search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3:winbindd: Call winbind_add_failed_connection_entry() for the correct dc name
[samba4-gss.git] / source4 / ldap_server / ldap_server.c
blob38c29be3ecbbd37ff40baf38968eb22df5f10dbe
1 /*
2 Unix SMB/CIFS implementation.
3
4 LDAP server
5
6 Copyright (C) Andrew Tridgell 2005
7 Copyright (C) Volker Lendecke 2004
8 Copyright (C) Stefan Metzmacher 2004
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "system/network.h"
26 #include "lib/events/events.h"
27 #include "auth/auth.h"
28 #include "auth/credentials/credentials.h"
29 #include "librpc/gen_ndr/ndr_samr.h"
30 #include "../lib/util/dlinklist.h"
31 #include "../lib/util/asn1.h"
32 #include "ldap_server/ldap_server.h"
33 #include "samba/service_task.h"
34 #include "samba/service_stream.h"
35 #include "samba/service.h"
36 #include "samba/process_model.h"
37 #include "lib/tls/tls.h"
38 #include "lib/messaging/irpc.h"
39 #include <ldb.h>
40 #include <ldb_errors.h>
41 #include "libcli/ldap/ldap_proto.h"
42 #include "system/network.h"
43 #include "lib/socket/netif.h"
44 #include "dsdb/samdb/samdb.h"
45 #include "param/param.h"
46 #include "../lib/tsocket/tsocket.h"
47 #include "../lib/util/tevent_ntstatus.h"
48 #include "../libcli/util/tstream.h"
49 #include "libds/common/roles.h"
50 #include "lib/util/time.h"
51 #include "lib/util/server_id.h"
52 #include "lib/util/server_id_db.h"
53 #include "lib/messaging/messaging_internal.h"
54
55 #undef strcasecmp
56
57 static void ldapsrv_terminate_connection_done(struct tevent_req *subreq);
58
59 /*
60 close the socket and shutdown a server_context
61 */
62 static void ldapsrv_terminate_connection(struct ldapsrv_connection *conn,
63 const char *reason)
64 {
65 struct tevent_req *subreq;
66
67 if (conn->limits.reason) {
68 return;
69 }
70
71 DLIST_REMOVE(conn->service->connections, conn);
72
73 conn->limits.endtime = timeval_current_ofs(0, 500);
74
75 tevent_queue_stop(conn->sockets.send_queue);
76 TALLOC_FREE(conn->sockets.read_req);
77 TALLOC_FREE(conn->deferred_expire_disconnect);
78 if (conn->active_call) {
79 tevent_req_cancel(conn->active_call);
80 conn->active_call = NULL;
81 }
82
83 conn->limits.reason = talloc_strdup(conn, reason);
84 if (conn->limits.reason == NULL) {
85 TALLOC_FREE(conn->sockets.tls);
86 TALLOC_FREE(conn->sockets.sasl);
87 TALLOC_FREE(conn->sockets.raw);
88 stream_terminate_connection(conn->connection, reason);
89 return;
90 }
91
92 subreq = tstream_disconnect_send(conn,
93 conn->connection->event.ctx,
94 conn->sockets.active);
95 if (subreq == NULL) {
96 TALLOC_FREE(conn->sockets.tls);
97 TALLOC_FREE(conn->sockets.sasl);
98 TALLOC_FREE(conn->sockets.raw);
99 stream_terminate_connection(conn->connection, reason);
100 return;
101 }
102 tevent_req_set_endtime(subreq,
103 conn->connection->event.ctx,
104 conn->limits.endtime);
105 tevent_req_set_callback(subreq, ldapsrv_terminate_connection_done, conn);
106 }
107
108 static void ldapsrv_terminate_connection_done(struct tevent_req *subreq)
109 {
110 struct ldapsrv_connection *conn =
111 tevent_req_callback_data(subreq,
112 struct ldapsrv_connection);
113 int sys_errno;
114 bool ok;
115
116 tstream_disconnect_recv(subreq, &sys_errno);
117 TALLOC_FREE(subreq);
118
119 if (conn->sockets.active == conn->sockets.raw) {
120 TALLOC_FREE(conn->sockets.tls);
121 TALLOC_FREE(conn->sockets.sasl);
122 TALLOC_FREE(conn->sockets.raw);
123 stream_terminate_connection(conn->connection,
124 conn->limits.reason);
125 return;
126 }
127
128 TALLOC_FREE(conn->sockets.tls);
129 TALLOC_FREE(conn->sockets.sasl);
130 conn->sockets.active = conn->sockets.raw;
131
132 subreq = tstream_disconnect_send(conn,
133 conn->connection->event.ctx,
134 conn->sockets.active);
135 if (subreq == NULL) {
136 TALLOC_FREE(conn->sockets.raw);
137 stream_terminate_connection(conn->connection,
138 conn->limits.reason);
139 return;
140 }
141 ok = tevent_req_set_endtime(subreq,
142 conn->connection->event.ctx,
143 conn->limits.endtime);
144 if (!ok) {
145 TALLOC_FREE(conn->sockets.raw);
146 stream_terminate_connection(conn->connection,
147 conn->limits.reason);
148 return;
149 }
150 tevent_req_set_callback(subreq, ldapsrv_terminate_connection_done, conn);
151 }
152
153 /*
154 called when a LDAP socket becomes readable
155 */
156 void ldapsrv_recv(struct stream_connection *c, uint16_t flags)
157 {
158 smb_panic(__location__);
159 }
160
161 /*
162 called when a LDAP socket becomes writable
163 */
164 static void ldapsrv_send(struct stream_connection *c, uint16_t flags)
165 {
166 smb_panic(__location__);
167 }
168
169 static int ldapsrv_load_limits(struct ldapsrv_connection *conn)
170 {
171 TALLOC_CTX *tmp_ctx;
172 const char *attrs[] = { "configurationNamingContext", NULL };
173 const char *attrs2[] = { "lDAPAdminLimits", NULL };
174 struct ldb_message_element *el;
175 struct ldb_result *res = NULL;
176 struct ldb_dn *basedn;
177 struct ldb_dn *conf_dn;
178 struct ldb_dn *policy_dn;
179 unsigned int i;
180 int ret;
181
182 /* set defaults limits in case of failure */
183 conn->limits.initial_timeout = 120;
184 conn->limits.conn_idle_time = 900;
185 conn->limits.max_page_size = 1000;
186 conn->limits.max_notifications = 5;
187 conn->limits.search_timeout = 120;
188 conn->limits.expire_time = (struct timeval) {
189 .tv_sec = get_time_t_max(),
190 };
191
192
193 tmp_ctx = talloc_new(conn);
194 if (tmp_ctx == NULL) {
195 return -1;
196 }
197
198 basedn = ldb_dn_new(tmp_ctx, conn->ldb, NULL);
199 if (basedn == NULL) {
200 goto failed;
201 }
202
203 ret = ldb_search(conn->ldb, tmp_ctx, &res, basedn, LDB_SCOPE_BASE, attrs, NULL);
204 if (ret != LDB_SUCCESS) {
205 goto failed;
206 }
207
208 if (res->count != 1) {
209 goto failed;
210 }
211
212 conf_dn = ldb_msg_find_attr_as_dn(conn->ldb, tmp_ctx, res->msgs[0], "configurationNamingContext");
213 if (conf_dn == NULL) {
214 goto failed;
215 }
216
217 policy_dn = ldb_dn_copy(tmp_ctx, conf_dn);
218 ldb_dn_add_child_fmt(policy_dn, "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services");
219 if (policy_dn == NULL) {
220 goto failed;
221 }
222
223 ret = ldb_search(conn->ldb, tmp_ctx, &res, policy_dn, LDB_SCOPE_BASE, attrs2, NULL);
224 if (ret != LDB_SUCCESS) {
225 goto failed;
226 }
227
228 if (res->count != 1) {
229 goto failed;
230 }
231
232 el = ldb_msg_find_element(res->msgs[0], "lDAPAdminLimits");
233 if (el == NULL) {
234 goto failed;
235 }
236
237 for (i = 0; i < el->num_values; i++) {
238 char policy_name[256];
239 int policy_value, s;
240
241 s = sscanf((const char *)el->values[i].data, "%255[^=]=%d", policy_name, &policy_value);
242 if (s != 2 || policy_value == 0)
243 continue;
244 if (strcasecmp("InitRecvTimeout", policy_name) == 0) {
245 conn->limits.initial_timeout = policy_value;
246 continue;
247 }
