int wt_bind( Operation *op, SlapReply *rs ) { struct wt_info *wi = (struct wt_info *) op->o_bd->be_private; WT_SESSION *session; wt_ctx *wc; int rc; Entry *e = NULL; Attribute *a; AttributeDescription *password = slap_schema.si_ad_userPassword; Debug( LDAP_DEBUG_ARGS, "==> " LDAP_XSTRING(wt_bind) ": dn: %s\n", op->o_req_dn.bv_val, 0, 0); /* allow noauth binds */ switch ( be_rootdn_bind( op, NULL ) ) { case LDAP_SUCCESS: /* frontend will send result */ return rs->sr_err = LDAP_SUCCESS; default: /* give the database a chance */ /* NOTE: this behavior departs from that of other backends, * since the others, in case of password checking failure * do not give the database a chance. If an entry with * rootdn's name does not exist in the database the result * will be the same. See ITS#4962 for discussion. */ break; } wc = wt_ctx_get(op, wi); if( !wc ){ Debug( LDAP_DEBUG_ANY, LDAP_XSTRING(wt_bind) ": wt_ctx_get failed\n", 0, 0, 0 ); rs->sr_err = LDAP_OTHER; rs->sr_text = "internal error"; send_ldap_result( op, rs ); return rs->sr_err; } /* get entry */ rc = wt_dn2entry(op->o_bd, wc, &op->o_req_ndn, &e); switch( rc ) { case 0: break; case WT_NOTFOUND: rs->sr_err = LDAP_INVALID_CREDENTIALS; send_ldap_result( op, rs ); return rs->sr_err; default: rs->sr_err = LDAP_OTHER; rs->sr_text = "internal error"; send_ldap_result( op, rs ); return rs->sr_err; } ber_dupbv( &op->oq_bind.rb_edn, &e->e_name ); /* check for deleted */ if ( is_entry_subentry( e ) ) { /* entry is an subentry, don't allow bind */ Debug( LDAP_DEBUG_TRACE, "entry is subentry\n", 0, 0, 0 ); rs->sr_err = LDAP_INVALID_CREDENTIALS; goto done; } if ( is_entry_alias( e ) ) { /* entry is an alias, don't allow bind */ Debug( LDAP_DEBUG_TRACE, "entry is alias\n", 0, 0, 0 ); rs->sr_err = LDAP_INVALID_CREDENTIALS; goto done; } if ( is_entry_referral( e ) ) { Debug( LDAP_DEBUG_TRACE, "entry is referral\n", 0, 0, 0 ); rs->sr_err = LDAP_INVALID_CREDENTIALS; goto done; } switch ( op->oq_bind.rb_method ) { case LDAP_AUTH_SIMPLE: a = attr_find( e->e_attrs, password ); if ( a == NULL ) { rs->sr_err = LDAP_INVALID_CREDENTIALS; goto done; } if ( slap_passwd_check( op, e, a, &op->oq_bind.rb_cred, &rs->sr_text ) != 0 ) { /* failure; stop front end from sending result */ rs->sr_err = LDAP_INVALID_CREDENTIALS; goto done; } rs->sr_err = 0; break; default: rs->sr_err = LDAP_STRONG_AUTH_NOT_SUPPORTED; rs->sr_text = "authentication method not supported"; } done: /* free entry */ if (e) { wt_entry_return(e); } if (rs->sr_err) { send_ldap_result( op, rs ); if ( rs->sr_ref ) { ber_bvarray_free( rs->sr_ref ); rs->sr_ref = NULL; } } return rs->sr_err; }
int mdb_modify( Operation *op, SlapReply *rs ) { struct mdb_info *mdb = (struct mdb_info *) op->o_bd->be_private; Entry *e = NULL; int manageDSAit = get_manageDSAit( op ); char textbuf[SLAP_TEXT_BUFLEN]; size_t textlen = sizeof textbuf; MDB_txn *txn = NULL; mdb_op_info opinfo = {{{ 0 }}}, *moi = &opinfo; Entry dummy = {0}; LDAPControl **preread_ctrl = NULL; LDAPControl **postread_ctrl = NULL; LDAPControl *ctrls[SLAP_MAX_RESPONSE_CONTROLS]; int num_ctrls = 0; int numads = -1; #ifdef LDAP_X_TXN int settle = 0; #endif Debug( LDAP_DEBUG_ARGS, LDAP_XSTRING(mdb_modify) ": %s\n", op->o_req_dn.bv_val ); #ifdef LDAP_X_TXN if( op->o_txnSpec ) { /* acquire connection lock */ ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex ); if( op->o_conn->c_txn == CONN_TXN_INACTIVE ) { rs->sr_text = "invalid transaction identifier"; rs->sr_err = LDAP_X_TXN_ID_INVALID; goto txnReturn; } else if( op->o_conn->c_txn == CONN_TXN_SETTLE ) { settle=1; goto txnReturn; } if( op->o_conn->c_txn_backend == NULL ) { op->o_conn->c_txn_backend = op->o_bd; } else if( op->o_conn->c_txn_backend != op->o_bd ) { rs->sr_text = "transaction cannot span multiple database contexts"; rs->sr_err = LDAP_AFFECTS_MULTIPLE_DSAS; goto txnReturn; } /* insert operation into transaction */ rs->sr_text = "transaction specified"; rs->sr_err = LDAP_X_TXN_SPECIFY_OKAY; txnReturn: /* release connection lock */ ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex ); if( !settle ) { send_ldap_result( op, rs ); return rs->sr_err; } } #endif ctrls[num_ctrls] = NULL; /* begin transaction */ rs->sr_err = mdb_opinfo_get( op, mdb, 0, &moi ); rs->sr_text = NULL; if( rs->sr_err != 0 ) { Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(mdb_modify) ": txn_begin failed: " "%s (%d)\n", mdb_strerror(rs->sr_err), rs->sr_err ); rs->sr_err = LDAP_OTHER; rs->sr_text = "internal error"; goto return_results; } txn = moi->moi_txn; /* LY: to avoid race mi_numads should be read after a transaction was started */ numads = mdb->mi_numads; /* Don't touch the opattrs, if this is a contextCSN update * initiated from updatedn */ if ( !be_isupdate(op) || !op->orm_modlist || op->orm_modlist->sml_next || op->orm_modlist->sml_desc != slap_schema.si_ad_contextCSN ) { slap_mods_opattrs( op, &op->orm_modlist, 1 ); } /* get entry or ancestor */ rs->sr_err = mdb_dn2entry( op, txn, NULL, &op->o_req_ndn, &e, NULL, 1 ); if ( rs->sr_err != 0 ) { Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(mdb_modify) ": dn2entry failed (%d)\n", rs->sr_err ); switch( rs->sr_err ) { case MDB_NOTFOUND: break; case LDAP_BUSY: rs->sr_text = "ldap server busy"; goto return_results; default: rs->sr_err = LDAP_OTHER; rs->sr_text = "internal error"; goto return_results; } } /* acquire and lock entry */ /* FIXME: dn2entry() should return non-glue entry */ if (( rs->sr_err == MDB_NOTFOUND ) || ( !manageDSAit && e && is_entry_glue( e ))) { if ( e != NULL ) { rs->sr_matched = ch_strdup( e->e_dn ); if ( is_entry_referral( e )) { BerVarray ref = get_entry_referrals( op, e ); rs->sr_ref = referral_rewrite( ref, &e->e_name, &op->o_req_dn, LDAP_SCOPE_DEFAULT ); ber_bvarray_free( ref ); } else { rs->sr_ref = NULL; } mdb_entry_return( op, e ); e = NULL; } else { rs->sr_ref = referral_rewrite( default_referral, NULL, &op->o_req_dn, LDAP_SCOPE_DEFAULT ); } rs->sr_flags = REP_MATCHED_MUSTBEFREED | REP_REF_MUSTBEFREED; rs->sr_err = LDAP_REFERRAL; send_ldap_result( op, rs ); goto done; } if ( !manageDSAit && is_entry_referral( e ) ) { /* entry is a referral, don't allow modify */ rs->sr_ref = get_entry_referrals( op, e ); Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(mdb_modify) ": entry is referral\n" ); rs->sr_err = LDAP_REFERRAL; rs->sr_matched = e->e_name.bv_val; rs->sr_flags = REP_REF_MUSTBEFREED; send_ldap_result( op, rs ); goto done; } if ( get_assert( op ) && ( test_filter( op, e, get_assertion( op )) != LDAP_COMPARE_TRUE )) { rs->sr_err = LDAP_ASSERTION_FAILED; goto return_results; } if( op->o_preread ) { if( preread_ctrl == NULL ) { preread_ctrl = &ctrls[num_ctrls++]; ctrls[num_ctrls] = NULL; } if ( slap_read_controls( op, rs, e, &slap_pre_read_bv, preread_ctrl ) ) { Debug( LDAP_DEBUG_TRACE, "<=- " LDAP_XSTRING(mdb_modify) ": pre-read " "failed!\n" ); if ( op->o_preread & SLAP_CONTROL_CRITICAL ) { /* FIXME: is it correct to abort * operation if control fails? */ goto return_results; } } } /* Modify the entry */ dummy = *e; if (unlikely( op->o_hollow )) { op->o_hollow = 0; } else { rs->sr_err = mdb_modify_internal( op, txn, op->orm_modlist, &dummy, &rs->sr_text, textbuf, textlen ); if( rs->sr_err != LDAP_SUCCESS ) { Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(mdb_modify) ": modify failed (%d)\n", rs->sr_err ); /* Only free attrs if they were dup'd. */ if ( dummy.e_attrs == e->e_attrs ) dummy.e_attrs = NULL; goto return_results; } /* change the entry itself */ rs->sr_err = mdb_id2entry_update( op, txn, NULL, &dummy ); if ( rs->sr_err != 0 ) { Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(mdb_modify) ": id2entry update failed " "(%d)\n", rs->sr_err ); rs->sr_text = "entry update failed"; goto return_results; } } if( op->o_postread ) { if( postread_ctrl == NULL ) { postread_ctrl = &ctrls[num_ctrls++]; ctrls[num_ctrls] = NULL; } if( slap_read_controls( op, rs, &dummy, &slap_post_read_bv, postread_ctrl ) ) { Debug( LDAP_DEBUG_TRACE, "<=- " LDAP_XSTRING(mdb_modify) ": post-read failed!\n" ); if ( op->o_postread & SLAP_CONTROL_CRITICAL ) { /* FIXME: is it correct to abort * operation if control fails? */ goto return_results; } } } /* Only free attrs if they were dup'd. */ if ( dummy.e_attrs == e->e_attrs ) dummy.e_attrs = NULL; if( moi == &opinfo ) { LDAP_SLIST_REMOVE( &op->o_extra, &opinfo.moi_oe, OpExtra, oe_next ); opinfo.moi_oe.oe_key = NULL; if( op->o_noop ) { assert(numads > -1); mdb->mi_numads = numads; mdb_txn_abort( txn ); rs->sr_err = LDAP_X_NO_OPERATION; txn = NULL; goto return_results; } else { rs->sr_err = mdb_txn_commit( txn ); if ( rs->sr_err ) { assert(numads > -1); mdb->mi_numads = numads; } txn = NULL; } } if( rs->sr_err != 0 ) { Debug( LDAP_DEBUG_ANY, LDAP_XSTRING(mdb_modify) ": txn_%s failed: %s (%d)\n", op->o_noop ? "abort (no-op)" : "commit", mdb_strerror(rs->sr_err), rs->sr_err ); rs->sr_err = LDAP_OTHER; rs->sr_text = "commit failed"; goto return_results; } Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(mdb_modify) ": updated%s id=%08lx dn=\"%s\"\n", op->o_noop ? " (no-op)" : "", dummy.e_id, op->o_req_dn.bv_val ); rs->sr_err = LDAP_SUCCESS; rs->sr_text = NULL; if( num_ctrls ) rs->sr_ctrls = ctrls; return_results: if( dummy.e_attrs ) { attrs_free( dummy.e_attrs ); } send_ldap_result( op, rs ); #if 0 if( rs->sr_err == LDAP_SUCCESS && mdb->bi_txn_cp_kbyte ) { TXN_CHECKPOINT( mdb->bi_dbenv, mdb->bi_txn_cp_kbyte, mdb->bi_txn_cp_min, 0 ); } #endif done: rs_send_cleanup( rs ); slap_graduate_commit_csn( op ); if ( moi == &opinfo || --moi->moi_ref < 1 ) { if ( txn != NULL ) { assert(numads > -1); mdb->mi_numads = numads; mdb_txn_abort( txn ); } if ( moi->moi_oe.oe_key ) LDAP_SLIST_REMOVE( &op->o_extra, &moi->moi_oe, OpExtra, oe_next ); if ( moi->moi_flag & MOI_FREEIT ) op->o_tmpfree( moi, op->o_tmpmemctx ); } if( e != NULL ) { mdb_entry_return( op, e ); } if( preread_ctrl != NULL && (*preread_ctrl) != NULL ) { slap_sl_free( (*preread_ctrl)->ldctl_value.bv_val, op->o_tmpmemctx ); slap_sl_free( *preread_ctrl, op->o_tmpmemctx ); } if( postread_ctrl != NULL && (*postread_ctrl) != NULL ) { slap_sl_free( (*postread_ctrl)->ldctl_value.bv_val, op->o_tmpmemctx ); slap_sl_free( *postread_ctrl, op->o_tmpmemctx ); } return rs->sr_err; }
int bdb_add(Operation *op, SlapReply *rs ) { struct bdb_info *bdb = (struct bdb_info *) op->o_bd->be_private; struct berval pdn; Entry *p = NULL, *oe = op->ora_e; EntryInfo *ei; char textbuf[SLAP_TEXT_BUFLEN]; size_t textlen = sizeof textbuf; AttributeDescription *children = slap_schema.si_ad_children; AttributeDescription *entry = slap_schema.si_ad_entry; DB_TXN *ltid = NULL, *lt2, *rtxn; ID eid = NOID; struct bdb_op_info opinfo = {{{ 0 }}}; int subentry; DB_LOCK lock; int num_retries = 0; int success; LDAPControl **postread_ctrl = NULL; LDAPControl *ctrls[SLAP_MAX_RESPONSE_CONTROLS]; int num_ctrls = 0; #ifdef LDAP_X_TXN int settle = 0; #endif Debug(LDAP_DEBUG_ARGS, "==> " LDAP_XSTRING(bdb_add) ": %s\n", op->ora_e->e_name.bv_val, 0, 0); #ifdef LDAP_X_TXN if( op->o_txnSpec ) { /* acquire connection lock */ ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex ); if( op->o_conn->c_txn == CONN_TXN_INACTIVE ) { rs->sr_text = "invalid transaction identifier"; rs->sr_err = LDAP_X_TXN_ID_INVALID; goto txnReturn; } else if( op->o_conn->c_txn == CONN_TXN_SETTLE ) { settle=1; goto txnReturn; } if( op->o_conn->c_txn_backend == NULL ) { op->o_conn->c_txn_backend = op->o_bd; } else if( op->o_conn->c_txn_backend != op->o_bd ) { rs->sr_text = "transaction cannot span multiple database contexts"; rs->sr_err = LDAP_AFFECTS_MULTIPLE_DSAS; goto txnReturn; } /* insert operation into transaction */ rs->sr_text = "transaction specified"; rs->sr_err = LDAP_X_TXN_SPECIFY_OKAY; txnReturn: /* release connection lock */ ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex ); if( !settle ) { send_ldap_result( op, rs ); return rs->sr_err; } } #endif ctrls[num_ctrls] = 0; /* check entry's schema */ rs->sr_err = entry_schema_check( op, op->ora_e, NULL, get_relax(op), 1, NULL, &rs->sr_text, textbuf, textlen ); if ( rs->sr_err != LDAP_SUCCESS ) { Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(bdb_add) ": entry failed schema check: " "%s (%d)\n", rs->sr_text, rs->sr_err, 0 ); goto return_results; } /* add opattrs to shadow as well, only missing attrs will actually * be added; helps compatibility with older OL versions */ rs->sr_err = slap_add_opattrs( op, &rs->sr_text, textbuf, textlen, 1 ); if ( rs->sr_err != LDAP_SUCCESS ) { Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(bdb_add) ": entry failed op attrs add: " "%s (%d)\n", rs->sr_text, rs->sr_err, 0 ); goto return_results; } if ( get_assert( op ) && ( test_filter( op, op->ora_e, get_assertion( op )) != LDAP_COMPARE_TRUE )) { rs->sr_err = LDAP_ASSERTION_FAILED; goto return_results; } subentry = is_entry_subentry( op->ora_e ); /* Get our reader TXN */ rs->sr_err = bdb_reader_get( op, bdb->bi_dbenv, &rtxn ); if( 0 ) { retry: /* transaction retry */ if( p ) { /* free parent and reader lock */ if ( p != (Entry *)&slap_entry_root ) { bdb_unlocked_cache_return_entry_r( bdb, p ); } p = NULL; } rs->sr_err = TXN_ABORT( ltid ); ltid = NULL; LDAP_SLIST_REMOVE( &op->o_extra, &opinfo.boi_oe, OpExtra, oe_next ); opinfo.boi_oe.oe_key = NULL; op->o_do_not_cache = opinfo.boi_acl_cache; if( rs->sr_err != 0 ) { rs->sr_err = LDAP_OTHER; rs->sr_text = "internal error"; goto return_results; } if ( op->o_abandon ) { rs->sr_err = SLAPD_ABANDON; goto return_results; } bdb_trans_backoff( ++num_retries ); } /* begin transaction */ rs->sr_err = TXN_BEGIN( bdb->bi_dbenv, NULL, <id, bdb->bi_db_opflags ); rs->sr_text = NULL; if( rs->sr_err != 0 ) { Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(bdb_add) ": txn_begin failed: %s (%d)\n", db_strerror(rs->sr_err), rs->sr_err, 0 ); rs->sr_err = LDAP_OTHER; rs->sr_text = "internal error"; goto return_results; } opinfo.boi_oe.oe_key = bdb; opinfo.boi_txn = ltid; opinfo.boi_err = 0; opinfo.boi_acl_cache = op->o_do_not_cache; LDAP_SLIST_INSERT_HEAD( &op->o_extra, &opinfo.boi_oe, oe_next ); /* * Get the parent dn and see if the corresponding entry exists. */ if ( be_issuffix( op->o_bd, &op->ora_e->e_nname ) ) { pdn = slap_empty_bv; } else { dnParent( &op->ora_e->e_nname, &pdn ); } /* get entry or parent */ rs->sr_err = bdb_dn2entry( op, ltid, &op->ora_e->e_nname, &ei, 1, &lock ); switch( rs->sr_err ) { case 0: rs->sr_err = LDAP_ALREADY_EXISTS; goto return_results; case DB_NOTFOUND: break; case DB_LOCK_DEADLOCK: case DB_LOCK_NOTGRANTED: goto retry; case LDAP_BUSY: rs->sr_text = "ldap server busy"; goto return_results; default: rs->sr_err = LDAP_OTHER; rs->sr_text = "internal error"; goto return_results; } p = ei->bei_e; if ( !p ) p = (Entry *)&slap_entry_root; if ( !bvmatch( &pdn, &p->e_nname ) ) { rs->sr_matched = ber_strdup_x( p->e_name.bv_val, op->o_tmpmemctx ); rs->sr_ref = is_entry_referral( p ) ? get_entry_referrals( op, p ) : NULL; if ( p != (Entry *)&slap_entry_root ) bdb_unlocked_cache_return_entry_r( bdb, p ); p = NULL; Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(bdb_add) ": parent " "does not exist\n", 0, 0, 0 ); rs->sr_err = LDAP_REFERRAL; rs->sr_flags = REP_MATCHED_MUSTBEFREED | REP_REF_MUSTBEFREED; goto return_results; } rs->sr_err = access_allowed( op, p, children, NULL, ACL_WADD, NULL ); if ( ! rs->sr_err ) { switch( opinfo.boi_err ) { case DB_LOCK_DEADLOCK: case DB_LOCK_NOTGRANTED: goto retry; } if ( p != (Entry *)&slap_entry_root ) bdb_unlocked_cache_return_entry_r( bdb, p ); p = NULL; Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(bdb_add) ": no write access to parent\n", 0, 0, 0 ); rs->sr_err = LDAP_INSUFFICIENT_ACCESS; rs->sr_text = "no write access to parent"; goto return_results;; } if ( p != (Entry *)&slap_entry_root ) { if ( is_entry_subentry( p ) ) { bdb_unlocked_cache_return_entry_r( bdb, p ); p = NULL; /* parent is a subentry, don't allow add */ Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(bdb_add) ": parent is subentry\n", 0, 0, 0 ); rs->sr_err = LDAP_OBJECT_CLASS_VIOLATION; rs->sr_text = "parent is a subentry"; goto return_results;; } if ( is_entry_alias( p ) ) { bdb_unlocked_cache_return_entry_r( bdb, p ); p = NULL; /* parent is an alias, don't allow add */ Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(bdb_add) ": parent is alias\n", 0, 0, 0 ); rs->sr_err = LDAP_ALIAS_PROBLEM; rs->sr_text = "parent is an alias"; goto return_results;; } if ( is_entry_referral( p ) ) { /* parent is a referral, don't allow add */ rs->sr_matched = ber_strdup_x( p->e_name.bv_val, op->o_tmpmemctx ); rs->sr_ref = get_entry_referrals( op, p ); bdb_unlocked_cache_return_entry_r( bdb, p ); p = NULL; Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(bdb_add) ": parent is referral\n", 0, 0, 0 ); rs->sr_err = LDAP_REFERRAL; rs->sr_flags = REP_MATCHED_MUSTBEFREED | REP_REF_MUSTBEFREED; goto return_results; } } if ( subentry ) { /* FIXME: */ /* parent must be an administrative point of the required kind */ } /* free parent and reader lock */ if ( p != (Entry *)&slap_entry_root ) { if ( p->e_nname.bv_len ) { struct berval ppdn; /* ITS#5326: use parent's DN if differs from provided one */ dnParent( &op->ora_e->e_name, &ppdn ); if ( !dn_match( &p->e_name, &ppdn ) ) { struct berval rdn; struct berval newdn; dnRdn( &op->ora_e->e_name, &rdn ); build_new_dn( &newdn, &p->e_name, &rdn, NULL ); if ( op->ora_e->e_name.bv_val != op->o_req_dn.bv_val ) ber_memfree( op->ora_e->e_name.bv_val ); op->ora_e->e_name = newdn; /* FIXME: should check