static int
collect_response( Operation *op, SlapReply *rs )
{
slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
collect_info *ci = on->on_bi.bi_private;
/* If we've been configured and the current response is
* a search entry
*/
if ( ci && rs->sr_type == REP_SEARCH ) {
int rc;
op->o_bd->bd_info = (BackendInfo *)on->on_info;
for (; ci; ci=ci->ci_next ) {
int idx=0;
/* Is this entry an ancestor of this collectinfo ? */
if (!dnIsSuffix(&rs->sr_entry->e_nname, &ci->ci_dn)) {
/* collectinfo does not match */
continue;
}
/* Is this entry the same as the template DN ? */
if ( dn_match(&rs->sr_entry->e_nname, &ci->ci_dn)) {
/* dont apply change to parent */
continue;
}
/* The current entry may live in a cache, so
* don't modify it directly. Make a copy and
* work with that instead.
*/
rs_entry2modifiable( op, rs, on );
/* Loop for each attribute in this collectinfo */
for(idx=0; idx<ci->ci_ad_num; idx++) {
BerVarray vals = NULL;
/* Extract the values of the desired attribute from
* the ancestor entry */
rc = backend_attribute( op, NULL, &ci->ci_dn,
ci->ci_ad[idx], &vals, ACL_READ );
/* If there are any values, merge them into the
* current search result
*/
if ( vals ) {
attr_merge( rs->sr_entry, ci->ci_ad[idx],
vals, NULL );
ber_bvarray_free_x( vals, op->o_tmpmemctx );
}
}
}
}
/* Default is to just fall through to the normal processing */
return SLAP_CB_CONTINUE;
}
/*
* This function answers the question, "Can this ID authorize to that ID?",
* based on authorization rules. The rules are stored in the *searchDN, in the
* attribute named by *attr. If any of those rules map to the *assertDN, the
* authorization is approved.
*
* The DNs should not have the dn: prefix
*/
static int
slap_sasl_check_authz( Connection *conn,
struct berval *searchDN,
struct berval *assertDN,
AttributeDescription *ad,
struct berval *authc )
{
int i, rc;
BerVarray vals=NULL;
#ifdef NEW_LOGGING
LDAP_LOG( TRANSPORT, ENTRY,
"slap_sasl_check_authz: does %s match %s rule in %s?\n",
assertDN->bv_val, ad->ad_cname.bv_val, searchDN->bv_val);
#else
Debug( LDAP_DEBUG_TRACE,
"==>slap_sasl_check_authz: does %s match %s rule in %s?\n",
assertDN->bv_val, ad->ad_cname.bv_val, searchDN->bv_val);
#endif
rc = backend_attribute( NULL, NULL, conn->c_sasl_bindop, NULL,
searchDN, ad, &vals );
if( rc != LDAP_SUCCESS ) goto COMPLETE;
/* Check if the *assertDN matches any **vals */
for( i=0; vals[i].bv_val != NULL; i++ ) {
rc = slap_sasl_match( conn, &vals[i], assertDN, authc );
if ( rc == LDAP_SUCCESS ) goto COMPLETE;
}
rc = LDAP_INAPPROPRIATE_AUTH;
COMPLETE:
if( vals ) ber_bvarray_free( vals );
#ifdef NEW_LOGGING
LDAP_LOG( TRANSPORT, RESULTS,
"slap_sasl_check_authz: %s check returning %s\n",
ad->ad_cname.bv_val, rc, 0 );
#else
Debug( LDAP_DEBUG_TRACE,
"<==slap_sasl_check_authz: %s check returning %d\n",
ad->ad_cname.bv_val, rc, 0);
#endif
return( rc );
}
static int
dynacl_aci_mask(
void *priv,
Operation *op,
Entry *e,
AttributeDescription *desc,
struct berval *val,
int nmatch,
regmatch_t *matches,
slap_access_t *grantp,
slap_access_t *denyp )
{
AttributeDescription *ad = ( AttributeDescription * )priv;
Attribute *at;
slap_access_t tgrant, tdeny, grant, deny;
#ifdef LDAP_DEBUG
char accessmaskbuf[ACCESSMASK_MAXLEN];
char accessmaskbuf1[ACCESSMASK_MAXLEN];
#endif /* LDAP_DEBUG */
if ( BER_BVISEMPTY( &e->e_nname ) ) {
/* no ACIs in the root DSE */
return -1;
}
/* start out with nothing granted, nothing denied */
ACL_INIT(tgrant);
ACL_INIT(tdeny);
/* get the aci attribute */
at = attr_find( e->e_attrs, ad );
if ( at != NULL ) {
int i;
/* the aci is an multi-valued attribute. The
* rights are determined by OR'ing the individual
* rights given by the acis.
