search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
ctdb-scripts: Don't set arp_filter=1 by default in 10.interface
[samba4-gss.git] / source4 / libcli / ldap / ldap_bind.c
blobb00329c9fa43fb6e5037f1b1a2b593740f4ffd39
1 /*
2 Unix SMB/CIFS implementation.
3
4 LDAP bind calls
5
6 Copyright (C) Andrew Tridgell 2005
7 Copyright (C) Volker Lendecke 2004
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21
22 */
23
24 #include "includes.h"
25 #include "libcli/ldap/libcli_ldap.h"
26 #include "libcli/ldap/ldap_proto.h"
27 #include "libcli/ldap/ldap_client.h"
28 #include "lib/tls/tls.h"
29 #include "auth/gensec/gensec.h"
30 #include "source4/auth/gensec/gensec_tstream.h"
31 #include "auth/credentials/credentials.h"
32 #include "lib/stream/packet.h"
33 #include "param/param.h"
34 #include "param/loadparm.h"
35 #include "librpc/gen_ndr/ads.h"
36
37 struct ldap_simple_creds {
38 const char *dn;
39 const char *pw;
40 };
41
42 _PUBLIC_ NTSTATUS ldap_rebind(struct ldap_connection *conn)
43 {
44 NTSTATUS status;
45 struct ldap_simple_creds *creds;
46
47 switch (conn->bind.type) {
48 case LDAP_BIND_SASL:
49 status = ldap_bind_sasl(conn, (struct cli_credentials *)conn->bind.creds,
50 conn->lp_ctx);
51 break;
52
53 case LDAP_BIND_SIMPLE:
54 creds = (struct ldap_simple_creds *)conn->bind.creds;
55
56 if (creds == NULL) {
57 return NT_STATUS_UNSUCCESSFUL;
58 }
59
60 status = ldap_bind_simple(conn, creds->dn, creds->pw);
61 break;
62
63 default:
64 return NT_STATUS_UNSUCCESSFUL;
65 }
66
67 return status;
68 }
69
70
71 static struct ldap_message *new_ldap_simple_bind_msg(struct ldap_connection *conn,
72 const char *dn, const char *pw)
73 {
74 struct ldap_message *res;
75
76 res = new_ldap_message(conn);
77 if (!res) {
78 return NULL;
79 }
80
81 res->type = LDAP_TAG_BindRequest;
82 res->r.BindRequest.version = 3;
83 res->r.BindRequest.dn = talloc_strdup(res, dn);
84 res->r.BindRequest.mechanism = LDAP_AUTH_MECH_SIMPLE;
85 res->r.BindRequest.creds.password = talloc_strdup(res, pw);
86 res->controls = NULL;
87
88 return res;
89 }
90
91
92 /*
93 perform a simple username/password bind
94 */
95 _PUBLIC_ NTSTATUS ldap_bind_simple(struct ldap_connection *conn,
96 const char *userdn, const char *password)
97 {
98 struct ldap_request *req;
99 struct ldap_message *msg;
100 const char *dn, *pw;
101 NTSTATUS status;
102
103 if (conn == NULL) {
104 return NT_STATUS_INVALID_CONNECTION;
105 }
106
107 if (userdn) {
108 dn = userdn;
109 } else {
110 if (conn->auth_dn) {
111 dn = conn->auth_dn;
112 } else {
113 dn = "";
114 }
115 }
116
117 if (password) {
118 pw = password;
119 } else {
120 if (conn->simple_pw) {
121 pw = conn->simple_pw;
122 } else {
123 pw = "";
124 }
125 }
126
127 msg = new_ldap_simple_bind_msg(conn, dn, pw);
128 NT_STATUS_HAVE_NO_MEMORY(msg);
129
130 /* send the request */
131 req = ldap_request_send(conn, msg);
132 talloc_free(msg);
133 NT_STATUS_HAVE_NO_MEMORY(req);
134
135 /* wait for replies */
