2
Unix SMB/CIFS implementation.
6
Copyright (C) Andrew Tridgell 2005
8
This program is free software; you can redistribute it and/or modify
9
it under the terms of the GNU General Public License as published by
10
the Free Software Foundation; either version 3 of the License, or
11
(at your option) any later version.
13
This program is distributed in the hope that it will be useful,
14
but WITHOUT ANY WARRANTY; without even the implied warranty of
15
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16
GNU General Public License for more details.
18
You should have received a copy of the GNU General Public License
19
along with this program. If not, see <http://www.gnu.org/licenses/>.
23
see RFC1798 for details of CLDAP
26
- carried over UDP on port 389
27
- request and response matched by message ID
28
- request consists of only a single searchRequest element
29
- response can be in one of two forms
30
- a single searchResponse, followed by a searchResult
31
- a single searchResult
35
#include "lib/events/events.h"
36
#include "../lib/util/dlinklist.h"
37
#include "libcli/ldap/ldap.h"
38
#include "libcli/ldap/ldap_ndr.h"
39
#include "libcli/cldap/cldap.h"
40
#include "lib/socket/socket.h"
41
#include "libcli/security/security.h"
42
#include "librpc/gen_ndr/ndr_nbt.h"
45
destroy a pending request
47
static int cldap_request_destructor(struct cldap_request *req)
49
if (req->state == CLDAP_REQUEST_SEND) {
50
DLIST_REMOVE(req->cldap->send_queue, req);
52
if (!req->is_reply && req->message_id != 0) {
53
idr_remove(req->cldap->idr, req->message_id);
60
handle recv events on a cldap socket
62
static void cldap_socket_recv(struct cldap_socket *cldap)
64
TALLOC_CTX *tmp_ctx = talloc_new(cldap);
66
struct socket_address *src;
69
struct asn1_data *asn1 = asn1_init(tmp_ctx);
70
struct ldap_message *ldap_msg;
71
struct cldap_request *req;
75
status = socket_pending(cldap->sock, &dsize);
76
if (!NT_STATUS_IS_OK(status)) {
81
blob = data_blob_talloc(tmp_ctx, NULL, dsize);
82
if (blob.data == NULL) {
87
status = socket_recvfrom(cldap->sock, blob.data, blob.length, &nread,
89
if (!NT_STATUS_IS_OK(status)) {
95
DEBUG(2,("Received cldap packet of length %d from %s:%d\n",
96
(int)blob.length, src->addr, src->port));
98
if (!asn1_load(asn1, blob)) {
99
DEBUG(2,("Failed to setup for asn.1 decode\n"));
100
talloc_free(tmp_ctx);
104
ldap_msg = talloc(tmp_ctx, struct ldap_message);
105
if (ldap_msg == NULL) {
106
talloc_free(tmp_ctx);
110
/* this initial decode is used to find the message id */
111
status = ldap_decode(asn1, NULL, ldap_msg);
112
if (!NT_STATUS_IS_OK(status)) {
113
DEBUG(2,("Failed to decode ldap message: %s\n", nt_errstr(status)));
114
talloc_free(tmp_ctx);
118
/* find the pending request */
119
req = idr_find(cldap->idr, ldap_msg->messageid);
121
if (cldap->incoming.handler) {
122
cldap->incoming.handler(cldap, ldap_msg, src);
124
DEBUG(2,("Mismatched cldap reply %u from %s:%d\n",
125
ldap_msg->messageid, src->addr, src->port));
127
talloc_free(tmp_ctx);
131
req->asn1 = talloc_steal(req, asn1);
134
req->state = CLDAP_REQUEST_DONE;
135
talloc_free(req->te);
137
talloc_free(tmp_ctx);
145
handle request timeouts
147
static void cldap_request_timeout(struct tevent_context *event_ctx,
148
