2 Unix SMB/CIFS implementation.
6 Copyright (C) Andrew Tridgell 2005
7 Copyright (C) Volker Lendecke 2004
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "libcli/ldap/libcli_ldap.h"
26 #include "libcli/ldap/ldap_proto.h"
27 #include "libcli/ldap/ldap_client.h"
28 #include "lib/tls/tls.h"
29 #include "auth/gensec/gensec.h"
30 #include "auth/gensec/gensec_internal.h" /* TODO: remove this */
31 #include "source4/auth/gensec/gensec_tstream.h"
32 #include "auth/credentials/credentials.h"
33 #include "lib/stream/packet.h"
34 #include "param/param.h"
35 #include "param/loadparm.h"
36 #include "librpc/gen_ndr/ads.h"
38 struct ldap_simple_creds {
43 _PUBLIC_ NTSTATUS ldap_rebind(struct ldap_connection *conn)
46 struct ldap_simple_creds *creds;
48 switch (conn->bind.type) {
50 status = ldap_bind_sasl(conn, (struct cli_credentials *)conn->bind.creds,
54 case LDAP_BIND_SIMPLE:
55 creds = (struct ldap_simple_creds *)conn->bind.creds;
58 return NT_STATUS_UNSUCCESSFUL;
61 status = ldap_bind_simple(conn, creds->dn, creds->pw);
65 return NT_STATUS_UNSUCCESSFUL;
72 static struct ldap_message *new_ldap_simple_bind_msg(struct ldap_connection *conn,
73 const char *dn, const char *pw)
75 struct ldap_message *res;
77 res = new_ldap_message(conn);
82 res->type = LDAP_TAG_BindRequest;
83 res->r.BindRequest.version = 3;
84 res->r.BindRequest.dn = talloc_strdup(res, dn);
85 res->r.BindRequest.mechanism = LDAP_AUTH_MECH_SIMPLE;
86 res->r.BindRequest.creds.password = talloc_strdup(res, pw);
94 perform a simple username/password bind
96 _PUBLIC_ NTSTATUS ldap_bind_simple(struct ldap_connection *conn,
97 const char *userdn, const char *password)
99 struct ldap_request *req;
100 struct ldap_message *msg;
105 return NT_STATUS_INVALID_CONNECTION;
121 if (conn->simple_pw) {
122 pw = conn->simple_pw;
128 msg = new_ldap_simple_bind_msg(conn, dn, pw);
129 NT_STATUS_HAVE_NO_MEMORY(msg);
131 /* send the request */
132 req = ldap_request_send(conn, msg);
134 NT_STATUS_HAVE_NO_MEMORY(req);
136 /* wait for replies */
137 status = ldap_request_wait(req);
138 if (!NT_STATUS_IS_OK(status)) {
143 /* check its a valid reply */
144 msg = req->replies[0];
145 if (msg->type != LDAP_TAG_BindResponse) {
147 return NT_STATUS_UNEXPECTED_NETWORK_ERROR;
150 status = ldap_check_response(conn, &msg->r.BindResponse.response);
154 if (NT_STATUS_IS_OK(status)) {
155 struct ldap_simple_creds *creds = talloc(conn, struct ldap_simple_creds);
157 return NT_STATUS_NO_MEMORY;
159 creds->dn = talloc_strdup(creds, dn);
160 creds->pw = talloc_strdup(creds, pw);
161 if (creds->dn == NULL || creds->pw == NULL) {
162 return NT_STATUS_NO_MEMORY;
164 conn->bind.type = LDAP_BIND_SIMPLE;
165 conn->bind.creds = creds;
172 static struct ldap_message *new_ldap_sasl_bind_msg(struct ldap_connection *conn,
173 const char *sasl_mechanism,
176 struct ldap_message *res;
178 res = new_ldap_message(conn);
183 res->type = LDAP_TAG_BindRequest;
184 res->r.BindRequest.version = 3;
185 res->r.BindRequest.dn = "";
186 res->r.BindRequest.mechanism = LDAP_AUTH_MECH_SASL;
187 res->r.BindRequest.creds.SASL.mechanism = talloc_strdup(res, sasl_mechanism);
189 res->r.BindRequest.creds.SASL.secblob = talloc(res, DATA_BLOB);
190 if (!res->r.BindRequest.creds.SASL.secblob) {
194 *res->r.BindRequest.creds.SASL.secblob = *secblob;
196 res->r.BindRequest.creds.SASL.secblob = NULL;
198 res->controls = NULL;
205 perform a sasl bind using the given credentials
207 _PUBLIC_ NTSTATUS ldap_bind_sasl(struct ldap_connection *conn,
208 struct cli_credentials *creds,
209 struct loadparm_context *lp_ctx)
212 TALLOC_CTX *tmp_ctx = NULL;
214 DATA_BLOB input = data_blob(NULL, 0);
215 DATA_BLOB output = data_blob(NULL, 0);
217 struct ldap_message **sasl_mechs_msgs;
218 struct ldap_SearchResEntry *search;
222 const char **sasl_names;
223 uint32_t old_gensec_features;
224 static const char *supported_sasl_mech_attrs[] = {
225 "supportedSASLMechanisms",
228 unsigned int logon_retries = 0;
231 if (conn->sockets.active == NULL) {
232 status = NT_STATUS_CONNECTION_DISCONNECTED;
236 queue_length = tevent_queue_length(conn->sockets.send_queue);
237 if (queue_length != 0) {
