int slap_compare_entry(
Operation *op,
Entry *e,
AttributeAssertion *ava )
{
int rc = LDAP_COMPARE_FALSE;
Attribute *a;
if ( ! access_allowed( op, e,
ava->aa_desc, &ava->aa_value, ACL_COMPARE, NULL ) )
{
rc = LDAP_INSUFFICIENT_ACCESS;
goto done;
}
if ( get_assert( op ) &&
( test_filter( op, e, get_assertion( op )) != LDAP_COMPARE_TRUE ))
{
rc = LDAP_ASSERTION_FAILED;
goto done;
}
a = attrs_find( e->e_attrs, ava->aa_desc );
if( a == NULL ) {
rc = LDAP_NO_SUCH_ATTRIBUTE;
goto done;
}
for(;
a != NULL;
a = attrs_find( a->a_next, ava->aa_desc ))
{
if (( ava->aa_desc != a->a_desc ) && ! access_allowed( op,
e, a->a_desc, &ava->aa_value, ACL_COMPARE, NULL ) )
{
rc = LDAP_INSUFFICIENT_ACCESS;
break;
}
if ( attr_valfind( a,
SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
&ava->aa_value, NULL, op->o_tmpmemctx ) == 0 )
{
rc = LDAP_COMPARE_TRUE;
break;
}
}
done:
if( rc != LDAP_COMPARE_TRUE && rc != LDAP_COMPARE_FALSE ) {
if ( ! access_allowed( op, e,
slap_schema.si_ad_entry, NULL, ACL_DISCLOSE, NULL ) )
{
rc = LDAP_NO_SUCH_OBJECT;
}
}
return rc;
}
static int
test_substrings_filter(
Operation *op,
Entry *e,
Filter *f )
{
Attribute *a;
int rc;
Debug( LDAP_DEBUG_FILTER, "begin test_substrings_filter\n", 0, 0, 0 );
if ( !access_allowed( op, e,
f->f_sub_desc, NULL, ACL_SEARCH, NULL ) )
{
return LDAP_INSUFFICIENT_ACCESS;
}
rc = LDAP_COMPARE_FALSE;
for(a = attrs_find( e->e_attrs, f->f_sub_desc );
a != NULL;
a = attrs_find( a->a_next, f->f_sub_desc ) )
{
MatchingRule *mr;
struct berval *bv;
if (( f->f_sub_desc != a->a_desc ) && !access_allowed( op,
e, a->a_desc, NULL, ACL_SEARCH, NULL ))
{
rc = LDAP_INSUFFICIENT_ACCESS;
continue;
}
mr = a->a_desc->ad_type->sat_substr;
if( mr == NULL ) {
rc = LDAP_INAPPROPRIATE_MATCHING;
continue;
}
for ( bv = a->a_nvals; !BER_BVISNULL( bv ); bv++ ) {
int ret, match;
const char *text;
ret = value_match( &match, a->a_desc, mr, SLAP_MR_SUBSTR,
bv, f->f_sub, &text );
if( ret != LDAP_SUCCESS ) {
rc = ret;
break;
}
if ( match == 0 ) return LDAP_COMPARE_TRUE;
}
}
Debug( LDAP_DEBUG_FILTER, "end test_substrings_filter %d\n",
rc, 0, 0 );
return rc;
}
static int
test_presence_filter(
Operation *op,
Entry *e,
AttributeDescription *desc )
{
Attribute *a;
int rc;
if ( !access_allowed( op, e, desc, NULL, ACL_SEARCH, NULL ) ) {
return LDAP_INSUFFICIENT_ACCESS;
}
if ( desc == slap_schema.si_ad_hasSubordinates ) {
/*
* XXX: fairly optimistic: if the function is defined,
* then PRESENCE must succeed, because hasSubordinate
* is boolean-valued; I think we may live with this
* simplification by now.
*/
if ( op && op->o_bd && op->o_bd->be_has_subordinates ) {
return LDAP_COMPARE_TRUE;
}
return LDAP_COMPARE_FALSE;
}
if ( desc == slap_schema.si_ad_entryDN ||
desc == slap_schema.si_ad_subschemaSubentry )
{
/* entryDN and subschemaSubentry are always present */
return LDAP_COMPARE_TRUE;
}
rc = LDAP_COMPARE_FALSE;
for(a = attrs_find( e->e_attrs, desc );
a != NULL;
a = attrs_find( a->a_next, desc ) )
{
if (( desc != a->a_desc ) && !access_allowed( op,
e, a->a_desc, NULL, ACL_SEARCH, NULL ))
{
rc = LDAP_INSUFFICIENT_ACCESS;
continue;
}
rc = LDAP_COMPARE_TRUE;
break;
}
return rc;
}
static int
dynlist_sc_compare_entry( Operation *op, SlapReply *rs )
{
if ( rs->sr_type == REP_SEARCH && rs->sr_entry != NULL ) {
dynlist_cc_t *dc = (dynlist_cc_t *)op->o_callback;
AttributeAssertion *ava = dc->dc_ava;
Attribute *a = attrs_find( rs->sr_entry->e_attrs, ava->aa_desc );
if ( a != NULL ) {
while ( LDAP_SUCCESS != attr_valfind( a,
SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
&ava->aa_value, NULL, op->o_tmpmemctx )
&& (a = attrs_find( a->a_next, ava->aa_desc )) != NULL )
;
*dc->dc_res = a ? LDAP_COMPARE_TRUE : LDAP_COMPARE_FALSE;
}
}
return 0;
}
static dynlist_info_t *
dynlist_is_dynlist_next( Operation *op, SlapReply *rs, dynlist_info_t *old_dli )
{
slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
dynlist_info_t *dli;
Attribute *a;
if ( old_dli == NULL ) {
dli = (dynlist_info_t *)on->on_bi.bi_private;
} else {
dli = old_dli->dli_next;
}
a = attrs_find( rs->sr_entry->e_attrs, slap_schema.si_ad_objectClass );
if ( a == NULL ) {
/* FIXME: objectClass must be present; for non-storage
* backends, like back-ldap, it needs to be added
* to the requested attributes */
return NULL;
}
for ( ; dli; dli = dli->dli_next ) {
if ( dli->dli_lud != NULL ) {
/* check base and scope */
if ( !BER_BVISNULL( &dli->dli_uri_nbase )
&& !dnIsSuffixScope( &rs->sr_entry->e_nname,
&dli->dli_uri_nbase,
dli->dli_lud->lud_scope ) )
{
continue;
}
/* check filter */
if ( dli->dli_uri_filter && test_filter( op, rs->sr_entry, dli->dli_uri_filter ) != LDAP_COMPARE_TRUE ) {
continue;
}
}
if ( attr_valfind( a,
SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
&dli->dli_oc->soc_cname, NULL,
op->o_tmpmemctx ) == 0 )
{
return dli;
}
}
return NULL;
}
static dynlist_info_t *
dynlist_is_dynlist_next( Operation *op, SlapReply *rs, dynlist_info_t *old_dli )
{
slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
dynlist_info_t *dli;
Attribute *a;
if ( old_dli == NULL ) {
dli = (dynlist_info_t *)on->on_bi.bi_private;
} else {
dli = old_dli->dli_next;
}
a = attrs_find( rs->sr_entry->e_attrs, slap_schema.si_ad_objectClass );
if ( a == NULL ) {
/* FIXME: objectClass must be present; for non-storage
* backends, like back-ldap, it needs to be added
* to the requested attributes */
return NULL;
}
for ( ; dli; dli = dli->dli_next ) {
if ( attr_valfind( a,
SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
&dli->dli_oc->soc_cname, NULL,
op->o_tmpmemctx ) == 0 )
{
return dli;
}
}
return NULL;
}
static int
dynlist_prepare_entry( Operation *op, SlapReply *rs, dynlist_info_t *dli )
{
Attribute *a, *id = NULL;
slap_callback cb = { 0 };
Operation o = *op;
struct berval *url;
Entry *e;
int opattrs,
userattrs;
dynlist_sc_t dlc = { 0 };
dynlist_map_t *dlm;
a = attrs_find( rs->sr_entry->e_attrs, dli->dli_ad );
if ( a == NULL ) {
/* FIXME: error? */
return SLAP_CB_CONTINUE;
}
opattrs = SLAP_OPATTRS( rs->sr_attr_flags );
userattrs = SLAP_USERATTRS( rs->sr_attr_flags );
/* Don't generate member list if it wasn't requested */
for ( dlm = dli->dli_dlm; dlm; dlm = dlm->dlm_next ) {
AttributeDescription *ad = dlm->dlm_mapped_ad ? dlm->dlm_mapped_ad : dlm->dlm_member_ad;
if ( userattrs || ad_inlist( ad, rs->sr_attrs ) )
break;
}
if ( dli->dli_dlm && !dlm )
return SLAP_CB_CONTINUE;
if ( ad_dgIdentity && ( id = attrs_find( rs->sr_entry->e_attrs, ad_dgIdentity ))) {
Attribute *authz = NULL;
/* if not rootdn and dgAuthz is present,
* check if user can be authorized as dgIdentity */
if ( ad_dgAuthz && !BER_BVISEMPTY( &id->a_nvals[0] ) && !be_isroot( op )
&& ( authz = attrs_find( rs->sr_entry->e_attrs, ad_dgAuthz ) ) )
{
if ( slap_sasl_matches( op, authz->a_nvals,
&o.o_ndn, &o.o_ndn ) != LDAP_SUCCESS )
{
return SLAP_CB_CONTINUE;
}
}
o.o_dn = id->a_vals[0];
o.o_ndn = id->a_nvals[0];
o.o_groups = NULL;
}
e = rs->sr_entry;
/* ensure e is modifiable, but do not replace
* sr_entry yet since we have pointers into it */
if ( !( rs->sr_flags & REP_ENTRY_MODIFIABLE ) ) {
e = entry_dup( rs->sr_entry );
}
dlc.dlc_e = e;
dlc.dlc_dli = dli;
cb.sc_private = &dlc;
cb.sc_response = dynlist_sc_update;
o.o_callback = &cb;
o.ors_deref = LDAP_DEREF_NEVER;
o.ors_limit = NULL;
o.ors_tlimit = SLAP_NO_LIMIT;
o.ors_slimit = SLAP_NO_LIMIT;
for ( url = a->a_nvals; !BER_BVISNULL( url ); url++ ) {
LDAPURLDesc *lud = NULL;
int i, j;
struct berval dn;
int rc;
BER_BVZERO( &o.o_req_dn );
BER_BVZERO( &o.o_req_ndn );
o.ors_filter = NULL;
o.ors_attrs = NULL;
BER_BVZERO( &o.ors_filterstr );
if ( ldap_url_parse( url->bv_val, &lud ) != LDAP_URL_SUCCESS ) {
/* FIXME: error? */
continue;
}
if ( lud->lud_host != NULL ) {
/* FIXME: host not allowed; reject as illegal? */
Debug( LDAP_DEBUG_ANY, "dynlist_prepare_entry(\"%s\"): "
"illegal URI \"%s\"\n",
e->e_name.bv_val, url->bv_val, 0 );
goto cleanup;
}
if ( lud->lud_dn == NULL ) {
/* note that an empty base is not honored in terms
* of defaultSearchBase, because select_backend()
* is not aware of the defaultSearchBase option;
* this can be useful in case of a database serving
* the empty suffix */
BER_BVSTR( &dn, "" );
} else {
ber_str2bv( lud->lud_dn, 0, 0, &dn );
}
rc = dnPrettyNormal( NULL, &dn, &o.o_req_dn, &o.o_req_ndn, op->o_tmpmemctx );
if ( rc != LDAP_SUCCESS ) {
/* FIXME: error? */
goto cleanup;
}
o.ors_scope = lud->lud_scope;
for ( dlm = dli->dli_dlm; dlm; dlm = dlm->dlm_next ) {
if ( dlm->dlm_mapped_ad != NULL ) {
break;
}
}
if ( dli->dli_dlm && !dlm ) {
/* if ( lud->lud_attrs != NULL ),
* the URL should be ignored */
o.ors_attrs = slap_anlist_no_attrs;
