static int
slapi_over_compute_output(
computed_attr_context *c,
Slapi_Attr *attribute,
Slapi_Entry *entry
)
{
Attribute **a;
AttributeDescription *desc;
SlapReply *rs;
if ( c == NULL || attribute == NULL || entry == NULL ) {
return 0;
}
rs = (SlapReply *)c->cac_private;
assert( rs->sr_entry == entry );
desc = attribute->a_desc;
if ( rs->sr_attrs == NULL ) {
/* All attrs request, skip operational attributes */
if ( is_at_operational( desc->ad_type ) ) {
return 0;
}
} else {
/* Specific attributes requested */
if ( is_at_operational( desc->ad_type ) ) {
if ( !SLAP_OPATTRS( rs->sr_attr_flags ) &&
!ad_inlist( desc, rs->sr_attrs ) ) {
return 0;
}
} else {
if ( !SLAP_USERATTRS( rs->sr_attr_flags ) &&
!ad_inlist( desc, rs->sr_attrs ) ) {
return 0;
}
}
}
/* XXX perhaps we should check for existing attributes and merge */
for ( a = &rs->sr_operational_attrs; *a != NULL; a = &(*a)->a_next )
;
*a = slapi_attr_dup( attribute );
return 0;
}
static int
dynlist_prepare_entry( Operation *op, SlapReply *rs, dynlist_info_t *dli )
{
Attribute *a, *id = NULL;
slap_callback cb = { 0 };
Operation o = *op;
struct berval *url;
Entry *e;
int opattrs,
userattrs;
dynlist_sc_t dlc = { 0 };
dynlist_map_t *dlm;
a = attrs_find( rs->sr_entry->e_attrs, dli->dli_ad );
if ( a == NULL ) {
/* FIXME: error? */
return SLAP_CB_CONTINUE;
}
opattrs = SLAP_OPATTRS( rs->sr_attr_flags );
userattrs = SLAP_USERATTRS( rs->sr_attr_flags );
/* Don't generate member list if it wasn't requested */
for ( dlm = dli->dli_dlm; dlm; dlm = dlm->dlm_next ) {
AttributeDescription *ad = dlm->dlm_mapped_ad ? dlm->dlm_mapped_ad : dlm->dlm_member_ad;
if ( userattrs || ad_inlist( ad, rs->sr_attrs ) )
break;
}
if ( dli->dli_dlm && !dlm )
return SLAP_CB_CONTINUE;
if ( ad_dgIdentity && ( id = attrs_find( rs->sr_entry->e_attrs, ad_dgIdentity ))) {
Attribute *authz = NULL;
/* if not rootdn and dgAuthz is present,
* check if user can be authorized as dgIdentity */
if ( ad_dgAuthz && !BER_BVISEMPTY( &id->a_nvals[0] ) && !be_isroot( op )
&& ( authz = attrs_find( rs->sr_entry->e_attrs, ad_dgAuthz ) ) )
{
if ( slap_sasl_matches( op, authz->a_nvals,
&o.o_ndn, &o.o_ndn ) != LDAP_SUCCESS )
{
return SLAP_CB_CONTINUE;
}
}
o.o_dn = id->a_vals[0];
o.o_ndn = id->a_nvals[0];
o.o_groups = NULL;
}
e = rs->sr_entry;
/* ensure e is modifiable, but do not replace
* sr_entry yet since we have pointers into it */
if ( !( rs->sr_flags & REP_ENTRY_MODIFIABLE ) ) {
e = entry_dup( rs->sr_entry );
}
dlc.dlc_e = e;
dlc.dlc_dli = dli;
cb.sc_private = &dlc;
cb.sc_response = dynlist_sc_update;
o.o_callback = &cb;
o.ors_deref = LDAP_DEREF_NEVER;
o.ors_limit = NULL;
o.ors_tlimit = SLAP_NO_LIMIT;
o.ors_slimit = SLAP_NO_LIMIT;
for ( url = a->a_nvals; !BER_BVISNULL( url ); url++ ) {
LDAPURLDesc *lud = NULL;
int i, j;
struct berval dn;
int rc;
BER_BVZERO( &o.o_req_dn );
BER_BVZERO( &o.o_req_ndn );
o.ors_filter = NULL;
o.ors_attrs = NULL;
BER_BVZERO( &o.ors_filterstr );
if ( ldap_url_parse( url->bv_val, &lud ) != LDAP_URL_SUCCESS ) {
/* FIXME: error? */
continue;
}
if ( lud->lud_host != NULL ) {
/* FIXME: host not allowed; reject as illegal? */
Debug( LDAP_DEBUG_ANY, "dynlist_prepare_entry(\"%s\"): "
"illegal URI \"%s\"\n",
e->e_name.bv_val, url->bv_val, 0 );
goto cleanup;
}
if ( lud->lud_dn == NULL ) {
/* note that an empty base is not honored in terms
* of defaultSearchBase, because select_backend()
* is not aware of the defaultSearchBase option;
* this can be useful in case of a database serving
* the empty suffix */
BER_BVSTR( &dn, "" );
} else {
ber_str2bv( lud->lud_dn, 0, 0, &dn );
}
rc = dnPrettyNormal( NULL, &dn, &o.o_req_dn, &o.o_req_ndn, op->o_tmpmemctx );
if ( rc != LDAP_SUCCESS ) {
/* FIXME: error? */
goto cleanup;
}
o.ors_scope = lud->lud_scope;
for ( dlm = dli->dli_dlm; dlm; dlm = dlm->dlm_next ) {
if ( dlm->dlm_mapped_ad != NULL ) {
break;
}
}
if ( dli->dli_dlm && !dlm ) {
/* if ( lud->lud_attrs != NULL ),
* the URL should be ignored */
o.ors_attrs = slap_anlist_no_attrs;
} else if ( lud->lud_attrs == NULL ) {
o.ors_attrs = rs->sr_attrs;
} else {
for ( i = 0; lud->lud_attrs[i]; i++)
/* just count */ ;
o.ors_attrs = op->o_tmpcalloc( i + 1, sizeof( AttributeName ), op->o_tmpmemctx );
for ( i = 0, j = 0; lud->lud_attrs[i]; i++) {
const char *text = NULL;
ber_str2bv( lud->lud_attrs[i], 0, 0, &o.ors_attrs[j].an_name );
o.ors_attrs[j].an_desc = NULL;
(void)slap_bv2ad( &o.ors_attrs[j].an_name, &o.ors_attrs[j].an_desc, &text );
/* FIXME: ignore errors... */
if ( rs->sr_attrs == NULL ) {
if ( o.ors_attrs[j].an_desc != NULL &&
is_at_operational( o.ors_attrs[j].an_desc->ad_type ) )
{
continue;
}
} else {
if ( o.ors_attrs[j].an_desc != NULL &&
is_at_operational( o.ors_attrs[j].an_desc->ad_type ) )
{
if ( !opattrs ) {
continue;
}
if ( !ad_inlist( o.ors_attrs[j].an_desc, rs->sr_attrs ) ) {
/* lookup if mapped -- linear search,
* not very efficient unless list
* is very short */
for ( dlm = dli->dli_dlm; dlm; dlm = dlm->dlm_next ) {
if ( dlm->dlm_member_ad == o.ors_attrs[j].an_desc ) {
break;
}
}
if ( dlm == NULL ) {
continue;
}
}
} else {
if ( !userattrs &&
o.ors_attrs[j].an_desc != NULL &&
!ad_inlist( o.ors_attrs[j].an_desc, rs->sr_attrs ) )
{
/* lookup if mapped -- linear search,
* not very efficient unless list
* is very short */
for ( dlm = dli->dli_dlm; dlm; dlm = dlm->dlm_next ) {
if ( dlm->dlm_member_ad == o.ors_attrs[j].an_desc ) {
break;
}
}
if ( dlm == NULL ) {
continue;
}
}
}
}
j++;
}
if ( j == 0 ) {
goto cleanup;
}
BER_BVZERO( &o.ors_attrs[j].an_name );
}
if ( lud->lud_filter == NULL ) {
ber_dupbv_x( &o.ors_filterstr,
&dli->dli_default_filter, op->o_tmpmemctx );
} else {
struct berval flt;
ber_str2bv( lud->lud_filter, 0, 0, &flt );
if ( dynlist_make_filter( op, rs->sr_entry, url->bv_val, &flt, &o.ors_filterstr ) ) {
/* error */
goto cleanup;
}
}
o.ors_filter = str2filter_x( op, o.ors_filterstr.bv_val );
if ( o.ors_filter == NULL ) {
goto cleanup;
}
o.o_bd = select_backend( &o.o_req_ndn, 1 );
if ( o.o_bd && o.o_bd->be_search ) {
SlapReply r = { REP_SEARCH };
r.sr_attr_flags = slap_attr_flags( o.ors_attrs );
(void)o.o_bd->be_search( &o, &r );
}
cleanup:;
if ( id ) {
slap_op_groups_free( &o );
}
if ( o.ors_filter ) {
filter_free_x( &o, o.ors_filter, 1 );
}
if ( o.ors_attrs && o.ors_attrs != rs->sr_attrs
&& o.ors_attrs != slap_anlist_no_attrs )
{
op->o_tmpfree( o.ors_attrs, op->o_tmpmemctx );
}
if ( !BER_BVISNULL( &o.o_req_dn ) ) {
op->o_tmpfree( o.o_req_dn.bv_val, op->o_tmpmemctx );
}
if ( !BER_BVISNULL( &o.o_req_ndn ) ) {
op->o_tmpfree( o.o_req_ndn.bv_val, op->o_tmpmemctx );
}
assert( BER_BVISNULL( &o.ors_filterstr )
|| o.ors_filterstr.bv_val != lud->lud_filter );
op->o_tmpfree( o.ors_filterstr.bv_val, op->o_tmpmemctx );
ldap_free_urldesc( lud );
}
if ( e != rs->sr_entry ) {
rs_replace_entry( op, rs, (slap_overinst *)op->o_bd->bd_info, e );
rs->sr_flags |= REP_ENTRY_MODIFIABLE | REP_ENTRY_MUSTBEFREED;
}
return SLAP_CB_CONTINUE;
}
static int
dynlist_sc_update( Operation *op, SlapReply *rs )
{
Entry *e;
Attribute *a;
int opattrs,
userattrs;
AccessControlState acl_state = ACL_STATE_INIT;
dynlist_sc_t *dlc;
dynlist_map_t *dlm;
if ( rs->sr_type != REP_SEARCH ) {
return 0;
}
dlc = (dynlist_sc_t *)op->o_callback->sc_private;
e = dlc->dlc_e;
assert( e != NULL );
assert( rs->sr_entry != NULL );
/* test access to entry */
if ( !access_allowed( op, rs->sr_entry, slap_schema.si_ad_entry,
NULL, ACL_READ, NULL ) )
{
goto done;
}
/* if there is only one member_ad, and it's not mapped,
