int ipadb_ldap_deref_results(LDAP *lcontext, LDAPMessage *le,
LDAPDerefRes **results)
{
LDAPControl **ctrls = NULL;
LDAPControl *derefctrl = NULL;
int ret;
ret = ldap_get_entry_controls(lcontext, le, &ctrls);
if (ret != LDAP_SUCCESS) {
return EINVAL;
}
if (!ctrls) {
return ENOENT;
}
derefctrl = ldap_control_find(LDAP_CONTROL_X_DEREF, ctrls, NULL);
if (!derefctrl) {
ret = ENOENT;
goto done;
}
ret = ldap_parse_derefresponse_control(lcontext, derefctrl, results);
if (ret) {
ret = EINVAL;
goto done;
}
ret = 0;
done:
ldap_controls_free(ctrls);
return ret;
}
/*
* handle the LDAP_RES_SEARCH_ENTRY response
*/
static int
ldap_sync_search_entry( ldap_sync_t *ls, LDAPMessage *res )
{
LDAPControl **ctrls = NULL;
int rc = LDAP_OTHER,
i;
BerElement *ber = NULL;
struct berval entryUUID = { 0 },
cookie = { 0 };
int state = -1;
ber_len_t len;
ldap_sync_refresh_t phase;
#ifdef LDAP_SYNC_TRACE
fprintf( stderr, "\tgot LDAP_RES_SEARCH_ENTRY\n" );
#endif /* LDAP_SYNC_TRACE */
assert( ls != NULL );
assert( res != NULL );
phase = ls->ls_refreshPhase;
/* OK */
/* extract:
* - data
* - entryUUID
*
* check that:
* - Sync State Control is "add"
*/
/* the control MUST be present */
/* extract controls */
ldap_get_entry_controls( ls->ls_ld, res, &ctrls );
if ( ctrls == NULL ) {
goto done;
}
/* lookup the sync state control */
for ( i = 0; ctrls[ i ] != NULL; i++ ) {
if ( strcmp( ctrls[ i ]->ldctl_oid, LDAP_CONTROL_SYNC_STATE ) == 0 ) {
break;
}
}
/* control must be present; there might be other... */
if ( ctrls[ i ] == NULL ) {
goto done;
}
/* extract data */
ber = ber_init( &ctrls[ i ]->ldctl_value );
if ( ber == NULL ) {
goto done;
}
/* scan entryUUID in-place ("m") */
if ( ber_scanf( ber, "{em" /*"}"*/, &state, &entryUUID ) == LBER_ERROR
|| entryUUID.bv_len == 0 )
{
goto done;
}
if ( ber_peek_tag( ber, &len ) == LDAP_TAG_SYNC_COOKIE ) {
/* scan cookie in-place ("m") */
if ( ber_scanf( ber, /*"{"*/ "m}", &cookie ) == LBER_ERROR ) {
goto done;
}
if ( cookie.bv_val != NULL ) {
ber_bvreplace( &ls->ls_cookie, &cookie );
}
#ifdef LDAP_SYNC_TRACE
fprintf( stderr, "\t\tgot cookie=%s\n",
cookie.bv_val ? cookie.bv_val : "(null)" );
#endif /* LDAP_SYNC_TRACE */
}
switch ( state ) {
case LDAP_SYNC_PRESENT:
case LDAP_SYNC_DELETE:
case LDAP_SYNC_ADD:
case LDAP_SYNC_MODIFY:
/* NOTE: ldap_sync_refresh_t is defined
* as the corresponding LDAP_SYNC_*
* for the 4 above cases */
phase = state;
#ifdef LDAP_SYNC_TRACE
fprintf( stderr, "\t\tgot syncState=%s\n", ldap_sync_state2str( state ) );
#endif /* LDAP_SYNC_TRACE */
break;
default:
#ifdef LDAP_SYNC_TRACE
fprintf( stderr, "\t\tgot unknown syncState=%d\n", state );
#endif /* LDAP_SYNC_TRACE */
goto done;
}
rc = ls->ls_search_entry
? ls->ls_search_entry( ls, res, &entryUUID, phase )
: LDAP_SUCCESS;
done:;
if ( ber != NULL ) {
ber_free( ber, 1 );
}
if ( ctrls != NULL ) {
ldap_controls_free( ctrls );
}
return rc;
}
static int
asyncmeta_send_entry(
Operation *op,
SlapReply *rs,
a_metaconn_t *mc,
int target,
LDAPMessage *e )
{
a_metainfo_t *mi = mc->mc_info;
struct berval a, mapped = BER_BVNULL;
int check_sorted_attrs = 0;
Entry ent = {0};
BerElement ber = *ldap_get_message_ber( e );
Attribute *attr, **attrp;
struct berval bdn,
dn = BER_BVNULL;
const char *text;
a_dncookie dc;
ber_len_t len;
int rc;
void *mem_mark;
mem_mark = slap_sl_mark( op->o_tmpmemctx );
ber_set_option( &ber, LBER_OPT_BER_MEMCTX, &op->o_tmpmemctx );
if ( ber_scanf( &ber, "l{", &len ) == LBER_ERROR ) {
return LDAP_DECODING_ERROR;
}
if ( ber_set_option( &ber, LBER_OPT_REMAINING_BYTES, &len ) != LBER_OPT_SUCCESS ) {
return LDAP_OTHER;
}
if ( ber_scanf( &ber, "m{", &bdn ) == LBER_ERROR ) {
return LDAP_DECODING_ERROR;
}
/*
* Rewrite the dn of the result, if needed
*/
dc.op = op;
dc.target = mi->mi_targets[ target ];
dc.memctx = op->o_tmpmemctx;
dc.to_from = MASSAGE_REP;
asyncmeta_dn_massage( &dc, &bdn, &dn );
/*
* Note: this may fail if the target host(s) schema differs
* from the one known to the meta, and a DN with unknown
* attributes is returned.
