1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

55 Commits

Author SHA1 Message Date
Andrew Bartlett
c8a23147fe s4:libcli/ldap Rename ldap.h to libcli_ldap.h
It is a problem if a samba header is called ldap.h if we also want
to use OpenLDAP's ldap.h

Andrew Bartlett
2010-05-21 17:39:15 +10:00
Andrew Bartlett
71632a1697 Remove auth/ntlm as a dependency of GENSEC by means of function pointers.
When starting GENSEC on the server, the auth subsystem context must be
passed in, which now includes function pointers to the key elements.

This should (when the other dependencies are fixed up) allow GENSEC to
exist as a client or server library without bundling in too much of
our server code.

Andrew Bartlett
2009-02-13 10:24:16 +11:00
Stefan Metzmacher
0fadddf8d4 s4:ldap_server: s/private/private_data
metze
2009-02-02 13:08:40 +01:00
Jelmer Vernooij
b034c519f5 Add gensec_settings structure. This wraps loadparm_context for now, but
should in the future only contain some settings required for gensec.
2008-11-02 02:05:48 +01:00
Simo Sorce
83b0c5d43f Fix nasty bug that would come up only if a client connection to a remote
ldap server suddenly dies.
We were creating a wrong talloc hierarchy, so the event.fde was not
freed automatically as expected. This in turn made the event system call
the ldap io handlers with a null packet structure, causing a segfault.
Fix also the ordering in ldap_connection_dead()
Thanks to Metze for the huge help in tracking down this one.
2008-09-24 01:43:57 -04:00
Matthias Dieter Wallnöfer
8ac5db1246 LDAP Server: Don't create the SASL SECBLOB output object twice
Removes one "talloc" creation of the output object.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2008-09-19 16:33:47 +02:00
Jelmer Vernooij
21fc767378 Specify event_context to ldb_wrap_connect explicitly.
(This used to be commit b4e1ae07a2)
2008-04-17 12:23:44 +02:00
Jelmer Vernooij
3da665e9ac r26385: Integrate gensec-socket into gensec.
(This used to be commit 78bb444b4b)
2007-12-21 05:49:19 +01:00
Jelmer Vernooij
2f8dc4f48f r26266: Remove more global_loadparm uses.
(This used to be commit 99113075c4)
2007-12-21 05:47:42 +01:00
Jelmer Vernooij
ecea5ce245 r26260: Store loadparm context in gensec context.
(This used to be commit b9e3a4862e)
2007-12-21 05:47:34 +01:00
Jelmer Vernooij
7e298580e0 r26234: More global_loadparm fixes.
(This used to be commit 84892d030d)
2007-12-21 05:47:12 +01:00
Jelmer Vernooij
cc04f143dc r26229: Set loadparm context as opaque pointer in ldb, remove more uses of global_loadparm.
(This used to be commit 37d05fdc7b)
2007-12-21 05:47:06 +01:00
Jelmer Vernooij
51db4c3f3d r26228: Store loadparm context in auth context, move more loadparm_contexts up the call stack.
(This used to be commit ba75f1613a)
2007-12-21 05:47:05 +01:00
Andrew Tridgell
0479a2f1cb r23792: convert Samba4 to GPLv3
There are still a few tidyups of old FSF addresses to come (in both s3
and s4). More commits soon.
(This used to be commit fcf38a38ac)
2007-10-10 14:59:12 -05:00
Stefan Metzmacher
bf772399bf r21511: this seems to be the nicer fix for the problem with
the windows 2000 LDAP client

metze
(This used to be commit d40465470f)
2007-10-10 14:48:47 -05:00
Stefan Metzmacher
89278a1469 r20906: allow LDAP simple binds using the following syntaxes in the DN field:
CN=Administrator,CN=Users,DC=w2k3,DC=vmnet1,DC=vm,DC=base
Administrator@W2K3
W2K3\Administrator
w2k3.vmnet1.vm.base/Users/Administrator

w2k3 also allows this (and maybe more...?)

metze
(This used to be commit 40c27ef88d)
2007-10-10 14:43:50 -05:00
Andrew Bartlett
13dbee3ffe r19598: Ahead of a merge to current lorikeet-heimdal:
Break up auth/auth.h not to include the world.

Add credentials_krb5.h with the kerberos dependent prototypes.

Andrew Bartlett
(This used to be commit 2b569c42e0)
2007-10-10 14:25:00 -05:00
Andrew Tridgell
30ee8beb93 r18301: I discovered how to load the warnings from a build farm build into
emacs compile mode (hint, paste to a file, and compile as "cat
filename").

