model gensec samba-hostconfig samba_server_gensec',
+       deps='samba-credentials cli-ldap samdb process_model gensec samba-hostconfig samba_server_gensec common_auth',
        internal_module=False,
        enabled=bld.AD_DC_BUILD_IS_ENABLED()
        )