int slap_compare_entry(
Operation *op,
Entry *e,
AttributeAssertion *ava )
{
int rc = LDAP_COMPARE_FALSE;
Attribute *a;
if ( ! access_allowed( op, e,
ava->aa_desc, &ava->aa_value, ACL_COMPARE, NULL ) )
{
rc = LDAP_INSUFFICIENT_ACCESS;
goto done;
}
if ( get_assert( op ) &&
( test_filter( op, e, get_assertion( op )) != LDAP_COMPARE_TRUE ))
{
rc = LDAP_ASSERTION_FAILED;
goto done;
}
a = attrs_find( e->e_attrs, ava->aa_desc );
if( a == NULL ) {
rc = LDAP_NO_SUCH_ATTRIBUTE;
goto done;
}
for(;
a != NULL;
a = attrs_find( a->a_next, ava->aa_desc ))
{
if (( ava->aa_desc != a->a_desc ) && ! access_allowed( op,
e, a->a_desc, &ava->aa_value, ACL_COMPARE, NULL ) )
{
rc = LDAP_INSUFFICIENT_ACCESS;
break;
}
if ( attr_valfind( a,
SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
&ava->aa_value, NULL, op->o_tmpmemctx ) == 0 )
{
rc = LDAP_COMPARE_TRUE;
break;
}
}
done:
if( rc != LDAP_COMPARE_TRUE && rc != LDAP_COMPARE_FALSE ) {
if ( ! access_allowed( op, e,
slap_schema.si_ad_entry, NULL, ACL_DISCLOSE, NULL ) )
{
rc = LDAP_NO_SUCH_OBJECT;
}
}
return rc;
}
static dynlist_info_t *
dynlist_is_dynlist_next( Operation *op, SlapReply *rs, dynlist_info_t *old_dli )
{
slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
dynlist_info_t *dli;
Attribute *a;
if ( old_dli == NULL ) {
dli = (dynlist_info_t *)on->on_bi.bi_private;
} else {
dli = old_dli->dli_next;
}
a = attrs_find( rs->sr_entry->e_attrs, slap_schema.si_ad_objectClass );
if ( a == NULL ) {
/* FIXME: objectClass must be present; for non-storage
* backends, like back-ldap, it needs to be added
* to the requested attributes */
return NULL;
}
for ( ; dli; dli = dli->dli_next ) {
if ( dli->dli_lud != NULL ) {
/* check base and scope */
if ( !BER_BVISNULL( &dli->dli_uri_nbase )
&& !dnIsSuffixScope( &rs->sr_entry->e_nname,
&dli->dli_uri_nbase,
dli->dli_lud->lud_scope ) )
{
continue;
}
/* check filter */
if ( dli->dli_uri_filter && test_filter( op, rs->sr_entry, dli->dli_uri_filter ) != LDAP_COMPARE_TRUE ) {
continue;
}
}
if ( attr_valfind( a,
SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
&dli->dli_oc->soc_cname, NULL,
op->o_tmpmemctx ) == 0 )
{
return dli;
}
}
return NULL;
}
static int
dynlist_sc_compare_entry( Operation *op, SlapReply *rs )
{
if ( rs->sr_type == REP_SEARCH && rs->sr_entry != NULL ) {
dynlist_cc_t *dc = (dynlist_cc_t *)op->o_callback;
AttributeAssertion *ava = dc->dc_ava;
Attribute *a = attrs_find( rs->sr_entry->e_attrs, ava->aa_desc );
if ( a != NULL ) {
while ( LDAP_SUCCESS != attr_valfind( a,
SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
&ava->aa_value, NULL, op->o_tmpmemctx )
&& (a = attrs_find( a->a_next, ava->aa_desc )) != NULL )
;
*dc->dc_res = a ? LDAP_COMPARE_TRUE : LDAP_COMPARE_FALSE;
}
}
return 0;
}
static dynlist_info_t *
dynlist_is_dynlist_next( Operation *op, SlapReply *rs, dynlist_info_t *old_dli )
{
slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
dynlist_info_t *dli;
Attribute *a;
if ( old_dli == NULL ) {
dli = (dynlist_info_t *)on->on_bi.bi_private;
} else {
dli = old_dli->dli_next;
}
a = attrs_find( rs->sr_entry->e_attrs, slap_schema.si_ad_objectClass );
if ( a == NULL ) {
/* FIXME: objectClass must be present; for non-storage
* backends, like back-ldap, it needs to be added
* to the requested attributes */
return NULL;
}
for ( ; dli; dli = dli->dli_next ) {
if ( attr_valfind( a,
SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
&dli->dli_oc->soc_cname, NULL,
op->o_tmpmemctx ) == 0 )
{
return dli;
}
}
return NULL;
}
/* This is a copy from slapd/mods.c, but with compaction tweaked
* to swap values from the tail into deleted slots, to reduce the
* overall update traffic.
*/
static int
ndb_modify_delete(
Entry *e,
Modification *mod,
int permissive,
const char **text,
char *textbuf, size_t textlen,
int *idx )
{
Attribute *a;
MatchingRule *mr = mod->sm_desc->ad_type->sat_equality;
struct berval *cvals;
int *id2 = NULL;
int i, j, rc = 0, num;
unsigned flags;
char dummy = '\0';
/* For ordered vals, we have no choice but to preserve order */
if ( mod->sm_desc->ad_type->sat_flags & SLAP_AT_ORDERED_VAL )
return modify_delete_vindex( e, mod, permissive, text,
textbuf, textlen, idx );
/*
* If permissive is set, then the non-existence of an
* attribute is not treated as an error.
*/
/* delete the entire attribute */
if ( mod->sm_values == NULL ) {
rc = attr_delete( &e->e_attrs, mod->sm_desc );
if( permissive ) {
rc = LDAP_SUCCESS;
} else if( rc != LDAP_SUCCESS ) {
*text = textbuf;
snprintf( textbuf, textlen,
"modify/delete: %s: no such attribute",
mod->sm_desc->ad_cname.bv_val );
rc = LDAP_NO_SUCH_ATTRIBUTE;
}
return rc;
}
/* FIXME: Catch old code that doesn't set sm_numvals.
*/
if ( !BER_BVISNULL( &mod->sm_values[mod->sm_numvals] )) {
for ( i = 0; !BER_BVISNULL( &mod->sm_values[i] ); i++ );
assert( mod->sm_numvals == i );
}
if ( !idx ) {
id2 = (int *)ch_malloc( mod->sm_numvals * sizeof( int ));
idx = id2;
}
if( mr == NULL || !mr->smr_match ) {
/* disallow specific attributes from being deleted if
no equality rule */
*text = textbuf;
snprintf( textbuf, textlen,
"modify/delete: %s: no equality matching rule",
mod->sm_desc->ad_cname.bv_val );
rc = LDAP_INAPPROPRIATE_MATCHING;
goto return_result;
}
/* delete specific values - find the attribute first */
if ( (a = attr_find( e->e_attrs, mod->sm_desc )) == NULL ) {
if( permissive ) {
rc = LDAP_SUCCESS;
goto return_result;
}
*text = textbuf;
snprintf( textbuf, textlen,
"modify/delete: %s: no such attribute",
mod->sm_desc->ad_cname.bv_val );
rc = LDAP_NO_SUCH_ATTRIBUTE;
goto return_result;
}
if ( mod->sm_nvalues ) {
flags = SLAP_MR_EQUALITY | SLAP_MR_VALUE_OF_ASSERTION_SYNTAX
| SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH
| SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH;
cvals = mod->sm_nvalues;
} else {
flags = SLAP_MR_EQUALITY | SLAP_MR_VALUE_OF_ASSERTION_SYNTAX;
cvals = mod->sm_values;
}
/* Locate values to delete */
for ( i = 0; !BER_BVISNULL( &mod->sm_values[i] ); i++ ) {
unsigned sort;
rc = attr_valfind( a, flags, &cvals[i], &sort, NULL );
if ( rc == LDAP_SUCCESS ) {
idx[i] = sort;
} else if ( rc == LDAP_NO_SUCH_ATTRIBUTE ) {
if ( permissive ) {
idx[i] = -1;
continue;
}
*text = textbuf;
snprintf( textbuf, textlen,
"modify/delete: %s: no such value",
mod->sm_desc->ad_cname.bv_val );
goto return_result;
} else {
*text = textbuf;
snprintf( textbuf, textlen,
"modify/delete: %s: matching rule failed",
mod->sm_desc->ad_cname.bv_val );
goto return_result;
}
}
num = a->a_numvals;
/* Delete the values */
for ( i = 0; i < mod->sm_numvals; i++ ) {
/* Skip permissive values that weren't found */
if ( idx[i] < 0 )
continue;
/* Skip duplicate delete specs */
if ( a->a_vals[idx[i]].bv_val == &dummy )
continue;
/* delete value and mark it as gone */
free( a->a_vals[idx[i]].bv_val );
a->a_vals[idx[i]].bv_val = &dummy;
if( a->a_nvals != a->a_vals ) {
free( a->a_nvals[idx[i]].bv_val );
a->a_nvals[idx[i]].bv_val = &dummy;
}
a->a_numvals--;
}
/* compact array */
for ( i=0; i<num; i++ ) {
if ( a->a_vals[i].bv_val != &dummy )
continue;
for ( --num; num > i && a->a_vals[num].bv_val == &dummy; num-- )
;
a->a_vals[i] = a->a_vals[num];
if ( a->a_nvals != a->a_vals )
a->a_nvals[i] = a->a_nvals[num];
}
BER_BVZERO( &a->a_vals[num] );
if (a->a_nvals != a->a_vals) {
BER_BVZERO( &a->a_nvals[num] );
}
/* if no values remain, delete the entire attribute */
if ( !a->a_numvals ) {
if ( attr_delete( &e->e_attrs, mod->sm_desc ) ) {
/* Can never happen */
*text = textbuf;
snprintf( textbuf, textlen,
"modify/delete: %s: no such attribute",
mod->sm_desc->ad_cname.bv_val );
rc = LDAP_NO_SUCH_ATTRIBUTE;
}
}
return_result:
if ( id2 )
ch_free( id2 );
return rc;
}
int
modify_add_values(
Entry *e,
Modification *mod,
int permissive,
const char **text,
char *textbuf,
size_t textlen )
{
int rc;
const char *op;
Attribute *a;
Modification pmod = *mod;
switch ( mod->sm_op ) {
case LDAP_MOD_ADD:
op = "add";
break;
case LDAP_MOD_REPLACE:
op = "replace";
break;
default:
op = "?";
assert( 0 );
}
/* FIXME: Catch old code that doesn't set sm_numvals.