*/
for ( i = 0; !BER_BVISNULL( &at->a_nvals[i] ); i++ ) {
if ( aci_mask( op, e, desc, val, &at->a_nvals[i],
nmatch, matches, &grant, &deny,
SLAP_ACI_SCOPE_ENTRY ) != 0 )
{
tgrant |= grant;
tdeny |= deny;
}
}
Debug( LDAP_DEBUG_ACL, " <= aci_mask grant %s deny %s\n",
accessmask2str( tgrant, accessmaskbuf, 1 ),
accessmask2str( tdeny, accessmaskbuf1, 1 ) );
}
/* If the entry level aci didn't contain anything valid for the
* current operation, climb up the tree and evaluate the
* acis with scope set to subtree
*/
if ( tgrant == ACL_PRIV_NONE && tdeny == ACL_PRIV_NONE ) {
struct berval parent_ndn;
dnParent( &e->e_nname, &parent_ndn );
while ( !BER_BVISEMPTY( &parent_ndn ) ){
int i;
BerVarray bvals = NULL;
int ret, stop;
/* to solve the chicken'n'egg problem of accessing
* the OpenLDAPaci attribute, the direct access
* to the entry's attribute is unchecked; however,
* further accesses to OpenLDAPaci values in the
* ancestors occur through backend_attribute(), i.e.
* with the identity of the operation, requiring
* further access checking. For uniformity, this
* makes further requests occur as the rootdn, if
* any, i.e. searching for the OpenLDAPaci attribute
* is considered an internal search. If this is not
* acceptable, then the same check needs be performed
* when accessing the entry's attribute. */
struct berval save_o_dn = {0}, save_o_ndn = {0};
if ( !BER_BVISNULL( &op->o_bd->be_rootndn ) ) {
save_o_dn = op->o_dn;
save_o_ndn = op->o_ndn;
op->o_dn = op->o_bd->be_rootdn;
op->o_ndn = op->o_bd->be_rootndn;
}
Debug( LDAP_DEBUG_ACL, " checking ACI of \"%s\"\n", parent_ndn.bv_val );
ret = backend_attribute( op, NULL, &parent_ndn, ad, &bvals, ACL_AUTH );
if ( !BER_BVISNULL( &op->o_bd->be_rootndn ) ) {
op->o_dn = save_o_dn;
op->o_ndn = save_o_ndn;
}
switch ( ret ) {
case LDAP_SUCCESS :
stop = 0;
if ( !bvals ) {
break;
}
for ( i = 0; !BER_BVISNULL( &bvals[i] ); i++ ) {
if ( aci_mask( op, e, desc, val,
&bvals[i],
nmatch, matches,
&grant, &deny,
SLAP_ACI_SCOPE_CHILDREN ) != 0 )
{
tgrant |= grant;
tdeny |= deny;
/* evaluation stops as soon as either a "deny" or a
* "grant" directive matches.
*/
if ( tgrant != ACL_PRIV_NONE || tdeny != ACL_PRIV_NONE ) {
stop = 1;
}
}
Debug( LDAP_DEBUG_ACL, "<= aci_mask grant %s deny %s\n",
accessmask2str( tgrant, accessmaskbuf, 1 ),
accessmask2str( tdeny, accessmaskbuf1, 1 ) );
}
break;
case LDAP_NO_SUCH_ATTRIBUTE:
/* just go on if the aci-Attribute is not present in
* the current entry
*/
Debug( LDAP_DEBUG_ACL, "no such attribute\n" );
stop = 0;
break;
case LDAP_NO_SUCH_OBJECT:
/* We have reached the base object */
Debug( LDAP_DEBUG_ACL, "no such object\n" );
stop = 1;
break;
default:
stop = 1;
break;
}
if ( stop ) {
break;
}
dnParent( &parent_ndn, &parent_ndn );
}
}
*grantp = tgrant;
*denyp = tdeny;
return 0;
}
static int
dynlist_compare( Operation *op, SlapReply *rs )
{
slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
dynlist_info_t *dli = (dynlist_info_t *)on->on_bi.bi_private;
Operation o = *op;
Entry *e = NULL;
dynlist_map_t *dlm;
BackendDB *be;
for ( ; dli != NULL; dli = dli->dli_next ) {
for ( dlm = dli->dli_dlm; dlm; dlm = dlm->dlm_next )
if ( op->oq_compare.rs_ava->aa_desc == dlm->dlm_member_ad )
break;
if ( dlm ) {
/* This compare is for one of the attributes we're
* interested in. We'll use slapd's existing dyngroup
* evaluator to get the answer we want.
