static NTSTATUS tcp_ldap_rootdse(void *data, TALLOC_CTX *mem_ctx, struct cldap_search *io) { struct ldap_connection *conn = talloc_get_type(data, struct ldap_connection); struct ldap_message *msg, *result; struct ldap_request *req; int i; NTSTATUS status; msg = new_ldap_message(mem_ctx); if (!msg) { return NT_STATUS_NO_MEMORY; } msg->type = LDAP_TAG_SearchRequest; msg->r.SearchRequest.basedn = ""; msg->r.SearchRequest.scope = LDAP_SEARCH_SCOPE_BASE; msg->r.SearchRequest.deref = LDAP_DEREFERENCE_NEVER; msg->r.SearchRequest.timelimit = 0; msg->r.SearchRequest.sizelimit = 0; msg->r.SearchRequest.attributesonly = false; msg->r.SearchRequest.tree = ldb_parse_tree(msg, io->in.filter); msg->r.SearchRequest.num_attributes = str_list_length(io->in.attributes); msg->r.SearchRequest.attributes = io->in.attributes; req = ldap_request_send(conn, msg); if (req == NULL) { printf("Could not setup ldap search\n"); return NT_STATUS_UNSUCCESSFUL; } ZERO_STRUCT(io->out); for (i = 0; i < 2; ++i) { status = ldap_result_n(req, i, &result); if (!NT_STATUS_IS_OK(status)) { return status; } switch (result->type) { case LDAP_TAG_SearchResultEntry: if (i != 0) { return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR); } io->out.response = &result->r.SearchResultEntry; break; case LDAP_TAG_SearchResultDone: io->out.result = &result->r.SearchResultDone; if (io->out.result->resultcode != LDAP_SUCCESS) { return NT_STATUS_LDAP(io->out.result->resultcode); } return NT_STATUS_OK; default: return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR); } } return NT_STATUS_OK; }
static bool test_search_auth_empty_substring(struct ldap_connection *conn, const char *basedn) { bool ret = true; struct ldap_message *msg, *result; struct ldap_request *req; NTSTATUS status; struct ldap_Result *r; printf("Testing authenticated base Search with objectclass= substring filter\n"); msg = new_ldap_message(conn); if (!msg) { return false; } msg->type = LDAP_TAG_SearchRequest; msg->r.SearchRequest.basedn = basedn; msg->r.SearchRequest.scope = LDAP_SEARCH_SCOPE_BASE; msg->r.SearchRequest.deref = LDAP_DEREFERENCE_NEVER; msg->r.SearchRequest.timelimit = 0; msg->r.SearchRequest.sizelimit = 0; msg->r.SearchRequest.attributesonly = false; msg->r.SearchRequest.tree = ldb_parse_tree(msg, "(objectclass=*)"); msg->r.SearchRequest.tree->operation = LDB_OP_SUBSTRING; msg->r.SearchRequest.tree->u.substring.attr = "objectclass"; msg->r.SearchRequest.tree->u.substring.start_with_wildcard = 1; msg->r.SearchRequest.tree->u.substring.end_with_wildcard = 1; msg->r.SearchRequest.tree->u.substring.chunks = NULL; msg->r.SearchRequest.num_attributes = 0; msg->r.SearchRequest.attributes = NULL; req = ldap_request_send(conn, msg); if (req == NULL) { printf("Could not setup ldap search\n"); return false; } status = ldap_result_one(req, &result, LDAP_TAG_SearchResultDone); if (!NT_STATUS_IS_OK(status)) { printf("looking for search result done failed - %s\n", nt_errstr(status)); return false; } printf("received %d replies\n", req->num_replies); r = &result->r.SearchResultDone; if (r->resultcode != LDAP_SUCCESS) { printf("search result done gave error - %s\n", ldb_strerror(r->resultcode)); return false; } return ret; }
static bool test_compare_sasl(struct ldap_connection *conn, const char *basedn) { struct ldap_message *msg, *rep; struct ldap_request *req; const char *val; NTSTATUS status; printf("Testing SASL Compare: %s\n", basedn); if (!basedn) { return false; } msg = new_ldap_message(conn); if (!msg) { return false; } msg->type = LDAP_TAG_CompareRequest; msg->r.CompareRequest.dn = basedn; msg->r.CompareRequest.attribute = talloc_strdup(msg, "objectClass"); val = "domain"; msg->r.CompareRequest.value = data_blob_talloc(msg, val, strlen(val)); req = ldap_request_send(conn, msg); if (!req) { return false; } status = ldap_result_one(req, &rep, LDAP_TAG_CompareResponse); if (!NT_STATUS_IS_OK(status)) { printf("error in ldap compare request - %s\n", nt_errstr(status)); return false; } DEBUG(5,("Code: %d DN: [%s] ERROR:[%s] REFERRAL:[%s]\n", rep->r.CompareResponse.resultcode, rep->r.CompareResponse.dn, rep->r.CompareResponse.errormessage, rep->r.CompareResponse.referral)); return true; }
