Beispiel #1
0
int
sync_send_entry_from_changelog(Slapi_PBlock *pb,int chg_req, char *uniqueid)
{
	Slapi_Entry *db_entry = NULL;
	int chg_type = LDAP_SYNC_ADD;
	int rv;
	Slapi_PBlock *search_pb = NULL;
    	Slapi_Entry **entries = NULL;
	char *origbase;
	char *filter = slapi_ch_smprintf("(nsuniqueid=%s)",uniqueid);

	slapi_pblock_get( pb, SLAPI_ORIGINAL_TARGET_DN, &origbase );
	search_pb = slapi_pblock_new();
    	slapi_search_internal_set_pb(search_pb, origbase,
           				LDAP_SCOPE_SUBTREE, filter,
            				NULL, 0, NULL, NULL, plugin_get_default_component_id(), 0);
 	slapi_search_internal_pb(search_pb);
	slapi_pblock_get(search_pb, SLAPI_PLUGIN_INTOP_RESULT, &rv);
	if ( rv == LDAP_SUCCESS) {
		slapi_pblock_get(search_pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &entries);
    		if (entries)
			db_entry = *entries; /* there can only be one */
	}

	if (db_entry && sync_is_entry_in_scope(pb, db_entry)) {
		LDAPControl **ctrl = (LDAPControl **)slapi_ch_calloc(2, sizeof (LDAPControl *));
		sync_create_state_control(db_entry, &ctrl[0], chg_type, NULL);
		slapi_send_ldap_search_entry (pb, db_entry, ctrl, NULL, 0);
		ldap_controls_free(ctrl);
	}
	slapi_free_search_results_internal(search_pb);
	slapi_pblock_destroy(search_pb);
	slapi_ch_free((void **)&filter);
	return (0);
}
Beispiel #2
0
Slapi_ValueSet *
replica_updatedn_list_get_members(Slapi_DN *dn)
{
	static char* const filter_groups = "(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs))";
	static char* const	type_member = "member";
	static char* const	type_uniquemember = "uniquemember";
	static char* const	type_memberURL = "memberURL";

	int rval;
	char *attrs[4]; 
	Slapi_PBlock *mpb = slapi_pblock_new ();
	Slapi_ValueSet *members = slapi_valueset_new();
		
	attrs[0] = type_member;
	attrs[1] = type_uniquemember;
	attrs[2] = type_memberURL;
	attrs[3] = NULL;
	slapi_search_internal_set_pb (  mpb, slapi_sdn_get_ndn(dn), LDAP_SCOPE_BASE, filter_groups,
					&attrs[0], 0, NULL /* controls */, NULL /* uniqueid */,
					repl_get_plugin_identity (PLUGIN_MULTIMASTER_REPLICATION), 0);
	slapi_search_internal_pb(mpb);
	slapi_pblock_get(mpb, SLAPI_PLUGIN_INTOP_RESULT, &rval);
	if (rval == LDAP_SUCCESS) {
		Slapi_Entry	**ep;
		slapi_pblock_get(mpb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &ep);
		if ((ep != NULL) && (ep[0] != NULL)) {
			Slapi_Attr *attr = NULL;
			Slapi_Attr *nextAttr = NULL;
			Slapi_ValueSet *vs = NULL;
			char *attrType;
			slapi_entry_first_attr ( ep[0],  &attr);
			while (attr) {
				slapi_attr_get_type ( attr, &attrType );

				if ((strcasecmp (attrType, type_member) == 0) ||
				    (strcasecmp (attrType, type_uniquemember) == 0 ))  {
					slapi_attr_get_valueset(attr, &vs);
					slapi_valueset_join_attr_valueset(attr, members, vs);
					slapi_valueset_free(vs);
				} else if (strcasecmp (attrType, type_memberURL) == 0) {
					/* not yet supported */
				}
				slapi_entry_next_attr ( ep[0], attr, &nextAttr );
				attr = nextAttr;
			}
		}
	}
	slapi_free_search_results_internal(mpb);
	slapi_pblock_destroy (mpb);
	return(members);
}
Beispiel #3
0
static int ipa_cldap_get_domain_entry(struct ipa_cldap_ctx *ctx,
                                      char *domain,
                                      char **guid, char **sid, char **name)
{
    Slapi_PBlock *pb;
    Slapi_Entry **e = NULL;
    char *filter;
    int ret;

    pb = slapi_pblock_new();
    if (!pb) {
        return ENOMEM;
    }

    ret = asprintf(&filter, "(&(cn=%s)(objectclass=ipaNTDomainAttrs))", domain);
    if (ret == -1) {
        ret = ENOMEM;
        goto done;
    }

    slapi_search_internal_set_pb(pb, ctx->base_dn,
                                 LDAP_SCOPE_SUBTREE, filter,
                                 NULL, 0, NULL, NULL, ctx->plugin_id, 0);

    slapi_search_internal_pb(pb);
    slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &ret);

    if (ret) {
        ret = ENOENT;
        goto done;
    }

    slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &e);
    if (!e || !e[0] || e[1]) {
        /* no matches or too many matches */
        ret = ENOENT;
        goto done;
    }

    *guid = slapi_entry_attr_get_charptr(e[0], "ipaNTDomainGUID");
    *sid = slapi_entry_attr_get_charptr(e[0], "ipaNTSecurityIdentifier");
    *name = slapi_entry_attr_get_charptr(e[0], "ipaNTFlatName");

    ret = 0;

done:
    slapi_free_search_results_internal(pb);
    slapi_pblock_destroy(pb);
    free(filter);
    return ret;
}
Beispiel #4
0
/* When a new instance is started, we need to read the dse to
 * find out what attributes should be encrypted.  This function
 * does that.  Returns 0 on success. */
static int 
read_instance_attrcrypt_entries(ldbm_instance *inst)
{
    Slapi_PBlock *tmp_pb;
    int scope = LDAP_SCOPE_SUBTREE;
    const char *searchfilter = ldbm_instance_attrcrypt_filter;
    char *basedn = NULL;

