static int slapi_over_compute_output( computed_attr_context *c, Slapi_Attr *attribute, Slapi_Entry *entry ) { Attribute **a; AttributeDescription *desc; SlapReply *rs; if ( c == NULL || attribute == NULL || entry == NULL ) { return 0; } rs = (SlapReply *)c->cac_private; assert( rs->sr_entry == entry ); desc = attribute->a_desc; if ( rs->sr_attrs == NULL ) { /* All attrs request, skip operational attributes */ if ( is_at_operational( desc->ad_type ) ) { return 0; } } else { /* Specific attributes requested */ if ( is_at_operational( desc->ad_type ) ) { if ( !SLAP_OPATTRS( rs->sr_attr_flags ) && !ad_inlist( desc, rs->sr_attrs ) ) { return 0; } } else { if ( !SLAP_USERATTRS( rs->sr_attr_flags ) && !ad_inlist( desc, rs->sr_attrs ) ) { return 0; } } } /* XXX perhaps we should check for existing attributes and merge */ for ( a = &rs->sr_operational_attrs; *a != NULL; a = &(*a)->a_next ) ; *a = slapi_attr_dup( attribute ); return 0; }
static int dynlist_prepare_entry( Operation *op, SlapReply *rs, dynlist_info_t *dli ) { Attribute *a, *id = NULL; slap_callback cb = { 0 }; Operation o = *op; struct berval *url; Entry *e; int opattrs, userattrs; dynlist_sc_t dlc = { 0 }; dynlist_map_t *dlm; a = attrs_find( rs->sr_entry->e_attrs, dli->dli_ad ); if ( a == NULL ) { /* FIXME: error? */ return SLAP_CB_CONTINUE; } opattrs = SLAP_OPATTRS( rs->sr_attr_flags ); userattrs = SLAP_USERATTRS( rs->sr_attr_flags ); /* Don't generate member list if it wasn't requested */ for ( dlm = dli->dli_dlm; dlm; dlm = dlm->dlm_next ) { AttributeDescription *ad = dlm->dlm_mapped_ad ? dlm->dlm_mapped_ad : dlm->dlm_member_ad; if ( userattrs || ad_inlist( ad, rs->sr_attrs ) ) break; } if ( dli->dli_dlm && !dlm ) return SLAP_CB_CONTINUE; if ( ad_dgIdentity && ( id = attrs_find( rs->sr_entry->e_attrs, ad_dgIdentity ))) { Attribute *authz = NULL; /* if not rootdn and dgAuthz is present, * check if user can be authorized as dgIdentity */ if ( ad_dgAuthz && !BER_BVISEMPTY( &id->a_nvals[0] ) && !be_isroot( op ) && ( authz = attrs_find( rs->sr_entry->e_attrs, ad_dgAuthz ) ) ) { if ( slap_sasl_matches( op, authz->a_nvals, &o.o_ndn, &o.o_ndn ) != LDAP_SUCCESS ) { return SLAP_CB_CONTINUE; } } o.o_dn = id->a_vals[0]; o.o_ndn = id->a_nvals[0]; o.o_groups = NULL; } e = rs->sr_entry; /* ensure e is modifiable, but do not replace * sr_entry yet since we have pointers into it */ if ( !( rs->sr_flags & REP_ENTRY_MODIFIABLE ) ) { e = entry_dup( rs->sr_entry ); } dlc.dlc_e = e; dlc.dlc_dli = dli; cb.sc_private = &dlc; cb.sc_response = dynlist_sc_update; o.o_callback = &cb; o.ors_deref = LDAP_DEREF_NEVER; o.ors_limit = NULL; o.ors_tlimit = SLAP_NO_LIMIT; o.ors_slimit = SLAP_NO_LIMIT; for ( url = a->a_nvals; !BER_BVISNULL( url ); url++ ) { LDAPURLDesc *lud = NULL; int i, j; struct berval dn; int rc; BER_BVZERO( &o.o_req_dn ); BER_BVZERO( &o.o_req_ndn ); o.ors_filter = NULL; o.ors_attrs = NULL; BER_BVZERO( &o.ors_filterstr ); if ( ldap_url_parse( url->bv_val, &lud ) != LDAP_URL_SUCCESS ) { /* FIXME: error? */ continue; } if ( lud->lud_host != NULL ) { /* FIXME: host not allowed; reject as illegal? */ Debug( LDAP_DEBUG_ANY, "dynlist_prepare_entry(\"%s\"): " "illegal URI \"%s\"\n", e->e_name.bv_val, url->bv_val, 0 ); goto cleanup; } if ( lud->lud_dn == NULL ) { /* note that an empty base is not honored in terms * of defaultSearchBase, because select_backend() * is not aware of the defaultSearchBase option; * this can be useful in case of a database serving * the empty suffix */ BER_BVSTR( &dn, "" ); } else { ber_str2bv( lud->lud_dn, 0, 0, &dn ); } rc = dnPrettyNormal( NULL, &dn, &o.o_req_dn, &o.o_req_ndn, op->o_tmpmemctx ); if ( rc != LDAP_SUCCESS ) { /* FIXME: error? */ goto cleanup; } o.ors_scope = lud->lud_scope; for ( dlm = dli->dli_dlm; dlm; dlm = dlm->dlm_next ) { if ( dlm->dlm_mapped_ad != NULL ) { break; } } if ( dli->dli_dlm && !dlm ) { /* if ( lud->lud_attrs != NULL ), * the URL should be ignored */ o.ors_attrs = slap_anlist_no_attrs; } else if ( lud->lud_attrs == NULL ) { o.ors_attrs = rs->sr_attrs; } else { for ( i = 0; lud->lud_attrs[i]; i++) /* just count */ ; o.ors_attrs = op->o_tmpcalloc( i + 1, sizeof( AttributeName ), op->o_tmpmemctx ); for ( i = 0, j = 0; lud->lud_attrs[i]; i++) { const char *text = NULL; ber_str2bv( lud->lud_attrs[i], 0, 0, &o.ors_attrs[j].an_name ); o.ors_attrs[j].an_desc = NULL; (void)slap_bv2ad( &o.ors_attrs[j].an_name, &o.ors_attrs[j].an_desc, &text ); /* FIXME: ignore errors... */ if ( rs->sr_attrs == NULL ) { if ( o.ors_attrs[j].an_desc != NULL && is_at_operational( o.ors_attrs[j].an_desc->ad_type ) ) { continue; } } else { if ( o.ors_attrs[j].an_desc != NULL && is_at_operational( o.ors_attrs[j].an_desc->ad_type ) ) { if ( !opattrs ) { continue; } if ( !ad_inlist( o.ors_attrs[j].an_desc, rs->sr_attrs ) ) { /* lookup if mapped -- linear search, * not very efficient unless list * is very short */ for ( dlm = dli->dli_dlm; dlm; dlm = dlm->dlm_next ) { if ( dlm->dlm_member_ad == o.ors_attrs[j].an_desc ) { break; } } if ( dlm == NULL ) { continue; } } } else { if ( !userattrs && o.ors_attrs[j].an_desc != NULL && !ad_inlist( o.ors_attrs[j].an_desc, rs->sr_attrs ) ) { /* lookup if mapped -- linear search, * not very efficient unless list * is very short */ for ( dlm = dli->dli_dlm; dlm; dlm = dlm->dlm_next ) { if ( dlm->dlm_member_ad == o.ors_attrs[j].an_desc ) { break; } } if ( dlm == NULL ) { continue; } } } } j++; } if ( j == 0 ) { goto cleanup; } BER_BVZERO( &o.ors_attrs[j].an_name ); } if ( lud->lud_filter == NULL ) { ber_dupbv_x( &o.ors_filterstr, &dli->dli_default_filter, op->o_tmpmemctx ); } else { struct berval flt; ber_str2bv( lud->lud_filter, 0, 0, &flt ); if ( dynlist_make_filter( op, rs->sr_entry, url->bv_val, &flt, &o.ors_filterstr ) ) { /* error */ goto cleanup; } } o.ors_filter = str2filter_x( op, o.ors_filterstr.bv_val ); if ( o.ors_filter == NULL ) { goto cleanup; } o.o_bd = select_backend( &o.o_req_ndn, 1 ); if ( o.o_bd && o.o_bd->be_search ) { SlapReply r = { REP_SEARCH }; r.sr_attr_flags = slap_attr_flags( o.ors_attrs ); (void)o.o_bd->be_search( &o, &r ); } cleanup:; if ( id ) { slap_op_groups_free( &o ); } if ( o.ors_filter ) { filter_free_x( &o, o.ors_filter, 1 ); } if ( o.ors_attrs && o.ors_attrs != rs->sr_attrs && o.ors_attrs != slap_anlist_no_attrs ) { op->o_tmpfree( o.ors_attrs, op->o_tmpmemctx ); } if ( !BER_BVISNULL( &o.o_req_dn ) ) { op->o_tmpfree( o.o_req_dn.bv_val, op->o_tmpmemctx ); } if ( !BER_BVISNULL( &o.o_req_ndn ) ) { op->o_tmpfree( o.o_req_ndn.bv_val, op->o_tmpmemctx ); } assert( BER_BVISNULL( &o.ors_filterstr ) || o.ors_filterstr.bv_val != lud->lud_filter ); op->o_tmpfree( o.ors_filterstr.bv_val, op->o_tmpmemctx ); ldap_free_urldesc( lud ); } if ( e != rs->sr_entry ) { rs_replace_entry( op, rs, (slap_overinst *)op->o_bd->bd_info, e ); rs->sr_flags |= REP_ENTRY_MODIFIABLE | REP_ENTRY_MUSTBEFREED; } return SLAP_CB_CONTINUE; }
