mirror of
https://git.openldap.org/openldap/openldap.git
synced 2026-02-18 18:18:06 -05:00
import selected fixes/improvements to proxy backends from HEAD:
Fixed slapd-ldap/meta privileged conn caching (ITS#4547)
Fixed slapd-ldap chase-referrals switch (ITS#4557)
Fixed slapd-ldap bind behavior when idassert is always used (ITS#4781)
Fixed slapd-ldap response handling bugs (ITS#4782)
Fixed slapd-ldap/meta privileged connections handling (ITS#4791)
Fixed slapd-meta retrying (ITS#4594, 4762)
Fixed slapo-chain referral DN use (ITS#4776)
This commit is contained in:
Pierangelo Masarati
parent
a497f11338
commit
2f605e1408
34 changed files with 6381 additions and 2564 deletions
7
CHANGES
7
CHANGES
|
|
@ -1,6 +1,13 @@
|
|||
OpenLDAP 2.3 Change Log
|
||||
|
||||
OpenLDAP 2.3.33 Engineering
|
||||
Fixed slapd-ldap/meta privileged conn caching (ITS#4547)
|
||||
Fixed slapd-ldap chase-referrals switch (ITS#4557)
|
||||
Fixed slapd-ldap bind behavior when idassert is always used (ITS#4781)
|
||||
Fixed slapd-ldap response handling bugs (ITS#4782)
|
||||
Fixed slapd-ldap/meta privileged connections handling (ITS#4791)
|
||||
Fixed slapd-meta retrying (ITS#4594, 4762)
|
||||
Fixed slapo-chain referral DN use (ITS#4776)
|
||||
|
||||
OpenLDAP 2.3.32 Release (2007/01/04)
|
||||
Fixed slapd add redundant duplicate value check (ITS#4600)
|
||||
|
|
|
|||
|
|
@ -296,6 +296,32 @@ lutil_parse_time( const char *in, unsigned long *tp );
|
|||
LDAP_LUTIL_F (int)
|
||||
lutil_unparse_time( char *buf, size_t buflen, unsigned long t );
|
||||
|
||||
#ifdef timerdiv
|
||||
#define lutil_timerdiv timerdiv
|
||||
#else /* ! timerdiv */
|
||||
/* works inplace (x == t) */
|
||||
#define lutil_timerdiv(t,d,x) \
|
||||
do { \
|
||||
time_t s = (t)->tv_sec; \
|
||||
assert( d > 0 ); \
|
||||
(x)->tv_sec = s / d; \
|
||||
(x)->tv_usec = ( (t)->tv_usec + 1000000 * ( s % d ) ) / d; \
|
||||
} while ( 0 )
|
||||
#endif /* ! timerdiv */
|
||||
|
||||
#ifdef timermul
|
||||
#define lutil_timermul timermul
|
||||
#else /* ! timermul */
|
||||
/* works inplace (x == t) */
|
||||
#define lutil_timermul(t,m,x) \
|
||||
do { \
|
||||
time_t u = (t)->tv_usec * m; \
|
||||
assert( m > 0 ); \
|
||||
(x)->tv_sec = (t)->tv_sec * m + u / 1000000; \
|
||||
(x)->tv_usec = u % 1000000; \
|
||||
} while ( 0 );
|
||||
#endif /* ! timermul */
|
||||
|
||||
LDAP_END_DECL
|
||||
|
||||
#endif /* _LUTIL_H */
|
||||
|
|
|
|||
|
|
@ -36,26 +36,25 @@ ldap_back_add(
|
|||
Operation *op,
|
||||
SlapReply *rs )
|
||||
{
|
||||
ldapinfo_t *li = (ldapinfo_t *)op->o_bd->be_private;
|
||||
ldapinfo_t *li = (ldapinfo_t *)op->o_bd->be_private;
|
||||
|
||||
ldapconn_t *lc;
|
||||
int i = 0,
|
||||
j = 0;
|
||||
Attribute *a;
|
||||
LDAPMod **attrs = NULL,
|
||||
*attrs2 = NULL;
|
||||
ber_int_t msgid;
|
||||
int isupdate;
|
||||
int do_retry = 1;
|
||||
LDAPControl **ctrls = NULL;
|
||||
ldapconn_t *lc = NULL;
|
||||
int i = 0,
|
||||
j = 0;
|
||||
Attribute *a;
|
||||
LDAPMod **attrs = NULL,
|
||||
*attrs2 = NULL;
|
||||
ber_int_t msgid;
|
||||
int isupdate;
|
||||
ldap_back_send_t retrying = LDAP_BACK_RETRYING;
|
||||
LDAPControl **ctrls = NULL;
|
||||
|
||||
rs->sr_err = LDAP_SUCCESS;
|
||||
|
||||
Debug( LDAP_DEBUG_ARGS, "==> ldap_back_add(\"%s\")\n",
|
||||
op->o_req_dn.bv_val, 0, 0 );
|
||||
|
||||
lc = ldap_back_getconn( op, rs, LDAP_BACK_SENDERR );
|
||||
if ( !lc || !ldap_back_dobind( lc, op, rs, LDAP_BACK_SENDERR ) ) {
|
||||
if ( !ldap_back_dobind( &lc, op, rs, LDAP_BACK_SENDERR ) ) {
|
||||
lc = NULL;
|
||||
goto cleanup;
|
||||
}
|
||||
|
|
@ -94,7 +93,8 @@ ldap_back_add(
|
|||
|
||||
retry:
|
||||
ctrls = op->o_ctrls;
|
||||
rs->sr_err = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls );
|
||||
rs->sr_err = ldap_back_proxy_authz_ctrl( &lc->lc_bound_ndn,
|
||||
li->li_version, &li->li_idassert, op, rs, &ctrls );
|
||||
if ( rs->sr_err != LDAP_SUCCESS ) {
|
||||
send_ldap_result( op, rs );
|
||||
goto cleanup;
|
||||
|
|
@ -103,9 +103,10 @@ retry:
|
|||
rs->sr_err = ldap_add_ext( lc->lc_ld, op->o_req_dn.bv_val, attrs,
|
||||
ctrls, NULL, &msgid );
|
||||
rs->sr_err = ldap_back_op_result( lc, op, rs, msgid,
|
||||
li->li_timeout[ LDAP_BACK_OP_ADD ], LDAP_BACK_SENDRESULT );
|
||||
if ( rs->sr_err == LDAP_UNAVAILABLE && do_retry ) {
|
||||
do_retry = 0;
|
||||
li->li_timeout[ SLAP_OP_ADD ],
|
||||
( LDAP_BACK_SENDRESULT | retrying ) );
|
||||
if ( rs->sr_err == LDAP_UNAVAILABLE && retrying ) {
|
||||
retrying &= ~LDAP_BACK_RETRYING;
|
||||
if ( ldap_back_retry( &lc, op, rs, LDAP_BACK_SENDERR ) ) {
|
||||
/* if the identity changed, there might be need to re-authz */
|
||||
(void)ldap_back_proxy_authz_ctrl_free( op, &ctrls );
|
||||
|
|
|
|||
|
|
@ -26,41 +26,93 @@
|
|||
|
||||
LDAP_BEGIN_DECL
|
||||
|
||||
struct ldapinfo_t;
|
||||
|
||||
enum {
|
||||
/* even numbers are connection types */
|
||||
LDAP_BACK_PCONN_FIRST = 0,
|
||||
LDAP_BACK_PCONN_ROOTDN = LDAP_BACK_PCONN_FIRST,
|
||||
LDAP_BACK_PCONN_ANON = 2,
|
||||
LDAP_BACK_PCONN_BIND = 4,
|
||||
|
||||
/* add the TLS bit */
|
||||
LDAP_BACK_PCONN_TLS = 0x1U,
|
||||
|
||||
LDAP_BACK_PCONN_ROOTDN_TLS = (LDAP_BACK_PCONN_ROOTDN|LDAP_BACK_PCONN_TLS),
|
||||
LDAP_BACK_PCONN_ANON_TLS = (LDAP_BACK_PCONN_ANON|LDAP_BACK_PCONN_TLS),
|
||||
LDAP_BACK_PCONN_BIND_TLS = (LDAP_BACK_PCONN_BIND|LDAP_BACK_PCONN_TLS),
|
||||
|
||||
LDAP_BACK_PCONN_LAST
|
||||
};
|
||||
|
||||
typedef struct ldapconn_t {
|
||||
Connection *lc_conn;
|
||||
#define LDAP_BACK_PCONN ((void *)0x0)
|
||||
#define LDAP_BACK_PCONN_TLS ((void *)0x1)
|
||||
#define LDAP_BACK_PCONN_ID(c) ((void *)(c) > LDAP_BACK_PCONN_TLS ? (c)->c_connid : -1)
|
||||
#define LDAP_BACK_CONN2PRIV(lc) ((unsigned long)(lc)->lc_conn)
|
||||
#define LDAP_BACK_PCONN_ISPRIV(lc) ((void *)(lc)->lc_conn >= (void *)LDAP_BACK_PCONN_FIRST \
|
||||
&& (void *)(lc)->lc_conn < (void *)LDAP_BACK_PCONN_LAST)
|
||||
#define LDAP_BACK_PCONN_ISROOTDN(lc) (LDAP_BACK_PCONN_ISPRIV((lc)) \
|
||||
&& (LDAP_BACK_CONN2PRIV((lc)) < LDAP_BACK_PCONN_ANON))
|
||||
#define LDAP_BACK_PCONN_ISANON(lc) (LDAP_BACK_PCONN_ISPRIV((lc)) \
|
||||
&& (LDAP_BACK_CONN2PRIV((lc)) < LDAP_BACK_PCONN_BIND) \
|
||||
&& (LDAP_BACK_CONN2PRIV((lc)) >= LDAP_BACK_PCONN_ANON))
|
||||
#define LDAP_BACK_PCONN_ISBIND(lc) (LDAP_BACK_PCONN_ISPRIV((lc)) \
|
||||
&& (LDAP_BACK_CONN2PRIV((lc)) >= LDAP_BACK_PCONN_BIND))
|
||||
#define LDAP_BACK_PCONN_ISTLS(lc) (LDAP_BACK_PCONN_ISPRIV((lc)) \
|
||||
&& (LDAP_BACK_CONN2PRIV((lc)) & LDAP_BACK_PCONN_TLS))
|
||||
#define LDAP_BACK_PCONN_ID(lc) (LDAP_BACK_PCONN_ISPRIV((lc)) ? \
|
||||
( -1 - (long)(lc)->lc_conn ) : (lc)->lc_conn->c_connid )
|
||||
#ifdef HAVE_TLS
|
||||
#define LDAP_BACK_PCONN_SET(op) ((op)->o_conn->c_is_tls ? LDAP_BACK_PCONN_TLS : LDAP_BACK_PCONN)
|
||||
#define LDAP_BACK_PCONN_ROOTDN_SET(lc, op) \
|
||||
((lc)->lc_conn = (void *)((op)->o_conn->c_is_tls ? LDAP_BACK_PCONN_ROOTDN_TLS : LDAP_BACK_PCONN_ROOTDN))
|
||||
#define LDAP_BACK_PCONN_ANON_SET(lc, op) \
|
||||
((lc)->lc_conn = (void *)((op)->o_conn->c_is_tls ? LDAP_BACK_PCONN_ANON_TLS : LDAP_BACK_PCONN_ANON))
|
||||
#define LDAP_BACK_PCONN_BIND_SET(lc, op) \
|
||||
((lc)->lc_conn = (void *)((op)->o_conn->c_is_tls ? LDAP_BACK_PCONN_BIND_TLS : LDAP_BACK_PCONN_BIND))
|
||||
#else /* ! HAVE_TLS */
|
||||
#define LDAP_BACK_PCONN_SET(op) (LDAP_BACK_PCONN)
|
||||
#define LDAP_BACK_PCONN_ROOTDN_SET(lc, op) \
|
||||
((lc)->lc_conn = (void *)LDAP_BACK_PCONN_ROOTDN)
|
||||
#define LDAP_BACK_PCONN_ANON_SET(lc, op) \
|
||||
((lc)->lc_conn = (void *)LDAP_BACK_PCONN_ANON)
|
||||
#define LDAP_BACK_PCONN_BIND_SET(lc, op) \
|
||||
((lc)->lc_conn = (void *)LDAP_BACK_PCONN_BIND)
|
||||
#endif /* ! HAVE_TLS */
|
||||
#define LDAP_BACK_PCONN_SET(lc, op) \
|
||||
(BER_BVISEMPTY(&(op)->o_ndn) ? \
|
||||
LDAP_BACK_PCONN_ANON_SET((lc), (op)) : LDAP_BACK_PCONN_ROOTDN_SET((lc), (op)))
|
||||
|
||||
LDAP *lc_ld;
|
||||
struct berval lc_cred;
|
||||
struct berval lc_bound_ndn;
|
||||
struct berval lc_local_ndn;
|
||||
unsigned lc_lcflags;
|
||||
#define LDAP_BACK_CONN_ISSET(lc,f) ((lc)->lc_lcflags & (f))
|
||||
#define LDAP_BACK_CONN_SET(lc,f) ((lc)->lc_lcflags |= (f))
|
||||
#define LDAP_BACK_CONN_CLEAR(lc,f) ((lc)->lc_lcflags &= ~(f))
|
||||
#define LDAP_BACK_CONN_CPY(lc,f,mlc) \
|
||||
#define LDAP_BACK_CONN_ISSET_F(fp,f) (*(fp) & (f))
|
||||
#define LDAP_BACK_CONN_SET_F(fp,f) (*(fp) |= (f))
|
||||
#define LDAP_BACK_CONN_CLEAR_F(fp,f) (*(fp) &= ~(f))
|
||||
#define LDAP_BACK_CONN_CPY_F(fp,f,mfp) \
|
||||
do { \
|
||||
if ( ((f) & (mlc)->lc_lcflags) == (f) ) { \
|
||||
(lc)->lc_lcflags |= (f); \
|
||||
if ( ((f) & *(mfp)) == (f) ) { \
|
||||
*(fp) |= (f); \
|
||||
} else { \
|
||||
(lc)->lc_lcflags &= ~(f); \
|
||||
*(fp) &= ~(f); \
|
||||
} \
|
||||
} while ( 0 )
|
||||
|
||||
#define LDAP_BACK_FCONN_ISBOUND (0x01)
|
||||
#define LDAP_BACK_FCONN_ISANON (0x02)
|
||||
#define LDAP_BACK_CONN_ISSET(lc,f) LDAP_BACK_CONN_ISSET_F(&(lc)->lc_lcflags, (f))
|
||||
#define LDAP_BACK_CONN_SET(lc,f) LDAP_BACK_CONN_SET_F(&(lc)->lc_lcflags, (f))
|
||||
#define LDAP_BACK_CONN_CLEAR(lc,f) LDAP_BACK_CONN_CLEAR_F(&(lc)->lc_lcflags, (f))
|
||||
#define LDAP_BACK_CONN_CPY(lc,f,mlc) LDAP_BACK_CONN_CPY_F(&(lc)->lc_lcflags, (f), &(mlc)->lc_lcflags)
|
||||
|
||||
/* 0xFFF00000U are reserved for back-meta */
|
||||
|
||||
#define LDAP_BACK_FCONN_ISBOUND (0x00000001U)
|
||||
#define LDAP_BACK_FCONN_ISANON (0x00000002U)
|
||||
#define LDAP_BACK_FCONN_ISBMASK (LDAP_BACK_FCONN_ISBOUND|LDAP_BACK_FCONN_ISANON)
|
||||
#define LDAP_BACK_FCONN_ISPRIV (0x04)
|
||||
#define LDAP_BACK_FCONN_ISTLS (0x08)
|
||||
#define LDAP_BACK_FCONN_BINDING (0x10)
|
||||
#define LDAP_BACK_FCONN_TAINTED (0x20)
|
||||
#define LDAP_BACK_FCONN_ISPRIV (0x00000004U)
|
||||
#define LDAP_BACK_FCONN_ISTLS (0x00000008U)
|
||||
#define LDAP_BACK_FCONN_BINDING (0x00000010U)
|
||||
#define LDAP_BACK_FCONN_TAINTED (0x00000020U)
|
||||
#define LDAP_BACK_FCONN_ISIDASR (0x00000040U)
|
||||
#define LDAP_BACK_FCONN_CACHED (0x00000080U)
|
||||
|
||||
#define LDAP_BACK_CONN_ISBOUND(lc) LDAP_BACK_CONN_ISSET((lc), LDAP_BACK_FCONN_ISBOUND)
|
||||
#define LDAP_BACK_CONN_ISBOUND_SET(lc) LDAP_BACK_CONN_SET((lc), LDAP_BACK_FCONN_ISBOUND)
|
||||
|
|
@ -84,105 +136,159 @@ typedef struct ldapconn_t {
|
|||
#define LDAP_BACK_CONN_TAINTED(lc) LDAP_BACK_CONN_ISSET((lc), LDAP_BACK_FCONN_TAINTED)
|
||||
#define LDAP_BACK_CONN_TAINTED_SET(lc) LDAP_BACK_CONN_SET((lc), LDAP_BACK_FCONN_TAINTED)
|
||||
#define LDAP_BACK_CONN_TAINTED_CLEAR(lc) LDAP_BACK_CONN_CLEAR((lc), LDAP_BACK_FCONN_TAINTED)
|
||||
#define LDAP_BACK_CONN_ISIDASSERT(lc) LDAP_BACK_CONN_ISSET((lc), LDAP_BACK_FCONN_ISIDASR)
|
||||
#define LDAP_BACK_CONN_ISIDASSERT_SET(lc) LDAP_BACK_CONN_SET((lc), LDAP_BACK_FCONN_ISIDASR)
|
||||
#define LDAP_BACK_CONN_ISIDASSERT_CLEAR(lc) LDAP_BACK_CONN_CLEAR((lc), LDAP_BACK_FCONN_ISIDASR)
|
||||
#define LDAP_BACK_CONN_ISIDASSERT_CPY(lc, mlc) LDAP_BACK_CONN_CPY((lc), LDAP_BACK_FCONN_ISIDASR, (mlc))
|
||||
#define LDAP_BACK_CONN_CACHED(lc) LDAP_BACK_CONN_ISSET((lc), LDAP_BACK_FCONN_CACHED)
|
||||
#define LDAP_BACK_CONN_CACHED_SET(lc) LDAP_BACK_CONN_SET((lc), LDAP_BACK_FCONN_CACHED)
|
||||
#define LDAP_BACK_CONN_CACHED_CLEAR(lc) LDAP_BACK_CONN_CLEAR((lc), LDAP_BACK_FCONN_CACHED)
|
||||
|
||||
unsigned lc_refcnt;
|
||||
unsigned lc_binding;
|
||||
unsigned lc_flags;
|
||||
time_t lc_create_time;
|
||||
time_t lc_time;
|
||||
|
||||
LDAP_TAILQ_ENTRY(ldapconn_t) lc_q;
|
||||
} ldapconn_t;
|
||||
|
||||
/*
|
||||
* identity assertion modes
|
||||
*/
|
||||
enum {
|
||||
LDAP_BACK_IDASSERT_LEGACY = 1,
|
||||
LDAP_BACK_IDASSERT_NOASSERT,
|
||||
LDAP_BACK_IDASSERT_ANONYMOUS,
|
||||
LDAP_BACK_IDASSERT_SELF,
|
||||
LDAP_BACK_IDASSERT_OTHERDN,
|
||||
LDAP_BACK_IDASSERT_OTHERID
|
||||
};
|
||||
|
||||
/*
|
||||
* operation enumeration for timeouts
|
||||
*/
|
||||
enum {
|
||||
LDAP_BACK_OP_ADD = 0,
|
||||
LDAP_BACK_OP_DELETE,
|
||||
LDAP_BACK_OP_MODIFY,
|
||||
LDAP_BACK_OP_MODRDN,
|
||||
LDAP_BACK_OP_LAST
|
||||
};
|
||||
|
||||
typedef struct ldap_avl_info_t {
|
||||
ldap_pvt_thread_mutex_t lai_mutex;
|
||||
Avlnode *lai_tree;
|
||||
} ldap_avl_info_t;
|
||||
|
||||
typedef struct slap_retry_info_t {
|
||||
time_t *ri_interval;
|
||||
int *ri_num;
|
||||
int ri_idx;
|
||||
int ri_count;
|
||||
time_t ri_last;
|
||||
|
||||
#define SLAP_RETRYNUM_FOREVER (-1) /* retry forever */
|
||||
#define SLAP_RETRYNUM_TAIL (-2) /* end of retrynum array */
|
||||
#define SLAP_RETRYNUM_VALID(n) ((n) >= SLAP_RETRYNUM_FOREVER) /* valid retrynum */
|
||||
#define SLAP_RETRYNUM_FINITE(n) ((n) > SLAP_RETRYNUM_FOREVER) /* not forever */
|
||||
} slap_retry_info_t;
|
||||
|
||||
/*
|
||||
* identity assertion modes
|
||||
*/
|
||||
typedef enum {
|
||||
LDAP_BACK_IDASSERT_LEGACY = 1,
|
||||
LDAP_BACK_IDASSERT_NOASSERT,
|
||||
LDAP_BACK_IDASSERT_ANONYMOUS,
|
||||
LDAP_BACK_IDASSERT_SELF,
|
||||
LDAP_BACK_IDASSERT_OTHERDN,
|
||||
LDAP_BACK_IDASSERT_OTHERID
|
||||
} slap_idassert_mode_t;
|
||||
|
||||
/* ID assert stuff */
|
||||
typedef struct slap_idassert_t {
|
||||
slap_idassert_mode_t si_mode;
|
||||
#define li_idassert_mode li_idassert.si_mode
|
||||
|
||||
slap_bindconf si_bc;
|
||||
#define li_idassert_authcID li_idassert.si_bc.sb_authcId
|
||||
#define li_idassert_authcDN li_idassert.si_bc.sb_binddn
|
||||
#define li_idassert_passwd li_idassert.si_bc.sb_cred
|
||||
#define li_idassert_authzID li_idassert.si_bc.sb_authzId
|
||||
#define li_idassert_authmethod li_idassert.si_bc.sb_method
|
||||
#define li_idassert_sasl_mech li_idassert.si_bc.sb_saslmech
|
||||
#define li_idassert_sasl_realm li_idassert.si_bc.sb_realm
|
||||
#define li_idassert_secprops li_idassert.si_bc.sb_secprops
|
||||
#define li_idassert_tls li_idassert.si_bc.sb_tls
|
||||
|
||||
unsigned si_flags;
|
||||
#define LDAP_BACK_AUTH_NONE (0x00U)
|
||||
#define LDAP_BACK_AUTH_NATIVE_AUTHZ (0x01U)
|
||||
#define LDAP_BACK_AUTH_OVERRIDE (0x02U)
|
||||
#define LDAP_BACK_AUTH_PRESCRIPTIVE (0x04U)
|
||||
#define LDAP_BACK_AUTH_OBSOLETE_PROXY_AUTHZ (0x08U)
|
||||
#define LDAP_BACK_AUTH_OBSOLETE_ENCODING_WORKAROUND (0x10U)
|
||||
#define LDAP_BACK_AUTH_AUTHZ_ALL (0x20U)
|
||||
#define li_idassert_flags li_idassert.si_flags
|
||||
|
||||
BerVarray si_authz;
|
||||
#define li_idassert_authz li_idassert.si_authz
|
||||
} slap_idassert_t;
|
||||
|
||||
/*
|
||||
* Hook to allow mucking with ldapinfo_t when quarantine is over
|
||||
*/
|
||||
typedef int (*ldap_back_quarantine_f)( struct ldapinfo_t *, void * );
|
||||
|
||||
typedef struct ldapinfo_t {
|
||||
/* li_uri: the string that goes into ldap_initialize()
|
||||
* TODO: use li_acl.sb_uri instead */
|
||||
char *li_uri;
|
||||
char *li_uri;
|
||||
/* li_bvuri: an array of each single URI that is equivalent;
|
||||
* to be checked for the presence of a certain item */
|
||||
BerVarray li_bvuri;
|
||||
BerVarray li_bvuri;
|
||||
ldap_pvt_thread_mutex_t li_uri_mutex;
|
||||
|
||||
slap_bindconf li_acl;
|
||||
#define li_acl_authcID li_acl.sb_authcId
|
||||
#define li_acl_authcDN li_acl.sb_binddn
|
||||
#define li_acl_passwd li_acl.sb_cred
|
||||
#define li_acl_authzID li_acl.sb_authzId
|
||||
LDAP_REBIND_PROC *li_rebind_f;
|
||||
void *li_urllist_p;
|
||||
|
||||
slap_bindconf li_acl;
|
||||
#define li_acl_authcID li_acl.sb_authcId
|
||||
#define li_acl_authcDN li_acl.sb_binddn
|
||||
#define li_acl_passwd li_acl.sb_cred
|
||||
#define li_acl_authzID li_acl.sb_authzId
|
||||
#define li_acl_authmethod li_acl.sb_method
|
||||
#define li_acl_sasl_mech li_acl.sb_saslmech
|
||||
#define li_acl_sasl_realm li_acl.sb_realm
|
||||
#define li_acl_secprops li_acl.sb_secprops
|
||||
#define li_acl_secprops li_acl.sb_secprops
