search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
ctdb-scripts: Move connection tracking to 10.interface
[samba4-gss.git] / source4 / ldap_server / ldap_server.c
blob3a91f6d4fc2449e5b3494357655d5c06dc16b7fe
1 /*
2 Unix SMB/CIFS implementation.
3
4 LDAP server
5
6 Copyright (C) Andrew Tridgell 2005
7 Copyright (C) Volker Lendecke 2004
8 Copyright (C) Stefan Metzmacher 2004
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "system/network.h"
26 #include "lib/events/events.h"
27 #include "auth/auth.h"
28 #include "auth/credentials/credentials.h"
29 #include "librpc/gen_ndr/ndr_samr.h"
30 #include "../lib/util/dlinklist.h"
31 #include "../lib/util/asn1.h"
32 #include "ldap_server/ldap_server.h"
33 #include "samba/service_task.h"
34 #include "samba/service_stream.h"
35 #include "samba/service.h"
36 #include "samba/process_model.h"
37 #include "lib/tls/tls.h"
38 #include "lib/messaging/irpc.h"
39 #include <ldb.h>
40 #include <ldb_errors.h>
41 #include "libcli/ldap/ldap_proto.h"
42 #include "system/network.h"
43 #include "lib/socket/netif.h"
44 #include "dsdb/samdb/samdb.h"
45 #include "param/param.h"
46 #include "../lib/tsocket/tsocket.h"
47 #include "../lib/util/tevent_ntstatus.h"
48 #include "../libcli/util/tstream.h"
49 #include "libds/common/roles.h"
50 #include "lib/util/time.h"
51 #include "lib/util/server_id.h"
52 #include "lib/util/server_id_db.h"
53 #include "lib/messaging/messaging_internal.h"
54
55 #undef strcasecmp
56
57 #undef DBGC_CLASS
58 #define DBGC_CLASS DBGC_LDAPSRV
59
60 static void ldapsrv_terminate_connection_done(struct tevent_req *subreq);
61
62 /*
63 close the socket and shutdown a server_context
64 */
65 static void ldapsrv_terminate_connection(struct ldapsrv_connection *conn,
66 const char *reason)
67 {
68 struct tevent_req *subreq;
69
70 if (conn->limits.reason) {
71 return;
72 }
73
74 DLIST_REMOVE(conn->service->connections, conn);
75
76 conn->limits.endtime = timeval_current_ofs(0, 500);
77
78 tevent_queue_stop(conn->sockets.send_queue);
79 TALLOC_FREE(conn->sockets.read_req);
80 TALLOC_FREE(conn->deferred_expire_disconnect);
81 if (conn->active_call) {
82 tevent_req_cancel(conn->active_call);
83 conn->active_call = NULL;
84 }
85
86 conn->limits.reason = talloc_strdup(conn, reason);
87 if (conn->limits.reason == NULL) {
88 TALLOC_FREE(conn->sockets.tls);
89 TALLOC_FREE(conn->sockets.sasl);
90 TALLOC_FREE(conn->sockets.raw);
91 stream_terminate_connection(conn->connection, reason);
92 return;
93 }
94
95 subreq = tstream_disconnect_send(conn,
96 conn->connection->event.ctx,
97 conn->sockets.active);
98 if (subreq == NULL) {
99 TALLOC_FREE(conn->sockets.tls);
100 TALLOC_FREE(conn->sockets.sasl);
101 TALLOC_FREE(conn->sockets.raw);
102 stream_terminate_connection(conn->connection, reason);
103 return;
104 }
105 tevent_req_set_endtime(subreq,
106 conn->connection->event.ctx,
107 conn->limits.endtime);
108 tevent_req_set_callback(subreq, ldapsrv_terminate_connection_done, conn);
109 }
110
111 static void ldapsrv_terminate_connection_done(struct tevent_req *subreq)
112 {
113 struct ldapsrv_connection *conn =
114 tevent_req_callback_data(subreq,
115 struct ldapsrv_connection);
116 int sys_errno;
117 bool ok;
118
119 tstream_disconnect_recv(subreq, &sys_errno);
120 TALLOC_FREE(subreq);
121
122 if (conn->sockets.active == conn->sockets.raw) {
123 TALLOC_FREE(conn->sockets.tls);
124 TALLOC_FREE(conn->sockets.sasl);
125 TALLOC_FREE(conn->sockets.raw);
126 stream_terminate_connection(conn->connection,
127 conn->limits.reason);
128 return;
129 }
130
131 TALLOC_FREE(conn->sockets.tls);
132 TALLOC_FREE(conn->sockets.sasl);
133 conn->sockets.active = conn->sockets.raw;
134
135 subreq = tstream_disconnect_send(conn,
136 conn->connection->event.ctx,
137 conn->sockets.active);
138 if (subreq == NULL) {
139 TALLOC_FREE(conn->sockets.raw);
140 stream_terminate_connection(conn->connection,
141 conn->limits.reason);
142 return;
143 }
144 ok = tevent_req_set_endtime(subreq,
145 conn->connection->event.ctx,
146 conn->limits.endtime);
147 if (!ok) {
148 TALLOC_FREE(conn->sockets.raw);
149 stream_terminate_connection(conn->connection,
150 conn->limits.reason);
151 return;
152 }
153 tevent_req_set_callback(subreq, ldapsrv_terminate_connection_done, conn);
154 }
155
156 /*
157 called when a LDAP socket becomes readable
158 */
159 void ldapsrv_recv(struct stream_connection *c, uint16_t flags)
160 {
161 smb_panic(__location__);
162 }
163
164 /*
165 called when a LDAP socket becomes writable
166 */
167 static void ldapsrv_send(struct stream_connection *c, uint16_t flags)
168 {
169 smb_panic(__location__);
170 }
171
172 static int ldapsrv_load_limits(struct ldapsrv_connection *conn)
173 {
174 TALLOC_CTX *tmp_ctx;
175 const char *attrs[] = { "configurationNamingContext", NULL };
176 const char *attrs2[] = { "lDAPAdminLimits", NULL };
177 struct ldb_message_element *el;
178 struct ldb_result *res = NULL;
179 struct ldb_dn *basedn;
180 struct ldb_dn *conf_dn;
181 struct ldb_dn *policy_dn;
182 unsigned int i;
183 int ret;
184
185 /* set defaults limits in case of failure */
186 conn->limits.initial_timeout = 120;
187 conn->limits.conn_idle_time = 900;
188 conn->limits.max_page_size = 1000;
189 conn->limits.max_notifications = 5;
190 conn->limits.search_timeout = 120;
191 conn->limits.expire_time = (struct timeval) {
192 .tv_sec = get_time_t_max(),
193 };
194
195
196 tmp_ctx = talloc_new(conn);
197 if (tmp_ctx == NULL) {
198 return -1;
199 }
200
201 basedn = ldb_dn_new(tmp_ctx, conn->ldb, NULL);
202 if (basedn == NULL) {
203 goto failed;
204 }
205
206 ret = ldb_search(conn->ldb, tmp_ctx, &res, basedn, LDB_SCOPE_BASE, attrs, NULL);
207 if (ret != LDB_SUCCESS) {
208 goto failed;
209 }
210
211 if (res->count != 1) {
212 goto failed;
213 }
214
215 conf_dn = ldb_msg_find_attr_as_dn(conn->ldb, tmp_ctx, res->msgs[0], "configurationNamingContext");
216 if (conf_dn == NULL) {
217 goto failed;
218 }
219
220 policy_dn = ldb_dn_copy(tmp_ctx, conf_dn);
221 ldb_dn_add_child_fmt(policy_dn, "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services");
222 if (policy_dn == NULL) {
223 goto failed;
224 }
225
226 ret = ldb_search(conn->ldb, tmp_ctx, &res, policy_dn, LDB_SCOPE_BASE, attrs2, NULL);
227 if (ret != LDB_SUCCESS) {
228 goto failed;
229 }
230
231 if (res->count != 1) {
232 goto failed;
233 }
234
235 el = ldb_msg_find_element(res->msgs[0], "lDAPAdminLimits");
236 if (el == NULL) {
237 goto failed;
238 }
239
240 for (i = 0; i < el->num_values; i++) {
241 char policy_name[256];
242 int policy_value, s;
243
244 s = sscanf((const char *)el->values[i].data, "%255[^=]=%d", policy_name, &policy_value);
245 if (s != 2 || policy_value == 0)
246 continue;
247 if (strcasecmp("InitRecvTimeout", policy_name) == 0) {
248 conn->limits.initial_timeout = policy_value;
249 continue;
250 }
251 if (strcasecmp("MaxConnIdleTime", policy_name) == 0) {
252 conn->limits.conn_idle_time = policy_value;
253 continue;
254 }
255 if (strcasecmp("MaxPageSize", policy_name) == 0) {
256 conn->limits.max_page_size = policy_value;
257 continue;
258 }