*
* FIXME: should we log anything, or delegate to dnNormalize?
*/
rc = dnPrettyNormal( NULL, &dn, &ent.e_name, &ent.e_nname,
op->o_tmpmemctx );
if ( dn.bv_val != bdn.bv_val ) {
op->o_tmpfree( dn.bv_val, op->o_tmpmemctx );
}
BER_BVZERO( &dn );
if ( rc != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_ANY,
"%s asyncmeta_send_entry(\"%s\"): "
"invalid DN syntax\n",
op->o_log_prefix, ent.e_name.bv_val );
rc = LDAP_INVALID_DN_SYNTAX;
goto done;
}
/*
* cache dn
*/
if ( mi->mi_cache.ttl != META_DNCACHE_DISABLED ) {
( void )asyncmeta_dncache_update_entry( &mi->mi_cache,
&ent.e_nname, target );
}
attrp = &ent.e_attrs;
while ( ber_scanf( &ber, "{m", &a ) != LBER_ERROR ) {
int last = 0;
slap_syntax_validate_func *validate;
slap_syntax_transform_func *pretty;
if ( ber_pvt_ber_remaining( &ber ) < 0 ) {
Debug( LDAP_DEBUG_ANY,
"%s asyncmeta_send_entry(\"%s\"): "
"unable to parse attr \"%s\".\n",
op->o_log_prefix, ent.e_name.bv_val, a.bv_val );
rc = LDAP_OTHER;
goto done;
}
if ( ber_pvt_ber_remaining( &ber ) == 0 ) {
break;
}
attr = op->o_tmpcalloc( 1, sizeof(Attribute), op->o_tmpmemctx );
if ( slap_bv2ad( &a, &attr->a_desc, &text )
!= LDAP_SUCCESS) {
if ( slap_bv2undef_ad( &a, &attr->a_desc, &text,
SLAP_AD_PROXIED ) != LDAP_SUCCESS )
{
Debug(LDAP_DEBUG_ANY,
"%s meta_send_entry(\"%s\"): " "slap_bv2undef_ad(%s): %s\n",
op->o_log_prefix, ent.e_name.bv_val,
mapped.bv_val, text );
( void )ber_scanf( &ber, "x" /* [W] */ );
op->o_tmpfree( attr, op->o_tmpmemctx );
continue;
}
}
if ( attr->a_desc->ad_type->sat_flags & SLAP_AT_SORTED_VAL )
check_sorted_attrs = 1;
/* no subschemaSubentry */
if ( attr->a_desc == slap_schema.si_ad_subschemaSubentry
|| attr->a_desc == slap_schema.si_ad_entryDN )
{
/*
* We eat target's subschemaSubentry because
* a search for this value is likely not
* to resolve to the appropriate backend;
* later, the local subschemaSubentry is
* added.
*
* We also eat entryDN because the frontend
* will reattach it without checking if already
* present...
*/
( void )ber_scanf( &ber, "x" /* [W] */ );
op->o_tmpfree( attr, op->o_tmpmemctx );
continue;
}
if ( ber_scanf( &ber, "[W]", &attr->a_vals ) == LBER_ERROR
|| attr->a_vals == NULL )
{
attr->a_vals = (struct berval *)&slap_dummy_bv;
} else {
for ( last = 0; !BER_BVISNULL( &attr->a_vals[ last ] ); ++last )
;
}
attr->a_numvals = last;
validate = attr->a_desc->ad_type->sat_syntax->ssyn_validate;
pretty = attr->a_desc->ad_type->sat_syntax->ssyn_pretty;
if ( !validate && !pretty ) {
ber_bvarray_free_x( attr->a_vals, op->o_tmpmemctx );
op->o_tmpfree( attr, op->o_tmpmemctx );
goto next_attr;
}
/*
* It is necessary to try to rewrite attributes with
* dn syntax because they might be used in ACLs as
* members of groups; since ACLs are applied to the
* rewritten stuff, no dn-based subecj clause could
* be used at the ldap backend side (see
* http://www.OpenLDAP.org/faq/data/cache/452.html)
* The problem can be overcome by moving the dn-based
* ACLs to the target directory server, and letting
* everything pass thru the ldap backend.
