samba.git/source4/ldap_server, branch talloc-2.3.2 Unnamed repository; edit this file 'description' to name the repository. s4:ldap_server: Use samba_server_gensec_start() in ldapsrv_backend_Init() 2020-09-07T12:02:15+00:00 Stefan Metzmacher metze@samba.org 2020-09-04T08:48:27+00:00 5e3363e0b82193700f91a9bae5080aae0b744e5c Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
lib/util: remove extra safe_string.h file 2020-08-28T02:18:40+00:00 Matthew DeVore matvore@google.com 2020-08-07T20:27:39+00:00 232054c09b1932b3940f08aa818703b51d29d968 lib/util/safe_string.h is similar to source3/include/safe_string.h, but the former has fewer checks. It is missing bcopy, strcasecmp, and strncasecmp. Add the missing elements to lib/util/safe_string.h remove the other safe_string.h which is in the source3-specific path. To accomodate existing uses of str(n?)casecmp, add #undef lines to source files where they are used. Signed-off-by: Matthew DeVore <matvore@google.com> Reviewed-by: David Mulder <dmulder@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Fri Aug 28 02:18:40 UTC 2020 on sn-devel-184 
lib/util/safe_string.h is similar to source3/include/safe_string.h, but
the former has fewer checks. It is missing bcopy, strcasecmp, and
strncasecmp.

Add the missing elements to lib/util/safe_string.h remove the other
safe_string.h which is in the source3-specific path. To accomodate
existing uses of str(n?)casecmp, add #undef lines to source files where
they are used.

Signed-off-by: Matthew DeVore <matvore@google.com>
Reviewed-by: David Mulder <dmulder@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Aug 28 02:18:40 UTC 2020 on sn-devel-184
ldap_server: Terminate LDAP connections on krb ticket expiry 2020-08-21T19:14:32+00:00 Volker Lendecke vl@samba.org 2020-08-10T14:24:04+00:00 eb72f887b0bf91c050fd5d911f58a1b3ff9b8bcc See RFC4511 section 4.4.1 and https://lists.samba.org/archive/cifs-protocol/2020-August/003515.html for details: Windows terminates LDAP connections when the krb5 ticket expires, Samba should do the same. This patch slightly deviates from Windows behaviour by sending a LDAP exop response with msgid 0 that is ASN1-encoded conforming to RFC4511. Bug: https://bugzilla.samba.org/show_bug.cgi?id=14465 Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> 
See RFC4511 section 4.4.1 and

https://lists.samba.org/archive/cifs-protocol/2020-August/003515.html

for details: Windows terminates LDAP connections when the krb5 ticket
expires, Samba should do the same. This patch slightly deviates from
Windows behaviour by sending a LDAP exop response with msgid 0 that is
ASN1-encoded conforming to RFC4511.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14465

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
ldap_server: Add the krb5 expiry to conn->limits 2020-08-21T19:14:32+00:00 Volker Lendecke vl@samba.org 2020-08-07T11:40:58+00:00 77f72fb01faba45babfe6080f805361492ce49e5 Bug: https://bugzilla.samba.org/show_bug.cgi?id=14465 Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> 
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14465

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
ldap_server: Fix a typo 2020-08-17T19:35:37+00:00 Volker Lendecke vl@samba.org 2020-08-06T16:39:01+00:00 4f3ab0e9cad8b8a4ce429f1ed13b9eddefff062b Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> 
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
ldap_server: Do an early TALLOC_FREE() 2020-08-17T11:10:04+00:00 Volker Lendecke vl@samba.org 2020-08-10T12:48:45+00:00 3514e4100cc87c840dba43715f84f0b04162c354 We don't need the asn1 struct after this point anymore Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Autobuild-User(master): Volker Lendecke <vl@samba.org> Autobuild-Date(master): Mon Aug 17 11:10:04 UTC 2020 on sn-devel-184 
We don't need the asn1 struct after this point anymore

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Aug 17 11:10:04 UTC 2020 on sn-devel-184
ldap_server: Avoid talloc_memdup() for ldap_decode() 2020-08-17T09:46:36+00:00 Volker Lendecke vl@samba.org 2020-08-10T12:47:26+00:00 86ab46766768dd3fee40f6c61431395fb099fb73 Slight optimization for the ldap server: We don't need to copy the client PDU into the ASN1 struct, the decoding process happens immediately in the same routine. Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> 
Slight optimization for the ldap server: We don't need to copy the
client PDU into the ASN1 struct, the decoding process happens
immediately in the same routine.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
s4 ldap_server: modernize debug calls 2020-05-06T21:15:42+00:00 Gary Lockyer gary@catalyst.net.nz 2020-05-05T21:10:32+00:00 79b371da805af305d51aa324eaa1a9c318158515 Replace DEBUG(0 with DBG_ERR( Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Volker Lendecke <vl@samba.org> 
Replace DEBUG(0 with DBG_ERR(

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Volker Lendecke <vl@samba.org>
CVE-2020-10704: libcli ldap_message: Add search size limits to ldap_decode 2020-05-04T02:59:32+00:00 Gary Lockyer gary@catalyst.net.nz 2020-04-07T20:49:23+00:00 3149ea0a8aada3b03d1ca0af2e3a0f6304cda43b Add search request size limits to ldap_decode calls. The ldap server uses the smb.conf variable "ldap max search request size" which defaults to 250Kb. For cldap the limit is hard coded as 4096. Credit to OSS-Fuzz REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334 Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Add search request size limits to ldap_decode calls.

The ldap server uses the smb.conf variable
"ldap max search request size" which defaults to 250Kb.
For cldap the limit is hard coded as 4096.

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
CVE-2020-10704: S4 ldap server: Limit request sizes 2020-05-04T02:59:32+00:00 Gary Lockyer gary@catalyst.net.nz 2020-04-08T03:32:22+00:00 28ee4acc8347299cb41119012d9256d48c92cc5c Check the size of authenticated and anonymous ldap requests and reject them if they exceed the limits in smb.conf Credit to OSS-Fuzz REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334 Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Check the size of authenticated and anonymous ldap requests and reject
them if they exceed the limits in smb.conf

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>