248 if (strcasecmp("MaxConnIdleTime", policy_name) == 0) {
249 conn->limits.conn_idle_time = policy_value;
250 continue;
251 }
252 if (strcasecmp("MaxPageSize", policy_name) == 0) {
253 conn->limits.max_page_size = policy_value;
254 continue;
255 }
256 if (strcasecmp("MaxNotificationPerConn", policy_name) == 0) {
257 conn->limits.max_notifications = policy_value;
258 continue;
259 }
260 if (strcasecmp("MaxQueryDuration", policy_name) == 0) {
261 if (policy_value > 0) {
262 conn->limits.search_timeout = policy_value;
263 }
264 continue;
265 }
266 }
267
268 return 0;
269
270 failed:
271 DBG_ERR("Failed to load ldap server query policies\n");
272 talloc_free(tmp_ctx);
273 return -1;
274 }
275
276 static int ldapsrv_call_destructor(struct ldapsrv_call *call)
277 {
278 if (call->conn == NULL) {
279 return 0;
280 }
281
282 DLIST_REMOVE(call->conn->pending_calls, call);
283
284 call->conn = NULL;
285 return 0;
286 }
287
288 static struct tevent_req *ldapsrv_process_call_send(TALLOC_CTX *mem_ctx,
289 struct tevent_context *ev,
290 struct tevent_queue *call_queue,
291 struct ldapsrv_call *call);
292 static NTSTATUS ldapsrv_process_call_recv(struct tevent_req *req);
293
294 static bool ldapsrv_call_read_next(struct ldapsrv_connection *conn);
295 static void ldapsrv_accept_tls_done(struct tevent_req *subreq);
296
297 /*
298 initialise a server_context from a open socket and register a event handler
299 for reading from that socket
300 */
301 static void ldapsrv_accept(struct stream_connection *c,
302 struct auth_session_info *session_info,
303 bool is_privileged)
304 {
305 struct ldapsrv_service *ldapsrv_service =
306 talloc_get_type(c->private_data, struct ldapsrv_service);
307 struct ldapsrv_connection *conn;
308 struct cli_credentials *server_credentials;
309 struct socket_address *socket_address;
310 int port;
311 int ret;
312 struct tevent_req *subreq;
313 struct timeval endtime;
314 char *errstring = NULL;
315
316 conn = talloc_zero(c, struct ldapsrv_connection);
317 if (!conn) {
318 stream_terminate_connection(c, "ldapsrv_accept: out of memory");
319 return;
320 }
321 conn->is_privileged = is_privileged;
322
323 conn->sockets.send_queue = tevent_queue_create(conn, "ldapsev send queue");
324 if (conn->sockets.send_queue == NULL) {
325 stream_terminate_connection(c,
326 "ldapsrv_accept: tevent_queue_create failed");
327 return;
328 }
329
330 TALLOC_FREE(c->event.fde);
331
332 ret = tstream_bsd_existing_socket(conn,
333 socket_get_fd(c->socket),
334 &conn->sockets.raw);
335 if (ret == -1) {
336 stream_terminate_connection(c,
337 "ldapsrv_accept: out of memory");
338 return;
339 }
340 socket_set_flags(c->socket, SOCKET_FLAG_NOCLOSE);
341
342 conn->connection = c;
343 conn->service = ldapsrv_service;
344 conn->lp_ctx = ldapsrv_service->lp_ctx;
345
346 c->private_data = conn;
347
348 socket_address = socket_get_my_addr(c->socket, conn);
349 if (!socket_address) {
350 ldapsrv_terminate_connection(conn, "ldapsrv_accept: failed to obtain local socket address!");
351 return;
352 }
353 port = socket_address->port;
354 talloc_free(socket_address);
355 if (port == 3268 || port == 3269) /* Global catalog */ {
356 conn->global_catalog = true;
357 }
358
359 server_credentials = cli_credentials_init_server(conn, conn->lp_ctx);
360 if (!server_credentials) {
361 stream_terminate_connection(c, "Failed to init server credentials\n");
362 return;
363 }
364
365 conn->server_credentials = server_credentials;
366
367 conn->session_info = session_info;
368
369 conn->sockets.active = conn->sockets.raw;
370
371 if (conn->is_privileged) {
372 conn->require_strong_auth = LDAP_SERVER_REQUIRE_STRONG_AUTH_NO;
373 } else {
374 conn->require_strong_auth = lpcfg_ldap_server_require_strong_auth(conn->lp_ctx);
375 }
376
377 ret = ldapsrv_backend_Init(conn, &errstring);
378 if (ret != LDB_SUCCESS) {
379 char *reason = talloc_asprintf(conn,
380 "LDB backend for LDAP Init "
381 "failed: %s: %s",
382 errstring, ldb_strerror(ret));
383 ldapsrv_terminate_connection(conn, reason);
384 return;
385 }
386
387 /* load limits from the conf partition */
388 ldapsrv_load_limits(conn); /* should we fail on error ? */
389
390 /* register the server */
391 irpc_add_name(c->msg_ctx, "ldap_server");
392
393 DLIST_ADD_END(ldapsrv_service->connections, conn);
394
395 if (port != 636 && port != 3269) {
396 ldapsrv_call_read_next(conn);
397 return;
398 }
399
400 endtime = timeval_current_ofs(conn->limits.conn_idle_time, 0);
401
402 subreq = tstream_tls_accept_send(conn,
403 conn->connection->event.ctx,
404 conn->sockets.raw,
405 conn->service->tls_params);
406 if (subreq == NULL) {
407 ldapsrv_terminate_connection(conn, "ldapsrv_accept: "
408 "no memory for tstream_tls_accept_send");
409 return;
410 }
411 tevent_req_set_endtime(subreq,
412 conn->connection->event.ctx,
413 endtime);
414 tevent_req_set_callback(subreq, ldapsrv_accept_tls_done, conn);
415 }
416
417 static void ldapsrv_accept_tls_done(struct tevent_req *subreq)
418 {
419 struct ldapsrv_connection *conn =
420 tevent_req_callback_data(subreq,
421 struct ldapsrv_connection);
422 int ret;
423 int sys_errno;
424
425 ret = tstream_tls_accept_recv(subreq, &sys_errno,
426 conn, &conn->sockets.tls);
427 TALLOC_FREE(subreq);
428 if (ret == -1) {
429 const char *reason;
430
431 reason = talloc_asprintf(conn, "ldapsrv_accept_tls_loop: "
432 "tstream_tls_accept_recv() - %d:%s",
433 sys_errno, strerror(sys_errno));
434 if (!reason) {
435 reason = "ldapsrv_accept_tls_loop: "
436 "tstream_tls_accept_recv() - failed";
437 }
438
439 ldapsrv_terminate_connection(conn, reason);
440 return;
441 }
442
443 conn->sockets.active = conn->sockets.tls;
444 conn->referral_scheme = LDAP_REFERRAL_SCHEME_LDAPS;
445 ldapsrv_call_read_next(conn);
446 }
447
448 static void ldapsrv_call_read_done(struct tevent_req *subreq);
449 static NTSTATUS ldapsrv_packet_check(
450 void *private_data,
451 DATA_BLOB blob,
452 size_t *packet_size);
453
454 static bool ldapsrv_call_read_next(struct ldapsrv_connection *conn)
455 {
456 struct tevent_req *subreq;
457
458 if (conn->pending_calls != NULL) {
459 conn->limits.endtime = timeval_zero();
460
461 ldapsrv_notification_retry_setup(conn->service, false);
462 } else if (timeval_is_zero(&conn->limits.endtime)) {
463 conn->limits.endtime =
464 timeval_current_ofs(conn->limits.initial_timeout, 0);
465 } else {
466 conn->limits.endtime =
467 timeval_current_ofs(conn->limits.conn_idle_time, 0);
468 }
469
470 if (conn->sockets.read_req != NULL) {
471 return true;
472 }
473
474 /*
475 * The minimum size of a LDAP pdu is 7 bytes
476 *
477 * dumpasn1 -hh ldap-unbind-min.dat
478 *
479 * <30 05 02 01 09 42 00>
480 * 0 5: SEQUENCE {
481 * <02 01 09>
482 * 2 1: INTEGER 9
483 * <42 00>
484 * 5 0: [APPLICATION 2]
485 * : Error: Object has zero length.
