int pam_pwmod(nssov_info *ni,TFILE *fp,Operation *op)
{
struct berval npw;
int32_t tmpint32;
char dnc[1024];
char uidc[32];
char opwc[256];
char npwc[256];
char svcc[256];
struct paminfo pi;
int rc;
READ_STRING(fp,uidc);
pi.uid.bv_val = uidc;
pi.uid.bv_len = tmpint32;
READ_STRING(fp,dnc);
pi.dn.bv_val = dnc;
pi.dn.bv_len = tmpint32;
READ_STRING(fp,svcc);
pi.svc.bv_val = svcc;
pi.svc.bv_len = tmpint32;
READ_STRING(fp,opwc);
pi.pwd.bv_val = opwc;
pi.pwd.bv_len = tmpint32;
READ_STRING(fp,npwc);
npw.bv_val = npwc;
npw.bv_len = tmpint32;
Debug(LDAP_DEBUG_TRACE,"nssov_pam_pwmod(%s), %s\n",
pi.dn.bv_val,pi.uid.bv_val,0);
BER_BVZERO(&pi.msg);
/* This is a prelim check */
if (BER_BVISEMPTY(&pi.dn)) {
rc = pam_do_bind(ni,fp,op,&pi);
if (rc == NSLCD_PAM_IGNORE)
rc = NSLCD_PAM_SUCCESS;
} else {
BerElementBuffer berbuf;
BerElement *ber = (BerElement *)&berbuf;
struct berval bv;
SlapReply rs = {REP_RESULT};
slap_callback cb = {0};
ber_init_w_nullc(ber, LBER_USE_DER);
ber_printf(ber, "{");
if (!BER_BVISEMPTY(&pi.pwd))
ber_printf(ber, "tO", LDAP_TAG_EXOP_MODIFY_PASSWD_OLD,
&pi.pwd);
if (!BER_BVISEMPTY(&npw))
ber_printf(ber, "tO", LDAP_TAG_EXOP_MODIFY_PASSWD_NEW,
&npw);
ber_printf(ber, "N}");
ber_flatten2(ber, &bv, 0);
op->o_tag = LDAP_REQ_EXTENDED;
op->ore_reqoid = slap_EXOP_MODIFY_PASSWD;
op->ore_reqdata = &bv;
op->o_dn = pi.dn;
op->o_ndn = pi.dn;
op->o_callback = &cb;
op->o_conn->c_authz_backend = op->o_bd;
cb.sc_response = slap_null_cb;
op->o_bd = frontendDB;
rc = op->o_bd->be_extended(op, &rs);
if (rs.sr_text)
ber_str2bv(rs.sr_text, 0, 0, &pi.msg);
if (rc == LDAP_SUCCESS)
rc = NSLCD_PAM_SUCCESS;
else
rc = NSLCD_PAM_PERM_DENIED;
}
WRITE_INT32(fp,NSLCD_VERSION);
WRITE_INT32(fp,NSLCD_ACTION_PAM_PWMOD);
WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
WRITE_BERVAL(fp,&pi.uid);
WRITE_BERVAL(fp,&pi.dn);
WRITE_INT32(fp,rc);
WRITE_BERVAL(fp,&pi.msg);
return 0;
}
static void *
slapd_rw_config( const char *fname, int lineno, int argc, char **argv )
{
slapd_map_data *ret = NULL;
LDAPURLDesc *lud = NULL;
char *uri;
AttributeDescription *ad = NULL;
int rc, flen = 0;
struct berval dn, ndn;
if ( argc != 1 ) {
Debug( LDAP_DEBUG_ANY,
"[%s:%d] slapd map needs URI\n",
fname, lineno );
return NULL;
}
uri = argv[0];
if ( strncasecmp( uri, "uri=", STRLENOF( "uri=" ) ) == 0 ) {
uri += STRLENOF( "uri=" );
}
if ( ldap_url_parse( uri, &lud ) != LDAP_URL_SUCCESS ) {
Debug( LDAP_DEBUG_ANY,
"[%s:%d] illegal URI '%s'\n",
fname, lineno, uri );
return NULL;
}
if ( strcasecmp( lud->lud_scheme, "ldap" )) {
Debug( LDAP_DEBUG_ANY,
"[%s:%d] illegal URI scheme '%s'\n",
fname, lineno, lud->lud_scheme );
goto done;
}
if (( lud->lud_host && lud->lud_host[0] ) || lud->lud_exts
|| !lud->lud_dn ) {
Debug( LDAP_DEBUG_ANY,
"[%s:%d] illegal URI '%s'\n",
fname, lineno, uri );
goto done;
}
if ( lud->lud_attrs ) {
if ( lud->lud_attrs[1] ) {
Debug( LDAP_DEBUG_ANY,
"[%s:%d] only one attribute allowed in URI\n",
fname, lineno );
goto done;
}
if ( strcasecmp( lud->lud_attrs[0], "dn" ) &&
strcasecmp( lud->lud_attrs[0], "entryDN" )) {
const char *text;
rc = slap_str2ad( lud->lud_attrs[0], &ad, &text );
if ( rc )
goto done;
}
}
ber_str2bv( lud->lud_dn, 0, 0, &dn );
if ( dnNormalize( 0, NULL, NULL, &dn, &ndn, NULL ))
goto done;
if ( lud->lud_filter ) {
flen = strlen( lud->lud_filter ) + 1;
}
ret = ch_malloc( sizeof( slapd_map_data ) + flen );
ret->base = ndn;
if ( flen ) {
ret->filter.bv_val = (char *)(ret+1);
ret->filter.bv_len = flen - 1;
strcpy( ret->filter.bv_val, lud->lud_filter );
} else {
BER_BVZERO( &ret->filter );
}
ret->scope = lud->lud_scope;
if ( ad ) {
ret->attrs[0].an_name = ad->ad_cname;
} else {
BER_BVZERO( &ret->attrs[0].an_name );
}
ret->attrs[0].an_desc = ad;
BER_BVZERO( &ret->attrs[1].an_name );
done:
ldap_free_urldesc( lud );
return ret;
}
meta_search_candidate_t
asyncmeta_back_add_start(Operation *op,
SlapReply *rs,
a_metaconn_t *mc,
bm_context_t *bc,
int candidate)
{
int isupdate;
Attribute *a;
int i;
LDAPMod **attrs;
struct berval mapped;
a_dncookie dc;
a_metainfo_t *mi = mc->mc_info;
a_metatarget_t *mt = mi->mi_targets[ candidate ];
struct berval mdn;
meta_search_candidate_t retcode = META_SEARCH_CANDIDATE;
BerElement *ber = NULL;
a_metasingleconn_t *msc = &mc->mc_conns[ candidate ];
SlapReply *candidates = bc->candidates;
ber_int_t msgid;
LDAPControl **ctrls = NULL;
int rc, nretries = 1;
dc.target = mt;
dc.conn = op->o_conn;
dc.rs = rs;
dc.ctx = "addDN";
mdn.bv_len = 0;
switch (asyncmeta_dn_massage( &dc, &bc->op->o_req_dn, &mdn ) )
{
case LDAP_SUCCESS:
break;
case LDAP_UNWILLING_TO_PERFORM:
rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
rs->sr_text = "Operation not allowed";
retcode = META_SEARCH_ERR;
goto doreturn;
default:
rs->sr_err = LDAP_NO_SUCH_OBJECT;
retcode = META_SEARCH_NOT_CANDIDATE;
goto doreturn;
}
/* Count number of attributes in entry ( +1 ) */
for ( i = 1, a = op->ora_e->e_attrs; a; i++, a = a->a_next );
/* Create array of LDAPMods for ldap_add() */
attrs = ch_malloc( sizeof( LDAPMod * )*i );
dc.ctx = "addAttrDN";
isupdate = be_shadow_update( op );
for ( i = 0, a = op->ora_e->e_attrs; a; a = a->a_next ) {
int j, is_oc = 0;
if ( !isupdate && !get_relax( op ) && a->a_desc->ad_type->sat_no_user_mod )
{
continue;
}
if ( a->a_desc == slap_schema.si_ad_objectClass
|| a->a_desc == slap_schema.si_ad_structuralObjectClass )
{
is_oc = 1;
mapped = a->a_desc->ad_cname;
} else {
asyncmeta_map( &mt->mt_rwmap.rwm_at,
&a->a_desc->ad_cname, &mapped, BACKLDAP_MAP );
if ( BER_BVISNULL( &mapped ) || BER_BVISEMPTY( &mapped ) ) {
continue;
}
}
attrs[ i ] = ch_malloc( sizeof( LDAPMod ) );
if ( attrs[ i ] == NULL ) {
continue;
}
attrs[ i ]->mod_op = LDAP_MOD_BVALUES;
attrs[ i ]->mod_type = mapped.bv_val;
if ( is_oc ) {
for ( j = 0; !BER_BVISNULL( &a->a_vals[ j ] ); j++ );
attrs[ i ]->mod_bvalues =
(struct berval **)ch_malloc( ( j + 1 ) *
sizeof( struct berval * ) );
for ( j = 0; !BER_BVISNULL( &a->a_vals[ j ] ); ) {
struct ldapmapping *mapping;
asyncmeta_mapping( &mt->mt_rwmap.rwm_oc,
&a->a_vals[ j ], &mapping, BACKLDAP_MAP );
if ( mapping == NULL ) {
if ( mt->mt_rwmap.rwm_oc.drop_missing ) {
continue;
}
attrs[ i ]->mod_bvalues[ j ] = &a->a_vals[ j ];
} else {
attrs[ i ]->mod_bvalues[ j ] = &mapping->dst;
}
j++;
}
attrs[ i ]->mod_bvalues[ j ] = NULL;
} else {
/*
* FIXME: dn-valued attrs should be rewritten
* to allow their use in ACLs at the back-ldap
* level.
*/
if ( a->a_desc->ad_type->sat_syntax ==
slap_schema.si_syn_distinguishedName )
{
(void)asyncmeta_dnattr_rewrite( &dc, a->a_vals );
if ( a->a_vals == NULL ) {
continue;
}
}
for ( j = 0; !BER_BVISNULL( &a->a_vals[ j ] ); j++ )
;
attrs[ i ]->mod_bvalues = ch_malloc( ( j + 1 ) * sizeof( struct berval * ) );
for ( j = 0; !BER_BVISNULL( &a->a_vals[ j ] ); j++ ) {
attrs[ i ]->mod_bvalues[ j ] = &a->a_vals[ j ];
}
attrs[ i ]->mod_bvalues[ j ] = NULL;
}
i++;
}
attrs[ i ] = NULL;
retry:;
ctrls = op->o_ctrls;
if ( asyncmeta_controls_add( op, rs, mc, candidate, &ctrls ) != LDAP_SUCCESS )
{
candidates[ candidate ].sr_msgid = META_MSGID_IGNORE;
retcode = META_SEARCH_ERR;
goto done;
}
ber = ldap_build_add_req( msc->msc_ld, mdn.bv_val, attrs, ctrls, NULL, &msgid);
if (ber) {
candidates[ candidate ].sr_msgid = msgid;
rc = ldap_send_initial_request( msc->msc_ld, LDAP_REQ_ADD,
mdn.bv_val, ber, msgid );
if (rc == msgid)
rc = LDAP_SUCCESS;
else
rc = LDAP_SERVER_DOWN;
switch ( rc ) {
case LDAP_SUCCESS:
retcode = META_SEARCH_CANDIDATE;
asyncmeta_set_msc_time(msc);
break;
case LDAP_SERVER_DOWN:
ldap_pvt_thread_mutex_lock( &mc->mc_om_mutex);
asyncmeta_clear_one_msc(NULL, mc, candidate);
ldap_pvt_thread_mutex_unlock( &mc->mc_om_mutex);
if ( nretries && asyncmeta_retry( op, rs, &mc, candidate, LDAP_BACK_DONTSEND ) ) {
nretries = 0;
/* if the identity changed, there might be need to re-authz */
(void)mi->mi_ldap_extra->controls_free( op, rs, &ctrls );
goto retry;
}
default:
candidates[ candidate ].sr_msgid = META_MSGID_IGNORE;
retcode = META_SEARCH_ERR;
}
}
done:
(void)mi->mi_ldap_extra->controls_free( op, rs, &ctrls );
for ( --i; i >= 0; --i ) {
free( attrs[ i ]->mod_bvalues );
free( attrs[ i ] );
}
free( attrs );
if ( mdn.bv_val != op->ora_e->e_dn ) {
free( mdn.bv_val );
BER_BVZERO( &mdn );
}
doreturn:;
Debug( LDAP_DEBUG_TRACE, "%s <<< asyncmeta_back_add_start[%p]=%d\n", op->o_log_prefix, msc, candidates[candidate].sr_msgid );
return retcode;
}
static int objectSubClassIndexer(
slap_mask_t use,
slap_mask_t mask,
Syntax *syntax,
MatchingRule *mr,
struct berval *prefix,
BerVarray values,
BerVarray *keysp,
void *ctx )
{
int rc, noc, i;
BerVarray ocvalues;
ObjectClass **socs;
for( noc=0; values[noc].bv_val != NULL; noc++ ) {
/* just count em */;
}
/* over allocate */
socs = slap_sl_malloc( (noc+16) * sizeof( ObjectClass * ), ctx );
/* initialize */
for( i=0; i<noc; i++ ) {
socs[i] = oc_bvfind( &values[i] );
}
/* expand values */
for( i=0; i<noc; i++ ) {
int j;
ObjectClass *oc = socs[i];
if( oc == NULL || oc->soc_sups == NULL ) continue;
for( j=0; oc->soc_sups[j] != NULL; j++ ) {
int found = 0;
ObjectClass *sup = oc->soc_sups[j];
int k;
for( k=0; k<noc; k++ ) {
if( sup == socs[k] ) {
found++;
break;
}
}
if( !found ) {
socs = slap_sl_realloc( socs,
sizeof( ObjectClass * ) * (noc+2), ctx );
assert( k == noc );
socs[noc++] = sup;
}
}
}
ocvalues = slap_sl_malloc( sizeof( struct berval ) * (noc+1), ctx );
/* copy values */
for( i=0; i<noc; i++ ) {
if ( socs[i] )
ocvalues[i] = socs[i]->soc_cname;
else
ocvalues[i] = values[i];
}
BER_BVZERO( &ocvalues[i] );
rc = octetStringIndexer( use, mask, syntax, mr,
prefix, ocvalues, keysp, ctx );
slap_sl_free( ocvalues, ctx );
slap_sl_free( socs, ctx );
return rc;
}
static int
slap_auxprop_store(
void *glob_context,
sasl_server_params_t *sparams,
struct propctx *prctx,
const char *user,
unsigned ulen)
{
Operation op = {0};
Opheader oph;
SlapReply rs = {REP_RESULT};
int rc, i;
unsigned j;
Connection *conn = NULL;
const struct propval *pr;
Modifications *modlist = NULL, **modtail = &modlist, *mod;
slap_callback cb = { NULL, slap_null_cb, NULL, NULL };
char textbuf[SLAP_TEXT_BUFLEN];
const char *text;
size_t textlen = sizeof(textbuf);
/* just checking if we are enabled */
if (!prctx) return SASL_OK;
if (!sparams || !user) return SASL_BADPARAM;
pr = sparams->utils->prop_get( sparams->propctx );
/* Find our DN and conn first */
for( i = 0; pr[i].name; i++ ) {
if ( pr[i].name[0] == '*' ) {
if ( !strcmp( pr[i].name, slap_propnames[SLAP_SASL_PROP_CONN] ) ) {
if ( pr[i].values && pr[i].values[0] )
AC_MEMCPY( &conn, pr[i].values[0], sizeof( conn ) );
continue;
}
if ( !strcmp( pr[i].name, slap_propnames[SLAP_SASL_PROP_AUTHCLEN] )) {
if ( pr[i].values && pr[i].values[0] )
AC_MEMCPY( &op.o_req_ndn.bv_len, pr[i].values[0],
sizeof( op.o_req_ndn.bv_len ) );
} else if ( !strcmp( pr[i].name, slap_propnames[SLAP_SASL_PROP_AUTHC] ) ) {
if ( pr[i].values )
op.o_req_ndn.bv_val = (char *)pr[i].values[0];
}
}
}
if (!conn || !op.o_req_ndn.bv_val) return SASL_BADPARAM;
op.o_bd = select_backend( &op.o_req_ndn, 1 );
if ( !op.o_bd || !op.o_bd->bd_info->bi_op_modify ) return SASL_FAIL;
pr = sparams->utils->prop_get( prctx );
if (!pr) return SASL_BADPARAM;
for (i=0; pr[i].name; i++);
if (!i) return SASL_BADPARAM;
for (i=0; pr[i].name; i++) {
mod = (Modifications *)ch_malloc( sizeof(Modifications) );
mod->sml_op = LDAP_MOD_REPLACE;
mod->sml_flags = 0;
ber_str2bv( pr[i].name, 0, 0, &mod->sml_type );
mod->sml_numvals = pr[i].nvalues;
mod->sml_values = (struct berval *)ch_malloc( (pr[i].nvalues + 1) *
sizeof(struct berval));
for (j=0; j<pr[i].nvalues; j++) {
ber_str2bv( pr[i].values[j], 0, 1, &mod->sml_values[j]);
}
BER_BVZERO( &mod->sml_values[j] );
mod->sml_nvalues = NULL;
mod->sml_desc = NULL;
*modtail = mod;
modtail = &mod->sml_next;
}
*modtail = NULL;
rc = slap_mods_check( &op, modlist, &text, textbuf, textlen, NULL );
if ( rc == LDAP_SUCCESS ) {
rc = slap_mods_no_user_mod_check( &op, modlist,
&text, textbuf, textlen );
if ( rc == LDAP_SUCCESS ) {
if ( conn->c_sasl_bindop ) {
op.o_hdr = conn->c_sasl_bindop->o_hdr;
} else {
op.o_hdr = &oph;
memset( &oph, 0, sizeof(oph) );
operation_fake_init( conn, &op, ldap_pvt_thread_pool_context(), 0 );
}
op.o_tag = LDAP_REQ_MODIFY;
op.o_ndn = op.o_req_ndn;
op.o_callback = &cb;
slap_op_time( &op.o_time, &op.o_tincr );
op.o_do_not_cache = 1;
op.o_is_auth_check = 1;
op.o_req_dn = op.o_req_ndn;
op.orm_modlist = modlist;
rc = slap_biglock_call_be( op_modify, &op, &rs );
}
}
slap_mods_free( modlist, 1 );
return rc != LDAP_SUCCESS ? SASL_FAIL : SASL_OK;
}
/*
* FIXME: error return must be handled in a cleaner way ...
*/
int
asyncmeta_back_op_result(
a_metaconn_t *mc,
Operation *op,
SlapReply *rs,
int candidate,
ber_int_t msgid,
time_t timeout,
ldap_back_send_t sendok )
{
a_metainfo_t *mi = mc->mc_info;
const char *save_text = rs->sr_text,
*save_matched = rs->sr_matched;
BerVarray save_ref = rs->sr_ref;
LDAPControl **save_ctrls = rs->sr_ctrls;
void *matched_ctx = NULL;
char *matched = NULL;
char *text = NULL;
char **refs = NULL;
LDAPControl **ctrls = NULL;
assert( mc != NULL );
rs->sr_text = NULL;
rs->sr_matched = NULL;
rs->sr_ref = NULL;
rs->sr_ctrls = NULL;
if ( candidate != META_TARGET_NONE ) {
a_metatarget_t *mt = mi->mi_targets[ candidate ];
a_metasingleconn_t *msc = &mc->mc_conns[ candidate ];
if ( LDAP_ERR_OK( rs->sr_err ) ) {
int rc;
struct timeval tv;
LDAPMessage *res = NULL;
time_t stoptime = (time_t)(-1);
int timeout_err = op->o_protocol >= LDAP_VERSION3 ?
LDAP_ADMINLIMIT_EXCEEDED : LDAP_OTHER;
const char *timeout_text = "Operation timed out";
/* if timeout is not specified, compute and use
* the one specific to the ongoing operation */
if ( timeout == (time_t)(-1) ) {
slap_op_t opidx = slap_req2op( op->o_tag );
if ( opidx == SLAP_OP_SEARCH ) {
if ( op->ors_tlimit <= 0 ) {
timeout = 0;
} else {
timeout = op->ors_tlimit;
timeout_err = LDAP_TIMELIMIT_EXCEEDED;
timeout_text = NULL;
}
} else {
timeout = mt->mt_timeout[ opidx ];
}
}
/* better than nothing :) */
if ( timeout == 0 ) {
if ( mi->mi_idle_timeout ) {
timeout = mi->mi_idle_timeout;
}
}
if ( timeout ) {
stoptime = op->o_time + timeout;
}
LDAP_BACK_TV_SET( &tv );
retry:;
rc = ldap_result( msc->msc_ld, msgid, LDAP_MSG_ALL, &tv, &res );
switch ( rc ) {
case 0:
if ( timeout && slap_get_time() > stoptime ) {
(void)asyncmeta_back_cancel( mc, op, msgid, candidate );
rs->sr_err = timeout_err;
rs->sr_text = timeout_text;
break;
}
LDAP_BACK_TV_SET( &tv );
ldap_pvt_thread_yield();
goto retry;
case -1:
ldap_get_option( msc->msc_ld, LDAP_OPT_RESULT_CODE,
&rs->sr_err );
break;
/* otherwise get the result; if it is not
* LDAP_SUCCESS, record it in the reply
* structure (this includes
* LDAP_COMPARE_{TRUE|FALSE}) */
default:
/* only touch when activity actually took place... */
if ( mi->mi_idle_timeout != 0 && msc->msc_time < op->o_time ) {
msc->msc_time = op->o_time;
}
rc = ldap_parse_result( msc->msc_ld, res, &rs->sr_err,
&matched, &text, &refs, &ctrls, 1 );
res = NULL;
if ( rc == LDAP_SUCCESS ) {
rs->sr_text = text;
} else {
rs->sr_err = rc;
}
rs->sr_err = slap_map_api2result( rs );
/* RFC 4511: referrals can only appear
* if result code is LDAP_REFERRAL */
if ( refs != NULL
&& refs[ 0 ] != NULL
&& refs[ 0 ][ 0 ] != '\0' )
{
if ( rs->sr_err != LDAP_REFERRAL ) {
Debug( LDAP_DEBUG_ANY,
"%s asyncmeta_back_op_result[%d]: "
"got referrals with err=%d\n",
op->o_log_prefix,
candidate, rs->sr_err );
} else {
int i;
for ( i = 0; refs[ i ] != NULL; i++ )
/* count */ ;
rs->sr_ref = op->o_tmpalloc( sizeof( struct berval ) * ( i + 1 ),
op->o_tmpmemctx );
for ( i = 0; refs[ i ] != NULL; i++ ) {
ber_str2bv( refs[ i ], 0, 0, &rs->sr_ref[ i ] );
}
BER_BVZERO( &rs->sr_ref[ i ] );
}
} else if ( rs->sr_err == LDAP_REFERRAL ) {
Debug( LDAP_DEBUG_ANY,
"%s asyncmeta_back_op_result[%d]: "
"got err=%d with null "
"or empty referrals\n",
op->o_log_prefix,
candidate, rs->sr_err );
rs->sr_err = LDAP_NO_SUCH_OBJECT;
}
if ( ctrls != NULL ) {
rs->sr_ctrls = ctrls;
}
}
assert( res == NULL );
}
/* if the error in the reply structure is not
* LDAP_SUCCESS, try to map it from client
* to server error */
if ( !LDAP_ERR_OK( rs->sr_err ) ) {
rs->sr_err = slap_map_api2result( rs );
/* internal ops ( op->o_conn == NULL )
* must not reply to client */
if ( op->o_conn && !op->o_do_not_cache && matched ) {
/* record the (massaged) matched
* DN into the reply structure */
rs->sr_matched = matched;
}
}
if ( META_BACK_TGT_QUARANTINE( mt ) ) {
asyncmeta_quarantine( op, mi, rs, candidate );
}
} else {
int i,
err = rs->sr_err;
for ( i = 0; i < mi->mi_ntargets; i++ ) {
a_metasingleconn_t *msc = &mc->mc_conns[ i ];
char *xtext = NULL;
char *xmatched = NULL;
if ( msc->msc_ld == NULL ) {
continue;
}
rs->sr_err = LDAP_SUCCESS;
ldap_get_option( msc->msc_ld, LDAP_OPT_RESULT_CODE, &rs->sr_err );
if ( rs->sr_err != LDAP_SUCCESS ) {
/*
* better check the type of error. In some cases
* (search ?) it might be better to return a
* success if at least one of the targets gave
* positive result ...