This allowed me to fix nearly all the warnings for a IA_64 SuSE build
very quickly.
(This used to be commit eba6c84eff)
2007-10-10 14:18:04 -05:00
Stefan Metzmacher
7a845bcb01 r17341: pass a messaging context to auth_context_create()
and gensec_server_start().

calling them with NULL for event context or messaging context
is no longer allowed!

metze
(This used to be commit 679ac74e71)
2007-10-10 14:15:17 -05:00
Stefan Metzmacher
4cdcc17893 r17237: - keep pointer to the different sockets
- we need this to later:
  - to disallow a StartTLS when TLS is already in use
  - to place the TLS socket between the raw and sasl socket
    when we had a sasl bind before the StartTLS
  - and rfc4513 says that the server may allow to remove the TLS from
    the tcp connection again and reuse raw tcp
  - and also a 2nd sasl bind should replace the old sasl socket

metze
(This used to be commit 10cb9c07ac)
2007-10-10 14:10:22 -05:00
Stefan Metzmacher
79f7b58630 r17226: add some comments about ldap binds and pending requests
metze
(This used to be commit e8db1fb558)
2007-10-10 14:10:22 -05:00
Andrew Bartlett
9d6f276717 r17222: Change the function prototypes for the GENSEc and TLS socket creation
routines to return an NTSTATUS.  This should help track down errors.

Use a bit of talloc_steal and talloc_unlink to get the real socket to
be a child of the GENSEC or TLS socket.

Always return a new socket, even for the 'pass-though' case.

Andrew Bartlett
(This used to be commit 003e2ab93c)
2007-10-10 14:10:20 -05:00
Andrew Bartlett
d8f1e27b19 r17215: Prepare the SASL socket before actually settting it. This allows
errors to be reported corectly, rather than just dropping the socket.

Andrew Bartlett
(This used to be commit 83dd22accf)
2007-10-10 14:10:19 -05:00
Andrew Bartlett
ba07fa43d0 r17197: This patch moves the encryption of bulk data on SASL negotiated security
contexts from the application layer into the socket layer.

This improves a number of correctness aspects, as we now allow LDAP
packets to cross multiple SASL packets.  It should also make it much
easier to write async LDAP tests from windows clients, as they use SASL
by default.  It is also vital to allowing OpenLDAP clients to use GSSAPI
against Samba4, as it negotiates a rather small SASL buffer size.

This patch mirrors the earlier work done to move TLS into the socket
layer.

Unusual in this pstch is the extra read callback argument I take.  As
SASL is a layer on top of a socket, it is entirely possible for the
SASL layer to drain a socket dry, but for the caller not to have read
all the decrypted data.  This would leave the system without an event
to restart the read (as the socket is dry).

As such, I re-invoke the read handler from a timed callback, which
should trigger on the next running of the event loop.  I believe that
the TLS code does require a similar callback.

In trying to understand why this is required, imagine a SASL-encrypted
LDAP packet in the following formation:

+-----------------+---------------------+
| SASL  Packet #1 | SASL Packet #2      |
----------------------------------------+
| LDAP Packet #1       | LDAP Packet #2 |
----------------------------------------+

In the old code, this was illegal, but it is perfectly standard
SASL-encrypted LDAP.  Without the callback, we would read and process
the first LDAP packet, and the SASL code would have read the second SASL
packet (to decrypt enough data for the LDAP packet), and no data would
remain on the socket.

Without data on the socket, read events stop.  That is why I add timed
events, until the SASL buffer is drained.

Another approach would be to add a hack to the event system, to have it
pretend there remained data to read off the network (but that is ugly).

In improving the code, to handle more real-world cases, I've been able
to remove almost all the special-cases in the testnonblock code.  The
only special case is that we must use a deterministic partial packet
when calling send, rather than a random length.  (1 + n/2).  This is
needed because of the way the SASL and TLS code works, and the 'resend
on failure' requirements.

Andrew Bartlett
(This used to be commit 5d7c9c12cb)
2007-10-10 14:10:18 -05:00
Andrew Bartlett
9da5d4fd69 r16795: Fix crash found by Dave Fenwick <djf@samba.org>.
The session_info was not being attached to the connection, so
subsequent checks in the kludge_acl module were looking at free()ed
memory.