136 status = ldap_request_wait(req);
137 if (!NT_STATUS_IS_OK(status)) {
138 talloc_free(req);
139 return status;
140 }
141
142 /* check its a valid reply */
143 msg = req->replies[0];
144 if (msg->type != LDAP_TAG_BindResponse) {
145 talloc_free(req);
146 return NT_STATUS_UNEXPECTED_NETWORK_ERROR;
147 }
148
149 status = ldap_check_response(conn, &msg->r.BindResponse.response);
150
151 talloc_free(req);
152
153 if (NT_STATUS_IS_OK(status)) {
154 struct ldap_simple_creds *creds = talloc(conn, struct ldap_simple_creds);
155 if (creds == NULL) {
156 return NT_STATUS_NO_MEMORY;
157 }
158 creds->dn = talloc_strdup(creds, dn);
159 creds->pw = talloc_strdup(creds, pw);
160 if (creds->dn == NULL || creds->pw == NULL) {
161 return NT_STATUS_NO_MEMORY;
162 }
163 conn->bind.type = LDAP_BIND_SIMPLE;
164 conn->bind.creds = creds;
165 }
166
167 return status;
168 }
169
170
171 static struct ldap_message *new_ldap_sasl_bind_msg(struct ldap_connection *conn,
172 const char *sasl_mechanism,
173 DATA_BLOB *secblob)
174 {
175 struct ldap_message *res;
176
177 res = new_ldap_message(conn);
178 if (!res) {
179 return NULL;
180 }
181
182 res->type = LDAP_TAG_BindRequest;
183 res->r.BindRequest.version = 3;
184 res->r.BindRequest.dn = "";
185 res->r.BindRequest.mechanism = LDAP_AUTH_MECH_SASL;
186 res->r.BindRequest.creds.SASL.mechanism = talloc_strdup(res, sasl_mechanism);
187 if (secblob) {
188 res->r.BindRequest.creds.SASL.secblob = talloc(res, DATA_BLOB);
189 if (!res->r.BindRequest.creds.SASL.secblob) {
190 talloc_free(res);
191 return NULL;
192 }
193 *res->r.BindRequest.creds.SASL.secblob = *secblob;
194 } else {
195 res->r.BindRequest.creds.SASL.secblob = NULL;
196 }
197 res->controls = NULL;
198
199 return res;
200 }
201
202
203 /*
204 perform a sasl bind using the given credentials
205 */
206 _PUBLIC_ NTSTATUS ldap_bind_sasl(struct ldap_connection *conn,
207 struct cli_credentials *creds,
208 struct loadparm_context *lp_ctx)
209 {
210 const char *sasl_mech = "GSS-SPNEGO";
211 NTSTATUS status;
212 TALLOC_CTX *tmp_ctx = NULL;
213 DATA_BLOB input = data_blob(NULL, 0);
214 DATA_BLOB output = data_blob(NULL, 0);
215 bool first = true;
216 int wrap_flags = 0;
217 uint32_t old_gensec_features;
218 unsigned int logon_retries = 0;
219 size_t queue_length;
220 const DATA_BLOB *tls_cb = NULL;
221 bool use_channel_bound = lpcfg_parm_bool(lp_ctx,
222 NULL,
223 "ldap_testing",
224 "channel_bound",
225 true);
226 const char *forced_channel_binding = lpcfg_parm_string(lp_ctx,
227 NULL,
228 "ldap_testing",
229 "forced_channel_binding");
230 DATA_BLOB forced_cb = data_blob_string_const(forced_channel_binding);
231
232 if (conn->sockets.active == NULL) {
233 status = NT_STATUS_CONNECTION_DISCONNECTED;
234 goto failed;
235 }
236
237 queue_length = tevent_queue_length(conn->sockets.send_queue);
238 if (queue_length != 0) {
239 status = NT_STATUS_INVALID_PARAMETER_MIX;
240 DEBUG(1, ("SASL bind triggered with non empty send_queue[%zu]: %s\n",