static int dynlist_sc_update( Operation *op, SlapReply *rs ) { Entry *e; Attribute *a; int opattrs, userattrs; AccessControlState acl_state = ACL_STATE_INIT; dynlist_sc_t *dlc; dynlist_map_t *dlm; if ( rs->sr_type != REP_SEARCH ) { return 0; } dlc = (dynlist_sc_t *)op->o_callback->sc_private; e = dlc->dlc_e; assert( e != NULL ); assert( rs->sr_entry != NULL ); /* test access to entry */ if ( !access_allowed( op, rs->sr_entry, slap_schema.si_ad_entry, NULL, ACL_READ, NULL ) ) { goto done; } /* if there is only one member_ad, and it's not mapped, * consider it as old-style member listing */ dlm = dlc->dlc_dli->dli_dlm; if ( dlm && dlm->dlm_mapped_ad == NULL && dlm->dlm_next == NULL ) { /* if access allowed, try to add values, emulating permissive * control to silently ignore duplicates */ if ( access_allowed( op, rs->sr_entry, slap_schema.si_ad_entry, NULL, ACL_READ, NULL ) ) { Modification mod; const char *text = NULL; char textbuf[1024]; struct berval vals[ 2 ], nvals[ 2 ]; vals[ 0 ] = rs->sr_entry->e_name; BER_BVZERO( &vals[ 1 ] ); nvals[ 0 ] = rs->sr_entry->e_nname; BER_BVZERO( &nvals[ 1 ] ); mod.sm_op = LDAP_MOD_ADD; mod.sm_desc = dlm->dlm_member_ad; mod.sm_type = dlm->dlm_member_ad->ad_cname; mod.sm_values = vals; mod.sm_nvalues = nvals; mod.sm_numvals = 1; (void)modify_add_values( e, &mod, /* permissive */ 1, &text, textbuf, sizeof( textbuf ) ); } goto done; } opattrs = SLAP_OPATTRS( rs->sr_attr_flags ); userattrs = SLAP_USERATTRS( rs->sr_attr_flags ); for ( a = rs->sr_entry->e_attrs; a != NULL; a = a->a_next ) { BerVarray vals, nvals = NULL; int i, j, is_oc = a->a_desc == slap_schema.si_ad_objectClass; /* if attribute is not requested, skip it */ if ( rs->sr_attrs == NULL ) { if ( is_at_operational( a->a_desc->ad_type ) ) { continue; } } else { if ( is_at_operational( a->a_desc->ad_type ) ) { if ( !opattrs && !ad_inlist( a->a_desc, rs->sr_attrs ) ) { continue; } } else { if ( !userattrs && !ad_inlist( a->a_desc, rs->sr_attrs ) ) { continue; } } } /* test access to attribute */ if ( op->ors_attrsonly ) { if ( !access_allowed( op, rs->sr_entry, a->a_desc, NULL, ACL_READ, &acl_state ) ) { continue; } } /* single-value check: keep first only */ if ( is_at_single_value( a->a_desc->ad_type ) ) { if ( attr_find( e->e_attrs, a->a_desc ) != NULL ) { continue; } } /* test access to attribute */ i = a->a_numvals; vals = op->o_tmpalloc( ( i + 1 ) * sizeof( struct berval ), op->o_tmpmemctx ); if ( a->a_nvals != a->a_vals ) { nvals = op->o_tmpalloc( ( i + 1 ) * sizeof( struct berval ), op->o_tmpmemctx ); } for ( i = 0, j = 0; !BER_BVISNULL( &a->a_vals[i] ); i++ ) { if ( is_oc ) { ObjectClass *soc = oc_bvfind( &a->a_vals[i] ); if ( soc->soc_kind == LDAP_SCHEMA_STRUCTURAL ) { continue; } } if ( access_allowed( op, rs->sr_entry, a->a_desc, &a->a_nvals[i], ACL_READ, &acl_state ) ) { vals[j] = a->a_vals[i]; if ( nvals ) { nvals[j] = a->a_nvals[i]; } j++; } } /* if access allowed, try to add values, emulating permissive * control to silently ignore duplicates */ if ( j != 0 ) { Modification mod; const char *text = NULL; char textbuf[1024]; dynlist_map_t *dlm; AttributeDescription *ad; BER_BVZERO( &vals[j] ); if ( nvals ) { BER_BVZERO( &nvals[j] ); } ad = a->a_desc; for ( dlm = dlc->dlc_dli->dli_dlm; dlm; dlm = dlm->dlm_next ) { if ( dlm->dlm_member_ad == a->a_desc ) { if ( dlm->dlm_mapped_ad ) { ad = dlm->dlm_mapped_ad; } break; } } mod.sm_op = LDAP_MOD_ADD; mod.sm_desc = ad; mod.sm_type = ad->ad_cname; mod.sm_values = vals; mod.sm_nvalues = nvals; mod.sm_numvals = j; (void)modify_add_values( e, &mod, /* permissive */ 1, &text, textbuf, sizeof( textbuf ) ); } op->o_tmpfree( vals, op->o_tmpmemctx ); if ( nvals ) { op->o_tmpfree( nvals, op->o_tmpmemctx ); } } done:; if ( rs->sr_flags & REP_ENTRY_MUSTBEFREED ) { entry_free( rs->sr_entry ); rs->sr_entry = NULL; rs->sr_flags &= ~REP_ENTRY_MASK; } return 0; }
int mdb_modify_internal( Operation *op, MDB_txn *tid, Modifications *modlist, Entry *e, const char **text, char *textbuf, size_t textlen ) { int rc, err; Modification *mod; Modifications *ml; Attribute *save_attrs; Attribute *ap; int glue_attr_delete = 0; int got_delete; Debug( LDAP_DEBUG_TRACE, "mdb_modify_internal: 0x%08lx: %s\n", e->e_id, e->e_dn, 0); if ( !acl_check_modlist( op, e, modlist )) { return LDAP_INSUFFICIENT_ACCESS; } /* save_attrs will be disposed of by caller */ save_attrs = e->e_attrs; e->e_attrs = attrs_dup( e->e_attrs ); for ( ml = modlist; ml != NULL; ml = ml->sml_next ) { int match; mod = &ml->sml_mod; switch( mod->sm_op ) { case LDAP_MOD_ADD: case LDAP_MOD_REPLACE: if ( mod->sm_desc == slap_schema.si_ad_structuralObjectClass ) { value_match( &match, slap_schema.si_ad_structuralObjectClass, slap_schema.si_ad_structuralObjectClass-> ad_type->sat_equality, SLAP_MR_VALUE_OF_ATTRIBUTE_SYNTAX, &mod->sm_values[0], &scbva[0], text ); if ( !match ) glue_attr_delete = 1; } } if ( glue_attr_delete ) break; } if ( glue_attr_delete ) { Attribute **app = &e->e_attrs; while ( *app != NULL ) { if ( !is_at_operational( (*app)->a_desc->ad_type )) { Attribute *save = *app; *app = (*app)->a_next; attr_free( save ); continue; } app = &(*app)->a_next; } } for ( ml = modlist; ml != NULL; ml = ml->sml_next ) { mod = &ml->sml_mod; got_delete = 0; switch ( mod->sm_op ) { case LDAP_MOD_ADD: Debug(LDAP_DEBUG_ARGS, "mdb_modify_internal: add %s\n", mod->sm_desc->ad_cname.bv_val, 0, 0); err = modify_add_values( e, mod, get_permissiveModify(op), text, textbuf, textlen ); if( err != LDAP_SUCCESS ) { Debug(LDAP_DEBUG_ARGS, "mdb_modify_internal: %d %s\n", err, *text, 0); } break; case LDAP_MOD_DELETE: if ( glue_attr_delete ) { err = LDAP_SUCCESS; break; } Debug(LDAP_DEBUG_ARGS, "mdb_modify_internal: delete %s\n", mod->sm_desc->ad_cname.bv_val, 0, 0); err = modify_delete_values( e, mod, get_permissiveModify(op), text, textbuf, textlen ); if( err != LDAP_SUCCESS ) { Debug(LDAP_DEBUG_ARGS, "mdb_modify_internal: %d %s\n", err, *text, 0); } else { got_delete = 1; } break; case LDAP_MOD_REPLACE: Debug(LDAP_DEBUG_ARGS, "mdb_modify_internal: replace %s\n", mod->sm_desc->ad_cname.bv_val, 0, 0); err = modify_replace_values( e, mod, get_permissiveModify(op), text, textbuf, textlen ); if( err != LDAP_SUCCESS ) { Debug(LDAP_DEBUG_ARGS, "mdb_modify_internal: %d %s\n", err, *text, 0); } else { got_delete = 1; } break; case LDAP_MOD_INCREMENT: Debug(LDAP_DEBUG_ARGS, "mdb_modify_internal: increment %s\n", mod->sm_desc->ad_cname.bv_val, 0, 0); err = modify_increment_values( e, mod, get_permissiveModify(op), text, textbuf, textlen ); if( err != LDAP_SUCCESS ) { Debug(LDAP_DEBUG_ARGS, "mdb_modify_internal: %d %s\n", err, *text, 0); } else { got_delete = 1; } break; case SLAP_MOD_SOFTADD: Debug(LDAP_DEBUG_ARGS, "mdb_modify_internal: softadd %s\n", mod->sm_desc->ad_cname.bv_val, 0, 0); /* Avoid problems in index_add_mods() * We need to add index if necessary. */ mod->sm_op = LDAP_MOD_ADD; err = modify_add_values( e, mod, get_permissiveModify(op), text, textbuf, textlen ); mod->sm_op = SLAP_MOD_SOFTADD; if ( err == LDAP_TYPE_OR_VALUE_EXISTS ) { err = LDAP_SUCCESS; } if( err != LDAP_SUCCESS ) { Debug(LDAP_DEBUG_ARGS, "mdb_modify_internal: %d %s\n", err, *text, 0); } break; case SLAP_MOD_SOFTDEL: Debug(LDAP_DEBUG_ARGS, "mdb_modify_internal: softdel %s\n", mod->sm_desc->ad_cname.bv_val, 0, 0); /* Avoid problems in index_delete_mods() * We need to add index if necessary. */ mod->sm_op = LDAP_MOD_DELETE; err = modify_delete_values( e, mod, get_permissiveModify(op), text, textbuf, textlen ); mod->sm_op = SLAP_MOD_SOFTDEL; if ( err == LDAP_NO_SUCH_ATTRIBUTE ) { err = LDAP_SUCCESS; } if( err != LDAP_SUCCESS ) { Debug(LDAP_DEBUG_ARGS, "mdb_modify_internal: %d %s\n", err, *text, 0); } break; case SLAP_MOD_ADD_IF_NOT_PRESENT: if ( attr_find( e->e_attrs, mod->sm_desc ) != NULL ) { /* skip */ err = LDAP_SUCCESS; break; } Debug(LDAP_DEBUG_ARGS, "mdb_modify_internal: add_if_not_present %s\n", mod->sm_desc->ad_cname.bv_val, 0, 0); /* Avoid problems in index_add_mods() * We need to add index if necessary. */ mod->sm_op = LDAP_MOD_ADD; err = modify_add_values( e, mod, get_permissiveModify(op), text, textbuf, textlen ); mod->sm_op = SLAP_MOD_ADD_IF_NOT_PRESENT; if( err != LDAP_SUCCESS ) { Debug(LDAP_DEBUG_ARGS, "mdb_modify_internal: %d %s\n", err, *text, 0); } break; default: Debug(LDAP_DEBUG_ANY, "mdb_modify_internal: invalid op %d\n", mod->sm_op, 0, 0); *text = "Invalid modify operation"; err = LDAP_OTHER; Debug(LDAP_DEBUG_ARGS, "mdb_modify_internal: %d %s\n", err, *text, 0); } if ( err != LDAP_SUCCESS ) { attrs_free( e->e_attrs ); e->e_attrs = save_attrs; /* unlock entry, delete from cache */ return err; } /* If objectClass was modified, reset the flags */ if ( mod->sm_desc == slap_schema.si_ad_objectClass ) { e->e_ocflags = 0; } if ( glue_attr_delete ) e->e_ocflags = 0; /* check if modified attribute was indexed * but not in case of NOOP... */ if ( !op->o_noop ) { mdb_modify_idxflags( op, mod->sm_desc, got_delete, e->e_attrs, save_attrs ); } } /* check that the entry still obeys the schema */ ap = NULL; rc = entry_schema_check( op, e, save_attrs, get_relax(op), 0, &ap, text, textbuf, textlen ); if ( rc != LDAP_SUCCESS || op->o_noop ) { attrs_free( e->e_attrs ); /* clear the indexing flags */ for ( ap = save_attrs; ap != NULL; ap = ap->a_next ) { ap->a_flags &= ~(SLAP_ATTR_IXADD|SLAP_ATTR_IXDEL); } e->e_attrs = save_attrs; if ( rc != LDAP_SUCCESS ) { Debug( LDAP_DEBUG_ANY, "entry failed schema check: %s\n", *text, 0, 0 ); } /* if NOOP then silently revert to saved attrs */ return rc; } /* structuralObjectClass modified! */ if ( ap ) { assert( ap->a_desc == slap_schema.si_ad_structuralObjectClass ); if ( !op->o_noop ) { mdb_modify_idxflags( op, slap_schema.si_ad_structuralObjectClass, 1, e->e_attrs, save_attrs ); } } /* update the indices of the modified attributes */ /* start with deleting the old index entries */ for ( ap = save_attrs; ap != NULL; ap = ap->a_next ) { if ( ap->a_flags & SLAP_ATTR_IXDEL ) { struct berval *vals; Attribute *a2; ap->a_flags &= ~SLAP_ATTR_IXDEL; a2 = attr_find( e->e_attrs, ap->a_desc ); if ( a2 ) { /* need to detect which values were deleted */ int i, j; vals = op->o_tmpalloc( (ap->a_numvals + 1) * sizeof(struct berval), op->o_tmpmemctx ); j = 0; for ( i=0; i < ap->a_numvals; i++ ) { rc = attr_valfind( a2, SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH, &ap->a_nvals[i], NULL, op->o_tmpmemctx ); /* Save deleted values */ if ( rc == LDAP_NO_SUCH_ATTRIBUTE ) vals[j++] = ap->a_nvals[i]; } BER_BVZERO(vals+j); } else { /* attribute was completely deleted */ vals = ap->a_nvals; } rc = 0; if ( !BER_BVISNULL( vals )) { rc = mdb_index_values( op, tid, ap->a_desc, vals, e->e_id, SLAP_INDEX_DELETE_OP ); if ( rc != LDAP_SUCCESS ) { Debug( LDAP_DEBUG_ANY, "%s: attribute \"%s\" index delete failure\n", op->o_log_prefix, ap->a_desc->ad_cname.bv_val, 0 ); attrs_free( e->e_attrs ); e->e_attrs = save_attrs; } } if ( vals != ap->a_nvals ) op->o_tmpfree( vals, op->o_tmpmemctx ); if ( rc ) return rc; } } /* add the new index entries */ for ( ap = e->e_attrs; ap != NULL; ap = ap->a_next ) { if (ap->a_flags & SLAP_ATTR_IXADD) { ap->a_flags &= ~SLAP_ATTR_IXADD; rc = mdb_index_values( op, tid, ap->a_desc, ap->a_nvals, e->e_id, SLAP_INDEX_ADD_OP ); if ( rc != LDAP_SUCCESS ) { Debug( LDAP_DEBUG_ANY, "%s: attribute \"%s\" index add failure\n", op->o_log_prefix, ap->a_desc->ad_cname.bv_val, 0 ); attrs_free( e->e_attrs ); e->e_attrs = save_attrs; return rc; } } } return rc; }
static int dupent_parseCtrl ( Operation *op, SlapReply *rs, LDAPControl *ctrl ) { ber_tag_t tag; BerElementBuffer berbuf; BerElement *ber = (BerElement *)&berbuf; ber_len_t len; BerVarray AttributeDescriptionList = NULL; ber_len_t cnt = sizeof(struct berval); ber_len_t off = 0; ber_int_t PartialApplicationAllowed = 1; dupent_t *ds = NULL; int i; if ( op->o_dupent != SLAP_CONTROL_NONE ) { rs->sr_text = "Dupent control specified multiple times"; return LDAP_PROTOCOL_ERROR; } if ( BER_BVISNULL( &ctrl->ldctl_value ) ) { rs->sr_text = "Dupent control value is absent"; return LDAP_PROTOCOL_ERROR; } if ( BER_BVISEMPTY( &ctrl->ldctl_value ) ) { rs->sr_text = "Dupent control value is empty"; return LDAP_PROTOCOL_ERROR; } ber_init2( ber, &ctrl->ldctl_value, 0 ); /* DuplicateEntryRequest ::= SEQUENCE { AttributeDescriptionList, -- from [RFC2251] PartialApplicationAllowed BOOLEAN DEFAULT TRUE } AttributeDescriptionList ::= SEQUENCE OF AttributeDescription AttributeDescription ::= LDAPString attributeDescription = AttributeType [ ";" <options> ] */ tag = ber_skip_tag( ber, &len ); if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX; if ( ber_scanf( ber, "{M}", &AttributeDescriptionList, &cnt, off ) == LBER_ERROR ) { rs->sr_text = "Dupent control: dupentSpec decoding error"; rs->sr_err = LDAP_PROTOCOL_ERROR; goto done; } tag = ber_skip_tag( ber, &len ); if ( tag == LBER_BOOLEAN ) { /* NOTE: PartialApplicationAllowed is ignored, since the control * can always be honored */ if ( ber_scanf( ber, "b", &PartialApplicationAllowed ) == LBER_ERROR ) { rs->sr_text = "Dupent control: dupentSpec decoding error"; rs->sr_err = LDAP_PROTOCOL_ERROR; goto done; } tag = ber_skip_tag( ber, &len ); } if ( len || tag != LBER_DEFAULT ) { rs->sr_text = "Dupent control: dupentSpec decoding error"; rs->sr_err = LDAP_PROTOCOL_ERROR; goto done; } ds = (dupent_t *)op->o_tmpcalloc( 1, sizeof(dupent_t) + sizeof(AttributeName)*cnt, op->o_tmpmemctx ); ds->ds_paa = PartialApplicationAllowed; if ( cnt == 0 ) { ds->ds_flags |= SLAP_USERATTRS_YES; } else { int c; ds->ds_an = (AttributeName *)&ds[ 1 ]; for ( i = 0, c = 0; i < cnt; i++ ) { const char *text; int j; int rc; AttributeDescription *ad = NULL; if ( bvmatch( &AttributeDescriptionList[i], slap_bv_all_user_attrs ) ) { if ( ds->ds_flags & SLAP_USERATTRS_YES ) { rs->sr_text = "Dupent control: AttributeDescription decoding error"; rs->sr_err = LDAP_PROTOCOL_ERROR; goto done; } ds->ds_flags |= SLAP_USERATTRS_YES; continue; } rc = slap_bv2ad( &AttributeDescriptionList[i], &ad, &text ); if ( rc != LDAP_SUCCESS ) { continue; } ds->ds_an[c].an_desc = ad; ds->ds_an[c].an_name = ad->ad_cname; /* FIXME: not specified; consider this an error, just in case */ for ( j = 0; j < c; j++ ) { if ( ds->ds_an[c].an_desc == ds->ds_an[j].an_desc ) { rs->sr_text = "Dupent control: AttributeDescription must be unique within AttributeDescriptionList"; rs->sr_err = LDAP_PROTOCOL_ERROR; goto done; } } c++; } ds->ds_nattrs = c; if ( ds->ds_flags & SLAP_USERATTRS_YES ) { /* purge user attrs */ for ( i = 0; i < ds->ds_nattrs; ) { if ( is_at_operational( ds->ds_an[i].an_desc->ad_type ) ) { i++; continue; } ds->ds_nattrs--; if ( i < ds->ds_nattrs ) { ds->ds_an[i] = ds->ds_an[ds->ds_nattrs]; } } } } op->o_ctrldupent = (void *)ds; op->o_dupent = ctrl->ldctl_iscritical ? SLAP_CONTROL_CRITICAL : SLAP_CONTROL_NONCRITICAL; rs->sr_err = LDAP_SUCCESS; done:; if ( rs->sr_err != LDAP_SUCCESS ) { op->o_tmpfree( ds, op->o_tmpmemctx ); } if ( AttributeDescriptionList != NULL ) { ber_memfree_x( AttributeDescriptionList, op->o_tmpmemctx ); } return rs->sr_err; }
int oc_check_allowed( AttributeType *at, ObjectClass **socs, ObjectClass *sc ) { int i, j; Debug( LDAP_DEBUG_TRACE, "oc_check_allowed type \"%s\"\n", at->sat_cname.bv_val ); /* always allow objectClass attribute */ if ( strcasecmp( at->sat_cname.bv_val, "objectClass" ) == 0 ) { return LDAP_SUCCESS; } /* * All operational attributions are allowed by schema rules. */ if( is_at_operational(at) ) { return LDAP_SUCCESS; } /* check to see if its allowed by the structuralObjectClass */ if( sc ) { /* does it require the type? */ for ( j = 0; sc->soc_required != NULL && sc->soc_required[j] != NULL; j++ ) { if( at == sc->soc_required[j] ) { return LDAP_SUCCESS; } } /* does it allow the type? */ for ( j = 0; sc->soc_allowed != NULL && sc->soc_allowed[j] != NULL; j++ ) { if( at == sc->soc_allowed[j] ) { return LDAP_SUCCESS; } } } /* check that the type appears as req or opt in at least one oc */ for ( i = 0; socs[i]; i++ ) { /* if we know about the oc */ ObjectClass *oc = socs[i]; /* extensibleObject allows all */ if ( oc == slap_schema.si_oc_extensibleObject ) { return LDAP_SUCCESS; } if ( oc != NULL && oc->soc_kind != LDAP_SCHEMA_ABSTRACT && ( sc == NULL || oc->soc_kind == LDAP_SCHEMA_AUXILIARY )) { /* does it require the type? */ for ( j = 0; oc->soc_required != NULL && oc->soc_required[j] != NULL; j++ ) { if( at == oc->soc_required[j] ) { return LDAP_SUCCESS; } } /* does it allow the type? */ for ( j = 0; oc->soc_allowed != NULL && oc->soc_allowed[j] != NULL; j++ ) { if( at == oc->soc_allowed[j] ) { return LDAP_SUCCESS; } } } } /* not allowed by any oc */ return LDAP_OBJECT_CLASS_VIOLATION; }
