int
meta_back_delete( Operation *op, SlapReply *rs )
{
metainfo_t *mi = ( metainfo_t * )op->o_bd->be_private;
metatarget_t *mt;
metaconn_t *mc = NULL;
int candidate = -1;
struct berval mdn = BER_BVNULL;
dncookie dc;
int msgid;
ldap_back_send_t retrying = LDAP_BACK_RETRYING;
LDAPControl **ctrls = NULL;
mc = meta_back_getconn( op, rs, &candidate, LDAP_BACK_SENDERR );
if ( !mc || !meta_back_dobind( op, rs, mc, LDAP_BACK_SENDERR ) ) {
return rs->sr_err;
}
assert( mc->mc_conns[ candidate ].msc_ld != NULL );
ldap_pvt_thread_mutex_lock( &mc->mc_mutex );
/*
* Rewrite the compare dn, if needed
*/
mt = mi->mi_targets[ candidate ];
dc.target = mt;
dc.conn = op->o_conn;
dc.rs = rs;
dc.ctx = "deleteDN";
if ( ldap_back_dn_massage( &dc, &op->o_req_dn, &mdn ) ) {
send_ldap_result( op, rs );
goto cleanup;
}
retry:;
ctrls = op->o_ctrls;
if ( meta_back_controls_add( op, rs, mc, candidate, &ctrls ) != LDAP_SUCCESS )
{
send_ldap_result( op, rs );
goto cleanup;
}
rs->sr_err = ldap_delete_ext( mc->mc_conns[ candidate ].msc_ld,
mdn.bv_val, ctrls, NULL, &msgid );
rs->sr_err = meta_back_op_result( mc, op, rs, candidate, msgid,
mt->mt_timeout[ SLAP_OP_DELETE ], ( LDAP_BACK_SENDRESULT | retrying ) );
if ( rs->sr_err == LDAP_UNAVAILABLE && retrying ) {
retrying &= ~LDAP_BACK_RETRYING;
if ( meta_back_retry( op, rs, &mc, candidate, LDAP_BACK_SENDERR ) ) {
/* if the identity changed, there might be need to re-authz */
(void)mi->mi_ldap_extra->controls_free( op, rs, &ctrls );
goto retry;
}
}
cleanup:;
(void)mi->mi_ldap_extra->controls_free( op, rs, &ctrls );
if ( mdn.bv_val != op->o_req_dn.bv_val ) {
free( mdn.bv_val );
BER_BVZERO( &mdn );
}
if ( mc ) {
ldap_pvt_thread_mutex_unlock( &mc->mc_mutex );
meta_back_release_conn( mi, mc );
}
return rs->sr_err;
}
int
meta_back_modify( Operation *op, SlapReply *rs )
{
metainfo_t *mi = ( metainfo_t * )op->o_bd->be_private;
metatarget_t *mt;
metaconn_t *mc;
int rc = 0;
LDAPMod **modv = NULL;
LDAPMod *mods = NULL;
Modifications *ml;
int candidate = -1, i;
int isupdate;
struct berval mdn = BER_BVNULL;
struct berval mapped;
dncookie dc;
int msgid;
ldap_back_send_t retrying = LDAP_BACK_RETRYING;
LDAPControl **ctrls = NULL;
mc = meta_back_getconn( op, rs, &candidate, LDAP_BACK_SENDERR );
if ( !mc || !meta_back_dobind( op, rs, mc, LDAP_BACK_SENDERR ) ) {
return rs->sr_err;
}
assert( mc->mc_conns[ candidate ].msc_ld != NULL );
/*
* Rewrite the modify dn, if needed
*/
mt = mi->mi_targets[ candidate ];
dc.target = mt;
dc.conn = op->o_conn;
dc.rs = rs;
dc.ctx = "modifyDN";
if ( ldap_back_dn_massage( &dc, &op->o_req_dn, &mdn ) ) {
send_ldap_result( op, rs );
goto cleanup;
}
for ( i = 0, ml = op->orm_modlist; ml; i++ ,ml = ml->sml_next )
;
mods = ch_malloc( sizeof( LDAPMod )*i );
if ( mods == NULL ) {
rs->sr_err = LDAP_OTHER;
send_ldap_result( op, rs );
goto cleanup;
}
modv = ( LDAPMod ** )ch_malloc( ( i + 1 )*sizeof( LDAPMod * ) );
if ( modv == NULL ) {
rs->sr_err = LDAP_OTHER;
send_ldap_result( op, rs );
goto cleanup;
}
dc.ctx = "modifyAttrDN";
isupdate = be_shadow_update( op );
for ( i = 0, ml = op->orm_modlist; ml; ml = ml->sml_next ) {
int j, is_oc = 0;
if ( !isupdate && !get_relax( op ) && ml->sml_desc->ad_type->sat_no_user_mod )
{
continue;
}
if ( ml->sml_desc == slap_schema.si_ad_objectClass
|| ml->sml_desc == slap_schema.si_ad_structuralObjectClass )
{
is_oc = 1;
mapped = ml->sml_desc->ad_cname;
} else {
ldap_back_map( &mt->mt_rwmap.rwm_at,
&ml->sml_desc->ad_cname, &mapped,
BACKLDAP_MAP );
if ( BER_BVISNULL( &mapped ) || BER_BVISEMPTY( &mapped ) ) {
continue;
}
}
modv[ i ] = &mods[ i ];
mods[ i ].mod_op = ml->sml_op | LDAP_MOD_BVALUES;
mods[ i ].mod_type = mapped.bv_val;
/*
* FIXME: dn-valued attrs should be rewritten
* to allow their use in ACLs at the back-ldap
* level.
