int asyncmeta_handle_common_result(LDAPMessage *msg, a_metaconn_t *mc, bm_context_t *bc, int candidate) { a_metainfo_t *mi; a_metatarget_t *mt; a_metasingleconn_t *msc; const char *save_text = NULL, *save_matched = NULL; BerVarray save_ref = NULL; LDAPControl **save_ctrls = NULL; void *matched_ctx = NULL; char *matched = NULL; char *text = NULL; char **refs = NULL; LDAPControl **ctrls = NULL; Operation *op; SlapReply *rs; int rc; mi = mc->mc_info; mt = mi->mi_targets[ candidate ]; msc = &mc->mc_conns[ candidate ]; op = bc->op; rs = &bc->rs; save_text = rs->sr_text, save_matched = rs->sr_matched; save_ref = rs->sr_ref; save_ctrls = rs->sr_ctrls; rs->sr_text = NULL; rs->sr_matched = NULL; rs->sr_ref = NULL; rs->sr_ctrls = NULL; /* only touch when activity actually took place... */ if ( mi->mi_idle_timeout != 0 ) { asyncmeta_set_msc_time(msc); } rc = ldap_parse_result( msc->msc_ldr, msg, &rs->sr_err, &matched, &text, &refs, &ctrls, 0 ); if ( rc == LDAP_SUCCESS ) { rs->sr_text = text; } else { rs->sr_err = rc; } rs->sr_err = slap_map_api2result( rs ); /* RFC 4511: referrals can only appear * if result code is LDAP_REFERRAL */ if ( refs != NULL && refs[ 0 ] != NULL && refs[ 0 ][ 0 ] != '\0' ) { if ( rs->sr_err != LDAP_REFERRAL ) { Debug( LDAP_DEBUG_ANY, "%s asyncmeta_handle_common_result[%d]: " "got referrals with err=%d\n", op->o_log_prefix, candidate, rs->sr_err ); } else { int i; for ( i = 0; refs[ i ] != NULL; i++ ) /* count */ ; rs->sr_ref = op->o_tmpalloc( sizeof( struct berval ) * ( i + 1 ), op->o_tmpmemctx ); for ( i = 0; refs[ i ] != NULL; i++ ) { ber_str2bv( refs[ i ], 0, 0, &rs->sr_ref[ i ] ); } BER_BVZERO( &rs->sr_ref[ i ] ); } } else if ( rs->sr_err == LDAP_REFERRAL ) { Debug( LDAP_DEBUG_ANY, "%s asyncmeta_handle_common_result[%d]: " "got err=%d with null " "or empty referrals\n", op->o_log_prefix, candidate, rs->sr_err ); rs->sr_err = LDAP_NO_SUCH_OBJECT; } if ( ctrls != NULL ) { rs->sr_ctrls = ctrls; } /* if the error in the reply structure is not * LDAP_SUCCESS, try to map it from client * to server error */ if ( !LDAP_ERR_OK( rs->sr_err ) ) { rs->sr_err = slap_map_api2result( rs ); /* internal ops ( op->o_conn == NULL ) * must not reply to client */ if ( op->o_conn && !op->o_do_not_cache && matched ) { /* record the (massaged) matched * DN into the reply structure */ rs->sr_matched = matched; } } if ( META_BACK_TGT_QUARANTINE( mt ) ) { asyncmeta_quarantine( op, mi, rs, candidate ); } if ( matched != NULL ) { struct berval dn, pdn; ber_str2bv( matched, 0, 0, &dn ); if ( dnPretty( NULL, &dn, &pdn, op->o_tmpmemctx ) == LDAP_SUCCESS ) { ldap_memfree( matched ); matched_ctx = op->o_tmpmemctx; matched = pdn.bv_val; } rs->sr_matched = matched; } if ( rs->sr_err == LDAP_UNAVAILABLE || rs->sr_err == LDAP_SERVER_DOWN ) { if ( rs->sr_text == NULL ) { rs->sr_text = "Target is unavailable"; } } ldap_pvt_thread_mutex_lock( &mc->mc_om_mutex ); asyncmeta_drop_bc( mc, bc); ldap_pvt_thread_mutex_unlock( &mc->mc_om_mutex ); if ( op->o_conn ) { asyncmeta_send_ldap_result(bc, op, rs); } if ( matched ) { op->o_tmpfree( (char *)rs->sr_matched, matched_ctx ); } if ( text ) { ldap_memfree( text ); } if ( rs->sr_ref ) { op->o_tmpfree( rs->sr_ref, op->o_tmpmemctx ); rs->sr_ref = NULL; } if ( refs ) { ber_memvfree( (void **)refs ); } if ( ctrls ) { assert( rs->sr_ctrls != NULL ); ldap_controls_free( ctrls ); } rs->sr_text = save_text; rs->sr_matched = save_matched; rs->sr_ref = save_ref; rs->sr_ctrls = save_ctrls; rc = (LDAP_ERR_OK( rs->sr_err ) ? LDAP_SUCCESS : rs->sr_err); ldap_pvt_thread_mutex_lock( &mc->mc_om_mutex ); asyncmeta_clear_bm_context(bc); ldap_pvt_thread_mutex_unlock( &mc->mc_om_mutex ); return rc; }
void* asyncmeta_timeout_loop(void *ctx, void *arg) { struct re_s* rtask = arg; a_metainfo_t *mi = rtask->arg; bm_context_t *bc, *onext; time_t current_time = slap_get_time(); int i, j; LDAP_STAILQ_HEAD(BCList, bm_context_t) timeout_list; LDAP_STAILQ_INIT( &timeout_list ); Debug( asyncmeta_debug, "asyncmeta_timeout_loop[%p] start at [%ld] \n", rtask, current_time ); void *oldctx = slap_sl_mem_create(SLAP_SLAB_SIZE, SLAP_SLAB_STACK, ctx, 0); for (i=0; i<mi->mi_num_conns; i++) { a_metaconn_t * mc= &mi->mi_conns[i]; ldap_pvt_thread_mutex_lock( &mc->mc_om_mutex ); for (bc = LDAP_STAILQ_FIRST(&mc->mc_om_list); bc; bc = onext) { onext = LDAP_STAILQ_NEXT(bc, bc_next); if (bc->bc_active > 0) { continue; } if (bc->op->o_abandon ) { /* set our memctx */ bc->op->o_threadctx = ctx; bc->op->o_tid = ldap_pvt_thread_pool_tid( ctx ); slap_sl_mem_setctx(ctx, bc->op->o_tmpmemctx); Operation *op = bc->op; LDAP_STAILQ_REMOVE(&mc->mc_om_list, bc, bm_context_t, bc_next); mc->pending_ops--; for (j=0; j<mi->mi_ntargets; j++) { if (bc->candidates[j].sr_msgid >= 0) { a_metasingleconn_t *msc = &mc->mc_conns[j]; if ( op->o_tag == LDAP_REQ_SEARCH ) { msc->msc_active++; asyncmeta_back_cancel( mc, op, bc->candidates[ j ].sr_msgid, j ); msc->msc_active--; } } } asyncmeta_clear_bm_context(bc); continue; } if (bc->bc_invalid) { LDAP_STAILQ_REMOVE(&mc->mc_om_list, bc, bm_context_t, bc_next); mc->pending_ops--; LDAP_STAILQ_INSERT_TAIL( &timeout_list, bc, bc_next); continue; } if (bc->timeout && bc->stoptime < current_time) { Operation *op = bc->op; LDAP_STAILQ_REMOVE(&mc->mc_om_list, bc, bm_context_t, bc_next); mc->pending_ops--; LDAP_STAILQ_INSERT_TAIL( &timeout_list, bc, bc_next); for (j=0; j<mi->mi_ntargets; j++) { if (bc->candidates[j].sr_msgid >= 0) { a_metasingleconn_t *msc = &mc->mc_conns[j]; asyncmeta_set_msc_time(msc); if ( op->o_tag == LDAP_REQ_SEARCH ) { msc->msc_active++; asyncmeta_back_cancel( mc, op, bc->candidates[ j ].sr_msgid, j ); msc->msc_active--; } } } } } ldap_pvt_thread_mutex_unlock( &mc->mc_om_mutex ); for (bc = LDAP_STAILQ_FIRST(&timeout_list); bc; bc = onext) { Operation *op = bc->op; SlapReply *rs = &bc->rs; int timeout_err; const char *timeout_text; onext = LDAP_STAILQ_NEXT(bc, bc_next); LDAP_STAILQ_REMOVE(&timeout_list, bc, bm_context_t, bc_next); /* set our memctx */ bc->op->o_threadctx = ctx; bc->op->o_tid = ldap_pvt_thread_pool_tid( ctx ); slap_sl_mem_setctx(ctx, bc->op->o_tmpmemctx); if (bc->searchtime) { timeout_err = LDAP_TIMELIMIT_EXCEEDED; } else { timeout_err = op->o_protocol >= LDAP_VERSION3 ? LDAP_ADMINLIMIT_EXCEEDED : LDAP_OTHER; } if ( bc->bc_invalid ) { timeout_text = "Operation is invalid - target connection has been reset"; } else { a_metasingleconn_t *log_msc = &mc->mc_conns[0]; Debug( asyncmeta_debug, "asyncmeta_timeout_loop:Timeout op %s loop[%p], " "current_time:%ld, op->o_time:%ld msc: %p, " "msc->msc_binding_time: %x, msc->msc_flags:%x \n", bc->op->o_log_prefix, rtask, current_time, bc->op->o_time, log_msc, (unsigned int)log_msc->msc_binding_time, log_msc->msc_mscflags ); if (bc->searchtime) { timeout_text = NULL; } else { timeout_text = "Operation timed out"; } for (j=0; j<mi->mi_ntargets; j++) { if (bc->candidates[j].sr_msgid >= 0) { a_metatarget_t *mt = mi->mi_targets[j]; if (!META_BACK_TGT_QUARANTINE( mt ) || bc->candidates[j].sr_type == REP_RESULT) { continue; } if (mt->mt_isquarantined > LDAP_BACK_FQ_NO) { timeout_err = LDAP_UNAVAILABLE; } else { mt->mt_timeout_ops++; if ((mi->mi_max_timeout_ops > 0) && (mt->mt_timeout_ops > mi->mi_max_timeout_ops)) { timeout_err = LDAP_UNAVAILABLE; rs->sr_err = timeout_err; if (mt->mt_isquarantined == LDAP_BACK_FQ_NO) asyncmeta_quarantine(op, mi, rs, j); } } } } } rs->sr_err = timeout_err; rs->sr_text = timeout_text; if (!bc->op->o_abandon ) { asyncmeta_send_ldap_result( bc, bc->op, &bc->rs ); } asyncmeta_clear_bm_context(bc); } ldap_pvt_thread_mutex_lock( &mc->mc_om_mutex ); if (mi->mi_idle_timeout) { for (j=0; j<mi->mi_ntargets; j++) { a_metasingleconn_t *msc = &mc->mc_conns[j]; if ( msc->msc_active > 0 ) { continue; } if (mc->pending_ops > 0) { continue; } current_time = slap_get_time(); if (msc->msc_ld && msc->msc_time > 0 && msc->msc_time + mi->mi_idle_timeout < current_time) { asyncmeta_clear_one_msc(NULL, mc, j, 1, __FUNCTION__); } } } ldap_pvt_thread_mutex_unlock( &mc->mc_om_mutex ); } slap_sl_mem_setctx(ctx, oldctx); current_time = slap_get_time(); Debug( asyncmeta_debug, "asyncmeta_timeout_loop[%p] stop at [%ld] \n", rtask, current_time ); ldap_pvt_thread_mutex_lock( &slapd_rq.rq_mutex ); if ( ldap_pvt_runqueue_isrunning( &slapd_rq, rtask )) { ldap_pvt_runqueue_stoptask( &slapd_rq, rtask ); } rtask->interval.tv_sec = 1; rtask->interval.tv_usec = 0; ldap_pvt_runqueue_resched(&slapd_rq, rtask, 0); ldap_pvt_thread_mutex_unlock( &slapd_rq.rq_mutex ); return NULL; }
int meta_back_db_destroy( Backend *be, ConfigReply *cr ) { metainfo_t *mi; if ( be->be_private ) { int i; mi = ( metainfo_t * )be->be_private; /* * Destroy the connection tree */ ldap_pvt_thread_mutex_lock( &mi->mi_conninfo.lai_mutex ); if ( mi->mi_conninfo.lai_tree ) { avl_free( mi->mi_conninfo.lai_tree, meta_back_conn_free ); } for ( i = LDAP_BACK_PCONN_FIRST; i < LDAP_BACK_PCONN_LAST; i++ ) { while ( !LDAP_TAILQ_EMPTY( &mi->mi_conn_priv[ i ].mic_priv ) ) { metaconn_t *mc = LDAP_TAILQ_FIRST( &mi->mi_conn_priv[ i ].mic_priv ); LDAP_TAILQ_REMOVE( &mi->mi_conn_priv[ i ].mic_priv, mc, mc_q ); meta_back_conn_free( mc ); } } /* * Destroy the per-target stuff (assuming there's at * least one ...) */ if ( mi->mi_targets != NULL ) { for ( i = 0; i < mi->mi_ntargets; i++ ) { metatarget_t *mt = mi->mi_targets[ i ]; if ( META_BACK_TGT_QUARANTINE( mt ) ) { if ( mt->mt_quarantine.ri_num != mi->mi_quarantine.ri_num ) { mi->mi_ldap_extra->retry_info_destroy( &mt->mt_quarantine ); } ldap_pvt_thread_mutex_destroy( &mt->mt_quarantine_mutex ); } target_free( mt ); } free( mi->mi_targets ); } ldap_pvt_thread_mutex_lock( &mi->mi_cache.mutex ); if ( mi->mi_cache.tree ) { avl_free( mi->mi_cache.tree, meta_dncache_free ); } ldap_pvt_thread_mutex_unlock( &mi->mi_cache.mutex ); ldap_pvt_thread_mutex_destroy( &mi->mi_cache.mutex ); ldap_pvt_thread_mutex_unlock( &mi->mi_conninfo.lai_mutex ); ldap_pvt_thread_mutex_destroy( &mi->mi_conninfo.lai_mutex ); if ( mi->mi_candidates != NULL ) { ber_memfree_x( mi->mi_candidates, NULL ); } if ( META_BACK_QUARANTINE( mi ) ) { mi->mi_ldap_extra->retry_info_destroy( &mi->mi_quarantine ); } } free( be->be_private ); return 0; }
/* * FIXME: error return must be handled in a cleaner way ... */ int meta_back_op_result( metaconn_t *mc, Operation *op, SlapReply *rs, int candidate, ber_int_t msgid, time_t timeout, ldap_back_send_t sendok ) { metainfo_t *mi = ( metainfo_t * )op->o_bd->be_private; const char *save_text = rs->sr_text, *save_matched = rs->sr_matched; BerVarray save_ref = rs->sr_ref; LDAPControl **save_ctrls = rs->sr_ctrls; void *matched_ctx = NULL; char *matched = NULL; char *text = NULL; char **refs = NULL; LDAPControl **ctrls = NULL; assert( mc != NULL ); rs->sr_text = NULL; rs->sr_matched = NULL; rs->sr_ref = NULL; rs->sr_ctrls = NULL; if ( candidate != META_TARGET_NONE ) { metatarget_t *mt = mi->mi_targets[ candidate ]; metasingleconn_t *msc = &mc->mc_conns[ candidate ]; if ( LDAP_ERR_OK( rs->sr_err ) ) { int rc; struct timeval tv; LDAPMessage *res = NULL; time_t stoptime = (time_t)(-1); int timeout_err = op->o_protocol >= LDAP_VERSION3 ? LDAP_ADMINLIMIT_EXCEEDED : LDAP_OTHER; const char *timeout_text = "Operation timed out"; /* if timeout is not specified, compute and use * the one specific to the ongoing operation */ if ( timeout == (time_t)(-1) ) { slap_op_t opidx = slap_req2op( op->o_tag ); if ( opidx == SLAP_OP_SEARCH ) { if ( op->ors_tlimit <= 0 ) { timeout = 0; } else { timeout = op->ors_tlimit; timeout_err = LDAP_TIMELIMIT_EXCEEDED; timeout_text = NULL; } } else { timeout = mt->mt_timeout[ opidx ]; } } /* better than nothing :) */ if ( timeout == 0 ) { if ( mi->mi_idle_timeout ) { timeout = mi->mi_idle_timeout; } else if ( mi->mi_conn_ttl ) { timeout = mi->mi_conn_ttl; } } if ( timeout ) { stoptime = op->o_time + timeout; } LDAP_BACK_TV_SET( &tv ); retry:; rc = ldap_result( msc->msc_ld, msgid, LDAP_MSG_ALL, &tv, &res ); switch ( rc ) { case 0: if ( timeout && slap_get_time() > stoptime ) { (void)meta_back_cancel( mc, op, rs, msgid, candidate, sendok ); rs->sr_err = timeout_err; rs->sr_text = timeout_text; break; } LDAP_BACK_TV_SET( &tv ); ldap_pvt_thread_yield(); goto retry; case -1: ldap_get_option( msc->msc_ld, LDAP_OPT_RESULT_CODE, &rs->sr_err ); break; /* otherwise get the result; if it is not * LDAP_SUCCESS, record it in the reply * structure (this includes * LDAP_COMPARE_{TRUE|FALSE}) */ default: /* only touch when activity actually took place... */ if ( mi->mi_idle_timeout != 0 && msc->msc_time < op->o_time ) { msc->msc_time = op->o_time; } rc = ldap_parse_result( msc->msc_ld, res, &rs->sr_err, &matched, &text, &refs, &ctrls, 1 ); res = NULL; if ( rc == LDAP_SUCCESS ) { rs->sr_text = text; } else { rs->sr_err = rc; } rs->sr_err = slap_map_api2result( rs ); /* RFC 4511: referrals can only appear * if result code is LDAP_REFERRAL */ if ( refs != NULL && refs[ 0 ] != NULL && refs[ 0 ][ 0 ] != '\0' ) { if ( rs->sr_err != LDAP_REFERRAL ) { Debug( LDAP_DEBUG_ANY, "%s meta_back_op_result[%d]: " "got referrals with err=%d\n", op->o_log_prefix, candidate, rs->sr_err ); } else { int i; for ( i = 0; refs[ i ] != NULL; i++ ) /* count */ ; rs->sr_ref = op->o_tmpalloc( sizeof( struct berval ) * ( i + 1 ), op->o_tmpmemctx ); for ( i = 0; refs[ i ] != NULL; i++ ) { ber_str2bv( refs[ i ], 0, 0, &rs->sr_ref[ i ] ); } BER_BVZERO( &rs->sr_ref[ i ] ); } } else if ( rs->sr_err == LDAP_REFERRAL ) { Debug( LDAP_DEBUG_ANY, "%s meta_back_op_result[%d]: " "got err=%d with null " "or empty referrals\n", op->o_log_prefix, candidate, rs->sr_err ); rs->sr_err = LDAP_NO_SUCH_OBJECT; } if ( ctrls != NULL ) { rs->sr_ctrls = ctrls; } } assert( res == NULL ); } /* if the error in the reply structure is not * LDAP_SUCCESS, try to map it from client * to server error */ if ( !LDAP_ERR_OK( rs->sr_err ) ) { rs->sr_err = slap_map_api2result( rs ); /* internal ops ( op->o_conn == NULL ) * must not reply to client */ if ( op->o_conn && !op->o_do_not_cache && matched ) { /* record the (massaged) matched * DN into the reply structure */ rs->sr_matched = matched; } } if ( META_BACK_TGT_QUARANTINE( mt ) ) { meta_back_quarantine( op, rs, candidate ); } } else { int i, err = rs->sr_err; for ( i = 0; i < mi->mi_ntargets; i++ ) { metasingleconn_t *msc = &mc->mc_conns[ i ]; char *xtext = NULL; char *xmatched = NULL; if ( msc->msc_ld == NULL ) { continue; } rs->sr_err = LDAP_SUCCESS; ldap_get_option( msc->msc_ld, LDAP_OPT_RESULT_CODE, &rs->sr_err ); if ( rs->sr_err != LDAP_SUCCESS ) { /* * better check the type of error. In some cases * (search ?) it might be better to return a * success if at least one of the targets gave * positive result ... */ ldap_get_option( msc->msc_ld, LDAP_OPT_DIAGNOSTIC_MESSAGE, &xtext ); if ( xtext != NULL && xtext [ 0 ] == '\0' ) { ldap_memfree( xtext ); xtext = NULL; } ldap_get_option( msc->msc_ld, LDAP_OPT_MATCHED_DN, &xmatched ); if ( xmatched != NULL && xmatched[ 0 ] == '\0' ) { ldap_memfree( xmatched ); xmatched = NULL; } rs->sr_err = slap_map_api2result( rs ); if ( LogTest( LDAP_DEBUG_ANY ) ) { char buf[ SLAP_TEXT_BUFLEN ]; snprintf( buf, sizeof( buf ), "meta_back_op_result[%d] " "err=%d text=\"%s\" matched=\"%s\"", i, rs->sr_err, ( xtext ? xtext : "" ), ( xmatched ? xmatched : "" ) ); Debug( LDAP_DEBUG_ANY, "%s %s.