    /* Construct the base dn of the subtree that holds the index entries 
     * for this instance. */
    basedn = slapi_create_dn_string("cn=encrypted attributes,cn=%s,cn=%s,cn=plugins,cn=config",
                          inst->inst_name, inst->inst_li->li_plugin->plg_name); 
    if (NULL == basedn) {
        LDAPDebug2Args(LDAP_DEBUG_ANY,
                       "read_instance_attrcrypt_entries: "
                       "failed create encrypted attributes dn for plugin %s, "
                       "instance %s\n",
                       inst->inst_li->li_plugin->plg_name, inst->inst_name);
        return 1;
    }

    /* Set up a tmp callback that will handle the init for each index entry */
    slapi_config_register_callback(SLAPI_OPERATION_SEARCH, DSE_FLAG_PREOP,
        basedn, scope, searchfilter, ldbm_attrcrypt_init_entry_callback,
        (void *) inst);

    /* Do a search of the subtree containing the index entries */
    tmp_pb = slapi_pblock_new();
    slapi_search_internal_set_pb(tmp_pb, basedn, LDAP_SCOPE_SUBTREE, 
        searchfilter, NULL, 0, NULL, NULL, inst->inst_li->li_identity, 0);
    slapi_search_internal_pb (tmp_pb);

    /* Remove the tmp callback */
    slapi_config_remove_callback(SLAPI_OPERATION_SEARCH, DSE_FLAG_PREOP,
        basedn, scope, searchfilter, ldbm_attrcrypt_init_entry_callback);
    slapi_free_search_results_internal(tmp_pb);
    slapi_pblock_destroy(tmp_pb);

    slapi_ch_free_string(&basedn);
    return 0;
}
Beispiel #5
0
Slapi_PBlock *
slapi_search_internal(
	char *ldn, 
	int scope, 
	char *filStr, 
	LDAPControl **controls, 
	char **attrs, 
	int attrsonly ) 
{
	Slapi_PBlock *pb;

	pb = slapi_pblock_new();

	slapi_search_internal_set_pb( pb, ldn, scope, filStr,
		attrs, attrsonly,
		controls, NULL, NULL, 0 );

	slapi_search_internal_pb( pb );

	return pb;
}
Beispiel #6
0
int oath_preop_bind(Slapi_PBlock *pb) {

    char *dn;
    const char *creds;
    int creds_len, hotp_len = oath_preop_config.hotp_length, pin_len, method, rc = LDAP_SUCCESS, handled = 1;
    struct berval *credentials;
    Slapi_Value *sv_creds = NULL;
    Slapi_PBlock *upb, *tpb; // PBlocks for user and token searches
    Token token;

    slapi_log_error(SLAPI_LOG_PLUGIN, "oath", "oath_preop_bind\n");

    if (slapi_pblock_get(pb, SLAPI_BIND_METHOD, (void *) &method) != 0 ||
            slapi_pblock_get(pb, SLAPI_BIND_TARGET, (void *) &dn) != 0 ||
            slapi_pblock_get(pb, SLAPI_BIND_CREDENTIALS, (void *) &credentials) != 0) {
        slapi_log_error(SLAPI_LOG_PLUGIN, "oath", "oath_preop_bind: Could not get parameters for bind operation\n");
        slapi_send_ldap_result(pb, LDAP_OPERATIONS_ERROR, NULL, NULL, 0, NULL);
        return 1;
    }

    switch (method) {

    case LDAP_AUTH_SIMPLE:

        rc = LDAP_SUCCESS;
        sv_creds = slapi_value_new_berval(credentials);
        creds = slapi_value_get_string(sv_creds);
        creds_len = creds ? strlen(creds) : 0;

        Slapi_Entry **entries, *entry;
        int nentries = 0;

        upb = slapi_pblock_new();
        slapi_search_internal_set_pb(upb, dn, LDAP_SCOPE_SUB, "(objectClass=*)", NULL, 0, NULL, NULL, oath_preop_plugin_id, 0);
        slapi_search_internal_pb(upb);
        slapi_pblock_get(upb, SLAPI_PLUGIN_INTOP_RESULT, &rc);
        slapi_pblock_get(upb, SLAPI_NENTRIES, &nentries);
        slapi_pblock_get(upb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &entries);

        if (rc == LDAP_SUCCESS && nentries > 0 && entries != NULL && (entry = *entries) != NULL) {

            char filter[1024], *attrs[] = {"tokenSerial", "tokenSeed", "tokenCounter", "tokenPIN", NULL};
            Slapi_Entry **tokens;
            int ntokens = 0;

            slapi_log_error(SLAPI_LOG_PLUGIN, "oath", "oath_preop_bind: Authenticating DN: %s\n", dn);

            // search for tokens

            snprintf(filter, 1024, "(&(objectClass=oathToken)(tokenOwner=%s))", dn);

            tpb = slapi_pblock_new();
            slapi_search_internal_set_pb(tpb, oath_preop_config.token_base, LDAP_SCOPE_SUBTREE, filter, attrs, 0, NULL, NULL, oath_preop_plugin_id, 0);
            slapi_search_internal_pb(tpb);
            slapi_pblock_get(tpb, SLAPI_PLUGIN_INTOP_RESULT, &rc);
            slapi_pblock_get(tpb, SLAPI_NENTRIES, &ntokens);
            slapi_pblock_get(tpb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &tokens);

            if (rc == LDAP_SUCCESS && ntokens > 0 && tokens != NULL) {

                int t, w;
                unsigned char hotp[hotp_len + 1];

                for (t = 0; t < ntokens; t++) {

                    oath_token_from_entry(&token, tokens[t]);

                    pin_len = token.pin ? strlen(token.pin) : 0;

                    slapi_log_error(SLAPI_LOG_PLUGIN, "oath", "oath_preop_bind: Found token: %s\n", token.serial);

                    if (pin_len + hotp_len != creds_len)
                        slapi_log_error(SLAPI_LOG_PLUGIN, "oath", "oath_preop_bind: Credentials length did not match\n");

                    else if (token.pin && strncmp(creds, token.pin, pin_len))
                        slapi_log_error(SLAPI_LOG_PLUGIN, "oath", "oath_preop_bind: PIN did not match\n");

                    else for (w = 0; w < oath_preop_config.hotp_inner_window; w++) {

                            if (oath_hotp(hotp, hotp_len, token.seed->bv_val, token.seed->bv_len, token.counter + w, oath_preop_config.hotp_trunc_offset, oath_preop_config.hotp_checksum)) {

