int
sync_send_entry_from_changelog(Slapi_PBlock *pb,int chg_req, char *uniqueid)
{
Slapi_Entry *db_entry = NULL;
int chg_type = LDAP_SYNC_ADD;
int rv;
Slapi_PBlock *search_pb = NULL;
Slapi_Entry **entries = NULL;
char *origbase;
char *filter = slapi_ch_smprintf("(nsuniqueid=%s)",uniqueid);
slapi_pblock_get( pb, SLAPI_ORIGINAL_TARGET_DN, &origbase );
search_pb = slapi_pblock_new();
slapi_search_internal_set_pb(search_pb, origbase,
LDAP_SCOPE_SUBTREE, filter,
NULL, 0, NULL, NULL, plugin_get_default_component_id(), 0);
slapi_search_internal_pb(search_pb);
slapi_pblock_get(search_pb, SLAPI_PLUGIN_INTOP_RESULT, &rv);
if ( rv == LDAP_SUCCESS) {
slapi_pblock_get(search_pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &entries);
if (entries)
db_entry = *entries; /* there can only be one */
}
if (db_entry && sync_is_entry_in_scope(pb, db_entry)) {
LDAPControl **ctrl = (LDAPControl **)slapi_ch_calloc(2, sizeof (LDAPControl *));
sync_create_state_control(db_entry, &ctrl[0], chg_type, NULL);
slapi_send_ldap_search_entry (pb, db_entry, ctrl, NULL, 0);
ldap_controls_free(ctrl);
}
slapi_free_search_results_internal(search_pb);
slapi_pblock_destroy(search_pb);
slapi_ch_free((void **)&filter);
return (0);
}
int
agmtlist_config_init()
{
Slapi_PBlock *pb;
int agmtcount = 0;
agmt_set = objset_new(agmtlist_objset_destructor);
/* Register callbacks so we're informed about updates */
slapi_config_register_callback(SLAPI_OPERATION_ADD, DSE_FLAG_PREOP, AGMT_CONFIG_BASE,
LDAP_SCOPE_SUBTREE, GLOBAL_CONFIG_FILTER, agmtlist_add_callback, NULL);
slapi_config_register_callback(SLAPI_OPERATION_MODIFY, DSE_FLAG_PREOP, AGMT_CONFIG_BASE,
LDAP_SCOPE_SUBTREE, GLOBAL_CONFIG_FILTER, agmtlist_modify_callback, NULL);
slapi_config_register_callback(SLAPI_OPERATION_DELETE, DSE_FLAG_PREOP, AGMT_CONFIG_BASE,
LDAP_SCOPE_SUBTREE, GLOBAL_CONFIG_FILTER, agmtlist_delete_callback, NULL);
slapi_config_register_callback(SLAPI_OPERATION_MODRDN, DSE_FLAG_PREOP, AGMT_CONFIG_BASE,
LDAP_SCOPE_SUBTREE, GLOBAL_CONFIG_FILTER, agmtlist_rename_callback, NULL);
/* Search the DIT and find all the replication agreements */
pb = slapi_pblock_new();
slapi_search_internal_set_pb(pb, AGMT_CONFIG_BASE, LDAP_SCOPE_SUBTREE,
GLOBAL_CONFIG_FILTER, NULL /* attrs */, 0 /* attrsonly */,
NULL, /* controls */ NULL /* uniqueid */,
repl_get_plugin_identity(PLUGIN_MULTIMASTER_REPLICATION), 0 /* actions */);
slapi_search_internal_callback_pb(pb,
(void *)&agmtcount /* callback data */,
NULL /* result_callback */,
handle_agmt_search /* search entry cb */,
NULL /* referral callback */);
slapi_pblock_destroy(pb);
slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, "agmtlist_config_init: found %d replication agreements in DIT\n", agmtcount);
return 0;
}
Slapi_ValueSet *
replica_updatedn_list_get_members(Slapi_DN *dn)
{
static char* const filter_groups = "(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs))";
static char* const type_member = "member";
static char* const type_uniquemember = "uniquemember";
static char* const type_memberURL = "memberURL";
int rval;
char *attrs[4];
Slapi_PBlock *mpb = slapi_pblock_new ();
Slapi_ValueSet *members = slapi_valueset_new();
attrs[0] = type_member;
attrs[1] = type_uniquemember;
attrs[2] = type_memberURL;
attrs[3] = NULL;
slapi_search_internal_set_pb ( mpb, slapi_sdn_get_ndn(dn), LDAP_SCOPE_BASE, filter_groups,
&attrs[0], 0, NULL /* controls */, NULL /* uniqueid */,
repl_get_plugin_identity (PLUGIN_MULTIMASTER_REPLICATION), 0);
slapi_search_internal_pb(mpb);
slapi_pblock_get(mpb, SLAPI_PLUGIN_INTOP_RESULT, &rval);
if (rval == LDAP_SUCCESS) {
Slapi_Entry **ep;
slapi_pblock_get(mpb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &ep);
if ((ep != NULL) && (ep[0] != NULL)) {
Slapi_Attr *attr = NULL;
Slapi_Attr *nextAttr = NULL;
Slapi_ValueSet *vs = NULL;
char *attrType;
slapi_entry_first_attr ( ep[0], &attr);
while (attr) {
slapi_attr_get_type ( attr, &attrType );
if ((strcasecmp (attrType, type_member) == 0) ||
(strcasecmp (attrType, type_uniquemember) == 0 )) {
slapi_attr_get_valueset(attr, &vs);
slapi_valueset_join_attr_valueset(attr, members, vs);
slapi_valueset_free(vs);
} else if (strcasecmp (attrType, type_memberURL) == 0) {
/* not yet supported */
}
slapi_entry_next_attr ( ep[0], attr, &nextAttr );
attr = nextAttr;
}
}
}
slapi_free_search_results_internal(mpb);
slapi_pblock_destroy (mpb);
return(members);
}
static int ipa_cldap_get_domain_entry(struct ipa_cldap_ctx *ctx,
char *domain,
char **guid, char **sid, char **name)
{
Slapi_PBlock *pb;
Slapi_Entry **e = NULL;
char *filter;
int ret;
pb = slapi_pblock_new();
if (!pb) {
return ENOMEM;
}
ret = asprintf(&filter, "(&(cn=%s)(objectclass=ipaNTDomainAttrs))", domain);
if (ret == -1) {
ret = ENOMEM;
goto done;
}
slapi_search_internal_set_pb(pb, ctx->base_dn,
LDAP_SCOPE_SUBTREE, filter,
NULL, 0, NULL, NULL, ctx->plugin_id, 0);
slapi_search_internal_pb(pb);
slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &ret);
if (ret) {
ret = ENOENT;
goto done;
}
slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &e);
if (!e || !e[0] || e[1]) {
/* no matches or too many matches */
ret = ENOENT;
goto done;
}
*guid = slapi_entry_attr_get_charptr(e[0], "ipaNTDomainGUID");
*sid = slapi_entry_attr_get_charptr(e[0], "ipaNTSecurityIdentifier");
*name = slapi_entry_attr_get_charptr(e[0], "ipaNTFlatName");
ret = 0;
done:
