int
do_unbind( Operation *op, SlapReply *rs )
{
Debug( LDAP_DEBUG_TRACE, "%s do_unbind\n",
op->o_log_prefix, 0, 0 );
/*
* Parse the unbind request. It looks like this:
*
* UnBindRequest ::= NULL
*/
Statslog( LDAP_DEBUG_STATS, "%s UNBIND\n", op->o_log_prefix,
0, 0, 0, 0 );
if ( frontendDB->be_unbind ) {
op->o_bd = frontendDB;
(void)frontendDB->be_unbind( op, rs );
op->o_bd = NULL;
}
/* pass the unbind to all backends */
(void)backend_unbind( op, rs );
return 0;
}
void
send_ldap_disconnect( Operation *op, SlapReply *rs )
{
#define LDAP_UNSOLICITED_ERROR(e) \
( (e) == LDAP_PROTOCOL_ERROR \
|| (e) == LDAP_STRONG_AUTH_REQUIRED \
|| (e) == LDAP_UNAVAILABLE )
assert( LDAP_UNSOLICITED_ERROR( rs->sr_err ) );
rs->sr_type = REP_EXTENDED;
rs->sr_rspdata = NULL;
Debug( LDAP_DEBUG_TRACE,
"send_ldap_disconnect %d:%s\n",
rs->sr_err, rs->sr_text ? rs->sr_text : "", NULL );
if ( op->o_protocol < LDAP_VERSION3 ) {
rs->sr_rspoid = NULL;
rs->sr_tag = slap_req2res( op->o_tag );
rs->sr_msgid = (rs->sr_tag != LBER_SEQUENCE) ? op->o_msgid : 0;
} else {
rs->sr_rspoid = LDAP_NOTICE_DISCONNECT;
rs->sr_tag = LDAP_RES_EXTENDED;
rs->sr_msgid = LDAP_RES_UNSOLICITED;
}
if ( send_ldap_response( op, rs ) == SLAP_CB_CONTINUE ) {
Statslog( LDAP_DEBUG_STATS,
"%s DISCONNECT tag=%lu err=%d text=%s\n",
op->o_log_prefix, rs->sr_tag, rs->sr_err,
rs->sr_text ? rs->sr_text : "", 0 );
}
}
static int
slapi_op_bind_callback( Operation *op, SlapReply *rs, int prc )
{
switch ( prc ) {
case SLAPI_BIND_SUCCESS:
/* Continue with backend processing */
break;
case SLAPI_BIND_FAIL:
/* Failure, frontend (that's us) sends result */
rs->sr_err = LDAP_INVALID_CREDENTIALS;
send_ldap_result( op, rs );
return rs->sr_err;
break;
case SLAPI_BIND_ANONYMOUS: /* undocumented */
default: /* plugin sent result or no plugins called */
BER_BVZERO( &op->orb_edn );
if ( rs->sr_err == LDAP_SUCCESS ) {
/*
* Plugin will have called slapi_pblock_set(LDAP_CONN_DN) which
* will have set conn->c_dn and conn->c_ndn
*/
if ( BER_BVISNULL( &op->o_conn->c_ndn ) && prc == 1 ) {
/* No plugins were called; continue processing */
return LDAP_SUCCESS;
}
ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex );
if ( !BER_BVISEMPTY( &op->o_conn->c_ndn ) ) {
ber_len_t max = sockbuf_max_incoming_auth;
ber_sockbuf_ctrl( op->o_conn->c_sb,
LBER_SB_OPT_SET_MAX_INCOMING, &max );
}
ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex );
/* log authorization identity */
Statslog( LDAP_DEBUG_STATS,
"%s BIND dn=\"%s\" mech=%s (SLAPI) ssf=0\n",
op->o_log_prefix,
BER_BVISNULL( &op->o_conn->c_dn )
? "<empty>" : op->o_conn->c_dn.bv_val,
BER_BVISNULL( &op->orb_mech )
? "<empty>" : op->orb_mech.bv_val, 0, 0 );
return -1;
}
break;
}
return rs->sr_err;
}
int
dnssrv_back_bind(
Operation *op,
SlapReply *rs )
{
Debug( LDAP_DEBUG_TRACE, "DNSSRV: bind dn=\"%s\" (%d)\n",
BER_BVISNULL( &op->o_req_dn ) ? "" : op->o_req_dn.bv_val,
op->orb_method, 0 );
/* allow rootdn as a means to auth without the need to actually
* contact the proxied DSA */
switch ( be_rootdn_bind( op, NULL ) ) {
case LDAP_SUCCESS:
/* frontend will send result */
return rs->sr_err;
default:
/* treat failure and like any other bind, otherwise
* it could reveal the DN of the rootdn */
break;
}
if ( !BER_BVISNULL( &op->orb_cred ) &&
!BER_BVISEMPTY( &op->orb_cred ) )
{
/* simple bind */
Statslog( LDAP_DEBUG_STATS,
"%s DNSSRV BIND dn=\"%s\" provided cleartext passwd\n",
op->o_log_prefix,
BER_BVISNULL( &op->o_req_dn ) ? "" : op->o_req_dn.bv_val , 0, 0, 0 );
send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
"you shouldn't send strangers your password" );
} else {
/* unauthenticated bind */
/* NOTE: we're not going to get here anyway:
* unauthenticated bind is dealt with by the frontend */
Debug( LDAP_DEBUG_TRACE, "DNSSRV: BIND dn=\"%s\"\n",
BER_BVISNULL( &op->o_req_dn ) ? "" : op->o_req_dn.bv_val, 0, 0 );
send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
"anonymous bind expected" );
}
return 1;
}
int txn_start_extop(
Operation *op, SlapReply *rs )
{
int rc;
struct berval *bv;
Statslog( LDAP_DEBUG_STATS, "%s TXN START\n",
op->o_log_prefix, 0, 0, 0, 0 );
if( op->ore_reqdata != NULL ) {
rs->sr_text = "no request data expected";
return LDAP_PROTOCOL_ERROR;
}
op->o_bd = op->o_conn->c_authz_backend;
if( backend_check_restrictions( op, rs,
(struct berval *)&slap_EXOP_TXN_START ) != LDAP_SUCCESS )
{
return rs->sr_err;
}
/* acquire connection lock */
ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex );
if( op->o_conn->c_txn != CONN_TXN_INACTIVE ) {
rs->sr_text = "Too many transactions";
rc = LDAP_BUSY;
goto done;
}
assert( op->o_conn->c_txn_backend == NULL );
op->o_conn->c_txn = CONN_TXN_SPECIFY;
bv = (struct berval *) ch_malloc( sizeof (struct berval) );
bv->bv_len = 0;
bv->bv_val = NULL;
rs->sr_rspdata = bv;
rc = LDAP_SUCCESS;
done:
/* release connection lock */
ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex );
return rc;
}
void
send_ldap_sasl( Operation *op, SlapReply *rs )
{
rs->sr_type = REP_SASL;
Debug( LDAP_DEBUG_TRACE, "send_ldap_sasl: err=%d len=%ld\n",
rs->sr_err,
rs->sr_sasldata ? (long) rs->sr_sasldata->bv_len : -1, NULL );
rs->sr_tag = slap_req2res( op->o_tag );
rs->sr_msgid = (rs->sr_tag != LBER_SEQUENCE) ? op->o_msgid : 0;
if ( send_ldap_response( op, rs ) == SLAP_CB_CONTINUE ) {
Statslog( LDAP_DEBUG_STATS,
"%s RESULT tag=%lu err=%d text=%s\n",
op->o_log_prefix, rs->sr_tag, rs->sr_err,
rs->sr_text ? rs->sr_text : "", 0 );
}
}
void
slap_send_ldap_intermediate( Operation *op, SlapReply *rs )
{
rs->sr_type = REP_INTERMEDIATE;
Debug( LDAP_DEBUG_TRACE,
"send_ldap_intermediate: err=%d oid=%s len=%ld\n",
rs->sr_err,
rs->sr_rspoid ? rs->sr_rspoid : "",
rs->sr_rspdata != NULL ? rs->sr_rspdata->bv_len : 0 );
rs->sr_tag = LDAP_RES_INTERMEDIATE;
rs->sr_msgid = op->o_msgid;
if ( send_ldap_response( op, rs ) == SLAP_CB_CONTINUE ) {
Statslog( LDAP_DEBUG_STATS2,
"%s INTERM oid=%s\n",
op->o_log_prefix,
rs->sr_rspoid ? rs->sr_rspoid : "", 0, 0, 0 );
}
}
static int
ldap_exop_chained_request(
Operation *op,
SlapReply *rs )
{
Statslog( LDAP_DEBUG_STATS, "%s CHAINED REQUEST\n",
op->o_log_prefix, 0, 0, 0, 0 );
rs->sr_err = backend_check_restrictions( op, rs,
(struct berval *)&slap_EXOP_CHAINEDREQUEST );
if ( rs->sr_err != LDAP_SUCCESS ) {
return rs->sr_err;
}
/* by now, just reject requests */
rs->sr_text = "under development";
return LDAP_UNWILLING_TO_PERFORM;
}
int
fe_op_bind_success( Operation *op, SlapReply *rs )
{
ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex );
if( op->o_conn->c_authz_backend == NULL ) {
op->o_conn->c_authz_backend = op->o_bd;
}
/* be_bind returns regular/global edn */
if( !BER_BVISEMPTY( &op->orb_edn ) ) {
op->o_conn->c_dn = op->orb_edn;
} else {
ber_dupbv(&op->o_conn->c_dn, &op->o_req_dn);
}
ber_dupbv( &op->o_conn->c_ndn, &op->o_req_ndn );
/* op->o_conn->c_sb may be 0 for internal operations */
if( !BER_BVISEMPTY( &op->o_conn->c_dn ) && op->o_conn->c_sb != 0 ) {
ber_len_t max = sockbuf_max_incoming_auth;
ber_sockbuf_ctrl( op->o_conn->c_sb,
LBER_SB_OPT_SET_MAX_INCOMING, &max );
}
/* log authorization identity */
Statslog( LDAP_DEBUG_STATS,
"%s BIND dn=\"%s\" mech=%s ssf=0\n",
op->o_log_prefix,
op->o_conn->c_dn.bv_val, op->orb_mech.bv_val );
Debug( LDAP_DEBUG_TRACE,
"do_bind: v%d bind: \"%s\" to \"%s\"\n",
op->o_protocol, op->o_req_dn.bv_val, op->o_conn->c_dn.bv_val );
ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex );
/* send this here to avoid a race condition */
send_ldap_result( op, rs );
return LDAP_SUCCESS;
}
void
send_ldap_sasl( Operation *op, SlapReply *rs )
{
Debug( LDAP_DEBUG_TRACE, "send_ldap_sasl: err=%d len=%ld\n",
rs->sr_err,
rs->sr_sasldata ? (long) rs->sr_sasldata->bv_len : -1 );
RS_ASSERT( !(rs->sr_flags & REP_ENTRY_MASK) );
rs->sr_flags &= ~REP_ENTRY_MASK; /* paranoia */
rs->sr_type = REP_SASL;
rs->sr_tag = slap_req2res( op->o_tag );
rs->sr_msgid = (rs->sr_tag != LBER_SEQUENCE) ? op->o_msgid : 0;
if ( send_ldap_response( op, rs ) == SLAP_CB_CONTINUE ) {
Statslog( LDAP_DEBUG_STATS,
"%s RESULT tag=%lu err=%d text=%s\n",
op->o_log_prefix, rs->sr_tag, rs->sr_err,
rs->sr_text ? rs->sr_text : "" );
}
}
void
slap_send_ldap_extended( Operation *op, SlapReply *rs )
{
rs->sr_type = REP_EXTENDED;
Debug( LDAP_DEBUG_TRACE,
"send_ldap_extended: err=%d oid=%s len=%ld\n",
rs->sr_err,
rs->sr_rspoid ? rs->sr_rspoid : "",
rs->sr_rspdata != NULL ? rs->sr_rspdata->bv_len : 0 );
rs->sr_tag = slap_req2res( op->o_tag );
rs->sr_msgid = (rs->sr_tag != LBER_SEQUENCE) ? op->o_msgid : 0;
if ( send_ldap_response( op, rs ) == SLAP_CB_CONTINUE ) {
Statslog( LDAP_DEBUG_STATS,
"%s RESULT oid=%s err=%d text=%s\n",
op->o_log_prefix, rs->sr_rspoid ? rs->sr_rspoid : "",
rs->sr_err, rs->sr_text ? rs->sr_text : "", 0 );
}
}
static int
whoami_extop (
Operation *op,
SlapReply *rs )
{
struct berval *bv;
if ( op->ore_reqdata != NULL ) {
/* no request data should be provided */
rs->sr_text = "no request data expected";
return LDAP_PROTOCOL_ERROR;
}
Statslog( LDAP_DEBUG_STATS, "%s WHOAMI\n",
op->o_log_prefix, 0, 0, 0, 0 );
op->o_bd = op->o_conn->c_authz_backend;
if( backend_check_restrictions( op, rs,
(struct berval *)&slap_EXOP_WHOAMI ) != LDAP_SUCCESS )
{
return rs->sr_err;
}
bv = (struct berval *) ch_malloc( sizeof(struct berval) );
if( op->o_dn.bv_len ) {
bv->bv_len = op->o_dn.bv_len + STRLENOF( "dn:" );
bv->bv_val = ch_malloc( bv->bv_len + 1 );
AC_MEMCPY( bv->bv_val, "dn:", STRLENOF( "dn:" ) );
AC_MEMCPY( &bv->bv_val[STRLENOF( "dn:" )], op->o_dn.bv_val,
op->o_dn.bv_len );
bv->bv_val[bv->bv_len] = '\0';
} else {
bv->bv_len = 0;
bv->bv_val = NULL;
}
rs->sr_rspdata = bv;
return LDAP_SUCCESS;
}
void
send_ldap_disconnect( Operation *op, SlapReply *rs )
{
#define LDAP_UNSOLICITED_ERROR(e) \
( (e) == LDAP_PROTOCOL_ERROR \
|| (e) == LDAP_STRONG_AUTH_REQUIRED \
|| (e) == LDAP_UNAVAILABLE )
Debug( LDAP_DEBUG_TRACE,
"send_ldap_disconnect %d:%s\n",
rs->sr_err, rs->sr_text ? rs->sr_text : "" );
assert( LDAP_UNSOLICITED_ERROR( rs->sr_err ) );
