int do_unbind( Operation *op, SlapReply *rs ) { Debug( LDAP_DEBUG_TRACE, "%s do_unbind\n", op->o_log_prefix, 0, 0 ); /* * Parse the unbind request. It looks like this: * * UnBindRequest ::= NULL */ Statslog( LDAP_DEBUG_STATS, "%s UNBIND\n", op->o_log_prefix, 0, 0, 0, 0 ); if ( frontendDB->be_unbind ) { op->o_bd = frontendDB; (void)frontendDB->be_unbind( op, rs ); op->o_bd = NULL; } /* pass the unbind to all backends */ (void)backend_unbind( op, rs ); return 0; }
void send_ldap_disconnect( Operation *op, SlapReply *rs ) { #define LDAP_UNSOLICITED_ERROR(e) \ ( (e) == LDAP_PROTOCOL_ERROR \ || (e) == LDAP_STRONG_AUTH_REQUIRED \ || (e) == LDAP_UNAVAILABLE ) assert( LDAP_UNSOLICITED_ERROR( rs->sr_err ) ); rs->sr_type = REP_EXTENDED; rs->sr_rspdata = NULL; Debug( LDAP_DEBUG_TRACE, "send_ldap_disconnect %d:%s\n", rs->sr_err, rs->sr_text ? rs->sr_text : "", NULL ); if ( op->o_protocol < LDAP_VERSION3 ) { rs->sr_rspoid = NULL; rs->sr_tag = slap_req2res( op->o_tag ); rs->sr_msgid = (rs->sr_tag != LBER_SEQUENCE) ? op->o_msgid : 0; } else { rs->sr_rspoid = LDAP_NOTICE_DISCONNECT; rs->sr_tag = LDAP_RES_EXTENDED; rs->sr_msgid = LDAP_RES_UNSOLICITED; } if ( send_ldap_response( op, rs ) == SLAP_CB_CONTINUE ) { Statslog( LDAP_DEBUG_STATS, "%s DISCONNECT tag=%lu err=%d text=%s\n", op->o_log_prefix, rs->sr_tag, rs->sr_err, rs->sr_text ? rs->sr_text : "", 0 ); } }
static int slapi_op_bind_callback( Operation *op, SlapReply *rs, int prc ) { switch ( prc ) { case SLAPI_BIND_SUCCESS: /* Continue with backend processing */ break; case SLAPI_BIND_FAIL: /* Failure, frontend (that's us) sends result */ rs->sr_err = LDAP_INVALID_CREDENTIALS; send_ldap_result( op, rs ); return rs->sr_err; break; case SLAPI_BIND_ANONYMOUS: /* undocumented */ default: /* plugin sent result or no plugins called */ BER_BVZERO( &op->orb_edn ); if ( rs->sr_err == LDAP_SUCCESS ) { /* * Plugin will have called slapi_pblock_set(LDAP_CONN_DN) which * will have set conn->c_dn and conn->c_ndn */ if ( BER_BVISNULL( &op->o_conn->c_ndn ) && prc == 1 ) { /* No plugins were called; continue processing */ return LDAP_SUCCESS; } ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex ); if ( !BER_BVISEMPTY( &op->o_conn->c_ndn ) ) { ber_len_t max = sockbuf_max_incoming_auth; ber_sockbuf_ctrl( op->o_conn->c_sb, LBER_SB_OPT_SET_MAX_INCOMING, &max ); } ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex ); /* log authorization identity */ Statslog( LDAP_DEBUG_STATS, "%s BIND dn=\"%s\" mech=%s (SLAPI) ssf=0\n", op->o_log_prefix, BER_BVISNULL( &op->o_conn->c_dn ) ? "<empty>" : op->o_conn->c_dn.bv_val, BER_BVISNULL( &op->orb_mech ) ? "<empty>" : op->orb_mech.bv_val, 0, 0 ); return -1; } break; } return rs->sr_err; }
int dnssrv_back_bind( Operation *op, SlapReply *rs ) { Debug( LDAP_DEBUG_TRACE, "DNSSRV: bind dn=\"%s\" (%d)\n", BER_BVISNULL( &op->o_req_dn ) ? "" : op->o_req_dn.bv_val, op->orb_method, 0 ); /* allow rootdn as a means to auth without the need to actually * contact the proxied DSA */ switch ( be_rootdn_bind( op, NULL ) ) { case LDAP_SUCCESS: /* frontend will send result */ return rs->sr_err; default: /* treat failure and like any other bind, otherwise * it could reveal the DN of the rootdn */ break; } if ( !BER_BVISNULL( &op->orb_cred ) && !BER_BVISEMPTY( &op->orb_cred ) ) { /* simple bind */ Statslog( LDAP_DEBUG_STATS, "%s DNSSRV BIND dn=\"%s\" provided cleartext passwd\n", op->o_log_prefix, BER_BVISNULL( &op->o_req_dn ) ? "" : op->o_req_dn.bv_val , 0, 0, 0 ); send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM, "you shouldn't send strangers your password" ); } else { /* unauthenticated bind */ /* NOTE: we're not going to get here anyway: * unauthenticated bind is dealt with by the frontend */ Debug( LDAP_DEBUG_TRACE, "DNSSRV: BIND dn=\"%s\"\n", BER_BVISNULL( &op->o_req_dn ) ? "" : op->o_req_dn.bv_val, 0, 0 ); send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM, "anonymous bind expected" ); } return 1; }
int txn_start_extop( Operation *op, SlapReply *rs ) { int rc; struct berval *bv; Statslog( LDAP_DEBUG_STATS, "%s TXN START\n", op->o_log_prefix, 0, 0, 0, 0 ); if( op->ore_reqdata != NULL ) { rs->sr_text = "no request data expected"; return LDAP_PROTOCOL_ERROR; } op->o_bd = op->o_conn->c_authz_backend; if( backend_check_restrictions( op, rs, (struct berval *)&slap_EXOP_TXN_START ) != LDAP_SUCCESS ) { return rs->sr_err; } /* acquire connection lock */ ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex ); if( op->o_conn->c_txn != CONN_TXN_INACTIVE ) { rs->sr_text = "Too many transactions"; rc = LDAP_BUSY; goto done; } assert( op->o_conn->c_txn_backend == NULL ); op->o_conn->c_txn = CONN_TXN_SPECIFY; bv = (struct berval *) ch_malloc( sizeof (struct berval) ); bv->bv_len = 0; bv->bv_val = NULL; rs->sr_rspdata = bv; rc = LDAP_SUCCESS; done: /* release connection lock */ ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex ); return rc; }
void send_ldap_sasl( Operation *op, SlapReply *rs ) { rs->sr_type = REP_SASL; Debug( LDAP_DEBUG_TRACE, "send_ldap_sasl: err=%d len=%ld\n", rs->sr_err, rs->sr_sasldata ? (long) rs->sr_sasldata->bv_len : -1, NULL ); rs->sr_tag = slap_req2res( op->o_tag ); rs->sr_msgid = (rs->sr_tag != LBER_SEQUENCE) ? op->o_msgid : 0; if ( send_ldap_response( op, rs ) == SLAP_CB_CONTINUE ) { Statslog( LDAP_DEBUG_STATS, "%s RESULT tag=%lu err=%d text=%s\n", op->o_log_prefix, rs->sr_tag, rs->sr_err, rs->sr_text ? rs->sr_text : "", 0 ); } }
void slap_send_ldap_intermediate( Operation *op, SlapReply *rs ) { rs->sr_type = REP_INTERMEDIATE; Debug( LDAP_DEBUG_TRACE, "send_ldap_intermediate: err=%d oid=%s len=%ld\n", rs->sr_err, rs->sr_rspoid ? rs->sr_rspoid : "", rs->sr_rspdata != NULL ? rs->sr_rspdata->bv_len : 0 ); rs->sr_tag = LDAP_RES_INTERMEDIATE; rs->sr_msgid = op->o_msgid; if ( send_ldap_response( op, rs ) == SLAP_CB_CONTINUE ) { Statslog( LDAP_DEBUG_STATS2, "%s INTERM oid=%s\n", op->o_log_prefix, rs->sr_rspoid ? rs->sr_rspoid : "", 0, 0, 0 ); } }
static int ldap_exop_chained_request( Operation *op, SlapReply *rs ) { Statslog( LDAP_DEBUG_STATS, "%s CHAINED REQUEST\n", op->o_log_prefix, 0, 0, 0, 0 ); rs->sr_err = backend_check_restrictions( op, rs, (struct berval *)&slap_EXOP_CHAINEDREQUEST ); if ( rs->sr_err != LDAP_SUCCESS ) { return rs->sr_err; } /* by now, just reject requests */ rs->sr_text = "under development"; return LDAP_UNWILLING_TO_PERFORM; }
int fe_op_bind_success( Operation *op, SlapReply *rs ) { ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex ); if( op->o_conn->c_authz_backend == NULL ) { op->o_conn->c_authz_backend = op->o_bd; } /* be_bind returns regular/global edn */ if( !BER_BVISEMPTY( &op->orb_edn ) ) { op->o_conn->c_dn = op->orb_edn; } else { ber_dupbv(&op->o_conn->c_dn, &op->o_req_dn); } ber_dupbv( &op->o_conn->c_ndn, &op->o_req_ndn ); /* op->o_conn->c_sb may be 0 for internal operations */ if( !BER_BVISEMPTY( &op->o_conn->c_dn ) && op->o_conn->c_sb != 0 ) { ber_len_t max = sockbuf_max_incoming_auth; ber_sockbuf_ctrl( op->o_conn->c_sb, LBER_SB_OPT_SET_MAX_INCOMING, &max ); } /* log authorization identity */ Statslog( LDAP_DEBUG_STATS, "%s BIND dn=\"%s\" mech=%s ssf=0\n", op->o_log_prefix, op->o_conn->c_dn.bv_val, op->orb_mech.bv_val ); Debug( LDAP_DEBUG_TRACE, "do_bind: v%d bind: \"%s\" to \"%s\"\n", op->o_protocol, op->o_req_dn.bv_val, op->o_conn->c_dn.bv_val ); ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex ); /* send this here to avoid a race condition */ send_ldap_result( op, rs ); return LDAP_SUCCESS; }
void send_ldap_sasl( Operation *op, SlapReply *rs ) { Debug( LDAP_DEBUG_TRACE, "send_ldap_sasl: err=%d len=%ld\n", rs->sr_err, rs->sr_sasldata ? (long) rs->sr_sasldata->bv_len : -1 ); RS_ASSERT( !(rs->sr_flags & REP_ENTRY_MASK) ); rs->sr_flags &= ~REP_ENTRY_MASK; /* paranoia */ rs->sr_type = REP_SASL; rs->sr_tag = slap_req2res( op->o_tag ); rs->sr_msgid = (rs->sr_tag != LBER_SEQUENCE) ? op->o_msgid : 0; if ( send_ldap_response( op, rs ) == SLAP_CB_CONTINUE ) { Statslog( LDAP_DEBUG_STATS, "%s RESULT tag=%lu err=%d text=%s\n", op->o_log_prefix, rs->sr_tag, rs->sr_err, rs->sr_text ? rs->sr_text : "" ); } }
void slap_send_ldap_extended( Operation *op, SlapReply *rs ) { rs->sr_type = REP_EXTENDED; Debug( LDAP_DEBUG_TRACE, "send_ldap_extended: err=%d oid=%s len=%ld\n", rs->sr_err, rs->sr_rspoid ? rs->sr_rspoid : "", rs->sr_rspdata != NULL ? rs->sr_rspdata->bv_len : 0 ); rs->sr_tag = slap_req2res( op->o_tag ); rs->sr_msgid = (rs->sr_tag != LBER_SEQUENCE) ? op->o_msgid : 0; if ( send_ldap_response( op, rs ) == SLAP_CB_CONTINUE ) { Statslog( LDAP_DEBUG_STATS, "%s RESULT oid=%s err=%d text=%s\n", op->o_log_prefix, rs->sr_rspoid ? rs->sr_rspoid : "", rs->sr_err, rs->sr_text ? rs->sr_text : "", 0 ); } }
static int whoami_extop ( Operation *op, SlapReply *rs ) { struct berval *bv; if ( op->ore_reqdata != NULL ) { /* no request data should be provided */ rs->sr_text = "no request data expected"; return LDAP_PROTOCOL_ERROR; } Statslog( LDAP_DEBUG_STATS, "%s WHOAMI\n", op->o_log_prefix, 0, 0, 0, 0 ); op->o_bd = op->o_conn->c_authz_backend; if( backend_check_restrictions( op, rs, (struct berval *)&slap_EXOP_WHOAMI ) != LDAP_SUCCESS ) { return rs->sr_err; } bv = (struct berval *) ch_malloc( sizeof(struct berval) ); if( op->o_dn.bv_len ) { bv->bv_len = op->o_dn.bv_len + STRLENOF( "dn:" ); bv->bv_val = ch_malloc( bv->bv_len + 1 ); AC_MEMCPY( bv->bv_val, "dn:", STRLENOF( "dn:" ) ); AC_MEMCPY( &bv->bv_val[STRLENOF( "dn:" )], op->o_dn.bv_val, op->o_dn.bv_len ); bv->bv_val[bv->bv_len] = '\0'; } else { bv->bv_len = 0; bv->bv_val = NULL; } rs->sr_rspdata = bv; return LDAP_SUCCESS; }