*/
if ( ml->sml_values != NULL ) {
if ( is_oc ) {
for ( j = 0; !BER_BVISNULL( &ml->sml_values[ j ] ); j++ )
;
mods[ i ].mod_bvalues =
(struct berval **)ch_malloc( ( j + 1 ) *
sizeof( struct berval * ) );
for ( j = 0; !BER_BVISNULL( &ml->sml_values[ j ] ); ) {
struct ldapmapping *mapping;
ldap_back_mapping( &mt->mt_rwmap.rwm_oc,
&ml->sml_values[ j ], &mapping, BACKLDAP_MAP );
if ( mapping == NULL ) {
if ( mt->mt_rwmap.rwm_oc.drop_missing ) {
continue;
}
mods[ i ].mod_bvalues[ j ] = &ml->sml_values[ j ];
} else {
mods[ i ].mod_bvalues[ j ] = &mapping->dst;
}
j++;
}
mods[ i ].mod_bvalues[ j ] = NULL;
} else {
if ( ml->sml_desc->ad_type->sat_syntax ==
slap_schema.si_syn_distinguishedName )
{
( void )ldap_dnattr_rewrite( &dc, ml->sml_values );
if ( ml->sml_values == NULL ) {
continue;
}
}
for ( j = 0; !BER_BVISNULL( &ml->sml_values[ j ] ); j++ )
;
mods[ i ].mod_bvalues =
(struct berval **)ch_malloc( ( j + 1 ) *
sizeof( struct berval * ) );
for ( j = 0; !BER_BVISNULL( &ml->sml_values[ j ] ); j++ ) {
mods[ i ].mod_bvalues[ j ] = &ml->sml_values[ j ];
}
mods[ i ].mod_bvalues[ j ] = NULL;
}
} else {
mods[ i ].mod_bvalues = NULL;
}
i++;
}
modv[ i ] = 0;
retry:;
ctrls = op->o_ctrls;
rc = meta_back_controls_add( op, rs, mc, candidate, &ctrls );
if ( rc != LDAP_SUCCESS ) {
send_ldap_result( op, rs );
goto cleanup;
}
rs->sr_err = ldap_modify_ext( mc->mc_conns[ candidate ].msc_ld, mdn.bv_val,
modv, ctrls, NULL, &msgid );
rs->sr_err = meta_back_op_result( mc, op, rs, candidate, msgid,
mt->mt_timeout[ SLAP_OP_MODIFY ], ( LDAP_BACK_SENDRESULT | retrying ) );
if ( rs->sr_err == LDAP_UNAVAILABLE && retrying ) {
retrying &= ~LDAP_BACK_RETRYING;
if ( meta_back_retry( op, rs, &mc, candidate, LDAP_BACK_SENDERR ) ) {
/* if the identity changed, there might be need to re-authz */
(void)mi->mi_ldap_extra->controls_free( op, rs, &ctrls );
goto retry;
}
}
cleanup:;
(void)mi->mi_ldap_extra->controls_free( op, rs, &ctrls );
if ( mdn.bv_val != op->o_req_dn.bv_val ) {
free( mdn.bv_val );
BER_BVZERO( &mdn );
}
if ( modv != NULL ) {
for ( i = 0; modv[ i ]; i++ ) {
free( modv[ i ]->mod_bvalues );
}
}
free( mods );
free( modv );
if ( mc ) {
meta_back_release_conn( mi, mc );
}
return rs->sr_err;
}
int
meta_back_compare( Operation *op, SlapReply *rs )
{
metainfo_t *mi = ( metainfo_t * )op->o_bd->be_private;
metatarget_t *mt;
metaconn_t *mc;
int rc = 0;
int candidate = -1;
struct berval mdn = BER_BVNULL;
dncookie dc;
struct berval mapped_attr = op->orc_ava->aa_desc->ad_cname;
struct berval mapped_value = op->orc_ava->aa_value;
int msgid;
ldap_back_send_t retrying = LDAP_BACK_RETRYING;
LDAPControl **ctrls = NULL;
mc = meta_back_getconn( op, rs, &candidate, LDAP_BACK_SENDERR );
if ( !mc || !meta_back_dobind( op, rs, mc, LDAP_BACK_SENDERR ) ) {
return rs->sr_err;
}
assert( mc->mc_conns[ candidate ].msc_ld != NULL );
/*
* Rewrite the modify dn, if needed
*/
mt = mi->mi_targets[ candidate ];
dc.target = mt;
dc.conn = op->o_conn;
dc.rs = rs;
dc.ctx = "compareDN";
switch ( ldap_back_dn_massage( &dc, &op->o_req_dn, &mdn ) ) {