/* TODO: Flush the entry if sr_type == REP_SEARCH/REP_SEARCHREF? */
RS_ASSERT( !(rs->sr_flags & REP_ENTRY_MASK) );
rs->sr_flags &= ~REP_ENTRY_MASK; /* paranoia */
rs->sr_type = REP_EXTENDED;
rs->sr_rspdata = NULL;
if ( op->o_protocol < LDAP_VERSION3 ) {
rs->sr_rspoid = NULL;
rs->sr_tag = slap_req2res( op->o_tag );
rs->sr_msgid = (rs->sr_tag != LBER_SEQUENCE) ? op->o_msgid : 0;
} else {
rs->sr_rspoid = LDAP_NOTICE_DISCONNECT;
rs->sr_tag = LDAP_RES_EXTENDED;
rs->sr_msgid = LDAP_RES_UNSOLICITED;
}
if ( send_ldap_response( op, rs ) == SLAP_CB_CONTINUE ) {
Statslog( LDAP_DEBUG_STATS,
"%s DISCONNECT tag=%lu err=%d text=%s\n",
op->o_log_prefix, rs->sr_tag, rs->sr_err,
rs->sr_text ? rs->sr_text : "" );
}
}
int
do_modify(
Operation *op,
SlapReply *rs )
{
struct berval dn = BER_BVNULL;
char textbuf[ SLAP_TEXT_BUFLEN ];
size_t textlen = sizeof( textbuf );
#ifdef LDAP_DEBUG
Modifications *tmp;
#endif
Debug( LDAP_DEBUG_TRACE, "%s do_modify\n",
op->o_log_prefix, 0, 0 );
/*
* Parse the modify request. It looks like this:
*
* ModifyRequest := [APPLICATION 6] SEQUENCE {
* name DistinguishedName,
* mods SEQUENCE OF SEQUENCE {
* operation ENUMERATED {
* add (0),
* delete (1),
* replace (2)
* },
* modification SEQUENCE {
* type AttributeType,
* values SET OF AttributeValue
* }
* }
* }
*/
if ( ber_scanf( op->o_ber, "{m" /*}*/, &dn ) == LBER_ERROR ) {
Debug( LDAP_DEBUG_ANY, "%s do_modify: ber_scanf failed\n",
op->o_log_prefix, 0, 0 );
send_ldap_discon( op, rs, LDAP_PROTOCOL_ERROR, "decoding error" );
return SLAPD_DISCONNECT;
}
Debug( LDAP_DEBUG_ARGS, "%s do_modify: dn (%s)\n",
op->o_log_prefix, dn.bv_val, 0 );
rs->sr_err = slap_parse_modlist( op, rs, op->o_ber, &op->oq_modify );
if ( rs->sr_err != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_ANY, "%s do_modify: slap_parse_modlist failed err=%d msg=%s\n",
op->o_log_prefix, rs->sr_err, rs->sr_text );
send_ldap_result( op, rs );
goto cleanup;
}
if( get_ctrls( op, rs, 1 ) != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_ANY, "%s do_modify: get_ctrls failed\n",
op->o_log_prefix, 0, 0 );
/* get_ctrls has sent results. Now clean up. */
goto cleanup;
}
rs->sr_err = dnPrettyNormal( NULL, &dn, &op->o_req_dn, &op->o_req_ndn,
op->o_tmpmemctx );
if( rs->sr_err != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_ANY, "%s do_modify: invalid dn (%s)\n",
op->o_log_prefix, dn.bv_val, 0 );
send_ldap_error( op, rs, LDAP_INVALID_DN_SYNTAX, "invalid DN" );
goto cleanup;
}
op->orm_no_opattrs = 0;
#ifdef LDAP_DEBUG
Debug( LDAP_DEBUG_ARGS, "%s modifications:\n",
op->o_log_prefix, 0, 0 );
for ( tmp = op->orm_modlist; tmp != NULL; tmp = tmp->sml_next ) {
Debug( LDAP_DEBUG_ARGS, "\t%s: %s\n",
tmp->sml_op == LDAP_MOD_ADD ? "add" :
(tmp->sml_op == LDAP_MOD_INCREMENT ? "increment" :
(tmp->sml_op == LDAP_MOD_DELETE ? "delete" :
"replace")), tmp->sml_type.bv_val, 0 );
if ( tmp->sml_values == NULL ) {
Debug( LDAP_DEBUG_ARGS, "%s\n",
"\t\tno values", NULL, NULL );
} else if ( BER_BVISNULL( &tmp->sml_values[ 0 ] ) ) {
Debug( LDAP_DEBUG_ARGS, "%s\n",
"\t\tzero values", NULL, NULL );
} else if ( BER_BVISNULL( &tmp->sml_values[ 1 ] ) ) {
Debug( LDAP_DEBUG_ARGS, "%s, length %ld\n",
"\t\tone value", (long) tmp->sml_values[0].bv_len, NULL );
} else {
Debug( LDAP_DEBUG_ARGS, "%s\n",
"\t\tmultiple values", NULL, NULL );
}
}
if ( StatslogTest( LDAP_DEBUG_STATS ) ) {
char abuf[BUFSIZ/2], *ptr = abuf;
int len = 0;
Statslog( LDAP_DEBUG_STATS, "%s MOD dn=\"%s\"\n",
op->o_log_prefix, op->o_req_dn.bv_val, 0, 0, 0 );
for ( tmp = op->orm_modlist; tmp != NULL; tmp = tmp->sml_next ) {
if (len + 1 + tmp->sml_type.bv_len > sizeof(abuf)) {
Statslog( LDAP_DEBUG_STATS, "%s MOD attr=%s\n",
op->o_log_prefix, abuf, 0, 0, 0 );
len = 0;
ptr = abuf;
if( 1 + tmp->sml_type.bv_len > sizeof(abuf)) {
Statslog( LDAP_DEBUG_STATS, "%s MOD attr=%s\n",
op->o_log_prefix, tmp->sml_type.bv_val, 0, 0, 0 );
continue;
}
}
if (len) {
*ptr++ = ' ';
len++;
}
ptr = lutil_strcopy(ptr, tmp->sml_type.bv_val);
len += tmp->sml_type.bv_len;
}
if (len) {
Statslog( LDAP_DEBUG_STATS, "%s MOD attr=%s\n",
op->o_log_prefix, abuf, 0, 0, 0 );
}
}
#endif /* LDAP_DEBUG */
rs->sr_err = slap_mods_check( op, op->orm_modlist,
&rs->sr_text, textbuf, textlen, NULL );
if ( rs->sr_err != LDAP_SUCCESS ) {
send_ldap_result( op, rs );
goto cleanup;
}
op->o_bd = frontendDB;
rs->sr_err = frontendDB->be_modify( op, rs );
#ifdef LDAP_X_TXN
if( rs->sr_err == LDAP_X_TXN_SPECIFY_OKAY ) {
/* skip cleanup */
return rs->sr_err;
}
#endif
cleanup:
op->o_tmpfree( op->o_req_dn.bv_val, op->o_tmpmemctx );
op->o_tmpfree( op->o_req_ndn.bv_val, op->o_tmpmemctx );
if ( op->orm_modlist != NULL ) slap_mods_free( op->orm_modlist, 1 );
return rs->sr_err;
}
int
do_bind(
Operation *op,
SlapReply *rs )
{
BerElement *ber = op->o_ber;
ber_int_t version;
ber_tag_t method;
struct berval mech = BER_BVNULL;
struct berval dn = BER_BVNULL;
ber_tag_t tag;
Backend *be = NULL;
Debug( LDAP_DEBUG_TRACE, "%s do_bind\n",
op->o_log_prefix );
/*
* Force the connection to "anonymous" until bind succeeds.
*/
ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex );
if ( op->o_conn->c_sasl_bind_in_progress ) {
be = op->o_conn->c_authz_backend;
}
if ( !BER_BVISEMPTY( &op->o_conn->c_dn ) ) {
/* log authorization identity demotion */
Statslog( LDAP_DEBUG_STATS,
"%s BIND anonymous mech=implicit ssf=0\n",
op->o_log_prefix );
}
connection2anonymous( op->o_conn );
if ( op->o_conn->c_sasl_bind_in_progress ) {
op->o_conn->c_authz_backend = be;
}
ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex );
if ( !BER_BVISNULL( &op->o_dn ) ) {
/* NOTE: temporarily wasting few bytes
* (until bind is completed), but saving
* a couple of ch_free() and ch_strdup("") */
op->o_dn.bv_val[0] = '\0';
op->o_dn.bv_len = 0;
}
if ( !BER_BVISNULL( &op->o_ndn ) ) {
op->o_ndn.bv_val[0] = '\0';
op->o_ndn.bv_len = 0;
}
/*
* Parse the bind request. It looks like this:
*
* BindRequest ::= SEQUENCE {
* version INTEGER, -- version
* name DistinguishedName, -- dn
* authentication CHOICE {
* simple [0] OCTET STRING -- passwd
* krbv42ldap [1] OCTET STRING -- OBSOLETE
* krbv42dsa [2] OCTET STRING -- OBSOLETE
* SASL [3] SaslCredentials
* }
* }
*
* SaslCredentials ::= SEQUENCE {
* mechanism LDAPString,
* credentials OCTET STRING OPTIONAL
* }
*/
tag = ber_scanf( ber, "{imt" /*}*/, &version, &dn, &method );
if ( tag == LBER_ERROR ) {
Debug( LDAP_DEBUG_ANY, "%s do_bind: ber_scanf failed\n",
op->o_log_prefix );
send_ldap_discon( op, rs, LDAP_PROTOCOL_ERROR, "decoding error" );
rs->sr_err = SLAPD_DISCONNECT;
goto cleanup;
}
op->o_protocol = version;
op->orb_method = method;
if( op->orb_method != LDAP_AUTH_SASL ) {
tag = ber_scanf( ber, /*{*/ "m}", &op->orb_cred );
} else {
tag = ber_scanf( ber, "{m" /*}*/, &mech );
if ( tag != LBER_ERROR ) {
ber_len_t len;
tag = ber_peek_tag( ber, &len );
if ( tag == LDAP_TAG_LDAPCRED ) {
tag = ber_scanf( ber, "m", &op->orb_cred );
} else {
tag = LDAP_TAG_LDAPCRED;
BER_BVZERO( &op->orb_cred );
}
if ( tag != LBER_ERROR ) {
tag = ber_scanf( ber, /*{{*/ "}}" );
}
}
}
if ( tag == LBER_ERROR ) {
Debug( LDAP_DEBUG_ANY, "%s do_bind: ber_scanf failed\n",
op->o_log_prefix );
send_ldap_discon( op, rs, LDAP_PROTOCOL_ERROR, "decoding error" );
rs->sr_err = SLAPD_DISCONNECT;
goto cleanup;
}
if( get_ctrls( op, rs, 1 ) != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_ANY, "%s do_bind: get_ctrls failed\n",
op->o_log_prefix );
goto cleanup;
}
/* We use the tmpmemctx here because it speeds up normalization.
* However, we must dup with regular malloc when storing any
* resulting DNs in the op or conn structures.
*/
rs->sr_err = dnPrettyNormal( NULL, &dn, &op->o_req_dn, &op->o_req_ndn,
op->o_tmpmemctx );
if ( rs->sr_err != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_ANY, "%s do_bind: invalid dn (%s)\n",
op->o_log_prefix, dn.bv_val );
send_ldap_error( op, rs, LDAP_INVALID_DN_SYNTAX, "invalid DN" );
goto cleanup;
}
Statslog( LDAP_DEBUG_STATS, "%s BIND dn=\"%s\" method=%ld\n",
op->o_log_prefix, op->o_req_dn.bv_val,
(unsigned long) op->orb_method );
if( op->orb_method == LDAP_AUTH_SASL ) {
Debug( LDAP_DEBUG_TRACE, "do_bind: dn (%s) SASL mech %s\n",
op->o_req_dn.bv_val, mech.bv_val );
} else {
Debug( LDAP_DEBUG_TRACE,
"do_bind: version=%ld dn=\"%s\" method=%ld\n",
(unsigned long) version, op->o_req_dn.bv_val,
(unsigned long) op->orb_method );
}
if ( version < LDAP_VERSION_MIN || version > LDAP_VERSION_MAX ) {
Debug( LDAP_DEBUG_ANY, "%s do_bind: unknown version=%ld\n",
op->o_log_prefix, (unsigned long) version );
send_ldap_error( op, rs, LDAP_PROTOCOL_ERROR,
"requested protocol version not supported" );
goto cleanup;
} else if (!( global_allows & SLAP_ALLOW_BIND_V2 ) &&
version < LDAP_VERSION3 )
{
send_ldap_error( op, rs, LDAP_PROTOCOL_ERROR,
"historical protocol version requested, use LDAPv3 instead" );
goto cleanup;
}
/*
* we set connection version regardless of whether bind succeeds or not.
*/
ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex );
op->o_conn->c_protocol = version;
ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex );
op->orb_mech = mech;
op->o_bd = frontendDB;
rs->sr_err = frontendDB->be_bind( op, rs );
cleanup:
if ( rs->sr_err == LDAP_SUCCESS ) {
if ( op->orb_method != LDAP_AUTH_SASL ) {
ber_dupbv( &op->o_conn->c_authmech, &mech );
}
op->o_conn->c_authtype = op->orb_method;
}
if( !BER_BVISNULL( &op->o_req_dn ) ) {
slap_sl_free( op->o_req_dn.bv_val, op->o_tmpmemctx );
BER_BVZERO( &op->o_req_dn );
}
if( !BER_BVISNULL( &op->o_req_ndn ) ) {
slap_sl_free( op->o_req_ndn.bv_val, op->o_tmpmemctx );
BER_BVZERO( &op->o_req_ndn );
}
return rs->sr_err;
}
static int
slap_sasl_authorize(
sasl_conn_t *sconn,
void *context,
char *requested_user,
unsigned rlen,
char *auth_identity,
unsigned alen,
const char *def_realm,
unsigned urlen,
struct propctx *props)
{
Connection *conn = (Connection *)context;
/* actually:
* (SLAP_SASL_PROP_COUNT - 1) because we skip "conn",
* + 1 for NULL termination?
