static int
objectClassMatch(
int *matchp,
slap_mask_t flags,
Syntax *syntax,
MatchingRule *mr,
struct berval *value,
void *assertedValue )
{
struct berval *a = (struct berval *) assertedValue;
ObjectClass *oc = oc_bvfind( value );
ObjectClass *asserted = oc_bvfind( a );
if( asserted == NULL ) {
if( OID_LEADCHAR( *a->bv_val ) ) {
/* OID form, return FALSE */
*matchp = 1;
return LDAP_SUCCESS;
}
/* desc form, return undefined */
return LDAP_INVALID_SYNTAX;
}
if ( oc == NULL ) {
/* unrecognized stored value */
return LDAP_INVALID_SYNTAX;
}
*matchp = ( asserted != oc );
return LDAP_SUCCESS;
}
static int objectClassPretty(
Syntax *syntax,
struct berval *in,
struct berval *out,
void *ctx )
{
ObjectClass *oc;
if( oidValidate( NULL, in )) return LDAP_INVALID_SYNTAX;
oc = oc_bvfind( in );
if( oc == NULL ) return LDAP_INVALID_SYNTAX;
ber_dupbv_x( out, &oc->soc_cname, ctx );
return LDAP_SUCCESS;
}
static int
OpenLDAPaciValidate(
Syntax *syntax,
struct berval *val )
{
struct berval oid = BER_BVNULL,
scope = BER_BVNULL,
rights = BER_BVNULL,
type = BER_BVNULL,
subject = BER_BVNULL;
int idx;
int rc;
if ( BER_BVISEMPTY( val ) ) {
Debug( LDAP_DEBUG_ACL, "aciValidatet: value is empty\n" );
return LDAP_INVALID_SYNTAX;
}
/* oid */
if ( acl_get_part( val, 0, '#', &oid ) < 0 ||
numericoidValidate( NULL, &oid ) != LDAP_SUCCESS )
{
/* NOTE: the numericoidValidate() is rather pedantic;
* I'd replace it with X-ORDERED VALUES so that
* it's guaranteed values are maintained and used
* in the desired order */
Debug( LDAP_DEBUG_ACL, "aciValidate: invalid oid '%s'\n", oid.bv_val );
return LDAP_INVALID_SYNTAX;
}
/* scope */
if ( acl_get_part( val, 1, '#', &scope ) < 0 ||
bv_getcaseidx( &scope, OpenLDAPaciscopes ) == -1 )
{
Debug( LDAP_DEBUG_ACL, "aciValidate: invalid scope '%s'\n", scope.bv_val );
return LDAP_INVALID_SYNTAX;
}
/* rights */
if ( acl_get_part( val, 2, '#', &rights ) < 0 ||
OpenLDAPaciValidateRights( &rights ) != LDAP_SUCCESS )
{
return LDAP_INVALID_SYNTAX;
}
/* type */
if ( acl_get_part( val, 3, '#', &type ) < 0 ) {
Debug( LDAP_DEBUG_ACL, "aciValidate: missing type in '%s'\n", val->bv_val );
return LDAP_INVALID_SYNTAX;
}
idx = bv_getcaseidx( &type, OpenLDAPacitypes );
if ( idx == -1 ) {
struct berval isgr;
if ( acl_get_part( &type, 0, '/', &isgr ) < 0 ) {
Debug( LDAP_DEBUG_ACL, "aciValidate: invalid type '%s'\n", type.bv_val );
return LDAP_INVALID_SYNTAX;
}
idx = bv_getcaseidx( &isgr, OpenLDAPacitypes );
if ( idx == -1 || idx >= LAST_OPTIONAL ) {
Debug( LDAP_DEBUG_ACL, "aciValidate: invalid type '%s'\n", isgr.bv_val );
return LDAP_INVALID_SYNTAX;
}
}
/* subject */
bv_get_tail( val, &type, &subject );
if ( subject.bv_val[ 0 ] != '#' ) {
Debug( LDAP_DEBUG_ACL, "aciValidate: missing subject in '%s'\n", val->bv_val );
return LDAP_INVALID_SYNTAX;
}
if ( idx >= LAST_DNVALUED ) {
if ( OpenLDAPacitypes[ idx ] == &aci_bv[ ACI_BV_DNATTR ] ) {
AttributeDescription *ad = NULL;
const char *text = NULL;
rc = slap_bv2ad( &subject, &ad, &text );
if ( rc != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_ACL, "aciValidate: unknown dn attribute '%s'\n", subject.bv_val );
return LDAP_INVALID_SYNTAX;
}
if ( ad->ad_type->sat_syntax != slap_schema.si_syn_distinguishedName ) {
/* FIXME: allow nameAndOptionalUID? */
Debug( LDAP_DEBUG_ACL, "aciValidate: wrong syntax for dn attribute '%s'\n", subject.bv_val );
return LDAP_INVALID_SYNTAX;
}
}
/* not a DN */
return LDAP_SUCCESS;
} else if ( OpenLDAPacitypes[ idx ] == &aci_bv[ ACI_BV_GROUP ]
|| OpenLDAPacitypes[ idx ] == &aci_bv[ ACI_BV_ROLE ] )
{
/* do {group|role}/oc/at check */
struct berval ocbv = BER_BVNULL,
atbv = BER_BVNULL;
ocbv.bv_val = ber_bvchr( &type, '/' );
if ( ocbv.bv_val != NULL ) {
ocbv.bv_val++;
ocbv.bv_len = type.bv_len
- ( ocbv.bv_val - type.bv_val );
atbv.bv_val = ber_bvchr( &ocbv, '/' );
if ( atbv.bv_val != NULL ) {
AttributeDescription *ad = NULL;
const char *text = NULL;
int rc;
atbv.bv_val++;
atbv.bv_len = type.bv_len
- ( atbv.bv_val - type.bv_val );
ocbv.bv_len = atbv.bv_val - ocbv.bv_val - 1;
rc = slap_bv2ad( &atbv, &ad, &text );
if ( rc != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_ACL, "aciValidate: unknown group attribute '%s'\n", atbv.bv_val );
return LDAP_INVALID_SYNTAX;
}
}
if ( oc_bvfind( &ocbv ) == NULL ) {
Debug( LDAP_DEBUG_ACL, "aciValidate: unknown group '%s'\n", ocbv.bv_val );
return LDAP_INVALID_SYNTAX;
}
}
}
if ( BER_BVISEMPTY( &subject ) ) {
/* empty DN invalid */
Debug( LDAP_DEBUG_ACL, "aciValidate: missing dn in '%s'\n", val->bv_val );
return LDAP_INVALID_SYNTAX;
}
subject.bv_val++;
subject.bv_len--;
/* FIXME: pass DN syntax? */
rc = dnValidate( NULL, &subject );
if ( rc != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_ACL, "aciValidate: invalid dn '%s'\n", subject.bv_val );
}
return rc;
}
static int
ndb_oc_list( struct ndb_info *ni, const NdbDictionary::Dictionary *myDict,
struct berval *oname, int implied, NdbOcs *out )
{
const NdbDictionary::Table *myTable;
NdbOcInfo *oci, octmp;
ObjectClass *oc;
int i, rc;
/* shortcut top */
if ( ber_bvstrcasecmp( oname, &slap_schema.si_oc_top->soc_cname )) {
octmp.no_name = *oname;
oci = (NdbOcInfo *)avl_find( ni->ni_oc_tree, &octmp, ndb_name_cmp );
if ( oci ) {
oc = oci->no_oc;
} else {
oc = oc_bvfind( oname );
if ( !oc ) {
/* undefined - shouldn't happen */
return LDAP_INVALID_SYNTAX;
}
}
if ( oc->soc_sups ) {
int i;
for ( i=0; oc->soc_sups[i]; i++ ) {
rc = ndb_oc_list( ni, myDict, &oc->soc_sups[i]->soc_cname, 1, out );
if ( rc ) return rc;
}
}
} else {
oc = slap_schema.si_oc_top;
}
/* Only insert once */
for ( i=0; i<out->no_ntext; i++ )
if ( out->no_text[i].bv_val == oc->soc_cname.bv_val )
break;
if ( i == out->no_ntext ) {
for ( i=0; i<out->no_nitext; i++ )
if ( out->no_itext[i].bv_val == oc->soc_cname.bv_val )
break;
if ( i == out->no_nitext ) {
if ( implied )
out->no_itext[out->no_nitext++] = oc->soc_cname;
else
out->no_text[out->no_ntext++] = oc->soc_cname;
}
}
/* ignore top, etc... */
if ( oc->soc_kind == LDAP_SCHEMA_ABSTRACT )
return 0;
if ( !oci ) {
ldap_pvt_thread_rdwr_runlock( &ni->ni_oc_rwlock );
oci = (NdbOcInfo *)ch_malloc( sizeof( NdbOcInfo )+oc->soc_cname.bv_len+1 );
oci->no_table.bv_val = (char *)(oci+1);
strcpy( oci->no_table.bv_val, oc->soc_cname.bv_val );
oci->no_table.bv_len = oc->soc_cname.bv_len;
oci->no_name = oci->no_table;
oci->no_oc = oc;
oci->no_flag = 0;
oci->no_nsets = 0;
oci->no_nattrs = 0;
ldap_pvt_thread_rdwr_wlock( &ni->ni_oc_rwlock );
if ( avl_insert( &ni->ni_oc_tree, oci, ndb_name_cmp, ndb_oc_dup_err )) {
octmp.no_oc = oci->no_oc;
ch_free( oci );
oci = (NdbOcInfo *)octmp.no_oc;
}
/* see if the oc table already exists in the DB */
myTable = myDict->getTable( oci->no_table.bv_val );
rc = ndb_oc_create( ni, oci, myTable == NULL );
ldap_pvt_thread_rdwr_wunlock( &ni->ni_oc_rwlock );
ldap_pvt_thread_rdwr_rlock( &ni->ni_oc_rwlock );
if ( rc ) return rc;
}
/* Only insert once */
for ( i=0; i<out->no_ninfo; i++ )
if ( out->no_info[i] == oci )
break;
if ( i == out->no_ninfo )
out->no_info[out->no_ninfo++] = oci;
return 0;
}
/* Read table definitions from the DB and populate ObjectClassInfo */
extern "C" int
ndb_oc_read( struct ndb_info *ni, const NdbDictionary::Dictionary *myDict )
{
const NdbDictionary::Table *myTable;
const NdbDictionary::Column *myCol;
NdbOcInfo *oci, octmp;
NdbAttrInfo *ai;
ObjectClass *oc;
NdbDictionary::Dictionary::List myList;
struct berval bv;
int i, j, rc, col;
rc = myDict->listObjects( myList, NdbDictionary::Object::UserTable );
/* Populate our objectClass structures */
for ( i=0; i<myList.count; i++ ) {
/* Ignore other DBs */
if ( strcmp( myList.elements[i].database, ni->ni_dbname ))
continue;
/* Ignore internal tables */
if ( !strncmp( myList.elements[i].name, "OL_", 3 ))
continue;
ber_str2bv( myList.elements[i].name, 0, 0, &octmp.no_name );
oci = (NdbOcInfo *)avl_find( ni->ni_oc_tree, &octmp, ndb_name_cmp );
if ( oci )
continue;
oc = oc_bvfind( &octmp.no_name );
if ( !oc ) {
/* undefined - shouldn't happen */
continue;
}
myTable = myDict->getTable( myList.elements[i].name );
oci = (NdbOcInfo *)ch_malloc( sizeof( NdbOcInfo )+oc->soc_cname.bv_len+1 );
oci->no_table.bv_val = (char *)(oci+1);
strcpy( oci->no_table.bv_val, oc->soc_cname.bv_val );
oci->no_table.bv_len = oc->soc_cname.bv_len;
oci->no_name = oci->no_table;
oci->no_oc = oc;
oci->no_flag = 0;
oci->no_nsets = 0;
oci->no_nattrs = 0;
col = 0;
/* Make space for all attrs, even tho sups will be dropped */
