From 8408b3428d8c263f8453a0da8ef71e7fc1e4ec81 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Sat, 6 Nov 2004 20:15:39 +0000 Subject: r3583: - seperate the ldap client code and the ldap parsing code (vl: we should only sync the parsing code with trunk) - use hierachical talloc in the ldap client code metze (This used to be commit 1e9c0b68ca9ddb28877d45fc1b47653b13a7446d) --- source4/libcli/ldap/ldap_client.c | 690 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 690 insertions(+) create mode 100644 source4/libcli/ldap/ldap_client.c (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c new file mode 100644 index 0000000000..7a72734c57 --- /dev/null +++ b/source4/libcli/ldap/ldap_client.c @@ -0,0 +1,690 @@ +/* + Unix SMB/CIFS mplementation. + LDAP protocol helper functions for SAMBA + + Copyright (C) Andrew Tridgell 2004 + Copyright (C) Volker Lendecke 2004 + Copyright (C) Stefan Metzmacher 2004 + Copyright (C) Simo Sorce 2004 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + +*/ + +#include "includes.h" +#include "system/network.h" +#include "auth/auth.h" +#include "asn_1.h" +#include "dlinklist.h" + +#if 0 +static struct ldap_message *new_ldap_search_message(struct ldap_connection *conn, + const char *base, + enum ldap_scope scope, + char *filter, + int num_attributes, + const char **attributes) +{ + struct ldap_message *res; + + res = new_ldap_message(conn); + if (!res) { + return NULL; + } + + res->type = LDAP_TAG_SearchRequest; + res->r.SearchRequest.basedn = base; + res->r.SearchRequest.scope = scope; + res->r.SearchRequest.deref = LDAP_DEREFERENCE_NEVER; + res->r.SearchRequest.timelimit = 0; + res->r.SearchRequest.sizelimit = 0; + res->r.SearchRequest.attributesonly = False; + res->r.SearchRequest.filter = filter; + res->r.SearchRequest.num_attributes = num_attributes; + res->r.SearchRequest.attributes = attributes; + + return res; +} +#endif + +static struct ldap_message *new_ldap_simple_bind_msg(struct ldap_connection *conn, const char *dn, const char *pw) +{ + struct ldap_message *res; + + res = new_ldap_message(conn); + if (!res) { + return NULL; + } + + res->type = LDAP_TAG_BindRequest; + res->r.BindRequest.version = 3; + res->r.BindRequest.dn = talloc_strdup(res->mem_ctx, dn); + res->r.BindRequest.mechanism = LDAP_AUTH_MECH_SIMPLE; + res->r.BindRequest.creds.password = talloc_strdup(res->mem_ctx, pw); + + return res; +} + +static struct ldap_message *new_ldap_sasl_bind_msg(struct ldap_connection *conn, const char *sasl_mechanism, DATA_BLOB *secblob) +{ + struct ldap_message *res; + + res = new_ldap_message(conn); + if (!res) { + return NULL; + } + + res->type = LDAP_TAG_BindRequest; + res->r.BindRequest.version = 3; + res->r.BindRequest.dn = ""; + res->r.BindRequest.mechanism = LDAP_AUTH_MECH_SASL; + res->r.BindRequest.creds.SASL.mechanism = talloc_strdup(res->mem_ctx, sasl_mechanism); + res->r.BindRequest.creds.SASL.secblob = *secblob; + + return res; +} + +static struct ldap_connection *new_ldap_connection(TALLOC_CTX *mem_ctx) +{ + struct ldap_connection *result; + + result = talloc_p(mem_ctx, struct ldap_connection); + + if (!result) { + return NULL; + } + + result->mem_ctx = result; + result->next_msgid = 1; + result->outstanding = NULL; + result->searchid = 0; + result->search_entries = NULL; + result->auth_dn = NULL; + result->simple_pw = NULL; + result->gensec = NULL; + + return result; +} + +struct ldap_connection *ldap_connect(TALLOC_CTX *mem_ctx, const char *url) +{ + struct hostent *hp; + struct ipv4_addr ip; + struct ldap_connection *conn; + BOOL ret; + + conn = new_ldap_connection(mem_ctx); + if (!conn) { + return NULL; + } + + ret = ldap_parse_basic_url(conn->mem_ctx, url, &conn->host, + &conn->port, &conn->ldaps); + if (!ret) { + talloc_free(conn); + return NULL; + } + + hp = sys_gethostbyname(conn->host); + if (!hp || !hp->h_addr) { + talloc_free(conn); + return NULL; + } + + putip((char *)&ip, (char *)hp->h_addr); + + conn->sock = open_socket_out(SOCK_STREAM, &ip, conn->port, LDAP_CONNECTION_TIMEOUT); + if (conn->sock < 0) { + talloc_free(conn); + return NULL; + } + + return conn; +} + +struct ldap_message *new_ldap_message(TALLOC_CTX *mem_ctx) +{ + struct ldap_message *result; + + result = talloc_p(mem_ctx, struct ldap_message); + + if (!result) { + return NULL; + } + + result->mem_ctx = result; + + return result; +} + +BOOL ldap_send_msg(struct ldap_connection *conn, struct ldap_message *msg, + const struct timeval *endtime) +{ + DATA_BLOB request; + BOOL result; + struct ldap_queue_entry *entry; + + msg->messageid = conn->next_msgid++; + + if (!ldap_encode(msg, &request)) + return False; + + result = (write_data_until(conn->sock, request.data, request.length, + endtime) == request.length); + + data_blob_free(&request); + + if (!result) + return result; + + /* abandon and unbind don't expect results */ + + if ((msg->type == LDAP_TAG_AbandonRequest) || + (msg->type == LDAP_TAG_UnbindRequest)) + return True; + + entry = malloc(sizeof(*entry)); + + if (entry == NULL) + return False; + + entry->msgid = msg->messageid; + entry->msg = NULL; + DLIST_ADD(conn->outstanding, entry); + + return True; +} + +BOOL ldap_receive_msg(struct ldap_connection *conn, struct ldap_message *msg, + const struct timeval *endtime) +{ + struct asn1_data data; + BOOL result; + + if (!asn1_read_sequence_until(conn->sock, &data, endtime)) + return False; + + result = ldap_decode(&data, msg); + + asn1_free(&data); + return result; +} + +static struct ldap_message *recv_from_queue(struct ldap_connection *conn, + int msgid) +{ + struct ldap_queue_entry *e; + + for (e = conn->outstanding; e != NULL; e = e->next) { + + if (e->msgid == msgid) { + struct ldap_message *result = e->msg; + DLIST_REMOVE(conn->outstanding, e); + SAFE_FREE(e); + return result; + } + } + + return NULL; +} + +static void add_search_entry(struct ldap_connection *conn, + struct ldap_message *msg) +{ + struct ldap_queue_entry *e = malloc(sizeof *e); + + if (e == NULL) + return; + + e->msg = msg; + DLIST_ADD_END(conn->search_entries, e, struct ldap_queue_entry *); + return; +} + +static void fill_outstanding_request(struct ldap_connection *conn, + struct ldap_message *msg) +{ + struct ldap_queue_entry *e; + + for (e = conn->outstanding; e != NULL; e = e->next) { + if (e->msgid == msg->messageid) { + e->msg = msg; + return; + } + } + + /* This reply has not been expected, destroy the incoming msg */ + talloc_free(msg); + return; +} + +struct ldap_message *ldap_receive(struct ldap_connection *conn, int msgid, + const struct timeval *endtime) +{ + struct ldap_message *result = recv_from_queue(conn, msgid); + + if (result != NULL) + return result; + + while (True) { + struct asn1_data data; + BOOL res; + + result = new_ldap_message(conn); + + if (!asn1_read_sequence_until(conn->sock, &data, endtime)) + return NULL; + + res = ldap_decode(&data, result); + asn1_free(&data); + + if (!res) + return NULL; + + if (result->messageid == msgid) + return result; + + if (result->type == LDAP_TAG_SearchResultEntry) { + add_search_entry(conn, result); + } else { + fill_outstanding_request(conn, result); + } + } + + return NULL; +} + +struct ldap_message *ldap_transaction(struct ldap_connection *conn, + struct ldap_message *request) +{ + if (!ldap_send_msg(conn, request, NULL)) + return False; + + return ldap_receive(conn, request->messageid, NULL); +} + +int ldap_bind_simple(struct ldap_connection *conn, const char *userdn, const char *password) +{ + struct ldap_message *response; + struct ldap_message *msg; + const char *dn, *pw; + int result = LDAP_OTHER; + + if (conn == NULL) + return result; + + if (userdn) { + dn = userdn; + } else { + if (conn->auth_dn) { + dn = conn->auth_dn; + } else { + dn = ""; + } + } + + if (password) { + pw = password; + } else { + if (conn->simple_pw) { + pw = conn->simple_pw; + } else { + pw = ""; + } + } + + msg = new_ldap_simple_bind_msg(conn, dn, pw); + if (!msg) + return result; + + response = ldap_transaction(conn, msg); + if (!response) { + talloc_free(msg); + return result; + } + + result = response->r.BindResponse.response.resultcode; + + talloc_free(msg); + talloc_free(response); + + return result; +} + +int ldap_bind_sasl(struct ldap_connection *conn, const char *username, const char *domain, const char *password) +{ + NTSTATUS status; + TALLOC_CTX *mem_ctx = NULL; + struct ldap_message *response; + struct ldap_message *msg; + DATA_BLOB input = data_blob(NULL, 0); + DATA_BLOB output = data_blob(NULL, 0); + int result = LDAP_OTHER; + + if (conn == NULL) + return result; + + status = gensec_client_start(conn, &conn->gensec); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("Failed to start GENSEC engine (%s)\n", nt_errstr(status))); + return result; + } + + gensec_want_feature(conn->gensec, GENSEC_WANT_SIGN | GENSEC_WANT_SEAL); + + status = gensec_set_domain(conn->gensec, domain); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to start set GENSEC client domain to %s: %s\n", + domain, nt_errstr(status))); + goto done; + } + + status = gensec_set_username(conn->gensec, username); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to start set GENSEC client username to %s: %s\n", + username, nt_errstr(status))); + goto done; + } + + status = gensec_set_password(conn->gensec, password); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to start set GENSEC client password: %s\n", + nt_errstr(status))); + goto done; + } + + status = gensec_set_target_hostname(conn->gensec, conn->host); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to start set GENSEC target hostname: %s\n", + nt_errstr(status))); + goto done; + } + + status = gensec_start_mech_by_sasl_name(conn->gensec, "GSS-SPNEGO"); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to start set GENSEC client SPNEGO mechanism: %s\n", + nt_errstr(status))); + goto done; + } + + mem_ctx = talloc_init("ldap_bind_sasl"); + if (!mem_ctx) + goto done; + + status = gensec_update(conn->gensec, mem_ctx, + input, + &output); + + while(1) { + if (NT_STATUS_IS_OK(status) && output.length == 0) { + break; + } + if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) && !NT_STATUS_IS_OK(status)) { + break; + } + + msg = new_ldap_sasl_bind_msg(conn, "GSS-SPNEGO", &output); + if (!msg) + goto done; + + response = ldap_transaction(conn, msg); + talloc_free(msg); + + if (!response) { + goto done; + } + + result = response->r.BindResponse.response.resultcode; + + if (result != LDAP_SUCCESS && result != LDAP_SASL_BIND_IN_PROGRESS) { + break; + } + + status = gensec_update(conn->gensec, mem_ctx, + response->r.BindResponse.SASL.secblob, + &output); + + talloc_free(response); + } + +done: + if (mem_ctx) + talloc_destroy(mem_ctx); + + return result; +} + +struct ldap_connection *ldap_setup_connection(TALLOC_CTX *mem_ctx, const char *url, + const char *userdn, const char *password) +{ + struct ldap_connection *conn; + int result; + + conn =ldap_connect(mem_ctx, url); + if (!conn) { + return NULL; + } + + result = ldap_bind_simple(conn, userdn, password); + if (result != LDAP_SUCCESS) { + talloc_free(conn); + return NULL; + } + + return conn; +} + +struct ldap_connection *ldap_setup_connection_with_sasl(TALLOC_CTX *mem_ctx, const char *url, + const char *username, const char *domain, const char *password) +{ + struct ldap_connection *conn; + int result; + + conn =ldap_connect(mem_ctx, url); + if (!conn) { + return NULL; + } + + result = ldap_bind_sasl(conn, username, domain, password); + if (result != LDAP_SUCCESS) { + talloc_free(conn); + return NULL; + } + + return conn; +} + +BOOL ldap_abandon_message(struct ldap_connection *conn, int msgid, + const struct timeval *endtime) +{ + struct ldap_message *msg = new_ldap_message(conn); + BOOL result; + + if (msg == NULL) + return False; + + msg->type = LDAP_TAG_AbandonRequest; + msg->r.AbandonRequest.messageid = msgid; + + result = ldap_send_msg(conn, msg, endtime); + talloc_free(msg); + return result; +} + +BOOL ldap_setsearchent(struct ldap_connection *conn, struct ldap_message *msg, + const struct timeval *endtime) +{ + if ((conn->searchid != 0) && + (!ldap_abandon_message(conn, conn->searchid, endtime))) + return False; + + conn->searchid = conn->next_msgid; + return ldap_send_msg(conn, msg, endtime); +} + +struct ldap_message *ldap_getsearchent(struct ldap_connection *conn, + const struct timeval *endtime) +{ + struct ldap_message *result; + + if (conn->search_entries != NULL) { + struct ldap_queue_entry *e = conn->search_entries; + + result = e->msg; + DLIST_REMOVE(conn->search_entries, e); + SAFE_FREE(e); + return result; + } + + result = ldap_receive(conn, conn->searchid, endtime); + if (!result) { + return NULL; + } + + if (result->type == LDAP_TAG_SearchResultEntry) + return result; + + if (result->type == LDAP_TAG_SearchResultDone) { + /* TODO: Handle Paged Results */ + talloc_free(result); + return NULL; + } + + /* TODO: Handle Search References here */ + return NULL; +} + +void ldap_endsearchent(struct ldap_connection *conn, + const struct timeval *endtime) +{ + struct ldap_queue_entry *e; + + e = conn->search_entries; + + while (e != NULL) { + struct ldap_queue_entry *next = e->next; + DLIST_REMOVE(conn->search_entries, e); + SAFE_FREE(e); + e = next; + } +} + +struct ldap_message *ldap_searchone(struct ldap_connection *conn, + struct ldap_message *msg, + const struct timeval *endtime) +{ + struct ldap_message *res1, *res2 = NULL; + if (!ldap_setsearchent(conn, msg, endtime)) + return NULL; + + res1 = ldap_getsearchent(conn, endtime); + + if (res1 != NULL) + res2 = ldap_getsearchent(conn, endtime); + + ldap_endsearchent(conn, endtime); + + if (res1 == NULL) + return NULL; + + if (res2 != NULL) { + /* More than one entry */ + talloc_free(res1); + talloc_free(res2); + return NULL; + } + + return res1; +} + +BOOL ldap_find_single_value(struct ldap_message *msg, const char *attr, + DATA_BLOB *value) +{ + int i; + struct ldap_SearchResEntry *r = &msg->r.SearchResultEntry; + + if (msg->type != LDAP_TAG_SearchResultEntry) + return False; + + for (i=0; inum_attributes; i++) { + if (strequal(attr, r->attributes[i].name)) { + if (r->attributes[i].num_values != 1) + return False; + + *value = r->attributes[i].values[0]; + return True; + } + } + return False; +} + +BOOL ldap_find_single_string(struct ldap_message *msg, const char *attr, + TALLOC_CTX *mem_ctx, char **value) +{ + DATA_BLOB blob; + + if (!ldap_find_single_value(msg, attr, &blob)) + return False; + + *value = talloc(mem_ctx, blob.length+1); + + if (*value == NULL) + return False; + + memcpy(*value, blob.data, blob.length); + (*value)[blob.length] = '\0'; + return True; +} + +BOOL ldap_find_single_int(struct ldap_message *msg, const char *attr, + int *value) +{ + DATA_BLOB blob; + char *val; + int errno_save; + BOOL res; + + if (!ldap_find_single_value(msg, attr, &blob)) + return False; + + val = malloc(blob.length+1); + if (val == NULL) + return False; + + memcpy(val, blob.data, blob.length); + val[blob.length] = '\0'; + + errno_save = errno; + errno = 0; + + *value = strtol(val, NULL, 10); + + res = (errno == 0); + + free(val); + errno = errno_save; + + return res; +} + +int ldap_error(struct ldap_connection *conn) +{ + return 0; +} + +NTSTATUS ldap2nterror(int ldaperror) +{ + return NT_STATUS_OK; +} -- cgit From 58c326809a816703dc516c3022c9c4dbb9d09445 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Fri, 3 Dec 2004 06:24:38 +0000 Subject: r4052: fixed a bunch of code to use the type safe _p allocation macros (This used to be commit 80d15fa3402a9d1183467463f6b21c0b674bc442) --- source4/libcli/ldap/ldap_client.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index 7a72734c57..88c84d880b 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -195,7 +195,7 @@ BOOL ldap_send_msg(struct ldap_connection *conn, struct ldap_message *msg, (msg->type == LDAP_TAG_UnbindRequest)) return True; - entry = malloc(sizeof(*entry)); + entry = malloc_p(struct ldap_queue_entry); if (entry == NULL) return False; @@ -243,7 +243,7 @@ static struct ldap_message *recv_from_queue(struct ldap_connection *conn, static void add_search_entry(struct ldap_connection *conn, struct ldap_message *msg) { - struct ldap_queue_entry *e = malloc(sizeof *e); + struct ldap_queue_entry *e = malloc_p(struct ldap_queue_entry); if (e == NULL) return; -- cgit From 0ad10aec63201c45b09f91541e9eee17fcf7ede5 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 6 Dec 2004 15:44:17 +0000 Subject: r4079: implement the gensec_have_feature() correctly by asking the backend what is actually in use metze (This used to be commit 6f3eb7bc03609108b9e0ea5676fca3d04140e737) --- source4/libcli/ldap/ldap_client.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index 88c84d880b..a9b20b4ea8 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -382,7 +382,7 @@ int ldap_bind_sasl(struct ldap_connection *conn, const char *username, const cha return result; } - gensec_want_feature(conn->gensec, GENSEC_WANT_SIGN | GENSEC_WANT_SEAL); + gensec_want_feature(conn->gensec, GENSEC_FEATURE_SIGN | GENSEC_FEATURE_SEAL); status = gensec_set_domain(conn->gensec, domain); if (!NT_STATUS_IS_OK(status)) { -- cgit From ecabb2dce5a7e651664ddaf47385cd792fb53347 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 28 Dec 2004 23:59:22 +0000 Subject: r4385: Set the correct target service. Andrew Bartlett (This used to be commit 722f59c7c8d09f548d9325c6051d6687d7aa16c2) --- source4/libcli/ldap/ldap_client.c | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index a9b20b4ea8..b405b4f417 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -412,6 +412,13 @@ int ldap_bind_sasl(struct ldap_connection *conn, const char *username, const cha goto done; } + status = gensec_set_target_service(conn->gensec, "ldap"); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to start set GENSEC target hostname: %s\n", + nt_errstr(status))); + goto done; + } + status = gensec_start_mech_by_sasl_name(conn->gensec, "GSS-SPNEGO"); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to start set GENSEC client SPNEGO mechanism: %s\n", -- cgit From e3da3b48b16bc6f166034189d2907d6ffa11a07a Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 29 Dec 2004 00:03:34 +0000 Subject: r4386: Grr, fix copy-and-paste bug. Andrew Bartlett (This used to be commit 13aa88ed65a8914000cccbecf80929db3df65037) --- source4/libcli/ldap/ldap_client.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index b405b4f417..77356cbe70 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -414,7 +414,7 @@ int ldap_bind_sasl(struct ldap_connection *conn, const char *username, const cha status = gensec_set_target_service(conn->gensec, "ldap"); if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("Failed to start set GENSEC target hostname: %s\n", + DEBUG(1, ("Failed to start set GENSEC target service: %s\n", nt_errstr(status))); goto done; } -- cgit From 740ee4a8977512c03800ef88603cf65fd044443b Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 1 Jan 2005 00:19:08 +0000 Subject: r4460: Add a new GENSEC module: gensec_gssapi (disabled by default, set parametric option: gensec:gssapi=yes to enable). This module backs directly onto GSSAPI, and allows us to sign and seal GSSAPI/Krb5 connections in particular. This avoids me reinventing the entire GSSAPI wheel. Currently a lot of things are left as default - we will soon start specifiying OIDs as well as passwords (it uses the keytab only at the moment). Tested with our LDAP-* torture tests against Win2k3. My hope is to use this module to access the new SPNEGO implementation in Heimdal, to avoid having to standards-verify our own. Andrew Bartlett (This used to be commit 14b650c85db14a9bf97e24682b2643b63c51ff35) --- source4/libcli/ldap/ldap_client.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index 77356cbe70..9ca9e4b5c4 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -459,9 +459,13 @@ int ldap_bind_sasl(struct ldap_connection *conn, const char *username, const cha break; } - status = gensec_update(conn->gensec, mem_ctx, - response->r.BindResponse.SASL.secblob, - &output); + if (!NT_STATUS_IS_OK(status)) { + status = gensec_update(conn->gensec, mem_ctx, + response->r.BindResponse.SASL.secblob, + &output); + } else { + output.length = 0; + } talloc_free(response); } -- cgit From ddc10d4d37984246a6547e34a32d629c689c40d1 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Thu, 6 Jan 2005 03:06:58 +0000 Subject: r4549: got rid of a lot more uses of plain talloc(), instead using talloc_size() or talloc_array_p() where appropriate. also fixed a memory leak in pvfs_copy_file() (failed to free a memory context) (This used to be commit 89b74b53546e1570b11b3702f40bee58aed8c503) --- source4/libcli/ldap/ldap_client.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index 9ca9e4b5c4..84fd0f1d64 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -649,7 +649,7 @@ BOOL ldap_find_single_string(struct ldap_message *msg, const char *attr, if (!ldap_find_single_value(msg, attr, &blob)) return False; - *value = talloc(mem_ctx, blob.length+1); + *value = talloc_size(mem_ctx, blob.length+1); if (*value == NULL) return False; -- cgit From 759da3b915e2006d4c87b5ace47f399accd9ce91 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Thu, 27 Jan 2005 07:08:20 +0000 Subject: r5037: got rid of all of the TALLOC_DEPRECATED stuff. My apologies for the large commit. I thought this was worthwhile to get done for consistency. (This used to be commit ec32b22ed5ec224f6324f5e069d15e92e38e15c0) --- source4/libcli/ldap/ldap_client.