*/
struct propval auxvals[ SLAP_SASL_PROP_COUNT ] = { { 0 } };
struct berval authcDN, authzDN = BER_BVNULL;
int rc;
/* Simple Binds don't support proxy authorization, ignore it */
if ( !conn->c_sasl_bindop ||
conn->c_sasl_bindop->orb_method != LDAP_AUTH_SASL ) return SASL_OK;
Debug( LDAP_DEBUG_ARGS, "SASL proxy authorize [conn=%ld]: "
"authcid=\"%s\" authzid=\"%s\"\n",
conn ? (long) conn->c_connid : -1L, auth_identity, requested_user );
if ( conn->c_sasl_dn.bv_val ) {
BER_BVZERO( &conn->c_sasl_dn );
}
/* Skip SLAP_SASL_PROP_CONN */
prop_getnames( props, slap_propnames+1, auxvals );
/* Should not happen */
if ( !auxvals[0].values ) {
sasl_seterror( sconn, 0, "invalid authcid" );
return SASL_NOAUTHZ;
}
AC_MEMCPY( &authcDN.bv_len, auxvals[0].values[0], sizeof(authcDN.bv_len) );
authcDN.bv_val = auxvals[1].values ? (char *)auxvals[1].values[0] : NULL;
conn->c_sasl_dn = authcDN;
/* Nothing to do if no authzID was given */
if ( !auxvals[2].name || !auxvals[2].values ) {
goto ok;
}
AC_MEMCPY( &authzDN.bv_len, auxvals[2].values[0], sizeof(authzDN.bv_len) );
authzDN.bv_val = auxvals[3].values ? (char *)auxvals[3].values[0] : NULL;
rc = slap_sasl_authorized( conn->c_sasl_bindop, &authcDN, &authzDN );
if ( rc != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_TRACE, "SASL Proxy Authorize [conn=%ld]: "
"proxy authorization disallowed (%d)\n",
conn ? (long) conn->c_connid : -1L, rc, 0 );
sasl_seterror( sconn, 0, "not authorized" );
return SASL_NOAUTHZ;
}
/* FIXME: we need yet another dup because slap_sasl_getdn()
* is using the bind operation slab */
ber_dupbv( &conn->c_sasl_authz_dn, &authzDN );
ok:
if (conn->c_sasl_bindop) {
Statslog( LDAP_DEBUG_STATS,
"%s BIND authcid=\"%s\" authzid=\"%s\"\n",
conn->c_sasl_bindop->o_log_prefix,
auth_identity, requested_user, 0, 0 );
}
Debug( LDAP_DEBUG_TRACE, "SASL Authorize [conn=%ld]: "
" proxy authorization allowed authzDN=\"%s\"\n",
conn ? (long) conn->c_connid : -1L,
authzDN.bv_val ? authzDN.bv_val : "", 0 );
return SASL_OK;
}
int
dnssrv_back_search(
Operation *op,
SlapReply *rs )
{
int i;
int rc;
char *domain = NULL;
char *hostlist = NULL;
char **hosts = NULL;
char *refdn;
struct berval nrefdn = BER_BVNULL;
BerVarray urls = NULL;
int manageDSAit;
rs->sr_ref = NULL;
if ( BER_BVISEMPTY( &op->o_req_ndn ) ) {
/* FIXME: need some means to determine whether the database
* is a glue instance; if we got here with empty DN, then
* we passed this same test in dnssrv_back_referrals() */
if ( !SLAP_GLUE_INSTANCE( op->o_bd ) ) {
rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
rs->sr_text = "DNS SRV operation upon null (empty) DN disallowed";
} else {
rs->sr_err = LDAP_SUCCESS;
}
goto done;
}
manageDSAit = get_manageDSAit( op );
/*
* FIXME: we may return a referral if manageDSAit is not set
*/
if ( !manageDSAit ) {
send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
"manageDSAit must be set" );
goto done;
}
if( ldap_dn2domain( op->o_req_dn.bv_val, &domain ) || domain == NULL ) {
rs->sr_err = LDAP_REFERRAL;
rs->sr_ref = default_referral;
send_ldap_result( op, rs );
rs->sr_ref = NULL;
goto done;
}
Debug( LDAP_DEBUG_TRACE, "DNSSRV: dn=\"%s\" -> domain=\"%s\"\n",
op->o_req_dn.bv_len ? op->o_req_dn.bv_val : "", domain, 0 );
if( ( rc = ldap_domain2hostlist( domain, &hostlist ) ) ) {
Debug( LDAP_DEBUG_TRACE, "DNSSRV: domain2hostlist returned %d\n",
rc, 0, 0 );
send_ldap_error( op, rs, LDAP_NO_SUCH_OBJECT,
"no DNS SRV RR available for DN" );
goto done;
}
hosts = ldap_str2charray( hostlist, " " );
if( hosts == NULL ) {
Debug( LDAP_DEBUG_TRACE, "DNSSRV: str2charrary error\n", 0, 0, 0 );
send_ldap_error( op, rs, LDAP_OTHER,
"problem processing DNS SRV records for DN" );
goto done;
}
for( i=0; hosts[i] != NULL; i++) {
struct berval url;
url.bv_len = STRLENOF( "ldap://" ) + strlen(hosts[i]);
url.bv_val = ch_malloc( url.bv_len + 1 );
strcpy( url.bv_val, "ldap://" );
strcpy( &url.bv_val[STRLENOF( "ldap://" )], hosts[i] );
if( ber_bvarray_add( &urls, &url ) < 0 ) {
free( url.bv_val );
send_ldap_error( op, rs, LDAP_OTHER,
"problem processing DNS SRV records for DN" );
goto done;
}
}
Statslog( LDAP_DEBUG_STATS,
"%s DNSSRV p=%d dn=\"%s\" url=\"%s\"\n",
op->o_log_prefix, op->o_protocol,
op->o_req_dn.bv_len ? op->o_req_dn.bv_val : "", urls[0].bv_val, 0 );
Debug( LDAP_DEBUG_TRACE,
"DNSSRV: ManageDSAit scope=%d dn=\"%s\" -> url=\"%s\"\n",
op->oq_search.rs_scope,
op->o_req_dn.bv_len ? op->o_req_dn.bv_val : "",
urls[0].bv_val );
rc = ldap_domain2dn(domain, &refdn);
if( rc != LDAP_SUCCESS ) {
send_ldap_error( op, rs, LDAP_OTHER,
"DNS SRV problem processing manageDSAit control" );
goto done;
} else {
struct berval bv;
bv.bv_val = refdn;
bv.bv_len = strlen( refdn );
rc = dnNormalize( 0, NULL, NULL, &bv, &nrefdn, op->o_tmpmemctx );
if( rc != LDAP_SUCCESS ) {
send_ldap_error( op, rs, LDAP_OTHER,
"DNS SRV problem processing manageDSAit control" );
goto done;
}
}
if( !dn_match( &nrefdn, &op->o_req_ndn ) ) {
/* requested dn is subordinate */
Debug( LDAP_DEBUG_TRACE,
"DNSSRV: dn=\"%s\" subordinate to refdn=\"%s\"\n",
op->o_req_dn.bv_len ? op->o_req_dn.bv_val : "",
refdn == NULL ? "" : refdn,
NULL );
rs->sr_matched = refdn;
rs->sr_err = LDAP_NO_SUCH_OBJECT;
send_ldap_result( op, rs );
rs->sr_matched = NULL;
} else if ( op->oq_search.rs_scope == LDAP_SCOPE_ONELEVEL ) {
send_ldap_error( op, rs, LDAP_SUCCESS, NULL );
} else {
Entry e = { 0 };
AttributeDescription *ad_objectClass
= slap_schema.si_ad_objectClass;
AttributeDescription *ad_ref = slap_schema.si_ad_ref;
e.e_name.bv_val = ch_strdup( op->o_req_dn.bv_val );
e.e_name.bv_len = op->o_req_dn.bv_len;
e.e_nname.bv_val = ch_strdup( op->o_req_ndn.bv_val );
e.e_nname.bv_len = op->o_req_ndn.bv_len;
e.e_attrs = NULL;
e.e_private = NULL;
attr_merge_one( &e, ad_objectClass, &slap_schema.si_oc_referral->soc_cname, NULL );
attr_merge_one( &e, ad_objectClass, &slap_schema.si_oc_extensibleObject->soc_cname, NULL );
if ( ad_dc ) {
char *p;
struct berval bv;
bv.bv_val = domain;
p = strchr( bv.bv_val, '.' );
if ( p == bv.bv_val ) {
bv.bv_len = 1;
} else if ( p != NULL ) {
bv.bv_len = p - bv.bv_val;
} else {
bv.bv_len = strlen( bv.bv_val );
}
attr_merge_normalize_one( &e, ad_dc, &bv, NULL );
}
if ( ad_associatedDomain ) {
struct berval bv;
ber_str2bv( domain, 0, 0, &bv );
attr_merge_normalize_one( &e, ad_associatedDomain, &bv, NULL );
}
attr_merge_normalize_one( &e, ad_ref, urls, NULL );
rc = test_filter( op, &e, op->oq_search.rs_filter );
if( rc == LDAP_COMPARE_TRUE ) {
rs->sr_entry = &e;
rs->sr_attrs = op->oq_search.rs_attrs;
rs->sr_flags = REP_ENTRY_MODIFIABLE;
send_search_entry( op, rs );
rs->sr_entry = NULL;
rs->sr_attrs = NULL;
rs->sr_flags = 0;
}
entry_clean( &e );
rs->sr_err = LDAP_SUCCESS;
send_ldap_result( op, rs );
}
if ( refdn ) free( refdn );
if ( nrefdn.bv_val ) free( nrefdn.bv_val );
done:
if( domain != NULL ) ch_free( domain );
if( hostlist != NULL ) ch_free( hostlist );
if( hosts != NULL ) ldap_charray_free( hosts );
if( urls != NULL ) ber_bvarray_free( urls );
return 0;
}
int
do_delete(
Operation *op,
SlapReply *rs )
{
struct berval dn = BER_BVNULL;
Debug( LDAP_DEBUG_TRACE, "%s do_delete\n",
op->o_log_prefix, 0, 0 );
/*
* Parse the delete request. It looks like this:
*
* DelRequest := DistinguishedName
*/
if ( ber_scanf( op->o_ber, "m", &dn ) == LBER_ERROR ) {
Debug( LDAP_DEBUG_ANY, "%s do_delete: ber_scanf failed\n",
op->o_log_prefix, 0, 0 );
send_ldap_discon( op, rs, LDAP_PROTOCOL_ERROR, "decoding error" );
return SLAPD_DISCONNECT;
}
if( get_ctrls( op, rs, 1 ) != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_ANY, "%s do_delete: get_ctrls failed\n",
op->o_log_prefix, 0, 0 );
goto cleanup;
}
rs->sr_err = dnPrettyNormal( NULL, &dn, &op->o_req_dn, &op->o_req_ndn,
op->o_tmpmemctx );
if( rs->sr_err != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_ANY, "%s do_delete: invalid dn (%s)\n",
op->o_log_prefix, dn.bv_val, 0 );
send_ldap_error( op, rs, LDAP_INVALID_DN_SYNTAX, "invalid DN" );
goto cleanup;
}
Statslog( LDAP_DEBUG_STATS, "%s DEL dn=\"%s\"\n",
op->o_log_prefix, op->o_req_dn.bv_val, 0, 0, 0 );
if( op->o_req_ndn.bv_len == 0 ) {
Debug( LDAP_DEBUG_ANY, "%s do_delete: root dse!\n",
op->o_log_prefix, 0, 0 );
/* protocolError would likely be a more appropriate error */
send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
"cannot delete the root DSE" );
goto cleanup;
} else if ( bvmatch( &op->o_req_ndn, &frontendDB->be_schemandn ) ) {
Debug( LDAP_DEBUG_ANY, "%s do_delete: subschema subentry!\n",
op->o_log_prefix, 0, 0 );
/* protocolError would likely be a more appropriate error */
send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
"cannot delete the root DSE" );
goto cleanup;
}
op->o_bd = frontendDB;
rs->sr_err = frontendDB->be_delete( op, rs );
#ifdef LDAP_X_TXN
if( rs->sr_err == LDAP_X_TXN_SPECIFY_OKAY ) {
/* skip cleanup */
return rs->sr_err;
}
#endif
cleanup:;
op->o_tmpfree( op->o_req_dn.bv_val, op->o_tmpmemctx );
op->o_tmpfree( op->o_req_ndn.bv_val, op->o_tmpmemctx );
return rs->sr_err;
}
int
do_extended(
Operation *op,
SlapReply *rs
)
{
struct berval reqdata = {0, NULL};
ber_len_t len;
Debug( LDAP_DEBUG_TRACE, "%s do_extended\n",
op->o_log_prefix, 0, 0 );
if( op->o_protocol < LDAP_VERSION3 ) {
Debug( LDAP_DEBUG_ANY, "%s do_extended: protocol version (%d) too low\n",
op->o_log_prefix, op->o_protocol, 0 );
send_ldap_discon( op, rs, LDAP_PROTOCOL_ERROR, "requires LDAPv3" );
rs->sr_err = SLAPD_DISCONNECT;
goto done;
}
if ( ber_scanf( op->o_ber, "{m" /*}*/, &op->ore_reqoid ) == LBER_ERROR ) {
Debug( LDAP_DEBUG_ANY, "%s do_extended: ber_scanf failed\n",
op->o_log_prefix, 0, 0 );
send_ldap_discon( op, rs, LDAP_PROTOCOL_ERROR, "decoding error" );
rs->sr_err = SLAPD_DISCONNECT;
goto done;
}
if( ber_peek_tag( op->o_ber, &len ) == LDAP_TAG_EXOP_REQ_VALUE ) {
if( ber_scanf( op->o_ber, "m", &reqdata ) == LBER_ERROR ) {
Debug( LDAP_DEBUG_ANY, "%s do_extended: ber_scanf failed\n",
op->o_log_prefix, 0, 0 );
send_ldap_discon( op, rs, LDAP_PROTOCOL_ERROR, "decoding error" );
