Context Navigation

← Previous Revision
Next Revision →
Blame
Revision Log

smbldap.c

Visit:

Last change on this file was 988, checked in by Silvan Scherrer, 9 years ago
Samba Server: update vendor to version 4.4.3
File size: 49.5 KB

Line
1	/*
2	Unix SMB/CIFS implementation.
3	LDAP protocol helper functions for SAMBA
4	Copyright (C) Jean FranÃ§ois Micouleau 1998
5	Copyright (C) Gerald Carter 2001-2003
6	Copyright (C) Shahms King 2001
7	Copyright (C) Andrew Bartlett 2002-2003
8	Copyright (C) Stefan (metze) Metzmacher 2002-2003
9
10	This program is free software; you can redistribute it and/or modify
11	it under the terms of the GNU General Public License as published by
12	the Free Software Foundation; either version 3 of the License, or
13	(at your option) any later version.
14
15	This program is distributed in the hope that it will be useful,
16	but WITHOUT ANY WARRANTY; without even the implied warranty of
17	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18	GNU General Public License for more details.
19
20	You should have received a copy of the GNU General Public License
21	along with this program. If not, see <http://www.gnu.org/licenses/>.
22
23	*/
24
25	#include "includes.h"
26	#include "smbldap.h"
27	#include "../libcli/security/security.h"
28	#include <tevent.h>
29	#include "lib/param/loadparm.h"
30
31	/* Try not to hit the up or down server forever */
32
33	#define SMBLDAP_DONT_PING_TIME 10 /* ping only all 10 seconds */
34	#define SMBLDAP_NUM_RETRIES 8 /* retry only 8 times */
35
36	#define SMBLDAP_IDLE_TIME 150 /* After 2.5 minutes disconnect */
37
38
39	/*******************************************************************
40	Search an attribute and return the first value found.
41	******************************************************************/
42
43	bool smbldap_get_single_attribute (LDAP * ldap_struct, LDAPMessage * entry,
44	const char attribute, char value,
45	int max_len)
46	{
47	char **values;
48	size_t size = 0;
49
50	if ( !attribute )
51	return False;
52
53	value[0] = '\0';
54
55	if ((values = ldap_get_values (ldap_struct, entry, attribute)) == NULL) {
56	DEBUG (10, ("smbldap_get_single_attribute: [%s] = [<does not exist>]\n", attribute));
57
58	return False;
59	}
60
61	if (!convert_string(CH_UTF8, CH_UNIX,values[0], -1, value, max_len, &size)) {
62	DEBUG(1, ("smbldap_get_single_attribute: string conversion of [%s] = [%s] failed!\n",
63	attribute, values[0]));
64	ldap_value_free(values);
65	return False;
66	}
67
68	ldap_value_free(values);
69	#ifdef DEBUG_PASSWORDS
70	DEBUG (100, ("smbldap_get_single_attribute: [%s] = [%s]\n", attribute, value));
71	#endif
72	return True;
73	}
74
75	char * smbldap_talloc_single_attribute(LDAP ldap_struct, LDAPMessage entry,
76	const char *attribute,
77	TALLOC_CTX *mem_ctx)
78	{
79	char **values;
80	char *result;
81	size_t converted_size;
82
83	if (attribute == NULL) {
84	return NULL;
85	}
86
87	values = ldap_get_values(ldap_struct, entry, attribute);
88
89	if (values == NULL) {
90	DEBUG(10, ("attribute %s does not exist\n", attribute));
91	return NULL;
92	}
93
94	if (ldap_count_values(values) != 1) {
95	DEBUG(10, ("attribute %s has %d values, expected only one\n",
96	attribute, ldap_count_values(values)));
97	ldap_value_free(values);
98	return NULL;
99	}
100
101	if (!pull_utf8_talloc(mem_ctx, &result, values[0], &converted_size)) {
102	DEBUG(10, ("pull_utf8_talloc failed\n"));
103	ldap_value_free(values);
104	return NULL;
105	}
106
107	ldap_value_free(values);
108
109	#ifdef DEBUG_PASSWORDS
110	DEBUG (100, ("smbldap_get_single_attribute: [%s] = [%s]\n",
111	attribute, result));
112	#endif
113	return result;
114	}
115
116	char * smbldap_talloc_first_attribute(LDAP ldap_struct, LDAPMessage entry,
117	const char *attribute,
118	TALLOC_CTX *mem_ctx)
119	{
120	char **values;
121	char *result;
122	size_t converted_size;
123
124	if (attribute == NULL) {
125	return NULL;
126	}
127
128	values = ldap_get_values(ldap_struct, entry, attribute);
129
130	if (values == NULL) {
131	DEBUG(10, ("attribute %s does not exist\n", attribute));
132	return NULL;
133	}
134
135	if (!pull_utf8_talloc(mem_ctx, &result, values[0], &converted_size)) {
136	DEBUG(10, ("pull_utf8_talloc failed\n"));
137	ldap_value_free(values);
138	return NULL;
139	}
140
141	ldap_value_free(values);
142
143	#ifdef DEBUG_PASSWORDS
144	DEBUG (100, ("smbldap_get_first_attribute: [%s] = [%s]\n",
145	attribute, result));
146	#endif
147	return result;
148	}
149
150	char * smbldap_talloc_smallest_attribute(LDAP ldap_struct, LDAPMessage entry,
151	const char *attribute,
152	TALLOC_CTX *mem_ctx)
153	{
154	char **values;
155	char *result;
156	size_t converted_size;
157	int i, num_values;
158
159	if (attribute == NULL) {
160	return NULL;
161	}
162
163	values = ldap_get_values(ldap_struct, entry, attribute);
164
165	if (values == NULL) {
166	DEBUG(10, ("attribute %s does not exist\n", attribute));
167	return NULL;
168	}
169
170	if (!pull_utf8_talloc(mem_ctx, &result, values[0], &converted_size)) {
171	DEBUG(10, ("pull_utf8_talloc failed\n"));
172	ldap_value_free(values);
173	return NULL;
174	}
175
176	num_values = ldap_count_values(values);
177
178	for (i=1; i<num_values; i++) {
179	char *tmp;
180
181	if (!pull_utf8_talloc(mem_ctx, &tmp, values[i],
182	&converted_size)) {
183	DEBUG(10, ("pull_utf8_talloc failed\n"));
184	TALLOC_FREE(result);
185	ldap_value_free(values);
186	return NULL;
187	}
188
189	if (strcasecmp_m(tmp, result) < 0) {
190	TALLOC_FREE(result);
191	result = tmp;
192	} else {
193	TALLOC_FREE(tmp);
194	}
195	}
196
197	ldap_value_free(values);
198
199	#ifdef DEBUG_PASSWORDS
200	DEBUG (100, ("smbldap_get_single_attribute: [%s] = [%s]\n",
201	attribute, result));
202	#endif
203	return result;
204	}
205
206	bool smbldap_talloc_single_blob(TALLOC_CTX mem_ctx, LDAP ld,
207	LDAPMessage msg, const char attrib,
208	DATA_BLOB *blob)
209	{
210	struct berval **values;
211
212	values = ldap_get_values_len(ld, msg, attrib);
213	if (!values) {
214	return false;
215	}
216
217	if (ldap_count_values_len(values) != 1) {
218	DEBUG(10, ("Expected one value for %s, got %d\n", attrib,
219	ldap_count_values_len(values)));
220	return false;
221	}
222
223	*blob = data_blob_talloc(mem_ctx, values[0]->bv_val,
224	values[0]->bv_len);
225	ldap_value_free_len(values);
226
227	return (blob->data != NULL);
228	}
229
230	bool smbldap_pull_sid(LDAP ld, LDAPMessage msg, const char *attrib,
231	struct dom_sid *sid)
232	{
233	DATA_BLOB blob;
234	bool ret;
235
236	if (!smbldap_talloc_single_blob(talloc_tos(), ld, msg, attrib,
237	&blob)) {
238	return false;
239	}
240	ret = sid_parse(blob.data, blob.length, sid);
241	TALLOC_FREE(blob.data);
242	return ret;
243	}
244
245	static int ldapmsg_destructor(LDAPMessage **result) {
246	ldap_msgfree(*result);
247	return 0;
248	}
249
250	void smbldap_talloc_autofree_ldapmsg(TALLOC_CTX mem_ctx, LDAPMessage result)
251	{
252	LDAPMessage **handle;
253
254	if (result == NULL) {
255	return;
256	}
257
258	handle = talloc(mem_ctx, LDAPMessage *);
259	SMB_ASSERT(handle != NULL);
260
261	*handle = result;
262	talloc_set_destructor(handle, ldapmsg_destructor);
263	}
264
265	static int ldapmod_destructor(LDAPMod ***mod) {
266	ldap_mods_free(*mod, True);
267	return 0;
268	}
269
270	void smbldap_talloc_autofree_ldapmod(TALLOC_CTX mem_ctx, LDAPMod *mod)
271	{
272	LDAPMod ***handle;
273
274	if (mod == NULL) {
275	return;
276	}
277
278	handle = talloc(mem_ctx, LDAPMod **);
279	SMB_ASSERT(handle != NULL);
280
281	*handle = mod;
282	talloc_set_destructor(handle, ldapmod_destructor);
283	}
284
285	/************************************************************************
286	Routine to manage the LDAPMod structure array
287	manage memory used by the array, by each struct, and values
288	***********************************************************************/
289
290	static void smbldap_set_mod_internal(LDAPMod *** modlist, int modop, const char attribute, const char value, const DATA_BLOB *blob)
291	{
292	LDAPMod **mods;
293	int i;
294	int j;
295
296	mods = *modlist;
297
298	/* sanity checks on the mod values */
299
300	if (attribute == NULL \|\| *attribute == '\0') {
301	return;
302	}
303
304	#if 0 /* commented out after discussion with abartlet. Do not re-enable.