slapi_free_search_results_internal(pb);
slapi_pblock_destroy(pb);
free(filter);
return ret;
}
int
sync_refresh_update_content(Slapi_PBlock *pb, Sync_Cookie *client_cookie, Sync_Cookie *server_cookie)
{
Slapi_PBlock *seq_pb;
char *filter;
Sync_CallBackData cb_data;
int rc;
int chg_count = server_cookie->cookie_change_info -
client_cookie->cookie_change_info + 1;
cb_data.cb_updates = (Sync_UpdateNode *)slapi_ch_calloc(chg_count, sizeof(Sync_UpdateNode));
seq_pb = slapi_pblock_new();
slapi_pblock_init(seq_pb);
cb_data.orig_pb = pb;
cb_data.change_start = client_cookie->cookie_change_info;
filter = slapi_ch_smprintf("(&(changenumber>=%lu)(changenumber<=%lu))",
client_cookie->cookie_change_info,
server_cookie->cookie_change_info);
slapi_search_internal_set_pb(
seq_pb,
CL_SRCH_BASE,
LDAP_SCOPE_ONE,
filter,
NULL,
0,
NULL, NULL,
plugin_get_default_component_id(),
0);
rc = slapi_search_internal_callback_pb (
seq_pb, &cb_data, NULL, sync_read_entry_from_changelog, NULL);
slapi_pblock_destroy(seq_pb);
/* Now send the deleted entries in a sync info message
* and the modified entries as single entries
*/
sync_send_deleted_entries(pb, cb_data.cb_updates, chg_count, server_cookie);
sync_send_modified_entries(pb, cb_data.cb_updates, chg_count);
sync_free_update_nodes(&cb_data.cb_updates, chg_count);
slapi_ch_free((void **)&filter);
return (rc);
}
/* When a new instance is started, we need to read the dse to
* find out what attributes should be encrypted. This function
* does that. Returns 0 on success. */
static int
read_instance_attrcrypt_entries(ldbm_instance *inst)
{
Slapi_PBlock *tmp_pb;
int scope = LDAP_SCOPE_SUBTREE;
const char *searchfilter = ldbm_instance_attrcrypt_filter;
char *basedn = NULL;
/* Construct the base dn of the subtree that holds the index entries
* for this instance. */
basedn = slapi_create_dn_string("cn=encrypted attributes,cn=%s,cn=%s,cn=plugins,cn=config",
inst->inst_name, inst->inst_li->li_plugin->plg_name);
if (NULL == basedn) {
LDAPDebug2Args(LDAP_DEBUG_ANY,
"read_instance_attrcrypt_entries: "
"failed create encrypted attributes dn for plugin %s, "
"instance %s\n",
inst->inst_li->li_plugin->plg_name, inst->inst_name);
return 1;
}
/* Set up a tmp callback that will handle the init for each index entry */
slapi_config_register_callback(SLAPI_OPERATION_SEARCH, DSE_FLAG_PREOP,
basedn, scope, searchfilter, ldbm_attrcrypt_init_entry_callback,
(void *) inst);
/* Do a search of the subtree containing the index entries */
tmp_pb = slapi_pblock_new();
slapi_search_internal_set_pb(tmp_pb, basedn, LDAP_SCOPE_SUBTREE,
searchfilter, NULL, 0, NULL, NULL, inst->inst_li->li_identity, 0);
slapi_search_internal_pb (tmp_pb);
/* Remove the tmp callback */
slapi_config_remove_callback(SLAPI_OPERATION_SEARCH, DSE_FLAG_PREOP,
basedn, scope, searchfilter, ldbm_attrcrypt_init_entry_callback);
slapi_free_search_results_internal(tmp_pb);
slapi_pblock_destroy(tmp_pb);
slapi_ch_free_string(&basedn);
return 0;
}
Slapi_PBlock *
slapi_search_internal(
char *ldn,
int scope,
char *filStr,
LDAPControl **controls,
char **attrs,
int attrsonly )
{
Slapi_PBlock *pb;
pb = slapi_pblock_new();
slapi_search_internal_set_pb( pb, ldn, scope, filStr,
attrs, attrsonly,
controls, NULL, NULL, 0 );
slapi_search_internal_pb( pb );
return pb;
}
int ipapwd_getPolicy(const char *dn,
Slapi_Entry *target,
struct ipapwd_policy *policy)
{
const char *krbPwdPolicyReference;
char *pdn = NULL;
Slapi_PBlock *pb = NULL;
char *attrs[] = { "krbMaxPwdLife", "krbMinPwdLife",
"krbPwdMinDiffChars", "krbPwdMinLength",
"krbPwdHistoryLength", NULL};
Slapi_Entry **es = NULL;
Slapi_Entry *pe = NULL;
int ret, res, scope, i;
int buffer_flags=0;
Slapi_ValueSet* results = NULL;
char *actual_type_name = NULL;
LOG_TRACE("Searching policy for [%s]\n", dn);
pwd_get_values(target, "krbPwdPolicyReference",
&results, &actual_type_name, &buffer_flags);
if (results) {
Slapi_Value *sv;
slapi_valueset_first_value(results, &sv);
krbPwdPolicyReference = slapi_value_get_string(sv);
pdn = slapi_ch_strdup(krbPwdPolicyReference);
} else {
/* Fallback to hardcoded value */
pdn = slapi_ch_smprintf("cn=global_policy,%s", ipa_realm_dn);
}
if (pdn == NULL) {
LOG_OOM();
ret = -1;
goto done;
}
LOG_TRACE("Using policy at [%s]\n", pdn);
scope = LDAP_SCOPE_BASE;
pb = slapi_pblock_new();
slapi_search_internal_set_pb(pb,
pdn, scope,
"(objectClass=krbPwdPolicy)",
attrs, 0,
NULL, /* Controls */
NULL, /* UniqueID */
ipapwd_plugin_id,
0); /* Flags */
/* do search the tree */
ret = slapi_search_internal_pb(pb);
slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &res);
if (ret == -1 || res != LDAP_SUCCESS) {
LOG_FATAL("Couldn't find policy, err (%d)\n", res ? res : ret);
ret = -1;
goto done;
}
/* get entries */
slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &es);
if (!es) {
LOG_TRACE("No entries ?!");
ret = -1;
goto done;
}
/* count entries */
for (i = 0; es[i]; i++) /* count */ ;
/* if there is only one, return that */
if (i == 1) {
pe = es[0];
} else {
LOG_TRACE("Multiple entries from a base search ?!");
ret = -1;
goto done;
}
/* read data out of policy object */
policy->min_pwd_life = slapi_entry_attr_get_int(pe, "krbMinPwdLife");
policy->max_pwd_life = slapi_entry_attr_get_int(pe, "krbMaxPwdLife");
policy->min_pwd_length = slapi_entry_attr_get_int(pe, "krbPwdMinLength");
policy->history_length = slapi_entry_attr_get_int(pe,
"krbPwdHistoryLength");