                                // slapi_log_error(SLAPI_LOG_PLUGIN, "oath", "oath_preop_bind: hotp(%d) =  %s\n", token.counter + w, hotp);

                                if (!strncmp(hotp, creds + pin_len, hotp_len)) {

                                    // success
                                    slapi_log_error(SLAPI_LOG_PLUGIN, "oath", "oath_preop_bind: hotp(%d) =  %s\n", token.counter + w, hotp);

                                    if (oath_update_token(tokens[t], token.counter + w + 1) != 0) {
                                        slapi_log_error(SLAPI_LOG_PLUGIN, "oath", "oath_preop_bind: Failed to update token entry\n");
                                        rc = LDAP_OPERATIONS_ERROR;
                                    };

                                    // OpenLDAP does not support setting SLAPI_CONN_DN and SLAPI_CONN_AUTHMETHOD

                                    /*
                                                                        if (slapi_pblock_set(pb, SLAPI_CONN_DN, slapi_ch_strdup(dn)) != 0 ||
                                                                                slapi_pblock_set(pb, SLAPI_CONN_AUTHMETHOD, SLAPD_AUTH_SIMPLE) != 0) {
                                                                            slapi_log_error(SLAPI_LOG_PLUGIN, "oath", "oath_preop_bind: Failed to set DN and auth method for connection\n", dn);
                                                                            rc = LDAP_OPERATIONS_ERROR;
                                                                        }
                                    */

                                    goto free_tpb;

                                }

                            } else {
                                // HOTP error
                                slapi_log_error(SLAPI_LOG_PLUGIN, "oath", "oath_preop_bind: HOTP error for token %s\n", token.serial);
                                break;
                            }

                        }

                    slapi_log_error(SLAPI_LOG_PLUGIN, "oath", "oath_preop_bind: Token %s did not match\n", token.serial);
                    oath_token_free(&token);

                }

                // No token matched

                handled = 0;
                goto free_tpb;

            } else { // no tokens associated

                slapi_log_error(SLAPI_LOG_PLUGIN, "oath", "oath_preop_bind: DN %s has got no token(s) associated, rc = %d\n", dn, rc);
                handled = 0;
                goto free_upb;

            }


        } else {

            // entry not found; don't fail because this can be root (directory manager) DN

            slapi_log_error(SLAPI_LOG_PLUGIN, "oath", "oath_preop_bind: DN %s not found\n", dn);

            if (rc == LDAP_SUCCESS)
                rc = LDAP_OPERATIONS_ERROR;
            else
                handled = 0;

            goto free_upb;

        }

        break;

    case LDAP_AUTH_NONE:
    case LDAP_AUTH_SASL:
    default:
        slapi_log_error(SLAPI_LOG_PLUGIN, "oath", "oath_bind_preop: Authentication type not supported: %d", method);
        return 0;

    }

free_tpb:
    oath_token_free(&token);
    slapi_free_search_results_internal(tpb);
    slapi_pblock_destroy(tpb);

free_upb:
    slapi_free_search_results_internal(upb);
    slapi_pblock_destroy(upb);

    slapi_value_free(&sv_creds);

    if (handled) {
        slapi_send_ldap_result(pb, rc, NULL, NULL, 0, NULL);
        return 1;
    } else
        return 0;

}
Beispiel #7
0
/* Reads in any config information held in the dse for the given
 * entry.  Creates dse entries used to configure the given instance
 * if they don't already exist.  Registers dse callback functions to
 * maintain those dse entries.  Returns 0 on success. */
int 
ldbm_instance_config_load_dse_info(ldbm_instance *inst)
{
    struct ldbminfo *li = inst->inst_li;
    Slapi_PBlock *search_pb;
    Slapi_Entry **entries = NULL;
    char *dn = NULL;
    int rval = 0;

    /* We try to read the entry 
     * cn=instance_name, cn=ldbm database, cn=plugins, cn=config.  If the
     * entry is there, then we process the config information it stores.
     */
    dn = slapi_create_dn_string("cn=%s,cn=%s,cn=plugins,cn=config",
                                inst->inst_name, li->li_plugin->plg_name);
    if (NULL == dn) {
        LDAPDebug2Args(LDAP_DEBUG_ANY,
                       "ldbm_instance_config_load_dse_info: "
                       "failed create instance dn %s for plugin %s\n",
                       inst->inst_name, inst->inst_li->li_plugin->plg_name);
        rval = 1;
        goto bail;
    }

    search_pb = slapi_pblock_new();
    if (!search_pb) {
        LDAPDebug(LDAP_DEBUG_ANY,
                       "ldbm_instance_config_load_dse_info: Out of memory\n",
                       0, 0, 0);
        rval = 1;
        goto bail;
    }

    slapi_search_internal_set_pb(search_pb, dn, LDAP_SCOPE_BASE, 
                                 "objectclass=*", NULL, 0, NULL, NULL,
                                 li->li_identity, 0);
    slapi_search_internal_pb (search_pb);
    slapi_pblock_get(search_pb, SLAPI_PLUGIN_INTOP_RESULT, &rval);

    if (rval != LDAP_SUCCESS) {
        LDAPDebug(LDAP_DEBUG_ANY, "Error accessing the config DSE\n", 0, 0, 0);
        rval = 1;
        goto bail;
    } else {
        /* Need to parse the configuration information for the ldbm
         * plugin that is held in the DSE. */
        slapi_pblock_get(search_pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES,
                         &entries);
        if ((!entries) || (!entries[0])) {
            LDAPDebug(LDAP_DEBUG_ANY, "Error accessing the config DSE\n",
                      0, 0, 0);
            rval = 1;
            goto bail;
        }
        if (0 != parse_ldbm_instance_config_entry(inst, entries[0],
                                         ldbm_instance_config)) {
            LDAPDebug(LDAP_DEBUG_ANY, "Error parsing the config DSE\n",
                      0, 0, 0);
            rval = 1;
            goto bail;
        }
    }

    if (search_pb)
    {
        slapi_free_search_results_internal(search_pb);
        slapi_pblock_destroy(search_pb);
    }

