Line data Source code
1 : /*
2 : Unix SMB/CIFS implementation.
3 :
4 : LDAP server
5 :
6 : Copyright (C) Andrew Tridgell 2005
7 : Copyright (C) Volker Lendecke 2004
8 : Copyright (C) Stefan Metzmacher 2004
9 :
10 : This program is free software; you can redistribute it and/or modify
11 : it under the terms of the GNU General Public License as published by
12 : the Free Software Foundation; either version 3 of the License, or
13 : (at your option) any later version.
14 :
15 : This program is distributed in the hope that it will be useful,
16 : but WITHOUT ANY WARRANTY; without even the implied warranty of
17 : MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 : GNU General Public License for more details.
19 :
20 : You should have received a copy of the GNU General Public License
21 : along with this program. If not, see <http://www.gnu.org/licenses/>.
22 : */
23 :
24 : #include "includes.h"
25 : #include "system/network.h"
26 : #include "lib/events/events.h"
27 : #include "auth/auth.h"
28 : #include "auth/credentials/credentials.h"
29 : #include "librpc/gen_ndr/ndr_samr.h"
30 : #include "../lib/util/dlinklist.h"
31 : #include "../lib/util/asn1.h"
32 : #include "ldap_server/ldap_server.h"
33 : #include "samba/service_task.h"
34 : #include "samba/service_stream.h"
35 : #include "samba/service.h"
36 : #include "samba/process_model.h"
37 : #include "lib/tls/tls.h"
38 : #include "lib/messaging/irpc.h"
39 : #include <ldb.h>
40 : #include <ldb_errors.h>
41 : #include "libcli/ldap/ldap_proto.h"
42 : #include "system/network.h"
43 : #include "lib/socket/netif.h"
44 : #include "dsdb/samdb/samdb.h"
45 : #include "param/param.h"
46 : #include "../lib/tsocket/tsocket.h"
47 : #include "../lib/util/tevent_ntstatus.h"
48 : #include "../libcli/util/tstream.h"
49 : #include "libds/common/roles.h"
50 : #include "lib/util/time.h"
51 :
52 : #undef strcasecmp
53 :
54 : static void ldapsrv_terminate_connection_done(struct tevent_req *subreq);
55 :
56 : /*
57 : close the socket and shutdown a server_context
58 : */
59 18290 : static void ldapsrv_terminate_connection(struct ldapsrv_connection *conn,
60 : const char *reason)
61 : {
62 : struct tevent_req *subreq;
63 :
64 18290 : if (conn->limits.reason) {
65 0 : return;
66 : }
67 :
68 18290 : DLIST_REMOVE(conn->service->connections, conn);
69 :
70 18290 : conn->limits.endtime = timeval_current_ofs(0, 500);
71 :
72 18290 : tevent_queue_stop(conn->sockets.send_queue);
73 18290 : TALLOC_FREE(conn->sockets.read_req);
74 18290 : TALLOC_FREE(conn->deferred_expire_disconnect);
75 18290 : if (conn->active_call) {
76 0 : tevent_req_cancel(conn->active_call);
77 0 : conn->active_call = NULL;
78 : }
79 :
80 18290 : conn->limits.reason = talloc_strdup(conn, reason);
81 18290 : if (conn->limits.reason == NULL) {
82 0 : TALLOC_FREE(conn->sockets.tls);
83 0 : TALLOC_FREE(conn->sockets.sasl);
84 0 : TALLOC_FREE(conn->sockets.raw);
85 0 : stream_terminate_connection(conn->connection, reason);
86 0 : return;
87 : }
88 :
89 31542 : subreq = tstream_disconnect_send(conn,
90 18290 : conn->connection->event.ctx,
91 : conn->sockets.active);
92 18290 : if (subreq == NULL) {
93 0 : TALLOC_FREE(conn->sockets.tls);
94 0 : TALLOC_FREE(conn->sockets.sasl);
95 0 : TALLOC_FREE(conn->sockets.raw);
96 0 : stream_terminate_connection(conn->connection, reason);
97 0 : return;
98 : }
99 18290 : tevent_req_set_endtime(subreq,
100 18290 : conn->connection->event.ctx,
101 : conn->limits.endtime);
102 18290 : tevent_req_set_callback(subreq, ldapsrv_terminate_connection_done, conn);
103 : }
104 :
105 36111 : static void ldapsrv_terminate_connection_done(struct tevent_req *subreq)
106 : {
107 26107 : struct ldapsrv_connection *conn =
108 36111 : tevent_req_callback_data(subreq,
109 : struct ldapsrv_connection);
110 : int sys_errno;
111 : bool ok;
112 :
113 36111 : tstream_disconnect_recv(subreq, &sys_errno);
114 36111 : TALLOC_FREE(subreq);
115 :
116 36111 : if (conn->sockets.active == conn->sockets.raw) {
117 18290 : TALLOC_FREE(conn->sockets.tls);
118 18290 : TALLOC_FREE(conn->sockets.sasl);
119 18290 : TALLOC_FREE(conn->sockets.raw);
120 18290 : stream_terminate_connection(conn->connection,
121 : conn->limits.reason);
122 6946 : return;
123 : }
124 :
125 17821 : TALLOC_FREE(conn->sockets.tls);
126 17821 : TALLOC_FREE(conn->sockets.sasl);
127 17821 : conn->sockets.active = conn->sockets.raw;
128 :
129 30554 : subreq = tstream_disconnect_send(conn,
130 17821 : conn->connection->event.ctx,
131 : conn->sockets.active);
132 17821 : if (subreq == NULL) {
133 0 : TALLOC_FREE(conn->sockets.raw);
134 0 : stream_terminate_connection(conn->connection,
135 : conn->limits.reason);
136 0 : return;
137 : }
138 17821 : ok = tevent_req_set_endtime(subreq,
139 17821 : conn->connection->event.ctx,
140 : conn->limits.endtime);
141 17821 : if (!ok) {
142 0 : TALLOC_FREE(conn->sockets.raw);
143 0 : stream_terminate_connection(conn->connection,
144 : conn->limits.reason);
145 0 : return;
146 : }
147 17821 : tevent_req_set_callback(subreq, ldapsrv_terminate_connection_done, conn);
148 : }
149 :
150 : /*
151 : called when a LDAP socket becomes readable
152 : */
153 0 : void ldapsrv_recv(struct stream_connection *c, uint16_t flags)
154 : {
155 0 : smb_panic(__location__);
156 : }
157 :
158 : /*
159 : called when a LDAP socket becomes writable
160 : */
161 0 : static void ldapsrv_send(struct stream_connection *c, uint16_t flags)
162 : {
163 0 : smb_panic(__location__);
164 : }
165 :
166 18294 : static int ldapsrv_load_limits(struct ldapsrv_connection *conn)
167 : {
168 : TALLOC_CTX *tmp_ctx;
169 18294 : const char *attrs[] = { "configurationNamingContext", NULL };
170 18294 : const char *attrs2[] = { "lDAPAdminLimits", NULL };
171 : struct ldb_message_element *el;
172 18294 : struct ldb_result *res = NULL;
173 : struct ldb_dn *basedn;
174 : struct ldb_dn *conf_dn;
175 : struct ldb_dn *policy_dn;
176 : unsigned int i;
177 : int ret;
178 :
179 : /* set defaults limits in case of failure */
180 18294 : conn->limits.initial_timeout = 120;
181 18294 : conn->limits.conn_idle_time = 900;
182 18294 : conn->limits.max_page_size = 1000;
183 18294 : conn->limits.max_notifications = 5;
184 18294 : conn->limits.search_timeout = 120;
185 18294 : conn->limits.expire_time = (struct timeval) {
186 18294 : .tv_sec = get_time_t_max(),
187 : };
188 :
189 :
190 18294 : tmp_ctx = talloc_new(conn);
191 18294 : if (tmp_ctx == NULL) {
192 0 : return -1;
193 : }
194 :
195 18294 : basedn = ldb_dn_new(tmp_ctx, conn->ldb, NULL);
196 18294 : if (basedn == NULL) {
197 0 : goto failed;
198 : }
199 :
