archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 5c6fe3db62
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '5c6fe3db62'
${ noResults }
windows-server-2003/net/ias/providers/ntuser/ldap/ldapcxn.cpp

356 lines
9.0 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. ///////////////////////////////////////////////////////////////////////////////
  2. //
  3. // FILE
  4. //
  5. // ldapcxn.cpp
  6. //
  7. // SYNOPSIS
  8. //
  9. // This file defines the class LDAPConnection.
  10. //
  11. // MODIFICATION HISTORY
  12. //
  13. // 05/08/1998 Original version.
  14. // 09/16/1998 Perform access check after bind.
  15. // 03/23/1999 Set timeout for connect.
  16. // 04/14/1999 Specify domain and server when opening a connection.
  17. // 07/09/1999 Disable auto reconnect.
  18. // 09/14/1999 Always specify timeout for LDAP searches.
  19. // 01/25/2000 Encrypt LDAP connections.
  20. // Pass server name (not domain) to ldap_initW.
  21. //
  22. ///////////////////////////////////////////////////////////////////////////////
  24. #include <ias.h>
  25. #include <iasutil.h>
  26. #include <ntldap.h>
  27. #define SECURITY_WIN32
  28. #include <security.h>
  29. #include <new>
  31. #include <ldapcxn.h>
  33. // Search timeout.
  34. LDAP_TIMEVAL LDAPConnection::SEARCH_TIMEOUT = { 10, 0 };
  36. namespace
  37. {
  38. // Timeout for LDAP connects.
  39. LDAP_TIMEVAL CONNECT_TIMEOUT = { 15, 0 };
  41. // RDN for the dummy object used for access checks.
  42. const WCHAR DUMMY_OBJECT[] =
  43. L"CN=RAS and IAS Servers Access Check,CN=System,";
  45. /* Credentials for Kerberos-only bind.
  46. SEC_WINNT_AUTH_IDENTITY_EXW BIND_CREDENTIALS =
  47. {
  48. SEC_WINNT_AUTH_IDENTITY_VERSION,
  49. sizeof(SEC_WINNT_AUTH_IDENTITY_EXW),
  50. NULL,
  51. 0,
  52. NULL,
  53. 0,
  54. NULL,
  55. 0,
  56. SEC_WINNT_AUTH_IDENTITY_UNICODE,
  57. L"Kerberos",
  58. 8
  59. };
  60. */
  61. }
  63. void LDAPConnection::Release() throw ()
  64. {
  65. if (!InterlockedDecrement(&refCount))
  66. {
  67. delete this;
  68. }
  69. }
  71. DWORD LDAPConnection::createInstance(
  72. PCWSTR domain,
  73. PCWSTR server,
  74. LDAPConnection** cxn
  75. ) throw ()
  76. {
  77. DWORD status;
  78. ULONG opt;
  80. // Check the input parameters.
  81. if (cxn == NULL) { return ERROR_INVALID_PARAMETER; }
  83. // Initialize the connection.
  84. LDAP* ld = ldap_initW(
  85. const_cast<PWCHAR>(server),
  86. LDAP_PORT
  87. );
  88. if (ld == NULL)
  89. {
  90. return LdapMapErrorToWin32(LdapGetLastError());
  91. }
  93. // Set the domain name.
  94. status = ldap_set_optionW(ld, LDAP_OPT_DNSDOMAIN_NAME, &domain);
  95. if (status != LDAP_SUCCESS)
  96. {
  97. IASTraceLdapFailure("ldap_set_optionW", status, ld);
  98. ldap_unbind(ld);
  99. return LdapMapErrorToWin32(status);
  100. }
  102. opt = PtrToUlong(LDAP_OPT_ON);
  103. status = ldap_set_optionW(ld, LDAP_OPT_AREC_EXCLUSIVE, &opt);
  104. if (status != LDAP_SUCCESS)
  105. {
  106. IASTraceLdapFailure("ldap_set_optionW", status, ld);
  107. ldap_unbind(ld);
  108. return LdapMapErrorToWin32(status);
  109. }
  111. // Turn on encryption.