305	left here so other do not re-add similar code --jerry */
306	if (value == NULL \|\| *value == '\0')
307	return;
308	#endif
309
310	if (mods == NULL) {
311	mods = SMB_MALLOC_P(LDAPMod *);
312	if (mods == NULL) {
313	smb_panic("smbldap_set_mod: out of memory!");
314	/* notreached. */
315	}
316	mods[0] = NULL;
317	}
318
319	for (i = 0; mods[i] != NULL; ++i) {
320	if (mods[i]->mod_op == modop && strequal(mods[i]->mod_type, attribute))
321	break;
322	}
323
324	if (mods[i] == NULL) {
325	mods = SMB_REALLOC_ARRAY (mods, LDAPMod *, i + 2);
326	if (mods == NULL) {
327	smb_panic("smbldap_set_mod: out of memory!");
328	/* notreached. */
329	}
330	mods[i] = SMB_MALLOC_P(LDAPMod);
331	if (mods[i] == NULL) {
332	smb_panic("smbldap_set_mod: out of memory!");
333	/* notreached. */
334	}
335	mods[i]->mod_op = modop;
336	mods[i]->mod_values = NULL;
337	mods[i]->mod_type = SMB_STRDUP(attribute);
338	mods[i + 1] = NULL;
339	}
340
341	if (blob && (modop & LDAP_MOD_BVALUES)) {
342	j = 0;
343	if (mods[i]->mod_bvalues != NULL) {
344	for (; mods[i]->mod_bvalues[j] != NULL; j++);
345	}
346	mods[i]->mod_bvalues = SMB_REALLOC_ARRAY(mods[i]->mod_bvalues, struct berval *, j + 2);
347
348	if (mods[i]->mod_bvalues == NULL) {
349	smb_panic("smbldap_set_mod: out of memory!");
350	/* notreached. */
351	}
352
353	mods[i]->mod_bvalues[j] = SMB_MALLOC_P(struct berval);
354	SMB_ASSERT(mods[i]->mod_bvalues[j] != NULL);
355
356	mods[i]->mod_bvalues[j]->bv_val = (char *)smb_memdup(blob->data, blob->length);
357	SMB_ASSERT(mods[i]->mod_bvalues[j]->bv_val != NULL);
358	mods[i]->mod_bvalues[j]->bv_len = blob->length;
359
360	mods[i]->mod_bvalues[j + 1] = NULL;
361	} else if (value != NULL) {
362	char *utf8_value = NULL;
363	size_t converted_size;
364
365	j = 0;
366	if (mods[i]->mod_values != NULL) {
367	for (; mods[i]->mod_values[j] != NULL; j++);
368	}
369	mods[i]->mod_values = SMB_REALLOC_ARRAY(mods[i]->mod_values, char *, j + 2);
370
371	if (mods[i]->mod_values == NULL) {
372	smb_panic("smbldap_set_mod: out of memory!");
373	/* notreached. */
374	}
375
376	if (!push_utf8_talloc(talloc_tos(), &utf8_value, value, &converted_size)) {
377	smb_panic("smbldap_set_mod: String conversion failure!");
378	/* notreached. */
379	}
380
381	mods[i]->mod_values[j] = SMB_STRDUP(utf8_value);
382	TALLOC_FREE(utf8_value);
383	SMB_ASSERT(mods[i]->mod_values[j] != NULL);
384
385	mods[i]->mod_values[j + 1] = NULL;
386	}
387	*modlist = mods;
388	}
389
390	void smbldap_set_mod (LDAPMod *** modlist, int modop, const char attribute, const char value)
391	{
392	smbldap_set_mod_internal(modlist, modop, attribute, value, NULL);
393	}
394
395	void smbldap_set_mod_blob(LDAPMod *** modlist, int modop, const char attribute, const DATA_BLOB value)
396	{
397	smbldap_set_mod_internal(modlist, modop \| LDAP_MOD_BVALUES, attribute, NULL, value);
398	}
399
400	/**********************************************************************
401	Set attribute to newval in LDAP, regardless of what value the
402	attribute had in LDAP before.
403	*********************************************************************/
404
405	static void smbldap_make_mod_internal(LDAP ldap_struct, LDAPMessage existing,
406	LDAPMod ***mods,
407	const char *attribute, int op,
408	const char *newval,
409	const DATA_BLOB *newblob)
410	{
411	char oldval[2048]; /* current largest allowed value is mungeddial */
412	bool existed;
413	DATA_BLOB oldblob = data_blob_null;
414
415	if (existing != NULL) {
416	if (op & LDAP_MOD_BVALUES) {
417	existed = smbldap_talloc_single_blob(talloc_tos(), ldap_struct, existing, attribute, &oldblob);
418	} else {
419	existed = smbldap_get_single_attribute(ldap_struct, existing, attribute, oldval, sizeof(oldval));
420	}
421	} else {
422	existed = False;
423	*oldval = '\0';
424	}
425
426	if (existed) {
427	bool equal = false;
428	if (op & LDAP_MOD_BVALUES) {
429	equal = (newblob && (data_blob_cmp(&oldblob, newblob) == 0));
430	} else {
431	/* all of our string attributes are case insensitive */
432	equal = (newval && (strcasecmp_m(oldval, newval) == 0));
433	}
434
435	if (equal) {
436	/* Believe it or not, but LDAP will deny a delete and
437	an add at the same time if the values are the
438	same... */
439	DEBUG(10,("smbldap_make_mod: attribute \|%s\| not changed.\n", attribute));
440	return;
441	}
442
443	/* There has been no value before, so don't delete it.