} else if ( lud->lud_attrs == NULL ) {
o.ors_attrs = rs->sr_attrs;
} else {
for ( i = 0; lud->lud_attrs[i]; i++)
/* just count */ ;
o.ors_attrs = op->o_tmpcalloc( i + 1, sizeof( AttributeName ), op->o_tmpmemctx );
for ( i = 0, j = 0; lud->lud_attrs[i]; i++) {
const char *text = NULL;
ber_str2bv( lud->lud_attrs[i], 0, 0, &o.ors_attrs[j].an_name );
o.ors_attrs[j].an_desc = NULL;
(void)slap_bv2ad( &o.ors_attrs[j].an_name, &o.ors_attrs[j].an_desc, &text );
/* FIXME: ignore errors... */
if ( rs->sr_attrs == NULL ) {
if ( o.ors_attrs[j].an_desc != NULL &&
is_at_operational( o.ors_attrs[j].an_desc->ad_type ) )
{
continue;
}
} else {
if ( o.ors_attrs[j].an_desc != NULL &&
is_at_operational( o.ors_attrs[j].an_desc->ad_type ) )
{
if ( !opattrs ) {
continue;
}
if ( !ad_inlist( o.ors_attrs[j].an_desc, rs->sr_attrs ) ) {
/* lookup if mapped -- linear search,
* not very efficient unless list
* is very short */
for ( dlm = dli->dli_dlm; dlm; dlm = dlm->dlm_next ) {
if ( dlm->dlm_member_ad == o.ors_attrs[j].an_desc ) {
break;
}
}
if ( dlm == NULL ) {
continue;
}
}
} else {
if ( !userattrs &&
o.ors_attrs[j].an_desc != NULL &&
!ad_inlist( o.ors_attrs[j].an_desc, rs->sr_attrs ) )
{
/* lookup if mapped -- linear search,
* not very efficient unless list
* is very short */
for ( dlm = dli->dli_dlm; dlm; dlm = dlm->dlm_next ) {
if ( dlm->dlm_member_ad == o.ors_attrs[j].an_desc ) {
break;
}
}
if ( dlm == NULL ) {
continue;
}
}
}
}
j++;
}
if ( j == 0 ) {
goto cleanup;
}
BER_BVZERO( &o.ors_attrs[j].an_name );
}
if ( lud->lud_filter == NULL ) {
ber_dupbv_x( &o.ors_filterstr,
&dli->dli_default_filter, op->o_tmpmemctx );
} else {
struct berval flt;
ber_str2bv( lud->lud_filter, 0, 0, &flt );
if ( dynlist_make_filter( op, rs->sr_entry, url->bv_val, &flt, &o.ors_filterstr ) ) {
/* error */
goto cleanup;
}
}
o.ors_filter = str2filter_x( op, o.ors_filterstr.bv_val );
if ( o.ors_filter == NULL ) {
goto cleanup;
}
o.o_bd = select_backend( &o.o_req_ndn, 1 );
if ( o.o_bd && o.o_bd->be_search ) {
SlapReply r = { REP_SEARCH };
r.sr_attr_flags = slap_attr_flags( o.ors_attrs );
(void)o.o_bd->be_search( &o, &r );
}
cleanup:;
if ( id ) {
slap_op_groups_free( &o );
}
if ( o.ors_filter ) {
filter_free_x( &o, o.ors_filter, 1 );
}
if ( o.ors_attrs && o.ors_attrs != rs->sr_attrs
&& o.ors_attrs != slap_anlist_no_attrs )
{
op->o_tmpfree( o.ors_attrs, op->o_tmpmemctx );
}
if ( !BER_BVISNULL( &o.o_req_dn ) ) {
op->o_tmpfree( o.o_req_dn.bv_val, op->o_tmpmemctx );
}
if ( !BER_BVISNULL( &o.o_req_ndn ) ) {
op->o_tmpfree( o.o_req_ndn.bv_val, op->o_tmpmemctx );
}
assert( BER_BVISNULL( &o.ors_filterstr )
|| o.ors_filterstr.bv_val != lud->lud_filter );
op->o_tmpfree( o.ors_filterstr.bv_val, op->o_tmpmemctx );
ldap_free_urldesc( lud );
}
if ( e != rs->sr_entry ) {
rs_replace_entry( op, rs, (slap_overinst *)op->o_bd->bd_info, e );
rs->sr_flags |= REP_ENTRY_MODIFIABLE | REP_ENTRY_MUSTBEFREED;
}
return SLAP_CB_CONTINUE;
}
static dynlist_info_t *
dynlist_is_dynlist_next( Operation *op, SlapReply *rs, dynlist_info_t *old_dli )
{
slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
dynlist_info_t *dli;
Attribute *a;
if ( old_dli == NULL ) {
dli = (dynlist_info_t *)on->on_bi.bi_private;
} else {
dli = old_dli->dli_next;
}
a = attrs_find( rs->sr_entry->e_attrs, slap_schema.si_ad_objectClass );
if ( a == NULL ) {
/* FIXME: objectClass must be present; for non-storage
* backends, like back-ldap, it needs to be added
* to the requested attributes */
return NULL;
}
for ( ; dli; dli = dli->dli_next ) {
if ( dli->dli_lud != NULL ) {
/* check base and scope */
if ( !BER_BVISNULL( &dli->dli_uri_nbase ) ) {
int d = rs->sr_entry->e_nname.bv_len - dli->dli_uri_nbase.bv_len;
if ( d < 0 ) {
continue;
}
if ( !dnIsSuffix( &rs->sr_entry->e_nname, &dli->dli_uri_nbase ) ) {
continue;
}
switch ( dli->dli_lud->lud_scope ) {
case LDAP_SCOPE_BASE:
if ( d != 0 ) {
continue;
}
break;
case LDAP_SCOPE_ONELEVEL: {
struct berval pdn;
dnParent( &rs->sr_entry->e_nname, &pdn );
if ( pdn.bv_len != dli->dli_uri_nbase.bv_len ) {
continue;
}
} break;
case LDAP_SCOPE_SUBORDINATE:
if ( d == 0 ) {
continue;
}
break;
case LDAP_SCOPE_SUBTREE:
case LDAP_SCOPE_DEFAULT:
break;
default:
continue;
}
}
/* check filter */
if ( dli->dli_uri_filter && test_filter( op, rs->sr_entry, dli->dli_uri_filter ) != LDAP_COMPARE_TRUE ) {
continue;
}
}
if ( attr_valfind( a,
SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
&dli->dli_oc->soc_cname, NULL,
op->o_tmpmemctx ) == 0 )
{
return dli;
}
}
return NULL;
}
static int
test_ava_filter(
Operation *op,
Entry *e,
AttributeAssertion *ava,
int type )
{
int rc;
Attribute *a;
#ifdef LDAP_COMP_MATCH
int i, num_attr_vals = 0;
AttributeAliasing *a_alias = NULL;
#endif
if ( !access_allowed( op, e,
ava->aa_desc, &ava->aa_value, ACL_SEARCH, NULL ) )
{
return LDAP_INSUFFICIENT_ACCESS;
}
if ( ava->aa_desc == slap_schema.si_ad_hasSubordinates
&& op && op->o_bd && op->o_bd->be_has_subordinates )
{
int hasSubordinates;
struct berval hs;
if( type != LDAP_FILTER_EQUALITY &&
type != LDAP_FILTER_APPROX )
{
/* No other match is allowed */
return LDAP_INAPPROPRIATE_MATCHING;
}
if ( op->o_bd->be_has_subordinates( op, e, &hasSubordinates ) !=
LDAP_SUCCESS )
{
return LDAP_OTHER;
}
if ( hasSubordinates == LDAP_COMPARE_TRUE ) {
hs = slap_true_bv;
} else if ( hasSubordinates == LDAP_COMPARE_FALSE ) {
hs = slap_false_bv;
} else {
return LDAP_OTHER;
}
if ( bvmatch( &ava->aa_value, &hs ) ) return LDAP_COMPARE_TRUE;
return LDAP_COMPARE_FALSE;
}
if ( ava->aa_desc == slap_schema.si_ad_entryDN ) {
MatchingRule *mr;
int match;
const char *text;
if( type != LDAP_FILTER_EQUALITY &&
type != LDAP_FILTER_APPROX )
{
/* No other match is allowed */
return LDAP_INAPPROPRIATE_MATCHING;
}
mr = slap_schema.si_ad_entryDN->ad_type->sat_equality;
assert( mr != NULL );
rc = value_match( &match, slap_schema.si_ad_entryDN, mr,
SLAP_MR_EXT, &e->e_nname, &ava->aa_value, &text );
if( rc != LDAP_SUCCESS ) return rc;
if( match == 0 ) return LDAP_COMPARE_TRUE;
return LDAP_COMPARE_FALSE;
}
rc = LDAP_COMPARE_FALSE;
#ifdef LDAP_COMP_MATCH
if ( is_aliased_attribute && ava->aa_cf )
{
a_alias = is_aliased_attribute ( ava->aa_desc );
if ( a_alias )
ava->aa_desc = a_alias->aa_aliased_ad;
else
ava->aa_cf = NULL;
}
#endif
for(a = attrs_find( e->e_attrs, ava->aa_desc );
a != NULL;
a = attrs_find( a->a_next, ava->aa_desc ) )
{
int use;
MatchingRule *mr;
struct berval *bv;
if (( ava->aa_desc != a->a_desc ) && !access_allowed( op,
e, a->a_desc, &ava->aa_value, ACL_SEARCH, NULL ))
{
rc = LDAP_INSUFFICIENT_ACCESS;
continue;
}
use = SLAP_MR_EQUALITY;
switch ( type ) {
case LDAP_FILTER_APPROX:
use = SLAP_MR_EQUALITY_APPROX;
mr = a->a_desc->ad_type->sat_approx;
if( mr != NULL ) break;
/* fallthru: use EQUALITY matching rule if no APPROX rule */
case LDAP_FILTER_EQUALITY:
/* use variable set above so fall thru use is not clobbered */
mr = a->a_desc->ad_type->sat_equality;
break;
case LDAP_FILTER_GE:
case LDAP_FILTER_LE:
use = SLAP_MR_ORDERING;
mr = a->a_desc->ad_type->sat_ordering;
break;
default:
mr = NULL;
}
if( mr == NULL ) {
rc = LDAP_INAPPROPRIATE_MATCHING;
continue;
}
/* We have no Sort optimization for Approx matches */
if (( a->a_flags & SLAP_ATTR_SORTED_VALS ) && type != LDAP_FILTER_APPROX ) {
unsigned slot;
int ret;
/* For Ordering matches, we just need to do one comparison with
* either the first (least) or last (greatest) value.
*/
if ( use == SLAP_MR_ORDERING ) {
const char *text;
int match, which;
which = (type == LDAP_FILTER_LE) ? 0 : a->a_numvals-1;
ret = value_match( &match, a->a_desc, mr, use,
&a->a_nvals[which], &ava->aa_value, &text );
if ( ret != LDAP_SUCCESS ) return ret;
if (( type == LDAP_FILTER_LE && match <= 0 ) ||
( type == LDAP_FILTER_GE && match >= 0 ))
return LDAP_COMPARE_TRUE;
continue;
}
/* Only Equality will get here */
ret = attr_valfind( a, use | SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH |
SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH,
&ava->aa_value, &slot, NULL );
if ( ret == LDAP_SUCCESS )
return LDAP_COMPARE_TRUE;
else if ( ret != LDAP_NO_SUCH_ATTRIBUTE )
return ret;
#if 0
/* The following is useful if we want to know which values
* matched an ordering test. But here we don't care, we just
* want to know if any value did, and that is checked above.
*/
if ( ret == LDAP_NO_SUCH_ATTRIBUTE ) {
/* If insertion point is not the end of the list, there was
* at least one value greater than the assertion.
*/
if ( type == LDAP_FILTER_GE && slot < a->a_numvals )
return LDAP_COMPARE_TRUE;
/* Likewise, if insertion point is not the head of the list,
* there was at least one value less than the assertion.