case LDAP_UNWILLING_TO_PERFORM:
rc = 1;
goto cleanup;
default:
break;
}
/*
* if attr is objectClass, try to remap the value
*/
if ( op->orc_ava->aa_desc == slap_schema.si_ad_objectClass ) {
ldap_back_map( &mt->mt_rwmap.rwm_oc,
&op->orc_ava->aa_value,
&mapped_value, BACKLDAP_MAP );
if ( BER_BVISNULL( &mapped_value ) || BER_BVISEMPTY( &mapped_value ) ) {
goto cleanup;
}
/*
* else try to remap the attribute
*/
} else {
ldap_back_map( &mt->mt_rwmap.rwm_at,
&op->orc_ava->aa_desc->ad_cname,
&mapped_attr, BACKLDAP_MAP );
if ( BER_BVISNULL( &mapped_attr ) || BER_BVISEMPTY( &mapped_attr ) ) {
goto cleanup;
}
if ( op->orc_ava->aa_desc->ad_type->sat_syntax == slap_schema.si_syn_distinguishedName )
{
dc.ctx = "compareAttrDN";
switch ( ldap_back_dn_massage( &dc, &op->orc_ava->aa_value, &mapped_value ) )
{
case LDAP_UNWILLING_TO_PERFORM:
rc = 1;
goto cleanup;
default:
break;
}
}
}
retry:;
ctrls = op->o_ctrls;
rc = meta_back_controls_add( op, rs, mc, candidate, &ctrls );
if ( rc != LDAP_SUCCESS ) {
send_ldap_result( op, rs );
goto cleanup;
}
rs->sr_err = ldap_compare_ext( mc->mc_conns[ candidate ].msc_ld, mdn.bv_val,
mapped_attr.bv_val, &mapped_value,
ctrls, NULL, &msgid );
rs->sr_err = meta_back_op_result( mc, op, rs, candidate, msgid,
mt->mt_timeout[ SLAP_OP_COMPARE ], ( LDAP_BACK_SENDRESULT | retrying ) );
if ( rs->sr_err == LDAP_UNAVAILABLE && retrying ) {
retrying &= ~LDAP_BACK_RETRYING;
if ( meta_back_retry( op, rs, &mc, candidate, LDAP_BACK_SENDERR ) ) {
/* if the identity changed, there might be need to re-authz */
(void)mi->mi_ldap_extra->controls_free( op, rs, &ctrls );
goto retry;
}
}
cleanup:;
(void)mi->mi_ldap_extra->controls_free( op, rs, &ctrls );
if ( mdn.bv_val != op->o_req_dn.bv_val ) {
free( mdn.bv_val );
}
if ( op->orc_ava->aa_value.bv_val != mapped_value.bv_val ) {
free( mapped_value.bv_val );
}
if ( mc ) {
meta_back_release_conn( mi, mc );
}
return rs->sr_err;
}
int
meta_back_add( Operation *op, SlapReply *rs )
{
metainfo_t *mi = ( metainfo_t * )op->o_bd->be_private;
metatarget_t *mt;
metaconn_t *mc;
int i, candidate = -1;
int isupdate;
Attribute *a;
LDAPMod **attrs;
struct berval mdn = BER_BVNULL, mapped;
dncookie dc;
int msgid;
ldap_back_send_t retrying = LDAP_BACK_RETRYING;
LDAPControl **ctrls = NULL;
Debug(LDAP_DEBUG_ARGS, "==> meta_back_add: %s\n",
op->o_req_dn.bv_val );
/*
* get the current connection
*/
mc = meta_back_getconn( op, rs, &candidate, LDAP_BACK_SENDERR );
if ( !mc || !meta_back_dobind( op, rs, mc, LDAP_BACK_SENDERR ) ) {
return rs->sr_err;
}
assert( mc->mc_conns[ candidate ].msc_ld != NULL );
/*
* Rewrite the add dn, if needed
*/
mt = mi->mi_targets[ candidate ];
dc.target = mt;
dc.conn = op->o_conn;
dc.rs = rs;
dc.ctx = "addDN";
if ( ldap_back_dn_massage( &dc, &op->o_req_dn, &mdn ) ) {
send_ldap_result( op, rs );
goto done;
}
/* Count number of attributes in entry ( +1 ) */
for ( i = 1, a = op->ora_e->e_attrs; a; i++, a = a->a_next );
/* Create array of LDAPMods for ldap_add() */
attrs = ch_malloc( sizeof( LDAPMod * )*i );
dc.ctx = "addAttrDN";
isupdate = be_shadow_update( op );
