/* * meta_back_single_dobind */ int meta_back_single_dobind( Operation *op, SlapReply *rs, metaconn_t **mcp, int candidate, ldap_back_send_t sendok, int nretries, int dolock ) { metainfo_t *mi = ( metainfo_t * )op->o_bd->be_private; metatarget_t *mt = mi->mi_targets[ candidate ]; metaconn_t *mc = *mcp; metasingleconn_t *msc = &mc->mc_conns[ candidate ]; int msgid; assert( !LDAP_BACK_CONN_ISBOUND( msc ) ); /* NOTE: this obsoletes pseudorootdn */ if ( op->o_conn != NULL && !op->o_do_not_cache && ( BER_BVISNULL( &msc->msc_bound_ndn ) || BER_BVISEMPTY( &msc->msc_bound_ndn ) || ( LDAP_BACK_CONN_ISPRIV( mc ) && dn_match( &msc->msc_bound_ndn, &mt->mt_idassert_authcDN ) ) || ( mt->mt_idassert_flags & LDAP_BACK_AUTH_OVERRIDE ) ) ) { (void)meta_back_proxy_authz_bind( mc, candidate, op, rs, sendok, dolock ); } else { char *binddn = ""; struct berval cred = BER_BVC( "" ); /* use credentials if available */ if ( !BER_BVISNULL( &msc->msc_bound_ndn ) && !BER_BVISNULL( &msc->msc_cred ) ) { binddn = msc->msc_bound_ndn.bv_val; cred = msc->msc_cred; } /* FIXME: should we check if at least some of the op->o_ctrls * can/should be passed? */ if(!dolock) { ldap_pvt_thread_mutex_unlock( &mi->mi_conninfo.lai_mutex ); } for (;;) { rs->sr_err = ldap_sasl_bind( msc->msc_ld, binddn, LDAP_SASL_SIMPLE, &cred, NULL, NULL, &msgid ); if ( rs->sr_err != LDAP_X_CONNECTING ) { break; } ldap_pvt_thread_yield(); } if(!dolock) { ldap_pvt_thread_mutex_lock( &mi->mi_conninfo.lai_mutex ); } rs->sr_err = meta_back_bind_op_result( op, rs, mc, candidate, msgid, sendok, dolock ); /* if bind succeeded, but anonymous, clear msc_bound_ndn */ if ( rs->sr_err != LDAP_SUCCESS || binddn[0] == '\0' ) { if ( !BER_BVISNULL( &msc->msc_bound_ndn ) ) { ber_memfree( msc->msc_bound_ndn.bv_val ); BER_BVZERO( &msc->msc_bound_ndn ); } if ( !BER_BVISNULL( &msc->msc_cred ) ) { memset( msc->msc_cred.bv_val, 0, msc->msc_cred.bv_len ); ber_memfree( msc->msc_cred.bv_val ); BER_BVZERO( &msc->msc_cred ); } } } if ( rs->sr_err != LDAP_SUCCESS ) { if ( dolock ) { ldap_pvt_thread_mutex_lock( &mi->mi_conninfo.lai_mutex ); } LDAP_BACK_CONN_BINDING_CLEAR( msc ); if ( META_BACK_ONERR_STOP( mi ) ) { LDAP_BACK_CONN_TAINTED_SET( mc ); meta_back_release_conn_lock( mi, mc, 0 ); *mcp = NULL; } if ( dolock ) { ldap_pvt_thread_mutex_unlock( &mi->mi_conninfo.lai_mutex ); } } if ( META_BACK_TGT_QUARANTINE( mt ) ) { meta_back_quarantine( op, rs, candidate ); } return rs->sr_err; }
meta_search_candidate_t asyncmeta_dobind_init_with_retry(Operation *op, SlapReply *rs, bm_context_t *bc, a_metaconn_t *mc, int candidate) { int rc, retries = 1; a_metasingleconn_t *msc = &mc->mc_conns[candidate]; a_metainfo_t *mi = mc->mc_info; a_metatarget_t *mt = mi->mi_targets[ candidate ]; SlapReply *candidates = bc->candidates; retry_dobind: rc = asyncmeta_dobind_init(op, rs, bc, mc, candidate); if (rs->sr_err != LDAP_UNAVAILABLE) { return rc; } else if (retries <= 0) { ldap_pvt_thread_mutex_lock( &mc->mc_om_mutex ); if (mc->mc_active < 