struct tevent_timer *te, struct timeval t,
151
struct cldap_request *req = talloc_get_type(private_data, struct cldap_request);
153
/* possibly try again */
154
if (req->num_retries != 0) {
155
size_t len = req->encoded.length;
159
socket_sendto(req->cldap->sock, &req->encoded, &len,
162
req->te = event_add_timed(req->cldap->event_ctx, req,
163
timeval_current_ofs(req->timeout, 0),
164
cldap_request_timeout, req);
168
req->state = CLDAP_REQUEST_ERROR;
169
req->status = NT_STATUS_IO_TIMEOUT;
176
handle send events on a cldap socket
178
static void cldap_socket_send(struct cldap_socket *cldap)
180
struct cldap_request *req;
183
while ((req = cldap->send_queue)) {
186
len = req->encoded.length;
187
status = socket_sendto(cldap->sock, &req->encoded, &len,
189
if (NT_STATUS_IS_ERR(status)) {
190
DEBUG(0,("Failed to send cldap request of length %u to %s:%d\n",
191
(unsigned)req->encoded.length, req->dest->addr, req->dest->port));
192
DLIST_REMOVE(cldap->send_queue, req);
193
req->state = CLDAP_REQUEST_ERROR;
194
req->status = status;
201
if (!NT_STATUS_IS_OK(status)) return;
203
DLIST_REMOVE(cldap->send_queue, req);
208
req->state = CLDAP_REQUEST_WAIT;
210
req->te = event_add_timed(cldap->event_ctx, req,
211
timeval_current_ofs(req->timeout, 0),
212
cldap_request_timeout, req);
214
EVENT_FD_READABLE(cldap->fde);
218
EVENT_FD_NOT_WRITEABLE(cldap->fde);
224
handle fd events on a cldap_socket
226
static void cldap_socket_handler(struct tevent_context *ev, struct tevent_fd *fde,
227
uint16_t flags, void *private_data)
229
struct cldap_socket *cldap = talloc_get_type(private_data, struct cldap_socket);
230
if (flags & EVENT_FD_WRITE) {
231
cldap_socket_send(cldap);
233
if (flags & EVENT_FD_READ) {
234
cldap_socket_recv(cldap);
239
initialise a cldap_socket. The event_ctx is optional, if provided
240
then operations will use that event context
242
struct cldap_socket *cldap_socket_init(TALLOC_CTX *mem_ctx,
243
struct tevent_context *event_ctx,
244
struct smb_iconv_convenience *iconv_convenience)
246
struct cldap_socket *cldap;
249
cldap = talloc(mem_ctx, struct cldap_socket);
250
if (cldap == NULL) goto failed;
252
cldap->event_ctx = talloc_reference(cldap, event_ctx);
253
if (cldap->event_ctx == NULL) goto failed;
255
cldap->idr = idr_init(cldap);
256
if (cldap->idr == NULL) goto failed;
258
status = socket_create("ip", SOCKET_TYPE_DGRAM, &cldap->sock, 0);
259
if (!NT_STATUS_IS_OK(status)) goto failed;
261
talloc_steal(cldap, cldap->sock);
263
cldap->fde = event_add_fd(cldap->event_ctx, cldap,
264
socket_get_fd(cldap->sock), 0,
265
cldap_socket_handler, cldap);
267
cldap->send_queue = NULL;
268
cldap->incoming.handler = NULL;
269
cldap->iconv_convenience = iconv_convenience;
280
setup a handler for incoming requests
282
NTSTATUS cldap_set_incoming_handler(struct cldap_socket *cldap,
283
void (*handler)(struct cldap_socket *, struct ldap_message *,
284
struct socket_address *),
287
cldap->incoming.handler = handler;
288
cldap->incoming.private_data = private_data;
289
EVENT_FD_READABLE(cldap->fde);
294
queue a cldap request for send
296
struct cldap_request *cldap_search_send(struct cldap_socket *cldap,
297
struct cldap_search *io)
299
struct ldap_message *msg;
300
struct cldap_request *req;
301
struct ldap_SearchRequest *search;