static bool test_abandon_request(struct torture_context *tctx, struct ldap_connection *conn, const char *basedn) { struct ldap_message *msg; struct ldap_request *req; NTSTATUS status; printf("Testing the AbandonRequest with an old message id!\n"); if (!basedn) { return false; } msg = new_ldap_message(conn); if (!msg) { return false; } printf(" Try a AbandonRequest for an old message id\n"); msg->type = LDAP_TAG_AbandonRequest; msg->r.AbandonRequest.messageid = 1; req = ldap_request_send(conn, msg); if (!req) { return false; } status = ldap_request_wait(req); if (!NT_STATUS_IS_OK(status)) { printf("error in ldap abandon request - %s\n", nt_errstr(status)); return false; } return true; }
/* perform a simple username/password bind */ _PUBLIC_ NTSTATUS ldap_bind_simple(struct ldap_connection *conn, const char *userdn, const char *password) { struct ldap_request *req; struct ldap_message *msg; const char *dn, *pw; NTSTATUS status; if (conn == NULL) { return NT_STATUS_INVALID_CONNECTION; } if (userdn) { dn = userdn; } else { if (conn->auth_dn) { dn = conn->auth_dn; } else { dn = ""; } } if (password) { pw = password; } else { if (conn->simple_pw) { pw = conn->simple_pw; } else { pw = ""; } } msg = new_ldap_simple_bind_msg(conn, dn, pw); NT_STATUS_HAVE_NO_MEMORY(msg); /* send the request */ req = ldap_request_send(conn, msg); talloc_free(msg); NT_STATUS_HAVE_NO_MEMORY(req); /* wait for replies */ status = ldap_request_wait(req); if (!NT_STATUS_IS_OK(status)) { talloc_free(req); return status; } /* check its a valid reply */ msg = req->replies[0]; if (msg->type != LDAP_TAG_BindResponse) { talloc_free(req); return NT_STATUS_UNEXPECTED_NETWORK_ERROR; } status = ldap_check_response(conn, &msg->r.BindResponse.response); talloc_free(req); if (NT_STATUS_IS_OK(status)) { struct ldap_simple_creds *creds = talloc(conn, struct ldap_simple_creds); if (creds == NULL) { return NT_STATUS_NO_MEMORY; } creds->dn = talloc_strdup(creds, dn); creds->pw = talloc_strdup(creds, pw); if (creds->dn == NULL || creds->pw == NULL) { return NT_STATUS_NO_MEMORY; } conn->bind.type = LDAP_BIND_SIMPLE; conn->bind.creds = creds; } return status; }
/* perform a sasl bind using the given credentials */ _PUBLIC_ NTSTATUS ldap_bind_sasl(struct ldap_connection *conn, struct cli_credentials *creds, struct loadparm_context *lp_ctx) { NTSTATUS status; TALLOC_CTX *tmp_ctx = NULL; DATA_BLOB input = data_blob(NULL, 0); DATA_BLOB output = data_blob(NULL, 0); struct ldap_message **sasl_mechs_msgs; struct ldap_SearchResEntry *search; int count, i; const char **sasl_names; uint32_t old_gensec_features; static const char *supported_sasl_mech_attrs[] = { "supportedSASLMechanisms", NULL }; unsigned int logon_retries = 0; status = ildap_search(conn, "", LDAP_SEARCH_SCOPE_BASE, "", supported_sasl_mech_attrs, false, NULL, NULL, &sasl_mechs_msgs); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to inquire of target's available sasl mechs in rootdse search: %s\n", nt_errstr(status))); goto failed; } count = ildap_count_entries(conn, sasl_mechs_msgs); if (count != 1) { DEBUG(1, ("Failed to inquire of target's available sasl mechs in rootdse search: wrong number of replies: %d\n", count)); goto failed; } tmp_ctx = talloc_new(conn); if (tmp_ctx == NULL) goto failed; search = &sasl_mechs_msgs[0]->r.SearchResultEntry; if (search->num_attributes != 1) { DEBUG(1, ("Failed to inquire of target's available sasl mechs in rootdse search: wrong number of attributes: %d != 1\n", search->num_attributes)); goto failed; } sasl_names = talloc_array(tmp_ctx, const char *, search->attributes[0].num_values + 1); if (!sasl_names) { DEBUG(1, ("talloc_arry(char *, %d) failed\n", count)); goto failed; } for (i=0; i<search->attributes[0].num_values; i++) { sasl_names[i] = (const char *)search->attributes[0].values[i].data; } sasl_names[i] = NULL; gensec_init(); try_logon_again: /* we loop back here on a logon failure, and re-create the gensec session. The logon_retries counter ensures we don't loop forever. */ status = gensec_client_start(conn, &conn->gensec, lpcfg_gensec_settings(conn, lp_ctx)); if (!NT_STATUS_IS_OK(status)) { DEBUG(0, ("Failed to start GENSEC engine (%s)\n", nt_errstr(status))); goto failed; } /* require Kerberos SIGN/SEAL only if we don't use SSL * Windows seem not to like double encryption */ old_gensec_features = cli_credentials_get_gensec_features(creds); if (tls_enabled(conn->sock)) { cli_credentials_set_gensec_features(creds, old_gensec_features & ~(GENSEC_FEATURE_SIGN|GENSEC_FEATURE_SEAL)); } /* this call also sets the gensec_want_features */ status = gensec_set_credentials(conn->gensec, creds); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to set GENSEC creds: %s\n", nt_errstr(status))); goto failed; } /* reset the original gensec_features (on the credentials * context, so we don't tatoo it ) */ cli_credentials_set_gensec_features(creds, old_gensec_features); if (conn->host) { status = gensec_set_target_hostname(conn->gensec, conn->host); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to set GENSEC target hostname: %s\n", nt_errstr(status))); goto failed; } } status = gensec_set_target_service(conn->gensec, "ldap"); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to set GENSEC target service: %s\n", nt_errstr(status))); goto failed; } status = gensec_start_mech_by_sasl_list(conn->gensec, sasl_names); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("None of the %d proposed SASL mechs were acceptable: %s\n", count, nt_errstr(status))); goto failed; } while (1) { NTSTATUS gensec_status; struct ldap_message *response; struct ldap_message *msg; struct ldap_request *req; int result = LDAP_OTHER; status = gensec_update(conn->gensec, tmp_ctx, conn->event.event_ctx, input, &output); /* The status value here, from GENSEC is vital to the security * of the system. Even if the other end accepts, if GENSEC * claims 'MORE_PROCESSING_REQUIRED' then you must keep * feeding it blobs, or else the remote host/attacker might * avoid mutal authentication requirements. * * Likewise, you must not feed GENSEC too much (after the OK), * it doesn't like that either */ gensec_status = status; if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) && !NT_STATUS_IS_OK(status)) { break; } if (NT_STATUS_IS_OK(status) && output.length == 0) { break; } /* Perhaps we should make gensec_start_mech_by_sasl_list() return the name we got? */ msg = new_ldap_sasl_bind_msg(tmp_ctx, conn->gensec->ops->sasl_name, (output.data?&output:NULL)); if (msg == NULL) { status = NT_STATUS_NO_MEMORY; goto failed; } req = ldap_request_send(conn, msg); if (req == NULL) { status = NT_STATUS_NO_MEMORY; goto failed; } talloc_reparent(conn, tmp_ctx, req); status = ldap_result_n(req, 0, &response); if (!NT_STATUS_IS_OK(status)) { goto failed; } if (response->type != LDAP_TAG_BindResponse) { status = NT_STATUS_UNEXPECTED_NETWORK_ERROR; goto failed; } result = response->r.BindResponse.response.resultcode; if (result == LDAP_INVALID_CREDENTIALS) { /* try a second time on invalid credentials, to give the user a chance to re-enter the password and to handle the case where our kerberos ticket is invalid as the server password has changed */ const char *principal; principal = gensec_get_target_principal(conn->gensec); if (principal == NULL) { const char *hostname = gensec_get_target_hostname(conn->gensec); const char *service = gensec_get_target_service(conn->gensec); if (hostname != NULL && service != NULL) { principal = talloc_asprintf(tmp_ctx, "%s/%s", service, hostname); } } if (cli_credentials_failed_kerberos_login(creds, principal, &logon_retries) || cli_credentials_wrong_password(creds)) { /* destroy our gensec session and loop back up to the top to retry, offering the user a chance to enter new credentials, or get a new ticket if using kerberos */ talloc_free(conn->gensec); conn->gensec = NULL; goto try_logon_again; } } if (result != LDAP_SUCCESS && result != LDAP_SASL_BIND_IN_PROGRESS) { status = ldap_check_response(conn, &response->r.BindResponse.response); break; } /* This is where we check if GENSEC wanted to be fed more data */ if (!NT_STATUS_EQUAL(gensec_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { break; } if (response->r.BindResponse.SASL.secblob) { input = *response->r.BindResponse.SASL.secblob; } else { input = data_blob(NULL, 0); } } talloc_free(tmp_ctx); if (NT_STATUS_IS_OK(status)) { struct socket_context *sasl_socket; status = gensec_socket_init(conn->gensec, conn, conn->sock, conn->event.event_ctx, ldap_read_io_handler, conn, &sasl_socket); if (!NT_STATUS_IS_OK(status)) goto failed; conn->sock = sasl_socket; packet_set_socket(conn->packet, conn->sock); conn->bind.type = LDAP_BIND_SASL; conn->bind.creds = creds; } return status; failed: talloc_free(tmp_ctx); talloc_free(conn->gensec); conn->gensec = NULL; return status; }