  112. opt = PtrToUlong(LDAP_OPT_ON);
  113. status = ldap_set_optionW(ld, LDAP_OPT_ENCRYPT, &opt);
  114. if (status != LDAP_SUCCESS)
  115. {
  116. IASTraceLdapFailure("ldap_set_optionW", status, ld);
  117. ldap_unbind(ld);
  118. return LdapMapErrorToWin32(status);
  119. }
  121. // Connect to the server ...
  122. status = ldap_connect(ld, &CONNECT_TIMEOUT);
  123. if (status == LDAP_SUCCESS)
  124. {
  125. // ... and bind the connection.
  126. status = ldap_bind_sW(ld, NULL, NULL, LDAP_AUTH_NEGOTIATE);
  127. if (status != LDAP_SUCCESS)
  128. {
  129. IASTraceLdapFailure("ldap_bind_s", status, ld);
  130. ldap_unbind(ld);
  131. return LdapMapErrorToWin32(status);
  132. }
  133. }
  134. else
  135. {
  136. IASTraceLdapFailure("ldap_connect", status, ld);
  137. ldap_unbind(ld);
  138. return LdapMapErrorToWin32(status);
  139. }
  141. // Turn off automatic chasing of referrals.
  142. opt = PtrToUlong(LDAP_OPT_OFF);
  143. ldap_set_option(ld, LDAP_OPT_REFERRALS, &opt);
  145. // Turn off auto reconnect of bad connections.
  146. opt = PtrToUlong(LDAP_OPT_OFF);
  147. ldap_set_option(ld, LDAP_OPT_AUTO_RECONNECT, &opt);
  149. // Turn on ldap_conn_from_msg.
  150. opt = PtrToUlong(LDAP_OPT_ON);
  151. ldap_set_option(ld, LDAP_OPT_REF_DEREF_CONN_PER_MSG, &opt);
  153. // Create the LDAPConnection wrapper.
  154. LDAPConnection* newCxn = new (std::nothrow) LDAPConnection(ld);
  155. if (newCxn == NULL)
  156. {
  157. ldap_unbind(ld);
  158. return ERROR_NOT_ENOUGH_MEMORY;
  159. }
  161. // Read the RootDSE.
  162. status = newCxn->readRootDSE();
  164. // Check access permissions.
  165. if (status == NO_ERROR)
  166. {
  167. status = newCxn->checkAccess();
  168. }
  170. // Process the result.
  171. if (status == NO_ERROR)
  172. {
  173. *cxn = newCxn;
  174. }
  175. else
  176. {
  177. newCxn->Release();
  178. }
  180. return status;
  181. }
  183. //////////
  184. //
  185. // NOTE: This doesn't have to be serialized since it's only called from
  186. // within createInstance.
  187. //
  188. //////////
  189. DWORD LDAPConnection::checkAccess() throw ()
  190. {
  191. // Allocate a temporary buffer for the DN.
  192. size_t len = wcslen(base) * sizeof(WCHAR) + sizeof(DUMMY_OBJECT);
  193. PWSTR dn = (PWSTR)_alloca(len);
  195. // Construct the DN of the dummy object.
  196. memcpy(dn, DUMMY_OBJECT, sizeof(DUMMY_OBJECT));
  197. wcscat(dn, base);
  199. // Try to read the dummy object.
  200. PWCHAR attrs[] = { L"CN", NULL };
  201. LDAPMessage* res = NULL;
  202. ULONG ldapError = ldap_search_ext_sW(
  203. connection,
  204. dn,
  205. LDAP_SCOPE_BASE,
  206. L"(objectclass=*)",
  207. attrs,
  208. TRUE,
  209. NULL,
  210. NULL,
  211. &SEARCH_TIMEOUT,
  212. 0,
  213. &res
  214. );
  216. // We have two different error codes.