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index 84fd0f1d64..c9e81ac28f 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -100,7 +100,7 @@ static struct ldap_connection *new_ldap_connection(TALLOC_CTX *mem_ctx) { struct ldap_connection *result; - result = talloc_p(mem_ctx, struct ldap_connection); + result = talloc(mem_ctx, struct ldap_connection); if (!result) { return NULL; @@ -158,7 +158,7 @@ struct ldap_message *new_ldap_message(TALLOC_CTX *mem_ctx) { struct ldap_message *result; - result = talloc_p(mem_ctx, struct ldap_message); + result = talloc(mem_ctx, struct ldap_message); if (!result) { return NULL; @@ -472,7 +472,7 @@ int ldap_bind_sasl(struct ldap_connection *conn, const char *username, const cha done: if (mem_ctx) - talloc_destroy(mem_ctx); + talloc_free(mem_ctx); return result; } -- cgit From a0ab1f7afda62964d480af9dc26e60a38d1350e0 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sun, 30 Jan 2005 07:22:16 +0000 Subject: r5107: moved the horrible ldap socket code, and the even worse asn1-tied-to-blocking-sockets code into the ldap client and torture suite, and out of the generic libs, so nobody else is tempted to use it for any new code. (This used to be commit 39d1ced21baeca40d1fca62ba65243ca8f15757e) --- source4/libcli/ldap/ldap_client.c | 240 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 240 insertions(+) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index c9e81ac28f..73099ec1be 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -29,6 +29,246 @@ #include "asn_1.h" #include "dlinklist.h" + + +/**************************************************************************** + Check the timeout. +****************************************************************************/ +static BOOL timeout_until(struct timeval *timeout, + const struct timeval *endtime) +{ + struct timeval now; + + GetTimeOfDay(&now); + + if ((now.tv_sec > endtime->tv_sec) || + ((now.tv_sec == endtime->tv_sec) && + (now.tv_usec > endtime->tv_usec))) + return False; + + timeout->tv_sec = endtime->tv_sec - now.tv_sec; + timeout->tv_usec = endtime->tv_usec - now.tv_usec; + return True; +} + + +/**************************************************************************** + Read data from the client, reading exactly N bytes, with timeout. +****************************************************************************/ +static ssize_t read_data_until(int fd,char *buffer,size_t N, + const struct timeval *endtime) +{ + ssize_t ret; + size_t total=0; + + while (total < N) { + + if (endtime != NULL) { + fd_set r_fds; + struct timeval timeout; + int res; + + FD_ZERO(&r_fds); + FD_SET(fd, &r_fds); + + if (!timeout_until(&timeout, endtime)) + return -1; + + res = sys_select(fd+1, &r_fds, NULL, NULL, &timeout); + if (res <= 0) + return -1; + } + + ret = sys_read(fd,buffer + total,N - total); + + if (ret == 0) { + DEBUG(10,("read_data: read of %d returned 0. Error = %s\n", (int)(N - total), strerror(errno) )); + return 0; + } + + if (ret == -1) { + DEBUG(0,("read_data: read failure for %d. Error = %s\n", (int)(N - total), strerror(errno) )); + return -1; + } + total += ret; + } + return (ssize_t)total; +} + + +/**************************************************************************** + Write data to a fd with timeout. +****************************************************************************/ +static ssize_t write_data_until(int fd,char *buffer,size_t N, + const struct timeval *endtime) +{ + size_t total=0; + ssize_t ret; + + while (total < N) { + + if (endtime != NULL) { + fd_set w_fds; + struct timeval timeout; + int res; + + FD_ZERO(&w_fds); + FD_SET(fd, &w_fds); + + if (!timeout_until(&timeout, endtime)) + return -1; + + res = sys_select(fd+1, NULL, &w_fds, NULL, &timeout); + if (res <= 0) + return -1; + } + + ret = sys_write(fd,buffer + total,N - total); + + if (ret == -1) { + DEBUG(0,("write_data: write failure. Error = %s\n", strerror(errno) )); + return -1; + } + if (ret == 0) + return total; + + total += ret; + } + return (ssize_t)total; +} + + + +static BOOL read_one_uint8(int sock, uint8_t *result, struct asn1_data *data, + const struct timeval *endtime) +{ + if (read_data_until(sock, result, 1, endtime) != 1) + return False; + + return asn1_write(data, result, 1); +} + +/* Read a complete ASN sequence (ie LDAP result) from a socket */ +static BOOL asn1_read_sequence_until(int sock, struct asn1_data *data, + const struct timeval *endtime) +{ + uint8_t b; + size_t len; + char *buf; + + ZERO_STRUCTP(data); + + if (!read_one_uint8(sock, &b, data, endtime)) + return False; + + if (b != 0x30) { + data->has_error = True; + return False; + } + + if (!read_one_uint8(sock, &b, data, endtime)) + return False; + + if (b & 0x80) { + int n = b & 0x7f; + if (!read_one_uint8(sock, &b, data, endtime)) + return False; + len = b; + while (n > 1) { + if (!read_one_uint8(sock, &b, data, endtime)) + return False; + len = (len<<8) | b; + n--; + } + } else { + len = b; + } + + buf = talloc_size(NULL, len); + if (buf == NULL) + return False; + + if (read_data_until(sock, buf, len, endtime) != len) + return False; + + if (!asn1_write(data, buf, len)) + return False; + + talloc_free(buf); + + data->ofs = 0; + + return True; +} + + + +/**************************************************************************** + create an outgoing socket. timeout is in milliseconds. + **************************************************************************/ +static int open_socket_out(int type, struct ipv4_addr *addr, int port, int timeout) +{ + struct sockaddr_in sock_out; + int res,ret; + int connect_loop = 250; /* 250 milliseconds */ + int loops = (timeout) / connect_loop; + + /* create a socket to write to */ + res = socket(PF_INET, type, 0); + if (res == -1) + { DEBUG(0,("socket error\n")); return -1; } + + if (type != SOCK_STREAM) return(res); + + memset((char *)&sock_out,'\0',sizeof(sock_out)); + putip((char *)&sock_out.sin_addr,(char *)addr); + + sock_out.sin_port = htons( port ); + sock_out.sin_family = PF_INET; + + /* set it non-blocking */ + set_blocking(res,False); + + DEBUG(3,("Connecting to %s at port %d\n", sys_inet_ntoa(*addr),port)); + + /* and connect it to the destination */ +connect_again: + ret = connect(res,(struct sockaddr *)&sock_out,sizeof(sock_out)); + + /* Some systems return EAGAIN when they mean EINPROGRESS */ + if (ret < 0 && (errno == EINPROGRESS || errno == EALREADY || + errno == EAGAIN) && loops--) { + msleep(connect_loop); + goto connect_again; + } + + if (ret < 0 && (errno == EINPROGRESS || errno == EALREADY || + errno == EAGAIN)) { + DEBUG(1,("timeout connecting to %s:%d\n", sys_inet_ntoa(*addr),port)); + close(res); + return -1; + } + +#ifdef EISCONN + if (ret < 0 && errno == EISCONN) { + errno = 0; + ret = 0; + } +#endif + + if (ret < 0) { + DEBUG(2,("error connecting to %s:%d (%s)\n", + sys_inet_ntoa(*addr),port,strerror(errno))); + close(res); + return -1; + } + + /* set it blocking again */ + set_blocking(res,True); + + return res; +} + #if 0 static struct ldap_message *new_ldap_search_message(struct ldap_connection *conn, const char *base, -- cgit From e82aad1ce39a6b7a2e51b9e2cb494d74ec70e158 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Thu, 10 Feb 2005 05:09:35 +0000 Subject: r5298: - got rid of pstring.h from includes.h. This at least makes it a bit less likely that anyone will use pstring for new code - got rid of winbind_client.h from includes.h. This one triggered a huge change, as winbind_client.h was including system/filesys.h and defining the old uint32 and uint16 types, as well as its own pstring and fstring. (This used to be commit 9db6c79e902ec538108d6b7d3324039aabe1704f) --- source4/libcli/ldap/ldap_client.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index 73099ec1be..ddf0932fa1 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -25,6 +25,7 @@ #include "includes.h" #include "system/network.h" +#include "system/filesys.h" #include "auth/auth.h" #include "asn_1.h" #include "dlinklist.h" -- cgit From 501379431c7fc6c9a78e74eca43b208184debce6 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Thu, 10 Feb 2005 07:08:40 +0000 Subject: r5305: removed libcli/ldap/ldap.h from includes.h (This used to be commit 0df3fdd8178085c40f9cd776cc3e1486ca559c8e) --- source4/libcli/ldap/ldap_client.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index ddf0932fa1..11815ddd6d 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -29,6 +29,7 @@ #include "auth/auth.h" #include "asn_1.h" #include "dlinklist.h" +#include "libcli/ldap/ldap.h" -- cgit From 75ddf59ea110117578acd3a7b889549bfb40473c Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Thu, 10 Feb 2005 07:39:14 +0000 Subject: r5308: trimmed back a lot of the old macros from smb_macros.h (This used to be commit bf43c9bdcf9e654d123f6a2b29feb9189ca9e561) --- source4/libcli/ldap/ldap_client.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index 11815ddd6d..e3904c7a6b 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -223,7 +223,7 @@ static int open_socket_out(int type, struct ipv4_addr *addr, int port, int timeo if (type != SOCK_STREAM) return(res); memset((char *)&sock_out,'\0',sizeof(sock_out)); - putip((char *)&sock_out.sin_addr,(char *)addr); + sock_out.sin_addr.s_addr = addr->addr; sock_out.sin_port = htons( port ); sock_out.sin_family = PF_INET; @@ -385,7 +385,7 @@ struct ldap_connection *ldap_connect(TALLOC_CTX *mem_ctx, const char *url) return NULL; } - putip((char *)&ip, (char *)hp->h_addr); + memcpy((char *)&ip, (char *)hp->h_addr, 4); conn->sock = open_socket_out(SOCK_STREAM, &ip, conn->port, LDAP_CONNECTION_TIMEOUT); if (conn->sock < 0) { -- cgit From 2eb3d680625286431a3a60e37b75f47e0738f253 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 24 Mar 2005 04:14:06 +0000 Subject: r6028: A MAJOR update to intergrate the new credentails system fully with GENSEC, and to pull SCHANNEL into GENSEC, by making it less 'special'. GENSEC now no longer has it's own handling of 'set username' etc, instead it uses cli_credentials calls. In order to link the credentails code right though Samba, a lot of interfaces have changed to remove 'username, domain, password' arguments, and these have been replaced with a single 'struct cli_credentials'. In the session setup code, a new parameter 'workgroup' contains the client/server current workgroup, which seems unrelated to the authentication exchange (it was being filled in from the auth info). This allows in particular kerberos to only call back for passwords when it actually needs to perform the kinit. The kerberos code has been modified not to use the SPNEGO provided 'principal name' (in the mechListMIC), but to instead use the name the host was connected to as. This better matches Microsoft behaviour, is more secure and allows better use of standard kerberos functions. To achieve this, I made changes to our socket code so that the hostname (before name resolution) is now recorded on the socket. In schannel, most of the code from librpc/rpc/dcerpc_schannel.c is now in libcli/auth/schannel.c, and it looks much more like a standard GENSEC module. The actual sign/seal code moved to libcli/auth/schannel_sign.c in a previous commit. The schannel credentails structure is now merged with the rest of the credentails, as many of the values (username, workstation, domain) where already present there. This makes handling this in a generic manner much easier, as there is no longer a custom entry-point. The auth_domain module continues to be developed, but is now just as functional as auth_winbind. The changes here are consequential to the schannel changes. The only removed function at this point is the RPC-LOGIN test (simulating the load of a WinXP login), which needs much more work to clean it up (it contains copies of too much code from all over the torture suite, and I havn't been able to penetrate its 'structure'). Andrew Bartlett (This used to be commit 2301a4b38a21aa60917973451687063d83d18d66) --- source4/libcli/ldap/ldap_client.c | 27 +++++++-------------------- 1 file changed, 7 insertions(+), 20 deletions(-) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index e3904c7a6b..71b57e116e 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -605,7 +605,7 @@ int ldap_bind_simple(struct ldap_connection *conn, const char *userdn, const cha return result; } -int ldap_bind_sasl(struct ldap_connection *conn, const char *username, const char *domain, const char *password) +int ldap_bind_sasl(struct ldap_connection *conn, struct cli_credentials *creds) { NTSTATUS status; TALLOC_CTX *mem_ctx = NULL; @@ -626,23 +626,9 @@ int ldap_bind_sasl(struct ldap_connection *conn, const char *username, const cha gensec_want_feature(conn->gensec, GENSEC_FEATURE_SIGN | GENSEC_FEATURE_SEAL); - status = gensec_set_domain(conn->gensec, domain); + status = gensec_set_credentials(conn->gensec, creds); if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("Failed to start set GENSEC client domain to %s: %s\n", - domain, nt_errstr(status))); - goto done; - } - - status = gensec_set_username(conn->gensec, username); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("Failed to start set GENSEC client username to %s: %s\n", - username, nt_errstr(status))); - goto done; - } - - status = gensec_set_password(conn->gensec, password); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("Failed to start set GENSEC client password: %s\n", + DEBUG(1, ("Failed to start set GENSEC creds: %s\n", nt_errstr(status))); goto done; } @@ -739,8 +725,9 @@ struct ldap_connection *ldap_setup_connection(TALLOC_CTX *mem_ctx, const char *u return conn; } -struct ldap_connection *ldap_setup_connection_with_sasl(TALLOC_CTX *mem_ctx, const char *url, - const char *username, const char *domain, const char *password) +struct ldap_connection *ldap_setup_connection_with_sasl(TALLOC_CTX *mem_ctx, + const char *url, + struct cli_credentials *creds) { struct ldap_connection *conn; int result; @@ -750,7 +737,7 @@ struct ldap_connection *ldap_setup_connection_with_sasl(TALLOC_CTX *mem_ctx, con return NULL; } - result = ldap_bind_sasl(conn, username, domain, password); + result = ldap_bind_sasl(conn, creds); if (result != LDAP_SUCCESS) { talloc_free(conn); return NULL; -- cgit From 2542d54e9384302c6c9a7b2b2bf4be07b6d95f9c Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 11 May 2005 14:38:13 +0000 Subject: r6732: - move sasl send recv code to the ldap lib - support 'modrdn' ldif metze (This used to be commit b6a1734699953964fcde6fe6ea7048496492eb33) --- source4/libcli/ldap/ldap_client.c | 131 +++++++++++++++++++++++++++++++++++++- 1 file changed, 130 insertions(+), 1 deletion(-) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index 71b57e116e..8867344de3 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -548,9 +548,138 @@ struct ldap_message *ldap_receive(struct ldap_connection *conn, int msgid, return NULL; } +/* + Write data to a fd +*/ +static ssize_t write_data(int fd, char *buffer, size_t N) +{ + size_t total=0; + ssize_t ret; + + while (total < N) { + ret = sys_write(fd,buffer + total,N - total); + + if (ret == -1) { + DEBUG(0,("write_data: write failure. Error = %s\n", strerror(errno) )); + return -1; + } + if (ret == 0) + return total; + + total += ret; + } + + return (ssize_t)total; +} + + +/* + Read data from the client, reading exactly N bytes +*/ +static ssize_t read_data(int fd, char *buffer, size_t N) +{ + ssize_t ret; + size_t total=0; + + while (total < N) { + + ret = sys_read(fd,buffer + total,N - total); + + if (ret == 0) { + DEBUG(10,("read_data: read of %d returned 0. Error = %s\n", + (int)(N - total), strerror(errno) )); + return 0; + } + + if (ret == -1) { + DEBUG(0,("read_data: read failure for %d. Error = %s\n", + (int)(N - total), strerror(errno) )); + return -1; + } + total += ret; + } + + return (ssize_t)total; +} + +static struct ldap_message *ldap_transaction_sasl(struct ldap_connection *conn, struct ldap_message *req) +{ + NTSTATUS status; + DATA_BLOB request; + BOOL result; + DATA_BLOB wrapped; + int len; + char length[4]; + struct asn1_data asn1; + struct ldap_message *rep; + + req->messageid = conn->next_msgid++; + + if (!ldap_encode(req, &request)) + return NULL; + + status = gensec_wrap(conn->gensec, + req->mem_ctx, + &request, + &wrapped); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0,("gensec_wrap: %s\n",nt_errstr(status))); + return NULL; + } + + RSIVAL(length, 0, wrapped.length); + + result = (write_data(conn->sock, length, 4) == 4); + if (!result) + return NULL; + + result = (write_data(conn->sock, wrapped.data, wrapped.length) == wrapped.length); + if (!result) + return NULL; + + wrapped = data_blob(NULL, 0x4000); + data_blob_clear(&wrapped); + + result = (read_data(conn->sock, length, 4) == 4); + if (!result) + return NULL; + + len = RIVAL(length,0); + + result = (read_data(conn->sock, wrapped.data, MIN(wrapped.length,len)) == len); + if (!result) + return NULL; + + wrapped.length = len; + + status = gensec_unwrap(conn->gensec, + req->mem_ctx, + &wrapped, + &request); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0,("gensec_unwrap: %s\n",nt_errstr(status))); + return NULL; + } + + rep = new_ldap_message(req->mem_ctx); + + asn1_load(&asn1, request); + if (!ldap_decode(&asn1, rep)) { + return NULL; + } + + return rep; +} + struct ldap_message *ldap_transaction(struct ldap_connection *conn, struct ldap_message *request) { + if ((request->type != LDAP_TAG_BindRequest) && conn->gensec && + (gensec_have_feature(conn->gensec, GENSEC_FEATURE_SIGN) || + gensec_have_feature(conn->gensec, GENSEC_FEATURE_SIGN))) { + return ldap_transaction_sasl(conn, request); + } + if (!ldap_send_msg(conn, request, NULL)) return False; @@ -624,7 +753,7 @@ int ldap_bind_sasl(struct ldap_connection *conn, struct cli_credentials *creds) return result; } - gensec_want_feature(conn->gensec, GENSEC_FEATURE_SIGN | GENSEC_FEATURE_SEAL); + gensec_want_feature(conn->gensec, 0 | GENSEC_FEATURE_SIGN | GENSEC_FEATURE_SEAL); status = gensec_set_credentials(conn->gensec, creds); if (!NT_STATUS_IS_OK(status)) { -- cgit From c0947b0d7f809f5139fbfcdbd618ed7b0a77d2be Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Wed, 15 Jun 2005 00:27:51 +0000 Subject: r7593: simplified the memory management in the ldap code. Having a mem_ctx element in a structure is not necessary any more. (This used to be commit 912d0427f52eac811b27bf7e385b0642f7dc7f53) --- source4/libcli/ldap/ldap_client.c | 34 +++++++++++----------------------- 1 file changed, 11 insertions(+), 23 deletions(-) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index 8867344de3..6ff8db85a5 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -312,9 +312,9 @@ static struct ldap_message *new_ldap_simple_bind_msg(struct ldap_connection *con res->type = LDAP_TAG_BindRequest; res->r.BindRequest.version = 3; - res->r.BindRequest.dn = talloc_strdup(res->mem_ctx, dn); + res->r.BindRequest.dn = talloc_strdup(res, dn); res->r.BindRequest.mechanism = LDAP_AUTH_MECH_SIMPLE; - res->r.BindRequest.creds.password = talloc_strdup(res->mem_ctx, pw); + res->r.BindRequest.creds.password = talloc_strdup(res, pw); return res; } @@ -332,7 +332,7 @@ static struct ldap_message *new_ldap_sasl_bind_msg(struct ldap_connection *conn, res->r.BindRequest.version = 3; res->r.BindRequest.dn = ""; res->r.BindRequest.mechanism = LDAP_AUTH_MECH_SASL; - res->r.BindRequest.creds.SASL.mechanism = talloc_strdup(res->mem_ctx, sasl_mechanism); + res->r.BindRequest.creds.SASL.mechanism = talloc_strdup(res, sasl_mechanism); res->r.BindRequest.creds.SASL.secblob = *secblob; return res; @@ -348,7 +348,6 @@ static struct ldap_connection *new_ldap_connection(TALLOC_CTX *mem_ctx) return NULL; } - result->mem_ctx = result; result->next_msgid = 1; result->outstanding = NULL; result->searchid = 0; @@ -372,8 +371,8 @@ struct ldap_connection *ldap_connect(TALLOC_CTX *mem_ctx, const char *url) return NULL; } - ret = ldap_parse_basic_url(conn->mem_ctx, url, &conn->host, - &conn->port, &conn->ldaps); + ret = ldap_parse_basic_url(conn, url, &conn->host, + &conn->port, &conn->ldaps); if (!ret) { talloc_free(conn); return NULL; @@ -398,17 +397,7 @@ struct ldap_connection *ldap_connect(TALLOC_CTX *mem_ctx, const char *url) struct ldap_message *new_ldap_message(TALLOC_CTX *mem_ctx) { - struct ldap_message *result; - - result = talloc(mem_ctx, struct ldap_message); - - if (!result) { - return NULL; - } - - result->mem_ctx = result; - - return result; + return talloc(mem_ctx, struct ldap_message); } BOOL ldap_send_msg(struct ldap_connection *conn, struct ldap_message *msg, @@ -619,7 +608,7 @@ static struct ldap_message *ldap_transaction_sasl(struct ldap_connection *conn, return NULL; status = gensec_wrap(conn->gensec, - req->mem_ctx, + req, &request, &wrapped); if (!NT_STATUS_IS_OK(status)) { @@ -653,7 +642,7 @@ static struct ldap_message *ldap_transaction_sasl(struct ldap_connection *conn, wrapped.length = len; status = gensec_unwrap(conn->gensec, - req->mem_ctx, + req, &wrapped, &request); if (!NT_STATUS_IS_OK(status)) { @@ -661,7 +650,7 @@ static struct ldap_message *ldap_transaction_sasl(struct ldap_connection *conn, return NULL; } - rep = new_ldap_message(req->mem_ctx); + rep = new_ldap_message(req); asn1_load(&asn1, request); if (!ldap_decode(&asn1, rep)) { @@ -776,7 +765,7 @@ int ldap_bind_sasl(struct ldap_connection *conn, struct cli_credentials *creds) goto done; } - status = gensec_start_mech_by_sasl_name(conn->gensec, "GSS-SPNEGO"); + status = gensec_start_mech_by_sasl_name(conn->gensec, "NTLM"); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to start set GENSEC client SPNEGO mechanism: %s\n", nt_errstr(status))); @@ -828,8 +817,7 @@ int ldap_bind_sasl(struct ldap_connection *conn, struct cli_credentials *creds) } done: - if (mem_ctx) - talloc_free(mem_ctx); + talloc_free(mem_ctx); return result; } -- cgit From bab977dad76e9204278c7afe0bb905cda064f488 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Thu, 16 Jun 2005 05:39:40 +0000 Subject: r7626: a new ldap client library. Main features are: - hooked into events system, so requests can be truly async and won't interfere with other processing happening at the same time - uses NTSTATUS codes for errors (previously errors were mostly ignored). In a similar fashion to the DOS error handling, I have reserved a range of the NTSTATUS code 32 bit space for LDAP error codes, so a function can return a LDAP error code in a NTSTATUS - much cleaner packet handling (This used to be commit 2e3c660b2fc20e046d82bf1cc296422b6e7dfad0) --- source4/libcli/ldap/ldap_client.c | 1275 ++++++++++++------------------------- 1 file changed, 419 insertions(+), 856 deletions(-) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index 6ff8db85a5..f3a7f104d4 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -24,1024 +24,587 @@ */ #include "includes.h" -#include "system/network.h" -#include "system/filesys.h" -#include "auth/auth.h" #include "asn_1.h" #include "dlinklist.h" +#include "lib/events/events.h" +#include "lib/socket/socket.h" #include "libcli/ldap/ldap.h" +#include "libcli/ldap/ldap_client.h" - -/**************************************************************************** - Check the timeout. -****************************************************************************/ -static BOOL timeout_until(struct timeval *timeout, - const struct timeval *endtime) -{ - struct timeval now; - - GetTimeOfDay(&now); - - if ((now.tv_sec > endtime->tv_sec) || - ((now.tv_sec == endtime->tv_sec) && - (now.tv_usec > endtime->tv_usec))) - return False; - - timeout->tv_sec = endtime->tv_sec - now.tv_sec; - timeout->tv_usec = endtime->tv_usec - now.tv_usec; - return True; -} - - -/**************************************************************************** - Read data from the client, reading exactly N bytes, with timeout. -****************************************************************************/ -static ssize_t read_data_until(int fd,char *buffer,size_t N, - const struct timeval *endtime) +/* + create a new ldap_connection stucture. The event context is optional +*/ +struct ldap_connection *ldap_new_connection(TALLOC_CTX *mem_ctx, + struct event_context *ev) { - ssize_t ret; - size_t total=0; - - while (total < N) { - - if (endtime != NULL) { - fd_set r_fds; - struct timeval timeout; - int res; - - FD_ZERO(&r_fds); - FD_SET(fd, &r_fds); - - if (!timeout_until(&timeout, endtime)) - return -1; - - res = sys_select(fd+1, &r_fds, NULL, NULL, &timeout); - if (res <= 0) - return -1; - } - - ret = sys_read(fd,buffer + total,N - total); - - if (ret == 0) { - DEBUG(10,("read_data: read of %d returned 0. Error = %s\n", (int)(N - total), strerror(errno) )); - return 0; - } + struct ldap_connection *conn; - if (ret == -1) { - DEBUG(0,("read_data: read failure for %d. Error = %s\n", (int)(N - total), strerror(errno) )); - return -1; - } - total += ret; + conn = talloc_zero(mem_ctx, struct ldap_connection); + if (conn == NULL) { + return NULL; } - return (ssize_t)total; -} - -/**************************************************************************** - Write data to a fd with timeout. -****************************************************************************/ -static ssize_t write_data_until(int fd,char *buffer,size_t N, - const struct timeval *endtime) -{ - size_t total=0; - ssize_t ret; - - while (total < N) { - - if (endtime != NULL) { - fd_set w_fds; - struct timeval timeout; - int res; - - FD_ZERO(&w_fds); - FD_SET(fd, &w_fds); - - if (!timeout_until(&timeout, endtime)) - return -1; - - res = sys_select(fd+1, NULL, &w_fds, NULL, &timeout); - if (res <= 0) - return -1; - } - - ret = sys_write(fd,buffer + total,N - total); - - if (ret == -1) { - DEBUG(0,("write_data: write failure. Error = %s\n", strerror(errno) )); - return -1; + if (ev == NULL) { + ev = event_context_init(conn); + if (ev == NULL) { + talloc_free(conn); + return NULL; } - if (ret == 0) - return total; - - total += ret; } - return (ssize_t)total; -} + conn->next_messageid = 1; + conn->event.event_ctx = ev; + /* set a reasonable request timeout */ + conn->timeout = 60; -static BOOL read_one_uint8(int sock, uint8_t *result, struct asn1_data *data, - const struct timeval *endtime) -{ - if (read_data_until(sock, result, 1, endtime) != 1) - return False; - - return asn1_write(data, result, 1); + return conn; } -/* Read a complete ASN sequence (ie LDAP result) from a socket */ -static BOOL asn1_read_sequence_until(int sock, struct asn1_data *data, - const struct timeval *endtime) -{ - uint8_t b; - size_t len; - char *buf; - - ZERO_STRUCTP(data); - - if (!read_one_uint8(sock, &b, data, endtime)) - return False; - if (b != 0x30) { - data->has_error = True; - return False; - } +/* + the connection is dead +*/ +static void ldap_connection_dead(struct ldap_connection *conn) +{ + struct ldap_request *req; - if (!read_one_uint8(sock, &b, data, endtime)) - return False; - - if (b & 0x80) { - int n = b & 0x7f; - if (!read_one_uint8(sock, &b, data, endtime)) - return False; - len = b; - while (n > 1) { - if (!read_one_uint8(sock, &b, data, endtime)) - return False; - len = (len<<8) | b; - n--; + while (conn->pending) { + req = conn->pending; + DLIST_REMOVE(req->conn->pending, req); + req->state = LDAP_REQUEST_DONE; + req->status = NT_STATUS_UNEXPECTED_NETWORK_ERROR; + if (req->async.fn) { + req->async.fn(req); + } + } + + while (conn->send_queue) { + req = conn->send_queue; + DLIST_REMOVE(req->conn->send_queue, req); + req->state = LDAP_REQUEST_DONE; + req->status = NT_STATUS_UNEXPECTED_NETWORK_ERROR; + if (req->async.fn) { + req->async.fn(req); } - } else { - len = b; } - buf = talloc_size(NULL, len); - if (buf == NULL) - return False; - - if (read_data_until(sock, buf, len, endtime) != len) - return False; - - if (!asn1_write(data, buf, len)) - return False; - - talloc_free(buf); - - data->ofs = 0; - - return True; + talloc_free(conn->sock); + conn->sock = NULL; } - -/**************************************************************************** - create an outgoing socket. timeout is in milliseconds. - **************************************************************************/ -static int open_socket_out(int type, struct ipv4_addr *addr, int port, int timeout) -{ - struct sockaddr_in sock_out; - int res,ret; - int connect_loop = 250; /* 250 milliseconds */ - int loops = (timeout) / connect_loop; - - /* create a socket to write to */ - res = socket(PF_INET, type, 0); - if (res == -1) - { DEBUG(0,("socket error\n")); return -1; } - - if (type != SOCK_STREAM) return(res); - - memset((char *)&sock_out,'\0',sizeof(sock_out)); - sock_out.sin_addr.s_addr = addr->addr; - - sock_out.sin_port = htons( port ); - sock_out.sin_family = PF_INET; - - /* set it non-blocking */ - set_blocking(res,False); - - DEBUG(3,("Connecting to %s at port %d\n", sys_inet_ntoa(*addr),port)); - - /* and connect it to the destination */ -connect_again: - ret = connect(res,(struct sockaddr *)&sock_out,sizeof(sock_out)); - - /* Some systems return EAGAIN when they mean EINPROGRESS */ - if (ret < 0 && (errno == EINPROGRESS || errno == EALREADY || - errno == EAGAIN) && loops--) { - msleep(connect_loop); - goto connect_again; - } - - if (ret < 0 && (errno == EINPROGRESS || errno == EALREADY || - errno == EAGAIN)) { - DEBUG(1,("timeout connecting to %s:%d\n", sys_inet_ntoa(*addr),port)); - close(res); - return -1; - } - -#ifdef EISCONN - if (ret < 0 && errno == EISCONN) { - errno = 0; - ret = 0; - } -#endif - - if (ret < 0) { - DEBUG(2,("error connecting to %s:%d (%s)\n", - sys_inet_ntoa(*addr),port,strerror(errno))); - close(res); - return -1; - } - - /* set it blocking again */ - set_blocking(res,True); - - return res; -} - -#if 0 -static struct ldap_message *new_ldap_search_message(struct ldap_connection *conn, - const char *base, - enum ldap_scope scope, - char *filter, - int num_attributes, - const char **attributes) +/* + match up with a pending message, adding to the replies list +*/ +static void ldap_match_message(struct ldap_connection *conn, struct ldap_message *msg) { - struct ldap_message *res; + struct ldap_request *req; - res = new_ldap_message(conn); - if (!res) { - return NULL; + for (req=conn->pending; req; req=req->next) { + if (req->messageid == msg->messageid) break; } - - res->type = LDAP_TAG_SearchRequest; - res->r.SearchRequest.basedn = base; - res->r.SearchRequest.scope = scope; - res->r.SearchRequest.deref = LDAP_DEREFERENCE_NEVER; - res->r.SearchRequest.timelimit = 0; - res->r.SearchRequest.sizelimit = 0; - res->r.SearchRequest.attributesonly = False; - res->r.SearchRequest.filter = filter; - res->r.SearchRequest.num_attributes = num_attributes; - res->r.SearchRequest.attributes = attributes; - - return res; -} -#endif - -static struct ldap_message *new_ldap_simple_bind_msg(struct ldap_connection *conn, const char *dn, const char *pw) -{ - struct ldap_message *res; - - res = new_ldap_message(conn); - if (!res) { - return NULL; + if (req == NULL) { + DEBUG(0,("ldap: no matching message id for %u\n", + msg->messageid)); + talloc_free(msg); + return; } - res->type = LDAP_TAG_BindRequest; - res->r.BindRequest.version = 3; - res->r.BindRequest.dn = talloc_strdup(res, dn); - res->r.BindRequest.mechanism = LDAP_AUTH_MECH_SIMPLE; - res->r.BindRequest.creds.password = talloc_strdup(res, pw); - - return res; -} - -static struct ldap_message *new_ldap_sasl_bind_msg(struct ldap_connection *conn, const char *sasl_mechanism, DATA_BLOB *secblob) -{ - struct ldap_message *res; - - res = new_ldap_message(conn); - if (!res) { - return NULL; + /* add to the list of replies received */ + talloc_steal(req, msg); + req->replies = talloc_realloc(req, req->replies, + struct ldap_message *, req->num_replies+1); + if (req->replies == NULL) { + req->status = NT_STATUS_NO_MEMORY; + req->state = LDAP_REQUEST_DONE; + DLIST_REMOVE(conn->pending, req); + if (req->async.fn) { + req->async.fn(req); + } + return; } - res->type = LDAP_TAG_BindRequest; - res->r.BindRequest.version = 3; - res->r.BindRequest.dn = ""; - res->r.BindRequest.mechanism = LDAP_AUTH_MECH_SASL; - res->r.BindRequest.creds.SASL.mechanism = talloc_strdup(res, sasl_mechanism); - res->r.BindRequest.creds.SASL.secblob = *secblob; - - return res; -} - -static struct ldap_connection *new_ldap_connection(TALLOC_CTX *mem_ctx) -{ - struct ldap_connection *result; + req->replies[req->num_replies] = talloc_steal(req->replies, msg); + req->num_replies++; - result = talloc(mem_ctx, struct ldap_connection); - - if (!result) { - return NULL; + if (msg->type != LDAP_TAG_SearchResultEntry) { + /* currently only search results expect multiple + replies */ + req->state = LDAP_REQUEST_DONE; + DLIST_REMOVE(conn->pending, req); } - result->next_msgid = 1; - result->outstanding = NULL; - result->searchid = 0; - result->search_entries = NULL; - result->auth_dn = NULL; - result->simple_pw = NULL; - result->gensec = NULL; - - return result; + if (req->async.fn) { + req->async.fn(req); + } } -struct ldap_connection *ldap_connect(TALLOC_CTX *mem_ctx, const char *url) +/* + try and decode/process plain data +*/ +static void ldap_try_decode_plain(struct ldap_connection *conn) { - struct hostent *hp; - struct ipv4_addr ip; - struct ldap_connection *conn; - BOOL ret; + struct asn1_data asn1; - conn = new_ldap_connection(mem_ctx); - if (!conn) { - return NULL; + if (!asn1_load(&asn1, conn->partial)) { + ldap_connection_dead(conn); + return; } - ret = ldap_parse_basic_url(conn, url, &conn->host, - &conn->port, &conn->ldaps); - if (!ret) { - talloc_free(conn); - return NULL; - } + /* try and decode - this will fail if we don't have a full packet yet */ + while (asn1.ofs < asn1.length) { + struct ldap_message *msg = talloc(conn, struct ldap_message); + if (msg == NULL) { + ldap_connection_dead(conn); + return; + } - hp = sys_gethostbyname(conn->host); - if (!hp || !hp->h_addr) { - talloc_free(conn); - return NULL; + if (ldap_decode(&asn1, msg)) { + ldap_match_message(conn, msg); + } else { + talloc_free(msg); + break; + } } - memcpy((char *)&ip, (char *)hp->h_addr, 4); - - conn->sock = open_socket_out(SOCK_STREAM, &ip, conn->port, LDAP_CONNECTION_TIMEOUT); - if (conn->sock < 0) { - talloc_free(conn); - return NULL; + /* keep any remaining data in conn->partial */ + data_blob_free(&conn->partial); + if (asn1.ofs != conn->partial.length) { + conn->partial = data_blob_talloc(conn, + asn1.data + asn1.ofs, + asn1.length - asn1.ofs); } - - return conn; -} - -struct ldap_message *new_ldap_message(TALLOC_CTX *mem_ctx) -{ - return talloc(mem_ctx, struct ldap_message); -} - -BOOL ldap_send_msg(struct ldap_connection *conn, struct ldap_message *msg, - const struct timeval *endtime) -{ - DATA_BLOB request; - BOOL result; - struct ldap_queue_entry *entry; - - msg->messageid = conn->next_msgid++; - - if (!ldap_encode(msg, &request)) - return False; - - result = (write_data_until(conn->sock, request.data, request.length, - endtime) == request.length); - - data_blob_free(&request); - - if (!result) - return result; - - /* abandon and unbind don't expect results */ - - if ((msg->type == LDAP_TAG_AbandonRequest) || - (msg->type == LDAP_TAG_UnbindRequest)) - return True; - - entry = malloc_p(struct ldap_queue_entry); - - if (entry == NULL) - return False; - - entry->msgid = msg->messageid; - entry->msg = NULL; - DLIST_ADD(conn->outstanding, entry); - - return True; -} - -BOOL ldap_receive_msg(struct ldap_connection *conn, struct ldap_message *msg, - const struct timeval *endtime) -{ - struct asn1_data data; - BOOL result; - - if (!asn1_read_sequence_until(conn->sock, &data, endtime)) - return False; - - result = ldap_decode(&data, msg); - - asn1_free(&data); - return result; + asn1_free(&asn1); } -static struct ldap_message *recv_from_queue(struct ldap_connection *conn, - int msgid) +/* + try and decode/process wrapped data +*/ +static void ldap_try_decode_wrapped(struct ldap_connection *conn) { - struct ldap_queue_entry *e; + uint32_t len; - for (e = conn->outstanding; e != NULL; e = e->next) { + /* keep decoding while we have a full wrapped packet */ + while (conn->partial.length >= 4 && + (len=RIVAL(conn->partial.data, 0)) <= conn->partial.length-4) { + DATA_BLOB wrapped, unwrapped; + struct asn1_data asn1; + struct ldap_message *msg = talloc(conn, struct ldap_message); + NTSTATUS status; - if (e->msgid == msgid) { - struct ldap_message *result = e->msg; - DLIST_REMOVE(conn->outstanding, e); - SAFE_FREE(e); - return result; + if (msg == NULL) { + ldap_connection_dead(conn); + return; } - } - return NULL; -} - -static void add_search_entry(struct ldap_connection *conn, - struct ldap_message *msg) -{ - struct ldap_queue_entry *e = malloc_p(struct ldap_queue_entry); - - if (e == NULL) - return; + wrapped.data = conn->partial.data+4; + wrapped.length = len; - e->msg = msg; - DLIST_ADD_END(conn->search_entries, e, struct ldap_queue_entry *); - return; -} - -static void fill_outstanding_request(struct ldap_connection *conn, - struct ldap_message *msg) -{ - struct ldap_queue_entry *e; - - for (e = conn->outstanding; e != NULL; e = e->next) { - if (e->msgid == msg->messageid) { - e->msg = msg; + status = gensec_unwrap(conn->gensec, msg, &wrapped, &unwrapped); + if (!NT_STATUS_IS_OK(status)) { + ldap_connection_dead(conn); return; } - } - - /* This reply has not been expected, destroy the incoming msg */ - talloc_free(msg); - return; -} - -struct ldap_message *ldap_receive(struct ldap_connection *conn, int msgid, - const struct timeval *endtime) -{ - struct ldap_message *result = recv_from_queue(conn, msgid); - - if (result != NULL) - return result; - while (True) { - struct asn1_data data; - BOOL res; - - result = new_ldap_message(conn); - - if (!asn1_read_sequence_until(conn->sock, &data, endtime)) - return NULL; - - res = ldap_decode(&data, result); - asn1_free(&data); - - if (!res) - return NULL; + if (!asn1_load(&asn1, unwrapped)) { + ldap_connection_dead(conn); + return; + } - if (result->messageid == msgid) - return result; + if (ldap_decode(&asn1, msg)) { + ldap_match_message(conn, msg); + } else { + talloc_free(msg); + } + + asn1_free(&asn1); - if (result->type == LDAP_TAG_SearchResultEntry) { - add_search_entry(conn, result); + if (conn->partial.length == len + 4) { + data_blob_free(&conn->partial); } else { - fill_outstanding_request(conn, result); + memmove(conn->partial.data, conn->partial.data+len+4, + conn->partial.length - (len+4)); + conn->partial.length -= len + 4; } } - - return NULL; } + /* - Write data to a fd + handle ldap recv events */ -static ssize_t write_data(int fd, char *buffer, size_t N) +static void ldap_recv_handler(struct ldap_connection *conn) { - size_t total=0; - ssize_t ret; + NTSTATUS status; + size_t npending=0, nread; - while (total < N) { - ret = sys_write(fd,buffer + total,N - total); + /* work out how much data is pending */ + status = socket_pending(conn->sock, &npending); + if (!NT_STATUS_IS_OK(status) || npending == 0) { + DEBUG(0,("ldap_recv_handler - pending=%d - %s\n", + (int)npending, nt_errstr(status))); + return; + } - if (ret == -1) { - DEBUG(0,("write_data: write failure. Error = %s\n", strerror(errno) )); - return -1; - } - if (ret == 0) - return total; + conn->partial.data = talloc_realloc_size(conn, conn->partial.data, + conn->partial.length + npending); + if (conn->partial.data == NULL) { + ldap_connection_dead(conn); + return; + } - total += ret; + /* receive the pending data */ + status = socket_recv(conn->sock, conn->partial.data + conn->partial.length, + npending, &nread, 0); + if (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES)) { + return; } + if (!NT_STATUS_IS_OK(status)) { + ldap_connection_dead(conn); + return; + } + conn->partial.length += nread; - return (ssize_t)total; + /* see if we can decode what we have */ + if (conn->enable_wrap) { + ldap_try_decode_wrapped(conn); + } else { + ldap_try_decode_plain(conn); + } } /* - Read data from the client, reading exactly N bytes + handle ldap send events */ -static ssize_t read_data(int fd, char *buffer, size_t N) +static void ldap_send_handler(struct ldap_connection *conn) { - ssize_t ret; - size_t total=0; - - while (total < N) { + while (conn->send_queue) { + struct ldap_request *req = conn->send_queue; + size_t nsent; + NTSTATUS status; - ret = sys_read(fd,buffer + total,N - total); - - if (ret == 0) { - DEBUG(10,("read_data: read of %d returned 0. Error = %s\n", - (int)(N - total), strerror(errno) )); - return 0; + status = socket_send(conn->sock, &req->data, &nsent, 0); + if (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES)) { + break; } - - if (ret == -1) { - DEBUG(0,("read_data: read failure for %d. Error = %s\n", - (int)(N - total), strerror(errno) )); - return -1; + if (!NT_STATUS_IS_OK(status)) { + ldap_connection_dead(conn); + return; } - total += ret; - } - - return (ssize_t)total; -} - -static struct ldap_message *ldap_transaction_sasl(struct ldap_connection *conn, struct ldap_message *req) -{ - NTSTATUS status; - DATA_BLOB request; - BOOL result; - DATA_BLOB wrapped; - int len; - char length[4]; - struct asn1_data asn1; - struct ldap_message *rep; - - req->messageid = conn->next_msgid++; - - if (!ldap_encode(req, &request)) - return NULL; - - status = gensec_wrap(conn->gensec, - req, - &request, - &wrapped); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(0,("gensec_wrap: %s\n",nt_errstr(status))); - return NULL; - } - - RSIVAL(length, 0, wrapped.length); - result = (write_data(conn->sock, length, 4) == 4); - if (!result) - return NULL; - - result = (write_data(conn->sock, wrapped.data, wrapped.length) == wrapped.length); - if (!result) - return NULL; - - wrapped = data_blob(NULL, 0x4000); - data_blob_clear(&wrapped); - - result = (read_data(conn->sock, length, 4) == 4); - if (!result) - return NULL; - - len = RIVAL(length,0); - - result = (read_data(conn->sock, wrapped.data, MIN(wrapped.length,len)) == len); - if (!result) - return NULL; - - wrapped.length = len; - - status = gensec_unwrap(conn->gensec, - req, - &wrapped, - &request); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(0,("gensec_unwrap: %s\n",nt_errstr(status))); - return NULL; + req->data.data += nsent; + req->data.length -= nsent; + if (req->data.length == 0) { + req->state = LDAP_REQUEST_PENDING; + DLIST_REMOVE(conn->send_queue, req); + + /* some types of requests don't expect a reply */ + if (req->type == LDAP_TAG_AbandonRequest || + req->type == LDAP_TAG_UnbindRequest) { + req->status = NT_STATUS_OK; + req->state = LDAP_REQUEST_DONE; + if (req->async.fn) { + req->async.fn(req); + } + } else { + DLIST_ADD(conn->pending, req); + } + } } - - rep = new_ldap_message(req); - - asn1_load(&asn1, request); - if (!ldap_decode(&asn1, rep)) { - return NULL; + if (conn->send_queue == NULL) { + EVENT_FD_NOT_WRITEABLE(conn->event.fde); } - - return rep; } -struct ldap_message *ldap_transaction(struct ldap_connection *conn, - struct ldap_message *request) + +/* + handle ldap socket events +*/ +static void ldap_io_handler(struct event_context *ev, struct fd_event *fde, + uint16_t flags, void *private) { - if ((request->type != LDAP_TAG_BindRequest) && conn->gensec && - (gensec_have_feature(conn->gensec, GENSEC_FEATURE_SIGN) || - gensec_have_feature(conn->gensec, GENSEC_FEATURE_SIGN))) { - return ldap_transaction_sasl(conn, request); + struct ldap_connection *conn = talloc_get_type(private, struct ldap_connection); + if (flags & EVENT_FD_WRITE) { + ldap_send_handler(conn); + if (conn->sock == NULL) return; + } + if (flags & EVENT_FD_READ) { + ldap_recv_handler(conn); } - - if (!ldap_send_msg(conn, request, NULL)) - return False; - - return ldap_receive(conn, request->messageid, NULL); } -int ldap_bind_simple(struct ldap_connection *conn, const char *userdn, const char *password) +/* + parse a ldap URL +*/ +static NTSTATUS ldap_parse_basic_url(TALLOC_CTX *mem_ctx, const char *url, + char **host, uint16_t *port, BOOL *ldaps) { - struct ldap_message *response; - struct ldap_message *msg; - const char *dn, *pw; - int result = LDAP_OTHER; + int tmp_port = 0; + char protocol[11]; + char tmp_host[255]; + const char *p = url; + int ret; - if (conn == NULL) - return result; + /* skip leading "URL:" (if any) */ + if (strncasecmp(p, "URL:", 4) == 0) { + p += 4; + } - if (userdn) { - dn = userdn; - } else { - if (conn->auth_dn) { - dn = conn->auth_dn; - } else { - dn = ""; - } + /* Paranoia check */ + SMB_ASSERT(sizeof(protocol)>10 && sizeof(tmp_host)>254); + + ret = sscanf(p, "%10[^:]://%254[^:/]:%d", protocol, tmp_host, &tmp_port); + if (ret < 2) { + return NT_STATUS_INVALID_PARAMETER; } - if (password) { - pw = password; + if (strequal(protocol, "ldap")) { + *port = 389; + *ldaps = False; + } else if (strequal(protocol, "ldaps")) { + *port = 636; + *ldaps = True; } else { - if (conn->simple_pw) { - pw = conn->simple_pw; - } else { - pw = ""; - } + DEBUG(0, ("unrecognised ldap protocol (%s)!