    /* Add skeleton dse entries for this instance */
    /* IF they already exist, that's ok */
    ldbm_config_add_dse_entries(li, ldbm_instance_skeleton_entries,
                                inst->inst_name, li->li_plugin->plg_name,
                                inst->inst_name, 0);

    /* setup the dse callback functions for the ldbm instance config entry */
    slapi_config_register_callback(SLAPI_OPERATION_SEARCH, DSE_FLAG_PREOP, dn,
        LDAP_SCOPE_BASE, "(objectclass=*)",
        ldbm_instance_search_config_entry_callback, (void *) inst);
    slapi_config_register_callback(SLAPI_OPERATION_MODIFY, DSE_FLAG_PREOP, dn,
        LDAP_SCOPE_BASE, "(objectclass=*)",
        ldbm_instance_modify_config_entry_callback, (void *) inst);
    slapi_config_register_callback(DSE_OPERATION_WRITE, DSE_FLAG_PREOP, dn,
        LDAP_SCOPE_BASE, "(objectclass=*)",
        ldbm_instance_search_config_entry_callback, (void *) inst);
    slapi_config_register_callback(SLAPI_OPERATION_ADD, DSE_FLAG_PREOP, dn,
        LDAP_SCOPE_BASE, "(objectclass=*)",
        ldbm_instance_deny_config, (void *)inst);
    /* delete is handled by a callback set in ldbm_config.c */

    slapi_ch_free_string(&dn);

    /* don't forget the monitor! */
    dn = slapi_create_dn_string("cn=monitor,cn=%s,cn=%s,cn=plugins,cn=config",
                                inst->inst_name, li->li_plugin->plg_name);
    if (NULL == dn) {
        LDAPDebug2Args(LDAP_DEBUG_ANY,
                       "ldbm_instance_config_load_dse_info: "
                       "failed create monitor instance dn for plugin %s, "
                       "instance %s\n",
                       inst->inst_li->li_plugin->plg_name, inst->inst_name);
        rval = 1;
        goto bail;
    }
    /* make callback on search; deny add/modify/delete */
    slapi_config_register_callback(SLAPI_OPERATION_SEARCH, DSE_FLAG_PREOP, dn,
        LDAP_SCOPE_BASE, "(objectclass=*)", ldbm_back_monitor_instance_search,
        (void *)inst);
    slapi_config_register_callback(SLAPI_OPERATION_ADD, DSE_FLAG_PREOP, dn,
        LDAP_SCOPE_SUBTREE, "(objectclass=*)", ldbm_instance_deny_config,
        (void *)inst);
    slapi_config_register_callback(SLAPI_OPERATION_MODIFY, DSE_FLAG_PREOP, dn,
        LDAP_SCOPE_BASE, "(objectclass=*)", ldbm_instance_deny_config,
        (void *)inst);
    /* delete is okay */
    slapi_ch_free_string(&dn);

    /* Callbacks to handle indexes */
    dn = slapi_create_dn_string("cn=index,cn=%s,cn=%s,cn=plugins,cn=config",
                                inst->inst_name, li->li_plugin->plg_name);
    if (NULL == dn) {
        LDAPDebug2Args(LDAP_DEBUG_ANY,
                       "ldbm_instance_config_load_dse_info: "
                       "failed create index instance dn for plugin %s, "
                       "instance %s\n",
                       inst->inst_li->li_plugin->plg_name, inst->inst_name);
        rval = 1;
        goto bail;
    }
    slapi_config_register_callback(SLAPI_OPERATION_ADD, DSE_FLAG_PREOP, dn,
        LDAP_SCOPE_SUBTREE, "(objectclass=nsIndex)",
        ldbm_instance_index_config_add_callback, (void *) inst);
    slapi_config_register_callback(SLAPI_OPERATION_DELETE, DSE_FLAG_PREOP, dn,
        LDAP_SCOPE_SUBTREE, "(objectclass=nsIndex)",
        ldbm_instance_index_config_delete_callback, (void *) inst);
    slapi_config_register_callback(SLAPI_OPERATION_MODIFY, DSE_FLAG_PREOP, dn,
        LDAP_SCOPE_SUBTREE, "(objectclass=nsIndex)",
        ldbm_instance_index_config_modify_callback, (void *) inst);
    slapi_ch_free_string(&dn);

    /* Callbacks to handle attribute encryption */
    dn = slapi_create_dn_string("cn=encrypted attributes,cn=%s,cn=%s,cn=plugins,cn=config",
                                inst->inst_name, li->li_plugin->plg_name);
    if (NULL == dn) {
        LDAPDebug2Args(LDAP_DEBUG_ANY,
                       "ldbm_instance_config_load_dse_info: "
                       "failed create encrypted attribute instance dn "
                       "for plugin %s, instance %s\n",
                       inst->inst_li->li_plugin->plg_name, inst->inst_name);
        rval = 1;
        goto bail;
    }
    slapi_config_register_callback(SLAPI_OPERATION_ADD, DSE_FLAG_PREOP, dn,
        LDAP_SCOPE_SUBTREE, ldbm_instance_attrcrypt_filter,
        ldbm_instance_attrcrypt_config_add_callback, (void *) inst);
    slapi_config_register_callback(SLAPI_OPERATION_DELETE, DSE_FLAG_PREOP, dn,
        LDAP_SCOPE_SUBTREE, ldbm_instance_attrcrypt_filter,
        ldbm_instance_attrcrypt_config_delete_callback, (void *) inst);
    slapi_config_register_callback(SLAPI_OPERATION_MODIFY, DSE_FLAG_PREOP, dn,
        LDAP_SCOPE_SUBTREE, ldbm_instance_attrcrypt_filter,
        ldbm_instance_attrcrypt_config_modify_callback, (void *) inst);
    rval = 0;
bail:
    slapi_ch_free_string(&dn);
    return rval;
}
Beispiel #8
0
int ipapwd_getPolicy(const char *dn,
                     Slapi_Entry *target,
                     struct ipapwd_policy *policy)
{
    const char *krbPwdPolicyReference;
    char *pdn = NULL;
    Slapi_PBlock *pb = NULL;
    char *attrs[] = { "krbMaxPwdLife", "krbMinPwdLife",
                      "krbPwdMinDiffChars", "krbPwdMinLength",
                      "krbPwdHistoryLength", NULL};
    Slapi_Entry **es = NULL;
    Slapi_Entry *pe = NULL;
    int ret, res, scope, i;
    int buffer_flags=0;
    Slapi_ValueSet* results = NULL;
    char *actual_type_name = NULL;

