static int slap_exop_refresh( Operation *op, SlapReply *rs ) { BackendDB *bd = op->o_bd; rs->sr_err = slap_parse_refresh( op->ore_reqdata, &op->o_req_ndn, NULL, &rs->sr_text, op->o_tmpmemctx ); if ( rs->sr_err != LDAP_SUCCESS ) { return rs->sr_err; } Log2( LDAP_DEBUG_STATS, LDAP_LEVEL_INFO, "%s REFRESH dn=\"%s\"\n", op->o_log_prefix, op->o_req_ndn.bv_val ); op->o_req_dn = op->o_req_ndn; op->o_bd = select_backend( &op->o_req_ndn, 0 ); if ( op->o_bd == NULL ) { send_ldap_error( op, rs, LDAP_NO_SUCH_OBJECT, "no global superior knowledge" ); goto done; } if ( !SLAP_DYNAMIC( op->o_bd ) ) { send_ldap_error( op, rs, LDAP_UNAVAILABLE_CRITICAL_EXTENSION, "backend does not support dynamic directory services" ); goto done; } rs->sr_err = backend_check_restrictions( op, rs, (struct berval *)&slap_EXOP_REFRESH ); if ( rs->sr_err != LDAP_SUCCESS ) { goto done; } if ( op->o_bd->be_extended == NULL ) { send_ldap_error( op, rs, LDAP_UNAVAILABLE_CRITICAL_EXTENSION, "backend does not support extended operations" ); goto done; } op->o_bd->be_extended( op, rs ); done:; if ( !BER_BVISNULL( &op->o_req_ndn ) ) { op->o_tmpfree( op->o_req_ndn.bv_val, op->o_tmpmemctx ); BER_BVZERO( &op->o_req_ndn ); BER_BVZERO( &op->o_req_dn ); } op->o_bd = bd; return rs->sr_err; }
int txn_start_extop( Operation *op, SlapReply *rs ) { int rc; struct berval *bv; Statslog( LDAP_DEBUG_STATS, "%s TXN START\n", op->o_log_prefix, 0, 0, 0, 0 ); if( op->ore_reqdata != NULL ) { rs->sr_text = "no request data expected"; return LDAP_PROTOCOL_ERROR; } op->o_bd = op->o_conn->c_authz_backend; if( backend_check_restrictions( op, rs, (struct berval *)&slap_EXOP_TXN_START ) != LDAP_SUCCESS ) { return rs->sr_err; } /* acquire connection lock */ ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex ); if( op->o_conn->c_txn != CONN_TXN_INACTIVE ) { rs->sr_text = "Too many transactions"; rc = LDAP_BUSY; goto done; } assert( op->o_conn->c_txn_backend == NULL ); op->o_conn->c_txn = CONN_TXN_SPECIFY; bv = (struct berval *) ch_malloc( sizeof (struct berval) ); bv->bv_len = 0; bv->bv_val = NULL; rs->sr_rspdata = bv; rc = LDAP_SUCCESS; done: /* release connection lock */ ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex ); return rc; }
static int ldap_exop_chained_request( Operation *op, SlapReply *rs ) { Statslog( LDAP_DEBUG_STATS, "%s CHAINED REQUEST\n", op->o_log_prefix, 0, 0, 0, 0 ); rs->sr_err = backend_check_restrictions( op, rs, (struct berval *)&slap_EXOP_CHAINEDREQUEST ); if ( rs->sr_err != LDAP_SUCCESS ) { return rs->sr_err; } /* by now, just reject requests */ rs->sr_text = "under development"; return LDAP_UNWILLING_TO_PERFORM; }
static int whoami_extop ( Operation *op, SlapReply *rs ) { struct berval *bv; if ( op->ore_reqdata != NULL ) { /* no request data should be provided */ rs->sr_text = "no request data expected"; return LDAP_PROTOCOL_ERROR; } Statslog( LDAP_DEBUG_STATS, "%s WHOAMI\n", op->o_log_prefix, 0, 0, 0, 0 ); op->o_bd = op->o_conn->c_authz_backend; if( backend_check_restrictions( op, rs, (struct berval *)&slap_EXOP_WHOAMI ) != LDAP_SUCCESS ) { return rs->sr_err; } bv = (struct berval *) ch_malloc( sizeof(struct berval) ); if( op->o_dn.bv_len ) { bv->bv_len = op->o_dn.bv_len + STRLENOF( "dn:" ); bv->bv_val = ch_malloc( bv->bv_len + 1 ); AC_MEMCPY( bv->bv_val, "dn:", STRLENOF( "dn:" ) ); AC_MEMCPY( &bv->bv_val[STRLENOF( "dn:" )], op->o_dn.bv_val, op->o_dn.bv_len ); bv->bv_val[bv->bv_len] = '\0'; } else { bv->bv_len = 0; bv->bv_val = NULL; } rs->sr_rspdata = bv; return LDAP_SUCCESS; }
int txn_end_extop( Operation *op, SlapReply *rs ) { int rc; BerElementBuffer berbuf; BerElement *ber = (BerElement *)&berbuf; ber_tag_t tag; ber_len_t len; ber_int_t commit=1; struct berval txnid; Statslog( LDAP_DEBUG_STATS, "%s TXN END\n", op->o_log_prefix, 0, 0, 0, 0 ); if( op->ore_reqdata == NULL ) { rs->sr_text = "request data expected"; return LDAP_PROTOCOL_ERROR; } if( op->ore_reqdata->bv_len == 0 ) { rs->sr_text = "empty request data"; return LDAP_PROTOCOL_ERROR; } op->o_bd = op->o_conn->c_authz_backend; if( backend_check_restrictions( op, rs, (struct berval *)&slap_EXOP_TXN_END ) != LDAP_SUCCESS ) { return rs->sr_err; } ber_init2( ber, op->ore_reqdata, 0 ); tag = ber_scanf( ber, "{" /*}*/ ); if( tag == LBER_ERROR ) { rs->sr_text = "request data decoding error"; return LDAP_PROTOCOL_ERROR; } tag = ber_peek_tag( ber, &len ); if( tag == LBER_BOOLEAN ) { tag = ber_scanf( ber, "b", &commit ); if( tag == LBER_ERROR ) { rs->sr_text = "request data decoding error"; return LDAP_PROTOCOL_ERROR; } } tag = ber_scanf( ber, /*{*/ "m}", &txnid ); if( tag == LBER_ERROR ) { rs->sr_text = "request data decoding error"; return LDAP_PROTOCOL_ERROR; } if( txnid.bv_len ) { rs->sr_text = "invalid transaction identifier"; return LDAP_X_TXN_ID_INVALID; } /* acquire connection lock */ ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex ); if( op->o_conn->c_txn != CONN_TXN_SPECIFY ) { rs->sr_text = "invalid transaction identifier"; rc = LDAP_X_TXN_ID_INVALID; goto done; } op->o_conn->c_txn = CONN_TXN_SETTLE; if( commit ) { if ( op->o_abandon ) { } if( LDAP_STAILQ_EMPTY(&op->o_conn->c_txn_ops) ) { /* no updates to commit */ rs->sr_text = "no updates to commit"; rc = LDAP_OPERATIONS_ERROR; goto settled; } rs->sr_text = "not yet implemented"; rc = LDAP_UNWILLING_TO_PERFORM; } else { rs->sr_text = "transaction aborted"; rc = LDAP_SUCCESS;; } drain: /* drain txn ops list */ settled: assert( LDAP_STAILQ_EMPTY(&op->o_conn->c_txn_ops) ); assert( op->o_conn->c_txn == CONN_TXN_SETTLE ); op->o_conn->c_txn = CONN_TXN_INACTIVE; op->o_conn->c_txn_backend = NULL; done: /* release connection lock */ ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex ); return rc; }
