websms/freeipa
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Imported Upstream version 4.6.2

Browse Source
This commit is contained in:
Mario Fetka
2021-07-25 07:32:41 +02:00
commit 8ff3be4216
1788 changed files with 1900965 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

64
daemons/ipa-slapi-plugins/ipa-cldap/Makefile.am Normal file
View File

@@ -0,0 +1,64 @@
NULL =
PLUGIN_COMMON_DIR = $(srcdir)/../common
AM_CPPFLAGS = \
-I$(srcdir) \
-I$(PLUGIN_COMMON_DIR) \
-DPREFIX=\""$(prefix)"\" \
-DBINDIR=\""$(bindir)"\" \
-DLIBDIR=\""$(libdir)"\" \
-DLIBEXECDIR=\""$(libexecdir)"\" \
-DDATADIR=\""$(datadir)"\" \
$(DIRSRV_CFLAGS) \
$(LDAP_CFLAGS) \
$(WARN_CFLAGS) \
$(NDRNBT_CFLAGS) \
$(NULL)
plugindir = $(libdir)/dirsrv/plugins
plugin_LTLIBRARIES = \
libipa_cldap.la \
$(NULL)
libipa_cldap_la_SOURCES = \
ipa_cldap_netlogon.c \
ipa_cldap_worker.c \
ipa_cldap.c \
ipa_cldap.h \
$(NULL)
libipa_cldap_la_LDFLAGS = -avoid-version
libipa_cldap_la_LIBADD = \
$(LDAP_LIBS) \
$(NDRNBT_LIBS) \
$(NULL)
if HAVE_CMOCKA
TESTS = ipa_cldap_tests
check_PROGRAMS = ipa_cldap_tests
endif
ipa_cldap_tests_SOURCES = \
ipa_cldap_tests.c \
ipa_cldap_netlogon.c \
$(NULL)
ipa_cldap_tests_CFLAGS = $(CMOCKA_FLAGS)
ipa_cldap_tests_LDFLAGS = \
-rpath $(shell pkg-config --libs-only-L dirsrv | sed -e 's/-L//') \
$(NULL)
ipa_cldap_tests_LDADD = \
$(CMOCKA_LIBS) \
$(NDRNBT_LIBS) \
$(DIRSRV_LIBS) \
$(NULL)
appdir = $(IPA_DATA_DIR)
app_DATA = \
ipa-cldap-conf.ldif \
$(NULL)
EXTRA_DIST = \
$(app_DATA) \
$(NULL)

1244
daemons/ipa-slapi-plugins/ipa-cldap/Makefile.in Normal file
View File

File diff suppressed because it is too large Load Diff

16
daemons/ipa-slapi-plugins/ipa-cldap/ipa-cldap-conf.ldif Normal file
View File

@@ -0,0 +1,16 @@
dn: cn=ipa_cldap,cn=plugins,cn=config
changetype: add
objectclass: top
objectclass: nsSlapdPlugin
objectclass: extensibleObject
cn: ipa_cldap
nsslapd-pluginpath: libipa_cldap
nsslapd-plugininitfunc: ipa_cldap_init
nsslapd-plugintype: postoperation
nsslapd-pluginenabled: on
nsslapd-pluginid: ipa_cldap_init
nsslapd-pluginversion: @PACKAGE_VERSION@
nsslapd-pluginvendor: RedHat
nsslapd-plugindescription: CLDAP Server to interoperate with AD
nsslapd-plugin-depends-on-type: database
nsslapd-basedn: $SUFFIX

243
daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap.c Normal file
View File

