int
is_suffix_dn_ext ( Slapi_PBlock *pb, const Slapi_DN *dn, Slapi_DN **parentdn,
int is_tombstone )
{
Slapi_Backend *backend;
int rc;
*parentdn = slapi_sdn_new();
slapi_pblock_get( pb, SLAPI_BACKEND, &backend );
slapi_sdn_get_backend_parent_ext (dn, *parentdn, backend, is_tombstone);
/* A suffix entry doesn't have parent dn */
rc = slapi_sdn_isempty (*parentdn) ? 1 : 0;
return rc;
}
/* This function is now fully executed for internal and replicated ops. */
int
plugin_call_acl_mods_update ( Slapi_PBlock *pb, int optype )
{
struct slapdplugin *p;
int rc = 0;
void *change = NULL;
void *mychange[2];
Slapi_Entry *te = NULL;
Slapi_DN *sdn = NULL;
Operation *operation;
slapi_pblock_get (pb, SLAPI_OPERATION, &operation);
(void)slapi_pblock_get( pb, SLAPI_TARGET_SDN, &sdn );
switch ( optype ) {
case SLAPI_OPERATION_MODIFY:
(void)slapi_pblock_get( pb, SLAPI_MODIFY_MODS, &change );
break;
case SLAPI_OPERATION_ADD:
(void)slapi_pblock_get( pb, SLAPI_ADD_ENTRY, &change );
te = (Slapi_Entry *)change;
if(!slapi_sdn_isempty(slapi_entry_get_sdn(te)))
{
sdn = slapi_entry_get_sdn(te);
}
break;
case SLAPI_OPERATION_MODRDN:
{
char *newrdn = NULL;
Slapi_DN *psdn = NULL;
char *pdn = NULL;
/* newrdn: "change" is normalized but not case-ignored */
/* The acl plugin expects normalized newrdn, but no need to be case-
* ignored. */
(void)slapi_pblock_get( pb, SLAPI_MODRDN_NEWRDN, &newrdn );
(void)slapi_pblock_get( pb, SLAPI_MODRDN_NEWSUPERIOR_SDN, &psdn );
if (psdn) {
pdn = (char *)slapi_sdn_get_dn(psdn);
} else {
(void)slapi_pblock_get( pb, SLAPI_MODRDN_NEWSUPERIOR, &pdn );
}
mychange[0] = newrdn;
mychange[1] = pdn;
change = mychange;
break;
}
}
if (NULL == sdn) {
slapi_log_err(SLAPI_LOG_ERR, "plugin_call_acl_mods_update", "NULL target DN\n");
return LDAP_INVALID_DN_SYNTAX;
}
/* call the global plugins first and then the backend specific */
for ( p = get_plugin_list(PLUGIN_LIST_ACL); p != NULL; p = p->plg_next ) {
if (plugin_invoke_plugin_sdn(p, SLAPI_PLUGIN_ACL_MODS_UPDATE, pb, sdn)){
rc = (*p->plg_acl_mods_update)(pb, optype, sdn, change );
if ( rc != LDAP_SUCCESS ) break;
}
}
return rc;
}
static int
add_created_attrs(Slapi_PBlock *pb, Slapi_Entry *e)
{
char buf[20];
char *binddn = NULL;
char *plugin_dn = NULL;
struct berval bv;
struct berval *bvals[2];
time_t curtime;
struct tm ltm;
Operation *op;
struct slapdplugin *plugin = NULL;
struct slapi_componentid *cid = NULL;
slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
slapi_log_err(SLAPI_LOG_TRACE, "add_created_attrs", "==>\n");
bvals[0] = &bv;
bvals[1] = NULL;
slapi_pblock_get(pb, SLAPI_OPERATION, &op);
if(slapdFrontendConfig->plugin_track){
/* plugin bindDN tracking is enabled, grab the dn from thread local storage */
if(slapi_sdn_isempty(&op->o_sdn)){
bv.bv_val = "";
bv.bv_len = 0;
} else {
slapi_pblock_get (pb, SLAPI_PLUGIN_IDENTITY, &cid);
if (cid){
plugin=(struct slapdplugin *) cid->sci_plugin;
} else {
slapi_pblock_get (pb, SLAPI_PLUGIN, &plugin);
}
if(plugin)
plugin_dn = plugin_get_dn (plugin);
if(plugin_dn){
bv.bv_val = plugin_dn;
bv.bv_len = strlen(bv.bv_val);
} else {
bv.bv_val = (char*)slapi_sdn_get_dn(&op->o_sdn);
bv.bv_len = strlen(bv.bv_val);
}
}
slapi_entry_attr_replace(e, "internalCreatorsName", bvals);
slapi_entry_attr_replace(e, "internalModifiersName", bvals);
slapi_ch_free_string(&plugin_dn);
/* Grab the thread data(binddn) */
slapi_td_get_dn(&binddn);
if(binddn == NULL){
/* anonymous bind */
