/* * sets the supported operational attributes (if required) */ int wt_operational( Operation *op, SlapReply *rs ) { Attribute **ap; assert( rs->sr_entry != NULL ); for ( ap = &rs->sr_operational_attrs; *ap; ap = &(*ap)->a_next ) { if ( (*ap)->a_desc == slap_schema.si_ad_hasSubordinates ) { break; } } if ( *ap == NULL && attr_find( rs->sr_entry->e_attrs, slap_schema.si_ad_hasSubordinates ) == NULL && ( SLAP_OPATTRS( rs->sr_attr_flags ) || ad_inlist( slap_schema.si_ad_hasSubordinates, rs->sr_attrs ) ) ) { int hasSubordinates, rc; rc = wt_hasSubordinates( op, rs->sr_entry, &hasSubordinates ); if ( rc == LDAP_SUCCESS ) { *ap = slap_operational_hasSubordinate( hasSubordinates == LDAP_COMPARE_TRUE ); assert( *ap != NULL ); ap = &(*ap)->a_next; } } return LDAP_SUCCESS; }
int monitor_back_operational( Operation *op, SlapReply *rs ) { Attribute **ap; assert( rs->sr_entry != NULL ); for ( ap = &rs->sr_operational_attrs; *ap; ap = &(*ap)->a_next ) { if ( (*ap)->a_desc == slap_schema.si_ad_hasSubordinates ) { break; } } if ( *ap == NULL && attr_find( rs->sr_entry->e_attrs, slap_schema.si_ad_hasSubordinates ) == NULL && ( SLAP_OPATTRS( rs->sr_attr_flags ) || ad_inlist( slap_schema.si_ad_hasSubordinates, rs->sr_attrs ) ) ) { int hs; monitor_entry_t *mp; mp = ( monitor_entry_t * )rs->sr_entry->e_private; assert( mp != NULL ); hs = MONITOR_HAS_CHILDREN( mp ); *ap = slap_operational_hasSubordinate( hs ); assert( *ap != NULL ); ap = &(*ap)->a_next; } return LDAP_SUCCESS; }
static int usn_operational( Operation *op, SlapReply *rs ) { slap_overinst *on = (slap_overinst *)op->o_bd->bd_info; usn_info_t *ui = (usn_info_t *)on->on_bi.bi_private; if ( rs->sr_entry && dn_match( &rs->sr_entry->e_nname, op->o_bd->be_nsuffix )) { if ( SLAP_OPATTRS( rs->sr_attr_flags ) || ad_inlist( ad_usnChanged, rs->sr_attrs )) { Attribute *a, **ap = NULL; char intbuf[64]; struct berval bv; int my_usn; for ( a=rs->sr_entry->e_attrs; a; a=a->a_next ) { if ( a->a_desc == ad_usnChanged ) break; } if ( !a ) { for ( ap = &rs->sr_operational_attrs; *ap; ap=&(*ap)->a_next ); a = attr_alloc( ad_usnChanged ); *ap = a; } if ( !ap ) { if ( rs_entry2modifiable( op,rs, on )) { a = attr_find( rs->sr_entry->e_attrs, ad_usnChanged ); } ber_bvarray_free( a->a_vals ); a->a_vals = NULL; a->a_numvals = 0; } ldap_pvt_thread_mutex_lock( &ui->ui_mutex ); my_usn = ui->ui_current; ldap_pvt_thread_mutex_unlock( &ui->ui_mutex ); bv.bv_len = snprintf( intbuf, sizeof(intbuf), "%d", my_usn ); bv.bv_val = intbuf; attr_valadd( a, &bv, NULL, 1 ); } } return SLAP_CB_CONTINUE; }
static int slapi_over_compute_output( computed_attr_context *c, Slapi_Attr *attribute, Slapi_Entry *entry ) { Attribute **a; AttributeDescription *desc; SlapReply *rs; if ( c == NULL || attribute == NULL || entry == NULL ) { return 0; } rs = (SlapReply *)c->cac_private; assert( rs->sr_entry == entry ); desc = attribute->a_desc; if ( rs->sr_attrs == NULL ) { /* All attrs request, skip operational attributes */ if ( is_at_operational( desc->ad_type ) ) { return 0; } } else { /* Specific attributes requested */ if ( is_at_operational( desc->ad_type ) ) { if ( !SLAP_OPATTRS( rs->sr_attr_flags ) && !ad_inlist( desc, rs->sr_attrs ) ) { return 0; } } else { if ( !SLAP_USERATTRS( rs->sr_attr_flags ) && !ad_inlist( desc, rs->sr_attrs ) ) { return 0; } } } /* XXX perhaps we should check for existing attributes and merge */ for ( a = &rs->sr_operational_attrs; *a != NULL; a = &(*a)->a_next ) ; *a = slapi_attr_dup( attribute ); return 0; }
static int aa_operational( Operation *op, SlapReply *rs ) { Attribute *a, **ap; AccessControlState acl_state = ACL_STATE_INIT; struct berval *v; AttributeType **atp = NULL; ObjectClass **ocp = NULL; #define GOT_NONE (0x0U) #define GOT_C (0x1U) #define GOT_CE (0x2U) #define GOT_A (0x4U) #define GOT_AE (0x8U) #define GOT_ALL (GOT_C|GOT_CE|GOT_A|GOT_AE) int got = GOT_NONE; /* only add if requested */ if ( SLAP_OPATTRS( rs->sr_attr_flags ) ) { got = GOT_ALL; } else { if ( ad_inlist( ad_allowedChildClasses, rs->sr_attrs ) ) { got |= GOT_C; } if ( ad_inlist( ad_allowedChildClassesEffective, rs->sr_attrs ) ) { got |= GOT_CE; } if ( ad_inlist( ad_allowedAttributes, rs->sr_attrs ) ) { got |= GOT_A; } if ( ad_inlist( ad_allowedAttributesEffective, rs->sr_attrs ) ) { got |= GOT_AE; } } if ( got == GOT_NONE ) { return SLAP_CB_CONTINUE; } /* shouldn't be called without an entry; please check */ assert( rs->sr_entry != NULL ); for ( ap = &rs->sr_operational_attrs; *ap != NULL; ap = &(*ap)->a_next ) /* go to last */ ; /* see caveats; this is not guaranteed for all backends */ a = attr_find( rs->sr_entry->e_attrs, slap_schema.si_ad_objectClass ); if ( a == NULL ) { goto do_oc; } /* if client has no access to objectClass attribute; don't compute */ if ( !access_allowed( op, rs->sr_entry, slap_schema.si_ad_objectClass, NULL, ACL_READ, &acl_state ) ) { return SLAP_CB_CONTINUE; } for ( v = a->a_nvals; !BER_BVISNULL( v ); v++ ) { ObjectClass *oc = oc_bvfind( v ); assert( oc != NULL ); /* if client has no access to specific value, don't compute */ if ( !access_allowed( op, rs->sr_entry, slap_schema.si_ad_objectClass, &oc->soc_cname, ACL_READ, &acl_state ) ) { continue; } aa_add_oc( oc, &ocp, &atp ); if ( oc->soc_sups ) { int i; for ( i = 0; oc->soc_sups[ i ] != NULL; i++ ) { aa_add_oc( oc->soc_sups[ i ], &ocp, &atp ); } } } ch_free( ocp ); if ( atp != NULL ) { BerVarray bv_allowed = NULL, bv_effective = NULL; int i, ja = 0, je = 0; for ( i = 0; atp[ i ] != NULL; i++ ) /* just count */ ; if ( got & GOT_A ) { bv_allowed = ber_memalloc( sizeof( struct berval ) * ( i + 1 ) ); } if ( got & GOT_AE ) { bv_effective = ber_memalloc( sizeof( struct berval ) * ( i + 1 ) ); } for ( i = 0, ja = 0, je = 0; atp[ i ] != NULL; i++ ) { if ( got & GOT_A ) { ber_dupbv( &bv_allowed[ ja ], &atp[ i ]->sat_cname ); ja++; } if ( got & GOT_AE ) { AttributeDescription *ad = NULL; const char *text = NULL; if ( slap_bv2ad( &atp[ i ]->sat_cname, &ad, &text ) ) { /* log? */ continue; } if ( access_allowed( op, rs->sr_entry, ad, NULL, ACL_WRITE, NULL ) ) { ber_dupbv( &bv_effective[ je ], &atp[ i ]->sat_cname ); je++; } } } ch_free( atp ); if ( ( got & GOT_A ) && ja > 0 ) { BER_BVZERO( &bv_allowed[ ja ] ); *ap = attr_alloc( ad_allowedAttributes ); (*ap)->a_vals = bv_allowed; (*ap)->a_nvals = bv_allowed; (*ap)->a_numvals = ja; ap = &(*ap)->a_next; } if ( ( got & GOT_AE ) && je > 0 ) { BER_BVZERO( &bv_effective[ je ] ); *ap = attr_alloc( ad_allowedAttributesEffective ); (*ap)->a_vals = bv_effective; (*ap)->a_nvals = bv_effective; (*ap)->a_numvals = je; ap = &(*ap)->a_next; } *ap = NULL; } do_oc:; if ( ( got & GOT_C ) || ( got & GOT_CE ) ) { BerVarray bv_allowed = NULL, bv_effective = NULL; int i, ja = 0, je = 0; ObjectClass *oc; for ( oc_start( &oc ); oc != NULL; oc_next( &oc ) ) { /* we can only add AUXILIARY objectClasses */ if ( oc->soc_kind != LDAP_SCHEMA_AUXILIARY ) { continue; } i++; } if ( got & GOT_C ) { bv_allowed = ber_memalloc( sizeof( struct berval ) * ( i + 1 ) ); } if ( got & GOT_CE ) { bv_effective = ber_memalloc( sizeof( struct berval ) * ( i + 1 ) ); } for ( oc_start( &oc ); oc != NULL; oc_next( &oc ) ) { /* we can only add AUXILIARY objectClasses */ if ( oc->soc_kind != LDAP_SCHEMA_AUXILIARY ) { continue; } if ( got & GOT_C ) { ber_dupbv( &bv_allowed[ ja ], &oc->soc_cname ); ja++; } if ( got & GOT_CE ) { if ( !access_allowed( op, rs->sr_entry, slap_schema.si_ad_objectClass, &oc->soc_cname, ACL_WRITE, NULL ) ) { goto done_ce; } if ( oc->soc_required ) { for ( i = 0; oc->soc_required[ i ] != NULL; i++ ) { AttributeDescription *ad = NULL; const char *text = NULL; if ( slap_bv2ad( &oc->soc_required[ i ]->sat_cname, &ad, &text ) ) { /* log? */ continue; } if ( !access_allowed( op, rs->sr_entry, ad, NULL, ACL_WRITE, NULL ) ) { goto done_ce; } } } ber_dupbv( &bv_effective[ je ], &oc->soc_cname ); je++; } done_ce:; } if ( ( got & GOT_C ) && ja > 0 ) { BER_BVZERO( &bv_allowed[ ja ] ); *ap = attr_alloc( ad_allowedChildClasses ); (*ap)->a_vals = bv_allowed; (*ap)->a_nvals = bv_allowed; (*ap)->a_numvals = ja; ap = &(*ap)->a_next; } if ( ( got & GOT_CE ) && je > 0 ) { BER_BVZERO( &bv_effective[ je ] ); *ap = attr_alloc( ad_allowedChildClassesEffective ); (*ap)->a_vals = bv_effective; (*ap)->a_nvals = bv_effective; (*ap)->a_numvals = je; ap = &(*ap)->a_next; } *ap = NULL; } return SLAP_CB_CONTINUE; }
static int dynlist_prepare_entry( Operation *op, SlapReply *rs, dynlist_info_t *dli ) { Attribute *a, *id = NULL; slap_callback cb = { 0 }; Operation o = *op; struct berval *url; Entry *e; int opattrs, userattrs; dynlist_sc_t dlc = { 0 }; dynlist_map_t *dlm; a = attrs_find( rs->sr_entry->e_attrs, dli->dli_ad ); if ( a == NULL ) { /* FIXME: error? */ return SLAP_CB_CONTINUE; } opattrs = SLAP_OPATTRS( rs->sr_attr_flags ); userattrs = SLAP_USERATTRS( rs->sr_attr_flags ); /* Don't generate member list if it wasn't requested */ for ( dlm = dli->dli_dlm; dlm; dlm = dlm->dlm_next ) { AttributeDescription *ad = dlm->dlm_mapped_ad ? dlm->dlm_mapped_ad : dlm->dlm_member_ad; if ( userattrs || ad_inlist( ad, rs->sr_attrs ) ) break; } if ( dli->dli_dlm && !dlm ) return SLAP_CB_CONTINUE; if ( ad_dgIdentity && ( id = attrs_find( rs->sr_entry->e_attrs, ad_dgIdentity ))) { Attribute *authz = NULL; /* if not rootdn and dgAuthz is present, * check if user can be authorized as dgIdentity */ if ( ad_dgAuthz && !BER_BVISEMPTY( &id->a_nvals[0] ) && !be_isroot( op ) && ( authz = attrs_find( rs->sr_entry->e_attrs, ad_dgAuthz ) ) ) { if ( slap_sasl_matches( op, authz->a_nvals, &o.o_ndn, &o.o_ndn ) != LDAP_SUCCESS ) { return SLAP_CB_CONTINUE; } } o.o_dn = id->a_vals[0]; o.o_ndn = id->a_nvals[0]; o.o_groups = NULL; } e = rs->sr_entry; /* ensure e is modifiable, but do not replace * sr_entry yet since we have pointers into it */ if ( !( rs->sr_flags & REP_ENTRY_MODIFIABLE ) ) { e = entry_dup( rs->sr_entry ); } dlc.dlc_e = e; dlc.dlc_dli = dli; cb.sc_private = &dlc; cb.sc_response = dynlist_sc_update; o.o_callback = &cb; o.ors_deref = LDAP_DEREF_NEVER; o.ors_limit = NULL; o.ors_tlimit = SLAP_NO_LIMIT; o.ors_slimit = SLAP_NO_LIMIT; for ( url = a->a_nvals; !BER_BVISNULL( url ); url++ ) { LDAPURLDesc *lud = NULL; int i, j; struct berval dn; int rc; BER_BVZERO( &o.o_req_dn ); BER_BVZERO( &o.o_req_ndn ); o.ors_filter = NULL; o.ors_attrs = NULL; BER_BVZERO( &o.ors_filterstr ); if ( ldap_url_parse( url->bv_val, &lud ) != LDAP_URL_SUCCESS ) { /* FIXME: error? */ continue; } if ( lud->lud_host != NULL ) { /* FIXME: host not allowed; reject as illegal? */ Debug( LDAP_DEBUG_ANY, "dynlist_prepare_entry(\"%s\"): " "illegal URI \"%s\"\n", e->e_name.bv_val, url->bv_val, 0 ); goto cleanup; } if ( lud->lud_dn == NULL ) { /* note that an empty base is not honored in terms * of defaultSearchBase, because select_backend() * is not aware of the defaultSearchBase option; * this can be useful in case of a database serving * the empty suffix */ BER_BVSTR( &dn, "" ); } else { ber_str2bv( lud->lud_dn, 0, 0, &dn ); } rc = dnPrettyNormal( NULL, &dn, &o.o_req_dn, &o.o_req_ndn, op->o_tmpmemctx ); if ( rc != LDAP_SUCCESS ) { /* FIXME: error? */ goto cleanup; } o.ors_scope = lud->lud_scope; for ( dlm = dli->dli_dlm; dlm; dlm = dlm->dlm_next ) { if ( dlm->dlm_mapped_ad != NULL ) { break; } } if ( dli->dli_dlm && !dlm ) { /* if ( lud->lud_attrs != NULL ), * the URL should be ignored */ o.ors_attrs = slap_anlist_no_attrs; } else if ( lud->lud_attrs == NULL ) { o.ors_attrs = rs->sr_attrs; } else { for ( i = 0; lud->lud_attrs[i]; i++) /* just count */ ; o.ors_attrs = op->o_tmpcalloc( i + 1, sizeof( AttributeName ), op->o_tmpmemctx ); for ( i = 0, j = 0; lud->lud_attrs[i]; i++) { const char *text = NULL; ber_str2bv( lud->lud_attrs[i], 0, 0, &o.ors_attrs[j].an_name ); o.ors_attrs[j].an_desc = NULL; (void)slap_bv2ad( &o.ors_attrs[j].an_name, &o.ors_attrs[j].an_desc, &text ); /* FIXME: ignore errors... */ if ( rs->sr_attrs == NULL ) { if ( o.ors_attrs[j].an_desc != NULL && is_at_operational( o.ors_attrs[j].an_desc->ad_type ) ) { continue; } } else { if ( o.ors_attrs[j].an_desc != NULL && is_at_operational( o.ors_attrs[j].an_desc->ad_type ) ) { if ( !opattrs ) { continue; } if ( !ad_inlist( o.ors_attrs[j].an_desc, rs->sr_attrs ) ) { /* lookup if mapped -- linear search, * not very efficient unless list * is very short */ for ( dlm = dli->dli_dlm; dlm; dlm = dlm->dlm_next ) { if ( dlm->dlm_member_ad == o.ors_attrs[j].an_desc ) { break; } } if ( dlm == NULL ) { continue; } } } else { if ( !userattrs && o.ors_attrs[j].an_desc != NULL && !ad_inlist( o.ors_attrs[j].an_desc, rs->sr_attrs ) ) { /* lookup if mapped -- linear search, * not very efficient unless list * is very short */ for ( dlm = dli->dli_dlm; dlm; dlm = dlm->dlm_next ) { if ( dlm->dlm_member_ad == o.ors_attrs[j].an_desc ) { break; } } if ( dlm == NULL ) { continue; } } } } j++; } if ( j == 0 ) { goto cleanup; } BER_BVZERO( &o.ors_attrs[j].an_name ); } if ( lud->lud_filter == NULL ) { ber_dupbv_x( &o.ors_filterstr, &dli->dli_default_filter, op->o_tmpmemctx ); } else { struct berval flt; ber_str2bv( lud->lud_filter, 0, 0, &flt ); if ( dynlist_make_filter( op, rs->sr_entry, url->bv_val, &flt, &o.ors_filterstr ) ) { /* error */ goto cleanup; } } o.ors_filter = str2filter_x( op, o.ors_filterstr.bv_val ); if ( o.ors_filter == NULL ) { goto cleanup; } o.o_bd = select_backend( &o.o_req_ndn, 1 ); if ( o.o_bd && o.o_bd->be_search ) { SlapReply r = { REP_SEARCH }; r.sr_attr_flags = slap_attr_flags( o.ors_attrs ); (void)o.o_bd->be_search( &o, &r ); } cleanup:; if ( id ) { slap_op_groups_free( &o ); } if ( o.ors_filter ) { filter_free_x( &o, o.ors_filter, 1 ); } if ( o.ors_attrs && o.ors_attrs != rs->sr_attrs && o.ors_attrs != slap_anlist_no_attrs ) { op->o_tmpfree( o.ors_attrs, op->o_tmpmemctx ); } if ( !BER_BVISNULL( &o.o_req_dn ) ) { op->o_tmpfree( o.o_req_dn.bv_val, op->o_tmpmemctx ); } if ( !BER_BVISNULL( &o.o_req_ndn ) ) { op->o_tmpfree( o.o_req_ndn.bv_val, op->o_tmpmemctx ); } assert( BER_BVISNULL( &o.ors_filterstr ) || o.ors_filterstr.bv_val != lud->lud_filter ); op->o_tmpfree( o.ors_filterstr.bv_val, op->o_tmpmemctx ); ldap_free_urldesc( lud ); } if ( e != rs->sr_entry ) { rs_replace_entry( op, rs, (slap_overinst *)op->o_bd->bd_info, e ); rs->sr_flags |= REP_ENTRY_MODIFIABLE | REP_ENTRY_MUSTBEFREED; } return SLAP_CB_CONTINUE; }
static int dynlist_sc_update( Operation *op, SlapReply *rs ) { Entry *e; Attribute *a; int opattrs, userattrs; AccessControlState acl_state = ACL_STATE_INIT; dynlist_sc_t *dlc; dynlist_map_t *dlm; if ( rs->sr_type != REP_SEARCH ) { return 0; } dlc = (dynlist_sc_t *)op->o_callback->sc_private; e = dlc->dlc_e; assert( e != NULL ); assert( rs->sr_entry != NULL ); /* test access to entry */ if ( !access_allowed( op, rs->sr_entry, slap_schema.si_ad_entry, NULL, ACL_READ, NULL ) ) { goto done; } /* if there is only one member_ad, and it's not mapped, * consider it as old-style member listing */ dlm = dlc->dlc_dli->dli_dlm; if ( dlm && dlm->dlm_mapped_ad == NULL && dlm->dlm_next == NULL ) { /* if access allowed, try to add values, emulating permissive * control to silently ignore duplicates */ if ( access_allowed( op, rs->sr_entry, slap_schema.si_ad_entry, NULL, ACL_READ, NULL ) ) { Modification mod; const char *text = NULL; char textbuf[1024]; struct berval vals[ 2 ], nvals[ 2 ]; vals[ 0 ] = rs->sr_entry->e_name; BER_BVZERO( &vals[ 1 ] ); nvals[ 0 ] = rs->sr_entry->e_nname; BER_BVZERO( &nvals[ 1 ] ); mod.sm_op = LDAP_MOD_ADD; mod.sm_desc = dlm->dlm_member_ad; mod.sm_type = dlm->dlm_member_ad->ad_cname; mod.sm_values = vals; mod.sm_nvalues = nvals; mod.sm_numvals = 1; (void)modify_add_values( e, &mod, /* permissive */ 1, &text, textbuf, sizeof( textbuf ) ); } goto done; } opattrs = SLAP_OPATTRS( rs->sr_attr_flags ); userattrs = SLAP_USERATTRS( rs->sr_attr_flags ); for ( a = rs->sr_entry->e_attrs; a != NULL; a = a->a_next ) { BerVarray vals, nvals = NULL; int i, j, is_oc = a->a_desc == slap_schema.si_ad_objectClass; /* if attribute is not requested, skip it */ if ( rs->sr_attrs == NULL ) { if ( is_at_operational( a->a_desc->ad_type ) ) { continue; } } else { if ( is_at_operational( a->a_desc->ad_type ) ) { if ( !opattrs && !ad_inlist( a->a_desc, rs->sr_attrs ) ) { continue; } } else { if ( !userattrs && !ad_inlist( a->a_desc, rs->sr_attrs ) ) { continue; } } } /* test access to attribute */ if ( op->ors_attrsonly ) { if ( !access_allowed( op, rs->sr_entry, a->a_desc, NULL, ACL_READ, &acl_state ) ) { continue; } } /* single-value check: keep first only */ if ( is_at_single_value( a->a_desc->ad_type ) ) { if ( attr_find( e->e_attrs, a->a_desc ) != NULL ) { continue; } } /* test access to attribute */ i = a->a_numvals; vals = op->o_tmpalloc( ( i + 1 ) * sizeof( struct berval ), op->o_tmpmemctx ); if ( a->a_nvals != a->a_vals ) { nvals = op->o_tmpalloc( ( i + 1 ) * sizeof( struct berval ), op->o_tmpmemctx ); } for ( i = 0, j = 0; !BER_BVISNULL( &a->a_vals[i] ); i++ ) { if ( is_oc ) { ObjectClass *soc = oc_bvfind( &a->a_vals[i] ); if ( soc->soc_kind == LDAP_SCHEMA_STRUCTURAL ) { continue; } } if ( access_allowed( op, rs->sr_entry, a->a_desc, &a->a_nvals[i], ACL_READ, &acl_state ) ) { vals[j] = a->a_vals[i]; if ( nvals ) { nvals[j] = a->a_nvals[i]; } j++; } } /* if access allowed, try to add values, emulating permissive * control to silently ignore duplicates */ if ( j != 0 ) { Modification mod; const char *text = NULL; char textbuf[1024]; dynlist_map_t *dlm; AttributeDescription *ad; BER_BVZERO( &vals[j] ); if ( nvals ) { BER_BVZERO( &nvals[j] ); } ad = a->a_desc; for ( dlm = dlc->dlc_dli->dli_dlm; dlm; dlm = dlm->dlm_next ) { if ( dlm->dlm_member_ad == a->a_desc ) { if ( dlm->dlm_mapped_ad ) { ad = dlm->dlm_mapped_ad; } break; } } mod.sm_op = LDAP_MOD_ADD; mod.sm_desc = ad; mod.sm_type = ad->ad_cname; mod.sm_values = vals; mod.sm_nvalues = nvals; mod.sm_numvals = j; (void)modify_add_values( e, &mod, /* permissive */ 1, &text, textbuf, sizeof( textbuf ) ); } op->o_tmpfree( vals, op->o_tmpmemctx ); if ( nvals ) { op->o_tmpfree( nvals, op->o_tmpmemctx ); } } done:; if ( rs->sr_flags & REP_ENTRY_MUSTBEFREED ) { entry_free( rs->sr_entry ); rs->sr_entry = NULL; rs->sr_flags &= ~REP_ENTRY_MASK; } return 0; }