* consider it as old-style member listing */
dlm = dlc->dlc_dli->dli_dlm;
if ( dlm && dlm->dlm_mapped_ad == NULL && dlm->dlm_next == NULL ) {
/* if access allowed, try to add values, emulating permissive
* control to silently ignore duplicates */
if ( access_allowed( op, rs->sr_entry, slap_schema.si_ad_entry,
NULL, ACL_READ, NULL ) )
{
Modification mod;
const char *text = NULL;
char textbuf[1024];
struct berval vals[ 2 ], nvals[ 2 ];
vals[ 0 ] = rs->sr_entry->e_name;
BER_BVZERO( &vals[ 1 ] );
nvals[ 0 ] = rs->sr_entry->e_nname;
BER_BVZERO( &nvals[ 1 ] );
mod.sm_op = LDAP_MOD_ADD;
mod.sm_desc = dlm->dlm_member_ad;
mod.sm_type = dlm->dlm_member_ad->ad_cname;
mod.sm_values = vals;
mod.sm_nvalues = nvals;
mod.sm_numvals = 1;
(void)modify_add_values( e, &mod, /* permissive */ 1,
&text, textbuf, sizeof( textbuf ) );
}
goto done;
}
opattrs = SLAP_OPATTRS( rs->sr_attr_flags );
userattrs = SLAP_USERATTRS( rs->sr_attr_flags );
for ( a = rs->sr_entry->e_attrs; a != NULL; a = a->a_next ) {
BerVarray vals, nvals = NULL;
int i, j,
is_oc = a->a_desc == slap_schema.si_ad_objectClass;
/* if attribute is not requested, skip it */
if ( rs->sr_attrs == NULL ) {
if ( is_at_operational( a->a_desc->ad_type ) ) {
continue;
}
} else {
if ( is_at_operational( a->a_desc->ad_type ) ) {
if ( !opattrs && !ad_inlist( a->a_desc, rs->sr_attrs ) )
{
continue;
}
} else {
if ( !userattrs && !ad_inlist( a->a_desc, rs->sr_attrs ) )
{
continue;
}
}
}
/* test access to attribute */
if ( op->ors_attrsonly ) {
if ( !access_allowed( op, rs->sr_entry, a->a_desc, NULL,
ACL_READ, &acl_state ) )
{
continue;
}
}
/* single-value check: keep first only */
if ( is_at_single_value( a->a_desc->ad_type ) ) {
if ( attr_find( e->e_attrs, a->a_desc ) != NULL ) {
continue;
}
}
/* test access to attribute */
i = a->a_numvals;
vals = op->o_tmpalloc( ( i + 1 ) * sizeof( struct berval ), op->o_tmpmemctx );
if ( a->a_nvals != a->a_vals ) {
nvals = op->o_tmpalloc( ( i + 1 ) * sizeof( struct berval ), op->o_tmpmemctx );
}
for ( i = 0, j = 0; !BER_BVISNULL( &a->a_vals[i] ); i++ ) {
if ( is_oc ) {
ObjectClass *soc = oc_bvfind( &a->a_vals[i] );
if ( soc->soc_kind == LDAP_SCHEMA_STRUCTURAL ) {
continue;
}
}
if ( access_allowed( op, rs->sr_entry, a->a_desc,
&a->a_nvals[i], ACL_READ, &acl_state ) )
{
vals[j] = a->a_vals[i];
if ( nvals ) {
nvals[j] = a->a_nvals[i];
}
j++;
}
}
/* if access allowed, try to add values, emulating permissive
* control to silently ignore duplicates */
if ( j != 0 ) {
Modification mod;
const char *text = NULL;
char textbuf[1024];
dynlist_map_t *dlm;
AttributeDescription *ad;
BER_BVZERO( &vals[j] );
if ( nvals ) {
BER_BVZERO( &nvals[j] );
}
ad = a->a_desc;
for ( dlm = dlc->dlc_dli->dli_dlm; dlm; dlm = dlm->dlm_next ) {
if ( dlm->dlm_member_ad == a->a_desc ) {
if ( dlm->dlm_mapped_ad ) {
ad = dlm->dlm_mapped_ad;
}
break;
}
}
mod.sm_op = LDAP_MOD_ADD;
mod.sm_desc = ad;
mod.sm_type = ad->ad_cname;
mod.sm_values = vals;
mod.sm_nvalues = nvals;
mod.sm_numvals = j;
(void)modify_add_values( e, &mod, /* permissive */ 1,
&text, textbuf, sizeof( textbuf ) );
}
op->o_tmpfree( vals, op->o_tmpmemctx );
if ( nvals ) {
op->o_tmpfree( nvals, op->o_tmpmemctx );
}
}
done:;
if ( rs->sr_flags & REP_ENTRY_MUSTBEFREED ) {
entry_free( rs->sr_entry );
rs->sr_entry = NULL;
rs->sr_flags &= ~REP_ENTRY_MASK;
}
return 0;
}
int mdb_modify_internal(
Operation *op,
MDB_txn *tid,
Modifications *modlist,
Entry *e,
const char **text,
char *textbuf,
size_t textlen )
{
int rc, err;
Modification *mod;
Modifications *ml;
Attribute *save_attrs;
Attribute *ap;
int glue_attr_delete = 0;
int got_delete;
Debug( LDAP_DEBUG_TRACE, "mdb_modify_internal: 0x%08lx: %s\n",
e->e_id, e->e_dn, 0);
if ( !acl_check_modlist( op, e, modlist )) {
return LDAP_INSUFFICIENT_ACCESS;
}
/* save_attrs will be disposed of by caller */
save_attrs = e->e_attrs;
e->e_attrs = attrs_dup( e->e_attrs );
for ( ml = modlist; ml != NULL; ml = ml->sml_next ) {
int match;
mod = &ml->sml_mod;
switch( mod->sm_op ) {
case LDAP_MOD_ADD:
case LDAP_MOD_REPLACE:
if ( mod->sm_desc == slap_schema.si_ad_structuralObjectClass ) {
value_match( &match, slap_schema.si_ad_structuralObjectClass,
slap_schema.si_ad_structuralObjectClass->
ad_type->sat_equality,
SLAP_MR_VALUE_OF_ATTRIBUTE_SYNTAX,
&mod->sm_values[0], &scbva[0], text );
if ( !match ) glue_attr_delete = 1;
}
}
if ( glue_attr_delete )
break;
}
if ( glue_attr_delete ) {
Attribute **app = &e->e_attrs;
while ( *app != NULL ) {
if ( !is_at_operational( (*app)->a_desc->ad_type )) {
Attribute *save = *app;
*app = (*app)->a_next;
attr_free( save );
continue;
}
app = &(*app)->a_next;
}
}
for ( ml = modlist; ml != NULL; ml = ml->sml_next ) {
mod = &ml->sml_mod;
got_delete = 0;
switch ( mod->sm_op ) {
case LDAP_MOD_ADD:
Debug(LDAP_DEBUG_ARGS,
"mdb_modify_internal: add %s\n",
mod->sm_desc->ad_cname.bv_val, 0, 0);
err = modify_add_values( e, mod, get_permissiveModify(op),
text, textbuf, textlen );
if( err != LDAP_SUCCESS ) {
Debug(LDAP_DEBUG_ARGS, "mdb_modify_internal: %d %s\n",
err, *text, 0);
}
break;
case LDAP_MOD_DELETE:
if ( glue_attr_delete ) {
err = LDAP_SUCCESS;
break;
}
Debug(LDAP_DEBUG_ARGS,
"mdb_modify_internal: delete %s\n",
mod->sm_desc->ad_cname.bv_val, 0, 0);
err = modify_delete_values( e, mod, get_permissiveModify(op),
text, textbuf, textlen );
if( err != LDAP_SUCCESS ) {
Debug(LDAP_DEBUG_ARGS, "mdb_modify_internal: %d %s\n",
err, *text, 0);
} else {
got_delete = 1;
}
break;
case LDAP_MOD_REPLACE:
Debug(LDAP_DEBUG_ARGS,
"mdb_modify_internal: replace %s\n",
mod->sm_desc->ad_cname.bv_val, 0, 0);
err = modify_replace_values( e, mod, get_permissiveModify(op),
text, textbuf, textlen );
if( err != LDAP_SUCCESS ) {
Debug(LDAP_DEBUG_ARGS, "mdb_modify_internal: %d %s\n",
err, *text, 0);
} else {
got_delete = 1;
}
break;
case LDAP_MOD_INCREMENT:
Debug(LDAP_DEBUG_ARGS,
"mdb_modify_internal: increment %s\n",
mod->sm_desc->ad_cname.bv_val, 0, 0);
err = modify_increment_values( e, mod, get_permissiveModify(op),
text, textbuf, textlen );
if( err != LDAP_SUCCESS ) {
Debug(LDAP_DEBUG_ARGS,
"mdb_modify_internal: %d %s\n",
err, *text, 0);
} else {
got_delete = 1;
}
break;
case SLAP_MOD_SOFTADD:
Debug(LDAP_DEBUG_ARGS,
"mdb_modify_internal: softadd %s\n",
mod->sm_desc->ad_cname.bv_val, 0, 0);
/* Avoid problems in index_add_mods()
* We need to add index if necessary.
*/
mod->sm_op = LDAP_MOD_ADD;
err = modify_add_values( e, mod, get_permissiveModify(op),
text, textbuf, textlen );
mod->sm_op = SLAP_MOD_SOFTADD;
if ( err == LDAP_TYPE_OR_VALUE_EXISTS ) {
err = LDAP_SUCCESS;
}
if( err != LDAP_SUCCESS ) {
Debug(LDAP_DEBUG_ARGS, "mdb_modify_internal: %d %s\n",
err, *text, 0);
}
break;
case SLAP_MOD_SOFTDEL:
Debug(LDAP_DEBUG_ARGS,
"mdb_modify_internal: softdel %s\n",
mod->sm_desc->ad_cname.bv_val, 0, 0);
/* Avoid problems in index_delete_mods()
* We need to add index if necessary.
*/
mod->sm_op = LDAP_MOD_DELETE;
err = modify_delete_values( e, mod, get_permissiveModify(op),
text, textbuf, textlen );
mod->sm_op = SLAP_MOD_SOFTDEL;
if ( err == LDAP_NO_SUCH_ATTRIBUTE ) {
err = LDAP_SUCCESS;
}
if( err != LDAP_SUCCESS ) {
Debug(LDAP_DEBUG_ARGS, "mdb_modify_internal: %d %s\n",
err, *text, 0);
}
break;
case SLAP_MOD_ADD_IF_NOT_PRESENT:
if ( attr_find( e->e_attrs, mod->sm_desc ) != NULL ) {
/* skip */
err = LDAP_SUCCESS;
break;
}
Debug(LDAP_DEBUG_ARGS,
"mdb_modify_internal: add_if_not_present %s\n",
mod->sm_desc->ad_cname.bv_val, 0, 0);
/* Avoid problems in index_add_mods()
* We need to add index if necessary.