static bool test_search_rootDSE(struct ldap_connection *conn, const char **basedn, const char ***partitions) { bool ret = true; struct ldap_message *msg, *result; struct ldap_request *req; int i; struct ldap_SearchResEntry *r; NTSTATUS status; printf("Testing RootDSE Search\n"); *basedn = NULL; if (partitions != NULL) { *partitions = const_str_list(str_list_make_empty(conn)); } msg = new_ldap_message(conn); if (!msg) { return false; } msg->type = LDAP_TAG_SearchRequest; msg->r.SearchRequest.basedn = ""; msg->r.SearchRequest.scope = LDAP_SEARCH_SCOPE_BASE; msg->r.SearchRequest.deref = LDAP_DEREFERENCE_NEVER; msg->r.SearchRequest.timelimit = 0; msg->r.SearchRequest.sizelimit = 0; msg->r.SearchRequest.attributesonly = false; msg->r.SearchRequest.tree = ldb_parse_tree(msg, "(objectclass=*)"); msg->r.SearchRequest.num_attributes = 0; msg->r.SearchRequest.attributes = NULL; req = ldap_request_send(conn, msg); if (req == NULL) { printf("Could not setup ldap search\n"); return false; } status = ldap_result_one(req, &result, LDAP_TAG_SearchResultEntry); if (!NT_STATUS_IS_OK(status)) { printf("search failed - %s\n", nt_errstr(status)); return false; } printf("received %d replies\n", req->num_replies); r = &result->r.SearchResultEntry; DEBUG(1,("\tdn: %s\n", r->dn)); for (i=0; i<r->num_attributes; i++) { int j; for (j=0; j<r->attributes[i].num_values; j++) { DEBUG(1,("\t%s: %d %.*s\n", r->attributes[i].name, (int)r->attributes[i].values[j].length, (int)r->attributes[i].values[j].length, (char *)r->attributes[i].values[j].data)); if (!(*basedn) && strcasecmp("defaultNamingContext",r->attributes[i].name)==0) { *basedn = talloc_asprintf(conn, "%.*s", (int)r->attributes[i].values[j].length, (char *)r->attributes[i].values[j].data); } if ((partitions != NULL) && (strcasecmp("namingContexts", r->attributes[i].name) == 0)) { char *entry = talloc_asprintf(conn, "%.*s", (int)r->attributes[i].values[j].length, (char *)r->attributes[i].values[j].data); *partitions = str_list_add(*partitions, entry); } } } return ret; }
/* This has to be done using the LDAP API since the LDB API does only transmit * the error code and not the error message. */ static bool test_error_codes(struct torture_context *tctx, struct ldap_connection *conn, const char *basedn) { struct ldap_message *msg, *rep; struct ldap_request *req; const char *err_code_str; char *endptr; WERROR err; NTSTATUS status; printf("Testing the most important error code -> error message conversions!\n"); if (!basedn) { return false; } msg = new_ldap_message(conn); if (!msg) { return false; } printf(" Try a wrong addition\n"); msg->type = LDAP_TAG_AddRequest; msg->r.AddRequest.dn = basedn; msg->r.AddRequest.num_attributes = 0; msg->r.AddRequest.attributes = NULL; req = ldap_request_send(conn, msg); if (!req) { return false; } status = ldap_result_one(req, &rep, LDAP_TAG_AddResponse); if (!NT_STATUS_IS_OK(status)) { printf("error in ldap add request - %s\n", nt_errstr(status)); return false; } if ((rep->r.AddResponse.resultcode == 0) || (rep->r.AddResponse.errormessage == NULL) || (strtol(rep->r.AddResponse.errormessage, &endptr,16) <= 0) || (*endptr != ':')) { printf("Invalid error message!\n"); return false; } err = ad_error(rep->r.AddResponse.errormessage, &endptr); err_code_str = win_errstr(err); printf(" - Errorcode: %s; Reason: %s\n", err_code_str, endptr); if ((!W_ERROR_EQUAL(err, WERR_DS_REFERRAL)) || (rep->r.AddResponse.resultcode != LDAP_REFERRAL)) { return false; } if ((rep->r.AddResponse.referral == NULL) || (strstr(rep->r.AddResponse.referral, basedn) == NULL)) { return false; } printf(" Try another wrong addition\n"); msg->type = LDAP_TAG_AddRequest; msg->r.AddRequest.dn = ""; msg->r.AddRequest.num_attributes = 0; msg->r.AddRequest.attributes = NULL; req = ldap_request_send(conn, msg); if (!req) { return false; } status = ldap_result_one(req, &rep, LDAP_TAG_AddResponse); if (!NT_STATUS_IS_OK(status)) { printf("error in ldap add request - %s\n", nt_errstr(status)); return false; } if ((rep->r.AddResponse.resultcode == 0) || (rep->r.AddResponse.errormessage == NULL) || (strtol(rep->r.AddResponse.errormessage, &endptr,16) <= 0) || (*endptr != ':')) { printf("Invalid error message!