238 status = NT_STATUS_INVALID_PARAMETER_MIX;
239 DEBUG(1, ("SASL bind triggered with non empty send_queue[%zu]: %s\n",
240 queue_length, nt_errstr(status)));
244 if (conn->pending != NULL) {
245 status = NT_STATUS_INVALID_PARAMETER_MIX;
246 DEBUG(1, ("SASL bind triggered with pending requests: %s\n",
251 status = ildap_search(conn, "", LDAP_SEARCH_SCOPE_BASE, "", supported_sasl_mech_attrs,
252 false, NULL, NULL, &sasl_mechs_msgs);
253 if (!NT_STATUS_IS_OK(status)) {
254 DEBUG(1, ("Failed to inquire of target's available sasl mechs in rootdse search: %s\n",
259 count = ildap_count_entries(conn, sasl_mechs_msgs);
261 DEBUG(1, ("Failed to inquire of target's available sasl mechs in rootdse search: wrong number of replies: %d\n",
266 tmp_ctx = talloc_new(conn);
267 if (tmp_ctx == NULL) {
268 status = NT_STATUS_NO_MEMORY;
272 search = &sasl_mechs_msgs[0]->r.SearchResultEntry;
273 if (search->num_attributes != 1) {
274 DEBUG(1, ("Failed to inquire of target's available sasl mechs in rootdse search: wrong number of attributes: %d != 1\n",
275 search->num_attributes));
279 sasl_names = talloc_array(tmp_ctx, const char *, search->attributes[0].num_values + 1);
281 DEBUG(1, ("talloc_arry(char *, %d) failed\n",
286 for (i=0; i<search->attributes[0].num_values; i++) {
287 sasl_names[i] = (const char *)search->attributes[0].values[i].data;
289 sasl_names[i] = NULL;
293 if (conn->sockets.active == conn->sockets.tls) {
295 * require Kerberos SIGN/SEAL only if we don't use SSL
296 * Windows seem not to like double encryption
299 } else if (cli_credentials_is_anonymous(creds)) {
301 * anonymous isn't protected
305 wrap_flags = lpcfg_client_ldap_sasl_wrapping(lp_ctx);
310 we loop back here on a logon failure, and re-create the
311 gensec session. The logon_retries counter ensures we don't
314 data_blob_free(&input);
315 TALLOC_FREE(conn->gensec);
317 status = gensec_client_start(conn, &conn->gensec,
318 lpcfg_gensec_settings(conn, lp_ctx));
319 if (!NT_STATUS_IS_OK(status)) {
320 DEBUG(0, ("Failed to start GENSEC engine (%s)\n", nt_errstr(status)));
324 old_gensec_features = cli_credentials_get_gensec_features(creds);
325 if (wrap_flags == 0) {
326 cli_credentials_set_gensec_features(creds,
327 old_gensec_features & ~(GENSEC_FEATURE_SIGN|GENSEC_FEATURE_SEAL),
331 /* this call also sets the gensec_want_features */
332 status = gensec_set_credentials(conn->gensec, creds);
333 if (!NT_STATUS_IS_OK(status)) {
334 DEBUG(1, ("Failed to set GENSEC creds: %s\n",
339 /* reset the original gensec_features (on the credentials
340 * context, so we don't tattoo it ) */
341 cli_credentials_set_gensec_features(creds,
345 if (wrap_flags & ADS_AUTH_SASL_SEAL) {
346 gensec_want_feature(conn->gensec, GENSEC_FEATURE_SIGN);
347 gensec_want_feature(conn->gensec, GENSEC_FEATURE_SEAL);
349 if (wrap_flags & ADS_AUTH_SASL_SIGN) {
350 gensec_want_feature(conn->gensec, GENSEC_FEATURE_SIGN);
354 * This is an indication for the NTLMSSP backend to
355 * also encrypt when only GENSEC_FEATURE_SIGN is requested
356 * in gensec_[un]wrap().
358 gensec_want_feature(conn->gensec, GENSEC_FEATURE_LDAP_STYLE);
361 status = gensec_set_target_hostname(conn->gensec, conn->host);
362 if (!NT_STATUS_IS_OK(status)) {
363 DEBUG(1, ("Failed to set GENSEC target hostname: %s\n",
369 status = gensec_set_target_service(conn->gensec, "ldap");
370 if (!NT_STATUS_IS_OK(status)) {
371 DEBUG(1, ("Failed to set GENSEC target service: %s\n",
376 status = gensec_start_mech_by_sasl_list(conn->gensec, sasl_names);
377 if (!NT_STATUS_IS_OK(status)) {
378 DEBUG(1, ("None of the %d proposed SASL mechs were acceptable: %s\n",
379 count, nt_errstr(status)));
384 NTSTATUS gensec_status;
385 struct ldap_message *response;
386 struct ldap_message *msg;
387 struct ldap_request *req;
388 int result = LDAP_OTHER;
390 status = gensec_update(conn->gensec, tmp_ctx,
393 /* The status value here, from GENSEC is vital to the security
394 * of the system. Even if the other end accepts, if GENSEC
395 * claims 'MORE_PROCESSING_REQUIRED' then you must keep
396 * feeding it blobs, or else the remote host/attacker might
397 * avoid mutual authentication requirements.