*/
mod->sm_op = LDAP_MOD_ADD;
err = modify_add_values( e, mod, get_permissiveModify(op),
text, textbuf, textlen );
mod->sm_op = SLAP_MOD_ADD_IF_NOT_PRESENT;
if( err != LDAP_SUCCESS ) {
Debug(LDAP_DEBUG_ARGS, "mdb_modify_internal: %d %s\n",
err, *text, 0);
}
break;
default:
Debug(LDAP_DEBUG_ANY, "mdb_modify_internal: invalid op %d\n",
mod->sm_op, 0, 0);
*text = "Invalid modify operation";
err = LDAP_OTHER;
Debug(LDAP_DEBUG_ARGS, "mdb_modify_internal: %d %s\n",
err, *text, 0);
}
if ( err != LDAP_SUCCESS ) {
attrs_free( e->e_attrs );
e->e_attrs = save_attrs;
/* unlock entry, delete from cache */
return err;
}
/* If objectClass was modified, reset the flags */
if ( mod->sm_desc == slap_schema.si_ad_objectClass ) {
e->e_ocflags = 0;
}
if ( glue_attr_delete ) e->e_ocflags = 0;
/* check if modified attribute was indexed
* but not in case of NOOP... */
if ( !op->o_noop ) {
mdb_modify_idxflags( op, mod->sm_desc, got_delete, e->e_attrs, save_attrs );
}
}
/* check that the entry still obeys the schema */
ap = NULL;
rc = entry_schema_check( op, e, save_attrs, get_relax(op), 0, &ap,
text, textbuf, textlen );
if ( rc != LDAP_SUCCESS || op->o_noop ) {
attrs_free( e->e_attrs );
/* clear the indexing flags */
for ( ap = save_attrs; ap != NULL; ap = ap->a_next ) {
ap->a_flags &= ~(SLAP_ATTR_IXADD|SLAP_ATTR_IXDEL);
}
e->e_attrs = save_attrs;
if ( rc != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_ANY,
"entry failed schema check: %s\n",
*text, 0, 0 );
}
/* if NOOP then silently revert to saved attrs */
return rc;
}
/* structuralObjectClass modified! */
if ( ap ) {
assert( ap->a_desc == slap_schema.si_ad_structuralObjectClass );
if ( !op->o_noop ) {
mdb_modify_idxflags( op, slap_schema.si_ad_structuralObjectClass,
1, e->e_attrs, save_attrs );
}
}
/* update the indices of the modified attributes */
/* start with deleting the old index entries */
for ( ap = save_attrs; ap != NULL; ap = ap->a_next ) {
if ( ap->a_flags & SLAP_ATTR_IXDEL ) {
struct berval *vals;
Attribute *a2;
ap->a_flags &= ~SLAP_ATTR_IXDEL;
a2 = attr_find( e->e_attrs, ap->a_desc );
if ( a2 ) {
/* need to detect which values were deleted */
int i, j;
vals = op->o_tmpalloc( (ap->a_numvals + 1) *
sizeof(struct berval), op->o_tmpmemctx );
j = 0;
for ( i=0; i < ap->a_numvals; i++ ) {
rc = attr_valfind( a2, SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
&ap->a_nvals[i], NULL, op->o_tmpmemctx );
/* Save deleted values */
if ( rc == LDAP_NO_SUCH_ATTRIBUTE )
vals[j++] = ap->a_nvals[i];
}
BER_BVZERO(vals+j);
} else {
/* attribute was completely deleted */
vals = ap->a_nvals;
}
rc = 0;
if ( !BER_BVISNULL( vals )) {
rc = mdb_index_values( op, tid, ap->a_desc,
vals, e->e_id, SLAP_INDEX_DELETE_OP );
if ( rc != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_ANY,
"%s: attribute \"%s\" index delete failure\n",
op->o_log_prefix, ap->a_desc->ad_cname.bv_val, 0 );
attrs_free( e->e_attrs );
e->e_attrs = save_attrs;
}
}
if ( vals != ap->a_nvals )
op->o_tmpfree( vals, op->o_tmpmemctx );
if ( rc ) return rc;
}
}
/* add the new index entries */
for ( ap = e->e_attrs; ap != NULL; ap = ap->a_next ) {
if (ap->a_flags & SLAP_ATTR_IXADD) {
ap->a_flags &= ~SLAP_ATTR_IXADD;
rc = mdb_index_values( op, tid, ap->a_desc,
ap->a_nvals,
e->e_id, SLAP_INDEX_ADD_OP );
if ( rc != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_ANY,
"%s: attribute \"%s\" index add failure\n",
op->o_log_prefix, ap->a_desc->ad_cname.bv_val, 0 );
attrs_free( e->e_attrs );
e->e_attrs = save_attrs;
return rc;
}
}
}
return rc;
}
static int
dupent_parseCtrl (
Operation *op,
SlapReply *rs,
LDAPControl *ctrl )
{
ber_tag_t tag;
BerElementBuffer berbuf;
BerElement *ber = (BerElement *)&berbuf;
ber_len_t len;
BerVarray AttributeDescriptionList = NULL;
ber_len_t cnt = sizeof(struct berval);
ber_len_t off = 0;
ber_int_t PartialApplicationAllowed = 1;
dupent_t *ds = NULL;
int i;
if ( op->o_dupent != SLAP_CONTROL_NONE ) {
rs->sr_text = "Dupent control specified multiple times";
return LDAP_PROTOCOL_ERROR;
}
if ( BER_BVISNULL( &ctrl->ldctl_value ) ) {
rs->sr_text = "Dupent control value is absent";
return LDAP_PROTOCOL_ERROR;
}
if ( BER_BVISEMPTY( &ctrl->ldctl_value ) ) {
rs->sr_text = "Dupent control value is empty";
return LDAP_PROTOCOL_ERROR;
}
ber_init2( ber, &ctrl->ldctl_value, 0 );
/*
DuplicateEntryRequest ::= SEQUENCE {
AttributeDescriptionList, -- from [RFC2251]
PartialApplicationAllowed BOOLEAN DEFAULT TRUE }
AttributeDescriptionList ::= SEQUENCE OF
AttributeDescription
AttributeDescription ::= LDAPString
attributeDescription = AttributeType [ ";" <options> ]
*/
tag = ber_skip_tag( ber, &len );
if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX;
if ( ber_scanf( ber, "{M}", &AttributeDescriptionList, &cnt, off )
== LBER_ERROR )
{
rs->sr_text = "Dupent control: dupentSpec decoding error";
rs->sr_err = LDAP_PROTOCOL_ERROR;
goto done;
}
tag = ber_skip_tag( ber, &len );
if ( tag == LBER_BOOLEAN ) {
/* NOTE: PartialApplicationAllowed is ignored, since the control
* can always be honored
*/
if ( ber_scanf( ber, "b", &PartialApplicationAllowed ) == LBER_ERROR )
{
rs->sr_text = "Dupent control: dupentSpec decoding error";
rs->sr_err = LDAP_PROTOCOL_ERROR;
goto done;
}
tag = ber_skip_tag( ber, &len );
}
if ( len || tag != LBER_DEFAULT ) {
rs->sr_text = "Dupent control: dupentSpec decoding error";
rs->sr_err = LDAP_PROTOCOL_ERROR;
goto done;
}
ds = (dupent_t *)op->o_tmpcalloc( 1,
sizeof(dupent_t) + sizeof(AttributeName)*cnt,
op->o_tmpmemctx );
ds->ds_paa = PartialApplicationAllowed;
if ( cnt == 0 ) {
ds->ds_flags |= SLAP_USERATTRS_YES;
} else {
int c;
ds->ds_an = (AttributeName *)&ds[ 1 ];
for ( i = 0, c = 0; i < cnt; i++ ) {
const char *text;
int j;
int rc;
AttributeDescription *ad = NULL;
if ( bvmatch( &AttributeDescriptionList[i],
slap_bv_all_user_attrs ) )
{
if ( ds->ds_flags & SLAP_USERATTRS_YES ) {
rs->sr_text = "Dupent control: AttributeDescription decoding error";
rs->sr_err = LDAP_PROTOCOL_ERROR;
goto done;
}
ds->ds_flags |= SLAP_USERATTRS_YES;
continue;
}
rc = slap_bv2ad( &AttributeDescriptionList[i], &ad, &text );
if ( rc != LDAP_SUCCESS ) {
continue;
}
ds->ds_an[c].an_desc = ad;
ds->ds_an[c].an_name = ad->ad_cname;
/* FIXME: not specified; consider this an error, just in case */
for ( j = 0; j < c; j++ ) {
if ( ds->ds_an[c].an_desc == ds->ds_an[j].an_desc ) {
rs->sr_text = "Dupent control: AttributeDescription must be unique within AttributeDescriptionList";
rs->sr_err = LDAP_PROTOCOL_ERROR;
goto done;
}
}
c++;
}
ds->ds_nattrs = c;
if ( ds->ds_flags & SLAP_USERATTRS_YES ) {
/* purge user attrs */
for ( i = 0; i < ds->ds_nattrs; ) {
if ( is_at_operational( ds->ds_an[i].an_desc->ad_type ) ) {
i++;
continue;
}
ds->ds_nattrs--;
if ( i < ds->ds_nattrs ) {
ds->ds_an[i] = ds->ds_an[ds->ds_nattrs];
}
}
}
}
op->o_ctrldupent = (void *)ds;
op->o_dupent = ctrl->ldctl_iscritical
? SLAP_CONTROL_CRITICAL
: SLAP_CONTROL_NONCRITICAL;
rs->sr_err = LDAP_SUCCESS;
done:;
if ( rs->sr_err != LDAP_SUCCESS ) {
op->o_tmpfree( ds, op->o_tmpmemctx );
}
if ( AttributeDescriptionList != NULL ) {
ber_memfree_x( AttributeDescriptionList, op->o_tmpmemctx );
}
return rs->sr_err;
}
int oc_check_allowed(
AttributeType *at,
ObjectClass **socs,
ObjectClass *sc )
{
int i, j;
Debug( LDAP_DEBUG_TRACE,
"oc_check_allowed type \"%s\"\n",
at->sat_cname.bv_val );
/* always allow objectClass attribute */
if ( strcasecmp( at->sat_cname.bv_val, "objectClass" ) == 0 ) {
return LDAP_SUCCESS;
}
/*
* All operational attributions are allowed by schema rules.