static int dupent_response_entry( Operation *op, SlapReply *rs ) { dupent_cb_t *dc = (dupent_cb_t *)op->o_callback->sc_private; int nattrs = 0; valnum_t *valnum = NULL; Attribute **app, *ap_list = NULL; int i, c; Entry *e = NULL; int rc; assert( rs->sr_type == REP_SEARCH ); for ( i = 0; i < dc->dc_ds->ds_nattrs; i++ ) { Attribute *ap; ap = attr_find( rs->sr_entry->e_attrs, dc->dc_ds->ds_an[ i ].an_desc ); if ( ap && ap->a_numvals > 1 ) { nattrs++; } } if ( dc->dc_ds->ds_flags & SLAP_USERATTRS_YES ) { Attribute *ap; for ( ap = rs->sr_entry->e_attrs; ap != NULL; ap = ap->a_next ) { if ( !is_at_operational( ap->a_desc->ad_type ) && ap->a_numvals > 1 ) { nattrs++; } } } if ( !nattrs ) { return SLAP_CB_CONTINUE; } rs_entry2modifiable( op, rs, dc->dc_on ); rs->sr_flags &= ~(REP_ENTRY_MODIFIABLE | REP_ENTRY_MUSTBEFREED); e = rs->sr_entry; valnum = op->o_tmpcalloc( sizeof(valnum_t), nattrs, op->o_tmpmemctx ); for ( c = 0, i = 0; i < dc->dc_ds->ds_nattrs; i++ ) { for ( app = &e->e_attrs; *app != NULL; app = &(*app)->a_next ) { if ( (*app)->a_desc == dc->dc_ds->ds_an[ i ].an_desc ) { break; } } if ( *app != NULL && (*app)->a_numvals > 1 ) { assert( c < nattrs ); dupent_attr_prepare( dc->dc_ds, e, valnum, nattrs, c, app, &ap_list ); c++; } } if ( dc->dc_ds->ds_flags & SLAP_USERATTRS_YES ) { for ( app = &e->e_attrs; *app != NULL; app = &(*app)->a_next ) { if ( !is_at_operational( (*app)->a_desc->ad_type ) && (*app)->a_numvals > 1 ) { assert( c < nattrs ); dupent_attr_prepare( dc->dc_ds, e, valnum, nattrs, c, app, &ap_list ); c++; } } } for ( app = &e->e_attrs; *app != NULL; app = &(*app)->a_next ) /* goto tail */ ; *app = &valnum[0].a; /* NOTE: since send_search_entry() does not honor the * REP_CTRLS_MUSTBEFREED flag set by slap_add_ctrls(), * the control could be added here once for all (ITS#6629) */ dc->dc_skip = 1; rc = dupent_response_entry_1level( op, rs, e, valnum, nattrs, 0 ); dc->dc_skip = 0; *app = ap_list; entry_free( e ); op->o_tmpfree( valnum, op->o_tmpmemctx ); return rc; }
static int constraint_update( Operation *op, SlapReply *rs ) { slap_overinst *on = (slap_overinst *) op->o_bd->bd_info; Backend *be = op->o_bd; constraint *c = on->on_bi.bi_private, *cp; Entry *target_entry = NULL, *target_entry_copy = NULL; Modifications *modlist, *m; BerVarray b = NULL; int i; struct berval rsv = BER_BVC("modify breaks constraint"); int rc; char *msg = NULL; if (get_relax(op)) { return SLAP_CB_CONTINUE; } switch ( op->o_tag ) { case LDAP_REQ_MODIFY: modlist = op->orm_modlist; break; case LDAP_REQ_MODRDN: modlist = op->orr_modlist; break; default: /* impossible! assert? */ return LDAP_OTHER; } Debug( LDAP_DEBUG_CONFIG|LDAP_DEBUG_NONE, "constraint_update()\n", 0,0,0); if ((m = modlist) == NULL) { op->o_bd->bd_info = (BackendInfo *)(on->on_info); send_ldap_error(op, rs, LDAP_INVALID_SYNTAX, "constraint_update() got null modlist"); return(rs->sr_err); } /* Do we need to count attributes? */ for(cp = c; cp; cp = cp->ap_next) { if (cp->count != 0 || cp->set || cp->restrict_lud != 0) { op->o_bd = on->on_info->oi_origdb; rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &target_entry ); op->o_bd = be; if (rc != 0 || target_entry == NULL) { Debug(LDAP_DEBUG_TRACE, "==> constraint_update rc = %d DN=\"%s\"%s\n", rc, op->o_req_ndn.bv_val, target_entry ? "" : " not found" ); if ( rc == 0 ) rc = LDAP_CONSTRAINT_VIOLATION; goto mod_violation; } break; } } rc = LDAP_CONSTRAINT_VIOLATION; for(;m; m = m->sml_next) { unsigned ce = 0; if (is_at_operational( m->sml_desc->ad_type )) continue; if ((( m->sml_op & LDAP_MOD_OP ) != LDAP_MOD_ADD) && (( m->sml_op & LDAP_MOD_OP ) != LDAP_MOD_REPLACE) && (( m->sml_op & LDAP_MOD_OP ) != LDAP_MOD_DELETE)) continue; /* we only care about ADD and REPLACE modifications */ /* and DELETE are used to track attribute count */ if ((( b = m->sml_values ) == NULL ) || (b[0].bv_val == NULL)) continue; /* Get this attribute count, if needed */ if (target_entry) ce = constraint_count_attr(target_entry, m->sml_desc); for(cp = c; cp; cp = cp->ap_next) { int j; for (j = 0; cp->ap[j]; j++) { if (cp->ap[j] == m->sml_desc) { break; } } if (cp->ap[j] == NULL) continue; if (cp->restrict_lud != NULL && constraint_check_restrict(op, cp, target_entry) == 0) { continue; } if (cp->count != 0) { unsigned ca; if (m->sml_op == LDAP_MOD_DELETE) ce = 0; for (ca = 0; b[ca].bv_val; ++ca); Debug(LDAP_DEBUG_TRACE, "==> constraint_update ce = %u, " "ca = %u, cp->count = %lu\n", ce, ca, (unsigned long) cp->count); if (m->sml_op == LDAP_MOD_ADD) { if (ca + ce > cp->count) { rc = LDAP_CONSTRAINT_VIOLATION; goto mod_violation; } } if (m->sml_op == LDAP_MOD_REPLACE) { if (ca > cp->count) { rc = LDAP_CONSTRAINT_VIOLATION; goto mod_violation; } ce = ca; } } /* DELETE are to be ignored beyond this point */ if (( m->sml_op & LDAP_MOD_OP ) == LDAP_MOD_DELETE) continue; for ( i = 0; b[i].bv_val; i++ ) { rc = constraint_violation( cp, &b[i], op, rs ); if ( rc ) { goto mod_violation; } } if (cp->set && target_entry) { if (target_entry_copy == NULL) { Modifications *ml; target_entry_copy = entry_dup(target_entry); /* if rename, set the new entry's name * (in normalized form only) */ if ( op->o_tag == LDAP_REQ_MODRDN ) { struct berval pdn, ndn = BER_BVNULL; if ( op->orr_nnewSup ) { pdn = *op->orr_nnewSup; } else { dnParent( &target_entry_copy->e_nname, &pdn ); } build_new_dn( &ndn, &pdn, &op->orr_nnewrdn, NULL ); ber_memfree( target_entry_copy->e_nname.bv_val ); target_entry_copy->e_nname = ndn; ber_bvreplace( &target_entry_copy->e_name, &ndn ); } /* apply modifications, in an attempt * to estimate what the entry would * look like in case all modifications * pass */ for ( ml = modlist; ml; ml = ml->sml_next ) { Modification *mod = &ml->sml_mod; const char *text; char textbuf[SLAP_TEXT_BUFLEN]; size_t textlen = sizeof(textbuf); int err; switch ( mod->sm_op ) { case LDAP_MOD_ADD: err = modify_add_values( target_entry_copy, mod, get_permissiveModify(op), &text, textbuf, textlen ); break; case LDAP_MOD_DELETE: err = modify_delete_values( target_entry_copy, mod, get_permissiveModify(op), &text, textbuf, textlen ); break; case LDAP_MOD_REPLACE: err = modify_replace_values( target_entry_copy, mod, get_permissiveModify(op), &text, textbuf, textlen ); break; case LDAP_MOD_INCREMENT: err = modify_increment_values( target_entry_copy, mod, get_permissiveModify(op), &text, textbuf, textlen ); break; case SLAP_MOD_SOFTADD: mod->sm_op = LDAP_MOD_ADD; err = modify_add_values( target_entry_copy, mod, get_permissiveModify(op), &text, textbuf, textlen ); mod->sm_op = SLAP_MOD_SOFTADD; if ( err == LDAP_TYPE_OR_VALUE_EXISTS ) { err = LDAP_SUCCESS; } break; case SLAP_MOD_SOFTDEL: mod->sm_op = LDAP_MOD_ADD; err = modify_delete_values( target_entry_copy, mod, get_permissiveModify(op), &text, textbuf, textlen ); mod->sm_op = SLAP_MOD_SOFTDEL; if ( err == LDAP_NO_SUCH_ATTRIBUTE ) { err = LDAP_SUCCESS; } break; case SLAP_MOD_ADD_IF_NOT_PRESENT: if ( attr_find( target_entry_copy->e_attrs, mod->sm_desc ) ) { err = LDAP_SUCCESS; break; } mod->sm_op = LDAP_MOD_ADD; err = modify_add_values( target_entry_copy, mod, get_permissiveModify(op), &text, textbuf, textlen ); mod->sm_op = SLAP_MOD_ADD_IF_NOT_PRESENT; break; default: err = LDAP_OTHER; break; } if ( err != LDAP_SUCCESS ) { rc = err; goto mod_violation; } } } if ( acl_match_set(&cp->val, op, target_entry_copy, NULL) == 0) { rc = LDAP_CONSTRAINT_VIOLATION; goto mod_violation; } } } } if (target_entry) { op->o_bd = on->on_info->oi_origdb; be_entry_release_r(op, target_entry); op->o_bd = be; } if (target_entry_copy) { entry_free(target_entry_copy); } return SLAP_CB_CONTINUE; mod_violation: /* violation */ if (target_entry) { op->o_bd = on->on_info->oi_origdb; be_entry_release_r(op, target_entry); op->o_bd = be; } if (target_entry_copy) { entry_free(target_entry_copy); } op->o_bd->bd_info = (BackendInfo *)(on->on_info); if ( rc == LDAP_CONSTRAINT_VIOLATION ) { msg = print_message( &rsv, m->sml_desc ); } send_ldap_error( op, rs, LDAP_CONSTRAINT_VIOLATION, msg ); ch_free(msg); return (rs->sr_err); }