for ( i = 0, a = op->ora_e->e_attrs; a; a = a->a_next ) {
int j, is_oc = 0;
if ( !isupdate && !get_relax( op ) && a->a_desc->ad_type->sat_no_user_mod )
{
continue;
}
if ( a->a_desc == slap_schema.si_ad_objectClass
|| a->a_desc == slap_schema.si_ad_structuralObjectClass )
{
is_oc = 1;
mapped = a->a_desc->ad_cname;
} else {
ldap_back_map( &mt->mt_rwmap.rwm_at,
&a->a_desc->ad_cname, &mapped, BACKLDAP_MAP );
if ( BER_BVISNULL( &mapped ) || BER_BVISEMPTY( &mapped ) ) {
continue;
}
}
attrs[ i ] = ch_malloc( sizeof( LDAPMod ) );
if ( attrs[ i ] == NULL ) {
continue;
}
attrs[ i ]->mod_op = LDAP_MOD_BVALUES;
attrs[ i ]->mod_type = mapped.bv_val;
if ( is_oc ) {
for ( j = 0; !BER_BVISNULL( &a->a_vals[ j ] ); j++ )
;
attrs[ i ]->mod_bvalues =
(struct berval **)ch_malloc( ( j + 1 ) *
sizeof( struct berval * ) );
for ( j = 0; !BER_BVISNULL( &a->a_vals[ j ] ); ) {
struct ldapmapping *mapping;
ldap_back_mapping( &mt->mt_rwmap.rwm_oc,
&a->a_vals[ j ], &mapping, BACKLDAP_MAP );
if ( mapping == NULL ) {
if ( mt->mt_rwmap.rwm_oc.drop_missing ) {
continue;
}
attrs[ i ]->mod_bvalues[ j ] = &a->a_vals[ j ];
} else {
attrs[ i ]->mod_bvalues[ j ] = &mapping->dst;
}
j++;
}
attrs[ i ]->mod_bvalues[ j ] = NULL;
} else {
/*
* FIXME: dn-valued attrs should be rewritten
* to allow their use in ACLs at the back-ldap
* level.
*/
if ( a->a_desc->ad_type->sat_syntax ==
slap_schema.si_syn_distinguishedName )
{
(void)ldap_dnattr_rewrite( &dc, a->a_vals );
if ( a->a_vals == NULL ) {
continue;
}
}
for ( j = 0; !BER_BVISNULL( &a->a_vals[ j ] ); j++ )
;
attrs[ i ]->mod_bvalues = ch_malloc( ( j + 1 ) * sizeof( struct berval * ) );
for ( j = 0; !BER_BVISNULL( &a->a_vals[ j ] ); j++ ) {
attrs[ i ]->mod_bvalues[ j ] = &a->a_vals[ j ];
}
attrs[ i ]->mod_bvalues[ j ] = NULL;
}
i++;
}
attrs[ i ] = NULL;
retry:;
ctrls = op->o_ctrls;
if ( meta_back_controls_add( op, rs, mc, candidate, &ctrls ) != LDAP_SUCCESS )
{
send_ldap_result( op, rs );
goto cleanup;
}
rs->sr_err = ldap_add_ext( mc->mc_conns[ candidate ].msc_ld, mdn.bv_val,
attrs, ctrls, NULL, &msgid );
rs->sr_err = meta_back_op_result( mc, op, rs, candidate, msgid,
mt->mt_timeout[ SLAP_OP_ADD ], ( LDAP_BACK_SENDRESULT | retrying ) );
if ( rs->sr_err == LDAP_UNAVAILABLE && retrying ) {
retrying &= ~LDAP_BACK_RETRYING;
if ( meta_back_retry( op, rs, &mc, candidate, LDAP_BACK_SENDERR ) ) {
/* if the identity changed, there might be need to re-authz */
(void)mi->mi_ldap_extra->controls_free( op, rs, &ctrls );
goto retry;
}
}
cleanup:;
(void)mi->mi_ldap_extra->controls_free( op, rs, &ctrls );
for ( --i; i >= 0; --i ) {
free( attrs[ i ]->mod_bvalues );
free( attrs[ i ] );
}
free( attrs );
if ( mdn.bv_val != op->ora_e->e_dn ) {
free( mdn.bv_val );
BER_BVZERO( &mdn );
}
done:;
if ( mc ) {
meta_back_release_conn( mi, mc );
}
return rs->sr_err;
}
int
meta_back_modrdn( Operation *op, SlapReply *rs )
{
metainfo_t *mi = ( metainfo_t * )op->o_bd->be_private;
metatarget_t *mt;
metaconn_t *mc;
int candidate = -1;
struct berval mdn = BER_BVNULL,
mnewSuperior = BER_BVNULL;
dncookie dc;
