/*
Unix SMB / CIFS implementation .
auth functions
Copyright ( C ) Simo Sorce 2005
Copyright ( C ) Andrew Tridgell 2005
Copyright ( C ) Andrew Bartlett 2005
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation ; either version 3 of the License , or
( at your option ) any later version .
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
# include "includes.h"
# include <tevent.h>
# include "lib/util/tevent_ntstatus.h"
# include "auth/auth.h"
# include "dsdb/samdb/samdb.h"
# undef DBGC_CLASS
# define DBGC_CLASS DBGC_AUTH
/*
 * Per-request state for an asynchronous LDAP simple bind.
 *
 * Allocated by tevent_req_create() in authenticate_ldap_simple_bind_send()
 * and used as the talloc parent for everything the request allocates.
 */
struct authenticate_ldap_simple_bind_state {
	/*
	 * Copied from the caller's using_tls argument; the completion
	 * callback uses it to pick the transport protection value that
	 * is written to the authorization log.
	 */
	bool using_tls;
	/* Created with auth_context_create() in the _send() function. */
	struct auth4_context *auth_context;
	/*
	 * Zero-allocated in _send(); carries the bind DN, the mapped NT4
	 * names and a talloc_strdup() copy of the plaintext password.
	 */
	struct auth_usersupplied_info *user_info;
	/*
	 * Filled by generate_session_info() in the completion callback
	 * and handed to the caller with talloc_move() in _recv().
	 */
	struct auth_session_info *session_info;
};
static void authenticate_ldap_simple_bind_done ( struct tevent_req * subreq ) ;
/*
 * Start an asynchronous LDAP simple bind (DN + plaintext password).
 *
 * Builds an auth context and an auth_usersupplied_info describing the
 * bind, maps the DN to an NT4 domain/user pair and then hands off to
 * auth_check_password_send(). The result is collected with
 * authenticate_ldap_simple_bind_recv().
 *
 * mem_ctx        talloc parent for the returned request
 * ev             event context the request runs on
 * msg, lp_ctx    passed to auth_context_create() and to the failure log
 * remote_address / local_address
 *                stored by reference in user_info (not copied)
 * using_tls      recorded in the state and in auth_description
 * dn             bind name; stored by reference as client.account_name
 *                and passed to crack_auto_name_to_nt4_name()
 * password       plaintext password; duplicated onto user_info
 *
 * Returns NULL only when tevent_req_create() fails. Every later failure
 * is reported through the request, which is then returned already
 * posted via tevent_req_post().
 *
 * NOTE(review): dn and both addresses are kept as borrowed pointers for
 * the lifetime of the request; presumably the caller keeps them valid
 * until _recv() - confirm against the caller.
 */
_PUBLIC_ struct tevent_req *authenticate_ldap_simple_bind_send(TALLOC_CTX *mem_ctx,
					struct tevent_context *ev,
					struct imessaging_context *msg,
					struct loadparm_context *lp_ctx,
					struct tsocket_address *remote_address,
					struct tsocket_address *local_address,
					bool using_tls,
					const char *dn,
					const char *password)
{
	struct tevent_req *req = NULL;
	struct tevent_req *subreq = NULL;
	struct authenticate_ldap_simple_bind_state *state = NULL;
	struct auth_usersupplied_info *info = NULL;
	const char *mapped_domain = NULL;
	const char *mapped_account = NULL;
	NTSTATUS status;

	req = tevent_req_create(mem_ctx, &state,
				struct authenticate_ldap_simple_bind_state);
	if (req == NULL) {
		return NULL;
	}
	state->using_tls = using_tls;

	status = auth_context_create(state, ev, msg, lp_ctx,
				     &state->auth_context);
	if (tevent_req_nterror(req, status)) {
		return tevent_req_post(req, ev);
	}

	info = talloc_zero(state, struct auth_usersupplied_info);
	if (tevent_req_nomem(info, req)) {
		return tevent_req_post(req, ev);
	}
	state->user_info = info;

	/*
	 * Describe who is binding and from where. There is no
	 * client.domain_name for a simple bind; the DN is the account
	 * name. info->mapped.* is filled in once the DN has been cracked.
	 */
	info->client.account_name = dn;
	info->workstation_name = NULL;
	info->remote_host = remote_address;
	info->local_host = local_address;

	/*
	 * These two strings are attached to user_info, which is what the
	 * failure path below passes to log_authentication_event(). The
	 * "/TLS" suffix is the only record here of whether the caller
	 * reported a TLS-protected connection for this cleartext bind.
	 */
	info->service_description = "LDAP";
	info->auth_description = using_tls ? "simple bind/TLS" : "simple bind";

	/*
	 * The password is copied so the request owns it.
	 * NOTE(review): the cleartext copy stays allocated under
	 * user_info until the request state is freed and nothing in this
	 * function scrubs it - confirm whether it should be wiped on free.
	 */
	info->password_state = AUTH_PASSWORD_PLAIN;
	info->password.plaintext = talloc_strdup(info, password);
	if (tevent_req_nomem(info->password.plaintext, req)) {
		return tevent_req_post(req, ev);
	}

	info->flags = USER_INFO_CASE_INSENSITIVE_USERNAME |
		      USER_INFO_DONT_CHECK_UNIX_ACCOUNT;