@@ -0,0 +1,243 @@
/** BEGIN COPYRIGHT BLOCK
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
* Additional permission under GPLv3 section 7:
*
* In the following paragraph, "GPL" means the GNU General Public
* License, version 3 or any later version, and "Non-GPL Code" means
* code that is governed neither by the GPL nor a license
* compatible with the GPL.
*
* You may link the code of this Program with Non-GPL Code and convey
* linked combinations including the two, provided that such Non-GPL
* Code only links to the code of this Program through those well
* defined interfaces identified in the file named EXCEPTION found in
* the source code files (the "Approved Interfaces"). The files of
* Non-GPL Code may instantiate templates or use macros or inline
* functions from the Approved Interfaces without causing the resulting
* work to be covered by the GPL. Only the copyright holders of this
* Program may make changes or additions to the list of Approved
* Interfaces.
*
* Authors:
* Simo Sorce <ssorce@redhat.com>
*
* Copyright (C) 2011 Red Hat, Inc.
* All rights reserved.
* END COPYRIGHT BLOCK **/
#include "ipa_cldap.h"
#include "util.h"
Slapi_PluginDesc ipa_cldap_desc = {
IPA_CLDAP_PLUGIN_NAME,
"FreeIPA project",
"FreeIPA/3.0",
IPA_CLDAP_PLUGIN_DESC
};
static int ipa_cldap_start(Slapi_PBlock *pb)
{
struct ipa_cldap_ctx *ctx;
int ret;
ret = slapi_pblock_get(pb, SLAPI_PLUGIN_PRIVATE, &ctx);
if (ret) {
LOG_FATAL("No plugin context ?!\n");
return -1;
}
ret = pthread_create(&ctx->tid, NULL, ipa_cldap_worker, ctx);
if (ret) {
LOG_FATAL("Failed to create worker thread\n");
return -1;
}
LOG("Plugin statrup completed.\n");
return 0;
}
static int ipa_cldap_stop(Slapi_PBlock *pb)
{
struct ipa_cldap_ctx *ctx;
void *retval;
int ret;
ret = slapi_pblock_get(pb, SLAPI_PLUGIN_PRIVATE, &ctx);
if (ret) {
LOG_FATAL("No plugin context ?!\n");
return -1;
}
/* send stop signal to terminate worker thread */
do {
ret = write(ctx->stopfd[1], "", 1);
} while (ret == -1 && errno == EINTR);
close(ctx->stopfd[1]);
ret = pthread_join(ctx->tid, &retval);
if (ret) {
LOG_FATAL("Failed to stop worker thread\n");
return -1;
}
LOG("Plugin shutdown completed.\n");
return 0;
}
static int ipa_cldap_init_service(Slapi_PBlock *pb,
struct ipa_cldap_ctx **cldap_ctx)
{
struct ipa_cldap_ctx *ctx;
struct sockaddr_in6 addr;
Slapi_Entry *e;
int flags;
int val;
int ret;
ctx = calloc(1, sizeof(struct ipa_cldap_ctx));
if (!ctx) {
return ENOMEM;
}
ctx->sd = -1;
ret = slapi_pblock_get(pb, SLAPI_PLUGIN_IDENTITY, &ctx->plugin_id);
if ((ret != 0) || (NULL == ctx->plugin_id)) {
LOG_FATAL("Could not get identity or identity was NULL\n");