int msgid;
ldap_back_send_t retrying = LDAP_BACK_RETRYING;
LDAPControl **ctrls = NULL;
struct berval newrdn = BER_BVNULL;
mc = meta_back_getconn( op, rs, &candidate, LDAP_BACK_SENDERR );
if ( !mc || !meta_back_dobind( op, rs, mc, LDAP_BACK_SENDERR ) ) {
return rs->sr_err;
}
assert( mc->mc_conns[ candidate ].msc_ld != NULL );
mt = mi->mi_targets[ candidate ];
dc.target = mt;
dc.conn = op->o_conn;
dc.rs = rs;
if ( op->orr_newSup ) {
/*
* NOTE: the newParent, if defined, must be on the
* same target as the entry to be renamed. This check
* has been anticipated in meta_back_getconn()
*/
/*
* FIXME: one possibility is to delete the entry
* from one target and add it to the other;
* unfortunately we'd need write access to both,
* which is nearly impossible; for administration
* needs, the rootdn of the metadirectory could
* be mapped to an administrative account on each
* target (the binddn?); we'll see.
*/
/*
* NOTE: we need to port the identity assertion
* feature from back-ldap
*/
/* needs LDAPv3 */
switch ( mt->mt_version ) {
case LDAP_VERSION3:
break;
case 0:
if ( op->o_protocol == 0 || op->o_protocol == LDAP_VERSION3 ) {
break;
}
/* fall thru */
default:
/* op->o_protocol cannot be anything but LDAPv3,
* otherwise wouldn't be here */
rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
send_ldap_result( op, rs );
goto cleanup;
}
/*
* Rewrite the new superior, if defined and required
*/
dc.ctx = "newSuperiorDN";
if ( ldap_back_dn_massage( &dc, op->orr_newSup, &mnewSuperior ) ) {
rs->sr_err = LDAP_OTHER;
send_ldap_result( op, rs );
goto cleanup;
}
}
/*
* Rewrite the modrdn dn, if required
*/
dc.ctx = "modrDN";
if ( ldap_back_dn_massage( &dc, &op->o_req_dn, &mdn ) ) {
rs->sr_err = LDAP_OTHER;
send_ldap_result( op, rs );
goto cleanup;
}
/* NOTE: we need to copy the newRDN in case it was formed
* from a DN by simply changing the length (ITS#5397) */
newrdn = op->orr_newrdn;
if ( newrdn.bv_val[ newrdn.bv_len ] != '\0' ) {
ber_dupbv_x( &newrdn, &op->orr_newrdn, op->o_tmpmemctx );
}
retry:;
ctrls = op->o_ctrls;
if ( meta_back_controls_add( op, rs, mc, candidate, &ctrls ) != LDAP_SUCCESS )
{
send_ldap_result( op, rs );
goto cleanup;
}
rs->sr_err = ldap_rename( mc->mc_conns[ candidate ].msc_ld,
mdn.bv_val, newrdn.bv_val,
mnewSuperior.bv_val, op->orr_deleteoldrdn,
ctrls, NULL, &msgid );
rs->sr_err = meta_back_op_result( mc, op, rs, candidate, msgid,
mt->mt_timeout[ SLAP_OP_MODRDN ], ( LDAP_BACK_SENDRESULT | retrying ) );
if ( rs->sr_err == LDAP_UNAVAILABLE && retrying ) {
retrying &= ~LDAP_BACK_RETRYING;
if ( meta_back_retry( op, rs, &mc, candidate, LDAP_BACK_SENDERR ) ) {
/* if the identity changed, there might be need to re-authz */
(void)mi->mi_ldap_extra->controls_free( op, rs, &ctrls );
goto retry;
}
}
cleanup:;
(void)mi->mi_ldap_extra->controls_free( op, rs, &ctrls );
if ( mdn.bv_val != op->o_req_dn.bv_val ) {
free( mdn.bv_val );
BER_BVZERO( &mdn );
}
if ( !BER_BVISNULL( &mnewSuperior )
&& mnewSuperior.bv_val != op->orr_newSup->bv_val )
{
free( mnewSuperior.bv_val );
BER_BVZERO( &mnewSuperior );
