upstream/openldap
1
0
Fork 0
mirror of https://git.openldap.org/openldap/openldap.git synced 2025-12-24 00:29:35 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

remove rewrite stuff -- now delegted to rwm overlay

Browse source
This commit is contained in:
Pierangelo Masarati 2004-11-13 14:43:30 +00:00
parent 3cfbe2ec29
commit f176935a58
14 changed files with 852 additions and 1775 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
servers/slapd/back-ldap/Makefile.in
View file

@ -14,11 +14,9 @@
## <http://www.OpenLDAP.org/license.html>.
SRCS = init.c config.c search.c bind.c unbind.c add.c compare.c \
delete.c modify.c modrdn.c \
suffixmassage.c map.c extended.c
delete.c modify.c modrdn.c extended.c
OBJS = init.lo config.lo search.lo bind.lo unbind.lo add.lo compare.lo \
delete.lo modify.lo modrdn.lo \
suffixmassage.lo map.lo extended.lo
delete.lo modify.lo modrdn.lo extended.lo
LDAP_INCDIR= ../../../include
LDAP_LIBDIR= ../../../libraries
@ -29,12 +27,9 @@ BUILD_MOD = @BUILD_LDAP@
mod_DEFS = -DSLAPD_IMPORT
MOD_DEFS = $(@BUILD_LDAP@_DEFS)
mod_REWRITE = $(LDAP_LIBREWRITE_A)
REWRITE = $(@BUILD_META@_REWRITE) $(@BUILD_LDAP@_REWRITE)
shared_LDAP_LIBS = $(LDAP_LIBLDAP_R_LA) $(LDAP_LIBLBER_LA)
NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) $(REWRITE)
UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) $(REWRITE)
NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
LIBBASE = back_ldap

32
servers/slapd/back-ldap/TODO.proxy
View file

@ -13,11 +13,11 @@ and it wants to propose to the outer world as a unique URI
"ldap://ldap.company.net/dc=company, dc=net"
It could do some rewriting to map everything that comes in with a base dn
It could do some rewriting to map everything that comes in with a base DN
of "o=Branch 1, dc=company, dc=net" as the URI of the Branch 1, and
everything that comes in with a base dn of "o=Branch 2, dc=company, dc=net"
as the URI of Branch 2, and by rewriting all the dns back to the new, uniform
base. Everything that comes in with a base dn of "dc=company, dc=net" should
everything that comes in with a base DN of "o=Branch 2, dc=company, dc=net"
as the URI of Branch 2, and by rewriting all the DNs back to the new, uniform
base. Everything that comes in with a base DN of "dc=company, dc=net" should
be handled locally and propagated to the two branch URIs if a subtree
(or at least onelevel) search is required.
@ -35,7 +35,7 @@ Operations:
The input of each operation may be related to:
exact dn exact parent ancestor
exact DN exact parent ancestor
-------------------------------------------------------------
bind x
unbind
@ -47,20 +47,20 @@ modrdn x
delete x
abandon
The backend must rely on a dn fetching mechanism. Each operation requires
The backend must rely on a DN fetching mechanism. Each operation requires
to determine as early as possible which URI will be able to satisfy it.
Apart from searches, which by definition are usually allowed to return
multiple results, and apart from unbind and abandon, which do not return any
result, all the remaining operations require the related entry to be unique.
A major problem isposed by the uniqueness of the dns. As far as the suffixes
are masqueraded by a common suffix, tyhe dns are no longer guaranteed to be
A major problem isposed by the uniqueness of the DNs. As far as the suffixes
are masqueraded by a common suffix, the DNs are no longer guaranteed to be
unique. This backend relies on the assumption that the uniqueness of the
dns is guaranteed.
DNs is guaranteed.
Two layers of depth in dn fetching are envisaged.
Two layers of depth in DN fetching are envisaged.
The first layer is provided by a backend-side cache made of previously
retrieved entries. The cache relates each rdn (i.e. the dn apart from the
retrieved entries. The cache relates each RDN (i.e. the DN apart from the
common suffix) to the pool of URIs that are expected to contain a subset
of its children.
@ -74,14 +74,14 @@ So write operations will require to skip the cache search and to perform
the exaustive search of all the URIs unless some hint mechanism is provided
to the backend (e.g. a server is read-only).
Again, the lag between the fetching of the required dn and the actual
Again, the lag between the fetching of the required DN and the actual
read/write may result in a failure; however, this applies to any LDAP
operation AFAIK.
- bind
if updates are to be strictly honored, a bind operation is performed against
each URI; otherwise, it is performed against the URIs resulting from a
cache-level dn fetch.
cache-level DN fetch.
- unbind
nothing to say; all the open handles related to the connection are reset.
@ -90,12 +90,12 @@ nothing to say; all the open handles related to the connection are reset.
if updates are to be strictly honored, a search operation is performed agaist
each URI. Note that this needs be performed also when the backend suffix
is used as base. In case the base is stricter, the URI pool may be restricted
by performing a cache dn fetch of the base first.
by performing a cache DN fetch of the base first.
- compare
the same applies to the compare dn.
the same applies to the compare DN.
- add
this operation is delicate. Unless the dn up to the top-level part excluded
this operation is delicate. Unless the DN up to the top-level part excluded
can be uniquely associated to a URI, and unless its uniqueness can be trusted,
no add operation should be allowed.