*/
{
int i;
if ( attr->a_desc->ad_type->sat_syntax ==
slap_schema.si_syn_distinguishedName )
{
asyncmeta_dnattr_result_rewrite( &dc, attr->a_vals );
} else if ( attr->a_desc == slap_schema.si_ad_ref ) {
asyncmeta_referral_result_rewrite( &dc, attr->a_vals );
}
for ( i = 0; i < last; i++ ) {
struct berval pval;
int rc;
if ( pretty ) {
rc = ordered_value_pretty( attr->a_desc,
&attr->a_vals[i], &pval, op->o_tmpmemctx );
} else {
rc = ordered_value_validate( attr->a_desc,
&attr->a_vals[i], 0 );
}
if ( rc ) {
ber_memfree_x( attr->a_vals[i].bv_val, op->o_tmpmemctx );
if ( --last == i ) {
BER_BVZERO( &attr->a_vals[ i ] );
break;
}
attr->a_vals[i] = attr->a_vals[last];
BER_BVZERO( &attr->a_vals[last] );
i--;
continue;
}
if ( pretty ) {
ber_memfree_x( attr->a_vals[i].bv_val, op->o_tmpmemctx );
attr->a_vals[i] = pval;
}
}
if ( last == 0 && attr->a_vals != &slap_dummy_bv ) {
ber_bvarray_free_x( attr->a_vals, op->o_tmpmemctx );
op->o_tmpfree( attr, op->o_tmpmemctx );
goto next_attr;
}
}
if ( last && attr->a_desc->ad_type->sat_equality &&
attr->a_desc->ad_type->sat_equality->smr_normalize )
{
int i;
attr->a_nvals = op->o_tmpalloc( ( last + 1 ) * sizeof( struct berval ), op->o_tmpmemctx );
for ( i = 0; i<last; i++ ) {
/* if normalizer fails, drop this value */
if ( ordered_value_normalize(
SLAP_MR_VALUE_OF_ATTRIBUTE_SYNTAX,
attr->a_desc,
attr->a_desc->ad_type->sat_equality,
&attr->a_vals[i], &attr->a_nvals[i],
op->o_tmpmemctx )) {
ber_memfree_x( attr->a_vals[i].bv_val, op->o_tmpmemctx );
if ( --last == i ) {
BER_BVZERO( &attr->a_vals[ i ] );
break;
}
attr->a_vals[i] = attr->a_vals[last];
BER_BVZERO( &attr->a_vals[last] );
i--;
}
}
BER_BVZERO( &attr->a_nvals[i] );
if ( last == 0 ) {
ber_bvarray_free_x( attr->a_vals, op->o_tmpmemctx );
ber_bvarray_free_x( attr->a_nvals, op->o_tmpmemctx );
op->o_tmpfree( attr, op->o_tmpmemctx );
goto next_attr;
}
} else {
attr->a_nvals = attr->a_vals;
}
attr->a_numvals = last;
*attrp = attr;
attrp = &attr->a_next;
next_attr:;
}
/* Check for sorted attributes */
if ( check_sorted_attrs ) {
for ( attr = ent.e_attrs; attr; attr = attr->a_next ) {
if ( attr->a_desc->ad_type->sat_flags & SLAP_AT_SORTED_VAL ) {
while ( attr->a_numvals > 1 ) {
int i;
int rc = slap_sort_vals( (Modifications *)attr, &text, &i, op->o_tmpmemctx );
if ( rc != LDAP_TYPE_OR_VALUE_EXISTS )
break;
/* Strip duplicate values */
if ( attr->a_nvals != attr->a_vals )
ber_memfree_x( attr->a_nvals[i].bv_val, op->o_tmpmemctx );
ber_memfree_x( attr->a_vals[i].bv_val, op->o_tmpmemctx );
attr->a_numvals--;
if ( (unsigned)i < attr->a_numvals ) {
attr->a_vals[i] = attr->a_vals[attr->a_numvals];
if ( attr->a_nvals != attr->a_vals )
attr->a_nvals[i] = attr->a_nvals[attr->a_numvals];
}
BER_BVZERO(&attr->a_vals[attr->a_numvals]);
if ( attr->a_nvals != attr->a_vals )
BER_BVZERO(&attr->a_nvals[attr->a_numvals]);
}
attr->a_flags |= SLAP_ATTR_SORTED_VALS;
}
}
}
Debug( LDAP_DEBUG_TRACE,
"%s asyncmeta_send_entry(\"%s\"): "
".\n",
op->o_log_prefix, ent.e_name.bv_val );
ldap_get_entry_controls( mc->mc_conns[target].msc_ldr,
e, &rs->sr_ctrls );
rs->sr_entry = &ent;
rs->sr_attrs = op->ors_attrs;
rs->sr_operational_attrs = NULL;
rs->sr_flags = mi->mi_targets[ target ]->mt_rep_flags;
rs->sr_err = LDAP_SUCCESS;
rc = send_search_entry( op, rs );
switch ( rc ) {
case LDAP_UNAVAILABLE:
rc = LDAP_OTHER;
break;
}
done:;
if ( rs->sr_ctrls != NULL ) {
ldap_controls_free( rs->sr_ctrls );
rs->sr_ctrls = NULL;
}
#if 0
while ( ent.e_attrs ) {
attr = ent.e_attrs;
ent.e_attrs = attr->a_next;
if ( attr->a_nvals != attr->a_vals )
ber_bvarray_free_x( attr->a_nvals, op->o_tmpmemctx );
ber_bvarray_free_x( attr->a_vals, op->o_tmpmemctx );
op->o_tmpfree( attr, op->o_tmpmemctx );
}
if (ent.e_name.bv_val != NULL) {
op->o_tmpfree( ent.e_name.bv_val, op->o_tmpmemctx );
}
if (ent.e_nname.bv_val != NULL) {
op->o_tmpfree( ent.e_nname.bv_val, op->o_tmpmemctx );
}
if (rs->sr_entry && rs->sr_entry != &ent) {
entry_free( rs->sr_entry );
}
#endif
slap_sl_release( mem_mark, op->o_tmpmemctx );
rs->sr_entry = NULL;
rs->sr_attrs = NULL;
return rc;
}
/** Perform basic parsing of multiple types of messages, checking for error conditions
*
* @note Error messages should be retrieved with fr_strerror() and fr_strerror_pop()
*
* @param[out] ctrls Server ctrls returned to the client. May be NULL if not required.