rs->sr_err = SLAPD_DISCONNECT;
goto done;
}
}
if( get_ctrls( op, rs, 1 ) != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_ANY, "%s do_extended: get_ctrls failed\n",
op->o_log_prefix, 0, 0 );
return rs->sr_err;
}
Statslog( LDAP_DEBUG_STATS, "%s EXT oid=%s\n",
op->o_log_prefix, op->ore_reqoid.bv_val, 0, 0, 0 );
/* check for controls inappropriate for all extended operations */
if( get_manageDSAit( op ) == SLAP_CONTROL_CRITICAL ) {
send_ldap_error( op, rs,
LDAP_UNAVAILABLE_CRITICAL_EXTENSION,
"manageDSAit control inappropriate" );
goto done;
}
/* FIXME: temporary? */
if ( reqdata.bv_val ) {
op->ore_reqdata = &reqdata;
}
op->o_bd = frontendDB;
rs->sr_err = frontendDB->be_extended( op, rs );
/* clean up in case some overlay set them? */
if ( !BER_BVISNULL( &op->o_req_ndn ) ) {
if ( !BER_BVISNULL( &op->o_req_dn )
&& op->o_req_ndn.bv_val != op->o_req_dn.bv_val )
{
op->o_tmpfree( op->o_req_dn.bv_val, op->o_tmpmemctx );
}
op->o_tmpfree( op->o_req_ndn.bv_val, op->o_tmpmemctx );
BER_BVZERO( &op->o_req_dn );
BER_BVZERO( &op->o_req_ndn );
}
done:
return rs->sr_err;
}
int passwd_extop(
Operation *op,
SlapReply *rs )
{
struct berval id = {0, NULL}, hash, *rsp = NULL;
req_pwdexop_s *qpw = &op->oq_pwdexop;
req_extended_s qext = op->oq_extended;
Modifications *ml;
slap_callback cb = { NULL, slap_null_cb, NULL, NULL };
int i, nhash;
char **hashes, idNul;
int rc;
BackendDB *op_be;
int freenewpw = 0;
struct berval dn = BER_BVNULL, ndn = BER_BVNULL;
assert( ber_bvcmp( &slap_EXOP_MODIFY_PASSWD, &op->ore_reqoid ) == 0 );
if( op->o_dn.bv_len == 0 ) {
Statslog( LDAP_DEBUG_STATS, "%s PASSMOD\n",
op->o_log_prefix, 0, 0, 0, 0 );
rs->sr_text = "only authenticated users may change passwords";
return LDAP_STRONG_AUTH_REQUIRED;
}
qpw->rs_old.bv_len = 0;
qpw->rs_old.bv_val = NULL;
qpw->rs_new.bv_len = 0;
qpw->rs_new.bv_val = NULL;
qpw->rs_mods = NULL;
qpw->rs_modtail = NULL;
rs->sr_err = slap_passwd_parse( op->ore_reqdata, &id,
&qpw->rs_old, &qpw->rs_new, &rs->sr_text );
if ( !BER_BVISNULL( &id )) {
idNul = id.bv_val[id.bv_len];
id.bv_val[id.bv_len] = '\0';
}
if ( rs->sr_err == LDAP_SUCCESS && !BER_BVISEMPTY( &id ) ) {
Statslog( LDAP_DEBUG_STATS, "%s PASSMOD id=\"%s\"%s%s\n",
op->o_log_prefix, id.bv_val,
qpw->rs_old.bv_val ? " old" : "",
qpw->rs_new.bv_val ? " new" : "", 0 );
} else {
Statslog( LDAP_DEBUG_STATS, "%s PASSMOD%s%s\n",
op->o_log_prefix,
qpw->rs_old.bv_val ? " old" : "",
qpw->rs_new.bv_val ? " new" : "", 0, 0 );
}
if ( rs->sr_err != LDAP_SUCCESS ) {
if ( !BER_BVISNULL( &id ))
id.bv_val[id.bv_len] = idNul;
return rs->sr_err;
}
if ( !BER_BVISEMPTY( &id ) ) {
rs->sr_err = dnPrettyNormal( NULL, &id, &dn, &ndn, op->o_tmpmemctx );
id.bv_val[id.bv_len] = idNul;
if ( rs->sr_err != LDAP_SUCCESS ) {
rs->sr_text = "Invalid DN";
rc = rs->sr_err;
goto error_return;
}
op->o_req_dn = dn;
op->o_req_ndn = ndn;
op->o_bd = select_backend( &op->o_req_ndn, 1 );
} else {
ber_dupbv_x( &dn, &op->o_dn, op->o_tmpmemctx );
ber_dupbv_x( &ndn, &op->o_ndn, op->o_tmpmemctx );
op->o_req_dn = dn;
op->o_req_ndn = ndn;
ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex );
op->o_bd = op->o_conn->c_authz_backend;
ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex );
}
if( op->o_bd == NULL ) {
if ( qpw->rs_old.bv_val != NULL ) {
rs->sr_text = "unwilling to verify old password";
rc = LDAP_UNWILLING_TO_PERFORM;
goto error_return;
}
#ifdef HAVE_CYRUS_SASL
rc = slap_sasl_setpass( op, rs );
#else
rs->sr_text = "no authz backend";
rc = LDAP_OTHER;
#endif
goto error_return;
}
if ( op->o_req_ndn.bv_len == 0 ) {
rs->sr_text = "no password is associated with the Root DSE";
rc = LDAP_UNWILLING_TO_PERFORM;
goto error_return;
}
/* If we've got a glued backend, check the real backend */
op_be = op->o_bd;
if ( SLAP_GLUE_INSTANCE( op->o_bd )) {
op->o_bd = select_backend( &op->o_req_ndn, 0 );
}
if (backend_check_restrictions( op, rs,
(struct berval *)&slap_EXOP_MODIFY_PASSWD ) != LDAP_SUCCESS) {
rc = rs->sr_err;
goto error_return;
}
/* check for referrals */
if ( backend_check_referrals( op, rs ) != LDAP_SUCCESS ) {
rc = rs->sr_err;
goto error_return;
}
/* This does not apply to multi-master case */
if(!( !SLAP_SINGLE_SHADOW( op->o_bd ) || be_isupdate( op ))) {
/* we SHOULD return a referral in this case */
BerVarray defref = op->o_bd->be_update_refs
? op->o_bd->be_update_refs : default_referral;
if( defref != NULL ) {
rs->sr_ref = referral_rewrite( op->o_bd->be_update_refs,
NULL, NULL, LDAP_SCOPE_DEFAULT );
if(rs->sr_ref) {
rs->sr_flags |= REP_REF_MUSTBEFREED;
} else {
rs->sr_ref = defref;
}
rc = LDAP_REFERRAL;
goto error_return;
}
rs->sr_text = "shadow context; no update referral";
rc = LDAP_UNWILLING_TO_PERFORM;
goto error_return;
}
/* generate a new password if none was provided */
if ( qpw->rs_new.bv_len == 0 ) {
slap_passwd_generate( &qpw->rs_new );
if ( qpw->rs_new.bv_len ) {
rsp = slap_passwd_return( &qpw->rs_new );
freenewpw = 1;
}
}
if ( qpw->rs_new.bv_len == 0 ) {
rs->sr_text = "password generation failed";
rc = LDAP_OTHER;
goto error_return;
}
op->o_bd = op_be;
/* Give the backend a chance to handle this itself */
if ( op->o_bd->be_extended ) {
rs->sr_err = op->o_bd->be_extended( op, rs );
if ( rs->sr_err != LDAP_UNWILLING_TO_PERFORM &&
rs->sr_err != SLAP_CB_CONTINUE )
{
rc = rs->sr_err;
if ( rsp ) {
rs->sr_rspdata = rsp;
rsp = NULL;
}
goto error_return;
}
}
/* The backend didn't handle it, so try it here */
if( op->o_bd && !op->o_bd->be_modify ) {
rs->sr_text = "operation not supported for current user";
rc = LDAP_UNWILLING_TO_PERFORM;
goto error_return;
}
if ( qpw->rs_old.bv_val != NULL ) {
Entry *e = NULL;
rc = be_entry_get_rw( op, &op->o_req_ndn, NULL,
slap_schema.si_ad_userPassword, 0, &e );
if ( rc == LDAP_SUCCESS && e ) {
Attribute *a = attr_find( e->e_attrs,
slap_schema.si_ad_userPassword );
if ( a )
rc = slap_passwd_check( op, e, a, &qpw->rs_old, &rs->sr_text );
else
rc = 1;
be_entry_release_r( op, e );
if ( rc == LDAP_SUCCESS )
goto old_good;
}
rs->sr_text = "unwilling to verify old password";
rc = LDAP_UNWILLING_TO_PERFORM;
goto error_return;
}
old_good:
ml = ch_malloc( sizeof(Modifications) );
if ( !qpw->rs_modtail ) qpw->rs_modtail = &ml->sml_next;
if ( default_passwd_hash ) {
for ( nhash = 0; default_passwd_hash[nhash]; nhash++ );
hashes = default_passwd_hash;
} else {
nhash = 1;
hashes = (char **)defhash;
}
ml->sml_numvals = nhash;
ml->sml_values = ch_malloc( (nhash+1)*sizeof(struct berval) );
for ( i=0; hashes[i]; i++ ) {
slap_passwd_hash_type( &qpw->rs_new, &hash, hashes[i], &rs->sr_text );
if ( hash.bv_len == 0 ) {
if ( !rs->sr_text ) {
rs->sr_text = "password hash failed";
}
break;
}
ml->sml_values[i] = hash;
}
ml->sml_values[i].bv_val = NULL;
ml->sml_nvalues = NULL;
ml->sml_desc = slap_schema.si_ad_userPassword;
ml->sml_type = ml->sml_desc->ad_cname;
ml->sml_op = LDAP_MOD_REPLACE;
ml->sml_flags = 0;
ml->sml_next = qpw->rs_mods;
qpw->rs_mods = ml;
if ( hashes[i] ) {
rs->sr_err = LDAP_OTHER;
} else {
slap_callback *sc = op->o_callback;
op->o_tag = LDAP_REQ_MODIFY;
op->o_callback = &cb;
op->orm_modlist = qpw->rs_mods;
op->orm_no_opattrs = 0;
cb.sc_private = qpw; /* let Modify know this was pwdMod,
* if it cares... */
rs->sr_err = op->o_bd->be_modify( op, rs );
/* be_modify() might have shuffled modifications */
qpw->rs_mods = op->orm_modlist;
if ( rs->sr_err == LDAP_SUCCESS ) {
rs->sr_rspdata = rsp;
} else if ( rsp ) {
ber_bvfree( rsp );
rsp = NULL;
}
op->o_tag = LDAP_REQ_EXTENDED;
op->o_callback = sc;
}
rc = rs->sr_err;
op->oq_extended = qext;
error_return:;
if ( qpw->rs_mods ) {
slap_mods_free( qpw->rs_mods, 1 );
}
if ( freenewpw ) {
free( qpw->rs_new.bv_val );
}
if ( !BER_BVISNULL( &dn ) ) {
op->o_tmpfree( dn.bv_val, op->o_tmpmemctx );
BER_BVZERO( &op->o_req_dn );
}
if ( !BER_BVISNULL( &ndn ) ) {
op->o_tmpfree( ndn.bv_val, op->o_tmpmemctx );
BER_BVZERO( &op->o_req_ndn );
}
return rc;
}
int
slap_send_search_entry( Operation *op, SlapReply *rs )
{
BerElementBuffer berbuf;
BerElement *ber = (BerElement *) &berbuf;
Attribute *a;
int i, j, rc = LDAP_UNAVAILABLE, bytes;
int userattrs;
AccessControlState acl_state = ACL_STATE_INIT;
int attrsonly;
AttributeDescription *ad_entry = slap_schema.si_ad_entry;
/* a_flags: array of flags telling if the i-th element will be
* returned or filtered out
* e_flags: array of a_flags
*/
char **e_flags = NULL;
rs->sr_type = REP_SEARCH;
if ( op->ors_slimit >= 0 && rs->sr_nentries >= op->ors_slimit ) {
rc = LDAP_SIZELIMIT_EXCEEDED;
goto error_return;
}
/* Every 64 entries, check for thread pool pause */
if ( ( ( rs->sr_nentries & 0x3f ) == 0x3f ) &&
ldap_pvt_thread_pool_pausing( &connection_pool ) > 0 )
{
rc = LDAP_BUSY;
goto error_return;
}
/* eventually will loop through generated operational attribute types
* currently implemented types include:
* entryDN, subschemaSubentry, and hasSubordinates */
/* NOTE: moved before overlays callback circling because
* they may modify entry and other stuff in rs */
/* check for special all operational attributes ("+") type */
/* FIXME: maybe we could set this flag at the operation level;
* however, in principle the caller of send_search_entry() may
* change the attribute list at each call */
rs->sr_attr_flags = slap_attr_flags( rs->sr_attrs );
rc = backend_operational( op, rs );
if ( rc ) {
goto error_return;
}
if ( op->o_callback ) {
rc = slap_response_play( op, rs );
if ( rc != SLAP_CB_CONTINUE ) {
goto error_return;
}
}
Debug( LDAP_DEBUG_TRACE, "=> send_search_entry: conn %lu dn=\"%s\"%s\n",
op->o_connid, rs->sr_entry->e_name.bv_val,
op->ors_attrsonly ? " (attrsOnly)" : "" );
attrsonly = op->ors_attrsonly;
if ( !access_allowed( op, rs->sr_entry, ad_entry, NULL, ACL_READ, NULL )) {
Debug( LDAP_DEBUG_ACL,
"send_search_entry: conn %lu access to entry (%s) not allowed\n",
op->o_connid, rs->sr_entry->e_name.bv_val );
rc = LDAP_INSUFFICIENT_ACCESS;
goto error_return;
}
if ( op->o_res_ber ) {
/* read back control or LDAP_CONNECTIONLESS */
