summaryrefslogtreecommitdiff
path: root/source4/ldap_server/ldap_backend.c
diff options
context:
space:
mode:
Diffstat (limited to 'source4/ldap_server/ldap_backend.c')
-rw-r--r--source4/ldap_server/ldap_backend.c52
1 files changed, 52 insertions, 0 deletions
diff --git a/source4/ldap_server/ldap_backend.c b/source4/ldap_server/ldap_backend.c
index dc6a44c8237..b023eb4dd7c 100644
--- a/source4/ldap_server/ldap_backend.c
+++ b/source4/ldap_server/ldap_backend.c
@@ -24,6 +24,7 @@
#include "auth/credentials/credentials.h"
#include "auth/gensec/gensec.h"
#include "auth/gensec/gensec_internal.h" /* TODO: remove this */
+#include "auth/common_auth.h"
#include "param/param.h"
#include "smbd/service_stream.h"
#include "dsdb/samdb/samdb.h"
@@ -1227,6 +1228,7 @@ NTSTATUS ldapsrv_do_call(struct ldapsrv_call *call)
unsigned int i;
struct ldap_message *msg = call->request;
NTSTATUS status;
+ bool log = true;
/* Check for undecoded critical extensions */
for (i=0; msg->controls && msg->controls[i]; i++) {
@@ -1238,6 +1240,56 @@ NTSTATUS ldapsrv_do_call(struct ldapsrv_call *call)
}
}
+ if (call->conn->authz_logged == false) {
+
+ /*
+ * We do not want to log anonymous access if the query
+ * is just for the rootDSE, or it is a startTLS or a
+ * Bind.
+ *
+ * A rootDSE search could also be done over
+ * CLDAP anonymously for example, so these don't
+ * really count.
+ * Essentially we want to know about
+ * access beyond that normally done prior to a
+ * bind.
+ */
+
+ switch(call->request->type) {
+ case LDAP_TAG_BindRequest:
+ log = false;
+ break;
+ case LDAP_TAG_ExtendedResponse: {
+ struct ldap_ExtendedRequest *req = &call->request->r.ExtendedRequest;
+ if (strcmp(req->oid, LDB_EXTENDED_START_TLS_OID) == 0) {
+ log = false;
+ }
+ break;
+ }
+ case LDAP_TAG_SearchRequest: {
+ struct ldap_SearchRequest *req = &call->request->r.SearchRequest;
+ if (req->scope == LDAP_SEARCH_SCOPE_BASE) {
+ if (req->basedn[0] == '\0') {
+ log = false;
+ }
+ }
+ break;
+ }
+ default:
+ break;
+ }
+
+ if (log) {
+ log_successful_authz_event(call->conn->connection->remote_address,
+ call->conn->connection->local_address,
+ "LDAP",
+ "no bind",
+ call->conn->session_info);
+
+ call->conn->authz_logged = true;
+ }
+ }
+
switch(call->request->type) {
case LDAP_TAG_BindRequest:
return ldapsrv_BindRequest(call);
View Lorry Controller Status