1
0
mirror of https://github.com/samba-team/samba.git synced 2025-07-30 19:42:05 +03:00

ldap_server: Log access without a bind

This can be over the privileged ldapi socket, or just as the implicit anonymous access

However, do not log for setting up StartTLS, or a rootDSE search.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
This commit is contained in:
Andrew Bartlett
2017-03-03 12:53:06 +13:00
parent 9a96f901f5
commit f4a4522d1f
4 changed files with 59 additions and 2 deletions

View File

@ -24,6 +24,7 @@
#include "auth/credentials/credentials.h"
#include "auth/gensec/gensec.h"
#include "auth/gensec/gensec_internal.h" /* TODO: remove this */
#include "auth/common_auth.h"
#include "param/param.h"
#include "smbd/service_stream.h"
#include "dsdb/samdb/samdb.h"
@ -1227,6 +1228,7 @@ NTSTATUS ldapsrv_do_call(struct ldapsrv_call *call)
unsigned int i;
struct ldap_message *msg = call->request;
NTSTATUS status;
bool log = true;
/* Check for undecoded critical extensions */
for (i=0; msg->controls && msg->controls[i]; i++) {
@ -1238,6 +1240,56 @@ NTSTATUS ldapsrv_do_call(struct ldapsrv_call *call)
}
}
if (call->conn->authz_logged == false) {
/*
* We do not want to log anonymous access if the query
* is just for the rootDSE, or it is a startTLS or a
* Bind.
*
* A rootDSE search could also be done over
* CLDAP anonymously for example, so these don't
* really count.
* Essentially we want to know about
* access beyond that normally done prior to a
* bind.
*/
switch(call->request->type) {
case LDAP_TAG_BindRequest:
log = false;
break;
case LDAP_TAG_ExtendedResponse: {
struct ldap_ExtendedRequest *req = &call->request->r.ExtendedRequest;
if (strcmp(req->oid, LDB_EXTENDED_START_TLS_OID) == 0) {
log = false;
}
break;
}
case LDAP_TAG_SearchRequest: {
struct ldap_SearchRequest *req = &call->request->r.SearchRequest;
if (req->scope == LDAP_SEARCH_SCOPE_BASE) {
if (req->basedn[0] == '\0') {
log = false;
}
}
break;
}
default:
break;
}
if (log) {
log_successful_authz_event(call->conn->connection->remote_address,
call->conn->connection->local_address,
"LDAP",
"no bind",
call->conn->session_info);
call->conn->authz_logged = true;
}
}
switch(call->request->type) {
case LDAP_TAG_BindRequest:
return ldapsrv_BindRequest(call);