ber = op->o_res_ber;
} else {
struct berval bv;
bv.bv_len = entry_flatsize( rs->sr_entry, 0 );
bv.bv_val = op->o_tmpalloc( bv.bv_len, op->o_tmpmemctx );
ber_init2( ber, &bv, LBER_USE_DER );
ber_set_option( ber, LBER_OPT_BER_MEMCTX, &op->o_tmpmemctx );
}
#ifdef LDAP_CONNECTIONLESS
if ( op->o_conn && op->o_conn->c_is_udp ) {
/* CONNECTIONLESS */
if ( op->o_protocol == LDAP_VERSION2 ) {
rc = ber_printf(ber, "t{O{" /*}}*/,
LDAP_RES_SEARCH_ENTRY, &rs->sr_entry->e_name );
} else {
rc = ber_printf( ber, "{it{O{" /*}}}*/, op->o_msgid,
LDAP_RES_SEARCH_ENTRY, &rs->sr_entry->e_name );
}
} else
#endif
if ( op->o_res_ber ) {
/* read back control */
rc = ber_printf( ber, "t{O{" /*}}*/,
LDAP_RES_SEARCH_ENTRY, &rs->sr_entry->e_name );
} else {
rc = ber_printf( ber, "{it{O{" /*}}}*/, op->o_msgid,
LDAP_RES_SEARCH_ENTRY, &rs->sr_entry->e_name );
}
if ( rc == -1 ) {
Debug( LDAP_DEBUG_ANY,
"send_search_entry: conn %lu ber_printf failed\n",
op->o_connid );
if ( op->o_res_ber == NULL ) ber_free_buf( ber );
set_ldap_error( rs, LDAP_OTHER, "encoding DN error" );
rc = rs->sr_err;
goto error_return;
}
/* check for special all user attributes ("*") type */
userattrs = SLAP_USERATTRS( rs->sr_attr_flags );
/* create an array of arrays of flags. Each flag corresponds
* to particular value of attribute and equals 1 if value matches
* to ValuesReturnFilter or 0 if not
*/
if ( op->o_vrFilter != NULL ) {
int k = 0;
size_t size;
for ( a = rs->sr_entry->e_attrs, i=0; a != NULL; a = a->a_next, i++ ) {
for ( j = 0; a->a_vals[j].bv_val != NULL; j++ ) k++;
}
size = i * sizeof(char *) + k;
if ( size > 0 ) {
char *a_flags;
e_flags = slap_sl_calloc ( 1, i * sizeof(char *) + k, op->o_tmpmemctx );
if( e_flags == NULL ) {
Debug( LDAP_DEBUG_ANY,
"send_search_entry: conn %lu slap_sl_calloc failed\n",
op->o_connid );
ber_free( ber, 1 );
set_ldap_error( rs, LDAP_OTHER, "out of memory" );
goto error_return;
}
a_flags = (char *)(e_flags + i);
memset( a_flags, 0, k );
for ( a=rs->sr_entry->e_attrs, i=0; a != NULL; a=a->a_next, i++ ) {
for ( j = 0; a->a_vals[j].bv_val != NULL; j++ );
e_flags[i] = a_flags;
a_flags += j;
}
rc = filter_matched_values(op, rs->sr_entry->e_attrs, &e_flags) ;
if ( rc == -1 ) {
Debug( LDAP_DEBUG_ANY, "send_search_entry: "
"conn %lu matched values filtering failed\n",
op->o_connid );
if ( op->o_res_ber == NULL ) ber_free_buf( ber );
set_ldap_error( rs, LDAP_OTHER,
"matched values filtering error" );
rc = rs->sr_err;
goto error_return;
}
}
}
for ( a = rs->sr_entry->e_attrs, j = 0; a != NULL; a = a->a_next, j++ ) {
AttributeDescription *desc = a->a_desc;
int finish = 0;
if ( rs->sr_attrs == NULL ) {
/* all user attrs request, skip operational attributes */
if( is_at_operational( desc->ad_type ) ) {
continue;
}
} else {
/* specific attrs requested */
if ( is_at_operational( desc->ad_type ) ) {
/* if not explicitly requested */
if ( !ad_inlist( desc, rs->sr_attrs )) {
/* if not all op attrs requested, skip */
if ( !SLAP_OPATTRS( rs->sr_attr_flags ))
continue;
/* if DSA-specific and replicating, skip */
if ( op->o_sync != SLAP_CONTROL_NONE &&
desc->ad_type->sat_usage == LDAP_SCHEMA_DSA_OPERATION )
continue;
}
} else {
if ( !userattrs && !ad_inlist( desc, rs->sr_attrs ) ) {
continue;
}
}
}
if ( attrsonly ) {
if ( ! access_allowed( op, rs->sr_entry, desc, NULL,
ACL_READ, &acl_state ) )
{
Debug( LDAP_DEBUG_ACL, "send_search_entry: "
"conn %lu access to attribute %s not allowed\n",
op->o_connid, desc->ad_cname.bv_val );
continue;
}
if (( rc = ber_printf( ber, "{O[" /*]}*/ , &desc->ad_cname )) == -1 ) {
Debug( LDAP_DEBUG_ANY,
"send_search_entry: conn %lu ber_printf failed\n",
op->o_connid );
if ( op->o_res_ber == NULL ) ber_free_buf( ber );
set_ldap_error( rs, LDAP_OTHER,
"encoding description error");
rc = rs->sr_err;
goto error_return;
}
finish = 1;
} else {
int first = 1;
for ( i = 0; a->a_nvals[i].bv_val != NULL; i++ ) {
if ( ! access_allowed( op, rs->sr_entry,
desc, &a->a_nvals[i], ACL_READ, &acl_state ) )
{
Debug( LDAP_DEBUG_ACL,
"send_search_entry: conn %lu "
"access to attribute %s, value #%d not allowed\n",
op->o_connid, desc->ad_cname.bv_val, i );
continue;
}
if ( op->o_vrFilter && e_flags[j][i] == 0 ){
continue;
}
if ( first ) {
first = 0;
finish = 1;
if (( rc = ber_printf( ber, "{O[" /*]}*/ , &desc->ad_cname )) == -1 ) {
Debug( LDAP_DEBUG_ANY,
"send_search_entry: conn %lu ber_printf failed\n",
op->o_connid );
if ( op->o_res_ber == NULL ) ber_free_buf( ber );
set_ldap_error( rs, LDAP_OTHER,
"encoding description error");
rc = rs->sr_err;
goto error_return;
}
}
if (( rc = ber_printf( ber, "O", &a->a_vals[i] )) == -1 ) {
Debug( LDAP_DEBUG_ANY,
"send_search_entry: conn %lu "
"ber_printf failed.\n", op->o_connid );
if ( op->o_res_ber == NULL ) ber_free_buf( ber );
set_ldap_error( rs, LDAP_OTHER,
"encoding values error" );
rc = rs->sr_err;
goto error_return;
}
}
}
if ( finish && ( rc = ber_printf( ber, /*{[*/ "]N}" )) == -1 ) {
Debug( LDAP_DEBUG_ANY,
"send_search_entry: conn %lu ber_printf failed\n",
op->o_connid );
if ( op->o_res_ber == NULL ) ber_free_buf( ber );
set_ldap_error( rs, LDAP_OTHER, "encode end error" );
rc = rs->sr_err;
goto error_return;
}
}
/* NOTE: moved before overlays callback circling because
* they may modify entry and other stuff in rs */
if ( rs->sr_operational_attrs != NULL && op->o_vrFilter != NULL ) {
int k = 0;
size_t size;
for ( a = rs->sr_operational_attrs, i=0; a != NULL; a = a->a_next, i++ ) {
for ( j = 0; a->a_vals[j].bv_val != NULL; j++ ) k++;
}
size = i * sizeof(char *) + k;
if ( size > 0 ) {
char *a_flags, **tmp;
/*
* Reuse previous memory - we likely need less space
* for operational attributes
*/
tmp = slap_sl_realloc( e_flags, i * sizeof(char *) + k,
op->o_tmpmemctx );
if ( tmp == NULL ) {
Debug( LDAP_DEBUG_ANY,
"send_search_entry: conn %lu "
"not enough memory "
"for matched values filtering\n",
op->o_connid );
if ( op->o_res_ber == NULL ) ber_free_buf( ber );
set_ldap_error( rs, LDAP_OTHER,
"not enough memory for matched values filtering" );
goto error_return;
}
e_flags = tmp;
a_flags = (char *)(e_flags + i);
memset( a_flags, 0, k );
for ( a = rs->sr_operational_attrs, i=0; a != NULL; a = a->a_next, i++ ) {
for ( j = 0; a->a_vals[j].bv_val != NULL; j++ );
e_flags[i] = a_flags;
a_flags += j;
}
rc = filter_matched_values(op, rs->sr_operational_attrs, &e_flags) ;
if ( rc == -1 ) {
Debug( LDAP_DEBUG_ANY,
"send_search_entry: conn %lu "
"matched values filtering failed\n",
op->o_connid);
if ( op->o_res_ber == NULL ) ber_free_buf( ber );
set_ldap_error( rs, LDAP_OTHER,
"matched values filtering error" );
rc = rs->sr_err;
goto error_return;
}
}
}
for (a = rs->sr_operational_attrs, j=0; a != NULL; a = a->a_next, j++ ) {
AttributeDescription *desc = a->a_desc;
if ( rs->sr_attrs == NULL ) {
/* all user attrs request, skip operational attributes */
if( is_at_operational( desc->ad_type ) ) {
continue;
}
} else {
/* specific attrs requested */
if( is_at_operational( desc->ad_type ) ) {
if ( !SLAP_OPATTRS( rs->sr_attr_flags ) &&
!ad_inlist( desc, rs->sr_attrs ) )
{
continue;
}
/* if DSA-specific and replicating, skip */
if ( op->o_sync != SLAP_CONTROL_NONE &&
desc->ad_type->sat_usage == LDAP_SCHEMA_DSA_OPERATION )
continue;
} else {
if ( !userattrs && !ad_inlist( desc, rs->sr_attrs ) ) {
continue;
}
}
}
if ( ! access_allowed( op, rs->sr_entry, desc, NULL,
ACL_READ, &acl_state ) )
{
Debug( LDAP_DEBUG_ACL,
"send_search_entry: conn %lu "
"access to attribute %s not allowed\n",
op->o_connid, desc->ad_cname.bv_val );
continue;
}
rc = ber_printf( ber, "{O[" /*]}*/ , &desc->ad_cname );
if ( rc == -1 ) {
Debug( LDAP_DEBUG_ANY,
"send_search_entry: conn %lu "
"ber_printf failed\n", op->o_connid );
if ( op->o_res_ber == NULL ) ber_free_buf( ber );
set_ldap_error( rs, LDAP_OTHER,
"encoding description error" );
rc = rs->sr_err;
goto error_return;
}
if ( ! attrsonly ) {
for ( i = 0; a->a_vals[i].bv_val != NULL; i++ ) {
if ( ! access_allowed( op, rs->sr_entry,
desc, &a->a_vals[i], ACL_READ, &acl_state ) )
{
Debug( LDAP_DEBUG_ACL,
"send_search_entry: conn %lu "
"access to %s, value %d not allowed\n",
op->o_connid, desc->ad_cname.bv_val, i );
continue;
}
if ( op->o_vrFilter && e_flags[j][i] == 0 ){
continue;
}
if (( rc = ber_printf( ber, "O", &a->a_vals[i] )) == -1 ) {
Debug( LDAP_DEBUG_ANY,
"send_search_entry: conn %lu ber_printf failed\n",
op->o_connid );
if ( op->o_res_ber == NULL ) ber_free_buf( ber );
set_ldap_error( rs, LDAP_OTHER,
"encoding values error" );
rc = rs->sr_err;
goto error_return;
}
}
}
if (( rc = ber_printf( ber, /*{[*/ "]N}" )) == -1 ) {
Debug( LDAP_DEBUG_ANY,
"send_search_entry: conn %lu ber_printf failed\n",
op->o_connid );
if ( op->o_res_ber == NULL ) ber_free_buf( ber );
set_ldap_error( rs, LDAP_OTHER, "encode end error" );
rc = rs->sr_err;
goto error_return;
}
}
/* free e_flags */
if ( e_flags ) {
slap_sl_free( e_flags, op->o_tmpmemctx );
e_flags = NULL;
}
rc = ber_printf( ber, /*{{*/ "}N}" );
if( rc != -1 ) {
rc = send_ldap_controls( op, ber, rs->sr_ctrls );
}
if( rc != -1 ) {
#ifdef LDAP_CONNECTIONLESS
if( op->o_conn && op->o_conn->c_is_udp ) {
if ( op->o_protocol != LDAP_VERSION2 ) {
rc = ber_printf( ber, /*{*/ "N}" );
}
} else
#endif
if ( op->o_res_ber == NULL ) {
rc = ber_printf( ber, /*{*/ "N}" );
}
}
if ( rc == -1 ) {
Debug( LDAP_DEBUG_ANY, "ber_printf failed\n" );
if ( op->o_res_ber == NULL ) ber_free_buf( ber );
set_ldap_error( rs, LDAP_OTHER, "encode entry end error" );
rc = rs->sr_err;
goto error_return;
}
Statslog( LDAP_DEBUG_STATS2, "%s ENTRY dn=\"%s\"\n",
op->o_log_prefix, rs->sr_entry->e_nname.bv_val );
rs_flush_entry( op, rs, NULL );
if ( op->o_res_ber == NULL ) {
bytes = send_ldap_ber( op, ber );
ber_free_buf( ber );
if ( bytes < 0 ) {
Debug( LDAP_DEBUG_ANY,
"send_search_entry: conn %lu ber write failed.\n",
op->o_connid );
rc = LDAP_UNAVAILABLE;
goto error_return;
}
rs->sr_nentries++;
ldap_pvt_thread_mutex_lock( &op->o_counters->sc_mutex );
ldap_pvt_mp_add_ulong( op->o_counters->sc_bytes, (unsigned long)bytes );