void send_ldap_disconnect( Operation *op, SlapReply *rs ) { #define LDAP_UNSOLICITED_ERROR(e) \ ( (e) == LDAP_PROTOCOL_ERROR \ || (e) == LDAP_STRONG_AUTH_REQUIRED \ || (e) == LDAP_UNAVAILABLE ) Debug( LDAP_DEBUG_TRACE, "send_ldap_disconnect %d:%s\n", rs->sr_err, rs->sr_text ? rs->sr_text : "" ); assert( LDAP_UNSOLICITED_ERROR( rs->sr_err ) ); /* TODO: Flush the entry if sr_type == REP_SEARCH/REP_SEARCHREF? */ RS_ASSERT( !(rs->sr_flags & REP_ENTRY_MASK) ); rs->sr_flags &= ~REP_ENTRY_MASK; /* paranoia */ rs->sr_type = REP_EXTENDED; rs->sr_rspdata = NULL; if ( op->o_protocol < LDAP_VERSION3 ) { rs->sr_rspoid = NULL; rs->sr_tag = slap_req2res( op->o_tag ); rs->sr_msgid = (rs->sr_tag != LBER_SEQUENCE) ? op->o_msgid : 0; } else { rs->sr_rspoid = LDAP_NOTICE_DISCONNECT; rs->sr_tag = LDAP_RES_EXTENDED; rs->sr_msgid = LDAP_RES_UNSOLICITED; } if ( send_ldap_response( op, rs ) == SLAP_CB_CONTINUE ) { Statslog( LDAP_DEBUG_STATS, "%s DISCONNECT tag=%lu err=%d text=%s\n", op->o_log_prefix, rs->sr_tag, rs->sr_err, rs->sr_text ? rs->sr_text : "" ); } }
int do_modify( Operation *op, SlapReply *rs ) { struct berval dn = BER_BVNULL; char textbuf[ SLAP_TEXT_BUFLEN ]; size_t textlen = sizeof( textbuf ); #ifdef LDAP_DEBUG Modifications *tmp; #endif Debug( LDAP_DEBUG_TRACE, "%s do_modify\n", op->o_log_prefix, 0, 0 ); /* * Parse the modify request. It looks like this: * * ModifyRequest := [APPLICATION 6] SEQUENCE { * name DistinguishedName, * mods SEQUENCE OF SEQUENCE { * operation ENUMERATED { * add (0), * delete (1), * replace (2) * }, * modification SEQUENCE { * type AttributeType, * values SET OF AttributeValue * } * } * } */ if ( ber_scanf( op->o_ber, "{m" /*}*/, &dn ) == LBER_ERROR ) { Debug( LDAP_DEBUG_ANY, "%s do_modify: ber_scanf failed\n", op->o_log_prefix, 0, 0 ); send_ldap_discon( op, rs, LDAP_PROTOCOL_ERROR, "decoding error" ); return SLAPD_DISCONNECT; } Debug( LDAP_DEBUG_ARGS, "%s do_modify: dn (%s)\n", op->o_log_prefix, dn.bv_val, 0 ); rs->sr_err = slap_parse_modlist( op, rs, op->o_ber, &op->oq_modify ); if ( rs->sr_err != LDAP_SUCCESS ) { Debug( LDAP_DEBUG_ANY, "%s do_modify: slap_parse_modlist failed err=%d msg=%s\n", op->o_log_prefix, rs->sr_err, rs->sr_text ); send_ldap_result( op, rs ); goto cleanup; } if( get_ctrls( op, rs, 1 ) != LDAP_SUCCESS ) { Debug( LDAP_DEBUG_ANY, "%s do_modify: get_ctrls failed\n", op->o_log_prefix, 0, 0 ); /* get_ctrls has sent results. Now clean up. */ goto cleanup; } rs->sr_err = dnPrettyNormal( NULL, &dn, &op->o_req_dn, &op->o_req_ndn, op->o_tmpmemctx ); if( rs->sr_err != LDAP_SUCCESS ) { Debug( LDAP_DEBUG_ANY, "%s do_modify: invalid dn (%s)\n", op->o_log_prefix, dn.bv_val, 0 ); send_ldap_error( op, rs, LDAP_INVALID_DN_SYNTAX, "invalid DN" ); goto cleanup; } op->orm_no_opattrs = 0; #ifdef LDAP_DEBUG Debug( LDAP_DEBUG_ARGS, "%s modifications:\n", op->o_log_prefix, 0, 0 ); for ( tmp = op->orm_modlist; tmp != NULL; tmp = tmp->sml_next ) { Debug( LDAP_DEBUG_ARGS, "\t%s: %s\n", tmp->sml_op == LDAP_MOD_ADD ? "add" : (tmp->sml_op == LDAP_MOD_INCREMENT ? "increment" : (tmp->sml_op == LDAP_MOD_DELETE ? "delete" : "replace")), tmp->sml_type.bv_val, 0 ); if ( tmp->sml_values == NULL ) { Debug( LDAP_DEBUG_ARGS, "%s\n", "\t\tno values", NULL, NULL ); } else if ( BER_BVISNULL( &tmp->sml_values[ 0 ] ) ) { Debug( LDAP_DEBUG_ARGS, "%s\n", "\t\tzero values", NULL, NULL ); } else if ( BER_BVISNULL( &tmp->sml_values[ 1 ] ) ) { Debug( LDAP_DEBUG_ARGS, "%s, length %ld\n", "\t\tone value", (long) tmp->sml_values[0].bv_len, NULL ); } else { Debug( LDAP_DEBUG_ARGS, "%s\n", "\t\tmultiple values", NULL, NULL ); } } if ( StatslogTest( LDAP_DEBUG_STATS ) ) { char abuf[BUFSIZ/2], *ptr = abuf; int len = 0; Statslog( LDAP_DEBUG_STATS, "%s MOD dn=\"%s\"\n", op->o_log_prefix, op->o_req_dn.bv_val, 0, 0, 0 ); for ( tmp = op->orm_modlist; tmp != NULL; tmp = tmp->sml_next ) { if (len + 1 + tmp->sml_type.bv_len > sizeof(abuf)) { Statslog( LDAP_DEBUG_STATS, "%s MOD attr=%s\n", op->o_log_prefix, abuf, 0, 0, 0 ); len = 0; ptr = abuf; if( 1 + tmp->sml_type.bv_len > sizeof(abuf)) { Statslog( LDAP_DEBUG_STATS, "%s MOD attr=%s\n", op->o_log_prefix, tmp->sml_type.bv_val, 0, 0, 0 ); continue; } } if (len) { *ptr++ = ' '; len++; } ptr = lutil_strcopy(ptr, tmp->sml_type.bv_val); len += tmp->sml_type.bv_len; } if (len) { Statslog( LDAP_DEBUG_STATS, "%s MOD attr=%s\n", op->o_log_prefix, abuf, 0, 0, 0 ); } } #endif /* LDAP_DEBUG */ rs->sr_err = slap_mods_check( op, op->orm_modlist, &rs->sr_text, textbuf, textlen, NULL ); if ( rs->sr_err != LDAP_SUCCESS ) { send_ldap_result( op, rs ); goto cleanup; } op->o_bd = frontendDB; rs->sr_err = frontendDB->be_modify( op, rs ); #ifdef LDAP_X_TXN if( rs->sr_err == LDAP_X_TXN_SPECIFY_OKAY ) { /* skip cleanup */ return rs->sr_err; } #endif cleanup: op->o_tmpfree( op->o_req_dn.bv_val, op->o_tmpmemctx ); op->o_tmpfree( op->o_req_ndn.bv_val, op->o_tmpmemctx ); if ( op->orm_modlist != NULL ) slap_mods_free( op->orm_modlist, 1 ); return rs->sr_err; }
int do_bind( Operation *op, SlapReply *rs ) { BerElement *ber = op->o_ber; ber_int_t version; ber_tag_t method; struct berval mech = BER_BVNULL; struct berval dn = BER_BVNULL; ber_tag_t tag; Backend *be = NULL; Debug( LDAP_DEBUG_TRACE, "%s do_bind\n", op->o_log_prefix ); /* * Force the connection to "anonymous" until bind succeeds. */ ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex ); if ( op->o_conn->c_sasl_bind_in_progress ) { be = op->o_conn->c_authz_backend; } if ( !BER_BVISEMPTY( &op->o_conn->c_dn ) ) { /* log authorization identity demotion */ Statslog( LDAP_DEBUG_STATS, "%s BIND anonymous mech=implicit ssf=0\n", op->o_log_prefix ); } connection2anonymous( op->o_conn ); if ( op->o_conn->c_sasl_bind_in_progress ) { op->o_conn->c_authz_backend = be; } ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex ); if ( !BER_BVISNULL( &op->o_dn ) ) { /* NOTE: temporarily wasting few bytes * (until bind is completed), but saving * a couple of ch_free() and ch_strdup("") */ op->o_dn.bv_val[0] = '\0'; op->o_dn.bv_len = 0; } if ( !BER_BVISNULL( &op->o_ndn ) ) { op->o_ndn.bv_val[0] = '\0'; op->o_ndn.bv_len = 0; } /* * Parse the bind request. It looks like this: * * BindRequest ::= SEQUENCE { * version INTEGER, -- version * name DistinguishedName, -- dn * authentication CHOICE { * simple [0] OCTET STRING -- passwd * krbv42ldap [1] OCTET STRING -- OBSOLETE * krbv42dsa [2] OCTET STRING -- OBSOLETE * SASL [3] SaslCredentials * } * } * * SaslCredentials ::= SEQUENCE { * mechanism LDAPString, * credentials OCTET STRING OPTIONAL * } */ tag = ber_scanf( ber, "{imt" /*}*/, &version, &dn, &method ); if ( tag == LBER_ERROR ) { Debug( LDAP_DEBUG_ANY, "%s do_bind: ber_scanf failed\n", op->o_log_prefix ); send_ldap_discon( op, rs, LDAP_PROTOCOL_ERROR, "decoding error" ); rs->sr_err = SLAPD_DISCONNECT; goto cleanup; } op->o_protocol = version; op->orb_method = method; if( op->orb_method != LDAP_AUTH_SASL ) { tag = ber_scanf( ber, /*{*/ "m}", &op->orb_cred ); } else { tag = ber_scanf( ber, "{m" /*}*/, &mech ); if ( tag != LBER_ERROR ) { ber_len_t len; tag = ber_peek_tag( ber, &len ); if ( tag == LDAP_TAG_LDAPCRED ) { tag = ber_scanf( ber, "m", &op->orb_cred ); } else { tag = LDAP_TAG_LDAPCRED; BER_BVZERO( &op->orb_cred ); } if ( tag != LBER_ERROR ) { tag = ber_scanf( ber, /*{{*/ "}}" ); } } } if ( tag == LBER_ERROR ) { Debug( LDAP_DEBUG_ANY, "%s do_bind: ber_scanf failed\n", op->o_log_prefix ); send_ldap_discon( op, rs, LDAP_PROTOCOL_ERROR, "decoding error" ); rs->sr_err = SLAPD_DISCONNECT; goto cleanup; } if( get_ctrls( op, rs, 1 ) != LDAP_SUCCESS ) { Debug( LDAP_DEBUG_ANY, "%s do_bind: get_ctrls failed\n", op->o_log_prefix ); goto cleanup; } /* We use the tmpmemctx here because it speeds up normalization. * However, we must dup with regular malloc when storing any * resulting DNs in the op or conn structures. */ rs->sr_err = dnPrettyNormal( NULL, &dn, &op->o_req_dn, &op->o_req_ndn, op->o_tmpmemctx ); if ( rs->sr_err != LDAP_SUCCESS ) { Debug( LDAP_DEBUG_ANY, "%s do_bind: invalid dn (%s)\n", op->o_log_prefix, dn.bv_val ); send_ldap_error( op, rs, LDAP_INVALID_DN_SYNTAX, "invalid DN" ); goto cleanup; } Statslog( LDAP_DEBUG_STATS, "%s BIND dn=\"%s\" method=%ld\n", op->o_log_prefix, op->o_req_dn.bv_val, (unsigned long) op->orb_method ); if( op->orb_method == LDAP_AUTH_SASL ) { Debug( LDAP_DEBUG_TRACE, "do_bind: dn (%s) SASL mech %s\n", op->o_req_dn.bv_val, mech.bv_val ); } else { Debug( LDAP_DEBUG_TRACE, "do_bind: version=%ld dn=\"%s\" method=%ld\n", (unsigned long) version, op->o_req_dn.bv_val, (unsigned long) op->orb_method ); } if ( version < LDAP_VERSION_MIN || version > LDAP_VERSION_MAX ) { Debug( LDAP_DEBUG_ANY, "%s do_bind: unknown version=%ld\n", op->o_log_prefix, (unsigned long) version ); send_ldap_error( op, rs, LDAP_PROTOCOL_ERROR, "requested protocol version not supported" ); goto cleanup; } else if (!( global_allows & SLAP_ALLOW_BIND_V2 ) && version < LDAP_VERSION3 ) { send_ldap_error( op, rs, LDAP_PROTOCOL_ERROR, "historical protocol version requested, use LDAPv3 instead" ); goto cleanup; } /* * we set connection version regardless of whether bind succeeds or not. */ ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex ); op->o_conn->c_protocol = version; ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex ); op->orb_mech = mech; op->o_bd = frontendDB; rs->sr_err = frontendDB->be_bind( op, rs ); cleanup: if ( rs->sr_err == LDAP_SUCCESS ) { if ( op->orb_method != LDAP_AUTH_SASL ) { ber_dupbv( &op->o_conn->c_authmech, &mech ); } op->o_conn->c_authtype = op->orb_method; } if( !BER_BVISNULL( &op->o_req_dn ) ) { slap_sl_free( op->o_req_dn.bv_val, op->o_tmpmemctx ); BER_BVZERO( &op->o_req_dn ); } if( !BER_BVISNULL( &op->o_req_ndn ) ) { slap_sl_free( op->o_req_ndn.bv_val, op->o_tmpmemctx ); BER_BVZERO( &op->o_req_ndn ); } return rs->sr_err; }