int fe_op_search( Operation *op, SlapReply *rs ) { BackendDB *bd = op->o_bd; if ( op->ors_scope == LDAP_SCOPE_BASE ) { Entry *entry = NULL; if ( BER_BVISEMPTY( &op->o_req_ndn ) ) { #ifdef LDAP_CONNECTIONLESS /* Ignore LDAPv2 CLDAP Root DSE queries */ if (op->o_protocol == LDAP_VERSION2 && op->o_conn->c_is_udp) { goto return_results; } #endif /* check restrictions */ if( backend_check_restrictions( op, rs, NULL ) != LDAP_SUCCESS ) { send_ldap_result( op, rs ); goto return_results; } rs->sr_err = root_dse_info( op->o_conn, &entry, &rs->sr_text ); } else if ( bvmatch( &op->o_req_ndn, &frontendDB->be_schemandn ) ) { /* check restrictions */ if( backend_check_restrictions( op, rs, NULL ) != LDAP_SUCCESS ) { send_ldap_result( op, rs ); goto return_results; } rs->sr_err = schema_info( &entry, &rs->sr_text ); } if( rs->sr_err != LDAP_SUCCESS ) { send_ldap_result( op, rs ); goto return_results; } else if ( entry != NULL ) { if ( get_assert( op ) && ( test_filter( op, entry, get_assertion( op )) != LDAP_COMPARE_TRUE )) { rs->sr_err = LDAP_ASSERTION_FAILED; goto fail1; } rs->sr_err = test_filter( op, entry, op->ors_filter ); if( rs->sr_err == LDAP_COMPARE_TRUE ) { /* note: we set no limits because either * no limit is specified, or at least 1 * is specified, and we're going to return * at most one entry */ op->ors_slimit = SLAP_NO_LIMIT; op->ors_tlimit = SLAP_NO_LIMIT; rs->sr_entry = entry; rs->sr_attrs = op->ors_attrs; rs->sr_operational_attrs = NULL; rs->sr_flags = 0; send_search_entry( op, rs ); rs->sr_entry = NULL; rs->sr_operational_attrs = NULL; } rs->sr_err = LDAP_SUCCESS; fail1: entry_free( entry ); send_ldap_result( op, rs ); goto return_results; } } if( BER_BVISEMPTY( &op->o_req_ndn ) && !BER_BVISEMPTY( &default_search_nbase ) ) { slap_sl_free( op->o_req_dn.bv_val, op->o_tmpmemctx ); slap_sl_free( op->o_req_ndn.bv_val, op->o_tmpmemctx ); ber_dupbv_x( &op->o_req_dn, &default_search_base, op->o_tmpmemctx ); ber_dupbv_x( &op->o_req_ndn, &default_search_nbase, op->o_tmpmemctx ); } /* * We could be serving multiple database backends. Select the * appropriate one, or send a referral to our "referral server" * if we don't hold it. */ op->o_bd = select_backend( &op->o_req_ndn, 1 ); if ( op->o_bd == NULL ) { rs->sr_ref = referral_rewrite( default_referral, NULL, &op->o_req_dn, op->ors_scope ); if (!rs->sr_ref) rs->sr_ref = default_referral; rs->sr_err = LDAP_REFERRAL; op->o_bd = bd; send_ldap_result( op, rs ); if (rs->sr_ref != default_referral) ber_bvarray_free( rs->sr_ref ); rs->sr_ref = NULL; goto return_results; } /* check restrictions */ if( backend_check_restrictions( op, rs, NULL ) != LDAP_SUCCESS ) { send_ldap_result( op, rs ); goto return_results; } /* check for referrals */ if( backend_check_referrals( op, rs ) != LDAP_SUCCESS ) { goto return_results; } if ( SLAP_SHADOW(op->o_bd) && get_dontUseCopy(op) ) { /* don't use shadow copy */ BerVarray defref = op->o_bd->be_update_refs ? op->o_bd->be_update_refs : default_referral; if( defref != NULL ) { rs->sr_ref = referral_rewrite( defref, NULL, &op->o_req_dn, op->ors_scope ); if( !rs->sr_ref) rs->sr_ref = defref; rs->sr_err = LDAP_REFERRAL; send_ldap_result( op, rs ); if (rs->sr_ref != defref) ber_bvarray_free( rs->sr_ref ); } else { send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM, "copy not used; no referral information available" ); } } else if ( op->o_bd->be_search ) { if ( limits_check( op, rs ) == 0 ) { /* actually do the search and send the result(s) */ (op->o_bd->be_search)( op, rs ); } /* else limits_check() sends error */ } else { send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM, "operation not supported within namingContext" ); } return_results:; op->o_bd = bd; return rs->sr_err; }
int fe_op_bind( Operation *op, SlapReply *rs ) { BackendDB *bd = op->o_bd; /* check for inappropriate controls */ if( get_manageDSAit( op ) == SLAP_CONTROL_CRITICAL ) { send_ldap_error( op, rs, LDAP_UNAVAILABLE_CRITICAL_EXTENSION, "manageDSAit control inappropriate" ); goto cleanup; } if ( op->orb_method == LDAP_AUTH_SASL ) { if ( op->o_protocol < LDAP_VERSION3 ) { Debug( LDAP_DEBUG_ANY, "do_bind: sasl with LDAPv%ld\n", (unsigned long)op->o_protocol ); send_ldap_discon( op, rs, LDAP_PROTOCOL_ERROR, "SASL bind requires LDAPv3" ); rs->sr_err = SLAPD_DISCONNECT; goto cleanup; } if( BER_BVISNULL( &op->orb_mech ) || BER_BVISEMPTY( &op->orb_mech ) ) { Debug( LDAP_DEBUG_ANY, "do_bind: no sasl mechanism provided\n" ); send_ldap_error( op, rs, LDAP_AUTH_METHOD_NOT_SUPPORTED, "no SASL mechanism provided" ); goto cleanup; } /* check restrictions */ if( backend_check_restrictions( op, rs, &op->orb_mech ) != LDAP_SUCCESS ) { send_ldap_result( op, rs ); goto cleanup; } ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex ); if ( op->o_conn->c_sasl_bind_in_progress ) { if( !bvmatch( &op->o_conn->c_sasl_bind_mech, &op->orb_mech ) ) { /* mechanism changed between bind steps */ slap_sasl_reset(op->o_conn); } } else { ber_dupbv(&op->o_conn->c_sasl_bind_mech, &op->orb_mech); } /* Set the bindop for the benefit of in-directory SASL lookups */ op->o_conn->c_sasl_bindop = op; ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex ); rs->sr_err = slap_sasl_bind( op, rs ); goto cleanup; } else { /* Not SASL, cancel any in-progress bind */ ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex ); if ( !BER_BVISNULL( &op->o_conn->c_sasl_bind_mech ) ) { free( op->o_conn->c_sasl_bind_mech.bv_val ); BER_BVZERO( &op->o_conn->c_sasl_bind_mech ); } op->o_conn->c_sasl_bind_in_progress = 0; slap_sasl_reset( op->o_conn ); ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex ); } if ( op->orb_method == LDAP_AUTH_SIMPLE ) { BER_BVSTR( &op->orb_mech, "SIMPLE" ); /* accept "anonymous" binds */ if ( BER_BVISEMPTY( &op->orb_cred ) || BER_BVISEMPTY( &op->o_req_ndn ) ) { rs->sr_err = LDAP_SUCCESS; if( !BER_BVISEMPTY( &op->orb_cred ) && !( global_allows & SLAP_ALLOW_BIND_ANON_CRED )) { /* cred is not empty, disallow */ rs->sr_err = LDAP_INVALID_CREDENTIALS; } else if ( !BER_BVISEMPTY( &op->o_req_ndn ) && !