ldap_pvt_mp_add_ulong( op->o_counters->sc_entries, 1 );
ldap_pvt_mp_add_ulong( op->o_counters->sc_pdu, 1 );
ldap_pvt_thread_mutex_unlock( &op->o_counters->sc_mutex );
}
Debug( LDAP_DEBUG_TRACE,
"<= send_search_entry: conn %lu exit.\n", op->o_connid );
rc = LDAP_SUCCESS;
error_return:;
if ( op->o_callback ) {
(void)slap_cleanup_play( op, rs );
}
if ( e_flags ) {
slap_sl_free( e_flags, op->o_tmpmemctx );
}
/* FIXME: Can break if rs now contains an extended response */
if ( rs->sr_operational_attrs ) {
attrs_free( rs->sr_operational_attrs );
rs->sr_operational_attrs = NULL;
}
rs->sr_attr_flags = SLAP_ATTRS_UNDEFINED;
if ( op->o_tag == LDAP_REQ_SEARCH && rs->sr_type == REP_SEARCH ) {
rs_flush_entry( op, rs, NULL );
} else {
RS_ASSERT( (rs->sr_flags & REP_ENTRY_MASK) == 0 );
}
if ( rs->sr_flags & REP_CTRLS_MUSTBEFREED ) {
rs->sr_flags ^= REP_CTRLS_MUSTBEFREED; /* paranoia */
if ( rs->sr_ctrls ) {
slap_free_ctrls( op, rs->sr_ctrls );
rs->sr_ctrls = NULL;
}
}
return( rc );
}
int
do_search(
Operation *op, /* info about the op to which we're responding */
SlapReply *rs /* all the response data we'll send */ )
{
struct berval base = BER_BVNULL;
ber_len_t siz, off, i;
Debug( LDAP_DEBUG_TRACE, "%s do_search\n",
op->o_log_prefix, 0, 0 );
/*
* Parse the search request. It looks like this:
*
* SearchRequest := [APPLICATION 3] SEQUENCE {
* baseObject DistinguishedName,
* scope ENUMERATED {
* baseObject (0),
* singleLevel (1),
* wholeSubtree (2),
* subordinate (3) -- OpenLDAP extension
* },
* derefAliases ENUMERATED {
* neverDerefaliases (0),
* derefInSearching (1),
* derefFindingBaseObj (2),
* alwaysDerefAliases (3)
* },
* sizelimit INTEGER (0 .. 65535),
* timelimit INTEGER (0 .. 65535),
* attrsOnly BOOLEAN,
* filter Filter,
* attributes SEQUENCE OF AttributeType
* }
*/
/* baseObject, scope, derefAliases, sizelimit, timelimit, attrsOnly */
if ( ber_scanf( op->o_ber, "{miiiib" /*}*/,
&base, &op->ors_scope, &op->ors_deref, &op->ors_slimit,
&op->ors_tlimit, &op->ors_attrsonly ) == LBER_ERROR )
{
send_ldap_discon( op, rs, LDAP_PROTOCOL_ERROR, "decoding error" );
rs->sr_err = SLAPD_DISCONNECT;
goto return_results;
}
if ( op->ors_tlimit < 0 || op->ors_tlimit > SLAP_MAX_LIMIT ) {
send_ldap_error( op, rs, LDAP_PROTOCOL_ERROR, "invalid time limit" );
goto return_results;
}
if ( op->ors_slimit < 0 || op->ors_slimit > SLAP_MAX_LIMIT ) {
send_ldap_error( op, rs, LDAP_PROTOCOL_ERROR, "invalid size limit" );
goto return_results;
}
switch( op->ors_scope ) {
case LDAP_SCOPE_BASE:
case LDAP_SCOPE_ONELEVEL:
case LDAP_SCOPE_SUBTREE:
case LDAP_SCOPE_SUBORDINATE:
break;
default:
send_ldap_error( op, rs, LDAP_PROTOCOL_ERROR, "invalid scope" );
goto return_results;
}
switch( op->ors_deref ) {
case LDAP_DEREF_NEVER:
case LDAP_DEREF_FINDING:
case LDAP_DEREF_SEARCHING:
case LDAP_DEREF_ALWAYS:
break;
default:
send_ldap_error( op, rs, LDAP_PROTOCOL_ERROR, "invalid deref" );
goto return_results;
}
rs->sr_err = dnPrettyNormal( NULL, &base, &op->o_req_dn, &op->o_req_ndn, op->o_tmpmemctx );
if( rs->sr_err != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_ANY, "%s do_search: invalid dn: \"%s\"\n",
op->o_log_prefix, base.bv_val, 0 );
send_ldap_error( op, rs, LDAP_INVALID_DN_SYNTAX, "invalid DN" );
goto return_results;
}
Debug( LDAP_DEBUG_ARGS, "SRCH \"%s\" %d %d",
base.bv_val, op->ors_scope, op->ors_deref );
Debug( LDAP_DEBUG_ARGS, " %d %d %d\n",
op->ors_slimit, op->ors_tlimit, op->ors_attrsonly);
/* filter - returns a "normalized" version */
rs->sr_err = get_filter( op, op->o_ber, &op->ors_filter, &rs->sr_text );
if( rs->sr_err != LDAP_SUCCESS ) {
if( rs->sr_err == SLAPD_DISCONNECT ) {
rs->sr_err = LDAP_PROTOCOL_ERROR;
send_ldap_disconnect( op, rs );
rs->sr_err = SLAPD_DISCONNECT;
} else {
send_ldap_result( op, rs );
}
goto return_results;
}
filter2bv_x( op, op->ors_filter, &op->ors_filterstr );
Debug( LDAP_DEBUG_ARGS, " filter: %s\n",
!BER_BVISEMPTY( &op->ors_filterstr ) ? op->ors_filterstr.bv_val : "empty", 0, 0 );
/* attributes */
siz = sizeof(AttributeName);
off = offsetof(AttributeName,an_name);
if ( ber_scanf( op->o_ber, "{M}}", &op->ors_attrs, &siz, off ) == LBER_ERROR ) {
send_ldap_discon( op, rs, LDAP_PROTOCOL_ERROR, "decoding attrs error" );
rs->sr_err = SLAPD_DISCONNECT;
goto return_results;
}
for ( i=0; i<siz; i++ ) {
const char *dummy; /* ignore msgs from bv2ad */
op->ors_attrs[i].an_desc = NULL;
op->ors_attrs[i].an_oc = NULL;
op->ors_attrs[i].an_flags = 0;
if ( slap_bv2ad( &op->ors_attrs[i].an_name,
&op->ors_attrs[i].an_desc, &dummy ) != LDAP_SUCCESS )
{
if ( slap_bv2undef_ad( &op->ors_attrs[i].an_name,
&op->ors_attrs[i].an_desc, &dummy,
SLAP_AD_PROXIED|SLAP_AD_NOINSERT ) )
{
struct berval *bv = &op->ors_attrs[i].an_name;
/* RFC 4511 LDAPv3: All User Attributes */
if ( bvmatch( bv, slap_bv_all_user_attrs ) ) {
continue;
}
/* RFC 3673 LDAPv3: All Operational Attributes */
if ( bvmatch( bv, slap_bv_all_operational_attrs ) ) {
continue;
}
/* RFC 4529 LDAP: Requesting Attributes by Object Class */
if ( bv->bv_len > 1 && bv->bv_val[0] == '@' ) {
/* FIXME: check if remaining is valid oc name? */
continue;
}
/* add more "exceptions" to RFC 4511 4.5.1.8. */
/* invalid attribute description? remove */
if ( ad_keystring( bv ) ) {
/* NOTE: parsed in-place, don't modify;
* rather add "1.1", which must be ignored */
BER_BVSTR( &op->ors_attrs[i].an_name, LDAP_NO_ATTRS );
}
/* otherwise leave in place... */
}
}
}
if( get_ctrls( op, rs, 1 ) != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_ANY, "%s do_search: get_ctrls failed\n",
op->o_log_prefix, 0, 0 );
goto return_results;
}
Debug( LDAP_DEBUG_ARGS, " attrs:", 0, 0, 0 );
if ( siz != 0 ) {
for ( i = 0; i<siz; i++ ) {
Debug( LDAP_DEBUG_ARGS, " %s", op->ors_attrs[i].an_name.bv_val, 0, 0 );
}
}
Debug( LDAP_DEBUG_ARGS, "\n", 0, 0, 0 );
if ( StatslogTest( LDAP_DEBUG_STATS ) ) {
char abuf[BUFSIZ/2], *ptr = abuf;
unsigned len = 0, alen;
sprintf(abuf, "scope=%d deref=%d", op->ors_scope, op->ors_deref);
Statslog( LDAP_DEBUG_STATS,
"%s SRCH base=\"%s\" %s filter=\"%s\"\n",
op->o_log_prefix, op->o_req_dn.bv_val, abuf,
op->ors_filterstr.bv_val, 0 );
for ( i = 0; i<siz; i++ ) {
alen = op->ors_attrs[i].an_name.bv_len;
if (alen >= sizeof(abuf)) {
alen = sizeof(abuf)-1;
}
if (len && (len + 1 + alen >= sizeof(abuf))) {
Statslog( LDAP_DEBUG_STATS, "%s SRCH attr=%s\n",
op->o_log_prefix, abuf, 0, 0, 0 );
len = 0;
ptr = abuf;
}
if (len) {
*ptr++ = ' ';
len++;
}
ptr = lutil_strncopy(ptr, op->ors_attrs[i].an_name.bv_val, alen);
len += alen;
*ptr = '\0';
}
if (len) {
Statslog( LDAP_DEBUG_STATS, "%s SRCH attr=%s\n",
op->o_log_prefix, abuf, 0, 0, 0 );
}
}
op->o_bd = frontendDB;
rs->sr_err = frontendDB->be_search( op, rs );
return_results:;
if ( !BER_BVISNULL( &op->o_req_dn ) ) {
slap_sl_free( op->o_req_dn.bv_val, op->o_tmpmemctx );
}
if ( !BER_BVISNULL( &op->o_req_ndn ) ) {
slap_sl_free( op->o_req_ndn.bv_val, op->o_tmpmemctx );
}
if ( !BER_BVISNULL( &op->ors_filterstr ) ) {
op->o_tmpfree( op->ors_filterstr.bv_val, op->o_tmpmemctx );
}
if ( op->ors_filter != NULL) {
filter_free_x( op, op->ors_filter, 1 );
}
if ( op->ors_attrs != NULL ) {
op->o_tmpfree( op->ors_attrs, op->o_tmpmemctx );
}
return rs->sr_err;
}
int
slap_send_search_reference( Operation *op, SlapReply *rs )
{
BerElementBuffer berbuf;
BerElement *ber = (BerElement *) &berbuf;
int rc = 0;
int bytes;
char *edn = rs->sr_entry ? rs->sr_entry->e_name.bv_val : "(null)";
AttributeDescription *ad_ref = slap_schema.si_ad_ref;
AttributeDescription *ad_entry = slap_schema.si_ad_entry;
rs->sr_type = REP_SEARCHREF;
if ( op->o_callback ) {
rc = slap_response_play( op, rs );
if ( rc != SLAP_CB_CONTINUE ) {
goto rel;
}
}
Debug( LDAP_DEBUG_TRACE,
"=> send_search_reference: dn=\"%s\"\n",
edn );
if ( rs->sr_entry && ! access_allowed( op, rs->sr_entry,
ad_entry, NULL, ACL_READ, NULL ) )
{
Debug( LDAP_DEBUG_ACL,
"send_search_reference: access to entry not allowed\n" );
rc = 1;
goto rel;
}
if ( rs->sr_entry && ! access_allowed( op, rs->sr_entry,
ad_ref, NULL, ACL_READ, NULL ) )
{
Debug( LDAP_DEBUG_ACL,
"send_search_reference: access "
"to reference not allowed\n" );
rc = 1;
goto rel;
}
if( op->o_domain_scope ) {
Debug( LDAP_DEBUG_ANY,
"send_search_reference: domainScope control in (%s)\n",
edn );
rc = 0;
goto rel;
}
if( rs->sr_ref == NULL ) {
Debug( LDAP_DEBUG_ANY,
"send_search_reference: null ref in (%s)\n",
edn );
rc = 1;
goto rel;
}
if( op->o_protocol < LDAP_VERSION3 ) {
rc = 0;
/* save the references for the result */
if( rs->sr_ref[0].bv_val != NULL ) {
if( value_add( &rs->sr_v2ref, rs->sr_ref ) )
rc = LDAP_OTHER;
}
goto rel;
}
#ifdef LDAP_CONNECTIONLESS
if( op->o_conn && op->o_conn->c_is_udp ) {
ber = op->o_res_ber;
} else
#endif
{
ber_init_w_nullc( ber, LBER_USE_DER );
ber_set_option( ber, LBER_OPT_BER_MEMCTX, &op->o_tmpmemctx );
}
rc = ber_printf( ber, "{it{W}" /*"}"*/ , op->o_msgid,
LDAP_RES_SEARCH_REFERENCE, rs->sr_ref );
if( rc != -1 ) {
rc = send_ldap_controls( op, ber, rs->sr_ctrls );
}
if( rc != -1 ) {
rc = ber_printf( ber, /*"{"*/ "N}" );
}
if ( rc == -1 ) {
Debug( LDAP_DEBUG_ANY,
"send_search_reference: ber_printf failed\n" );
#ifdef LDAP_CONNECTIONLESS
if (!op->o_conn || op->o_conn->c_is_udp == 0)
#endif
ber_free_buf( ber );
set_ldap_error( rs, LDAP_OTHER, "encode DN error" );
goto rel;
}
rc = 0;
rs_flush_entry( op, rs, NULL );
#ifdef LDAP_CONNECTIONLESS
if (!op->o_conn || op->o_conn->c_is_udp == 0) {
#endif
bytes = send_ldap_ber( op, ber );
ber_free_buf( ber );
if ( bytes < 0 ) {
rc = LDAP_UNAVAILABLE;
} else {
ldap_pvt_thread_mutex_lock( &op->o_counters->sc_mutex );
ldap_pvt_mp_add_ulong( op->o_counters->sc_bytes, (unsigned long)bytes );
ldap_pvt_mp_add_ulong( op->o_counters->sc_refs, 1 );
ldap_pvt_mp_add_ulong( op->o_counters->sc_pdu, 1 );
ldap_pvt_thread_mutex_unlock( &op->o_counters->sc_mutex );
}
#ifdef LDAP_CONNECTIONLESS
}
#endif
if ( rs->sr_ref != NULL ) {
int r;
for ( r = 0; !BER_BVISNULL( &rs->sr_ref[ r ] ); r++ ) {