    LOG_TRACE("Searching policy for [%s]\n", dn);

    pwd_get_values(target, "krbPwdPolicyReference",
                   &results, &actual_type_name, &buffer_flags);
    if (results) {
        Slapi_Value *sv;
        slapi_valueset_first_value(results, &sv);
        krbPwdPolicyReference = slapi_value_get_string(sv);
        pdn = slapi_ch_strdup(krbPwdPolicyReference);
    } else {
        /* Fallback to hardcoded value */
        pdn = slapi_ch_smprintf("cn=global_policy,%s", ipa_realm_dn);
    }
    if (pdn == NULL) {
        LOG_OOM();
        ret = -1;
        goto done;
    }
    LOG_TRACE("Using policy at [%s]\n", pdn);
    scope = LDAP_SCOPE_BASE;

    pb = slapi_pblock_new();
    slapi_search_internal_set_pb(pb,
                                 pdn, scope,
                                 "(objectClass=krbPwdPolicy)",
                                 attrs, 0,
                                 NULL, /* Controls */
                                 NULL, /* UniqueID */
                                 ipapwd_plugin_id,
                                 0); /* Flags */

    /* do search the tree */
    ret = slapi_search_internal_pb(pb);
    slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &res);
    if (ret == -1 || res != LDAP_SUCCESS) {
        LOG_FATAL("Couldn't find policy, err (%d)\n", res ? res : ret);
        ret = -1;
        goto done;
    }

    /* get entries */
    slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &es);
    if (!es) {
        LOG_TRACE("No entries ?!");
        ret = -1;
        goto done;
    }

    /* count entries */
    for (i = 0; es[i]; i++) /* count */ ;

    /* if there is only one, return that */
    if (i == 1) {
        pe = es[0];
    } else {
        LOG_TRACE("Multiple entries from a base search ?!");
        ret = -1;
        goto done;
    }

    /* read data out of policy object */
    policy->min_pwd_life = slapi_entry_attr_get_int(pe, "krbMinPwdLife");

    policy->max_pwd_life = slapi_entry_attr_get_int(pe, "krbMaxPwdLife");

    policy->min_pwd_length = slapi_entry_attr_get_int(pe, "krbPwdMinLength");

    policy->history_length = slapi_entry_attr_get_int(pe,
                                                      "krbPwdHistoryLength");

    policy->min_complexity = slapi_entry_attr_get_int(pe,
                                                      "krbPwdMinDiffChars");

    ret = 0;

done:
    if (results) {
        pwd_values_free(&results, &actual_type_name, buffer_flags);
    }
    if (pb) {
        slapi_free_search_results_internal(pb);
        slapi_pblock_destroy(pb);
    }
    slapi_ch_free_string(&pdn);
    return ret;
}
Beispiel #9
0
int
update_integrity(char **argv, Slapi_DN *origSDN,
                 char *newrDN, Slapi_DN *newsuperior, 
                 int logChanges)
{
    Slapi_PBlock *search_result_pb = NULL;
    Slapi_PBlock *mod_pb = slapi_pblock_new();
    Slapi_Entry  **search_entries = NULL;
    Slapi_DN *sdn = NULL;
    Slapi_Attr *attr = NULL;
    void *node = NULL;
    const char *origDN = slapi_sdn_get_dn(origSDN);
    const char *search_base = NULL;
    char *attrName = NULL;
    char *filter = NULL;
    char *attrs[2];
    int search_result;
    int nval = 0;
    int i, j;
    int rc;

    if ( argv == NULL ){
        slapi_log_error( SLAPI_LOG_FATAL, REFERINT_PLUGIN_SUBSYSTEM,
            "referint_postop required config file arguments missing\n" );
        rc = -1;
        goto free_and_return;
    } 
    /*
     *  For now, just putting attributes to keep integrity on in conf file,
     *  until resolve the other timing mode issue
     */
    search_result_pb = slapi_pblock_new();

    /* Search each namingContext in turn */
    for ( sdn = slapi_get_first_suffix( &node, 0 ); sdn != NULL;
          sdn = slapi_get_next_suffix( &node, 0 ))
    {
        Slapi_Backend *be = slapi_be_select(sdn);
        search_base = slapi_sdn_get_dn( sdn );

        for(i = 3; argv[i] != NULL; i++){
            filter = slapi_filter_sprintf("(%s=*%s%s)", argv[i], ESC_NEXT_VAL, origDN);
            if ( filter ) {
                /* Need only the current attribute and its subtypes */
                attrs[0] = argv[i];
                attrs[1] = NULL;

                /* Use new search API */
                slapi_pblock_init(search_result_pb);
                slapi_pblock_set(search_result_pb, SLAPI_BACKEND, be);
                slapi_search_internal_set_pb(search_result_pb, search_base, 
                    LDAP_SCOPE_SUBTREE, filter, attrs, 0 /* attrs only */,
                    NULL, NULL, referint_plugin_identity, 0);
                slapi_search_internal_pb(search_result_pb);
  
                slapi_pblock_get( search_result_pb, SLAPI_PLUGIN_INTOP_RESULT, &search_result);

                /* if search successfull then do integrity update */
                if(search_result == LDAP_SUCCESS)
                {
                    slapi_pblock_get(search_result_pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES,
                                     &search_entries);

                    for(j = 0; search_entries[j] != NULL; j++){
                        attr = NULL;
                        attrName = NULL;
                        /*
                         *  Loop over all the attributes of the entry and search
                         *  for the integrity attribute and its subtypes
                         */
                        for (slapi_entry_first_attr(search_entries[j], &attr); attr; 
                             slapi_entry_next_attr(search_entries[j], attr, &attr))
                        {
                            /*
                             *  Take into account only the subtypes of the attribute
                             *  in argv[i] having the necessary value  - origDN
                             */
                            slapi_attr_get_type(attr, &attrName);
                            if (slapi_attr_type_cmp(argv[i], attrName,
                                                    SLAPI_TYPE_CMP_SUBTYPE) == 0)
                            {
                                nval = 0;
                                slapi_attr_get_numvalues(attr, &nval);
                                /* 
                                 * We want to reduce the "modify" call as much as
                                 * possible. But if an entry contains 1000s of 
                                 * attributes which need to be updated by the 
                                 * referint plugin (e.g., a group containing 1000s 
                                 * of members), we want to avoid to allocate too 
                                 * many mods * in one "modify" call.
                                 * This is a compromise: If an attribute type has
                                 * more than 128 values, we update the attribute 
                                 * value one by one. Otherwise, update all values
                                 * in one "modify" call.
                                 */
                                if (nval > 128) {
                                    rc = _update_one_per_mod(
                                         slapi_entry_get_sdn(search_entries[j]),
                                         attr, attrName, origSDN, newrDN, 
                                         slapi_sdn_get_dn(newsuperior),
                                         mod_pb);
                                } else {
                                    rc = _update_all_per_mod(
                                         slapi_entry_get_sdn(search_entries[j]),
                                         attr, attrName, origSDN, newrDN, 
                                         slapi_sdn_get_dn(newsuperior),
                                         mod_pb);
                                }
                                /* Should we stop if one modify returns an error? */
                            }
                        }
                    }
                } else {
                    if (isFatalSearchError(search_result)){
                        slapi_log_error( SLAPI_LOG_FATAL, REFERINT_PLUGIN_SUBSYSTEM,
                            "update_integrity search (base=%s filter=%s) returned "
                            "error %d\n", search_base, filter, search_result);
                        rc = -1;
                        goto free_and_return;
                    }
                }
                slapi_ch_free_string(&filter);
            }
            slapi_free_search_results_internal(search_result_pb);
        }
    }
    /* if got here, then everything good rc = 0 */
    rc = 0;

free_and_return:
    /* free filter and search_results_pb */
    slapi_ch_free_string(&filter);

    slapi_pblock_destroy(mod_pb);
    if (search_result_pb) {
        slapi_free_search_results_internal(search_result_pb);
        slapi_pblock_destroy(search_result_pb);
    }
 
    return(rc);
}
Beispiel #10
0
static int do_work(struct worker_ctx *worker_ctx)
{
    Slapi_PBlock *pb;
    int ret;
    size_t c;
    char *filter = NULL;
    char *attrs[] = { OBJECTCLASS, UID_NUMBER, GID_NUMBER, NULL };
    Slapi_Entry **e = NULL;
    struct timespec ts;

    pb = slapi_pblock_new();
    if (pb == NULL) {
        return ENOMEM;
    }

    pthread_cleanup_push(free_pblock, (void *) pb);

    filter = slapi_ch_smprintf("(&(%s=%s)(!(%s=%s))(|(%s=%s)(%s=%s)(%s=%s))(!(%s=*)))",
                               OBJECTCLASS, IPA_OBJECT,
                               OBJECTCLASS, MEP_MANAGED_ENTRY,
                               OBJECTCLASS, POSIX_ACCOUNT,
                               OBJECTCLASS, POSIX_GROUP,
                               OBJECTCLASS, IPA_ID_OBJECT,
                               IPA_SID);
    if (filter == NULL) {
        LOG_FATAL("Cannot generate search filter for objects without a SID.\n");
        ret = ENOMEM;
        goto done;
    }
    LOG("Base DN: [%s], Filter: [%s].\n", worker_ctx->base_dn, filter);

    slapi_search_internal_set_pb(pb, worker_ctx->base_dn, LDAP_SCOPE_SUBTREE,
                                 filter, attrs, 0, NULL, NULL,
                                 worker_ctx->plugin_id, 0);
    ret = slapi_search_internal_pb(pb);
    if (ret != 0) {
        slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &ret);
        if (ret != 0) {
            LOG_FATAL("Search failed with [%d].\n", ret);
        } else {
            LOG_FATAL("slapi_search_internal_pb failed, "
                      "but no error code available.\n");
            ret = EFAULT;
        }
        goto done;
    }

    ret = slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &e);
    if (ret != 0) {
        LOG_FATAL("slapi_pblock_get failed.\n");
        ret = EFAULT;
        goto done;
    }

    if (e == NULL || e[0] == NULL) {
        LOG("No entry with missing SID found.\n");
        ret = 0;
        goto done;
    }

    for (c = 0; e[c] != NULL; c++) {
        ret = find_sid_for_ldap_entry(e[c], worker_ctx->plugin_id,
                                      worker_ctx->base_dn, worker_ctx->dom_sid,
                                      worker_ctx->ranges);
        if (ret != 0) {
            LOG_FATAL("Cannot add SID to existing entry.\n");
            goto done;
        }

        if (worker_ctx->delay != 0) {
            ts.tv_nsec = worker_ctx->delay % NSEC_PER_SEC;
            ts.tv_sec = (worker_ctx->delay - ts.tv_nsec) / NSEC_PER_SEC;
            nanosleep(&ts, NULL);
        }
    };

done:
    slapi_ch_free_string(&filter);
    pthread_cleanup_pop(1);

    LOG("do_work finished with [%d].\n", ret);

    return ret;
}
Beispiel #11
0
/*
 * Read and load configuration.  Validation will also
 * be performed unless skip_validate is set to non-0.
 * Returns PAM_PASSTHRU_SUCCESS if all is well.
 */
int
pam_passthru_load_config(int skip_validate)
{
    int status = PAM_PASSTHRU_SUCCESS;
    int result;
    int i;
    int alternate = 0;
    Slapi_PBlock *search_pb;
    Slapi_Entry **entries = NULL;

    slapi_log_err(SLAPI_LOG_TRACE, PAM_PASSTHRU_PLUGIN_SUBSYSTEM,
                     "=> pam_passthru_load_config\n");

    pam_passthru_write_lock();
    pam_passthru_delete_config();

    search_pb = slapi_pblock_new();

    /* Find all entries in the active config area. */
    slapi_search_internal_set_pb(search_pb, slapi_sdn_get_ndn(pam_passthru_get_config_area()),
                                 LDAP_SCOPE_SUBTREE, "objectclass=*",
                                 NULL, 0, NULL, NULL,
                                 pam_passthruauth_get_plugin_identity(), 0);
    slapi_search_internal_pb(search_pb);
    slapi_pblock_get(search_pb, SLAPI_PLUGIN_INTOP_RESULT, &result);

    if (LDAP_SUCCESS != result) {
        status = PAM_PASSTHRU_FAILURE;
        goto cleanup;
    }

    slapi_pblock_get(search_pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES,
                     &entries);
    if (NULL == entries || NULL == entries[0]) {
        status = PAM_PASSTHRU_FAILURE;
        goto cleanup;
    }

    /* Check if we are using an alternate config area.  We do this here
     * so we don't have to check each every time in the loop below. */
    if (slapi_sdn_compare(pam_passthru_get_config_area(),
            pam_passthruauth_get_plugin_sdn()) != 0) {
        alternate = 1;
    }

    /* Validate and apply config if valid.  If skip_validate is set, we skip
     * validation and just apply the config.  This should only be done if the
     * configuration has already been validated. */
    for (i = 0; (entries[i] != NULL); i++) {
        /* If this is the alternate config container, skip it since
         * we don't consider it to be an actual config entry. */
        if (alternate && (slapi_sdn_compare(pam_passthru_get_config_area(),
                slapi_entry_get_sdn(entries[i])) == 0)) {
            continue;
        }

        if (skip_validate || (PAM_PASSTHRU_SUCCESS == pam_passthru_validate_config(entries[i], NULL))) {
            if (PAM_PASSTHRU_FAILURE == pam_passthru_apply_config(entries[i])) {
                slapi_log_err(SLAPI_LOG_ERR, PAM_PASSTHRU_PLUGIN_SUBSYSTEM,
                                 "pam_passthru_load_config - Unable to apply config "
                                 "for entry \"%s\"\n", slapi_entry_get_ndn(entries[i]));
            }
        } else {
            slapi_log_err(SLAPI_LOG_ERR, PAM_PASSTHRU_PLUGIN_SUBSYSTEM,
                             "pam_passthru_load_config - Skipping invalid config "
                             "entry \"%s\"\n", slapi_entry_get_ndn(entries[i]));
        }
    }

  cleanup:
    slapi_free_search_results_internal(search_pb);
    slapi_pblock_destroy(search_pb);
    pam_passthru_unlock();
    slapi_log_err(SLAPI_LOG_TRACE, PAM_PASSTHRU_PLUGIN_SUBSYSTEM,
                    "<= pam_passthru_load_config\n");

    return status;
}
Beispiel #12
0
/*
  return the value(s) of the given attribute in the entry that
  matches the given criteria.  The criteria must match one
  and only one entry.
  Returns:
  -1 - problem doing internal search
  LDAP_UNWILLING_TO_PERFORM - more than one matching entry
  LDAP_NO_SUCH_OBJECT - no entry found that matched
  0 and attrval == NULL - entry found but no attribute
  other ldap error - error doing search for given basedn
*/
static int
internal_find_entry_get_attr_val(const Slapi_DN *basedn, int scope,
                                 const char *filter, const char *attrname,
                                 Slapi_ValueSet **svs, char **attrval)
{
    Slapi_Entry **entries = NULL;
    Slapi_PBlock *pb = NULL;
    const char *search_basedn = slapi_sdn_get_dn(basedn);
    int search_scope = scope;
    int ret = LDAP_SUCCESS;
    const char *attrs[2] = {attrname, NULL};

    if (svs) {
        *svs = NULL;
    }
    if (attrval) {
        *attrval = NULL;
    }
    pb = slapi_pblock_new();
    slapi_search_internal_set_pb(pb, search_basedn, search_scope, filter,
                                 (char **)attrs, 0, NULL, NULL,
                                 ipa_winsync_get_plugin_identity(), 0);
    slapi_search_internal_pb(pb);

    /* This search may return no entries, but should never
       return an error
    */
    slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &ret);
    if (ret != LDAP_SUCCESS) {
        LOG_FATAL("Error [%d:%s] searching for base [%s] filter [%s]"
                  " attr [%s]\n", ret, ldap_err2string(ret),
                  search_basedn, filter, attrs[0]);
        goto out1;
    }

    slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &entries);
    if (entries && entries[0] && entries[1]) {
        /* error - should never be more than one matching entry */
        LOG_FATAL("Error: more than one entry matches search for "
                  "base [%s] filter [%s] attr [%s]\n",
                  search_basedn, filter, attrs[0]);
        ret = LDAP_UNWILLING_TO_PERFORM;
        goto out1;
    }

    if (entries && entries[0]) { /* found one */
        if (svs) {
            Slapi_Attr *attr = NULL;
            if (!slapi_entry_attr_find(entries[0], attrname, &attr) &&
               (NULL != attr)) {
                /* slapi_attr_get_valueset allocates svs - must be freed later */
                slapi_attr_get_valueset(attr, svs);
            }
        }
        if (attrval) {
            if (!strcmp(attrname, "dn")) { /* special - to just get the DN */
                *attrval = slapi_ch_strdup(slapi_entry_get_dn_const(entries[0]));
            } else {
                *attrval = slapi_entry_attr_get_charptr(entries[0], attrname);
            }
        }
    } else {
        ret = LDAP_NO_SUCH_OBJECT;
        LOG("Did not find an entry for search "
            "base [%s] filter [%s] attr [%s]\n",
            search_basedn, filter, attrs[0]);
    }

out1:
    if (pb) {
        slapi_free_search_results_internal(pb);
        slapi_pblock_destroy(pb);
        pb = NULL;
    }

    return ret;
}
Beispiel #13
0
static int
search_one_berval(Slapi_DN *baseDN, const char *attrName,
		const struct berval *value, const char *requiredObjectClass,
		Slapi_DN *target)
{
	int result;
    char *filter;
    Slapi_PBlock *spb;

	result = LDAP_SUCCESS;

	/* If no value, can't possibly be a conflict */
	if ( (struct berval *)NULL == value )
		return result;

    filter = 0;
    spb = 0;

    BEGIN
      int err;
      int sres;
      Slapi_Entry **entries;
      static char *attrs[] = { "1.1", 0 };

      /* Create the filter - this needs to be freed */
      filter = create_filter(attrName, value, requiredObjectClass);