( global_allows & SLAP_ALLOW_BIND_ANON_DN )) { /* DN is not empty, disallow */ rs->sr_err = LDAP_UNWILLING_TO_PERFORM; rs->sr_text = "unauthenticated bind (DN with no password) disallowed"; } else if ( global_disallows & SLAP_DISALLOW_BIND_ANON ) { /* disallow */ rs->sr_err = LDAP_INAPPROPRIATE_AUTH; rs->sr_text = "anonymous bind disallowed"; } else { backend_check_restrictions( op, rs, &op->orb_mech ); } /* * we already forced connection to "anonymous", * just need to send success */ send_ldap_result( op, rs ); Debug( LDAP_DEBUG_TRACE, "do_bind: v%d anonymous bind\n", op->o_protocol ); goto cleanup; } else if ( global_disallows & SLAP_DISALLOW_BIND_SIMPLE ) { /* disallow simple authentication */ rs->sr_err = LDAP_UNWILLING_TO_PERFORM; rs->sr_text = "unwilling to perform simple authentication"; send_ldap_result( op, rs ); Debug( LDAP_DEBUG_TRACE, "do_bind: v%d simple bind(%s) disallowed\n", op->o_protocol, op->o_req_ndn.bv_val ); goto cleanup; } } else { rs->sr_err = LDAP_AUTH_METHOD_NOT_SUPPORTED; rs->sr_text = "unknown authentication method"; send_ldap_result( op, rs ); Debug( LDAP_DEBUG_TRACE, "do_bind: v%d unknown authentication method (%d)\n", op->o_protocol, op->orb_method ); goto cleanup; } /* * We could be serving multiple database backends. Select the * appropriate one, or send a referral to our "referral server" * if we don't hold it. */ if ( (op->o_bd = select_backend( &op->o_req_ndn, 0 )) == NULL ) { /* don't return referral for bind requests */ /* noSuchObject is not allowed to be returned by bind */ rs->sr_err = LDAP_INVALID_CREDENTIALS; op->o_bd = bd; send_ldap_result( op, rs ); goto cleanup; } /* check restrictions */ if( backend_check_restrictions( op, rs, NULL ) != LDAP_SUCCESS ) { send_ldap_result( op, rs ); goto cleanup; } if( op->o_bd->be_bind ) { op->o_conn->c_authz_cookie = NULL; rs->sr_err = (op->o_bd->be_bind)( op, rs ); if ( rs->sr_err == 0 ) { (void)fe_op_bind_success( op, rs ); } else if ( !BER_BVISNULL( &op->orb_edn ) ) { free( op->orb_edn.bv_val ); BER_BVZERO( &op->orb_edn ); } } else { send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM, "operation not supported within naming context" ); } cleanup:; op->o_bd = bd; return rs->sr_err; }
int fe_op_delete( Operation *op, SlapReply *rs ) { struct berval pdn = BER_BVNULL; BackendDB *op_be, *bd = op->o_bd; /* * We could be serving multiple database backends. Select the * appropriate one, or send a referral to our "referral server" * if we don't hold it. */ op->o_bd = select_backend( &op->o_req_ndn, 1 ); if ( op->o_bd == NULL ) { op->o_bd = bd; rs->sr_ref = referral_rewrite( default_referral, NULL, &op->o_req_dn, LDAP_SCOPE_DEFAULT ); if (!rs->sr_ref) rs->sr_ref = default_referral; if ( rs->sr_ref != NULL ) { rs->sr_err = LDAP_REFERRAL; send_ldap_result( op, rs ); if (rs->sr_ref != default_referral) ber_bvarray_free( rs->sr_ref ); } else { send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM, "no global superior knowledge" ); } goto cleanup; } /* If we've got a glued backend, check the real backend */ op_be = op->o_bd; if ( SLAP_GLUE_INSTANCE( op->o_bd )) { op->o_bd = select_backend( &op->o_req_ndn, 0 ); } /* check restrictions */ if( backend_check_restrictions( op, rs, NULL ) != LDAP_SUCCESS ) { send_ldap_result( op, rs ); goto cleanup; } /* check for referrals */ if( backend_check_referrals( op, rs ) != LDAP_SUCCESS ) { goto cleanup; } /* * do the delete if 1 && (2 || 3) * 1) there is a delete function implemented in this backend; * 2) this backend is master for what it holds; * 3) it's a replica and the dn supplied is the update_ndn. */ if ( op->o_bd->be_delete ) { /* do the update here */ int repl_user = be_isupdate( op ); if ( !SLAP_SINGLE_SHADOW(op->o_bd) || repl_user ) { struct berval org_req_dn = BER_BVNULL; struct berval org_req_ndn = BER_BVNULL; struct berval org_dn = BER_BVNULL; struct berval org_ndn = BER_BVNULL; int org_managedsait; op->o_bd = op_be; op->o_bd->be_delete( op, rs ); org_req_dn = op->o_req_dn; org_req_ndn = op->o_req_ndn; org_dn = op->o_dn; org_ndn = op->o_ndn; org_managedsait = get_manageDSAit( op ); op->o_dn = op->o_bd->be_rootdn; op->o_ndn = op->o_bd->be_rootndn; op->o_managedsait = SLAP_CONTROL_NONCRITICAL; while ( rs->sr_err == LDAP_SUCCESS && op->o_delete_glue_parent ) { op->o_delete_glue_parent = 0; if ( !be_issuffix( op->o_bd, &op->o_req_ndn )) { slap_callback cb = { NULL, NULL, NULL, NULL }; cb.sc_response = slap_null_cb; dnParent( &op->o_req_ndn, &pdn ); op->o_req_dn = pdn; op->o_req_ndn = pdn; op->o_callback = &cb; op->o_bd->be_delete( op, rs ); } else { break; } } op->o_managedsait = org_managedsait; op->o_dn = org_dn; op->o_ndn = org_ndn; op->o_req_dn = org_req_dn; op->o_req_ndn = org_req_ndn; op->o_delete_glue_parent = 0; } else { BerVarray defref = op->o_bd->be_update_refs ? op->o_bd->be_update_refs : default_referral; if ( defref != NULL ) { rs->sr_ref = referral_rewrite( defref, NULL, &op->o_req_dn, LDAP_SCOPE_DEFAULT ); if (!rs->sr_ref) rs->sr_ref = defref; rs->sr_err = LDAP_REFERRAL; send_ldap_result( op, rs ); if (rs->sr_ref != defref) ber_bvarray_free( rs->sr_ref ); } else { send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM, "shadow context; no update referral" ); } } } else { send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM, "operation not supported within namingContext" ); } cleanup:; op->o_bd = bd; return rs->sr_err; }
int passwd_extop( Operation *op, SlapReply *rs ) { struct berval id = {0, NULL}, hash, *rsp = NULL; req_pwdexop_s *qpw = &op->oq_pwdexop; req_extended_s qext = op->oq_extended; Modifications *ml; slap_callback cb = { NULL, slap_null_cb, NULL, NULL }; int i, nhash; char **hashes, idNul; int rc; BackendDB *op_be; int freenewpw = 0; struct berval dn = BER_BVNULL, ndn = BER_BVNULL; assert( ber_bvcmp( &slap_EXOP_MODIFY_PASSWD, &op->ore_reqoid ) == 0 ); if( op->o_dn.bv_len == 0 ) { Statslog( LDAP_DEBUG_STATS, "%s PASSMOD\n", op->o_log_prefix, 0, 0, 0, 0 ); rs->sr_text = "only authenticated users may change passwords"; return LDAP_STRONG_AUTH_REQUIRED; } qpw->rs_old.bv_len = 0; qpw->rs_old.bv_val = NULL; qpw->rs_new.bv_len = 0; qpw->rs_new.bv_val = NULL; qpw->rs_mods = NULL; qpw->rs_modtail = NULL; rs->sr_err = slap_passwd_parse( op->ore_reqdata, &id, &qpw->rs_old, &qpw->rs_new, &rs->sr_text ); if ( !BER_BVISNULL( &id )) { idNul = id.bv_val[id.bv_len]; id.bv_val[id.bv_len] = '\0'; } if ( rs->sr_err == LDAP_SUCCESS && !BER_BVISEMPTY( &id ) ) { Statslog( LDAP_DEBUG_STATS, "%s PASSMOD id=\"%s\"%s%s\n", op->o_log_prefix, id.bv_val, qpw->rs_old.bv_val ? " old" : "", qpw->rs_new.bv_val ? " new" : "", 0 ); } else { Statslog( LDAP_DEBUG_STATS, "%s PASSMOD%s%s\n", op->o_log_prefix, qpw->rs_old.bv_val ? " old" : "", qpw->rs_new.bv_val ? " new" : "", 0, 0 ); } if ( rs->sr_err != LDAP_SUCCESS ) { if ( !BER_BVISNULL( &id )) id.bv_val[id.bv_len] = idNul; return rs->sr_err; } if ( !BER_BVISEMPTY( &id ) ) { rs->sr_err = dnPrettyNormal( NULL, &id, &dn, &ndn, op->o_tmpmemctx ); id.bv_val[id.bv_len] = idNul; if ( rs->sr_err != LDAP_SUCCESS ) { rs->sr_text = "Invalid DN"; rc = rs->sr_err; goto error_return; } op->o_req_dn = dn; op->o_req_ndn = ndn; op->o_bd = select_backend( &op->o_req_ndn, 1 ); } else { ber_dupbv_x( &dn, &op->o_dn, op->o_tmpmemctx ); ber_dupbv_x( &ndn, &op->o_ndn, op->o_tmpmemctx ); op->o_req_dn = dn; op->o_req_ndn = ndn; ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex ); op->o_bd = op->o_conn->c_authz_backend; ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex ); } if( op->o_bd == NULL ) { if ( qpw->rs_old.bv_val != NULL ) { rs->sr_text = "unwilling to verify old password"; rc = LDAP_UNWILLING_TO_PERFORM; goto error_return; } #ifdef HAVE_CYRUS_SASL rc = slap_sasl_setpass( op, rs ); #else rs->sr_text = "no authz backend"; rc = LDAP_OTHER; #endif goto error_return; } if ( op->o_req_ndn.bv_len == 0 ) { rs->sr_text = "no password is associated with the Root DSE"; rc = LDAP_UNWILLING_TO_PERFORM; goto error_return; } /* If we've got a glued backend, check the real backend */ op_be = op->o_bd; if ( SLAP_GLUE_INSTANCE( op->o_bd )) { op->o_bd = select_backend( &op->o_req_ndn, 0 ); } if (backend_check_restrictions( op, rs, (struct berval *)&slap_EXOP_MODIFY_PASSWD ) != LDAP_SUCCESS) { rc = rs->sr_err; goto error_return; } /* check for referrals */ if ( backend_check_referrals( op, rs ) != LDAP_SUCCESS ) { rc = rs->sr_err; goto error_return; } /* This does not apply to multi-master case */ if(!( !SLAP_SINGLE_SHADOW( op->o_bd ) || be_isupdate( op ))) { /* we SHOULD return a referral in this case */ BerVarray defref = op->o_bd->be_update_refs ? op->o_bd->be_update_refs : default_referral; if( defref != NULL ) { rs->sr_ref = referral_rewrite( op->o_bd->be_update_refs, NULL, NULL, LDAP_SCOPE_DEFAULT ); if(rs->sr_ref) { rs->sr_flags |= REP_REF_MUSTBEFREED; } else { rs->sr_ref = defref; } rc = LDAP_REFERRAL; goto error_return; } rs->sr_text = "shadow context; no update referral"; rc = LDAP_UNWILLING_TO_PERFORM; goto error_return; } /* generate a new password if none was provided */ if ( qpw->rs_new.bv_len == 0 ) { slap_passwd_generate( &qpw->rs_new ); if ( qpw->rs_new.bv_len ) { rsp = slap_passwd_return( &qpw->rs_new ); freenewpw = 1; } } if ( qpw->rs_new.bv_len == 0 ) { rs->sr_text = "password generation failed"; rc = LDAP_OTHER; goto error_return; } op->o_bd = op_be; /* Give the backend a chance to handle this itself */ if ( op->o_bd->be_extended ) { rs->sr_err = op->o_bd->be_extended( op, rs ); if ( rs->sr_err != LDAP_UNWILLING_TO_PERFORM && rs->sr_err != SLAP_CB_CONTINUE ) { rc = rs->sr_err; if ( rsp ) { rs->sr_rspdata = rsp; rsp = NULL; } goto error_return; } } /* The backend didn't handle it, so try it here */ if( op->o_bd && !op->o_bd->be_modify ) { rs->sr_text = "operation not supported for current user"; rc = LDAP_UNWILLING_TO_PERFORM; goto error_return; } if ( qpw->rs_old.bv_val != NULL ) { Entry *e = NULL; rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, slap_schema.si_ad_userPassword, 0, &e ); if ( rc == LDAP_SUCCESS && e ) { Attribute *a = attr_find( e->e_attrs, slap_schema.si_ad_userPassword ); if ( a ) rc = slap_passwd_check( op, e, a, &qpw->rs_old, &rs->sr_text ); else rc = 1; be_entry_release_r( op, e ); if ( rc == LDAP_SUCCESS ) goto old_good; } rs->sr_text = "unwilling to verify old password"; rc = LDAP_UNWILLING_TO_PERFORM; goto error_return; } old_good: ml = ch_malloc( sizeof(Modifications) ); if ( !qpw->rs_modtail ) qpw->rs_modtail = &ml->sml_next; if ( default_passwd_hash ) { for ( nhash = 0; default_passwd_hash[nhash]; nhash++ ); hashes = default_passwd_hash; } else { nhash = 1; hashes = (char **)defhash; } ml->sml_numvals = nhash; ml->sml_values = ch_malloc( (nhash+1)*sizeof(struct berval) ); for ( i=0; hashes[i]; i++ ) { slap_passwd_hash_type( &qpw->rs_new, &hash, hashes[i], &rs->sr_text ); if ( hash.bv_len == 0 ) { if ( !rs->sr_text ) { rs->sr_text = "password hash failed"; } break; } ml->sml_values[i] = hash; } ml->sml_values[i].bv_val = NULL; ml->sml_nvalues = NULL; ml->sml_desc = slap_schema.si_ad_userPassword; ml->sml_type = ml->sml_desc->ad_cname; ml->sml_op = LDAP_MOD_REPLACE; ml->sml_flags = 0; ml->sml_next = qpw->rs_mods; qpw->rs_mods = ml; if ( hashes[i] ) { rs->sr_err = LDAP_OTHER; } else { slap_callback *sc = op->o_callback; op->o_tag = LDAP_REQ_MODIFY; op->o_callback = &cb; op->orm_modlist = qpw->rs_mods; op->orm_no_opattrs = 0; cb.sc_private = qpw; /* let Modify know this was pwdMod, * if it cares... */ rs->sr_err = op->o_bd->be_modify( op, rs ); /* be_modify() might have shuffled modifications */ qpw->rs_mods = op->orm_modlist; if ( rs->sr_err == LDAP_SUCCESS ) { rs->sr_rspdata = rsp; } else if ( rsp ) { ber_bvfree( rsp ); rsp = NULL; } op->o_tag = LDAP_REQ_EXTENDED; op->o_callback = sc; } rc = rs->sr_err; op->oq_extended = qext; error_return:; if ( qpw->rs_mods ) { slap_mods_free( qpw->rs_mods, 1 ); } if ( freenewpw ) { free( qpw->rs_new.bv_val ); } if ( !BER_BVISNULL( &dn ) ) { op->o_tmpfree( dn.bv_val, op->o_tmpmemctx ); BER_BVZERO( &op->o_req_dn ); } if ( !BER_BVISNULL( &ndn ) ) { op->o_tmpfree( ndn.bv_val, op->o_tmpmemctx ); BER_BVZERO( &op->o_req_ndn ); } return rc; }