486 * : }
487 *
488 * dumpasn1 -hh ldap-unbind-windows.dat
489 *
490 * <30 84 00 00 00 05 02 01 09 42 00>
491 * 0 5: SEQUENCE {
492 * <02 01 09>
493 * 6 1: INTEGER 9
494 * <42 00>
495 * 9 0: [APPLICATION 2]
496 * : Error: Object has zero length.
497 * : }
498 *
499 * This means using an initial read size
500 * of 7 is ok.
501 */
502 subreq = tstream_read_pdu_blob_send(conn,
503 conn->connection->event.ctx,
504 conn->sockets.active,
505 7, /* initial_read_size */
506 ldapsrv_packet_check,
507 conn);
508 if (subreq == NULL) {
509 ldapsrv_terminate_connection(conn, "ldapsrv_call_read_next: "
510 "no memory for tstream_read_pdu_blob_send");
511 return false;
512 }
513 if (!timeval_is_zero(&conn->limits.endtime)) {
514 bool ok;
515 ok = tevent_req_set_endtime(subreq,
516 conn->connection->event.ctx,
517 conn->limits.endtime);
518 if (!ok) {
519 ldapsrv_terminate_connection(
520 conn,
521 "ldapsrv_call_read_next: "
522 "no memory for tevent_req_set_endtime");
523 return false;
524 }
525 }
526 tevent_req_set_callback(subreq, ldapsrv_call_read_done, conn);
527 conn->sockets.read_req = subreq;
528 return true;
529 }
530
531 static void ldapsrv_call_process_done(struct tevent_req *subreq);
532 static int ldapsrv_check_packet_size(
533 struct ldapsrv_connection *conn,
534 size_t size);
535
536 static void ldapsrv_call_read_done(struct tevent_req *subreq)
537 {
538 struct ldapsrv_connection *conn =
539 tevent_req_callback_data(subreq,
540 struct ldapsrv_connection);
541 NTSTATUS status;
542 struct ldapsrv_call *call;
543 struct asn1_data *asn1;
544 DATA_BLOB blob;
545 int ret = LDAP_SUCCESS;
546 struct ldap_request_limits limits = {0};
547
548 conn->sockets.read_req = NULL;
549
550 call = talloc_zero(conn, struct ldapsrv_call);
551 if (!call) {
552 ldapsrv_terminate_connection(conn, "no memory");
553 return;
554 }
555 talloc_set_destructor(call, ldapsrv_call_destructor);
556
557 call->conn = conn;
558
559 status = tstream_read_pdu_blob_recv(subreq,
560 call,
561 &blob);
562 TALLOC_FREE(subreq);
563 if (!NT_STATUS_IS_OK(status)) {
564 const char *reason;
565
566 reason = talloc_asprintf(call, "ldapsrv_call_loop: "
567 "tstream_read_pdu_blob_recv() - %s",
568 nt_errstr(status));
569 if (!reason) {
570 reason = nt_errstr(status);
571 }
572
573 ldapsrv_terminate_connection(conn, reason);
574 return;
575 }
576
577 ret = ldapsrv_check_packet_size(conn, blob.length);
578 if (ret != LDAP_SUCCESS) {
579 ldapsrv_terminate_connection(
580 conn,
581 "Request packet too large");
582 return;
583 }
584
585 asn1 = asn1_init(call, ASN1_MAX_TREE_DEPTH);
586 if (asn1 == NULL) {
587 ldapsrv_terminate_connection(conn, "no memory");
588 return;
589 }
590
591 call->request = talloc(call, struct ldap_message);
592 if (call->request == NULL) {
593 ldapsrv_terminate_connection(conn, "no memory");
594 return;
595 }
596
597 asn1_load_nocopy(asn1, blob.data, blob.length);
598
599 limits.max_search_size =
600 lpcfg_ldap_max_search_request_size(conn->lp_ctx);
601 status = ldap_decode(
602 asn1,
603 &limits,
604 samba_ldap_control_handlers(),
605 call->request);
606 if (!NT_STATUS_IS_OK(status)) {
607 ldapsrv_terminate_connection(conn, nt_errstr(status));
608 return;
609 }
610
611 data_blob_free(&blob);
612 TALLOC_FREE(asn1);
613
614
615 /* queue the call in the global queue */
616 subreq = ldapsrv_process_call_send(call,
617 conn->connection->event.ctx,
618 conn->service->call_queue,
619 call);
620 if (subreq == NULL) {
621 ldapsrv_terminate_connection(conn, "ldapsrv_process_call_send failed");
622 return;
623 }
624 tevent_req_set_callback(subreq, ldapsrv_call_process_done, call);
625 conn->active_call = subreq;
626 }
627
628 static void ldapsrv_call_wait_done(struct tevent_req *subreq);
629 static void ldapsrv_call_writev_start(struct ldapsrv_call *call);
630 static void ldapsrv_call_writev_done(struct tevent_req *subreq);
631
632 static void ldapsrv_call_process_done(struct tevent_req *subreq)
633 {
634 struct ldapsrv_call *call =
635 tevent_req_callback_data(subreq,
636 struct ldapsrv_call);
637 struct ldapsrv_connection *conn = call->conn;
638 NTSTATUS status;
639
640 conn->active_call = NULL;
641
642 status = ldapsrv_process_call_recv(subreq);
643 TALLOC_FREE(subreq);
644 if (!NT_STATUS_IS_OK(status)) {
645 ldapsrv_terminate_connection(conn, nt_errstr(status));
646 return;
647 }
648
649 if (call->wait_send != NULL) {
650 subreq = call->wait_send(call,
651 conn->connection->event.ctx,
652 call->wait_private);
653 if (subreq == NULL) {
654 ldapsrv_terminate_connection(conn,
655 "ldapsrv_call_process_done: "
656 "call->wait_send - no memory");
657 return;
658 }
659 tevent_req_set_callback(subreq,
660 ldapsrv_call_wait_done,
661 call);
662 conn->active_call = subreq;
663 return;
664 }
665
666 ldapsrv_call_writev_start(call);
667 }
668
669 static void ldapsrv_call_wait_done(struct tevent_req *subreq)
670 {
671 struct ldapsrv_call *call =
672 tevent_req_callback_data(subreq,
673 struct ldapsrv_call);
674 struct ldapsrv_connection *conn = call->conn;
675 NTSTATUS status;
676
677 conn->active_call = NULL;
678
679 status = call->wait_recv(subreq);
680 TALLOC_FREE(subreq);
681 if (!NT_STATUS_IS_OK(status)) {
682 const char *reason;
683
684 reason = talloc_asprintf(call, "ldapsrv_call_wait_done: "
685 "call->wait_recv() - %s",
686 nt_errstr(status));
687 if (reason == NULL) {
688 reason = nt_errstr(status);
689 }
690
691 ldapsrv_terminate_connection(conn, reason);
692 return;
693 }
694
695 ldapsrv_call_writev_start(call);
696 }
697
698 static void ldapsrv_call_writev_start(struct ldapsrv_call *call)
699 {
700 struct ldapsrv_connection *conn = call->conn;