if (ret == 0) {
ret = -1;
}
goto done;
}
slapi_pblock_get(pb, SLAPI_PLUGIN_CONFIG_ENTRY, &e);
if (!e) {
LOG_FATAL("Plugin configuration not found!\n");
ret = -1;
goto done;
}
ctx->base_dn = slapi_entry_attr_get_charptr(e, "nsslapd-basedn");
if (!ctx->base_dn) {
LOG_FATAL("Plugin configuration not found!\n");
ret = -1;
goto done;
}
/* create a stop pipe so the main DS thread can interrupt the poll()
* of the worker thread at any time and cause the worker thread to
* immediately exit without waiting for timeouts or such */
ret = pipe(ctx->stopfd);
if (ret != 0) {
LOG_FATAL("Failed to stop pipe\n");
ret = EIO;
goto done;
}
ctx->sd = socket(PF_INET6, SOCK_DGRAM, 0);
if (ctx->sd == -1) {
LOG_FATAL("Failed to create IPv6 socket: IPv6 support in kernel "
"is required\n");
ret = EIO;
goto done;
}
val = 1;
ret = setsockopt(ctx->sd, SOL_SOCKET, SO_REUSEADDR, &val, sizeof(val));
if (ret == -1) {
ret = errno;
LOG("Failed to make socket immediately reusable (%d, %s)\n",
ret, strerror(ret));
}
memset(&addr, 0, sizeof(addr));
addr.sin6_family = AF_INET6;
addr.sin6_port = htons(CLDAP_PORT);
ret = bind(ctx->sd, (struct sockaddr *)&addr, sizeof(addr));
if (ret == -1) {
ret = errno;
LOG_FATAL("Failed to bind socket (%d, %s)\n", ret, strerror(ret));
goto done;
}
flags = fcntl(ctx->sd, F_GETFL);
if ((flags & O_NONBLOCK) == 0) {
ret = fcntl(ctx->sd, F_SETFL, flags | O_NONBLOCK);
if (ret == -1) {
ret = errno;
LOG_FATAL("Failed to set socket to non-blocking\n");
goto done;
}
}
done:
if (ret) {
if (ctx->sd != -1) {
close(ctx->sd);
}
free(ctx);
} else {
*cldap_ctx = ctx;
}
return ret;
}
static int ipa_cldap_post_init(Slapi_PBlock *pb)
{
return 0;
}
/* Initialization function */
int ipa_cldap_init(Slapi_PBlock *pb)
{
struct ipa_cldap_ctx *cldap_ctx = NULL;
int ret;
ret = ipa_cldap_init_service(pb, &cldap_ctx);
if (ret) {
LOG_FATAL("Failed to initialize CLDAP Plugin\n");
/* do not cause DS to stop, simply do nothing */
return 0;
}
/* Register the plug-in */
ret = slapi_pblock_set(pb, SLAPI_PLUGIN_VERSION, SLAPI_PLUGIN_VERSION_03);
if (!ret) {
ret = slapi_pblock_set(pb, SLAPI_PLUGIN_DESCRIPTION, &ipa_cldap_desc);
}
if (!ret) {
ret = slapi_pblock_set(pb, SLAPI_PLUGIN_START_FN, &ipa_cldap_start);
}
if (!ret) {
ret = slapi_pblock_set(pb, SLAPI_PLUGIN_CLOSE_FN, &ipa_cldap_stop);
}
if (!ret) {
ret = slapi_pblock_set(pb, SLAPI_PLUGIN_PRIVATE, cldap_ctx);
}
if (ret) {
LOG_FATAL("Failed to initialize plug-in\n" );
return -1;
}
slapi_register_plugin("postoperation", 1,
"ipa_cldap_post_init",
ipa_cldap_post_init,
"CLDAP post ops", NULL,
cldap_ctx->plugin_id);
return 0;
}