int backsql_operational( Operation *op, SlapReply *rs ) { backsql_info *bi = (backsql_info*)op->o_bd->be_private; SQLHDBC dbh = SQL_NULL_HDBC; int rc = 0; Attribute **ap; enum { BACKSQL_OP_HASSUBORDINATES = 0, BACKSQL_OP_ENTRYUUID, BACKSQL_OP_ENTRYCSN, BACKSQL_OP_LAST }; int get_conn = BACKSQL_OP_LAST, got[ BACKSQL_OP_LAST ] = { 0 }; Debug( LDAP_DEBUG_TRACE, "==>backsql_operational(): entry \"%s\"\n", rs->sr_entry->e_nname.bv_val, 0, 0 ); for ( ap = &rs->sr_entry->e_attrs; *ap; ap = &(*ap)->a_next ) { if ( (*ap)->a_desc == slap_schema.si_ad_hasSubordinates ) { get_conn--; got[ BACKSQL_OP_HASSUBORDINATES ] = 1; } else if ( (*ap)->a_desc == slap_schema.si_ad_entryUUID ) { get_conn--; got[ BACKSQL_OP_ENTRYUUID ] = 1; } else if ( (*ap)->a_desc == slap_schema.si_ad_entryCSN ) { get_conn--; got[ BACKSQL_OP_ENTRYCSN ] = 1; } } for ( ap = &rs->sr_operational_attrs; *ap; ap = &(*ap)->a_next ) { if ( !got[ BACKSQL_OP_HASSUBORDINATES ] && (*ap)->a_desc == slap_schema.si_ad_hasSubordinates ) { get_conn--; got[ BACKSQL_OP_HASSUBORDINATES ] = 1; } else if ( !got[ BACKSQL_OP_ENTRYUUID ] && (*ap)->a_desc == slap_schema.si_ad_entryUUID ) { get_conn--; got[ BACKSQL_OP_ENTRYUUID ] = 1; } else if ( !got[ BACKSQL_OP_ENTRYCSN ] && (*ap)->a_desc == slap_schema.si_ad_entryCSN ) { get_conn--; got[ BACKSQL_OP_ENTRYCSN ] = 1; } } if ( !get_conn ) { return 0; } rc = backsql_get_db_conn( op, &dbh ); if ( rc != LDAP_SUCCESS ) { Debug( LDAP_DEBUG_TRACE, "backsql_operational(): " "could not get connection handle - exiting\n", 0, 0, 0 ); return 1; } if ( ( SLAP_OPATTRS( rs->sr_attr_flags ) || ad_inlist( slap_schema.si_ad_hasSubordinates, rs->sr_attrs ) ) && !got[ BACKSQL_OP_HASSUBORDINATES ] && attr_find( rs->sr_entry->e_attrs, slap_schema.si_ad_hasSubordinates ) == NULL ) { rc = backsql_has_children( op, dbh, &rs->sr_entry->e_nname ); switch( rc ) { case LDAP_COMPARE_TRUE: case LDAP_COMPARE_FALSE: *ap = slap_operational_hasSubordinate( rc == LDAP_COMPARE_TRUE ); assert( *ap != NULL ); ap = &(*ap)->a_next; rc = 0; break; default: Debug( LDAP_DEBUG_TRACE, "backsql_operational(): " "has_children failed( %d)\n", rc, 0, 0 ); return 1; } } if ( ( SLAP_OPATTRS( rs->sr_attr_flags ) || ad_inlist( slap_schema.si_ad_entryUUID, rs->sr_attrs ) ) && !got[ BACKSQL_OP_ENTRYUUID ] && attr_find( rs->sr_entry->e_attrs, slap_schema.si_ad_entryUUID ) == NULL ) { backsql_srch_info bsi = { 0 }; rc = backsql_init_search( &bsi, &rs->sr_entry->e_nname, LDAP_SCOPE_BASE, (time_t)(-1), NULL, dbh, op, rs, NULL, BACKSQL_ISF_GET_ID ); if ( rc != LDAP_SUCCESS ) { Debug( LDAP_DEBUG_TRACE, "backsql_operational(): " "could not retrieve entry ID - no such entry\n", 0, 0, 0 ); return 1; } *ap = backsql_operational_entryUUID( bi, &bsi.bsi_base_id ); (void)backsql_free_entryID( &bsi.bsi_base_id, 0, op->o_tmpmemctx ); if ( bsi.bsi_attrs != NULL ) { op->o_tmpfree( bsi.bsi_attrs, op->o_tmpmemctx ); } if ( *ap == NULL ) { Debug( LDAP_DEBUG_TRACE, "backsql_operational(): " "could not retrieve entryUUID\n", 0, 0, 0 ); return 1; } ap = &(*ap)->a_next; } if ( ( SLAP_OPATTRS( rs->sr_attr_flags ) || ad_inlist( slap_schema.si_ad_entryCSN, rs->sr_attrs ) ) && !got[ BACKSQL_OP_ENTRYCSN ] && attr_find( rs->sr_entry->e_attrs, slap_schema.si_ad_entryCSN ) == NULL ) { *ap = backsql_operational_entryCSN( op ); if ( *ap == NULL ) { Debug( LDAP_DEBUG_TRACE, "backsql_operational(): " "could not retrieve entryCSN\n", 0, 0, 0 ); return 1; } ap = &(*ap)->a_next; } Debug( LDAP_DEBUG_TRACE, "<==backsql_operational(%d)\n", rc, 0, 0); return rc; }
static int allop_op_search( Operation *op, SlapReply *rs ) { slap_overinst *on = (slap_overinst *)op->o_bd->bd_info; allop_t *ao = (allop_t *)on->on_bi.bi_private; slap_mask_t mask; int i, add_allUser = 0; if ( ao == NULL ) { if ( !BER_BVISEMPTY( &op->o_req_ndn ) || op->ors_scope != LDAP_SCOPE_BASE ) { return SLAP_CB_CONTINUE; } } else { if ( !dnIsSuffix( &op->o_req_ndn, &ao->ao_ndn ) ) { return SLAP_CB_CONTINUE; } switch ( ao->ao_scope ) { case LDAP_SCOPE_BASE: if ( op->o_req_ndn.bv_len != ao->ao_ndn.bv_len ) { return SLAP_CB_CONTINUE; } break; case LDAP_SCOPE_ONELEVEL: if ( op->ors_scope == LDAP_SCOPE_BASE ) { struct berval rdn = op->o_req_ndn; rdn.bv_len -= ao->ao_ndn.bv_len + STRLENOF( "," ); if ( !dnIsOneLevelRDN( &rdn ) ) { return SLAP_CB_CONTINUE; } break; } return SLAP_CB_CONTINUE; case LDAP_SCOPE_SUBTREE: break; } } mask = slap_attr_flags( op->ors_attrs ); if ( SLAP_OPATTRS( mask ) ) { return SLAP_CB_CONTINUE; } if ( !SLAP_USERATTRS( mask ) ) { return SLAP_CB_CONTINUE; } i = 0; if ( op->ors_attrs == NULL ) { add_allUser = 1; } else { for ( ; !BER_BVISNULL( &op->ors_attrs[ i ].an_name ); i++ ) ; } op->ors_attrs = op->o_tmprealloc( op->ors_attrs, sizeof( AttributeName ) * ( i + add_allUser + 2 ), op->o_tmpmemctx ); if ( add_allUser ) { op->ors_attrs[ i ] = slap_anlist_all_user_attributes[ 0 ]; i++; } op->ors_attrs[ i ] = slap_anlist_all_operational_attributes[ 0 ]; BER_BVZERO( &op->ors_attrs[ i + 1 ].an_name ); return SLAP_CB_CONTINUE; }