*/
ldap_get_option( msc->msc_ld,
LDAP_OPT_DIAGNOSTIC_MESSAGE, &xtext );
if ( xtext != NULL && xtext [ 0 ] == '\0' ) {
ldap_memfree( xtext );
xtext = NULL;
}
ldap_get_option( msc->msc_ld,
LDAP_OPT_MATCHED_DN, &xmatched );
if ( xmatched != NULL && xmatched[ 0 ] == '\0' ) {
ldap_memfree( xmatched );
xmatched = NULL;
}
rs->sr_err = slap_map_api2result( rs );
if ( LogTest( LDAP_DEBUG_ANY ) ) {
char buf[ SLAP_TEXT_BUFLEN ];
snprintf( buf, sizeof( buf ),
"asyncmeta_back_op_result[%d] "
"err=%d text=\"%s\" matched=\"%s\"",
i, rs->sr_err,
( xtext ? xtext : "" ),
( xmatched ? xmatched : "" ) );
Debug( LDAP_DEBUG_ANY, "%s %s.\n",
op->o_log_prefix, buf, 0 );
}
/*
* FIXME: need to rewrite "match" (need rwinfo)
*/
switch ( rs->sr_err ) {
default:
err = rs->sr_err;
if ( xtext != NULL ) {
if ( text ) {
ldap_memfree( text );
}
text = xtext;
xtext = NULL;
}
if ( xmatched != NULL ) {
if ( matched ) {
ldap_memfree( matched );
}
matched = xmatched;
xmatched = NULL;
}
break;
}
if ( xtext ) {
ldap_memfree( xtext );
}
if ( xmatched ) {
ldap_memfree( xmatched );
}
}
if ( META_BACK_TGT_QUARANTINE( mi->mi_targets[ i ] ) ) {
asyncmeta_quarantine( op, mi, rs, i );
}
}
if ( err != LDAP_SUCCESS ) {
rs->sr_err = err;
}
}
if ( matched != NULL ) {
struct berval dn, pdn;
ber_str2bv( matched, 0, 0, &dn );
if ( dnPretty( NULL, &dn, &pdn, op->o_tmpmemctx ) == LDAP_SUCCESS ) {
ldap_memfree( matched );
matched_ctx = op->o_tmpmemctx;
matched = pdn.bv_val;
}
rs->sr_matched = matched;
}
if ( rs->sr_err == LDAP_UNAVAILABLE ) {
if ( !( sendok & LDAP_BACK_RETRYING ) ) {
if ( op->o_conn && ( sendok & LDAP_BACK_SENDERR ) ) {
if ( rs->sr_text == NULL ) rs->sr_text = "Proxy operation retry failed";
send_ldap_result( op, rs );
}
}
} else if ( op->o_conn &&
( ( ( sendok & LDAP_BACK_SENDOK ) && LDAP_ERR_OK( rs->sr_err ) )
|| ( ( sendok & LDAP_BACK_SENDERR ) && !LDAP_ERR_OK( rs->sr_err ) ) ) )
{
send_ldap_result( op, rs );
}
if ( matched ) {
op->o_tmpfree( (char *)rs->sr_matched, matched_ctx );
}
if ( text ) {
ldap_memfree( text );
}
if ( rs->sr_ref ) {
op->o_tmpfree( rs->sr_ref, op->o_tmpmemctx );
rs->sr_ref = NULL;
}
if ( refs ) {
ber_memvfree( (void **)refs );
}
if ( ctrls ) {
assert( rs->sr_ctrls != NULL );
ldap_controls_free( ctrls );
}
rs->sr_text = save_text;
rs->sr_matched = save_matched;
rs->sr_ref = save_ref;
rs->sr_ctrls = save_ctrls;
return( LDAP_ERR_OK( rs->sr_err ) ? LDAP_SUCCESS : rs->sr_err );
}
static int
aci_mask(
Operation *op,
Entry *e,
AttributeDescription *desc,
struct berval *val,
struct berval *aci,
int nmatch,
regmatch_t *matches,
slap_access_t *grant,
slap_access_t *deny,
slap_aci_scope_t asserted_scope )
{
struct berval bv,
scope,
perms,
type,
opts,
sdn;
int rc;
ACL_INIT( *grant );
ACL_INIT( *deny );
assert( !BER_BVISNULL( &desc->ad_cname ) );
/* parse an aci of the form:
oid # scope # action;rights;attr;rights;attr
$ action;rights;attr;rights;attr # type # subject
[NOTE: the following comment is very outdated,
as the draft version it refers to (Ando, 2004-11-20)].
See draft-ietf-ldapext-aci-model-04.txt section 9.1 for
a full description of the format for this attribute.
Differences: "this" in the draft is "self" here, and
"self" and "public" is in the position of type.
<scope> = {entry|children|subtree}
<type> = {public|users|access-id|subtree|onelevel|children|
self|dnattr|group|role|set|set-ref}
This routine now supports scope={ENTRY,CHILDREN}
with the semantics:
- ENTRY applies to "entry" and "subtree";
- CHILDREN applies to "children" and "subtree"
*/
/* check that the aci has all 5 components */
if ( acl_get_part( aci, 4, '#', NULL ) < 0 ) {
return 0;
}
/* check that the aci family is supported */
/* FIXME: the OID is ignored? */
if ( acl_get_part( aci, 0, '#', &bv ) < 0 ) {
return 0;
}
/* check that the scope matches */
if ( acl_get_part( aci, 1, '#', &scope ) < 0 ) {
return 0;
}
/* note: scope can be either ENTRY or CHILDREN;
* they respectively match "entry" and "children" in bv
* both match "subtree" */
switch ( asserted_scope ) {
case SLAP_ACI_SCOPE_ENTRY:
if ( ber_bvcmp( &scope, &aci_bv[ ACI_BV_ENTRY ] ) != 0
&& ber_bvstrcasecmp( &scope, &aci_bv[ ACI_BV_SUBTREE ] ) != 0 )
{
return 0;
}
break;
case SLAP_ACI_SCOPE_CHILDREN:
if ( ber_bvcmp( &scope, &aci_bv[ ACI_BV_CHILDREN ] ) != 0
&& ber_bvstrcasecmp( &scope, &aci_bv[ ACI_BV_SUBTREE ] ) != 0 )
{
return 0;
}
break;
case SLAP_ACI_SCOPE_SUBTREE:
/* TODO: add assertion? */
return 0;
}
/* get the list of permissions clauses, bail if empty */
if ( acl_get_part( aci, 2, '#', &perms ) <= 0 ) {
assert( 0 );
return 0;
}
/* check if any permissions allow desired access */
if ( aci_list_get_rights( &perms, &desc->ad_cname, val, grant, deny ) == 0 ) {
return 0;
}
/* see if we have a DN match */
if ( acl_get_part( aci, 3, '#', &type ) < 0 ) {
assert( 0 );
return 0;
}
/* see if we have a public (i.e. anonymous) access */
if ( ber_bvcmp( &aci_bv[ ACI_BV_PUBLIC ], &type ) == 0 ) {
return 1;
}
/* otherwise require an identity */
if ( BER_BVISNULL( &op->o_ndn ) || BER_BVISEMPTY( &op->o_ndn ) ) {
return 0;
}
/* see if we have a users access */
if ( ber_bvcmp( &aci_bv[ ACI_BV_USERS ], &type ) == 0 ) {
return 1;
}
/* NOTE: this may fail if a DN contains a valid '#' (unescaped);
* just grab all the berval up to its end (ITS#3303).
* NOTE: the problem could be solved by providing the DN with
* the embedded '#' encoded as hexpairs: "cn=Foo#Bar" would
* become "cn=Foo\23Bar" and be safely used by aci_mask(). */
#if 0
if ( acl_get_part( aci, 4, '#', &sdn ) < 0 ) {
return 0;
}
#endif
sdn.bv_val = type.bv_val + type.bv_len + STRLENOF( "#" );
sdn.bv_len = aci->bv_len - ( sdn.bv_val - aci->bv_val );
/* get the type options, if any */
if ( acl_get_part( &type, 1, '/', &opts ) > 0 ) {
opts.bv_len = type.bv_len - ( opts.bv_val - type.bv_val );
type.bv_len = opts.bv_val - type.bv_val - 1;
} else {
BER_BVZERO( &opts );
}
if ( ber_bvcmp( &aci_bv[ ACI_BV_ACCESS_ID ], &type ) == 0 ) {
return dn_match( &op->o_ndn, &sdn );
} else if ( ber_bvcmp( &aci_bv[ ACI_BV_SUBTREE ], &type ) == 0 ) {
return dnIsSuffix( &op->o_ndn, &sdn );
} else if ( ber_bvcmp( &aci_bv[ ACI_BV_ONELEVEL ], &type ) == 0 ) {
struct berval pdn;
dnParent( &sdn, &pdn );
return dn_match( &op->o_ndn, &pdn );
} else if ( ber_bvcmp( &aci_bv[ ACI_BV_CHILDREN ], &type ) == 0 ) {
return ( !dn_match( &op->o_ndn, &sdn ) && dnIsSuffix( &op->o_ndn, &sdn ) );
} else if ( ber_bvcmp( &aci_bv[ ACI_BV_SELF ], &type ) == 0 ) {
return dn_match( &op->o_ndn, &e->e_nname );
} else if ( ber_bvcmp( &aci_bv[ ACI_BV_DNATTR ], &type ) == 0 ) {
Attribute *at;
AttributeDescription *ad = NULL;
const char *text;
rc = slap_bv2ad( &sdn, &ad, &text );
assert( rc == LDAP_SUCCESS );
rc = 0;
for ( at = attrs_find( e->e_attrs, ad );
at != NULL;
at = attrs_find( at->a_next, ad ) )
{
if ( attr_valfind( at,
SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
&op->o_ndn, NULL, op->o_tmpmemctx ) == 0 )
{
rc = 1;
break;
}
}
return rc;
} else if ( ber_bvcmp( &aci_bv[ ACI_BV_GROUP ], &type ) == 0 ) {
struct berval oc,
at;
if ( BER_BVISNULL( &opts ) ) {
oc = aci_bv[ ACI_BV_GROUP_CLASS ];
at = aci_bv[ ACI_BV_GROUP_ATTR ];
} else {
if ( acl_get_part( &opts, 0, '/', &oc ) < 0 ) {
assert( 0 );
}
if ( acl_get_part( &opts, 1, '/', &at ) < 0 ) {
at = aci_bv[ ACI_BV_GROUP_ATTR ];
}
}
if ( aci_group_member( &sdn, &oc, &at, op, e, nmatch, matches ) )
{
return 1;
}
} else if ( ber_bvcmp( &aci_bv[ ACI_BV_ROLE ], &type ) == 0 ) {
struct berval oc,
at;
if ( BER_BVISNULL( &opts ) ) {
oc = aci_bv[ ACI_BV_ROLE_CLASS ];
at = aci_bv[ ACI_BV_ROLE_ATTR ];
} else {
if ( acl_get_part( &opts, 0, '/', &oc ) < 0 ) {
assert( 0 );
}
if ( acl_get_part( &opts, 1, '/', &at ) < 0 ) {
at = aci_bv[ ACI_BV_ROLE_ATTR ];
}
}
if ( aci_group_member( &sdn, &oc, &at, op, e, nmatch, matches ) )
{
return 1;
}
} else if ( ber_bvcmp( &aci_bv[ ACI_BV_SET ], &type ) == 0 ) {
if ( acl_match_set( &sdn, op, e, NULL ) ) {
return 1;
}
} else if ( ber_bvcmp( &aci_bv[ ACI_BV_SET_REF ], &type ) == 0 ) {
if ( acl_match_set( &sdn, op, e, (struct berval *)&aci_bv[ ACI_BV_SET_ATTR ] ) ) {
return 1;
}
} else {
/* it passed normalization! */
assert( 0 );
}
return 0;
}
int
slap_set_filter( SLAP_SET_GATHER gatherer,
SetCookie *cp, struct berval *fbv,
struct berval *user, struct berval *target, BerVarray *results )
{
#define STACK_SIZE 64
#define IS_SET(x) ( (unsigned long)(x) >= 256 )
#define IS_OP(x) ( (unsigned long)(x) < 256 )
#define SF_ERROR(x) do { rc = -1; goto _error; } while ( 0 )
#define SF_TOP() ( (BerVarray)( ( stp < 0 ) ? 0 : stack[ stp ] ) )
#define SF_POP() ( (BerVarray)( ( stp < 0 ) ? 0 : stack[ stp-- ] ) )
#define SF_PUSH(x) do { \
if ( stp >= ( STACK_SIZE - 1 ) ) SF_ERROR( overflow ); \
stack[ ++stp ] = (BerVarray)(long)(x); \
} while ( 0 )
BerVarray set, lset;
BerVarray stack[ STACK_SIZE ] = { 0 };
int len, rc, stp;
unsigned long op;
char c, *filter = fbv->bv_val;
if ( results ) {
*results = NULL;
}
stp = -1;
while ( ( c = *filter++ ) ) {
set = NULL;
switch ( c ) {
case ' ':
case '\t':
case '\x0A':
case '\x0D':
break;
case '(' /* ) */ :
if ( IS_SET( SF_TOP() ) ) {
SF_ERROR( syntax );
}
SF_PUSH( c );
break;
case /* ( */ ')':
set = SF_POP();
if ( IS_OP( set ) ) {
SF_ERROR( syntax );
}
if ( SF_TOP() == (void *)'(' /* ) */ ) {
SF_POP();
SF_PUSH( set );
set = NULL;
} else if ( IS_OP( SF_TOP() ) ) {
op = (unsigned long)SF_POP();
lset = SF_POP();
SF_POP();
set = slap_set_join( cp, lset, op, set );
if ( set == NULL ) {
SF_ERROR( memory );
}
SF_PUSH( set );
set = NULL;
} else {
SF_ERROR( syntax );
}
break;
case '|': /* union */
case '&': /* intersection */
case '+': /* string concatenation */
set = SF_POP();
if ( IS_OP( set ) ) {
SF_ERROR( syntax );
}
if ( SF_TOP() == 0 || SF_TOP() == (void *)'(' /* ) */ ) {
SF_PUSH( set );
set = NULL;
} else if ( IS_OP( SF_TOP() ) ) {
op = (unsigned long)SF_POP();
lset = SF_POP();
set = slap_set_join( cp, lset, op, set );
if ( set == NULL ) {
SF_ERROR( memory );
}
SF_PUSH( set );
set = NULL;
} else {
SF_ERROR( syntax );
}
SF_PUSH( c );
break;
case '[' /* ] */:
if ( ( SF_TOP() == (void *)'/' ) || IS_SET( SF_TOP() ) ) {
SF_ERROR( syntax );
}
for ( len = 0; ( c = *filter++ ) && ( c != /* [ */ ']' ); len++ )
;
if ( c == 0 ) {
SF_ERROR( syntax );
}
set = cp->set_op->o_tmpcalloc( 2, sizeof( struct berval ),
cp->set_op->o_tmpmemctx );
if ( set == NULL ) {
SF_ERROR( memory );
}
set->bv_val = cp->set_op->o_tmpcalloc( len + 1, sizeof( char ),
cp->set_op->o_tmpmemctx );
if ( BER_BVISNULL( set ) ) {
SF_ERROR( memory );
}
AC_MEMCPY( set->bv_val, &filter[ - len - 1 ], len );
set->bv_len = len;
SF_PUSH( set );
set = NULL;
break;
case '-':
if ( ( SF_TOP() == (void *)'/' )
&& ( *filter == '*' || ASCII_DIGIT( *filter ) ) )
{
SF_POP();
if ( *filter == '*' ) {
set = set_parents( cp, SF_POP() );
filter++;
} else {
char *next = NULL;
long parent = strtol( filter, &next, 10 );
if ( next == filter ) {
SF_ERROR( syntax );
}
set = SF_POP();
if ( parent != 0 ) {
set = set_parent( cp, set, parent );
}
filter = next;
}
if ( set == NULL ) {
SF_ERROR( memory );
}
SF_PUSH( set );
set = NULL;
break;
} else {
c = *filter++;
if ( c != '>' ) {
SF_ERROR( syntax );
}
/* fall through to next case */
}
case '/':
if ( IS_OP( SF_TOP() ) ) {
SF_ERROR( syntax );
}
SF_PUSH( '/' );
break;
default:
if ( !AD_LEADCHAR( c ) ) {
SF_ERROR( syntax );
}
filter--;
for ( len = 1;
( c = filter[ len ] ) && AD_CHAR( c );
len++ )
{
/* count */
if ( c == '-' && !AD_CHAR( filter[ len + 1 ] ) ) {
break;
}
}
if ( len == 4
&& memcmp( "this", filter, len ) == 0 )
{
assert( !BER_BVISNULL( target ) );
if ( ( SF_TOP() == (void *)'/' ) || IS_SET( SF_TOP() ) ) {
SF_ERROR( syntax );
}
set = cp->set_op->o_tmpcalloc( 2, sizeof( struct berval ),
cp->set_op->o_tmpmemctx );
if ( set == NULL ) {
SF_ERROR( memory );
}
ber_dupbv_x( set, target, cp->set_op->o_tmpmemctx );
if ( BER_BVISNULL( set ) ) {
SF_ERROR( memory );
}
BER_BVZERO( &set[ 1 ] );
} else if ( len == 4
&& memcmp( "user", filter, len ) == 0 )
{
if ( ( SF_TOP() == (void *)'/' ) || IS_SET( SF_TOP() ) ) {
SF_ERROR( syntax );
}
if ( BER_BVISNULL( user ) ) {
SF_ERROR( memory );
}
set = cp->set_op->o_tmpcalloc( 2, sizeof( struct berval ),
cp->set_op->o_tmpmemctx );
if ( set == NULL ) {
SF_ERROR( memory );
}
ber_dupbv_x( set, user, cp->set_op->o_tmpmemctx );
BER_BVZERO( &set[ 1 ] );
} else if ( SF_TOP() != (void *)'/' ) {
SF_ERROR( syntax );
} else {
struct berval fb2;
AttributeDescription *ad = NULL;
const char *text = NULL;
SF_POP();
fb2.bv_val = filter;
fb2.bv_len = len;
if ( slap_bv2ad( &fb2, &ad, &text ) != LDAP_SUCCESS ) {
SF_ERROR( syntax );
}
/* NOTE: ad must have distinguishedName syntax
* or expand in an LDAP URI if c == '*'
*/
set = set_chase( gatherer,
cp, SF_POP(), ad, c == '*' );
if ( set == NULL ) {
SF_ERROR( memory );
}
if ( c == '*' ) {
len++;
}
}
filter += len;
SF_PUSH( set );
set = NULL;
break;
}
}
set = SF_POP();
if ( IS_OP( set ) ) {
SF_ERROR( syntax );
}
if ( SF_TOP() == 0 ) {
/* FIXME: ok ? */ ;
} else if ( IS_OP( SF_TOP() ) ) {
op = (unsigned long)SF_POP();
lset = SF_POP();
set = slap_set_join( cp, lset, op, set );
if ( set == NULL ) {
SF_ERROR( memory );
}
} else {
SF_ERROR( syntax );
}
rc = slap_set_isempty( set ) ? 0 : 1;
if ( results ) {
*results = set;
set = NULL;
}
_error:
if ( IS_SET( set ) ) {
ber_bvarray_free_x( set, cp->set_op->o_tmpmemctx );
}
while ( ( set = SF_POP() ) ) {
if ( IS_SET( set ) ) {
ber_bvarray_free_x( set, cp->set_op->o_tmpmemctx );
}
}
return rc;
}
static int
bdb_cf_gen( ConfigArgs *c )
{
struct bdb_info *bdb = c->be->be_private;
int rc;
if ( c->op == SLAP_CONFIG_EMIT ) {
rc = 0;
switch( c->type ) {
case BDB_MODE: {
char buf[64];
struct berval bv;
bv.bv_len = snprintf( buf, sizeof(buf), "0%o", bdb->bi_dbenv_mode );
if ( bv.bv_len > 0 && bv.bv_len < sizeof(buf) ) {
bv.bv_val = buf;
value_add_one( &c->rvalue_vals, &bv );
} else {
rc = 1;
}
} break;
case BDB_CHKPT:
if ( bdb->bi_txn_cp ) {
char buf[64];
struct berval bv;
bv.bv_len = snprintf( buf, sizeof(buf), "%ld %ld",
(long) bdb->bi_txn_cp_kbyte, (long) bdb->bi_txn_cp_min );
if ( bv.bv_len > 0 && bv.bv_len < sizeof(buf) ) {
bv.bv_val = buf;
value_add_one( &c->rvalue_vals, &bv );
} else {
rc = 1;
}
} else {
rc = 1;
}
break;
case BDB_CRYPTFILE:
if ( bdb->bi_db_crypt_file ) {
c->value_string = ch_strdup( bdb->bi_db_crypt_file );
} else {
rc = 1;
}
break;
/* If a crypt file has been set, its contents are copied here.
* But we don't want the key to be incorporated here.