140
servers/slapd/back-ldap/add.c
View file

@ -33,95 +33,60 @@
int
ldap_back_add(
Operation *op,
SlapReply *rs )
Operation *op,
SlapReply *rs )
{
struct ldapinfo *li = (struct ldapinfo *) op->o_bd->be_private;
struct ldapconn *lc;
int i, j;
Attribute *a;
LDAPMod **attrs;
struct berval mapped;
struct berval mdn = BER_BVNULL;
ber_int_t msgid;
dncookie dc;
int isupdate;
int do_retry = 1;
LDAPControl **ctrls = NULL;
int rc = LDAP_SUCCESS;
struct ldapconn *lc;
int i = 0,
j = 0;
Attribute *a;
LDAPMod **attrs = NULL,
*attrs2 = NULL;
ber_int_t msgid;
int isupdate;
int do_retry = 1;
LDAPControl **ctrls = NULL;
int rc = LDAP_SUCCESS;
Debug(LDAP_DEBUG_ARGS, "==> ldap_back_add: %s\n", op->o_req_dn.bv_val, 0, 0);
lc = ldap_back_getconn(op, rs);
Debug( LDAP_DEBUG_ARGS, "==> ldap_back_add(\"%s\")\n",
op->o_req_dn.bv_val, 0, 0 );
lc = ldap_back_getconn( op, rs );
if ( !lc || !ldap_back_dobind( lc, op, rs ) ) {
return( -1 );
}
/*
* Rewrite the add dn, if needed
*/
dc.rwmap = &li->rwmap;
#ifdef ENABLE_REWRITE
dc.conn = op->o_conn;
dc.rs = rs;
dc.ctx = "addDN";
#else
dc.tofrom = 1;
dc.normalized = 0;
#endif
if ( ldap_back_dn_massage( &dc, &op->o_req_dn, &mdn ) ) {
send_ldap_result( op, rs );
return -1;
rc = -1;
goto cleanup;
}
/* Count number of attributes in entry */
for (i = 1, a = op->oq_add.rs_e->e_attrs; a; i++, a = a->a_next)
;
/* just count attrs */ ;
/* Create array of LDAPMods for ldap_add() */
attrs = (LDAPMod **)ch_malloc(sizeof(LDAPMod *)*i);
#ifdef ENABLE_REWRITE
dc.ctx = "addAttrDN";
#endif
attrs = (LDAPMod **)ch_malloc( sizeof( LDAPMod * )*i
+ sizeof( LDAPMod )*( i - 1 ) );
attrs2 = ( LDAPMod * )&attrs[ i ];
isupdate = be_shadow_update( op );
for (i=0, a=op->oq_add.rs_e->e_attrs; a; a=a->a_next) {
for ( i = 0, a = op->oq_add.rs_e->e_attrs; a; a = a->a_next ) {
if ( !isupdate && a->a_desc->ad_type->sat_no_user_mod ) {
continue;
}
ldap_back_map(&li->rwmap.rwm_at, &a->a_desc->ad_cname, &mapped,
BACKLDAP_MAP);
if (mapped.bv_val == NULL || mapped.bv_val[0] == '\0') {
continue;
attrs[ i ] = &attrs2[ i ];
attrs[ i ]->mod_op = LDAP_MOD_BVALUES;