*/
BerVarray id = NULL, authz = NULL;
o.o_do_not_cache = 1;
if ( ad_dgIdentity && backend_attribute( &o, NULL, &o.o_req_ndn,
ad_dgIdentity, &id, ACL_READ ) == LDAP_SUCCESS )
{
/* if not rootdn and dgAuthz is present,
* check if user can be authorized as dgIdentity */
if ( ad_dgAuthz && !BER_BVISEMPTY( id ) && !be_isroot( op )
&& backend_attribute( &o, NULL, &o.o_req_ndn,
ad_dgAuthz, &authz, ACL_READ ) == LDAP_SUCCESS )
{
rs->sr_err = slap_sasl_matches( op, authz,
&o.o_ndn, &o.o_ndn );
ber_bvarray_free_x( authz, op->o_tmpmemctx );
if ( rs->sr_err != LDAP_SUCCESS ) {
goto done;
}
}
o.o_dn = *id;
o.o_ndn = *id;
o.o_groups = NULL; /* authz changed, invalidate cached groups */
}
rs->sr_err = backend_group( &o, NULL, &o.o_req_ndn,
&o.oq_compare.rs_ava->aa_value, dli->dli_oc, dli->dli_ad );
switch ( rs->sr_err ) {
case LDAP_SUCCESS:
rs->sr_err = LDAP_COMPARE_TRUE;
break;
case LDAP_NO_SUCH_OBJECT:
/* NOTE: backend_group() returns noSuchObject
* if op_ndn does not exist; however, since
* dynamic list expansion means that the
* member attribute is virtually present, the
* non-existence of the asserted value implies
* the assertion is FALSE rather than
* UNDEFINED */
rs->sr_err = LDAP_COMPARE_FALSE;
break;
}
done:;
if ( id ) ber_bvarray_free_x( id, o.o_tmpmemctx );
return SLAP_CB_CONTINUE;
}
}
be = select_backend( &o.o_req_ndn, 1 );
if ( !be || !be->be_search ) {
return SLAP_CB_CONTINUE;
}
if ( overlay_entry_get_ov( &o, &o.o_req_ndn, NULL, NULL, 0, &e, on ) !=
LDAP_SUCCESS || e == NULL )
{
return SLAP_CB_CONTINUE;
}
/* check for dynlist objectClass; done if not found */
dli = (dynlist_info_t *)on->on_bi.bi_private;
while ( dli != NULL && !is_entry_objectclass_or_sub( e, dli->dli_oc ) ) {
dli = dli->dli_next;
}
if ( dli == NULL ) {
goto release;
}
if ( ad_dgIdentity ) {
Attribute *id = attrs_find( e->e_attrs, ad_dgIdentity );
if ( id ) {
Attribute *authz;
/* if not rootdn and dgAuthz is present,
* check if user can be authorized as dgIdentity */
if ( ad_dgAuthz && !BER_BVISEMPTY( &id->a_nvals[0] ) && !be_isroot( op )
&& ( authz = attrs_find( e->e_attrs, ad_dgAuthz ) ) )
{
if ( slap_sasl_matches( op, authz->a_nvals,
&o.o_ndn, &o.o_ndn ) != LDAP_SUCCESS )
{
goto release;
}
}
o.o_dn = id->a_vals[0];
o.o_ndn = id->a_nvals[0];
o.o_groups = NULL;
}
}
/* generate dynamic list with dynlist_response() and compare */
{
SlapReply r = { REP_SEARCH };
dynlist_cc_t dc = { { 0, dynlist_sc_compare_entry, 0, 0 }, 0 };
AttributeName an[2];
dc.dc_ava = op->orc_ava;
dc.dc_res = &rs->sr_err;
o.o_callback = (slap_callback *) &dc;
o.o_tag = LDAP_REQ_SEARCH;
o.ors_limit = NULL;
o.ors_tlimit = SLAP_NO_LIMIT;
o.ors_slimit = SLAP_NO_LIMIT;
o.ors_filterstr = *slap_filterstr_objectClass_pres;
o.ors_filter = (Filter *) slap_filter_objectClass_pres;
o.ors_scope = LDAP_SCOPE_BASE;
o.ors_deref = LDAP_DEREF_NEVER;
an[0].an_name = op->orc_ava->aa_desc->ad_cname;
an[0].an_desc = op->orc_ava->aa_desc;
BER_BVZERO( &an[1].an_name );
o.ors_attrs = an;
o.ors_attrsonly = 0;
o.o_acl_priv = ACL_COMPARE;
o.o_bd = be;
(void)be->be_search( &o, &r );
if ( o.o_dn.bv_val != op->o_dn.bv_val ) {
slap_op_groups_free( &o );
}
}
release:;
if ( e != NULL ) {
overlay_entry_release_ov( &o, e, 0, on );
}
return SLAP_CB_CONTINUE;
}
int
fe_op_compare( Operation *op, SlapReply *rs )
{
Entry *entry = NULL;
AttributeAssertion *ava = op->orc_ava;
BackendDB *bd = op->o_bd;
if( strcasecmp( op->o_req_ndn.bv_val, LDAP_ROOT_DSE ) == 0 ) {
if( backend_check_restrictions( op, rs, NULL ) != LDAP_SUCCESS ) {
send_ldap_result( op, rs );
goto cleanup;
}
rs->sr_err = root_dse_info( op->o_conn, &entry, &rs->sr_text );
if( rs->sr_err != LDAP_SUCCESS ) {
send_ldap_result( op, rs );
goto cleanup;
}
} else if ( bvmatch( &op->o_req_ndn, &frontendDB->be_schemandn ) ) {
if( backend_check_restrictions( op, rs, NULL ) != LDAP_SUCCESS ) {
send_ldap_result( op, rs );
rs->sr_err = 0;
goto cleanup;
}
rs->sr_err = schema_info( &entry, &rs->sr_text );
if( rs->sr_err != LDAP_SUCCESS ) {
send_ldap_result( op, rs );
rs->sr_err = 0;
goto cleanup;
}
}
if( entry ) {
rs->sr_err = slap_compare_entry( op, entry, ava );
entry_free( entry );
send_ldap_result( op, rs );
if( rs->sr_err == LDAP_COMPARE_TRUE ||
rs->sr_err == LDAP_COMPARE_FALSE )
{
rs->sr_err = LDAP_SUCCESS;
}
goto cleanup;
}
/*
* We could be serving multiple database backends. Select the
* appropriate one, or send a referral to our "referral server"
* if we don't hold it.
