/* Handles the parsing of the config entry for an ldbm instance. Returns 0
* on success. */
static int
parse_ldbm_instance_config_entry(ldbm_instance *inst, Slapi_Entry *e, config_info *config_array)
{
Slapi_Attr *attr = NULL;
for (slapi_entry_first_attr(e, &attr); attr;
slapi_entry_next_attr(e, attr, &attr)) {
char *attr_name = NULL;
Slapi_Value *sval = NULL;
struct berval *bval;
char err_buf[BUFSIZ];
slapi_attr_get_type(attr, &attr_name);
/* There are some attributes that we don't care about,
* like objectclass. */
if (ldbm_config_ignored_attr(attr_name)) {
continue;
}
/* We have to handle suffix attributes a little differently */
if (strcasecmp(attr_name, CONFIG_INSTANCE_SUFFIX) == 0) {
Slapi_DN suffix;
slapi_attr_first_value(attr, &sval);
bval = (struct berval *) slapi_value_get_berval(sval);
slapi_sdn_init_dn_byref(&suffix, bval->bv_val);
if (!slapi_be_issuffix(inst->inst_be, &suffix)) {
be_addsuffix(inst->inst_be, &suffix);
}
slapi_sdn_done(&suffix);
continue;
}
/* We are assuming that each of these attributes are to have
* only one value. If they have more than one value, like
* the nsslapd-suffix attribute, then they need to be
* handled differently. */
slapi_attr_first_value(attr, &sval);
bval = (struct berval *) slapi_value_get_berval(sval);
if (ldbm_config_set((void *) inst, attr_name, config_array, bval,
err_buf, CONFIG_PHASE_STARTUP, 1 /* apply */, LDAP_MOD_REPLACE) != LDAP_SUCCESS) {
LDAPDebug(LDAP_DEBUG_ANY, "Error with config attribute %s : %s\n",
attr_name, err_buf, 0);
return 1;
}
}
/* Read the index entries */
read_instance_index_entries(inst);
/* Read the attribute encryption entries */
read_instance_attrcrypt_entries(inst);
return 0;
}
Slapi_ValueSet *
replica_updatedn_list_get_members(Slapi_DN *dn)
{
static char* const filter_groups = "(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs))";
static char* const type_member = "member";
static char* const type_uniquemember = "uniquemember";
static char* const type_memberURL = "memberURL";
int rval;
char *attrs[4];
Slapi_PBlock *mpb = slapi_pblock_new ();
Slapi_ValueSet *members = slapi_valueset_new();
attrs[0] = type_member;
attrs[1] = type_uniquemember;
attrs[2] = type_memberURL;
attrs[3] = NULL;
slapi_search_internal_set_pb ( mpb, slapi_sdn_get_ndn(dn), LDAP_SCOPE_BASE, filter_groups,
&attrs[0], 0, NULL /* controls */, NULL /* uniqueid */,
repl_get_plugin_identity (PLUGIN_MULTIMASTER_REPLICATION), 0);
slapi_search_internal_pb(mpb);
slapi_pblock_get(mpb, SLAPI_PLUGIN_INTOP_RESULT, &rval);
if (rval == LDAP_SUCCESS) {
Slapi_Entry **ep;
slapi_pblock_get(mpb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &ep);
if ((ep != NULL) && (ep[0] != NULL)) {
Slapi_Attr *attr = NULL;
Slapi_Attr *nextAttr = NULL;
Slapi_ValueSet *vs = NULL;
char *attrType;
slapi_entry_first_attr ( ep[0], &attr);
while (attr) {
slapi_attr_get_type ( attr, &attrType );
if ((strcasecmp (attrType, type_member) == 0) ||
(strcasecmp (attrType, type_uniquemember) == 0 )) {
slapi_attr_get_valueset(attr, &vs);
slapi_valueset_join_attr_valueset(attr, members, vs);
slapi_valueset_free(vs);
} else if (strcasecmp (attrType, type_memberURL) == 0) {
/* not yet supported */
}
slapi_entry_next_attr ( ep[0], attr, &nextAttr );
attr = nextAttr;
}
}
}
slapi_free_search_results_internal(mpb);
slapi_pblock_destroy (mpb);
return(members);
}
static int
parse_ldbm_instance_entry(Slapi_Entry *e, char **instance_name)
{
Slapi_Attr *attr = NULL;
for (slapi_entry_first_attr(e, &attr); attr;
slapi_entry_next_attr(e, attr, &attr)) {
char *attr_name = NULL;
slapi_attr_get_type(attr, &attr_name);
if (strcasecmp(attr_name, "cn") == 0) {
Slapi_Value *sval = NULL;
struct berval *bval;
slapi_attr_first_value(attr, &sval);
bval = (struct berval *) slapi_value_get_berval(sval);
*instance_name = slapi_ch_strdup((char *)bval->bv_val);
}
}
return 0;
}
/*
Given an entry, provide the account policy in effect for that entry.