* Must be freed with ldap_free_ctrls.
* @param[in] conn the message was received on.
* @param[in] msg we're parsing.
* @param[in] dn if processing the result from a search request.
* @return One of the LDAP_PROC_* (#fr_ldap_rcode_t) values.
*/
fr_ldap_rcode_t fr_ldap_error_check(LDAPControl ***ctrls, fr_ldap_connection_t const *conn, LDAPMessage *msg, char const *dn)
{
fr_ldap_rcode_t status = LDAP_PROC_SUCCESS;
int msg_type;
int lib_errno = LDAP_SUCCESS; /* errno returned by the library */
int srv_errno = LDAP_SUCCESS; /* errno in the result message */
char *part_dn = NULL; /* Partial DN match */
char *srv_err = NULL; /* Server's extended error message */
ssize_t len;
if (ctrls) *ctrls = NULL;
if (!msg) {
ldap_get_option(conn->handle, LDAP_OPT_ERROR_NUMBER, &lib_errno);
if (lib_errno != LDAP_SUCCESS) goto process_error;
fr_strerror_printf("No result available");
return LDAP_PROC_NO_RESULT;
}
msg_type = ldap_msgtype(msg);
switch (msg_type) {
/*
* Parse the result and check for errors sent by the server
*/
case LDAP_RES_SEARCH_RESULT: /* The result of a search */
case LDAP_RES_BIND: /* The result of a bind operation */
case LDAP_RES_EXTENDED:
lib_errno = ldap_parse_result(conn->handle, msg,
&srv_errno, &part_dn, &srv_err,
NULL, ctrls, 0);
break;
/*
* These are messages containing objects so unless they're
* malformed they can't contain errors.
*/
case LDAP_RES_SEARCH_ENTRY:
if (ctrls) lib_errno = ldap_get_entry_controls(conn->handle, msg, ctrls);
break;
/*
* An intermediate message updating us on the result of an operation
*/
case LDAP_RES_INTERMEDIATE:
lib_errno = ldap_parse_intermediate(conn->handle, msg, NULL, NULL, ctrls, 0);
break;
/*
* Can't extract any more useful information.
*/
default:
return LDAP_PROC_SUCCESS;
}
/*
* Stupid messy API
*/
if (lib_errno != LDAP_SUCCESS) {
rad_assert(!ctrls || !*ctrls);
ldap_get_option(conn->handle, LDAP_OPT_ERROR_NUMBER, &lib_errno);
}
process_error:
if ((lib_errno == LDAP_SUCCESS) && (srv_errno != LDAP_SUCCESS)) {
lib_errno = srv_errno;
} else if ((lib_errno != LDAP_SUCCESS) && (srv_errno == LDAP_SUCCESS)) {
srv_errno = lib_errno;
}
switch (lib_errno) {
case LDAP_SUCCESS:
fr_strerror_printf("Success");
break;
case LDAP_SASL_BIND_IN_PROGRESS:
fr_strerror_printf("Continuing");
status = LDAP_PROC_CONTINUE;
break;
case LDAP_NO_SUCH_OBJECT:
fr_strerror_printf("The specified DN wasn't found");
status = LDAP_PROC_BAD_DN;
/*
* Build our own internal diagnostic string
*/
if (dn && part_dn) {
char *spaces;
char *text;
len = fr_ldap_common_dn(dn, part_dn);
if (len < 0) break;
fr_canonicalize_error(NULL, &spaces, &text, -len, dn);
fr_strerror_printf_push("%s", text);
fr_strerror_printf_push("%s^ %s", spaces, "match stopped here");
talloc_free(spaces);
talloc_free(text);
}
goto error_string;
case LDAP_INSUFFICIENT_ACCESS:
fr_strerror_printf("Insufficient access. Check the identity and password configuration directives");
status = LDAP_PROC_NOT_PERMITTED;
break;
case LDAP_UNWILLING_TO_PERFORM:
fr_strerror_printf("Server was unwilling to perform");
status = LDAP_PROC_NOT_PERMITTED;
break;
case LDAP_FILTER_ERROR:
fr_strerror_printf("Bad search filter");
status = LDAP_PROC_ERROR;
break;
case LDAP_TIMEOUT:
fr_strerror_printf("Timed out while waiting for server to respond");
status = LDAP_PROC_TIMEOUT;
break;
case LDAP_TIMELIMIT_EXCEEDED:
fr_strerror_printf("Time limit exceeded");
status = LDAP_PROC_TIMEOUT;
break;
case LDAP_BUSY:
case LDAP_UNAVAILABLE:
case LDAP_SERVER_DOWN:
status = LDAP_PROC_BAD_CONN;
goto error_string;
case LDAP_INVALID_CREDENTIALS:
case LDAP_CONSTRAINT_VIOLATION:
status = LDAP_PROC_REJECT;
goto error_string;
case LDAP_OPERATIONS_ERROR:
fr_strerror_printf("Please set 'chase_referrals=yes' and 'rebind=yes'. "
"See the ldap module configuration for details");
/* FALL-THROUGH */
default:
status = LDAP_PROC_ERROR;
error_string:
if (lib_errno == srv_errno) {
fr_strerror_printf("lib error: %s (%u)", ldap_err2string(lib_errno), lib_errno);
} else {
fr_strerror_printf("lib error: %s (%u), srv error: %s (%u)",
ldap_err2string(lib_errno), lib_errno,
