int
plugin_call_acl_plugin ( Slapi_PBlock *pb, Slapi_Entry *e, char **attrs,
struct berval *val, int access , int flags, char **errbuf)
{
struct slapdplugin *p;
int rc = LDAP_INSUFFICIENT_ACCESS;
int aclplugin_initialized = 0;
Operation *operation;
slapi_pblock_get (pb, SLAPI_OPERATION, &operation);
/* we don't perform acl check for internal operations and if the plugin has set it not to be checked */
if (operation_is_flag_set(operation, SLAPI_OP_FLAG_NO_ACCESS_CHECK|OP_FLAG_INTERNAL|OP_FLAG_REPLICATED|OP_FLAG_LEGACY_REPLICATION_DN))
return LDAP_SUCCESS;
/* call the global plugins first and then the backend specific */
for ( p = get_plugin_list(PLUGIN_LIST_ACL); p != NULL; p = p->plg_next ) {
if (plugin_invoke_plugin_sdn (p, SLAPI_PLUGIN_ACL_ALLOW_ACCESS, pb,
(Slapi_DN*)slapi_entry_get_sdn_const (e))){
aclplugin_initialized = 1;
rc = (*p->plg_acl_access_allowed)(pb, e, attrs, val, access, flags, errbuf);
if ( rc != LDAP_SUCCESS ) break;
}
}
if (! aclplugin_initialized ) {
rc = acl_default_access ( pb, e, access);
}
return rc;
}
int
plugin_call_acl_verify_syntax ( Slapi_PBlock *pb, Slapi_Entry *e, char **errbuf )
{
struct slapdplugin *p;
int rc = 0;
int plugin_called = 0;
Operation *operation;
slapi_pblock_get (pb, SLAPI_OPERATION, &operation);
/* we don't perform acl check for internal operations and if the plugin has set it not to be checked */
if (operation_is_flag_set(operation, SLAPI_OP_FLAG_NO_ACCESS_CHECK|OP_FLAG_INTERNAL|OP_FLAG_REPLICATED|OP_FLAG_LEGACY_REPLICATION_DN))
return LDAP_SUCCESS;
/* call the global plugins first and then the backend specific */
for ( p = get_plugin_list(PLUGIN_LIST_ACL); p != NULL; p = p->plg_next ) {
if (plugin_invoke_plugin_sdn (p, SLAPI_PLUGIN_ACL_SYNTAX_CHECK, pb,
(Slapi_DN*)slapi_entry_get_sdn_const (e))){
plugin_called = 1;
rc = (*p->plg_acl_syntax_check)( pb, e, errbuf );
if ( rc != LDAP_SUCCESS ) break;
}
}
if ( !plugin_called ) {
slapi_log_err(SLAPI_LOG_ERR, "plugin_call_acl_verify_syntax",
"The ACL plugin is not initialized. The aci syntax cannot be verified\n");
}
return rc;
}
/* This routine does that part of a modify operation which involves
updating the on-disk data: updates idices, id2entry.
Copes properly with DB_LOCK_DEADLOCK. The caller must be able to cope with
DB_LOCK_DEADLOCK returned.
The caller is presumed to proceed as follows:
Find the entry you want to modify;
Lock it for modify;
Make a copy of it; (call backentry_dup() )
Apply modifications to the copy in memory (call entry_apply_mods() )
begin transaction;
Do any other mods to on-disk data you want
Call this routine;
Commit transaction;
You pass it environment data: struct ldbminfo, pb (not sure why, but the vlv code seems to need it)
the copy of the entry before modfication, the entry after modification;
an LDAPMods array containing the modifications performed
*/
int modify_update_all(backend *be, Slapi_PBlock *pb,
modify_context *mc,
back_txn *txn)
{
static char *function_name = "modify_update_all";
Slapi_Operation *operation;
int is_ruv = 0; /* True if the current entry is RUV */
int retval = 0;
if (pb) { /* pb could be NULL if it's called from import */
slapi_pblock_get( pb, SLAPI_OPERATION, &operation );
is_ruv = operation_is_flag_set(operation, OP_FLAG_REPL_RUV);
}
/*
* Update the ID to Entry index.
* Note that id2entry_add replaces the entry, so the Entry ID stays the same.
*/
retval = id2entry_add_ext( be, mc->new_entry, txn, mc->attr_encrypt, NULL );
if ( 0 != retval ) {
if (DB_LOCK_DEADLOCK != retval)
{
ldbm_nasty(function_name,"",66,retval);
}
goto error;
}
retval = index_add_mods( be, slapi_mods_get_ldapmods_byref(mc->smods), mc->old_entry, mc->new_entry, txn );
if ( 0 != retval ) {
if (DB_LOCK_DEADLOCK != retval)
{
ldbm_nasty(function_name,"",65,retval);
}
goto error;
}
/*
* Remove the old entry from the Virtual List View indexes.
* Add the new entry to the Virtual List View indexes.
* Because the VLV code calls slapi_filter_test(), which requires a pb (why?),
* we allow the caller sans pb to get everything except vlv indexing.
*/
if (NULL != pb && !is_ruv) {
retval= vlv_update_all_indexes(txn, be, pb, mc->old_entry, mc->new_entry);
if ( 0 != retval ) {
if (DB_LOCK_DEADLOCK != retval)
{
ldbm_nasty(function_name,"",64,retval);
}
goto error;
}
}
error:
return retval;
}
int urp_post_modrdn_operation (Slapi_PBlock *pb)
{
CSN *opcsn;
char sessionid[REPL_SESSION_ID_SIZE];
char *tombstone_uniqueid;
Slapi_Entry *postentry;
Slapi_Operation *op;
/*
* Do not abandon the post op - the processed CSN needs to be
* committed to keep the consistency between the changelog
* and the backend DB.
* if ( slapi_op_abandoned(pb) ) return 0;
*/
slapi_pblock_get (pb, SLAPI_URP_TOMBSTONE_UNIQUEID, &tombstone_uniqueid );
if (tombstone_uniqueid == NULL)
{
/*
* The entry is not resurrected from tombstone. Hence
* we need to check if any naming conflict with its
* old dn can be resolved.
*/
slapi_pblock_get( pb, SLAPI_OPERATION, &op);
if (!operation_is_flag_set(op, OP_FLAG_REPL_FIXUP))
{
get_repl_session_id (pb, sessionid, &opcsn);
urp_naming_conflict_removal (pb, sessionid, opcsn, "MODRDN");
}
}
else
{
/*
* The entry was a resurrected tombstone.
* This could happen when we applied a rename
* to a tombstone to avoid server divergence. Now
* it's time to put the entry back to tombstone.
*/
slapi_pblock_get ( pb, SLAPI_ENTRY_POST_OP, &postentry );
if (postentry && strcmp(tombstone_uniqueid, slapi_entry_get_uniqueid(postentry)) == 0)
{
entry_to_tombstone (pb, postentry);
}
slapi_ch_free ((void**)&tombstone_uniqueid);
slapi_pblock_set (pb, SLAPI_URP_TOMBSTONE_UNIQUEID, NULL);
}
return 0;
}
/*
* Conflict removal
*/
int
urp_post_delete_operation( Slapi_PBlock *pb )
{
Slapi_Operation *op;
Slapi_Entry *entry;
CSN *opcsn;
char sessionid[REPL_SESSION_ID_SIZE];
int op_result;
/*
* Do not abandon the post op - the processed CSN needs to be
* committed to keep the consistency between the changelog
* and the backend DB
* if ( slapi_op_abandoned(pb) ) return 0;
*/
get_repl_session_id (pb, sessionid, &opcsn);
/*
* Conflict removal from the parent entry:
* If the parent is glue and has no more children,
* turn the parent to tombstone
*/
slapi_pblock_get ( pb, SLAPI_DELETE_GLUE_PARENT_ENTRY, &entry );
if ( entry != NULL )
{
op_result = entry_to_tombstone ( pb, entry );
if ( op_result == LDAP_SUCCESS )
{
slapi_log_error ( slapi_log_urp, sessionid,
"Tombstoned glue entry %s since it has no more children\n",
slapi_entry_get_dn_const (entry) );
}
}
slapi_pblock_get( pb, SLAPI_OPERATION, &op);
if (!operation_is_flag_set(op, OP_FLAG_REPL_FIXUP))
{
/*
* Conflict removal from the peers of the old dn
*/
urp_naming_conflict_removal (pb, sessionid, opcsn, "DEL");
}
return 0;
}
/*
* op_shared_rename() -- common frontend code for modDN operations.
*
* Beware: this function resets the following pblock elements that were
* set by the caller:
*
* SLAPI_MODRDN_TARGET_SDN
* SLAPI_MODRDN_NEWRDN
* SLAPI_MODRDN_NEWSUPERIOR_SDN
*/
static void
op_shared_rename(Slapi_PBlock *pb, int passin_args)
{
char *dn, *newrdn, *newdn = NULL;
const char *newsuperior;
char **rdns;
int deloldrdn;
Slapi_Backend *be = NULL;
Slapi_DN *origsdn = NULL;
Slapi_Mods smods;
int internal_op, repl_op, lastmod;
Slapi_Operation *operation;
Slapi_Entry *referral;
char errorbuf[BUFSIZ];
int err;
char *proxydn = NULL;
char *proxystr = NULL;
int proxy_err = LDAP_SUCCESS;
char *errtext = NULL;
Slapi_DN *sdn = NULL;
Slapi_DN *newsuperiorsdn = NULL;
slapi_pblock_get(pb, SLAPI_ORIGINAL_TARGET, &dn);
slapi_pblock_get(pb, SLAPI_MODRDN_NEWRDN, &newrdn);
slapi_pblock_get(pb, SLAPI_MODRDN_NEWSUPERIOR_SDN, &newsuperiorsdn);
slapi_pblock_get(pb, SLAPI_MODRDN_DELOLDRDN, &deloldrdn);
slapi_pblock_get(pb, SLAPI_IS_REPLICATED_OPERATION, &repl_op);
slapi_pblock_get (pb, SLAPI_OPERATION, &operation);
slapi_pblock_get(pb, SLAPI_MODRDN_TARGET_SDN, &origsdn);
internal_op= operation_is_flag_set(operation, OP_FLAG_INTERNAL);
/*
* If ownership has not been passed to this function, we replace the
* string input fields within the pblock with strdup'd copies. Why?
* Because some pre- and post-op plugins may change them, and the
* convention is that plugins should place a malloc'd string in the
* pblock. Therefore, we need to be able to retrieve and free them
* later. But the callers of the internal modrdn calls are promised
* that we will not free these parameters... so if passin_args is
* zero, we need to make copies.
*
* In the case of SLAPI_MODRDN_TARGET_SDN and SLAPI_MODRDN_NEWSUPERIOR_SDN,
* we replace the existing values with normalized values (because plugins
* expect these DNs to be normalized).