Returns non-0 if function fails. If account policy comes back NULL, it's
not an error; the entry is simply not covered by a policy.
*/
int
get_acctpolicy( Slapi_PBlock *pb, Slapi_Entry *target_entry, void *plugin_id,
acctPolicy **policy )
{
Slapi_DN *sdn = NULL;
Slapi_Entry *policy_entry = NULL;
Slapi_Attr *attr;
Slapi_Value *sval = NULL;
int ldrc;
char *attr_name;
char *policy_dn = NULL;
acctPluginCfg *cfg;
int rc = 0;
if( policy == NULL ) {
/* Bad parameter */
return( -1 );
}
*policy = NULL;
config_rd_lock();
cfg = get_config();
/* Return success and NULL policy */
policy_dn = get_attr_string_val( target_entry, cfg->spec_attr_name );
if( policy_dn == NULL ) {
slapi_log_err(SLAPI_LOG_PLUGIN, PLUGIN_NAME,
"get_acctpolicy - \"%s\" is not governed by an account inactivity "
"policy subentry\n", slapi_entry_get_ndn( target_entry ) );
if (cfg->inactivitylimit != ULONG_MAX) {
goto dopolicy;
}
slapi_log_err(SLAPI_LOG_PLUGIN, PLUGIN_NAME,
"get_acctpolicy - \"%s\" is not governed by an account inactivity "
"global policy\n", slapi_entry_get_ndn( target_entry ) );
config_unlock();
return rc;
}
sdn = slapi_sdn_new_dn_byref( policy_dn );
ldrc = slapi_search_internal_get_entry( sdn, NULL, &policy_entry,
plugin_id );
slapi_sdn_free( &sdn );
/* There should be a policy but it can't be retrieved; fatal error */
if( policy_entry == NULL ) {
if( ldrc != LDAP_NO_SUCH_OBJECT ) {
slapi_log_err(SLAPI_LOG_ERR, PLUGIN_NAME,
"get_acctpolicy - Error retrieving policy entry \"%s\": %d\n", policy_dn, ldrc );
} else {
slapi_log_err(SLAPI_LOG_PLUGIN, PLUGIN_NAME,
"get_acctpolicy - Policy entry \"%s\" is missing: %d\n", policy_dn, ldrc );
}
rc = -1;
goto done;
}
dopolicy:
*policy = (acctPolicy *)slapi_ch_calloc( 1, sizeof( acctPolicy ) );
if ( !policy_entry ) { /* global policy */
(*policy)->inactivitylimit = cfg->inactivitylimit;
goto done;
}
for( slapi_entry_first_attr( policy_entry, &attr ); attr != NULL;
slapi_entry_next_attr( policy_entry, attr, &attr ) ) {
slapi_attr_get_type(attr, &attr_name);
if( !strcasecmp( attr_name, cfg->limit_attr_name ) ) {
if( slapi_attr_first_value( attr, &sval ) == 0 ) {
(*policy)->inactivitylimit = slapi_value_get_ulong( sval );
}
}
}
done:
config_unlock();
slapi_ch_free_string( &policy_dn );
slapi_entry_free( policy_entry );
return( rc );
}
int
update_integrity(char **argv, Slapi_DN *origSDN,
char *newrDN, Slapi_DN *newsuperior,
int logChanges)
{
Slapi_PBlock *search_result_pb = NULL;
Slapi_PBlock *mod_pb = slapi_pblock_new();
Slapi_Entry **search_entries = NULL;
Slapi_DN *sdn = NULL;
Slapi_Attr *attr = NULL;
void *node = NULL;
const char *origDN = slapi_sdn_get_dn(origSDN);
const char *search_base = NULL;
char *attrName = NULL;
char *filter = NULL;
char *attrs[2];
int search_result;
int nval = 0;
int i, j;
int rc;
if ( argv == NULL ){
slapi_log_error( SLAPI_LOG_FATAL, REFERINT_PLUGIN_SUBSYSTEM,
"referint_postop required config file arguments missing\n" );
rc = -1;
goto free_and_return;
}
/*
* For now, just putting attributes to keep integrity on in conf file,
* until resolve the other timing mode issue
*/
search_result_pb = slapi_pblock_new();
/* Search each namingContext in turn */
for ( sdn = slapi_get_first_suffix( &node, 0 ); sdn != NULL;