attrs[ i ]->mod_type = a->a_desc->ad_cname.bv_val;
for ( j = 0; a->a_vals[ j ].bv_val; j++ )
/* just count vals */ ;
attrs[i]->mod_vals.modv_bvals =
ch_malloc( ( j + 1 )*sizeof( struct berval * ) );
for ( j = 0; a->a_vals[ j ].bv_val; j++ ) {
attrs[ i ]->mod_vals.modv_bvals[ j ] = &a->a_vals[ j ];
}
attrs[i] = (LDAPMod *)ch_malloc(sizeof(LDAPMod));
if (attrs[i] == NULL) {
continue;
}
attrs[i]->mod_op = LDAP_MOD_BVALUES;
attrs[i]->mod_type = mapped.bv_val;
if ( a->a_desc->ad_type->sat_syntax ==
slap_schema.si_syn_distinguishedName ) {
/*
* FIXME: rewrite could fail; in this case
* the operation should give up, right?
*/
(void)ldap_dnattr_rewrite( &dc, a->a_vals );
}
for (j=0; a->a_vals[j].bv_val; j++);
attrs[i]->mod_vals.modv_bvals = ch_malloc((j+1)*sizeof(struct berval *));
for (j=0; a->a_vals[j].bv_val; j++)
attrs[i]->mod_vals.modv_bvals[j] = &a->a_vals[j];
attrs[i]->mod_vals.modv_bvals[j] = NULL;
attrs[ i ]->mod_vals.modv_bvals[ j ] = NULL;
i++;
}
attrs[i] = NULL;
attrs[ i ] = NULL;
ctrls = op->o_ctrls;
#ifdef LDAP_BACK_PROXY_AUTHZ
@ -134,28 +99,31 @@ ldap_back_add(
#endif /* LDAP_BACK_PROXY_AUTHZ */
retry:
rs->sr_err = ldap_add_ext(lc->ld, mdn.bv_val, attrs,
ctrls, NULL, &msgid);
rs->sr_err = ldap_add_ext( lc->lc_ld, op->o_req_dn.bv_val, attrs,
ctrls, NULL, &msgid );
rc = ldap_back_op_result( lc, op, rs, msgid, 1 );
if ( rs->sr_err == LDAP_UNAVAILABLE && do_retry ) {
do_retry = 0;
if ( ldap_back_retry (lc, op, rs )) goto retry;
if ( ldap_back_retry( lc, op, rs ) ) {
goto retry;
}
}
#ifdef LDAP_BACK_PROXY_AUTHZ
cleanup:
if ( ctrls && ctrls != op->o_ctrls ) {
free( ctrls[ 0 ] );
free( ctrls );
}
#ifdef LDAP_BACK_PROXY_AUTHZ
(void)ldap_back_proxy_authz_ctrl_free( op, &ctrls );
#endif /* LDAP_BACK_PROXY_AUTHZ */
for (--i; i>= 0; --i) {
ch_free(attrs[i]->mod_vals.modv_bvals);
ch_free(attrs[i]);
}
ch_free(attrs);
if ( mdn.bv_val != op->o_req_dn.bv_val ) {
free( mdn.bv_val );
if ( attrs ) {
for ( --i; i >= 0; --i ) {
ch_free( attrs[ i ]->mod_vals.modv_bvals );
}
ch_free( attrs );
}
Debug( LDAP_DEBUG_ARGS, "<== ldap_back_add(\"%s\"): %d\n",
op->o_req_dn.bv_val, rc, 0 );
return rc;
}

