authorAndrew Bartlett <abartlet@samba.org>2017-03-03 12:53:06 +1300
committerAndrew Bartlett <abartlet@samba.org>2017-03-29 02:37:27 +0200
commitf4a4522d1f8c19fdf142e12760160b15de1557ec (patch)
treec24d82860260f28395d0e7d6d0f7b5657133bc97 /source4/ldap_server
parent9a96f901f5e7369b33c839844d5a2286d4d44b6d (diff)
downloadsamba-f4a4522d1f8c19fdf142e12760160b15de1557ec.tar.gz
ldap_server: Log access without a bind
This can be over the privileged ldapi socket, or just as the implicit anonymous access. However, do not log for setting up StartTLS, or a rootDSE search. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz> Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Diffstat (limited to 'source4/ldap_server')
-rw-r--r--source4/ldap_server/ldap_backend.c52
-rw-r--r--source4/ldap_server/ldap_bind.c6
-rw-r--r--source4/ldap_server/ldap_server.h1
-rw-r--r--source4/ldap_server/wscript_build2
4 files changed, 59 insertions, 2 deletions
diff --git a/source4/ldap_server/ldap_backend.c b/source4/ldap_server/ldap_backend.c
index dc6a44c8237..b023eb4dd7c 100644
--- a/source4/ldap_server/ldap_backend.c
+++ b/source4/ldap_server/ldap_backend.c
@@ -24,6 +24,7 @@
#include "auth/credentials/credentials.h"
#include "auth/gensec/gensec.h"
#include "auth/gensec/gensec_internal.h" /* TODO: remove this */
+#include "auth/common_auth.h"
#include "param/param.h"
#include "smbd/service_stream.h"
#include "dsdb/samdb/samdb.h"
@@ -1227,6 +1228,7 @@ NTSTATUS ldapsrv_do_call(struct ldapsrv_call *call)
unsigned int i;
struct ldap_message *msg = call->request;
NTSTATUS status;
+ bool log = true;
/* Check for undecoded critical extensions */
for (i=0; msg->controls && msg->controls[i]; i++) {
@@ -1238,6 +1240,56 @@ NTSTATUS ldapsrv_do_call(struct ldapsrv_call *call)
}
}
+ if (call->conn->authz_logged == false) {
+
+ /*
+ * We do not want to log anonymous access if the query
+ * is just for the rootDSE, or it is a startTLS or a
+ * Bind.
+ *
+ * A rootDSE search could also be done over
+ * CLDAP anonymously for example, so these don't
+ * really count.
+ * Essentially we want to know about
+ * access beyond that normally done prior to a
+ * bind.
+ */
+
+ switch(call->request->type) {
+ case LDAP_TAG_BindRequest:
+ log = false;
+ break;
+ case LDAP_TAG_ExtendedResponse: {
+ struct ldap_ExtendedRequest *req = &call->request->r.ExtendedRequest;
+ if (strcmp(req->oid, LDB_EXTENDED_START_TLS_OID) == 0) {
+ log = false;
+ }
+ break;
+ }
+ case LDAP_TAG_SearchRequest: {
+ struct ldap_SearchRequest *req = &call->request->r.SearchRequest;
+ if (req->scope == LDAP_SEARCH_SCOPE_BASE) {
+ if (req->basedn[0] == '\0') {
+ log = false;
+ }
+ }
+ break;
+ }
+ default:
+ break;
+ }
+
+ if (log) {
+ log_successful_authz_event(call->conn->connection->remote_address,
+ call->conn->connection->local_address,
+ "LDAP",
+ "no bind",
+ call->conn->session_info);
+
+ call->conn->authz_logged = true;
+ }
+ }
+
switch(call->request->type) {
case LDAP_TAG_BindRequest:
return ldapsrv_BindRequest(call);
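Review bot: The StartTLS exemption never matches, because the case label at the extended-operation branch is `LDAP_TAG_ExtendedResponse` while its body reads `call->request->r.ExtendedRequest`; an incoming StartTLS request carries the request tag, so it falls through to `default` and is logged as "no bind" access, contrary to the comment above the switch. Change the label to `case LDAP_TAG_ExtendedRequest: {`. Separately, `strcmp(req->oid, ...)` and `req->basedn[0]` both assume the parsed pointers are non-NULL; if the message decoder can leave either unset for a malformed request, guard them before dereferencing. The enclosing ldapsrv_do_call starts and ends outside this hunk.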
diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c
index e70545f8fa5..5fc50dce538 100644
--- a/source4/ldap_server/ldap_bind.c
+++ b/source4/ldap_server/ldap_bind.c
@@ -109,6 +109,8 @@ static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call)
talloc_unlink(call->conn, call->conn->session_info);
call->conn->session_info = talloc_steal(call->conn, session_info);
+ call->conn->authz_logged = true;
+
/* don't leak the old LDB */
talloc_unlink(call->conn, call->conn->ldb);
@@ -379,7 +381,9 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call)
/* don't leak the old LDB */
talloc_unlink(conn, conn->ldb);
-
+
+ call->conn->authz_logged = true;
+
status = ldapsrv_backend_Init(conn);
if (!NT_STATUS_IS_OK(status)) {
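Review bot: `authz_logged` is set to true on the success path of both ldapsrv_BindSimple and ldapsrv_BindSASL, but nothing in this commit ever clears it, so a later bind on the same connection (for example a rebind that drops back to anonymous, if the server permits one) leaves the flag set and ldapsrv_do_call then never logs the subsequent unbound access. If such a rebind is possible here, reset the flag at the start of bind handling, or state in a comment that the auth subsystem's own bind logging covers that case. In ldapsrv_BindSASL the flag is also set before `ldapsrv_backend_Init` is checked, which is presumably harmless only if a failed init tears the connection down. Both functions start and end outside these hunks.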
diff --git a/source4/ldap_server/ldap_server.h b/source4/ldap_server/ldap_server.h
index 86e5d34f21e..337c974aaae 100644
--- a/source4/ldap_server/ldap_server.h
+++ b/source4/ldap_server/ldap_server.h
@@ -46,6 +46,7 @@ struct ldapsrv_connection {
bool global_catalog;
bool is_privileged;
enum ldap_server_require_strong_auth require_strong_auth;
+ bool authz_logged;
struct {
int initial_timeout;
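Review bot: The new `authz_logged` field has no comment describing its contract; add `/* Set once an authorization event has been logged for this connection, either by a successful bind or by ldapsrv_do_call for access without a bind. */`. Nothing in this commit initializes the field explicitly, so it presumably relies on the connection struct being zero-allocated; worth confirming and noting in the same comment.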
diff --git a/source4/ldap_server/wscript_build b/source4/ldap_server/wscript_build
index 32a77c79c91..881cc893c72 100644
--- a/source4/ldap_server/wscript_build
+++ b/source4/ldap_server/wscript_build
@@ -6,7 +6,7 @@ bld.SAMBA_MODULE('service_ldap',
autoproto='proto.h',
subsystem='service',
init_function='server_service_ldap_init',
- deps='samba-credentials cli-ldap samdb process_model gensec samba-hostconfig samba_server_gensec',
+ deps='samba-credentials cli-ldap samdb process_model gensec samba-hostconfig samba_server_gensec common_auth',
internal_module=False,
enabled=bld.AD_DC_BUILD_IS_ENABLED()
)