*/
if (NULL == origsdn) {
sdn = slapi_sdn_new_dn_byval(dn);
slapi_pblock_set(pb, SLAPI_MODRDN_TARGET_SDN, sdn);
}
if (passin_args) {
if (NULL == sdn) { /* origsdn is not NULL, so use it. */
sdn = origsdn;
}
} else {
if (NULL == sdn) {
sdn = slapi_sdn_dup(origsdn);
}
newrdn = slapi_ch_strdup(newrdn);
newsuperiorsdn = slapi_sdn_dup(newsuperiorsdn);
slapi_pblock_set(pb, SLAPI_MODRDN_TARGET_SDN, sdn);
slapi_pblock_set(pb, SLAPI_MODRDN_NEWRDN, (void *)newrdn);
slapi_pblock_set(pb, SLAPI_MODRDN_NEWSUPERIOR_SDN, newsuperiorsdn);
}
/* normdn = slapi_sdn_get_dn(sdn); */
newsuperior = slapi_sdn_get_dn(newsuperiorsdn);
/* get the proxy auth dn if the proxy auth control is present */
proxy_err = proxyauth_get_dn(pb, &proxydn, &errtext);
/*
* first, log the operation to the access log,
* then check rdn and newsuperior,
* and - if applicable - log reason of any error to the errors log
*/
if (operation_is_flag_set(operation,OP_FLAG_ACTION_LOG_ACCESS))
{
if (proxydn)
{
proxystr = slapi_ch_smprintf(" authzid=\"%s\"", proxydn);
}
if ( !internal_op )
{
slapi_log_access(LDAP_DEBUG_STATS,
"conn=%" NSPRIu64 " op=%d MODRDN dn=\"%s\" newrdn=\"%s\" newsuperior=\"%s\"%s\n",
pb->pb_conn->c_connid,
pb->pb_op->o_opid,
dn,
newrdn ? newrdn : "(null)",
newsuperior ? newsuperior : "(null)",
proxystr ? proxystr : "");
}
else
{
slapi_log_access(LDAP_DEBUG_ARGS,
"conn=%s op=%d MODRDN dn=\"%s\" newrdn=\"%s\" newsuperior=\"%s\"%s\n",
LOG_INTERNAL_OP_CON_ID,
LOG_INTERNAL_OP_OP_ID,
dn,
newrdn ? newrdn : "(null)",
newsuperior ? newsuperior : "(null)",
proxystr ? proxystr : "");
}
}
/* If we encountered an error parsing the proxy control, return an error
* to the client. We do this here to ensure that we log the operation first. */
if (proxy_err != LDAP_SUCCESS)
{
send_ldap_result(pb, proxy_err, NULL, errtext, 0, NULL);
goto free_and_return_nolock;
}
/* check that the rdn is formatted correctly */
if ((rdns = slapi_ldap_explode_rdn(newrdn, 0)) == NULL)
{
if ( !internal_op ) {
slapi_log_error(SLAPI_LOG_ARGS, NULL,
"conn=%" NSPRIu64 " op=%d MODRDN invalid new RDN (\"%s\")\n",
pb->pb_conn->c_connid,
pb->pb_op->o_opid,
(NULL == newrdn) ? "(null)" : newrdn);
} else {
slapi_log_error(SLAPI_LOG_ARGS, NULL,
"conn=%s op=%d MODRDN invalid new RDN (\"%s\")\n",
LOG_INTERNAL_OP_CON_ID,
LOG_INTERNAL_OP_OP_ID,
(NULL == newrdn) ? "(null)" : newrdn);
}
send_ldap_result(pb, LDAP_INVALID_DN_SYNTAX, NULL, "invalid RDN", 0, NULL);
goto free_and_return_nolock;
}
else
{
slapi_ldap_value_free(rdns);
}
/* check if created attributes are used in the new RDN */
/* check_rdn_for_created_attrs ignores the cases */
if (check_rdn_for_created_attrs((const char *)newrdn)) {
send_ldap_result(pb, LDAP_INVALID_DN_SYNTAX, NULL, "invalid attribute in RDN", 0, NULL);
goto free_and_return_nolock;
}
/* check that the dn is formatted correctly */
err = slapi_dn_syntax_check(pb, newsuperior, 1);
if (err)
{
LDAPDebug0Args(LDAP_DEBUG_ARGS, "Syntax check of newSuperior failed\n");
if (!internal_op) {
slapi_log_error(SLAPI_LOG_ARGS, NULL,
"conn=%" NSPRIu64 " op=%d MODRDN invalid new superior (\"%s\")",
pb->pb_conn->c_connid,
pb->pb_op->o_opid,
newsuperior ? newsuperior : "(null)");
} else {
slapi_log_error(SLAPI_LOG_ARGS, NULL,
"conn=%s op=%d MODRDN invalid new superior (\"%s\")",
LOG_INTERNAL_OP_CON_ID,
LOG_INTERNAL_OP_OP_ID,
newsuperior ? newsuperior : "(null)");
}
send_ldap_result(pb, LDAP_INVALID_DN_SYNTAX, NULL,
"newSuperior does not look like a DN", 0, NULL);
goto free_and_return_nolock;
}
if (newsuperior != NULL)
{
LDAPDebug(LDAP_DEBUG_ARGS, "do_moddn: newsuperior (%s)\n", newsuperior, 0, 0);
}
/* target spec is used to decide which plugins are applicable for the operation */
operation_set_target_spec (pb->pb_op, sdn);
/*
* Construct the new DN (code sdn from backend
* and modified to handle newsuperior)
*/
newdn = slapi_moddn_get_newdn(sdn, newrdn, newsuperior);
/*
* We could be serving multiple database backends. Select the
* appropriate one, or send a referral to our "referral server"
* if we don't hold it.
*/
/* slapi_mapping_tree_select_and_check ignores the case of newdn
* which is generated using newrdn above. */
if ((err = slapi_mapping_tree_select_and_check(pb, newdn, &be, &referral, errorbuf)) != LDAP_SUCCESS)
{
send_ldap_result(pb, err, NULL, errorbuf, 0, NULL);
goto free_and_return_nolock;
}
if (referral)
{
int managedsait;
slapi_pblock_get(pb, SLAPI_MANAGEDSAIT, &managedsait);
if (managedsait)
{
send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL,
"cannot update referral", 0, NULL);
slapi_entry_free(referral);
goto free_and_return;
}
send_referrals_from_entry(pb,referral);
slapi_entry_free(referral);
goto free_and_return;
}
slapi_pblock_set(pb, SLAPI_BACKEND, be);
/* can get lastmod only after backend is selected */
slapi_pblock_get(pb, SLAPI_BE_LASTMOD, &lastmod);
/* if it is a replicated operation - leave lastmod attributes alone */
slapi_mods_init (&smods, 2);
if (!repl_op && lastmod)
{
modify_update_last_modified_attr(pb, &smods);
slapi_pblock_set(pb, SLAPI_MODIFY_MODS, (void*)slapi_mods_get_ldapmods_passout(&smods));
}
else {
slapi_mods_done (&smods);
}
/*
* call the pre-modrdn plugins. if they succeed, call
* the backend modrdn function. then call the
* post-modrdn plugins.
*/
if (plugin_call_plugins(pb, internal_op ? SLAPI_PLUGIN_INTERNAL_PRE_MODRDN_FN :
SLAPI_PLUGIN_PRE_MODRDN_FN) == 0)
{
int rc= LDAP_OPERATIONS_ERROR;
slapi_pblock_set(pb, SLAPI_PLUGIN, be->be_database);
set_db_default_result_handlers(pb);
if (be->be_modrdn != NULL)
{
if ((rc = (*be->be_modrdn)(pb)) == 0)
{
Slapi_Entry *pse;
Slapi_Entry *ecopy;
/* we don't perform acl check for internal operations */
/* dont update aci store for remote acis */
if ((!internal_op) &&
(!slapi_be_is_flag_set(be,SLAPI_BE_FLAG_REMOTE_DATA)))
plugin_call_acl_mods_update (pb, SLAPI_OPERATION_MODRDN);
if (operation_is_flag_set(operation,OP_FLAG_ACTION_LOG_AUDIT))
write_audit_log_entry(pb); /* Record the operation in the audit log */
slapi_pblock_get(pb, SLAPI_ENTRY_POST_OP, &pse);
slapi_pblock_get(pb, SLAPI_ENTRY_PRE_OP, &ecopy);
/* GGOODREPL persistent search system needs the changenumber, oops. */
do_ps_service(pse, ecopy, LDAP_CHANGETYPE_MODDN, 0);
}
}
else
{
send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL, "Function not implemented", 0, NULL);
}
slapi_pblock_set(pb, SLAPI_PLUGIN_OPRETURN, &rc);
plugin_call_plugins(pb, internal_op ? SLAPI_PLUGIN_INTERNAL_POST_MODRDN_FN :
SLAPI_PLUGIN_POST_MODRDN_FN);
}
free_and_return:
if (be)
slapi_be_Unlock(be);
free_and_return_nolock:
{
/* Free up everything left in the PBlock */
Slapi_Entry *pse;
Slapi_Entry *ecopy;
LDAPMod **mods;
char *s;
if (passin_args) {
if (NULL == origsdn) {
slapi_sdn_free(&sdn);
}
} else {
slapi_pblock_get(pb, SLAPI_MODRDN_TARGET_SDN, &sdn);
slapi_sdn_free(&sdn);
/* get newrdn to free the string */
slapi_pblock_get(pb, SLAPI_MODRDN_NEWRDN, &newrdn);
slapi_ch_free_string(&newrdn);
slapi_pblock_get(pb, SLAPI_MODRDN_NEWSUPERIOR_SDN, &newsuperiorsdn);
slapi_sdn_free(&newsuperiorsdn);
}
slapi_ch_free_string(&newdn);
slapi_pblock_get(pb, SLAPI_ENTRY_PRE_OP, &ecopy);
slapi_entry_free(ecopy);
slapi_pblock_get(pb, SLAPI_ENTRY_POST_OP, &pse);
slapi_entry_free(pse);
slapi_pblock_get( pb, SLAPI_MODIFY_MODS, &mods );
ldap_mods_free( mods, 1 );
slapi_ch_free_string(&proxydn);
slapi_ch_free_string(&proxystr);
slapi_pblock_get(pb, SLAPI_URP_NAMING_COLLISION_DN, &s);
slapi_ch_free((void **)&s);
}
}
static void handle_fast_add(Slapi_PBlock *pb, Slapi_Entry *entry)
{
Slapi_Backend *be;
Slapi_Operation *operation;
int ret;
be = pb->pb_conn->c_bi_backend;
if ((be == NULL) || (be->be_wire_import == NULL)) {
/* can this even happen? */
slapi_log_err(SLAPI_LOG_ERR,
"handle_fast_add", "Backend not supported\n");
send_ldap_result(pb, LDAP_NOT_SUPPORTED, NULL, NULL, 0, NULL);
return;
}
/* ensure that the RDN values are present as attribute values */
if ((ret = slapi_entry_add_rdn_values(entry)) != LDAP_SUCCESS) {
send_ldap_result(pb, ret, NULL, "failed to add RDN values", 0, NULL);
return;
}
/* schema check */
slapi_pblock_get(pb, SLAPI_OPERATION, &operation);
if (operation_is_flag_set(operation, OP_FLAG_ACTION_SCHEMA_CHECK) &&
(slapi_entry_schema_check(pb, entry) != 0)) {
char *errtext;
slapi_log_err(SLAPI_LOG_TRACE, "handle_fast_add", "Entry failed schema check\n");
slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &errtext);
send_ldap_result(pb, LDAP_OBJECT_CLASS_VIOLATION, NULL, errtext, 0, NULL);
slapi_entry_free(entry);
return;
}
/* syntax check */
if (slapi_entry_syntax_check(pb, entry, 0) != 0) {
char *errtext;
slapi_log_err(SLAPI_LOG_TRACE, "handle_fast_add", "Entry failed syntax check\n");
slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &errtext);
send_ldap_result(pb, LDAP_INVALID_SYNTAX, NULL, errtext, 0, NULL);
slapi_entry_free(entry);
return;
}
/* Check if the entry being added is a Tombstone. Could be if we are
* doing a replica init. */
if (slapi_entry_attr_hasvalue(entry, SLAPI_ATTR_OBJECTCLASS,
SLAPI_ATTR_VALUE_TOMBSTONE)) {
entry->e_flags |= SLAPI_ENTRY_FLAG_TOMBSTONE;
}
slapi_pblock_set(pb, SLAPI_BACKEND, be);
slapi_pblock_set(pb, SLAPI_BULK_IMPORT_ENTRY, entry);
ret = SLAPI_BI_STATE_ADD;
slapi_pblock_set(pb, SLAPI_BULK_IMPORT_STATE, &ret);
ret = (*be->be_wire_import)(pb);
if (ret != 0) {
slapi_log_err(SLAPI_LOG_ERR, "handle_fast_add",
"wire import: Error during import (%d)\n", ret);
send_ldap_result(pb, LDAP_OPERATIONS_ERROR,
NULL, NULL, 0, NULL);
/* It's our responsibility to free the entry if
* be_wire_import doesn't succeed. */
slapi_entry_free(entry);
/* turn off fast replica init -- import is now aborted */
pb->pb_conn->c_bi_backend = NULL;
pb->pb_conn->c_flags &= ~CONN_FLAG_IMPORT;
return;
}
send_ldap_result(pb, LDAP_SUCCESS, NULL, NULL, 0, NULL);
return;
}
/* Code shared between regular and internal add operation */
static void op_shared_add (Slapi_PBlock *pb)
{
Slapi_Operation *operation;
Slapi_Entry *e, *pse;
Slapi_Backend *be = NULL;
int err;
int internal_op, repl_op, legacy_op, lastmod;
char *pwdtype = NULL;
Slapi_Attr *attr = NULL;
Slapi_Entry *referral;
char errorbuf[SLAPI_DSE_RETURNTEXT_SIZE];
struct slapdplugin *p = NULL;
char *proxydn = NULL;
char *proxystr = NULL;
int proxy_err = LDAP_SUCCESS;
char *errtext = NULL;
Slapi_DN *sdn = NULL;
passwdPolicy *pwpolicy;
slapi_pblock_get (pb, SLAPI_OPERATION, &operation);
slapi_pblock_get (pb, SLAPI_ADD_ENTRY, &e);
slapi_pblock_get (pb, SLAPI_IS_REPLICATED_OPERATION, &repl_op);
slapi_pblock_get (pb, SLAPI_IS_LEGACY_REPLICATED_OPERATION, &legacy_op);
internal_op= operation_is_flag_set(operation, OP_FLAG_INTERNAL);
pwpolicy = new_passwdPolicy(pb, slapi_entry_get_dn(e));
/* target spec is used to decide which plugins are applicable for the operation */
operation_set_target_spec (operation, slapi_entry_get_sdn (e));
if ((err = slapi_entry_add_rdn_values(e)) != LDAP_SUCCESS)
{
send_ldap_result(pb, err, NULL, "failed to add RDN values", 0, NULL);
goto done;
}
/* get the proxy auth dn if the proxy auth control is present */
proxy_err = proxyauth_get_dn(pb, &proxydn, &errtext);
if (operation_is_flag_set(operation,OP_FLAG_ACTION_LOG_ACCESS))
{
if (proxydn)
{
proxystr = slapi_ch_smprintf(" authzid=\"%s\"", proxydn);
}
if ( !internal_op )
{
slapi_log_access(LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " op=%d ADD dn=\"%s\"%s\n",
pb->pb_conn->c_connid,
operation->o_opid,
slapi_entry_get_dn_const(e),
proxystr ? proxystr : "");
}
else
{
slapi_log_access(LDAP_DEBUG_ARGS, "conn=%s op=%d ADD dn=\"%s\"\n",
LOG_INTERNAL_OP_CON_ID,
LOG_INTERNAL_OP_OP_ID,
slapi_entry_get_dn_const(e));
}
}
/* If we encountered an error parsing the proxy control, return an error
* to the client. We do this here to ensure that we log the operation first. */
if (proxy_err != LDAP_SUCCESS)
{
send_ldap_result(pb, proxy_err, NULL, errtext, 0, NULL);
goto done;
}
/*
* We could be serving multiple database backends. Select the
* appropriate one.
*/
if ((err = slapi_mapping_tree_select(pb, &be, &referral, errorbuf, sizeof(errorbuf))) != LDAP_SUCCESS) {
send_ldap_result(pb, err, NULL, errorbuf, 0, NULL);
be = NULL;
goto done;
}
if (referral)
{
int managedsait;
slapi_pblock_get(pb, SLAPI_MANAGEDSAIT, &managedsait);
if (managedsait)
{
send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL,
"cannot update referral", 0, NULL);
slapi_entry_free(referral);
goto done;
}
slapi_pblock_set(pb, SLAPI_TARGET_SDN, (void*)operation_get_target_spec (operation));
send_referrals_from_entry(pb,referral);
slapi_entry_free(referral);
goto done;
}
if (!slapi_be_is_flag_set(be,SLAPI_BE_FLAG_REMOTE_DATA)) {
Slapi_Value **unhashed_password_vals = NULL;
Slapi_Value **present_values = NULL;
/* Setting unhashed password to the entry extension. */
if (repl_op) {
/* replicated add ==> get unhashed pw from entry, if any.
* set it to the extension */
slapi_entry_attr_find(e, PSEUDO_ATTR_UNHASHEDUSERPASSWORD, &attr);
if (attr) {
present_values = attr_get_present_values(attr);
valuearray_add_valuearray(&unhashed_password_vals,
present_values, 0);
#if !defined(USE_OLD_UNHASHED)
/* and remove it from the entry. */
slapi_entry_attr_delete(e, PSEUDO_ATTR_UNHASHEDUSERPASSWORD);
#endif
}
} else {
/* ordinary add ==>
* get unhashed pw from userpassword before encrypting it */
/* look for user password attribute */
slapi_entry_attr_find(e, SLAPI_USERPWD_ATTR, &attr);
if (attr) {
Slapi_Value **vals = NULL;
/* Set the backend in the pblock.
* The slapi_access_allowed function
* needs this set to work properly. */
slapi_pblock_set(pb, SLAPI_BACKEND,
slapi_be_select(slapi_entry_get_sdn_const(e)));
/* Check ACI before checking password syntax */
if ((err = slapi_access_allowed(pb, e, SLAPI_USERPWD_ATTR, NULL,
SLAPI_ACL_ADD)) != LDAP_SUCCESS) {
send_ldap_result(pb, err, NULL,
"Insufficient 'add' privilege to the "
"'userPassword' attribute", 0, NULL);
goto done;
}
/*
* Check password syntax, unless this is a pwd admin/rootDN
*/
present_values = attr_get_present_values(attr);
if (!pw_is_pwp_admin(pb, pwpolicy) &&
check_pw_syntax(pb, slapi_entry_get_sdn_const(e),
present_values, NULL, e, 0) != 0) {
/* error result is sent from check_pw_syntax */
goto done;
}
/* pw syntax is valid */
valuearray_add_valuearray(&unhashed_password_vals,
present_values, 0);
valuearray_add_valuearray(&vals, present_values, 0);
pw_encodevals_ext(pb, slapi_entry_get_sdn (e), vals);
add_password_attrs(pb, operation, e);
slapi_entry_attr_replace_sv(e, SLAPI_USERPWD_ATTR, vals);
valuearray_free(&vals);
#if defined(USE_OLD_UNHASHED)
/* Add the unhashed password pseudo-attribute to the entry */
pwdtype =
slapi_attr_syntax_normalize(PSEUDO_ATTR_UNHASHEDUSERPASSWORD);
slapi_entry_add_values_sv(e, pwdtype, unhashed_password_vals);
#endif
}
}
if (unhashed_password_vals &&
(SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch())) {
/* unhashed_password_vals is consumed if successful. */
err = slapi_pw_set_entry_ext(e, unhashed_password_vals,
SLAPI_EXT_SET_ADD);
if (err) {
valuearray_free(&unhashed_password_vals);
}
}
#if defined(THISISTEST)
{
/* test code to retrieve an unhashed pw from the entry extention &
* PSEUDO_ATTR_UNHASHEDUSERPASSWORD attribute */
char *test_str = slapi_get_first_clear_text_pw(e);
if (test_str) {
slapi_log_err(SLAPI_LOG_ERR,
"Value from extension: %s\n", test_str);
slapi_ch_free_string(&test_str);
}
#if defined(USE_OLD_UNHASHED)
test_str = slapi_entry_attr_get_charptr(e,
PSEUDO_ATTR_UNHASHEDUSERPASSWORD);
if (test_str) {
slapi_log_err(SLAPI_LOG_ERR,
"Value from attr: %s\n", test_str);
slapi_ch_free_string(&test_str);
}
#endif /* USE_OLD_UNHASHED */
}
#endif /* THISISTEST */
/* look for multiple backend local credentials or replication local credentials */
for ( p = get_plugin_list(PLUGIN_LIST_REVER_PWD_STORAGE_SCHEME); p != NULL && !repl_op;
p = p->plg_next )
{
char *L_attr = NULL;
int i=0;
/* Get the appropriate decoding function */
for ( L_attr = p->plg_argv[i]; i<p->plg_argc; L_attr = p->plg_argv[++i])
{
/* look for multiple backend local credentials or replication local credentials */
char *L_normalized = slapi_attr_syntax_normalize(L_attr);
slapi_entry_attr_find(e, L_normalized, &attr);
if (attr)
{
Slapi_Value **present_values = NULL;
Slapi_Value **vals = NULL;
present_values= attr_get_present_values(attr);
valuearray_add_valuearray(&vals, present_values, 0);
pw_rever_encode(vals, L_normalized);
slapi_entry_attr_replace_sv(e, L_normalized, vals);
valuearray_free(&vals);
}
if (L_normalized)
slapi_ch_free ((void**)&L_normalized);
}
}
}
slapi_pblock_set(pb, SLAPI_BACKEND, be);
if (!repl_op)
{
/* can get lastmod only after backend is selected */
slapi_pblock_get(pb, SLAPI_BE_LASTMOD, &lastmod);
if (lastmod && add_created_attrs(pb, e) != 0)
{
send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL,
"cannot insert computed attributes", 0, NULL);
goto done;
}
/* expand objectClass values to reflect the inheritance hierarchy */
slapi_schema_expand_objectclasses( e );
}
/* uniqueid needs to be generated for entries added during legacy replication */
if (legacy_op){
if (add_uniqueid(e) != UID_SUCCESS)
{
send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL,
"cannot insert computed attributes", 0, NULL);
goto done;
}
}
/*
* call the pre-add plugins. if they succeed, call
* the backend add function. then call the post-add
* plugins.