200 18294 : ret = ldb_search(conn->ldb, tmp_ctx, &res, basedn, LDB_SCOPE_BASE, attrs, NULL);
201 18294 : if (ret != LDB_SUCCESS) {
202 0 : goto failed;
203 : }
204 :
205 18294 : if (res->count != 1) {
206 0 : goto failed;
207 : }
208 :
209 18294 : conf_dn = ldb_msg_find_attr_as_dn(conn->ldb, tmp_ctx, res->msgs[0], "configurationNamingContext");
210 18294 : if (conf_dn == NULL) {
211 0 : goto failed;
212 : }
213 :
214 18294 : policy_dn = ldb_dn_copy(tmp_ctx, conf_dn);
215 18294 : ldb_dn_add_child_fmt(policy_dn, "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services");
216 18294 : if (policy_dn == NULL) {
217 0 : goto failed;
218 : }
219 :
220 18294 : ret = ldb_search(conn->ldb, tmp_ctx, &res, policy_dn, LDB_SCOPE_BASE, attrs2, NULL);
221 18294 : if (ret != LDB_SUCCESS) {
222 0 : goto failed;
223 : }
224 :
225 18294 : if (res->count != 1) {
226 0 : goto failed;
227 : }
228 :
229 18294 : el = ldb_msg_find_element(res->msgs[0], "lDAPAdminLimits");
230 18294 : if (el == NULL) {
231 0 : goto failed;
232 : }
233 :
234 255994 : for (i = 0; i < el->num_values; i++) {
235 : char policy_name[256];
236 : int policy_value, s;
237 :
238 237822 : s = sscanf((const char *)el->values[i].data, "%255[^=]=%d", policy_name, &policy_value);
239 237822 : if (s != 2 || policy_value == 0)
240 91470 : continue;
241 237822 : if (strcasecmp("InitRecvTimeout", policy_name) == 0) {
242 18294 : conn->limits.initial_timeout = policy_value;
243 18294 : continue;
244 : }
245 219528 : if (strcasecmp("MaxConnIdleTime", policy_name) == 0) {
246 18294 : conn->limits.conn_idle_time = policy_value;
247 18294 : continue;
248 : }
249 201234 : if (strcasecmp("MaxPageSize", policy_name) == 0) {
250 18294 : conn->limits.max_page_size = policy_value;
251 18294 : continue;
252 : }
253 182940 : if (strcasecmp("MaxNotificationPerConn", policy_name) == 0) {
254 18294 : conn->limits.max_notifications = policy_value;
255 18294 : continue;
256 : }
257 164646 : if (strcasecmp("MaxQueryDuration", policy_name) == 0) {
258 18294 : conn->limits.search_timeout = policy_value;
259 18294 : continue;
260 : }
261 : }
262 :
263 18172 : return 0;
264 :
265 0 : failed:
266 0 : DBG_ERR("Failed to load ldap server query policies\n");
267 0 : talloc_free(tmp_ctx);
268 0 : return -1;
269 : }
270 :
271 469720 : static int ldapsrv_call_destructor(struct ldapsrv_call *call)
272 : {
273 469720 : if (call->conn == NULL) {
274 0 : return 0;
275 : }
276 :
277 469720 : DLIST_REMOVE(call->conn->pending_calls, call);
278 :
279 469720 : call->conn = NULL;
280 469720 : return 0;
281 : }
282 :
283 : static struct tevent_req *ldapsrv_process_call_send(TALLOC_CTX *mem_ctx,
284 : struct tevent_context *ev,
285 : struct tevent_queue *call_queue,
286 : struct ldapsrv_call *call);
287 : static NTSTATUS ldapsrv_process_call_recv(struct tevent_req *req);
288 :
289 : static bool ldapsrv_call_read_next(struct ldapsrv_connection *conn);
290 : static void ldapsrv_accept_tls_done(struct tevent_req *subreq);
291 :
292 : /*
293 : initialise a server_context from a open socket and register a event handler
294 : for reading from that socket
295 : */
296 18294 : static void ldapsrv_accept(struct stream_connection *c,
297 : struct auth_session_info *session_info,
298 : bool is_privileged)
299 : {
300 13255 : struct ldapsrv_service *ldapsrv_service =
301 18294 : talloc_get_type(c->private_data, struct ldapsrv_service);
302 : struct ldapsrv_connection *conn;
303 : struct cli_credentials *server_credentials;
304 : struct socket_address *socket_address;
305 : int port;
306 : int ret;
307 : struct tevent_req *subreq;
308 : struct timeval endtime;
309 18294 : char *errstring = NULL;
310 :
311 18294 : conn = talloc_zero(c, struct ldapsrv_connection);
312 18294 : if (!conn) {
313 0 : stream_terminate_connection(c, "ldapsrv_accept: out of memory");
314 5013 : return;
315 : }
316 18294 : conn->is_privileged = is_privileged;
317 :
318 18294 : conn->sockets.send_queue = tevent_queue_create(conn, "ldapsev send queue");
319 18294 : if (conn->sockets.send_queue == NULL) {
320 0 : stream_terminate_connection(c,
321 : "ldapsrv_accept: tevent_queue_create failed");
322 0 : return;
323 : }
324 :
325 18294 : TALLOC_FREE(c->event.fde);
326 :
327 18294 : ret = tstream_bsd_existing_socket(conn,
328 : socket_get_fd(c->socket),
329 : &conn->sockets.raw);
330 18294 : if (ret == -1) {
331 0 : stream_terminate_connection(c,
332 : "ldapsrv_accept: out of memory");
333 0 : return;
334 : }
335 18294 : socket_set_flags(c->socket, SOCKET_FLAG_NOCLOSE);
336 :
337 18294 : conn->connection = c;
338 18294 : conn->service = ldapsrv_service;
339 18294 : conn->lp_ctx = ldapsrv_service->task->lp_ctx;
340 :
341 18294 : c->private_data = conn;
342 :
343 18294 : socket_address = socket_get_my_addr(c->socket, conn);
344 18294 : if (!socket_address) {
345 0 : ldapsrv_terminate_connection(conn, "ldapsrv_accept: failed to obtain local socket address!");
346 0 : return;
347 : }
348 18294 : port = socket_address->port;
349 18294 : talloc_free(socket_address);
350 18294 : if (port == 3268 || port == 3269) /* Global catalog */ {
351 3 : conn->global_catalog = true;
352 : }
353 :
354 18294 : server_credentials = cli_credentials_init_server(conn, conn->lp_ctx);
355 18294 : if (!server_credentials) {
356 0 : stream_terminate_connection(c, "Failed to init server credentials\n");
357 0 : return;
358 : }
359 :
360 18294 : conn->server_credentials = server_credentials;
361 :
362 18294 : conn->session_info = session_info;
363 :
364 18294 : conn->sockets.active = conn->sockets.raw;
365 :
366 18294 : if (conn->is_privileged) {
367 42 : conn->require_strong_auth = LDAP_SERVER_REQUIRE_STRONG_AUTH_NO;
368 : } else {
369 18252 : conn->require_strong_auth = lpcfg_ldap_server_require_strong_auth(conn->lp_ctx);
370 : }
371 :
372 18294 : ret = ldapsrv_backend_Init(conn, &errstring);
373 18294 : if (ret != LDB_SUCCESS) {
374 0 : char *reason = talloc_asprintf(conn,
375 : "LDB backend for LDAP Init "
376 : "failed: %s: %s",
377 : errstring, ldb_strerror(ret));
378 0 : ldapsrv_terminate_connection(conn, reason);
379 0 : return;
380 : }
381 :
382 : /* load limits from the conf partition */
383 18294 : ldapsrv_load_limits(conn); /* should we fail on error ? */
384 :
385 : /* register the server */
386 18294 : irpc_add_name(c->msg_ctx, "ldap_server");
387 :
388 18294 : DLIST_ADD_END(ldapsrv_service->connections, conn);
389 :
390 18294 : if (port != 636 && port != 3269) {
391 18114 : ldapsrv_call_read_next(conn);
392 18114 : return;
393 : }
394 :
395 180 : endtime = timeval_current_ofs(conn->limits.conn_idle_time, 0);