444	* Here's a possible race: We might end up with
445	* duplicate attributes */
446	/* By deleting exactly the value we found in the entry this
447	* should be race-free in the sense that the LDAP-Server will
448	* deny the complete operation if somebody changed the
449	* attribute behind our back. */
450	/* This will also allow modifying single valued attributes
451	* in Novell NDS. In NDS you have to first remove attribute and then
452	* you could add new value */
453
454	if (op & LDAP_MOD_BVALUES) {
455	DEBUG(10,("smbldap_make_mod: deleting attribute \|%s\| blob\n", attribute));
456	smbldap_set_mod_blob(mods, LDAP_MOD_DELETE, attribute, &oldblob);
457	} else {
458	DEBUG(10,("smbldap_make_mod: deleting attribute \|%s\| values \|%s\|\n", attribute, oldval));
459	smbldap_set_mod(mods, LDAP_MOD_DELETE, attribute, oldval);
460	}
461	}
462
463	/* Regardless of the real operation (add or modify)
464	we add the new value here. We rely on deleting
465	the old value, should it exist. */
466
467	if (op & LDAP_MOD_BVALUES) {
468	if (newblob && newblob->length) {
469	DEBUG(10,("smbldap_make_mod: adding attribute \|%s\| blob\n", attribute));
470	smbldap_set_mod_blob(mods, LDAP_MOD_ADD, attribute, newblob);
471	}
472	} else {
473	if ((newval != NULL) && (strlen(newval) > 0)) {
474	DEBUG(10,("smbldap_make_mod: adding attribute \|%s\| value \|%s\|\n", attribute, newval));
475	smbldap_set_mod(mods, LDAP_MOD_ADD, attribute, newval);
476	}
477	}
478	}
479
480	void smbldap_make_mod(LDAP ldap_struct, LDAPMessage existing,
481	LDAPMod ***mods,
482	const char attribute, const char newval)
483	{
484	smbldap_make_mod_internal(ldap_struct, existing, mods, attribute,
485	0, newval, NULL);
486	}
487
488	void smbldap_make_mod_blob(LDAP ldap_struct, LDAPMessage existing,
489	LDAPMod ***mods,
490	const char attribute, const DATA_BLOB newblob)
491	{
492	smbldap_make_mod_internal(ldap_struct, existing, mods, attribute,
493	LDAP_MOD_BVALUES, NULL, newblob);
494	}
495
496	/**********************************************************************
497	Some varients of the LDAP rebind code do not pass in the third 'arg'
498	pointer to a void*, so we try and work around it by assuming that the
499	value of the 'LDAP *' pointer is the same as the one we had passed in
500	**********************************************************************/
501
502	struct smbldap_state_lookup {
503	LDAP *ld;
504	struct smbldap_state *smbldap_state;
505	struct smbldap_state_lookup prev, next;
506	};
507
508	static struct smbldap_state_lookup *smbldap_state_lookup_list;
509
510	static struct smbldap_state smbldap_find_state(LDAP ld)
511	{
512	struct smbldap_state_lookup *t;
513
514	for (t = smbldap_state_lookup_list; t; t = t->next) {
515	if (t->ld == ld) {
516	return t->smbldap_state;
517	}
518	}
519	return NULL;
520	}
521
522	static void smbldap_delete_state(struct smbldap_state *smbldap_state)
523	{
524	struct smbldap_state_lookup *t;
525
526	for (t = smbldap_state_lookup_list; t; t = t->next) {
527	if (t->smbldap_state == smbldap_state) {
528	DLIST_REMOVE(smbldap_state_lookup_list, t);
529	SAFE_FREE(t);
530	return;
531	}
532	}
533	}
534
535	static void smbldap_store_state(LDAP ld, struct smbldap_state smbldap_state)
536	{
537	struct smbldap_state *tmp_ldap_state;
538	struct smbldap_state_lookup *t;
539
540	if ((tmp_ldap_state = smbldap_find_state(ld))) {
541	SMB_ASSERT(tmp_ldap_state == smbldap_state);
542	return;
543	}
544
545	t = SMB_XMALLOC_P(struct smbldap_state_lookup);
546	ZERO_STRUCTP(t);
547
548	DLIST_ADD_END(smbldap_state_lookup_list, t);
549	t->ld = ld;
550	t->smbldap_state = smbldap_state;
551	}
552
553	/********************************************************************
554	start TLS on an existing LDAP connection
555	*******************************************************************/
556
557	int smbldap_start_tls(LDAP *ldap_struct, int version)
558	{
559	#ifdef LDAP_OPT_X_TLS
560	int rc;
561	#endif
562
563	if (lp_ldap_ssl() != LDAP_SSL_START_TLS) {
564	return LDAP_SUCCESS;
565	}
566
567	#ifdef LDAP_OPT_X_TLS
568	if (version != LDAP_VERSION3) {
569	DEBUG(0, ("Need LDAPv3 for Start TLS\n"));
570	return LDAP_OPERATIONS_ERROR;
571	}
572
573	if ((rc = ldap_start_tls_s (ldap_struct, NULL, NULL)) != LDAP_SUCCESS) {
574	DEBUG(0,("Failed to issue the StartTLS instruction: %s\n",
575	ldap_err2string(rc)));
576	return rc;
577	}
578
579	DEBUG (3, ("StartTLS issued: using a TLS connection\n"));
580	return LDAP_SUCCESS;
581	#else
582	DEBUG(0,("StartTLS not supported by LDAP client libraries!\n"));
583	return LDAP_OPERATIONS_ERROR;
584	#endif
585	}
586
587	/********************************************************************
588	setup a connection to the LDAP server based on a uri
589	*******************************************************************/
590
591	static int smb_ldap_setup_conn(LDAP *ldap_struct, const char uri)
592	{
593	int rc;
594
595	DEBUG(10, ("smb_ldap_setup_connection: %s\n", uri));
596
597	#ifdef HAVE_LDAP_INITIALIZE
598
599	rc = ldap_initialize(ldap_struct, uri);
600	if (rc) {
601	DEBUG(0, ("ldap_initialize: %s\n", ldap_err2string(rc)));
602	return rc;
603	}
604
605	if (lp_ldap_follow_referral() != Auto) {
606	rc = ldap_set_option(*ldap_struct, LDAP_OPT_REFERRALS,
607	lp_ldap_follow_referral() ? LDAP_OPT_ON : LDAP_OPT_OFF);
608	if (rc != LDAP_SUCCESS)
609	DEBUG(0, ("Failed to set LDAP_OPT_REFERRALS: %s\n",
610	ldap_err2string(rc)));
611	}
612
613	return LDAP_SUCCESS;
614	#else
615
616	/* Parse the string manually */
617
618	{
619	int port = 0;
620	fstring protocol;
621	fstring host;
622	SMB_ASSERT(sizeof(protocol)>10 && sizeof(host)>254);
623
624
625	/* skip leading "URL:" (if any) */
626	if ( strnequal( uri, "URL:", 4 ) ) {
627	uri += 4;
628	}
629
630	sscanf(uri, "%10[^:]://%254[^:/]:%d", protocol, host, &port);
631
632	if (port == 0) {
633	if (strequal(protocol, "ldap")) {
634	port = LDAP_PORT;
635	} else if (strequal(protocol, "ldaps")) {
636	port = LDAPS_PORT;
637	} else {
638	DEBUG(0, ("unrecognised protocol (%s)!\n", protocol));
639	}
640	}
641
642	if ((*ldap_struct = ldap_init(host, port)) == NULL) {
643	DEBUG(0, ("ldap_init failed !\n"));
644	return LDAP_OPERATIONS_ERROR;
645	}
646
647	if (strequal(protocol, "ldaps")) {
648	#ifdef LDAP_OPT_X_TLS
649	int tls = LDAP_OPT_X_TLS_HARD;
650	if (ldap_set_option (*ldap_struct, LDAP_OPT_X_TLS, &tls) != LDAP_SUCCESS)
651	{
652	DEBUG(0, ("Failed to setup a TLS session\n"));
653	}
654
655	DEBUG(3,("LDAPS option set...!\n"));
656	#else
657	DEBUG(0,("smbldap_open_connection: Secure connection not supported by LDAP client libraries!\n"));
658	return LDAP_OPERATIONS_ERROR;
659	#endif /* LDAP_OPT_X_TLS */
660	}
661	}
662	#endif /* HAVE_LDAP_INITIALIZE */
663
664	/* now set connection timeout */
665	#ifdef LDAP_X_OPT_CONNECT_TIMEOUT /* Netscape */
666	{
667	int ct = lp_ldap_connection_timeout()*1000;
668	rc = ldap_set_option(*ldap_struct, LDAP_X_OPT_CONNECT_TIMEOUT, &ct);
669	if (rc != LDAP_SUCCESS) {
670	DEBUG(0,("Failed to setup an ldap connection timeout %d: %s\n",
671	ct, ldap_err2string(rc)));
672	}
673	}
674	#elif defined (LDAP_OPT_NETWORK_TIMEOUT) /* OpenLDAP */
675	{
676	struct timeval ct;
677	ct.tv_usec = 0;
678	ct.tv_sec = lp_ldap_connection_timeout();
679	rc = ldap_set_option(*ldap_struct, LDAP_OPT_NETWORK_TIMEOUT, &ct);
680	if (rc != LDAP_SUCCESS) {
681	DEBUG(0,("Failed to setup an ldap connection timeout %d: %s\n",
682	(int)ct.tv_sec, ldap_err2string(rc)));
683	}
684	}
685	#endif
686
687	return LDAP_SUCCESS;
688	}
689
690	/********************************************************************
691	try to upgrade to Version 3 LDAP if not already, in either case return current
692	version
693	*******************************************************************/
694
695	static int smb_ldap_upgrade_conn(LDAP ldap_struct, int new_version)
696	{
697	int version;
698	int rc;
699
700	/* assume the worst */
701	*new_version = LDAP_VERSION2;
702
703	rc = ldap_get_option(ldap_struct, LDAP_OPT_PROTOCOL_VERSION, &version);
704	if (rc) {
705	return rc;
706	}
707
708	if (version == LDAP_VERSION3) {
709	*new_version = LDAP_VERSION3;
710	return LDAP_SUCCESS;
711	}
712
713	/* try upgrade */
714	version = LDAP_VERSION3;
715	rc = ldap_set_option (ldap_struct, LDAP_OPT_PROTOCOL_VERSION, &version);
716	if (rc) {
717	return rc;
718	}
719
720	*new_version = LDAP_VERSION3;
721	return LDAP_SUCCESS;
722	}
723
724	/*******************************************************************
725	open a connection to the ldap server (just until the bind)
726	******************************************************************/
727
728	int smbldap_setup_full_conn(LDAP *ldap_struct, const char uri)
729	{
730	int rc, version;
731
732	rc = smb_ldap_setup_conn(ldap_struct, uri);
733	if (rc) {
734	return rc;
735	}
736
737	rc = smb_ldap_upgrade_conn(*ldap_struct, &version);
738	if (rc) {
739	return rc;
740	}
741
742	rc = smbldap_start_tls(*ldap_struct, version);
743	if (rc) {
744	return rc;
745	}
746
747	return LDAP_SUCCESS;
748	}
749
750	/*******************************************************************
751	open a connection to the ldap server.