109
daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap.h Normal file
View File

@@ -0,0 +1,109 @@
/** BEGIN COPYRIGHT BLOCK
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
* Additional permission under GPLv3 section 7:
*
* In the following paragraph, "GPL" means the GNU General Public
* License, version 3 or any later version, and "Non-GPL Code" means
* code that is governed neither by the GPL nor a license
* compatible with the GPL.
*
* You may link the code of this Program with Non-GPL Code and convey
* linked combinations including the two, provided that such Non-GPL
* Code only links to the code of this Program through those well
* defined interfaces identified in the file named EXCEPTION found in
* the source code files (the "Approved Interfaces"). The files of
* Non-GPL Code may instantiate templates or use macros or inline
* functions from the Approved Interfaces without causing the resulting
* work to be covered by the GPL. Only the copyright holders of this
* Program may make changes or additions to the list of Approved
* Interfaces.
*
* Authors:
* Simo Sorce <ssorce@redhat.com>
*
* Copyright (C) 2011 Red Hat, Inc.
* All rights reserved.
* END COPYRIGHT BLOCK **/
#pragma once
#ifdef HAVE_CONFIG_H
# include <config.h>
#endif
#include <errno.h>
#include <unistd.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdlib.h>
#include <pthread.h>
#include <dirsrv/slapi-plugin.h>
#include <talloc.h>
#include "util.h"
#define IPA_CLDAP_PLUGIN_NAME "CLDAP Server"
#define IPA_CLDAP_PLUGIN_DESC "MS/AD introperable CLDAP server"
#define IPA_PLUGIN_NAME IPA_CLDAP_PLUGIN_NAME
#define CLDAP_PORT 389
#define MAX_DG_SIZE 4096
#define NETBIOS_NAME_MAX 15
#ifndef MAXHOSTNAMELEN
#define MAXHOSTNAMELEN 64
#endif
struct ipa_cldap_ctx {
Slapi_ComponentId *plugin_id;
pthread_t tid;
char *base_dn;
int stopfd[2];
int sd;
};
struct kvp {
struct berval attr;
struct berval value;
};
struct kvp_list {
struct kvp *pairs;
int allocated;
int top;
};
struct ipa_cldap_req {
int fd;
struct sockaddr_storage ss;
socklen_t ss_len;
char dgram[MAX_DG_SIZE];
size_t dgsize;
ber_int_t id;
/* filter members */
struct kvp_list kvps;
};
/*void *ipa_cldap_worker(struct ipa_cldap_ctx *ctx);*/
void *ipa_cldap_worker(void *arg);
int ipa_cldap_netlogon(struct ipa_cldap_ctx *ctx,
struct ipa_cldap_req *req,
struct berval *reply);
char *make_netbios_name(TALLOC_CTX *mem_ctx, const char *s);

