static void
print_suffixes(void)
{
void *cookie = NULL;
Slapi_DN *sdn = NULL;
slapi_log_err(SLAPI_LOG_INFO, PAM_PASSTHRU_PLUGIN_SUBSYSTEM,
"print_suffixes - The following is the list of valid suffixes to use with "
PAMPT_EXCLUDES_ATTR " and " PAMPT_INCLUDES_ATTR ":\n");
for (sdn = slapi_get_first_suffix(&cookie, 1);
sdn && cookie;
sdn = slapi_get_next_suffix(&cookie, 1)) {
slapi_log_err(SLAPI_LOG_INFO, PAM_PASSTHRU_PLUGIN_SUBSYSTEM,
"print_suffixes -\t%s\n", slapi_sdn_get_dn(sdn));
}
}
int
aclinit_main()
{
Slapi_PBlock *pb;
int rv;
Slapi_DN *sdn;
void *node;
if (acl_initialized) {
/* There is no need to do anything more */
return 0;
}
/* Initialize the LIBACCESS ACL library */
if (ACL_Init() != 0) {
slapi_log_err(SLAPI_LOG_ERR, plugin_name,
"aclinit_main - ACL Library Initialization failed\n");
return 1;
}
/* register all the LASes supported by the DS */
if (ACL_ERR == __aclinit__RegisterLases()) {
/* Error is already logged */
return 1;
}
/* Register all the Attrs */
if (ACL_ERR == __aclinit__RegisterAttributes()) {
/* Error is already logged */
return 1;
}
/*
* Register to get backend state changes so we can add/remove
* acis from backends that come up and go down.
*/
slapi_register_backend_state_change((void *) NULL, acl_be_state_change_fnc);
/* register the extensions */
/* ONREPL Moved to the acl_init function because extensions
need to be registered before any operations are issued
if ( 0 != acl_init_ext() ) {
slapi_log_err(SLAPI_LOG_ERR, plugin_name,
"Unable to initialize the extensions\n");
return 1;
} */
/* create the mutex array */
if ( 0 != aclext_alloc_lockarray ( ) ) {
slapi_log_err(SLAPI_LOG_ERR, plugin_name,
"aclinit_main - Unable to create the mutext array\n");
return 1;
}
/* Allocate the pool */
if ( 0 != acl_create_aclpb_pool () ) {
slapi_log_err(SLAPI_LOG_ERR, plugin_name,
"aclinit_main - Unable to create the acl private pool\n");
return 1;
}
/*
* Now read all the ACLs from all the backends and put it
* in a list
*/
/* initialize the ACLLIST sub-system */
if ( 0 != (rv = acllist_init ( ))) {
slapi_log_err(SLAPI_LOG_ERR, plugin_name,
"aclinit_main - Unable to initialize the plugin:%d\n", rv );
return 1;
}
/* Initialize the anonymous profile i.e., generate it */
rv = aclanom_init ();
pb = slapi_pblock_new();
/*
* search for the aci_attr_type attributes of all entries.
*
* slapi_get_fist_suffix() and slapi_get_next_suffix() do not return the
* rootdse entry so we search for acis in there explicitly here.