752	******************************************************************/
753	static int smbldap_open_connection (struct smbldap_state *ldap_state)
754
755	{
756	int rc = LDAP_SUCCESS;
757	int version;
758	int deref;
759	LDAP **ldap_struct = &ldap_state->ldap_struct;
760
761	rc = smb_ldap_setup_conn(ldap_struct, ldap_state->uri);
762	if (rc) {
763	return rc;
764	}
765
766	/* Store the LDAP pointer in a lookup list */
767
768	smbldap_store_state(*ldap_struct, ldap_state);
769
770	/* Upgrade to LDAPv3 if possible */
771
772	rc = smb_ldap_upgrade_conn(*ldap_struct, &version);
773	if (rc) {
774	return rc;
775	}
776
777	/* Start TLS if required */
778
779	rc = smbldap_start_tls(*ldap_struct, version);
780	if (rc) {
781	return rc;
782	}
783
784	/* Set alias dereferencing method */
785	deref = lp_ldap_deref();
786	if (deref != -1) {
787	if (ldap_set_option (*ldap_struct, LDAP_OPT_DEREF, &deref) != LDAP_OPT_SUCCESS) {
788	DEBUG(1,("smbldap_open_connection: Failed to set dereferencing method: %d\n", deref));
789	} else {
790	DEBUG(5,("Set dereferencing method: %d\n", deref));
791	}
792	}
793
794	DEBUG(2, ("smbldap_open_connection: connection opened\n"));
795	return rc;
796	}
797
798	/*******************************************************************
799	a rebind function for authenticated referrals
800	This version takes a void* that we can shove useful stuff in :-)
801	******************************************************************/
802	#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
803	#else
804	static int rebindproc_with_state (LDAP * ld, char whop, char credp,
805	int methodp, int freeit, void arg)
806	{
807	struct smbldap_state *ldap_state = arg;
808	struct timespec ts;
809
810	/** @TODO Should we be doing something to check what servers we rebind to?
811	Could we get a referral to a machine that we don't want to give our
812	username and password to? */
813
814	if (freeit) {
815	SAFE_FREE(*whop);
816	if (*credp) {
817	memset(credp, '\0', strlen(credp));
818	}
819	SAFE_FREE(*credp);
820	} else {
821	DEBUG(5,("rebind_proc_with_state: Rebinding as \"%s\"\n",
822	ldap_state->bind_dn?ldap_state->bind_dn:"[Anonymous bind]"));
823
824	if (ldap_state->anonymous) {
825	*whop = NULL;
826	*credp = NULL;
827	} else {
828	*whop = SMB_STRDUP(ldap_state->bind_dn);
829	if (!*whop) {
830	return LDAP_NO_MEMORY;
831	}
832	*credp = SMB_STRDUP(ldap_state->bind_secret);
833	if (!*credp) {
834	SAFE_FREE(*whop);
835	return LDAP_NO_MEMORY;
836	}
837	}
838	*methodp = LDAP_AUTH_SIMPLE;
839	}
840
841	clock_gettime_mono(&ts);
842	ldap_state->last_rebind = convert_timespec_to_timeval(ts);
843
844	return 0;
845	}
846	#endif /defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)/
847
848	/*******************************************************************
849	a rebind function for authenticated referrals
850	This version takes a void* that we can shove useful stuff in :-)
851	and actually does the connection.
852	******************************************************************/
853	#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
854	static int rebindproc_connect_with_state (LDAP *ldap_struct,
855	LDAP_CONST char *url,
856	ber_tag_t request,
857	ber_int_t msgid, void *arg)
858	{
859	struct smbldap_state *ldap_state =
860	(struct smbldap_state *)arg;
861	int rc;
862	struct timespec ts;
863	int version;
864
865	DEBUG(5,("rebindproc_connect_with_state: Rebinding to %s as \"%s\"\n",
866	url, ldap_state->bind_dn?ldap_state->bind_dn:"[Anonymous bind]"));
867
868	/* call START_TLS again (ldaps:// is handled by the OpenLDAP library
869	* itself) before rebinding to another LDAP server to avoid to expose
870	* our credentials. At least try to secure the connection - Guenther */
871
872	smb_ldap_upgrade_conn(ldap_struct, &version);
873	smbldap_start_tls(ldap_struct, version);
874
875	/** @TODO Should we be doing something to check what servers we rebind to?
876	Could we get a referral to a machine that we don't want to give our
877	username and password to? */
878
879	rc = ldap_simple_bind_s(ldap_struct, ldap_state->bind_dn, ldap_state->bind_secret);
880
881	/* only set the last rebind timestamp when we did rebind after a
882	* non-read LDAP operation. That way we avoid the replication sleep
883	* after a simple redirected search operation - Guenther */
884
885	switch (request) {
886
887	case LDAP_REQ_MODIFY:
888	case LDAP_REQ_ADD:
889	case LDAP_REQ_DELETE:
890	case LDAP_REQ_MODDN:
891	case LDAP_REQ_EXTENDED:
892	DEBUG(10,("rebindproc_connect_with_state: "
893	"setting last_rebind timestamp "
894	"(req: 0x%02x)\n", (unsigned int)request));
895	clock_gettime_mono(&ts);
896	ldap_state->last_rebind = convert_timespec_to_timeval(ts);
897	break;
898	default:
899	ZERO_STRUCT(ldap_state->last_rebind);
900	break;
901	}
902
903	return rc;
904	}
905	#endif /defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)/
906
907	/*******************************************************************
908	Add a rebind function for authenticated referrals
909	******************************************************************/
910	#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
911	#else
912	# if LDAP_SET_REBIND_PROC_ARGS == 2
913	static int rebindproc (LDAP ldap_struct, char whop, char *credp,
914	int *method, int freeit )
915	{
916	struct smbldap_state *ldap_state = smbldap_find_state(ldap_struct);
917
918	return rebindproc_with_state(ldap_struct, whop, credp,
919	method, freeit, ldap_state);
920	}
921	# endif /LDAP_SET_REBIND_PROC_ARGS == 2/
922	#endif /defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)/
923
924	/*******************************************************************
925	a rebind function for authenticated referrals
926	this also does the connection, but no void*.
927	******************************************************************/
928	#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
929	# if LDAP_SET_REBIND_PROC_ARGS == 2
930	static int rebindproc_connect (LDAP * ld, LDAP_CONST char *url, int request,
931	ber_int_t msgid)
932	{
933	struct smbldap_state *ldap_state = smbldap_find_state(ld);
934
935	return rebindproc_connect_with_state(ld, url, (ber_tag_t)request, msgid,
936	ldap_state);
937	}
938	# endif /LDAP_SET_REBIND_PROC_ARGS == 2/
939	#endif /defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)/
940
941	/*******************************************************************
942	connect to the ldap server under system privilege.
943	******************************************************************/
944	static int smbldap_connect_system(struct smbldap_state *ldap_state)
945	{
946	LDAP *ldap_struct = ldap_state->ldap_struct;
947	int rc;
948	int version;
949
950	/* removed the sasl_bind_s "EXTERNAL" stuff, as my testsuite
951	(OpenLDAP) doesnt' seem to support it */
952
953	DEBUG(10,("ldap_connect_system: Binding to ldap server %s as \"%s\"\n",
954	ldap_state->uri, ldap_state->bind_dn));
955
956	#ifdef HAVE_LDAP_SET_REBIND_PROC
957	#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
958	# if LDAP_SET_REBIND_PROC_ARGS == 2
959	ldap_set_rebind_proc(ldap_struct, &rebindproc_connect);
960	# endif
961	# if LDAP_SET_REBIND_PROC_ARGS == 3
962	ldap_set_rebind_proc(ldap_struct, &rebindproc_connect_with_state, (void *)ldap_state);
963	# endif
964	#else /defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)/
965	# if LDAP_SET_REBIND_PROC_ARGS == 2
966	ldap_set_rebind_proc(ldap_struct, &rebindproc);
967	# endif
968	# if LDAP_SET_REBIND_PROC_ARGS == 3
969	ldap_set_rebind_proc(ldap_struct, &rebindproc_with_state, (void *)ldap_state);
970	# endif
971	#endif /defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)/
972	#endif
973
974	/* When there is an alternative bind callback is set,
975	attempt to use it to perform the bind */
976	if (ldap_state->bind_callback != NULL) {
977	/* We have to allow bind callback to be run under become_root/unbecome_root
978	to make sure within smbd the callback has proper write access to its resources,
979	like credential cache. This is similar to passdb case where this callback is supposed
980	to be used. When used outside smbd, become_root()/unbecome_root() are no-op.