if ( oci->no_oc->soc_required ) {
for ( j=0; oci->no_oc->soc_required[j]; j++ );
col = j;
}
if ( oci->no_oc->soc_allowed ) {
for ( j=0; oci->no_oc->soc_allowed[j]; j++ );
col += j;
}
oci->no_attrs = (struct ndb_attrinfo **)ch_malloc( col * sizeof(struct ndb_attrinfo *));
avl_insert( &ni->ni_oc_tree, oci, ndb_name_cmp, avl_dup_error );
col = myTable->getNoOfColumns();
/* Skip 0 and 1, eid and vid */
for ( j = 2; j<col; j++ ) {
myCol = myTable->getColumn( j );
ber_str2bv( myCol->getName(), 0, 0, &bv );
ai = ndb_ai_get( ni, &bv );
/* shouldn't happen */
if ( !ai )
continue;
ai->na_oi = oci;
ai->na_column = j;
ai->na_len = myCol->getLength();
if ( myCol->getType() == NdbDictionary::Column::Blob )
ai->na_flag |= NDB_INFO_ATBLOB;
}
}
/* Link to any attrsets */
for ( i=0; i<myList.count; i++ ) {
/* Ignore other DBs */
if ( strcmp( myList.elements[i].database, ni->ni_dbname ))
continue;
/* Ignore internal tables */
if ( !strncmp( myList.elements[i].name, "OL_", 3 ))
continue;
ber_str2bv( myList.elements[i].name, 0, 0, &octmp.no_name );
oci = (NdbOcInfo *)avl_find( ni->ni_oc_tree, &octmp, ndb_name_cmp );
/* shouldn't happen */
if ( !oci )
continue;
col = 2;
if ( oci->no_oc->soc_required ) {
rc = ndb_ai_check( ni, oci, oci->no_oc->soc_required, NULL, &col, 0 );
}
if ( oci->no_oc->soc_allowed ) {
rc = ndb_ai_check( ni, oci, oci->no_oc->soc_allowed, NULL, &col, 0 );
}
/* shrink down to just the needed size */
oci->no_attrs = (struct ndb_attrinfo **)ch_realloc( oci->no_attrs,
oci->no_nattrs * sizeof(struct ndb_attrinfo *));
}
return 0;
}
int
rwm_map_config(
struct ldapmap *oc_map,
struct ldapmap *at_map,
const char *fname,
int lineno,
int argc,
char **argv )
{
struct ldapmap *map;
struct ldapmapping *mapping;
char *src, *dst;
int is_oc = 0;
int rc = 0;
if ( argc < 3 || argc > 4 ) {
Debug( LDAP_DEBUG_ANY,
"%s: line %d: syntax is \"map {objectclass | attribute} [<local> | *] {<foreign> | *}\"\n",
fname, lineno, 0 );
return 1;
}
if ( strcasecmp( argv[1], "objectclass" ) == 0 ) {
map = oc_map;
is_oc = 1;
} else if ( strcasecmp( argv[1], "attribute" ) == 0 ) {
map = at_map;
} else {
Debug( LDAP_DEBUG_ANY, "%s: line %d: syntax is "
"\"map {objectclass | attribute} [<local> | *] "
"{<foreign> | *}\"\n",
fname, lineno, 0 );
return 1;
}
if ( !is_oc && map->map == NULL ) {
/* only init if required */
if ( rwm_map_init( map, &mapping ) != LDAP_SUCCESS ) {
return 1;
}
}
if ( strcmp( argv[2], "*" ) == 0 ) {
if ( argc < 4 || strcmp( argv[3], "*" ) == 0 ) {
map->drop_missing = ( argc < 4 );
goto success_return;
}
src = dst = argv[3];
} else if ( argc < 4 ) {
src = "";
dst = argv[2];
} else {
src = argv[2];
dst = ( strcmp( argv[3], "*" ) == 0 ? src : argv[3] );
}
if ( ( map == at_map )
&& ( strcasecmp( src, "objectclass" ) == 0
|| strcasecmp( dst, "objectclass" ) == 0 ) )
{
Debug( LDAP_DEBUG_ANY,
"%s: line %d: objectclass attribute cannot be mapped\n",
fname, lineno, 0 );
return 1;
}
mapping = (struct ldapmapping *)ch_calloc( 2,
sizeof(struct ldapmapping) );
if ( mapping == NULL ) {
Debug( LDAP_DEBUG_ANY,
"%s: line %d: out of memory\n",
fname, lineno, 0 );
return 1;
}
ber_str2bv( src, 0, 1, &mapping[0].m_src );
ber_str2bv( dst, 0, 1, &mapping[0].m_dst );
mapping[1].m_src = mapping[0].m_dst;
mapping[1].m_dst = mapping[0].m_src;
mapping[0].m_flags = RWMMAP_F_NONE;
mapping[1].m_flags = RWMMAP_F_NONE;
/*
* schema check
*/
if ( is_oc ) {
if ( src[0] != '\0' ) {
mapping[0].m_src_oc = oc_bvfind( &mapping[0].m_src );
if ( mapping[0].m_src_oc == NULL ) {
Debug( LDAP_DEBUG_ANY,
"%s: line %d: warning, source objectClass '%s' "
"should be defined in schema\n",
fname, lineno, src );
/*
* FIXME: this should become an err
*/
mapping[0].m_src_oc = ch_malloc( sizeof( ObjectClass ) );
memset( mapping[0].m_src_oc, 0, sizeof( ObjectClass ) );
mapping[0].m_src_oc->soc_cname = mapping[0].m_src;
mapping[0].m_flags |= RWMMAP_F_FREE_SRC;
}
mapping[1].m_dst_oc = mapping[0].m_src_oc;
}
mapping[0].m_dst_oc = oc_bvfind( &mapping[0].m_dst );
if ( mapping[0].m_dst_oc == NULL ) {
Debug( LDAP_DEBUG_ANY,
"%s: line %d: warning, destination objectClass '%s' "
"is not defined in schema\n",
fname, lineno, dst );
mapping[0].m_dst_oc = oc_bvfind_undef( &mapping[0].m_dst );
if ( mapping[0].m_dst_oc == NULL ) {
Debug( LDAP_DEBUG_ANY, "%s: line %d: unable to mimic destination objectClass '%s'\n",
fname, lineno, dst );
goto error_return;
}
}
mapping[1].m_src_oc = mapping[0].m_dst_oc;
mapping[0].m_flags |= RWMMAP_F_IS_OC;
mapping[1].m_flags |= RWMMAP_F_IS_OC;
} else {
int rc;
const char *text = NULL;
if ( src[0] != '\0' ) {
rc = slap_bv2ad( &mapping[0].m_src,
&mapping[0].m_src_ad, &text );
if ( rc != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_ANY,
"%s: line %d: warning, source attributeType '%s' "
"should be defined in schema\n",
fname, lineno, src );
/*
* we create a fake "proxied" ad
* and add it here.
*/
rc = slap_bv2undef_ad( &mapping[0].m_src,
&mapping[0].m_src_ad, &text,
SLAP_AD_PROXIED );
if ( rc != LDAP_SUCCESS ) {
char prefix[1024];
snprintf( prefix, sizeof(prefix),
"%s: line %d: source attributeType '%s': %d",
fname, lineno, src, rc );
Debug( LDAP_DEBUG_ANY, "%s (%s)\n",
prefix, text ? text : "null", 0 );
goto error_return;
}
}
mapping[1].m_dst_ad = mapping[0].m_src_ad;
}
rc = slap_bv2ad( &mapping[0].m_dst, &mapping[0].m_dst_ad, &text );
if ( rc != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_ANY,
"%s: line %d: warning, destination attributeType '%s' "
"is not defined in schema\n",
fname, lineno, dst );
rc = slap_bv2undef_ad( &mapping[0].m_dst,
&mapping[0].m_dst_ad, &text,
SLAP_AD_PROXIED );
if ( rc != LDAP_SUCCESS ) {
char prefix[1024];
snprintf( prefix, sizeof(prefix),
"%s: line %d: destination attributeType '%s': %d",
fname, lineno, dst, rc );
Debug( LDAP_DEBUG_ANY, "%s (%s)\n",
prefix, text ? text : "null", 0 );
goto error_return;
}
}
mapping[1].m_src_ad = mapping[0].m_dst_ad;
}
if ( ( src[0] != '\0' && avl_find( map->map, (caddr_t)mapping, rwm_mapping_cmp ) != NULL)
|| avl_find( map->remap, (caddr_t)&mapping[1], rwm_mapping_cmp ) != NULL)
{
Debug( LDAP_DEBUG_ANY,
"%s: line %d: duplicate mapping found.\n",
fname, lineno, 0 );
/* FIXME: free stuff */
goto error_return;
}
if ( src[0] != '\0' ) {
avl_insert( &map->map, (caddr_t)&mapping[0],
rwm_mapping_cmp, rwm_mapping_dup );
}
avl_insert( &map->remap, (caddr_t)&mapping[1],
rwm_mapping_cmp, rwm_mapping_dup );
success_return:;
return rc;
error_return:;
if ( mapping ) {
rwm_mapping_free( mapping );
}
return 1;
}
static int
aa_operational( Operation *op, SlapReply *rs )
{
Attribute *a, **ap;
AccessControlState acl_state = ACL_STATE_INIT;
struct berval *v;
AttributeType **atp = NULL;
ObjectClass **ocp = NULL;
#define GOT_NONE (0x0U)
#define GOT_C (0x1U)
#define GOT_CE (0x2U)
#define GOT_A (0x4U)
#define GOT_AE (0x8U)
#define GOT_ALL (GOT_C|GOT_CE|GOT_A|GOT_AE)
int got = GOT_NONE;
/* only add if requested */
if ( SLAP_OPATTRS( rs->sr_attr_flags ) ) {
got = GOT_ALL;
} else {
if ( ad_inlist( ad_allowedChildClasses, rs->sr_attrs ) ) {
got |= GOT_C;
}
if ( ad_inlist( ad_allowedChildClassesEffective, rs->sr_attrs ) ) {
got |= GOT_CE;
}
if ( ad_inlist( ad_allowedAttributes, rs->sr_attrs ) ) {
got |= GOT_A;
}
if ( ad_inlist( ad_allowedAttributesEffective, rs->sr_attrs ) ) {
got |= GOT_AE;
}
}
if ( got == GOT_NONE ) {
return SLAP_CB_CONTINUE;
}
/* shouldn't be called without an entry; please check */
assert( rs->sr_entry != NULL );
for ( ap = &rs->sr_operational_attrs; *ap != NULL; ap = &(*ap)->a_next )
/* go to last */ ;
/* see caveats; this is not guaranteed for all backends */
a = attr_find( rs->sr_entry->e_attrs, slap_schema.si_ad_objectClass );
if ( a == NULL ) {
goto do_oc;
}
/* if client has no access to objectClass attribute; don't compute */
if ( !access_allowed( op, rs->sr_entry, slap_schema.si_ad_objectClass,
NULL, ACL_READ, &acl_state ) )
{
return SLAP_CB_CONTINUE;
}
for ( v = a->a_nvals; !BER_BVISNULL( v ); v++ ) {
ObjectClass *oc = oc_bvfind( v );
assert( oc != NULL );
/* if client has no access to specific value, don't compute */
if ( !access_allowed( op, rs->sr_entry,
slap_schema.si_ad_objectClass,
&oc->soc_cname, ACL_READ, &acl_state ) )
{
continue;
}
aa_add_oc( oc, &ocp, &atp );
if ( oc->soc_sups ) {
int i;
for ( i = 0; oc->soc_sups[ i ] != NULL; i++ ) {
aa_add_oc( oc->soc_sups[ i ], &ocp, &atp );
}
}
}
ch_free( ocp );
if ( atp != NULL ) {