|
||||
|
||||
/* ID assert stuff */
|
||||
int li_idassert_mode;
|
||||
|
||||
slap_bindconf li_idassert;
|
||||
#define li_idassert_authcID li_idassert.sb_authcId
|
||||
#define li_idassert_authcDN li_idassert.sb_binddn
|
||||
#define li_idassert_passwd li_idassert.sb_cred
|
||||
#define li_idassert_authzID li_idassert.sb_authzId
|
||||
#define li_idassert_authmethod li_idassert.sb_method
|
||||
#define li_idassert_sasl_mech li_idassert.sb_saslmech
|
||||
#define li_idassert_sasl_realm li_idassert.sb_realm
|
||||
#define li_idassert_secprops li_idassert.sb_secprops
|
||||
|
||||
unsigned li_idassert_flags;
|
||||
#define LDAP_BACK_AUTH_NONE 0x00U
|
||||
#define LDAP_BACK_AUTH_NATIVE_AUTHZ 0x01U
|
||||
#define LDAP_BACK_AUTH_OVERRIDE 0x02U
|
||||
#define LDAP_BACK_AUTH_PRESCRIPTIVE 0x04U
|
||||
|
||||
BerVarray li_idassert_authz;
|
||||
slap_idassert_t li_idassert;
|
||||
/* end of ID assert stuff */
|
||||
|
||||
int li_nretries;
|
||||
int li_nretries;
|
||||
#define LDAP_BACK_RETRY_UNDEFINED (-2)
|
||||
#define LDAP_BACK_RETRY_FOREVER (-1)
|
||||
#define LDAP_BACK_RETRY_NEVER (0)
|
||||
#define LDAP_BACK_RETRY_DEFAULT (3)
|
||||
|
||||
unsigned li_flags;
|
||||
#define LDAP_BACK_F_NONE 0x00U
|
||||
#define LDAP_BACK_F_SAVECRED 0x01U
|
||||
#define LDAP_BACK_F_USE_TLS 0x02U
|
||||
#define LDAP_BACK_F_PROPAGATE_TLS 0x04U
|
||||
#define LDAP_BACK_F_TLS_CRITICAL 0x08U
|
||||
unsigned li_flags;
|
||||
|
||||
/* 0xFFF00000U are reserved for back-meta */
|
||||
|
||||
#define LDAP_BACK_F_NONE (0x00000000U)
|
||||
#define LDAP_BACK_F_SAVECRED (0x00000001U)
|
||||
#define LDAP_BACK_F_USE_TLS (0x00000002U)
|
||||
#define LDAP_BACK_F_PROPAGATE_TLS (0x00000004U)
|
||||
#define LDAP_BACK_F_TLS_CRITICAL (0x00000008U)
|
||||
#define LDAP_BACK_F_TLS_USE_MASK (LDAP_BACK_F_USE_TLS|LDAP_BACK_F_TLS_CRITICAL)
|
||||
#define LDAP_BACK_F_TLS_PROPAGATE_MASK (LDAP_BACK_F_PROPAGATE_TLS|LDAP_BACK_F_TLS_CRITICAL)
|
||||
#define LDAP_BACK_F_TLS_MASK (LDAP_BACK_F_TLS_USE_MASK|LDAP_BACK_F_TLS_PROPAGATE_MASK)
|
||||
#define LDAP_BACK_F_CHASE_REFERRALS 0x10U
|
||||
#define LDAP_BACK_F_PROXY_WHOAMI 0x20U
|
||||
#define LDAP_BACK_F_CHASE_REFERRALS (0x00000010U)
|
||||
#define LDAP_BACK_F_PROXY_WHOAMI (0x00000020U)
|
||||
|
||||
#define LDAP_BACK_F_SUPPORT_T_F 0x80U
|
||||
#define LDAP_BACK_F_SUPPORT_T_F_DISCOVER 0x40U
|
||||
#define LDAP_BACK_F_SUPPORT_T_F_MASK (LDAP_BACK_F_SUPPORT_T_F|LDAP_BACK_F_SUPPORT_T_F_DISCOVER)
|
||||
#define LDAP_BACK_F_T_F (0x00000040U)
|
||||
#define LDAP_BACK_F_T_F_DISCOVER (0x00000080U)
|
||||
#define LDAP_BACK_F_T_F_MASK (LDAP_BACK_F_T_F)
|
||||
#define LDAP_BACK_F_T_F_MASK2 (LDAP_BACK_F_T_F_MASK|LDAP_BACK_F_T_F_DISCOVER)
|
||||
|
||||
#define LDAP_BACK_F_MONITOR (0x00000100U)
|
||||
#define LDAP_BACK_F_SINGLECONN (0x00000200U)
|
||||
#define LDAP_BACK_F_USE_TEMPORARIES (0x00000400U)
|
||||
|
||||
#define LDAP_BACK_F_ISOPEN (0x00000800U)
|
||||
|
||||
#define LDAP_BACK_F_CANCEL_ABANDON (0x00000000U)
|
||||
#define LDAP_BACK_F_CANCEL_IGNORE (0x00001000U)
|
||||
#define LDAP_BACK_F_CANCEL_EXOP (0x00002000U)
|
||||
#define LDAP_BACK_F_CANCEL_EXOP_DISCOVER (0x00004000U)
|
||||
#define LDAP_BACK_F_CANCEL_MASK (LDAP_BACK_F_CANCEL_IGNORE|LDAP_BACK_F_CANCEL_EXOP)
|
||||
#define LDAP_BACK_F_CANCEL_MASK2 (LDAP_BACK_F_CANCEL_MASK|LDAP_BACK_F_CANCEL_EXOP_DISCOVER)
|
||||
|
||||
#define LDAP_BACK_ISSET_F(ff,f) ( ( (ff) & (f) ) == (f) )
|
||||
#define LDAP_BACK_ISMASK_F(ff,m,f) ( ( (ff) & (m) ) == (f) )
|
||||
|
||||
#define LDAP_BACK_ISSET(li,f) LDAP_BACK_ISSET_F( (li)->li_flags, (f) )
|
||||
#define LDAP_BACK_ISMASK(li,m,f) LDAP_BACK_ISMASK_F( (li)->li_flags, (m), (f) )
|
||||
|
||||
#define LDAP_BACK_ISSET(li,f) ( ( (li)->li_flags & (f) ) == (f) )
|
||||
#define LDAP_BACK_SAVECRED(li) LDAP_BACK_ISSET( (li), LDAP_BACK_F_SAVECRED )
|
||||
#define LDAP_BACK_USE_TLS(li) LDAP_BACK_ISSET( (li), LDAP_BACK_F_USE_TLS )
|
||||
#define LDAP_BACK_PROPAGATE_TLS(li) LDAP_BACK_ISSET( (li), LDAP_BACK_F_PROPAGATE_TLS )
|
||||
|
|
@ -190,14 +296,55 @@ typedef struct ldapinfo_t {
|
|||
#define LDAP_BACK_CHASE_REFERRALS(li) LDAP_BACK_ISSET( (li), LDAP_BACK_F_CHASE_REFERRALS )
|
||||
#define LDAP_BACK_PROXY_WHOAMI(li) LDAP_BACK_ISSET( (li), LDAP_BACK_F_PROXY_WHOAMI )
|
||||
|
||||
int li_version;
|
||||
#define LDAP_BACK_USE_TLS_F(ff) LDAP_BACK_ISSET_F( (ff), LDAP_BACK_F_USE_TLS )
|
||||
#define LDAP_BACK_PROPAGATE_TLS_F(ff) LDAP_BACK_ISSET_F( (ff), LDAP_BACK_F_PROPAGATE_TLS )
|
||||
#define LDAP_BACK_TLS_CRITICAL_F(ff) LDAP_BACK_ISSET_F( (ff), LDAP_BACK_F_TLS_CRITICAL )
|
||||
|
||||
ldap_avl_info_t li_conninfo;
|
||||
#define LDAP_BACK_T_F(li) LDAP_BACK_ISMASK( (li), LDAP_BACK_F_T_F_MASK, LDAP_BACK_F_T_F )
|
||||
#define LDAP_BACK_T_F_DISCOVER(li) LDAP_BACK_ISMASK( (li), LDAP_BACK_F_T_F_MASK2, LDAP_BACK_F_T_F_DISCOVER )
|
||||
|
||||
time_t li_network_timeout;
|
||||
time_t li_conn_ttl;
|
||||
time_t li_idle_timeout;
|
||||
time_t li_timeout[ LDAP_BACK_OP_LAST ];
|
||||
#define LDAP_BACK_MONITOR(li) LDAP_BACK_ISSET( (li), LDAP_BACK_F_MONITOR )
|
||||
#define LDAP_BACK_SINGLECONN(li) LDAP_BACK_ISSET( (li), LDAP_BACK_F_SINGLECONN )
|
||||
#define LDAP_BACK_USE_TEMPORARIES(li) LDAP_BACK_ISSET( (li), LDAP_BACK_F_USE_TEMPORARIES)
|
||||
|
||||
#define LDAP_BACK_ISOPEN(li) LDAP_BACK_ISSET( (li), LDAP_BACK_F_ISOPEN )
|
||||
|
||||
#define LDAP_BACK_ABANDON(li) LDAP_BACK_ISMASK( (li), LDAP_BACK_F_CANCEL_MASK, LDAP_BACK_F_CANCEL_ABANDON )
|
||||
#define LDAP_BACK_IGNORE(li) LDAP_BACK_ISMASK( (li), LDAP_BACK_F_CANCEL_MASK, LDAP_BACK_F_CANCEL_IGNORE )
|
||||
#define LDAP_BACK_CANCEL(li) LDAP_BACK_ISMASK( (li), LDAP_BACK_F_CANCEL_MASK, LDAP_BACK_F_CANCEL_EXOP )
|
||||
#define LDAP_BACK_CANCEL_DISCOVER(li) LDAP_BACK_ISMASK( (li), LDAP_BACK_F_CANCEL_MASK2, LDAP_BACK_F_CANCEL_EXOP_DISCOVER )
|
||||
|
||||
int li_version;
|
||||
|
||||
/* cached connections;
|
||||
* special conns are in tailq rather than in tree */
|
||||
ldap_avl_info_t li_conninfo;
|
||||
struct {
|
||||
int lic_num;
|
||||
LDAP_TAILQ_HEAD(lc_conn_priv_q, ldapconn_t) lic_priv;
|
||||
} li_conn_priv[ LDAP_BACK_PCONN_LAST ];
|
||||
int li_conn_priv_max;
|
||||
#define LDAP_BACK_CONN_PRIV_MIN (1)
|
||||
#define LDAP_BACK_CONN_PRIV_MAX (256)
|
||||
/* must be between LDAP_BACK_CONN_PRIV_MIN
|
||||
* and LDAP_BACK_CONN_PRIV_MAX ! */
|
||||
#define LDAP_BACK_CONN_PRIV_DEFAULT (16)
|
||||
|
||||
sig_atomic_t li_isquarantined;
|
||||
#define LDAP_BACK_FQ_NO (0)
|
||||
#define LDAP_BACK_FQ_YES (1)
|
||||
#define LDAP_BACK_FQ_RETRYING (2)
|
||||
|
||||
slap_retry_info_t li_quarantine;
|
||||
#define LDAP_BACK_QUARANTINE(li) ( (li)->li_quarantine.ri_num != NULL )
|
||||
ldap_pvt_thread_mutex_t li_quarantine_mutex;
|
||||
ldap_back_quarantine_f li_quarantine_f;
|
||||
void *li_quarantine_p;
|
||||
|
||||
time_t li_network_timeout;
|
||||
time_t li_conn_ttl;
|
||||
time_t li_idle_timeout;
|
||||
time_t li_timeout[ SLAP_OP_LAST ];
|
||||
} ldapinfo_t;
|
||||
|
||||
typedef enum ldap_back_send_t {
|
||||
|
|
@ -206,10 +353,19 @@ typedef enum ldap_back_send_t {
|
|||
LDAP_BACK_SENDERR = 0x02,
|
||||
LDAP_BACK_SENDRESULT = (LDAP_BACK_SENDOK|LDAP_BACK_SENDERR),
|
||||
LDAP_BACK_BINDING = 0x04,
|
||||
|
||||
LDAP_BACK_BIND_DONTSEND = (LDAP_BACK_BINDING),
|
||||
LDAP_BACK_BIND_SOK = (LDAP_BACK_BINDING|LDAP_BACK_SENDOK),
|
||||
LDAP_BACK_BIND_SERR = (LDAP_BACK_BINDING|LDAP_BACK_SENDERR),
|
||||
LDAP_BACK_BIND_SRES = (LDAP_BACK_BINDING|LDAP_BACK_SENDRESULT)
|
||||
LDAP_BACK_BIND_SRES = (LDAP_BACK_BINDING|LDAP_BACK_SENDRESULT),
|
||||
|
||||
LDAP_BACK_RETRYING = 0x08,
|
||||
LDAP_BACK_RETRY_DONTSEND = (LDAP_BACK_RETRYING),
|
||||
LDAP_BACK_RETRY_SOK = (LDAP_BACK_RETRYING|LDAP_BACK_SENDOK),
|
||||
LDAP_BACK_RETRY_SERR = (LDAP_BACK_RETRYING|LDAP_BACK_SENDERR),
|
||||
LDAP_BACK_RETRY_SRES = (LDAP_BACK_RETRYING|LDAP_BACK_SENDRESULT),
|
||||
|
||||
LDAP_BACK_GETCONN = 0x10
|
||||
} ldap_back_send_t;
|
||||
|
||||
/* define to use asynchronous StartTLS */
|
||||
|
|
@ -224,6 +380,10 @@ typedef enum ldap_back_send_t {
|
|||
(tv)->tv_usec = LDAP_BACK_RESULT_UTIMEOUT; \
|
||||
} while ( 0 )
|
||||
|
||||
#ifndef LDAP_BACK_PRINT_CONNTREE
|
||||
#define LDAP_BACK_PRINT_CONNTREE 0
|
||||
#endif /* !LDAP_BACK_PRINT_CONNTREE */
|
||||
|
||||
LDAP_END_DECL
|
||||
|
||||
#include "proto-ldap.h"
|
||||
|
|
|
|||
File diff suppressed because it is too large
Load diff
File diff suppressed because it is too large
Load diff
|
|
@ -36,21 +36,23 @@ ldap_back_compare(
|
|||
Operation *op,
|
||||
SlapReply *rs )
|
||||
{
|
||||
ldapconn_t *lc;
|
||||
ber_int_t msgid;
|
||||
int do_retry = 1;
|
||||
LDAPControl **ctrls = NULL;
|
||||
int rc = LDAP_SUCCESS;
|
||||
ldapinfo_t *li = (ldapinfo_t *)op->o_bd->be_private;
|
||||
|
||||
lc = ldap_back_getconn( op, rs, LDAP_BACK_SENDERR );
|
||||
if ( !lc || !ldap_back_dobind( lc, op, rs, LDAP_BACK_SENDERR ) ) {
|
||||
ldapconn_t *lc = NULL;
|
||||
ber_int_t msgid;
|
||||
ldap_back_send_t retrying = LDAP_BACK_RETRYING;
|
||||
LDAPControl **ctrls = NULL;
|
||||
int rc = LDAP_SUCCESS;
|
||||
|
||||
if ( !ldap_back_dobind( &lc, op, rs, LDAP_BACK_SENDERR ) ) {
|
||||
lc = NULL;
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
retry:
|
||||
ctrls = op->o_ctrls;
|
||||
rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls );
|
||||
rc = ldap_back_proxy_authz_ctrl( &lc->lc_bound_ndn,
|
||||
li->li_version, &li->li_idassert, op, rs, &ctrls );
|
||||
if ( rc != LDAP_SUCCESS ) {
|
||||
send_ldap_result( op, rs );
|
||||
goto cleanup;
|
||||
|
|
@ -60,9 +62,11 @@ retry:
|
|||
op->orc_ava->aa_desc->ad_cname.bv_val,
|
||||
&op->orc_ava->aa_value,
|
||||
ctrls, NULL, &msgid );
|
||||
rc = ldap_back_op_result( lc, op, rs, msgid, 0, LDAP_BACK_SENDRESULT );
|
||||
if ( rc == LDAP_UNAVAILABLE && do_retry ) {
|
||||
do_retry = 0;
|
||||
rc = ldap_back_op_result( lc, op, rs, msgid,
|
||||
li->li_timeout[ SLAP_OP_COMPARE ],
|
||||
( LDAP_BACK_SENDRESULT | retrying ) );
|
||||
if ( rc == LDAP_UNAVAILABLE && retrying ) {
|
||||
retrying &= ~LDAP_BACK_RETRYING;
|
||||
if ( ldap_back_retry( &lc, op, rs, LDAP_BACK_SENDERR ) ) {
|
||||
/* if the identity changed, there might be need to re-authz */
|
||||
(void)ldap_back_proxy_authz_ctrl_free( op, &ctrls );
|
||||
|
|
|
|||
File diff suppressed because it is too large
Load diff
|
|
@ -38,21 +38,20 @@ ldap_back_delete(
|
|||
{
|
||||
ldapinfo_t *li = (ldapinfo_t *)op->o_bd->be_private;
|
||||
|
||||
ldapconn_t *lc;
|
||||
ber_int_t msgid;
|
||||
LDAPControl **ctrls = NULL;
|
||||
int do_retry = 1;
|
||||
int rc = LDAP_SUCCESS;
|
||||
ldapconn_t *lc = NULL;
|
||||
ber_int_t msgid;
|
||||
LDAPControl **ctrls = NULL;
|
||||
ldap_back_send_t retrying = LDAP_BACK_RETRYING;
|
||||
int rc = LDAP_SUCCESS;
|
||||
|
||||
lc = ldap_back_getconn( op, rs, LDAP_BACK_SENDERR );
|
||||
|
||||
if ( !lc || !ldap_back_dobind( lc, op, rs, LDAP_BACK_SENDERR ) ) {
|
||||
if ( !ldap_back_dobind( &lc, op, rs, LDAP_BACK_SENDERR ) ) {
|
||||
return rs->sr_err;
|
||||
}
|
||||
|
||||
retry:
|
||||
ctrls = op->o_ctrls;
|
||||
rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls );
|
||||
rc = ldap_back_proxy_authz_ctrl( &lc->lc_bound_ndn,
|
||||
li->li_version, &li->li_idassert, op, rs, &ctrls );
|
||||
if ( rc != LDAP_SUCCESS ) {
|
||||
send_ldap_result( op, rs );
|
||||
rc = rs->sr_err;
|
||||
|
|
@ -62,9 +61,10 @@ retry:
|
|||
rs->sr_err = ldap_delete_ext( lc->lc_ld, op->o_req_dn.bv_val,
|
||||
ctrls, NULL, &msgid );
|
||||
rc = ldap_back_op_result( lc, op, rs, msgid,
|
||||
li->li_timeout[ LDAP_BACK_OP_DELETE], LDAP_BACK_SENDRESULT );
|
||||
if ( rs->sr_err == LDAP_SERVER_DOWN && do_retry ) {
|
||||
do_retry = 0;
|
||||
li->li_timeout[ SLAP_OP_DELETE ],
|
||||
( LDAP_BACK_SENDRESULT | retrying ) );
|
||||
if ( rs->sr_err == LDAP_SERVER_DOWN && retrying ) {
|
||||
retrying &= ~LDAP_BACK_RETRYING;
|
||||
if ( ldap_back_retry( &lc, op, rs, LDAP_BACK_SENDERR ) ) {
|
||||
/* if the identity changed, there might be need to re-authz */
|
||||
(void)ldap_back_proxy_authz_ctrl_free( op, &ctrls );
|
||||
|
|
|
|||
|
|
@ -42,7 +42,9 @@ static struct exop {
|
|||
static int
|
||||
ldap_back_extended_one( Operation *op, SlapReply *rs, BI_op_extended exop )
|
||||
{
|
||||
ldapconn_t *lc;
|
||||
ldapinfo_t *li = (ldapinfo_t *) op->o_bd->be_private;
|
||||
|
||||
ldapconn_t *lc = NULL;
|
||||
LDAPControl **oldctrls = NULL;
|
||||
int rc;
|
||||
|
||||
|
|
@ -50,13 +52,14 @@ ldap_back_extended_one( Operation *op, SlapReply *rs, BI_op_extended exop )
|
|||
* called twice; maybe we could avoid the
|
||||
* ldap_back_dobind() call inside each extended()
|
||||
* call ... */
|
||||
lc = ldap_back_getconn( op, rs, LDAP_BACK_SENDERR );
|
||||
if ( !lc || !ldap_back_dobind( lc, op, rs, LDAP_BACK_SENDERR ) ) {
|
||||
if ( !ldap_back_dobind( &lc, op, rs, LDAP_BACK_SENDERR ) ) {
|
||||
return -1;
|
||||
}
|
||||
|
||||
oldctrls = op->o_ctrls;
|
||||
if ( ldap_back_proxy_authz_ctrl( lc, op, rs, &op->o_ctrls ) ) {
|
||||
if ( ldap_back_proxy_authz_ctrl( &lc->lc_bound_ndn,
|
||||
li->li_version, &li->li_idassert, op, rs, &op->o_ctrls ) )
|
||||
{
|
||||
op->o_ctrls = oldctrls;
|
||||
send_ldap_extended( op, rs );
|
||||
rs->sr_text = NULL;
|
||||
|
|
@ -106,7 +109,9 @@ ldap_back_exop_passwd(
|
|||
Operation *op,
|
||||
SlapReply *rs )
|
||||
{
|
||||
ldapconn_t *lc;
|
||||
ldapinfo_t *li = (ldapinfo_t *) op->o_bd->be_private;
|
||||
|
||||
ldapconn_t *lc = NULL;
|
||||
req_pwdexop_s *qpw = &op->oq_pwdexop;
|
||||
LDAPMessage *res;
|
||||
ber_int_t msgid;
|
||||
|
|
@ -114,8 +119,7 @@ ldap_back_exop_passwd(
|
|||
int do_retry = 1;
|
||||
char *text = NULL;
|
||||
|
||||
lc = ldap_back_getconn( op, rs, LDAP_BACK_SENDERR );
|
||||
if ( !lc || !ldap_back_dobind( lc, op, rs, LDAP_BACK_SENDERR ) ) {
|
||||
if ( !ldap_back_dobind( &lc, op, rs, LDAP_BACK_SENDERR ) ) {
|
||||
return -1;
|
||||
}
|
||||
|
||||
|
|
@ -136,6 +140,11 @@ retry:
|
|||
rs->sr_err = rc;
|
||||
|
||||
} else {
|
||||
/* only touch when activity actually took place... */
|
||||
if ( li->li_idle_timeout && lc ) {
|
||||
lc->lc_time = op->o_time;
|
||||
}
|
||||
|
||||
/* sigh. parse twice, because parse_passwd
|
||||
* doesn't give us the err / match / msg info.
|
||||
*/
|
||||
|
|
@ -191,10 +200,18 @@ retry:
|
|||
goto retry;
|
||||
}
|
||||
}
|
||||
|
||||
if ( LDAP_BACK_QUARANTINE( li ) ) {
|
||||
ldap_back_quarantine( op, rs );
|
||||
}
|
||||
|
||||
if ( text ) rs->sr_text = text;
|
||||
send_ldap_extended( op, rs );
|
||||
/* otherwise frontend resends result */
|
||||
rc = rs->sr_err = SLAPD_ABANDON;
|
||||
|
||||
} else if ( LDAP_BACK_QUARANTINE( li ) ) {
|
||||
ldap_back_quarantine( op, rs );
|
||||
}
|
||||
|
||||
/* these have to be freed anyway... */
|
||||
|
|
@ -220,15 +237,16 @@ ldap_back_exop_generic(
|
|||
Operation *op,
|
||||
SlapReply *rs )
|
||||
{
|
||||
ldapconn_t *lc;
|
||||
ldapinfo_t *li = (ldapinfo_t *) op->o_bd->be_private;
|
||||
|
||||
ldapconn_t *lc = NULL;
|
||||
LDAPMessage *res;
|
||||
ber_int_t msgid;
|
||||
int rc;
|
||||
int do_retry = 1;
|
||||
char *text = NULL;
|
||||
|
||||
lc = ldap_back_getconn( op, rs, LDAP_BACK_SENDERR );
|
||||
if ( !lc || !ldap_back_dobind( lc, op, rs, LDAP_BACK_SENDERR ) ) {
|
||||
if ( !ldap_back_dobind( &lc, op, rs, LDAP_BACK_SENDERR ) ) {
|
||||
return -1;
|
||||
}
|
||||
|
||||
|
|
@ -246,6 +264,11 @@ retry:
|
|||
rs->sr_err = rc;
|
||||
|
||||
} else {
|
||||
/* only touch when activity actually took place... */
|
||||
if ( li->li_idle_timeout && lc ) {
|
||||
lc->lc_time = op->o_time;
|
||||
}
|
||||
|
||||
/* sigh. parse twice, because parse_passwd
|
||||
* doesn't give us the err / match / msg info.