}
if ( newrdn.bv_val != op->orr_newrdn.bv_val ) {
op->o_tmpfree( newrdn.bv_val, op->o_tmpmemctx );
}
if ( mc ) {
meta_back_release_conn( mi, mc );
}
return rs->sr_err;
}
/*
* meta_back_dobind
*/
int
meta_back_dobind(
Operation *op,
SlapReply *rs,
metaconn_t *mc,
ldap_back_send_t sendok )
{
metainfo_t *mi = ( metainfo_t * )op->o_bd->be_private;
int bound = 0,
i,
isroot = 0;
SlapReply *candidates;
if ( be_isroot( op ) ) {
isroot = 1;
}
if ( LogTest( LDAP_DEBUG_TRACE ) ) {
char buf[STRLENOF("4294967295U") + 1] = { 0 };
mi->mi_ldap_extra->connid2str( &mc->mc_base, buf, sizeof(buf) );
Debug( LDAP_DEBUG_TRACE,
"%s meta_back_dobind: conn=%s%s\n",
op->o_log_prefix, buf,
isroot ? " (isroot)" : "" );
}
/*
* all the targets are bound as pseudoroot
*/
if ( mc->mc_authz_target == META_BOUND_ALL ) {
bound = 1;
goto done;
}
candidates = meta_back_candidates_get( op );
for ( i = 0; i < mi->mi_ntargets; i++ ) {
metatarget_t *mt = mi->mi_targets[ i ];
metasingleconn_t *msc = &mc->mc_conns[ i ];
int rc;
/*
* Not a candidate
*/
if ( !META_IS_CANDIDATE( &candidates[ i ] ) ) {
continue;
}
assert( msc->msc_ld != NULL );
/*
* If the target is already bound it is skipped
*/
retry_binding:;
ldap_pvt_thread_mutex_lock( &mi->mi_conninfo.lai_mutex );
if ( LDAP_BACK_CONN_ISBOUND( msc )
|| ( LDAP_BACK_CONN_ISANON( msc )
&& mt->mt_idassert_authmethod == LDAP_AUTH_NONE ) )
{
ldap_pvt_thread_mutex_unlock( &mi->mi_conninfo.lai_mutex );
++bound;
continue;
} else if ( META_BACK_CONN_CREATING( msc ) || LDAP_BACK_CONN_BINDING( msc ) )
{
ldap_pvt_thread_mutex_unlock( &mi->mi_conninfo.lai_mutex );
ldap_pvt_thread_yield();
goto retry_binding;
}
LDAP_BACK_CONN_BINDING_SET( msc );
ldap_pvt_thread_mutex_unlock( &mi->mi_conninfo.lai_mutex );
rc = meta_back_single_dobind( op, rs, &mc, i,
LDAP_BACK_DONTSEND, mt->mt_nretries, 1 );
/*
* NOTE: meta_back_single_dobind() already retries;
* in case of failure, it resets mc...
*/
if ( rc != LDAP_SUCCESS ) {
char buf[ SLAP_TEXT_BUFLEN ];
if ( mc == NULL ) {
/* meta_back_single_dobind() already sent
* response and released connection */
goto send_err;
}
if ( rc == LDAP_UNAVAILABLE ) {
/* FIXME: meta_back_retry() already re-calls
* meta_back_single_dobind() */
if ( meta_back_retry( op, rs, &mc, i, sendok ) ) {
goto retry_ok;
}
if ( mc != NULL ) {
ldap_pvt_thread_mutex_lock( &mi->mi_conninfo.lai_mutex );
LDAP_BACK_CONN_BINDING_CLEAR( msc );
meta_back_release_conn_lock( mi, mc, 0 );
ldap_pvt_thread_mutex_unlock( &mi->mi_conninfo.lai_mutex );
}
return 0;
}
ldap_pvt_thread_mutex_lock( &mi->mi_conninfo.lai_mutex );
LDAP_BACK_CONN_BINDING_CLEAR( msc );
ldap_pvt_thread_mutex_unlock( &mi->mi_conninfo.lai_mutex );
snprintf( buf, sizeof( buf ),
"meta_back_dobind[%d]: (%s) err=%d (%s).",
i, isroot ? op->o_bd->be_rootdn.bv_val : "anonymous",
rc, ldap_err2string( rc ) );
Debug( LDAP_DEBUG_ANY,
"%s %s\n",
op->o_log_prefix, buf );
/*
* null cred bind should always succeed
* as anonymous, so a failure means
* the target is no longer candidate possibly
* due to technical reasons (remote host down?)
