int ldap_back_db_open( BackendDB *be, ConfigReply *cr ) { ldapinfo_t *li = (ldapinfo_t *)be->be_private; slap_bindconf sb = { BER_BVNULL }; int rc = 0; Debug( LDAP_DEBUG_TRACE, "ldap_back_db_open: URI=%s\n", li->li_uri != NULL ? li->li_uri : "", 0, 0 ); /* by default, use proxyAuthz control on each operation */ switch ( li->li_idassert_mode ) { case LDAP_BACK_IDASSERT_LEGACY: case LDAP_BACK_IDASSERT_SELF: /* however, since admin connections are pooled and shared, * only static authzIDs can be native */ li->li_idassert_flags &= ~LDAP_BACK_AUTH_NATIVE_AUTHZ; break; default: break; } ber_str2bv( li->li_uri, 0, 0, &sb.sb_uri ); sb.sb_version = li->li_version; sb.sb_method = LDAP_AUTH_SIMPLE; BER_BVSTR( &sb.sb_binddn, "" ); if ( LDAP_BACK_T_F_DISCOVER( li ) && !LDAP_BACK_T_F( li ) ) { rc = slap_discover_feature( &sb, slap_schema.si_ad_supportedFeatures->ad_cname.bv_val, LDAP_FEATURE_ABSOLUTE_FILTERS ); if ( rc == LDAP_COMPARE_TRUE ) { li->li_flags |= LDAP_BACK_F_T_F; } } if ( LDAP_BACK_CANCEL_DISCOVER( li ) && !LDAP_BACK_CANCEL( li ) ) { rc = slap_discover_feature( &sb, slap_schema.si_ad_supportedExtension->ad_cname.bv_val, LDAP_EXOP_CANCEL ); if ( rc == LDAP_COMPARE_TRUE ) { li->li_flags |= LDAP_BACK_F_CANCEL_EXOP; } } /* monitor setup */ rc = ldap_back_monitor_db_open( be ); if ( rc != 0 ) { /* ignore by now */ rc = 0; } li->li_flags |= LDAP_BACK_F_ISOPEN; return rc; }
int meta_back_db_open( Backend *be, ConfigReply *cr ) { metainfo_t *mi = (metainfo_t *)be->be_private; int i, not_always = 0, not_always_anon_proxyauthz = 0, not_always_anon_non_prescriptive = 0, rc; if ( mi->mi_ntargets == 0 ) { Debug( LDAP_DEBUG_ANY, "meta_back_db_open: no targets defined\n", 0, 0, 0 ); return 1; } for ( i = 0; i < mi->mi_ntargets; i++ ) { slap_bindconf sb = { BER_BVNULL }; metatarget_t *mt = mi->mi_targets[ i ]; struct berval mapped; ber_str2bv( mt->mt_uri, 0, 0, &sb.sb_uri ); sb.sb_version = mt->mt_version; sb.sb_method = LDAP_AUTH_SIMPLE; BER_BVSTR( &sb.sb_binddn, "" ); if ( META_BACK_TGT_T_F_DISCOVER( mt ) ) { rc = slap_discover_feature( &sb, slap_schema.si_ad_supportedFeatures->ad_cname.bv_val, LDAP_FEATURE_ABSOLUTE_FILTERS ); if ( rc == LDAP_COMPARE_TRUE ) { mt->mt_flags |= LDAP_BACK_F_T_F; } } if ( META_BACK_TGT_CANCEL_DISCOVER( mt ) ) { rc = slap_discover_feature( &sb, slap_schema.si_ad_supportedExtension->ad_cname.bv_val, LDAP_EXOP_CANCEL ); if ( rc == LDAP_COMPARE_TRUE ) { mt->mt_flags |= LDAP_BACK_F_CANCEL_EXOP; } } if ( not_always == 0 ) { if ( !( mt->mt_idassert_flags & LDAP_BACK_AUTH_OVERRIDE ) || mt->mt_idassert_authz != NULL ) { not_always = 1; } } if ( ( mt->mt_idassert_flags & LDAP_BACK_AUTH_AUTHZ_ALL ) && !