|
||||
*/
|
||||
|
|
@ -287,10 +310,18 @@ retry:
|
|||
goto retry;
|
||||
}
|
||||
}
|
||||
|
||||
if ( LDAP_BACK_QUARANTINE( li ) ) {
|
||||
ldap_back_quarantine( op, rs );
|
||||
}
|
||||
|
||||
if ( text ) rs->sr_text = text;
|
||||
send_ldap_extended( op, rs );
|
||||
/* otherwise frontend resends result */
|
||||
rc = rs->sr_err = SLAPD_ABANDON;
|
||||
|
||||
} else if ( LDAP_BACK_QUARANTINE( li ) ) {
|
||||
ldap_back_quarantine( op, rs );
|
||||
}
|
||||
|
||||
/* these have to be freed anyway... */
|
||||
|
|
|
|||
|
|
@ -81,12 +81,16 @@ int
|
|||
ldap_back_db_init( Backend *be )
|
||||
{
|
||||
ldapinfo_t *li;
|
||||
unsigned i;
|
||||
|
||||
li = (ldapinfo_t *)ch_calloc( 1, sizeof( ldapinfo_t ) );
|
||||
if ( li == NULL ) {
|
||||
return -1;
|
||||
}
|
||||
|
||||
li->li_rebind_f = ldap_back_default_rebind;
|
||||
ldap_pvt_thread_mutex_init( &li->li_uri_mutex );
|
||||
|
||||
BER_BVZERO( &li->li_acl_authcID );
|
||||
BER_BVZERO( &li->li_acl_authcDN );
|
||||
BER_BVZERO( &li->li_acl_passwd );
|
||||
|
|
@ -105,7 +109,7 @@ ldap_back_db_init( Backend *be )
|
|||
|
||||
li->li_idassert_authmethod = LDAP_AUTH_NONE;
|
||||
BER_BVZERO( &li->li_idassert_sasl_mech );
|
||||
li->li_idassert.sb_tls = SB_TLS_DEFAULT;
|
||||
li->li_idassert_tls = SB_TLS_DEFAULT;
|
||||
|
||||
/* by default, use proxyAuthz control on each operation */
|
||||
li->li_idassert_flags = LDAP_BACK_AUTH_PRESCRIPTIVE;
|
||||
|
|
@ -120,6 +124,12 @@ ldap_back_db_init( Backend *be )
|
|||
|
||||
ldap_pvt_thread_mutex_init( &li->li_conninfo.lai_mutex );
|
||||
|
||||
for ( i = LDAP_BACK_PCONN_FIRST; i < LDAP_BACK_PCONN_LAST; i++ ) {
|
||||
li->li_conn_priv[ i ].lic_num = 0;
|
||||
LDAP_TAILQ_INIT( &li->li_conn_priv[ i ].lic_priv );
|
||||
}
|
||||
li->li_conn_priv_max = LDAP_BACK_CONN_PRIV_DEFAULT;
|
||||
|
||||
be->be_private = li;
|
||||
SLAP_DBFLAGS( be ) |= SLAP_DBFLAG_NOLASTMOD;
|
||||
|
||||
|
|
@ -150,48 +160,30 @@ ldap_back_db_open( BackendDB *be )
|
|||
break;
|
||||
}
|
||||
|
||||
#if 0 && defined(SLAPD_MONITOR)
|
||||
{
|
||||
/* FIXME: disabled because namingContexts doesn't have
|
||||
* a matching rule, and using an MRA filter doesn't work
|
||||
* because the normalized assertion is compared to the
|
||||
* non-normalized value, which in general differs from
|
||||
* the normalized one. See ITS#3406 */
|
||||
struct berval filter,
|
||||
base = BER_BVC( "cn=Databases," SLAPD_MONITOR );
|
||||
Attribute a = { 0 };
|
||||
|
||||
filter.bv_len = STRLENOF( "(&(namingContexts:distinguishedNameMatch:=)(monitoredInfo=ldap))" )
|
||||
+ be->be_nsuffix[ 0 ].bv_len;
|
||||
filter.bv_val = ch_malloc( filter.bv_len + 1 );
|
||||
snprintf( filter.bv_val, filter.bv_len + 1,
|
||||
"(&(namingContexts:distinguishedNameMatch:=%s)(monitoredInfo=ldap))",
|
||||
be->be_nsuffix[ 0 ].bv_val );
|
||||
|
||||
a.a_desc = slap_schema.si_ad_labeledURI;
|
||||
a.a_vals = li->li_bvuri;
|
||||
a.a_nvals = li->li_bvuri;
|
||||
if ( monitor_back_register_entry_attrs( NULL, &a, NULL, &base, LDAP_SCOPE_SUBTREE, &filter ) ) {
|
||||
/* error */
|
||||
}
|
||||
|
||||
ch_free( filter.bv_val );
|
||||
}
|
||||
#endif /* SLAPD_MONITOR */
|
||||
|
||||
if ( li->li_flags & LDAP_BACK_F_SUPPORT_T_F_DISCOVER ) {
|
||||
if ( LDAP_BACK_T_F_DISCOVER( li ) && !LDAP_BACK_T_F( li ) ) {
|
||||
int rc;
|
||||
|
||||
li->li_flags &= ~LDAP_BACK_F_SUPPORT_T_F_DISCOVER;
|
||||
|
||||
rc = slap_discover_feature( li->li_uri, li->li_version,
|
||||
slap_schema.si_ad_supportedFeatures->ad_cname.bv_val,
|
||||
LDAP_FEATURE_ABSOLUTE_FILTERS );
|
||||
if ( rc == LDAP_COMPARE_TRUE ) {
|
||||
li->li_flags |= LDAP_BACK_F_SUPPORT_T_F;
|
||||
li->li_flags |= LDAP_BACK_F_T_F;
|
||||
}
|
||||
}
|
||||
|
||||
if ( LDAP_BACK_CANCEL_DISCOVER( li ) && !LDAP_BACK_CANCEL( li ) ) {
|
||||
int rc;
|
||||
|
||||
rc = slap_discover_feature( li->li_uri, li->li_version,
|
||||
slap_schema.si_ad_supportedExtension->ad_cname.bv_val,
|
||||
LDAP_EXOP_CANCEL );
|
||||
if ( rc == LDAP_COMPARE_TRUE ) {
|
||||
li->li_flags |= LDAP_BACK_F_CANCEL_EXOP;
|
||||
}
|
||||
}
|
||||
|
||||
li->li_flags |= LDAP_BACK_F_ISOPEN;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
|
@ -213,16 +205,17 @@ ldap_back_conn_free( void *v_lc )
|
|||
if ( !BER_BVISNULL( &lc->lc_local_ndn ) ) {
|
||||
ch_free( lc->lc_local_ndn.bv_val );
|
||||
}
|
||||
lc->lc_q.tqe_prev = NULL;
|
||||
lc->lc_q.tqe_next = NULL;
|
||||
ch_free( lc );
|
||||
}
|
||||
|
||||
int
|
||||
ldap_back_db_destroy(
|
||||
Backend *be
|
||||
)
|
||||
ldap_back_db_destroy( Backend *be )
|
||||
{
|
||||
if ( be->be_private ) {
|
||||
ldapinfo_t *li = ( ldapinfo_t * )be->be_private;
|
||||
unsigned i;
|
||||
|
||||
ldap_pvt_thread_mutex_lock( &li->li_conninfo.lai_mutex );
|
||||
|
||||
|
|
@ -285,9 +278,22 @@ ldap_back_db_destroy(
|
|||
if ( li->li_conninfo.lai_tree ) {
|
||||
avl_free( li->li_conninfo.lai_tree, ldap_back_conn_free );
|
||||
}
|
||||
for ( i = LDAP_BACK_PCONN_FIRST; i < LDAP_BACK_PCONN_LAST; i++ ) {
|
||||
while ( !LDAP_TAILQ_EMPTY( &li->li_conn_priv[ i ].lic_priv ) ) {
|
||||
ldapconn_t *lc = LDAP_TAILQ_FIRST( &li->li_conn_priv[ i ].lic_priv );
|
||||
|
||||
LDAP_TAILQ_REMOVE( &li->li_conn_priv[ i ].lic_priv, lc, lc_q );
|
||||
ldap_back_conn_free( lc );
|
||||
}
|
||||
}
|
||||
if ( LDAP_BACK_QUARANTINE( li ) ) {
|
||||
slap_retry_info_destroy( &li->li_quarantine );
|
||||
ldap_pvt_thread_mutex_destroy( &li->li_quarantine_mutex );
|
||||
}
|
||||
|
||||
ldap_pvt_thread_mutex_unlock( &li->li_conninfo.lai_mutex );
|
||||
ldap_pvt_thread_mutex_destroy( &li->li_conninfo.lai_mutex );
|
||||
ldap_pvt_thread_mutex_destroy( &li->li_uri_mutex );
|
||||
}
|
||||
|
||||
ch_free( be->be_private );
|
||||
|
|
|
|||
|
|
@ -36,20 +36,19 @@ ldap_back_modify(
|
|||
Operation *op,
|
||||
SlapReply *rs )
|
||||
{
|
||||
ldapinfo_t *li = (ldapinfo_t *)op->o_bd->be_private;
|
||||
ldapinfo_t *li = (ldapinfo_t *)op->o_bd->be_private;
|
||||
|
||||
ldapconn_t *lc;
|
||||
LDAPMod **modv = NULL,
|
||||
*mods = NULL;
|
||||
Modifications *ml;
|
||||
int i, j, rc;
|
||||
ber_int_t msgid;
|
||||
int isupdate;
|
||||
int do_retry = 1;
|
||||
LDAPControl **ctrls = NULL;
|
||||
ldapconn_t *lc = NULL;
|
||||
LDAPMod **modv = NULL,
|
||||
*mods = NULL;
|
||||
Modifications *ml;
|
||||
int i, j, rc;
|
||||
ber_int_t msgid;
|
||||
int isupdate;
|
||||
ldap_back_send_t retrying = LDAP_BACK_RETRYING;
|
||||
LDAPControl **ctrls = NULL;
|
||||
|
||||
lc = ldap_back_getconn( op, rs, LDAP_BACK_SENDERR );
|
||||
if ( !lc || !ldap_back_dobind( lc, op, rs, LDAP_BACK_SENDERR ) ) {
|
||||
if ( !ldap_back_dobind( &lc, op, rs, LDAP_BACK_SENDERR ) ) {
|
||||
return rs->sr_err;
|
||||
}
|
||||
|
||||
|
|
@ -100,7 +99,8 @@ ldap_back_modify(
|
|||
|
||||
retry:;
|
||||
ctrls = op->o_ctrls;
|
||||
rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls );
|
||||
rc = ldap_back_proxy_authz_ctrl( &lc->lc_bound_ndn,
|
||||
li->li_version, &li->li_idassert, op, rs, &ctrls );
|
||||
if ( rc != LDAP_SUCCESS ) {
|
||||
send_ldap_result( op, rs );
|
||||
rc = -1;
|
||||
|
|
@ -110,9 +110,10 @@ retry:;
|
|||
rs->sr_err = ldap_modify_ext( lc->lc_ld, op->o_req_dn.bv_val, modv,
|
||||
ctrls, NULL, &msgid );
|
||||
rc = ldap_back_op_result( lc, op, rs, msgid,
|
||||
li->li_timeout[ LDAP_BACK_OP_MODIFY], LDAP_BACK_SENDRESULT );
|
||||
if ( rs->sr_err == LDAP_UNAVAILABLE && do_retry ) {
|
||||
do_retry = 0;
|
||||
li->li_timeout[ SLAP_OP_MODIFY ],
|
||||
( LDAP_BACK_SENDRESULT | retrying ) );
|
||||
if ( rs->sr_err == LDAP_UNAVAILABLE && retrying ) {
|
||||
retrying &= ~LDAP_BACK_RETRYING;
|
||||
if ( ldap_back_retry( &lc, op, rs, LDAP_BACK_SENDERR ) ) {
|
||||
/* if the identity changed, there might be need to re-authz */
|
||||
(void)ldap_back_proxy_authz_ctrl_free( op, &ctrls );
|
||||
|
|
|
|||
|
|
@ -36,17 +36,16 @@ ldap_back_modrdn(
|
|||
Operation *op,
|
||||
SlapReply *rs )
|
||||
{
|
||||
ldapinfo_t *li = (ldapinfo_t *)op->o_bd->be_private;
|
||||
ldapinfo_t *li = (ldapinfo_t *)op->o_bd->be_private;
|
||||
|
||||
ldapconn_t *lc;
|
||||
ber_int_t msgid;
|
||||
LDAPControl **ctrls = NULL;
|
||||
int do_retry = 1;
|
||||
int rc = LDAP_SUCCESS;
|
||||
char *newSup = NULL;
|
||||
ldapconn_t *lc = NULL;
|
||||
ber_int_t msgid;
|
||||
LDAPControl **ctrls = NULL;
|
||||
ldap_back_send_t retrying = LDAP_BACK_RETRYING;
|
||||
int rc = LDAP_SUCCESS;
|
||||
char *newSup = NULL;
|
||||
|
||||
lc = ldap_back_getconn( op, rs, LDAP_BACK_SENDERR );
|
||||
if ( !lc || !ldap_back_dobind( lc, op, rs, LDAP_BACK_SENDERR ) ) {
|
||||
if ( !ldap_back_dobind( &lc, op, rs, LDAP_BACK_SENDERR ) ) {
|
||||
return rs->sr_err;
|
||||
}
|
||||
|
||||
|
|
@ -75,7 +74,8 @@ ldap_back_modrdn(
|
|||
|
||||
retry:
|
||||
ctrls = op->o_ctrls;
|
||||
rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls );
|
||||
rc = ldap_back_proxy_authz_ctrl( &lc->lc_bound_ndn,
|
||||
li->li_version, &li->li_idassert, op, rs, &ctrls );
|
||||
if ( rc != LDAP_SUCCESS ) {
|
||||
send_ldap_result( op, rs );
|
||||
rc = -1;
|
||||
|
|
@ -86,9 +86,10 @@ retry:
|
|||
op->orr_newrdn.bv_val, newSup,
|
||||
op->orr_deleteoldrdn, ctrls, NULL, &msgid );
|
||||
rc = ldap_back_op_result( lc, op, rs, msgid,
|
||||
li->li_timeout[ LDAP_BACK_OP_MODRDN ], LDAP_BACK_SENDRESULT );
|
||||
if ( rs->sr_err == LDAP_SERVER_DOWN && do_retry ) {
|
||||
do_retry = 0;
|
||||
li->li_timeout[ SLAP_OP_MODRDN ],
|
||||
( LDAP_BACK_SENDRESULT | retrying ) );
|
||||
if ( rs->sr_err == LDAP_SERVER_DOWN && retrying ) {
|
||||
retrying &= ~LDAP_BACK_RETRYING;
|
||||
if ( ldap_back_retry( &lc, op, rs, LDAP_BACK_SENDERR ) ) {
|
||||
/* if the identity changed, there might be need to re-authz */
|
||||
(void)ldap_back_proxy_authz_ctrl_free( op, &ctrls );
|
||||
|
|
|
|||
|
|
@ -47,15 +47,14 @@ extern BI_connection_destroy ldap_back_conn_destroy;
|
|||
|
||||
extern BI_entry_get_rw ldap_back_entry_get;
|
||||
|
||||
int ldap_back_freeconn( Operation *op, ldapconn_t *lc, int dolock );
|
||||
ldapconn_t *ldap_back_getconn( Operation *op, SlapReply *rs, ldap_back_send_t sendok );
|
||||
void ldap_back_release_conn_lock( Operation *op, SlapReply *rs, ldapconn_t *lc, int dolock );
|
||||
#define ldap_back_release_conn(op, rs, lc) ldap_back_release_conn_lock((op), (rs), (lc), 1)
|
||||
int ldap_back_dobind( ldapconn_t *lc, Operation *op, SlapReply *rs, ldap_back_send_t sendok );
|
||||
void ldap_back_release_conn_lock( Operation *op, SlapReply *rs, ldapconn_t **lcp, int dolock );
|
||||
#define ldap_back_release_conn(op, rs, lc) ldap_back_release_conn_lock((op), (rs), &(lc), 1)
|
||||
int ldap_back_dobind( ldapconn_t **lcp, Operation *op, SlapReply *rs, ldap_back_send_t sendok );
|
||||
int ldap_back_retry( ldapconn_t **lcp, Operation *op, SlapReply *rs, ldap_back_send_t sendok );
|
||||
int ldap_back_map_result( SlapReply *rs );
|
||||
int ldap_back_op_result( ldapconn_t *lc, Operation *op, SlapReply *rs,
|
||||
ber_int_t msgid, time_t timeout, ldap_back_send_t sendok );
|
||||
int ldap_back_cancel( ldapconn_t *lc, Operation *op, SlapReply *rs, ber_int_t msgid, ldap_back_send_t sendok );
|
||||
|
||||
int ldap_back_init_cf( BackendInfo *bi );
|
||||
|
||||
|
|
@ -66,7 +65,9 @@ extern void ldap_back_conn_free( void *c );
|
|||
|
||||
extern int
|
||||
ldap_back_proxy_authz_ctrl(
|
||||
ldapconn_t *lc,
|
||||
struct berval *bound_ndn,
|
||||
int version,
|
||||
slap_idassert_t *si,
|
||||
Operation *op,
|
||||
SlapReply *rs,
|
||||
LDAPControl ***pctrls );
|
||||
|
|
@ -76,9 +77,27 @@ ldap_back_proxy_authz_ctrl_free(
|
|||
Operation *op,
|
||||
LDAPControl ***pctrls );
|
||||
|
||||
extern void
|
||||
ldap_back_quarantine(
|
||||
Operation *op,
|
||||
SlapReply *rs );
|
||||
|
||||
#ifdef LDAP_BACK_PRINT_CONNTREE
|
||||
extern void
|
||||
ldap_back_print_conntree( ldapinfo_t *li, char *msg );
|
||||
#endif /* LDAP_BACK_PRINT_CONNTREE */
|
||||
|
||||
extern void slap_retry_info_destroy( slap_retry_info_t *ri );
|
||||
extern int slap_retry_info_parse( char *in, slap_retry_info_t *ri,
|
||||
char *buf, ber_len_t buflen );
|
||||
extern int slap_retry_info_unparse( slap_retry_info_t *ri, struct berval *bvout );
|
||||
|
||||
extern int slap_idassert_authzfrom_parse_cf( const char *fname, int lineno, const char *arg, slap_idassert_t *si );
|
||||
extern int slap_idassert_parse_cf( const char *fname, int lineno, int argc, char *argv[], slap_idassert_t *si );
|
||||
|
||||
extern int chain_init( void );
|
||||
|
||||
extern LDAP_REBIND_PROC *ldap_back_rebind_f;
|
||||
extern LDAP_REBIND_PROC ldap_back_default_rebind;
|
||||
|
||||
LDAP_END_DECL
|
||||
|
||||
|
|
|
|||
|
|
@ -75,7 +75,7 @@ ldap_back_munge_filter(
|
|||
|
||||
if ( strncmp( ptr, bv_true.bv_val, bv_true.bv_len ) == 0 ) {
|
||||
oldbv = &bv_true;
|
||||
if ( li->li_flags & LDAP_BACK_F_SUPPORT_T_F ) {
|
||||
if ( LDAP_BACK_T_F( li ) ) {
|
||||
newbv = &bv_t;
|
||||
|
||||
} else {
|
||||
|
|
@ -85,7 +85,7 @@ ldap_back_munge_filter(
|
|||
} else if ( strncmp( ptr, bv_false.bv_val, bv_false.bv_len ) == 0 )
|
||||
{
|
||||
oldbv = &bv_false;
|
||||
if ( li->li_flags & LDAP_BACK_F_SUPPORT_T_F ) {
|
||||
if ( LDAP_BACK_T_F( li ) ) {
|
||||
newbv = &bv_f;
|
||||
|
||||
} else {
|
||||
|
|
@ -141,9 +141,11 @@ ldap_back_search(
|
|||
Operation *op,
|
||||
SlapReply *rs )
|
||||
{
|
||||
ldapconn_t *lc;
|
||||
ldapinfo_t *li = (ldapinfo_t *) op->o_bd->be_private;
|
||||
|
||||
ldapconn_t *lc = NULL;
|
||||
struct timeval tv;
|
||||
time_t stoptime = (time_t)-1;
|
||||
time_t stoptime = (time_t)(-1);
|
||||
LDAPMessage *res,
|
||||
*e;
|
||||
int rc = 0,
|
||||
|
|
@ -159,8 +161,7 @@ ldap_back_search(
|
|||
/* FIXME: shouldn't this be null? */
|
||||
const char *save_matched = rs->sr_matched;
|
||||
|
||||
lc = ldap_back_getconn( op, rs, LDAP_BACK_SENDERR );
|
||||
if ( !lc || !ldap_back_dobind( lc, op, rs, LDAP_BACK_SENDERR ) ) {
|
||||
if ( !ldap_back_dobind( &lc, op, rs, LDAP_BACK_SENDERR ) ) {
|
||||
return rs->sr_err;
|
||||
}
|
||||
|
||||
|
|
@ -202,7 +203,8 @@ ldap_back_search(
|
|||
}
|
||||
|
||||
ctrls = op->o_ctrls;
|
||||
rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls );
|
||||
rc = ldap_back_proxy_authz_ctrl( &lc->lc_bound_ndn,
|
||||
li->li_version, &li->li_idassert, op, rs, &ctrls );
|
||||
if ( rc != LDAP_SUCCESS ) {
|
||||
goto finish;
|
||||
}
|
||||
|
|
@ -266,7 +268,7 @@ retry:
|
|||
if ( rc > 0 ) {
|
||||
ldap_msgfree( res );
|
||||
}
|
||||
ldap_abandon_ext( lc->lc_ld, msgid, NULL, NULL );
|
||||
(void)ldap_back_cancel( lc, op, rs, msgid, LDAP_BACK_DONTSEND );
|
||||
rc = SLAPD_ABANDON;
|
||||
goto finish;
|
||||
}
|
||||
|
|
@ -279,13 +281,18 @@ retry:
|
|||
if ( op->ors_tlimit != SLAP_NO_LIMIT
|
||||
&& slap_get_time() > stoptime )
|
||||
{
|
||||
ldap_abandon_ext( lc->lc_ld, msgid, NULL, NULL );
|
||||
(void)ldap_back_cancel( lc, op, rs, msgid, LDAP_BACK_DONTSEND );
|
||||
rc = rs->sr_err = LDAP_TIMELIMIT_EXCEEDED;
|
||||
goto finish;
|
||||
}
|
||||
continue;
|
||||
|
||||
} else {
|
||||
/* only touch when activity actually took place... */
|
||||
if ( li->li_idle_timeout && lc ) {
|
||||
lc->lc_time = op->o_time;
|
||||
}
|
||||
|
||||
/* don't retry any more */
|
||||
dont_retry = 1;
|
||||
}
|
||||
|
|
@ -322,7 +329,7 @@ retry:
|
|||
if ( rc == LDAP_UNAVAILABLE ) {
|
||||
rc = rs->sr_err = LDAP_OTHER;
|
||||
} else {
|
||||
ldap_abandon_ext( lc->lc_ld, msgid, NULL, NULL );
|
||||
(void)ldap_back_cancel( lc, op, rs, msgid, LDAP_BACK_DONTSEND );
|
||||
}
|
||||
goto finish;
|
||||
}
|
||||
|
|
@ -346,7 +353,8 @@ retry:
|
|||
/* NO OP */ ;
|
||||
|
||||
/* FIXME: there MUST be at least one */
|
||||
rs->sr_ref = ch_malloc( ( cnt + 1 ) * sizeof( struct berval ) );
|
||||
rs->sr_ref = op->o_tmpalloc( ( cnt + 1 ) * sizeof( struct berval ),
|
||||
op->o_tmpmemctx );
|
||||
|
||||
for ( cnt = 0; references[ cnt ]; cnt++ ) {
|
||||
ber_str2bv( references[ cnt ], 0, 0, &rs->sr_ref[ cnt ] );
|
||||
|
|
@ -367,7 +375,7 @@ retry:
|
|||
/* cleanup */
|
||||
if ( references ) {
|
||||
ber_memvfree( (void **)references );
|
||||
ch_free( rs->sr_ref );
|
||||
op->o_tmpfree( rs->sr_ref, op->o_tmpmemctx );
|
||||
rs->sr_ref = NULL;
|
||||
}
|
||||
|
||||
|
|
@ -407,7 +415,8 @@ retry:
|
|||
for ( cnt = 0; references[ cnt ]; cnt++ )
|
||||
/* NO OP */ ;
|
||||
|
||||
rs->sr_ref = ch_malloc( ( cnt + 1 ) * sizeof( struct berval ) );
|
||||
rs->sr_ref = op->o_tmpalloc( ( cnt + 1 ) * sizeof( struct berval ),
|
||||
op->o_tmpmemctx );
|
||||
|
||||
for ( cnt = 0; references[ cnt ]; cnt++ ) {
|
||||
/* duplicating ...*/
|
||||
|
|
@ -476,7 +485,15 @@ retry:
|
|||
}
|
||||
|
||||
finish:;
|
||||
if ( rc != SLAPD_ABANDON ) {
|
||||
if ( LDAP_BACK_QUARANTINE( li ) ) {
|
||||
ldap_back_quarantine( op, rs );
|
||||
}
|
||||
|
||||
#if 0
|
||||
/* let send_ldap_result play cleanup handlers (ITS#4645) */
|
||||
if ( rc != SLAPD_ABANDON )
|
||||
#endif
|
||||
{
|
||||
send_ldap_result( op, rs );
|
||||
}
|
||||
|
||||
|
|
@ -509,7 +526,7 @@ finish:;
|
|||
}
|
||||
|
||||
if ( rs->sr_ref ) {
|
||||
ber_bvarray_free( rs->sr_ref );
|
||||
ber_bvarray_free_x( rs->sr_ref, op->o_tmpmemctx );
|
||||
rs->sr_ref = NULL;
|
||||
}
|
||||
|
||||
|
|
@ -716,10 +733,11 @@ ldap_back_entry_get(
|
|||
ObjectClass *oc,
|
||||
AttributeDescription *at,
|
||||
int rw,
|
||||
Entry **ent
|
||||
)
|
||||
Entry **ent )
|
||||
{
|
||||
ldapconn_t *lc;
|
||||
ldapinfo_t *li = (ldapinfo_t *) op->o_bd->be_private;
|
||||
|
||||
ldapconn_t *lc = NULL;
|
||||
int rc = 1,
|
||||
do_not_cache;
|
||||
struct berval bdn;
|
||||
|
|
@ -736,8 +754,7 @@ ldap_back_entry_get(
|
|||
/* Tell getconn this is a privileged op */
|
||||
do_not_cache = op->o_do_not_cache;
|
||||
op->o_do_not_cache = 1;
|
||||
lc = ldap_back_getconn( op, &rs, LDAP_BACK_DONTSEND );
|
||||
if ( !lc || !ldap_back_dobind( lc, op, &rs, LDAP_BACK_DONTSEND ) ) {
|
||||
if ( !ldap_back_dobind( &lc, op, &rs, LDAP_BACK_DONTSEND ) ) {
|
||||
op->o_do_not_cache = do_not_cache;
|
||||
return rs.sr_err;
|
||||
}
|
||||
|
|
@ -769,7 +786,8 @@ ldap_back_entry_get(
|
|||
|
||||
retry:
|
||||
ctrls = op->o_ctrls;
|
||||
rc = ldap_back_proxy_authz_ctrl( lc, op, &rs, &ctrls );
|
||||
rc = ldap_back_proxy_authz_ctrl( &lc->lc_bound_ndn,
|
||||
li->li_version, &li->li_idassert, op, &rs, &ctrls );
|
||||
if ( rc != LDAP_SUCCESS ) {
|
||||
goto cleanup;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -48,11 +48,14 @@ ldap_back_conn_destroy(
|
|||
lc_curr.lc_conn = conn;
|
||||
|
||||
ldap_pvt_thread_mutex_lock( &li->li_conninfo.lai_mutex );
|
||||
#if LDAP_BACK_PRINT_CONNTREE > 0
|
||||
ldap_back_print_conntree( li, ">>> ldap_back_conn_destroy" );
|
||||
#endif /* LDAP_BACK_PRINT_CONNTREE */
|
||||
while ( ( lc = avl_delete( &li->li_conninfo.lai_tree, (caddr_t)&lc_curr, ldap_back_conn_cmp ) ) != NULL )
|
||||
{
|
||||
Debug( LDAP_DEBUG_TRACE,
|
||||
"=>ldap_back_conn_destroy: destroying conn %ld (refcnt=%u)\n",
|
||||
LDAP_BACK_PCONN_ID( lc->lc_conn ), lc->lc_refcnt, 0 );
|
||||
LDAP_BACK_PCONN_ID( lc ), lc->lc_refcnt, 0 );
|
||||
|
||||
assert( lc->lc_refcnt == 0 );
|
||||
|
||||
|
|
@ -63,6 +66,9 @@ ldap_back_conn_destroy(
|
|||
*/
|
||||
ldap_back_conn_free( lc );
|
||||
}
|
||||
#if LDAP_BACK_PRINT_CONNTREE > 0
|
||||
ldap_back_print_conntree( li, "<<< ldap_back_conn_destroy" );
|
||||
#endif /* LDAP_BACK_PRINT_CONNTREE */
|
||||
ldap_pvt_thread_mutex_unlock( &li->li_conninfo.lai_mutex );
|
||||
|
||||
return 0;
|
||||
|
|
|
|||
|
|
@ -36,6 +36,7 @@ int
|
|||
meta_back_add( Operation *op, SlapReply *rs )
|
||||
{
|
||||
metainfo_t *mi = ( metainfo_t * )op->o_bd->be_private;
|
||||
metatarget_t *mt;
|
||||
metaconn_t *mc;
|
||||
int i, candidate = -1;
|
||||
int isupdate;
|
||||
|
|
@ -45,7 +46,7 @@ meta_back_add( Operation *op, SlapReply *rs )
|
|||
dncookie dc;
|
||||
int msgid;
|
||||
int do_retry = 1;
|
||||
int maperr = 1;
|
||||
LDAPControl **ctrls = NULL;
|
||||
|
||||
Debug(LDAP_DEBUG_ARGS, "==> meta_back_add: %s\n",
|
||||
op->o_req_dn.bv_val, 0, 0 );
|
||||
|
|
@ -63,7 +64,8 @@ meta_back_add( Operation *op, SlapReply *rs )
|
|||
/*
|
||||
* Rewrite the add dn, if needed
|
||||
*/
|
||||
dc.target = &mi->mi_targets[ candidate ];
|
||||
mt = mi->mi_targets[ candidate ];
|
||||
dc.target = mt;
|
||||
dc.conn = op->o_conn;
|
||||
dc.rs = rs;
|
||||
dc.ctx = "addDN";
|
||||
|
|
@ -96,7 +98,7 @@ meta_back_add( Operation *op, SlapReply *rs )
|
|||
mapped = a->a_desc->ad_cname;
|
||||
|
||||
} else {
|
||||
ldap_back_map( &mi->mi_targets[ candidate ].mt_rwmap.rwm_at,
|
||||
ldap_back_map( &mt->mt_rwmap.rwm_at,
|
||||
&a->a_desc->ad_cname, &mapped, BACKLDAP_MAP );
|
||||
if ( BER_BVISNULL( &mapped ) || BER_BVISEMPTY( &mapped ) ) {
|
||||
continue;
|
||||
|
|
@ -121,11 +123,11 @@ meta_back_add( Operation *op, SlapReply *rs )
|
|||
for ( j = 0; !BER_BVISNULL( &a->a_vals[ j ] ); ) {
|
||||
struct ldapmapping *mapping;
|
||||
|
||||
ldap_back_mapping( &mi->mi_targets[ candidate ].mt_rwmap.rwm_oc,
|
||||
ldap_back_mapping( &mt->mt_rwmap.rwm_oc,
|
||||
&a->a_vals[ j ], &mapping, BACKLDAP_MAP );
|
||||
|
||||
if ( mapping == NULL ) {
|
||||
if ( mi->mi_targets[ candidate ].mt_rwmap.rwm_oc.drop_missing ) {
|
||||
if ( mt->mt_rwmap.rwm_oc.drop_missing ) {
|
||||
continue;
|
||||
}
|
||||
attrs[ i ]->mod_bvalues[ j ] = &a->a_vals[ j ];
|
||||
|
|
@ -166,64 +168,30 @@ meta_back_add( Operation *op, SlapReply *rs )
|
|||
attrs[ i ] = NULL;
|
||||
|
||||
retry:;
|
||||
ctrls = op->o_ctrls;
|
||||
if ( ldap_back_proxy_authz_ctrl( &mc->mc_conns[ candidate ].msc_bound_ndn,
|
||||
mt->mt_version, &mt->mt_idassert, op, rs, &ctrls ) != LDAP_SUCCESS )
|
||||
{
|
||||
send_ldap_result( op, rs );
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
rs->sr_err = ldap_add_ext( mc->mc_conns[ candidate ].msc_ld, mdn.bv_val,
|
||||
attrs, op->o_ctrls, NULL, &msgid );
|
||||
attrs, ctrls, NULL, &msgid );
|
||||
rs->sr_err = meta_back_op_result( mc, op, rs, candidate, msgid,
|
||||
mt->mt_timeout[ SLAP_OP_ADD ], LDAP_BACK_SENDRESULT );
|
||||
if ( rs->sr_err == LDAP_UNAVAILABLE && do_retry ) {
|
||||
do_retry = 0;
|
||||
if ( meta_back_retry( op, rs, &mc, candidate, LDAP_BACK_SENDERR ) ) {
|
||||
/* if the identity changed, there might be need to re-authz */
|
||||
(void)ldap_back_proxy_authz_ctrl_free( op, &ctrls );
|
||||
goto retry;
|
||||
}
|
||||
goto cleanup;
|
||||
|
||||
} else if ( rs->sr_err == LDAP_SUCCESS ) {
|
||||
struct timeval tv, *tvp = NULL;
|
||||
LDAPMessage *res = NULL;
|
||||
int rc;
|
||||
|
||||
if ( mi->mi_targets[ candidate ].mt_timeout[ LDAP_BACK_OP_ADD ] != 0 ) {
|
||||
tv.tv_sec = mi->mi_targets[ candidate ].mt_timeout[ LDAP_BACK_OP_ADD ];
|
||||
tv.tv_usec = 0;
|
||||
tvp = &tv;
|
||||
}
|
||||
|
||||
rs->sr_err = LDAP_OTHER;
|
||||
maperr = 0;
|
||||
rc = ldap_result( mc->mc_conns[ candidate ].msc_ld,
|
||||
msgid, LDAP_MSG_ALL, tvp, &res );
|
||||
switch ( rc ) {
|
||||
case -1:
|
||||
break;
|
||||
|
||||
case 0:
|
||||
ldap_abandon_ext( mc->mc_conns[ candidate ].msc_ld,
|
||||
msgid, NULL, NULL );
|
||||
rs->sr_err = op->o_protocol >= LDAP_VERSION3 ?