366
daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c Normal file
View File

@@ -0,0 +1,366 @@
/** BEGIN COPYRIGHT BLOCK
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
* Additional permission under GPLv3 section 7:
*
* In the following paragraph, "GPL" means the GNU General Public
* License, version 3 or any later version, and "Non-GPL Code" means
* code that is governed neither by the GPL nor a license
* compatible with the GPL.
*
* You may link the code of this Program with Non-GPL Code and convey
* linked combinations including the two, provided that such Non-GPL
* Code only links to the code of this Program through those well
* defined interfaces identified in the file named EXCEPTION found in
* the source code files (the "Approved Interfaces"). The files of
* Non-GPL Code may instantiate templates or use macros or inline
* functions from the Approved Interfaces without causing the resulting
* work to be covered by the GPL. Only the copyright holders of this
* Program may make changes or additions to the list of Approved
* Interfaces.
*
* Authors:
* Simo Sorce <ssorce@redhat.com>
*
* Copyright (C) 2011 Red Hat, Inc.
* All rights reserved.
* END COPYRIGHT BLOCK **/
#include "ipa_cldap.h"
#include <endian.h>
#include <talloc.h>
#include <ctype.h>
#include "gen_ndr/ndr_nbt.h"
#include "gen_ndr/netlogon.h"
static int string_to_guid(char *str, struct GUID *guid)
{
unsigned int time_low;
unsigned int time_mid;
unsigned int time_hi;
unsigned int seq[2];
unsigned int node[6];
int ret;
ret = sscanf(str, "%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x",
&time_low, &time_mid, &time_hi, &seq[0], &seq[1],
&node[0], &node[1], &node[2], &node[3], &node[4], &node[5]);
if (ret != 11) {
return EINVAL;
}
guid->time_low = time_low;
guid->time_mid = time_mid;
guid->time_hi_and_version = time_hi;
guid->clock_seq[0] = seq[0];
guid->clock_seq[1] = seq[1];
guid->node[0] = node[0];
guid->node[1] = node[1];
guid->node[2] = node[2];
guid->node[3] = node[3];
guid->node[4] = node[4];
guid->node[5] = node[5];
return 0;
}
static int ipa_cldap_get_domain_entry(struct ipa_cldap_ctx *ctx,
char **domain,
char **guid, char **sid, char **name)
{
Slapi_PBlock *pb;
Slapi_Entry **e = NULL;
const char *filter = "objectclass=ipaNTDomainAttrs";
int ret;
pb = slapi_pblock_new();
if (!pb) {
return ENOMEM;
}
slapi_search_internal_set_pb(pb, ctx->base_dn,
LDAP_SCOPE_SUBTREE, filter,
NULL, 0, NULL, NULL, ctx->plugin_id, 0);
slapi_search_internal_pb(pb);
slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &ret);
if (ret) {
ret = ENOENT;
goto done;
}
slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &e);
if (!e || !e[0] || e[1]) {
/* no matches or too many matches */
ret = ENOENT;
goto done;
}
*guid = slapi_entry_attr_get_charptr(e[0], "ipaNTDomainGUID");
*sid = slapi_entry_attr_get_charptr(e[0], "ipaNTSecurityIdentifier");
*name = slapi_entry_attr_get_charptr(e[0], "ipaNTFlatName");
*domain = slapi_entry_attr_get_charptr(e[0], "cn");
ret = 0;
done:
slapi_free_search_results_internal(pb);
slapi_pblock_destroy(pb);
return ret;
}
char *make_netbios_name(TALLOC_CTX *mem_ctx, const char *s)
{
char *nb_name;
const char *p;
size_t c = 0;
if (s == NULL) {
return NULL;
}
nb_name = talloc_zero_size(mem_ctx, NETBIOS_NAME_MAX + 1);
if (nb_name == NULL) {
return NULL;
}
for (p = s; *p && c < NETBIOS_NAME_MAX; p++) {
/* Create the NetBIOS name from the first segment of the hostname */
if (*p == '.') {
break;
} else if (isalnum(*p)) {
nb_name[c++] = toupper(*p);
}
}
if (*nb_name == '\0') {
talloc_free(nb_name);
return NULL;
}
return nb_name;
}
#define NETLOGON_SAM_LOGON_RESPONSE_EX_pusher \
(ndr_push_flags_fn_t)ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX_with_flags
static int ipa_cldap_encode_netlogon(char *fq_hostname, char *domain,
char *guid, char *sid, char *name,
uint32_t ntver, struct berval *reply)
{
struct NETLOGON_SAM_LOGON_RESPONSE_EX *nlr;
enum ndr_err_code ndr_err;
DATA_BLOB blob;
int ret;
nlr = talloc_zero(NULL, struct NETLOGON_SAM_LOGON_RESPONSE_EX);
if (!nlr) {
return ENOMEM;
}
if (!(ntver & (NETLOGON_NT_VERSION_5EX|NETLOGON_NT_VERSION_5EX_WITH_IP))) {
ret = EINVAL;
goto done;
}