policy->min_complexity = slapi_entry_attr_get_int(pe,
"krbPwdMinDiffChars");
ret = 0;
done:
if (results) {
pwd_values_free(&results, &actual_type_name, buffer_flags);
}
if (pb) {
slapi_free_search_results_internal(pb);
slapi_pblock_destroy(pb);
}
slapi_ch_free_string(&pdn);
return ret;
}
int
aclinit_search_and_update_aci ( int thisbeonly, const Slapi_DN *base,
char *be_name, int scope, int op,
acl_lock_flag_t lock_flag )
{
char *attrs[2] = { "aci", NULL };
/* Tell __aclinit_handler whether it's an add or a delete */
Slapi_PBlock *aPb;
LDAPControl **ctrls=NULL;
struct berval *bval;
aclinit_handler_callback_data_t call_back_data;
PR_ASSERT( lock_flag == DONT_TAKE_ACLCACHE_WRITELOCK ||
lock_flag == DO_TAKE_ACLCACHE_WRITELOCK);
if ( thisbeonly && be_name == NULL) {
slapi_log_err(SLAPI_LOG_ERR, plugin_name,
"aclinit_search_and_update_aci - be_name must be specified.\n");
return -1;
}
/*
* We need to explicitly request (objectclass=ldapsubentry)
* in order to get all the subentry acis too.
* Note that subentries can be added under subentries (although its not
* recommended) so that
* there may be non-trivial acis under a subentry.
*/
/* Use new search internal API */
/* and never retrieve aci from a remote server */
aPb = slapi_pblock_new ();
/*
* Set up the control to say "Only get acis from this Backend--
* there may be more backends under this one.
*/
if ( thisbeonly ) {
bval = (struct berval *)slapi_ch_malloc(sizeof(struct berval));
bval->bv_len = strlen(be_name) + 1;
bval->bv_val = slapi_ch_strdup(be_name);
ctrls = (LDAPControl **)slapi_ch_calloc( 2, sizeof(LDAPControl *));
ctrls[0] = NULL;
ctrls[1] = NULL;
slapi_build_control_from_berval(
MTN_CONTROL_USE_ONE_BACKEND_OID,
bval,
1 /* is critical */,
ctrls);
}
slapi_search_internal_set_pb ( aPb,
slapi_sdn_get_dn(base),
scope,
"(|(aci=*)(objectclass=ldapsubentry))",
attrs,
0 /* attrsonly */,
ctrls /* controls: SLAPI_ARGCONTROLS */,
NULL /* uniqueid */,
aclplugin_get_identity (ACL_PLUGIN_IDENTITY),
SLAPI_OP_FLAG_NEVER_CHAIN /* actions : get local aci only */);
if (thisbeonly) {
slapi_pblock_set(aPb, SLAPI_REQCONTROLS, ctrls);
}
call_back_data.op = op;
call_back_data.retCode = 0;
call_back_data.lock_flag = lock_flag;
slapi_search_internal_callback_pb(aPb,
&call_back_data /* callback_data */,
NULL/* result_callback */,
__aclinit_handler,
NULL /* referral_callback */);
if (thisbeonly) {
slapi_ch_free((void **)&bval);
}
/*
* This frees the control oid, the bv_val and the control itself and the
* ctrls array mem by caling ldap_controls_free()--so we
* don't need to do it ourselves.
*/
slapi_pblock_destroy (aPb);
return call_back_data.retCode;
}
int
update_integrity(char **argv, Slapi_DN *origSDN,
char *newrDN, Slapi_DN *newsuperior,
int logChanges)
{
Slapi_PBlock *search_result_pb = NULL;
Slapi_PBlock *mod_pb = slapi_pblock_new();
Slapi_Entry **search_entries = NULL;
Slapi_DN *sdn = NULL;
Slapi_Attr *attr = NULL;
void *node = NULL;
const char *origDN = slapi_sdn_get_dn(origSDN);
const char *search_base = NULL;
char *attrName = NULL;
char *filter = NULL;
char *attrs[2];
int search_result;
int nval = 0;
int i, j;
int rc;
if ( argv == NULL ){
slapi_log_error( SLAPI_LOG_FATAL, REFERINT_PLUGIN_SUBSYSTEM,
"referint_postop required config file arguments missing\n" );
rc = -1;
goto free_and_return;
}
/*
* For now, just putting attributes to keep integrity on in conf file,
* until resolve the other timing mode issue
*/
search_result_pb = slapi_pblock_new();
/* Search each namingContext in turn */
for ( sdn = slapi_get_first_suffix( &node, 0 ); sdn != NULL;
sdn = slapi_get_next_suffix( &node, 0 ))
{
Slapi_Backend *be = slapi_be_select(sdn);
search_base = slapi_sdn_get_dn( sdn );
for(i = 3; argv[i] != NULL; i++){
filter = slapi_filter_sprintf("(%s=*%s%s)", argv[i], ESC_NEXT_VAL, origDN);
if ( filter ) {
/* Need only the current attribute and its subtypes */
attrs[0] = argv[i];
attrs[1] = NULL;
/* Use new search API */
slapi_pblock_init(search_result_pb);
slapi_pblock_set(search_result_pb, SLAPI_BACKEND, be);
slapi_search_internal_set_pb(search_result_pb, search_base,
LDAP_SCOPE_SUBTREE, filter, attrs, 0 /* attrs only */,
NULL, NULL, referint_plugin_identity, 0);
slapi_search_internal_pb(search_result_pb);
slapi_pblock_get( search_result_pb, SLAPI_PLUGIN_INTOP_RESULT, &search_result);
/* if search successfull then do integrity update */
if(search_result == LDAP_SUCCESS)
{
slapi_pblock_get(search_result_pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES,
&search_entries);
for(j = 0; search_entries[j] != NULL; j++){
attr = NULL;
attrName = NULL;
/*
* Loop over all the attributes of the entry and search
* for the integrity attribute and its subtypes
*/
for (slapi_entry_first_attr(search_entries[j], &attr); attr;
slapi_entry_next_attr(search_entries[j], attr, &attr))
{
/*
* Take into account only the subtypes of the attribute
* in argv[i] having the necessary value - origDN
*/
slapi_attr_get_type(attr, &attrName);
if (slapi_attr_type_cmp(argv[i], attrName,
SLAPI_TYPE_CMP_SUBTYPE) == 0)
{
nval = 0;
slapi_attr_get_numvalues(attr, &nval);
/*
* We want to reduce the "modify" call as much as
* possible. But if an entry contains 1000s of
* attributes which need to be updated by the
* referint plugin (e.g., a group containing 1000s
* of members), we want to avoid to allocate too
* many mods * in one "modify" call.