|
||||
LDAP_ADMINLIMIT_EXCEEDED : LDAP_OPERATIONS_ERROR;
|
||||
break;
|
||||
|
||||
case LDAP_RES_ADD:
|
||||
rc = ldap_parse_result( mc->mc_conns[ candidate ].msc_ld,
|
||||
res, &rs->sr_err, NULL, NULL, NULL, NULL, 1 );
|
||||
if ( rc != LDAP_SUCCESS ) {
|
||||
rs->sr_err = rc;
|
||||
}
|
||||
maperr = 1;
|
||||
break;
|
||||
|
||||
default:
|
||||
ldap_msgfree( res );
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
if ( maperr ) {
|
||||
rs->sr_err = meta_back_op_result( mc, op, rs, candidate );
|
||||
|
||||
} else {
|
||||
send_ldap_result( op, rs );
|
||||
}
|
||||
|
||||
cleanup:;
|
||||
(void)ldap_back_proxy_authz_ctrl_free( op, &ctrls );
|
||||
|
||||
for ( --i; i >= 0; --i ) {
|
||||
free( attrs[ i ]->mod_bvalues );
|
||||
free( attrs[ i ] );
|
||||
|
|
|
|||
|
|
@ -33,6 +33,13 @@
|
|||
#include "rewrite.h"
|
||||
LDAP_BEGIN_DECL
|
||||
|
||||
/*
|
||||
* Set META_BACK_PRINT_CONNTREE larger than 0 to dump the connection tree (debug only)
|
||||
*/
|
||||
#ifndef META_BACK_PRINT_CONNTREE
|
||||
#define META_BACK_PRINT_CONNTREE 0
|
||||
#endif /* !META_BACK_PRINT_CONNTREE */
|
||||
|
||||
struct slap_conn;
|
||||
struct slap_op;
|
||||
|
||||
|
|
@ -153,26 +160,67 @@ ldap_dnattr_result_rewrite(
|
|||
|
||||
/* (end of) from back-ldap.h before rwm removal */
|
||||
|
||||
/*
|
||||
* A metasingleconn_t can be in the following, mutually exclusive states:
|
||||
*
|
||||
* - none (0x0U)
|
||||
* - creating META_BACK_FCONN_CREATING
|
||||
* - initialized META_BACK_FCONN_INITED
|
||||
* - binding LDAP_BACK_FCONN_BINDING
|
||||
* - bound/anonymous LDAP_BACK_FCONN_ISBOUND/LDAP_BACK_FCONN_ISANON
|
||||
*
|
||||
* possible modifiers are:
|
||||
*
|
||||
* - privileged LDAP_BACK_FCONN_ISPRIV
|
||||
* - privileged, TLS LDAP_BACK_FCONN_ISTLS
|
||||
* - subjected to idassert LDAP_BACK_FCONN_ISIDASR
|
||||
* - tainted LDAP_BACK_FCONN_TAINTED
|
||||
*/
|
||||
|
||||
#define META_BACK_FCONN_INITED (0x00100000U)
|
||||
#define META_BACK_FCONN_CREATING (0x00200000U)
|
||||
|
||||
#define META_BACK_CONN_INITED(lc) LDAP_BACK_CONN_ISSET((lc), META_BACK_FCONN_INITED)
|
||||
#define META_BACK_CONN_INITED_SET(lc) LDAP_BACK_CONN_SET((lc), META_BACK_FCONN_INITED)
|
||||
#define META_BACK_CONN_INITED_CLEAR(lc) LDAP_BACK_CONN_CLEAR((lc), META_BACK_FCONN_INITED)
|
||||
#define META_BACK_CONN_INITED_CPY(lc, mlc) LDAP_BACK_CONN_CPY((lc), META_BACK_FCONN_INITED, (mlc))
|
||||
#define META_BACK_CONN_CREATING(lc) LDAP_BACK_CONN_ISSET((lc), META_BACK_FCONN_CREATING)
|
||||
#define META_BACK_CONN_CREATING_SET(lc) LDAP_BACK_CONN_SET((lc), META_BACK_FCONN_CREATING)
|
||||
#define META_BACK_CONN_CREATING_CLEAR(lc) LDAP_BACK_CONN_CLEAR((lc), META_BACK_FCONN_CREATING)
|
||||
#define META_BACK_CONN_CREATING_CPY(lc, mlc) LDAP_BACK_CONN_CPY((lc), META_BACK_FCONN_CREATING, (mlc))
|
||||
|
||||
struct metainfo_t;
|
||||
|
||||
#define META_NOT_CANDIDATE ((ber_tag_t)0x0)
|
||||
#define META_CANDIDATE ((ber_tag_t)0x1)
|
||||
#define META_BINDING ((ber_tag_t)0x2)
|
||||
|
||||
typedef struct metasingleconn_t {
|
||||
int msc_candidate;
|
||||
#define META_NOT_CANDIDATE ((ber_tag_t)0)
|
||||
#define META_CANDIDATE ((ber_tag_t)1)
|
||||
#define META_CND_ISSET(rs,f) ( ( (rs)->sr_tag & (f) ) == (f) )
|
||||
#define META_CND_SET(rs,f) ( (rs)->sr_tag |= (f) )
|
||||
#define META_CND_CLEAR(rs,f) ( (rs)->sr_tag &= ~(f) )
|
||||
|
||||
#define META_CANDIDATE_RESET(rs) ( (rs)->sr_tag = 0 )
|
||||
#define META_IS_CANDIDATE(rs) META_CND_ISSET( (rs), META_CANDIDATE )
|
||||
#define META_CANDIDATE_SET(rs) META_CND_SET( (rs), META_CANDIDATE )
|
||||
#define META_CANDIDATE_CLEAR(rs) META_CND_CLEAR( (rs), META_CANDIDATE )
|
||||
#define META_IS_BINDING(rs) META_CND_ISSET( (rs), META_BINDING )
|
||||
#define META_BINDING_SET(rs) META_CND_SET( (rs), META_BINDING )
|
||||
#define META_BINDING_CLEAR(rs) META_CND_CLEAR( (rs), META_BINDING )
|
||||
|
||||
LDAP *msc_ld;
|
||||
time_t msc_time;
|
||||
struct berval msc_bound_ndn;
|
||||
struct berval msc_cred;
|
||||
unsigned msc_mscflags;
|
||||
/* NOTE: lc_lcflags is redefined to msc_mscflags to reuse the macros
|
||||
* defined for back-ldap */
|
||||
#define lc_lcflags msc_mscflags
|
||||
|
||||
struct metainfo_t *msc_info;
|
||||
} metasingleconn_t;
|
||||
|
||||
typedef struct metaconn_t {
|
||||
struct slap_conn *mc_conn;
|
||||
#define lc_conn mc_conn
|
||||
unsigned mc_refcnt;
|
||||
|
||||
time_t mc_create_time;
|
||||
|
|
@ -190,6 +238,11 @@ typedef struct metaconn_t {
|
|||
int mc_authz_target;
|
||||
#define META_BOUND_NONE (-1)
|
||||
#define META_BOUND_ALL (-2)
|
||||
|
||||
struct metainfo_t *mc_info;
|
||||
|
||||
LDAP_TAILQ_ENTRY(metaconn_t) mc_q;
|
||||
|
||||
/* supersedes the connection stuff */
|
||||
metasingleconn_t mc_conns[ 1 ];
|
||||
/* NOTE: mc_conns must be last, because
|
||||
|
|
@ -199,6 +252,13 @@ typedef struct metaconn_t {
|
|||
|
||||
typedef struct metatarget_t {
|
||||
char *mt_uri;
|
||||
ldap_pvt_thread_mutex_t mt_uri_mutex;
|
||||
|
||||
/* TODO: we might want to enable different strategies
|
||||
* for different targets */
|
||||
LDAP_REBIND_PROC *mt_rebind_f;
|
||||
void *mt_urllist_p;
|
||||
|
||||
BerVarray mt_subtree_exclude;
|
||||
int mt_scope;
|
||||
|
||||
|
|
@ -208,23 +268,50 @@ typedef struct metatarget_t {
|
|||
struct berval mt_binddn;
|
||||
struct berval mt_bindpw;
|
||||
|
||||
struct berval mt_pseudorootdn;
|
||||
struct berval mt_pseudorootpw;
|
||||
slap_idassert_t mt_idassert;
|
||||
#define mt_idassert_mode mt_idassert.si_mode
|
||||
#define mt_idassert_authcID mt_idassert.si_bc.sb_authcId
|
||||
#define mt_idassert_authcDN mt_idassert.si_bc.sb_binddn
|
||||
#define mt_idassert_passwd mt_idassert.si_bc.sb_cred
|
||||
#define mt_idassert_authzID mt_idassert.si_bc.sb_authzId
|
||||
#define mt_idassert_authmethod mt_idassert.si_bc.sb_method
|
||||
#define mt_idassert_sasl_mech mt_idassert.si_bc.sb_saslmech
|
||||
#define mt_idassert_sasl_realm mt_idassert.si_bc.sb_realm
|
||||
#define mt_idassert_secprops mt_idassert.si_bc.sb_secprops
|
||||
#define mt_idassert_tls mt_idassert.si_bc.sb_tls
|
||||
#define mt_idassert_flags mt_idassert.si_flags
|
||||
#define mt_idassert_authz mt_idassert.si_authz
|
||||
|
||||
int mt_nretries;
|
||||
#define META_RETRY_UNDEFINED (-2)
|
||||
#define META_RETRY_FOREVER (-1)
|
||||
#define META_RETRY_NEVER (0)
|
||||
#define META_RETRY_DEFAULT (3)
|
||||
#define META_RETRY_DEFAULT (10)
|
||||
|
||||
struct ldaprwmap mt_rwmap;
|
||||
|
||||
sig_atomic_t mt_isquarantined;
|
||||
slap_retry_info_t mt_quarantine;
|
||||
ldap_pvt_thread_mutex_t mt_quarantine_mutex;
|
||||
#define META_BACK_TGT_QUARANTINE(mt) ( (mt)->mt_quarantine.ri_num != NULL )
|
||||
|
||||
unsigned mt_flags;
|
||||
#define META_BACK_TGT_ISSET(mt,f) ( ( (mt)->mt_flags & (f) ) == (f) )
|
||||
#define META_BACK_TGT_ISMASK(mt,m,f) ( ( (mt)->mt_flags & (m) ) == (f) )
|
||||
|
||||
#define META_BACK_TGT_T_F(mt) META_BACK_TGT_ISMASK( (mt), LDAP_BACK_F_T_F_MASK, LDAP_BACK_F_T_F )
|
||||
#define META_BACK_TGT_T_F_DISCOVER(mt) META_BACK_TGT_ISMASK( (mt), LDAP_BACK_F_T_F_MASK2, LDAP_BACK_F_T_F_DISCOVER )
|
||||
|
||||
#define META_BACK_TGT_ABANDON(mt) META_BACK_TGT_ISMASK( (mt), LDAP_BACK_F_CANCEL_MASK, LDAP_BACK_F_CANCEL_ABANDON )
|
||||
#define META_BACK_TGT_IGNORE(mt) META_BACK_TGT_ISMASK( (mt), LDAP_BACK_F_CANCEL_MASK, LDAP_BACK_F_CANCEL_IGNORE )
|
||||
#define META_BACK_TGT_CANCEL(mt) META_BACK_TGT_ISMASK( (mt), LDAP_BACK_F_CANCEL_MASK, LDAP_BACK_F_CANCEL_EXOP )
|
||||
#define META_BACK_TGT_CANCEL_DISCOVER(mt) META_BACK_TGT_ISMASK( (mt), LDAP_BACK_F_CANCEL_MASK2, LDAP_BACK_F_CANCEL_EXOP_DISCOVER )
|
||||
|
||||
int mt_version;
|
||||
time_t mt_network_timeout;
|
||||
struct timeval mt_bind_timeout;
|
||||
#define META_BIND_TIMEOUT LDAP_BACK_RESULT_UTIMEOUT
|
||||
time_t mt_timeout[ LDAP_BACK_OP_LAST ];
|
||||
time_t mt_timeout[ SLAP_OP_LAST ];
|
||||
} metatarget_t;
|
||||
|
||||
typedef struct metadncache_t {
|
||||
|
|
@ -241,36 +328,62 @@ typedef struct metacandidates_t {
|
|||
SlapReply *mc_candidates;
|
||||
} metacandidates_t;
|
||||
|
||||
/*
|
||||
* Hook to allow mucking with metainfo_t/metatarget_t when quarantine is over
|
||||
*/
|
||||
typedef int (*meta_back_quarantine_f)( struct metainfo_t *, int target, void * );
|
||||
|
||||
typedef struct metainfo_t {
|
||||
int mi_ntargets;
|
||||
int mi_defaulttarget;
|
||||
#define META_DEFAULT_TARGET_NONE (-1)
|
||||
int mi_nretries;
|
||||
|
||||
metatarget_t *mi_targets;
|
||||
metatarget_t **mi_targets;
|
||||
metacandidates_t *mi_candidates;
|
||||
|
||||
LDAP_REBIND_PROC *mi_rebind_f;
|
||||
|
||||
metadncache_t mi_cache;
|
||||
|
||||
/* cached connections;
|
||||
* special conns are in tailq rather than in tree */
|
||||
ldap_avl_info_t mi_conninfo;
|
||||
struct {
|
||||
int mic_num;
|
||||
LDAP_TAILQ_HEAD(mc_conn_priv_q, metaconn_t) mic_priv;
|
||||
} mi_conn_priv[ LDAP_BACK_PCONN_LAST ];
|
||||
int mi_conn_priv_max;
|
||||
|
||||
/* NOTE: quarantine uses the connection mutex */
|
||||
slap_retry_info_t mi_quarantine;
|
||||
|
||||
#define META_BACK_QUARANTINE(mi) ( (mi)->mi_quarantine.ri_num != NULL )
|
||||
meta_back_quarantine_f mi_quarantine_f;
|
||||
void *mi_quarantine_p;
|
||||
|
||||
unsigned mi_flags;
|
||||
#define li_flags mi_flags
|
||||
/* uses flags as defined in <back-ldap/back-ldap.h> */
|
||||
#define META_BACK_F_ONERR_STOP 0x00010000U
|
||||
#define META_BACK_F_DEFER_ROOTDN_BIND 0x00020000U
|
||||
#define META_BACK_F_ONERR_STOP (0x00100000U)
|
||||
#define META_BACK_F_ONERR_REPORT (0x00200000U)
|
||||
#define META_BACK_F_ONERR_MASK (META_BACK_F_ONERR_STOP|META_BACK_F_ONERR_REPORT)
|
||||
#define META_BACK_F_DEFER_ROOTDN_BIND (0x00400000U)
|
||||
#define META_BACK_F_PROXYAUTHZ_ALWAYS (0x00800000U)
|
||||
|
||||
#define META_BACK_ONERR_STOP(mi) ( (mi)->mi_flags & META_BACK_F_ONERR_STOP )
|
||||
#define META_BACK_ONERR_CONTINUE(mi) ( !META_BACK_ONERR_CONTINUE( (mi) ) )
|
||||
#define META_BACK_ONERR_REPORT(mi) ( (mi)->mi_flags & META_BACK_F_ONERR_REPORT )
|
||||
#define META_BACK_ONERR_CONTINUE(mi) ( !( (mi)->mi_flags & META_BACK_F_ONERR_MASK ) )
|
||||
|
||||
#define META_BACK_DEFER_ROOTDN_BIND(mi) ( (mi)->mi_flags & META_BACK_F_DEFER_ROOTDN_BIND )
|
||||
#define META_BACK_PROXYAUTHZ_ALWAYS(mi) ( (mi)->mi_flags & META_BACK_F_PROXYAUTHZ_ALWAYS )
|
||||
|
||||
int mi_version;
|
||||
time_t mi_network_timeout;
|
||||
time_t mi_conn_ttl;
|
||||
time_t mi_idle_timeout;
|
||||
struct timeval mi_bind_timeout;
|
||||
time_t mi_timeout[ LDAP_BACK_OP_LAST ];
|
||||
time_t mi_timeout[ SLAP_OP_LAST ];
|
||||
} metainfo_t;
|
||||
|
||||
typedef enum meta_op_type {
|
||||
|
|
@ -293,9 +406,8 @@ extern void
|
|||
meta_back_release_conn_lock(
|
||||
Operation *op,
|
||||
metaconn_t *mc,
|
||||
int dofree,
|
||||
int dolock );
|
||||
#define meta_back_release_conn(op, mc) meta_back_release_conn_lock( (op), (mc), 0, 1 )
|
||||
#define meta_back_release_conn(op, mc) meta_back_release_conn_lock( (op), (mc), 1 )
|
||||
|
||||
extern int
|
||||
meta_back_retry(
|
||||
|
|
@ -309,23 +421,28 @@ extern void
|
|||
meta_back_conn_free(
|
||||
void *v_mc );
|
||||
|
||||
#if META_BACK_PRINT_CONNTREE > 0
|
||||
extern void
|
||||
meta_back_print_conntree(
|
||||
metainfo_t *mi,
|
||||
char *msg );
|
||||
#endif
|
||||
|
||||
extern int
|
||||
meta_back_init_one_conn(
|
||||
Operation *op,
|
||||
SlapReply *rs,
|
||||
metatarget_t *mt,
|
||||
metaconn_t *mc,
|
||||
int candidate,
|
||||
int ispriv,
|
||||
ldap_back_send_t sendok );
|
||||
ldap_back_send_t sendok,
|
||||
int dolock );
|
||||
|
||||
extern int
|
||||
meta_back_single_bind(
|
||||
extern void
|
||||
meta_back_quarantine(
|
||||
Operation *op,
|
||||
SlapReply *rs,
|
||||
metaconn_t *mc,
|
||||
int candidate,
|
||||
int massage );
|
||||
int candidate );
|
||||
|
||||
extern int
|
||||
meta_back_dobind(
|
||||
|
|
@ -344,12 +461,35 @@ meta_back_single_dobind(
|
|||
int retries,
|
||||
int dolock );
|
||||
|
||||
extern int
|
||||
meta_back_proxy_authz_cred(
|
||||
metaconn_t *mc,
|
||||
int candidate,
|
||||
Operation *op,
|
||||
SlapReply *rs,
|
||||
ldap_back_send_t sendok,
|
||||
struct berval *binddn,
|
||||
struct berval *bindcred,
|
||||
int *method );
|
||||
|
||||
extern int
|
||||
meta_back_cancel(
|
||||
metaconn_t *mc,
|
||||
Operation *op,
|
||||
SlapReply *rs,
|
||||
ber_int_t msgid,
|
||||
int candidate,
|
||||
ldap_back_send_t sendok );
|
||||
|
||||
extern int
|
||||
meta_back_op_result(
|
||||
metaconn_t *mc,
|
||||
Operation *op,
|
||||
SlapReply *rs,
|
||||
int candidate );
|
||||
int candidate,
|
||||
ber_int_t msgid,
|
||||
time_t timeout,
|
||||
ldap_back_send_t sendok );
|
||||
|
||||
extern int
|
||||
back_meta_LTX_init_module(
|
||||
|
|
@ -376,9 +516,7 @@ meta_back_conndn_dup(
|
|||
*/
|
||||
extern int
|
||||
meta_back_is_candidate(
|
||||
struct berval *nsuffix,
|
||||
int suffixscope,
|
||||
BerVarray subtree_exclude,
|
||||
metatarget_t *mt,
|
||||
struct berval *ndn,
|
||||
int scope );
|
||||
|
||||
|
|
@ -394,12 +532,9 @@ meta_clear_unused_candidates(
|
|||
|
||||
extern int
|
||||
meta_clear_one_candidate(
|
||||
metasingleconn_t *mc );
|
||||
|
||||
extern int
|
||||
meta_clear_candidates(
|
||||
Operation *op,
|
||||
metaconn_t *mc );
|
||||
metaconn_t *mc,
|
||||
int candidate );
|
||||
|
||||
/*
|
||||
* Dn cache stuff (experimental)
|
||||
|
|
@ -435,7 +570,7 @@ meta_dncache_delete_entry(
|
|||
extern void
|
||||
meta_dncache_free( void *entry );
|
||||
|
||||
extern LDAP_REBIND_PROC *meta_back_rebind_f;
|
||||
extern LDAP_REBIND_PROC meta_back_default_rebind;
|
||||
|
||||
LDAP_END_DECL
|
||||
|
||||
|
|
|
|||
File diff suppressed because it is too large
Load diff
|
|
@ -59,40 +59,38 @@
|
|||
*/
|
||||
int
|
||||
meta_back_is_candidate(
|
||||
struct berval *nsuffix,
|
||||
int suffixscope,
|
||||
BerVarray subtree_exclude,
|
||||
metatarget_t *mt,
|
||||
struct berval *ndn,
|
||||
int scope )
|
||||
{
|
||||
if ( dnIsSuffix( ndn, nsuffix ) ) {
|
||||
if ( subtree_exclude ) {
|
||||
if ( dnIsSuffix( ndn, &mt->mt_nsuffix ) ) {
|
||||
if ( mt->mt_subtree_exclude ) {
|
||||
int i;
|
||||
|
||||
for ( i = 0; !BER_BVISNULL( &subtree_exclude[ i ] ); i++ ) {
|
||||
if ( dnIsSuffix( ndn, &subtree_exclude[ i ] ) ) {
|
||||
for ( i = 0; !BER_BVISNULL( &mt->mt_subtree_exclude[ i ] ); i++ ) {
|
||||
if ( dnIsSuffix( ndn, &mt->mt_subtree_exclude[ i ] ) ) {
|
||||
return META_NOT_CANDIDATE;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
switch ( suffixscope ) {
|
||||
switch ( mt->mt_scope ) {
|
||||
case LDAP_SCOPE_SUBTREE:
|
||||
default:
|
||||
return META_CANDIDATE;
|
||||
|
||||
case LDAP_SCOPE_SUBORDINATE:
|
||||
if ( ndn->bv_len > nsuffix->bv_len ) {
|
||||
if ( ndn->bv_len > mt->mt_nsuffix.bv_len ) {
|
||||
return META_CANDIDATE;
|
||||
}
|
||||
break;
|
||||
|
||||
/* nearly useless; not allowed by config */
|
||||
case LDAP_SCOPE_ONELEVEL:
|
||||
if ( ndn->bv_len > nsuffix->bv_len ) {
|
||||
if ( ndn->bv_len > mt->mt_nsuffix.bv_len ) {
|
||||
struct berval rdn = *ndn;
|
||||
|
||||
rdn.bv_len -= nsuffix->bv_len
|
||||
rdn.bv_len -= mt->mt_nsuffix.bv_len
|
||||
+ STRLENOF( "," );
|
||||
if ( dnIsOneLevelRDN( &rdn ) ) {
|
||||
return META_CANDIDATE;
|
||||
|
|
@ -102,7 +100,7 @@ meta_back_is_candidate(
|
|||
|
||||
/* nearly useless; not allowed by config */
|
||||
case LDAP_SCOPE_BASE:
|
||||
if ( ndn->bv_len == nsuffix->bv_len ) {
|
||||
if ( ndn->bv_len == mt->mt_nsuffix.bv_len ) {
|
||||
return META_CANDIDATE;
|
||||
}
|
||||
break;
|
||||
|
|
@ -111,7 +109,7 @@ meta_back_is_candidate(
|
|||
return META_NOT_CANDIDATE;
|
||||
}
|
||||
|
||||
if ( scope == LDAP_SCOPE_SUBTREE && dnIsSuffix( nsuffix, ndn ) ) {
|
||||
if ( scope == LDAP_SCOPE_SUBTREE && dnIsSuffix( &mt->mt_nsuffix, ndn ) ) {
|
||||
/*
|
||||
* suffix longer than dn, but common part matches
|
||||
*/
|
||||
|
|
@ -136,12 +134,10 @@ meta_back_select_unique_candidate(
|
|||
{
|
||||
int i, candidate = META_TARGET_NONE;
|
||||
|
||||