whether * dnNormalize(newdn) == e->e_nname ... */ } } bdb_unlocked_cache_return_entry_r( bdb, p ); } p = NULL; rs->sr_err = access_allowed( op, op->ora_e, entry, NULL, ACL_WADD, NULL ); if ( ! rs->sr_err ) { switch( opinfo.boi_err ) { case DB_LOCK_DEADLOCK: case DB_LOCK_NOTGRANTED: goto retry; } Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(bdb_add) ": no write access to entry\n", 0, 0, 0 ); rs->sr_err = LDAP_INSUFFICIENT_ACCESS; rs->sr_text = "no write access to entry"; goto return_results;; } /* * Check ACL for attribute write access */ if (!acl_check_modlist(op, oe, op->ora_modlist)) { switch( opinfo.boi_err ) { case DB_LOCK_DEADLOCK: case DB_LOCK_NOTGRANTED: goto retry; } Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(bdb_add) ": no write access to attribute\n", 0, 0, 0 ); rs->sr_err = LDAP_INSUFFICIENT_ACCESS; rs->sr_text = "no write access to attribute"; goto return_results;; } if ( eid == NOID ) { rs->sr_err = bdb_next_id( op->o_bd, &eid ); if( rs->sr_err != 0 ) { Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(bdb_add) ": next_id failed (%d)\n", rs->sr_err, 0, 0 ); rs->sr_err = LDAP_OTHER; rs->sr_text = "internal error"; goto return_results; } op->ora_e->e_id = eid; } /* nested transaction */ rs->sr_err = TXN_BEGIN( bdb->bi_dbenv, ltid, <2, bdb->bi_db_opflags ); rs->sr_text = NULL; if( rs->sr_err != 0 ) { Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(bdb_add) ": txn_begin(2) failed: " "%s (%d)\n", db_strerror(rs->sr_err), rs->sr_err, 0 ); rs->sr_err = LDAP_OTHER; rs->sr_text = "internal error"; goto return_results; } /* dn2id index */ rs->sr_err = bdb_dn2id_add( op, lt2, ei, op->ora_e ); if ( rs->sr_err != 0 ) { Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(bdb_add) ": dn2id_add failed: %s (%d)\n", db_strerror(rs->sr_err), rs->sr_err, 0 ); switch( rs->sr_err ) { case DB_LOCK_DEADLOCK: case DB_LOCK_NOTGRANTED: goto retry; case DB_KEYEXIST: rs->sr_err = LDAP_ALREADY_EXISTS; break; default: rs->sr_err = LDAP_OTHER; } goto return_results; } /* attribute indexes */ rs->sr_err = bdb_index_entry_add( op, lt2, op->ora_e ); if ( rs->sr_err != LDAP_SUCCESS ) { Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(bdb_add) ": index_entry_add failed\n", 0, 0, 0 ); switch( rs->sr_err ) { case DB_LOCK_DEADLOCK: case DB_LOCK_NOTGRANTED: goto retry; default: rs->sr_err = LDAP_OTHER; } rs->sr_text = "index generation failed"; goto return_results; } /* id2entry index */ rs->sr_err = bdb_id2entry_add( op->o_bd, lt2, op->ora_e ); if ( rs->sr_err != 0 ) { Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(bdb_add) ": id2entry_add failed\n", 0, 0, 0 ); switch( rs->sr_err ) { case DB_LOCK_DEADLOCK: case DB_LOCK_NOTGRANTED: goto retry; default: rs->sr_err = LDAP_OTHER; } rs->sr_text = "entry store failed"; goto return_results; } if ( TXN_COMMIT( lt2, 0 ) != 0 ) { rs->sr_err = LDAP_OTHER; rs->sr_text = "txn_commit(2) failed"; goto return_results; } /* post-read */ if( op->o_postread ) { if( postread_ctrl == NULL ) { postread_ctrl = &ctrls[num_ctrls++]; ctrls[num_ctrls] = NULL; } if ( slap_read_controls( op, rs, op->ora_e, &slap_post_read_bv, postread_ctrl ) ) { Debug( LDAP_DEBUG_TRACE, "<=- " LDAP_XSTRING(bdb_add) ": post-read " "failed!\n", 0, 0, 0 ); if ( op->o_postread & SLAP_CONTROL_CRITICAL ) { /* FIXME: is it correct to abort * operation if control fails? */ goto return_results; } } } if ( op->o_noop ) { if (( rs->sr_err=TXN_ABORT( ltid )) != 0 ) { rs->sr_text = "txn_abort (no-op) failed"; } else { rs->sr_err = LDAP_X_NO_OPERATION; ltid = NULL; goto return_results; } } else { struct berval nrdn; /* pick the RDN if not suffix; otherwise pick the entire DN */ if (pdn.bv_len) { nrdn.bv_val = op->ora_e->e_nname.bv_val; nrdn.bv_len = pdn.bv_val - op->ora_e->e_nname.bv_val - 1; } else { nrdn = op->ora_e->e_nname; } /* Use the reader txn here, outside the add txn */ bdb_cache_add( bdb, ei, op->ora_e, &nrdn, rtxn, &lock ); if(( rs->sr_err=TXN_COMMIT( ltid, 0 )) != 0 ) { rs->sr_text = "txn_commit failed"; } else { rs->sr_err = LDAP_SUCCESS; } } ltid = NULL; LDAP_SLIST_REMOVE( &op->o_extra, &opinfo.boi_oe, OpExtra, oe_next ); opinfo.boi_oe.oe_key = NULL; if ( rs->sr_err != LDAP_SUCCESS ) { Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(bdb_add) ": %s : %s (%d)\n", rs->sr_text, db_strerror(rs->sr_err), rs->sr_err ); rs->sr_err = LDAP_OTHER; goto return_results; } Debug(LDAP_DEBUG_TRACE, LDAP_XSTRING(bdb_add) ": added%s id=%08lx dn=\"%s\"\n", op->o_noop ? " (no-op)" : "", op->ora_e->e_id, op->ora_e->e_dn ); rs->sr_text = NULL; if( num_ctrls ) rs->sr_ctrls = ctrls; return_results: success = rs->sr_err; send_ldap_result( op, rs ); if( ltid != NULL ) { TXN_ABORT( ltid ); } if ( opinfo.boi_oe.oe_key ) { LDAP_SLIST_REMOVE( &op->o_extra, &opinfo.boi_oe, OpExtra, oe_next ); } if( success == LDAP_SUCCESS ) { /* We own the entry now, and it can be purged at will * Check to make sure it's the same entry we entered with. * Possibly a callback may have mucked with it, although * in general callbacks should treat the entry as read-only. */ bdb_cache_return_entry_r( bdb, oe, &lock ); if ( op->ora_e == oe ) op->ora_e = NULL; if ( bdb->bi_txn_cp_kbyte ) { TXN_CHECKPOINT( bdb->bi_dbenv, bdb->bi_txn_cp_kbyte, bdb->bi_txn_cp_min, 0 ); } } slap_graduate_commit_csn( op ); if( postread_ctrl != NULL && (*postread_ctrl) != NULL ) { slap_sl_free( (*postread_ctrl)->ldctl_value.bv_val, op->o_tmpmemctx ); slap_sl_free( *postread_ctrl, op->o_tmpmemctx ); } return rs->sr_err; }
int limits_check( Operation *op, SlapReply *rs ) { assert( op != NULL ); assert( rs != NULL ); /* FIXME: should this be always true? */ assert( op->o_tag == LDAP_REQ_SEARCH); /* protocol only allows 0..maxInt; * * internal searches: * - may use SLAP_NO_LIMIT ( = -1 ) to indicate no limits; * - should use slimit = N and tlimit = SLAP_NO_LIMIT to * indicate searches that should return exactly N matches, * and handle errors thru a callback (see for instance * slap_sasl_match() and slap_sasl2dn()) */ if ( op->ors_tlimit == SLAP_NO_LIMIT && op->ors_slimit == SLAP_NO_LIMIT ) { return 0; } /* allow root to set no limit */ if ( be_isroot( op ) ) { op->ors_limit = NULL; if ( op->ors_tlimit == 0 ) { op->ors_tlimit = SLAP_NO_LIMIT; } if ( op->ors_slimit == 0 ) { op->ors_slimit = SLAP_NO_LIMIT; } /* if paged results and slimit are requested */ if ( get_pagedresults( op ) > SLAP_CONTROL_IGNORED && op->ors_slimit != SLAP_NO_LIMIT ) { PagedResultsState *ps = op->o_pagedresults_state; int total = op->ors_slimit - ps->ps_count; if ( total > 0 ) { op->ors_slimit = total; } else { op->ors_slimit = 0; } } /* if not root, get appropriate limits */ } else { ( void ) limits_get( op, &op->ors_limit ); assert( op->ors_limit != NULL ); /* if no limit is required, use soft limit */ if ( op->ors_tlimit == 0 ) { op->ors_tlimit = op->ors_limit->lms_t_soft; /* limit required: check if legal */ } else { if ( op->ors_limit->lms_t_hard == 0 ) { if ( op->ors_limit->lms_t_soft > 0 && ( op->ors_tlimit > op->ors_limit->lms_t_soft ) ) { op->ors_tlimit = op->ors_limit->lms_t_soft; } } else if ( op->ors_limit->lms_t_hard > 0 ) { #ifdef ABOVE_HARD_LIMIT_IS_ERROR if ( op->ors_tlimit == SLAP_MAX_LIMIT ) { op->ors_tlimit = op->ors_limit->lms_t_hard; } else if ( op->ors_tlimit > op->ors_limit->lms_t_hard ) { /* error if exceeding hard limit */ rs->sr_err = LDAP_ADMINLIMIT_EXCEEDED; send_ldap_result( op, rs ); rs->sr_err = LDAP_SUCCESS; return -1; } #else /* ! ABOVE_HARD_LIMIT_IS_ERROR */ if ( op->ors_tlimit > op->ors_limit->lms_t_hard ) { op->ors_tlimit = op->ors_limit->lms_t_hard; } #endif /* ! ABOVE_HARD_LIMIT_IS_ERROR */ } } /* else leave as is */ /* don't even get to backend if candidate check is disabled */ if ( op->ors_limit->lms_s_unchecked == 0 ) { rs->sr_err = LDAP_ADMINLIMIT_EXCEEDED; send_ldap_result( op, rs ); rs->sr_err = LDAP_SUCCESS; return -1; } /* if paged results is requested */ if ( get_pagedresults( op ) > SLAP_CONTROL_IGNORED ) { int slimit = -2; int pr_total; PagedResultsState *ps = op->o_pagedresults_state; /* paged results is not allowed */ if ( op->ors_limit->lms_s_pr_total == -2 ) { rs->sr_err = LDAP_ADMINLIMIT_EXCEEDED; rs->sr_text = "pagedResults control not allowed"; send_ldap_result( op, rs ); rs->sr_err = LDAP_SUCCESS; rs->sr_text = NULL; return -1; } if ( op->ors_limit->lms_s_pr > 0 && ps->ps_size > op->ors_limit->lms_s_pr ) { rs->sr_err = LDAP_ADMINLIMIT_EXCEEDED; rs->sr_text = "illegal pagedResults page size"; send_ldap_result( op, rs ); rs->sr_err = LDAP_SUCCESS; rs->sr_text = NULL; return -1; } if ( op->ors_limit->lms_s_pr_total == 0 ) { if ( op->ors_limit->lms_s_hard == 0 ) { pr_total = op->ors_limit->lms_s_soft; } else { pr_total = op->ors_limit->lms_s_hard; } } else { pr_total = op->ors_limit->lms_s_pr_total; } if ( pr_total == -1 ) { if ( op->ors_slimit == 0 || op->ors_slimit == SLAP_MAX_LIMIT ) { slimit = -1; } else { slimit = op->ors_slimit - ps->ps_count; } #ifdef ABOVE_HARD_LIMIT_IS_ERROR } else if ( pr_total > 0 && op->ors_slimit != SLAP_MAX_LIMIT && ( op->ors_slimit == SLAP_NO_LIMIT || op->ors_slimit > pr_total ) ) { rs->sr_err = LDAP_ADMINLIMIT_EXCEEDED; send_ldap_result( op, rs ); rs->sr_err = LDAP_SUCCESS; return -1; #endif /* ! ABOVE_HARD_LIMIT_IS_ERROR */ } else { /* if no limit is required, use soft limit */ int total; int slimit2; /* first round of pagedResults: * set count to any appropriate limit */ /* if the limit is set, check that it does * not violate any server-side limit */ #ifdef ABOVE_HARD_LIMIT_IS_ERROR if ( op->ors_slimit == SLAP_MAX_LIMIT ) #else /* ! ABOVE_HARD_LIMIT_IS_ERROR */ if ( op->ors_slimit == SLAP_MAX_LIMIT || op->ors_slimit > pr_total ) #endif /* ! ABOVE_HARD_LIMIT_IS_ERROR */ { slimit2 = op->ors_slimit = pr_total; } else if ( op->ors_slimit == 0 ) { slimit2 = pr_total; } else { slimit2 = op->ors_slimit; } total = slimit2 - ps->ps_count; if ( total >= 0 ) { if ( op->ors_limit->lms_s_pr > 0 ) { /* use the smallest limit set by total/per page */ if ( total < op->ors_limit->lms_s_pr ) { slimit = total; } else { /* use the perpage limit if any * NOTE: + 1 because given value must be legal */ slimit = op->ors_limit->lms_s_pr + 1; } } else { /* use the total limit if any */ slimit = total; } } else if ( op->ors_limit->lms_s_pr > 0 ) { /* use the perpage limit if any * NOTE: + 1 because the given value must be legal */ slimit = op->ors_limit->lms_s_pr + 1; } else { /* use the standard hard/soft limit if any */ slimit = op->ors_limit->lms_s_hard; } } /* if got any limit, use it */ if ( slimit != -2 ) { if ( op->ors_slimit == 0 ) { op->ors_slimit = slimit; } else if ( slimit > 0 ) { if ( op->ors_slimit - ps->ps_count > slimit ) { rs->sr_err = LDAP_ADMINLIMIT_EXCEEDED; send_ldap_result( op, rs ); rs->sr_err = LDAP_SUCCESS; return -1; } op->ors_slimit = slimit; } else if ( slimit == 0 ) { op->ors_slimit = 0; } } else { /* use the standard hard/soft limit if any */ op->ors_slimit = pr_total; } /* no limit requested: use soft, whatever it is */ } else if ( op->ors_slimit == 0 ) { op->ors_slimit = op->ors_limit->lms_s_soft; /* limit requested: check if legal */ } else { /* hard limit as soft (traditional behavior) */ if ( op->ors_limit->lms_s_hard == 0 ) { if ( op->ors_limit->lms_s_soft > 0 && op->ors_slimit > op->ors_limit->lms_s_soft ) { op->ors_slimit = op->ors_limit->lms_s_soft; } /* explicit hard limit: error if violated */ } else if ( op->ors_limit->lms_s_hard > 0 ) { #ifdef ABOVE_HARD_LIMIT_IS_ERROR if ( op->ors_slimit == SLAP_MAX_LIMIT ) { op->ors_slimit = op->ors_limit->lms_s_hard; } else if ( op->ors_slimit > op->ors_limit->lms_s_hard ) { /* if limit exceeds hard, error */ rs->sr_err = LDAP_ADMINLIMIT_EXCEEDED; send_ldap_result( op, rs ); rs->sr_err = LDAP_SUCCESS; return -1; } #else /* ! ABOVE_HARD_LIMIT_IS_ERROR */ if ( op->ors_slimit > op->ors_limit->lms_s_hard ) { op->ors_slimit = op->ors_limit->lms_s_hard; } #endif /* ! ABOVE_HARD_LIMIT_IS_ERROR */ } } /* else leave as is */ } return 0; }
static int translucent_modify(Operation *op, SlapReply *rs) { SlapReply nrs = { REP_RESULT }; slap_overinst *on = (slap_overinst *) op->o_bd->bd_info; translucent_info *ov = on->on_bi.bi_private; Entry *e = NULL, *re = NULL; Attribute *a, *ax; Modifications *m, **mm; BackendDB *db; int del, rc, erc = 0; slap_callback cb = { 0 }; Debug(LDAP_DEBUG_TRACE, "==> translucent_modify: %s\n", op->o_req_dn.bv_val, 0, 0); if(ov->defer_db_open) { send_ldap_error(op, rs, LDAP_UNAVAILABLE, "remote DB not available"); return(rs->sr_err); } /* ** fetch entry from the captive backend; ** if it did not exist, fail; ** release it, if captive backend supports this; ** */ db = op->o_bd; op->o_bd = &ov->db; ov->db.be_acl = op->o_bd->be_acl; rc = ov->db.bd_info->bi_entry_get_rw(op, &op->o_req_ndn, NULL, NULL, 0, &re); op->o_bd = db; if(rc != LDAP_SUCCESS || re == NULL ) { send_ldap_error((op), rs, LDAP_NO_SUCH_OBJECT, "attempt to modify nonexistent local record"); return(rs->sr_err); } /* ** fetch entry from local backend; ** if it exists: ** foreach Modification: ** if attr not present in local: ** if Mod == LDAP_MOD_DELETE: ** if remote attr not present, return NO_SUCH; ** if remote attr present, drop this Mod; ** else force this Mod to LDAP_MOD_ADD; ** return CONTINUE; ** */ op->o_bd->bd_info = (BackendInfo *) on->on_info->oi_orig; rc = be_entry_get_rw(op, &op->o_req_ndn, NULL, NULL, 0, &e); op->o_bd->bd_info = (BackendInfo *) on; if(e && rc == LDAP_SUCCESS) { Debug(LDAP_DEBUG_TRACE, "=> translucent_modify: found local entry\n", 0, 0, 0); for(mm = &op->orm_modlist; *mm; ) { m = *mm; for(a = e->e_attrs; a; a = a->a_next) if(a->a_desc == m->sml_desc) break; if(a) { mm = &m->sml_next; continue; /* found local attr */ } if(m->sml_op == LDAP_MOD_DELETE) { for(a = re->e_attrs; a; a = a->a_next) if(a->a_desc == m->sml_desc) break; /* not found remote attr */ if(!a) { erc = LDAP_NO_SUCH_ATTRIBUTE; goto release; } if(ov->strict) { erc = LDAP_CONSTRAINT_VIOLATION; goto release; } Debug(LDAP_DEBUG_TRACE, "=> translucent_modify: silently dropping delete: %s\n", m->sml_desc->ad_cname.bv_val, 0, 0); *mm = m->sml_next; m->sml_next = NULL; slap_mods_free(m, 1); continue; } m->sml_op = LDAP_MOD_ADD; mm = &m->sml_next; } erc = SLAP_CB_CONTINUE; release: if(re) { if(ov->db.bd_info->bi_entry_release_rw) { op->o_bd = &ov->db; ov->db.bd_info->bi_entry_release_rw(op, re, 0); op->o_bd = db; } else entry_free(re); } op->o_bd->bd_info = (BackendInfo *) on->on_info->oi_orig; be_entry_release_r(op, e); op->o_bd->bd_info = (BackendInfo *) on; if(erc == SLAP_CB_CONTINUE) { return(erc); } else if(erc) { send_ldap_error(op, rs, erc, "attempt to delete nonexistent attribute"); return(erc); } } /* don't leak remote entry copy */ if(re) { if(ov->db.bd_info->bi_entry_release_rw) { op->o_bd = &ov->db; ov->db.bd_info->bi_entry_release_rw(op, re, 0); op->o_bd = db; } else entry_free(re); } /* ** foreach Modification: ** if MOD_ADD or MOD_REPLACE, add Attribute; ** if no Modifications were suitable: ** if strict, throw CONSTRAINT_VIOLATION; ** else, return early SUCCESS; ** fabricate Entry with new Attribute chain; ** glue_parent() for this Entry; ** call bi_op_add() in local backend; ** */ Debug(LDAP_DEBUG_TRACE, "=> translucent_modify: fabricating local add\n", 0, 0, 0); a = NULL; for(del = 0, ax = NULL, m = op->orm_modlist; m; m = m->sml_next) { Attribute atmp; if(((m->sml_op & LDAP_MOD_OP) != LDAP_MOD_ADD) && ((m->sml_op & LDAP_MOD_OP) != LDAP_MOD_REPLACE)) { Debug(LDAP_DEBUG_ANY, "=> translucent_modify: silently dropped modification(%d): %s\n", m->sml_op, m->sml_desc->ad_cname.bv_val, 0); if((m->sml_op & LDAP_MOD_OP) == LDAP_MOD_DELETE) del++; continue; } atmp.a_desc = m->sml_desc; atmp.a_vals = m->sml_values; atmp.a_nvals = m->sml_nvalues ? m->sml_nvalues : atmp.a_vals; atmp.a_numvals = m->sml_numvals; atmp.a_flags = 0; a = attr_dup( &atmp ); a->a_next = ax; ax = a; } if(del && ov->strict) { attrs_free( a ); send_ldap_error(op, rs, LDAP_CONSTRAINT_VIOLATION, "attempt to delete attributes from local database"); return(rs->sr_err); } if(!ax) { if(ov->strict) { send_ldap_error(op, rs, LDAP_CONSTRAINT_VIOLATION, "modification contained other than ADD or REPLACE"); return(rs->sr_err); } /* rs->sr_text = "no valid modification found"; */ rs->sr_err = LDAP_SUCCESS; send_ldap_result(op, rs); return(rs->sr_err); } e = entry_alloc(); ber_dupbv( &e->e_name, &op->o_req_dn ); ber_dupbv( &e->e_nname, &op->o_req_ndn ); e->e_attrs = a; op->o_tag = LDAP_REQ_ADD; cb.sc_response = translucent_tag_cb; cb.sc_private = op->orm_modlist; op->oq_add.rs_e = e; glue_parent(op); cb.sc_next = op->o_callback; op->o_callback = &cb; rc = on->on_info->oi_orig->bi_op_add(op, &nrs); if ( op->ora_e == e ) entry_free( e ); op->o_callback = cb.sc_next; return(rc); }