static int slap_sasl_authorize( sasl_conn_t *sconn, void *context, char *requested_user, unsigned rlen, char *auth_identity, unsigned alen, const char *def_realm, unsigned urlen, struct propctx *props) { Connection *conn = (Connection *)context; /* actually: * (SLAP_SASL_PROP_COUNT - 1) because we skip "conn", * + 1 for NULL termination? */ struct propval auxvals[ SLAP_SASL_PROP_COUNT ] = { { 0 } }; struct berval authcDN, authzDN = BER_BVNULL; int rc; /* Simple Binds don't support proxy authorization, ignore it */ if ( !conn->c_sasl_bindop || conn->c_sasl_bindop->orb_method != LDAP_AUTH_SASL ) return SASL_OK; Debug( LDAP_DEBUG_ARGS, "SASL proxy authorize [conn=%ld]: " "authcid=\"%s\" authzid=\"%s\"\n", conn ? (long) conn->c_connid : -1L, auth_identity, requested_user ); if ( conn->c_sasl_dn.bv_val ) { BER_BVZERO( &conn->c_sasl_dn ); } /* Skip SLAP_SASL_PROP_CONN */ prop_getnames( props, slap_propnames+1, auxvals ); /* Should not happen */ if ( !auxvals[0].values ) { sasl_seterror( sconn, 0, "invalid authcid" ); return SASL_NOAUTHZ; } AC_MEMCPY( &authcDN.bv_len, auxvals[0].values[0], sizeof(authcDN.bv_len) ); authcDN.bv_val = auxvals[1].values ? (char *)auxvals[1].values[0] : NULL; conn->c_sasl_dn = authcDN; /* Nothing to do if no authzID was given */ if ( !auxvals[2].name || !auxvals[2].values ) { goto ok; } AC_MEMCPY( &authzDN.bv_len, auxvals[2].values[0], sizeof(authzDN.bv_len) ); authzDN.bv_val = auxvals[3].values ? (char *)auxvals[3].values[0] : NULL; rc = slap_sasl_authorized( conn->c_sasl_bindop, &authcDN, &authzDN ); if ( rc != LDAP_SUCCESS ) { Debug( LDAP_DEBUG_TRACE, "SASL Proxy Authorize [conn=%ld]: " "proxy authorization disallowed (%d)\n", conn ? (long) conn->c_connid : -1L, rc, 0 ); sasl_seterror( sconn, 0, "not authorized" ); return SASL_NOAUTHZ; } /* FIXME: we need yet another dup because slap_sasl_getdn() * is using the bind operation slab */ ber_dupbv( &conn->c_sasl_authz_dn, &authzDN ); ok: if (conn->c_sasl_bindop) { Statslog( LDAP_DEBUG_STATS, "%s BIND authcid=\"%s\" authzid=\"%s\"\n", conn->c_sasl_bindop->o_log_prefix, auth_identity, requested_user, 0, 0 ); } Debug( LDAP_DEBUG_TRACE, "SASL Authorize [conn=%ld]: " " proxy authorization allowed authzDN=\"%s\"\n", conn ? (long) conn->c_connid : -1L, authzDN.bv_val ? authzDN.bv_val : "", 0 ); return SASL_OK; }
int dnssrv_back_search( Operation *op, SlapReply *rs ) { int i; int rc; char *domain = NULL; char *hostlist = NULL; char **hosts = NULL; char *refdn; struct berval nrefdn = BER_BVNULL; BerVarray urls = NULL; int manageDSAit; rs->sr_ref = NULL; if ( BER_BVISEMPTY( &op->o_req_ndn ) ) { /* FIXME: need some means to determine whether the database * is a glue instance; if we got here with empty DN, then * we passed this same test in dnssrv_back_referrals() */ if ( !SLAP_GLUE_INSTANCE( op->o_bd ) ) { rs->sr_err = LDAP_UNWILLING_TO_PERFORM; rs->sr_text = "DNS SRV operation upon null (empty) DN disallowed"; } else { rs->sr_err = LDAP_SUCCESS; } goto done; } manageDSAit = get_manageDSAit( op ); /* * FIXME: we may return a referral if manageDSAit is not set */ if ( !manageDSAit ) { send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM, "manageDSAit must be set" ); goto done; } if( ldap_dn2domain( op->o_req_dn.bv_val, &domain ) || domain == NULL ) { rs->sr_err = LDAP_REFERRAL; rs->sr_ref = default_referral; send_ldap_result( op, rs ); rs->sr_ref = NULL; goto done; } Debug( LDAP_DEBUG_TRACE, "DNSSRV: dn=\"%s\" -> domain=\"%s\"\n", op->o_req_dn.bv_len ? op->o_req_dn.bv_val : "", domain, 0 ); if( ( rc = ldap_domain2hostlist( domain, &hostlist ) ) ) { Debug( LDAP_DEBUG_TRACE, "DNSSRV: domain2hostlist returned %d\n", rc, 0, 0 ); send_ldap_error( op, rs, LDAP_NO_SUCH_OBJECT, "no DNS SRV RR available for DN" ); goto done; } hosts = ldap_str2charray( hostlist, " " ); if( hosts == NULL ) { Debug( LDAP_DEBUG_TRACE, "DNSSRV: str2charrary error\n", 0, 0, 0 ); send_ldap_error( op, rs, LDAP_OTHER, "problem processing DNS SRV records for DN" ); goto done; } for( i=0; hosts[i] != NULL; i++) { struct berval url; url.bv_len = STRLENOF( "ldap://" ) + strlen(hosts[i]); url.bv_val = ch_malloc( url.bv_len + 1 ); strcpy( url.bv_val, "ldap://" ); strcpy( &url.bv_val[STRLENOF( "ldap://" )], hosts[i] ); if( ber_bvarray_add( &urls, &url ) < 0 ) { free( url.bv_val ); send_ldap_error( op, rs, LDAP_OTHER, "problem processing DNS SRV records for DN" ); goto done; } } Statslog( LDAP_DEBUG_STATS, "%s DNSSRV p=%d dn=\"%s\" url=\"%s\"\n", op->o_log_prefix, op->o_protocol, op->o_req_dn.bv_len ? op->o_req_dn.bv_val : "", urls[0].bv_val, 0 ); Debug( LDAP_DEBUG_TRACE, "DNSSRV: ManageDSAit scope=%d dn=\"%s\" -> url=\"%s\"\n", op->oq_search.rs_scope, op->o_req_dn.bv_len ? op->o_req_dn.bv_val : "", urls[0].bv_val ); rc = ldap_domain2dn(domain, &refdn); if( rc != LDAP_SUCCESS ) { send_ldap_error( op, rs, LDAP_OTHER, "DNS SRV problem processing manageDSAit control" ); goto done; } else { struct berval bv; bv.bv_val = refdn; bv.bv_len = strlen( refdn ); rc = dnNormalize( 0, NULL, NULL, &bv, &nrefdn, op->o_tmpmemctx ); if( rc != LDAP_SUCCESS ) { send_ldap_error( op, rs, LDAP_OTHER, "DNS SRV problem processing manageDSAit control" ); goto done; } } if( !dn_match( &nrefdn, &op->o_req_ndn ) ) { /* requested dn is subordinate */ Debug( LDAP_DEBUG_TRACE, "DNSSRV: dn=\"%s\" subordinate to refdn=\"%s\"\n", op->o_req_dn.bv_len ? op->o_req_dn.bv_val : "", refdn == NULL ? "" : refdn, NULL ); rs->sr_matched = refdn; rs->sr_err = LDAP_NO_SUCH_OBJECT; send_ldap_result( op, rs ); rs->sr_matched = NULL; } else if ( op->oq_search.rs_scope == LDAP_SCOPE_ONELEVEL ) { send_ldap_error( op, rs, LDAP_SUCCESS, NULL ); } else { Entry e = { 0 }; AttributeDescription *ad_objectClass = slap_schema.si_ad_objectClass; AttributeDescription *ad_ref = slap_schema.si_ad_ref; e.e_name.bv_val = ch_strdup( op->o_req_dn.bv_val ); e.e_name.bv_len = op->o_req_dn.bv_len; e.e_nname.bv_val = ch_strdup( op->o_req_ndn.bv_val ); e.e_nname.bv_len = op->o_req_ndn.bv_len; e.e_attrs = NULL; e.e_private = NULL; attr_merge_one( &e, ad_objectClass, &slap_schema.si_oc_referral->soc_cname, NULL ); attr_merge_one( &e, ad_objectClass, &slap_schema.si_oc_extensibleObject->soc_cname, NULL ); if ( ad_dc ) { char *p; struct berval bv; bv.bv_val = domain; p = strchr( bv.bv_val, '.' ); if ( p == bv.bv_val ) { bv.bv_len = 1; } else if ( p != NULL ) { bv.bv_len = p - bv.bv_val; } else { bv.bv_len = strlen( bv.bv_val ); } attr_merge_normalize_one( &e, ad_dc, &bv, NULL ); } if ( ad_associatedDomain ) { struct berval bv; ber_str2bv( domain, 0, 0, &bv ); attr_merge_normalize_one( &e, ad_associatedDomain, &bv, NULL ); } attr_merge_normalize_one( &e, ad_ref, urls, NULL ); rc = test_filter( op, &e, op->oq_search.rs_filter ); if( rc == LDAP_COMPARE_TRUE ) { rs->sr_entry = &e; rs->sr_attrs = op->oq_search.rs_attrs; rs->sr_flags = REP_ENTRY_MODIFIABLE; send_search_entry( op, rs ); rs->sr_entry = NULL; rs->sr_attrs = NULL; rs->sr_flags = 0; } entry_clean( &e ); rs->sr_err = LDAP_SUCCESS; send_ldap_result( op, rs ); } if ( refdn ) free( refdn ); if ( nrefdn.bv_val ) free( nrefdn.bv_val ); done: if( domain != NULL ) ch_free( domain ); if( hostlist != NULL ) ch_free( hostlist ); if( hosts != NULL ) ldap_charray_free( hosts ); if( urls != NULL ) ber_bvarray_free( urls ); return 0; }
int do_delete( Operation *op, SlapReply *rs ) { struct berval dn = BER_BVNULL; Debug( LDAP_DEBUG_TRACE, "%s do_delete\n", op->o_log_prefix, 0, 0 ); /* * Parse the delete request. It looks like this: * * DelRequest := DistinguishedName */ if ( ber_scanf( op->o_ber, "m", &dn ) == LBER_ERROR ) { Debug( LDAP_DEBUG_ANY, "%s do_delete: ber_scanf failed\n", op->o_log_prefix, 0, 0 ); send_ldap_discon( op, rs, LDAP_PROTOCOL_ERROR, "decoding error" ); return SLAPD_DISCONNECT; } if( get_ctrls( op, rs, 1 ) != LDAP_SUCCESS ) { Debug( LDAP_DEBUG_ANY, "%s do_delete: get_ctrls failed\n", op->o_log_prefix, 0, 0 ); goto cleanup; } rs->sr_err = dnPrettyNormal( NULL, &dn, &op->o_req_dn, &op->o_req_ndn, op->o_tmpmemctx ); if( rs->sr_err != LDAP_SUCCESS ) { Debug( LDAP_DEBUG_ANY, "%s do_delete: invalid dn (%s)\n", op->o_log_prefix, dn.bv_val, 0 ); send_ldap_error( op, rs, LDAP_INVALID_DN_SYNTAX, "invalid DN" ); goto cleanup; } Statslog( LDAP_DEBUG_STATS, "%s DEL dn=\"%s\"\n", op->o_log_prefix, op->o_req_dn.bv_val, 0, 0, 0 ); if( op->o_req_ndn.bv_len == 0 ) { Debug( LDAP_DEBUG_ANY, "%s do_delete: root dse!\n", op->o_log_prefix, 0, 0 ); /* protocolError would likely be a more appropriate error */ send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM, "cannot delete the root DSE" ); goto cleanup; } else if ( bvmatch( &op->o_req_ndn, &frontendDB->be_schemandn ) ) { Debug( LDAP_DEBUG_ANY, "%s do_delete: subschema subentry!\n", op->o_log_prefix, 0, 0 ); /* protocolError would likely be a more appropriate error */ send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM, "cannot delete the root DSE" ); goto cleanup; } op->o_bd = frontendDB; rs->sr_err = frontendDB->be_delete( op, rs ); #ifdef LDAP_X_TXN if( rs->sr_err == LDAP_X_TXN_SPECIFY_OKAY ) { /* skip cleanup */ return rs->sr_err; } #endif cleanup:; op->o_tmpfree( op->o_req_dn.bv_val, op->o_tmpmemctx ); op->o_tmpfree( op->o_req_ndn.bv_val, op->o_tmpmemctx ); return rs->sr_err; }