\n", protocol)); + return NT_STATUS_PROTOCOL_UNREACHABLE; } - msg = new_ldap_simple_bind_msg(conn, dn, pw); - if (!msg) - return result; + if (tmp_port != 0) + *port = tmp_port; - response = ldap_transaction(conn, msg); - if (!response) { - talloc_free(msg); - return result; - } - - result = response->r.BindResponse.response.resultcode; - - talloc_free(msg); - talloc_free(response); + *host = talloc_strdup(mem_ctx, tmp_host); + NT_STATUS_HAVE_NO_MEMORY(*host); - return result; + return NT_STATUS_OK; } -int ldap_bind_sasl(struct ldap_connection *conn, struct cli_credentials *creds) +/* + connect to a ldap server +*/ +NTSTATUS ldap_connect(struct ldap_connection *conn, const char *url) { NTSTATUS status; - TALLOC_CTX *mem_ctx = NULL; - struct ldap_message *response; - struct ldap_message *msg; - DATA_BLOB input = data_blob(NULL, 0); - DATA_BLOB output = data_blob(NULL, 0); - int result = LDAP_OTHER; - if (conn == NULL) - return result; + status = ldap_parse_basic_url(conn, url, &conn->host, + &conn->port, &conn->ldaps); + NT_STATUS_NOT_OK_RETURN(status); - status = gensec_client_start(conn, &conn->gensec); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(0, ("Failed to start GENSEC engine (%s)\n", nt_errstr(status))); - return result; - } - - gensec_want_feature(conn->gensec, 0 | GENSEC_FEATURE_SIGN | GENSEC_FEATURE_SEAL); - - status = gensec_set_credentials(conn->gensec, creds); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("Failed to start set GENSEC creds: %s\n", - nt_errstr(status))); - goto done; - } + status = socket_create("ipv4", SOCKET_TYPE_STREAM, &conn->sock, 0); + NT_STATUS_NOT_OK_RETURN(status); - status = gensec_set_target_hostname(conn->gensec, conn->host); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("Failed to start set GENSEC target hostname: %s\n", - nt_errstr(status))); - goto done; - } + talloc_steal(conn, conn->sock); - status = gensec_set_target_service(conn->gensec, "ldap"); + /* connect in a event friendly way */ + status = socket_connect_ev(conn->sock, NULL, 0, conn->host, conn->port, 0, + conn->event.event_ctx); if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("Failed to start set GENSEC target service: %s\n", - nt_errstr(status))); - goto done; + talloc_free(conn->sock); + return status; } - status = gensec_start_mech_by_sasl_name(conn->gensec, "NTLM"); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("Failed to start set GENSEC client SPNEGO mechanism: %s\n", - nt_errstr(status))); - goto done; + /* setup a handler for events on this socket */ + conn->event.fde = event_add_fd(conn->event.event_ctx, conn->sock, + socket_get_fd(conn->sock), + EVENT_FD_READ, ldap_io_handler, conn); + if (conn->event.fde == NULL) { + talloc_free(conn->sock); + return NT_STATUS_INTERNAL_ERROR; } - mem_ctx = talloc_init("ldap_bind_sasl"); - if (!mem_ctx) - goto done; - - status = gensec_update(conn->gensec, mem_ctx, - input, - &output); - - while(1) { - if (NT_STATUS_IS_OK(status) && output.length == 0) { - break; - } - if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) && !NT_STATUS_IS_OK(status)) { - break; - } - - msg = new_ldap_sasl_bind_msg(conn, "GSS-SPNEGO", &output); - if (!msg) - goto done; - - response = ldap_transaction(conn, msg); - talloc_free(msg); - - if (!response) { - goto done; - } - - result = response->r.BindResponse.response.resultcode; - - if (result != LDAP_SUCCESS && result != LDAP_SASL_BIND_IN_PROGRESS) { - break; - } - - if (!NT_STATUS_IS_OK(status)) { - status = gensec_update(conn->gensec, mem_ctx, - response->r.BindResponse.SASL.secblob, - &output); - } else { - output.length = 0; - } - - talloc_free(response); - } - -done: - talloc_free(mem_ctx); - - return result; + return NT_STATUS_OK; } -struct ldap_connection *ldap_setup_connection(TALLOC_CTX *mem_ctx, const char *url, - const char *userdn, const char *password) +/* destroy an open ldap request */ +static int ldap_request_destructor(void *ptr) { - struct ldap_connection *conn; - int result; - - conn =ldap_connect(mem_ctx, url); - if (!conn) { - return NULL; + struct ldap_request *req = talloc_get_type(ptr, struct ldap_request); + if (req->state == LDAP_REQUEST_SEND) { + DLIST_REMOVE(req->conn->send_queue, req); } - - result = ldap_bind_simple(conn, userdn, password); - if (result != LDAP_SUCCESS) { - talloc_free(conn); - return NULL; + if (req->state == LDAP_REQUEST_PENDING) { + DLIST_REMOVE(req->conn->pending, req); } - - return conn; + return 0; } -struct ldap_connection *ldap_setup_connection_with_sasl(TALLOC_CTX *mem_ctx, - const char *url, - struct cli_credentials *creds) +/* + called on timeout of a ldap request +*/ +static void ldap_request_timeout(struct event_context *ev, struct timed_event *te, + struct timeval t, void *private) { - struct ldap_connection *conn; - int result; - - conn =ldap_connect(mem_ctx, url); - if (!conn) { - return NULL; + struct ldap_request *req = talloc_get_type(private, struct ldap_request); + req->status = NT_STATUS_IO_TIMEOUT; + if (req->state == LDAP_REQUEST_SEND) { + DLIST_REMOVE(req->conn->send_queue, req); } - - result = ldap_bind_sasl(conn, creds); - if (result != LDAP_SUCCESS) { - talloc_free(conn); - return NULL; + if (req->state == LDAP_REQUEST_PENDING) { + DLIST_REMOVE(req->conn->pending, req); + } + req->state = LDAP_REQUEST_DONE; + if (req->async.fn) { + req->async.fn(req); } - - return conn; } -BOOL ldap_abandon_message(struct ldap_connection *conn, int msgid, - const struct timeval *endtime) +/* + send a ldap message - async interface +*/ +struct ldap_request *ldap_request_send(struct ldap_connection *conn, + struct ldap_message *msg) { - struct ldap_message *msg = new_ldap_message(conn); - BOOL result; + struct ldap_request *req; - if (msg == NULL) - return False; + if (conn->sock == NULL) { + return NULL; + } - msg->type = LDAP_TAG_AbandonRequest; - msg->r.AbandonRequest.messageid = msgid; + req = talloc_zero(conn, struct ldap_request); + if (req == NULL) goto failed; - result = ldap_send_msg(conn, msg, endtime); - talloc_free(msg); - return result; -} + req->state = LDAP_REQUEST_SEND; + req->conn = conn; + req->messageid = conn->next_messageid++; + req->type = msg->type; + if (req->messageid == -1) { + goto failed; + } -BOOL ldap_setsearchent(struct ldap_connection *conn, struct ldap_message *msg, - const struct timeval *endtime) -{ - if ((conn->searchid != 0) && - (!ldap_abandon_message(conn, conn->searchid, endtime))) - return False; + talloc_set_destructor(req, ldap_request_destructor); - conn->searchid = conn->next_msgid; - return ldap_send_msg(conn, msg, endtime); -} + msg->messageid = req->messageid; -struct ldap_message *ldap_getsearchent(struct ldap_connection *conn, - const struct timeval *endtime) -{ - struct ldap_message *result; + if (!ldap_encode(msg, &req->data)) { + goto failed; + } - if (conn->search_entries != NULL) { - struct ldap_queue_entry *e = conn->search_entries; + /* possibly encrypt/sign the request */ + if (conn->enable_wrap) { + DATA_BLOB wrapped; + NTSTATUS status; - result = e->msg; - DLIST_REMOVE(conn->search_entries, e); - SAFE_FREE(e); - return result; + status = gensec_wrap(conn->gensec, req, &req->data, &wrapped); + if (!NT_STATUS_IS_OK(status)) { + goto failed; + } + data_blob_free(&req->data); + req->data = data_blob_talloc(req, NULL, wrapped.length + 4); + if (req->data.data == NULL) { + goto failed; + } + RSIVAL(req->data.data, 0, wrapped.length); + memcpy(req->data.data+4, wrapped.data, wrapped.length); + data_blob_free(&wrapped); } - result = ldap_receive(conn, conn->searchid, endtime); - if (!result) { - return NULL; + + if (conn->send_queue == NULL) { + EVENT_FD_WRITEABLE(conn->event.fde); } + DLIST_ADD_END(conn->send_queue, req, struct ldap_request *); - if (result->type == LDAP_TAG_SearchResultEntry) - return result; + /* put a timeout on the request */ + event_add_timed(conn->event.event_ctx, req, + timeval_current_ofs(conn->timeout, 0), + ldap_request_timeout, req); - if (result->type == LDAP_TAG_SearchResultDone) { - /* TODO: Handle Paged Results */ - talloc_free(result); - return NULL; - } + return req; - /* TODO: Handle Search References here */ +failed: + talloc_free(req); return NULL; } -void ldap_endsearchent(struct ldap_connection *conn, - const struct timeval *endtime) -{ - struct ldap_queue_entry *e; - - e = conn->search_entries; - while (e != NULL) { - struct ldap_queue_entry *next = e->next; - DLIST_REMOVE(conn->search_entries, e); - SAFE_FREE(e); - e = next; +/* + wait for a request to complete + note that this does not destroy the request +*/ +NTSTATUS ldap_request_wait(struct ldap_request *req) +{ + while (req->state != LDAP_REQUEST_DONE) { + if (event_loop_once(req->conn->event.event_ctx) != 0) { + req->status = NT_STATUS_UNEXPECTED_NETWORK_ERROR; + break; + } } + return req->status; } -struct ldap_message *ldap_searchone(struct ldap_connection *conn, - struct ldap_message *msg, - const struct timeval *endtime) -{ - struct ldap_message *res1, *res2 = NULL; - if (!ldap_setsearchent(conn, msg, endtime)) - return NULL; - - res1 = ldap_getsearchent(conn, endtime); - - if (res1 != NULL) - res2 = ldap_getsearchent(conn, endtime); - - ldap_endsearchent(conn, endtime); - - if (res1 == NULL) - return NULL; - if (res2 != NULL) { - /* More than one entry */ - talloc_free(res1); - talloc_free(res2); - return NULL; +/* + used to setup the status code from a ldap response +*/ +NTSTATUS ldap_check_response(struct ldap_connection *conn, struct ldap_Result *r) +{ + if (r->resultcode == LDAP_SUCCESS) { + return NT_STATUS_OK; } - return res1; + if (conn->last_error) { + talloc_free(conn->last_error); + } + conn->last_error = talloc_asprintf(conn, "LDAP error %u - %s <%s> <%s>", + r->resultcode, + r->dn, r->errormessage, r->referral); + + return NT_STATUS_LDAP(r->resultcode); } -BOOL ldap_find_single_value(struct ldap_message *msg, const char *attr, - DATA_BLOB *value) +/* + return error string representing the last error +*/ +const char *ldap_errstr(struct ldap_connection *conn, NTSTATUS status) { - int i; - struct ldap_SearchResEntry *r = &msg->r.SearchResultEntry; - - if (msg->type != LDAP_TAG_SearchResultEntry) - return False; - - for (i=0; inum_attributes; i++) { - if (strequal(attr, r->attributes[i].name)) { - if (r->attributes[i].num_values != 1) - return False; - - *value = r->attributes[i].values[0]; - return True; - } + if (NT_STATUS_IS_LDAP(status) && conn->last_error != NULL) { + return conn->last_error; } - return False; + return nt_errstr(status); } -BOOL ldap_find_single_string(struct ldap_message *msg, const char *attr, - TALLOC_CTX *mem_ctx, char **value) -{ - DATA_BLOB blob; - - if (!ldap_find_single_value(msg, attr, &blob)) - return False; - - *value = talloc_size(mem_ctx, blob.length+1); - - if (*value == NULL) - return False; - memcpy(*value, blob.data, blob.length); - (*value)[blob.length] = '\0'; - return True; -} - -BOOL ldap_find_single_int(struct ldap_message *msg, const char *attr, - int *value) +/* + return the Nth result message, waiting if necessary +*/ +NTSTATUS ldap_result_n(struct ldap_request *req, int n, struct ldap_message **msg) { - DATA_BLOB blob; - char *val; - int errno_save; - BOOL res; - - if (!ldap_find_single_value(msg, attr, &blob)) - return False; - - val = malloc(blob.length+1); - if (val == NULL) - return False; + *msg = NULL; - memcpy(val, blob.data, blob.length); - val[blob.length] = '\0'; - - errno_save = errno; - errno = 0; - - *value = strtol(val, NULL, 10); + while (req->state != LDAP_REQUEST_DONE && n >= req->num_replies) { + if (event_loop_once(req->conn->event.event_ctx) != 0) { + return NT_STATUS_UNEXPECTED_NETWORK_ERROR; + } + } - res = (errno == 0); + if (n < req->num_replies) { + *msg = req->replies[n]; + return NT_STATUS_OK; + } - free(val); - errno = errno_save; + if (!NT_STATUS_IS_OK(req->status)) { + return req->status; + } - return res; + return NT_STATUS_NO_MORE_ENTRIES; } -int ldap_error(struct ldap_connection *conn) -{ - return 0; -} -NTSTATUS ldap2nterror(int ldaperror) +/* + return a single result message, checking if it is of the expected LDAP type +*/ +NTSTATUS ldap_result_one(struct ldap_request *req, struct ldap_message **msg, int type) { - return NT_STATUS_OK; + NTSTATUS status; + status = ldap_result_n(req, 0, msg); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + if ((*msg)->type != type) { + *msg = NULL; + return NT_STATUS_UNEXPECTED_NETWORK_ERROR; + } + return status; } -- cgit From ab1e121b76a953f89592df8ec471603715b57dfc Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Fri, 17 Jun 2005 02:45:40 +0000 Subject: r7665: - added a ildap_*() interface to our internal ldap library. This interface is very similar to the traditional ldap interface, and will be used as part of a ldb backend based on the current ldb_ldap backend - fixed some allocation issues in ldb_msg.c (This used to be commit b34a29dcf26f68a2f47380a6c74a4095fdfd2fbe) --- source4/libcli/ldap/ldap_client.c | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index f3a7f104d4..7ad45f4eea 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -573,6 +573,8 @@ NTSTATUS ldap_result_n(struct ldap_request *req, int n, struct ldap_message **ms { *msg = NULL; + NT_STATUS_HAVE_NO_MEMORY(req); + while (req->state != LDAP_REQUEST_DONE && n >= req->num_replies) { if (event_loop_once(req->conn->event.event_ctx) != 0) { return NT_STATUS_UNEXPECTED_NETWORK_ERROR; @@ -608,3 +610,26 @@ NTSTATUS ldap_result_one(struct ldap_request *req, struct ldap_message **msg, in } return status; } + +/* + a simple ldap transaction, for single result requests that only need a status code + this relies on single valued requests having the response type == request type + 1 +*/ +NTSTATUS ldap_transaction(struct ldap_connection *conn, struct ldap_message *msg) +{ + struct ldap_request *req = ldap_request_send(conn, msg); + struct ldap_message *res; + NTSTATUS status; + status = ldap_result_n(req, 0, &res); + if (!NT_STATUS_IS_OK(status)) { + talloc_free(req); + return status; + } + if (res->type != msg->type + 1) { + talloc_free(req); + return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR); + } + status = ldap_check_response(conn, &res->r.GeneralResult); + talloc_free(req); + return status; +} -- cgit From 90cf33953dcfab988162f9ee53cdc0eb6ff87c28 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sat, 18 Jun 2005 09:01:51 +0000 Subject: r7715: ensure we don't print null strings in ldap_errstr() (This used to be commit dc419fc89973c2d7fa333df389b75cb218e8a848) --- source4/libcli/ldap/ldap_client.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index 7ad45f4eea..e392002a19 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -549,7 +549,9 @@ NTSTATUS ldap_check_response(struct ldap_connection *conn, struct ldap_Result *r } conn->last_error = talloc_asprintf(conn, "LDAP error %u - %s <%s> <%s>", r->resultcode, - r->dn, r->errormessage, r->referral); + r->dn?r->dn:"(NULL)", + r->errormessage?r->errormessage:"", + r->referral?r->referral:""); return NT_STATUS_LDAP(r->resultcode); } -- cgit From 1e99722d020f38eaad7fe2010f43c23586a19410 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sat, 18 Jun 2005 09:08:08 +0000 Subject: r7716: a single wrapped ldap blob can contain multiple ldap messages (This used to be commit de5f265b6c586335965a6de844c203206261cc3b) --- source4/libcli/ldap/ldap_client.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index e392002a19..bc70cd56aa 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -213,12 +213,12 @@ static void ldap_try_decode_wrapped(struct ldap_connection *conn) return; } - if (ldap_decode(&asn1, msg)) { + while (ldap_decode(&asn1, msg)) { ldap_match_message(conn, msg); - } else { - talloc_free(msg); + msg = talloc(conn, struct ldap_message); } + talloc_free(msg); asn1_free(&asn1); if (conn->partial.length == len + 4) { -- cgit From 91a79f2b24b62d9b78ecb52ff593672acc6f971a Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sat, 18 Jun 2005 12:44:36 +0000 Subject: r7722: when we get a zero read, the connection is dead (This used to be commit 060323530454edf21b217550b373513e5860146c) --- source4/libcli/ldap/ldap_client.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index bc70cd56aa..f2b09e89e3 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -243,8 +243,7 @@ static void ldap_recv_handler(struct ldap_connection *conn) /* work out how much data is pending */ status = socket_pending(conn->sock, &npending); if (!NT_STATUS_IS_OK(status) || npending == 0) { - DEBUG(0,("ldap_recv_handler - pending=%d - %s\n", - (int)npending, nt_errstr(status))); + ldap_connection_dead(conn); return; } -- cgit From e2bb0d0ba75265101cefd7325d705a7bf63ec585 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sat, 18 Jun 2005 13:15:09 +0000 Subject: r7725: fixed a bug with partial asn1 frames in the ldap client (This used to be commit 0f22306a9c61c1b00aeb0f3bf7e875d9b7b4606d) --- source4/libcli/ldap/ldap_client.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index f2b09e89e3..41764b9a37 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -156,6 +156,8 @@ static void ldap_try_decode_plain(struct ldap_connection *conn) /* try and decode - this will fail if we don't have a full packet yet */ while (asn1.ofs < asn1.length) { struct ldap_message *msg = talloc(conn, struct ldap_message); + off_t saved_ofs = asn1.ofs; + if (msg == NULL) { ldap_connection_dead(conn); return; @@ -164,6 +166,7 @@ static void ldap_try_decode_plain(struct ldap_connection *conn) if (ldap_decode(&asn1, msg)) { ldap_match_message(conn, msg); } else { + asn1.ofs = saved_ofs; talloc_free(msg); break; } -- cgit From c7496c6cdb7bdcdd483868c21457350f567ec054 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sun, 19 Jun 2005 09:31:34 +0000 Subject: r7747: - simplified the ldap server buffer handling - got rid of the special cases for sasl buffers - added a tls_socket_pending() call to determine how much data is waiting on a tls connection - removed the attempt at async handling of ldap calls. The buffers/sockets are all async, but the calls themselves are sync. (This used to be commit 73cb4aad229d08e17e22d5792580bd43a61b142a) --- source4/libcli/ldap/ldap_client.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index 41764b9a37..c9915ae140 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -174,7 +174,7 @@ static void ldap_try_decode_plain(struct ldap_connection *conn) /* keep any remaining data in conn->partial */ data_blob_free(&conn->partial); - if (asn1.ofs != conn->partial.length) { + if (asn1.ofs != asn1.length) { conn->partial = data_blob_talloc(conn, asn1.data + asn1.ofs, asn1.length - asn1.ofs); -- cgit From 5eccf719fba324e9f1ce4a5b425b29a25125d4f1 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 20 Jun 2005 01:17:29 +0000 Subject: r7770: added ldaps support to our ldap client library (This used to be commit 8f5c2e8682795258a6361b9516a38a8fabdef150) --- source4/libcli/ldap/ldap_client.c | 25 +++++++++++++++++-------- 1 file changed, 17 insertions(+), 8 deletions(-) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index c9915ae140..32bd6656d6 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -28,6 +28,7 @@ #include "dlinklist.h" #include "lib/events/events.h" #include "lib/socket/socket.h" +#include "lib/tls/tls.h" #include "libcli/ldap/ldap.h" #include "libcli/ldap/ldap_client.h" @@ -90,8 +91,8 @@ static void ldap_connection_dead(struct ldap_connection *conn) } } - talloc_free(conn->sock); - conn->sock = NULL; + talloc_free(conn->tls); + conn->tls = NULL; } @@ -244,7 +245,7 @@ static void ldap_recv_handler(struct ldap_connection *conn) size_t npending=0, nread; /* work out how much data is pending */ - status = socket_pending(conn->sock, &npending); + status = tls_socket_pending(conn->tls, &npending); if (!NT_STATUS_IS_OK(status) || npending == 0) { ldap_connection_dead(conn); return; @@ -258,8 +259,8 @@ static void ldap_recv_handler(struct ldap_connection *conn) } /* receive the pending data */ - status = socket_recv(conn->sock, conn->partial.data + conn->partial.length, - npending, &nread, 0); + status = tls_socket_recv(conn->tls, conn->partial.data + conn->partial.length, + npending, &nread); if (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES)) { return; } @@ -288,7 +289,7 @@ static void ldap_send_handler(struct ldap_connection *conn) size_t nsent; NTSTATUS status; - status = socket_send(conn->sock, &req->data, &nsent, 0); + status = tls_socket_send(conn->tls, &req->data, &nsent); if (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES)) { break; } @@ -331,7 +332,7 @@ static void ldap_io_handler(struct event_context *ev, struct fd_event *fde, struct ldap_connection *conn = talloc_get_type(private, struct ldap_connection); if (flags & EVENT_FD_WRITE) { ldap_send_handler(conn); - if (conn->sock == NULL) return; + if (conn->tls == NULL) return; } if (flags & EVENT_FD_READ) { ldap_recv_handler(conn); @@ -416,6 +417,14 @@ NTSTATUS ldap_connect(struct ldap_connection *conn, const char *url) return NT_STATUS_INTERNAL_ERROR; } + conn->tls = tls_init_client(conn->sock, conn->event.fde, conn->ldaps); + if (conn->tls == NULL) { + talloc_free(conn->sock); + return NT_STATUS_INTERNAL_ERROR; + } + talloc_steal(conn, conn->tls); + talloc_steal(conn->tls, conn->sock); + return NT_STATUS_OK; } @@ -460,7 +469,7 @@ struct ldap_request *ldap_request_send(struct ldap_connection *conn, { struct ldap_request *req; - if (conn->sock == NULL) { + if (conn->tls == NULL) { return NULL; } -- cgit From bec00581247c9062ea0acce6037ef75ab188548c Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 21 Jun 2005 13:42:47 +0000 Subject: r7810: don't give errors when the ldap server sends us reference replies (This used to be commit f2b2d2626f5eb4fbd7d7c5cdcde486d00fc19447) --- source4/libcli/ldap/ldap_client.