*/
if ( !BER_BVISNULL( &mod->sm_values[mod->sm_numvals] )) {
unsigned i;
for ( i = 0; !BER_BVISNULL( &mod->sm_values[i] ); i++ );
assert( mod->sm_numvals == i );
}
/* check if values to add exist in attribute */
a = attr_find( e->e_attrs, mod->sm_desc );
if ( a != NULL ) {
MatchingRule *mr;
struct berval *cvals;
int rc;
unsigned i, p, flags;
mr = mod->sm_desc->ad_type->sat_equality;
if( mr == NULL || !mr->smr_match ) {
/* do not allow add of additional attribute
if no equality rule exists */
*text = textbuf;
snprintf( textbuf, textlen,
"modify/%s: %s: no equality matching rule",
op, mod->sm_desc->ad_cname.bv_val );
return LDAP_INAPPROPRIATE_MATCHING;
}
if ( permissive ) {
i = mod->sm_numvals;
pmod.sm_values = (BerVarray)ch_malloc(
(i + 1) * sizeof( struct berval ));
if ( pmod.sm_nvalues != NULL ) {
pmod.sm_nvalues = (BerVarray)ch_malloc(
(i + 1) * sizeof( struct berval ));
}
}
/* no normalization is done in this routine nor
* in the matching routines called by this routine.
* values are now normalized once on input to the
* server (whether from LDAP or from the underlying
* database).
*/
if ( a->a_desc == slap_schema.si_ad_objectClass ) {
/* Needed by ITS#5517 */
flags = SLAP_MR_EQUALITY | SLAP_MR_VALUE_OF_ATTRIBUTE_SYNTAX;
} else {
flags = SLAP_MR_EQUALITY | SLAP_MR_VALUE_OF_ASSERTION_SYNTAX;
}
if ( mod->sm_nvalues ) {
flags |= SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH |
SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH;
cvals = mod->sm_nvalues;
} else {
cvals = mod->sm_values;
}
for ( p = i = 0; i < mod->sm_numvals; i++ ) {
unsigned slot;
rc = attr_valfind( a, flags, &cvals[i], &slot, NULL );
if ( rc == LDAP_SUCCESS ) {
if ( !permissive ) {
/* value already exists */
*text = textbuf;
snprintf( textbuf, textlen,
"modify/%s: %s: value #%u already exists",
op, mod->sm_desc->ad_cname.bv_val, i );
return LDAP_TYPE_OR_VALUE_EXISTS;
}
} else if ( rc != LDAP_NO_SUCH_ATTRIBUTE ) {
return rc;
}
if ( permissive && rc ) {
if ( pmod.sm_nvalues ) {
pmod.sm_nvalues[p] = mod->sm_nvalues[i];
}
pmod.sm_values[p++] = mod->sm_values[i];
}
}
if ( permissive ) {
if ( p == 0 ) {
/* all new values match exist */
ch_free( pmod.sm_values );
if ( pmod.sm_nvalues ) ch_free( pmod.sm_nvalues );
return LDAP_SUCCESS;
}
BER_BVZERO( &pmod.sm_values[p] );
if ( pmod.sm_nvalues ) {
BER_BVZERO( &pmod.sm_nvalues[p] );
}
}
}
/* no - add them */
if ( mod->sm_desc->ad_type->sat_flags & SLAP_AT_ORDERED_VAL ) {
rc = ordered_value_add( e, mod->sm_desc, a,
pmod.sm_values, pmod.sm_nvalues );
} else {
rc = attr_merge( e, mod->sm_desc, pmod.sm_values, pmod.sm_nvalues );
}
if ( a != NULL && permissive ) {
ch_free( pmod.sm_values );
if ( pmod.sm_nvalues ) ch_free( pmod.sm_nvalues );
}
if ( rc != 0 ) {
/* this should return result of attr_merge */
*text = textbuf;
snprintf( textbuf, textlen,
"modify/%s: %s: merge error (%d)",
op, mod->sm_desc->ad_cname.bv_val, rc );
return LDAP_OTHER;
}
return LDAP_SUCCESS;
}
int mdb_modify_internal(
Operation *op,
MDB_txn *tid,
Modifications *modlist,
Entry *e,
const char **text,
char *textbuf,
size_t textlen )
{
int rc, err;
Modification *mod;
Modifications *ml;
Attribute *save_attrs;
Attribute *ap;
int glue_attr_delete = 0;
int got_delete;
Debug( LDAP_DEBUG_TRACE, "mdb_modify_internal: 0x%08lx: %s\n",
e->e_id, e->e_dn, 0);
if ( !acl_check_modlist( op, e, modlist )) {
return LDAP_INSUFFICIENT_ACCESS;
}
/* save_attrs will be disposed of by caller */
save_attrs = e->e_attrs;
e->e_attrs = attrs_dup( e->e_attrs );
for ( ml = modlist; ml != NULL; ml = ml->sml_next ) {
int match;
mod = &ml->sml_mod;
switch( mod->sm_op ) {
case LDAP_MOD_ADD:
case LDAP_MOD_REPLACE:
if ( mod->sm_desc == slap_schema.si_ad_structuralObjectClass ) {
value_match( &match, slap_schema.si_ad_structuralObjectClass,
slap_schema.si_ad_structuralObjectClass->
ad_type->sat_equality,
SLAP_MR_VALUE_OF_ATTRIBUTE_SYNTAX,
&mod->sm_values[0], &scbva[0], text );
if ( !match ) glue_attr_delete = 1;
}
}
if ( glue_attr_delete )
break;
}
if ( glue_attr_delete ) {
Attribute **app = &e->e_attrs;
while ( *app != NULL ) {
if ( !is_at_operational( (*app)->a_desc->ad_type )) {
Attribute *save = *app;
*app = (*app)->a_next;
attr_free( save );
continue;
}
app = &(*app)->a_next;
}
}
for ( ml = modlist; ml != NULL; ml = ml->sml_next ) {
mod = &ml->sml_mod;
got_delete = 0;
switch ( mod->sm_op ) {
case LDAP_MOD_ADD:
Debug(LDAP_DEBUG_ARGS,
"mdb_modify_internal: add %s\n",
mod->sm_desc->ad_cname.bv_val, 0, 0);
err = modify_add_values( e, mod, get_permissiveModify(op),
text, textbuf, textlen );
if( err != LDAP_SUCCESS ) {
Debug(LDAP_DEBUG_ARGS, "mdb_modify_internal: %d %s\n",
err, *text, 0);
}
break;
case LDAP_MOD_DELETE:
if ( glue_attr_delete ) {
err = LDAP_SUCCESS;
break;
}
Debug(LDAP_DEBUG_ARGS,
"mdb_modify_internal: delete %s\n",
mod->sm_desc->ad_cname.bv_val, 0, 0);
err = modify_delete_values( e, mod, get_permissiveModify(op),
text, textbuf, textlen );
if( err != LDAP_SUCCESS ) {
Debug(LDAP_DEBUG_ARGS, "mdb_modify_internal: %d %s\n",
err, *text, 0);
} else {
got_delete = 1;
}
break;
case LDAP_MOD_REPLACE:
Debug(LDAP_DEBUG_ARGS,
"mdb_modify_internal: replace %s\n",
mod->sm_desc->ad_cname.bv_val, 0, 0);
err = modify_replace_values( e, mod, get_permissiveModify(op),
text, textbuf, textlen );
if( err != LDAP_SUCCESS ) {
Debug(LDAP_DEBUG_ARGS, "mdb_modify_internal: %d %s\n",
err, *text, 0);
} else {
got_delete = 1;
}
break;
case LDAP_MOD_INCREMENT:
Debug(LDAP_DEBUG_ARGS,
"mdb_modify_internal: increment %s\n",
mod->sm_desc->ad_cname.bv_val, 0, 0);
err = modify_increment_values( e, mod, get_permissiveModify(op),
text, textbuf, textlen );
if( err != LDAP_SUCCESS ) {
Debug(LDAP_DEBUG_ARGS,
"mdb_modify_internal: %d %s\n",
err, *text, 0);
} else {
got_delete = 1;
}
break;
case SLAP_MOD_SOFTADD:
Debug(LDAP_DEBUG_ARGS,
"mdb_modify_internal: softadd %s\n",
mod->sm_desc->ad_cname.bv_val, 0, 0);
/* Avoid problems in index_add_mods()
* We need to add index if necessary.
*/
mod->sm_op = LDAP_MOD_ADD;
err = modify_add_values( e, mod, get_permissiveModify(op),
text, textbuf, textlen );
mod->sm_op = SLAP_MOD_SOFTADD;
if ( err == LDAP_TYPE_OR_VALUE_EXISTS ) {
err = LDAP_SUCCESS;
}
if( err != LDAP_SUCCESS ) {
Debug(LDAP_DEBUG_ARGS, "mdb_modify_internal: %d %s\n",
err, *text, 0);
}
break;
case SLAP_MOD_SOFTDEL:
Debug(LDAP_DEBUG_ARGS,
"mdb_modify_internal: softdel %s\n",
mod->sm_desc->ad_cname.bv_val, 0, 0);
/* Avoid problems in index_delete_mods()
* We need to add index if necessary.
*/
mod->sm_op = LDAP_MOD_DELETE;
err = modify_delete_values( e, mod, get_permissiveModify(op),
text, textbuf, textlen );
mod->sm_op = SLAP_MOD_SOFTDEL;
if ( err == LDAP_NO_SUCH_ATTRIBUTE ) {
err = LDAP_SUCCESS;
}
if( err != LDAP_SUCCESS ) {
Debug(LDAP_DEBUG_ARGS, "mdb_modify_internal: %d %s\n",
err, *text, 0);
}
break;
case SLAP_MOD_ADD_IF_NOT_PRESENT:
if ( attr_find( e->e_attrs, mod->sm_desc ) != NULL ) {
/* skip */
err = LDAP_SUCCESS;
break;
}
Debug(LDAP_DEBUG_ARGS,
"mdb_modify_internal: add_if_not_present %s\n",
mod->sm_desc->ad_cname.bv_val, 0, 0);
/* Avoid problems in index_add_mods()
* We need to add index if necessary.