701 struct ldapsrv_reply *reply = NULL;
702 struct tevent_req *subreq = NULL;
703 struct timeval endtime;
704 size_t length = 0;
705 size_t i;
706
707 call->iov_count = 0;
708
709 /* build all the replies into an IOV (no copy) */
710 for (reply = call->replies;
711 reply != NULL;
712 reply = reply->next) {
713
714 /* Cap output at 25MB per writev() */
715 if (length > length + reply->blob.length
716 || length + reply->blob.length > LDAP_SERVER_MAX_CHUNK_SIZE) {
717 break;
718 }
719
720 /*
721 * Overflow is harmless here, just used below to
722 * decide if to read or write, but checked above anyway
723 */
724 length += reply->blob.length;
725
726 /*
727 * At worst an overflow would mean we send less
728 * replies
729 */
730 call->iov_count++;
731 }
732
733 if (length == 0) {
734 if (!call->notification.busy) {
735 TALLOC_FREE(call);
736 }
737
738 ldapsrv_call_read_next(conn);
739 return;
740 }
741
742 /* Cap call->iov_count at IOV_MAX */
743 call->iov_count = MIN(call->iov_count, IOV_MAX);
744
745 call->out_iov = talloc_array(call,
746 struct iovec,
747 call->iov_count);
748 if (!call->out_iov) {
749 /* This is not ideal */
750 ldapsrv_terminate_connection(conn,
751 "failed to allocate "
752 "iovec array");
753 return;
754 }
755
756 /* We may have had to cap the number of replies at IOV_MAX */
757 for (i = 0;
758 i < call->iov_count && call->replies != NULL;
759 i++) {
760 reply = call->replies;
761 call->out_iov[i].iov_base = reply->blob.data;
762 call->out_iov[i].iov_len = reply->blob.length;
763
764 /* Keep only the ASN.1 encoded data */
765 talloc_steal(call->out_iov, reply->blob.data);
766
767 DLIST_REMOVE(call->replies, reply);
768 TALLOC_FREE(reply);
769 }
770
771 if (i > call->iov_count) {
772 /* This is not ideal, but also (essentially) impossible */
773 ldapsrv_terminate_connection(conn,
774 "call list ended"
775 "before iov_count");
776 return;
777 }
778
779 subreq = tstream_writev_queue_send(call,
780 conn->connection->event.ctx,
781 conn->sockets.active,
782 conn->sockets.send_queue,
783 call->out_iov, call->iov_count);
784 if (subreq == NULL) {
785 ldapsrv_terminate_connection(conn, "stream_writev_queue_send failed");
786 return;
787 }
788 endtime = timeval_current_ofs(conn->limits.conn_idle_time, 0);
789 tevent_req_set_endtime(subreq,
790 conn->connection->event.ctx,
791 endtime);
792 tevent_req_set_callback(subreq, ldapsrv_call_writev_done, call);
793 }
794
795 static void ldapsrv_call_postprocess_done(struct tevent_req *subreq);
796
797 static void ldapsrv_call_writev_done(struct tevent_req *subreq)
798 {
799 struct ldapsrv_call *call =
800 tevent_req_callback_data(subreq,
801 struct ldapsrv_call);
802 struct ldapsrv_connection *conn = call->conn;
803 int sys_errno;
804 int rc;
805
806 rc = tstream_writev_queue_recv(subreq, &sys_errno);
807 TALLOC_FREE(subreq);
808
809 /* This releases the ASN.1 encoded packets from memory */
810 TALLOC_FREE(call->out_iov);
811 if (rc == -1) {
812 const char *reason;
813
814 reason = talloc_asprintf(call, "ldapsrv_call_writev_done: "
815 "tstream_writev_queue_recv() - %d:%s",
816 sys_errno, strerror(sys_errno));
817 if (reason == NULL) {
818 reason = "ldapsrv_call_writev_done: "
819 "tstream_writev_queue_recv() failed";
820 }
821
822 ldapsrv_terminate_connection(conn, reason);
823 return;
824 }
825
826 if (call->postprocess_send) {
827 subreq = call->postprocess_send(call,
828 conn->connection->event.ctx,
829 call->postprocess_private);
830 if (subreq == NULL) {
831 ldapsrv_terminate_connection(conn, "ldapsrv_call_writev_done: "
832 "call->postprocess_send - no memory");
833 return;
834 }
835 tevent_req_set_callback(subreq,
836 ldapsrv_call_postprocess_done,
837 call);
838 return;
839 }
840
841 /* Perhaps still some more to send */
842 if (call->replies != NULL) {
843 ldapsrv_call_writev_start(call);
844 return;
845 }
846
847 if (!call->notification.busy) {
848 TALLOC_FREE(call);
849 }
850
851 ldapsrv_call_read_next(conn);
852 }
853
854 static void ldapsrv_call_postprocess_done(struct tevent_req *subreq)
855 {
856 struct ldapsrv_call *call =
857 tevent_req_callback_data(subreq,
858 struct ldapsrv_call);
859 struct ldapsrv_connection *conn = call->conn;
860 NTSTATUS status;
861
862 status = call->postprocess_recv(subreq);
863 TALLOC_FREE(subreq);
864 if (!NT_STATUS_IS_OK(status)) {
865 const char *reason;
866
867 reason = talloc_asprintf(call, "ldapsrv_call_postprocess_done: "
868 "call->postprocess_recv() - %s",
869 nt_errstr(status));
870 if (reason == NULL) {
871 reason = nt_errstr(status);
872 }
873
874 ldapsrv_terminate_connection(conn, reason);
875 return;
876 }
877
878 TALLOC_FREE(call);
879
880 ldapsrv_call_read_next(conn);
881 }
882
883 static void ldapsrv_notification_retry_done(struct tevent_req *subreq);
884
885 void ldapsrv_notification_retry_setup(struct ldapsrv_service *service, bool force)
886 {
887 struct ldapsrv_connection *conn = NULL;
888 struct timeval retry;
889 size_t num_pending = 0;
890 size_t num_active = 0;
891
892 if (force) {
893 TALLOC_FREE(service->notification.retry);
894 service->notification.generation += 1;
895 }
896
897 if (service->notification.retry != NULL) {
898 return;
899 }
900
901 for (conn = service->connections; conn != NULL; conn = conn->next) {
902 if (conn->pending_calls == NULL) {
903 continue;
904 }
905
906 num_pending += 1;
907
908 if (conn->pending_calls->notification.generation !=
909 service->notification.generation)
910 {
911 num_active += 1;
912 }
913 }
914
915 if (num_pending == 0) {
916 return;
917 }
918
919 if (num_active != 0) {
920 retry = timeval_current_ofs(0, 100);
921 } else {
922 retry = timeval_current_ofs(5, 0);