259 if (strcasecmp("MaxNotificationPerConn", policy_name) == 0) {
260 conn->limits.max_notifications = policy_value;
261 continue;
262 }
263 if (strcasecmp("MaxQueryDuration", policy_name) == 0) {
264 if (policy_value > 0) {
265 conn->limits.search_timeout = policy_value;
266 }
267 continue;
268 }
269 }
270
271 return 0;
272
273 failed:
274 DBG_ERR("Failed to load ldap server query policies\n");
275 talloc_free(tmp_ctx);
276 return -1;
277 }
278
279 static int ldapsrv_call_destructor(struct ldapsrv_call *call)
280 {
281 if (call->conn == NULL) {
282 return 0;
283 }
284
285 DLIST_REMOVE(call->conn->pending_calls, call);
286
287 call->conn = NULL;
288 return 0;
289 }
290
291 static struct tevent_req *ldapsrv_process_call_send(TALLOC_CTX *mem_ctx,
292 struct tevent_context *ev,
293 struct tevent_queue *call_queue,
294 struct ldapsrv_call *call);
295 static NTSTATUS ldapsrv_process_call_recv(struct tevent_req *req);
296
297 static bool ldapsrv_call_read_next(struct ldapsrv_connection *conn);
298 static void ldapsrv_accept_tls_done(struct tevent_req *subreq);
299
300 /*
301 initialise a server_context from a open socket and register a event handler
302 for reading from that socket
303 */
304 static void ldapsrv_accept(struct stream_connection *c,
305 struct auth_session_info *session_info,
306 bool is_privileged,
307 bool is_ldapi)
308 {
309 struct ldapsrv_service *ldapsrv_service =
310 talloc_get_type(c->private_data, struct ldapsrv_service);
311 struct ldapsrv_connection *conn;
312 struct cli_credentials *server_credentials;
313 struct socket_address *socket_address;
314 int port;
315 int ret;
316 struct tevent_req *subreq;
317 struct timeval endtime;
318 char *errstring = NULL;
319
320 conn = talloc_zero(c, struct ldapsrv_connection);
321 if (!conn) {
322 stream_terminate_connection(c, "ldapsrv_accept: out of memory");
323 return;
324 }
325 conn->is_privileged = is_privileged;
326 conn->is_ldapi = is_ldapi;
327
328 conn->sockets.send_queue = tevent_queue_create(conn, "ldapsrv send queue");
329 if (conn->sockets.send_queue == NULL) {
330 stream_terminate_connection(c,
331 "ldapsrv_accept: tevent_queue_create failed");
332 return;
333 }
334
335 TALLOC_FREE(c->event.fde);
336
337 ret = tstream_bsd_existing_socket(conn,
338 socket_get_fd(c->socket),
339 &conn->sockets.raw);
340 if (ret == -1) {
341 stream_terminate_connection(c,
342 "ldapsrv_accept: out of memory");
343 return;
344 }
345 socket_set_flags(c->socket, SOCKET_FLAG_NOCLOSE);
346 /* as server we want to fail early */
347 tstream_bsd_fail_readv_first_error(conn->sockets.raw, true);
348
349 conn->connection = c;
350 conn->service = ldapsrv_service;
351 conn->lp_ctx = ldapsrv_service->lp_ctx;
352
353 c->private_data = conn;
354
355 socket_address = socket_get_my_addr(c->socket, conn);
356 if (!socket_address) {
357 ldapsrv_terminate_connection(conn, "ldapsrv_accept: failed to obtain local socket address!");
358 return;
359 }
360 port = socket_address->port;
361 talloc_free(socket_address);
362 if (port == 3268 || port == 3269) /* Global catalog */ {
363 conn->global_catalog = true;
364 }
365
366 server_credentials = cli_credentials_init_server(conn, conn->lp_ctx);
367 if (!server_credentials) {
368 stream_terminate_connection(c, "Failed to init server credentials\n");
369 return;
370 }
371
372 conn->server_credentials = server_credentials;
373
374 conn->session_info = session_info;
375
376 conn->sockets.active = conn->sockets.raw;
377
378 if (conn->is_privileged) {
379 conn->require_strong_auth = LDAP_SERVER_REQUIRE_STRONG_AUTH_NO;
380 } else {
381 conn->require_strong_auth = lpcfg_ldap_server_require_strong_auth(conn->lp_ctx);
382 }
383
384 if (conn->require_strong_auth ==
385 LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS)
386 {
387 D_ERR("WARNING: You have not configured "
388 "'ldap server require strong auth = "
389 "allow_sasl_over_tls'.\n"
390 "Please change to 'yes' (preferred and default) or "
391 "'allow_sasl_without_tls_channel_bindings' "
392 "(if really needed)\n\n");
393 }
394
395 ret = ldapsrv_backend_Init(conn, &errstring);
396 if (ret != LDB_SUCCESS) {
397 char *reason = talloc_asprintf(conn,
398 "LDB backend for LDAP Init "
399 "failed: %s: %s",
400 errstring, ldb_strerror(ret));
401 ldapsrv_terminate_connection(conn, reason);
402 return;
403 }
404
405 /* load limits from the conf partition */
406 ldapsrv_load_limits(conn); /* should we fail on error ? */
407
408 /* register the server */
409 irpc_add_name(c->msg_ctx, "ldap_server");
410
411 DLIST_ADD_END(ldapsrv_service->connections, conn);
412
413 if (port != 636 && port != 3269) {
414 ldapsrv_call_read_next(conn);
415 return;
416 }
417
418 endtime = timeval_current_ofs(conn->limits.conn_idle_time, 0);
419
420 subreq = tstream_tls_accept_send(conn,
421 conn->connection->event.ctx,
422 conn->sockets.raw,
423 conn->service->tls_params);
424 if (subreq == NULL) {
425 ldapsrv_terminate_connection(conn, "ldapsrv_accept: "
426 "no memory for tstream_tls_accept_send");
427 return;
428 }
429 tevent_req_set_endtime(subreq,
430 conn->connection->event.ctx,
431 endtime);
432 tevent_req_set_callback(subreq, ldapsrv_accept_tls_done, conn);
433 }
434
435 static void ldapsrv_accept_tls_done(struct tevent_req *subreq)
436 {
437 struct ldapsrv_connection *conn =
438 tevent_req_callback_data(subreq,
439 struct ldapsrv_connection);
440 int ret;
441 int sys_errno;
442
443 ret = tstream_tls_accept_recv(subreq, &sys_errno,
444 conn, &conn->sockets.tls);
445 TALLOC_FREE(subreq);
446 if (ret == -1) {
447 const char *reason;
448
449 reason = talloc_asprintf(conn, "ldapsrv_accept_tls_loop: "
450 "tstream_tls_accept_recv() - %d:%s",
451 sys_errno, strerror(sys_errno));
452 if (!reason) {
453 reason = "ldapsrv_accept_tls_loop: "
454 "tstream_tls_accept_recv() - failed";
455 }
456
457 ldapsrv_terminate_connection(conn, reason);
458 return;
459 }
460
461 conn->sockets.active = conn->sockets.tls;
462 conn->referral_scheme = LDAP_REFERRAL_SCHEME_LDAPS;
463 ldapsrv_call_read_next(conn);
464 }
465
466 static void ldapsrv_call_read_done(struct tevent_req *subreq);
467 static NTSTATUS ldapsrv_packet_check(
468 struct tstream_context *stream,
469 void *private_data,
470 DATA_BLOB blob,
471 size_t *packet_size);
472
473 static bool ldapsrv_call_read_next(struct ldapsrv_connection *conn)
474 {
475 struct tevent_req *subreq;
476
477 if (conn->pending_calls != NULL) {
478 conn->limits.endtime = timeval_zero();
479
480 ldapsrv_notification_retry_setup(conn->service, false);
481 } else if (timeval_is_zero(&conn->limits.endtime)) {
482 conn->limits.endtime =
483 timeval_current_ofs(conn->limits.initial_timeout, 0);
484 } else {
485 conn->limits.endtime =
486 timeval_current_ofs(conn->limits.conn_idle_time, 0);
487 }
488
489 if (conn->sockets.read_req != NULL) {
490 return true;
491 }
492
493 /*
494 * The minimum size of a LDAP pdu is 7 bytes
495 *
496 * dumpasn1 -hh ldap-unbind-min.dat
497 *
498 * <30 05 02 01 09 42 00>
499 * 0 5: SEQUENCE {
500 * <02 01 09>
501 * 2 1: INTEGER 9
502 * <42 00>
503 * 5 0: [APPLICATION 2]
504 * : Error: Object has zero length.