* This is a compromise: If an attribute type has
* more than 128 values, we update the attribute
* value one by one. Otherwise, update all values
* in one "modify" call.
*/
if (nval > 128) {
rc = _update_one_per_mod(
slapi_entry_get_sdn(search_entries[j]),
attr, attrName, origSDN, newrDN,
slapi_sdn_get_dn(newsuperior),
mod_pb);
} else {
rc = _update_all_per_mod(
slapi_entry_get_sdn(search_entries[j]),
attr, attrName, origSDN, newrDN,
slapi_sdn_get_dn(newsuperior),
mod_pb);
}
/* Should we stop if one modify returns an error? */
}
}
}
} else {
if (isFatalSearchError(search_result)){
slapi_log_error( SLAPI_LOG_FATAL, REFERINT_PLUGIN_SUBSYSTEM,
"update_integrity search (base=%s filter=%s) returned "
"error %d\n", search_base, filter, search_result);
rc = -1;
goto free_and_return;
}
}
slapi_ch_free_string(&filter);
}
slapi_free_search_results_internal(search_result_pb);
}
}
/* if got here, then everything good rc = 0 */
rc = 0;
free_and_return:
/* free filter and search_results_pb */
slapi_ch_free_string(&filter);
slapi_pblock_destroy(mod_pb);
if (search_result_pb) {
slapi_free_search_results_internal(search_result_pb);
slapi_pblock_destroy(search_result_pb);
}
return(rc);
}
static int do_work(struct worker_ctx *worker_ctx)
{
Slapi_PBlock *pb;
int ret;
size_t c;
char *filter = NULL;
char *attrs[] = { OBJECTCLASS, UID_NUMBER, GID_NUMBER, NULL };
Slapi_Entry **e = NULL;
struct timespec ts;
pb = slapi_pblock_new();
if (pb == NULL) {
return ENOMEM;
}
pthread_cleanup_push(free_pblock, (void *) pb);
filter = slapi_ch_smprintf("(&(%s=%s)(!(%s=%s))(|(%s=%s)(%s=%s)(%s=%s))(!(%s=*)))",
OBJECTCLASS, IPA_OBJECT,
OBJECTCLASS, MEP_MANAGED_ENTRY,
OBJECTCLASS, POSIX_ACCOUNT,
OBJECTCLASS, POSIX_GROUP,
OBJECTCLASS, IPA_ID_OBJECT,
IPA_SID);
if (filter == NULL) {
LOG_FATAL("Cannot generate search filter for objects without a SID.\n");
ret = ENOMEM;
goto done;
}
LOG("Base DN: [%s], Filter: [%s].\n", worker_ctx->base_dn, filter);
slapi_search_internal_set_pb(pb, worker_ctx->base_dn, LDAP_SCOPE_SUBTREE,
filter, attrs, 0, NULL, NULL,
worker_ctx->plugin_id, 0);
ret = slapi_search_internal_pb(pb);
if (ret != 0) {
slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &ret);
if (ret != 0) {
LOG_FATAL("Search failed with [%d].\n", ret);
} else {
LOG_FATAL("slapi_search_internal_pb failed, "
"but no error code available.\n");
ret = EFAULT;
}
goto done;
}
ret = slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &e);
if (ret != 0) {
LOG_FATAL("slapi_pblock_get failed.\n");
ret = EFAULT;
goto done;
}
if (e == NULL || e[0] == NULL) {
LOG("No entry with missing SID found.\n");
ret = 0;
goto done;
}
for (c = 0; e[c] != NULL; c++) {
ret = find_sid_for_ldap_entry(e[c], worker_ctx->plugin_id,
worker_ctx->base_dn, worker_ctx->dom_sid,
worker_ctx->ranges);
if (ret != 0) {
LOG_FATAL("Cannot add SID to existing entry.\n");
goto done;
}
if (worker_ctx->delay != 0) {
ts.tv_nsec = worker_ctx->delay % NSEC_PER_SEC;
ts.tv_sec = (worker_ctx->delay - ts.tv_nsec) / NSEC_PER_SEC;
nanosleep(&ts, NULL);
}
};
done:
slapi_ch_free_string(&filter);
pthread_cleanup_pop(1);
LOG("do_work finished with [%d].\n", ret);
return ret;
}
static void
linked_attrs_fixup_links(struct configEntry *config)
{
Slapi_PBlock *pb = slapi_pblock_new();
char *del_filter = NULL;
char *add_filter = NULL;
del_filter = slapi_ch_smprintf("%s=*", config->managedtype);
add_filter = slapi_ch_smprintf("%s=*", config->linktype);
/* Lock the attribute pair. */
slapi_lock_mutex(config->lock);
if (config->scope) {
/* Find all entries with the managed type present
* within the scope and remove the managed type. */
slapi_search_internal_set_pb(pb, config->scope, LDAP_SCOPE_SUBTREE,
del_filter, 0, 0, 0, 0, linked_attrs_get_plugin_id(), 0);
slapi_search_internal_callback_pb(pb, config->managedtype, 0,
linked_attrs_remove_backlinks_callback, 0);
/* Clean out pblock for reuse. */
slapi_pblock_init(pb);
/* Find all entries with the link type present within the
* scope and add backlinks to the entries they point to. */
slapi_search_internal_set_pb(pb, config->scope, LDAP_SCOPE_SUBTREE,
add_filter, 0, 0, 0, 0, linked_attrs_get_plugin_id(), 0);
slapi_search_internal_callback_pb(pb, config, 0,
linked_attrs_add_backlinks_callback, 0);
} else {
/* Loop through all non-private backend suffixes and
* remove the managed type from any entry that has it.