/* This function is called to process operation that come over external connections */ void do_modrdn( Slapi_PBlock *pb ) { Slapi_Operation *operation; BerElement *ber; char *rawdn = NULL, *rawnewsuperior = NULL; const char *dn = NULL, *newsuperior = NULL; char *newrdn = NULL; int err = 0, deloldrdn = 0; ber_len_t len = 0; char *newdn = NULL; char *parent = NULL; Slapi_DN sdn; Slapi_DN snewdn; Slapi_DN *snewsuperior = NULL; LDAPDebug( LDAP_DEBUG_TRACE, "do_modrdn\n", 0, 0, 0 ); /* count the modrdn request */ slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsModifyRDNOps); slapi_pblock_get( pb, SLAPI_OPERATION, &operation); ber = operation->o_ber; slapi_sdn_init(&sdn); slapi_sdn_init(&snewdn); /* * Parse the modrdn request. It looks like this: * * ModifyRDNRequest := SEQUENCE { * entry DistinguishedName, * newrdn RelativeDistinguishedName, * deleteoldrdn BOOLEAN, * newSuperior [0] LDAPDN OPTIONAL -- v3 only * } */ if (ber_scanf(ber, "{aab", &rawdn, &newrdn, &deloldrdn) == LBER_ERROR) { LDAPDebug( LDAP_DEBUG_ANY, "ber_scanf failed (op=ModRDN; params=DN,newRDN,deleteOldRDN)\n", 0, 0, 0 ); op_shared_log_error_access (pb, "MODRDN", "???", "decoding error"); send_ldap_result( pb, LDAP_PROTOCOL_ERROR, NULL, "unable to decode DN, newRDN, or deleteOldRDN parameters", 0, NULL ); goto free_and_return; } if ( ber_peek_tag( ber, &len ) == LDAP_TAG_NEWSUPERIOR ) { /* This "len" is not used... */ if ( pb->pb_conn->c_ldapversion < LDAP_VERSION3 ) { LDAPDebug( LDAP_DEBUG_ANY, "got newSuperior in LDAPv2 modrdn op\n", 0, 0, 0 ); op_shared_log_error_access (pb, "MODRDN", rawdn?rawdn:"", "decoding error"); send_ldap_result( pb, LDAP_PROTOCOL_ERROR, NULL, "received newSuperior in LDAPv2 modrdn", 0, NULL ); slapi_ch_free_string( &rawdn ); slapi_ch_free_string( &newrdn ); goto free_and_return; } if ( ber_scanf( ber, "a", &rawnewsuperior ) == LBER_ERROR ) { LDAPDebug( LDAP_DEBUG_ANY, "ber_scanf failed (op=ModRDN; params=newSuperior)\n", 0, 0, 0 ); op_shared_log_error_access (pb, "MODRDN", rawdn, "decoding error"); send_ldap_result( pb, LDAP_PROTOCOL_ERROR, NULL, "unable to decode newSuperior parameter", 0, NULL ); slapi_ch_free_string( &rawdn ); slapi_ch_free_string( &newrdn ); goto free_and_return; } } /* Check if we should be performing strict validation. */ if (config_get_dn_validate_strict()) { /* check that the dn is formatted correctly */ err = slapi_dn_syntax_check(pb, rawdn, 1); if (err) { /* syntax check failed */ op_shared_log_error_access(pb, "MODRDN", rawdn?rawdn:"", "strict: invalid dn"); send_ldap_result(pb, LDAP_INVALID_DN_SYNTAX, NULL, "invalid dn", 0, NULL); slapi_ch_free_string( &rawdn ); slapi_ch_free_string( &newrdn ); slapi_ch_free_string( &rawnewsuperior ); goto free_and_return; } /* check that the new rdn is formatted correctly */ err = slapi_dn_syntax_check(pb, newrdn, 1); if (err) { /* syntax check failed */ op_shared_log_error_access(pb, "MODRDN", newrdn?newrdn:"", "strict: invalid new rdn"); send_ldap_result(pb, LDAP_INVALID_DN_SYNTAX, NULL, "invalid new rdn", 0, NULL); slapi_ch_free_string( &rawdn ); slapi_ch_free_string( &newrdn ); slapi_ch_free_string( &rawnewsuperior ); goto free_and_return; } } slapi_sdn_init_dn_passin(&sdn, rawdn); dn = slapi_sdn_get_dn(&sdn); if (rawdn && (strlen(rawdn) > 0) && (NULL == dn)) { /* normalization failed */ op_shared_log_error_access(pb, "MODRDN", rawdn, "invalid dn"); send_ldap_result(pb, LDAP_INVALID_DN_SYNTAX, NULL, "invalid dn", 0, NULL); slapi_ch_free_string( &newrdn ); slapi_ch_free_string( &rawnewsuperior ); goto free_and_return; } if (rawnewsuperior) { if (config_get_dn_validate_strict()) { /* check that the dn is formatted correctly */ err = slapi_dn_syntax_check(pb, rawnewsuperior, 1); if (err) { /* syntax check failed */ op_shared_log_error_access(pb, "MODRDN", rawnewsuperior, "strict: invalid new superior"); send_ldap_result(pb, LDAP_INVALID_DN_SYNTAX, NULL, "invalid new superior", 0, NULL); slapi_ch_free_string( &rawnewsuperior ); goto free_and_return; } } snewsuperior = slapi_sdn_new_dn_passin(rawnewsuperior); newsuperior = slapi_sdn_get_dn(snewsuperior); } /* * If newsuperior is myself or my descendent, the modrdn should fail. * Note: need to check the case newrdn is given, and newsuperior * uses the newrdn, as well. */ parent = slapi_dn_parent(slapi_sdn_get_ndn(&sdn)); newdn = slapi_ch_smprintf("%s,%s", newrdn, parent); /* slapi_sdn_init_normdn_passin expects normalized but NOT * decapitalized dn */ slapi_sdn_init_dn_passin(&snewdn, newdn); if (0 == slapi_sdn_compare(&sdn, snewsuperior) || 0 == slapi_sdn_compare(&snewdn, snewsuperior)) { op_shared_log_error_access(pb, "MODRDN", newsuperior, "new superior is identical to the entry dn"); send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL, "new superior is identical to the entry dn", 0, NULL); goto free_and_return; } if (slapi_sdn_issuffix(snewsuperior, &sdn) || slapi_sdn_issuffix(snewsuperior, &snewdn)) { /* E.g., * newsuperior: ou=sub,ou=people,dc=example,dc=com * dn: ou=people,dc=example,dc=com */ op_shared_log_error_access(pb, "MODRDN", newsuperior, "new superior is descendent of the entry"); send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL, "new superior is descendent of the entry", 0, NULL); goto free_and_return; } /* * in LDAPv3 there can be optional control extensions on * the end of an LDAPMessage. we need to read them in and * pass them to the backend. */ if ( (err = get_ldapmessage_controls( pb, ber, NULL )) != 0 ) { op_shared_log_error_access (pb, "MODRDN", dn, "failed to decode LDAP controls"); send_ldap_result( pb, err, NULL, NULL, 0, NULL ); goto free_and_return; } LDAPDebug( LDAP_DEBUG_ARGS, "do_modrdn: dn (%s) newrdn (%s) deloldrdn (%d)\n", dn, newrdn, deloldrdn ); slapi_pblock_set( pb, SLAPI_REQUESTOR_ISROOT, &pb->pb_op->o_isroot ); /* dn, newrdn and newsuperior are all normalized */ slapi_pblock_set( pb, SLAPI_ORIGINAL_TARGET, (void *)slapi_sdn_get_udn(&sdn) ); slapi_pblock_set( pb, SLAPI_MODRDN_TARGET_SDN, &sdn ); slapi_pblock_set( pb, SLAPI_MODRDN_NEWRDN, (void *)newrdn ); slapi_pblock_set( pb, SLAPI_MODRDN_NEWSUPERIOR_SDN, (void *)snewsuperior ); slapi_pblock_set( pb, SLAPI_MODRDN_DELOLDRDN, &deloldrdn ); op_shared_rename(pb, 0 /* do not pass in ownership of string arguments */ ); free_and_return: slapi_sdn_done(&sdn); slapi_ch_free_string(&newrdn); slapi_sdn_free(&snewsuperior); slapi_sdn_done(&snewdn); slapi_ch_free_string(&parent); return; }
static int null_back_respond( Operation *op, SlapReply *rs, int rc ) { LDAPControl ctrl[SLAP_MAX_RESPONSE_CONTROLS], *ctrls[SLAP_MAX_RESPONSE_CONTROLS]; int c = 0; BerElementBuffer ps_berbuf; BerElement *ps_ber = NULL; LDAPControl **preread_ctrl = NULL, **postread_ctrl = NULL; rs->sr_err = LDAP_OTHER; /* this comes first, as in case of assertion failure * any further processing must stop */ if ( get_assert( op ) ) { rs->sr_err = LDAP_ASSERTION_FAILED; goto respond; } if ( op->o_preread ) { Entry e = { 0 }; switch ( op->o_tag ) { case LDAP_REQ_MODIFY: case LDAP_REQ_RENAME: case LDAP_REQ_DELETE: e.e_name = op->o_req_dn; e.e_nname = op->o_req_ndn; preread_ctrl = &ctrls[c]; *preread_ctrl = NULL; if ( slap_read_controls( op, rs, &e, &slap_pre_read_bv, preread_ctrl ) ) { preread_ctrl = NULL; Debug( LDAP_DEBUG_TRACE, "<=- null_back_respond: pre-read " "failed!\n", 0, 0, 0 ); if ( op->o_preread & SLAP_CONTROL_CRITICAL ) { /* FIXME: is it correct to abort * operation if control fails? */ goto respond; } } else { c++; } break; } } if ( op->o_postread ) { Entry e = { 0 }; switch ( op->o_tag ) { case LDAP_REQ_ADD: case LDAP_REQ_MODIFY: case LDAP_REQ_RENAME: if ( op->o_tag == LDAP_REQ_ADD ) { e.e_name = op->ora_e->e_name; e.e_nname = op->ora_e->e_nname; } else { e.e_name = op->o_req_dn; e.e_nname = op->o_req_ndn; } postread_ctrl = &ctrls[c]; *postread_ctrl = NULL; if ( slap_read_controls( op, rs, &e, &slap_post_read_bv, postread_ctrl ) ) { postread_ctrl = NULL; Debug( LDAP_DEBUG_TRACE, "<=- null_back_respond: post-read " "failed!\n", 0, 0, 0 ); if ( op->o_postread & SLAP_CONTROL_CRITICAL ) { /* FIXME: is it correct to abort * operation if control fails? */ goto respond; } } else { c++; } break; } } if ( op->o_noop ) { switch ( op->o_tag ) { case LDAP_REQ_ADD: case LDAP_REQ_MODIFY: case LDAP_REQ_RENAME: case LDAP_REQ_DELETE: case LDAP_REQ_EXTENDED: rc = LDAP_X_NO_OPERATION; break; } } if ( get_pagedresults( op ) > SLAP_CONTROL_IGNORED ) { struct berval cookie = BER_BVC( "" ); /* should not be here... */ assert( op->o_tag == LDAP_REQ_SEARCH ); ctrl[c].ldctl_oid = LDAP_CONTROL_PAGEDRESULTS; ctrl[c].ldctl_iscritical = 0; ps_ber = (BerElement *)&ps_berbuf; ber_init2( ps_ber, NULL, LBER_USE_DER ); /* return size of 0 -- no estimate */ ber_printf( ps_ber, "{iO}", 0, &cookie ); if ( ber_flatten2( ps_ber, &ctrl[c].ldctl_value, 0 ) == -1 ) { goto done; } ctrls[c] = &ctrl[c]; c++; } /* terminate controls array */ ctrls[c] = NULL; rs->sr_ctrls = ctrls; rs->sr_err = rc; respond:; send_ldap_result( op, rs ); rs->sr_ctrls = NULL; done:; if ( ps_ber != NULL ) { (void) ber_free_buf( ps_ber ); } if( preread_ctrl != NULL && (*preread_ctrl) != NULL ) { slap_sl_free( (*preread_ctrl)->ldctl_value.bv_val, op->o_tmpmemctx ); slap_sl_free( *preread_ctrl, op->o_tmpmemctx ); } if( postread_ctrl != NULL && (*postread_ctrl) != NULL ) { slap_sl_free( (*postread_ctrl)->ldctl_value.bv_val, op->o_tmpmemctx ); slap_sl_free( *postread_ctrl, op->o_tmpmemctx ); } return rs->sr_err; }
int bdb_delete( Operation *op, SlapReply *rs ) { struct bdb_info *bdb = (struct bdb_info *) op->o_bd->be_private; Entry *matched = NULL; struct berval pdn = {0, NULL}; Entry *e = NULL; Entry *p = NULL; EntryInfo *ei = NULL, *eip = NULL; int manageDSAit = get_manageDSAit( op ); AttributeDescription *children = slap_schema.si_ad_children; AttributeDescription *entry = slap_schema.si_ad_entry; DB_TXN *ltid = NULL, *lt2; struct bdb_op_info opinfo = {{{ 0 }}}; ID eid; DB_LOCK lock, plock; int num_retries = 0; int rc; LDAPControl **preread_ctrl = NULL; LDAPControl *ctrls[SLAP_MAX_RESPONSE_CONTROLS]; int num_ctrls = 0; int parent_is_glue = 0; int parent_is_leaf = 0; #ifdef LDAP_X_TXN int settle = 0; #endif Debug( LDAP_DEBUG_ARGS, "==> " LDAP_XSTRING(bdb_delete) ": %s\n", op->o_req_dn.bv_val, 0, 0 ); #ifdef LDAP_X_TXN if( op->o_txnSpec ) { /* acquire connection lock */ ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex ); if( op->o_conn->c_txn == CONN_TXN_INACTIVE ) { rs->sr_text = "invalid transaction identifier"; rs->sr_err = LDAP_X_TXN_ID_INVALID; goto txnReturn; } else if( op->o_conn->c_txn == CONN_TXN_SETTLE ) { settle=1; goto txnReturn; } if( op->o_conn->c_txn_backend == NULL ) { op->o_conn->c_txn_backend = op->o_bd; } else if( op->o_conn->c_txn_backend != op->o_bd ) { rs->sr_text = "transaction cannot span multiple database contexts"; rs->sr_err = LDAP_AFFECTS_MULTIPLE_DSAS; goto txnReturn; } /* insert operation into transaction */ rs->sr_text = "transaction specified"; rs->sr_err = LDAP_X_TXN_SPECIFY_OKAY; txnReturn: /* release connection lock */ ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex ); if( !settle ) { send_ldap_result( op, rs ); return rs->sr_err; } } #endif ctrls[num_ctrls] = 0; /* allocate CSN */ if ( BER_BVISNULL( &op->o_csn ) ) { struct berval csn; char csnbuf[LDAP_PVT_CSNSTR_BUFSIZE]; csn.bv_val = csnbuf; csn.bv_len = sizeof(csnbuf); slap_get_csn( op, &csn, 1 ); } if( 0 ) { retry: /* transaction retry */ if( e != NULL ) { bdb_unlocked_cache_return_entry_w(&bdb->bi_cache, e); e = NULL; } if( p != NULL ) { bdb_unlocked_cache_return_entry_r(&bdb->bi_cache, p); p = NULL; } Debug( LDAP_DEBUG_TRACE, "==> " LDAP_XSTRING(bdb_delete) ": retrying...\n", 0, 0, 0 ); rs->sr_err = TXN_ABORT( ltid ); ltid = NULL; LDAP_SLIST_REMOVE( &op->o_extra, &opinfo.boi_oe, OpExtra, oe_next ); opinfo.boi_oe.oe_key = NULL; op->o_do_not_cache = opinfo.boi_acl_cache; if( rs->sr_err != 0 ) { rs->sr_err = LDAP_OTHER; rs->sr_text = "internal error"; goto return_results; } if ( op->o_abandon ) { rs->sr_err = SLAPD_ABANDON; goto return_results; } parent_is_glue = 0; parent_is_leaf = 0; bdb_trans_backoff( ++num_retries ); } /* begin transaction */ rs->sr_err = TXN_BEGIN( bdb->bi_dbenv, NULL, <id, bdb->bi_db_opflags ); rs->sr_text = NULL; if( rs->sr_err != 0 ) { Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(bdb_delete) ": txn_begin failed: " "%s (%d)\n", db_strerror(rs->sr_err), rs->sr_err, 0 ); rs->sr_err = LDAP_OTHER; rs->sr_text = "internal error"; goto return_results; } opinfo.boi_oe.oe_key = bdb; opinfo.boi_txn = ltid; opinfo.boi_err = 0; opinfo.boi_acl_cache = op->o_do_not_cache; LDAP_SLIST_INSERT_HEAD( &op->o_extra, &opinfo.boi_oe, oe_next ); if ( !be_issuffix( op->o_bd, &op->o_req_ndn ) ) { dnParent( &op->o_req_ndn, &pdn ); } /* get entry */ rs->sr_err = bdb_dn2entry( op, ltid, &op->o_req_ndn, &ei, 1, &lock ); switch( rs->sr_err ) { case 0: case DB_NOTFOUND: break; case DB_LOCK_DEADLOCK: case DB_LOCK_NOTGRANTED: goto retry; case LDAP_BUSY: rs->sr_text = "ldap server busy"; goto return_results; default: rs->sr_err = LDAP_OTHER; rs->sr_text = "internal error"; goto return_results; } if ( rs->sr_err == 0 ) { e = ei->bei_e; eip = ei->bei_parent; } else { matched = ei->bei_e; } /* FIXME : dn2entry() should return non-glue entry */ if ( e == NULL || ( !manageDSAit && is_entry_glue( e ))) { Debug( LDAP_DEBUG_ARGS, "<=- " LDAP_XSTRING(bdb_delete) ": no such object %s\n", op->o_req_dn.bv_val, 0, 0); if ( matched != NULL ) { rs->sr_matched = ch_strdup( matched->e_dn ); rs->sr_ref = is_entry_referral( matched ) ? get_entry_referrals( op, matched ) : NULL; bdb_unlocked_cache_return_entry_r(&bdb->bi_cache, matched); matched = NULL; } else { rs->sr_ref = referral_rewrite( default_referral, NULL, &op->o_req_dn, LDAP_SCOPE_DEFAULT ); } rs->sr_err = LDAP_REFERRAL; rs->sr_flags = REP_MATCHED_MUSTBEFREED | REP_REF_MUSTBEFREED; goto return_results; } rc = bdb_cache_find_id( op, ltid, eip->bei_id, &eip, 0, &plock ); switch( rc ) { case DB_LOCK_DEADLOCK: case DB_LOCK_NOTGRANTED: goto retry; case 0: case DB_NOTFOUND: break; default: rs->sr_err = LDAP_OTHER; rs->sr_text = "internal error"; goto return_results; } if ( eip ) p = eip->bei_e; if ( pdn.bv_len != 0 ) { if( p == NULL || !bvmatch( &pdn, &p->e_nname )) { Debug( LDAP_DEBUG_TRACE, "<=- " LDAP_XSTRING(bdb_delete) ": parent " "does not exist\n", 0, 0, 0 ); rs->sr_err = LDAP_OTHER; rs->sr_text = "could not locate parent of entry"; goto return_results; } /* check parent for "children" acl */ rs->sr_err = access_allowed( op, p, children, NULL, ACL_WDEL, NULL ); if ( !rs->sr_err ) { switch( opinfo.boi_err ) { case DB_LOCK_DEADLOCK: case DB_LOCK_NOTGRANTED: goto retry; } Debug( LDAP_DEBUG_TRACE, "<=- " LDAP_XSTRING(bdb_delete) ": no write " "access to parent\n", 0, 0, 0 ); rs->sr_err = LDAP_INSUFFICIENT_ACCESS; rs->sr_text = "no write access to parent"; goto return_results; } } else { /* no parent, must be root to delete */ if( ! be_isroot( op ) ) { if ( be_issuffix( op->o_bd, (struct berval *)&slap_empty_bv ) || be_shadow_update( op ) ) { p = (Entry *)&slap_entry_root; /* check parent for "children" acl */ rs->sr_err = access_allowed( op, p, children, NULL, ACL_WDEL, NULL ); p = NULL; if ( !rs->sr_err ) { switch( opinfo.boi_err ) { case DB_LOCK_DEADLOCK: case DB_LOCK_NOTGRANTED: goto retry; } Debug( LDAP_DEBUG_TRACE, "<=- " LDAP_XSTRING(bdb_delete) ": no access to parent\n", 0, 0, 0 ); rs->sr_err = LDAP_INSUFFICIENT_ACCESS; rs->sr_text = "no write access to parent"; goto return_results; } } else { Debug( LDAP_DEBUG_TRACE, "<=- " LDAP_XSTRING(bdb_delete) ": no parent and not root\n", 0, 0, 0 ); rs->sr_err = LDAP_INSUFFICIENT_ACCESS; goto return_results; } } } if ( get_assert( op ) && ( test_filter( op, e, get_assertion( op )) != LDAP_COMPARE_TRUE )) { rs->sr_err = LDAP_ASSERTION_FAILED; goto return_results; } rs->sr_err = access_allowed( op, e, entry, NULL, ACL_WDEL, NULL ); if ( !rs->sr_err ) { switch( opinfo.boi_err ) { case DB_LOCK_DEADLOCK: case DB_LOCK_NOTGRANTED: goto retry; } Debug( LDAP_DEBUG_TRACE, "<=- " LDAP_XSTRING(bdb_delete) ": no write access " "to entry\n", 0, 0, 0 ); rs->sr_err = LDAP_INSUFFICIENT_ACCESS; rs->sr_text = "no write access to entry"; goto return_results; } if ( !manageDSAit && is_entry_referral( e ) ) { /* entry is a referral, don't allow delete */ rs->sr_ref = get_entry_referrals( op, e ); Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(bdb_delete) ": entry is referral\n", 0, 0, 0 ); rs->sr_err = LDAP_REFERRAL; rs->sr_matched = ch_strdup( e->e_name.bv_val ); rs->sr_flags = REP_MATCHED_MUSTBEFREED | REP_REF_MUSTBEFREED; goto return_results; } /* pre-read */ if( op->o_preread ) { if( preread_ctrl == NULL ) { preread_ctrl = &ctrls[num_ctrls++]; ctrls[num_ctrls] = NULL; } if( slap_read_controls( op, rs, e, &slap_pre_read_bv, preread_ctrl ) ) { Debug( LDAP_DEBUG_TRACE, "<=- " LDAP_XSTRING(bdb_delete) ": pre-read " "failed!