( mt->mt_idassert_flags & LDAP_BACK_AUTH_PRESCRIPTIVE ) ) { Debug( LDAP_DEBUG_ANY, "meta_back_db_open(%s): " "target #%d inconsistent idassert configuration " "(likely authz=\"*\" used with \"non-prescriptive\" flag)\n", be->be_suffix[ 0 ].bv_val, i, 0 ); return 1; } if ( not_always_anon_proxyauthz == 0 ) { if ( !( mt->mt_idassert_flags & LDAP_BACK_AUTH_AUTHZ_ALL ) ) { not_always_anon_proxyauthz = 1; } } if ( not_always_anon_non_prescriptive == 0 ) { if ( ( mt->mt_idassert_flags & LDAP_BACK_AUTH_PRESCRIPTIVE ) ) { not_always_anon_non_prescriptive = 1; } } BER_BVZERO( &mapped ); ldap_back_map( &mt->mt_rwmap.rwm_at, &slap_schema.si_ad_entryDN->ad_cname, &mapped, BACKLDAP_REMAP ); if ( BER_BVISNULL( &mapped ) || mapped.bv_val[0] == '\0' ) { mt->mt_rep_flags |= REP_NO_ENTRYDN; } BER_BVZERO( &mapped ); ldap_back_map( &mt->mt_rwmap.rwm_at, &slap_schema.si_ad_subschemaSubentry->ad_cname, &mapped, BACKLDAP_REMAP ); if ( BER_BVISNULL( &mapped ) || mapped.bv_val[0] == '\0' ) { mt->mt_rep_flags |= REP_NO_SUBSCHEMA; } } if ( not_always == 0 ) { mi->mi_flags |= META_BACK_F_PROXYAUTHZ_ALWAYS; } if ( not_always_anon_proxyauthz == 0 ) { mi->mi_flags |= META_BACK_F_PROXYAUTHZ_ANON; } else if ( not_always_anon_non_prescriptive == 0 ) { mi->mi_flags |= META_BACK_F_PROXYAUTHZ_NOANON; } return 0; }
int meta_target_finish( metainfo_t *mi, metatarget_t *mt, const char *log, char *msg, size_t msize ) { slap_bindconf sb = { BER_BVNULL }; struct berval mapped; int rc; ber_str2bv( mt->mt_uri, 0, 0, &sb.sb_uri ); sb.sb_version = mt->mt_version; sb.sb_method = LDAP_AUTH_SIMPLE; BER_BVSTR( &sb.sb_binddn, "" ); if ( META_BACK_TGT_T_F_DISCOVER( mt ) ) { rc = slap_discover_feature( &sb, slap_schema.si_ad_supportedFeatures->ad_cname.bv_val, LDAP_FEATURE_ABSOLUTE_FILTERS ); if ( rc == LDAP_COMPARE_TRUE ) { mt->mt_flags |= LDAP_BACK_F_T_F; } } if ( META_BACK_TGT_CANCEL_DISCOVER( mt ) ) { rc = slap_discover_feature( &sb, slap_schema.si_ad_supportedExtension->ad_cname.bv_val, LDAP_EXOP_CANCEL ); if ( rc == LDAP_COMPARE_TRUE ) { mt->mt_flags |= LDAP_BACK_F_CANCEL_EXOP; } } if ( !( mt->mt_idassert_flags & LDAP_BACK_AUTH_OVERRIDE ) || mt->mt_idassert_authz != NULL ) { mi->mi_flags &= ~META_BACK_F_PROXYAUTHZ_ALWAYS; } if ( ( mt->mt_idassert_flags & LDAP_BACK_AUTH_AUTHZ_ALL ) && !( mt->mt_idassert_flags & LDAP_BACK_AUTH_PRESCRIPTIVE ) ) { snprintf( msg, msize, "%s: inconsistent idassert configuration " "(likely authz=\"*\" used with \"non-prescriptive\" flag)", log ); Debug( LDAP_DEBUG_ANY, "%s (target %s)\n", msg, mt->mt_uri ); return 1; } if ( !