*/
op->o_bd = select_backend( &op->o_req_ndn, 0 );
if ( op->o_bd == NULL ) {
rs->sr_ref = referral_rewrite( default_referral,
NULL, &op->o_req_dn, LDAP_SCOPE_DEFAULT );
rs->sr_err = LDAP_REFERRAL;
if (!rs->sr_ref) rs->sr_ref = default_referral;
op->o_bd = bd;
send_ldap_result( op, rs );
if (rs->sr_ref != default_referral) ber_bvarray_free( rs->sr_ref );
rs->sr_err = 0;
goto cleanup;
}
/* check restrictions */
if( backend_check_restrictions( op, rs, NULL ) != LDAP_SUCCESS ) {
send_ldap_result( op, rs );
goto cleanup;
}
/* check for referrals */
if( backend_check_referrals( op, rs ) != LDAP_SUCCESS ) {
goto cleanup;
}
if ( SLAP_SHADOW(op->o_bd) && get_dontUseCopy(op) ) {
/* don't use shadow copy */
send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
"copy not used" );
} else if ( ava->aa_desc == slap_schema.si_ad_entryDN ) {
send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
"entryDN compare not supported" );
} else if ( ava->aa_desc == slap_schema.si_ad_subschemaSubentry ) {
send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
"subschemaSubentry compare not supported" );
#ifndef SLAP_COMPARE_IN_FRONTEND
} else if ( ava->aa_desc == slap_schema.si_ad_hasSubordinates
&& op->o_bd->be_has_subordinates )
{
int rc, hasSubordinates = LDAP_SUCCESS;
rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &entry );
if ( rc == 0 && entry ) {
if ( ! access_allowed( op, entry,
ava->aa_desc, &ava->aa_value, ACL_COMPARE, NULL ) )
{
rc = rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
} else {
rc = rs->sr_err = op->o_bd->be_has_subordinates( op,
entry, &hasSubordinates );
be_entry_release_r( op, entry );
}
}
if ( rc == 0 ) {
int asserted;
asserted = bvmatch( &ava->aa_value, &slap_true_bv )
? LDAP_COMPARE_TRUE : LDAP_COMPARE_FALSE;
if ( hasSubordinates == asserted ) {
rs->sr_err = LDAP_COMPARE_TRUE;
} else {
rs->sr_err = LDAP_COMPARE_FALSE;
}
} else {
/* return error only if "disclose"
* is granted on the object */
if ( backend_access( op, NULL, &op->o_req_ndn,
slap_schema.si_ad_entry,
NULL, ACL_DISCLOSE, NULL ) == LDAP_INSUFFICIENT_ACCESS )
{
rs->sr_err = LDAP_NO_SUCH_OBJECT;
}
}
send_ldap_result( op, rs );
if ( rc == 0 ) {
rs->sr_err = LDAP_SUCCESS;
}
} else if ( op->o_bd->be_compare ) {
rs->sr_err = op->o_bd->be_compare( op, rs );
#endif /* ! SLAP_COMPARE_IN_FRONTEND */
} else {
rs->sr_err = SLAP_CB_CONTINUE;
}
if ( rs->sr_err == SLAP_CB_CONTINUE ) {
/* do our best to compare that AVA
*
* NOTE: this code is used only
* if SLAP_COMPARE_IN_FRONTEND
* is #define'd (it's not by default)
* or if op->o_bd->be_compare is NULL.