\n", 0, 0, 0 ); if ( op->o_preread & SLAP_CONTROL_CRITICAL ) { /* FIXME: is it correct to abort * operation if control fails? */ goto return_results; } } } /* nested transaction */ rs->sr_err = TXN_BEGIN( bdb->bi_dbenv, ltid, <2, bdb->bi_db_opflags ); rs->sr_text = NULL; if( rs->sr_err != 0 ) { Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(bdb_delete) ": txn_begin(2) failed: " "%s (%d)\n", db_strerror(rs->sr_err), rs->sr_err, 0 ); rs->sr_err = LDAP_OTHER; rs->sr_text = "internal error"; goto return_results; } BDB_LOG_PRINTF( bdb->bi_dbenv, lt2, "slapd Starting delete %s(%d)", e->e_nname.bv_val, e->e_id ); /* Can't do it if we have kids */ rs->sr_err = bdb_cache_children( op, lt2, e ); if( rs->sr_err != DB_NOTFOUND ) { switch( rs->sr_err ) { case DB_LOCK_DEADLOCK: case DB_LOCK_NOTGRANTED: goto retry; case 0: Debug(LDAP_DEBUG_ARGS, "<=- " LDAP_XSTRING(bdb_delete) ": non-leaf %s\n", op->o_req_dn.bv_val, 0, 0); rs->sr_err = LDAP_NOT_ALLOWED_ON_NONLEAF; rs->sr_text = "subordinate objects must be deleted first"; break; default: Debug(LDAP_DEBUG_ARGS, "<=- " LDAP_XSTRING(bdb_delete) ": has_children failed: %s (%d)\n", db_strerror(rs->sr_err), rs->sr_err, 0 ); rs->sr_err = LDAP_OTHER; rs->sr_text = "internal error"; } goto return_results; } /* delete from dn2id */ rs->sr_err = bdb_dn2id_delete( op, lt2, eip, e ); if ( rs->sr_err != 0 ) { Debug(LDAP_DEBUG_TRACE, "<=- " LDAP_XSTRING(bdb_delete) ": dn2id failed: " "%s (%d)\n", db_strerror(rs->sr_err), rs->sr_err, 0 ); switch( rs->sr_err ) { case DB_LOCK_DEADLOCK: case DB_LOCK_NOTGRANTED: goto retry; } rs->sr_text = "DN index delete failed"; rs->sr_err = LDAP_OTHER; goto return_results; } /* delete indices for old attributes */ rs->sr_err = bdb_index_entry_del( op, lt2, e ); if ( rs->sr_err != LDAP_SUCCESS ) { Debug(LDAP_DEBUG_TRACE, "<=- " LDAP_XSTRING(bdb_delete) ": index failed: " "%s (%d)\n", db_strerror(rs->sr_err), rs->sr_err, 0 ); switch( rs->sr_err ) { case DB_LOCK_DEADLOCK: case DB_LOCK_NOTGRANTED: goto retry; } rs->sr_text = "entry index delete failed"; rs->sr_err = LDAP_OTHER; goto return_results; } /* fixup delete CSN */ if ( !SLAP_SHADOW( op->o_bd )) { struct berval vals[2]; assert( !BER_BVISNULL( &op->o_csn ) ); vals[0] = op->o_csn; BER_BVZERO( &vals[1] ); rs->sr_err = bdb_index_values( op, lt2, slap_schema.si_ad_entryCSN, vals, 0, SLAP_INDEX_ADD_OP ); if ( rs->sr_err != LDAP_SUCCESS ) { switch( rs->sr_err ) { case DB_LOCK_DEADLOCK: case DB_LOCK_NOTGRANTED: goto retry; } rs->sr_text = "entryCSN index update failed"; rs->sr_err = LDAP_OTHER; goto return_results; } } /* delete from id2entry */ rs->sr_err = bdb_id2entry_delete( op->o_bd, lt2, e ); if ( rs->sr_err != 0 ) { Debug( LDAP_DEBUG_TRACE, "<=- " LDAP_XSTRING(bdb_delete) ": id2entry failed: " "%s (%d)\n", db_strerror(rs->sr_err), rs->sr_err, 0 ); switch( rs->sr_err ) { case DB_LOCK_DEADLOCK: case DB_LOCK_NOTGRANTED: goto retry; } rs->sr_text = "entry delete failed"; rs->sr_err = LDAP_OTHER; goto return_results; } if ( pdn.bv_len != 0 ) { parent_is_glue = is_entry_glue(p); rs->sr_err = bdb_cache_children( op, lt2, p ); if ( rs->sr_err != DB_NOTFOUND ) { switch( rs->sr_err ) { case DB_LOCK_DEADLOCK: case DB_LOCK_NOTGRANTED: goto retry; case 0: break; default: Debug(LDAP_DEBUG_ARGS, "<=- " LDAP_XSTRING(bdb_delete) ": has_children failed: %s (%d)\n", db_strerror(rs->sr_err), rs->sr_err, 0 ); rs->sr_err = LDAP_OTHER; rs->sr_text = "internal error"; goto return_results; } parent_is_leaf = 1; } bdb_unlocked_cache_return_entry_r(&bdb->bi_cache, p); p = NULL; } BDB_LOG_PRINTF( bdb->bi_dbenv, lt2, "slapd Commit1 delete %s(%d)", e->e_nname.bv_val, e->e_id ); if ( TXN_COMMIT( lt2, 0 ) != 0 ) { rs->sr_err = LDAP_OTHER; rs->sr_text = "txn_commit(2) failed"; goto return_results; } eid = e->e_id; #if 0 /* Do we want to reclaim deleted IDs? */ ldap_pvt_thread_mutex_lock( &bdb->bi_lastid_mutex ); if ( e->e_id == bdb->bi_lastid ) { bdb_last_id( op->o_bd, ltid ); } ldap_pvt_thread_mutex_unlock( &bdb->bi_lastid_mutex ); #endif if( op->o_noop ) { if ( ( rs->sr_err = TXN_ABORT( ltid ) ) != 0 ) { rs->sr_text = "txn_abort (no-op) failed"; } else { rs->sr_err = LDAP_X_NO_OPERATION; ltid = NULL; goto return_results; } } else { BDB_LOG_PRINTF( bdb->bi_dbenv, ltid, "slapd Cache delete %s(%d)", e->e_nname.bv_val, e->e_id ); rc = bdb_cache_delete( bdb, e, ltid, &lock ); switch( rc ) { case DB_LOCK_DEADLOCK: case DB_LOCK_NOTGRANTED: goto retry; } rs->sr_err = TXN_COMMIT( ltid, 0 ); } ltid = NULL; LDAP_SLIST_REMOVE( &op->o_extra, &opinfo.boi_oe, OpExtra, oe_next ); opinfo.boi_oe.oe_key = NULL; BDB_LOG_PRINTF( bdb->bi_dbenv, NULL, "slapd Committed delete %s(%d)", e->e_nname.bv_val, e->e_id ); if( rs->sr_err != 0 ) { Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(bdb_delete) ": txn_%s failed: %s (%d)\n", op->o_noop ? "abort (no-op)" : "commit", db_strerror(rs->sr_err), rs->sr_err ); rs->sr_err = LDAP_OTHER; rs->sr_text = "commit failed"; goto return_results; } Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(bdb_delete) ": deleted%s id=%08lx dn=\"%s\"\n", op->o_noop ? " (no-op)" : "", eid, op->o_req_dn.bv_val ); rs->sr_err = LDAP_SUCCESS; rs->sr_text = NULL; if( num_ctrls ) rs->sr_ctrls = ctrls; return_results: if ( rs->sr_err == LDAP_SUCCESS && parent_is_glue && parent_is_leaf ) { op->o_delete_glue_parent = 1; } if ( p ) bdb_unlocked_cache_return_entry_r(&bdb->bi_cache, p); /* free entry */ if( e != NULL ) { if ( rs->sr_err == LDAP_SUCCESS ) { /* Free the EntryInfo and the Entry */ bdb_cache_entryinfo_lock( BEI(e) ); bdb_cache_delete_cleanup( &bdb->bi_cache, BEI(e) ); } else { bdb_unlocked_cache_return_entry_w(&bdb->bi_cache, e); } } if( ltid != NULL ) { TXN_ABORT( ltid ); } if ( opinfo.boi_oe.oe_key ) { LDAP_SLIST_REMOVE( &op->o_extra, &opinfo.boi_oe, OpExtra, oe_next ); } send_ldap_result( op, rs ); slap_graduate_commit_csn( op ); if( preread_ctrl != NULL && (*preread_ctrl) != NULL ) { slap_sl_free( (*preread_ctrl)->ldctl_value.bv_val, op->o_tmpmemctx ); slap_sl_free( *preread_ctrl, op->o_tmpmemctx ); } if( rs->sr_err == LDAP_SUCCESS && bdb->bi_txn_cp_kbyte ) { TXN_CHECKPOINT( bdb->bi_dbenv, bdb->bi_txn_cp_kbyte, bdb->bi_txn_cp_min, 0 ); } return rs->sr_err; }
int dnssrv_back_referrals( Operation *op, SlapReply *rs ) { int i; int rc = LDAP_OTHER; char *domain = NULL; char *hostlist = NULL; char **hosts = NULL; BerVarray urls = NULL; if ( BER_BVISEMPTY( &op->o_req_dn ) ) { /* FIXME: need some means to determine whether the database * is a glue instance */ if ( SLAP_GLUE_INSTANCE( op->o_bd ) ) { return LDAP_SUCCESS; } rs->sr_text = "DNS SRV operation upon null (empty) DN disallowed"; return LDAP_UNWILLING_TO_PERFORM; } if( get_manageDSAit( op ) ) { if( op->o_tag == LDAP_REQ_SEARCH ) { return LDAP_SUCCESS; } rs->sr_text = "DNS SRV problem processing manageDSAit control"; return LDAP_OTHER; } if( ldap_dn2domain( op->o_req_dn.bv_val, &domain ) || domain == NULL ) { rs->sr_err = LDAP_REFERRAL; rs->sr_ref = default_referral; send_ldap_result( op, rs ); rs->sr_ref = NULL; return LDAP_REFERRAL; } Debug( LDAP_DEBUG_TRACE, "DNSSRV: dn=\"%s\" -> domain=\"%s\"\n", op->o_req_dn.bv_val, domain, 0 ); i = ldap_domain2hostlist( domain, &hostlist ); if ( i ) { Debug( LDAP_DEBUG_TRACE, "DNSSRV: domain2hostlist(%s) returned %d\n", domain, i, 0 ); rs->sr_text = "no DNS SRV RR available for DN"; rc = LDAP_NO_SUCH_OBJECT; goto done; } hosts = ldap_str2charray( hostlist, " " ); if( hosts == NULL ) { Debug( LDAP_DEBUG_TRACE, "DNSSRV: str2charrary error\n", 0, 0, 0 ); rs->sr_text = "problem processing DNS SRV records for DN"; goto done; } for( i=0; hosts[i] != NULL; i++) { struct berval url; url.bv_len = STRLENOF( "ldap://" ) + strlen( hosts[i] ); url.bv_val = ch_malloc( url.bv_len + 1 ); strcpy( url.bv_val, "ldap://" ); strcpy( &url.bv_val[STRLENOF( "ldap://" )], hosts[i] ); if ( ber_bvarray_add( &urls, &url ) < 0 ) { free( url.bv_val ); rs->sr_text = "problem processing DNS SRV records for DN"; goto done; } } Statslog( LDAP_DEBUG_STATS, "%s DNSSRV p=%d dn=\"%s\" url=\"%s\"\n", op->o_log_prefix, op->o_protocol, op->o_req_dn.bv_val, urls[0].bv_val, 0 ); Debug( LDAP_DEBUG_TRACE, "DNSSRV: dn=\"%s\" -> url=\"%s\"\n", op->o_req_dn.bv_val, urls[0].bv_val, 0 ); rs->sr_ref = urls; send_ldap_error( op, rs, LDAP_REFERRAL, "DNS SRV generated referrals" ); rs->sr_ref = NULL; rc = LDAP_REFERRAL; done: if( domain != NULL ) ch_free( domain ); if( hostlist != NULL ) ch_free( hostlist ); if( hosts != NULL ) ldap_charray_free( hosts ); ber_bvarray_free( urls ); return rc; }
int mdb_bind( Operation *op, SlapReply *rs ) { struct mdb_info *mdb = (struct mdb_info *) op->o_bd->be_private; Entry *e; Attribute *a; AttributeDescription *password = slap_schema.si_ad_userPassword; MDB_txn *rtxn; mdb_op_info opinfo = {{{0}}}, *moi = &opinfo; Debug( LDAP_DEBUG_ARGS, "==> " LDAP_XSTRING(mdb_bind) ": dn: %s\n", op->o_req_dn.bv_val, 0, 0); /* allow noauth binds */ switch ( be_rootdn_bind( op, NULL ) ) { case LDAP_SUCCESS: /* frontend will send result */ return rs->sr_err = LDAP_SUCCESS; default: /* give the database a chance */ /* NOTE: this behavior departs from that of other backends, * since the others, in case of password checking failure * do not give the database a chance. If an entry with * rootdn's name does not exist in the database the result * will be the same. See ITS#4962 for discussion. */ break; } rs->sr_err = mdb_opinfo_get(op, mdb, 1, &moi); switch(rs->sr_err) { case 0: break; default: rs->sr_text = "internal error"; send_ldap_result( op, rs ); return rs->sr_err; } rtxn = moi->moi_txn; /* get entry with reader lock */ rs->sr_err = mdb_dn2entry( op, rtxn, NULL, &op->o_req_ndn, &e, NULL, 0 ); switch(rs->sr_err) { case MDB_NOTFOUND: rs->sr_err = LDAP_INVALID_CREDENTIALS; goto done; case 0: break; case LDAP_BUSY: rs->sr_text = "ldap_server_busy"; goto done; default: rs->sr_err = LDAP_OTHER; rs->sr_text = "internal error"; goto done; } ber_dupbv( &op->oq_bind.rb_edn, &e->e_name ); /* check for deleted */ if ( is_entry_subentry( e ) ) { /* entry is an subentry, don't allow bind */ Debug( LDAP_DEBUG_TRACE, "entry is subentry\n", 0, 0, 0 ); rs->sr_err = LDAP_INVALID_CREDENTIALS; goto done; } if ( is_entry_alias( e ) ) { /* entry is an alias, don't allow bind */ Debug( LDAP_DEBUG_TRACE, "entry is alias\n", 0, 0, 0 ); rs->sr_err = LDAP_INVALID_CREDENTIALS; goto done; } if ( is_entry_referral( e ) ) { Debug( LDAP_DEBUG_TRACE, "entry is referral\n", 0, 0, 0 ); rs->sr_err = LDAP_INVALID_CREDENTIALS; goto done; } switch ( op->oq_bind.rb_method ) { case LDAP_AUTH_SIMPLE: a = attr_find( e->e_attrs, password ); if ( a == NULL ) { rs->sr_err = LDAP_INVALID_CREDENTIALS; goto done; } if ( slap_passwd_check( op, e, a, &op->oq_bind.rb_cred, &rs->sr_text ) != 0 ) { /* failure; stop front end from sending result */ rs->sr_err = LDAP_INVALID_CREDENTIALS; goto done; } rs->sr_err = 0; break; default: assert( 0 ); /* should not be reachable */ rs->sr_err = LDAP_STRONG_AUTH_NOT_SUPPORTED; rs->sr_text = "authentication method not supported"; } done: if ( moi == &opinfo ) { mdb_txn_reset( moi->moi_txn ); LDAP_SLIST_REMOVE( &op->o_extra, &moi->moi_oe, OpExtra, oe_next ); } else { moi->moi_ref--; } /* free entry and reader lock */ if( e != NULL ) { mdb_entry_return( op, e ); } if ( rs->sr_err ) { send_ldap_result( op, rs ); if ( rs->sr_ref ) { ber_bvarray_free( rs->sr_ref ); rs->sr_ref = NULL; } } /* front end will send result on success (rs->sr_err==0) */ return rs->sr_err; }
int bdb_referrals( Operation *op, SlapReply *rs ) { struct bdb_info *bdb = (struct bdb_info *) op->o_bd->be_private; Entry *e = NULL; EntryInfo *ei; int rc = LDAP_SUCCESS; DB_TXN *rtxn; DB_LOCK lock; if( op->o_tag == LDAP_REQ_SEARCH ) { /* let search take care of itself */ return rc; } if( get_manageDSAit( op ) ) { /* let op take care of DSA management */ return rc; } rc = bdb_reader_get(op, bdb->bi_dbenv, &rtxn); switch(rc) { case 0: break; default: return LDAP_OTHER; } dn2entry_retry: /* get entry */ rc = bdb_dn2entry( op, rtxn, &op->o_req_ndn, &ei, 1, &lock ); /* bdb_dn2entry() may legally leave ei == NULL * if rc != 0 and rc != DB_NOTFOUND */ if ( ei ) { e = ei->bei_e; } switch(rc) { case DB_NOTFOUND: case 0: break; case LDAP_BUSY: rs->sr_text = "ldap server busy"; return LDAP_BUSY; case DB_LOCK_DEADLOCK: case DB_LOCK_NOTGRANTED: goto dn2entry_retry; default: Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(bdb_referrals) ": dn2entry failed: %s (%d)\n", db_strerror(rc), rc, 0 ); rs->sr_text = "internal error"; return LDAP_OTHER; } if ( rc == DB_NOTFOUND ) { rc = LDAP_SUCCESS; rs->sr_matched = NULL; if ( e != NULL ) { Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(bdb_referrals) ": tag=%lu target=\"%s\" matched=\"%s\"\n", (unsigned long)op->o_tag, op->o_req_dn.bv_val, e->e_name.bv_val ); if( is_entry_referral( e ) ) { BerVarray ref = get_entry_referrals( op, e ); rc = LDAP_OTHER; rs->sr_ref = referral_rewrite( ref, &e->e_name, &op->o_req_dn, LDAP_SCOPE_DEFAULT ); ber_bvarray_free( ref ); if ( rs->sr_ref ) { rs->sr_matched = ber_strdup_x( e->e_name.bv_val, op->o_tmpmemctx ); } } bdb_cache_return_entry_r (bdb, e, &lock); e = NULL; } if( rs->sr_ref != NULL ) { /* send referrals */ rc = rs->sr_err = LDAP_REFERRAL; send_ldap_result( op, rs ); ber_bvarray_free( rs->sr_ref ); rs->sr_ref = NULL; } else if ( rc != LDAP_SUCCESS ) { rs->sr_text = rs->sr_matched ? "bad referral object" : NULL; } if (rs->sr_matched) { op->o_tmpfree( (char *)rs->sr_matched, op->o_tmpmemctx ); rs->sr_matched = NULL; } return rc; } if ( is_entry_referral( e ) ) { /* entry is a referral */ BerVarray refs = get_entry_referrals( op, e ); rs->sr_ref = referral_rewrite( refs, &e->e_name, &op->o_req_dn, LDAP_SCOPE_DEFAULT ); Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(bdb_referrals) ": tag=%lu target=\"%s\" matched=\"%s\"\n", (unsigned long)op->o_tag, op->o_req_dn.bv_val, e->e_name.bv_val ); rs->sr_matched = e->e_name.bv_val; if( rs->sr_ref != NULL ) { rc = rs->sr_err = LDAP_REFERRAL; send_ldap_result( op, rs ); ber_bvarray_free( rs->sr_ref ); rs->sr_ref = NULL; } else { rc = LDAP_OTHER; rs->sr_text = "bad referral object"; } rs->sr_matched = NULL; ber_bvarray_free( refs ); } bdb_cache_return_entry_r(bdb, e, &lock); return rc; }
int backsql_bind( Operation *op, SlapReply *rs ) { SQLHDBC dbh = SQL_NULL_HDBC; Entry e = { 0 }; Attribute *a; backsql_srch_info bsi = { 0 }; AttributeName anlist[2]; int rc; Debug( LDAP_DEBUG_TRACE, "==>backsql_bind()\n", 0, 0, 0 ); switch ( be_rootdn_bind( op, rs ) ) { case SLAP_CB_CONTINUE: break; default: /* in case of success, front end will send result; * otherwise, be_rootdn_bind() did */ Debug( LDAP_DEBUG_TRACE, "<==backsql_bind(%d)\n", rs->sr_err, 0, 0 ); return rs->sr_err; } rs->sr_err = backsql_get_db_conn( op, &dbh ); if ( rs->sr_err != LDAP_SUCCESS ) { Debug( LDAP_DEBUG_TRACE, "backsql_bind(): " "could not get connection handle - exiting\n", 0, 0, 0 ); rs->sr_text = ( rs->sr_err == LDAP_OTHER ) ? "SQL-backend error" : NULL; goto error_return; } anlist[0].an_name = slap_schema.si_ad_userPassword->ad_cname; anlist[0].an_desc = slap_schema.si_ad_userPassword; anlist[1].an_name.bv_val = NULL; bsi.bsi_e = &e; rc = backsql_init_search( &bsi, &op->o_req_ndn, LDAP_SCOPE_BASE, (time_t)(-1), NULL, dbh, op, rs, anlist, BACKSQL_ISF_GET_ENTRY ); if ( rc != LDAP_SUCCESS ) { Debug( LDAP_DEBUG_TRACE, "backsql_bind(): " "could not retrieve bindDN ID - no such entry\n", 0, 0, 0 ); rs->sr_err = LDAP_INVALID_CREDENTIALS; goto error_return; } a = attr_find( e.e_attrs, slap_schema.si_ad_userPassword ); if ( a == NULL ) { rs->sr_err = LDAP_INVALID_CREDENTIALS; goto error_return; } if ( slap_passwd_check( op, &e, a, &op->oq_bind.rb_cred, &rs->sr_text ) != 0 ) { rs->sr_err = LDAP_INVALID_CREDENTIALS; goto error_return; } error_return:; if ( !BER_BVISNULL( &bsi.bsi_base_id.eid_ndn ) ) { (void)backsql_free_entryID( &bsi.bsi_base_id, 0, op->o_tmpmemctx ); } if ( !BER_BVISNULL( &e.e_nname ) ) { backsql_entry_clean( op, &e ); } if ( bsi.bsi_attrs != NULL ) { op->o_tmpfree( bsi.bsi_attrs, op->o_tmpmemctx ); } if ( rs->sr_err != LDAP_SUCCESS ) { send_ldap_result( op, rs ); } Debug( LDAP_DEBUG_TRACE,"<==backsql_bind()\n", 0, 0, 0 ); return rs->sr_err; }
int ldap_back_modrdn( Operation *op, SlapReply *rs ) { ldapinfo_t *li = (ldapinfo_t *)op->o_bd->be_private; ldapconn_t *lc = NULL; ber_int_t msgid; LDAPControl **ctrls = NULL; ldap_back_send_t retrying = LDAP_BACK_RETRYING; int rc = LDAP_SUCCESS; char *newSup = NULL; struct berval newrdn = BER_BVNULL; if ( !ldap_back_dobind( &lc, op, rs, LDAP_BACK_SENDERR ) ) { return rs->sr_err; } if ( op->orr_newSup ) { /* needs LDAPv3 */ switch ( li->li_version ) { case LDAP_VERSION3: break; case 0: if ( op->o_protocol == 0 || op->o_protocol == LDAP_VERSION3 ) { break; } /* fall thru */ default: /* op->o_protocol cannot be anything but LDAPv3, * otherwise wouldn't be here */ rs->sr_err = LDAP_UNWILLING_TO_PERFORM; send_ldap_result( op, rs ); goto cleanup; } newSup = op->orr_newSup->bv_val; } /* NOTE: we need to copy the newRDN in case it was formed * from a DN by simply changing the length (ITS#5397) */ newrdn = op->orr_newrdn; if ( newrdn.bv_val[ newrdn.bv_len ] != '\0' ) { ber_dupbv_x( &newrdn, &op->orr_newrdn, op->o_tmpmemctx ); } retry: ctrls = op->o_ctrls; rc = ldap_back_controls_add( op, rs, lc, &ctrls ); if ( rc != LDAP_SUCCESS ) { send_ldap_result( op, rs ); rc = -1; goto cleanup; } rs->sr_err = ldap_rename( lc->lc_ld, op->o_req_dn.bv_val, newrdn.bv_val, newSup, op->orr_deleteoldrdn, ctrls, NULL, &msgid ); rc = ldap_back_op_result( lc, op, rs, msgid, li->li_timeout[ SLAP_OP_MODRDN ], ( LDAP_BACK_SENDRESULT | retrying ) ); if ( rs->sr_err == LDAP_UNAVAILABLE && retrying ) { retrying &= ~LDAP_BACK_RETRYING; if ( ldap_back_retry( &lc, op, rs, LDAP_BACK_SENDERR ) ) { /* if the identity changed, there might be need to re-authz */ (void)ldap_back_controls_free( op, rs, &ctrls ); goto retry; } } cleanup: (void)ldap_back_controls_free( op, rs, &ctrls ); if ( newrdn.bv_val != op->orr_newrdn.bv_val ) { op->o_tmpfree( newrdn.bv_val, op->o_tmpmemctx ); } if ( lc != NULL ) { ldap_back_release_conn( li, lc ); } return rc; }
int shell_back_bind( Backend *be, Connection *conn, Operation *op, struct berval *dn, struct berval *ndn, int method, struct berval *cred, struct berval *edn ) { struct shellinfo *si = (struct shellinfo *) be->be_private; AttributeDescription *entry = slap_schema.si_ad_entry; Entry e; FILE *rfp, *wfp; int rc; if ( si->si_bind == NULL ) { send_ldap_result( conn, op, LDAP_UNWILLING_TO_PERFORM, NULL, "bind not implemented", NULL, NULL ); return( -1 ); } e.e_id = NOID; e.e_name = *dn; e.e_nname = *ndn; e.e_attrs = NULL; e.e_ocflags = 0; e.e_bv.bv_len = 0; e.e_bv.bv_val = NULL; e.e_private = NULL; if ( ! access_allowed( be, conn, op, &e, entry, NULL, ACL_AUTH, NULL ) ) { send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS, NULL, NULL, NULL, NULL ); return -1; } if ( (op->o_private = (void *) forkandexec( si->si_bind, &rfp, &wfp )) == (void *) -1 ) { send_ldap_result( conn, op, LDAP_OTHER, NULL, "could not fork/exec", NULL, NULL ); return( -1 ); } /* write out the request to the bind process */ fprintf( wfp, "BIND\n" ); fprintf( wfp, "msgid: %ld\n", (long) op->o_msgid ); print_suffixes( wfp, be ); fprintf( wfp, "dn: %s\n", dn->bv_val ); fprintf( wfp, "method: %d\n", method ); fprintf( wfp, "credlen: %lu\n", cred->bv_len ); fprintf( wfp, "cred: %s\n", cred->bv_val ); /* XXX */ fclose( wfp ); /* read in the results and send them along */ rc = read_and_send_results( be, conn, op, rfp, NULL, 0 ); fclose( rfp ); return( rc ); }