241 queue_length, nt_errstr(status)));
242 goto failed;
243 }
244
245 if (conn->pending != NULL) {
246 status = NT_STATUS_INVALID_PARAMETER_MIX;
247 DEBUG(1, ("SASL bind triggered with pending requests: %s\n",
248 nt_errstr(status)));
249 goto failed;
250 }
251
252 tmp_ctx = talloc_new(conn);
253 if (tmp_ctx == NULL) {
254 status = NT_STATUS_NO_MEMORY;
255 goto failed;
256 }
257
258 gensec_init();
259
260 if (conn->sockets.active == conn->sockets.tls) {
261 /*
262 * allow this for testing the old code:
263 * ldap_testing:no_tls_channel_bindings = no
264 */
265 bool use_tls_cb = lpcfg_parm_bool(lp_ctx,
266 NULL,
267 "ldap_testing",
268 "tls_channel_bindings",
269 true);
270
271 /*
272 * require Kerberos SIGN/SEAL only if we don't use SSL
273 * Windows seem not to like double encryption
274 */
275 wrap_flags = 0;
276
277 if (use_tls_cb) {
278 tls_cb = tstream_tls_channel_bindings(conn->sockets.tls);
279 }
280 } else if (cli_credentials_is_anonymous(creds)) {
281 /*
282 * anonymous isn't protected
283 */
284 wrap_flags = 0;
285 } else {
286 wrap_flags = lpcfg_client_ldap_sasl_wrapping(lp_ctx);
287 }
288
289 if (forced_cb.length != 0) {
290 tls_cb = &forced_cb;
291 }
292
293 try_logon_again:
294 /*
295 we loop back here on a logon failure, and re-create the
296 gensec session. The logon_retries counter ensures we don't
297 loop forever.
298 */
299 data_blob_free(&input);
300 TALLOC_FREE(conn->gensec);
301
302 status = gensec_client_start(conn, &conn->gensec,
303 lpcfg_gensec_settings(conn, lp_ctx));
304 if (!NT_STATUS_IS_OK(status)) {
305 DEBUG(0, ("Failed to start GENSEC engine (%s)\n", nt_errstr(status)));
306 goto failed;
307 }
308
309 old_gensec_features = cli_credentials_get_gensec_features(creds);
310 if (wrap_flags == 0) {
311 cli_credentials_set_gensec_features(creds,
312 old_gensec_features & ~(GENSEC_FEATURE_SIGN|GENSEC_FEATURE_SEAL),
313 CRED_SPECIFIED);
314 }
315
316 /* this call also sets the gensec_want_features */
317 status = gensec_set_credentials(conn->gensec, creds);
318 if (!NT_STATUS_IS_OK(status)) {
319 DEBUG(1, ("Failed to set GENSEC creds: %s\n",
320 nt_errstr(status)));
321 goto failed;
322 }
323
324 /* reset the original gensec_features (on the credentials
325 * context, so we don't tattoo it ) */
326 cli_credentials_set_gensec_features(creds,
327 old_gensec_features,
328 CRED_SPECIFIED);
329
330 if (wrap_flags & ADS_AUTH_SASL_SEAL) {
331 gensec_want_feature(conn->gensec, GENSEC_FEATURE_SIGN);
332 gensec_want_feature(conn->gensec, GENSEC_FEATURE_SEAL);
333 }
334 if (wrap_flags & ADS_AUTH_SASL_SIGN) {
335 gensec_want_feature(conn->gensec, GENSEC_FEATURE_SIGN);
336 }
337
338 if (!use_channel_bound) {
339 gensec_want_feature(conn->gensec, GENSEC_FEATURE_CB_OPTIONAL);
340 }
341
342 /*
343 * This is an indication for the NTLMSSP backend to
344 * also encrypt when only GENSEC_FEATURE_SIGN is requested
345 * in gensec_[un]wrap().