141
servers/slapd/back-ldap/back-ldap.h
View file

@ -26,11 +26,6 @@
#include "proto-ldap.h"
/* String rewrite library */
#ifdef ENABLE_REWRITE
#include "rewrite.h"
#endif /* ENABLE_REWRITE */
#ifdef LDAP_DEVEL
#define LDAP_BACK_PROXY_AUTHZ
#endif
@ -42,44 +37,13 @@ struct slap_op;
struct slap_backend_db;
struct ldapconn {
struct slap_conn *conn;
LDAP *ld;
struct berval cred;
struct berval bound_dn;
struct berval local_dn;
int bound;
ldap_pvt_thread_mutex_t lc_mutex;
};
struct ldapmap {
int drop_missing;
Avlnode *map;
Avlnode *remap;
};
struct ldapmapping {
struct berval src;
struct berval dst;
};
struct ldaprwmap {
/*
* DN rewriting
*/
#ifdef ENABLE_REWRITE
struct rewrite_info *rwm_rw;
#else /* !ENABLE_REWRITE */
/* some time the suffix massaging without librewrite
* will be disabled */
BerVarray rwm_suffix_massage;
#endif /* !ENABLE_REWRITE */
/*
* Attribute/objectClass mapping
*/
struct ldapmap rwm_oc;
struct ldapmap rwm_at;
struct slap_conn *lc_conn;
LDAP *lc_ld;
struct berval lc_cred;
struct berval lc_bound_ndn;
struct berval lc_local_ndn;
int lc_bound;
ldap_pvt_thread_mutex_t lc_mutex;
};
struct ldapauth {
@ -94,9 +58,10 @@ struct ldapauth {
struct berval la_sasl_mech;
struct berval la_sasl_realm;
#define LDAP_BACK_AUTH_NONE 0x00
#define LDAP_BACK_AUTH_NATIVE_AUTHZ 0x01
int la_flags;
#define LDAP_BACK_AUTH_NONE 0x00U
#define LDAP_BACK_AUTH_NATIVE_AUTHZ 0x01U
#define LDAP_BACK_AUTH_OVERRIDE 0x02U
unsigned la_flags;
};
struct ldapinfo {
@ -135,35 +100,8 @@ struct ldapinfo {
ldap_pvt_thread_mutex_t conn_mutex;
int savecred;
Avlnode *conntree;
#if 0
#ifdef ENABLE_REWRITE
struct rewrite_info *rwinfo;
#else /* !ENABLE_REWRITE */
BerVarray suffix_massage;
#endif /* !ENABLE_REWRITE */
struct ldapmap oc_map;
struct ldapmap at_map;
#endif
struct ldaprwmap rwmap;
};
/* Whatever context ldap_back_dn_massage needs... */
typedef struct dncookie {
struct ldaprwmap *rwmap;
#ifdef ENABLE_REWRITE
Connection *conn;
char *ctx;
SlapReply *rs;
#else
int normalized;
int tofrom;
#endif
} dncookie;
int ldap_back_freeconn( Operation *op, struct ldapconn *lc );
struct ldapconn *ldap_back_getconn(struct slap_op *op, struct slap_rep *rs);
int ldap_back_dobind(struct ldapconn *lc, Operation *op, SlapReply *rs);
@ -173,62 +111,10 @@ int ldap_back_op_result(struct ldapconn *lc, Operation *op, SlapReply *rs,
ber_int_t msgid, int sendok);
int back_ldap_LTX_init_module(int argc, char *argv[]);
int ldap_back_dn_massage(dncookie *dc, struct berval *dn,
struct berval *res);
extern int ldap_back_conn_cmp( const void *c1, const void *c2);
extern int ldap_back_conn_dup( void *c1, void *c2 );
extern void ldap_back_conn_free( void *c );
/* attributeType/objectClass mapping */
int mapping_cmp (const void *, const void *);
int mapping_dup (void *, void *);
void ldap_back_map_init ( struct ldapmap *lm, struct ldapmapping ** );
void ldap_back_map ( struct ldapmap *map, struct berval *s, struct berval *m,
int remap );
#define BACKLDAP_MAP 0
#define BACKLDAP_REMAP 1
char *
ldap_back_map_filter(
struct ldapmap *at_map,
struct ldapmap *oc_map,
struct berval *f,
int remap
);
int
ldap_back_map_attrs(
struct ldapmap *at_map,
AttributeName *a,
int remap,
char ***mapped_attrs
);
extern int ldap_back_map_config(
struct ldapmap *oc_map,
struct ldapmap *at_map,
const char *fname,
int lineno,
int argc,
char **argv );
extern int
ldap_back_filter_map_rewrite(
dncookie *dc,
Filter *f,
struct berval *fstr,
int remap );
/* suffix massaging by means of librewrite */
#ifdef ENABLE_REWRITE
extern int suffix_massage_config( struct rewrite_info *info,
struct berval *pvnc, struct berval *nvnc,
struct berval *prnc, struct berval *nrnc);
#endif /* ENABLE_REWRITE */
extern int ldap_dnattr_rewrite( dncookie *dc, BerVarray a_vals );
extern int ldap_dnattr_result_rewrite( dncookie *dc, BerVarray a_vals );
#ifdef LDAP_BACK_PROXY_AUTHZ
extern int
ldap_back_proxy_authz_ctrl(
@ -236,6 +122,11 @@ ldap_back_proxy_authz_ctrl(
Operation *op,
SlapReply *rs,
LDAPControl ***pctrls );
extern int
ldap_back_proxy_authz_ctrl_free(
Operation *op,
LDAPControl ***pctrls );
#endif /* LDAP_BACK_PROXY_AUTHZ */
LDAP_END_DECL