int meta_back_add( Operation *op, SlapReply *rs ) { metainfo_t *mi = ( metainfo_t * )op->o_bd->be_private; metatarget_t *mt; metaconn_t *mc; int i, candidate = -1; int isupdate; Attribute *a; LDAPMod **attrs; struct berval mdn = BER_BVNULL, mapped; dncookie dc; int msgid; ldap_back_send_t retrying = LDAP_BACK_RETRYING; LDAPControl **ctrls = NULL; Debug(LDAP_DEBUG_ARGS, "==> meta_back_add: %s\n", op->o_req_dn.bv_val ); /* * get the current connection */ mc = meta_back_getconn( op, rs, &candidate, LDAP_BACK_SENDERR ); if ( !mc || !meta_back_dobind( op, rs, mc, LDAP_BACK_SENDERR ) ) { return rs->sr_err; } assert( mc->mc_conns[ candidate ].msc_ld != NULL ); /* * Rewrite the add dn, if needed */ mt = mi->mi_targets[ candidate ]; dc.target = mt; dc.conn = op->o_conn; dc.rs = rs; dc.ctx = "addDN"; if ( ldap_back_dn_massage( &dc, &op->o_req_dn, &mdn ) ) { send_ldap_result( op, rs ); goto done; } /* Count number of attributes in entry ( +1 ) */ for ( i = 1, a = op->ora_e->e_attrs; a; i++, a = a->a_next ); /* Create array of LDAPMods for ldap_add() */ attrs = ch_malloc( sizeof( LDAPMod * )*i ); dc.ctx = "addAttrDN"; isupdate = be_shadow_update( op ); for ( i = 0, a = op->ora_e->e_attrs; a; a = a->a_next ) { int j, is_oc = 0; if ( !isupdate && !get_relax( op ) && a->a_desc->ad_type->sat_no_user_mod ) { continue; } if ( a->a_desc == slap_schema.si_ad_objectClass || a->a_desc == slap_schema.si_ad_structuralObjectClass ) { is_oc = 1; mapped = a->a_desc->ad_cname; } else { ldap_back_map( &mt->mt_rwmap.rwm_at, &a->a_desc->ad_cname, &mapped, BACKLDAP_MAP ); if ( BER_BVISNULL( &mapped ) || BER_BVISEMPTY( &mapped ) ) { continue; } } attrs[ i ] = ch_malloc( sizeof( LDAPMod ) ); if ( attrs[ i ] == NULL ) { continue; } attrs[ i ]->mod_op = LDAP_MOD_BVALUES; attrs[ i ]->mod_type = mapped.bv_val; if ( is_oc ) { for ( j = 0; !BER_BVISNULL( &a->a_vals[ j ] ); j++ ) ; attrs[ i ]->mod_bvalues = (struct berval **)ch_malloc( ( j + 1 ) * sizeof( struct berval * ) ); for ( j = 0; !BER_BVISNULL( &a->a_vals[ j ] ); ) { struct ldapmapping *mapping; ldap_back_mapping( &mt->mt_rwmap.rwm_oc, &a->a_vals[ j ], &mapping, BACKLDAP_MAP ); if ( mapping == NULL ) { if ( mt->mt_rwmap.rwm_oc.drop_missing ) { continue; } attrs[ i ]->mod_bvalues[ j ] = &a->a_vals[ j ]; } else { attrs[ i ]->mod_bvalues[ j ] = &mapping->dst; } j++; } attrs[ i ]->mod_bvalues[ j ] = NULL; } else { /* * FIXME: dn-valued attrs should be rewritten * to allow their use in ACLs at the back-ldap * level. */ if ( a->a_desc->ad_type->sat_syntax == slap_schema.si_syn_distinguishedName ) { (void)ldap_dnattr_rewrite( &dc, a->a_vals ); if ( a->a_vals == NULL ) { continue; } } for ( j = 0; !BER_BVISNULL( &a->a_vals[ j ] ); j++ ) ; attrs[ i ]->mod_bvalues = ch_malloc( ( j + 1 ) * sizeof( struct berval * ) ); for ( j = 0; !BER_BVISNULL( &a->a_vals[ j ] ); j++ ) { attrs[ i ]->mod_bvalues[ j ] = &a->a_vals[ j ]; } attrs[ i ]->mod_bvalues[ j ] = NULL; } i++; } attrs[ i ] = NULL; retry:; ctrls = op->o_ctrls; if ( meta_back_controls_add( op, rs, mc, candidate, &ctrls ) != LDAP_SUCCESS ) { send_ldap_result( op, rs ); goto cleanup; } rs->sr_err = ldap_add_ext( mc->mc_conns[ candidate ].msc_ld, mdn.bv_val, attrs, ctrls, NULL, &msgid ); rs->sr_err = meta_back_op_result( mc, op, rs, candidate, msgid, mt->mt_timeout[ SLAP_OP_ADD ], ( LDAP_BACK_SENDRESULT | retrying ) ); if ( rs->sr_err == LDAP_UNAVAILABLE && retrying ) { retrying &= ~LDAP_BACK_RETRYING; if ( meta_back_retry( op, rs, &mc, candidate, LDAP_BACK_SENDERR ) ) { /* if the identity changed, there might be need to re-authz */ (void)mi->mi_ldap_extra->controls_free( op, rs, &ctrls ); goto retry; } } cleanup:; (void)mi->mi_ldap_extra->controls_free( op, rs, &ctrls ); for ( --i; i >= 0; --i ) { free( attrs[ i ]->mod_bvalues ); free( attrs[ i ] ); } free( attrs ); if ( mdn.bv_val != op->ora_e->e_dn ) { free( mdn.bv_val ); BER_BVZERO( &mdn ); } done:; if ( mc ) { meta_back_release_conn( mi, mc ); } return rs->sr_err; }
int read_and_send_results( Operation *op, SlapReply *rs, FILE *fp ) { int bsize, len; char *buf, *bp; char line[BUFSIZ]; char ebuf[128]; /* read in the result and send it along */ buf = (char *) ch_malloc( BUFSIZ ); buf[0] = '\0'; bsize = BUFSIZ; bp = buf; while ( !feof(fp) ) { errno = 0; if ( fgets( line, sizeof(line), fp ) == NULL ) { if ( errno == EINTR ) continue; Debug( LDAP_DEBUG_ANY, "shell: fgets failed: %s (%d)\n", AC_STRERROR_R(errno, ebuf, sizeof ebuf), errno, 0 ); break; } Debug( LDAP_DEBUG_SHELL, "shell search reading line (%s)\n", line, 0, 0 ); /* ignore lines beginning with # (LDIFv1 comments) */ if ( *line == '#' ) { continue; } /* ignore lines beginning with DEBUG: */ if ( strncasecmp( line, "DEBUG:", 6 ) == 0 ) { continue; } len = strlen( line ); while ( bp + len + 1 - buf > bsize ) { size_t offset = bp - buf; bsize += BUFSIZ; buf = (char *) ch_realloc( buf, bsize ); bp = &buf[offset]; } strcpy( bp, line ); bp += len; /* line marked the end of an entry or result */ if ( *line == '\n' ) { if ( strncasecmp( buf, "RESULT", 6 ) == 0 ) { break; } if ( (rs->sr_entry = str2entry( buf )) == NULL ) { Debug( LDAP_DEBUG_ANY, "str2entry(%s) failed\n", buf, 0, 0 ); } else { rs->sr_attrs = op->oq_search.rs_attrs; rs->sr_flags = REP_ENTRY_MODIFIABLE; send_search_entry( op, rs ); entry_free( rs->sr_entry ); } bp = buf; } } (void) str2result( buf, &rs->sr_err, (char **)&rs->sr_matched, (char **)&rs->sr_text ); /* otherwise, front end will send this result */ if ( rs->sr_err != 0 || op->o_tag != LDAP_REQ_BIND ) { send_ldap_result( op, rs ); } free( buf ); return( rs->sr_err ); }
/* * op_shared_rename() -- common frontend code for modDN operations. * * Beware: this function resets the following pblock elements that were * set by the caller: * * SLAPI_MODRDN_TARGET_SDN * SLAPI_MODRDN_NEWRDN * SLAPI_MODRDN_NEWSUPERIOR_SDN */ static void op_shared_rename(Slapi_PBlock *pb, int passin_args) { char *dn, *newrdn, *newdn = NULL; const char *newsuperior; char **rdns; int deloldrdn; Slapi_Backend *be = NULL; Slapi_DN *origsdn = NULL; Slapi_Mods smods; int internal_op, repl_op, lastmod; Slapi_Operation *operation; Slapi_Entry *referral; char errorbuf[BUFSIZ]; int err; char *proxydn = NULL; char *proxystr = NULL; int proxy_err = LDAP_SUCCESS; char *errtext = NULL; Slapi_DN *sdn = NULL; Slapi_DN *newsuperiorsdn = NULL; slapi_pblock_get(pb, SLAPI_ORIGINAL_TARGET, &dn); slapi_pblock_get(pb, SLAPI_MODRDN_NEWRDN, &newrdn); slapi_pblock_get(pb, SLAPI_MODRDN_NEWSUPERIOR_SDN, &newsuperiorsdn); slapi_pblock_get(pb, SLAPI_MODRDN_DELOLDRDN, &deloldrdn); slapi_pblock_get(pb, SLAPI_IS_REPLICATED_OPERATION, &repl_op); slapi_pblock_get (pb, SLAPI_OPERATION, &operation); slapi_pblock_get(pb, SLAPI_MODRDN_TARGET_SDN, &origsdn); internal_op= operation_is_flag_set(operation, OP_FLAG_INTERNAL); /* * If ownership has not been passed to this function, we replace the * string input fields within the pblock with strdup'd copies. Why? * Because some pre- and post-op plugins may change them, and the * convention is that plugins should place a malloc'd string in the * pblock. Therefore, we need to be able to retrieve and free them * later. But the callers of the internal modrdn calls are promised * that we will not free these parameters... so if passin_args is * zero, we need to make copies. * * In the case of SLAPI_MODRDN_TARGET_SDN and SLAPI_MODRDN_NEWSUPERIOR_SDN, * we replace the existing values with normalized values (because plugins * expect these DNs to be normalized). */ if (NULL == origsdn) { sdn = slapi_sdn_new_dn_byval(dn); slapi_pblock_set(pb, SLAPI_MODRDN_TARGET_SDN, sdn); } if (passin_args) { if (NULL == sdn) { /* origsdn is not NULL, so use it. */ sdn = origsdn; } } else { if (NULL == sdn) { sdn = slapi_sdn_dup(origsdn); } newrdn = slapi_ch_strdup(newrdn); newsuperiorsdn = slapi_sdn_dup(newsuperiorsdn); slapi_pblock_set(pb, SLAPI_MODRDN_TARGET_SDN, sdn); slapi_pblock_set(pb, SLAPI_MODRDN_NEWRDN, (void *)newrdn); slapi_pblock_set(pb, SLAPI_MODRDN_NEWSUPERIOR_SDN, newsuperiorsdn); } /* normdn = slapi_sdn_get_dn(sdn); */ newsuperior = slapi_sdn_get_dn(newsuperiorsdn); /* get the proxy auth dn if the proxy auth control is present */ proxy_err = proxyauth_get_dn(pb, &proxydn, &errtext); /* * first, log the operation to the access log, * then check rdn and newsuperior, * and - if applicable - log reason of any error to the errors log */ if (operation_is_flag_set(operation,OP_FLAG_ACTION_LOG_ACCESS)) { if (proxydn) { proxystr = slapi_ch_smprintf(" authzid=\"%s\"", proxydn); } if ( !internal_op ) { slapi_log_access(LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " op=%d MODRDN dn=\"%s\" newrdn=\"%s\" newsuperior=\"%s\"%s\n", pb->pb_conn->c_connid, pb->pb_op->o_opid, dn, newrdn ? newrdn : "(null)", newsuperior ? newsuperior : "(null)", proxystr ? proxystr : ""); } else { slapi_log_access(LDAP_DEBUG_ARGS, "conn=%s op=%d MODRDN dn=\"%s\" newrdn=\"%s\" newsuperior=\"%s\"%s\n", LOG_INTERNAL_OP_CON_ID, LOG_INTERNAL_OP_OP_ID, dn, newrdn ? newrdn : "(null)", newsuperior ? newsuperior : "(null)", proxystr ? proxystr : ""); } } /* If we encountered an error parsing the proxy control, return an error * to the client. We do this here to ensure that we log the operation first. */ if (proxy_err != LDAP_SUCCESS) { send_ldap_result(pb, proxy_err, NULL, errtext, 0, NULL); goto free_and_return_nolock; } /* check that the rdn is formatted correctly */ if ((rdns = slapi_ldap_explode_rdn(newrdn, 0)) == NULL) { if ( !internal_op ) { slapi_log_error(SLAPI_LOG_ARGS, NULL, "conn=%" NSPRIu64 " op=%d MODRDN invalid new RDN (\"%s\")\n", pb->pb_conn->c_connid, pb->pb_op->o_opid, (NULL == newrdn) ? "(null)" : newrdn); } else { slapi_log_error(SLAPI_LOG_ARGS, NULL, "conn=%s op=%d MODRDN invalid new RDN (\"%s\")\n", LOG_INTERNAL_OP_CON_ID, LOG_INTERNAL_OP_OP_ID, (NULL == newrdn) ? "(null)" : newrdn); } send_ldap_result(pb, LDAP_INVALID_DN_SYNTAX, NULL, "invalid RDN", 0, NULL); goto free_and_return_nolock; } else { slapi_ldap_value_free(rdns); } /* check if created attributes are used in the new RDN */ /* check_rdn_for_created_attrs ignores the cases */ if (check_rdn_for_created_attrs((const char *)newrdn)) { send_ldap_result(pb, LDAP_INVALID_DN_SYNTAX, NULL, "invalid attribute in RDN", 0, NULL); goto free_and_return_nolock; } /* check that the dn is formatted correctly */ err = slapi_dn_syntax_check(pb, newsuperior, 1); if (err) { LDAPDebug0Args(LDAP_DEBUG_ARGS, "Syntax check of newSuperior failed\n"); if (!internal_op) { slapi_log_error(SLAPI_LOG_ARGS, NULL, "conn=%" NSPRIu64 " op=%d MODRDN invalid new superior (\"%s\")", pb->pb_conn->c_connid, pb->pb_op->o_opid, newsuperior ? newsuperior : "(null)"); } else { slapi_log_error(SLAPI_LOG_ARGS, NULL, "conn=%s op=%d MODRDN invalid new superior (\"%s\")", LOG_INTERNAL_OP_CON_ID, LOG_INTERNAL_OP_OP_ID, newsuperior ? newsuperior : "(null)"); } send_ldap_result(pb, LDAP_INVALID_DN_SYNTAX, NULL, "newSuperior does not look like a DN", 0, NULL); goto free_and_return_nolock; } if (newsuperior != NULL) { LDAPDebug(LDAP_DEBUG_ARGS, "do_moddn: newsuperior (%s)\n", newsuperior, 0, 0); } /* target spec is used to decide which plugins are applicable for the operation */ operation_set_target_spec (pb->pb_op, sdn); /* * Construct the new DN (code sdn from backend * and modified to handle newsuperior) */ newdn = slapi_moddn_get_newdn(sdn, newrdn, newsuperior); /* * We could be serving multiple database backends. Select the * appropriate one, or send a referral to our "referral server" * if we don't hold it. */ /* slapi_mapping_tree_select_and_check ignores the case of newdn * which is generated using newrdn above. */ if ((err = slapi_mapping_tree_select_and_check(pb, newdn, &be, &referral, errorbuf)) != LDAP_SUCCESS) { send_ldap_result(pb, err, NULL, errorbuf, 0, NULL); goto free_and_return_nolock; } if (referral) { int managedsait; slapi_pblock_get(pb, SLAPI_MANAGEDSAIT, &managedsait); if (managedsait) { send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL, "cannot update referral", 0, NULL); slapi_entry_free(referral); goto free_and_return; } send_referrals_from_entry(pb,referral); slapi_entry_free(referral); goto free_and_return; } slapi_pblock_set(pb, SLAPI_BACKEND, be); /* can get lastmod only after backend is selected */ slapi_pblock_get(pb, SLAPI_BE_LASTMOD, &lastmod); /* if it is a replicated operation - leave lastmod attributes alone */ slapi_mods_init (&smods, 2); if (!repl_op && lastmod) { modify_update_last_modified_attr(pb, &smods); slapi_pblock_set(pb, SLAPI_MODIFY_MODS, (void*)slapi_mods_get_ldapmods_passout(&smods)); } else { slapi_mods_done (&smods); } /* * call the pre-modrdn plugins. if they succeed, call * the backend modrdn function. then call the * post-modrdn plugins. */ if (plugin_call_plugins(pb, internal_op ? SLAPI_PLUGIN_INTERNAL_PRE_MODRDN_FN : SLAPI_PLUGIN_PRE_MODRDN_FN) == 0) { int rc= LDAP_OPERATIONS_ERROR; slapi_pblock_set(pb, SLAPI_PLUGIN, be->be_database); set_db_default_result_handlers(pb); if (be->be_modrdn != NULL) { if ((rc = (*be->be_modrdn)(pb)) == 0) { Slapi_Entry *pse; Slapi_Entry *ecopy; /* we don't perform acl check for internal operations */ /* dont update aci store for remote acis */ if ((!internal_op) && (!slapi_be_is_flag_set(be,SLAPI_BE_FLAG_REMOTE_DATA))) plugin_call_acl_mods_update (pb, SLAPI_OPERATION_MODRDN); if (operation_is_flag_set(operation,OP_FLAG_ACTION_LOG_AUDIT)) write_audit_log_entry(pb); /* Record the operation in the audit log */ slapi_pblock_get(pb, SLAPI_ENTRY_POST_OP, &pse); slapi_pblock_get(pb, SLAPI_ENTRY_PRE_OP, &ecopy); /* GGOODREPL persistent search system needs the changenumber, oops. */ do_ps_service(pse, ecopy, LDAP_CHANGETYPE_MODDN, 0); } } else { send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL, "Function not implemented", 0, NULL); } slapi_pblock_set(pb, SLAPI_PLUGIN_OPRETURN, &rc); plugin_call_plugins(pb, internal_op ? SLAPI_PLUGIN_INTERNAL_POST_MODRDN_FN : SLAPI_PLUGIN_POST_MODRDN_FN); } free_and_return: if (be) slapi_be_Unlock(be); free_and_return_nolock: { /* Free up everything left in the PBlock */ Slapi_Entry *pse; Slapi_Entry *ecopy; LDAPMod **mods; char *s; if (passin_args) { if (NULL == origsdn) { slapi_sdn_free(&sdn); } } else { slapi_pblock_get(pb, SLAPI_MODRDN_TARGET_SDN, &sdn); slapi_sdn_free(&sdn); /* get newrdn to free the string */ slapi_pblock_get(pb, SLAPI_MODRDN_NEWRDN, &newrdn); slapi_ch_free_string(&newrdn); slapi_pblock_get(pb, SLAPI_MODRDN_NEWSUPERIOR_SDN, &newsuperiorsdn); slapi_sdn_free(&newsuperiorsdn); } slapi_ch_free_string(&newdn); slapi_pblock_get(pb, SLAPI_ENTRY_PRE_OP, &ecopy); slapi_entry_free(ecopy); slapi_pblock_get(pb, SLAPI_ENTRY_POST_OP, &pse); slapi_entry_free(pse); slapi_pblock_get( pb, SLAPI_MODIFY_MODS, &mods ); ldap_mods_free( mods, 1 ); slapi_ch_free_string(&proxydn); slapi_ch_free_string(&proxystr); slapi_pblock_get(pb, SLAPI_URP_NAMING_COLLISION_DN, &s); slapi_ch_free((void **)&s); } }