*/
sdn = slapi_sdn_dup(slapi_entry_get_sdn_const(e));
slapi_pblock_set(pb, SLAPI_ADD_TARGET_SDN, (void *)sdn);
if (plugin_call_plugins(pb, internal_op ? SLAPI_PLUGIN_INTERNAL_PRE_ADD_FN :
SLAPI_PLUGIN_PRE_ADD_FN) == SLAPI_PLUGIN_SUCCESS)
{
int rc;
Slapi_Entry *ec;
Slapi_DN *add_target_sdn = NULL;
Slapi_Entry *save_e = NULL;
slapi_pblock_set(pb, SLAPI_PLUGIN, be->be_database);
set_db_default_result_handlers(pb);
/* because be_add frees the entry */
ec = slapi_entry_dup(e);
add_target_sdn = slapi_sdn_dup(slapi_entry_get_sdn_const(ec));
slapi_pblock_get(pb, SLAPI_ADD_TARGET_SDN, &sdn);
slapi_sdn_free(&sdn);
slapi_pblock_set(pb, SLAPI_ADD_TARGET_SDN, add_target_sdn);
if (be->be_add != NULL)
{
rc = (*be->be_add)(pb);
/* backend may change this if errors and not consumed */
slapi_pblock_get(pb, SLAPI_ADD_ENTRY, &save_e);
slapi_pblock_set(pb, SLAPI_ADD_ENTRY, ec);
if (rc == 0)
{
/* acl is not enabled for internal operations */
/* don't update aci store for remote acis */
if ((!internal_op) &&
(!slapi_be_is_flag_set(be,SLAPI_BE_FLAG_REMOTE_DATA)))
{
plugin_call_acl_mods_update (pb, SLAPI_OPERATION_ADD);
}
if (operation_is_flag_set(operation,OP_FLAG_ACTION_LOG_AUDIT))
{
write_audit_log_entry(pb); /* Record the operation in the audit log */
}
slapi_pblock_get(pb, SLAPI_ENTRY_POST_OP, &pse);
do_ps_service(pse, NULL, LDAP_CHANGETYPE_ADD, 0);
/*
* If be_add succeeded, then e is consumed except the resurrect case.
* If it is resurrect, the corresponding tombstone entry is resurrected
* and put into the cache.
* Otherwise, we set e to NULL to prevent freeing it ourselves.
*/
if (operation_is_flag_set(operation,OP_FLAG_RESURECT_ENTRY) && save_e) {
e = save_e;
} else {
e = NULL;
}
}
else
{
/* PR_ASSERT(!save_e); save_e is supposed to be freed in the backend. */
e = save_e;
if (rc == SLAPI_FAIL_DISKFULL)
{
operation_out_of_disk_space();
goto done;
}
/* If the disk is full we don't want to make it worse ... */
if (operation_is_flag_set(operation,OP_FLAG_ACTION_LOG_AUDIT))
{
write_auditfail_log_entry(pb); /* Record the operation in the audit log */
}
}
}
else
{
send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL,
"Function not implemented", 0, NULL);
}
slapi_pblock_set(pb, SLAPI_PLUGIN_OPRETURN, &rc);
plugin_call_plugins(pb, internal_op ? SLAPI_PLUGIN_INTERNAL_POST_ADD_FN :
SLAPI_PLUGIN_POST_ADD_FN);
slapi_entry_free(ec);
}
slapi_pblock_get(pb, SLAPI_ADD_TARGET_SDN, &sdn);
slapi_sdn_free(&sdn);
done:
if (be)
slapi_be_Unlock(be);
slapi_pblock_get(pb, SLAPI_ENTRY_POST_OP, &pse);
slapi_entry_free(pse);
slapi_ch_free((void **)&operation->o_params.p.p_add.parentuniqueid);
slapi_entry_free(e);
slapi_pblock_set(pb, SLAPI_ADD_ENTRY, NULL);
slapi_ch_free((void**)&pwdtype);
slapi_ch_free_string(&proxydn);
slapi_ch_free_string(&proxystr);
}
static void op_shared_delete (Slapi_PBlock *pb)
{
char *rawdn = NULL;
const char *dn = NULL;
Slapi_Backend *be = NULL;
int internal_op;
Slapi_DN *sdn = NULL;
Slapi_Operation *operation;
Slapi_Entry *referral;
Slapi_Entry *ecopy = NULL;
char errorbuf[BUFSIZ];
int err;
char *proxydn = NULL;
char *proxystr = NULL;
int proxy_err = LDAP_SUCCESS;
char *errtext = NULL;
slapi_pblock_get(pb, SLAPI_ORIGINAL_TARGET, &rawdn);
slapi_pblock_get(pb, SLAPI_OPERATION, &operation);
internal_op= operation_is_flag_set(operation, OP_FLAG_INTERNAL);
sdn = slapi_sdn_new_dn_byval(rawdn);
dn = slapi_sdn_get_dn(sdn);
slapi_pblock_set(pb, SLAPI_DELETE_TARGET_SDN, (void*)sdn);
if (rawdn && (strlen(rawdn) > 0) && (NULL == dn)) {
/* normalization failed */
op_shared_log_error_access(pb, "DEL", rawdn, "invalid dn");
send_ldap_result(pb, LDAP_INVALID_DN_SYNTAX,
NULL, "invalid dn", 0, NULL);
goto free_and_return;
}
/* target spec is used to decide which plugins are applicable for the operation */
operation_set_target_spec (operation, sdn);
/* get the proxy auth dn if the proxy auth control is present */
proxy_err = proxyauth_get_dn(pb, &proxydn, &errtext);
if (operation_is_flag_set(operation,OP_FLAG_ACTION_LOG_ACCESS))
{
if (proxydn)
{
proxystr = slapi_ch_smprintf(" authzid=\"%s\"", proxydn);
}
if (!internal_op )
{
slapi_log_access(LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " op=%d DEL dn=\"%s\"%s\n",
pb->pb_conn->c_connid,
pb->pb_op->o_opid,
slapi_sdn_get_dn(sdn),
proxystr ? proxystr: "");
}
else
{
slapi_log_access(LDAP_DEBUG_ARGS, "conn=%s op=%d DEL dn=\"%s\"%s\n",
LOG_INTERNAL_OP_CON_ID,
LOG_INTERNAL_OP_OP_ID,
slapi_sdn_get_dn(sdn),
proxystr ? proxystr: "");
}
}
/* If we encountered an error parsing the proxy control, return an error
* to the client. We do this here to ensure that we log the operation first. */
if (proxy_err != LDAP_SUCCESS)
{
send_ldap_result(pb, proxy_err, NULL, errtext, 0, NULL);
goto free_and_return;
}
/*
* We could be serving multiple database backends. Select the
* appropriate one.
*/
if ((err = slapi_mapping_tree_select(pb, &be, &referral, errorbuf)) != LDAP_SUCCESS) {
send_ldap_result(pb, err, NULL, errorbuf, 0, NULL);
be = NULL;
goto free_and_return;
}
if (referral)
{
int managedsait;
slapi_pblock_get(pb, SLAPI_MANAGEDSAIT, &managedsait);
if (managedsait)
{
send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL,
"cannot delete referral", 0, NULL);
slapi_entry_free(referral);
goto free_and_return;
}
send_referrals_from_entry(pb,referral);
slapi_entry_free(referral);
goto free_and_return;
}
slapi_pblock_set(pb, SLAPI_BACKEND, be);
/*
* call the pre-delete plugins. if they succeed, call
* the backend delete function. then call the
* post-delete plugins.