*/
case BDB_CRYPTKEY:
if ( !bdb->bi_db_crypt_file && !BER_BVISNULL( &bdb->bi_db_crypt_key )) {
value_add_one( &c->rvalue_vals, &bdb->bi_db_crypt_key );
} else {
rc = 1;
}
break;
case BDB_DIRECTORY:
if ( bdb->bi_dbenv_home ) {
c->value_string = ch_strdup( bdb->bi_dbenv_home );
} else {
rc = 1;
}
break;
case BDB_CONFIG:
if ( !( bdb->bi_flags & BDB_IS_OPEN )
&& !bdb->bi_db_config )
{
char buf[SLAP_TEXT_BUFLEN];
FILE *f = fopen( bdb->bi_db_config_path, "r" );
struct berval bv;
if ( f ) {
bdb->bi_flags |= BDB_HAS_CONFIG;
while ( fgets( buf, sizeof(buf), f )) {
ber_str2bv( buf, 0, 1, &bv );
if ( bv.bv_len > 0 && bv.bv_val[bv.bv_len-1] == '\n' ) {
bv.bv_len--;
bv.bv_val[bv.bv_len] = '\0';
}
/* shouldn't need this, but ... */
if ( bv.bv_len > 0 && bv.bv_val[bv.bv_len-1] == '\r' ) {
bv.bv_len--;
bv.bv_val[bv.bv_len] = '\0';
}
ber_bvarray_add( &bdb->bi_db_config, &bv );
}
fclose( f );
}
}
if ( bdb->bi_db_config ) {
int i;
struct berval bv;
bv.bv_val = c->log;
for (i=0; !BER_BVISNULL(&bdb->bi_db_config[i]); i++) {
bv.bv_len = sprintf( bv.bv_val, "{%d}%s", i,
bdb->bi_db_config[i].bv_val );
value_add_one( &c->rvalue_vals, &bv );
}
}
if ( !c->rvalue_vals ) rc = 1;
break;
case BDB_NOSYNC:
if ( bdb->bi_dbenv_xflags & DB_TXN_NOSYNC )
c->value_int = 1;
break;
case BDB_CHECKSUM:
if ( bdb->bi_flags & BDB_CHKSUM )
c->value_int = 1;
break;
case BDB_INDEX:
bdb_attr_index_unparse( bdb, &c->rvalue_vals );
if ( !c->rvalue_vals ) rc = 1;
break;
case BDB_LOCKD:
rc = 1;
if ( bdb->bi_lock_detect != DB_LOCK_DEFAULT ) {
int i;
for (i=0; !BER_BVISNULL(&bdb_lockd[i].word); i++) {
if ( bdb->bi_lock_detect == (u_int32_t)bdb_lockd[i].mask ) {
value_add_one( &c->rvalue_vals, &bdb_lockd[i].word );
rc = 0;
break;
}
}
}
break;
case BDB_SSTACK:
c->value_int = bdb->bi_search_stack_depth;
break;
case BDB_PGSIZE: {
struct bdb_db_pgsize *ps;
char buf[SLAP_TEXT_BUFLEN];
struct berval bv;
int rc = 1;
bv.bv_val = buf;
for ( ps = bdb->bi_pagesizes; ps; ps = ps->bdp_next ) {
bv.bv_len = sprintf( buf, "%s %d", ps->bdp_name.bv_val,
ps->bdp_size / 1024 );
value_add_one( &c->rvalue_vals, &bv );
rc = 0;
}
break;
}
}
return rc;
} else if ( c->op == LDAP_MOD_DELETE ) {
rc = 0;
switch( c->type ) {
case BDB_MODE:
#if 0
/* FIXME: does it make any sense to change the mode,
* if we don't exec a chmod()? */
bdb->bi_dbenv_mode = SLAPD_DEFAULT_DB_MODE;
break;
#endif
/* single-valued no-ops */
case BDB_LOCKD:
case BDB_SSTACK:
break;
case BDB_CHKPT:
if ( bdb->bi_txn_cp_task ) {
struct re_s *re = bdb->bi_txn_cp_task;
bdb->bi_txn_cp_task = NULL;
ldap_pvt_thread_mutex_lock( &slapd_rq.rq_mutex );
if ( ldap_pvt_runqueue_isrunning( &slapd_rq, re ) )
ldap_pvt_runqueue_stoptask( &slapd_rq, re );
ldap_pvt_runqueue_remove( &slapd_rq, re );
ldap_pvt_thread_mutex_unlock( &slapd_rq.rq_mutex );
}
bdb->bi_txn_cp = 0;
break;
case BDB_CONFIG:
if ( c->valx < 0 ) {
ber_bvarray_free( bdb->bi_db_config );
bdb->bi_db_config = NULL;
} else {
int i = c->valx;
ch_free( bdb->bi_db_config[i].bv_val );
for (; bdb->bi_db_config[i].bv_val; i++)
bdb->bi_db_config[i] = bdb->bi_db_config[i+1];
}
bdb->bi_flags |= BDB_UPD_CONFIG|BDB_RE_OPEN;
c->cleanup = bdb_cf_cleanup;
break;
/* Doesn't really make sense to change these on the fly;
* the entire DB must be dumped and reloaded
*/
case BDB_CRYPTFILE:
if ( bdb->bi_db_crypt_file ) {
ch_free( bdb->bi_db_crypt_file );
bdb->bi_db_crypt_file = NULL;
}
/* FALLTHRU */
case BDB_CRYPTKEY:
if ( !BER_BVISNULL( &bdb->bi_db_crypt_key )) {
ch_free( bdb->bi_db_crypt_key.bv_val );
BER_BVZERO( &bdb->bi_db_crypt_key );
}
break;
case BDB_DIRECTORY:
bdb->bi_flags |= BDB_RE_OPEN;
bdb->bi_flags ^= BDB_HAS_CONFIG;
ch_free( bdb->bi_dbenv_home );
bdb->bi_dbenv_home = NULL;
ch_free( bdb->bi_db_config_path );
bdb->bi_db_config_path = NULL;
c->cleanup = bdb_cf_cleanup;
ldap_pvt_thread_pool_purgekey( bdb->bi_dbenv );
break;
case BDB_NOSYNC:
bdb->bi_dbenv->set_flags( bdb->bi_dbenv, DB_TXN_NOSYNC, 0 );
break;
case BDB_CHECKSUM:
bdb->bi_flags &= ~BDB_CHKSUM;
break;
case BDB_INDEX:
if ( c->valx == -1 ) {
int i;
/* delete all (FIXME) */
for ( i = 0; i < bdb->bi_nattrs; i++ ) {
bdb->bi_attrs[i]->ai_indexmask |= BDB_INDEX_DELETING;
}
bdb->bi_flags |= BDB_DEL_INDEX;
c->cleanup = bdb_cf_cleanup;
} else {
struct berval bv, def = BER_BVC("default");
char *ptr;
for (ptr = c->line; !isspace( (unsigned char) *ptr ); ptr++);
bv.bv_val = c->line;
bv.bv_len = ptr - bv.bv_val;
if ( bvmatch( &bv, &def )) {
bdb->bi_defaultmask = 0;
} else {
int i;
char **attrs;
char sep;
sep = bv.bv_val[ bv.bv_len ];
bv.bv_val[ bv.bv_len ] = '\0';
attrs = ldap_str2charray( bv.bv_val, "," );
for ( i = 0; attrs[ i ]; i++ ) {
AttributeDescription *ad = NULL;
const char *text;
AttrInfo *ai;
slap_str2ad( attrs[ i ], &ad, &text );
/* if we got here... */
assert( ad != NULL );
ai = bdb_attr_mask( bdb, ad );
/* if we got here... */
assert( ai != NULL );
ai->ai_indexmask |= BDB_INDEX_DELETING;
bdb->bi_flags |= BDB_DEL_INDEX;
c->cleanup = bdb_cf_cleanup;
}
bv.bv_val[ bv.bv_len ] = sep;
ldap_charray_free( attrs );
}
}
break;
/* doesn't make sense on the fly; the DB file must be
* recreated
*/
case BDB_PGSIZE: {
struct bdb_db_pgsize *ps, **prev;
int i;
for ( i = 0, prev = &bdb->bi_pagesizes, ps = *prev; ps;
prev = &ps->bdp_next, ps = ps->bdp_next, i++ ) {
if ( c->valx == -1 || i == c->valx ) {
*prev = ps->bdp_next;
ch_free( ps );
ps = *prev;
if ( i == c->valx ) break;
}
}
}
break;
}
return rc;
}
switch( c->type ) {
case BDB_MODE:
if ( ASCII_DIGIT( c->argv[1][0] ) ) {
long mode;
char *next;
errno = 0;
mode = strtol( c->argv[1], &next, 0 );
if ( errno != 0 || next == c->argv[1] || next[0] != '\0' ) {
fprintf( stderr, "%s: "
"unable to parse mode=\"%s\".\n",
c->log, c->argv[1] );
return 1;
}
bdb->bi_dbenv_mode = mode;
} else {
char *m = c->argv[1];
int who, what, mode = 0;
if ( strlen( m ) != STRLENOF("-rwxrwxrwx") ) {
return 1;
}
if ( m[0] != '-' ) {
return 1;
}
m++;
for ( who = 0; who < 3; who++ ) {
for ( what = 0; what < 3; what++, m++ ) {
if ( m[0] == '-' ) {
continue;
} else if ( m[0] != "rwx"[what] ) {
return 1;
}
mode += ((1 << (2 - what)) << 3*(2 - who));
}
}
bdb->bi_dbenv_mode = mode;
}
break;
case BDB_CHKPT: {
long l;
bdb->bi_txn_cp = 1;
if ( lutil_atolx( &l, c->argv[1], 0 ) != 0 ) {
fprintf( stderr, "%s: "
"invalid kbyte \"%s\" in \"checkpoint\".\n",
c->log, c->argv[1] );
return 1;
}
bdb->bi_txn_cp_kbyte = l;
if ( lutil_atolx( &l, c->argv[2], 0 ) != 0 ) {
fprintf( stderr, "%s: "
"invalid minutes \"%s\" in \"checkpoint\".\n",
c->log, c->argv[2] );
return 1;
}
bdb->bi_txn_cp_min = l;
/* If we're in server mode and time-based checkpointing is enabled,
* submit a task to perform periodic checkpoints.
*/
if ((slapMode & SLAP_SERVER_MODE) && bdb->bi_txn_cp_min ) {
struct re_s *re = bdb->bi_txn_cp_task;
if ( re ) {
re->interval.tv_sec = bdb->bi_txn_cp_min * 60;
} else {
if ( c->be->be_suffix == NULL || BER_BVISNULL( &c->be->be_suffix[0] ) ) {
fprintf( stderr, "%s: "
"\"checkpoint\" must occur after \"suffix\".\n",
c->log );
return 1;
}
ldap_pvt_thread_mutex_lock( &slapd_rq.rq_mutex );
bdb->bi_txn_cp_task = ldap_pvt_runqueue_insert( &slapd_rq,
bdb->bi_txn_cp_min * 60, bdb_checkpoint, bdb,
LDAP_XSTRING(bdb_checkpoint), c->be->be_suffix[0].bv_val );
ldap_pvt_thread_mutex_unlock( &slapd_rq.rq_mutex );
}
}
} break;
case BDB_CONFIG: {
char *ptr = c->line;
struct berval bv;
if ( c->op == SLAP_CONFIG_ADD ) {
ptr += STRLENOF("dbconfig");
while (!isspace((unsigned char)*ptr)) ptr++;
while (isspace((unsigned char)*ptr)) ptr++;
}
if ( bdb->bi_flags & BDB_IS_OPEN ) {
bdb->bi_flags |= BDB_UPD_CONFIG|BDB_RE_OPEN;
c->cleanup = bdb_cf_cleanup;
} else {
/* If we're just starting up...
*/
FILE *f;
/* If a DB_CONFIG file exists, or we don't know the path
* to the DB_CONFIG file, ignore these directives
*/
if (( bdb->bi_flags & BDB_HAS_CONFIG ) || !bdb->bi_db_config_path )
break;
f = fopen( bdb->bi_db_config_path, "a" );
if ( f ) {
/* FIXME: EBCDIC probably needs special handling */
fprintf( f, "%s\n", ptr );
fclose( f );
}
}
ber_str2bv( ptr, 0, 1, &bv );
ber_bvarray_add( &bdb->bi_db_config, &bv );
}
break;
case BDB_CRYPTFILE:
rc = lutil_get_filed_password( c->value_string, &bdb->bi_db_crypt_key );
if ( rc == 0 ) {
bdb->bi_db_crypt_file = c->value_string;
}
break;
/* Cannot set key if file was already set */
case BDB_CRYPTKEY:
if ( bdb->bi_db_crypt_file ) {
rc = 1;
} else {
bdb->bi_db_crypt_key = c->value_bv;
}
break;
case BDB_DIRECTORY: {
FILE *f;
char *ptr, *testpath;
int len;
len = strlen( c->value_string );
testpath = ch_malloc( len + STRLENOF(LDAP_DIRSEP) + STRLENOF("DUMMY") + 1 );
ptr = lutil_strcopy( testpath, c->value_string );
*ptr++ = LDAP_DIRSEP[0];
strcpy( ptr, "DUMMY" );
f = fopen( testpath, "w" );
if ( f ) {
fclose( f );
unlink( testpath );
}
ch_free( testpath );
if ( !f ) {
snprintf( c->cr_msg, sizeof( c->cr_msg ), "%s: invalid path: %s",
c->log, strerror( errno ));
Debug( LDAP_DEBUG_ANY, "%s\n", c->cr_msg, 0, 0 );
return -1;
}
if ( bdb->bi_dbenv_home )
ch_free( bdb->bi_dbenv_home );
bdb->bi_dbenv_home = c->value_string;
/* See if a DB_CONFIG file already exists here */
if ( bdb->bi_db_config_path )
ch_free( bdb->bi_db_config_path );
bdb->bi_db_config_path = ch_malloc( len +
STRLENOF(LDAP_DIRSEP) + STRLENOF("DB_CONFIG") + 1 );
ptr = lutil_strcopy( bdb->bi_db_config_path, bdb->bi_dbenv_home );
*ptr++ = LDAP_DIRSEP[0];
strcpy( ptr, "DB_CONFIG" );
f = fopen( bdb->bi_db_config_path, "r" );
if ( f ) {
bdb->bi_flags |= BDB_HAS_CONFIG;
fclose(f);
}
}
break;
case BDB_NOSYNC:
if ( c->value_int )
bdb->bi_dbenv_xflags |= DB_TXN_NOSYNC;
else
bdb->bi_dbenv_xflags &= ~DB_TXN_NOSYNC;
if ( bdb->bi_flags & BDB_IS_OPEN ) {
bdb->bi_dbenv->set_flags( bdb->bi_dbenv, DB_TXN_NOSYNC,
c->value_int );
}
break;
case BDB_CHECKSUM:
if ( c->value_int )
bdb->bi_flags |= BDB_CHKSUM;
else
bdb->bi_flags &= ~BDB_CHKSUM;
break;
case BDB_INDEX:
rc = bdb_attr_index_config( bdb, c->fname, c->lineno,
c->argc - 1, &c->argv[1], &c->reply);
if( rc != LDAP_SUCCESS ) return 1;
if (( bdb->bi_flags & BDB_IS_OPEN ) && !bdb->bi_index_task ) {
/* Start the task as soon as we finish here. Set a long
* interval (10 hours) so that it only gets scheduled once.
*/
if ( c->be->be_suffix == NULL || BER_BVISNULL( &c->be->be_suffix[0] ) ) {
fprintf( stderr, "%s: "
"\"index\" must occur after \"suffix\".\n",
c->log );
return 1;
}
ldap_pvt_thread_mutex_lock( &slapd_rq.rq_mutex );
bdb->bi_index_task = ldap_pvt_runqueue_insert( &slapd_rq, 36000,
bdb_online_index, c->be,
LDAP_XSTRING(bdb_online_index), c->be->be_suffix[0].bv_val );
ldap_pvt_thread_mutex_unlock( &slapd_rq.rq_mutex );
}
break;
case BDB_LOCKD:
rc = verb_to_mask( c->argv[1], bdb_lockd );
if ( BER_BVISNULL(&bdb_lockd[rc].word) ) {
fprintf( stderr, "%s: "
"bad policy (%s) in \"lockDetect <policy>\" line\n",
c->log, c->argv[1] );
return 1;
}
bdb->bi_lock_detect = (u_int32_t)rc;
break;
case BDB_SSTACK:
if ( c->value_int < MINIMUM_SEARCH_STACK_DEPTH ) {
fprintf( stderr,
"%s: depth %d too small, using %d\n",
c->log, c->value_int, MINIMUM_SEARCH_STACK_DEPTH );
c->value_int = MINIMUM_SEARCH_STACK_DEPTH;
}
bdb->bi_search_stack_depth = c->value_int;
break;
case BDB_PGSIZE: {
struct bdb_db_pgsize *ps, **prev;
int i, s;
s = atoi(c->argv[2]);
if ( s < 1 || s > 64 ) {
snprintf( c->cr_msg, sizeof( c->cr_msg ),
"%s: size must be > 0 and <= 64: %d",
c->log, s );
Debug( LDAP_DEBUG_ANY, "%s\n", c->cr_msg, 0, 0 );
return -1;
}
i = strlen(c->argv[1]);
ps = ch_malloc( sizeof(struct bdb_db_pgsize) + i + 1 );
ps->bdp_next = NULL;
ps->bdp_name.bv_len = i;
ps->bdp_name.bv_val = (char *)(ps+1);
strcpy( ps->bdp_name.bv_val, c->argv[1] );
ps->bdp_size = s * 1024;
for ( prev = &bdb->bi_pagesizes; *prev; prev = &(*prev)->bdp_next )
;
*prev = ps;
}
break;
}
return 0;
}
/* Join two sets according to operator op and flags op_flags.
* op can be:
* '|' (or): the union between the two sets is returned,
* eliminating duplicates
* '&' (and): the intersection between the two sets
* is returned
* '+' (add): the inner product of the two sets is returned,
* namely a set containing the concatenation of
* all combinations of the two sets members,
* except for duplicates.
* The two sets are disposed of according to the flags as described
* for slap_set_dispose().
*/
BerVarray
slap_set_join(
SetCookie *cp,
BerVarray lset,
unsigned op_flags,
BerVarray rset )
{
BerVarray set;
long i, j, last, rlast;
unsigned op = ( op_flags & SLAP_SET_OPMASK );
set = NULL;
switch ( op ) {
case '|': /* union */
if ( lset == NULL || BER_BVISNULL( &lset[ 0 ] ) ) {
if ( rset == NULL ) {
if ( lset == NULL ) {
set = cp->set_op->o_tmpcalloc( 1,
sizeof( struct berval ),
cp->set_op->o_tmpmemctx );
BER_BVZERO( &set[ 0 ] );
goto done2;
}
set = set_dup( cp, lset, SLAP_SET_LREF2REF( op_flags ) );
goto done2;
}
slap_set_dispose( cp, lset, SLAP_SET_LREF2REF( op_flags ) );
set = set_dup( cp, rset, SLAP_SET_RREF2REF( op_flags ) );
goto done2;
}
if ( rset == NULL || BER_BVISNULL( &rset[ 0 ] ) ) {
slap_set_dispose( cp, rset, SLAP_SET_RREF2REF( op_flags ) );
set = set_dup( cp, lset, SLAP_SET_LREF2REF( op_flags ) );
goto done2;
}
/* worst scenario: no duplicates */
rlast = slap_set_size( rset );
i = slap_set_size( lset ) + rlast + 1;
set = cp->set_op->o_tmpcalloc( i, sizeof( struct berval ), cp->set_op->o_tmpmemctx );
if ( set != NULL ) {
/* set_chase() depends on this routine to
* keep the first elements of the result
* set the same (and in the same order)
* as the left-set.
*/
for ( i = 0; !BER_BVISNULL( &lset[ i ] ); i++ ) {
if ( op_flags & SLAP_SET_LREFVAL ) {
ber_dupbv_x( &set[ i ], &lset[ i ], cp->set_op->o_tmpmemctx );
} else {
set[ i ] = lset[ i ];
}
}
/* pointers to values have been used in set - don't free twice */
op_flags |= SLAP_SET_LREFVAL;
last = i;
for ( i = 0; !BER_BVISNULL( &rset[ i ] ); i++ ) {
int exists = 0;
for ( j = 0; !BER_BVISNULL( &set[ j ] ); j++ ) {
if ( bvmatch( &rset[ i ], &set[ j ] ) )
{
if ( !( op_flags & SLAP_SET_RREFVAL ) ) {
cp->set_op->o_tmpfree( rset[ i ].bv_val, cp->set_op->o_tmpmemctx );
rset[ i ] = rset[ --rlast ];
BER_BVZERO( &rset[ rlast ] );
i--;
}
exists = 1;
break;
}
}
if ( !exists ) {
if ( op_flags & SLAP_SET_RREFVAL ) {
ber_dupbv_x( &set[ last ], &rset[ i ], cp->set_op->o_tmpmemctx );
} else {
set[ last ] = rset[ i ];
}
last++;
}
}
/* pointers to values have been used in set - don't free twice */
op_flags |= SLAP_SET_RREFVAL;
BER_BVZERO( &set[ last ] );
}
break;
case '&': /* intersection */
if ( lset == NULL || BER_BVISNULL( &lset[ 0 ] )
|| rset == NULL || BER_BVISNULL( &rset[ 0 ] ) )
{
set = cp->set_op->o_tmpcalloc( 1, sizeof( struct berval ),
cp->set_op->o_tmpmemctx );
BER_BVZERO( &set[ 0 ] );
break;
} else {
long llen, rlen;
BerVarray sset;
llen = slap_set_size( lset );
rlen = slap_set_size( rset );
/* dup the shortest */
if ( llen < rlen ) {
last = llen;
set = set_dup( cp, lset, SLAP_SET_LREF2REF( op_flags ) );
lset = NULL;
sset = rset;
} else {
last = rlen;
set = set_dup( cp, rset, SLAP_SET_RREF2REF( op_flags ) );
rset = NULL;
sset = lset;
}
if ( set == NULL ) {
break;
}
for ( i = 0; !BER_BVISNULL( &set[ i ] ); i++ ) {
for ( j = 0; !BER_BVISNULL( &sset[ j ] ); j++ ) {
if ( bvmatch( &set[ i ], &sset[ j ] ) ) {
break;
}
}
if ( BER_BVISNULL( &sset[ j ] ) ) {
cp->set_op->o_tmpfree( set[ i ].bv_val, cp->set_op->o_tmpmemctx );
set[ i ] = set[ --last ];
BER_BVZERO( &set[ last ] );
i--;
}
}
}
break;
case '+': /* string concatenation */
i = slap_set_size( rset );
j = slap_set_size( lset );
/* handle empty set cases */
if ( i == 0 || j == 0 ) {
set = cp->set_op->o_tmpcalloc( 1, sizeof( struct berval ),
cp->set_op->o_tmpmemctx );
if ( set == NULL ) {
break;
}
BER_BVZERO( &set[ 0 ] );
break;
}
set = cp->set_op->o_tmpcalloc( i * j + 1, sizeof( struct berval ),
cp->set_op->o_tmpmemctx );
if ( set == NULL ) {
break;
}
for ( last = 0, i = 0; !BER_BVISNULL( &lset[ i ] ); i++ ) {
for ( j = 0; !BER_BVISNULL( &rset[ j ] ); j++ ) {
struct berval bv;
long k;
/* don't concatenate with the empty string */
if ( BER_BVISEMPTY( &lset[ i ] ) ) {
ber_dupbv_x( &bv, &rset[ j ], cp->set_op->o_tmpmemctx );
if ( bv.bv_val == NULL ) {
ber_bvarray_free_x( set, cp->set_op->o_tmpmemctx );
set = NULL;
goto done;
}
} else if ( BER_BVISEMPTY( &rset[ j ] ) ) {
ber_dupbv_x( &bv, &lset[ i ], cp->set_op->o_tmpmemctx );
if ( bv.bv_val == NULL ) {
ber_bvarray_free_x( set, cp->set_op->o_tmpmemctx );
set = NULL;
goto done;
}
} else {
bv.bv_len = lset[ i ].bv_len + rset[ j ].bv_len;
bv.bv_val = cp->set_op->o_tmpalloc( bv.bv_len + 1,
cp->set_op->o_tmpmemctx );
if ( bv.bv_val == NULL ) {
ber_bvarray_free_x( set, cp->set_op->o_tmpmemctx );
set = NULL;
goto done;
}
AC_MEMCPY( bv.bv_val, lset[ i ].bv_val, lset[ i ].bv_len );
AC_MEMCPY( &bv.bv_val[ lset[ i ].bv_len ], rset[ j ].bv_val, rset[ j ].bv_len );
bv.bv_val[ bv.bv_len ] = '\0';
}
for ( k = 0; k < last; k++ ) {
if ( bvmatch( &set[ k ], &bv ) ) {
cp->set_op->o_tmpfree( bv.bv_val, cp->set_op->o_tmpmemctx );
break;
}
}
if ( k == last ) {
set[ last++ ] = bv;
}
}
}
BER_BVZERO( &set[ last ] );
break;
default:
break;
}
done:;