\n"); return false; } err = ad_error(rep->r.AddResponse.errormessage, &endptr); err_code_str = win_errstr(err); printf(" - Errorcode: %s; Reason: %s\n", err_code_str, endptr); if ((!W_ERROR_EQUAL(err, WERR_DS_ROOT_MUST_BE_NC) && !W_ERROR_EQUAL(err, WERR_DS_NAMING_VIOLATION)) || (rep->r.AddResponse.resultcode != LDAP_NAMING_VIOLATION)) { return false; } printf(" Try a wrong modification\n"); msg->type = LDAP_TAG_ModifyRequest; msg->r.ModifyRequest.dn = basedn; msg->r.ModifyRequest.num_mods = 0; msg->r.ModifyRequest.mods = NULL; req = ldap_request_send(conn, msg); if (!req) { return false; } status = ldap_result_one(req, &rep, LDAP_TAG_ModifyResponse); if (!NT_STATUS_IS_OK(status)) { printf("error in ldap modifification request - %s\n", nt_errstr(status)); return false; } if ((rep->r.ModifyResponse.resultcode == 0) || (rep->r.ModifyResponse.errormessage == NULL) || (strtol(rep->r.ModifyResponse.errormessage, &endptr,16) <= 0) || (*endptr != ':')) { printf("Invalid error message!\n"); return false; } err = ad_error(rep->r.ModifyResponse.errormessage, &endptr); err_code_str = win_errstr(err); printf(" - Errorcode: %s; Reason: %s\n", err_code_str, endptr); if ((!W_ERROR_EQUAL(err, WERR_INVALID_PARAMETER) && !W_ERROR_EQUAL(err, WERR_DS_UNWILLING_TO_PERFORM)) || (rep->r.ModifyResponse.resultcode != LDAP_UNWILLING_TO_PERFORM)) { return false; } printf(" Try another wrong modification\n"); msg->type = LDAP_TAG_ModifyRequest; msg->r.ModifyRequest.dn = ""; msg->r.ModifyRequest.num_mods = 0; msg->r.ModifyRequest.mods = NULL; req = ldap_request_send(conn, msg); if (!req) { return false; } status = ldap_result_one(req, &rep, LDAP_TAG_ModifyResponse); if (!NT_STATUS_IS_OK(status)) { printf("error in ldap modifification request - %s\n", nt_errstr(status)); return false; } if ((rep->r.ModifyResponse.resultcode == 0) || (rep->r.ModifyResponse.errormessage == NULL) || (strtol(rep->r.ModifyResponse.errormessage, &endptr,16) <= 0) || (*endptr != ':')) { printf("Invalid error message!\n"); return false; } err = ad_error(rep->r.ModifyResponse.errormessage, &endptr); err_code_str = win_errstr(err); printf(" - Errorcode: %s; Reason: %s\n", err_code_str, endptr); if ((!W_ERROR_EQUAL(err, WERR_INVALID_PARAMETER) && !W_ERROR_EQUAL(err, WERR_DS_UNWILLING_TO_PERFORM)) || (rep->r.ModifyResponse.resultcode != LDAP_UNWILLING_TO_PERFORM)) { return false; } printf(" Try a wrong removal\n"); msg->type = LDAP_TAG_DelRequest; msg->r.DelRequest.dn = basedn; req = ldap_request_send(conn, msg); if (!req) { return false; } status = ldap_result_one(req, &rep, LDAP_TAG_DelResponse); if (!NT_STATUS_IS_OK(status)) { printf("error in ldap removal request - %s\n", nt_errstr(status)); return false; } if ((rep->r.DelResponse.resultcode == 0) || (rep->r.DelResponse.errormessage == NULL) || (strtol(rep->r.DelResponse.errormessage, &endptr,16) <= 0) || (*endptr != ':')) { printf("Invalid error message!\n"); return false; } err = ad_error(rep->r.DelResponse.errormessage, &endptr); err_code_str = win_errstr(err); printf(" - Errorcode: %s; Reason: %s\n", err_code_str, endptr); if ((!W_ERROR_EQUAL(err, WERR_DS_CANT_DELETE) && !W_ERROR_EQUAL(err, WERR_DS_UNWILLING_TO_PERFORM)) || (rep->r.DelResponse.resultcode != LDAP_UNWILLING_TO_PERFORM)) { return false; } printf(" Try another wrong removal\n"); msg->type = LDAP_TAG_DelRequest; msg->r.DelRequest.dn = ""; req = ldap_request_send(conn, msg); if (!req) { return false; } status = ldap_result_one(req, &rep, LDAP_TAG_DelResponse); if (!NT_STATUS_IS_OK(status)) { printf("error in ldap removal request - %s\n", nt_errstr(status)); return false; } if ((rep->r.DelResponse.resultcode == 0) || (rep->r.DelResponse.errormessage == NULL) || (strtol(rep->r.DelResponse.errormessage, &endptr,16) <= 0) || (*endptr != ':')) { printf("Invalid error message!