*/
if ( type == LDAP_FILTER_LE && slot > 0 )
return LDAP_COMPARE_TRUE;
return LDAP_COMPARE_FALSE;
}
#endif
continue;
}
#ifdef LDAP_COMP_MATCH
if ( nibble_mem_allocator && ava->aa_cf && !a->a_comp_data ) {
/* Component Matching */
for ( num_attr_vals = 0; a->a_vals[num_attr_vals].bv_val != NULL; num_attr_vals++ );
if ( num_attr_vals <= 0 )/* no attribute value */
return LDAP_INAPPROPRIATE_MATCHING;
num_attr_vals++;/* for NULL termination */
/* following malloced will be freed by comp_tree_free () */
a->a_comp_data = SLAP_MALLOC( sizeof( ComponentData ) + sizeof( ComponentSyntaxInfo* )*num_attr_vals );
if ( !a->a_comp_data ) {
return LDAP_NO_MEMORY;
}
a->a_comp_data->cd_tree = (ComponentSyntaxInfo**)((char*)a->a_comp_data + sizeof(ComponentData));
i = num_attr_vals;
for ( ; i ; i-- ) {
a->a_comp_data->cd_tree[ i-1 ] = (ComponentSyntaxInfo*)NULL;
}
a->a_comp_data->cd_mem_op = nibble_mem_allocator ( 1024*10*(num_attr_vals-1), 1024 );
if ( a->a_comp_data->cd_mem_op == NULL ) {
free ( a->a_comp_data );
a->a_comp_data = NULL;
return LDAP_OPERATIONS_ERROR;
}
}
i = 0;
#endif
for ( bv = a->a_nvals; !BER_BVISNULL( bv ); bv++ ) {
int ret, match;
const char *text;
#ifdef LDAP_COMP_MATCH
if( attr_converter && ava->aa_cf && a->a_comp_data ) {
/* Check if decoded component trees are already linked */
struct berval cf_bv = { 20, "componentFilterMatch" };
MatchingRule* cf_mr = mr_bvfind( &cf_bv );
MatchingRuleAssertion mra;
mra.ma_cf = ava->aa_cf;
if ( a->a_comp_data->cd_tree[i] == NULL )
a->a_comp_data->cd_tree[i] = attr_converter (a, a->a_desc->ad_type->sat_syntax, (a->a_vals + i));
/* decoding error */
if ( !a->a_comp_data->cd_tree[i] ) {
free_ComponentData ( a );
return LDAP_OPERATIONS_ERROR;
}
ret = value_match( &match, a->a_desc, cf_mr,
SLAP_MR_COMPONENT,
(struct berval*)a->a_comp_data->cd_tree[i++],
(void*)&mra, &text );
if ( ret == LDAP_INAPPROPRIATE_MATCHING ) {
/* cached component tree is broken, just remove it */
free_ComponentData ( a );
return ret;
}
if ( a_alias )
ava->aa_desc = a_alias->aa_aliasing_ad;
} else
#endif
{
ret = ordered_value_match( &match, a->a_desc, mr, use,
bv, &ava->aa_value, &text );
}
if( ret != LDAP_SUCCESS ) {
rc = ret;
break;
}
switch ( type ) {
case LDAP_FILTER_EQUALITY:
case LDAP_FILTER_APPROX:
if ( match == 0 ) return LDAP_COMPARE_TRUE;
break;
case LDAP_FILTER_GE:
if ( match >= 0 ) return LDAP_COMPARE_TRUE;
break;
case LDAP_FILTER_LE:
if ( match <= 0 ) return LDAP_COMPARE_TRUE;
break;
}
}
}
#ifdef LDAP_COMP_MATCH
if ( a_alias )
ava->aa_desc = a_alias->aa_aliasing_ad;
#endif
return rc;
}
/*
** Adds a group to the internal list from the passed entry.
** scan specifies whether to add all maching members to the group.
** modify specifies whether to modify the given group entry (when modify == 0),
** or to modify the group entry in the database (when modify == 1 and e = NULL and ndn != NULL).
** agi - pointer to the groups and the attribute definitions
** agd - the attribute definition of the added group
** e - the entry representing the group, can be NULL if the ndn is specified, and modify == 1
** ndn - the DN of the group, can be NULL if we give a non-NULL e
*/
static int
autogroup_add_group( Operation *op, autogroup_info_t *agi, autogroup_def_t *agd, Entry *e, BerValue *ndn, int scan, int modify)
{
autogroup_entry_t **agep = &agi->agi_entry;
autogroup_filter_t *agf, *agf_prev = NULL;
slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
LDAPURLDesc *lud = NULL;
Attribute *a;
BerValue *bv, dn;
int rc = 0, match = 1, null_entry = 0;
if ( e == NULL ) {
if ( overlay_entry_get_ov( op, ndn, NULL, NULL, 0, &e, on ) !=
LDAP_SUCCESS || e == NULL ) {
Debug( LDAP_DEBUG_TRACE, "autogroup_add_group: cannot get entry for <%s>\n", ndn->bv_val, 0, 0);
return 1;
}
null_entry = 1;
}
Debug(LDAP_DEBUG_TRACE, "==> autogroup_add_group <%s>\n",
e->e_name.bv_val, 0, 0);
if ( agi->agi_entry != NULL ) {
for ( ; *agep ; agep = &(*agep)->age_next ) {
dnMatch( &match, 0, NULL, NULL, &e->e_nname, &(*agep)->age_ndn );
if ( match == 0 ) {
Debug( LDAP_DEBUG_TRACE, "autogroup_add_group: group already exists: <%s>\n", e->e_name.bv_val,0,0);
return 1;
}
/* goto last */;
}
}
*agep = (autogroup_entry_t *)ch_calloc( 1, sizeof( autogroup_entry_t ) );
ldap_pvt_thread_mutex_init( &(*agep)->age_mutex );
(*agep)->age_def = agd;
(*agep)->age_filter = NULL;
ber_dupbv( &(*agep)->age_dn, &e->e_name );
ber_dupbv( &(*agep)->age_ndn, &e->e_nname );
a = attrs_find( e->e_attrs, agd->agd_member_url_ad );
if ( null_entry == 1 ) {
a = attrs_dup( a );
overlay_entry_release_ov( op, e, 0, on );
}
if( a == NULL ) {
Debug( LDAP_DEBUG_TRACE, "autogroup_add_group: group has no memberURL\n", 0,0,0);
} else {
for ( bv = a->a_nvals; !BER_BVISNULL( bv ); bv++ ) {
agf = (autogroup_filter_t*)ch_calloc( 1, sizeof( autogroup_filter_t ) );
if ( ldap_url_parse( bv->bv_val, &lud ) != LDAP_URL_SUCCESS ) {
Debug( LDAP_DEBUG_TRACE, "autogroup_add_group: cannot parse url <%s>\n", bv->bv_val,0,0);
/* FIXME: error? */
ch_free( agf );
continue;
}
agf->agf_scope = lud->lud_scope;
if ( lud->lud_dn == NULL ) {
BER_BVSTR( &dn, "" );
} else {
ber_str2bv( lud->lud_dn, 0, 0, &dn );
}
rc = dnPrettyNormal( NULL, &dn, &agf->agf_dn, &agf->agf_ndn, NULL );
if ( rc != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_TRACE, "autogroup_add_group: cannot normalize DN <%s>\n", dn.bv_val,0,0);
/* FIXME: error? */
goto cleanup;
}
if ( lud->lud_filter != NULL ) {
ber_str2bv( lud->lud_filter, 0, 1, &agf->agf_filterstr);
agf->agf_filter = str2filter( lud->lud_filter );
}
agf->agf_next = NULL;
if( (*agep)->age_filter == NULL ) {
(*agep)->age_filter = agf;
}
if( agf_prev != NULL ) {
agf_prev->agf_next = agf;
}
agf_prev = agf;
if ( scan == 1 ){
autogroup_add_members_from_filter( op, e, (*agep), agf, modify );
}
Debug( LDAP_DEBUG_TRACE, "autogroup_add_group: added memberURL DN <%s> with filter <%s>\n",
agf->agf_ndn.bv_val, agf->agf_filterstr.bv_val, 0);
ldap_free_urldesc( lud );
continue;
cleanup:;
ldap_free_urldesc( lud );
ch_free( agf );
}
}
if ( null_entry == 1 ) {
attrs_free( a );
}
return rc;
}
/*
** When modifing a group, we must deny any modifications to the member attribute,
** because the group would be inconsistent.
*/
static int
autogroup_modify_entry( Operation *op, SlapReply *rs)
{
slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
autogroup_info_t *agi = (autogroup_info_t *)on->on_bi.bi_private;
autogroup_def_t *agd = agi->agi_def;
autogroup_entry_t *age = agi->agi_entry;
Entry *e;
Attribute *a;
if ( get_manageDSAit( op ) ) {
return SLAP_CB_CONTINUE;
}
Debug( LDAP_DEBUG_TRACE, "==> autogroup_modify_entry <%s>\n", op->o_req_dn.bv_val, 0, 0);
ldap_pvt_thread_mutex_lock( &agi->agi_mutex );
if ( overlay_entry_get_ov( op, &op->o_req_ndn, NULL, NULL, 0, &e, on ) !=
LDAP_SUCCESS || e == NULL ) {
Debug( LDAP_DEBUG_TRACE, "autogroup_modify_entry cannot get entry for <%s>\n", op->o_req_dn.bv_val, 0, 0);
ldap_pvt_thread_mutex_unlock( &agi->agi_mutex );
return SLAP_CB_CONTINUE;
}
a = attrs_find( e->e_attrs, slap_schema.si_ad_objectClass );
if ( a == NULL ) {
Debug( LDAP_DEBUG_TRACE, "autogroup_modify_entry entry <%s> has no objectClass\n", op->o_req_dn.bv_val, 0, 0);
ldap_pvt_thread_mutex_unlock( &agi->agi_mutex );
return SLAP_CB_CONTINUE;
}
for ( ; agd; agd = agd->agd_next ) {
if ( value_find_ex( slap_schema.si_ad_objectClass,
SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
a->a_nvals, &agd->agd_oc->soc_cname,
op->o_tmpmemctx ) == 0 )
{
Modifications *m;
int match = 1;
m = op->orm_modlist;
for ( ; age ; age = age->age_next ) {
dnMatch( &match, 0, NULL, NULL, &op->o_req_ndn, &age->age_ndn );
if ( match == 0 ) {
for ( ; m ; m = m->sml_next ) {
if ( m->sml_desc == age->age_def->agd_member_ad ) {
overlay_entry_release_ov( op, e, 0, on );
ldap_pvt_thread_mutex_unlock( &agi->agi_mutex );
Debug( LDAP_DEBUG_TRACE, "autogroup_modify_entry attempted to modify group's <%s> member attribute\n", op->o_req_dn.bv_val, 0, 0);
send_ldap_error(op, rs, LDAP_CONSTRAINT_VIOLATION, "attempt to modify dynamic group member attribute");
return LDAP_CONSTRAINT_VIOLATION;
}
}
break;
}
}
overlay_entry_release_ov( op, e, 0, on );
ldap_pvt_thread_mutex_unlock( &agi->agi_mutex );
return SLAP_CB_CONTINUE;
}
}
overlay_entry_release_ov( op, e, 0, on );
ldap_pvt_thread_mutex_unlock( &agi->agi_mutex );
return SLAP_CB_CONTINUE;
}
int
backsql_compare( Operation *op, SlapReply *rs )
{
SQLHDBC dbh = SQL_NULL_HDBC;
Entry e = { 0 };
Attribute *a = NULL;
backsql_srch_info bsi = { 0 };
int rc;
int manageDSAit = get_manageDSAit( op );
AttributeName anlist[2];
Debug( LDAP_DEBUG_TRACE, "==>backsql_compare()\n", 0, 0, 0 );
rs->sr_err = backsql_get_db_conn( op, &dbh );
if ( rs->sr_err != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_TRACE, "backsql_compare(): "
"could not get connection handle - exiting\n",
0, 0, 0 );
rs->sr_text = ( rs->sr_err == LDAP_OTHER )
? "SQL-backend error" : NULL;
goto return_results;
}
anlist[ 0 ].an_name = op->oq_compare.rs_ava->aa_desc->ad_cname;
anlist[ 0 ].an_desc = op->oq_compare.rs_ava->aa_desc;
BER_BVZERO( &anlist[ 1 ].an_name );
/*
* Get the entry
*/
bsi.bsi_e = &e;
rc = backsql_init_search( &bsi, &op->o_req_ndn, LDAP_SCOPE_BASE,
(time_t)(-1), NULL, dbh, op, rs, anlist,
( BACKSQL_ISF_MATCHED | BACKSQL_ISF_GET_ENTRY ) );
switch ( rc ) {
case LDAP_SUCCESS:
break;
case LDAP_REFERRAL:
if ( manageDSAit && !BER_BVISNULL( &bsi.bsi_e->e_nname ) &&
dn_match( &op->o_req_ndn, &bsi.bsi_e->e_nname ) )
{
rs->sr_err = LDAP_SUCCESS;
rs->sr_text = NULL;
rs->sr_matched = NULL;