* We then find any entry with the linktype present and
* generate the proper backlinks. */
void *node = NULL;
Slapi_DN * suffix = slapi_get_first_suffix (&node, 0);
while (suffix) {
slapi_search_internal_set_pb(pb, slapi_sdn_get_dn(suffix),
LDAP_SCOPE_SUBTREE, del_filter,
0, 0, 0, 0,
linked_attrs_get_plugin_id(), 0);
slapi_search_internal_callback_pb(pb, config->managedtype, 0,
linked_attrs_remove_backlinks_callback, 0);
/* Clean out pblock for reuse. */
slapi_pblock_init(pb);
slapi_search_internal_set_pb(pb, slapi_sdn_get_dn(suffix),
LDAP_SCOPE_SUBTREE, add_filter,
0, 0, 0, 0,
linked_attrs_get_plugin_id(), 0);
slapi_search_internal_callback_pb(pb, config, 0,
linked_attrs_add_backlinks_callback, 0);
/* Clean out pblock for reuse. */
slapi_pblock_init(pb);
suffix = slapi_get_next_suffix (&node, 0);
}
}
/* Unlock the attribute pair. */
slapi_unlock_mutex(config->lock);
slapi_ch_free_string(&del_filter);
slapi_ch_free_string(&add_filter);
slapi_pblock_destroy(pb);
}
/*
return the value(s) of the given attribute in the entry that
matches the given criteria. The criteria must match one
and only one entry.
Returns:
-1 - problem doing internal search
LDAP_UNWILLING_TO_PERFORM - more than one matching entry
LDAP_NO_SUCH_OBJECT - no entry found that matched
0 and attrval == NULL - entry found but no attribute
other ldap error - error doing search for given basedn
*/
static int
internal_find_entry_get_attr_val(const Slapi_DN *basedn, int scope,
const char *filter, const char *attrname,
Slapi_ValueSet **svs, char **attrval)
{
Slapi_Entry **entries = NULL;
Slapi_PBlock *pb = NULL;
const char *search_basedn = slapi_sdn_get_dn(basedn);
int search_scope = scope;
int ret = LDAP_SUCCESS;
const char *attrs[2] = {attrname, NULL};
if (svs) {
*svs = NULL;
}
if (attrval) {
*attrval = NULL;
}
pb = slapi_pblock_new();
slapi_search_internal_set_pb(pb, search_basedn, search_scope, filter,
(char **)attrs, 0, NULL, NULL,
ipa_winsync_get_plugin_identity(), 0);
slapi_search_internal_pb(pb);
/* This search may return no entries, but should never
return an error
*/
slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &ret);
if (ret != LDAP_SUCCESS) {
LOG_FATAL("Error [%d:%s] searching for base [%s] filter [%s]"
" attr [%s]\n", ret, ldap_err2string(ret),
search_basedn, filter, attrs[0]);
goto out1;
}
slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &entries);
if (entries && entries[0] && entries[1]) {
/* error - should never be more than one matching entry */
LOG_FATAL("Error: more than one entry matches search for "
"base [%s] filter [%s] attr [%s]\n",
search_basedn, filter, attrs[0]);
ret = LDAP_UNWILLING_TO_PERFORM;
goto out1;
}
if (entries && entries[0]) { /* found one */
if (svs) {
Slapi_Attr *attr = NULL;
if (!slapi_entry_attr_find(entries[0], attrname, &attr) &&
(NULL != attr)) {
/* slapi_attr_get_valueset allocates svs - must be freed later */
slapi_attr_get_valueset(attr, svs);
}
}
if (attrval) {
if (!strcmp(attrname, "dn")) { /* special - to just get the DN */
*attrval = slapi_ch_strdup(slapi_entry_get_dn_const(entries[0]));
} else {
*attrval = slapi_entry_attr_get_charptr(entries[0], attrname);
}
}
} else {
ret = LDAP_NO_SUCH_OBJECT;
LOG("Did not find an entry for search "
"base [%s] filter [%s] attr [%s]\n",
search_basedn, filter, attrs[0]);
}
out1:
if (pb) {
slapi_free_search_results_internal(pb);
slapi_pblock_destroy(pb);
pb = NULL;
}
return ret;
}
/*
* An URP Naming Collision helper function. Retreives a list of entries
* that have the given dn excluding the unique id of the entry. Any
* entries returned will be entries that have been added with the same
* dn, but caused a naming conflict when replicated. The URP to fix
* this constraint violation is to append the unique id of the entry
* to its RDN.
*/
static Slapi_Entry *
urp_get_min_naming_conflict_entry ( Slapi_PBlock *pb, char *sessionid, CSN *opcsn )
{
Slapi_PBlock *newpb = NULL;
LDAPControl **server_ctrls = NULL;
Slapi_Entry **entries = NULL;
Slapi_Entry *min_naming_conflict_entry = NULL;
const CSN *min_csn = NULL;
char *filter = NULL;
char *parent_dn = NULL;
char *basedn;
int i = 0;
int min_i = -1;
int op_result = LDAP_SUCCESS;
slapi_pblock_get (pb, SLAPI_URP_NAMING_COLLISION_DN, &basedn);
if (NULL == basedn || strncmp (basedn, SLAPI_ATTR_UNIQUEID, strlen(SLAPI_ATTR_UNIQUEID)) == 0)
return NULL;
slapi_log_error ( SLAPI_LOG_REPL, sessionid,
"Enter urp_get_min_naming_conflict_entry for %s\n", basedn);
filter = slapi_filter_sprintf("(%s=%s %s%s)", ATTR_NSDS5_REPLCONFLICT, REASON_ANNOTATE_DN,
ESC_NEXT_VAL, basedn);
/* server_ctrls will be freed when newpb is destroyed */
server_ctrls = (LDAPControl **)slapi_ch_calloc (2, sizeof (LDAPControl *));
server_ctrls[0] = create_managedsait_control();
server_ctrls[1] = NULL;
newpb = slapi_pblock_new();
parent_dn = slapi_dn_parent (basedn);
slapi_search_internal_set_pb(newpb,
parent_dn, /* Base DN */
LDAP_SCOPE_ONELEVEL,
filter,
NULL, /* Attrs */
0, /* AttrOnly */
server_ctrls, /* Controls */
NULL, /* UniqueID */
repl_get_plugin_identity(PLUGIN_MULTIMASTER_REPLICATION),
0);
slapi_search_internal_pb(newpb);
slapi_pblock_get(newpb, SLAPI_PLUGIN_INTOP_RESULT, &op_result);
slapi_pblock_get(newpb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &entries);
if ( (op_result != LDAP_SUCCESS) || (entries == NULL) )
{
/* Log a message */
goto done;
}
/* For all entries, get the one with the smallest dn csn */
for (i = 0; NULL != entries[i]; i++)
{
const CSN *dncsn;
dncsn = entry_get_dncsn(entries[i]);
if ((dncsn != opcsn) &&
((min_csn == NULL) || (csn_compare(dncsn, min_csn) < 0)) &&
!is_tombstone_entry (entries[i]))
{
min_csn = dncsn;
min_i = i;
}
/*
* If there are too many conflicts, the current urp code has no
* guarantee for all servers to converge anyway, because the
* urp and the backend can't be done in one transaction due
* to either performance or the deadlock problem.