505 * : }
506 *
507 * dumpasn1 -hh ldap-unbind-windows.dat
508 *
509 * <30 84 00 00 00 05 02 01 09 42 00>
510 * 0 5: SEQUENCE {
511 * <02 01 09>
512 * 6 1: INTEGER 9
513 * <42 00>
514 * 9 0: [APPLICATION 2]
515 * : Error: Object has zero length.
516 * : }
517 *
518 * This means using an initial read size
519 * of 7 is ok.
520 */
521 subreq = tstream_read_pdu_blob_send(conn,
522 conn->connection->event.ctx,
523 conn->sockets.active,
524 7, /* initial_read_size */
525 ldapsrv_packet_check,
526 conn);
527 if (subreq == NULL) {
528 ldapsrv_terminate_connection(conn, "ldapsrv_call_read_next: "
529 "no memory for tstream_read_pdu_blob_send");
530 return false;
531 }
532 if (!timeval_is_zero(&conn->limits.endtime)) {
533 bool ok;
534 ok = tevent_req_set_endtime(subreq,
535 conn->connection->event.ctx,
536 conn->limits.endtime);
537 if (!ok) {
538 ldapsrv_terminate_connection(
539 conn,
540 "ldapsrv_call_read_next: "
541 "no memory for tevent_req_set_endtime");
542 return false;
543 }
544 }
545 tevent_req_set_callback(subreq, ldapsrv_call_read_done, conn);
546 conn->sockets.read_req = subreq;
547 return true;
548 }
549
550 static void ldapsrv_call_process_done(struct tevent_req *subreq);
551 static int ldapsrv_check_packet_size(
552 struct ldapsrv_connection *conn,
553 size_t size);
554
555 static void ldapsrv_call_read_done(struct tevent_req *subreq)
556 {
557 struct ldapsrv_connection *conn =
558 tevent_req_callback_data(subreq,
559 struct ldapsrv_connection);
560 NTSTATUS status;
561 struct ldapsrv_call *call;
562 struct asn1_data *asn1;
563 DATA_BLOB blob;
564 int ret = LDAP_SUCCESS;
565 struct ldap_request_limits limits = {0};
566
567 conn->sockets.read_req = NULL;
568
569 call = talloc_zero(conn, struct ldapsrv_call);
570 if (!call) {
571 ldapsrv_terminate_connection(conn, "no memory");
572 return;
573 }
574 talloc_set_destructor(call, ldapsrv_call_destructor);
575
576 call->conn = conn;
577
578 status = tstream_read_pdu_blob_recv(subreq,
579 call,
580 &blob);
581 TALLOC_FREE(subreq);
582 if (!NT_STATUS_IS_OK(status)) {
583 const char *reason;
584
585 reason = talloc_asprintf(call, "ldapsrv_call_loop: "
586 "tstream_read_pdu_blob_recv() - %s",
587 nt_errstr(status));
588 if (!reason) {
589 reason = nt_errstr(status);
590 }
591
592 ldapsrv_terminate_connection(conn, reason);
593 return;
594 }
595
596 ret = ldapsrv_check_packet_size(conn, blob.length);
597 if (ret != LDAP_SUCCESS) {
598 ldapsrv_terminate_connection(
599 conn,
600 "Request packet too large");
601 return;
602 }
603
604 asn1 = asn1_init(call, ASN1_MAX_TREE_DEPTH);
605 if (asn1 == NULL) {
606 ldapsrv_terminate_connection(conn, "no memory");
607 return;
608 }
609
610 call->request = talloc(call, struct ldap_message);
611 if (call->request == NULL) {
612 ldapsrv_terminate_connection(conn, "no memory");
613 return;
614 }
615
616 asn1_load_nocopy(asn1, blob.data, blob.length);
617
618 limits.max_search_size =
619 lpcfg_ldap_max_search_request_size(conn->lp_ctx);
620 status = ldap_decode(
621 asn1,
622 &limits,
623 samba_ldap_control_handlers(),
624 call->request);
625 if (!NT_STATUS_IS_OK(status)) {
626 ldapsrv_terminate_connection(conn, nt_errstr(status));
627 return;
628 }
629
630 data_blob_free(&blob);
631 TALLOC_FREE(asn1);
632
633
634 /* queue the call in the global queue */
635 subreq = ldapsrv_process_call_send(call,
636 conn->connection->event.ctx,
637 conn->service->call_queue,
638 call);
639 if (subreq == NULL) {
640 ldapsrv_terminate_connection(conn, "ldapsrv_process_call_send failed");
641 return;
642 }
643 tevent_req_set_callback(subreq, ldapsrv_call_process_done, call);
644 conn->active_call = subreq;
645 }
646
647 static void ldapsrv_call_wait_done(struct tevent_req *subreq);
648 static void ldapsrv_call_writev_start(struct ldapsrv_call *call);
649 static void ldapsrv_call_writev_done(struct tevent_req *subreq);
650
651 static void ldapsrv_call_process_done(struct tevent_req *subreq)
652 {
653 struct ldapsrv_call *call =
654 tevent_req_callback_data(subreq,
655 struct ldapsrv_call);
656 struct ldapsrv_connection *conn = call->conn;
657 NTSTATUS status;
658
659 conn->active_call = NULL;
660
661 status = ldapsrv_process_call_recv(subreq);
662 TALLOC_FREE(subreq);
663 if (!NT_STATUS_IS_OK(status)) {
664 ldapsrv_terminate_connection(conn, nt_errstr(status));
665 return;
666 }
667
668 if (call->wait_send != NULL) {
669 subreq = call->wait_send(call,
670 conn->connection->event.ctx,
671 call->wait_private);
672 if (subreq == NULL) {
673 ldapsrv_terminate_connection(conn,
674 "ldapsrv_call_process_done: "
675 "call->wait_send - no memory");
676 return;
677 }
678 tevent_req_set_callback(subreq,
679 ldapsrv_call_wait_done,
680 call);
681 conn->active_call = subreq;
682 return;
683 }
684
685 ldapsrv_call_writev_start(call);
686 }
687
688 static void ldapsrv_call_wait_done(struct tevent_req *subreq)
689 {
690 struct ldapsrv_call *call =
691 tevent_req_callback_data(subreq,
692 struct ldapsrv_call);
693 struct ldapsrv_connection *conn = call->conn;
694 NTSTATUS status;
695
696 conn->active_call = NULL;
697
698 status = call->wait_recv(subreq);
699 TALLOC_FREE(subreq);
700 if (!NT_STATUS_IS_OK(status)) {
701 const char *reason;
702
703 reason = talloc_asprintf(call, "ldapsrv_call_wait_done: "
704 "call->wait_recv() - %s",
705 nt_errstr(status));
706 if (reason == NULL) {
707 reason = nt_errstr(status);
708 }
709
710 ldapsrv_terminate_connection(conn, reason);
711 return;
712 }
713
714 ldapsrv_call_writev_start(call);
715 }
716
717 static void ldapsrv_call_writev_start(struct ldapsrv_call *call)
718 {
719 struct ldapsrv_connection *conn = call->conn;
720 struct ldapsrv_reply *reply = NULL;
721 struct tevent_req *subreq = NULL;
722 struct timeval endtime;
723 size_t length = 0;
724 size_t i;
725
726 call->iov_count = 0;
727
728 /* build all the replies into an IOV (no copy) */