nlr->command = LOGON_SAM_LOGON_RESPONSE_EX;
/* nlr->sbz */
nlr->server_type = DS_SERVER_PDC |
DS_SERVER_GC |
DS_SERVER_LDAP |
DS_SERVER_DS |
DS_SERVER_KDC |
DS_SERVER_TIMESERV |
DS_SERVER_CLOSEST |
DS_SERVER_WRITABLE |
DS_SERVER_GOOD_TIMESERV;
string_to_guid(guid, &nlr->domain_uuid);
nlr->forest = domain;
nlr->dns_domain = domain;
nlr->pdc_dns_name = fq_hostname;
nlr->domain_name = name;
nlr->pdc_name = make_netbios_name(nlr, fq_hostname);
nlr->user_name = "";
nlr->server_site = "Default-First-Site-Name";
nlr->client_site = "Default-First-Site-Name";
/* nlr->sockaddr_size (filled in by ndr_push) */
nlr->nt_version = NETLOGON_NT_VERSION_5EX|NETLOGON_NT_VERSION_1;
if (ntver & NETLOGON_NT_VERSION_5EX_WITH_IP) {
nlr->nt_version |= NETLOGON_NT_VERSION_5EX_WITH_IP;
nlr->sockaddr.sockaddr_family = 2;
nlr->sockaddr.pdc_ip = "127.0.0.1";
nlr->sockaddr.remaining.length = 8;
nlr->sockaddr.remaining.data = talloc_zero_size(nlr, 8);
}
/* nlr->next_closest_site */
nlr->lmnt_token = 0xFFFF;
nlr->lm20_token = 0xFFFF;
ndr_err = ndr_push_struct_blob(&blob, nlr, nlr,
NETLOGON_SAM_LOGON_RESPONSE_EX_pusher);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
ret = EFAULT;
goto done;
}
reply->bv_val = malloc(blob.length);
if (!reply->bv_val) {
ret = ENOMEM;
goto done;
}
memcpy(reply->bv_val, blob.data, blob.length);
reply->bv_len = blob.length;
ret = 0;
done:
talloc_free(nlr);
return ret;
}
int ipa_cldap_netlogon(struct ipa_cldap_ctx *ctx,
struct ipa_cldap_req *req,
struct berval *reply)
{
char hostname[MAXHOSTNAMELEN + 1]; /* NOTE: lenght hardcoded in kernel */
char *domain = NULL;
char *our_domain = NULL;
char *guid = NULL;
char *sid = NULL;
char *name = NULL;
uint32_t ntver = 0;
uint32_t t;
char *dot;
int ret;
int len;
int i;
/* determine request type */
for (i = 0; i < req->kvps.top; i++) {
if (strncasecmp("DnsDomain",
req->kvps.pairs[i].attr.bv_val,
req->kvps.pairs[i].attr.bv_len) == 0) {
/* remove trailing dot if any */
len = req->kvps.pairs[i].value.bv_len;
if (req->kvps.pairs[i].value.bv_val[len-1] == '.') {
len--;
}
domain = strndup(req->kvps.pairs[i].value.bv_val, len);
if (!domain) {
ret = ENOMEM;
goto done;
}
continue;
}
if (strncasecmp("Host",
req->kvps.pairs[i].attr.bv_val,
req->kvps.pairs[i].attr.bv_len) == 0) {
/* we ignore Host for now */
continue;
}
if (strncasecmp("DomainGUID",
req->kvps.pairs[i].attr.bv_val,
req->kvps.pairs[i].attr.bv_len) == 0) {
/* we ignore DomainGUID for now */
continue;
}
if (strncasecmp("DomainSID",
req->kvps.pairs[i].attr.bv_val,
req->kvps.pairs[i].attr.bv_len) == 0) {
/* we ignore DomainSID for now */
continue;
}
if (strncasecmp("User",
req->kvps.pairs[i].attr.bv_val,
req->kvps.pairs[i].attr.bv_len) == 0) {
/* we ignore User for now */
continue;
}
if (strncasecmp("AAC",
req->kvps.pairs[i].attr.bv_val,
req->kvps.pairs[i].attr.bv_len) == 0) {
/* we ignore AAC for now */
continue;
}
if (strncasecmp("NTver",
req->kvps.pairs[i].attr.bv_val,
req->kvps.pairs[i].attr.bv_len) == 0) {
if (req->kvps.pairs[i].value.bv_len != 4) {
ret = EINVAL;
goto done;
}
memcpy(&t, req->kvps.pairs[i].value.bv_val, 4);
ntver = le32toh(t);
continue;
}
LOG_TRACE("Unknown filter attribute: %s\n",
req->kvps.pairs[i].attr.bv_val);
}
if (!ntver) {
ret = EINVAL;
goto done;
}
ret = gethostname(hostname, MAXHOSTNAMELEN);
if (ret == -1) {
ret = errno;
goto done;
}
/* Make double sure it is terminated */
hostname[MAXHOSTNAMELEN] = '\0';
dot = strchr(hostname, '.');
if (!dot) {
/* this name is not fully qualified, therefore invalid */
ret = EINVAL;
goto done;
}
/* FIXME: we support only NETLOGON_NT_VERSION_5EX for now */
if (!(ntver & NETLOGON_NT_VERSION_5EX)) {
ret = EINVAL;
goto done;
}
ret = ipa_cldap_get_domain_entry(ctx, &our_domain, &guid, &sid, &name);
if (ret) {
goto done;
}
/* If a domain is provided, check it is our own.
* If no domain is provided the client is asking for our own domain. */
if (domain) {
ret = strcasecmp(domain, our_domain);
if (ret != 0) {
ret = EINVAL;
goto done;
}
}
ret = ipa_cldap_encode_netlogon(hostname, our_domain,
guid, sid, name,
ntver, reply);
done:
free(domain);
slapi_ch_free_string(&our_domain);
slapi_ch_free_string(&guid);
slapi_ch_free_string(&sid);
slapi_ch_free_string(&name);
return ret;
}

