Line data Source code
1 : /*
2 : Unix SMB/CIFS implementation.
3 : LDAP server
4 : Copyright (C) Stefan Metzmacher 2004
5 :
6 : This program is free software; you can redistribute it and/or modify
7 : it under the terms of the GNU General Public License as published by
8 : the Free Software Foundation; either version 3 of the License, or
9 : (at your option) any later version.
10 :
11 : This program is distributed in the hope that it will be useful,
12 : but WITHOUT ANY WARRANTY; without even the implied warranty of
13 : MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 : GNU General Public License for more details.
15 :
16 : You should have received a copy of the GNU General Public License
17 : along with this program. If not, see <http://www.gnu.org/licenses/>.
18 : */
19 :
20 : #include "includes.h"
21 : #include "ldap_server/ldap_server.h"
22 : #include "../lib/util/dlinklist.h"
23 : #include "lib/tls/tls.h"
24 : #include "samba/service_stream.h"
25 : #include "../lib/util/tevent_ntstatus.h"
26 : #include "librpc/gen_ndr/auth.h"
27 : #include "libcli/security/security_token.h"
28 :
29 : struct ldapsrv_starttls_postprocess_context {
30 : struct ldapsrv_connection *conn;
31 : };
32 :
33 : struct ldapsrv_starttls_postprocess_state {
34 : struct ldapsrv_connection *conn;
35 : };
36 :
37 : static void ldapsrv_starttls_postprocess_done(struct tevent_req *subreq);
38 :
39 0 : static struct tevent_req *ldapsrv_starttls_postprocess_send(TALLOC_CTX *mem_ctx,
40 : struct tevent_context *ev,
41 : void *private_data)
42 : {
43 0 : struct ldapsrv_starttls_postprocess_context *context =
44 0 : talloc_get_type_abort(private_data,
45 : struct ldapsrv_starttls_postprocess_context);
46 0 : struct ldapsrv_connection *conn = context->conn;
47 0 : struct tevent_req *req;
48 0 : struct ldapsrv_starttls_postprocess_state *state;
49 0 : struct tevent_req *subreq;
50 :
51 0 : req = tevent_req_create(mem_ctx, &state,
52 : struct ldapsrv_starttls_postprocess_state);
53 0 : if (req == NULL) {
54 0 : return NULL;
55 : }
56 :
57 0 : state->conn = conn;
58 :
59 0 : subreq = tstream_tls_accept_send(conn,
60 : conn->connection->event.ctx,
61 : conn->sockets.raw,
62 : conn->service->tls_params);
63 0 : if (tevent_req_nomem(subreq, req)) {
64 0 : return tevent_req_post(req, ev);
65 : }
66 0 : tevent_req_set_callback(subreq, ldapsrv_starttls_postprocess_done, req);
67 :
68 0 : return req;
69 : }
70 :
71 0 : static void ldapsrv_starttls_postprocess_done(struct tevent_req *subreq)
72 : {
73 0 : struct tevent_req *req =
74 0 : tevent_req_callback_data(subreq,
75 : struct tevent_req);
76 0 : struct ldapsrv_starttls_postprocess_state *state =
77 0 : tevent_req_data(req,
78 : struct ldapsrv_starttls_postprocess_state);
79 0 : struct ldapsrv_connection *conn = state->conn;
80 0 : int ret;
81 0 : int sys_errno;
82 :
83 0 : ret = tstream_tls_accept_recv(subreq, &sys_errno,
84 : conn, &conn->sockets.tls);
85 0 : TALLOC_FREE(subreq);
86 0 : if (ret == -1) {
87 0 : NTSTATUS status = map_nt_error_from_unix_common(sys_errno);
88 :
89 0 : DEBUG(1,("ldapsrv_starttls_postprocess_done: accept_tls_loop: "
90 : "tstream_tls_accept_recv() - %d:%s => %s\n",
91 : sys_errno, strerror(sys_errno), nt_errstr(status)));
92 :
93 0 : tevent_req_nterror(req, status);
94 0 : return;
95 : }
96 :
97 0 : conn->sockets.active = conn->sockets.tls;
98 :
99 0 : tevent_req_done(req);
100 : }
101 :
102 0 : static NTSTATUS ldapsrv_starttls_postprocess_recv(struct tevent_req *req)
103 : {
104 0 : return tevent_req_simple_recv_ntstatus(req);
105 : }
106 :
107 0 : static NTSTATUS ldapsrv_StartTLS(struct ldapsrv_call *call,
108 : struct ldapsrv_reply *reply,
109 : const char **errstr)
110 : {
111 0 : struct ldapsrv_starttls_postprocess_context *context;
112 :
113 0 : (*errstr) = NULL;
114 :
115 : /*
116 : * TODO: give LDAP_OPERATIONS_ERROR also when
117 : * there's a SASL bind in progress
118 : * (see rfc4513 section 3.1.1)
119 : */
120 0 : if (call->conn->sockets.tls) {
121 0 : (*errstr) = talloc_asprintf(reply, "START-TLS: TLS is already enabled on this LDAP session");
122 0 : return NT_STATUS_LDAP(LDAP_OPERATIONS_ERROR);
123 : }
124 :
125 0 : if (call->conn->sockets.sasl) {
126 0 : (*errstr) = talloc_asprintf(reply, "START-TLS: SASL is already enabled on this LDAP session");
127 0 : return NT_STATUS_LDAP(LDAP_OPERATIONS_ERROR);
128 : }
129 :
130 0 : if (call->conn->pending_calls != NULL) {
