source4/ldap_server/ldap_bind.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    LDAP server
   4    Copyright (C) Stefan Metzmacher 2004
   5
   6    This program is free software; you can redistribute it and/or modify
   7    it under the terms of the GNU General Public License as published by
   8    the Free Software Foundation; either version 3 of the License, or
   9    (at your option) any later version.
  10
  11    This program is distributed in the hope that it will be useful,
  12    but WITHOUT ANY WARRANTY; without even the implied warranty of
  13    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14    GNU General Public License for more details.
  15
  16    You should have received a copy of the GNU General Public License
  17    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  18 */
  19
  20 #include "includes.h"
  21 #include "ldap_server/ldap_server.h"
  22 #include "auth/auth.h"
  23 #include "smbd/service.h"
  24 #include "lib/ldb/include/ldb.h"
  25 #include "lib/ldb/include/ldb_errors.h"
  26 #include "dsdb/samdb/samdb.h"
  27 #include "auth/gensec/gensec.h"
  28 #include "param/param.h"
  29
  30 static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call)
  31 {
  32         struct ldap_BindRequest *req = &call->request->r.BindRequest;
  33         struct ldapsrv_reply *reply;
  34         struct ldap_BindResponse *resp;
  35
  36         int result;
  37         const char *errstr;
  38         const char *nt4_domain, *nt4_account;
  39
  40         struct auth_session_info *session_info;
  41
  42         NTSTATUS status;
  43
  44         DEBUG(10, ("BindSimple dn: %s\n",req->dn));
  45
  46         status = crack_auto_name_to_nt4_name(call, call->conn->connection->event.ctx, call->conn->lp_ctx, req->dn, &nt4_domain, &nt4_account);
  47         if (NT_STATUS_IS_OK(status)) {
  48                 status = authenticate_username_pw(call,
  49                                                   call->conn->connection->event.ctx,
  50                                                   call->conn->connection->msg_ctx,
  51                                                   call->conn->lp_ctx,
  52                                                   nt4_domain, nt4_account,
  53                                                   req->creds.password,
  54                                                   &session_info);
  55         }
  56
  57         reply = ldapsrv_init_reply(call, LDAP_TAG_BindResponse);
  58         if (!reply) {
  59                 return NT_STATUS_NO_MEMORY;
  60         }
  61
  62         if (NT_STATUS_IS_OK(status)) {
  63                 result = LDAP_SUCCESS;
  64                 errstr = NULL;
  65
  66                 talloc_unlink(call->conn, call->conn->session_info);
  67                 call->conn->session_info = session_info;
  68                 talloc_steal(call->conn, session_info);
  69
  70                 /* don't leak the old LDB */
  71                 talloc_unlink(call->conn, call->conn->ldb);
  72
  73                 status = ldapsrv_backend_Init(call->conn);
  74
  75                 if (!NT_STATUS_IS_OK(status)) {
  76                         result = LDAP_OPERATIONS_ERROR;
  77                         errstr = talloc_asprintf(reply, "Simple Bind: Failed to advise ldb new credentials: %s", nt_errstr(status));
  78                 }
  79         } else {
  80                 status = auth_nt_status_squash(status);
  81
  82                 result = LDAP_INVALID_CREDENTIALS;
  83                 errstr = talloc_asprintf(reply, "Simple Bind Failed: %s", nt_errstr(status));
  84         }
  85
  86         resp = &reply->msg->r.BindResponse;
  87         resp->response.resultcode = result;
  88         resp->response.errormessage = errstr;
  89         resp->response.dn = NULL;
  90         resp->response.referral = NULL;
  91         resp->SASL.secblob = NULL;
  92
  93         ldapsrv_queue_reply(call, reply);
  94         return NT_STATUS_OK;
  95 }
  96
  97 struct ldapsrv_sasl_context {
  98         struct ldapsrv_connection *conn;
  99         struct socket_context *sasl_socket;
 100 };
 101
 102 static void ldapsrv_set_sasl(void *private_data)
 103 {
 104         struct ldapsrv_sasl_context *ctx = talloc_get_type(private_data, struct ldapsrv_sasl_context);
 105         talloc_steal(ctx->conn->connection, ctx->sasl_socket);
 106         talloc_unlink(ctx->conn->connection, ctx->conn->connection->socket);
 107
 108         ctx->conn->sockets.sasl = ctx->sasl_socket;
 109         ctx->conn->connection->socket = ctx->sasl_socket;
 110         packet_set_socket(ctx->conn->packet, ctx->conn->connection->socket);
 111 }
 112
 113 static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call)
 114 {
 115         struct ldap_BindRequest *req = &call->request->r.BindRequest;
 116         struct ldapsrv_reply *reply;
 117         struct ldap_BindResponse *resp;
 118         struct ldapsrv_connection *conn;
 119         int result = 0;
 120         const char *errstr=NULL;
 121         NTSTATUS status = NT_STATUS_OK;
 122
 123         DEBUG(10, ("BindSASL dn: %s\n",req->dn));
 124
 125         reply = ldapsrv_init_reply(call, LDAP_TAG_BindResponse);
 126         if (!reply) {
 127                 return NT_STATUS_NO_MEMORY;
 128         }
 129         resp = &reply->msg->r.BindResponse;
 130
 131         conn = call->conn;
 132
 133         /*
 134          * TODO: a SASL bind with a different mechanism
 135          *       should cancel an inprogress SASL bind.