int do_extended( Operation *op, SlapReply *rs ) { struct berval reqdata = {0, NULL}; ber_len_t len; Debug( LDAP_DEBUG_TRACE, "%s do_extended\n", op->o_log_prefix, 0, 0 ); if( op->o_protocol < LDAP_VERSION3 ) { Debug( LDAP_DEBUG_ANY, "%s do_extended: protocol version (%d) too low\n", op->o_log_prefix, op->o_protocol, 0 ); send_ldap_discon( op, rs, LDAP_PROTOCOL_ERROR, "requires LDAPv3" ); rs->sr_err = SLAPD_DISCONNECT; goto done; } if ( ber_scanf( op->o_ber, "{m" /*}*/, &op->ore_reqoid ) == LBER_ERROR ) { Debug( LDAP_DEBUG_ANY, "%s do_extended: ber_scanf failed\n", op->o_log_prefix, 0, 0 ); send_ldap_discon( op, rs, LDAP_PROTOCOL_ERROR, "decoding error" ); rs->sr_err = SLAPD_DISCONNECT; goto done; } if( ber_peek_tag( op->o_ber, &len ) == LDAP_TAG_EXOP_REQ_VALUE ) { if( ber_scanf( op->o_ber, "m", &reqdata ) == LBER_ERROR ) { Debug( LDAP_DEBUG_ANY, "%s do_extended: ber_scanf failed\n", op->o_log_prefix, 0, 0 ); send_ldap_discon( op, rs, LDAP_PROTOCOL_ERROR, "decoding error" ); rs->sr_err = SLAPD_DISCONNECT; goto done; } } if( get_ctrls( op, rs, 1 ) != LDAP_SUCCESS ) { Debug( LDAP_DEBUG_ANY, "%s do_extended: get_ctrls failed\n", op->o_log_prefix, 0, 0 ); return rs->sr_err; } Statslog( LDAP_DEBUG_STATS, "%s EXT oid=%s\n", op->o_log_prefix, op->ore_reqoid.bv_val, 0, 0, 0 ); /* check for controls inappropriate for all extended operations */ if( get_manageDSAit( op ) == SLAP_CONTROL_CRITICAL ) { send_ldap_error( op, rs, LDAP_UNAVAILABLE_CRITICAL_EXTENSION, "manageDSAit control inappropriate" ); goto done; } /* FIXME: temporary? */ if ( reqdata.bv_val ) { op->ore_reqdata = &reqdata; } op->o_bd = frontendDB; rs->sr_err = frontendDB->be_extended( op, rs ); /* clean up in case some overlay set them? */ if ( !BER_BVISNULL( &op->o_req_ndn ) ) { if ( !BER_BVISNULL( &op->o_req_dn ) && op->o_req_ndn.bv_val != op->o_req_dn.bv_val ) { op->o_tmpfree( op->o_req_dn.bv_val, op->o_tmpmemctx ); } op->o_tmpfree( op->o_req_ndn.bv_val, op->o_tmpmemctx ); BER_BVZERO( &op->o_req_dn ); BER_BVZERO( &op->o_req_ndn ); } done: return rs->sr_err; }
int passwd_extop( Operation *op, SlapReply *rs ) { struct berval id = {0, NULL}, hash, *rsp = NULL; req_pwdexop_s *qpw = &op->oq_pwdexop; req_extended_s qext = op->oq_extended; Modifications *ml; slap_callback cb = { NULL, slap_null_cb, NULL, NULL }; int i, nhash; char **hashes, idNul; int rc; BackendDB *op_be; int freenewpw = 0; struct berval dn = BER_BVNULL, ndn = BER_BVNULL; assert( ber_bvcmp( &slap_EXOP_MODIFY_PASSWD, &op->ore_reqoid ) == 0 ); if( op->o_dn.bv_len == 0 ) { Statslog( LDAP_DEBUG_STATS, "%s PASSMOD\n", op->o_log_prefix, 0, 0, 0, 0 ); rs->sr_text = "only authenticated users may change passwords"; return LDAP_STRONG_AUTH_REQUIRED; } qpw->rs_old.bv_len = 0; qpw->rs_old.bv_val = NULL; qpw->rs_new.bv_len = 0; qpw->rs_new.bv_val = NULL; qpw->rs_mods = NULL; qpw->rs_modtail = NULL; rs->sr_err = slap_passwd_parse( op->ore_reqdata, &id, &qpw->rs_old, &qpw->rs_new, &rs->sr_text ); if ( !BER_BVISNULL( &id )) { idNul = id.bv_val[id.bv_len]; id.bv_val[id.bv_len] = '\0'; } if ( rs->sr_err == LDAP_SUCCESS && !BER_BVISEMPTY( &id ) ) { Statslog( LDAP_DEBUG_STATS, "%s PASSMOD id=\"%s\"%s%s\n", op->o_log_prefix, id.bv_val, qpw->rs_old.bv_val ? " old" : "", qpw->rs_new.bv_val ? " new" : "", 0 ); } else { Statslog( LDAP_DEBUG_STATS, "%s PASSMOD%s%s\n", op->o_log_prefix, qpw->rs_old.bv_val ? " old" : "", qpw->rs_new.bv_val ? " new" : "", 0, 0 ); } if ( rs->sr_err != LDAP_SUCCESS ) { if ( !BER_BVISNULL( &id )) id.bv_val[id.bv_len] = idNul; return rs->sr_err; } if ( !BER_BVISEMPTY( &id ) ) { rs->sr_err = dnPrettyNormal( NULL, &id, &dn, &ndn, op->o_tmpmemctx ); id.bv_val[id.bv_len] = idNul; if ( rs->sr_err != LDAP_SUCCESS ) { rs->sr_text = "Invalid DN"; rc = rs->sr_err; goto error_return; } op->o_req_dn = dn; op->o_req_ndn = ndn; op->o_bd = select_backend( &op->o_req_ndn, 1 ); } else { ber_dupbv_x( &dn, &op->o_dn, op->o_tmpmemctx ); ber_dupbv_x( &ndn, &op->o_ndn, op->o_tmpmemctx ); op->o_req_dn = dn; op->o_req_ndn = ndn; ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex ); op->o_bd = op->o_conn->c_authz_backend; ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex ); } if( op->o_bd == NULL ) { if ( qpw->rs_old.bv_val != NULL ) { rs->sr_text = "unwilling to verify old password"; rc = LDAP_UNWILLING_TO_PERFORM; goto error_return; } #ifdef HAVE_CYRUS_SASL rc = slap_sasl_setpass( op, rs ); #else rs->sr_text = "no authz backend"; rc = LDAP_OTHER; #endif goto error_return; } if ( op->o_req_ndn.bv_len == 0 ) { rs->sr_text = "no password is associated with the Root DSE"; rc = LDAP_UNWILLING_TO_PERFORM; goto error_return; } /* If we've got a glued backend, check the real backend */ op_be = op->o_bd; if ( SLAP_GLUE_INSTANCE( op->o_bd )) { op->o_bd = select_backend( &op->o_req_ndn, 0 ); } if (backend_check_restrictions( op, rs, (struct berval *)&slap_EXOP_MODIFY_PASSWD ) != LDAP_SUCCESS) { rc = rs->sr_err; goto error_return; } /* check for referrals */ if ( backend_check_referrals( op, rs ) != LDAP_SUCCESS ) { rc = rs->sr_err; goto error_return; } /* This does not apply to multi-master case */ if(!( !SLAP_SINGLE_SHADOW( op->o_bd ) || be_isupdate( op ))) { /* we SHOULD return a referral in this case */ BerVarray defref = op->o_bd->be_update_refs ? op->o_bd->be_update_refs : default_referral; if( defref != NULL ) { rs->sr_ref = referral_rewrite( op->o_bd->be_update_refs, NULL, NULL, LDAP_SCOPE_DEFAULT ); if(rs->sr_ref) { rs->sr_flags |= REP_REF_MUSTBEFREED; } else { rs->sr_ref = defref; } rc = LDAP_REFERRAL; goto error_return; } rs->sr_text = "shadow context; no update referral"; rc = LDAP_UNWILLING_TO_PERFORM; goto error_return; } /* generate a new password if none was provided */ if ( qpw->rs_new.bv_len == 0 ) { slap_passwd_generate( &qpw->rs_new ); if ( qpw->rs_new.bv_len ) { rsp = slap_passwd_return( &qpw->rs_new ); freenewpw = 1; } } if ( qpw->rs_new.bv_len == 0 ) { rs->sr_text = "password generation failed"; rc = LDAP_OTHER; goto error_return; } op->o_bd = op_be; /* Give the backend a chance to handle this itself */ if ( op->o_bd->be_extended ) { rs->sr_err = op->o_bd->be_extended( op, rs ); if ( rs->sr_err != LDAP_UNWILLING_TO_PERFORM && rs->sr_err != SLAP_CB_CONTINUE ) { rc = rs->sr_err; if ( rsp ) { rs->sr_rspdata = rsp; rsp = NULL; } goto error_return; } } /* The backend didn't handle it, so try it here */ if( op->o_bd && !op->o_bd->be_modify ) { rs->sr_text = "operation not supported for current user"; rc = LDAP_UNWILLING_TO_PERFORM; goto error_return; } if ( qpw->rs_old.bv_val != NULL ) { Entry *e = NULL; rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, slap_schema.si_ad_userPassword, 0, &e ); if ( rc == LDAP_SUCCESS && e ) { Attribute *a = attr_find( e->e_attrs, slap_schema.si_ad_userPassword ); if ( a ) rc = slap_passwd_check( op, e, a, &qpw->rs_old, &rs->sr_text ); else rc = 1; be_entry_release_r( op, e ); if ( rc == LDAP_SUCCESS ) goto old_good; } rs->sr_text = "unwilling to verify old password"; rc = LDAP_UNWILLING_TO_PERFORM; goto error_return; } old_good: ml = ch_malloc( sizeof(Modifications) ); if ( !qpw->rs_modtail ) qpw->rs_modtail = &ml->sml_next; if ( default_passwd_hash ) { for ( nhash = 0; default_passwd_hash[nhash]; nhash++ ); hashes = default_passwd_hash; } else { nhash = 1; hashes = (char **)defhash; } ml->sml_numvals = nhash; ml->sml_values = ch_malloc( (nhash+1)*sizeof(struct berval) ); for ( i=0; hashes[i]; i++ ) { slap_passwd_hash_type( &qpw->rs_new, &hash, hashes[i], &rs->sr_text ); if ( hash.bv_len == 0 ) { if ( !rs->sr_text ) { rs->sr_text = "password hash failed"; } break; } ml->sml_values[i] = hash; } ml->sml_values[i].bv_val = NULL; ml->sml_nvalues = NULL; ml->sml_desc = slap_schema.si_ad_userPassword; ml->sml_type = ml->sml_desc->ad_cname; ml->sml_op = LDAP_MOD_REPLACE; ml->sml_flags = 0; ml->sml_next = qpw->rs_mods; qpw->rs_mods = ml; if ( hashes[i] ) { rs->sr_err = LDAP_OTHER; } else { slap_callback *sc = op->o_callback; op->o_tag = LDAP_REQ_MODIFY; op->o_callback = &cb; op->orm_modlist = qpw->rs_mods; op->orm_no_opattrs = 0; cb.sc_private = qpw; /* let Modify know this was pwdMod, * if it cares... */ rs->sr_err = op->o_bd->be_modify( op, rs ); /* be_modify() might have shuffled modifications */ qpw->rs_mods = op->orm_modlist; if ( rs->sr_err == LDAP_SUCCESS ) { rs->sr_rspdata = rsp; } else if ( rsp ) { ber_bvfree( rsp ); rsp = NULL; } op->o_tag = LDAP_REQ_EXTENDED; op->o_callback = sc; } rc = rs->sr_err; op->oq_extended = qext; error_return:; if ( qpw->rs_mods ) { slap_mods_free( qpw->rs_mods, 1 ); } if ( freenewpw ) { free( qpw->rs_new.bv_val ); } if ( !BER_BVISNULL( &dn ) ) { op->o_tmpfree( dn.bv_val, op->o_tmpmemctx ); BER_BVZERO( &op->o_req_dn ); } if ( !BER_BVISNULL( &ndn ) ) { op->o_tmpfree( ndn.bv_val, op->o_tmpmemctx ); BER_BVZERO( &op->o_req_ndn ); } return rc; }