static int monitor_subsys_log_modify( Operation *op, SlapReply *rs, Entry *e ) { monitor_info_t *mi = ( monitor_info_t * )op->o_bd->be_private; int rc = LDAP_OTHER; int newlevel = ldap_syslog; Attribute *save_attrs; Modifications *modlist = op->orm_modlist; Modifications *ml; ldap_pvt_thread_mutex_lock( &monitor_log_mutex ); save_attrs = e->e_attrs; e->e_attrs = attrs_dup( e->e_attrs ); for ( ml = modlist; ml != NULL; ml = ml->sml_next ) { Modification *mod = &ml->sml_mod; /* * accept all operational attributes; * this includes modifersName and modifyTimestamp * if lastmod is "on" */ if ( is_at_operational( mod->sm_desc->ad_type ) ) { ( void ) attr_delete( &e->e_attrs, mod->sm_desc ); rc = rs->sr_err = attr_merge( e, mod->sm_desc, mod->sm_values, mod->sm_nvalues ); if ( rc != LDAP_SUCCESS ) { break; } continue; /* * only the "managedInfo" attribute can be modified */ } else if ( mod->sm_desc != mi->mi_ad_managedInfo ) { rc = rs->sr_err = LDAP_UNWILLING_TO_PERFORM; break; } switch ( mod->sm_op ) { case LDAP_MOD_ADD: rc = add_values( op, e, mod, &newlevel ); break; case LDAP_MOD_DELETE: rc = delete_values( op, e, mod, &newlevel ); break; case LDAP_MOD_REPLACE: rc = replace_values( op, e, mod, &newlevel ); break; default: rc = LDAP_OTHER; break; } if ( rc != LDAP_SUCCESS ) { rs->sr_err = rc; break; } } /* set the new debug level */ if ( rc == LDAP_SUCCESS ) { const char *text; static char textbuf[ BACKMONITOR_BUFSIZE ]; /* check for abandon */ if ( op->o_abandon ) { rc = rs->sr_err = SLAPD_ABANDON; goto cleanup; } /* check that the entry still obeys the schema */ rc = entry_schema_check( op, e, save_attrs, 0, 0, NULL, &text, textbuf, sizeof( textbuf ) ); if ( rc != LDAP_SUCCESS ) { rs->sr_err = rc; goto cleanup; } /* * Do we need to protect this with a mutex? */ ldap_syslog = newlevel; #if 0 /* debug rather than log */ slap_debug = newlevel; lutil_set_debug_level( "slapd", slap_debug ); ber_set_option(NULL, LBER_OPT_DEBUG_LEVEL, &slap_debug); ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &slap_debug); ldif_debug = slap_debug; #endif } cleanup:; if ( rc == LDAP_SUCCESS ) { attrs_free( save_attrs ); } else { attrs_free( e->e_attrs ); e->e_attrs = save_attrs; } ldap_pvt_thread_mutex_unlock( &monitor_log_mutex ); if ( rc == LDAP_SUCCESS ) { rc = SLAP_CB_CONTINUE; } return rc; }
static int constraint_add( Operation *op, SlapReply *rs ) { slap_overinst *on = (slap_overinst *) op->o_bd->bd_info; Attribute *a; constraint *c = on->on_bi.bi_private, *cp; BerVarray b = NULL; int i; struct berval rsv = BER_BVC("add breaks constraint"); int rc; char *msg = NULL; if (get_relax(op)) { return SLAP_CB_CONTINUE; } if ((a = op->ora_e->e_attrs) == NULL) { op->o_bd->bd_info = (BackendInfo *)(on->on_info); send_ldap_error(op, rs, LDAP_INVALID_SYNTAX, "constraint_add: no attrs"); return(rs->sr_err); } for(; a; a = a->a_next ) { /* we don't constrain operational attributes */ if (is_at_operational(a->a_desc->ad_type)) continue; for(cp = c; cp; cp = cp->ap_next) { int j; for (j = 0; cp->ap[j]; j++) { if (cp->ap[j] == a->a_desc) break; } if (cp->ap[j] == NULL) continue; if ((b = a->a_vals) == NULL) continue; if (cp->restrict_lud != NULL && constraint_check_restrict(op, cp, op->ora_e) == 0) { continue; } Debug(LDAP_DEBUG_TRACE, "==> constraint_add, " "a->a_numvals = %u, cp->count = %lu\n", a->a_numvals, (unsigned long) cp->count, 0); if ((cp->count != 0) && (a->a_numvals > cp->count)) { rc = LDAP_CONSTRAINT_VIOLATION; goto add_violation; } for ( i = 0; b[i].bv_val; i++ ) { rc = constraint_violation( cp, &b[i], op, rs ); if ( rc ) { goto add_violation; } } if (cp->set && acl_match_set(&cp->val, op, op->ora_e, NULL) == 0) { rc = LDAP_CONSTRAINT_VIOLATION; goto add_violation; /* constraint violation */ } } } /* Default is to just fall through to the normal processing */ return SLAP_CB_CONTINUE; add_violation: op->o_bd->bd_info = (BackendInfo *)(on->on_info); if (rc == LDAP_CONSTRAINT_VIOLATION ) { msg = print_message( &rsv, a->a_desc ); } send_ldap_error(op, rs, rc, msg ); ch_free(msg); return (rs->sr_err); }
int ad_inlist( AttributeDescription *desc, AttributeName *attrs ) { if (! attrs ) return 0; for( ; attrs->an_name.bv_val; attrs++ ) { AttributeType *a; ObjectClass *oc; if ( attrs->an_desc ) { int lr; if ( desc == attrs->an_desc ) { return 1; } /* * EXTENSION: if requested description is preceeded by * a '-' character, do not match on subtypes. */ if ( attrs->an_name.bv_val[0] == '-' ) { continue; } /* Is this a subtype of the requested attr? */ for (a = desc->ad_type; a; a=a->sat_sup) { if ( a == attrs->an_desc->ad_type ) break; } if ( !a ) { continue; } /* Does desc support all the requested flags? */ lr = desc->ad_tags.bv_len ? SLAP_DESC_TAG_RANGE : 0; if(( attrs->an_desc->ad_flags & (desc->ad_flags | lr)) != attrs->an_desc->ad_flags ) { continue; } /* Do the descs have compatible tags? */ if ( attrs->an_desc->ad_tags.bv_len == 0 ) { return 1; } if ( desc->ad_tags.bv_len == 0) { continue; } if ( is_ad_subtags( &desc->ad_tags, &attrs->an_desc->ad_tags ) ) { return 1; } continue; } if ( ber_bvccmp( &attrs->an_name, '*' ) ) { if ( !is_at_operational( desc->ad_type ) ) { return 1; } continue; } if ( ber_bvccmp( &attrs->an_name, '+' ) ) { if ( is_at_operational( desc->ad_type ) ) { return 1; } continue; } /* * EXTENSION: see if requested description is @objectClass * if so, return attributes which the class requires/allows * else if requested description is !objectClass, return * attributes which the class does not require/allow */ if ( !( attrs->an_flags & SLAP_AN_OCINITED )) { if( attrs->an_name.bv_val ) { switch( attrs->an_name.bv_val[0] ) { case '@': /* @objectClass */ case '+': /* +objectClass (deprecated) */ case '!': { /* exclude */ struct berval ocname; ocname.bv_len = attrs->an_name.bv_len - 1; ocname.bv_val = &attrs->an_name.bv_val[1]; oc = oc_bvfind( &ocname ); if ( oc && attrs->an_name.bv_val[0] == '!' ) { attrs->an_flags |= SLAP_AN_OCEXCLUDE; } else { attrs->an_flags &= ~SLAP_AN_OCEXCLUDE; } } break; default: /* old (deprecated) way */ oc = oc_bvfind( &attrs->an_name ); } attrs->an_oc = oc; } attrs->an_flags |= SLAP_AN_OCINITED; } oc = attrs->an_oc; if( oc != NULL ) { if ( attrs->an_flags & SLAP_AN_OCEXCLUDE ) { if ( oc == slap_schema.si_oc_extensibleObject ) { /* extensibleObject allows the return of anything */ return 0; } if( oc->soc_required ) { /* allow return of required attributes */ int i; for ( i = 0; oc->soc_required[i] != NULL; i++ ) { for (a = desc->ad_type; a; a=a->sat_sup) { if ( a == oc->soc_required[i] ) { return 0; } } } } if( oc->soc_allowed ) { /* allow return of allowed attributes */ int i; for ( i = 0; oc->soc_allowed[i] != NULL; i++ ) { for (a = desc->ad_type; a; a=a->sat_sup) { if ( a == oc->soc_allowed[i] ) { return 0; } } } } return 1; } if ( oc == slap_schema.si_oc_extensibleObject ) { /* extensibleObject allows the return of anything */ return 1; } if( oc->soc_required ) { /* allow return of required attributes */ int i; for ( i = 0; oc->soc_required[i] != NULL; i++ ) { for (a = desc->ad_type; a; a=a->sat_sup) { if ( a == oc->soc_required[i] ) { return 1; } } } } if( oc->soc_allowed ) { /* allow return of allowed attributes */ int i; for ( i = 0; oc->soc_allowed[i] != NULL; i++ ) { for (a = desc->ad_type; a; a=a->sat_sup) { if ( a == oc->soc_allowed[i] ) { return 1; } } } } } else { const char *text; /* give it a chance of being retrieved by a proxy... */ (void)slap_bv2undef_ad( &attrs->an_name, &attrs->an_desc, &text, SLAP_AD_PROXIED|SLAP_AD_NOINSERT ); } } return 0; }