*/
if (plugin_call_plugins(pb, internal_op ? SLAPI_PLUGIN_INTERNAL_PRE_DELETE_FN :
SLAPI_PLUGIN_PRE_DELETE_FN) == 0)
{
int rc;
slapi_pblock_set(pb, SLAPI_PLUGIN, be->be_database);
set_db_default_result_handlers(pb);
if (be->be_delete != NULL)
{
if ((rc = (*be->be_delete)(pb)) == 0)
{
/* we don't perform acl check for internal operations */
/* Dont update aci store for remote acis */
if ((!internal_op) &&
(!slapi_be_is_flag_set(be,SLAPI_BE_FLAG_REMOTE_DATA)))
plugin_call_acl_mods_update (pb, SLAPI_OPERATION_DELETE);
if (operation_is_flag_set(operation,OP_FLAG_ACTION_LOG_AUDIT))
write_audit_log_entry(pb); /* Record the operation in the audit log */
slapi_pblock_get(pb, SLAPI_ENTRY_PRE_OP, &ecopy);
do_ps_service(ecopy, NULL, LDAP_CHANGETYPE_DELETE, 0);
}
else
{
if (rc == SLAPI_FAIL_DISKFULL)
{
operation_out_of_disk_space();
goto free_and_return;
}
}
}
slapi_pblock_set(pb, SLAPI_PLUGIN_OPRETURN, &rc);
plugin_call_plugins(pb, internal_op ? SLAPI_PLUGIN_INTERNAL_POST_DELETE_FN :
SLAPI_PLUGIN_POST_DELETE_FN);
}
free_and_return:
if (be) {
slapi_be_Unlock(be);
}
{
char *coldn = NULL;
Slapi_Entry *epre = NULL, *eparent = NULL;
slapi_pblock_get(pb, SLAPI_ENTRY_PRE_OP, &epre);
slapi_pblock_get(pb, SLAPI_DELETE_GLUE_PARENT_ENTRY, &eparent);
slapi_pblock_set(pb, SLAPI_ENTRY_PRE_OP, NULL);
slapi_pblock_set(pb, SLAPI_DELETE_GLUE_PARENT_ENTRY, NULL);
if (epre == eparent) {
eparent = NULL;
}
slapi_entry_free(epre);
slapi_entry_free(eparent);
slapi_pblock_get(pb, SLAPI_URP_NAMING_COLLISION_DN, &coldn);
slapi_ch_free_string(&coldn);
}
slapi_pblock_get(pb, SLAPI_DELETE_TARGET_SDN, &sdn);
slapi_sdn_free(&sdn);
slapi_ch_free_string(&proxydn);
slapi_ch_free_string(&proxystr);
}
int
ldbm_back_modify( Slapi_PBlock *pb )
{
backend *be;
ldbm_instance *inst = NULL;
struct ldbminfo *li;
struct backentry *e = NULL, *ec = NULL;
struct backentry *original_entry = NULL, *tmpentry = NULL;
Slapi_Entry *postentry = NULL;
LDAPMod **mods = NULL;
LDAPMod **mods_original = NULL;
Slapi_Mods smods = {0};
back_txn txn;
back_txnid parent_txn;
modify_context ruv_c = {0};
int ruv_c_init = 0;
int retval = -1;
char *msg;
char *errbuf = NULL;
int retry_count = 0;
int disk_full = 0;
int ldap_result_code= LDAP_SUCCESS;
char *ldap_result_message= NULL;
int rc = 0;
Slapi_Operation *operation;
entry_address *addr;
int is_fixup_operation= 0;
int is_ruv = 0; /* True if the current entry is RUV */
CSN *opcsn = NULL;
int repl_op;
int opreturn = 0;
int mod_count = 0;
int not_an_error = 0;
int fixup_tombstone = 0;
int ec_locked = 0;
int result_sent = 0;
slapi_pblock_get( pb, SLAPI_BACKEND, &be);
slapi_pblock_get( pb, SLAPI_PLUGIN_PRIVATE, &li );
slapi_pblock_get( pb, SLAPI_TARGET_ADDRESS, &addr );
slapi_pblock_get( pb, SLAPI_MODIFY_MODS, &mods );
slapi_pblock_get( pb, SLAPI_TXN, (void**)&parent_txn );
slapi_pblock_get( pb, SLAPI_IS_REPLICATED_OPERATION, &repl_op);
slapi_pblock_get( pb, SLAPI_OPERATION, &operation );
fixup_tombstone = operation_is_flag_set(operation, OP_FLAG_TOMBSTONE_FIXUP);
dblayer_txn_init(li,&txn); /* must do this before first goto error_return */
/* the calls to perform searches require the parent txn if any
so set txn to the parent_txn until we begin the child transaction */
if (parent_txn) {
txn.back_txn_txn = parent_txn;
} else {
parent_txn = txn.back_txn_txn;
slapi_pblock_set( pb, SLAPI_TXN, parent_txn );
}
if (NULL == operation)
{
ldap_result_code = LDAP_OPERATIONS_ERROR;
goto error_return;
}
is_fixup_operation = operation_is_flag_set(operation, OP_FLAG_REPL_FIXUP);
is_ruv = operation_is_flag_set(operation, OP_FLAG_REPL_RUV);
inst = (ldbm_instance *) be->be_instance_info;
if (NULL == addr)
{
goto error_return;
}
if (inst && inst->inst_ref_count) {
slapi_counter_increment(inst->inst_ref_count);
} else {
slapi_log_err(SLAPI_LOG_ERR, "ldbm_back_modify",
"Instance \"%s\" does not exist.\n",
inst ? inst->inst_name : "null instance");
goto error_return;
}
/* no need to check the dn syntax as this is a replicated op */
if(!repl_op){
ldap_result_code = slapi_dn_syntax_check(pb, slapi_sdn_get_dn(addr->sdn), 1);
if (ldap_result_code)
{
ldap_result_code = LDAP_INVALID_DN_SYNTAX;
slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &ldap_result_message);
goto error_return;
}
}
/* The dblock serializes writes to the database,
* which reduces deadlocking in the db code,
* which means that we run faster.
*
* But, this lock is re-enterant for the fixup
* operations that the URP code in the Replication
* plugin generates.
*
* SERIALLOCK is moved to dblayer_txn_begin along with exposing be
* transaction to plugins (see slapi_back_transaction_* APIs).
*
if(SERIALLOCK(li) && !operation_is_flag_set(operation,OP_FLAG_REPL_FIXUP)) {
dblayer_lock_backend(be);
dblock_acquired= 1;
}
*/
if ( MANAGE_ENTRY_BEFORE_DBLOCK(li)) {
/* find and lock the entry we are about to modify */
if (fixup_tombstone) {
e = find_entry2modify_only_ext( pb, be, addr, TOMBSTONE_INCLUDED, &txn, &result_sent );
} else {
e = find_entry2modify( pb, be, addr, &txn, &result_sent );
}
if (e == NULL) {
ldap_result_code = -1;
goto error_return; /* error result sent by find_entry2modify() */
}
}
txn.back_txn_txn = NULL; /* ready to create the child transaction */
for (retry_count = 0; retry_count < RETRY_TIMES; retry_count++) {
int cache_rc = 0;
int new_mod_count = 0;
if (txn.back_txn_txn && (txn.back_txn_txn != parent_txn)) {
/* don't release SERIAL LOCK */
dblayer_txn_abort_ext(li, &txn, PR_FALSE);
slapi_pblock_set(pb, SLAPI_TXN, parent_txn);
/*
* Since be_txn_preop functions could have modified the entry/mods,
* We need to grab the current mods, free them, and restore the
* originals. Same thing for the entry.
*/
slapi_pblock_get(pb, SLAPI_MODIFY_MODS, &mods);
ldap_mods_free(mods, 1);
slapi_pblock_set(pb, SLAPI_MODIFY_MODS, copy_mods(mods_original));
/* reset ec set cache in id2entry_add_ext */
if (ec) {
/* must duplicate ec before returning it to cache,
* which could free the entry. */
if ((tmpentry = backentry_dup(original_entry?original_entry:ec)) == NULL) {
ldap_result_code= LDAP_OPERATIONS_ERROR;
goto error_return;
}
if (cache_is_in_cache(&inst->inst_cache, ec)) {
CACHE_REMOVE(&inst->inst_cache, ec);
}
CACHE_RETURN(&inst->inst_cache, &ec);
slapi_pblock_set( pb, SLAPI_MODIFY_EXISTING_ENTRY, original_entry->ep_entry );
ec = original_entry;
original_entry = tmpentry;
tmpentry = NULL;
}
if (ruv_c_init) {
/* reset the ruv txn stuff */
modify_term(&ruv_c, be);
ruv_c_init = 0;
}
slapi_log_err(SLAPI_LOG_BACKLDBM, "ldbm_back_modify",
"Modify Retrying Transaction\n");
#ifndef LDBM_NO_BACKOFF_DELAY
{
PRIntervalTime interval;
interval = PR_MillisecondsToInterval(slapi_rand() % 100);
DS_Sleep(interval);
}
#endif
}
/* Nothing above here modifies persistent store, everything after here is subject to the transaction */
/* dblayer_txn_begin holds SERIAL lock,
* which should be outside of locking the entry (find_entry2modify) */
if (0 == retry_count) {
/* First time, hold SERIAL LOCK */
retval = dblayer_txn_begin(be, parent_txn, &txn);
} else {
/* Otherwise, no SERIAL LOCK */
retval = dblayer_txn_begin_ext(li, parent_txn, &txn, PR_FALSE);
}
if (0 != retval) {
if (LDBM_OS_ERR_IS_DISKFULL(retval)) disk_full = 1;
ldap_result_code= LDAP_OPERATIONS_ERROR;
goto error_return;
}
/* stash the transaction for plugins */
slapi_pblock_set(pb, SLAPI_TXN, txn.back_txn_txn);
if (0 == retry_count) { /* just once */
if ( !MANAGE_ENTRY_BEFORE_DBLOCK(li)) {
/* find and lock the entry we are about to modify */
if (fixup_tombstone) {
e = find_entry2modify_only_ext( pb, be, addr, TOMBSTONE_INCLUDED, &txn, &result_sent );
} else {
e = find_entry2modify( pb, be, addr, &txn, &result_sent );
}
if (e == NULL) {
ldap_result_code = -1;
goto error_return; /* error result sent by find_entry2modify() */
}
}
if ( !is_fixup_operation && !fixup_tombstone)
{
if (!repl_op && slapi_entry_flag_is_set(e->ep_entry, SLAPI_ENTRY_FLAG_TOMBSTONE))
{
ldap_result_code = LDAP_UNWILLING_TO_PERFORM;
ldap_result_message = "Operation not allowed on tombstone entry.";
slapi_log_err(SLAPI_LOG_ERR, "ldbm_back_modify",
"Attempt to modify a tombstone entry %s\n",
slapi_sdn_get_dn(slapi_entry_get_sdn_const( e->ep_entry )));
goto error_return;
}
opcsn = operation_get_csn (operation);
if (NULL == opcsn && operation->o_csngen_handler)
{
/*
* Current op is a user request. Opcsn will be assigned
* if the dn is in an updatable replica.