sdn = slapi_get_next_suffix( &node, 0 ))
{
Slapi_Backend *be = slapi_be_select(sdn);
search_base = slapi_sdn_get_dn( sdn );
for(i = 3; argv[i] != NULL; i++){
filter = slapi_filter_sprintf("(%s=*%s%s)", argv[i], ESC_NEXT_VAL, origDN);
if ( filter ) {
/* Need only the current attribute and its subtypes */
attrs[0] = argv[i];
attrs[1] = NULL;
/* Use new search API */
slapi_pblock_init(search_result_pb);
slapi_pblock_set(search_result_pb, SLAPI_BACKEND, be);
slapi_search_internal_set_pb(search_result_pb, search_base,
LDAP_SCOPE_SUBTREE, filter, attrs, 0 /* attrs only */,
NULL, NULL, referint_plugin_identity, 0);
slapi_search_internal_pb(search_result_pb);
slapi_pblock_get( search_result_pb, SLAPI_PLUGIN_INTOP_RESULT, &search_result);
/* if search successfull then do integrity update */
if(search_result == LDAP_SUCCESS)
{
slapi_pblock_get(search_result_pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES,
&search_entries);
for(j = 0; search_entries[j] != NULL; j++){
attr = NULL;
attrName = NULL;
/*
* Loop over all the attributes of the entry and search
* for the integrity attribute and its subtypes
*/
for (slapi_entry_first_attr(search_entries[j], &attr); attr;
slapi_entry_next_attr(search_entries[j], attr, &attr))
{
/*
* Take into account only the subtypes of the attribute
* in argv[i] having the necessary value - origDN
*/
slapi_attr_get_type(attr, &attrName);
if (slapi_attr_type_cmp(argv[i], attrName,
SLAPI_TYPE_CMP_SUBTYPE) == 0)
{
nval = 0;
slapi_attr_get_numvalues(attr, &nval);
/*
* We want to reduce the "modify" call as much as
* possible. But if an entry contains 1000s of
* attributes which need to be updated by the
* referint plugin (e.g., a group containing 1000s
* of members), we want to avoid to allocate too
* many mods * in one "modify" call.
* This is a compromise: If an attribute type has
* more than 128 values, we update the attribute
* value one by one. Otherwise, update all values
* in one "modify" call.
*/
if (nval > 128) {
rc = _update_one_per_mod(
slapi_entry_get_sdn(search_entries[j]),
attr, attrName, origSDN, newrDN,
slapi_sdn_get_dn(newsuperior),
mod_pb);
} else {
rc = _update_all_per_mod(
slapi_entry_get_sdn(search_entries[j]),
attr, attrName, origSDN, newrDN,
slapi_sdn_get_dn(newsuperior),
mod_pb);
}
/* Should we stop if one modify returns an error? */
}
}
}
} else {
if (isFatalSearchError(search_result)){
slapi_log_error( SLAPI_LOG_FATAL, REFERINT_PLUGIN_SUBSYSTEM,
"update_integrity search (base=%s filter=%s) returned "
"error %d\n", search_base, filter, search_result);
rc = -1;
goto free_and_return;
}
}
slapi_ch_free_string(&filter);
}
slapi_free_search_results_internal(search_result_pb);
}
}
/* if got here, then everything good rc = 0 */
rc = 0;
free_and_return:
/* free filter and search_results_pb */
slapi_ch_free_string(&filter);
slapi_pblock_destroy(mod_pb);
if (search_result_pb) {
slapi_free_search_results_internal(search_result_pb);
slapi_pblock_destroy(search_result_pb);
}
return(rc);
}
/*
* Get a Slapi_Entry ready to send over the wire as part of
* a total update protocol stream. Convert the entry and all
* of its state information to a BerElement which will be the
* payload of an extended LDAP operation.