923 }
924
925 service->notification.retry = tevent_wakeup_send(service,
926 service->current_ev,
927 retry);
928 if (service->notification.retry == NULL) {
929 /* retry later */
930 return;
931 }
932
933 tevent_req_set_callback(service->notification.retry,
934 ldapsrv_notification_retry_done,
935 service);
936 }
937
938 static void ldapsrv_notification_retry_done(struct tevent_req *subreq)
939 {
940 struct ldapsrv_service *service =
941 tevent_req_callback_data(subreq,
942 struct ldapsrv_service);
943 struct ldapsrv_connection *conn = NULL;
944 struct ldapsrv_connection *conn_next = NULL;
945 bool ok;
946
947 service->notification.retry = NULL;
948
949 ok = tevent_wakeup_recv(subreq);
950 TALLOC_FREE(subreq);
951 if (!ok) {
952 /* ignore */
953 }
954
955 for (conn = service->connections; conn != NULL; conn = conn_next) {
956 struct ldapsrv_call *call = conn->pending_calls;
957
958 conn_next = conn->next;
959
960 if (conn->pending_calls == NULL) {
961 continue;
962 }
963
964 if (conn->active_call != NULL) {
965 continue;
966 }
967
968 DLIST_DEMOTE(conn->pending_calls, call);
969 call->notification.generation =
970 service->notification.generation;
971
972 /* queue the call in the global queue */
973 subreq = ldapsrv_process_call_send(call,
974 conn->connection->event.ctx,
975 conn->service->call_queue,
976 call);
977 if (subreq == NULL) {
978 ldapsrv_terminate_connection(conn,
979 "ldapsrv_process_call_send failed");
980 continue;
981 }
982 tevent_req_set_callback(subreq, ldapsrv_call_process_done, call);
983 conn->active_call = subreq;
984 }
985
986 ldapsrv_notification_retry_setup(service, false);
987 }
988
989 struct ldapsrv_process_call_state {
990 struct ldapsrv_call *call;
991 };
992
993 static void ldapsrv_process_call_trigger(struct tevent_req *req,
994 void *private_data);
995
996 static struct tevent_req *ldapsrv_process_call_send(TALLOC_CTX *mem_ctx,
997 struct tevent_context *ev,
998 struct tevent_queue *call_queue,
999 struct ldapsrv_call *call)
1000 {
1001 struct tevent_req *req;
1002 struct ldapsrv_process_call_state *state;
1003 bool ok;
1004
1005 req = tevent_req_create(mem_ctx, &state,
1006 struct ldapsrv_process_call_state);
1007 if (req == NULL) {
1008 return req;
1009 }
1010
1011 state->call = call;
1012
1013 ok = tevent_queue_add(call_queue, ev, req,
1014 ldapsrv_process_call_trigger, NULL);
1015 if (!ok) {
1016 tevent_req_oom(req);
1017 return tevent_req_post(req, ev);
1018 }
1019
1020 return req;
1021 }
1022
1023 static void ldapsrv_disconnect_ticket_expired(struct tevent_req *subreq);
1024
1025 static void ldapsrv_process_call_trigger(struct tevent_req *req,
1026 void *private_data)
1027 {
1028 struct ldapsrv_process_call_state *state =
1029 tevent_req_data(req,
1030 struct ldapsrv_process_call_state);
1031 struct ldapsrv_connection *conn = state->call->conn;
1032 NTSTATUS status;
1033
1034 if (conn->deferred_expire_disconnect != NULL) {
1035 /*
1036 * Just drop this on the floor
1037 */
1038 tevent_req_done(req);
1039 return;
1040 }
1041
1042 /* make the call */
1043 status = ldapsrv_do_call(state->call);
1044
1045 if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_SESSION_EXPIRED)) {
1046 /*
1047 * For testing purposes, defer the TCP disconnect
1048 * after having sent the msgid 0
1049 * 1.3.6.1.4.1.1466.20036 exop response. LDAP clients
1050 * should not wait for the TCP connection to close but
1051 * handle this packet equivalent to a TCP
1052 * disconnect. This delay enables testing both cases
1053 * in LDAP client libraries.
1054 */
1055
1056 int defer_msec = lpcfg_parm_int(
1057 conn->lp_ctx,
1058 NULL,
1059 "ldap_server",
1060 "delay_expire_disconnect",
1061 0);
1062
1063 conn->deferred_expire_disconnect = tevent_wakeup_send(
1064 conn,
1065 conn->connection->event.ctx,
1066 timeval_current_ofs_msec(defer_msec));
1067 if (tevent_req_nomem(conn->deferred_expire_disconnect, req)) {
1068 return;
1069 }
1070 tevent_req_set_callback(
1071 conn->deferred_expire_disconnect,
1072 ldapsrv_disconnect_ticket_expired,
1073 conn);
1074
1075 tevent_req_done(req);
1076 return;
1077 }
1078
1079 if (!NT_STATUS_IS_OK(status)) {
1080 tevent_req_nterror(req, status);
1081 return;
1082 }
1083
1084 tevent_req_done(req);
1085 }
1086
1087 static void ldapsrv_disconnect_ticket_expired(struct tevent_req *subreq)
1088 {
1089 struct ldapsrv_connection *conn = tevent_req_callback_data(
1090 subreq, struct ldapsrv_connection);
1091 bool ok;
1092
1093 ok = tevent_wakeup_recv(subreq);
1094 TALLOC_FREE(subreq);
1095 if (!ok) {
1096 DBG_WARNING("tevent_wakeup_recv failed\n");
1097 }
1098 conn->deferred_expire_disconnect = NULL;
1099 ldapsrv_terminate_connection(conn, "network session expired");
1100 }
1101
1102 static NTSTATUS ldapsrv_process_call_recv(struct tevent_req *req)
1103 {
1104 NTSTATUS status;
1105
1106 if (tevent_req_is_nterror(req, &status)) {
1107 tevent_req_received(req);
1108 return status;
1109 }
1110
1111 tevent_req_received(req);
1112 return NT_STATUS_OK;
1113 }
1114
1115 static void ldapsrv_accept_nonpriv(struct stream_connection *c)
1116 {
1117 struct ldapsrv_service *ldapsrv_service = talloc_get_type_abort(
1118 c->private_data, struct ldapsrv_service);
1119 struct auth_session_info *session_info;
1120 NTSTATUS status;
1121
1122 status = auth_anonymous_session_info(
1123 c, ldapsrv_service->lp_ctx, &session_info);
1124 if (!NT_STATUS_IS_OK(status)) {
1125 stream_terminate_connection(c, "failed to setup anonymous "
1126 "session info");
1127 return;
1128 }
1129 ldapsrv_accept(c, session_info, false);
1130 }
1131
1132 static const struct stream_server_ops ldap_stream_nonpriv_ops = {
1133 .name = "ldap",
