/*
initialise a server_context from a open socket and register a event handler
for reading from that socket
*/
static void ldapsrv_accept(struct stream_connection *c,
struct auth_session_info *session_info)
{
struct ldapsrv_service *ldapsrv_service =
talloc_get_type(c->private_data, struct ldapsrv_service);
struct ldapsrv_connection *conn;
struct cli_credentials *server_credentials;
struct socket_address *socket_address;
NTSTATUS status;
int port;
conn = talloc_zero(c, struct ldapsrv_connection);
if (!conn) {
stream_terminate_connection(c, "ldapsrv_accept: out of memory");
return;
}
conn->packet = NULL;
conn->connection = c;
conn->service = ldapsrv_service;
conn->sockets.raw = c->socket;
conn->lp_ctx = ldapsrv_service->task->lp_ctx;
c->private_data = conn;
socket_address = socket_get_my_addr(c->socket, conn);
if (!socket_address) {
ldapsrv_terminate_connection(conn, "ldapsrv_accept: failed to obtain local socket address!");
return;
}
port = socket_address->port;
talloc_free(socket_address);
if (port == 636) {
struct socket_context *tls_socket = tls_init_server(ldapsrv_service->tls_params, c->socket,
c->event.fde, NULL);
if (!tls_socket) {
ldapsrv_terminate_connection(conn, "ldapsrv_accept: tls_init_server() failed");
return;
}
talloc_steal(c, tls_socket);
c->socket = tls_socket;
conn->sockets.tls = tls_socket;
} else if (port == 3268) /* Global catalog */ {
conn->global_catalog = true;
}
conn->packet = packet_init(conn);
if (conn->packet == NULL) {
ldapsrv_terminate_connection(conn, "out of memory");
return;
}
packet_set_private(conn->packet, conn);
packet_set_socket(conn->packet, c->socket);
packet_set_callback(conn->packet, ldapsrv_decode);
packet_set_full_request(conn->packet, ldap_full_packet);
packet_set_error_handler(conn->packet, ldapsrv_error_handler);
packet_set_event_context(conn->packet, c->event.ctx);
packet_set_fde(conn->packet, c->event.fde);
packet_set_serialise(conn->packet);
if (conn->sockets.tls) {
packet_set_unreliable_select(conn->packet);
}
/* Ensure we don't get packets until the database is ready below */
packet_recv_disable(conn->packet);
server_credentials = cli_credentials_init(conn);
if (!server_credentials) {
stream_terminate_connection(c, "Failed to init server credentials\n");
return;
}
cli_credentials_set_conf(server_credentials, conn->lp_ctx);
status = cli_credentials_set_machine_account(server_credentials, conn->lp_ctx);
if (!NT_STATUS_IS_OK(status)) {
stream_terminate_connection(c, talloc_asprintf(conn, "Failed to obtain server credentials, perhaps a standalone server?: %s\n", nt_errstr(status)));
return;
}
conn->server_credentials = server_credentials;
conn->session_info = talloc_move(conn, &session_info);
if (!NT_STATUS_IS_OK(ldapsrv_backend_Init(conn))) {
ldapsrv_terminate_connection(conn, "backend Init failed");
return;
}
/* load limits from the conf partition */
ldapsrv_load_limits(conn); /* should we fail on error ? */
/* register the server */
irpc_add_name(c->msg_ctx, "ldap_server");
/* set connections limits */
conn->limits.ite = event_add_timed(c->event.ctx, conn,
timeval_current_ofs(conn->limits.initial_timeout, 0),
ldapsrv_conn_init_timeout, conn);
packet_recv_enable(conn->packet);
}
static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call)
{
struct ldap_BindRequest *req = &call->request->r.BindRequest;
struct ldapsrv_reply *reply;
struct ldap_BindResponse *resp;
int result;
const char *errstr;
const char *nt4_domain, *nt4_account;
struct auth_session_info *session_info;
NTSTATUS status;
DEBUG(10, ("BindSimple dn: %s\n",req->dn));
reply = ldapsrv_init_reply(call, LDAP_TAG_BindResponse);
if (!reply) {
return NT_STATUS_NO_MEMORY;
}
if (req->dn != NULL &&
strlen(req->dn) != 0 &&
call->conn->require_strong_auth > LDAP_SERVER_REQUIRE_STRONG_AUTH_NO &&
call->conn->sockets.active != call->conn->sockets.tls)
{
status = NT_STATUS_NETWORK_ACCESS_DENIED;
result = LDAP_STRONG_AUTH_REQUIRED;
errstr = talloc_asprintf(reply,
"BindSimple: Transport encryption required.");
goto do_reply;
}
status = crack_auto_name_to_nt4_name(call, call->conn->connection->event.ctx, call->conn->lp_ctx, req->dn, &nt4_domain, &nt4_account);
if (NT_STATUS_IS_OK(status)) {
status = authenticate_username_pw(call,