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index 32bd6656d6..a8463f7872 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -130,7 +130,8 @@ static void ldap_match_message(struct ldap_connection *conn, struct ldap_message req->replies[req->num_replies] = talloc_steal(req->replies, msg); req->num_replies++; - if (msg->type != LDAP_TAG_SearchResultEntry) { + if (msg->type != LDAP_TAG_SearchResultEntry && + msg->type != LDAP_TAG_SearchResultReference) { /* currently only search results expect multiple replies */ req->state = LDAP_REQUEST_DONE; -- cgit From 039393d6620816789b4ebd131974b23b6420f4dc Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sun, 17 Jul 2005 10:52:31 +0000 Subject: r8523: match a zero message id in ldap replies to the last request sent. Thanks to simo for noticing that this is needed to catch the server sending a "can't decode request" error reply (This used to be commit 6e81e866dc7a5dc014d2d9f2e09803c6adfd1830) --- source4/libcli/ldap/ldap_client.c | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index a8463f7872..97b75602aa 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -106,6 +106,11 @@ static void ldap_match_message(struct ldap_connection *conn, struct ldap_message for (req=conn->pending; req; req=req->next) { if (req->messageid == msg->messageid) break; } + /* match a zero message id to the last request sent. + It seems that servers send 0 if unable to parse */ + if (req == NULL && msg->messageid == 0) { + req = conn->pending; + } if (req == NULL) { DEBUG(0,("ldap: no matching message id for %u\n", msg->messageid)); @@ -480,6 +485,9 @@ struct ldap_request *ldap_request_send(struct ldap_connection *conn, req->state = LDAP_REQUEST_SEND; req->conn = conn; req->messageid = conn->next_messageid++; + if (conn->next_messageid == 0) { + conn->next_messageid = 1; + } req->type = msg->type; if (req->messageid == -1) { goto failed; -- cgit From a129ad36eb34bbeda80c75b2f8d771bdaca8451e Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 13 Sep 2005 22:05:45 +0000 Subject: r10213: fixed a memory leak in the ldap client and server code spotted by Karl Melcher. ldap_encode() now takes a memory context to use for the data blob (This used to be commit 09948a59336a7f02bf2b4605f2d4d886e65b85f2) --- source4/libcli/ldap/ldap_client.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index 97b75602aa..800e523eb4 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -497,7 +497,7 @@ struct ldap_request *ldap_request_send(struct ldap_connection *conn, msg->messageid = req->messageid; - if (!ldap_encode(msg, &req->data)) { + if (!ldap_encode(msg, &req->data, req)) { goto failed; } -- cgit From d73bd8f01aefe97f007a59f49698a5c7c9e97c29 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 17 Oct 2005 11:50:34 +0000 Subject: r11114: - fixed error handling on bad bind in ildap client - added nicer error display, giving a string version of the error code (This used to be commit 5ec486bb81536b38a5f40cae7555cbcbbfa52263) --- source4/libcli/ldap/ldap_client.c | 63 ++++++++++++++++++++++++++++++++++++++- 1 file changed, 62 insertions(+), 1 deletion(-) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index 800e523eb4..6b4e73d44b 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -555,11 +555,63 @@ NTSTATUS ldap_request_wait(struct ldap_request *req) } +/* + a mapping of ldap response code to strings +*/ +static const struct { + enum ldap_result_code code; + const char *str; +} ldap_code_map[] = { +#define _LDAP_MAP_CODE(c) { c, #c } + _LDAP_MAP_CODE(LDAP_SUCCESS), + _LDAP_MAP_CODE(LDAP_OPERATIONS_ERROR), + _LDAP_MAP_CODE(LDAP_PROTOCOL_ERROR), + _LDAP_MAP_CODE(LDAP_TIME_LIMIT_EXCEEDED), + _LDAP_MAP_CODE(LDAP_SIZE_LIMIT_EXCEEDED), + _LDAP_MAP_CODE(LDAP_COMPARE_FALSE), + _LDAP_MAP_CODE(LDAP_COMPARE_TRUE), + _LDAP_MAP_CODE(LDAP_AUTH_METHOD_NOT_SUPPORTED), + _LDAP_MAP_CODE(LDAP_STRONG_AUTH_REQUIRED), + _LDAP_MAP_CODE(LDAP_REFERRAL), + _LDAP_MAP_CODE(LDAP_ADMIN_LIMIT_EXCEEDED), + _LDAP_MAP_CODE(LDAP_UNAVAILABLE_CRITICAL_EXTENSION), + _LDAP_MAP_CODE(LDAP_CONFIDENTIALITY_REQUIRED), + _LDAP_MAP_CODE(LDAP_SASL_BIND_IN_PROGRESS), + _LDAP_MAP_CODE(LDAP_NO_SUCH_ATTRIBUTE), + _LDAP_MAP_CODE(LDAP_UNDEFINED_ATTRIBUTE_TYPE), + _LDAP_MAP_CODE(LDAP_INAPPROPRIATE_MATCHING), + _LDAP_MAP_CODE(LDAP_CONSTRAINT_VIOLATION), + _LDAP_MAP_CODE(LDAP_ATTRIBUTE_OR_VALUE_EXISTS), + _LDAP_MAP_CODE(LDAP_INVALID_ATTRIBUTE_SYNTAX), + _LDAP_MAP_CODE(LDAP_NO_SUCH_OBJECT), + _LDAP_MAP_CODE(LDAP_ALIAS_PROBLEM), + _LDAP_MAP_CODE(LDAP_INVALID_DN_SYNTAX), + _LDAP_MAP_CODE(LDAP_ALIAS_DEREFERENCING_PROBLEM), + _LDAP_MAP_CODE(LDAP_INAPPROPRIATE_AUTHENTICATION), + _LDAP_MAP_CODE(LDAP_INVALID_CREDENTIALS), + _LDAP_MAP_CODE(LDAP_INSUFFICIENT_ACCESS_RIGHTs), + _LDAP_MAP_CODE(LDAP_BUSY), + _LDAP_MAP_CODE(LDAP_UNAVAILABLE), + _LDAP_MAP_CODE(LDAP_UNWILLING_TO_PERFORM), + _LDAP_MAP_CODE(LDAP_LOOP_DETECT), + _LDAP_MAP_CODE(LDAP_NAMING_VIOLATION), + _LDAP_MAP_CODE(LDAP_OBJECT_CLASS_VIOLATION), + _LDAP_MAP_CODE(LDAP_NOT_ALLOWED_ON_NON_LEAF), + _LDAP_MAP_CODE(LDAP_NOT_ALLOWED_ON_RDN), + _LDAP_MAP_CODE(LDAP_ENTRY_ALREADY_EXISTS), + _LDAP_MAP_CODE(LDAP_OBJECT_CLASS_MODS_PROHIBITED), + _LDAP_MAP_CODE(LDAP_AFFECTS_MULTIPLE_DSAS), + _LDAP_MAP_CODE(LDAP_OTHER) +}; + /* used to setup the status code from a ldap response */ NTSTATUS ldap_check_response(struct ldap_connection *conn, struct ldap_Result *r) { + int i; + const char *codename = "unknown"; + if (r->resultcode == LDAP_SUCCESS) { return NT_STATUS_OK; } @@ -567,8 +619,17 @@ NTSTATUS ldap_check_response(struct ldap_connection *conn, struct ldap_Result *r if (conn->last_error) { talloc_free(conn->last_error); } - conn->last_error = talloc_asprintf(conn, "LDAP error %u - %s <%s> <%s>", + + for (i=0;iresultcode == ldap_code_map[i].code) { + codename = ldap_code_map[i].str; + break; + } + } + + conn->last_error = talloc_asprintf(conn, "LDAP error %u %s - %s <%s> <%s>", r->resultcode, + codename, r->dn?r->dn:"(NULL)", r->errormessage?r->errormessage:"", r->referral?r->referral:""); -- cgit From d6e070b74af8891c5e6ee15d57f8c0db3aac2f14 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Mon, 24 Oct 2005 09:34:12 +0000 Subject: r11274: Start a connection attempt to the DC's port 389. To do this properly, make socket_connect and ldap_connect properly async. Volker (This used to be commit bcc71fc1deeed443d7cf00220ce264011ddf588d) --- source4/libcli/ldap/ldap_client.c | 97 +++++++++++++++++++++++++++++++-------- 1 file changed, 79 insertions(+), 18 deletions(-) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index 6b4e73d44b..d7cfd7c7e5 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -31,6 +31,7 @@ #include "lib/tls/tls.h" #include "libcli/ldap/ldap.h" #include "libcli/ldap/ldap_client.h" +#include "libcli/composite/composite.h" /* @@ -393,45 +394,105 @@ static NTSTATUS ldap_parse_basic_url(TALLOC_CTX *mem_ctx, const char *url, /* connect to a ldap server */ -NTSTATUS ldap_connect(struct ldap_connection *conn, const char *url) + +struct ldap_connect_state { + struct composite_context *ctx; + struct ldap_connection *conn; +}; + +static void ldap_connect_recv_conn(struct composite_context *ctx); + +struct composite_context *ldap_connect_send(struct ldap_connection *conn, + const char *url) { - NTSTATUS status; + struct composite_context *result, *ctx; + struct ldap_connect_state *state; - status = ldap_parse_basic_url(conn, url, &conn->host, - &conn->port, &conn->ldaps); - NT_STATUS_NOT_OK_RETURN(status); + result = talloc_zero(NULL, struct composite_context); + if (result == NULL) goto failed; + result->state = COMPOSITE_STATE_IN_PROGRESS; + result->async.fn = NULL; + result->event_ctx = conn->event.event_ctx; - status = socket_create("ipv4", SOCKET_TYPE_STREAM, &conn->sock, 0); - NT_STATUS_NOT_OK_RETURN(status); + state = talloc(result, struct ldap_connect_state); + if (state == NULL) goto failed; + state->ctx = result; + result->private_data = state; - talloc_steal(conn, conn->sock); + state->conn = conn; - /* connect in a event friendly way */ - status = socket_connect_ev(conn->sock, NULL, 0, conn->host, conn->port, 0, - conn->event.event_ctx); - if (!NT_STATUS_IS_OK(status)) { - talloc_free(conn->sock); - return status; + state->ctx->status = ldap_parse_basic_url(conn, url, &conn->host, + &conn->port, &conn->ldaps); + if (!NT_STATUS_IS_OK(state->ctx->status)) { + composite_trigger_error(state->ctx); + return result; } + state->ctx->status = socket_create("ipv4", SOCKET_TYPE_STREAM, + &conn->sock, 0); + if (!NT_STATUS_IS_OK(state->ctx->status)) { + composite_trigger_error(state->ctx); + return result; + } + + talloc_steal(conn, conn->sock); + + ctx = socket_connect_send(conn->sock, NULL, 0, conn->host, + conn->port, 0, conn->event.event_ctx); + if (ctx == NULL) goto failed; + + ctx->async.fn = ldap_connect_recv_conn; + ctx->async.private_data = state; + return result; + + failed: + talloc_free(result); + return NULL; +} + +static void ldap_connect_recv_conn(struct composite_context *ctx) +{ + struct ldap_connect_state *state = + talloc_get_type(ctx->async.private_data, + struct ldap_connect_state); + struct ldap_connection *conn = state->conn; + + state->ctx->status = socket_connect_recv(ctx); + if (!composite_is_ok(state->ctx)) return; + /* setup a handler for events on this socket */ conn->event.fde = event_add_fd(conn->event.event_ctx, conn->sock, socket_get_fd(conn->sock), EVENT_FD_READ, ldap_io_handler, conn); if (conn->event.fde == NULL) { - talloc_free(conn->sock); - return NT_STATUS_INTERNAL_ERROR; + composite_error(state->ctx, NT_STATUS_INTERNAL_ERROR); + return; } conn->tls = tls_init_client(conn->sock, conn->event.fde, conn->ldaps); if (conn->tls == NULL) { talloc_free(conn->sock); - return NT_STATUS_INTERNAL_ERROR; + return; } talloc_steal(conn, conn->tls); talloc_steal(conn->tls, conn->sock); - return NT_STATUS_OK; + composite_done(state->ctx); + + return; +} + +NTSTATUS ldap_connect_recv(struct composite_context *ctx) +{ + NTSTATUS status = composite_wait(ctx); + talloc_free(ctx); + return status; +} + +NTSTATUS ldap_connect(struct ldap_connection *conn, const char *url) +{ + struct composite_context *ctx = ldap_connect_send(conn, url); + return ldap_connect_recv(ctx); } /* destroy an open ldap request */ -- cgit From 134b2488c82ae13392121f71e4960178a38f3e01 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Fri, 28 Oct 2005 11:02:42 +0000 Subject: r11369: Implement socket_connect_multi: Connect to multiple ipv4 tcp ports in sequence, with a 2-millisecond timeout between firing the syn packets. Build smbcli_sock_connect_send upon that. Volker (This used to be commit 5718df44d90d113304c5deed1e2e7f82ff9e928f) --- source4/libcli/ldap/ldap_client.c | 17 +++++------------ 1 file changed, 5 insertions(+), 12 deletions(-) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index d7cfd7c7e5..3b801ca225 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -428,17 +428,8 @@ struct composite_context *ldap_connect_send(struct ldap_connection *conn, return result; } - state->ctx->status = socket_create("ipv4", SOCKET_TYPE_STREAM, - &conn->sock, 0); - if (!NT_STATUS_IS_OK(state->ctx->status)) { - composite_trigger_error(state->ctx); - return result; - } - - talloc_steal(conn, conn->sock); - - ctx = socket_connect_send(conn->sock, NULL, 0, conn->host, - conn->port, 0, conn->event.event_ctx); + ctx = socket_connect_multi_send(state, conn->host, 1, &conn->port, + conn->event.event_ctx); if (ctx == NULL) goto failed; ctx->async.fn = ldap_connect_recv_conn; @@ -456,8 +447,10 @@ static void ldap_connect_recv_conn(struct composite_context *ctx) talloc_get_type(ctx->async.private_data, struct ldap_connect_state); struct ldap_connection *conn = state->conn; + uint16_t port; - state->ctx->status = socket_connect_recv(ctx); + state->ctx->status = socket_connect_multi_recv(ctx, state, &conn->sock, + &port); if (!composite_is_ok(state->ctx)) return; /* setup a handler for events on this socket */ -- cgit From 65baaafc34b2befac50541c5aef86e5d906d2797 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Thu, 10 Nov 2005 00:28:02 +0000 Subject: r11620: switch the ldap client code over to using the generic packet code (This used to be commit 1d29ad2a27d89454e5e3c4a3cf05cc5edde0208c) --- source4/libcli/ldap/ldap_client.c | 286 ++++++++++++++++---------------------- 1 file changed, 119 insertions(+), 167 deletions(-) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index 3b801ca225..503016e896 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -32,6 +32,7 @@ #include "libcli/ldap/ldap.h" #include "libcli/ldap/ldap_client.h" #include "libcli/composite/composite.h" +#include "lib/stream/packet.h" /* @@ -82,20 +83,20 @@ static void ldap_connection_dead(struct ldap_connection *conn) } } - while (conn->send_queue) { - req = conn->send_queue; - DLIST_REMOVE(req->conn->send_queue, req); - req->state = LDAP_REQUEST_DONE; - req->status = NT_STATUS_UNEXPECTED_NETWORK_ERROR; - if (req->async.fn) { - req->async.fn(req); - } - } - talloc_free(conn->tls); conn->tls = NULL; } +/* + handle packet errors +*/ +static void ldap_error_handler(void *private, NTSTATUS status) +{ + struct ldap_connection *conn = talloc_get_type(private, + struct ldap_connection); + ldap_connection_dead(conn); +} + /* match up with a pending message, adding to the replies list @@ -149,184 +150,99 @@ static void ldap_match_message(struct ldap_connection *conn, struct ldap_message } } + /* - try and decode/process plain data + check if a blob is a complete ldap packet + handle wrapper or unwrapped connections */ -static void ldap_try_decode_plain(struct ldap_connection *conn) +NTSTATUS ldap_complete_packet(void *private, DATA_BLOB blob, size_t *size) { - struct asn1_data asn1; - - if (!asn1_load(&asn1, conn->partial)) { - ldap_connection_dead(conn); - return; - } - - /* try and decode - this will fail if we don't have a full packet yet */ - while (asn1.ofs < asn1.length) { - struct ldap_message *msg = talloc(conn, struct ldap_message); - off_t saved_ofs = asn1.ofs; - - if (msg == NULL) { - ldap_connection_dead(conn); - return; - } - - if (ldap_decode(&asn1, msg)) { - ldap_match_message(conn, msg); - } else { - asn1.ofs = saved_ofs; - talloc_free(msg); - break; - } - } - - /* keep any remaining data in conn->partial */ - data_blob_free(&conn->partial); - if (asn1.ofs != asn1.length) { - conn->partial = data_blob_talloc(conn, - asn1.data + asn1.ofs, - asn1.length - asn1.ofs); + struct ldap_connection *conn = talloc_get_type(private, + struct ldap_connection); + if (conn->enable_wrap) { + return packet_full_request_u32(private, blob, size); } - asn1_free(&asn1); + return ldap_full_packet(private, blob, size); } /* - try and decode/process wrapped data + decode/process plain data */ -static void ldap_try_decode_wrapped(struct ldap_connection *conn) +static NTSTATUS ldap_decode_plain(struct ldap_connection *conn, DATA_BLOB blob) { - uint32_t len; - - /* keep decoding while we have a full wrapped packet */ - while (conn->partial.length >= 4 && - (len=RIVAL(conn->partial.data, 0)) <= conn->partial.length-4) { - DATA_BLOB wrapped, unwrapped; - struct asn1_data asn1; - struct ldap_message *msg = talloc(conn, struct ldap_message); - NTSTATUS status; - - if (msg == NULL) { - ldap_connection_dead(conn); - return; - } + struct asn1_data asn1; + struct ldap_message *msg = talloc(conn, struct ldap_message); - wrapped.data = conn->partial.data+4; - wrapped.length = len; + if (msg == NULL) { + return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR); + } - status = gensec_unwrap(conn->gensec, msg, &wrapped, &unwrapped); - if (!NT_STATUS_IS_OK(status)) { - ldap_connection_dead(conn); - return; - } + if (!asn1_load(&asn1, blob)) { + return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR); + } + + if (!ldap_decode(&asn1, msg)) { + return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR); + } - if (!asn1_load(&asn1, unwrapped)) { - ldap_connection_dead(conn); - return; - } + ldap_match_message(conn, msg); - while (ldap_decode(&asn1, msg)) { - ldap_match_message(conn, msg); - msg = talloc(conn, struct ldap_message); - } - - talloc_free(msg); - asn1_free(&asn1); - - if (conn->partial.length == len + 4) { - data_blob_free(&conn->partial); - } else { - memmove(conn->partial.data, conn->partial.data+len+4, - conn->partial.length - (len+4)); - conn->partial.length -= len + 4; - } - } + data_blob_free(&blob); + asn1_free(&asn1); + return NT_STATUS_OK; } - /* - handle ldap recv events + decode/process wrapped data */ -static void ldap_recv_handler(struct ldap_connection *conn) +static NTSTATUS ldap_decode_wrapped(struct ldap_connection *conn, DATA_BLOB blob) { + DATA_BLOB wrapped, unwrapped; + struct asn1_data asn1; + struct ldap_message *msg = talloc(conn, struct ldap_message); NTSTATUS status; - size_t npending=0, nread; - /* work out how much data is pending */ - status = tls_socket_pending(conn->tls, &npending); - if (!NT_STATUS_IS_OK(status) || npending == 0) { - ldap_connection_dead(conn); - return; + if (msg == NULL) { + return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR); } - conn->partial.data = talloc_realloc_size(conn, conn->partial.data, - conn->partial.length + npending); - if (conn->partial.data == NULL) { - ldap_connection_dead(conn); - return; - } + wrapped = data_blob_const(blob.data+4, blob.length-4); - /* receive the pending data */ - status = tls_socket_recv(conn->tls, conn->partial.data + conn->partial.length, - npending, &nread); - if (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES)) { - return; - } + status = gensec_unwrap(conn->gensec, msg, &wrapped, &unwrapped); if (!NT_STATUS_IS_OK(status)) { - ldap_connection_dead(conn); - return; + return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR); } - conn->partial.length += nread; - /* see if we can decode what we have */ - if (conn->enable_wrap) { - ldap_try_decode_wrapped(conn); - } else { - ldap_try_decode_plain(conn); + data_blob_free(&blob); + + if (!asn1_load(&asn1, unwrapped)) { + return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR); } + + while (ldap_decode(&asn1, msg)) { + ldap_match_message(conn, msg); + msg = talloc(conn, struct ldap_message); + } + + talloc_free(msg); + asn1_free(&asn1); + + return NT_STATUS_OK; } /* - handle ldap send events + handle ldap recv events */ -static void ldap_send_handler(struct ldap_connection *conn) +static NTSTATUS ldap_recv_handler(void *private, DATA_BLOB blob) { - while (conn->send_queue) { - struct ldap_request *req = conn->send_queue; - size_t nsent; - NTSTATUS status; - - status = tls_socket_send(conn->tls, &req->data, &nsent); - if (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES)) { - break; - } - if (!NT_STATUS_IS_OK(status)) { - ldap_connection_dead(conn); - return; - } - - req->data.data += nsent; - req->data.length -= nsent; - if (req->data.length == 0) { - req->state = LDAP_REQUEST_PENDING; - DLIST_REMOVE(conn->send_queue, req); - - /* some types of requests don't expect a reply */ - if (req->type == LDAP_TAG_AbandonRequest || - req->type == LDAP_TAG_UnbindRequest) { - req->status = NT_STATUS_OK; - req->state = LDAP_REQUEST_DONE; - if (req->async.fn) { - req->async.fn(req); - } - } else { - DLIST_ADD(conn->pending, req); - } - } - } - if (conn->send_queue == NULL) { - EVENT_FD_NOT_WRITEABLE(conn->event.fde); + struct ldap_connection *conn = talloc_get_type(private, + struct ldap_connection); + if (conn->enable_wrap) { + return ldap_decode_wrapped(conn, blob); } + + return ldap_decode_plain(conn, blob); } @@ -336,13 +252,14 @@ static void ldap_send_handler(struct ldap_connection *conn) static void ldap_io_handler(struct event_context *ev, struct fd_event *fde, uint16_t flags, void *private) { - struct ldap_connection *conn = talloc_get_type(private, struct ldap_connection); + struct ldap_connection *conn = talloc_get_type(private, + struct ldap_connection); if (flags & EVENT_FD_WRITE) { - ldap_send_handler(conn); + packet_queue_run(conn->packet); if (conn->tls == NULL) return; } if (flags & EVENT_FD_READ) { - ldap_recv_handler(conn); + packet_recv(conn->packet); } } @@ -470,6 +387,19 @@ static void ldap_connect_recv_conn(struct composite_context *ctx) talloc_steal(conn, conn->tls); talloc_steal(conn->tls, conn->sock); + conn->packet = packet_init(conn); + if (conn->packet == NULL) { + talloc_free(conn->sock); + return; + } + packet_set_private(conn->packet, conn); + packet_set_tls(conn->packet, conn->tls); + packet_set_callback(conn->packet, ldap_recv_handler); + packet_set_full_request(conn->packet, ldap_complete_packet); + packet_set_error_handler(conn->packet, ldap_error_handler); + packet_set_event_context(conn->packet, conn->event.event_ctx); + packet_set_serialise(conn->packet, conn->event.fde); + composite_done(state->ctx); return; @@ -492,9 +422,6 @@ NTSTATUS ldap_connect(struct ldap_connection *conn, const char *url) static int ldap_request_destructor(void *ptr) { struct ldap_request *req = talloc_get_type(ptr, struct ldap_request); - if (req->state == LDAP_REQUEST_SEND) { - DLIST_REMOVE(req->conn->send_queue, req); - } if (req->state == LDAP_REQUEST_PENDING) { DLIST_REMOVE(req->conn->pending, req); } @@ -509,9 +436,6 @@ static void ldap_request_timeout(struct event_context *ev, struct timed_event *t { struct ldap_request *req = talloc_get_type(private, struct ldap_request); req->status = NT_STATUS_IO_TIMEOUT; - if (req->state == LDAP_REQUEST_SEND) { - DLIST_REMOVE(req->conn->send_queue, req); - } if (req->state == LDAP_REQUEST_PENDING) { DLIST_REMOVE(req->conn->pending, req); } @@ -521,6 +445,19 @@ static void ldap_request_timeout(struct event_context *ev, struct timed_event *t } } + +/* + called on completion of a one-way ldap request +*/ +static void ldap_request_complete(struct event_context *ev, struct timed_event *te, + struct timeval t, void *private) +{ + struct ldap_request *req = talloc_get_type(private, struct ldap_request); + if (req->async.fn) { + req->async.fn(req); + } +} + /* send a ldap message - async interface */ @@ -528,6 +465,7 @@ struct ldap_request *ldap_request_send(struct ldap_connection *conn, struct ldap_message *msg) { struct ldap_request *req; + NTSTATUS status; if (conn->tls == NULL) { return NULL; @@ -558,7 +496,6 @@ struct ldap_request *ldap_request_send(struct ldap_connection *conn, /* possibly encrypt/sign the request */ if (conn->enable_wrap) { DATA_BLOB wrapped; - NTSTATUS status; status = gensec_wrap(conn->gensec, req, &req->data, &wrapped); if (!NT_STATUS_IS_OK(status)) { @@ -574,11 +511,26 @@ struct ldap_request *ldap_request_send(struct ldap_connection *conn, data_blob_free(&wrapped); } + status = packet_send(conn->packet, req->data); + if (!NT_STATUS_IS_OK(status)) { + goto failed; + } - if (conn->send_queue == NULL) { - EVENT_FD_WRITEABLE(conn->event.fde); + /* some requests don't expect a reply, so don't add those to the + pending queue */ + if (req->type == LDAP_TAG_AbandonRequest || + req->type == LDAP_TAG_UnbindRequest) { + req->status = NT_STATUS_OK; + req->state = LDAP_REQUEST_DONE; + /* we can't call the async callback now, as it isn't setup, so + call it as next event */ + event_add_timed(conn->event.event_ctx, req, timeval_zero(), + ldap_request_complete, req); + return req; } - DLIST_ADD_END(conn->send_queue, req, struct ldap_request *); + + req->state = LDAP_REQUEST_PENDING; + DLIST_ADD(conn->pending, req); /* put a timeout on the request */ event_add_timed(conn->event.event_ctx, req, -- cgit From 614950aed35353854019db5cccec5b3154643ca3 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 14 Nov 2005 03:45:57 +0000 Subject: r11713: separate out the setting of the fde in the packet context from the enabling of packet serialisation (This used to be commit 6a47cd65a8b588f9ddd375c57caaba08281e7cbb) --- source4/libcli/ldap/ldap_client.