730
servers/slapd/back-ldap/bind.c
View file

File diff suppressed because it is too large Load diff

93
servers/slapd/back-ldap/compare.c
View file

@ -33,70 +33,19 @@
int
ldap_back_compare(
Operation *op,
SlapReply *rs )
Operation *op,
SlapReply *rs )
{
struct ldapinfo *li = (struct ldapinfo *) op->o_bd->be_private;
struct ldapconn *lc;
struct berval mapped_at = BER_BVNULL, mapped_val = BER_BVNULL;
struct berval mdn = BER_BVNULL;
ber_int_t msgid;
int freeval = 0;
int do_retry = 1;
dncookie dc;
LDAPControl **ctrls = NULL;
int rc = LDAP_SUCCESS;
struct ldapconn *lc;
ber_int_t msgid;
int do_retry = 1;
LDAPControl **ctrls = NULL;
int rc = LDAP_SUCCESS;
lc = ldap_back_getconn(op, rs);
lc = ldap_back_getconn( op, rs );
if (!lc || !ldap_back_dobind( lc, op, rs ) ) {
return( -1 );
}
/*
* Rewrite the compare dn, if needed
*/
dc.rwmap = &li->rwmap;
#ifdef ENABLE_REWRITE
dc.conn = op->o_conn;
dc.rs = rs;
dc.ctx = "compareDN";
#else
dc.tofrom = 1;
dc.normalized = 0;
#endif
if ( ldap_back_dn_massage( &dc, &op->o_req_ndn, &mdn ) ) {
send_ldap_result( op, rs );
return -1;
}
if ( op->orc_ava->aa_desc == slap_schema.si_ad_objectClass
|| op->orc_ava->aa_desc == slap_schema.si_ad_structuralObjectClass ) {
ldap_back_map(&li->rwmap.rwm_oc, &op->orc_ava->aa_value,
&mapped_val, BACKLDAP_MAP);
if (mapped_val.bv_val == NULL || mapped_val.bv_val[0] == '\0') {
return( -1 );
}
mapped_at = op->orc_ava->aa_desc->ad_cname;
} else {
ldap_back_map(&li->rwmap.rwm_at,
&op->orc_ava->aa_desc->ad_cname, &mapped_at,
BACKLDAP_MAP);
if (mapped_at.bv_val == NULL || mapped_at.bv_val[0] == '\0') {
return( -1 );
}
if (op->orc_ava->aa_desc->ad_type->sat_syntax == slap_schema.si_syn_distinguishedName ) {
#ifdef ENABLE_REWRITE
dc.ctx = "compareAttrDN";
#endif
ldap_back_dn_massage( &dc, &op->orc_ava->aa_value, &mapped_val );
if (mapped_val.bv_val == NULL || mapped_val.bv_val[0] == '\0') {
mapped_val = op->orc_ava->aa_value;
} else if (mapped_val.bv_val != op->orc_ava->aa_value.bv_val) {
freeval = 1;
}
} else {
mapped_val = op->orc_ava->aa_value;
}
rc = -1;
goto cleanup;
}
ctrls = op->o_ctrls;
@ -110,28 +59,22 @@ ldap_back_compare(
#endif /* LDAP_BACK_PROXY_AUTHZ */
retry:
rs->sr_err = ldap_compare_ext( lc->ld, mdn.bv_val,
mapped_at.bv_val, &mapped_val,
rs->sr_err = ldap_compare_ext( lc->lc_ld, op->o_req_ndn.bv_val,
op->orc_ava->aa_desc->ad_cname.bv_val,
&op->orc_ava->aa_value,
ctrls, NULL, &msgid );
rc = ldap_back_op_result( lc, op, rs, msgid, 1 );
if ( rs->sr_err == LDAP_UNAVAILABLE && do_retry ) {
do_retry = 0;
if ( ldap_back_retry (lc, op, rs )) goto retry;
if ( ldap_back_retry(lc, op, rs ) ) {
goto retry;
}
}
#ifdef LDAP_BACK_PROXY_AUTHZ
cleanup:
if ( ctrls && ctrls != op->o_ctrls ) {
free( ctrls[ 0 ] );
free( ctrls );
}
#ifdef LDAP_BACK_PROXY_AUTHZ
(void)ldap_back_proxy_authz_ctrl_free( op, &ctrls );
#endif /* LDAP_BACK_PROXY_AUTHZ */
if ( mdn.bv_val != op->o_req_ndn.bv_val ) {
free( mdn.bv_val );
}
if ( freeval ) {
free( mapped_val.bv_val );
}
return rc;
}

