From 4503ddc155402d9a573e09b7e1b99ae244d5468b Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 8 Oct 2004 12:31:13 +0000 Subject: r2864: - Bind and Unbind are no directory partition operations - move Bind Unbind code to a seperate file metze (This used to be commit 3aa1a298970eab563ff6304210bee4696ecec105) --- source4/ldap_server/ldap_bind.c | 52 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 source4/ldap_server/ldap_bind.c (limited to 'source4/ldap_server/ldap_bind.c') diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c new file mode 100644 index 0000000000..d0e24bde29 --- /dev/null +++ b/source4/ldap_server/ldap_bind.c 
@@ -0,0 +1,52 @@
+/*
+ Unix SMB/CIFS implementation.
+ LDAP server
+ Copyright (C) Stefan Metzmacher 2004
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+
+
+NTSTATUS ldapsrv_BindRequest(struct ldapsrv_call *call)
+{
+ struct ldap_BindRequest *req = &call->request.r.BindRequest;
+ struct ldapsrv_reply *reply;
+ struct ldap_BindResponse *resp;
+
+ DEBUG(10, ("BindRequest dn: %s\n",req->dn));
+
+ reply = ldapsrv_init_reply(call, LDAP_TAG_BindResponse);
+ if (!reply) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ resp = &reply->msg.r.BindResponse;
+ resp->response.resultcode = 0;
+ resp->response.dn = NULL;
+ resp->response.errormessage = NULL;
+ resp->response.referral = NULL;
+ resp->SASL.secblob = data_blob(NULL, 0);
+
+ return ldapsrv_queue_reply(call, reply);
+}
+
+NTSTATUS ldapsrv_UnbindRequest(struct ldapsrv_call *call)
+{
+/* struct ldap_UnbindRequest *req = &call->request->r.UnbindRequest;*/
+ DEBUG(10, ("UnbindRequest\n"));
+ return NT_STATUS_OK;
+}
-- cgit
From 73e9f435f5e797b7c3b9874b57d081c2714a8bca Mon Sep 17 00:00:00 2001
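Review bot: ldapsrv_BindRequest answers every request with `resp->response.resultcode = 0` and reads nothing from `req` except `req->dn` for the debug line, so any DN with any password is accepted as a successful simple bind and the connection keeps no record of who bound. If this is deliberate scaffolding, say so where the reply is built, e.g. `/* TODO: no credential check yet - every bind is answered with success and no session is established */`, so the gap is not mistaken for finished code. Separately, `DEBUG(10, ("BindRequest dn: %s\n",req->dn))` hands req->dn straight to %s; if the parser can leave it NULL for an anonymous bind (not visible here), print `req->dn ? req->dn : ""` instead.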
From: Stefan Metzmacher Date: Sat, 9 Oct 2004 22:00:00 +0000 Subject: r2878: add server sasl support (there are a lot of clean ups following later, but the LDAP-BASIC test works :-) metze (This used to be commit 34fe29c04a76f2f53f27adcaf9be2dce8d177516) --- source4/ldap_server/ldap_bind.c | 120 +++++++++++++++++++++++++++++++++++++++- 1 file changed, 117 insertions(+), 3 deletions(-) (limited to 'source4/ldap_server/ldap_bind.c') diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c index d0e24bde29..3d9cd4b984 100644 --- a/source4/ldap_server/ldap_bind.c +++ b/source4/ldap_server/ldap_bind.c @@ -21,13 +21,13 @@ #include "includes.h" -NTSTATUS ldapsrv_BindRequest(struct ldapsrv_call *call) +static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call) { struct ldap_BindRequest *req = &call->request.r.BindRequest; struct ldapsrv_reply *reply; struct ldap_BindResponse *resp; - DEBUG(10, ("BindRequest dn: %s\n",req->dn)); + DEBUG(10, ("BindSimple dn: %s\n",req->dn)); reply = ldapsrv_init_reply(call, LDAP_TAG_BindResponse); if (!reply) { 
@@ -44,9 +44,123 @@ NTSTATUS ldapsrv_BindRequest(struct ldapsrv_call *call) return ldapsrv_queue_reply(call, reply); } +static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call) +{ + struct ldap_BindRequest *req = &call->request.r.BindRequest; + struct ldapsrv_reply *reply; + struct ldap_BindResponse *resp; + int result; + const char *errstr; + NTSTATUS status = NT_STATUS_OK; + NTSTATUS sasl_status; + BOOL ret; + + DEBUG(10, ("BindSASL dn: %s\n",req->dn)); + + if (!call->conn->gensec) { + call->conn->session_info = NULL; + + status = gensec_server_start(call->conn, &call->conn->gensec); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to start GENSEC server code: %s\n", nt_errstr(status))); + return status; + } + + gensec_want_feature(call->conn->gensec, GENSEC_WANT_SIGN|GENSEC_WANT_SEAL); + + status = gensec_start_mech_by_sasl_name(call->conn->gensec, req->creds.SASL.mechanism); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to start GENSEC SASL[%s] server code: %s\n", + req->creds.SASL.mechanism, nt_errstr(status))); + goto reply; + } + } + +reply: + reply = ldapsrv_init_reply(call, LDAP_TAG_BindResponse); + if (!reply) { + return NT_STATUS_NO_MEMORY; + } + resp = &reply->msg.r.BindResponse; + + if (NT_STATUS_IS_OK(status)) { + status = gensec_update(call->conn->gensec, reply, + req->creds.SASL.secblob, &resp->SASL.secblob); + } + + if (NT_STATUS_EQUAL(NT_STATUS_MORE_PROCESSING_REQUIRED, status)) { + result = LDAP_SASL_BIND_IN_PROGRESS; + errstr = NULL; + } else if (NT_STATUS_IS_OK(status)) { + result = LDAP_SUCCESS; + errstr = NULL; + } else { + result = 49; + errstr = talloc_asprintf(reply, "SASL:[%s]: %s", req->creds.SASL.mechanism, nt_errstr(status)); + } + + resp->response.resultcode = result; + resp->response.dn = NULL; + resp->response.errormessage = errstr; + resp->response.referral = NULL; + + sasl_status = status; + status = ldapsrv_queue_reply(call, reply); + if (!NT_STATUS_IS_OK(sasl_status) || !NT_STATUS_IS_OK(status)) { + return 
status; + } + + status = ldapsrv_do_responses(call->conn); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + ret = ldapsrv_append_to_buf(&call->conn->sasl_out_buffer, call->conn->out_buffer.data, call->conn->out_buffer.length); + if (!ret) { + return NT_STATUS_NO_MEMORY; + } + ldapsrv_consumed_from_buf(&call->conn->out_buffer, call->conn->out_buffer.length); + + status = gensec_session_info(call->conn->gensec, &call->conn->session_info); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + //debug_session_info(0, 0, call->conn->session_info); + + return status; +} + +NTSTATUS ldapsrv_BindRequest(struct ldapsrv_call *call) +{ + struct ldap_BindRequest *req = &call->request.r.BindRequest; + struct ldapsrv_reply *reply; + struct ldap_BindResponse *resp; + + switch (req->mechanism) { + case LDAP_AUTH_MECH_SIMPLE: + return ldapsrv_BindSimple(call); + case LDAP_AUTH_MECH_SASL: + return ldapsrv_BindSASL(call); + } + + reply = ldapsrv_init_reply(call, LDAP_TAG_BindResponse); + if (!reply) { + return NT_STATUS_NO_MEMORY; + } + + resp = &reply->msg.r.BindResponse; + resp->response.resultcode = 7; + resp->response.dn = NULL; + resp->response.errormessage = talloc_asprintf(reply, "Bad AuthenticationChoice [%d]", req->mechanism); + resp->response.referral = NULL; + resp->SASL.secblob = data_blob(NULL, 0); + + return ldapsrv_queue_reply(call, reply); +} + NTSTATUS ldapsrv_UnbindRequest(struct ldapsrv_call *call) { -/* struct ldap_UnbindRequest *req = &call->request->r.UnbindRequest;*/ DEBUG(10, ("UnbindRequest\n")); return NT_STATUS_OK; } -- cgit From 48d87ea3562440ed4decf581a9450064c75ed9db Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Sun, 10 Oct 2004 00:17:05 +0000 Subject: r2885: windows doesn't try to do sign or seal by default metze (This used to be commit 0f5267c29cca943acf5df392ce1f5c601c4ef7f0) --- source4/ldap_server/ldap_bind.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/ldap_server/ldap_bind.c') 
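Review bot: When `gensec_start_mech_by_sasl_name` fails, `call->conn->gensec` keeps the half-initialised context, and since the next BindRequest on this connection only starts GENSEC when `!call->conn->gensec`, a retry skips setup and calls `gensec_update` on a context that never got a mechanism. Tear the context down before the `goto reply` on that path - `talloc_free(call->conn->gensec); call->conn->gensec = NULL;` if the context is talloc-allocated like the other objects here - so a second bind attempt starts clean. The bare `result = 49;` is LDAP invalidCredentials and should be a named constant next to `LDAP_SUCCESS` and `LDAP_SASL_BIND_IN_PROGRESS`, and the `//debug_session_info(...)` line is commented-out code that should be removed rather than kept.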
diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c index 3d9cd4b984..2febc46b3d 100644 --- a/source4/ldap_server/ldap_bind.c +++ b/source4/ldap_server/ldap_bind.c @@ -66,7 +66,7 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call) return status; } - gensec_want_feature(call->conn->gensec, GENSEC_WANT_SIGN|GENSEC_WANT_SEAL); + /*gensec_want_feature(call->conn->gensec, GENSEC_WANT_SIGN|GENSEC_WANT_SEAL);*/ status = gensec_start_mech_by_sasl_name(call->conn->gensec, req->creds.SASL.mechanism); if (!NT_STATUS_IS_OK(status)) { -- cgit From e465b65274723cbb6cf1f49035fef9970d40be10 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Sun, 10 Oct 2004 00:35:38 +0000 Subject: r2886: missing stuff from last commit metze (This used to be commit f3f2d1c6765a5799c3b0a302b68d41d045e1ba22) --- source4/ldap_server/ldap_bind.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source4/ldap_server/ldap_bind.c') diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c index 2febc46b3d..ad937eeb64 100644 --- a/source4/ldap_server/ldap_bind.c +++ b/source4/ldap_server/ldap_bind.c @@ -115,12 +115,12 @@ reply: return status; } - ret = ldapsrv_append_to_buf(&call->conn->sasl_out_buffer, call->conn->out_buffer.data, call->conn->out_buffer.length); +/* ret = ldapsrv_append_to_buf(&call->conn->sasl_out_buffer, call->conn->out_buffer.data, call->conn->out_buffer.length); if (!ret) { return NT_STATUS_NO_MEMORY; } ldapsrv_consumed_from_buf(&call->conn->out_buffer, call->conn->out_buffer.length); - +*/ status = gensec_session_info(call->conn->gensec, &call->conn->session_info); if (!NT_STATUS_IS_OK(status)) { return status; -- cgit From 437a037b7bf7335a24290ce4252b22b631c6dda0 Mon Sep 17 00:00:00 2001 
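Review bot: Commenting out `gensec_want_feature(call->conn->gensec, GENSEC_WANT_SIGN|GENSEC_WANT_SEAL)` leaves the reason only in the commit message; a reader of the file cannot tell whether sign/seal was dropped on purpose or by accident. Replace the dead call with a comment that records the decision and its consequence, e.g. `/* sign/seal deliberately not requested: Windows clients do not negotiate them by default, so post-bind traffic on this connection is not protected by GENSEC */`. ldapsrv_BindSASL starts and ends outside this hunk.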
From: Stefan Metzmacher Date: Sun, 10 Oct 2004 01:59:22 +0000 Subject: r2890: fix segfault when call is destroyed and we dereference it metze (This used to be commit 82e792a0ce94f63eeb8573d340b2198660aef132) --- source4/ldap_server/ldap_bind.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) (limited to 'source4/ldap_server/ldap_bind.c') diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c index ad937eeb64..840ff5d4e8 100644 --- a/source4/ldap_server/ldap_bind.c +++ b/source4/ldap_server/ldap_bind.c @@ -53,7 +53,7 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call) const char *errstr; NTSTATUS status = NT_STATUS_OK; NTSTATUS sasl_status; - BOOL ret; + /*BOOL ret;*/ DEBUG(10, ("BindSASL dn: %s\n",req->dn)); @@ -120,13 +120,12 @@ reply: return NT_STATUS_NO_MEMORY; } ldapsrv_consumed_from_buf(&call->conn->out_buffer, call->conn->out_buffer.length); -*/ + status = gensec_session_info(call->conn->gensec, &call->conn->session_info); if (!NT_STATUS_IS_OK(status)) { return status; } - - //debug_session_info(0, 0, call->conn->session_info); +*/ return status; } -- cgit From a42142439aee9e75796e25cdf05e042174926abf Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 2 Nov 2004 06:52:59 +0000 Subject: r3464: split out registry.h, rap.h and ldap_server.h (This used to be commit 70d2090f6bf2c7e0caf1e9c020f330de88871f8e) --- source4/ldap_server/ldap_bind.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/ldap_server/ldap_bind.c') diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c index 840ff5d4e8..b87919628f 100644 --- a/source4/ldap_server/ldap_bind.c +++ b/source4/ldap_server/ldap_bind.c @@ -19,6 +19,7 @@ */ #include "includes.h" +#include "ldap_server/ldap_server.h" static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call) -- cgit From 44113c4de1ae06a78a940782dc762b6576310d0d Mon Sep 17 00:00:00 2001 
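Review bot: Moving the closing `*/` below `gensec_session_info` means a successful SASL bind no longer fills `call->conn->session_info`; it stays at the NULL assigned when GENSEC was started, so the connection is authenticated on the wire but carries no identity for anything that later consults session_info. If the segfault comes from `call` being freed inside `ldapsrv_do_responses`, the narrower fix is to copy `call->conn` into a local before that call and keep the session_info lookup on the local, rather than disabling the lookup. Whichever is chosen, the `/* ... */` block should carry a one-line comment saying why the code is disabled. ldapsrv_BindSASL starts outside this hunk.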
From: Andrew Bartlett Date: Fri, 24 Dec 2004 09:54:23 +0000 Subject: r4355: More work from the elves on Christmas eve: - Update Samba4's kerberos code to match the 'salting' changes in Samba3 (and many other cleanups by jra). - Move GENSEC into the modern era of talloc destructors. This avoids many of the memory leaks in this code, as we now can't somehow 'forget' to call the end routine. - This required fixing some of the talloc hierarchies. - The new krb5 seems more sensitive to getting the service name right, so start actually setting the service name on the krb5 context. Andrew Bartlett (This used to be commit 278bf1a61a6da6ef955a12c13d7b1a0357cebf1f) --- source4/ldap_server/ldap_bind.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'source4/ldap_server/ldap_bind.c') diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c index b87919628f..80d1f51748 100644 --- a/source4/ldap_server/ldap_bind.c +++ b/source4/ldap_server/ldap_bind.c @@ -66,6 +66,8 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call) DEBUG(1, ("Failed to start GENSEC server code: %s\n", nt_errstr(status))); return status; } + + gensec_set_target_service(call->conn->gensec, "ldap"); /*gensec_want_feature(call->conn->gensec, GENSEC_WANT_SIGN|GENSEC_WANT_SEAL);*/ -- cgit From 9a6671cf9529fd7817c5ef266da3d3bea46a88c0 Mon Sep 17 00:00:00 2001 
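Review bot: The result of `gensec_set_target_service(call->conn->gensec, "ldap")` is discarded; if it reports failure through NTSTATUS like the surrounding gensec calls, a failed service-name setup would go unnoticed and the Kerberos path would continue with the wrong principal. Mirror the check applied to `gensec_server_start` just above: `status = gensec_set_target_service(call->conn->gensec, "ldap"); if (!NT_STATUS_IS_OK(status)) { return status; }`. ldapsrv_BindSASL starts and ends outside this hunk.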
From: Andrew Bartlett Date: Fri, 31 Dec 2004 22:45:11 +0000 Subject: r4459: GENSEC refinements: In developing a GSSAPI plugin for GENSEC, it became clear that the API needed to change: - GSSAPI exposes only a wrap() and unwrap() interface, and determines the location of the signature itself. - The 'have feature' API did not correctly function in the recursive SPNEGO environment. As such, NTLMSSP has been updated to support these methods. The LDAP client and server have been updated to use the new wrap() and unwrap() methods, and now pass the LDAP-* tests in our smbtorture. (Unfortunely I still get valgrind warnings, in the code that was previously unreachable). Andrew Bartlett (This used to be commit 9923c3bc1b5a6e93a5996aadb039bd229e888ac6) --- source4/ldap_server/ldap_bind.c | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) (limited to 'source4/ldap_server/ldap_bind.c') diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c index 80d1f51748..f4be5b5242 100644 --- a/source4/ldap_server/ldap_bind.c +++ b/source4/ldap_server/ldap_bind.c @@ -20,7 +20,7 @@ #include "includes.h" #include "ldap_server/ldap_server.h" - +#include "auth/auth.h" static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call) { @@ -50,11 +50,12 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call) struct ldap_BindRequest *req = &call->request.r.BindRequest; struct ldapsrv_reply *reply; struct ldap_BindResponse *resp; + struct ldapsrv_connection *conn; int result; const char *errstr; NTSTATUS status = NT_STATUS_OK; NTSTATUS sasl_status; - /*BOOL ret;*/ + BOOL ret; DEBUG(10, ("BindSASL dn: %s\n",req->dn)); 
@@ -69,7 +70,8 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call) gensec_set_target_service(call->conn->gensec, "ldap"); - /*gensec_want_feature(call->conn->gensec, GENSEC_WANT_SIGN|GENSEC_WANT_SEAL);*/ + gensec_want_feature(call->conn->gensec, GENSEC_FEATURE_SIGN); + gensec_want_feature(call->conn->gensec, GENSEC_FEATURE_SEAL); status = gensec_start_mech_by_sasl_name(call->conn->gensec, req->creds.SASL.mechanism); if (!NT_STATUS_IS_OK(status)) { @@ -85,6 +87,8 @@ reply: return NT_STATUS_NO_MEMORY; } resp = &reply->msg.r.BindResponse; + + conn = call->conn; if (NT_STATUS_IS_OK(status)) { status = gensec_update(call->conn->gensec, reply, @@ -118,17 +122,14 @@ reply: return status; } -/* ret = ldapsrv_append_to_buf(&call->conn->sasl_out_buffer, call->conn->out_buffer.data, call->conn->out_buffer.length); + ret = ldapsrv_append_to_buf(&conn->sasl_out_buffer, conn->out_buffer.data, conn->out_buffer.length); if (!ret) { return NT_STATUS_NO_MEMORY; } - ldapsrv_consumed_from_buf(&call->conn->out_buffer, call->conn->out_buffer.length); - - status = gensec_session_info(call->conn->gensec, &call->conn->session_info); - if (!NT_STATUS_IS_OK(status)) { - return status; + ldapsrv_consumed_from_buf(&conn->out_buffer, conn->out_buffer.length); + if (NT_STATUS_IS_OK(status)) { + status = gensec_session_info(conn->gensec, &conn->session_info); } -*/ return status; } -- cgit From 047d41cc490c05dd07eeab29913b3f2882887678 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 10 Jan 2005 10:45:39 +0000 Subject: r4634: disable sign and seal in ldap_server for now. metze (This used to be commit 872c687184e5317b4477a184e0a954e6de0b8e9e) --- source4/ldap_server/ldap_bind.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'source4/ldap_server/ldap_bind.c') diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c index f4be5b5242..f397b7611b 100644 --- a/source4/ldap_server/ldap_bind.c +++ b/source4/ldap_server/ldap_bind.c 
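Review bot: In the last hunk the guard `if (NT_STATUS_IS_OK(status))` in front of `gensec_session_info` is always true, because every earlier failure in the function has already returned, so it reads as a real branch when it is not; drop it or turn it into a comment. The local `conn` added in the `@@ -85,6` hunk is presumably there because `call` may no longer be valid after `ldapsrv_do_responses` (r2890 described that segfault), but that reason is not written down, and the `gensec_update` call right after the assignment still goes through `call->conn->gensec`; add `/* call may be freed by ldapsrv_do_responses below; use conn from here on */` at the assignment and use `conn` consistently. ldapsrv_BindSASL starts outside these hunks.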
@@ -55,8 +55,8 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call) const char *errstr; NTSTATUS status = NT_STATUS_OK; NTSTATUS sasl_status; - BOOL ret; - +/* BOOL ret; +*/ DEBUG(10, ("BindSASL dn: %s\n",req->dn)); if (!call->conn->gensec) { @@ -70,9 +70,9 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call) gensec_set_target_service(call->conn->gensec, "ldap"); - gensec_want_feature(call->conn->gensec, GENSEC_FEATURE_SIGN); + /*gensec_want_feature(call->conn->gensec, GENSEC_FEATURE_SIGN); gensec_want_feature(call->conn->gensec, GENSEC_FEATURE_SEAL); - + */ status = gensec_start_mech_by_sasl_name(call->conn->gensec, req->creds.SASL.mechanism); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to start GENSEC SASL[%s] server code: %s\n", @@ -122,7 +122,7 @@ reply: return status; } - ret = ldapsrv_append_to_buf(&conn->sasl_out_buffer, conn->out_buffer.data, conn->out_buffer.length); +/* ret = ldapsrv_append_to_buf(&conn->sasl_out_buffer, conn->out_buffer.data, conn->out_buffer.length); if (!ret) { return NT_STATUS_NO_MEMORY; } @@ -130,7 +130,7 @@ reply: if (NT_STATUS_IS_OK(status)) { status = gensec_session_info(conn->gensec, &conn->session_info); } - +*/ return status; } -- cgit From 501379431c7fc6c9a78e74eca43b208184debce6 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Thu, 10 Feb 2005 07:08:40 +0000 Subject: r5305: removed libcli/ldap/ldap.h from includes.h (This used to be commit 0df3fdd8178085c40f9cd776cc3e1486ca559c8e) --- source4/ldap_server/ldap_bind.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/ldap_server/ldap_bind.c') diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c index f397b7611b..d6b0332b6e 100644 --- a/source4/ldap_server/ldap_bind.c +++ b/source4/ldap_server/ldap_bind.c @@ -21,6 +21,7 @@ #include "includes.h" #include "ldap_server/ldap_server.h" #include "auth/auth.h" +#include "libcli/ldap/ldap.h" static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call) { -- cgit 
From db2e86f75cf08715503f28046fd29fcc1c0f6867 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 14 Jun 2005 03:55:27 +0000 Subject: r7568: enable the NTLMSSP bulk data sign/seal code for out ldap server. This now works with windows clients, as I fixed the zero length bind ack packet. Andrew, note that this has the strncmp("NTLMSSP", data, 7) hack. Please replace with a more correct fix as we discussed. (This used to be commit 69b02e8adb25a5152aec15f55b2b2f67457cf08a) --- source4/ldap_server/ldap_bind.c | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) (limited to 'source4/ldap_server/ldap_bind.c') diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c index d6b0332b6e..3b14606439 100644 --- a/source4/ldap_server/ldap_bind.c +++ b/source4/ldap_server/ldap_bind.c @@ -56,8 +56,8 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call) const char *errstr; NTSTATUS status = NT_STATUS_OK; NTSTATUS sasl_status; -/* BOOL ret; -*/ + BOOL ret; + DEBUG(10, ("BindSASL dn: %s\n",req->dn)); if (!call->conn->gensec) { @@ -71,10 +71,15 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call) gensec_set_target_service(call->conn->gensec, "ldap"); - /*gensec_want_feature(call->conn->gensec, GENSEC_FEATURE_SIGN); + gensec_want_feature(call->conn->gensec, GENSEC_FEATURE_SIGN); gensec_want_feature(call->conn->gensec, GENSEC_FEATURE_SEAL); - */ - status = gensec_start_mech_by_sasl_name(call->conn->gensec, req->creds.SASL.mechanism); + + if (req->creds.SASL.secblob.length >= 7 && + strncmp(req->creds.SASL.secblob.data, "NTLMSSP", 7) == 0) { + status = gensec_start_mech_by_sasl_name(call->conn->gensec, "NTLM"); + } else { + status = gensec_start_mech_by_sasl_name(call->conn->gensec, req->creds.SASL.mechanism); + } if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to start GENSEC SASL[%s] server code: %s\n", req->creds.SASL.mechanism, nt_errstr(status))); 
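Review bot: The new `strncmp(req->creds.SASL.secblob.data, "NTLMSSP", 7)` test picks the mechanism from the client-supplied token rather than from the SASL name the client sent, and when that branch is taken the failure message a few lines below still prints `req->creds.SASL.mechanism`, so the log names a mechanism that was never started. If `secblob.data` is not a `char` pointer (DATA_BLOB data is usually an unsigned byte pointer), the call also needs a `(const char *)` cast to compile cleanly. The commit message already calls this a hack; mark it in the code as well, `/* HACK: a raw NTLMSSP token sent under another SASL name is routed to NTLM; remove once GENSEC handles this */`, so the override is not mistaken for intended behaviour. ldapsrv_BindSASL starts and ends outside this hunk.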
@@ -93,7 +98,7 @@ reply: if (NT_STATUS_IS_OK(status)) { status = gensec_update(call->conn->gensec, reply, - req->creds.SASL.secblob, &resp->SASL.secblob); + req->creds.SASL.secblob, &resp->SASL.secblob); } if (NT_STATUS_EQUAL(NT_STATUS_MORE_PROCESSING_REQUIRED, status)) { @@ -123,7 +128,7 @@ reply: return status; } -/* ret = ldapsrv_append_to_buf(&conn->sasl_out_buffer, conn->out_buffer.data, conn->out_buffer.length); + ret = ldapsrv_append_to_buf(&conn->sasl_out_buffer, conn->out_buffer.data, conn->out_buffer.length); if (!ret) { return NT_STATUS_NO_MEMORY; } @@ -131,7 +136,7 @@ reply: if (NT_STATUS_IS_OK(status)) { status = gensec_session_info(conn->gensec, &conn->session_info); } -*/ + return status; } -- cgit From c0947b0d7f809f5139fbfcdbd618ed7b0a77d2be Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Wed, 15 Jun 2005 00:27:51 +0000 Subject: r7593: simplified the memory management in the ldap code. Having a mem_ctx element in a structure is not necessary any more. (This used to be commit 912d0427f52eac811b27bf7e385b0642f7dc7f53) --- source4/ldap_server/ldap_bind.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'source4/ldap_server/ldap_bind.c') diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c index 3b14606439..55ce6ed24d 100644 --- a/source4/ldap_server/ldap_bind.c +++ b/source4/ldap_server/ldap_bind.c @@ -25,7 +25,7 @@ static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call) { - struct ldap_BindRequest *req = &call->request.r.BindRequest; + struct ldap_BindRequest *req = &call->request->r.BindRequest; struct ldapsrv_reply *reply; struct ldap_BindResponse *resp; @@ -36,7 +36,7 @@ static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call) return NT_STATUS_NO_MEMORY; } - resp = &reply->msg.r.BindResponse; + resp = &reply->msg->r.BindResponse; resp->response.resultcode = 0; resp->response.dn = NULL; resp->response.errormessage = NULL; 
@@ -48,7 +48,7 @@ static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call) static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call) { - struct ldap_BindRequest *req = &call->request.r.BindRequest; + struct ldap_BindRequest *req = &call->request->r.BindRequest; struct ldapsrv_reply *reply; struct ldap_BindResponse *resp; struct ldapsrv_connection *conn; @@ -92,7 +92,7 @@ reply: if (!reply) { return NT_STATUS_NO_MEMORY; } - resp = &reply->msg.r.BindResponse; + resp = &reply->msg->r.BindResponse; conn = call->conn; @@ -142,7 +142,7 @@ reply: NTSTATUS ldapsrv_BindRequest(struct ldapsrv_call *call) { - struct ldap_BindRequest *req = &call->request.r.BindRequest; + struct ldap_BindRequest *req = &call->request->r.BindRequest; struct ldapsrv_reply *reply; struct ldap_BindResponse *resp; @@ -158,7 +158,7 @@ NTSTATUS ldapsrv_BindRequest(struct ldapsrv_call *call) return NT_STATUS_NO_MEMORY; } - resp = &reply->msg.r.BindResponse; + resp = &reply->msg->r.BindResponse; resp->response.resultcode = 7; resp->response.dn = NULL; resp->response.errormessage = talloc_asprintf(reply, "Bad AuthenticationChoice [%d]", req->mechanism); -- cgit From a7d6185f41229463f071a4d5f8c42ebe916982b2 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Wed, 15 Jun 2005 00:30:03 +0000 Subject: r7594: abartlet is right that this hack is not actually necessary, it just prevents a bogus: GSS Update failed: Miscellaneous failure (see text): ASN.1 identifier doesn't match expected value error on every ldap connection. I'll remove it and let the error remain until Andrew works out a better fix. (This used to be commit 6123eb2ecad6f53521b546f76954523fbc0fb981) --- source4/ldap_server/ldap_bind.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) (limited to 'source4/ldap_server/ldap_bind.c') diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c index 55ce6ed24d..3c51dc2ba5 100644 --- a/source4/ldap_server/ldap_bind.c +++ b/source4/ldap_server/ldap_bind.c 
@@ -74,12 +74,8 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call) gensec_want_feature(call->conn->gensec, GENSEC_FEATURE_SIGN); gensec_want_feature(call->conn->gensec, GENSEC_FEATURE_SEAL); - if (req->creds.SASL.secblob.length >= 7 && - strncmp(req->creds.SASL.secblob.data, "NTLMSSP", 7) == 0) { - status = gensec_start_mech_by_sasl_name(call->conn->gensec, "NTLM"); - } else { - status = gensec_start_mech_by_sasl_name(call->conn->gensec, req->creds.SASL.mechanism); - } + + status = gensec_start_mech_by_sasl_name(call->conn->gensec, req->creds.SASL.mechanism); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to start GENSEC SASL[%s] server code: %s\n", req->creds.SASL.mechanism, nt_errstr(status))); -- cgit From af237084ecd4f9928c6c282b9c5c73598d5c73d6 Mon Sep 17 00:00:00 2001 
From: Andrew Tridgell Date: Thu, 16 Jun 2005 11:36:09 +0000 Subject: r7633: this patch started as an attempt to make the dcerpc code use a given event_context for the socket_connect() call, so that when things that use dcerpc are running alongside anything else it doesn't block the whole process during a connect. Then of course I needed to change any code that created a dcerpc connection (such as the auth code) to also take an event context, and anything that called that and so on .... thus the size of the patch. There were 3 places where I punted: - abartlet wanted me to add a gensec_set_event_context() call instead of adding it to the gensec init calls. Andrew, my apologies for not doing this. I didn't do it as adding a new parameter allowed me to catch all the callers with the compiler. Now that its done, we could go back and use gensec_set_event_context() - the ejs code calls auth initialisation, which means it should pass in the event context from the web server. I punted on that. Needs fixing. - I used a NULL event context in dcom_get_pipe(). This is equivalent to what we did already, but should be fixed to use a callers event context. Jelmer, can you think of a clean way to do that? I also cleaned up a couple of things: - libnet_context_destroy() makes no sense. I removed it. - removed some unused vars in various places (This used to be commit 3a3025485bdb8f600ab528c0b4b4eef0c65e3fc9) --- source4/ldap_server/ldap_bind.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'source4/ldap_server/ldap_bind.c') diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c index 3c51dc2ba5..7b416c9726 100644 --- a/source4/ldap_server/ldap_bind.c +++ b/source4/ldap_server/ldap_bind.c @@ -22,6 +22,7 @@ #include "ldap_server/ldap_server.h" #include "auth/auth.h" #include "libcli/ldap/ldap.h" +#include "smbd/service_stream.h" static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call) { 
@@ -63,7 +64,8 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call) if (!call->conn->gensec) { call->conn->session_info = NULL; - status = gensec_server_start(call->conn, &call->conn->gensec); + status = gensec_server_start(call->conn, &call->conn->gensec, + call->conn->connection->event.ctx); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to start GENSEC server code: %s\n", nt_errstr(status))); return status; -- cgit From c7496c6cdb7bdcdd483868c21457350f567ec054 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sun, 19 Jun 2005 09:31:34 +0000 Subject: r7747: - simplified the ldap server buffer handling - got rid of the special cases for sasl buffers - added a tls_socket_pending() call to determine how much data is waiting on a tls connection - removed the attempt at async handling of ldap calls. The buffers/sockets are all async, but the calls themselves are sync. (This used to be commit 73cb4aad229d08e17e22d5792580bd43a61b142a) --- source4/ldap_server/ldap_bind.c | 32 +++++++------------------------- 1 file changed, 7 insertions(+), 25 deletions(-) (limited to 'source4/ldap_server/ldap_bind.c') diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c index 7b416c9726..aba35e0b56 100644 --- a/source4/ldap_server/ldap_bind.c +++ b/source4/ldap_server/ldap_bind.c @@ -44,7 +44,8 @@ static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call) resp->response.referral = NULL; resp->SASL.secblob = data_blob(NULL, 0); - return ldapsrv_queue_reply(call, reply); + ldapsrv_queue_reply(call, reply); + return NT_STATUS_OK; } static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call) @@ -56,8 +57,6 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call) int result; const char *errstr; NTSTATUS status = NT_STATUS_OK; - NTSTATUS sasl_status; - BOOL ret; DEBUG(10, ("BindSASL dn: %s\n",req->dn)); 
@@ -105,6 +104,7 @@ reply: } else if (NT_STATUS_IS_OK(status)) { result = LDAP_SUCCESS; errstr = NULL; + call->conn->enable_wrap = True; } else { result = 49; errstr = talloc_asprintf(reply, "SASL:[%s]: %s", req->creds.SASL.mechanism, nt_errstr(status)); @@ -115,27 +115,8 @@ reply: resp->response.errormessage = errstr; resp->response.referral = NULL; - sasl_status = status; - status = ldapsrv_queue_reply(call, reply); - if (!NT_STATUS_IS_OK(sasl_status) || !NT_STATUS_IS_OK(status)) { - return status; - } - - status = ldapsrv_do_responses(call->conn); - if (!NT_STATUS_IS_OK(status)) { - return status; - } - - ret = ldapsrv_append_to_buf(&conn->sasl_out_buffer, conn->out_buffer.data, conn->out_buffer.length); - if (!ret) { - return NT_STATUS_NO_MEMORY; - } - ldapsrv_consumed_from_buf(&conn->out_buffer, conn->out_buffer.length); - if (NT_STATUS_IS_OK(status)) { - status = gensec_session_info(conn->gensec, &conn->session_info); - } - - return status; + ldapsrv_queue_reply(call, reply); + return NT_STATUS_OK; } NTSTATUS ldapsrv_BindRequest(struct ldapsrv_call *call) @@ -163,7 +144,8 @@ NTSTATUS ldapsrv_BindRequest(struct ldapsrv_call *call) resp->response.referral = NULL; resp->SASL.secblob = data_blob(NULL, 0); - return ldapsrv_queue_reply(call, reply); + ldapsrv_queue_reply(call, reply); + return NT_STATUS_OK; } NTSTATUS ldapsrv_UnbindRequest(struct ldapsrv_call *call) -- cgit From 63811f0cb82229bc4d0473204fb43b411ca3a021 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Fri, 24 Jun 2005 00:03:17 +0000 Subject: r7854: only enable wrapping in the ldap server if it was negotiated by gensec (This used to be commit 355983493bc87b9e812152ef81773dccb23e03d5) --- source4/ldap_server/ldap_bind.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'source4/ldap_server/ldap_bind.c') diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c index aba35e0b56..0cf2a8b7e6 100644 --- a/source4/ldap_server/ldap_bind.c 
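Review bot: The removed block in the `@@ -115,27 +115,8` hunk was the only place that set `conn->session_info` after a successful SASL bind (`gensec_session_info(conn->gensec, &conn->session_info)`), and nothing in the new code takes its place; session_info therefore stays at the NULL assigned when GENSEC was started, so the connection is authenticated on the wire but carries no identity for later operations. Either call `gensec_session_info` on the `LDAP_SUCCESS` path in the previous hunk, next to `call->conn->enable_wrap = True;`, or leave a comment there saying that the identity is deliberately not recorded yet. The return value of `ldapsrv_queue_reply` is now dropped in all three handlers; if it can still fail, that failure is lost. ldapsrv_BindSASL begins outside this hunk.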
+++ b/source4/ldap_server/ldap_bind.c @@ -74,7 +74,6 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call) gensec_want_feature(call->conn->gensec, GENSEC_FEATURE_SIGN); gensec_want_feature(call->conn->gensec, GENSEC_FEATURE_SEAL); - status = gensec_start_mech_by_sasl_name(call->conn->gensec, req->creds.SASL.mechanism); if (!NT_STATUS_IS_OK(status)) { @@ -104,7 +103,10 @@ reply: } else if (NT_STATUS_IS_OK(status)) { result = LDAP_SUCCESS; errstr = NULL; - call->conn->enable_wrap = True; + if (gensec_have_feature(call->conn->gensec, GENSEC_FEATURE_SEAL) || + gensec_have_feature(call->conn->gensec, GENSEC_FEATURE_SIGN)) { + call->conn->enable_wrap = True; + } } else { result = 49; errstr = talloc_asprintf(reply, "SASL:[%s]: %s", req->creds.SASL.mechanism, nt_errstr(status)); -- cgit From 897e9f2b4dcef7593766fcb7ba439013e1022376 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 20 Aug 2005 06:14:46 +0000 Subject: r9417: Ask for the ASYNC_REPLIES feature, as will want that. Andrew Bartlett (This used to be commit 8cb8f99ae602f3bca0235e5e695ecb1ba55b0e46) --- source4/ldap_server/ldap_bind.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/ldap_server/ldap_bind.c') diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c index 0cf2a8b7e6..166bd31ede 100644 --- a/source4/ldap_server/ldap_bind.c +++ b/source4/ldap_server/ldap_bind.c @@ -74,6 +74,7 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call) gensec_want_feature(call->conn->gensec, GENSEC_FEATURE_SIGN); gensec_want_feature(call->conn->gensec, GENSEC_FEATURE_SEAL); + gensec_want_feature(call->conn->gensec, GENSEC_FEATURE_ASYNC_REPLIES); status = gensec_start_mech_by_sasl_name(call->conn->gensec, req->creds.SASL.mechanism); if (!NT_STATUS_IS_OK(status)) { -- cgit From 1377cca5f4beb43cf67fcc65eed79f14178d6349 Mon Sep 17 00:00:00 2001 
From: Andrew Bartlett Date: Fri, 7 Oct 2005 11:31:45 +0000 Subject: r10810: This adds the hooks required to communicate the current user from the authenticated session down into LDB. This associates a session info structure with the open LDB, allowing a future ldb_ntacl module to allow/deny operations on that basis. Along the way, I cleaned up a few things, and added new helper functions to assist. In particular the LSA pipe uses simpler queries for some of the setup. In ldap_server, I have removed the 'ldasrv:hacked' module, which hasn't been worked on (other than making it continue to compile) since January, and I think the features of this module are being put into ldb anyway. I have also changed the partitions in ldap_server to be initialised after the connection, with the private pointer used to associate the ldb with the incoming session. Andrew Bartlett (This used to be commit fd7203789a2c0929eecea8125b57b833a67fed71) --- source4/ldap_server/ldap_bind.c | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) (limited to 'source4/ldap_server/ldap_bind.c') diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c index 166bd31ede..9c9cca362b 100644 --- a/source4/ldap_server/ldap_bind.c +++ b/source4/ldap_server/ldap_bind.c @@ -32,6 +32,8 @@ static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call) DEBUG(10, ("BindSimple dn: %s\n",req->dn)); + /* When we add authentication here, we also need to handle telling the backends */ + reply = ldapsrv_init_reply(call, LDAP_TAG_BindResponse); if (!reply) { return NT_STATUS_NO_MEMORY; 
@@ -102,14 +104,33 @@ reply: result = LDAP_SASL_BIND_IN_PROGRESS; errstr = NULL; } else if (NT_STATUS_IS_OK(status)) { + struct ldapsrv_partition *part; + result = LDAP_SUCCESS; errstr = NULL; if (gensec_have_feature(call->conn->gensec, GENSEC_FEATURE_SEAL) || gensec_have_feature(call->conn->gensec, GENSEC_FEATURE_SIGN)) { call->conn->enable_wrap = True; } + status = gensec_session_info(call->conn->gensec, &call->conn->session_info); + if (!NT_STATUS_IS_OK(status)) { + result = LDAP_OPERATIONS_ERROR; + errstr = talloc_asprintf(reply, "SASL:[%s]: Failed to get session info: %s", req->creds.SASL.mechanism, nt_errstr(status)); + } else { + for (part = call->conn->partitions; part; part = part->next) { + if (!part->ops->Bind) { + continue; + } + status = part->ops->Bind(part, conn); + if (!NT_STATUS_IS_OK(status)) { + result = LDAP_OPERATIONS_ERROR; + errstr = talloc_asprintf(reply, "SASL:[%s]: Failed to advise partition %s of new credentials: %s", req->creds.SASL.mechanism, part->base_dn, nt_errstr(status)); + } + } + } } else { - result = 49; + status = auth_nt_status_squash(status); + result = LDAP_INVALID_CREDENTIALS; errstr = talloc_asprintf(reply, "SASL:[%s]: %s", req->creds.SASL.mechanism, nt_errstr(status)); } -- cgit From 1e14572a2648b000ec6b1567fa72ca9ba6531c48 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Sat, 8 Oct 2005 09:55:38 +0000 Subject: r10832: free the old session info metze (This used to be commit 16b2569788348ee3654557cf714ea3b204375c3c) --- source4/ldap_server/ldap_bind.c | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'source4/ldap_server/ldap_bind.c') diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c index 9c9cca362b..e9d38ad93b 100644 --- a/source4/ldap_server/ldap_bind.c +++ b/source4/ldap_server/ldap_bind.c 
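Review bot: The partition loop keeps iterating after `part->ops->Bind` fails, so a later iteration silently overwrites `errstr`, and the connection is left with the new `session_info` installed while the client receives LDAP_OPERATIONS_ERROR — a half-bound state. Record the error and `break;` out of the loop, and consider restoring the previous session on that path. The call also passes `conn` while every other line of the hunk uses `call->conn`; unless a local `conn` is assigned earlier in the function (outside the hunk) this would not compile, and `status = part->ops->Bind(part, call->conn);` is the safe form. The function continues outside the hunk.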
@@ -105,6 +105,7 @@ reply: errstr = NULL; } else if (NT_STATUS_IS_OK(status)) { struct ldapsrv_partition *part; + struct auth_session_info *old_session_info; result = LDAP_SUCCESS; errstr = NULL; @@ -112,11 +113,15 @@ reply: gensec_have_feature(call->conn->gensec, GENSEC_FEATURE_SIGN)) { call->conn->enable_wrap = True; } + old_session_info = call->conn->session_info; + call->conn->session_info = NULL; status = gensec_session_info(call->conn->gensec, &call->conn->session_info); if (!NT_STATUS_IS_OK(status)) { + call->conn->session_info = old_session_info; result = LDAP_OPERATIONS_ERROR; errstr = talloc_asprintf(reply, "SASL:[%s]: Failed to get session info: %s", req->creds.SASL.mechanism, nt_errstr(status)); } else { + talloc_free(old_session_info); for (part = call->conn->partitions; part; part = part->next) { if (!part->ops->Bind) { continue; -- cgit From 372ca26b2052e267711a45c8bf341f55505f3f8f Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 20 Oct 2005 03:47:55 +0000 Subject: r11200: Reposition the creation of the kerberos keytab for GSSAPI and Krb5 authentication. This pulls the creating of the keytab back to the credentials code, and removes the special case of 'use keberos keytab = yes' for now. This allows (and requires) the callers to specify the credentials for the server credentails to GENSEC. This allows kpasswdd (soon to be added) to use a different set of kerberos credentials. The 'use kerberos keytab' code will be moved into the credentials layer, as the layers below now expect a keytab. We also now allow for the old secret to be stored into the credentials, allowing service password changes. Andrew Bartlett (This used to be commit 205f77c579ac8680c85f713a76de5767189c627b) --- source4/ldap_server/ldap_bind.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) (limited to 'source4/ldap_server/ldap_bind.c') diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c index e9d38ad93b..7a296d01ac 100644 
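Review bot: On the success path `talloc_free(old_session_info)` runs before the partition `Bind` loop, so if a partition later refuses the new credentials the previous session is already gone and the connection stays on the new `session_info` while the client sees LDAP_OPERATIONS_ERROR; freeing the old session only after the loop completes cleanly would keep a rollback possible. Nothing in the hunk reparents the pointer that `gensec_session_info` hands back, so its talloc lifetime relative to `call->conn` is not visible here and should be confirmed (`talloc_steal(call->conn, call->conn->session_info);` if it is owned by a shorter-lived context). The enclosing function runs past the hunk on both sides.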
--- a/source4/ldap_server/ldap_bind.c +++ b/source4/ldap_server/ldap_bind.c @@ -63,6 +63,7 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call) DEBUG(10, ("BindSASL dn: %s\n",req->dn)); if (!call->conn->gensec) { + struct cli_credentials *server_credentials; call->conn->session_info = NULL; status = gensec_server_start(call->conn, &call->conn->gensec, @@ -74,6 +75,23 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call) gensec_set_target_service(call->conn->gensec, "ldap"); + server_credentials + = cli_credentials_init(call); + if (!server_credentials) { + DEBUG(1, ("Failed to init server credentials\n")); + return NT_STATUS_NO_MEMORY; + } + + cli_credentials_set_conf(server_credentials); + status = cli_credentials_set_machine_account(server_credentials); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(10, ("Failed to obtain server credentials, perhaps a standalone server?: %s\n", nt_errstr(status))); + talloc_free(server_credentials); + server_credentials = NULL; + } + + gensec_set_credentials(call->conn->gensec, server_credentials); + gensec_want_feature(call->conn->gensec, GENSEC_FEATURE_SIGN); gensec_want_feature(call->conn->gensec, GENSEC_FEATURE_SEAL); gensec_want_feature(call->conn->gensec, GENSEC_FEATURE_ASYNC_REPLIES); -- cgit From 90550077b9c3eae1a2a15f5fce7ab4b1e05b1f30 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 20 Oct 2005 13:10:20 +0000 Subject: r11225: Remove pointless goto. Andrew Bartlett (This used to be commit 30f4ece4d2e55d2d50061f74a491d3f77551a6ae) --- source4/ldap_server/ldap_bind.c | 2 -- 1 file changed, 2 deletions(-) (limited to 'source4/ldap_server/ldap_bind.c') diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c index 7a296d01ac..6525840232 100644 --- a/source4/ldap_server/ldap_bind.c +++ b/source4/ldap_server/ldap_bind.c 
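Review bot: `server_credentials` is allocated with `cli_credentials_init(call)`, i.e. as a child of the per-request `call`, but it is handed to `call->conn->gensec`, which the `if (!call->conn->gensec)` guard keeps alive across later requests on the connection; unless `gensec_set_credentials` takes its own reference, the credentials dangle once this call is freed. Allocating on the connection, `server_credentials = cli_credentials_init(call->conn);`, matches the lifetime of the object that holds them. The machine-account failure is also only logged at `DEBUG(10, ...)` before falling back to NULL credentials, which quietly removes the server's Kerberos identity; a level an operator will actually see fits a degraded-security fallback better. The enclosing function continues outside the hunk.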
@@ -100,11 +100,9 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call) if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to start GENSEC SASL[%s] server code: %s\n", req->creds.SASL.mechanism, nt_errstr(status))); - goto reply; } } -reply: reply = ldapsrv_init_reply(call, LDAP_TAG_BindResponse); if (!reply) { return NT_STATUS_NO_MEMORY; -- cgit From 6bd8be867130686946e687512d7a4a68934217e1 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 19 Dec 2005 06:56:45 +0000 Subject: r12360: Add simple bind support into our LDAP server. Needs changes to our client code for automated testing. Andrew Bartlett (This used to be commit e751d814149d847ff1699542a4fa81eb8ca129ec) --- source4/ldap_server/ldap_bind.c | 44 +++++++++++++++++++++++++++++++++++++++-- 1 file changed, 42 insertions(+), 2 deletions(-) (limited to 'source4/ldap_server/ldap_bind.c') diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c index 6525840232..4350f3abe8 100644 --- a/source4/ldap_server/ldap_bind.c +++ b/source4/ldap_server/ldap_bind.c @@ -30,8 +30,22 @@ static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call) struct ldapsrv_reply *reply; struct ldap_BindResponse *resp; + int result; + const char *errstr; + const char *nt4_domain, *nt4_account; + + struct auth_session_info *session_info; + + NTSTATUS status; + DEBUG(10, ("BindSimple dn: %s\n",req->dn)); + status = crack_dn_to_nt4_name(call, req->dn, &nt4_domain, &nt4_account); + if (NT_STATUS_IS_OK(status)) { + status = authenticate_username_pw(call, nt4_domain, nt4_account, + req->creds.password, &session_info); + } + /* When we add authentication here, we also need to handle telling the backends */ reply = ldapsrv_init_reply(call, LDAP_TAG_BindResponse); 
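Review bot: An empty `req->dn` with an empty password is an anonymous bind and a non-empty name with an empty password is an unauthenticated bind (RFC 4513 §5.1), and the new `crack_dn_to_nt4_name` / `authenticate_username_pw` sequence in the `@@ -30,8 +30,22 @@` hunk does not distinguish either case; whether those helpers refuse an empty `req->creds.password` is outside this hunk and should be confirmed, since accepting it would grant the named user's session without a credential. An explicit check before authenticating, e.g. `if (req->creds.password == NULL || *req->creds.password == '\0') status = NT_STATUS_INVALID_PARAMETER;` (assuming `creds.password` is a C string), keeps that policy visible here. `session_info` is also left uninitialised when `crack_dn_to_nt4_name` fails; it is only read under `NT_STATUS_IS_OK(status)`, but `struct auth_session_info *session_info = NULL;` costs nothing. The context comment `/* When we add authentication here ... */` is now stale and should go. The function continues outside the hunk.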
@@ -39,11 +53,37 @@ static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call) return NT_STATUS_NO_MEMORY; } + if (NT_STATUS_IS_OK(status)) { + struct ldapsrv_partition *part; + result = LDAP_SUCCESS; + errstr = NULL; + + talloc_free(call->conn->session_info); + call->conn->session_info = session_info; + for (part = call->conn->partitions; part; part = part->next) { + if (!part->ops->Bind) { + continue; + } + status = part->ops->Bind(part, call->conn); + if (!NT_STATUS_IS_OK(status)) { + result = LDAP_OPERATIONS_ERROR; + errstr = talloc_asprintf(reply, "Simple Bind: Failed to advise partition %s of new credentials: %s", part->base_dn, nt_errstr(status)); + } + } + } else { + status = auth_nt_status_squash(status); + + result = LDAP_INVALID_CREDENTIALS; + errstr = talloc_asprintf(reply, "Simple Bind Failed: %s", nt_errstr(status)); + } + resp = &reply->msg->r.BindResponse; - resp->response.resultcode = 0; + resp->response.resultcode = result; + resp->response.errormessage = errstr; resp->response.dn = NULL; - resp->response.errormessage = NULL; resp->response.referral = NULL; + + /* This looks wrong... */ resp->SASL.secblob = data_blob(NULL, 0); ldapsrv_queue_reply(call, reply); -- cgit From 2cd5ca7d25f12aa9198bf8c2deb6aea282f573ee Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Wed, 28 Dec 2005 15:38:36 +0000 Subject: r12542: Move some more prototypes out to seperate headers (This used to be commit 0aca5fd5130d980d07398f3291d294202aefe3c2) --- source4/ldap_server/ldap_bind.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/ldap_server/ldap_bind.c') diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c index 4350f3abe8..badd4ec541 100644 --- a/source4/ldap_server/ldap_bind.c +++ b/source4/ldap_server/ldap_bind.c @@ -23,6 +23,7 @@ #include "auth/auth.h" #include "libcli/ldap/ldap.h" #include "smbd/service_stream.h" +#include "dsdb/samdb/samdb.h" static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call) { -- cgit 
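Review bot: `call->conn->session_info = session_info;` stores a pointer that the preceding hunk obtained from `authenticate_username_pw(call, ...)`, so unless that helper allocates on something longer-lived than `call` the connection keeps a dangling session once this request is freed; add `talloc_steal(call->conn, session_info);` next to the assignment. As in the SASL path, the partition loop does not stop on a failed `Bind`, so `errstr` reflects only the last failure while the new session stays installed. The function continues outside the hunk.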
From d4de4c2d210d2e8c9b5aedf70695594809ad6a0b Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Fri, 30 Dec 2005 13:16:54 +0000 Subject: r12608: Remove some unused #include lines. (This used to be commit 70e7449318aa0e9d2639c76730a7d1683b2f4981) --- source4/ldap_server/ldap_bind.c | 1 - 1 file changed, 1 deletion(-) (limited to 'source4/ldap_server/ldap_bind.c') diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c index badd4ec541..beaf3da46c 100644 --- a/source4/ldap_server/ldap_bind.c +++ b/source4/ldap_server/ldap_bind.c @@ -21,7 +21,6 @@ #include "includes.h" #include "ldap_server/ldap_server.h" #include "auth/auth.h" -#include "libcli/ldap/ldap.h" #include "smbd/service_stream.h" #include "dsdb/samdb/samdb.h" -- cgit From bedfb063268f70e66f16fdd0e9bdd29d176a0634 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 3 Jan 2006 00:10:15 +0000 Subject: r12686: Push the real SASL list into the rootdse. Get this out of the server credentials, and push it down to ldb via an opaque pointer. Andrew Bartlett (This used to be commit 61700252e05e0be6b4ffa72ffc24a95c665597e3) --- source4/ldap_server/ldap_bind.c | 17 +---------------- 1 file changed, 1 insertion(+), 16 deletions(-) (limited to 'source4/ldap_server/ldap_bind.c') diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c index beaf3da46c..feb36135a8 100644 --- a/source4/ldap_server/ldap_bind.c +++ b/source4/ldap_server/ldap_bind.c 
@@ -115,22 +115,7 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call) gensec_set_target_service(call->conn->gensec, "ldap"); - server_credentials - = cli_credentials_init(call); - if (!server_credentials) { - DEBUG(1, ("Failed to init server credentials\n")); - return NT_STATUS_NO_MEMORY; - } - - cli_credentials_set_conf(server_credentials); - status = cli_credentials_set_machine_account(server_credentials); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(10, ("Failed to obtain server credentials, perhaps a standalone server?: %s\n", nt_errstr(status))); - talloc_free(server_credentials); - server_credentials = NULL; - } - - gensec_set_credentials(call->conn->gensec, server_credentials); + gensec_set_credentials(call->conn->gensec, call->conn->server_credentials); gensec_want_feature(call->conn->gensec, GENSEC_FEATURE_SIGN); gensec_want_feature(call->conn->gensec, GENSEC_FEATURE_SEAL); -- cgit From c908d0b2aa111659e57a73efb8c33c413965c846 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Fri, 6 Jan 2006 04:01:23 +0000 Subject: r12733: Merge ldap/ldb controls into main tree There's still lot of work to do but the patch is stable enough to be pushed into the main samba4 tree. Simo. (This used to be commit 77125feaff252cab44d26593093a9c211c846ce8) --- source4/ldap_server/ldap_bind.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/ldap_server/ldap_bind.c') diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c index feb36135a8..4a0ee0044d 100644 --- a/source4/ldap_server/ldap_bind.c +++ b/source4/ldap_server/ldap_bind.c @@ -21,6 +21,7 @@ #include "includes.h" #include "ldap_server/ldap_server.h" #include "auth/auth.h" +#include "libcli/ldap/ldap.h" #include "smbd/service_stream.h" #include "dsdb/samdb/samdb.h" -- cgit From a36c172d46a50406ba9dfc19d3c33965a62c79a0 Mon Sep 17 00:00:00 2001 
From: Stefan Metzmacher Date: Mon, 9 Jan 2006 15:45:12 +0000 Subject: r12792: fix compiler warning metze (This used to be commit 1eca5f46c60d09fccbef5e605c06b1b3e3b65feb) --- source4/ldap_server/ldap_bind.c | 1 - 1 file changed, 1 deletion(-) (limited to 'source4/ldap_server/ldap_bind.c') diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c index 4a0ee0044d..0f24ad9a04 100644 --- a/source4/ldap_server/ldap_bind.c +++ b/source4/ldap_server/ldap_bind.c @@ -104,7 +104,6 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call) DEBUG(10, ("BindSASL dn: %s\n",req->dn)); if (!call->conn->gensec) { - struct cli_credentials *server_credentials; call->conn->session_info = NULL; status = gensec_server_start(call->conn, &call->conn->gensec, -- cgit From a7a79d2b256c97bd6ffa6e9740d14366ebc7602e Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Fri, 13 Jan 2006 00:38:35 +0000 Subject: r12880: Remove ldap partitions useless now and probably we will not use it anyway as we plan to support partitions in ldb directly like with rootdse Merge ldap_simple_ldb into ldap_backend, it is not simple anymore and makes no sense to have it separated now that ldap partitions are gone Initial attempt at working to some limit to avoid DOSs for the ldap server. Simo. (This used to be commit 97bff3e049eba48019f2b0f3eb5a19e32fef2e23) --- source4/ldap_server/ldap_bind.c | 40 ++++++++++++++++++++-------------------- 1 file changed, 20 insertions(+), 20 deletions(-) (limited to 'source4/ldap_server/ldap_bind.c') diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c index 0f24ad9a04..cfd70d30d3 100644 --- a/source4/ldap_server/ldap_bind.c +++ b/source4/ldap_server/ldap_bind.c @@ -23,6 +23,8 @@ #include "auth/auth.h" #include "libcli/ldap/ldap.h" #include "smbd/service_stream.h" +#include "lib/ldb/include/ldb.h" +#include "lib/ldb/include/ldb_errors.h" #include "dsdb/samdb/samdb.h" static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call) 
@@ -55,21 +57,20 @@ static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call) } if (NT_STATUS_IS_OK(status)) { - struct ldapsrv_partition *part; result = LDAP_SUCCESS; errstr = NULL; talloc_free(call->conn->session_info); call->conn->session_info = session_info; - for (part = call->conn->partitions; part; part = part->next) { - if (!part->ops->Bind) { - continue; - } - status = part->ops->Bind(part, call->conn); - if (!NT_STATUS_IS_OK(status)) { - result = LDAP_OPERATIONS_ERROR; - errstr = talloc_asprintf(reply, "Simple Bind: Failed to advise partition %s of new credentials: %s", part->base_dn, nt_errstr(status)); - } + + /* don't leak the old LDB */ + talloc_free(call->conn->ldb); + + status = ldapsrv_backend_Init(call->conn); + + if (!NT_STATUS_IS_OK(status)) { + result = LDAP_OPERATIONS_ERROR; + errstr = talloc_asprintf(reply, "Simple Bind: Failed to advise ldb new credentials: %s", nt_errstr(status)); } } else { status = auth_nt_status_squash(status); @@ -145,7 +146,6 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call) result = LDAP_SASL_BIND_IN_PROGRESS; errstr = NULL; } else if (NT_STATUS_IS_OK(status)) { - struct ldapsrv_partition *part; struct auth_session_info *old_session_info; result = LDAP_SUCCESS; 
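Review bot: `talloc_free(call->conn->ldb)` leaves `call->conn->ldb` pointing at freed memory, and when `ldapsrv_backend_Init` then fails the function only reports LDAP_OPERATIONS_ERROR and keeps the connection open, so any later operation on it would run against a freed ldb context. Clear the pointer before re-initialising, `talloc_free(call->conn->ldb); call->conn->ldb = NULL;`, unless `ldapsrv_backend_Init` is known to reset it on entry, and consider terminating the connection when the backend cannot be rebuilt. The same pattern is in this commit's `ldapsrv_BindSASL` hunk (`@@ -163,15 +163,15 @@`). Both functions continue outside their hunks.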
@@ -163,15 +163,15 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call) errstr = talloc_asprintf(reply, "SASL:[%s]: Failed to get session info: %s", req->creds.SASL.mechanism, nt_errstr(status)); } else { talloc_free(old_session_info); - for (part = call->conn->partitions; part; part = part->next) { - if (!part->ops->Bind) { - continue; - } - status = part->ops->Bind(part, conn); - if (!NT_STATUS_IS_OK(status)) { - result = LDAP_OPERATIONS_ERROR; - errstr = talloc_asprintf(reply, "SASL:[%s]: Failed to advise partition %s of new credentials: %s", req->creds.SASL.mechanism, part->base_dn, nt_errstr(status)); - } + + /* don't leak the old LDB */ + talloc_free(call->conn->ldb); + + status = ldapsrv_backend_Init(call->conn); + + if (!NT_STATUS_IS_OK(status)) { + result = LDAP_OPERATIONS_ERROR; + errstr = talloc_asprintf(reply, "SASL:[%s]: Failed to advise samdb of new credentials: %s", req->creds.SASL.mechanism, nt_errstr(status)); } } } else { -- cgit From 15f73e6404a9c83140892e51477cf38a24252027 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 4 Feb 2006 09:48:22 +0000 Subject: r13339: Propogate more error infomation into the error packet and reformat the code a little. This also fixes a segfault when we didn't fill in the error message. Andrew Bartlett (This used to be commit 3be01a4ac7efe8d161910e8339bfe42584c0db86) --- source4/ldap_server/ldap_bind.c | 87 +++++++++++++++++++++++------------------ 1 file changed, 49 insertions(+), 38 deletions(-) (limited to 'source4/ldap_server/ldap_bind.c') diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c index cfd70d30d3..b42fe51b38 100644 --- a/source4/ldap_server/ldap_bind.c +++ b/source4/ldap_server/ldap_bind.c 
@@ -98,37 +98,12 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call) struct ldapsrv_reply *reply; struct ldap_BindResponse *resp; struct ldapsrv_connection *conn; - int result; + int result = 0; const char *errstr; NTSTATUS status = NT_STATUS_OK; DEBUG(10, ("BindSASL dn: %s\n",req->dn)); - if (!call->conn->gensec) { - call->conn->session_info = NULL; - - status = gensec_server_start(call->conn, &call->conn->gensec, - call->conn->connection->event.ctx); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("Failed to start GENSEC server code: %s\n", nt_errstr(status))); - return status; - } - - gensec_set_target_service(call->conn->gensec, "ldap"); - - gensec_set_credentials(call->conn->gensec, call->conn->server_credentials); - - gensec_want_feature(call->conn->gensec, GENSEC_FEATURE_SIGN); - gensec_want_feature(call->conn->gensec, GENSEC_FEATURE_SEAL); - gensec_want_feature(call->conn->gensec, GENSEC_FEATURE_ASYNC_REPLIES); - - status = gensec_start_mech_by_sasl_name(call->conn->gensec, req->creds.SASL.mechanism); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("Failed to start GENSEC SASL[%s] server code: %s\n", - req->creds.SASL.mechanism, nt_errstr(status))); - } - } - reply = ldapsrv_init_reply(call, LDAP_TAG_BindResponse); if (!reply) { return NT_STATUS_NO_MEMORY; 
@@ -137,9 +112,43 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call) conn = call->conn; + if (!conn->gensec) { + conn->session_info = NULL; + + status = gensec_server_start(conn, &conn->gensec, + conn->connection->event.ctx); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to start GENSEC server code: %s\n", nt_errstr(status))); + result = LDAP_OPERATIONS_ERROR; + errstr = talloc_asprintf(reply, "SASL: Failed to start authentication system: %s", + nt_errstr(status)); + } else { + + gensec_set_target_service(conn->gensec, "ldap"); + + gensec_set_credentials(conn->gensec, conn->server_credentials); + + gensec_want_feature(conn->gensec, GENSEC_FEATURE_SIGN); + gensec_want_feature(conn->gensec, GENSEC_FEATURE_SEAL); + gensec_want_feature(conn->gensec, GENSEC_FEATURE_ASYNC_REPLIES); + + status = gensec_start_mech_by_sasl_name(conn->gensec, req->creds.SASL.mechanism); + + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to start GENSEC SASL[%s] server code: %s\n", + req->creds.SASL.mechanism, nt_errstr(status))); + result = LDAP_OPERATIONS_ERROR; + errstr = talloc_asprintf(reply, "SASL:[%s]: Failed to start authentication backend: %s", + req->creds.SASL.mechanism, nt_errstr(status)); + } + } + } + if (NT_STATUS_IS_OK(status)) { - status = gensec_update(call->conn->gensec, reply, + status = gensec_update(conn->gensec, reply, req->creds.SASL.secblob, &resp->SASL.secblob); + } else { + resp->SASL.secblob = data_blob(NULL, 0); } if (NT_STATUS_EQUAL(NT_STATUS_MORE_PROCESSING_REQUIRED, status)) { 
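Review bot: When `gensec_start_mech_by_sasl_name` fails, `conn->gensec` is left allocated with no mechanism started, and because the whole setup block is guarded by `if (!conn->gensec)` the next BindRequest on this connection skips re-initialisation and goes straight to `gensec_update` on that half-built context. Tear it down on the failure path, `talloc_free(conn->gensec); conn->gensec = NULL;`, so a retry with a valid mechanism starts cleanly; what `gensec_update` does on a context without a started mechanism is not visible here. The function continues on both sides of the hunk.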
@@ -150,24 +159,24 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call) result = LDAP_SUCCESS; errstr = NULL; - if (gensec_have_feature(call->conn->gensec, GENSEC_FEATURE_SEAL) || - gensec_have_feature(call->conn->gensec, GENSEC_FEATURE_SIGN)) { - call->conn->enable_wrap = True; + if (gensec_have_feature(conn->gensec, GENSEC_FEATURE_SEAL) || + gensec_have_feature(conn->gensec, GENSEC_FEATURE_SIGN)) { + conn->enable_wrap = True; } - old_session_info = call->conn->session_info; - call->conn->session_info = NULL; - status = gensec_session_info(call->conn->gensec, &call->conn->session_info); + old_session_info = conn->session_info; + conn->session_info = NULL; + status = gensec_session_info(conn->gensec, &conn->session_info); if (!NT_STATUS_IS_OK(status)) { - call->conn->session_info = old_session_info; + conn->session_info = old_session_info; result = LDAP_OPERATIONS_ERROR; errstr = talloc_asprintf(reply, "SASL:[%s]: Failed to get session info: %s", req->creds.SASL.mechanism, nt_errstr(status)); } else { talloc_free(old_session_info); /* don't leak the old LDB */ - talloc_free(call->conn->ldb); + talloc_free(conn->ldb); - status = ldapsrv_backend_Init(call->conn); + status = ldapsrv_backend_Init(conn); if (!NT_STATUS_IS_OK(status)) { result = LDAP_OPERATIONS_ERROR; @@ -176,8 +185,10 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call) } } else { status = auth_nt_status_squash(status); - result = LDAP_INVALID_CREDENTIALS; - errstr = talloc_asprintf(reply, "SASL:[%s]: %s", req->creds.SASL.mechanism, nt_errstr(status)); + if (result == 0) { + result = LDAP_INVALID_CREDENTIALS; + errstr = talloc_asprintf(reply, "SASL:[%s]: %s", req->creds.SASL.mechanism, nt_errstr(status)); + } } resp->response.resultcode = result; -- cgit From 7449f4d8030e7d4a14c75d35af5ea68cf682d24f Mon Sep 17 00:00:00 2001 
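Review bot: `if (result == 0)` in the final `else` of the `@@ -176,8 +185,10 @@` hunk relies on the `int result = 0` initialiser from the earlier hunk standing for "no error recorded yet"; since 0 is also the wire value of LDAP_SUCCESS, spelling it `if (result == LDAP_SUCCESS)` or using a dedicated flag makes the intent explicit. That branch is reached only when `status` is not OK, so the `errstr` set by the GENSEC setup failure is preserved intentionally; a one-line comment, `/* result/errstr already set by the GENSEC setup failure above */`, saves the next reader the trace. The function continues outside the hunk.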
From: Stefan Metzmacher Date: Wed, 15 Feb 2006 15:19:10 +0000 Subject: r13508: some ASN.1 element in LDAP are optional, make it possible to code the difference between a zero length and a NULL DATA_BLOB... metze (This used to be commit 54f0b19c55df8ad3882f31a114e2ea0e4cf940ae) --- source4/ldap_server/ldap_bind.c | 31 +++++++++++++++++++++++-------- 1 file changed, 23 insertions(+), 8 deletions(-) (limited to 'source4/ldap_server/ldap_bind.c') diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c index b42fe51b38..5341b9f741 100644 --- a/source4/ldap_server/ldap_bind.c +++ b/source4/ldap_server/ldap_bind.c @@ -49,8 +49,6 @@ static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call) req->creds.password, &session_info); } - /* When we add authentication here, we also need to handle telling the backends */ - reply = ldapsrv_init_reply(call, LDAP_TAG_BindResponse); if (!reply) { return NT_STATUS_NO_MEMORY; @@ -84,9 +82,7 @@ static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call) resp->response.errormessage = errstr; resp->response.dn = NULL; resp->response.referral = NULL; - - /* This looks wrong... */ - resp->SASL.secblob = data_blob(NULL, 0); + resp->SASL.secblob = NULL; ldapsrv_queue_reply(call, reply); return NT_STATUS_OK; 
@@ -145,10 +141,29 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call) } if (NT_STATUS_IS_OK(status)) { + DATA_BLOB input = data_blob(NULL, 0); + DATA_BLOB output = data_blob(NULL, 0); + + if (req->creds.SASL.secblob) { + input = *req->creds.SASL.secblob; + } + + resp->SASL.secblob = talloc(reply, DATA_BLOB); + NT_STATUS_HAVE_NO_MEMORY(resp->SASL.secblob); + status = gensec_update(conn->gensec, reply, - req->creds.SASL.secblob, &resp->SASL.secblob); + input, &output); + + /* TODO: gensec should really handle the difference between NULL and length=0 better! */ + if (output.data) { + resp->SASL.secblob = talloc(reply, DATA_BLOB); + NT_STATUS_HAVE_NO_MEMORY(resp->SASL.secblob); + *resp->SASL.secblob = output; + } else { + resp->SASL.secblob = NULL; + } } else { - resp->SASL.secblob = data_blob(NULL, 0); + resp->SASL.secblob = NULL; } if (NT_STATUS_EQUAL(NT_STATUS_MORE_PROCESSING_REQUIRED, status)) { @@ -223,7 +238,7 @@ NTSTATUS ldapsrv_BindRequest(struct ldapsrv_call *call) resp->response.dn = NULL; resp->response.errormessage = talloc_asprintf(reply, "Bad AuthenticationChoice [%d]", req->mechanism); resp->response.referral = NULL; - resp->SASL.secblob = data_blob(NULL, 0); + resp->SASL.secblob = NULL; ldapsrv_queue_reply(call, reply); return NT_STATUS_OK; -- cgit From 9da5d4fd69d1e3a0c3129a41d185abcb1744d8be Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 4 Jul 2006 03:32:39 +0000 Subject: r16795: Fix crash found by Dave Fenwick . The session_info was not being attached to the connection, so subsequent checks in the kludge_acl module were looking at free()ed memory. Andrew Bartlett (This used to be commit 7e9079ac7af0bcd5d22040c7418cf58f86a72a1d) --- source4/ldap_server/ldap_bind.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'source4/ldap_server/ldap_bind.c') diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c index 5341b9f741..35b6ad5fbf 100644 --- a/source4/ldap_server/ldap_bind.c 
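Review bot: The first `resp->SASL.secblob = talloc(reply, DATA_BLOB);` and its `NT_STATUS_HAVE_NO_MEMORY` before `gensec_update` are dead: both branches after the call assign `resp->SASL.secblob` again, so that allocation is never read and only sits on `reply` until it is freed. Drop those two lines and keep the post-update allocation. `NT_STATUS_HAVE_NO_MEMORY` also returns from the function with `reply` initialised but never queued, which is acceptable for out-of-memory but deserves a short comment since every other failure here is reported to the client. The function continues outside the hunk.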
+++ b/source4/ldap_server/ldap_bind.c @@ -60,6 +60,7 @@ static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call) talloc_free(call->conn->session_info); call->conn->session_info = session_info; + talloc_steal(call->conn, session_info); /* don't leak the old LDB */ talloc_free(call->conn->ldb); @@ -187,6 +188,7 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call) errstr = talloc_asprintf(reply, "SASL:[%s]: Failed to get session info: %s", req->creds.SASL.mechanism, nt_errstr(status)); } else { talloc_free(old_session_info); + talloc_steal(conn, conn->session_info); /* don't leak the old LDB */ talloc_free(conn->ldb); -- cgit From ba07fa43d0b0090f5e686d8c1822468049f52416 Mon Sep 17 00:00:00 2001 
From: Andrew Bartlett Date: Sun, 23 Jul 2006 02:50:08 +0000 Subject: r17197: This patch moves the encryption of bulk data on SASL negotiated security contexts from the application layer into the socket layer. This improves a number of correctness aspects, as we now allow LDAP packets to cross multiple SASL packets. It should also make it much easier to write async LDAP tests from windows clients, as they use SASL by default. It is also vital to allowing OpenLDAP clients to use GSSAPI against Samba4, as it negotiates a rather small SASL buffer size. This patch mirrors the earlier work done to move TLS into the socket layer. Unusual in this patch is the extra read callback argument I take. As SASL is a layer on top of a socket, it is entirely possible for the SASL layer to drain a socket dry, but for the caller not to have read all the decrypted data. This would leave the system without an event to restart the read (as the socket is dry). As such, I re-invoke the read handler from a timed callback, which should trigger on the next running of the event loop. I believe that the TLS code does require a similar callback. In trying to understand why this is required, imagine a SASL-encrypted LDAP packet in the following formation: +-----------------+---------------------+ | SASL Packet #1 | SASL Packet #2 | ----------------------------------------+ | LDAP Packet #1 | LDAP Packet #2 | ----------------------------------------+ In the old code, this was illegal, but it is perfectly standard SASL-encrypted LDAP. Without the callback, we would read and process the first LDAP packet, and the SASL code would have read the second SASL packet (to decrypt enough data for the LDAP packet), and no data would remain on the socket. Without data on the socket, read events stop. That is why I add timed events, until the SASL buffer is drained. Another approach would be to add a hack to the event system, to have it pretend there remained data to read off the network (but that is ugly).
In improving the code, to handle more real-world cases, I've been able to remove almost all the special-cases in the testnonblock code. The only special case is that we must use a deterministic partial packet when calling send, rather than a random length. (1 + n/2). This is needed because of the way the SASL and TLS code works, and the 'resend on failure' requirements. Andrew Bartlett (This used to be commit 5d7c9c12cb2b39673172a357092b80cd814850b0) --- source4/ldap_server/ldap_bind.c | 28 +++++++++++++++++++++++----- 1 file changed, 23 insertions(+), 5 deletions(-) (limited to 'source4/ldap_server/ldap_bind.c') diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c index 35b6ad5fbf..7fce390450 100644 --- a/source4/ldap_server/ldap_bind.c +++ b/source4/ldap_server/ldap_bind.c @@ -22,10 +22,11 @@ #include "ldap_server/ldap_server.h" #include "auth/auth.h" #include "libcli/ldap/ldap.h" -#include "smbd/service_stream.h" +#include "smbd/service.h" #include "lib/ldb/include/ldb.h" #include "lib/ldb/include/ldb_errors.h" #include "dsdb/samdb/samdb.h" +#include "auth/gensec/socket.h" static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call) { @@ -89,6 +90,23 @@ static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call) return NT_STATUS_OK; } +static void ldapsrv_set_sasl(void *private) +{ + struct ldapsrv_connection *conn = talloc_get_type(private, struct ldapsrv_connection); + struct socket_context *socket = gensec_socket_init(conn->gensec, + conn->connection->socket, + conn->connection->event.ctx, + stream_io_handler_callback, + conn->connection); + if (socket) { + conn->connection->socket = socket; + talloc_steal(conn->connection->socket, socket); + packet_set_socket(conn->packet, socket); + } else { + ldapsrv_terminate_connection(conn, "Failed to setup SASL wrapping on socket"); + } +} + static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call) { struct ldap_BindRequest *req = &call->request->r.BindRequest; 
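Review bot: In `ldapsrv_set_sasl`, `talloc_steal(conn->connection->socket, socket)` runs after `conn->connection->socket = socket;`, so it steals the new socket onto itself rather than onto the connection — at best a no-op, at worst a parent cycle that talloc never frees. The intended parent is presumably `conn->connection`, i.e. `talloc_steal(conn->connection, socket);`, and placing it before the assignment avoids the confusion. r17215's rewrite of this function (`ctx->conn->connection->socket = ctx->sasl_socket; talloc_steal(ctx->conn->connection->socket, ctx->sasl_socket);`) carries the same pattern. Whether the wrapped original socket remains reachable for cleanup after `packet_set_socket` is also not visible here.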
@@ -175,10 +193,10 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call) result = LDAP_SUCCESS; errstr = NULL; - if (gensec_have_feature(conn->gensec, GENSEC_FEATURE_SEAL) || - gensec_have_feature(conn->gensec, GENSEC_FEATURE_SIGN)) { - conn->enable_wrap = True; - } + + call->send_callback = ldapsrv_set_sasl; + call->send_private = conn; + old_session_info = conn->session_info; conn->session_info = NULL; status = gensec_session_info(conn->gensec, &conn->session_info); -- cgit From d8f1e27b19fb37eda9849fe7ffac7be0e6246ccb Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 24 Jul 2006 00:45:21 +0000 Subject: r17215: Prepare the SASL socket before actually settting it. This allows errors to be reported corectly, rather than just dropping the socket. Andrew Bartlett (This used to be commit 83dd22accfd565e86d831490043d6beaa9648c96) --- source4/ldap_server/ldap_bind.c | 80 ++++++++++++++++++++++++++--------------- 1 file changed, 51 insertions(+), 29 deletions(-) (limited to 'source4/ldap_server/ldap_bind.c') diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c index 7fce390450..3afb617499 100644 --- a/source4/ldap_server/ldap_bind.c +++ b/source4/ldap_server/ldap_bind.c 
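Review bot: The `GENSEC_FEATURE_SEAL` / `GENSEC_FEATURE_SIGN` test that previously gated `enable_wrap` is removed, and `ldapsrv_set_sasl` is now installed on every successful SASL bind. Unless `gensec_socket_init` itself checks for a negotiated security layer (not visible in this hunk), a mechanism that authenticated without one would have its traffic routed through a wrapping socket that has nothing to wrap; keeping the feature test around the two `call->send_*` assignments is the conservative form. The function continues outside the hunk.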
@@ -90,21 +90,17 @@ static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call) return NT_STATUS_OK; } +struct ldapsrv_sasl_context { + struct ldapsrv_connection *conn; + struct socket_context *sasl_socket; +}; + static void ldapsrv_set_sasl(void *private) { - struct ldapsrv_connection *conn = talloc_get_type(private, struct ldapsrv_connection); - struct socket_context *socket = gensec_socket_init(conn->gensec, - conn->connection->socket, - conn->connection->event.ctx, - stream_io_handler_callback, - conn->connection); - if (socket) { - conn->connection->socket = socket; - talloc_steal(conn->connection->socket, socket); - packet_set_socket(conn->packet, socket); - } else { - ldapsrv_terminate_connection(conn, "Failed to setup SASL wrapping on socket"); - } + struct ldapsrv_sasl_context *ctx = talloc_get_type(private, struct ldapsrv_sasl_context); + ctx->conn->connection->socket = ctx->sasl_socket; + talloc_steal(ctx->conn->connection->socket, ctx->sasl_socket); + packet_set_socket(ctx->conn->packet, ctx->sasl_socket); } static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call) 
@@ -190,32 +186,58 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call)
 errstr = NULL;
 } else if (NT_STATUS_IS_OK(status)) {
 struct auth_session_info *old_session_info;
+ struct ldapsrv_sasl_context *ctx;
 result = LDAP_SUCCESS;
 errstr = NULL;
- call->send_callback = ldapsrv_set_sasl;
- call->send_private = conn;
-
- old_session_info = conn->session_info;
- conn->session_info = NULL;
- status = gensec_session_info(conn->gensec, &conn->session_info);
- if (!NT_STATUS_IS_OK(status)) {
+ ctx = talloc(call, struct ldapsrv_sasl_context);
+
+ if (ctx) {
+ ctx->conn = conn;
+ ctx->sasl_socket = gensec_socket_init(conn->gensec,
+ conn->connection->socket,
+ conn->connection->event.ctx,
+ stream_io_handler_callback,
+ conn->connection);
+ }
+
+ if (!ctx || !ctx->sasl_socket) {
 conn->session_info = old_session_info;
 result = LDAP_OPERATIONS_ERROR;
- errstr = talloc_asprintf(reply, "SASL:[%s]: Failed to get session info: %s", req->creds.SASL.mechanism, nt_errstr(status));
+ errstr = talloc_asprintf(reply,
+ "SASL:[%s]: Failed to setup SASL socket (out of memory)",
+ req->creds.SASL.mechanism);
 } else {
- talloc_free(old_session_info);
- talloc_steal(conn, conn->session_info);
-
- /* don't leak the old LDB */
- talloc_free(conn->ldb);
- status = ldapsrv_backend_Init(conn);
-
+ call->send_callback = ldapsrv_set_sasl;
+ call->send_private = ctx;
+
+ old_session_info = conn->session_info;
+ conn->session_info = NULL;
+ status = gensec_session_info(conn->gensec, &conn->session_info);
 if (!NT_STATUS_IS_OK(status)) {
+ conn->session_info = old_session_info;
 result = LDAP_OPERATIONS_ERROR;
- errstr = talloc_asprintf(reply, "SASL:[%s]: Failed to advise samdb of new credentials: %s", req->creds.SASL.mechanism, nt_errstr(status));
+ errstr = talloc_asprintf(reply,
+ "SASL:[%s]: Failed to get session info: %s",
+ req->creds.SASL.mechanism, nt_errstr(status));
+ } else {
+ talloc_free(old_session_info);
+ talloc_steal(conn, conn->session_info);
+
+ /* don't leak the old LDB */
+ talloc_free(conn->ldb);
+
+ status = ldapsrv_backend_Init(conn);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ result = LDAP_OPERATIONS_ERROR;
+ errstr = talloc_asprintf(reply,
+ "SASL:[%s]: Failed to advise samdb of new credentials: %s",
+ req->creds.SASL.mechanism,
+ nt_errstr(status));
+ }
 }
 }
 } else {
-- cgit
From 9d6f2767179fad2f9a067c67c09afddb6304e4eb Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Tue, 25 Jul 2006 00:57:27 +0000
Subject: r17222: Change the function prototypes for the GENSEc and TLS socket creation routines to return an NTSTATUS.
This should help track down errors.
Use a bit of talloc_steal and talloc_unlink to get the real socket to be a child of the GENSEC or TLS socket.
Always return a new socket, even for the 'pass-though' case.
Andrew Bartlett
(This used to be commit 003e2ab93c87267ba28cd67bd85975bad62a8ea2)
---
 source4/ldap_server/ldap_bind.c | 31 ++++++++++++++++++-------------
 1 file changed, 18 insertions(+), 13 deletions(-)
(limited to 'source4/ldap_server/ldap_bind.c')
diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c
index 3afb617499..daa82c1e48 100644
--- a/source4/ldap_server/ldap_bind.c
+++ b/source4/ldap_server/ldap_bind.c
@@ -98,9 +98,11 @@ struct ldapsrv_sasl_context {
 static void ldapsrv_set_sasl(void *private)
 {
 struct ldapsrv_sasl_context *ctx = talloc_get_type(private, struct ldapsrv_sasl_context);
+ talloc_steal(ctx->conn->connection, ctx->sasl_socket);
+ talloc_unlink(ctx->conn->connection, ctx->conn->connection->socket);
+
 ctx->conn->connection->socket = ctx->sasl_socket;
- talloc_steal(ctx->conn->connection->socket, ctx->sasl_socket);
- packet_set_socket(ctx->conn->packet, ctx->sasl_socket);
+ packet_set_socket(ctx->conn->packet, ctx->conn->connection->socket);
 }
 static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call)
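Review bot: `conn->session_info = old_session_info;` in the `!ctx || !ctx->sasl_socket` branch reads `old_session_info` before it has been assigned — the declaration `struct auth_session_info *old_session_info;` carries no initializer and the only store, `old_session_info = conn->session_info;`, now sits in the else branch — so a failed socket setup writes an indeterminate pointer into the connection's session. That line should simply be dropped from the failure branch, since conn->session_info has not been touched at that point; the same ordering survives in the r17222 hunk `@@ -193,21 +195,24 @@` below. Separately, `call->send_callback = ldapsrv_set_sasl;` is installed before gensec_session_info() and ldapsrv_backend_Init() are checked and is not cleared when either fails, so a bind answered with LDAP_OPERATIONS_ERROR still moves the connection onto the SASL socket once the reply is sent; setting `call->send_callback = NULL;` on those error paths, or installing it only after the last check, avoids that. The text `Failed to setup SASL socket (out of memory)` is also reported when gensec_socket_init() returned NULL for a reason other than memory.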
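Review bot: The result of `talloc_unlink(ctx->conn->connection, ctx->conn->connection->socket);` is ignored; talloc_unlink() returns -1 when the given context is neither the parent nor a reference holder of the pointer, and the commit message says the raw socket is now reparented under the GENSEC socket, so whether this call releases a reference or silently does nothing is not visible from the hunk. Logging the failure, `if (talloc_unlink(ctx->conn->connection, ctx->conn->connection->socket) != 0) { DEBUG(1, ("ldapsrv_set_sasl: old socket not owned by connection\n")); }`, or a comment naming the reference that is expected to be released, would make the ownership handover checkable. The steal on the line above appears to be ordered before the unlink so the new socket survives the release; a one-line comment saying so would save the next reader the same analysis.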
@@ -193,21 +195,24 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call)
 ctx = talloc(call, struct ldapsrv_sasl_context);
- if (ctx) {
+ if (!ctx) {
+ status = NT_STATUS_NO_MEMORY;
+ } else {
 ctx->conn = conn;
- ctx->sasl_socket = gensec_socket_init(conn->gensec,
- conn->connection->socket,
- conn->connection->event.ctx,
- stream_io_handler_callback,
- conn->connection);
- }
-
- if (!ctx || !ctx->sasl_socket) {
+ status = gensec_socket_init(conn->gensec,
+ conn->connection->socket,
+ conn->connection->event.ctx,
+ stream_io_handler_callback,
+ conn->connection,
+ &ctx->sasl_socket);
+ }
+
+ if (!ctx || !NT_STATUS_IS_OK(status)) {
 conn->session_info = old_session_info;
 result = LDAP_OPERATIONS_ERROR;
 errstr = talloc_asprintf(reply,
- "SASL:[%s]: Failed to setup SASL socket (out of memory)",
- req->creds.SASL.mechanism);
+ "SASL:[%s]: Failed to setup SASL socket: %s",
+ req->creds.SASL.mechanism, nt_errstr(status));
 } else {
 call->send_callback = ldapsrv_set_sasl;
-- cgit
From 79f7b58630e996ec734acb10e1fb99991979fe1b Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Tue, 25 Jul 2006 07:48:23 +0000
Subject: r17226: add some comments about ldap binds and pending requests
metze
(This used to be commit e8db1fb55833ab7b9e0be391ff822b34682cb38c)
---
 source4/ldap_server/ldap_bind.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
(limited to 'source4/ldap_server/ldap_bind.c')
diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c
index daa82c1e48..0e7a147e52 100644
--- a/source4/ldap_server/ldap_bind.c
+++ b/source4/ldap_server/ldap_bind.c
@@ -125,6 +125,12 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call)
 conn = call->conn;
+ /*
+ * TODO: a SASL bind with a different mechanism
+ * should cancel an inprogress SASL bind.
+ * (see RFC 4513)
+ */
+
 if (!conn->gensec) {
 conn->session_info = NULL;
@@ -268,6 +274,14 @@ NTSTATUS ldapsrv_BindRequest(struct ldapsrv_call *call)
 struct ldapsrv_reply *reply;
 struct ldap_BindResponse *resp;
+ /*
+ * TODO: we should fail the bind request
+ * if there're any pending requests.
+ *
+ * also a simple bind should cancel an
+ * inprogress SASL bind.
+ * (see RFC 4513)
+ */
 switch (req->mechanism) {
 case LDAP_AUTH_MECH_SIMPLE:
 return ldapsrv_BindSimple(call);
-- cgit
From 4cdcc1789363907f850a05c4b3349746c710ebf0 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Tue, 25 Jul 2006 19:20:04 +0000
Subject: r17237: - keep pointer to the different sockets
- we need this to later:
- to disallow a StartTLS when TLS is already in use
- to place the TLS socket between the raw and sasl socket when we had a sasl bind before the StartTLS
- and rfc4513 says that the server may allow to remove the TLS from the tcp connection again and reuse raw tcp
- and also a 2nd sasl bind should replace the old sasl socket
metze
(This used to be commit 10cb9c07ac60b03472f2b0b09c4581cc715002ba)
---
 source4/ldap_server/ldap_bind.c | 1 +
 1 file changed, 1 insertion(+)
(limited to 'source4/ldap_server/ldap_bind.c')
diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c
index 0e7a147e52..60783df4df 100644
--- a/source4/ldap_server/ldap_bind.c
+++ b/source4/ldap_server/ldap_bind.c
@@ -101,6 +101,7 @@ static void ldapsrv_set_sasl(void *private)
 talloc_steal(ctx->conn->connection, ctx->sasl_socket);
 talloc_unlink(ctx->conn->connection, ctx->conn->connection->socket);
+ ctx->conn->sockets.sasl = ctx->sasl_socket;
 ctx->conn->connection->socket = ctx->sasl_socket;
 packet_set_socket(ctx->conn->packet, ctx->conn->connection->socket);
 }
-- cgit
From 7a845bcb0141a895d5685afcef1ffe7f93428d0f Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Mon, 31 Jul 2006 14:05:08 +0000
Subject: r17341: pass a messaging context to auth_context_create() and gensec_server_start().
calling them with NULL for event context or messaging context is no longer allowed!
metze
(This used to be commit 679ac74e71b111344f1097ab389c0b83a9247710)
---
 source4/ldap_server/ldap_bind.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
(limited to 'source4/ldap_server/ldap_bind.c')
diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c
index 60783df4df..fe23d55d1d 100644
--- a/source4/ldap_server/ldap_bind.c
+++ b/source4/ldap_server/ldap_bind.c
@@ -46,8 +46,12 @@ static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call)
 status = crack_dn_to_nt4_name(call, req->dn, &nt4_domain, &nt4_account);
 if (NT_STATUS_IS_OK(status)) {
- status = authenticate_username_pw(call, nt4_domain, nt4_account,
- req->creds.password, &session_info);
+ status = authenticate_username_pw(call,
+ call->conn->connection->event.ctx,
+ call->conn->connection->msg_ctx,
+ nt4_domain, nt4_account,
+ req->creds.password,
+ &session_info);
 }
 reply = ldapsrv_init_reply(call, LDAP_TAG_BindResponse);
@@ -135,8 +139,10 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call)
 if (!conn->gensec) {
 conn->session_info = NULL;
- status = gensec_server_start(conn, &conn->gensec,
- conn->connection->event.ctx);
+ status = gensec_server_start(conn,
+ conn->connection->event.ctx,
+ conn->connection->msg_ctx,
+ &conn->gensec);
 if (!NT_STATUS_IS_OK(status)) {
 DEBUG(1, ("Failed to start GENSEC server code: %s\n", nt_errstr(status)));
 result = LDAP_OPERATIONS_ERROR;
-- cgit
From 30ee8beb9316a99e8a49993306252591106cb349 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell
Date: Sat, 9 Sep 2006 10:05:58 +0000
Subject: r18301: I discovered how to load the warnings from a build farm build into emacs compile mode (hint, paste to a file, and compile as "cat filename").
This allowed me to fix nearly all the warnings for a IA_64 SuSE build very quickly.
(This used to be commit eba6c84efff735bb0ca941ac4b755ce2b0591667)
---
 source4/ldap_server/ldap_bind.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'source4/ldap_server/ldap_bind.c')
diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c
index fe23d55d1d..9736def3bf 100644
--- a/source4/ldap_server/ldap_bind.c
+++ b/source4/ldap_server/ldap_bind.c
@@ -117,7 +117,7 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call)
 struct ldap_BindResponse *resp;
 struct ldapsrv_connection *conn;
 int result = 0;
- const char *errstr;
+ const char *errstr=NULL;
 NTSTATUS status = NT_STATUS_OK;
 DEBUG(10, ("BindSASL dn: %s\n",req->dn));
@@ -200,7 +200,7 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call)
 result = LDAP_SASL_BIND_IN_PROGRESS;
 errstr = NULL;
 } else if (NT_STATUS_IS_OK(status)) {
- struct auth_session_info *old_session_info;
+ struct auth_session_info *old_session_info=NULL;
 struct ldapsrv_sasl_context *ctx;
 result = LDAP_SUCCESS;
-- cgit
From 13dbee3ffea6065a826f010e50c9b4eb2c6ad109 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Tue, 7 Nov 2006 00:48:36 +0000
Subject: r19598: Ahead of a merge to current lorikeet-heimdal:
Break up auth/auth.h not to include the world.
Add credentials_krb5.h with the kerberos dependent prototypes.
Andrew Bartlett
(This used to be commit 2b569c42e0fbb596ea82484d0e1cb22e193037b9)
---
 source4/ldap_server/ldap_bind.c | 1 +
 1 file changed, 1 insertion(+)
(limited to 'source4/ldap_server/ldap_bind.c')
diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c
index 9736def3bf..f88d08e822 100644
--- a/source4/ldap_server/ldap_bind.c
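Review bot: `struct auth_session_info *old_session_info=NULL;` silences the uninitialised-use warning but leaves the use that caused it in place: the socket-setup failure branch of ldapsrv_BindSASL (outside this hunk) assigns `conn->session_info = old_session_info;` before `old_session_info` is ever loaded from `conn->session_info`, so that path now overwrites a previously established session with NULL instead of an indeterminate pointer. Removing that assignment from the failure branch is the actual fix; whether the rest of the server tolerates a NULL session_info on a live connection is not visible here. The `errstr=NULL` initializer is a harmless default, assuming every result path that reads errstr also assigns it.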
+++ b/source4/ldap_server/ldap_bind.c
@@ -26,6 +26,7 @@
 #include "lib/ldb/include/ldb.h"
 #include "lib/ldb/include/ldb_errors.h"
 #include "dsdb/samdb/samdb.h"
+#include "auth/gensec/gensec.h"
 #include "auth/gensec/socket.h"
 static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call)
-- cgit
From 89278a1469fe8f6c6080d6cb6b81de504802470d Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Fri, 19 Jan 2007 15:14:45 +0000
Subject: r20906: allow LDAP simple binds using the following syntaxes in the DN field:
CN=Administrator,CN=Users,DC=w2k3,DC=vmnet1,DC=vm,DC=base
Administrator@W2K3
W2K3\Administrator
w2k3.vmnet1.vm.base/Users/Administrator
w2k3 also allows this (and maybe more...?)
metze
(This used to be commit 40c27ef88df9021e9ef2a6c43aabab709ac9662f)
---
 source4/ldap_server/ldap_bind.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'source4/ldap_server/ldap_bind.c')
diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c
index f88d08e822..3d5df58e21 100644
--- a/source4/ldap_server/ldap_bind.c
+++ b/source4/ldap_server/ldap_bind.c
@@ -45,7 +45,7 @@ static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call)
 DEBUG(10, ("BindSimple dn: %s\n",req->dn));
- status = crack_dn_to_nt4_name(call, req->dn, &nt4_domain, &nt4_account);
+ status = crack_auto_name_to_nt4_name(call, req->dn, &nt4_domain, &nt4_account);
 if (NT_STATUS_IS_OK(status)) {
 status = authenticate_username_pw(call,
 call->conn->connection->event.ctx,
-- cgit
From bf772399bf38b16567b68e7fde102431e5a28135 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Fri, 23 Feb 2007 07:46:51 +0000
Subject: r21511: this seems to be the nicer fix for the problem with the windows 2000 LDAP client
metze
(This used to be commit d40465470fa09827ea529e1f2c80bca9efc152a8)
---
 source4/ldap_server/ldap_bind.c | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)
(limited to 'source4/ldap_server/ldap_bind.c')
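Review bot: The switch to `crack_auto_name_to_nt4_name(call, req->dn, &nt4_domain, &nt4_account);` widens what a simple bind accepts in the DN field from a DN to several name syntaxes, and the commit message is itself unsure of the full set ("and maybe more...?"); since this resolution decides which account the cleartext password is checked against, the accepted forms deserve a comment at the call site, e.g. `/* DN field may be a DN, user@REALM, DOMAIN\user or a canonical name; see crack_auto_name_to_nt4_name() */`. The open question in the message should be settled in that helper's documentation and a test rather than left in the history. ldapsrv_BindSimple continues below the hunk.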
diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c
index 3d5df58e21..c0d3e67ff2 100644
--- a/source4/ldap_server/ldap_bind.c
+++ b/source4/ldap_server/ldap_bind.c
@@ -185,14 +185,10 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call)
 status = gensec_update(conn->gensec, reply, input, &output);
- /* TODO: gensec should really handle the difference between NULL and length=0 better! */
- if (output.data) {
- resp->SASL.secblob = talloc(reply, DATA_BLOB);
- NT_STATUS_HAVE_NO_MEMORY(resp->SASL.secblob);
- *resp->SASL.secblob = output;
- } else {
- resp->SASL.secblob = NULL;
- }
+ /* Windows 2000 mmc doesn't like secblob == NULL and reports a decoding error */
+ resp->SASL.secblob = talloc(reply, DATA_BLOB);
+ NT_STATUS_HAVE_NO_MEMORY(resp->SASL.secblob);
+ *resp->SASL.secblob = output;
 } else {
 resp->SASL.secblob = NULL;
 }
-- cgit
From 0479a2f1cbae51fcd8dbdc3c148c808421fb4d25 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell
Date: Tue, 10 Jul 2007 02:07:03 +0000
Subject: r23792: convert Samba4 to GPLv3
There are still a few tidyups of old FSF addresses to come (in both s3 and s4).
More commits soon.
(This used to be commit fcf38a38ac691abd0fa51b89dc951a08e89fdafa)
---
 source4/ldap_server/ldap_bind.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
(limited to 'source4/ldap_server/ldap_bind.c')
diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c
index c0d3e67ff2..fe4680b1f2 100644
--- a/source4/ldap_server/ldap_bind.c
+++ b/source4/ldap_server/ldap_bind.c
@@ -5,7 +5,7 @@
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
+ the Free Software Foundation; either version 3 of the License, or
 (at your option) any later version.
 This program is distributed in the hope that it will be useful,
@@ -14,8 +14,7 @@
 GNU General Public License for more details.
 You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ along with this program. If not, see .
 */
 #include "includes.h"
-- cgit
From 51db4c3f3d81d1ed03beae6426786c843ac59807 Mon Sep 17 00:00:00 2001
From: Jelmer Vernooij
Date: Sun, 2 Dec 2007 17:56:09 +0100
Subject: r26228: Store loadparm context in auth context, move more loadparm_contexts up the call stack.
(This used to be commit ba75f1613a9aac69dd5df94dd8a2b37820acd166)
---
 source4/ldap_server/ldap_bind.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'source4/ldap_server/ldap_bind.c')
diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c
index fe4680b1f2..50521e9a52 100644
--- a/source4/ldap_server/ldap_bind.c
+++ b/source4/ldap_server/ldap_bind.c
@@ -27,6 +27,7 @@
 #include "dsdb/samdb/samdb.h"
 #include "auth/gensec/gensec.h"
 #include "auth/gensec/socket.h"
+#include "param/param.h"
 static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call)
 {
@@ -46,7 +47,7 @@ static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call)
 status = crack_auto_name_to_nt4_name(call, req->dn, &nt4_domain, &nt4_account);
 if (NT_STATUS_IS_OK(status)) {
- status = authenticate_username_pw(call,
+ status = authenticate_username_pw(global_loadparm, call,
 call->conn->connection->event.ctx,
 call->conn->connection->msg_ctx,
 nt4_domain, nt4_account,
-- cgit
From cc04f143dcd35fb67884e385ffd3e6ed2d32a4c2 Mon Sep 17 00:00:00 2001
From: Jelmer Vernooij
Date: Sun, 2 Dec 2007 19:04:33 +0100
Subject: r26229: Set loadparm context as opaque pointer in ldb, remove more uses of global_loadparm.
(This used to be commit 37d05fdc7b0e6b3211ba6ae56b1b5da30a6a392a)
---
 source4/ldap_server/ldap_bind.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'source4/ldap_server/ldap_bind.c')
diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c
index 50521e9a52..6a43228185 100644
--- a/source4/ldap_server/ldap_bind.c
+++ b/source4/ldap_server/ldap_bind.c
@@ -47,9 +47,10 @@ static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call)
 status = crack_auto_name_to_nt4_name(call, req->dn, &nt4_domain, &nt4_account);
 if (NT_STATUS_IS_OK(status)) {
- status = authenticate_username_pw(global_loadparm, call,
+ status = authenticate_username_pw(call,
 call->conn->connection->event.ctx,
 call->conn->connection->msg_ctx,
+ global_loadparm,
 nt4_domain, nt4_account,
 req->creds.password,
 &session_info);
-- cgit
From 7e298580e06a5b9a0c1210937af47f277849080e Mon Sep 17 00:00:00 2001
From: Jelmer Vernooij
Date: Sun, 2 Dec 2007 21:14:16 +0100
Subject: r26234: More global_loadparm fixes.
(This used to be commit 84892d030de6266fc0f3a699cade960dd5dc37bc)
---
 source4/ldap_server/ldap_bind.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'source4/ldap_server/ldap_bind.c')
diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c
index 6a43228185..979a4b5283 100644
--- a/source4/ldap_server/ldap_bind.c
+++ b/source4/ldap_server/ldap_bind.c
@@ -45,7 +45,7 @@ static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call)
 DEBUG(10, ("BindSimple dn: %s\n",req->dn));
- status = crack_auto_name_to_nt4_name(call, req->dn, &nt4_domain, &nt4_account);
+ status = crack_auto_name_to_nt4_name(call, global_loadparm, req->dn, &nt4_domain, &nt4_account);
 if (NT_STATUS_IS_OK(status)) {
 status = authenticate_username_pw(call,
 call->conn->connection->event.ctx,
-- cgit
From ecea5ce24553989103d4a06296b24f4d29f30a36 Mon Sep 17 00:00:00 2001
From: Jelmer Vernooij
Date: Mon, 3 Dec 2007 17:41:50 +0100
Subject: r26260: Store loadparm context in gensec context.
(This used to be commit b9e3a4862e267be39d603fed8207a237c3d72081)
---
 source4/ldap_server/ldap_bind.c | 1 +
 1 file changed, 1 insertion(+)
(limited to 'source4/ldap_server/ldap_bind.c')
diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c
index 979a4b5283..874c9bfb49 100644
--- a/source4/ldap_server/ldap_bind.c
+++ b/source4/ldap_server/ldap_bind.c
@@ -143,6 +143,7 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call)
 status = gensec_server_start(conn,
 conn->connection->event.ctx,
+ global_loadparm,
 conn->connection->msg_ctx,
 &conn->gensec);
 if (!NT_STATUS_IS_OK(status)) {
-- cgit
From 2f8dc4f48f1802baa3405e7803563f6840e0d1b3 Mon Sep 17 00:00:00 2001
From: Jelmer Vernooij
Date: Mon, 3 Dec 2007 21:25:06 +0100
Subject: r26266: Remove more global_loadparm uses.
(This used to be commit 99113075c4a96679bcec4f4d6bba4acb3dee4245)
---
 source4/ldap_server/ldap_bind.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'source4/ldap_server/ldap_bind.c')
diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c
index 874c9bfb49..53cef5b349 100644
--- a/source4/ldap_server/ldap_bind.c
+++ b/source4/ldap_server/ldap_bind.c
@@ -45,12 +45,12 @@ static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call)
 DEBUG(10, ("BindSimple dn: %s\n",req->dn));
- status = crack_auto_name_to_nt4_name(call, global_loadparm, req->dn, &nt4_domain, &nt4_account);
+ status = crack_auto_name_to_nt4_name(call, call->conn->lp_ctx, req->dn, &nt4_domain, &nt4_account);
 if (NT_STATUS_IS_OK(status)) {
 status = authenticate_username_pw(call,
 call->conn->connection->event.ctx,
 call->conn->connection->msg_ctx,
- global_loadparm,
+ call->conn->lp_ctx,
 nt4_domain, nt4_account,
 req->creds.password,
 &session_info);
@@ -143,7 +143,7 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call)
 status = gensec_server_start(conn,
 conn->connection->event.ctx,
- global_loadparm,
+ conn->lp_ctx,
 conn->connection->msg_ctx,
 &conn->gensec);
 if (!NT_STATUS_IS_OK(status)) {
-- cgit
From 3da665e9ac324320fed68a21163fffdf4bd3df89 Mon Sep 17 00:00:00 2001
From: Jelmer Vernooij
Date: Mon, 10 Dec 2007 18:42:07 +0100
Subject: r26385: Integrate gensec-socket into gensec.
(This used to be commit 78bb444b4b73df9a84f8702814f9b30b32ffd885)
---
 source4/ldap_server/ldap_bind.c | 1 -
 1 file changed, 1 deletion(-)
(limited to 'source4/ldap_server/ldap_bind.c')
diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c
index 53cef5b349..f2c974ae3f 100644
--- a/source4/ldap_server/ldap_bind.c
+++ b/source4/ldap_server/ldap_bind.c
@@ -26,7 +26,6 @@
 #include "lib/ldb/include/ldb_errors.h"
 #include "dsdb/samdb/samdb.h"
 #include "auth/gensec/gensec.h"
-#include "auth/gensec/socket.h"
 #include "param/param.h"
 static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call)
-- cgit
From 21fc7673780aa1d7c0caab7b17ff9171238913ba Mon Sep 17 00:00:00 2001
From: Jelmer Vernooij
Date: Thu, 17 Apr 2008 12:23:44 +0200
Subject: Specify event_context to ldb_wrap_connect explicitly.
(This used to be commit b4e1ae07a284c044704322446c94351c2decff91)
---
 source4/ldap_server/ldap_bind.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'source4/ldap_server/ldap_bind.c')
diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c
index f2c974ae3f..f37ef31c0a 100644
--- a/source4/ldap_server/ldap_bind.c
+++ b/source4/ldap_server/ldap_bind.c
@@ -44,7 +44,7 @@ static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call)
 DEBUG(10, ("BindSimple dn: %s\n",req->dn));
- status = crack_auto_name_to_nt4_name(call, call->conn->lp_ctx, req->dn, &nt4_domain, &nt4_account);
+ status = crack_auto_name_to_nt4_name(call, call->conn->connection->event.ctx, call->conn->lp_ctx, req->dn, &nt4_domain, &nt4_account);
 if (NT_STATUS_IS_OK(status)) {
 status = authenticate_username_pw(call,
 call->conn->connection->event.ctx,
-- cgit