BerVarray bv_allowed = NULL,
bv_effective = NULL;
int i, ja = 0, je = 0;
for ( i = 0; atp[ i ] != NULL; i++ )
/* just count */ ;
if ( got & GOT_A ) {
bv_allowed = ber_memalloc( sizeof( struct berval ) * ( i + 1 ) );
}
if ( got & GOT_AE ) {
bv_effective = ber_memalloc( sizeof( struct berval ) * ( i + 1 ) );
}
for ( i = 0, ja = 0, je = 0; atp[ i ] != NULL; i++ ) {
if ( got & GOT_A ) {
ber_dupbv( &bv_allowed[ ja ], &atp[ i ]->sat_cname );
ja++;
}
if ( got & GOT_AE ) {
AttributeDescription *ad = NULL;
const char *text = NULL;
if ( slap_bv2ad( &atp[ i ]->sat_cname, &ad, &text ) ) {
/* log? */
continue;
}
if ( access_allowed( op, rs->sr_entry,
ad, NULL, ACL_WRITE, NULL ) )
{
ber_dupbv( &bv_effective[ je ], &atp[ i ]->sat_cname );
je++;
}
}
}
ch_free( atp );
if ( ( got & GOT_A ) && ja > 0 ) {
BER_BVZERO( &bv_allowed[ ja ] );
*ap = attr_alloc( ad_allowedAttributes );
(*ap)->a_vals = bv_allowed;
(*ap)->a_nvals = bv_allowed;
(*ap)->a_numvals = ja;
ap = &(*ap)->a_next;
}
if ( ( got & GOT_AE ) && je > 0 ) {
BER_BVZERO( &bv_effective[ je ] );
*ap = attr_alloc( ad_allowedAttributesEffective );
(*ap)->a_vals = bv_effective;
(*ap)->a_nvals = bv_effective;
(*ap)->a_numvals = je;
ap = &(*ap)->a_next;
}
*ap = NULL;
}
do_oc:;
if ( ( got & GOT_C ) || ( got & GOT_CE ) ) {
BerVarray bv_allowed = NULL,
bv_effective = NULL;
int i, ja = 0, je = 0;
ObjectClass *oc;
for ( oc_start( &oc ); oc != NULL; oc_next( &oc ) ) {
/* we can only add AUXILIARY objectClasses */
if ( oc->soc_kind != LDAP_SCHEMA_AUXILIARY ) {
continue;
}
i++;
}
if ( got & GOT_C ) {
bv_allowed = ber_memalloc( sizeof( struct berval ) * ( i + 1 ) );
}
if ( got & GOT_CE ) {
bv_effective = ber_memalloc( sizeof( struct berval ) * ( i + 1 ) );
}
for ( oc_start( &oc ); oc != NULL; oc_next( &oc ) ) {
/* we can only add AUXILIARY objectClasses */
if ( oc->soc_kind != LDAP_SCHEMA_AUXILIARY ) {
continue;
}
if ( got & GOT_C ) {
ber_dupbv( &bv_allowed[ ja ], &oc->soc_cname );
ja++;
}
if ( got & GOT_CE ) {
if ( !access_allowed( op, rs->sr_entry,
slap_schema.si_ad_objectClass,
&oc->soc_cname, ACL_WRITE, NULL ) )
{
goto done_ce;
}
if ( oc->soc_required ) {
for ( i = 0; oc->soc_required[ i ] != NULL; i++ ) {
AttributeDescription *ad = NULL;
const char *text = NULL;
if ( slap_bv2ad( &oc->soc_required[ i ]->sat_cname, &ad, &text ) ) {
/* log? */
continue;
}
if ( !access_allowed( op, rs->sr_entry,
ad, NULL, ACL_WRITE, NULL ) )
{
goto done_ce;
}
}
}
ber_dupbv( &bv_effective[ je ], &oc->soc_cname );
je++;
}
done_ce:;
}
if ( ( got & GOT_C ) && ja > 0 ) {
BER_BVZERO( &bv_allowed[ ja ] );
*ap = attr_alloc( ad_allowedChildClasses );
(*ap)->a_vals = bv_allowed;
(*ap)->a_nvals = bv_allowed;
(*ap)->a_numvals = ja;
ap = &(*ap)->a_next;
}
if ( ( got & GOT_CE ) && je > 0 ) {
BER_BVZERO( &bv_effective[ je ] );
*ap = attr_alloc( ad_allowedChildClassesEffective );
(*ap)->a_vals = bv_effective;
(*ap)->a_nvals = bv_effective;
(*ap)->a_numvals = je;
ap = &(*ap)->a_next;
}
*ap = NULL;
}
return SLAP_CB_CONTINUE;
}
int
limits_parse(
Backend *be,
const char *fname,
int lineno,
int argc,
char **argv
)
{
int flags = SLAP_LIMITS_UNDEFINED;
char *pattern;
struct slap_limits_set limit;
int i, rc = 0;
ObjectClass *group_oc = NULL;
AttributeDescription *group_ad = NULL;
assert( be != NULL );
if ( argc < 3 ) {
Debug( LDAP_DEBUG_ANY,
"%s : line %d: missing arg(s) in "
"\"limits <pattern> <limits>\" line.\n%s",
fname, lineno, "" );
return( -1 );
}
limit = be->be_def_limit;
/*
* syntax:
*
* "limits" <pattern> <limit> [ ... ]
*
*
* <pattern>:
*
* "anonymous"
* "users"
* [ "dn" [ "." { "this" | "self" } ] [ "." { "exact" | "base" |
* "onelevel" | "subtree" | "children" | "regex" | "anonymous" } ]
* "=" ] <dn pattern>
*
* Note:
* "this" is the baseobject, "self" (the default) is the bound DN
* "exact" and "base" are the same (exact match);
* "onelevel" means exactly one rdn below, NOT including pattern
* "subtree" means any rdn below, including pattern
* "children" means any rdn below, NOT including pattern
*
* "anonymous" may be deprecated in favour
* of the pattern = "anonymous" form
*
* "group[/objectClass[/attributeType]]" "=" "<dn pattern>"
*
* <limit>:
*
* "time" [ "." { "soft" | "hard" } ] "=" <integer>
*
* "size" [ "." { "soft" | "hard" | "unchecked" } ] "=" <integer>
*/
pattern = argv[1];
if ( strcmp( pattern, "*" ) == 0) {
flags = SLAP_LIMITS_ANY;
} else if ( strcasecmp( pattern, "anonymous" ) == 0 ) {
flags = SLAP_LIMITS_ANONYMOUS;
} else if ( strcasecmp( pattern, "users" ) == 0 ) {
flags = SLAP_LIMITS_USERS;
} else if ( STRSTART( pattern, "dn" ) ) {
pattern += STRLENOF( "dn" );
flags = SLAP_LIMITS_TYPE_SELF;
if ( pattern[0] == '.' ) {
pattern++;
if ( STRSTART( pattern, "this" ) ) {
flags = SLAP_LIMITS_TYPE_THIS;
pattern += STRLENOF( "this" );
} else if ( STRSTART( pattern, "self" ) ) {
pattern += STRLENOF( "self" );
} else {
goto got_dn_dot;
}
}
if ( pattern[0] == '.' ) {
pattern++;
got_dn_dot:
if ( STRSTART( pattern, "exact" ) ) {
flags |= SLAP_LIMITS_EXACT;
pattern += STRLENOF( "exact" );
} else if ( STRSTART( pattern, "base" ) ) {
flags |= SLAP_LIMITS_BASE;
pattern += STRLENOF( "base" );
} else if ( STRSTART( pattern, "one" ) ) {
flags |= SLAP_LIMITS_ONE;
pattern += STRLENOF( "one" );
if ( STRSTART( pattern, "level" ) ) {
pattern += STRLENOF( "level" );
} else {
Debug( LDAP_DEBUG_ANY,
"%s : line %d: deprecated \"one\" style "
"\"limits <pattern> <limits>\" line; "
"use \"onelevel\" instead.\n", fname, lineno, 0 );
}
} else if ( STRSTART( pattern, "sub" ) ) {
flags |= SLAP_LIMITS_SUBTREE;
pattern += STRLENOF( "sub" );
if ( STRSTART( pattern, "tree" ) ) {
pattern += STRLENOF( "tree" );
} else {
Debug( LDAP_DEBUG_ANY,
"%s : line %d: deprecated \"sub\" style "
"\"limits <pattern> <limits>\" line; "
"use \"subtree\" instead.\n", fname, lineno, 0 );
}
} else if ( STRSTART( pattern, "children" ) ) {
flags |= SLAP_LIMITS_CHILDREN;
pattern += STRLENOF( "children" );
} else if ( STRSTART( pattern, "regex" ) ) {
flags |= SLAP_LIMITS_REGEX;
pattern += STRLENOF( "regex" );
/*
* this could be deprecated in favour
* of the pattern = "anonymous" form
*/
} else if ( STRSTART( pattern, "anonymous" )
&& flags == SLAP_LIMITS_TYPE_SELF )
{
flags = SLAP_LIMITS_ANONYMOUS;
pattern = NULL;
} else {
/* force error below */
if ( *pattern == '=' )
--pattern;
}
}
/* pre-check the data */
if ( pattern != NULL ) {
if ( pattern[0] != '=' ) {
Debug( LDAP_DEBUG_ANY,
"%s : line %d: %s in "
"\"dn[.{this|self}][.{exact|base"
"|onelevel|subtree|children|regex"
"|anonymous}]=<pattern>\" in "
"\"limits <pattern> <limits>\" line.\n",
fname, lineno,
isalnum( (unsigned char)pattern[0] )
? "unknown DN modifier" : "missing '='" );
return( -1 );
}
/* skip '=' (required) */
pattern++;
/* trim obvious cases */
if ( strcmp( pattern, "*" ) == 0 ) {
flags = SLAP_LIMITS_ANY;
pattern = NULL;
} else if ( (flags & SLAP_LIMITS_MASK) == SLAP_LIMITS_REGEX
&& strcmp( pattern, ".*" ) == 0 ) {
flags = SLAP_LIMITS_ANY;
pattern = NULL;
}
}
} else if (STRSTART( pattern, "group" ) ) {
pattern += STRLENOF( "group" );
if ( pattern[0] == '/' ) {
struct berval oc, ad;
oc.bv_val = pattern + 1;
pattern = strchr( pattern, '=' );
if ( pattern == NULL ) {
return -1;
}
ad.bv_val = strchr( oc.bv_val, '/' );
if ( ad.bv_val != NULL ) {
const char *text = NULL;
oc.bv_len = ad.bv_val - oc.bv_val;
ad.bv_val++;
ad.bv_len = pattern - ad.bv_val;
rc = slap_bv2ad( &ad, &group_ad, &text );
if ( rc != LDAP_SUCCESS ) {
goto no_ad;
}
} else {
oc.bv_len = pattern - oc.bv_val;
}
group_oc = oc_bvfind( &oc );
if ( group_oc == NULL ) {
goto no_oc;
}
}
if ( group_oc == NULL ) {
group_oc = oc_find( SLAPD_GROUP_CLASS );
if ( group_oc == NULL ) {
no_oc:;
return( -1 );
}
}
if ( group_ad == NULL ) {
const char *text = NULL;
rc = slap_str2ad( SLAPD_GROUP_ATTR, &group_ad, &text );
if ( rc != LDAP_SUCCESS ) {
no_ad:;
return( -1 );
}
}
flags = SLAP_LIMITS_TYPE_GROUP | SLAP_LIMITS_EXACT;
if ( pattern[0] != '=' ) {
Debug( LDAP_DEBUG_ANY,
"%s : line %d: missing '=' in "
"\"group[/objectClass[/attributeType]]"
"=<pattern>\" in "
"\"limits <pattern> <limits>\" line.\n",
fname, lineno, 0 );
return( -1 );
}
/* skip '=' (required) */
pattern++;
}
/* get the limits */
for ( i = 2; i < argc; i++ ) {
if ( limits_parse_one( argv[i], &limit ) ) {
Debug( LDAP_DEBUG_ANY,
"%s : line %d: unknown limit values \"%s\" in "
"\"limits <pattern> <limits>\" line.\n",
fname, lineno, argv[i] );
return( 1 );
}
}
/*
* sanity checks ...