396 :
397 180 : subreq = tstream_tls_accept_send(conn,
398 : conn->connection->event.ctx,
399 : conn->sockets.raw,
400 : conn->service->tls_params);
401 180 : if (subreq == NULL) {
402 0 : ldapsrv_terminate_connection(conn, "ldapsrv_accept: "
403 : "no memory for tstream_tls_accept_send");
404 0 : return;
405 : }
406 180 : tevent_req_set_endtime(subreq,
407 180 : conn->connection->event.ctx,
408 : endtime);
409 180 : tevent_req_set_callback(subreq, ldapsrv_accept_tls_done, conn);
410 : }
411 :
412 180 : static void ldapsrv_accept_tls_done(struct tevent_req *subreq)
413 : {
414 154 : struct ldapsrv_connection *conn =
415 180 : tevent_req_callback_data(subreq,
416 : struct ldapsrv_connection);
417 : int ret;
418 : int sys_errno;
419 :
420 180 : ret = tstream_tls_accept_recv(subreq, &sys_errno,
421 : conn, &conn->sockets.tls);
422 180 : TALLOC_FREE(subreq);
423 180 : if (ret == -1) {
424 : const char *reason;
425 :
426 4 : reason = talloc_asprintf(conn, "ldapsrv_accept_tls_loop: "
427 : "tstream_tls_accept_recv() - %d:%s",
428 : sys_errno, strerror(sys_errno));
429 4 : if (!reason) {
430 0 : reason = "ldapsrv_accept_tls_loop: "
431 : "tstream_tls_accept_recv() - failed";
432 : }
433 :
434 4 : ldapsrv_terminate_connection(conn, reason);
435 4 : return;
436 : }
437 :
438 176 : conn->sockets.active = conn->sockets.tls;
439 176 : conn->referral_scheme = LDAP_REFERRAL_SCHEME_LDAPS;
440 176 : ldapsrv_call_read_next(conn);
441 : }
442 :
443 : static void ldapsrv_call_read_done(struct tevent_req *subreq);
444 : static NTSTATUS ldapsrv_packet_check(
445 : void *private_data,
446 : DATA_BLOB blob,
447 : size_t *packet_size);
448 :
449 469728 : static bool ldapsrv_call_read_next(struct ldapsrv_connection *conn)
450 : {
451 : struct tevent_req *subreq;
452 :
453 469728 : if (conn->pending_calls != NULL) {
454 1916 : conn->limits.endtime = timeval_zero();
455 :
456 1916 : ldapsrv_notification_retry_setup(conn->service, false);
457 467812 : } else if (timeval_is_zero(&conn->limits.endtime)) {
458 13290 : conn->limits.endtime =
459 18339 : timeval_current_ofs(conn->limits.initial_timeout, 0);
460 : } else {
461 335735 : conn->limits.endtime =
462 449473 : timeval_current_ofs(conn->limits.conn_idle_time, 0);
463 : }
464 :
465 469728 : if (conn->sockets.read_req != NULL) {
466 3 : return true;
467 : }
468 :
469 : /*
470 : * The minimum size of a LDAP pdu is 7 bytes
471 : *
472 : * dumpasn1 -hh ldap-unbind-min.dat
473 : *
474 : * <30 05 02 01 09 42 00>
475 : * 0 5: SEQUENCE {
476 : * <02 01 09>
477 : * 2 1: INTEGER 9
478 : * <42 00>
479 : * 5 0: [APPLICATION 2]
480 : * : Error: Object has zero length.
481 : * : }
482 : *
483 : * dumpasn1 -hh ldap-unbind-windows.dat
484 : *
485 : * <30 84 00 00 00 05 02 01 09 42 00>
486 : * 0 5: SEQUENCE {
487 : * <02 01 09>
488 : * 6 1: INTEGER 9
489 : * <42 00>
490 : * 9 0: [APPLICATION 2]
491 : * : Error: Object has zero length.
492 : * : }
493 : *
494 : * This means using an initial read size
495 : * of 7 is ok.
496 : */
497 819982 : subreq = tstream_read_pdu_blob_send(conn,
498 469725 : conn->connection->event.ctx,
499 : conn->sockets.active,
500 : 7, /* initial_read_size */
501 : ldapsrv_packet_check,
502 : conn);
503 469725 : if (subreq == NULL) {
504 0 : ldapsrv_terminate_connection(conn, "ldapsrv_call_read_next: "
505 : "no memory for tstream_read_pdu_blob_send");
506 0 : return false;
507 : }
508 469725 : if (!timeval_is_zero(&conn->limits.endtime)) {
509 : bool ok;
510 467812 : ok = tevent_req_set_endtime(subreq,
511 467812 : conn->connection->event.ctx,
512 : conn->limits.endtime);
513 467812 : if (!ok) {
514 0 : ldapsrv_terminate_connection(
515 : conn,
516 : "ldapsrv_call_read_next: "
517 : "no memory for tevent_req_set_endtime");
518 0 : return false;
519 : }
520 : }
521 469725 : tevent_req_set_callback(subreq, ldapsrv_call_read_done, conn);
522 469725 : conn->sockets.read_req = subreq;
523 469725 : return true;
524 : }
525 :
526 : static void ldapsrv_call_process_done(struct tevent_req *subreq);
527 : static int ldapsrv_check_packet_size(
528 : struct ldapsrv_connection *conn,
529 : size_t size);
530 :
531 469720 : static void ldapsrv_call_read_done(struct tevent_req *subreq)
532 : {
533 350253 : struct ldapsrv_connection *conn =
534 469720 : tevent_req_callback_data(subreq,
535 : struct ldapsrv_connection);
536 : NTSTATUS status;
537 : struct ldapsrv_call *call;
538 : struct asn1_data *asn1;
539 : DATA_BLOB blob;
540 469720 : int ret = LDAP_SUCCESS;
541 469720 : struct ldap_request_limits limits = {0};
542 :
543 469720 : conn->sockets.read_req = NULL;
544 :
545 469720 : call = talloc_zero(conn, struct ldapsrv_call);
546 469720 : if (!call) {
547 0 : ldapsrv_terminate_connection(conn, "no memory");
548 4902 : return;
549 : }
550 469720 : talloc_set_destructor(call, ldapsrv_call_destructor);
551 :
552 469720 : call->conn = conn;
553 :
554 469720 : status = tstream_read_pdu_blob_recv(subreq,
555 : call,
556 : &blob);
557 469720 : TALLOC_FREE(subreq);
558 469720 : if (!NT_STATUS_IS_OK(status)) {
559 : const char *reason;
560 :
561 18003 : reason = talloc_asprintf(call, "ldapsrv_call_loop: "
562 : "tstream_read_pdu_blob_recv() - %s",
563 : nt_errstr(status));
564 18003 : if (!reason) {
565 0 : reason = nt_errstr(status);
566 : }
567 :
568 18003 : ldapsrv_terminate_connection(conn, reason);
569 18003 : return;
570 : }
571 :
572 451717 : ret = ldapsrv_check_packet_size(conn, blob.length);
573 451717 : if (ret != LDAP_SUCCESS) {
574 0 : ldapsrv_terminate_connection(
575 : conn,
576 : "Request packet too large");
577 0 : return;
578 : }
579 :
580 451717 : asn1 = asn1_init(call, ASN1_MAX_TREE_DEPTH);
581 451717 : if (asn1 == NULL) {
582 0 : ldapsrv_terminate_connection(conn, "no memory");
583 0 : return;
584 : }
585 :
586 451717 : call->request = talloc(call, struct ldap_message);
587 451717 : if (call->request == NULL) {
588 0 : ldapsrv_terminate_connection(conn, "no memory");
589 0 : return;
590 : }
591 :
592 451717 : asn1_load_nocopy(asn1, blob.data, blob.length);
593 :
594 451717 : limits.max_search_size =
595 451717 : lpcfg_ldap_max_search_request_size(conn->lp_ctx);
596 451717 : status = ldap_decode(
597 : asn1,
598 : &limits,
599 : samba_ldap_control_handlers(),
600 : call->request);
601 451717 : if (!NT_STATUS_IS_OK(status)) {
602 2 : ldapsrv_terminate_connection(conn, nt_errstr(status));
603 2 : return;
604 : }
605 :
606 451715 : data_blob_free(&blob);
607 451715 : TALLOC_FREE(asn1);
608 :
609 :
610 : /* queue the call in the global queue */
611 788865 : subreq = ldapsrv_process_call_send(call,