int fe_op_modrdn( Operation *op, SlapReply *rs ) { struct berval dest_ndn = BER_BVNULL, dest_pndn, pdn = BER_BVNULL; BackendDB *op_be, *bd = op->o_bd; ber_slen_t diff; if( op->o_req_ndn.bv_len == 0 ) { Debug( LDAP_DEBUG_ANY, "%s do_modrdn: root dse!\n", op->o_log_prefix, 0, 0 ); send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM, "cannot rename the root DSE" ); goto cleanup; } else if ( bvmatch( &op->o_req_ndn, &frontendDB->be_schemandn ) ) { Debug( LDAP_DEBUG_ANY, "%s do_modrdn: subschema subentry: %s (%ld)\n", op->o_log_prefix, frontendDB->be_schemandn.bv_val, (long)frontendDB->be_schemandn.bv_len ); send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM, "cannot rename subschema subentry" ); goto cleanup; } if( op->orr_nnewSup ) { dest_pndn = *op->orr_nnewSup; } else { dnParent( &op->o_req_ndn, &dest_pndn ); } build_new_dn( &dest_ndn, &dest_pndn, &op->orr_nnewrdn, op->o_tmpmemctx ); diff = (ber_slen_t) dest_ndn.bv_len - (ber_slen_t) op->o_req_ndn.bv_len; if ( diff > 0 ? dnIsSuffix( &dest_ndn, &op->o_req_ndn ) : diff < 0 && dnIsSuffix( &op->o_req_ndn, &dest_ndn ) ) { send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM, diff > 0 ? "cannot place an entry below itself" : "cannot place an entry above itself" ); goto cleanup; } /* * We could be serving multiple database backends. Select the * appropriate one, or send a referral to our "referral server" * if we don't hold it. */ op->o_bd = select_backend( &op->o_req_ndn, 1 ); if ( op->o_bd == NULL ) { op->o_bd = bd; rs->sr_ref = referral_rewrite( default_referral, NULL, &op->o_req_dn, LDAP_SCOPE_DEFAULT ); if (!rs->sr_ref) rs->sr_ref = default_referral; if ( rs->sr_ref != NULL ) { rs->sr_err = LDAP_REFERRAL; send_ldap_result( op, rs ); if (rs->sr_ref != default_referral) ber_bvarray_free( rs->sr_ref ); } else { send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM, "no global superior knowledge" ); } goto cleanup; } /* If we've got a glued backend, check the real backend */ op_be = op->o_bd; if ( SLAP_GLUE_INSTANCE( op->o_bd )) { op->o_bd = select_backend( &op->o_req_ndn, 0 ); } /* check restrictions */ if( backend_check_restrictions( op, rs, NULL ) != LDAP_SUCCESS ) { send_ldap_result( op, rs ); goto cleanup; } /* check for referrals */ if ( backend_check_referrals( op, rs ) != LDAP_SUCCESS ) { goto cleanup; } /* check that destination DN is in the same backend as source DN */ if ( select_backend( &dest_ndn, 0 ) != op->o_bd ) { send_ldap_error( op, rs, LDAP_AFFECTS_MULTIPLE_DSAS, "cannot rename between DSAs" ); goto cleanup; } /* * do the modrdn if 1 && (2 || 3) * 1) there is a modrdn function implemented in this backend; * 2) this backend is master for what it holds; * 3) it's a replica and the dn supplied is the update_ndn. */ if ( op->o_bd->be_modrdn ) { /* do the update here */ int repl_user = be_isupdate( op ); if ( !SLAP_SINGLE_SHADOW(op->o_bd) || repl_user ) { op->o_bd = op_be; op->o_bd->be_modrdn( op, rs ); if ( op->o_bd->be_delete ) { struct berval org_req_dn = BER_BVNULL; struct berval org_req_ndn = BER_BVNULL; struct berval org_dn = BER_BVNULL; struct berval org_ndn = BER_BVNULL; int org_managedsait; org_req_dn = op->o_req_dn; org_req_ndn = op->o_req_ndn; org_dn = op->o_dn; org_ndn = op->o_ndn; org_managedsait = get_manageDSAit( op ); op->o_dn = op->o_bd->be_rootdn; op->o_ndn = op->o_bd->be_rootndn; op->o_managedsait = SLAP_CONTROL_NONCRITICAL; while ( rs->sr_err == LDAP_SUCCESS && op->o_delete_glue_parent ) { op->o_delete_glue_parent = 0; if ( !be_issuffix( op->o_bd, &op->o_req_ndn )) { slap_callback cb = { NULL }; cb.sc_response = slap_null_cb; dnParent( &op->o_req_ndn, &pdn ); op->o_req_dn = pdn; op->o_req_ndn = pdn; op->o_callback = &cb; op->o_bd->be_delete( op, rs ); } else { break; } } op->o_managedsait = org_managedsait; op->o_dn = org_dn; op->o_ndn = org_ndn; op->o_req_dn = org_req_dn; op->o_req_ndn = org_req_ndn; op->o_delete_glue_parent = 0; } } else { BerVarray defref = op->o_bd->be_update_refs ? op->o_bd->be_update_refs : default_referral; if ( defref != NULL ) { rs->sr_ref = referral_rewrite( defref, NULL, &op->o_req_dn, LDAP_SCOPE_DEFAULT ); if (!rs->sr_ref) rs->sr_ref = defref; rs->sr_err = LDAP_REFERRAL; send_ldap_result( op, rs ); if (rs->sr_ref != defref) ber_bvarray_free( rs->sr_ref ); } else { send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM, "shadow context; no update referral" ); } } } else { send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM, "operation not supported within namingContext" ); } cleanup:; if ( dest_ndn.bv_val != NULL ) ber_memfree_x( dest_ndn.bv_val, op->o_tmpmemctx ); op->o_bd = bd; return rs->sr_err; }
int fe_op_modify( Operation *op, SlapReply *rs ) { BackendDB *op_be, *bd = op->o_bd; char textbuf[ SLAP_TEXT_BUFLEN ]; size_t textlen = sizeof( textbuf ); if ( BER_BVISEMPTY( &op->o_req_ndn ) ) { Debug( LDAP_DEBUG_ANY, "%s do_modify: root dse!\n", op->o_log_prefix, 0, 0 ); send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM, "modify upon the root DSE not supported" ); goto cleanup; } else if ( bvmatch( &op->o_req_ndn, &frontendDB->be_schemandn ) ) { Debug( LDAP_DEBUG_ANY, "%s do_modify: subschema subentry!\n", op->o_log_prefix, 0, 0 ); send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM, "modification of subschema subentry not supported" ); goto cleanup; } /* * We could be serving multiple database backends. Select the * appropriate one, or send a referral to our "referral server" * if we don't hold it. */ op->o_bd = select_backend( &op->o_req_ndn, 1 ); if ( op->o_bd == NULL ) { op->o_bd = bd; rs->sr_ref = referral_rewrite( default_referral, NULL, &op->o_req_dn, LDAP_SCOPE_DEFAULT ); if ( !rs->sr_ref ) { rs->sr_ref = default_referral; } if ( rs->sr_ref != NULL ) { rs->sr_err = LDAP_REFERRAL; send_ldap_result( op, rs ); if ( rs->sr_ref != default_referral ) { ber_bvarray_free( rs->sr_ref ); } } else { send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM, "no global superior knowledge" ); } goto cleanup; } /* If we've got a glued backend, check the real backend */ op_be = op->o_bd; if ( SLAP_GLUE_INSTANCE( op->o_bd )) { op->o_bd = select_backend( &op->o_req_ndn, 0 ); } /* check restrictions */ if ( backend_check_restrictions( op, rs, NULL ) != LDAP_SUCCESS ) { send_ldap_result( op, rs ); goto cleanup; } /* check for referrals */ if ( backend_check_referrals( op, rs ) != LDAP_SUCCESS ) { goto cleanup; } rs->sr_err = slap_mods_obsolete_check( op, op->orm_modlist, &rs->sr_text, textbuf, textlen ); if ( rs->sr_err != LDAP_SUCCESS ) { send_ldap_result( op, rs ); goto cleanup; } /* check for modify/increment support */ if ( op->orm_increment && !SLAP_INCREMENT( op->o_bd ) ) { send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM, "modify/increment not supported in context" ); goto cleanup; } /* * do the modify if 1 && (2 || 3) * 1) there is a modify function implemented in this backend; * 2) this backend is master for what it holds; * 3) it's a replica and the dn supplied is the update_ndn. */ if ( op->o_bd->be_modify ) { /* do the update here */ int repl_user = be_isupdate( op ); /* * Multimaster slapd does not have to check for replicator dn * because it accepts each modify request */ if ( !SLAP_SINGLE_SHADOW(op->o_bd) || repl_user ) { int update = !BER_BVISEMPTY( &op->o_bd->be_update_ndn ); op->o_bd = op_be; if ( !update ) { rs->sr_err = slap_mods_no_user_mod_check( op, op->orm_modlist, &rs->sr_text, textbuf, textlen ); if ( rs->sr_err != LDAP_SUCCESS ) { send_ldap_result( op, rs ); goto cleanup; } } op->o_bd->be_modify( op, rs ); } else { /* send a referral */ BerVarray defref = op->o_bd->be_update_refs ? op->o_bd->be_update_refs : default_referral; if ( defref != NULL ) { rs->sr_ref = referral_rewrite( defref, NULL, &op->o_req_dn, LDAP_SCOPE_DEFAULT ); if ( rs->sr_ref == NULL ) { /* FIXME: must duplicate, because * overlays may muck with it */ rs->sr_ref = defref; } rs->sr_err = LDAP_REFERRAL; send_ldap_result( op, rs ); if ( rs->sr_ref != defref ) { ber_bvarray_free( rs->sr_ref ); } } else { send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM, "shadow context; no update referral" ); } } } else { send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM, "operation not supported within namingContext" ); } cleanup:; op->o_bd = bd; return rs->sr_err; }
int passwd_extop( Connection *conn, Operation *op, const char *reqoid, struct berval *reqdata, char **rspoid, struct berval **rspdata, LDAPControl ***rspctrls, const char **text, BerVarray *refs ) { Backend *be; int rc; assert( reqoid != NULL ); assert( strcmp( LDAP_EXOP_MODIFY_PASSWD, reqoid ) == 0 ); if( op->o_dn.bv_len == 0 ) { *text = "only authenticated users may change passwords"; return LDAP_STRONG_AUTH_REQUIRED; } ldap_pvt_thread_mutex_lock( &conn->c_mutex ); be = conn->c_authz_backend; ldap_pvt_thread_mutex_unlock( &conn->c_mutex ); if( be && !be->be_extended ) { *text = "operation not supported for current user"; return LDAP_UNWILLING_TO_PERFORM; } { struct berval passwd = BER_BVC( LDAP_EXOP_MODIFY_PASSWD ); rc = backend_check_restrictions( be, conn, op, &passwd, text ); } if( rc != LDAP_SUCCESS ) { return rc; } if( be == NULL ) { #ifdef HAVE_CYRUS_SASL rc = slap_sasl_setpass( conn, op, reqoid, reqdata, rspoid, rspdata, rspctrls, text ); #else *text = "no authz backend"; rc = LDAP_OTHER; #endif #ifndef SLAPD_MULTIMASTER /* This does not apply to multi-master case */ } else if( be->be_update_ndn.bv_len ) { /* we SHOULD return a referral in this case */ *refs = referral_rewrite( be->be_update_refs, NULL, NULL, LDAP_SCOPE_DEFAULT ); rc = LDAP_REFERRAL; #endif /* !SLAPD_MULTIMASTER */ } else { rc = be->be_extended( be, conn, op, reqoid, reqdata, rspoid, rspdata, rspctrls, text, refs ); } return rc; }
int fe_op_compare( Operation *op, SlapReply *rs ) { Entry *entry = NULL; AttributeAssertion *ava = op->orc_ava; BackendDB *bd = op->o_bd; if( strcasecmp( op->o_req_ndn.bv_val, LDAP_ROOT_DSE ) == 0 ) { if( backend_check_restrictions( op, rs, NULL ) != LDAP_SUCCESS ) { send_ldap_result( op, rs ); goto cleanup; } rs->sr_err = root_dse_info( op->o_conn, &entry, &rs->sr_text ); if( rs->sr_err != LDAP_SUCCESS ) { send_ldap_result( op, rs ); goto cleanup; } } else if ( bvmatch( &op->o_req_ndn, &frontendDB->be_schemandn ) ) { if( backend_check_restrictions( op, rs, NULL ) != LDAP_SUCCESS ) { send_ldap_result( op, rs ); rs->sr_err = 0; goto cleanup; } rs->sr_err = schema_info( &entry, &rs->sr_text ); if( rs->sr_err != LDAP_SUCCESS ) { send_ldap_result( op, rs ); rs->sr_err = 0; goto cleanup; } } if( entry ) { rs->sr_err = slap_compare_entry( op, entry, ava ); entry_free( entry ); send_ldap_result( op, rs ); if( rs->sr_err == LDAP_COMPARE_TRUE || rs->sr_err == LDAP_COMPARE_FALSE ) { rs->sr_err = LDAP_SUCCESS; } goto cleanup; } /* * We could be serving multiple database backends. Select the * appropriate one, or send a referral to our "referral server" * if we don't hold it. */ op->o_bd = select_backend( &op->o_req_ndn, 0 ); if ( op->o_bd == NULL ) { rs->sr_ref = referral_rewrite( default_referral, NULL, &op->o_req_dn, LDAP_SCOPE_DEFAULT ); rs->sr_err = LDAP_REFERRAL; if (!rs->sr_ref) rs->sr_ref = default_referral; op->o_bd = bd; send_ldap_result( op, rs ); if (rs->sr_ref != default_referral) ber_bvarray_free( rs->sr_ref ); rs->sr_err = 0; goto cleanup; } /* check restrictions */ if( backend_check_restrictions( op, rs, NULL ) != LDAP_SUCCESS ) { send_ldap_result( op, rs ); goto cleanup; } /* check for referrals */ if( backend_check_referrals( op, rs ) != LDAP_SUCCESS ) { goto cleanup; } if ( SLAP_SHADOW(op->o_bd) && get_dontUseCopy(op) ) { /* don't use shadow copy */ send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM, "copy not used" ); } else if ( ava->aa_desc == slap_schema.si_ad_entryDN ) { send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM, "entryDN compare not supported" ); } else if ( ava->aa_desc == slap_schema.si_ad_subschemaSubentry ) { send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM, "subschemaSubentry compare not supported" ); #ifndef SLAP_COMPARE_IN_FRONTEND } else if ( ava->aa_desc == slap_schema.si_ad_hasSubordinates && op->o_bd->be_has_subordinates ) { int rc, hasSubordinates = LDAP_SUCCESS; rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &entry ); if ( rc == 0 && entry ) { if ( ! access_allowed( op, entry, ava->aa_desc, &ava->aa_value, ACL_COMPARE, NULL ) ) { rc = rs->sr_err = LDAP_INSUFFICIENT_ACCESS; } else { rc = rs->sr_err = op->o_bd->be_has_subordinates( op, entry, &hasSubordinates ); be_entry_release_r( op, entry ); } } if ( rc == 0 ) { int asserted; asserted = bvmatch( &ava->aa_value, &slap_true_bv ) ? LDAP_COMPARE_TRUE : LDAP_COMPARE_FALSE; if ( hasSubordinates == asserted ) { rs->sr_err = LDAP_COMPARE_TRUE; } else { rs->sr_err = LDAP_COMPARE_FALSE; } } else { /* return error only if "disclose" * is granted on the object */ if ( backend_access( op, NULL, &op->o_req_ndn, slap_schema.si_ad_entry, NULL, ACL_DISCLOSE, NULL ) == LDAP_INSUFFICIENT_ACCESS ) { rs->sr_err = LDAP_NO_SUCH_OBJECT; } } send_ldap_result( op, rs ); if ( rc == 0 ) { rs->sr_err = LDAP_SUCCESS; } } else if ( op->o_bd->be_compare ) { rs->sr_err = op->o_bd->be_compare( op, rs ); #endif /* ! SLAP_COMPARE_IN_FRONTEND */ } else { rs->sr_err = SLAP_CB_CONTINUE; } if ( rs->sr_err == SLAP_CB_CONTINUE ) { /* do our best to compare that AVA * * NOTE: this code is used only * if SLAP_COMPARE_IN_FRONTEND * is #define'd (it's not by default) * or if op->o_bd->be_compare is NULL. * * FIXME: one potential issue is that * if SLAP_COMPARE_IN_FRONTEND overlays * are not executed for compare. */ BerVarray vals = NULL; int rc = LDAP_OTHER; rs->sr_err = backend_attribute( op, NULL, &op->o_req_ndn, ava->aa_desc, &vals, ACL_COMPARE ); switch ( rs->sr_err ) { default: /* return error only if "disclose" * is granted on the object */ if ( backend_access( op, NULL, &op->o_req_ndn, slap_schema.si_ad_entry, NULL, ACL_DISCLOSE, NULL ) == LDAP_INSUFFICIENT_ACCESS ) { rs->sr_err = LDAP_NO_SUCH_OBJECT; } break; case LDAP_SUCCESS: if ( value_find_ex( op->oq_compare.rs_ava->aa_desc, SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH | SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH, vals, &ava->aa_value, op->o_tmpmemctx ) == 0 ) { rs->sr_err = LDAP_COMPARE_TRUE; break; } else { rs->sr_err = LDAP_COMPARE_FALSE; } rc = LDAP_SUCCESS; break; } send_ldap_result( op, rs ); if ( rc == 0 ) { rs->sr_err = LDAP_SUCCESS; } if ( vals ) { ber_bvarray_free_x( vals, op->o_tmpmemctx ); } } cleanup:; op->o_bd = bd; return rs->sr_err; }
int do_add( Connection *conn, Operation *op ) { BerElement *ber = op->o_ber; char *last; struct berval dn = { 0, NULL }; ber_len_t len; ber_tag_t tag; Entry *e; Backend *be; Modifications *modlist = NULL; Modifications **modtail = &modlist; Modifications tmp; const char *text; int rc = LDAP_SUCCESS; int manageDSAit; #ifdef LDAP_SLAPI Slapi_PBlock *pb = NULL; #endif /* LDAP_SLAPI */ #ifdef NEW_LOGGING LDAP_LOG( OPERATION, ENTRY, "do_add: conn %d enter\n", conn->c_connid,0,0 ); #else Debug( LDAP_DEBUG_TRACE, "do_add\n", 0, 0, 0 ); #endif /* * Parse the add request. It looks like this: * * AddRequest := [APPLICATION 14] SEQUENCE { * name DistinguishedName, * attrs SEQUENCE OF SEQUENCE { * type AttributeType, * values SET OF AttributeValue * } * } */ /* get the name */ if ( ber_scanf( ber, "{m", /*}*/ &dn ) == LBER_ERROR ) { #ifdef NEW_LOGGING LDAP_LOG( OPERATION, ERR, "do_add: conn %d ber_scanf failed\n", conn->c_connid,0,0 ); #else Debug( LDAP_DEBUG_ANY, "do_add: ber_scanf failed\n", 0, 0, 0 ); #endif send_ldap_disconnect( conn, op, LDAP_PROTOCOL_ERROR, "decoding error" ); return -1; } e = (Entry *) ch_calloc( 1, sizeof(Entry) ); rc = dnPrettyNormal( NULL, &dn, &e->e_name, &e->e_nname ); if( rc != LDAP_SUCCESS ) { #ifdef NEW_LOGGING LDAP_LOG( OPERATION, ERR, "do_add: conn %d invalid dn (%s)\n", conn->c_connid, dn.bv_val, 0 ); #else Debug( LDAP_DEBUG_ANY, "do_add: invalid dn (%s)\n", dn.bv_val, 0, 0 ); #endif send_ldap_result( conn, op, rc = LDAP_INVALID_DN_SYNTAX, NULL, "invalid DN", NULL, NULL ); goto done; } #ifdef NEW_LOGGING LDAP_LOG( OPERATION, ARGS, "do_add: conn %d dn (%s)\n", conn->c_connid, e->e_dn, 0 ); #else Debug( LDAP_DEBUG_ARGS, "do_add: dn (%s)\n", e->e_dn, 0, 0 ); #endif /* get the attrs */ for ( tag = ber_first_element( ber, &len, &last ); tag != LBER_DEFAULT; tag = ber_next_element( ber, &len, last ) ) { Modifications *mod; ber_tag_t rtag; rtag = ber_scanf( ber, "{m{W}}", &tmp.sml_type, &tmp.sml_bvalues ); if ( rtag == LBER_ERROR ) { #ifdef NEW_LOGGING LDAP_LOG( OPERATION, ERR, "do_add: conn %d decoding error \n", conn->c_connid, 0, 0 ); #else Debug( LDAP_DEBUG_ANY, "do_add: decoding error\n", 0, 0, 0 ); #endif send_ldap_disconnect( conn, op, LDAP_PROTOCOL_ERROR, "decoding error" ); rc = -1; goto done; } if ( tmp.sml_bvalues == NULL ) { #ifdef NEW_LOGGING LDAP_LOG( OPERATION, INFO, "do_add: conn %d no values for type %s\n", conn->c_connid, tmp.sml_type.bv_val, 0 ); #else Debug( LDAP_DEBUG_ANY, "no values for type %s\n", tmp.sml_type.bv_val, 0, 0 ); #endif send_ldap_result( conn, op, rc = LDAP_PROTOCOL_ERROR, NULL, "no values for attribute type", NULL, NULL ); goto done; } mod = (Modifications *) ch_malloc( sizeof(Modifications) ); mod->sml_op = LDAP_MOD_ADD; mod->sml_next = NULL; mod->sml_desc = NULL; mod->sml_type = tmp.sml_type; mod->sml_bvalues = tmp.sml_bvalues; *modtail = mod; modtail = &mod->sml_next; } if ( ber_scanf( ber, /*{*/ "}") == LBER_ERROR ) { #ifdef NEW_LOGGING LDAP_LOG( OPERATION, ERR, "do_add: conn %d ber_scanf failed\n", conn->c_connid, 0, 0 ); #else Debug( LDAP_DEBUG_ANY, "do_add: ber_scanf failed\n", 0, 0, 0 ); #endif send_ldap_disconnect( conn, op, LDAP_PROTOCOL_ERROR, "decoding error" ); rc = -1; goto done; } if( (rc = get_ctrls( conn, op, 1 )) != LDAP_SUCCESS ) { #ifdef NEW_LOGGING LDAP_LOG( OPERATION, INFO, "do_add: conn %d get_ctrls failed\n", conn->c_connid, 0, 0 ); #else Debug( LDAP_DEBUG_ANY, "do_add: get_ctrls failed\n", 0, 0, 0 ); #endif goto done; } if ( modlist == NULL ) { send_ldap_result( conn, op, rc = LDAP_PROTOCOL_ERROR, NULL, "no attributes provided", NULL, NULL ); goto done; } Statslog( LDAP_DEBUG_STATS, "conn=%lu op=%lu ADD dn=\"%s\"\n", op->o_connid, op->o_opid, e->e_dn, 0, 0 ); if( e->e_nname.bv_len == 0 ) { /* protocolError may be a more appropriate error */ send_ldap_result( conn, op, rc = LDAP_ALREADY_EXISTS, NULL, "root DSE already exists", NULL, NULL ); goto done; } else if ( bvmatch( &e->e_nname, &global_schemandn ) ) { send_ldap_result( conn, op, rc = LDAP_ALREADY_EXISTS, NULL, "subschema subentry already exists", NULL, NULL ); goto done; } manageDSAit = get_manageDSAit( op ); /* * We could be serving multiple database backends. Select the * appropriate one, or send a referral to our "referral server" * if we don't