*
* FIXME: add warnings?
*/
if ( limit.lms_t_hard > 0 &&
( limit.lms_t_hard < limit.lms_t_soft
|| limit.lms_t_soft == -1 ) ) {
limit.lms_t_hard = limit.lms_t_soft;
}
if ( limit.lms_s_hard > 0 &&
( limit.lms_s_hard < limit.lms_s_soft
|| limit.lms_s_soft == -1 ) ) {
limit.lms_s_hard = limit.lms_s_soft;
}
/*
* defaults ...
*
* lms_t_hard:
* -1 => no limits
* 0 => same as soft
* > 0 => limit (in seconds)
*
* lms_s_hard:
* -1 => no limits
* 0 0> same as soft
* > 0 => limit (in entries)
*
* lms_s_pr_total:
* -2 => disable the control
* -1 => no limits
* 0 => same as soft
* > 0 => limit (in entries)
*
* lms_s_pr:
* -1 => no limits
* 0 => no limits?
* > 0 => limit size (in entries)
*/
if ( limit.lms_s_pr_total > 0 &&
limit.lms_s_pr > limit.lms_s_pr_total ) {
limit.lms_s_pr = limit.lms_s_pr_total;
}
rc = limits_add( be, flags, pattern, group_oc, group_ad, &limit );
if ( rc ) {
Debug( LDAP_DEBUG_ANY,
"%s : line %d: unable to add limit in "
"\"limits <pattern> <limits>\" line.\n",
fname, lineno, 0 );
}
return( rc );
}
int is_entry_objectclass(
Entry* e,
ObjectClass *oc,
unsigned flags )
{
/*
* set_flags should only be true if oc is one of operational
* object classes which we support objectClass flags for
* (e.g., referral, alias, ...). See <slap.h>.
*/
Attribute *attr;
struct berval *bv;
assert( !( e == NULL || oc == NULL ) );
assert( ( flags & SLAP_OCF_MASK ) != SLAP_OCF_MASK );
if ( e == NULL || oc == NULL ) {
return 0;
}
if ( flags == SLAP_OCF_SET_FLAGS && ( e->e_ocflags & SLAP_OC__END ) )
{
/* flags are set, use them */
return (e->e_ocflags & oc->soc_flags & SLAP_OC__MASK) != 0;
}
/*
* find objectClass attribute
*/
attr = attr_find( e->e_attrs, slap_schema.si_ad_objectClass );
if ( attr == NULL ) {
/* no objectClass attribute */
Debug( LDAP_DEBUG_ANY, "is_entry_objectclass(\"%s\", \"%s\") "
"no objectClass attribute\n",
e->e_dn == NULL ? "" : e->e_dn,
oc->soc_oclass.oc_oid );
/* mark flags as set */
e->e_ocflags |= SLAP_OC__END;
return 0;
}
for ( bv = attr->a_vals; bv->bv_val; bv++ ) {
ObjectClass *objectClass = oc_bvfind( bv );
if ( objectClass == NULL ) {
/* FIXME: is this acceptable? */
continue;
}
if ( !( flags & SLAP_OCF_SET_FLAGS ) ) {
if ( objectClass == oc ) {
return 1;
}
if ( ( flags & SLAP_OCF_CHECK_SUP )
&& is_object_subclass( oc, objectClass ) )
{
return 1;
}
}
e->e_ocflags |= objectClass->soc_flags;
}
/* mark flags as set */
e->e_ocflags |= SLAP_OC__END;
return ( e->e_ocflags & oc->soc_flags & SLAP_OC__MASK ) != 0;
}
/*
* Determine the structural object class from a set of OIDs
*/
int structural_class(
BerVarray ocs,
ObjectClass **scp,
ObjectClass ***socsp,
const char **text,
char *textbuf, size_t textlen,
void *ctx )
{
int i, nocs;
ObjectClass *oc, **socs;
ObjectClass *sc = NULL;
int scn = -1;
*text = "structural_class: internal error";
/* count them */
for( i=0; ocs[i].bv_val; i++ ) ;
nocs = i;
socs = slap_sl_malloc( (nocs+1) * sizeof(ObjectClass *), ctx );
for( i=0; ocs[i].bv_val; i++ ) {
socs[i] = oc_bvfind( &ocs[i] );
if( socs[i] == NULL ) {
snprintf( textbuf, textlen,
"unrecognized objectClass '%s'",
ocs[i].bv_val );
*text = textbuf;
goto fail;
}
}
socs[i] = NULL;
for( i=0; ocs[i].bv_val; i++ ) {
oc = socs[i];
if( oc->soc_kind == LDAP_SCHEMA_STRUCTURAL ) {
if( sc == NULL || is_object_subclass( sc, oc ) ) {
sc = oc;
scn = i;
} else if ( !is_object_subclass( oc, sc ) ) {
int j;
ObjectClass *xc = NULL;
/* find common superior */
for( j=i+1; ocs[j].bv_val; j++ ) {
xc = socs[j];
if( xc == NULL ) {
snprintf( textbuf, textlen,
"unrecognized objectClass '%s'",
ocs[j].bv_val );
*text = textbuf;
goto fail;
}
if( xc->soc_kind != LDAP_SCHEMA_STRUCTURAL ) {
xc = NULL;
continue;
}
if( is_object_subclass( sc, xc ) &&
is_object_subclass( oc, xc ) )
{
/* found common subclass */
break;
}
xc = NULL;
}
if( xc == NULL ) {
/* no common subclass */
snprintf( textbuf, textlen,
"invalid structural object class chain (%s/%s)",
ocs[scn].bv_val, ocs[i].bv_val );
*text = textbuf;
goto fail;
}
}
}
}
if( scp ) {
*scp = sc;
}
if( sc == NULL ) {
*text = "no structural object class provided";
goto fail;
}
if( scn < 0 ) {
*text = "invalid structural object class";
goto fail;
}
if ( socsp ) {
*socsp = socs;
} else {
slap_sl_free( socs, ctx );
}
*text = NULL;
return LDAP_SUCCESS;
fail:
slap_sl_free( socs, ctx );
return LDAP_OBJECT_CLASS_VIOLATION;
}
int
entry_schema_check(
Operation *op,
Entry *e,
Attribute *oldattrs,
int manage,
int add,
Attribute **socp,
const char** text,
char *textbuf, size_t textlen )
{
Attribute *a, *asc = NULL, *aoc = NULL;
ObjectClass *sc, *oc, **socs = NULL;
AttributeType *at;
ContentRule *cr;
int rc, i;
AttributeDescription *ad_structuralObjectClass
= slap_schema.si_ad_structuralObjectClass;
AttributeDescription *ad_objectClass
= slap_schema.si_ad_objectClass;
int extensible = 0;
int subentry = is_entry_subentry( e );
int collectiveSubentry = 0;
if ( SLAP_NO_SCHEMA_CHECK( op->o_bd )) {
return LDAP_SUCCESS;
}
if ( get_no_schema_check( op ) ) {
return LDAP_SUCCESS;
}
if( subentry ) {
collectiveSubentry = is_entry_collectiveAttributeSubentry( e );
}
*text = textbuf;
/* misc attribute checks */
for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
const char *type = a->a_desc->ad_cname.bv_val;
/* there should be at least one value */
assert( a->a_vals != NULL );
assert( a->a_vals[0].bv_val != NULL );
if( a->a_desc->ad_type->sat_check ) {
rc = (a->a_desc->ad_type->sat_check)(
op->o_bd, e, a, text, textbuf, textlen );
if( rc != LDAP_SUCCESS ) {
return rc;
}
}
if( a->a_desc == ad_structuralObjectClass )
asc = a;
else if ( a->a_desc == ad_objectClass )
aoc = a;
if( !collectiveSubentry && is_at_collective( a->a_desc->ad_type ) ) {
snprintf( textbuf, textlen,
"'%s' can only appear in collectiveAttributeSubentry",
type );
return LDAP_OBJECT_CLASS_VIOLATION;
}
/* if single value type, check for multiple values */
if( is_at_single_value( a->a_desc->ad_type ) &&
a->a_vals[1].bv_val != NULL )
{
Debug(LDAP_DEBUG_ANY,
"Entry (%s), attribute '%s' cannot have multiple values\n",
e->e_dn, type );
return LDAP_CONSTRAINT_VIOLATION;
}
}
/* check the object class attribute */
if ( aoc == NULL ) {
Debug( LDAP_DEBUG_ANY, "No objectClass for entry (%s)\n",
e->e_dn );
*text = "no objectClass attribute";
return LDAP_OBJECT_CLASS_VIOLATION;
}
assert( aoc->a_vals != NULL );
assert( aoc->a_vals[0].bv_val != NULL );
/* check the structural object class attribute */
if ( asc == NULL && !add ) {
Debug( LDAP_DEBUG_ANY,
"No structuralObjectClass for entry (%s)\n",
e->e_dn );
*text = "no structuralObjectClass operational attribute";
return LDAP_OTHER;
}
rc = structural_class( aoc->a_vals, &oc, &socs, text, textbuf, textlen,
op->o_tmpmemctx );
if( rc != LDAP_SUCCESS ) {
return rc;
}
if ( asc == NULL && add ) {
attr_merge_one( e, ad_structuralObjectClass, &oc->soc_cname, NULL );
asc = attr_find( e->e_attrs, ad_structuralObjectClass );
sc = oc;
goto got_soc;
}
assert( asc->a_vals != NULL );
assert( asc->a_vals[0].bv_val != NULL );
assert( asc->a_vals[1].bv_val == NULL );
sc = oc_bvfind( &asc->a_vals[0] );
if( sc == NULL ) {
Debug(LDAP_DEBUG_ANY,
"entry_check_schema(%s): unrecognized structuralObjectClass '%s'\n",
e->e_dn, asc->a_vals[0].bv_val );
rc = LDAP_OBJECT_CLASS_VIOLATION;
goto done;
}
if( sc->soc_kind != LDAP_SCHEMA_STRUCTURAL ) {
Debug(LDAP_DEBUG_ANY,
"entry_check_schema(%s): structuralObjectClass '%s' is not STRUCTURAL\n",
e->e_dn, asc->a_vals[0].bv_val );
rc = LDAP_OTHER;
goto done;
}
got_soc:
if( !manage && sc->soc_obsolete ) {
Debug(LDAP_DEBUG_ANY,
"entry_check_schema(%s): structuralObjectClass '%s' is OBSOLETE\n",
e->e_dn, asc->a_vals[0].bv_val );
rc = LDAP_OBJECT_CLASS_VIOLATION;
goto done;
}
*text = textbuf;
if ( oc == NULL ) {
snprintf( textbuf, textlen,
"unrecognized objectClass '%s'",
aoc->a_vals[0].bv_val );
rc = LDAP_OBJECT_CLASS_VIOLATION;
goto done;
} else if ( sc != oc ) {
if ( !manage && sc != slap_schema.si_oc_glue ) {
