/* * meta_back_single_bind * * attempts to perform a bind with creds */ static int meta_back_single_bind( Operation *op, SlapReply *rs, metaconn_t *mc, int candidate ) { metainfo_t *mi = ( metainfo_t * )op->o_bd->be_private; metatarget_t *mt = mi->mi_targets[ candidate ]; struct berval mdn = BER_BVNULL; metasingleconn_t *msc = &mc->mc_conns[ candidate ]; int msgid; dncookie dc; struct berval save_o_dn; int save_o_do_not_cache; LDAPControl **ctrls = NULL; if ( !BER_BVISNULL( &msc->msc_bound_ndn ) ) { ch_free( msc->msc_bound_ndn.bv_val ); BER_BVZERO( &msc->msc_bound_ndn ); } if ( !BER_BVISNULL( &msc->msc_cred ) ) { /* destroy sensitive data */ memset( msc->msc_cred.bv_val, 0, msc->msc_cred.bv_len ); ch_free( msc->msc_cred.bv_val ); BER_BVZERO( &msc->msc_cred ); } /* * Rewrite the bind dn if needed */ dc.target = mt; dc.conn = op->o_conn; dc.rs = rs; dc.ctx = "bindDN"; if ( ldap_back_dn_massage( &dc, &op->o_req_dn, &mdn ) ) { rs->sr_text = "DN rewrite error"; rs->sr_err = LDAP_OTHER; return rs->sr_err; } /* don't add proxyAuthz; set the bindDN */ save_o_dn = op->o_dn; save_o_do_not_cache = op->o_do_not_cache; op->o_do_not_cache = 1; op->o_dn = op->o_req_dn; ctrls = op->o_ctrls; rs->sr_err = meta_back_controls_add( op, rs, mc, candidate, &ctrls ); op->o_dn = save_o_dn; op->o_do_not_cache = save_o_do_not_cache; if ( rs->sr_err != LDAP_SUCCESS ) { goto return_results; } /* FIXME: this fixes the bind problem right now; we need * to use the asynchronous version to get the "matched" * and more in case of failure ... */ /* FIXME: should we check if at least some of the op->o_ctrls * can/should be passed? */ for (;;) { rs->sr_err = ldap_sasl_bind( msc->msc_ld, mdn.bv_val, LDAP_SASL_SIMPLE, &op->orb_cred, ctrls, NULL, &msgid ); if ( rs->sr_err != LDAP_X_CONNECTING ) { break; } ldap_pvt_thread_yield(); } mi->mi_ldap_extra->controls_free( op, rs, &ctrls ); meta_back_bind_op_result( op, rs, mc, candidate, msgid, LDAP_BACK_DONTSEND, 1 ); if ( rs->sr_err != LDAP_SUCCESS ) { goto return_results; } /* If defined, proxyAuthz will be used also when * back-ldap is the authorizing backend; for this * purpose, a successful bind is followed by a * bind with the configured identity assertion */ /* NOTE: use with care */ if ( mt->mt_idassert_flags & LDAP_BACK_AUTH_OVERRIDE ) { meta_back_proxy_authz_bind( mc, candidate, op, rs, LDAP_BACK_SENDERR, 1 ); if ( !LDAP_BACK_CONN_ISBOUND( msc ) ) { goto return_results; } goto cache_refresh; } ber_bvreplace( &msc->msc_bound_ndn, &op->o_req_ndn ); LDAP_BACK_CONN_ISBOUND_SET( msc ); mc->mc_authz_target = candidate; if ( META_BACK_TGT_SAVECRED( mt ) ) { if ( !BER_BVISNULL( &msc->msc_cred ) ) { memset( msc->msc_cred.bv_val, 0, msc->msc_cred.bv_len ); } ber_bvreplace( &msc->msc_cred, &op->orb_cred ); ldap_set_rebind_proc( msc->msc_ld, mt->mt_rebind_f, msc ); } cache_refresh:; if ( mi->mi_cache.ttl != META_DNCACHE_DISABLED && !BER_BVISEMPTY( &op->o_req_ndn ) ) { ( void )meta_dncache_update_entry( &mi->mi_cache, &op->o_req_ndn, candidate ); } return_results:; if ( mdn.bv_val != op->o_req_dn.bv_val ) { free( mdn.bv_val ); } if ( META_BACK_TGT_QUARANTINE( mt ) ) { meta_back_quarantine( op, rs, candidate ); } return rs->sr_err; }
int meta_back_compare( Backend *be, Connection *conn, Operation *op, struct berval *dn, struct berval *ndn, AttributeAssertion *ava ) { struct metainfo *li = ( struct metainfo * )be->be_private; struct metaconn *lc; struct metasingleconn *lsc; char *match = NULL, *err = NULL, *mmatch = NULL; int candidates = 0, last = 0, i, count, rc; int cres = LDAP_SUCCESS, rres = LDAP_SUCCESS; int *msgid; lc = meta_back_getconn( li, conn, op, META_OP_ALLOW_MULTIPLE, ndn, NULL ); if ( !lc || !meta_back_dobind( lc, op ) ) { send_ldap_result( conn, op, LDAP_OTHER, NULL, NULL, NULL, NULL ); return -1; } msgid = ch_calloc( sizeof( int ), li->ntargets ); if ( msgid == NULL ) { return -1; } /* * start an asynchronous compare for each candidate target */ for ( i = 0, lsc = lc->conns; !META_LAST(lsc); ++i, ++lsc ) { char *mdn = NULL; struct berval mapped_attr = ava->aa_desc->ad_cname; struct berval mapped_value = ava->aa_value; if ( lsc->candidate != META_CANDIDATE ) { msgid[ i ] = -1; continue; } /* * Rewrite the compare dn, if needed */ switch ( rewrite_session( li->targets[ i ]->rwinfo, "compareDn", dn->bv_val, conn, &mdn ) ) { case REWRITE_REGEXEC_OK: if ( mdn == NULL ) { mdn = ( char * )dn->bv_val; } #ifdef NEW_LOGGING LDAP_LOG( BACK_META, DETAIL1, "[rw] compareDn: \"%s\" -> \"%s\"\n", dn->bv_val, mdn, 0 ); #else /* !NEW_LOGGING */ Debug( LDAP_DEBUG_ARGS, "rw> compareDn: \"%s\" -> \"%s\"\n%s", dn->bv_val, mdn, "" ); #endif /* !NEW_LOGGING */ break; case REWRITE_REGEXEC_UNWILLING: send_ldap_result( conn, op, LDAP_UNWILLING_TO_PERFORM, NULL, "Operation not allowed", NULL, NULL ); return -1; case REWRITE_REGEXEC_ERR: send_ldap_result( conn, op, LDAP_OTHER, NULL, "Rewrite error", NULL, NULL ); return -1; } /* * if attr is objectClass, try to remap the value */ if ( ava->aa_desc == slap_schema.si_ad_objectClass ) { ldap_back_map( &li->targets[ i ]->oc_map, &ava->aa_value, &mapped_value, BACKLDAP_MAP ); if ( mapped_value.bv_val == NULL || mapped_value.bv_val[0] == '\0' ) { continue; } /* * else try to remap the attribute */ } else { ldap_back_map( &li->targets[ i ]->at_map, &ava->aa_desc->ad_cname, &mapped_attr, BACKLDAP_MAP ); if ( mapped_attr.bv_val == NULL || mapped_attr.bv_val[0] == '\0' ) { continue; } } /* * the compare op is spawned across the targets and the first * that returns determines the result; a constraint on unicity * of the result ought to be enforced */ msgid[ i ] = ldap_compare( lc->conns[ i ].ld, mdn, mapped_attr.bv_val, mapped_value.bv_val ); if ( mdn != dn->bv_val ) { free( mdn ); } if ( mapped_attr.bv_val != ava->aa_desc->ad_cname.bv_val ) { free( mapped_attr.bv_val ); } if ( mapped_value.bv_val != ava->aa_value.bv_val ) { free( mapped_value.bv_val ); } if ( msgid[ i ] == -1 ) { continue; } ++candidates; } /* * wait for replies */ for ( rc = 0, count = 0; candidates > 0; ) { /* * FIXME: should we check for abandon? */ for ( i = 0, lsc = lc->conns; !META_LAST(lsc); lsc++, i++ ) { int lrc; LDAPMessage *res = NULL; if ( msgid[ i ] == -1 ) { continue; } lrc = ldap_result( lsc->ld, msgid[ i ], 0, NULL, &res ); if ( lrc == 0 ) { /* * FIXME: should we yield? */ if ( res ) { ldap_msgfree( res ); } continue; } else if ( lrc == LDAP_RES_COMPARE ) { if ( count > 0 ) { rres = LDAP_OTHER; rc = -1; goto finish; } cres = ldap_result2error( lsc->ld, res, 1 ); switch ( cres ) { case LDAP_COMPARE_TRUE: case LDAP_COMPARE_FALSE: /* * true or flase, got it; * sending to cache ... */ if ( li->cache.ttl != META_DNCACHE_DISABLED ) { ( void )meta_dncache_update_entry( &li->cache, ndn, i ); } count++; rc = 0; break; default: rres = ldap_back_map_result( cres ); if ( err != NULL ) { free( err ); } ldap_get_option( lsc->ld, LDAP_OPT_ERROR_STRING, &err ); if ( match != NULL ) { free( match ); } ldap_get_option( lsc->ld, LDAP_OPT_MATCHED_DN, &match ); last = i; break; } msgid[ i ] = -1; --candidates; } else { msgid[ i ] = -1; --candidates; if ( res ) { ldap_msgfree( res ); } break; } } } finish:; /* * Rewrite the matched portion of the search base, if required * * FIXME: only the last one gets caught! */ if ( count == 1 ) { if ( match != NULL ) { free( match ); match = NULL; } /* * the result of the compare is assigned to the res code * that will be returned */ rres = cres; } else if ( match != NULL ) { /* * At least one compare failed with matched portion, * and none was successful */ switch ( rewrite_session( li->targets[ last ]->rwinfo, "matchedDn", match, conn, &mmatch ) ) { case REWRITE_REGEXEC_OK: if ( mmatch == NULL ) { mmatch = ( char * )match; } #ifdef NEW_LOGGING LDAP_LOG( BACK_META, DETAIL1, "[rw] matchedDn: \"%s\" -> \"%s\"\n", match, mmatch, 0 ); #else /* !NEW_LOGGING */ Debug( LDAP_DEBUG_ARGS, "rw> matchedDn:" " \"%s\" -> \"%s\"\n%s", match, mmatch, "" ); #endif /* !NEW_LOGGING */ break; case REWRITE_REGEXEC_UNWILLING: send_ldap_result( conn, op, LDAP_UNWILLING_TO_PERFORM, NULL, "Operation not allowed", NULL, NULL ); rc = -1; goto cleanup; case REWRITE_REGEXEC_ERR: send_ldap_result( conn, op, LDAP_OTHER, NULL, "Rewrite error", NULL, NULL ); rc = -1; goto cleanup; } } send_ldap_result( conn, op, rres, mmatch, err, NULL, NULL ); cleanup:; if ( match != NULL ) { if ( mmatch != match ) { free( mmatch ); } free( match ); } if ( msgid ) { free( msgid ); } return rc; }