	/*
	 * NOTE(review): going by the flag names, server and workstation
	 * trust accounts are accepted for simple binds and a cleartext
	 * password is declared as both allowed and supplied - confirm
	 * this matches the intended LDAP bind policy.
	 */
	info->logon_parameters =
		MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT |
		MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT |
		MSV1_0_CLEARTEXT_PASSWORD_ALLOWED |
		MSV1_0_CLEARTEXT_PASSWORD_SUPPLIED;

	status = crack_auto_name_to_nt4_name(state,
					     state->auth_context->sam_ctx,
					     dn,
					     &mapped_domain,
					     &mapped_account);
	if (!NT_STATUS_IS_OK(status)) {
		/*
		 * The password check is never reached when the name
		 * cannot be mapped, so the failed attempt is logged
		 * here, before the request is failed below.
		 */
		log_authentication_event(msg, lp_ctx,
					 &state->auth_context->start_time,
					 info, status,
					 NULL, NULL, NULL);
	}
	if (tevent_req_nterror(req, status)) {
		return tevent_req_post(req, ev);
	}

	info->mapped.account_name = mapped_account;
	info->mapped.domain_name = mapped_domain;
	info->mapped_state = true;

	subreq = auth_check_password_send(state, ev,
					  state->auth_context,
					  state->user_info);
	if (tevent_req_nomem(subreq, req)) {
		return tevent_req_post(req, ev);
	}
	tevent_req_set_callback(subreq, authenticate_ldap_simple_bind_done, req);

	return req;
}
/*
 * Completion callback for the password check started in
 * authenticate_ldap_simple_bind_send().
 *
 * Collects the auth_check_password result, builds the session info on
 * the request state and writes the successful-authorization log entry
 * before marking the request done. Any failure is set on the request
 * and ends the callback early, so the success log is only reached
 * after both the password check and generate_session_info() succeeded.
 *
 * NOTE(review): a failing auth_check_password_recv() is not logged in
 * this function; presumably the auth stack logs it - confirm.
 */
static void authenticate_ldap_simple_bind_done(struct tevent_req *subreq)
{
	struct tevent_req *req =
		tevent_req_callback_data(subreq,
		struct tevent_req);
	struct authenticate_ldap_simple_bind_state *state =
		tevent_req_data(req,
		struct authenticate_ldap_simple_bind_state);
	struct auth4_context *auth_context = state->auth_context;
	struct auth_usersupplied_info *user_info = state->user_info;
	/* Captured before the subrequest result is collected. */
	const char *mapped_account = user_info->mapped.account_name;
	const struct tsocket_address *remote = user_info->remote_host;
	const struct tsocket_address *local = user_info->local_host;
	/* Reflects what the caller of _send() reported via using_tls. */
	const char *protection = state->using_tls
		? AUTHZ_TRANSPORT_PROTECTION_TLS
		: AUTHZ_TRANSPORT_PROTECTION_NONE;
	struct auth_user_info_dc *user_info_dc = NULL;
	/* Required by auth_check_password_recv(); not used afterwards. */
	uint8_t authoritative = 1;
	uint32_t session_flags = AUTH_SESSION_INFO_DEFAULT_GROUPS;
	NTSTATUS nt_status;

	nt_status = auth_check_password_recv(subreq, state,
					     &user_info_dc,
					     &authoritative);
	TALLOC_FREE(subreq);
	if (tevent_req_nterror(req, nt_status)) {
		return;
	}

	/*
	 * The AUTHENTICATED flag is only requested when the auth stack
	 * marked the resulting user as authenticated.
	 */
	if (user_info_dc->info->authenticated) {
		session_flags |= AUTH_SESSION_INFO_AUTHENTICATED;
	}

	nt_status = auth_context->generate_session_info(auth_context,
							state,
							user_info_dc,
							mapped_account,
							session_flags,
							&state->session_info);
	if (tevent_req_nterror(req, nt_status)) {
		return;
	}

	/*
	 * The auth type is always logged as "simple bind"; whether TLS
	 * was in use is carried by the transport protection argument.
	 */
	log_successful_authz_event(auth_context->msg_ctx,
				   auth_context->lp_ctx,
				   remote,
				   local,
				   "LDAP",
				   "simple bind",
				   protection,
				   state->session_info);

	tevent_req_done(req);
}
/*
 * Collect the result of authenticate_ldap_simple_bind_send().
 *
 * req           the request returned by _send()
 * mem_ctx       talloc context that takes ownership of the session info
 * session_info  out: set to NULL on failure, otherwise the session info
 *               built by the completion callback, moved onto mem_ctx
 *
 * Returns the error recorded on the request, or NT_STATUS_OK.
 * tevent_req_received() is called on both paths, so the session info is
 * moved out of the state before that call.
 */
_PUBLIC_ NTSTATUS authenticate_ldap_simple_bind_recv(struct tevent_req *req,
					TALLOC_CTX *mem_ctx,
					struct auth_session_info **session_info)
{
	struct authenticate_ldap_simple_bind_state *state =
		tevent_req_data(req,
		struct authenticate_ldap_simple_bind_state);
	NTSTATUS status;

	/* Never hand back a stale pointer on the error path. */
	*session_info = NULL;

	if (!tevent_req_is_nterror(req, &status)) {
		*session_info = talloc_move(mem_ctx, &state->session_info);
		status = NT_STATUS_OK;
	}

	tevent_req_received(req);
	return status;
}