Line data Source code
1 : /*
2 : Unix SMB/CIFS implementation.
3 :
4 : auth functions
5 :
6 : Copyright (C) Simo Sorce 2005
7 : Copyright (C) Andrew Tridgell 2005
8 : Copyright (C) Andrew Bartlett 2005
9 :
10 : This program is free software; you can redistribute it and/or modify
11 : it under the terms of the GNU General Public License as published by
12 : the Free Software Foundation; either version 3 of the License, or
13 : (at your option) any later version.
14 :
15 : This program is distributed in the hope that it will be useful,
16 : but WITHOUT ANY WARRANTY; without even the implied warranty of
17 : MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 : GNU General Public License for more details.
19 :
20 : You should have received a copy of the GNU General Public License
21 : along with this program. If not, see <http://www.gnu.org/licenses/>.
22 : */
23 :
24 : #include "includes.h"
25 : #include <tevent.h>
26 : #include "lib/util/tevent_ntstatus.h"
27 : #include "auth/auth.h"
28 : #include "dsdb/samdb/samdb.h"
29 :
30 : #undef DBGC_CLASS
31 : #define DBGC_CLASS DBGC_AUTH
32 :
33 : struct authenticate_ldap_simple_bind_state {
34 : bool using_tls;
35 : struct auth4_context *auth_context;
36 : struct auth_usersupplied_info *user_info;
37 : struct auth_session_info *session_info;
38 : };
39 :
40 : static void authenticate_ldap_simple_bind_done(struct tevent_req *subreq);
41 :
42 120 : _PUBLIC_ struct tevent_req *authenticate_ldap_simple_bind_send(TALLOC_CTX *mem_ctx,
43 : struct tevent_context *ev,
44 : struct imessaging_context *msg,
45 : struct loadparm_context *lp_ctx,
46 : struct tsocket_address *remote_address,
47 : struct tsocket_address *local_address,
48 : bool using_tls,
49 : const char *dn,
50 : const char *password)
51 : {
52 120 : struct tevent_req *req = NULL;
53 120 : struct authenticate_ldap_simple_bind_state *state = NULL;
54 120 : struct auth_usersupplied_info *user_info = NULL;
55 120 : const char *nt4_domain = NULL;
56 120 : const char *nt4_username = NULL;
57 120 : struct tevent_req *subreq = NULL;
58 : NTSTATUS status;
59 :
60 120 : req = tevent_req_create(mem_ctx, &state,
61 : struct authenticate_ldap_simple_bind_state);
62 120 : if (req == NULL) {
63 0 : return NULL;
64 : }
65 120 : state->using_tls = using_tls;
66 :
67 120 : status = auth_context_create(state, ev, msg, lp_ctx,
68 120 : &state->auth_context);
69 120 : if (tevent_req_nterror(req, status)) {
70 0 : return tevent_req_post(req, ev);
71 : }
72 :
73 120 : user_info = talloc_zero(state, struct auth_usersupplied_info);
74 120 : if (tevent_req_nomem(user_info, req)) {
75 0 : return tevent_req_post(req, ev);
76 : }
77 120 : state->user_info = user_info;
78 :
79 120 : user_info->client.account_name = dn;
80 : /* No client.domain_name, use account_name instead */
81 : /* user_info->mapped.* will be filled below */
82 :
83 120 : user_info->workstation_name = NULL;
84 :
85 120 : user_info->remote_host = remote_address;
86 120 : user_info->local_host = local_address;
87 :
88 120 : user_info->service_description = "LDAP";
89 :
90 120 : if (using_tls) {
91 80 : user_info->auth_description = "simple bind";
92 : } else {
93 40 : user_info->auth_description = "simple bind/TLS";
94 : }
95 :
96 120 : user_info->password_state = AUTH_PASSWORD_PLAIN;
97 120 : user_info->password.plaintext = talloc_strdup(user_info, password);
98 120 : if (tevent_req_nomem(user_info->password.plaintext, req)) {
99 0 : return tevent_req_post(req, ev);
100 : }
101 :
102 120 : user_info->flags = USER_INFO_CASE_INSENSITIVE_USERNAME |
103 : USER_INFO_DONT_CHECK_UNIX_ACCOUNT;
104 :
105 120 : user_info->logon_parameters =
106 : MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT |
107 : MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT |
108 : MSV1_0_CLEARTEXT_PASSWORD_ALLOWED |
109 : MSV1_0_CLEARTEXT_PASSWORD_SUPPLIED;
110 :
111 120 : status = crack_auto_name_to_nt4_name(state, state->auth_context->sam_ctx,
112 : dn, &nt4_domain, &nt4_username);
113 120 : if (!NT_STATUS_IS_OK(status)) {
114 6 : log_authentication_event(msg, lp_ctx,
115 6 : &state->auth_context->start_time,
116 : user_info, status,
117 : NULL, NULL, NULL);
118 : }
119 120 : if (tevent_req_nterror(req, status)) {
120 6 : return tevent_req_post(req, ev);
121 : }
122 :
123 114 : user_info->mapped.account_name = nt4_username;
124 114 : user_info->mapped.domain_name = nt4_domain;
125 114 : user_info->mapped_state = true;
126 :
127 114 : subreq = auth_check_password_send(state, ev,
128 114 : state->auth_context,
129 114 : state->user_info);
130 114 : if (tevent_req_nomem(subreq, req)) {
131 0 : return tevent_req_post(req, ev);
132 : }
133 114 : tevent_req_set_callback(subreq, authenticate_ldap_simple_bind_done, req);
134 :
135 114 : return req;
136 : }
137 :
138 114 : static void authenticate_ldap_simple_bind_done(struct tevent_req *subreq)
139 : {
140 80 : struct tevent_req *req =
141 114 : tevent_req_callback_data(subreq,
142 : struct tevent_req);
143 80 : struct authenticate_ldap_simple_bind_state *state =
144 114 : tevent_req_data(req,
145 : struct authenticate_ldap_simple_bind_state);
146 114 : struct auth4_context *auth_context = state->auth_context;
147 114 : struct auth_usersupplied_info *user_info = state->user_info;
148 114 : const char *nt4_username = user_info->mapped.account_name;
149 114 : const struct tsocket_address *remote_address = user_info->remote_host;
150 114 : const struct tsocket_address *local_address = user_info->local_host;
151 114 : const char *transport_protection = AUTHZ_TRANSPORT_PROTECTION_NONE;
152 114 : struct auth_user_info_dc *user_info_dc = NULL;
153 114 : uint8_t authoritative = 0;
154 114 : uint32_t flags = 0;
155 : NTSTATUS nt_status;
156 :
157 114 : if (state->using_tls) {
158 74 : transport_protection = AUTHZ_TRANSPORT_PROTECTION_TLS;
159 : }
160 :
161 114 : nt_status = auth_check_password_recv(subreq, state,
162 : &user_info_dc,
163 : &authoritative);
164 114 : TALLOC_FREE(subreq);
165 114 : if (tevent_req_nterror(req, nt_status)) {
166 13 : return;
167 : }
168 :
169 106 : flags = AUTH_SESSION_INFO_DEFAULT_GROUPS;
170 106 : if (user_info_dc->info->authenticated) {
171 100 : flags |= AUTH_SESSION_INFO_AUTHENTICATED;
172 : }
173 :
174 106 : nt_status = auth_context->generate_session_info(auth_context,
175 : state,
176 : user_info_dc,
177 : nt4_username,
178 : flags,
179 : &state->session_info);
180 106 : if (tevent_req_nterror(req, nt_status)) {
181 0 : return;
182 : }
183 :
184 106 : log_successful_authz_event(auth_context->msg_ctx,
185 : auth_context->lp_ctx,
186 : remote_address,
187 : local_address,
188 : "LDAP",
189 : "simple bind",
190 : transport_protection,
191 : state->session_info);
192 :
193 106 : tevent_req_done(req);
194 : }
195 :
196 120 : _PUBLIC_ NTSTATUS authenticate_ldap_simple_bind_recv(struct tevent_req *req,
197 : TALLOC_CTX *mem_ctx,
198 : struct auth_session_info **session_info)
199 : {
200 85 : struct authenticate_ldap_simple_bind_state *state =
201 120 : tevent_req_data(req,
202 : struct authenticate_ldap_simple_bind_state);
203 : NTSTATUS status;
204 :
205 120 : *session_info = NULL;
206 :
207 120 : if (tevent_req_is_nterror(req, &status)) {
208 14 : tevent_req_received(req);
209 14 : return status;
210 : }
211 :
212 106 : *session_info = talloc_move(mem_ctx, &state->session_info);
213 106 : tevent_req_received(req);
214 106 : return NT_STATUS_OK;
215 : }
|