/*
* Check if User Private Groups are enabled in given IPA domain
* Returns: 0 - UPG are enabled
* 1 - UPG are disabled
* -1 - some sort of error
*/
static int
ipa_winsync_upg_enabled(const Slapi_DN *ds_subtree)
{
int ret = -1;
int rc;
char * dn = NULL;
Slapi_Entry *entry = NULL;
Slapi_Backend *be;
const Slapi_DN *ds_suffix = NULL;
Slapi_DN *sdn = NULL;
const char *attrs_list[] = {IPA_WINSYNC_UPG_DEF_ATTR, 0};
char * value = NULL;
/* find ancestor base DN */
be = slapi_be_select(ds_subtree);
ds_suffix = slapi_be_getsuffix(be, 0);
if (ds_suffix == NULL) {
LOG_FATAL("Invalid DS subtree [%s]\n", slapi_sdn_get_dn(ds_subtree));
goto done;
}
dn = slapi_ch_smprintf(IPA_WINSYNC_UPG_DEF_DN, slapi_sdn_get_dn(ds_suffix));
if (!dn) {
LOG_OOM();
goto done;
}
sdn = slapi_sdn_new_dn_byref(dn);
rc = slapi_search_internal_get_entry(sdn, (char **) attrs_list, &entry,
ipa_winsync_get_plugin_identity());
if (rc) {
LOG("failed to retrieve UPG definition (%s) with rc %d\n", dn, rc);
goto done;
}
value = slapi_entry_attr_get_charptr(entry, IPA_WINSYNC_UPG_DEF_ATTR);
if (!value) {
LOG("failed to read %s from UPG definition (%s)\n",
IPA_WINSYNC_UPG_DEF_ATTR, dn);
goto done;
}
if (strstr(value, IPA_WINSYNC_UPG_DEF_DISABLED) == NULL) {
ret = 0;
} else {
ret = 1;
}
done:
slapi_ch_free_string(&dn);
slapi_sdn_free(&sdn);
slapi_ch_free_string(&value);
slapi_entry_free(entry);
return ret;
}
/*
* Config. DSE callback for instance entry searches.
*/
int
ldbm_instance_search_config_entry_callback(Slapi_PBlock *pb, Slapi_Entry *e, Slapi_Entry *entryAfter, int *returncode, char *returntext, void *arg)
{
char buf[BUFSIZ];
struct berval *vals[2];
struct berval val;
ldbm_instance *inst = (ldbm_instance *) arg;
config_info *config;
int x;
const Slapi_DN *suffix;
vals[0] = &val;
vals[1] = NULL;
returntext[0] = '\0';
/* show the suffixes */
attrlist_delete(&e->e_attrs, CONFIG_INSTANCE_SUFFIX);
x = 0;
do {
suffix = slapi_be_getsuffix(inst->inst_be, x);
if (suffix != NULL) {
val.bv_val = (char *) slapi_sdn_get_dn(suffix);
val.bv_len = strlen (val.bv_val);
attrlist_merge( &e->e_attrs, CONFIG_INSTANCE_SUFFIX, vals );
}
x++;
} while(suffix!=NULL);
PR_Lock(inst->inst_config_mutex);
for(config = ldbm_instance_config; config->config_name != NULL; config++) {
/* Go through the ldbm_config table and fill in the entry. */
if (!(config->config_flags & (CONFIG_FLAG_ALWAYS_SHOW | CONFIG_FLAG_PREVIOUSLY_SET))) {
/* This config option shouldn't be shown */
continue;
}
ldbm_config_get((void *) inst, config, buf);
val.bv_val = buf;
val.bv_len = strlen(buf);
slapi_entry_attr_replace(e, config->config_name, vals);
}
PR_Unlock(inst->inst_config_mutex);
*returncode = LDAP_SUCCESS;
return SLAPI_DSE_CALLBACK_OK;
}
void
ipa_topo_be_state_change(void *handle, char *be_name,
int old_be_state, int new_be_state)
{
Slapi_Backend *be=NULL;
const char *be_suffix;
/* check if different backends require different actions */
be = slapi_be_select_by_instance_name(be_name);
be_suffix = slapi_sdn_get_dn(slapi_be_getsuffix(be, 0));
if (0 == ipa_topo_cfg_plugin_suffix_is_managed(be_suffix)) {
/* nothing to do */
return;
}
if (new_be_state == SLAPI_BE_STATE_ON) {
/* backend came back online - check change in domain level */
slapi_log_error(SLAPI_LOG_FATAL, IPA_TOPO_PLUGIN_SUBSYSTEM,
"ipa_topo_be_state_change - "
"backend %s is coming online; "
"checking domain level and init shared topology\n",
be_name);
ipa_topo_util_set_domain_level();
ipa_topo_util_check_plugin_active();
if (ipa_topo_get_plugin_active()) {
ipa_topo_set_post_init(1);
ipa_topo_util_start(1);
}
} else if (new_be_state == SLAPI_BE_STATE_OFFLINE) {
/* backend is about to be taken down - inactivate plugin */
slapi_log_error(SLAPI_LOG_FATAL, IPA_TOPO_PLUGIN_SUBSYSTEM,
"ipa_topo_be_state_change"