729 for (reply = call->replies;
730 reply != NULL;
731 reply = reply->next) {
732
733 /* Cap output at 25MB per writev() */
734 if (length > length + reply->blob.length
735 || length + reply->blob.length > LDAP_SERVER_MAX_CHUNK_SIZE) {
736 break;
737 }
738
739 /*
740 * Overflow is harmless here, just used below to
741 * decide if to read or write, but checked above anyway
742 */
743 length += reply->blob.length;
744
745 /*
746 * At worst an overflow would mean we send less
747 * replies
748 */
749 call->iov_count++;
750 }
751
752 if (length == 0) {
753 if (!call->notification.busy) {
754 TALLOC_FREE(call);
755 }
756
757 ldapsrv_call_read_next(conn);
758 return;
759 }
760
761 /* Cap call->iov_count at IOV_MAX */
762 call->iov_count = MIN(call->iov_count, IOV_MAX);
763
764 call->out_iov = talloc_array(call,
765 struct iovec,
766 call->iov_count);
767 if (!call->out_iov) {
768 /* This is not ideal */
769 ldapsrv_terminate_connection(conn,
770 "failed to allocate "
771 "iovec array");
772 return;
773 }
774
775 /* We may have had to cap the number of replies at IOV_MAX */
776 for (i = 0;
777 i < call->iov_count && call->replies != NULL;
778 i++) {
779 reply = call->replies;
780 call->out_iov[i].iov_base = reply->blob.data;
781 call->out_iov[i].iov_len = reply->blob.length;
782
783 /* Keep only the ASN.1 encoded data */
784 talloc_steal(call->out_iov, reply->blob.data);
785
786 DLIST_REMOVE(call->replies, reply);
787 TALLOC_FREE(reply);
788 }
789
790 if (i > call->iov_count) {
791 /* This is not ideal, but also (essentially) impossible */
792 ldapsrv_terminate_connection(conn,
793 "call list ended"
794 "before iov_count");
795 return;
796 }
797
798 subreq = tstream_writev_queue_send(call,
799 conn->connection->event.ctx,
800 conn->sockets.active,
801 conn->sockets.send_queue,
802 call->out_iov, call->iov_count);
803 if (subreq == NULL) {
804 ldapsrv_terminate_connection(conn, "stream_writev_queue_send failed");
805 return;
806 }
807 endtime = timeval_current_ofs(conn->limits.conn_idle_time, 0);
808 tevent_req_set_endtime(subreq,
809 conn->connection->event.ctx,
810 endtime);
811 tevent_req_set_callback(subreq, ldapsrv_call_writev_done, call);
812 }
813
814 static void ldapsrv_call_postprocess_done(struct tevent_req *subreq);
815
816 static void ldapsrv_call_writev_done(struct tevent_req *subreq)
817 {
818 struct ldapsrv_call *call =
819 tevent_req_callback_data(subreq,
820 struct ldapsrv_call);
821 struct ldapsrv_connection *conn = call->conn;
822 int sys_errno;
823 int rc;
824
825 rc = tstream_writev_queue_recv(subreq, &sys_errno);
826 TALLOC_FREE(subreq);
827
828 /* This releases the ASN.1 encoded packets from memory */
829 TALLOC_FREE(call->out_iov);
830 if (rc == -1) {
831 const char *reason;
832
833 reason = talloc_asprintf(call, "ldapsrv_call_writev_done: "
834 "tstream_writev_queue_recv() - %d:%s",
835 sys_errno, strerror(sys_errno));
836 if (reason == NULL) {
837 reason = "ldapsrv_call_writev_done: "
838 "tstream_writev_queue_recv() failed";
839 }
840
841 ldapsrv_terminate_connection(conn, reason);
842 return;
843 }
844
845 if (call->postprocess_send) {
846 subreq = call->postprocess_send(call,
847 conn->connection->event.ctx,
848 call->postprocess_private);
849 if (subreq == NULL) {
850 ldapsrv_terminate_connection(conn, "ldapsrv_call_writev_done: "
851 "call->postprocess_send - no memory");
852 return;
853 }
854 tevent_req_set_callback(subreq,
855 ldapsrv_call_postprocess_done,
856 call);
857 return;
858 }
859
860 /* Perhaps still some more to send */
861 if (call->replies != NULL) {
862 ldapsrv_call_writev_start(call);
863 return;
864 }
865
866 if (!call->notification.busy) {
867 TALLOC_FREE(call);
868 }
869
870 ldapsrv_call_read_next(conn);
871 }
872
873 static void ldapsrv_call_postprocess_done(struct tevent_req *subreq)
874 {
875 struct ldapsrv_call *call =
876 tevent_req_callback_data(subreq,
877 struct ldapsrv_call);
878 struct ldapsrv_connection *conn = call->conn;
879 NTSTATUS status;
880
881 status = call->postprocess_recv(subreq);
882 TALLOC_FREE(subreq);
883 if (!NT_STATUS_IS_OK(status)) {
884 const char *reason;
885
886 reason = talloc_asprintf(call, "ldapsrv_call_postprocess_done: "
887 "call->postprocess_recv() - %s",
888 nt_errstr(status));
889 if (reason == NULL) {
890 reason = nt_errstr(status);
891 }
892
893 ldapsrv_terminate_connection(conn, reason);
894 return;
895 }
896
897 TALLOC_FREE(call);
898
899 ldapsrv_call_read_next(conn);
900 }
901
902 static void ldapsrv_notification_retry_done(struct tevent_req *subreq);
903
904 void ldapsrv_notification_retry_setup(struct ldapsrv_service *service, bool force)
905 {
906 struct ldapsrv_connection *conn = NULL;
907 struct timeval retry;
908 size_t num_pending = 0;
909 size_t num_active = 0;
910
911 if (force) {
912 TALLOC_FREE(service->notification.retry);
913 service->notification.generation += 1;
914 }
915
916 if (service->notification.retry != NULL) {
917 return;
918 }
919
920 for (conn = service->connections; conn != NULL; conn = conn->next) {
921 if (conn->pending_calls == NULL) {
922 continue;
923 }
924
925 num_pending += 1;
926
927 if (conn->pending_calls->notification.generation !=
928 service->notification.generation)
929 {
930 num_active += 1;
931 }
932 }
933
934 if (num_pending == 0) {
935 return;
936 }
937
938 if (num_active != 0) {
939 retry = timeval_current_ofs(0, 100);
940 } else {
941 retry = timeval_current_ofs(5, 0);
942 }
943
944 service->notification.retry = tevent_wakeup_send(service,
945 service->current_ev,
946 retry);
947 if (service->notification.retry == NULL) {
948 /* retry later */
949 return;
950 }
951
952 tevent_req_set_callback(service->notification.retry,
953 ldapsrv_notification_retry_done,
954 service);
955 }
956
957 static void ldapsrv_notification_retry_done(struct tevent_req *subreq)
958 {
959 struct ldapsrv_service *service =