bv.bv_val = "";
bv.bv_len = 0;
} else {
bv.bv_val = binddn;
bv.bv_len = strlen(bv.bv_val);
}
} else {
if (slapi_sdn_isempty(&op->o_sdn)) {
bv.bv_val = "";
bv.bv_len = 0;
} else {
bv.bv_val = (char*)slapi_sdn_get_dn(&op->o_sdn);
bv.bv_len = strlen(bv.bv_val);
}
}
slapi_entry_attr_replace(e, "creatorsname", bvals);
slapi_entry_attr_replace(e, "modifiersname", bvals);
curtime = current_time();
gmtime_r(&curtime, <m);
strftime(buf, sizeof(buf), "%Y%m%d%H%M%SZ", <m);
bv.bv_val = buf;
bv.bv_len = strlen(bv.bv_val);
slapi_entry_attr_replace(e, "createtimestamp", bvals);
bv.bv_val = buf;
bv.bv_len = strlen(bv.bv_val);
slapi_entry_attr_replace(e, "modifytimestamp", bvals);
if (add_uniqueid(e) != UID_SUCCESS ) {
return( -1 );
}
return( 0 );
}
/*
* Perform the agreement/domain specific configuration.
* IPA stores its configuration in the tree. We use the
* ds_subtree to search for the domain/realm specific
* configuration entries.
*/
void
ipa_winsync_config_refresh_domain(
void *cbdata, const Slapi_DN *ds_subtree,
const Slapi_DN *ad_subtree
)
{
IPA_WinSync_Domain_Config *iwdc =
(IPA_WinSync_Domain_Config *)cbdata;
Slapi_DN *config_dn = slapi_sdn_dup(ds_subtree);
char *realm_filter = NULL;
char *realm_attr = NULL;
char *new_entry_filter = NULL;
char *new_user_oc_attr = NULL; /* don't care about groups for now */
char *homedir_prefix_attr = NULL;
char *login_shell_attr = NULL;
char *default_group_attr = NULL;
char *default_group_filter = NULL;
char *default_group_name = NULL;
char *real_group_filter = NULL;
char *default_gid = NULL;
Slapi_ValueSet *new_user_objclasses = NULL; /* don't care about groups for now */
int loopdone = 0;
int search_scope = LDAP_SCOPE_SUBTREE;
int ret = LDAP_SUCCESS;
int acct_disable;
char *inactivated_filter = NULL;
char *activated_filter = NULL;
char *inactivated_group_dn = NULL;
char *activated_group_dn = NULL;
int upg = -1;
slapi_lock_mutex(theConfig.lock);
realm_filter = slapi_ch_strdup(theConfig.realm_filter);
realm_attr = slapi_ch_strdup(theConfig.realm_attr);
new_entry_filter = slapi_ch_strdup(theConfig.new_entry_filter);
new_user_oc_attr = slapi_ch_strdup(theConfig.new_user_oc_attr);
homedir_prefix_attr = slapi_ch_strdup(theConfig.homedir_prefix_attr);
if (theConfig.login_shell_attr) {
login_shell_attr = slapi_ch_strdup(theConfig.login_shell_attr);
}
default_group_attr = slapi_ch_strdup(theConfig.default_group_attr);
default_group_filter = slapi_ch_strdup(theConfig.default_group_filter);
acct_disable = theConfig.acct_disable;
if (acct_disable != ACCT_DISABLE_NONE) {
if (theConfig.inactivated_filter) {
inactivated_filter = slapi_ch_strdup(theConfig.inactivated_filter);
}
if (theConfig.activated_filter) {
activated_filter = slapi_ch_strdup(theConfig.activated_filter);
}
}
slapi_unlock_mutex(theConfig.lock);
/* starting at ds_subtree, search for the entry
containing the Kerberos realm to use */
slapi_ch_free_string(&iwdc->realm_name);
while(!loopdone && !slapi_sdn_isempty(config_dn)) {
ret = internal_find_entry_get_attr_val(config_dn, search_scope,
realm_filter, realm_attr,
NULL, &iwdc->realm_name);
if ((0 == ret) && iwdc->realm_name) {
loopdone = 1;
} else if ((LDAP_NO_SUCH_OBJECT == ret) && !iwdc->realm_name) {
/* try again */
Slapi_DN *parent_dn = slapi_sdn_new();
slapi_sdn_get_parent(config_dn, parent_dn);
slapi_sdn_free(&config_dn);
config_dn = parent_dn;
} else { /* error */
goto out;
}
}
if (!iwdc->realm_name) {