Statslog( LDAP_DEBUG_STATS2, "%s REF #%d \"%s\"\n",
op->o_log_prefix, r, rs->sr_ref[0].bv_val );
}
} else {
Statslog( LDAP_DEBUG_STATS2, "%s REF \"(null)\"\n",
op->o_log_prefix );
}
Debug( LDAP_DEBUG_TRACE, "<= send_search_reference\n" );
if ( 0 ) {
rel:
rs_flush_entry( op, rs, NULL );
}
if ( op->o_callback ) {
(void)slap_cleanup_play( op, rs );
}
if ( rs->sr_flags & REP_CTRLS_MUSTBEFREED ) {
rs->sr_flags ^= REP_CTRLS_MUSTBEFREED; /* paranoia */
if ( rs->sr_ctrls ) {
slap_free_ctrls( op, rs->sr_ctrls );
rs->sr_ctrls = NULL;
}
}
return rc;
}
int
do_compare(
Operation *op,
SlapReply *rs )
{
struct berval dn = BER_BVNULL;
struct berval desc = BER_BVNULL;
struct berval value = BER_BVNULL;
AttributeAssertion ava = ATTRIBUTEASSERTION_INIT;
Debug( LDAP_DEBUG_TRACE, "%s do_compare\n",
op->o_log_prefix, 0, 0 );
/*
* Parse the compare request. It looks like this:
*
* CompareRequest := [APPLICATION 14] SEQUENCE {
* entry DistinguishedName,
* ava SEQUENCE {
* type AttributeType,
* value AttributeValue
* }
* }
*/
if ( ber_scanf( op->o_ber, "{m" /*}*/, &dn ) == LBER_ERROR ) {
Debug( LDAP_DEBUG_ANY, "%s do_compare: ber_scanf failed\n",
op->o_log_prefix, 0, 0 );
send_ldap_discon( op, rs, LDAP_PROTOCOL_ERROR, "decoding error" );
return SLAPD_DISCONNECT;
}
if ( ber_scanf( op->o_ber, "{mm}", &desc, &value ) == LBER_ERROR ) {
Debug( LDAP_DEBUG_ANY, "%s do_compare: get ava failed\n",
op->o_log_prefix, 0, 0 );
send_ldap_discon( op, rs, LDAP_PROTOCOL_ERROR, "decoding error" );
return SLAPD_DISCONNECT;
}
if ( ber_scanf( op->o_ber, /*{*/ "}" ) == LBER_ERROR ) {
Debug( LDAP_DEBUG_ANY, "%s do_compare: ber_scanf failed\n",
op->o_log_prefix, 0, 0 );
send_ldap_discon( op, rs, LDAP_PROTOCOL_ERROR, "decoding error" );
return SLAPD_DISCONNECT;
}
if( get_ctrls( op, rs, 1 ) != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_ANY, "%s do_compare: get_ctrls failed\n",
op->o_log_prefix, 0, 0 );
goto cleanup;
}
rs->sr_err = dnPrettyNormal( NULL, &dn, &op->o_req_dn, &op->o_req_ndn,
op->o_tmpmemctx );
if( rs->sr_err != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_ANY, "%s do_compare: invalid dn (%s)\n",
op->o_log_prefix, dn.bv_val, 0 );
send_ldap_error( op, rs, LDAP_INVALID_DN_SYNTAX, "invalid DN" );
goto cleanup;
}
Statslog( LDAP_DEBUG_STATS,
"%s CMP dn=\"%s\" attr=\"%s\"\n",
op->o_log_prefix, op->o_req_dn.bv_val,
desc.bv_val, 0, 0 );
rs->sr_err = slap_bv2ad( &desc, &ava.aa_desc, &rs->sr_text );
if( rs->sr_err != LDAP_SUCCESS ) {
rs->sr_err = slap_bv2undef_ad( &desc, &ava.aa_desc,
&rs->sr_text,
SLAP_AD_PROXIED|SLAP_AD_NOINSERT );
if( rs->sr_err != LDAP_SUCCESS ) {
send_ldap_result( op, rs );
goto cleanup;
}
}
rs->sr_err = asserted_value_validate_normalize( ava.aa_desc,
ava.aa_desc->ad_type->sat_equality,
SLAP_MR_EQUALITY|SLAP_MR_VALUE_OF_ASSERTION_SYNTAX,
&value, &ava.aa_value, &rs->sr_text, op->o_tmpmemctx );
if( rs->sr_err != LDAP_SUCCESS ) {
send_ldap_result( op, rs );
goto cleanup;
}
op->orc_ava = &ava;
Debug( LDAP_DEBUG_ARGS,
"do_compare: dn (%s) attr (%s) value (%s)\n",
op->o_req_dn.bv_val,
ava.aa_desc->ad_cname.bv_val, ava.aa_value.bv_val );
op->o_bd = frontendDB;
rs->sr_err = frontendDB->be_compare( op, rs );
cleanup:;
op->o_tmpfree( op->o_req_dn.bv_val, op->o_tmpmemctx );
op->o_tmpfree( op->o_req_ndn.bv_val, op->o_tmpmemctx );
if ( !BER_BVISNULL( &ava.aa_value ) ) {
op->o_tmpfree( ava.aa_value.bv_val, op->o_tmpmemctx );
}
return rs->sr_err;
}
void
slap_send_ldap_result( Operation *op, SlapReply *rs )
{
char *tmp = NULL;
const char *otext = rs->sr_text;
BerVarray oref = rs->sr_ref;
rs->sr_type = REP_RESULT;
/* Propagate Abandons so that cleanup callbacks can be processed */
if ( rs->sr_err == SLAPD_ABANDON || op->o_abandon )
goto abandon;
Debug( LDAP_DEBUG_TRACE,
"send_ldap_result: %s p=%d\n",
op->o_log_prefix, op->o_protocol );
Debug( LDAP_DEBUG_ARGS,
"send_ldap_result: err=%d matched=\"%s\" text=\"%s\"\n",
rs->sr_err, rs->sr_matched ? rs->sr_matched : "",
rs->sr_text ? rs->sr_text : "" );
if( rs->sr_ref ) {
Debug( LDAP_DEBUG_ARGS,
"send_ldap_result: referral=\"%s\"\n",
rs->sr_ref[0].bv_val ? rs->sr_ref[0].bv_val : "NULL" );
}
assert( !LDAP_API_ERROR( rs->sr_err ) );
assert( rs->sr_err != LDAP_PARTIAL_RESULTS );
if ( rs->sr_err == LDAP_REFERRAL ) {
if( op->o_domain_scope ) rs->sr_ref = NULL;
if( rs->sr_ref == NULL ) {
rs->sr_err = LDAP_NO_SUCH_OBJECT;
} else if ( op->o_protocol < LDAP_VERSION3 ) {
rs->sr_err = LDAP_PARTIAL_RESULTS;
}
}
if ( op->o_protocol < LDAP_VERSION3 ) {
tmp = v2ref( rs->sr_ref, rs->sr_text );
rs->sr_text = tmp;
rs->sr_ref = NULL;
}
abandon:
rs->sr_tag = slap_req2res( op->o_tag );
rs->sr_msgid = (rs->sr_tag != LBER_SEQUENCE) ? op->o_msgid : 0;
if ( rs->sr_flags & REP_REF_MUSTBEFREED ) {
if ( rs->sr_ref == NULL ) {
rs->sr_flags ^= REP_REF_MUSTBEFREED;
ber_bvarray_free( oref );
}
oref = NULL; /* send_ldap_response() will free rs->sr_ref if != NULL */
}
if ( send_ldap_response( op, rs ) == SLAP_CB_CONTINUE ) {
if ( op->o_tag == LDAP_REQ_SEARCH ) {
Statslog( LDAP_DEBUG_STATS,
"%s SEARCH RESULT tag=%lu err=%d nentries=%d text=%s\n",
op->o_log_prefix, rs->sr_tag, rs->sr_err,
rs->sr_nentries, rs->sr_text ? rs->sr_text : "" );
} else {
Statslog( LDAP_DEBUG_STATS,
"%s RESULT tag=%lu err=%d text=%s\n",
op->o_log_prefix, rs->sr_tag, rs->sr_err,
rs->sr_text ? rs->sr_text : "" );
}
}
if( tmp != NULL ) ch_free(tmp);
rs->sr_text = otext;
rs->sr_ref = oref;
}
static int
proxyOld_parse(
Operation *op,
SlapReply *rs,
LDAPControl *ctrl )
{
int rc;
BerElement *ber;
ber_tag_t tag;
struct berval dn = BER_BVNULL;
struct berval authzDN = BER_BVNULL;
/* We hijack the flag for the new control. Clearly only one or the
* other can be used at any given time.
*/
if ( op->o_proxy_authz != SLAP_CONTROL_NONE ) {
rs->sr_text = "proxy authorization control specified multiple times";
return LDAP_PROTOCOL_ERROR;
}
op->o_proxy_authz = ctrl->ldctl_iscritical
? SLAP_CONTROL_CRITICAL
: SLAP_CONTROL_NONCRITICAL;
/* Parse the control value
* proxyAuthzControlValue ::= SEQUENCE {
* proxyDN LDAPDN
* }
*/
ber = ber_init( &ctrl->ldctl_value );
if ( ber == NULL ) {
rs->sr_text = "ber_init failed";
return LDAP_OTHER;
}
tag = ber_scanf( ber, "{m}", &dn );
if ( tag == LBER_ERROR ) {
rs->sr_text = "proxyOld control could not be decoded";
rc = LDAP_OTHER;
goto done;
}
if ( BER_BVISEMPTY( &dn )) {
Debug( LDAP_DEBUG_TRACE,
"proxyOld_parse: conn=%lu anonymous\n",
op->o_connid, 0, 0 );
authzDN.bv_val = ch_strdup("");
} else {
Debug( LDAP_DEBUG_ARGS,
"proxyOld_parse: conn %lu ctrl DN=\"%s\"\n",
op->o_connid, dn.bv_val, 0 );
rc = dnNormalize( 0, NULL, NULL, &dn, &authzDN, op->o_tmpmemctx );
if ( rc != LDAP_SUCCESS ) {
goto done;
}
rc = slap_sasl_authorized( op, &op->o_ndn, &authzDN );
if ( rc ) {
op->o_tmpfree( authzDN.bv_val, op->o_tmpmemctx );
rs->sr_text = "not authorized to assume identity";
/* new spec uses LDAP_PROXY_AUTHZ_FAILURE */
rc = LDAP_INSUFFICIENT_ACCESS;
goto done;
}
}
free( op->o_ndn.bv_val );
free( op->o_dn.bv_val );
op->o_ndn = authzDN;
ber_dupbv( &op->o_dn, &authzDN );
Statslog( LDAP_DEBUG_STATS, "conn=%lu op=%lu PROXYOLD dn=\"%s\"\n",
op->o_connid, op->o_opid,
authzDN.bv_len ? authzDN.bv_val : "anonymous", 0, 0 );
rc = LDAP_SUCCESS;
done:
ber_free( ber, 1 );
return rc;
}
int txn_end_extop(
Operation *op, SlapReply *rs )
{
int rc;
BerElementBuffer berbuf;
BerElement *ber = (BerElement *)&berbuf;
ber_tag_t tag;
ber_len_t len;
ber_int_t commit=1;
struct berval txnid;
Statslog( LDAP_DEBUG_STATS, "%s TXN END\n",
op->o_log_prefix, 0, 0, 0, 0 );
if( op->ore_reqdata == NULL ) {
rs->sr_text = "request data expected";
return LDAP_PROTOCOL_ERROR;
}
if( op->ore_reqdata->bv_len == 0 ) {
rs->sr_text = "empty request data";
return LDAP_PROTOCOL_ERROR;
}
op->o_bd = op->o_conn->c_authz_backend;
if( backend_check_restrictions( op, rs,
(struct berval *)&slap_EXOP_TXN_END ) != LDAP_SUCCESS )
{
return rs->sr_err;
}
ber_init2( ber, op->ore_reqdata, 0 );
tag = ber_scanf( ber, "{" /*}*/ );
if( tag == LBER_ERROR ) {
rs->sr_text = "request data decoding error";
return LDAP_PROTOCOL_ERROR;
}
tag = ber_peek_tag( ber, &len );
if( tag == LBER_BOOLEAN ) {
tag = ber_scanf( ber, "b", &commit );
if( tag == LBER_ERROR ) {
rs->sr_text = "request data decoding error";
return LDAP_PROTOCOL_ERROR;
}
}
tag = ber_scanf( ber, /*{*/ "m}", &txnid );
if( tag == LBER_ERROR ) {
rs->sr_text = "request data decoding error";
return LDAP_PROTOCOL_ERROR;
}
if( txnid.bv_len ) {
rs->sr_text = "invalid transaction identifier";
return LDAP_X_TXN_ID_INVALID;
}
/* acquire connection lock */
ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex );
if( op->o_conn->c_txn != CONN_TXN_SPECIFY ) {
rs->sr_text = "invalid transaction identifier";
rc = LDAP_X_TXN_ID_INVALID;
goto done;
}
op->o_conn->c_txn = CONN_TXN_SETTLE;
if( commit ) {
if ( op->o_abandon ) {
}
if( LDAP_STAILQ_EMPTY(&op->o_conn->c_txn_ops) ) {
/* no updates to commit */
rs->sr_text = "no updates to commit";
rc = LDAP_OPERATIONS_ERROR;
goto settled;
}
rs->sr_text = "not yet implemented";
rc = LDAP_UNWILLING_TO_PERFORM;
} else {
rs->sr_text = "transaction aborted";
rc = LDAP_SUCCESS;;
}
drain:
/* drain txn ops list */
settled:
assert( LDAP_STAILQ_EMPTY(&op->o_conn->c_txn_ops) );
assert( op->o_conn->c_txn == CONN_TXN_SETTLE );
op->o_conn->c_txn = CONN_TXN_INACTIVE;
op->o_conn->c_txn_backend = NULL;
done:
/* release connection lock */
ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex );
return rc;
}
int
do_modrdn(
Operation *op,
SlapReply *rs
)
{
struct berval dn = BER_BVNULL;
struct berval newrdn = BER_BVNULL;
struct berval newSuperior = BER_BVNULL;
ber_int_t deloldrdn;
struct berval pnewSuperior = BER_BVNULL;
struct berval nnewSuperior = BER_BVNULL;
ber_len_t length;
Debug( LDAP_DEBUG_TRACE, "%s do_modrdn\n",
op->o_log_prefix, 0, 0 );
/*
* Parse the modrdn request. It looks like this:
*
* ModifyRDNRequest := SEQUENCE {
* entry DistinguishedName,
* newrdn RelativeDistinguishedName
* deleteoldrdn BOOLEAN,
* newSuperior [0] LDAPDN OPTIONAL (v3 Only!)