981	*/
982	become_root();
983	rc = ldap_state->bind_callback(ldap_struct, ldap_state, ldap_state->bind_callback_data);
984	unbecome_root();
985	} else {
986	rc = ldap_simple_bind_s(ldap_struct, ldap_state->bind_dn, ldap_state->bind_secret);
987	}
988
989	if (rc != LDAP_SUCCESS) {
990	char *ld_error = NULL;
991	ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
992	&ld_error);
993	DEBUG(ldap_state->num_failures ? 2 : 0,
994	("failed to bind to server %s with dn=\"%s\" Error: %s\n\t%s\n",
995	ldap_state->uri,
996	ldap_state->bind_dn ? ldap_state->bind_dn : "[Anonymous bind]",
997	ldap_err2string(rc),
998	ld_error ? ld_error : "(unknown)"));
999	SAFE_FREE(ld_error);
1000	ldap_state->num_failures++;
1001	goto done;
1002	}
1003
1004	ldap_state->num_failures = 0;
1005	ldap_state->paged_results = False;
1006
1007	ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_PROTOCOL_VERSION, &version);
1008
1009	if (smbldap_has_control(ldap_state->ldap_struct, ADS_PAGE_CTL_OID) && version == 3) {
1010	ldap_state->paged_results = True;
1011	}
1012
1013	DEBUG(3, ("ldap_connect_system: successful connection to the LDAP server\n"));
1014	DEBUGADD(10, ("ldap_connect_system: LDAP server %s support paged results\n",
1015	ldap_state->paged_results ? "does" : "does not"));
1016	done:
1017	if (rc != 0) {
1018	ldap_unbind(ldap_struct);
1019	ldap_state->ldap_struct = NULL;
1020	}
1021	return rc;
1022	}
1023
1024	static void smbldap_idle_fn(struct tevent_context *tevent_ctx,
1025	struct tevent_timer *te,
1026	struct timeval now_abs,
1027	void *private_data);
1028
1029	/**********************************************************************
1030	Connect to LDAP server (called before every ldap operation)
1031	*********************************************************************/
1032	static int smbldap_open(struct smbldap_state *ldap_state)
1033	{
1034	int rc, opt_rc;
1035	bool reopen = False;
1036	SMB_ASSERT(ldap_state);
1037
1038	if ((ldap_state->ldap_struct != NULL) && ((ldap_state->last_ping + SMBLDAP_DONT_PING_TIME) < time_mono(NULL))) {
1039
1040	#ifdef HAVE_UNIXSOCKET
1041	struct sockaddr_un addr;
1042	#else
1043	struct sockaddr addr;
1044	#endif
1045	socklen_t len = sizeof(addr);
1046	int sd;
1047
1048	opt_rc = ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_DESC, &sd);
1049	if (opt_rc == 0 && (getpeername(sd, (struct sockaddr *) &addr, &len)) < 0 )
1050	reopen = True;
1051
1052	#ifdef HAVE_UNIXSOCKET
1053	if (opt_rc == 0 && addr.sun_family == AF_UNIX)
1054	reopen = True;
1055	#endif
1056	if (reopen) {
1057	/* the other end has died. reopen. */
1058	ldap_unbind(ldap_state->ldap_struct);
1059	ldap_state->ldap_struct = NULL;
1060	ldap_state->last_ping = (time_t)0;
1061	} else {
1062	ldap_state->last_ping = time_mono(NULL);
1063	}
1064	}
1065
1066	if (ldap_state->ldap_struct != NULL) {
1067	DEBUG(11,("smbldap_open: already connected to the LDAP server\n"));
1068	return LDAP_SUCCESS;
1069	}
1070
1071	if ((rc = smbldap_open_connection(ldap_state))) {
1072	return rc;
1073	}
1074
1075	if ((rc = smbldap_connect_system(ldap_state))) {
1076	return rc;
1077	}
1078
1079
1080	ldap_state->last_ping = time_mono(NULL);
1081	ldap_state->pid = getpid();
1082
1083	TALLOC_FREE(ldap_state->idle_event);
1084
1085	if (ldap_state->tevent_context != NULL) {
1086	ldap_state->idle_event = tevent_add_timer(
1087	ldap_state->tevent_context, ldap_state,
1088	timeval_current_ofs(SMBLDAP_IDLE_TIME, 0),
1089	smbldap_idle_fn, ldap_state);
1090	}
1091
1092	DEBUG(4,("The LDAP server is successfully connected\n"));
1093
1094	return LDAP_SUCCESS;
1095	}
1096
1097	/**********************************************************************
1098	Disconnect from LDAP server
1099	*********************************************************************/
1100	static NTSTATUS smbldap_close(struct smbldap_state *ldap_state)
1101	{
1102	if (!ldap_state)
1103	return NT_STATUS_INVALID_PARAMETER;
1104
1105	if (ldap_state->ldap_struct != NULL) {
1106	ldap_unbind(ldap_state->ldap_struct);
1107	ldap_state->ldap_struct = NULL;
1108	}
1109
1110	smbldap_delete_state(ldap_state);
1111
1112	TALLOC_FREE(ldap_state->idle_event);
1113
1114	DEBUG(5,("The connection to the LDAP server was closed\n"));
1115	/* maybe free the results here --metze */
1116
1117	return NT_STATUS_OK;
1118	}
1119
1120	static SIG_ATOMIC_T got_alarm;
1121
1122	static void gotalarm_sig(int dummy)
1123	{
1124	got_alarm = 1;
1125	}
1126
1127	static time_t calc_ldap_abs_endtime(int ldap_to)
1128	{
1129	if (ldap_to == 0) {
1130	/* No timeout - don't
1131	return a value for
1132	the alarm. */
1133	return (time_t)0;
1134	}
1135
1136	/* Make the alarm time one second beyond
1137	the timout we're setting for the
1138	remote search timeout, to allow that
1139	to fire in preference. */
1140
1141	return time_mono(NULL)+ldap_to+1;
1142	}
1143
1144	static int end_ldap_local_alarm(time_t absolute_endtime, int rc)
1145	{
1146	if (absolute_endtime) {
1147	alarm(0);
1148	CatchSignal(SIGALRM, SIG_IGN);
1149	if (got_alarm) {
1150	/* Client timeout error code. */
1151	got_alarm = 0;
1152	return LDAP_TIMEOUT;
1153	}
1154	}
1155	return rc;
1156	}
1157
1158	static void setup_ldap_local_alarm(struct smbldap_state *ldap_state, time_t absolute_endtime)
1159	{
1160	time_t now = time_mono(NULL);
1161
1162	if (absolute_endtime) {
1163	got_alarm = 0;
1164	CatchSignal(SIGALRM, gotalarm_sig);
1165	alarm(absolute_endtime - now);
1166	}
1167
1168	if (ldap_state->pid != getpid()) {
1169	smbldap_close(ldap_state);
1170	}
1171	}
1172
1173	static void get_ldap_errs(struct smbldap_state ldap_state, char pp_ld_error, int p_ld_errno)
1174	{
1175	ldap_get_option(ldap_state->ldap_struct,
1176	LDAP_OPT_ERROR_NUMBER, p_ld_errno);
1177
1178	ldap_get_option(ldap_state->ldap_struct,
1179	LDAP_OPT_ERROR_STRING, pp_ld_error);
1180	}
1181
1182	static int get_cached_ldap_connect(struct smbldap_state *ldap_state, time_t abs_endtime)
1183	{
1184	int attempts = 0;
1185
1186	while (1) {
1187	int rc;
1188	time_t now;
1189
1190	now = time_mono(NULL);