399 * Likewise, you must not feed GENSEC too much (after the OK),
400 * it doesn't like that either.
402 * For SASL/EXTERNAL, there is no data to send, but we still
403 * must send the actual Bind request the first time around.
404 * Otherwise, a result of NT_STATUS_OK with 0 output means the
405 * end of a multi-step authentication, and no message must be
409 gensec_status = status;
411 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) &&
412 !NT_STATUS_IS_OK(status)) {
415 if (NT_STATUS_IS_OK(status) && output.length == 0) {
421 /* Perhaps we should make gensec_start_mech_by_sasl_list() return the name we got? */
422 msg = new_ldap_sasl_bind_msg(tmp_ctx, conn->gensec->ops->sasl_name, (output.data?&output:NULL));
424 status = NT_STATUS_NO_MEMORY;
428 req = ldap_request_send(conn, msg);
430 status = NT_STATUS_NO_MEMORY;
433 talloc_reparent(conn, tmp_ctx, req);
435 status = ldap_result_n(req, 0, &response);
436 if (!NT_STATUS_IS_OK(status)) {
440 if (response->type != LDAP_TAG_BindResponse) {
441 status = NT_STATUS_UNEXPECTED_NETWORK_ERROR;
445 result = response->r.BindResponse.response.resultcode;
447 if (result == LDAP_STRONG_AUTH_REQUIRED) {
448 if (wrap_flags == 0) {
449 wrap_flags = ADS_AUTH_SASL_SIGN;
450 goto try_logon_again;
454 if (result == LDAP_INVALID_CREDENTIALS) {
456 try a second time on invalid credentials, to
457 give the user a chance to re-enter the
458 password and to handle the case where our
459 kerberos ticket is invalid as the server
462 const char *principal;
464 principal = gensec_get_target_principal(conn->gensec);
465 if (principal == NULL) {
466 const char *hostname = gensec_get_target_hostname(conn->gensec);
467 const char *service = gensec_get_target_service(conn->gensec);
468 if (hostname != NULL && service != NULL) {
469 principal = talloc_asprintf(tmp_ctx, "%s/%s", service, hostname);
473 if (cli_credentials_failed_kerberos_login(creds, principal, &logon_retries) ||
474 cli_credentials_wrong_password(creds)) {
476 destroy our gensec session and loop
477 back up to the top to retry,
478 offering the user a chance to enter
479 new credentials, or get a new ticket
482 goto try_logon_again;
486 if (result != LDAP_SUCCESS && result != LDAP_SASL_BIND_IN_PROGRESS) {
487 status = ldap_check_response(conn,
488 &response->r.BindResponse.response);
492 /* This is where we check if GENSEC wanted to be fed more data */
493 if (!NT_STATUS_EQUAL(gensec_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
496 if (response->r.BindResponse.SASL.secblob) {
497 input = *response->r.BindResponse.SASL.secblob;
499 input = data_blob(NULL, 0);
503 TALLOC_FREE(tmp_ctx);
505 if (!NT_STATUS_IS_OK(status)) {
509 conn->bind.type = LDAP_BIND_SASL;
510 conn->bind.creds = creds;
512 if (wrap_flags & ADS_AUTH_SASL_SEAL) {
513 if (!gensec_have_feature(conn->gensec, GENSEC_FEATURE_SIGN)) {
514 return NT_STATUS_INVALID_NETWORK_RESPONSE;
517 if (!gensec_have_feature(conn->gensec, GENSEC_FEATURE_SEAL)) {
518 return NT_STATUS_INVALID_NETWORK_RESPONSE;
520 } else if (wrap_flags & ADS_AUTH_SASL_SIGN) {
521 if (!gensec_have_feature(conn->gensec, GENSEC_FEATURE_SIGN)) {
522 return NT_STATUS_INVALID_NETWORK_RESPONSE;
526 if (!gensec_have_feature(conn->gensec, GENSEC_FEATURE_SIGN) &&
527 !gensec_have_feature(conn->gensec, GENSEC_FEATURE_SEAL)) {
531 status = gensec_create_tstream(conn->sockets.raw,
534 &conn->sockets.sasl);
535 if (!NT_STATUS_IS_OK(status)) {
539 conn->sockets.active = conn->sockets.sasl;
544 talloc_free(tmp_ctx);
545 talloc_free(conn->gensec);
git.samba.org / vlendec / samba-autobuild / .git / blob