494
servers/slapd/back-ldap/config.c
View file

@ -43,36 +43,40 @@ parse_idassert( BackendDB *be, const char *fname, int lineno,
int
ldap_back_db_config(
BackendDB *be,
const char *fname,
int lineno,
int argc,
char **argv
)
BackendDB *be,
const char *fname,
int lineno,
int argc,
char **argv )
{
struct ldapinfo *li = (struct ldapinfo *) be->be_private;
if ( li == NULL ) {
fprintf( stderr, "%s: line %d: ldap backend info is null!\n",
fname, lineno );
return( 1 );
fname, lineno );
return 1;
}
/* server address to query (depricated, use "uri" directive) */
if ( strcasecmp( argv[0], "server" ) == 0 ) {
ber_len_t l;
if (argc != 2) {
fprintf( stderr,
"%s: line %d: \"server <address>\" directive is deprecated\n",
fname, lineno );
if ( argc != 2 ) {
fprintf( stderr,
"%s: line %d: missing address in \"server <address>\" line\n",
fname, lineno );
return( 1 );
fname, lineno );
return 1;
}
if ( li->url != NULL ) {
ch_free( li->url );
}
if (li->url != NULL)
ch_free(li->url);
l = strlen( argv[1] ) + STRLENOF( "ldap:///") + 1;
li->url = ch_calloc( l, sizeof( char ) );
if (li->url == NULL) {
if ( li->url == NULL ) {
fprintf( stderr, "%s: line %d: malloc failed\n" );
return 1;
}
@ -81,15 +85,15 @@ ldap_back_db_config(
/* URI of server to query (preferred over "server" directive) */
} else if ( strcasecmp( argv[0], "uri" ) == 0 ) {
LDAPURLDesc tmplud, *tmpludp;
LDAPURLDesc *tmpludp;
int urlrc;
if (argc != 2) {
if ( argc != 2 ) {
fprintf( stderr, "%s: line %d: "
"missing uri "
"in \"uri <uri>\" line\n",
fname, lineno );
return( 1 );
"missing uri "
"in \"uri <uri>\" line\n",
fname, lineno );
return 1;
}
if ( li->url != NULL ) {
ch_free( li->url );
@ -142,29 +146,31 @@ ldap_back_db_config(
break;
}
fprintf( stderr, "%s: line %d: "
"unable to parse uri \"%s\" "
"in \"uri <uri>\" line: %s\n",
fname, lineno, argv[ 1 ], why );
"unable to parse uri \"%s\" "
"in \"uri <uri>\" line: %s\n",
fname, lineno, argv[ 1 ], why );
return 1;
}
for ( tmpludp = li->lud; tmpludp; tmpludp = tmpludp->lud_next ) {
if ( ( tmpludp->lud_dn != NULL && tmpludp->lud_dn[0] != '\0' )
if ( ( tmpludp->lud_dn != NULL
&& tmpludp->lud_dn[0] != '\0' )
|| tmpludp->lud_attrs != NULL
|| tmpludp->lud_filter != NULL
|| tmpludp->lud_exts != NULL )
{
fprintf( stderr, "%s: line %d: "
"warning, only protocol, "
"host and port allowed "
"in \"uri <uri>\" statement "
"for \"%s\"\n",
fname, lineno, argv[1] );
"warning, only protocol, "
"host and port allowed "
"in \"uri <uri>\" statement "
"for \"%s\"\n",
fname, lineno, argv[1] );
}
}
#if 0
for ( tmpludp = li->lud; tmpludp; tmpludp = tmpludp->lud_next ) {
LDAPURLDesc tmplud;
char *tmpurl;
ber_len_t oldlen = 0, len;
@ -206,10 +212,10 @@ ldap_back_db_config(
/* name to use for ldap_back_group */
} else if ( strcasecmp( argv[0], "acl-authcdn" ) == 0
|| strcasecmp( argv[0], "binddn" ) == 0 ) {
if (argc != 2) {
if ( argc != 2 ) {
fprintf( stderr,
"%s: line %d: missing name in \"%s <name>\" line\n",
fname, lineno, argv[0] );
fname, lineno, argv[0] );
return( 1 );
}
ber_str2bv( argv[1], 0, 1, &li->acl_authcDN );
@ -217,10 +223,10 @@ ldap_back_db_config(