* Don't sacrifice the performance too much for impossible.
*/
if (min_csn && i > 5)
{
break;
}
}
if (min_csn != NULL) {
/* Found one entry */
min_naming_conflict_entry = slapi_entry_dup(entries[min_i]);
}
done:
slapi_ch_free_string(&parent_dn);
if (filter) {
PR_smprintf_free(filter);
}
slapi_free_search_results_internal(newpb);
slapi_pblock_destroy(newpb);
newpb = NULL;
slapi_log_error ( SLAPI_LOG_REPL, sessionid,
"Leave urp_get_min_naming_conflict_entry (found %d entries)\n", i);
return min_naming_conflict_entry;
}
/* Reads in any config information held in the dse for the given
* entry. Creates dse entries used to configure the given instance
* if they don't already exist. Registers dse callback functions to
* maintain those dse entries. Returns 0 on success. */
int
ldbm_instance_config_load_dse_info(ldbm_instance *inst)
{
struct ldbminfo *li = inst->inst_li;
Slapi_PBlock *search_pb;
Slapi_Entry **entries = NULL;
char *dn = NULL;
int rval = 0;
/* We try to read the entry
* cn=instance_name, cn=ldbm database, cn=plugins, cn=config. If the
* entry is there, then we process the config information it stores.
*/
dn = slapi_create_dn_string("cn=%s,cn=%s,cn=plugins,cn=config",
inst->inst_name, li->li_plugin->plg_name);
if (NULL == dn) {
LDAPDebug2Args(LDAP_DEBUG_ANY,
"ldbm_instance_config_load_dse_info: "
"failed create instance dn %s for plugin %s\n",
inst->inst_name, inst->inst_li->li_plugin->plg_name);
rval = 1;
goto bail;
}
search_pb = slapi_pblock_new();
if (!search_pb) {
LDAPDebug(LDAP_DEBUG_ANY,
"ldbm_instance_config_load_dse_info: Out of memory\n",
0, 0, 0);
rval = 1;
goto bail;
}
slapi_search_internal_set_pb(search_pb, dn, LDAP_SCOPE_BASE,
"objectclass=*", NULL, 0, NULL, NULL,
li->li_identity, 0);
slapi_search_internal_pb (search_pb);
slapi_pblock_get(search_pb, SLAPI_PLUGIN_INTOP_RESULT, &rval);
if (rval != LDAP_SUCCESS) {
LDAPDebug(LDAP_DEBUG_ANY, "Error accessing the config DSE\n", 0, 0, 0);
rval = 1;
goto bail;
} else {
/* Need to parse the configuration information for the ldbm
* plugin that is held in the DSE. */
slapi_pblock_get(search_pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES,
&entries);
if ((!entries) || (!entries[0])) {
LDAPDebug(LDAP_DEBUG_ANY, "Error accessing the config DSE\n",
0, 0, 0);
rval = 1;
goto bail;
}
if (0 != parse_ldbm_instance_config_entry(inst, entries[0],
ldbm_instance_config)) {
LDAPDebug(LDAP_DEBUG_ANY, "Error parsing the config DSE\n",
0, 0, 0);
rval = 1;
goto bail;
}
}
if (search_pb)
{
slapi_free_search_results_internal(search_pb);
slapi_pblock_destroy(search_pb);
}
/* Add skeleton dse entries for this instance */
/* IF they already exist, that's ok */
ldbm_config_add_dse_entries(li, ldbm_instance_skeleton_entries,
inst->inst_name, li->li_plugin->plg_name,
inst->inst_name, 0);
/* setup the dse callback functions for the ldbm instance config entry */
slapi_config_register_callback(SLAPI_OPERATION_SEARCH, DSE_FLAG_PREOP, dn,
LDAP_SCOPE_BASE, "(objectclass=*)",
ldbm_instance_search_config_entry_callback, (void *) inst);
slapi_config_register_callback(SLAPI_OPERATION_MODIFY, DSE_FLAG_PREOP, dn,
LDAP_SCOPE_BASE, "(objectclass=*)",
ldbm_instance_modify_config_entry_callback, (void *) inst);
slapi_config_register_callback(DSE_OPERATION_WRITE, DSE_FLAG_PREOP, dn,
LDAP_SCOPE_BASE, "(objectclass=*)",
ldbm_instance_search_config_entry_callback, (void *) inst);
slapi_config_register_callback(SLAPI_OPERATION_ADD, DSE_FLAG_PREOP, dn,
LDAP_SCOPE_BASE, "(objectclass=*)",
ldbm_instance_deny_config, (void *)inst);
/* delete is handled by a callback set in ldbm_config.c */
slapi_ch_free_string(&dn);
/* don't forget the monitor! */
dn = slapi_create_dn_string("cn=monitor,cn=%s,cn=%s,cn=plugins,cn=config",
inst->inst_name, li->li_plugin->plg_name);
if (NULL == dn) {
LDAPDebug2Args(LDAP_DEBUG_ANY,
"ldbm_instance_config_load_dse_info: "
"failed create monitor instance dn for plugin %s, "
"instance %s\n",
inst->inst_li->li_plugin->plg_name, inst->inst_name);
rval = 1;
goto bail;
}
/* make callback on search; deny add/modify/delete */
slapi_config_register_callback(SLAPI_OPERATION_SEARCH, DSE_FLAG_PREOP, dn,
LDAP_SCOPE_BASE, "(objectclass=*)", ldbm_back_monitor_instance_search,
(void *)inst);
slapi_config_register_callback(SLAPI_OPERATION_ADD, DSE_FLAG_PREOP, dn,
LDAP_SCOPE_SUBTREE, "(objectclass=*)", ldbm_instance_deny_config,
(void *)inst);
slapi_config_register_callback(SLAPI_OPERATION_MODIFY, DSE_FLAG_PREOP, dn,
LDAP_SCOPE_BASE, "(objectclass=*)", ldbm_instance_deny_config,
(void *)inst);
/* delete is okay */
slapi_ch_free_string(&dn);
/* Callbacks to handle indexes */
dn = slapi_create_dn_string("cn=index,cn=%s,cn=%s,cn=plugins,cn=config",
inst->inst_name, li->li_plugin->plg_name);
if (NULL == dn) {
LDAPDebug2Args(LDAP_DEBUG_ANY,