*/
if( is_at_operational(at) ) {
return LDAP_SUCCESS;
}
/* check to see if its allowed by the structuralObjectClass */
if( sc ) {
/* does it require the type? */
for ( j = 0; sc->soc_required != NULL &&
sc->soc_required[j] != NULL; j++ )
{
if( at == sc->soc_required[j] ) {
return LDAP_SUCCESS;
}
}
/* does it allow the type? */
for ( j = 0; sc->soc_allowed != NULL &&
sc->soc_allowed[j] != NULL; j++ )
{
if( at == sc->soc_allowed[j] ) {
return LDAP_SUCCESS;
}
}
}
/* check that the type appears as req or opt in at least one oc */
for ( i = 0; socs[i]; i++ ) {
/* if we know about the oc */
ObjectClass *oc = socs[i];
/* extensibleObject allows all */
if ( oc == slap_schema.si_oc_extensibleObject ) {
return LDAP_SUCCESS;
}
if ( oc != NULL && oc->soc_kind != LDAP_SCHEMA_ABSTRACT &&
( sc == NULL || oc->soc_kind == LDAP_SCHEMA_AUXILIARY ))
{
/* does it require the type? */
for ( j = 0; oc->soc_required != NULL &&
oc->soc_required[j] != NULL; j++ )
{
if( at == oc->soc_required[j] ) {
return LDAP_SUCCESS;
}
}
/* does it allow the type? */
for ( j = 0; oc->soc_allowed != NULL &&
oc->soc_allowed[j] != NULL; j++ )
{
if( at == oc->soc_allowed[j] ) {
return LDAP_SUCCESS;
}
}
}
}
/* not allowed by any oc */
return LDAP_OBJECT_CLASS_VIOLATION;
}
static int
dupent_response_entry( Operation *op, SlapReply *rs )
{
dupent_cb_t *dc = (dupent_cb_t *)op->o_callback->sc_private;
int nattrs = 0;
valnum_t *valnum = NULL;
Attribute **app, *ap_list = NULL;
int i, c;
Entry *e = NULL;
int rc;
assert( rs->sr_type == REP_SEARCH );
for ( i = 0; i < dc->dc_ds->ds_nattrs; i++ ) {
Attribute *ap;
ap = attr_find( rs->sr_entry->e_attrs,
dc->dc_ds->ds_an[ i ].an_desc );
if ( ap && ap->a_numvals > 1 ) {
nattrs++;
}
}
if ( dc->dc_ds->ds_flags & SLAP_USERATTRS_YES ) {
Attribute *ap;
for ( ap = rs->sr_entry->e_attrs; ap != NULL; ap = ap->a_next ) {
if ( !is_at_operational( ap->a_desc->ad_type ) && ap->a_numvals > 1 ) {
nattrs++;
}
}
}
if ( !nattrs ) {
return SLAP_CB_CONTINUE;
}
rs_entry2modifiable( op, rs, dc->dc_on );
rs->sr_flags &= ~(REP_ENTRY_MODIFIABLE | REP_ENTRY_MUSTBEFREED);
e = rs->sr_entry;
valnum = op->o_tmpcalloc( sizeof(valnum_t), nattrs, op->o_tmpmemctx );
for ( c = 0, i = 0; i < dc->dc_ds->ds_nattrs; i++ ) {
for ( app = &e->e_attrs; *app != NULL; app = &(*app)->a_next ) {
if ( (*app)->a_desc == dc->dc_ds->ds_an[ i ].an_desc ) {
break;
}
}
if ( *app != NULL && (*app)->a_numvals > 1 ) {
assert( c < nattrs );
dupent_attr_prepare( dc->dc_ds, e, valnum, nattrs, c, app, &ap_list );
c++;
}
}
if ( dc->dc_ds->ds_flags & SLAP_USERATTRS_YES ) {
for ( app = &e->e_attrs; *app != NULL; app = &(*app)->a_next ) {
if ( !is_at_operational( (*app)->a_desc->ad_type ) && (*app)->a_numvals > 1 ) {
assert( c < nattrs );
dupent_attr_prepare( dc->dc_ds, e, valnum, nattrs, c, app, &ap_list );
c++;
}
}
}
for ( app = &e->e_attrs; *app != NULL; app = &(*app)->a_next )
/* goto tail */ ;
*app = &valnum[0].a;
/* NOTE: since send_search_entry() does not honor the
* REP_CTRLS_MUSTBEFREED flag set by slap_add_ctrls(),
* the control could be added here once for all (ITS#6629)
*/
dc->dc_skip = 1;
rc = dupent_response_entry_1level( op, rs, e, valnum, nattrs, 0 );
dc->dc_skip = 0;
*app = ap_list;
entry_free( e );
op->o_tmpfree( valnum, op->o_tmpmemctx );
return rc;
}
static int
constraint_update( Operation *op, SlapReply *rs )
{
slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
Backend *be = op->o_bd;
constraint *c = on->on_bi.bi_private, *cp;
Entry *target_entry = NULL, *target_entry_copy = NULL;
Modifications *modlist, *m;
BerVarray b = NULL;
int i;
struct berval rsv = BER_BVC("modify breaks constraint");
int rc;
char *msg = NULL;
if (get_relax(op)) {
return SLAP_CB_CONTINUE;
}
switch ( op->o_tag ) {
case LDAP_REQ_MODIFY:
modlist = op->orm_modlist;
break;
case LDAP_REQ_MODRDN:
modlist = op->orr_modlist;
break;
default:
/* impossible! assert? */
return LDAP_OTHER;
}
Debug( LDAP_DEBUG_CONFIG|LDAP_DEBUG_NONE, "constraint_update()\n", 0,0,0);
if ((m = modlist) == NULL) {
op->o_bd->bd_info = (BackendInfo *)(on->on_info);
send_ldap_error(op, rs, LDAP_INVALID_SYNTAX,
"constraint_update() got null modlist");
return(rs->sr_err);
}
/* Do we need to count attributes? */
for(cp = c; cp; cp = cp->ap_next) {
if (cp->count != 0 || cp->set || cp->restrict_lud != 0) {
op->o_bd = on->on_info->oi_origdb;
rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &target_entry );
op->o_bd = be;
if (rc != 0 || target_entry == NULL) {
Debug(LDAP_DEBUG_TRACE,
"==> constraint_update rc = %d DN=\"%s\"%s\n",
rc, op->o_req_ndn.bv_val,
target_entry ? "" : " not found" );
if ( rc == 0 )
rc = LDAP_CONSTRAINT_VIOLATION;
goto mod_violation;
}
break;
}
}
rc = LDAP_CONSTRAINT_VIOLATION;
for(;m; m = m->sml_next) {
unsigned ce = 0;
if (is_at_operational( m->sml_desc->ad_type )) continue;
if ((( m->sml_op & LDAP_MOD_OP ) != LDAP_MOD_ADD) &&
(( m->sml_op & LDAP_MOD_OP ) != LDAP_MOD_REPLACE) &&
(( m->sml_op & LDAP_MOD_OP ) != LDAP_MOD_DELETE))
continue;
/* we only care about ADD and REPLACE modifications */
/* and DELETE are used to track attribute count */
if ((( b = m->sml_values ) == NULL ) || (b[0].bv_val == NULL))
continue;
/* Get this attribute count, if needed */
if (target_entry)
ce = constraint_count_attr(target_entry, m->sml_desc);
for(cp = c; cp; cp = cp->ap_next) {
int j;
for (j = 0; cp->ap[j]; j++) {
if (cp->ap[j] == m->sml_desc) {
break;
}
}
if (cp->ap[j] == NULL) continue;
if (cp->restrict_lud != NULL && constraint_check_restrict(op, cp, target_entry) == 0) {
continue;
}
if (cp->count != 0) {
unsigned ca;
if (m->sml_op == LDAP_MOD_DELETE)
ce = 0;
for (ca = 0; b[ca].bv_val; ++ca);
Debug(LDAP_DEBUG_TRACE,
"==> constraint_update ce = %u, "
"ca = %u, cp->count = %lu\n",
ce, ca, (unsigned long) cp->count);
if (m->sml_op == LDAP_MOD_ADD) {
if (ca + ce > cp->count) {
rc = LDAP_CONSTRAINT_VIOLATION;
goto mod_violation;
}
}
if (m->sml_op == LDAP_MOD_REPLACE) {
if (ca > cp->count) {
rc = LDAP_CONSTRAINT_VIOLATION;
goto mod_violation;
}
ce = ca;
}
}
/* DELETE are to be ignored beyond this point */
if (( m->sml_op & LDAP_MOD_OP ) == LDAP_MOD_DELETE)
continue;
for ( i = 0; b[i].bv_val; i++ ) {
rc = constraint_violation( cp, &b[i], op, rs );
if ( rc ) {
goto mod_violation;
}
}
if (cp->set && target_entry) {
if (target_entry_copy == NULL) {
Modifications *ml;
target_entry_copy = entry_dup(target_entry);
/* if rename, set the new entry's name
* (in normalized form only) */
if ( op->o_tag == LDAP_REQ_MODRDN ) {
struct berval pdn, ndn = BER_BVNULL;
if ( op->orr_nnewSup ) {
pdn = *op->orr_nnewSup;
} else {
dnParent( &target_entry_copy->e_nname, &pdn );
}
build_new_dn( &ndn, &pdn, &op->orr_nnewrdn, NULL );
ber_memfree( target_entry_copy->e_nname.bv_val );
target_entry_copy->e_nname = ndn;
ber_bvreplace( &target_entry_copy->e_name, &ndn );
}
/* apply modifications, in an attempt
* to estimate what the entry would
* look like in case all modifications
* pass */
for ( ml = modlist; ml; ml = ml->sml_next ) {
Modification *mod = &ml->sml_mod;
const char *text;
char textbuf[SLAP_TEXT_BUFLEN];
size_t textlen = sizeof(textbuf);
int err;
switch ( mod->sm_op ) {
case LDAP_MOD_ADD:
err = modify_add_values( target_entry_copy,
mod, get_permissiveModify(op),
&text, textbuf, textlen );
break;
case LDAP_MOD_DELETE:
err = modify_delete_values( target_entry_copy,
mod, get_permissiveModify(op),
&text, textbuf, textlen );
break;
case LDAP_MOD_REPLACE:
err = modify_replace_values( target_entry_copy,
mod, get_permissiveModify(op),
&text, textbuf, textlen );
break;
case LDAP_MOD_INCREMENT:
err = modify_increment_values( target_entry_copy,
mod, get_permissiveModify(op),
&text, textbuf, textlen );
break;
case SLAP_MOD_SOFTADD:
mod->sm_op = LDAP_MOD_ADD;
err = modify_add_values( target_entry_copy,
mod, get_permissiveModify(op),
&text, textbuf, textlen );
mod->sm_op = SLAP_MOD_SOFTADD;
if ( err == LDAP_TYPE_OR_VALUE_EXISTS ) {
err = LDAP_SUCCESS;
}
break;
case SLAP_MOD_SOFTDEL:
mod->sm_op = LDAP_MOD_ADD;
err = modify_delete_values( target_entry_copy,
mod, get_permissiveModify(op),
&text, textbuf, textlen );
mod->sm_op = SLAP_MOD_SOFTDEL;
if ( err == LDAP_NO_SUCH_ATTRIBUTE ) {
err = LDAP_SUCCESS;
}
break;
case SLAP_MOD_ADD_IF_NOT_PRESENT:
if ( attr_find( target_entry_copy->e_attrs, mod->sm_desc ) ) {
err = LDAP_SUCCESS;
break;
}
mod->sm_op = LDAP_MOD_ADD;
err = modify_add_values( target_entry_copy,
mod, get_permissiveModify(op),
&text, textbuf, textlen );
mod->sm_op = SLAP_MOD_ADD_IF_NOT_PRESENT;
break;
default:
err = LDAP_OTHER;
break;
}
if ( err != LDAP_SUCCESS ) {
rc = err;
goto mod_violation;
}
}
}
if ( acl_match_set(&cp->val, op, target_entry_copy, NULL) == 0) {
rc = LDAP_CONSTRAINT_VIOLATION;
goto mod_violation;
}
}
}
}
if (target_entry) {
op->o_bd = on->on_info->oi_origdb;
be_entry_release_r(op, target_entry);
op->o_bd = be;
}
if (target_entry_copy) {
entry_free(target_entry_copy);
}
return SLAP_CB_CONTINUE;
mod_violation:
/* violation */
if (target_entry) {
op->o_bd = on->on_info->oi_origdb;
be_entry_release_r(op, target_entry);
op->o_bd = be;
}
if (target_entry_copy) {
entry_free(target_entry_copy);
}
op->o_bd->bd_info = (BackendInfo *)(on->on_info);
if ( rc == LDAP_CONSTRAINT_VIOLATION ) {
msg = print_message( &rsv, m->sml_desc );
}
send_ldap_error( op, rs, LDAP_CONSTRAINT_VIOLATION, msg );
ch_free(msg);
return (rs->sr_err);
}
static int
monitor_subsys_log_modify(
Operation *op,
SlapReply *rs,
Entry *e )
{
monitor_info_t *mi = ( monitor_info_t * )op->o_bd->be_private;
int rc = LDAP_OTHER;
int newlevel = ldap_syslog;
Attribute *save_attrs;
Modifications *modlist = op->orm_modlist;
Modifications *ml;
ldap_pvt_thread_mutex_lock( &monitor_log_mutex );