\n"); return false; } err = ad_error(rep->r.DelResponse.errormessage, &endptr); err_code_str = win_errstr(err); printf(" - Errorcode: %s; Reason: %s\n", err_code_str, endptr); if ((!W_ERROR_EQUAL(err, WERR_DS_OBJ_NOT_FOUND) && !W_ERROR_EQUAL(err, WERR_DS_NO_SUCH_OBJECT)) || (rep->r.DelResponse.resultcode != LDAP_NO_SUCH_OBJECT)) { return false; } printf(" Try a wrong rename\n"); msg->type = LDAP_TAG_ModifyDNRequest; msg->r.ModifyDNRequest.dn = basedn; msg->r.ModifyDNRequest.newrdn = "dc=test"; msg->r.ModifyDNRequest.deleteolddn = true; msg->r.ModifyDNRequest.newsuperior = NULL; req = ldap_request_send(conn, msg); if (!req) { return false; } status = ldap_result_one(req, &rep, LDAP_TAG_ModifyDNResponse); if (!NT_STATUS_IS_OK(status)) { printf("error in ldap rename request - %s\n", nt_errstr(status)); return false; } if ((rep->r.ModifyDNResponse.resultcode == 0) || (rep->r.ModifyDNResponse.errormessage == NULL) || (strtol(rep->r.ModifyDNResponse.errormessage, &endptr,16) <= 0) || (*endptr != ':')) { printf("Invalid error message!\n"); return false; } err = ad_error(rep->r.ModifyDNResponse.errormessage, &endptr); err_code_str = win_errstr(err); printf(" - Errorcode: %s; Reason: %s\n", err_code_str, endptr); if ((!W_ERROR_EQUAL(err, WERR_DS_NO_PARENT_OBJECT) && !W_ERROR_EQUAL(err, WERR_DS_GENERIC_ERROR)) || (rep->r.ModifyDNResponse.resultcode != LDAP_OTHER)) { return false; } printf(" Try another wrong rename\n"); msg->type = LDAP_TAG_ModifyDNRequest; msg->r.ModifyDNRequest.dn = basedn; msg->r.ModifyDNRequest.newrdn = basedn; msg->r.ModifyDNRequest.deleteolddn = true; msg->r.ModifyDNRequest.newsuperior = NULL; req = ldap_request_send(conn, msg); if (!req) { return false; } status = ldap_result_one(req, &rep, LDAP_TAG_ModifyDNResponse); if (!NT_STATUS_IS_OK(status)) { printf("error in ldap rename request - %s\n", nt_errstr(status)); return false; } if ((rep->r.ModifyDNResponse.resultcode == 0) || (rep->r.ModifyDNResponse.errormessage == NULL) || (strtol(rep->r.ModifyDNResponse.errormessage, &endptr,16) <= 0) || (*endptr != ':')) { printf("Invalid error message!\n"); return false; } err = ad_error(rep->r.ModifyDNResponse.errormessage, &endptr); err_code_str = win_errstr(err); printf(" - Errorcode: %s; Reason: %s\n", err_code_str, endptr); if ((!W_ERROR_EQUAL(err, WERR_INVALID_PARAMETER) && !W_ERROR_EQUAL(err, WERR_DS_NAMING_VIOLATION)) || (rep->r.ModifyDNResponse.resultcode != LDAP_NAMING_VIOLATION)) { return false; } printf(" Try another wrong rename\n"); msg->type = LDAP_TAG_ModifyDNRequest; msg->r.ModifyDNRequest.dn = basedn; msg->r.ModifyDNRequest.newrdn = ""; msg->r.ModifyDNRequest.deleteolddn = true; msg->r.ModifyDNRequest.newsuperior = NULL; req = ldap_request_send(conn, msg); if (!req) { return false; } status = ldap_result_one(req, &rep, LDAP_TAG_ModifyDNResponse); if (!NT_STATUS_IS_OK(status)) { printf("error in ldap rename request - %s\n", nt_errstr(status)); return false; } if ((rep->r.ModifyDNResponse.resultcode == 0) || (rep->r.ModifyDNResponse.errormessage == NULL) || (strtol(rep->r.ModifyDNResponse.errormessage, &endptr,16) <= 0) || (*endptr != ':')) { printf("Invalid error message!\n"); return false; } err = ad_error(rep->r.ModifyDNResponse.errormessage, &endptr); err_code_str = win_errstr(err); printf(" - Errorcode: %s; Reason: %s\n", err_code_str, endptr); if ((!W_ERROR_EQUAL(err, WERR_INVALID_PARAMETER) && !W_ERROR_EQUAL(err, WERR_DS_PROTOCOL_ERROR)) || (rep->r.ModifyDNResponse.resultcode != LDAP_PROTOCOL_ERROR)) { return false; } printf(" Try another wrong rename\n"); msg->type = LDAP_TAG_ModifyDNRequest; msg->r.ModifyDNRequest.dn = ""; msg->r.ModifyDNRequest.newrdn = "cn=temp"; msg->r.ModifyDNRequest.deleteolddn = true; msg->r.ModifyDNRequest.newsuperior = NULL; req = ldap_request_send(conn, msg); if (!req) { return false; } status = ldap_result_one(req, &rep, LDAP_TAG_ModifyDNResponse); if (!NT_STATUS_IS_OK(status)) { printf("error in ldap rename request - %s\n", nt_errstr(status)); return false; } if ((rep->r.ModifyDNResponse.resultcode == 0) || (rep->r.ModifyDNResponse.errormessage == NULL) || (strtol(rep->r.ModifyDNResponse.errormessage, &endptr,16) <= 0) || (*endptr != ':')) { printf("Invalid error message!\n"); return false; } err = ad_error(rep->r.ModifyDNResponse.errormessage, &endptr); err_code_str = win_errstr(err); printf(" - Errorcode: %s; Reason: %s\n", err_code_str, endptr); if ((!W_ERROR_EQUAL(err, WERR_DS_OBJ_NOT_FOUND) && !W_ERROR_EQUAL(err, WERR_DS_NO_SUCH_OBJECT)) || (rep->r.ModifyDNResponse.resultcode != LDAP_NO_SUCH_OBJECT)) { return false; } return true; }