int ndb_back_modrdn( Operation *op, SlapReply *rs ) { struct ndb_info *ni = (struct ndb_info *) op->o_bd->be_private; AttributeDescription *children = slap_schema.si_ad_children; AttributeDescription *entry = slap_schema.si_ad_entry; struct berval new_dn = BER_BVNULL, new_ndn = BER_BVNULL; Entry e = {0}; Entry e2 = {0}; char textbuf[SLAP_TEXT_BUFLEN]; size_t textlen = sizeof textbuf; struct berval *np_dn = NULL; /* newSuperior dn */ struct berval *np_ndn = NULL; /* newSuperior ndn */ int manageDSAit = get_manageDSAit( op ); int num_retries = 0; NdbArgs NA, NA2; NdbRdns rdns, rdn2; struct berval matched; LDAPControl **preread_ctrl = NULL; LDAPControl **postread_ctrl = NULL; LDAPControl *ctrls[SLAP_MAX_RESPONSE_CONTROLS]; int num_ctrls = 0; int rc; Debug( LDAP_DEBUG_ARGS, "==>" LDAP_XSTRING(ndb_back_modrdn) "(%s,%s,%s)\n", op->o_req_dn.bv_val,op->oq_modrdn.rs_newrdn.bv_val, op->oq_modrdn.rs_newSup ? op->oq_modrdn.rs_newSup->bv_val : "NULL" ); ctrls[num_ctrls] = NULL; slap_mods_opattrs( op, &op->orr_modlist, 1 ); e.e_name = op->o_req_dn; e.e_nname = op->o_req_ndn; /* Get our NDB handle */ rs->sr_err = ndb_thread_handle( op, &NA.ndb ); rdns.nr_num = 0; NA.rdns = &rdns; NA.e = &e; NA2.ndb = NA.ndb; NA2.e = &e2; NA2.rdns = &rdn2; if( 0 ) { retry: /* transaction retry */ NA.txn->close(); NA.txn = NULL; if ( e.e_attrs ) { attrs_free( e.e_attrs ); e.e_attrs = NULL; } Debug( LDAP_DEBUG_TRACE, "==>" LDAP_XSTRING(ndb_back_modrdn) ": retrying...\n", 0, 0, 0 ); if ( op->o_abandon ) { rs->sr_err = SLAPD_ABANDON; goto return_results; } if ( NA2.ocs ) { ber_bvarray_free_x( NA2.ocs, op->o_tmpmemctx ); } if ( NA.ocs ) { ber_bvarray_free_x( NA.ocs, op->o_tmpmemctx ); } ndb_trans_backoff( ++num_retries ); } NA.ocs = NULL; NA2.ocs = NULL; /* begin transaction */ NA.txn = NA.ndb->startTransaction(); rs->sr_text = NULL; if( !NA.txn ) { Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(ndb_back_modrdn) ": startTransaction failed: %s (%d)\n", NA.ndb->getNdbError().message, NA.ndb->getNdbError().code, 0 ); rs->sr_err = LDAP_OTHER; rs->sr_text = "internal error"; goto return_results; } NA2.txn = NA.txn; /* get entry */ rs->sr_err = ndb_entry_get_info( op, &NA, 1, &matched ); switch( rs->sr_err ) { case 0: break; case LDAP_NO_SUCH_OBJECT: Debug( LDAP_DEBUG_ARGS, "<=- ndb_back_modrdn: no such object %s\n", op->o_req_dn.bv_val, 0, 0 ); rs->sr_matched = matched.bv_val; if ( NA.ocs ) ndb_check_referral( op, rs, &NA ); goto return_results; #if 0 case DB_LOCK_DEADLOCK: case DB_LOCK_NOTGRANTED: goto retry; #endif case LDAP_BUSY: rs->sr_text = "ldap server busy"; goto return_results; default: rs->sr_err = LDAP_OTHER; rs->sr_text = "internal error"; goto return_results; } /* acquire and lock entry */ rs->sr_err = ndb_entry_get_data( op, &NA, 1 ); if ( rs->sr_err ) goto return_results; if ( !manageDSAit && is_entry_glue( &e )) { rs->sr_err = LDAP_NO_SUCH_OBJECT; goto return_results; } if ( get_assert( op ) && ( test_filter( op, &e, (Filter *)get_assertion( op )) != LDAP_COMPARE_TRUE )) { rs->sr_err = LDAP_ASSERTION_FAILED; goto return_results; } /* check write on old entry */ rs->sr_err = access_allowed( op, &e, entry, NULL, ACL_WRITE, NULL ); if ( ! rs->sr_err ) { Debug( LDAP_DEBUG_TRACE, "no access to entry\n", 0, 0, 0 ); rs->sr_text = "no write access to old entry"; rs->sr_err = LDAP_INSUFFICIENT_ACCESS; goto return_results; } /* Can't do it if we have kids */ rs->sr_err = ndb_has_children( &NA, &rc ); if ( rs->sr_err ) { Debug(LDAP_DEBUG_ARGS, "<=- " LDAP_XSTRING(ndb_back_modrdn) ": has_children failed: %s (%d)\n", NA.txn->getNdbError().message, NA.txn->getNdbError().code, 0 ); rs->sr_err = LDAP_OTHER; rs->sr_text = "internal error"; goto return_results; } if ( rc == LDAP_COMPARE_TRUE ) { Debug(LDAP_DEBUG_ARGS, "<=- " LDAP_XSTRING(ndb_back_modrdn) ": non-leaf %s\n", op->o_req_dn.bv_val, 0, 0); rs->sr_err = LDAP_NOT_ALLOWED_ON_NONLEAF; rs->sr_text = "subtree rename not supported"; goto return_results; } if (!manageDSAit && is_entry_referral( &e ) ) { /* entry is a referral, don't allow modrdn */ rs->sr_ref = get_entry_referrals( op, &e ); Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(ndb_back_modrdn) ": entry %s is referral\n", e.e_dn, 0, 0 ); rs->sr_err = LDAP_REFERRAL, rs->sr_matched = op->o_req_dn.bv_val; rs->sr_flags = REP_REF_MUSTBEFREED; goto return_results; } if ( be_issuffix( op->o_bd, &e.e_nname ) ) { /* There can only be one suffix entry */ rs->sr_err = LDAP_NAMING_VIOLATION; rs->sr_text = "cannot rename suffix entry"; goto return_results; } else { dnParent( &e.e_nname, &e2.e_nname ); dnParent( &e.e_name, &e2.e_name ); } /* check parent for "children" acl */ rs->sr_err = access_allowed( op, &e2, children, NULL, op->oq_modrdn.rs_newSup == NULL ? ACL_WRITE : ACL_WDEL, NULL ); if ( ! rs->sr_err ) { rs->sr_err = LDAP_INSUFFICIENT_ACCESS; Debug( LDAP_DEBUG_TRACE, "no access to parent\n", 0, 0, 0 ); rs->sr_text = "no write access to old parent's children"; goto return_results; } Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(ndb_back_modrdn) ": wr to children " "of entry %s OK\n", e2.e_name.bv_val, 0, 0 ); if ( op->oq_modrdn.rs_newSup != NULL ) { Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(ndb_back_modrdn) ": new parent \"%s\" requested...\n", op->oq_modrdn.rs_newSup->bv_val, 0, 0 ); /* newSuperior == oldParent? */ if( dn_match( &e2.e_nname, op->oq_modrdn.rs_nnewSup ) ) { Debug( LDAP_DEBUG_TRACE, "bdb_back_modrdn: " "new parent \"%s\" same as the old parent \"%s\"\n", op->oq_modrdn.rs_newSup->bv_val, e2.e_name.bv_val, 0 ); op->oq_modrdn.rs_newSup = NULL; /* ignore newSuperior */ } } if ( op->oq_modrdn.rs_newSup != NULL ) { if ( op->oq_modrdn.rs_newSup->bv_len ) { rdn2.nr_num = 0; np_dn = op->oq_modrdn.rs_newSup; np_ndn = op->oq_modrdn.rs_nnewSup; /* newSuperior == oldParent? - checked above */ /* newSuperior == entry being moved?, if so ==> ERROR */ if ( dnIsSuffix( np_ndn, &e.e_nname )) { rs->sr_err = LDAP_NO_SUCH_OBJECT; rs->sr_text = "new superior not found"; goto return_results; } /* Get Entry with dn=newSuperior. Does newSuperior exist? */ e2.e_name = *np_dn; e2.e_nname = *np_ndn; rs->sr_err = ndb_entry_get_info( op, &NA2, 1, NULL ); switch( rs->sr_err ) { case 0: break; case LDAP_NO_SUCH_OBJECT: Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(ndb_back_modrdn) ": newSup(ndn=%s) not here!\n", np_ndn->bv_val, 0, 0); rs->sr_text = "new superior not found"; goto return_results; #if 0 case DB_LOCK_DEADLOCK: case DB_LOCK_NOTGRANTED: goto retry; #endif case LDAP_BUSY: rs->sr_text = "ldap server busy"; goto return_results; default: rs->sr_err = LDAP_OTHER; rs->sr_text = "internal error"; goto return_results; } if ( NA2.ocs ) { Attribute a; int i; for ( i=0; !BER_BVISNULL( &NA2.ocs[i] ); i++); a.a_numvals = i; a.a_desc = slap_schema.si_ad_objectClass; a.a_vals = NA2.ocs; a.a_nvals = NA2.ocs; a.a_next = NULL; e2.e_attrs = &a; if ( is_entry_alias( &e2 )) { /* parent is an alias, don't allow move */ Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(ndb_back_modrdn) ": entry is alias\n", 0, 0, 0 ); rs->sr_text = "new superior is an alias"; rs->sr_err = LDAP_ALIAS_PROBLEM; goto return_results; } if ( is_entry_referral( &e2 ) ) { /* parent is a referral, don't allow move */ Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(ndb_back_modrdn) ": entry is referral\n", 0, 0, 0 ); rs->sr_text = "new superior is a referral"; rs->sr_err = LDAP_OTHER; goto return_results; } } } /* check newSuperior for "children" acl */ rs->sr_err = access_allowed( op, &e2, children, NULL, ACL_WADD, NULL ); if( ! rs->sr_err ) { Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(ndb_back_modrdn) ": no wr to newSup children\n", 0, 0, 0 ); rs->sr_text = "no write access to new superior's children"; rs->sr_err = LDAP_INSUFFICIENT_ACCESS; goto return_results; } Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(ndb_back_modrdn) ": wr to new parent OK id=%ld\n", (long) e2.e_id, 0, 0 ); } /* Build target dn and make sure target entry doesn't exist already. */ if (!new_dn.bv_val) { build_new_dn( &new_dn, &e2.e_name, &op->oq_modrdn.rs_newrdn, NULL ); } if (!new_ndn.bv_val) { build_new_dn( &new_ndn, &e2.e_nname, &op->oq_modrdn.rs_nnewrdn, NULL ); } Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(ndb_back_modrdn) ": new ndn=%s\n", new_ndn.bv_val, 0, 0 ); /* Allow rename to same DN */ if ( !bvmatch ( &new_ndn, &e.e_nname )) { rdn2.nr_num = 0; e2.e_name = new_dn; e2.e_nname = new_ndn; NA2.ocs = &matched; rs->sr_err = ndb_entry_get_info( op, &NA2, 1, NULL ); NA2.ocs = NULL; switch( rs->sr_err ) { #if 0 case DB_LOCK_DEADLOCK: case DB_LOCK_NOTGRANTED: goto retry; #endif case LDAP_NO_SUCH_OBJECT: break; case 0: rs->sr_err = LDAP_ALREADY_EXISTS; goto return_results; default: rs->sr_err = LDAP_OTHER; rs->sr_text = "internal error"; goto return_results; } } assert( op->orr_modlist != NULL ); if( op->o_preread ) { if( preread_ctrl == NULL ) { preread_ctrl = &ctrls[num_ctrls++]; ctrls[num_ctrls] = NULL; } if( slap_read_controls( op, rs, &e, &slap_pre_read_bv, preread_ctrl ) ) { Debug( LDAP_DEBUG_TRACE, "<=- " LDAP_XSTRING(ndb_back_modrdn) ": pre-read failed!\n", 0, 0, 0 ); if ( op->o_preread & SLAP_CONTROL_CRITICAL ) { /* FIXME: is it correct to abort * operation if control fails? */ goto return_results; } } } /* delete old DN */ rs->sr_err = ndb_entry_del_info( op->o_bd, &NA ); if ( rs->sr_err != 0 ) { Debug(LDAP_DEBUG_TRACE, "<=- " LDAP_XSTRING(ndb_back_modrdn) ": dn2id del failed: %s (%d)\n", NA.txn->getNdbError().message, NA.txn->getNdbError().code, 0 ); #if 0 switch( rs->sr_err ) { case DB_LOCK_DEADLOCK: case DB_LOCK_NOTGRANTED: goto retry; } #endif rs->sr_err = LDAP_OTHER; rs->sr_text = "DN index delete fail"; goto return_results; } /* copy entry fields */ e2.e_attrs = e.e_attrs; e2.e_id = e.e_id; /* add new DN */ rs->sr_err = ndb_entry_put_info( op->o_bd, &NA2, 0 ); if ( rs->sr_err != 0 ) { Debug(LDAP_DEBUG_TRACE, "<=- " LDAP_XSTRING(ndb_back_modrdn) ": dn2id add failed: %s (%d)\n", NA.txn->getNdbError().message, NA.txn->getNdbError().code, 0 ); #if 0 switch( rs->sr_err ) { case DB_LOCK_DEADLOCK: case DB_LOCK_NOTGRANTED: goto retry; } #endif rs->sr_err = LDAP_OTHER; rs->sr_text = "DN index add failed"; goto return_results; } /* modify entry */ rs->sr_err = ndb_modify_internal( op, &NA2, &rs->sr_text, textbuf, textlen ); if( rs->sr_err != LDAP_SUCCESS ) { Debug(LDAP_DEBUG_TRACE, "<=- " LDAP_XSTRING(ndb_back_modrdn) ": modify failed: %s (%d)\n", NA.txn->getNdbError().message, NA.txn->getNdbError().code, 0 ); #if 0 switch( rs->sr_err ) { case DB_LOCK_DEADLOCK: case DB_LOCK_NOTGRANTED: goto retry; } #endif goto return_results; } e.e_attrs = e2.e_attrs; if( op->o_postread ) { if( postread_ctrl == NULL ) { postread_ctrl = &ctrls[num_ctrls++]; ctrls[num_ctrls] = NULL; } if( slap_read_controls( op, rs, &e2, &slap_post_read_bv, postread_ctrl ) ) { Debug( LDAP_DEBUG_TRACE, "<=- " LDAP_XSTRING(ndb_back_modrdn) ": post-read failed!\n", 0, 0, 0 ); if ( op->o_postread & SLAP_CONTROL_CRITICAL ) { /* FIXME: is it correct to abort * operation if control fails? */ goto return_results; } } } if( op->o_noop ) { if (( rs->sr_err=NA.txn->execute( NdbTransaction::Rollback, NdbOperation::AbortOnError, 1 )) != 0 ) { rs->sr_text = "txn_abort (no-op) failed"; } else { rs->sr_err = LDAP_X_NO_OPERATION; } } else { if (( rs->sr_err=NA.txn->execute( NdbTransaction::Commit, NdbOperation::AbortOnError, 1 )) != 0 ) { rs->sr_text = "txn_commit failed"; } else { rs->sr_err = LDAP_SUCCESS; } } if( rs->sr_err != LDAP_SUCCESS && rs->sr_err != LDAP_X_NO_OPERATION ) { Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(ndb_back_modrdn) ": txn_%s failed: %s (%d)\n", op->o_noop ? "abort (no-op)" : "commit", NA.txn->getNdbError().message, NA.txn->getNdbError().code ); rs->sr_err = LDAP_OTHER; goto return_results; } NA.txn->close(); NA.txn = NULL; Debug(LDAP_DEBUG_TRACE, LDAP_XSTRING(ndb_back_modrdn) ": rdn modified%s id=%08lx dn=\"%s\"\n", op->o_noop ? " (no-op)" : "", e.e_id, op->o_req_dn.bv_val ); rs->sr_err = LDAP_SUCCESS; rs->sr_text = NULL; if( num_ctrls ) rs->sr_ctrls = ctrls; return_results: if ( NA2.ocs ) { ber_bvarray_free_x( NA2.ocs, op->o_tmpmemctx ); NA2.ocs = NULL; } if ( NA.ocs ) { ber_bvarray_free_x( NA.ocs, op->o_tmpmemctx ); NA.ocs = NULL; } if ( e.e_attrs ) { attrs_free( e.e_attrs ); e.e_attrs = NULL; } if( NA.txn != NULL ) { NA.txn->execute( Rollback ); NA.txn->close(); } send_ldap_result( op, rs ); slap_graduate_commit_csn( op ); if( new_dn.bv_val != NULL ) free( new_dn.bv_val ); if( new_ndn.bv_val != NULL ) free( new_ndn.bv_val ); if( preread_ctrl != NULL && (*preread_ctrl) != NULL ) { slap_sl_free( (*preread_ctrl)->ldctl_value.bv_val, op->o_tmpmemctx ); slap_sl_free( *preread_ctrl, op->o_tmpmemctx ); } if( postread_ctrl != NULL && (*postread_ctrl) != NULL ) { slap_sl_free( (*postread_ctrl)->ldctl_value.bv_val, op->o_tmpmemctx ); slap_sl_free( *postread_ctrl, op->o_tmpmemctx ); } rs->sr_text = NULL; return rs->sr_err; }
int meta_back_compare( Operation *op, SlapReply *rs ) { metainfo_t *mi = ( metainfo_t * )op->o_bd->be_private; metatarget_t *mt; metaconn_t *mc; int rc = 0; int candidate = -1; struct berval mdn = BER_BVNULL; dncookie dc; struct berval mapped_attr = op->orc_ava->aa_desc->ad_cname; struct berval mapped_value = op->orc_ava->aa_value; int msgid; ldap_back_send_t retrying = LDAP_BACK_RETRYING; LDAPControl **ctrls = NULL; mc = meta_back_getconn( op, rs, &candidate, LDAP_BACK_SENDERR ); if ( !mc || !meta_back_dobind( op, rs, mc, LDAP_BACK_SENDERR ) ) { return rs->sr_err; } assert( mc->mc_conns[ candidate ].msc_ld != NULL ); /* * Rewrite the modify dn, if needed */ mt = mi->mi_targets[ candidate ]; dc.target = mt; dc.conn = op->o_conn; dc.rs = rs; dc.ctx = "compareDN"; switch ( ldap_back_dn_massage( &dc, &op->o_req_dn, &mdn ) ) { case LDAP_UNWILLING_TO_PERFORM: rc = 1; goto cleanup; default: break; } /* * if attr is objectClass, try to remap the value */ if ( op->orc_ava->aa_desc == slap_schema.si_ad_objectClass ) { ldap_back_map( &mt->mt_rwmap.rwm_oc, &op->orc_ava->aa_value, &mapped_value, BACKLDAP_MAP ); if ( BER_BVISNULL( &mapped_value ) || BER_BVISEMPTY( &mapped_value ) ) { goto cleanup; } /* * else try to remap the attribute */ } else { ldap_back_map( &mt->mt_rwmap.rwm_at, &op->orc_ava->aa_desc->ad_cname, &mapped_attr, BACKLDAP_MAP ); if ( BER_BVISNULL( &mapped_attr ) || BER_BVISEMPTY( &mapped_attr ) ) { goto cleanup; } if ( op->orc_ava->aa_desc->ad_type->sat_syntax == slap_schema.si_syn_distinguishedName ) { dc.ctx = "compareAttrDN"; switch ( ldap_back_dn_massage( &dc, &op->orc_ava->aa_value, &mapped_value ) ) { case LDAP_UNWILLING_TO_PERFORM: rc = 1; goto cleanup; default: break; } } } retry:; ctrls = op->o_ctrls; rc = meta_back_controls_add( op, rs, mc, candidate, &ctrls ); if ( rc != LDAP_SUCCESS ) { send_ldap_result( op, rs ); goto cleanup; } rs->sr_err = ldap_compare_ext( mc->mc_conns[ candidate ].msc_ld, mdn.bv_val, mapped_attr.bv_val, &mapped_value, ctrls, NULL, &msgid ); rs->sr_err = meta_back_op_result( mc, op, rs, candidate, msgid, mt->mt_timeout[ SLAP_OP_COMPARE ], ( LDAP_BACK_SENDRESULT | retrying ) ); if ( rs->sr_err == LDAP_UNAVAILABLE && retrying ) { retrying &= ~LDAP_BACK_RETRYING; if ( meta_back_retry( op, rs, &mc, candidate, LDAP_BACK_SENDERR ) ) { /* if the identity changed, there might be need to re-authz */ (void)mi->mi_ldap_extra->controls_free( op, rs, &ctrls ); goto retry; } } cleanup:; (void)mi->mi_ldap_extra->controls_free( op, rs, &ctrls ); if ( mdn.bv_val != op->o_req_dn.bv_val ) { free( mdn.bv_val ); } if ( op->orc_ava->aa_value.bv_val != mapped_value.bv_val ) { free( mapped_value.bv_val ); } if ( mc ) { meta_back_release_conn( mi, mc ); } return rs->sr_err; }
int monitor_back_search( Operation *op, SlapReply *rs ) { monitor_info_t *mi = ( monitor_info_t * )op->o_bd->be_private; int rc = LDAP_SUCCESS; Entry *e = NULL, *matched = NULL; slap_mask_t mask; Debug( LDAP_DEBUG_TRACE, "=> monitor_back_search\n", 0, 0, 0 ); /* get entry with reader lock */ monitor_cache_dn2entry( op, rs, &op->o_req_ndn, &e, &matched ); if ( e == NULL ) { rs->sr_err = LDAP_NO_SUCH_OBJECT; if ( matched ) { if ( !access_allowed_mask( op, matched, slap_schema.si_ad_entry, NULL, ACL_DISCLOSE, NULL, NULL ) ) { /* do nothing */ ; } else { rs->sr_matched = matched->e_dn; } } send_ldap_result( op, rs ); if ( matched ) { monitor_cache_release( mi, matched ); rs->sr_matched = NULL; } return rs->sr_err; } /* NOTE: __NEW__ "search" access is required * on searchBase object */ if ( !access_allowed_mask( op, e, slap_schema.si_ad_entry, NULL, ACL_SEARCH, NULL, &mask ) ) { monitor_cache_release( mi, e ); if ( !ACL_GRANT( mask, ACL_DISCLOSE ) ) { rs->sr_err = LDAP_NO_SUCH_OBJECT; } else { rs->sr_err = LDAP_INSUFFICIENT_ACCESS; } send_ldap_result( op, rs ); return rs->sr_err; } rs->sr_attrs = op->oq_search.rs_attrs; switch ( op->oq_search.rs_scope ) { case LDAP_SCOPE_BASE: monitor_entry_update( op, rs, e ); rc = test_filter( op, e, op->oq_search.rs_filter ); if ( rc == LDAP_COMPARE_TRUE ) { rs->sr_entry = e; rs->sr_flags = 0; send_search_entry( op, rs ); rs->sr_entry = NULL; } rc = LDAP_SUCCESS; monitor_cache_release( mi, e ); break; case LDAP_SCOPE_ONELEVEL: case LDAP_SCOPE_SUBORDINATE: rc = monitor_send_children( op, rs, e, op->oq_search.rs_scope == LDAP_SCOPE_SUBORDINATE ); break; case LDAP_SCOPE_SUBTREE: monitor_entry_update( op, rs, e ); rc = test_filter( op, e, op->oq_search.rs_filter ); if ( rc == LDAP_COMPARE_TRUE ) { rs->sr_entry = e; rs->sr_flags = 0; send_search_entry( op, rs ); rs->sr_entry = NULL; } rc = monitor_send_children( op, rs, e, 1 ); break; default: rc = LDAP_UNWILLING_TO_PERFORM; monitor_cache_release( mi, e ); } rs->sr_attrs = NULL; rs->sr_err = rc; if ( rs->sr_err != SLAPD_ABANDON ) { send_ldap_result( op, rs ); } return rs->sr_err; }
extern "C" int ndb_back_bind( Operation *op, SlapReply *rs ) { struct ndb_info *ni = (struct ndb_info *) op->o_bd->be_private; Entry e = {0}; Attribute *a; AttributeDescription *password = slap_schema.si_ad_userPassword; NdbArgs NA; Debug( LDAP_DEBUG_ARGS, "==> " LDAP_XSTRING(ndb_back_bind) ": dn: %s\n", op->o_req_dn.bv_val, 0, 0); /* allow noauth binds */ switch ( be_rootdn_bind( op, NULL ) ) { case LDAP_SUCCESS: /* frontend will send result */ return rs->sr_err = LDAP_SUCCESS; default: /* give the database a chance */ break; } /* Get our NDB handle */ rs->sr_err = ndb_thread_handle( op, &NA.ndb ); e.e_name = op->o_req_dn; e.e_nname = op->o_req_ndn; NA.e = &e; dn2entry_retry: NA.txn = NA.ndb->startTransaction(); rs->sr_text = NULL; if( !NA.txn ) { Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(ndb_back_bind) ": startTransaction failed: %s (%d)\n", NA.ndb->getNdbError().message, NA.ndb->getNdbError().code, 0 ); rs->sr_err = LDAP_OTHER; rs->sr_text = "internal error"; goto done; } /* get entry */ { NdbRdns rdns; rdns.nr_num = 0; NA.rdns = &rdns; NA.ocs = NULL; rs->sr_err = ndb_entry_get_info( op, &NA, 0, NULL ); } switch(rs->sr_err) { case 0: break; case LDAP_NO_SUCH_OBJECT: rs->sr_err = LDAP_INVALID_CREDENTIALS; goto done; case LDAP_BUSY: rs->sr_text = "ldap_server_busy"; goto done; #if 0 case DB_LOCK_DEADLOCK: case DB_LOCK_NOTGRANTED: goto dn2entry_retry; #endif default: rs->sr_err = LDAP_OTHER; rs->sr_text = "internal error"; goto done; } rs->sr_err = ndb_entry_get_data( op, &NA, 0 ); ber_bvarray_free_x( NA.ocs, op->o_tmpmemctx ); ber_dupbv( &op->oq_bind.rb_edn, &e.e_name ); /* check for deleted */ if ( is_entry_subentry( &e ) ) { /* entry is an subentry, don't allow bind */ Debug( LDAP_DEBUG_TRACE, "entry is subentry\n", 0, 0, 0 ); rs->sr_err = LDAP_INVALID_CREDENTIALS; goto done; } if ( is_entry_alias( &e ) ) { /* entry is an alias, don't allow bind */ Debug( LDAP_DEBUG_TRACE, "entry is alias\n", 0, 0, 0 ); rs->sr_err = LDAP_INVALID_CREDENTIALS; goto done; } if ( is_entry_referral( &e ) ) { Debug( LDAP_DEBUG_TRACE, "entry is referral\n", 0, 0, 0 ); rs->sr_err = LDAP_INVALID_CREDENTIALS; goto done; } switch ( op->oq_bind.rb_method ) { case LDAP_AUTH_SIMPLE: a = attr_find( e.e_attrs, password ); if ( a == NULL ) { rs->sr_err = LDAP_INVALID_CREDENTIALS; goto done; } if ( slap_passwd_check( op, &e, a, &op->oq_bind.rb_cred, &rs->sr_text ) != 0 ) { /* failure; stop front end from sending result */ rs->sr_err = LDAP_INVALID_CREDENTIALS; goto done; } rs->sr_err = 0; break; default: assert( 0 ); /* should not be reachable */ rs->sr_err = LDAP_STRONG_AUTH_NOT_SUPPORTED; rs->sr_text = "authentication method not supported"; } done: NA.txn->close(); if ( e.e_attrs ) { attrs_free( e.e_attrs ); e.e_attrs = NULL; } if ( rs->sr_err ) { send_ldap_result( op, rs ); } /* front end will send result on success (rs->sr_err==0) */ return rs->sr_err; }