/* password to use for ldap_back_group */
} else if ( strcasecmp( argv[0], "acl-passwd" ) == 0
|| strcasecmp( argv[0], "bindpw" ) == 0 ) {
if (argc != 2) {
if ( argc != 2 ) {
fprintf( stderr,
"%s: line %d: missing password in \"%s <password>\" line\n",
fname, lineno, argv[0] );
fname, lineno, argv[0] );
return( 1 );
}
ber_str2bv( argv[1], 0, 1, &li->acl_passwd );
@ -234,304 +240,37 @@ ldap_back_db_config(
/* save bind creds for referral rebinds? */
} else if ( strcasecmp( argv[0], "rebind-as-user" ) == 0 ) {
if (argc != 1) {
if ( argc != 1 ) {
fprintf( stderr,
"%s: line %d: rebind-as-user takes no arguments\n",
fname, lineno );
fname, lineno );
return( 1 );
}
li->savecred = 1;
/* intercept exop_who_am_i? */
} else if ( strcasecmp( argv[0], "proxy-whoami" ) == 0 ) {
if (argc != 1) {
if ( argc != 1 ) {
fprintf( stderr,
"%s: line %d: proxy-whoami takes no arguments\n",
fname, lineno );
fname, lineno );
return( 1 );
}
load_extop( (struct berval *)&slap_EXOP_WHOAMI,
0, ldap_back_exop_whoami );
0, ldap_back_exop_whoami );
/* dn massaging */
} else if ( strcasecmp( argv[0], "suffixmassage" ) == 0 ) {
BackendDB *tmp_be;
struct berval bvnc, nvnc, pvnc, brnc, nrnc, prnc;
#ifdef ENABLE_REWRITE
int rc;
#endif /* ENABLE_REWRITE */
/*
* syntax:
*
* suffixmassage <suffix> <massaged suffix>
*
* the <suffix> field must be defined as a valid suffix
* (or suffixAlias?) for the current database;
* the <massaged suffix> shouldn't have already been
* defined as a valid suffix or suffixAlias for the
* current server
*/
if ( argc != 3 ) {
fprintf( stderr, "%s: line %d: syntax is"
" \"suffixMassage <suffix>"
" <massaged suffix>\"\n",
fname, lineno );
return( 1 );
}
ber_str2bv( argv[1], 0, 0, &bvnc );
if ( dnPrettyNormal( NULL, &bvnc, &pvnc, &nvnc, NULL ) != LDAP_SUCCESS ) {
fprintf( stderr, "%s: line %d: suffix DN %s is invalid\n",
fname, lineno, bvnc.bv_val );
return( 1 );
}
tmp_be = select_backend( &nvnc, 0, 0 );
if ( tmp_be != NULL && tmp_be != be ) {
fprintf( stderr, "%s: line %d: suffix already in use"
" by another backend in"
" \"suffixMassage <suffix>"
" <massaged suffix>\"\n",
fname, lineno );
free( nvnc.bv_val );
free( pvnc.bv_val );
return( 1 );
}
ber_str2bv( argv[2], 0, 0, &brnc );
if ( dnPrettyNormal( NULL, &brnc, &prnc, &nrnc, NULL ) != LDAP_SUCCESS ) {
fprintf( stderr, "%s: line %d: suffix DN %s is invalid\n",
fname, lineno, brnc.bv_val );
free( nvnc.bv_val );
free( pvnc.bv_val );
return( 1 );
}
#if 0
tmp_be = select_backend( &nrnc, 0, 0 );
if ( tmp_be != NULL ) {
fprintf( stderr, "%s: line %d: massaged suffix"
" already in use by another backend in"
" \"suffixMassage <suffix>"
" <massaged suffix>\"\n",
fname, lineno );
free( nvnc.bv_val );
free( pvnc.bv_val );
free( nrnc.bv_val );
free( prnc.bv_val );
return( 1 );
}
#endif
#ifdef ENABLE_REWRITE
/*
* The suffix massaging is emulated by means of the
* rewrite capabilities
* FIXME: no extra rewrite capabilities should be added
* to the database
*/
rc = suffix_massage_config( li->rwmap.rwm_rw,
&pvnc, &nvnc, &prnc, &nrnc );
free( nvnc.bv_val );
free( pvnc.bv_val );