Andrew Bartlett
(This used to be commit 7e9079ac7a)
2007-10-10 14:09:46 -05:00
Stefan Metzmacher
7449f4d803 r13508: some ASN.1 element in LDAP are optional,
make it possible to code the difference between a zero length and a NULL DATA_BLOB...

metze
(This used to be commit 54f0b19c55)
2007-10-10 13:51:56 -05:00
Andrew Bartlett
15f73e6404 r13339: Propogate more error infomation into the error packet and reformat the
code a little.  This also fixes a segfault when we didn't fill in the
error message.

Andrew Bartlett
(This used to be commit 3be01a4ac7)
2007-10-10 13:51:46 -05:00
Simo Sorce
a7a79d2b25 r12880: Remove ldap partitions useless now and probably we
will not use it anyway as we plan to support
partitions in ldb directly like with rootdse

Merge ldap_simple_ldb into ldap_backend, it is
not simple anymore and makes no sense to have
it separated now that ldap partitions are gone

Initial attempt at working to some limit to avoid DOSs
for the ldap server.

Simo.
(This used to be commit 97bff3e049)
2007-10-10 13:50:57 -05:00
Stefan Metzmacher
a36c172d46 r12792: fix compiler warning
metze
(This used to be commit 1eca5f46c6)
2007-10-10 13:49:55 -05:00
Simo Sorce
c908d0b2aa r12733: Merge ldap/ldb controls into main tree
There's still lot of work to do but the patch is stable
enough to be pushed into the main samba4 tree.

Simo.
(This used to be commit 77125feaff)
2007-10-10 13:49:47 -05:00
Andrew Bartlett
bedfb06326 r12686: Push the real SASL list into the rootdse.
Get this out of the server credentials, and push it down to ldb via an
opaque pointer.

Andrew Bartlett
(This used to be commit 61700252e0)
2007-10-10 13:49:38 -05:00
Jelmer Vernooij
d4de4c2d21 r12608: Remove some unused #include lines.
(This used to be commit 70e7449318)
2007-10-10 13:49:03 -05:00
Jelmer Vernooij
2cd5ca7d25 r12542: Move some more prototypes out to seperate headers
(This used to be commit 0aca5fd513)
2007-10-10 13:47:55 -05:00
Andrew Bartlett
6bd8be8671 r12360: Add simple bind support into our LDAP server.
Needs changes to our client code for automated testing.

Andrew Bartlett
(This used to be commit e751d81414)
2007-10-10 13:47:30 -05:00
Andrew Bartlett
90550077b9 r11225: Remove pointless goto.
Andrew Bartlett
(This used to be commit 30f4ece4d2)
2007-10-10 13:45:05 -05:00
Andrew Bartlett
372ca26b20 r11200: Reposition the creation of the kerberos keytab for GSSAPI and Krb5
authentication.  This pulls the creating of the keytab back to the
credentials code, and removes the special case of 'use keberos keytab
= yes' for now.

This allows (and requires) the callers to specify the credentials for
the server credentails to GENSEC.  This allows kpasswdd (soon to be
added) to use a different set of kerberos credentials.

The 'use kerberos keytab' code will be moved into the credentials
layer, as the layers below now expect a keytab.

We also now allow for the old secret to be stored into the
credentials, allowing service password changes.

Andrew Bartlett
(This used to be commit 205f77c579)
2007-10-10 13:45:00 -05:00
Stefan Metzmacher
1e14572a26 r10832: free the old session info
metze
(This used to be commit 16b2569788)
2007-10-10 13:39:33 -05:00
Andrew Bartlett
1377cca5f4 r10810: This adds the hooks required to communicate the current user from the
authenticated session down into LDB.  This associates a session info
structure with the open LDB, allowing a future ldb_ntacl module to
allow/deny operations on that basis.

Along the way, I cleaned up a few things, and added new helper functions
to assist.  In particular the LSA pipe uses simpler queries for some of
the setup.

In ldap_server, I have removed the 'ldasrv:hacked' module, which hasn't
been worked on (other than making it continue to compile) since January,
and I think the features of this module are being put into ldb anyway.

I have also changed the partitions in ldap_server to be initialised
after the connection, with the private pointer used to associate the ldb
with the incoming session.