if ( lset ) slap_set_dispose( cp, lset, SLAP_SET_LREF2REF( op_flags ) );
if ( rset ) slap_set_dispose( cp, rset, SLAP_SET_RREF2REF( op_flags ) );
done2:;
if ( LogTest( LDAP_DEBUG_ACL ) ) {
if ( BER_BVISNULL( set ) ) {
Debug( LDAP_DEBUG_ACL, " ACL set: empty\n", 0, 0, 0 );
} else {
for ( i = 0; !BER_BVISNULL( &set[ i ] ); i++ ) {
Debug( LDAP_DEBUG_ACL, " ACL set[%ld]=%s\n", i, set[i].bv_val, 0 );
}
}
}
return set;
}
static BerVarray
set_parents( SetCookie *cp, BerVarray set )
{
int i, j, last;
struct berval bv, pbv;
BerVarray nset, vals;
if ( set == NULL ) {
set = cp->set_op->o_tmpcalloc( 1, sizeof( struct berval ),
cp->set_op->o_tmpmemctx );
if ( set != NULL ) {
BER_BVZERO( &set[ 0 ] );
}
return set;
}
if ( BER_BVISNULL( &set[ 0 ] ) ) {
return set;
}
nset = cp->set_op->o_tmpcalloc( 1, sizeof( struct berval ), cp->set_op->o_tmpmemctx );
if ( nset == NULL ) {
ber_bvarray_free_x( set, cp->set_op->o_tmpmemctx );
return NULL;
}
BER_BVZERO( &nset[ 0 ] );
for ( i = 0; !BER_BVISNULL( &set[ i ] ); i++ ) {
int level = 1;
pbv = bv = set[ i ];
for ( ; !BER_BVISEMPTY( &pbv ); dnParent( &bv, &pbv ) ) {
level++;
bv = pbv;
}
vals = cp->set_op->o_tmpcalloc( level + 1, sizeof( struct berval ), cp->set_op->o_tmpmemctx );
if ( vals == NULL ) {
ber_bvarray_free_x( set, cp->set_op->o_tmpmemctx );
ber_bvarray_free_x( nset, cp->set_op->o_tmpmemctx );
return NULL;
}
BER_BVZERO( &vals[ 0 ] );
last = 0;
bv = set[ i ];
for ( j = 0 ; j < level ; j++ ) {
ber_dupbv_x( &vals[ last ], &bv, cp->set_op->o_tmpmemctx );
last++;
dnParent( &bv, &bv );
}
BER_BVZERO( &vals[ last ] );
nset = slap_set_join( cp, nset, '|', vals );
}
ber_bvarray_free_x( set, cp->set_op->o_tmpmemctx );
return nset;
}
int
bdb_delete( Operation *op, SlapReply *rs )
{
struct bdb_info *bdb = (struct bdb_info *) op->o_bd->be_private;
Entry *matched = NULL;
struct berval pdn = {0, NULL};
Entry *e = NULL;
Entry *p = NULL;
EntryInfo *ei = NULL, *eip = NULL;
int manageDSAit = get_manageDSAit( op );
AttributeDescription *children = slap_schema.si_ad_children;
AttributeDescription *entry = slap_schema.si_ad_entry;
DB_TXN *ltid = NULL, *lt2;
struct bdb_op_info opinfo = {{{ 0 }}};
ID eid;
DB_LOCK lock, plock;
int num_retries = 0;
int rc;
LDAPControl **preread_ctrl = NULL;
LDAPControl *ctrls[SLAP_MAX_RESPONSE_CONTROLS];
int num_ctrls = 0;
int parent_is_glue = 0;
int parent_is_leaf = 0;
#ifdef LDAP_X_TXN
int settle = 0;
#endif
Debug( LDAP_DEBUG_ARGS, "==> " LDAP_XSTRING(bdb_delete) ": %s\n",
op->o_req_dn.bv_val );
#ifdef LDAP_X_TXN
if( op->o_txnSpec ) {
/* acquire connection lock */
ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex );
if( op->o_conn->c_txn == CONN_TXN_INACTIVE ) {
rs->sr_text = "invalid transaction identifier";
rs->sr_err = LDAP_X_TXN_ID_INVALID;
goto txnReturn;
} else if( op->o_conn->c_txn == CONN_TXN_SETTLE ) {
settle=1;
goto txnReturn;
}
if( op->o_conn->c_txn_backend == NULL ) {
op->o_conn->c_txn_backend = op->o_bd;
} else if( op->o_conn->c_txn_backend != op->o_bd ) {
rs->sr_text = "transaction cannot span multiple database contexts";
rs->sr_err = LDAP_AFFECTS_MULTIPLE_DSAS;
goto txnReturn;
}
/* insert operation into transaction */
rs->sr_text = "transaction specified";
rs->sr_err = LDAP_X_TXN_SPECIFY_OKAY;
txnReturn:
/* release connection lock */
ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex );
if( !settle ) {
send_ldap_result( op, rs );
return rs->sr_err;
}
}
#endif
ctrls[num_ctrls] = 0;
/* allocate CSN */
if ( BER_BVISEMPTY( &op->o_csn ) ) {
struct berval csn;
char csnbuf[LDAP_PVT_CSNSTR_BUFSIZE];
csn.bv_val = csnbuf;
csn.bv_len = sizeof(csnbuf);
slap_get_csn( op, &csn );
}
if( 0 ) {
retry: /* transaction retry */
if( e != NULL ) {
bdb_unlocked_cache_return_entry_w(&bdb->bi_cache, e);
e = NULL;
}
if( p != NULL ) {
bdb_unlocked_cache_return_entry_r(&bdb->bi_cache, p);
p = NULL;
}
Debug( LDAP_DEBUG_TRACE,
"==> " LDAP_XSTRING(bdb_delete) ": retrying...\n" );
rs->sr_err = TXN_ABORT( ltid );
ltid = NULL;
LDAP_SLIST_REMOVE( &op->o_extra, &opinfo.boi_oe, OpExtra, oe_next );
opinfo.boi_oe.oe_key = NULL;
op->o_do_not_cache = opinfo.boi_acl_cache;
if( rs->sr_err != 0 ) {
rs->sr_err = LDAP_OTHER;
rs->sr_text = "internal error";
goto return_results;
}
if ( slap_get_op_abandon(op) ) {
rs->sr_err = SLAPD_ABANDON;
goto return_results;
}
parent_is_glue = 0;
parent_is_leaf = 0;
bdb_trans_backoff( ++num_retries );
}
/* begin transaction */
rs->sr_err = TXN_BEGIN( bdb->bi_dbenv, NULL, <id,
bdb->bi_db_opflags );
Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(bdb_delete) ": txn1 id: %x\n",
ltid->id(ltid) );
rs->sr_text = NULL;
if( rs->sr_err != 0 ) {
Debug( LDAP_DEBUG_TRACE,
LDAP_XSTRING(bdb_delete) ": txn_begin failed: "
"%s (%d)\n", db_strerror(rs->sr_err), rs->sr_err );
rs->sr_err = LDAP_OTHER;
rs->sr_text = "internal error";
goto return_results;
}
opinfo.boi_oe.oe_key = bdb;
opinfo.boi_txn = ltid;
opinfo.boi_err = 0;
opinfo.boi_acl_cache = op->o_do_not_cache;
LDAP_SLIST_INSERT_HEAD( &op->o_extra, &opinfo.boi_oe, oe_next );
if ( !be_issuffix( op->o_bd, &op->o_req_ndn ) ) {
dnParent( &op->o_req_ndn, &pdn );
}
/* get entry */
rs->sr_err = bdb_dn2entry( op, ltid, &op->o_req_ndn, &ei, 1,
&lock );
switch( rs->sr_err ) {
case 0:
case DB_NOTFOUND:
break;
case DB_LOCK_DEADLOCK:
case DB_LOCK_NOTGRANTED:
goto retry;
case LDAP_BUSY:
rs->sr_text = "ldap server busy";
goto return_results;
default:
rs->sr_err = LDAP_OTHER;
rs->sr_text = "internal error";
goto return_results;
}
if ( rs->sr_err == 0 ) {
e = ei->bei_e;
eip = ei->bei_parent;
} else {
matched = ei->bei_e;
}
/* FIXME : dn2entry() should return non-glue entry */
if ( e == NULL || ( !manageDSAit && is_entry_glue( e ))) {
Debug( LDAP_DEBUG_ARGS,
"<=- " LDAP_XSTRING(bdb_delete) ": no such object %s\n",
op->o_req_dn.bv_val);
if ( matched != NULL ) {
rs->sr_matched = ch_strdup( matched->e_dn );
rs->sr_ref = is_entry_referral( matched )
? get_entry_referrals( op, matched )
: NULL;
bdb_unlocked_cache_return_entry_r(&bdb->bi_cache, matched);
matched = NULL;
} else {
rs->sr_ref = referral_rewrite( default_referral, NULL,
&op->o_req_dn, LDAP_SCOPE_DEFAULT );
}
rs->sr_err = LDAP_REFERRAL;
rs->sr_flags = REP_MATCHED_MUSTBEFREED | REP_REF_MUSTBEFREED;
goto return_results;
}
rc = bdb_cache_find_id( op, ltid, eip->bei_id, &eip, 0, &plock );
switch( rc ) {
case DB_LOCK_DEADLOCK:
case DB_LOCK_NOTGRANTED:
goto retry;
case 0:
case DB_NOTFOUND:
break;
default:
rs->sr_err = LDAP_OTHER;
rs->sr_text = "internal error";
goto return_results;
}
if ( eip ) p = eip->bei_e;
if ( pdn.bv_len != 0 ) {
if( p == NULL || !bvmatch( &pdn, &p->e_nname )) {
Debug( LDAP_DEBUG_TRACE,
"<=- " LDAP_XSTRING(bdb_delete) ": parent "
"does not exist\n" );
rs->sr_err = LDAP_OTHER;
rs->sr_text = "could not locate parent of entry";
goto return_results;
}
/* check parent for "children" acl */
rs->sr_err = access_allowed( op, p,
children, NULL, ACL_WDEL, NULL );
if ( !rs->sr_err ) {
switch( opinfo.boi_err ) {
case DB_LOCK_DEADLOCK:
case DB_LOCK_NOTGRANTED:
goto retry;
}
Debug( LDAP_DEBUG_TRACE,
"<=- " LDAP_XSTRING(bdb_delete) ": no write "
"access to parent\n" );
rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
rs->sr_text = "no write access to parent";
goto return_results;
}
} else {
/* no parent, must be root to delete */
if( ! be_isroot( op ) ) {
if ( be_issuffix( op->o_bd, (struct berval *)&slap_empty_bv )
|| be_shadow_update( op ) ) {
p = (Entry *)&slap_entry_root;
/* check parent for "children" acl */
rs->sr_err = access_allowed( op, p,
children, NULL, ACL_WDEL, NULL );
p = NULL;
if ( !rs->sr_err ) {
switch( opinfo.boi_err ) {
case DB_LOCK_DEADLOCK:
case DB_LOCK_NOTGRANTED:
goto retry;
}
Debug( LDAP_DEBUG_TRACE,
"<=- " LDAP_XSTRING(bdb_delete)
": no access to parent\n" );
rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
rs->sr_text = "no write access to parent";
goto return_results;
}
} else {
Debug( LDAP_DEBUG_TRACE,
"<=- " LDAP_XSTRING(bdb_delete)
": no parent and not root\n" );
rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
goto return_results;
}
}
}
if ( get_assert( op ) &&
( test_filter( op, e, get_assertion( op )) != LDAP_COMPARE_TRUE ))
{
rs->sr_err = LDAP_ASSERTION_FAILED;
goto return_results;
}
rs->sr_err = access_allowed( op, e,
entry, NULL, ACL_WDEL, NULL );
if ( !rs->sr_err ) {
switch( opinfo.boi_err ) {
case DB_LOCK_DEADLOCK:
case DB_LOCK_NOTGRANTED:
goto retry;
}
Debug( LDAP_DEBUG_TRACE,
"<=- " LDAP_XSTRING(bdb_delete) ": no write access "
"to entry\n" );
rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
rs->sr_text = "no write access to entry";
goto return_results;
}
if ( !manageDSAit && is_entry_referral( e ) ) {
/* entry is a referral, don't allow delete */
rs->sr_ref = get_entry_referrals( op, e );
Debug( LDAP_DEBUG_TRACE,
LDAP_XSTRING(bdb_delete) ": entry is referral\n" );
rs->sr_err = LDAP_REFERRAL;
rs->sr_matched = ch_strdup( e->e_name.bv_val );
rs->sr_flags = REP_MATCHED_MUSTBEFREED | REP_REF_MUSTBEFREED;
goto return_results;
}
/* pre-read */
if( op->o_preread ) {
if( preread_ctrl == NULL ) {
preread_ctrl = &ctrls[num_ctrls++];
ctrls[num_ctrls] = NULL;
}
if( slap_read_controls( op, rs, e,
&slap_pre_read_bv, preread_ctrl ) )
{
Debug( LDAP_DEBUG_TRACE,
"<=- " LDAP_XSTRING(bdb_delete) ": pre-read "
"failed!\n" );
if ( op->o_preread & SLAP_CONTROL_CRITICAL ) {
/* FIXME: is it correct to abort
* operation if control fails? */
goto return_results;
}
}
}
/* nested transaction */
rs->sr_err = TXN_BEGIN( bdb->bi_dbenv, ltid, <2,
bdb->bi_db_opflags );
rs->sr_text = NULL;
if( rs->sr_err != 0 ) {
Debug( LDAP_DEBUG_TRACE,
LDAP_XSTRING(bdb_delete) ": txn_begin(2) failed: "
"%s (%d)\n", db_strerror(rs->sr_err), rs->sr_err );
rs->sr_err = LDAP_OTHER;
rs->sr_text = "internal error";
goto return_results;
}
Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(bdb_delete) ": txn2 id: %x\n",
lt2->id(lt2) );
BDB_LOG_PRINTF( bdb->bi_dbenv, lt2, "slapd Starting delete %s(%d)",
e->e_nname.bv_val, e->e_id );
/* Can't do it if we have kids */
rs->sr_err = bdb_cache_children( op, lt2, e );
if( rs->sr_err != DB_NOTFOUND ) {
switch( rs->sr_err ) {
case DB_LOCK_DEADLOCK:
case DB_LOCK_NOTGRANTED:
goto retry;
case 0:
Debug(LDAP_DEBUG_ARGS,
"<=- " LDAP_XSTRING(bdb_delete)
": non-leaf %s\n",
op->o_req_dn.bv_val);
rs->sr_err = LDAP_NOT_ALLOWED_ON_NONLEAF;
rs->sr_text = "subordinate objects must be deleted first";
break;
default:
Debug(LDAP_DEBUG_ARGS,
"<=- " LDAP_XSTRING(bdb_delete)
": has_children failed: %s (%d)\n",
db_strerror(rs->sr_err), rs->sr_err );
rs->sr_err = LDAP_OTHER;
rs->sr_text = "internal error";
}
goto return_results;
}
/* delete from dn2id */
rs->sr_err = bdb_dn2id_delete( op, lt2, eip, e );
if ( rs->sr_err != 0 ) {
Debug(LDAP_DEBUG_TRACE,
"<=- " LDAP_XSTRING(bdb_delete) ": dn2id failed: "
"%s (%d)\n", db_strerror(rs->sr_err), rs->sr_err );
switch( rs->sr_err ) {
case DB_LOCK_DEADLOCK:
case DB_LOCK_NOTGRANTED:
goto retry;
}
rs->sr_text = "DN index delete failed";
rs->sr_err = LDAP_OTHER;
goto return_results;
}
/* delete indices for old attributes */
rs->sr_err = bdb_index_entry_del( op, lt2, e );
if ( rs->sr_err != LDAP_SUCCESS ) {
Debug(LDAP_DEBUG_TRACE,
"<=- " LDAP_XSTRING(bdb_delete) ": index failed: "
"%s (%d)\n", db_strerror(rs->sr_err), rs->sr_err );
switch( rs->sr_err ) {
case DB_LOCK_DEADLOCK:
case DB_LOCK_NOTGRANTED:
goto retry;
}
rs->sr_text = "entry index delete failed";
rs->sr_err = LDAP_OTHER;
goto return_results;
}
/* fixup delete CSN */
if ( !SLAP_SHADOW( op->o_bd )) {
struct berval vals[2];
assert( !BER_BVISEMPTY( &op->o_csn ) );
vals[0] = op->o_csn;
BER_BVZERO( &vals[1] );
rs->sr_err = bdb_index_values( op, lt2, slap_schema.si_ad_entryCSN,
vals, 0, SLAP_INDEX_ADD_OP );
if ( rs->sr_err != LDAP_SUCCESS ) {
switch( rs->sr_err ) {
case DB_LOCK_DEADLOCK:
case DB_LOCK_NOTGRANTED:
goto retry;
}
rs->sr_text = "entryCSN index update failed";
rs->sr_err = LDAP_OTHER;
goto return_results;
}
}
/* delete from id2entry */
rs->sr_err = bdb_id2entry_delete( op->o_bd, lt2, e );
if ( rs->sr_err != 0 ) {
Debug( LDAP_DEBUG_TRACE,
"<=- " LDAP_XSTRING(bdb_delete) ": id2entry failed: "
"%s (%d)\n", db_strerror(rs->sr_err), rs->sr_err );
switch( rs->sr_err ) {
case DB_LOCK_DEADLOCK:
case DB_LOCK_NOTGRANTED:
goto retry;
}
rs->sr_text = "entry delete failed";
rs->sr_err = LDAP_OTHER;
goto return_results;
}
if ( pdn.bv_len != 0 ) {
parent_is_glue = is_entry_glue(p);
rs->sr_err = bdb_cache_children( op, lt2, p );
if ( rs->sr_err != DB_NOTFOUND ) {
switch( rs->sr_err ) {
case DB_LOCK_DEADLOCK:
case DB_LOCK_NOTGRANTED:
goto retry;
case 0:
break;
default:
Debug(LDAP_DEBUG_ARGS,
"<=- " LDAP_XSTRING(bdb_delete)
": has_children failed: %s (%d)\n",
db_strerror(rs->sr_err), rs->sr_err );
rs->sr_err = LDAP_OTHER;
rs->sr_text = "internal error";
goto return_results;
}
parent_is_leaf = 1;
}
bdb_unlocked_cache_return_entry_r(&bdb->bi_cache, p);
p = NULL;
}
BDB_LOG_PRINTF( bdb->bi_dbenv, lt2, "slapd Commit1 delete %s(%d)",
e->e_nname.bv_val, e->e_id );
if ( TXN_COMMIT( lt2, 0 ) != 0 ) {
rs->sr_err = LDAP_OTHER;
rs->sr_text = "txn_commit(2) failed";
goto return_results;
}
eid = e->e_id;
#if 0 /* Do we want to reclaim deleted IDs? */
ldap_pvt_thread_mutex_lock( &bdb->bi_lastid_mutex );
if ( e->e_id == bdb->bi_lastid ) {
bdb_last_id( op->o_bd, ltid );
}
ldap_pvt_thread_mutex_unlock( &bdb->bi_lastid_mutex );
#endif
if( op->o_noop ) {
if ( ( rs->sr_err = TXN_ABORT( ltid ) ) != 0 ) {
rs->sr_text = "txn_abort (no-op) failed";
} else {
rs->sr_err = LDAP_X_NO_OPERATION;
ltid = NULL;
goto return_results;
}
} else {
BDB_LOG_PRINTF( bdb->bi_dbenv, ltid, "slapd Cache delete %s(%d)",
e->e_nname.bv_val, e->e_id );
rc = bdb_cache_delete( bdb, e, ltid, &lock );
switch( rc ) {
case DB_LOCK_DEADLOCK:
case DB_LOCK_NOTGRANTED:
goto retry;
}
rs->sr_err = TXN_COMMIT( ltid, 0 );
}
ltid = NULL;
LDAP_SLIST_REMOVE( &op->o_extra, &opinfo.boi_oe, OpExtra, oe_next );
opinfo.boi_oe.oe_key = NULL;
BDB_LOG_PRINTF( bdb->bi_dbenv, NULL, "slapd Committed delete %s(%d)",
e->e_nname.bv_val, e->e_id );
if( rs->sr_err != 0 ) {
Debug( LDAP_DEBUG_TRACE,
LDAP_XSTRING(bdb_delete) ": txn_%s failed: %s (%d)\n",
op->o_noop ? "abort (no-op)" : "commit",
db_strerror(rs->sr_err), rs->sr_err );
rs->sr_err = LDAP_OTHER;
rs->sr_text = "commit failed";
goto return_results;
}
Debug( LDAP_DEBUG_TRACE,
LDAP_XSTRING(bdb_delete) ": deleted%s id=%08lx dn=\"%s\"\n",
op->o_noop ? " (no-op)" : "",
eid, op->o_req_dn.bv_val );
rs->sr_err = LDAP_SUCCESS;
rs->sr_text = NULL;
if( num_ctrls ) rs->sr_ctrls = ctrls;
return_results:
if ( rs->sr_err == LDAP_SUCCESS && parent_is_glue && parent_is_leaf ) {
op->o_delete_glue_parent = 1;
}
if ( p )
bdb_unlocked_cache_return_entry_r(&bdb->bi_cache, p);
/* free entry */
if( e != NULL ) {
if ( rs->sr_err == LDAP_SUCCESS ) {
/* Free the EntryInfo and the Entry */
bdb_cache_entryinfo_lock( BEI(e) );
bdb_cache_delete_cleanup( &bdb->bi_cache, BEI(e) );
} else {
bdb_unlocked_cache_return_entry_w(&bdb->bi_cache, e);
}
}
if( ltid != NULL ) {
TXN_ABORT( ltid );
}
if ( opinfo.boi_oe.oe_key ) {
LDAP_SLIST_REMOVE( &op->o_extra, &opinfo.boi_oe, OpExtra, oe_next );
}
send_ldap_result( op, rs );
rs_send_cleanup( rs );
slap_graduate_commit_csn( op );
if( preread_ctrl != NULL && (*preread_ctrl) != NULL ) {
slap_sl_free( (*preread_ctrl)->ldctl_value.bv_val, op->o_tmpmemctx );
slap_sl_free( *preread_ctrl, op->o_tmpmemctx );
}
if( rs->sr_err == LDAP_SUCCESS && bdb->bi_txn_cp_kbyte ) {
TXN_CHECKPOINT( bdb->bi_dbenv,
bdb->bi_txn_cp_kbyte, bdb->bi_txn_cp_min, 0 );
}
return rs->sr_err;
}
static int
pblock_set( Slapi_PBlock *pb, int param, void *value )
{
int rc = PBLOCK_SUCCESS;
pblock_lock( pb );
switch ( param ) {
case SLAPI_OPERATION:
pb->pb_op = (Operation *)value;
break;
case SLAPI_OPINITIATED_TIME:
PBLOCK_ASSERT_OP( pb, 0 );
pb->pb_op->o_time = *((long *)value);
break;
case SLAPI_OPERATION_ID:
PBLOCK_ASSERT_OP( pb, 0 );
pb->pb_op->o_opid = *((long *)value);
break;
case SLAPI_OPERATION_TYPE:
PBLOCK_ASSERT_OP( pb, 0 );
pb->pb_op->o_tag = *((ber_tag_t *)value);
break;
case SLAPI_OPERATION_MSGID:
PBLOCK_ASSERT_OP( pb, 0 );
pb->pb_op->o_msgid = *((long *)value);
break;
case SLAPI_X_OPERATION_DELETE_GLUE_PARENT:
PBLOCK_ASSERT_OP( pb, 0 );
pb->pb_op->o_delete_glue_parent = *((int *)value);
break;
case SLAPI_X_OPERATION_NO_SCHEMA_CHECK:
PBLOCK_ASSERT_OP( pb, 0 );
pb->pb_op->o_no_schema_check = *((int *)value);
break;
case SLAPI_X_OPERATION_NO_SUBORDINATE_GLUE:
PBLOCK_ASSERT_OP( pb, 0 );
pb->pb_op->o_no_subordinate_glue = *((int *)value);
break;
case SLAPI_REQCONTROLS:
PBLOCK_ASSERT_OP( pb, 0 );
pb->pb_op->o_ctrls = (LDAPControl **)value;
break;
case SLAPI_RESCONTROLS: {
LDAPControl **ctrls = NULL;
pblock_get_default( pb, param, (void **)&ctrls );
if ( ctrls != NULL ) {
/* free old ones first */
ldap_controls_free( ctrls );
}
rc = pblock_set_default( pb, param, value );
break;
}
case SLAPI_ADD_RESCONTROL:
PBLOCK_ASSERT_OP( pb, 0 );
rc = pblock_add_control( pb, (LDAPControl *)value );
break;
case SLAPI_REQUESTOR_DN:
PBLOCK_ASSERT_OP( pb, 0 );
rc = pblock_set_dn( value, &pb->pb_op->o_dn, &pb->pb_op->o_ndn, pb->pb_op->o_tmpmemctx );