* }
*/
if ( ber_scanf( op->o_ber, "{mmb", &dn, &newrdn, &deloldrdn )
== LBER_ERROR )
{
Debug( LDAP_DEBUG_ANY, "%s do_modrdn: ber_scanf failed\n",
op->o_log_prefix, 0, 0 );
send_ldap_discon( op, rs, LDAP_PROTOCOL_ERROR, "decoding error" );
return SLAPD_DISCONNECT;
}
/* Check for newSuperior parameter, if present scan it */
if ( ber_peek_tag( op->o_ber, &length ) == LDAP_TAG_NEWSUPERIOR ) {
if ( op->o_protocol < LDAP_VERSION3 ) {
/* Connection record indicates v2 but field
* newSuperior is present: report error.
*/
Debug( LDAP_DEBUG_ANY,
"%s do_modrdn: newSuperior requires LDAPv3\n",
op->o_log_prefix, 0, 0 );
send_ldap_discon( op, rs,
LDAP_PROTOCOL_ERROR, "newSuperior requires LDAPv3" );
rs->sr_err = SLAPD_DISCONNECT;
goto cleanup;
}
if ( ber_scanf( op->o_ber, "m", &newSuperior )
== LBER_ERROR ) {
Debug( LDAP_DEBUG_ANY, "%s do_modrdn: ber_scanf(\"m\") failed\n",
op->o_log_prefix, 0, 0 );
send_ldap_discon( op, rs,
LDAP_PROTOCOL_ERROR, "decoding error" );
rs->sr_err = SLAPD_DISCONNECT;
goto cleanup;
}
op->orr_newSup = &pnewSuperior;
op->orr_nnewSup = &nnewSuperior;
}
Debug( LDAP_DEBUG_ARGS,
"do_modrdn: dn (%s) newrdn (%s) newsuperior (%s)\n",
dn.bv_val, newrdn.bv_val,
newSuperior.bv_len ? newSuperior.bv_val : "" );
if ( ber_scanf( op->o_ber, /*{*/ "}") == LBER_ERROR ) {
Debug( LDAP_DEBUG_ANY, "%s do_modrdn: ber_scanf failed\n",
op->o_log_prefix, 0, 0 );
send_ldap_discon( op, rs,
LDAP_PROTOCOL_ERROR, "decoding error" );
rs->sr_err = SLAPD_DISCONNECT;
goto cleanup;
}
if( get_ctrls( op, rs, 1 ) != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_ANY, "%s do_modrdn: get_ctrls failed\n",
op->o_log_prefix, 0, 0 );
/* get_ctrls has sent results. Now clean up. */
goto cleanup;
}
rs->sr_err = dnPrettyNormal( NULL, &dn, &op->o_req_dn, &op->o_req_ndn, op->o_tmpmemctx );
if( rs->sr_err != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_ANY, "%s do_modrdn: invalid dn (%s)\n",
op->o_log_prefix, dn.bv_val, 0 );
send_ldap_error( op, rs, LDAP_INVALID_DN_SYNTAX, "invalid DN" );
goto cleanup;
}
/* FIXME: should have/use rdnPretty / rdnNormalize routines */
rs->sr_err = dnPrettyNormal( NULL, &newrdn, &op->orr_newrdn, &op->orr_nnewrdn, op->o_tmpmemctx );
if( rs->sr_err != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_ANY, "%s do_modrdn: invalid newrdn (%s)\n",
op->o_log_prefix, newrdn.bv_val, 0 );
send_ldap_error( op, rs, LDAP_INVALID_DN_SYNTAX, "invalid new RDN" );
goto cleanup;
}
if( rdn_validate( &op->orr_newrdn ) != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_ANY, "%s do_modrdn: invalid rdn (%s)\n",
op->o_log_prefix, op->orr_newrdn.bv_val, 0 );
send_ldap_error( op, rs, LDAP_INVALID_DN_SYNTAX, "invalid new RDN" );
goto cleanup;
}
if( op->orr_newSup ) {
rs->sr_err = dnPrettyNormal( NULL, &newSuperior, &pnewSuperior,
&nnewSuperior, op->o_tmpmemctx );
if( rs->sr_err != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_ANY,
"%s do_modrdn: invalid newSuperior (%s)\n",
op->o_log_prefix, newSuperior.bv_val, 0 );
send_ldap_error( op, rs, LDAP_INVALID_DN_SYNTAX, "invalid newSuperior" );
goto cleanup;
}
}
Statslog( LDAP_DEBUG_STATS, "%s MODRDN dn=\"%s\"\n",
op->o_log_prefix, op->o_req_dn.bv_val, 0, 0, 0 );
op->orr_deleteoldrdn = deloldrdn;
op->orr_modlist = NULL;
/* prepare modlist of modifications from old/new RDN */
rs->sr_err = slap_modrdn2mods( op, rs );
if ( rs->sr_err != LDAP_SUCCESS ) {
send_ldap_result( op, rs );
goto cleanup;
}
op->o_bd = frontendDB;
rs->sr_err = frontendDB->be_modrdn( op, rs );
#ifdef LDAP_X_TXN
if( rs->sr_err == LDAP_X_TXN_SPECIFY_OKAY ) {
/* skip cleanup */
}
#endif
cleanup:
op->o_tmpfree( op->o_req_dn.bv_val, op->o_tmpmemctx );
op->o_tmpfree( op->o_req_ndn.bv_val, op->o_tmpmemctx );
op->o_tmpfree( op->orr_newrdn.bv_val, op->o_tmpmemctx );
op->o_tmpfree( op->orr_nnewrdn.bv_val, op->o_tmpmemctx );
if ( op->orr_modlist != NULL )
slap_mods_free( op->orr_modlist, 1 );
if ( !BER_BVISNULL( &pnewSuperior ) ) {
op->o_tmpfree( pnewSuperior.bv_val, op->o_tmpmemctx );
}
if ( !BER_BVISNULL( &nnewSuperior ) ) {
op->o_tmpfree( nnewSuperior.bv_val, op->o_tmpmemctx );
}
return rs->sr_err;
}
int
dnssrv_back_referrals(
Operation *op,
SlapReply *rs )
{
int i;
int rc = LDAP_OTHER;
char *domain = NULL;
char *hostlist = NULL;
char **hosts = NULL;
BerVarray urls = NULL;
if ( BER_BVISEMPTY( &op->o_req_dn ) ) {
/* FIXME: need some means to determine whether the database
* is a glue instance */
if ( SLAP_GLUE_INSTANCE( op->o_bd ) ) {
return LDAP_SUCCESS;
}
rs->sr_text = "DNS SRV operation upon null (empty) DN disallowed";
return LDAP_UNWILLING_TO_PERFORM;
}
if( get_manageDSAit( op ) ) {
if( op->o_tag == LDAP_REQ_SEARCH ) {
return LDAP_SUCCESS;
}
rs->sr_text = "DNS SRV problem processing manageDSAit control";
return LDAP_OTHER;
}
if( ldap_dn2domain( op->o_req_dn.bv_val, &domain ) || domain == NULL ) {
rs->sr_err = LDAP_REFERRAL;
rs->sr_ref = default_referral;
send_ldap_result( op, rs );
rs->sr_ref = NULL;
return LDAP_REFERRAL;
}
Debug( LDAP_DEBUG_TRACE, "DNSSRV: dn=\"%s\" -> domain=\"%s\"\n",
op->o_req_dn.bv_val, domain, 0 );
i = ldap_domain2hostlist( domain, &hostlist );
if ( i ) {
Debug( LDAP_DEBUG_TRACE,
"DNSSRV: domain2hostlist(%s) returned %d\n",
domain, i, 0 );
rs->sr_text = "no DNS SRV RR available for DN";
rc = LDAP_NO_SUCH_OBJECT;
goto done;
}
hosts = ldap_str2charray( hostlist, " " );
if( hosts == NULL ) {
Debug( LDAP_DEBUG_TRACE, "DNSSRV: str2charrary error\n", 0, 0, 0 );
rs->sr_text = "problem processing DNS SRV records for DN";
goto done;
}
for( i=0; hosts[i] != NULL; i++) {
struct berval url;
url.bv_len = STRLENOF( "ldap://" ) + strlen( hosts[i] );
url.bv_val = ch_malloc( url.bv_len + 1 );
strcpy( url.bv_val, "ldap://" );
strcpy( &url.bv_val[STRLENOF( "ldap://" )], hosts[i] );
if ( ber_bvarray_add( &urls, &url ) < 0 ) {
free( url.bv_val );
rs->sr_text = "problem processing DNS SRV records for DN";
goto done;
}
}
Statslog( LDAP_DEBUG_STATS,
"%s DNSSRV p=%d dn=\"%s\" url=\"%s\"\n",
op->o_log_prefix, op->o_protocol,
op->o_req_dn.bv_val, urls[0].bv_val, 0 );
Debug( LDAP_DEBUG_TRACE, "DNSSRV: dn=\"%s\" -> url=\"%s\"\n",
op->o_req_dn.bv_val, urls[0].bv_val, 0 );
rs->sr_ref = urls;
send_ldap_error( op, rs, LDAP_REFERRAL,
"DNS SRV generated referrals" );
rs->sr_ref = NULL;
rc = LDAP_REFERRAL;
done:
if( domain != NULL ) ch_free( domain );
if( hostlist != NULL ) ch_free( hostlist );
if( hosts != NULL ) ldap_charray_free( hosts );
ber_bvarray_free( urls );
return rc;
}
int
starttls_extop ( Operation *op, SlapReply *rs )
{
int rc;
Statslog( LDAP_DEBUG_STATS, "%s STARTTLS\n",
op->o_log_prefix, 0, 0, 0, 0 );
if ( op->ore_reqdata != NULL ) {
/* no request data should be provided */
rs->sr_text = "no request data expected";
return LDAP_PROTOCOL_ERROR;
}
/* acquire connection lock */
ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex );
/* can't start TLS if it is already started */
if (op->o_conn->c_is_tls != 0) {
rs->sr_text = "TLS already started";
rc = LDAP_OPERATIONS_ERROR;
goto done;
}
/* can't start TLS if there are other op's around */
if (( !LDAP_STAILQ_EMPTY(&op->o_conn->c_ops) &&
(LDAP_STAILQ_FIRST(&op->o_conn->c_ops) != op ||
LDAP_STAILQ_NEXT(op, o_next) != NULL)) ||
( !LDAP_STAILQ_EMPTY(&op->o_conn->c_pending_ops) ))
{
rs->sr_text = "cannot start TLS when operations are outstanding";
rc = LDAP_OPERATIONS_ERROR;
goto done;
}
if ( !( global_disallows & SLAP_DISALLOW_TLS_2_ANON ) &&
( op->o_conn->c_dn.bv_len != 0 ) )
{
Statslog( LDAP_DEBUG_STATS,
"%s AUTHZ anonymous mech=starttls ssf=0\n",
op->o_log_prefix, 0, 0, 0, 0 );
/* force to anonymous */
connection2anonymous( op->o_conn );
}
if ( ( global_disallows & SLAP_DISALLOW_TLS_AUTHC ) &&
( op->o_conn->c_dn.bv_len != 0 ) )
{
rs->sr_text = "cannot start TLS after authentication";
rc = LDAP_OPERATIONS_ERROR;
goto done;
}
/* fail if TLS could not be initialized */
if ( slap_tls_ctx == NULL ) {
if (default_referral != NULL) {
/* caller will put the referral in the result */
rc = LDAP_REFERRAL;
goto done;
}
rs->sr_text = "Could not initialize TLS";
rc = LDAP_UNAVAILABLE;
goto done;
}
op->o_conn->c_is_tls = 1;
op->o_conn->c_needs_tls_accept = 1;
rc = LDAP_SUCCESS;
done:
/* give up connection lock */
ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex );
/* FIXME: RACE CONDITION! we give up lock before sending result
* Should be resolved by reworking connection state, not
* by moving send here (so as to ensure proper TLS sequencing)
*/
return rc;
}