Andrew Bartlett
(This used to be commit fd7203789a)
2007-10-10 13:39:32 -05:00
Andrew Bartlett
897e9f2b4d r9417: Ask for the ASYNC_REPLIES feature, as will want that.
Andrew Bartlett
(This used to be commit 8cb8f99ae6)
2007-10-10 13:33:36 -05:00
Andrew Tridgell
63811f0cb8 r7854: only enable wrapping in the ldap server if it was negotiated by gensec
(This used to be commit 355983493b)
2007-10-10 13:18:43 -05:00
Andrew Tridgell
c7496c6cdb r7747: - simplified the ldap server buffer handling
- got rid of the special cases for sasl buffers

- added a tls_socket_pending() call to determine how much data is waiting on a tls connection

- removed the attempt at async handling of ldap calls. The buffers/sockets are all async, but the calls themselves
  are sync.
(This used to be commit 73cb4aad22)
2007-10-10 13:18:30 -05:00
Andrew Tridgell
af237084ec r7633: this patch started as an attempt to make the dcerpc code use a given
event_context for the socket_connect() call, so that when things that
use dcerpc are running alongside anything else it doesn't block the
whole process during a connect.

Then of course I needed to change any code that created a dcerpc
connection (such as the auth code) to also take an event context, and
anything that called that and so on .... thus the size of the patch.

There were 3 places where I punted:

  - abartlet wanted me to add a gensec_set_event_context() call
    instead of adding it to the gensec init calls. Andrew, my
    apologies for not doing this. I didn't do it as adding a new
    parameter allowed me to catch all the callers with the
    compiler. Now that its done, we could go back and use
    gensec_set_event_context()

  - the ejs code calls auth initialisation, which means it should pass
    in the event context from the web server. I punted on that. Needs fixing.

  - I used a NULL event context in dcom_get_pipe(). This is equivalent
    to what we did already, but should be fixed to use a callers event
    context. Jelmer, can you think of a clean way to do that?

I also cleaned up a couple of things:

 - libnet_context_destroy() makes no sense. I removed it.

 - removed some unused vars in various places
(This used to be commit 3a3025485b)
2007-10-10 13:18:15 -05:00
Andrew Tridgell
a7d6185f41 r7594: abartlet is right that this hack is not actually necessary, it just
prevents a bogus:
  GSS Update failed: Miscellaneous failure (see text): ASN.1 identifier doesn't match expected value
error on every ldap connection. I'll remove it and let the error remain until Andrew
works out a better fix.
(This used to be commit 6123eb2eca)
2007-10-10 13:18:12 -05:00
Andrew Tridgell
c0947b0d7f r7593: simplified the memory management in the ldap code. Having a mem_ctx
element in a structure is not necessary any more.
(This used to be commit 912d0427f5)
2007-10-10 13:18:12 -05:00
Andrew Tridgell
db2e86f75c r7568: enable the NTLMSSP bulk data sign/seal code for out ldap server. This
now works with windows clients, as I fixed the zero length bind ack packet.

Andrew, note that this has the strncmp("NTLMSSP", data, 7) hack. Please
replace with a more correct fix as we discussed.
(This used to be commit 69b02e8adb)
2007-10-10 13:18:10 -05:00
Andrew Tridgell
501379431c r5305: removed libcli/ldap/ldap.h from includes.h
(This used to be commit 0df3fdd817)
2007-10-10 13:09:39 -05:00
Stefan Metzmacher
047d41cc49 r4634: disable sign and seal in ldap_server for now.
metze
(This used to be commit 872c687184)
2007-10-10 13:08:37 -05:00
Andrew Bartlett
9a6671cf95 r4459: GENSEC refinements:
In developing a GSSAPI plugin for GENSEC, it became clear that the API
needed to change:
 - GSSAPI exposes only a wrap() and unwrap() interface, and determines
   the location of the signature itself.
 - The 'have feature' API did not correctly function in the recursive
   SPNEGO environment.

As such, NTLMSSP has been updated to support these methods.

The LDAP client and server have been updated to use the new wrap() and
unwrap() methods, and now pass the LDAP-* tests in our smbtorture.
(Unfortunely I still get valgrind warnings, in the code that was
previously unreachable).

Andrew Bartlett
(This used to be commit 9923c3bc1b)
2007-10-10 13:07:53 -05:00
Andrew Bartlett
44113c4de1 r4355: More work from the elves on Christmas eve:
- Update Samba4's kerberos code to match the 'salting' changes in
   Samba3 (and many other cleanups by jra).

 - Move GENSEC into the modern era of talloc destructors.  This avoids
   many of the memory leaks in this code, as we now can't somehow
   'forget' to call the end routine.
  - This required fixing some of the talloc hierarchies.

 - The new krb5 seems more sensitive to getting the service name
   right, so start actually setting the service name on the krb5 context.

Andrew Bartlett
(This used to be commit 278bf1a61a)
2007-10-10 13:07:37 -05:00
Andrew Tridgell
a42142439a r3464: split out registry.h, rap.h and ldap_server.h
(This used to be commit 70d2090f6b)
2007-10-10 13:05:17 -05:00