*/
mod->sm_op = LDAP_MOD_ADD;
err = modify_add_values( e, mod, get_permissiveModify(op),
text, textbuf, textlen );
mod->sm_op = SLAP_MOD_ADD_IF_NOT_PRESENT;
if( err != LDAP_SUCCESS ) {
Debug(LDAP_DEBUG_ARGS, "mdb_modify_internal: %d %s\n",
err, *text, 0);
}
break;
default:
Debug(LDAP_DEBUG_ANY, "mdb_modify_internal: invalid op %d\n",
mod->sm_op, 0, 0);
*text = "Invalid modify operation";
err = LDAP_OTHER;
Debug(LDAP_DEBUG_ARGS, "mdb_modify_internal: %d %s\n",
err, *text, 0);
}
if ( err != LDAP_SUCCESS ) {
attrs_free( e->e_attrs );
e->e_attrs = save_attrs;
/* unlock entry, delete from cache */
return err;
}
/* If objectClass was modified, reset the flags */
if ( mod->sm_desc == slap_schema.si_ad_objectClass ) {
e->e_ocflags = 0;
}
if ( glue_attr_delete ) e->e_ocflags = 0;
/* check if modified attribute was indexed
* but not in case of NOOP... */
if ( !op->o_noop ) {
mdb_modify_idxflags( op, mod->sm_desc, got_delete, e->e_attrs, save_attrs );
}
}
/* check that the entry still obeys the schema */
ap = NULL;
rc = entry_schema_check( op, e, save_attrs, get_relax(op), 0, &ap,
text, textbuf, textlen );
if ( rc != LDAP_SUCCESS || op->o_noop ) {
attrs_free( e->e_attrs );
/* clear the indexing flags */
for ( ap = save_attrs; ap != NULL; ap = ap->a_next ) {
ap->a_flags &= ~(SLAP_ATTR_IXADD|SLAP_ATTR_IXDEL);
}
e->e_attrs = save_attrs;
if ( rc != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_ANY,
"entry failed schema check: %s\n",
*text, 0, 0 );
}
/* if NOOP then silently revert to saved attrs */
return rc;
}
/* structuralObjectClass modified! */
if ( ap ) {
assert( ap->a_desc == slap_schema.si_ad_structuralObjectClass );
if ( !op->o_noop ) {
mdb_modify_idxflags( op, slap_schema.si_ad_structuralObjectClass,
1, e->e_attrs, save_attrs );
}
}
/* update the indices of the modified attributes */
/* start with deleting the old index entries */
for ( ap = save_attrs; ap != NULL; ap = ap->a_next ) {
if ( ap->a_flags & SLAP_ATTR_IXDEL ) {
struct berval *vals;
Attribute *a2;
ap->a_flags &= ~SLAP_ATTR_IXDEL;
a2 = attr_find( e->e_attrs, ap->a_desc );
if ( a2 ) {
/* need to detect which values were deleted */
int i, j;
vals = op->o_tmpalloc( (ap->a_numvals + 1) *
sizeof(struct berval), op->o_tmpmemctx );
j = 0;
for ( i=0; i < ap->a_numvals; i++ ) {
rc = attr_valfind( a2, SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
&ap->a_nvals[i], NULL, op->o_tmpmemctx );
/* Save deleted values */
if ( rc == LDAP_NO_SUCH_ATTRIBUTE )
vals[j++] = ap->a_nvals[i];
}
BER_BVZERO(vals+j);
} else {
/* attribute was completely deleted */
vals = ap->a_nvals;
}
rc = 0;
if ( !BER_BVISNULL( vals )) {
rc = mdb_index_values( op, tid, ap->a_desc,
vals, e->e_id, SLAP_INDEX_DELETE_OP );
if ( rc != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_ANY,
"%s: attribute \"%s\" index delete failure\n",
op->o_log_prefix, ap->a_desc->ad_cname.bv_val, 0 );
attrs_free( e->e_attrs );
e->e_attrs = save_attrs;
}
}
if ( vals != ap->a_nvals )
op->o_tmpfree( vals, op->o_tmpmemctx );
if ( rc ) return rc;
}
}
/* add the new index entries */
for ( ap = e->e_attrs; ap != NULL; ap = ap->a_next ) {
if (ap->a_flags & SLAP_ATTR_IXADD) {
ap->a_flags &= ~SLAP_ATTR_IXADD;
rc = mdb_index_values( op, tid, ap->a_desc,
ap->a_nvals,
e->e_id, SLAP_INDEX_ADD_OP );
if ( rc != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_ANY,
"%s: attribute \"%s\" index add failure\n",
op->o_log_prefix, ap->a_desc->ad_cname.bv_val, 0 );
attrs_free( e->e_attrs );
e->e_attrs = save_attrs;
return rc;
}
}
}
return rc;
}
static dynlist_info_t *
dynlist_is_dynlist_next( Operation *op, SlapReply *rs, dynlist_info_t *old_dli )
{
slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
dynlist_info_t *dli;
Attribute *a;
if ( old_dli == NULL ) {
dli = (dynlist_info_t *)on->on_bi.bi_private;
} else {
dli = old_dli->dli_next;
}
a = attrs_find( rs->sr_entry->e_attrs, slap_schema.si_ad_objectClass );
if ( a == NULL ) {
/* FIXME: objectClass must be present; for non-storage
* backends, like back-ldap, it needs to be added
* to the requested attributes */
return NULL;
}
for ( ; dli; dli = dli->dli_next ) {
if ( dli->dli_lud != NULL ) {
/* check base and scope */
if ( !BER_BVISNULL( &dli->dli_uri_nbase ) ) {
int d = rs->sr_entry->e_nname.bv_len - dli->dli_uri_nbase.bv_len;
if ( d < 0 ) {
continue;
}
if ( !dnIsSuffix( &rs->sr_entry->e_nname, &dli->dli_uri_nbase ) ) {
continue;
}
switch ( dli->dli_lud->lud_scope ) {
case LDAP_SCOPE_BASE:
if ( d != 0 ) {
continue;
}
break;
case LDAP_SCOPE_ONELEVEL: {
struct berval pdn;
dnParent( &rs->sr_entry->e_nname, &pdn );
if ( pdn.bv_len != dli->dli_uri_nbase.bv_len ) {
continue;
}
} break;
case LDAP_SCOPE_SUBORDINATE:
if ( d == 0 ) {
continue;
}
break;
case LDAP_SCOPE_SUBTREE:
case LDAP_SCOPE_DEFAULT:
break;
default:
continue;
}
}
/* check filter */
if ( dli->dli_uri_filter && test_filter( op, rs->sr_entry, dli->dli_uri_filter ) != LDAP_COMPARE_TRUE ) {
continue;
}
}
if ( attr_valfind( a,
SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
&dli->dli_oc->soc_cname, NULL,
op->o_tmpmemctx ) == 0 )
{
return dli;
}
}
return NULL;
}
int
bdb_compare( Operation *op, SlapReply *rs )
{
struct bdb_info *bdb = (struct bdb_info *) op->o_bd->be_private;
Entry *e = NULL;
EntryInfo *ei;
Attribute *a;
int manageDSAit = get_manageDSAit( op );
BDB_LOCKER locker;
DB_LOCK lock;
rs->sr_err = LOCK_ID(bdb->bi_dbenv, &locker);
switch(rs->sr_err) {
case 0:
break;
default:
send_ldap_error( op, rs, LDAP_OTHER, "internal error" );
return rs->sr_err;
}
dn2entry_retry:
/* get entry */
rs->sr_err = bdb_dn2entry( op, NULL, &op->o_req_ndn, &ei, 1,
locker, &lock );
switch( rs->sr_err ) {
case DB_NOTFOUND:
case 0:
break;
case LDAP_BUSY:
rs->sr_text = "ldap server busy";
goto return_results;
case DB_LOCK_DEADLOCK:
case DB_LOCK_NOTGRANTED:
goto dn2entry_retry;
default:
rs->sr_err = LDAP_OTHER;
rs->sr_text = "internal error";
goto return_results;
}
e = ei->bei_e;
if ( rs->sr_err == DB_NOTFOUND ) {
if ( e != NULL ) {
/* return referral only if "disclose" is granted on the object */
if ( ! access_allowed( op, e, slap_schema.si_ad_entry,
NULL, ACL_DISCLOSE, NULL ) )
{
rs->sr_err = LDAP_NO_SUCH_OBJECT;
} else {
rs->sr_matched = ch_strdup( e->e_dn );
rs->sr_ref = is_entry_referral( e )
? get_entry_referrals( op, e )
: NULL;
rs->sr_err = LDAP_REFERRAL;
}
bdb_cache_return_entry_r( bdb, e, &lock );
e = NULL;
} else {
rs->sr_ref = referral_rewrite( default_referral,
NULL, &op->o_req_dn, LDAP_SCOPE_DEFAULT );
rs->sr_err = rs->sr_ref ? LDAP_REFERRAL : LDAP_NO_SUCH_OBJECT;
}
send_ldap_result( op, rs );
ber_bvarray_free( rs->sr_ref );
free( (char *)rs->sr_matched );
rs->sr_ref = NULL;
rs->sr_matched = NULL;
goto done;
}
if (!manageDSAit && is_entry_referral( e ) ) {
/* return referral only if "disclose" is granted on the object */
if ( !access_allowed( op, e, slap_schema.si_ad_entry,
NULL, ACL_DISCLOSE, NULL ) )
{
rs->sr_err = LDAP_NO_SUCH_OBJECT;
} else {
/* entry is a referral, don't allow compare */
rs->sr_ref = get_entry_referrals( op, e );
rs->sr_err = LDAP_REFERRAL;
rs->sr_matched = e->e_name.bv_val;
}
Debug( LDAP_DEBUG_TRACE, "entry is referral\n", 0, 0, 0 );
send_ldap_result( op, rs );
ber_bvarray_free( rs->sr_ref );
rs->sr_ref = NULL;
rs->sr_matched = NULL;
goto done;
}
if ( get_assert( op ) &&
( test_filter( op, e, get_assertion( op )) != LDAP_COMPARE_TRUE ))
{
if ( !access_allowed( op, e, slap_schema.si_ad_entry,
NULL, ACL_DISCLOSE, NULL ) )
{
rs->sr_err = LDAP_NO_SUCH_OBJECT;
} else {
rs->sr_err = LDAP_ASSERTION_FAILED;
}
goto return_results;
}
if ( !access_allowed( op, e, op->oq_compare.rs_ava->aa_desc,
&op->oq_compare.rs_ava->aa_value, ACL_COMPARE, NULL ) )
{
/* return error only if "disclose"
* is granted on the object */
if ( !access_allowed( op, e, slap_schema.si_ad_entry,
NULL, ACL_DISCLOSE, NULL ) )
{
rs->sr_err = LDAP_NO_SUCH_OBJECT;
} else {
rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
}
goto return_results;
}
rs->sr_err = LDAP_NO_SUCH_ATTRIBUTE;
for ( a = attrs_find( e->e_attrs, op->oq_compare.rs_ava->aa_desc );
a != NULL;