"ldbm_instance_config_load_dse_info: "
"failed create index instance dn for plugin %s, "
"instance %s\n",
inst->inst_li->li_plugin->plg_name, inst->inst_name);
rval = 1;
goto bail;
}
slapi_config_register_callback(SLAPI_OPERATION_ADD, DSE_FLAG_PREOP, dn,
LDAP_SCOPE_SUBTREE, "(objectclass=nsIndex)",
ldbm_instance_index_config_add_callback, (void *) inst);
slapi_config_register_callback(SLAPI_OPERATION_DELETE, DSE_FLAG_PREOP, dn,
LDAP_SCOPE_SUBTREE, "(objectclass=nsIndex)",
ldbm_instance_index_config_delete_callback, (void *) inst);
slapi_config_register_callback(SLAPI_OPERATION_MODIFY, DSE_FLAG_PREOP, dn,
LDAP_SCOPE_SUBTREE, "(objectclass=nsIndex)",
ldbm_instance_index_config_modify_callback, (void *) inst);
slapi_ch_free_string(&dn);
/* Callbacks to handle attribute encryption */
dn = slapi_create_dn_string("cn=encrypted attributes,cn=%s,cn=%s,cn=plugins,cn=config",
inst->inst_name, li->li_plugin->plg_name);
if (NULL == dn) {
LDAPDebug2Args(LDAP_DEBUG_ANY,
"ldbm_instance_config_load_dse_info: "
"failed create encrypted attribute instance dn "
"for plugin %s, instance %s\n",
inst->inst_li->li_plugin->plg_name, inst->inst_name);
rval = 1;
goto bail;
}
slapi_config_register_callback(SLAPI_OPERATION_ADD, DSE_FLAG_PREOP, dn,
LDAP_SCOPE_SUBTREE, ldbm_instance_attrcrypt_filter,
ldbm_instance_attrcrypt_config_add_callback, (void *) inst);
slapi_config_register_callback(SLAPI_OPERATION_DELETE, DSE_FLAG_PREOP, dn,
LDAP_SCOPE_SUBTREE, ldbm_instance_attrcrypt_filter,
ldbm_instance_attrcrypt_config_delete_callback, (void *) inst);
slapi_config_register_callback(SLAPI_OPERATION_MODIFY, DSE_FLAG_PREOP, dn,
LDAP_SCOPE_SUBTREE, ldbm_instance_attrcrypt_filter,
ldbm_instance_attrcrypt_config_modify_callback, (void *) inst);
rval = 0;
bail:
slapi_ch_free_string(&dn);
return rval;
}
int oath_preop_bind(Slapi_PBlock *pb) {
char *dn;
const char *creds;
int creds_len, hotp_len = oath_preop_config.hotp_length, pin_len, method, rc = LDAP_SUCCESS, handled = 1;
struct berval *credentials;
Slapi_Value *sv_creds = NULL;
Slapi_PBlock *upb, *tpb; // PBlocks for user and token searches
Token token;
slapi_log_error(SLAPI_LOG_PLUGIN, "oath", "oath_preop_bind\n");
if (slapi_pblock_get(pb, SLAPI_BIND_METHOD, (void *) &method) != 0 ||
slapi_pblock_get(pb, SLAPI_BIND_TARGET, (void *) &dn) != 0 ||
slapi_pblock_get(pb, SLAPI_BIND_CREDENTIALS, (void *) &credentials) != 0) {
slapi_log_error(SLAPI_LOG_PLUGIN, "oath", "oath_preop_bind: Could not get parameters for bind operation\n");
slapi_send_ldap_result(pb, LDAP_OPERATIONS_ERROR, NULL, NULL, 0, NULL);
return 1;
}
switch (method) {
case LDAP_AUTH_SIMPLE:
rc = LDAP_SUCCESS;
sv_creds = slapi_value_new_berval(credentials);
creds = slapi_value_get_string(sv_creds);
creds_len = creds ? strlen(creds) : 0;
Slapi_Entry **entries, *entry;
int nentries = 0;
upb = slapi_pblock_new();
slapi_search_internal_set_pb(upb, dn, LDAP_SCOPE_SUB, "(objectClass=*)", NULL, 0, NULL, NULL, oath_preop_plugin_id, 0);
slapi_search_internal_pb(upb);
slapi_pblock_get(upb, SLAPI_PLUGIN_INTOP_RESULT, &rc);
slapi_pblock_get(upb, SLAPI_NENTRIES, &nentries);
slapi_pblock_get(upb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &entries);
if (rc == LDAP_SUCCESS && nentries > 0 && entries != NULL && (entry = *entries) != NULL) {
char filter[1024], *attrs[] = {"tokenSerial", "tokenSeed", "tokenCounter", "tokenPIN", NULL};
Slapi_Entry **tokens;
int ntokens = 0;
slapi_log_error(SLAPI_LOG_PLUGIN, "oath", "oath_preop_bind: Authenticating DN: %s\n", dn);
// search for tokens
snprintf(filter, 1024, "(&(objectClass=oathToken)(tokenOwner=%s))", dn);
tpb = slapi_pblock_new();
slapi_search_internal_set_pb(tpb, oath_preop_config.token_base, LDAP_SCOPE_SUBTREE, filter, attrs, 0, NULL, NULL, oath_preop_plugin_id, 0);
slapi_search_internal_pb(tpb);
slapi_pblock_get(tpb, SLAPI_PLUGIN_INTOP_RESULT, &rc);
slapi_pblock_get(tpb, SLAPI_NENTRIES, &ntokens);
slapi_pblock_get(tpb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &tokens);
if (rc == LDAP_SUCCESS && ntokens > 0 && tokens != NULL) {
int t, w;
unsigned char hotp[hotp_len + 1];
for (t = 0; t < ntokens; t++) {
oath_token_from_entry(&token, tokens[t]);
pin_len = token.pin ? strlen(token.pin) : 0;
slapi_log_error(SLAPI_LOG_PLUGIN, "oath", "oath_preop_bind: Found token: %s\n", token.serial);
if (pin_len + hotp_len != creds_len)
slapi_log_error(SLAPI_LOG_PLUGIN, "oath", "oath_preop_bind: Credentials length did not match\n");
else if (token.pin && strncmp(creds, token.pin, pin_len))
slapi_log_error(SLAPI_LOG_PLUGIN, "oath", "oath_preop_bind: PIN did not match\n");
else for (w = 0; w < oath_preop_config.hotp_inner_window; w++) {
if (oath_hotp(hotp, hotp_len, token.seed->bv_val, token.seed->bv_len, token.counter + w, oath_preop_config.hotp_trunc_offset, oath_preop_config.hotp_checksum)) {