* so better clear the handle
*/
/* leave the target candidate, but record the error for later use */
candidates[ i ].sr_err = rc;
if ( META_BACK_ONERR_STOP( mi ) ) {
bound = 0;
goto done;
}
continue;
} /* else */
retry_ok:;
Debug( LDAP_DEBUG_TRACE,
"%s meta_back_dobind[%d]: "
"(%s)\n",
op->o_log_prefix, i,
isroot ? op->o_bd->be_rootdn.bv_val : "anonymous" );
ldap_pvt_thread_mutex_lock( &mi->mi_conninfo.lai_mutex );
LDAP_BACK_CONN_BINDING_CLEAR( msc );
if ( isroot ) {
LDAP_BACK_CONN_ISBOUND_SET( msc );
} else {
LDAP_BACK_CONN_ISANON_SET( msc );
}
ldap_pvt_thread_mutex_unlock( &mi->mi_conninfo.lai_mutex );
++bound;
}
done:;
if ( LogTest( LDAP_DEBUG_TRACE ) ) {
char buf[STRLENOF("4294967295U") + 1] = { 0 };
mi->mi_ldap_extra->connid2str( &mc->mc_base, buf, sizeof(buf) );
Debug( LDAP_DEBUG_TRACE,
"%s meta_back_dobind: conn=%s bound=%d\n",
op->o_log_prefix, buf, bound );
}
if ( bound == 0 ) {
meta_back_release_conn( mi, mc );
send_err:;
if ( sendok & LDAP_BACK_SENDERR ) {
if ( rs->sr_err == LDAP_SUCCESS ) {
rs->sr_err = LDAP_BUSY;
}
send_ldap_result( op, rs );
}
return 0;
}
return ( bound > 0 );
}
int
meta_back_bind( Operation *op, SlapReply *rs )
{
metainfo_t *mi = ( metainfo_t * )op->o_bd->be_private;
metaconn_t *mc = NULL;
int rc = LDAP_OTHER,
i,
gotit = 0,
isroot = 0;
SlapReply *candidates;
rs->sr_err = LDAP_SUCCESS;
Debug( LDAP_DEBUG_ARGS, "%s meta_back_bind: dn=\"%s\".\n",
op->o_log_prefix, op->o_req_dn.bv_val );
/* the test on the bind method should be superfluous */
switch ( be_rootdn_bind( op, rs ) ) {
case LDAP_SUCCESS:
if ( META_BACK_DEFER_ROOTDN_BIND( mi ) ) {
/* frontend will return success */
return rs->sr_err;
}
isroot = 1;
/* fallthru */
case SLAP_CB_CONTINUE:
break;
default:
/* be_rootdn_bind() sent result */
return rs->sr_err;
}
/* we need meta_back_getconn() not send result even on error,
* because we want to intercept the error and make it
* invalidCredentials */
mc = meta_back_getconn( op, rs, NULL, LDAP_BACK_BIND_DONTSEND );
if ( !mc ) {
if ( LogTest( LDAP_DEBUG_ANY ) ) {
char buf[ SLAP_TEXT_BUFLEN ];
snprintf( buf, sizeof( buf ),
"meta_back_bind: no target "
"for dn \"%s\" (%d%s%s).",
op->o_req_dn.bv_val, rs->sr_err,
rs->sr_text ? ". " : "",
rs->sr_text ? rs->sr_text : "" );
Debug( LDAP_DEBUG_ANY,
"%s %s\n",
op->o_log_prefix, buf );
}
/* FIXME: there might be cases where we don't want
* to map the error onto invalidCredentials */
switch ( rs->sr_err ) {
case LDAP_NO_SUCH_OBJECT:
case LDAP_UNWILLING_TO_PERFORM:
rs->sr_err = LDAP_INVALID_CREDENTIALS;
rs->sr_text = NULL;
break;
}
send_ldap_result( op, rs );
return rs->sr_err;
}
candidates = meta_back_candidates_get( op );
/*
* Each target is scanned ...
*/
mc->mc_authz_target = META_BOUND_NONE;
for ( i = 0; i < mi->mi_ntargets; i++ ) {
metatarget_t *mt = mi->mi_targets[ i ];
int lerr;
/*
* Skip non-candidates
*/
if ( !META_IS_CANDIDATE( &candidates[ i ] ) ) {
continue;
}
if ( gotit == 0 ) {
/* set rc to LDAP_SUCCESS only if at least
* one candidate has been tried */
rc = LDAP_SUCCESS;
gotit = 1;
} else if ( !isroot ) {
/*
* A bind operation is expected to have
* ONE CANDIDATE ONLY!