ldap_err2string(srv_errno), srv_errno);
}
if (srv_err) fr_strerror_printf_push("Server said: %s", srv_err);
break;
}
/*
* Cleanup memory
*/
if (srv_err) ldap_memfree(srv_err);
if (part_dn) ldap_memfree(part_dn);
return status;
}
int
ldap_back_search(
Operation *op,
SlapReply *rs )
{
ldapinfo_t *li = (ldapinfo_t *) op->o_bd->be_private;
ldapconn_t *lc = NULL;
struct timeval tv;
time_t stoptime = (time_t)(-1);
LDAPMessage *res,
*e;
int rc = 0,
msgid;
struct berval match = BER_BVNULL,
filter = BER_BVNULL;
int i, x;
char **attrs = NULL;
int freetext = 0, filter_undef = 0;
int do_retry = 1, dont_retry = 0;
LDAPControl **ctrls = NULL;
char **references = NULL;
rs_assert_ready( rs );
rs->sr_flags &= ~REP_ENTRY_MASK; /* paranoia, we can set rs = non-entry */
if ( !ldap_back_dobind( &lc, op, rs, LDAP_BACK_SENDERR ) ) {
return rs->sr_err;
}
/*
* FIXME: in case of values return filter, we might want
* to map attrs and maybe rewrite value
*/
if ( op->ors_tlimit != SLAP_NO_LIMIT ) {
tv.tv_sec = op->ors_tlimit;
tv.tv_usec = 0;
stoptime = op->o_time + op->ors_tlimit;
} else {
LDAP_BACK_TV_SET( &tv );
}
i = 0;
if ( op->ors_attrs ) {
for ( ; !BER_BVISNULL( &op->ors_attrs[i].an_name ); i++ )
/* just count attrs */ ;
}
x = 0;
if ( op->o_bd->be_extra_anlist ) {
for ( ; !BER_BVISNULL( &op->o_bd->be_extra_anlist[x].an_name ); x++ )
/* just count attrs */ ;
}
if ( i > 0 || x > 0 ) {
int j = 0;
attrs = op->o_tmpalloc( ( i + x + 1 )*sizeof( char * ),
op->o_tmpmemctx );
if ( attrs == NULL ) {
rs->sr_err = LDAP_NO_MEMORY;
rc = -1;
goto finish;
}
if ( i > 0 ) {
for ( i = 0; !BER_BVISNULL( &op->ors_attrs[i].an_name ); i++, j++ ) {
attrs[ j ] = op->ors_attrs[i].an_name.bv_val;
}
}
if ( x > 0 ) {
for ( x = 0; !BER_BVISNULL( &op->o_bd->be_extra_anlist[x].an_name ); x++, j++ ) {
if ( op->o_bd->be_extra_anlist[x].an_desc &&
ad_inlist( op->o_bd->be_extra_anlist[x].an_desc, op->ors_attrs ) )
{
continue;
}
attrs[ j ] = op->o_bd->be_extra_anlist[x].an_name.bv_val;
}
}
attrs[ j ] = NULL;
}
ctrls = op->o_ctrls;
rc = ldap_back_controls_add( op, rs, lc, &ctrls );
if ( rc != LDAP_SUCCESS ) {
goto finish;
}
/* deal with <draft-zeilenga-ldap-t-f> filters */
filter = op->ors_filterstr;
retry:
/* this goes after retry because ldap_back_munge_filter()
* optionally replaces RFC 4526 T-F filters (&) (|)
* if already computed, they will be re-installed
* by filter2bv_undef_x() later */
if ( !LDAP_BACK_T_F( li ) ) {
ldap_back_munge_filter( op, &filter );
}
rs->sr_err = ldap_pvt_search( lc->lc_ld, op->o_req_dn.bv_val,
op->ors_scope, filter.bv_val,
attrs, op->ors_attrsonly, ctrls, NULL,
tv.tv_sec ? &tv : NULL,
op->ors_slimit, op->ors_deref, &msgid );
ldap_pvt_thread_mutex_lock( &li->li_counter_mutex );
ldap_pvt_mp_add( li->li_ops_completed[ SLAP_OP_SEARCH ], 1 );
ldap_pvt_thread_mutex_unlock( &li->li_counter_mutex );
if ( rs->sr_err != LDAP_SUCCESS ) {
switch ( rs->sr_err ) {
case LDAP_SERVER_DOWN:
if ( do_retry ) {
do_retry = 0;
if ( ldap_back_retry( &lc, op, rs, LDAP_BACK_DONTSEND ) ) {
goto retry;
}
}
if ( lc == NULL ) {
/* reset by ldap_back_retry ... */
rs->sr_err = slap_map_api2result( rs );
} else {
rc = ldap_back_op_result( lc, op, rs, msgid, 0, LDAP_BACK_DONTSEND );
}
goto finish;
case LDAP_FILTER_ERROR:
/* first try? */
if ( !filter_undef &&
strstr( filter.bv_val, "(?" ) &&
!LDAP_BACK_NOUNDEFFILTER( li ) )
{
BER_BVZERO( &filter );
filter2bv_undef_x( op, op->ors_filter, 1, &filter );
filter_undef = 1;
goto retry;
}
/* invalid filters return success with no data */
rs->sr_err = LDAP_SUCCESS;
rs->sr_text = NULL;
goto finish;
default:
rs->sr_err = slap_map_api2result( rs );
rs->sr_text = NULL;
goto finish;
}
}
/* if needed, initialize timeout */
if ( li->li_timeout[ SLAP_OP_SEARCH ] ) {
if ( tv.tv_sec == 0 || tv.tv_sec > li->li_timeout[ SLAP_OP_SEARCH ] ) {
tv.tv_sec = li->li_timeout[ SLAP_OP_SEARCH ];
tv.tv_usec = 0;
}
}
/* We pull apart the ber result, stuff it into a slapd entry, and
* let send_search_entry stuff it back into ber format. Slow & ugly,
* but this is necessary for version matching, and for ACL processing.