1) { asyncmeta_clear_one_msc(NULL, mc, candidate); } ldap_pvt_thread_mutex_unlock( &mc->mc_om_mutex ); return rc; } /* need to retry */ retries--; if ( LogTest( LDAP_DEBUG_ANY ) ) { char buf[ SLAP_TEXT_BUFLEN ]; /* this lock is required; however, * it's invoked only when logging is on */ ldap_pvt_thread_mutex_lock( &mt->mt_uri_mutex ); snprintf( buf, sizeof( buf ), "retrying URI=\"%s\" DN=\"%s\"", mt->mt_uri, BER_BVISNULL( &msc->msc_bound_ndn ) ? "" : msc->msc_bound_ndn.bv_val ); ldap_pvt_thread_mutex_unlock( &mt->mt_uri_mutex ); Debug( LDAP_DEBUG_ANY, "%s asyncmeta_search_dobind_init_with_retry[%d]: %s.\n", op->o_log_prefix, candidate, buf ); } ldap_pvt_thread_mutex_lock( &mc->mc_om_mutex ); if (mc->mc_active < 1) { asyncmeta_clear_one_msc(NULL, mc, candidate); } ldap_pvt_thread_mutex_unlock( &mc->mc_om_mutex ); ( void )rewrite_session_delete( mt->mt_rwmap.rwm_rw, op->o_conn ); rc = asyncmeta_init_one_conn( op, rs, mc, candidate, LDAP_BACK_CONN_ISPRIV( mc ), LDAP_BACK_DONTSEND, 0 ); if (rs->sr_err != LDAP_SUCCESS) { ldap_pvt_thread_mutex_lock( &mc->mc_om_mutex ); if (mc->mc_active < 1) { asyncmeta_clear_one_msc(NULL, mc, candidate); } ldap_pvt_thread_mutex_unlock( &mc->mc_om_mutex ); return META_SEARCH_ERR; } goto retry_dobind; return rc; }
/* * asyncmeta_back_single_dobind */ int asyncmeta_back_single_dobind( Operation *op, SlapReply *rs, a_metaconn_t **mcp, int candidate, ldap_back_send_t sendok, int nretries, int dolock ) { a_metaconn_t *mc = *mcp; a_metainfo_t *mi = mc->mc_info; a_metatarget_t *mt = mi->mi_targets[ candidate ]; a_metasingleconn_t *msc = &mc->mc_conns[ candidate ]; int msgid; assert( !LDAP_BACK_CONN_ISBOUND( msc ) ); if ( op->o_conn != NULL && !op->o_do_not_cache && ( BER_BVISNULL( &msc->msc_bound_ndn ) || BER_BVISEMPTY( &msc->msc_bound_ndn ) || ( LDAP_BACK_CONN_ISPRIV( mc ) && dn_match( &msc->msc_bound_ndn, &mt->mt_idassert_authcDN ) ) || ( mt->mt_idassert_flags & LDAP_BACK_AUTH_OVERRIDE ) ) ) { (void)asyncmeta_proxy_authz_bind( mc, candidate, op, rs, sendok, dolock ); } else { char *binddn = ""; struct berval cred = BER_BVC( "" ); /* use credentials if available */ if ( !BER_BVISNULL( &msc->msc_bound_ndn ) && !BER_BVISNULL( &msc->msc_cred ) ) { binddn = msc->msc_bound_ndn.bv_val; cred = msc->msc_cred; } for (;;) { rs->sr_err = ldap_sasl_bind( msc->msc_ld, binddn, LDAP_SASL_SIMPLE, &cred, NULL, NULL, &msgid ); if ( rs->sr_err != LDAP_X_CONNECTING ) { break; } ldap_pvt_thread_yield(); } rs->sr_err = asyncmeta_bind_op_result( op, rs, mc, candidate, msgid, sendok, dolock ); /* if bind succeeded, but anonymous, clear msc_bound_ndn */ if ( rs->sr_err != LDAP_SUCCESS || binddn[0] == '\0' ) { if ( !BER_BVISNULL( &msc->msc_bound_ndn ) ) { ber_memfree( msc->msc_bound_ndn.bv_val ); BER_BVZERO( &msc->msc_bound_ndn ); } if ( !BER_BVISNULL( &msc->msc_cred ) ) { memset( msc->msc_cred.bv_val, 0, msc->msc_cred.bv_len ); ber_memfree( msc->msc_cred.bv_val ); BER_BVZERO( &msc->msc_cred ); } } } if ( META_BACK_TGT_QUARANTINE( mt ) ) { asyncmeta_quarantine( op, mi, rs, candidate ); } return rs->sr_err; }