int ldap_back_add( Operation *op, SlapReply *rs ) { ldapinfo_t *li = (ldapinfo_t *)op->o_bd->be_private; ldapconn_t *lc = NULL; int i = 0, j = 0; Attribute *a; LDAPMod **attrs = NULL, *attrs2 = NULL; ber_int_t msgid; int isupdate; ldap_back_send_t retrying = LDAP_BACK_RETRYING; LDAPControl **ctrls = NULL; rs->sr_err = LDAP_SUCCESS; Debug( LDAP_DEBUG_ARGS, "==> ldap_back_add(\"%s\")\n", op->o_req_dn.bv_val, 0, 0 ); if ( !ldap_back_dobind( &lc, op, rs, LDAP_BACK_SENDERR ) ) { lc = NULL; goto cleanup; } /* Count number of attributes in entry */ for ( i = 1, a = op->oq_add.rs_e->e_attrs; a; i++, a = a->a_next ) /* just count attrs */ ; /* Create array of LDAPMods for ldap_add() */ attrs = (LDAPMod **)ch_malloc( sizeof( LDAPMod * )*i + sizeof( LDAPMod )*( i - 1 ) ); attrs2 = ( LDAPMod * )&attrs[ i ]; isupdate = be_shadow_update( op ); for ( i = 0, a = op->oq_add.rs_e->e_attrs; a; a = a->a_next ) { if ( !isupdate && !get_relax( op ) && a->a_desc->ad_type->sat_no_user_mod ) { continue; } attrs[ i ] = &attrs2[ i ]; attrs[ i ]->mod_op = LDAP_MOD_BVALUES; attrs[ i ]->mod_type = a->a_desc->ad_cname.bv_val; for ( j = 0; a->a_vals[ j ].bv_val; j++ ) /* just count vals */ ; attrs[i]->mod_vals.modv_bvals = ch_malloc( ( j + 1 )*sizeof( struct berval * ) ); for ( j = 0; a->a_vals[ j ].bv_val; j++ ) { attrs[ i ]->mod_vals.modv_bvals[ j ] = &a->a_vals[ j ]; } attrs[ i ]->mod_vals.modv_bvals[ j ] = NULL; i++; } attrs[ i ] = NULL; retry: ctrls = op->o_ctrls; rs->sr_err = ldap_back_controls_add( op, rs, lc, &ctrls ); if ( rs->sr_err != LDAP_SUCCESS ) { send_ldap_result( op, rs ); goto cleanup; } rs->sr_err = ldap_add_ext( lc->lc_ld, op->o_req_dn.bv_val, attrs, ctrls, NULL, &msgid ); rs->sr_err = ldap_back_op_result( lc, op, rs, msgid, li->li_timeout[ SLAP_OP_ADD ], ( LDAP_BACK_SENDRESULT | retrying ) ); if ( rs->sr_err == LDAP_UNAVAILABLE && retrying ) { retrying &= ~LDAP_BACK_RETRYING; if ( ldap_back_retry( &lc, op, rs, LDAP_BACK_SENDERR ) ) { /* if the identity changed, there might be need to re-authz */ (void)ldap_back_controls_free( op, rs, &ctrls ); goto retry; } } ldap_pvt_thread_mutex_lock( &li->li_counter_mutex ); ldap_pvt_mp_add( li->li_ops_completed[ SLAP_OP_ADD ], 1 ); ldap_pvt_thread_mutex_unlock( &li->li_counter_mutex ); cleanup: (void)ldap_back_controls_free( op, rs, &ctrls ); if ( attrs ) { for ( --i; i >= 0; --i ) { ch_free( attrs[ i ]->mod_vals.modv_bvals ); } ch_free( attrs ); } if ( lc ) { ldap_back_release_conn( li, lc ); } Debug( LDAP_DEBUG_ARGS, "<== ldap_back_add(\"%s\"): %d\n", op->o_req_dn.bv_val, rs->sr_err, 0 ); return rs->sr_err; }
static int translucent_search(Operation *op, SlapReply *rs) { slap_overinst *on = (slap_overinst *) op->o_bd->bd_info; translucent_info *ov = on->on_bi.bi_private; slap_callback cb = { NULL, NULL, NULL, NULL }; trans_ctx tc; Filter *fl, *fr; struct berval fbv; int rc = 0; if ( op->o_managedsait > SLAP_CONTROL_IGNORED ) return SLAP_CB_CONTINUE; Debug(LDAP_DEBUG_TRACE, "==> translucent_search: <%s> %s\n", op->o_req_dn.bv_val, op->ors_filterstr.bv_val, 0); if(ov->defer_db_open) { send_ldap_error(op, rs, LDAP_UNAVAILABLE, "remote DB not available"); return(rs->sr_err); } fr = ov->remote ? trans_filter_dup( op, op->ors_filter, ov->remote ) : NULL; fl = ov->local ? trans_filter_dup( op, op->ors_filter, ov->local ) : NULL; cb.sc_response = (slap_response *) translucent_search_cb; cb.sc_private = &tc; cb.sc_next = op->o_callback; ov->db.be_acl = op->o_bd->be_acl; tc.db = op->o_bd; tc.on = on; tc.orig = op->ors_filter; tc.list = NULL; tc.step = 0; tc.slimit = op->ors_slimit; tc.attrs = NULL; fbv = op->ors_filterstr; op->o_callback = &cb; if ( fr || !fl ) { tc.attrs = op->ors_attrs; op->ors_slimit = SLAP_NO_LIMIT; op->ors_attrs = slap_anlist_all_attributes; op->o_bd = &ov->db; tc.step |= RMT_SIDE; if ( fl ) { tc.step |= USE_LIST; op->ors_filter = fr; filter2bv_x( op, fr, &op->ors_filterstr ); } rc = ov->db.bd_info->bi_op_search(op, rs); if ( op->ors_attrs == slap_anlist_all_attributes ) op->ors_attrs = tc.attrs; op->o_bd = tc.db; if ( fl ) { op->o_tmpfree( op->ors_filterstr.bv_val, op->o_tmpmemctx ); } } if ( fl && !rc ) { tc.step |= LCL_SIDE; op->ors_filter = fl; filter2bv_x( op, fl, &op->ors_filterstr ); rc = overlay_op_walk( op, rs, op_search, on->on_info, on->on_next ); op->o_tmpfree( op->ors_filterstr.bv_val, op->o_tmpmemctx ); } op->ors_filterstr = fbv; op->ors_filter = tc.orig; op->o_callback = cb.sc_next; rs->sr_attrs = op->ors_attrs; rs->sr_attr_flags = slap_attr_flags( rs->sr_attrs ); /* Send out anything remaining on the list and finish */ if ( tc.step & USE_LIST ) { if ( tc.list ) { Avlnode *av; av = tavl_end( tc.list, TAVL_DIR_LEFT ); while ( av ) { rs->sr_entry = av->avl_data; if ( rc == LDAP_SUCCESS && LDAP_COMPARE_TRUE == test_filter( op, rs->sr_entry, op->ors_filter )) { rs->sr_flags = REP_ENTRY_MUSTBEFREED; rc = send_search_entry( op, rs ); } else { entry_free( rs->sr_entry ); } av = tavl_next( av, TAVL_DIR_RIGHT ); } tavl_free( tc.list, NULL ); rs->sr_flags = 0; rs->sr_entry = NULL; } send_ldap_result( op, rs ); } op->ors_slimit = tc.slimit; /* Free in reverse order */ if ( fl ) trans_filter_free( op, fl ); if ( fr ) trans_filter_free( op, fr ); return rc; }
int fe_op_search( Operation *op, SlapReply *rs ) { BackendDB *bd = op->o_bd; if ( op->ors_scope == LDAP_SCOPE_BASE ) { Entry *entry = NULL; if ( BER_BVISEMPTY( &op->o_req_ndn ) ) { #ifdef LDAP_CONNECTIONLESS /* Ignore LDAPv2 CLDAP Root DSE queries */ if (op->o_protocol == LDAP_VERSION2 && op->o_conn->c_is_udp) { goto return_results; } #endif /* check restrictions */ if( backend_check_restrictions( op, rs, NULL ) != LDAP_SUCCESS ) { send_ldap_result( op, rs ); goto return_results; } rs->sr_err = root_dse_info( op->o_conn, &entry, &rs->sr_text ); } else if ( bvmatch( &op->o_req_ndn, &frontendDB->be_schemandn ) ) { /* check restrictions */ if( backend_check_restrictions( op, rs, NULL ) != LDAP_SUCCESS ) { send_ldap_result( op, rs ); goto return_results; } rs->sr_err = schema_info( &entry, &rs->sr_text ); } if( rs->sr_err != LDAP_SUCCESS ) { send_ldap_result( op, rs ); goto return_results; } else if ( entry != NULL ) { if ( get_assert( op ) && ( test_filter( op, entry, get_assertion( op )) != LDAP_COMPARE_TRUE )) { rs->sr_err = LDAP_ASSERTION_FAILED; goto fail1; } rs->sr_err = test_filter( op, entry, op->ors_filter ); if( rs->sr_err == LDAP_COMPARE_TRUE ) { /* note: we set no limits because either * no limit is specified, or at least 1 * is specified, and we're going to return * at most one entry */ op->ors_slimit = SLAP_NO_LIMIT; op->ors_tlimit = SLAP_NO_LIMIT; rs->sr_entry = entry; rs->sr_attrs = op->ors_attrs; rs->sr_operational_attrs = NULL; rs->sr_flags = 0; send_search_entry( op, rs ); rs->sr_entry = NULL; rs->sr_operational_attrs = NULL; } rs->sr_err = LDAP_SUCCESS; fail1: entry_free( entry ); send_ldap_result( op, rs ); goto return_results; } } if( BER_BVISEMPTY( &op->o_req_ndn ) && !BER_BVISEMPTY( &default_search_nbase ) ) { slap_sl_free( op->o_req_dn.bv_val, op->o_tmpmemctx ); slap_sl_free( op->o_req_ndn.bv_val, op->o_tmpmemctx ); ber_dupbv_x( &op->o_req_dn, &default_search_base, op->o_tmpmemctx ); ber_dupbv_x( &op->o_req_ndn, &default_search_nbase, op->o_tmpmemctx ); } /* * We could be serving multiple database backends. Select the * appropriate one, or send a referral to our "referral server" * if we don't hold it. */ op->o_bd = select_backend( &op->o_req_ndn, 1 ); if ( op->o_bd == NULL ) { rs->sr_ref = referral_rewrite( default_referral, NULL, &op->o_req_dn, op->ors_scope ); if (!rs->sr_ref) rs->sr_ref = default_referral; rs->sr_err = LDAP_REFERRAL; op->o_bd = bd; send_ldap_result( op, rs ); if (rs->sr_ref != default_referral) ber_bvarray_free( rs->sr_ref ); rs->sr_ref = NULL; goto return_results; } /* check restrictions */ if( backend_check_restrictions( op, rs, NULL ) != LDAP_SUCCESS ) { send_ldap_result( op, rs ); goto return_results; } /* check for referrals */ if( backend_check_referrals( op, rs ) != LDAP_SUCCESS ) { goto return_results; } if ( SLAP_SHADOW(op->o_bd) && get_dontUseCopy(op) ) { /* don't use shadow copy */ BerVarray defref = op->o_bd->be_update_refs ? op->o_bd->be_update_refs : default_referral; if( defref != NULL ) { rs->sr_ref = referral_rewrite( defref, NULL, &op->o_req_dn, op->ors_scope ); if( !rs->sr_ref) rs->sr_ref = defref; rs->sr_err = LDAP_REFERRAL; send_ldap_result( op, rs ); if (rs->sr_ref != defref) ber_bvarray_free( rs->sr_ref ); } else { send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM, "copy not used; no referral information available" ); } } else if ( op->o_bd->be_search ) { if ( limits_check( op, rs ) == 0 ) { /* actually do the search and send the result(s) */ (op->o_bd->be_search)( op, rs ); } /* else limits_check() sends error */ } else { send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM, "operation not supported within namingContext" ); } return_results:; op->o_bd = bd; return rs->sr_err; }
static int be_plgfn_unwillingtoperform(Slapi_PBlock *pb) { send_ldap_result( pb, LDAP_UNWILLING_TO_PERFORM, NULL, "Operation on Directory Specific Entry not allowed", 0, NULL ); return -1; }
int do_search( Operation *op, /* info about the op to which we're responding */ SlapReply *rs /* all the response data we'll send */ ) { struct berval base = BER_BVNULL; ber_len_t siz, off, i; Debug( LDAP_DEBUG_TRACE, "%s do_search\n", op->o_log_prefix ); /* * Parse the search request. It looks like this: * * SearchRequest := [APPLICATION 3] SEQUENCE { * baseObject DistinguishedName, * scope ENUMERATED { * baseObject (0), * singleLevel (1), * wholeSubtree (2), * subordinate (3) -- OpenLDAP extension * }, * derefAliases ENUMERATED { * neverDerefaliases (0), * derefInSearching (1), * derefFindingBaseObj (2), * alwaysDerefAliases (3) * }, * sizelimit INTEGER (0 .. 65535), * timelimit INTEGER (0 .. 65535), * attrsOnly BOOLEAN, * filter Filter, * attributes SEQUENCE OF AttributeType * } */ /* baseObject, scope, derefAliases, sizelimit, timelimit, attrsOnly */ if ( ber_scanf( op->o_ber, "{miiiib" /*}*/, &base, &op->ors_scope, &op->ors_deref, &op->ors_slimit, &op->ors_tlimit, &op->ors_attrsonly ) == LBER_ERROR ) { send_ldap_discon( op, rs, LDAP_PROTOCOL_ERROR, "decoding error" ); rs->sr_err = SLAPD_DISCONNECT; goto return_results; } if ( op->ors_tlimit < 0 || op->ors_tlimit > SLAP_MAX_LIMIT ) { send_ldap_error( op, rs, LDAP_PROTOCOL_ERROR, "invalid time limit" ); goto return_results; } if ( op->ors_slimit < 0 || op->ors_slimit > SLAP_MAX_LIMIT ) { send_ldap_error( op, rs, LDAP_PROTOCOL_ERROR, "invalid size limit" ); goto return_results; } switch( op->ors_scope ) { case LDAP_SCOPE_BASE: case LDAP_SCOPE_ONELEVEL: case LDAP_SCOPE_SUBTREE: case LDAP_SCOPE_SUBORDINATE: break; default: send_ldap_error( op, rs, LDAP_PROTOCOL_ERROR, "invalid scope" ); goto return_results; } switch( op->ors_deref ) { case LDAP_DEREF_NEVER: case LDAP_DEREF_FINDING: case LDAP_DEREF_SEARCHING: case LDAP_DEREF_ALWAYS: break; default: send_ldap_error( op, rs, LDAP_PROTOCOL_ERROR, "invalid deref" ); goto return_results; } rs->sr_err = dnPrettyNormal( NULL, &base, &op->o_req_dn, &op->o_req_ndn, op->o_tmpmemctx ); if( rs->sr_err != LDAP_SUCCESS ) { Debug( LDAP_DEBUG_ANY, "%s do_search: invalid dn: \"%s\"\n", op->o_log_prefix, base.bv_val ); send_ldap_error( op, rs, LDAP_INVALID_DN_SYNTAX, "invalid DN" ); goto return_results; } Debug( LDAP_DEBUG_ARGS, "SRCH \"%s\" %d %d", base.bv_val, op->ors_scope, op->ors_deref ); Debug( LDAP_DEBUG_ARGS, " %d %d %d\n", op->ors_slimit, op->ors_tlimit, op->ors_attrsonly); /* filter - returns a "normalized" version */ rs->sr_err = get_filter( op, op->o_ber, &op->ors_filter, &rs->sr_text ); if( rs->sr_err != LDAP_SUCCESS ) { if( rs->sr_err == SLAPD_DISCONNECT ) { rs->sr_err = LDAP_PROTOCOL_ERROR; send_ldap_disconnect( op, rs ); rs->sr_err = SLAPD_DISCONNECT; } else { send_ldap_result( op, rs ); } goto return_results; } filter2bv_x( op, op->ors_filter, &op->ors_filterstr ); Debug( LDAP_DEBUG_ARGS, " filter: %s\n", !BER_BVISEMPTY( &op->ors_filterstr ) ? op->ors_filterstr.bv_val : "empty" ); /* attributes */ siz = sizeof(AttributeName); off = offsetof(AttributeName,an_name); if ( ber_scanf( op->o_ber, "{M}}", &op->ors_attrs, &siz, off ) == LBER_ERROR ) { send_ldap_discon( op, rs, LDAP_PROTOCOL_ERROR, "decoding attrs error" ); rs->sr_err = SLAPD_DISCONNECT; goto return_results; } for ( i=0; i<siz; i++ ) { const char *dummy; /* ignore msgs from bv2ad */ op->ors_attrs[i].an_desc = NULL; op->ors_attrs[i].an_oc = NULL; op->ors_attrs[i].an_flags = 0; if ( slap_bv2ad( &op->ors_attrs[i].an_name, &op->ors_attrs[i].an_desc, &dummy ) != LDAP_SUCCESS ) { if ( slap_bv2undef_ad( &op->ors_attrs[i].an_name, &op->ors_attrs[i].an_desc, &dummy, SLAP_AD_PROXIED|SLAP_AD_NOINSERT ) ) { struct berval *bv = &op->ors_attrs[i].an_name; /* RFC 4511 LDAPv3: All User Attributes */ if ( bvmatch( bv, slap_bv_all_user_attrs ) ) { continue; } /* RFC 3673 LDAPv3: All Operational Attributes */ if ( bvmatch( bv, slap_bv_all_operational_attrs ) ) { continue; } /* RFC 4529 LDAP: Requesting Attributes by Object Class */ if ( bv->bv_len > 1 && bv->bv_val[0] == '@' ) { /* FIXME: check if remaining is valid oc name? */ continue; } /* add more "exceptions" to RFC 4511 4.5.1.8. */ /* invalid attribute description? remove */ if ( ad_keystring( bv ) ) { /* NOTE: parsed in-place, don't modify; * rather add "1.1", which must be ignored */ BER_BVSTR( &op->ors_attrs[i].an_name, LDAP_NO_ATTRS ); } /* otherwise leave in place... */ } } } if( get_ctrls( op, rs, 1 ) != LDAP_SUCCESS ) { Debug( LDAP_DEBUG_ANY, "%s do_search: get_ctrls failed\n", op->o_log_prefix ); goto return_results; } Debug( LDAP_DEBUG_ARGS, " attrs:" ); if ( siz != 0 ) { for ( i = 0; i<siz; i++ ) { Debug( LDAP_DEBUG_ARGS, " %s", op->ors_attrs[i].an_name.bv_val ); } } Debug( LDAP_DEBUG_ARGS, "\n" ); if (LogTest( LDAP_DEBUG_STATS ) ) { char abuf[BUFSIZ/2], *ptr = abuf; unsigned len = 0, alen; sprintf(abuf, "scope=%d deref=%d", op->ors_scope, op->ors_deref); Debug( LDAP_DEBUG_STATS, "%s SRCH base=\"%s\" %s filter=\"%s\"\n", op->o_log_prefix, op->o_req_dn.bv_val, abuf, op->ors_filterstr.bv_val ); for ( i = 0; i<siz; i++ ) { alen = op->ors_attrs[i].an_name.bv_len; if (alen >= sizeof(abuf)) { alen = sizeof(abuf)-1; } if (len && (len + 1 + alen >= sizeof(abuf))) { Debug( LDAP_DEBUG_STATS, "%s SRCH attr=%s\n", op->o_log_prefix, abuf ); len = 0; ptr = abuf; } if (len) { *ptr++ = ' '; len++; } ptr = lutil_strncopy(ptr, op->ors_attrs[i].an_name.bv_val, alen); len += alen; *ptr = '\0'; } if (len) { Debug( LDAP_DEBUG_STATS, "%s SRCH attr=%s\n", op->o_log_prefix, abuf ); } } op->o_bd = frontendDB; rs->sr_err = frontendDB->be_search( op, rs ); if ( rs->sr_err == SLAPD_ASYNCOP ) { /* skip cleanup */ return rs->sr_err; } return_results:; if ( !BER_BVISNULL( &op->o_req_dn ) ) { slap_sl_free( op->o_req_dn.bv_val, op->o_tmpmemctx ); } if ( !BER_BVISNULL( &op->o_req_ndn ) ) { slap_sl_free( op->o_req_ndn.bv_val, op->o_tmpmemctx ); } if ( !BER_BVISNULL( &op->ors_filterstr ) ) { op->o_tmpfree( op->ors_filterstr.bv_val, op->o_tmpmemctx ); } if ( op->ors_filter != NULL) { filter_free_x( op, op->ors_filter, 1 ); } if ( op->ors_attrs != NULL ) { op->o_tmpfree( op->ors_attrs, op->o_tmpmemctx ); } return rs->sr_err; }
int perl_back_modify( Operation *op, SlapReply *rs ) { PerlBackend *perl_back = (PerlBackend *)op->o_bd->be_private; Modifications *modlist = op->orm_modlist; int count; int i; #if defined(HAVE_WIN32_ASPERL) || defined(USE_ITHREADS) PERL_SET_CONTEXT( PERL_INTERPRETER ); #endif ldap_pvt_thread_mutex_lock( &perl_interpreter_mutex ); { dSP; ENTER; SAVETMPS; PUSHMARK(sp); XPUSHs( perl_back->pb_obj_ref ); XPUSHs(sv_2mortal(newSVpv( op->o_req_dn.bv_val , 0))); for (; modlist != NULL; modlist = modlist->sml_next ) { Modification *mods = &modlist->sml_mod; switch ( mods->sm_op & ~LDAP_MOD_BVALUES ) { case LDAP_MOD_ADD: XPUSHs(sv_2mortal(newSVpv("ADD", 0 ))); break; case LDAP_MOD_DELETE: XPUSHs(sv_2mortal(newSVpv("DELETE", 0 ))); break; case LDAP_MOD_REPLACE: XPUSHs(sv_2mortal(newSVpv("REPLACE", 0 ))); break; } XPUSHs(sv_2mortal(newSVpv( mods->sm_desc->ad_cname.bv_val, 0 ))); for ( i = 0; mods->sm_values != NULL && mods->sm_values[i].bv_val != NULL; i++ ) { XPUSHs(sv_2mortal(newSVpv( mods->sm_values[i].bv_val, 0 ))); } /* Fix delete attrib without value. */ if ( i == 0) { XPUSHs(sv_newmortal()); } } PUTBACK; #ifdef PERL_IS_5_6 count = call_method("modify", G_SCALAR); #else count = perl_call_method("modify", G_SCALAR); #endif SPAGAIN; if (count != 1) { croak("Big trouble in back_modify\n"); } rs->sr_err = POPi; PUTBACK; FREETMPS; LEAVE; } ldap_pvt_thread_mutex_unlock( &perl_interpreter_mutex ); send_ldap_result( op, rs ); Debug( LDAP_DEBUG_ANY, "Perl MODIFY\n", 0, 0, 0 ); return( 0 ); }