1191	ldap_state->last_use = now;
1192
1193	if (abs_endtime && now > abs_endtime) {
1194	smbldap_close(ldap_state);
1195	return LDAP_TIMEOUT;
1196	}
1197
1198	rc = smbldap_open(ldap_state);
1199
1200	if (rc == LDAP_SUCCESS) {
1201	return LDAP_SUCCESS;
1202	}
1203
1204	attempts++;
1205	DEBUG(1, ("Connection to LDAP server failed for the "
1206	"%d try!\n", attempts));
1207
1208	if (rc == LDAP_INSUFFICIENT_ACCESS) {
1209	/* The fact that we are non-root or any other
1210	* access-denied condition will not change in the next
1211	* round of trying */
1212	return rc;
1213	}
1214
1215	if (got_alarm) {
1216	smbldap_close(ldap_state);
1217	return LDAP_TIMEOUT;
1218	}
1219
1220	smb_msleep(1000);
1221
1222	if (got_alarm) {
1223	smbldap_close(ldap_state);
1224	return LDAP_TIMEOUT;
1225	}
1226	}
1227	}
1228
1229	/*********************************************************************
1230	********************************************************************/
1231
1232	static int smbldap_search_ext(struct smbldap_state *ldap_state,
1233	const char base, int scope, const char filter,
1234	const char *attrs[], int attrsonly,
1235	LDAPControl sctrls, LDAPControl cctrls,
1236	int sizelimit, LDAPMessage **res)
1237	{
1238	int rc = LDAP_SERVER_DOWN;
1239	char *utf8_filter;
1240	int to = lp_ldap_timeout();
1241	time_t abs_endtime = calc_ldap_abs_endtime(to);
1242	struct timeval timeout;
1243	struct timeval *timeout_ptr = NULL;
1244	size_t converted_size;
1245
1246	SMB_ASSERT(ldap_state);
1247
1248	DEBUG(5,("smbldap_search_ext: base => [%s], filter => [%s], "
1249	"scope => [%d]\n", base, filter, scope));
1250
1251	if (ldap_state->last_rebind.tv_sec > 0) {
1252	struct timeval tval;
1253	struct timespec ts;
1254	int64_t tdiff = 0;
1255	int sleep_time = 0;
1256
1257	clock_gettime_mono(&ts);
1258	tval = convert_timespec_to_timeval(ts);
1259
1260	tdiff = usec_time_diff(&tval, &ldap_state->last_rebind);
1261	tdiff /= 1000; /* Convert to milliseconds. */
1262
1263	sleep_time = lp_ldap_replication_sleep()-(int)tdiff;
1264	sleep_time = MIN(sleep_time, MAX_LDAP_REPLICATION_SLEEP_TIME);
1265
1266	if (sleep_time > 0) {
1267	/* we wait for the LDAP replication */
1268	DEBUG(5,("smbldap_search_ext: waiting %d milliseconds "
1269	"for LDAP replication.\n",sleep_time));
1270	smb_msleep(sleep_time);
1271	DEBUG(5,("smbldap_search_ext: go on!\n"));
1272	}
1273	ZERO_STRUCT(ldap_state->last_rebind);
1274	}
1275
1276	if (!push_utf8_talloc(talloc_tos(), &utf8_filter, filter, &converted_size)) {
1277	return LDAP_NO_MEMORY;
1278	}
1279
1280	/* Setup remote timeout for the ldap_search_ext_s call. */
1281	if (to) {
1282	timeout.tv_sec = to;
1283	timeout.tv_usec = 0;
1284	timeout_ptr = &timeout;
1285	}
1286
1287	setup_ldap_local_alarm(ldap_state, abs_endtime);
1288
1289	while (1) {
1290	char *ld_error = NULL;
1291	int ld_errno;
1292
1293	rc = get_cached_ldap_connect(ldap_state, abs_endtime);
1294	if (rc != LDAP_SUCCESS) {
1295	break;
1296	}
1297
1298	rc = ldap_search_ext_s(ldap_state->ldap_struct, base, scope,
1299	utf8_filter,
1300	discard_const_p(char *, attrs),
1301	attrsonly, sctrls, cctrls, timeout_ptr,
1302	sizelimit, res);
1303	if (rc == LDAP_SUCCESS) {
1304	break;
1305	}
1306
1307	get_ldap_errs(ldap_state, &ld_error, &ld_errno);
1308
1309	DEBUG(10, ("Failed search for base: %s, error: %d (%s) "
1310	"(%s)\n", base, ld_errno,
1311	ldap_err2string(rc),
1312	ld_error ? ld_error : "unknown"));
1313	SAFE_FREE(ld_error);
1314
1315	if (ld_errno != LDAP_SERVER_DOWN) {
1316	break;
1317	}
1318	ldap_unbind(ldap_state->ldap_struct);
1319	ldap_state->ldap_struct = NULL;
1320	}
1321
1322	TALLOC_FREE(utf8_filter);
1323	return end_ldap_local_alarm(abs_endtime, rc);
1324	}
1325
1326	int smbldap_search(struct smbldap_state *ldap_state,
1327	const char base, int scope, const char filter,
1328	const char *attrs[], int attrsonly,
1329	LDAPMessage **res)
1330	{
1331	return smbldap_search_ext(ldap_state, base, scope, filter, attrs,
1332	attrsonly, NULL, NULL, LDAP_NO_LIMIT, res);
1333	}
1334
1335	int smbldap_search_paged(struct smbldap_state *ldap_state,
1336	const char base, int scope, const char filter,
1337	const char **attrs, int attrsonly, int pagesize,
1338	LDAPMessage res, void cookie)
1339	{
1340	LDAPControl pr;
1341	LDAPControl **rcontrols;
1342	LDAPControl *controls[2] = { NULL, NULL};
1343	BerElement *cookie_be = NULL;
1344	struct berval *cookie_bv = NULL;
1345	int tmp = 0, i, rc;
1346	bool critical = True;
1347
1348	*res = NULL;
1349
1350	DEBUG(3,("smbldap_search_paged: base => [%s], filter => [%s],"
1351	"scope => [%d], pagesize => [%d]\n",
1352	base, filter, scope, pagesize));
1353
1354	cookie_be = ber_alloc_t(LBER_USE_DER);
1355	if (cookie_be == NULL) {
1356	DEBUG(0,("smbldap_create_page_control: ber_alloc_t returns "
1357	"NULL\n"));
1358	return LDAP_NO_MEMORY;
1359	}
1360
1361	/* construct cookie */
1362	if (*cookie != NULL) {
1363	ber_printf(cookie_be, "{iO}", (ber_int_t) pagesize, *cookie);
1364	ber_bvfree((struct berval )cookie); /* don't need it from last time */
1365	*cookie = NULL;
1366	} else {
1367	ber_printf(cookie_be, "{io}", (ber_int_t) pagesize, "", 0);
1368	}
1369	ber_flatten(cookie_be, &cookie_bv);
1370
1371	pr.ldctl_oid = discard_const_p(char, ADS_PAGE_CTL_OID);
1372	pr.ldctl_iscritical = (char) critical;
1373	pr.ldctl_value.bv_len = cookie_bv->bv_len;
1374	pr.ldctl_value.bv_val = cookie_bv->bv_val;
1375
1376	controls[0] = &pr;
1377	controls[1] = NULL;
1378
1379	rc = smbldap_search_ext(ldap_state, base, scope, filter, attrs,
1380	0, controls, NULL, LDAP_NO_LIMIT, res);
1381
1382	ber_free(cookie_be, 1);
1383	ber_bvfree(cookie_bv);
1384
1385	if (rc != 0) {
1386	DEBUG(3,("smbldap_search_paged: smbldap_search_ext(%s) "
1387	"failed with [%s]\n", filter, ldap_err2string(rc)));
1388	goto done;
1389	}
1390
1391	DEBUG(3,("smbldap_search_paged: search was successful\n"));
1392
1393	rc = ldap_parse_result(ldap_state->ldap_struct, *res, NULL, NULL,
1394	NULL, NULL, &rcontrols, 0);
1395	if (rc != 0) {