*/
opcsn = entry_assign_operation_csn ( pb, e->ep_entry, NULL );
}
if (opcsn)
{
entry_set_maxcsn (e->ep_entry, opcsn);
}
}
/* Save away a copy of the entry, before modifications */
slapi_pblock_set( pb, SLAPI_ENTRY_PRE_OP, slapi_entry_dup( e->ep_entry ));
if ( (ldap_result_code = plugin_call_acl_mods_access( pb, e->ep_entry, mods, &errbuf)) != LDAP_SUCCESS ) {
ldap_result_message= errbuf;
goto error_return;
}
/* create a copy of the entry and apply the changes to it */
if ( (ec = backentry_dup( e )) == NULL ) {
ldap_result_code= LDAP_OPERATIONS_ERROR;
goto error_return;
}
if(!repl_op){
remove_illegal_mods(mods);
}
/* ec is the entry that our bepreop should get to mess with */
slapi_pblock_set( pb, SLAPI_MODIFY_EXISTING_ENTRY, ec->ep_entry );
slapi_pblock_set(pb, SLAPI_RESULT_CODE, &ldap_result_code);
opreturn = plugin_call_plugins(pb, SLAPI_PLUGIN_BE_PRE_MODIFY_FN);
if (opreturn ||
(slapi_pblock_get(pb, SLAPI_RESULT_CODE, &ldap_result_code) && ldap_result_code) ||
(slapi_pblock_get(pb, SLAPI_PLUGIN_OPRETURN, &opreturn) && opreturn)) {
slapi_pblock_get(pb, SLAPI_RESULT_CODE, &ldap_result_code);
slapi_pblock_get(pb, SLAPI_PLUGIN_OPRETURN, &opreturn);
if (!ldap_result_code) {
slapi_log_err(SLAPI_LOG_ERR, "ldbm_back_modify",
"SLAPI_PLUGIN_BE_PRE_MODIFY_FN "
"returned error but did not set SLAPI_RESULT_CODE\n");
ldap_result_code = LDAP_OPERATIONS_ERROR;
}
if (SLAPI_PLUGIN_NOOP == opreturn) {
not_an_error = 1;
rc = opreturn = LDAP_SUCCESS;
} else if (!opreturn) {
opreturn = SLAPI_PLUGIN_FAILURE;
slapi_pblock_set(pb, SLAPI_PLUGIN_OPRETURN, &opreturn);
}
slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &ldap_result_message);
goto error_return;
}
/* The Plugin may have messed about with some of the PBlock parameters... ie. mods */
slapi_pblock_get( pb, SLAPI_MODIFY_MODS, &mods );
/* apply the mods, check for syntax, schema problems, etc. */
if (modify_apply_check_expand(pb, operation, mods, e, ec, &postentry,
&ldap_result_code, &ldap_result_message)) {
goto error_return;
}
/* the schema check could have added a repl conflict mod
* get the mods again */
slapi_pblock_get( pb, SLAPI_MODIFY_MODS, &mods );
slapi_mods_init_byref(&smods,mods);
mod_count = slapi_mods_get_num_mods(&smods);
/*
* Grab a copy of the mods and the entry in case the be_txn_preop changes
* the them. If we have a failure, then we need to reset the mods to their
* their original state;
*/
mods_original = copy_mods(mods);
if ( (original_entry = backentry_dup( ec )) == NULL ) {
ldap_result_code= LDAP_OPERATIONS_ERROR;
goto error_return;
}
} /* if (0 == retry_count) just once */
/* call the transaction pre modify plugins just after creating the transaction */
retval = plugin_call_plugins(pb, SLAPI_PLUGIN_BE_TXN_PRE_MODIFY_FN);
if (retval) {
slapi_log_err(SLAPI_LOG_TRACE, "ldbm_back_modify", "SLAPI_PLUGIN_BE_TXN_PRE_MODIFY_FN plugin "
"returned error code %d\n", retval );
slapi_pblock_get(pb, SLAPI_RESULT_CODE, &ldap_result_code);
slapi_pblock_get(pb, SLAPI_PLUGIN_OPRETURN, &opreturn);
if (SLAPI_PLUGIN_NOOP == retval) {
not_an_error = 1;
rc = retval = LDAP_SUCCESS;
}
if (!opreturn) {
slapi_pblock_set(pb, SLAPI_PLUGIN_OPRETURN, ldap_result_code ? &ldap_result_code : &retval);
}
slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &ldap_result_message);
goto error_return;
}
/* the mods might have been changed, so get the latest */
slapi_pblock_get( pb, SLAPI_MODIFY_MODS, &mods );
/* make sure the betxnpreop did not alter any of the mods that
had already previously been applied */
slapi_mods_done(&smods);
slapi_mods_init_byref(&smods,mods);
new_mod_count = slapi_mods_get_num_mods(&smods);
if (new_mod_count < mod_count) {
slapi_log_err(SLAPI_LOG_ERR, "ldbm_back_modify",
"Error: BE_TXN_PRE_MODIFY plugin has removed "
"mods from the original list - mod count was [%d] now [%d] "
"mods will not be applied - mods list changes must be done "
"in the BE_PRE_MODIFY plugin, not the BE_TXN_PRE_MODIFY\n",
mod_count, new_mod_count );
} else if (new_mod_count > mod_count) { /* apply the new betxnpremod mods */
/* apply the mods, check for syntax, schema problems, etc. */
if (modify_apply_check_expand(pb, operation, &mods[mod_count], e, ec, &postentry,
&ldap_result_code, &ldap_result_message)) {
goto error_return;
}
} /* else if new_mod_count == mod_count then betxnpremod plugin did nothing */
/*
* Update the ID to Entry index.
* Note that id2entry_add replaces the entry, so the Entry ID
* stays the same.
*/
retval = id2entry_add_ext( be, ec, &txn, 1, &cache_rc );
if (DB_LOCK_DEADLOCK == retval)
{
/* Abort and re-try */
continue;
}
if (0 != retval) {
slapi_log_err(SLAPI_LOG_ERR, "ldbm_back_modify",
"id2entry_add failed, err=%d %s\n",
retval, (msg = dblayer_strerror( retval )) ? msg : "");
if (LDBM_OS_ERR_IS_DISKFULL(retval)) disk_full = 1;
MOD_SET_ERROR(ldap_result_code, LDAP_OPERATIONS_ERROR, retry_count);
goto error_return;
}
retval = index_add_mods( be, mods, e, ec, &txn );
if (DB_LOCK_DEADLOCK == retval)
{
/* Abort and re-try */
continue;
}
if (0 != retval) {
slapi_log_err(SLAPI_LOG_ERR, "ldbm_back_modify",
"index_add_mods failed, err=%d %s\n",
retval, (msg = dblayer_strerror( retval )) ? msg : "");
if (LDBM_OS_ERR_IS_DISKFULL(retval)) disk_full = 1;
MOD_SET_ERROR(ldap_result_code, LDAP_OPERATIONS_ERROR, retry_count);
goto error_return;
}
/*
* Remove the old entry from the Virtual List View indexes.
* Add the new entry to the Virtual List View indexes.
* If the entry is ruv, no need to update vlv.
*/
if (!is_ruv) {
retval= vlv_update_all_indexes(&txn, be, pb, e, ec);
if (DB_LOCK_DEADLOCK == retval)
{
/* Abort and re-try */
continue;
}
if (0 != retval) {
slapi_log_err(SLAPI_LOG_ERR, "ldbm_back_modify",
"vlv_update_index failed, err=%d %s\n",
retval, (msg = dblayer_strerror( retval )) ? msg : "");
if (LDBM_OS_ERR_IS_DISKFULL(retval)) disk_full = 1;
MOD_SET_ERROR(ldap_result_code,
LDAP_OPERATIONS_ERROR, retry_count);
goto error_return;
}
}
if (!is_ruv && !is_fixup_operation && !NO_RUV_UPDATE(li)) {
ruv_c_init = ldbm_txn_ruv_modify_context( pb, &ruv_c );
if (-1 == ruv_c_init) {
slapi_log_err(SLAPI_LOG_ERR, "ldbm_back_modify",
"ldbm_txn_ruv_modify_context failed to construct RUV modify context\n");
ldap_result_code= LDAP_OPERATIONS_ERROR;
retval = 0;
goto error_return;
}
}
if (ruv_c_init) {
retval = modify_update_all( be, pb, &ruv_c, &txn );
if (DB_LOCK_DEADLOCK == retval) {
/* Abort and re-try */
continue;
}
if (0 != retval) {
slapi_log_err(SLAPI_LOG_ERR, "ldbm_back_modify",
"modify_update_all failed, err=%d %s\n", retval,
(msg = dblayer_strerror( retval )) ? msg : "");
if (LDBM_OS_ERR_IS_DISKFULL(retval))
disk_full = 1;
ldap_result_code= LDAP_OPERATIONS_ERROR;
goto error_return;
}
}
if (0 == retval) {
break;
}
}
if (retry_count == RETRY_TIMES) {
slapi_log_err(SLAPI_LOG_ERR, "ldbm_back_modify",
"Retry count exceeded in modify\n");
ldap_result_code= LDAP_BUSY;
goto error_return;
}
if (ruv_c_init) {
if (modify_switch_entries(&ruv_c, be) != 0 ) {
ldap_result_code= LDAP_OPERATIONS_ERROR;
slapi_log_err(SLAPI_LOG_ERR, "ldbm_back_modify",
"modify_switch_entries failed\n");
goto error_return;
}
}
if (cache_replace( &inst->inst_cache, e, ec ) != 0 ) {
MOD_SET_ERROR(ldap_result_code, LDAP_OPERATIONS_ERROR, retry_count);
goto error_return;
}
/* e uncached */
/* we must return both e (which has been deleted) and new entry ec to cache */
/* cache_replace removes e from the cache hash tables */
cache_unlock_entry( &inst->inst_cache, e );
CACHE_RETURN( &inst->inst_cache, &e );
/* lock new entry in cache to prevent usage until we are complete */
cache_lock_entry( &inst->inst_cache, ec );
ec_locked = 1;
postentry = slapi_entry_dup( ec->ep_entry );
slapi_pblock_set( pb, SLAPI_ENTRY_POST_OP, postentry );
/* invalidate virtual cache */
ec->ep_entry->e_virtual_watermark = 0;
/*
* LP Fix of crash when the commit will fail:
* If the commit fail, the common error path will
* try to unlock the entry again and crash (PR_ASSERT
* in debug mode.
* By just setting e to NULL, we avoid this. It's OK since
* we don't use e after that in the normal case.
*/
e = NULL;
/* call the transaction post modify plugins just before the commit */
if ((retval = plugin_call_plugins(pb, SLAPI_PLUGIN_BE_TXN_POST_MODIFY_FN))) {
slapi_log_err(SLAPI_LOG_TRACE, "ldbm_back_modify",
"SLAPI_PLUGIN_BE_TXN_POST_MODIFY_FN plugin "
"returned error code %d\n", retval );
if (!ldap_result_code) {
slapi_pblock_get(pb, SLAPI_RESULT_CODE, &ldap_result_code);
}
if (!opreturn) {
slapi_pblock_get(pb, SLAPI_PLUGIN_OPRETURN, &opreturn);
}
if (!opreturn) {
slapi_pblock_set(pb, SLAPI_PLUGIN_OPRETURN, ldap_result_code ? &ldap_result_code : &retval);
}
slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &ldap_result_message);
goto error_return;
}
/* Release SERIAL LOCK */
retval = dblayer_txn_commit(be, &txn);
/* after commit - txn is no longer valid - replace SLAPI_TXN with parent */
slapi_pblock_set(pb, SLAPI_TXN, parent_txn);
if (0 != retval) {
if (LDBM_OS_ERR_IS_DISKFULL(retval)) disk_full = 1;
ldap_result_code= LDAP_OPERATIONS_ERROR;
goto error_return;
}
rc= 0;
goto common_return;
error_return:
if ( postentry != NULL )
{
slapi_entry_free( postentry );
postentry = NULL;
slapi_pblock_set( pb, SLAPI_ENTRY_POST_OP, NULL );
}
if (retval == DB_RUNRECOVERY) {
dblayer_remember_disk_filled(li);
ldbm_nasty("ldbm_back_modify","Modify",81,retval);
disk_full = 1;
}
if (disk_full) {
rc= return_on_disk_full(li);
} else {
if (txn.back_txn_txn && (txn.back_txn_txn != parent_txn)) {
/* make sure SLAPI_RESULT_CODE and SLAPI_PLUGIN_OPRETURN are set */
int val = 0;
slapi_pblock_get(pb, SLAPI_RESULT_CODE, &val);
if (!val) {
if (!ldap_result_code) {
ldap_result_code = LDAP_OPERATIONS_ERROR;
}
slapi_pblock_set(pb, SLAPI_RESULT_CODE, &ldap_result_code);
}
slapi_pblock_get( pb, SLAPI_PLUGIN_OPRETURN, &val );
if (!val) {
opreturn = -1;
slapi_pblock_set( pb, SLAPI_PLUGIN_OPRETURN, &opreturn );
}
/* call the transaction post modify plugins just before the abort */
/* plugins called before abort should check for the OPRETURN or RESULT_CODE
and skip processing if they don't want do anything - some plugins that
keep track of a counter (usn, dna) may want to "rollback" the counter
in this case */
if ((retval = plugin_call_plugins(pb, SLAPI_PLUGIN_BE_TXN_POST_MODIFY_FN))) {
slapi_log_err(SLAPI_LOG_TRACE, "ldbm_back_modify",
"SLAPI_PLUGIN_BE_TXN_POST_MODIFY_FN plugin returned error code %d\n", retval );
slapi_pblock_get(pb, SLAPI_RESULT_CODE, &ldap_result_code);
slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &ldap_result_message);
slapi_pblock_get(pb, SLAPI_PLUGIN_OPRETURN, &opreturn);
if (!opreturn) {
slapi_pblock_set(pb, SLAPI_PLUGIN_OPRETURN, ldap_result_code ? &ldap_result_code : &retval);
}
}
/* It is safer not to abort when the transaction is not started. */
/* Release SERIAL LOCK */
dblayer_txn_abort(be, &txn); /* abort crashes in case disk full */
/* txn is no longer valid - reset the txn pointer to the parent */
slapi_pblock_set(pb, SLAPI_TXN, parent_txn);
}
if (!not_an_error) {
rc = SLAPI_FAIL_GENERAL;
}
}
/* if ec is in cache, remove it, then add back e if we still have it */
if (inst && cache_is_in_cache(&inst->inst_cache, ec)) {
CACHE_REMOVE( &inst->inst_cache, ec );
/* if ec was in cache, e was not - add back e */
if (e) {
if (CACHE_ADD( &inst->inst_cache, e, NULL ) < 0) {
slapi_log_err(SLAPI_LOG_CACHE, "ldbm_back_modify", "CACHE_ADD %s failed\n",
slapi_entry_get_dn(e->ep_entry));
}
}
}
common_return:
slapi_mods_done(&smods);
if (inst) {
if (ec_locked || cache_is_in_cache(&inst->inst_cache, ec)) {
cache_unlock_entry(&inst->inst_cache, ec);
} else if (e) {
/* if ec was not in cache, cache_replace was not done.