if ( rs->sr_ref ) {
ber_bvarray_free( rs->sr_ref );
rs->sr_ref = NULL;
}
break;
}
/* fallthru */
default:
Debug( LDAP_DEBUG_TRACE, "backsql_compare(): "
"could not retrieve compareDN ID - no such entry\n",
0, 0, 0 );
goto return_results;
}
if ( get_assert( op ) &&
( test_filter( op, &e, get_assertion( op ) )
!= LDAP_COMPARE_TRUE ) )
{
rs->sr_err = LDAP_ASSERTION_FAILED;
goto return_results;
}
if ( is_at_operational( op->oq_compare.rs_ava->aa_desc->ad_type ) ) {
SlapReply nrs = { REP_SEARCH };
Attribute **ap;
for ( ap = &e.e_attrs; *ap; ap = &(*ap)->a_next )
;
nrs.sr_attrs = anlist;
nrs.sr_entry = &e;
nrs.sr_attr_flags = SLAP_OPATTRS_NO;
nrs.sr_operational_attrs = NULL;
rs->sr_err = backsql_operational( op, &nrs );
if ( rs->sr_err != LDAP_SUCCESS ) {
goto return_results;
}
*ap = nrs.sr_operational_attrs;
}
if ( ! access_allowed( op, &e, op->oq_compare.rs_ava->aa_desc,
&op->oq_compare.rs_ava->aa_value,
ACL_COMPARE, NULL ) )
{
rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
goto return_results;
}
rs->sr_err = LDAP_NO_SUCH_ATTRIBUTE;
for ( a = attrs_find( e.e_attrs, op->oq_compare.rs_ava->aa_desc );
a != NULL;
a = attrs_find( a->a_next, op->oq_compare.rs_ava->aa_desc ) )
{
rs->sr_err = LDAP_COMPARE_FALSE;
if ( attr_valfind( a,
SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
&op->oq_compare.rs_ava->aa_value, NULL,
op->o_tmpmemctx ) == 0 )
{
rs->sr_err = LDAP_COMPARE_TRUE;
break;
}
}
return_results:;
switch ( rs->sr_err ) {
case LDAP_COMPARE_TRUE:
case LDAP_COMPARE_FALSE:
break;
default:
if ( !BER_BVISNULL( &e.e_nname ) &&
! access_allowed( op, &e,
slap_schema.si_ad_entry, NULL,
ACL_DISCLOSE, NULL ) )
{
rs->sr_err = LDAP_NO_SUCH_OBJECT;
rs->sr_text = NULL;
}
break;
}
send_ldap_result( op, rs );
if ( rs->sr_matched ) {
rs->sr_matched = NULL;
}
if ( rs->sr_ref ) {
ber_bvarray_free( rs->sr_ref );
rs->sr_ref = NULL;
}
if ( !BER_BVISNULL( &bsi.bsi_base_id.eid_ndn ) ) {
(void)backsql_free_entryID( &bsi.bsi_base_id, 0, op->o_tmpmemctx );
}
if ( !BER_BVISNULL( &e.e_nname ) ) {
backsql_entry_clean( op, &e );
}
if ( bsi.bsi_attrs != NULL ) {
op->o_tmpfree( bsi.bsi_attrs, op->o_tmpmemctx );
}
Debug(LDAP_DEBUG_TRACE,"<==backsql_compare()\n",0,0,0);
switch ( rs->sr_err ) {
case LDAP_COMPARE_TRUE:
case LDAP_COMPARE_FALSE:
return LDAP_SUCCESS;
default:
return rs->sr_err;
}
}
int
ldbm_back_compare(
Backend *be,
Connection *conn,
Operation *op,
struct berval *dn,
struct berval *ndn,
AttributeAssertion *ava
)
{
struct ldbminfo *li = (struct ldbminfo *) be->be_private;
Entry *matched;
Entry *e;
Attribute *a;
int rc;
int manageDSAit = get_manageDSAit( op );
/* grab giant lock for reading */
ldap_pvt_thread_rdwr_rlock(&li->li_giant_rwlock);
/* get entry with reader lock */
if ( (e = dn2entry_r( be, ndn, &matched )) == NULL ) {
char *matched_dn = NULL;
BerVarray refs = NULL;
if ( matched != NULL ) {
matched_dn = ch_strdup( matched->e_dn );
refs = is_entry_referral( matched )
? get_entry_referrals( be, conn, op, matched )
: NULL;
cache_return_entry_r( &li->li_cache, matched );
} else {
refs = referral_rewrite( default_referral,
NULL, dn, LDAP_SCOPE_DEFAULT );
}
ldap_pvt_thread_rdwr_runlock(&li->li_giant_rwlock);
send_ldap_result( conn, op, LDAP_REFERRAL,
matched_dn, NULL, refs, NULL );
if ( refs ) ber_bvarray_free( refs );
free( matched_dn );
return( 1 );
}
if (!manageDSAit && is_entry_referral( e ) ) {
/* entry is a referral, don't allow add */
BerVarray refs = get_entry_referrals( be,
conn, op, e );
#ifdef NEW_LOGGING
LDAP_LOG( BACK_LDBM, INFO,
"ldbm_back_compare: entry (%s) is a referral.\n", e->e_dn, 0, 0 );
#else
Debug( LDAP_DEBUG_TRACE, "entry is referral\n", 0,
0, 0 );
#endif
send_ldap_result( conn, op, LDAP_REFERRAL,
e->e_dn, NULL, refs, NULL );
if (refs ) ber_bvarray_free( refs );
rc = 1;
goto return_results;
}
if ( ! access_allowed( be, conn, op, e,
ava->aa_desc, &ava->aa_value, ACL_COMPARE, NULL ) )
{
send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
NULL, NULL, NULL, NULL );
rc = 1;
goto return_results;
}
rc = LDAP_NO_SUCH_ATTRIBUTE;
for(a = attrs_find( e->e_attrs, ava->aa_desc );
a != NULL;
a = attrs_find( a->a_next, ava->aa_desc ))
{
rc = LDAP_COMPARE_FALSE;
if ( value_find( ava->aa_desc, a->a_vals, &ava->aa_value ) == 0 ) {
rc = LDAP_COMPARE_TRUE;
break;
}
}
send_ldap_result( conn, op, rc,
NULL, NULL, NULL, NULL );
if( rc != LDAP_NO_SUCH_ATTRIBUTE ) {
rc = 0;
}
return_results:
;
cache_return_entry_r( &li->li_cache, e );
ldap_pvt_thread_rdwr_runlock(&li->li_giant_rwlock);
return( rc );
}
static int
dynlist_compare( Operation *op, SlapReply *rs )
{
slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
dynlist_info_t *dli = (dynlist_info_t *)on->on_bi.bi_private;
Operation o = *op;
Entry *e = NULL;
dynlist_map_t *dlm;
for ( ; dli != NULL; dli = dli->dli_next ) {
for ( dlm = dli->dli_dlm; dlm; dlm = dlm->dlm_next )
if ( op->oq_compare.rs_ava->aa_desc == dlm->dlm_member_ad )
break;
if ( dli->dli_dlm && dlm ) {
/* This compare is for one of the attributes we're
* interested in. We'll use slapd's existing dyngroup
* evaluator to get the answer we want.
*/
BerVarray id = NULL, authz = NULL;
o.o_do_not_cache = 1;
if ( ad_dgIdentity && backend_attribute( &o, NULL, &o.o_req_ndn,
ad_dgIdentity, &id, ACL_READ ) == LDAP_SUCCESS )
{
/* if not rootdn and dgAuthz is present,
* check if user can be authorized as dgIdentity */
if ( ad_dgAuthz && !BER_BVISEMPTY( id ) && !be_isroot( op )
&& backend_attribute( &o, NULL, &o.o_req_ndn,
ad_dgAuthz, &authz, ACL_READ ) == LDAP_SUCCESS )
{
rs->sr_err = slap_sasl_matches( op, authz,
&o.o_ndn, &o.o_ndn );
ber_bvarray_free_x( authz, op->o_tmpmemctx );
if ( rs->sr_err != LDAP_SUCCESS ) {
goto done;
}
}
o.o_dn = *id;
o.o_ndn = *id;
o.o_groups = NULL; /* authz changed, invalidate cached groups */
}
rs->sr_err = backend_group( &o, NULL, &o.o_req_ndn,
&o.oq_compare.rs_ava->aa_value, dli->dli_oc, dli->dli_ad );
switch ( rs->sr_err ) {
case LDAP_SUCCESS:
rs->sr_err = LDAP_COMPARE_TRUE;
break;
case LDAP_NO_SUCH_OBJECT:
/* NOTE: backend_group() returns noSuchObject
* if op_ndn does not exist; however, since
* dynamic list expansion means that the
* member attribute is virtually present, the
* non-existence of the asserted value implies
* the assertion is FALSE rather than
* UNDEFINED */
rs->sr_err = LDAP_COMPARE_FALSE;
break;
}
done:;
if ( id ) ber_bvarray_free_x( id, o.o_tmpmemctx );
return SLAP_CB_CONTINUE;
}
}
if ( overlay_entry_get_ov( &o, &o.o_req_ndn, NULL, NULL, 0, &e, on ) !=
LDAP_SUCCESS || e == NULL )
{
return SLAP_CB_CONTINUE;
}
if ( ad_dgIdentity ) {
Attribute *id = attrs_find( e->e_attrs, ad_dgIdentity );
if ( id ) {
Attribute *authz;
/* if not rootdn and dgAuthz is present,
* check if user can be authorized as dgIdentity */
if ( ad_dgAuthz && !BER_BVISEMPTY( &id->a_nvals[0] ) && !be_isroot( op )
&& ( authz = attrs_find( e->e_attrs, ad_dgAuthz ) ) )
{
if ( slap_sasl_matches( op, authz->a_nvals,
&o.o_ndn, &o.o_ndn ) != LDAP_SUCCESS )
{
goto release;
}
}
o.o_dn = id->a_vals[0];
o.o_ndn = id->a_nvals[0];
o.o_groups = NULL;
}
}
dli = (dynlist_info_t *)on->on_bi.bi_private;
for ( ; dli != NULL && rs->sr_err != LDAP_COMPARE_TRUE; dli = dli->dli_next ) {
Attribute *a;
slap_callback cb;
SlapReply r = { REP_SEARCH };
AttributeName an[2];
int rc;
dynlist_sc_t dlc = { 0 };
if ( !is_entry_objectclass_or_sub( e, dli->dli_oc ))
continue;
/* if the entry has the right objectClass, generate
* the dynamic list and compare */
dlc.dlc_dli = dli;
cb.sc_private = &dlc;
cb.sc_response = dynlist_sc_save_entry;
cb.sc_cleanup = NULL;
cb.sc_next = NULL;
o.o_callback = &cb;
o.o_tag = LDAP_REQ_SEARCH;
o.ors_limit = NULL;
o.ors_tlimit = SLAP_NO_LIMIT;
o.ors_slimit = SLAP_NO_LIMIT;
o.o_bd = select_backend( &o.o_req_ndn, 1 );
if ( !o.o_bd || !o.o_bd->be_search ) {
goto release;
}
o.ors_filterstr = *slap_filterstr_objectClass_pres;
o.ors_filter = (Filter *) slap_filter_objectClass_pres;
o.ors_scope = LDAP_SCOPE_BASE;
o.ors_deref = LDAP_DEREF_NEVER;
an[0].an_name = op->orc_ava->aa_desc->ad_cname;
an[0].an_desc = op->orc_ava->aa_desc;
BER_BVZERO( &an[1].an_name );
o.ors_attrs = an;
o.ors_attrsonly = 0;
o.o_acl_priv = ACL_COMPARE;
rc = o.o_bd->be_search( &o, &r );
if ( o.o_dn.bv_val != op->o_dn.bv_val ) {
slap_op_groups_free( &o );
}
if ( rc != 0 ) {
goto release;
}
if ( dlc.dlc_e != NULL ) {
r.sr_entry = dlc.dlc_e;
}
if ( r.sr_err != LDAP_SUCCESS || r.sr_entry == NULL ) {
/* error? */
goto release;
}
for ( a = attrs_find( r.sr_entry->e_attrs, op->orc_ava->aa_desc );
a != NULL;
a = attrs_find( a->a_next, op->orc_ava->aa_desc ) )
{
/* if we're here, we got a match... */
rs->sr_err = LDAP_COMPARE_FALSE;
if ( attr_valfind( a,
SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
&op->orc_ava->aa_value, NULL, op->o_tmpmemctx ) == 0 )
{
rs->sr_err = LDAP_COMPARE_TRUE;
break;
}
}
if ( r.sr_flags & REP_ENTRY_MUSTBEFREED ) {
entry_free( r.sr_entry );
}
}
release:;
if ( e != NULL ) {
overlay_entry_release_ov( &o, e, 0, on );
}
return SLAP_CB_CONTINUE;
}
static int
dynlist_compare( Operation *op, SlapReply *rs )
{
slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
dynlist_info_t *dli = (dynlist_info_t *)on->on_bi.bi_private;
Operation o = *op;
Entry *e = NULL;
dynlist_map_t *dlm;
BackendDB *be;
for ( ; dli != NULL; dli = dli->dli_next ) {
for ( dlm = dli->dli_dlm; dlm; dlm = dlm->dlm_next )
if ( op->oq_compare.rs_ava->aa_desc == dlm->dlm_member_ad )
break;
if ( dlm ) {
/* This compare is for one of the attributes we're
* interested in. We'll use slapd's existing dyngroup
* evaluator to get the answer we want.
