int ldap_back_map_attrs( struct ldapmap *at_map, AttributeName *an, int remap, char ***mapped_attrs, void *memctx ) { int i, j; char **na; struct berval mapped; if ( an == NULL ) { *mapped_attrs = NULL; return LDAP_SUCCESS; } for ( i = 0; !BER_BVISNULL( &an[i].an_name ); i++ ) /* */ ; na = (char **)ber_memcalloc_x( i + 1, sizeof(char *), memctx ); if ( na == NULL ) { *mapped_attrs = NULL; return LDAP_NO_MEMORY; } for ( i = j = 0; !BER_BVISNULL( &an[i].an_name ); i++ ) { ldap_back_map( at_map, &an[i].an_name, &mapped, remap ); if ( !BER_BVISNULL( &mapped ) && !BER_BVISEMPTY( &mapped ) ) { na[j++] = mapped.bv_val; } } if ( j == 0 && i != 0 ) { na[j++] = LDAP_NO_ATTRS; } na[j] = NULL; *mapped_attrs = na; return LDAP_SUCCESS; }
int meta_back_modify( Operation *op, SlapReply *rs ) { metainfo_t *mi = ( metainfo_t * )op->o_bd->be_private; metatarget_t *mt; metaconn_t *mc; int rc = 0; LDAPMod **modv = NULL; LDAPMod *mods = NULL; Modifications *ml; int candidate = -1, i; int isupdate; struct berval mdn = BER_BVNULL; struct berval mapped; dncookie dc; int msgid; ldap_back_send_t retrying = LDAP_BACK_RETRYING; LDAPControl **ctrls = NULL; mc = meta_back_getconn( op, rs, &candidate, LDAP_BACK_SENDERR ); if ( !mc || !meta_back_dobind( op, rs, mc, LDAP_BACK_SENDERR ) ) { return rs->sr_err; } assert( mc->mc_conns[ candidate ].msc_ld != NULL ); /* * Rewrite the modify dn, if needed */ mt = mi->mi_targets[ candidate ]; dc.target = mt; dc.conn = op->o_conn; dc.rs = rs; dc.ctx = "modifyDN"; if ( ldap_back_dn_massage( &dc, &op->o_req_dn, &mdn ) ) { send_ldap_result( op, rs ); goto cleanup; } for ( i = 0, ml = op->orm_modlist; ml; i++ ,ml = ml->sml_next ) ; mods = ch_malloc( sizeof( LDAPMod )*i ); if ( mods == NULL ) { rs->sr_err = LDAP_OTHER; send_ldap_result( op, rs ); goto cleanup; } modv = ( LDAPMod ** )ch_malloc( ( i + 1 )*sizeof( LDAPMod * ) ); if ( modv == NULL ) { rs->sr_err = LDAP_OTHER; send_ldap_result( op, rs ); goto cleanup; } dc.ctx = "modifyAttrDN"; isupdate = be_shadow_update( op ); for ( i = 0, ml = op->orm_modlist; ml; ml = ml->sml_next ) { int j, is_oc = 0; if ( !isupdate && !get_relax( op ) && ml->sml_desc->ad_type->sat_no_user_mod ) { continue; } if ( ml->sml_desc == slap_schema.si_ad_objectClass || ml->sml_desc == slap_schema.si_ad_structuralObjectClass ) { is_oc = 1; mapped = ml->sml_desc->ad_cname; } else { ldap_back_map( &mt->mt_rwmap.rwm_at, &ml->sml_desc->ad_cname, &mapped, BACKLDAP_MAP ); if ( BER_BVISNULL( &mapped ) || BER_BVISEMPTY( &mapped ) ) { continue; } } modv[ i ] = &mods[ i ]; mods[ i ].mod_op = ml->sml_op | LDAP_MOD_BVALUES; mods[ i ].mod_type = mapped.bv_val; /* * FIXME: dn-valued attrs should be rewritten * to allow their use in ACLs at the back-ldap * level. */ if ( ml->sml_values != NULL ) { if ( is_oc ) { for ( j = 0; !BER_BVISNULL( &ml->sml_values[ j ] ); j++ ) ; mods[ i ].mod_bvalues = (struct berval **)ch_malloc( ( j + 1 ) * sizeof( struct berval * ) ); for ( j = 0; !BER_BVISNULL( &ml->sml_values[ j ] ); ) { struct ldapmapping *mapping; ldap_back_mapping( &mt->mt_rwmap.rwm_oc, &ml->sml_values[ j ], &mapping, BACKLDAP_MAP ); if ( mapping == NULL ) { if ( mt->mt_rwmap.rwm_oc.drop_missing ) { continue; } mods[ i ].mod_bvalues[ j ] = &ml->sml_values[ j ]; } else { mods[ i ].mod_bvalues[ j ] = &mapping->dst; } j++; } mods[ i ].mod_bvalues[ j ] = NULL; } else { if ( ml->sml_desc->ad_type->sat_syntax == slap_schema.si_syn_distinguishedName ) { ( void )ldap_dnattr_rewrite( &dc, ml->sml_values ); if ( ml->sml_values == NULL ) { continue; } } for ( j = 0; !BER_BVISNULL( &ml->sml_values[ j ] ); j++ ) ; mods[ i ].mod_bvalues = (struct berval **)ch_malloc( ( j + 1 ) * sizeof( struct berval * ) ); for ( j = 0; !BER_BVISNULL( &ml->sml_values[ j ] ); j++ ) { mods[ i ].mod_bvalues[ j ] = &ml->sml_values[ j ]; } mods[ i ].mod_bvalues[ j ] = NULL; } } else { mods[ i ].mod_bvalues = NULL; } i++; } modv[ i ] = 0; retry:; ctrls = op->o_ctrls; rc = meta_back_controls_add( op, rs, mc, candidate, &ctrls ); if ( rc != LDAP_SUCCESS ) { send_ldap_result( op, rs ); goto cleanup; } rs->sr_err = ldap_modify_ext( mc->mc_conns[ candidate ].msc_ld, mdn.bv_val, modv, ctrls, NULL, &msgid ); rs->sr_err = meta_back_op_result( mc, op, rs, candidate, msgid, mt->mt_timeout[ SLAP_OP_MODIFY ], ( LDAP_BACK_SENDRESULT | retrying ) ); if ( rs->sr_err == LDAP_UNAVAILABLE && retrying ) { retrying &= ~LDAP_BACK_RETRYING; if ( meta_back_retry( op, rs, &mc, candidate, LDAP_BACK_SENDERR ) ) { /* if the identity changed, there might be need to re-authz */ (void)mi->mi_ldap_extra->controls_free( op, rs, &ctrls ); goto retry; } } cleanup:; (void)mi->mi_ldap_extra->controls_free( op, rs, &ctrls ); if ( mdn.bv_val != op->o_req_dn.bv_val ) { free( mdn.bv_val ); BER_BVZERO( &mdn ); } if ( modv != NULL ) { for ( i = 0; modv[ i ]; i++ ) { free( modv[ i ]->mod_bvalues ); } } free( mods ); free( modv ); if ( mc ) { meta_back_release_conn( mi, mc ); } return rs->sr_err; }
/* return 0 IFF op_dn is a value in group_at (member) attribute * of entry with gr_dn AND that entry has an objectClass * value of group_oc (groupOfNames) */ int ldap_back_group( Backend *be, Connection *conn, Operation *op, Entry *target, struct berval *gr_ndn, struct berval *op_ndn, ObjectClass *group_oc, AttributeDescription* group_at ) { struct ldapinfo *li = (struct ldapinfo *) be->be_private; int rc = 1; Attribute *attr; LDAPMessage *result; char *gattr[2]; char *filter = NULL, *ptr; LDAP *ld; struct berval mop_ndn = { 0, NULL }, mgr_ndn = { 0, NULL }; AttributeDescription *ad_objectClass = slap_schema.si_ad_objectClass; struct berval group_oc_name = {0, NULL}; struct berval group_at_name = group_at->ad_cname; if( group_oc->soc_names && group_oc->soc_names[0] ) { group_oc_name.bv_val = group_oc->soc_names[0]; } else { group_oc_name.bv_val = group_oc->soc_oid; } if (group_oc_name.bv_val) group_oc_name.bv_len = strlen(group_oc_name.bv_val); if (target != NULL && dn_match( &target->e_nname, gr_ndn ) ) { /* we already have a copy of the entry */ /* attribute and objectclass mapping has already been done */ /* * first we need to check if the objectClass attribute * has been retieved; otherwise we need to repeat the search */ attr = attr_find( target->e_attrs, ad_objectClass ); if ( attr != NULL ) { /* * Now we can check for the group objectClass value */ if( !is_entry_objectclass( target, group_oc, 0 ) ) { return(1); } /* * This part has been reworked: the group attr compare * fails only if the attribute is PRESENT but the value * is NOT PRESENT; if the attribute is NOT PRESENT, the * search must be repeated as well. * This may happen if a search for an entry has already * been performed (target is not null) but the group * attribute has not been required */ if ((attr = attr_find(target->e_attrs, group_at)) != NULL) { if( value_find_ex( group_at, SLAP_MR_VALUE_NORMALIZED_MATCH, attr->a_vals, op_ndn ) != LDAP_SUCCESS ) return(1); return(0); } /* else: repeat the search */ } /* else: repeat the search */ } /* else: do the search */ /* * Rewrite the op ndn if needed */ #ifdef ENABLE_REWRITE switch ( rewrite_session( li->rwinfo, "bindDn", op_ndn->bv_val, conn, &mop_ndn.bv_val ) ) { case REWRITE_REGEXEC_OK: if ( mop_ndn.bv_val == NULL ) { mop_ndn = *op_ndn; } #ifdef NEW_LOGGING LDAP_LOG( BACK_LDAP, DETAIL1, "[rw] bindDn (op ndn in group): \"%s\" -> \"%s\"\n", op_ndn->bv_val, mop_ndn.bv_val, 0 ); #else /* !NEW_LOGGING */ Debug( LDAP_DEBUG_ARGS, "rw> bindDn (op ndn in group): \"%s\" -> \"%s\"\n%s", op_ndn->bv_val, mop_ndn.bv_val, "" ); #endif /* !NEW_LOGGING */ break; case REWRITE_REGEXEC_UNWILLING: case REWRITE_REGEXEC_ERR: goto cleanup; } /* * Rewrite the gr ndn if needed */ switch ( rewrite_session( li->rwinfo, "searchBase", gr_ndn->bv_val, conn, &mgr_ndn.bv_val ) ) { case REWRITE_REGEXEC_OK: if ( mgr_ndn.bv_val == NULL ) { mgr_ndn = *gr_ndn; } #ifdef NEW_LOGGING LDAP_LOG( BACK_LDAP, DETAIL1, "[rw] searchBase (gr ndn in group): \"%s\" -> \"%s\"\n%s", gr_ndn->bv_val, mgr_ndn.bv_val, "" ); #else /* !NEW_LOGGING */ Debug( LDAP_DEBUG_ARGS, "rw> searchBase (gr ndn in group):" " \"%s\" -> \"%s\"\n%s", gr_ndn->bv_val, mgr_ndn.bv_val, "" ); #endif /* !NEW_LOGGING */ break; case REWRITE_REGEXEC_UNWILLING: case REWRITE_REGEXEC_ERR: goto cleanup; } #else /* !ENABLE_REWRITE */ ldap_back_dn_massage( li, op_ndn, &mop_ndn, 1, 1 ); if ( mop_ndn.bv_val == NULL ) { goto cleanup; } ldap_back_dn_massage( li, gr_ndn, &mgr_ndn, 1, 1 ); if ( mgr_ndn.bv_val == NULL ) { goto cleanup; } #endif /* !ENABLE_REWRITE */ ldap_back_map(&li->oc_map, &group_oc_name, &group_oc_name, BACKLDAP_MAP); if (group_oc_name.bv_val == NULL || group_oc_name.bv_val[0] == '\0') goto cleanup; ldap_back_map(&li->at_map, &group_at_name, &group_at_name, BACKLDAP_MAP); if (group_at_name.bv_val == NULL || group_at_name.bv_val[0] == '\0') goto cleanup; filter = ch_malloc(sizeof("(&(objectclass=)(=))") + group_oc_name.bv_len + group_at_name.bv_len + mop_ndn.bv_len + 1); if (filter == NULL) goto cleanup; if (ldap_initialize(&ld, li->url) != LDAP_SUCCESS) { goto cleanup; } if (ldap_bind_s(ld, li->binddn, li->bindpw, LDAP_AUTH_SIMPLE) != LDAP_SUCCESS) { goto cleanup; } ptr = lutil_strcopy(filter, "(&(objectclass="); ptr = lutil_strcopy(ptr, group_oc_name.bv_val); ptr = lutil_strcopy(ptr, ")("); ptr = lutil_strcopy(ptr, group_at_name.bv_val); ptr = lutil_strcopy(ptr, "="); ptr = lutil_strcopy(ptr, mop_ndn.bv_val); strcpy(ptr, "))"); gattr[0] = "objectclass"; gattr[1] = NULL; if (ldap_search_ext_s(ld, mgr_ndn.bv_val, LDAP_SCOPE_BASE, filter, gattr, 0, NULL, NULL, LDAP_NO_LIMIT, LDAP_NO_LIMIT, &result) == LDAP_SUCCESS) { if (ldap_first_entry(ld, result) != NULL) rc = 0; ldap_msgfree(result); } cleanup:; if ( ld != NULL ) { ldap_unbind(ld); } ch_free(filter); if ( mop_ndn.bv_val != op_ndn->bv_val ) { free( mop_ndn.bv_val ); } if ( mgr_ndn.bv_val != gr_ndn->bv_val ) { free( mgr_ndn.bv_val ); } return(rc); }
int meta_back_compare( Operation *op, SlapReply *rs ) { metainfo_t *mi = ( metainfo_t * )op->o_bd->be_private; metatarget_t *mt; metaconn_t *mc; int rc = 0; int candidate = -1; struct berval mdn = BER_BVNULL; dncookie dc; struct berval mapped_attr = op->orc_ava->aa_desc->ad_cname; struct berval mapped_value = op->orc_ava->aa_value; int msgid; ldap_back_send_t retrying = LDAP_BACK_RETRYING; LDAPControl **ctrls = NULL; mc = meta_back_getconn( op, rs, &candidate, LDAP_BACK_SENDERR ); if ( !mc || !meta_back_dobind( op, rs, mc, LDAP_BACK_SENDERR ) ) { return rs->sr_err; } assert( mc->mc_conns[ candidate ].msc_ld != NULL ); /* * Rewrite the modify dn, if needed */ mt = mi->mi_targets[ candidate ]; dc.target = mt; dc.conn = op->o_conn; dc.rs = rs; dc.ctx = "compareDN"; switch ( ldap_back_dn_massage( &dc, &op->o_req_dn, &mdn ) ) { case LDAP_UNWILLING_TO_PERFORM: rc = 1; goto cleanup; default: break; } /* * if attr is objectClass, try to remap the value */ if ( op->orc_ava->aa_desc == slap_schema.si_ad_objectClass ) { ldap_back_map( &mt->mt_rwmap.rwm_oc, &op->orc_ava->aa_value, &mapped_value, BACKLDAP_MAP ); if ( BER_BVISNULL( &mapped_value ) || BER_BVISEMPTY( &mapped_value ) ) { goto cleanup; } /* * else try to remap the attribute */ } else { ldap_back_map( &mt->mt_rwmap.rwm_at, &op->orc_ava->aa_desc->ad_cname, &mapped_attr, BACKLDAP_MAP ); if ( BER_BVISNULL( &mapped_attr ) || BER_BVISEMPTY( &mapped_attr ) ) { goto cleanup; } if ( op->orc_ava->aa_desc->ad_type->sat_syntax == slap_schema.si_syn_distinguishedName ) { dc.ctx = "compareAttrDN"; switch ( ldap_back_dn_massage( &dc, &op->orc_ava->aa_value, &mapped_value ) ) { case LDAP_UNWILLING_TO_PERFORM: rc = 1; goto cleanup; default: break; } } } retry:; ctrls = op->o_ctrls; rc = meta_back_controls_add( op, rs, mc, candidate, &ctrls ); if ( rc != LDAP_SUCCESS ) { send_ldap_result( op, rs ); goto cleanup; } rs->sr_err = ldap_compare_ext( mc->mc_conns[ candidate ].msc_ld, mdn.bv_val, mapped_attr.bv_val, &mapped_value, ctrls, NULL, &msgid ); rs->sr_err = meta_back_op_result( mc, op, rs, candidate, msgid, mt->mt_timeout[ SLAP_OP_COMPARE ], ( LDAP_BACK_SENDRESULT | retrying ) ); if ( rs->sr_err == LDAP_UNAVAILABLE && retrying ) { retrying &= ~LDAP_BACK_RETRYING; if ( meta_back_retry( op, rs, &mc, candidate, LDAP_BACK_SENDERR ) ) { /* if the identity changed, there might be need to re-authz */ (void)mi->mi_ldap_extra->controls_free( op, rs, &ctrls ); goto retry; } } cleanup:; (void)mi->mi_ldap_extra->controls_free( op, rs, &ctrls ); if ( mdn.bv_val != op->o_req_dn.bv_val ) { free( mdn.bv_val ); } if ( op->orc_ava->aa_value.bv_val != mapped_value.bv_val ) { free( mapped_value.bv_val ); } if ( mc ) { meta_back_release_conn( mi, mc ); } return rs->sr_err; }