int ldap_back_modify( Operation *op, SlapReply *rs ) { ldapinfo_t *li = (ldapinfo_t *)op->o_bd->be_private; ldapconn_t *lc = NULL; LDAPMod **modv = NULL, *mods = NULL; Modifications *ml; int i, j, rc; ber_int_t msgid; int isupdate; ldap_back_send_t retrying = LDAP_BACK_RETRYING; LDAPControl **ctrls = NULL; if ( !ldap_back_dobind( &lc, op, rs, LDAP_BACK_SENDERR ) ) { return rs->sr_err; } for ( i = 0, ml = op->orm_modlist; ml; i++, ml = ml->sml_next ) /* just count mods */ ; modv = (LDAPMod **)ch_malloc( ( i + 1 )*sizeof( LDAPMod * ) + i*sizeof( LDAPMod ) ); if ( modv == NULL ) { rc = LDAP_NO_MEMORY; goto cleanup; } mods = (LDAPMod *)&modv[ i + 1 ]; isupdate = be_shadow_update( op ); for ( i = 0, ml = op->orm_modlist; ml; ml = ml->sml_next ) { if ( !isupdate && !get_relax( op ) && ml->sml_desc->ad_type->sat_no_user_mod ) { continue; } modv[ i ] = &mods[ i ]; mods[ i ].mod_op = ( ml->sml_op | LDAP_MOD_BVALUES ); mods[ i ].mod_type = ml->sml_desc->ad_cname.bv_val; if ( ml->sml_values != NULL ) { if ( ml->sml_values == NULL ) { continue; } for ( j = 0; !BER_BVISNULL( &ml->sml_values[ j ] ); j++ ) /* just count mods */ ; mods[ i ].mod_bvalues = (struct berval **)ch_malloc( ( j + 1 )*sizeof( struct berval * ) ); for ( j = 0; !BER_BVISNULL( &ml->sml_values[ j ] ); j++ ) { mods[ i ].mod_bvalues[ j ] = &ml->sml_values[ j ]; } mods[ i ].mod_bvalues[ j ] = NULL; } else { mods[ i ].mod_bvalues = NULL; } i++; } modv[ i ] = 0; retry:; ctrls = op->o_ctrls; rc = ldap_back_controls_add( op, rs, lc, &ctrls ); if ( rc != LDAP_SUCCESS ) { send_ldap_result( op, rs ); rc = -1; goto cleanup; } rs->sr_err = ldap_modify_ext( lc->lc_ld, op->o_req_dn.bv_val, modv, ctrls, NULL, &msgid ); rc = ldap_back_op_result( lc, op, rs, msgid, li->li_timeout[ SLAP_OP_MODIFY ], ( LDAP_BACK_SENDRESULT | retrying ) ); if ( rs->sr_err == LDAP_UNAVAILABLE && retrying ) { retrying &= ~LDAP_BACK_RETRYING; if ( ldap_back_retry( &lc, op, rs, LDAP_BACK_SENDERR ) ) { /* if the identity changed, there might be need to re-authz */ (void)ldap_back_controls_free( op, rs, &ctrls ); goto retry; } } ldap_pvt_thread_mutex_lock( &li->li_counter_mutex ); ldap_pvt_mp_add( li->li_ops_completed[ SLAP_OP_MODIFY ], 1 ); ldap_pvt_thread_mutex_unlock( &li->li_counter_mutex ); cleanup:; (void)ldap_back_controls_free( op, rs, &ctrls ); for ( i = 0; modv[ i ]; i++ ) { ch_free( modv[ i ]->mod_bvalues ); } ch_free( modv ); if ( lc != NULL ) { ldap_back_release_conn( li, lc ); } return rc; }
int bdb_compare( Operation *op, SlapReply *rs ) { struct bdb_info *bdb = (struct bdb_info *) op->o_bd->be_private; Entry *e = NULL; EntryInfo *ei; Attribute *a; int manageDSAit = get_manageDSAit( op ); BDB_LOCKER locker; DB_LOCK lock; rs->sr_err = LOCK_ID(bdb->bi_dbenv, &locker); switch(rs->sr_err) { case 0: break; default: send_ldap_error( op, rs, LDAP_OTHER, "internal error" ); return rs->sr_err; } dn2entry_retry: /* get entry */ rs->sr_err = bdb_dn2entry( op, NULL, &op->o_req_ndn, &ei, 1, locker, &lock ); switch( rs->sr_err ) { case DB_NOTFOUND: case 0: break; case LDAP_BUSY: rs->sr_text = "ldap server busy"; goto return_results; case DB_LOCK_DEADLOCK: case DB_LOCK_NOTGRANTED: goto dn2entry_retry; default: rs->sr_err = LDAP_OTHER; rs->sr_text = "internal error"; goto return_results; } e = ei->bei_e; if ( rs->sr_err == DB_NOTFOUND ) { if ( e != NULL ) { /* return referral only if "disclose" is granted on the object */ if ( ! access_allowed( op, e, slap_schema.si_ad_entry, NULL, ACL_DISCLOSE, NULL ) ) { rs->sr_err = LDAP_NO_SUCH_OBJECT; } else { rs->sr_matched = ch_strdup( e->e_dn ); rs->sr_ref = is_entry_referral( e ) ? get_entry_referrals( op, e ) : NULL; rs->sr_err = LDAP_REFERRAL; } bdb_cache_return_entry_r( bdb, e, &lock ); e = NULL; } else { rs->sr_ref = referral_rewrite( default_referral, NULL, &op->o_req_dn, LDAP_SCOPE_DEFAULT ); rs->sr_err = rs->sr_ref ? LDAP_REFERRAL : LDAP_NO_SUCH_OBJECT; } send_ldap_result( op, rs ); ber_bvarray_free( rs->sr_ref ); free( (char *)rs->sr_matched ); rs->sr_ref = NULL; rs->sr_matched = NULL; goto done; } if (!manageDSAit && is_entry_referral( e ) ) { /* return referral only if "disclose" is granted on the object */ if ( !access_allowed( op, e, slap_schema.si_ad_entry, NULL, ACL_DISCLOSE, NULL ) ) { rs->sr_err = LDAP_NO_SUCH_OBJECT; } else { /* entry is a referral, don't allow compare */ rs->sr_ref = get_entry_referrals( op, e ); rs->sr_err = LDAP_REFERRAL; rs->sr_matched = e->e_name.bv_val; } Debug( LDAP_DEBUG_TRACE, "entry is referral\n", 0, 0, 0 ); send_ldap_result( op, rs ); ber_bvarray_free( rs->sr_ref ); rs->sr_ref = NULL; rs->sr_matched = NULL; goto done; } if ( get_assert( op ) && ( test_filter( op, e, get_assertion( op )) != LDAP_COMPARE_TRUE )) { if ( !access_allowed( op, e, slap_schema.si_ad_entry, NULL, ACL_DISCLOSE, NULL ) ) { rs->sr_err = LDAP_NO_SUCH_OBJECT; } else { rs->sr_err = LDAP_ASSERTION_FAILED; } goto return_results; } if ( !access_allowed( op, e, op->oq_compare.rs_ava->aa_desc, &op->oq_compare.rs_ava->aa_value, ACL_COMPARE, NULL ) ) { /* return error only if "disclose" * is granted on the object */ if ( !access_allowed( op, e, slap_schema.si_ad_entry, NULL, ACL_DISCLOSE, NULL ) ) { rs->sr_err = LDAP_NO_SUCH_OBJECT; } else { rs->sr_err = LDAP_INSUFFICIENT_ACCESS; } goto return_results; } rs->sr_err = LDAP_NO_SUCH_ATTRIBUTE; for ( a = attrs_find( e->e_attrs, op->oq_compare.rs_ava->aa_desc ); a != NULL; a = attrs_find( a->a_next, op->oq_compare.rs_ava->aa_desc ) ) { rs->sr_err = LDAP_COMPARE_FALSE; if ( attr_valfind( a, SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH | SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH, &op->oq_compare.rs_ava->aa_value, NULL, op->o_tmpmemctx ) == 0 ) { rs->sr_err = LDAP_COMPARE_TRUE; break; } } return_results: send_ldap_result( op, rs ); switch ( rs->sr_err ) { case LDAP_COMPARE_FALSE: case LDAP_COMPARE_TRUE: rs->sr_err = LDAP_SUCCESS; break; } done: /* free entry */ if ( e != NULL ) { bdb_cache_return_entry_r( bdb, e, &lock ); } LOCK_ID_FREE ( bdb->bi_dbenv, locker ); return rs->sr_err; }
int mdb_add(Operation *op, SlapReply *rs ) { struct mdb_info *mdb = (struct mdb_info *) op->o_bd->be_private; struct berval pdn; Entry *p = NULL, *oe = op->ora_e; char textbuf[SLAP_TEXT_BUFLEN]; size_t textlen = sizeof textbuf; AttributeDescription *children = slap_schema.si_ad_children; AttributeDescription *entry = slap_schema.si_ad_entry; MDB_txn *txn = NULL; MDB_cursor *mc = NULL; MDB_cursor *mcd; ID eid, pid = 0; mdb_op_info opinfo = {{{ 0 }}}, *moi = &opinfo; int subentry; int numads = mdb->mi_numads; int success; LDAPControl **postread_ctrl = NULL; LDAPControl *ctrls[SLAP_MAX_RESPONSE_CONTROLS]; int num_ctrls = 0; #ifdef LDAP_X_TXN int settle = 0; #endif Debug(LDAP_DEBUG_ARGS, "==> " LDAP_XSTRING(mdb_add) ": %s\n", op->ora_e->e_name.bv_val, 0, 0); #ifdef LDAP_X_TXN if( op->o_txnSpec ) { /* acquire connection lock */ ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex ); if( op->o_conn->c_txn == CONN_TXN_INACTIVE ) { rs->sr_text = "invalid transaction identifier"; rs->sr_err = LDAP_X_TXN_ID_INVALID; goto txnReturn; } else if( op->o_conn->c_txn == CONN_TXN_SETTLE ) { settle=1; goto txnReturn; } if( op->o_conn->c_txn_backend == NULL ) { op->o_conn->c_txn_backend = op->o_bd; } else if( op->o_conn->c_txn_backend != op->o_bd ) { rs->sr_text = "transaction cannot span multiple database contexts"; rs->sr_err = LDAP_AFFECTS_MULTIPLE_DSAS; goto txnReturn; } /* insert operation into transaction */ rs->sr_text = "transaction specified"; rs->sr_err = LDAP_X_TXN_SPECIFY_OKAY; txnReturn: /* release connection lock */ ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex ); if( !settle ) { send_ldap_result( op, rs ); return rs->sr_err; } } #endif ctrls[num_ctrls] = 0; /* check entry's schema */ rs->sr_err = entry_schema_check( op, op->ora_e, NULL, get_relax(op), 1, NULL, &rs->sr_text, textbuf, textlen ); if ( rs->sr_err != LDAP_SUCCESS ) { Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(mdb_add) ": entry failed schema check: " "%s (%d)\n", rs->sr_text, rs->sr_err, 0 ); goto return_results; } /* begin transaction */ rs->sr_err = mdb_opinfo_get( op, mdb, 0, &moi ); rs->sr_text = NULL; if( rs->sr_err != 0 ) { Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(mdb_add) ": txn_begin failed: %s (%d)\n", mdb_strerror(rs->sr_err), rs->sr_err, 0 ); rs->sr_err = LDAP_OTHER; rs->sr_text = "internal error"; goto return_results; } txn = moi->moi_txn; /* add opattrs to shadow as well, only missing attrs will actually * be added; helps compatibility with older OL versions */ rs->sr_err = slap_add_opattrs( op, &rs->sr_text, textbuf, textlen, 1 ); if ( rs->sr_err != LDAP_SUCCESS ) { Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(mdb_add) ": entry failed op attrs add: " "%s (%d)\n", rs->sr_text, rs->sr_err, 0 ); goto return_results; } if ( get_assert( op ) && ( test_filter( op, op->ora_e, get_assertion( op )) != LDAP_COMPARE_TRUE )) { rs->sr_err = LDAP_ASSERTION_FAILED; goto return_results; } subentry = is_entry_subentry( op->ora_e ); /* * Get the parent dn and see if the corresponding entry exists. */ if ( be_issuffix( op->o_bd, &op->ora_e->e_nname ) ) { pdn = slap_empty_bv; } else { dnParent( &op->ora_e->e_nname, &pdn ); } rs->sr_err = mdb_cursor_open( txn, mdb->mi_dn2id, &mcd ); if( rs->sr_err != 0 ) { Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(mdb_add) ": mdb_cursor_open failed (%d)\n", rs->sr_err, 0, 0 ); rs->sr_err = LDAP_OTHER; rs->sr_text = "internal error"; goto return_results; } /* get entry or parent */ rs->sr_err = mdb_dn2entry( op, txn, mcd, &op->ora_e->e_nname, &p, NULL, 1 ); switch( rs->sr_err ) { case 0: rs->sr_err = LDAP_ALREADY_EXISTS; mdb_entry_return( op, p ); p = NULL; goto return_results; case MDB_NOTFOUND: break; case LDAP_BUSY: rs->sr_text = "ldap server busy"; goto return_results; default: rs->sr_err = LDAP_OTHER; rs->sr_text = "internal error"; goto return_results; } if ( !p ) p = (Entry *)&slap_entry_root; if ( !bvmatch( &pdn, &p->e_nname ) ) { rs->sr_matched = ber_strdup_x( p->e_name.bv_val, op->o_tmpmemctx ); if ( p != (Entry *)&slap_entry_root && is_entry_referral( p )) { BerVarray ref = get_entry_referrals( op, p ); rs->sr_ref = referral_rewrite( ref, &p->e_name, &op->o_req_dn, LDAP_SCOPE_DEFAULT ); ber_bvarray_free( ref ); } else { rs->sr_ref = NULL; } if ( p != (Entry *)&slap_entry_root ) mdb_entry_return( op, p ); p = NULL; Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(mdb_add) ": parent " "does not exist\n", 0, 0, 0 ); rs->sr_err = LDAP_REFERRAL; rs->sr_flags = REP_MATCHED_MUSTBEFREED | REP_REF_MUSTBEFREED; goto return_results; } rs->sr_err = access_allowed( op, p, children, NULL, ACL_WADD, NULL ); if ( ! rs->sr_err ) { if ( p != (Entry *)&slap_entry_root ) mdb_entry_return( op, p ); p = NULL; Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(mdb_add) ": no write access to parent\n", 0, 0, 0 ); rs->sr_err = LDAP_INSUFFICIENT_ACCESS; rs->sr_text = "no write access to parent"; goto return_results;; } if ( p != (Entry *)&slap_entry_root ) { if ( is_entry_subentry( p ) ) { mdb_entry_return( op, p ); p = NULL; /* parent is a subentry, don't allow add */ Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(mdb_add) ": parent is subentry\n", 0, 0, 0 ); rs->sr_err = LDAP_OBJECT_CLASS_VIOLATION; rs->sr_text = "parent is a subentry"; goto return_results;; } if ( is_entry_alias( p ) ) { mdb_entry_return( op, p ); p = NULL; /* parent is an alias, don't allow add */ Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(mdb_add) ": parent is alias\n", 0, 0, 0 ); rs->sr_err = LDAP_ALIAS_PROBLEM; rs->sr_text = "parent is an alias"; goto return_results;; } if ( is_entry_referral( p ) ) { BerVarray ref = get_entry_referrals( op, p ); /* parent is a referral, don't allow add */ rs->sr_matched = ber_strdup_x( p->e_name.bv_val, op->o_tmpmemctx ); rs->sr_ref = referral_rewrite( ref, &p->e_name, &op->o_req_dn, LDAP_SCOPE_DEFAULT ); ber_bvarray_free( ref ); mdb_entry_return( op, p ); p = NULL; Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(mdb_add) ": parent is referral\n", 0, 0, 0 ); rs->sr_err = LDAP_REFERRAL; rs->sr_flags = REP_MATCHED_MUSTBEFREED | REP_REF_MUSTBEFREED; goto return_results; } } if ( subentry ) { /* FIXME: */ /* parent must be an administrative point of the required kind */ } /* free parent */ if ( p != (Entry *)&slap_entry_root ) { pid = p->e_id; if ( p->e_nname.bv_len ) { struct berval ppdn; /* ITS#5326: use parent's DN if differs from provided one */ dnParent( &op->ora_e->e_name, &ppdn ); if ( !dn_match( &p->e_name, &ppdn ) ) { struct berval rdn; struct berval newdn; dnRdn( &op->ora_e->e_name, &rdn ); build_new_dn( &newdn, &p->e_name, &rdn, NULL ); if ( op->ora_e->e_name.bv_val != op->o_req_dn.bv_val ) ber_memfree( op->ora_e->e_name.bv_val ); op->ora_e->e_name = newdn; /* FIXME: should check whether * dnNormalize(newdn) == e->e_nname ... */ } } mdb_entry_return( op, p ); } p = NULL; rs->sr_err = access_allowed( op, op->ora_e, entry, NULL, ACL_WADD, NULL ); if ( ! rs->sr_err ) { Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(mdb_add) ": no write access to entry\n", 0, 0, 0 ); rs->sr_err = LDAP_INSUFFICIENT_ACCESS; rs->sr_text = "no write access to entry"; goto return_results;; } /* * Check ACL for attribute write access */ if (!acl_check_modlist(op, oe, op->ora_modlist)) { Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(mdb_add) ": no write access to attribute\n", 0, 0, 0 ); rs->sr_err = LDAP_INSUFFICIENT_ACCESS; rs->sr_text = "no write access to attribute"; goto return_results;; } rs->sr_err = mdb_cursor_open( txn, mdb->mi_id2entry, &mc ); if( rs->sr_err != 0 ) { Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(mdb_add) ": mdb_cursor_open failed (%d)\n", rs->sr_err, 0, 0 ); rs->sr_err = LDAP_OTHER; rs->sr_text = "internal error"; goto return_results; } rs->sr_err = mdb_next_id( op->o_bd, mc, &eid ); if( rs->sr_err != 0 ) { Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(mdb_add) ": next_id failed (%d)\n", rs->sr_err, 0, 0 ); rs->sr_err = LDAP_OTHER; rs->sr_text = "internal error"; goto return_results; } op->ora_e->e_id = eid; /* dn2id index */ rs->sr_err = mdb_dn2id_add( op, mcd, mcd, pid, 1, 1, op->ora_e ); mdb_cursor_close( mcd ); if ( rs->sr_err != 0 ) { Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(mdb_add) ": dn2id_add failed: %s (%d)\n", mdb_strerror(rs->sr_err), rs->sr_err, 0 ); switch( rs->sr_err ) { case MDB_KEYEXIST: rs->sr_err = LDAP_ALREADY_EXISTS; break; default: rs->sr_err = LDAP_OTHER; } goto return_results; } /* attribute indexes */ rs->sr_err = mdb_index_entry_add( op, txn, op->ora_e ); if ( rs->sr_err != LDAP_SUCCESS ) { Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(mdb_add) ": index_entry_add failed\n", 0, 0, 0 ); rs->sr_err = LDAP_OTHER; rs->sr_text = "index generation failed"; goto return_results; } /* id2entry index */ rs->sr_err = mdb_id2entry_add( op, txn, mc, op->ora_e ); if ( rs->sr_err != 0 ) { Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(mdb_add) ": id2entry_add failed\n", 0, 0, 0 ); rs->sr_err = LDAP_OTHER; rs->sr_text = "entry store failed"; goto return_results; } /* post-read */ if( op->o_postread ) { if( postread_ctrl == NULL ) { postread_ctrl = &ctrls[num_ctrls++]; ctrls[num_ctrls] = NULL; } if ( slap_read_controls( op, rs, op->ora_e, &slap_post_read_bv, postread_ctrl ) ) { Debug( LDAP_DEBUG_TRACE, "<=- " LDAP_XSTRING(mdb_add) ": post-read " "failed!\n", 0, 0, 0 ); if ( op->o_postread & SLAP_CONTROL_CRITICAL ) { /* FIXME: is it correct to abort * operation if control fails? */ goto return_results; } } } if ( moi == &opinfo ) { LDAP_SLIST_REMOVE( &op->o_extra, &opinfo.moi_oe, OpExtra, oe_next ); opinfo.moi_oe.oe_key = NULL; if ( op->o_noop ) { mdb->mi_numads = numads; mdb_txn_abort( txn ); rs->sr_err = LDAP_X_NO_OPERATION; txn = NULL; goto return_results; } rs->sr_err = mdb_txn_commit( txn ); txn = NULL; if ( rs->sr_err != 0 ) { mdb->mi_numads = numads; rs->sr_text = "txn_commit failed"; Debug( LDAP_DEBUG_ANY, LDAP_XSTRING(mdb_add) ": %s : %s (%d)\n", rs->sr_text, mdb_strerror(rs->sr_err), rs->sr_err ); rs->sr_err = LDAP_OTHER; goto return_results; } } Debug(LDAP_DEBUG_TRACE, LDAP_XSTRING(mdb_add) ": added%s id=%08lx dn=\"%s\"\n", op->o_noop ? " (no-op)" : "", op->ora_e->e_id, op->ora_e->e_dn ); rs->sr_text = NULL; if( num_ctrls ) rs->sr_ctrls = ctrls; return_results: success = rs->sr_err; send_ldap_result( op, rs ); if( moi == &opinfo ) { if( txn != NULL ) { mdb->mi_numads = numads; mdb_txn_abort( txn ); } if ( opinfo.moi_oe.oe_key ) { LDAP_SLIST_REMOVE( &op->o_extra, &opinfo.moi_oe, OpExtra, oe_next ); } } else { moi->moi_ref--; } if( success == LDAP_SUCCESS ) { #if 0 if ( mdb->bi_txn_cp_kbyte ) { TXN_CHECKPOINT( mdb->bi_dbenv, mdb->bi_txn_cp_kbyte, mdb->bi_txn_cp_min, 0 ); } #endif } slap_graduate_commit_csn( op ); if( postread_ctrl != NULL && (*postread_ctrl) != NULL ) { slap_sl_free( (*postread_ctrl)->ldctl_value.bv_val, op->o_tmpmemctx ); slap_sl_free( *postread_ctrl, op->o_tmpmemctx ); } return rs->sr_err; }