int slap_bv2ad( struct berval *bv, AttributeDescription **ad, const char **text ) { int rtn = LDAP_UNDEFINED_TYPE; AttributeDescription desc, *d2; char *name, *options, *optn; char *opt, *next; int ntags; int tagslen; /* hardcoded limits for speed */ #define MAX_TAGGING_OPTIONS 128 struct berval tags[MAX_TAGGING_OPTIONS+1]; #define MAX_TAGS_LEN 1024 char tagbuf[MAX_TAGS_LEN]; assert( ad != NULL ); assert( *ad == NULL ); /* temporary */ if( bv == NULL || BER_BVISNULL( bv ) || BER_BVISEMPTY( bv ) ) { *text = "empty AttributeDescription"; return rtn; } /* make sure description is IA5 */ if( ad_keystring( bv ) ) { *text = "AttributeDescription contains inappropriate characters"; return rtn; } /* find valid base attribute type; parse in place */ desc.ad_cname = *bv; desc.ad_flags = 0; BER_BVZERO( &desc.ad_tags ); name = bv->bv_val; options = ber_bvchr( bv, ';' ); if ( options != NULL && (unsigned) ( options - name ) < bv->bv_len ) { /* don't go past the end of the berval! */ desc.ad_cname.bv_len = options - name; } else { options = NULL; } desc.ad_type = at_bvfind( &desc.ad_cname ); if( desc.ad_type == NULL ) { *text = "attribute type undefined"; return rtn; } if( is_at_operational( desc.ad_type ) && options != NULL ) { *text = "operational attribute with options undefined"; return rtn; } /* * parse options in place */ ntags = 0; tagslen = 0; optn = bv->bv_val + bv->bv_len; for( opt=options; opt != NULL; opt=next ) { int optlen; opt++; next = strchrlen( opt, optn, ';', &optlen ); if( optlen == 0 ) { *text = "zero length option is invalid"; return rtn; } else if ( optlen == STRLENOF("binary") && strncasecmp( opt, "binary", STRLENOF("binary") ) == 0 ) { /* binary option */ if( slap_ad_is_binary( &desc ) ) { *text = "option \"binary\" specified multiple times"; return rtn; } if( !slap_syntax_is_binary( desc.ad_type->sat_syntax )) { /* not stored in binary, disallow option */ *text = "option \"binary\" not supported with type"; return rtn; } desc.ad_flags |= SLAP_DESC_BINARY; continue; } else if ( ad_find_option_definition( opt, optlen ) ) { int i; if( opt[optlen-1] == '-' || ( opt[optlen-1] == '=' && msad_range_hack )) { desc.ad_flags |= SLAP_DESC_TAG_RANGE; } if( ntags >= MAX_TAGGING_OPTIONS ) { *text = "too many tagging options"; return rtn; } /* * tags should be presented in sorted order, * so run the array in reverse. */ for( i=ntags-1; i>=0; i-- ) { int rc; rc = strncasecmp( opt, tags[i].bv_val, (unsigned) optlen < tags[i].bv_len ? (unsigned) optlen : tags[i].bv_len ); if( rc == 0 && (unsigned)optlen == tags[i].bv_len ) { /* duplicate (ignore) */ ntags--; goto done; } else if ( rc > 0 || ( rc == 0 && (unsigned)optlen > tags[i].bv_len )) { AC_MEMCPY( &tags[i+2], &tags[i+1], (ntags-i-1)*sizeof(struct berval) ); tags[i+1].bv_val = opt; tags[i+1].bv_len = optlen; goto done; } } if( ntags ) { AC_MEMCPY( &tags[1], &tags[0], ntags*sizeof(struct berval) ); } tags[0].bv_val = opt; tags[0].bv_len = optlen; done:; tagslen += optlen + 1; ntags++; } else { *text = "unrecognized option"; return rtn; } } if( ntags > 0 ) { int i; if( tagslen > MAX_TAGS_LEN ) { *text = "tagging options too long"; return rtn; } desc.ad_tags.bv_val = tagbuf; tagslen = 0; for( i=0; i<ntags; i++ ) { AC_MEMCPY( &desc.ad_tags.bv_val[tagslen], tags[i].bv_val, tags[i].bv_len ); tagslen += tags[i].bv_len; desc.ad_tags.bv_val[tagslen++] = ';'; } desc.ad_tags.bv_val[--tagslen] = '\0'; desc.ad_tags.bv_len = tagslen; } /* see if a matching description is already cached */ for (d2 = desc.ad_type->sat_ad; d2; d2=d2->ad_next) { if( d2->ad_flags != desc.ad_flags ) { continue; } if( d2->ad_tags.bv_len != desc.ad_tags.bv_len ) { continue; } if( d2->ad_tags.bv_len == 0 ) { break; } if( strncasecmp( d2->ad_tags.bv_val, desc.ad_tags.bv_val, desc.ad_tags.bv_len ) == 0 ) { break; } } /* Not found, add new one */ while (d2 == NULL) { size_t dlen = 0; ldap_pvt_thread_mutex_lock( &desc.ad_type->sat_ad_mutex ); /* check again now that we've locked */ for (d2 = desc.ad_type->sat_ad; d2; d2=d2->ad_next) { if (d2->ad_flags != desc.ad_flags) continue; if (d2->ad_tags.bv_len != desc.ad_tags.bv_len) continue; if (d2->ad_tags.bv_len == 0) break; if (strncasecmp(d2->ad_tags.bv_val, desc.ad_tags.bv_val, desc.ad_tags.bv_len) == 0) break; } if (d2) { ldap_pvt_thread_mutex_unlock( &desc.ad_type->sat_ad_mutex ); break; } /* Allocate a single contiguous block. If there are no * options, we just need space for the AttrDesc structure. * Otherwise, we need to tack on the full name length + * options length, + maybe tagging options length again. */ if (desc.ad_tags.bv_len || desc.ad_flags != SLAP_DESC_NONE) { dlen = desc.ad_type->sat_cname.bv_len + 1; if (desc.ad_tags.bv_len) { dlen += 1 + desc.ad_tags.bv_len; } if ( slap_ad_is_binary( &desc ) ) { dlen += 1 + STRLENOF(";binary") + desc.ad_tags.bv_len; } } d2 = ch_malloc(sizeof(AttributeDescription) + dlen); d2->ad_next = NULL; d2->ad_type = desc.ad_type; d2->ad_flags = desc.ad_flags; d2->ad_cname.bv_len = desc.ad_type->sat_cname.bv_len; d2->ad_tags.bv_len = desc.ad_tags.bv_len; ldap_pvt_thread_mutex_lock( &ad_index_mutex ); d2->ad_index = ++ad_count; ldap_pvt_thread_mutex_unlock( &ad_index_mutex ); if (dlen == 0) { d2->ad_cname.bv_val = d2->ad_type->sat_cname.bv_val; d2->ad_tags.bv_val = NULL; } else { char *cp, *op, *lp; int j; d2->ad_cname.bv_val = (char *)(d2+1); strcpy(d2->ad_cname.bv_val, d2->ad_type->sat_cname.bv_val); cp = d2->ad_cname.bv_val + d2->ad_cname.bv_len; if( slap_ad_is_binary( &desc ) ) { op = cp; lp = NULL; if( desc.ad_tags.bv_len ) { lp = desc.ad_tags.bv_val; while( strncasecmp(lp, "binary", STRLENOF("binary")) < 0 && (lp = strchr( lp, ';' )) != NULL ) ++lp; if( lp != desc.ad_tags.bv_val ) { *cp++ = ';'; j = (lp ? (unsigned) (lp - desc.ad_tags.bv_val - 1) : strlen( desc.ad_tags.bv_val )); cp = lutil_strncopy(cp, desc.ad_tags.bv_val, j); } } cp = lutil_strcopy(cp, ";binary"); if( lp != NULL ) { *cp++ = ';'; cp = lutil_strcopy(cp, lp); } d2->ad_cname.bv_len = cp - d2->ad_cname.bv_val; if( desc.ad_tags.bv_len ) ldap_pvt_str2lower(op); j = 1; } else { j = 0; } if( desc.ad_tags.bv_len ) { lp = d2->ad_cname.bv_val + d2->ad_cname.bv_len + j; if ( j == 0 ) *lp++ = ';'; d2->ad_tags.bv_val = lp; strcpy(lp, desc.ad_tags.bv_val); ldap_pvt_str2lower(lp); if( j == 0 ) d2->ad_cname.bv_len += 1 + desc.ad_tags.bv_len; } } /* Add new desc to list. We always want the bare Desc with * no options to stay at the head of the list, assuming * that one will be used most frequently. */ if (desc.ad_type->sat_ad == NULL || dlen == 0) { d2->ad_next = desc.ad_type->sat_ad; desc.ad_type->sat_ad = d2; } else { d2->ad_next = desc.ad_type->sat_ad->ad_next; desc.ad_type->sat_ad->ad_next = d2; } ldap_pvt_thread_mutex_unlock( &desc.ad_type->sat_ad_mutex ); } if( *ad == NULL ) { *ad = d2; } else { **ad = *d2; } return LDAP_SUCCESS; }