1134 .accept_connection = ldapsrv_accept_nonpriv,
1135 .recv_handler = ldapsrv_recv,
1136 .send_handler = ldapsrv_send,
1137 };
1138
1139 /* The feature removed behind an #ifdef until we can do it properly
1140 * with an EXTERNAL bind. */
1141
1142 #define WITH_LDAPI_PRIV_SOCKET
1143
1144 #ifdef WITH_LDAPI_PRIV_SOCKET
1145 static void ldapsrv_accept_priv(struct stream_connection *c)
1146 {
1147 struct ldapsrv_service *ldapsrv_service = talloc_get_type_abort(
1148 c->private_data, struct ldapsrv_service);
1149 struct auth_session_info *session_info;
1150
1151 session_info = system_session(ldapsrv_service->lp_ctx);
1152 if (!session_info) {
1153 stream_terminate_connection(c, "failed to setup system "
1154 "session info");
1155 return;
1156 }
1157 ldapsrv_accept(c, session_info, true);
1158 }
1159
1160 static const struct stream_server_ops ldap_stream_priv_ops = {
1161 .name = "ldap",
1162 .accept_connection = ldapsrv_accept_priv,
1163 .recv_handler = ldapsrv_recv,
1164 .send_handler = ldapsrv_send,
1165 };
1166
1167 #endif
1168
1169
1170 /*
1171 add a socket address to the list of events, one event per port
1172 */
1173 static NTSTATUS add_socket(struct task_server *task,
1174 struct loadparm_context *lp_ctx,
1175 const struct model_ops *model_ops,
1176 const char *address, struct ldapsrv_service *ldap_service)
1177 {
1178 uint16_t port = 389;
1179 NTSTATUS status;
1180 struct ldb_context *ldb;
1181
1182 status = stream_setup_socket(task, task->event_ctx, lp_ctx,
1183 model_ops, &ldap_stream_nonpriv_ops,
1184 "ip", address, &port,
1185 lpcfg_socket_options(lp_ctx),
1186 ldap_service, task->process_context);
1187 if (!NT_STATUS_IS_OK(status)) {
1188 DBG_ERR("ldapsrv failed to bind to %s:%u - %s\n",
1189 address, port, nt_errstr(status));
1190 return status;
1191 }
1192
1193 if (tstream_tls_params_enabled(ldap_service->tls_params)) {
1194 /* add ldaps server */
1195 port = 636;
1196 status = stream_setup_socket(task, task->event_ctx, lp_ctx,
1197 model_ops,
1198 &ldap_stream_nonpriv_ops,
1199 "ip", address, &port,
1200 lpcfg_socket_options(lp_ctx),
1201 ldap_service,
1202 task->process_context);
1203 if (!NT_STATUS_IS_OK(status)) {
1204 DBG_ERR("ldapsrv failed to bind to %s:%u - %s\n",
1205 address, port, nt_errstr(status));
1206 return status;
1207 }
1208 }
1209
1210 /* Load LDAP database, but only to read our settings */
1211 ldb = samdb_connect(ldap_service,
1212 ldap_service->current_ev,
1213 lp_ctx,
1214 system_session(lp_ctx),
1215 NULL,
1216 0);
1217 if (!ldb) {
1218 return NT_STATUS_INTERNAL_DB_CORRUPTION;
1219 }
1220
1221 if (samdb_is_gc(ldb)) {
1222 port = 3268;
1223 status = stream_setup_socket(task, task->event_ctx, lp_ctx,
1224 model_ops,
1225 &ldap_stream_nonpriv_ops,
1226 "ip", address, &port,
1227 lpcfg_socket_options(lp_ctx),
1228 ldap_service,
1229 task->process_context);
1230 if (!NT_STATUS_IS_OK(status)) {
1231 DBG_ERR("ldapsrv failed to bind to %s:%u - %s\n",
1232 address, port, nt_errstr(status));
1233 return status;
1234 }
1235 if (tstream_tls_params_enabled(ldap_service->tls_params)) {
1236 /* add ldaps server for the global catalog */
1237 port = 3269;
1238 status = stream_setup_socket(task, task->event_ctx, lp_ctx,
1239 model_ops,
1240 &ldap_stream_nonpriv_ops,
1241 "ip", address, &port,
1242 lpcfg_socket_options(lp_ctx),
1243 ldap_service,
1244 task->process_context);
1245 if (!NT_STATUS_IS_OK(status)) {
1246 DBG_ERR("ldapsrv failed to bind to %s:%u - %s\n",
1247 address, port, nt_errstr(status));
1248 return status;
1249 }
1250 }
1251 }
1252
1253 /* And once we are bound, free the temporary ldb, it will
1254 * connect again on each incoming LDAP connection */
1255 talloc_unlink(ldap_service, ldb);
1256
1257 return NT_STATUS_OK;
1258 }
1259
1260 static void ldap_reload_certs(struct imessaging_context *msg_ctx,
1261 void *private_data,
1262 uint32_t msg_type,
1263 struct server_id server_id,
1264 size_t num_fds,
1265 int *fds,
1266 DATA_BLOB *data)
1267 {
1268 TALLOC_CTX *frame = talloc_stackframe();
1269 struct ldapsrv_service *ldap_service =
1270 talloc_get_type_abort(private_data,
1271 struct ldapsrv_service);
1272 int default_children;
1273 int num_children;
1274 int i;
1275 bool ok;
1276 struct server_id ldap_master_id;
1277 NTSTATUS status;
1278 struct tstream_tls_params *new_tls_params = NULL;
1279
1280 SMB_ASSERT(msg_ctx == ldap_service->current_msg);
1281
1282 /* reload certificates */
1283 status = tstream_tls_params_server(ldap_service,
1284 ldap_service->dns_host_name,
1285 lpcfg_tls_enabled(ldap_service->lp_ctx),
1286 lpcfg_tls_keyfile(frame, ldap_service->lp_ctx),
1287 lpcfg_tls_certfile(frame, ldap_service->lp_ctx),
1288 lpcfg_tls_cafile(frame, ldap_service->lp_ctx),
1289 lpcfg_tls_crlfile(frame, ldap_service->lp_ctx),
1290 lpcfg_tls_dhpfile(frame, ldap_service->lp_ctx),
1291 lpcfg_tls_priority(ldap_service->lp_ctx),
1292 &new_tls_params);
1293 if (!NT_STATUS_IS_OK(status)) {
1294 DBG_ERR("ldapsrv failed tstream_tls_params_server - %s\n",
1295 nt_errstr(status));
1296 TALLOC_FREE(frame);
1297 return;
1298 }
1299
1300 TALLOC_FREE(ldap_service->tls_params);
1301 ldap_service->tls_params = new_tls_params;
1302
1303 if (getpid() != ldap_service->parent_pid) {
1304 /*
1305 * If we are not the master process we are done
1306 */
1307 TALLOC_FREE(frame);
1308 return;
1309 }
1310
1311 /*
1312 * Check we're running under the prefork model,
1313 * by checking if the prefork-master-ldap name
1314 * was registered
1315 */
1316 ok = server_id_db_lookup_one(msg_ctx->names, "prefork-master-ldap", &ldap_master_id);
1317 if (!ok) {
1318 /*
1319 * We are done if another process model is in use.