int slap_send_search_entry( Operation *op, SlapReply *rs ) { BerElementBuffer berbuf; BerElement *ber = (BerElement *) &berbuf; Attribute *a; int i, j, rc = LDAP_UNAVAILABLE, bytes; int userattrs; AccessControlState acl_state = ACL_STATE_INIT; int attrsonly; AttributeDescription *ad_entry = slap_schema.si_ad_entry; /* a_flags: array of flags telling if the i-th element will be * returned or filtered out * e_flags: array of a_flags */ char **e_flags = NULL; rs->sr_type = REP_SEARCH; if ( op->ors_slimit >= 0 && rs->sr_nentries >= op->ors_slimit ) { rc = LDAP_SIZELIMIT_EXCEEDED; goto error_return; } /* Every 64 entries, check for thread pool pause */ if ( ( ( rs->sr_nentries & 0x3f ) == 0x3f ) && ldap_pvt_thread_pool_pausing( &connection_pool ) > 0 ) { rc = LDAP_BUSY; goto error_return; } /* eventually will loop through generated operational attribute types * currently implemented types include: * entryDN, subschemaSubentry, and hasSubordinates */ /* NOTE: moved before overlays callback circling because * they may modify entry and other stuff in rs */ /* check for special all operational attributes ("+") type */ /* FIXME: maybe we could set this flag at the operation level; * however, in principle the caller of send_search_entry() may * change the attribute list at each call */ rs->sr_attr_flags = slap_attr_flags( rs->sr_attrs ); rc = backend_operational( op, rs ); if ( rc ) { goto error_return; } if ( op->o_callback ) { rc = slap_response_play( op, rs ); if ( rc != SLAP_CB_CONTINUE ) { goto error_return; } } Debug( LDAP_DEBUG_TRACE, "=> send_search_entry: conn %lu dn=\"%s\"%s\n", op->o_connid, rs->sr_entry->e_name.bv_val, op->ors_attrsonly ? " (attrsOnly)" : "" ); attrsonly = op->ors_attrsonly; if ( !access_allowed( op, rs->sr_entry, ad_entry, NULL, ACL_READ, NULL )) { Debug( LDAP_DEBUG_ACL, "send_search_entry: conn %lu access to entry (%s) not allowed\n", op->o_connid, rs->sr_entry->e_name.bv_val ); rc = LDAP_INSUFFICIENT_ACCESS; goto error_return; } if ( op->o_res_ber ) { /* read back control or LDAP_CONNECTIONLESS */ ber = op->o_res_ber; } else { struct berval bv; bv.bv_len = entry_flatsize( rs->sr_entry, 0 ); bv.bv_val = op->o_tmpalloc( bv.bv_len, op->o_tmpmemctx ); ber_init2( ber, &bv, LBER_USE_DER ); ber_set_option( ber, LBER_OPT_BER_MEMCTX, &op->o_tmpmemctx ); } #ifdef LDAP_CONNECTIONLESS if ( op->o_conn && op->o_conn->c_is_udp ) { /* CONNECTIONLESS */ if ( op->o_protocol == LDAP_VERSION2 ) { rc = ber_printf(ber, "t{O{" /*}}*/, LDAP_RES_SEARCH_ENTRY, &rs->sr_entry->e_name ); } else { rc = ber_printf( ber, "{it{O{" /*}}}*/, op->o_msgid, LDAP_RES_SEARCH_ENTRY, &rs->sr_entry->e_name ); } } else #endif if ( op->o_res_ber ) { /* read back control */ rc = ber_printf( ber, "t{O{" /*}}*/, LDAP_RES_SEARCH_ENTRY, &rs->sr_entry->e_name ); } else { rc = ber_printf( ber, "{it{O{" /*}}}*/, op->o_msgid, LDAP_RES_SEARCH_ENTRY, &rs->sr_entry->e_name ); } if ( rc == -1 ) { Debug( LDAP_DEBUG_ANY, "send_search_entry: conn %lu ber_printf failed\n", op->o_connid ); if ( op->o_res_ber == NULL ) ber_free_buf( ber ); set_ldap_error( rs, LDAP_OTHER, "encoding DN error" ); rc = rs->sr_err; goto error_return; } /* check for special all user attributes ("*") type */ userattrs = SLAP_USERATTRS( rs->sr_attr_flags ); /* create an array of arrays of flags. Each flag corresponds * to particular value of attribute and equals 1 if value matches * to ValuesReturnFilter or 0 if not */ if ( op->o_vrFilter != NULL ) { int k = 0; size_t size; for ( a = rs->sr_entry->e_attrs, i=0; a != NULL; a = a->a_next, i++ ) { for ( j = 0; a->a_vals[j].bv_val != NULL; j++ ) k++; } size = i * sizeof(char *) + k; if ( size > 0 ) { char *a_flags; e_flags = slap_sl_calloc ( 1, i * sizeof(char *) + k, op->o_tmpmemctx ); if( e_flags == NULL ) { Debug( LDAP_DEBUG_ANY, "send_search_entry: conn %lu slap_sl_calloc failed\n", op->o_connid ); ber_free( ber, 1 ); set_ldap_error( rs, LDAP_OTHER, "out of memory" ); goto error_return; } a_flags = (char *)(e_flags + i); memset( a_flags, 0, k ); for ( a=rs->sr_entry->e_attrs, i=0; a != NULL; a=a->a_next, i++ ) { for ( j = 0; a->a_vals[j].bv_val != NULL; j++ ); e_flags[i] = a_flags; a_flags += j; } rc = filter_matched_values(op, rs->sr_entry->e_attrs, &e_flags) ; if ( rc == -1 ) { Debug( LDAP_DEBUG_ANY, "send_search_entry: " "conn %lu matched values filtering failed\n", op->o_connid ); if ( op->o_res_ber == NULL ) ber_free_buf( ber ); set_ldap_error( rs, LDAP_OTHER, "matched values filtering error" ); rc = rs->sr_err; goto error_return; } } } for ( a = rs->sr_entry->e_attrs, j = 0; a != NULL; a = a->a_next, j++ ) { AttributeDescription *desc = a->a_desc; int finish = 0; if ( rs->sr_attrs == NULL ) { /* all user attrs request, skip operational attributes */ if( is_at_operational( desc->ad_type ) ) { continue; } } else { /* specific attrs requested */ if ( is_at_operational( desc->ad_type ) ) { /* if not explicitly requested */ if ( !ad_inlist( desc, rs->sr_attrs )) { /* if not all op attrs requested, skip */ if ( !SLAP_OPATTRS( rs->sr_attr_flags )) continue; /* if DSA-specific and replicating, skip */ if ( op->o_sync != SLAP_CONTROL_NONE && desc->ad_type->sat_usage == LDAP_SCHEMA_DSA_OPERATION ) continue; } } else { if ( !userattrs && !ad_inlist( desc, rs->sr_attrs ) ) { continue; } } } if ( attrsonly ) { if ( ! access_allowed( op, rs->sr_entry, desc, NULL, ACL_READ, &acl_state ) ) { Debug( LDAP_DEBUG_ACL, "send_search_entry: " "conn %lu access to attribute %s not allowed\n", op->o_connid, desc->ad_cname.bv_val ); continue; } if (( rc = ber_printf( ber, "{O[" /*]}*/ , &desc->ad_cname )) == -1 ) { Debug( LDAP_DEBUG_ANY, "send_search_entry: conn %lu ber_printf failed\n", op->o_connid ); if ( op->o_res_ber == NULL ) ber_free_buf( ber ); set_ldap_error( rs, LDAP_OTHER, "encoding description error"); rc = rs->sr_err; goto error_return; } finish = 1; } else { int first = 1; for ( i = 0; a->a_nvals[i].bv_val != NULL; i++ ) { if ( ! access_allowed( op, rs->sr_entry, desc, &a->a_nvals[i], ACL_READ, &acl_state ) ) { Debug( LDAP_DEBUG_ACL, "send_search_entry: conn %lu " "access to attribute %s, value #%d not allowed\n", op->o_connid, desc->ad_cname.bv_val, i ); continue; } if ( op->o_vrFilter && e_flags[j][i] == 0 ){ continue; } if ( first ) { first = 0; finish = 1; if (( rc = ber_printf( ber, "{O[" /*]}*/ , &desc->ad_cname )) == -1 ) { Debug( LDAP_DEBUG_ANY, "send_search_entry: conn %lu ber_printf failed\n", op->o_connid ); if ( op->o_res_ber == NULL ) ber_free_buf( ber ); set_ldap_error( rs, LDAP_OTHER, "encoding description error"); rc = rs->sr_err; goto error_return; } } if (( rc = ber_printf( ber, "O", &a->a_vals[i] )) == -1 ) { Debug( LDAP_DEBUG_ANY, "send_search_entry: conn %lu " "ber_printf failed.\n", op->o_connid ); if ( op->o_res_ber == NULL ) ber_free_buf( ber ); set_ldap_error( rs, LDAP_OTHER, "encoding values error" ); rc = rs->sr_err; goto error_return; } } } if ( finish && ( rc = ber_printf( ber, /*{[*/ "]N}" )) == -1 ) { Debug( LDAP_DEBUG_ANY, "send_search_entry: conn %lu ber_printf failed\n", op->o_connid ); if ( op->o_res_ber == NULL ) ber_free_buf( ber ); set_ldap_error( rs, LDAP_OTHER, "encode end error" ); rc = rs->sr_err; goto error_return; } } /* NOTE: moved before overlays callback circling because * they may modify entry and other stuff in rs */ if ( rs->sr_operational_attrs != NULL && op->o_vrFilter != NULL ) { int k = 0; size_t size; for ( a = rs->sr_operational_attrs, i=0; a != NULL; a = a->a_next, i++ ) { for ( j = 0; a->a_vals[j].bv_val != NULL; j++ ) k++; } size = i * sizeof(char *) + k; if ( size > 0 ) { char *a_flags, **tmp; /* * Reuse previous memory - we likely need less space * for operational attributes */ tmp = slap_sl_realloc( e_flags, i * sizeof(char *) + k, op->o_tmpmemctx ); if ( tmp == NULL ) { Debug( LDAP_DEBUG_ANY, "send_search_entry: conn %lu " "not enough memory " "for matched values filtering\n", op->o_connid ); if ( op->o_res_ber == NULL ) ber_free_buf( ber ); set_ldap_error( rs, LDAP_OTHER, "not enough memory for matched values filtering" ); goto error_return; } e_flags = tmp; a_flags = (char *)(e_flags + i); memset( a_flags, 0, k ); for ( a = rs->sr_operational_attrs, i=0; a != NULL; a = a->a_next, i++ ) { for ( j = 0; a->a_vals[j].bv_val != NULL; j++ ); e_flags[i] = a_flags; a_flags += j; } rc = filter_matched_values(op, rs->sr_operational_attrs, &e_flags) ; if ( rc == -1 ) { Debug( LDAP_DEBUG_ANY, "send_search_entry: conn %lu " "matched values filtering failed\n", op->o_connid); if ( op->o_res_ber == NULL ) ber_free_buf( ber ); set_ldap_error( rs, LDAP_OTHER, "matched values filtering error" ); rc = rs->sr_err; goto error_return; } } } for (a = rs->sr_operational_attrs, j=0; a != NULL; a = a->a_next, j++ ) { AttributeDescription *desc = a->a_desc; if ( rs->sr_attrs == NULL ) { /* all user attrs request, skip operational attributes */ if( is_at_operational( desc->ad_type ) ) { continue; } } else { /* specific attrs requested */ if( is_at_operational( desc->ad_type ) ) { if ( !SLAP_OPATTRS( rs->sr_attr_flags ) && !ad_inlist( desc, rs->sr_attrs ) ) { continue; } /* if DSA-specific and replicating, skip */ if ( op->o_sync != SLAP_CONTROL_NONE && desc->ad_type->sat_usage == LDAP_SCHEMA_DSA_OPERATION ) continue; } else { if ( !userattrs && !ad_inlist( desc, rs->sr_attrs ) ) { continue; } } } if ( ! access_allowed( op, rs->sr_entry, desc, NULL, ACL_READ, &acl_state ) ) { Debug( LDAP_DEBUG_ACL, "send_search_entry: conn %lu " "access to attribute %s not allowed\n", op->o_connid, desc->ad_cname.bv_val ); continue; } rc = ber_printf( ber, "{O[" /*]}*/ , &desc->ad_cname ); if ( rc == -1 ) { Debug( LDAP_DEBUG_ANY, "send_search_entry: conn %lu " "ber_printf failed\n", op->o_connid ); if ( op->o_res_ber == NULL ) ber_free_buf( ber ); set_ldap_error( rs, LDAP_OTHER, "encoding description error" ); rc = rs->sr_err; goto error_return; } if ( ! attrsonly ) { for ( i = 0; a->a_vals[i].bv_val != NULL; i++ ) { if ( ! access_allowed( op, rs->sr_entry, desc, &a->a_vals[i], ACL_READ, &acl_state ) ) { Debug( LDAP_DEBUG_ACL, "send_search_entry: conn %lu " "access to %s, value %d not allowed\n", op->o_connid, desc->ad_cname.bv_val, i ); continue; } if ( op->o_vrFilter && e_flags[j][i] == 0 ){ continue; } if (( rc = ber_printf( ber, "O", &a->a_vals[i] )) == -1 ) { Debug( LDAP_DEBUG_ANY, "send_search_entry: conn %lu ber_printf failed\n", op->o_connid ); if ( op->o_res_ber == NULL ) ber_free_buf( ber ); set_ldap_error( rs, LDAP_OTHER, "encoding values error" ); rc = rs->sr_err; goto error_return; } } } if (( rc = ber_printf( ber, /*{[*/ "]N}" )) == -1 ) { Debug( LDAP_DEBUG_ANY, "send_search_entry: conn %lu ber_printf failed\n", op->o_connid ); if ( op->o_res_ber == NULL ) ber_free_buf( ber ); set_ldap_error( rs, LDAP_OTHER, "encode end error" ); rc = rs->sr_err; goto error_return; } } /* free e_flags */ if ( e_flags ) { slap_sl_free( e_flags, op->o_tmpmemctx ); e_flags = NULL; } rc = ber_printf( ber, /*{{*/ "}N}" ); if( rc != -1 ) { rc = send_ldap_controls( op, ber, rs->sr_ctrls ); } if( rc != -1 ) { #ifdef LDAP_CONNECTIONLESS if( op->o_conn && op->o_conn->c_is_udp ) { if ( op->o_protocol != LDAP_VERSION2 ) { rc = ber_printf( ber, /*{*/ "N}" ); } } else #endif if ( op->o_res_ber == NULL ) { rc = ber_printf( ber, /*{*/ "N}" ); } } if ( rc == -1 ) { Debug( LDAP_DEBUG_ANY, "ber_printf failed\n" ); if ( op->o_res_ber == NULL ) ber_free_buf( ber ); set_ldap_error( rs, LDAP_OTHER, "encode entry end error" ); rc = rs->sr_err; goto error_return; } Statslog( LDAP_DEBUG_STATS2, "%s ENTRY dn=\"%s\"\n", op->o_log_prefix, rs->sr_entry->e_nname.bv_val ); rs_flush_entry( op, rs, NULL ); if ( op->o_res_ber == NULL ) { bytes = send_ldap_ber( op, ber ); ber_free_buf( ber ); if ( bytes < 0 ) { Debug( LDAP_DEBUG_ANY, "send_search_entry: conn %lu ber write failed.