960 tevent_req_callback_data(subreq,
961 struct ldapsrv_service);
962 struct ldapsrv_connection *conn = NULL;
963 struct ldapsrv_connection *conn_next = NULL;
964 bool ok;
965
966 service->notification.retry = NULL;
967
968 ok = tevent_wakeup_recv(subreq);
969 TALLOC_FREE(subreq);
970 if (!ok) {
971 /* ignore */
972 }
973
974 for (conn = service->connections; conn != NULL; conn = conn_next) {
975 struct ldapsrv_call *call = conn->pending_calls;
976
977 conn_next = conn->next;
978
979 if (conn->pending_calls == NULL) {
980 continue;
981 }
982
983 if (conn->active_call != NULL) {
984 continue;
985 }
986
987 DLIST_DEMOTE(conn->pending_calls, call);
988 call->notification.generation =
989 service->notification.generation;
990
991 /* queue the call in the global queue */
992 subreq = ldapsrv_process_call_send(call,
993 conn->connection->event.ctx,
994 conn->service->call_queue,
995 call);
996 if (subreq == NULL) {
997 ldapsrv_terminate_connection(conn,
998 "ldapsrv_process_call_send failed");
999 continue;
1000 }
1001 tevent_req_set_callback(subreq, ldapsrv_call_process_done, call);
1002 conn->active_call = subreq;
1003 }
1004
1005 ldapsrv_notification_retry_setup(service, false);
1006 }
1007
1008 struct ldapsrv_process_call_state {
1009 struct ldapsrv_call *call;
1010 };
1011
1012 static void ldapsrv_process_call_trigger(struct tevent_req *req,
1013 void *private_data);
1014
1015 static struct tevent_req *ldapsrv_process_call_send(TALLOC_CTX *mem_ctx,
1016 struct tevent_context *ev,
1017 struct tevent_queue *call_queue,
1018 struct ldapsrv_call *call)
1019 {
1020 struct tevent_req *req;
1021 struct ldapsrv_process_call_state *state;
1022 bool ok;
1023
1024 req = tevent_req_create(mem_ctx, &state,
1025 struct ldapsrv_process_call_state);
1026 if (req == NULL) {
1027 return req;
1028 }
1029
1030 state->call = call;
1031
1032 ok = tevent_queue_add(call_queue, ev, req,
1033 ldapsrv_process_call_trigger, NULL);
1034 if (!ok) {
1035 tevent_req_oom(req);
1036 return tevent_req_post(req, ev);
1037 }
1038
1039 return req;
1040 }
1041
1042 static void ldapsrv_disconnect_ticket_expired(struct tevent_req *subreq);
1043
1044 static void ldapsrv_process_call_trigger(struct tevent_req *req,
1045 void *private_data)
1046 {
1047 struct ldapsrv_process_call_state *state =
1048 tevent_req_data(req,
1049 struct ldapsrv_process_call_state);
1050 struct ldapsrv_connection *conn = state->call->conn;
1051 NTSTATUS status;
1052
1053 if (conn->deferred_expire_disconnect != NULL) {
1054 /*
1055 * Just drop this on the floor
1056 */
1057 tevent_req_done(req);
1058 return;
1059 }
1060
1061 /* make the call */
1062 status = ldapsrv_do_call(state->call);
1063
1064 if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_SESSION_EXPIRED)) {
1065 /*
1066 * For testing purposes, defer the TCP disconnect
1067 * after having sent the msgid 0
1068 * 1.3.6.1.4.1.1466.20036 exop response. LDAP clients
1069 * should not wait for the TCP connection to close but
1070 * handle this packet equivalent to a TCP
1071 * disconnect. This delay enables testing both cases
1072 * in LDAP client libraries.
1073 */
1074
1075 int defer_msec = lpcfg_parm_int(
1076 conn->lp_ctx,
1077 NULL,
1078 "ldap_server",
1079 "delay_expire_disconnect",
1080 0);
1081
1082 conn->deferred_expire_disconnect = tevent_wakeup_send(
1083 conn,
1084 conn->connection->event.ctx,
1085 timeval_current_ofs_msec(defer_msec));
1086 if (tevent_req_nomem(conn->deferred_expire_disconnect, req)) {
1087 return;
1088 }
1089 tevent_req_set_callback(
1090 conn->deferred_expire_disconnect,
1091 ldapsrv_disconnect_ticket_expired,
1092 conn);
1093
1094 tevent_req_done(req);
1095 return;
1096 }
1097
1098 if (!NT_STATUS_IS_OK(status)) {
1099 tevent_req_nterror(req, status);
1100 return;
1101 }
1102
1103 tevent_req_done(req);
1104 }
1105
1106 static void ldapsrv_disconnect_ticket_expired(struct tevent_req *subreq)
1107 {
1108 struct ldapsrv_connection *conn = tevent_req_callback_data(
1109 subreq, struct ldapsrv_connection);
1110 bool ok;
1111
1112 ok = tevent_wakeup_recv(subreq);
1113 TALLOC_FREE(subreq);
1114 if (!ok) {
1115 DBG_WARNING("tevent_wakeup_recv failed\n");
1116 }
1117 conn->deferred_expire_disconnect = NULL;
1118 ldapsrv_terminate_connection(conn, "network session expired");
1119 }
1120
1121 static NTSTATUS ldapsrv_process_call_recv(struct tevent_req *req)
1122 {
1123 NTSTATUS status;
1124
1125 if (tevent_req_is_nterror(req, &status)) {
1126 tevent_req_received(req);
1127 return status;
1128 }
1129
1130 tevent_req_received(req);
1131 return NT_STATUS_OK;
1132 }
1133
1134 static void ldapsrv_accept_nonpriv(struct stream_connection *c)
1135 {
1136 struct ldapsrv_service *ldapsrv_service = talloc_get_type_abort(
1137 c->private_data, struct ldapsrv_service);
1138 struct auth_session_info *session_info;
1139 NTSTATUS status;
1140
1141 status = auth_anonymous_session_info(
1142 c, ldapsrv_service->lp_ctx, &session_info);
1143 if (!NT_STATUS_IS_OK(status)) {
1144 stream_terminate_connection(c, "failed to setup anonymous "
1145 "session info");
1146 return;
1147 }
1148 ldapsrv_accept(c, session_info, false, false);
1149 }
1150
1151 static const struct stream_server_ops ldap_stream_nonpriv_ops = {
1152 .name = "ldap",
1153 .accept_connection = ldapsrv_accept_nonpriv,
1154 .recv_handler = ldapsrv_recv,
1155 .send_handler = ldapsrv_send,
1156 };
1157
1158 static void ldapsrv_accept_nonpriv_ldapi(struct stream_connection *c)
1159 {
1160 struct ldapsrv_service *ldapsrv_service = talloc_get_type_abort(
1161 c->private_data, struct ldapsrv_service);
1162 struct auth_session_info *session_info;
1163 NTSTATUS status;
1164
1165 status = auth_anonymous_session_info(
1166 c, ldapsrv_service->lp_ctx, &session_info);
1167 if (!NT_STATUS_IS_OK(status)) {
1168 stream_terminate_connection(c, "failed to setup anonymous "
