/// <summary>
/// Creates a BindRequest with simple bind.
/// </summary>
/// <param name="context">The user context which contains message ID.</param>
/// <param name="name">
/// The name field of BindRequest, see TD Section 5.1.1.1.1 for full list of legal names.
/// </param>
/// <param name="password">The password credential of the object.</param>
/// <returns>The packet that contains the request.</returns>
internal override AdtsBindRequestPacket CreateSimpleBindRequest(
AdtsLdapContext context,
string name,
string password)
{
AuthenticationChoice authentication = new AuthenticationChoice();
authentication.SetData(AuthenticationChoice.simple, new Asn1OctetString(password ?? string.Empty));
BindRequest bindRequest = new BindRequest(
new Asn1Integer((long)version),
new LDAPDN(name ?? string.Empty),
authentication);
return CreateBindRequestPacket(context, bindRequest);
}
/// <summary>
/// Creates a BindRequestPacket with context and BindRequest.
/// </summary>
/// <param name="context">The context.</param>
/// <param name="bindRequest">The BindRequest message.</param>
/// <returns>The BindRequestPacket.</returns>
private AdtsBindRequestPacket CreateBindRequestPacket(
AdtsLdapContext context,
BindRequest bindRequest)
{
LDAPMessage_protocolOp operation = new LDAPMessage_protocolOp();
operation.SetData(LDAPMessage_protocolOp.bindRequest, bindRequest);
MessageID messageId = new MessageID(context.MessageId);
LDAPMessage message = new LDAPMessage(messageId, operation, null);
AdtsBindRequestPacket packet = new AdtsBindRequestPacket();
packet.ldapMessagev3 = message;
packet.messageId = context.MessageId;
return packet;
}
/// <summary>
/// Creates a BindRequest with simple bind for Active Directory Domain Services(AD DS).
/// </summary>
/// <param name="context">The user context which contains message ID.</param>
/// <param name="username">User name which doesn't include domain prefix.</param>
/// <param name="password">Password of user.</param>
/// <param name="domainNetbiosName">NetBIOS domain name(with suffix like ".com" removed).</param>
/// <returns>The packet that contains the request.</returns>
/// <exception cref="ArgumentNullException">Thrown when username is null.</exception>
internal override AdtsBindRequestPacket CreateSimpleBindRequest(
AdtsLdapContext context,
string username,
string password,
string domainNetbiosName)
{
if (username == null)
{
throw new ArgumentNullException("username");
}
AuthenticationChoice authentication = new AuthenticationChoice();
authentication.SetData(AuthenticationChoice.simple, new Asn1OctetString(password ?? string.Empty));
string fullname = (domainNetbiosName != null) ? (domainNetbiosName + "\\" + username) : username;
BindRequest bindRequest = new BindRequest(
new Asn1Integer((long)version),
new LDAPDN(fullname),
authentication);
return CreateBindRequestPacket(context, bindRequest);
}
/// <summary>
/// Creates a sicily response BindRequest packet. Usually it's the last packet of authentication during
/// the bind process.
/// </summary>
/// <param name="context">The user context which contains message ID.</param>
/// <param name="credential">The credential to be sent, it can be calculated with SSPI.</param>
/// <returns>The packet that contains the request.</returns>
internal override AdtsBindRequestPacket CreateSicilyResponseBindRequest(
AdtsLdapContext context,
byte[] credential)
{
AuthenticationChoice authentication = new AuthenticationChoice();
authentication.SetData(AuthenticationChoice.sicilyResponse, new Asn1OctetString(credential ?? (new byte[0])));
BindRequest bindRequest = new BindRequest(
new Asn1Integer((long)version),
new LDAPDN(new byte[0]),
authentication);
return CreateBindRequestPacket(context, bindRequest);
}
/// <summary>
/// Creates a sicily package discovery BindRequest packet.
/// </summary>
/// <param name="context">The user context which contains message ID.</param>
/// <returns>The sicily package discovery BindRequest.</returns>
internal override AdtsBindRequestPacket CreateSicilyPackageDiscoveryBindRequest(AdtsLdapContext context)
{
AuthenticationChoice authentication = new AuthenticationChoice();
authentication.SetData(AuthenticationChoice.sicilyPackageDiscovery, new Asn1OctetString(string.Empty));
BindRequest bindRequest = new BindRequest(
new Asn1Integer((long)version),
new LDAPDN(new byte[0]), // For Sicily package discovery, DN is not required.
authentication);
return CreateBindRequestPacket(context, bindRequest);
}
/// <summary>
/// Creates a BindRequest with SASL bind. This method is for LDAP v3 only.
/// Note that for GSS-SPNEGO with NTLM, two rounds of bind requests is required.