612 451715 : conn->connection->event.ctx,
613 451715 : conn->service->call_queue,
614 : call);
615 451715 : if (subreq == NULL) {
616 0 : ldapsrv_terminate_connection(conn, "ldapsrv_process_call_send failed");
617 0 : return;
618 : }
619 451715 : tevent_req_set_callback(subreq, ldapsrv_call_process_done, call);
620 451715 : conn->active_call = subreq;
621 : }
622 :
623 : static void ldapsrv_call_wait_done(struct tevent_req *subreq);
624 : static void ldapsrv_call_writev_start(struct ldapsrv_call *call);
625 : static void ldapsrv_call_writev_done(struct tevent_req *subreq);
626 :
627 451718 : static void ldapsrv_call_process_done(struct tevent_req *subreq)
628 : {
629 337153 : struct ldapsrv_call *call =
630 451718 : tevent_req_callback_data(subreq,
631 : struct ldapsrv_call);
632 451718 : struct ldapsrv_connection *conn = call->conn;
633 : NTSTATUS status;
634 :
635 451718 : conn->active_call = NULL;
636 :
637 451718 : status = ldapsrv_process_call_recv(subreq);
638 451718 : TALLOC_FREE(subreq);
639 451718 : if (!NT_STATUS_IS_OK(status)) {
640 0 : ldapsrv_terminate_connection(conn, nt_errstr(status));
641 7190 : return;
642 : }
643 :
644 451718 : if (call->wait_send != NULL) {
645 40806 : subreq = call->wait_send(call,
646 23998 : conn->connection->event.ctx,
647 : call->wait_private);
648 23998 : if (subreq == NULL) {
649 0 : ldapsrv_terminate_connection(conn,
650 : "ldapsrv_call_process_done: "
651 : "call->wait_send - no memory");
652 0 : return;
653 : }
654 23998 : tevent_req_set_callback(subreq,
655 : ldapsrv_call_wait_done,
656 : call);
657 23998 : conn->active_call = subreq;
658 23998 : return;
659 : }
660 :
661 427720 : ldapsrv_call_writev_start(call);
662 : }
663 :
664 23998 : static void ldapsrv_call_wait_done(struct tevent_req *subreq)
665 : {
666 16808 : struct ldapsrv_call *call =
667 23998 : tevent_req_callback_data(subreq,
668 : struct ldapsrv_call);
669 23998 : struct ldapsrv_connection *conn = call->conn;
670 : NTSTATUS status;
671 :
672 23998 : conn->active_call = NULL;
673 :
674 23998 : status = call->wait_recv(subreq);
675 23998 : TALLOC_FREE(subreq);
676 23998 : if (!NT_STATUS_IS_OK(status)) {
677 : const char *reason;
678 :
679 280 : reason = talloc_asprintf(call, "ldapsrv_call_wait_done: "
680 : "call->wait_recv() - %s",
681 : nt_errstr(status));
682 280 : if (reason == NULL) {
683 0 : reason = nt_errstr(status);
684 : }
685 :
686 280 : ldapsrv_terminate_connection(conn, reason);
687 280 : return;
688 : }
689 :
690 23718 : ldapsrv_call_writev_start(call);
691 : }
692 :
693 451584 : static void ldapsrv_call_writev_start(struct ldapsrv_call *call)
694 : {
695 451584 : struct ldapsrv_connection *conn = call->conn;
696 451584 : struct ldapsrv_reply *reply = NULL;
697 451584 : struct tevent_req *subreq = NULL;
698 451584 : size_t length = 0;
699 : size_t i;
700 :
701 451584 : call->iov_count = 0;
702 :
703 : /* build all the replies into an IOV (no copy) */
704 1662478 : for (reply = call->replies;
705 335638 : reply != NULL;
706 1094948 : reply = reply->next) {
707 :
708 : /* Cap output at 25MB per writev() */
709 1095088 : if (length > length + reply->blob.length
710 1095088 : || length + reply->blob.length > LDAP_SERVER_MAX_CHUNK_SIZE) {
711 : break;
712 : }
713 :
714 : /*
715 : * Overflow is harmless here, just used below to
716 : * decide if to read or write, but checked above anyway
717 : */
718 1094948 : length += reply->blob.length;
719 :
720 : /*
721 : * At worst an overflow would mean we send less
722 : * replies
723 : */
724 1094948 : call->iov_count++;
725 : }
726 :
727 451584 : if (length == 0) {
728 109 : if (!call->notification.busy) {
729 54 : TALLOC_FREE(call);
730 : }
731 :
732 109 : ldapsrv_call_read_next(conn);
733 109 : return;
734 : }
735 :
736 : /* Cap call->iov_count at IOV_MAX */
737 451475 : call->iov_count = MIN(call->iov_count, IOV_MAX);
738 :
739 451475 : call->out_iov = talloc_array(call,
740 : struct iovec,
741 : call->iov_count);
742 451475 : if (!call->out_iov) {
743 : /* This is not ideal */
744 0 : ldapsrv_terminate_connection(conn,
745 : "failed to allocate "
746 : "iovec array");
747 0 : return;
748 : }
749 :
750 : /* We may have had to cap the number of replies at IOV_MAX */
751 1657208 : for (i = 0;
752 2410478 : i < call->iov_count && call->replies != NULL;
753 1089601 : i++) {
754 1089601 : reply = call->replies;
755 1089601 : call->out_iov[i].iov_base = reply->blob.data;
756 1089601 : call->out_iov[i].iov_len = reply->blob.length;
757 :
758 : /* Keep only the ASN.1 encoded data */
759 1089601 : talloc_steal(call->out_iov, reply->blob.data);
760 :
761 1089601 : DLIST_REMOVE(call->replies, reply);
762 1089601 : TALLOC_FREE(reply);
763 : }
764 :
765 451475 : if (i > call->iov_count) {
766 : /* This is not ideal, but also (essentially) impossible */
767 0 : ldapsrv_terminate_connection(conn,
768 : "call list ended"
769 : "before iov_count");
770 0 : return;
771 : }
772 :
773 1124846 : subreq = tstream_writev_queue_send(call,
774 451475 : conn->connection->event.ctx,
775 : conn->sockets.active,
776 : conn->sockets.send_queue,
777 451475 : call->out_iov, call->iov_count);
778 451475 : if (subreq == NULL) {
779 0 : ldapsrv_terminate_connection(conn, "stream_writev_queue_send failed");
780 0 : return;
781 : }
782 451475 : tevent_req_set_callback(subreq, ldapsrv_call_writev_done, call);
783 : }
784 :
785 : static void ldapsrv_call_postprocess_done(struct tevent_req *subreq);
786 :
787 451475 : static void ldapsrv_call_writev_done(struct tevent_req *subreq)
788 : {
789 337040 : struct ldapsrv_call *call =
790 451475 : tevent_req_callback_data(subreq,
791 : struct ldapsrv_call);
792 451475 : struct ldapsrv_connection *conn = call->conn;
793 : int sys_errno;
794 : int rc;
795 :
796 451475 : rc = tstream_writev_queue_recv(subreq, &sys_errno);
797 451475 : TALLOC_FREE(subreq);
798 :
799 : /* This releases the ASN.1 encoded packets from memory */
800 451475 : TALLOC_FREE(call->out_iov);
801 451475 : if (rc == -1) {
802 : const char *reason;
803 :
804 0 : reason = talloc_asprintf(call, "ldapsrv_call_writev_done: "
805 : "tstream_writev_queue_recv() - %d:%s",
806 : sys_errno, strerror(sys_errno));
807 0 : if (reason == NULL) {
808 0 : reason = "ldapsrv_call_writev_done: "
809 : "tstream_writev_queue_recv() failed";
810 : }
811 :
812 0 : ldapsrv_terminate_connection(conn, reason);
813 4973 : return;
814 : }
815 :
816 451475 : if (call->postprocess_send) {
817 30354 : subreq = call->postprocess_send(call,
818 17649 : conn->connection->event.ctx,
819 : call->postprocess_private);
820 17649 : if (subreq == NULL) {