\n", op->o_connid ); rc = LDAP_UNAVAILABLE; goto error_return; } rs->sr_nentries++; ldap_pvt_thread_mutex_lock( &op->o_counters->sc_mutex ); ldap_pvt_mp_add_ulong( op->o_counters->sc_bytes, (unsigned long)bytes ); ldap_pvt_mp_add_ulong( op->o_counters->sc_entries, 1 ); ldap_pvt_mp_add_ulong( op->o_counters->sc_pdu, 1 ); ldap_pvt_thread_mutex_unlock( &op->o_counters->sc_mutex ); } Debug( LDAP_DEBUG_TRACE, "<= send_search_entry: conn %lu exit.\n", op->o_connid ); rc = LDAP_SUCCESS; error_return:; if ( op->o_callback ) { (void)slap_cleanup_play( op, rs ); } if ( e_flags ) { slap_sl_free( e_flags, op->o_tmpmemctx ); } /* FIXME: Can break if rs now contains an extended response */ if ( rs->sr_operational_attrs ) { attrs_free( rs->sr_operational_attrs ); rs->sr_operational_attrs = NULL; } rs->sr_attr_flags = SLAP_ATTRS_UNDEFINED; if ( op->o_tag == LDAP_REQ_SEARCH && rs->sr_type == REP_SEARCH ) { rs_flush_entry( op, rs, NULL ); } else { RS_ASSERT( (rs->sr_flags & REP_ENTRY_MASK) == 0 ); } if ( rs->sr_flags & REP_CTRLS_MUSTBEFREED ) { rs->sr_flags ^= REP_CTRLS_MUSTBEFREED; /* paranoia */ if ( rs->sr_ctrls ) { slap_free_ctrls( op, rs->sr_ctrls ); rs->sr_ctrls = NULL; } } return( rc ); }
int do_search( Operation *op, /* info about the op to which we're responding */ SlapReply *rs /* all the response data we'll send */ ) { struct berval base = BER_BVNULL; ber_len_t siz, off, i; Debug( LDAP_DEBUG_TRACE, "%s do_search\n", op->o_log_prefix, 0, 0 ); /* * Parse the search request. It looks like this: * * SearchRequest := [APPLICATION 3] SEQUENCE { * baseObject DistinguishedName, * scope ENUMERATED { * baseObject (0), * singleLevel (1), * wholeSubtree (2), * subordinate (3) -- OpenLDAP extension * }, * derefAliases ENUMERATED { * neverDerefaliases (0), * derefInSearching (1), * derefFindingBaseObj (2), * alwaysDerefAliases (3) * }, * sizelimit INTEGER (0 .. 65535), * timelimit INTEGER (0 .. 65535), * attrsOnly BOOLEAN, * filter Filter, * attributes SEQUENCE OF AttributeType * } */ /* baseObject, scope, derefAliases, sizelimit, timelimit, attrsOnly */ if ( ber_scanf( op->o_ber, "{miiiib" /*}*/, &base, &op->ors_scope, &op->ors_deref, &op->ors_slimit, &op->ors_tlimit, &op->ors_attrsonly ) == LBER_ERROR ) { send_ldap_discon( op, rs, LDAP_PROTOCOL_ERROR, "decoding error" ); rs->sr_err = SLAPD_DISCONNECT; goto return_results; } if ( op->ors_tlimit < 0 || op->ors_tlimit > SLAP_MAX_LIMIT ) { send_ldap_error( op, rs, LDAP_PROTOCOL_ERROR, "invalid time limit" ); goto return_results; } if ( op->ors_slimit < 0 || op->ors_slimit > SLAP_MAX_LIMIT ) { send_ldap_error( op, rs, LDAP_PROTOCOL_ERROR, "invalid size limit" ); goto return_results; } switch( op->ors_scope ) { case LDAP_SCOPE_BASE: case LDAP_SCOPE_ONELEVEL: case LDAP_SCOPE_SUBTREE: case LDAP_SCOPE_SUBORDINATE: break; default: send_ldap_error( op, rs, LDAP_PROTOCOL_ERROR, "invalid scope" ); goto return_results; } switch( op->ors_deref ) { case LDAP_DEREF_NEVER: case LDAP_DEREF_FINDING: case LDAP_DEREF_SEARCHING: case LDAP_DEREF_ALWAYS: break; default: send_ldap_error( op, rs, LDAP_PROTOCOL_ERROR, "invalid deref" ); goto return_results; } rs->sr_err = dnPrettyNormal( NULL, &base, &op->o_req_dn, &op->o_req_ndn, op->o_tmpmemctx ); if( rs->sr_err != LDAP_SUCCESS ) { Debug( LDAP_DEBUG_ANY, "%s do_search: invalid dn: \"%s\"\n", op->o_log_prefix, base.bv_val, 0 ); send_ldap_error( op, rs, LDAP_INVALID_DN_SYNTAX, "invalid DN" ); goto return_results; } Debug( LDAP_DEBUG_ARGS, "SRCH \"%s\" %d %d", base.bv_val, op->ors_scope, op->ors_deref ); Debug( LDAP_DEBUG_ARGS, " %d %d %d\n", op->ors_slimit, op->ors_tlimit, op->ors_attrsonly); /* filter - returns a "normalized" version */ rs->sr_err = get_filter( op, op->o_ber, &op->ors_filter, &rs->sr_text ); if( rs->sr_err != LDAP_SUCCESS ) { if( rs->sr_err == SLAPD_DISCONNECT ) { rs->sr_err = LDAP_PROTOCOL_ERROR; send_ldap_disconnect( op, rs ); rs->sr_err = SLAPD_DISCONNECT; } else { send_ldap_result( op, rs ); } goto return_results; } filter2bv_x( op, op->ors_filter, &op->ors_filterstr ); Debug( LDAP_DEBUG_ARGS, " filter: %s\n", !BER_BVISEMPTY( &op->ors_filterstr ) ? op->ors_filterstr.bv_val : "empty", 0, 0 ); /* attributes */ siz = sizeof(AttributeName); off = offsetof(AttributeName,an_name); if ( ber_scanf( op->o_ber, "{M}}", &op->ors_attrs, &siz, off ) == LBER_ERROR ) { send_ldap_discon( op, rs, LDAP_PROTOCOL_ERROR, "decoding attrs error" ); rs->sr_err = SLAPD_DISCONNECT; goto return_results; } for ( i=0; i<siz; i++ ) { const char *dummy; /* ignore msgs from bv2ad */ op->ors_attrs[i].an_desc = NULL; op->ors_attrs[i].an_oc = NULL; op->ors_attrs[i].an_flags = 0; if ( slap_bv2ad( &op->ors_attrs[i].an_name, &op->ors_attrs[i].an_desc, &dummy ) != LDAP_SUCCESS ) { if ( slap_bv2undef_ad( &op->ors_attrs[i].an_name, &op->ors_attrs[i].an_desc, &dummy, SLAP_AD_PROXIED|SLAP_AD_NOINSERT ) ) { struct berval *bv = &op->ors_attrs[i].an_name; /* RFC 4511 LDAPv3: All User Attributes */ if ( bvmatch( bv, slap_bv_all_user_attrs ) ) { continue; } /* RFC 3673 LDAPv3: All Operational Attributes */ if ( bvmatch( bv, slap_bv_all_operational_attrs ) ) { continue; } /* RFC 4529 LDAP: Requesting Attributes by Object Class */ if ( bv->bv_len > 1 && bv->bv_val[0] == '@' ) { /* FIXME: check if remaining is valid oc name? */ continue; } /* add more "exceptions" to RFC 4511 4.5.1.8. */ /* invalid attribute description? remove */ if ( ad_keystring( bv ) ) { /* NOTE: parsed in-place, don't modify; * rather add "1.1", which must be ignored */ BER_BVSTR( &op->ors_attrs[i].an_name, LDAP_NO_ATTRS ); } /* otherwise leave in place... */ } } } if( get_ctrls( op, rs, 1 ) != LDAP_SUCCESS ) { Debug( LDAP_DEBUG_ANY, "%s do_search: get_ctrls failed\n", op->o_log_prefix, 0, 0 ); goto return_results; } Debug( LDAP_DEBUG_ARGS, " attrs:", 0, 0, 0 ); if ( siz != 0 ) { for ( i = 0; i<siz; i++ ) { Debug( LDAP_DEBUG_ARGS, " %s", op->ors_attrs[i].an_name.bv_val, 0, 0 ); } } Debug( LDAP_DEBUG_ARGS, "\n", 0, 0, 0 ); if ( StatslogTest( LDAP_DEBUG_STATS ) ) { char abuf[BUFSIZ/2], *ptr = abuf; unsigned len = 0, alen; sprintf(abuf, "scope=%d deref=%d", op->ors_scope, op->ors_deref); Statslog( LDAP_DEBUG_STATS, "%s SRCH base=\"%s\" %s filter=\"%s\"\n", op->o_log_prefix, op->o_req_dn.bv_val, abuf, op->ors_filterstr.bv_val, 0 ); for ( i = 0; i<siz; i++ ) { alen = op->ors_attrs[i].an_name.bv_len; if (alen >= sizeof(abuf)) { alen = sizeof(abuf)-1; } if (len && (len + 1 + alen >= sizeof(abuf))) { Statslog( LDAP_DEBUG_STATS, "%s SRCH attr=%s\n", op->o_log_prefix, abuf, 0, 0, 0 ); len = 0; ptr = abuf; } if (len) { *ptr++ = ' '; len++; } ptr = lutil_strncopy(ptr, op->ors_attrs[i].an_name.bv_val, alen); len += alen; *ptr = '\0'; } if (len) { Statslog( LDAP_DEBUG_STATS, "%s SRCH attr=%s\n", op->o_log_prefix, abuf, 0, 0, 0 ); } } op->o_bd = frontendDB; rs->sr_err = frontendDB->be_search( op, rs ); return_results:; if ( !BER_BVISNULL( &op->o_req_dn ) ) { slap_sl_free( op->o_req_dn.bv_val, op->o_tmpmemctx ); } if ( !BER_BVISNULL( &op->o_req_ndn ) ) { slap_sl_free( op->o_req_ndn.bv_val, op->o_tmpmemctx ); } if ( !BER_BVISNULL( &op->ors_filterstr ) ) { op->o_tmpfree( op->ors_filterstr.bv_val, op->o_tmpmemctx ); } if ( op->ors_filter != NULL) { filter_free_x( op, op->ors_filter, 1 ); } if ( op->ors_attrs != NULL ) { op->o_tmpfree( op->ors_attrs, op->o_tmpmemctx ); } return rs->sr_err; }
int slap_send_search_reference( Operation *op, SlapReply *rs ) { BerElementBuffer berbuf; BerElement *ber = (BerElement *) &berbuf; int rc = 0; int bytes; char *edn = rs->sr_entry ? rs->sr_entry->e_name.bv_val : "(null)"; AttributeDescription *ad_ref = slap_schema.si_ad_ref; AttributeDescription *ad_entry = slap_schema.si_ad_entry; rs->sr_type = REP_SEARCHREF; if ( op->o_callback ) { rc = slap_response_play( op, rs ); if ( rc != SLAP_CB_CONTINUE ) { goto rel; } } Debug( LDAP_DEBUG_TRACE, "=> send_search_reference: dn=\"%s\"\n", edn ); if ( rs->sr_entry && ! access_allowed( op, rs->sr_entry, ad_entry, NULL, ACL_READ, NULL ) ) { Debug( LDAP_DEBUG_ACL, "send_search_reference: access to entry not allowed\n" ); rc = 1; goto rel; } if ( rs->sr_entry && ! access_allowed( op, rs->sr_entry, ad_ref, NULL, ACL_READ, NULL ) ) { Debug( LDAP_DEBUG_ACL, "send_search_reference: access " "to reference not allowed\n" ); rc = 1; goto rel; } if( op->o_domain_scope ) { Debug( LDAP_DEBUG_ANY, "send_search_reference: domainScope control in (%s)\n", edn ); rc = 0; goto rel; } if( rs->sr_ref == NULL ) { Debug( LDAP_DEBUG_ANY, "send_search_reference: null ref in (%s)\n", edn ); rc = 1; goto rel; } if( op->o_protocol < LDAP_VERSION3 ) { rc = 0; /* save the references for the result */ if( rs->sr_ref[0].bv_val != NULL ) { if( value_add( &rs->sr_v2ref, rs->sr_ref ) ) rc = LDAP_OTHER; } goto rel; } #ifdef LDAP_CONNECTIONLESS if( op->o_conn && op->o_conn->c_is_udp ) { ber = op->o_res_ber; } else #endif { ber_init_w_nullc( ber, LBER_USE_DER ); ber_set_option( ber, LBER_OPT_BER_MEMCTX, &op->o_tmpmemctx ); } rc = ber_printf( ber, "{it{W}" /*"}"*/ , op->o_msgid, LDAP_RES_SEARCH_REFERENCE, rs->sr_ref ); if( rc != -1 ) { rc = send_ldap_controls( op, ber, rs->sr_ctrls ); } if( rc != -1 ) { rc = ber_printf( ber, /*"{"*/ "N}" ); } if ( rc == -1 ) { Debug( LDAP_DEBUG_ANY, "send_search_reference: ber_printf failed\n" ); #ifdef LDAP_CONNECTIONLESS if (!op->o_conn || op->o_conn->c_is_udp == 0) #endif ber_free_buf( ber ); set_ldap_error( rs, LDAP_OTHER, "encode DN error" ); goto rel; } rc = 0; rs_flush_entry( op, rs, NULL ); #ifdef LDAP_CONNECTIONLESS if (!op->o_conn || op->o_conn->c_is_udp == 0) { #endif bytes = send_ldap_ber( op, ber ); ber_free_buf( ber ); if ( bytes < 0 ) { rc = LDAP_UNAVAILABLE; } else { ldap_pvt_thread_mutex_lock( &op->o_counters->sc_mutex ); ldap_pvt_mp_add_ulong( op->o_counters->sc_bytes, (unsigned long)bytes ); ldap_pvt_mp_add_ulong( op->o_counters->sc_refs, 1 ); ldap_pvt_mp_add_ulong( op->o_counters->sc_pdu, 1 ); ldap_pvt_thread_mutex_unlock( &op->o_counters->sc_mutex ); } #ifdef LDAP_CONNECTIONLESS } #endif if ( rs->sr_ref != NULL ) { int r; for ( r = 0; !BER_BVISNULL( &rs->sr_ref[ r ] ); r++ ) { Statslog( LDAP_DEBUG_STATS2, "%s REF #%d \"%s\"\n", op->o_log_prefix, r, rs->sr_ref[0].bv_val ); } } else { Statslog( LDAP_DEBUG_STATS2, "%s REF \"(null)\"\n", op->o_log_prefix ); } Debug( LDAP_DEBUG_TRACE, "<= send_search_reference\n" ); if ( 0 ) { rel: rs_flush_entry( op, rs, NULL ); } if ( op->o_callback ) { (void)slap_cleanup_play( op, rs ); } if ( rs->sr_flags & REP_CTRLS_MUSTBEFREED ) { rs->sr_flags ^= REP_CTRLS_MUSTBEFREED; /* paranoia */ if ( rs->sr_ctrls ) { slap_free_ctrls( op, rs->sr_ctrls ); rs->sr_ctrls = NULL; } } return rc; }
int do_compare( Operation *op, SlapReply *rs ) { struct berval dn = BER_BVNULL; struct berval desc = BER_BVNULL; struct berval value = BER_BVNULL; AttributeAssertion ava = ATTRIBUTEASSERTION_INIT; Debug( LDAP_DEBUG_TRACE, "%s do_compare\n", op->o_log_prefix, 0, 0 ); /* * Parse the compare request. It looks like this: * * CompareRequest := [APPLICATION 14] SEQUENCE { * entry DistinguishedName, * ava SEQUENCE { * type AttributeType, * value AttributeValue * } * } */ if ( ber_scanf( op->o_ber, "{m" /*}*/, &dn ) == LBER_ERROR ) { Debug( LDAP_DEBUG_ANY, "%s do_compare: ber_scanf failed\n", op->o_log_prefix, 0, 0 ); send_ldap_discon( op, rs, LDAP_PROTOCOL_ERROR, "decoding error" ); return SLAPD_DISCONNECT; } if ( ber_scanf( op->o_ber, "{mm}", &desc, &value ) == LBER_ERROR ) { Debug( LDAP_DEBUG_ANY, "%s do_compare: get ava failed\n", op->o_log_prefix, 0, 0 ); send_ldap_discon( op, rs, LDAP_PROTOCOL_ERROR, "decoding error" ); return SLAPD_DISCONNECT; } if ( ber_scanf( op->o_ber, /*{*/ "}" ) == LBER_ERROR ) { Debug( LDAP_DEBUG_ANY, "%s do_compare: ber_scanf failed\n", op->o_log_prefix, 0, 0 ); send_ldap_discon( op, rs, LDAP_PROTOCOL_ERROR, "decoding error" ); return SLAPD_DISCONNECT; } if( get_ctrls( op, rs, 1 ) != LDAP_SUCCESS ) { Debug( LDAP_DEBUG_ANY, "%s do_compare: get_ctrls failed\n", op->o_log_prefix, 0, 0 ); goto cleanup; } rs->sr_err = dnPrettyNormal( NULL, &dn, &op->o_req_dn, &op->o_req_ndn, op->o_tmpmemctx ); if( rs->sr_err != LDAP_SUCCESS ) { Debug( LDAP_DEBUG_ANY, "%s do_compare: invalid dn (%s)\n", op->o_log_prefix, dn.bv_val, 0 ); send_ldap_error( op, rs, LDAP_INVALID_DN_SYNTAX, "invalid DN" ); goto cleanup; } Statslog( LDAP_DEBUG_STATS, "%s CMP dn=\"%s\" attr=\"%s\"\n", op->o_log_prefix, op->o_req_dn.bv_val, desc.bv_val, 0, 0 ); rs->sr_err = slap_bv2ad( &desc, &ava.aa_desc, &rs->sr_text ); if( rs->sr_err != LDAP_SUCCESS ) { rs->sr_err = slap_bv2undef_ad( &desc, &ava.aa_desc, &rs->sr_text, SLAP_AD_PROXIED|SLAP_AD_NOINSERT ); if( rs->sr_err != LDAP_SUCCESS ) { send_ldap_result( op, rs ); goto cleanup; } } rs->sr_err = asserted_value_validate_normalize( ava.aa_desc, ava.aa_desc->ad_type->sat_equality, SLAP_MR_EQUALITY|SLAP_MR_VALUE_OF_ASSERTION_SYNTAX, &value, &ava.aa_value, &rs->sr_text, op->o_tmpmemctx ); if( rs->sr_err != LDAP_SUCCESS ) { send_ldap_result( op, rs ); goto cleanup; } op->orc_ava = &ava; Debug( LDAP_DEBUG_ARGS, "do_compare: dn (%s) attr (%s) value (%s)\n", op->o_req_dn.bv_val, ava.aa_desc->ad_cname.bv_val, ava.aa_value.bv_val ); op->o_bd = frontendDB; rs->sr_err = frontendDB->be_compare( op, rs ); cleanup:; op->o_tmpfree( op->o_req_dn.bv_val, op->o_tmpmemctx ); op->o_tmpfree( op->o_req_ndn.bv_val, op->o_tmpmemctx ); if ( !BER_BVISNULL( &ava.aa_value ) ) { op->o_tmpfree( ava.aa_value.bv_val, op->o_tmpmemctx ); } return rs->sr_err; }
void slap_send_ldap_result( Operation *op, SlapReply *rs ) { char *tmp = NULL; const char *otext = rs->sr_text; BerVarray oref = rs->sr_ref; rs->sr_type = REP_RESULT; /* Propagate Abandons so that cleanup callbacks can be processed */ if ( rs->sr_err == SLAPD_ABANDON || op->o_abandon ) goto abandon; Debug( LDAP_DEBUG_TRACE, "send_ldap_result: %s p=%d\n", op->o_log_prefix, op->o_protocol ); Debug( LDAP_DEBUG_ARGS, "send_ldap_result: err=%d matched=\"%s\" text=\"%s\"\n", rs->sr_err, rs->sr_matched ? rs->sr_matched : "", rs->sr_text ? rs->sr_text : "" ); if( rs->sr_ref ) { Debug( LDAP_DEBUG_ARGS, "send_ldap_result: referral=\"%s\"\n", rs->sr_ref[0].bv_val ? rs->sr_ref[0].bv_val : "NULL" ); } assert( !LDAP_API_ERROR( rs->sr_err ) ); assert( rs->sr_err != LDAP_PARTIAL_RESULTS ); if ( rs->sr_err == LDAP_REFERRAL ) { if( op->o_domain_scope ) rs->sr_ref = NULL; if( rs->sr_ref == NULL ) { rs->sr_err = LDAP_NO_SUCH_OBJECT; } else if ( op->o_protocol < LDAP_VERSION3 ) { rs->sr_err = LDAP_PARTIAL_RESULTS; } } if ( op->o_protocol < LDAP_VERSION3 ) { tmp = v2ref( rs->sr_ref, rs->sr_text ); rs->sr_text = tmp; rs->sr_ref = NULL; } abandon: rs->sr_tag = slap_req2res( op->o_tag ); rs->sr_msgid = (rs->sr_tag != LBER_SEQUENCE) ? op->o_msgid : 0; if ( rs->sr_flags & REP_REF_MUSTBEFREED ) { if ( rs->sr_ref == NULL ) { rs->sr_flags ^= REP_REF_MUSTBEFREED; ber_bvarray_free( oref ); } oref = NULL; /* send_ldap_response() will free rs->sr_ref if != NULL */ } if ( send_ldap_response( op, rs ) == SLAP_CB_CONTINUE ) { if ( op->o_tag == LDAP_REQ_SEARCH ) { Statslog( LDAP_DEBUG_STATS, "%s SEARCH RESULT tag=%lu err=%d nentries=%d text=%s\n", op->o_log_prefix, rs->sr_tag, rs->sr_err, rs->sr_nentries, rs->sr_text ? rs->sr_text : "" ); } else { Statslog( LDAP_DEBUG_STATS, "%s RESULT tag=%lu err=%d text=%s\n", op->o_log_prefix, rs->sr_tag, rs->sr_err, rs->sr_text ? rs->sr_text : "" ); } } if( tmp != NULL ) ch_free(tmp); rs->sr_text = otext; rs->sr_ref = oref; }
static int proxyOld_parse( Operation *op, SlapReply *rs, LDAPControl *ctrl ) { int rc; BerElement *ber; ber_tag_t tag; struct berval dn = BER_BVNULL; struct berval authzDN = BER_BVNULL; /* We hijack the flag for the new control. Clearly only one or the * other can be used at any given time. */ if ( op->o_proxy_authz != SLAP_CONTROL_NONE ) { rs->sr_text = "proxy authorization control specified multiple times"; return LDAP_PROTOCOL_ERROR; } op->o_proxy_authz = ctrl->ldctl_iscritical ? SLAP_CONTROL_CRITICAL : SLAP_CONTROL_NONCRITICAL; /* Parse the control value * proxyAuthzControlValue ::= SEQUENCE { * proxyDN LDAPDN * } */ ber = ber_init( &ctrl->ldctl_value ); if ( ber == NULL ) { rs->sr_text = "ber_init failed"; return LDAP_OTHER; } tag = ber_scanf( ber, "{m}", &dn ); if ( tag == LBER_ERROR ) { rs->sr_text = "proxyOld control could not be decoded"; rc = LDAP_OTHER; goto done; } if ( BER_BVISEMPTY( &dn )) { Debug( LDAP_DEBUG_TRACE, "proxyOld_parse: conn=%lu anonymous\n", op->o_connid, 0, 0 ); authzDN.bv_val = ch_strdup(""); } else { Debug( LDAP_DEBUG_ARGS, "proxyOld_parse: conn %lu ctrl DN=\"%s\"\n", op->o_connid, dn.bv_val, 0 ); rc = dnNormalize( 0, NULL, NULL, &dn, &authzDN, op->o_tmpmemctx ); if ( rc != LDAP_SUCCESS ) { goto done; } rc = slap_sasl_authorized( op, &op->o_ndn, &authzDN ); if ( rc ) { op->o_tmpfree( authzDN.bv_val, op->o_tmpmemctx ); rs->sr_text = "not authorized to assume identity"; /* new spec uses LDAP_PROXY_AUTHZ_FAILURE */ rc = LDAP_INSUFFICIENT_ACCESS; goto done; } } free( op->o_ndn.bv_val ); free( op->o_dn.bv_val ); op->o_ndn = authzDN; ber_dupbv( &op->o_dn, &authzDN ); Statslog( LDAP_DEBUG_STATS, "conn=%lu op=%lu PROXYOLD dn=\"%s\"\n", op->o_connid, op->o_opid, authzDN.bv_len ? authzDN.bv_val : "anonymous", 0, 0 ); rc = LDAP_SUCCESS; done: ber_free( ber, 1 ); return rc; }
int txn_end_extop( Operation *op, SlapReply *rs ) { int rc; BerElementBuffer berbuf; BerElement *ber = (BerElement *)&berbuf; ber_tag_t tag; ber_len_t len; ber_int_t commit=1; struct berval txnid; Statslog( LDAP_DEBUG_STATS, "%s TXN END\n", op->o_log_prefix, 0, 0, 0, 0 ); if( op->ore_reqdata == NULL ) { rs->sr_text = "request data expected"; return LDAP_PROTOCOL_ERROR; } if( op->ore_reqdata->bv_len == 0 ) { rs->sr_text = "empty request data"; return LDAP_PROTOCOL_ERROR; } op->o_bd = op->o_conn->c_authz_backend; if( backend_check_restrictions( op, rs, (struct berval *)&slap_EXOP_TXN_END ) != LDAP_SUCCESS ) { return rs->sr_err; } ber_init2( ber, op->ore_reqdata, 0 ); tag = ber_scanf( ber, "{" /*}*/ ); if( tag == LBER_ERROR ) { rs->sr_text = "request data decoding error"; return LDAP_PROTOCOL_ERROR; } tag = ber_peek_tag( ber, &len ); if( tag == LBER_BOOLEAN ) { tag = ber_scanf( ber, "b", &commit ); if( tag == LBER_ERROR ) { rs->sr_text = "request data decoding error"; return LDAP_PROTOCOL_ERROR; } } tag = ber_scanf( ber, /*{*/ "m}", &txnid ); if( tag == LBER_ERROR ) { rs->sr_text = "request data decoding error"; return LDAP_PROTOCOL_ERROR; } if( txnid.bv_len ) { rs->sr_text = "invalid transaction identifier"; return LDAP_X_TXN_ID_INVALID; } /* acquire connection lock */ ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex ); if( op->o_conn->c_txn != CONN_TXN_SPECIFY ) { rs->sr_text = "invalid transaction identifier"; rc = LDAP_X_TXN_ID_INVALID; goto done; } op->o_conn->c_txn = CONN_TXN_SETTLE; if( commit ) { if ( op->o_abandon ) { } if( LDAP_STAILQ_EMPTY(&op->o_conn->c_txn_ops) ) { /* no updates to commit */ rs->sr_text = "no updates to commit"; rc = LDAP_OPERATIONS_ERROR; goto settled; } rs->sr_text = "not yet implemented"; rc = LDAP_UNWILLING_TO_PERFORM; } else { rs->sr_text = "transaction aborted"; rc = LDAP_SUCCESS;; } drain: /* drain txn ops list */ settled: assert( LDAP_STAILQ_EMPTY(&op->o_conn->c_txn_ops) ); assert( op->o_conn->c_txn == CONN_TXN_SETTLE ); op->o_conn->c_txn = CONN_TXN_INACTIVE; op->o_conn->c_txn_backend = NULL; done: /* release connection lock */ ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex ); return rc; }
