archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7 Commits
1 Branch
0 Tags
2.0 GiB
Tree: 9769ad7c3d
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '9769ad7c3d'
${ noResults }
windows-xp/Source/XPSP1/NT/net/ias/providers/ntuser/ldap/ldapcxn.cpp

291 lines
7.0 KiB
Raw Normal View History

Add source files
4 years ago
  1. ///////////////////////////////////////////////////////////////////////////////
  2. //
  3. // FILE
  4. //
  5. // ldapcxn.cpp
  6. //
  7. // SYNOPSIS
  8. //
  9. // This file defines the class LDAPConnection.
  10. //
  11. // MODIFICATION HISTORY
  12. //
  13. // 05/08/1998 Original version.
  14. // 09/16/1998 Perform access check after bind.
  15. // 03/23/1999 Set timeout for connect.
  16. // 04/14/1999 Specify domain and server when opening a connection.
  17. // 07/09/1999 Disable auto reconnect.
  18. // 09/14/1999 Always specify timeout for LDAP searches.
  19. // 01/25/2000 Encrypt LDAP connections.
  20. // Pass server name (not domain) to ldap_initW.
  21. //
  22. ///////////////////////////////////////////////////////////////////////////////
  24. #include <ias.h>
  25. #include <iasutil.h>
  26. #include <ntldap.h>
  27. #define SECURITY_WIN32
  28. #include <security.h>
  29. #include <new>
  31. #include <ldapcxn.h>
  34. // Search timeout.
  35. LDAP_TIMEVAL LDAPConnection::SEARCH_TIMEOUT = { 10, 0 };
  37. namespace
  38. {
  39. // Timeout for LDAP connects.
  40. LDAP_TIMEVAL CONNECT_TIMEOUT = { 15, 0 };
  42. // RDN for the dummy object used for access checks.
  43. const WCHAR DUMMY_OBJECT[] =
  44. L"CN=RAS and IAS Servers Access Check,CN=System,";
  46. /* Credentials for Kerberos-only bind.
  47. SEC_WINNT_AUTH_IDENTITY_EXW BIND_CREDENTIALS =
  48. {
  49. SEC_WINNT_AUTH_IDENTITY_VERSION,
  50. sizeof(SEC_WINNT_AUTH_IDENTITY_EXW),
  51. NULL,
  52. 0,
  53. NULL,
  54. 0,
  55. NULL,
  56. 0,
  57. SEC_WINNT_AUTH_IDENTITY_UNICODE,
  58. L"Kerberos",
  59. 8
  60. };
  61. */
  62. }
  64. void LDAPConnection::Release() throw ()
  65. {
  66. if (!InterlockedDecrement(&refCount))
  67. {
  68. delete this;
  69. }
  70. }
  72. DWORD LDAPConnection::createInstance(
  73. PCWSTR domain,
  74. PCWSTR server,
  75. LDAPConnection** cxn
  76. ) throw ()
  77. {
  78. DWORD status;
  79. ULONG opt;
  81. // Check the input parameters.
  82. if (cxn == NULL) { return ERROR_INVALID_PARAMETER; }
  84. // Initialize the connection.
  85. LDAP* ld = ldap_initW(
  86. const_cast<PWCHAR>(server),
  87. LDAP_PORT
  88. );
  89. if (ld == NULL)
  90. {
  91. return LdapMapErrorToWin32(LdapGetLastError());
  92. }
  94. // Set the domain name.
  95. ldap_set_optionW(ld, LDAP_OPT_DNSDOMAIN_NAME, &domain);
  97. // Turn on encryption.
  98. opt = PtrToUlong(LDAP_OPT_ON);
  99. ldap_set_option(ld, LDAP_OPT_ENCRYPT, &opt);
  101. // Connect to the server ...
  102. status = ldap_connect(ld, &CONNECT_TIMEOUT);
  103. if (status == LDAP_SUCCESS)
  104. {
  105. // ... and bind the connection.
  106. status = ldap_bind_sW(ld, NULL, NULL, LDAP_AUTH_NEGOTIATE);
  107. }
  109. if (status != LDAP_SUCCESS)
  110. {
  111. ldap_unbind(ld);
  112. return LdapMapErrorToWin32(status);
  113. }
  115. // Turn off automatic chasing of referrals.
  116. opt = PtrToUlong(LDAP_OPT_OFF);
  117. ldap_set_option(ld, LDAP_OPT_REFERRALS, &opt);
  119. // Turn off auto reconnect of bad connections.
  120. opt = PtrToUlong(LDAP_OPT_OFF);
  121. ldap_set_option(ld, LDAP_OPT_AUTO_RECONNECT, &opt);
  123. // Turn on ldap_conn_from_msg.
  124. opt = PtrToUlong(LDAP_OPT_ON);
  125. ldap_set_option(ld, LDAP_OPT_REF_DEREF_CONN_PER_MSG, &opt);
  127. // Create the LDAPConnection wrapper.