* i.e., e was not unlocked. */
cache_unlock_entry(&inst->inst_cache, e);
CACHE_RETURN(&inst->inst_cache, &e);
}
CACHE_RETURN(&inst->inst_cache, &ec);
if (inst->inst_ref_count) {
slapi_counter_decrement(inst->inst_ref_count);
}
}
/* result code could be used in the bepost plugin functions. */
slapi_pblock_set(pb, SLAPI_RESULT_CODE, &ldap_result_code);
/* The bepostop is called even if the operation fails. */
if (!disk_full)
plugin_call_plugins (pb, SLAPI_PLUGIN_BE_POST_MODIFY_FN);
if (ruv_c_init) {
modify_term(&ruv_c, be);
}
if (ldap_result_code == -1) {
/* Reset to LDAP_NO_SUCH_OBJECT*/
ldap_result_code = LDAP_NO_SUCH_OBJECT;
slapi_pblock_set(pb, SLAPI_RESULT_CODE, &ldap_result_code);
} else {
if (not_an_error) {
/* This is mainly used by urp. Solved conflict is not an error.
* And we don't want the supplier to halt sending the updates. */
ldap_result_code = LDAP_SUCCESS;
}
if (!result_sent) {
/* result is already sent in find_entry. */
slapi_send_ldap_result( pb, ldap_result_code, NULL, ldap_result_message, 0, NULL );
}
}
/* free our backups */
ldap_mods_free(mods_original, 1);
backentry_free(&original_entry);
backentry_free(&tmpentry);
slapi_ch_free_string(&errbuf);
return rc;
}
/**
Apply the mods to the ec entry. Check for syntax, schema problems.
Check for abandon.
Return code:
-1 - error - result code and message are set appropriately
0 - successfully applied and checked
1 - not an error - no mods to apply or op abandoned
*/
static int
modify_apply_check_expand(
Slapi_PBlock *pb,
Slapi_Operation *operation,
LDAPMod **mods, /* list of mods to apply */
struct backentry *e, /* original "before" entry */
struct backentry *ec, /* "after" entry with mods applied */
Slapi_Entry **postentry,
int *ldap_result_code,
char **ldap_result_message
)
{
int rc = 0;
int i;
int repl_op;
int change_entry = 0;
Slapi_Mods smods = {0};
CSN *csn = operation_get_csn(operation);
slapi_pblock_get (pb, SLAPI_IS_REPLICATED_OPERATION, &repl_op);
slapi_mods_init_byref( &smods, mods );
if ( (change_entry = mods_have_effect (ec->ep_entry, &smods)) ) {
*ldap_result_code = entry_apply_mods_wsi(ec->ep_entry, &smods, csn,
operation_is_flag_set(operation, OP_FLAG_REPLICATED));
/*
* XXXmcs: it would be nice to get back an error message from
* the above call so we could pass it along to the client, e.g.,
* "duplicate value for attribute givenName."
*/
} else {
Slapi_Entry *epostop = NULL;
/* If the entry was not actually changed, we still need to
* set the SLAPI_ENTRY_POST_OP field in the pblock (post-op
* plugins expect that field to be present for all modify
* operations that return LDAP_SUCCESS).
*/
slapi_pblock_get ( pb, SLAPI_ENTRY_POST_OP, &epostop );
slapi_entry_free ( epostop ); /* free existing one, if any */
slapi_pblock_set ( pb, SLAPI_ENTRY_POST_OP, slapi_entry_dup( e->ep_entry ) );
*postentry = NULL; /* to avoid free in main error cleanup code */
}
if ( !change_entry || *ldap_result_code != 0 ) {
/* change_entry == 0 is not an error just a no-op */
rc = change_entry ? -1 : 1;
goto done;
}
/*
* If the objectClass attribute type was modified in any way, expand
* the objectClass values to reflect the inheritance hierarchy.
*/
for ( i = 0; mods && mods[i]; ++i ) {
if ( 0 == strcasecmp( SLAPI_ATTR_OBJECTCLASS, mods[i]->mod_type )) {
slapi_schema_expand_objectclasses( ec->ep_entry );
break;
}
}
/*
* We are about to pass the last abandon test, so from now on we are
* committed to finish this operation. Set status to "will complete"
* before we make our last abandon check to avoid race conditions in
* the code that processes abandon operations.
*/
operation->o_status = SLAPI_OP_STATUS_WILL_COMPLETE;
if ( slapi_op_abandoned( pb ) ) {
rc = 1;
goto done;
}
/* multimaster replication can result in a schema violation,
* although the individual operations on each master were valid
* It is too late to resolve this. But we can check schema and
* add a replication conflict attribute.
*/
/* check that the entry still obeys the schema */
if ((operation_is_flag_set(operation,OP_FLAG_ACTION_SCHEMA_CHECK)) &&
slapi_entry_schema_check_ext( pb, ec->ep_entry, 1 ) != 0 ) {
if(repl_op){
Slapi_Attr *attr;
Slapi_Mods smods;
LDAPMod **lmods;
if (slapi_entry_attr_find (ec->ep_entry, ATTR_NSDS5_REPLCONFLICT, &attr) == 0)
{
/* add value */
Slapi_Value *val = slapi_value_new_string("Schema violation");
slapi_attr_add_value(attr,val);
slapi_value_free(&val);
} else {
/* Add new attribute */
slapi_entry_add_string (ec->ep_entry, ATTR_NSDS5_REPLCONFLICT, "Schema violation");
}
/* the replconflict attribute is indexed and the index is built from the mods,
* so we need to extend the mods */
slapi_pblock_get(pb, SLAPI_MODIFY_MODS, &lmods);
slapi_mods_init_passin(&smods, lmods);
slapi_mods_add_string (&smods, LDAP_MOD_ADD, ATTR_NSDS5_REPLCONFLICT, "Schema violation");
lmods = slapi_mods_get_ldapmods_passout(&smods);
slapi_pblock_set(pb, SLAPI_MODIFY_MODS, lmods);
slapi_mods_done(&smods);
} else {
*ldap_result_code = LDAP_OBJECT_CLASS_VIOLATION;
slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, ldap_result_message);
rc = -1;
goto done;
}
}
if(!repl_op){
/* check attribute syntax for the new values */
if (slapi_mods_syntax_check(pb, mods, 0) != 0) {
*ldap_result_code = LDAP_INVALID_SYNTAX;
slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, ldap_result_message);
rc = -1;
goto done;
}
/*
* make sure the entry contains all values in the RDN.
* if not, the modification must have removed them.
*/
if ( ! slapi_entry_rdn_values_present( ec->ep_entry ) ) {
*ldap_result_code= LDAP_NOT_ALLOWED_ON_RDN;
rc = -1;
goto done;
}
}
done:
slapi_mods_done( &smods );
return rc;
}
static int
agmtlist_modify_callback(Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entry *e,
int *returncode, char *returntext, void *arg)
{
int i;
Slapi_DN *sdn = NULL;
int start_initialize = 0, stop_initialize = 0, cancel_initialize = 0;
int update_the_schedule = 0; /* do we need to update the repl sched? */
Repl_Agmt *agmt = NULL;
LDAPMod **mods;
char buff [SLAPI_DSE_RETURNTEXT_SIZE];
char *errortext = returntext ? returntext : buff;
int rc = SLAPI_DSE_CALLBACK_OK;
Slapi_Operation *op;
void *identity;
*returncode = LDAP_SUCCESS;
/* just let internal operations originated from replication plugin to go through */
slapi_pblock_get (pb, SLAPI_OPERATION, &op);
slapi_pblock_get (pb, SLAPI_PLUGIN_IDENTITY, &identity);
if (operation_is_flag_set(op, OP_FLAG_INTERNAL) &&
(identity == repl_get_plugin_identity (PLUGIN_MULTIMASTER_REPLICATION)))
{
goto done;
}
slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn);
if (NULL == sdn) {
slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name,
"agmtlist_modify_callback: NULL target dn\n");
goto done;
}
agmt = agmtlist_get_by_agmt_name(sdn);
if (NULL == agmt)
{
slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "agmtlist_modify_callback: received "
"a modification for unknown replication agreement \"%s\"\n",
slapi_sdn_get_dn(sdn));
goto done;
}
slapi_pblock_get(pb, SLAPI_MODIFY_MODS, &mods);
for (i = 0; NULL != mods && NULL != mods[i]; i++)
{
if (slapi_attr_types_equivalent(mods[i]->mod_type, type_nsds5ReplicaInitialize))
{
/* we don't allow delete attribute operations unless it was issued by
the replication plugin - handled above */
if (mods[i]->mod_op & LDAP_MOD_DELETE)
{
if(strcasecmp (mods[i]->mod_type, type_nsds5ReplicaCleanRUVnotified) == 0){
/* allow the deletion of cleanallruv agmt attr */
continue;
}
slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, "agmtlist_modify_callback: "
"deletion of %s attribute is not allowed\n", type_nsds5ReplicaInitialize);
*returncode = LDAP_UNWILLING_TO_PERFORM;
rc = SLAPI_DSE_CALLBACK_ERROR;
break;
}
else
{
char *val;
if (mods[i]->mod_bvalues && mods[i]->mod_bvalues[0])
val = slapi_berval_get_string_copy (mods[i]->mod_bvalues[0]);
else
{
slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, "agmtlist_modify_callback: "
"no value provided for %s attribute\n", type_nsds5ReplicaInitialize);
*returncode = LDAP_UNWILLING_TO_PERFORM;
rc = SLAPI_DSE_CALLBACK_ERROR;
break;
}
/* Start replica initialization */
if (val == NULL)
{
PR_snprintf (errortext, SLAPI_DSE_RETURNTEXT_SIZE, "No value supplied for attr (%s)", mods[i]->mod_type);
slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, "agmtlist_modify_callback: %s\n",
errortext);
*returncode = LDAP_UNWILLING_TO_PERFORM;
rc = SLAPI_DSE_CALLBACK_ERROR;
break;
}
if (strcasecmp (val, "start") == 0)
{
start_initialize = 1;
}
else if (strcasecmp (val, "stop") == 0)
{
stop_initialize = 1;
}
else if (strcasecmp (val, "cancel") == 0)
{
cancel_initialize = 1;
}
else
{
PR_snprintf (errortext, SLAPI_DSE_RETURNTEXT_SIZE, "Invalid value (%s) value supplied for attr (%s)",
val, mods[i]->mod_type);
slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, "agmtlist_modify_callback: %s\n", errortext);
}
slapi_ch_free ((void**)&val);
}
}
else if (slapi_attr_types_equivalent(mods[i]->mod_type,
type_nsds5ReplicaUpdateSchedule))
{
/*
* Request to update the replication schedule. Set a flag so
* we know to update the schedule later.