for ( i = 0; i < mi->mi_ntargets; ++i ) {
|
||||
if ( meta_back_is_candidate( &mi->mi_targets[ i ].mt_nsuffix,
|
||||
mi->mi_targets[ i ].mt_scope,
|
||||
mi->mi_targets[ i ].mt_subtree_exclude,
|
||||
ndn, LDAP_SCOPE_BASE ) )
|
||||
{
|
||||
for ( i = 0; i < mi->mi_ntargets; i++ ) {
|
||||
metatarget_t *mt = mi->mi_targets[ i ];
|
||||
|
||||
if ( meta_back_is_candidate( mt, ndn, LDAP_SCOPE_BASE ) ) {
|
||||
if ( candidate == META_TARGET_NONE ) {
|
||||
candidate = i;
|
||||
|
||||
|
|
@ -172,7 +168,7 @@ meta_clear_unused_candidates(
|
|||
if ( i == candidate ) {
|
||||
continue;
|
||||
}
|
||||
candidates[ i ].sr_tag = META_NOT_CANDIDATE;
|
||||
META_CANDIDATE_RESET( &candidates[ i ] );
|
||||
}
|
||||
|
||||
return 0;
|
||||
|
|
@ -185,9 +181,23 @@ meta_clear_unused_candidates(
|
|||
*/
|
||||
int
|
||||
meta_clear_one_candidate(
|
||||
metasingleconn_t *msc )
|
||||
Operation *op,
|
||||
metaconn_t *mc,
|
||||
int candidate )
|
||||
{
|
||||
if ( msc->msc_ld ) {
|
||||
metasingleconn_t *msc = &mc->mc_conns[ candidate ];
|
||||
|
||||
if ( msc->msc_ld != NULL ) {
|
||||
|
||||
#ifdef DEBUG_205
|
||||
char buf[ BUFSIZ ];
|
||||
|
||||
snprintf( buf, sizeof( buf ), "meta_clear_one_candidate ldap_unbind_ext[%d] mc=%p ld=%p",
|
||||
candidate, (void *)mc, (void *)msc->msc_ld );
|
||||
Debug( LDAP_DEBUG_ANY, "### %s %s\n",
|
||||
op ? op->o_log_prefix : "", buf, 0 );
|
||||
#endif /* DEBUG_205 */
|
||||
|
||||
ldap_unbind_ext( msc->msc_ld, NULL, NULL );
|
||||
msc->msc_ld = NULL;
|
||||
}
|
||||
|
|
@ -203,25 +213,8 @@ meta_clear_one_candidate(
|
|||
BER_BVZERO( &msc->msc_cred );
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
* meta_clear_candidates
|
||||
*
|
||||
* clears all candidates
|
||||
*/
|
||||
int
|
||||
meta_clear_candidates( Operation *op, metaconn_t *mc )
|
||||
{
|
||||
metainfo_t *mi = ( metainfo_t * )op->o_bd->be_private;
|
||||
int c;
|
||||
|
||||
for ( c = 0; c < mi->mi_ntargets; c++ ) {
|
||||
if ( mc->mc_conns[ c ].msc_ld != NULL ) {
|
||||
meta_clear_one_candidate( &mc->mc_conns[ c ] );
|
||||
}
|
||||
}
|
||||
msc->msc_mscflags = 0;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -34,296 +34,122 @@
|
|||
int
|
||||
meta_back_compare( Operation *op, SlapReply *rs )
|
||||
{
|
||||
metainfo_t *mi = ( metainfo_t * )op->o_bd->be_private;
|
||||
metaconn_t *mc = NULL;
|
||||
char *match = NULL,
|
||||
*err = NULL;
|
||||
struct berval mmatch = BER_BVNULL;
|
||||
int ncandidates = 0,
|
||||
last = 0,
|
||||
i,
|
||||
count = 0,
|
||||
rc,
|
||||
cres = LDAP_SUCCESS,
|
||||
rres = LDAP_SUCCESS,
|
||||
*msgid;
|
||||
dncookie dc;
|
||||
metainfo_t *mi = ( metainfo_t * )op->o_bd->be_private;
|
||||
metatarget_t *mt;
|
||||
metaconn_t *mc;
|
||||
int rc = 0;
|
||||
int candidate = -1;
|
||||
struct berval mdn = BER_BVNULL;
|
||||
dncookie dc;
|
||||
struct berval mapped_attr = op->orc_ava->aa_desc->ad_cname;
|
||||
struct berval mapped_value = op->orc_ava->aa_value;
|
||||
int msgid;
|
||||
int do_retry = 1;
|
||||
LDAPControl **ctrls = NULL;
|
||||
|
||||
SlapReply *candidates = meta_back_candidates_get( op );
|
||||
|
||||
mc = meta_back_getconn( op, rs, NULL, LDAP_BACK_SENDERR );
|
||||
mc = meta_back_getconn( op, rs, &candidate, LDAP_BACK_SENDERR );
|
||||
if ( !mc || !meta_back_dobind( op, rs, mc, LDAP_BACK_SENDERR ) ) {
|
||||
return rs->sr_err;
|
||||
}
|
||||
|
||||
msgid = ch_calloc( sizeof( int ), mi->mi_ntargets );
|
||||
if ( msgid == NULL ) {
|
||||
send_ldap_error( op, rs, LDAP_OTHER, NULL );
|
||||
rc = LDAP_OTHER;
|
||||
goto done;
|
||||
}
|
||||
|
||||
assert( mc->mc_conns[ candidate ].msc_ld != NULL );
|
||||
|
||||
/*
|
||||
* start an asynchronous compare for each candidate target
|
||||
* Rewrite the modify dn, if needed
|
||||
*/
|
||||
mt = mi->mi_targets[ candidate ];
|
||||
dc.target = mt;
|
||||
dc.conn = op->o_conn;
|
||||
dc.rs = rs;
|
||||
dc.ctx = "compareDN";
|
||||
|
||||
for ( i = 0; i < mi->mi_ntargets; i++ ) {
|
||||
struct berval mdn = BER_BVNULL;
|
||||
struct berval mapped_attr = op->orc_ava->aa_desc->ad_cname;
|
||||
struct berval mapped_value = op->orc_ava->aa_value;
|
||||
switch ( ldap_back_dn_massage( &dc, &op->o_req_dn, &mdn ) ) {
|
||||
case LDAP_UNWILLING_TO_PERFORM:
|
||||
rc = 1;
|
||||
goto cleanup;
|
||||
|
||||
if ( candidates[ i ].sr_tag != META_CANDIDATE ) {
|
||||
msgid[ i ] = -1;
|
||||
continue;
|
||||
}
|
||||
|
||||
/*
|
||||
* Rewrite the compare dn, if needed
|
||||
*/
|
||||
dc.target = &mi->mi_targets[ i ];
|
||||
|
||||
switch ( ldap_back_dn_massage( &dc, &op->o_req_dn, &mdn ) ) {
|
||||
case LDAP_UNWILLING_TO_PERFORM:
|
||||
rc = 1;
|
||||
goto finish;
|
||||
|
||||
default:
|
||||
break;
|
||||
}
|
||||
|
||||
/*
|
||||
* if attr is objectClass, try to remap the value
|
||||
*/
|
||||
if ( op->orc_ava->aa_desc == slap_schema.si_ad_objectClass ) {
|
||||
ldap_back_map( &mi->mi_targets[ i ].mt_rwmap.rwm_oc,
|
||||
&op->orc_ava->aa_value,
|
||||
&mapped_value, BACKLDAP_MAP );
|
||||
|
||||
if ( BER_BVISNULL( &mapped_value ) || mapped_value.bv_val[0] == '\0' ) {
|
||||
continue;
|
||||
}
|
||||
/*
|
||||
* else try to remap the attribute
|
||||
*/
|
||||
} else {
|
||||
ldap_back_map( &mi->mi_targets[ i ].mt_rwmap.rwm_at,
|
||||
&op->orc_ava->aa_desc->ad_cname,
|
||||
&mapped_attr, BACKLDAP_MAP );
|
||||
if ( BER_BVISNULL( &mapped_attr ) || mapped_attr.bv_val[0] == '\0' ) {
|
||||
continue;
|
||||
}
|
||||
|
||||
if ( op->orc_ava->aa_desc->ad_type->sat_syntax == slap_schema.si_syn_distinguishedName )
|
||||
{
|
||||
dc.ctx = "compareAttrDN";
|
||||
|
||||
switch ( ldap_back_dn_massage( &dc, &op->orc_ava->aa_value, &mapped_value ) )
|
||||
{
|
||||
case LDAP_UNWILLING_TO_PERFORM:
|
||||
rc = 1;
|
||||
goto finish;
|
||||
|
||||
default:
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* the compare op is spawned across the targets and the first
|
||||
* that returns determines the result; a constraint on unicity
|
||||
* of the result ought to be enforced
|
||||
*/
|
||||
rc = ldap_compare_ext( mc->mc_conns[ i ].msc_ld, mdn.bv_val,
|
||||
mapped_attr.bv_val, &mapped_value,
|
||||
op->o_ctrls, NULL, &msgid[ i ] );
|
||||
|
||||
if ( mdn.bv_val != op->o_req_dn.bv_val ) {
|
||||
free( mdn.bv_val );
|
||||
BER_BVZERO( &mdn );
|
||||
}
|
||||
|
||||
if ( mapped_attr.bv_val != op->orc_ava->aa_desc->ad_cname.bv_val ) {
|
||||
free( mapped_attr.bv_val );
|
||||
BER_BVZERO( &mapped_attr );
|
||||
}
|
||||
|
||||
if ( mapped_value.bv_val != op->orc_ava->aa_value.bv_val ) {
|
||||
free( mapped_value.bv_val );
|
||||
BER_BVZERO( &mapped_value );
|
||||
}
|
||||
|
||||
if ( rc != LDAP_SUCCESS ) {
|
||||
/* FIXME: what should we do with the error? */
|
||||
continue;
|
||||
}
|
||||
|
||||
++ncandidates;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
|
||||
/*
|
||||
* wait for replies
|
||||
* if attr is objectClass, try to remap the value
|
||||
*/
|
||||
for ( rc = 0, count = 0; ncandidates > 0; ) {
|
||||
if ( op->orc_ava->aa_desc == slap_schema.si_ad_objectClass ) {
|
||||
ldap_back_map( &mt->mt_rwmap.rwm_oc,
|
||||
&op->orc_ava->aa_value,
|
||||
&mapped_value, BACKLDAP_MAP );
|
||||
|
||||
/*
|
||||
* FIXME: should we check for abandon?
|
||||
*/
|
||||
for ( i = 0; i < mi->mi_ntargets; i++ ) {
|
||||
metasingleconn_t *msc = &mc->mc_conns[ i ];
|
||||
int lrc;
|
||||
LDAPMessage *res = NULL;
|
||||
struct timeval tv;
|
||||
if ( BER_BVISNULL( &mapped_value ) || BER_BVISEMPTY( &mapped_value ) ) {
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
LDAP_BACK_TV_SET( &tv );
|
||||
/*
|
||||
* else try to remap the attribute
|
||||
*/
|
||||
} else {
|
||||
ldap_back_map( &mt->mt_rwmap.rwm_at,
|
||||
&op->orc_ava->aa_desc->ad_cname,
|
||||
&mapped_attr, BACKLDAP_MAP );
|
||||
if ( BER_BVISNULL( &mapped_attr ) || BER_BVISEMPTY( &mapped_attr ) ) {
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
if ( msgid[ i ] == -1 ) {
|
||||
continue;
|
||||
}
|
||||
if ( op->orc_ava->aa_desc->ad_type->sat_syntax == slap_schema.si_syn_distinguishedName )
|
||||
{
|
||||
dc.ctx = "compareAttrDN";
|
||||
|
||||
lrc = ldap_result( msc->msc_ld, msgid[ i ],
|
||||
LDAP_MSG_ALL, &tv, &res );
|
||||
switch ( ldap_back_dn_massage( &dc, &op->orc_ava->aa_value, &mapped_value ) )
|
||||
{
|
||||
case LDAP_UNWILLING_TO_PERFORM:
|
||||
rc = 1;
|
||||
goto cleanup;
|
||||
|
||||
if ( lrc == 0 ) {
|
||||
assert( res == NULL );
|
||||
continue;
|
||||
|
||||
} else if ( lrc == -1 ) {
|
||||
/* we do not retry in this case;
|
||||
* only for unique operations... */
|
||||
ldap_get_option( msc->msc_ld,
|
||||
LDAP_OPT_ERROR_NUMBER, &rs->sr_err );
|
||||
rres = slap_map_api2result( rs );
|
||||
rres = rc;
|
||||
rc = -1;
|
||||
goto finish;
|
||||
|
||||
} else if ( lrc == LDAP_RES_COMPARE ) {
|
||||
if ( count > 0 ) {
|
||||
rres = LDAP_OTHER;
|
||||
rc = -1;
|
||||
goto finish;
|
||||
}
|
||||
|
||||
rc = ldap_parse_result( msc->msc_ld, res,
|
||||
&rs->sr_err,
|
||||
NULL, NULL, NULL, NULL, 1 );
|
||||
if ( rc != LDAP_SUCCESS ) {
|
||||
rres = rc;
|
||||
rc = -1;
|
||||
goto finish;
|
||||
}
|
||||
|
||||
switch ( rs->sr_err ) {
|
||||
case LDAP_COMPARE_TRUE:
|
||||
case LDAP_COMPARE_FALSE:
|
||||
|
||||
/*
|
||||
* true or false, got it;
|
||||
* sending to cache ...
|
||||
*/
|
||||
if ( mi->mi_cache.ttl != META_DNCACHE_DISABLED ) {
|
||||
( void )meta_dncache_update_entry( &mi->mi_cache, &op->o_req_ndn, i );
|
||||
}
|
||||
|
||||
count++;
|
||||
rc = 0;
|
||||
break;
|
||||
|
||||
default:
|
||||
rres = slap_map_api2result( rs );
|
||||
|
||||
if ( err != NULL ) {
|
||||
free( err );
|
||||
}
|
||||
ldap_get_option( msc->msc_ld,
|
||||
LDAP_OPT_ERROR_STRING, &err );
|
||||
|
||||
if ( match != NULL ) {
|
||||
free( match );
|
||||
}
|
||||
ldap_get_option( msc->msc_ld,
|
||||
LDAP_OPT_MATCHED_DN, &match );
|
||||
|
||||
last = i;
|
||||
break;
|
||||
}
|
||||
msgid[ i ] = -1;
|
||||
--ncandidates;
|
||||
|
||||
} else {
|
||||
msgid[ i ] = -1;
|
||||
--ncandidates;
|
||||
if ( res ) {
|
||||
ldap_msgfree( res );
|
||||
}
|
||||
default:
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
finish:;
|
||||
retry:;
|
||||
ctrls = op->o_ctrls;
|
||||
rc = ldap_back_proxy_authz_ctrl( &mc->mc_conns[ candidate ].msc_bound_ndn,
|
||||
mt->mt_version, &mt->mt_idassert, op, rs, &ctrls );
|
||||
if ( rc != LDAP_SUCCESS ) {
|
||||
send_ldap_result( op, rs );
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
/*
|
||||
* Rewrite the matched portion of the search base, if required
|
||||
*
|
||||
* FIXME: only the last one gets caught!
|
||||
*/
|
||||
if ( count == 1 ) {
|
||||
if ( match != NULL ) {
|
||||
free( match );
|
||||
match = NULL;
|
||||
}
|
||||
|
||||
/*
|
||||
* the result of the compare is assigned to the res code
|
||||
* that will be returned
|
||||
*/
|
||||
rres = cres;
|
||||
|
||||
/*
|
||||
* At least one compare failed with matched portion,
|
||||
* and none was successful
|
||||
*/
|
||||
} else if ( match != NULL && match[ 0 ] != '\0' ) {
|
||||
struct berval matched, pmatched;
|
||||
rs->sr_err = ldap_compare_ext( mc->mc_conns[ candidate ].msc_ld, mdn.bv_val,
|
||||
mapped_attr.bv_val, &mapped_value,
|
||||
ctrls, NULL, &msgid );
|
||||
|
||||
ber_str2bv( match, 0, 0, &matched );
|
||||
|
||||
dc.ctx = "matchedDN";
|
||||
ldap_back_dn_massage( &dc, &matched, &mmatch );
|
||||
if ( dnPretty( NULL, &mmatch, &pmatched, NULL ) == LDAP_SUCCESS ) {
|
||||
if ( mmatch.bv_val != match ) {
|
||||
free( mmatch.bv_val );
|
||||
}
|
||||
mmatch = pmatched;
|
||||
rs->sr_err = meta_back_op_result( mc, op, rs, candidate, msgid,
|
||||
mt->mt_timeout[ SLAP_OP_COMPARE ], LDAP_BACK_SENDRESULT );
|
||||
if ( rs->sr_err == LDAP_UNAVAILABLE && do_retry ) {
|
||||
do_retry = 0;
|
||||
if ( meta_back_retry( op, rs, &mc, candidate, LDAP_BACK_SENDERR ) ) {
|
||||
/* if the identity changed, there might be need to re-authz */
|
||||
(void)ldap_back_proxy_authz_ctrl_free( op, &ctrls );
|
||||
goto retry;
|
||||
}
|
||||
}
|
||||
|
||||
if ( rres != LDAP_SUCCESS ) {
|
||||
rs->sr_err = rres;
|
||||
}
|
||||
rs->sr_matched = mmatch.bv_val;
|
||||
send_ldap_result( op, rs );
|
||||
rs->sr_matched = NULL;
|
||||
cleanup:;
|
||||
(void)ldap_back_proxy_authz_ctrl_free( op, &ctrls );
|
||||
|
||||
if ( match != NULL ) {
|
||||
if ( mmatch.bv_val != match ) {
|
||||
free( mmatch.bv_val );
|
||||
}
|
||||
free( match );
|
||||
if ( mdn.bv_val != op->o_req_dn.bv_val ) {
|
||||
free( mdn.bv_val );
|
||||
}
|
||||
|
||||
if ( msgid ) {
|
||||
free( msgid );
|
||||
if ( op->orc_ava->aa_value.bv_val != mapped_value.bv_val ) {
|
||||
free( mapped_value.bv_val );
|
||||
}
|
||||
|
||||
done:;
|
||||
meta_back_release_conn( op, mc );
|
||||
if ( mc ) {
|
||||
meta_back_release_conn( op, mc );
|
||||
}
|
||||
|
||||
return rc;
|
||||
return rs->sr_err;
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -36,19 +36,21 @@
|
|||
|
||||
static int
|
||||
meta_back_new_target(
|
||||
metatarget_t *mt )
|
||||
metatarget_t **mtp )
|
||||
{
|
||||
struct ldapmapping *mapping;
|
||||
char *rargv[ 3 ];
|
||||
metatarget_t *mt;
|
||||
|
||||
memset( mt, 0, sizeof( metatarget_t ) );
|
||||
*mtp = NULL;
|
||||
|
||||
mt = ch_calloc( sizeof( metatarget_t ), 1 );
|
||||
|
||||
mt->mt_rwmap.rwm_rw = rewrite_info_init( REWRITE_MODE_USE_DEFAULT );
|
||||
if ( mt->mt_rwmap.rwm_rw == NULL ) {
|
||||
return -1;
|
||||
ch_free( mt );
|
||||
return -1;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* the filter rewrite as a string must be disabled
|
||||
* by default; it can be re-enabled by adding rules;
|
||||
|
|
@ -64,7 +66,16 @@ meta_back_new_target(
|
|||
rargv[ 2 ] = NULL;
|
||||
rewrite_parse( mt->mt_rwmap.rwm_rw, "<suffix massage>", 1, 2, rargv );
|
||||
|
||||
ldap_back_map_init( &mt->mt_rwmap.rwm_at, &mapping );
|
||||
ldap_pvt_thread_mutex_init( &mt->mt_uri_mutex );
|
||||
|
||||
mt->mt_idassert_mode = LDAP_BACK_IDASSERT_LEGACY;
|
||||
mt->mt_idassert_authmethod = LDAP_AUTH_NONE;
|
||||
mt->mt_idassert_tls = SB_TLS_DEFAULT;
|
||||
|
||||
/* by default, use proxyAuthz control on each operation */
|
||||
mt->mt_idassert_flags = LDAP_BACK_AUTH_PRESCRIPTIVE;
|
||||
|
||||
*mtp = mt;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
|
@ -107,6 +118,8 @@ meta_back_db_config(
|
|||
struct berval dn;
|
||||
int rc;
|
||||
int c;
|
||||
|
||||
metatarget_t *mt;
|
||||
|
||||
switch ( argc ) {
|
||||
case 1:
|
||||
|
|
@ -136,8 +149,8 @@ meta_back_db_config(
|
|||
|
||||
++mi->mi_ntargets;
|
||||
|
||||
mi->mi_targets = ( metatarget_t * )ch_realloc( mi->mi_targets,
|
||||
sizeof( metatarget_t ) * mi->mi_ntargets );
|
||||
mi->mi_targets = ( metatarget_t ** )ch_realloc( mi->mi_targets,
|
||||
sizeof( metatarget_t * ) * mi->mi_ntargets );
|
||||
if ( mi->mi_targets == NULL ) {
|
||||
Debug( LDAP_DEBUG_ANY,
|
||||
"%s: line %d: out of memory while storing server name"
|
||||
|
|
@ -154,19 +167,29 @@ meta_back_db_config(
|
|||
return 1;
|
||||
}
|
||||
|
||||
mi->mi_targets[ i ].mt_nretries = mi->mi_nretries;
|
||||
mi->mi_targets[ i ].mt_flags = mi->mi_flags;
|
||||
mi->mi_targets[ i ].mt_version = mi->mi_version;
|
||||
mi->mi_targets[ i ].mt_network_timeout = mi->mi_network_timeout;
|
||||
mi->mi_targets[ i ].mt_bind_timeout = mi->mi_bind_timeout;
|
||||
for ( c = 0; c < LDAP_BACK_OP_LAST; c++ ) {
|
||||
mi->mi_targets[ i ].mt_timeout[ c ] = mi->mi_timeout[ c ];
|
||||
mt = mi->mi_targets[ i ];
|
||||
|
||||
mt->mt_rebind_f = mi->mi_rebind_f;
|
||||
mt->mt_urllist_p = mt;
|
||||
|
||||
mt->mt_nretries = mi->mi_nretries;
|
||||
mt->mt_quarantine = mi->mi_quarantine;
|
||||
if ( META_BACK_QUARANTINE( mi ) ) {
|
||||
ldap_pvt_thread_mutex_init( &mt->mt_quarantine_mutex );
|
||||
}
|
||||
mt->mt_flags = mi->mi_flags;
|
||||
mt->mt_version = mi->mi_version;
|
||||
mt->mt_network_timeout = mi->mi_network_timeout;
|
||||
mt->mt_bind_timeout = mi->mi_bind_timeout;
|
||||
for ( c = 0; c < SLAP_OP_LAST; c++ ) {
|
||||
mt->mt_timeout[ c ] = mi->mi_timeout[ c ];
|
||||
}
|
||||
|
||||
/*
|
||||
* uri MUST be legal!