a = attrs_find( a->a_next, op->oq_compare.rs_ava->aa_desc ) )
{
rs->sr_err = LDAP_COMPARE_FALSE;
if ( attr_valfind( a,
SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
&op->oq_compare.rs_ava->aa_value, NULL,
op->o_tmpmemctx ) == 0 )
{
rs->sr_err = LDAP_COMPARE_TRUE;
break;
}
}
return_results:
send_ldap_result( op, rs );
switch ( rs->sr_err ) {
case LDAP_COMPARE_FALSE:
case LDAP_COMPARE_TRUE:
rs->sr_err = LDAP_SUCCESS;
break;
}
done:
/* free entry */
if ( e != NULL ) {
bdb_cache_return_entry_r( bdb, e, &lock );
}
LOCK_ID_FREE ( bdb->bi_dbenv, locker );
return rs->sr_err;
}
static int
entry_naming_check(
Entry *e,
int manage,
int add_naming,
const char** text,
char *textbuf, size_t textlen )
{
/* naming check */
LDAPRDN rdn = NULL;
const char *p = NULL;
ber_len_t cnt;
int rc = LDAP_SUCCESS;
if ( BER_BVISEMPTY( &e->e_name )) {
return LDAP_SUCCESS;
}
/*
* Get attribute type(s) and attribute value(s) of our RDN
*/
if ( ldap_bv2rdn( &e->e_name, &rdn, (char **)&p,
LDAP_DN_FORMAT_LDAP ) )
{
*text = "unrecognized attribute type(s) in RDN";
return LDAP_INVALID_DN_SYNTAX;
}
/* Check that each AVA of the RDN is present in the entry */
/* FIXME: Should also check that each AVA lists a distinct type */
for ( cnt = 0; rdn[cnt]; cnt++ ) {
LDAPAVA *ava = rdn[cnt];
AttributeDescription *desc = NULL;
Attribute *attr;
const char *errtext;
int add = 0;
if( ava->la_flags & LDAP_AVA_BINARY ) {
snprintf( textbuf, textlen,
"value of naming attribute '%s' in unsupported BER form",
ava->la_attr.bv_val );
rc = LDAP_NAMING_VIOLATION;
break;
}
rc = slap_bv2ad( &ava->la_attr, &desc, &errtext );
if ( rc != LDAP_SUCCESS ) {
snprintf( textbuf, textlen, "%s (in RDN)", errtext );
break;
}
if( desc->ad_type->sat_usage ) {
snprintf( textbuf, textlen,
"naming attribute '%s' is operational",
ava->la_attr.bv_val );
rc = LDAP_NAMING_VIOLATION;
break;
}
if( desc->ad_type->sat_collective ) {
snprintf( textbuf, textlen,
"naming attribute '%s' is collective",
ava->la_attr.bv_val );
rc = LDAP_NAMING_VIOLATION;
break;
}
if( !manage && desc->ad_type->sat_obsolete ) {
snprintf( textbuf, textlen,
"naming attribute '%s' is obsolete",
ava->la_attr.bv_val );
rc = LDAP_NAMING_VIOLATION;
break;
}
if( !desc->ad_type->sat_equality ) {
snprintf( textbuf, textlen,
"naming attribute '%s' has no equality matching rule",
ava->la_attr.bv_val );
rc = LDAP_NAMING_VIOLATION;
break;
}
if( !desc->ad_type->sat_equality->smr_match ) {
snprintf( textbuf, textlen,
"naming attribute '%s' has unsupported equality matching rule",
ava->la_attr.bv_val );
rc = LDAP_NAMING_VIOLATION;
break;
}
/* find the naming attribute */
attr = attr_find( e->e_attrs, desc );
if ( attr == NULL ) {
snprintf( textbuf, textlen,
"naming attribute '%s' is not present in entry",
ava->la_attr.bv_val );
if ( add_naming ) {
add = 1;
} else {
rc = LDAP_NAMING_VIOLATION;
}
} else {
rc = attr_valfind( attr, SLAP_MR_VALUE_OF_ASSERTION_SYNTAX|
SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH,
&ava->la_value, NULL, NULL );
if ( rc != 0 ) {
switch( rc ) {
case LDAP_INAPPROPRIATE_MATCHING:
snprintf( textbuf, textlen,
"inappropriate matching for naming attribute '%s'",
ava->la_attr.bv_val );
break;
case LDAP_INVALID_SYNTAX:
snprintf( textbuf, textlen,
"value of naming attribute '%s' is invalid",
ava->la_attr.bv_val );
break;
case LDAP_NO_SUCH_ATTRIBUTE:
if ( add_naming ) {
if ( is_at_single_value( desc->ad_type ) ) {
snprintf( textbuf, textlen,
"value of single-valued naming attribute '%s' conflicts with value present in entry",
ava->la_attr.bv_val );
} else {
add = 1;
rc = LDAP_SUCCESS;
}
} else {
snprintf( textbuf, textlen,
"value of naming attribute '%s' is not present in entry",
ava->la_attr.bv_val );
}
break;
default:
snprintf( textbuf, textlen,
"naming attribute '%s' is inappropriate",
ava->la_attr.bv_val );
}
if ( !add ) {
rc = LDAP_NAMING_VIOLATION;
}
}
}
if ( add ) {
attr_merge_normalize_one( e, desc, &ava->la_value, NULL );
} else if ( rc != LDAP_SUCCESS ) {
break;
}
}
ldap_rdnfree( rdn );
return rc;
}
int
backsql_compare( Operation *op, SlapReply *rs )
{
SQLHDBC dbh = SQL_NULL_HDBC;
Entry e = { 0 };
Attribute *a = NULL;
backsql_srch_info bsi = { 0 };
int rc;
int manageDSAit = get_manageDSAit( op );
AttributeName anlist[2];
Debug( LDAP_DEBUG_TRACE, "==>backsql_compare()\n", 0, 0, 0 );
rs->sr_err = backsql_get_db_conn( op, &dbh );
if ( rs->sr_err != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_TRACE, "backsql_compare(): "
"could not get connection handle - exiting\n",
0, 0, 0 );
rs->sr_text = ( rs->sr_err == LDAP_OTHER )
? "SQL-backend error" : NULL;
goto return_results;
}
anlist[ 0 ].an_name = op->oq_compare.rs_ava->aa_desc->ad_cname;
anlist[ 0 ].an_desc = op->oq_compare.rs_ava->aa_desc;
BER_BVZERO( &anlist[ 1 ].an_name );
/*
* Get the entry
*/
bsi.bsi_e = &e;
rc = backsql_init_search( &bsi, &op->o_req_ndn, LDAP_SCOPE_BASE,
(time_t)(-1), NULL, dbh, op, rs, anlist,
( BACKSQL_ISF_MATCHED | BACKSQL_ISF_GET_ENTRY ) );
switch ( rc ) {
case LDAP_SUCCESS:
break;
case LDAP_REFERRAL:
if ( manageDSAit && !BER_BVISNULL( &bsi.bsi_e->e_nname ) &&
dn_match( &op->o_req_ndn, &bsi.bsi_e->e_nname ) )
{
rs->sr_err = LDAP_SUCCESS;
rs->sr_text = NULL;
rs->sr_matched = NULL;
if ( rs->sr_ref ) {
ber_bvarray_free( rs->sr_ref );
rs->sr_ref = NULL;
}
break;
}
/* fallthru */
default:
Debug( LDAP_DEBUG_TRACE, "backsql_compare(): "
"could not retrieve compareDN ID - no such entry\n",
0, 0, 0 );
goto return_results;
}
if ( get_assert( op ) &&
( test_filter( op, &e, get_assertion( op ) )
!= LDAP_COMPARE_TRUE ) )
{
rs->sr_err = LDAP_ASSERTION_FAILED;
goto return_results;
}
if ( is_at_operational( op->oq_compare.rs_ava->aa_desc->ad_type ) ) {
SlapReply nrs = { REP_SEARCH };
Attribute **ap;
for ( ap = &e.e_attrs; *ap; ap = &(*ap)->a_next )
;
nrs.sr_attrs = anlist;
nrs.sr_entry = &e;
nrs.sr_attr_flags = SLAP_OPATTRS_NO;
nrs.sr_operational_attrs = NULL;
rs->sr_err = backsql_operational( op, &nrs );
if ( rs->sr_err != LDAP_SUCCESS ) {
goto return_results;
}
*ap = nrs.sr_operational_attrs;
}
if ( ! access_allowed( op, &e, op->oq_compare.rs_ava->aa_desc,
&op->oq_compare.rs_ava->aa_value,
ACL_COMPARE, NULL ) )
{
rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
goto return_results;
}
rs->sr_err = LDAP_NO_SUCH_ATTRIBUTE;
for ( a = attrs_find( e.e_attrs, op->oq_compare.rs_ava->aa_desc );
a != NULL;
a = attrs_find( a->a_next, op->oq_compare.rs_ava->aa_desc ) )
{
rs->sr_err = LDAP_COMPARE_FALSE;
if ( attr_valfind( a,
SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
&op->oq_compare.rs_ava->aa_value, NULL,
op->o_tmpmemctx ) == 0 )
{
rs->sr_err = LDAP_COMPARE_TRUE;
break;
}
}
return_results:;
switch ( rs->sr_err ) {
case LDAP_COMPARE_TRUE:
case LDAP_COMPARE_FALSE:
break;
default:
if ( !BER_BVISNULL( &e.e_nname ) &&
! access_allowed( op, &e,
slap_schema.si_ad_entry, NULL,
ACL_DISCLOSE, NULL ) )
{
rs->sr_err = LDAP_NO_SUCH_OBJECT;
rs->sr_text = NULL;
}
break;
}
send_ldap_result( op, rs );
if ( rs->sr_matched ) {
rs->sr_matched = NULL;
}
if ( rs->sr_ref ) {
ber_bvarray_free( rs->sr_ref );
rs->sr_ref = NULL;
}
if ( !BER_BVISNULL( &bsi.bsi_base_id.eid_ndn ) ) {
(void)backsql_free_entryID( &bsi.bsi_base_id, 0, op->o_tmpmemctx );
}
if ( !BER_BVISNULL( &e.e_nname ) ) {
backsql_entry_clean( op, &e );
}
if ( bsi.bsi_attrs != NULL ) {
op->o_tmpfree( bsi.bsi_attrs, op->o_tmpmemctx );
}
Debug(LDAP_DEBUG_TRACE,"<==backsql_compare()\n",0,0,0);
switch ( rs->sr_err ) {
case LDAP_COMPARE_TRUE:
case LDAP_COMPARE_FALSE:
return LDAP_SUCCESS;
default:
return rs->sr_err;
}
}
static int
dynlist_compare( Operation *op, SlapReply *rs )
{
slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
dynlist_info_t *dli = (dynlist_info_t *)on->on_bi.bi_private;
Operation o = *op;
Entry *e = NULL;
dynlist_map_t *dlm;
for ( ; dli != NULL; dli = dli->dli_next ) {
for ( dlm = dli->dli_dlm; dlm; dlm = dlm->dlm_next )
if ( op->oq_compare.rs_ava->aa_desc == dlm->dlm_member_ad )
break;
if ( dli->dli_dlm && dlm ) {
/* This compare is for one of the attributes we're
* interested in. We'll use slapd's existing dyngroup
* evaluator to get the answer we want.