save_attrs = e->e_attrs;
e->e_attrs = attrs_dup( e->e_attrs );
for ( ml = modlist; ml != NULL; ml = ml->sml_next ) {
Modification *mod = &ml->sml_mod;
/*
* accept all operational attributes;
* this includes modifersName and modifyTimestamp
* if lastmod is "on"
*/
if ( is_at_operational( mod->sm_desc->ad_type ) ) {
( void ) attr_delete( &e->e_attrs, mod->sm_desc );
rc = rs->sr_err = attr_merge( e, mod->sm_desc,
mod->sm_values, mod->sm_nvalues );
if ( rc != LDAP_SUCCESS ) {
break;
}
continue;
/*
* only the "managedInfo" attribute can be modified
*/
} else if ( mod->sm_desc != mi->mi_ad_managedInfo ) {
rc = rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
break;
}
switch ( mod->sm_op ) {
case LDAP_MOD_ADD:
rc = add_values( op, e, mod, &newlevel );
break;
case LDAP_MOD_DELETE:
rc = delete_values( op, e, mod, &newlevel );
break;
case LDAP_MOD_REPLACE:
rc = replace_values( op, e, mod, &newlevel );
break;
default:
rc = LDAP_OTHER;
break;
}
if ( rc != LDAP_SUCCESS ) {
rs->sr_err = rc;
break;
}
}
/* set the new debug level */
if ( rc == LDAP_SUCCESS ) {
const char *text;
static char textbuf[ BACKMONITOR_BUFSIZE ];
/* check for abandon */
if ( op->o_abandon ) {
rc = rs->sr_err = SLAPD_ABANDON;
goto cleanup;
}
/* check that the entry still obeys the schema */
rc = entry_schema_check( op, e, save_attrs, 0, 0, NULL,
&text, textbuf, sizeof( textbuf ) );
if ( rc != LDAP_SUCCESS ) {
rs->sr_err = rc;
goto cleanup;
}
/*
* Do we need to protect this with a mutex?
*/
ldap_syslog = newlevel;
#if 0 /* debug rather than log */
slap_debug = newlevel;
lutil_set_debug_level( "slapd", slap_debug );
ber_set_option(NULL, LBER_OPT_DEBUG_LEVEL, &slap_debug);
ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &slap_debug);
ldif_debug = slap_debug;
#endif
}
cleanup:;
if ( rc == LDAP_SUCCESS ) {
attrs_free( save_attrs );
} else {
attrs_free( e->e_attrs );
e->e_attrs = save_attrs;
}
ldap_pvt_thread_mutex_unlock( &monitor_log_mutex );
if ( rc == LDAP_SUCCESS ) {
rc = SLAP_CB_CONTINUE;
}
return rc;
}
static int
constraint_add( Operation *op, SlapReply *rs )
{
slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
Attribute *a;
constraint *c = on->on_bi.bi_private, *cp;
BerVarray b = NULL;
int i;
struct berval rsv = BER_BVC("add breaks constraint");
int rc;
char *msg = NULL;
if (get_relax(op)) {
return SLAP_CB_CONTINUE;
}
if ((a = op->ora_e->e_attrs) == NULL) {
op->o_bd->bd_info = (BackendInfo *)(on->on_info);
send_ldap_error(op, rs, LDAP_INVALID_SYNTAX,
"constraint_add: no attrs");
return(rs->sr_err);
}
for(; a; a = a->a_next ) {
/* we don't constrain operational attributes */
if (is_at_operational(a->a_desc->ad_type)) continue;
for(cp = c; cp; cp = cp->ap_next) {
int j;
for (j = 0; cp->ap[j]; j++) {
if (cp->ap[j] == a->a_desc) break;
}
if (cp->ap[j] == NULL) continue;
if ((b = a->a_vals) == NULL) continue;
if (cp->restrict_lud != NULL && constraint_check_restrict(op, cp, op->ora_e) == 0) {
continue;
}
Debug(LDAP_DEBUG_TRACE,
"==> constraint_add, "
"a->a_numvals = %u, cp->count = %lu\n",
a->a_numvals, (unsigned long) cp->count, 0);
if ((cp->count != 0) && (a->a_numvals > cp->count)) {
rc = LDAP_CONSTRAINT_VIOLATION;
goto add_violation;
}
for ( i = 0; b[i].bv_val; i++ ) {
rc = constraint_violation( cp, &b[i], op, rs );
if ( rc ) {
goto add_violation;
}
}
if (cp->set && acl_match_set(&cp->val, op, op->ora_e, NULL) == 0) {
rc = LDAP_CONSTRAINT_VIOLATION;
goto add_violation; /* constraint violation */
}
}
}
/* Default is to just fall through to the normal processing */
return SLAP_CB_CONTINUE;
add_violation:
op->o_bd->bd_info = (BackendInfo *)(on->on_info);
if (rc == LDAP_CONSTRAINT_VIOLATION ) {
msg = print_message( &rsv, a->a_desc );
}
send_ldap_error(op, rs, rc, msg );
ch_free(msg);
return (rs->sr_err);
}
int ad_inlist(
AttributeDescription *desc,
AttributeName *attrs )
{
if (! attrs ) return 0;
for( ; attrs->an_name.bv_val; attrs++ ) {
AttributeType *a;
ObjectClass *oc;
if ( attrs->an_desc ) {
int lr;
if ( desc == attrs->an_desc ) {
return 1;
}
/*
* EXTENSION: if requested description is preceeded by
* a '-' character, do not match on subtypes.
*/
if ( attrs->an_name.bv_val[0] == '-' ) {
continue;
}
/* Is this a subtype of the requested attr? */
for (a = desc->ad_type; a; a=a->sat_sup) {
if ( a == attrs->an_desc->ad_type )
break;
}
if ( !a ) {
continue;
}
/* Does desc support all the requested flags? */
lr = desc->ad_tags.bv_len ? SLAP_DESC_TAG_RANGE : 0;
if(( attrs->an_desc->ad_flags & (desc->ad_flags | lr))
!= attrs->an_desc->ad_flags ) {
continue;
}
/* Do the descs have compatible tags? */
if ( attrs->an_desc->ad_tags.bv_len == 0 ) {
return 1;
}
if ( desc->ad_tags.bv_len == 0) {
continue;
}
if ( is_ad_subtags( &desc->ad_tags,
&attrs->an_desc->ad_tags ) ) {
return 1;
}
continue;
}
if ( ber_bvccmp( &attrs->an_name, '*' ) ) {
if ( !is_at_operational( desc->ad_type ) ) {
return 1;
}
continue;
}
if ( ber_bvccmp( &attrs->an_name, '+' ) ) {
if ( is_at_operational( desc->ad_type ) ) {
return 1;
}
continue;
}
/*
* EXTENSION: see if requested description is @objectClass
* if so, return attributes which the class requires/allows
* else if requested description is !objectClass, return
* attributes which the class does not require/allow
*/
if ( !( attrs->an_flags & SLAP_AN_OCINITED )) {
if( attrs->an_name.bv_val ) {
switch( attrs->an_name.bv_val[0] ) {
case '@': /* @objectClass */
case '+': /* +objectClass (deprecated) */
case '!': { /* exclude */
struct berval ocname;
ocname.bv_len = attrs->an_name.bv_len - 1;
ocname.bv_val = &attrs->an_name.bv_val[1];
oc = oc_bvfind( &ocname );
if ( oc && attrs->an_name.bv_val[0] == '!' ) {
attrs->an_flags |= SLAP_AN_OCEXCLUDE;
} else {
attrs->an_flags &= ~SLAP_AN_OCEXCLUDE;
}
} break;
default: /* old (deprecated) way */
oc = oc_bvfind( &attrs->an_name );
}
attrs->an_oc = oc;
}
attrs->an_flags |= SLAP_AN_OCINITED;
}
oc = attrs->an_oc;
if( oc != NULL ) {
if ( attrs->an_flags & SLAP_AN_OCEXCLUDE ) {
if ( oc == slap_schema.si_oc_extensibleObject ) {
/* extensibleObject allows the return of anything */
return 0;
}
if( oc->soc_required ) {
/* allow return of required attributes */
int i;
for ( i = 0; oc->soc_required[i] != NULL; i++ ) {
for (a = desc->ad_type; a; a=a->sat_sup) {
if ( a == oc->soc_required[i] ) {
return 0;
}
}
}
}
if( oc->soc_allowed ) {
/* allow return of allowed attributes */
int i;
for ( i = 0; oc->soc_allowed[i] != NULL; i++ ) {
for (a = desc->ad_type; a; a=a->sat_sup) {
if ( a == oc->soc_allowed[i] ) {
return 0;
}
}
}
}
return 1;
}
if ( oc == slap_schema.si_oc_extensibleObject ) {
/* extensibleObject allows the return of anything */
return 1;
}
if( oc->soc_required ) {
/* allow return of required attributes */
int i;
for ( i = 0; oc->soc_required[i] != NULL; i++ ) {
for (a = desc->ad_type; a; a=a->sat_sup) {
if ( a == oc->soc_required[i] ) {
return 1;
}
}
}
}
if( oc->soc_allowed ) {
/* allow return of allowed attributes */
int i;
for ( i = 0; oc->soc_allowed[i] != NULL; i++ ) {
for (a = desc->ad_type; a; a=a->sat_sup) {
if ( a == oc->soc_allowed[i] ) {
return 1;
}
}
}
}
} else {
const char *text;
/* give it a chance of being retrieved by a proxy... */
(void)slap_bv2undef_ad( &attrs->an_name,
&attrs->an_desc, &text,
SLAP_AD_PROXIED|SLAP_AD_NOINSERT );
}
}
return 0;
}
int slap_bv2ad(
struct berval *bv,
AttributeDescription **ad,
const char **text )
{
int rtn = LDAP_UNDEFINED_TYPE;
AttributeDescription desc, *d2;
char *name, *options, *optn;
char *opt, *next;
int ntags;
int tagslen;
/* hardcoded limits for speed */
#define MAX_TAGGING_OPTIONS 128
struct berval tags[MAX_TAGGING_OPTIONS+1];
#define MAX_TAGS_LEN 1024
char tagbuf[MAX_TAGS_LEN];
assert( ad != NULL );
assert( *ad == NULL ); /* temporary */
if( bv == NULL || BER_BVISNULL( bv ) || BER_BVISEMPTY( bv ) ) {
*text = "empty AttributeDescription";
return rtn;
}
/* make sure description is IA5 */
if( ad_keystring( bv ) ) {
*text = "AttributeDescription contains inappropriate characters";
return rtn;
}
/* find valid base attribute type; parse in place */
desc.ad_cname = *bv;
desc.ad_flags = 0;
BER_BVZERO( &desc.ad_tags );
name = bv->bv_val;
options = ber_bvchr( bv, ';' );
if ( options != NULL && (unsigned) ( options - name ) < bv->bv_len ) {
/* don't go past the end of the berval! */
desc.ad_cname.bv_len = options - name;
} else {
options = NULL;
}
desc.ad_type = at_bvfind( &desc.ad_cname );
if( desc.ad_type == NULL ) {
*text = "attribute type undefined";
return rtn;
}
if( is_at_operational( desc.ad_type ) && options != NULL ) {
*text = "operational attribute with options undefined";
return rtn;
}
/*
* parse options in place
*/
ntags = 0;
tagslen = 0;
optn = bv->bv_val + bv->bv_len;
for( opt=options; opt != NULL; opt=next ) {
int optlen;
opt++;
next = strchrlen( opt, optn, ';', &optlen );
if( optlen == 0 ) {
*text = "zero length option is invalid";
return rtn;
} else if ( optlen == STRLENOF("binary") &&
strncasecmp( opt, "binary", STRLENOF("binary") ) == 0 )
{
/* binary option */
if( slap_ad_is_binary( &desc ) ) {
*text = "option \"binary\" specified multiple times";
return rtn;
}
if( !slap_syntax_is_binary( desc.ad_type->sat_syntax )) {
/* not stored in binary, disallow option */
*text = "option \"binary\" not supported with type";
return rtn;
}
desc.ad_flags |= SLAP_DESC_BINARY;
continue;
} else if ( ad_find_option_definition( opt, optlen ) ) {
int i;
if( opt[optlen-1] == '-' ||
( opt[optlen-1] == '=' && msad_range_hack )) {
desc.ad_flags |= SLAP_DESC_TAG_RANGE;
}
if( ntags >= MAX_TAGGING_OPTIONS ) {
*text = "too many tagging options";
return rtn;
}
/*
* tags should be presented in sorted order,
* so run the array in reverse.