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index 503016e896..a5f647939f 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -398,7 +398,8 @@ static void ldap_connect_recv_conn(struct composite_context *ctx) packet_set_full_request(conn->packet, ldap_complete_packet); packet_set_error_handler(conn->packet, ldap_error_handler); packet_set_event_context(conn->packet, conn->event.event_ctx); - packet_set_serialise(conn->packet, conn->event.fde); + packet_set_fde(conn->packet, conn->event.fde); + packet_set_serialise(conn->packet); composite_done(state->ctx); -- cgit From 111a920fdb92ccef32f89b2f992bdd3051e5ac54 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Thu, 8 Dec 2005 01:13:45 +0000 Subject: r12116: got rid of composite_trigger_done() and composite_trigger_error(), and instead make the normal composite_done() and composite_error() functions automatically trigger a delayed callback if the caller has had no opportunity to setup a async callback this removes one of the common mistakes in writing a composite function (This used to be commit f9413ce792ded682e05134b66d433eeec293e6f1) --- source4/libcli/ldap/ldap_client.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index a5f647939f..0a787bbf57 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -341,7 +341,7 @@ struct composite_context *ldap_connect_send(struct ldap_connection *conn, state->ctx->status = ldap_parse_basic_url(conn, url, &conn->host, &conn->port, &conn->ldaps); if (!NT_STATUS_IS_OK(state->ctx->status)) { - composite_trigger_error(state->ctx); + composite_error(state->ctx, state->ctx->status); return result; } -- cgit From 2cd5ca7d25f12aa9198bf8c2deb6aea282f573ee Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Wed, 28 Dec 2005 15:38:36 +0000 Subject: r12542: Move some more prototypes out to seperate headers (This used to be commit 0aca5fd5130d980d07398f3291d294202aefe3c2) --- source4/libcli/ldap/ldap_client.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index 0a787bbf57..1ce86f7f85 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -33,6 +33,7 @@ #include "libcli/ldap/ldap_client.h" #include "libcli/composite/composite.h" #include "lib/stream/packet.h" +#include "auth/gensec/gensec.h" /* -- cgit From d4de4c2d210d2e8c9b5aedf70695594809ad6a0b Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Fri, 30 Dec 2005 13:16:54 +0000 Subject: r12608: Remove some unused #include lines. (This used to be commit 70e7449318aa0e9d2639c76730a7d1683b2f4981) --- source4/libcli/ldap/ldap_client.c | 2 -- 1 file changed, 2 deletions(-) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index 1ce86f7f85..77fc7db049 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -28,8 +28,6 @@ #include "dlinklist.h" #include "lib/events/events.h" #include "lib/socket/socket.h" -#include "lib/tls/tls.h" -#include "libcli/ldap/ldap.h" #include "libcli/ldap/ldap_client.h" #include "libcli/composite/composite.h" #include "lib/stream/packet.h" -- cgit From 78c50015bb8bd5a1d831a6e7ec796b3367c73145 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Tue, 3 Jan 2006 15:40:05 +0000 Subject: r12694: Move some headers to the directory of the subsystem they belong to. (This used to be commit c722f665c90103f3ed57621c460e32ad33e7a8a3) --- source4/libcli/ldap/ldap_client.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index 77fc7db049..9b1a4ef9d5 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -24,7 +24,7 @@ */ #include "includes.h" -#include "asn_1.h" +#include "libcli/util/asn_1.h" #include "dlinklist.h" #include "lib/events/events.h" #include "lib/socket/socket.h" -- cgit From c908d0b2aa111659e57a73efb8c33c413965c846 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Fri, 6 Jan 2006 04:01:23 +0000 Subject: r12733: Merge ldap/ldb controls into main tree There's still lot of work to do but the patch is stable enough to be pushed into the main samba4 tree. Simo. (This used to be commit 77125feaff252cab44d26593093a9c211c846ce8) --- source4/libcli/ldap/ldap_client.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index 9b1a4ef9d5..9103e939e7 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -28,6 +28,7 @@ #include "dlinklist.h" #include "lib/events/events.h" #include "lib/socket/socket.h" +#include "libcli/ldap/ldap.h" #include "libcli/ldap/ldap_client.h" #include "libcli/composite/composite.h" #include "lib/stream/packet.h" -- cgit From 00fe70e5b917769418f68eaa255d3a06a9a08ce7 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Wed, 22 Feb 2006 01:31:35 +0000 Subject: r13609: Get in the initial work on making ldb async Currently only ldb_ildap is async, the plan is to first make all backend support the async calls, and then remove the sync functions from backends and keep the only in the API. Modules will need to be transformed along the way. Simo (This used to be commit 1e2c13b2d52de7c534493dd79a2c0596a3e8c1f5) --- source4/libcli/ldap/ldap_client.c | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index 9103e939e7..364961cf47 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -90,9 +90,9 @@ static void ldap_connection_dead(struct ldap_connection *conn) /* handle packet errors */ -static void ldap_error_handler(void *private, NTSTATUS status) +static void ldap_error_handler(void *private_data, NTSTATUS status) { - struct ldap_connection *conn = talloc_get_type(private, + struct ldap_connection *conn = talloc_get_type(private_data, struct ldap_connection); ldap_connection_dead(conn); } @@ -155,14 +155,14 @@ static void ldap_match_message(struct ldap_connection *conn, struct ldap_message check if a blob is a complete ldap packet handle wrapper or unwrapped connections */ -NTSTATUS ldap_complete_packet(void *private, DATA_BLOB blob, size_t *size) +NTSTATUS ldap_complete_packet(void *private_data, DATA_BLOB blob, size_t *size) { - struct ldap_connection *conn = talloc_get_type(private, + struct ldap_connection *conn = talloc_get_type(private_data, struct ldap_connection); if (conn->enable_wrap) { - return packet_full_request_u32(private, blob, size); + return packet_full_request_u32(private_data, blob, size); } - return ldap_full_packet(private, blob, size); + return ldap_full_packet(private_data, blob, size); } /* @@ -234,9 +234,9 @@ static NTSTATUS ldap_decode_wrapped(struct ldap_connection *conn, DATA_BLOB blob /* handle ldap recv events */ -static NTSTATUS ldap_recv_handler(void *private, DATA_BLOB blob) +static NTSTATUS ldap_recv_handler(void *private_data, DATA_BLOB blob) { - struct ldap_connection *conn = talloc_get_type(private, + struct ldap_connection *conn = talloc_get_type(private_data, struct ldap_connection); if (conn->enable_wrap) { return ldap_decode_wrapped(conn, blob); @@ -250,9 +250,9 @@ static NTSTATUS ldap_recv_handler(void *private, DATA_BLOB blob) handle ldap socket events */ static void ldap_io_handler(struct event_context *ev, struct fd_event *fde, - uint16_t flags, void *private) + uint16_t flags, void *private_data) { - struct ldap_connection *conn = talloc_get_type(private, + struct ldap_connection *conn = talloc_get_type(private_data, struct ldap_connection); if (flags & EVENT_FD_WRITE) { packet_queue_run(conn->packet); @@ -433,9 +433,9 @@ static int ldap_request_destructor(void *ptr) called on timeout of a ldap request */ static void ldap_request_timeout(struct event_context *ev, struct timed_event *te, - struct timeval t, void *private) + struct timeval t, void *private_data) { - struct ldap_request *req = talloc_get_type(private, struct ldap_request); + struct ldap_request *req = talloc_get_type(private_data, struct ldap_request); req->status = NT_STATUS_IO_TIMEOUT; if (req->state == LDAP_REQUEST_PENDING) { DLIST_REMOVE(req->conn->pending, req); @@ -451,9 +451,9 @@ static void ldap_request_timeout(struct event_context *ev, struct timed_event *t called on completion of a one-way ldap request */ static void ldap_request_complete(struct event_context *ev, struct timed_event *te, - struct timeval t, void *private) + struct timeval t, void *private_data) { - struct ldap_request *req = talloc_get_type(private, struct ldap_request); + struct ldap_request *req = talloc_get_type(private_data, struct ldap_request); if (req->async.fn) { req->async.fn(req); } @@ -534,9 +534,9 @@ struct ldap_request *ldap_request_send(struct ldap_connection *conn, DLIST_ADD(conn->pending, req); /* put a timeout on the request */ - event_add_timed(conn->event.event_ctx, req, - timeval_current_ofs(conn->timeout, 0), - ldap_request_timeout, req); + req->time_event = event_add_timed(conn->event.event_ctx, req, + timeval_current_ofs(conn->timeout, 0), + ldap_request_timeout, req); return req; -- cgit From 8f164299473553ee28f4fbf1d9a120840c5e5feb Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 25 Apr 2006 11:50:32 +0000 Subject: r15238: Add some code to automatically reconnect if we want to. (This used to be commit e2102999e26566543162455b34adbd2b0486b74d) --- source4/libcli/ldap/ldap_client.c | 78 ++++++++++++++++++++++++++++++++++----- 1 file changed, 68 insertions(+), 10 deletions(-) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index 364961cf47..344605f4ec 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -33,6 +33,7 @@ #include "libcli/composite/composite.h" #include "lib/stream/packet.h" #include "auth/gensec/gensec.h" +#include "system/time.h" /* @@ -62,10 +63,12 @@ struct ldap_connection *ldap_new_connection(TALLOC_CTX *mem_ctx, /* set a reasonable request timeout */ conn->timeout = 60; + /* explicitly avoid reconnections by default */ + conn->reconnect.max_retries = 0; + return conn; } - /* the connection is dead */ @@ -73,6 +76,7 @@ static void ldap_connection_dead(struct ldap_connection *conn) { struct ldap_request *req; + /* return an error for any pending request ... */ while (conn->pending) { req = conn->pending; DLIST_REMOVE(req->conn->pending, req); @@ -84,9 +88,16 @@ static void ldap_connection_dead(struct ldap_connection *conn) } talloc_free(conn->tls); + talloc_free(conn->sock); /* this will also free event.fde */ + talloc_free(conn->packet); conn->tls = NULL; + conn->sock = NULL; + conn->event.fde = NULL; + conn->packet = NULL; } +static void ldap_reconnect(struct ldap_connection *conn); + /* handle packet errors */ @@ -95,6 +106,9 @@ static void ldap_error_handler(void *private_data, NTSTATUS status) struct ldap_connection *conn = talloc_get_type(private_data, struct ldap_connection); ldap_connection_dead(conn); + + /* but try to reconnect so that the ldb client can go on */ + ldap_reconnect(conn); } @@ -325,6 +339,11 @@ struct composite_context *ldap_connect_send(struct ldap_connection *conn, struct composite_context *result, *ctx; struct ldap_connect_state *state; + if (conn->reconnect.url == NULL) { + conn->reconnect.url = talloc_strdup(conn, url); + if (conn->reconnect.url == NULL) goto failed; + } + result = talloc_zero(NULL, struct composite_context); if (result == NULL) goto failed; result->state = COMPOSITE_STATE_IN_PROGRESS; @@ -419,6 +438,40 @@ NTSTATUS ldap_connect(struct ldap_connection *conn, const char *url) return ldap_connect_recv(ctx); } +/* Actually this function is NOT ASYNC safe, FIXME? */ +static void ldap_reconnect(struct ldap_connection *conn) +{ + NTSTATUS status; + time_t now = time(NULL); + + /* do we have set up reconnect ? */ + if (conn->reconnect.max_retries == 0) return; + + /* is the retry time expired ? */ + if (now > conn->reconnect.previous + 30) { + conn->reconnect.retries = 0; + conn->reconnect.previous = now; + } + + /* are we reconnectind too often and too fast? */ + if (conn->reconnect.retries > conn->reconnect.max_retries) return; + + /* keep track of the number of reconnections */ + conn->reconnect.retries++; + + /* reconnect */ + status = ldap_connect(conn, conn->reconnect.url); + if ( ! NT_STATUS_IS_OK(status)) { + return; + } + + /* rebind */ + status = ldap_rebind(conn); + if ( ! NT_STATUS_IS_OK(status)) { + ldap_connection_dead(conn); + } +} + /* destroy an open ldap request */ static int ldap_request_destructor(void *ptr) { @@ -466,15 +519,16 @@ struct ldap_request *ldap_request_send(struct ldap_connection *conn, struct ldap_message *msg) { struct ldap_request *req; - NTSTATUS status; + NTSTATUS status = NT_STATUS_UNSUCCESSFUL; + + req = talloc_zero(conn, struct ldap_request); + if (req == NULL) return NULL; if (conn->tls == NULL) { - return NULL; + status = NT_STATUS_INVALID_CONNECTION; + goto failed; } - req = talloc_zero(conn, struct ldap_request); - if (req == NULL) goto failed; - req->state = LDAP_REQUEST_SEND; req->conn = conn; req->messageid = conn->next_messageid++; @@ -541,8 +595,12 @@ struct ldap_request *ldap_request_send(struct ldap_connection *conn, return req; failed: - talloc_free(req); - return NULL; + req->status = status; + req->state = LDAP_REQUEST_ERROR; + event_add_timed(conn->event.event_ctx, req, timeval_zero(), + ldap_request_complete, req); + + return req; } @@ -552,7 +610,7 @@ failed: */ NTSTATUS ldap_request_wait(struct ldap_request *req) { - while (req->state != LDAP_REQUEST_DONE) { + while (req->state <= LDAP_REQUEST_DONE) { if (event_loop_once(req->conn->event.event_ctx) != 0) { req->status = NT_STATUS_UNEXPECTED_NETWORK_ERROR; break; @@ -665,7 +723,7 @@ NTSTATUS ldap_result_n(struct ldap_request *req, int n, struct ldap_message **ms NT_STATUS_HAVE_NO_MEMORY(req); - while (req->state != LDAP_REQUEST_DONE && n >= req->num_replies) { + while (req->state <= LDAP_REQUEST_DONE && n >= req->num_replies) { if (event_loop_once(req->conn->event.event_ctx) != 0) { return NT_STATUS_UNEXPECTED_NETWORK_ERROR; } -- cgit From 13f17436ea98544315dcf119b0a395a8359fb3e9 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 25 Apr 2006 12:34:13 +0000 Subject: r15241: Add helper function to set reconnect status defaults (This used to be commit 6fff8f871a607e561531e2aabef37f3469aa85e9) --- source4/libcli/ldap/ldap_client.c | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index 344605f4ec..74ac64a68d 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -438,6 +438,17 @@ NTSTATUS ldap_connect(struct ldap_connection *conn, const char *url) return ldap_connect_recv(ctx); } +/* set reconnect parameters */ + +void ldap_set_reconn_params(struct ldap_connection *conn, int max_retries) +{ + if (conn) { + conn->reconnect.max_retries = max_retries; + conn->reconnect.retries = 0; + conn->reconnect.previous = time(NULL); + } +} + /* Actually this function is NOT ASYNC safe, FIXME? */ static void ldap_reconnect(struct ldap_connection *conn) { -- cgit From 886329898c3e6184642a6e454fd10802c388dc7e Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Wed, 26 Apr 2006 16:52:45 +0000 Subject: r15288: fix some problems (This used to be commit d448389be88b3bb9d6f9a3b8a1e1597c4988a0ff) --- source4/libcli/ldap/ldap_client.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index 74ac64a68d..27cab38916 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -88,7 +88,7 @@ static void ldap_connection_dead(struct ldap_connection *conn) } talloc_free(conn->tls); - talloc_free(conn->sock); /* this will also free event.fde */ +/* talloc_free(conn->sock); this will also free event.fde */ talloc_free(conn->packet); conn->tls = NULL; conn->sock = NULL; @@ -621,7 +621,7 @@ failed: */ NTSTATUS ldap_request_wait(struct ldap_request *req) { - while (req->state <= LDAP_REQUEST_DONE) { + while (req->state < LDAP_REQUEST_DONE) { if (event_loop_once(req->conn->event.event_ctx) != 0) { req->status = NT_STATUS_UNEXPECTED_NETWORK_ERROR; break; @@ -734,7 +734,7 @@ NTSTATUS ldap_result_n(struct ldap_request *req, int n, struct ldap_message **ms NT_STATUS_HAVE_NO_MEMORY(req); - while (req->state <= LDAP_REQUEST_DONE && n >= req->num_replies) { + while (req->state < LDAP_REQUEST_DONE && n >= req->num_replies) { if (event_loop_once(req->conn->event.event_ctx) != 0) { return NT_STATUS_UNEXPECTED_NETWORK_ERROR; } -- cgit From 742c110cd67f4995639822981e8bfcb1f652f2c4 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 2 May 2006 20:15:47 +0000 Subject: r15400: Move the TLS code behind the socket interface. This reduces caller complexity, because the TLS code is now called just like any other socket. (A new socket context is returned by the tls_init_server and tls_init_client routines). When TLS is not available, the original socket is returned. Andrew Bartlett (This used to be commit 09b2f30dfa7a640f5187b4933204e9680be61497) --- source4/libcli/ldap/ldap_client.c | 39 +++++++++++++++++++++------------------ 1 file changed, 21 insertions(+), 18 deletions(-) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index 27cab38916..8d815c7103 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -32,6 +32,7 @@ #include "libcli/ldap/ldap_client.h" #include "libcli/composite/composite.h" #include "lib/stream/packet.h" +#include "lib/tls/tls.h" #include "auth/gensec/gensec.h" #include "system/time.h" @@ -85,12 +86,10 @@ static void ldap_connection_dead(struct ldap_connection *conn) if (req->async.fn) { req->async.fn(req); } - } + } - talloc_free(conn->tls); -/* talloc_free(conn->sock); this will also free event.fde */ + talloc_free(conn->sock); /* this will also free event.fde */ talloc_free(conn->packet); - conn->tls = NULL; conn->sock = NULL; conn->event.fde = NULL; conn->packet = NULL; @@ -270,7 +269,7 @@ static void ldap_io_handler(struct event_context *ev, struct fd_event *fde, struct ldap_connection); if (flags & EVENT_FD_WRITE) { packet_queue_run(conn->packet); - if (conn->tls == NULL) return; + if (!tls_enabled(conn->sock)) return; } if (flags & EVENT_FD_READ) { packet_recv(conn->packet); @@ -339,11 +338,6 @@ struct composite_context *ldap_connect_send(struct ldap_connection *conn, struct composite_context *result, *ctx; struct ldap_connect_state *state; - if (conn->reconnect.url == NULL) { - conn->reconnect.url = talloc_strdup(conn, url); - if (conn->reconnect.url == NULL) goto failed; - } - result = talloc_zero(NULL, struct composite_context); if (result == NULL) goto failed; result->state = COMPOSITE_STATE_IN_PROGRESS; @@ -357,6 +351,11 @@ struct composite_context *ldap_connect_send(struct ldap_connection *conn, state->conn = conn; + if (conn->reconnect.url == NULL) { + conn->reconnect.url = talloc_strdup(conn, url); + if (conn->reconnect.url == NULL) goto failed; + } + state->ctx->status = ldap_parse_basic_url(conn, url, &conn->host, &conn->port, &conn->ldaps); if (!NT_STATUS_IS_OK(state->ctx->status)) { @@ -379,6 +378,7 @@ struct composite_context *ldap_connect_send(struct ldap_connection *conn, static void ldap_connect_recv_conn(struct composite_context *ctx) { + struct socket_context *initial_socket; struct ldap_connect_state *state = talloc_get_type(ctx->async.private_data, struct ldap_connect_state); @@ -398,21 +398,24 @@ static void ldap_connect_recv_conn(struct composite_context *ctx) return; } - conn->tls = tls_init_client(conn->sock, conn->event.fde, conn->ldaps); - if (conn->tls == NULL) { - talloc_free(conn->sock); - return; + talloc_steal(conn, conn->sock); + initial_socket = conn->sock; + if (conn->ldaps) { + conn->sock = tls_init_client(conn->sock, conn->event.fde); + if (conn->sock == NULL) { + talloc_free(initial_socket); + return; + } } - talloc_steal(conn, conn->tls); - talloc_steal(conn->tls, conn->sock); conn->packet = packet_init(conn); if (conn->packet == NULL) { talloc_free(conn->sock); return; } + packet_set_private(conn->packet, conn); - packet_set_tls(conn->packet, conn->tls); + packet_set_socket(conn->packet, conn->sock); packet_set_callback(conn->packet, ldap_recv_handler); packet_set_full_request(conn->packet, ldap_complete_packet); packet_set_error_handler(conn->packet, ldap_error_handler); @@ -535,7 +538,7 @@ struct ldap_request *ldap_request_send(struct ldap_connection *conn, req = talloc_zero(conn, struct ldap_request); if (req == NULL) return NULL; - if (conn->tls == NULL) { + if (conn->sock == NULL) { status = NT_STATUS_INVALID_CONNECTION; goto failed; } -- cgit From 971d30bb201f5c3faff5f575d26882eb79f7955a Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Wed, 24 May 2006 07:34:11 +0000 Subject: r15854: more talloc_set_destructor() typesafe fixes (This used to be commit 61c6100617589ac6df4f527877241464cacbf8b3) --- source4/libcli/ldap/ldap_client.