1169 "session info");
1170 return;
1171 }
1172 ldapsrv_accept(c, session_info, false, true);
1173 }
1174
1175 static const struct stream_server_ops ldapi_stream_nonpriv_ops = {
1176 .name = "ldap",
1177 .accept_connection = ldapsrv_accept_nonpriv_ldapi,
1178 .recv_handler = ldapsrv_recv,
1179 .send_handler = ldapsrv_send,
1180 };
1181
1182 /* The feature removed behind an #ifdef until we can do it properly
1183 * with an EXTERNAL bind. */
1184
1185 #define WITH_LDAPI_PRIV_SOCKET
1186
1187 #ifdef WITH_LDAPI_PRIV_SOCKET
1188 static void ldapsrv_accept_priv_ldapi(struct stream_connection *c)
1189 {
1190 struct ldapsrv_service *ldapsrv_service = talloc_get_type_abort(
1191 c->private_data, struct ldapsrv_service);
1192 struct auth_session_info *session_info;
1193
1194 session_info = system_session(ldapsrv_service->lp_ctx);
1195 if (!session_info) {
1196 stream_terminate_connection(c, "failed to setup system "
1197 "session info");
1198 return;
1199 }
1200 ldapsrv_accept(c, session_info, true, true);
1201 }
1202
1203 static const struct stream_server_ops ldapi_stream_priv_ops = {
1204 .name = "ldap",
1205 .accept_connection = ldapsrv_accept_priv_ldapi,
1206 .recv_handler = ldapsrv_recv,
1207 .send_handler = ldapsrv_send,
1208 };
1209
1210 #endif
1211
1212
1213 /*
1214 add a socket address to the list of events, one event per port
1215 */
1216 static NTSTATUS add_socket(struct task_server *task,
1217 struct loadparm_context *lp_ctx,
1218 const struct model_ops *model_ops,
1219 const char *address, struct ldapsrv_service *ldap_service)
1220 {
1221 uint16_t port = 389;
1222 NTSTATUS status;
1223 struct ldb_context *ldb;
1224
1225 status = stream_setup_socket(task, task->event_ctx, lp_ctx,
1226 model_ops, &ldap_stream_nonpriv_ops,
1227 "ip", address, &port,
1228 lpcfg_socket_options(lp_ctx),
1229 ldap_service, task->process_context);
1230 if (!NT_STATUS_IS_OK(status)) {
1231 DBG_ERR("ldapsrv failed to bind to %s:%u - %s\n",
1232 address, port, nt_errstr(status));
1233 return status;
1234 }
1235
1236 if (tstream_tls_params_enabled(ldap_service->tls_params)) {
1237 /* add ldaps server */
1238 port = 636;
1239 status = stream_setup_socket(task, task->event_ctx, lp_ctx,
1240 model_ops,
1241 &ldap_stream_nonpriv_ops,
1242 "ip", address, &port,
1243 lpcfg_socket_options(lp_ctx),
1244 ldap_service,
1245 task->process_context);
1246 if (!NT_STATUS_IS_OK(status)) {
1247 DBG_ERR("ldapsrv failed to bind to %s:%u - %s\n",
1248 address, port, nt_errstr(status));
1249 return status;
1250 }
1251 }
1252
1253 /* Load LDAP database, but only to read our settings */
1254 ldb = samdb_connect(ldap_service,
1255 ldap_service->current_ev,
1256 lp_ctx,
1257 system_session(lp_ctx),
1258 NULL,
1259 0);
1260 if (!ldb) {
1261 return NT_STATUS_INTERNAL_DB_CORRUPTION;
1262 }
1263
1264 if (samdb_is_gc(ldb)) {
1265 port = 3268;
1266 status = stream_setup_socket(task, task->event_ctx, lp_ctx,
1267 model_ops,
1268 &ldap_stream_nonpriv_ops,
1269 "ip", address, &port,
1270 lpcfg_socket_options(lp_ctx),
1271 ldap_service,
1272 task->process_context);
1273 if (!NT_STATUS_IS_OK(status)) {
1274 DBG_ERR("ldapsrv failed to bind to %s:%u - %s\n",
1275 address, port, nt_errstr(status));
1276 return status;
1277 }
1278 if (tstream_tls_params_enabled(ldap_service->tls_params)) {
1279 /* add ldaps server for the global catalog */
1280 port = 3269;
1281 status = stream_setup_socket(task, task->event_ctx, lp_ctx,
1282 model_ops,
1283 &ldap_stream_nonpriv_ops,
1284 "ip", address, &port,
1285 lpcfg_socket_options(lp_ctx),
1286 ldap_service,
1287 task->process_context);
1288 if (!NT_STATUS_IS_OK(status)) {
1289 DBG_ERR("ldapsrv failed to bind to %s:%u - %s\n",
1290 address, port, nt_errstr(status));
1291 return status;
1292 }
1293 }
1294 }
1295
1296 /* And once we are bound, free the temporary ldb, it will
1297 * connect again on each incoming LDAP connection */
1298 talloc_unlink(ldap_service, ldb);
1299
1300 return NT_STATUS_OK;
1301 }
1302
1303 static void ldap_reload_certs(struct imessaging_context *msg_ctx,
1304 void *private_data,
1305 uint32_t msg_type,
1306 struct server_id server_id,
1307 size_t num_fds,
1308 int *fds,
1309 DATA_BLOB *data)
1310 {
1311 TALLOC_CTX *frame = talloc_stackframe();
1312 struct ldapsrv_service *ldap_service =
1313 talloc_get_type_abort(private_data,
1314 struct ldapsrv_service);
1315 int default_children;
1316 int num_children;
1317 int i;
1318 bool ok;
1319 struct server_id ldap_master_id;
1320 NTSTATUS status;
1321 struct tstream_tls_params *new_tls_params = NULL;
1322
1323 SMB_ASSERT(msg_ctx == ldap_service->current_msg);
1324
1325 /* reload certificates */
1326 status = tstream_tls_params_server(ldap_service,
1327 ldap_service->dns_host_name,
1328 lpcfg_tls_enabled(ldap_service->lp_ctx),
1329 lpcfg_tls_keyfile(frame, ldap_service->lp_ctx),
1330 lpcfg_tls_certfile(frame, ldap_service->lp_ctx),
1331 lpcfg_tls_cafile(frame, ldap_service->lp_ctx),
1332 lpcfg_tls_crlfile(frame, ldap_service->lp_ctx),
1333 lpcfg_tls_dhpfile(frame, ldap_service->lp_ctx),
1334 lpcfg_tls_priority(ldap_service->lp_ctx),
1335 &new_tls_params);
1336 if (!NT_STATUS_IS_OK(status)) {
1337 DBG_ERR("ldapsrv failed tstream_tls_params_server - %s\n",
1338 nt_errstr(status));
1339 TALLOC_FREE(frame);
1340 return;
1341 }
1342
1343 TALLOC_FREE(ldap_service->tls_params);
1344 ldap_service->tls_params = new_tls_params;
1345
1346 if (getpid() != ldap_service->parent_pid) {
1347 /*
1348 * If we are not the master process we are done
1349 */
1350 TALLOC_FREE(frame);
1351 return;
1352 }
1353
1354 /*
1355 * Check we're running under the prefork model,
1356 * by checking if the prefork-master-ldap name
1357 * was registered
1358 */
1359 ok = server_id_db_lookup_one(msg_ctx->names, "prefork-master-ldap", &ldap_master_id);
1360 if (!ok) {
1361 /*
1362 * We are done if another process model is in use.