|
||||
*/
|
||||
if ( ldap_url_parselist_ext( &ludp, argv[ 1 ], "\t" ) != LDAP_SUCCESS ) {
|
||||
if ( ldap_url_parselist_ext( &ludp, argv[ 1 ], "\t" ) != LDAP_SUCCESS )
|
||||
{
|
||||
Debug( LDAP_DEBUG_ANY,
|
||||
"%s: line %d: unable to parse URI"
|
||||
" in \"uri <protocol>://<server>[:port]/<naming context>\" line\n",
|
||||
|
|
@ -206,8 +229,8 @@ meta_back_db_config(
|
|||
* copies and stores uri and suffix
|
||||
*/
|
||||
ber_str2bv( ludp->lud_dn, 0, 0, &dn );
|
||||
rc = dnPrettyNormal( NULL, &dn, &mi->mi_targets[ i ].mt_psuffix,
|
||||
&mi->mi_targets[ i ].mt_nsuffix, NULL );
|
||||
rc = dnPrettyNormal( NULL, &dn, &mt->mt_psuffix,
|
||||
&mt->mt_nsuffix, NULL );
|
||||
if( rc != LDAP_SUCCESS ) {
|
||||
Debug( LDAP_DEBUG_ANY, "%s: line %d: "
|
||||
"target \"%s\" DN is invalid\n",
|
||||
|
|
@ -219,12 +242,12 @@ meta_back_db_config(
|
|||
|
||||
switch ( ludp->lud_scope ) {
|
||||
case LDAP_SCOPE_DEFAULT:
|
||||
mi->mi_targets[ i ].mt_scope = LDAP_SCOPE_SUBTREE;
|
||||
mt->mt_scope = LDAP_SCOPE_SUBTREE;
|
||||
break;
|
||||
|
||||
case LDAP_SCOPE_SUBTREE:
|
||||
case LDAP_SCOPE_SUBORDINATE:
|
||||
mi->mi_targets[ i ].mt_scope = ludp->lud_scope;
|
||||
mt->mt_scope = ludp->lud_scope;
|
||||
break;
|
||||
|
||||
default:
|
||||
|
|
@ -246,9 +269,9 @@ meta_back_db_config(
|
|||
}
|
||||
}
|
||||
|
||||
mi->mi_targets[ i ].mt_uri = ldap_url_list2urls( ludp );
|
||||
mt->mt_uri = ldap_url_list2urls( ludp );
|
||||
ldap_free_urllist( ludp );
|
||||
if ( mi->mi_targets[ i ].mt_uri == NULL) {
|
||||
if ( mt->mt_uri == NULL) {
|
||||
Debug( LDAP_DEBUG_ANY, "%s: line %d: no memory?\n",
|
||||
fname, lineno, 0 );
|
||||
return( 1 );
|
||||
|
|
@ -258,7 +281,7 @@ meta_back_db_config(
|
|||
* uri MUST be a branch of suffix!
|
||||
*/
|
||||
#if 0 /* too strict a constraint */
|
||||
if ( select_backend( &mi->mi_targets[ i ].suffix, 0, 0 ) != be ) {
|
||||
if ( select_backend( &mt->mt_nsuffix, 0, 0 ) != be ) {
|
||||
Debug( LDAP_DEBUG_ANY,
|
||||
"%s: line %d: <naming context> of URI does not refer to current backend"
|
||||
" in \"uri <protocol>://<server>[:port]/<naming context>\" line\n",
|
||||
|
|
@ -269,7 +292,7 @@ meta_back_db_config(
|
|||
/*
|
||||
* uri MUST be a branch of a suffix!
|
||||
*/
|
||||
if ( select_backend( &mi->mi_targets[ i ].mt_nsuffix, 0, 0 ) == NULL ) {
|
||||
if ( select_backend( &mt->mt_nsuffix, 0, 0 ) == NULL ) {
|
||||
Debug( LDAP_DEBUG_ANY,
|
||||
"%s: line %d: <naming context> of URI does not resolve to a backend"
|
||||
" in \"uri <protocol>://<server>[:port]/<naming context>\" line\n",
|
||||
|
|
@ -317,7 +340,7 @@ meta_back_db_config(
|
|||
return( 1 );
|
||||
}
|
||||
|
||||
if ( !dnIsSuffix( &ndn, &mi->mi_targets[ i ].mt_nsuffix ) ) {
|
||||
if ( !dnIsSuffix( &ndn, &mi->mi_targets[ i ]->mt_nsuffix ) ) {
|
||||
Debug( LDAP_DEBUG_ANY, "%s: line %d: "
|
||||
"subtree-exclude DN=\"%s\" "
|
||||
"must be subtree of target\n",
|
||||
|
|
@ -326,12 +349,12 @@ meta_back_db_config(
|
|||
return( 1 );
|
||||
}
|
||||
|
||||
if ( mi->mi_targets[ i ].mt_subtree_exclude != NULL ) {
|
||||
if ( mi->mi_targets[ i ]->mt_subtree_exclude != NULL ) {
|
||||
int j;
|
||||
|
||||
for ( j = 0; !BER_BVISNULL( &mi->mi_targets[ i ].mt_subtree_exclude[ j ] ); j++ )
|
||||
for ( j = 0; !BER_BVISNULL( &mi->mi_targets[ i ]->mt_subtree_exclude[ j ] ); j++ )
|
||||
{
|
||||
if ( dnIsSuffix( &mi->mi_targets[ i ].mt_subtree_exclude[ j ], &ndn ) ) {
|
||||
if ( dnIsSuffix( &mi->mi_targets[ i ]->mt_subtree_exclude[ j ], &ndn ) ) {
|
||||
Debug( LDAP_DEBUG_ANY, "%s: line %d: "
|
||||
"subtree-exclude DN=\"%s\" "
|
||||
"is suffix of another subtree-exclude\n",
|
||||
|
|
@ -341,7 +364,7 @@ meta_back_db_config(
|
|||
ber_memfree( ndn.bv_val );
|
||||
return( 1 );
|
||||
|
||||
} else if ( dnIsSuffix( &ndn, &mi->mi_targets[ i ].mt_subtree_exclude[ j ] ) ) {
|
||||
} else if ( dnIsSuffix( &ndn, &mi->mi_targets[ i ]->mt_subtree_exclude[ j ] ) ) {
|
||||
Debug( LDAP_DEBUG_ANY, "%s: line %d: "
|
||||
"another subtree-exclude is suffix of "
|
||||
"subtree-exclude DN=\"%s\"\n",
|
||||
|
|
@ -352,7 +375,7 @@ meta_back_db_config(
|
|||
}
|
||||
}
|
||||
|
||||
ber_bvarray_add( &mi->mi_targets[ i ].mt_subtree_exclude, &ndn );
|
||||
ber_bvarray_add( &mi->mi_targets[ i ]->mt_subtree_exclude, &ndn );
|
||||
|
||||
/* default target directive */
|
||||
} else if ( strcasecmp( argv[ 0 ], "default-target" ) == 0 ) {
|
||||
|
|
@ -423,7 +446,7 @@ meta_back_db_config(
|
|||
} else if ( strcasecmp( argv[ 0 ], "network-timeout" ) == 0 ) {
|
||||
unsigned long t;
|
||||
time_t *tp = mi->mi_ntargets ?
|
||||
&mi->mi_targets[ mi->mi_ntargets - 1 ].mt_network_timeout
|
||||
&mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_network_timeout
|
||||
: &mi->mi_network_timeout;
|
||||
|
||||
if ( argc != 2 ) {
|
||||
|
|
@ -505,7 +528,7 @@ meta_back_db_config(
|
|||
} else if ( strcasecmp( argv[ 0 ], "bind-timeout" ) == 0 ) {
|
||||
unsigned long t;
|
||||
struct timeval *tp = mi->mi_ntargets ?
|
||||
&mi->mi_targets[ mi->mi_ntargets - 1 ].mt_bind_timeout
|
||||
&mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_bind_timeout
|
||||
: &mi->mi_bind_timeout;
|
||||
|
||||
switch ( argc ) {
|
||||
|
|
@ -564,7 +587,7 @@ meta_back_db_config(
|
|||
}
|
||||
|
||||
ber_str2bv( argv[ 1 ], 0, 0, &dn );
|
||||
if ( dnNormalize( 0, NULL, NULL, &dn, &mi->mi_targets[ i ].mt_binddn,
|
||||
if ( dnNormalize( 0, NULL, NULL, &dn, &mi->mi_targets[ i ]->mt_binddn,
|
||||
NULL ) != LDAP_SUCCESS )
|
||||
{
|
||||
Debug( LDAP_DEBUG_ANY, "%s: line %d: "
|
||||
|
|
@ -601,7 +624,7 @@ meta_back_db_config(
|
|||
/* FIXME: some day we'll need to throw an error */
|
||||
}
|
||||
|
||||
ber_str2bv( argv[ 1 ], 0L, 1, &mi->mi_targets[ i ].mt_bindpw );
|
||||
ber_str2bv( argv[ 1 ], 0L, 1, &mi->mi_targets[ i ]->mt_bindpw );
|
||||
|
||||
/* save bind creds for referral rebinds? */
|
||||
} else if ( strcasecmp( argv[ 0 ], "rebind-as-user" ) == 0 ) {
|
||||
|
|
@ -638,7 +661,7 @@ meta_back_db_config(
|
|||
|
||||
} else if ( strcasecmp( argv[ 0 ], "chase-referrals" ) == 0 ) {
|
||||
unsigned *flagsp = mi->mi_ntargets ?
|
||||
&mi->mi_targets[ mi->mi_ntargets - 1 ].mt_flags
|
||||
&mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_flags
|
||||
: &mi->mi_flags;
|
||||
|
||||
if ( argc != 2 ) {
|
||||
|
|
@ -667,7 +690,7 @@ meta_back_db_config(
|
|||
|
||||
} else if ( strcasecmp( argv[ 0 ], "tls" ) == 0 ) {
|
||||
unsigned *flagsp = mi->mi_ntargets ?
|
||||
&mi->mi_targets[ mi->mi_ntargets - 1 ].mt_flags
|
||||
&mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_flags
|
||||
: &mi->mi_flags;
|
||||
|
||||
if ( argc != 2 ) {
|
||||
|
|
@ -704,7 +727,7 @@ meta_back_db_config(
|
|||
|
||||
} else if ( strcasecmp( argv[ 0 ], "t-f-support" ) == 0 ) {
|
||||
unsigned *flagsp = mi->mi_ntargets ?
|
||||
&mi->mi_targets[ mi->mi_ntargets - 1 ].mt_flags
|
||||
&mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_flags
|
||||
: &mi->mi_flags;
|
||||
|
||||
if ( argc != 2 ) {
|
||||
|
|
@ -716,16 +739,16 @@ meta_back_db_config(
|
|||
|
||||
switch ( check_true_false( argv[ 1 ] ) ) {
|
||||
case 0:
|
||||
*flagsp &= ~(LDAP_BACK_F_SUPPORT_T_F|LDAP_BACK_F_SUPPORT_T_F_DISCOVER);
|
||||
*flagsp &= ~LDAP_BACK_F_T_F_MASK2;
|
||||
break;
|
||||
|
||||
case 1:
|
||||
*flagsp |= LDAP_BACK_F_SUPPORT_T_F;
|
||||
*flagsp |= LDAP_BACK_F_T_F;
|
||||
break;
|
||||
|
||||
default:
|
||||
if ( strcasecmp( argv[ 1 ], "discover" ) == 0 ) {
|
||||
*flagsp |= LDAP_BACK_F_SUPPORT_T_F_DISCOVER;
|
||||
*flagsp |= LDAP_BACK_F_T_F_DISCOVER;
|
||||
|
||||
} else {
|
||||
Debug( LDAP_DEBUG_ANY,
|
||||
|
|
@ -740,29 +763,34 @@ meta_back_db_config(
|
|||
} else if ( strcasecmp( argv[ 0 ], "onerr" ) == 0 ) {
|
||||
if ( argc != 2 ) {
|
||||
Debug( LDAP_DEBUG_ANY,
|
||||
"%s: line %d: \"onerr {CONTINUE|stop}\" takes 1 argument\n",
|
||||
"%s: line %d: \"onerr {CONTINUE|report|stop}\" takes 1 argument\n",
|
||||
fname, lineno, 0 );
|
||||
return( 1 );
|
||||
}
|
||||
|
||||
if ( strcasecmp( argv[ 1 ], "continue" ) == 0 ) {
|
||||
mi->mi_flags &= ~META_BACK_F_ONERR_STOP;
|
||||
mi->mi_flags &= ~META_BACK_F_ONERR_MASK;
|
||||
|
||||
} else if ( strcasecmp( argv[ 1 ], "stop" ) == 0 ) {
|
||||
mi->mi_flags |= META_BACK_F_ONERR_STOP;
|
||||
|
||||
} else if ( strcasecmp( argv[ 1 ], "report" ) == 0 ) {
|
||||
mi->mi_flags |= META_BACK_F_ONERR_REPORT;
|
||||
|
||||
} else {
|
||||
Debug( LDAP_DEBUG_ANY,
|
||||
"%s: line %d: \"onerr {CONTINUE|stop}\": invalid arg \"%s\".\n",
|
||||
"%s: line %d: \"onerr {CONTINUE|report|stop}\": invalid arg \"%s\".\n",
|
||||
fname, lineno, argv[ 1 ] );
|
||||
return 1;
|
||||
}
|
||||
|
||||
/* bind-defer? */
|
||||
} else if ( strcasecmp( argv[ 0 ], "pseudoroot-bind-defer" ) == 0 ) {
|
||||
} else if ( strcasecmp( argv[ 0 ], "pseudoroot-bind-defer" ) == 0
|
||||
|| strcasecmp( argv[ 0 ], "root-bind-defer" ) == 0 )
|
||||
{
|
||||
if ( argc != 2 ) {
|
||||
Debug( LDAP_DEBUG_ANY,
|
||||
"%s: line %d: \"pseudoroot-bind-defer {FALSE|true}\" takes 1 argument\n",
|
||||
"%s: line %d: \"[pseudo]root-bind-defer {FALSE|true}\" takes 1 argument\n",
|
||||
fname, lineno, 0 );
|
||||
return( 1 );
|
||||
}
|
||||
|
|
@ -778,21 +806,148 @@ meta_back_db_config(
|
|||
|
||||
default:
|
||||
Debug( LDAP_DEBUG_ANY,
|
||||
"%s: line %d: \"pseudoroot-bind-defer {FALSE|true}\": invalid arg \"%s\".\n",
|
||||
"%s: line %d: \"[pseudo]root-bind-defer {FALSE|true}\": invalid arg \"%s\".\n",
|
||||
fname, lineno, argv[ 1 ] );
|
||||
return 1;
|
||||
}
|
||||
|
||||
/* single-conn? */
|
||||
} else if ( strcasecmp( argv[ 0 ], "single-conn" ) == 0 ) {
|
||||
if ( argc != 2 ) {
|
||||
Debug( LDAP_DEBUG_ANY,
|
||||
"%s: line %d: \"single-conn {FALSE|true}\" takes 1 argument\n",
|
||||
fname, lineno, 0 );
|
||||
return( 1 );
|
||||
}
|
||||
|
||||
if ( mi->mi_ntargets > 0 ) {
|
||||
Debug( LDAP_DEBUG_ANY,
|
||||
"%s: line %d: \"single-conn\" must appear before target definitions\n",
|
||||
fname, lineno, 0 );
|
||||
return( 1 );
|
||||
}
|
||||
|
||||
switch ( check_true_false( argv[ 1 ] ) ) {
|
||||
case 0:
|
||||
mi->mi_flags &= ~LDAP_BACK_F_SINGLECONN;
|
||||
break;
|
||||
|
||||
case 1:
|
||||
mi->mi_flags |= LDAP_BACK_F_SINGLECONN;
|
||||
break;
|
||||
|
||||
default:
|
||||
Debug( LDAP_DEBUG_ANY,
|
||||
"%s: line %d: \"single-conn {FALSE|true}\": invalid arg \"%s\".\n",
|
||||
fname, lineno, argv[ 1 ] );
|
||||
return 1;
|
||||
}
|
||||
|
||||
/* use-temporaries? */
|
||||
} else if ( strcasecmp( argv[ 0 ], "use-temporary-conn" ) == 0 ) {
|
||||
if ( argc != 2 ) {
|
||||
Debug( LDAP_DEBUG_ANY,
|
||||
"%s: line %d: \"use-temporary-conn {FALSE|true}\" takes 1 argument\n",
|
||||
fname, lineno, 0 );
|
||||
return( 1 );
|
||||
}
|
||||
|
||||
if ( mi->mi_ntargets > 0 ) {
|
||||
Debug( LDAP_DEBUG_ANY,
|
||||
"%s: line %d: \"use-temporary-conn\" must appear before target definitions\n",
|
||||
fname, lineno, 0 );
|
||||
return( 1 );
|
||||
}
|
||||
|
||||
switch ( check_true_false( argv[ 1 ] ) ) {
|
||||
case 0:
|
||||
mi->mi_flags &= ~LDAP_BACK_F_USE_TEMPORARIES;
|
||||
break;
|
||||
|
||||
case 1:
|
||||
mi->mi_flags |= LDAP_BACK_F_USE_TEMPORARIES;
|
||||
break;
|
||||
|
||||
default:
|
||||
Debug( LDAP_DEBUG_ANY,
|
||||
"%s: line %d: \"use-temporary-conn {FALSE|true}\": invalid arg \"%s\".\n",
|
||||
fname, lineno, argv[ 1 ] );
|
||||
return 1;
|
||||
}
|
||||
|
||||
/* privileged connections pool max size ? */
|
||||
} else if ( strcasecmp( argv[ 0 ], "conn-pool-max" ) == 0 ) {
|
||||
if ( argc != 2 ) {
|
||||
Debug( LDAP_DEBUG_ANY,
|
||||
"%s: line %d: \"conn-pool-max <n>\" takes 1 argument\n",
|
||||
fname, lineno, 0 );
|
||||
return( 1 );
|
||||
}
|
||||
|
||||
if ( mi->mi_ntargets > 0 ) {
|
||||
Debug( LDAP_DEBUG_ANY,
|
||||
"%s: line %d: \"conn-pool-max\" must appear before target definitions\n",
|
||||
fname, lineno, 0 );
|
||||
return( 1 );
|
||||
}
|
||||
|
||||
if ( lutil_atoi( &mi->mi_conn_priv_max, argv[1] )
|
||||
|| mi->mi_conn_priv_max < LDAP_BACK_CONN_PRIV_MIN
|
||||
|| mi->mi_conn_priv_max > LDAP_BACK_CONN_PRIV_MAX )
|
||||
{
|
||||
Debug( LDAP_DEBUG_ANY,
|
||||
"%s: line %d: \"conn-pool-max <n>\": invalid arg \"%s\".\n",
|
||||
fname, lineno, argv[ 1 ] );
|
||||
return 1;
|
||||
}
|
||||
|
||||
} else if ( strcasecmp( argv[ 0 ], "cancel" ) == 0 ) {
|
||||
unsigned flag = 0;
|
||||
unsigned *flagsp = mi->mi_ntargets ?
|
||||
&mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_flags
|
||||
: &mi->mi_flags;
|
||||
|
||||
if ( argc != 2 ) {
|
||||
Debug( LDAP_DEBUG_ANY,
|
||||
"%s: line %d: \"cancel {abandon|ignore|exop}\" takes 1 argument\n",
|
||||
fname, lineno, 0 );
|
||||
return( 1 );
|
||||
}
|
||||
|
||||
if ( strcasecmp( argv[ 1 ], "abandon" ) == 0 ) {
|
||||
flag = LDAP_BACK_F_CANCEL_ABANDON;
|
||||
|
||||
#if 0 /* needs ldap_int_discard(), 2.4 */
|
||||
} else if ( strcasecmp( argv[ 1 ], "ignore" ) == 0 ) {
|
||||
flag = LDAP_BACK_F_CANCEL_IGNORE;
|
||||
#endif
|
||||
|
||||
} else if ( strcasecmp( argv[ 1 ], "exop" ) == 0 ) {
|
||||
flag = LDAP_BACK_F_CANCEL_EXOP;
|
||||
|
||||
} else if ( strcasecmp( argv[ 1 ], "exop-discover" ) == 0 ) {
|
||||
flag = LDAP_BACK_F_CANCEL_EXOP_DISCOVER;
|
||||
|
||||
} else {
|
||||
Debug( LDAP_DEBUG_ANY,
|
||||
"%s: line %d: \"cancel {abandon|ignore|exop[-discover]}\": unknown mode \"%s\" \n",
|
||||
fname, lineno, argv[ 1 ] );
|
||||
return( 1 );
|
||||
}
|
||||
|
||||
*flagsp &= ~LDAP_BACK_F_CANCEL_MASK2;
|
||||
*flagsp |= flag;
|
||||
|
||||
} else if ( strcasecmp( argv[ 0 ], "timeout" ) == 0 ) {
|
||||
char *sep;
|
||||
time_t *tv = mi->mi_ntargets ?
|
||||
mi->mi_targets[ mi->mi_ntargets - 1 ].mt_timeout
|
||||
mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_timeout
|
||||
: mi->mi_timeout;
|
||||
int c;
|
||||
|
||||
if ( argc < 2 ) {
|
||||
Debug( LDAP_DEBUG_ANY,
|
||||
"%s: line %d: \"timeout [{add|delete|modify|modrdn}=]<val> [...]\" takes at least 1 argument\n",
|
||||
"%s: line %d: \"timeout [{add|bind|delete|modify|modrdn}=]<val> [...]\" takes at least 1 argument\n",
|
||||
fname, lineno, 0 );
|
||||
return( 1 );
|
||||
}
|
||||
|
|
@ -805,19 +960,33 @@ meta_back_db_config(
|
|||
if ( sep != NULL ) {
|
||||
size_t len = sep - argv[ c ];
|
||||
|
||||
if ( strncasecmp( argv[ c ], "add", len ) == 0 ) {
|
||||
t = &tv[ LDAP_BACK_OP_ADD ];
|
||||
if ( strncasecmp( argv[ c ], "bind", len ) == 0 ) {
|
||||
t = &tv[ SLAP_OP_BIND ];
|
||||
/* unbind makes little sense */
|
||||
} else if ( strncasecmp( argv[ c ], "add", len ) == 0 ) {
|
||||
t = &tv[ SLAP_OP_ADD ];
|
||||
} else if ( strncasecmp( argv[ c ], "delete", len ) == 0 ) {
|
||||
t = &tv[ LDAP_BACK_OP_DELETE ];
|
||||
} else if ( strncasecmp( argv[ c ], "modify", len ) == 0 ) {
|
||||
t = &tv[ LDAP_BACK_OP_MODIFY ];
|
||||
t = &tv[ SLAP_OP_DELETE ];
|
||||
} else if ( strncasecmp( argv[ c ], "modrdn", len ) == 0 ) {
|
||||
t = &tv[ LDAP_BACK_OP_MODRDN ];
|
||||
t = &tv[ SLAP_OP_MODRDN ];
|
||||
} else if ( strncasecmp( argv[ c ], "modify", len ) == 0 ) {
|
||||
t = &tv[ SLAP_OP_MODIFY ];
|
||||
} else if ( strncasecmp( argv[ c ], "compare", len ) == 0 ) {
|
||||
t = &tv[ SLAP_OP_COMPARE ];
|
||||
#if 0 /* uses timelimit instead */
|
||||
} else if ( strncasecmp( argv[ c ], "search", len ) == 0 ) {
|
||||
t = &tv[ SLAP_OP_SEARCH ];
|
||||
#endif
|
||||
/* abandon makes little sense */
|
||||
#if 0 /* not implemented yet */
|
||||
} else if ( strncasecmp( argv[ c ], "extended", len ) == 0 ) {
|
||||
t = &tv[ SLAP_OP_EXTENDED ];
|
||||
#endif
|
||||
} else {
|
||||
char buf[ SLAP_TEXT_BUFLEN ];
|
||||
snprintf( buf, sizeof( buf ),
|
||||
"unknown operation \"%s\" for timeout #%d",
|
||||
argv[ c ], c );
|
||||
"unknown/unhandled operation \"%s\" for timeout #%d",
|
||||
argv[ c ], c - 1 );
|
||||
Debug( LDAP_DEBUG_ANY,
|
||||
"%s: line %d: %s.\n",
|
||||
fname, lineno, buf );
|
||||
|
|
@ -842,7 +1011,7 @@ meta_back_db_config(
|
|||
} else {
|
||||
int i;
|
||||
|
||||
for ( i = 0; i < LDAP_BACK_OP_LAST; i++ ) {
|
||||
for ( i = 0; i < SLAP_OP_LAST; i++ ) {
|
||||
tv[ i ] = (time_t)val;
|
||||
}
|
||||
}
|
||||
|
|
@ -851,7 +1020,6 @@ meta_back_db_config(
|
|||
/* name to use as pseudo-root dn */
|
||||
} else if ( strcasecmp( argv[ 0 ], "pseudorootdn" ) == 0 ) {
|
||||
int i = mi->mi_ntargets - 1;
|
||||
struct berval dn;
|
||||
|
||||
if ( i < 0 ) {
|
||||
Debug( LDAP_DEBUG_ANY,
|
||||
|
|
@ -867,15 +1035,74 @@ meta_back_db_config(
|
|||
return 1;
|
||||
}
|
||||
|
||||
dn.bv_val = argv[ 1 ];
|
||||
dn.bv_len = strlen( argv[ 1 ] );
|
||||
if ( dnNormalize( 0, NULL, NULL, &dn,
|
||||
&mi->mi_targets[ i ].mt_pseudorootdn, NULL ) != LDAP_SUCCESS )
|
||||
/*
|
||||
* exact replacement:
|
||||
*
|
||||
|
||||
idassert-bind bindmethod=simple
|
||||
binddn=<pseudorootdn>
|
||||
credentials=<pseudorootpw>
|
||||
mode=none
|
||||
flags=non-prescriptive
|
||||
idassert-authzFrom "dn:<rootdn>"
|
||||
|
||||
* so that only when authc'd as <rootdn> the proxying occurs
|
||||
* rebinding as the <pseudorootdn> without proxyAuthz.