call->conn->connection->event.ctx,
call->conn->connection->msg_ctx,
call->conn->lp_ctx,
nt4_domain, nt4_account,
req->creds.password,
MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT |
MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT,
&session_info);
}
if (NT_STATUS_IS_OK(status)) {
result = LDAP_SUCCESS;
errstr = NULL;
talloc_unlink(call->conn, call->conn->session_info);
call->conn->session_info = talloc_steal(call->conn, session_info);
/* don't leak the old LDB */
talloc_unlink(call->conn, call->conn->ldb);
status = ldapsrv_backend_Init(call->conn);
if (!NT_STATUS_IS_OK(status)) {
result = LDAP_OPERATIONS_ERROR;
errstr = talloc_asprintf(reply, "Simple Bind: Failed to advise ldb new credentials: %s", nt_errstr(status));
}
} else {
status = nt_status_squash(status);
result = LDAP_INVALID_CREDENTIALS;
errstr = talloc_asprintf(reply, "Simple Bind Failed: %s", nt_errstr(status));
}
do_reply:
resp = &reply->msg->r.BindResponse;
resp->response.resultcode = result;
resp->response.errormessage = errstr;
resp->response.dn = NULL;
resp->response.referral = NULL;
resp->SASL.secblob = NULL;
ldapsrv_queue_reply(call, reply);
return NT_STATUS_OK;
}
/*
initialise a server_context from a open socket and register a event handler
for reading from that socket
*/
static void ldapsrv_accept(struct stream_connection *c,
struct auth_session_info *session_info,
bool is_privileged)
{
struct ldapsrv_service *ldapsrv_service =
talloc_get_type(c->private_data, struct ldapsrv_service);
struct ldapsrv_connection *conn;
struct cli_credentials *server_credentials;
struct socket_address *socket_address;
NTSTATUS status;
int port;
int ret;
struct tevent_req *subreq;
struct timeval endtime;
conn = talloc_zero(c, struct ldapsrv_connection);
if (!conn) {
stream_terminate_connection(c, "ldapsrv_accept: out of memory");
return;
}
conn->is_privileged = is_privileged;
conn->sockets.send_queue = tevent_queue_create(conn, "ldapsev send queue");
if (conn->sockets.send_queue == NULL) {
stream_terminate_connection(c,
"ldapsrv_accept: tevent_queue_create failed");
return;
}
TALLOC_FREE(c->event.fde);
ret = tstream_bsd_existing_socket(conn,
socket_get_fd(c->socket),
&conn->sockets.raw);
if (ret == -1) {
stream_terminate_connection(c,
"ldapsrv_accept: out of memory");
return;
}
socket_set_flags(c->socket, SOCKET_FLAG_NOCLOSE);
conn->connection = c;
conn->service = ldapsrv_service;
conn->lp_ctx = ldapsrv_service->task->lp_ctx;
c->private_data = conn;
socket_address = socket_get_my_addr(c->socket, conn);
if (!socket_address) {
ldapsrv_terminate_connection(conn, "ldapsrv_accept: failed to obtain local socket address!");
return;
}
port = socket_address->port;
talloc_free(socket_address);
if (port == 3268 || port == 3269) /* Global catalog */ {
conn->global_catalog = true;
}
server_credentials = cli_credentials_init(conn);
if (!server_credentials) {
stream_terminate_connection(c, "Failed to init server credentials\n");
return;
}
cli_credentials_set_conf(server_credentials, conn->lp_ctx);
status = cli_credentials_set_machine_account(server_credentials, conn->lp_ctx);
if (!NT_STATUS_IS_OK(status)) {
stream_terminate_connection(c, talloc_asprintf(conn, "Failed to obtain server credentials, perhaps a standalone server?: %s\n", nt_errstr(status)));
return;
}
conn->server_credentials = server_credentials;
conn->session_info = session_info;
if (!NT_STATUS_IS_OK(ldapsrv_backend_Init(conn))) {
ldapsrv_terminate_connection(conn, "backend Init failed");
return;
}
/* load limits from the conf partition */
ldapsrv_load_limits(conn); /* should we fail on error ? */
/* register the server */
irpc_add_name(c->msg_ctx, "ldap_server");
conn->sockets.active = conn->sockets.raw;
if (port != 636 && port != 3269) {
ldapsrv_call_read_next(conn);
return;
}
endtime = timeval_current_ofs(conn->limits.conn_idle_time, 0);
subreq = tstream_tls_accept_send(conn,
conn->connection->event.ctx,
conn->sockets.raw,
conn->service->tls_params);
if (subreq == NULL) {
ldapsrv_terminate_connection(conn, "ldapsrv_accept: "
"no memory for tstream_tls_accept_send");
return;
}
tevent_req_set_endtime(subreq,
conn->connection->event.ctx,
endtime);
tevent_req_set_callback(subreq, ldapsrv_accept_tls_done, conn);
}