// slapi_log_error(SLAPI_LOG_PLUGIN, "oath", "oath_preop_bind: hotp(%d) = %s\n", token.counter + w, hotp);
if (!strncmp(hotp, creds + pin_len, hotp_len)) {
// success
slapi_log_error(SLAPI_LOG_PLUGIN, "oath", "oath_preop_bind: hotp(%d) = %s\n", token.counter + w, hotp);
if (oath_update_token(tokens[t], token.counter + w + 1) != 0) {
slapi_log_error(SLAPI_LOG_PLUGIN, "oath", "oath_preop_bind: Failed to update token entry\n");
rc = LDAP_OPERATIONS_ERROR;
};
// OpenLDAP does not support setting SLAPI_CONN_DN and SLAPI_CONN_AUTHMETHOD
/*
if (slapi_pblock_set(pb, SLAPI_CONN_DN, slapi_ch_strdup(dn)) != 0 ||
slapi_pblock_set(pb, SLAPI_CONN_AUTHMETHOD, SLAPD_AUTH_SIMPLE) != 0) {
slapi_log_error(SLAPI_LOG_PLUGIN, "oath", "oath_preop_bind: Failed to set DN and auth method for connection\n", dn);
rc = LDAP_OPERATIONS_ERROR;
}
*/
goto free_tpb;
}
} else {
// HOTP error
slapi_log_error(SLAPI_LOG_PLUGIN, "oath", "oath_preop_bind: HOTP error for token %s\n", token.serial);
break;
}
}
slapi_log_error(SLAPI_LOG_PLUGIN, "oath", "oath_preop_bind: Token %s did not match\n", token.serial);
oath_token_free(&token);
}
// No token matched
handled = 0;
goto free_tpb;
} else { // no tokens associated
slapi_log_error(SLAPI_LOG_PLUGIN, "oath", "oath_preop_bind: DN %s has got no token(s) associated, rc = %d\n", dn, rc);
handled = 0;
goto free_upb;
}
} else {
// entry not found; don't fail because this can be root (directory manager) DN
slapi_log_error(SLAPI_LOG_PLUGIN, "oath", "oath_preop_bind: DN %s not found\n", dn);
if (rc == LDAP_SUCCESS)
rc = LDAP_OPERATIONS_ERROR;
else
handled = 0;
goto free_upb;
}
break;
case LDAP_AUTH_NONE:
case LDAP_AUTH_SASL:
default:
slapi_log_error(SLAPI_LOG_PLUGIN, "oath", "oath_bind_preop: Authentication type not supported: %d", method);
return 0;
}
free_tpb:
oath_token_free(&token);
slapi_free_search_results_internal(tpb);
slapi_pblock_destroy(tpb);
free_upb:
slapi_free_search_results_internal(upb);
slapi_pblock_destroy(upb);
slapi_value_free(&sv_creds);
if (handled) {
slapi_send_ldap_result(pb, rc, NULL, NULL, 0, NULL);
return 1;
} else
return 0;
}
/*
* Read and load configuration. Validation will also
* be performed unless skip_validate is set to non-0.
* Returns PAM_PASSTHRU_SUCCESS if all is well.
*/
int
pam_passthru_load_config(int skip_validate)
{
int status = PAM_PASSTHRU_SUCCESS;
int result;
int i;
int alternate = 0;
Slapi_PBlock *search_pb;
Slapi_Entry **entries = NULL;
slapi_log_err(SLAPI_LOG_TRACE, PAM_PASSTHRU_PLUGIN_SUBSYSTEM,
"=> pam_passthru_load_config\n");
pam_passthru_write_lock();
pam_passthru_delete_config();
search_pb = slapi_pblock_new();
/* Find all entries in the active config area. */
slapi_search_internal_set_pb(search_pb, slapi_sdn_get_ndn(pam_passthru_get_config_area()),
LDAP_SCOPE_SUBTREE, "objectclass=*",
NULL, 0, NULL, NULL,
pam_passthruauth_get_plugin_identity(), 0);
slapi_search_internal_pb(search_pb);
slapi_pblock_get(search_pb, SLAPI_PLUGIN_INTOP_RESULT, &result);
if (LDAP_SUCCESS != result) {
status = PAM_PASSTHRU_FAILURE;
goto cleanup;
}
slapi_pblock_get(search_pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES,
&entries);
if (NULL == entries || NULL == entries[0]) {
status = PAM_PASSTHRU_FAILURE;
goto cleanup;
}
/* Check if we are using an alternate config area. We do this here
* so we don't have to check each every time in the loop below. */
if (slapi_sdn_compare(pam_passthru_get_config_area(),
pam_passthruauth_get_plugin_sdn()) != 0) {
alternate = 1;
}
/* Validate and apply config if valid. If skip_validate is set, we skip
* validation and just apply the config. This should only be done if the
* configuration has already been validated. */
for (i = 0; (entries[i] != NULL); i++) {
/* If this is the alternate config container, skip it since
* we don't consider it to be an actual config entry. */
if (alternate && (slapi_sdn_compare(pam_passthru_get_config_area(),
slapi_entry_get_sdn(entries[i])) == 0)) {
continue;
}
if (skip_validate || (PAM_PASSTHRU_SUCCESS == pam_passthru_validate_config(entries[i], NULL))) {
if (PAM_PASSTHRU_FAILURE == pam_passthru_apply_config(entries[i])) {
slapi_log_err(SLAPI_LOG_ERR, PAM_PASSTHRU_PLUGIN_SUBSYSTEM,
"pam_passthru_load_config - Unable to apply config "
"for entry \"%s\"\n", slapi_entry_get_ndn(entries[i]));
}
} else {
slapi_log_err(SLAPI_LOG_ERR, PAM_PASSTHRU_PLUGIN_SUBSYSTEM,
"pam_passthru_load_config - Skipping invalid config "
"entry \"%s\"\n", slapi_entry_get_ndn(entries[i]));
}
}
cleanup:
slapi_free_search_results_internal(search_pb);
slapi_pblock_destroy(search_pb);
pam_passthru_unlock();
slapi_log_err(SLAPI_LOG_TRACE, PAM_PASSTHRU_PLUGIN_SUBSYSTEM,
"<= pam_passthru_load_config\n");
return status;
}