\n", op->o_log_prefix, buf ); } /* * FIXME: need to rewrite "match" (need rwinfo) */ switch ( rs->sr_err ) { default: err = rs->sr_err; if ( xtext != NULL ) { if ( text ) { ldap_memfree( text ); } text = xtext; xtext = NULL; } if ( xmatched != NULL ) { if ( matched ) { ldap_memfree( matched ); } matched = xmatched; xmatched = NULL; } break; } if ( xtext ) { ldap_memfree( xtext ); } if ( xmatched ) { ldap_memfree( xmatched ); } } if ( META_BACK_TGT_QUARANTINE( mi->mi_targets[ i ] ) ) { meta_back_quarantine( op, rs, i ); } } if ( err != LDAP_SUCCESS ) { rs->sr_err = err; } } if ( matched != NULL ) { struct berval dn, pdn; ber_str2bv( matched, 0, 0, &dn ); if ( dnPretty( NULL, &dn, &pdn, op->o_tmpmemctx ) == LDAP_SUCCESS ) { ldap_memfree( matched ); matched_ctx = op->o_tmpmemctx; matched = pdn.bv_val; } rs->sr_matched = matched; } if ( rs->sr_err == LDAP_UNAVAILABLE ) { if ( !( sendok & LDAP_BACK_RETRYING ) ) { if ( op->o_conn && ( sendok & LDAP_BACK_SENDERR ) ) { if ( rs->sr_text == NULL ) rs->sr_text = "Proxy operation retry failed"; send_ldap_result( op, rs ); } } } else if ( op->o_conn && ( ( ( sendok & LDAP_BACK_SENDOK ) && LDAP_ERR_OK( rs->sr_err ) ) || ( ( sendok & LDAP_BACK_SENDERR ) && !LDAP_ERR_OK( rs->sr_err ) ) ) ) { send_ldap_result( op, rs ); } if ( matched ) { op->o_tmpfree( (char *)rs->sr_matched, matched_ctx ); } if ( text ) { ldap_memfree( text ); } if ( rs->sr_ref ) { op->o_tmpfree( rs->sr_ref, op->o_tmpmemctx ); rs->sr_ref = NULL; } if ( refs ) { ber_memvfree( (void **)refs ); } if ( ctrls ) { assert( rs->sr_ctrls != NULL ); ldap_controls_free( ctrls ); } rs->sr_text = save_text; rs->sr_matched = save_matched; rs->sr_ref = save_ref; rs->sr_ctrls = save_ctrls; return( LDAP_ERR_OK( rs->sr_err ) ? LDAP_SUCCESS : rs->sr_err ); }
/* * meta_back_single_dobind */ int meta_back_single_dobind( Operation *op, SlapReply *rs, metaconn_t **mcp, int candidate, ldap_back_send_t sendok, int nretries, int dolock ) { metainfo_t *mi = ( metainfo_t * )op->o_bd->be_private; metatarget_t *mt = mi->mi_targets[ candidate ]; metaconn_t *mc = *mcp; metasingleconn_t *msc = &mc->mc_conns[ candidate ]; int msgid; assert( !LDAP_BACK_CONN_ISBOUND( msc ) ); /* NOTE: this obsoletes pseudorootdn */ if ( op->o_conn != NULL && !op->o_do_not_cache && ( BER_BVISNULL( &msc->msc_bound_ndn ) || BER_BVISEMPTY( &msc->msc_bound_ndn ) || ( LDAP_BACK_CONN_ISPRIV( mc ) && dn_match( &msc->msc_bound_ndn, &mt->mt_idassert_authcDN ) ) || ( mt->mt_idassert_flags & LDAP_BACK_AUTH_OVERRIDE ) ) ) { (void)meta_back_proxy_authz_bind( mc, candidate, op, rs, sendok, dolock ); } else { char *binddn = ""; struct berval cred = BER_BVC( "" ); /* use credentials if available */ if ( !BER_BVISNULL( &msc->msc_bound_ndn ) && !BER_BVISNULL( &msc->msc_cred ) ) { binddn = msc->msc_bound_ndn.bv_val; cred = msc->msc_cred; } /* FIXME: should we check if at least some of the op->o_ctrls * can/should be passed? */ if(!dolock) { ldap_pvt_thread_mutex_unlock( &mi->mi_conninfo.lai_mutex ); } for (;;) { rs->sr_err = ldap_sasl_bind( msc->msc_ld, binddn, LDAP_SASL_SIMPLE, &cred, NULL, NULL, &msgid ); if ( rs->sr_err != LDAP_X_CONNECTING ) { break; } ldap_pvt_thread_yield(); } if(!dolock) { ldap_pvt_thread_mutex_lock( &mi->mi_conninfo.lai_mutex ); } rs->sr_err = meta_back_bind_op_result( op, rs, mc, candidate, msgid, sendok, dolock ); /* if bind succeeded, but anonymous, clear msc_bound_ndn */ if ( rs->sr_err != LDAP_SUCCESS || binddn[0] == '\0' ) { if ( !BER_BVISNULL( &msc->msc_bound_ndn ) ) { ber_memfree( msc->msc_bound_ndn.bv_val ); BER_BVZERO( &msc->msc_bound_ndn ); } if ( !BER_BVISNULL( &msc->msc_cred ) ) { memset( msc->msc_cred.bv_val, 0, msc->msc_cred.bv_len ); ber_memfree( msc->msc_cred.bv_val ); BER_BVZERO( &msc->msc_cred ); } } } if ( rs->sr_err != LDAP_SUCCESS ) { if ( dolock ) { ldap_pvt_thread_mutex_lock( &mi->mi_conninfo.lai_mutex ); } LDAP_BACK_CONN_BINDING_CLEAR( msc ); if ( META_BACK_ONERR_STOP( mi ) ) { LDAP_BACK_CONN_TAINTED_SET( mc ); meta_back_release_conn_lock( mi, mc, 0 ); *mcp = NULL; } if ( dolock ) { ldap_pvt_thread_mutex_unlock( &mi->mi_conninfo.lai_mutex ); } } if ( META_BACK_TGT_QUARANTINE( mt ) ) { meta_back_quarantine( op, rs, candidate ); } return rs->sr_err; }
/* * meta_back_single_bind * * attempts to perform a bind with creds */ static int meta_back_single_bind( Operation *op, SlapReply *rs, metaconn_t *mc, int candidate ) { metainfo_t *mi = ( metainfo_t * )op->o_bd->be_private; metatarget_t *mt = mi->mi_targets[ candidate ]; struct berval mdn = BER_BVNULL; metasingleconn_t *msc = &mc->mc_conns[ candidate ]; int msgid; dncookie dc; struct berval save_o_dn; int save_o_do_not_cache; LDAPControl **ctrls = NULL; if ( !BER_BVISNULL( &msc->msc_bound_ndn ) ) { ch_free( msc->msc_bound_ndn.bv_val ); BER_BVZERO( &msc->msc_bound_ndn ); } if ( !BER_BVISNULL( &msc->msc_cred ) ) { /* destroy sensitive data */ memset( msc->msc_cred.bv_val, 0, msc->msc_cred.bv_len ); ch_free( msc->msc_cred.bv_val ); BER_BVZERO( &msc->msc_cred ); } /* * Rewrite the bind dn if needed */ dc.target = mt; dc.conn = op->o_conn; dc.rs = rs; dc.ctx = "bindDN"; if ( ldap_back_dn_massage( &dc, &op->o_req_dn, &mdn ) ) { rs->sr_text = "DN rewrite error"; rs->sr_err = LDAP_OTHER; return rs->sr_err; } /* don't add proxyAuthz; set the bindDN */ save_o_dn = op->o_dn; save_o_do_not_cache = op->o_do_not_cache; op->o_do_not_cache = 1; op->o_dn = op->o_req_dn; ctrls = op->o_ctrls; rs->sr_err = meta_back_controls_add( op, rs, mc, candidate, &ctrls ); op->o_dn = save_o_dn; op->o_do_not_cache = save_o_do_not_cache; if ( rs->sr_err != LDAP_SUCCESS ) { goto return_results; } /* FIXME: this fixes the bind problem right now; we need * to use the asynchronous version to get the "matched" * and more in case of failure ... */ /* FIXME: should we check if at least some of the op->o_ctrls * can/should be passed? */ for (;;) { rs->sr_err = ldap_sasl_bind( msc->msc_ld, mdn.bv_val, LDAP_SASL_SIMPLE, &op->orb_cred, ctrls, NULL, &msgid ); if ( rs->sr_err != LDAP_X_CONNECTING ) { break; } ldap_pvt_thread_yield(); } mi->mi_ldap_extra->controls_free( op, rs, &ctrls ); meta_back_bind_op_result( op, rs, mc, candidate, msgid, LDAP_BACK_DONTSEND, 