"backend %s is going offline; inactivate plugin\n", be_name);
} else if (new_be_state == SLAPI_BE_STATE_DELETE) {
/* backend is about to be removed - disable replication */
if (old_be_state == SLAPI_BE_STATE_ON) {
slapi_log_error(SLAPI_LOG_FATAL, IPA_TOPO_PLUGIN_SUBSYSTEM,
"ipa_topo_be_state_change"
"backend %s is about to be deleted; inactivate plugin\n", be_name);
}
}
}
int ipapwd_gen_checks(Slapi_PBlock *pb, char **errMesg,
struct ipapwd_krbcfg **config, int check_flags)
{
int ret, ssf;
int rc = LDAP_SUCCESS;
Slapi_Backend *be;
const Slapi_DN *psdn;
Slapi_DN *sdn;
char *dn = NULL;
LOG_TRACE("=>\n");
#ifdef LDAP_EXTOP_PASSMOD_CONN_SECURE
if (check_flags & IPAPWD_CHECK_CONN_SECURE) {
/* Allow password modify on all connections with a Security Strength
* Factor (SSF) higher than 1 */
if (slapi_pblock_get(pb, SLAPI_OPERATION_SSF, &ssf) != 0) {
LOG("Could not get SSF from connection\n");
*errMesg = "Operation requires a secure connection.\n";
rc = LDAP_OPERATIONS_ERROR;
goto done;
}
if (ssf <= 1) {
*errMesg = "Operation requires a secure connection.\n";
rc = LDAP_CONFIDENTIALITY_REQUIRED;
goto done;
}
}
#endif
if (check_flags & IPAPWD_CHECK_DN) {
/* check we have a valid DN in the pblock or just abort */
ret = slapi_pblock_get(pb, SLAPI_TARGET_DN, &dn);
if (ret) {
LOG("Tried to change password for an invalid DN [%s]\n",
dn ? dn : "<NULL>");
*errMesg = "Invalid DN";
rc = LDAP_OPERATIONS_ERROR;
goto done;
}
sdn = slapi_sdn_new_dn_byref(dn);
if (!sdn) {
LOG_FATAL("Unable to convert dn to sdn %s", dn ? dn : "<NULL>");
*errMesg = "Internal Error";
rc = LDAP_OPERATIONS_ERROR;
goto done;
}
be = slapi_be_select(sdn);
slapi_sdn_free(&sdn);
psdn = slapi_be_getsuffix(be, 0);
if (!psdn) {
*errMesg = "Invalid DN";
rc = LDAP_OPERATIONS_ERROR;
goto done;
}
}
/* get the kerberos context and master key */
*config = ipapwd_getConfig();
if (NULL == *config) {
LOG_FATAL("Error Retrieving Master Key");
*errMesg = "Fatal Internal Error";
rc = LDAP_OPERATIONS_ERROR;
}
done:
return rc;
}
static int
linked_attrs_add_backlinks_callback(Slapi_Entry *e, void *callback_data)
{
int rc = 0;
char *linkdn = slapi_entry_get_dn(e);
struct configEntry *config = (struct configEntry *)callback_data;
Slapi_PBlock *pb = slapi_pblock_new();
int i = 0;
char **targets = NULL;
char *val[2];
LDAPMod mod;
LDAPMod *mods[2];
/* Setup the modify operation. Only the target will
* change, so we only need to do this once. */
val[0] = linkdn;
val[1] = 0;
mod.mod_op = LDAP_MOD_ADD;
mod.mod_type = config->managedtype;
mod.mod_values = val;
mods[0] = &mod;
mods[1] = 0;
targets = slapi_entry_attr_get_charray(e, config->linktype);
for (i = 0; targets && targets[i]; ++i) {
char *targetdn = (char *)targets[i];
int perform_update = 0;
Slapi_DN *targetsdn = NULL;
if (slapi_is_shutting_down()) {
rc = -1;
goto done;
}
targetsdn = slapi_sdn_new_normdn_byref(targetdn);
if (config->scope) {
/* Check if the target is within the scope. */
perform_update = slapi_dn_issuffix(targetdn, config->scope);
} else {
/* Find out the root suffix that the linkdn is in
* and see if the target is in the same backend. */
Slapi_Backend *be = NULL;
Slapi_DN *linksdn = slapi_sdn_new_normdn_byref(linkdn);
if ((be = slapi_be_select(linksdn))) {
perform_update = slapi_sdn_issuffix(targetsdn, slapi_be_getsuffix(be, 0));
}
slapi_sdn_free(&linksdn);
}
if (perform_update) {
slapi_log_error(SLAPI_LOG_PLUGIN, LINK_PLUGIN_SUBSYSTEM,
"Adding backpointer (%s) in entry (%s)\n",
linkdn, targetdn);
/* Perform the modify operation. */
slapi_modify_internal_set_pb_ext(pb, targetsdn, mods, 0, 0,
linked_attrs_get_plugin_id(), 0);
slapi_modify_internal_pb(pb);
/* Initialize the pblock so we can reuse it. */
slapi_pblock_init(pb);
}
slapi_sdn_free(&targetsdn);
}
done:
slapi_ch_array_free(targets);
slapi_pblock_destroy(pb);
return rc;
}