303
req = talloc_zero(cldap, struct cldap_request);
304
if (req == NULL) goto failed;
307
req->state = CLDAP_REQUEST_SEND;
308
req->timeout = io->in.timeout;
309
req->num_retries = io->in.retries;
310
req->is_reply = false;
311
req->asn1 = asn1_init(req);
316
req->dest = socket_address_from_strings(req, cldap->sock->backend_name,
319
if (!req->dest) goto failed;
321
req->message_id = idr_get_new_random(cldap->idr, req, UINT16_MAX);
322
if (req->message_id == -1) goto failed;
324
talloc_set_destructor(req, cldap_request_destructor);
326
msg = talloc(req, struct ldap_message);
327
if (msg == NULL) goto failed;
328
msg->messageid = req->message_id;
329
msg->type = LDAP_TAG_SearchRequest;
330
msg->controls = NULL;
331
search = &msg->r.SearchRequest;
334
search->scope = LDAP_SEARCH_SCOPE_BASE;
335
search->deref = LDAP_DEREFERENCE_NEVER;
336
search->timelimit = 0;
337
search->sizelimit = 0;
338
search->attributesonly = false;
339
search->num_attributes = str_list_length(io->in.attributes);
340
search->attributes = io->in.attributes;
341
search->tree = ldb_parse_tree(req, io->in.filter);
342
if (search->tree == NULL) {
346
if (!ldap_encode(msg, NULL, &req->encoded, req)) {
347
DEBUG(0,("Failed to encode cldap message to %s:%d\n",
348
req->dest->addr, req->dest->port));
352
DLIST_ADD_END(cldap->send_queue, req, struct cldap_request *);
354
EVENT_FD_WRITEABLE(cldap->fde);
365
queue a cldap reply for send
367
NTSTATUS cldap_reply_send(struct cldap_socket *cldap, struct cldap_reply *io)
369
struct ldap_message *msg;
370
struct cldap_request *req;
371
DATA_BLOB blob1, blob2;
372
NTSTATUS status = NT_STATUS_NO_MEMORY;
374
req = talloc_zero(cldap, struct cldap_request);
375
if (req == NULL) goto failed;
378
req->state = CLDAP_REQUEST_SEND;
379
req->is_reply = true;
380
req->asn1 = asn1_init(req);
385
req->dest = io->dest;
386
if (talloc_reference(req, io->dest) == NULL) goto failed;
388
talloc_set_destructor(req, cldap_request_destructor);
390
msg = talloc(req, struct ldap_message);
391
if (msg == NULL) goto failed;
392
msg->messageid = io->messageid;
393
msg->controls = NULL;
396
msg->type = LDAP_TAG_SearchResultEntry;
397
msg->r.SearchResultEntry = *io->response;
399
if (!ldap_encode(msg, NULL, &blob1, req)) {
400
DEBUG(0,("Failed to encode cldap message to %s:%d\n",
401
req->dest->addr, req->dest->port));
402
status = NT_STATUS_INVALID_PARAMETER;
406
blob1 = data_blob(NULL, 0);
409
msg->type = LDAP_TAG_SearchResultDone;
410
msg->r.SearchResultDone = *io->result;
412
if (!ldap_encode(msg, NULL, &blob2, req)) {
413
DEBUG(0,("Failed to encode cldap message to %s:%d\n",
414
req->dest->addr, req->dest->port));
415
status = NT_STATUS_INVALID_PARAMETER;
419
req->encoded = data_blob_talloc(req, NULL, blob1.length + blob2.length);
420
if (req->encoded.data == NULL) goto failed;
422
memcpy(req->encoded.data, blob1.data, blob1.length);
423
memcpy(req->encoded.data+blob1.length, blob2.data, blob2.length);
425
DLIST_ADD_END(cldap->send_queue, req, struct cldap_request *);
427
EVENT_FD_WRITEABLE(cldap->fde);
437
receive a cldap reply
439
NTSTATUS cldap_search_recv(struct cldap_request *req,
441
struct cldap_search *io)
443
struct ldap_message *ldap_msg;
447
return NT_STATUS_NO_MEMORY;
450
while (req->state < CLDAP_REQUEST_DONE) {