*/
update_the_schedule = 1;
}
else if (slapi_attr_types_equivalent(mods[i]->mod_type,
type_nsds5ReplicaCredentials))
{
/* New replica credentials */
if (agmt_set_credentials_from_entry(agmt, e) != 0)
{
slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, "agmtlist_modify_callback: "
"failed to update credentials for agreement %s\n",
agmt_get_long_name(agmt));
*returncode = LDAP_OPERATIONS_ERROR;
rc = SLAPI_DSE_CALLBACK_ERROR;
}
}
else if (slapi_attr_types_equivalent(mods[i]->mod_type,
type_nsds5ReplicaTimeout))
{
/* New replica timeout */
if (agmt_set_timeout_from_entry(agmt, e) != 0)
{
slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, "agmtlist_modify_callback: "
"failed to update timeout for agreement %s\n",
agmt_get_long_name(agmt));
*returncode = LDAP_OPERATIONS_ERROR;
rc = SLAPI_DSE_CALLBACK_ERROR;
}
}
else if (slapi_attr_types_equivalent(mods[i]->mod_type,
type_nsds5ReplicaBusyWaitTime))
{
/* New replica busywaittime */
if (agmt_set_busywaittime_from_entry(agmt, e) != 0)
{
slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, "agmtlist_modify_callback: "
"failed to update busy wait time for agreement %s\n",
agmt_get_long_name(agmt));
*returncode = LDAP_OPERATIONS_ERROR;
rc = SLAPI_DSE_CALLBACK_ERROR;
}
}
else if (slapi_attr_types_equivalent(mods[i]->mod_type,
type_nsds5ReplicaSessionPauseTime))
{
/* New replica pausetime */
if (agmt_set_pausetime_from_entry(agmt, e) != 0)
{
slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, "agmtlist_modify_callback: "
"failed to update session pause time for agreement %s\n",
agmt_get_long_name(agmt));
*returncode = LDAP_OPERATIONS_ERROR;
rc = SLAPI_DSE_CALLBACK_ERROR;
}
}
else if (slapi_attr_types_equivalent(mods[i]->mod_type,
type_nsds5ReplicaBindDN))
{
/* New replica Bind DN */
if (agmt_set_binddn_from_entry(agmt, e) != 0)
{
slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, "agmtlist_modify_callback: "
"failed to update bind DN for agreement %s\n",
agmt_get_long_name(agmt));
*returncode = LDAP_OPERATIONS_ERROR;
rc = SLAPI_DSE_CALLBACK_ERROR;
}
}
else if (slapi_attr_types_equivalent(mods[i]->mod_type,
type_nsds5ReplicaPort))
{
/* New replica port */
if (agmt_set_port_from_entry(agmt, e) != 0)
{
slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name,
"agmtlist_modify_callback: "
"failed to update port for agreement %s\n",
agmt_get_long_name(agmt));
*returncode = LDAP_OPERATIONS_ERROR;
rc = SLAPI_DSE_CALLBACK_ERROR;
}
}
else if (slapi_attr_types_equivalent(mods[i]->mod_type,
type_nsds5TransportInfo))
{
/* New Transport info */
if (agmt_set_transportinfo_from_entry(agmt, e) != 0)
{
slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, "agmtlist_modify_callback: "
"failed to update transport info for agreement %s\n",
agmt_get_long_name(agmt));
*returncode = LDAP_OPERATIONS_ERROR;
rc = SLAPI_DSE_CALLBACK_ERROR;
}
}
else if (slapi_attr_types_equivalent(mods[i]->mod_type,
type_nsds5ReplicaBindMethod))
{
if (agmt_set_bind_method_from_entry(agmt, e) != 0)
{
slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, "agmtlist_modify_callback: "
"failed to update bind method for agreement %s\n",
agmt_get_long_name(agmt));
*returncode = LDAP_OPERATIONS_ERROR;
rc = SLAPI_DSE_CALLBACK_ERROR;
}
}
else if (slapi_attr_types_equivalent(mods[i]->mod_type,
type_nsds5ReplicatedAttributeList))
{
char **denied_attrs = NULL;
/* New set of excluded attributes */
if (agmt_set_replicated_attributes_from_entry(agmt, e) != 0)
{
slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, "agmtlist_modify_callback: "
"failed to update replicated attributes for agreement %s\n",
agmt_get_long_name(agmt));
*returncode = LDAP_OPERATIONS_ERROR;
rc = SLAPI_DSE_CALLBACK_ERROR;
}
/* Check that there are no verboten attributes in the exclude list */
denied_attrs = agmt_validate_replicated_attributes(agmt, 0 /* incremental */);
if (denied_attrs)
{
/* Report the error to the client */
PR_snprintf (errortext, SLAPI_DSE_RETURNTEXT_SIZE, "attempt to exclude an illegal attribute in a fractional agreement");
slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, "agmtlist_modify_callback: "
"attempt to exclude an illegal attribute in a fractional agreement\n");
*returncode = LDAP_UNWILLING_TO_PERFORM;
rc = SLAPI_DSE_CALLBACK_ERROR;
/* Free the deny list if we got one */
slapi_ch_array_free(denied_attrs);
break;
}
}
else if (slapi_attr_types_equivalent(mods[i]->mod_type,
type_nsds5ReplicatedAttributeListTotal))
{
char **denied_attrs = NULL;
/* New set of excluded attributes */
if (agmt_set_replicated_attributes_total_from_entry(agmt, e) != 0)
{
slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, "agmtlist_modify_callback: "
"failed to update total update replicated attributes for agreement %s\n",
agmt_get_long_name(agmt));
*returncode = LDAP_OPERATIONS_ERROR;
rc = SLAPI_DSE_CALLBACK_ERROR;
}
/* Check that there are no verboten attributes in the exclude list */
denied_attrs = agmt_validate_replicated_attributes(agmt, 1 /* total */);
if (denied_attrs)
{
/* Report the error to the client */
PR_snprintf (errortext, SLAPI_DSE_RETURNTEXT_SIZE, "attempt to exclude an illegal total update "
"attribute in a fractional agreement");
slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, "agmtlist_modify_callback: "
"attempt to exclude an illegal total update attribute in a fractional agreement\n");
*returncode = LDAP_UNWILLING_TO_PERFORM;
rc = SLAPI_DSE_CALLBACK_ERROR;
/* Free the deny list if we got one */
slapi_ch_array_free(denied_attrs);
break;
}
}
else if (slapi_attr_types_equivalent(mods[i]->mod_type,
"nsds5debugreplicatimeout"))
{
char *val = slapi_entry_attr_get_charptr(e, "nsds5debugreplicatimeout");
repl5_set_debug_timeout(val);
slapi_ch_free_string(&val);
}
else if (strcasecmp (mods[i]->mod_type, "modifytimestamp") == 0 ||
strcasecmp (mods[i]->mod_type, "modifiersname") == 0 ||
strcasecmp (mods[i]->mod_type, "description") == 0)
{
/* ignore modifier's name and timestamp attributes and the description. */
continue;
}
else if (slapi_attr_types_equivalent(mods[i]->mod_type, type_nsds5ReplicaEnabled))
{
if(agmt_set_enabled_from_entry(agmt, e, returntext) != 0){
slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, "agmtlist_modify_callback: "
"failed to set replica agmt state \"enabled/disabled\" for %s\n",agmt_get_long_name(agmt));
*returncode = LDAP_OPERATIONS_ERROR;
rc = SLAPI_DSE_CALLBACK_ERROR;
}
}
else if (slapi_attr_types_equivalent(mods[i]->mod_type, type_nsds5ReplicaStripAttrs))
{
if(agmt_set_attrs_to_strip(agmt, e) != 0){
slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, "agmtlist_modify_callback: "
"failed to set replica agmt attributes to strip for %s\n",agmt_get_long_name(agmt));
*returncode = LDAP_OPERATIONS_ERROR;
rc = SLAPI_DSE_CALLBACK_ERROR;
}
}
else if (0 == windows_handle_modify_agreement(agmt, mods[i]->mod_type, e))
{
slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, "agmtlist_modify_callback: "
"modification of %s attribute is not allowed\n", mods[i]->mod_type);
*returncode = LDAP_UNWILLING_TO_PERFORM;
rc = SLAPI_DSE_CALLBACK_ERROR;
break;
}
}
if (stop_initialize)
{
agmt_stop (agmt);
}
else if (start_initialize)
{
if (agmt_initialize_replica(agmt) != 0) {
/* The suffix/repl agmt is disabled */
agmt_set_last_init_status(agmt, 0, NSDS50_REPL_DISABLED, NULL);
if(agmt_is_enabled(agmt)){
PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE, "Suffix is disabled");
} else {
PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE, "Replication agreement is disabled");
}
*returncode = LDAP_UNWILLING_TO_PERFORM;
rc = SLAPI_DSE_CALLBACK_ERROR;
}
}
else if (cancel_initialize)
{
agmt_replica_init_done(agmt);
}
if (update_the_schedule)
{
if (agmt_set_schedule_from_entry(agmt, e) != 0)
{
slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, "agmtlist_modify_callback: "
"failed to update replication schedule for agreement %s\n",
agmt_get_long_name(agmt));
*returncode = LDAP_OPERATIONS_ERROR;
rc = SLAPI_DSE_CALLBACK_ERROR;
}
}
done:
if (NULL != agmt)
{
agmtlist_release_agmt(agmt);
}
return rc;
}