*/
for( i=ntags-1; i>=0; i-- ) {
int rc;
rc = strncasecmp( opt, tags[i].bv_val,
(unsigned) optlen < tags[i].bv_len
? (unsigned) optlen : tags[i].bv_len );
if( rc == 0 && (unsigned)optlen == tags[i].bv_len ) {
/* duplicate (ignore) */
ntags--;
goto done;
} else if ( rc > 0 ||
( rc == 0 && (unsigned)optlen > tags[i].bv_len ))
{
AC_MEMCPY( &tags[i+2], &tags[i+1],
(ntags-i-1)*sizeof(struct berval) );
tags[i+1].bv_val = opt;
tags[i+1].bv_len = optlen;
goto done;
}
}
if( ntags ) {
AC_MEMCPY( &tags[1], &tags[0],
ntags*sizeof(struct berval) );
}
tags[0].bv_val = opt;
tags[0].bv_len = optlen;
done:;
tagslen += optlen + 1;
ntags++;
} else {
*text = "unrecognized option";
return rtn;
}
}
if( ntags > 0 ) {
int i;
if( tagslen > MAX_TAGS_LEN ) {
*text = "tagging options too long";
return rtn;
}
desc.ad_tags.bv_val = tagbuf;
tagslen = 0;
for( i=0; i<ntags; i++ ) {
AC_MEMCPY( &desc.ad_tags.bv_val[tagslen],
tags[i].bv_val, tags[i].bv_len );
tagslen += tags[i].bv_len;
desc.ad_tags.bv_val[tagslen++] = ';';
}
desc.ad_tags.bv_val[--tagslen] = '\0';
desc.ad_tags.bv_len = tagslen;
}
/* see if a matching description is already cached */
for (d2 = desc.ad_type->sat_ad; d2; d2=d2->ad_next) {
if( d2->ad_flags != desc.ad_flags ) {
continue;
}
if( d2->ad_tags.bv_len != desc.ad_tags.bv_len ) {
continue;
}
if( d2->ad_tags.bv_len == 0 ) {
break;
}
if( strncasecmp( d2->ad_tags.bv_val, desc.ad_tags.bv_val,
desc.ad_tags.bv_len ) == 0 )
{
break;
}
}
/* Not found, add new one */
while (d2 == NULL) {
size_t dlen = 0;
ldap_pvt_thread_mutex_lock( &desc.ad_type->sat_ad_mutex );
/* check again now that we've locked */
for (d2 = desc.ad_type->sat_ad; d2; d2=d2->ad_next) {
if (d2->ad_flags != desc.ad_flags)
continue;
if (d2->ad_tags.bv_len != desc.ad_tags.bv_len)
continue;
if (d2->ad_tags.bv_len == 0)
break;
if (strncasecmp(d2->ad_tags.bv_val, desc.ad_tags.bv_val,
desc.ad_tags.bv_len) == 0)
break;
}
if (d2) {
ldap_pvt_thread_mutex_unlock( &desc.ad_type->sat_ad_mutex );
break;
}
/* Allocate a single contiguous block. If there are no
* options, we just need space for the AttrDesc structure.
* Otherwise, we need to tack on the full name length +
* options length, + maybe tagging options length again.
*/
if (desc.ad_tags.bv_len || desc.ad_flags != SLAP_DESC_NONE) {
dlen = desc.ad_type->sat_cname.bv_len + 1;
if (desc.ad_tags.bv_len) {
dlen += 1 + desc.ad_tags.bv_len;
}
if ( slap_ad_is_binary( &desc ) ) {
dlen += 1 + STRLENOF(";binary") + desc.ad_tags.bv_len;
}
}
d2 = ch_malloc(sizeof(AttributeDescription) + dlen);
d2->ad_next = NULL;
d2->ad_type = desc.ad_type;
d2->ad_flags = desc.ad_flags;
d2->ad_cname.bv_len = desc.ad_type->sat_cname.bv_len;
d2->ad_tags.bv_len = desc.ad_tags.bv_len;
ldap_pvt_thread_mutex_lock( &ad_index_mutex );
d2->ad_index = ++ad_count;
ldap_pvt_thread_mutex_unlock( &ad_index_mutex );
if (dlen == 0) {
d2->ad_cname.bv_val = d2->ad_type->sat_cname.bv_val;
d2->ad_tags.bv_val = NULL;
} else {
char *cp, *op, *lp;
int j;
d2->ad_cname.bv_val = (char *)(d2+1);
strcpy(d2->ad_cname.bv_val, d2->ad_type->sat_cname.bv_val);
cp = d2->ad_cname.bv_val + d2->ad_cname.bv_len;
if( slap_ad_is_binary( &desc ) ) {
op = cp;
lp = NULL;
if( desc.ad_tags.bv_len ) {
lp = desc.ad_tags.bv_val;
while( strncasecmp(lp, "binary", STRLENOF("binary")) < 0
&& (lp = strchr( lp, ';' )) != NULL )
++lp;
if( lp != desc.ad_tags.bv_val ) {
*cp++ = ';';
j = (lp
? (unsigned) (lp - desc.ad_tags.bv_val - 1)
: strlen( desc.ad_tags.bv_val ));
cp = lutil_strncopy(cp, desc.ad_tags.bv_val, j);
}
}
cp = lutil_strcopy(cp, ";binary");
if( lp != NULL ) {
*cp++ = ';';
cp = lutil_strcopy(cp, lp);
}
d2->ad_cname.bv_len = cp - d2->ad_cname.bv_val;
if( desc.ad_tags.bv_len )
ldap_pvt_str2lower(op);
j = 1;
} else {
j = 0;
}
if( desc.ad_tags.bv_len ) {
lp = d2->ad_cname.bv_val + d2->ad_cname.bv_len + j;
if ( j == 0 )
*lp++ = ';';
d2->ad_tags.bv_val = lp;
strcpy(lp, desc.ad_tags.bv_val);
ldap_pvt_str2lower(lp);
if( j == 0 )
d2->ad_cname.bv_len += 1 + desc.ad_tags.bv_len;
}
}
/* Add new desc to list. We always want the bare Desc with
* no options to stay at the head of the list, assuming
* that one will be used most frequently.