*/
sdn = slapi_sdn_new_ndn_byval("");
slapi_log_err(SLAPI_LOG_ACL, plugin_name,
"aclinit_main - Searching for all acis(scope base) at suffix ''\n");
aclinit_search_and_update_aci ( 0, /* thisbeonly */
sdn, /* base */
NULL, /* be name*/
LDAP_SCOPE_BASE, ACL_ADD_ACIS,
DO_TAKE_ACLCACHE_WRITELOCK);
slapi_sdn_free(&sdn);
sdn = slapi_get_first_suffix( &node, 1 );
while (sdn)
{
slapi_log_err(SLAPI_LOG_ACL, plugin_name,
"aclinit_main - Searching for all acis(scope subtree) at suffix '%s'\n",
slapi_sdn_get_dn(sdn) );
aclinit_search_and_update_aci ( 0, /* thisbeonly */
sdn, /* base */
NULL, /* be name*/
LDAP_SCOPE_SUBTREE, ACL_ADD_ACIS,
DO_TAKE_ACLCACHE_WRITELOCK);
sdn = slapi_get_next_suffix( &node, 1 );
}
/* Initialize it. */
acl_initialized = 1;
/* generate the signatures */
acl_set_aclsignature ( aclutil_gen_signature ( 100 ) );
/* Initialize the user-group cache */
rv = aclgroup_init ( );
aclanom_gen_anomProfile (DO_TAKE_ACLCACHE_READLOCK);
/* Register both of the proxied authorization controls (version 1 and 2) */
slapi_register_supported_control( LDAP_CONTROL_PROXYAUTH,
SLAPI_OPERATION_SEARCH | SLAPI_OPERATION_COMPARE
| SLAPI_OPERATION_ADD | SLAPI_OPERATION_DELETE
| SLAPI_OPERATION_MODIFY | SLAPI_OPERATION_MODDN
| SLAPI_OPERATION_EXTENDED );
slapi_register_supported_control( LDAP_CONTROL_PROXIEDAUTH,
SLAPI_OPERATION_SEARCH | SLAPI_OPERATION_COMPARE
| SLAPI_OPERATION_ADD | SLAPI_OPERATION_DELETE
| SLAPI_OPERATION_MODIFY | SLAPI_OPERATION_MODDN
| SLAPI_OPERATION_EXTENDED );
slapi_pblock_destroy ( pb );
return 0;
}
int
update_integrity(char **argv, Slapi_DN *origSDN,
char *newrDN, Slapi_DN *newsuperior,
int logChanges)
{
Slapi_PBlock *search_result_pb = NULL;
Slapi_PBlock *mod_pb = slapi_pblock_new();
Slapi_Entry **search_entries = NULL;
Slapi_DN *sdn = NULL;
Slapi_Attr *attr = NULL;
void *node = NULL;
const char *origDN = slapi_sdn_get_dn(origSDN);
const char *search_base = NULL;
char *attrName = NULL;
char *filter = NULL;
char *attrs[2];
int search_result;
int nval = 0;
int i, j;
int rc;
if ( argv == NULL ){
slapi_log_error( SLAPI_LOG_FATAL, REFERINT_PLUGIN_SUBSYSTEM,
"referint_postop required config file arguments missing\n" );
rc = -1;
goto free_and_return;
}
/*
* For now, just putting attributes to keep integrity on in conf file,
* until resolve the other timing mode issue
*/
search_result_pb = slapi_pblock_new();
/* Search each namingContext in turn */
for ( sdn = slapi_get_first_suffix( &node, 0 ); sdn != NULL;
sdn = slapi_get_next_suffix( &node, 0 ))
{
Slapi_Backend *be = slapi_be_select(sdn);
search_base = slapi_sdn_get_dn( sdn );
for(i = 3; argv[i] != NULL; i++){
filter = slapi_filter_sprintf("(%s=*%s%s)", argv[i], ESC_NEXT_VAL, origDN);
if ( filter ) {
/* Need only the current attribute and its subtypes */
attrs[0] = argv[i];
attrs[1] = NULL;
/* Use new search API */
slapi_pblock_init(search_result_pb);
slapi_pblock_set(search_result_pb, SLAPI_BACKEND, be);
slapi_search_internal_set_pb(search_result_pb, search_base,
LDAP_SCOPE_SUBTREE, filter, attrs, 0 /* attrs only */,
NULL, NULL, referint_plugin_identity, 0);
slapi_search_internal_pb(search_result_pb);
slapi_pblock_get( search_result_pb, SLAPI_PLUGIN_INTOP_RESULT, &search_result);
/* if search successfull then do integrity update */
if(search_result == LDAP_SUCCESS)
{
slapi_pblock_get(search_result_pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES,
&search_entries);
for(j = 0; search_entries[j] != NULL; j++){
attr = NULL;
attrName = NULL;
/*
* Loop over all the attributes of the entry and search
* for the integrity attribute and its subtypes
*/
for (slapi_entry_first_attr(search_entries[j], &attr); attr;
slapi_entry_next_attr(search_entries[j], attr, &attr))
{
/*
* Take into account only the subtypes of the attribute
* in argv[i] having the necessary value - origDN
*/
slapi_attr_get_type(attr, &attrName);
if (slapi_attr_type_cmp(argv[i], attrName,
SLAPI_TYPE_CMP_SUBTYPE) == 0)
{
nval = 0;
slapi_attr_get_numvalues(attr, &nval);
/*
* We want to reduce the "modify" call as much as
* possible. But if an entry contains 1000s of
* attributes which need to be updated by the
* referint plugin (e.g., a group containing 1000s
* of members), we want to avoid to allocate too
* many mods * in one "modify" call.