*
* FIXME: one potential issue is that
* if SLAP_COMPARE_IN_FRONTEND overlays
* are not executed for compare. */
BerVarray vals = NULL;
int rc = LDAP_OTHER;
rs->sr_err = backend_attribute( op, NULL, &op->o_req_ndn,
ava->aa_desc, &vals, ACL_COMPARE );
switch ( rs->sr_err ) {
default:
/* return error only if "disclose"
* is granted on the object */
if ( backend_access( op, NULL, &op->o_req_ndn,
slap_schema.si_ad_entry,
NULL, ACL_DISCLOSE, NULL )
== LDAP_INSUFFICIENT_ACCESS )
{
rs->sr_err = LDAP_NO_SUCH_OBJECT;
}
break;
case LDAP_SUCCESS:
if ( value_find_ex( op->oq_compare.rs_ava->aa_desc,
SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
vals, &ava->aa_value, op->o_tmpmemctx ) == 0 )
{
rs->sr_err = LDAP_COMPARE_TRUE;
break;
} else {
rs->sr_err = LDAP_COMPARE_FALSE;
}
rc = LDAP_SUCCESS;
break;
}
send_ldap_result( op, rs );
if ( rc == 0 ) {
rs->sr_err = LDAP_SUCCESS;
}
if ( vals ) {
ber_bvarray_free_x( vals, op->o_tmpmemctx );
}
}
cleanup:;
op->o_bd = bd;
return rs->sr_err;
}
static int
dynlist_compare( Operation *op, SlapReply *rs )
{
slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
dynlist_info_t *dli = (dynlist_info_t *)on->on_bi.bi_private;
Operation o = *op;
Entry *e = NULL;
dynlist_map_t *dlm;
for ( ; dli != NULL; dli = dli->dli_next ) {
for ( dlm = dli->dli_dlm; dlm; dlm = dlm->dlm_next )
if ( op->oq_compare.rs_ava->aa_desc == dlm->dlm_member_ad )
break;
if ( dli->dli_dlm && dlm ) {
/* This compare is for one of the attributes we're
* interested in. We'll use slapd's existing dyngroup
* evaluator to get the answer we want.
*/
BerVarray id = NULL, authz = NULL;
o.o_do_not_cache = 1;
if ( ad_dgIdentity && backend_attribute( &o, NULL, &o.o_req_ndn,
ad_dgIdentity, &id, ACL_READ ) == LDAP_SUCCESS )
{
/* if not rootdn and dgAuthz is present,
* check if user can be authorized as dgIdentity */
if ( ad_dgAuthz && !BER_BVISEMPTY( id ) && !be_isroot( op )
&& backend_attribute( &o, NULL, &o.o_req_ndn,
ad_dgAuthz, &authz, ACL_READ ) == LDAP_SUCCESS )
{
rs->sr_err = slap_sasl_matches( op, authz,
&o.o_ndn, &o.o_ndn );
ber_bvarray_free_x( authz, op->o_tmpmemctx );
if ( rs->sr_err != LDAP_SUCCESS ) {
goto done;
}
}
o.o_dn = *id;
o.o_ndn = *id;
o.o_groups = NULL; /* authz changed, invalidate cached groups */
}
rs->sr_err = backend_group( &o, NULL, &o.o_req_ndn,
&o.oq_compare.rs_ava->aa_value, dli->dli_oc, dli->dli_ad );
switch ( rs->sr_err ) {
case LDAP_SUCCESS:
rs->sr_err = LDAP_COMPARE_TRUE;
break;
case LDAP_NO_SUCH_OBJECT:
/* NOTE: backend_group() returns noSuchObject
* if op_ndn does not exist; however, since
* dynamic list expansion means that the
* member attribute is virtually present, the
* non-existence of the asserted value implies
* the assertion is FALSE rather than
* UNDEFINED */
rs->sr_err = LDAP_COMPARE_FALSE;
break;
}
done:;
if ( id ) ber_bvarray_free_x( id, o.o_tmpmemctx );
return SLAP_CB_CONTINUE;
}
}
if ( overlay_entry_get_ov( &o, &o.o_req_ndn, NULL, NULL, 0, &e, on ) !=
LDAP_SUCCESS || e == NULL )
{
return SLAP_CB_CONTINUE;
}
if ( ad_dgIdentity ) {
Attribute *id = attrs_find( e->e_attrs, ad_dgIdentity );
if ( id ) {
Attribute *authz;
/* if not rootdn and dgAuthz is present,
* check if user can be authorized as dgIdentity */
if ( ad_dgAuthz && !BER_BVISEMPTY( &id->a_nvals[0] ) && !be_isroot( op )
&& ( authz = attrs_find( e->e_attrs, ad_dgAuthz ) ) )
{
if ( slap_sasl_matches( op, authz->a_nvals,
&o.o_ndn, &o.o_ndn ) != LDAP_SUCCESS )
{
goto release;