 136          *       (see RFC 4513)
 137          */
 138
 139         if (!conn->gensec) {
 140                 conn->session_info = NULL;
 141
 142                 status = samba_server_gensec_start(conn,
 143                                                    conn->connection->event.ctx,
 144                                                    conn->connection->msg_ctx,
 145                                                    conn->lp_ctx,
 146                                                    conn->server_credentials,
 147                                                    "ldap",
 148                                                    &conn->gensec);
 149                 if (!NT_STATUS_IS_OK(status)) {
 150                         DEBUG(1, ("Failed to start GENSEC server code: %s\n", nt_errstr(status)));
 151                         result = LDAP_OPERATIONS_ERROR;
 152                         errstr = talloc_asprintf(reply, "SASL: Failed to start authentication system: %s",
 153                                                  nt_errstr(status));
 154                 } else {
 155
 156                         gensec_want_feature(conn->gensec, GENSEC_FEATURE_SIGN);
 157                         gensec_want_feature(conn->gensec, GENSEC_FEATURE_SEAL);
 158                         gensec_want_feature(conn->gensec, GENSEC_FEATURE_ASYNC_REPLIES);
 159
 160                         status = gensec_start_mech_by_sasl_name(conn->gensec, req->creds.SASL.mechanism);
 161
 162                         if (!NT_STATUS_IS_OK(status)) {
 163                                 DEBUG(1, ("Failed to start GENSEC SASL[%s] server code: %s\n",
 164                                           req->creds.SASL.mechanism, nt_errstr(status)));
 165                                 result = LDAP_OPERATIONS_ERROR;
 166                                 errstr = talloc_asprintf(reply, "SASL:[%s]: Failed to start authentication backend: %s",
 167                                                          req->creds.SASL.mechanism, nt_errstr(status));
 168                         }
 169                 }
 170         }
 171
 172         if (NT_STATUS_IS_OK(status)) {
 173                 DATA_BLOB input = data_blob(NULL, 0);
 174                 DATA_BLOB output = data_blob(NULL, 0);
 175
 176                 if (req->creds.SASL.secblob) {
 177                         input = *req->creds.SASL.secblob;
 178                 }
 179
 180                 status = gensec_update(conn->gensec, reply,
 181                                        input, &output);
 182
 183                 /* Windows 2000 mmc doesn't like secblob == NULL and reports a decoding error */
 184                 resp->SASL.secblob = talloc(reply, DATA_BLOB);
 185                 NT_STATUS_HAVE_NO_MEMORY(resp->SASL.secblob);
 186                 *resp->SASL.secblob = output;
 187         } else {
 188                 resp->SASL.secblob = NULL;
 189         }
 190
 191         if (NT_STATUS_EQUAL(NT_STATUS_MORE_PROCESSING_REQUIRED, status)) {
 192                 result = LDAP_SASL_BIND_IN_PROGRESS;
 193                 errstr = NULL;
 194         } else if (NT_STATUS_IS_OK(status)) {
 195                 struct auth_session_info *old_session_info=NULL;
 196                 struct ldapsrv_sasl_context *ctx;
 197
 198                 result = LDAP_SUCCESS;
 199                 errstr = NULL;
 200
 201                 ctx = talloc(call, struct ldapsrv_sasl_context);
 202
 203                 if (!ctx) {
 204                         status = NT_STATUS_NO_MEMORY;
 205                 } else {
 206                         ctx->conn = conn;
 207                         status = gensec_socket_init(conn->gensec,
 208                                                     conn->connection,
 209                                                     conn->connection->socket,
 210                                                     conn->connection->event.ctx,
 211                                                     stream_io_handler_callback,
 212                                                     conn->connection,
 213                                                     &ctx->sasl_socket);
 214                 }
 215
 216                 if (!ctx || !NT_STATUS_IS_OK(status)) {
 217                         conn->session_info = old_session_info;
 218                         result = LDAP_OPERATIONS_ERROR;