*/
BerVarray id = NULL, authz = NULL;
o.o_do_not_cache = 1;
if ( ad_dgIdentity && backend_attribute( &o, NULL, &o.o_req_ndn,
ad_dgIdentity, &id, ACL_READ ) == LDAP_SUCCESS )
{
/* if not rootdn and dgAuthz is present,
* check if user can be authorized as dgIdentity */
if ( ad_dgAuthz && !BER_BVISEMPTY( id ) && !be_isroot( op )
&& backend_attribute( &o, NULL, &o.o_req_ndn,
ad_dgAuthz, &authz, ACL_READ ) == LDAP_SUCCESS )
{
rs->sr_err = slap_sasl_matches( op, authz,
&o.o_ndn, &o.o_ndn );
ber_bvarray_free_x( authz, op->o_tmpmemctx );
if ( rs->sr_err != LDAP_SUCCESS ) {
goto done;
}
}
o.o_dn = *id;
o.o_ndn = *id;
o.o_groups = NULL; /* authz changed, invalidate cached groups */
}
rs->sr_err = backend_group( &o, NULL, &o.o_req_ndn,
&o.oq_compare.rs_ava->aa_value, dli->dli_oc, dli->dli_ad );
switch ( rs->sr_err ) {
case LDAP_SUCCESS:
rs->sr_err = LDAP_COMPARE_TRUE;
break;
case LDAP_NO_SUCH_OBJECT:
/* NOTE: backend_group() returns noSuchObject
* if op_ndn does not exist; however, since
* dynamic list expansion means that the
* member attribute is virtually present, the
* non-existence of the asserted value implies
* the assertion is FALSE rather than
* UNDEFINED */
rs->sr_err = LDAP_COMPARE_FALSE;
break;
}
done:;
if ( id ) ber_bvarray_free_x( id, o.o_tmpmemctx );
return SLAP_CB_CONTINUE;
}
}
if ( overlay_entry_get_ov( &o, &o.o_req_ndn, NULL, NULL, 0, &e, on ) !=
LDAP_SUCCESS || e == NULL )
{
return SLAP_CB_CONTINUE;
}
if ( ad_dgIdentity ) {
Attribute *id = attrs_find( e->e_attrs, ad_dgIdentity );
if ( id ) {
Attribute *authz;
/* if not rootdn and dgAuthz is present,
* check if user can be authorized as dgIdentity */
if ( ad_dgAuthz && !BER_BVISEMPTY( &id->a_nvals[0] ) && !be_isroot( op )
&& ( authz = attrs_find( e->e_attrs, ad_dgAuthz ) ) )
{
if ( slap_sasl_matches( op, authz->a_nvals,
&o.o_ndn, &o.o_ndn ) != LDAP_SUCCESS )
{
goto release;
}
}
o.o_dn = id->a_vals[0];
o.o_ndn = id->a_nvals[0];
o.o_groups = NULL;
}
}
dli = (dynlist_info_t *)on->on_bi.bi_private;
for ( ; dli != NULL && rs->sr_err != LDAP_COMPARE_TRUE; dli = dli->dli_next ) {
Attribute *a;
slap_callback cb;
SlapReply r = { REP_SEARCH };
AttributeName an[2];
int rc;
dynlist_sc_t dlc = { 0 };
if ( !is_entry_objectclass_or_sub( e, dli->dli_oc ))
continue;
/* if the entry has the right objectClass, generate
* the dynamic list and compare */
dlc.dlc_dli = dli;
cb.sc_private = &dlc;
cb.sc_response = dynlist_sc_save_entry;
cb.sc_cleanup = NULL;
cb.sc_next = NULL;
o.o_callback = &cb;
o.o_tag = LDAP_REQ_SEARCH;
o.ors_limit = NULL;
o.ors_tlimit = SLAP_NO_LIMIT;
o.ors_slimit = SLAP_NO_LIMIT;
o.o_bd = select_backend( &o.o_req_ndn, 1 );
if ( !o.o_bd || !o.o_bd->be_search ) {
goto release;
}
o.ors_filterstr = *slap_filterstr_objectClass_pres;
o.ors_filter = (Filter *) slap_filter_objectClass_pres;
o.ors_scope = LDAP_SCOPE_BASE;
o.ors_deref = LDAP_DEREF_NEVER;
an[0].an_name = op->orc_ava->aa_desc->ad_cname;
an[0].an_desc = op->orc_ava->aa_desc;
BER_BVZERO( &an[1].an_name );
o.ors_attrs = an;
o.ors_attrsonly = 0;
o.o_acl_priv = ACL_COMPARE;
rc = o.o_bd->be_search( &o, &r );
if ( o.o_dn.bv_val != op->o_dn.bv_val ) {
slap_op_groups_free( &o );
}
if ( rc != 0 ) {
goto release;
}
if ( dlc.dlc_e != NULL ) {
r.sr_entry = dlc.dlc_e;
}
if ( r.sr_err != LDAP_SUCCESS || r.sr_entry == NULL ) {
/* error? */
goto release;
}
for ( a = attrs_find( r.sr_entry->e_attrs, op->orc_ava->aa_desc );
a != NULL;
a = attrs_find( a->a_next, op->orc_ava->aa_desc ) )
{
/* if we're here, we got a match... */
rs->sr_err = LDAP_COMPARE_FALSE;
if ( attr_valfind( a,
SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
&op->orc_ava->aa_value, NULL, op->o_tmpmemctx ) == 0 )
{
rs->sr_err = LDAP_COMPARE_TRUE;
break;
}
}
if ( r.sr_flags & REP_ENTRY_MUSTBEFREED ) {
entry_free( r.sr_entry );
}
}
release:;
if ( e != NULL ) {
overlay_entry_release_ov( &o, e, 0, on );
}
return SLAP_CB_CONTINUE;
}
int pam_authz(nssov_info *ni,TFILE *fp,Operation *op)
{
struct berval dn, uid, svc, ruser, rhost, tty;
struct berval authzmsg = BER_BVNULL;
int32_t tmpint32;
char dnc[1024];
char uidc[32];
char svcc[256];
char ruserc[32];
char rhostc[256];
char ttyc[256];
int rc;
Entry *e = NULL;
Attribute *a;
slap_callback cb = {0};
READ_STRING(fp,uidc);
uid.bv_val = uidc;
uid.bv_len = tmpint32;
READ_STRING(fp,dnc);
dn.bv_val = dnc;
dn.bv_len = tmpint32;
READ_STRING(fp,svcc);
svc.bv_val = svcc;
svc.bv_len = tmpint32;
READ_STRING(fp,ruserc);
ruser.bv_val = ruserc;
ruser.bv_len = tmpint32;
READ_STRING(fp,rhostc);
rhost.bv_val = rhostc;
rhost.bv_len = tmpint32;
READ_STRING(fp,ttyc);
tty.bv_val = ttyc;
tty.bv_len = tmpint32;
Debug(LDAP_DEBUG_TRACE,"nssov_pam_authz(%s)\n",dn.bv_val,0,0);
/* If we didn't do authc, we don't have a DN yet */
if (BER_BVISEMPTY(&dn)) {
struct paminfo pi;
pi.uid = uid;
pi.svc = svc;
rc = pam_uid2dn(ni, op, &pi);
if (rc) goto finish;
dn = pi.dn;
}
/* See if they have access to the host and service */
if ((ni->ni_pam_opts & NI_PAM_HOSTSVC) && nssov_pam_svc_ad) {
AttributeAssertion ava = ATTRIBUTEASSERTION_INIT;
struct berval hostdn = BER_BVNULL;
struct berval odn = op->o_ndn;
SlapReply rs = {REP_RESULT};
op->o_dn = dn;
op->o_ndn = dn;
{
nssov_mapinfo *mi = &ni->ni_maps[NM_host];
char fbuf[1024];
struct berval filter = {sizeof(fbuf),fbuf};
SlapReply rs2 = {REP_RESULT};
/* Lookup the host entry */
nssov_filter_byname(mi,0,&global_host_bv,&filter);
cb.sc_private = &hostdn;
cb.sc_response = nssov_name2dn_cb;
op->o_callback = &cb;
op->o_req_dn = mi->mi_base;
op->o_req_ndn = mi->mi_base;
op->ors_scope = mi->mi_scope;
op->ors_filterstr = filter;
op->ors_filter = str2filter_x(op, filter.bv_val);
op->ors_attrs = slap_anlist_no_attrs;
op->ors_tlimit = SLAP_NO_LIMIT;
op->ors_slimit = 2;
rc = op->o_bd->be_search(op, &rs2);
filter_free_x(op, op->ors_filter, 1);
if (BER_BVISEMPTY(&hostdn) &&
!BER_BVISEMPTY(&ni->ni_pam_defhost)) {
filter.bv_len = sizeof(fbuf);
filter.bv_val = fbuf;
rs_reinit(&rs2, REP_RESULT);
nssov_filter_byname(mi,0,&ni->ni_pam_defhost,&filter);
op->ors_filterstr = filter;
op->ors_filter = str2filter_x(op, filter.bv_val);
rc = op->o_bd->be_search(op, &rs2);