131 0 : (*errstr) = talloc_asprintf(reply, "START-TLS: pending requests on this LDAP session");
132 0 : return NT_STATUS_LDAP(LDAP_BUSY);
133 : }
134 :
135 0 : context = talloc(call, struct ldapsrv_starttls_postprocess_context);
136 0 : NT_STATUS_HAVE_NO_MEMORY(context);
137 :
138 0 : context->conn = call->conn;
139 :
140 0 : call->postprocess_send = ldapsrv_starttls_postprocess_send;
141 0 : call->postprocess_recv = ldapsrv_starttls_postprocess_recv;
142 0 : call->postprocess_private = context;
143 :
144 0 : reply->msg->r.ExtendedResponse.response.resultcode = LDAP_SUCCESS;
145 0 : reply->msg->r.ExtendedResponse.response.errormessage = NULL;
146 :
147 0 : ldapsrv_queue_reply(call, reply);
148 0 : return NT_STATUS_OK;
149 : }
150 :
151 : struct ldapsrv_extended_operation {
152 : const char *oid;
153 : NTSTATUS (*fn)(struct ldapsrv_call *call, struct ldapsrv_reply *reply, const char **errorstr);
154 : };
155 :
156 1 : static NTSTATUS ldapsrv_whoami(struct ldapsrv_call *call,
157 : struct ldapsrv_reply *reply,
158 : const char **errstr)
159 : {
160 1 : struct ldapsrv_connection *conn = call->conn;
161 1 : struct auth_session_info *session_info = conn->session_info;
162 1 : struct ldap_ExtendedResponse *ext_resp =
163 1 : &reply->msg->r.ExtendedResponse;
164 :
165 1 : *errstr = NULL;
166 :
167 1 : if (!security_token_is_anonymous(session_info->security_token)) {
168 1 : struct auth_user_info *uinfo = session_info->info;
169 1 : DATA_BLOB *value = talloc_zero(call, DATA_BLOB);
170 :
171 1 : if (value == NULL) {
172 0 : goto nomem;
173 : }
174 :
175 1 : value->data = (uint8_t *)talloc_asprintf(value,
176 : "u:%s\\%s",
177 : uinfo->domain_name,
178 : uinfo->account_name);
179 1 : if (value->data == NULL) {
180 0 : goto nomem;
181 : }
182 1 : value->length = talloc_get_size(value->data) - 1;
183 :
184 1 : ext_resp->value = value;
185 : }
186 :
187 1 : ext_resp->response.resultcode = LDAP_SUCCESS;
188 1 : ext_resp->response.errormessage = NULL;
189 :
190 1 : ldapsrv_queue_reply(call, reply);
191 :
192 1 : return NT_STATUS_OK;
193 0 : nomem:
194 0 : return NT_STATUS_LDAP(LDAP_OPERATIONS_ERROR);
195 : }
196 :
197 :
198 : static struct ldapsrv_extended_operation extended_ops[] = {
199 : {
200 : .oid = LDB_EXTENDED_START_TLS_OID,
201 : .fn = ldapsrv_StartTLS,
202 : },{
203 : .oid = LDB_EXTENDED_WHOAMI_OID,
204 : .fn = ldapsrv_whoami,
205 : },
206 : {
207 : .oid = NULL,
208 : .fn = NULL,
209 : }
210 : };
211 :
212 316 : NTSTATUS ldapsrv_ExtendedRequest(struct ldapsrv_call *call)
213 : {
214 316 : struct ldap_ExtendedRequest *req = &call->request->r.ExtendedRequest;
215 0 : struct ldapsrv_reply *reply;
216 316 : int result = LDAP_PROTOCOL_ERROR;
217 316 : const char *error_str = NULL;
218 316 : NTSTATUS status = NT_STATUS_OK;
219 0 : unsigned int i;
220 :
221 316 : DEBUG(10, ("Extended\n"));
222 :
223 316 : reply = ldapsrv_init_reply(call, LDAP_TAG_ExtendedResponse);
224 316 : NT_STATUS_HAVE_NO_MEMORY(reply);
225 :
226 316 : ZERO_STRUCT(reply->msg->r);
227 316 : reply->msg->r.ExtendedResponse.oid = talloc_steal(reply, req->oid);
228 316 : reply->msg->r.ExtendedResponse.response.resultcode = LDAP_PROTOCOL_ERROR;
229 316 : reply->msg->r.ExtendedResponse.response.errormessage = NULL;
230 :
231 947 : for (i=0; extended_ops[i].oid; i++) {
232 632 : if (strcmp(extended_ops[i].oid,req->oid) != 0) continue;
233 :
234 : /*
235 : * if the backend function returns an error we
236 : * need to send the reply otherwise the reply is already
237 : * sent and we need to return directly
238 : */
239 1 : status = extended_ops[i].fn(call, reply, &error_str);
240 1 : if (NT_STATUS_IS_OK(status)) {
241 1 : return status;
242 : }
243 :
244 0 : if (NT_STATUS_IS_LDAP(status)) {
245 0 : result = NT_STATUS_LDAP_CODE(status);
246 : } else {
247 0 : result = LDAP_OPERATIONS_ERROR;
248 0 : error_str = talloc_asprintf(reply, "Extended Operation(%s) failed: %s",
249 : req->oid, nt_errstr(status));
250 : }
251 : }
252 : /* if we haven't found the oid, then status is still NT_STATUS_OK */
253 315 : if (NT_STATUS_IS_OK(status)) {
254 315 : error_str = talloc_asprintf(reply, "Extended Operation(%s) not supported",
255 : req->oid);
256 : }
257 :
258 315 : reply->msg->r.ExtendedResponse.response.resultcode = result;
259 315 : reply->msg->r.ExtendedResponse.response.errormessage = error_str;
260 :
261 315 : ldapsrv_queue_reply(call, reply);
262 315 : return NT_STATUS_OK;
263 : }
|