1363 */
1364 TALLOC_FREE(frame);
1365 return;
1366 }
1367
1368 /*
1369 * Now we loop over all possible prefork workers
1370 * in order to notify them about the reload
1371 */
1372 default_children = lpcfg_prefork_children(ldap_service->lp_ctx);
1373 num_children = lpcfg_parm_int(ldap_service->lp_ctx,
1374 NULL, "prefork children", "ldap",
1375 default_children);
1376 for (i = 0; i < num_children; i++) {
1377 char child_name[64] = { 0, };
1378 struct server_id ldap_worker_id;
1379
1380 snprintf(child_name, sizeof(child_name), "prefork-worker-ldap-%d", i);
1381 ok = server_id_db_lookup_one(msg_ctx->names, child_name, &ldap_worker_id);
1382 if (!ok) {
1383 DBG_ERR("server_id_db_lookup_one(%s) - failed\n",
1384 child_name);
1385 continue;
1386 }
1387
1388 status = imessaging_send(msg_ctx, ldap_worker_id,
1389 MSG_RELOAD_TLS_CERTIFICATES, NULL);
1390 if (!NT_STATUS_IS_OK(status)) {
1391 struct server_id_buf id_buf;
1392 DBG_ERR("ldapsrv failed imessaging_send(%s, %s) - %s\n",
1393 child_name,
1394 server_id_str_buf(ldap_worker_id, &id_buf),
1395 nt_errstr(status));
1396 continue;
1397 }
1398 }
1399
1400 TALLOC_FREE(frame);
1401 }
1402
1403 /*
1404 open the ldap server sockets
1405 */
1406 static NTSTATUS ldapsrv_task_init(struct task_server *task)
1407 {
1408 char *ldapi_path;
1409 #ifdef WITH_LDAPI_PRIV_SOCKET
1410 char *priv_dir;
1411 #endif
1412 struct ldapsrv_service *ldap_service;
1413 NTSTATUS status;
1414
1415 switch (lpcfg_server_role(task->lp_ctx)) {
1416 case ROLE_STANDALONE:
1417 task_server_terminate(task, "ldap_server: no LDAP server required in standalone configuration",
1418 false);
1419 return NT_STATUS_INVALID_DOMAIN_ROLE;
1420 case ROLE_DOMAIN_MEMBER:
1421 task_server_terminate(task, "ldap_server: no LDAP server required in member server configuration",
1422 false);
1423 return NT_STATUS_INVALID_DOMAIN_ROLE;
1424 case ROLE_ACTIVE_DIRECTORY_DC:
1425 /* Yes, we want an LDAP server */
1426 break;
1427 }
1428
1429 task_server_set_title(task, "task[ldapsrv]");
1430
1431 ldap_service = talloc_zero(task, struct ldapsrv_service);
1432 if (ldap_service == NULL) {
1433 status = NT_STATUS_NO_MEMORY;
1434 goto failed;
1435 }
1436
1437 ldap_service->lp_ctx = task->lp_ctx;
1438 ldap_service->current_ev = task->event_ctx;
1439 ldap_service->current_msg = task->msg_ctx;
1440
1441 ldap_service->dns_host_name = talloc_asprintf(ldap_service, "%s.%s",
1442 lpcfg_netbios_name(task->lp_ctx),
1443 lpcfg_dnsdomain(task->lp_ctx));
1444 if (ldap_service->dns_host_name == NULL) {
1445 status = NT_STATUS_NO_MEMORY;
1446 goto failed;
1447 }
1448
1449 ldap_service->parent_pid = getpid();
1450
1451 status = tstream_tls_params_server(ldap_service,
1452 ldap_service->dns_host_name,
1453 lpcfg_tls_enabled(task->lp_ctx),
1454 lpcfg_tls_keyfile(ldap_service, task->lp_ctx),
1455 lpcfg_tls_certfile(ldap_service, task->lp_ctx),
1456 lpcfg_tls_cafile(ldap_service, task->lp_ctx),
1457 lpcfg_tls_crlfile(ldap_service, task->lp_ctx),
1458 lpcfg_tls_dhpfile(ldap_service, task->lp_ctx),
1459 lpcfg_tls_priority(task->lp_ctx),
1460 &ldap_service->tls_params);
1461 if (!NT_STATUS_IS_OK(status)) {
1462 DBG_ERR("ldapsrv failed tstream_tls_params_server - %s\n",
1463 nt_errstr(status));
1464 goto failed;
1465 }
1466
1467 ldap_service->call_queue = tevent_queue_create(ldap_service, "ldapsrv_call_queue");
1468 if (ldap_service->call_queue == NULL) {
1469 status = NT_STATUS_NO_MEMORY;
1470 goto failed;
1471 }
1472
1473 if (lpcfg_interfaces(task->lp_ctx) && lpcfg_bind_interfaces_only(task->lp_ctx)) {
1474 struct interface *ifaces;
1475 int num_interfaces;
1476 int i;
1477
1478 load_interface_list(task, task->lp_ctx, &ifaces);
1479 num_interfaces = iface_list_count(ifaces);
1480
1481 /* We have been given an interfaces line, and been
1482 told to only bind to those interfaces. Create a
1483 socket per interface and bind to only these.
1484 */
1485 for(i = 0; i < num_interfaces; i++) {
1486 const char *address = iface_list_n_ip(ifaces, i);
1487 status = add_socket(task, task->lp_ctx, task->model_ops,
1488 address, ldap_service);
1489 if (!NT_STATUS_IS_OK(status)) goto failed;
1490 }
1491 } else {
1492 char **wcard;
1493 size_t i;
1494 size_t num_binds = 0;
1495 wcard = iface_list_wildcard(task);
1496 if (wcard == NULL) {
1497 DBG_ERR("No wildcard addresses available\n");
1498 status = NT_STATUS_UNSUCCESSFUL;
1499 goto failed;
1500 }
1501 for (i=0; wcard[i]; i++) {
1502 status = add_socket(task, task->lp_ctx, task->model_ops,
1503 wcard[i], ldap_service);
1504 if (NT_STATUS_IS_OK(status)) {
1505 num_binds++;
1506 }
1507 }
1508 talloc_free(wcard);
1509 if (num_binds == 0) {
1510 status = NT_STATUS_UNSUCCESSFUL;
1511 goto failed;
1512 }
1513 }
1514
1515 ldapi_path = lpcfg_private_path(ldap_service, task->lp_ctx, "ldapi");
1516 if (!ldapi_path) {
1517 status = NT_STATUS_UNSUCCESSFUL;
1518 goto failed;
1519 }
1520
1521 status = stream_setup_socket(task, task->event_ctx, task->lp_ctx,
1522 task->model_ops, &ldapi_stream_nonpriv_ops,
1523 "unix", ldapi_path, NULL,
1524 lpcfg_socket_options(task->lp_ctx),
1525 ldap_service, task->process_context);
1526 talloc_free(ldapi_path);
1527 if (!NT_STATUS_IS_OK(status)) {
1528 DBG_ERR("ldapsrv failed to bind to %s - %s\n",
1529 ldapi_path, nt_errstr(status));
1530 }
1531
1532 #ifdef WITH_LDAPI_PRIV_SOCKET
1533 priv_dir = lpcfg_private_path(ldap_service, task->lp_ctx, "ldap_priv");
1534 if (priv_dir == NULL) {
1535 status = NT_STATUS_UNSUCCESSFUL;
1536 goto failed;
1537 }
1538 /*
1539 * Make sure the directory for the privileged ldapi socket exists, and
1540 * is of the correct permissions
1541 */
1542 if (!directory_create_or_exist(priv_dir, 0750)) {
1543 task_server_terminate(task, "Cannot create ldap "
1544 "privileged ldapi directory", true);
1545 return NT_STATUS_UNSUCCESSFUL;
1546 }
1547 ldapi_path = talloc_asprintf(ldap_service, "%s/ldapi", priv_dir);
1548 talloc_free(priv_dir);
1549 if (ldapi_path == NULL) {
1550 status = NT_STATUS_NO_MEMORY;
1551 goto failed;
1552 }
1553
1554 status = stream_setup_socket(task, task->event_ctx, task->lp_ctx,
1555 task->model_ops, &ldapi_stream_priv_ops,
1556 "unix", ldapi_path, NULL,
1557 lpcfg_socket_options(task->lp_ctx),
1558 ldap_service,
1559 task->process_context);
1560 talloc_free(ldapi_path);
1561 if (!NT_STATUS_IS_OK(status)) {
1562 DBG_ERR("ldapsrv failed to bind to %s - %s\n",
1563 ldapi_path, nt_errstr(status));
1564 }
1565
1566 #endif
1567
1568 /* register the server */
1569 irpc_add_name(task->msg_ctx, "ldap_server");
1570
1571 task->private_data = ldap_service;
1572
1573 return NT_STATUS_OK;
1574
1575 failed:
1576 task_server_terminate(task, "Failed to startup ldap server task", true);
1577 return status;
1578 }
1579
1580 /*
1581 * Open a database to be later used by LDB wrap code (although it should be
1582 * plumbed through correctly eventually).