*/
BerVarray id = NULL, authz = NULL;
o.o_do_not_cache = 1;
if ( ad_dgIdentity && backend_attribute( &o, NULL, &o.o_req_ndn,
ad_dgIdentity, &id, ACL_READ ) == LDAP_SUCCESS )
{
/* if not rootdn and dgAuthz is present,
* check if user can be authorized as dgIdentity */
if ( ad_dgAuthz && !BER_BVISEMPTY( id ) && !be_isroot( op )
&& backend_attribute( &o, NULL, &o.o_req_ndn,
ad_dgAuthz, &authz, ACL_READ ) == LDAP_SUCCESS )
{
rs->sr_err = slap_sasl_matches( op, authz,
&o.o_ndn, &o.o_ndn );
ber_bvarray_free_x( authz, op->o_tmpmemctx );
if ( rs->sr_err != LDAP_SUCCESS ) {
goto done;
}
}
o.o_dn = *id;
o.o_ndn = *id;
o.o_groups = NULL; /* authz changed, invalidate cached groups */
}
rs->sr_err = backend_group( &o, NULL, &o.o_req_ndn,
&o.oq_compare.rs_ava->aa_value, dli->dli_oc, dli->dli_ad );
switch ( rs->sr_err ) {
case LDAP_SUCCESS:
rs->sr_err = LDAP_COMPARE_TRUE;
break;
case LDAP_NO_SUCH_OBJECT:
/* NOTE: backend_group() returns noSuchObject
* if op_ndn does not exist; however, since
* dynamic list expansion means that the
* member attribute is virtually present, the
* non-existence of the asserted value implies
* the assertion is FALSE rather than
* UNDEFINED */
rs->sr_err = LDAP_COMPARE_FALSE;
break;
}
done:;
if ( id ) ber_bvarray_free_x( id, o.o_tmpmemctx );
return SLAP_CB_CONTINUE;
}
}
be = select_backend( &o.o_req_ndn, 1 );
if ( !be || !be->be_search ) {
return SLAP_CB_CONTINUE;
}
if ( overlay_entry_get_ov( &o, &o.o_req_ndn, NULL, NULL, 0, &e, on ) !=
LDAP_SUCCESS || e == NULL )
{
return SLAP_CB_CONTINUE;
}
/* check for dynlist objectClass; done if not found */
dli = (dynlist_info_t *)on->on_bi.bi_private;
while ( dli != NULL && !is_entry_objectclass_or_sub( e, dli->dli_oc ) ) {
dli = dli->dli_next;
}
if ( dli == NULL ) {
goto release;
}
if ( ad_dgIdentity ) {
Attribute *id = attrs_find( e->e_attrs, ad_dgIdentity );
if ( id ) {
Attribute *authz;
/* if not rootdn and dgAuthz is present,
* check if user can be authorized as dgIdentity */
if ( ad_dgAuthz && !BER_BVISEMPTY( &id->a_nvals[0] ) && !be_isroot( op )
&& ( authz = attrs_find( e->e_attrs, ad_dgAuthz ) ) )
{
if ( slap_sasl_matches( op, authz->a_nvals,
&o.o_ndn, &o.o_ndn ) != LDAP_SUCCESS )
{
goto release;
}
}
o.o_dn = id->a_vals[0];
o.o_ndn = id->a_nvals[0];
o.o_groups = NULL;
}
}
/* generate dynamic list with dynlist_response() and compare */
{
SlapReply r = { REP_SEARCH };
dynlist_cc_t dc = { { 0, dynlist_sc_compare_entry, 0, 0 }, 0 };
AttributeName an[2];
dc.dc_ava = op->orc_ava;
dc.dc_res = &rs->sr_err;
o.o_callback = (slap_callback *) &dc;
o.o_tag = LDAP_REQ_SEARCH;
o.ors_limit = NULL;
o.ors_tlimit = SLAP_NO_LIMIT;
o.ors_slimit = SLAP_NO_LIMIT;
o.ors_filterstr = *slap_filterstr_objectClass_pres;
o.ors_filter = (Filter *) slap_filter_objectClass_pres;
o.ors_scope = LDAP_SCOPE_BASE;
o.ors_deref = LDAP_DEREF_NEVER;
an[0].an_name = op->orc_ava->aa_desc->ad_cname;
an[0].an_desc = op->orc_ava->aa_desc;
BER_BVZERO( &an[1].an_name );
o.ors_attrs = an;
o.ors_attrsonly = 0;
o.o_acl_priv = ACL_COMPARE;
o.o_bd = be;
(void)be->be_search( &o, &r );
if ( o.o_dn.bv_val != op->o_dn.bv_val ) {
slap_op_groups_free( &o );
}
}
release:;
if ( e != NULL ) {
overlay_entry_release_ov( &o, e, 0, on );
}
return SLAP_CB_CONTINUE;
}
static int test_mra_filter(
Operation *op,
Entry *e,
MatchingRuleAssertion *mra )
{
Attribute *a;
void *memctx;
BER_MEMFREE_FN *memfree;
#ifdef LDAP_COMP_MATCH
int i, num_attr_vals = 0;
#endif
if ( op == NULL ) {
memctx = NULL;
memfree = slap_sl_free;
} else {
memctx = op->o_tmpmemctx;
memfree = op->o_tmpfree;
}
if ( mra->ma_desc ) {
/*
* if ma_desc is available, then we're filtering for
* one attribute, and SEARCH permissions can be checked
* directly.
*/
if ( !access_allowed( op, e,
mra->ma_desc, &mra->ma_value, ACL_SEARCH, NULL ) )
{
return LDAP_INSUFFICIENT_ACCESS;
}
if ( mra->ma_desc == slap_schema.si_ad_entryDN ) {
int ret, rc;
const char *text;
rc = value_match( &ret, slap_schema.si_ad_entryDN, mra->ma_rule,
SLAP_MR_EXT, &e->e_nname, &mra->ma_value, &text );
if( rc != LDAP_SUCCESS ) return rc;
if ( ret == 0 ) return LDAP_COMPARE_TRUE;
return LDAP_COMPARE_FALSE;
}
for ( a = attrs_find( e->e_attrs, mra->ma_desc );
a != NULL;
a = attrs_find( a->a_next, mra->ma_desc ) )
{
struct berval *bv;
int normalize_attribute = 0;
#ifdef LDAP_COMP_MATCH
/* Component Matching */
if ( mra->ma_cf && mra->ma_rule->smr_usage & SLAP_MR_COMPONENT ) {
num_attr_vals = 0;
if ( !a->a_comp_data ) {
num_attr_vals = a->a_numvals;
if ( num_attr_vals <= 0 ) {
/* no attribute value */
return LDAP_INAPPROPRIATE_MATCHING;
}
num_attr_vals++;
/* following malloced will be freed by comp_tree_free () */
a->a_comp_data = SLAP_MALLOC( sizeof( ComponentData ) +
sizeof( ComponentSyntaxInfo* )*num_attr_vals );
if ( !a->a_comp_data ) return LDAP_NO_MEMORY;
a->a_comp_data->cd_tree = (ComponentSyntaxInfo**)
((char*)a->a_comp_data + sizeof(ComponentData));
a->a_comp_data->cd_tree[num_attr_vals - 1] =
(ComponentSyntaxInfo*) NULL;
a->a_comp_data->cd_mem_op =
nibble_mem_allocator( 1024*16, 1024 );
}
}
#endif
/* If ma_rule is not the same as the attribute's
* normal rule, then we can't use the a_nvals.
*/
if ( mra->ma_rule == a->a_desc->ad_type->sat_equality ) {
bv = a->a_nvals;
} else {
bv = a->a_vals;
normalize_attribute = 1;
}
#ifdef LDAP_COMP_MATCH
i = 0;
#endif
for ( ; !BER_BVISNULL( bv ); bv++ ) {
int ret;
int rc;
const char *text;
#ifdef LDAP_COMP_MATCH
if ( mra->ma_cf &&
mra->ma_rule->smr_usage & SLAP_MR_COMPONENT )
{
/* Check if decoded component trees are already linked */
if ( num_attr_vals ) {
a->a_comp_data->cd_tree[i] = attr_converter(
a, a->a_desc->ad_type->sat_syntax, bv );
}
/* decoding error */
if ( !a->a_comp_data->cd_tree[i] ) {
return LDAP_OPERATIONS_ERROR;
}
rc = value_match( &ret, a->a_desc, mra->ma_rule,
SLAP_MR_COMPONENT,
(struct berval*)a->a_comp_data->cd_tree[i++],
(void*)mra, &text );
} else
#endif
{
struct berval nbv = BER_BVNULL;
if ( normalize_attribute && mra->ma_rule->smr_normalize ) {
/*
Document: RFC 4511
4.5.1. Search Request
...
If the type field is present and the matchingRule is present,
the matchValue is compared against entry attributes of the
specified type. In this case, the matchingRule MUST be one
suitable for use with the specified type (see [RFC4517]),
otherwise the filter item is Undefined.
In this case, since the matchingRule requires the assertion
value to be normalized, we normalize the attribute value
according to the syntax of the matchingRule.
This should likely be done inside value_match(), by passing
the appropriate flags, but this is not done at present.
See ITS#3406.