346 */
347 gensec_want_feature(conn->gensec, GENSEC_FEATURE_LDAP_STYLE);
348
349 if (conn->host) {
350 status = gensec_set_target_hostname(conn->gensec, conn->host);
351 if (!NT_STATUS_IS_OK(status)) {
352 DEBUG(1, ("Failed to set GENSEC target hostname: %s\n",
353 nt_errstr(status)));
354 goto failed;
355 }
356 }
357
358 status = gensec_set_target_service(conn->gensec, "ldap");
359 if (!NT_STATUS_IS_OK(status)) {
360 DEBUG(1, ("Failed to set GENSEC target service: %s\n",
361 nt_errstr(status)));
362 goto failed;
363 }
364
365 if (tls_cb != NULL) {
366 uint32_t initiator_addrtype = 0;
367 const DATA_BLOB *initiator_address = NULL;
368 uint32_t acceptor_addrtype = 0;
369 const DATA_BLOB *acceptor_address = NULL;
370 const DATA_BLOB *application_data = tls_cb;
371
372 status = gensec_set_channel_bindings(conn->gensec,
373 initiator_addrtype,
374 initiator_address,
375 acceptor_addrtype,
376 acceptor_address,
377 application_data);
378 if (!NT_STATUS_IS_OK(status)) {
379 DBG_WARNING("Failed to set GENSEC channel bindings: %s\n",
380 nt_errstr(status));
381 goto failed;
382 }
383 }
384
385 status = gensec_start_mech_by_sasl_name(conn->gensec, sasl_mech);
386 if (!NT_STATUS_IS_OK(status)) {
387 DBG_WARNING("gensec_start_mech_by_sasl_name(%s): %s\n",
388 sasl_mech, nt_errstr(status));
389 goto failed;
390 }
391
392 while (1) {
393 NTSTATUS gensec_status;
394 struct ldap_message *response;
395 struct ldap_message *msg;
396 struct ldap_request *req;
397 int result = LDAP_OTHER;
398
399 status = gensec_update(conn->gensec, tmp_ctx,
400 input,
401 &output);
402 /* The status value here, from GENSEC is vital to the security
403 * of the system. Even if the other end accepts, if GENSEC
404 * claims 'MORE_PROCESSING_REQUIRED' then you must keep
405 * feeding it blobs, or else the remote host/attacker might
406 * avoid mutual authentication requirements.
407 *
408 * Likewise, you must not feed GENSEC too much (after the OK),
409 * it doesn't like that either.
410 *
411 * For SASL/EXTERNAL, there is no data to send, but we still
412 * must send the actual Bind request the first time around.
413 * Otherwise, a result of NT_STATUS_OK with 0 output means the
414 * end of a multi-step authentication, and no message must be
415 * sent.