  128. LDAPConnection* newCxn = new (std::nothrow) LDAPConnection(ld);
  129. if (newCxn == NULL)
  130. {
  131. ldap_unbind(ld);
  132. return ERROR_NOT_ENOUGH_MEMORY;
  133. }
  135. // Read the RootDSE.
  136. status = newCxn->readRootDSE();
  138. // Check access permissions.
  139. if (status == NO_ERROR) { status = newCxn->checkAccess(); }
  141. // Process the result.
  142. if (status == NO_ERROR)
  143. {
  144. *cxn = newCxn;
  145. }
  146. else
  147. {
  148. newCxn->Release();
  149. }
  151. return status;
  152. }
  154. //////////
  155. //
  156. // NOTE: This doesn't have to be serialized since it's only called from
  157. // within createInstance.
  158. //
  159. //////////
  160. DWORD LDAPConnection::checkAccess() throw ()
  161. {
  162. // Allocate a temporary buffer for the DN.
  163. size_t len = wcslen(base) * sizeof(WCHAR) + sizeof(DUMMY_OBJECT);
  164. PWSTR dn = (PWSTR)_alloca(len);
  166. // Construct the DN of the dummy object.
  167. memcpy(dn, DUMMY_OBJECT, sizeof(DUMMY_OBJECT));
  168. wcscat(dn, base);
  170. // Try to read the dummy object.
  171. PWCHAR attrs[] = { L"CN", NULL };
  172. LDAPMessage* res = NULL;
  173. ULONG ldapError = ldap_search_ext_sW(
  174. connection,
  175. dn,
  176. LDAP_SCOPE_BASE,
  177. L"(objectclass=*)",
  178. attrs,
  179. TRUE,
  180. NULL,
  181. NULL,
  182. &SEARCH_TIMEOUT,
  183. 0,
  184. &res
  185. );
  187. // We have two different error codes.
  188. if (ldapError == LDAP_SUCCESS)
  189. {
  190. ldapError = res->lm_returncode;
  191. }
  193. DWORD status = NO_ERROR;
  195. if (ldapError != LDAP_SUCCESS)
  196. {
  197. status = LdapMapErrorToWin32(ldapError);
  198. }
  199. else
  200. {
  201. // Get the first attribute from the first entry.
  202. BerElement* ptr;
  203. PWCHAR attr = ldap_first_attributeW(
  204. connection,
  205. ldap_first_entry(connection, res),
  206. &ptr
  207. );
  209. // If we couldn't read any attributes, then we must not be a member
  210. // of the RAS and IAS Servers group.
  211. if (attr == NULL) { status = ERROR_ACCESS_DENIED; }
  212. }
  214. ldap_msgfree(res);
  216. return status;
  217. }
  219. //////////
  220. //
  221. // NOTE: This doesn't have to be serialized since it's only called from
  222. // within createInstance.
  223. //
  224. //////////
  225. DWORD LDAPConnection::readRootDSE() throw ()
  226. {
  227. //////////
  228. // Read the defaultNamingContext from the RootDSE.
  229. //////////
  231. PWCHAR attrs[] = { LDAP_OPATT_DEFAULT_NAMING_CONTEXT_W, NULL };
  232. LDAPMessage* res = NULL;
  233. ULONG ldapError = ldap_search_ext_sW(
  234. connection,
  235. L"",
  236. LDAP_SCOPE_BASE,
  237. L"(objectclass=*)",
  238. attrs,
  239. 0,
  240. NULL,
  241. NULL,
  242. &SEARCH_TIMEOUT,
  243. 0,
  244. &res
  245. );
  247. // We have two different error codes.
  248. if (ldapError == LDAP_SUCCESS)
  249. {
  250. ldapError = res->lm_returncode;
  251. }
  253. if (ldapError != LDAP_SUCCESS)
  254. {
  255. ldap_msgfree(res);
  257. return LdapMapErrorToWin32(ldapError);
  258. }
  260. //////////
  261. // The search succeeded, so get the attribute value.
  262. //////////
  264. PWCHAR* vals = ldap_get_valuesW(
  265. connection,
  266. ldap_first_entry(connection, res),
  267. LDAP_OPATT_DEFAULT_NAMING_CONTEXT_W
  268. );
  270. DWORD status;
  272. if (vals && *vals)
  273. {
  274. // We got something, so save the value.
  275. base = ias_wcsdup(*vals);
  277. status = base ? NO_ERROR : ERROR_NOT_ENOUGH_MEMORY;
  278. }
  279. else
  280. {
  281. // It's a mandatory attribute but we can't see it, so we must not have
  282. // sufficient permission.
  283. status = ERROR_ACCESS_DENIED;
  284. }
  286. ldap_value_freeW(vals);
  288. ldap_msgfree(res);
  290. return status;
  291. }