int slap_send_search_entry( Operation *op, SlapReply *rs ) { BerElementBuffer berbuf; BerElement *ber = (BerElement *) &berbuf; Attribute *a; int i, j, rc = LDAP_UNAVAILABLE, bytes; int userattrs; AccessControlState acl_state = ACL_STATE_INIT; int attrsonly; AttributeDescription *ad_entry = slap_schema.si_ad_entry; /* a_flags: array of flags telling if the i-th element will be * returned or filtered out * e_flags: array of a_flags */ char **e_flags = NULL; rs->sr_type = REP_SEARCH; if ( op->ors_slimit >= 0 && rs->sr_nentries >= op->ors_slimit ) { rc = LDAP_SIZELIMIT_EXCEEDED; goto error_return; } /* Every 64 entries, check for thread pool pause */ if ( ( ( rs->sr_nentries & 0x3f ) == 0x3f ) && ldap_pvt_thread_pool_pausing( &connection_pool ) > 0 ) { rc = LDAP_BUSY; goto error_return; } /* eventually will loop through generated operational attribute types * currently implemented types include: * entryDN, subschemaSubentry, and hasSubordinates */ /* NOTE: moved before overlays callback circling because * they may modify entry and other stuff in rs */ /* check for special all operational attributes ("+") type */ /* FIXME: maybe we could set this flag at the operation level; * however, in principle the caller of send_search_entry() may * change the attribute list at each call */ rs->sr_attr_flags = slap_attr_flags( rs->sr_attrs ); rc = backend_operational( op, rs ); if ( rc ) { goto error_return; } if ( op->o_callback ) { rc = slap_response_play( op, rs ); if ( rc != SLAP_CB_CONTINUE ) { goto error_return; } } Debug( LDAP_DEBUG_TRACE, "=> send_search_entry: conn %lu dn=\"%s\"%s\n", op->o_connid, rs->sr_entry->e_name.bv_val, op->ors_attrsonly ? " (attrsOnly)" : "" ); attrsonly = op->ors_attrsonly; if ( !access_allowed( op, rs->sr_entry, ad_entry, NULL, ACL_READ, NULL )) { Debug( LDAP_DEBUG_ACL, "send_search_entry: conn %lu access to entry (%s) not allowed\n", op->o_connid, rs->sr_entry->e_name.bv_val ); rc = LDAP_INSUFFICIENT_ACCESS; goto error_return; } if ( op->o_res_ber ) { /* read back control or LDAP_CONNECTIONLESS */ ber = op->o_res_ber; } else { struct berval bv; bv.bv_len = entry_flatsize( rs->sr_entry, 0 ); bv.bv_val = op->o_tmpalloc( bv.bv_len, op->o_tmpmemctx ); ber_init2( ber, &bv, LBER_USE_DER ); ber_set_option( ber, LBER_OPT_BER_MEMCTX, &op->o_tmpmemctx ); } #ifdef LDAP_CONNECTIONLESS if ( op->o_conn && op->o_conn->c_is_udp ) { /* CONNECTIONLESS */ if ( op->o_protocol == LDAP_VERSION2 ) { rc = ber_printf(ber, "t{O{" /*}}*/, LDAP_RES_SEARCH_ENTRY, &rs->sr_entry->e_name ); } else { rc = ber_printf( ber, "{it{O{" /*}}}*/, op->o_msgid, LDAP_RES_SEARCH_ENTRY, &rs->sr_entry->e_name ); } } else #endif if ( op->o_res_ber ) { /* read back control */ rc = ber_printf( ber, "t{O{" /*}}*/, LDAP_RES_SEARCH_ENTRY, &rs->sr_entry->e_name ); } else { rc = ber_printf( ber, "{it{O{" /*}}}*/, op->o_msgid, LDAP_RES_SEARCH_ENTRY, &rs->sr_entry->e_name ); } if ( rc == -1 ) { Debug( LDAP_DEBUG_ANY, "send_search_entry: conn %lu ber_printf failed\n", op->o_connid ); if ( op->o_res_ber == NULL ) ber_free_buf( ber ); set_ldap_error( rs, LDAP_OTHER, "encoding DN error" ); rc = rs->sr_err; goto error_return; } /* check for special all user attributes ("*") type */ userattrs = SLAP_USERATTRS( rs->sr_attr_flags ); /* create an array of arrays of flags. Each flag corresponds * to particular value of attribute and equals 1 if value matches * to ValuesReturnFilter or 0 if not */ if ( op->o_vrFilter != NULL ) { int k = 0; size_t size; for ( a = rs->sr_entry->e_attrs, i=0; a != NULL; a = a->a_next, i++ ) { for ( j = 0; a->a_vals[j].bv_val != NULL; j++ ) k++; } size = i * sizeof(char *) + k; if ( size > 0 ) { char *a_flags; e_flags = slap_sl_calloc ( 1, i * sizeof(char *) + k, op->o_tmpmemctx ); if( e_flags == NULL ) { Debug( LDAP_DEBUG_ANY, "send_search_entry: conn %lu slap_sl_calloc failed\n", op->o_connid ); ber_free( ber, 1 ); set_ldap_error( rs, LDAP_OTHER, "out of memory" ); goto error_return; } a_flags = (char *)(e_flags + i); memset( a_flags, 0, k ); for ( a=rs->sr_entry->e_attrs, i=0; a != NULL; a=a->a_next, i++ ) { for ( j = 0; a->a_vals[j].bv_val != NULL; j++ ); e_flags[i] = a_flags; a_flags += j; } rc = filter_matched_values(op, rs->sr_entry->e_attrs, &e_flags) ; if ( rc == -1 ) { Debug( LDAP_DEBUG_ANY, "send_search_entry: " "conn %lu matched values filtering failed\n", op->o_connid ); if ( op->o_res_ber == NULL ) ber_free_buf( ber ); set_ldap_error( rs, LDAP_OTHER, "matched values filtering error" ); rc = rs->sr_err; goto error_return; } } } for ( a = rs->sr_entry->e_attrs, j = 0; a != NULL; a = a->a_next, j++ ) { AttributeDescription *desc = a->a_desc; int finish = 0; if ( rs->sr_attrs == NULL ) { /* all user attrs request, skip operational attributes */ if( is_at_operational( desc->ad_type ) ) { continue; } } else { /* specific attrs requested */ if ( is_at_operational( desc->ad_type ) ) { /* if not explicitly requested */ if ( !ad_inlist( desc, rs->sr_attrs )) { /* if not all op attrs requested, skip */ if ( !SLAP_OPATTRS( rs->sr_attr_flags )) continue; /* if DSA-specific and replicating, skip */ if ( op->o_sync != SLAP_CONTROL_NONE && desc->ad_type->sat_usage == LDAP_SCHEMA_DSA_OPERATION ) continue; } } else { if ( !userattrs && !ad_inlist( desc, rs->sr_attrs ) ) { continue; } } } if ( attrsonly ) { if ( ! access_allowed( op, rs->sr_entry, desc, NULL, ACL_READ, &acl_state ) ) { Debug( LDAP_DEBUG_ACL, "send_search_entry: " "conn %lu access to attribute %s not allowed\n", op->o_connid, desc->ad_cname.bv_val ); continue; } if (( rc = ber_printf( ber, "{O[" /*]}*/ , &desc->ad_cname )) == -1 ) { Debug( LDAP_DEBUG_ANY, "send_search_entry: conn %lu ber_printf failed\n", op->o_connid ); if ( op->o_res_ber == NULL ) ber_free_buf( ber ); set_ldap_error( rs, LDAP_OTHER, "encoding description error"); rc = rs->sr_err; goto error_return; } finish = 1; } else { int first = 1; for ( i = 0; a->a_nvals[i].bv_val != NULL; i++ ) { if ( ! access_allowed( op, rs->sr_entry, desc, &a->a_nvals[i], ACL_READ, &acl_state ) ) { Debug( LDAP_DEBUG_ACL, "send_search_entry: conn %lu " "access to attribute %s, value #%d not allowed\n", op->o_connid, desc->ad_cname.bv_val, i ); continue; } if ( op->o_vrFilter && e_flags[j][i] == 0 ){ continue; } if ( first ) { first = 0; finish = 1; if (( rc = ber_printf( ber, "{O[" /*]}*/ , &desc->ad_cname )) == -1 ) { Debug( LDAP_DEBUG_ANY, "send_search_entry: conn %lu ber_printf failed\n", op->o_connid ); if ( op->o_res_ber == NULL ) ber_free_buf( ber ); set_ldap_error( rs, LDAP_OTHER, "encoding description error"); rc = rs->sr_err; goto error_return; } } if (( rc = ber_printf( ber, "O", &a->a_vals[i] )) == -1 ) { Debug( LDAP_DEBUG_ANY, "send_search_entry: conn %lu " "ber_printf failed.\n", op->o_connid ); if ( op->o_res_ber == NULL ) ber_free_buf( ber ); set_ldap_error( rs, LDAP_OTHER, "encoding values error" ); rc = rs->sr_err; goto error_return; } } } if ( finish && ( rc = ber_printf( ber, /*{[*/ "]N}" )) == -1 ) { Debug( LDAP_DEBUG_ANY, "send_search_entry: conn %lu ber_printf failed\n", op->o_connid ); if ( op->o_res_ber == NULL ) ber_free_buf( ber ); set_ldap_error( rs, LDAP_OTHER, "encode end error" ); rc = rs->sr_err; goto error_return; } } /* NOTE: moved before overlays callback circling because * they may modify entry and other stuff in rs */ if ( rs->sr_operational_attrs != NULL && op->o_vrFilter != NULL ) { int k = 0; size_t size; for ( a = rs->sr_operational_attrs, i=0; a != NULL; a = a->a_next, i++ ) { for ( j = 0; a->a_vals[j].bv_val != NULL; j++ ) k++; } size = i * sizeof(char *) + k; if ( size > 0 ) { char *a_flags, **tmp; /* * Reuse previous memory - we likely need less space * for operational attributes */ tmp = slap_sl_realloc( e_flags, i * sizeof(char *) + k, op->o_tmpmemctx ); if ( tmp == NULL ) { Debug( LDAP_DEBUG_ANY, "send_search_entry: conn %lu " "not enough memory " "for matched values filtering\n", op->o_connid ); if ( op->o_res_ber == NULL ) ber_free_buf( ber ); set_ldap_error( rs, LDAP_OTHER, "not enough memory for matched values filtering" ); goto error_return; } e_flags = tmp; a_flags = (char *)(e_flags + i); memset( a_flags, 0, k ); for ( a = rs->sr_operational_attrs, i=0; a != NULL; a = a->a_next, i++ ) { for ( j = 0; a->a_vals[j].bv_val != NULL; j++ ); e_flags[i] = a_flags; a_flags += j; } rc = filter_matched_values(op, rs->sr_operational_attrs, &e_flags) ; if ( rc == -1 ) { Debug( LDAP_DEBUG_ANY, "send_search_entry: conn %lu " "matched values filtering