1 ); if ( rs->sr_err != LDAP_SUCCESS ) { goto return_results; } /* If defined, proxyAuthz will be used also when * back-ldap is the authorizing backend; for this * purpose, a successful bind is followed by a * bind with the configured identity assertion */ /* NOTE: use with care */ if ( mt->mt_idassert_flags & LDAP_BACK_AUTH_OVERRIDE ) { meta_back_proxy_authz_bind( mc, candidate, op, rs, LDAP_BACK_SENDERR, 1 ); if ( !LDAP_BACK_CONN_ISBOUND( msc ) ) { goto return_results; } goto cache_refresh; } ber_bvreplace( &msc->msc_bound_ndn, &op->o_req_ndn ); LDAP_BACK_CONN_ISBOUND_SET( msc ); mc->mc_authz_target = candidate; if ( META_BACK_TGT_SAVECRED( mt ) ) { if ( !BER_BVISNULL( &msc->msc_cred ) ) { memset( msc->msc_cred.bv_val, 0, msc->msc_cred.bv_len ); } ber_bvreplace( &msc->msc_cred, &op->orb_cred ); ldap_set_rebind_proc( msc->msc_ld, mt->mt_rebind_f, msc ); } cache_refresh:; if ( mi->mi_cache.ttl != META_DNCACHE_DISABLED && !BER_BVISEMPTY( &op->o_req_ndn ) ) { ( void )meta_dncache_update_entry( &mi->mi_cache, &op->o_req_ndn, candidate ); } return_results:; if ( mdn.bv_val != op->o_req_dn.bv_val ) { free( mdn.bv_val ); } if ( META_BACK_TGT_QUARANTINE( mt ) ) { meta_back_quarantine( op, rs, candidate ); } return rs->sr_err; }
/* * asyncmeta_back_single_dobind */ int asyncmeta_back_single_dobind( Operation *op, SlapReply *rs, a_metaconn_t **mcp, int candidate, ldap_back_send_t sendok, int nretries, int dolock ) { a_metaconn_t *mc = *mcp; a_metainfo_t *mi = mc->mc_info; a_metatarget_t *mt = mi->mi_targets[ candidate ]; a_metasingleconn_t *msc = &mc->mc_conns[ candidate ]; int msgid; assert( !LDAP_BACK_CONN_ISBOUND( msc ) ); if ( op->o_conn != NULL && !op->o_do_not_cache && ( BER_BVISNULL( &msc->msc_bound_ndn ) || BER_BVISEMPTY( &msc->msc_bound_ndn ) || ( LDAP_BACK_CONN_ISPRIV( mc ) && dn_match( &msc->msc_bound_ndn, &mt->mt_idassert_authcDN ) ) || ( mt->mt_idassert_flags & LDAP_BACK_AUTH_OVERRIDE ) ) ) { (void)asyncmeta_proxy_authz_bind( mc, candidate, op, rs, sendok, dolock ); } else { char *binddn = ""; struct berval cred = BER_BVC( "" ); /* use credentials if available */ if ( !BER_BVISNULL( &msc->msc_bound_ndn ) && !BER_BVISNULL( &msc->msc_cred ) ) { binddn = msc->msc_bound_ndn.bv_val; cred = msc->msc_cred; } for (;;) { rs->sr_err = ldap_sasl_bind( msc->msc_ld, binddn, LDAP_SASL_SIMPLE, &cred, NULL, NULL, &msgid ); if ( rs->sr_err != LDAP_X_CONNECTING ) { break; } ldap_pvt_thread_yield(); } rs->sr_err = asyncmeta_bind_op_result( op, rs, mc, candidate, msgid, sendok, dolock ); /* if bind succeeded, but anonymous, clear msc_bound_ndn */ if ( rs->sr_err != LDAP_SUCCESS || binddn[0] == '\0' ) { if ( !BER_BVISNULL( &msc->msc_bound_ndn ) ) { ber_memfree( msc->msc_bound_ndn.bv_val ); BER_BVZERO( &msc->msc_bound_ndn ); } if ( !BER_BVISNULL( &msc->msc_cred ) ) { memset( msc->msc_cred.bv_val, 0, msc->msc_cred.bv_len ); ber_memfree( msc->msc_cred.bv_val ); BER_BVZERO( &msc->msc_cred ); } } } if ( META_BACK_TGT_QUARANTINE( mt ) ) { asyncmeta_quarantine( op, mi, rs, candidate ); } return rs->sr_err; }