break;
case SLAPI_MANAGEDSAIT:
PBLOCK_ASSERT_OP( pb, 0 );
pb->pb_op->o_managedsait = *((int *)value);
break;
case SLAPI_X_RELAX:
PBLOCK_ASSERT_OP( pb, 0 );
pb->pb_op->o_relax = *((int *)value);
break;
case SLAPI_BACKEND:
PBLOCK_ASSERT_OP( pb, 0 );
pb->pb_op->o_bd = (BackendDB *)value;
break;
case SLAPI_CONNECTION:
pb->pb_conn = (Connection *)value;
break;
case SLAPI_X_CONN_SSF:
PBLOCK_ASSERT_CONN( pb );
PBLOCK_LOCK_CONN( pb );
pb->pb_conn->c_ssf = (slap_ssf_t)(long)value;
PBLOCK_UNLOCK_CONN( pb );
break;
case SLAPI_X_CONN_SASL_CONTEXT:
PBLOCK_ASSERT_CONN( pb );
PBLOCK_LOCK_CONN( pb );
pb->pb_conn->c_sasl_authctx = value;
PBLOCK_UNLOCK_CONN( pb );
break;
case SLAPI_TARGET_DN:
PBLOCK_ASSERT_OP( pb, 0 );
rc = pblock_set_dn( value, &pb->pb_op->o_req_dn, &pb->pb_op->o_req_ndn, pb->pb_op->o_tmpmemctx );
break;
case SLAPI_CONN_ID:
PBLOCK_ASSERT_CONN( pb );
PBLOCK_LOCK_CONN( pb );
pb->pb_conn->c_connid = *((long *)value);
PBLOCK_UNLOCK_CONN( pb );
break;
case SLAPI_CONN_DN:
PBLOCK_ASSERT_CONN( pb );
PBLOCK_LOCK_CONN( pb );
rc = pblock_set_dn( value, &pb->pb_conn->c_dn, &pb->pb_conn->c_ndn, NULL );
PBLOCK_UNLOCK_CONN( pb );
break;
case SLAPI_RESULT_CODE:
case SLAPI_PLUGIN_INTOP_RESULT:
PBLOCK_ASSERT_OP( pb, 0 );
pb->pb_rs->sr_err = *((int *)value);
break;
case SLAPI_RESULT_TEXT:
PBLOCK_ASSERT_OP( pb, 0 );
snprintf( pb->pb_textbuf, sizeof( pb->pb_textbuf ), "%s", (char *)value );
pb->pb_rs->sr_text = pb->pb_textbuf;
break;
case SLAPI_RESULT_MATCHED:
PBLOCK_ASSERT_OP( pb, 0 );
pb->pb_rs->sr_matched = (char *)value; /* XXX should dup? */
break;
case SLAPI_ADD_ENTRY:
PBLOCK_ASSERT_OP( pb, 0 );
if ( pb->pb_op->o_tag == LDAP_REQ_ADD )
pb->pb_op->ora_e = (Slapi_Entry *)value;
else
rc = PBLOCK_ERROR;
break;
case SLAPI_MODIFY_MODS: {
Modifications **mlp;
Modifications *newmods;
PBLOCK_ASSERT_OP( pb, 0 );
rc = pblock_set_default( pb, param, value );
if ( rc != PBLOCK_SUCCESS ) {
break;
}
if ( pb->pb_op->o_tag == LDAP_REQ_MODIFY ) {
mlp = &pb->pb_op->orm_modlist;
} else if ( pb->pb_op->o_tag == LDAP_REQ_ADD ) {
mlp = &pb->pb_op->ora_modlist;
} else if ( pb->pb_op->o_tag == LDAP_REQ_MODRDN ) {
mlp = &pb->pb_op->orr_modlist;
} else {
break;
}
newmods = slapi_int_ldapmods2modifications( pb->pb_op, (LDAPMod **)value );
if ( newmods != NULL ) {
slap_mods_free( *mlp, 1 );
*mlp = newmods;
}
break;
}
case SLAPI_MODRDN_NEWRDN:
PBLOCK_ASSERT_OP( pb, 0 );
PBLOCK_VALIDATE_IS_INTOP( pb );
if ( pb->pb_op->o_tag == LDAP_REQ_MODRDN ) {
rc = pblock_set_dn( value, &pb->pb_op->orr_newrdn, &pb->pb_op->orr_nnewrdn, pb->pb_op->o_tmpmemctx );
if ( rc == LDAP_SUCCESS )
rc = rdn_validate( &pb->pb_op->orr_nnewrdn );
} else {
rc = PBLOCK_ERROR;
}
break;
case SLAPI_MODRDN_NEWSUPERIOR:
PBLOCK_ASSERT_OP( pb, 0 );
PBLOCK_VALIDATE_IS_INTOP( pb );
if ( pb->pb_op->o_tag == LDAP_REQ_MODRDN ) {
if ( value == NULL ) {
if ( pb->pb_op->orr_newSup != NULL ) {
pb->pb_op->o_tmpfree( pb->pb_op->orr_newSup, pb->pb_op->o_tmpmemctx );
BER_BVZERO( pb->pb_op->orr_newSup );
pb->pb_op->orr_newSup = NULL;
}
if ( pb->pb_op->orr_newSup != NULL ) {
pb->pb_op->o_tmpfree( pb->pb_op->orr_nnewSup, pb->pb_op->o_tmpmemctx );
BER_BVZERO( pb->pb_op->orr_nnewSup );
pb->pb_op->orr_nnewSup = NULL;
}
} else {
if ( pb->pb_op->orr_newSup == NULL ) {
pb->pb_op->orr_newSup = (struct berval *)pb->pb_op->o_tmpalloc(
sizeof(struct berval), pb->pb_op->o_tmpmemctx );
BER_BVZERO( pb->pb_op->orr_newSup );
}
if ( pb->pb_op->orr_nnewSup == NULL ) {
pb->pb_op->orr_nnewSup = (struct berval *)pb->pb_op->o_tmpalloc(
sizeof(struct berval), pb->pb_op->o_tmpmemctx );
BER_BVZERO( pb->pb_op->orr_nnewSup );
}
rc = pblock_set_dn( value, pb->pb_op->orr_newSup, pb->pb_op->orr_nnewSup, pb->pb_op->o_tmpmemctx );
}
} else {
rc = PBLOCK_ERROR;
}
break;
case SLAPI_MODRDN_DELOLDRDN:
PBLOCK_ASSERT_OP( pb, 0 );
PBLOCK_VALIDATE_IS_INTOP( pb );
if ( pb->pb_op->o_tag == LDAP_REQ_MODRDN )
pb->pb_op->orr_deleteoldrdn = *((int *)value);
else
rc = PBLOCK_ERROR;
break;
case SLAPI_SEARCH_SCOPE: {
int scope = *((int *)value);
PBLOCK_ASSERT_OP( pb, 0 );
if ( pb->pb_op->o_tag == LDAP_REQ_SEARCH ) {
switch ( *((int *)value) ) {
case LDAP_SCOPE_BASE:
case LDAP_SCOPE_ONELEVEL:
case LDAP_SCOPE_SUBTREE:
case LDAP_SCOPE_SUBORDINATE:
pb->pb_op->ors_scope = scope;
break;
default:
rc = PBLOCK_ERROR;
break;
}
} else {
rc = PBLOCK_ERROR;
}
break;
}
case SLAPI_SEARCH_DEREF:
PBLOCK_ASSERT_OP( pb, 0 );
if ( pb->pb_op->o_tag == LDAP_REQ_SEARCH )
pb->pb_op->ors_deref = *((int *)value);
else
rc = PBLOCK_ERROR;
break;
case SLAPI_SEARCH_SIZELIMIT:
PBLOCK_ASSERT_OP( pb, 0 );
if ( pb->pb_op->o_tag == LDAP_REQ_SEARCH )
pb->pb_op->ors_slimit = *((int *)value);
else
rc = PBLOCK_ERROR;
break;
case SLAPI_SEARCH_TIMELIMIT:
PBLOCK_ASSERT_OP( pb, 0 );
if ( pb->pb_op->o_tag == LDAP_REQ_SEARCH )
pb->pb_op->ors_tlimit = *((int *)value);
else
rc = PBLOCK_ERROR;
break;
case SLAPI_SEARCH_FILTER:
PBLOCK_ASSERT_OP( pb, 0 );
if ( pb->pb_op->o_tag == LDAP_REQ_SEARCH )
pb->pb_op->ors_filter = (Slapi_Filter *)value;
else
rc = PBLOCK_ERROR;
break;
case SLAPI_SEARCH_STRFILTER:
PBLOCK_ASSERT_OP( pb, 0 );
if ( pb->pb_op->o_tag == LDAP_REQ_SEARCH ) {
pb->pb_op->ors_filterstr.bv_val = (char *)value;
pb->pb_op->ors_filterstr.bv_len = strlen((char *)value);
} else {
rc = PBLOCK_ERROR;
}
break;
case SLAPI_SEARCH_ATTRS: {
AttributeName *an = NULL;
size_t i = 0, j = 0;
char **attrs = (char **)value;
PBLOCK_ASSERT_OP( pb, 0 );
PBLOCK_VALIDATE_IS_INTOP( pb );
if ( pb->pb_op->o_tag != LDAP_REQ_SEARCH ) {
rc = PBLOCK_ERROR;
break;
}
/* also set mapped attrs */
rc = pblock_set_default( pb, param, value );
if ( rc != PBLOCK_SUCCESS ) {
break;
}
if ( pb->pb_op->ors_attrs != NULL ) {
pb->pb_op->o_tmpfree( pb->pb_op->ors_attrs, pb->pb_op->o_tmpmemctx );
pb->pb_op->ors_attrs = NULL;
}
if ( attrs != NULL ) {
for ( i = 0; attrs[i] != NULL; i++ )
;
}
if ( i ) {
an = (AttributeName *)pb->pb_op->o_tmpcalloc( i + 1,
sizeof(AttributeName), pb->pb_op->o_tmpmemctx );
for ( i = 0; attrs[i] != NULL; i++ ) {
an[j].an_desc = NULL;
an[j].an_oc = NULL;
an[j].an_oc_exclude = 0;
an[j].an_name.bv_val = attrs[i];
an[j].an_name.bv_len = strlen( attrs[i] );
if ( slap_bv2ad( &an[j].an_name, &an[j].an_desc, &pb->pb_rs->sr_text ) == LDAP_SUCCESS ) {
j++;
}
}
an[j].an_name.bv_val = NULL;
an[j].an_name.bv_len = 0;
}
pb->pb_op->ors_attrs = an;
break;
}
case SLAPI_SEARCH_ATTRSONLY:
PBLOCK_ASSERT_OP( pb, 0 );
PBLOCK_VALIDATE_IS_INTOP( pb );
if ( pb->pb_op->o_tag == LDAP_REQ_SEARCH )
pb->pb_op->ors_attrsonly = *((int *)value);
else
rc = PBLOCK_ERROR;
break;
case SLAPI_SEARCH_RESULT_ENTRY:
PBLOCK_ASSERT_OP( pb, 0 );
if ( pb->pb_rs->sr_flags & REP_ENTRY_MUSTBEFREED ) {
entry_free( pb->pb_rs->sr_entry );
} else if ( pb->pb_rs->sr_flags & REP_ENTRY_MUSTRELEASE ) {
be_entry_release_r( pb->pb_op, pb->pb_rs->sr_entry );
pb->pb_rs->sr_flags ^= REP_ENTRY_MUSTRELEASE;
}
pb->pb_rs->sr_entry = (Slapi_Entry *)value;
pb->pb_rs->sr_flags |= REP_ENTRY_MUSTBEFREED;
break;
case SLAPI_BIND_RET_SASLCREDS:
PBLOCK_ASSERT_OP( pb, 0 );
pb->pb_rs->sr_sasldata = (struct berval *)value;
break;
case SLAPI_EXT_OP_REQ_OID:
PBLOCK_ASSERT_OP( pb, 0 );
PBLOCK_VALIDATE_IS_INTOP( pb );
if ( pb->pb_op->o_tag == LDAP_REQ_EXTENDED ) {
pb->pb_op->ore_reqoid.bv_val = (char *)value;
pb->pb_op->ore_reqoid.bv_len = strlen((char *)value);
} else {
rc = PBLOCK_ERROR;
}
break;
case SLAPI_EXT_OP_REQ_VALUE:
PBLOCK_ASSERT_OP( pb, 0 );
PBLOCK_VALIDATE_IS_INTOP( pb );
if ( pb->pb_op->o_tag == LDAP_REQ_EXTENDED )
pb->pb_op->ore_reqdata = (struct berval *)value;
else
rc = PBLOCK_ERROR;
break;
case SLAPI_EXT_OP_RET_OID:
PBLOCK_ASSERT_OP( pb, 0 );
pb->pb_rs->sr_rspoid = (char *)value;
break;
case SLAPI_EXT_OP_RET_VALUE:
PBLOCK_ASSERT_OP( pb, 0 );
pb->pb_rs->sr_rspdata = (struct berval *)value;
break;
case SLAPI_BIND_METHOD:
PBLOCK_ASSERT_OP( pb, 0 );
PBLOCK_VALIDATE_IS_INTOP( pb );
if ( pb->pb_op->o_tag == LDAP_REQ_BIND )
pb->pb_op->orb_method = *((int *)value);
else
rc = PBLOCK_ERROR;
break;
case SLAPI_BIND_CREDENTIALS:
PBLOCK_ASSERT_OP( pb, 0 );
PBLOCK_VALIDATE_IS_INTOP( pb );
if ( pb->pb_op->o_tag == LDAP_REQ_BIND )
pb->pb_op->orb_cred = *((struct berval *)value);
else
rc = PBLOCK_ERROR;
break;
case SLAPI_COMPARE_TYPE:
PBLOCK_ASSERT_OP( pb, 0 );
PBLOCK_VALIDATE_IS_INTOP( pb );
if ( pb->pb_op->o_tag == LDAP_REQ_COMPARE ) {
const char *text;
pb->pb_op->orc_ava->aa_desc = NULL;
rc = slap_str2ad( (char *)value, &pb->pb_op->orc_ava->aa_desc, &text );
} else {
rc = PBLOCK_ERROR;
}
break;
case SLAPI_COMPARE_VALUE:
PBLOCK_ASSERT_OP( pb, 0 );
PBLOCK_VALIDATE_IS_INTOP( pb );
if ( pb->pb_op->o_tag == LDAP_REQ_COMPARE )
pb->pb_op->orc_ava->aa_value = *((struct berval *)value);
else
rc = PBLOCK_ERROR;
break;
case SLAPI_ABANDON_MSGID:
PBLOCK_ASSERT_OP( pb, 0 );
PBLOCK_VALIDATE_IS_INTOP( pb );
if ( pb->pb_op->o_tag == LDAP_REQ_ABANDON)
pb->pb_op->orn_msgid = *((int *)value);
else
rc = PBLOCK_ERROR;
break;
case SLAPI_REQUESTOR_ISROOT:
case SLAPI_IS_REPLICATED_OPERATION:
case SLAPI_CONN_AUTHTYPE:
case SLAPI_CONN_AUTHMETHOD:
case SLAPI_IS_INTERNAL_OPERATION:
case SLAPI_X_CONN_IS_UDP:
case SLAPI_CONN_CLIENTIP:
case SLAPI_X_CONN_CLIENTPATH:
case SLAPI_CONN_SERVERIP:
case SLAPI_X_CONN_SERVERPATH:
case SLAPI_X_ADD_STRUCTURAL_CLASS:
/* These parameters cannot be set */
rc = PBLOCK_ERROR;
break;
default:
rc = pblock_set_default( pb, param, value );
break;
}
pblock_unlock( pb );
return rc;
}
void
slap_op_free( Operation *op, void *ctx )
{
OperationBuffer *opbuf;
assert( LDAP_STAILQ_NEXT(op, o_next) == NULL );
if ( op->o_ber != NULL ) {
ber_free( op->o_ber, 1 );
}
if ( !BER_BVISNULL( &op->o_dn ) ) {
ch_free( op->o_dn.bv_val );
}
if ( !BER_BVISNULL( &op->o_ndn ) ) {
ch_free( op->o_ndn.bv_val );
}
if ( !BER_BVISNULL( &op->o_authmech ) ) {
ch_free( op->o_authmech.bv_val );
}
if ( op->o_ctrls != NULL ) {
slap_free_ctrls( op, op->o_ctrls );
}
#ifdef LDAP_CONNECTIONLESS
if ( op->o_res_ber != NULL ) {
ber_free( op->o_res_ber, 1 );
}
#endif
if ( op->o_groups ) {
slap_op_groups_free( op );
}
#if defined( LDAP_SLAPI )
if ( slapi_plugins_used ) {
slapi_int_free_object_extensions( SLAPI_X_EXT_OPERATION, op );
}
#endif /* defined( LDAP_SLAPI ) */
if ( !BER_BVISNULL( &op->o_csn ) ) {
op->o_tmpfree( op->o_csn.bv_val, op->o_tmpmemctx );
BER_BVZERO( &op->o_csn );
}
if ( op->o_pagedresults_state != NULL ) {
op->o_tmpfree( op->o_pagedresults_state, op->o_tmpmemctx );
op->o_pagedresults_state = NULL;
}
opbuf = (OperationBuffer *) op;
memset( opbuf, 0, sizeof(*opbuf) );
op->o_hdr = &opbuf->ob_hdr;
op->o_controls = opbuf->ob_controls;
if ( ctx ) {
void *op2 = NULL;
ldap_pvt_thread_pool_setkey( ctx, (void *)slap_op_free,
op, slap_op_q_destroy, &op2, NULL );
LDAP_STAILQ_NEXT( op, o_next ) = op2;
} else {
ber_memfree_x( op, NULL );
}
}
/*
* asyncmeta_back_single_dobind
*/
int
asyncmeta_back_single_dobind(
Operation *op,
SlapReply *rs,
a_metaconn_t **mcp,
int candidate,
ldap_back_send_t sendok,
int nretries,
int dolock )
{
a_metaconn_t *mc = *mcp;
a_metainfo_t *mi = mc->mc_info;
a_metatarget_t *mt = mi->mi_targets[ candidate ];
a_metasingleconn_t *msc = &mc->mc_conns[ candidate ];
int msgid;
assert( !LDAP_BACK_CONN_ISBOUND( msc ) );
if ( op->o_conn != NULL &&
!op->o_do_not_cache &&
( BER_BVISNULL( &msc->msc_bound_ndn ) ||
BER_BVISEMPTY( &msc->msc_bound_ndn ) ||
( LDAP_BACK_CONN_ISPRIV( mc ) && dn_match( &msc->msc_bound_ndn, &mt->mt_idassert_authcDN ) ) ||
( mt->mt_idassert_flags & LDAP_BACK_AUTH_OVERRIDE ) ) )
{
(void)asyncmeta_proxy_authz_bind( mc, candidate, op, rs, sendok, dolock );
} else {
char *binddn = "";
struct berval cred = BER_BVC( "" );
/* use credentials if available */
if ( !BER_BVISNULL( &msc->msc_bound_ndn )
&& !BER_BVISNULL( &msc->msc_cred ) )
{
binddn = msc->msc_bound_ndn.bv_val;
cred = msc->msc_cred;
}
for (;;) {
rs->sr_err = ldap_sasl_bind( msc->msc_ld,
binddn, LDAP_SASL_SIMPLE, &cred,
NULL, NULL, &msgid );
if ( rs->sr_err != LDAP_X_CONNECTING ) {
break;
}
ldap_pvt_thread_yield();
}
rs->sr_err = asyncmeta_bind_op_result( op, rs, mc, candidate, msgid, sendok, dolock );
/* if bind succeeded, but anonymous, clear msc_bound_ndn */
if ( rs->sr_err != LDAP_SUCCESS || binddn[0] == '\0' ) {
if ( !BER_BVISNULL( &msc->msc_bound_ndn ) ) {
ber_memfree( msc->msc_bound_ndn.bv_val );
BER_BVZERO( &msc->msc_bound_ndn );
}
if ( !BER_BVISNULL( &msc->msc_cred ) ) {
memset( msc->msc_cred.bv_val, 0, msc->msc_cred.bv_len );
ber_memfree( msc->msc_cred.bv_val );
BER_BVZERO( &msc->msc_cred );
}
}
}
if ( META_BACK_TGT_QUARANTINE( mt ) ) {
asyncmeta_quarantine( op, mi, rs, candidate );
}
return rs->sr_err;
}
int slap_bv2ad(
struct berval *bv,
AttributeDescription **ad,
const char **text )
{
int rtn = LDAP_UNDEFINED_TYPE;
AttributeDescription desc, *d2;
char *name, *options, *optn;
char *opt, *next;
int ntags;
int tagslen;
/* hardcoded limits for speed */
#define MAX_TAGGING_OPTIONS 128
struct berval tags[MAX_TAGGING_OPTIONS+1];
#define MAX_TAGS_LEN 1024
char tagbuf[MAX_TAGS_LEN];
assert( ad != NULL );
assert( *ad == NULL ); /* temporary */
if( bv == NULL || BER_BVISNULL( bv ) || BER_BVISEMPTY( bv ) ) {
*text = "empty AttributeDescription";
return rtn;
}
/* make sure description is IA5 */
if( ad_keystring( bv ) ) {
*text = "AttributeDescription contains inappropriate characters";
return rtn;
}
/* find valid base attribute type; parse in place */
desc.ad_cname = *bv;
desc.ad_flags = 0;
BER_BVZERO( &desc.ad_tags );
name = bv->bv_val;
options = ber_bvchr( bv, ';' );
if ( options != NULL && (unsigned) ( options - name ) < bv->bv_len ) {
/* don't go past the end of the berval! */
desc.ad_cname.bv_len = options - name;
} else {
options = NULL;
}
desc.ad_type = at_bvfind( &desc.ad_cname );
if( desc.ad_type == NULL ) {
*text = "attribute type undefined";
return rtn;
}
if( is_at_operational( desc.ad_type ) && options != NULL ) {
*text = "operational attribute with options undefined";
return rtn;
}
/*
* parse options in place
*/
ntags = 0;
tagslen = 0;
optn = bv->bv_val + bv->bv_len;
for( opt=options; opt != NULL; opt=next ) {
int optlen;
opt++;
next = strchrlen( opt, optn, ';', &optlen );
if( optlen == 0 ) {
*text = "zero length option is invalid";
return rtn;
} else if ( optlen == STRLENOF("binary") &&
strncasecmp( opt, "binary", STRLENOF("binary") ) == 0 )
{
/* binary option */
if( slap_ad_is_binary( &desc ) ) {
*text = "option \"binary\" specified multiple times";
return rtn;
}
if( !slap_syntax_is_binary( desc.ad_type->sat_syntax )) {
/* not stored in binary, disallow option */
*text = "option \"binary\" not supported with type";
return rtn;
}
desc.ad_flags |= SLAP_DESC_BINARY;
continue;
} else if ( ad_find_option_definition( opt, optlen ) ) {
int i;
if( opt[optlen-1] == '-' ||
( opt[optlen-1] == '=' && msad_range_hack )) {
desc.ad_flags |= SLAP_DESC_TAG_RANGE;
}
if( ntags >= MAX_TAGGING_OPTIONS ) {
*text = "too many tagging options";
return rtn;
}
/*
* tags should be presented in sorted order,
* so run the array in reverse.
*/
for( i=ntags-1; i>=0; i-- ) {
int rc;
rc = strncasecmp( opt, tags[i].bv_val,
(unsigned) optlen < tags[i].bv_len
? (unsigned) optlen : tags[i].bv_len );
if( rc == 0 && (unsigned)optlen == tags[i].bv_len ) {
/* duplicate (ignore) */
ntags--;
goto done;
} else if ( rc > 0 ||
( rc == 0 && (unsigned)optlen > tags[i].bv_len ))
{
AC_MEMCPY( &tags[i+2], &tags[i+1],
(ntags-i-1)*sizeof(struct berval) );
tags[i+1].bv_val = opt;
tags[i+1].bv_len = optlen;
goto done;
}
}
if( ntags ) {
AC_MEMCPY( &tags[1], &tags[0],
ntags*sizeof(struct berval) );
}
tags[0].bv_val = opt;
tags[0].bv_len = optlen;
done:
;
tagslen += optlen + 1;
ntags++;
} else {
*text = "unrecognized option";
return rtn;
}
}
if( ntags > 0 ) {
int i;
if( tagslen > MAX_TAGS_LEN ) {
*text = "tagging options too long";
return rtn;
}
desc.ad_tags.bv_val = tagbuf;
tagslen = 0;
for( i=0; i<ntags; i++ ) {
AC_MEMCPY( &desc.ad_tags.bv_val[tagslen],
tags[i].bv_val, tags[i].bv_len );
tagslen += tags[i].bv_len;
desc.ad_tags.bv_val[tagslen++] = ';';
}
desc.ad_tags.bv_val[--tagslen] = '\0';
desc.ad_tags.bv_len = tagslen;
}
/* see if a matching description is already cached */
for (d2 = desc.ad_type->sat_ad; d2; d2=d2->ad_next) {
if( d2->ad_flags != desc.ad_flags ) {
continue;
}
if( d2->ad_tags.bv_len != desc.ad_tags.bv_len ) {
continue;
}
if( d2->ad_tags.bv_len == 0 ) {
break;
}
if( strncasecmp( d2->ad_tags.bv_val, desc.ad_tags.bv_val,
desc.ad_tags.bv_len ) == 0 )
{
break;
}
}
/* Not found, add new one */
while (d2 == NULL) {
size_t dlen = 0;
ldap_pvt_thread_mutex_lock( &desc.ad_type->sat_ad_mutex );
/* check again now that we've locked */
for (d2 = desc.ad_type->sat_ad; d2; d2=d2->ad_next) {
if (d2->ad_flags != desc.ad_flags)
continue;
if (d2->ad_tags.bv_len != desc.ad_tags.bv_len)
continue;
if (d2->ad_tags.bv_len == 0)
break;
if (strncasecmp(d2->ad_tags.bv_val, desc.ad_tags.bv_val,
desc.ad_tags.bv_len) == 0)
break;
}
if (d2) {
ldap_pvt_thread_mutex_unlock( &desc.ad_type->sat_ad_mutex );
break;
}
/* Allocate a single contiguous block. If there are no
* options, we just need space for the AttrDesc structure.