/* * asyncmeta_dobind_init() * * initiates bind for a candidate target */ meta_search_candidate_t asyncmeta_dobind_init(Operation *op, SlapReply *rs, bm_context_t *bc, a_metaconn_t *mc, int candidate) { SlapReply *candidates = bc->candidates; a_metainfo_t *mi = ( a_metainfo_t * )mc->mc_info; a_metatarget_t *mt = mi->mi_targets[ candidate ]; a_metasingleconn_t *msc = &mc->mc_conns[ candidate ]; ber_socket_t s; struct berval binddn = msc->msc_bound_ndn, cred = msc->msc_cred; int method; int rc; ber_int_t msgid; meta_search_candidate_t retcode; Debug( LDAP_DEBUG_TRACE, "%s >>> asyncmeta_search_dobind_init[%d]\n", op->o_log_prefix, candidate, 0 ); if ( mc->mc_authz_target == META_BOUND_ALL ) { return META_SEARCH_CANDIDATE; } retcode = META_SEARCH_BINDING; if ( LDAP_BACK_CONN_ISBOUND( msc ) || LDAP_BACK_CONN_ISANON( msc ) ) { /* already bound (or anonymous) */ #ifdef DEBUG_205 char buf[ SLAP_TEXT_BUFLEN ] = { '\0' }; int bound = 0; if ( LDAP_BACK_CONN_ISBOUND( msc ) ) { bound = 1; } snprintf( buf, sizeof( buf ), " mc=%p ld=%p%s DN=\"%s\"", (void *)mc, (void *)msc->msc_ld, bound ? " bound" : " anonymous", bound == 0 ? "" : msc->msc_bound_ndn.bv_val ); Debug( LDAP_DEBUG_ANY, "### %s asyncmeta_search_dobind_init[%d]%s\n", op->o_log_prefix, candidate, buf ); #endif /* DEBUG_205 */ retcode = META_SEARCH_CANDIDATE; } else if ( META_BACK_CONN_CREATING( msc ) || LDAP_BACK_CONN_BINDING( msc ) ) { /* another thread is binding the target for this conn; wait */ #ifdef DEBUG_205 char buf[ SLAP_TEXT_BUFLEN ] = { '\0' }; snprintf( buf, sizeof( buf ), " mc=%p ld=%p needbind", (void *)mc, (void *)msc->msc_ld ); Debug( LDAP_DEBUG_ANY, "### %s asyncmeta_search_dobind_init[%d]%s\n", op->o_log_prefix, candidate, buf ); #endif /* DEBUG_205 */ candidates[ candidate ].sr_msgid = META_MSGID_NEED_BIND; retcode = META_SEARCH_NEED_BIND; } else { /* we'll need to bind the target for this conn */ #ifdef DEBUG_205 char buf[ SLAP_TEXT_BUFLEN ]; snprintf( buf, sizeof( buf ), " mc=%p ld=%p binding", (void *)mc, (void *)msc->msc_ld ); Debug( LDAP_DEBUG_ANY, "### %s asyncmeta_search_dobind_init[%d]%s\n", op->o_log_prefix, candidate, buf ); #endif /* DEBUG_205 */ if ( msc->msc_ld == NULL ) { /* for some reason (e.g. because formerly in "binding" * state, with eventual connection expiration or invalidation) * it was not initialized as expected */ Debug( LDAP_DEBUG_ANY, "%s asyncmeta_search_dobind_init[%d] mc=%p ld=NULL\n", op->o_log_prefix, candidate, (void *)mc ); rc = asyncmeta_init_one_conn( op, rs, mc, candidate, LDAP_BACK_CONN_ISPRIV( mc ), LDAP_BACK_DONTSEND, 0 ); switch ( rc ) { case LDAP_SUCCESS: assert( msc->msc_ld != NULL ); break; case LDAP_SERVER_DOWN: case LDAP_UNAVAILABLE: goto down; default: goto other; } } LDAP_BACK_CONN_BINDING_SET( msc ); } if ( retcode != META_SEARCH_BINDING ) { return retcode; } if ( op->o_conn != NULL && !op->o_do_not_cache && ( BER_BVISNULL( &msc->msc_bound_ndn ) || BER_BVISEMPTY( &msc->msc_bound_ndn ) || ( mt->mt_idassert_flags & LDAP_BACK_AUTH_OVERRIDE ) ) ) { rc = asyncmeta_back_proxy_authz_cred( mc, candidate, op, rs, LDAP_BACK_DONTSEND, &binddn, &cred, &method ); switch ( rc ) { case LDAP_SUCCESS: break; case LDAP_UNAVAILABLE: goto down; default: goto other; } /* NOTE: we copy things here, even if bind didn't succeed yet, * because the connection is not shared until bind is over */ if ( !BER_BVISNULL( &binddn ) ) { ldap_pvt_thread_mutex_lock(&mc->mc_om_mutex); ber_bvreplace( &msc->msc_bound_ndn, &binddn ); if ( META_BACK_TGT_SAVECRED( mt ) && !BER_BVISNULL( &cred ) ) { if ( !BER_BVISNULL( &msc->msc_cred ) ) { memset( msc->msc_cred.bv_val, 0, msc->msc_cred.bv_len ); } ber_bvreplace( &msc->msc_cred, &cred ); } ldap_pvt_thread_mutex_unlock(&mc->mc_om_mutex); } if ( LDAP_BACK_CONN_ISBOUND( msc ) ) { /* apparently, idassert was configured with SASL bind, * so bind occurred inside meta_back_proxy_authz_cred() */ LDAP_BACK_CONN_BINDING_CLEAR( msc ); return META_SEARCH_CANDIDATE; } /* paranoid */ switch ( method ) { case LDAP_AUTH_NONE: case LDAP_AUTH_SIMPLE: /* do a simple bind with binddn, cred */ break; default: assert( 0 ); break; } } assert( msc->msc_ld != NULL ); if ( !BER_BVISEMPTY( &binddn ) && BER_BVISEMPTY( &cred ) ) { /* bind anonymously? */ Debug( LDAP_DEBUG_ANY, "%s asyncmeta_search_dobind_init[%d] mc=%p: " "non-empty dn with empty cred; binding anonymously\n", op->o_log_prefix, candidate, (void *)mc ); cred = slap_empty_bv; } else if ( BER_BVISEMPTY( &binddn ) && !BER_BVISEMPTY( &cred ) ) { /* error */ Debug( LDAP_DEBUG_ANY, "%s asyncmeta_search_dobind_init[%d] mc=%p: " "empty dn with non-empty cred: error\n", op->o_log_prefix, candidate, (void *)mc ); rc = LDAP_OTHER; goto other; } retry_bind: rc = ldap_sasl_bind( msc->msc_ld, binddn.bv_val, LDAP_SASL_SIMPLE, &cred, NULL, NULL, &msgid ); ldap_get_option( msc->msc_ld, LDAP_OPT_RESULT_CODE, &rc ); if (rc == LDAP_SERVER_DOWN ) { goto down; } candidates[ candidate ].sr_msgid = msgid; asyncmeta_set_msc_time(msc); #ifdef DEBUG_205 { char buf[ SLAP_TEXT_BUFLEN ]; snprintf( buf, sizeof( buf ), "asyncmeta_search_dobind_init[%d] mc=%p ld=%p rc=%d", candidate, (void *)mc, (void *)mc->mc_conns[ candidate ].msc_ld, rc ); Debug( LDAP_DEBUG_ANY, "### %s %s\n", op->o_log_prefix, buf, 0 ); } #endif /* DEBUG_205 */ switch ( rc ) { case LDAP_SUCCESS: assert( msgid >= 0 ); META_BINDING_SET( &candidates[ candidate ] ); rs->sr_err = LDAP_SUCCESS; return META_SEARCH_BINDING; case LDAP_X_CONNECTING: /* must retry, same conn */ candidates[ candidate ].sr_msgid = META_MSGID_CONNECTING; LDAP_BACK_CONN_BINDING_CLEAR( msc ); goto retry_bind; case LDAP_SERVER_DOWN: down:; retcode = META_SEARCH_ERR; rs->sr_err = LDAP_UNAVAILABLE; candidates[ candidate ].sr_msgid = META_MSGID_IGNORE; break; /* fall thru */ default: other:; rs->sr_err = rc; rc = slap_map_api2result( rs ); candidates[ candidate ].sr_err = rc; if ( META_BACK_ONERR_STOP( mi ) ) { retcode = META_SEARCH_ERR; } else { retcode = META_SEARCH_NOT_CANDIDATE; } candidates[ candidate ].sr_msgid = META_MSGID_IGNORE; break; } return retcode; }