451
if (event_loop_once(req->cldap->event_ctx) != 0) {
453
return NT_STATUS_UNEXPECTED_NETWORK_ERROR;
457
if (req->state == CLDAP_REQUEST_ERROR) {
458
status = req->status;
463
ldap_msg = talloc(mem_ctx, struct ldap_message);
464
NT_STATUS_HAVE_NO_MEMORY(ldap_msg);
466
status = ldap_decode(req->asn1, NULL, ldap_msg);
467
if (!NT_STATUS_IS_OK(status)) {
468
DEBUG(2,("Failed to decode cldap search reply: %s\n", nt_errstr(status)));
473
ZERO_STRUCT(io->out);
475
/* the first possible form has a search result in first place */
476
if (ldap_msg->type == LDAP_TAG_SearchResultEntry) {
477
io->out.response = talloc(mem_ctx, struct ldap_SearchResEntry);
478
NT_STATUS_HAVE_NO_MEMORY(io->out.response);
479
*io->out.response = ldap_msg->r.SearchResultEntry;
481
/* decode the 2nd part */
482
status = ldap_decode(req->asn1, NULL, ldap_msg);
483
if (!NT_STATUS_IS_OK(status)) {
484
DEBUG(2,("Failed to decode cldap search result entry: %s\n", nt_errstr(status)));
490
if (ldap_msg->type != LDAP_TAG_SearchResultDone) {
492
return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR);
495
io->out.result = talloc(mem_ctx, struct ldap_Result);
496
NT_STATUS_HAVE_NO_MEMORY(io->out.result);
497
*io->out.result = ldap_msg->r.SearchResultDone;
501
if (io->out.result->resultcode != LDAP_SUCCESS) {
502
return NT_STATUS_LDAP(io->out.result->resultcode);
509
synchronous cldap search
511
NTSTATUS cldap_search(struct cldap_socket *cldap,
513
struct cldap_search *io)
515
struct cldap_request *req = cldap_search_send(cldap, io);
516
return cldap_search_recv(req, mem_ctx, io);
522
queue a cldap netlogon for send
524
struct cldap_request *cldap_netlogon_send(struct cldap_socket *cldap,
525
struct cldap_netlogon *io)
527
struct cldap_search search;
529
struct cldap_request *req;
530
const char *attr[] = { "NetLogon", NULL };
531
TALLOC_CTX *tmp_ctx = talloc_new(cldap);
533
filter = talloc_asprintf(tmp_ctx, "(&(NtVer=%s)",
534
ldap_encode_ndr_uint32(tmp_ctx, io->in.version));
535
if (filter == NULL) goto failed;
537
filter = talloc_asprintf_append_buffer(filter, "(User=%s)", io->in.user);
538
if (filter == NULL) goto failed;
541
filter = talloc_asprintf_append_buffer(filter, "(Host=%s)", io->in.host);
542
if (filter == NULL) goto failed;
545
filter = talloc_asprintf_append_buffer(filter, "(DnsDomain=%s)", io->in.realm);
546
if (filter == NULL) goto failed;
548
if (io->in.acct_control != -1) {
549
filter = talloc_asprintf_append_buffer(filter, "(AAC=%s)",
550
ldap_encode_ndr_uint32(tmp_ctx, io->in.acct_control));
551
if (filter == NULL) goto failed;
553
if (io->in.domain_sid) {
554
struct dom_sid *sid = dom_sid_parse_talloc(tmp_ctx, io->in.domain_sid);
555
if (sid == NULL) goto failed;
556
filter = talloc_asprintf_append_buffer(filter, "(domainSid=%s)",
557
ldap_encode_ndr_dom_sid(tmp_ctx, sid));
558
if (filter == NULL) goto failed;
560
if (io->in.domain_guid) {
563
status = GUID_from_string(io->in.domain_guid, &guid);
564
if (!NT_STATUS_IS_OK(status)) goto failed;
565
filter = talloc_asprintf_append_buffer(filter, "(DomainGuid=%s)",
566
ldap_encode_ndr_GUID(tmp_ctx, &guid));
567
if (filter == NULL) goto failed;
569
filter = talloc_asprintf_append_buffer(filter, ")");
570
if (filter == NULL) goto failed;
572