}
}
o.o_dn = id->a_vals[0];
o.o_ndn = id->a_nvals[0];
o.o_groups = NULL;
}
}
dli = (dynlist_info_t *)on->on_bi.bi_private;
for ( ; dli != NULL && rs->sr_err != LDAP_COMPARE_TRUE; dli = dli->dli_next ) {
Attribute *a;
slap_callback cb;
SlapReply r = { REP_SEARCH };
AttributeName an[2];
int rc;
dynlist_sc_t dlc = { 0 };
if ( !is_entry_objectclass_or_sub( e, dli->dli_oc ))
continue;
/* if the entry has the right objectClass, generate
* the dynamic list and compare */
dlc.dlc_dli = dli;
cb.sc_private = &dlc;
cb.sc_response = dynlist_sc_save_entry;
cb.sc_cleanup = NULL;
cb.sc_next = NULL;
o.o_callback = &cb;
o.o_tag = LDAP_REQ_SEARCH;
o.ors_limit = NULL;
o.ors_tlimit = SLAP_NO_LIMIT;
o.ors_slimit = SLAP_NO_LIMIT;
o.o_bd = select_backend( &o.o_req_ndn, 1 );
if ( !o.o_bd || !o.o_bd->be_search ) {
goto release;
}
o.ors_filterstr = *slap_filterstr_objectClass_pres;
o.ors_filter = (Filter *) slap_filter_objectClass_pres;
o.ors_scope = LDAP_SCOPE_BASE;
o.ors_deref = LDAP_DEREF_NEVER;
an[0].an_name = op->orc_ava->aa_desc->ad_cname;
an[0].an_desc = op->orc_ava->aa_desc;
BER_BVZERO( &an[1].an_name );
o.ors_attrs = an;
o.ors_attrsonly = 0;
o.o_acl_priv = ACL_COMPARE;
rc = o.o_bd->be_search( &o, &r );
if ( o.o_dn.bv_val != op->o_dn.bv_val ) {
slap_op_groups_free( &o );
}
if ( rc != 0 ) {
goto release;
}
if ( dlc.dlc_e != NULL ) {
r.sr_entry = dlc.dlc_e;
}
if ( r.sr_err != LDAP_SUCCESS || r.sr_entry == NULL ) {
/* error? */
goto release;
}
for ( a = attrs_find( r.sr_entry->e_attrs, op->orc_ava->aa_desc );
a != NULL;
a = attrs_find( a->a_next, op->orc_ava->aa_desc ) )
{
/* if we're here, we got a match... */
rs->sr_err = LDAP_COMPARE_FALSE;
if ( attr_valfind( a,
SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
&op->orc_ava->aa_value, NULL, op->o_tmpmemctx ) == 0 )
{
rs->sr_err = LDAP_COMPARE_TRUE;
break;
}
}
if ( r.sr_flags & REP_ENTRY_MUSTBEFREED ) {
entry_free( r.sr_entry );
}
}
release:;
if ( e != NULL ) {
overlay_entry_release_ov( &o, e, 0, on );
}
return SLAP_CB_CONTINUE;
}
static int
dds_op_modify( Operation *op, SlapReply *rs )
{
slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
dds_info_t *di = (dds_info_t *)on->on_bi.bi_private;
Modifications *mod;
Entry *e = NULL;
BackendInfo *bi = op->o_bd->bd_info;
int was_dynamicObject = 0,
is_dynamicObject = 0;
struct berval bv_entryTtl = BER_BVNULL;
time_t entryTtl = 0;
char textbuf[ SLAP_TEXT_BUFLEN ];
if ( DDS_OFF( di ) ) {
return SLAP_CB_CONTINUE;
}
/* bv_entryTtl stores the string representation of the entryTtl
* across modifies for consistency checks of the final value;
* the bv_val points to a static buffer; the bv_len is zero when
* the attribute is deleted.
* entryTtl stores the integer representation of the entryTtl;
* its value is -1 when the attribute is deleted; it is 0 only
* if no modifications of the entryTtl occurred, as an entryTtl
* of 0 is invalid. */
bv_entryTtl.bv_val = textbuf;
op->o_bd->bd_info = (BackendInfo *)on->on_info;
rs->sr_err = be_entry_get_rw( op, &op->o_req_ndn,
slap_schema.si_oc_dynamicObject, slap_schema.si_ad_entryTtl, 0, &e );
if ( rs->sr_err == LDAP_SUCCESS && e != NULL ) {
Attribute *a = attr_find( e->e_attrs, slap_schema.si_ad_entryTtl );
/* the value of the entryTtl is saved for later checks */
if ( a != NULL ) {
unsigned long ttl;
int rc;
bv_entryTtl.bv_len = a->a_nvals[ 0 ].bv_len;
memcpy( bv_entryTtl.bv_val, a->a_nvals[ 0 ].bv_val, bv_entryTtl.bv_len );
bv_entryTtl.bv_val[ bv_entryTtl.bv_len ] = '\0';