68
daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_tests.c Normal file
View File

@@ -0,0 +1,68 @@
/*
Authors:
Sumit Bose <sbose@redhat.com>
Copyright (C) 2014 Red Hat
Tests for FreeIPA CLDAP plugin
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include <stdarg.h>
#include <stddef.h>
#include <setjmp.h>
#include <cmocka.h>
#include "ipa_cldap.h"
void test_make_netbios_name(void **state)
{
char *r;
size_t c;
struct test_data {
char *i;
char *o;
} d[] = {
{"abc", "ABC"},
{"long-host-name-12345", "LONGHOSTNAME123"},
{"abc.def.123", "ABC"},
{"####", NULL},
{NULL, NULL}
};
r = make_netbios_name(NULL, NULL);
assert_null(r);
for (c = 0; d[c].i != NULL; c++) {
r = make_netbios_name(NULL, d[c].i);
if (d[c].o != NULL) {
assert_string_equal(r, d[c].o);
} else {
assert_null(r);
}
}
}
int main(int argc, const char *argv[])
{
const struct CMUnitTest tests[] = {
cmocka_unit_test(test_make_netbios_name),
};
return cmocka_run_group_tests(tests, NULL, NULL);
}

363
daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c Normal file
View File

@@ -0,0 +1,363 @@
/** BEGIN COPYRIGHT BLOCK
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
* Additional permission under GPLv3 section 7:
*
* In the following paragraph, "GPL" means the GNU General Public
* License, version 3 or any later version, and "Non-GPL Code" means
* code that is governed neither by the GPL nor a license
* compatible with the GPL.
*
* You may link the code of this Program with Non-GPL Code and convey
* linked combinations including the two, provided that such Non-GPL
* Code only links to the code of this Program through those well
* defined interfaces identified in the file named EXCEPTION found in
* the source code files (the "Approved Interfaces"). The files of
* Non-GPL Code may instantiate templates or use macros or inline
* functions from the Approved Interfaces without causing the resulting
* work to be covered by the GPL. Only the copyright holders of this
* Program may make changes or additions to the list of Approved
* Interfaces.
*
* Authors:
* Simo Sorce <ssorce@redhat.com>
*
* Copyright (C) 2011 Red Hat, Inc.
* All rights reserved.
* END COPYRIGHT BLOCK **/
#include "ipa_cldap.h"
#include <poll.h>
#include <lber.h>
/* pre allocate some space for answers, default to increment 3 at a time */
static int ipa_cldap_more_kvps(struct kvp_list *kvps)
{
struct kvp *pairs;
if (kvps->allocated - kvps->top > 0) {
return 0;
}
pairs = realloc(kvps->pairs, (kvps->allocated + 3) * sizeof(struct kvp));
if (!pairs) {
return ENOMEM;
}
kvps->pairs = pairs;
kvps->allocated += 3;
return 0;
}
static void ipa_cldap_free_kvps(struct kvp_list *kvps)
{
free(kvps->pairs);
kvps->pairs = NULL;
kvps->allocated = 0;
kvps->top = 0;
}
static int ipa_cldap_get_kvp(BerElement *be, struct kvp_list *kvps)
{
ber_tag_t tag;
int ret;
ret = ipa_cldap_more_kvps(kvps);
if (ret) {
return ret;
}
tag = ber_scanf(be, "{mm}",
&(kvps->pairs[kvps->top].attr),
&(kvps->pairs[kvps->top].value));
if (tag == LBER_ERROR) {
LOG_TRACE("Invalid filter\n");
ret = EINVAL;
} else {
kvps->top++;
}
return ret;
}
static int ipa_cldap_get_tree(BerElement *be, struct kvp_list *kvps)
{
ber_tag_t tag;
ber_tag_t len;
char *cookie;
int ret;
tag = ber_peek_tag(be, &len);
if (tag == LDAP_FILTER_EQUALITY) {
/* Special case of a single clause filter, eg. (NtVer=\06\00\00\00) */
ret = ipa_cldap_get_kvp(be, kvps);
if (ret == 0) {
return 0;
}
}
tag = ber_first_element(be, &len, &cookie);
while (tag != LBER_DEFAULT) {
tag = ber_peek_tag(be, &len);
switch (tag) {
case LDAP_FILTER_EQUALITY:
ret = ipa_cldap_get_kvp(be, kvps);
break;
case LDAP_FILTER_AND:
ret = ipa_cldap_get_tree(be, kvps);
break;
default:
LOG_TRACE("Unsupported filter\n");
ret = EINVAL;
break;
}
if (ret) {
return ret;
}
tag = ber_next_element(be, &len, cookie);
}
return 0;
}
static int ipa_cldap_decode(struct ipa_cldap_req *req)
{
struct berval bv;
BerElement *be;
ber_tag_t tag;
ber_len_t len;
ber_int_t scope;
ber_int_t deref;
ber_int_t sizelimit;
ber_int_t timelimit;
ber_int_t typesonly;
