1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

ldap_server: Log access without a bind

This can be over the privileged ldapi socket, or just as the implicit anonymous access

However, do not log for setting up StartTLS, or a rootDSE search.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
This commit is contained in:
Andrew Bartlett 2017-03-03 12:53:06 +13:00
parent 9a96f901f5
commit f4a4522d1f
4 changed files with 59 additions and 2 deletions

View File

@ -24,6 +24,7 @@
#include "auth/credentials/credentials.h"
#include "auth/gensec/gensec.h"
#include "auth/gensec/gensec_internal.h" /* TODO: remove this */
#include "auth/common_auth.h"
#include "param/param.h"
#include "smbd/service_stream.h"
#include "dsdb/samdb/samdb.h"
@ -1227,6 +1228,7 @@ NTSTATUS ldapsrv_do_call(struct ldapsrv_call *call)
unsigned int i;
struct ldap_message *msg = call->request;
NTSTATUS status;
bool log = true;
/* Check for undecoded critical extensions */
for (i=0; msg->controls && msg->controls[i]; i++) {
@ -1238,6 +1240,56 @@ NTSTATUS ldapsrv_do_call(struct ldapsrv_call *call)
}
}
if (call->conn->authz_logged == false) {
/*
* We do not want to log anonymous access if the query
* is just for the rootDSE, or it is a startTLS or a
* Bind.
*
* A rootDSE search could also be done over
* CLDAP anonymously for example, so these don't
* really count.
* Essentially we want to know about
* access beyond that normally done prior to a
* bind.
*/
switch(call->request->type) {
case LDAP_TAG_BindRequest:
log = false;
break;
case LDAP_TAG_ExtendedResponse: {
struct ldap_ExtendedRequest *req = &call->request->r.ExtendedRequest;
if (strcmp(req->oid, LDB_EXTENDED_START_TLS_OID) == 0) {
log = false;
}
break;
}
case LDAP_TAG_SearchRequest: {
struct ldap_SearchRequest *req = &call->request->r.SearchRequest;
if (req->scope == LDAP_SEARCH_SCOPE_BASE) {
if (req->basedn[0] == '\0') {
log = false;
}
}
break;
}
default:
break;
}
if (log) {
log_successful_authz_event(call->conn->connection->remote_address,
call->conn->connection->local_address,
"LDAP",
"no bind",
call->conn->session_info);
call->conn->authz_logged = true;
}
}
switch(call->request->type) {
case LDAP_TAG_BindRequest:
return ldapsrv_BindRequest(call);

View File

@ -109,6 +109,8 @@ static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call)
talloc_unlink(call->conn, call->conn->session_info);
call->conn->session_info = talloc_steal(call->conn, session_info);
call->conn->authz_logged = true;
/* don't leak the old LDB */
talloc_unlink(call->conn, call->conn->ldb);
@ -380,6 +382,8 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call)
/* don't leak the old LDB */
talloc_unlink(conn, conn->ldb);
call->conn->authz_logged = true;
status = ldapsrv_backend_Init(conn);
if (!NT_STATUS_IS_OK(status)) {

View File

@ -46,6 +46,7 @@ struct ldapsrv_connection {
bool global_catalog;
bool is_privileged;
enum ldap_server_require_strong_auth require_strong_auth;
bool authz_logged;
struct {
int initial_timeout;

View File

@ -6,7 +6,7 @@ bld.SAMBA_MODULE('service_ldap',
autoproto='proto.h',
subsystem='service',
init_function='server_service_ldap_init',
deps='samba-credentials cli-ldap samdb process_model gensec samba-hostconfig samba_server_gensec',
deps='samba-credentials cli-ldap samdb process_model gensec samba-hostconfig samba_server_gensec common_auth',
internal_module=False,
enabled=bld.AD_DC_BUILD_IS_ENABLED()
)