1396	DEBUG(3,("smbldap_search_paged: ldap_parse_result failed " \
1397	"with [%s]\n", ldap_err2string(rc)));
1398	goto done;
1399	}
1400
1401	if (rcontrols == NULL)
1402	goto done;
1403
1404	for (i=0; rcontrols[i]; i++) {
1405
1406	if (strcmp(ADS_PAGE_CTL_OID, rcontrols[i]->ldctl_oid) != 0)
1407	continue;
1408
1409	cookie_be = ber_init(&rcontrols[i]->ldctl_value);
1410	ber_scanf(cookie_be,"{iO}", &tmp, &cookie_bv);
1411	/* the berval is the cookie, but must be freed when it is all
1412	done */
1413	if (cookie_bv->bv_len)
1414	*cookie=ber_bvdup(cookie_bv);
1415	else
1416	*cookie=NULL;
1417	ber_bvfree(cookie_bv);
1418	ber_free(cookie_be, 1);
1419	break;
1420	}
1421	ldap_controls_free(rcontrols);
1422	done:
1423	return rc;
1424	}
1425
1426	int smbldap_modify(struct smbldap_state ldap_state, const char dn, LDAPMod *attrs[])
1427	{
1428	int rc = LDAP_SERVER_DOWN;
1429	char *utf8_dn;
1430	time_t abs_endtime = calc_ldap_abs_endtime(lp_ldap_timeout());
1431	size_t converted_size;
1432
1433	SMB_ASSERT(ldap_state);
1434
1435	DEBUG(5,("smbldap_modify: dn => [%s]\n", dn ));
1436
1437	if (!push_utf8_talloc(talloc_tos(), &utf8_dn, dn, &converted_size)) {
1438	return LDAP_NO_MEMORY;
1439	}
1440
1441	setup_ldap_local_alarm(ldap_state, abs_endtime);
1442
1443	while (1) {
1444	char *ld_error = NULL;
1445	int ld_errno;
1446
1447	rc = get_cached_ldap_connect(ldap_state, abs_endtime);
1448	if (rc != LDAP_SUCCESS) {
1449	break;
1450	}
1451
1452	rc = ldap_modify_s(ldap_state->ldap_struct, utf8_dn, attrs);
1453	if (rc == LDAP_SUCCESS) {
1454	break;
1455	}
1456
1457	get_ldap_errs(ldap_state, &ld_error, &ld_errno);
1458
1459	DEBUG(10, ("Failed to modify dn: %s, error: %d (%s) "
1460	"(%s)\n", dn, ld_errno,
1461	ldap_err2string(rc),
1462	ld_error ? ld_error : "unknown"));
1463	SAFE_FREE(ld_error);
1464
1465	if (ld_errno != LDAP_SERVER_DOWN) {
1466	break;
1467	}
1468	ldap_unbind(ldap_state->ldap_struct);
1469	ldap_state->ldap_struct = NULL;
1470	}
1471
1472	TALLOC_FREE(utf8_dn);
1473	return end_ldap_local_alarm(abs_endtime, rc);
1474	}
1475
1476	int smbldap_add(struct smbldap_state ldap_state, const char dn, LDAPMod *attrs[])
1477	{
1478	int rc = LDAP_SERVER_DOWN;
1479	char *utf8_dn;
1480	time_t abs_endtime = calc_ldap_abs_endtime(lp_ldap_timeout());
1481	size_t converted_size;
1482
1483	SMB_ASSERT(ldap_state);
1484
1485	DEBUG(5,("smbldap_add: dn => [%s]\n", dn ));
1486
1487	if (!push_utf8_talloc(talloc_tos(), &utf8_dn, dn, &converted_size)) {
1488	return LDAP_NO_MEMORY;
1489	}
1490
1491	setup_ldap_local_alarm(ldap_state, abs_endtime);
1492
1493	while (1) {
1494	char *ld_error = NULL;
1495	int ld_errno;
1496
1497	rc = get_cached_ldap_connect(ldap_state, abs_endtime);
1498	if (rc != LDAP_SUCCESS) {
1499	break;
1500	}
1501
1502	rc = ldap_add_s(ldap_state->ldap_struct, utf8_dn, attrs);
1503	if (rc == LDAP_SUCCESS) {
1504	break;
1505	}
1506
1507	get_ldap_errs(ldap_state, &ld_error, &ld_errno);
1508
1509	DEBUG(10, ("Failed to add dn: %s, error: %d (%s) "
1510	"(%s)\n", dn, ld_errno,
1511	ldap_err2string(rc),
1512	ld_error ? ld_error : "unknown"));
1513	SAFE_FREE(ld_error);
1514
1515	if (ld_errno != LDAP_SERVER_DOWN) {
1516	break;
1517	}
1518	ldap_unbind(ldap_state->ldap_struct);
1519	ldap_state->ldap_struct = NULL;
1520	}
1521
1522	TALLOC_FREE(utf8_dn);
1523	return end_ldap_local_alarm(abs_endtime, rc);
1524	}
1525
1526	int smbldap_delete(struct smbldap_state ldap_state, const char dn)
1527	{
1528	int rc = LDAP_SERVER_DOWN;
1529	char *utf8_dn;
1530	time_t abs_endtime = calc_ldap_abs_endtime(lp_ldap_timeout());
1531	size_t converted_size;
1532
1533	SMB_ASSERT(ldap_state);
1534
1535	DEBUG(5,("smbldap_delete: dn => [%s]\n", dn ));
1536
1537	if (!push_utf8_talloc(talloc_tos(), &utf8_dn, dn, &converted_size)) {
1538	return LDAP_NO_MEMORY;
1539	}
1540
1541	setup_ldap_local_alarm(ldap_state, abs_endtime);
1542
1543	while (1) {
1544	char *ld_error = NULL;
1545	int ld_errno;
1546
1547	rc = get_cached_ldap_connect(ldap_state, abs_endtime);
1548	if (rc != LDAP_SUCCESS) {
1549	break;
1550	}
1551
1552	rc = ldap_delete_s(ldap_state->ldap_struct, utf8_dn);
1553	if (rc == LDAP_SUCCESS) {
1554	break;
1555	}
1556
1557	get_ldap_errs(ldap_state, &ld_error, &ld_errno);
1558
1559	DEBUG(10, ("Failed to delete dn: %s, error: %d (%s) "
1560	"(%s)\n", dn, ld_errno,
1561	ldap_err2string(rc),
1562	ld_error ? ld_error : "unknown"));
1563	SAFE_FREE(ld_error);
1564
1565	if (ld_errno != LDAP_SERVER_DOWN) {
1566	break;
1567	}
1568	ldap_unbind(ldap_state->ldap_struct);
1569	ldap_state->ldap_struct = NULL;
1570	}
1571
1572	TALLOC_FREE(utf8_dn);
1573	return end_ldap_local_alarm(abs_endtime, rc);
1574	}
1575
1576	int smbldap_extended_operation(struct smbldap_state *ldap_state,
1577	LDAP_CONST char reqoid, struct berval reqdata,
1578	LDAPControl serverctrls, LDAPControl clientctrls,
1579	char retoidp, struct berval retdatap)
1580	{
1581	int rc = LDAP_SERVER_DOWN;
1582	time_t abs_endtime = calc_ldap_abs_endtime(lp_ldap_timeout());
1583
1584	if (!ldap_state)
1585	return (-1);
1586
1587	setup_ldap_local_alarm(ldap_state, abs_endtime);
1588
1589	while (1) {
1590	char *ld_error = NULL;
1591	int ld_errno;
1592
1593	rc = get_cached_ldap_connect(ldap_state, abs_endtime);
1594	if (rc != LDAP_SUCCESS) {
1595	break;
1596	}
1597
1598	rc = ldap_extended_operation_s(ldap_state->ldap_struct, reqoid,
1599	reqdata, serverctrls,
1600	clientctrls, retoidp, retdatap);
1601	if (rc == LDAP_SUCCESS) {
1602	break;
1603	}
1604
1605	get_ldap_errs(ldap_state, &ld_error, &ld_errno);
1606
1607	DEBUG(10, ("Extended operation failed with error: "
1608	"%d (%s) (%s)\n", ld_errno,
1609	ldap_err2string(rc),
1610	ld_error ? ld_error : "unknown"));
1611	SAFE_FREE(ld_error);
1612
1613	if (ld_errno != LDAP_SERVER_DOWN) {
1614	break;
1615	}
1616	ldap_unbind(ldap_state->ldap_struct);
1617	ldap_state->ldap_struct = NULL;
1618	}
1619
1620	return end_ldap_local_alarm(abs_endtime, rc);
1621	}
1622
1623	/*******************************************************************
1624	run the search by name.