* Otherwise, we need to tack on the full name length +
* options length, + maybe tagging options length again.
*/
if (desc.ad_tags.bv_len || desc.ad_flags != SLAP_DESC_NONE) {
dlen = desc.ad_type->sat_cname.bv_len + 1;
if (desc.ad_tags.bv_len) {
dlen += 1 + desc.ad_tags.bv_len;
}
if ( slap_ad_is_binary( &desc ) ) {
dlen += 1 + STRLENOF(";binary") + desc.ad_tags.bv_len;
}
}
d2 = ch_malloc(sizeof(AttributeDescription) + dlen);
d2->ad_next = NULL;
d2->ad_type = desc.ad_type;
d2->ad_flags = desc.ad_flags;
d2->ad_cname.bv_len = desc.ad_type->sat_cname.bv_len;
d2->ad_tags.bv_len = desc.ad_tags.bv_len;
ldap_pvt_thread_mutex_lock( &ad_index_mutex );
d2->ad_index = ++ad_count;
ldap_pvt_thread_mutex_unlock( &ad_index_mutex );
if (dlen == 0) {
d2->ad_cname.bv_val = d2->ad_type->sat_cname.bv_val;
d2->ad_tags.bv_val = NULL;
} else {
char *cp, *op, *lp;
int j;
d2->ad_cname.bv_val = (char *)(d2+1);
strcpy(d2->ad_cname.bv_val, d2->ad_type->sat_cname.bv_val);
cp = d2->ad_cname.bv_val + d2->ad_cname.bv_len;
if( slap_ad_is_binary( &desc ) ) {
op = cp;
lp = NULL;
if( desc.ad_tags.bv_len ) {
lp = desc.ad_tags.bv_val;
while( strncasecmp(lp, "binary", STRLENOF("binary")) < 0
&& (lp = strchr( lp, ';' )) != NULL )
++lp;
if( lp != desc.ad_tags.bv_val ) {
*cp++ = ';';
j = (lp
? (unsigned) (lp - desc.ad_tags.bv_val - 1)
: strlen( desc.ad_tags.bv_val ));
cp = lutil_strncopy(cp, desc.ad_tags.bv_val, j);
}
}
cp = lutil_strcopy(cp, ";binary");
if( lp != NULL ) {
*cp++ = ';';
cp = lutil_strcopy(cp, lp);
}
d2->ad_cname.bv_len = cp - d2->ad_cname.bv_val;
if( desc.ad_tags.bv_len )
ldap_pvt_str2lower(op);
j = 1;
} else {
j = 0;
}
if( desc.ad_tags.bv_len ) {
lp = d2->ad_cname.bv_val + d2->ad_cname.bv_len + j;
if ( j == 0 )
*lp++ = ';';
d2->ad_tags.bv_val = lp;
strcpy(lp, desc.ad_tags.bv_val);
ldap_pvt_str2lower(lp);
if( j == 0 )
d2->ad_cname.bv_len += 1 + desc.ad_tags.bv_len;
}
}
/* Add new desc to list. We always want the bare Desc with
* no options to stay at the head of the list, assuming
* that one will be used most frequently.
*/
if (desc.ad_type->sat_ad == NULL || dlen == 0) {
d2->ad_next = desc.ad_type->sat_ad;
desc.ad_type->sat_ad = d2;
} else {
d2->ad_next = desc.ad_type->sat_ad->ad_next;
desc.ad_type->sat_ad->ad_next = d2;
}
ldap_pvt_thread_mutex_unlock( &desc.ad_type->sat_ad_mutex );
}
if( *ad == NULL ) {
*ad = d2;
} else {
**ad = *d2;
}
return LDAP_SUCCESS;
}
int
asyncmeta_back_bind( Operation *op, SlapReply *rs )
{
a_metainfo_t *mi = ( a_metainfo_t * )op->o_bd->be_private;
a_metaconn_t *mc = NULL;
int rc = LDAP_OTHER,
i,
gotit = 0,
isroot = 0;
SlapReply *candidates;
candidates = op->o_tmpcalloc(mi->mi_ntargets, sizeof(SlapReply),op->o_tmpmemctx);
rs->sr_err = LDAP_SUCCESS;
Debug( LDAP_DEBUG_ARGS, "%s asyncmeta_back_bind: dn=\"%s\".\n",
op->o_log_prefix, op->o_req_dn.bv_val, 0 );
/* the test on the bind method should be superfluous */
switch ( be_rootdn_bind( op, rs ) ) {
case LDAP_SUCCESS:
if ( META_BACK_DEFER_ROOTDN_BIND( mi ) ) {
/* frontend will return success */
return rs->sr_err;
}
isroot = 1;
/* fallthru */
case SLAP_CB_CONTINUE:
break;
default:
/* be_rootdn_bind() sent result */
return rs->sr_err;
}
/* we need asyncmeta_getconn() not send result even on error,
* because we want to intercept the error and make it
* invalidCredentials */
mc = asyncmeta_getconn( op, rs, candidates, NULL, LDAP_BACK_BIND_DONTSEND, 1 );
if ( !mc ) {
if ( LogTest( LDAP_DEBUG_ANY ) ) {
char buf[ SLAP_TEXT_BUFLEN ];
snprintf( buf, sizeof( buf ),
"asyncmeta_back_bind: no target "
"for dn \"%s\" (%d%s%s).",
op->o_req_dn.bv_val, rs->sr_err,
rs->sr_text ? ". " : "",
rs->sr_text ? rs->sr_text : "" );
Debug( LDAP_DEBUG_ANY,
"%s %s\n",
op->o_log_prefix, buf, 0 );
}
/* FIXME: there might be cases where we don't want
* to map the error onto invalidCredentials */
switch ( rs->sr_err ) {
case LDAP_NO_SUCH_OBJECT:
case LDAP_UNWILLING_TO_PERFORM:
rs->sr_err = LDAP_INVALID_CREDENTIALS;
rs->sr_text = NULL;
break;
}
send_ldap_result( op, rs );
return rs->sr_err;
}
/*
* Each target is scanned ...
*/
mc->mc_authz_target = META_BOUND_NONE;
for ( i = 0; i < mi->mi_ntargets; i++ ) {
a_metatarget_t *mt = mi->mi_targets[ i ];
int lerr;
/*
* Skip non-candidates
*/
if ( !META_IS_CANDIDATE( &candidates[ i ] ) ) {
continue;
}
if ( gotit == 0 ) {
/* set rc to LDAP_SUCCESS only if at least
* one candidate has been tried */
rc = LDAP_SUCCESS;
gotit = 1;
} else if ( !isroot ) {
/*
* A bind operation is expected to have
* ONE CANDIDATE ONLY!
*/
Debug( LDAP_DEBUG_ANY,
"### %s asyncmeta_back_bind: more than one"
" candidate selected...\n",
op->o_log_prefix, 0, 0 );
}
if ( isroot ) {
if ( mt->mt_idassert_authmethod == LDAP_AUTH_NONE
|| BER_BVISNULL( &mt->mt_idassert_authcDN ) )
{
a_metasingleconn_t *msc = &mc->mc_conns[ i ];
if ( !BER_BVISNULL( &msc->msc_bound_ndn ) ) {
ch_free( msc->msc_bound_ndn.bv_val );
BER_BVZERO( &msc->msc_bound_ndn );
}
if ( !BER_BVISNULL( &msc->msc_cred ) ) {
/* destroy sensitive data */
memset( msc->msc_cred.bv_val, 0,
msc->msc_cred.bv_len );
ch_free( msc->msc_cred.bv_val );
BER_BVZERO( &msc->msc_cred );
}
continue;
}
(void)asyncmeta_proxy_authz_bind( mc, i, op, rs, LDAP_BACK_DONTSEND, 1 );
lerr = rs->sr_err;
} else {
lerr = asyncmeta_single_bind( op, rs, mc, i );
}
if ( lerr != LDAP_SUCCESS ) {
rc = rs->sr_err = lerr;
/* FIXME: in some cases (e.g. unavailable)
* do not assume it's not candidate; rather
* mark this as an error to be eventually
* reported to client */
META_CANDIDATE_CLEAR( &candidates[ i ] );
break;
}
}
if ( mc != NULL ) {
for ( i = 0; i < mi->mi_ntargets; i++ ) {
a_metasingleconn_t *msc = &mc->mc_conns[ i ];
if ( !BER_BVISNULL( &msc->msc_bound_ndn ) ) {
ch_free( msc->msc_bound_ndn.bv_val );
}
if ( !BER_BVISNULL( &msc->msc_cred ) ) {
/* destroy sensitive data */
memset( msc->msc_cred.bv_val, 0,
msc->msc_cred.bv_len );
ch_free( msc->msc_cred.bv_val );
}
}
asyncmeta_back_conn_free( mc );
}
/*
* rc is LDAP_SUCCESS if at least one bind succeeded,
* err is the last error that occurred during a bind;
* if at least (and at most?) one bind succeeds, fine.
*/
if ( rc != LDAP_SUCCESS ) {
/*
* deal with bind failure ...
*/
/*
* no target was found within the naming context,
* so bind must fail with invalid credentials
*/
if ( rs->sr_err == LDAP_SUCCESS && gotit == 0 ) {
rs->sr_err = LDAP_INVALID_CREDENTIALS;
} else {
rs->sr_err = slap_map_api2result( rs );
}
send_ldap_result( op, rs );
return rs->sr_err;
}
return LDAP_SUCCESS;
}
int slap_bv2undef_ad(
struct berval *bv,
AttributeDescription **ad,
const char **text,
unsigned flags )
{
AttributeDescription *desc;
AttributeType *at;
assert( ad != NULL );
if( bv == NULL || bv->bv_len == 0 ) {
*text = "empty AttributeDescription";
return LDAP_UNDEFINED_TYPE;
}
/* make sure description is IA5 */
if( ad_keystring( bv ) ) {
*text = "AttributeDescription contains inappropriate characters";
return LDAP_UNDEFINED_TYPE;
}
/* use the appropriate type */
if ( flags & SLAP_AD_PROXIED ) {
at = slap_schema.si_at_proxied;
} else {
at = slap_schema.si_at_undefined;
}
for( desc = at->sat_ad; desc; desc=desc->ad_next ) {
if( desc->ad_cname.bv_len == bv->bv_len &&
!strcasecmp( desc->ad_cname.bv_val, bv->bv_val ) )
{
break;
}
}
if( !desc ) {
if ( flags & SLAP_AD_NOINSERT ) {
*text = NULL;
return LDAP_UNDEFINED_TYPE;
}
desc = ch_malloc(sizeof(AttributeDescription) + 1 +
bv->bv_len);
desc->ad_flags = SLAP_DESC_NONE;
BER_BVZERO( &desc->ad_tags );
desc->ad_cname.bv_len = bv->bv_len;
desc->ad_cname.bv_val = (char *)(desc+1);
strncpy(desc->ad_cname.bv_val, bv->bv_val, bv->bv_len);
desc->ad_cname.bv_val[bv->bv_len] = '\0';
/* canonical to upper case */
ldap_pvt_str2upper( desc->ad_cname.bv_val );
/* shouldn't we protect this for concurrency? */
desc->ad_type = at;
desc->ad_index = 0;
ldap_pvt_thread_mutex_lock( &ad_undef_mutex );
desc->ad_next = desc->ad_type->sat_ad;
desc->ad_type->sat_ad = desc;
ldap_pvt_thread_mutex_unlock( &ad_undef_mutex );
Debug( LDAP_DEBUG_ANY,
"%s attributeDescription \"%s\" inserted.\n",
( flags & SLAP_AD_PROXIED ) ? "PROXIED" : "UNKNOWN",
desc->ad_cname.bv_val, 0 );
}
if( !*ad ) {
*ad = desc;
} else {
**ad = *desc;
}
return LDAP_SUCCESS;
}
static int
OpenLDAPaciPrettyNormal(
struct berval *val,
struct berval *out,
void *ctx,
int normalize )
{
struct berval oid = BER_BVNULL,
scope = BER_BVNULL,
rights = BER_BVNULL,
nrights = BER_BVNULL,
type = BER_BVNULL,
ntype = BER_BVNULL,
subject = BER_BVNULL,
nsubject = BER_BVNULL;
int idx,
rc = LDAP_SUCCESS,
freesubject = 0,
freetype = 0;
char *ptr;
BER_BVZERO( out );
if ( BER_BVISEMPTY( val ) ) {
Debug( LDAP_DEBUG_ACL, "aciPrettyNormal: value is empty\n", 0, 0, 0 );
return LDAP_INVALID_SYNTAX;
}
/* oid: if valid, it's already normalized */
if ( acl_get_part( val, 0, '#', &oid ) < 0 ||
numericoidValidate( NULL, &oid ) != LDAP_SUCCESS )
{
Debug( LDAP_DEBUG_ACL, "aciPrettyNormal: invalid oid '%s'\n", oid.bv_val, 0, 0 );
return LDAP_INVALID_SYNTAX;
}
/* scope: normalize by replacing with OpenLDAPaciscopes */
if ( acl_get_part( val, 1, '#', &scope ) < 0 ) {
Debug( LDAP_DEBUG_ACL, "aciPrettyNormal: missing scope in '%s'\n", val->bv_val, 0, 0 );
return LDAP_INVALID_SYNTAX;
}
idx = bv_getcaseidx( &scope, OpenLDAPaciscopes );
if ( idx == -1 ) {
Debug( LDAP_DEBUG_ACL, "aciPrettyNormal: invalid scope '%s'\n", scope.bv_val, 0, 0 );
return LDAP_INVALID_SYNTAX;
}
scope = *OpenLDAPaciscopes[ idx ];
/* rights */
if ( acl_get_part( val, 2, '#', &rights ) < 0 ) {
Debug( LDAP_DEBUG_ACL, "aciPrettyNormal: missing rights in '%s'\n", val->bv_val, 0, 0 );
return LDAP_INVALID_SYNTAX;
}
if ( OpenLDAPaciNormalizeRights( &rights, &nrights, ctx )
!= LDAP_SUCCESS )
{
return LDAP_INVALID_SYNTAX;
}
/* type */
if ( acl_get_part( val, 3, '#', &type ) < 0 ) {
Debug( LDAP_DEBUG_ACL, "aciPrettyNormal: missing type in '%s'\n", val->bv_val, 0, 0 );
rc = LDAP_INVALID_SYNTAX;
goto cleanup;
}
idx = bv_getcaseidx( &type, OpenLDAPacitypes );
if ( idx == -1 ) {
struct berval isgr;
if ( acl_get_part( &type, 0, '/', &isgr ) < 0 ) {
Debug( LDAP_DEBUG_ACL, "aciPrettyNormal: invalid type '%s'\n", type.bv_val, 0, 0 );
rc = LDAP_INVALID_SYNTAX;
goto cleanup;
}
idx = bv_getcaseidx( &isgr, OpenLDAPacitypes );
if ( idx == -1 || idx >= LAST_OPTIONAL ) {
Debug( LDAP_DEBUG_ACL, "aciPrettyNormal: invalid type '%s'\n", isgr.bv_val, 0, 0 );
rc = LDAP_INVALID_SYNTAX;
goto cleanup;
}
}
ntype = *OpenLDAPacitypes[ idx ];
/* subject */
bv_get_tail( val, &type, &subject );
if ( BER_BVISEMPTY( &subject ) || subject.bv_val[ 0 ] != '#' ) {
Debug( LDAP_DEBUG_ACL, "aciPrettyNormal: missing subject in '%s'\n", val->bv_val, 0, 0 );
rc = LDAP_INVALID_SYNTAX;
goto cleanup;
}
subject.bv_val++;
subject.bv_len--;
if ( idx < LAST_DNVALUED ) {
/* FIXME: pass DN syntax? */
if ( normalize ) {
rc = dnNormalize( 0, NULL, NULL,
&subject, &nsubject, ctx );
} else {
rc = dnPretty( NULL, &subject, &nsubject, ctx );
}
if ( rc == LDAP_SUCCESS ) {
freesubject = 1;
} else {
Debug( LDAP_DEBUG_ACL, "aciPrettyNormal: invalid subject dn '%s'\n", subject.bv_val, 0, 0 );
goto cleanup;
}
if ( OpenLDAPacitypes[ idx ] == &aci_bv[ ACI_BV_GROUP ]
|| OpenLDAPacitypes[ idx ] == &aci_bv[ ACI_BV_ROLE ] )
{
/* do {group|role}/oc/at check */
struct berval ocbv = BER_BVNULL,
atbv = BER_BVNULL;
ocbv.bv_val = ber_bvchr( &type, '/' );
if ( ocbv.bv_val != NULL ) {
ObjectClass *oc = NULL;
AttributeDescription *ad = NULL;
const char *text = NULL;
int rc;
struct berval bv;
bv.bv_len = ntype.bv_len;
ocbv.bv_val++;
ocbv.bv_len = type.bv_len - ( ocbv.bv_val - type.bv_val );
atbv.bv_val = ber_bvchr( &ocbv, '/' );
if ( atbv.bv_val != NULL ) {
atbv.bv_val++;
atbv.bv_len = type.bv_len
- ( atbv.bv_val - type.bv_val );
ocbv.bv_len = atbv.bv_val - ocbv.bv_val - 1;
rc = slap_bv2ad( &atbv, &ad, &text );
if ( rc != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_ACL, "aciPrettyNormal: unknown group attribute '%s'\n", atbv.bv_val, 0, 0 );
rc = LDAP_INVALID_SYNTAX;
goto cleanup;
}
bv.bv_len += STRLENOF( "/" ) + ad->ad_cname.bv_len;
}
oc = oc_bvfind( &ocbv );
if ( oc == NULL ) {
Debug( LDAP_DEBUG_ACL, "aciPrettyNormal: invalid group '%s'\n", ocbv.bv_val, 0, 0 );
rc = LDAP_INVALID_SYNTAX;
goto cleanup;
}
bv.bv_len += STRLENOF( "/" ) + oc->soc_cname.bv_len;
bv.bv_val = ber_memalloc_x( bv.bv_len + 1, ctx );
ptr = bv.bv_val;
ptr = lutil_strncopy( ptr, ntype.bv_val, ntype.bv_len );
ptr[ 0 ] = '/';
ptr++;
ptr = lutil_strncopy( ptr,
oc->soc_cname.bv_val,
oc->soc_cname.bv_len );
if ( ad != NULL ) {
ptr[ 0 ] = '/';
ptr++;
ptr = lutil_strncopy( ptr,
ad->ad_cname.bv_val,
ad->ad_cname.bv_len );
}
ptr[ 0 ] = '\0';
ntype = bv;
freetype = 1;
}
}
} else if ( OpenLDAPacitypes[ idx ] == &aci_bv[ ACI_BV_DNATTR ] ) {
AttributeDescription *ad = NULL;
const char *text = NULL;
int rc;
rc = slap_bv2ad( &subject, &ad, &text );
if ( rc != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_ACL, "aciPrettyNormal: unknown dn attribute '%s'\n", subject.bv_val, 0, 0 );
rc = LDAP_INVALID_SYNTAX;
goto cleanup;
}
if ( ad->ad_type->sat_syntax != slap_schema.si_syn_distinguishedName ) {
/* FIXME: allow nameAndOptionalUID? */
Debug( LDAP_DEBUG_ACL, "aciPrettyNormal: wrong syntax for dn attribute '%s'\n", subject.bv_val, 0, 0 );
rc = LDAP_INVALID_SYNTAX;
goto cleanup;
}
nsubject = ad->ad_cname;
} else if ( OpenLDAPacitypes[ idx ] == &aci_bv[ ACI_BV_SET ]
|| OpenLDAPacitypes[ idx ] == &aci_bv[ ACI_BV_SET_REF ] )
{
/* NOTE: dunno how to normalize it... */
nsubject = subject;
}
out->bv_len =
oid.bv_len + STRLENOF( "#" )
+ scope.bv_len + STRLENOF( "#" )
+ nrights.bv_len + STRLENOF( "#" )
+ ntype.bv_len + STRLENOF( "#" )
+ nsubject.bv_len;
out->bv_val = ber_memalloc_x( out->bv_len + 1, ctx );
ptr = lutil_strncopy( out->bv_val, oid.bv_val, oid.bv_len );
ptr[ 0 ] = '#';
ptr++;
ptr = lutil_strncopy( ptr, scope.bv_val, scope.bv_len );
ptr[ 0 ] = '#';
ptr++;
ptr = lutil_strncopy( ptr, nrights.bv_val, nrights.bv_len );
ptr[ 0 ] = '#';
ptr++;
ptr = lutil_strncopy( ptr, ntype.bv_val, ntype.bv_len );
ptr[ 0 ] = '#';
ptr++;
if ( !BER_BVISNULL( &nsubject ) ) {
ptr = lutil_strncopy( ptr, nsubject.bv_val, nsubject.bv_len );
}
ptr[ 0 ] = '\0';
cleanup:;
if ( freesubject ) {
ber_memfree_x( nsubject.bv_val, ctx );
}
if ( freetype ) {
ber_memfree_x( ntype.bv_val, ctx );
}
if ( !BER_BVISNULL( &nrights ) ) {
ber_memfree_x( nrights.bv_val, ctx );
}
return rc;
}
/*
* Convert a delimited string into a list of AttributeNames; add
* on to an existing list if it was given. If the string is not
* a valid attribute name, if a '-' is prepended it is skipped
* and the remaining name is tried again; if a '@' (or '+') is
* prepended, an objectclass name is searched instead; if a '!'
* is prepended, the objectclass name is negated.
*
* NOTE: currently, if a valid attribute name is not found, the
* same string is also checked as valid objectclass name; however,
* this behavior is deprecated.
*/
AttributeName *
str2anlist( AttributeName *an, char *in, const char *brkstr )
{
char *str;
char *s;
char *lasts;
int i, j;
const char *text;
AttributeName *anew;
/* find last element in list */
i = 0;
if ( an != NULL ) {
for ( i = 0; !BER_BVISNULL( &an[ i ].an_name ) ; i++)
;
}
/* protect the input string from strtok */
str = ch_strdup( in );
/* Count words in string */
j = 1;
for ( s = str; *s; s++ ) {
if ( strchr( brkstr, *s ) != NULL ) {
j++;
}
}
an = ch_realloc( an, ( i + j + 1 ) * sizeof( AttributeName ) );
anew = an + i;
for ( s = ldap_pvt_strtok( str, brkstr, &lasts );
s != NULL;
s = ldap_pvt_strtok( NULL, brkstr, &lasts ) )
{
/* put a stop mark */
BER_BVZERO( &anew[1].an_name );
anew->an_desc = NULL;
anew->an_oc = NULL;
anew->an_flags = 0;
ber_str2bv(s, 0, 1, &anew->an_name);
slap_bv2ad(&anew->an_name, &anew->an_desc, &text);
if ( !anew->an_desc ) {
switch( anew->an_name.bv_val[0] ) {
case '-': {
struct berval adname;
adname.bv_len = anew->an_name.bv_len - 1;
adname.bv_val = &anew->an_name.bv_val[1];
slap_bv2ad(&adname, &anew->an_desc, &text);
if ( !anew->an_desc ) {
goto reterr;
}
}
break;
case '@':
case '+': /* (deprecated) */
case '!': {
struct berval ocname;
ocname.bv_len = anew->an_name.bv_len - 1;
ocname.bv_val = &anew->an_name.bv_val[1];
anew->an_oc = oc_bvfind( &ocname );
if ( !anew->an_oc ) {
goto reterr;
}
if ( anew->an_name.bv_val[0] == '!' ) {
anew->an_flags |= SLAP_AN_OCEXCLUDE;
}
}
break;
default:
/* old (deprecated) way */
anew->an_oc = oc_bvfind( &anew->an_name );
if ( !anew->an_oc ) {
goto reterr;
}
}
}
anew->an_flags |= SLAP_AN_OCINITED;
anew++;
}
BER_BVZERO( &anew->an_name );
free( str );
return( an );
reterr:
anlist_free( an, 1, NULL );
/*
* overwrites input string
* on error!