rc = lutil_atoul( &ttl, bv_entryTtl.bv_val );
assert( rc == 0 );
entryTtl = (time_t)ttl;
}
be_entry_release_r( op, e );
e = NULL;
was_dynamicObject = is_dynamicObject = 1;
}
op->o_bd->bd_info = bi;
rs->sr_err = LDAP_SUCCESS;
for ( mod = op->orm_modlist; mod; mod = mod->sml_next ) {
if ( mod->sml_desc == slap_schema.si_ad_objectClass ) {
int i;
ObjectClass *oc;
switch ( mod->sml_op ) {
case LDAP_MOD_DELETE:
if ( mod->sml_values == NULL ) {
is_dynamicObject = 0;
break;
}
for ( i = 0; !BER_BVISNULL( &mod->sml_values[ i ] ); i++ ) {
oc = oc_bvfind( &mod->sml_values[ i ] );
if ( oc == slap_schema.si_oc_dynamicObject ) {
is_dynamicObject = 0;
break;
}
}
break;
case LDAP_MOD_REPLACE:
if ( mod->sml_values == NULL ) {
is_dynamicObject = 0;
break;
}
/* fallthru */
case LDAP_MOD_ADD:
for ( i = 0; !BER_BVISNULL( &mod->sml_values[ i ] ); i++ ) {
oc = oc_bvfind( &mod->sml_values[ i ] );
if ( oc == slap_schema.si_oc_dynamicObject ) {
is_dynamicObject = 1;
break;
}
}
break;
}
} else if ( mod->sml_desc == slap_schema.si_ad_entryTtl ) {
unsigned long uttl;
time_t ttl;
int rc;
switch ( mod->sml_op ) {
case LDAP_MOD_DELETE:
case SLAP_MOD_SOFTDEL: /* FIXME? */
if ( mod->sml_values != NULL ) {
if ( BER_BVISEMPTY( &bv_entryTtl )
|| !bvmatch( &bv_entryTtl, &mod->sml_values[ 0 ] ) )
{
rs->sr_err = backend_attribute( op, NULL, &op->o_req_ndn,
slap_schema.si_ad_entry, NULL, ACL_DISCLOSE );
if ( rs->sr_err == LDAP_INSUFFICIENT_ACCESS ) {
rs->sr_err = LDAP_NO_SUCH_OBJECT;
} else {
rs->sr_err = LDAP_NO_SUCH_ATTRIBUTE;
}
goto done;
}
}
bv_entryTtl.bv_len = 0;
entryTtl = -1;
break;
case LDAP_MOD_REPLACE:
bv_entryTtl.bv_len = 0;
entryTtl = -1;
/* fallthru */
case LDAP_MOD_ADD:
case SLAP_MOD_SOFTADD: /* FIXME? */
case SLAP_MOD_ADD_IF_NOT_PRESENT: /* FIXME? */
assert( mod->sml_values != NULL );
assert( BER_BVISNULL( &mod->sml_values[ 1 ] ) );
if ( !BER_BVISEMPTY( &bv_entryTtl ) ) {
rs->sr_err = backend_attribute( op, NULL, &op->o_req_ndn,
slap_schema.si_ad_entry, NULL, ACL_DISCLOSE );
if ( rs->sr_err == LDAP_INSUFFICIENT_ACCESS ) {
rs->sr_err = LDAP_NO_SUCH_OBJECT;
} else {
rs->sr_text = "attribute 'entryTtl' cannot have multiple values";
rs->sr_err = LDAP_CONSTRAINT_VIOLATION;
}
goto done;
}
rc = lutil_atoul( &uttl, mod->sml_values[ 0 ].bv_val );
ttl = (time_t)uttl;
assert( rc == 0 );
if ( ttl > DDS_RF2589_MAX_TTL ) {
rs->sr_err = LDAP_PROTOCOL_ERROR;
rs->sr_text = "invalid time-to-live for dynamicObject";
goto done;
}
if ( ttl <= 0 || ttl > di->di_max_ttl ) {
/* FIXME: I don't understand if this has to be an error,
* or an indication that the requested Ttl has been
* shortened to di->di_max_ttl >= 1 day */
rs->sr_err = LDAP_SIZELIMIT_EXCEEDED;
rs->sr_text = "time-to-live for dynamicObject exceeds administrative limit";
goto done;
}
entryTtl = ttl;
bv_entryTtl.bv_len = mod->sml_values[ 0 ].bv_len;
memcpy( bv_entryTtl.bv_val, mod->sml_values[ 0 ].bv_val, bv_entryTtl.bv_len );
bv_entryTtl.bv_val[ bv_entryTtl.bv_len ] = '\0';
break;
case LDAP_MOD_INCREMENT:
if ( BER_BVISEMPTY( &bv_entryTtl ) ) {
rs->sr_err = backend_attribute( op, NULL, &op->o_req_ndn,
slap_schema.si_ad_entry, NULL, ACL_DISCLOSE );
if ( rs->sr_err == LDAP_INSUFFICIENT_ACCESS ) {
rs->sr_err = LDAP_NO_SUCH_OBJECT;
} else {
rs->sr_err = LDAP_NO_SUCH_ATTRIBUTE;
rs->sr_text = "modify/increment: entryTtl: no such attribute";
}
goto done;
}
entryTtl++;
if ( entryTtl > DDS_RF2589_MAX_TTL ) {
rs->sr_err = LDAP_PROTOCOL_ERROR;