snprintf( textbuf, textlen,
"structural object class modification "
"from '%s' to '%s' not allowed",
asc->a_vals[0].bv_val, oc->soc_cname.bv_val );
rc = LDAP_NO_OBJECT_CLASS_MODS;
goto done;
}
assert( asc->a_vals != NULL );
assert( !BER_BVISNULL( &asc->a_vals[0] ) );
assert( BER_BVISNULL( &asc->a_vals[1] ) );
assert( asc->a_nvals == asc->a_vals );
/* draft-zeilenga-ldap-relax: automatically modify
* structuralObjectClass if changed with relax */
sc = oc;
ber_bvreplace( &asc->a_vals[ 0 ], &sc->soc_cname );
if ( socp ) {
*socp = asc;
}
}
/* naming check */
if ( !is_entry_glue ( e ) ) {
rc = entry_naming_check( e, manage, add, text, textbuf, textlen );
if( rc != LDAP_SUCCESS ) {
goto done;
}
} else {
/* Glue Entry */
}
/* find the content rule for the structural class */
cr = cr_find( sc->soc_oid );
/* the cr must be same as the structural class */
assert( !cr || !strcmp( cr->scr_oid, sc->soc_oid ) );
/* check that the entry has required attrs of the content rule */
if( cr ) {
if( !manage && cr->scr_obsolete ) {
Debug(LDAP_DEBUG_ANY,
"Entry (%s): content rule '%s' is obsolete\n",
e->e_dn, ldap_contentrule2name(&cr->scr_crule) );
rc = LDAP_OBJECT_CLASS_VIOLATION;
goto done;
}
if( cr->scr_required ) for( i=0; cr->scr_required[i]; i++ ) {
at = cr->scr_required[i];
for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
if( a->a_desc->ad_type == at ) {
break;
}
}
/* not there => schema violation */
if ( a == NULL ) {
Debug(LDAP_DEBUG_ANY,
"Entry (%s): content rule '%s' requires attribute '%s'\n",
e->e_dn,
ldap_contentrule2name(&cr->scr_crule),
at->sat_cname.bv_val );
rc = LDAP_OBJECT_CLASS_VIOLATION;
goto done;
}
}
if( cr->scr_precluded ) for( i=0; cr->scr_precluded[i]; i++ ) {
at = cr->scr_precluded[i];
for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
if( a->a_desc->ad_type == at ) {
break;
}
}
/* there => schema violation */
if ( a != NULL ) {
Debug(LDAP_DEBUG_ANY,
"Entry (%s): content rule '%s' precluded attribute '%s'\n",
e->e_dn,
ldap_contentrule2name(&cr->scr_crule),
at->sat_cname.bv_val );
rc = LDAP_OBJECT_CLASS_VIOLATION;
goto done;
}
}
}
/* check that the entry has required attrs for each oc */
for ( i = 0; socs[i]; i++ ) {
oc = socs[i];
if ( !manage && oc->soc_obsolete ) {
/* disallow obsolete classes */
Debug(LDAP_DEBUG_ANY,
"entry_check_schema(%s): objectClass '%s' is OBSOLETE\n",
e->e_dn, aoc->a_vals[i].bv_val );
rc = LDAP_OBJECT_CLASS_VIOLATION;
goto done;
}
if ( oc->soc_check ) {
rc = (oc->soc_check)( op->o_bd, e, oc,
text, textbuf, textlen );
if( rc != LDAP_SUCCESS ) {
goto done;
}
}
if ( oc->soc_kind == LDAP_SCHEMA_ABSTRACT ) {
/* object class is abstract */
if ( oc != slap_schema.si_oc_top &&
!is_object_subclass( oc, sc ))
{
int j;
ObjectClass *xc = NULL;
for( j=0; socs[j]; j++ ) {
if( i != j ) {
xc = socs[j];
/* since we previous check against the
* structural object of this entry, the
* abstract class must be a (direct or indirect)
* superclass of one of the auxiliary classes of
* the entry.
*/
if ( xc->soc_kind == LDAP_SCHEMA_AUXILIARY &&
is_object_subclass( oc, xc ) )
{
xc = NULL;
break;
}
}
}
if( xc != NULL ) {
Debug(LDAP_DEBUG_ANY,
"entry_check_schema(%s): instantiation of " "abstract objectClass '%s' not allowed\n",
e->e_dn, aoc->a_vals[i].bv_val );
rc = LDAP_OBJECT_CLASS_VIOLATION;
goto done;
}
}
} else if ( oc->soc_kind != LDAP_SCHEMA_STRUCTURAL || oc == sc ) {
char *s;
if( oc->soc_kind == LDAP_SCHEMA_AUXILIARY ) {
int k;
if( cr ) {
int j;
k = -1;
if( cr->scr_auxiliaries ) {
for( j = 0; cr->scr_auxiliaries[j]; j++ ) {
if( cr->scr_auxiliaries[j] == oc ) {
k = 0;
break;
}
}
}
if ( k ) {
snprintf( textbuf, textlen,
"class '%s' not allowed by content rule '%s'",
oc->soc_cname.bv_val,
ldap_contentrule2name( &cr->scr_crule ) );
}
} else if ( global_disallows & SLAP_DISALLOW_AUX_WO_CR ) {
k = -1;
snprintf( textbuf, textlen,
"class '%s' not allowed by any content rule",
oc->soc_cname.bv_val );
} else {
k = 0;
}
if( k == -1 ) {
Debug( LDAP_DEBUG_ANY,
"Entry (%s): %s\n",
e->e_dn, textbuf );
rc = LDAP_OBJECT_CLASS_VIOLATION;
goto done;
}
}
s = oc_check_required( e, oc, &aoc->a_vals[i] );
if (s != NULL) {
Debug(LDAP_DEBUG_ANY,
"Entry (%s): object class '%s' requires attribute '%s'\n",
e->e_dn, aoc->a_vals[i].bv_val, s );
rc = LDAP_OBJECT_CLASS_VIOLATION;
goto done;
}
if( oc == slap_schema.si_oc_extensibleObject ) {
extensible=1;
}
}
}
if( extensible ) {
*text = NULL;
rc = LDAP_SUCCESS;
goto done;
}
/* check that each attr in the entry is allowed by some oc */
for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
rc = LDAP_OBJECT_CLASS_VIOLATION;
if( cr && cr->scr_required ) {
for( i=0; cr->scr_required[i]; i++ ) {
if( cr->scr_required[i] == a->a_desc->ad_type ) {
rc = LDAP_SUCCESS;
break;
}
}
}
if( rc != LDAP_SUCCESS && cr && cr->scr_allowed ) {
for( i=0; cr->scr_allowed[i]; i++ ) {
if( cr->scr_allowed[i] == a->a_desc->ad_type ) {
rc = LDAP_SUCCESS;
break;
}
}
}
if( rc != LDAP_SUCCESS )
{
rc = oc_check_allowed( a->a_desc->ad_type, socs, sc );
}
if ( rc != LDAP_SUCCESS ) {
char *type = a->a_desc->ad_cname.bv_val;
Debug(LDAP_DEBUG_ANY,
"Entry (%s), attribute '%s' not allowed\n",
e->e_dn, type );
goto done;
}
}
*text = NULL;
done:
slap_sl_free( socs, op->o_tmpmemctx );
return rc;
}
/*
* Convert a delimited string into a list of AttributeNames; add
* on to an existing list if it was given. If the string is not
* a valid attribute name, if a '-' is prepended it is skipped
* and the remaining name is tried again; if a '@' (or '+') is
* prepended, an objectclass name is searched instead; if a '!'
* is prepended, the objectclass name is negated.
*
* NOTE: currently, if a valid attribute name is not found, the
* same string is also checked as valid objectclass name; however,
* this behavior is deprecated.
*/
AttributeName *
str2anlist( AttributeName *an, char *in, const char *brkstr )
{
char *str;
char *s;
char *lasts;
int i, j;
const char *text;
AttributeName *anew;
/* find last element in list */
i = 0;
if ( an != NULL ) {
for ( i = 0; !BER_BVISNULL( &an[ i ].an_name ) ; i++)
;
}
/* protect the input string from strtok */
str = ch_strdup( in );
/* Count words in string */
j = 1;
for ( s = str; *s; s++ ) {
if ( strchr( brkstr, *s ) != NULL ) {
j++;
}
}
an = ch_realloc( an, ( i + j + 1 ) * sizeof( AttributeName ) );
anew = an + i;
for ( s = ldap_pvt_strtok( str, brkstr, &lasts );
s != NULL;
s = ldap_pvt_strtok( NULL, brkstr, &lasts ) )
{
/* put a stop mark */
BER_BVZERO( &anew[1].an_name );
anew->an_desc = NULL;
anew->an_oc = NULL;
anew->an_flags = 0;
ber_str2bv(s, 0, 1, &anew->an_name);
slap_bv2ad(&anew->an_name, &anew->an_desc, &text);
if ( !anew->an_desc ) {
switch( anew->an_name.bv_val[0] ) {
case '-': {
struct berval adname;
adname.bv_len = anew->an_name.bv_len - 1;
adname.bv_val = &anew->an_name.bv_val[1];
slap_bv2ad(&adname, &anew->an_desc, &text);
if ( !anew->an_desc ) {
goto reterr;
}
} break;
case '@':
case '+': /* (deprecated) */
case '!': {
struct berval ocname;
ocname.bv_len = anew->an_name.bv_len - 1;
ocname.bv_val = &anew->an_name.bv_val[1];
anew->an_oc = oc_bvfind( &ocname );
if ( !anew->an_oc ) {
goto reterr;
}
if ( anew->an_name.bv_val[0] == '!' ) {
anew->an_flags |= SLAP_AN_OCEXCLUDE;
}
} break;
default:
/* old (deprecated) way */
anew->an_oc = oc_bvfind( &anew->an_name );
if ( !anew->an_oc ) {
goto reterr;
}
}
}
anew->an_flags |= SLAP_AN_OCINITED;
anew++;
}
BER_BVZERO( &anew->an_name );
free( str );
return( an );
reterr:
anlist_free( an, 1, NULL );
/*
* overwrites input string
* on error!
*/
strcpy( in, s );
free( str );
return NULL;
}
int ad_inlist(
AttributeDescription *desc,
AttributeName *attrs )
{
if (! attrs ) return 0;
for( ; attrs->an_name.bv_val; attrs++ ) {
AttributeType *a;
ObjectClass *oc;
if ( attrs->an_desc ) {
int lr;
if ( desc == attrs->an_desc ) {
return 1;
}
/*
* EXTENSION: if requested description is preceeded by
* a '-' character, do not match on subtypes.
