author | Andrew Bartlett <abartlet@samba.org> | 2017-02-20 15:57:03 +1300 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2017-03-29 02:37:26 +0200 |
commit | 5f5756db714de0c1b00d648a48423fde19a564a1 (patch) | |
tree | beccc6bc5e12fa30514957352770e3c7ca3ccf18 | |
parent | 7609c57922f1d5041dd65660e157a1ba3bf1a417 (diff) | |
ldap_server: Move code into authenticate_ldap_simple_bind()
This function is only called for simple binds, so by moving the name mapping into
the function we allow the unmapped, client-supplied values to be included in the
user_info and so logged.
We also include the local address and the remote address of the client
for future logging
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
-rw-r--r-- | source4/auth/auth.h | 18 | ||||
-rw-r--r-- | source4/auth/ntlm/auth_simple.c | 42 | ||||
-rw-r--r-- | source4/ldap_server/ldap_bind.c | 22 |
3 files changed, 47 insertions, 35 deletions
diff --git a/source4/auth/auth.h b/source4/auth/auth.h index 7358f40b70d..461d711d22e 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h @@ -158,15 +158,15 @@ NTSTATUS auth_check_password(struct auth4_context *auth_ctx, NTSTATUS auth4_init(void); NTSTATUS auth_register(const struct auth_operations *ops); NTSTATUS server_service_auth_init(void); -NTSTATUS authenticate_username_pw(TALLOC_CTX *mem_ctx, - struct tevent_context *ev, - struct imessaging_context *msg, - struct loadparm_context *lp_ctx, - const char *nt4_domain, - const char *nt4_username, - const char *password, - const uint32_t logon_parameters, - struct auth_session_info **session_info); +NTSTATUS authenticate_ldap_simple_bind(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct imessaging_context *msg, + struct loadparm_context *lp_ctx, + struct tsocket_address *remote_address, + struct tsocket_address *local_address, + const char *dn, + const char *password, + struct auth_session_info **session_info); struct tevent_req *auth_check_password_send(TALLOC_CTX *mem_ctx, struct tevent_context *ev, diff --git a/source4/auth/ntlm/auth_simple.c b/source4/auth/ntlm/auth_simple.c index be2ff5e1690..31dc0e51b18 100644 --- a/source4/auth/ntlm/auth_simple.c +++ b/source4/auth/ntlm/auth_simple.c 
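Review bot: The new `authenticate_ldap_simple_bind()` prototype carries no comment, and unlike the old `nt4_domain`/`nt4_username` pair the parameter names no longer make the contract obvious: a reader cannot tell that `dn` is the raw, client-supplied bind name which the function maps itself, or that `session_info` may be NULL (the .c file says so). I would add a Doxygen block above the prototype saying that `dn` is the unmapped name from the LDAP simple bind request and is mapped to an NT4 domain/user internally (so a mapping failure is returned from here), that `password` is the plaintext from the bind request, that `remote_address`/`local_address` identify the client connection and are recorded in the user_info for logging, and that `session_info` may be NULL when the caller does not need one. Whether the two address parameters can be `const struct tsocket_address *` depends on the user_info field types, which are not visible in this hunk.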
@@ -23,20 +23,21 @@ #include "includes.h" #include "auth/auth.h" +#include "dsdb/samdb/samdb.h" /* It's allowed to pass NULL as session_info, when the caller doesn't need a session_info */ -_PUBLIC_ NTSTATUS authenticate_username_pw(TALLOC_CTX *mem_ctx, - struct tevent_context *ev, - struct imessaging_context *msg, - struct loadparm_context *lp_ctx, - const char *nt4_domain, - const char *nt4_username, - const char *password, - const uint32_t logon_parameters, - struct auth_session_info **session_info) +_PUBLIC_ NTSTATUS authenticate_ldap_simple_bind(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct imessaging_context *msg, + struct loadparm_context *lp_ctx, + struct tsocket_address *remote_address, + struct tsocket_address *local_address, + const char *dn, + const char *password, + struct auth_session_info **session_info) { struct auth4_context *auth_context; struct auth_usersupplied_info *user_info; @@ -44,11 +45,21 @@ _PUBLIC_ NTSTATUS authenticate_username_pw(TALLOC_CTX *mem_ctx, NTSTATUS nt_status; uint8_t authoritative = 0; TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); + const char *nt4_domain; + const char *nt4_username; if (!tmp_ctx) { return NT_STATUS_NO_MEMORY; } + nt_status = crack_auto_name_to_nt4_name(tmp_ctx, ev, lp_ctx, dn, + &nt4_domain, &nt4_username); + + if (!NT_STATUS_IS_OK(nt_status)) { + talloc_free(tmp_ctx); + return nt_status; + } + nt_status = auth_context_create(tmp_ctx, ev, msg, lp_ctx, 
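Review bot: The comment kept above the definition still only says that `session_info` may be NULL, but the contract has changed: the function now receives the raw bind `dn` and performs the name mapping itself, so mapping failures come back from here as an NTSTATUS just like a password failure. I would extend it to `/* Authenticate an LDAP simple bind. dn is the unmapped name from the bind request and is mapped here; remote_address/local_address are recorded in the user_info for logging. session_info may be NULL if not needed. */`. The function remains exported with `_PUBLIC_` although, per the commit message, it is only used for simple binds; if no other user exists, dropping `_PUBLIC_` would keep this plaintext-password entry point off the library ABI. The body of the function continues beyond this hunk.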
@@ -65,14 +76,17 @@ _PUBLIC_ NTSTATUS authenticate_username_pw(TALLOC_CTX *mem_ctx, } user_info->mapped_state = true; - user_info->client.account_name = nt4_username; + user_info->client.account_name = dn; + /* No client.domain_name, use account_name instead */ user_info->mapped.account_name = nt4_username; - user_info->client.domain_name = nt4_domain; user_info->mapped.domain_name = nt4_domain; user_info->workstation_name = NULL; - user_info->remote_host = NULL; + user_info->remote_host = remote_address; + user_info->local_host = local_address; + + user_info->service_description = "ldap simple bind"; user_info->password_state = AUTH_PASSWORD_PLAIN; user_info->password.plaintext = talloc_strdup(user_info, password); @@ -80,7 +94,9 @@ _PUBLIC_ NTSTATUS authenticate_username_pw(TALLOC_CTX *mem_ctx, user_info->flags = USER_INFO_CASE_INSENSITIVE_USERNAME | USER_INFO_DONT_CHECK_UNIX_ACCOUNT; - user_info->logon_parameters = logon_parameters | + user_info->logon_parameters = + MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | + MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT | MSV1_0_CLEARTEXT_PASSWORD_ALLOWED | MSV1_0_CLEARTEXT_PASSWORD_SUPPLIED; diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c index e0f13f2de2d..f51765789c6 100644 --- a/source4/ldap_server/ldap_bind.c +++ b/source4/ldap_server/ldap_bind.c @@ -68,7 +68,6 @@ static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call) int result; const char *errstr; - const char *nt4_domain, *nt4_account; struct auth_session_info *session_info; 
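Review bot: `user_info->client.domain_name` is no longer assigned in this hunk (the old code set it to `nt4_domain`), and the new comment only says account_name is used instead; that is only safe if `user_info` was zero-allocated, which happens outside the hunk, so I would state the invariant: `/* client.domain_name stays NULL: the client-supplied bind DN in account_name carries the whole name */`. Because `dn` is attacker-controlled text that now flows into the authentication log via `client.account_name`, whatever consumes `user_info` for logging must escape control characters and newlines so a crafted bind DN cannot forge log lines. `remote_host` and `local_host` are borrowed pointers from the connection, which is fine as long as `user_info` (allocated under `tmp_ctx` here) does not outlive the connection; the allocation and free of `user_info` are not visible in this hunk.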
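Review bot: The hunk hardcodes `MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT` into `logon_parameters` instead of taking them from the caller; the ldap_bind.c hunk shows the only caller passed exactly these flags, so behaviour is unchanged, but the reason is now invisible at this site. I would add `/* Machine and trust accounts may authenticate with an LDAP simple bind, so allow them; these flags were previously supplied by the caller in ldap_bind.c. */` above the assignment. It is also worth a one-line note that `MSV1_0_CLEARTEXT_PASSWORD_SUPPLIED` is intentional for this path and that protection of the plaintext password on the wire (e.g. requiring TLS) is the caller's responsibility, not this function's, if that is indeed where it is enforced — that cannot be seen from the hunk.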
@@ -93,18 +92,15 @@ static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call) goto do_reply; } - status = crack_auto_name_to_nt4_name(call, call->conn->connection->event.ctx, call->conn->lp_ctx, req->dn, &nt4_domain, &nt4_account); - if (NT_STATUS_IS_OK(status)) { - status = authenticate_username_pw(call, - call->conn->connection->event.ctx, - call->conn->connection->msg_ctx, - call->conn->lp_ctx, - nt4_domain, nt4_account, - req->creds.password, - MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | - MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT, - &session_info); - } + status = authenticate_ldap_simple_bind(call, + call->conn->connection->event.ctx, + call->conn->connection->msg_ctx, + call->conn->lp_ctx, + call->conn->connection->remote_address, + call->conn->connection->local_address, + req->dn, + req->creds.password, + &session_info); if (NT_STATUS_IS_OK(status)) { result = LDAP_SUCCESS; |
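Review bot: `status` now carries two failure classes that the old code obtained from two separate calls — a bind DN that cannot be mapped to an account and a wrong password — and the error branch that turns `status` into an LDAP result code lies below the hunk; make sure both failures map to the same LDAP result and message, otherwise the response lets a client distinguish unknown accounts from bad passwords (user enumeration). A short comment at the call, `/* name mapping and password check both report through status; keep their LDAP result identical */`, would make that expectation explicit. The connection's `remote_address`/`local_address` are passed straight through for logging, which looks correct. `ldapsrv_BindSimple()` begins and ends outside the hunk, so the anonymous/empty-password handling above and the error mapping below could not be checked here.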