821 0 : ldapsrv_terminate_connection(conn, "ldapsrv_call_writev_done: "
822 : "call->postprocess_send - no memory");
823 0 : return;
824 : }
825 17649 : tevent_req_set_callback(subreq,
826 : ldapsrv_call_postprocess_done,
827 : call);
828 17649 : return;
829 : }
830 :
831 : /* Perhaps still some more to send */
832 433826 : if (call->replies != NULL) {
833 146 : ldapsrv_call_writev_start(call);
834 146 : return;
835 : }
836 :
837 433680 : if (!call->notification.busy) {
838 433679 : TALLOC_FREE(call);
839 : }
840 :
841 433680 : ldapsrv_call_read_next(conn);
842 : }
843 :
844 17649 : static void ldapsrv_call_postprocess_done(struct tevent_req *subreq)
845 : {
846 12705 : struct ldapsrv_call *call =
847 17649 : tevent_req_callback_data(subreq,
848 : struct ldapsrv_call);
849 17649 : struct ldapsrv_connection *conn = call->conn;
850 : NTSTATUS status;
851 :
852 17649 : status = call->postprocess_recv(subreq);
853 17649 : TALLOC_FREE(subreq);
854 17649 : if (!NT_STATUS_IS_OK(status)) {
855 : const char *reason;
856 :
857 0 : reason = talloc_asprintf(call, "ldapsrv_call_postprocess_done: "
858 : "call->postprocess_recv() - %s",
859 : nt_errstr(status));
860 0 : if (reason == NULL) {
861 0 : reason = nt_errstr(status);
862 : }
863 :
864 0 : ldapsrv_terminate_connection(conn, reason);
865 0 : return;
866 : }
867 :
868 17649 : TALLOC_FREE(call);
869 :
870 17649 : ldapsrv_call_read_next(conn);
871 : }
872 :
873 : static void ldapsrv_notification_retry_done(struct tevent_req *subreq);
874 :
875 154054 : void ldapsrv_notification_retry_setup(struct ldapsrv_service *service, bool force)
876 : {
877 154054 : struct ldapsrv_connection *conn = NULL;
878 : struct timeval retry;
879 154054 : size_t num_pending = 0;
880 154054 : size_t num_active = 0;
881 :
882 154054 : if (force) {
883 152128 : TALLOC_FREE(service->notification.retry);
884 152128 : service->notification.generation += 1;
885 : }
886 :
887 154054 : if (service->notification.retry != NULL) {
888 155241 : return;
889 : }
890 :
891 343776 : for (conn = service->connections; conn != NULL; conn = conn->next) {
892 191614 : if (conn->pending_calls == NULL) {
893 191585 : continue;
894 : }
895 :
896 29 : num_pending += 1;
897 :
898 53 : if (conn->pending_calls->notification.generation !=
899 29 : service->notification.generation)
900 : {
901 1 : num_active += 1;
902 : }
903 : }
904 :
905 152162 : if (num_pending == 0) {
906 151917 : return;
907 : }
908 :
909 29 : if (num_active != 0) {
910 1 : retry = timeval_current_ofs(0, 100);
911 : } else {
912 28 : retry = timeval_current_ofs(5, 0);
913 : }
914 :
915 34 : service->notification.retry = tevent_wakeup_send(service,
916 29 : service->task->event_ctx,
917 : retry);
918 29 : if (service->notification.retry == NULL) {
919 : /* retry later */
920 0 : return;
921 : }
922 :
923 29 : tevent_req_set_callback(service->notification.retry,
924 : ldapsrv_notification_retry_done,
925 : service);
926 : }
927 :
928 10 : static void ldapsrv_notification_retry_done(struct tevent_req *subreq)
929 : {
930 6 : struct ldapsrv_service *service =
931 10 : tevent_req_callback_data(subreq,
932 : struct ldapsrv_service);
933 10 : struct ldapsrv_connection *conn = NULL;
934 10 : struct ldapsrv_connection *conn_next = NULL;
935 : bool ok;
936 :
937 10 : service->notification.retry = NULL;
938 :
939 10 : ok = tevent_wakeup_recv(subreq);
940 10 : TALLOC_FREE(subreq);
941 10 : if (!ok) {
942 : /* ignore */
943 : }
944 :
945 25 : for (conn = service->connections; conn != NULL; conn = conn_next) {
946 15 : struct ldapsrv_call *call = conn->pending_calls;
947 :
948 15 : conn_next = conn->next;
949 :
950 15 : if (conn->pending_calls == NULL) {
951 12 : continue;
952 : }
953 :
954 3 : if (conn->active_call != NULL) {
955 0 : continue;
956 : }
957 :
958 3 : DLIST_DEMOTE(conn->pending_calls, call);
959 3 : call->notification.generation =
960 3 : service->notification.generation;
961 :
962 : /* queue the call in the global queue */
963 6 : subreq = ldapsrv_process_call_send(call,
964 3 : conn->connection->event.ctx,
965 3 : conn->service->call_queue,
966 : call);
967 3 : if (subreq == NULL) {
968 0 : ldapsrv_terminate_connection(conn,
969 : "ldapsrv_process_call_send failed");
970 0 : continue;
971 : }
972 3 : tevent_req_set_callback(subreq, ldapsrv_call_process_done, call);
973 3 : conn->active_call = subreq;
974 : }
975 :
976 10 : ldapsrv_notification_retry_setup(service, false);
977 10 : }
978 :
979 : struct ldapsrv_process_call_state {
980 : struct ldapsrv_call *call;
981 : };
982 :
983 : static void ldapsrv_process_call_trigger(struct tevent_req *req,
984 : void *private_data);
985 :
986 451718 : static struct tevent_req *ldapsrv_process_call_send(TALLOC_CTX *mem_ctx,
987 : struct tevent_context *ev,
988 : struct tevent_queue *call_queue,
989 : struct ldapsrv_call *call)
990 : {
991 : struct tevent_req *req;
992 : struct ldapsrv_process_call_state *state;
993 : bool ok;
994 :
995 451718 : req = tevent_req_create(mem_ctx, &state,
996 : struct ldapsrv_process_call_state);
997 451718 : if (req == NULL) {
998 0 : return req;
999 : }
1000 :
1001 451718 : state->call = call;
1002 :
1003 451718 : ok = tevent_queue_add(call_queue, ev, req,
1004 : ldapsrv_process_call_trigger, NULL);
1005 451718 : if (!ok) {
1006 0 : tevent_req_oom(req);
1007 0 : return tevent_req_post(req, ev);
1008 : }
1009 :
1010 451009 : return req;
1011 : }
1012 :
1013 : static void ldapsrv_disconnect_ticket_expired(struct tevent_req *subreq);
1014 :
1015 451718 : static void ldapsrv_process_call_trigger(struct tevent_req *req,
1016 : void *private_data)
1017 : {
1018 337153 : struct ldapsrv_process_call_state *state =
1019 451718 : tevent_req_data(req,
1020 : struct ldapsrv_process_call_state);
1021 451718 : struct ldapsrv_connection *conn = state->call->conn;
1022 : NTSTATUS status;
1023 :
1024 451718 : if (conn->deferred_expire_disconnect != NULL) {
1025 : /*
1026 : * Just drop this on the floor
1027 : */
1028 0 : tevent_req_done(req);
1029 2 : return;
1030 : }
1031 :
1032 : /* make the call */
1033 451718 : status = ldapsrv_do_call(state->call);
1034 :
1035 451718 : if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_SESSION_EXPIRED)) {
1036 : /*
1037 : * For testing purposes, defer the TCP disconnect
1038 : * after having sent the msgid 0
1039 : * 1.3.6.1.4.1.1466.20036 exop response. LDAP clients
1040 : * should not wait for the TCP connection to close but
1041 : * handle this packet equivalent to a TCP
1042 : * disconnect. This delay enables testing both cases
1043 : * in LDAP client libraries.