/* perform a sasl bind using the given credentials */ _PUBLIC_ NTSTATUS ldap_bind_sasl(struct ldap_connection *conn, struct cli_credentials *creds, struct loadparm_context *lp_ctx) { NTSTATUS status; TALLOC_CTX *tmp_ctx = NULL; DATA_BLOB input = data_blob(NULL, 0); DATA_BLOB output = data_blob(NULL, 0); struct ldap_message **sasl_mechs_msgs; struct ldap_SearchResEntry *search; int count, i; bool first = true; int wrap_flags = 0; const char **sasl_names; uint32_t old_gensec_features; static const char *supported_sasl_mech_attrs[] = { "supportedSASLMechanisms", NULL }; unsigned int logon_retries = 0; size_t queue_length; if (conn->sockets.active == NULL) { status = NT_STATUS_CONNECTION_DISCONNECTED; goto failed; } queue_length = tevent_queue_length(conn->sockets.send_queue); if (queue_length != 0) { status = NT_STATUS_INVALID_PARAMETER_MIX; DEBUG(1, ("SASL bind triggered with non empty send_queue[%zu]: %s\n", queue_length, nt_errstr(status))); goto failed; } if (conn->pending != NULL) { status = NT_STATUS_INVALID_PARAMETER_MIX; DEBUG(1, ("SASL bind triggered with pending requests: %s\n", nt_errstr(status))); goto failed; } status = ildap_search(conn, "", LDAP_SEARCH_SCOPE_BASE, "", supported_sasl_mech_attrs, false, NULL, NULL, &sasl_mechs_msgs); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to inquire of target's available sasl mechs in rootdse search: %s\n", nt_errstr(status))); goto failed; } count = ildap_count_entries(conn, sasl_mechs_msgs); if (count != 1) { DEBUG(1, ("Failed to inquire of target's available sasl mechs in rootdse search: wrong number of replies: %d\n", count)); goto failed; } tmp_ctx = talloc_new(conn); if (tmp_ctx == NULL) goto failed; search = &sasl_mechs_msgs[0]->r.SearchResultEntry; if (search->num_attributes != 1) { DEBUG(1, ("Failed to inquire of target's available sasl mechs in rootdse search: wrong number of attributes: %d != 1\n", search->num_attributes)); goto failed; } sasl_names = talloc_array(tmp_ctx, const char *, search->attributes[0].num_values + 1); if (!sasl_names) { DEBUG(1, ("talloc_arry(char *, %d) failed\n", count)); goto failed; } for (i=0; i<search->attributes[0].num_values; i++) { sasl_names[i] = (const char *)search->attributes[0].values[i].data; } sasl_names[i] = NULL; gensec_init(); if (conn->sockets.active == conn->sockets.tls) { /* * require Kerberos SIGN/SEAL only if we don't use SSL * Windows seem not to like double encryption */ wrap_flags = 0; } else if (cli_credentials_is_anonymous(creds)) { /* * anonymous isn't protected */ wrap_flags = 0; } else { wrap_flags = lpcfg_client_ldap_sasl_wrapping(lp_ctx); } try_logon_again: /* we loop back here on a logon failure, and re-create the gensec session. The logon_retries counter ensures we don't loop forever. */ data_blob_free(&input); TALLOC_FREE(conn->gensec); status = gensec_client_start(conn, &conn->gensec, lpcfg_gensec_settings(conn, lp_ctx)); if (!NT_STATUS_IS_OK(status)) { DEBUG(0, ("Failed to start GENSEC engine (%s)\n", nt_errstr(status))); goto failed; } old_gensec_features = cli_credentials_get_gensec_features(creds); if (wrap_flags == 0) { cli_credentials_set_gensec_features(creds, old_gensec_features & ~(GENSEC_FEATURE_SIGN|GENSEC_FEATURE_SEAL)); } /* this call also sets the gensec_want_features */ status = gensec_set_credentials(conn->gensec, creds); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to set GENSEC creds: %s\n", nt_errstr(status))); goto failed; } /* reset the original gensec_features (on the credentials * context, so we don't tatoo it ) */ cli_credentials_set_gensec_features(creds, old_gensec_features); if (wrap_flags & ADS_AUTH_SASL_SEAL) { gensec_want_feature(conn->gensec, GENSEC_FEATURE_SIGN); gensec_want_feature(conn->gensec, GENSEC_FEATURE_SEAL); } if (wrap_flags & ADS_AUTH_SASL_SIGN) { gensec_want_feature(conn->gensec, GENSEC_FEATURE_SIGN); } /* * This is an indication for the NTLMSSP backend to * also encrypt when only GENSEC_FEATURE_SIGN is requested * in gensec_[un]wrap(). */ gensec_want_feature(conn->gensec, GENSEC_FEATURE_LDAP_STYLE); if (conn->host) { status = gensec_set_target_hostname(conn->gensec, conn->host); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to set GENSEC target hostname: %s\n", nt_errstr(status))); goto failed; } } status = gensec_set_target_service(conn->gensec, "ldap"); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to set GENSEC target service: %s\n", nt_errstr(status))); goto failed; } status = gensec_start_mech_by_sasl_list(conn->gensec, sasl_names); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("None