*/
if ( attrs->an_name.bv_val[0] == '-' ) {
continue;
}
/* Is this a subtype of the requested attr? */
for (a = desc->ad_type; a; a=a->sat_sup) {
if ( a == attrs->an_desc->ad_type )
break;
}
if ( !a ) {
continue;
}
/* Does desc support all the requested flags? */
lr = desc->ad_tags.bv_len ? SLAP_DESC_TAG_RANGE : 0;
if(( attrs->an_desc->ad_flags & (desc->ad_flags | lr))
!= attrs->an_desc->ad_flags ) {
continue;
}
/* Do the descs have compatible tags? */
if ( attrs->an_desc->ad_tags.bv_len == 0 ) {
return 1;
}
if ( desc->ad_tags.bv_len == 0) {
continue;
}
if ( is_ad_subtags( &desc->ad_tags,
&attrs->an_desc->ad_tags ) ) {
return 1;
}
continue;
}
if ( ber_bvccmp( &attrs->an_name, '*' ) ) {
if ( !is_at_operational( desc->ad_type ) ) {
return 1;
}
continue;
}
if ( ber_bvccmp( &attrs->an_name, '+' ) ) {
if ( is_at_operational( desc->ad_type ) ) {
return 1;
}
continue;
}
/*
* EXTENSION: see if requested description is @objectClass
* if so, return attributes which the class requires/allows
* else if requested description is !objectClass, return
* attributes which the class does not require/allow
*/
if ( !( attrs->an_flags & SLAP_AN_OCINITED )) {
if( attrs->an_name.bv_val ) {
switch( attrs->an_name.bv_val[0] ) {
case '@': /* @objectClass */
case '+': /* +objectClass (deprecated) */
case '!': { /* exclude */
struct berval ocname;
ocname.bv_len = attrs->an_name.bv_len - 1;
ocname.bv_val = &attrs->an_name.bv_val[1];
oc = oc_bvfind( &ocname );
if ( oc && attrs->an_name.bv_val[0] == '!' ) {
attrs->an_flags |= SLAP_AN_OCEXCLUDE;
} else {
attrs->an_flags &= ~SLAP_AN_OCEXCLUDE;
}
} break;
default: /* old (deprecated) way */
oc = oc_bvfind( &attrs->an_name );
}
attrs->an_oc = oc;
}
attrs->an_flags |= SLAP_AN_OCINITED;
}
oc = attrs->an_oc;
if( oc != NULL ) {
if ( attrs->an_flags & SLAP_AN_OCEXCLUDE ) {
if ( oc == slap_schema.si_oc_extensibleObject ) {
/* extensibleObject allows the return of anything */
return 0;
}
if( oc->soc_required ) {
/* allow return of required attributes */
int i;
for ( i = 0; oc->soc_required[i] != NULL; i++ ) {
for (a = desc->ad_type; a; a=a->sat_sup) {
if ( a == oc->soc_required[i] ) {
return 0;
}
}
}
}
if( oc->soc_allowed ) {
/* allow return of allowed attributes */
int i;
for ( i = 0; oc->soc_allowed[i] != NULL; i++ ) {
for (a = desc->ad_type; a; a=a->sat_sup) {
if ( a == oc->soc_allowed[i] ) {
return 0;
}
}
}
}
return 1;
}
if ( oc == slap_schema.si_oc_extensibleObject ) {
/* extensibleObject allows the return of anything */
return 1;
}
if( oc->soc_required ) {
/* allow return of required attributes */
int i;
for ( i = 0; oc->soc_required[i] != NULL; i++ ) {
for (a = desc->ad_type; a; a=a->sat_sup) {
if ( a == oc->soc_required[i] ) {
return 1;
}
}
}
}
if( oc->soc_allowed ) {
/* allow return of allowed attributes */
int i;
for ( i = 0; oc->soc_allowed[i] != NULL; i++ ) {
for (a = desc->ad_type; a; a=a->sat_sup) {
if ( a == oc->soc_allowed[i] ) {
return 1;
}
}
}
}
} else {
const char *text;
/* give it a chance of being retrieved by a proxy... */
(void)slap_bv2undef_ad( &attrs->an_name,
&attrs->an_desc, &text,
SLAP_AD_PROXIED|SLAP_AD_NOINSERT );
}
}
return 0;
}
static int objectSubClassIndexer(
slap_mask_t use,
slap_mask_t mask,
Syntax *syntax,
MatchingRule *mr,
struct berval *prefix,
BerVarray values,
BerVarray *keysp,
void *ctx )
{
int rc, noc, i;
BerVarray ocvalues;
ObjectClass **socs;
for( noc=0; values[noc].bv_val != NULL; noc++ ) {
/* just count em */;
}
/* over allocate */
socs = slap_sl_malloc( (noc+16) * sizeof( ObjectClass * ), ctx );
/* initialize */
for( i=0; i<noc; i++ ) {
socs[i] = oc_bvfind( &values[i] );
}
/* expand values */
for( i=0; i<noc; i++ ) {
int j;
ObjectClass *oc = socs[i];
if( oc == NULL || oc->soc_sups == NULL ) continue;
for( j=0; oc->soc_sups[j] != NULL; j++ ) {
int found = 0;
ObjectClass *sup = oc->soc_sups[j];
int k;
for( k=0; k<noc; k++ ) {
if( sup == socs[k] ) {
found++;
break;
}
}
if( !found ) {
socs = slap_sl_realloc( socs,
sizeof( ObjectClass * ) * (noc+2), ctx );
assert( k == noc );
socs[noc++] = sup;
}
}
}
ocvalues = slap_sl_malloc( sizeof( struct berval ) * (noc+1), ctx );
/* copy values */
for( i=0; i<noc; i++ ) {
if ( socs[i] )
ocvalues[i] = socs[i]->soc_cname;
else
ocvalues[i] = values[i];
}
BER_BVZERO( &ocvalues[i] );
rc = octetStringIndexer( use, mask, syntax, mr,
prefix, ocvalues, keysp, ctx );
slap_sl_free( ocvalues, ctx );
slap_sl_free( socs, ctx );
return rc;
}
static int
OpenLDAPaciPrettyNormal(
struct berval *val,
struct berval *out,
void *ctx,
int normalize )
{
struct berval oid = BER_BVNULL,
scope = BER_BVNULL,
rights = BER_BVNULL,
nrights = BER_BVNULL,
type = BER_BVNULL,
ntype = BER_BVNULL,
subject = BER_BVNULL,
nsubject = BER_BVNULL;
int idx,
rc = LDAP_SUCCESS,
freesubject = 0,
freetype = 0;
char *ptr;
BER_BVZERO( out );
if ( BER_BVISEMPTY( val ) ) {
Debug( LDAP_DEBUG_ACL, "aciPrettyNormal: value is empty\n" );
return LDAP_INVALID_SYNTAX;
}
/* oid: if valid, it's already normalized */
if ( acl_get_part( val, 0, '#', &oid ) < 0 ||
numericoidValidate( NULL, &oid ) != LDAP_SUCCESS )
{
Debug( LDAP_DEBUG_ACL, "aciPrettyNormal: invalid oid '%s'\n", oid.bv_val );
return LDAP_INVALID_SYNTAX;
}
/* scope: normalize by replacing with OpenLDAPaciscopes */
if ( acl_get_part( val, 1, '#', &scope ) < 0 ) {
Debug( LDAP_DEBUG_ACL, "aciPrettyNormal: missing scope in '%s'\n", val->bv_val );
return LDAP_INVALID_SYNTAX;
}
idx = bv_getcaseidx( &scope, OpenLDAPaciscopes );
if ( idx == -1 ) {
Debug( LDAP_DEBUG_ACL, "aciPrettyNormal: invalid scope '%s'\n", scope.bv_val );
return LDAP_INVALID_SYNTAX;
}
scope = *OpenLDAPaciscopes[ idx ];
/* rights */
if ( acl_get_part( val, 2, '#', &rights ) < 0 ) {
Debug( LDAP_DEBUG_ACL, "aciPrettyNormal: missing rights in '%s'\n", val->bv_val );
return LDAP_INVALID_SYNTAX;
}
if ( OpenLDAPaciNormalizeRights( &rights, &nrights, ctx )
!= LDAP_SUCCESS )
{
return LDAP_INVALID_SYNTAX;
}
/* type */
if ( acl_get_part( val, 3, '#', &type ) < 0 ) {
Debug( LDAP_DEBUG_ACL, "aciPrettyNormal: missing type in '%s'\n", val->bv_val );
rc = LDAP_INVALID_SYNTAX;
goto cleanup;
}
idx = bv_getcaseidx( &type, OpenLDAPacitypes );
if ( idx == -1 ) {
struct berval isgr;
if ( acl_get_part( &type, 0, '/', &isgr ) < 0 ) {
Debug( LDAP_DEBUG_ACL, "aciPrettyNormal: invalid type '%s'\n", type.bv_val );
rc = LDAP_INVALID_SYNTAX;
goto cleanup;
}
idx = bv_getcaseidx( &isgr, OpenLDAPacitypes );
if ( idx == -1 || idx >= LAST_OPTIONAL ) {
Debug( LDAP_DEBUG_ACL, "aciPrettyNormal: invalid type '%s'\n", isgr.bv_val );
rc = LDAP_INVALID_SYNTAX;
goto cleanup;
}
}
ntype = *OpenLDAPacitypes[ idx ];
/* subject */
bv_get_tail( val, &type, &subject );
if ( BER_BVISEMPTY( &subject ) || subject.bv_val[ 0 ] != '#' ) {
Debug( LDAP_DEBUG_ACL, "aciPrettyNormal: missing subject in '%s'\n", val->bv_val );
rc = LDAP_INVALID_SYNTAX;
goto cleanup;
}
subject.bv_val++;
subject.bv_len--;
if ( idx < LAST_DNVALUED ) {
/* FIXME: pass DN syntax? */
if ( normalize ) {
rc = dnNormalize( 0, NULL, NULL,
&subject, &nsubject, ctx );
} else {
rc = dnPretty( NULL, &subject, &nsubject, ctx );
}
if ( rc == LDAP_SUCCESS ) {
freesubject = 1;
} else {
Debug( LDAP_DEBUG_ACL, "aciPrettyNormal: invalid subject dn '%s'\n", subject.bv_val );
goto cleanup;
}
if ( OpenLDAPacitypes[ idx ] == &aci_bv[ ACI_BV_GROUP ]
|| OpenLDAPacitypes[ idx ] == &aci_bv[ ACI_BV_ROLE ] )
{
/* do {group|role}/oc/at check */
struct berval ocbv = BER_BVNULL,
atbv = BER_BVNULL;
ocbv.bv_val = ber_bvchr( &type, '/' );
if ( ocbv.bv_val != NULL ) {
ObjectClass *oc = NULL;
AttributeDescription *ad = NULL;
const char *text = NULL;
int rc;
struct berval bv;
bv.bv_len = ntype.bv_len;
ocbv.bv_val++;
ocbv.bv_len = type.bv_len - ( ocbv.bv_val - type.bv_val );
atbv.bv_val = ber_bvchr( &ocbv, '/' );
if ( atbv.bv_val != NULL ) {
atbv.bv_val++;
atbv.bv_len = type.bv_len
- ( atbv.bv_val - type.bv_val );
ocbv.bv_len = atbv.bv_val - ocbv.bv_val - 1;
rc = slap_bv2ad( &atbv, &ad, &text );
if ( rc != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_ACL, "aciPrettyNormal: unknown group attribute '%s'\n", atbv.bv_val );
rc = LDAP_INVALID_SYNTAX;
goto cleanup;
}
bv.bv_len += STRLENOF( "/" ) + ad->ad_cname.bv_len;
}
oc = oc_bvfind( &ocbv );