filter_free_x(op, op->ors_filter, 1);
}
/* no host entry, no default host -> deny */
if (BER_BVISEMPTY(&hostdn)) {
rc = NSLCD_PAM_PERM_DENIED;
authzmsg = hostmsg;
goto finish;
}
}
cb.sc_response = pam_compare_cb;
cb.sc_private = NULL;
op->o_tag = LDAP_REQ_COMPARE;
op->o_req_dn = hostdn;
op->o_req_ndn = hostdn;
ava.aa_desc = nssov_pam_svc_ad;
ava.aa_value = svc;
op->orc_ava = &ava;
rc = op->o_bd->be_compare( op, &rs );
if ( cb.sc_private == NULL ) {
authzmsg = svcmsg;
rc = NSLCD_PAM_PERM_DENIED;
goto finish;
}
op->o_dn = odn;
op->o_ndn = odn;
}
/* See if they're a member of the group */
if ((ni->ni_pam_opts & NI_PAM_USERGRP) &&
!BER_BVISEMPTY(&ni->ni_pam_group_dn) &&
ni->ni_pam_group_ad) {
AttributeAssertion ava = ATTRIBUTEASSERTION_INIT;
SlapReply rs = {REP_RESULT};
op->o_callback = &cb;
cb.sc_response = slap_null_cb;
op->o_tag = LDAP_REQ_COMPARE;
op->o_req_dn = ni->ni_pam_group_dn;
op->o_req_ndn = ni->ni_pam_group_dn;
ava.aa_desc = ni->ni_pam_group_ad;
ava.aa_value = dn;
op->orc_ava = &ava;
rc = op->o_bd->be_compare( op, &rs );
if ( rs.sr_err != LDAP_COMPARE_TRUE ) {
authzmsg = grpmsg;
rc = NSLCD_PAM_PERM_DENIED;
goto finish;
}
}
/* We need to check the user's entry for these bits */
if ((ni->ni_pam_opts & (NI_PAM_USERHOST|NI_PAM_USERSVC)) ||
ni->ni_pam_template_ad ||
ni->ni_pam_min_uid || ni->ni_pam_max_uid ) {
rc = be_entry_get_rw( op, &dn, NULL, NULL, 0, &e );
if (rc != LDAP_SUCCESS) {
rc = NSLCD_PAM_USER_UNKNOWN;
goto finish;
}
}
if ((ni->ni_pam_opts & NI_PAM_USERHOST) && nssov_pam_host_ad) {
a = attr_find(e->e_attrs, nssov_pam_host_ad);
if (!a || attr_valfind( a,
SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
SLAP_MR_VALUE_OF_SYNTAX,
&global_host_bv, NULL, op->o_tmpmemctx )) {
rc = NSLCD_PAM_PERM_DENIED;
authzmsg = hostmsg;
goto finish;
}
}
if ((ni->ni_pam_opts & NI_PAM_USERSVC) && nssov_pam_svc_ad) {
a = attr_find(e->e_attrs, nssov_pam_svc_ad);
if (!a || attr_valfind( a,
SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
SLAP_MR_VALUE_OF_SYNTAX,
&svc, NULL, op->o_tmpmemctx )) {
rc = NSLCD_PAM_PERM_DENIED;
authzmsg = svcmsg;
goto finish;
}
}
/* from passwd.c */
#define UIDN_KEY 2
if (ni->ni_pam_min_uid || ni->ni_pam_max_uid) {
int id;
char *tmp;
nssov_mapinfo *mi = &ni->ni_maps[NM_passwd];
a = attr_find(e->e_attrs, mi->mi_attrs[UIDN_KEY].an_desc);
if (!a) {
rc = NSLCD_PAM_PERM_DENIED;
authzmsg = uidmsg;
goto finish;
}
id = (int)strtol(a->a_vals[0].bv_val,&tmp,0);
if (a->a_vals[0].bv_val[0] == '\0' || *tmp != '\0') {
rc = NSLCD_PAM_PERM_DENIED;
authzmsg = uidmsg;
goto finish;
}
if ((ni->ni_pam_min_uid && id < ni->ni_pam_min_uid) ||
(ni->ni_pam_max_uid && id > ni->ni_pam_max_uid)) {
rc = NSLCD_PAM_PERM_DENIED;
authzmsg = uidmsg;
goto finish;
}
}
if (ni->ni_pam_template_ad) {
a = attr_find(e->e_attrs, ni->ni_pam_template_ad);
if (a)
uid = a->a_vals[0];
else if (!BER_BVISEMPTY(&ni->ni_pam_template))
uid = ni->ni_pam_template;
}
rc = NSLCD_PAM_SUCCESS;
finish:
WRITE_INT32(fp,NSLCD_VERSION);
WRITE_INT32(fp,NSLCD_ACTION_PAM_AUTHZ);
WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
WRITE_BERVAL(fp,&uid);
WRITE_BERVAL(fp,&dn);
WRITE_INT32(fp,rc);
WRITE_BERVAL(fp,&authzmsg);
if (e) {
be_entry_release_r(op, e);
}
return 0;
}
static int
test_ava_filter(
Operation *op,
Entry *e,
AttributeAssertion *ava,
int type )
{
int rc;
Attribute *a;
#ifdef LDAP_COMP_MATCH
int i, num_attr_vals = 0;
AttributeAliasing *a_alias = NULL;
#endif
if ( !access_allowed( op, e,
ava->aa_desc, &ava->aa_value, ACL_SEARCH, NULL ) )
{
return LDAP_INSUFFICIENT_ACCESS;
}
if ( ava->aa_desc == slap_schema.si_ad_hasSubordinates
&& op && op->o_bd && op->o_bd->be_has_subordinates )
{
int hasSubordinates;
struct berval hs;
if( type != LDAP_FILTER_EQUALITY &&
type != LDAP_FILTER_APPROX )
{
/* No other match is allowed */
return LDAP_INAPPROPRIATE_MATCHING;
}
if ( op->o_bd->be_has_subordinates( op, e, &hasSubordinates ) !=
LDAP_SUCCESS )
{
return LDAP_OTHER;
}
if ( hasSubordinates == LDAP_COMPARE_TRUE ) {
hs = slap_true_bv;
} else if ( hasSubordinates == LDAP_COMPARE_FALSE ) {
hs = slap_false_bv;
} else {
return LDAP_OTHER;
}
if ( bvmatch( &ava->aa_value, &hs ) ) return LDAP_COMPARE_TRUE;
return LDAP_COMPARE_FALSE;
}
if ( ava->aa_desc == slap_schema.si_ad_entryDN ) {
MatchingRule *mr;
int match;
const char *text;
if( type != LDAP_FILTER_EQUALITY &&
type != LDAP_FILTER_APPROX )
{
/* No other match is allowed */
return LDAP_INAPPROPRIATE_MATCHING;
}
mr = slap_schema.si_ad_entryDN->ad_type->sat_equality;
assert( mr != NULL );
rc = value_match( &match, slap_schema.si_ad_entryDN, mr,
SLAP_MR_EXT, &e->e_nname, &ava->aa_value, &text );
if( rc != LDAP_SUCCESS ) return rc;
if( match == 0 ) return LDAP_COMPARE_TRUE;
return LDAP_COMPARE_FALSE;
}
rc = LDAP_COMPARE_FALSE;
#ifdef LDAP_COMP_MATCH
if ( is_aliased_attribute && ava->aa_cf )
{
a_alias = is_aliased_attribute ( ava->aa_desc );
if ( a_alias )
ava->aa_desc = a_alias->aa_aliased_ad;
else
ava->aa_cf = NULL;
}
#endif
for(a = attrs_find( e->e_attrs, ava->aa_desc );
a != NULL;
a = attrs_find( a->a_next, ava->aa_desc ) )
{
int use;
MatchingRule *mr;
struct berval *bv;
if (( ava->aa_desc != a->a_desc ) && !access_allowed( op,
e, a->a_desc, &ava->aa_value, ACL_SEARCH, NULL ))
{
rc = LDAP_INSUFFICIENT_ACCESS;
continue;
}
use = SLAP_MR_EQUALITY;
switch ( type ) {
case LDAP_FILTER_APPROX:
use = SLAP_MR_EQUALITY_APPROX;
mr = a->a_desc->ad_type->sat_approx;
if( mr != NULL ) break;
/* fallthru: use EQUALITY matching rule if no APPROX rule */
case LDAP_FILTER_EQUALITY:
/* use variable set above so fall thru use is not clobbered */
mr = a->a_desc->ad_type->sat_equality;
break;
case LDAP_FILTER_GE:
case LDAP_FILTER_LE:
use = SLAP_MR_ORDERING;
mr = a->a_desc->ad_type->sat_ordering;
break;
default:
mr = NULL;
}
if( mr == NULL ) {
rc = LDAP_INAPPROPRIATE_MATCHING;
continue;
}
/* We have no Sort optimization for Approx matches */
if (( a->a_flags & SLAP_ATTR_SORTED_VALS ) && type != LDAP_FILTER_APPROX ) {
unsigned slot;
int ret;
/* For Ordering matches, we just need to do one comparison with
* either the first (least) or last (greatest) value.