*/
Debug( LDAP_DEBUG_ANY,
"### %s meta_back_bind: more than one"
" candidate selected...\n",
op->o_log_prefix );
}
if ( isroot ) {
if ( mt->mt_idassert_authmethod == LDAP_AUTH_NONE
|| BER_BVISNULL( &mt->mt_idassert_authcDN ) )
{
metasingleconn_t *msc = &mc->mc_conns[ i ];
/* skip the target if no pseudorootdn is provided */
if ( !BER_BVISNULL( &msc->msc_bound_ndn ) ) {
ch_free( msc->msc_bound_ndn.bv_val );
BER_BVZERO( &msc->msc_bound_ndn );
}
if ( !BER_BVISNULL( &msc->msc_cred ) ) {
/* destroy sensitive data */
memset( msc->msc_cred.bv_val, 0,
msc->msc_cred.bv_len );
ch_free( msc->msc_cred.bv_val );
BER_BVZERO( &msc->msc_cred );
}
continue;
}
(void)meta_back_proxy_authz_bind( mc, i, op, rs, LDAP_BACK_DONTSEND, 1 );
lerr = rs->sr_err;
} else {
lerr = meta_back_single_bind( op, rs, mc, i );
}
if ( lerr != LDAP_SUCCESS ) {
rc = rs->sr_err = lerr;
/* FIXME: in some cases (e.g. unavailable)
* do not assume it's not candidate; rather
* mark this as an error to be eventually
* reported to client */
META_CANDIDATE_CLEAR( &candidates[ i ] );
break;
}
}
/* must re-insert if local DN changed as result of bind */
if ( rc == LDAP_SUCCESS ) {
if ( isroot ) {
mc->mc_authz_target = META_BOUND_ALL;
}
if ( !LDAP_BACK_PCONN_ISPRIV( mc )
&& !dn_match( &op->o_req_ndn, &mc->mc_local_ndn ) )
{
int lerr;
/* wait for all other ops to release the connection */
ldap_pvt_thread_mutex_lock( &mi->mi_conninfo.lai_mutex );
assert( mc->mc_refcnt == 1 );
#if META_BACK_PRINT_CONNTREE > 0
meta_back_print_conntree( mi, ">>> meta_back_bind" );
#endif /* META_BACK_PRINT_CONNTREE */
/* delete all cached connections with the current connection */
if ( LDAP_BACK_SINGLECONN( mi ) ) {
metaconn_t *tmpmc;
while ( ( tmpmc = avl_delete( &mi->mi_conninfo.lai_tree, (caddr_t)mc, meta_back_conn_cmp ) ) != NULL )
{
assert( !LDAP_BACK_PCONN_ISPRIV( mc ) );
Debug( LDAP_DEBUG_TRACE,
"=>meta_back_bind: destroying conn %lu (refcnt=%u)\n",
mc->mc_conn->c_connid, mc->mc_refcnt );
if ( tmpmc->mc_refcnt != 0 ) {
/* taint it */
LDAP_BACK_CONN_TAINTED_SET( tmpmc );
} else {
/*
* Needs a test because the handler may be corrupted,
* and calling ldap_unbind on a corrupted header results
* in a segmentation fault
*/
meta_back_conn_free( tmpmc );
}
}
}
ber_bvreplace( &mc->mc_local_ndn, &op->o_req_ndn );
lerr = avl_insert( &mi->mi_conninfo.lai_tree, (caddr_t)mc,
meta_back_conndn_cmp, meta_back_conndn_dup );
#if META_BACK_PRINT_CONNTREE > 0
meta_back_print_conntree( mi, "<<< meta_back_bind" );
#endif /* META_BACK_PRINT_CONNTREE */
if ( lerr == 0 ) {
#if 0
/* NOTE: a connection cannot be privileged
* and be in the avl tree at the same time
*/
if ( isroot ) {
LDAP_BACK_CONN_ISPRIV_SET( mc );
LDAP_BACK_PCONN_SET( mc, op );
}
#endif
LDAP_BACK_CONN_CACHED_SET( mc );
} else {
LDAP_BACK_CONN_CACHED_CLEAR( mc );
}
ldap_pvt_thread_mutex_unlock( &mi->mi_conninfo.lai_mutex );
}
}
if ( mc != NULL ) {
meta_back_release_conn( mi, mc );
}
/*
* rc is LDAP_SUCCESS if at least one bind succeeded,
* err is the last error that occurred during a bind;
* if at least (and at most?) one bind succeeds, fine.
*/
if ( rc != LDAP_SUCCESS ) {
/*
* deal with bind failure ...
*/
/*
* no target was found within the naming context,
* so bind must fail with invalid credentials
*/
if ( rs->sr_err == LDAP_SUCCESS && gotit == 0 ) {
rs->sr_err = LDAP_INVALID_CREDENTIALS;
} else {
rs->sr_err = slap_map_api2result( rs );
}
send_ldap_result( op, rs );
return rs->sr_err;
}
return LDAP_SUCCESS;
}