1044 : */
1045 :
1046 6 : int defer_msec = lpcfg_parm_int(
1047 : conn->lp_ctx,
1048 : NULL,
1049 : "ldap_server",
1050 : "delay_expire_disconnect",
1051 : 0);
1052 :
1053 10 : conn->deferred_expire_disconnect = tevent_wakeup_send(
1054 : conn,
1055 6 : conn->connection->event.ctx,
1056 : timeval_current_ofs_msec(defer_msec));
1057 6 : if (tevent_req_nomem(conn->deferred_expire_disconnect, req)) {
1058 2 : return;
1059 : }
1060 6 : tevent_req_set_callback(
1061 : conn->deferred_expire_disconnect,
1062 : ldapsrv_disconnect_ticket_expired,
1063 : conn);
1064 :
1065 6 : tevent_req_done(req);
1066 6 : return;
1067 : }
1068 :
1069 451712 : if (!NT_STATUS_IS_OK(status)) {
1070 0 : tevent_req_nterror(req, status);
1071 0 : return;
1072 : }
1073 :
1074 451712 : tevent_req_done(req);
1075 : }
1076 :
1077 1 : static void ldapsrv_disconnect_ticket_expired(struct tevent_req *subreq)
1078 : {
1079 1 : struct ldapsrv_connection *conn = tevent_req_callback_data(
1080 : subreq, struct ldapsrv_connection);
1081 : bool ok;
1082 :
1083 1 : ok = tevent_wakeup_recv(subreq);
1084 1 : TALLOC_FREE(subreq);
1085 1 : if (!ok) {
1086 0 : DBG_WARNING("tevent_wakeup_recv failed\n");
1087 : }
1088 1 : conn->deferred_expire_disconnect = NULL;
1089 1 : ldapsrv_terminate_connection(conn, "network session expired");
1090 1 : }
1091 :
1092 451718 : static NTSTATUS ldapsrv_process_call_recv(struct tevent_req *req)
1093 : {
1094 : NTSTATUS status;
1095 :
1096 451718 : if (tevent_req_is_nterror(req, &status)) {
1097 0 : tevent_req_received(req);
1098 0 : return status;
1099 : }
1100 :
1101 451718 : tevent_req_received(req);
1102 451718 : return NT_STATUS_OK;
1103 : }
1104 :
1105 18252 : static void ldapsrv_accept_nonpriv(struct stream_connection *c)
1106 : {
1107 18252 : struct ldapsrv_service *ldapsrv_service = talloc_get_type_abort(
1108 : c->private_data, struct ldapsrv_service);
1109 : struct auth_session_info *session_info;
1110 : NTSTATUS status;
1111 :
1112 18252 : status = auth_anonymous_session_info(
1113 18252 : c, ldapsrv_service->task->lp_ctx, &session_info);
1114 18252 : if (!NT_STATUS_IS_OK(status)) {
1115 0 : stream_terminate_connection(c, "failed to setup anonymous "
1116 : "session info");
1117 0 : return;
1118 : }
1119 18252 : ldapsrv_accept(c, session_info, false);
1120 : }
1121 :
1122 : static const struct stream_server_ops ldap_stream_nonpriv_ops = {
1123 : .name = "ldap",
1124 : .accept_connection = ldapsrv_accept_nonpriv,
1125 : .recv_handler = ldapsrv_recv,
1126 : .send_handler = ldapsrv_send,
1127 : };
1128 :
1129 : /* The feature removed behind an #ifdef until we can do it properly
1130 : * with an EXTERNAL bind. */
1131 :
1132 : #define WITH_LDAPI_PRIV_SOCKET
1133 :
1134 : #ifdef WITH_LDAPI_PRIV_SOCKET
1135 42 : static void ldapsrv_accept_priv(struct stream_connection *c)
1136 : {
1137 42 : struct ldapsrv_service *ldapsrv_service = talloc_get_type_abort(
1138 : c->private_data, struct ldapsrv_service);
1139 : struct auth_session_info *session_info;
1140 :
1141 42 : session_info = system_session(ldapsrv_service->task->lp_ctx);
1142 42 : if (!session_info) {
1143 0 : stream_terminate_connection(c, "failed to setup system "
1144 : "session info");
1145 0 : return;
1146 : }
1147 42 : ldapsrv_accept(c, session_info, true);
1148 : }
1149 :
1150 : static const struct stream_server_ops ldap_stream_priv_ops = {
1151 : .name = "ldap",
1152 : .accept_connection = ldapsrv_accept_priv,
1153 : .recv_handler = ldapsrv_recv,
1154 : .send_handler = ldapsrv_send,
1155 : };
1156 :
1157 : #endif
1158 :
1159 :
1160 : /*
1161 : add a socket address to the list of events, one event per port
1162 : */
1163 116 : static NTSTATUS add_socket(struct task_server *task,
1164 : struct loadparm_context *lp_ctx,
1165 : const struct model_ops *model_ops,
1166 : const char *address, struct ldapsrv_service *ldap_service)
1167 : {
1168 116 : uint16_t port = 389;
1169 : NTSTATUS status;
1170 : struct ldb_context *ldb;
1171 :
1172 116 : status = stream_setup_socket(task, task->event_ctx, lp_ctx,
1173 : model_ops, &ldap_stream_nonpriv_ops,
1174 : "ip", address, &port,
1175 : lpcfg_socket_options(lp_ctx),
1176 : ldap_service, task->process_context);
1177 116 : if (!NT_STATUS_IS_OK(status)) {
1178 0 : DBG_ERR("ldapsrv failed to bind to %s:%u - %s\n",
1179 : address, port, nt_errstr(status));
1180 0 : return status;
1181 : }
1182 :
1183 116 : if (tstream_tls_params_enabled(ldap_service->tls_params)) {
1184 : /* add ldaps server */
1185 116 : port = 636;
1186 116 : status = stream_setup_socket(task, task->event_ctx, lp_ctx,
1187 : model_ops,
1188 : &ldap_stream_nonpriv_ops,
1189 : "ip", address, &port,
1190 : lpcfg_socket_options(lp_ctx),