1320 */
1321 TALLOC_FREE(frame);
1322 return;
1323 }
1324
1325 /*
1326 * Now we loop over all possible prefork workers
1327 * in order to notify them about the reload
1328 */
1329 default_children = lpcfg_prefork_children(ldap_service->lp_ctx);
1330 num_children = lpcfg_parm_int(ldap_service->lp_ctx,
1331 NULL, "prefork children", "ldap",
1332 default_children);
1333 for (i = 0; i < num_children; i++) {
1334 char child_name[64] = { 0, };
1335 struct server_id ldap_worker_id;
1336
1337 snprintf(child_name, sizeof(child_name), "prefork-worker-ldap-%d", i);
1338 ok = server_id_db_lookup_one(msg_ctx->names, child_name, &ldap_worker_id);
1339 if (!ok) {
1340 DBG_ERR("server_id_db_lookup_one(%s) - failed\n",
1341 child_name);
1342 continue;
1343 }
1344
1345 status = imessaging_send(msg_ctx, ldap_worker_id,
1346 MSG_RELOAD_TLS_CERTIFICATES, NULL);
1347 if (!NT_STATUS_IS_OK(status)) {
1348 struct server_id_buf id_buf;
1349 DBG_ERR("ldapsrv failed imessaging_send(%s, %s) - %s\n",
1350 child_name,
1351 server_id_str_buf(ldap_worker_id, &id_buf),
1352 nt_errstr(status));
1353 continue;
1354 }
1355 }
1356
1357 TALLOC_FREE(frame);
1358 }
1359
1360 /*
1361 open the ldap server sockets
1362 */
1363 static NTSTATUS ldapsrv_task_init(struct task_server *task)
1364 {
1365 char *ldapi_path;
1366 #ifdef WITH_LDAPI_PRIV_SOCKET
1367 char *priv_dir;
1368 #endif
1369 struct ldapsrv_service *ldap_service;
1370 NTSTATUS status;
1371
1372 switch (lpcfg_server_role(task->lp_ctx)) {
1373 case ROLE_STANDALONE:
1374 task_server_terminate(task, "ldap_server: no LDAP server required in standalone configuration",
1375 false);
1376 return NT_STATUS_INVALID_DOMAIN_ROLE;
1377 case ROLE_DOMAIN_MEMBER:
1378 task_server_terminate(task, "ldap_server: no LDAP server required in member server configuration",
1379 false);
1380 return NT_STATUS_INVALID_DOMAIN_ROLE;
1381 case ROLE_ACTIVE_DIRECTORY_DC:
1382 /* Yes, we want an LDAP server */
1383 break;
1384 }
1385
1386 task_server_set_title(task, "task[ldapsrv]");
1387
1388 ldap_service = talloc_zero(task, struct ldapsrv_service);
1389 if (ldap_service == NULL) {
1390 status = NT_STATUS_NO_MEMORY;
1391 goto failed;
1392 }
1393
1394 ldap_service->lp_ctx = task->lp_ctx;
1395 ldap_service->current_ev = task->event_ctx;
1396 ldap_service->current_msg = task->msg_ctx;
1397
1398 ldap_service->dns_host_name = talloc_asprintf(ldap_service, "%s.%s",
1399 lpcfg_netbios_name(task->lp_ctx),
1400 lpcfg_dnsdomain(task->lp_ctx));
1401 if (ldap_service->dns_host_name == NULL) {
1402 status = NT_STATUS_NO_MEMORY;
1403 goto failed;
1404 }
1405
1406 ldap_service->parent_pid = getpid();
1407
1408 status = tstream_tls_params_server(ldap_service,
1409 ldap_service->dns_host_name,
1410 lpcfg_tls_enabled(task->lp_ctx),
1411 lpcfg_tls_keyfile(ldap_service, task->lp_ctx),
1412 lpcfg_tls_certfile(ldap_service, task->lp_ctx),
1413 lpcfg_tls_cafile(ldap_service, task->lp_ctx),
1414 lpcfg_tls_crlfile(ldap_service, task->lp_ctx),
1415 lpcfg_tls_dhpfile(ldap_service, task->lp_ctx),
1416 lpcfg_tls_priority(task->lp_ctx),
1417 &ldap_service->tls_params);
1418 if (!NT_STATUS_IS_OK(status)) {
1419 DBG_ERR("ldapsrv failed tstream_tls_params_server - %s\n",
1420 nt_errstr(status));
1421 goto failed;
1422 }
1423
1424 ldap_service->call_queue = tevent_queue_create(ldap_service, "ldapsrv_call_queue");
1425 if (ldap_service->call_queue == NULL) {
1426 status = NT_STATUS_NO_MEMORY;
1427 goto failed;
1428 }
1429
1430 if (lpcfg_interfaces(task->lp_ctx) && lpcfg_bind_interfaces_only(task->lp_ctx)) {
1431 struct interface *ifaces;
1432 int num_interfaces;
1433 int i;
1434
1435 load_interface_list(task, task->lp_ctx, &ifaces);
1436 num_interfaces = iface_list_count(ifaces);
1437
1438 /* We have been given an interfaces line, and been
1439 told to only bind to those interfaces. Create a
1440 socket per interface and bind to only these.
1441 */
1442 for(i = 0; i < num_interfaces; i++) {
1443 const char *address = iface_list_n_ip(ifaces, i);
1444 status = add_socket(task, task->lp_ctx, task->model_ops,
1445 address, ldap_service);
1446 if (!NT_STATUS_IS_OK(status)) goto failed;
1447 }
1448 } else {
1449 char **wcard;
1450 size_t i;
1451 size_t num_binds = 0;
1452 wcard = iface_list_wildcard(task);
1453 if (wcard == NULL) {
1454 DBG_ERR("No wildcard addresses available\n");
1455 status = NT_STATUS_UNSUCCESSFUL;
1456 goto failed;
1457 }
1458 for (i=0; wcard[i]; i++) {
1459 status = add_socket(task, task->lp_ctx, task->model_ops,
1460 wcard[i], ldap_service);
1461 if (NT_STATUS_IS_OK(status)) {
1462 num_binds++;
1463 }
1464 }
1465 talloc_free(wcard);
1466 if (num_binds == 0) {
1467 status = NT_STATUS_UNSUCCESSFUL;
1468 goto failed;
1469 }
1470 }
1471
1472 ldapi_path = lpcfg_private_path(ldap_service, task->lp_ctx, "ldapi");
1473 if (!ldapi_path) {
1474 status = NT_STATUS_UNSUCCESSFUL;
1475 goto failed;
1476 }
1477
1478 status = stream_setup_socket(task, task->event_ctx, task->lp_ctx,
1479 task->model_ops, &ldap_stream_nonpriv_ops,
1480 "unix", ldapi_path, NULL,
1481 lpcfg_socket_options(task->lp_ctx),
1482 ldap_service, task->process_context);
1483 talloc_free(ldapi_path);
1484 if (!NT_STATUS_IS_OK(status)) {
1485 DBG_ERR("ldapsrv failed to bind to %s - %s\n",
1486 ldapi_path, nt_errstr(status));
1487 }
1488
1489 #ifdef WITH_LDAPI_PRIV_SOCKET
1490 priv_dir = lpcfg_private_path(ldap_service, task->lp_ctx, "ldap_priv");
1491 if (priv_dir == NULL) {
1492 status = NT_STATUS_UNSUCCESSFUL;
1493 goto failed;
1494 }
1495 /*
1496 * Make sure the directory for the privileged ldapi socket exists, and
1497 * is of the correct permissions
1498 */
1499 if (!directory_create_or_exist(priv_dir, 0750)) {
1500 task_server_terminate(task, "Cannot create ldap "
1501 "privileged ldapi directory", true);
1502 return NT_STATUS_UNSUCCESSFUL;
1503 }
1504 ldapi_path = talloc_asprintf(ldap_service, "%s/ldapi", priv_dir);
1505 talloc_free(priv_dir);
1506 if (ldapi_path == NULL) {
1507 status = NT_STATUS_NO_MEMORY;
1508 goto failed;
1509 }
1510
1511 status = stream_setup_socket(task, task->event_ctx, task->lp_ctx,
1512 task->model_ops, &ldap_stream_priv_ops,
1513 "unix", ldapi_path, NULL,
1514 lpcfg_socket_options(task->lp_ctx),
1515 ldap_service,
1516 task->process_context);
1517 talloc_free(ldapi_path);
1518 if (!NT_STATUS_IS_OK(status)) {
1519 DBG_ERR("ldapsrv failed to bind to %s - %s\n",
1520 ldapi_path, nt_errstr(status));
1521 }
1522
1523 #endif
1524
1525 /* register the server */
1526 irpc_add_name(task->msg_ctx, "ldap_server");
1527
1528 task->private_data = ldap_service;
1529
1530 return NT_STATUS_OK;
1531
1532 failed:
1533 task_server_terminate(task, "Failed to startup ldap server task", true);
1534 return status;
1535 }
1536
1537 /*
1538 * Open a database to be later used by LDB wrap code (although it should be
1539 * plumbed through correctly eventually).