int do_modrdn( Operation *op, SlapReply *rs ) { struct berval dn = BER_BVNULL; struct berval newrdn = BER_BVNULL; struct berval newSuperior = BER_BVNULL; ber_int_t deloldrdn; struct berval pnewSuperior = BER_BVNULL; struct berval nnewSuperior = BER_BVNULL; ber_len_t length; Debug( LDAP_DEBUG_TRACE, "%s do_modrdn\n", op->o_log_prefix, 0, 0 ); /* * Parse the modrdn request. It looks like this: * * ModifyRDNRequest := SEQUENCE { * entry DistinguishedName, * newrdn RelativeDistinguishedName * deleteoldrdn BOOLEAN, * newSuperior [0] LDAPDN OPTIONAL (v3 Only!) * } */ if ( ber_scanf( op->o_ber, "{mmb", &dn, &newrdn, &deloldrdn ) == LBER_ERROR ) { Debug( LDAP_DEBUG_ANY, "%s do_modrdn: ber_scanf failed\n", op->o_log_prefix, 0, 0 ); send_ldap_discon( op, rs, LDAP_PROTOCOL_ERROR, "decoding error" ); return SLAPD_DISCONNECT; } /* Check for newSuperior parameter, if present scan it */ if ( ber_peek_tag( op->o_ber, &length ) == LDAP_TAG_NEWSUPERIOR ) { if ( op->o_protocol < LDAP_VERSION3 ) { /* Connection record indicates v2 but field * newSuperior is present: report error. */ Debug( LDAP_DEBUG_ANY, "%s do_modrdn: newSuperior requires LDAPv3\n", op->o_log_prefix, 0, 0 ); send_ldap_discon( op, rs, LDAP_PROTOCOL_ERROR, "newSuperior requires LDAPv3" ); rs->sr_err = SLAPD_DISCONNECT; goto cleanup; } if ( ber_scanf( op->o_ber, "m", &newSuperior ) == LBER_ERROR ) { Debug( LDAP_DEBUG_ANY, "%s do_modrdn: ber_scanf(\"m\") failed\n", op->o_log_prefix, 0, 0 ); send_ldap_discon( op, rs, LDAP_PROTOCOL_ERROR, "decoding error" ); rs->sr_err = SLAPD_DISCONNECT; goto cleanup; } op->orr_newSup = &pnewSuperior; op->orr_nnewSup = &nnewSuperior; } Debug( LDAP_DEBUG_ARGS, "do_modrdn: dn (%s) newrdn (%s) newsuperior (%s)\n", dn.bv_val, newrdn.bv_val, newSuperior.bv_len ? newSuperior.bv_val : "" ); if ( ber_scanf( op->o_ber, /*{*/ "}") == LBER_ERROR ) { Debug( LDAP_DEBUG_ANY, "%s do_modrdn: ber_scanf failed\n", op->o_log_prefix, 0, 0 ); send_ldap_discon( op, rs, LDAP_PROTOCOL_ERROR, "decoding error" ); rs->sr_err = SLAPD_DISCONNECT; goto cleanup; } if( get_ctrls( op, rs, 1 ) != LDAP_SUCCESS ) { Debug( LDAP_DEBUG_ANY, "%s do_modrdn: get_ctrls failed\n", op->o_log_prefix, 0, 0 ); /* get_ctrls has sent results. Now clean up. */ goto cleanup; } rs->sr_err = dnPrettyNormal( NULL, &dn, &op->o_req_dn, &op->o_req_ndn, op->o_tmpmemctx ); if( rs->sr_err != LDAP_SUCCESS ) { Debug( LDAP_DEBUG_ANY, "%s do_modrdn: invalid dn (%s)\n", op->o_log_prefix, dn.bv_val, 0 ); send_ldap_error( op, rs, LDAP_INVALID_DN_SYNTAX, "invalid DN" ); goto cleanup; } /* FIXME: should have/use rdnPretty / rdnNormalize routines */ rs->sr_err = dnPrettyNormal( NULL, &newrdn, &op->orr_newrdn, &op->orr_nnewrdn, op->o_tmpmemctx ); if( rs->sr_err != LDAP_SUCCESS ) { Debug( LDAP_DEBUG_ANY, "%s do_modrdn: invalid newrdn (%s)\n", op->o_log_prefix, newrdn.bv_val, 0 ); send_ldap_error( op, rs, LDAP_INVALID_DN_SYNTAX, "invalid new RDN" ); goto cleanup; } if( rdn_validate( &op->orr_newrdn ) != LDAP_SUCCESS ) { Debug( LDAP_DEBUG_ANY, "%s do_modrdn: invalid rdn (%s)\n", op->o_log_prefix, op->orr_newrdn.bv_val, 0 ); send_ldap_error( op, rs, LDAP_INVALID_DN_SYNTAX, "invalid new RDN" ); goto cleanup; } if( op->orr_newSup ) { rs->sr_err = dnPrettyNormal( NULL, &newSuperior, &pnewSuperior, &nnewSuperior, op->o_tmpmemctx ); if( rs->sr_err != LDAP_SUCCESS ) { Debug( LDAP_DEBUG_ANY, "%s do_modrdn: invalid newSuperior (%s)\n", op->o_log_prefix, newSuperior.bv_val, 0 ); send_ldap_error( op, rs, LDAP_INVALID_DN_SYNTAX, "invalid newSuperior" ); goto cleanup; } } Statslog( LDAP_DEBUG_STATS, "%s MODRDN dn=\"%s\"\n", op->o_log_prefix, op->o_req_dn.bv_val, 0, 0, 0 ); op->orr_deleteoldrdn = deloldrdn; op->orr_modlist = NULL; /* prepare modlist of modifications from old/new RDN */ rs->sr_err = slap_modrdn2mods( op, rs ); if ( rs->sr_err != LDAP_SUCCESS ) { send_ldap_result( op, rs ); goto cleanup; } op->o_bd = frontendDB; rs->sr_err = frontendDB->be_modrdn( op, rs ); #ifdef LDAP_X_TXN if( rs->sr_err == LDAP_X_TXN_SPECIFY_OKAY ) { /* skip cleanup */ } #endif cleanup: op->o_tmpfree( op->o_req_dn.bv_val, op->o_tmpmemctx ); op->o_tmpfree( op->o_req_ndn.bv_val, op->o_tmpmemctx ); op->o_tmpfree( op->orr_newrdn.bv_val, op->o_tmpmemctx ); op->o_tmpfree( op->orr_nnewrdn.bv_val, op->o_tmpmemctx ); if ( op->orr_modlist != NULL ) slap_mods_free( op->orr_modlist, 1 ); if ( !BER_BVISNULL( &pnewSuperior ) ) { op->o_tmpfree( pnewSuperior.bv_val, op->o_tmpmemctx ); } if ( !BER_BVISNULL( &nnewSuperior ) ) { op->o_tmpfree( nnewSuperior.bv_val, op->o_tmpmemctx ); } return rs->sr_err; }
int dnssrv_back_referrals( Operation *op, SlapReply *rs ) { int i; int rc = LDAP_OTHER; char *domain = NULL; char *hostlist = NULL; char **hosts = NULL; BerVarray urls = NULL; if ( BER_BVISEMPTY( &op->o_req_dn ) ) { /* FIXME: need some means to determine whether the database * is a glue instance */ if ( SLAP_GLUE_INSTANCE( op->o_bd ) ) { return LDAP_SUCCESS; } rs->sr_text = "DNS SRV operation upon null (empty) DN disallowed"; return LDAP_UNWILLING_TO_PERFORM; } if( get_manageDSAit( op ) ) { if( op->o_tag == LDAP_REQ_SEARCH ) { return LDAP_SUCCESS; } rs->sr_text = "DNS SRV problem processing manageDSAit control"; return LDAP_OTHER; } if( ldap_dn2domain( op->o_req_dn.bv_val, &domain ) || domain == NULL ) { rs->sr_err = LDAP_REFERRAL; rs->sr_ref = default_referral; send_ldap_result( op, rs ); rs->sr_ref = NULL; return LDAP_REFERRAL; } Debug( LDAP_DEBUG_TRACE, "DNSSRV: dn=\"%s\" -> domain=\"%s\"\n", op->o_req_dn.bv_val, domain, 0 ); i = ldap_domain2hostlist( domain, &hostlist ); if ( i ) { Debug( LDAP_DEBUG_TRACE, "DNSSRV: domain2hostlist(%s) returned %d\n", domain, i, 0 ); rs->sr_text = "no DNS SRV RR available for DN"; rc = LDAP_NO_SUCH_OBJECT; goto done; } hosts = ldap_str2charray( hostlist, " " ); if( hosts == NULL ) { Debug( LDAP_DEBUG_TRACE, "DNSSRV: str2charrary error\n", 0, 0, 0 ); rs->sr_text = "problem processing DNS SRV records for DN"; goto done; } for( i=0; hosts[i] != NULL; i++) { struct berval url; url.bv_len = STRLENOF( "ldap://" ) + strlen( hosts[i] ); url.bv_val = ch_malloc( url.bv_len + 1 ); strcpy( url.bv_val, "ldap://" ); strcpy( &url.bv_val[STRLENOF( "ldap://" )], hosts[i] ); if ( ber_bvarray_add( &urls, &url ) < 0 ) { free( url.bv_val ); rs->sr_text = "problem processing DNS SRV records for DN"; goto done; } } Statslog( LDAP_DEBUG_STATS, "%s DNSSRV p=%d dn=\"%s\" url=\"%s\"\n", op->o_log_prefix, op->o_protocol, op->o_req_dn.bv_val, urls[0].bv_val, 0 ); Debug( LDAP_DEBUG_TRACE, "DNSSRV: dn=\"%s\" -> url=\"%s\"\n", op->o_req_dn.bv_val, urls[0].bv_val, 0 ); rs->sr_ref = urls; send_ldap_error( op, rs, LDAP_REFERRAL, "DNS SRV generated referrals" ); rs->sr_ref = NULL; rc = LDAP_REFERRAL; done: if( domain != NULL ) ch_free( domain ); if( hostlist != NULL ) ch_free( hostlist ); if( hosts != NULL ) ldap_charray_free( hosts ); ber_bvarray_free( urls ); return rc; }
int starttls_extop ( Operation *op, SlapReply *rs ) { int rc; Statslog( LDAP_DEBUG_STATS, "%s STARTTLS\n", op->o_log_prefix, 0, 0, 0, 0 ); if ( op->ore_reqdata != NULL ) { /* no request data should be provided */ rs->sr_text = "no request data expected"; return LDAP_PROTOCOL_ERROR; } /* acquire connection lock */ ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex ); /* can't start TLS if it is already started */ if (op->o_conn->c_is_tls != 0) { rs->sr_text = "TLS already started"; rc = LDAP_OPERATIONS_ERROR; goto done; } /* can't start TLS if there are other op's around */ if (( !LDAP_STAILQ_EMPTY(&op->o_conn->c_ops) && (LDAP_STAILQ_FIRST(&op->o_conn->c_ops) != op || LDAP_STAILQ_NEXT(op, o_next) != NULL)) || ( !LDAP_STAILQ_EMPTY(&op->o_conn->c_pending_ops) )) { rs->sr_text = "cannot start TLS when operations are outstanding"; rc = LDAP_OPERATIONS_ERROR; goto done; } if ( !( global_disallows & SLAP_DISALLOW_TLS_2_ANON ) && ( op->o_conn->c_dn.bv_len != 0 ) ) { Statslog( LDAP_DEBUG_STATS, "%s AUTHZ anonymous mech=starttls ssf=0\n", op->o_log_prefix, 0, 0, 0, 0 ); /* force to anonymous */ connection2anonymous( op->o_conn ); } if ( ( global_disallows & SLAP_DISALLOW_TLS_AUTHC ) && ( op->o_conn->c_dn.bv_len != 0 ) ) { rs->sr_text = "cannot start TLS after authentication"; rc = LDAP_OPERATIONS_ERROR; goto done; } /* fail if TLS could not be initialized */ if ( slap_tls_ctx == NULL ) { if (default_referral != NULL) { /* caller will put the referral in the result */ rc = LDAP_REFERRAL; goto done; } rs->sr_text = "Could not initialize TLS"; rc = LDAP_UNAVAILABLE; goto done; } op->o_conn->c_is_tls = 1; op->o_conn->c_needs_tls_accept = 1; rc = LDAP_SUCCESS; done: /* give up connection lock */ ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex ); /* FIXME: RACE CONDITION! we give up lock before sending result * Should be resolved by reworking connection state, not * by moving send here (so as to ensure proper TLS sequencing) */ return rc; }