*/
if ( mra->ma_rule->smr_normalize(
SLAP_MR_VALUE_OF_ATTRIBUTE_SYNTAX,
mra->ma_rule->smr_syntax,
mra->ma_rule,
bv, &nbv, memctx ) != LDAP_SUCCESS )
{
/* FIXME: stop processing? */
continue;
}
} else {
nbv = *bv;
}
rc = value_match( &ret, a->a_desc, mra->ma_rule,
SLAP_MR_EXT, &nbv, &mra->ma_value, &text );
if ( nbv.bv_val != bv->bv_val ) {
memfree( nbv.bv_val, memctx );
}
}
if ( rc != LDAP_SUCCESS ) return rc;
if ( ret == 0 ) return LDAP_COMPARE_TRUE;
}
}
} else {
/*
* No attribute description: test all
*/
for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
struct berval *bv, value;
const char *text = NULL;
int rc;
int normalize_attribute = 0;
/* check if matching is appropriate */
if ( !mr_usable_with_at( mra->ma_rule, a->a_desc->ad_type ) ) {
continue;
}
/* normalize for equality */
rc = asserted_value_validate_normalize( a->a_desc, mra->ma_rule,
SLAP_MR_EXT|SLAP_MR_VALUE_OF_ASSERTION_SYNTAX,
&mra->ma_value, &value, &text, memctx );
if ( rc != LDAP_SUCCESS ) continue;
/* check search access */
if ( !access_allowed( op, e,
a->a_desc, &value, ACL_SEARCH, NULL ) )
{
memfree( value.bv_val, memctx );
continue;
}
#ifdef LDAP_COMP_MATCH
/* Component Matching */
if ( mra->ma_cf &&
mra->ma_rule->smr_usage & SLAP_MR_COMPONENT )
{
int ret;
rc = value_match( &ret, a->a_desc, mra->ma_rule,
SLAP_MR_COMPONENT,
(struct berval*)a, (void*)mra, &text );
if ( rc != LDAP_SUCCESS ) break;
if ( ret == 0 ) {
rc = LDAP_COMPARE_TRUE;
break;
}
}
#endif
/* check match */
if ( mra->ma_rule == a->a_desc->ad_type->sat_equality ) {
bv = a->a_nvals;
} else {
bv = a->a_vals;
normalize_attribute = 1;
}
for ( ; !BER_BVISNULL( bv ); bv++ ) {
int ret;
struct berval nbv = BER_BVNULL;
if ( normalize_attribute && mra->ma_rule->smr_normalize ) {
/* see comment above */
if ( mra->ma_rule->smr_normalize(
SLAP_MR_VALUE_OF_ATTRIBUTE_SYNTAX,
mra->ma_rule->smr_syntax,
mra->ma_rule,
bv, &nbv, memctx ) != LDAP_SUCCESS )
{
/* FIXME: stop processing? */
continue;
}
} else {
nbv = *bv;
}
rc = value_match( &ret, a->a_desc, mra->ma_rule,
SLAP_MR_EXT, &nbv, &value, &text );
if ( nbv.bv_val != bv->bv_val ) {
memfree( nbv.bv_val, memctx );
}
if ( rc != LDAP_SUCCESS ) break;
if ( ret == 0 ) {
rc = LDAP_COMPARE_TRUE;
break;
}
}
memfree( value.bv_val, memctx );
if ( rc != LDAP_SUCCESS ) return rc;
}
}
/* check attrs in DN AVAs if required */
if ( mra->ma_dnattrs && !BER_BVISEMPTY( &e->e_nname ) ) {
LDAPDN dn = NULL;
int iRDN, iAVA;
int rc;
/* parse and pretty the dn */
rc = dnPrettyDN( NULL, &e->e_name, &dn, memctx );
if ( rc != LDAP_SUCCESS ) {
return LDAP_INVALID_SYNTAX;
}
/* for each AVA of each RDN ... */
for ( iRDN = 0; dn[ iRDN ]; iRDN++ ) {
LDAPRDN rdn = dn[ iRDN ];
for ( iAVA = 0; rdn[ iAVA ]; iAVA++ ) {
LDAPAVA *ava = rdn[ iAVA ];
struct berval *bv = &ava->la_value,
value = BER_BVNULL,
nbv = BER_BVNULL;
AttributeDescription *ad =
(AttributeDescription *)ava->la_private;
int ret;
const char *text;
assert( ad != NULL );
if ( mra->ma_desc ) {
/* have a mra type? check for subtype */
if ( !is_ad_subtype( ad, mra->ma_desc ) ) {
continue;
}
value = mra->ma_value;
} else {
const char *text = NULL;
/* check if matching is appropriate */
if ( !mr_usable_with_at( mra->ma_rule, ad->ad_type ) ) {
continue;
}
/* normalize for equality */
rc = asserted_value_validate_normalize( ad,
mra->ma_rule,
SLAP_MR_EXT|SLAP_MR_VALUE_OF_ASSERTION_SYNTAX,
&mra->ma_value, &value, &text, memctx );
if ( rc != LDAP_SUCCESS ) continue;
/* check search access */
if ( !access_allowed( op, e,
ad, &value, ACL_SEARCH, NULL ) )
{
memfree( value.bv_val, memctx );
continue;
}
}
if ( mra->ma_rule->smr_normalize ) {
/* see comment above */
if ( mra->ma_rule->smr_normalize(
SLAP_MR_VALUE_OF_ATTRIBUTE_SYNTAX,
mra->ma_rule->smr_syntax,
mra->ma_rule,
bv, &nbv, memctx ) != LDAP_SUCCESS )
{
/* FIXME: stop processing? */
rc = LDAP_SUCCESS;
ret = -1;
goto cleanup;
}
} else {
nbv = *bv;
}
/* check match */
rc = value_match( &ret, ad, mra->ma_rule, SLAP_MR_EXT,
&nbv, &value, &text );
cleanup:;
if ( !BER_BVISNULL( &value ) && value.bv_val != mra->ma_value.bv_val ) {
memfree( value.bv_val, memctx );
}
if ( !BER_BVISNULL( &nbv ) && nbv.bv_val != bv->bv_val ) {
memfree( nbv.bv_val, memctx );
}
if ( rc == LDAP_SUCCESS && ret == 0 ) rc = LDAP_COMPARE_TRUE;
if ( rc != LDAP_SUCCESS ) {
ldap_dnfree_x( dn, memctx );
return rc;
}
}
}
ldap_dnfree_x( dn, memctx );
}
return LDAP_COMPARE_FALSE;
}
static int
autogroup_response( Operation *op, SlapReply *rs )
{
slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
autogroup_info_t *agi = (autogroup_info_t *)on->on_bi.bi_private;
autogroup_def_t *agd = agi->agi_def;
autogroup_entry_t *age = agi->agi_entry;
autogroup_filter_t *agf;
BerValue new_dn, new_ndn, pdn;
Entry *e, *group;
Attribute *a;
int is_olddn, is_newdn, dn_equal;
if ( op->o_tag == LDAP_REQ_MODRDN ) {
if ( rs->sr_type == REP_RESULT && rs->sr_err == LDAP_SUCCESS && !get_manageDSAit( op )) {
Debug( LDAP_DEBUG_TRACE, "==> autogroup_response MODRDN from <%s>\n", op->o_req_dn.bv_val, 0, 0);
ldap_pvt_thread_mutex_lock( &agi->agi_mutex );
if ( op->oq_modrdn.rs_newSup ) {
pdn = *op->oq_modrdn.rs_newSup;
} else {
dnParent( &op->o_req_dn, &pdn );
}
build_new_dn( &new_dn, &pdn, &op->orr_newrdn, op->o_tmpmemctx );
if ( op->oq_modrdn.rs_nnewSup ) {
pdn = *op->oq_modrdn.rs_nnewSup;
} else {
dnParent( &op->o_req_ndn, &pdn );
}
build_new_dn( &new_ndn, &pdn, &op->orr_nnewrdn, op->o_tmpmemctx );
Debug( LDAP_DEBUG_TRACE, "autogroup_response MODRDN to <%s>\n", new_dn.bv_val, 0, 0);
dnMatch( &dn_equal, 0, NULL, NULL, &op->o_req_ndn, &new_ndn );
if ( overlay_entry_get_ov( op, &new_ndn, NULL, NULL, 0, &e, on ) !=
LDAP_SUCCESS || e == NULL ) {
Debug( LDAP_DEBUG_TRACE, "autogroup_response MODRDN cannot get entry for <%s>\n", new_dn.bv_val, 0, 0);
ldap_pvt_thread_mutex_unlock( &agi->agi_mutex );
return SLAP_CB_CONTINUE;
}
a = attrs_find( e->e_attrs, slap_schema.si_ad_objectClass );
if ( a == NULL ) {
Debug( LDAP_DEBUG_TRACE, "autogroup_response MODRDN entry <%s> has no objectClass\n", new_dn.bv_val, 0, 0);
overlay_entry_release_ov( op, e, 0, on );
ldap_pvt_thread_mutex_unlock( &agi->agi_mutex );
return SLAP_CB_CONTINUE;
}
/* If a groups DN is modified, just update age_dn/ndn of that group with the new DN. */
for ( ; agd; agd = agd->agd_next ) {
if ( value_find_ex( slap_schema.si_ad_objectClass,
SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
a->a_nvals, &agd->agd_oc->soc_cname,
op->o_tmpmemctx ) == 0 )
{
for ( age = agi->agi_entry ; age ; age = age->age_next ) {
int match = 1;
dnMatch( &match, 0, NULL, NULL, &age->age_ndn, &op->o_req_ndn );
if ( match == 0 ) {
Debug( LDAP_DEBUG_TRACE, "autogroup_response MODRDN updating group's DN to <%s>\n", new_dn.bv_val, 0, 0);
ber_dupbv( &age->age_dn, &new_dn );
ber_dupbv( &age->age_ndn, &new_ndn );
op->o_tmpfree( new_dn.bv_val, op->o_tmpmemctx );
op->o_tmpfree( new_ndn.bv_val, op->o_tmpmemctx );
overlay_entry_release_ov( op, e, 0, on );
ldap_pvt_thread_mutex_unlock( &agi->agi_mutex );
return SLAP_CB_CONTINUE;
}
}
}
}
overlay_entry_release_ov( op, e, 0, on );
/* For each group:
1. check if the orginal entry's DN is in the group.
2. chceck if the any of the group filter's base DN is a suffix of the new DN
If 1 and 2 are both false, we do nothing.
If 1 and 2 is true, we remove the old DN from the group, and add the new DN.
If 1 is false, and 2 is true, we check the entry against the group's filters,
and add it's DN to the group.
If 1 is true, and 2 is false, we delete the entry's DN from the group.
*/
for ( age = agi->agi_entry ; age ; age = age->age_next ) {
is_olddn = 0;
is_newdn = 0;
ldap_pvt_thread_mutex_lock( &age->age_mutex );
if ( overlay_entry_get_ov( op, &age->age_ndn, NULL, NULL, 0, &group, on ) !=
LDAP_SUCCESS || group == NULL ) {
Debug( LDAP_DEBUG_TRACE, "autogroup_response MODRDN cannot get group entry <%s>\n", age->age_dn.bv_val, 0, 0);
op->o_tmpfree( new_dn.bv_val, op->o_tmpmemctx );
op->o_tmpfree( new_ndn.bv_val, op->o_tmpmemctx );
ldap_pvt_thread_mutex_unlock( &age->age_mutex );
ldap_pvt_thread_mutex_unlock( &agi->agi_mutex );
return SLAP_CB_CONTINUE;
}
a = attrs_find( group->e_attrs, age->age_def->agd_member_ad );
if ( a != NULL ) {
if ( value_find_ex( age->age_def->agd_member_ad,
SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
a->a_nvals, &op->o_req_ndn, op->o_tmpmemctx ) == 0 )
{
is_olddn = 1;
}
}
overlay_entry_release_ov( op, group, 0, on );
for ( agf = age->age_filter ; agf ; agf = agf->agf_next ) {
if ( dnIsSuffix( &new_ndn, &agf->agf_ndn ) ) {
is_newdn = 1;
break;
}
}
if ( is_olddn == 1 && is_newdn == 0 ) {
autogroup_delete_member_from_group( op, &op->o_req_dn, &op->o_req_ndn, age );
} else
if ( is_olddn == 0 && is_newdn == 1 ) {
for ( agf = age->age_filter; agf; agf = agf->agf_next ) {
if ( test_filter( op, e, agf->agf_filter ) == LDAP_COMPARE_TRUE ) {
autogroup_add_member_to_group( op, &new_dn, &new_ndn, age );
break;
}
}
} else
if ( is_olddn == 1 && is_newdn == 1 && dn_equal != 0 ) {
autogroup_delete_member_from_group( op, &op->o_req_dn, &op->o_req_ndn, age );
autogroup_add_member_to_group( op, &new_dn, &new_ndn, age );
}
ldap_pvt_thread_mutex_unlock( &age->age_mutex );
}
op->o_tmpfree( new_dn.bv_val, op->o_tmpmemctx );
op->o_tmpfree( new_ndn.bv_val, op->o_tmpmemctx );
ldap_pvt_thread_mutex_unlock( &agi->agi_mutex );
}
}
if ( op->o_tag == LDAP_REQ_MODIFY ) {
if ( rs->sr_type == REP_RESULT && rs->sr_err == LDAP_SUCCESS && !get_manageDSAit( op ) ) {
Debug( LDAP_DEBUG_TRACE, "==> autogroup_response MODIFY <%s>\n", op->o_req_dn.bv_val, 0, 0);
ldap_pvt_thread_mutex_lock( &agi->agi_mutex );
if ( overlay_entry_get_ov( op, &op->o_req_ndn, NULL, NULL, 0, &e, on ) !=
LDAP_SUCCESS || e == NULL ) {
Debug( LDAP_DEBUG_TRACE, "autogroup_response MODIFY cannot get entry for <%s>\n", op->o_req_dn.bv_val, 0, 0);
ldap_pvt_thread_mutex_unlock( &agi->agi_mutex );
return SLAP_CB_CONTINUE;
}
a = attrs_find( e->e_attrs, slap_schema.si_ad_objectClass );
if ( a == NULL ) {
Debug( LDAP_DEBUG_TRACE, "autogroup_response MODIFY entry <%s> has no objectClass\n", op->o_req_dn.bv_val, 0, 0);
overlay_entry_release_ov( op, e, 0, on );
ldap_pvt_thread_mutex_unlock( &agi->agi_mutex );
return SLAP_CB_CONTINUE;
}
/* If we modify a group's memberURL, we have to delete all of it's members,
and add them anew, because we cannot tell from which memberURL a member was added. */
for ( ; agd; agd = agd->agd_next ) {
if ( value_find_ex( slap_schema.si_ad_objectClass,
SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
a->a_nvals, &agd->agd_oc->soc_cname,
op->o_tmpmemctx ) == 0 )
{
Modifications *m;
int match = 1;
m = op->orm_modlist;
for ( ; age ; age = age->age_next ) {
ldap_pvt_thread_mutex_lock( &age->age_mutex );
dnMatch( &match, 0, NULL, NULL, &op->o_req_ndn, &age->age_ndn );
if ( match == 0 ) {
for ( ; m ; m = m->sml_next ) {
if ( m->sml_desc == age->age_def->agd_member_url_ad ) {
autogroup_def_t *group_agd = age->age_def;
Debug( LDAP_DEBUG_TRACE, "autogroup_response MODIFY changing memberURL for group <%s>\n",
op->o_req_dn.bv_val, 0, 0);
overlay_entry_release_ov( op, e, 0, on );
autogroup_delete_member_from_group( op, NULL, NULL, age );
autogroup_delete_group( agi, age );
autogroup_add_group( op, agi, group_agd, NULL, &op->o_req_ndn, 1, 1);
ldap_pvt_thread_mutex_unlock( &agi->agi_mutex );
return SLAP_CB_CONTINUE;
}
}
ldap_pvt_thread_mutex_unlock( &age->age_mutex );
break;
}
ldap_pvt_thread_mutex_unlock( &age->age_mutex );
}
overlay_entry_release_ov( op, e, 0, on );
ldap_pvt_thread_mutex_unlock( &agi->agi_mutex );
return SLAP_CB_CONTINUE;
}
}
overlay_entry_release_ov( op, e, 0, on );
/* When modifing any of the attributes of an entry, we must
check if the entry is in any of our groups, and if
the modified entry maches any of the filters of that group.
