/*
Creates global config structure from config entry at plugin startup
*/
int
acct_policy_load_config_startup( Slapi_PBlock* pb, void* plugin_id ) {
acctPluginCfg *newcfg;
Slapi_Entry *config_entry = NULL;
Slapi_DN *config_sdn = NULL;
int rc;
/* Retrieve the config entry */
config_sdn = slapi_sdn_new_normdn_byref( PLUGIN_CONFIG_DN );
rc = slapi_search_internal_get_entry( config_sdn, NULL, &config_entry,
plugin_id);
slapi_sdn_free( &config_sdn );
if( rc != LDAP_SUCCESS || config_entry == NULL ) {
slapi_log_err(SLAPI_LOG_ERR, PLUGIN_NAME,
"acct_policy_load_config_startup - Failed to retrieve configuration entry %s: %d\n",
PLUGIN_CONFIG_DN, rc );
return( -1 );
}
config_wr_lock();
free_config();
newcfg = get_config();
rc = acct_policy_entry2config( config_entry, newcfg );
config_unlock();
slapi_entry_free( config_entry );
return( rc );
}
/*
* Check if User Private Groups are enabled in given IPA domain
* Returns: 0 - UPG are enabled
* 1 - UPG are disabled
* -1 - some sort of error
*/
static int
ipa_winsync_upg_enabled(const Slapi_DN *ds_subtree)
{
int ret = -1;
int rc;
char * dn = NULL;
Slapi_Entry *entry = NULL;
Slapi_Backend *be;
const Slapi_DN *ds_suffix = NULL;
Slapi_DN *sdn = NULL;
const char *attrs_list[] = {IPA_WINSYNC_UPG_DEF_ATTR, 0};
char * value = NULL;
/* find ancestor base DN */
be = slapi_be_select(ds_subtree);
ds_suffix = slapi_be_getsuffix(be, 0);
if (ds_suffix == NULL) {
LOG_FATAL("Invalid DS subtree [%s]\n", slapi_sdn_get_dn(ds_subtree));
goto done;
}
dn = slapi_ch_smprintf(IPA_WINSYNC_UPG_DEF_DN, slapi_sdn_get_dn(ds_suffix));
if (!dn) {
LOG_OOM();
goto done;
}
sdn = slapi_sdn_new_dn_byref(dn);
rc = slapi_search_internal_get_entry(sdn, (char **) attrs_list, &entry,
ipa_winsync_get_plugin_identity());
if (rc) {
LOG("failed to retrieve UPG definition (%s) with rc %d\n", dn, rc);
goto done;
}
value = slapi_entry_attr_get_charptr(entry, IPA_WINSYNC_UPG_DEF_ATTR);
if (!value) {
LOG("failed to read %s from UPG definition (%s)\n",
IPA_WINSYNC_UPG_DEF_ATTR, dn);
goto done;
}
if (strstr(value, IPA_WINSYNC_UPG_DEF_DISABLED) == NULL) {
ret = 0;
} else {
ret = 1;
}
done:
slapi_ch_free_string(&dn);
slapi_sdn_free(&sdn);
slapi_ch_free_string(&value);
slapi_entry_free(entry);
return ret;
}
/**
* Get a particular entry
*/
static Slapi_Entry *
getConfigEntry( const char *dn, Slapi_Entry **e2 ) {
Slapi_DN sdn;
slapi_sdn_init_dn_byref( &sdn, dn );
slapi_search_internal_get_entry( &sdn, NULL, e2,
plugin_get_default_component_id());
slapi_sdn_done( &sdn );
return *e2;
}
static Slapi_Entry *
getConfigEntry( Slapi_Entry **e ) {
Slapi_DN sdn;
/* SNMP_CONFIG_DN: no need to be normalized */
slapi_sdn_init_normdn_byref( &sdn, SNMP_CONFIG_DN );
slapi_search_internal_get_entry( &sdn, NULL, e,
plugin_get_default_component_id());
slapi_sdn_done( &sdn );
return *e;
}
/* Searches the dn in directory,
* If found : fills in slapi_entry structure and returns 0
* If NOT found : returns the search result as LDAP_NO_SUCH_OBJECT
*/
int ipapwd_getEntry(const char *dn, Slapi_Entry **e2, char **attrlist)
{
Slapi_DN *sdn;
int search_result = 0;
LOG_TRACE("=>\n");
sdn = slapi_sdn_new_dn_byref(dn);
search_result = slapi_search_internal_get_entry(sdn, attrlist, e2,
ipapwd_plugin_id);
if (search_result != LDAP_SUCCESS) {
LOG_TRACE("No such entry-(%s), err (%d)\n", dn, search_result);
}
slapi_sdn_free(&sdn);
LOG_TRACE("<= result: %d\n", search_result);
return search_result;
}
/*
* If "dn" is passed, get_entry returns an entry which dn is "dn".
* If "dn" is not passed, it returns an entry which dn is set in
* SLAPI_TARGET_SDN in pblock.
* Note: pblock is not mandatory for get_entry (e.g., new_passwdPolicy).
*/
Slapi_Entry *get_entry ( Slapi_PBlock *pb, const char *dn)
{
int search_result = 0;
Slapi_Entry *retentry = NULL;
Slapi_DN *target_sdn = NULL;
const char *target_dn = dn;
Slapi_DN sdn;
if (pb) {
slapi_pblock_get( pb, SLAPI_TARGET_SDN, &target_sdn );
if (target_dn == NULL) {
target_dn = slapi_sdn_get_dn(target_sdn);
}
}
if (target_dn == NULL) {
LDAPDebug0Args(LDAP_DEBUG_TRACE,
"WARNING: 'get_entry' - no dn specified.\n");
goto bail;
}
if (target_dn == dn) { /* target_dn is NOT from target_sdn */
slapi_sdn_init_dn_byref(&sdn, target_dn);
target_sdn = &sdn;
}
search_result = slapi_search_internal_get_entry(target_sdn, NULL,
&retentry,
pw_get_componentID());
if (search_result != LDAP_SUCCESS) {
LDAPDebug2Args(LDAP_DEBUG_TRACE,
"WARNING: 'get_entry' can't find entry '%s', err %d\n",
target_dn, search_result);
}
if (target_dn == dn) { /* target_dn is NOT from target_sdn */
slapi_sdn_done(&sdn);
}
bail:
return retentry;
}
static char *
derive_from_bind_entry(Slapi_PBlock *pb, const Slapi_DN *bindsdn,
MyStrBuf *pam_id, char *map_ident_attr, int *locked)
{
Slapi_Entry *entry = NULL;
char *attrs[] = { NULL, NULL };
attrs[0] = map_ident_attr;
int rc = slapi_search_internal_get_entry((Slapi_DN *)bindsdn, attrs, &entry,
pam_passthruauth_get_plugin_identity());
if (rc != LDAP_SUCCESS) {
slapi_log_error(SLAPI_LOG_FATAL, PAM_PASSTHRU_PLUGIN_SUBSYSTEM,
"Could not find BIND dn %s (error %d - %s)\n",
slapi_sdn_get_ndn(bindsdn), rc, ldap_err2string(rc));
init_my_str_buf(pam_id, NULL);
} else if (NULL == entry) {
slapi_log_error(SLAPI_LOG_FATAL, PAM_PASSTHRU_PLUGIN_SUBSYSTEM,
"Could not find entry for BIND dn %s\n",
slapi_sdn_get_ndn(bindsdn));
init_my_str_buf(pam_id, NULL);
} else if (slapi_check_account_lock( pb, entry, 0, 0, 0 ) == 1) {
slapi_log_error(SLAPI_LOG_FATAL, PAM_PASSTHRU_PLUGIN_SUBSYSTEM,
"Account %s inactivated.\n",
slapi_sdn_get_ndn(bindsdn));
init_my_str_buf(pam_id, NULL);
*locked = 1;
} else {
char *val = slapi_entry_attr_get_charptr(entry, map_ident_attr);
init_my_str_buf(pam_id, val);
slapi_ch_free_string(&val);
}
slapi_entry_free(entry);
return pam_id->str;
}
/*
Given an entry, provide the account policy in effect for that entry.
Returns non-0 if function fails. If account policy comes back NULL, it's
not an error; the entry is simply not covered by a policy.
*/
int
get_acctpolicy( Slapi_PBlock *pb, Slapi_Entry *target_entry, void *plugin_id,
acctPolicy **policy )
{
Slapi_DN *sdn = NULL;
Slapi_Entry *policy_entry = NULL;
Slapi_Attr *attr;
Slapi_Value *sval = NULL;
int ldrc;
char *attr_name;
char *policy_dn = NULL;
acctPluginCfg *cfg;
int rc = 0;
if( policy == NULL ) {
/* Bad parameter */
return( -1 );
}
*policy = NULL;
config_rd_lock();
cfg = get_config();
/* Return success and NULL policy */
policy_dn = get_attr_string_val( target_entry, cfg->spec_attr_name );
if( policy_dn == NULL ) {
slapi_log_err(SLAPI_LOG_PLUGIN, PLUGIN_NAME,
"get_acctpolicy - \"%s\" is not governed by an account inactivity "
"policy subentry\n", slapi_entry_get_ndn( target_entry ) );
if (cfg->inactivitylimit != ULONG_MAX) {
goto dopolicy;
}
slapi_log_err(SLAPI_LOG_PLUGIN, PLUGIN_NAME,
"get_acctpolicy - \"%s\" is not governed by an account inactivity "
"global policy\n", slapi_entry_get_ndn( target_entry ) );
config_unlock();
return rc;
}
sdn = slapi_sdn_new_dn_byref( policy_dn );
ldrc = slapi_search_internal_get_entry( sdn, NULL, &policy_entry,
plugin_id );
slapi_sdn_free( &sdn );
/* There should be a policy but it can't be retrieved; fatal error */
if( policy_entry == NULL ) {
if( ldrc != LDAP_NO_SUCH_OBJECT ) {
slapi_log_err(SLAPI_LOG_ERR, PLUGIN_NAME,
"get_acctpolicy - Error retrieving policy entry \"%s\": %d\n", policy_dn, ldrc );
} else {
slapi_log_err(SLAPI_LOG_PLUGIN, PLUGIN_NAME,
"get_acctpolicy - Policy entry \"%s\" is missing: %d\n", policy_dn, ldrc );
}
rc = -1;
goto done;
}
dopolicy:
*policy = (acctPolicy *)slapi_ch_calloc( 1, sizeof( acctPolicy ) );
if ( !policy_entry ) { /* global policy */
(*policy)->inactivitylimit = cfg->inactivitylimit;
goto done;
}
for( slapi_entry_first_attr( policy_entry, &attr ); attr != NULL;
slapi_entry_next_attr( policy_entry, attr, &attr ) ) {
slapi_attr_get_type(attr, &attr_name);
if( !strcasecmp( attr_name, cfg->limit_attr_name ) ) {
if( slapi_attr_first_value( attr, &sval ) == 0 ) {
(*policy)->inactivitylimit = slapi_value_get_ulong( sval );
}
}
}
done:
config_unlock();
slapi_ch_free_string( &policy_dn );
slapi_entry_free( policy_entry );
return( rc );
}
/*
* Check if we are modifying the config, or changing the shared config entry
*/
int
memberof_shared_config_validate(Slapi_PBlock *pb)
{
Slapi_Entry *e = 0;
Slapi_Entry *resulting_e = 0;
Slapi_Entry *config_entry = NULL;
Slapi_DN *sdn = NULL;
Slapi_DN *config_sdn = NULL;
Slapi_Mods *smods = 0;
Slapi_Mod *smod = NULL, *nextmod = NULL;
LDAPMod **mods = NULL;
char returntext[SLAPI_DSE_RETURNTEXT_SIZE];
char *configarea_dn = NULL;
int ret = SLAPI_PLUGIN_SUCCESS;
slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn);
if (slapi_sdn_compare(sdn, memberof_get_plugin_area()) == 0 ||
slapi_sdn_compare(sdn, memberof_get_config_area()) == 0)
{
slapi_pblock_get(pb, SLAPI_ENTRY_PRE_OP, &e);
if(e){
/*
* Create a copy of the entry and apply the
* mods to create the resulting entry.
*/
slapi_pblock_get(pb, SLAPI_MODIFY_MODS, &mods);
smods = slapi_mods_new();
slapi_mods_init_byref(smods, mods);
resulting_e = slapi_entry_dup(e);
if (mods && (slapi_entry_apply_mods(resulting_e, mods) != LDAP_SUCCESS)) {
/* we don't care about this, the update is invalid and will be caught later */
goto bail;
}
if (slapi_sdn_compare(sdn, memberof_get_plugin_area())){
/*
* This entry is a plugin config area entry, validate it.
*/
if( SLAPI_DSE_CALLBACK_ERROR == memberof_validate_config (pb, NULL, resulting_e, &ret, returntext,0)) {
ret = LDAP_UNWILLING_TO_PERFORM;
}
} else {
/*
* This is the memberOf plugin entry, check if we are adding/replacing the
* plugin config area.
*/
nextmod = slapi_mod_new();
for (smod = slapi_mods_get_first_smod(smods, nextmod);
smod != NULL;
smod = slapi_mods_get_next_smod(smods, nextmod) )
{
if ( PL_strcasecmp(SLAPI_PLUGIN_SHARED_CONFIG_AREA, slapi_mod_get_type(smod)) == 0 )
{
/*
* Okay, we are modifying the plugin config area, we only care about
* adds and replaces.
*/
if(SLAPI_IS_MOD_REPLACE(slapi_mod_get_operation(smod)) ||
SLAPI_IS_MOD_ADD(slapi_mod_get_operation(smod)))
{
struct berval *bv = NULL;
int rc = 0;
bv = slapi_mod_get_first_value(smod);
configarea_dn = slapi_ch_strdup(bv->bv_val);
if(configarea_dn){
/* Check the DN syntax */
rc = slapi_dn_syntax_check(pb, configarea_dn, 1);
if (rc) { /* syntax check failed */
PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE,
"%s does not contain a valid DN (%s)",
SLAPI_PLUGIN_SHARED_CONFIG_AREA, configarea_dn);
ret = LDAP_UNWILLING_TO_PERFORM;
goto bail;
}
/* Check if the plugin config area entry exists */
if((config_sdn = slapi_sdn_new_dn_byval(configarea_dn))){
rc = slapi_search_internal_get_entry(config_sdn, NULL, &config_entry,
memberof_get_plugin_id());
if(config_entry){
int err = 0;
/*
* Validate the settings from the new config area.
*/
if ( memberof_validate_config(pb, NULL, config_entry, &err, returntext,0)
== SLAPI_DSE_CALLBACK_ERROR )
{
ret = LDAP_UNWILLING_TO_PERFORM;
goto bail;
}
} else {
/* The config area does not exist */
PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE,
"Unable to locate shared config entry (%s) error %d",
slapi_sdn_get_dn(memberof_get_config_area()), rc);
ret = LDAP_UNWILLING_TO_PERFORM;
goto bail;
}
}
}
slapi_ch_free_string(&configarea_dn);
slapi_sdn_free(&config_sdn);
}
}
}
}
} else {
PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE,"Unable to locate shared config entry (%s)",
slapi_sdn_get_dn(memberof_get_config_area()));
ret = LDAP_UNWILLING_TO_PERFORM;
}
}
bail:
if (ret){
slapi_pblock_set(pb, SLAPI_RESULT_CODE, &ret);
slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, returntext);
slapi_log_err(SLAPI_LOG_ERR, MEMBEROF_PLUGIN_SUBSYSTEM, "memberof_shared_config_validate - %s/n",
returntext);
}
slapi_sdn_free(&config_sdn);
if(nextmod)
slapi_mod_free(&nextmod);
slapi_mods_free(&smods);
slapi_entry_free(resulting_e);
slapi_entry_free(config_entry);
slapi_ch_free_string(&configarea_dn);
return ret;
}
/*
* memberof_apply_config()
*
* Apply the pending changes in the e entry to our config struct.
* memberof_validate_config() must have already been called.
*/
int
memberof_apply_config (Slapi_PBlock *pb, Slapi_Entry* entryBefore, Slapi_Entry* e,
int *returncode, char *returntext, void *arg)
{
Slapi_Entry *config_entry = NULL;
Slapi_DN *config_sdn = NULL;
char **groupattrs = NULL;
char *memberof_attr = NULL;
char *filter_str = NULL;
int num_groupattrs = 0;
int groupattr_name_len = 0;
char *allBackends = NULL;
char **entryScopes = NULL;
char **entryScopeExcludeSubtrees = NULL;
char *sharedcfg = NULL;
char *skip_nested = NULL;
char *auto_add_oc = NULL;
int num_vals = 0;
*returncode = LDAP_SUCCESS;
/*
* Check if this is a shared config entry
*/
sharedcfg = slapi_entry_attr_get_charptr(e, SLAPI_PLUGIN_SHARED_CONFIG_AREA);
if(sharedcfg){
if((config_sdn = slapi_sdn_new_dn_byval(sharedcfg))){
slapi_search_internal_get_entry(config_sdn, NULL, &config_entry, memberof_get_plugin_id());
if(config_entry){
/* Set the entry to be the shared config entry. Validation was done in preop */
e = config_entry;
} else {
/* This should of been checked in preop validation */
PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE,
"memberof_apply_config - Failed to locate shared config entry (%s)",
sharedcfg);
slapi_log_err(SLAPI_LOG_ERR, MEMBEROF_PLUGIN_SUBSYSTEM,"%s\n",returntext);
*returncode = LDAP_UNWILLING_TO_PERFORM;
goto done;
}
}
}
/*
* Apply the config settings
*/
groupattrs = slapi_entry_attr_get_charray(e, MEMBEROF_GROUP_ATTR);
memberof_attr = slapi_entry_attr_get_charptr(e, MEMBEROF_ATTR);
allBackends = slapi_entry_attr_get_charptr(e, MEMBEROF_BACKEND_ATTR);
skip_nested = slapi_entry_attr_get_charptr(e, MEMBEROF_SKIP_NESTED_ATTR);
auto_add_oc = slapi_entry_attr_get_charptr(e, MEMBEROF_AUTO_ADD_OC);
/*
* We want to be sure we don't change the config in the middle of
* a memberOf operation, so we obtain an exclusive lock here
*/
memberof_wlock_config();
if (groupattrs)
{
int i = 0;
slapi_ch_array_free(theConfig.groupattrs);
theConfig.groupattrs = groupattrs;
groupattrs = NULL; /* config now owns memory */
/*
* We allocate a list of Slapi_Attr using the groupattrs for
* convenience in our memberOf comparison functions
*/
for (i = 0; theConfig.group_slapiattrs && theConfig.group_slapiattrs[i]; i++)
{
slapi_attr_free(&theConfig.group_slapiattrs[i]);
}
/* Count the number of groupattrs. */
for (num_groupattrs = 0; theConfig.groupattrs && theConfig.groupattrs[num_groupattrs]; num_groupattrs++)
{
/*
* Add up the total length of all attribute names. We need
* to know this for building the group check filter later.
*/
groupattr_name_len += strlen(theConfig.groupattrs[num_groupattrs]);
}
/* Realloc the list of Slapi_Attr if necessary. */
if (i < num_groupattrs)
{
theConfig.group_slapiattrs = (Slapi_Attr **)slapi_ch_realloc((char *)theConfig.group_slapiattrs,
sizeof(Slapi_Attr *) * (num_groupattrs + 1));
}
/* Build the new list */
for (i = 0; theConfig.groupattrs[i]; i++)
{
theConfig.group_slapiattrs[i] = slapi_attr_new();
slapi_attr_init(theConfig.group_slapiattrs[i], theConfig.groupattrs[i]);
}
/* Terminate the list. */
theConfig.group_slapiattrs[i] = NULL;
/* The filter is based off of the groupattr, so we update it here too. */
slapi_filter_free(theConfig.group_filter, 1);
if (num_groupattrs > 1)
{
int bytes_out = 0;
int filter_str_len = groupattr_name_len + (num_groupattrs * 4) + 4;
/* Allocate enough space for the filter */
filter_str = slapi_ch_malloc(filter_str_len);
/* Add beginning of filter. */
bytes_out = snprintf(filter_str, filter_str_len - bytes_out, "(|");
/* Add filter section for each groupattr. */
for (i = 0; theConfig.groupattrs[i]; i++)
{
bytes_out += snprintf(filter_str + bytes_out, filter_str_len - bytes_out, "(%s=*)", theConfig.groupattrs[i]);
}
/* Add end of filter. */
snprintf(filter_str + bytes_out, filter_str_len - bytes_out, ")");
}
else
{
filter_str = slapi_ch_smprintf("(%s=*)", theConfig.groupattrs[0]);
}
/*
* Log an error if we were unable to build the group filter for some
* reason. If this happens, the memberOf plugin will not be able to
* check if an entry is a group, causing it to not catch changes. This
* shouldn't happen, but there may be some garbage configuration that
* could trigger this.
*/
if ((theConfig.group_filter = slapi_str2filter(filter_str)) == NULL)
{
slapi_log_err(SLAPI_LOG_ERR, MEMBEROF_PLUGIN_SUBSYSTEM,
"memberof_apply_config - Unable to create the group check filter. The memberOf "
"plug-in will not operate on changes to groups. Please check "
"your %s configuration settings. (filter: %s)\n",
MEMBEROF_GROUP_ATTR, filter_str );
}
slapi_ch_free_string(&filter_str);
}
if (memberof_attr)
{
slapi_ch_free_string(&theConfig.memberof_attr);
theConfig.memberof_attr = memberof_attr;
memberof_attr = NULL; /* config now owns memory */
}
if (skip_nested){
if(strcasecmp(skip_nested,"on") == 0){
theConfig.skip_nested = 1;
} else {
theConfig.skip_nested = 0;
}
}
if (allBackends)
{
if(strcasecmp(allBackends,"on")==0){
theConfig.allBackends = 1;
} else {
theConfig.allBackends = 0;
}
} else {
theConfig.allBackends = 0;
}
theConfig.auto_add_oc = auto_add_oc;
/*
* Check and process the entry scopes
*/
memberof_free_scope(theConfig.entryScopes, &theConfig.entryScopeCount);
entryScopes = slapi_entry_attr_get_charray_ext(e, MEMBEROF_ENTRY_SCOPE_ATTR, &num_vals);
if(entryScopes){
int i = 0;
/* Validation has already been performed in preop, just build the DN's */
theConfig.entryScopes = (Slapi_DN **)slapi_ch_calloc(sizeof(Slapi_DN *), num_vals+1);
for (i = 0;i < num_vals; i++){
theConfig.entryScopes[i] = slapi_sdn_new_dn_passin(entryScopes[i]);
}
theConfig.entryScopeCount = num_vals; /* shortcut for config copy */
}
/*
* Check and process the entry exclude scopes
*/
memberof_free_scope(theConfig.entryScopeExcludeSubtrees,
&theConfig.entryExcludeScopeCount);
entryScopeExcludeSubtrees =
slapi_entry_attr_get_charray_ext(e, MEMBEROF_ENTRY_SCOPE_EXCLUDE_SUBTREE, &num_vals);
if(entryScopeExcludeSubtrees){
int i = 0;
/* Validation has already been performed in preop, just build the DN's */
theConfig.entryScopeExcludeSubtrees =
(Slapi_DN **)slapi_ch_calloc(sizeof(Slapi_DN *),num_vals+1);
for (i = 0;i < num_vals; i++){
theConfig.entryScopeExcludeSubtrees[i] =
slapi_sdn_new_dn_passin(entryScopeExcludeSubtrees[i]);
}
theConfig.entryExcludeScopeCount = num_vals; /* shortcut for config copy */
}
/* release the lock */
memberof_unlock_config();
done:
slapi_sdn_free(&config_sdn);
slapi_entry_free(config_entry);
slapi_ch_array_free(groupattrs);
slapi_ch_free_string(&sharedcfg);
slapi_ch_free_string(&memberof_attr);
slapi_ch_free_string(&allBackends);
slapi_ch_free_string(&skip_nested);
slapi_ch_free((void **)&entryScopes);
slapi_ch_free((void **)&entryScopeExcludeSubtrees);
if (*returncode != LDAP_SUCCESS)
{
return SLAPI_DSE_CALLBACK_ERROR;
}
else
{
return SLAPI_DSE_CALLBACK_OK;
}
}
/*
* memberof_validate_config()
*
* Validate the pending changes in the e entry.
*/
int
memberof_validate_config (Slapi_PBlock *pb, Slapi_Entry* entryBefore, Slapi_Entry* e,
int *returncode, char *returntext, void *arg)
{
Slapi_Attr *memberof_attr = NULL;
Slapi_Attr *group_attr = NULL;
Slapi_DN *config_sdn = NULL;
Slapi_DN **include_dn = NULL;
Slapi_DN **exclude_dn = NULL;
char *syntaxoid = NULL;
char *config_dn = NULL;
char *skip_nested = NULL;
char *auto_add_oc = NULL;
char **entry_scopes = NULL;
char **entry_exclude_scopes = NULL;
int not_dn_syntax = 0;
int num_vals = 0;
*returncode = LDAP_UNWILLING_TO_PERFORM; /* be pessimistic */
/* Make sure both the group attr and the memberOf attr
* config atributes are supplied. We don't care about &attr
* here, but slapi_entry_attr_find() requires us to pass it. */
if (!slapi_entry_attr_find(e, MEMBEROF_GROUP_ATTR, &group_attr) &&
!slapi_entry_attr_find(e, MEMBEROF_ATTR, &memberof_attr))
{
Slapi_Attr *test_attr = NULL;
Slapi_Value *value = NULL;
int hint = 0;
/* Loop through each group attribute to see if the syntax is correct. */
hint = slapi_attr_first_value(group_attr, &value);
while (value && (not_dn_syntax == 0))
{
/* We need to create an attribute to find the syntax. */
test_attr = slapi_attr_new();
slapi_attr_init(test_attr, slapi_value_get_string(value));
/* Get the syntax OID and see if it's the Distinguished Name or
* Name and Optional UID syntax. */
slapi_attr_get_syntax_oid_copy(test_attr, &syntaxoid );
not_dn_syntax = strcmp(syntaxoid, DN_SYNTAX_OID) & strcmp(syntaxoid, NAME_OPT_UID_SYNTAX_OID);
slapi_ch_free_string(&syntaxoid);
/* Print an error if the current attribute is not using the Distinguished
* Name syntax, otherwise get the next group attribute. */
if (not_dn_syntax)
{
PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE,
"The %s configuration attribute must be set to "
"an attribute defined to use either the Distinguished "
"Name or Name and Optional UID syntax. (illegal value: %s)",
slapi_value_get_string(value), MEMBEROF_GROUP_ATTR);
}
else
{
hint = slapi_attr_next_value(group_attr, hint, &value);
}
/* Free the group attribute. */
slapi_attr_free(&test_attr);
}
if (not_dn_syntax == 0)
{
/* Check the syntax of the memberof attribute. */
slapi_attr_first_value(memberof_attr, &value);
test_attr = slapi_attr_new();
slapi_attr_init(test_attr, slapi_value_get_string(value));
slapi_attr_get_syntax_oid_copy(test_attr, &syntaxoid );
not_dn_syntax = strcmp(syntaxoid, DN_SYNTAX_OID);
slapi_ch_free_string(&syntaxoid);
slapi_attr_free(&test_attr);
if (not_dn_syntax)
{
PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE,
"The %s configuration attribute must be set to "
"an attribute defined to use the Distinguished "
"Name syntax. (illegal value: %s)",
slapi_value_get_string(value), MEMBEROF_ATTR);
goto done;
}
else
{
*returncode = LDAP_SUCCESS;
}
}
} else {
PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE,
"The %s and %s configuration attributes must be provided",
MEMBEROF_GROUP_ATTR, MEMBEROF_ATTR);
goto done;
}
if ((skip_nested = slapi_entry_attr_get_charptr(e, MEMBEROF_SKIP_NESTED_ATTR))){
if(strcasecmp(skip_nested, "on") != 0 && strcasecmp(skip_nested, "off") != 0){
PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE,
"The %s configuration attribute must be set to "
"\"on\" or \"off\". (illegal value: %s)",
MEMBEROF_SKIP_NESTED_ATTR, skip_nested);
goto done;
}
}
if ((auto_add_oc = slapi_entry_attr_get_charptr(e, MEMBEROF_AUTO_ADD_OC))){
char *sup = NULL;
/* Check if the objectclass exists by looking for its superior oc */
if((sup = slapi_schema_get_superior_name(auto_add_oc)) == NULL){
PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE,
"The %s configuration attribute must be set to "
"to an existing objectclass (unknown: %s)",
MEMBEROF_AUTO_ADD_OC, auto_add_oc);
*returncode = LDAP_UNWILLING_TO_PERFORM;
goto done;
} else {
slapi_ch_free_string(&sup);
}
}
if ((config_dn = slapi_entry_attr_get_charptr(e, SLAPI_PLUGIN_SHARED_CONFIG_AREA))){
/* Now check the shared config attribute, validate it now */
Slapi_Entry *e = NULL;
int rc = 0;
rc = slapi_dn_syntax_check(pb, config_dn, 1);
if (rc) { /* syntax check failed */
slapi_log_err(SLAPI_LOG_ERR, MEMBEROF_PLUGIN_SUBSYSTEM, "memberof_validate_config - "
"%s does not contain a valid DN (%s)\n",
SLAPI_PLUGIN_SHARED_CONFIG_AREA, config_dn);
*returncode = LDAP_INVALID_DN_SYNTAX;
goto done;
}
config_sdn = slapi_sdn_new_dn_byval(config_dn);
slapi_search_internal_get_entry(config_sdn, NULL, &e, memberof_get_plugin_id());
if(e){
slapi_entry_free(e);
*returncode = LDAP_SUCCESS;
} else {
/* config area does not exist! */
PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE,
"The %s configuration attribute points to an entry that "
"can not be found. (%s)",
SLAPI_PLUGIN_SHARED_CONFIG_AREA, config_dn);
*returncode = LDAP_UNWILLING_TO_PERFORM;
}
}
/*
* Check the entry scopes
*/
entry_scopes = slapi_entry_attr_get_charray_ext(e, MEMBEROF_ENTRY_SCOPE_ATTR, &num_vals);
if(entry_scopes){
int i = 0;
/* Validate the syntax before we create our DN array */
for (i = 0;i < num_vals; i++){
if(slapi_dn_syntax_check(pb, entry_scopes[i], 1)){
/* invalid dn syntax */
PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE,
"%s: Invalid DN (%s) for include suffix.",
MEMBEROF_PLUGIN_SUBSYSTEM, entry_scopes[i]);
slapi_ch_array_free(entry_scopes);
entry_scopes = NULL;
theConfig.entryScopeCount = 0;
*returncode = LDAP_UNWILLING_TO_PERFORM;
goto done;
}
}
/* Now create our SDN array for conflict checking */
include_dn = (Slapi_DN **)slapi_ch_calloc(sizeof(Slapi_DN *), num_vals+1);
for (i = 0;i < num_vals; i++){
include_dn[i] = slapi_sdn_new_dn_passin(entry_scopes[i]);
}
}
/*
* Check and process the entry exclude scopes
*/
entry_exclude_scopes =
slapi_entry_attr_get_charray_ext(e, MEMBEROF_ENTRY_SCOPE_EXCLUDE_SUBTREE, &num_vals);
if(entry_exclude_scopes){
int i = 0;
/* Validate the syntax before we create our DN array */
for (i = 0;i < num_vals; i++){
if(slapi_dn_syntax_check(pb, entry_exclude_scopes[i], 1)){
/* invalid dn syntax */
PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE,
"%s: Invalid DN (%s) for exclude suffix.",
MEMBEROF_PLUGIN_SUBSYSTEM, entry_exclude_scopes[i]);
slapi_ch_array_free(entry_exclude_scopes);
entry_exclude_scopes = NULL;
*returncode = LDAP_UNWILLING_TO_PERFORM;
goto done;
}
}
/* Now create our SDN array for conflict checking */
exclude_dn = (Slapi_DN **)slapi_ch_calloc(sizeof(Slapi_DN *),num_vals+1);
for (i = 0;i < num_vals; i++){
exclude_dn[i] = slapi_sdn_new_dn_passin(entry_exclude_scopes[i]);
}
}
/*
* Need to do conflict checking
*/
if(include_dn && exclude_dn){
/*
* Make sure we haven't mixed the same suffix, and there are no
* conflicts between the includes and excludes
*/
int i = 0;
while(include_dn[i]){
int x = 0;
while(exclude_dn[x]){
if(slapi_sdn_compare(include_dn[i], exclude_dn[x] ) == 0)
{
/* we have a conflict */
PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE,
"%s: include suffix (%s) is also listed as an exclude suffix list",
MEMBEROF_PLUGIN_SUBSYSTEM, slapi_sdn_get_dn(include_dn[i]));
*returncode = LDAP_UNWILLING_TO_PERFORM;
goto done;
}
x++;
}
i++;
}
/* Check for parent/child conflicts */
i = 0;
while(include_dn[i]){
int x = 0;
while(exclude_dn[x]){
if(slapi_sdn_issuffix(include_dn[i], exclude_dn[x]))
{
/* we have a conflict */
PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE,
"%s: include suffix (%s) is a child of the exclude suffix(%s)",
MEMBEROF_PLUGIN_SUBSYSTEM,
slapi_sdn_get_dn(include_dn[i]),
slapi_sdn_get_dn(exclude_dn[i]));
*returncode = LDAP_UNWILLING_TO_PERFORM;
goto done;
}
x++;
}
i++;
}
}
done:
memberof_free_scope(exclude_dn, &num_vals);
memberof_free_scope(include_dn, &num_vals);
slapi_ch_free((void**)&entry_scopes);
slapi_ch_free((void**)&entry_exclude_scopes);
slapi_sdn_free(&config_sdn);
slapi_ch_free_string(&config_dn);
slapi_ch_free_string(&skip_nested);
slapi_ch_free_string(&auto_add_oc);
if (*returncode != LDAP_SUCCESS)
{
return SLAPI_DSE_CALLBACK_ERROR;
}
else
{
return SLAPI_DSE_CALLBACK_OK;
}
}
/*
* preop_modrdn - Pre-operation call for modify RDN
*
* Check that the new RDN does not include attributes that
* cause a constraint violation
*/
static int
preop_modrdn(Slapi_PBlock *pb)
{
int result = LDAP_SUCCESS;
Slapi_Entry *e = NULL;
Slapi_Value *sv_requiredObjectClass = NULL;
char *errtext = NULL;
char *attrName = NULL;
#ifdef DEBUG
slapi_log_error(SLAPI_LOG_PLUGIN, plugin_name,
"MODRDN begin\n");
#endif
BEGIN
int err;
char *markerObjectClass=NULL;
char *requiredObjectClass=NULL;
Slapi_DN *sdn = NULL;
Slapi_DN *superior;
char *rdn;
int deloldrdn = 0;
int isupdatedn;
Slapi_Attr *attr;
int argc;
char **argv = NULL;
/*
* If this is a replication update, just be a noop.
*/
err = slapi_pblock_get(pb, SLAPI_IS_REPLICATED_OPERATION, &isupdatedn);
if (err) { result = uid_op_error(30); break; }
if (isupdatedn)
{
break;
}
/*
* Get the arguments
*/
result = getArguments(pb, &attrName, &markerObjectClass,
&requiredObjectClass);
if (UNTAGGED_PARAMETER == result)
{
result = LDAP_SUCCESS;
/* Statically defined subtrees to monitor */
err = slapi_pblock_get(pb, SLAPI_PLUGIN_ARGC, &argc);
if (err) { result = uid_op_error(53); break; }
err = slapi_pblock_get(pb, SLAPI_PLUGIN_ARGV, &argv);
if (err) { result = uid_op_error(54); break; }
argc--; /* First argument was attribute name */
argv++;
} else if (0 != result)
{
break;
}
/* Create a Slapi_Value for the requiredObjectClass to use
* for checking the entry. */
if (requiredObjectClass) {
sv_requiredObjectClass = slapi_value_new_string(requiredObjectClass);
}
/* Get the DN of the entry being renamed */
err = slapi_pblock_get(pb, SLAPI_MODRDN_TARGET_SDN, &sdn);
if (err) { result = uid_op_error(31); break; }
/* Get superior value - unimplemented in 3.0/4.0/5.0 DS */
err = slapi_pblock_get(pb, SLAPI_MODRDN_NEWSUPERIOR_SDN, &superior);
if (err) { result = uid_op_error(32); break; }
/*
* No superior means the entry is just renamed at
* its current level in the tree. Use the target DN for
* determining which managed tree this belongs to
*/
if (!superior) superior = sdn;
/* Get the new RDN - this has the attribute values */
err = slapi_pblock_get(pb, SLAPI_MODRDN_NEWRDN, &rdn);
if (err) { result = uid_op_error(33); break; }
#ifdef DEBUG
slapi_log_error(SLAPI_LOG_PLUGIN, plugin_name,
"MODRDN newrdn=%s\n", rdn);
#endif
/* See if the old RDN value is being deleted. */
err = slapi_pblock_get(pb, SLAPI_MODRDN_DELOLDRDN, &deloldrdn);
if (err) { result = uid_op_error(34); break; }
/* Get the entry that is being renamed so we can make a dummy copy
* of what it will look like after the rename. */
err = slapi_search_internal_get_entry(sdn, NULL, &e, plugin_identity);
if (err != LDAP_SUCCESS) {
result = uid_op_error(35);
/* We want to return a no such object error if the target doesn't exist. */
if (err == LDAP_NO_SUCH_OBJECT) {
result = err;
}
break;
}
/* Apply the rename operation to the dummy entry. */
/* slapi_entry_rename does not expect rdn normalized */
err = slapi_entry_rename(e, rdn, deloldrdn, superior);
if (err != LDAP_SUCCESS) { result = uid_op_error(36); break; }
/*
* Find any unique attribute data in the new RDN
*/
err = slapi_entry_attr_find(e, attrName, &attr);
if (err) break; /* no UID attribute */
/*
* Check if it has the required object class
*/
if (requiredObjectClass &&
!slapi_entry_attr_has_syntax_value(e, SLAPI_ATTR_OBJECTCLASS, sv_requiredObjectClass)) { break; }
/*
* Passed all the requirements - this is an operation we
* need to enforce uniqueness on. Now find all parent entries
* with the marker object class, and do a search for each one.
*/
if (NULL != markerObjectClass)
{
/* Subtree defined by location of marker object class */
result = findSubtreeAndSearch(slapi_entry_get_sdn(e), attrName, attr, NULL,
requiredObjectClass, sdn,
markerObjectClass);
} else
{
/* Subtrees listed on invocation line */
result = searchAllSubtrees(argc, argv, attrName, attr, NULL,
requiredObjectClass, sdn);
}
END
/* Clean-up */
slapi_value_free(&sv_requiredObjectClass);
if (e) slapi_entry_free(e);
if (result)
{
slapi_log_error(SLAPI_LOG_PLUGIN, plugin_name,
"MODRDN result %d\n", result);
if (result == LDAP_CONSTRAINT_VIOLATION) {
errtext = slapi_ch_smprintf(moreInfo, attrName);
} else {
errtext = slapi_ch_strdup("Error checking for attribute uniqueness.");
}
slapi_send_ldap_result(pb, result, 0, errtext, 0, 0);
slapi_ch_free_string(&errtext);
}
return (result==LDAP_SUCCESS)?0:-1;
}
/* reads the cookie in dse.ldif to the replication agreement entry
returns: ldap result code of ldap operation, or
LDAP_NO_SUCH_ATTRIBUTE. (this is the equilivent of a null cookie) */
int windows_private_load_dirsync_cookie(const Repl_Agmt *ra)
{
Dirsync_Private *dp = NULL;
Slapi_PBlock *pb = NULL;
Slapi_DN* sdn = NULL;
int rc = 0;
Slapi_Entry *entry = NULL;
Slapi_Attr *attr = NULL;
LDAPDebug0Args( LDAP_DEBUG_TRACE, "=> windows_private_load_dirsync_cookie\n" );
PR_ASSERT(ra);
dp = (Dirsync_Private *) agmt_get_priv(ra);
PR_ASSERT (dp);
pb = slapi_pblock_new ();
sdn = slapi_sdn_dup( agmt_get_dn_byref(ra) );
rc = slapi_search_internal_get_entry(sdn, NULL, &entry,
repl_get_plugin_identity (PLUGIN_MULTIMASTER_REPLICATION));
if (rc == 0)
{
rc= slapi_entry_attr_find( entry, type_nsds7DirsyncCookie, &attr );
if (attr)
{
struct berval **vals;
rc = slapi_attr_get_bervals_copy(attr, &vals );
if (vals)
{
dp->dirsync_cookie_len = (int) (vals[0])->bv_len;
slapi_ch_free_string(&dp->dirsync_cookie);
dp->dirsync_cookie = ( char* ) slapi_ch_malloc(dp->dirsync_cookie_len + 1);
memcpy(dp->dirsync_cookie,(vals[0]->bv_val), (vals[0])->bv_len+1);
}
ber_bvecfree(vals);
/* we do not free attr */
}
else
{
rc = LDAP_NO_SUCH_ATTRIBUTE;
}
}
if (entry)
{
slapi_entry_free(entry);
}
slapi_sdn_free( &sdn);
slapi_pblock_destroy (pb);
LDAPDebug0Args( LDAP_DEBUG_TRACE, "<= windows_private_load_dirsync_cookie\n" );
return rc;
}