*/
strcpy( in, s );
free( str );
return NULL;
}
/*
* massages "in" into "dn"
*
* "dn" may contain the value of "in" if no massage occurred
*/
int
rwm_dn_massage(
dncookie *dc,
struct berval *in,
struct berval *dn
)
{
int rc = 0;
struct berval mdn;
static char *dmy = "";
char *in_val;
assert( dc != NULL );
assert( in != NULL );
assert( dn != NULL );
/* protect from NULL berval */
in_val = in->bv_val ? in->bv_val : dmy;
rc = rewrite_session( dc->rwmap->rwm_rw, dc->ctx,
in_val, dc->conn, &mdn.bv_val );
switch ( rc ) {
case REWRITE_REGEXEC_OK:
if ( !BER_BVISNULL( &mdn ) && mdn.bv_val != in_val ) {
mdn.bv_len = strlen( mdn.bv_val );
*dn = mdn;
} else {
dn->bv_len = in->bv_len;
dn->bv_val = in_val;
}
rc = LDAP_SUCCESS;
Debug( LDAP_DEBUG_ARGS,
"[rw] %s: \"%s\" -> \"%s\"\n",
dc->ctx, in_val, dn->bv_val );
break;
case REWRITE_REGEXEC_UNWILLING:
if ( dc->rs ) {
dc->rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
dc->rs->sr_text = "Operation not allowed";
}
rc = LDAP_UNWILLING_TO_PERFORM;
break;
case REWRITE_REGEXEC_ERR:
if ( dc->rs ) {
dc->rs->sr_err = LDAP_OTHER;
dc->rs->sr_text = "Rewrite error";
}
rc = LDAP_OTHER;
break;
}
if ( mdn.bv_val == dmy ) {
BER_BVZERO( &mdn );
}
if ( dn->bv_val == dmy ) {
BER_BVZERO( dn );
}
return rc;
}
static int
nssov_db_open(
BackendDB *be,
ConfigReply *cr )
{
slap_overinst *on = (slap_overinst *)be->bd_info;
nssov_info *ni = on->on_bi.bi_private;
nssov_mapinfo *mi;
int i, sock;
struct sockaddr_un addr;
/* Set default bases */
for (i=0; i<NM_NONE; i++) {
if ( BER_BVISNULL( &ni->ni_maps[i].mi_base )) {
ber_dupbv( &ni->ni_maps[i].mi_base, &be->be_nsuffix[0] );
}
if ( ni->ni_maps[i].mi_scope == LDAP_SCOPE_DEFAULT )
ni->ni_maps[i].mi_scope = LDAP_SCOPE_SUBTREE;
}
/* validate attribute maps */
mi = ni->ni_maps;
for ( i=0; i<NM_NONE; i++,mi++) {
const char *text;
int j;
for (j=0; !BER_BVISNULL(&mi->mi_attrkeys[j]); j++) {
/* skip attrs we already validated */
if ( mi->mi_attrs[j].an_desc ) continue;
if ( slap_bv2ad( &mi->mi_attrs[j].an_name,
&mi->mi_attrs[j].an_desc, &text )) {
Debug(LDAP_DEBUG_ANY,"nssov: invalid attr \"%s\": %s\n",
mi->mi_attrs[j].an_name.bv_val, text, 0 );
return -1;
}
}
BER_BVZERO(&mi->mi_attrs[j].an_name);
mi->mi_attrs[j].an_desc = NULL;
}
/* Find host and authorizedService definitions */
if ((ni->ni_pam_opts & NI_PAM_USERHOST) && !nssov_pam_host_ad)
{
const char *text;
i = slap_str2ad("host", &nssov_pam_host_ad, &text);
if (i != LDAP_SUCCESS) {
Debug(LDAP_DEBUG_ANY,"nssov: host attr unknown: %s\n",
text, 0, 0 );
return -1;
}
}
if ((ni->ni_pam_opts & (NI_PAM_USERSVC|NI_PAM_HOSTSVC)) &&
!nssov_pam_svc_ad)
{
const char *text;
i = slap_str2ad("authorizedService", &nssov_pam_svc_ad, &text);
if (i != LDAP_SUCCESS) {
Debug(LDAP_DEBUG_ANY,"nssov: authorizedService attr unknown: %s\n",
text, 0, 0 );
return -1;
}
}
if ( slapMode & SLAP_SERVER_MODE ) {
/* make sure /var/run/nslcd exists */
if (mkdir(NSLCD_PATH, (mode_t) 0555)) {
Debug(LDAP_DEBUG_TRACE,"nssov: mkdir(%s) failed (ignored): %s\n",
NSLCD_PATH,strerror(errno),0);
} else {
Debug(LDAP_DEBUG_TRACE,"nssov: created %s\n",NSLCD_PATH,0,0);
}
/* create a socket */
if ( (sock=socket(PF_UNIX,SOCK_STREAM,0))<0 )
{
Debug(LDAP_DEBUG_ANY,"nssov: cannot create socket: %s\n",strerror(errno),0,0);
return -1;
}
/* remove existing named socket */
if (unlink(NSLCD_SOCKET)<0)
{
Debug( LDAP_DEBUG_TRACE,"nssov: unlink() of "NSLCD_SOCKET" failed (ignored): %s\n",
strerror(errno),0,0);
}
/* create socket address structure */
memset(&addr,0,sizeof(struct sockaddr_un));
addr.sun_family=AF_UNIX;
strncpy(addr.sun_path,NSLCD_SOCKET,sizeof(addr.sun_path));
addr.sun_path[sizeof(addr.sun_path)-1]='\0';
/* bind to the named socket */
if (bind(sock,(struct sockaddr *)&addr,sizeof(struct sockaddr_un)))
{
Debug( LDAP_DEBUG_ANY,"nssov: bind() to "NSLCD_SOCKET" failed: %s",
strerror(errno),0,0);
if (close(sock))
Debug( LDAP_DEBUG_ANY,"nssov: problem closing socket: %s",strerror(errno),0,0);
return -1;
}
/* close the file descriptor on exit */
if (fcntl(sock,F_SETFD,FD_CLOEXEC)<0)
{
Debug( LDAP_DEBUG_ANY,"nssov: fcntl(F_SETFL,O_NONBLOCK) failed: %s",strerror(errno),0,0);
if (close(sock))
Debug( LDAP_DEBUG_ANY,"nssov: problem closing socket: %s",strerror(errno),0,0);
return -1;
}
/* set permissions of socket so anybody can do requests */
/* Note: we use chmod() here instead of fchmod() because
fchmod does not work on sockets
http://www.opengroup.org/onlinepubs/009695399/functions/fchmod.html
http://lkml.org/lkml/2005/5/16/11 */
if (chmod(NSLCD_SOCKET,(mode_t)0666))
{
Debug( LDAP_DEBUG_ANY,"nssov: chmod(0666) failed: %s",strerror(errno),0,0);
if (close(sock))
Debug( LDAP_DEBUG_ANY,"nssov: problem closing socket: %s",strerror(errno),0,0);
return -1;
}
/* start listening for connections */
if (listen(sock,SOMAXCONN)<0)
{
Debug( LDAP_DEBUG_ANY,"nssov: listen() failed: %s",strerror(errno),0,0);
if (close(sock))
Debug( LDAP_DEBUG_ANY,"nssov: problem closing socket: %s",strerror(errno),0,0);
return -1;
}
ni->ni_socket = sock;
ni->ni_conn = connection_client_setup( sock, acceptconn, ni );
}
return 0;
}
int
do_extended(
Operation *op,
SlapReply *rs
)
{
struct berval reqdata = {0, NULL};
ber_len_t len;
Debug( LDAP_DEBUG_TRACE, "%s do_extended\n",
op->o_log_prefix );
if( op->o_protocol < LDAP_VERSION3 ) {
Debug( LDAP_DEBUG_ANY, "%s do_extended: protocol version (%d) too low\n",
op->o_log_prefix, op->o_protocol );
send_ldap_discon( op, rs, LDAP_PROTOCOL_ERROR, "requires LDAPv3" );
rs->sr_err = SLAPD_DISCONNECT;
goto done;
}
if ( ber_scanf( op->o_ber, "{m" /*}*/, &op->ore_reqoid ) == LBER_ERROR ) {
Debug( LDAP_DEBUG_ANY, "%s do_extended: ber_scanf failed\n",
op->o_log_prefix );
send_ldap_discon( op, rs, LDAP_PROTOCOL_ERROR, "decoding error" );
rs->sr_err = SLAPD_DISCONNECT;
goto done;
}
if( ber_peek_tag( op->o_ber, &len ) == LDAP_TAG_EXOP_REQ_VALUE ) {
if( ber_scanf( op->o_ber, "m", &reqdata ) == LBER_ERROR ) {
Debug( LDAP_DEBUG_ANY, "%s do_extended: ber_scanf failed\n",
op->o_log_prefix );
send_ldap_discon( op, rs, LDAP_PROTOCOL_ERROR, "decoding error" );
rs->sr_err = SLAPD_DISCONNECT;
goto done;
}
}
if( get_ctrls( op, rs, 1 ) != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_ANY, "%s do_extended: get_ctrls failed\n",
op->o_log_prefix );
return rs->sr_err;
}
Debug( LDAP_DEBUG_STATS, "%s EXT oid=%s\n",
op->o_log_prefix, op->ore_reqoid.bv_val );
/* check for controls inappropriate for all extended operations */
if( get_manageDSAit( op ) == SLAP_CONTROL_CRITICAL ) {
send_ldap_error( op, rs,
LDAP_UNAVAILABLE_CRITICAL_EXTENSION,
"manageDSAit control inappropriate" );
goto done;
}
/* FIXME: temporary? */
if ( reqdata.bv_val ) {
op->ore_reqdata = &reqdata;
}
op->o_bd = frontendDB;
rs->sr_err = frontendDB->be_extended( op, rs );
/* clean up in case some overlay set them? */
if ( !BER_BVISNULL( &op->o_req_ndn ) ) {
if ( !BER_BVISNULL( &op->o_req_dn )
&& op->o_req_ndn.bv_val != op->o_req_dn.bv_val )
{
op->o_tmpfree( op->o_req_dn.bv_val, op->o_tmpmemctx );
}
op->o_tmpfree( op->o_req_ndn.bv_val, op->o_tmpmemctx );
BER_BVZERO( &op->o_req_dn );
BER_BVZERO( &op->o_req_ndn );
}
done:
return rs->sr_err;
}
int
backsql_db_open(
BackendDB *bd,
ConfigReply *cr )
{
backsql_info *bi = (backsql_info*)bd->be_private;
struct berbuf bb = BB_NULL;
Connection conn = { 0 };
OperationBuffer opbuf;
Operation* op;
SQLHDBC dbh = SQL_NULL_HDBC;
void *thrctx = ldap_pvt_thread_pool_context();
Debug( LDAP_DEBUG_TRACE, "==>backsql_db_open(): "
"testing RDBMS connection\n", 0, 0, 0 );
if ( bi->sql_dbname == NULL ) {
Debug( LDAP_DEBUG_TRACE, "backsql_db_open(): "
"datasource name not specified "
"(use \"dbname\" directive in slapd.conf)\n", 0, 0, 0 );
return 1;
}
if ( bi->sql_concat_func == NULL ) {
Debug( LDAP_DEBUG_TRACE, "backsql_db_open(): "
"concat func not specified (use \"concat_pattern\" "
"directive in slapd.conf)\n", 0, 0, 0 );
if ( backsql_split_pattern( backsql_def_concat_func,
&bi->sql_concat_func, 2 ) ) {
Debug( LDAP_DEBUG_TRACE, "backsql_db_open(): "
"unable to parse pattern \"%s\"",
backsql_def_concat_func, 0, 0 );
return 1;
}
}
/*
* see back-sql.h for default values
*/
if ( BER_BVISNULL( &bi->sql_aliasing ) ) {
ber_str2bv( BACKSQL_ALIASING,
STRLENOF( BACKSQL_ALIASING ),
1, &bi->sql_aliasing );
}
if ( BER_BVISNULL( &bi->sql_aliasing_quote ) ) {
ber_str2bv( BACKSQL_ALIASING_QUOTE,
STRLENOF( BACKSQL_ALIASING_QUOTE ),
1, &bi->sql_aliasing_quote );
}
/*
* Prepare cast string as required
*/
if ( bi->sql_upper_func.bv_val ) {
char buf[1024];
if ( BACKSQL_UPPER_NEEDS_CAST( bi ) ) {
snprintf( buf, sizeof( buf ),
"%s(cast (" /* ? as varchar(%d))) */ ,
bi->sql_upper_func.bv_val );
ber_str2bv( buf, 0, 1, &bi->sql_upper_func_open );
snprintf( buf, sizeof( buf ),
/* (cast(? */ " as varchar(%d)))",
BACKSQL_MAX_DN_LEN );
ber_str2bv( buf, 0, 1, &bi->sql_upper_func_close );
} else {
snprintf( buf, sizeof( buf ), "%s(" /* ?) */ ,
bi->sql_upper_func.bv_val );
ber_str2bv( buf, 0, 1, &bi->sql_upper_func_open );
ber_str2bv( /* (? */ ")", 0, 1, &bi->sql_upper_func_close );
}
}
/* normalize filter values only if necessary */
bi->sql_caseIgnoreMatch = mr_find( "caseIgnoreMatch" );
assert( bi->sql_caseIgnoreMatch != NULL );
bi->sql_telephoneNumberMatch = mr_find( "telephoneNumberMatch" );
assert( bi->sql_telephoneNumberMatch != NULL );
if ( bi->sql_dbuser == NULL ) {
Debug( LDAP_DEBUG_TRACE, "backsql_db_open(): "
"user name not specified "
"(use \"dbuser\" directive in slapd.conf)\n", 0, 0, 0 );
return 1;
}
if ( BER_BVISNULL( &bi->sql_subtree_cond ) ) {
/*
* Prepare concat function for subtree search condition
*/
struct berval concat;
struct berval values[] = {
BER_BVC( "'%'" ),
BER_BVC( "?" ),
BER_BVNULL
};
struct berbuf bb = BB_NULL;
Debug( LDAP_DEBUG_TRACE, "backsql_db_open(): "
"subtree search SQL condition not specified "
"(use \"subtree_cond\" directive in slapd.conf); "
"preparing default\n",
0, 0, 0);
if ( backsql_prepare_pattern( bi->sql_concat_func, values,
&concat ) ) {
Debug( LDAP_DEBUG_TRACE, "backsql_db_open(): "
"unable to prepare CONCAT pattern for subtree search",
0, 0, 0 );
return 1;
}
if ( bi->sql_upper_func.bv_val ) {
/*
* UPPER(ldap_entries.dn) LIKE UPPER(CONCAT('%',?))
*/
backsql_strfcat_x( &bb, NULL, "blbbb",
&bi->sql_upper_func,
(ber_len_t)STRLENOF( "(ldap_entries.dn) LIKE " ),
"(ldap_entries.dn) LIKE ",
&bi->sql_upper_func_open,
&concat,
&bi->sql_upper_func_close );
} else {
/*
* ldap_entries.dn LIKE CONCAT('%',?)
*/
backsql_strfcat_x( &bb, NULL, "lb",
(ber_len_t)STRLENOF( "ldap_entries.dn LIKE " ),
"ldap_entries.dn LIKE ",
&concat );
}
ch_free( concat.bv_val );
bi->sql_subtree_cond = bb.bb_val;
Debug( LDAP_DEBUG_TRACE, "backsql_db_open(): "
"setting \"%s\" as default \"subtree_cond\"\n",
bi->sql_subtree_cond.bv_val, 0, 0 );
}
if ( bi->sql_children_cond.bv_val == NULL ) {
/*
* Prepare concat function for children search condition
*/
struct berval concat;
struct berval values[] = {
BER_BVC( "'%,'" ),
BER_BVC( "?" ),
BER_BVNULL
};
struct berbuf bb = BB_NULL;
Debug( LDAP_DEBUG_TRACE, "backsql_db_open(): "
"children search SQL condition not specified "
"(use \"children_cond\" directive in slapd.conf); "
"preparing default\n",
0, 0, 0);
if ( backsql_prepare_pattern( bi->sql_concat_func, values,
&concat ) ) {
Debug( LDAP_DEBUG_TRACE, "backsql_db_open(): "
"unable to prepare CONCAT pattern for children search", 0, 0, 0 );
return 1;
}
if ( bi->sql_upper_func.bv_val ) {
/*
* UPPER(ldap_entries.dn) LIKE UPPER(CONCAT('%,',?))
*/
backsql_strfcat_x( &bb, NULL, "blbbb",
&bi->sql_upper_func,
(ber_len_t)STRLENOF( "(ldap_entries.dn) LIKE " ),
"(ldap_entries.dn) LIKE ",
&bi->sql_upper_func_open,
&concat,
&bi->sql_upper_func_close );
} else {
/*
* ldap_entries.dn LIKE CONCAT('%,',?)
*/
backsql_strfcat_x( &bb, NULL, "lb",
(ber_len_t)STRLENOF( "ldap_entries.dn LIKE " ),
"ldap_entries.dn LIKE ",
&concat );
}
ch_free( concat.bv_val );
bi->sql_children_cond = bb.bb_val;
Debug( LDAP_DEBUG_TRACE, "backsql_db_open(): "
"setting \"%s\" as default \"children_cond\"\n",
bi->sql_children_cond.bv_val, 0, 0 );
}
if ( bi->sql_dn_match_cond.bv_val == NULL ) {
/*
* Prepare concat function for dn match search condition
*/
struct berbuf bb = BB_NULL;
Debug( LDAP_DEBUG_TRACE, "backsql_db_open(): "
"DN match search SQL condition not specified "
"(use \"dn_match_cond\" directive in slapd.conf); "
"preparing default\n",
0, 0, 0);
if ( bi->sql_upper_func.bv_val ) {
/*
* UPPER(ldap_entries.dn)=?
*/
backsql_strfcat_x( &bb, NULL, "blbcb",
&bi->sql_upper_func,
(ber_len_t)STRLENOF( "(ldap_entries.dn)=" ),
"(ldap_entries.dn)=",
&bi->sql_upper_func_open,
'?',
&bi->sql_upper_func_close );
} else {
/*
* ldap_entries.dn=?
*/
backsql_strfcat_x( &bb, NULL, "l",
(ber_len_t)STRLENOF( "ldap_entries.dn=?" ),
"ldap_entries.dn=?" );
}
bi->sql_dn_match_cond = bb.bb_val;
Debug( LDAP_DEBUG_TRACE, "backsql_db_open(): "
"setting \"%s\" as default \"dn_match_cond\"\n",
bi->sql_dn_match_cond.bv_val, 0, 0 );
}
if ( bi->sql_oc_query == NULL ) {
if ( BACKSQL_CREATE_NEEDS_SELECT( bi ) ) {
bi->sql_oc_query =
ch_strdup( backsql_def_needs_select_oc_query );
} else {
bi->sql_oc_query = ch_strdup( backsql_def_oc_query );
}
Debug( LDAP_DEBUG_TRACE, "backsql_db_open(): "
"objectclass mapping SQL statement not specified "
"(use \"oc_query\" directive in slapd.conf)\n",
0, 0, 0 );
Debug( LDAP_DEBUG_TRACE, "backsql_db_open(): "
"setting \"%s\" by default\n", bi->sql_oc_query, 0, 0 );
}
if ( bi->sql_at_query == NULL ) {
Debug( LDAP_DEBUG_TRACE, "backsql_db_open(): "
"attribute mapping SQL statement not specified "
"(use \"at_query\" directive in slapd.conf)\n",
0, 0, 0 );
Debug(LDAP_DEBUG_TRACE, "backsql_db_open(): "
"setting \"%s\" by default\n",
backsql_def_at_query, 0, 0 );
bi->sql_at_query = ch_strdup( backsql_def_at_query );
}
if ( bi->sql_insentry_stmt == NULL ) {
Debug( LDAP_DEBUG_TRACE, "backsql_db_open(): "
"entry insertion SQL statement not specified "
"(use \"insentry_stmt\" directive in slapd.conf)\n",
0, 0, 0 );
Debug(LDAP_DEBUG_TRACE, "backsql_db_open(): "
"setting \"%s\" by default\n",
backsql_def_insentry_stmt, 0, 0 );
bi->sql_insentry_stmt = ch_strdup( backsql_def_insentry_stmt );
}
if ( bi->sql_delentry_stmt == NULL ) {
Debug( LDAP_DEBUG_TRACE, "backsql_db_open(): "
"entry deletion SQL statement not specified "
"(use \"delentry_stmt\" directive in slapd.conf)\n",
0, 0, 0 );
Debug( LDAP_DEBUG_TRACE, "backsql_db_open(): "
"setting \"%s\" by default\n",
backsql_def_delentry_stmt, 0, 0 );
bi->sql_delentry_stmt = ch_strdup( backsql_def_delentry_stmt );
}
if ( bi->sql_renentry_stmt == NULL ) {
Debug( LDAP_DEBUG_TRACE, "backsql_db_open(): "
"entry deletion SQL statement not specified "
"(use \"renentry_stmt\" directive in slapd.conf)\n",
0, 0, 0 );
Debug( LDAP_DEBUG_TRACE, "backsql_db_open(): "
"setting \"%s\" by default\n",
backsql_def_renentry_stmt, 0, 0 );
bi->sql_renentry_stmt = ch_strdup( backsql_def_renentry_stmt );
}
if ( bi->sql_delobjclasses_stmt == NULL ) {
Debug( LDAP_DEBUG_TRACE, "backsql_db_open(): "
"objclasses deletion SQL statement not specified "
"(use \"delobjclasses_stmt\" directive in slapd.conf)\n",
0, 0, 0 );
Debug( LDAP_DEBUG_TRACE, "backsql_db_open(): "
"setting \"%s\" by default\n",
backsql_def_delobjclasses_stmt, 0, 0 );
bi->sql_delobjclasses_stmt = ch_strdup( backsql_def_delobjclasses_stmt );
}
/* This should just be to force schema loading */
connection_fake_init2( &conn, &opbuf, thrctx, 0 );
op = &opbuf.ob_op;
op->o_bd = bd;
if ( backsql_get_db_conn( op, &dbh ) != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_TRACE, "backsql_db_open(): "
"connection failed, exiting\n", 0, 0, 0 );
return 1;
}
if ( backsql_load_schema_map( bi, dbh ) != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_TRACE, "backsql_db_open(): "
"schema mapping failed, exiting\n", 0, 0, 0 );
return 1;
}
if ( backsql_free_db_conn( op, dbh ) != SQL_SUCCESS ) {
Debug( LDAP_DEBUG_TRACE, "backsql_db_open(): "
"connection free failed\n", 0, 0, 0 );
}
if ( !BACKSQL_SCHEMA_LOADED( bi ) ) {
Debug( LDAP_DEBUG_TRACE, "backsql_db_open(): "
"test failed, schema map not loaded - exiting\n",
0, 0, 0 );
return 1;
}
/*
* Prepare ID selection query
*/
if ( bi->sql_id_query == NULL ) {
/* no custom id_query provided */
if ( bi->sql_upper_func.bv_val == NULL ) {
backsql_strcat_x( &bb, NULL, backsql_id_query, "dn=?", NULL );
} else {
if ( BACKSQL_HAS_LDAPINFO_DN_RU( bi ) ) {
backsql_strcat_x( &bb, NULL, backsql_id_query,
"dn_ru=?", NULL );
} else {
if ( BACKSQL_USE_REVERSE_DN( bi ) ) {
backsql_strfcat_x( &bb, NULL, "sbl",
backsql_id_query,
&bi->sql_upper_func,
(ber_len_t)STRLENOF( "(dn)=?" ), "(dn)=?" );
} else {
backsql_strfcat_x( &bb, NULL, "sblbcb",
backsql_id_query,
&bi->sql_upper_func,
(ber_len_t)STRLENOF( "(dn)=" ), "(dn)=",
&bi->sql_upper_func_open,
'?',
&bi->sql_upper_func_close );
}
}
}
bi->sql_id_query = bb.bb_val.bv_val;
}
/*
* Prepare children count query
*/
BER_BVZERO( &bb.bb_val );
bb.bb_len = 0;
backsql_strfcat_x( &bb, NULL, "sbsb",
"SELECT COUNT(distinct subordinates.id) "
"FROM ldap_entries,ldap_entries ",
&bi->sql_aliasing, "subordinates "
"WHERE subordinates.parent=ldap_entries.id AND ",
&bi->sql_dn_match_cond );
bi->sql_has_children_query = bb.bb_val.bv_val;
/*
* Prepare DN and objectClass aliasing bit of query
*/
BER_BVZERO( &bb.bb_val );
bb.bb_len = 0;
backsql_strfcat_x( &bb, NULL, "sbbsbsbbsb",
" ", &bi->sql_aliasing, &bi->sql_aliasing_quote,
"objectClass", &bi->sql_aliasing_quote,
",ldap_entries.dn ", &bi->sql_aliasing,
&bi->sql_aliasing_quote, "dn", &bi->sql_aliasing_quote );
bi->sql_dn_oc_aliasing = bb.bb_val;
/* should never happen! */
assert( bd->be_nsuffix != NULL );
if ( BER_BVISNULL( &bd->be_nsuffix[ 1 ] ) ) {
/* enable if only one suffix is defined */
bi->sql_flags |= BSQLF_USE_SUBTREE_SHORTCUT;
}
bi->sql_flags |= BSQLF_CHECK_SCHEMA;
Debug( LDAP_DEBUG_TRACE, "<==backsql_db_open(): "
"test succeeded, schema map loaded\n", 0, 0, 0 );
return 0;
}
static int
slap_sasl_authorize(
sasl_conn_t *sconn,
void *context,
char *requested_user,
unsigned rlen,
char *auth_identity,
unsigned alen,
const char *def_realm,
unsigned urlen,
struct propctx *props)
{
Connection *conn = (Connection *)context;
/* actually:
* (SLAP_SASL_PROP_COUNT - 1) because we skip "conn",
* + 1 for NULL termination?