1625	******************************************************************/
1626	int smbldap_search_suffix (struct smbldap_state *ldap_state,
1627	const char filter, const char *search_attr,
1628	LDAPMessage ** result)
1629	{
1630	return smbldap_search(ldap_state, lp_ldap_suffix(talloc_tos()),
1631	LDAP_SCOPE_SUBTREE,
1632	filter, search_attr, 0, result);
1633	}
1634
1635	static void smbldap_idle_fn(struct tevent_context *tevent_ctx,
1636	struct tevent_timer *te,
1637	struct timeval now_abs,
1638	void *private_data)
1639	{
1640	struct smbldap_state state = (struct smbldap_state )private_data;
1641
1642	TALLOC_FREE(state->idle_event);
1643
1644	if (state->ldap_struct == NULL) {
1645	DEBUG(10,("ldap connection not connected...\n"));
1646	return;
1647	}
1648
1649	if ((state->last_use+SMBLDAP_IDLE_TIME) > time_mono(NULL)) {
1650	DEBUG(10,("ldap connection not idle...\n"));
1651
1652	/* this needs to be made monotonic clock aware inside tevent: */
1653	state->idle_event = tevent_add_timer(
1654	tevent_ctx, state,
1655	timeval_add(&now_abs, SMBLDAP_IDLE_TIME, 0),
1656	smbldap_idle_fn,
1657	private_data);
1658	return;
1659	}
1660
1661	DEBUG(7,("ldap connection idle...closing connection\n"));
1662	smbldap_close(state);
1663	}
1664
1665	/**********************************************************************
1666	Housekeeping
1667	*********************************************************************/
1668
1669	void smbldap_free_struct(struct smbldap_state **ldap_state)
1670	{
1671	smbldap_close(*ldap_state);
1672
1673	if ((*ldap_state)->bind_secret) {
1674	memset((ldap_state)->bind_secret, '\0', strlen((ldap_state)->bind_secret));
1675	}
1676
1677	SAFE_FREE((*ldap_state)->bind_dn);
1678	SAFE_FREE((*ldap_state)->bind_secret);
1679	(*ldap_state)->bind_callback = NULL;
1680	(*ldap_state)->bind_callback_data = NULL;
1681
1682	TALLOC_FREE(*ldap_state);
1683
1684	/* No need to free any further, as it is talloc()ed */
1685	}
1686
1687	static int smbldap_state_destructor(struct smbldap_state *state)
1688	{
1689	smbldap_free_struct(&state);
1690	return 0;
1691	}
1692
1693
1694	/**********************************************************************
1695	Intitalise the 'general' ldap structures, on which ldap operations may be conducted
1696	*********************************************************************/
1697
1698	NTSTATUS smbldap_init(TALLOC_CTX mem_ctx, struct tevent_context tevent_ctx,
1699	const char *location,
1700	bool anon,
1701	const char *bind_dn,
1702	const char *bind_secret,
1703	struct smbldap_state **smbldap_state)
1704	{
1705	*smbldap_state = talloc_zero(mem_ctx, struct smbldap_state);
1706	if (!*smbldap_state) {
1707	DEBUG(0, ("talloc() failed for ldapsam private_data!\n"));
1708	return NT_STATUS_NO_MEMORY;
1709	}
1710
1711	if (location) {
1712	(*smbldap_state)->uri = talloc_strdup(mem_ctx, location);
1713	} else {
1714	(*smbldap_state)->uri = "ldap://localhost";
1715	}
1716
1717	(*smbldap_state)->tevent_context = tevent_ctx;
1718
1719	if (bind_dn && bind_secret) {
1720	smbldap_set_creds(*smbldap_state, anon, bind_dn, bind_secret);
1721	}
1722
1723	talloc_set_destructor(*smbldap_state, smbldap_state_destructor);
1724	return NT_STATUS_OK;
1725	}
1726
1727	char smbldap_talloc_dn(TALLOC_CTX mem_ctx, LDAP *ld,
1728	LDAPMessage *entry)
1729	{
1730	char utf8_dn, unix_dn;
1731	size_t converted_size;
1732
1733	utf8_dn = ldap_get_dn(ld, entry);
1734	if (!utf8_dn) {
1735	DEBUG (5, ("smbldap_talloc_dn: ldap_get_dn failed\n"));
1736	return NULL;
1737	}
1738	if (!pull_utf8_talloc(mem_ctx, &unix_dn, utf8_dn, &converted_size)) {
1739	DEBUG (0, ("smbldap_talloc_dn: String conversion failure utf8 "
1740	"[%s]\n", utf8_dn));
1741	return NULL;
1742	}
1743	ldap_memfree(utf8_dn);
1744	return unix_dn;
1745	}
1746
1747	/*******************************************************************
1748	Check if root-dse has a certain Control or Extension
1749	********************************************************************/
1750
1751	static bool smbldap_check_root_dse(LDAP ld, const char attrs, const char value)
1752	{
1753	LDAPMessage *msg = NULL;
1754	LDAPMessage *entry = NULL;
1755	char **values = NULL;
1756	int rc, num_result, num_values, i;
1757	bool result = False;
1758
1759	if (!attrs[0]) {
1760	DEBUG(3,("smbldap_check_root_dse: nothing to look for\n"));
1761	return False;
1762	}
1763
1764	if (!strequal(attrs[0], "supportedExtension") &&
1765	!strequal(attrs[0], "supportedControl") &&
1766	!strequal(attrs[0], "namingContexts")) {
1767	DEBUG(3,("smbldap_check_root_dse: no idea what to query root-dse for: %s ?\n", attrs[0]));
1768	return False;
1769	}
1770
1771	rc = ldap_search_s(ld, "", LDAP_SCOPE_BASE,
1772	"(objectclass=)", discard_const_p(char , attrs), 0 , &msg);
1773
1774	if (rc != LDAP_SUCCESS) {
1775	DEBUG(3,("smbldap_check_root_dse: Could not search rootDSE\n"));
1776	return False;
1777	}
1778
1779	num_result = ldap_count_entries(ld, msg);
1780
1781	if (num_result != 1) {
1782	DEBUG(3,("smbldap_check_root_dse: Expected one rootDSE, got %d\n", num_result));
1783	goto done;
1784	}
1785
1786	entry = ldap_first_entry(ld, msg);
1787
1788	if (entry == NULL) {
1789	DEBUG(3,("smbldap_check_root_dse: Could not retrieve rootDSE\n"));
1790	goto done;
1791	}
1792
1793	values = ldap_get_values(ld, entry, attrs[0]);
1794
1795	if (values == NULL) {
1796	DEBUG(5,("smbldap_check_root_dse: LDAP Server does not support any %s\n", attrs[0]));
1797	goto done;
1798	}
1799
1800	num_values = ldap_count_values(values);
1801
1802	if (num_values == 0) {
1803	DEBUG(5,("smbldap_check_root_dse: LDAP Server does not have any %s\n", attrs[0]));
1804	goto done;
1805	}
1806
1807	for (i=0; i<num_values; i++) {
1808	if (strcmp(values[i], value) == 0)
1809	result = True;
1810	}
1811
1812
1813	done:
1814	if (values != NULL)
1815	ldap_value_free(values);
1816	if (msg != NULL)
1817	ldap_msgfree(msg);
1818
1819	return result;
1820
1821	}
1822
1823	/*******************************************************************
1824	Check if LDAP-Server supports a certain Control (OID in string format)
1825	********************************************************************/
1826
1827	bool smbldap_has_control(LDAP ld, const char control)
1828	{
1829	const char *attrs[] = { "supportedControl", NULL };
1830	return smbldap_check_root_dse(ld, attrs, control);
1831	}
1832
1833	/*******************************************************************
1834	Check if LDAP-Server supports a certain Extension (OID in string format)
1835	********************************************************************/
1836
1837	bool smbldap_has_extension(LDAP ld, const char extension)
1838	{
1839	const char *attrs[] = { "supportedExtension", NULL };
1840	return smbldap_check_root_dse(ld, attrs, extension);
1841	}
1842
1843	/*******************************************************************
1844	Check if LDAP-Server holds a given namingContext
1845	********************************************************************/
1846
1847	bool smbldap_has_naming_context(LDAP ld, const char naming_context)
1848	{
1849	const char *attrs[] = { "namingContexts", NULL };
1850	return smbldap_check_root_dse(ld, attrs, naming_context);
1851	}
1852
1853	bool smbldap_set_creds(struct smbldap_state ldap_state, bool anon, const char dn, const char *secret)
1854	{
1855	ldap_state->anonymous = anon;
1856
1857	/* free any previously set credential */
1858
1859	SAFE_FREE(ldap_state->bind_dn);
1860	ldap_state->bind_callback = NULL;
1861	ldap_state->bind_callback_data = NULL;
1862
1863	if (ldap_state->bind_secret) {
1864	/* make sure secrets are zeroed out of memory */
1865	memset(ldap_state->bind_secret, '\0', strlen(ldap_state->bind_secret));
1866	SAFE_FREE(ldap_state->bind_secret);
1867	}
1868
1869	if ( ! anon) {
1870	ldap_state->bind_dn = SMB_STRDUP(dn);
1871	ldap_state->bind_secret = SMB_STRDUP(secret);
1872	}
1873
1874	return True;
1875	}

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: vendor/current/source3/lib/smbldap.c

Download in other formats: