int slap_compare_entry(
Operation *op,
Entry *e,
AttributeAssertion *ava )
{
int rc = LDAP_COMPARE_FALSE;
Attribute *a;
if ( ! access_allowed( op, e,
ava->aa_desc, &ava->aa_value, ACL_COMPARE, NULL ) )
{
rc = LDAP_INSUFFICIENT_ACCESS;
goto done;
}
if ( get_assert( op ) &&
( test_filter( op, e, get_assertion( op )) != LDAP_COMPARE_TRUE ))
{
rc = LDAP_ASSERTION_FAILED;
goto done;
}
a = attrs_find( e->e_attrs, ava->aa_desc );
if( a == NULL ) {
rc = LDAP_NO_SUCH_ATTRIBUTE;
goto done;
}
for(;
a != NULL;
a = attrs_find( a->a_next, ava->aa_desc ))
{
if (( ava->aa_desc != a->a_desc ) && ! access_allowed( op,
e, a->a_desc, &ava->aa_value, ACL_COMPARE, NULL ) )
{
rc = LDAP_INSUFFICIENT_ACCESS;
break;
}
if ( attr_valfind( a,
SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
&ava->aa_value, NULL, op->o_tmpmemctx ) == 0 )
{
rc = LDAP_COMPARE_TRUE;
break;
}
}
done:
if( rc != LDAP_COMPARE_TRUE && rc != LDAP_COMPARE_FALSE ) {
if ( ! access_allowed( op, e,
slap_schema.si_ad_entry, NULL, ACL_DISCLOSE, NULL ) )
{
rc = LDAP_NO_SUCH_OBJECT;
}
}
return rc;
}
static int
backsql_tree_delete_search_cb( Operation *op, SlapReply *rs )
{
if ( rs->sr_type == REP_SEARCH ) {
backsql_tree_delete_t *btd;
backsql_entryID *eid;
btd = (backsql_tree_delete_t *)op->o_callback->sc_private;
if ( !access_allowed( btd->btd_op, rs->sr_entry,
slap_schema.si_ad_entry, NULL, ACL_WDEL, NULL )
|| !access_allowed( btd->btd_op, rs->sr_entry,
slap_schema.si_ad_children, NULL, ACL_WDEL, NULL ) )
{
btd->btd_rc = LDAP_INSUFFICIENT_ACCESS;
return rs->sr_err = LDAP_UNAVAILABLE;
}
assert( rs->sr_entry != NULL );
assert( rs->sr_entry->e_private != NULL );
eid = (backsql_entryID *)rs->sr_entry->e_private;
assert( eid->eid_oc != NULL );
if ( eid->eid_oc == NULL || eid->eid_oc->bom_delete_proc == NULL ) {
btd->btd_rc = LDAP_UNWILLING_TO_PERFORM;
return rs->sr_err = LDAP_UNAVAILABLE;
}
eid = backsql_entryID_dup( eid, op->o_tmpmemctx );
eid->eid_next = btd->btd_eid;
btd->btd_eid = eid;
}
return 0;
}
static int
test_substrings_filter(
Operation *op,
Entry *e,
Filter *f )
{
Attribute *a;
int rc;
Debug( LDAP_DEBUG_FILTER, "begin test_substrings_filter\n", 0, 0, 0 );
if ( !access_allowed( op, e,
f->f_sub_desc, NULL, ACL_SEARCH, NULL ) )
{
return LDAP_INSUFFICIENT_ACCESS;
}
rc = LDAP_COMPARE_FALSE;
for(a = attrs_find( e->e_attrs, f->f_sub_desc );
a != NULL;
a = attrs_find( a->a_next, f->f_sub_desc ) )
{
MatchingRule *mr;
struct berval *bv;
if (( f->f_sub_desc != a->a_desc ) && !access_allowed( op,
e, a->a_desc, NULL, ACL_SEARCH, NULL ))
{
rc = LDAP_INSUFFICIENT_ACCESS;
continue;
}
mr = a->a_desc->ad_type->sat_substr;
if( mr == NULL ) {
rc = LDAP_INAPPROPRIATE_MATCHING;
continue;
}
for ( bv = a->a_nvals; !BER_BVISNULL( bv ); bv++ ) {
int ret, match;
const char *text;
ret = value_match( &match, a->a_desc, mr, SLAP_MR_SUBSTR,
bv, f->f_sub, &text );
if( ret != LDAP_SUCCESS ) {
rc = ret;
break;
}
if ( match == 0 ) return LDAP_COMPARE_TRUE;
}
}
Debug( LDAP_DEBUG_FILTER, "end test_substrings_filter %d\n",
rc, 0, 0 );
return rc;
}
static int
test_presence_filter(
Operation *op,
Entry *e,
AttributeDescription *desc )
{
Attribute *a;
int rc;
if ( !access_allowed( op, e, desc, NULL, ACL_SEARCH, NULL ) ) {
return LDAP_INSUFFICIENT_ACCESS;
}
if ( desc == slap_schema.si_ad_hasSubordinates ) {
/*
* XXX: fairly optimistic: if the function is defined,
* then PRESENCE must succeed, because hasSubordinate
* is boolean-valued; I think we may live with this
* simplification by now.
*/
if ( op && op->o_bd && op->o_bd->be_has_subordinates ) {
return LDAP_COMPARE_TRUE;
}
return LDAP_COMPARE_FALSE;
}
if ( desc == slap_schema.si_ad_entryDN ||
desc == slap_schema.si_ad_subschemaSubentry )
{
/* entryDN and subschemaSubentry are always present */
return LDAP_COMPARE_TRUE;
}
rc = LDAP_COMPARE_FALSE;
for(a = attrs_find( e->e_attrs, desc );
a != NULL;
a = attrs_find( a->a_next, desc ) )
{
if (( desc != a->a_desc ) && !access_allowed( op,
e, a->a_desc, NULL, ACL_SEARCH, NULL ))
{
rc = LDAP_INSUFFICIENT_ACCESS;
continue;
}
rc = LDAP_COMPARE_TRUE;
break;
}
return rc;
}
int
shell_back_compare(
Operation *op,
SlapReply *rs )
{
struct shellinfo *si = (struct shellinfo *) op->o_bd->be_private;
AttributeDescription *entry = slap_schema.si_ad_entry;
Entry e;
FILE *rfp, *wfp;
if ( si->si_compare == NULL ) {
send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
"compare not implemented" );
return( -1 );
}
e.e_id = NOID;
e.e_name = op->o_req_dn;
e.e_nname = op->o_req_ndn;
e.e_attrs = NULL;
e.e_ocflags = 0;
e.e_bv.bv_len = 0;
e.e_bv.bv_val = NULL;
e.e_private = NULL;
if ( ! access_allowed( op, &e,
entry, NULL, ACL_READ, NULL ) )
{
send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL );
return -1;
}
if ( forkandexec( si->si_compare, &rfp, &wfp ) == (pid_t)-1 ) {
send_ldap_error( op, rs, LDAP_OTHER,
"could not fork/exec" );
return( -1 );
}
/*
* FIX ME: This should use LDIF routines so that binary
* values are properly dealt with
*/
/* write out the request to the compare process */
fprintf( wfp, "COMPARE\n" );
fprintf( wfp, "msgid: %ld\n", (long) op->o_msgid );
print_suffixes( wfp, op->o_bd );
fprintf( wfp, "dn: %s\n", op->o_req_dn.bv_val );
fprintf( wfp, "%s: %s\n",
op->oq_compare.rs_ava->aa_desc->ad_cname.bv_val,
op->oq_compare.rs_ava->aa_value.bv_val /* could be binary! */ );
fclose( wfp );
/* read in the result and send it along */
read_and_send_results( op, rs, rfp );
fclose( rfp );
return( 0 );
}
int
sock_back_compare(
Operation *op,
SlapReply *rs )
{
struct sockinfo *si = (struct sockinfo *) op->o_bd->be_private;
AttributeDescription *entry = slap_schema.si_ad_entry;
Entry e;
FILE *fp;
char *text;
e.e_id = NOID;
e.e_name = op->o_req_dn;
e.e_nname = op->o_req_ndn;
e.e_attrs = NULL;
e.e_ocflags = 0;
e.e_bv.bv_len = 0;
e.e_bv.bv_val = NULL;
e.e_private = NULL;
if ( ! access_allowed( op, &e,
entry, NULL, ACL_COMPARE, NULL ) )
{
send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL );
return -1;
}
if ( (fp = opensock( si->si_sockpath )) == NULL ) {
send_ldap_error( op, rs, LDAP_OTHER,
"could not open socket" );
return( -1 );
}
/* write out the request to the compare process */
fprintf( fp, "COMPARE\n" );
fprintf( fp, "msgid: %ld\n", (long) op->o_msgid );
sock_print_conn( fp, op->o_conn, si );
sock_print_suffixes( fp, op->o_bd );
fprintf( fp, "dn: %s\n", op->o_req_dn.bv_val );
/* could be binary */
text = ldif_put_wrap( LDIF_PUT_VALUE,
op->orc_ava->aa_desc->ad_cname.bv_val,
op->orc_ava->aa_value.bv_val,
op->orc_ava->aa_value.bv_len, LDIF_LINE_WIDTH_MAX );
if ( text ) {
fprintf( fp, "%s\n", text );
ber_memfree( text );
} else {
fprintf( fp, "\n\n" );
}
/* read in the result and send it along */
sock_read_and_send_results( op, rs, fp );
fclose( fp );
return( 0 );
}
static int
dds_op_rename( Operation *op, SlapReply *rs )
{
slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
dds_info_t *di = on->on_bi.bi_private;
if ( DDS_OFF( di ) ) {
return SLAP_CB_CONTINUE;
}
/* we don't allow dynamicObjects to have static subordinates */
if ( op->orr_nnewSup != NULL ) {
Entry *e = NULL;
BackendInfo *bi = op->o_bd->bd_info;
int is_dynamicObject = 0,
rc;
rs->sr_err = LDAP_SUCCESS;
op->o_bd->bd_info = (BackendInfo *)on->on_info;
rc = be_entry_get_rw( op, &op->o_req_ndn,
slap_schema.si_oc_dynamicObject, NULL, 0, &e );
if ( rc == LDAP_SUCCESS && e != NULL ) {
be_entry_release_r( op, e );
e = NULL;
is_dynamicObject = 1;
}
rc = be_entry_get_rw( op, op->orr_nnewSup,
slap_schema.si_oc_dynamicObject, NULL, 0, &e );
if ( rc == LDAP_SUCCESS && e != NULL ) {
if ( !is_dynamicObject ) {
/* return referral only if "disclose"
* is granted on the object */
if ( ! access_allowed( op, e,
slap_schema.si_ad_entry,
NULL, ACL_DISCLOSE, NULL ) )
{
rs->sr_err = LDAP_NO_SUCH_OBJECT;
send_ldap_result( op, rs );
} else {
send_ldap_error( op, rs, LDAP_CONSTRAINT_VIOLATION,
"static entry cannot have dynamicObject as newSuperior" );
}
}
be_entry_release_r( op, e );
}
op->o_bd->bd_info = bi;
if ( rs->sr_err != LDAP_SUCCESS ) {
return rs->sr_err;
}
}
return SLAP_CB_CONTINUE;
}
int
shell_back_modrdn(
Operation *op,
SlapReply *rs )
{
struct shellinfo *si = (struct shellinfo *) op->o_bd->be_private;
AttributeDescription *entry = slap_schema.si_ad_entry;
Entry e;
FILE *rfp, *wfp;
if ( si->si_modrdn == NULL ) {
send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
"modrdn not implemented" );
return( -1 );
}
e.e_id = NOID;
e.e_name = op->o_req_dn;
e.e_nname = op->o_req_ndn;
e.e_attrs = NULL;
e.e_ocflags = 0;
e.e_bv.bv_len = 0;
e.e_bv.bv_val = NULL;
e.e_private = NULL;
if ( ! access_allowed( op, &e, entry, NULL,
op->oq_modrdn.rs_newSup ? ACL_WDEL : ACL_WRITE,
NULL ) )
{
send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL );
return -1;
}
if ( forkandexec( si->si_modrdn, &rfp, &wfp ) == (pid_t)-1 ) {
send_ldap_error( op, rs, LDAP_OTHER,
"could not fork/exec" );
return( -1 );
}
/* write out the request to the modrdn process */
fprintf( wfp, "MODRDN\n" );
fprintf( wfp, "msgid: %ld\n", (long) op->o_msgid );
print_suffixes( wfp, op->o_bd );
fprintf( wfp, "dn: %s\n", op->o_req_dn.bv_val );
fprintf( wfp, "newrdn: %s\n", op->oq_modrdn.rs_newrdn.bv_val );
fprintf( wfp, "deleteoldrdn: %d\n", op->oq_modrdn.rs_deleteoldrdn ? 1 : 0 );
if ( op->oq_modrdn.rs_newSup != NULL ) {
fprintf( wfp, "newSuperior: %s\n", op->oq_modrdn.rs_newSup->bv_val );
}
fclose( wfp );
/* read in the results and send them along */
read_and_send_results( op, rs, rfp );
fclose( rfp );
return( 0 );
}
int
sock_back_modrdn(
Operation *op,
SlapReply *rs )
{
struct sockinfo *si = (struct sockinfo *) op->o_bd->be_private;
AttributeDescription *entry = slap_schema.si_ad_entry;
Entry e;
FILE *fp;
e.e_id = NOID;
e.e_name = op->o_req_dn;
e.e_nname = op->o_req_ndn;
e.e_attrs = NULL;
e.e_ocflags = 0;
e.e_bv.bv_len = 0;
e.e_bv.bv_val = NULL;
e.e_private = NULL;
if ( ! access_allowed( op, &e, entry, NULL,
op->oq_modrdn.rs_newSup ? ACL_WDEL : ACL_WRITE,
NULL ) )
{
send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL );
return -1;
}
if ( (fp = opensock( si->si_sockpath )) == NULL ) {
send_ldap_error( op, rs, LDAP_OTHER,
"could not open socket" );
return( -1 );
}
/* write out the request to the modrdn process */
fprintf( fp, "MODRDN\n" );
fprintf( fp, "msgid: %ld\n", (long) op->o_msgid );
sock_print_conn( fp, op->o_conn, si );
sock_print_suffixes( fp, op->o_bd );
fprintf( fp, "dn: %s\n", op->o_req_dn.bv_val );
fprintf( fp, "newrdn: %s\n", op->oq_modrdn.rs_newrdn.bv_val );
fprintf( fp, "deleteoldrdn: %d\n", op->oq_modrdn.rs_deleteoldrdn ? 1 : 0 );
if ( op->oq_modrdn.rs_newSup != NULL ) {
fprintf( fp, "newSuperior: %s\n", op->oq_modrdn.rs_newSup->bv_val );
}
fprintf( fp, "\n" );
/* read in the results and send them along */
sock_read_and_send_results( op, rs, fp );
fclose( fp );
return( 0 );
}
int
sock_back_bind(
Operation *op,
SlapReply *rs )
{
struct sockinfo *si = (struct sockinfo *) op->o_bd->be_private;
AttributeDescription *entry = slap_schema.si_ad_entry;
Entry e;
FILE *fp;
int rc;
e.e_id = NOID;
e.e_name = op->o_req_dn;
e.e_nname = op->o_req_ndn;
e.e_attrs = NULL;
e.e_ocflags = 0;
e.e_bv.bv_len = 0;
e.e_bv.bv_val = NULL;
e.e_private = NULL;
if ( ! access_allowed( op, &e,
entry, NULL, ACL_AUTH, NULL ) )
{
send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL );
return -1;
}
if ( (fp = opensock( si->si_sockpath )) == NULL ) {
send_ldap_error( op, rs, LDAP_OTHER,
"could not open socket" );
return( -1 );
}
/* write out the request to the bind process */
fprintf( fp, "BIND\n" );
fprintf( fp, "msgid: %ld\n", (long) op->o_msgid );
sock_print_conn( fp, op->o_conn, si );
sock_print_suffixes( fp, op->o_bd );
fprintf( fp, "dn: %s\n", op->o_req_dn.bv_val );
fprintf( fp, "method: %d\n", op->oq_bind.rb_method );
fprintf( fp, "credlen: %lu\n", op->oq_bind.rb_cred.bv_len );
fprintf( fp, "cred: %s\n", op->oq_bind.rb_cred.bv_val ); /* XXX */
fprintf( fp, "\n" );
/* read in the results and send them along */
rc = sock_read_and_send_results( op, rs, fp );
fclose( fp );
return( rc );
}
/*
* if "e" is provided, access to each value of the password is checked first
*/
int
slap_passwd_check(
Operation *op,
Entry *e,
Attribute *a,
struct berval *cred,
const char **text )
{
int result = 1;
struct berval *bv;
AccessControlState acl_state = ACL_STATE_INIT;
char credNul = cred->bv_val[cred->bv_len];
#ifdef SLAPD_SPASSWD
void *old_authctx = NULL;
ldap_pvt_thread_pool_setkey( op->o_threadctx, (void *)slap_sasl_bind,
op->o_conn->c_sasl_authctx, 0, &old_authctx, NULL );
#endif
if ( credNul ) cred->bv_val[cred->bv_len] = 0;
for ( bv = a->a_vals; bv->bv_val != NULL; bv++ ) {
/* if e is provided, check access */
if ( e && access_allowed( op, e, a->a_desc, bv,
ACL_AUTH, &acl_state ) == 0 )
{
continue;
}
if ( !lutil_passwd( bv, cred, NULL, text ) ) {
result = 0;
break;
}
}
if ( credNul ) cred->bv_val[cred->bv_len] = credNul;
#ifdef SLAPD_SPASSWD
ldap_pvt_thread_pool_setkey( op->o_threadctx, (void *)slap_sasl_bind,
old_authctx, 0, NULL, NULL );
#endif
return result;
}
int
shell_back_add(
Operation *op,
SlapReply *rs )
{
struct shellinfo *si = (struct shellinfo *) op->o_bd->be_private;
AttributeDescription *entry = slap_schema.si_ad_entry;
FILE *rfp, *wfp;
int len;
if ( si->si_add == NULL ) {
send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
"add not implemented" );
return( -1 );
}
if ( ! access_allowed( op, op->oq_add.rs_e,
entry, NULL, ACL_WADD, NULL ) )
{
send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL );
return -1;
}
if ( forkandexec( si->si_add, &rfp, &wfp ) == (pid_t)-1 ) {
send_ldap_error( op, rs, LDAP_OTHER,
"could not fork/exec" );
return( -1 );
}
/* write out the request to the add process */
fprintf( wfp, "ADD\n" );
fprintf( wfp, "msgid: %ld\n", (long) op->o_msgid );
print_suffixes( wfp, op->o_bd );
ldap_pvt_thread_mutex_lock( &entry2str_mutex );
fprintf( wfp, "%s", entry2str( op->oq_add.rs_e, &len ) );
ldap_pvt_thread_mutex_unlock( &entry2str_mutex );
fclose( wfp );
/* read in the result and send it along */
read_and_send_results( op, rs, rfp );
fclose( rfp );
return( 0 );
}
int
sock_back_add(
Operation *op,
SlapReply *rs )
{
struct sockinfo *si = (struct sockinfo *) op->o_bd->be_private;
AttributeDescription *entry = slap_schema.si_ad_entry;
FILE *fp;
int len;
if ( ! access_allowed( op, op->oq_add.rs_e,
entry, NULL, ACL_WADD, NULL ) )
{
send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL );
return -1;
}
if ( (fp = opensock( si->si_sockpath )) == NULL ) {
send_ldap_error( op, rs, LDAP_OTHER,
"could not open socket" );
return( -1 );
}
/* write out the request to the add process */
fprintf( fp, "ADD\n" );
fprintf( fp, "msgid: %ld\n", (long) op->o_msgid );
sock_print_conn( fp, op->o_conn, si );
sock_print_suffixes( fp, op->o_bd );
ldap_pvt_thread_mutex_lock( &entry2str_mutex );
fprintf( fp, "%s", entry2str( op->oq_add.rs_e, &len ) );
ldap_pvt_thread_mutex_unlock( &entry2str_mutex );
fprintf (fp, "\n" );
/* read in the result and send it along */
sock_read_and_send_results( op, rs, fp );
fclose( fp );
return( 0 );
}
int
mdb_search( Operation *op, SlapReply *rs )
{
struct mdb_info *mdb = (struct mdb_info *) op->o_bd->be_private;
ID id, cursor, nsubs, ncand, cscope;
ID lastid = NOID;
ID candidates[MDB_IDL_UM_SIZE];
ID iscopes[MDB_IDL_DB_SIZE];
ID2 *scopes;
void *stack;
Entry *e = NULL, *base = NULL;
Entry *matched = NULL;
AttributeName *attrs;
slap_mask_t mask;
time_t stoptime;
int manageDSAit;
int tentries = 0;
IdScopes isc;
MDB_cursor *mci, *mcd;
ww_ctx wwctx;
slap_callback cb = { 0 };
mdb_op_info opinfo = {{{0}}}, *moi = &opinfo;
MDB_txn *ltid = NULL;
Debug( LDAP_DEBUG_TRACE, "=> " LDAP_XSTRING(mdb_search) "\n", 0, 0, 0);
attrs = op->oq_search.rs_attrs;
manageDSAit = get_manageDSAit( op );
rs->sr_err = mdb_opinfo_get( op, mdb, 1, &moi );
switch(rs->sr_err) {
case 0:
break;
default:
send_ldap_error( op, rs, LDAP_OTHER, "internal error" );
return rs->sr_err;
}
ltid = moi->moi_txn;
rs->sr_err = mdb_cursor_open( ltid, mdb->mi_id2entry, &mci );
if ( rs->sr_err ) {
send_ldap_error( op, rs, LDAP_OTHER, "internal error" );
return rs->sr_err;
}
rs->sr_err = mdb_cursor_open( ltid, mdb->mi_dn2id, &mcd );
if ( rs->sr_err ) {
mdb_cursor_close( mci );
send_ldap_error( op, rs, LDAP_OTHER, "internal error" );
return rs->sr_err;
}
scopes = scope_chunk_get( op );
stack = search_stack( op );
isc.mt = ltid;
isc.mc = mcd;
isc.scopes = scopes;
isc.oscope = op->ors_scope;
isc.sctmp = stack;
if ( op->ors_deref & LDAP_DEREF_FINDING ) {
MDB_IDL_ZERO(candidates);
}
dn2entry_retry:
/* get entry with reader lock */
rs->sr_err = mdb_dn2entry( op, ltid, mcd, &op->o_req_ndn, &e, &nsubs, 1 );
switch(rs->sr_err) {
case MDB_NOTFOUND:
matched = e;
e = NULL;
break;
case 0:
break;
case LDAP_BUSY:
send_ldap_error( op, rs, LDAP_BUSY, "ldap server busy" );
goto done;
default:
send_ldap_error( op, rs, LDAP_OTHER, "internal error" );
goto done;
}
if ( op->ors_deref & LDAP_DEREF_FINDING ) {
if ( matched && is_entry_alias( matched )) {
struct berval stub;
stub.bv_val = op->o_req_ndn.bv_val;
stub.bv_len = op->o_req_ndn.bv_len - matched->e_nname.bv_len - 1;
e = deref_base( op, rs, matched, &matched, ltid,
candidates, NULL );
if ( e ) {
build_new_dn( &op->o_req_ndn, &e->e_nname, &stub,
op->o_tmpmemctx );
mdb_entry_return(op, e);
matched = NULL;
goto dn2entry_retry;
}
} else if ( e && is_entry_alias( e )) {
e = deref_base( op, rs, e, &matched, ltid,
candidates, NULL );
}
}
if ( e == NULL ) {
struct berval matched_dn = BER_BVNULL;
if ( matched != NULL ) {
BerVarray erefs = NULL;
/* return referral only if "disclose"
* is granted on the object */
if ( ! access_allowed( op, matched,
slap_schema.si_ad_entry,
NULL, ACL_DISCLOSE, NULL ) )
{
rs->sr_err = LDAP_NO_SUCH_OBJECT;
} else {
ber_dupbv( &matched_dn, &matched->e_name );
erefs = is_entry_referral( matched )
? get_entry_referrals( op, matched )
: NULL;
if ( rs->sr_err == MDB_NOTFOUND )
rs->sr_err = LDAP_REFERRAL;
rs->sr_matched = matched_dn.bv_val;
}
mdb_entry_return(op, matched);
matched = NULL;
if ( erefs ) {
rs->sr_ref = referral_rewrite( erefs, &matched_dn,
&op->o_req_dn, op->oq_search.rs_scope );
ber_bvarray_free( erefs );
}
} else {
rs->sr_ref = referral_rewrite( default_referral,
NULL, &op->o_req_dn, op->oq_search.rs_scope );
rs->sr_err = rs->sr_ref != NULL ? LDAP_REFERRAL : LDAP_NO_SUCH_OBJECT;
}
send_ldap_result( op, rs );
if ( rs->sr_ref ) {
ber_bvarray_free( rs->sr_ref );
rs->sr_ref = NULL;
}
if ( !BER_BVISNULL( &matched_dn ) ) {
ber_memfree( matched_dn.bv_val );
rs->sr_matched = NULL;
}
goto done;
}
/* NOTE: __NEW__ "search" access is required
* on searchBase object */
if ( ! access_allowed_mask( op, e, slap_schema.si_ad_entry,
NULL, ACL_SEARCH, NULL, &mask ) )
{
if ( !ACL_GRANT( mask, ACL_DISCLOSE ) ) {
rs->sr_err = LDAP_NO_SUCH_OBJECT;
} else {
rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
}
mdb_entry_return( op,e);
send_ldap_result( op, rs );
goto done;
}
if ( !manageDSAit && is_entry_referral( e ) ) {
/* entry is a referral */
struct berval matched_dn = BER_BVNULL;
BerVarray erefs = NULL;
ber_dupbv( &matched_dn, &e->e_name );
erefs = get_entry_referrals( op, e );
rs->sr_err = LDAP_REFERRAL;
mdb_entry_return( op, e );
e = NULL;
if ( erefs ) {
rs->sr_ref = referral_rewrite( erefs, &matched_dn,
&op->o_req_dn, op->oq_search.rs_scope );
ber_bvarray_free( erefs );
if ( !rs->sr_ref ) {
rs->sr_text = "bad_referral object";
}
}
Debug( LDAP_DEBUG_TRACE,
LDAP_XSTRING(mdb_search) ": entry is referral\n",
0, 0, 0 );
rs->sr_matched = matched_dn.bv_val;
send_ldap_result( op, rs );
ber_bvarray_free( rs->sr_ref );
rs->sr_ref = NULL;
ber_memfree( matched_dn.bv_val );
rs->sr_matched = NULL;
goto done;
}
if ( get_assert( op ) &&
( test_filter( op, e, get_assertion( op )) != LDAP_COMPARE_TRUE ))
{
rs->sr_err = LDAP_ASSERTION_FAILED;
mdb_entry_return( op,e);
send_ldap_result( op, rs );
goto done;
}
/* compute it anyway; root does not use it */
stoptime = op->o_time + op->ors_tlimit;
base = e;
e = NULL;
/* select candidates */
if ( op->oq_search.rs_scope == LDAP_SCOPE_BASE ) {
rs->sr_err = base_candidate( op->o_bd, base, candidates );
scopes[0].mid = 0;
ncand = 1;
} else {
if ( op->ors_scope == LDAP_SCOPE_ONELEVEL ) {
size_t nkids;
MDB_val key, data;
key.mv_data = &base->e_id;
key.mv_size = sizeof( ID );
mdb_cursor_get( mcd, &key, &data, MDB_SET );
mdb_cursor_count( mcd, &nkids );
nsubs = nkids - 1;
} else if ( !base->e_id ) {
/* we don't maintain nsubs for entryID 0.
* just grab entry count from id2entry stat
*/
MDB_stat ms;
mdb_stat( ltid, mdb->mi_id2entry, &ms );
nsubs = ms.ms_entries;
}
MDB_IDL_ZERO( candidates );
scopes[0].mid = 1;
scopes[1].mid = base->e_id;
scopes[1].mval.mv_data = NULL;
rs->sr_err = search_candidates( op, rs, base,
&isc, mci, candidates, stack );
ncand = MDB_IDL_N( candidates );
if ( !base->e_id || ncand == NOID ) {
/* grab entry count from id2entry stat
*/
MDB_stat ms;
mdb_stat( ltid, mdb->mi_id2entry, &ms );
if ( !base->e_id )
nsubs = ms.ms_entries;
if ( ncand == NOID )
ncand = ms.ms_entries;
}
}
/* start cursor at beginning of candidates.
*/
cursor = 0;
if ( candidates[0] == 0 ) {
Debug( LDAP_DEBUG_TRACE,
LDAP_XSTRING(mdb_search) ": no candidates\n",
0, 0, 0 );
goto nochange;
}
/* if not root and candidates exceed to-be-checked entries, abort */
if ( op->ors_limit /* isroot == FALSE */ &&
op->ors_limit->lms_s_unchecked != -1 &&
ncand > (unsigned) op->ors_limit->lms_s_unchecked )
{
rs->sr_err = LDAP_ADMINLIMIT_EXCEEDED;
send_ldap_result( op, rs );
rs->sr_err = LDAP_SUCCESS;
goto done;
}
if ( op->ors_limit == NULL /* isroot == TRUE */ ||
!op->ors_limit->lms_s_pr_hide )
{
tentries = ncand;
}
wwctx.flag = 0;
/* If we're running in our own read txn */
if ( moi == &opinfo ) {
cb.sc_writewait = mdb_writewait;
cb.sc_private = &wwctx;
wwctx.txn = ltid;
wwctx.mcd = NULL;
cb.sc_next = op->o_callback;
op->o_callback = &cb;
}
if ( get_pagedresults( op ) > SLAP_CONTROL_IGNORED ) {
PagedResultsState *ps = op->o_pagedresults_state;
/* deferred cookie parsing */
rs->sr_err = parse_paged_cookie( op, rs );
if ( rs->sr_err != LDAP_SUCCESS ) {
send_ldap_result( op, rs );
goto done;
}
cursor = (ID) ps->ps_cookie;
if ( cursor && ps->ps_size == 0 ) {
rs->sr_err = LDAP_SUCCESS;
rs->sr_text = "search abandoned by pagedResult size=0";
send_ldap_result( op, rs );
goto done;
}
id = mdb_idl_first( candidates, &cursor );
if ( id == NOID ) {
Debug( LDAP_DEBUG_TRACE,
LDAP_XSTRING(mdb_search)
": no paged results candidates\n",
0, 0, 0 );
send_paged_response( op, rs, &lastid, 0 );
rs->sr_err = LDAP_OTHER;
goto done;
}
if ( id == (ID)ps->ps_cookie )
id = mdb_idl_next( candidates, &cursor );
nsubs = ncand; /* always bypass scope'd search */
goto loop_begin;
}
if ( nsubs < ncand ) {
int rc;
/* Do scope-based search */
/* if any alias scopes were set, save them */
if (scopes[0].mid > 1) {
cursor = 1;
for (cscope = 1; cscope <= scopes[0].mid; cscope++) {
/* Ignore the original base */
if (scopes[cscope].mid == base->e_id)
continue;
iscopes[cursor++] = scopes[cscope].mid;
}
iscopes[0] = scopes[0].mid - 1;
} else {
iscopes[0] = 0;
}
wwctx.mcd = mcd;
isc.id = base->e_id;
isc.numrdns = 0;
rc = mdb_dn2id_walk( op, &isc );
if ( rc )
id = NOID;
else
id = isc.id;
cscope = 0;
} else {
id = mdb_idl_first( candidates, &cursor );
}
while (id != NOID)
{
int scopeok;
MDB_val edata;
loop_begin:
/* check for abandon */
if ( op->o_abandon ) {
rs->sr_err = SLAPD_ABANDON;
send_ldap_result( op, rs );
goto done;
}
/* mostly needed by internal searches,
* e.g. related to syncrepl, for whom
* abandon does not get set... */
if ( slapd_shutdown ) {
rs->sr_err = LDAP_UNAVAILABLE;
send_ldap_disconnect( op, rs );
goto done;
}
/* check time limit */
if ( op->ors_tlimit != SLAP_NO_LIMIT
&& slap_get_time() > stoptime )
{
rs->sr_err = LDAP_TIMELIMIT_EXCEEDED;
rs->sr_ref = rs->sr_v2ref;
send_ldap_result( op, rs );
rs->sr_err = LDAP_SUCCESS;
goto done;
}
if ( nsubs < ncand ) {
unsigned i;
/* Is this entry in the candidate list? */
scopeok = 0;
if (MDB_IDL_IS_RANGE( candidates )) {
if ( id >= MDB_IDL_RANGE_FIRST( candidates ) &&
id <= MDB_IDL_RANGE_LAST( candidates ))
scopeok = 1;
} else {
i = mdb_idl_search( candidates, id );
if ( candidates[i] == id )
scopeok = 1;
}
if ( scopeok )
goto scopeok;
goto loop_continue;
}
/* Does this candidate actually satisfy the search scope?
*/
scopeok = 0;
isc.numrdns = 0;
switch( op->ors_scope ) {
case LDAP_SCOPE_BASE:
/* This is always true, yes? */
if ( id == base->e_id ) scopeok = 1;
break;
#ifdef LDAP_SCOPE_CHILDREN
case LDAP_SCOPE_CHILDREN:
if ( id == base->e_id ) break;
/* Fall-thru */
#endif
case LDAP_SCOPE_SUBTREE:
if ( id == base->e_id ) {
scopeok = 1;
break;
}
/* Fall-thru */
case LDAP_SCOPE_ONELEVEL:
isc.id = id;
isc.nscope = 0;
rs->sr_err = mdb_idscopes( op, &isc );
if ( rs->sr_err == MDB_SUCCESS ) {
if ( isc.nscope )
scopeok = 1;
} else {
if ( rs->sr_err == MDB_NOTFOUND )
goto notfound;
}
break;
}
/* Not in scope, ignore it */
if ( !scopeok )
{
Debug( LDAP_DEBUG_TRACE,
LDAP_XSTRING(mdb_search)
": %ld scope not okay\n",
(long) id, 0, 0 );
goto loop_continue;
}
scopeok:
if ( id == base->e_id ) {
e = base;
} else {
/* get the entry */
rs->sr_err = mdb_id2edata( op, mci, id, &edata );
if ( rs->sr_err == MDB_NOTFOUND ) {
notfound:
if( nsubs < ncand )
goto loop_continue;
if( !MDB_IDL_IS_RANGE(candidates) ) {
/* only complain for non-range IDLs */
Debug( LDAP_DEBUG_TRACE,
LDAP_XSTRING(mdb_search)
": candidate %ld not found\n",
(long) id, 0, 0 );
} else {
/* get the next ID from the DB */
rs->sr_err = mdb_get_nextid( mci, &cursor );
if ( rs->sr_err == MDB_NOTFOUND ) {
break;
}
if ( rs->sr_err ) {
rs->sr_err = LDAP_OTHER;
rs->sr_text = "internal error in get_nextid";
send_ldap_result( op, rs );
goto done;
}
cursor--;
}
goto loop_continue;
} else if ( rs->sr_err ) {
rs->sr_err = LDAP_OTHER;
rs->sr_text = "internal error in mdb_id2edata";
send_ldap_result( op, rs );
goto done;
}
rs->sr_err = mdb_entry_decode( op, ltid, &edata, &e );
if ( rs->sr_err ) {
rs->sr_err = LDAP_OTHER;
rs->sr_text = "internal error in mdb_entry_decode";
send_ldap_result( op, rs );
goto done;
}
e->e_id = id;
e->e_name.bv_val = NULL;
e->e_nname.bv_val = NULL;
}
if ( is_entry_subentry( e ) ) {
if( op->oq_search.rs_scope != LDAP_SCOPE_BASE ) {
if(!get_subentries_visibility( op )) {
/* only subentries are visible */
goto loop_continue;
}
} else if ( get_subentries( op ) &&
!get_subentries_visibility( op ))
{
/* only subentries are visible */
goto loop_continue;
}
} else if ( get_subentries_visibility( op )) {
/* only subentries are visible */
goto loop_continue;
}
/* aliases were already dereferenced in candidate list */
if ( op->ors_deref & LDAP_DEREF_SEARCHING ) {
/* but if the search base is an alias, and we didn't
* deref it when finding, return it.
*/
if ( is_entry_alias(e) &&
((op->ors_deref & LDAP_DEREF_FINDING) || e != base ))
{
goto loop_continue;
}
}
if ( !manageDSAit && is_entry_glue( e )) {
goto loop_continue;
}
if (e != base) {
struct berval pdn, pndn;
char *d, *n;
int i;
/* child of base, just append RDNs to base->e_name */
if ( nsubs < ncand || isc.scopes[isc.nscope].mid == base->e_id ) {
pdn = base->e_name;
pndn = base->e_nname;
} else {
mdb_id2name( op, ltid, &isc.mc, scopes[isc.nscope].mid, &pdn, &pndn );
}
e->e_name.bv_len = pdn.bv_len;
e->e_nname.bv_len = pndn.bv_len;
for (i=0; i<isc.numrdns; i++) {
e->e_name.bv_len += isc.rdns[i].bv_len + 1;
e->e_nname.bv_len += isc.nrdns[i].bv_len + 1;
}
e->e_name.bv_val = op->o_tmpalloc(e->e_name.bv_len + 1, op->o_tmpmemctx);
e->e_nname.bv_val = op->o_tmpalloc(e->e_nname.bv_len + 1, op->o_tmpmemctx);
d = e->e_name.bv_val;
n = e->e_nname.bv_val;
if (nsubs < ncand) {
/* RDNs are in top-down order */
for (i=isc.numrdns-1; i>=0; i--) {
memcpy(d, isc.rdns[i].bv_val, isc.rdns[i].bv_len);
d += isc.rdns[i].bv_len;
*d++ = ',';
memcpy(n, isc.nrdns[i].bv_val, isc.nrdns[i].bv_len);
n += isc.nrdns[i].bv_len;
*n++ = ',';
}
} else {
/* RDNs are in bottom-up order */
for (i=0; i<isc.numrdns; i++) {
memcpy(d, isc.rdns[i].bv_val, isc.rdns[i].bv_len);
d += isc.rdns[i].bv_len;
*d++ = ',';
memcpy(n, isc.nrdns[i].bv_val, isc.nrdns[i].bv_len);
n += isc.nrdns[i].bv_len;
*n++ = ',';
}
}
if (pdn.bv_len) {
memcpy(d, pdn.bv_val, pdn.bv_len+1);
memcpy(n, pndn.bv_val, pndn.bv_len+1);
} else {
*--d = '\0';
*--n = '\0';
e->e_name.bv_len--;
e->e_nname.bv_len--;
}
if (pndn.bv_val != base->e_nname.bv_val) {
op->o_tmpfree(pndn.bv_val, op->o_tmpmemctx);
op->o_tmpfree(pdn.bv_val, op->o_tmpmemctx);
}
}
/*
* if it's a referral, add it to the list of referrals. only do
* this for non-base searches, and don't check the filter
* explicitly here since it's only a candidate anyway.
*/
if ( !manageDSAit && op->oq_search.rs_scope != LDAP_SCOPE_BASE
&& is_entry_referral( e ) )
{
BerVarray erefs = get_entry_referrals( op, e );
rs->sr_ref = referral_rewrite( erefs, &e->e_name, NULL,
op->oq_search.rs_scope == LDAP_SCOPE_ONELEVEL
? LDAP_SCOPE_BASE : LDAP_SCOPE_SUBTREE );
rs->sr_entry = e;
rs->sr_flags = 0;
send_search_reference( op, rs );
if (e != base)
mdb_entry_return( op, e );
rs->sr_entry = NULL;
e = NULL;
ber_bvarray_free( rs->sr_ref );
ber_bvarray_free( erefs );
rs->sr_ref = NULL;
if ( wwctx.flag ) {
rs->sr_err = mdb_waitfixup( op, &wwctx, mci, mcd );
if ( rs->sr_err ) {
send_ldap_result( op, rs );
goto done;
}
}
goto loop_continue;
}
/* if it matches the filter and scope, send it */
rs->sr_err = test_filter( op, e, op->oq_search.rs_filter );
if ( rs->sr_err == LDAP_COMPARE_TRUE ) {
/* check size limit */
if ( get_pagedresults(op) > SLAP_CONTROL_IGNORED ) {
if ( rs->sr_nentries >= ((PagedResultsState *)op->o_pagedresults_state)->ps_size ) {
mdb_entry_return( op, e );
e = NULL;
send_paged_response( op, rs, &lastid, tentries );
goto done;
}
lastid = id;
}
if (e) {
/* safe default */
rs->sr_attrs = op->oq_search.rs_attrs;
rs->sr_operational_attrs = NULL;
rs->sr_ctrls = NULL;
rs->sr_entry = e;
RS_ASSERT( e->e_private != NULL );
rs->sr_flags = 0;
rs->sr_err = LDAP_SUCCESS;
rs->sr_err = send_search_entry( op, rs );
rs->sr_attrs = NULL;
rs->sr_entry = NULL;
if (e != base)
mdb_entry_return( op, e );
e = NULL;
switch ( rs->sr_err ) {
case LDAP_SUCCESS: /* entry sent ok */
break;
default: /* entry not sent */
break;
case LDAP_BUSY:
send_ldap_result( op, rs );
goto done;
case LDAP_UNAVAILABLE:
case LDAP_SIZELIMIT_EXCEEDED:
if ( rs->sr_err == LDAP_SIZELIMIT_EXCEEDED ) {
rs->sr_ref = rs->sr_v2ref;
send_ldap_result( op, rs );
rs->sr_err = LDAP_SUCCESS;
} else {
rs->sr_err = LDAP_OTHER;
}
goto done;
}
if ( wwctx.flag ) {
rs->sr_err = mdb_waitfixup( op, &wwctx, mci, mcd );
if ( rs->sr_err ) {
send_ldap_result( op, rs );
goto done;
}
}
}
} else {
Debug( LDAP_DEBUG_TRACE,
LDAP_XSTRING(mdb_search)
": %ld does not match filter\n",
(long) id, 0, 0 );
}
loop_continue:
if( e != NULL ) {
if ( e != base )
mdb_entry_return( op, e );
RS_ASSERT( rs->sr_entry == NULL );
e = NULL;
rs->sr_entry = NULL;
}
if ( nsubs < ncand ) {
int rc = mdb_dn2id_walk( op, &isc );
if (rc) {
id = NOID;
/* We got to the end of a subtree. If there are any
* alias scopes left, search them too.
*/
while (iscopes[0] && cscope < iscopes[0]) {
cscope++;
isc.id = iscopes[cscope];
if ( base )
mdb_entry_return( op, base );
rs->sr_err = mdb_id2entry(op, mci, isc.id, &base);
if ( !rs->sr_err ) {
mdb_id2name( op, ltid, &isc.mc, isc.id, &base->e_name, &base->e_nname );
isc.numrdns = 0;
if (isc.oscope == LDAP_SCOPE_ONELEVEL)
isc.oscope = LDAP_SCOPE_BASE;
rc = mdb_dn2id_walk( op, &isc );
if ( !rc ) {
id = isc.id;
break;
}
}
}
} else
id = isc.id;
} else {
id = mdb_idl_next( candidates, &cursor );
}
}
nochange:
rs->sr_ctrls = NULL;
rs->sr_ref = rs->sr_v2ref;
rs->sr_err = (rs->sr_v2ref == NULL) ? LDAP_SUCCESS : LDAP_REFERRAL;
rs->sr_rspoid = NULL;
if ( get_pagedresults(op) > SLAP_CONTROL_IGNORED ) {
send_paged_response( op, rs, NULL, 0 );
} else {
send_ldap_result( op, rs );
}
rs->sr_err = LDAP_SUCCESS;
done:
if ( cb.sc_private ) {
/* remove our writewait callback */
slap_callback **scp = &op->o_callback;
while ( *scp ) {
if ( *scp == &cb ) {
*scp = cb.sc_next;
cb.sc_private = NULL;
break;
}
}
}
mdb_cursor_close( mcd );
mdb_cursor_close( mci );
if ( moi == &opinfo ) {
mdb_txn_reset( moi->moi_txn );
LDAP_SLIST_REMOVE( &op->o_extra, &moi->moi_oe, OpExtra, oe_next );
} else {
moi->moi_ref--;
}
if( rs->sr_v2ref ) {
ber_bvarray_free( rs->sr_v2ref );
rs->sr_v2ref = NULL;
}
if (base)
mdb_entry_return( op, base );
scope_chunk_ret( op, scopes );
return rs->sr_err;
}
static int
aa_operational( Operation *op, SlapReply *rs )
{
Attribute *a, **ap;
AccessControlState acl_state = ACL_STATE_INIT;
struct berval *v;
AttributeType **atp = NULL;
ObjectClass **ocp = NULL;
#define GOT_NONE (0x0U)
#define GOT_C (0x1U)
#define GOT_CE (0x2U)
#define GOT_A (0x4U)
#define GOT_AE (0x8U)
#define GOT_ALL (GOT_C|GOT_CE|GOT_A|GOT_AE)
int got = GOT_NONE;
/* only add if requested */
if ( SLAP_OPATTRS( rs->sr_attr_flags ) ) {
got = GOT_ALL;
} else {
if ( ad_inlist( ad_allowedChildClasses, rs->sr_attrs ) ) {
got |= GOT_C;
}
if ( ad_inlist( ad_allowedChildClassesEffective, rs->sr_attrs ) ) {
got |= GOT_CE;
}
if ( ad_inlist( ad_allowedAttributes, rs->sr_attrs ) ) {
got |= GOT_A;
}
if ( ad_inlist( ad_allowedAttributesEffective, rs->sr_attrs ) ) {
got |= GOT_AE;
}
}
if ( got == GOT_NONE ) {
return SLAP_CB_CONTINUE;
}
/* shouldn't be called without an entry; please check */
assert( rs->sr_entry != NULL );
for ( ap = &rs->sr_operational_attrs; *ap != NULL; ap = &(*ap)->a_next )
/* go to last */ ;
/* see caveats; this is not guaranteed for all backends */
a = attr_find( rs->sr_entry->e_attrs, slap_schema.si_ad_objectClass );
if ( a == NULL ) {
goto do_oc;
}
/* if client has no access to objectClass attribute; don't compute */
if ( !access_allowed( op, rs->sr_entry, slap_schema.si_ad_objectClass,
NULL, ACL_READ, &acl_state ) )
{
return SLAP_CB_CONTINUE;
}
for ( v = a->a_nvals; !BER_BVISNULL( v ); v++ ) {
ObjectClass *oc = oc_bvfind( v );
assert( oc != NULL );
/* if client has no access to specific value, don't compute */
if ( !access_allowed( op, rs->sr_entry,
slap_schema.si_ad_objectClass,
&oc->soc_cname, ACL_READ, &acl_state ) )
{
continue;
}
aa_add_oc( oc, &ocp, &atp );
if ( oc->soc_sups ) {
int i;
for ( i = 0; oc->soc_sups[ i ] != NULL; i++ ) {
aa_add_oc( oc->soc_sups[ i ], &ocp, &atp );
}
}
}
ch_free( ocp );
if ( atp != NULL ) {
BerVarray bv_allowed = NULL,
bv_effective = NULL;
int i, ja = 0, je = 0;
for ( i = 0; atp[ i ] != NULL; i++ )
/* just count */ ;
if ( got & GOT_A ) {
bv_allowed = ber_memalloc( sizeof( struct berval ) * ( i + 1 ) );
}
if ( got & GOT_AE ) {
bv_effective = ber_memalloc( sizeof( struct berval ) * ( i + 1 ) );
}
for ( i = 0, ja = 0, je = 0; atp[ i ] != NULL; i++ ) {
if ( got & GOT_A ) {
ber_dupbv( &bv_allowed[ ja ], &atp[ i ]->sat_cname );
ja++;
}
if ( got & GOT_AE ) {
AttributeDescription *ad = NULL;
const char *text = NULL;
if ( slap_bv2ad( &atp[ i ]->sat_cname, &ad, &text ) ) {
/* log? */
continue;
}
if ( access_allowed( op, rs->sr_entry,
ad, NULL, ACL_WRITE, NULL ) )
{
ber_dupbv( &bv_effective[ je ], &atp[ i ]->sat_cname );
je++;
}
}
}
ch_free( atp );
if ( ( got & GOT_A ) && ja > 0 ) {
BER_BVZERO( &bv_allowed[ ja ] );
*ap = attr_alloc( ad_allowedAttributes );
(*ap)->a_vals = bv_allowed;
(*ap)->a_nvals = bv_allowed;
(*ap)->a_numvals = ja;
ap = &(*ap)->a_next;
}
if ( ( got & GOT_AE ) && je > 0 ) {
BER_BVZERO( &bv_effective[ je ] );
*ap = attr_alloc( ad_allowedAttributesEffective );
(*ap)->a_vals = bv_effective;
(*ap)->a_nvals = bv_effective;
(*ap)->a_numvals = je;
ap = &(*ap)->a_next;
}
*ap = NULL;
}
do_oc:;
if ( ( got & GOT_C ) || ( got & GOT_CE ) ) {
BerVarray bv_allowed = NULL,
bv_effective = NULL;
int i, ja = 0, je = 0;
ObjectClass *oc;
for ( oc_start( &oc ); oc != NULL; oc_next( &oc ) ) {
/* we can only add AUXILIARY objectClasses */
if ( oc->soc_kind != LDAP_SCHEMA_AUXILIARY ) {
continue;
}
i++;
}
if ( got & GOT_C ) {
bv_allowed = ber_memalloc( sizeof( struct berval ) * ( i + 1 ) );
}
if ( got & GOT_CE ) {
bv_effective = ber_memalloc( sizeof( struct berval ) * ( i + 1 ) );
}
for ( oc_start( &oc ); oc != NULL; oc_next( &oc ) ) {
/* we can only add AUXILIARY objectClasses */
if ( oc->soc_kind != LDAP_SCHEMA_AUXILIARY ) {
continue;
}
if ( got & GOT_C ) {
ber_dupbv( &bv_allowed[ ja ], &oc->soc_cname );
ja++;
}
if ( got & GOT_CE ) {
if ( !access_allowed( op, rs->sr_entry,
slap_schema.si_ad_objectClass,
&oc->soc_cname, ACL_WRITE, NULL ) )
{
goto done_ce;
}
if ( oc->soc_required ) {
for ( i = 0; oc->soc_required[ i ] != NULL; i++ ) {
AttributeDescription *ad = NULL;
const char *text = NULL;
if ( slap_bv2ad( &oc->soc_required[ i ]->sat_cname, &ad, &text ) ) {
/* log? */
continue;
}
if ( !access_allowed( op, rs->sr_entry,
ad, NULL, ACL_WRITE, NULL ) )
{
goto done_ce;
}
}
}
ber_dupbv( &bv_effective[ je ], &oc->soc_cname );
je++;
}
done_ce:;
}
if ( ( got & GOT_C ) && ja > 0 ) {
BER_BVZERO( &bv_allowed[ ja ] );
*ap = attr_alloc( ad_allowedChildClasses );
(*ap)->a_vals = bv_allowed;
(*ap)->a_nvals = bv_allowed;
(*ap)->a_numvals = ja;
ap = &(*ap)->a_next;
}
if ( ( got & GOT_CE ) && je > 0 ) {
BER_BVZERO( &bv_effective[ je ] );
*ap = attr_alloc( ad_allowedChildClassesEffective );
(*ap)->a_vals = bv_effective;
(*ap)->a_nvals = bv_effective;
(*ap)->a_numvals = je;
ap = &(*ap)->a_next;
}
*ap = NULL;
}
return SLAP_CB_CONTINUE;
}
int
fe_op_compare( Operation *op, SlapReply *rs )
{
Entry *entry = NULL;
AttributeAssertion *ava = op->orc_ava;
BackendDB *bd = op->o_bd;
if( strcasecmp( op->o_req_ndn.bv_val, LDAP_ROOT_DSE ) == 0 ) {
if( backend_check_restrictions( op, rs, NULL ) != LDAP_SUCCESS ) {
send_ldap_result( op, rs );
goto cleanup;
}
rs->sr_err = root_dse_info( op->o_conn, &entry, &rs->sr_text );
if( rs->sr_err != LDAP_SUCCESS ) {
send_ldap_result( op, rs );
goto cleanup;
}
} else if ( bvmatch( &op->o_req_ndn, &frontendDB->be_schemandn ) ) {
if( backend_check_restrictions( op, rs, NULL ) != LDAP_SUCCESS ) {
send_ldap_result( op, rs );
rs->sr_err = 0;
goto cleanup;
}
rs->sr_err = schema_info( &entry, &rs->sr_text );
if( rs->sr_err != LDAP_SUCCESS ) {
send_ldap_result( op, rs );
rs->sr_err = 0;
goto cleanup;
}
}
if( entry ) {
rs->sr_err = slap_compare_entry( op, entry, ava );
entry_free( entry );
send_ldap_result( op, rs );
if( rs->sr_err == LDAP_COMPARE_TRUE ||
rs->sr_err == LDAP_COMPARE_FALSE )
{
rs->sr_err = LDAP_SUCCESS;
}
goto cleanup;
}
/*
* We could be serving multiple database backends. Select the
* appropriate one, or send a referral to our "referral server"
* if we don't hold it.
*/
op->o_bd = select_backend( &op->o_req_ndn, 0 );
if ( op->o_bd == NULL ) {
rs->sr_ref = referral_rewrite( default_referral,
NULL, &op->o_req_dn, LDAP_SCOPE_DEFAULT );
rs->sr_err = LDAP_REFERRAL;
if (!rs->sr_ref) rs->sr_ref = default_referral;
op->o_bd = bd;
send_ldap_result( op, rs );
if (rs->sr_ref != default_referral) ber_bvarray_free( rs->sr_ref );
rs->sr_err = 0;
goto cleanup;
}
/* check restrictions */
if( backend_check_restrictions( op, rs, NULL ) != LDAP_SUCCESS ) {
send_ldap_result( op, rs );
goto cleanup;
}
/* check for referrals */
if( backend_check_referrals( op, rs ) != LDAP_SUCCESS ) {
goto cleanup;
}
if ( SLAP_SHADOW(op->o_bd) && get_dontUseCopy(op) ) {
/* don't use shadow copy */
send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
"copy not used" );
} else if ( ava->aa_desc == slap_schema.si_ad_entryDN ) {
send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
"entryDN compare not supported" );
} else if ( ava->aa_desc == slap_schema.si_ad_subschemaSubentry ) {
send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
"subschemaSubentry compare not supported" );
#ifndef SLAP_COMPARE_IN_FRONTEND
} else if ( ava->aa_desc == slap_schema.si_ad_hasSubordinates
&& op->o_bd->be_has_subordinates )
{
int rc, hasSubordinates = LDAP_SUCCESS;
rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &entry );
if ( rc == 0 && entry ) {
if ( ! access_allowed( op, entry,
ava->aa_desc, &ava->aa_value, ACL_COMPARE, NULL ) )
{
rc = rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
} else {
rc = rs->sr_err = op->o_bd->be_has_subordinates( op,
entry, &hasSubordinates );
be_entry_release_r( op, entry );
}
}
if ( rc == 0 ) {
int asserted;
asserted = bvmatch( &ava->aa_value, &slap_true_bv )
? LDAP_COMPARE_TRUE : LDAP_COMPARE_FALSE;
if ( hasSubordinates == asserted ) {
rs->sr_err = LDAP_COMPARE_TRUE;
} else {
rs->sr_err = LDAP_COMPARE_FALSE;
}
} else {
/* return error only if "disclose"
* is granted on the object */
if ( backend_access( op, NULL, &op->o_req_ndn,
slap_schema.si_ad_entry,
NULL, ACL_DISCLOSE, NULL ) == LDAP_INSUFFICIENT_ACCESS )
{
rs->sr_err = LDAP_NO_SUCH_OBJECT;
}
}
send_ldap_result( op, rs );
if ( rc == 0 ) {
rs->sr_err = LDAP_SUCCESS;
}
} else if ( op->o_bd->be_compare ) {
rs->sr_err = op->o_bd->be_compare( op, rs );
#endif /* ! SLAP_COMPARE_IN_FRONTEND */
} else {
rs->sr_err = SLAP_CB_CONTINUE;
}
if ( rs->sr_err == SLAP_CB_CONTINUE ) {
/* do our best to compare that AVA
*
* NOTE: this code is used only
* if SLAP_COMPARE_IN_FRONTEND
* is #define'd (it's not by default)
* or if op->o_bd->be_compare is NULL.
*
* FIXME: one potential issue is that
* if SLAP_COMPARE_IN_FRONTEND overlays
* are not executed for compare. */
BerVarray vals = NULL;
int rc = LDAP_OTHER;
rs->sr_err = backend_attribute( op, NULL, &op->o_req_ndn,
ava->aa_desc, &vals, ACL_COMPARE );
switch ( rs->sr_err ) {
default:
/* return error only if "disclose"
* is granted on the object */
if ( backend_access( op, NULL, &op->o_req_ndn,
slap_schema.si_ad_entry,
NULL, ACL_DISCLOSE, NULL )
== LDAP_INSUFFICIENT_ACCESS )
{
rs->sr_err = LDAP_NO_SUCH_OBJECT;
}
break;
case LDAP_SUCCESS:
if ( value_find_ex( op->oq_compare.rs_ava->aa_desc,
SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
vals, &ava->aa_value, op->o_tmpmemctx ) == 0 )
{
rs->sr_err = LDAP_COMPARE_TRUE;
break;
} else {
rs->sr_err = LDAP_COMPARE_FALSE;
}
rc = LDAP_SUCCESS;
break;
}
send_ldap_result( op, rs );
if ( rc == 0 ) {
rs->sr_err = LDAP_SUCCESS;
}
if ( vals ) {
ber_bvarray_free_x( vals, op->o_tmpmemctx );
}
}
cleanup:;
op->o_bd = bd;
return rs->sr_err;
}
int
bdb_compare( Operation *op, SlapReply *rs )
{
struct bdb_info *bdb = (struct bdb_info *) op->o_bd->be_private;
Entry *e = NULL;
EntryInfo *ei;
int manageDSAit = get_manageDSAit( op );
DB_TXN *rtxn;
DB_LOCK lock;
rs->sr_err = bdb_reader_get(op, bdb->bi_dbenv, &rtxn);
switch(rs->sr_err) {
case 0:
break;
default:
send_ldap_error( op, rs, LDAP_OTHER, "internal error" );
return rs->sr_err;
}
dn2entry_retry:
/* get entry */
rs->sr_err = bdb_dn2entry( op, rtxn, &op->o_req_ndn, &ei, 1,
&lock );
switch( rs->sr_err ) {
case DB_NOTFOUND:
case 0:
break;
case LDAP_BUSY:
rs->sr_text = "ldap server busy";
goto return_results;
case DB_LOCK_DEADLOCK:
case DB_LOCK_NOTGRANTED:
goto dn2entry_retry;
default:
rs->sr_err = LDAP_OTHER;
rs->sr_text = "internal error";
goto return_results;
}
e = ei->bei_e;
if ( rs->sr_err == DB_NOTFOUND ) {
if ( e != NULL ) {
/* return referral only if "disclose" is granted on the object */
if ( ! access_allowed( op, e, slap_schema.si_ad_entry,
NULL, ACL_DISCLOSE, NULL ) )
{
rs->sr_err = LDAP_NO_SUCH_OBJECT;
} else {
rs->sr_matched = ch_strdup( e->e_dn );
rs->sr_ref = is_entry_referral( e )
? get_entry_referrals( op, e )
: NULL;
rs->sr_err = LDAP_REFERRAL;
}
bdb_cache_return_entry_r( bdb, e, &lock );
e = NULL;
} else {
rs->sr_ref = referral_rewrite( default_referral,
NULL, &op->o_req_dn, LDAP_SCOPE_DEFAULT );
rs->sr_err = rs->sr_ref ? LDAP_REFERRAL : LDAP_NO_SUCH_OBJECT;
}
send_ldap_result( op, rs );
ber_bvarray_free( rs->sr_ref );
free( (char *)rs->sr_matched );
rs->sr_ref = NULL;
rs->sr_matched = NULL;
goto done;
}
if (!manageDSAit && is_entry_referral( e ) ) {
/* return referral only if "disclose" is granted on the object */
if ( !access_allowed( op, e, slap_schema.si_ad_entry,
NULL, ACL_DISCLOSE, NULL ) )
{
rs->sr_err = LDAP_NO_SUCH_OBJECT;
} else {
/* entry is a referral, don't allow compare */
rs->sr_ref = get_entry_referrals( op, e );
rs->sr_err = LDAP_REFERRAL;
rs->sr_matched = e->e_name.bv_val;
}
Debug( LDAP_DEBUG_TRACE, "entry is referral\n", 0, 0, 0 );
send_ldap_result( op, rs );
ber_bvarray_free( rs->sr_ref );
rs->sr_ref = NULL;
rs->sr_matched = NULL;
goto done;
}
rs->sr_err = slap_compare_entry( op, e, op->orc_ava );
return_results:
send_ldap_result( op, rs );
switch ( rs->sr_err ) {
case LDAP_COMPARE_FALSE:
case LDAP_COMPARE_TRUE:
rs->sr_err = LDAP_SUCCESS;
break;
}
done:
/* free entry */
if ( e != NULL ) {
bdb_cache_return_entry_r( bdb, e, &lock );
}
return rs->sr_err;
}
static int test_mra_filter(
Operation *op,
Entry *e,
MatchingRuleAssertion *mra )
{
Attribute *a;
void *memctx;
BER_MEMFREE_FN *memfree;
#ifdef LDAP_COMP_MATCH
int i, num_attr_vals = 0;
#endif
if ( op == NULL ) {
memctx = NULL;
memfree = slap_sl_free;
} else {
memctx = op->o_tmpmemctx;
memfree = op->o_tmpfree;
}
if ( mra->ma_desc ) {
/*
* if ma_desc is available, then we're filtering for
* one attribute, and SEARCH permissions can be checked
* directly.
*/
if ( !access_allowed( op, e,
mra->ma_desc, &mra->ma_value, ACL_SEARCH, NULL ) )
{
return LDAP_INSUFFICIENT_ACCESS;
}
if ( mra->ma_desc == slap_schema.si_ad_entryDN ) {
int ret, rc;
const char *text;
rc = value_match( &ret, slap_schema.si_ad_entryDN, mra->ma_rule,
SLAP_MR_EXT, &e->e_nname, &mra->ma_value, &text );
if( rc != LDAP_SUCCESS ) return rc;
if ( ret == 0 ) return LDAP_COMPARE_TRUE;
return LDAP_COMPARE_FALSE;
}
for ( a = attrs_find( e->e_attrs, mra->ma_desc );
a != NULL;
a = attrs_find( a->a_next, mra->ma_desc ) )
{
struct berval *bv;
int normalize_attribute = 0;
#ifdef LDAP_COMP_MATCH
/* Component Matching */
if ( mra->ma_cf && mra->ma_rule->smr_usage & SLAP_MR_COMPONENT ) {
num_attr_vals = 0;
if ( !a->a_comp_data ) {
num_attr_vals = a->a_numvals;
if ( num_attr_vals <= 0 ) {
/* no attribute value */
return LDAP_INAPPROPRIATE_MATCHING;
}
num_attr_vals++;
/* following malloced will be freed by comp_tree_free () */
a->a_comp_data = SLAP_MALLOC( sizeof( ComponentData ) +
sizeof( ComponentSyntaxInfo* )*num_attr_vals );
if ( !a->a_comp_data ) return LDAP_NO_MEMORY;
a->a_comp_data->cd_tree = (ComponentSyntaxInfo**)
((char*)a->a_comp_data + sizeof(ComponentData));
a->a_comp_data->cd_tree[num_attr_vals - 1] =
(ComponentSyntaxInfo*) NULL;
a->a_comp_data->cd_mem_op =
nibble_mem_allocator( 1024*16, 1024 );
}
}
#endif
/* If ma_rule is not the same as the attribute's
* normal rule, then we can't use the a_nvals.
*/
if ( mra->ma_rule == a->a_desc->ad_type->sat_equality ) {
bv = a->a_nvals;
} else {
bv = a->a_vals;
normalize_attribute = 1;
}
#ifdef LDAP_COMP_MATCH
i = 0;
#endif
for ( ; !BER_BVISNULL( bv ); bv++ ) {
int ret;
int rc;
const char *text;
#ifdef LDAP_COMP_MATCH
if ( mra->ma_cf &&
mra->ma_rule->smr_usage & SLAP_MR_COMPONENT )
{
/* Check if decoded component trees are already linked */
if ( num_attr_vals ) {
a->a_comp_data->cd_tree[i] = attr_converter(
a, a->a_desc->ad_type->sat_syntax, bv );
}
/* decoding error */
if ( !a->a_comp_data->cd_tree[i] ) {
return LDAP_OPERATIONS_ERROR;
}
rc = value_match( &ret, a->a_desc, mra->ma_rule,
SLAP_MR_COMPONENT,
(struct berval*)a->a_comp_data->cd_tree[i++],
(void*)mra, &text );
} else
#endif
{
struct berval nbv = BER_BVNULL;
if ( normalize_attribute && mra->ma_rule->smr_normalize ) {
/*
Document: RFC 4511
4.5.1. Search Request
...
If the type field is present and the matchingRule is present,
the matchValue is compared against entry attributes of the
specified type. In this case, the matchingRule MUST be one
suitable for use with the specified type (see [RFC4517]),
otherwise the filter item is Undefined.
In this case, since the matchingRule requires the assertion
value to be normalized, we normalize the attribute value
according to the syntax of the matchingRule.
This should likely be done inside value_match(), by passing
the appropriate flags, but this is not done at present.
See ITS#3406.
*/
if ( mra->ma_rule->smr_normalize(
SLAP_MR_VALUE_OF_ATTRIBUTE_SYNTAX,
mra->ma_rule->smr_syntax,
mra->ma_rule,
bv, &nbv, memctx ) != LDAP_SUCCESS )
{
/* FIXME: stop processing? */
continue;
}
} else {
nbv = *bv;
}
rc = value_match( &ret, a->a_desc, mra->ma_rule,
SLAP_MR_EXT, &nbv, &mra->ma_value, &text );
if ( nbv.bv_val != bv->bv_val ) {
memfree( nbv.bv_val, memctx );
}
}
if ( rc != LDAP_SUCCESS ) return rc;
if ( ret == 0 ) return LDAP_COMPARE_TRUE;
}
}
} else {
/*
* No attribute description: test all
*/
for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
struct berval *bv, value;
const char *text = NULL;
int rc;
int normalize_attribute = 0;
/* check if matching is appropriate */
if ( !mr_usable_with_at( mra->ma_rule, a->a_desc->ad_type ) ) {
continue;
}
/* normalize for equality */
rc = asserted_value_validate_normalize( a->a_desc, mra->ma_rule,
SLAP_MR_EXT|SLAP_MR_VALUE_OF_ASSERTION_SYNTAX,
&mra->ma_value, &value, &text, memctx );
if ( rc != LDAP_SUCCESS ) continue;
/* check search access */
if ( !access_allowed( op, e,
a->a_desc, &value, ACL_SEARCH, NULL ) )
{
memfree( value.bv_val, memctx );
continue;
}
#ifdef LDAP_COMP_MATCH
/* Component Matching */
if ( mra->ma_cf &&
mra->ma_rule->smr_usage & SLAP_MR_COMPONENT )
{
int ret;
rc = value_match( &ret, a->a_desc, mra->ma_rule,
SLAP_MR_COMPONENT,
(struct berval*)a, (void*)mra, &text );
if ( rc != LDAP_SUCCESS ) break;
if ( ret == 0 ) {
rc = LDAP_COMPARE_TRUE;
break;
}
}
#endif
/* check match */
if ( mra->ma_rule == a->a_desc->ad_type->sat_equality ) {
bv = a->a_nvals;
} else {
bv = a->a_vals;
normalize_attribute = 1;
}
for ( ; !BER_BVISNULL( bv ); bv++ ) {
int ret;
struct berval nbv = BER_BVNULL;
if ( normalize_attribute && mra->ma_rule->smr_normalize ) {
/* see comment above */
if ( mra->ma_rule->smr_normalize(
SLAP_MR_VALUE_OF_ATTRIBUTE_SYNTAX,
mra->ma_rule->smr_syntax,
mra->ma_rule,
bv, &nbv, memctx ) != LDAP_SUCCESS )
{
/* FIXME: stop processing? */
continue;
}
} else {
nbv = *bv;
}
rc = value_match( &ret, a->a_desc, mra->ma_rule,
SLAP_MR_EXT, &nbv, &value, &text );
if ( nbv.bv_val != bv->bv_val ) {
memfree( nbv.bv_val, memctx );
}
if ( rc != LDAP_SUCCESS ) break;
if ( ret == 0 ) {
rc = LDAP_COMPARE_TRUE;
break;
}
}
memfree( value.bv_val, memctx );
if ( rc != LDAP_SUCCESS ) return rc;
}
}
/* check attrs in DN AVAs if required */
if ( mra->ma_dnattrs && !BER_BVISEMPTY( &e->e_nname ) ) {
LDAPDN dn = NULL;
int iRDN, iAVA;
int rc;
/* parse and pretty the dn */
rc = dnPrettyDN( NULL, &e->e_name, &dn, memctx );
if ( rc != LDAP_SUCCESS ) {
return LDAP_INVALID_SYNTAX;
}
/* for each AVA of each RDN ... */
for ( iRDN = 0; dn[ iRDN ]; iRDN++ ) {
LDAPRDN rdn = dn[ iRDN ];
for ( iAVA = 0; rdn[ iAVA ]; iAVA++ ) {
LDAPAVA *ava = rdn[ iAVA ];
struct berval *bv = &ava->la_value,
value = BER_BVNULL,
nbv = BER_BVNULL;
AttributeDescription *ad =
(AttributeDescription *)ava->la_private;
int ret;
const char *text;
assert( ad != NULL );
if ( mra->ma_desc ) {
/* have a mra type? check for subtype */
if ( !is_ad_subtype( ad, mra->ma_desc ) ) {
continue;
}
value = mra->ma_value;
} else {
const char *text = NULL;
/* check if matching is appropriate */
if ( !mr_usable_with_at( mra->ma_rule, ad->ad_type ) ) {
continue;
}
/* normalize for equality */
rc = asserted_value_validate_normalize( ad,
mra->ma_rule,
SLAP_MR_EXT|SLAP_MR_VALUE_OF_ASSERTION_SYNTAX,
&mra->ma_value, &value, &text, memctx );
if ( rc != LDAP_SUCCESS ) continue;
/* check search access */
if ( !access_allowed( op, e,
ad, &value, ACL_SEARCH, NULL ) )
{
memfree( value.bv_val, memctx );
continue;
}
}
if ( mra->ma_rule->smr_normalize ) {
/* see comment above */
if ( mra->ma_rule->smr_normalize(
SLAP_MR_VALUE_OF_ATTRIBUTE_SYNTAX,
mra->ma_rule->smr_syntax,
mra->ma_rule,
bv, &nbv, memctx ) != LDAP_SUCCESS )
{
/* FIXME: stop processing? */
rc = LDAP_SUCCESS;
ret = -1;
goto cleanup;
}
} else {
nbv = *bv;
}
/* check match */
rc = value_match( &ret, ad, mra->ma_rule, SLAP_MR_EXT,
&nbv, &value, &text );
cleanup:;
if ( !BER_BVISNULL( &value ) && value.bv_val != mra->ma_value.bv_val ) {
memfree( value.bv_val, memctx );
}
if ( !BER_BVISNULL( &nbv ) && nbv.bv_val != bv->bv_val ) {
memfree( nbv.bv_val, memctx );
}
if ( rc == LDAP_SUCCESS && ret == 0 ) rc = LDAP_COMPARE_TRUE;
if ( rc != LDAP_SUCCESS ) {
ldap_dnfree_x( dn, memctx );
return rc;
}
}
}
ldap_dnfree_x( dn, memctx );
}
return LDAP_COMPARE_FALSE;
}
static int
test_ava_filter(
Operation *op,
Entry *e,
AttributeAssertion *ava,
int type )
{
int rc;
Attribute *a;
#ifdef LDAP_COMP_MATCH
int i, num_attr_vals = 0;
AttributeAliasing *a_alias = NULL;
#endif
if ( !access_allowed( op, e,
ava->aa_desc, &ava->aa_value, ACL_SEARCH, NULL ) )
{
return LDAP_INSUFFICIENT_ACCESS;
}
if ( ava->aa_desc == slap_schema.si_ad_hasSubordinates
&& op && op->o_bd && op->o_bd->be_has_subordinates )
{
int hasSubordinates;
struct berval hs;
if( type != LDAP_FILTER_EQUALITY &&
type != LDAP_FILTER_APPROX )
{
/* No other match is allowed */
return LDAP_INAPPROPRIATE_MATCHING;
}
if ( op->o_bd->be_has_subordinates( op, e, &hasSubordinates ) !=
LDAP_SUCCESS )
{
return LDAP_OTHER;
}
if ( hasSubordinates == LDAP_COMPARE_TRUE ) {
hs = slap_true_bv;
} else if ( hasSubordinates == LDAP_COMPARE_FALSE ) {
hs = slap_false_bv;
} else {
return LDAP_OTHER;
}
if ( bvmatch( &ava->aa_value, &hs ) ) return LDAP_COMPARE_TRUE;
return LDAP_COMPARE_FALSE;
}
if ( ava->aa_desc == slap_schema.si_ad_entryDN ) {
MatchingRule *mr;
int match;
const char *text;
if( type != LDAP_FILTER_EQUALITY &&
type != LDAP_FILTER_APPROX )
{
/* No other match is allowed */
return LDAP_INAPPROPRIATE_MATCHING;
}
mr = slap_schema.si_ad_entryDN->ad_type->sat_equality;
assert( mr != NULL );
rc = value_match( &match, slap_schema.si_ad_entryDN, mr,
SLAP_MR_EXT, &e->e_nname, &ava->aa_value, &text );
if( rc != LDAP_SUCCESS ) return rc;
if( match == 0 ) return LDAP_COMPARE_TRUE;
return LDAP_COMPARE_FALSE;
}
rc = LDAP_COMPARE_FALSE;
#ifdef LDAP_COMP_MATCH
if ( is_aliased_attribute && ava->aa_cf )
{
a_alias = is_aliased_attribute ( ava->aa_desc );
if ( a_alias )
ava->aa_desc = a_alias->aa_aliased_ad;
else
ava->aa_cf = NULL;
}
#endif
for(a = attrs_find( e->e_attrs, ava->aa_desc );
a != NULL;
a = attrs_find( a->a_next, ava->aa_desc ) )
{
int use;
MatchingRule *mr;
struct berval *bv;
if (( ava->aa_desc != a->a_desc ) && !access_allowed( op,
e, a->a_desc, &ava->aa_value, ACL_SEARCH, NULL ))
{
rc = LDAP_INSUFFICIENT_ACCESS;
continue;
}
use = SLAP_MR_EQUALITY;
switch ( type ) {
case LDAP_FILTER_APPROX:
use = SLAP_MR_EQUALITY_APPROX;
mr = a->a_desc->ad_type->sat_approx;
if( mr != NULL ) break;
/* fallthru: use EQUALITY matching rule if no APPROX rule */
case LDAP_FILTER_EQUALITY:
/* use variable set above so fall thru use is not clobbered */
mr = a->a_desc->ad_type->sat_equality;
break;
case LDAP_FILTER_GE:
case LDAP_FILTER_LE:
use = SLAP_MR_ORDERING;
mr = a->a_desc->ad_type->sat_ordering;
break;
default:
mr = NULL;
}
if( mr == NULL ) {
rc = LDAP_INAPPROPRIATE_MATCHING;
continue;
}
/* We have no Sort optimization for Approx matches */
if (( a->a_flags & SLAP_ATTR_SORTED_VALS ) && type != LDAP_FILTER_APPROX ) {
unsigned slot;
int ret;
/* For Ordering matches, we just need to do one comparison with
* either the first (least) or last (greatest) value.
*/
if ( use == SLAP_MR_ORDERING ) {
const char *text;
int match, which;
which = (type == LDAP_FILTER_LE) ? 0 : a->a_numvals-1;
ret = value_match( &match, a->a_desc, mr, use,
&a->a_nvals[which], &ava->aa_value, &text );
if ( ret != LDAP_SUCCESS ) return ret;
if (( type == LDAP_FILTER_LE && match <= 0 ) ||
( type == LDAP_FILTER_GE && match >= 0 ))
return LDAP_COMPARE_TRUE;
continue;
}
/* Only Equality will get here */
ret = attr_valfind( a, use | SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH |
SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH,
&ava->aa_value, &slot, NULL );
if ( ret == LDAP_SUCCESS )
return LDAP_COMPARE_TRUE;
else if ( ret != LDAP_NO_SUCH_ATTRIBUTE )
return ret;
#if 0
/* The following is useful if we want to know which values
* matched an ordering test. But here we don't care, we just
* want to know if any value did, and that is checked above.
*/
if ( ret == LDAP_NO_SUCH_ATTRIBUTE ) {
/* If insertion point is not the end of the list, there was
* at least one value greater than the assertion.
*/
if ( type == LDAP_FILTER_GE && slot < a->a_numvals )
return LDAP_COMPARE_TRUE;
/* Likewise, if insertion point is not the head of the list,
* there was at least one value less than the assertion.
*/
if ( type == LDAP_FILTER_LE && slot > 0 )
return LDAP_COMPARE_TRUE;
return LDAP_COMPARE_FALSE;
}
#endif
continue;
}
#ifdef LDAP_COMP_MATCH
if ( nibble_mem_allocator && ava->aa_cf && !a->a_comp_data ) {
/* Component Matching */
for ( num_attr_vals = 0; a->a_vals[num_attr_vals].bv_val != NULL; num_attr_vals++ );
if ( num_attr_vals <= 0 )/* no attribute value */
return LDAP_INAPPROPRIATE_MATCHING;
num_attr_vals++;/* for NULL termination */
/* following malloced will be freed by comp_tree_free () */
a->a_comp_data = SLAP_MALLOC( sizeof( ComponentData ) + sizeof( ComponentSyntaxInfo* )*num_attr_vals );
if ( !a->a_comp_data ) {
return LDAP_NO_MEMORY;
}
a->a_comp_data->cd_tree = (ComponentSyntaxInfo**)((char*)a->a_comp_data + sizeof(ComponentData));
i = num_attr_vals;
for ( ; i ; i-- ) {
a->a_comp_data->cd_tree[ i-1 ] = (ComponentSyntaxInfo*)NULL;
}
a->a_comp_data->cd_mem_op = nibble_mem_allocator ( 1024*10*(num_attr_vals-1), 1024 );
if ( a->a_comp_data->cd_mem_op == NULL ) {
free ( a->a_comp_data );
a->a_comp_data = NULL;
return LDAP_OPERATIONS_ERROR;
}
}
i = 0;
#endif
for ( bv = a->a_nvals; !BER_BVISNULL( bv ); bv++ ) {
int ret, match;
const char *text;
#ifdef LDAP_COMP_MATCH
if( attr_converter && ava->aa_cf && a->a_comp_data ) {
/* Check if decoded component trees are already linked */
struct berval cf_bv = { 20, "componentFilterMatch" };
MatchingRule* cf_mr = mr_bvfind( &cf_bv );
MatchingRuleAssertion mra;
mra.ma_cf = ava->aa_cf;
if ( a->a_comp_data->cd_tree[i] == NULL )
a->a_comp_data->cd_tree[i] = attr_converter (a, a->a_desc->ad_type->sat_syntax, (a->a_vals + i));
/* decoding error */
if ( !a->a_comp_data->cd_tree[i] ) {
free_ComponentData ( a );
return LDAP_OPERATIONS_ERROR;
}
ret = value_match( &match, a->a_desc, cf_mr,
SLAP_MR_COMPONENT,
(struct berval*)a->a_comp_data->cd_tree[i++],
(void*)&mra, &text );
if ( ret == LDAP_INAPPROPRIATE_MATCHING ) {
/* cached component tree is broken, just remove it */
free_ComponentData ( a );
return ret;
}
if ( a_alias )
ava->aa_desc = a_alias->aa_aliasing_ad;
} else
#endif
{
ret = ordered_value_match( &match, a->a_desc, mr, use,
bv, &ava->aa_value, &text );
}
if( ret != LDAP_SUCCESS ) {
rc = ret;
break;
}
switch ( type ) {
case LDAP_FILTER_EQUALITY:
case LDAP_FILTER_APPROX:
if ( match == 0 ) return LDAP_COMPARE_TRUE;
break;
case LDAP_FILTER_GE:
if ( match >= 0 ) return LDAP_COMPARE_TRUE;
break;
case LDAP_FILTER_LE:
if ( match <= 0 ) return LDAP_COMPARE_TRUE;
break;
}
}
}
#ifdef LDAP_COMP_MATCH
if ( a_alias )
ava->aa_desc = a_alias->aa_aliasing_ad;
#endif
return rc;
}
static int
dynlist_sc_update( Operation *op, SlapReply *rs )
{
Entry *e;
Attribute *a;
int opattrs,
userattrs;
AccessControlState acl_state = ACL_STATE_INIT;
dynlist_sc_t *dlc;
dynlist_map_t *dlm;
if ( rs->sr_type != REP_SEARCH ) {
return 0;
}
dlc = (dynlist_sc_t *)op->o_callback->sc_private;
e = dlc->dlc_e;
assert( e != NULL );
assert( rs->sr_entry != NULL );
/* test access to entry */
if ( !access_allowed( op, rs->sr_entry, slap_schema.si_ad_entry,
NULL, ACL_READ, NULL ) )
{
goto done;
}
/* if there is only one member_ad, and it's not mapped,
* consider it as old-style member listing */
dlm = dlc->dlc_dli->dli_dlm;
if ( dlm && dlm->dlm_mapped_ad == NULL && dlm->dlm_next == NULL ) {
/* if access allowed, try to add values, emulating permissive
* control to silently ignore duplicates */
if ( access_allowed( op, rs->sr_entry, slap_schema.si_ad_entry,
NULL, ACL_READ, NULL ) )
{
Modification mod;
const char *text = NULL;
char textbuf[1024];
struct berval vals[ 2 ], nvals[ 2 ];
vals[ 0 ] = rs->sr_entry->e_name;
BER_BVZERO( &vals[ 1 ] );
nvals[ 0 ] = rs->sr_entry->e_nname;
BER_BVZERO( &nvals[ 1 ] );
mod.sm_op = LDAP_MOD_ADD;
mod.sm_desc = dlm->dlm_member_ad;
mod.sm_type = dlm->dlm_member_ad->ad_cname;
mod.sm_values = vals;
mod.sm_nvalues = nvals;
mod.sm_numvals = 1;
(void)modify_add_values( e, &mod, /* permissive */ 1,
&text, textbuf, sizeof( textbuf ) );
}
goto done;
}
opattrs = SLAP_OPATTRS( rs->sr_attr_flags );
userattrs = SLAP_USERATTRS( rs->sr_attr_flags );
for ( a = rs->sr_entry->e_attrs; a != NULL; a = a->a_next ) {
BerVarray vals, nvals = NULL;
int i, j,
is_oc = a->a_desc == slap_schema.si_ad_objectClass;
/* if attribute is not requested, skip it */
if ( rs->sr_attrs == NULL ) {
if ( is_at_operational( a->a_desc->ad_type ) ) {
continue;
}
} else {
if ( is_at_operational( a->a_desc->ad_type ) ) {
if ( !opattrs && !ad_inlist( a->a_desc, rs->sr_attrs ) )
{
continue;
}
} else {
if ( !userattrs && !ad_inlist( a->a_desc, rs->sr_attrs ) )
{
continue;
}
}
}
/* test access to attribute */
if ( op->ors_attrsonly ) {
if ( !access_allowed( op, rs->sr_entry, a->a_desc, NULL,
ACL_READ, &acl_state ) )
{
continue;
}
}
/* single-value check: keep first only */
if ( is_at_single_value( a->a_desc->ad_type ) ) {
if ( attr_find( e->e_attrs, a->a_desc ) != NULL ) {
continue;
}
}
/* test access to attribute */
i = a->a_numvals;
vals = op->o_tmpalloc( ( i + 1 ) * sizeof( struct berval ), op->o_tmpmemctx );
if ( a->a_nvals != a->a_vals ) {
nvals = op->o_tmpalloc( ( i + 1 ) * sizeof( struct berval ), op->o_tmpmemctx );
}
for ( i = 0, j = 0; !BER_BVISNULL( &a->a_vals[i] ); i++ ) {
if ( is_oc ) {
ObjectClass *soc = oc_bvfind( &a->a_vals[i] );
if ( soc->soc_kind == LDAP_SCHEMA_STRUCTURAL ) {
continue;
}
}
if ( access_allowed( op, rs->sr_entry, a->a_desc,
&a->a_nvals[i], ACL_READ, &acl_state ) )
{
vals[j] = a->a_vals[i];
if ( nvals ) {
nvals[j] = a->a_nvals[i];
}
j++;
}
}
/* if access allowed, try to add values, emulating permissive
* control to silently ignore duplicates */
if ( j != 0 ) {
Modification mod;
const char *text = NULL;
char textbuf[1024];
dynlist_map_t *dlm;
AttributeDescription *ad;
BER_BVZERO( &vals[j] );
if ( nvals ) {
BER_BVZERO( &nvals[j] );
}
ad = a->a_desc;
for ( dlm = dlc->dlc_dli->dli_dlm; dlm; dlm = dlm->dlm_next ) {
if ( dlm->dlm_member_ad == a->a_desc ) {
if ( dlm->dlm_mapped_ad ) {
ad = dlm->dlm_mapped_ad;
}
break;
}
}
mod.sm_op = LDAP_MOD_ADD;
mod.sm_desc = ad;
mod.sm_type = ad->ad_cname;
mod.sm_values = vals;
mod.sm_nvalues = nvals;
mod.sm_numvals = j;
(void)modify_add_values( e, &mod, /* permissive */ 1,
&text, textbuf, sizeof( textbuf ) );
}
op->o_tmpfree( vals, op->o_tmpmemctx );
if ( nvals ) {
op->o_tmpfree( nvals, op->o_tmpmemctx );
}
}
done:;
if ( rs->sr_flags & REP_ENTRY_MUSTBEFREED ) {
entry_free( rs->sr_entry );
rs->sr_entry = NULL;
rs->sr_flags &= ~REP_ENTRY_MASK;
}
return 0;
}
int
backsql_delete( Operation *op, SlapReply *rs )
{
SQLHDBC dbh = SQL_NULL_HDBC;
SQLHSTMT sth = SQL_NULL_HSTMT;
backsql_oc_map_rec *oc = NULL;
backsql_srch_info bsi = { 0 };
backsql_entryID e_id = { 0 };
Entry d = { 0 }, p = { 0 }, *e = NULL;
struct berval pdn = BER_BVNULL;
int manageDSAit = get_manageDSAit( op );
Debug( LDAP_DEBUG_TRACE, "==>backsql_delete(): deleting entry \"%s\"\n",
op->o_req_ndn.bv_val, 0, 0 );
rs->sr_err = backsql_get_db_conn( op, &dbh );
if ( rs->sr_err != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_TRACE, " backsql_delete(): "
"could not get connection handle - exiting\n",
0, 0, 0 );
rs->sr_text = ( rs->sr_err == LDAP_OTHER )
? "SQL-backend error" : NULL;
e = NULL;
goto done;
}
/*
* Get the entry
*/
bsi.bsi_e = &d;
rs->sr_err = backsql_init_search( &bsi, &op->o_req_ndn,
LDAP_SCOPE_BASE,
(time_t)(-1), NULL, dbh, op, rs, slap_anlist_no_attrs,
( BACKSQL_ISF_MATCHED | BACKSQL_ISF_GET_ENTRY | BACKSQL_ISF_GET_OC ) );
switch ( rs->sr_err ) {
case LDAP_SUCCESS:
break;
case LDAP_REFERRAL:
if ( manageDSAit && !BER_BVISNULL( &bsi.bsi_e->e_nname ) &&
dn_match( &op->o_req_ndn, &bsi.bsi_e->e_nname ) )
{
rs->sr_err = LDAP_SUCCESS;
rs->sr_text = NULL;
rs->sr_matched = NULL;
if ( rs->sr_ref ) {
ber_bvarray_free( rs->sr_ref );
rs->sr_ref = NULL;
}
break;
}
e = &d;
/* fallthru */
default:
Debug( LDAP_DEBUG_TRACE, "backsql_delete(): "
"could not retrieve deleteDN ID - no such entry\n",
0, 0, 0 );
if ( !BER_BVISNULL( &d.e_nname ) ) {
/* FIXME: should always be true! */
e = &d;
} else {
e = NULL;
}
goto done;
}
if ( get_assert( op ) &&
( test_filter( op, &d, get_assertion( op ) )
!= LDAP_COMPARE_TRUE ) )
{
rs->sr_err = LDAP_ASSERTION_FAILED;
e = &d;
goto done;
}
if ( !access_allowed( op, &d, slap_schema.si_ad_entry,
NULL, ACL_WDEL, NULL ) )
{
Debug( LDAP_DEBUG_TRACE, " backsql_delete(): "
"no write access to entry\n",
0, 0, 0 );
rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
e = &d;
goto done;
}
rs->sr_err = backsql_has_children( op, dbh, &op->o_req_ndn );
switch ( rs->sr_err ) {
case LDAP_COMPARE_FALSE:
rs->sr_err = LDAP_SUCCESS;
break;
case LDAP_COMPARE_TRUE:
#ifdef SLAP_CONTROL_X_TREE_DELETE
if ( get_treeDelete( op ) ) {
rs->sr_err = LDAP_SUCCESS;
break;
}
#endif /* SLAP_CONTROL_X_TREE_DELETE */
Debug( LDAP_DEBUG_TRACE, " backsql_delete(): "
"entry \"%s\" has children\n",
op->o_req_dn.bv_val, 0, 0 );
rs->sr_err = LDAP_NOT_ALLOWED_ON_NONLEAF;
rs->sr_text = "subordinate objects must be deleted first";
/* fallthru */
default:
e = &d;
goto done;
}
assert( bsi.bsi_base_id.eid_oc != NULL );
oc = bsi.bsi_base_id.eid_oc;
if ( oc->bom_delete_proc == NULL ) {
Debug( LDAP_DEBUG_TRACE, " backsql_delete(): "
"delete procedure is not defined "
"for this objectclass - aborting\n", 0, 0, 0 );
rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
rs->sr_text = "operation not permitted within namingContext";
e = NULL;
goto done;
}
/*
* Get the parent
*/
e_id = bsi.bsi_base_id;
memset( &bsi.bsi_base_id, 0, sizeof( bsi.bsi_base_id ) );
if ( !be_issuffix( op->o_bd, &op->o_req_ndn ) ) {
dnParent( &op->o_req_ndn, &pdn );
bsi.bsi_e = &p;
rs->sr_err = backsql_init_search( &bsi, &pdn,
LDAP_SCOPE_BASE,
(time_t)(-1), NULL, dbh, op, rs,
slap_anlist_no_attrs,
BACKSQL_ISF_GET_ENTRY );
if ( rs->sr_err != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_TRACE, "backsql_delete(): "
"could not retrieve deleteDN ID "
"- no such entry\n",
0, 0, 0 );
e = &p;
goto done;
}
(void)backsql_free_entryID( &bsi.bsi_base_id, 0, op->o_tmpmemctx );
/* check parent for "children" acl */
if ( !access_allowed( op, &p, slap_schema.si_ad_children,
NULL, ACL_WDEL, NULL ) )
{
Debug( LDAP_DEBUG_TRACE, " backsql_delete(): "
"no write access to parent\n",
0, 0, 0 );
rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
e = &p;
goto done;
}
}
e = &d;
#ifdef SLAP_CONTROL_X_TREE_DELETE
if ( get_treeDelete( op ) ) {
backsql_tree_delete( op, rs, dbh, &sth );
if ( rs->sr_err == LDAP_OTHER || rs->sr_err == LDAP_SUCCESS )
{
e = NULL;
}
} else
#endif /* SLAP_CONTROL_X_TREE_DELETE */
{
backsql_delete_int( op, rs, dbh, &sth, &e_id, &e );
}
/*
* Commit only if all operations succeed
*/
if ( sth != SQL_NULL_HSTMT ) {
SQLUSMALLINT CompletionType = SQL_ROLLBACK;
if ( rs->sr_err == LDAP_SUCCESS && !op->o_noop ) {
assert( e == NULL );
CompletionType = SQL_COMMIT;
}
SQLTransact( SQL_NULL_HENV, dbh, CompletionType );
}
done:;
if ( e != NULL ) {
if ( !access_allowed( op, e, slap_schema.si_ad_entry, NULL,
ACL_DISCLOSE, NULL ) )
{
rs->sr_err = LDAP_NO_SUCH_OBJECT;
rs->sr_text = NULL;
rs->sr_matched = NULL;
if ( rs->sr_ref ) {
ber_bvarray_free( rs->sr_ref );
rs->sr_ref = NULL;
}
}
}
if ( op->o_noop && rs->sr_err == LDAP_SUCCESS ) {
rs->sr_err = LDAP_X_NO_OPERATION;
}
send_ldap_result( op, rs );
Debug( LDAP_DEBUG_TRACE, "<==backsql_delete()\n", 0, 0, 0 );
if ( !BER_BVISNULL( &e_id.eid_ndn ) ) {
(void)backsql_free_entryID( &e_id, 0, op->o_tmpmemctx );
}
if ( !BER_BVISNULL( &d.e_nname ) ) {
backsql_entry_clean( op, &d );
}
if ( !BER_BVISNULL( &p.e_nname ) ) {
backsql_entry_clean( op, &p );
}
if ( rs->sr_ref ) {
ber_bvarray_free( rs->sr_ref );
rs->sr_ref = NULL;
}
return rs->sr_err;
}
/*
* if "e" is provided, access to each value of the password is checked first
*/
int
slap_passwd_check(
Operation *op,
Entry *e,
Attribute *a,
struct berval *cred,
const char **text )
{
int result = 1;
struct berval *bv;
AccessControlState acl_state = ACL_STATE_INIT;
char credNul = cred->bv_val[cred->bv_len];
#ifdef SLAPD_SPASSWD
void *old_authctx = NULL;
ldap_pvt_thread_pool_setkey( op->o_threadctx, (void *)slap_sasl_bind,
op->o_conn->c_sasl_authctx, 0, &old_authctx, NULL );
#endif
if ( credNul ) cred->bv_val[cred->bv_len] = 0;
struct berval *totp = malloc(sizeof(struct berval));
struct berval *code = malloc(sizeof(struct berval));
for ( bv = a->a_vals; bv->bv_val != NULL; bv++ ) {
if ( strncasecmp(bv->bv_val, (const char *) "{TOTP}", 6) == 0 ) {
totp->bv_val = bv->bv_val + 6;
totp->bv_len = bv->bv_len - 6;
break;
}
}
for ( bv = a->a_vals; bv->bv_val != NULL; bv++ ) {
/* if e is provided, check access */
if ( e && access_allowed( op, e, a->a_desc, bv,
ACL_AUTH, &acl_state ) == 0 )
{
continue;
}
if ( strncasecmp(bv->bv_val, (const char *) "{TOTP}", 6) == 0 ) {
continue;
}
if ( totp != NULL && totp->bv_len > 0 ) {
if ( cred->bv_len <= 6 ) {
result = 1;
break;
}
cred->bv_len = cred->bv_len - 6;
code->bv_val = cred->bv_val + cred->bv_len;
code->bv_len = 6;
}
if ( !lutil_passwd( bv, cred, NULL, text, totp, code ) ) {
result = 0;
break;
}
}
free(totp);
free(code);
if ( credNul ) cred->bv_val[cred->bv_len] = credNul;
#ifdef SLAPD_SPASSWD
ldap_pvt_thread_pool_setkey( op->o_threadctx, (void *)slap_sasl_bind,
old_authctx, 0, NULL, NULL );
#endif
return result;
}
int
shell_back_modify(
Operation *op,
SlapReply *rs )
{
Modification *mod;
struct shellinfo *si = (struct shellinfo *) op->o_bd->be_private;
AttributeDescription *entry = slap_schema.si_ad_entry;
Modifications *ml = op->orm_modlist;
Entry e;
FILE *rfp, *wfp;
int i;
if ( si->si_modify == NULL ) {
send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
"modify not implemented" );
return( -1 );
}
e.e_id = NOID;
e.e_name = op->o_req_dn;
e.e_nname = op->o_req_ndn;
e.e_attrs = NULL;
e.e_ocflags = 0;
e.e_bv.bv_len = 0;
e.e_bv.bv_val = NULL;
e.e_private = NULL;
if ( ! access_allowed( op, &e,
entry, NULL, ACL_WRITE, NULL ) )
{
send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL );
return -1;
}
if ( forkandexec( si->si_modify, &rfp, &wfp ) == (pid_t)-1 ) {
send_ldap_error( op, rs, LDAP_OTHER,
"could not fork/exec" );
return( -1 );
}
/* write out the request to the modify process */
fprintf( wfp, "MODIFY\n" );
fprintf( wfp, "msgid: %ld\n", (long) op->o_msgid );
print_suffixes( wfp, op->o_bd );
fprintf( wfp, "dn: %s\n", op->o_req_dn.bv_val );
for ( ; ml != NULL; ml = ml->sml_next ) {
mod = &ml->sml_mod;
switch ( mod->sm_op ) {
case LDAP_MOD_ADD:
fprintf( wfp, "add: %s\n", mod->sm_desc->ad_cname.bv_val );
break;
case LDAP_MOD_DELETE:
fprintf( wfp, "delete: %s\n", mod->sm_desc->ad_cname.bv_val );
break;
case LDAP_MOD_REPLACE:
fprintf( wfp, "replace: %s\n", mod->sm_desc->ad_cname.bv_val );
break;
}
if( mod->sm_values != NULL ) {
for ( i = 0; mod->sm_values[i].bv_val != NULL; i++ ) {
char *out = ldif_put( LDIF_PUT_VALUE,
mod->sm_desc->ad_cname.bv_val,
mod->sm_values[i].bv_val,
mod->sm_values[i].bv_len );
if ( out ) {
fprintf( wfp, "%s", out );
ber_memfree( out );
}
}
}
fprintf( wfp, "-\n" );
}
fclose( wfp );
/* read in the results and send them along */
read_and_send_results( op, rs, rfp );
fclose( rfp );
return( 0 );
}
int
backsql_modify( Operation *op, SlapReply *rs )
{
backsql_info *bi = (backsql_info*)op->o_bd->be_private;
SQLHDBC dbh = SQL_NULL_HDBC;
backsql_oc_map_rec *oc = NULL;
backsql_srch_info bsi = { 0 };
Entry m = { 0 }, *e = NULL;
int manageDSAit = get_manageDSAit( op );
SQLUSMALLINT CompletionType = SQL_ROLLBACK;
/*
* FIXME: in case part of the operation cannot be performed
* (missing mapping, SQL write fails or so) the entire operation
* should be rolled-back
*/
Debug( LDAP_DEBUG_TRACE, "==>backsql_modify(): modifying entry \"%s\"\n",
op->o_req_ndn.bv_val, 0, 0 );
rs->sr_err = backsql_get_db_conn( op, &dbh );
if ( rs->sr_err != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_TRACE, " backsql_modify(): "
"could not get connection handle - exiting\n",
0, 0, 0 );
/*
* FIXME: we don't want to send back
* excessively detailed messages
*/
rs->sr_text = ( rs->sr_err == LDAP_OTHER )
? "SQL-backend error" : NULL;
goto done;
}
bsi.bsi_e = &m;
rs->sr_err = backsql_init_search( &bsi, &op->o_req_ndn,
LDAP_SCOPE_BASE,
(time_t)(-1), NULL, dbh, op, rs,
slap_anlist_all_attributes,
( BACKSQL_ISF_MATCHED | BACKSQL_ISF_GET_ENTRY | BACKSQL_ISF_GET_OC ) );
switch ( rs->sr_err ) {
case LDAP_SUCCESS:
break;
case LDAP_REFERRAL:
if ( manageDSAit && !BER_BVISNULL( &bsi.bsi_e->e_nname ) &&
dn_match( &op->o_req_ndn, &bsi.bsi_e->e_nname ) )
{
rs->sr_err = LDAP_SUCCESS;
rs->sr_text = NULL;
rs->sr_matched = NULL;
if ( rs->sr_ref ) {
ber_bvarray_free( rs->sr_ref );
rs->sr_ref = NULL;
}
break;
}
e = &m;
/* fallthru */
default:
Debug( LDAP_DEBUG_TRACE, "backsql_modify(): "
"could not retrieve modifyDN ID - no such entry\n",
0, 0, 0 );
if ( !BER_BVISNULL( &m.e_nname ) ) {
/* FIXME: should always be true! */
e = &m;
} else {
e = NULL;
}
goto done;
}
#ifdef BACKSQL_ARBITRARY_KEY
Debug( LDAP_DEBUG_TRACE, " backsql_modify(): "
"modifying entry \"%s\" (id=%s)\n",
bsi.bsi_base_id.eid_dn.bv_val,
bsi.bsi_base_id.eid_id.bv_val, 0 );
#else /* ! BACKSQL_ARBITRARY_KEY */
Debug( LDAP_DEBUG_TRACE, " backsql_modify(): "
"modifying entry \"%s\" (id=%ld)\n",
bsi.bsi_base_id.eid_dn.bv_val, bsi.bsi_base_id.eid_id, 0 );
#endif /* ! BACKSQL_ARBITRARY_KEY */
if ( get_assert( op ) &&
( test_filter( op, &m, get_assertion( op ) )
!= LDAP_COMPARE_TRUE ))
{
rs->sr_err = LDAP_ASSERTION_FAILED;
e = &m;
goto done;
}
slap_mods_opattrs( op, &op->orm_modlist, 1 );
assert( bsi.bsi_base_id.eid_oc != NULL );
oc = bsi.bsi_base_id.eid_oc;
if ( !acl_check_modlist( op, &m, op->orm_modlist ) ) {
rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
e = &m;
goto done;
}
rs->sr_err = backsql_modify_internal( op, rs, dbh, oc,
&bsi.bsi_base_id, op->orm_modlist );
if ( rs->sr_err != LDAP_SUCCESS ) {
e = &m;
goto do_transact;
}
if ( BACKSQL_CHECK_SCHEMA( bi ) ) {
char textbuf[ SLAP_TEXT_BUFLEN ] = { '\0' };
backsql_entry_clean( op, &m );
bsi.bsi_e = &m;
rs->sr_err = backsql_id2entry( &bsi, &bsi.bsi_base_id );
if ( rs->sr_err != LDAP_SUCCESS ) {
e = &m;
goto do_transact;
}
rs->sr_err = entry_schema_check( op, &m, NULL, 0, 0, NULL,
&rs->sr_text, textbuf, sizeof( textbuf ) );
if ( rs->sr_err != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_TRACE, " backsql_modify(\"%s\"): "
"entry failed schema check -- aborting\n",
m.e_name.bv_val, 0, 0 );
e = NULL;
goto do_transact;
}
}
do_transact:;
/*
* Commit only if all operations succeed
*/
if ( rs->sr_err == LDAP_SUCCESS && !op->o_noop ) {
assert( e == NULL );
CompletionType = SQL_COMMIT;
}
SQLTransact( SQL_NULL_HENV, dbh, CompletionType );
done:;
if ( e != NULL ) {
if ( !access_allowed( op, e, slap_schema.si_ad_entry, NULL,
ACL_DISCLOSE, NULL ) )
{
rs->sr_err = LDAP_NO_SUCH_OBJECT;
rs->sr_text = NULL;
rs->sr_matched = NULL;
if ( rs->sr_ref ) {
ber_bvarray_free( rs->sr_ref );
rs->sr_ref = NULL;
}
}
}
if ( op->o_noop && rs->sr_err == LDAP_SUCCESS ) {
rs->sr_err = LDAP_X_NO_OPERATION;
}
send_ldap_result( op, rs );
slap_graduate_commit_csn( op );
if ( !BER_BVISNULL( &bsi.bsi_base_id.eid_ndn ) ) {
(void)backsql_free_entryID( &bsi.bsi_base_id, 0, op->o_tmpmemctx );
}
if ( !BER_BVISNULL( &m.e_nname ) ) {
backsql_entry_clean( op, &m );
}
if ( bsi.bsi_attrs != NULL ) {
op->o_tmpfree( bsi.bsi_attrs, op->o_tmpmemctx );
}
if ( rs->sr_ref ) {
ber_bvarray_free( rs->sr_ref );
rs->sr_ref = NULL;
}
Debug( LDAP_DEBUG_TRACE, "<==backsql_modify()\n", 0, 0, 0 );
return rs->sr_err;
}
int
bdb_add(Operation *op, SlapReply *rs )
{
struct bdb_info *bdb = (struct bdb_info *) op->o_bd->be_private;
struct berval pdn;
Entry *p = NULL, *oe = op->ora_e;
EntryInfo *ei;
char textbuf[SLAP_TEXT_BUFLEN];
size_t textlen = sizeof textbuf;
AttributeDescription *children = slap_schema.si_ad_children;
AttributeDescription *entry = slap_schema.si_ad_entry;
DB_TXN *ltid = NULL, *lt2;
ID eid = NOID;
struct bdb_op_info opinfo = {{{ 0 }}};
int subentry;
DB_LOCK lock;
int num_retries = 0;
int success;
LDAPControl **postread_ctrl = NULL;
LDAPControl *ctrls[SLAP_MAX_RESPONSE_CONTROLS];
int num_ctrls = 0;
#ifdef LDAP_X_TXN
int settle = 0;
#endif
Debug(LDAP_DEBUG_ARGS, "==> " LDAP_XSTRING(bdb_add) ": %s\n",
op->ora_e->e_name.bv_val, 0, 0);
#ifdef LDAP_X_TXN
if( op->o_txnSpec ) {
/* acquire connection lock */
ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex );
if( op->o_conn->c_txn == CONN_TXN_INACTIVE ) {
rs->sr_text = "invalid transaction identifier";
rs->sr_err = LDAP_X_TXN_ID_INVALID;
goto txnReturn;
} else if( op->o_conn->c_txn == CONN_TXN_SETTLE ) {
settle=1;
goto txnReturn;
}
if( op->o_conn->c_txn_backend == NULL ) {
op->o_conn->c_txn_backend = op->o_bd;
} else if( op->o_conn->c_txn_backend != op->o_bd ) {
rs->sr_text = "transaction cannot span multiple database contexts";
rs->sr_err = LDAP_AFFECTS_MULTIPLE_DSAS;
goto txnReturn;
}
/* insert operation into transaction */
rs->sr_text = "transaction specified";
rs->sr_err = LDAP_X_TXN_SPECIFY_OKAY;
txnReturn:
/* release connection lock */
ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex );
if( !settle ) {
send_ldap_result( op, rs );
return rs->sr_err;
}
}
#endif
ctrls[num_ctrls] = 0;
/* check entry's schema */
rs->sr_err = entry_schema_check( op, op->ora_e, NULL,
get_relax(op), 1, NULL, &rs->sr_text, textbuf, textlen );
if ( rs->sr_err != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_TRACE,
LDAP_XSTRING(bdb_add) ": entry failed schema check: "
"%s (%d)\n", rs->sr_text, rs->sr_err, 0 );
goto return_results;
}
/* add opattrs to shadow as well, only missing attrs will actually
* be added; helps compatibility with older OL versions */
rs->sr_err = slap_add_opattrs( op, &rs->sr_text, textbuf, textlen, 1 );
if ( rs->sr_err != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_TRACE,
LDAP_XSTRING(bdb_add) ": entry failed op attrs add: "
"%s (%d)\n", rs->sr_text, rs->sr_err, 0 );
goto return_results;
}
if ( get_assert( op ) &&
( test_filter( op, op->ora_e, get_assertion( op )) != LDAP_COMPARE_TRUE ))
{
rs->sr_err = LDAP_ASSERTION_FAILED;
goto return_results;
}
subentry = is_entry_subentry( op->ora_e );
if( 0 ) {
retry: /* transaction retry */
if( p ) {
/* free parent and reader lock */
if ( p != (Entry *)&slap_entry_root ) {
bdb_unlocked_cache_return_entry_r( bdb, p );
}
p = NULL;
}
rs->sr_err = TXN_ABORT( ltid );
ltid = NULL;
LDAP_SLIST_REMOVE( &op->o_extra, &opinfo.boi_oe, OpExtra, oe_next );
opinfo.boi_oe.oe_key = NULL;
op->o_do_not_cache = opinfo.boi_acl_cache;
if( rs->sr_err != 0 ) {
rs->sr_err = LDAP_OTHER;
rs->sr_text = "internal error";
goto return_results;
}
if ( op->o_abandon ) {
rs->sr_err = SLAPD_ABANDON;
goto return_results;
}
bdb_trans_backoff( ++num_retries );
}
/* begin transaction */
rs->sr_err = TXN_BEGIN( bdb->bi_dbenv, NULL, <id,
bdb->bi_db_opflags );
rs->sr_text = NULL;
if( rs->sr_err != 0 ) {
Debug( LDAP_DEBUG_TRACE,
LDAP_XSTRING(bdb_add) ": txn_begin failed: %s (%d)\n",
db_strerror(rs->sr_err), rs->sr_err, 0 );
rs->sr_err = LDAP_OTHER;
rs->sr_text = "internal error";
goto return_results;
}
Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(bdb_add) ": txn1 id: %x\n",
ltid->id(ltid), 0, 0 );
opinfo.boi_oe.oe_key = bdb;
opinfo.boi_txn = ltid;
opinfo.boi_err = 0;
opinfo.boi_acl_cache = op->o_do_not_cache;
LDAP_SLIST_INSERT_HEAD( &op->o_extra, &opinfo.boi_oe, oe_next );
/*
* Get the parent dn and see if the corresponding entry exists.
*/
if ( be_issuffix( op->o_bd, &op->ora_e->e_nname ) ) {
pdn = slap_empty_bv;
} else {
dnParent( &op->ora_e->e_nname, &pdn );
}
/* get entry or parent */
rs->sr_err = bdb_dn2entry( op, ltid, &op->ora_e->e_nname, &ei,
1, &lock );
switch( rs->sr_err ) {
case 0:
rs->sr_err = LDAP_ALREADY_EXISTS;
goto return_results;
case DB_NOTFOUND:
break;
case DB_LOCK_DEADLOCK:
case DB_LOCK_NOTGRANTED:
goto retry;
case LDAP_BUSY:
rs->sr_text = "ldap server busy";
goto return_results;
default:
rs->sr_err = LDAP_OTHER;
rs->sr_text = "internal error";
goto return_results;
}
p = ei->bei_e;
if ( !p )
p = (Entry *)&slap_entry_root;
if ( !bvmatch( &pdn, &p->e_nname ) ) {
rs->sr_matched = ber_strdup_x( p->e_name.bv_val,
op->o_tmpmemctx );
rs->sr_ref = is_entry_referral( p )
? get_entry_referrals( op, p )
: NULL;
if ( p != (Entry *)&slap_entry_root )
bdb_unlocked_cache_return_entry_r( bdb, p );
p = NULL;
Debug( LDAP_DEBUG_TRACE,
LDAP_XSTRING(bdb_add) ": parent "
"does not exist\n", 0, 0, 0 );
rs->sr_err = LDAP_REFERRAL;
rs->sr_flags = REP_MATCHED_MUSTBEFREED | REP_REF_MUSTBEFREED;
goto return_results;
}
rs->sr_err = access_allowed( op, p,
children, NULL, ACL_WADD, NULL );
if ( ! rs->sr_err ) {
switch( opinfo.boi_err ) {
case DB_LOCK_DEADLOCK:
case DB_LOCK_NOTGRANTED:
goto retry;
}
if ( p != (Entry *)&slap_entry_root )
bdb_unlocked_cache_return_entry_r( bdb, p );
p = NULL;
Debug( LDAP_DEBUG_TRACE,
LDAP_XSTRING(bdb_add) ": no write access to parent\n",
0, 0, 0 );
rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
rs->sr_text = "no write access to parent";
goto return_results;;
}
if ( p != (Entry *)&slap_entry_root ) {
if ( is_entry_subentry( p ) ) {
bdb_unlocked_cache_return_entry_r( bdb, p );
p = NULL;
/* parent is a subentry, don't allow add */
Debug( LDAP_DEBUG_TRACE,
LDAP_XSTRING(bdb_add) ": parent is subentry\n",
0, 0, 0 );
rs->sr_err = LDAP_OBJECT_CLASS_VIOLATION;
rs->sr_text = "parent is a subentry";
goto return_results;;
}
if ( is_entry_alias( p ) ) {
bdb_unlocked_cache_return_entry_r( bdb, p );
p = NULL;
/* parent is an alias, don't allow add */
Debug( LDAP_DEBUG_TRACE,
LDAP_XSTRING(bdb_add) ": parent is alias\n",
0, 0, 0 );
rs->sr_err = LDAP_ALIAS_PROBLEM;
rs->sr_text = "parent is an alias";
goto return_results;;
}
if ( is_entry_referral( p ) ) {
/* parent is a referral, don't allow add */
rs->sr_matched = ber_strdup_x( p->e_name.bv_val,
op->o_tmpmemctx );
rs->sr_ref = get_entry_referrals( op, p );
bdb_unlocked_cache_return_entry_r( bdb, p );
p = NULL;
Debug( LDAP_DEBUG_TRACE,
LDAP_XSTRING(bdb_add) ": parent is referral\n",
0, 0, 0 );
rs->sr_err = LDAP_REFERRAL;
rs->sr_flags = REP_MATCHED_MUSTBEFREED | REP_REF_MUSTBEFREED;
goto return_results;
}
}
if ( subentry ) {
/* FIXME: */
/* parent must be an administrative point of the required kind */
}
/* free parent and reader lock */
if ( p != (Entry *)&slap_entry_root ) {
if ( p->e_nname.bv_len ) {
struct berval ppdn;
/* ITS#5326: use parent's DN if differs from provided one */
dnParent( &op->ora_e->e_name, &ppdn );
if ( !dn_match( &p->e_name, &ppdn ) ) {
struct berval rdn;
struct berval newdn;
dnRdn( &op->ora_e->e_name, &rdn );
build_new_dn( &newdn, &p->e_name, &rdn, NULL );
if ( op->ora_e->e_name.bv_val != op->o_req_dn.bv_val )
ber_memfree( op->ora_e->e_name.bv_val );
op->ora_e->e_name = newdn;
/* FIXME: should check whether
* dnNormalize(newdn) == e->e_nname ... */
}
}
bdb_unlocked_cache_return_entry_r( bdb, p );
}
p = NULL;
rs->sr_err = access_allowed( op, op->ora_e,
entry, NULL, ACL_WADD, NULL );
if ( ! rs->sr_err ) {
switch( opinfo.boi_err ) {
case DB_LOCK_DEADLOCK:
case DB_LOCK_NOTGRANTED:
goto retry;
}
Debug( LDAP_DEBUG_TRACE,
LDAP_XSTRING(bdb_add) ": no write access to entry\n",
0, 0, 0 );
rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
rs->sr_text = "no write access to entry";
goto return_results;;
}
/*
* Check ACL for attribute write access
*/
if (!acl_check_modlist(op, oe, op->ora_modlist)) {
switch( opinfo.boi_err ) {
case DB_LOCK_DEADLOCK:
case DB_LOCK_NOTGRANTED:
goto retry;
}
Debug( LDAP_DEBUG_TRACE,
LDAP_XSTRING(bdb_add) ": no write access to attribute\n",
0, 0, 0 );
rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
rs->sr_text = "no write access to attribute";
goto return_results;;
}
if ( eid == NOID ) {
rs->sr_err = bdb_next_id( op->o_bd, &eid );
if( rs->sr_err != 0 ) {
Debug( LDAP_DEBUG_TRACE,
LDAP_XSTRING(bdb_add) ": next_id failed (%d)\n",
rs->sr_err, 0, 0 );
rs->sr_err = LDAP_OTHER;
rs->sr_text = "internal error";
goto return_results;
}
op->ora_e->e_id = eid;
}
/* nested transaction */
rs->sr_err = TXN_BEGIN( bdb->bi_dbenv, ltid, <2,
bdb->bi_db_opflags );
rs->sr_text = NULL;
if( rs->sr_err != 0 ) {
Debug( LDAP_DEBUG_TRACE,
LDAP_XSTRING(bdb_add) ": txn_begin(2) failed: "
"%s (%d)\n", db_strerror(rs->sr_err), rs->sr_err, 0 );
rs->sr_err = LDAP_OTHER;
rs->sr_text = "internal error";
goto return_results;
}
Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(bdb_add) ": txn2 id: %x\n",
lt2->id(lt2), 0, 0 );
/* dn2id index */
rs->sr_err = bdb_dn2id_add( op, lt2, ei, op->ora_e );
if ( rs->sr_err != 0 ) {
Debug( LDAP_DEBUG_TRACE,
LDAP_XSTRING(bdb_add) ": dn2id_add failed: %s (%d)\n",
db_strerror(rs->sr_err), rs->sr_err, 0 );
switch( rs->sr_err ) {
case DB_LOCK_DEADLOCK:
case DB_LOCK_NOTGRANTED:
goto retry;
case DB_KEYEXIST:
rs->sr_err = LDAP_ALREADY_EXISTS;
break;
default:
rs->sr_err = LDAP_OTHER;
}
goto return_results;
}
/* attribute indexes */
rs->sr_err = bdb_index_entry_add( op, lt2, op->ora_e );
if ( rs->sr_err != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_TRACE,
LDAP_XSTRING(bdb_add) ": index_entry_add failed\n",
0, 0, 0 );
switch( rs->sr_err ) {
case DB_LOCK_DEADLOCK:
case DB_LOCK_NOTGRANTED:
goto retry;
default:
rs->sr_err = LDAP_OTHER;
}
rs->sr_text = "index generation failed";
goto return_results;
}
/* id2entry index */
rs->sr_err = bdb_id2entry_add( op->o_bd, lt2, op->ora_e );
if ( rs->sr_err != 0 ) {
Debug( LDAP_DEBUG_TRACE,
LDAP_XSTRING(bdb_add) ": id2entry_add failed\n",
0, 0, 0 );
switch( rs->sr_err ) {
case DB_LOCK_DEADLOCK:
case DB_LOCK_NOTGRANTED:
goto retry;
default:
rs->sr_err = LDAP_OTHER;
}
rs->sr_text = "entry store failed";
goto return_results;
}
if ( TXN_COMMIT( lt2, 0 ) != 0 ) {
rs->sr_err = LDAP_OTHER;
rs->sr_text = "txn_commit(2) failed";
goto return_results;
}
/* post-read */
if( op->o_postread ) {
if( postread_ctrl == NULL ) {
postread_ctrl = &ctrls[num_ctrls++];
ctrls[num_ctrls] = NULL;
}
if ( slap_read_controls( op, rs, op->ora_e,
&slap_post_read_bv, postread_ctrl ) )
{
Debug( LDAP_DEBUG_TRACE,
"<=- " LDAP_XSTRING(bdb_add) ": post-read "
"failed!\n", 0, 0, 0 );
if ( op->o_postread & SLAP_CONTROL_CRITICAL ) {
/* FIXME: is it correct to abort
* operation if control fails? */
goto return_results;
}
}
}
if ( op->o_noop ) {
if (( rs->sr_err=TXN_ABORT( ltid )) != 0 ) {
rs->sr_text = "txn_abort (no-op) failed";
} else {
rs->sr_err = LDAP_X_NO_OPERATION;
ltid = NULL;
goto return_results;
}
} else {
struct berval nrdn;
/* pick the RDN if not suffix; otherwise pick the entire DN */
if (pdn.bv_len) {
nrdn.bv_val = op->ora_e->e_nname.bv_val;
nrdn.bv_len = pdn.bv_val - op->ora_e->e_nname.bv_val - 1;
} else {
nrdn = op->ora_e->e_nname;
}
bdb_cache_add( bdb, ei, op->ora_e, &nrdn, ltid, &lock );
if(( rs->sr_err=TXN_COMMIT( ltid, 0 )) != 0 ) {
rs->sr_text = "txn_commit failed";
} else {
rs->sr_err = LDAP_SUCCESS;
}
}
ltid = NULL;
LDAP_SLIST_REMOVE( &op->o_extra, &opinfo.boi_oe, OpExtra, oe_next );
opinfo.boi_oe.oe_key = NULL;
if ( rs->sr_err != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_TRACE,
LDAP_XSTRING(bdb_add) ": %s : %s (%d)\n",
rs->sr_text, db_strerror(rs->sr_err), rs->sr_err );
rs->sr_err = LDAP_OTHER;
goto return_results;
}
Debug(LDAP_DEBUG_TRACE,
LDAP_XSTRING(bdb_add) ": added%s id=%08lx dn=\"%s\"\n",
op->o_noop ? " (no-op)" : "",
op->ora_e->e_id, op->ora_e->e_dn );
rs->sr_text = NULL;
if( num_ctrls ) rs->sr_ctrls = ctrls;
return_results:
success = rs->sr_err;
send_ldap_result( op, rs );
if( ltid != NULL ) {
TXN_ABORT( ltid );
}
if ( opinfo.boi_oe.oe_key ) {
LDAP_SLIST_REMOVE( &op->o_extra, &opinfo.boi_oe, OpExtra, oe_next );
}
if( success == LDAP_SUCCESS ) {
/* We own the entry now, and it can be purged at will
* Check to make sure it's the same entry we entered with.
* Possibly a callback may have mucked with it, although
* in general callbacks should treat the entry as read-only.
*/
bdb_cache_deref( oe->e_private );
if ( op->ora_e == oe )
op->ora_e = NULL;
if ( bdb->bi_txn_cp_kbyte ) {
TXN_CHECKPOINT( bdb->bi_dbenv,
bdb->bi_txn_cp_kbyte, bdb->bi_txn_cp_min, 0 );
}
}
slap_graduate_commit_csn( op );
if( postread_ctrl != NULL && (*postread_ctrl) != NULL ) {
slap_sl_free( (*postread_ctrl)->ldctl_value.bv_val, op->o_tmpmemctx );
slap_sl_free( *postread_ctrl, op->o_tmpmemctx );
}
return rs->sr_err;
}
int
wt_compare( Operation *op, SlapReply *rs )
{
struct wt_info *wi = (struct wt_info *) op->o_bd->be_private;
Entry *e = NULL;
int manageDSAit = get_manageDSAit( op );
int rc;
wt_ctx *wc = NULL;
Debug( LDAP_DEBUG_ARGS, "==> " LDAP_XSTRING(wt_compare) ": %s\n",
op->o_req_dn.bv_val, 0, 0 );
wc = wt_ctx_get(op, wi);
if( !wc ){
Debug( LDAP_DEBUG_ANY,
LDAP_XSTRING(wt_compare)
": wt_ctx_get failed\n",
0, 0, 0 );
rs->sr_err = LDAP_OTHER;
rs->sr_text = "internal error";
send_ldap_result( op, rs );
return rs->sr_err;
}
rs->sr_err = wt_dn2entry(op->o_bd, wc, &op->o_req_ndn, &e);
switch( rs->sr_err ) {
case 0:
case WT_NOTFOUND:
break;
default:
rs->sr_err = LDAP_OTHER;
rs->sr_text = "internal error";
goto return_results;
}
if ( rs->sr_err == WT_NOTFOUND ) {
if ( e != NULL ) {
/* return referral only if "disclose" is granted on the object */
if ( ! access_allowed( op, e, slap_schema.si_ad_entry,
NULL, ACL_DISCLOSE, NULL ) )
{
rs->sr_err = LDAP_NO_SUCH_OBJECT;
} else {
rs->sr_matched = ch_strdup( e->e_dn );
if ( is_entry_referral( e )) {
BerVarray ref = get_entry_referrals( op, e );
rs->sr_ref = referral_rewrite( ref,
&e->e_name,
&op->o_req_dn,
LDAP_SCOPE_DEFAULT );
ber_bvarray_free( ref );
} else {
rs->sr_ref = NULL;
}
rs->sr_err = LDAP_REFERRAL;
}
wt_entry_return( e );
e = NULL;
} else {
rs->sr_ref = referral_rewrite( default_referral,
NULL,
&op->o_req_dn,
LDAP_SCOPE_DEFAULT );
rs->sr_err = rs->sr_ref ? LDAP_REFERRAL : LDAP_NO_SUCH_OBJECT;
}
rs->sr_flags = REP_MATCHED_MUSTBEFREED | REP_REF_MUSTBEFREED;
send_ldap_result( op, rs );
goto done;
}
if (!manageDSAit && is_entry_referral( e ) ) {
/* return referral only if "disclose" is granted on the object */
if ( !access_allowed( op, e, slap_schema.si_ad_entry,
NULL, ACL_DISCLOSE, NULL ) )
{
rs->sr_err = LDAP_NO_SUCH_OBJECT;
} else {
/* entry is a referral, don't allow compare */
rs->sr_ref = get_entry_referrals( op, e );
rs->sr_err = LDAP_REFERRAL;
rs->sr_matched = e->e_name.bv_val;
}
Debug( LDAP_DEBUG_TRACE, "entry is referral\n", 0, 0, 0 );
send_ldap_result( op, rs );
ber_bvarray_free( rs->sr_ref );
rs->sr_ref = NULL;
rs->sr_matched = NULL;
goto done;
}
rs->sr_err = slap_compare_entry( op, e, op->orc_ava );
return_results:
send_ldap_result( op, rs );
switch ( rs->sr_err ) {
case LDAP_COMPARE_FALSE:
case LDAP_COMPARE_TRUE:
rs->sr_err = LDAP_SUCCESS;
break;
}
done:
if ( e != NULL ) {
wt_entry_return( e );
}
return rs->sr_err;
}
int
sock_back_modify(
Operation *op,
SlapReply *rs )
{
Modification *mod;
struct sockinfo *si = (struct sockinfo *) op->o_bd->be_private;
AttributeDescription *entry = slap_schema.si_ad_entry;
Modifications *ml = op->orm_modlist;
Entry e;
FILE *fp;
int i;
e.e_id = NOID;
e.e_name = op->o_req_dn;
e.e_nname = op->o_req_ndn;
e.e_attrs = NULL;
e.e_ocflags = 0;
e.e_bv.bv_len = 0;
e.e_bv.bv_val = NULL;
e.e_private = NULL;
if ( ! access_allowed( op, &e,
entry, NULL, ACL_WRITE, NULL ) )
{
send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL );
return -1;
}
if ( (fp = opensock( si->si_sockpath )) == NULL ) {
send_ldap_error( op, rs, LDAP_OTHER,
"could not open socket" );
return( -1 );
}
/* write out the request to the modify process */
fprintf( fp, "MODIFY\n" );
fprintf( fp, "msgid: %ld\n", (long) op->o_msgid );
sock_print_conn( fp, op->o_conn, si );
sock_print_suffixes( fp, op->o_bd );
fprintf( fp, "dn: %s\n", op->o_req_dn.bv_val );
for ( ; ml != NULL; ml = ml->sml_next ) {
mod = &ml->sml_mod;
/* FIXME: should use LDIF routines to deal with binary data */
switch ( mod->sm_op ) {
case LDAP_MOD_ADD:
fprintf( fp, "add: %s\n", mod->sm_desc->ad_cname.bv_val );
break;
case LDAP_MOD_DELETE:
fprintf( fp, "delete: %s\n", mod->sm_desc->ad_cname.bv_val );
break;
case LDAP_MOD_REPLACE:
fprintf( fp, "replace: %s\n", mod->sm_desc->ad_cname.bv_val );
break;
}
if( mod->sm_values != NULL ) {
for ( i = 0; mod->sm_values[i].bv_val != NULL; i++ ) {
fprintf( fp, "%s: %s\n", mod->sm_desc->ad_cname.bv_val,
mod->sm_values[i].bv_val /* binary! */ );
}
}
fprintf( fp, "-\n" );
}
fprintf( fp, "\n" );
/* read in the results and send them along */
sock_read_and_send_results( op, rs, fp );
fclose( fp );
return( 0 );
}
int
backsql_modrdn( Operation *op, SlapReply *rs )
{
backsql_info *bi = (backsql_info*)op->o_bd->be_private;
SQLHDBC dbh = SQL_NULL_HDBC;
SQLHSTMT sth = SQL_NULL_HSTMT;
RETCODE rc;
backsql_entryID e_id = BACKSQL_ENTRYID_INIT,
n_id = BACKSQL_ENTRYID_INIT;
backsql_srch_info bsi = { 0 };
backsql_oc_map_rec *oc = NULL;
struct berval pdn = BER_BVNULL, pndn = BER_BVNULL,
*new_pdn = NULL, *new_npdn = NULL,
new_dn = BER_BVNULL, new_ndn = BER_BVNULL,
realnew_dn = BER_BVNULL;
Entry r = { 0 },
p = { 0 },
n = { 0 },
*e = NULL;
int manageDSAit = get_manageDSAit( op );
struct berval *newSuperior = op->oq_modrdn.rs_newSup;
Debug( LDAP_DEBUG_TRACE, "==>backsql_modrdn() renaming entry \"%s\", "
"newrdn=\"%s\", newSuperior=\"%s\"\n",
op->o_req_dn.bv_val, op->oq_modrdn.rs_newrdn.bv_val,
newSuperior ? newSuperior->bv_val : "(NULL)" );
rs->sr_err = backsql_get_db_conn( op, &dbh );
if ( rs->sr_err != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_TRACE, " backsql_modrdn(): "
"could not get connection handle - exiting\n" );
rs->sr_text = ( rs->sr_err == LDAP_OTHER )
? "SQL-backend error" : NULL;
e = NULL;
goto done;
}
bsi.bsi_e = &r;
rs->sr_err = backsql_init_search( &bsi, &op->o_req_ndn,
LDAP_SCOPE_BASE,
(time_t)(-1), NULL, dbh, op, rs,
slap_anlist_all_attributes,
( BACKSQL_ISF_MATCHED | BACKSQL_ISF_GET_ENTRY | BACKSQL_ISF_GET_OC ) );
switch ( rs->sr_err ) {
case LDAP_SUCCESS:
break;
case LDAP_REFERRAL:
if ( manageDSAit && !BER_BVISNULL( &bsi.bsi_e->e_nname ) &&
dn_match( &op->o_req_ndn, &bsi.bsi_e->e_nname ) )
{
rs->sr_err = LDAP_SUCCESS;
rs->sr_text = NULL;
rs->sr_matched = NULL;
if ( rs->sr_ref ) {
ber_bvarray_free( rs->sr_ref );
rs->sr_ref = NULL;
}
break;
}
e = &r;
/* fallthru */
default:
Debug( LDAP_DEBUG_TRACE, "backsql_modrdn(): "
"could not retrieve modrdnDN ID - no such entry\n" );
if ( !BER_BVISNULL( &r.e_nname ) ) {
/* FIXME: should always be true! */
e = &r;
} else {
e = NULL;
}
goto done;
}
Debug( LDAP_DEBUG_TRACE,
" backsql_modrdn(): entry id=" BACKSQL_IDFMT "\n",
BACKSQL_IDARG(e_id.eid_id) );
if ( get_assert( op ) &&
( test_filter( op, &r, get_assertion( op ) )
!= LDAP_COMPARE_TRUE ) )
{
rs->sr_err = LDAP_ASSERTION_FAILED;
e = &r;
goto done;
}
if ( backsql_has_children( op, dbh, &op->o_req_ndn ) == LDAP_COMPARE_TRUE ) {
Debug( LDAP_DEBUG_TRACE, " backsql_modrdn(): "
"entry \"%s\" has children\n",
op->o_req_dn.bv_val );
rs->sr_err = LDAP_NOT_ALLOWED_ON_NONLEAF;
rs->sr_text = "subtree rename not supported";
e = &r;
goto done;
}
/*
* Check for entry access to target
*/
if ( !access_allowed( op, &r, slap_schema.si_ad_entry,
NULL, ACL_WRITE, NULL ) ) {
Debug( LDAP_DEBUG_TRACE, " no access to entry\n" );
rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
goto done;
}
dnParent( &op->o_req_dn, &pdn );
dnParent( &op->o_req_ndn, &pndn );
/*
* namingContext "" is not supported
*/
if ( BER_BVISEMPTY( &pdn ) ) {
Debug( LDAP_DEBUG_TRACE, " backsql_modrdn(): "
"parent is \"\" - aborting\n" );
rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
rs->sr_text = "not allowed within namingContext";
e = NULL;
goto done;
}
/*
* Check for children access to parent
*/
bsi.bsi_e = &p;
e_id = bsi.bsi_base_id;
memset( &bsi.bsi_base_id, 0, sizeof( bsi.bsi_base_id ) );
rs->sr_err = backsql_init_search( &bsi, &pndn,
LDAP_SCOPE_BASE,
(time_t)(-1), NULL, dbh, op, rs,
slap_anlist_all_attributes,
BACKSQL_ISF_GET_ENTRY );
Debug( LDAP_DEBUG_TRACE,
" backsql_modrdn(): old parent entry id is " BACKSQL_IDFMT "\n",
BACKSQL_IDARG(bsi.bsi_base_id.eid_id) );
if ( rs->sr_err != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_TRACE, "backsql_modrdn(): "
"could not retrieve renameDN ID - no such entry\n" );
e = &p;
goto done;
}
if ( !access_allowed( op, &p, slap_schema.si_ad_children, NULL,
newSuperior ? ACL_WDEL : ACL_WRITE, NULL ) )
{
Debug( LDAP_DEBUG_TRACE, " no access to parent\n" );
rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
goto done;
}
if ( newSuperior ) {
(void)backsql_free_entryID( &bsi.bsi_base_id, 0, op->o_tmpmemctx );
/*
* namingContext "" is not supported
*/
if ( BER_BVISEMPTY( newSuperior ) ) {
Debug( LDAP_DEBUG_TRACE, " backsql_modrdn(): "
"newSuperior is \"\" - aborting\n" );
rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
rs->sr_text = "not allowed within namingContext";
e = NULL;
goto done;
}
new_pdn = newSuperior;
new_npdn = op->oq_modrdn.rs_nnewSup;
/*
* Check for children access to new parent
*/
bsi.bsi_e = &n;
rs->sr_err = backsql_init_search( &bsi, new_npdn,
LDAP_SCOPE_BASE,
(time_t)(-1), NULL, dbh, op, rs,
slap_anlist_all_attributes,
( BACKSQL_ISF_MATCHED | BACKSQL_ISF_GET_ENTRY ) );
if ( rs->sr_err != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_TRACE, "backsql_modrdn(): "
"could not retrieve renameDN ID - no such entry\n" );
e = &n;
goto done;
}
n_id = bsi.bsi_base_id;
Debug( LDAP_DEBUG_TRACE,
" backsql_modrdn(): new parent entry id=" BACKSQL_IDFMT "\n",
BACKSQL_IDARG(n_id.eid_id) );
if ( !access_allowed( op, &n, slap_schema.si_ad_children,
NULL, ACL_WADD, NULL ) ) {
Debug( LDAP_DEBUG_TRACE, " backsql_modrdn(): "
"no access to new parent \"%s\"\n",
new_pdn->bv_val );
rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
e = &n;
goto done;
}
} else {
n_id = bsi.bsi_base_id;
new_pdn = &pdn;
new_npdn = &pndn;
}
memset( &bsi.bsi_base_id, 0, sizeof( bsi.bsi_base_id ) );
if ( newSuperior && dn_match( &pndn, new_npdn ) ) {
Debug( LDAP_DEBUG_TRACE, " backsql_modrdn(): "
"newSuperior is equal to old parent - ignored\n" );
newSuperior = NULL;
}
if ( newSuperior && dn_match( &op->o_req_ndn, new_npdn ) ) {
Debug( LDAP_DEBUG_TRACE, " backsql_modrdn(): "
"newSuperior is equal to entry being moved "
"- aborting\n" );
rs->sr_err = LDAP_OTHER;
rs->sr_text = "newSuperior is equal to old DN";
e = &r;
goto done;
}
build_new_dn( &new_dn, new_pdn, &op->oq_modrdn.rs_newrdn,
op->o_tmpmemctx );
build_new_dn( &new_ndn, new_npdn, &op->oq_modrdn.rs_nnewrdn,
op->o_tmpmemctx );
Debug( LDAP_DEBUG_TRACE, " backsql_modrdn(): new entry dn is \"%s\"\n",
new_dn.bv_val );
realnew_dn = new_dn;
if ( backsql_api_dn2odbc( op, rs, &realnew_dn ) ) {
Debug( LDAP_DEBUG_TRACE, " backsql_modrdn(\"%s\"): "
"backsql_api_dn2odbc(\"%s\") failed\n",
op->o_req_dn.bv_val, realnew_dn.bv_val );
SQLFreeStmt( sth, SQL_DROP );
rs->sr_text = "SQL-backend error";
rs->sr_err = LDAP_OTHER;
e = NULL;
goto done;
}
Debug( LDAP_DEBUG_TRACE, " backsql_modrdn(): "
"executing renentry_stmt\n" );
rc = backsql_Prepare( dbh, &sth, bi->sql_renentry_stmt, 0 );
if ( rc != SQL_SUCCESS ) {
Debug( LDAP_DEBUG_TRACE,
" backsql_modrdn(): "
"error preparing renentry_stmt\n" );
backsql_PrintErrors( bi->sql_db_env, dbh,
sth, rc );
rs->sr_text = "SQL-backend error";
rs->sr_err = LDAP_OTHER;
e = NULL;
goto done;
}
rc = backsql_BindParamBerVal( sth, 1, SQL_PARAM_INPUT, &realnew_dn );
if ( rc != SQL_SUCCESS ) {
Debug( LDAP_DEBUG_TRACE,
" backsql_modrdn(): "
"error binding DN parameter for objectClass %s\n",
oc->bom_oc->soc_cname.bv_val );
backsql_PrintErrors( bi->sql_db_env, dbh,
sth, rc );
SQLFreeStmt( sth, SQL_DROP );
rs->sr_text = "SQL-backend error";
rs->sr_err = LDAP_OTHER;
e = NULL;
goto done;
}
rc = backsql_BindParamID( sth, 2, SQL_PARAM_INPUT, &n_id.eid_id );
if ( rc != SQL_SUCCESS ) {
Debug( LDAP_DEBUG_TRACE,
" backsql_modrdn(): "
"error binding parent ID parameter for objectClass %s\n",
oc->bom_oc->soc_cname.bv_val );
backsql_PrintErrors( bi->sql_db_env, dbh,
sth, rc );
SQLFreeStmt( sth, SQL_DROP );
rs->sr_text = "SQL-backend error";
rs->sr_err = LDAP_OTHER;
e = NULL;
goto done;
}
rc = backsql_BindParamID( sth, 3, SQL_PARAM_INPUT, &e_id.eid_keyval );
if ( rc != SQL_SUCCESS ) {
Debug( LDAP_DEBUG_TRACE,
" backsql_modrdn(): "
"error binding entry ID parameter for objectClass %s\n",
oc->bom_oc->soc_cname.bv_val );
backsql_PrintErrors( bi->sql_db_env, dbh,
sth, rc );
SQLFreeStmt( sth, SQL_DROP );
rs->sr_text = "SQL-backend error";
rs->sr_err = LDAP_OTHER;
e = NULL;
goto done;
}
rc = backsql_BindParamID( sth, 4, SQL_PARAM_INPUT, &e_id.eid_id );
if ( rc != SQL_SUCCESS ) {
Debug( LDAP_DEBUG_TRACE,
" backsql_modrdn(): "
"error binding ID parameter for objectClass %s\n",
oc->bom_oc->soc_cname.bv_val );
backsql_PrintErrors( bi->sql_db_env, dbh,
sth, rc );
SQLFreeStmt( sth, SQL_DROP );
rs->sr_text = "SQL-backend error";
rs->sr_err = LDAP_OTHER;
e = NULL;
goto done;
}
rc = SQLExecute( sth );
if ( rc != SQL_SUCCESS ) {
Debug( LDAP_DEBUG_TRACE, " backsql_modrdn(): "
"could not rename ldap_entries record\n" );
backsql_PrintErrors( bi->sql_db_env, dbh, sth, rc );
SQLFreeStmt( sth, SQL_DROP );
rs->sr_err = LDAP_OTHER;
rs->sr_text = "SQL-backend error";
e = NULL;
goto done;
}
SQLFreeStmt( sth, SQL_DROP );
assert( op->orr_modlist != NULL );
slap_mods_opattrs( op, &op->orr_modlist, 1 );
assert( e_id.eid_oc != NULL );
oc = e_id.eid_oc;
rs->sr_err = backsql_modify_internal( op, rs, dbh, oc, &e_id, op->orr_modlist );
slap_graduate_commit_csn( op );
if ( rs->sr_err != LDAP_SUCCESS ) {
e = &r;
goto done;
}
if ( BACKSQL_CHECK_SCHEMA( bi ) ) {
char textbuf[ SLAP_TEXT_BUFLEN ] = { '\0' };
backsql_entry_clean( op, &r );
(void)backsql_free_entryID( &e_id, 0, op->o_tmpmemctx );
bsi.bsi_e = &r;
rs->sr_err = backsql_init_search( &bsi, &new_ndn,
LDAP_SCOPE_BASE,
(time_t)(-1), NULL, dbh, op, rs,
slap_anlist_all_attributes,
( BACKSQL_ISF_MATCHED | BACKSQL_ISF_GET_ENTRY ) );
switch ( rs->sr_err ) {
case LDAP_SUCCESS:
break;
case LDAP_REFERRAL:
if ( manageDSAit && !BER_BVISNULL( &bsi.bsi_e->e_nname ) &&
dn_match( &new_ndn, &bsi.bsi_e->e_nname ) )
{
rs->sr_err = LDAP_SUCCESS;
rs->sr_text = NULL;
rs->sr_matched = NULL;
if ( rs->sr_ref ) {
ber_bvarray_free( rs->sr_ref );
rs->sr_ref = NULL;
}
break;
}
e = &r;
/* fallthru */
default:
Debug( LDAP_DEBUG_TRACE, "backsql_modrdn(): "
"could not retrieve modrdnDN ID - no such entry\n" );
if ( !BER_BVISNULL( &r.e_nname ) ) {
/* FIXME: should always be true! */
e = &r;
} else {
e = NULL;
}
goto done;
}
e_id = bsi.bsi_base_id;
rs->sr_err = entry_schema_check( op, &r, NULL, 0, 0, NULL,
&rs->sr_text, textbuf, sizeof( textbuf ) );
if ( rs->sr_err != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_TRACE, " backsql_modrdn(\"%s\"): "
"entry failed schema check -- aborting\n",
r.e_name.bv_val );
e = NULL;
goto done;
}
}
done:;
if ( e != NULL ) {
if ( !access_allowed( op, e, slap_schema.si_ad_entry, NULL,
ACL_DISCLOSE, NULL ) )
{
rs->sr_err = LDAP_NO_SUCH_OBJECT;
rs->sr_text = NULL;
rs->sr_matched = NULL;
if ( rs->sr_ref ) {
ber_bvarray_free( rs->sr_ref );
rs->sr_ref = NULL;
}
}
}
/*
* Commit only if all operations succeed
*/
if ( sth != SQL_NULL_HSTMT ) {
SQLUSMALLINT CompletionType = SQL_ROLLBACK;
if ( rs->sr_err == LDAP_SUCCESS && !op->o_noop ) {
CompletionType = SQL_COMMIT;
}
SQLTransact( SQL_NULL_HENV, dbh, CompletionType );
}
if ( op->o_noop && rs->sr_err == LDAP_SUCCESS ) {
rs->sr_err = LDAP_X_NO_OPERATION;
}
send_ldap_result( op, rs );
slap_graduate_commit_csn( op );
if ( !BER_BVISNULL( &realnew_dn ) && realnew_dn.bv_val != new_dn.bv_val ) {
ch_free( realnew_dn.bv_val );
}
if ( !BER_BVISNULL( &new_dn ) ) {
slap_sl_free( new_dn.bv_val, op->o_tmpmemctx );
}
if ( !BER_BVISNULL( &new_ndn ) ) {
slap_sl_free( new_ndn.bv_val, op->o_tmpmemctx );
}
if ( !BER_BVISNULL( &e_id.eid_ndn ) ) {
(void)backsql_free_entryID( &e_id, 0, op->o_tmpmemctx );
}
if ( !BER_BVISNULL( &n_id.eid_ndn ) ) {
(void)backsql_free_entryID( &n_id, 0, op->o_tmpmemctx );
}
if ( !BER_BVISNULL( &r.e_nname ) ) {
backsql_entry_clean( op, &r );
}
if ( !BER_BVISNULL( &p.e_nname ) ) {
backsql_entry_clean( op, &p );
}
if ( !BER_BVISNULL( &n.e_nname ) ) {
backsql_entry_clean( op, &n );
}
if ( rs->sr_ref ) {
ber_bvarray_free( rs->sr_ref );
rs->sr_ref = NULL;
}
Debug( LDAP_DEBUG_TRACE, "<==backsql_modrdn()\n" );
return rs->sr_err;
}
int
shell_back_bind(
Operation *op,
SlapReply *rs )
{
struct shellinfo *si = (struct shellinfo *) op->o_bd->be_private;
AttributeDescription *entry = slap_schema.si_ad_entry;
Entry e;
FILE *rfp, *wfp;
int rc;
/* allow rootdn as a means to auth without the need to actually
* contact the proxied DSA */
switch ( be_rootdn_bind( op, rs ) ) {
case SLAP_CB_CONTINUE:
break;
default:
return rs->sr_err;
}
if ( si->si_bind == NULL ) {
send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
"bind not implemented" );
return( -1 );
}
e.e_id = NOID;
e.e_name = op->o_req_dn;
e.e_nname = op->o_req_ndn;
e.e_attrs = NULL;
e.e_ocflags = 0;
e.e_bv.bv_len = 0;
e.e_bv.bv_val = NULL;
e.e_private = NULL;
if ( ! access_allowed( op, &e,
entry, NULL, ACL_AUTH, NULL ) )
{
send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL );
return -1;
}
if ( forkandexec( si->si_bind, &rfp, &wfp ) == (pid_t)-1 ) {
send_ldap_error( op, rs, LDAP_OTHER,
"could not fork/exec" );
return( -1 );
}
/* write out the request to the bind process */
fprintf( wfp, "BIND\n" );
fprintf( wfp, "msgid: %ld\n", (long) op->o_msgid );
print_suffixes( wfp, op->o_bd );
fprintf( wfp, "dn: %s\n", op->o_req_dn.bv_val );
fprintf( wfp, "method: %d\n", op->oq_bind.rb_method );
fprintf( wfp, "credlen: %lu\n", op->oq_bind.rb_cred.bv_len );
fprintf( wfp, "cred: %s\n", op->oq_bind.rb_cred.bv_val ); /* XXX */
fclose( wfp );
/* read in the results and send them along */
rc = read_and_send_results( op, rs, rfp );
fclose( rfp );
return( rc );
}
static int
deref_response( Operation *op, SlapReply *rs )
{
int rc = SLAP_CB_CONTINUE;
if ( rs->sr_type == REP_SEARCH ) {
BerElementBuffer berbuf;
BerElement *ber = (BerElement *) &berbuf;
deref_cb_t *dc = (deref_cb_t *)op->o_callback->sc_private;
DerefSpec *ds;
DerefRes *dr, *drhead = NULL, **drp = &drhead;
struct berval bv = BER_BVNULL;
int nDerefRes = 0, nDerefVals = 0, nAttrs = 0, nVals = 0;
struct berval ctrlval;
LDAPControl *ctrl, *ctrlsp[2];
AccessControlState acl_state = ACL_STATE_INIT;
static char dummy = '\0';
Entry *ebase;
int i;
rc = overlay_entry_get_ov( op, &rs->sr_entry->e_nname, NULL, NULL, 0, &ebase, dc->dc_on );
if ( rc != LDAP_SUCCESS || ebase == NULL ) {
return SLAP_CB_CONTINUE;
}
for ( ds = dc->dc_ds; ds; ds = ds->ds_next ) {
Attribute *a = attr_find( ebase->e_attrs, ds->ds_derefAttr );
if ( a != NULL ) {
DerefVal *dv;
BerVarray *bva;
if ( !access_allowed( op, rs->sr_entry, a->a_desc,
NULL, ACL_READ, &acl_state ) )
{
continue;
}
dr = op->o_tmpcalloc( 1,
sizeof( DerefRes ) + ( sizeof( DerefVal ) + sizeof( BerVarray * ) * ds->ds_nattrs ) * ( a->a_numvals + 1 ),
op->o_tmpmemctx );
dr->dr_spec = *ds;
dv = dr->dr_vals = (DerefVal *)&dr[ 1 ];
bva = (BerVarray *)&dv[ a->a_numvals + 1 ];
bv.bv_len += ds->ds_derefAttr->ad_cname.bv_len;
nAttrs++;
nDerefRes++;
for ( i = 0; !BER_BVISNULL( &a->a_nvals[ i ] ); i++ ) {
Entry *e = NULL;
dv[ i ].dv_attrVals = bva;
bva += ds->ds_nattrs;
if ( !access_allowed( op, rs->sr_entry, a->a_desc,
&a->a_nvals[ i ], ACL_READ, &acl_state ) )
{
dv[ i ].dv_derefSpecVal.bv_val = &dummy;
continue;
}
ber_dupbv_x( &dv[ i ].dv_derefSpecVal, &a->a_vals[ i ], op->o_tmpmemctx );
bv.bv_len += dv[ i ].dv_derefSpecVal.bv_len;
nVals++;
nDerefVals++;
rc = overlay_entry_get_ov( op, &a->a_nvals[ i ], NULL, NULL, 0, &e, dc->dc_on );
if ( rc == LDAP_SUCCESS && e != NULL ) {
int j;
if ( access_allowed( op, e, slap_schema.si_ad_entry,
NULL, ACL_READ, NULL ) )
{
for ( j = 0; j < ds->ds_nattrs; j++ ) {
Attribute *aa;
if ( !access_allowed( op, e, ds->ds_attributes[ j ], NULL,
ACL_READ, &acl_state ) )
{
continue;
}
aa = attr_find( e->e_attrs, ds->ds_attributes[ j ] );
if ( aa != NULL ) {
unsigned k, h, last = aa->a_numvals;
ber_bvarray_dup_x( &dv[ i ].dv_attrVals[ j ],
aa->a_vals, op->o_tmpmemctx );
bv.bv_len += ds->ds_attributes[ j ]->ad_cname.bv_len;
for ( k = 0, h = 0; k < aa->a_numvals; k++ ) {
if ( !access_allowed( op, e,
aa->a_desc,
&aa->a_nvals[ k ],
ACL_READ, &acl_state ) )
{
op->o_tmpfree( dv[ i ].dv_attrVals[ j ][ h ].bv_val,
op->o_tmpmemctx );
dv[ i ].dv_attrVals[ j ][ h ] = dv[ i ].dv_attrVals[ j ][ --last ];
BER_BVZERO( &dv[ i ].dv_attrVals[ j ][ last ] );
continue;
}
bv.bv_len += dv[ i ].dv_attrVals[ j ][ h ].bv_len;
nVals++;
h++;
}
nAttrs++;
}
}
}
overlay_entry_release_ov( op, e, 0, dc->dc_on );
}
}
*drp = dr;
drp = &dr->dr_next;
}
}
overlay_entry_release_ov( op, ebase, 0, dc->dc_on );
if ( drhead == NULL ) {
return SLAP_CB_CONTINUE;
}
/* cook the control value */
bv.bv_len += nVals * sizeof(struct berval)
+ nAttrs * sizeof(struct berval)
+ nDerefVals * sizeof(DerefVal)
+ nDerefRes * sizeof(DerefRes);
bv.bv_val = op->o_tmpalloc( bv.bv_len, op->o_tmpmemctx );
ber_init2( ber, &bv, LBER_USE_DER );
ber_set_option( ber, LBER_OPT_BER_MEMCTX, &op->o_tmpmemctx );
rc = ber_printf( ber, "{" /*}*/ );
for ( dr = drhead; dr != NULL; dr = dr->dr_next ) {
for ( i = 0; !BER_BVISNULL( &dr->dr_vals[ i ].dv_derefSpecVal ); i++ ) {
int j, first = 1;
if ( dr->dr_vals[ i ].dv_derefSpecVal.bv_val == &dummy ) {
continue;
}
rc = ber_printf( ber, "{OO" /*}*/,
&dr->dr_spec.ds_derefAttr->ad_cname,
&dr->dr_vals[ i ].dv_derefSpecVal );
op->o_tmpfree( dr->dr_vals[ i ].dv_derefSpecVal.bv_val, op->o_tmpmemctx );
for ( j = 0; j < dr->dr_spec.ds_nattrs; j++ ) {
if ( dr->dr_vals[ i ].dv_attrVals[ j ] != NULL ) {
if ( first ) {
rc = ber_printf( ber, "t{" /*}*/,
(LBER_CONSTRUCTED|LBER_CLASS_CONTEXT) );
first = 0;
}
rc = ber_printf( ber, "{O[W]}",
&dr->dr_spec.ds_attributes[ j ]->ad_cname,
dr->dr_vals[ i ].dv_attrVals[ j ] );
op->o_tmpfree( dr->dr_vals[ i ].dv_attrVals[ j ],
op->o_tmpmemctx );
}
}
if ( !first ) {
rc = ber_printf( ber, /*{{*/ "}N}" );
} else {
rc = ber_printf( ber, /*{*/ "}" );
}
}
}
rc = ber_printf( ber, /*{*/ "}" );
if ( ber_flatten2( ber, &ctrlval, 0 ) == -1 ) {
if ( op->o_deref == SLAP_CONTROL_CRITICAL ) {
rc = LDAP_CONSTRAINT_VIOLATION;
} else {
rc = SLAP_CB_CONTINUE;
}
goto cleanup;
}
ctrl = op->o_tmpcalloc( 1,
sizeof( LDAPControl ) + ctrlval.bv_len + 1,
op->o_tmpmemctx );
ctrl->ldctl_value.bv_val = (char *)&ctrl[ 1 ];
ctrl->ldctl_oid = LDAP_CONTROL_X_DEREF;
ctrl->ldctl_iscritical = 0;
ctrl->ldctl_value.bv_len = ctrlval.bv_len;
memcpy( ctrl->ldctl_value.bv_val, ctrlval.bv_val, ctrlval.bv_len );
ctrl->ldctl_value.bv_val[ ctrl->ldctl_value.bv_len ] = '\0';
ber_free_buf( ber );
ctrlsp[0] = ctrl;
ctrlsp[1] = NULL;
slap_add_ctrls( op, rs, ctrlsp );
rc = SLAP_CB_CONTINUE;
cleanup:;
/* release all */
for ( ; drhead != NULL; ) {
DerefRes *drnext = drhead->dr_next;
op->o_tmpfree( drhead, op->o_tmpmemctx );
drhead = drnext;
}
} else if ( rs->sr_type == REP_RESULT ) {
rc = deref_cleanup( op, rs );
}
return rc;
}