1191 : ldap_service,
1192 : task->process_context);
1193 116 : if (!NT_STATUS_IS_OK(status)) {
1194 0 : DBG_ERR("ldapsrv failed to bind to %s:%u - %s\n",
1195 : address, port, nt_errstr(status));
1196 0 : return status;
1197 : }
1198 : }
1199 :
1200 : /* Load LDAP database, but only to read our settings */
1201 200 : ldb = samdb_connect(ldap_service,
1202 116 : ldap_service->task->event_ctx,
1203 : lp_ctx,
1204 : system_session(lp_ctx),
1205 : NULL,
1206 : 0);
1207 116 : if (!ldb) {
1208 0 : return NT_STATUS_INTERNAL_DB_CORRUPTION;
1209 : }
1210 :
1211 116 : if (samdb_is_gc(ldb)) {
1212 116 : port = 3268;
1213 116 : status = stream_setup_socket(task, task->event_ctx, lp_ctx,
1214 : model_ops,
1215 : &ldap_stream_nonpriv_ops,
1216 : "ip", address, &port,
1217 : lpcfg_socket_options(lp_ctx),
1218 : ldap_service,
1219 : task->process_context);
1220 116 : if (!NT_STATUS_IS_OK(status)) {
1221 0 : DBG_ERR("ldapsrv failed to bind to %s:%u - %s\n",
1222 : address, port, nt_errstr(status));
1223 0 : return status;
1224 : }
1225 116 : if (tstream_tls_params_enabled(ldap_service->tls_params)) {
1226 : /* add ldaps server for the global catalog */
1227 116 : port = 3269;
1228 116 : status = stream_setup_socket(task, task->event_ctx, lp_ctx,
1229 : model_ops,
1230 : &ldap_stream_nonpriv_ops,
1231 : "ip", address, &port,
1232 : lpcfg_socket_options(lp_ctx),
1233 : ldap_service,
1234 : task->process_context);
1235 116 : if (!NT_STATUS_IS_OK(status)) {
1236 0 : DBG_ERR("ldapsrv failed to bind to %s:%u - %s\n",
1237 : address, port, nt_errstr(status));
1238 0 : return status;
1239 : }
1240 : }
1241 : }
1242 :
1243 : /* And once we are bound, free the temporary ldb, it will
1244 : * connect again on each incoming LDAP connection */
1245 116 : talloc_unlink(ldap_service, ldb);
1246 :
1247 116 : return NT_STATUS_OK;
1248 : }
1249 :
1250 : /*
1251 : open the ldap server sockets
1252 : */
1253 64 : static NTSTATUS ldapsrv_task_init(struct task_server *task)
1254 : {
1255 : char *ldapi_path;
1256 : #ifdef WITH_LDAPI_PRIV_SOCKET
1257 : char *priv_dir;
1258 : #endif
1259 : const char *dns_host_name;
1260 : struct ldapsrv_service *ldap_service;
1261 : NTSTATUS status;
1262 :
1263 64 : switch (lpcfg_server_role(task->lp_ctx)) {
1264 0 : case ROLE_STANDALONE:
1265 0 : task_server_terminate(task, "ldap_server: no LDAP server required in standalone configuration",
1266 : false);
1267 0 : return NT_STATUS_INVALID_DOMAIN_ROLE;
1268 6 : case ROLE_DOMAIN_MEMBER:
1269 6 : task_server_terminate(task, "ldap_server: no LDAP server required in member server configuration",
1270 : false);
1271 0 : return NT_STATUS_INVALID_DOMAIN_ROLE;
1272 56 : case ROLE_ACTIVE_DIRECTORY_DC:
1273 : /* Yes, we want an LDAP server */
1274 56 : break;
1275 : }
1276 :
1277 58 : task_server_set_title(task, "task[ldapsrv]");
1278 :
1279 58 : ldap_service = talloc_zero(task, struct ldapsrv_service);
1280 58 : if (ldap_service == NULL) {
1281 0 : status = NT_STATUS_NO_MEMORY;
1282 0 : goto failed;
1283 : }
1284 :
1285 58 : ldap_service->task = task;
1286 :
1287 58 : dns_host_name = talloc_asprintf(ldap_service, "%s.%s",
1288 : lpcfg_netbios_name(task->lp_ctx),
1289 : lpcfg_dnsdomain(task->lp_ctx));
1290 58 : if (dns_host_name == NULL) {
1291 0 : status = NT_STATUS_NO_MEMORY;
1292 0 : goto failed;
1293 : }
1294 :
1295 116 : status = tstream_tls_params_server(ldap_service,
1296 : dns_host_name,
1297 58 : lpcfg_tls_enabled(task->lp_ctx),
1298 58 : lpcfg_tls_keyfile(ldap_service, task->lp_ctx),
1299 58 : lpcfg_tls_certfile(ldap_service, task->lp_ctx),
1300 58 : lpcfg_tls_cafile(ldap_service, task->lp_ctx),
1301 58 : lpcfg_tls_crlfile(ldap_service, task->lp_ctx),
1302 58 : lpcfg_tls_dhpfile(ldap_service, task->lp_ctx),
1303 : lpcfg_tls_priority(task->lp_ctx),
1304 : &ldap_service->tls_params);
1305 58 : if (!NT_STATUS_IS_OK(status)) {
1306 0 : DBG_ERR("ldapsrv failed tstream_tls_params_server - %s\n",
1307 : nt_errstr(status));
1308 0 : goto failed;
1309 : }
1310 :
1311 58 : ldap_service->call_queue = tevent_queue_create(ldap_service, "ldapsrv_call_queue");
1312 58 : if (ldap_service->call_queue == NULL) {
1313 0 : status = NT_STATUS_NO_MEMORY;
1314 0 : goto failed;
1315 : }
1316 :
1317 58 : if (lpcfg_interfaces(task->lp_ctx) && lpcfg_bind_interfaces_only(task->lp_ctx)) {
1318 : struct interface *ifaces;
1319 : int num_interfaces;
1320 : int i;
1321 :
1322 0 : load_interface_list(task, task->lp_ctx, &ifaces);
1323 0 : num_interfaces = iface_list_count(ifaces);
1324 :
1325 : /* We have been given an interfaces line, and been
1326 : told to only bind to those interfaces. Create a
1327 : socket per interface and bind to only these.