If the entry exists in a group, but the modified attributes do
not match any of the group's filters, we delete the entry from that group.
If the entry doesn't exist in a group, but matches a filter,
we add it to that group.
*/
for ( age = agi->agi_entry ; age ; age = age->age_next ) {
is_olddn = 0;
is_newdn = 0;
ldap_pvt_thread_mutex_lock( &age->age_mutex );
if ( overlay_entry_get_ov( op, &age->age_ndn, NULL, NULL, 0, &group, on ) !=
LDAP_SUCCESS || group == NULL ) {
Debug( LDAP_DEBUG_TRACE, "autogroup_response MODIFY cannot get entry for <%s>\n",
age->age_dn.bv_val, 0, 0);
ldap_pvt_thread_mutex_unlock( &age->age_mutex );
ldap_pvt_thread_mutex_unlock( &agi->agi_mutex );
return SLAP_CB_CONTINUE;
}
a = attrs_find( group->e_attrs, age->age_def->agd_member_ad );
if ( a != NULL ) {
if ( value_find_ex( age->age_def->agd_member_ad,
SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
a->a_nvals, &op->o_req_ndn, op->o_tmpmemctx ) == 0 )
{
is_olddn = 1;
}
}
overlay_entry_release_ov( op, group, 0, on );
for ( agf = age->age_filter ; agf ; agf = agf->agf_next ) {
if ( dnIsSuffix( &op->o_req_ndn, &agf->agf_ndn ) ) {
if ( test_filter( op, e, agf->agf_filter ) == LDAP_COMPARE_TRUE ) {
is_newdn = 1;
break;
}
}
}
if ( is_olddn == 1 && is_newdn == 0 ) {
autogroup_delete_member_from_group( op, &op->o_req_dn, &op->o_req_ndn, age );
} else
if ( is_olddn == 0 && is_newdn == 1 ) {
autogroup_add_member_to_group( op, &op->o_req_dn, &op->o_req_ndn, age );
}
ldap_pvt_thread_mutex_unlock( &age->age_mutex );
}
ldap_pvt_thread_mutex_unlock( &agi->agi_mutex );
}
}
return SLAP_CB_CONTINUE;
}
int
bdb_compare( Operation *op, SlapReply *rs )
{
struct bdb_info *bdb = (struct bdb_info *) op->o_bd->be_private;
Entry *e = NULL;
EntryInfo *ei;
Attribute *a;
int manageDSAit = get_manageDSAit( op );
BDB_LOCKER locker;
DB_LOCK lock;
rs->sr_err = LOCK_ID(bdb->bi_dbenv, &locker);
switch(rs->sr_err) {
case 0:
break;
default:
send_ldap_error( op, rs, LDAP_OTHER, "internal error" );
return rs->sr_err;
}
dn2entry_retry:
/* get entry */
rs->sr_err = bdb_dn2entry( op, NULL, &op->o_req_ndn, &ei, 1,
locker, &lock );
switch( rs->sr_err ) {
case DB_NOTFOUND:
case 0:
break;
case LDAP_BUSY:
rs->sr_text = "ldap server busy";
goto return_results;
case DB_LOCK_DEADLOCK:
case DB_LOCK_NOTGRANTED:
goto dn2entry_retry;
default:
rs->sr_err = LDAP_OTHER;
rs->sr_text = "internal error";
goto return_results;
}
e = ei->bei_e;
if ( rs->sr_err == DB_NOTFOUND ) {
if ( e != NULL ) {
/* return referral only if "disclose" is granted on the object */
if ( ! access_allowed( op, e, slap_schema.si_ad_entry,
NULL, ACL_DISCLOSE, NULL ) )
{
rs->sr_err = LDAP_NO_SUCH_OBJECT;
} else {
rs->sr_matched = ch_strdup( e->e_dn );
rs->sr_ref = is_entry_referral( e )
? get_entry_referrals( op, e )
: NULL;
rs->sr_err = LDAP_REFERRAL;
}
bdb_cache_return_entry_r( bdb, e, &lock );
e = NULL;
} else {
rs->sr_ref = referral_rewrite( default_referral,
NULL, &op->o_req_dn, LDAP_SCOPE_DEFAULT );
rs->sr_err = rs->sr_ref ? LDAP_REFERRAL : LDAP_NO_SUCH_OBJECT;
}
send_ldap_result( op, rs );
ber_bvarray_free( rs->sr_ref );
free( (char *)rs->sr_matched );
rs->sr_ref = NULL;
rs->sr_matched = NULL;
goto done;
}
if (!manageDSAit && is_entry_referral( e ) ) {
/* return referral only if "disclose" is granted on the object */
if ( !access_allowed( op, e, slap_schema.si_ad_entry,
NULL, ACL_DISCLOSE, NULL ) )
{
rs->sr_err = LDAP_NO_SUCH_OBJECT;
} else {
/* entry is a referral, don't allow compare */
rs->sr_ref = get_entry_referrals( op, e );
rs->sr_err = LDAP_REFERRAL;
rs->sr_matched = e->e_name.bv_val;
}
Debug( LDAP_DEBUG_TRACE, "entry is referral\n", 0, 0, 0 );
send_ldap_result( op, rs );
ber_bvarray_free( rs->sr_ref );
rs->sr_ref = NULL;
rs->sr_matched = NULL;
goto done;
}
if ( get_assert( op ) &&
( test_filter( op, e, get_assertion( op )) != LDAP_COMPARE_TRUE ))
{
if ( !access_allowed( op, e, slap_schema.si_ad_entry,
NULL, ACL_DISCLOSE, NULL ) )
{
rs->sr_err = LDAP_NO_SUCH_OBJECT;
} else {
rs->sr_err = LDAP_ASSERTION_FAILED;
}
goto return_results;
}
if ( !access_allowed( op, e, op->oq_compare.rs_ava->aa_desc,
&op->oq_compare.rs_ava->aa_value, ACL_COMPARE, NULL ) )
{
/* return error only if "disclose"
* is granted on the object */
if ( !access_allowed( op, e, slap_schema.si_ad_entry,
NULL, ACL_DISCLOSE, NULL ) )
{
rs->sr_err = LDAP_NO_SUCH_OBJECT;
} else {
rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
}
goto return_results;
}
rs->sr_err = LDAP_NO_SUCH_ATTRIBUTE;
for ( a = attrs_find( e->e_attrs, op->oq_compare.rs_ava->aa_desc );
a != NULL;
a = attrs_find( a->a_next, op->oq_compare.rs_ava->aa_desc ) )
{
rs->sr_err = LDAP_COMPARE_FALSE;
if ( attr_valfind( a,
SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
&op->oq_compare.rs_ava->aa_value, NULL,
op->o_tmpmemctx ) == 0 )
{
rs->sr_err = LDAP_COMPARE_TRUE;
break;
}
}
return_results:
send_ldap_result( op, rs );
switch ( rs->sr_err ) {
case LDAP_COMPARE_FALSE:
case LDAP_COMPARE_TRUE:
rs->sr_err = LDAP_SUCCESS;
break;
}
done:
/* free entry */
if ( e != NULL ) {
bdb_cache_return_entry_r( bdb, e, &lock );
}
LOCK_ID_FREE ( bdb->bi_dbenv, locker );
return rs->sr_err;
}
int
ndb_back_compare( Operation *op, SlapReply *rs )
{
struct ndb_info *ni = (struct ndb_info *) op->o_bd->be_private;
Entry e = {0};
Attribute *a;
int manageDSAit = get_manageDSAit( op );
NdbArgs NA;
NdbRdns rdns;
struct berval matched;
/* Get our NDB handle */
rs->sr_err = ndb_thread_handle( op, &NA.ndb );
rdns.nr_num = 0;
NA.rdns = &rdns;
e.e_name = op->o_req_dn;
e.e_nname = op->o_req_ndn;
NA.e = &e;
dn2entry_retry:
NA.txn = NA.ndb->startTransaction();
rs->sr_text = NULL;
if( !NA.txn ) {
Debug( LDAP_DEBUG_TRACE,
LDAP_XSTRING(ndb_compare) ": startTransaction failed: %s (%d)\n",
NA.ndb->getNdbError().message, NA.ndb->getNdbError().code, 0 );
rs->sr_err = LDAP_OTHER;
rs->sr_text = "internal error";
goto return_results;
}
NA.ocs = NULL;
/* get entry */
rs->sr_err = ndb_entry_get_info( op, &NA, 0, &matched );
switch( rs->sr_err ) {
case 0:
break;
case LDAP_NO_SUCH_OBJECT:
rs->sr_matched = matched.bv_val;
if ( NA.ocs )
ndb_check_referral( op, rs, &NA );
goto return_results;
case LDAP_BUSY:
rs->sr_text = "ldap server busy";
goto return_results;
#if 0
case DB_LOCK_DEADLOCK:
case DB_LOCK_NOTGRANTED:
goto dn2entry_retry;
#endif
default:
rs->sr_err = LDAP_OTHER;
rs->sr_text = "internal error";
goto return_results;
}
rs->sr_err = ndb_entry_get_data( op, &NA, 0 );
ber_bvarray_free_x( NA.ocs, op->o_tmpmemctx );
if (!manageDSAit && is_entry_referral( &e ) ) {
/* return referral only if "disclose" is granted on the object */
if ( !access_allowed( op, &e, slap_schema.si_ad_entry,
NULL, ACL_DISCLOSE, NULL ) )
{
rs->sr_err = LDAP_NO_SUCH_OBJECT;
} else {
/* entry is a referral, don't allow compare */
rs->sr_ref = get_entry_referrals( op, &e );
rs->sr_err = LDAP_REFERRAL;
rs->sr_matched = e.e_name.bv_val;
rs->sr_flags |= REP_REF_MUSTBEFREED;
}
Debug( LDAP_DEBUG_TRACE, "entry is referral\n", 0, 0, 0 );
goto return_results;
}
if ( get_assert( op ) &&
( test_filter( op, &e, (Filter *)get_assertion( op )) != LDAP_COMPARE_TRUE ))
{
if ( !access_allowed( op, &e, slap_schema.si_ad_entry,
NULL, ACL_DISCLOSE, NULL ) )
{
rs->sr_err = LDAP_NO_SUCH_OBJECT;
} else {
rs->sr_err = LDAP_ASSERTION_FAILED;
}
goto return_results;
}
if ( !access_allowed( op, &e, op->oq_compare.rs_ava->aa_desc,
&op->oq_compare.rs_ava->aa_value, ACL_COMPARE, NULL ) )
{
/* return error only if "disclose"
* is granted on the object */
if ( !access_allowed( op, &e, slap_schema.si_ad_entry,
NULL, ACL_DISCLOSE, NULL ) )
{
rs->sr_err = LDAP_NO_SUCH_OBJECT;
} else {
rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
}
goto return_results;
}
rs->sr_err = LDAP_NO_SUCH_ATTRIBUTE;
for ( a = attrs_find( e.e_attrs, op->oq_compare.rs_ava->aa_desc );
a != NULL;
a = attrs_find( a->a_next, op->oq_compare.rs_ava->aa_desc ) )
{
rs->sr_err = LDAP_COMPARE_FALSE;
if ( attr_valfind( a,
SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
&op->oq_compare.rs_ava->aa_value, NULL,
op->o_tmpmemctx ) == 0 )
{
rs->sr_err = LDAP_COMPARE_TRUE;
break;
}
}
return_results:
NA.txn->close();
if ( e.e_attrs ) {
attrs_free( e.e_attrs );
e.e_attrs = NULL;
}
send_ldap_result( op, rs );
switch ( rs->sr_err ) {
case LDAP_COMPARE_FALSE:
case LDAP_COMPARE_TRUE:
rs->sr_err = LDAP_SUCCESS;
break;
}
return rs->sr_err;
}
static int
aci_mask(
Operation *op,
Entry *e,
AttributeDescription *desc,
struct berval *val,
struct berval *aci,
int nmatch,
regmatch_t *matches,
slap_access_t *grant,
slap_access_t *deny,
slap_aci_scope_t asserted_scope )
{
struct berval bv,
scope,
perms,
type,
opts,
sdn;
int rc;
ACL_INIT( *grant );
ACL_INIT( *deny );
assert( !BER_BVISNULL( &desc->ad_cname ) );
/* parse an aci of the form:
oid # scope # action;rights;attr;rights;attr
$ action;rights;attr;rights;attr # type # subject
[NOTE: the following comment is very outdated,
as the draft version it refers to (Ando, 2004-11-20)].