/* error - could not find the IPA config entry with the realm name */
LOG_FATAL("Error: could not find the entry containing the realm name "
"[%d] ds subtree [%s] filter [%s] attr [%s]\n",
ret, slapi_sdn_get_dn(ds_subtree), realm_filter, realm_attr);
goto out;
}
/* look for the entry containing the default objectclasses
to add to new entries */
ret = internal_find_entry_get_attr_val(config_dn, search_scope,
new_entry_filter, new_user_oc_attr,
&new_user_objclasses, NULL);
if (!new_user_objclasses) {
/* error - could not find the entry containing list of objectclasses */
LOG_FATAL("Error: could not find the entry containing the new user objectclass list "
"[%d] ds subtree [%s] filter [%s] attr [%s]\n",
ret, slapi_sdn_get_dn(ds_subtree), new_entry_filter, new_user_oc_attr);
goto out;
}
/* get the home directory prefix value */
/* note - this is in the same entry as the new entry template, so
use the same filter */
slapi_ch_free_string(&iwdc->homedir_prefix);
ret = internal_find_entry_get_attr_val(config_dn, search_scope,
new_entry_filter, homedir_prefix_attr,
NULL, &iwdc->homedir_prefix);
if (!iwdc->homedir_prefix) {
/* error - could not find the home dir prefix */
LOG_FATAL("Error: could not find the entry containing the home directory prefix "
"[%d] ds subtree [%s] filter [%s] attr [%s]\n",
ret, slapi_sdn_get_dn(ds_subtree), new_entry_filter, homedir_prefix_attr);
goto out;
}
/* get the login shell value */
/* note - this is in the same entry as the new entry template, so
use the same filter */
slapi_ch_free_string(&iwdc->login_shell);
if (login_shell_attr) {
ret = internal_find_entry_get_attr_val(config_dn, search_scope,
new_entry_filter,
login_shell_attr,
NULL, &iwdc->login_shell);
if (!iwdc->login_shell) {
LOG("Warning: could not find the entry containing the login shell "
"attribute [%d] ds subtree [%s] filter [%s] attr [%s]\n",
ret, slapi_sdn_get_dn(ds_subtree), new_entry_filter,
login_shell_attr);
}
}
if (!iwdc->login_shell) {
/* could not find the login shell or was not configured */
LOG("Warning: no login shell configured!");
}
/* find the default group - the entry above contains the group name, but
we need the gidNumber for posixAccount - so first find the entry
and attr value which has the group name, then lookup the group
number from the group name */
ret = internal_find_entry_get_attr_val(config_dn, search_scope,
new_entry_filter, default_group_attr,
NULL, &default_group_name);
if (!default_group_name) {
/* error - could not find the default group name */
LOG_FATAL("Error: could not find the entry containing the default group name "
"[%d] ds subtree [%s] filter [%s] attr [%s]\n",
ret, slapi_sdn_get_dn(ds_subtree), new_entry_filter, default_group_attr);
goto out;
}
/* check if User Private Groups are enabled */
upg = ipa_winsync_upg_enabled(ds_subtree);
/* next, find the group whose name is default_group_name - construct the filter
based on the filter attribute value - assumes the group name is stored
in the cn attribute value, and the gidNumber in the gidNumber attribute value */
real_group_filter = slapi_ch_smprintf("(&(cn=%s)%s)", default_group_name,
default_group_filter);
ret = internal_find_entry_get_attr_val(config_dn, search_scope,
real_group_filter, "gidNumber",
NULL, &default_gid);
if (!default_gid) {
/* error - could not find the default gidNumber
This is not a fatal error if User Private Groups (UPG) are enabled.