*/
struct propval auxvals[ SLAP_SASL_PROP_COUNT ] = { { 0 } };
struct berval authcDN, authzDN = BER_BVNULL;
int rc;
/* Simple Binds don't support proxy authorization, ignore it */
if ( !conn->c_sasl_bindop ||
conn->c_sasl_bindop->orb_method != LDAP_AUTH_SASL ) return SASL_OK;
Debug( LDAP_DEBUG_ARGS, "SASL proxy authorize [conn=%ld]: "
"authcid=\"%s\" authzid=\"%s\"\n",
conn ? (long) conn->c_connid : -1L, auth_identity, requested_user );
if ( conn->c_sasl_dn.bv_val ) {
BER_BVZERO( &conn->c_sasl_dn );
}
/* Skip SLAP_SASL_PROP_CONN */
prop_getnames( props, slap_propnames+1, auxvals );
/* Should not happen */
if ( !auxvals[0].values ) {
sasl_seterror( sconn, 0, "invalid authcid" );
return SASL_NOAUTHZ;
}
AC_MEMCPY( &authcDN.bv_len, auxvals[0].values[0], sizeof(authcDN.bv_len) );
authcDN.bv_val = auxvals[1].values ? (char *)auxvals[1].values[0] : NULL;
conn->c_sasl_dn = authcDN;
/* Nothing to do if no authzID was given */
if ( !auxvals[2].name || !auxvals[2].values ) {
goto ok;
}
AC_MEMCPY( &authzDN.bv_len, auxvals[2].values[0], sizeof(authzDN.bv_len) );
authzDN.bv_val = auxvals[3].values ? (char *)auxvals[3].values[0] : NULL;
rc = slap_sasl_authorized( conn->c_sasl_bindop, &authcDN, &authzDN );
if ( rc != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_TRACE, "SASL Proxy Authorize [conn=%ld]: "
"proxy authorization disallowed (%d)\n",
conn ? (long) conn->c_connid : -1L, rc );
sasl_seterror( sconn, 0, "not authorized" );
return SASL_NOAUTHZ;
}
/* FIXME: we need yet another dup because slap_sasl_getdn()
* is using the bind operation slab */
ber_dupbv( &conn->c_sasl_authz_dn, &authzDN );
ok:
if (conn->c_sasl_bindop) {
Statslog( LDAP_DEBUG_STATS,
"%s BIND authcid=\"%s\" authzid=\"%s\"\n",
conn->c_sasl_bindop->o_log_prefix,
auth_identity, requested_user );
}
Debug( LDAP_DEBUG_TRACE, "SASL Authorize [conn=%ld]: "
" proxy authorization allowed authzDN=\"%s\"\n",
conn ? (long) conn->c_connid : -1L,
authzDN.bv_val ? authzDN.bv_val : "" );
return SASL_OK;
}
int
schema_info( Entry **entry, const char **text )
{
AttributeDescription *ad_structuralObjectClass
= slap_schema.si_ad_structuralObjectClass;
AttributeDescription *ad_objectClass
= slap_schema.si_ad_objectClass;
AttributeDescription *ad_createTimestamp
= slap_schema.si_ad_createTimestamp;
AttributeDescription *ad_modifyTimestamp
= slap_schema.si_ad_modifyTimestamp;
Entry *e;
struct berval vals[5];
struct berval nvals[5];
e = entry_alloc();
if( e == NULL ) {
/* Out of memory, do something about it */
Debug( LDAP_DEBUG_ANY,
"schema_info: entry_alloc failed - out of memory.\n" );
*text = "out of memory";
return LDAP_OTHER;
}
e->e_attrs = NULL;
/* backend-specific schema info should be created by the
* backend itself
*/
ber_dupbv( &e->e_name, &frontendDB->be_schemadn );
ber_dupbv( &e->e_nname, &frontendDB->be_schemandn );
e->e_private = NULL;
BER_BVSTR( &vals[0], "subentry" );
if( attr_merge_one( e, ad_structuralObjectClass, vals, NULL ) ) {
/* Out of memory, do something about it */
entry_free( e );
*text = "out of memory";
return LDAP_OTHER;
}
BER_BVSTR( &vals[0], "top" );
BER_BVSTR( &vals[1], "subentry" );
BER_BVSTR( &vals[2], "subschema" );
BER_BVSTR( &vals[3], "extensibleObject" );
BER_BVZERO( &vals[4] );
if ( attr_merge( e, ad_objectClass, vals, NULL ) ) {
/* Out of memory, do something about it */
entry_free( e );
*text = "out of memory";
return LDAP_OTHER;
}
{
int rc;
AttributeDescription *desc = NULL;
struct berval rdn = frontendDB->be_schemadn;
vals[0].bv_val = ber_bvchr( &rdn, '=' );
if( vals[0].bv_val == NULL ) {
*text = "improperly configured subschema subentry";
return LDAP_OTHER;
}
vals[0].bv_val++;
vals[0].bv_len = rdn.bv_len - (vals[0].bv_val - rdn.bv_val);
rdn.bv_len -= vals[0].bv_len + 1;
rc = slap_bv2ad( &rdn, &desc, text );
if( rc != LDAP_SUCCESS ) {
entry_free( e );
*text = "improperly configured subschema subentry";
return LDAP_OTHER;
}
nvals[0].bv_val = ber_bvchr( &frontendDB->be_schemandn, '=' );
assert( nvals[0].bv_val != NULL );
nvals[0].bv_val++;
nvals[0].bv_len = frontendDB->be_schemandn.bv_len -
(nvals[0].bv_val - frontendDB->be_schemandn.bv_val);
if ( attr_merge_one( e, desc, vals, nvals ) ) {
/* Out of memory, do something about it */
entry_free( e );
*text = "out of memory";
return LDAP_OTHER;
}
}
{
char timebuf[ LDAP_LUTIL_GENTIME_BUFSIZE ];
/*
* According to RFC 4512:
Servers SHOULD maintain the 'creatorsName', 'createTimestamp',
'modifiersName', and 'modifyTimestamp' attributes for all entries of
the DIT.
* to be conservative, we declare schema created
* AND modified at server startup time ...
*/
vals[0].bv_val = timebuf;
vals[0].bv_len = sizeof( timebuf );
slap_timestamp( &starttime, vals );
if( attr_merge_one( e, ad_createTimestamp, vals, NULL ) ) {
/* Out of memory, do something about it */
entry_free( e );
*text = "out of memory";
return LDAP_OTHER;
}
if( attr_merge_one( e, ad_modifyTimestamp, vals, NULL ) ) {
/* Out of memory, do something about it */
entry_free( e );
*text = "out of memory";
return LDAP_OTHER;
}
}
if ( syn_schema_info( e )
|| mr_schema_info( e )
|| mru_schema_info( e )
|| at_schema_info( e )
|| oc_schema_info( e )
|| cr_schema_info( e ) )
{
/* Out of memory, do something about it */
entry_free( e );
*text = "out of memory";
return LDAP_OTHER;
}
*entry = e;
return LDAP_SUCCESS;
}
static int
limits_add(
Backend *be,
unsigned flags,
const char *pattern,
ObjectClass *group_oc,
AttributeDescription *group_ad,
struct slap_limits_set *limit
)
{
int i;
struct slap_limits *lm;
unsigned type, style;
assert( be != NULL );
assert( limit != NULL );
type = flags & SLAP_LIMITS_TYPE_MASK;
style = flags & SLAP_LIMITS_MASK;
switch ( style ) {
case SLAP_LIMITS_ANONYMOUS:
case SLAP_LIMITS_USERS:
case SLAP_LIMITS_ANY:
/* For these styles, type == 0 (SLAP_LIMITS_TYPE_SELF). */
for ( i = 0; be->be_limits && be->be_limits[ i ]; i++ ) {
if ( be->be_limits[ i ]->lm_flags == style ) {
return( -1 );
}
}
break;
}
lm = ( struct slap_limits * )ch_calloc( sizeof( struct slap_limits ), 1 );
switch ( style ) {
case SLAP_LIMITS_UNDEFINED:
style = SLAP_LIMITS_EXACT;
/* continue to next cases */
case SLAP_LIMITS_EXACT:
case SLAP_LIMITS_ONE:
case SLAP_LIMITS_SUBTREE:
case SLAP_LIMITS_CHILDREN:
{
int rc;
struct berval bv;
ber_str2bv( pattern, 0, 0, &bv );
rc = dnNormalize( 0, NULL, NULL, &bv, &lm->lm_pat, NULL );
if ( rc != LDAP_SUCCESS ) {
ch_free( lm );
return( -1 );
}
}
break;
case SLAP_LIMITS_REGEX:
ber_str2bv( pattern, 0, 1, &lm->lm_pat );
if ( regcomp( &lm->lm_regex, lm->lm_pat.bv_val,
REG_EXTENDED | REG_ICASE ) ) {
free( lm->lm_pat.bv_val );
ch_free( lm );
return( -1 );
}
break;
case SLAP_LIMITS_ANONYMOUS:
case SLAP_LIMITS_USERS:
case SLAP_LIMITS_ANY:
BER_BVZERO( &lm->lm_pat );
break;
}
switch ( type ) {
case SLAP_LIMITS_TYPE_GROUP:
assert( group_oc != NULL );
assert( group_ad != NULL );
lm->lm_group_oc = group_oc;
lm->lm_group_ad = group_ad;
break;
}
lm->lm_flags = style | type;
lm->lm_limits = *limit;
i = 0;
if ( be->be_limits != NULL ) {
for ( ; be->be_limits[i]; i++ );
}
be->be_limits = ( struct slap_limits ** )ch_realloc( be->be_limits,
sizeof( struct slap_limits * ) * ( i + 2 ) );
be->be_limits[i] = lm;
be->be_limits[i+1] = NULL;
return( 0 );
}
/*
* asyncmeta_single_bind
*
* attempts to perform a bind with creds
*/
static int
asyncmeta_single_bind(
Operation *op,
SlapReply *rs,
a_metaconn_t *mc,
int candidate )
{
a_metainfo_t *mi = mc->mc_info;
a_metatarget_t *mt = mi->mi_targets[ candidate ];
struct berval mdn = BER_BVNULL;
a_metasingleconn_t *msc = &mc->mc_conns[ candidate ];
int msgid;
a_dncookie dc;
struct berval save_o_dn;
int save_o_do_not_cache;
LDAPControl **ctrls = NULL;
if ( !BER_BVISNULL( &msc->msc_bound_ndn ) ) {
ch_free( msc->msc_bound_ndn.bv_val );
BER_BVZERO( &msc->msc_bound_ndn );
}
if ( !BER_BVISNULL( &msc->msc_cred ) ) {
/* destroy sensitive data */
memset( msc->msc_cred.bv_val, 0, msc->msc_cred.bv_len );
ch_free( msc->msc_cred.bv_val );
BER_BVZERO( &msc->msc_cred );
}
/*
* Rewrite the bind dn if needed
*/
dc.target = mt;
dc.conn = op->o_conn;
dc.rs = rs;
dc.ctx = "bindDN";
if ( asyncmeta_dn_massage( &dc, &op->o_req_dn, &mdn ) ) {
rs->sr_text = "DN rewrite error";
rs->sr_err = LDAP_OTHER;
return rs->sr_err;
}
/* don't add proxyAuthz; set the bindDN */
save_o_dn = op->o_dn;
save_o_do_not_cache = op->o_do_not_cache;
op->o_do_not_cache = 1;
op->o_dn = op->o_req_dn;
ctrls = op->o_ctrls;
rs->sr_err = asyncmeta_controls_add( op, rs, mc, candidate, &ctrls );
op->o_dn = save_o_dn;
op->o_do_not_cache = save_o_do_not_cache;
if ( rs->sr_err != LDAP_SUCCESS ) {
goto return_results;
}
/* FIXME: this fixes the bind problem right now; we need
* to use the asynchronous version to get the "matched"
* and more in case of failure ... */
/* FIXME: should we check if at least some of the op->o_ctrls
* can/should be passed? */
for (;;) {
rs->sr_err = ldap_sasl_bind( msc->msc_ld, mdn.bv_val,
LDAP_SASL_SIMPLE, &op->orb_cred,
ctrls, NULL, &msgid );
if ( rs->sr_err != LDAP_X_CONNECTING ) {
break;
}
ldap_pvt_thread_yield();
}
mi->mi_ldap_extra->controls_free( op, rs, &ctrls );
asyncmeta_bind_op_result( op, rs, mc, candidate, msgid, LDAP_BACK_DONTSEND, 1 );
if ( rs->sr_err != LDAP_SUCCESS ) {
goto return_results;
}
/* If defined, proxyAuthz will be used also when
* back-ldap is the authorizing backend; for this
* purpose, a successful bind is followed by a
* bind with the configured identity assertion */
/* NOTE: use with care */
if ( mt->mt_idassert_flags & LDAP_BACK_AUTH_OVERRIDE ) {
asyncmeta_proxy_authz_bind( mc, candidate, op, rs, LDAP_BACK_SENDERR, 1 );
if ( !LDAP_BACK_CONN_ISBOUND( msc ) ) {
goto return_results;
}
goto cache_refresh;
}
ber_bvreplace( &msc->msc_bound_ndn, &op->o_req_ndn );
LDAP_BACK_CONN_ISBOUND_SET( msc );
mc->mc_authz_target = candidate;
if ( META_BACK_TGT_SAVECRED( mt ) ) {
if ( !BER_BVISNULL( &msc->msc_cred ) ) {
memset( msc->msc_cred.bv_val, 0,
msc->msc_cred.bv_len );
}
ber_bvreplace( &msc->msc_cred, &op->orb_cred );
ldap_set_rebind_proc( msc->msc_ld, mt->mt_rebind_f, msc );
}
cache_refresh:;
if ( mi->mi_cache.ttl != META_DNCACHE_DISABLED
&& !BER_BVISEMPTY( &op->o_req_ndn ) )
{
( void )asyncmeta_dncache_update_entry( &mi->mi_cache,
&op->o_req_ndn, candidate );
}
return_results:;
if ( mdn.bv_val != op->o_req_dn.bv_val ) {
free( mdn.bv_val );
}
if ( META_BACK_TGT_QUARANTINE( mt ) ) {
asyncmeta_quarantine( op, mi, rs, candidate );
}
ldap_unbind_ext( msc->msc_ld, NULL, NULL );
msc->msc_ld = NULL;
ldap_ld_free( msc->msc_ldr, 0, NULL, NULL );
msc->msc_ldr = NULL;
return rs->sr_err;
}
/*
* I don't like this much, but we need two different
* functions because different heap managers may be
* in use in back-ldap/meta to reduce the amount of
* calls to malloc routines, and some of the free()
* routines may be macros with args
*/
int
rwm_dnattr_rewrite(
Operation *op,
SlapReply *rs,
void *cookie,
BerVarray a_vals,
BerVarray *pa_nvals )
{
slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
struct ldaprwmap *rwmap =
(struct ldaprwmap *)on->on_bi.bi_private;
int i, last;
dncookie dc;
struct berval dn = BER_BVNULL,
ndn = BER_BVNULL;
BerVarray in;
if ( a_vals ) {
in = a_vals;
} else {
if ( pa_nvals == NULL || *pa_nvals == NULL ) {
return LDAP_OTHER;
}
in = *pa_nvals;
}
/*
* Rewrite the dn if needed
*/
dc.rwmap = rwmap;
dc.conn = op->o_conn;
dc.rs = rs;
dc.ctx = (char *)cookie;
for ( last = 0; !BER_BVISNULL( &in[last] ); last++ );
last--;
if ( pa_nvals != NULL ) {
if ( *pa_nvals == NULL ) {
*pa_nvals = ch_malloc( ( last + 2 ) * sizeof(struct berval) );
memset( *pa_nvals, 0, ( last + 2 ) * sizeof(struct berval) );
}
}
for ( i = 0; !BER_BVISNULL( &in[i] ); i++ ) {
int rc;
if ( a_vals ) {
dn = in[i];
if ( pa_nvals ) {
ndn = (*pa_nvals)[i];
rc = rwm_dn_massage_pretty_normalize( &dc, &in[i], &dn, &ndn );
} else {
rc = rwm_dn_massage_pretty( &dc, &in[i], &dn );
}
} else {
ndn = in[i];
rc = rwm_dn_massage_normalize( &dc, &in[i], &ndn );
}
switch ( rc ) {
case LDAP_UNWILLING_TO_PERFORM:
/*
* FIXME: need to check if it may be considered
* legal to trim values when adding/modifying;
* it should be when searching (e.g. ACLs).
*/
ch_free( in[i].bv_val );
if (last > i ) {
in[i] = in[last];
if ( a_vals && pa_nvals ) {
(*pa_nvals)[i] = (*pa_nvals)[last];
}
}
BER_BVZERO( &in[last] );
if ( a_vals && pa_nvals ) {
BER_BVZERO( &(*pa_nvals)[last] );
}
last--;
break;
case LDAP_SUCCESS:
if ( a_vals ) {
if ( !BER_BVISNULL( &dn ) && dn.bv_val != a_vals[i].bv_val ) {
ch_free( a_vals[i].bv_val );
a_vals[i] = dn;
if ( pa_nvals ) {
if ( !BER_BVISNULL( &(*pa_nvals)[i] ) ) {
ch_free( (*pa_nvals)[i].bv_val );
}
(*pa_nvals)[i] = ndn;
}
}
} else {
if ( !BER_BVISNULL( &ndn ) && ndn.bv_val != (*pa_nvals)[i].bv_val ) {
ch_free( (*pa_nvals)[i].bv_val );
(*pa_nvals)[i] = ndn;
}
}
break;
default:
/* leave attr untouched if massage failed */
if ( a_vals && pa_nvals && BER_BVISNULL( &(*pa_nvals)[i] ) ) {
dnNormalize( 0, NULL, NULL, &a_vals[i], &(*pa_nvals)[i], NULL );
}
break;
}
}
return 0;
}
static int pam_sess(nssov_info *ni,TFILE *fp,Operation *op,int action)
{
struct berval dn, uid, svc, tty, rhost, ruser;
int32_t tmpint32;
char dnc[1024];
char svcc[256];
char uidc[32];
char ttyc[32];
char rhostc[256];
char ruserc[32];
slap_callback cb = {0};
SlapReply rs = {REP_RESULT};
char timebuf[LDAP_LUTIL_GENTIME_BUFSIZE];
struct berval timestamp, bv[2], *nbv;
time_t stamp;
Modifications mod;
READ_STRING(fp,uidc);
uid.bv_val = uidc;
uid.bv_len = tmpint32;
READ_STRING(fp,dnc);
dn.bv_val = dnc;
dn.bv_len = tmpint32;
READ_STRING(fp,svcc);
svc.bv_val = svcc;
svc.bv_len = tmpint32;
READ_STRING(fp,ttyc);
tty.bv_val = ttyc;
tty.bv_len = tmpint32;
READ_STRING(fp,rhostc);
rhost.bv_val = rhostc;
rhost.bv_len = tmpint32;
READ_STRING(fp,ruserc);
ruser.bv_val = ruserc;
ruser.bv_len = tmpint32;
READ_INT32(fp,stamp);
Debug(LDAP_DEBUG_TRACE,"nssov_pam_sess_%c(%s)\n",
action==NSLCD_ACTION_PAM_SESS_O ? 'o' : 'c', dn.bv_val,0);
if (!dn.bv_len || !ni->ni_pam_sessions) return 0;
{
int i, found=0;
for (i=0; !BER_BVISNULL(&ni->ni_pam_sessions[i]); i++) {
if (ni->ni_pam_sessions[i].bv_len != svc.bv_len)
continue;
if (!strcasecmp(ni->ni_pam_sessions[i].bv_val, svc.bv_val)) {
found = 1;
break;
}
}
if (!found) return 0;
}
slap_op_time( &op->o_time, &op->o_tincr );
timestamp.bv_len = sizeof(timebuf);
timestamp.bv_val = timebuf;
if (action == NSLCD_ACTION_PAM_SESS_O )
stamp = op->o_time;
slap_timestamp( &stamp, ×tamp );
bv[0].bv_len = timestamp.bv_len + global_host_bv.bv_len + svc.bv_len +
tty.bv_len + ruser.bv_len + rhost.bv_len + STRLENOF(" (@)");
bv[0].bv_val = op->o_tmpalloc( bv[0].bv_len+1, op->o_tmpmemctx );
sprintf(bv[0].bv_val, "%s %s %s %s (%s@%s)",
timestamp.bv_val, global_host_bv.bv_val, svc.bv_val, tty.bv_val,
ruser.bv_val, rhost.bv_val);
mod.sml_numvals = 1;
mod.sml_values = bv;
BER_BVZERO(&bv[1]);
attr_normalize( ad_loginStatus, bv, &nbv, op->o_tmpmemctx );
mod.sml_nvalues = nbv;
mod.sml_desc = ad_loginStatus;
mod.sml_op = action == NSLCD_ACTION_PAM_SESS_O ? LDAP_MOD_ADD :
LDAP_MOD_DELETE;
mod.sml_flags = SLAP_MOD_INTERNAL;
mod.sml_next = NULL;
cb.sc_response = slap_null_cb;
op->o_callback = &cb;
op->o_tag = LDAP_REQ_MODIFY;
op->o_dn = op->o_bd->be_rootdn;
op->o_ndn = op->o_bd->be_rootndn;
op->orm_modlist = &mod;
op->orm_no_opattrs = 1;
op->o_req_dn = dn;
op->o_req_ndn = dn;
op->o_bd->be_modify( op, &rs );
if ( mod.sml_next ) {
slap_mods_free( mod.sml_next, 1 );
}
ber_bvarray_free_x( nbv, op->o_tmpmemctx );
WRITE_INT32(fp,NSLCD_VERSION);
WRITE_INT32(fp,action);
WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
WRITE_INT32(fp,op->o_time);
return 0;
}