|
||||
*/
|
||||
|
||||
Debug( LDAP_DEBUG_ANY,
|
||||
"%s: line %d: \"pseudorootdn\", \"pseudorootpw\" are no longer supported; "
|
||||
"use \"idassert-bind\" and \"idassert-authzFrom\" instead.\n",
|
||||
fname, lineno, 0 );
|
||||
|
||||
{
|
||||
Debug( LDAP_DEBUG_ANY, "%s: line %d: "
|
||||
"pseudoroot DN '%s' is invalid\n",
|
||||
fname, lineno, argv[ 1 ] );
|
||||
return( 1 );
|
||||
char binddn[ SLAP_TEXT_BUFLEN ];
|
||||
char *cargv[] = {
|
||||
"idassert-bind",
|
||||
"bindmethod=simple",
|
||||
NULL,
|
||||
"mode=none",
|
||||
"flags=non-prescriptive",
|
||||
NULL
|
||||
};
|
||||
int cargc = 5;
|
||||
int rc;
|
||||
|
||||
if ( BER_BVISNULL( &be->be_rootndn ) ) {
|
||||
Debug( LDAP_DEBUG_ANY, "%s: line %d: \"pseudorootpw\": \"rootdn\" must be defined first.\n",
|
||||
fname, lineno, 0 );
|
||||
return 1;
|
||||
}
|
||||
|
||||
if ( snprintf( binddn, sizeof( binddn ), "binddn=%s", argv[ 1 ] ) >= sizeof( binddn ) ) {
|
||||
Debug( LDAP_DEBUG_ANY, "%s: line %d: \"pseudorootdn\" too long.\n",
|
||||
fname, lineno, 0 );
|
||||
return 1;
|
||||
}
|
||||
cargv[ 2 ] = binddn;
|
||||
|
||||
rc = slap_idassert_parse_cf( fname, lineno, cargc, cargv, &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_idassert );
|
||||
if ( rc == 0 ) {
|
||||
struct berval bv;
|
||||
|
||||
if ( mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_idassert_authz != NULL ) {
|
||||
Debug( LDAP_DEBUG_ANY, "%s: line %d: \"idassert-authzFrom\" already defined (discarded).\n",
|
||||
fname, lineno, 0 );
|
||||
ber_bvarray_free( mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_idassert_authz );
|
||||
mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_idassert_authz = NULL;
|
||||
}
|
||||
|
||||
assert( !BER_BVISNULL( &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_idassert_authcDN ) );
|
||||
|
||||
bv.bv_len = STRLENOF( "dn:" ) + be->be_rootndn.bv_len;
|
||||
bv.bv_val = ber_memalloc( bv.bv_len + 1 );
|
||||
AC_MEMCPY( bv.bv_val, "dn:", STRLENOF( "dn:" ) );
|
||||
AC_MEMCPY( &bv.bv_val[ STRLENOF( "dn:" ) ], be->be_rootndn.bv_val, be->be_rootndn.bv_len + 1 );
|
||||
|
||||
ber_bvarray_add( &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_idassert_authz, &bv );
|
||||
}
|
||||
|
||||
return rc;
|
||||
}
|
||||
|
||||
/* password to use as pseudo-root */
|
||||
|
|
@ -895,7 +1122,114 @@ meta_back_db_config(
|
|||
fname, lineno, 0 );
|
||||
return 1;
|
||||
}
|
||||
ber_str2bv( argv[ 1 ], 0L, 1, &mi->mi_targets[ i ].mt_pseudorootpw );
|
||||
|
||||
Debug( LDAP_DEBUG_ANY,
|
||||
"%s: line %d: \"pseudorootdn\", \"pseudorootpw\" are no longer supported; "
|
||||
"use \"idassert-bind\" and \"idassert-authzFrom\" instead.\n",
|
||||
fname, lineno, 0 );
|
||||
|
||||
if ( BER_BVISNULL( &mi->mi_targets[ i ]->mt_idassert_authcDN ) ) {
|
||||
Debug( LDAP_DEBUG_ANY, "%s: line %d: \"pseudorootpw\": \"pseudorootdn\" must be defined first.\n",
|
||||
fname, lineno, 0 );
|
||||
return 1;
|
||||
}
|
||||
|
||||
if ( !BER_BVISNULL( &mi->mi_targets[ i ]->mt_idassert_passwd ) ) {
|
||||
memset( mi->mi_targets[ i ]->mt_idassert_passwd.bv_val, 0,
|
||||
mi->mi_targets[ i ]->mt_idassert_passwd.bv_len );
|
||||
ber_memfree( mi->mi_targets[ i ]->mt_idassert_passwd.bv_val );
|
||||
}
|
||||
ber_str2bv( argv[ 1 ], 0, 1, &mi->mi_targets[ i ]->mt_idassert_passwd );
|
||||
|
||||
/* idassert-bind */
|
||||
} else if ( strcasecmp( argv[ 0 ], "idassert-bind" ) == 0 ) {
|
||||
if ( mi->mi_ntargets == 0 ) {
|
||||
Debug( LDAP_DEBUG_ANY,
|
||||
"%s: line %d: \"idassert-bind\" "
|
||||
"must appear inside a target specification.\n",
|
||||
fname, lineno, 0 );
|
||||
return 1;
|
||||
}
|
||||
|
||||
return slap_idassert_parse_cf( fname, lineno, argc, argv, &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_idassert );
|
||||
|
||||
/* idassert-authzFrom */
|
||||
} else if ( strcasecmp( argv[ 0 ], "idassert-authzFrom" ) == 0 ) {
|
||||
if ( mi->mi_ntargets == 0 ) {
|
||||
Debug( LDAP_DEBUG_ANY,
|
||||
"%s: line %d: \"idassert-bind\" "
|
||||
"must appear inside a target specification.\n",
|
||||
fname, lineno, 0 );
|
||||
return 1;
|
||||
}
|
||||
|
||||
switch ( argc ) {
|
||||
case 2:
|
||||
break;
|
||||
|
||||
case 1:
|
||||
Debug( LDAP_DEBUG_ANY,
|
||||
"%s: line %d: missing <id> in \"idassert-authzFrom <id>\".\n",
|
||||
fname, lineno, 0 );
|
||||
return 1;
|
||||
|
||||
default:
|
||||
Debug( LDAP_DEBUG_ANY,
|
||||
"%s: line %d: extra cruft after <id> in \"idassert-authzFrom <id>\".\n",
|
||||
fname, lineno, 0 );
|
||||
return 1;
|
||||
}
|
||||
|
||||
return slap_idassert_authzfrom_parse_cf( fname, lineno, argv[ 1 ], &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_idassert );
|
||||
|
||||
/* quarantine */
|
||||
} else if ( strcasecmp( argv[ 0 ], "quarantine" ) == 0 ) {
|
||||
char buf[ SLAP_TEXT_BUFLEN ] = { '\0' };
|
||||
slap_retry_info_t *ri = mi->mi_ntargets ?
|
||||
&mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_quarantine
|
||||
: &mi->mi_quarantine;
|
||||
|
||||
if ( ( mi->mi_ntargets == 0 && META_BACK_QUARANTINE( mi ) )
|
||||
|| ( mi->mi_ntargets > 0 && META_BACK_TGT_QUARANTINE( mi->mi_targets[ mi->mi_ntargets - 1 ] ) ) )
|
||||
{
|
||||
Debug( LDAP_DEBUG_ANY,
|
||||
"%s: line %d: quarantine already defined.\n",
|
||||
fname, lineno, 0 );
|
||||
return 1;
|
||||
}
|
||||
|
||||
switch ( argc ) {
|
||||
case 2:
|
||||
break;
|
||||
|
||||
case 1:
|
||||
Debug( LDAP_DEBUG_ANY,
|
||||
"%s: line %d: missing arg in \"quarantine <pattern list>\".\n",
|
||||
fname, lineno, 0 );
|
||||
return 1;
|
||||
|
||||
default:
|
||||
Debug( LDAP_DEBUG_ANY,
|
||||
"%s: line %d: extra cruft after \"quarantine <pattern list>\".\n",
|
||||
fname, lineno, 0 );
|
||||
return 1;
|
||||
}
|
||||
|
||||
if ( ri != &mi->mi_quarantine ) {
|
||||
ri->ri_interval = NULL;
|
||||
ri->ri_num = NULL;
|
||||
}
|
||||
|
||||
if ( mi->mi_ntargets > 0 && !META_BACK_QUARANTINE( mi ) ) {
|
||||
ldap_pvt_thread_mutex_init( &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_quarantine_mutex );
|
||||
}
|
||||
|
||||
if ( slap_retry_info_parse( argv[ 1 ], ri, buf, sizeof( buf ) ) ) {
|
||||
Debug( LDAP_DEBUG_ANY,
|
||||
"%s line %d: %s.\n",
|
||||
fname, lineno, buf );
|
||||
return 1;
|
||||
}
|
||||
|
||||
/* dn massaging */
|
||||
} else if ( strcasecmp( argv[ 0 ], "suffixmassage" ) == 0 ) {
|
||||
|
|
@ -978,7 +1312,7 @@ meta_back_db_config(
|
|||
* FIXME: no extra rewrite capabilities should be added
|
||||
* to the database
|
||||
*/
|
||||
rc = suffix_massage_config( mi->mi_targets[ i ].mt_rwmap.rwm_rw,
|
||||
rc = suffix_massage_config( mi->mi_targets[ i ]->mt_rwmap.rwm_rw,
|
||||
&pvnc, &nvnc, &prnc, &nrnc );
|
||||
|
||||
free( pvnc.bv_val );
|
||||
|
|
@ -999,7 +1333,7 @@ meta_back_db_config(
|
|||
return 1;
|
||||
}
|
||||
|
||||
return rewrite_parse( mi->mi_targets[ i ].mt_rwmap.rwm_rw,
|
||||
return rewrite_parse( mi->mi_targets[ i ]->mt_rwmap.rwm_rw,
|
||||
fname, lineno, argc, argv );
|
||||
|
||||
/* objectclass/attribute mapping */
|
||||
|
|
@ -1013,8 +1347,8 @@ meta_back_db_config(
|
|||
return 1;
|
||||
}
|
||||
|
||||
return ldap_back_map_config( &mi->mi_targets[ i ].mt_rwmap.rwm_oc,
|
||||
&mi->mi_targets[ i ].mt_rwmap.rwm_at,
|
||||
return ldap_back_map_config( &mi->mi_targets[ i ]->mt_rwmap.rwm_oc,
|
||||
&mi->mi_targets[ i ]->mt_rwmap.rwm_at,
|
||||
fname, lineno, argc, argv );
|
||||
|
||||
} else if ( strcasecmp( argv[ 0 ], "nretries" ) == 0 ) {
|
||||
|
|
@ -1047,12 +1381,12 @@ meta_back_db_config(
|
|||
mi->mi_nretries = nretries;
|
||||
|
||||
} else {
|
||||
mi->mi_targets[ i ].mt_nretries = nretries;
|
||||
mi->mi_targets[ i ]->mt_nretries = nretries;
|
||||
}
|
||||
|
||||
} else if ( strcasecmp( argv[ 0 ], "protocol-version" ) == 0 ) {
|
||||
int *version = mi->mi_ntargets ?
|
||||
&mi->mi_targets[ mi->mi_ntargets - 1 ].mt_version
|
||||
&mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_version
|
||||
: &mi->mi_version;
|
||||
|
||||
if ( argc != 2 ) {
|
||||
|
|
@ -1122,7 +1456,7 @@ ldap_back_map_config(
|
|||
if ( strcmp( argv[ 2 ], "*" ) == 0 ) {
|
||||
if ( argc < 4 || strcmp( argv[ 3 ], "*" ) == 0 ) {
|
||||
map->drop_missing = ( argc < 4 );
|
||||
return 0;
|
||||
goto success_return;
|
||||
}
|
||||
src = dst = argv[ 3 ];
|
||||
|
||||
|
|
@ -1136,7 +1470,7 @@ ldap_back_map_config(
|
|||
}
|
||||
|
||||
if ( ( map == at_map )
|
||||
&& ( strcasecmp( src, "objectclass" ) == 0
|
||||
&& ( strcasecmp( src, "objectclass" ) == 0
|
||||
|| strcasecmp( dst, "objectclass" ) == 0 ) )
|
||||
{
|
||||
Debug( LDAP_DEBUG_ANY,
|
||||
|
|
@ -1264,6 +1598,12 @@ ldap_back_map_config(
|
|||
avl_insert( &map->remap, (caddr_t)&mapping[ 1 ],
|
||||
mapping_cmp, mapping_dup );
|
||||
|
||||
success_return:;
|
||||
if ( !is_oc && map->map == NULL ) {
|
||||
/* only init if required */
|
||||
ldap_back_map_init( map, &mapping );
|
||||
}
|
||||
|
||||
return 0;
|
||||
|
||||
error_return:;
|
||||
|
|
|
|||
File diff suppressed because it is too large
Load diff
|
|
@ -35,13 +35,14 @@ int
|
|||
meta_back_delete( Operation *op, SlapReply *rs )
|
||||
{
|
||||
metainfo_t *mi = ( metainfo_t * )op->o_bd->be_private;
|
||||
metatarget_t *mt;
|
||||
metaconn_t *mc = NULL;
|
||||
int candidate = -1;
|
||||
struct berval mdn = BER_BVNULL;
|
||||
dncookie dc;
|
||||
int msgid;
|
||||
int do_retry = 1;
|
||||
int maperr = 1;
|
||||
LDAPControl **ctrls = NULL;
|
||||
|
||||
mc = meta_back_getconn( op, rs, &candidate, LDAP_BACK_SENDERR );
|
||||
if ( !mc || !meta_back_dobind( op, rs, mc, LDAP_BACK_SENDERR ) ) {
|
||||
|
|
@ -53,82 +54,47 @@ meta_back_delete( Operation *op, SlapReply *rs )
|
|||
/*
|
||||
* Rewrite the compare dn, if needed
|
||||
*/
|
||||
dc.target = &mi->mi_targets[ candidate ];
|
||||
mt = mi->mi_targets[ candidate ];
|
||||
dc.target = mt;
|
||||
dc.conn = op->o_conn;
|
||||
dc.rs = rs;
|
||||
dc.ctx = "deleteDN";
|
||||
|
||||
if ( ldap_back_dn_massage( &dc, &op->o_req_dn, &mdn ) ) {
|
||||
send_ldap_result( op, rs );
|
||||
goto done;
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
retry:;
|
||||
ctrls = op->o_ctrls;
|
||||
if ( ldap_back_proxy_authz_ctrl( &mc->mc_conns[ candidate ].msc_bound_ndn,
|
||||
mt->mt_version, &mt->mt_idassert, op, rs, &ctrls ) != LDAP_SUCCESS )
|
||||
{
|
||||
send_ldap_result( op, rs );
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
rs->sr_err = ldap_delete_ext( mc->mc_conns[ candidate ].msc_ld,
|
||||
mdn.bv_val, op->o_ctrls, NULL, &msgid );
|
||||
mdn.bv_val, ctrls, NULL, &msgid );
|
||||
rs->sr_err = meta_back_op_result( mc, op, rs, candidate, msgid,
|
||||
mt->mt_timeout[ SLAP_OP_DELETE ], LDAP_BACK_SENDRESULT );
|
||||
if ( rs->sr_err == LDAP_UNAVAILABLE && do_retry ) {
|
||||
do_retry = 0;
|
||||
if ( meta_back_retry( op, rs, &mc, candidate, LDAP_BACK_SENDERR ) ) {
|
||||
/* if the identity changed, there might be need to re-authz */
|
||||
(void)ldap_back_proxy_authz_ctrl_free( op, &ctrls );
|
||||
goto retry;
|
||||
}
|
||||
goto cleanup;
|
||||
|
||||
} else if ( rs->sr_err == LDAP_SUCCESS ) {
|
||||
struct timeval tv, *tvp = NULL;
|
||||
LDAPMessage *res = NULL;
|
||||
int rc;
|
||||
|
||||
if ( mi->mi_targets[ candidate ].mt_timeout[ LDAP_BACK_OP_DELETE ] != 0 ) {
|
||||
tv.tv_sec = mi->mi_targets[ candidate ].mt_timeout[ LDAP_BACK_OP_DELETE ];
|
||||
tv.tv_usec = 0;
|
||||
tvp = &tv;
|
||||
}
|
||||
|
||||
rs->sr_err = LDAP_OTHER;
|
||||
maperr = 0;
|
||||
rc = ldap_result( mc->mc_conns[ candidate ].msc_ld,
|
||||
msgid, LDAP_MSG_ALL, tvp, &res );
|
||||
switch ( rc ) {
|
||||
case -1:
|
||||
rs->sr_err = LDAP_OTHER;
|
||||
break;
|
||||
|
||||
case 0:
|
||||
ldap_abandon_ext( mc->mc_conns[ candidate ].msc_ld,
|
||||
msgid, NULL, NULL );
|
||||
rs->sr_err = op->o_protocol >= LDAP_VERSION3 ?
|
||||
LDAP_ADMINLIMIT_EXCEEDED : LDAP_OPERATIONS_ERROR;
|
||||
break;
|
||||
|
||||
case LDAP_RES_DELETE:
|
||||
rc = ldap_parse_result( mc->mc_conns[ candidate ].msc_ld,
|
||||
res, &rs->sr_err, NULL, NULL, NULL, NULL, 1 );
|
||||
if ( rc != LDAP_SUCCESS ) {
|
||||
rs->sr_err = rc;
|
||||
}
|
||||
maperr = 1;
|
||||
break;
|
||||
|
||||
default:
|
||||
ldap_msgfree( res );
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
if ( maperr ) {
|
||||
rs->sr_err = meta_back_op_result( mc, op, rs, candidate );
|
||||
|
||||
} else {
|
||||
send_ldap_result( op, rs );
|
||||
}
|
||||
|
||||
cleanup:;
|
||||
(void)ldap_back_proxy_authz_ctrl_free( op, &ctrls );
|
||||
|
||||
if ( mdn.bv_val != op->o_req_dn.bv_val ) {
|
||||
free( mdn.bv_val );
|
||||
BER_BVZERO( &mdn );
|
||||
}
|
||||
|
||||
done:;
|
||||
if ( mc ) {
|
||||
meta_back_release_conn( op, mc );
|
||||
}
|
||||
|
|
|
|||
|
|
@ -76,6 +76,7 @@ meta_back_db_init(
|
|||
Backend *be )
|
||||
{
|
||||
metainfo_t *mi;
|
||||
int i;
|
||||
|
||||
mi = ch_calloc( 1, sizeof( metainfo_t ) );
|
||||
if ( mi == NULL ) {
|
||||
|
|
@ -90,12 +91,20 @@ meta_back_db_init(
|
|||
mi->mi_bind_timeout.tv_sec = 0;
|
||||
mi->mi_bind_timeout.tv_usec = META_BIND_TIMEOUT;
|
||||
|
||||
mi->mi_rebind_f = meta_back_default_rebind;
|
||||
|
||||
ldap_pvt_thread_mutex_init( &mi->mi_conninfo.lai_mutex );
|
||||
ldap_pvt_thread_mutex_init( &mi->mi_cache.mutex );
|
||||
|
||||
/* safe default */
|
||||
mi->mi_nretries = META_RETRY_DEFAULT;
|
||||
mi->mi_version = LDAP_VERSION3;
|
||||
|
||||
for ( i = LDAP_BACK_PCONN_FIRST; i < LDAP_BACK_PCONN_LAST; i++ ) {
|
||||
mi->mi_conn_priv[ i ].mic_num = 0;
|
||||
LDAP_TAILQ_INIT( &mi->mi_conn_priv[ i ].mic_priv );
|
||||
}
|
||||
mi->mi_conn_priv_max = LDAP_BACK_CONN_PRIV_DEFAULT;
|
||||
|
||||
be->be_private = mi;
|
||||
|
||||
|
|
@ -108,46 +117,73 @@ meta_back_db_open(
|
|||
{
|
||||
metainfo_t *mi = (metainfo_t *)be->be_private;
|
||||
|
||||
int i, rc;
|
||||
int i,
|
||||
not_always = 0,
|
||||
rc;
|
||||
|
||||
for ( i = 0; i < mi->mi_ntargets; i++ ) {
|
||||
if ( mi->mi_targets[ i ].mt_flags & LDAP_BACK_F_SUPPORT_T_F_DISCOVER )
|
||||
{
|
||||
mi->mi_targets[ i ].mt_flags &= ~LDAP_BACK_F_SUPPORT_T_F_DISCOVER;
|
||||
rc = slap_discover_feature( mi->mi_targets[ i ].mt_uri,
|
||||
mi->mi_targets[ i ].mt_version,
|
||||
metatarget_t *mt = mi->mi_targets[ i ];
|
||||
|
||||
if ( META_BACK_TGT_T_F_DISCOVER( mt ) ) {
|
||||
rc = slap_discover_feature( mt->mt_uri, mt->mt_version,
|
||||
slap_schema.si_ad_supportedFeatures->ad_cname.bv_val,
|
||||
LDAP_FEATURE_ABSOLUTE_FILTERS );
|
||||
if ( rc == LDAP_COMPARE_TRUE ) {
|
||||
mi->mi_targets[ i ].mt_flags |= LDAP_BACK_F_SUPPORT_T_F;
|
||||
mt->mt_flags |= LDAP_BACK_F_T_F;
|
||||
}
|
||||
}
|
||||
|
||||
if ( META_BACK_TGT_CANCEL_DISCOVER( mt ) ) {
|
||||
rc = slap_discover_feature( mt->mt_uri, mt->mt_version,
|
||||
slap_schema.si_ad_supportedExtension->ad_cname.bv_val,
|
||||
LDAP_EXOP_CANCEL );
|
||||
if ( rc == LDAP_COMPARE_TRUE ) {
|
||||
mt->mt_flags |= LDAP_BACK_F_CANCEL_EXOP;
|
||||
}
|
||||
}
|
||||
|
||||
if ( not_always == 0 ) {
|
||||
if ( !( mt->mt_idassert_flags & LDAP_BACK_AUTH_OVERRIDE )
|
||||
|| !( mt->mt_idassert_flags & LDAP_BACK_AUTH_AUTHZ_ALL ) )
|
||||
{
|
||||
not_always = 1;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if ( not_always == 0 ) {
|
||||
mi->mi_flags |= META_BACK_F_PROXYAUTHZ_ALWAYS;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
* meta_back_conn_free()
|
||||
*
|
||||
* actually frees a connection; the reference count must be 0,
|
||||
* and it must not (or no longer) be in the cache.