416 */
417
418 gensec_status = status;
419
420 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) &&
421 !NT_STATUS_IS_OK(status)) {
422 break;
423 }
424 if (NT_STATUS_IS_OK(status) && output.length == 0) {
425 if (!first)
426 break;
427 }
428 first = false;
429
430 msg = new_ldap_sasl_bind_msg(tmp_ctx,
431 sasl_mech,
432 output.data != NULL ? &output : NULL);
433 if (msg == NULL) {
434 status = NT_STATUS_NO_MEMORY;
435 goto failed;
436 }
437
438 req = ldap_request_send(conn, msg);
439 if (req == NULL) {
440 status = NT_STATUS_NO_MEMORY;
441 goto failed;
442 }
443 talloc_reparent(conn, tmp_ctx, req);
444
445 status = ldap_result_n(req, 0, &response);
446 if (!NT_STATUS_IS_OK(status)) {
447 goto failed;
448 }
449
450 if (response->type != LDAP_TAG_BindResponse) {
451 status = NT_STATUS_UNEXPECTED_NETWORK_ERROR;
452 goto failed;
453 }
454
455 result = response->r.BindResponse.response.resultcode;
456
457 if (result == LDAP_STRONG_AUTH_REQUIRED) {
458 if (wrap_flags == 0) {
459 wrap_flags = ADS_AUTH_SASL_SIGN;
460 goto try_logon_again;
461 }
462 }
463
464 if (result == LDAP_INVALID_CREDENTIALS) {
465 /*
466 try a second time on invalid credentials, to
467 give the user a chance to re-enter the
468 password and to handle the case where our
469 kerberos ticket is invalid as the server
470 password has changed
471 */
472 const char *principal;
473
474 principal = gensec_get_target_principal(conn->gensec);
475 if (principal == NULL) {
476 const char *hostname = gensec_get_target_hostname(conn->gensec);
477 const char *service = gensec_get_target_service(conn->gensec);
478 if (hostname != NULL && service != NULL) {
479 principal = talloc_asprintf(tmp_ctx, "%s/%s", service, hostname);
480 }
481 }
482
483 if (cli_credentials_failed_kerberos_login(creds, principal, &logon_retries) ||
484 cli_credentials_wrong_password(creds)) {
485 /*
486 destroy our gensec session and loop
487 back up to the top to retry,
488 offering the user a chance to enter
489 new credentials, or get a new ticket
490 if using kerberos
491 */
492 goto try_logon_again;
493 }
494 }
495
496 if (result != LDAP_SUCCESS && result != LDAP_SASL_BIND_IN_PROGRESS) {
497 status = ldap_check_response(conn,
498 &response->r.BindResponse.response);
499 break;
500 }
501
502 /* This is where we check if GENSEC wanted to be fed more data */
503 if (!NT_STATUS_EQUAL(gensec_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
504 break;
505 }
506 if (response->r.BindResponse.SASL.secblob) {
507 input = *response->r.BindResponse.SASL.secblob;
508 } else {
509 input = data_blob(NULL, 0);
510 }
511 }
512
513 TALLOC_FREE(tmp_ctx);
514
515 if (!NT_STATUS_IS_OK(status)) {
516 goto failed;
517 }
518
519 conn->bind.type = LDAP_BIND_SASL;
520 conn->bind.creds = creds;
521
522 if (wrap_flags & ADS_AUTH_SASL_SEAL) {
523 if (!gensec_have_feature(conn->gensec, GENSEC_FEATURE_SIGN)) {
524 return NT_STATUS_INVALID_NETWORK_RESPONSE;
525 }
526
527 if (!gensec_have_feature(conn->gensec, GENSEC_FEATURE_SEAL)) {
528 return NT_STATUS_INVALID_NETWORK_RESPONSE;
529 }
530 } else if (wrap_flags & ADS_AUTH_SASL_SIGN) {
531 if (!gensec_have_feature(conn->gensec, GENSEC_FEATURE_SIGN)) {
532 return NT_STATUS_INVALID_NETWORK_RESPONSE;
533 }
534 }
535
536 if (!gensec_have_feature(conn->gensec, GENSEC_FEATURE_SIGN) &&
537 !gensec_have_feature(conn->gensec, GENSEC_FEATURE_SEAL)) {
538 return NT_STATUS_OK;
539 }
540
541 status = gensec_create_tstream(conn->sockets.raw,
542 conn->gensec,
543 conn->sockets.raw,
544 &conn->sockets.sasl);
545 if (!NT_STATUS_IS_OK(status)) {
546 goto failed;
547 }
548
549 conn->sockets.active = conn->sockets.sasl;
550
551 return NT_STATUS_OK;
552
553 failed:
554 talloc_free(tmp_ctx);
555 talloc_free(conn->gensec);
556 conn->gensec = NULL;
557 return status;
558 }
GSS-enabled samba4