struct berval base;
struct berval attr;
int ret = EINVAL;
bv.bv_val = req->dgram;
bv.bv_len = req->dgsize;
be = ber_alloc_t(0);
if (!be) {
LOG_FATAL("Out of memory!\n");
goto done;
}
ber_init2(be, &bv, 0);
tag = ber_skip_tag(be, &len);
if (tag != LDAP_TAG_MESSAGE) {
LOG_TRACE("Invalid message (%d)\n", (int)tag);
goto done;
}
tag = ber_get_int(be, &req->id);
if (tag != LDAP_TAG_MSGID) {
LOG_TRACE("Failed to get id\n");
goto done;
}
tag = ber_peek_tag(be, &len);
if (tag != LDAP_REQ_SEARCH) {
LOG_TRACE("Unexpected message type (%d)\n", (int)tag);
goto done;
}
tag = ber_scanf(be, "{meeiib",
&base, &scope, &deref, &sizelimit, &timelimit, &typesonly);
if (tag == LBER_ERROR) {
LOG_TRACE("Failed to parse message\n");
goto done;
}
if ((base.bv_len != 0) ||
(scope != 0) ||
(typesonly != 0)){
LOG_TRACE("Unexpected request\n");
goto done;
}
ret = ipa_cldap_get_tree(be, &req->kvps);
if (ret) {
LOG_TRACE("Failed to parse filter\n");
goto done;
}
tag = ber_scanf(be, "{m}}", &attr);
if (tag == LBER_ERROR) {
LOG_TRACE("Failed to parse message\n");
goto done;
}
if (strncasecmp(attr.bv_val, "netlogon", attr.bv_len) != 0) {
LOG_TRACE("Unexpected request\n");
goto done;
}
done:
ber_free(be, 0);
return ret;
}
static void ipa_cldap_respond(struct ipa_cldap_ctx *ctx,
struct ipa_cldap_req *req,
struct berval *nbtblob)
{
struct berval *bv = NULL;
BerElement *be;
int ret;
be = ber_alloc_t(0);
if (!be) {
LOG_OOM();
return;
}
if (nbtblob->bv_len != 0) {
/* result */
ret = ber_printf(be, "{it{s{{s[O]}}}}", req->id,
LDAP_RES_SEARCH_ENTRY, "", "netlogon", nbtblob);
if (ret == LBER_ERROR) {
LOG("Failed to encode CLDAP reply\n");
goto done;
}
}
/* done */
/* As per MS-ADTS 6.3.3.3 always return SUCCESS even for invalid filters */
ret = ber_printf(be, "{it{ess}}", req->id,
LDAP_RES_SEARCH_RESULT, 0, "", "");
if (ret == LBER_ERROR) {
LOG("Failed to encode CLDAP reply\n");
goto done;
}
/* get data blob */
ret = ber_flatten(be, &bv);
if (ret == LBER_ERROR) {
LOG("Failed to encode CLDAP reply\n");
goto done;
}
ret = sendto(ctx->sd, bv->bv_val, bv->bv_len, 0,
(struct sockaddr *)&req->ss, req->ss_len);
if (ret == -1) {
LOG("Failed to send CLDAP reply (%d, %s)\n", errno, strerror(errno));
}
done:
ber_bvfree(bv);
ber_free(be, 1);
}
static void ipa_cldap_process(struct ipa_cldap_ctx *ctx,
struct ipa_cldap_req *req)
{
struct berval reply;
int ret;
ret = ipa_cldap_decode(req);
if (ret) {
goto done;
}
LOG_TRACE("CLDAP Request received");
ret = ipa_cldap_netlogon(ctx, req, &reply);
done:
if (ret != 0) {
/* bad request, or internal error, return empty reply */
/* as Windows does per MS-ADTS 6.3.3.3 */
memset(&reply, 0, sizeof(struct berval));
}
ipa_cldap_respond(ctx, req, &reply);
ipa_cldap_free_kvps(&req->kvps);
free(req);
return;
}
static struct ipa_cldap_req *ipa_cldap_recv_dgram(struct ipa_cldap_ctx *ctx)
{
struct ipa_cldap_req *req;
req = calloc(1, sizeof(struct ipa_cldap_req));
if (!req) {
LOG("Failed to allocate memory for req");
return NULL;
}
req->fd = ctx->sd;
req->ss_len = sizeof(struct sockaddr_storage);
req->dgsize = recvfrom(req->fd, req->dgram, MAX_DG_SIZE, 0,
(struct sockaddr *)&req->ss, &req->ss_len);
if (req->dgsize == -1) {
LOG_TRACE("Failed to get datagram\n");
free(req);
return NULL;
}
return req;
}
void *ipa_cldap_worker(void *arg)
{
struct ipa_cldap_req *req;
struct pollfd fds[2];
bool stop = false;
struct ipa_cldap_ctx *ctx = (struct ipa_cldap_ctx *) arg;
int ret;
while (!stop) {
fds[0].fd = ctx->stopfd[0];
fds[0].events = POLLIN;
fds[0].revents = 0;
fds[1].fd = ctx->sd;
fds[1].events = POLLIN;
fds[1].revents = 0;
/* wait until a request comes in */
ret = poll(fds, 2, -1);
if (ret == -1) {
if (errno != EINTR) {
LOG_FATAL("poll() failed with [%d, %s]. Can't continue.\n",
errno, strerror(errno));
stop = true;
}
}
if (ret <= 0) {
continue;
}
/* got a stop signal, exit the loop */
if (fds[0].revents & POLLIN) {
stop = true;
continue;
}
/* got a CLDAP packet, handle it */
if (fds[1].revents & POLLIN) {
req = ipa_cldap_recv_dgram(ctx);
if (req) {
ipa_cldap_process(ctx, req);
}
}
}
return NULL;
}