failed\n", op->o_connid); if ( op->o_res_ber == NULL ) ber_free_buf( ber ); set_ldap_error( rs, LDAP_OTHER, "matched values filtering error" ); rc = rs->sr_err; goto error_return; } } } for (a = rs->sr_operational_attrs, j=0; a != NULL; a = a->a_next, j++ ) { AttributeDescription *desc = a->a_desc; if ( rs->sr_attrs == NULL ) { /* all user attrs request, skip operational attributes */ if( is_at_operational( desc->ad_type ) ) { continue; } } else { /* specific attrs requested */ if( is_at_operational( desc->ad_type ) ) { if ( !SLAP_OPATTRS( rs->sr_attr_flags ) && !ad_inlist( desc, rs->sr_attrs ) ) { continue; } /* if DSA-specific and replicating, skip */ if ( op->o_sync != SLAP_CONTROL_NONE && desc->ad_type->sat_usage == LDAP_SCHEMA_DSA_OPERATION ) continue; } else { if ( !userattrs && !ad_inlist( desc, rs->sr_attrs ) ) { continue; } } } if ( ! access_allowed( op, rs->sr_entry, desc, NULL, ACL_READ, &acl_state ) ) { Debug( LDAP_DEBUG_ACL, "send_search_entry: conn %lu " "access to attribute %s not allowed\n", op->o_connid, desc->ad_cname.bv_val ); continue; } rc = ber_printf( ber, "{O[" /*]}*/ , &desc->ad_cname ); if ( rc == -1 ) { Debug( LDAP_DEBUG_ANY, "send_search_entry: conn %lu " "ber_printf failed\n", op->o_connid ); if ( op->o_res_ber == NULL ) ber_free_buf( ber ); set_ldap_error( rs, LDAP_OTHER, "encoding description error" ); rc = rs->sr_err; goto error_return; } if ( ! attrsonly ) { for ( i = 0; a->a_vals[i].bv_val != NULL; i++ ) { if ( ! access_allowed( op, rs->sr_entry, desc, &a->a_vals[i], ACL_READ, &acl_state ) ) { Debug( LDAP_DEBUG_ACL, "send_search_entry: conn %lu " "access to %s, value %d not allowed\n", op->o_connid, desc->ad_cname.bv_val, i ); continue; } if ( op->o_vrFilter && e_flags[j][i] == 0 ){ continue; } if (( rc = ber_printf( ber, "O", &a->a_vals[i] )) == -1 ) { Debug( LDAP_DEBUG_ANY, "send_search_entry: conn %lu ber_printf failed\n", op->o_connid ); if ( op->o_res_ber == NULL ) ber_free_buf( ber ); set_ldap_error( rs, LDAP_OTHER, "encoding values error" ); rc = rs->sr_err; goto error_return; } } } if (( rc = ber_printf( ber, /*{[*/ "]N}" )) == -1 ) { Debug( LDAP_DEBUG_ANY, "send_search_entry: conn %lu ber_printf failed\n", op->o_connid ); if ( op->o_res_ber == NULL ) ber_free_buf( ber ); set_ldap_error( rs, LDAP_OTHER, "encode end error" ); rc = rs->sr_err; goto error_return; } } /* free e_flags */ if ( e_flags ) { slap_sl_free( e_flags, op->o_tmpmemctx ); e_flags = NULL; } rc = ber_printf( ber, /*{{*/ "}N}" ); if( rc != -1 ) { rc = send_ldap_controls( op, ber, rs->sr_ctrls ); } if( rc != -1 ) { #ifdef LDAP_CONNECTIONLESS if( op->o_conn && op->o_conn->c_is_udp ) { if ( op->o_protocol != LDAP_VERSION2 ) { rc = ber_printf( ber, /*{*/ "N}" ); } } else #endif if ( op->o_res_ber == NULL ) { rc = ber_printf( ber, /*{*/ "N}" ); } } if ( rc == -1 ) { Debug( LDAP_DEBUG_ANY, "ber_printf failed\n" ); if ( op->o_res_ber == NULL ) ber_free_buf( ber ); set_ldap_error( rs, LDAP_OTHER, "encode entry end error" ); rc = rs->sr_err; goto error_return; } Statslog( LDAP_DEBUG_STATS2, "%s ENTRY dn=\"%s\"\n", op->o_log_prefix, rs->sr_entry->e_nname.bv_val ); rs_flush_entry( op, rs, NULL ); if ( op->o_res_ber == NULL ) { bytes = send_ldap_ber( op, ber ); ber_free_buf( ber ); if ( bytes < 0 ) { Debug( LDAP_DEBUG_ANY, "send_search_entry: conn %lu ber write failed.\n", op->o_connid ); rc = LDAP_UNAVAILABLE; goto error_return; } rs->sr_nentries++; ldap_pvt_thread_mutex_lock( &op->o_counters->sc_mutex ); ldap_pvt_mp_add_ulong( op->o_counters->sc_bytes, (unsigned long)bytes ); ldap_pvt_mp_add_ulong( op->o_counters->sc_entries, 1 ); ldap_pvt_mp_add_ulong( op->o_counters->sc_pdu, 1 ); ldap_pvt_thread_mutex_unlock( &op->o_counters->sc_mutex ); } Debug( LDAP_DEBUG_TRACE, "<= send_search_entry: conn %lu exit.\n", op->o_connid ); rc = LDAP_SUCCESS; error_return:; if ( op->o_callback ) { (void)slap_cleanup_play( op, rs ); } if ( e_flags ) { slap_sl_free( e_flags, op->o_tmpmemctx ); } /* FIXME: Can break if rs now contains an extended response */ if ( rs->sr_operational_attrs ) { attrs_free( rs->sr_operational_attrs ); rs->sr_operational_attrs = NULL; } rs->sr_attr_flags = SLAP_ATTRS_UNDEFINED; if ( op->o_tag == LDAP_REQ_SEARCH && rs->sr_type == REP_SEARCH ) { rs_flush_entry( op, rs, NULL ); } else { RS_ASSERT( (rs->sr_flags & REP_ENTRY_MASK) == 0 ); } if ( rs->sr_flags & REP_CTRLS_MUSTBEFREED ) { rs->sr_flags ^= REP_CTRLS_MUSTBEFREED; /* paranoia */ if ( rs->sr_ctrls ) { slap_free_ctrls( op, rs->sr_ctrls ); rs->sr_ctrls = NULL; } } return( rc ); }