*/
if (desc.ad_type->sat_ad == NULL || dlen == 0) {
d2->ad_next = desc.ad_type->sat_ad;
desc.ad_type->sat_ad = d2;
} else {
d2->ad_next = desc.ad_type->sat_ad->ad_next;
desc.ad_type->sat_ad->ad_next = d2;
}
ldap_pvt_thread_mutex_unlock( &desc.ad_type->sat_ad_mutex );
}
if( *ad == NULL ) {
*ad = d2;
} else {
**ad = *d2;
}
return LDAP_SUCCESS;
}
int
backsql_compare( Operation *op, SlapReply *rs )
{
SQLHDBC dbh = SQL_NULL_HDBC;
Entry e = { 0 };
Attribute *a = NULL;
backsql_srch_info bsi = { 0 };
int rc;
int manageDSAit = get_manageDSAit( op );
AttributeName anlist[2];
Debug( LDAP_DEBUG_TRACE, "==>backsql_compare()\n", 0, 0, 0 );
rs->sr_err = backsql_get_db_conn( op, &dbh );
if ( rs->sr_err != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_TRACE, "backsql_compare(): "
"could not get connection handle - exiting\n",
0, 0, 0 );
rs->sr_text = ( rs->sr_err == LDAP_OTHER )
? "SQL-backend error" : NULL;
goto return_results;
}
anlist[ 0 ].an_name = op->oq_compare.rs_ava->aa_desc->ad_cname;
anlist[ 0 ].an_desc = op->oq_compare.rs_ava->aa_desc;
BER_BVZERO( &anlist[ 1 ].an_name );
/*
* Get the entry
*/
bsi.bsi_e = &e;
rc = backsql_init_search( &bsi, &op->o_req_ndn, LDAP_SCOPE_BASE,
(time_t)(-1), NULL, dbh, op, rs, anlist,
( BACKSQL_ISF_MATCHED | BACKSQL_ISF_GET_ENTRY ) );
switch ( rc ) {
case LDAP_SUCCESS:
break;
case LDAP_REFERRAL:
if ( manageDSAit && !BER_BVISNULL( &bsi.bsi_e->e_nname ) &&
dn_match( &op->o_req_ndn, &bsi.bsi_e->e_nname ) )
{
rs->sr_err = LDAP_SUCCESS;
rs->sr_text = NULL;
rs->sr_matched = NULL;
if ( rs->sr_ref ) {
ber_bvarray_free( rs->sr_ref );
rs->sr_ref = NULL;
}
break;
}
/* fallthru */
default:
Debug( LDAP_DEBUG_TRACE, "backsql_compare(): "
"could not retrieve compareDN ID - no such entry\n",
0, 0, 0 );
goto return_results;
}
if ( get_assert( op ) &&
( test_filter( op, &e, get_assertion( op ) )
!= LDAP_COMPARE_TRUE ) )
{
rs->sr_err = LDAP_ASSERTION_FAILED;
goto return_results;
}
if ( is_at_operational( op->oq_compare.rs_ava->aa_desc->ad_type ) ) {
SlapReply nrs = { REP_SEARCH };
Attribute **ap;
for ( ap = &e.e_attrs; *ap; ap = &(*ap)->a_next )
;
nrs.sr_attrs = anlist;
nrs.sr_entry = &e;
nrs.sr_attr_flags = SLAP_OPATTRS_NO;
nrs.sr_operational_attrs = NULL;
rs->sr_err = backsql_operational( op, &nrs );
if ( rs->sr_err != LDAP_SUCCESS ) {
goto return_results;
}
*ap = nrs.sr_operational_attrs;
}
if ( ! access_allowed( op, &e, op->oq_compare.rs_ava->aa_desc,
&op->oq_compare.rs_ava->aa_value,
ACL_COMPARE, NULL ) )
{
rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
goto return_results;
}
rs->sr_err = LDAP_NO_SUCH_ATTRIBUTE;
for ( a = attrs_find( e.e_attrs, op->oq_compare.rs_ava->aa_desc );
a != NULL;
a = attrs_find( a->a_next, op->oq_compare.rs_ava->aa_desc ) )
{
rs->sr_err = LDAP_COMPARE_FALSE;
if ( attr_valfind( a,
SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
&op->oq_compare.rs_ava->aa_value, NULL,
op->o_tmpmemctx ) == 0 )
{
rs->sr_err = LDAP_COMPARE_TRUE;
break;
}
}
return_results:;
switch ( rs->sr_err ) {
case LDAP_COMPARE_TRUE:
case LDAP_COMPARE_FALSE:
break;
default:
if ( !BER_BVISNULL( &e.e_nname ) &&
! access_allowed( op, &e,
slap_schema.si_ad_entry, NULL,
ACL_DISCLOSE, NULL ) )
{
rs->sr_err = LDAP_NO_SUCH_OBJECT;
rs->sr_text = NULL;
}
break;
}
send_ldap_result( op, rs );
if ( rs->sr_matched ) {
rs->sr_matched = NULL;
}
if ( rs->sr_ref ) {
ber_bvarray_free( rs->sr_ref );
rs->sr_ref = NULL;
}
if ( !BER_BVISNULL( &bsi.bsi_base_id.eid_ndn ) ) {
(void)backsql_free_entryID( &bsi.bsi_base_id, 0, op->o_tmpmemctx );
}
if ( !BER_BVISNULL( &e.e_nname ) ) {
backsql_entry_clean( op, &e );
}
if ( bsi.bsi_attrs != NULL ) {
op->o_tmpfree( bsi.bsi_attrs, op->o_tmpmemctx );
}
Debug(LDAP_DEBUG_TRACE,"<==backsql_compare()\n",0,0,0);
switch ( rs->sr_err ) {
case LDAP_COMPARE_TRUE:
case LDAP_COMPARE_FALSE:
return LDAP_SUCCESS;
default:
return rs->sr_err;
}
}
int
slap_send_search_entry( Operation *op, SlapReply *rs )
{
BerElementBuffer berbuf;
BerElement *ber = (BerElement *) &berbuf;
Attribute *a;
int i, j, rc = LDAP_UNAVAILABLE, bytes;
int userattrs;
AccessControlState acl_state = ACL_STATE_INIT;
int attrsonly;
AttributeDescription *ad_entry = slap_schema.si_ad_entry;
/* a_flags: array of flags telling if the i-th element will be
* returned or filtered out
* e_flags: array of a_flags
*/
char **e_flags = NULL;
rs->sr_type = REP_SEARCH;
if ( op->ors_slimit >= 0 && rs->sr_nentries >= op->ors_slimit ) {
rc = LDAP_SIZELIMIT_EXCEEDED;
goto error_return;
}
/* Every 64 entries, check for thread pool pause */
if ( ( ( rs->sr_nentries & 0x3f ) == 0x3f ) &&
ldap_pvt_thread_pool_pausing( &connection_pool ) > 0 )
{
rc = LDAP_BUSY;
goto error_return;
}
/* eventually will loop through generated operational attribute types
* currently implemented types include:
* entryDN, subschemaSubentry, and hasSubordinates */
/* NOTE: moved before overlays callback circling because
* they may modify entry and other stuff in rs */
/* check for special all operational attributes ("+") type */
/* FIXME: maybe we could set this flag at the operation level;
* however, in principle the caller of send_search_entry() may
* change the attribute list at each call */
rs->sr_attr_flags = slap_attr_flags( rs->sr_attrs );
rc = backend_operational( op, rs );
if ( rc ) {
goto error_return;
}
if ( op->o_callback ) {
rc = slap_response_play( op, rs );
if ( rc != SLAP_CB_CONTINUE ) {
goto error_return;
}
}
Debug( LDAP_DEBUG_TRACE, "=> send_search_entry: conn %lu dn=\"%s\"%s\n",
op->o_connid, rs->sr_entry->e_name.bv_val,
op->ors_attrsonly ? " (attrsOnly)" : "" );
attrsonly = op->ors_attrsonly;
if ( !access_allowed( op, rs->sr_entry, ad_entry, NULL, ACL_READ, NULL )) {
Debug( LDAP_DEBUG_ACL,
"send_search_entry: conn %lu access to entry (%s) not allowed\n",
op->o_connid, rs->sr_entry->e_name.bv_val );
rc = LDAP_INSUFFICIENT_ACCESS;
goto error_return;
}
if ( op->o_res_ber ) {
/* read back control or LDAP_CONNECTIONLESS */
ber = op->o_res_ber;
} else {
struct berval bv;
bv.bv_len = entry_flatsize( rs->sr_entry, 0 );
bv.bv_val = op->o_tmpalloc( bv.bv_len, op->o_tmpmemctx );
ber_init2( ber, &bv, LBER_USE_DER );
ber_set_option( ber, LBER_OPT_BER_MEMCTX, &op->o_tmpmemctx );
}
#ifdef LDAP_CONNECTIONLESS
if ( op->o_conn && op->o_conn->c_is_udp ) {
/* CONNECTIONLESS */
if ( op->o_protocol == LDAP_VERSION2 ) {
rc = ber_printf(ber, "t{O{" /*}}*/,
LDAP_RES_SEARCH_ENTRY, &rs->sr_entry->e_name );
} else {
rc = ber_printf( ber, "{it{O{" /*}}}*/, op->o_msgid,
LDAP_RES_SEARCH_ENTRY, &rs->sr_entry->e_name );
}
} else
#endif
if ( op->o_res_ber ) {
/* read back control */
rc = ber_printf( ber, "t{O{" /*}}*/,
LDAP_RES_SEARCH_ENTRY, &rs->sr_entry->e_name );
} else {
rc = ber_printf( ber, "{it{O{" /*}}}*/, op->o_msgid,
LDAP_RES_SEARCH_ENTRY, &rs->sr_entry->e_name );
}
if ( rc == -1 ) {
Debug( LDAP_DEBUG_ANY,
"send_search_entry: conn %lu ber_printf failed\n",
op->o_connid );
if ( op->o_res_ber == NULL ) ber_free_buf( ber );
set_ldap_error( rs, LDAP_OTHER, "encoding DN error" );
rc = rs->sr_err;
goto error_return;
}
/* check for special all user attributes ("*") type */
userattrs = SLAP_USERATTRS( rs->sr_attr_flags );
/* create an array of arrays of flags. Each flag corresponds
* to particular value of attribute and equals 1 if value matches
* to ValuesReturnFilter or 0 if not
*/
if ( op->o_vrFilter != NULL ) {
int k = 0;
size_t size;
for ( a = rs->sr_entry->e_attrs, i=0; a != NULL; a = a->a_next, i++ ) {
for ( j = 0; a->a_vals[j].bv_val != NULL; j++ ) k++;
}
size = i * sizeof(char *) + k;
if ( size > 0 ) {
char *a_flags;
e_flags = slap_sl_calloc ( 1, i * sizeof(char *) + k, op->o_tmpmemctx );
if( e_flags == NULL ) {
Debug( LDAP_DEBUG_ANY,
"send_search_entry: conn %lu slap_sl_calloc failed\n",
op->o_connid );
ber_free( ber, 1 );
set_ldap_error( rs, LDAP_OTHER, "out of memory" );
goto error_return;
}
a_flags = (char *)(e_flags + i);
memset( a_flags, 0, k );
for ( a=rs->sr_entry->e_attrs, i=0; a != NULL; a=a->a_next, i++ ) {
for ( j = 0; a->a_vals[j].bv_val != NULL; j++ );
e_flags[i] = a_flags;
a_flags += j;
}
rc = filter_matched_values(op, rs->sr_entry->e_attrs, &e_flags) ;
if ( rc == -1 ) {
Debug( LDAP_DEBUG_ANY, "send_search_entry: "
"conn %lu matched values filtering failed\n",
op->o_connid );
if ( op->o_res_ber == NULL ) ber_free_buf( ber );
set_ldap_error( rs, LDAP_OTHER,
"matched values filtering error" );
rc = rs->sr_err;
goto error_return;
}
}
}
for ( a = rs->sr_entry->e_attrs, j = 0; a != NULL; a = a->a_next, j++ ) {