int meta_back_db_open( Backend *be, ConfigReply *cr ) { metainfo_t *mi = (metainfo_t *)be->be_private; int i, not_always = 0, not_always_anon_proxyauthz = 0, not_always_anon_non_prescriptive = 0, rc; if ( mi->mi_ntargets == 0 ) { Debug( LDAP_DEBUG_ANY, "meta_back_db_open: no targets defined\n", 0, 0, 0 ); return 1; } for ( i = 0; i < mi->mi_ntargets; i++ ) { slap_bindconf sb = { BER_BVNULL }; metatarget_t *mt = mi->mi_targets[ i ]; struct berval mapped; ber_str2bv( mt->mt_uri, 0, 0, &sb.sb_uri ); sb.sb_version = mt->mt_version; sb.sb_method = LDAP_AUTH_SIMPLE; BER_BVSTR( &sb.sb_binddn, "" ); if ( META_BACK_TGT_T_F_DISCOVER( mt ) ) { rc = slap_discover_feature( &sb, slap_schema.si_ad_supportedFeatures->ad_cname.bv_val, LDAP_FEATURE_ABSOLUTE_FILTERS ); if ( rc == LDAP_COMPARE_TRUE ) { mt->mt_flags |= LDAP_BACK_F_T_F; } } if ( META_BACK_TGT_CANCEL_DISCOVER( mt ) ) { rc = slap_discover_feature( &sb, slap_schema.si_ad_supportedExtension->ad_cname.bv_val, LDAP_EXOP_CANCEL ); if ( rc == LDAP_COMPARE_TRUE ) { mt->mt_flags |= LDAP_BACK_F_CANCEL_EXOP; } } if ( not_always == 0 ) { if ( !( mt->mt_idassert_flags & LDAP_BACK_AUTH_OVERRIDE ) || mt->mt_idassert_authz != NULL ) { not_always = 1; } } if ( ( mt->mt_idassert_flags & LDAP_BACK_AUTH_AUTHZ_ALL ) && !( mt->mt_idassert_flags & LDAP_BACK_AUTH_PRESCRIPTIVE ) ) { Debug( LDAP_DEBUG_ANY, "meta_back_db_open(%s): " "target #%d inconsistent idassert configuration " "(likely authz=\"*\" used with \"non-prescriptive\" flag)\n", be->be_suffix[ 0 ].bv_val, i, 0 ); return 1; } if ( not_always_anon_proxyauthz == 0 ) { if ( !( mt->mt_idassert_flags & LDAP_BACK_AUTH_AUTHZ_ALL ) ) { not_always_anon_proxyauthz = 1; } } if ( not_always_anon_non_prescriptive == 0 ) { if ( ( mt->mt_idassert_flags & LDAP_BACK_AUTH_PRESCRIPTIVE ) ) { not_always_anon_non_prescriptive = 1; } } BER_BVZERO( &mapped ); ldap_back_map( &mt->mt_rwmap.rwm_at, &slap_schema.si_ad_entryDN->ad_cname, &mapped, BACKLDAP_REMAP ); if ( BER_BVISNULL( &mapped ) || mapped.bv_val[0] == '\0' ) { mt->mt_rep_flags |= REP_NO_ENTRYDN; } BER_BVZERO( &mapped ); ldap_back_map( &mt->mt_rwmap.rwm_at, &slap_schema.si_ad_subschemaSubentry->ad_cname, &mapped, BACKLDAP_REMAP ); if ( BER_BVISNULL( &mapped ) || mapped.bv_val[0] == '\0' ) { mt->mt_rep_flags |= REP_NO_SUBSCHEMA; } } if ( not_always == 0 ) { mi->mi_flags |= META_BACK_F_PROXYAUTHZ_ALWAYS; } if ( not_always_anon_proxyauthz == 0 ) { mi->mi_flags |= META_BACK_F_PROXYAUTHZ_ANON; } else if ( not_always_anon_non_prescriptive == 0 ) { mi->mi_flags |= META_BACK_F_PROXYAUTHZ_NOANON; } return 0; }
static int map_attr_value( dncookie *dc, AttributeDescription *ad, struct berval *mapped_attr, struct berval *value, struct berval *mapped_value, int remap, void *memctx ) { struct berval vtmp; int freeval = 0; ldap_back_map( &dc->target->mt_rwmap.rwm_at, &ad->ad_cname, mapped_attr, remap ); if ( BER_BVISNULL( mapped_attr ) || BER_BVISEMPTY( mapped_attr ) ) { #if 0 /* * FIXME: are we sure we need to search oc_map if at_map fails? */ ldap_back_map( &dc->target->mt_rwmap.rwm_oc, &ad->ad_cname, mapped_attr, remap ); if ( BER_BVISNULL( mapped_attr ) || BER_BVISEMPTY( mapped_attr ) ) { *mapped_attr = ad->ad_cname; } #endif if ( dc->target->mt_rwmap.rwm_at.drop_missing ) { return -1; } *mapped_attr = ad->ad_cname; } if ( value == NULL ) { return 0; } if ( ad->ad_type->sat_syntax == slap_schema.si_syn_distinguishedName ) { dncookie fdc = *dc; #ifdef ENABLE_REWRITE fdc.ctx = "searchFilterAttrDN"; #endif switch ( ldap_back_dn_massage( &fdc, value, &vtmp ) ) { case LDAP_SUCCESS: if ( vtmp.bv_val != value->bv_val ) { freeval = 1; } break; case