*/
if (upg) {
LOG_FATAL("Error: could not find the entry containing the default gidNumber "
"UPG [%d] ds subtree [%s] filter [%s] attr [%s]\n",
ret, slapi_sdn_get_dn(ds_subtree), new_entry_filter, "gidNumber");
goto out;
} else {
ret = LDAP_SUCCESS;
}
}
/* If we are syncing account disable, we need to find the groups used
to denote active and inactive users e.g.
dn: cn=inactivated,cn=account inactivation,cn=accounts,$SUFFIX
dn: cn=Activated,cn=Account Inactivation,cn=accounts,$SUFFIX
*/
if (acct_disable != ACCT_DISABLE_NONE) {
if (inactivated_filter) {
ret = internal_find_entry_get_attr_val(config_dn, search_scope,
inactivated_filter, "dn",
NULL, &inactivated_group_dn);
if (!inactivated_group_dn) {
/* error - could not find the inactivated group dn */
LOG("Could not find the DN of the inactivated users group "
"[%d] ds subtree [%s] filter [%s]. Ignoring\n",
ret, slapi_sdn_get_dn(ds_subtree), inactivated_filter);
goto out;
}
}
if (activated_filter) {
ret = internal_find_entry_get_attr_val(config_dn, search_scope,
activated_filter, "dn",
NULL, &activated_group_dn);
if (!activated_group_dn) {
/* error - could not find the activated group dn */
LOG("Could not find the DN of the activated users group "
"[%d] ds subtree [%s] filter [%s]. Ignoring\n",
ret, slapi_sdn_get_dn(ds_subtree), activated_filter);
goto out;
}
}
}
/* ok, we have our values */
/* first, clear out the old domain config */
slapi_entry_free(iwdc->domain_e);
iwdc->domain_e = NULL;
/* next, copy the global attr config */
slapi_lock_mutex(theConfig.lock);
iwdc->domain_e = slapi_entry_dup(theConfig.config_e);
slapi_unlock_mutex(theConfig.lock);
/* set the objectclasses in the domain_e */
slapi_entry_attr_delete(iwdc->domain_e, "objectclass");
/* this copies new_user_objclasses */
slapi_entry_add_valueset(iwdc->domain_e, "objectclass", new_user_objclasses);
/* When UPG is disabled, set the default gid number */
if (upg && default_gid) {
slapi_entry_attr_set_charptr(iwdc->domain_e, "gidNumber", default_gid);
}
slapi_ch_free_string(&iwdc->inactivated_group_dn);
iwdc->inactivated_group_dn = inactivated_group_dn;
inactivated_group_dn = NULL;
slapi_ch_free_string(&iwdc->activated_group_dn);
iwdc->activated_group_dn = activated_group_dn;
activated_group_dn = NULL;
out:
slapi_valueset_free(new_user_objclasses);
slapi_sdn_free(&config_dn);
slapi_ch_free_string(&realm_filter);
slapi_ch_free_string(&realm_attr);
slapi_ch_free_string(&new_entry_filter);
slapi_ch_free_string(&new_user_oc_attr);
slapi_ch_free_string(&homedir_prefix_attr);
slapi_ch_free_string(&login_shell_attr);
slapi_ch_free_string(&default_group_attr);
slapi_ch_free_string(&default_group_filter);
slapi_ch_free_string(&default_group_name);
slapi_ch_free_string(&real_group_filter);
slapi_ch_free_string(&default_gid);
slapi_ch_free_string(&inactivated_filter);
slapi_ch_free_string(&inactivated_group_dn);
slapi_ch_free_string(&activated_filter);
slapi_ch_free_string(&activated_group_dn);
if (LDAP_SUCCESS != ret) {
slapi_ch_free_string(&iwdc->realm_name);
slapi_ch_free_string(&iwdc->homedir_prefix);
slapi_ch_free_string(&iwdc->login_shell);
slapi_entry_free(iwdc->domain_e);
iwdc->domain_e = NULL;
}
return;
}