*/
if ( use == SLAP_MR_ORDERING ) {
const char *text;
int match, which;
which = (type == LDAP_FILTER_LE) ? 0 : a->a_numvals-1;
ret = value_match( &match, a->a_desc, mr, use,
&a->a_nvals[which], &ava->aa_value, &text );
if ( ret != LDAP_SUCCESS ) return ret;
if (( type == LDAP_FILTER_LE && match <= 0 ) ||
( type == LDAP_FILTER_GE && match >= 0 ))
return LDAP_COMPARE_TRUE;
continue;
}
/* Only Equality will get here */
ret = attr_valfind( a, use | SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH |
SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH,
&ava->aa_value, &slot, NULL );
if ( ret == LDAP_SUCCESS )
return LDAP_COMPARE_TRUE;
else if ( ret != LDAP_NO_SUCH_ATTRIBUTE )
return ret;
#if 0
/* The following is useful if we want to know which values
* matched an ordering test. But here we don't care, we just
* want to know if any value did, and that is checked above.
*/
if ( ret == LDAP_NO_SUCH_ATTRIBUTE ) {
/* If insertion point is not the end of the list, there was
* at least one value greater than the assertion.
*/
if ( type == LDAP_FILTER_GE && slot < a->a_numvals )
return LDAP_COMPARE_TRUE;
/* Likewise, if insertion point is not the head of the list,
* there was at least one value less than the assertion.
*/
if ( type == LDAP_FILTER_LE && slot > 0 )
return LDAP_COMPARE_TRUE;
return LDAP_COMPARE_FALSE;
}
#endif
continue;
}
#ifdef LDAP_COMP_MATCH
if ( nibble_mem_allocator && ava->aa_cf && !a->a_comp_data ) {
/* Component Matching */
for ( num_attr_vals = 0; a->a_vals[num_attr_vals].bv_val != NULL; num_attr_vals++ );
if ( num_attr_vals <= 0 )/* no attribute value */
return LDAP_INAPPROPRIATE_MATCHING;
num_attr_vals++;/* for NULL termination */
/* following malloced will be freed by comp_tree_free () */
a->a_comp_data = SLAP_MALLOC( sizeof( ComponentData ) + sizeof( ComponentSyntaxInfo* )*num_attr_vals );
if ( !a->a_comp_data ) {
return LDAP_NO_MEMORY;
}
a->a_comp_data->cd_tree = (ComponentSyntaxInfo**)((char*)a->a_comp_data + sizeof(ComponentData));
i = num_attr_vals;
for ( ; i ; i-- ) {
a->a_comp_data->cd_tree[ i-1 ] = (ComponentSyntaxInfo*)NULL;
}
a->a_comp_data->cd_mem_op = nibble_mem_allocator ( 1024*10*(num_attr_vals-1), 1024 );
if ( a->a_comp_data->cd_mem_op == NULL ) {
free ( a->a_comp_data );
a->a_comp_data = NULL;
return LDAP_OPERATIONS_ERROR;
}
}
i = 0;
#endif
for ( bv = a->a_nvals; !BER_BVISNULL( bv ); bv++ ) {
int ret, match;
const char *text;
#ifdef LDAP_COMP_MATCH
if( attr_converter && ava->aa_cf && a->a_comp_data ) {
/* Check if decoded component trees are already linked */
struct berval cf_bv = { 20, "componentFilterMatch" };
MatchingRule* cf_mr = mr_bvfind( &cf_bv );
MatchingRuleAssertion mra;
mra.ma_cf = ava->aa_cf;
if ( a->a_comp_data->cd_tree[i] == NULL )
a->a_comp_data->cd_tree[i] = attr_converter (a, a->a_desc->ad_type->sat_syntax, (a->a_vals + i));
/* decoding error */
if ( !a->a_comp_data->cd_tree[i] ) {
free_ComponentData ( a );
return LDAP_OPERATIONS_ERROR;
}
ret = value_match( &match, a->a_desc, cf_mr,
SLAP_MR_COMPONENT,
(struct berval*)a->a_comp_data->cd_tree[i++],
(void*)&mra, &text );
if ( ret == LDAP_INAPPROPRIATE_MATCHING ) {
/* cached component tree is broken, just remove it */
free_ComponentData ( a );
return ret;
}
if ( a_alias )
ava->aa_desc = a_alias->aa_aliasing_ad;
} else
#endif
{
ret = ordered_value_match( &match, a->a_desc, mr, use,
bv, &ava->aa_value, &text );
}
if( ret != LDAP_SUCCESS ) {
rc = ret;
break;
}
switch ( type ) {
case LDAP_FILTER_EQUALITY:
case LDAP_FILTER_APPROX:
if ( match == 0 ) return LDAP_COMPARE_TRUE;
break;
case LDAP_FILTER_GE:
if ( match >= 0 ) return LDAP_COMPARE_TRUE;
break;
case LDAP_FILTER_LE:
if ( match <= 0 ) return LDAP_COMPARE_TRUE;
break;
}
}
}
#ifdef LDAP_COMP_MATCH
if ( a_alias )
ava->aa_desc = a_alias->aa_aliasing_ad;
#endif
return rc;
}
int
ndb_back_compare( Operation *op, SlapReply *rs )
{
struct ndb_info *ni = (struct ndb_info *) op->o_bd->be_private;
Entry e = {0};
Attribute *a;
int manageDSAit = get_manageDSAit( op );
NdbArgs NA;
NdbRdns rdns;
struct berval matched;
/* Get our NDB handle */
rs->sr_err = ndb_thread_handle( op, &NA.ndb );
rdns.nr_num = 0;
NA.rdns = &rdns;
e.e_name = op->o_req_dn;
e.e_nname = op->o_req_ndn;
NA.e = &e;
dn2entry_retry:
NA.txn = NA.ndb->startTransaction();
rs->sr_text = NULL;
if( !NA.txn ) {
Debug( LDAP_DEBUG_TRACE,
LDAP_XSTRING(ndb_compare) ": startTransaction failed: %s (%d)\n",
NA.ndb->getNdbError().message, NA.ndb->getNdbError().code, 0 );
rs->sr_err = LDAP_OTHER;
rs->sr_text = "internal error";
goto return_results;
}
NA.ocs = NULL;
/* get entry */
rs->sr_err = ndb_entry_get_info( op, &NA, 0, &matched );
switch( rs->sr_err ) {
case 0:
break;
case LDAP_NO_SUCH_OBJECT:
rs->sr_matched = matched.bv_val;
if ( NA.ocs )
ndb_check_referral( op, rs, &NA );
goto return_results;
case LDAP_BUSY:
rs->sr_text = "ldap server busy";
goto return_results;
#if 0
case DB_LOCK_DEADLOCK:
case DB_LOCK_NOTGRANTED:
goto dn2entry_retry;
#endif
default:
rs->sr_err = LDAP_OTHER;
rs->sr_text = "internal error";
goto return_results;
}
rs->sr_err = ndb_entry_get_data( op, &NA, 0 );
ber_bvarray_free_x( NA.ocs, op->o_tmpmemctx );
if (!manageDSAit && is_entry_referral( &e ) ) {
/* return referral only if "disclose" is granted on the object */
if ( !access_allowed( op, &e, slap_schema.si_ad_entry,
NULL, ACL_DISCLOSE, NULL ) )
{
rs->sr_err = LDAP_NO_SUCH_OBJECT;
} else {
/* entry is a referral, don't allow compare */
rs->sr_ref = get_entry_referrals( op, &e );
rs->sr_err = LDAP_REFERRAL;
rs->sr_matched = e.e_name.bv_val;
rs->sr_flags |= REP_REF_MUSTBEFREED;
}
Debug( LDAP_DEBUG_TRACE, "entry is referral\n", 0, 0, 0 );
goto return_results;
}
if ( get_assert( op ) &&
( test_filter( op, &e, (Filter *)get_assertion( op )) != LDAP_COMPARE_TRUE ))
{
if ( !access_allowed( op, &e, slap_schema.si_ad_entry,
NULL, ACL_DISCLOSE, NULL ) )
{
rs->sr_err = LDAP_NO_SUCH_OBJECT;
} else {
rs->sr_err = LDAP_ASSERTION_FAILED;
}
goto return_results;
}
if ( !access_allowed( op, &e, op->oq_compare.rs_ava->aa_desc,
&op->oq_compare.rs_ava->aa_value, ACL_COMPARE, NULL ) )
{
/* return error only if "disclose"
* is granted on the object */
if ( !access_allowed( op, &e, slap_schema.si_ad_entry,
NULL, ACL_DISCLOSE, NULL ) )
{
rs->sr_err = LDAP_NO_SUCH_OBJECT;
} else {
rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
}
goto return_results;
}
rs->sr_err = LDAP_NO_SUCH_ATTRIBUTE;
for ( a = attrs_find( e.e_attrs, op->oq_compare.rs_ava->aa_desc );
a != NULL;
a = attrs_find( a->a_next, op->oq_compare.rs_ava->aa_desc ) )
{
rs->sr_err = LDAP_COMPARE_FALSE;
if ( attr_valfind( a,
SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
&op->oq_compare.rs_ava->aa_value, NULL,
op->o_tmpmemctx ) == 0 )
{
rs->sr_err = LDAP_COMPARE_TRUE;
break;
}
}
return_results:
NA.txn->close();
if ( e.e_attrs ) {
attrs_free( e.e_attrs );
e.e_attrs = NULL;
}
send_ldap_result( op, rs );
switch ( rs->sr_err ) {
case LDAP_COMPARE_FALSE:
case LDAP_COMPARE_TRUE:
rs->sr_err = LDAP_SUCCESS;
break;
}
return rs->sr_err;
}
static int
aci_mask(
Operation *op,
Entry *e,
AttributeDescription *desc,
struct berval *val,
struct berval *aci,
int nmatch,
regmatch_t *matches,
slap_access_t *grant,
slap_access_t *deny,
slap_aci_scope_t asserted_scope )
{
struct berval bv,
scope,
perms,
type,
opts,
sdn;
int rc;
ACL_INIT( *grant );
ACL_INIT( *deny );
assert( !BER_BVISNULL( &desc->ad_cname ) );
/* parse an aci of the form:
oid # scope # action;rights;attr;rights;attr
$ action;rights;attr;rights;attr # type # subject
[NOTE: the following comment is very outdated,
as the draft version it refers to (Ando, 2004-11-20)].