LDAP_UNWILLING_TO_PERFORM: return -1; case LDAP_OTHER: return -1; } } else if ( ad->ad_type->sat_equality && ad->ad_type->sat_equality->smr_usage & SLAP_MR_MUTATION_NORMALIZER ) { if ( ad->ad_type->sat_equality->smr_normalize( (SLAP_MR_DENORMALIZE|SLAP_MR_VALUE_OF_ASSERTION_SYNTAX), NULL, NULL, value, &vtmp, memctx ) ) { return -1; } freeval = 2; } else if ( ad == slap_schema.si_ad_objectClass || ad == slap_schema.si_ad_structuralObjectClass ) { ldap_back_map( &dc->target->mt_rwmap.rwm_oc, value, &vtmp, remap ); if ( BER_BVISNULL( &vtmp ) || BER_BVISEMPTY( &vtmp ) ) { vtmp = *value; } } else { vtmp = *value; } filter_escape_value_x( &vtmp, mapped_value, memctx ); switch ( freeval ) { case 1: ber_memfree( vtmp.bv_val ); break; case 2: ber_memfree_x( vtmp.bv_val, memctx ); break; } return 0; }
int ldap_back_map_attrs( Operation *op, struct ldapmap *at_map, AttributeName *an, int remap, char ***mapped_attrs ) { int i, x, j; char **na; struct berval mapped; if ( an == NULL && op->o_bd->be_extra_anlist == NULL ) { *mapped_attrs = NULL; return LDAP_SUCCESS; } i = 0; if ( an != NULL ) { for ( ; !BER_BVISNULL( &an[i].an_name ); i++ ) /* */ ; } x = 0; if ( op->o_bd->be_extra_anlist != NULL ) { for ( ; !BER_BVISNULL( &op->o_bd->be_extra_anlist[x].an_name ); x++ ) /* */ ; } assert( i > 0 || x > 0 ); na = (char **)ber_memcalloc_x( i + x + 1, sizeof(char *), op->o_tmpmemctx ); if ( na == NULL ) { *mapped_attrs = NULL; return LDAP_NO_MEMORY; } j = 0; if ( i > 0 ) { for ( i = 0; !BER_BVISNULL( &an[i].an_name ); i++ ) { ldap_back_map( at_map, &an[i].an_name, &mapped, remap ); if ( !BER_BVISNULL( &mapped ) && !BER_BVISEMPTY( &mapped ) ) { na[j++] = mapped.bv_val; } } } if ( x > 0 ) { for ( x = 0; !BER_BVISNULL( &op->o_bd->be_extra_anlist[x].an_name ); x++ ) { if ( op->o_bd->be_extra_anlist[x].an_desc && ad_inlist( op->o_bd->be_extra_anlist[x].an_desc, an ) ) { continue; } ldap_back_map( at_map, &op->o_bd->be_extra_anlist[x].an_name, &mapped, remap ); if ( !BER_BVISNULL( &mapped ) && !BER_BVISEMPTY( &mapped ) ) { na[j++] = mapped.bv_val; } } } if ( j == 0 && ( i > 0 || x > 0 ) ) { na[j++] = LDAP_NO_ATTRS; } na[j] = NULL; *mapped_attrs = na; return LDAP_SUCCESS; }
int meta_back_add( Operation *op, SlapReply *rs ) { metainfo_t *mi = ( metainfo_t * )op->o_bd->be_private; metatarget_t *mt; metaconn_t *mc; int i, candidate = -1; int isupdate; Attribute *a; LDAPMod **attrs; struct berval mdn = BER_BVNULL, mapped; dncookie dc; int msgid; ldap_back_send_t retrying = LDAP_BACK_RETRYING; LDAPControl **ctrls = NULL; Debug(LDAP_DEBUG_ARGS, "==> meta_back_add: %s\n", op->o_req_dn.bv_val ); /* * get the current connection */ mc = meta_back_getconn( op, rs, &candidate, LDAP_BACK_SENDERR ); if ( !mc || !meta_back_dobind( op, rs, mc, LDAP_BACK_SENDERR ) ) { return rs->sr_err; } assert( mc->mc_conns[ candidate ].msc_ld != NULL ); /* * Rewrite the add dn, if needed */ mt = mi->mi_targets[ candidate ]; dc.target = mt; dc.conn = op->o_conn; dc.rs = rs; dc.ctx = "addDN"; if ( ldap_back_dn_massage( &dc, &op->o_req_dn, &mdn ) ) { send_ldap_result( op, rs ); goto done; } /* Count number of attributes in entry ( +1 ) */ for ( i = 1, a = op->ora_e->e_attrs; a; i++, a = a->a_next ); /* Create array of LDAPMods for ldap_add() */ attrs = ch_malloc( sizeof( LDAPMod * )*i ); dc.ctx = "addAttrDN"; isupdate = be_shadow_update( op ); for ( i = 0, a = op->ora_e->e_attrs; a; a = a->a_next ) { int j, is_oc = 0; if ( !isupdate && !get_relax( op ) && a->a_desc->ad_type->sat_no_user_mod ) { continue; } if ( a->a_desc == slap_schema.si_ad_objectClass || a->a_desc == slap_schema.si_ad_structuralObjectClass ) { is_oc = 1; mapped = a->a_desc->ad_cname; } else { ldap_back_map( &mt->mt_rwmap.rwm_at, &a->a_desc->ad_cname, &mapped, BACKLDAP_MAP ); if ( BER_BVISNULL( &mapped ) || BER_BVISEMPTY( &mapped ) ) { continue; } } attrs[ i ] = ch_malloc( sizeof( LDAPMod ) ); if ( attrs[ i ] == NULL ) { continue; } attrs[ i ]->mod_op = LDAP_MOD_BVALUES; attrs[ i ]->mod_type = mapped.bv_val; if ( is_oc ) { for ( j = 0; !BER_BVISNULL( &a->a_vals[ j ] ); j++ ) ; attrs[ i ]->mod_bvalues = (struct berval **)ch_malloc( ( j + 1 ) * sizeof( struct berval * ) ); for ( j = 0; !BER_BVISNULL( &a->a_vals[ j ] ); ) { struct ldapmapping *mapping; ldap_back_mapping( &mt->mt_rwmap.rwm_oc, &a->a_vals[ j ], &mapping, BACKLDAP_MAP ); if ( mapping == NULL ) { if ( mt->mt_rwmap.rwm_oc.drop_missing ) { continue; } attrs[ i ]->mod_bvalues[ j ] = &a->a_vals[ j ]; } else { attrs[ i ]->mod_bvalues[ j ] = &mapping->dst; } j++; } attrs[ i ]->mod_bvalues[ j ] = NULL; } else { /* * FIXME: dn-valued attrs should be rewritten * to allow their use in ACLs at the back-ldap * level. */ if ( a->a_desc->ad_type->sat_syntax == slap_schema.si_syn_distinguishedName ) { (void)ldap_dnattr_rewrite( &dc, a->a_vals ); if ( a->a_vals == NULL ) { continue; } } for ( j = 0; !BER_BVISNULL( &a->a_vals[ j ] ); j++ ) ; attrs[ i ]->mod_bvalues = ch_malloc( ( j + 1 ) * sizeof( struct berval * ) ); for ( j = 0; !BER_BVISNULL( &a->a_vals[ j ] ); j++ ) { attrs[ i ]->mod_bvalues[ j ] = &a->a_vals[ j ]; } attrs[ i ]->mod_bvalues[ j ] = NULL; } i++; } attrs[ i ] = NULL; retry:; ctrls = op->o_ctrls; if ( meta_back_controls_add( op, rs, mc, candidate, &ctrls ) != LDAP_SUCCESS ) { send_ldap_result( op, rs ); goto cleanup; } rs->sr_err = ldap_add_ext( mc->mc_conns[ candidate ].msc_ld, mdn.bv_val, attrs, ctrls, NULL, &msgid ); rs->sr_err = meta_back_op_result( mc, op, rs, candidate, msgid, mt->mt_timeout[ SLAP_OP_ADD ], ( LDAP_BACK_SENDRESULT | retrying ) ); if ( rs->sr_err == LDAP_UNAVAILABLE && retrying ) { retrying &= ~LDAP_BACK_RETRYING; if ( meta_back_retry( op, rs, &mc, candidate, LDAP_BACK_SENDERR ) ) { /* if the identity changed, there might be need to re-authz */ (void)mi->mi_ldap_extra->controls_free( op, rs, &ctrls ); goto retry; } } cleanup:; (void)mi->mi_ldap_extra->controls_free( op, rs, &ctrls ); for ( --i; i >= 0; --i ) { free( attrs[ i ]->mod_bvalues ); free( attrs[ i ] ); } free( attrs ); if ( mdn.bv_val != op->ora_e->e_dn ) { free( mdn.bv_val ); BER_BVZERO( &mdn ); } done:; if ( mc ) { meta_back_release_conn( mi, mc ); } return rs->sr_err; }
int meta_back_compare( Backend *be, Connection *conn, Operation *op, struct berval *dn, struct berval *ndn, AttributeAssertion *ava ) { struct metainfo *li = ( struct metainfo * )be->be_private; struct metaconn *lc; struct metasingleconn *lsc; char *match = NULL, *err = NULL, *mmatch = NULL; int candidates = 0, last = 0, i, count, rc; int cres = LDAP_SUCCESS, rres = LDAP_SUCCESS; int *msgid; lc = meta_back_getconn( li, conn, op, META_OP_ALLOW_MULTIPLE, ndn, NULL ); if ( !lc || !meta_back_dobind( lc, op ) ) { send_ldap_result( conn, op, LDAP_OTHER, NULL, NULL, NULL, NULL ); return -1; } msgid = ch_calloc( sizeof( int ), li->ntargets ); if ( msgid == NULL ) { return -1; } /* * start an asynchronous compare for each candidate target */ for ( i = 0, lsc = lc->conns; !META_LAST(lsc); ++i, ++lsc ) { char *mdn = NULL; struct berval mapped_attr = ava->aa_desc->ad_cname; struct berval mapped_value = ava->aa_value; if ( lsc->candidate != META_CANDIDATE ) { msgid[ i ] = -1; continue; } /* * Rewrite the compare dn, if needed */ switch ( rewrite_session( li->targets[ i ]->rwinfo, "compareDn", dn->bv_val, conn, &mdn ) ) { case REWRITE_REGEXEC_OK: if ( mdn == NULL ) { mdn = ( char * )dn->bv_val; } #ifdef NEW_LOGGING LDAP_LOG( BACK_META, DETAIL1, "[rw] compareDn: \"%s\" -> \"%s\"\n", dn->bv_val, mdn, 0 ); #else /* !NEW_LOGGING */ Debug( LDAP_DEBUG_ARGS, "rw> compareDn: \"%s\" -> \"%s\"\n%s", dn->bv_val, mdn, "" ); #endif /* !NEW_LOGGING */ break; case REWRITE_REGEXEC_UNWILLING: send_ldap_result( conn, op, LDAP_UNWILLING_TO_PERFORM, NULL, "Operation not allowed", NULL, NULL ); return -1; case REWRITE_REGEXEC_ERR: send_ldap_result( conn, op, LDAP_OTHER, NULL, "Rewrite error", NULL, NULL ); return -1; } /* * if attr is objectClass, try to remap the value */ if ( ava->aa_desc == slap_schema.si_ad_objectClass ) { ldap_back_map( &li->targets[ i ]->oc_map, &ava->aa_value, &mapped_value, BACKLDAP_MAP ); if ( mapped_value.bv_val == NULL || mapped_value.bv_val[0] == '\0' ) { continue; } /* * else try to remap the attribute */ } else { ldap_back_map( &li->targets[ i ]->at_map, &ava->aa_desc->ad_cname, &mapped_attr, BACKLDAP_MAP ); if ( mapped_attr.bv_val == NULL || mapped_attr.bv_val[0] == '\0' ) { continue; } } /* * the compare op is spawned across the targets and the first * that returns determines the result; a constraint on unicity * of the result ought to be enforced */ msgid[ i ] = ldap_compare( lc->conns[ i ].ld, mdn, mapped_attr.bv_val, mapped_value.bv_val ); if ( mdn != dn->bv_val ) { free( mdn ); } if ( mapped_attr.bv_val != ava->aa_desc->ad_cname.bv_val ) { free( mapped_attr.bv_val ); } if ( mapped_value.bv_val != ava->aa_value.bv_val ) { free( mapped_value.bv_val ); } if ( msgid[ i ] == -1 ) { continue; } ++candidates; } /* * wait for replies */ for ( rc = 0, count = 0; candidates > 0; ) { /* * FIXME: should we check for abandon? */ for ( i = 0, lsc = lc->conns; !META_LAST(lsc); lsc++, i++ ) { int lrc; LDAPMessage *res = NULL; if ( msgid[ i ] == -1 ) { continue; } lrc = ldap_result( lsc->ld, msgid[ i ], 0, NULL, &res ); if ( lrc == 0 ) { /* * FIXME: should we yield? */ if ( res ) { ldap_msgfree( res ); } continue; } else if ( lrc == LDAP_RES_COMPARE ) { if ( count > 0 ) { rres = LDAP_OTHER; rc = -1; goto finish; } cres = ldap_result2error( lsc->ld, res, 1 ); switch ( cres ) { case LDAP_COMPARE_TRUE: case LDAP_COMPARE_FALSE: /* * true or flase, got it; * sending to cache ... */ if ( li->cache.ttl != META_DNCACHE_DISABLED ) { ( void )meta_dncache_update_entry( &li->cache, ndn, i ); } count++; rc = 0; break; default: rres = ldap_back_map_result( cres ); if ( err != NULL ) { free( err ); } ldap_get_option( lsc->ld, LDAP_OPT_ERROR_STRING, &err ); if ( match != NULL ) { free( match ); } ldap_get_option( lsc->ld, LDAP_OPT_MATCHED_DN, &match ); last = i; break; } msgid[ i ] = -1; --candidates; } else { msgid[ i ] = -1; --candidates; if ( res ) { ldap_msgfree( res ); } break; } } } finish:; /* * Rewrite the matched portion of the search base, if required * * FIXME: only the last one gets caught! */ if ( count == 1 ) { if ( match != NULL ) { free( match ); match = NULL; } /* * the result of the compare is assigned to the res code * that will be returned */ rres = cres; } else if ( match != NULL ) { /* * At least one compare failed with matched portion, * and none was successful */ switch ( rewrite_session( li->targets[ last ]->rwinfo, "matchedDn", match, conn, &mmatch ) ) { case REWRITE_REGEXEC_OK: if ( mmatch == NULL ) { mmatch = ( char * )match; } #ifdef NEW_LOGGING LDAP_LOG( BACK_META, DETAIL1, "[rw] matchedDn: \"%s\" -> \"%s\"\n", match, mmatch, 0 ); #else /* !NEW_LOGGING */ Debug( LDAP_DEBUG_ARGS, "rw> matchedDn:" " \"%s\" -> \"%s\"\n%s", match, mmatch, "" ); #endif /* !NEW_LOGGING */ break; case REWRITE_REGEXEC_UNWILLING: send_ldap_result( conn, op, LDAP_UNWILLING_TO_PERFORM, NULL, "Operation not allowed", NULL, NULL ); rc = -1; goto cleanup; case REWRITE_REGEXEC_ERR: send_ldap_result( conn, op, LDAP_OTHER, NULL, "Rewrite error", NULL, NULL ); rc = -1; goto cleanup; } } send_ldap_result( conn, op, rres, mmatch, err, NULL, NULL ); cleanup:; if ( match != NULL ) { if ( mmatch != match ) { free( mmatch ); } free( match ); } if ( msgid ) { free( msgid ); } return rc; }
int meta_target_finish( metainfo_t *mi, metatarget_t *mt, const char *log, char *msg, size_t msize ) { slap_bindconf sb = { BER_BVNULL }; struct berval mapped; int rc; ber_str2bv( mt->mt_uri, 0, 0, &sb.sb_uri ); sb.sb_version = mt->mt_version; sb.sb_method = LDAP_AUTH_SIMPLE; BER_BVSTR( &sb.sb_binddn, "" ); if ( META_BACK_TGT_T_F_DISCOVER( mt ) ) { rc = slap_discover_feature( &sb, slap_schema.si_ad_supportedFeatures->ad_cname.bv_val, LDAP_FEATURE_ABSOLUTE_FILTERS ); if ( rc == LDAP_COMPARE_TRUE ) { mt->mt_flags |= LDAP_BACK_F_T_F; } } if ( META_BACK_TGT_CANCEL_DISCOVER( mt ) ) { rc = slap_discover_feature( &sb, slap_schema.si_ad_supportedExtension->ad_cname.bv_val, LDAP_EXOP_CANCEL ); if ( rc == LDAP_COMPARE_TRUE ) { mt->mt_flags |= LDAP_BACK_F_CANCEL_EXOP; } } if ( !