1328 : */
1329 0 : for(i = 0; i < num_interfaces; i++) {
1330 0 : const char *address = iface_list_n_ip(ifaces, i);
1331 0 : status = add_socket(task, task->lp_ctx, task->model_ops,
1332 : address, ldap_service);
1333 0 : if (!NT_STATUS_IS_OK(status)) goto failed;
1334 : }
1335 : } else {
1336 : char **wcard;
1337 : size_t i;
1338 58 : size_t num_binds = 0;
1339 58 : wcard = iface_list_wildcard(task);
1340 58 : if (wcard == NULL) {
1341 0 : DBG_ERR("No wildcard addresses available\n");
1342 0 : status = NT_STATUS_UNSUCCESSFUL;
1343 0 : goto failed;
1344 : }
1345 172 : for (i=0; wcard[i]; i++) {
1346 116 : status = add_socket(task, task->lp_ctx, task->model_ops,
1347 112 : wcard[i], ldap_service);
1348 116 : if (NT_STATUS_IS_OK(status)) {
1349 116 : num_binds++;
1350 : }
1351 : }
1352 58 : talloc_free(wcard);
1353 58 : if (num_binds == 0) {
1354 0 : status = NT_STATUS_UNSUCCESSFUL;
1355 0 : goto failed;
1356 : }
1357 : }
1358 :
1359 58 : ldapi_path = lpcfg_private_path(ldap_service, task->lp_ctx, "ldapi");
1360 58 : if (!ldapi_path) {
1361 0 : status = NT_STATUS_UNSUCCESSFUL;
1362 0 : goto failed;
1363 : }
1364 :
1365 58 : status = stream_setup_socket(task, task->event_ctx, task->lp_ctx,
1366 : task->model_ops, &ldap_stream_nonpriv_ops,
1367 : "unix", ldapi_path, NULL,
1368 : lpcfg_socket_options(task->lp_ctx),
1369 : ldap_service, task->process_context);
1370 58 : talloc_free(ldapi_path);
1371 58 : if (!NT_STATUS_IS_OK(status)) {
1372 0 : DBG_ERR("ldapsrv failed to bind to %s - %s\n",
1373 : ldapi_path, nt_errstr(status));
1374 : }
1375 :
1376 : #ifdef WITH_LDAPI_PRIV_SOCKET
1377 58 : priv_dir = lpcfg_private_path(ldap_service, task->lp_ctx, "ldap_priv");
1378 58 : if (priv_dir == NULL) {
1379 0 : status = NT_STATUS_UNSUCCESSFUL;
1380 0 : goto failed;
1381 : }
1382 : /*
1383 : * Make sure the directory for the privileged ldapi socket exists, and
1384 : * is of the correct permissions
1385 : */
1386 58 : if (!directory_create_or_exist(priv_dir, 0750)) {
1387 0 : task_server_terminate(task, "Cannot create ldap "
1388 : "privileged ldapi directory", true);
1389 0 : return NT_STATUS_UNSUCCESSFUL;
1390 : }
1391 58 : ldapi_path = talloc_asprintf(ldap_service, "%s/ldapi", priv_dir);
1392 58 : talloc_free(priv_dir);
1393 58 : if (ldapi_path == NULL) {
1394 0 : status = NT_STATUS_NO_MEMORY;
1395 0 : goto failed;
1396 : }
1397 :
1398 58 : status = stream_setup_socket(task, task->event_ctx, task->lp_ctx,
1399 : task->model_ops, &ldap_stream_priv_ops,
1400 : "unix", ldapi_path, NULL,
1401 : lpcfg_socket_options(task->lp_ctx),
1402 : ldap_service,
1403 : task->process_context);
1404 58 : talloc_free(ldapi_path);
1405 58 : if (!NT_STATUS_IS_OK(status)) {
1406 0 : DBG_ERR("ldapsrv failed to bind to %s - %s\n",
1407 : ldapi_path, nt_errstr(status));
1408 : }
1409 :
1410 : #endif
1411 :
1412 : /* register the server */
1413 58 : irpc_add_name(task->msg_ctx, "ldap_server");
1414 :
1415 58 : task->private_data = ldap_service;
1416 :
1417 58 : return NT_STATUS_OK;
1418 :
1419 0 : failed:
1420 0 : task_server_terminate(task, "Failed to startup ldap server task", true);
1421 0 : return status;
1422 : }
1423 :
1424 : /*
1425 : * Open a database to be later used by LDB wrap code (although it should be
1426 : * plumbed through correctly eventually).
1427 : */
1428 138 : static void ldapsrv_post_fork(struct task_server *task, struct process_details *pd)
1429 : {
1430 101 : struct ldapsrv_service *ldap_service =
1431 138 : talloc_get_type_abort(task->private_data, struct ldapsrv_service);
1432 :
1433 406 : ldap_service->sam_ctx = samdb_connect(ldap_service,
1434 130 : ldap_service->task->event_ctx,
1435 138 : ldap_service->task->lp_ctx,
1436 138 : system_session(ldap_service->task->lp_ctx),
1437 : NULL,
1438 : 0);
1439 138 : if (ldap_service->sam_ctx == NULL) {
1440 0 : task_server_terminate(task, "Cannot open system session LDB",
1441 : true);
1442 0 : return;
1443 : }
1444 : }
1445 :
1446 : /*
1447 : * Check the size of an ldap request packet.
1448 : *
1449 : * For authenticated connections the maximum packet size is controlled by
1450 : * the smb.conf parameter "ldap max authenticated request size"
1451 : *
1452 : * For anonymous connections the maximum packet size is controlled by
1453 : * the smb.conf parameter "ldap max anonymous request size"
1454 : */
1455 903440 : static int ldapsrv_check_packet_size(
1456 : struct ldapsrv_connection *conn,
1457 : size_t size)
1458 : {
1459 903440 : bool is_anonymous = false;
1460 903440 : size_t max_size = 0;
1461 :
1462 903440 : max_size = lpcfg_ldap_max_anonymous_request_size(conn->lp_ctx);
1463 903440 : if (size <= max_size) {
1464 898008 : return LDAP_SUCCESS;
1465 : }
1466 :
1467 : /*
1468 : * Request is larger than the maximum unauthenticated request size.
1469 : * As this code is called frequently we avoid calling
1470 : * security_token_is_anonymous if possible
1471 : */
1472 7221 : if (conn->session_info != NULL &&
1473 4014 : conn->session_info->security_token != NULL) {
1474 4014 : is_anonymous = security_token_is_anonymous(
1475 4014 : conn->session_info->security_token);
1476 : }
1477 :
1478 4014 : if (is_anonymous) {
1479 4 : DBG_WARNING(
1480 : "LDAP request size (%zu) exceeds (%zu)\n",
1481 : size,
1482 : max_size);
1483 4 : return LDAP_UNWILLING_TO_PERFORM;
1484 : }
1485 :
1486 4010 : max_size = lpcfg_ldap_max_authenticated_request_size(conn->lp_ctx);
1487 4010 : if (size > max_size) {
1488 2 : DBG_WARNING(
1489 : "LDAP request size (%zu) exceeds (%zu)\n",
1490 : size,
1491 : max_size);
1492 2 : return LDAP_UNWILLING_TO_PERFORM;
1493 : }
1494 4008 : return LDAP_SUCCESS;
1495 :
1496 : }
1497 :
1498 : /*
1499 : * Check that the blob contains enough data to be a valid packet
1500 : * If there is a packet header check the size to ensure that it does not
1501 : * exceed the maximum sizes.
1502 : *
1503 : */
1504 903165 : static NTSTATUS ldapsrv_packet_check(
1505 : void *private_data,
1506 : DATA_BLOB blob,
1507 : size_t *packet_size)
1508 : {
1509 : NTSTATUS ret;
1510 903165 : struct ldapsrv_connection *conn = private_data;
1511 903165 : int result = LDB_SUCCESS;
1512 :
1513 903165 : ret = ldap_full_packet(private_data, blob, packet_size);
1514 903165 : if (!NT_STATUS_IS_OK(ret)) {
1515 451442 : return ret;
1516 : }
1517 451723 : result = ldapsrv_check_packet_size(conn, *packet_size);
1518 451723 : if (result != LDAP_SUCCESS) {
1519 6 : return NT_STATUS_LDAP(result);
1520 : }
1521 451717 : return NT_STATUS_OK;
1522 : }
1523 :
1524 64 : NTSTATUS server_service_ldap_init(TALLOC_CTX *ctx)
1525 : {
1526 : static const struct service_details details = {
1527 : .inhibit_fork_on_accept = false,
1528 : .inhibit_pre_fork = false,
1529 : .task_init = ldapsrv_task_init,
1530 : .post_fork = ldapsrv_post_fork,
1531 : };
1532 64 : return register_server_service(ctx, "ldap", &details);
1533 : }
|