*/
for ( rc = -2; rc != -1; rc = ldap_result( lc->lc_ld, msgid, LDAP_MSG_ONE, &tv, &res ) )
{
/* check for abandon */
if ( op->o_abandon || LDAP_BACK_CONN_ABANDON( lc ) ) {
if ( rc > 0 ) {
ldap_msgfree( res );
}
(void)ldap_back_cancel( lc, op, rs, msgid, LDAP_BACK_DONTSEND );
rc = SLAPD_ABANDON;
goto finish;
}
if ( rc == 0 || rc == -2 ) {
ldap_pvt_thread_yield();
/* check timeout */
if ( li->li_timeout[ SLAP_OP_SEARCH ] ) {
if ( rc == 0 ) {
(void)ldap_back_cancel( lc, op, rs, msgid, LDAP_BACK_DONTSEND );
rs->sr_text = "Operation timed out";
rc = rs->sr_err = op->o_protocol >= LDAP_VERSION3 ?
LDAP_ADMINLIMIT_EXCEEDED : LDAP_OTHER;
goto finish;
}
} else {
LDAP_BACK_TV_SET( &tv );
}
/* check time limit */
if ( op->ors_tlimit != SLAP_NO_LIMIT
&& slap_get_time() > stoptime )
{
(void)ldap_back_cancel( lc, op, rs, msgid, LDAP_BACK_DONTSEND );
rc = rs->sr_err = LDAP_TIMELIMIT_EXCEEDED;
goto finish;
}
continue;
} else {
/* only touch when activity actually took place... */
if ( li->li_idle_timeout && lc ) {
lc->lc_time = op->o_time;
}
/* don't retry any more */
dont_retry = 1;
}
if ( rc == LDAP_RES_SEARCH_ENTRY ) {
Entry ent = { 0 };
struct berval bdn = BER_BVNULL;
do_retry = 0;
e = ldap_first_entry( lc->lc_ld, res );
rc = ldap_build_entry( op, e, &ent, &bdn );
if ( rc == LDAP_SUCCESS ) {
ldap_get_entry_controls( lc->lc_ld, res, &rs->sr_ctrls );
rs->sr_entry = &ent;
rs->sr_attrs = op->ors_attrs;
rs->sr_operational_attrs = NULL;
rs->sr_flags = 0;
rs->sr_err = LDAP_SUCCESS;
rc = rs->sr_err = send_search_entry( op, rs );
if ( rs->sr_ctrls ) {
ldap_controls_free( rs->sr_ctrls );
rs->sr_ctrls = NULL;
}
rs->sr_entry = NULL;
rs->sr_flags = 0;
if ( !BER_BVISNULL( &ent.e_name ) ) {
assert( ent.e_name.bv_val != bdn.bv_val );
op->o_tmpfree( ent.e_name.bv_val, op->o_tmpmemctx );
BER_BVZERO( &ent.e_name );
}
if ( !BER_BVISNULL( &ent.e_nname ) ) {
op->o_tmpfree( ent.e_nname.bv_val, op->o_tmpmemctx );
BER_BVZERO( &ent.e_nname );
}
entry_clean( &ent );
}
ldap_msgfree( res );
switch ( rc ) {
case LDAP_SUCCESS:
case LDAP_INSUFFICIENT_ACCESS:
break;
default:
if ( rc == LDAP_UNAVAILABLE ) {
rc = rs->sr_err = LDAP_OTHER;
} else {
(void)ldap_back_cancel( lc, op, rs, msgid, LDAP_BACK_DONTSEND );
}
goto finish;
}
} else if ( rc == LDAP_RES_SEARCH_REFERENCE ) {
if ( LDAP_BACK_NOREFS( li ) ) {
ldap_msgfree( res );
continue;
}
do_retry = 0;
rc = ldap_parse_reference( lc->lc_ld, res,
&references, &rs->sr_ctrls, 1 );
if ( rc != LDAP_SUCCESS ) {
continue;
}
/* FIXME: there MUST be at least one */
if ( references && references[ 0 ] && references[ 0 ][ 0 ] ) {
int cnt;
for ( cnt = 0; references[ cnt ]; cnt++ )
/* NO OP */ ;
/* FIXME: there MUST be at least one */
rs->sr_ref = op->o_tmpalloc( ( cnt + 1 ) * sizeof( struct berval ),
op->o_tmpmemctx );
for ( cnt = 0; references[ cnt ]; cnt++ ) {
ber_str2bv( references[ cnt ], 0, 0, &rs->sr_ref[ cnt ] );
}
BER_BVZERO( &rs->sr_ref[ cnt ] );
/* ignore return value by now */
RS_ASSERT( !(rs->sr_flags & REP_ENTRY_MASK) );
rs->sr_entry = NULL;
( void )send_search_reference( op, rs );
} else {
Debug( LDAP_DEBUG_ANY,
"%s ldap_back_search: "
"got SEARCH_REFERENCE "
"with no referrals\n",
op->o_log_prefix, 0, 0 );
}
/* cleanup */
if ( references ) {
ber_memvfree( (void **)references );
op->o_tmpfree( rs->sr_ref, op->o_tmpmemctx );
rs->sr_ref = NULL;
references = NULL;
}
if ( rs->sr_ctrls ) {
ldap_controls_free( rs->sr_ctrls );
rs->sr_ctrls = NULL;
}
} else if ( rc == LDAP_RES_INTERMEDIATE ) {
/* FIXME: response controls
* are passed without checks */
rc = ldap_parse_intermediate( lc->lc_ld,
res,
(char **)&rs->sr_rspoid,
&rs->sr_rspdata,
&rs->sr_ctrls,
0 );
if ( rc != LDAP_SUCCESS ) {