of the %d proposed SASL mechs were acceptable: %s\n", count, nt_errstr(status))); goto failed; } while (1) { NTSTATUS gensec_status; struct ldap_message *response; struct ldap_message *msg; struct ldap_request *req; int result = LDAP_OTHER; status = gensec_update_ev(conn->gensec, tmp_ctx, conn->event.event_ctx, input, &output); /* The status value here, from GENSEC is vital to the security * of the system. Even if the other end accepts, if GENSEC * claims 'MORE_PROCESSING_REQUIRED' then you must keep * feeding it blobs, or else the remote host/attacker might * avoid mutal authentication requirements. * * Likewise, you must not feed GENSEC too much (after the OK), * it doesn't like that either. * * For SASL/EXTERNAL, there is no data to send, but we still * must send the actual Bind request the first time around. * Otherwise, a result of NT_STATUS_OK with 0 output means the * end of a multi-step authentication, and no message must be * sent. */ gensec_status = status; if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) && !NT_STATUS_IS_OK(status)) { break; } if (NT_STATUS_IS_OK(status) && output.length == 0) { if (!first) break; } first = false; /* Perhaps we should make gensec_start_mech_by_sasl_list() return the name we got? */ msg = new_ldap_sasl_bind_msg(tmp_ctx, conn->gensec->ops->sasl_name, (output.data?&output:NULL)); if (msg == NULL) { status = NT_STATUS_NO_MEMORY; goto failed; } req = ldap_request_send(conn, msg); if (req == NULL) { status = NT_STATUS_NO_MEMORY; goto failed; } talloc_reparent(conn, tmp_ctx, req); status = ldap_result_n(req, 0, &response); if (!NT_STATUS_IS_OK(status)) { goto failed; } if (response->type != LDAP_TAG_BindResponse) { status = NT_STATUS_UNEXPECTED_NETWORK_ERROR; goto failed; } result = response->r.BindResponse.response.resultcode; if (result == LDAP_STRONG_AUTH_REQUIRED) { if (wrap_flags == 0) { wrap_flags = ADS_AUTH_SASL_SIGN; goto try_logon_again; } } if (result == LDAP_INVALID_CREDENTIALS) { /* try a second time on invalid credentials, to give the user a chance to re-enter the password and to handle the case where our kerberos ticket is invalid as the server password has changed */ const char *principal; principal = gensec_get_target_principal(conn->gensec); if (principal == NULL) { const char *hostname = gensec_get_target_hostname(conn->gensec); const char *service = gensec_get_target_service(conn->gensec); if (hostname != NULL && service != NULL) { principal = talloc_asprintf(tmp_ctx, "%s/%s", service, hostname); } } if (cli_credentials_failed_kerberos_login(creds, principal, &logon_retries) || cli_credentials_wrong_password(creds)) { /* destroy our gensec session and loop back up to the top to retry, offering the user a chance to enter new credentials, or get a new ticket if using kerberos */ goto try_logon_again; } } if (result != LDAP_SUCCESS && result != LDAP_SASL_BIND_IN_PROGRESS) { status = ldap_check_response(conn, &response->r.BindResponse.response); break; } /* This is where we check if GENSEC wanted to be fed more data */ if (!NT_STATUS_EQUAL(gensec_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { break; } if (response->r.BindResponse.SASL.secblob) { input = *response->r.BindResponse.SASL.secblob; } else { input = data_blob(NULL, 0); } } TALLOC_FREE(tmp_ctx); if (!NT_STATUS_IS_OK(status)) { goto failed; } conn->bind.type = LDAP_BIND_SASL; conn->bind.creds = creds; if (wrap_flags & ADS_AUTH_SASL_SEAL) { if (!gensec_have_feature(conn->gensec, GENSEC_FEATURE_SIGN)) { return NT_STATUS_INVALID_NETWORK_RESPONSE; } if (!gensec_have_feature(conn->gensec, GENSEC_FEATURE_SEAL)) { return NT_STATUS_INVALID_NETWORK_RESPONSE; } } else if (wrap_flags & ADS_AUTH_SASL_SIGN) { if (!gensec_have_feature(conn->gensec, GENSEC_FEATURE_SIGN)) { return NT_STATUS_INVALID_NETWORK_RESPONSE; } } if (!gensec_have_feature(conn->gensec, GENSEC_FEATURE_SIGN) && !gensec_have_feature(conn->gensec, GENSEC_FEATURE_SEAL)) { return NT_STATUS_OK; } status = gensec_create_tstream(conn->sockets.raw, conn->gensec, conn->sockets.raw, &conn->sockets.sasl); if (!NT_STATUS_IS_OK(status)) { goto failed; } conn->sockets.active = conn->sockets.sasl; return NT_STATUS_OK; failed: talloc_free(tmp_ctx); talloc_free(conn->gensec); conn->gensec = NULL; return status; }