1540 */
1541 static void ldapsrv_post_fork(struct task_server *task, struct process_details *pd)
1542 {
1543 struct ldapsrv_service *ldap_service =
1544 talloc_get_type_abort(task->private_data, struct ldapsrv_service);
1545
1546 /*
1547 * As ldapsrv_before_loop() may changed the values for the parent loop
1548 * we need to adjust the pointers to the correct value in the child
1549 */
1550 ldap_service->lp_ctx = task->lp_ctx;
1551 ldap_service->current_ev = task->event_ctx;
1552 ldap_service->current_msg = task->msg_ctx;
1553
1554 ldap_service->sam_ctx = samdb_connect(ldap_service,
1555 ldap_service->current_ev,
1556 ldap_service->lp_ctx,
1557 system_session(ldap_service->lp_ctx),
1558 NULL,
1559 0);
1560 if (ldap_service->sam_ctx == NULL) {
1561 task_server_terminate(task, "Cannot open system session LDB",
1562 true);
1563 return;
1564 }
1565 }
1566
1567 static void ldapsrv_before_loop(struct task_server *task)
1568 {
1569 struct ldapsrv_service *ldap_service =
1570 talloc_get_type_abort(task->private_data, struct ldapsrv_service);
1571 NTSTATUS status;
1572
1573 if (ldap_service->sam_ctx != NULL) {
1574 /*
1575 * Make sure the values are still the same
1576 * as set in ldapsrv_post_fork()
1577 */
1578 SMB_ASSERT(task->lp_ctx == ldap_service->lp_ctx);
1579 SMB_ASSERT(task->event_ctx == ldap_service->current_ev);
1580 SMB_ASSERT(task->msg_ctx == ldap_service->current_msg);
1581 } else {
1582 /*
1583 * We need to adjust the pointers to the correct value
1584 * in the parent loop.
1585 */
1586 ldap_service->lp_ctx = task->lp_ctx;
1587 ldap_service->current_ev = task->event_ctx;
1588 ldap_service->current_msg = task->msg_ctx;
1589 }
1590
1591 status = imessaging_register(ldap_service->current_msg,
1592 ldap_service,
1593 MSG_RELOAD_TLS_CERTIFICATES,
1594 ldap_reload_certs);
1595 if (!NT_STATUS_IS_OK(status)) {
1596 task_server_terminate(task, "Cannot register ldap_reload_certs",
1597 true);
1598 return;
1599 }
1600 }
1601
1602 /*
1603 * Check the size of an ldap request packet.
1604 *
1605 * For authenticated connections the maximum packet size is controlled by
1606 * the smb.conf parameter "ldap max authenticated request size"
1607 *
1608 * For anonymous connections the maximum packet size is controlled by
1609 * the smb.conf parameter "ldap max anonymous request size"
1610 */
1611 static int ldapsrv_check_packet_size(
1612 struct ldapsrv_connection *conn,
1613 size_t size)
1614 {
1615 bool is_anonymous = false;
1616 size_t max_size = 0;
1617
1618 max_size = lpcfg_ldap_max_anonymous_request_size(conn->lp_ctx);
1619 if (size <= max_size) {
1620 return LDAP_SUCCESS;
1621 }
1622
1623 /*
1624 * Request is larger than the maximum unauthenticated request size.
1625 * As this code is called frequently we avoid calling
1626 * security_token_is_anonymous if possible
1627 */
1628 if (conn->session_info != NULL &&
1629 conn->session_info->security_token != NULL) {
1630 is_anonymous = security_token_is_anonymous(
1631 conn->session_info->security_token);
1632 }
1633
1634 if (is_anonymous) {
1635 DBG_WARNING(
1636 "LDAP request size (%zu) exceeds (%zu)\n",
1637 size,
1638 max_size);
1639 return LDAP_UNWILLING_TO_PERFORM;
1640 }
1641
1642 max_size = lpcfg_ldap_max_authenticated_request_size(conn->lp_ctx);
1643 if (size > max_size) {
1644 DBG_WARNING(
1645 "LDAP request size (%zu) exceeds (%zu)\n",
1646 size,
1647 max_size);
1648 return LDAP_UNWILLING_TO_PERFORM;
1649 }
1650 return LDAP_SUCCESS;
1651
1652 }
1653
1654 /*
1655 * Check that the blob contains enough data to be a valid packet
1656 * If there is a packet header check the size to ensure that it does not
1657 * exceed the maximum sizes.
1658 *
1659 */
1660 static NTSTATUS ldapsrv_packet_check(
1661 void *private_data,
1662 DATA_BLOB blob,
1663 size_t *packet_size)
1664 {
1665 NTSTATUS ret;
1666 struct ldapsrv_connection *conn = private_data;
1667 int result = LDB_SUCCESS;
1668
1669 ret = ldap_full_packet(private_data, blob, packet_size);
1670 if (!NT_STATUS_IS_OK(ret)) {
1671 return ret;
1672 }
1673 result = ldapsrv_check_packet_size(conn, *packet_size);
1674 if (result != LDAP_SUCCESS) {
1675 return NT_STATUS_LDAP(result);
1676 }
1677 return NT_STATUS_OK;
1678 }
1679
1680 NTSTATUS server_service_ldap_init(TALLOC_CTX *ctx)
1681 {
1682 static const struct service_details details = {
1683 .inhibit_fork_on_accept = false,
1684 .inhibit_pre_fork = false,
1685 .task_init = ldapsrv_task_init,
1686 .post_fork = ldapsrv_post_fork,
1687 .before_loop = ldapsrv_before_loop,
1688 };
1689 return register_server_service(ctx, "ldap", &details);
1690 }
GSS-enabled samba4