( mt->mt_idassert_flags & LDAP_BACK_AUTH_AUTHZ_ALL ) ) { mi->mi_flags &= ~META_BACK_F_PROXYAUTHZ_ANON; } if ( ( mt->mt_idassert_flags & LDAP_BACK_AUTH_PRESCRIPTIVE ) ) { mi->mi_flags &= ~META_BACK_F_PROXYAUTHZ_NOANON; } BER_BVZERO( &mapped ); ldap_back_map( &mt->mt_rwmap.rwm_at, &slap_schema.si_ad_entryDN->ad_cname, &mapped, BACKLDAP_REMAP ); if ( BER_BVISNULL( &mapped ) || mapped.bv_val[0] == '\0' ) { mt->mt_rep_flags |= REP_NO_ENTRYDN; } BER_BVZERO( &mapped ); ldap_back_map( &mt->mt_rwmap.rwm_at, &slap_schema.si_ad_subschemaSubentry->ad_cname, &mapped, BACKLDAP_REMAP ); if ( BER_BVISNULL( &mapped ) || mapped.bv_val[0] == '\0' ) { mt->mt_rep_flags |= REP_NO_SUBSCHEMA; } return 0; }
int meta_back_db_open( Backend *be, ConfigReply *cr ) { metainfo_t *mi = (metainfo_t *)be->be_private; BackendInfo *bi; int i, not_always = 0, not_always_anon_proxyauthz = 0, not_always_anon_non_prescriptive = 0, rc; if ( mi->mi_ntargets == 0 ) { Debug( LDAP_DEBUG_ANY, "meta_back_db_open: no targets defined\n", 0, 0, 0 ); return 1; } bi = backend_info( "ldap" ); if ( !bi || !bi->bi_extra ) { Debug( LDAP_DEBUG_ANY, "meta_back_db_open: needs back-ldap\n", 0, 0, 0 ); return 1; } mi->mi_ldap_extra = (ldap_extra_t *)bi->bi_extra; for ( i = 0; i < mi->mi_ntargets; i++ ) { slap_bindconf sb = { BER_BVNULL }; metatarget_t *mt = mi->mi_targets[ i ]; ber_str2bv( mt->mt_uri, 0, 0, &sb.sb_uri ); sb.sb_version = mt->mt_version; sb.sb_method = LDAP_AUTH_SIMPLE; BER_BVSTR( &sb.sb_binddn, "" ); if ( META_BACK_TGT_T_F_DISCOVER( mt ) ) { rc = slap_discover_feature( &sb, slap_schema.si_ad_supportedFeatures->ad_cname.bv_val, LDAP_FEATURE_ABSOLUTE_FILTERS ); if ( rc == LDAP_COMPARE_TRUE ) { mt->mt_flags |= LDAP_BACK_F_T_F; } } if ( META_BACK_TGT_CANCEL_DISCOVER( mt ) ) { rc = slap_discover_feature( &sb, slap_schema.si_ad_supportedExtension->ad_cname.bv_val, LDAP_EXOP_CANCEL ); if ( rc == LDAP_COMPARE_TRUE ) { mt->mt_flags |= LDAP_BACK_F_CANCEL_EXOP; } } if ( not_always == 0 ) { if ( !( mt->mt_idassert_flags & LDAP_BACK_AUTH_OVERRIDE ) || mt->mt_idassert_authz != NULL ) { not_always = 1; } } if ( ( mt->mt_idassert_flags & LDAP_BACK_AUTH_AUTHZ_ALL ) && !( mt->mt_idassert_flags & LDAP_BACK_AUTH_PRESCRIPTIVE ) ) { Debug( LDAP_DEBUG_ANY, "meta_back_db_open(%s): " "target #%d inconsistent idassert configuration " "(likely authz=\"*\" used with \"non-prescriptive\" flag)\n", be->be_suffix[ 0 ].bv_val, i, 0 ); return 1; } if ( not_always_anon_proxyauthz == 0 ) { if ( !( mt->mt_idassert_flags & LDAP_BACK_AUTH_AUTHZ_ALL ) ) { not_always_anon_proxyauthz = 1; } } if ( not_always_anon_non_prescriptive == 0 ) { if ( ( mt->mt_idassert_flags & LDAP_BACK_AUTH_PRESCRIPTIVE ) ) { not_always_anon_non_prescriptive = 1; } } } if ( not_always == 0 ) { mi->mi_flags |= META_BACK_F_PROXYAUTHZ_ALWAYS; } if ( not_always_anon_proxyauthz == 0 ) { mi->mi_flags |= META_BACK_F_PROXYAUTHZ_ANON; } else if ( not_always_anon_non_prescriptive == 0 ) { mi->mi_flags |= META_BACK_F_PROXYAUTHZ_NOANON; } return 0; }