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index 8d815c7103..07b7f2b412 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -487,9 +487,8 @@ static void ldap_reconnect(struct ldap_connection *conn) } /* destroy an open ldap request */ -static int ldap_request_destructor(void *ptr) +static int ldap_request_destructor(struct ldap_request *req) { - struct ldap_request *req = talloc_get_type(ptr, struct ldap_request); if (req->state == LDAP_REQUEST_PENDING) { DLIST_REMOVE(req->conn->pending, req); } -- cgit From ba07fa43d0b0090f5e686d8c1822468049f52416 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 23 Jul 2006 02:50:08 +0000 Subject: r17197: This patch moves the encryption of bulk data on SASL negotiated security contexts from the application layer into the socket layer. This improves a number of correctness aspects, as we now allow LDAP packets to cross multiple SASL packets. It should also make it much easier to write async LDAP tests from windows clients, as they use SASL by default. It is also vital to allowing OpenLDAP clients to use GSSAPI against Samba4, as it negotiates a rather small SASL buffer size. This patch mirrors the earlier work done to move TLS into the socket layer. Unusual in this pstch is the extra read callback argument I take. As SASL is a layer on top of a socket, it is entirely possible for the SASL layer to drain a socket dry, but for the caller not to have read all the decrypted data. This would leave the system without an event to restart the read (as the socket is dry). As such, I re-invoke the read handler from a timed callback, which should trigger on the next running of the event loop. I believe that the TLS code does require a similar callback. In trying to understand why this is required, imagine a SASL-encrypted LDAP packet in the following formation: +-----------------+---------------------+ | SASL Packet #1 | SASL Packet #2 | ----------------------------------------+ | LDAP Packet #1 | LDAP Packet #2 | ----------------------------------------+ In the old code, this was illegal, but it is perfectly standard SASL-encrypted LDAP. Without the callback, we would read and process the first LDAP packet, and the SASL code would have read the second SASL packet (to decrypt enough data for the LDAP packet), and no data would remain on the socket. Without data on the socket, read events stop. That is why I add timed events, until the SASL buffer is drained. Another approach would be to add a hack to the event system, to have it pretend there remained data to read off the network (but that is ugly). In improving the code, to handle more real-world cases, I've been able to remove almost all the special-cases in the testnonblock code. The only special case is that we must use a deterministic partial packet when calling send, rather than a random length. (1 + n/2). This is needed because of the way the SASL and TLS code works, and the 'resend on failure' requirements. Andrew Bartlett (This used to be commit 5d7c9c12cb2b39673172a357092b80cd814850b0) --- source4/libcli/ldap/ldap_client.c | 94 ++++----------------------------------- 1 file changed, 9 insertions(+), 85 deletions(-) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index 07b7f2b412..2e834b5244 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -165,25 +165,13 @@ static void ldap_match_message(struct ldap_connection *conn, struct ldap_message /* - check if a blob is a complete ldap packet - handle wrapper or unwrapped connections + decode/process LDAP data */ -NTSTATUS ldap_complete_packet(void *private_data, DATA_BLOB blob, size_t *size) -{ - struct ldap_connection *conn = talloc_get_type(private_data, - struct ldap_connection); - if (conn->enable_wrap) { - return packet_full_request_u32(private_data, blob, size); - } - return ldap_full_packet(private_data, blob, size); -} - -/* - decode/process plain data -*/ -static NTSTATUS ldap_decode_plain(struct ldap_connection *conn, DATA_BLOB blob) +static NTSTATUS ldap_recv_handler(void *private_data, DATA_BLOB blob) { struct asn1_data asn1; + struct ldap_connection *conn = talloc_get_type(private_data, + struct ldap_connection); struct ldap_message *msg = talloc(conn, struct ldap_message); if (msg == NULL) { @@ -205,60 +193,14 @@ static NTSTATUS ldap_decode_plain(struct ldap_connection *conn, DATA_BLOB blob) return NT_STATUS_OK; } -/* - decode/process wrapped data -*/ -static NTSTATUS ldap_decode_wrapped(struct ldap_connection *conn, DATA_BLOB blob) -{ - DATA_BLOB wrapped, unwrapped; - struct asn1_data asn1; - struct ldap_message *msg = talloc(conn, struct ldap_message); - NTSTATUS status; - - if (msg == NULL) { - return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR); - } - - wrapped = data_blob_const(blob.data+4, blob.length-4); - - status = gensec_unwrap(conn->gensec, msg, &wrapped, &unwrapped); - if (!NT_STATUS_IS_OK(status)) { - return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR); - } - - data_blob_free(&blob); - - if (!asn1_load(&asn1, unwrapped)) { - return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR); - } - - while (ldap_decode(&asn1, msg)) { - ldap_match_message(conn, msg); - msg = talloc(conn, struct ldap_message); - } - - talloc_free(msg); - asn1_free(&asn1); - - return NT_STATUS_OK; -} - - -/* - handle ldap recv events -*/ -static NTSTATUS ldap_recv_handler(void *private_data, DATA_BLOB blob) +/* Handle read events, from the GENSEC socket callback, or real events */ +void ldap_read_io_handler(void *private_data, uint16_t flags) { struct ldap_connection *conn = talloc_get_type(private_data, struct ldap_connection); - if (conn->enable_wrap) { - return ldap_decode_wrapped(conn, blob); - } - - return ldap_decode_plain(conn, blob); + packet_recv(conn->packet); } - /* handle ldap socket events */ @@ -272,7 +214,7 @@ static void ldap_io_handler(struct event_context *ev, struct fd_event *fde, if (!tls_enabled(conn->sock)) return; } if (flags & EVENT_FD_READ) { - packet_recv(conn->packet); + ldap_read_io_handler(private_data, flags); } } @@ -417,7 +359,7 @@ static void ldap_connect_recv_conn(struct composite_context *ctx) packet_set_private(conn->packet, conn); packet_set_socket(conn->packet, conn->sock); packet_set_callback(conn->packet, ldap_recv_handler); - packet_set_full_request(conn->packet, ldap_complete_packet); + packet_set_full_request(conn->packet, ldap_full_packet); packet_set_error_handler(conn->packet, ldap_error_handler); packet_set_event_context(conn->packet, conn->event.event_ctx); packet_set_fde(conn->packet, conn->event.fde); @@ -561,24 +503,6 @@ struct ldap_request *ldap_request_send(struct ldap_connection *conn, goto failed; } - /* possibly encrypt/sign the request */ - if (conn->enable_wrap) { - DATA_BLOB wrapped; - - status = gensec_wrap(conn->gensec, req, &req->data, &wrapped); - if (!NT_STATUS_IS_OK(status)) { - goto failed; - } - data_blob_free(&req->data); - req->data = data_blob_talloc(req, NULL, wrapped.length + 4); - if (req->data.data == NULL) { - goto failed; - } - RSIVAL(req->data.data, 0, wrapped.length); - memcpy(req->data.data+4, wrapped.data, wrapped.length); - data_blob_free(&wrapped); - } - status = packet_send(conn->packet, req->data); if (!NT_STATUS_IS_OK(status)) { goto failed; -- cgit From 9d6f2767179fad2f9a067c67c09afddb6304e4eb Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 25 Jul 2006 00:57:27 +0000 Subject: r17222: Change the function prototypes for the GENSEc and TLS socket creation routines to return an NTSTATUS. This should help track down errors. Use a bit of talloc_steal and talloc_unlink to get the real socket to be a child of the GENSEC or TLS socket. Always return a new socket, even for the 'pass-though' case. Andrew Bartlett (This used to be commit 003e2ab93c87267ba28cd67bd85975bad62a8ea2) --- source4/libcli/ldap/ldap_client.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index 2e834b5244..eb7b9c6327 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -320,7 +320,6 @@ struct composite_context *ldap_connect_send(struct ldap_connection *conn, static void ldap_connect_recv_conn(struct composite_context *ctx) { - struct socket_context *initial_socket; struct ldap_connect_state *state = talloc_get_type(ctx->async.private_data, struct ldap_connect_state); @@ -341,13 +340,15 @@ static void ldap_connect_recv_conn(struct composite_context *ctx) } talloc_steal(conn, conn->sock); - initial_socket = conn->sock; if (conn->ldaps) { - conn->sock = tls_init_client(conn->sock, conn->event.fde); - if (conn->sock == NULL) { - talloc_free(initial_socket); + struct socket_context *tls_socket = tls_init_client(conn->sock, conn->event.fde); + if (tls_socket == NULL) { + talloc_free(conn->sock); return; } + talloc_unlink(conn, conn->sock); + conn->sock = tls_socket; + talloc_steal(conn, conn->sock); } conn->packet = packet_init(conn); -- cgit From 0329d755a7611ba3897fc1ee9bdce410cc33d7f8 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Wed, 30 Aug 2006 11:29:34 +0000 Subject: r17930: Merge noinclude branch: * Move dlinklist.h, smb.h to subsystem-specific directories * Clean up ads.h and move what is left of it to dsdb/ (only place where it's used) (This used to be commit f7afa1cb77f3cfa7020b57de12e6003db7cfcc42) --- source4/libcli/ldap/ldap_client.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index eb7b9c6327..efc6f7b4e5 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -25,7 +25,7 @@ #include "includes.h" #include "libcli/util/asn_1.h" -#include "dlinklist.h" +#include "lib/util/dlinklist.h" #include "lib/events/events.h" #include "lib/socket/socket.h" #include "libcli/ldap/ldap.h" -- cgit From 22ced36791da7de99afb799deb30b934ccbd902e Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 4 Sep 2006 00:26:10 +0000 Subject: r18021: Add ldapi support to our LDAP client. To be used for testing an OpenLDAP backend. Andrew Bartlett (This used to be commit da66b53e6ac39c5f020781830ee69d460aa0cae5) --- source4/libcli/ldap/ldap_client.c | 127 ++++++++++++++++++++++++++++---------- 1 file changed, 93 insertions(+), 34 deletions(-) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index efc6f7b4e5..4fa8cc0146 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -226,19 +226,13 @@ static NTSTATUS ldap_parse_basic_url(TALLOC_CTX *mem_ctx, const char *url, { int tmp_port = 0; char protocol[11]; - char tmp_host[255]; - const char *p = url; + char tmp_host[1025]; int ret; - /* skip leading "URL:" (if any) */ - if (strncasecmp(p, "URL:", 4) == 0) { - p += 4; - } - /* Paranoia check */ SMB_ASSERT(sizeof(protocol)>10 && sizeof(tmp_host)>254); - ret = sscanf(p, "%10[^:]://%254[^:/]:%d", protocol, tmp_host, &tmp_port); + ret = sscanf(url, "%10[^:]://%254[^:/]:%d", protocol, tmp_host, &tmp_port); if (ret < 2) { return NT_STATUS_INVALID_PARAMETER; } @@ -272,13 +266,16 @@ struct ldap_connect_state { struct ldap_connection *conn; }; -static void ldap_connect_recv_conn(struct composite_context *ctx); +static void ldap_connect_recv_unix_conn(struct composite_context *ctx); +static void ldap_connect_recv_tcp_conn(struct composite_context *ctx); struct composite_context *ldap_connect_send(struct ldap_connection *conn, const char *url) { struct composite_context *result, *ctx; struct ldap_connect_state *state; + char protocol[11]; + int ret; result = talloc_zero(NULL, struct composite_context); if (result == NULL) goto failed; @@ -298,44 +295,73 @@ struct composite_context *ldap_connect_send(struct ldap_connection *conn, if (conn->reconnect.url == NULL) goto failed; } - state->ctx->status = ldap_parse_basic_url(conn, url, &conn->host, - &conn->port, &conn->ldaps); - if (!NT_STATUS_IS_OK(state->ctx->status)) { - composite_error(state->ctx, state->ctx->status); - return result; + /* Paranoia check */ + SMB_ASSERT(sizeof(protocol)>10); + + ret = sscanf(url, "%10[^:]://", protocol); + if (ret < 1) { + return NULL; } - ctx = socket_connect_multi_send(state, conn->host, 1, &conn->port, - conn->event.event_ctx); - if (ctx == NULL) goto failed; + if (strequal(protocol, "ldapi")) { + struct socket_address *unix_addr; + char path[1025]; + + NTSTATUS status = socket_create("unix", SOCKET_TYPE_STREAM, &conn->sock, 0); + if (!NT_STATUS_IS_OK(status)) { + return NULL; + } + SMB_ASSERT(sizeof(protocol)>10); + SMB_ASSERT(sizeof(path)>1024); + + ret = sscanf(url, "%10[^:]://%1025c", protocol, path); + if (ret < 2) { + composite_error(state->ctx, NT_STATUS_INVALID_PARAMETER); + return result; + } - ctx->async.fn = ldap_connect_recv_conn; - ctx->async.private_data = state; - return result; + rfc1738_unescape(path); + + unix_addr = socket_address_from_strings(conn, conn->sock->backend_name, + path, 0); + if (!unix_addr) { + return NULL; + } + + ctx = socket_connect_send(conn->sock, NULL, unix_addr, + 0, conn->event.event_ctx); + ctx->async.fn = ldap_connect_recv_unix_conn; + ctx->async.private_data = state; + return result; + } else { + NTSTATUS status = ldap_parse_basic_url(conn, url, &conn->host, + &conn->port, &conn->ldaps); + if (!NT_STATUS_IS_OK(state->ctx->status)) { + composite_error(state->ctx, status); + return result; + } + + ctx = socket_connect_multi_send(state, conn->host, 1, &conn->port, + conn->event.event_ctx); + if (ctx == NULL) goto failed; + ctx->async.fn = ldap_connect_recv_tcp_conn; + ctx->async.private_data = state; + return result; + } failed: talloc_free(result); return NULL; } -static void ldap_connect_recv_conn(struct composite_context *ctx) +static void ldap_connect_got_sock(struct composite_context *ctx, struct ldap_connection *conn) { - struct ldap_connect_state *state = - talloc_get_type(ctx->async.private_data, - struct ldap_connect_state); - struct ldap_connection *conn = state->conn; - uint16_t port; - - state->ctx->status = socket_connect_multi_recv(ctx, state, &conn->sock, - &port); - if (!composite_is_ok(state->ctx)) return; - /* setup a handler for events on this socket */ conn->event.fde = event_add_fd(conn->event.event_ctx, conn->sock, socket_get_fd(conn->sock), EVENT_FD_READ, ldap_io_handler, conn); if (conn->event.fde == NULL) { - composite_error(state->ctx, NT_STATUS_INTERNAL_ERROR); + composite_error(ctx, NT_STATUS_INTERNAL_ERROR); return; } @@ -366,9 +392,42 @@ static void ldap_connect_recv_conn(struct composite_context *ctx) packet_set_fde(conn->packet, conn->event.fde); packet_set_serialise(conn->packet); - composite_done(state->ctx); + composite_done(ctx); +} + +static void ldap_connect_recv_tcp_conn(struct composite_context *ctx) +{ + struct ldap_connect_state *state = + talloc_get_type(ctx->async.private_data, + struct ldap_connect_state); + struct ldap_connection *conn = state->conn; + uint16_t port; + + NTSTATUS status = socket_connect_multi_recv(ctx, state, &conn->sock, + &port); + if (!NT_STATUS_IS_OK(state->ctx->status)) { + composite_error(state->ctx, status); + return; + } + + ldap_connect_got_sock(state->ctx, conn); +} + +static void ldap_connect_recv_unix_conn(struct composite_context *ctx) +{ + struct ldap_connect_state *state = + talloc_get_type(ctx->async.private_data, + struct ldap_connect_state); + struct ldap_connection *conn = state->conn; + + NTSTATUS status = socket_connect_recv(ctx); + + if (!NT_STATUS_IS_OK(state->ctx->status)) { + composite_error(state->ctx, status); + return; + } - return; + ldap_connect_got_sock(state->ctx, conn); } NTSTATUS ldap_connect_recv(struct composite_context *ctx) -- cgit From e21e8379a2ce9f3ca70227889c5c11a719516980 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 4 Sep 2006 01:59:23 +0000 Subject: r18024: The %c sscanf format I'm using doesn't null terminate. Andrew Bartlett (This used to be commit 1920cb8b3978f745cba7e854410deb9174de2dc0) --- source4/libcli/ldap/ldap_client.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index 4fa8cc0146..bc230879fc 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -311,9 +311,12 @@ struct composite_context *ldap_connect_send(struct ldap_connection *conn, if (!NT_STATUS_IS_OK(status)) { return NULL; } + talloc_steal(conn, conn->sock); SMB_ASSERT(sizeof(protocol)>10); SMB_ASSERT(sizeof(path)>1024); + /* The %c specifier doesn't null terminate :-( */ + ZERO_STRUCT(path); ret = sscanf(url, "%10[^:]://%1025c", protocol, path); if (ret < 2) { composite_error(state->ctx, NT_STATUS_INVALID_PARAMETER); -- cgit From d7534e0cc772b9aa0b7cdeb0ed4469e44173348f Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Fri, 8 Sep 2006 06:04:10 +0000 Subject: r18256: use the right status variable (This used to be commit f4b4bd945f5c3955aab0c3cf89ad6cdda7529dac) --- source4/libcli/ldap/ldap_client.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index bc230879fc..da1ffcd317 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -405,10 +405,9 @@ static void ldap_connect_recv_tcp_conn(struct composite_context *ctx) struct ldap_connect_state); struct ldap_connection *conn = state->conn; uint16_t port; - NTSTATUS status = socket_connect_multi_recv(ctx, state, &conn->sock, &port); - if (!NT_STATUS_IS_OK(state->ctx->status)) { + if (!NT_STATUS_IS_OK(status)) { composite_error(state->ctx, status); return; } -- cgit From e91cee468eceb6ff8843bafc7fbb22a21b52a00c Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sat, 9 Sep 2006 12:57:45 +0000 Subject: r18309: FreeBSD 6.1 has a symbol ldap_new_connection() in the system ldap library. Even though we don't like to that library, it gets loaded via nss-ldap, which means nss-ldap calls into the samba ldap lib with the wrong parameters, and crashes. We really need to use a completely different namespace in libcli/ldap/ (This used to be commit c440e0eed9afae5fe69995a7416971e7c8560779) --- source4/libcli/ldap/ldap_client.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index da1ffcd317..7bb4d0c79a 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -40,7 +40,7 @@ /* create a new ldap_connection stucture. The event context is optional */ -struct ldap_connection *ldap_new_connection(TALLOC_CTX *mem_ctx, +struct ldap_connection *ldap4_new_connection(TALLOC_CTX *mem_ctx, struct event_context *ev) { struct ldap_connection *conn; -- cgit From 4fa24df98ded939c68bdc95e9f09334caeeb84af Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sun, 29 Oct 2006 17:40:19 +0000 Subject: r19507: Merge my DSO fixes branch. Building Samba's libraries as shared libraries works again now, by specifying --enable-dso to configure. (This used to be commit 7a01235067a4800b07b8919a6a475954bfb0b04c) --- source4/libcli/ldap/ldap_client.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index 7bb4d0c79a..2c2cd0dd66 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -432,7 +432,7 @@ static void ldap_connect_recv_unix_conn(struct composite_context *ctx) ldap_connect_got_sock(state->ctx, conn); } -NTSTATUS ldap_connect_recv(struct composite_context *ctx) +_PUBLIC_ NTSTATUS ldap_connect_recv(struct composite_context *ctx) { NTSTATUS status = composite_wait(ctx); talloc_free(ctx); -- cgit From 3370f2f2d7e5296e8f54f721003c07fac111d1ad Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 8 Mar 2007 06:23:39 +0000 Subject: r21761: - Give more detail on LDAP client library failures (make it clear where the error is from) - Make default error string more consistant Andrew Bartlett (This used to be commit 7f115579d20a3112efd11444fafcbf78698fc9a1) --- source4/libcli/ldap/ldap_client.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index 2c2cd0dd66..82cafd721a 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -562,6 +562,7 @@ struct ldap_request *ldap_request_send(struct ldap_connection *conn, msg->messageid = req->messageid; if (!ldap_encode(msg, &req->data, req)) { + status = NT_STATUS_INTERNAL_ERROR; goto failed; } @@ -704,12 +705,14 @@ NTSTATUS ldap_check_response(struct ldap_connection *conn, struct ldap_Result *r /* return error string representing the last error */ -const char *ldap_errstr(struct ldap_connection *conn, NTSTATUS status) +const char *ldap_errstr(struct ldap_connection *conn, + TALLOC_CTX *mem_ctx, + NTSTATUS status) { if (NT_STATUS_IS_LDAP(status) && conn->last_error != NULL) { - return conn->last_error; + return talloc_strdup(mem_ctx, conn->last_error); } - return nt_errstr(status); + return talloc_asprintf(mem_ctx, "LDAP client internal error: %s", nt_errstr(status)); } -- cgit From 9b03286b32a916dbef59f1459eefa01f0ebfeed3 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 13 Mar 2007 00:59:06 +0000 Subject: r21806: I've been working over the last week to fix up the LDAP backend for Samba4. This only broke on global catalog queries, which turned out to be due to changes in the partitions module that metze needed for his DRSUAPI work. I've reworked partitions.c to always include the 'problematic' control, and therefore demonstrated that this is the issue. This ensures consistency, and should help with finding issues like this in future. As this control (DSDB_CONTROL_CURRENT_PARTITION_OID) is not intended to be linearised, I've added logic to allow it to be skipped when creating network packets. I've likewise make our LDAP server skip unknown controls, when marked 'not critical' on it's input, rather than just dropping the entire request. I need some help to generate a correct error packet when it is marked critical. Further work could perhaps be to have the ldap_encode routine return a textual description of what failed to encode, as that would have saved me a lot of time... Andrew Bartlett (This used to be commit eef710668f91d1bbaa2d834d9e653e11c8aac817) --- source4/libcli/ldap/ldap_client.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index 82cafd721a..8852fd5427 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -169,6 +169,8 @@ static void ldap_match_message(struct ldap_connection *conn, struct ldap_message */ static NTSTATUS ldap_recv_handler(void *private_data, DATA_BLOB blob) { + int ret; + NTSTATUS status; struct asn1_data asn1; struct ldap_connection *conn = talloc_get_type(private_data, struct ldap_connection); @@ -182,8 +184,9 @@ static NTSTATUS ldap_recv_handler(void *private_data, DATA_BLOB blob) return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR); } - if (!ldap_decode(&asn1, msg)) { - return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR); + status = ldap_decode(&asn1, msg); + if (!NT_STATUS_IS_OK(status)) { + return status; } ldap_match_message(conn, msg); -- cgit From 1c8b46bb7236edac23de83d1d8de7244e4044a81 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 20 Apr 2007 11:02:45 +0000 Subject: r22405: fix memory leak in error path metze (This used to be commit d19195bfa5405822613d5236cd76547f0ac77bde) --- source4/libcli/ldap/ldap_client.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index 8852fd5427..39f265015a 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -186,6 +186,7 @@ static NTSTATUS ldap_recv_handler(void *private_data, DATA_BLOB blob) status = ldap_decode(&asn1, msg); if (!NT_STATUS_IS_OK(status)) { + asn1_free(&asn1); return status; } -- cgit From cb00a33c672ce78dc58a722804013e5b567fdf45 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 15 May 2007 07:16:04 +0000 Subject: r22884: Be consistant with the case of these constants. Andrew Bartlett (This used to be commit 7b086eebd6af21674ca18c7d9b35cb2c6b57514a) --- source4/libcli/ldap/ldap_client.