continue;
}
slap_send_ldap_intermediate( op, rs );
if ( rs->sr_rspoid != NULL ) {
ber_memfree( (char *)rs->sr_rspoid );
rs->sr_rspoid = NULL;
}
if ( rs->sr_rspdata != NULL ) {
ber_bvfree( rs->sr_rspdata );
rs->sr_rspdata = NULL;
}
if ( rs->sr_ctrls != NULL ) {
ldap_controls_free( rs->sr_ctrls );
rs->sr_ctrls = NULL;
}
} else {
char *err = NULL;
rc = ldap_parse_result( lc->lc_ld, res, &rs->sr_err,
&match.bv_val, &err,
&references, &rs->sr_ctrls, 1 );
if ( rc == LDAP_SUCCESS ) {
if ( err ) {
rs->sr_text = err;
freetext = 1;
}
} else {
rs->sr_err = rc;
}
rs->sr_err = slap_map_api2result( rs );
/* RFC 4511: referrals can only appear
* if result code is LDAP_REFERRAL */
if ( references
&& references[ 0 ]
&& references[ 0 ][ 0 ] )
{
if ( rs->sr_err != LDAP_REFERRAL ) {
Debug( LDAP_DEBUG_ANY,
"%s ldap_back_search: "
"got referrals with err=%d\n",
op->o_log_prefix,
rs->sr_err, 0 );
} else {
int cnt;
for ( cnt = 0; references[ cnt ]; cnt++ )
/* NO OP */ ;
rs->sr_ref = op->o_tmpalloc( ( cnt + 1 ) * sizeof( struct berval ),
op->o_tmpmemctx );
for ( cnt = 0; references[ cnt ]; cnt++ ) {
/* duplicating ...*/
ber_str2bv( references[ cnt ], 0, 0, &rs->sr_ref[ cnt ] );
}
BER_BVZERO( &rs->sr_ref[ cnt ] );
}
} else if ( rs->sr_err == LDAP_REFERRAL ) {
Debug( LDAP_DEBUG_ANY,
"%s ldap_back_search: "
"got err=%d with null "
"or empty referrals\n",
op->o_log_prefix,
rs->sr_err, 0 );
rs->sr_err = LDAP_NO_SUCH_OBJECT;
}
if ( match.bv_val != NULL ) {
match.bv_len = strlen( match.bv_val );
}
rc = 0;
break;
}
/* if needed, restore timeout */
if ( li->li_timeout[ SLAP_OP_SEARCH ] ) {
if ( tv.tv_sec == 0 || tv.tv_sec > li->li_timeout[ SLAP_OP_SEARCH ] ) {
tv.tv_sec = li->li_timeout[ SLAP_OP_SEARCH ];
tv.tv_usec = 0;
}
}
}
if ( rc == -1 ) {
if ( dont_retry == 0 ) {
if ( do_retry ) {
do_retry = 0;
if ( ldap_back_retry( &lc, op, rs, LDAP_BACK_DONTSEND ) ) {
goto retry;
}
}
rs->sr_err = LDAP_SERVER_DOWN;
rs->sr_err = slap_map_api2result( rs );
goto finish;
} else if ( LDAP_BACK_ONERR_STOP( li ) ) {
/* if onerr == STOP */
rs->sr_err = LDAP_SERVER_DOWN;
rs->sr_err = slap_map_api2result( rs );
goto finish;
}
}
/*
* Rewrite the matched portion of the search base, if required
*/
if ( !BER_BVISNULL( &match ) && !BER_BVISEMPTY( &match ) ) {
struct berval pmatch;
if ( dnPretty( NULL, &match, &pmatch, op->o_tmpmemctx ) != LDAP_SUCCESS ) {
pmatch.bv_val = match.bv_val;
match.bv_val = NULL;
}
rs->sr_matched = pmatch.bv_val;
rs->sr_flags |= REP_MATCHED_MUSTBEFREED;
}
finish:;
if ( !BER_BVISNULL( &match ) ) {
ber_memfree( match.bv_val );
}
if ( rs->sr_v2ref ) {
rs->sr_err = LDAP_REFERRAL;
}
if ( LDAP_BACK_QUARANTINE( li ) ) {
ldap_back_quarantine( op, rs );
}
if ( filter.bv_val != op->ors_filterstr.bv_val ) {
op->o_tmpfree( filter.bv_val, op->o_tmpmemctx );
}
#if 0
/* let send_ldap_result play cleanup handlers (ITS#4645) */
if ( rc != SLAPD_ABANDON )
#endif
{
send_ldap_result( op, rs );
}
(void)ldap_back_controls_free( op, rs, &ctrls );
if ( rs->sr_ctrls ) {
ldap_controls_free( rs->sr_ctrls );
rs->sr_ctrls = NULL;
}
if ( rs->sr_text ) {
if ( freetext ) {
ber_memfree( (char *)rs->sr_text );
}
rs->sr_text = NULL;
}
if ( rs->sr_ref ) {
op->o_tmpfree( rs->sr_ref, op->o_tmpmemctx );
rs->sr_ref = NULL;
}
if ( references ) {
ber_memvfree( (void **)references );
}
if ( attrs ) {
op->o_tmpfree( attrs, op->o_tmpmemctx );
}
if ( lc != NULL ) {
ldap_back_release_conn( li, lc );
}
return rs->sr_err;
}
int
main( int argc, char **argv )
{
LDAP *ld;
LDAPMessage *result, *e;
BerElement *ber;
char *a, *dn;
char **vals;
int i;
int rc;
int finished;
int msgid;
int num_entries = 0;
int version = LDAP_VERSION3;
