ldap_server: Log access without a bind
This can be over the privileged ldapi socket, or just as the implicit anonymous access. However, do not log for setting up StartTLS, or a rootDSE search. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz> Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
This commit is contained in:
parent
9a96f901f5
commit
f4a4522d1f
@ -24,6 +24,7 @@
|
|||||||
#include "auth/credentials/credentials.h"
|
#include "auth/credentials/credentials.h"
|
||||||
#include "auth/gensec/gensec.h"
|
#include "auth/gensec/gensec.h"
|
||||||
#include "auth/gensec/gensec_internal.h" /* TODO: remove this */
|
#include "auth/gensec/gensec_internal.h" /* TODO: remove this */
|
||||||
|
#include "auth/common_auth.h"
|
||||||
#include "param/param.h"
|
#include "param/param.h"
|
||||||
#include "smbd/service_stream.h"
|
#include "smbd/service_stream.h"
|
||||||
#include "dsdb/samdb/samdb.h"
|
#include "dsdb/samdb/samdb.h"
|
||||||
@ -1227,6 +1228,7 @@ NTSTATUS ldapsrv_do_call(struct ldapsrv_call *call)
|
|||||||
unsigned int i;
|
unsigned int i;
|
||||||
struct ldap_message *msg = call->request;
|
struct ldap_message *msg = call->request;
|
||||||
NTSTATUS status;
|
NTSTATUS status;
|
||||||
|
bool log = true;
|
||||||
|
|
||||||
/* Check for undecoded critical extensions */
|
/* Check for undecoded critical extensions */
|
||||||
for (i=0; msg->controls && msg->controls[i]; i++) {
|
for (i=0; msg->controls && msg->controls[i]; i++) {
|
||||||
@ -1238,6 +1240,56 @@ NTSTATUS ldapsrv_do_call(struct ldapsrv_call *call)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (call->conn->authz_logged == false) {
|
||||||
|
|
||||||
|
/*
|
||||||
|
* We do not want to log anonymous access if the query
|
||||||
|
* is just for the rootDSE, or it is a startTLS or a
|
||||||
|
* Bind.
|
||||||
|
*
|
||||||
|
* A rootDSE search could also be done over
|
||||||
|
* CLDAP anonymously for example, so these don't
|
||||||
|
* really count.
|
||||||
|
* Essentially we want to know about
|
||||||
|
* access beyond that normally done prior to a
|
||||||
|
* bind.
|
||||||
|
*/
|
||||||
|
|
||||||
|
switch(call->request->type) {
|
||||||
|
case LDAP_TAG_BindRequest:
|
||||||
|
log = false;
|
||||||
|
break;
|
||||||
|
case LDAP_TAG_ExtendedResponse: {
|
||||||
|
struct ldap_ExtendedRequest *req = &call->request->r.ExtendedRequest;
|
||||||
|
if (strcmp(req->oid, LDB_EXTENDED_START_TLS_OID) == 0) {
|
||||||
|
log = false;
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
case LDAP_TAG_SearchRequest: {
|
||||||
|
struct ldap_SearchRequest *req = &call->request->r.SearchRequest;
|
||||||
|
if (req->scope == LDAP_SEARCH_SCOPE_BASE) {
|
||||||
|
if (req->basedn[0] == '\0') {
|
||||||
|
log = false;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
default:
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (log) {
|
||||||
|
log_successful_authz_event(call->conn->connection->remote_address,
|
||||||
|
call->conn->connection->local_address,
|
||||||
|
"LDAP",
|
||||||
|
"no bind",
|
||||||
|
call->conn->session_info);
|
||||||
|
|
||||||
|
call->conn->authz_logged = true;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
switch(call->request->type) {
|
switch(call->request->type) {
|
||||||
case LDAP_TAG_BindRequest:
|
case LDAP_TAG_BindRequest:
|
||||||
return ldapsrv_BindRequest(call);
|
return ldapsrv_BindRequest(call);
|
||||||
|
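Review bot: The StartTLS exemption in the new switch cannot fire: the case label is `LDAP_TAG_ExtendedResponse` while the body reads `call->request->r.ExtendedRequest`, and a client's StartTLS arrives as an extended request, so it falls through to `default` and is logged as a "no bind" authz event despite what the commit message says; the label should read `case LDAP_TAG_ExtendedRequest: {`. The block also dereferences `req->oid` and `req->basedn` without a NULL check; if the message decoder can leave either unset for a malformed request this is a pre-authentication crash, so either confirm the decoder guarantees non-NULL strings here or guard the comparisons. Minor: `bool log = true;` in the earlier hunk is declared at function scope but is only used inside `if (call->conn->authz_logged == false)`, where it could be declared instead. ldapsrv_do_call starts and ends outside the hunk.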
@ -109,6 +109,8 @@ static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call)
|
|||||||
talloc_unlink(call->conn, call->conn->session_info);
|
talloc_unlink(call->conn, call->conn->session_info);
|
||||||
call->conn->session_info = talloc_steal(call->conn, session_info);
|
call->conn->session_info = talloc_steal(call->conn, session_info);
|
||||||
|
|
||||||
|
call->conn->authz_logged = true;
|
||||||
|
|
||||||
/* don't leak the old LDB */
|
/* don't leak the old LDB */
|
||||||
talloc_unlink(call->conn, call->conn->ldb);
|
talloc_unlink(call->conn, call->conn->ldb);
|
||||||
|
|
||||||
@ -379,7 +381,9 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call)
|
|||||||
|
|
||||||
/* don't leak the old LDB */
|
/* don't leak the old LDB */
|
||||||
talloc_unlink(conn, conn->ldb);
|
talloc_unlink(conn, conn->ldb);
|
||||||
|
|
||||||
|
call->conn->authz_logged = true;
|
||||||
|
|
||||||
status = ldapsrv_backend_Init(conn);
|
status = ldapsrv_backend_Init(conn);
|
||||||
|
|
||||||
if (!NT_STATUS_IS_OK(status)) {
|
if (!NT_STATUS_IS_OK(status)) {
|
||||||
|
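Review bot: In the ldapsrv_BindSASL hunk the new line `call->conn->authz_logged = true;` sits between `talloc_unlink(conn, conn->ldb);` and `ldapsrv_backend_Init(conn);`, which both use the local `conn`; if `conn` is the usual alias for `call->conn`, write `conn->authz_logged = true;` to match the surrounding code. Neither this assignment nor the identical one in ldapsrv_BindSimple says why the flag is set; a one-line comment such as `/* the bind itself is logged by the auth code, so skip the "no bind" authz log */` (hedged: presumably the bind path logs its own authz event) would make the intent clear to the next reader. Both functions start and end outside their hunks.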
@ -46,6 +46,7 @@ struct ldapsrv_connection {
|
|||||||
bool global_catalog;
|
bool global_catalog;
|
||||||
bool is_privileged;
|
bool is_privileged;
|
||||||
enum ldap_server_require_strong_auth require_strong_auth;
|
enum ldap_server_require_strong_auth require_strong_auth;
|
||||||
|
bool authz_logged;
|
||||||
|
|
||||||
struct {
|
struct {
|
||||||
int initial_timeout;
|
int initial_timeout;
|
||||||
|
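Review bot: The new `bool authz_logged;` member is added without a comment, unlike its role would suggest; a note such as `/* true once an authz event (bind, or the "no bind" log in ldapsrv_do_call) has been logged for this connection */` documents the contract the .c side relies on. The flag is read as "false until set", which only holds if the connection struct is zero-allocated at its creation site; that site is not on this page, so confirm it uses a zeroing allocation. struct ldapsrv_connection starts and ends outside the hunk.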
@ -6,7 +6,7 @@ bld.SAMBA_MODULE('service_ldap',
|
|||||||
autoproto='proto.h',
|
autoproto='proto.h',
|
||||||
subsystem='service',
|
subsystem='service',
|
||||||
init_function='server_service_ldap_init',
|
init_function='server_service_ldap_init',
|
||||||
deps='samba-credentials cli-ldap samdb process_model gensec samba-hostconfig samba_server_gensec',
|
deps='samba-credentials cli-ldap samdb process_model gensec samba-hostconfig samba_server_gensec common_auth',
|
||||||
internal_module=False,
|
internal_module=False,
|
||||||
enabled=bld.AD_DC_BUILD_IS_ENABLED()
|
enabled=bld.AD_DC_BUILD_IS_ENABLED()
|
||||||
)
|
)
|
||||||
|