See draft-ietf-ldapext-aci-model-04.txt section 9.1 for
a full description of the format for this attribute.
Differences: "this" in the draft is "self" here, and
"self" and "public" is in the position of type.
<scope> = {entry|children|subtree}
<type> = {public|users|access-id|subtree|onelevel|children|
self|dnattr|group|role|set|set-ref}
This routine now supports scope={ENTRY,CHILDREN}
with the semantics:
- ENTRY applies to "entry" and "subtree";
- CHILDREN applies to "children" and "subtree"
*/
/* check that the aci has all 5 components */
if ( acl_get_part( aci, 4, '#', NULL ) < 0 ) {
return 0;
}
/* check that the aci family is supported */
/* FIXME: the OID is ignored? */
if ( acl_get_part( aci, 0, '#', &bv ) < 0 ) {
return 0;
}
/* check that the scope matches */
if ( acl_get_part( aci, 1, '#', &scope ) < 0 ) {
return 0;
}
/* note: scope can be either ENTRY or CHILDREN;
* they respectively match "entry" and "children" in bv
* both match "subtree" */
switch ( asserted_scope ) {
case SLAP_ACI_SCOPE_ENTRY:
if ( ber_bvcmp( &scope, &aci_bv[ ACI_BV_ENTRY ] ) != 0
&& ber_bvstrcasecmp( &scope, &aci_bv[ ACI_BV_SUBTREE ] ) != 0 )
{
return 0;
}
break;
case SLAP_ACI_SCOPE_CHILDREN:
if ( ber_bvcmp( &scope, &aci_bv[ ACI_BV_CHILDREN ] ) != 0
&& ber_bvstrcasecmp( &scope, &aci_bv[ ACI_BV_SUBTREE ] ) != 0 )
{
return 0;
}
break;
case SLAP_ACI_SCOPE_SUBTREE:
/* TODO: add assertion? */
return 0;
}
/* get the list of permissions clauses, bail if empty */
if ( acl_get_part( aci, 2, '#', &perms ) <= 0 ) {
LDAP_BUG();
return 0;
}
/* check if any permissions allow desired access */
if ( aci_list_get_rights( &perms, &desc->ad_cname, val, grant, deny ) == 0 ) {
return 0;
}
/* see if we have a DN match */
if ( acl_get_part( aci, 3, '#', &type ) < 0 ) {
LDAP_BUG();
return 0;
}
/* see if we have a public (i.e. anonymous) access */
if ( ber_bvcmp( &aci_bv[ ACI_BV_PUBLIC ], &type ) == 0 ) {
return 1;
}
/* otherwise require an identity */
if ( BER_BVISNULL( &op->o_ndn ) || BER_BVISEMPTY( &op->o_ndn ) ) {
return 0;
}
/* see if we have a users access */
if ( ber_bvcmp( &aci_bv[ ACI_BV_USERS ], &type ) == 0 ) {
return 1;
}
/* NOTE: this may fail if a DN contains a valid '#' (unescaped);
* just grab all the berval up to its end (ITS#3303).
* NOTE: the problem could be solved by providing the DN with
* the embedded '#' encoded as hexpairs: "cn=Foo#Bar" would
* become "cn=Foo\23Bar" and be safely used by aci_mask(). */
#if 0
if ( acl_get_part( aci, 4, '#', &sdn ) < 0 ) {
return 0;
}
#endif
sdn.bv_val = type.bv_val + type.bv_len + STRLENOF( "#" );
sdn.bv_len = aci->bv_len - ( sdn.bv_val - aci->bv_val );
/* get the type options, if any */
if ( acl_get_part( &type, 1, '/', &opts ) > 0 ) {
opts.bv_len = type.bv_len - ( opts.bv_val - type.bv_val );
type.bv_len = opts.bv_val - type.bv_val - 1;
} else {
BER_BVZERO( &opts );
}
if ( ber_bvcmp( &aci_bv[ ACI_BV_ACCESS_ID ], &type ) == 0 ) {
return dn_match( &op->o_ndn, &sdn );
} else if ( ber_bvcmp( &aci_bv[ ACI_BV_SUBTREE ], &type ) == 0 ) {
return dnIsSuffix( &op->o_ndn, &sdn );
} else if ( ber_bvcmp( &aci_bv[ ACI_BV_ONELEVEL ], &type ) == 0 ) {
struct berval pdn;
dnParent( &sdn, &pdn );
return dn_match( &op->o_ndn, &pdn );
} else if ( ber_bvcmp( &aci_bv[ ACI_BV_CHILDREN ], &type ) == 0 ) {
return ( !dn_match( &op->o_ndn, &sdn ) && dnIsSuffix( &op->o_ndn, &sdn ) );
} else if ( ber_bvcmp( &aci_bv[ ACI_BV_SELF ], &type ) == 0 ) {
return dn_match( &op->o_ndn, &e->e_nname );
} else if ( ber_bvcmp( &aci_bv[ ACI_BV_DNATTR ], &type ) == 0 ) {
Attribute *at;
AttributeDescription *ad = NULL;
const char *text;
rc = slap_bv2ad( &sdn, &ad, &text );
assert( rc == LDAP_SUCCESS );
rc = 0;
for ( at = attrs_find( e->e_attrs, ad );
at != NULL;
at = attrs_find( at->a_next, ad ) )
{
if ( attr_valfind( at,
SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
&op->o_ndn, NULL, op->o_tmpmemctx ) == 0 )
{
rc = 1;
break;
}
}
return rc;
} else if ( ber_bvcmp( &aci_bv[ ACI_BV_GROUP ], &type ) == 0 ) {
struct berval oc,
at;
if ( BER_BVISNULL( &opts ) ) {
oc = aci_bv[ ACI_BV_GROUP_CLASS ];
at = aci_bv[ ACI_BV_GROUP_ATTR ];
} else {
if ( acl_get_part( &opts, 0, '/', &oc ) < 0 ) {
LDAP_BUG();
}
if ( acl_get_part( &opts, 1, '/', &at ) < 0 ) {
at = aci_bv[ ACI_BV_GROUP_ATTR ];
}
}
if ( aci_group_member( &sdn, &oc, &at, op, e, nmatch, matches ) )
{
return 1;
}
} else if ( ber_bvcmp( &aci_bv[ ACI_BV_ROLE ], &type ) == 0 ) {
struct berval oc,
at;
if ( BER_BVISNULL( &opts ) ) {
oc = aci_bv[ ACI_BV_ROLE_CLASS ];
at = aci_bv[ ACI_BV_ROLE_ATTR ];
} else {
if ( acl_get_part( &opts, 0, '/', &oc ) < 0 ) {
LDAP_BUG();
}
if ( acl_get_part( &opts, 1, '/', &at ) < 0 ) {
at = aci_bv[ ACI_BV_ROLE_ATTR ];
}
}
if ( aci_group_member( &sdn, &oc, &at, op, e, nmatch, matches ) )
{
return 1;
}
} else if ( ber_bvcmp( &aci_bv[ ACI_BV_SET ], &type ) == 0 ) {
if ( acl_match_set( &sdn, op, e, NULL ) ) {
return 1;
}
} else if ( ber_bvcmp( &aci_bv[ ACI_BV_SET_REF ], &type ) == 0 ) {
if ( acl_match_set( &sdn, op, e, (struct berval *)&aci_bv[ ACI_BV_SET_ATTR ] ) ) {
return 1;
}
} else {
/* it passed normalization! */
LDAP_BUG();
}
return 0;
}
int
monitor_back_compare( Operation *op, SlapReply *rs )
{
monitor_info_t *mi = ( monitor_info_t * ) op->o_bd->be_private;
Entry *e, *matched = NULL;
Attribute *a;
int rc;
/* get entry with reader lock */
monitor_cache_dn2entry( op, rs, &op->o_req_ndn, &e, &matched );
if ( e == NULL ) {
rs->sr_err = LDAP_NO_SUCH_OBJECT;
if ( matched ) {
if ( !access_allowed_mask( op, matched,
slap_schema.si_ad_entry,
NULL, ACL_DISCLOSE, NULL, NULL ) )
{
/* do nothing */ ;
} else {
rs->sr_matched = matched->e_dn;
}
}
send_ldap_result( op, rs );
if ( matched ) {
monitor_cache_release( mi, matched );
rs->sr_matched = NULL;
}
return rs->sr_err;
}
rs->sr_err = access_allowed( op, e, op->oq_compare.rs_ava->aa_desc,
&op->oq_compare.rs_ava->aa_value, ACL_COMPARE, NULL );
if ( !rs->sr_err ) {
rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
goto return_results;
}
rs->sr_err = LDAP_NO_SUCH_ATTRIBUTE;
for ( a = attrs_find( e->e_attrs, op->oq_compare.rs_ava->aa_desc );
a != NULL;
a = attrs_find( a->a_next, op->oq_compare.rs_ava->aa_desc )) {
rs->sr_err = LDAP_COMPARE_FALSE;
if ( attr_valfind( a,
SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
&op->oq_compare.rs_ava->aa_value, NULL,
op->o_tmpmemctx ) == 0 )
{
rs->sr_err = LDAP_COMPARE_TRUE;
break;
}
}
return_results:;
rc = rs->sr_err;
switch ( rc ) {
case LDAP_COMPARE_FALSE:
case LDAP_COMPARE_TRUE:
rc = LDAP_SUCCESS;
break;
case LDAP_NO_SUCH_ATTRIBUTE:
break;
default:
if ( !access_allowed_mask( op, e, slap_schema.si_ad_entry,
NULL, ACL_DISCLOSE, NULL, NULL ) )
{
rs->sr_err = LDAP_NO_SUCH_OBJECT;
}
break;
}
send_ldap_result( op, rs );
rs->sr_err = rc;
monitor_cache_release( mi, e );
return rs->sr_err;
}