if ( oc == NULL ) {
Debug( LDAP_DEBUG_ACL, "aciPrettyNormal: invalid group '%s'\n", ocbv.bv_val );
rc = LDAP_INVALID_SYNTAX;
goto cleanup;
}
bv.bv_len += STRLENOF( "/" ) + oc->soc_cname.bv_len;
bv.bv_val = ber_memalloc_x( bv.bv_len + 1, ctx );
ptr = bv.bv_val;
ptr = lutil_strncopy( ptr, ntype.bv_val, ntype.bv_len );
ptr[ 0 ] = '/';
ptr++;
ptr = lutil_strncopy( ptr,
oc->soc_cname.bv_val,
oc->soc_cname.bv_len );
if ( ad != NULL ) {
ptr[ 0 ] = '/';
ptr++;
ptr = lutil_strncopy( ptr,
ad->ad_cname.bv_val,
ad->ad_cname.bv_len );
}
ptr[ 0 ] = '\0';
ntype = bv;
freetype = 1;
}
}
} else if ( OpenLDAPacitypes[ idx ] == &aci_bv[ ACI_BV_DNATTR ] ) {
AttributeDescription *ad = NULL;
const char *text = NULL;
int rc;
rc = slap_bv2ad( &subject, &ad, &text );
if ( rc != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_ACL, "aciPrettyNormal: unknown dn attribute '%s'\n", subject.bv_val );
rc = LDAP_INVALID_SYNTAX;
goto cleanup;
}
if ( ad->ad_type->sat_syntax != slap_schema.si_syn_distinguishedName ) {
/* FIXME: allow nameAndOptionalUID? */
Debug( LDAP_DEBUG_ACL, "aciPrettyNormal: wrong syntax for dn attribute '%s'\n", subject.bv_val );
rc = LDAP_INVALID_SYNTAX;
goto cleanup;
}
nsubject = ad->ad_cname;
} else if ( OpenLDAPacitypes[ idx ] == &aci_bv[ ACI_BV_SET ]
|| OpenLDAPacitypes[ idx ] == &aci_bv[ ACI_BV_SET_REF ] )
{
/* NOTE: dunno how to normalize it... */
nsubject = subject;
}
out->bv_len =
oid.bv_len + STRLENOF( "#" )
+ scope.bv_len + STRLENOF( "#" )
+ nrights.bv_len + STRLENOF( "#" )
+ ntype.bv_len + STRLENOF( "#" )
+ nsubject.bv_len;
out->bv_val = ber_memalloc_x( out->bv_len + 1, ctx );
ptr = lutil_strncopy( out->bv_val, oid.bv_val, oid.bv_len );
ptr[ 0 ] = '#';
ptr++;
ptr = lutil_strncopy( ptr, scope.bv_val, scope.bv_len );
ptr[ 0 ] = '#';
ptr++;
ptr = lutil_strncopy( ptr, nrights.bv_val, nrights.bv_len );
ptr[ 0 ] = '#';
ptr++;
ptr = lutil_strncopy( ptr, ntype.bv_val, ntype.bv_len );
ptr[ 0 ] = '#';
ptr++;
if ( !BER_BVISNULL( &nsubject ) ) {
ptr = lutil_strncopy( ptr, nsubject.bv_val, nsubject.bv_len );
}
ptr[ 0 ] = '\0';
cleanup:;
if ( freesubject ) {
ber_memfree_x( nsubject.bv_val, ctx );
}
if ( freetype ) {
ber_memfree_x( ntype.bv_val, ctx );
}
if ( !BER_BVISNULL( &nrights ) ) {
ber_memfree_x( nrights.bv_val, ctx );
}
return rc;
}
static int
dynlist_sc_update( Operation *op, SlapReply *rs )
{
Entry *e;
Attribute *a;
int opattrs,
userattrs;
AccessControlState acl_state = ACL_STATE_INIT;
dynlist_sc_t *dlc;
dynlist_map_t *dlm;
if ( rs->sr_type != REP_SEARCH ) {
return 0;
}
dlc = (dynlist_sc_t *)op->o_callback->sc_private;
e = dlc->dlc_e;
assert( e != NULL );
assert( rs->sr_entry != NULL );
/* test access to entry */
if ( !access_allowed( op, rs->sr_entry, slap_schema.si_ad_entry,
NULL, ACL_READ, NULL ) )
{
goto done;
}
/* if there is only one member_ad, and it's not mapped,
* consider it as old-style member listing */
dlm = dlc->dlc_dli->dli_dlm;
if ( dlm && dlm->dlm_mapped_ad == NULL && dlm->dlm_next == NULL ) {
/* if access allowed, try to add values, emulating permissive
* control to silently ignore duplicates */
if ( access_allowed( op, rs->sr_entry, slap_schema.si_ad_entry,
NULL, ACL_READ, NULL ) )
{
Modification mod;
const char *text = NULL;
char textbuf[1024];
struct berval vals[ 2 ], nvals[ 2 ];
vals[ 0 ] = rs->sr_entry->e_name;
BER_BVZERO( &vals[ 1 ] );
nvals[ 0 ] = rs->sr_entry->e_nname;
BER_BVZERO( &nvals[ 1 ] );
mod.sm_op = LDAP_MOD_ADD;
mod.sm_desc = dlm->dlm_member_ad;
mod.sm_type = dlm->dlm_member_ad->ad_cname;
mod.sm_values = vals;
mod.sm_nvalues = nvals;
mod.sm_numvals = 1;
(void)modify_add_values( e, &mod, /* permissive */ 1,
&text, textbuf, sizeof( textbuf ) );
}
goto done;
}
opattrs = SLAP_OPATTRS( rs->sr_attr_flags );
userattrs = SLAP_USERATTRS( rs->sr_attr_flags );
for ( a = rs->sr_entry->e_attrs; a != NULL; a = a->a_next ) {
BerVarray vals, nvals = NULL;
int i, j,
is_oc = a->a_desc == slap_schema.si_ad_objectClass;
/* if attribute is not requested, skip it */
if ( rs->sr_attrs == NULL ) {
if ( is_at_operational( a->a_desc->ad_type ) ) {
continue;
}
} else {
if ( is_at_operational( a->a_desc->ad_type ) ) {
if ( !opattrs && !ad_inlist( a->a_desc, rs->sr_attrs ) )
{
continue;
}
} else {
if ( !userattrs && !ad_inlist( a->a_desc, rs->sr_attrs ) )
{
continue;
}
}
}
/* test access to attribute */
if ( op->ors_attrsonly ) {
if ( !access_allowed( op, rs->sr_entry, a->a_desc, NULL,
ACL_READ, &acl_state ) )
{
continue;
}
}
/* single-value check: keep first only */
if ( is_at_single_value( a->a_desc->ad_type ) ) {
if ( attr_find( e->e_attrs, a->a_desc ) != NULL ) {
continue;
}
}
/* test access to attribute */
i = a->a_numvals;
vals = op->o_tmpalloc( ( i + 1 ) * sizeof( struct berval ), op->o_tmpmemctx );
if ( a->a_nvals != a->a_vals ) {
nvals = op->o_tmpalloc( ( i + 1 ) * sizeof( struct berval ), op->o_tmpmemctx );
}
for ( i = 0, j = 0; !BER_BVISNULL( &a->a_vals[i] ); i++ ) {
if ( is_oc ) {
ObjectClass *soc = oc_bvfind( &a->a_vals[i] );
if ( soc->soc_kind == LDAP_SCHEMA_STRUCTURAL ) {
continue;
}
}
if ( access_allowed( op, rs->sr_entry, a->a_desc,
&a->a_nvals[i], ACL_READ, &acl_state ) )
{
vals[j] = a->a_vals[i];
if ( nvals ) {
nvals[j] = a->a_nvals[i];
}
j++;
}
}
/* if access allowed, try to add values, emulating permissive
* control to silently ignore duplicates */
if ( j != 0 ) {
Modification mod;
const char *text = NULL;
char textbuf[1024];
dynlist_map_t *dlm;
AttributeDescription *ad;
BER_BVZERO( &vals[j] );
if ( nvals ) {
BER_BVZERO( &nvals[j] );
}
ad = a->a_desc;
for ( dlm = dlc->dlc_dli->dli_dlm; dlm; dlm = dlm->dlm_next ) {
if ( dlm->dlm_member_ad == a->a_desc ) {
if ( dlm->dlm_mapped_ad ) {
ad = dlm->dlm_mapped_ad;
}
break;
}
}
mod.sm_op = LDAP_MOD_ADD;
mod.sm_desc = ad;
mod.sm_type = ad->ad_cname;
mod.sm_values = vals;
mod.sm_nvalues = nvals;
mod.sm_numvals = j;
(void)modify_add_values( e, &mod, /* permissive */ 1,
&text, textbuf, sizeof( textbuf ) );
}
op->o_tmpfree( vals, op->o_tmpmemctx );
if ( nvals ) {
op->o_tmpfree( nvals, op->o_tmpmemctx );
}
}
done:;
if ( rs->sr_flags & REP_ENTRY_MUSTBEFREED ) {
entry_free( rs->sr_entry );
rs->sr_entry = NULL;
rs->sr_flags &= ~REP_ENTRY_MASK;
}
return 0;
}
static int
aci_group_member (
struct berval *subj,
const struct berval *defgrpoc,
const struct berval *defgrpat,
Operation *op,
Entry *e,
int nmatch,
regmatch_t *matches
)
{
struct berval subjdn;
struct berval grpoc;
struct berval grpat;
ObjectClass *grp_oc = NULL;
AttributeDescription *grp_ad = NULL;
const char *text;
int rc;
/* format of string is "{group|role}/objectClassValue/groupAttrName" */
if ( acl_get_part( subj, 0, '/', &subjdn ) < 0 ) {
return 0;
}
if ( acl_get_part( subj, 1, '/', &grpoc ) < 0 ) {
grpoc = *defgrpoc;
}
if ( acl_get_part( subj, 2, '/', &grpat ) < 0 ) {
grpat = *defgrpat;
}
rc = slap_bv2ad( &grpat, &grp_ad, &text );
if ( rc != LDAP_SUCCESS ) {
rc = 0;
goto done;
}
rc = 0;
grp_oc = oc_bvfind( &grpoc );
if ( grp_oc != NULL && grp_ad != NULL ) {
char buf[ ACI_BUF_SIZE ];
struct berval bv, ndn;
AclRegexMatches amatches = { 0 };
amatches.dn_count = nmatch;
memcpy( amatches.dn_data, matches, sizeof( amatches.dn_data ) );
bv.bv_len = sizeof( buf ) - 1;
bv.bv_val = (char *)&buf;
if ( acl_string_expand( &bv, &subjdn,
&e->e_nname, NULL, &amatches ) )
{
rc = LDAP_OTHER;
goto done;
}
if ( dnNormalize( 0, NULL, NULL, &bv, &ndn, op->o_tmpmemctx ) == LDAP_SUCCESS )
{
rc = ( backend_group( op, e, &ndn, &op->o_ndn,
grp_oc, grp_ad ) == 0 );
slap_sl_free( ndn.bv_val, op->o_tmpmemctx );
}
}
done:
return rc;
}
static int
dds_op_modify( Operation *op, SlapReply *rs )
{
slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
dds_info_t *di = (dds_info_t *)on->on_bi.bi_private;
Modifications *mod;
Entry *e = NULL;
BackendInfo *bi = op->o_bd->bd_info;
int was_dynamicObject = 0,
is_dynamicObject = 0;
struct berval bv_entryTtl = BER_BVNULL;
time_t entryTtl = 0;
char textbuf[ SLAP_TEXT_BUFLEN ];
if ( DDS_OFF( di ) ) {
return SLAP_CB_CONTINUE;
}
/* bv_entryTtl stores the string representation of the entryTtl
* across modifies for consistency checks of the final value;
* the bv_val points to a static buffer; the bv_len is zero when
* the attribute is deleted.