* This is a compromise: If an attribute type has
* more than 128 values, we update the attribute
* value one by one. Otherwise, update all values
* in one "modify" call.
*/
if (nval > 128) {
rc = _update_one_per_mod(
slapi_entry_get_sdn(search_entries[j]),
attr, attrName, origSDN, newrDN,
slapi_sdn_get_dn(newsuperior),
mod_pb);
} else {
rc = _update_all_per_mod(
slapi_entry_get_sdn(search_entries[j]),
attr, attrName, origSDN, newrDN,
slapi_sdn_get_dn(newsuperior),
mod_pb);
}
/* Should we stop if one modify returns an error? */
}
}
}
} else {
if (isFatalSearchError(search_result)){
slapi_log_error( SLAPI_LOG_FATAL, REFERINT_PLUGIN_SUBSYSTEM,
"update_integrity search (base=%s filter=%s) returned "
"error %d\n", search_base, filter, search_result);
rc = -1;
goto free_and_return;
}
}
slapi_ch_free_string(&filter);
}
slapi_free_search_results_internal(search_result_pb);
}
}
/* if got here, then everything good rc = 0 */
rc = 0;
free_and_return:
/* free filter and search_results_pb */
slapi_ch_free_string(&filter);
slapi_pblock_destroy(mod_pb);
if (search_result_pb) {
slapi_free_search_results_internal(search_result_pb);
slapi_pblock_destroy(search_result_pb);
}
return(rc);
}
static void
linked_attrs_fixup_links(struct configEntry *config)
{
Slapi_PBlock *pb = slapi_pblock_new();
char *del_filter = NULL;
char *add_filter = NULL;
del_filter = slapi_ch_smprintf("%s=*", config->managedtype);
add_filter = slapi_ch_smprintf("%s=*", config->linktype);
/* Lock the attribute pair. */
slapi_lock_mutex(config->lock);
if (config->scope) {
/* Find all entries with the managed type present
* within the scope and remove the managed type. */
slapi_search_internal_set_pb(pb, config->scope, LDAP_SCOPE_SUBTREE,
del_filter, 0, 0, 0, 0, linked_attrs_get_plugin_id(), 0);
slapi_search_internal_callback_pb(pb, config->managedtype, 0,
linked_attrs_remove_backlinks_callback, 0);
/* Clean out pblock for reuse. */
slapi_pblock_init(pb);
/* Find all entries with the link type present within the
* scope and add backlinks to the entries they point to. */
slapi_search_internal_set_pb(pb, config->scope, LDAP_SCOPE_SUBTREE,
add_filter, 0, 0, 0, 0, linked_attrs_get_plugin_id(), 0);
slapi_search_internal_callback_pb(pb, config, 0,
linked_attrs_add_backlinks_callback, 0);
} else {
/* Loop through all non-private backend suffixes and
* remove the managed type from any entry that has it.
* We then find any entry with the linktype present and
* generate the proper backlinks. */
void *node = NULL;
Slapi_DN * suffix = slapi_get_first_suffix (&node, 0);
while (suffix) {
slapi_search_internal_set_pb(pb, slapi_sdn_get_dn(suffix),
LDAP_SCOPE_SUBTREE, del_filter,
0, 0, 0, 0,
linked_attrs_get_plugin_id(), 0);
slapi_search_internal_callback_pb(pb, config->managedtype, 0,
linked_attrs_remove_backlinks_callback, 0);
/* Clean out pblock for reuse. */
slapi_pblock_init(pb);
slapi_search_internal_set_pb(pb, slapi_sdn_get_dn(suffix),
LDAP_SCOPE_SUBTREE, add_filter,
0, 0, 0, 0,
linked_attrs_get_plugin_id(), 0);
slapi_search_internal_callback_pb(pb, config, 0,
linked_attrs_add_backlinks_callback, 0);
/* Clean out pblock for reuse. */
slapi_pblock_init(pb);
suffix = slapi_get_next_suffix (&node, 0);
}
}
/* Unlock the attribute pair. */
slapi_unlock_mutex(config->lock);
slapi_ch_free_string(&del_filter);
slapi_ch_free_string(&add_filter);
slapi_pblock_destroy(pb);
}