LDAPControl *ctrls[2], *psctrl, **ectrls;
/* arrange to use LDAP version 3 */
if ( ldap_set_option( NULL, LDAP_OPT_PROTOCOL_VERSION, &version ) != 0 ) {
perror( "ldap_set_option" );
return( 1 );
}
/* get a handle to an LDAP connection */
if ( (ld = ldap_init( MY_HOST, MY_PORT )) == NULL ) {
perror( "ldap_init" );
return( 1 );
}
/* authenticate to the directory as nobody */
if ( ldap_simple_bind_s( ld, NULL, NULL ) != LDAP_SUCCESS ) {
ldap_perror( ld, "ldap_simple_bind_s" );
ldap_unbind( ld );
return( 1 );
}
/* construct the Persistent Search control */
if ( ldap_create_persistentsearch_control( ld, LDAP_CHANGETYPE_ANY,
1 /* changesOnly */, 1 /* request entry change controls */,
1 /* critical */, &psctrl ) != LDAP_SUCCESS ) {
ldap_perror( ld, "ldap_create_persistentsearch_control" );
ldap_unbind( ld );
return( 1 );
}
ctrls[0] = psctrl;
ctrls[1] = NULL;
/* issue a persistent search for all entries with surname of Jensen */
if ( LDAP_SUCCESS != ldap_search_ext( ld, MY_SEARCHBASE,
LDAP_SCOPE_SUBTREE, MY_FILTER, NULL /* all attrs */,
0 /* get attrs and values */, ctrls, NULL /* no client ctrls */,
NULL /* no timeout */, 0 /* no sizelimit */, &msgid )) {
ldap_perror( ld, "ldap_search_ext" );
ldap_unbind( ld );
return( 1 );
}
ldap_control_free( psctrl ); /* no longer needed */
/*
* Loop, polling for results until finished.
* Since this is a persistent search, this loop won't end until the
* server shuts down or we lose the connection for some other reason.
* We could abandon the persistent search or close the connection of
* course, but we don't in this example.
*/
finished = 0;
while ( !finished ) {
/*
* Poll for results. We call ldap_result with the "all" argument
* set to LDAP_MSG_ONE. This causes ldap_result() to return exactly one
* entry if at least one entry is available. This allows us to
* display the entries as they are received.
*/
result = NULL;
rc = ldap_result( ld, msgid, LDAP_MSG_ONE, NULL /* no timeout */, &result );
switch ( rc ) {
case -1:
/* some error occurred */
ldap_perror( ld, "ldap_result" );
ldap_unbind( ld );
return( 1 );
case 0:
/* Timeout was exceeded. No entries are ready for retrieval. */
if ( result != NULL ) {
ldap_msgfree( result );
}
break;
default:
/*
* Either an entry is ready for retrieval, or all entries have
* been retrieved.
*/
if (( e = ldap_first_entry( ld, result )) == NULL ) {
/* All done */
finished = 1;
if ( result != NULL ) {
ldap_msgfree( result );
}
continue;
}
num_entries++;
/* for each entry print out name */
if (( dn = ldap_get_dn( ld, e )) != NULL ) {
printf( "dn: %s\n", dn );
ldap_memfree( dn );
}
/* print entry change info. if it was returned */
if ( LDAP_SUCCESS == ldap_get_entry_controls( ld, e, &ectrls )) {
int chgnumpresent;
ber_int_t chgtype;
ber_int_t chgnum;
char *prevdn;
if ( LDAP_SUCCESS == ldap_parse_entrychange_control( ld,
ectrls, &chgtype, &prevdn, &chgnumpresent, &chgnum )) {
printf( "changeType: %s\n",
changetype_num2string( chgtype ));
if ( prevdn != NULL ) {
printf( "previousDN: %s\n", prevdn );
ldap_memfree( prevdn );
}
if ( chgnumpresent ) {
printf( "changeNumber: %d\n", chgnum );
}
ldap_controls_free( ectrls );
}
}
/* print out all attrs and values */
for ( a = ldap_first_attribute( ld, e, &ber );
a != NULL; a = ldap_next_attribute( ld, e, ber ) ) {
if (( vals = ldap_get_values( ld, e, a )) != NULL ) {
for ( i = 0; vals[ i ] != NULL; i++ ) {
printf( "%s: %s\n", a, vals[ i ] );
}
ldap_value_free( vals );
}
ldap_memfree( a );
}
if ( ber != NULL ) {
ber_free( ber, 0 );
}
printf( "\n" );
ldap_msgfree( result );
}
}
/* All done. Print a summary. */
printf( "%d entries retrieved.\n", num_entries );
ldap_unbind( ld );
return( 0 );
}