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index 39f265015a..c819122dd2 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -658,7 +658,7 @@ static const struct { _LDAP_MAP_CODE(LDAP_ALIAS_DEREFERENCING_PROBLEM), _LDAP_MAP_CODE(LDAP_INAPPROPRIATE_AUTHENTICATION), _LDAP_MAP_CODE(LDAP_INVALID_CREDENTIALS), - _LDAP_MAP_CODE(LDAP_INSUFFICIENT_ACCESS_RIGHTs), + _LDAP_MAP_CODE(LDAP_INSUFFICIENT_ACCESS_RIGHTS), _LDAP_MAP_CODE(LDAP_BUSY), _LDAP_MAP_CODE(LDAP_UNAVAILABLE), _LDAP_MAP_CODE(LDAP_UNWILLING_TO_PERFORM), -- cgit From 7bb939b1cb2b39a8271cf16d9f5fce5312a9af10 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 21 May 2007 06:12:06 +0000 Subject: r23030: finally fixed up our asn1 code to use better memory allocation. This should allow us to fix some long standing memory leaks. (This used to be commit 3db49c2ec9968221c1361785b94061046ecd159d) --- source4/libcli/ldap/ldap_client.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index c819122dd2..5e4eddee92 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -169,31 +169,30 @@ static void ldap_match_message(struct ldap_connection *conn, struct ldap_message */ static NTSTATUS ldap_recv_handler(void *private_data, DATA_BLOB blob) { - int ret; NTSTATUS status; - struct asn1_data asn1; struct ldap_connection *conn = talloc_get_type(private_data, struct ldap_connection); struct ldap_message *msg = talloc(conn, struct ldap_message); + struct asn1_data *asn1 = asn1_init(conn); if (msg == NULL) { return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR); } - if (!asn1_load(&asn1, blob)) { + if (!asn1_load(asn1, blob)) { return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR); } - status = ldap_decode(&asn1, msg); + status = ldap_decode(asn1, msg); if (!NT_STATUS_IS_OK(status)) { - asn1_free(&asn1); + asn1_free(asn1); return status; } ldap_match_message(conn, msg); data_blob_free(&blob); - asn1_free(&asn1); + asn1_free(asn1); return NT_STATUS_OK; } -- cgit From 931f594cf16b8c7f9f416d7a8831432b783a0ec8 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 21 May 2007 12:47:18 +0000 Subject: r23036: error checking on asn1_init() failure (This used to be commit 26cf8494084c0106ef0e1c9b6ef40eeadf945ef2) --- source4/libcli/ldap/ldap_client.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index 5e4eddee92..ce15b39271 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -175,11 +175,13 @@ static NTSTATUS ldap_recv_handler(void *private_data, DATA_BLOB blob) struct ldap_message *msg = talloc(conn, struct ldap_message); struct asn1_data *asn1 = asn1_init(conn); - if (msg == NULL) { + if (asn1 == NULL || msg == NULL) { return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR); } if (!asn1_load(asn1, blob)) { + talloc_free(msg); + talloc_free(asn1); return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR); } -- cgit From 0479a2f1cbae51fcd8dbdc3c148c808421fb4d25 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 10 Jul 2007 02:07:03 +0000 Subject: r23792: convert Samba4 to GPLv3 There are still a few tidyups of old FSF addresses to come (in both s3 and s4). More commits soon. (This used to be commit fcf38a38ac691abd0fa51b89dc951a08e89fdafa) --- source4/libcli/ldap/ldap_client.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index ce15b39271..8476a4977b 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -9,7 +9,7 @@ This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or + the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, @@ -18,8 +18,7 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + along with this program. If not, see . */ -- cgit From 2151cde58014ea2e822c13d2f8a369b45dc19ca8 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sat, 6 Oct 2007 22:28:14 +0000 Subject: r25554: Convert last instances of BOOL, True and False to the standard types. (This used to be commit 566aa14139510788548a874e9213d91317f83ca9) --- source4/libcli/ldap/ldap_client.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index 8476a4977b..aea95de161 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -226,7 +226,7 @@ static void ldap_io_handler(struct event_context *ev, struct fd_event *fde, parse a ldap URL */ static NTSTATUS ldap_parse_basic_url(TALLOC_CTX *mem_ctx, const char *url, - char **host, uint16_t *port, BOOL *ldaps) + char **host, uint16_t *port, bool *ldaps) { int tmp_port = 0; char protocol[11]; @@ -243,10 +243,10 @@ static NTSTATUS ldap_parse_basic_url(TALLOC_CTX *mem_ctx, const char *url, if (strequal(protocol, "ldap")) { *port = 389; - *ldaps = False; + *ldaps = false; } else if (strequal(protocol, "ldaps")) { *port = 636; - *ldaps = True; + *ldaps = true; } else { DEBUG(0, ("unrecognised ldap protocol (%s)!\n", protocol)); return NT_STATUS_PROTOCOL_UNREACHABLE; -- cgit From 5861a17042d1dfb9ae77a519b7e0da9484c2074c Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Thu, 18 Oct 2007 03:32:07 +0200 Subject: r25692: fixed another example where the free of fde and the free of the socket causes the fd to be closed before epoll is told (This used to be commit d19686cf8a3aba0c6601c5fa58cbf74461055c1c) --- source4/libcli/ldap/ldap_client.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index aea95de161..fcb2d92214 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -366,12 +366,14 @@ static void ldap_connect_got_sock(struct composite_context *ctx, struct ldap_con /* setup a handler for events on this socket */ conn->event.fde = event_add_fd(conn->event.event_ctx, conn->sock, socket_get_fd(conn->sock), - EVENT_FD_READ, ldap_io_handler, conn); + EVENT_FD_READ | EVENT_FD_AUTOCLOSE, ldap_io_handler, conn); if (conn->event.fde == NULL) { composite_error(ctx, NT_STATUS_INTERNAL_ERROR); return; } + socket_set_flags(conn->sock, SOCKET_FLAG_NOCLOSE); + talloc_steal(conn, conn->sock); if (conn->ldaps) { struct socket_context *tls_socket = tls_init_client(conn->sock, conn->event.fde); -- cgit From 364266e22a08e730f2442cf87ec385620cff2700 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 29 Nov 2007 08:00:04 +0100 Subject: r26192: Handle, test and implement the style of extended_dn requiest that MMC uses. It appears that the control value is optional, implying type 0 responses. Failing to parse this was causing LDAP disconnects with 'unavailable critical extension'. Andrew Bartlett (This used to be commit 833dfc2f2af84c45f954e428c9ea6babf100ba92) --- source4/libcli/ldap/ldap_client.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index fcb2d92214..41e9c37196 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -116,6 +116,7 @@ static void ldap_error_handler(void *private_data, NTSTATUS status) static void ldap_match_message(struct ldap_connection *conn, struct ldap_message *msg) { struct ldap_request *req; + int i; for (req=conn->pending; req; req=req->next) { if (req->messageid == msg->messageid) break; @@ -132,6 +133,20 @@ static void ldap_match_message(struct ldap_connection *conn, struct ldap_message return; } + /* Check for undecoded critical extensions */ + for (i=0; msg->controls && msg->controls[i]; i++) { + if (!msg->controls_decoded[i] && + msg->controls[i]->critical) { + req->status = NT_STATUS_LDAP(LDAP_UNAVAILABLE_CRITICAL_EXTENSION); + req->state = LDAP_REQUEST_DONE; + DLIST_REMOVE(conn->pending, req); + if (req->async.fn) { + req->async.fn(req); + } + return; + } + } + /* add to the list of replies received */ talloc_steal(req, msg); req->replies = talloc_realloc(req, req->replies, -- cgit From bbdfbf8d9d486aee51117976b8f825759a4c4a37 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Mon, 3 Dec 2007 00:28:22 +0100 Subject: r26238: Add a loadparm context parameter to torture_context, remove more uses of global_loadparm. (This used to be commit a33a5530545086b81a3b205aa109dff11c546926) --- source4/libcli/ldap/ldap_client.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index 41e9c37196..f1cfaad18b 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -34,6 +34,7 @@ #include "lib/tls/tls.h" #include "auth/gensec/gensec.h" #include "system/time.h" +#include "param/param.h" /* @@ -391,7 +392,17 @@ static void ldap_connect_got_sock(struct composite_context *ctx, struct ldap_con talloc_steal(conn, conn->sock); if (conn->ldaps) { - struct socket_context *tls_socket = tls_init_client(conn->sock, conn->event.fde); + struct socket_context *tls_socket; + char *cafile = private_path(conn->sock, global_loadparm, lp_tls_cafile(global_loadparm)); + + if (!cafile || !*cafile) { + talloc_free(conn->sock); + return; + } + + tls_socket = tls_init_client(conn->sock, conn->event.fde, cafile); + talloc_free(cafile); + if (tls_socket == NULL) { talloc_free(conn->sock); return; -- cgit From 2f8dc4f48f1802baa3405e7803563f6840e0d1b3 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Mon, 3 Dec 2007 21:25:06 +0100 Subject: r26266: Remove more global_loadparm uses. (This used to be commit 99113075c4a96679bcec4f4d6bba4acb3dee4245) --- source4/libcli/ldap/ldap_client.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index f1cfaad18b..2fe0c78555 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -377,7 +377,8 @@ struct composite_context *ldap_connect_send(struct ldap_connection *conn, return NULL; } -static void ldap_connect_got_sock(struct composite_context *ctx, struct ldap_connection *conn) +static void ldap_connect_got_sock(struct composite_context *ctx, + struct ldap_connection *conn) { /* setup a handler for events on this socket */ conn->event.fde = event_add_fd(conn->event.event_ctx, conn->sock, -- cgit From 01d2acfdb4c4c0349a28a18c5c0da5b960b02791 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Fri, 7 Dec 2007 16:04:17 +0100 Subject: r26335: Specify name_resolve_order to socket code. (This used to be commit b03e5d00110be3f1fe5809dad4eb6ca5cea7463d) --- source4/libcli/ldap/ldap_client.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index 2fe0c78555..c859b4a4d1 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -352,7 +352,7 @@ struct composite_context *ldap_connect_send(struct ldap_connection *conn, } ctx = socket_connect_send(conn->sock, NULL, unix_addr, - 0, conn->event.event_ctx); + 0, lp_name_resolve_order(global_loadparm), conn->event.event_ctx); ctx->async.fn = ldap_connect_recv_unix_conn; ctx->async.private_data = state; return result; @@ -365,7 +365,7 @@ struct composite_context *ldap_connect_send(struct ldap_connection *conn, } ctx = socket_connect_multi_send(state, conn->host, 1, &conn->port, - conn->event.event_ctx); + lp_name_resolve_order(global_loadparm), conn->event.event_ctx); if (ctx == NULL) goto failed; ctx->async.fn = ldap_connect_recv_tcp_conn; -- cgit From b65dba2245bf382c47d65c95ac9b1efa43918fc0 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Mon, 10 Dec 2007 04:33:16 +0100 Subject: r26355: Eliminate global_loadparm in more places. (This used to be commit 5d589a0d94bd76a9b4c9fc748854e8098ea43c4d) --- source4/libcli/ldap/ldap_client.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index c859b4a4d1..906e9c2574 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -37,11 +37,12 @@ #include "param/param.h" -/* +/** create a new ldap_connection stucture. The event context is optional */ struct ldap_connection *ldap4_new_connection(TALLOC_CTX *mem_ctx, - struct event_context *ev) + struct loadparm_context *lp_ctx, + struct event_context *ev) { struct ldap_connection *conn; @@ -61,6 +62,8 @@ struct ldap_connection *ldap4_new_connection(TALLOC_CTX *mem_ctx, conn->next_messageid = 1; conn->event.event_ctx = ev; + conn->lp_ctx = lp_ctx; + /* set a reasonable request timeout */ conn->timeout = 60; @@ -352,7 +355,7 @@ struct composite_context *ldap_connect_send(struct ldap_connection *conn, } ctx = socket_connect_send(conn->sock, NULL, unix_addr, - 0, lp_name_resolve_order(global_loadparm), conn->event.event_ctx); + 0, lp_name_resolve_order(conn->lp_ctx), conn->event.event_ctx); ctx->async.fn = ldap_connect_recv_unix_conn; ctx->async.private_data = state; return result; @@ -365,7 +368,7 @@ struct composite_context *ldap_connect_send(struct ldap_connection *conn, } ctx = socket_connect_multi_send(state, conn->host, 1, &conn->port, - lp_name_resolve_order(global_loadparm), conn->event.event_ctx); + lp_name_resolve_order(conn->lp_ctx), conn->event.event_ctx); if (ctx == NULL) goto failed; ctx->async.fn = ldap_connect_recv_tcp_conn; @@ -394,7 +397,7 @@ static void ldap_connect_got_sock(struct composite_context *ctx, talloc_steal(conn, conn->sock); if (conn->ldaps) { struct socket_context *tls_socket; - char *cafile = private_path(conn->sock, global_loadparm, lp_tls_cafile(global_loadparm)); + char *cafile = private_path(conn->sock, conn->lp_ctx, lp_tls_cafile(conn->lp_ctx)); if (!cafile || !*cafile) { talloc_free(conn->sock); -- cgit From 5f4842cf65ce64bfdf577cd549565da20ca818cf Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Mon, 10 Dec 2007 18:41:19 +0100 Subject: r26376: Add context for libcli_resolve. (This used to be commit 459e1466a411d6f83b7372e248566e6e71c745fc) --- source4/libcli/ldap/ldap_client.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index 906e9c2574..6b8a7a3f28 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -35,6 +35,7 @@ #include "auth/gensec/gensec.h" #include "system/time.h" #include "param/param.h" +#include "libcli/resolve/resolve.h" /** @@ -355,7 +356,7 @@ struct composite_context *ldap_connect_send(struct ldap_connection *conn, } ctx = socket_connect_send(conn->sock, NULL, unix_addr, - 0, lp_name_resolve_order(conn->lp_ctx), conn->event.event_ctx); + 0, lp_resolve_context(conn->lp_ctx), conn->event.event_ctx); ctx->async.fn = ldap_connect_recv_unix_conn; ctx->async.private_data = state; return result; @@ -368,7 +369,7 @@ struct composite_context *ldap_connect_send(struct ldap_connection *conn, } ctx = socket_connect_multi_send(state, conn->host, 1, &conn->port, - lp_name_resolve_order(conn->lp_ctx), conn->event.event_ctx); + lp_resolve_context(conn->lp_ctx), conn->event.event_ctx); if (ctx == NULL) goto failed; ctx->async.fn = ldap_connect_recv_tcp_conn; -- cgit From 939edd0eb7c3952859afb802c8e542449a2c4031 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Tue, 15 Jan 2008 01:04:38 +0100 Subject: util: Move asn1 to lib/util to trim down the number of subsystems. (This used to be commit 44e1cfd2d0ef62e4ee541cec00581a7151d951b3) --- source4/libcli/ldap/ldap_client.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index 6b8a7a3f28..d99851ee15 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -23,7 +23,7 @@ */ #include "includes.h" -#include "libcli/util/asn_1.h" +#include "lib/util/asn1.h" #include "lib/util/dlinklist.h" #include "lib/events/events.h" #include "lib/socket/socket.h" -- cgit From afe3e8172ddaa5e4aa811faceecda4f943d6e2ef Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Wed, 2 Apr 2008 04:53:27 +0200 Subject: Install public header files again and include required prototypes. (This used to be commit 47ffbbf67435904754469544390b67d34c958343) --- source4/libcli/ldap/ldap_client.c | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index d99851ee15..296a7b11f2 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -28,6 +28,7 @@ #include "lib/events/events.h" #include "lib/socket/socket.h" #include "libcli/ldap/ldap.h" +#include "libcli/ldap/ldap_proto.h" #include "libcli/ldap/ldap_client.h" #include "libcli/composite/composite.h" #include "lib/stream/packet.h" @@ -41,7 +42,7 @@ /** create a new ldap_connection stucture. The event context is optional */ -struct ldap_connection *ldap4_new_connection(TALLOC_CTX *mem_ctx, +_PUBLIC_ struct ldap_connection *ldap4_new_connection(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx, struct event_context *ev) { @@ -293,7 +294,7 @@ struct ldap_connect_state { static void ldap_connect_recv_unix_conn(struct composite_context *ctx); static void ldap_connect_recv_tcp_conn(struct composite_context *ctx); -struct composite_context *ldap_connect_send(struct ldap_connection *conn, +_PUBLIC_ struct composite_context *ldap_connect_send(struct ldap_connection *conn, const char *url) { struct composite_context *result, *ctx; @@ -476,7 +477,7 @@ _PUBLIC_ NTSTATUS ldap_connect_recv(struct composite_context *ctx) return status; } -NTSTATUS ldap_connect(struct ldap_connection *conn, const char *url) +_PUBLIC_ NTSTATUS ldap_connect(struct ldap_connection *conn, const char *url) { struct composite_context *ctx = ldap_connect_send(conn, url); return ldap_connect_recv(ctx); @@ -484,7 +485,7 @@ NTSTATUS ldap_connect(struct ldap_connection *conn, const char *url) /* set reconnect parameters */ -void ldap_set_reconn_params(struct ldap_connection *conn, int max_retries) +_PUBLIC_ void ldap_set_reconn_params(struct ldap_connection *conn, int max_retries) { if (conn) { conn->reconnect.max_retries = max_retries; @@ -569,7 +570,7 @@ static void ldap_request_complete(struct event_context *ev, struct timed_event * /* send a ldap message - async interface */ -struct ldap_request *ldap_request_send(struct ldap_connection *conn, +_PUBLIC_ struct ldap_request *ldap_request_send(struct ldap_connection *conn, struct ldap_message *msg) { struct ldap_request *req; @@ -645,7 +646,7 @@ failed: wait for a request to complete note that this does not destroy the request */ -NTSTATUS ldap_request_wait(struct ldap_request *req) +_PUBLIC_ NTSTATUS ldap_request_wait(struct ldap_request *req) { while (req->state < LDAP_REQUEST_DONE) { if (event_loop_once(req->conn->event.event_ctx) != 0) { @@ -709,7 +710,7 @@ static const struct { /* used to setup the status code from a ldap response */ -NTSTATUS ldap_check_response(struct ldap_connection *conn, struct ldap_Result *r) +_PUBLIC_ NTSTATUS ldap_check_response(struct ldap_connection *conn, struct ldap_Result *r) { int i; const char *codename = "unknown"; @@ -742,7 +743,7 @@ NTSTATUS ldap_check_response(struct ldap_connection *conn, struct ldap_Result *r /* return error string representing the last error */ -const char *ldap_errstr(struct ldap_connection *conn, +_PUBLIC_ const char *ldap_errstr(struct ldap_connection *conn, TALLOC_CTX *mem_ctx, NTSTATUS status) { @@ -756,7 +757,7 @@ const char *ldap_errstr(struct ldap_connection *conn, /* return the Nth result message, waiting if necessary */ -NTSTATUS ldap_result_n(struct ldap_request *req, int n, struct ldap_message **msg) +_PUBLIC_ NTSTATUS ldap_result_n(struct ldap_request *req, int n, struct ldap_message **msg) { *msg = NULL; @@ -784,7 +785,7 @@ NTSTATUS ldap_result_n(struct ldap_request *req, int n, struct ldap_message **ms /* return a single result message, checking if it is of the expected LDAP type */ -NTSTATUS ldap_result_one(struct ldap_request *req, struct ldap_message **msg, int type) +_PUBLIC_ NTSTATUS ldap_result_one(struct ldap_request *req, struct ldap_message **msg, int type) { NTSTATUS status; status = ldap_result_n(req, 0, msg); @@ -802,7 +803,7 @@ NTSTATUS ldap_result_one(struct ldap_request *req, struct ldap_message **msg, in a simple ldap transaction, for single result requests that only need a status code this relies on single valued requests having the response type == request type + 1 */ -NTSTATUS ldap_transaction(struct ldap_connection *conn, struct ldap_message *msg) +_PUBLIC_ NTSTATUS ldap_transaction(struct ldap_connection *conn, struct ldap_message *msg) { struct ldap_request *req = ldap_request_send(conn, msg); struct ldap_message *res; -- cgit From 4e83011f72ba3df387512755a17760b42a7bf2f2 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Mon, 21 Apr 2008 17:58:23 -0400 Subject: Remove more event_context_init() uses from function calls within deep down the code. Make sure we pass around the event_context where we need it instead. All test but a few python ones fail. Jelmer promised to fix them. (This used to be commit 3045d391626fba169aa26be52174883e18d323e9) --- source4/libcli/ldap/ldap_client.c | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index 296a7b11f2..bca867b033 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -48,17 +48,13 @@ _PUBLIC_ struct ldap_connection *ldap4_new_connection(TALLOC_CTX *mem_ctx, { struct ldap_connection *conn; - conn = talloc_zero(mem_ctx, struct ldap_connection); - if (conn == NULL) { + if (ev == NULL) { return NULL; } - if (ev == NULL) { - ev = event_context_init(conn); - if (ev == NULL) { - talloc_free(conn); - return NULL; - } + conn = talloc_zero(mem_ctx, struct ldap_connection); + if (conn == NULL) { + return NULL; } conn->next_messageid = 1; -- cgit From 403f4f94ffec28d1c1dc910e1960531f4c14534b Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 15 Jul 2008 15:10:29 +1000 Subject: Make up a full hostname for ldapi connections. The DIGEST-MD5 SASL method requires a hostname, so provide one. Andrew Bartlett (This used to be commit edfb2ed1f22bc735af5a0c3d3ae6ab6771d28f2c) --- source4/libcli/ldap/ldap_client.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) (limited to 'source4/libcli/ldap/ldap_client.c') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index bca867b033..844238afdb 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -38,7 +38,6 @@ #include "param/param.h" #include "libcli/resolve/resolve.h" - /** create a new ldap_connection stucture. The event context is optional */ @@ -298,7 +297,7 @@ _PUBLIC_ struct composite_context *ldap_connect_send(struct ldap_connection *con char protocol[11]; int ret; - result = talloc_zero(NULL, struct composite_context); + result = talloc_zero(conn, struct composite_context); if (result == NULL) goto failed; result->state = COMPOSITE_STATE_IN_PROGRESS; result->async.fn = NULL; @@ -336,6 +335,12 @@ _PUBLIC_ struct composite_context *ldap_connect_send(struct ldap_connection *con SMB_ASSERT(sizeof(protocol)>10); SMB_ASSERT(sizeof(path)>1024); + /* LDAPI connections are to localhost, so give the local host name as the target for gensec */ + conn->host = talloc_asprintf(conn, "%s.%s", lp_netbios_name(conn->lp_ctx), lp_realm(conn->lp_ctx)); + if (composite_nomem(conn->host, state->ctx)) { + return result; + } + /* The %c specifier doesn't null terminate :-( */ ZERO_STRUCT(path); ret = sscanf(url, "%10[^:]://%1025c", protocol, path); -- cgit