|
||||
*/
|
||||
void
|
||||
meta_back_conn_free(
|
||||
void *v_mc )
|
||||
{
|
||||
metaconn_t *mc = v_mc;
|
||||
int i, ntargets;
|
||||
int ntargets;
|
||||
|
||||
assert( mc != NULL );
|
||||
assert( mc->mc_refcnt == 0 );
|
||||
|
||||
if ( !BER_BVISNULL( &mc->mc_local_ndn ) ) {
|
||||
free( mc->mc_local_ndn.bv_val );
|
||||
/* at least one must be present... */
|
||||
ntargets = mc->mc_info->mi_ntargets;
|
||||
assert( ntargets > 0 );
|
||||
|
||||
for ( ; ntargets--; ) {
|
||||
(void)meta_clear_one_candidate( NULL, mc, ntargets );
|
||||
}
|
||||
|
||||
assert( mc->mc_conns != NULL );
|
||||
|
||||
/* at least one must be present... */
|
||||
ntargets = mc->mc_conns[ 0 ].msc_info->mi_ntargets;
|
||||
|
||||
for ( i = 0; i < ntargets; i++ ) {
|
||||
(void)meta_clear_one_candidate( &mc->mc_conns[ i ] );
|
||||
if ( !BER_BVISNULL( &mc->mc_local_ndn ) ) {
|
||||
free( mc->mc_local_ndn.bv_val );
|
||||
}
|
||||
|
||||
free( mc );
|
||||
|
|
@ -180,6 +216,7 @@ target_free(
|
|||
{
|
||||
if ( mt->mt_uri ) {
|
||||
free( mt->mt_uri );
|
||||
ldap_pvt_thread_mutex_destroy( &mt->mt_uri_mutex );
|
||||
}
|
||||
if ( mt->mt_subtree_exclude ) {
|
||||
ber_bvarray_free( mt->mt_subtree_exclude );
|
||||
|
|
@ -196,11 +233,26 @@ target_free(
|
|||
if ( !BER_BVISNULL( &mt->mt_bindpw ) ) {
|
||||
free( mt->mt_bindpw.bv_val );
|
||||
}
|
||||
if ( !BER_BVISNULL( &mt->mt_pseudorootdn ) ) {
|
||||
free( mt->mt_pseudorootdn.bv_val );
|
||||
if ( !BER_BVISNULL( &mt->mt_idassert_authcID ) ) {
|
||||
ch_free( mt->mt_idassert_authcID.bv_val );
|
||||
}
|
||||
if ( !BER_BVISNULL( &mt->mt_pseudorootpw ) ) {
|
||||
free( mt->mt_pseudorootpw.bv_val );
|
||||
if ( !BER_BVISNULL( &mt->mt_idassert_authcDN ) ) {
|
||||
ch_free( mt->mt_idassert_authcDN.bv_val );
|
||||
}
|
||||
if ( !BER_BVISNULL( &mt->mt_idassert_passwd ) ) {
|
||||
ch_free( mt->mt_idassert_passwd.bv_val );
|
||||
}
|
||||
if ( !BER_BVISNULL( &mt->mt_idassert_authzID ) ) {
|
||||
ch_free( mt->mt_idassert_authzID.bv_val );
|
||||
}
|
||||
if ( !BER_BVISNULL( &mt->mt_idassert_sasl_mech ) ) {
|
||||
ch_free( mt->mt_idassert_sasl_mech.bv_val );
|
||||
}
|
||||
if ( !BER_BVISNULL( &mt->mt_idassert_sasl_realm ) ) {
|
||||
ch_free( mt->mt_idassert_sasl_realm.bv_val );
|
||||
}
|
||||
if ( mt->mt_idassert_authz != NULL ) {
|
||||
ber_bvarray_free( mt->mt_idassert_authz );
|
||||
}
|
||||
if ( mt->mt_rwmap.rwm_rw ) {
|
||||
rewrite_info_delete( &mt->mt_rwmap.rwm_rw );
|
||||
|
|
@ -209,6 +261,8 @@ target_free(
|
|||
avl_free( mt->mt_rwmap.rwm_oc.map, mapping_free );
|
||||
avl_free( mt->mt_rwmap.rwm_at.remap, mapping_dst_free );
|
||||
avl_free( mt->mt_rwmap.rwm_at.map, mapping_free );
|
||||
|
||||
free( mt );
|
||||
}
|
||||
|
||||
int
|
||||
|
|
@ -230,6 +284,14 @@ meta_back_db_destroy(
|
|||
if ( mi->mi_conninfo.lai_tree ) {
|
||||
avl_free( mi->mi_conninfo.lai_tree, meta_back_conn_free );
|
||||
}
|
||||
for ( i = LDAP_BACK_PCONN_FIRST; i < LDAP_BACK_PCONN_LAST; i++ ) {
|
||||
while ( !LDAP_TAILQ_EMPTY( &mi->mi_conn_priv[ i ].mic_priv ) ) {
|
||||
metaconn_t *mc = LDAP_TAILQ_FIRST( &mi->mi_conn_priv[ i ].mic_priv );
|
||||
|
||||
LDAP_TAILQ_REMOVE( &mi->mi_conn_priv[ i ].mic_priv, mc, mc_q );
|
||||
meta_back_conn_free( mc );
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* Destroy the per-target stuff (assuming there's at
|
||||
|
|
@ -237,7 +299,18 @@ meta_back_db_destroy(
|
|||
*/
|
||||
if ( mi->mi_targets != NULL ) {
|
||||
for ( i = 0; i < mi->mi_ntargets; i++ ) {
|
||||
target_free( &mi->mi_targets[ i ] );
|
||||
metatarget_t *mt = mi->mi_targets[ i ];
|
||||
|
||||
if ( META_BACK_TGT_QUARANTINE( mt ) ) {
|
||||
if ( mt->mt_quarantine.ri_num != mi->mi_quarantine.ri_num )
|
||||
{
|
||||
slap_retry_info_destroy( &mt->mt_quarantine );
|
||||
}
|
||||
|
||||
ldap_pvt_thread_mutex_destroy( &mt->mt_quarantine_mutex );
|
||||
}
|
||||
|
||||
target_free( mt );
|
||||
}
|
||||
|
||||
free( mi->mi_targets );
|
||||
|
|
@ -257,6 +330,10 @@ meta_back_db_destroy(
|
|||
if ( mi->mi_candidates != NULL ) {
|
||||
ber_memfree_x( mi->mi_candidates, NULL );
|
||||
}
|
||||
|
||||
if ( META_BACK_QUARANTINE( mi ) ) {
|
||||
slap_retry_info_destroy( &mi->mi_quarantine );
|
||||
}
|
||||
}
|
||||
|
||||
free( be->be_private );
|
||||
|
|
|
|||
|
|
@ -90,19 +90,19 @@ ldap_back_map_init ( struct ldapmap *lm, struct ldapmapping **m )
|
|||
assert( m != NULL );
|
||||
|
||||
*m = NULL;
|
||||
|
||||
|
||||
mapping = (struct ldapmapping *)ch_calloc( 2,
|
||||
sizeof( struct ldapmapping ) );
|
||||
if ( mapping == NULL ) {
|
||||
return;
|
||||
}
|
||||
|
||||
ber_str2bv( "objectclass", sizeof("objectclass")-1, 1, &mapping->src);
|
||||
ber_dupbv( &mapping->dst, &mapping->src );
|
||||
mapping[1].src = mapping->src;
|
||||
mapping[1].dst = mapping->dst;
|
||||
ber_str2bv( "objectclass", STRLENOF("objectclass"), 1, &mapping[0].src);
|
||||
ber_dupbv( &mapping[0].dst, &mapping[0].src );
|
||||
mapping[1].src = mapping[0].src;
|
||||
mapping[1].dst = mapping[0].dst;
|
||||
|
||||
avl_insert( &lm->map, (caddr_t)mapping,
|
||||
avl_insert( &lm->map, (caddr_t)&mapping[0],
|
||||
mapping_cmp, mapping_dup );
|
||||
avl_insert( &lm->remap, (caddr_t)&mapping[1],
|
||||
mapping_cmp, mapping_dup );
|
||||
|
|
@ -120,6 +120,7 @@ ldap_back_mapping ( struct ldapmap *map, struct berval *s, struct ldapmapping **
|
|||
|
||||
if ( remap == BACKLDAP_REMAP ) {
|
||||
tree = map->remap;
|
||||
|
||||
} else {
|
||||
tree = map->map;
|
||||
}
|
||||
|
|
@ -139,6 +140,13 @@ ldap_back_map ( struct ldapmap *map, struct berval *s, struct berval *bv,
|
|||
{
|
||||
struct ldapmapping *mapping;
|
||||
|
||||
/* map->map may be NULL when mapping is configured,
|
||||
* but map->remap can't */
|
||||
if ( map->remap == NULL ) {
|
||||
*bv = *s;
|
||||
return;
|
||||
}
|
||||
|
||||
BER_BVZERO( bv );
|
||||
( void )ldap_back_mapping( map, s, &mapping, remap );
|
||||
if ( mapping != NULL ) {
|
||||
|
|
@ -297,6 +305,9 @@ ldap_back_int_filter_map_rewrite(
|
|||
ber_bvnone = BER_BVC( "(?=none)" );
|
||||
ber_len_t len;
|
||||
|
||||
assert( fstr != NULL );
|
||||
BER_BVZERO( fstr );
|
||||
|
||||
if ( f == NULL ) {
|
||||
ber_dupbv( fstr, &ber_bvnone );
|
||||
return LDAP_OTHER;
|
||||
|
|
@ -513,7 +524,7 @@ ldap_back_int_filter_map_rewrite(
|
|||
/* FIXME: treat UNDEFINED as FALSE */
|
||||
case SLAPD_COMPARE_UNDEFINED:
|
||||
computed:;
|
||||
if ( dc->target->mt_flags & LDAP_BACK_F_SUPPORT_T_F ) {
|
||||
if ( META_BACK_TGT_T_F( dc->target ) ) {
|
||||
tmp = &ber_bvtf_false;
|
||||
break;
|
||||
}
|
||||
|
|
@ -521,7 +532,7 @@ computed:;
|
|||
break;
|
||||
|
||||
case LDAP_COMPARE_TRUE:
|
||||
if ( dc->target->mt_flags & LDAP_BACK_F_SUPPORT_T_F ) {
|
||||
if ( META_BACK_TGT_T_F( dc->target ) ) {
|
||||
tmp = &ber_bvtf_true;
|
||||
break;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -35,9 +35,9 @@ int
|
|||
meta_back_modify( Operation *op, SlapReply *rs )
|
||||
{
|
||||
metainfo_t *mi = ( metainfo_t * )op->o_bd->be_private;
|
||||
metatarget_t *mt;
|
||||
metaconn_t *mc;
|
||||
int rc = 0;
|
||||
int maperr = 1;
|
||||
LDAPMod **modv = NULL;
|
||||
LDAPMod *mods = NULL;
|
||||
Modifications *ml;
|
||||
|
|
@ -48,6 +48,7 @@ meta_back_modify( Operation *op, SlapReply *rs )
|
|||
dncookie dc;
|
||||
int msgid;
|
||||
int do_retry = 1;
|
||||
LDAPControl **ctrls = NULL;
|
||||
|
||||
mc = meta_back_getconn( op, rs, &candidate, LDAP_BACK_SENDERR );
|
||||
if ( !mc || !meta_back_dobind( op, rs, mc, LDAP_BACK_SENDERR ) ) {
|
||||
|
|
@ -59,13 +60,14 @@ meta_back_modify( Operation *op, SlapReply *rs )
|
|||
/*
|
||||
* Rewrite the modify dn, if needed
|
||||
*/
|
||||
dc.target = &mi->mi_targets[ candidate ];
|
||||
mt = mi->mi_targets[ candidate ];
|
||||
dc.target = mt;
|
||||
dc.conn = op->o_conn;
|
||||
dc.rs = rs;
|
||||
dc.ctx = "modifyDN";
|
||||
|
||||
if ( ldap_back_dn_massage( &dc, &op->o_req_dn, &mdn ) ) {
|
||||
maperr = 0;
|
||||
send_ldap_result( op, rs );
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
|
|
@ -74,14 +76,14 @@ meta_back_modify( Operation *op, SlapReply *rs )
|
|||
|
||||
mods = ch_malloc( sizeof( LDAPMod )*i );
|
||||
if ( mods == NULL ) {
|
||||
rs->sr_err = LDAP_NO_MEMORY;
|
||||
maperr = 0;
|
||||
rs->sr_err = LDAP_OTHER;
|
||||
send_ldap_result( op, rs );
|
||||
goto cleanup;
|
||||
}
|
||||
modv = ( LDAPMod ** )ch_malloc( ( i + 1 )*sizeof( LDAPMod * ) );
|
||||
if ( modv == NULL ) {
|
||||
rs->sr_err = LDAP_NO_MEMORY;
|
||||
maperr = 0;
|
||||
rs->sr_err = LDAP_OTHER;
|
||||
send_ldap_result( op, rs );
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
|
|
@ -102,7 +104,7 @@ meta_back_modify( Operation *op, SlapReply *rs )
|
|||
mapped = ml->sml_desc->ad_cname;
|
||||
|
||||
} else {
|
||||
ldap_back_map( &mi->mi_targets[ candidate ].mt_rwmap.rwm_at,
|
||||
ldap_back_map( &mt->mt_rwmap.rwm_at,
|
||||
&ml->sml_desc->ad_cname, &mapped,
|
||||
BACKLDAP_MAP );
|
||||
if ( BER_BVISNULL( &mapped ) || BER_BVISEMPTY( &mapped ) ) {
|
||||
|
|
@ -129,11 +131,11 @@ meta_back_modify( Operation *op, SlapReply *rs )
|
|||
for ( j = 0; !BER_BVISNULL( &ml->sml_values[ j ] ); ) {
|
||||
struct ldapmapping *mapping;
|
||||
|
||||
ldap_back_mapping( &mi->mi_targets[ candidate ].mt_rwmap.rwm_oc,
|
||||
ldap_back_mapping( &mt->mt_rwmap.rwm_oc,
|
||||
&ml->sml_values[ j ], &mapping, BACKLDAP_MAP );
|
||||
|
||||
if ( mapping == NULL ) {
|
||||
if ( mi->mi_targets[ candidate ].mt_rwmap.rwm_oc.drop_missing ) {
|
||||
if ( mt->mt_rwmap.rwm_oc.drop_missing ) {
|
||||
continue;
|
||||
}
|
||||
mods[ i ].mod_bvalues[ j ] = &ml->sml_values[ j ];
|
||||
|
|
@ -175,66 +177,30 @@ meta_back_modify( Operation *op, SlapReply *rs )
|
|||
modv[ i ] = 0;
|
||||
|
||||
retry:;
|
||||
ctrls = op->o_ctrls;
|
||||
rc = ldap_back_proxy_authz_ctrl( &mc->mc_conns[ candidate ].msc_bound_ndn,
|
||||
mt->mt_version, &mt->mt_idassert, op, rs, &ctrls );
|
||||
if ( rc != LDAP_SUCCESS ) {
|
||||
send_ldap_result( op, rs );
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
rs->sr_err = ldap_modify_ext( mc->mc_conns[ candidate ].msc_ld, mdn.bv_val,
|
||||
modv, op->o_ctrls, NULL, &msgid );
|
||||
modv, ctrls, NULL, &msgid );
|
||||
rs->sr_err = meta_back_op_result( mc, op, rs, candidate, msgid,
|
||||
mt->mt_timeout[ SLAP_OP_MODIFY ], LDAP_BACK_SENDRESULT );
|
||||
if ( rs->sr_err == LDAP_UNAVAILABLE && do_retry ) {
|
||||
do_retry = 0;
|
||||
if ( meta_back_retry( op, rs, &mc, candidate, LDAP_BACK_SENDERR ) ) {
|
||||
/* if the identity changed, there might be need to re-authz */
|
||||
(void)ldap_back_proxy_authz_ctrl_free( op, &ctrls );
|
||||
goto retry;
|
||||
}
|
||||
goto done;
|
||||
|
||||
} else if ( rs->sr_err == LDAP_SUCCESS ) {
|
||||
struct timeval tv, *tvp = NULL;
|
||||
LDAPMessage *res = NULL;
|
||||
|
||||
if ( mi->mi_targets[ candidate ].mt_timeout[ LDAP_BACK_OP_MODIFY ] != 0 ) {
|
||||
tv.tv_sec = mi->mi_targets[ candidate ].mt_timeout[ LDAP_BACK_OP_MODIFY ];
|
||||
tv.tv_usec = 0;
|
||||
tvp = &tv;
|
||||
}
|
||||
|
||||
rs->sr_err = LDAP_OTHER;
|
||||
rc = ldap_result( mc->mc_conns[ candidate ].msc_ld,
|
||||
msgid, LDAP_MSG_ALL, tvp, &res );
|
||||
switch ( rc ) {
|
||||
case -1:
|
||||
maperr = 0;
|
||||
break;
|
||||
|
||||
case 0:
|
||||
ldap_abandon_ext( mc->mc_conns[ candidate ].msc_ld,
|
||||
msgid, NULL, NULL );
|
||||
rs->sr_err = op->o_protocol >= LDAP_VERSION3 ?
|
||||
LDAP_ADMINLIMIT_EXCEEDED : LDAP_OPERATIONS_ERROR;
|
||||
maperr = 0;
|
||||
break;
|
||||
|
||||
case LDAP_RES_MODIFY:
|
||||
rc = ldap_parse_result( mc->mc_conns[ candidate ].msc_ld,
|
||||
res, &rs->sr_err, NULL, NULL, NULL, NULL, 1 );
|
||||
if ( rc != LDAP_SUCCESS ) {
|
||||
rs->sr_err = rc;
|
||||
}
|
||||
maperr = 1;
|
||||
break;
|
||||
|
||||
default:
|
||||
maperr = 0;
|
||||
ldap_msgfree( res );
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
cleanup:;
|
||||
if ( maperr ) {
|
||||
rc = meta_back_op_result( mc, op, rs, candidate );
|
||||
(void)ldap_back_proxy_authz_ctrl_free( op, &ctrls );
|
||||
|
||||
} else {
|
||||
send_ldap_result( op, rs );
|
||||
}
|
||||
|
||||
done:;
|
||||
if ( mdn.bv_val != op->o_req_dn.bv_val ) {
|
||||
free( mdn.bv_val );
|
||||
BER_BVZERO( &mdn );
|
||||
|
|
|
|||
|
|
@ -35,6 +35,7 @@ int
|
|||
meta_back_modrdn( Operation *op, SlapReply *rs )
|
||||
{
|
||||
metainfo_t *mi = ( metainfo_t * )op->o_bd->be_private;
|
||||
metatarget_t *mt;
|
||||
metaconn_t *mc;
|
||||
int candidate = -1;
|
||||
struct berval mdn = BER_BVNULL,
|
||||
|
|
@ -42,7 +43,7 @@ meta_back_modrdn( Operation *op, SlapReply *rs )
|
|||
dncookie dc;
|
||||
int msgid;
|
||||
int do_retry = 1;
|
||||
int maperr = 1;
|
||||
LDAPControl **ctrls = NULL;
|
||||
|
||||
mc = meta_back_getconn( op, rs, &candidate, LDAP_BACK_SENDERR );
|
||||
if ( !mc || !meta_back_dobind( op, rs, mc, LDAP_BACK_SENDERR ) ) {
|
||||
|
|
@ -51,6 +52,8 @@ meta_back_modrdn( Operation *op, SlapReply *rs )
|
|||
|
||||
assert( mc->mc_conns[ candidate ].msc_ld != NULL );
|
||||
|
||||
mt = mi->mi_targets[ candidate ];
|
||||
dc.target = mt;
|
||||
dc.conn = op->o_conn;
|
||||
dc.rs = rs;
|
||||
|
||||
|
|
@ -76,7 +79,7 @@ meta_back_modrdn( Operation *op, SlapReply *rs )
|
|||
*/
|
||||
|
||||
/* needs LDAPv3 */
|
||||
switch ( mi->mi_targets[ candidate ].mt_version ) {
|
||||
switch ( mt->mt_version ) {
|
||||
case LDAP_VERSION3:
|
||||
break;
|
||||
|
||||
|
|
@ -90,18 +93,17 @@ meta_back_modrdn( Operation *op, SlapReply *rs )
|
|||
/* op->o_protocol cannot be anything but LDAPv3,
|
||||
* otherwise wouldn't be here */
|
||||
rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
|
||||
maperr = 0;
|
||||
send_ldap_result( op, rs );
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
/*
|
||||
* Rewrite the new superior, if defined and required
|
||||
*/
|
||||
dc.target = &mi->mi_targets[ candidate ];
|
||||
dc.ctx = "newSuperiorDN";
|
||||
if ( ldap_back_dn_massage( &dc, op->orr_newSup, &mnewSuperior ) ) {
|
||||
rs->sr_err = LDAP_OTHER;
|
||||
maperr = 0;
|
||||
send_ldap_result( op, rs );
|
||||
goto cleanup;
|
||||
}
|
||||
}
|
||||
|
|
@ -109,76 +111,40 @@ meta_back_modrdn( Operation *op, SlapReply *rs )
|
|||
/*
|
||||
* Rewrite the modrdn dn, if required
|
||||
*/
|
||||
dc.target = &mi->mi_targets[ candidate ];
|
||||
dc.ctx = "modrDN";
|
||||
if ( ldap_back_dn_massage( &dc, &op->o_req_dn, &mdn ) ) {
|
||||
rs->sr_err = LDAP_OTHER;
|
||||
maperr = 0;
|
||||
send_ldap_result( op, rs );
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
retry:;
|
||||
ctrls = op->o_ctrls;
|
||||
if ( ldap_back_proxy_authz_ctrl( &mc->mc_conns[ candidate ].msc_bound_ndn,
|
||||
mt->mt_version, &mt->mt_idassert, op, rs, &ctrls ) != LDAP_SUCCESS )
|
||||
{
|
||||
send_ldap_result( op, rs );
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
rs->sr_err = ldap_rename( mc->mc_conns[ candidate ].msc_ld,
|
||||
mdn.bv_val, op->orr_newrdn.bv_val,
|
||||
mnewSuperior.bv_val, op->orr_deleteoldrdn,
|
||||
op->o_ctrls, NULL, &msgid );
|
||||
ctrls, NULL, &msgid );
|
||||
rs->sr_err = meta_back_op_result( mc, op, rs, candidate, msgid,
|
||||
mt->mt_timeout[ SLAP_OP_MODRDN ], LDAP_BACK_SENDRESULT );
|
||||
if ( rs->sr_err == LDAP_UNAVAILABLE && do_retry ) {
|
||||
do_retry = 0;
|
||||
if ( meta_back_retry( op, rs, &mc, candidate, LDAP_BACK_SENDERR ) ) {
|
||||
/* if the identity changed, there might be need to re-authz */
|
||||
(void)ldap_back_proxy_authz_ctrl_free( op, &ctrls );
|
||||
goto retry;
|
||||
}
|
||||
goto done;
|
||||
|
||||
} else if ( rs->sr_err == LDAP_SUCCESS ) {
|
||||
struct timeval tv, *tvp = NULL;
|
||||
LDAPMessage *res = NULL;
|
||||
int rc;
|
||||
|
||||
if ( mi->mi_targets[ candidate ].mt_timeout[ LDAP_BACK_OP_MODRDN ] != 0 ) {
|
||||
tv.tv_sec = mi->mi_targets[ candidate ].mt_timeout[ LDAP_BACK_OP_MODRDN ];
|
||||
tv.tv_usec = 0;
|
||||
tvp = &tv;
|
||||
}
|
||||
|
||||
rs->sr_err = LDAP_OTHER;
|
||||
rc = ldap_result( mc->mc_conns[ candidate ].msc_ld,
|
||||
msgid, LDAP_MSG_ALL, tvp, &res );
|
||||
maperr = 0;
|
||||
switch ( rc ) {
|
||||
case -1:
|
||||
break;
|
||||
|
||||
case 0:
|
||||
ldap_abandon_ext( mc->mc_conns[ candidate ].msc_ld,
|
||||
msgid, NULL, NULL );
|
||||
rs->sr_err = op->o_protocol >= LDAP_VERSION3 ?
|
||||
LDAP_ADMINLIMIT_EXCEEDED : LDAP_OPERATIONS_ERROR;
|
||||
break;
|
||||
|
||||
case LDAP_RES_RENAME:
|
||||
rc = ldap_parse_result( mc->mc_conns[ candidate ].msc_ld,
|
||||
res, &rs->sr_err, NULL, NULL, NULL, NULL, 1 );
|
||||
if ( rc != LDAP_SUCCESS ) {
|
||||
rs->sr_err = rc;
|
||||
}
|
||||
maperr = 1;
|
||||
break;
|
||||
|
||||
default:
|
||||
ldap_msgfree( res );
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
cleanup:;
|
||||
if ( maperr ) {
|
||||
meta_back_op_result( mc, op, rs, candidate );
|
||||
(void)ldap_back_proxy_authz_ctrl_free( op, &ctrls );
|
||||
|
||||
} else {
|
||||
send_ldap_result( op, rs );
|
||||
}
|
||||
|
||||
done:;
|
||||
if ( mdn.bv_val != op->o_req_dn.bv_val ) {
|
||||
free( mdn.bv_val );
|
||||
BER_BVZERO( &mdn );
|
||||
|
|
|
|||
File diff suppressed because it is too large
Load diff
|
|
@ -51,23 +51,29 @@ meta_back_conn_destroy(
|
|||
mc_curr.mc_conn = conn;
|
||||
|
||||
ldap_pvt_thread_mutex_lock( &mi->mi_conninfo.lai_mutex );
|
||||
#if META_BACK_PRINT_CONNTREE > 0
|
||||
meta_back_print_conntree( mi, ">>> meta_back_conn_destroy" );
|
||||
#endif /* META_BACK_PRINT_CONNTREE */
|
||||
while ( ( mc = avl_delete( &mi->mi_conninfo.lai_tree, ( caddr_t )&mc_curr, meta_back_conn_cmp ) ) != NULL )
|
||||
{
|
||||
Debug( LDAP_DEBUG_TRACE,
|
||||
"=>meta_back_conn_destroy: destroying conn %ld\n",
|
||||
LDAP_BACK_PCONN_ID( mc->mc_conn ), 0, 0 );
|
||||
LDAP_BACK_PCONN_ID( mc ), 0, 0 );
|
||||
|
||||
assert( mc->mc_refcnt == 0 );
|
||||
|
||||
meta_back_conn_free( mc );
|
||||
}
|
||||
#if META_BACK_PRINT_CONNTREE > 0
|
||||
meta_back_print_conntree( mi, "<<< meta_back_conn_destroy" );
|
||||
#endif /* META_BACK_PRINT_CONNTREE */
|
||||
ldap_pvt_thread_mutex_unlock( &mi->mi_conninfo.lai_mutex );
|
||||
|
||||
/*
|
||||
* Cleanup rewrite session
|
||||
*/
|
||||
for ( i = 0; i < mi->mi_ntargets; ++i ) {
|
||||
rewrite_session_delete( mi->mi_targets[ i ].mt_rwmap.rwm_rw, conn );
|
||||
rewrite_session_delete( mi->mi_targets[ i ]->mt_rwmap.rwm_rw, conn );
|
||||
}
|
||||
|
||||
return 0;
|
||||
|
|
|
|||
|
|
@ -383,7 +383,7 @@ monitor_subsys_database_init(
|
|||
int t;
|
||||
|
||||
for ( t = 0; t < mi->mi_ntargets; t++ ) {
|
||||
char **urls = ldap_str2charray( mi->mi_targets[ t ].mt_uri, " " );
|
||||
char **urls = ldap_str2charray( mi->mi_targets[ t ]->mt_uri, " " );
|
||||
int u;
|
||||
|
||||
for ( u = 0; urls[ u ] != NULL; u++ ) {
|
||||
|
|
|
|||
|
|
@ -121,6 +121,7 @@ rwm_callback_get( Operation *op, SlapReply *rs )
|
|||
return roc;
|
||||
}
|
||||
|
||||
|
||||
static int
|
||||
rwm_op_dn_massage( Operation *op, SlapReply *rs, void *cookie,
|
||||
rwm_op_state *ros )
|
||||
|
|
@ -1642,7 +1643,6 @@ rwm_db_init(
|
|||
BackendDB *be )
|
||||
{
|
||||
slap_overinst *on = (slap_overinst *) be->bd_info;
|
||||
struct ldapmapping *mapping = NULL;
|
||||
struct ldaprwmap *rwmap;
|
||||
#ifdef ENABLE_REWRITE
|
||||
char *rargv[ 3 ];
|
||||
|
|
@ -1671,13 +1671,6 @@ rwm_db_init(
|
|||
rewrite_parse( rwmap->rwm_rw, "<suffix massage>", 2, 2, rargv );
|
||||
#endif /* ENABLE_REWRITE */
|
||||
|
||||
if ( rwm_map_init( &rwmap->rwm_oc, &mapping ) != LDAP_SUCCESS ||
|
||||
rwm_map_init( &rwmap->rwm_at, &mapping ) != LDAP_SUCCESS )
|
||||
{
|
||||
rc = 1;
|
||||
goto error_return;
|
||||
}
|
||||
|
||||
error_return:;
|
||||
on->on_bi.bi_private = (void *)rwmap;
|
||||
|
||||
|
|
|
|||
|
|
@ -47,6 +47,7 @@ rwm_map_config(
|
|||
struct ldapmapping *mapping;
|
||||
char *src, *dst;
|
||||
int is_oc = 0;
|
||||
int rc = 0;
|
||||
|
||||
if ( argc < 3 || argc > 4 ) {
|
||||
fprintf( stderr,
|
||||
|
|
@ -73,7 +74,7 @@ rwm_map_config(
|
|||
if ( strcmp( argv[2], "*" ) == 0 ) {
|
||||
if ( argc < 4 || strcmp( argv[3], "*" ) == 0 ) {
|
||||
map->drop_missing = ( argc < 4 );
|
||||
return 0;
|
||||
goto success_return;
|
||||
}
|
||||
src = dst = argv[3];
|
||||
|
||||
|
|
@ -230,7 +231,13 @@ rwm_map_config(
|
|||
avl_insert( &map->remap, (caddr_t)&mapping[1],
|
||||
rwm_mapping_cmp, rwm_mapping_dup );
|
||||
|
||||
return 0;
|
||||
success_return:;
|
||||
if ( !is_oc && map->map == NULL ) {
|
||||
/* only init if required */
|
||||
rc = rwm_map_init( map, &mapping ) != LDAP_SUCCESS;
|
||||
}
|
||||
|
||||
return rc;
|
||||
|
||||
error_return:;
|
||||
if ( mapping ) {
|
||||
|
|
|
|||
|
|
@ -84,6 +84,7 @@ rwm_map_init( struct ldapmap *lm, struct ldapmapping **m )
|
|||
/* FIXME: I don't think this is needed any more... */
|
||||
rc = slap_str2ad( "objectClass", &mapping[0].m_src_ad, &text );
|
||||
if ( rc != LDAP_SUCCESS ) {
|
||||
ch_free( mapping );
|
||||
return rc;
|
||||
}
|
||||
|
||||
|
|
@ -112,6 +113,10 @@ rwm_mapping( struct ldapmap *map, struct berval *s, struct ldapmapping **m, int
|
|||
Avlnode *tree;
|
||||
struct ldapmapping fmapping;
|
||||
|
||||
if ( map == NULL ) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
assert( m != NULL );
|
||||
|
||||
if ( remap == RWM_REMAP ) {
|
||||
|
|
@ -137,6 +142,13 @@ rwm_map( struct ldapmap *map, struct berval *s, struct berval *bv, int remap )
|
|||
{
|
||||
struct ldapmapping *mapping;
|
||||
|
||||
/* map->map may be NULL when mapping is configured,
|
||||
* but map->remap can't */
|
||||
if ( map->remap == NULL ) {
|
||||
*bv = *s;
|
||||
return;
|
||||
}
|
||||
|
||||
BER_BVZERO( bv );
|
||||
( void )rwm_mapping( map, s, &mapping, remap );
|
||||
if ( mapping != NULL ) {
|
||||
|
|
|
|||
Loading…
Reference in a new issue