int backsql_compare( Operation *op, SlapReply *rs ) { SQLHDBC dbh = SQL_NULL_HDBC; Entry e = { 0 }; Attribute *a = NULL; backsql_srch_info bsi = { 0 }; int rc; int manageDSAit = get_manageDSAit( op ); AttributeName anlist[2]; Debug( LDAP_DEBUG_TRACE, "==>backsql_compare()\n", 0, 0, 0 ); rs->sr_err = backsql_get_db_conn( op, &dbh ); if ( rs->sr_err != LDAP_SUCCESS ) { Debug( LDAP_DEBUG_TRACE, "backsql_compare(): " "could not get connection handle - exiting\n", 0, 0, 0 ); rs->sr_text = ( rs->sr_err == LDAP_OTHER ) ? "SQL-backend error" : NULL; goto return_results; } anlist[ 0 ].an_name = op->oq_compare.rs_ava->aa_desc->ad_cname; anlist[ 0 ].an_desc = op->oq_compare.rs_ava->aa_desc; BER_BVZERO( &anlist[ 1 ].an_name ); /* * Get the entry */ bsi.bsi_e = &e; rc = backsql_init_search( &bsi, &op->o_req_ndn, LDAP_SCOPE_BASE, (time_t)(-1), NULL, dbh, op, rs, anlist, ( BACKSQL_ISF_MATCHED | BACKSQL_ISF_GET_ENTRY ) ); switch ( rc ) { case LDAP_SUCCESS: break; case LDAP_REFERRAL: if ( manageDSAit && !BER_BVISNULL( &bsi.bsi_e->e_nname ) && dn_match( &op->o_req_ndn, &bsi.bsi_e->e_nname ) ) { rs->sr_err = LDAP_SUCCESS; rs->sr_text = NULL; rs->sr_matched = NULL; if ( rs->sr_ref ) { ber_bvarray_free( rs->sr_ref ); rs->sr_ref = NULL; } break; } /* fallthru */ default: Debug( LDAP_DEBUG_TRACE, "backsql_compare(): " "could not retrieve compareDN ID - no such entry\n", 0, 0, 0 ); goto return_results; } if ( get_assert( op ) && ( test_filter( op, &e, get_assertion( op ) ) != LDAP_COMPARE_TRUE ) ) { rs->sr_err = LDAP_ASSERTION_FAILED; goto return_results; } if ( is_at_operational( op->oq_compare.rs_ava->aa_desc->ad_type ) ) { SlapReply nrs = { REP_SEARCH }; Attribute **ap; for ( ap = &e.e_attrs; *ap; ap = &(*ap)->a_next ) ; nrs.sr_attrs = anlist; nrs.sr_entry = &e; nrs.sr_attr_flags = SLAP_OPATTRS_NO; nrs.sr_operational_attrs = NULL; rs->sr_err = backsql_operational( op, &nrs ); if ( rs->sr_err != LDAP_SUCCESS ) { goto return_results; } *ap = nrs.sr_operational_attrs; } if ( ! access_allowed( op, &e, op->oq_compare.rs_ava->aa_desc, &op->oq_compare.rs_ava->aa_value, ACL_COMPARE, NULL ) ) { rs->sr_err = LDAP_INSUFFICIENT_ACCESS; goto return_results; } rs->sr_err = LDAP_NO_SUCH_ATTRIBUTE; for ( a = attrs_find( e.e_attrs, op->oq_compare.rs_ava->aa_desc ); a != NULL; a = attrs_find( a->a_next, op->oq_compare.rs_ava->aa_desc ) ) { rs->sr_err = LDAP_COMPARE_FALSE; if ( attr_valfind( a, SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH | SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH, &op->oq_compare.rs_ava->aa_value, NULL, op->o_tmpmemctx ) == 0 ) { rs->sr_err = LDAP_COMPARE_TRUE; break; } } return_results:; switch ( rs->sr_err ) { case LDAP_COMPARE_TRUE: case LDAP_COMPARE_FALSE: break; default: if ( !BER_BVISNULL( &e.e_nname ) && ! access_allowed( op, &e, slap_schema.si_ad_entry, NULL, ACL_DISCLOSE, NULL ) ) { rs->sr_err = LDAP_NO_SUCH_OBJECT; rs->sr_text = NULL; } break; } send_ldap_result( op, rs ); if ( rs->sr_matched ) { rs->sr_matched = NULL; } if ( rs->sr_ref ) { ber_bvarray_free( rs->sr_ref ); rs->sr_ref = NULL; } if ( !BER_BVISNULL( &bsi.bsi_base_id.eid_ndn ) ) { (void)backsql_free_entryID( &bsi.bsi_base_id, 0, op->o_tmpmemctx ); } if ( !BER_BVISNULL( &e.e_nname ) ) { backsql_entry_clean( op, &e ); } if ( bsi.bsi_attrs != NULL ) { op->o_tmpfree( bsi.bsi_attrs, op->o_tmpmemctx ); } Debug(LDAP_DEBUG_TRACE,"<==backsql_compare()\n",0,0,0); switch ( rs->sr_err ) { case LDAP_COMPARE_TRUE: case LDAP_COMPARE_FALSE: return LDAP_SUCCESS; default: return rs->sr_err; } }
int slap_send_search_entry( Operation *op, SlapReply *rs ) { BerElementBuffer berbuf; BerElement *ber = (BerElement *) &berbuf; Attribute *a; int i, j, rc = LDAP_UNAVAILABLE, bytes; int userattrs; AccessControlState acl_state = ACL_STATE_INIT; int attrsonly; AttributeDescription *ad_entry = slap_schema.si_ad_entry; /* a_flags: array of flags telling if the i-th element will be * returned or filtered out * e_flags: array of a_flags */ char **e_flags = NULL; rs->sr_type = REP_SEARCH; if ( op->ors_slimit >= 0 && rs->sr_nentries >= op->ors_slimit ) { rc = LDAP_SIZELIMIT_EXCEEDED; goto error_return; } /* Every 64 entries, check for thread pool pause */ if ( ( ( rs->sr_nentries & 0x3f ) == 0x3f ) && ldap_pvt_thread_pool_pausing( &connection_pool ) > 0 ) { rc = LDAP_BUSY; goto error_return; } /* eventually will loop through generated operational attribute types * currently implemented types include: * entryDN, subschemaSubentry, and hasSubordinates */ /* NOTE: moved before overlays callback circling because * they may modify entry and other stuff in rs */ /* check for special all operational attributes ("+") type */ /* FIXME: maybe we could set this flag at the operation level; * however, in principle the caller of send_search_entry() may * change the attribute list at each call */ rs->sr_attr_flags = slap_attr_flags( rs->sr_attrs ); rc = backend_operational( op, rs ); if ( rc ) { goto error_return; } if ( op->o_callback ) { rc = slap_response_play( op, rs ); if ( rc != SLAP_CB_CONTINUE ) { goto error_return; } } Debug( LDAP_DEBUG_TRACE, "=> send_search_entry: conn %lu dn=\"%s\"%s\n", op->o_connid, rs->sr_entry->e_name.bv_val, op->ors_attrsonly ? " (attrsOnly)" : "" ); attrsonly = op->ors_attrsonly; if ( !access_allowed( op, rs->sr_entry, ad_entry, NULL, ACL_READ, NULL )) { Debug( LDAP_DEBUG_ACL, "send_search_entry: conn %lu access to entry (%s) not allowed\n", op->o_connid, rs->sr_entry->e_name.bv_val ); rc = LDAP_INSUFFICIENT_ACCESS; goto error_return; } if ( op->o_res_ber ) { /* read back control or LDAP_CONNECTIONLESS */ ber = op->o_res_ber; } else { struct berval bv; bv.bv_len = entry_flatsize( rs->sr_entry, 0 ); bv.bv_val = op->o_tmpalloc( bv.bv_len, op->o_tmpmemctx ); ber_init2( ber, &bv, LBER_USE_DER ); ber_set_option( ber, LBER_OPT_BER_MEMCTX, &op->o_tmpmemctx ); } #ifdef LDAP_CONNECTIONLESS if ( op->o_conn && op->o_conn->c_is_udp ) { /* CONNECTIONLESS */ if ( op->o_protocol == LDAP_VERSION2 ) { rc = ber_printf(ber, "t{O{" /*}}*/, LDAP_RES_SEARCH_ENTRY, &rs->sr_entry->e_name ); } else { rc = ber_printf( ber, "{it{O{" /*}}}*/, op->o_msgid, LDAP_RES_SEARCH_ENTRY, &rs->sr_entry->e_name ); } } else #endif if ( op->o_res_ber ) { /* read back control */ rc = ber_printf( ber, "t{O{" /*}}*/, LDAP_RES_SEARCH_ENTRY, &rs->sr_entry->e_name ); } else { rc = ber_printf( ber, "{it{O{" /*}}}*/, op->o_msgid, LDAP_RES_SEARCH_ENTRY, &rs->sr_entry->e_name ); } if ( rc == -1 ) { Debug( LDAP_DEBUG_ANY, "send_search_entry: conn %lu ber_printf failed\n", op->o_connid ); if ( op->o_res_ber == NULL ) ber_free_buf( ber ); set_ldap_error( rs, LDAP_OTHER, "encoding DN error" ); rc = rs->sr_err; goto error_return; } /* check for special all user attributes ("*") type */ userattrs = SLAP_USERATTRS( rs->sr_attr_flags ); /* create an array of arrays of flags. Each flag corresponds * to particular value of attribute and equals 1 if value matches * to ValuesReturnFilter or 0 if not */ if ( op->o_vrFilter != NULL ) { int k = 0; size_t size; for ( a = rs->sr_entry->e_attrs, i=0; a != NULL; a = a->a_next, i++ ) { for ( j = 0; a->a_vals[j].bv_val != NULL; j++ ) k++; } size = i * sizeof(char *) + k; if ( size > 0 ) { char *a_flags; e_flags = slap_sl_calloc ( 1, i * sizeof(char *) + k, op->o_tmpmemctx ); if( e_flags == NULL ) { Debug( LDAP_DEBUG_ANY, "send_search_entry: conn %lu slap_sl_calloc failed\n", op->o_connid ); ber_free( ber, 1 ); set_ldap_error( rs, LDAP_OTHER, "out of memory" ); goto error_return; } a_flags = (char *)(e_flags + i); memset( a_flags, 0, k ); for ( a=rs->sr_entry->e_attrs, i=0; a != NULL; a=a->a_next, i++ ) { for ( j = 0; a->a_vals[j].bv_val != NULL; j++ ); e_flags[i] = a_flags; a_flags += j; } rc = filter_matched_values(op, rs->sr_entry->e_attrs, &e_flags) ; if ( rc == -1 ) { Debug( LDAP_DEBUG_ANY, "send_search_entry: " "conn %lu matched values filtering failed\n", op->o_connid ); if ( op->o_res_ber == NULL ) ber_free_buf( ber ); set_ldap_error( rs, LDAP_OTHER, "matched values filtering error" ); rc = rs->sr_err; goto error_return; } } } for ( a = rs->sr_entry->e_attrs, j = 0; a != NULL; a = a->a_next, j++ ) { AttributeDescription *desc = a->a_desc; int finish = 0; if ( rs->sr_attrs == NULL ) { /* all user attrs request, skip operational attributes */ if( is_at_operational( desc->ad_type ) ) { continue; } } else { /* specific attrs requested */ if ( is_at_operational( desc->ad_type ) ) { /* if not explicitly requested */ if ( !ad_inlist( desc, rs->sr_attrs )) { /* if not all op attrs requested, skip */ if ( !SLAP_OPATTRS( rs->sr_attr_flags )) continue; /* if DSA-specific and replicating, skip */ if ( op->o_sync != SLAP_CONTROL_NONE && desc->ad_type->sat_usage == LDAP_SCHEMA_DSA_OPERATION ) continue; } } else { if ( !userattrs && !ad_inlist( desc, rs->sr_attrs ) ) { continue; } } } if ( attrsonly ) { if ( ! access_allowed( op, rs->sr_entry, desc, NULL, ACL_READ, &acl_state ) ) { Debug( LDAP_DEBUG_ACL, "send_search_entry: " "conn %lu access to attribute %s not allowed\n", op->o_connid, desc->ad_cname.bv_val ); continue; } if (( rc = ber_printf( ber, "{O[" /*]}*/ , &desc->ad_cname )) == -1 ) { Debug( LDAP_DEBUG_ANY, "send_search_entry: conn %lu ber_printf failed\n", op->o_connid ); if ( op->o_res_ber == NULL ) ber_free_buf( ber ); set_ldap_error( rs, LDAP_OTHER, "encoding description error"); rc = rs->sr_err; goto error_return; } finish = 1; } else { int first = 1; for ( i = 0; a->a_nvals[i].bv_val != NULL; i++ ) { if ( ! access_allowed( op, rs->sr_entry, desc, &a->a_nvals[i], ACL_READ, &acl_state ) ) { Debug( LDAP_DEBUG_ACL, "send_search_entry: conn %lu " "access to attribute %s, value #%d not allowed\n", op->o_connid, desc->ad_cname.bv_val, i ); continue; } if ( op->o_vrFilter && e_flags[j][i] == 0 ){ continue; } if ( first ) { first = 0; finish = 1; if (( rc = ber_printf( ber, "{O[" /*]}*/ , &desc->ad_cname )) == -1 ) { Debug( LDAP_DEBUG_ANY, "send_search_entry: conn %lu ber_printf failed\n", op->o_connid ); if ( op->o_res_ber == NULL ) ber_free_buf( ber ); set_ldap_error( rs, LDAP_OTHER, "encoding description error"); rc = rs->sr_err; goto error_return; } } if (( rc = ber_printf( ber, "O", &a->a_vals[i] )) == -1 ) { Debug( LDAP_DEBUG_ANY, "send_search_entry: conn %lu " "ber_printf failed.\n", op->o_connid ); if ( op->o_res_ber == NULL ) ber_free_buf( ber ); set_ldap_error( rs, LDAP_OTHER, "encoding values error" ); rc = rs->sr_err; goto error_return; } } } if ( finish && ( rc = ber_printf( ber, /*{[*/ "]N}" )) == -1 ) { Debug( LDAP_DEBUG_ANY, "send_search_entry: conn %lu ber_printf failed\n", op->o_connid ); if ( op->o_res_ber == NULL ) ber_free_buf( ber ); set_ldap_error( rs, LDAP_OTHER, "encode end error" ); rc = rs->sr_err; goto error_return; } } /* NOTE: moved before overlays callback circling because * they may modify entry and other stuff in rs */ if ( rs->sr_operational_attrs != NULL && op->o_vrFilter != NULL ) { int k = 0; size_t size; for ( a = rs->sr_operational_attrs, i=0; a != NULL; a = a->a_next, i++ ) { for ( j = 0; a->a_vals[j].bv_val != NULL; j++ ) k++; } size = i * sizeof(char *) + k; if ( size > 0 ) { char *a_flags, **tmp; /* * Reuse previous memory - we likely need less space * for operational attributes */ tmp = slap_sl_realloc( e_flags, i * sizeof(char *) + k, op->o_tmpmemctx ); if ( tmp == NULL ) { Debug( LDAP_DEBUG_ANY, "send_search_entry: conn %lu " "not enough memory " "for matched values filtering\n", op->o_connid ); if ( op->o_res_ber == NULL ) ber_free_buf( ber ); set_ldap_error( rs, LDAP_OTHER, "not enough memory for matched values filtering" ); goto error_return; } e_flags = tmp; a_flags = (char *)(e_flags + i); memset( a_flags, 0, k ); for ( a = rs->sr_operational_attrs, i=0; a != NULL; a = a->a_next, i++ ) { for ( j = 0; a->a_vals[j].bv_val != NULL; j++ ); e_flags[i] = a_flags; a_flags += j; } rc = filter_matched_values(op, rs->sr_operational_attrs, &e_flags) ; if ( rc == -1 ) { Debug( LDAP_DEBUG_ANY, "send_search_entry: conn %lu " "matched values filtering failed\n", op->o_connid); if ( op->o_res_ber == NULL ) ber_free_buf( ber ); set_ldap_error( rs, LDAP_OTHER, "matched values filtering error" ); rc = rs->sr_err; goto error_return; } } } for (a = rs->sr_operational_attrs, j=0; a != NULL; a = a->a_next, j++ ) { AttributeDescription *desc = a->a_desc; if ( rs->sr_attrs == NULL ) { /* all user attrs request, skip operational attributes */ if( is_at_operational( desc->ad_type ) ) { continue; } } else { /* specific attrs requested */ if( is_at_operational( desc->ad_type ) ) { if ( !SLAP_OPATTRS( rs->sr_attr_flags ) && !ad_inlist( desc, rs->sr_attrs ) ) { continue; } /* if DSA-specific and replicating, skip */ if ( op->o_sync != SLAP_CONTROL_NONE && desc->ad_type->sat_usage == LDAP_SCHEMA_DSA_OPERATION ) continue; } else { if ( !userattrs && !ad_inlist( desc, rs->sr_attrs ) ) { continue; } } } if ( ! access_allowed( op, rs->sr_entry, desc, NULL, ACL_READ, &acl_state ) ) { Debug( LDAP_DEBUG_ACL, "send_search_entry: conn %lu " "access to attribute %s not allowed\n", op->o_connid, desc->ad_cname.bv_val ); continue; } rc = ber_printf( ber, "{O[" /*]}*/ , &desc->ad_cname ); if ( rc == -1 ) { Debug( LDAP_DEBUG_ANY, "send_search_entry: conn %lu " "ber_printf failed\n", op->o_connid ); if ( op->o_res_ber == NULL ) ber_free_buf( ber ); set_ldap_error( rs, LDAP_OTHER, "encoding description error" ); rc = rs->sr_err; goto error_return; } if ( ! attrsonly ) { for ( i = 0; a->a_vals[i].bv_val != NULL; i++ ) { if ( ! access_allowed( op, rs->sr_entry, desc, &a->a_vals[i], ACL_READ, &acl_state ) ) { Debug( LDAP_DEBUG_ACL, "send_search_entry: conn %lu " "access to %s, value %d not allowed\n", op->o_connid, desc->ad_cname.bv_val, i ); continue; } if ( op->o_vrFilter && e_flags[j][i] == 0 ){ continue; } if (( rc = ber_printf( ber, "O", &a->a_vals[i] )) == -1 ) { Debug( LDAP_DEBUG_ANY, "send_search_entry: conn %lu ber_printf failed\n", op->o_connid ); if ( op->o_res_ber == NULL ) ber_free_buf( ber ); set_ldap_error( rs, LDAP_OTHER, "encoding values error" ); rc = rs->sr_err; goto error_return; } } } if (( rc = ber_printf( ber, /*{[*/ "]N}" )) == -1 ) { Debug( LDAP_DEBUG_ANY, "send_search_entry: conn %lu ber_printf failed\n", op->o_connid ); if ( op->o_res_ber == NULL ) ber_free_buf( ber ); set_ldap_error( rs, LDAP_OTHER, "encode end error" ); rc = rs->sr_err; goto error_return; } } /* free e_flags */ if ( e_flags ) { slap_sl_free( e_flags, op->o_tmpmemctx ); e_flags = NULL; } rc = ber_printf( ber, /*{{*/ "}N}" ); if( rc != -1 ) { rc = send_ldap_controls( op, ber, rs->sr_ctrls ); } if( rc != -1 ) { #ifdef LDAP_CONNECTIONLESS if( op->o_conn && op->o_conn->c_is_udp ) { if ( op->o_protocol != LDAP_VERSION2 ) { rc = ber_printf( ber, /*{*/ "N}" ); } } else #endif if ( op->o_res_ber == NULL ) { rc = ber_printf( ber, /*{*/ "N}" ); } } if ( rc == -1 ) { Debug( LDAP_DEBUG_ANY, "ber_printf failed\n" ); if ( op->o_res_ber == NULL ) ber_free_buf( ber ); set_ldap_error( rs, LDAP_OTHER, "encode entry end error" ); rc = rs->sr_err; goto error_return; } Statslog( LDAP_DEBUG_STATS2, "%s ENTRY dn=\"%s\"\n", op->o_log_prefix, rs->sr_entry->e_nname.bv_val ); rs_flush_entry( op, rs, NULL ); if ( op->o_res_ber == NULL ) { bytes = send_ldap_ber( op, ber ); ber_free_buf( ber ); if ( bytes < 0 ) { Debug( LDAP_DEBUG_ANY, "send_search_entry: conn %lu ber write failed.\n", op->o_connid ); rc = LDAP_UNAVAILABLE; goto error_return; } rs->sr_nentries++; ldap_pvt_thread_mutex_lock( &op->o_counters->sc_mutex ); ldap_pvt_mp_add_ulong( op->o_counters->sc_bytes, (unsigned long)bytes ); ldap_pvt_mp_add_ulong( op->o_counters->sc_entries, 1 ); ldap_pvt_mp_add_ulong( op->o_counters->sc_pdu, 1 ); ldap_pvt_thread_mutex_unlock( &op->o_counters->sc_mutex ); } Debug( LDAP_DEBUG_TRACE, "<= send_search_entry: conn %lu exit.\n", op->o_connid ); rc = LDAP_SUCCESS; error_return:; if ( op->o_callback ) { (void)slap_cleanup_play( op, rs ); } if ( e_flags ) { slap_sl_free( e_flags, op->o_tmpmemctx ); } /* FIXME: Can break if rs now contains an extended response */ if ( rs->sr_operational_attrs ) { attrs_free( rs->sr_operational_attrs ); rs->sr_operational_attrs = NULL; } rs->sr_attr_flags = SLAP_ATTRS_UNDEFINED; if ( op->o_tag == LDAP_REQ_SEARCH && rs->sr_type == REP_SEARCH ) { rs_flush_entry( op, rs, NULL ); } else { RS_ASSERT( (rs->sr_flags & REP_ENTRY_MASK) == 0 ); } if ( rs->sr_flags & REP_CTRLS_MUSTBEFREED ) { rs->sr_flags ^= REP_CTRLS_MUSTBEFREED; /* paranoia */ if ( rs->sr_ctrls ) { slap_free_ctrls( op, rs->sr_ctrls ); rs->sr_ctrls = NULL; } } return( rc ); }