  217. if (ldapError == LDAP_SUCCESS)
  218. {
  219. ldapError = res->lm_returncode;
  220. }
  222. DWORD status = NO_ERROR;
  224. if (ldapError != LDAP_SUCCESS)
  225. {
  226. TraceFailure("ldap_search_ext_sW", ldapError);
  227. status = LdapMapErrorToWin32(ldapError);
  228. }
  229. else
  230. {
  231. // Get the first attribute from the first entry.
  232. BerElement* ptr;
  233. PWCHAR attr = ldap_first_attributeW(
  234. connection,
  235. ldap_first_entry(connection, res),
  236. &ptr
  237. );
  239. // If we couldn't read any attributes, then we must not be a member
  240. // of the RAS and IAS Servers group.
  241. if (attr == NULL)
  242. {
  243. status = ERROR_ACCESS_DENIED;
  244. }
  245. }
  247. ldap_msgfree(res);
  249. return status;
  250. }
  252. //////////
  253. //
  254. // NOTE: This doesn't have to be serialized since it's only called from
  255. // within createInstance.
  256. //
  257. //////////
  258. DWORD LDAPConnection::readRootDSE() throw ()
  259. {
  260. //////////
  261. // Read the defaultNamingContext from the RootDSE.
  262. //////////
  264. PWCHAR attrs[] = { LDAP_OPATT_DEFAULT_NAMING_CONTEXT_W, NULL };
  265. LDAPMessage* res = NULL;
  266. ULONG ldapError = ldap_search_ext_sW(
  267. connection,
  268. L"",
  269. LDAP_SCOPE_BASE,
  270. L"(objectclass=*)",
  271. attrs,
  272. 0,
  273. NULL,
  274. NULL,
  275. &SEARCH_TIMEOUT,
  276. 0,
  277. &res
  278. );
  280. // We have two different error codes.
  281. if (ldapError == LDAP_SUCCESS)
  282. {
  283. ldapError = res->lm_returncode;
  284. }
  286. if (ldapError != LDAP_SUCCESS)
  287. {
  288. TraceFailure("ldap_search_ext_sW", ldapError);
  289. ldap_msgfree(res);
  290. return LdapMapErrorToWin32(ldapError);
  291. }
  293. //////////
  294. // The search succeeded, so get the attribute value.
  295. //////////
  297. PWCHAR* vals = ldap_get_valuesW(
  298. connection,
  299. ldap_first_entry(connection, res),
  300. LDAP_OPATT_DEFAULT_NAMING_CONTEXT_W
  301. );
  302. DWORD status;
  304. if (vals && *vals)
  305. {
  306. // We got something, so save the value.
  307. base = ias_wcsdup(*vals);
  309. status = base ? NO_ERROR : ERROR_NOT_ENOUGH_MEMORY;
  310. }
  311. else
  312. {
  313. // It's a mandatory attribute but we can't see it, so we must not have
  314. // sufficient permission.
  315. status = ERROR_ACCESS_DENIED;
  316. }
  318. ldap_value_freeW(vals);
  320. ldap_msgfree(res);
  322. return status;
  323. }
  325. void LDAPConnection::TraceFailure(
  326. PCSTR functionName,
  327. ULONG errorCode
  328. )
  329. {
  330. IASTraceLdapFailure(functionName, errorCode, connection);
  331. }
  333. void IASTraceLdapFailure(
  334. PCSTR functionName,
  335. ULONG errorCode,
  336. LDAP* cxn
  337. )
  338. {
  339. _ASSERT(functionName != NULL);
  341. IASTracePrintf("LDAP ERROR in %s. Code = %d", functionName, errorCode);
  343. PWCHAR errorString = NULL;
  344. ULONG result = ldap_get_optionW(
  345. cxn,
  346. LDAP_OPT_SERVER_ERROR,
  347. (void*) &errorString
  348. );
  349. if (result == LDAP_SUCCESS)
  350. {
  351. IASTracePrintf("Extended error string: %S", errorString);
  352. // do what you want with the string here
  353. ldap_memfree(errorString);
  354. }
  355. }