AttributeDescription *desc = a->a_desc;
int finish = 0;
if ( rs->sr_attrs == NULL ) {
/* all user attrs request, skip operational attributes */
if( is_at_operational( desc->ad_type ) ) {
continue;
}
} else {
/* specific attrs requested */
if ( is_at_operational( desc->ad_type ) ) {
/* if not explicitly requested */
if ( !ad_inlist( desc, rs->sr_attrs )) {
/* if not all op attrs requested, skip */
if ( !SLAP_OPATTRS( rs->sr_attr_flags ))
continue;
/* if DSA-specific and replicating, skip */
if ( op->o_sync != SLAP_CONTROL_NONE &&
desc->ad_type->sat_usage == LDAP_SCHEMA_DSA_OPERATION )
continue;
}
} else {
if ( !userattrs && !ad_inlist( desc, rs->sr_attrs ) ) {
continue;
}
}
}
if ( attrsonly ) {
if ( ! access_allowed( op, rs->sr_entry, desc, NULL,
ACL_READ, &acl_state ) )
{
Debug( LDAP_DEBUG_ACL, "send_search_entry: "
"conn %lu access to attribute %s not allowed\n",
op->o_connid, desc->ad_cname.bv_val );
continue;
}
if (( rc = ber_printf( ber, "{O[" /*]}*/ , &desc->ad_cname )) == -1 ) {
Debug( LDAP_DEBUG_ANY,
"send_search_entry: conn %lu ber_printf failed\n",
op->o_connid );
if ( op->o_res_ber == NULL ) ber_free_buf( ber );
set_ldap_error( rs, LDAP_OTHER,
"encoding description error");
rc = rs->sr_err;
goto error_return;
}
finish = 1;
} else {
int first = 1;
for ( i = 0; a->a_nvals[i].bv_val != NULL; i++ ) {
if ( ! access_allowed( op, rs->sr_entry,
desc, &a->a_nvals[i], ACL_READ, &acl_state ) )
{
Debug( LDAP_DEBUG_ACL,
"send_search_entry: conn %lu "
"access to attribute %s, value #%d not allowed\n",
op->o_connid, desc->ad_cname.bv_val, i );
continue;
}
if ( op->o_vrFilter && e_flags[j][i] == 0 ){
continue;
}
if ( first ) {
first = 0;
finish = 1;
if (( rc = ber_printf( ber, "{O[" /*]}*/ , &desc->ad_cname )) == -1 ) {
Debug( LDAP_DEBUG_ANY,
"send_search_entry: conn %lu ber_printf failed\n",
op->o_connid );
if ( op->o_res_ber == NULL ) ber_free_buf( ber );
set_ldap_error( rs, LDAP_OTHER,
"encoding description error");
rc = rs->sr_err;
goto error_return;
}
}
if (( rc = ber_printf( ber, "O", &a->a_vals[i] )) == -1 ) {
Debug( LDAP_DEBUG_ANY,
"send_search_entry: conn %lu "
"ber_printf failed.\n", op->o_connid );
if ( op->o_res_ber == NULL ) ber_free_buf( ber );
set_ldap_error( rs, LDAP_OTHER,
"encoding values error" );
rc = rs->sr_err;
goto error_return;
}
}
}
if ( finish && ( rc = ber_printf( ber, /*{[*/ "]N}" )) == -1 ) {
Debug( LDAP_DEBUG_ANY,
"send_search_entry: conn %lu ber_printf failed\n",
op->o_connid );
if ( op->o_res_ber == NULL ) ber_free_buf( ber );
set_ldap_error( rs, LDAP_OTHER, "encode end error" );
rc = rs->sr_err;
goto error_return;
}
}
/* NOTE: moved before overlays callback circling because
* they may modify entry and other stuff in rs */
if ( rs->sr_operational_attrs != NULL && op->o_vrFilter != NULL ) {
int k = 0;
size_t size;
for ( a = rs->sr_operational_attrs, i=0; a != NULL; a = a->a_next, i++ ) {
for ( j = 0; a->a_vals[j].bv_val != NULL; j++ ) k++;
}
size = i * sizeof(char *) + k;
if ( size > 0 ) {
char *a_flags, **tmp;
/*
* Reuse previous memory - we likely need less space
* for operational attributes
*/
tmp = slap_sl_realloc( e_flags, i * sizeof(char *) + k,
op->o_tmpmemctx );
if ( tmp == NULL ) {
Debug( LDAP_DEBUG_ANY,
"send_search_entry: conn %lu "
"not enough memory "
"for matched values filtering\n",
op->o_connid );
if ( op->o_res_ber == NULL ) ber_free_buf( ber );
set_ldap_error( rs, LDAP_OTHER,
"not enough memory for matched values filtering" );
goto error_return;
}
e_flags = tmp;
a_flags = (char *)(e_flags + i);
memset( a_flags, 0, k );
for ( a = rs->sr_operational_attrs, i=0; a != NULL; a = a->a_next, i++ ) {
for ( j = 0; a->a_vals[j].bv_val != NULL; j++ );
e_flags[i] = a_flags;
a_flags += j;
}
rc = filter_matched_values(op, rs->sr_operational_attrs, &e_flags) ;
if ( rc == -1 ) {
Debug( LDAP_DEBUG_ANY,
"send_search_entry: conn %lu "
"matched values filtering failed\n",
op->o_connid);
if ( op->o_res_ber == NULL ) ber_free_buf( ber );
set_ldap_error( rs, LDAP_OTHER,
"matched values filtering error" );
rc = rs->sr_err;
goto error_return;
}
}
}
for (a = rs->sr_operational_attrs, j=0; a != NULL; a = a->a_next, j++ ) {
AttributeDescription *desc = a->a_desc;
if ( rs->sr_attrs == NULL ) {
/* all user attrs request, skip operational attributes */
if( is_at_operational( desc->ad_type ) ) {
continue;
}
} else {
/* specific attrs requested */
if( is_at_operational( desc->ad_type ) ) {
if ( !SLAP_OPATTRS( rs->sr_attr_flags ) &&
!ad_inlist( desc, rs->sr_attrs ) )
{
continue;
}
/* if DSA-specific and replicating, skip */
if ( op->o_sync != SLAP_CONTROL_NONE &&
desc->ad_type->sat_usage == LDAP_SCHEMA_DSA_OPERATION )
continue;
} else {
if ( !userattrs && !ad_inlist( desc, rs->sr_attrs ) ) {
continue;
}
}
}
if ( ! access_allowed( op, rs->sr_entry, desc, NULL,
ACL_READ, &acl_state ) )
{
Debug( LDAP_DEBUG_ACL,
"send_search_entry: conn %lu "
"access to attribute %s not allowed\n",
op->o_connid, desc->ad_cname.bv_val );
continue;
}
rc = ber_printf( ber, "{O[" /*]}*/ , &desc->ad_cname );
if ( rc == -1 ) {
Debug( LDAP_DEBUG_ANY,
"send_search_entry: conn %lu "
"ber_printf failed\n", op->o_connid );
if ( op->o_res_ber == NULL ) ber_free_buf( ber );
set_ldap_error( rs, LDAP_OTHER,
"encoding description error" );
rc = rs->sr_err;
goto error_return;
}
if ( ! attrsonly ) {
for ( i = 0; a->a_vals[i].bv_val != NULL; i++ ) {
if ( ! access_allowed( op, rs->sr_entry,
desc, &a->a_vals[i], ACL_READ, &acl_state ) )
{
Debug( LDAP_DEBUG_ACL,
"send_search_entry: conn %lu "
"access to %s, value %d not allowed\n",
op->o_connid, desc->ad_cname.bv_val, i );
continue;
}
if ( op->o_vrFilter && e_flags[j][i] == 0 ){
continue;
}
if (( rc = ber_printf( ber, "O", &a->a_vals[i] )) == -1 ) {
Debug( LDAP_DEBUG_ANY,
"send_search_entry: conn %lu ber_printf failed\n",
op->o_connid );
if ( op->o_res_ber == NULL ) ber_free_buf( ber );
set_ldap_error( rs, LDAP_OTHER,
"encoding values error" );
rc = rs->sr_err;
goto error_return;
}
}
}
if (( rc = ber_printf( ber, /*{[*/ "]N}" )) == -1 ) {
Debug( LDAP_DEBUG_ANY,
"send_search_entry: conn %lu ber_printf failed\n",
op->o_connid );
if ( op->o_res_ber == NULL ) ber_free_buf( ber );
set_ldap_error( rs, LDAP_OTHER, "encode end error" );
rc = rs->sr_err;
goto error_return;
}
}
/* free e_flags */
if ( e_flags ) {
slap_sl_free( e_flags, op->o_tmpmemctx );
e_flags = NULL;
}
rc = ber_printf( ber, /*{{*/ "}N}" );
if( rc != -1 ) {
rc = send_ldap_controls( op, ber, rs->sr_ctrls );
}
if( rc != -1 ) {
#ifdef LDAP_CONNECTIONLESS
if( op->o_conn && op->o_conn->c_is_udp ) {
if ( op->o_protocol != LDAP_VERSION2 ) {
rc = ber_printf( ber, /*{*/ "N}" );
}
} else
#endif
if ( op->o_res_ber == NULL ) {
rc = ber_printf( ber, /*{*/ "N}" );
}
}
if ( rc == -1 ) {
Debug( LDAP_DEBUG_ANY, "ber_printf failed\n" );
if ( op->o_res_ber == NULL ) ber_free_buf( ber );
set_ldap_error( rs, LDAP_OTHER, "encode entry end error" );
rc = rs->sr_err;
goto error_return;
}
Statslog( LDAP_DEBUG_STATS2, "%s ENTRY dn=\"%s\"\n",
op->o_log_prefix, rs->sr_entry->e_nname.bv_val );
rs_flush_entry( op, rs, NULL );
if ( op->o_res_ber == NULL ) {
bytes = send_ldap_ber( op, ber );
ber_free_buf( ber );
if ( bytes < 0 ) {
Debug( LDAP_DEBUG_ANY,
"send_search_entry: conn %lu ber write failed.\n",
op->o_connid );
rc = LDAP_UNAVAILABLE;
goto error_return;
}
rs->sr_nentries++;
ldap_pvt_thread_mutex_lock( &op->o_counters->sc_mutex );
ldap_pvt_mp_add_ulong( op->o_counters->sc_bytes, (unsigned long)bytes );
ldap_pvt_mp_add_ulong( op->o_counters->sc_entries, 1 );
ldap_pvt_mp_add_ulong( op->o_counters->sc_pdu, 1 );
ldap_pvt_thread_mutex_unlock( &op->o_counters->sc_mutex );
}
Debug( LDAP_DEBUG_TRACE,
"<= send_search_entry: conn %lu exit.\n", op->o_connid );
rc = LDAP_SUCCESS;
error_return:;
if ( op->o_callback ) {
(void)slap_cleanup_play( op, rs );
}
if ( e_flags ) {
slap_sl_free( e_flags, op->o_tmpmemctx );
}
/* FIXME: Can break if rs now contains an extended response */
if ( rs->sr_operational_attrs ) {
attrs_free( rs->sr_operational_attrs );
rs->sr_operational_attrs = NULL;
}
rs->sr_attr_flags = SLAP_ATTRS_UNDEFINED;
if ( op->o_tag == LDAP_REQ_SEARCH && rs->sr_type == REP_SEARCH ) {
rs_flush_entry( op, rs, NULL );
} else {
RS_ASSERT( (rs->sr_flags & REP_ENTRY_MASK) == 0 );
}
if ( rs->sr_flags & REP_CTRLS_MUSTBEFREED ) {
rs->sr_flags ^= REP_CTRLS_MUSTBEFREED; /* paranoia */
if ( rs->sr_ctrls ) {
slap_free_ctrls( op, rs->sr_ctrls );
rs->sr_ctrls = NULL;
}
}
return( rc );
}