*
* Entries consist of:
* - An entry DN
* - A uniqueID
* - A set of present attributes, each of which consists of:
* - A set of present values, each of which consists of:
* - A value
* - A set of CSNs
* - A set of deleted values, each of which consists of:
* - A value
* - A set of CSNs
* - A set of deleted attibutes, each of which consists of:
* - An attribute type
* - A set of CSNs. Note that this list of CSNs will always contain exactly one CSN.
*
* This all gets mashed into one BerElement, ready to be blasted over the wire to
* a replica.
*
*/
BerElement *
entry2bere(const Slapi_Entry *e, char **excluded_attrs)
{
BerElement *ber = NULL;
const char *str = NULL;
const char *dnstr = NULL;
char *type;
Slapi_DN *sdn = NULL;
Slapi_Attr *attr = NULL, *prev_attr;
int rc;
PR_ASSERT(NULL != e);
if ((ber = ber_alloc()) == NULL)
{
goto loser;
}
BER_DEBUG("{");
if (ber_printf(ber, "{") == -1) /* Begin outer sequence */
{
goto loser;
}
/* Get the entry's uniqueid */
if ((str = slapi_entry_get_uniqueid(e)) == NULL)
{
goto loser;
}
BER_DEBUG("s(uniqueid)");
if (ber_printf(ber, "s", str) == -1)
{
goto loser;
}
/* Get the entry's DN */
if ((sdn = slapi_entry_get_sdn((Slapi_Entry *)e)) == NULL) /* XXXggood had to cast away const */
{
goto loser;
}
if ((dnstr = slapi_sdn_get_dn(sdn)) == NULL)
{
goto loser;
}
BER_DEBUG("s(dn)");
if (ber_printf(ber, "s", dnstr) == -1)
{
goto loser;
}
/* Next comes the annoted list of the entry's attributes */
BER_DEBUG("[");
if (ber_printf(ber, "[") == -1) /* Begin set of attributes */
{
goto loser;
}
/*
* We iterate over all of the non-deleted attributes first.
*/
slapi_entry_first_attr(e, &attr);
while (NULL != attr)
{
/* ONREPL - skip uniqueid attribute since we already sent uniqueid
This is a hack; need to figure a better way of storing uniqueid
in an entry */
slapi_attr_get_type (attr, &type);
if (strcasecmp (type, SLAPI_ATTR_UNIQUEID) != 0)
{
/* Check to see if this attribute is excluded by the fractional list */
if ( (NULL == excluded_attrs) || !charray_inlist(excluded_attrs,type))
{
/* Process this attribute */
rc = my_ber_printf_attr (ber, attr, PR_FALSE);
if (rc != 0)
{
goto loser;
}
}
}
prev_attr = attr;
slapi_entry_next_attr(e, prev_attr, &attr);
}
/*
* Now iterate over the deleted attributes.
*/
entry_first_deleted_attribute(e, &attr);
while (attr != NULL)
{
slapi_attr_get_type (attr, &type);
/* Check to see if this attribute is excluded by the fractional list */
if ( (NULL == excluded_attrs) || !charray_inlist(excluded_attrs,type))
{
/* Process this attribute */
rc = my_ber_printf_attr (ber, attr, PR_TRUE);
if (rc != 0)
{
goto loser;
}
}
entry_next_deleted_attribute(e, &attr);
}
BER_DEBUG("]");
if (ber_printf(ber, "]") == -1) /* End set for attributes */
{
goto loser;
}
BER_DEBUG("}");
if (ber_printf(ber, "}") == -1) /* End sequence for this entry */
{
goto loser;
}
/* If we get here, everything went ok */
BER_DEBUG("\n");
goto free_and_return;
loser:
if (NULL != ber)
{
ber_free(ber, 1);
ber = NULL;
}
free_and_return:
return ber;
}