 219                         errstr = talloc_asprintf(reply,
 220                                                  "SASL:[%s]: Failed to setup SASL socket: %s",
 221                                                  req->creds.SASL.mechanism, nt_errstr(status));
 222                 } else {
 223
 224                         call->send_callback = ldapsrv_set_sasl;
 225                         call->send_private = ctx;
 226
 227                         old_session_info = conn->session_info;
 228                         conn->session_info = NULL;
 229                         status = gensec_session_info(conn->gensec, &conn->session_info);
 230                         if (!NT_STATUS_IS_OK(status)) {
 231                                 conn->session_info = old_session_info;
 232                                 result = LDAP_OPERATIONS_ERROR;
 233                                 errstr = talloc_asprintf(reply,
 234                                                          "SASL:[%s]: Failed to get session info: %s",
 235                                                          req->creds.SASL.mechanism, nt_errstr(status));
 236                         } else {
 237                                 talloc_unlink(conn, old_session_info);
 238                                 talloc_steal(conn, conn->session_info);
 239
 240                                 /* don't leak the old LDB */
 241                                 talloc_unlink(conn, conn->ldb);
 242
 243                                 status = ldapsrv_backend_Init(conn);
 244
 245                                 if (!NT_STATUS_IS_OK(status)) {
 246                                         result = LDAP_OPERATIONS_ERROR;
 247                                         errstr = talloc_asprintf(reply,
 248                                                                  "SASL:[%s]: Failed to advise samdb of new credentials: %s",
 249                                                                  req->creds.SASL.mechanism,
 250                                                                  nt_errstr(status));
 251                                 }
 252                         }
 253                 }
 254         } else {
 255                 status = auth_nt_status_squash(status);
 256                 if (result == 0) {
 257                         result = LDAP_INVALID_CREDENTIALS;
 258                         errstr = talloc_asprintf(reply, "SASL:[%s]: %s", req->creds.SASL.mechanism, nt_errstr(status));
 259                 }
 260         }
 261
 262         resp->response.resultcode = result;
 263         resp->response.dn = NULL;
 264         resp->response.errormessage = errstr;
 265         resp->response.referral = NULL;
 266
 267         ldapsrv_queue_reply(call, reply);
 268         return NT_STATUS_OK;
 269 }
 270
 271 NTSTATUS ldapsrv_BindRequest(struct ldapsrv_call *call)
 272 {
 273         struct ldap_BindRequest *req = &call->request->r.BindRequest;
 274         struct ldapsrv_reply *reply;
 275         struct ldap_BindResponse *resp;
 276
 277         /*
 278          * TODO: we should fail the bind request
 279          *       if there're any pending requests.
 280          *
 281          *       also a simple bind should cancel an
 282          *       inprogress SASL bind.
 283          *       (see RFC 4513)
 284          */
 285         switch (req->mechanism) {
 286                 case LDAP_AUTH_MECH_SIMPLE:
 287                         return ldapsrv_BindSimple(call);
 288                 case LDAP_AUTH_MECH_SASL:
 289                         return ldapsrv_BindSASL(call);
 290         }
 291
 292         reply = ldapsrv_init_reply(call, LDAP_TAG_BindResponse);
 293         if (!reply) {
 294                 return NT_STATUS_NO_MEMORY;
 295         }
 296
 297         resp = &reply->msg->r.BindResponse;
 298         resp->response.resultcode = 7;
 299         resp->response.dn = NULL;
 300         resp->response.errormessage = talloc_asprintf(reply, "Bad AuthenticationChoice [%d]", req->mechanism);
 301         resp->response.referral = NULL;
 302         resp->SASL.secblob = NULL;
 303
 304         ldapsrv_queue_reply(call, reply);
 305         return NT_STATUS_OK;
 306 }
 307
 308 NTSTATUS ldapsrv_UnbindRequest(struct ldapsrv_call *call)
 309 {
 310         DEBUG(10, ("UnbindRequest\n"));
 311         return NT_STATUS_OK;
 312 }