* entryTtl stores the integer representation of the entryTtl;
* its value is -1 when the attribute is deleted; it is 0 only
* if no modifications of the entryTtl occurred, as an entryTtl
* of 0 is invalid. */
bv_entryTtl.bv_val = textbuf;
op->o_bd->bd_info = (BackendInfo *)on->on_info;
rs->sr_err = be_entry_get_rw( op, &op->o_req_ndn,
slap_schema.si_oc_dynamicObject, slap_schema.si_ad_entryTtl, 0, &e );
if ( rs->sr_err == LDAP_SUCCESS && e != NULL ) {
Attribute *a = attr_find( e->e_attrs, slap_schema.si_ad_entryTtl );
/* the value of the entryTtl is saved for later checks */
if ( a != NULL ) {
unsigned long ttl;
int rc;
bv_entryTtl.bv_len = a->a_nvals[ 0 ].bv_len;
memcpy( bv_entryTtl.bv_val, a->a_nvals[ 0 ].bv_val, bv_entryTtl.bv_len );
bv_entryTtl.bv_val[ bv_entryTtl.bv_len ] = '\0';
rc = lutil_atoul( &ttl, bv_entryTtl.bv_val );
assert( rc == 0 );
entryTtl = (time_t)ttl;
}
be_entry_release_r( op, e );
e = NULL;
was_dynamicObject = is_dynamicObject = 1;
}
op->o_bd->bd_info = bi;
rs->sr_err = LDAP_SUCCESS;
for ( mod = op->orm_modlist; mod; mod = mod->sml_next ) {
if ( mod->sml_desc == slap_schema.si_ad_objectClass ) {
int i;
ObjectClass *oc;
switch ( mod->sml_op ) {
case LDAP_MOD_DELETE:
if ( mod->sml_values == NULL ) {
is_dynamicObject = 0;
break;
}
for ( i = 0; !BER_BVISNULL( &mod->sml_values[ i ] ); i++ ) {
oc = oc_bvfind( &mod->sml_values[ i ] );
if ( oc == slap_schema.si_oc_dynamicObject ) {
is_dynamicObject = 0;
break;
}
}
break;
case LDAP_MOD_REPLACE:
if ( mod->sml_values == NULL ) {
is_dynamicObject = 0;
break;
}
/* fallthru */
case LDAP_MOD_ADD:
for ( i = 0; !BER_BVISNULL( &mod->sml_values[ i ] ); i++ ) {
oc = oc_bvfind( &mod->sml_values[ i ] );
if ( oc == slap_schema.si_oc_dynamicObject ) {
is_dynamicObject = 1;
break;
}
}
break;
}
} else if ( mod->sml_desc == slap_schema.si_ad_entryTtl ) {
unsigned long uttl;
time_t ttl;
int rc;
switch ( mod->sml_op ) {
case LDAP_MOD_DELETE:
case SLAP_MOD_SOFTDEL: /* FIXME? */
if ( mod->sml_values != NULL ) {
if ( BER_BVISEMPTY( &bv_entryTtl )
|| !bvmatch( &bv_entryTtl, &mod->sml_values[ 0 ] ) )
{
rs->sr_err = backend_attribute( op, NULL, &op->o_req_ndn,
slap_schema.si_ad_entry, NULL, ACL_DISCLOSE );
if ( rs->sr_err == LDAP_INSUFFICIENT_ACCESS ) {
rs->sr_err = LDAP_NO_SUCH_OBJECT;
} else {
rs->sr_err = LDAP_NO_SUCH_ATTRIBUTE;
}
goto done;
}
}
bv_entryTtl.bv_len = 0;
entryTtl = -1;
break;
case LDAP_MOD_REPLACE:
bv_entryTtl.bv_len = 0;
entryTtl = -1;
/* fallthru */
case LDAP_MOD_ADD:
case SLAP_MOD_SOFTADD: /* FIXME? */
case SLAP_MOD_ADD_IF_NOT_PRESENT: /* FIXME? */
assert( mod->sml_values != NULL );
assert( BER_BVISNULL( &mod->sml_values[ 1 ] ) );
if ( !BER_BVISEMPTY( &bv_entryTtl ) ) {
rs->sr_err = backend_attribute( op, NULL, &op->o_req_ndn,
slap_schema.si_ad_entry, NULL, ACL_DISCLOSE );
if ( rs->sr_err == LDAP_INSUFFICIENT_ACCESS ) {
rs->sr_err = LDAP_NO_SUCH_OBJECT;
} else {
rs->sr_text = "attribute 'entryTtl' cannot have multiple values";
rs->sr_err = LDAP_CONSTRAINT_VIOLATION;
}
goto done;
}
rc = lutil_atoul( &uttl, mod->sml_values[ 0 ].bv_val );
ttl = (time_t)uttl;
assert( rc == 0 );
if ( ttl > DDS_RF2589_MAX_TTL ) {
rs->sr_err = LDAP_PROTOCOL_ERROR;
rs->sr_text = "invalid time-to-live for dynamicObject";
goto done;
}
if ( ttl <= 0 || ttl > di->di_max_ttl ) {
/* FIXME: I don't understand if this has to be an error,
* or an indication that the requested Ttl has been
* shortened to di->di_max_ttl >= 1 day */
rs->sr_err = LDAP_SIZELIMIT_EXCEEDED;
rs->sr_text = "time-to-live for dynamicObject exceeds administrative limit";
goto done;
}
entryTtl = ttl;
bv_entryTtl.bv_len = mod->sml_values[ 0 ].bv_len;
memcpy( bv_entryTtl.bv_val, mod->sml_values[ 0 ].bv_val, bv_entryTtl.bv_len );
bv_entryTtl.bv_val[ bv_entryTtl.bv_len ] = '\0';
break;
case LDAP_MOD_INCREMENT:
if ( BER_BVISEMPTY( &bv_entryTtl ) ) {
rs->sr_err = backend_attribute( op, NULL, &op->o_req_ndn,
slap_schema.si_ad_entry, NULL, ACL_DISCLOSE );
if ( rs->sr_err == LDAP_INSUFFICIENT_ACCESS ) {
rs->sr_err = LDAP_NO_SUCH_OBJECT;
} else {
rs->sr_err = LDAP_NO_SUCH_ATTRIBUTE;
rs->sr_text = "modify/increment: entryTtl: no such attribute";
}
goto done;
}
entryTtl++;
if ( entryTtl > DDS_RF2589_MAX_TTL ) {
rs->sr_err = LDAP_PROTOCOL_ERROR;
rs->sr_text = "invalid time-to-live for dynamicObject";
} else if ( entryTtl <= 0 || entryTtl > di->di_max_ttl ) {
/* FIXME: I don't understand if this has to be an error,
* or an indication that the requested Ttl has been
* shortened to di->di_max_ttl >= 1 day */
rs->sr_err = LDAP_SIZELIMIT_EXCEEDED;
rs->sr_text = "time-to-live for dynamicObject exceeds administrative limit";
}
if ( rs->sr_err != LDAP_SUCCESS ) {
rc = backend_attribute( op, NULL, &op->o_req_ndn,
slap_schema.si_ad_entry, NULL, ACL_DISCLOSE );
if ( rc == LDAP_INSUFFICIENT_ACCESS ) {
rs->sr_text = NULL;
rs->sr_err = LDAP_NO_SUCH_OBJECT;
}
goto done;
}
bv_entryTtl.bv_len = snprintf( textbuf, sizeof( textbuf ), "%ld", entryTtl );
break;
default:
LDAP_BUG();
break;
}
} else if ( mod->sml_desc == ad_entryExpireTimestamp ) {
/* should have been trapped earlier */
assert( mod->sml_flags & SLAP_MOD_INTERNAL );
}
}
done:;
if ( rs->sr_err == LDAP_SUCCESS ) {
int rc;
/* FIXME: this could be allowed when the Relax control is used...
* in that case:
*
* TODO
*
* static => dynamic:
* entryTtl must be provided; add
* entryExpireTimestamp accordingly
*
* dynamic => static:
* entryTtl must be removed; remove
* entryTimestamp accordingly
*
* ... but we need to make sure that there are no subordinate
* issues...
*/
rc = is_dynamicObject - was_dynamicObject;
if ( rc ) {
#if 0 /* fix subordinate issues first */
if ( get_relax( op ) ) {
switch ( rc ) {
case -1:
/* need to delete entryTtl to have a consistent entry */
if ( entryTtl != -1 ) {
rs->sr_text = "objectClass modification from dynamicObject to static entry requires entryTtl deletion";
rs->sr_err = LDAP_OBJECT_CLASS_VIOLATION;
}
break;
case 1:
/* need to add entryTtl to have a consistent entry */
if ( entryTtl <= 0 ) {
rs->sr_text = "objectClass modification from static entry to dynamicObject requires entryTtl addition";
rs->sr_err = LDAP_OBJECT_CLASS_VIOLATION;
}
break;
}
} else
#endif
{
switch ( rc ) {
case -1:
rs->sr_text = "objectClass modification cannot turn dynamicObject into static entry";
break;
case 1:
rs->sr_text = "objectClass modification cannot turn static entry into dynamicObject";
break;
}
rs->sr_err = LDAP_OBJECT_CLASS_VIOLATION;
}
if ( rc != LDAP_SUCCESS ) {
rc = backend_attribute( op, NULL, &op->o_req_ndn,
slap_schema.si_ad_entry, NULL, ACL_DISCLOSE );
if ( rc == LDAP_INSUFFICIENT_ACCESS ) {
rs->sr_text = NULL;
rs->sr_err = LDAP_NO_SUCH_OBJECT;
}
}
}
}
if ( rs->sr_err == LDAP_SUCCESS && entryTtl != 0 ) {
Modifications *tmpmod = NULL, **modp;
for ( modp = &op->orm_modlist; *modp; modp = &(*modp)->sml_next )
;
tmpmod = ch_calloc( 1, sizeof( Modifications ) );
tmpmod->sml_flags = SLAP_MOD_INTERNAL;
tmpmod->sml_type = ad_entryExpireTimestamp->ad_cname;
tmpmod->sml_desc = ad_entryExpireTimestamp;
*modp = tmpmod;
if ( entryTtl == -1 ) {
/* delete entryExpireTimestamp */
tmpmod->sml_op = LDAP_MOD_DELETE;
} else {
time_t expire;
char tsbuf[ LDAP_LUTIL_GENTIME_BUFSIZE ];
struct berval bv;
/* keep entryExpireTimestamp consistent
* with entryTtl */
expire = slap_get_time() + entryTtl;
bv.bv_val = tsbuf;
bv.bv_len = sizeof( tsbuf );
slap_timestamp( &expire, &bv );
tmpmod->sml_op = LDAP_MOD_REPLACE;
value_add_one( &tmpmod->sml_values, &bv );
value_add_one( &tmpmod->sml_nvalues, &bv );
tmpmod->sml_numvals = 1;
}
}
if ( rs->sr_err ) {
op->o_bd->bd_info = (BackendInfo *)on->on_info;
send_ldap_result( op, rs );
return rs->sr_err;
}
return SLAP_CB_CONTINUE;
}