#ifdef DEBUG
      slapi_log_error(SLAPI_LOG_PLUGIN, plugin_name,
        "SEARCH filter=%s\n", filter);
#endif

      /* Perform the search using the new internal API */
      spb = slapi_pblock_new();
      if (!spb) { result = uid_op_error(2); break; }

      slapi_search_internal_set_pb_ext(spb, baseDN, LDAP_SCOPE_SUBTREE,
      	filter, attrs, 0 /* attrs only */, NULL, NULL, plugin_identity, 0 /* actions */);
      slapi_search_internal_pb(spb);

      err = slapi_pblock_get(spb, SLAPI_PLUGIN_INTOP_RESULT, &sres);
      if (err) { result = uid_op_error(3); break; }
    
      /* Allow search to report that there is nothing in the subtree */
      if (sres == LDAP_NO_SUCH_OBJECT) break;

      /* Other errors are bad */
      if (sres) { result = uid_op_error(3); break; }

      err = slapi_pblock_get(spb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES,
              &entries);
      if (err) { result = uid_op_error(4); break; }

      /*
       * Look at entries returned.  Any entry found must be the
       * target entry or the constraint fails.
       */
      for(;*entries;entries++)
      {
#ifdef DEBUG
        slapi_log_error(SLAPI_LOG_PLUGIN, plugin_name,
                        "SEARCH entry dn=%s\n", slapi_entry_get_dn(*entries));
#endif

        /*
         * It is a Constraint Violation if any entry is found, unless
         * the entry is the target entry (if any).
         */
        if (!target || slapi_sdn_compare(slapi_entry_get_sdn(*entries), target) != 0)
        {
          result = LDAP_CONSTRAINT_VIOLATION;
          break;
        }
      }

#ifdef DEBUG
      slapi_log_error(SLAPI_LOG_PLUGIN, plugin_name,
        "SEARCH complete result=%d\n", result);
#endif
    END

    /* Clean-up */
    if (spb) {
	slapi_free_search_results_internal(spb);
	slapi_pblock_destroy(spb);
    }

    slapi_ch_free((void**)&filter);

  return result;
}
Beispiel #14
0
/*
 * An URP Naming Collision helper function. Retreives a list of entries
 * that have the given dn excluding the unique id of the entry. Any 
 * entries returned will be entries that have been added with the same
 * dn, but caused a naming conflict when replicated. The URP to fix
 * this constraint violation is to append the unique id of the entry
 * to its RDN.
 */
static Slapi_Entry *
urp_get_min_naming_conflict_entry ( Slapi_PBlock *pb, char *sessionid, CSN *opcsn )
{
	Slapi_PBlock *newpb = NULL;
	LDAPControl **server_ctrls = NULL;
	Slapi_Entry **entries = NULL;
	Slapi_Entry *min_naming_conflict_entry = NULL;
	const CSN *min_csn = NULL;
	char *filter = NULL;
	char *parent_dn = NULL;
	char *basedn;
	int i = 0;
	int min_i = -1;
	int op_result = LDAP_SUCCESS;

	slapi_pblock_get (pb, SLAPI_URP_NAMING_COLLISION_DN, &basedn);
	if (NULL == basedn || strncmp (basedn, SLAPI_ATTR_UNIQUEID, strlen(SLAPI_ATTR_UNIQUEID)) == 0)
		return NULL;

	slapi_log_error ( SLAPI_LOG_REPL, sessionid,
		"Enter urp_get_min_naming_conflict_entry for %s\n", basedn);

	filter = slapi_filter_sprintf("(%s=%s %s%s)", ATTR_NSDS5_REPLCONFLICT, REASON_ANNOTATE_DN,
			ESC_NEXT_VAL, basedn);

	/* server_ctrls will be freed when newpb is destroyed */
	server_ctrls = (LDAPControl **)slapi_ch_calloc (2, sizeof (LDAPControl *));
	server_ctrls[0] = create_managedsait_control();
	server_ctrls[1] = NULL;
	
	newpb = slapi_pblock_new();
	parent_dn = slapi_dn_parent (basedn);
	slapi_search_internal_set_pb(newpb,
								 parent_dn, /* Base DN */
								 LDAP_SCOPE_ONELEVEL,
								 filter,
								 NULL, /* Attrs */
								 0, /* AttrOnly */
								 server_ctrls, /* Controls */
								 NULL, /* UniqueID */
								 repl_get_plugin_identity(PLUGIN_MULTIMASTER_REPLICATION),
								 0);
	slapi_search_internal_pb(newpb);
	slapi_pblock_get(newpb, SLAPI_PLUGIN_INTOP_RESULT, &op_result);
	slapi_pblock_get(newpb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &entries);
	if ( (op_result != LDAP_SUCCESS) || (entries == NULL) )
	{
		/* Log a message */
		goto done;
	}
	/* For all entries, get the one with the smallest dn csn */
	for (i = 0; NULL != entries[i]; i++)
	{
		const CSN *dncsn;
		dncsn = entry_get_dncsn(entries[i]);
		if ((dncsn != opcsn) && 
			((min_csn == NULL) || (csn_compare(dncsn, min_csn) < 0)) &&
			!is_tombstone_entry (entries[i]))
		{
			min_csn = dncsn;
			min_i = i;
		}
		/*
		 * If there are too many conflicts, the current urp code has no
		 * guarantee for all servers to converge anyway, because the
		 * urp and the backend can't be done in one transaction due
		 * to either performance or the deadlock problem.
		 * Don't sacrifice the performance too much for impossible.
		 */
		if (min_csn && i > 5)
		{
			break;
		}
	}
	
	if (min_csn != NULL) {
		/* Found one entry */
		min_naming_conflict_entry = slapi_entry_dup(entries[min_i]);
	}

done:
	slapi_ch_free_string(&parent_dn);
	if (filter) {
		PR_smprintf_free(filter);
	}
	slapi_free_search_results_internal(newpb);
	slapi_pblock_destroy(newpb);
	newpb = NULL;

	slapi_log_error ( SLAPI_LOG_REPL, sessionid,
		"Leave urp_get_min_naming_conflict_entry (found %d entries)\n", i);

	return min_naming_conflict_entry;
}