hold it. */ be = select_backend( &e->e_nname, manageDSAit, 0 ); if ( be == NULL ) { BerVarray ref = referral_rewrite( default_referral, NULL, &e->e_name, LDAP_SCOPE_DEFAULT ); if ( ref == NULL ) ref = default_referral; if ( ref != NULL ) { send_ldap_result( conn, op, rc = LDAP_REFERRAL, NULL, NULL, ref, NULL ); if ( ref != default_referral ) ber_bvarray_free( ref ); } else { send_ldap_result( conn, op, rc = LDAP_UNWILLING_TO_PERFORM, NULL, "referral missing", NULL, NULL ); } goto done; } /* check restrictions */ rc = backend_check_restrictions( be, conn, op, NULL, &text ) ; if( rc != LDAP_SUCCESS ) { send_ldap_result( conn, op, rc, NULL, text, NULL, NULL ); goto done; } /* check for referrals */ rc = backend_check_referrals( be, conn, op, &e->e_name, &e->e_nname ); if ( rc != LDAP_SUCCESS ) { goto done; } #ifdef LDAP_SLAPI pb = initAddPlugin( be, conn, op, &dn, e, manageDSAit ); #endif /* LDAP_SLAPI */ /* * do the add if 1 && (2 || 3) * 1) there is an add function implemented in this backend; * 2) this backend is master for what it holds; * 3) it's a replica and the dn supplied is the updatedn. */ if ( be->be_add ) { /* do the update here */ int repl_user = be_isupdate(be, &op->o_ndn ); #ifndef SLAPD_MULTIMASTER if ( !be->be_update_ndn.bv_len || repl_user ) #endif { int update = be->be_update_ndn.bv_len; char textbuf[SLAP_TEXT_BUFLEN]; size_t textlen = sizeof textbuf; rc = slap_mods_check( modlist, update, &text, textbuf, textlen ); if( rc != LDAP_SUCCESS ) { send_ldap_result( conn, op, rc, NULL, text, NULL, NULL ); goto done; } if ( !repl_user ) { for( modtail = &modlist; *modtail != NULL; modtail = &(*modtail)->sml_next ) { assert( (*modtail)->sml_op == LDAP_MOD_ADD ); assert( (*modtail)->sml_desc != NULL ); } rc = slap_mods_opattrs( be, op, modlist, modtail, &text, textbuf, textlen ); if( rc != LDAP_SUCCESS ) { send_ldap_result( conn, op, rc, NULL, text, NULL, NULL ); goto done; } } rc = slap_mods2entry( modlist, &e, repl_user, &text, textbuf, textlen ); if( rc != LDAP_SUCCESS ) { send_ldap_result( conn, op, rc, NULL, text, NULL, NULL ); goto done; } #ifdef LDAP_SLAPI /* * Call the preoperation plugin here, because the entry * will actually contain something. */ rc = doPreAddPluginFNs( be, pb ); if ( rc != LDAP_SUCCESS ) { /* plugin will have sent result */ goto done; } #endif /* LDAP_SLAPI */ if ( (*be->be_add)( be, conn, op, e ) == 0 ) { #ifdef SLAPD_MULTIMASTER if ( !repl_user ) #endif { replog( be, op, &e->e_name, &e->e_nname, e ); } be_entry_release_w( be, conn, op, e ); e = NULL; } #ifndef SLAPD_MULTIMASTER } else { BerVarray defref; BerVarray ref; #ifdef LDAP_SLAPI /* * SLAPI_ADD_ENTRY will be empty, but this may be acceptable * on replicas (for now, it involves the minimum code intrusion). */ rc = doPreAddPluginFNs( be, pb ); if ( rc != LDAP_SUCCESS ) { /* plugin will have sent result */ goto done; } #endif /* LDAP_SLAPI */ defref = be->be_update_refs ? be->be_update_refs : default_referral; if ( defref ) { ref = referral_rewrite( defref, NULL, &e->e_name, LDAP_SCOPE_DEFAULT ); send_ldap_result( conn, op, rc = LDAP_REFERRAL, NULL, NULL, ref ? ref : defref, NULL ); if ( ref ) ber_bvarray_free( ref ); } else { send_ldap_result( conn, op, rc = LDAP_UNWILLING_TO_PERFORM, NULL, "referral missing", NULL, NULL ); } #endif /* SLAPD_MULTIMASTER */ } } else { #ifdef LDAP_SLAPI rc = doPreAddPluginFNs( be, pb ); if ( rc != LDAP_SUCCESS ) { /* plugin will have sent result */ goto done; } #endif #ifdef NEW_LOGGING LDAP_LOG( OPERATION, INFO, "do_add: conn %d no backend support\n", conn->c_connid, 0, 0 ); #else Debug( LDAP_DEBUG_ARGS, " do_add: no backend support\n", 0, 0, 0 ); #endif send_ldap_result( conn, op, rc = LDAP_UNWILLING_TO_PERFORM, NULL, "operation not supported within namingContext", NULL, NULL ); } #ifdef LDAP_SLAPI doPostAddPluginFNs( be, pb ); #endif /* LDAP_SLAPI */ done: if( modlist != NULL ) { slap_mods_free( modlist ); } if( e != NULL ) { entry_free( e ); } return rc; }
static int authzid_response( Operation *op, SlapReply *rs ) { LDAPControl **ctrls; struct berval edn = BER_BVNULL; ber_len_t len = 0; int n = 0; assert( rs->sr_tag = LDAP_RES_BIND ); if ( rs->sr_err == LDAP_SASL_BIND_IN_PROGRESS ) { authzid_conn_t *ac = op->o_controls[ authzid_cid ]; if ( ac ) { authzid_conn_release( ac ); } else { (void)authzid_conn_insert( op->o_conn, op->o_ctrlflag[ authzid_cid ] ); } return SLAP_CB_CONTINUE; } (void)authzid_conn_remove( op->o_conn ); if ( rs->sr_err != LDAP_SUCCESS ) { return SLAP_CB_CONTINUE; } if ( !BER_BVISEMPTY( &op->orb_edn ) ) { edn = op->orb_edn; } else if ( !BER_BVISEMPTY( &op->o_conn->c_dn ) ) { edn = op->o_conn->c_dn; } if ( !BER_BVISEMPTY( &edn ) ) { ber_tag_t save_tag = op->o_tag; struct berval save_dn = op->o_dn; struct berval save_ndn = op->o_ndn; int rc; /* pretend it's an extop without data, * so it is treated as a generic write */ op->o_tag = LDAP_REQ_EXTENDED; op->o_dn = edn; op->o_ndn = edn; rc = backend_check_restrictions( op, rs, NULL ); op->o_tag = save_tag; op->o_dn = save_dn; op->o_ndn = save_ndn; if ( rc != LDAP_SUCCESS ) { rs->sr_err = LDAP_CONFIDENTIALITY_REQUIRED; return SLAP_CB_CONTINUE; } len = STRLENOF("dn:") + edn.bv_len; } /* save original controls in sc_private; * will be restored by sc_cleanup */ if ( rs->sr_ctrls != NULL ) { op->o_callback->sc_private = rs->sr_ctrls; for ( ; rs->sr_ctrls[n] != NULL; n++ ) ; } ctrls = op->o_tmpalloc( sizeof( LDAPControl * )*( n + 2 ), op->o_tmpmemctx ); n = 0; if ( rs->sr_ctrls ) { for ( ; rs->sr_ctrls[n] != NULL; n++ ) { ctrls[n] = rs->sr_ctrls[n]; } } /* anonymous: "", otherwise "dn:<dn>" */ ctrls[n] = op->o_tmpalloc( sizeof( LDAPControl ) + len + 1, op->o_tmpmemctx ); ctrls[n]->ldctl_oid = LDAP_CONTROL_AUTHZID_RESPONSE; ctrls[n]->ldctl_iscritical = 0; ctrls[n]->ldctl_value.bv_len = len; ctrls[n]->ldctl_value.bv_val = (char *)&ctrls[n][1]; if ( len ) { char *ptr; ptr = lutil_strcopy( ctrls[n]->ldctl_value.bv_val, "dn:" ); ptr = lutil_strncopy( ptr, edn.bv_val, edn.bv_len ); } ctrls[n]->ldctl_value.bv_val[len] = '\0'; ctrls[n + 1] = NULL; rs->sr_ctrls = ctrls; return SLAP_CB_CONTINUE; }