rs->sr_text = "invalid time-to-live for dynamicObject";
} else if ( entryTtl <= 0 || entryTtl > di->di_max_ttl ) {
/* FIXME: I don't understand if this has to be an error,
* or an indication that the requested Ttl has been
* shortened to di->di_max_ttl >= 1 day */
rs->sr_err = LDAP_SIZELIMIT_EXCEEDED;
rs->sr_text = "time-to-live for dynamicObject exceeds administrative limit";
}
if ( rs->sr_err != LDAP_SUCCESS ) {
rc = backend_attribute( op, NULL, &op->o_req_ndn,
slap_schema.si_ad_entry, NULL, ACL_DISCLOSE );
if ( rc == LDAP_INSUFFICIENT_ACCESS ) {
rs->sr_text = NULL;
rs->sr_err = LDAP_NO_SUCH_OBJECT;
}
goto done;
}
bv_entryTtl.bv_len = snprintf( textbuf, sizeof( textbuf ), "%ld", entryTtl );
break;
default:
LDAP_BUG();
break;
}
} else if ( mod->sml_desc == ad_entryExpireTimestamp ) {
/* should have been trapped earlier */
assert( mod->sml_flags & SLAP_MOD_INTERNAL );
}
}
done:;
if ( rs->sr_err == LDAP_SUCCESS ) {
int rc;
/* FIXME: this could be allowed when the Relax control is used...
* in that case:
*
* TODO
*
* static => dynamic:
* entryTtl must be provided; add
* entryExpireTimestamp accordingly
*
* dynamic => static:
* entryTtl must be removed; remove
* entryTimestamp accordingly
*
* ... but we need to make sure that there are no subordinate
* issues...
*/
rc = is_dynamicObject - was_dynamicObject;
if ( rc ) {
#if 0 /* fix subordinate issues first */
if ( get_relax( op ) ) {
switch ( rc ) {
case -1:
/* need to delete entryTtl to have a consistent entry */
if ( entryTtl != -1 ) {
rs->sr_text = "objectClass modification from dynamicObject to static entry requires entryTtl deletion";
rs->sr_err = LDAP_OBJECT_CLASS_VIOLATION;
}
break;
case 1:
/* need to add entryTtl to have a consistent entry */
if ( entryTtl <= 0 ) {
rs->sr_text = "objectClass modification from static entry to dynamicObject requires entryTtl addition";
rs->sr_err = LDAP_OBJECT_CLASS_VIOLATION;
}
break;
}
} else
#endif
{
switch ( rc ) {
case -1:
rs->sr_text = "objectClass modification cannot turn dynamicObject into static entry";
break;
case 1:
rs->sr_text = "objectClass modification cannot turn static entry into dynamicObject";
break;
}
rs->sr_err = LDAP_OBJECT_CLASS_VIOLATION;
}
if ( rc != LDAP_SUCCESS ) {
rc = backend_attribute( op, NULL, &op->o_req_ndn,
slap_schema.si_ad_entry, NULL, ACL_DISCLOSE );
if ( rc == LDAP_INSUFFICIENT_ACCESS ) {
rs->sr_text = NULL;
rs->sr_err = LDAP_NO_SUCH_OBJECT;
}
}
}
}
if ( rs->sr_err == LDAP_SUCCESS && entryTtl != 0 ) {
Modifications *tmpmod = NULL, **modp;
for ( modp = &op->orm_modlist; *modp; modp = &(*modp)->sml_next )
;
tmpmod = ch_calloc( 1, sizeof( Modifications ) );
tmpmod->sml_flags = SLAP_MOD_INTERNAL;
tmpmod->sml_type = ad_entryExpireTimestamp->ad_cname;
tmpmod->sml_desc = ad_entryExpireTimestamp;
*modp = tmpmod;
if ( entryTtl == -1 ) {
/* delete entryExpireTimestamp */
tmpmod->sml_op = LDAP_MOD_DELETE;
} else {
time_t expire;
char tsbuf[ LDAP_LUTIL_GENTIME_BUFSIZE ];
struct berval bv;
/* keep entryExpireTimestamp consistent
* with entryTtl */
expire = slap_get_time() + entryTtl;
bv.bv_val = tsbuf;
bv.bv_len = sizeof( tsbuf );
slap_timestamp( &expire, &bv );
tmpmod->sml_op = LDAP_MOD_REPLACE;
value_add_one( &tmpmod->sml_values, &bv );
value_add_one( &tmpmod->sml_nvalues, &bv );
tmpmod->sml_numvals = 1;
}
}
if ( rs->sr_err ) {
op->o_bd->bd_info = (BackendInfo *)on->on_info;
send_ldap_result( op, rs );
return rs->sr_err;
}
return SLAP_CB_CONTINUE;
}