( mt->mt_idassert_flags & LDAP_BACK_AUTH_OVERRIDE ) || mt->mt_idassert_authz != NULL ) { mi->mi_flags &= ~META_BACK_F_PROXYAUTHZ_ALWAYS; } if ( ( mt->mt_idassert_flags & LDAP_BACK_AUTH_AUTHZ_ALL ) && !( mt->mt_idassert_flags & LDAP_BACK_AUTH_PRESCRIPTIVE ) ) { snprintf( msg, msize, "%s: inconsistent idassert configuration " "(likely authz=\"*\" used with \"non-prescriptive\" flag)", log ); Debug( LDAP_DEBUG_ANY, "%s (target %s)\n", msg, mt->mt_uri ); return 1; } if ( !( mt->mt_idassert_flags & LDAP_BACK_AUTH_AUTHZ_ALL ) ) { mi->mi_flags &= ~META_BACK_F_PROXYAUTHZ_ANON; } if ( ( mt->mt_idassert_flags & LDAP_BACK_AUTH_PRESCRIPTIVE ) ) { mi->mi_flags &= ~META_BACK_F_PROXYAUTHZ_NOANON; } BER_BVZERO( &mapped ); ldap_back_map( &mt->mt_rwmap.rwm_at, &slap_schema.si_ad_entryDN->ad_cname, &mapped, BACKLDAP_REMAP ); if ( BER_BVISNULL( &mapped ) || mapped.bv_val[0] == '\0' ) { mt->mt_rep_flags |= REP_NO_ENTRYDN; } BER_BVZERO( &mapped ); ldap_back_map( &mt->mt_rwmap.rwm_at, &slap_schema.si_ad_subschemaSubentry->ad_cname, &mapped, BACKLDAP_REMAP ); if ( BER_BVISNULL( &mapped ) || mapped.bv_val[0] == '\0' ) { mt->mt_rep_flags |= REP_NO_SUBSCHEMA; } return 0; }
int meta_back_modify( Backend *be, Connection *conn, Operation *op, struct berval *dn, struct berval *ndn, Modifications *modlist ) { struct metainfo *li = ( struct metainfo * )be->be_private; struct metaconn *lc; LDAPMod **modv; LDAPMod *mods; Modifications *ml; int candidate = -1, i; char *mdn; struct berval mapped; lc = meta_back_getconn( li, conn, op, META_OP_REQUIRE_SINGLE, ndn, &candidate ); if ( !lc || !meta_back_dobind( lc, op ) || !meta_back_is_valid( lc, candidate ) ) { send_ldap_result( conn, op, LDAP_OTHER, NULL, NULL, NULL, NULL ); return -1; } /* * Rewrite the modify dn, if needed */ switch ( rewrite_session( li->targets[ candidate ]->rwinfo, "modifyDn", dn->bv_val, conn, &mdn ) ) { case REWRITE_REGEXEC_OK: if ( mdn == NULL ) { mdn = ( char * )dn->bv_val; } #ifdef NEW_LOGGING LDAP_LOG( BACK_META, DETAIL1, "[rw] modifyDn: \"%s\" -> \"%s\"\n", dn->bv_val, mdn, 0 ); #else /* !NEW_LOGGING */ Debug( LDAP_DEBUG_ARGS, "rw> modifyDn: \"%s\" -> \"%s\"\n%s", dn->bv_val, mdn, "" ); #endif /* !NEW_LOGGING */ break; case REWRITE_REGEXEC_UNWILLING: send_ldap_result( conn, op, LDAP_UNWILLING_TO_PERFORM, NULL, "Operation not allowed", NULL, NULL ); return -1; case REWRITE_REGEXEC_ERR: send_ldap_result( conn, op, LDAP_OTHER, NULL, "Rewrite error", NULL, NULL ); return -1; } for ( i = 0, ml = modlist; ml; i++ ,ml = ml->sml_next ) ; mods = ch_malloc( sizeof( LDAPMod )*i ); if ( mods == NULL ) { if ( mdn != dn->bv_val ) { free( mdn ); } return -1; } modv = ( LDAPMod ** )ch_malloc( ( i + 1 )*sizeof( LDAPMod * ) ); if ( modv == NULL ) { free( mods ); if ( mdn != dn->bv_val ) { free( mdn ); } return -1; } for ( i = 0, ml = modlist; ml; ml = ml->sml_next ) { int j; if ( ml->sml_desc->ad_type->sat_no_user_mod ) { continue; } ldap_back_map( &li->targets[ candidate ]->at_map, &ml->sml_desc->ad_cname, &mapped, BACKLDAP_MAP ); if ( mapped.bv_val == NULL || mapped.bv_val[0] == '\0' ) { continue; } modv[ i ] = &mods[ i ]; mods[ i ].mod_op = ml->sml_op | LDAP_MOD_BVALUES; mods[ i ].mod_type = mapped.bv_val; /* * FIXME: dn-valued attrs should be rewritten * to allow their use in ACLs at the back-ldap * level. */ if ( strcmp( ml->sml_desc->ad_type->sat_syntax->ssyn_oid, SLAPD_DN_SYNTAX ) == 0 ) { ldap_dnattr_rewrite( li->targets[ candidate ]->rwinfo, ml->sml_bvalues, conn ); } if ( ml->sml_bvalues != NULL ){ for (j = 0; ml->sml_bvalues[ j ].bv_val; j++); mods[ i ].mod_bvalues = (struct berval **)ch_malloc((j+1) * sizeof(struct berval *)); for (j = 0; ml->sml_bvalues[ j ].bv_val; j++) mods[ i ].mod_bvalues[ j ] = &ml->sml_bvalues[j]; mods[ i ].mod_bvalues[ j ] = NULL; } else { mods[ i ].mod_bvalues = NULL; } i++; } modv[ i ] = 0; ldap_modify_s( lc->conns[ candidate ].ld, mdn, modv ); if ( mdn != dn->bv_val ) { free( mdn ); } for ( i=0; modv[ i ]; i++) free( modv[ i ]->mod_bvalues ); free( mods ); free( modv ); return meta_back_op_result( lc, op ); }