1583 */
1584 static void ldapsrv_post_fork(struct task_server *task, struct process_details *pd)
1585 {
1586 struct ldapsrv_service *ldap_service =
1587 talloc_get_type_abort(task->private_data, struct ldapsrv_service);
1588
1589 /*
1590 * As ldapsrv_before_loop() may changed the values for the parent loop
1591 * we need to adjust the pointers to the correct value in the child
1592 */
1593 ldap_service->lp_ctx = task->lp_ctx;
1594 ldap_service->current_ev = task->event_ctx;
1595 ldap_service->current_msg = task->msg_ctx;
1596
1597 ldap_service->sam_ctx = samdb_connect(ldap_service,
1598 ldap_service->current_ev,
1599 ldap_service->lp_ctx,
1600 system_session(ldap_service->lp_ctx),
1601 NULL,
1602 0);
1603 if (ldap_service->sam_ctx == NULL) {
1604 task_server_terminate(task, "Cannot open system session LDB",
1605 true);
1606 return;
1607 }
1608 }
1609
1610 static void ldapsrv_before_loop(struct task_server *task)
1611 {
1612 struct ldapsrv_service *ldap_service =
1613 talloc_get_type_abort(task->private_data, struct ldapsrv_service);
1614 NTSTATUS status;
1615
1616 if (ldap_service->sam_ctx != NULL) {
1617 /*
1618 * Make sure the values are still the same
1619 * as set in ldapsrv_post_fork()
1620 */
1621 SMB_ASSERT(task->lp_ctx == ldap_service->lp_ctx);
1622 SMB_ASSERT(task->event_ctx == ldap_service->current_ev);
1623 SMB_ASSERT(task->msg_ctx == ldap_service->current_msg);
1624 } else {
1625 /*
1626 * We need to adjust the pointers to the correct value
1627 * in the parent loop.
1628 */
1629 ldap_service->lp_ctx = task->lp_ctx;
1630 ldap_service->current_ev = task->event_ctx;
1631 ldap_service->current_msg = task->msg_ctx;
1632 }
1633
1634 status = imessaging_register(ldap_service->current_msg,
1635 ldap_service,
1636 MSG_RELOAD_TLS_CERTIFICATES,
1637 ldap_reload_certs);
1638 if (!NT_STATUS_IS_OK(status)) {
1639 task_server_terminate(task, "Cannot register ldap_reload_certs",
1640 true);
1641 return;
1642 }
1643 }
1644
1645 /*
1646 * Check the size of an ldap request packet.
1647 *
1648 * For authenticated connections the maximum packet size is controlled by
1649 * the smb.conf parameter "ldap max authenticated request size"
1650 *
1651 * For anonymous connections the maximum packet size is controlled by
1652 * the smb.conf parameter "ldap max anonymous request size"
1653 */
1654 static int ldapsrv_check_packet_size(
1655 struct ldapsrv_connection *conn,
1656 size_t size)
1657 {
1658 bool is_anonymous = false;
1659 size_t max_size = 0;
1660
1661 max_size = lpcfg_ldap_max_anonymous_request_size(conn->lp_ctx);
1662 if (size <= max_size) {
1663 return LDAP_SUCCESS;
1664 }
1665
1666 /*
1667 * Request is larger than the maximum unauthenticated request size.
1668 * As this code is called frequently we avoid calling
1669 * security_token_is_anonymous if possible
1670 */
1671 if (conn->session_info != NULL &&
1672 conn->session_info->security_token != NULL) {
1673 is_anonymous = security_token_is_anonymous(
1674 conn->session_info->security_token);
1675 }
1676
1677 if (is_anonymous) {
1678 DBG_WARNING(
1679 "LDAP request size (%zu) exceeds (%zu)\n",
1680 size,
1681 max_size);
1682 return LDAP_UNWILLING_TO_PERFORM;
1683 }
1684
1685 max_size = lpcfg_ldap_max_authenticated_request_size(conn->lp_ctx);
1686 if (size > max_size) {
1687 DBG_WARNING(
1688 "LDAP request size (%zu) exceeds (%zu)\n",
1689 size,
1690 max_size);
1691 return LDAP_UNWILLING_TO_PERFORM;
1692 }
1693 return LDAP_SUCCESS;
1694
1695 }
1696
1697 /*
1698 * Check that the blob contains enough data to be a valid packet
1699 * If there is a packet header check the size to ensure that it does not
1700 * exceed the maximum sizes.
1701 *
1702 */
1703 static NTSTATUS ldapsrv_packet_check(
1704 struct tstream_context *stream,
1705 void *private_data,
1706 DATA_BLOB blob,
1707 size_t *packet_size)
1708 {
1709 NTSTATUS ret;
1710 struct ldapsrv_connection *conn = private_data;
1711 int result = LDB_SUCCESS;
1712
1713 ret = ldap_full_packet(stream, private_data, blob, packet_size);
1714 if (!NT_STATUS_IS_OK(ret)) {
1715 return ret;
1716 }
1717 result = ldapsrv_check_packet_size(conn, *packet_size);
1718 if (result != LDAP_SUCCESS) {
1719 return NT_STATUS_LDAP(result);
1720 }
1721 return NT_STATUS_OK;
1722 }
1723
1724 NTSTATUS server_service_ldap_init(TALLOC_CTX *ctx)
1725 {
1726 static const struct service_details details = {
1727 .inhibit_fork_on_accept = false,
1728 .inhibit_pre_fork = false,
1729 .task_init = ldapsrv_task_init,
1730 .post_fork = ldapsrv_post_fork,
1731 .before_loop = ldapsrv_before_loop,
1732 };
1733 return register_server_service(ctx, "ldap", &details);
1734 }
GSS-enabled samba4