search.in.dest_address = io->in.dest_address;
573
search.in.dest_port = io->in.dest_port;
574
search.in.filter = filter;
575
search.in.attributes = attr;
576
search.in.timeout = 2;
577
search.in.retries = 2;
579
req = cldap_search_send(cldap, &search);
581
talloc_free(tmp_ctx);
584
talloc_free(tmp_ctx);
590
receive a cldap netlogon reply
592
NTSTATUS cldap_netlogon_recv(struct cldap_request *req,
594
struct cldap_netlogon *io)
597
struct cldap_search search;
598
struct cldap_socket *cldap;
603
status = cldap_search_recv(req, mem_ctx, &search);
604
if (!NT_STATUS_IS_OK(status)) {
607
if (search.out.response == NULL) {
608
return NT_STATUS_NOT_FOUND;
611
if (search.out.response->num_attributes != 1 ||
612
strcasecmp(search.out.response->attributes[0].name, "netlogon") != 0 ||
613
search.out.response->attributes[0].num_values != 1 ||
614
search.out.response->attributes[0].values->length < 2) {
615
return NT_STATUS_UNEXPECTED_NETWORK_ERROR;
617
data = search.out.response->attributes[0].values;
619
status = pull_netlogon_samlogon_response(data, mem_ctx, req->cldap->iconv_convenience,
621
if (!NT_STATUS_IS_OK(status)) {
625
if (io->in.map_response) {
626
map_netlogon_samlogon_response(&io->out.netlogon);
632
sync cldap netlogon search
634
NTSTATUS cldap_netlogon(struct cldap_socket *cldap,
635
TALLOC_CTX *mem_ctx, struct cldap_netlogon *io)
637
struct cldap_request *req = cldap_netlogon_send(cldap, io);
638
return cldap_netlogon_recv(req, mem_ctx, io);
643
send an empty reply (used on any error, so the client doesn't keep waiting
644
or send the bad request again)
646
NTSTATUS cldap_empty_reply(struct cldap_socket *cldap,
648
struct socket_address *src)
651
struct cldap_reply reply;
652
struct ldap_Result result;
654
reply.messageid = message_id;
656
reply.response = NULL;
657
reply.result = &result;
661
status = cldap_reply_send(cldap, &reply);
667
send an error reply (used on any error, so the client doesn't keep waiting
668
or send the bad request again)
670
NTSTATUS cldap_error_reply(struct cldap_socket *cldap,
672
struct socket_address *src,
674
const char *errormessage)
677
struct cldap_reply reply;
678
struct ldap_Result result;
680
reply.messageid = message_id;
682
reply.response = NULL;
683
reply.result = &result;
686
result.resultcode = resultcode;
687
result.errormessage = errormessage;
689
status = cldap_reply_send(cldap, &reply);
696
send a netlogon reply
698
NTSTATUS cldap_netlogon_reply(struct cldap_socket *cldap,
700
struct socket_address *src,
702
struct netlogon_samlogon_response *netlogon)
705
struct cldap_reply reply;
706
struct ldap_SearchResEntry response;
707
struct ldap_Result result;
708
TALLOC_CTX *tmp_ctx = talloc_new(cldap);
711
status = push_netlogon_samlogon_response(&blob, tmp_ctx, cldap->iconv_convenience,
713
if (!NT_STATUS_IS_OK(status)) {
716
reply.messageid = message_id;
718
reply.response = &response;
719
reply.result = &result;
724
response.num_attributes = 1;
725
response.attributes = talloc(tmp_ctx, struct ldb_message_element);
726
NT_STATUS_HAVE_NO_MEMORY(response.attributes);
727
response.attributes->name = "netlogon";
728
response.attributes->num_values = 1;
729
response.attributes->values = &blob;
731
status = cldap_reply_send(cldap, &reply);
733
talloc_free(tmp_ctx);