See draft-ietf-ldapext-aci-model-04.txt section 9.1 for
a full description of the format for this attribute.
Differences: "this" in the draft is "self" here, and
"self" and "public" is in the position of type.
<scope> = {entry|children|subtree}
<type> = {public|users|access-id|subtree|onelevel|children|
self|dnattr|group|role|set|set-ref}
This routine now supports scope={ENTRY,CHILDREN}
with the semantics:
- ENTRY applies to "entry" and "subtree";
- CHILDREN applies to "children" and "subtree"
*/
/* check that the aci has all 5 components */
if ( acl_get_part( aci, 4, '#', NULL ) < 0 ) {
return 0;
}
/* check that the aci family is supported */
/* FIXME: the OID is ignored? */
if ( acl_get_part( aci, 0, '#', &bv ) < 0 ) {
return 0;
}
/* check that the scope matches */
if ( acl_get_part( aci, 1, '#', &scope ) < 0 ) {
return 0;
}
/* note: scope can be either ENTRY or CHILDREN;
* they respectively match "entry" and "children" in bv
* both match "subtree" */
switch ( asserted_scope ) {
case SLAP_ACI_SCOPE_ENTRY:
if ( ber_bvcmp( &scope, &aci_bv[ ACI_BV_ENTRY ] ) != 0
&& ber_bvstrcasecmp( &scope, &aci_bv[ ACI_BV_SUBTREE ] ) != 0 )
{
return 0;
}
break;
case SLAP_ACI_SCOPE_CHILDREN:
if ( ber_bvcmp( &scope, &aci_bv[ ACI_BV_CHILDREN ] ) != 0
&& ber_bvstrcasecmp( &scope, &aci_bv[ ACI_BV_SUBTREE ] ) != 0 )
{
return 0;
}
break;
case SLAP_ACI_SCOPE_SUBTREE:
/* TODO: add assertion? */
return 0;
}
/* get the list of permissions clauses, bail if empty */
if ( acl_get_part( aci, 2, '#', &perms ) <= 0 ) {
LDAP_BUG();
return 0;
}
/* check if any permissions allow desired access */
if ( aci_list_get_rights( &perms, &desc->ad_cname, val, grant, deny ) == 0 ) {
return 0;
}
/* see if we have a DN match */
if ( acl_get_part( aci, 3, '#', &type ) < 0 ) {
LDAP_BUG();
return 0;
}
/* see if we have a public (i.e. anonymous) access */
if ( ber_bvcmp( &aci_bv[ ACI_BV_PUBLIC ], &type ) == 0 ) {
return 1;
}
/* otherwise require an identity */
if ( BER_BVISNULL( &op->o_ndn ) || BER_BVISEMPTY( &op->o_ndn ) ) {
return 0;
}
/* see if we have a users access */
if ( ber_bvcmp( &aci_bv[ ACI_BV_USERS ], &type ) == 0 ) {
return 1;
}
/* NOTE: this may fail if a DN contains a valid '#' (unescaped);
* just grab all the berval up to its end (ITS#3303).
* NOTE: the problem could be solved by providing the DN with
* the embedded '#' encoded as hexpairs: "cn=Foo#Bar" would
* become "cn=Foo\23Bar" and be safely used by aci_mask(). */
#if 0
if ( acl_get_part( aci, 4, '#', &sdn ) < 0 ) {
return 0;
}
#endif
sdn.bv_val = type.bv_val + type.bv_len + STRLENOF( "#" );
sdn.bv_len = aci->bv_len - ( sdn.bv_val - aci->bv_val );
/* get the type options, if any */
if ( acl_get_part( &type, 1, '/', &opts ) > 0 ) {
opts.bv_len = type.bv_len - ( opts.bv_val - type.bv_val );
type.bv_len = opts.bv_val - type.bv_val - 1;
} else {
BER_BVZERO( &opts );
}
if ( ber_bvcmp( &aci_bv[ ACI_BV_ACCESS_ID ], &type ) == 0 ) {
return dn_match( &op->o_ndn, &sdn );
} else if ( ber_bvcmp( &aci_bv[ ACI_BV_SUBTREE ], &type ) == 0 ) {
return dnIsSuffix( &op->o_ndn, &sdn );
} else if ( ber_bvcmp( &aci_bv[ ACI_BV_ONELEVEL ], &type ) == 0 ) {
struct berval pdn;
dnParent( &sdn, &pdn );
return dn_match( &op->o_ndn, &pdn );
} else if ( ber_bvcmp( &aci_bv[ ACI_BV_CHILDREN ], &type ) == 0 ) {
return ( !dn_match( &op->o_ndn, &sdn ) && dnIsSuffix( &op->o_ndn, &sdn ) );
} else if ( ber_bvcmp( &aci_bv[ ACI_BV_SELF ], &type ) == 0 ) {
return dn_match( &op->o_ndn, &e->e_nname );
} else if ( ber_bvcmp( &aci_bv[ ACI_BV_DNATTR ], &type ) == 0 ) {
Attribute *at;
AttributeDescription *ad = NULL;
const char *text;
rc = slap_bv2ad( &sdn, &ad, &text );
assert( rc == LDAP_SUCCESS );
rc = 0;
for ( at = attrs_find( e->e_attrs, ad );
at != NULL;
at = attrs_find( at->a_next, ad ) )
{
if ( attr_valfind( at,
SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
&op->o_ndn, NULL, op->o_tmpmemctx ) == 0 )
{
rc = 1;
break;
}
}
return rc;
} else if ( ber_bvcmp( &aci_bv[ ACI_BV_GROUP ], &type ) == 0 ) {
struct berval oc,
at;
if ( BER_BVISNULL( &opts ) ) {
oc = aci_bv[ ACI_BV_GROUP_CLASS ];
at = aci_bv[ ACI_BV_GROUP_ATTR ];
} else {
if ( acl_get_part( &opts, 0, '/', &oc ) < 0 ) {
LDAP_BUG();
}
if ( acl_get_part( &opts, 1, '/', &at ) < 0 ) {
at = aci_bv[ ACI_BV_GROUP_ATTR ];
}
}
if ( aci_group_member( &sdn, &oc, &at, op, e, nmatch, matches ) )
{
return 1;
}
} else if ( ber_bvcmp( &aci_bv[ ACI_BV_ROLE ], &type ) == 0 ) {
struct berval oc,
at;
if ( BER_BVISNULL( &opts ) ) {
oc = aci_bv[ ACI_BV_ROLE_CLASS ];
at = aci_bv[ ACI_BV_ROLE_ATTR ];
} else {
if ( acl_get_part( &opts, 0, '/', &oc ) < 0 ) {
LDAP_BUG();
}
if ( acl_get_part( &opts, 1, '/', &at ) < 0 ) {
at = aci_bv[ ACI_BV_ROLE_ATTR ];
}
}
if ( aci_group_member( &sdn, &oc, &at, op, e, nmatch, matches ) )
{
return 1;
}
} else if ( ber_bvcmp( &aci_bv[ ACI_BV_SET ], &type ) == 0 ) {
if ( acl_match_set( &sdn, op, e, NULL ) ) {
return 1;
}
} else if ( ber_bvcmp( &aci_bv[ ACI_BV_SET_REF ], &type ) == 0 ) {
if ( acl_match_set( &sdn, op, e, (struct berval *)&aci_bv[ ACI_BV_SET_ATTR ] ) ) {
return 1;
}
} else {
/* it passed normalization! */
LDAP_BUG();
}
return 0;
}
int
monitor_back_compare( Operation *op, SlapReply *rs )
{
monitor_info_t *mi = ( monitor_info_t * ) op->o_bd->be_private;
Entry *e, *matched = NULL;
Attribute *a;
int rc;
/* get entry with reader lock */
monitor_cache_dn2entry( op, rs, &op->o_req_ndn, &e, &matched );
if ( e == NULL ) {
rs->sr_err = LDAP_NO_SUCH_OBJECT;
if ( matched ) {
if ( !access_allowed_mask( op, matched,
slap_schema.si_ad_entry,
NULL, ACL_DISCLOSE, NULL, NULL ) )
{
/* do nothing */ ;
} else {
rs->sr_matched = matched->e_dn;
}
}
send_ldap_result( op, rs );
if ( matched ) {
monitor_cache_release( mi, matched );
rs->sr_matched = NULL;
}
return rs->sr_err;
}
rs->sr_err = access_allowed( op, e, op->oq_compare.rs_ava->aa_desc,
&op->oq_compare.rs_ava->aa_value, ACL_COMPARE, NULL );
if ( !rs->sr_err ) {
rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
goto return_results;
}
rs->sr_err = LDAP_NO_SUCH_ATTRIBUTE;
for ( a = attrs_find( e->e_attrs, op->oq_compare.rs_ava->aa_desc );
a != NULL;
a = attrs_find( a->a_next, op->oq_compare.rs_ava->aa_desc )) {
rs->sr_err = LDAP_COMPARE_FALSE;
if ( attr_valfind( a,
SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
&op->oq_compare.rs_ava->aa_value, NULL,
op->o_tmpmemctx ) == 0 )
{
rs->sr_err = LDAP_COMPARE_TRUE;
break;
}
}
return_results:;
rc = rs->sr_err;
switch ( rc ) {
case LDAP_COMPARE_FALSE:
case LDAP_COMPARE_TRUE:
rc = LDAP_SUCCESS;
break;
case LDAP_NO_SUCH_ATTRIBUTE:
break;
default:
if ( !access_allowed_mask( op, e, slap_schema.si_ad_entry,
NULL, ACL_DISCLOSE, NULL, NULL ) )
{
rs->sr_err = LDAP_NO_SUCH_OBJECT;
}
break;
}
send_ldap_result( op, rs );
rs->sr_err = rc;
monitor_cache_release( mi, e );
return rs->sr_err;
}