/// </summary>
/// <param name="context">The user context which contains message ID.</param>
/// <param name="mechanism">Authentication mechanism used, e.g., GSS-SPNEGO, etc.</param>
/// <param name="credential">The credential to be sent, it can be calculated with SSPI.</param>
/// <returns>The packet that contains the request.</returns>
internal override AdtsBindRequestPacket CreateSaslBindRequest(
AdtsLdapContext context,
string mechanism,
byte[] credential)
{
AuthenticationChoice authentication = new AuthenticationChoice();
authentication.SetData(
AuthenticationChoice.sasl,
new SaslCredentials(
new LDAPString(mechanism ?? string.Empty),
new Asn1OctetString(credential ?? (new byte[0]))));
BindRequest bindRequest = new BindRequest(
new Asn1Integer((long)version),
new LDAPDN(new byte[0]), // For SASL, DN is not required.
authentication);
return CreateBindRequestPacket(context, bindRequest);
}
/// <summary>
/// This method encapsulates LdapV2Decoder and LdapV3Decoder because the incoming packets may be
/// LDAP v2 or v3 packets, the decoding may require both decoders if the LDAP version that client uses
/// is not clear.
/// </summary>
/// <param name="endPoint">The end point of the client.</param>
/// <param name="messageBytes">The message bytes that contains the packet data.</param>
/// <param name="consumedLength">Consumed length.</param>
/// <param name="expectedLength">
/// Indicates expected length if the message bytes doesn't all packet data.
/// </param>
/// <returns>Decoded packets.</returns>
internal override StackPacket[] DecodeLdapPacketCallBack(
object endPoint,
byte[] messageBytes,
out int consumedLength,
out int expectedLength)
{
// Get packet data, start decoding.
IPEndPoint remote = (IPEndPoint)endPoint;
AdtsLdapContext context = GetContext(remote, this.server.IsTcp);
byte[] data = messageBytes;
// decode messageBytes if needed
if (context != null && messageBytes != null)
{
// if security is not init, and the package is SslHandshake, init security.
if (context.Security == null)
{
AdtsLdapSslTlsSecurityHeader header = new AdtsLdapSslTlsSecurityHeader();
header.FromBytes(messageBytes);
if (header.IsSslHandShake)
{
this.server.SslStartup(context);
}
}
// decode messageBytes with security.
if (context.Security != null)
{
data = this.server.Decrypt(context, messageBytes);
}
}
byte[] packetData = this.GetSinglePacketData(data, out consumedLength, out expectedLength);
// add the comsumed length of security decorder
if (context != null && context.Security != null && context.Security.ConsumedData)
{
consumedLength = context.Security.ConsumedLength;
}
if (packetData == null)
{
return(null);
}
// New connection. Try both LDAP v2 and v3 decoders. Note that for requests that don't have version
// context(e.g., UDP search requests), LDAP v3 is used by default.
AdtsLdapPacket packet = null;
if (context == null)
{
context = new AdtsLdapContext(AdtsLdapVersion.V3, remote);
packet = this.decoderv3.ParseAdtsLdapPacket(
this.decoderv3.AuthenticateMessage(packetData),
context);
// synchronize the message ID with newly received packet.
context.MessageId = packet.messageId;
// Check BindRequestPacket, normally it's the first message from client in which
// contains the LDAP version. And since LDAP v3 decoder can decode LDAP v2 messages
// without any exception, we need to check into the 'version' variable in the request.
AdtsBindRequestPacket bindRequestPacket = packet as AdtsBindRequestPacket;
if (bindRequestPacket != null)
{
LdapV3.BindRequest bindRequest =
(LdapV3.BindRequest)bindRequestPacket.GetInnerRequestOrResponse();
// Version doesn't match. Decode again with LDAP v2 decoder and update context version.
if ((AdtsLdapVersion)bindRequest.version.Value == AdtsLdapVersion.V2)
{
packet = this.decoderv2.ParseAdtsLdapPacket(
this.decoderv2.AuthenticateMessage(packetData),
context);
context.ClientVersion = context.ServerVersion = AdtsLdapVersion.V2;
}
}
// Add context.
this.server.ContextManager.AddContext(context, this.server.IsTcp);
}
else
{
if (context.ClientVersion == AdtsLdapVersion.V2)
{
packet = this.decoderv2.ParseAdtsLdapPacket(
this.decoderv2.AuthenticateMessage(packetData),
context);
}
else
{
packet = this.decoderv3.ParseAdtsLdapPacket(
this.decoderv3.AuthenticateMessage(packetData),
context);
}
// synchronize the message ID with newly received packet.
context.MessageId = packet.messageId;
}
return(new StackPacket[] { packet });
}