free( nrnc.bv_val );
free( prnc.bv_val );
return( rc );
#else /* !ENABLE_REWRITE */
ber_bvarray_add( &li->rwmap.rwm_suffix_massage, &pvnc );
ber_bvarray_add( &li->rwmap.rwm_suffix_massage, &nvnc );
ber_bvarray_add( &li->rwmap.rwm_suffix_massage, &prnc );
ber_bvarray_add( &li->rwmap.rwm_suffix_massage, &nrnc );
#endif /* !ENABLE_REWRITE */
/* rewrite stuff ... */
} else if ( strncasecmp( argv[0], "rewrite", 7 ) == 0 ) {
#ifdef ENABLE_REWRITE
return rewrite_parse( li->rwmap.rwm_rw,
fname, lineno, argc, argv );
#else /* !ENABLE_REWRITE */
fprintf( stderr, "%s: line %d: rewrite capabilities "
"are not enabled\n", fname, lineno );
#endif /* !ENABLE_REWRITE */
/* objectclass/attribute mapping */
} else if ( strcasecmp( argv[0], "map" ) == 0 ) {
return ldap_back_map_config( &li->rwmap.rwm_oc,
&li->rwmap.rwm_at,
fname, lineno, argc, argv );
/* anything else */
} else {
return SLAP_CONF_UNKNOWN;
}
return 0;
}
int
ldap_back_map_config(
struct ldapmap *oc_map,
struct ldapmap *at_map,
const char *fname,
int lineno,
int argc,
char **argv )
{
struct ldapmap *map;
struct ldapmapping *mapping;
char *src, *dst;
int is_oc = 0;
if ( argc < 3 || argc > 4 ) {
fprintf( stderr,
"%s: line %d: syntax is \"map {objectclass | attribute} [<local> | *] {<foreign> | *}\"\n",
fname, lineno );
return 1;
}
if ( strcasecmp( argv[1], "objectclass" ) == 0 ) {
map = oc_map;
is_oc = 1;
} else if ( strcasecmp( argv[1], "attribute" ) == 0 ) {
map = at_map;
} else {
fprintf( stderr, "%s: line %d: syntax is "
"\"map {objectclass | attribute} [<local> | *] "
"{<foreign> | *}\"\n",
fname, lineno );
return 1;
}
if ( strcmp( argv[2], "*" ) == 0 ) {
if ( argc < 4 || strcmp( argv[3], "*" ) == 0 ) {
map->drop_missing = ( argc < 4 );
return 0;
}
src = dst = argv[3];
} else if ( argc < 4 ) {
src = "";
dst = argv[2];
} else {
src = argv[2];
dst = ( strcmp( argv[3], "*" ) == 0 ? src : argv[3] );
}
if ( ( map == at_map )
&& ( strcasecmp( src, "objectclass" ) == 0
|| strcasecmp( dst, "objectclass" ) == 0 ) )
{
fprintf( stderr,
"%s: line %d: objectclass attribute cannot be mapped\n",
fname, lineno );
}
mapping = (struct ldapmapping *)ch_calloc( 2,
sizeof(struct ldapmapping) );
if ( mapping == NULL ) {
fprintf( stderr,
"%s: line %d: out of memory\n",
fname, lineno );
return 1;
}
ber_str2bv( src, 0, 1, &mapping->src );
ber_str2bv( dst, 0, 1, &mapping->dst );
mapping[1].src = mapping->dst;
mapping[1].dst = mapping->src;
/*
* schema check
*/
if ( is_oc ) {
if ( src[0] != '\0' ) {
if ( oc_bvfind( &mapping->src ) == NULL ) {
fprintf( stderr,
"%s: line %d: warning, source objectClass '%s' "
"should be defined in schema\n",
fname, lineno, src );
/*
* FIXME: this should become an err
*/
goto error_return;
}
}
if ( oc_bvfind( &mapping->dst ) == NULL ) {
fprintf( stderr,
"%s: line %d: warning, destination objectClass '%s' "
"is not defined in schema\n",
fname, lineno, dst );
}
} else {
int rc;
const char *text = NULL;
AttributeDescription *ad = NULL;
if ( src[0] != '\0' ) {
rc = slap_bv2ad( &mapping->src, &ad, &text );
if ( rc != LDAP_SUCCESS ) {
fprintf( stderr,
"%s: line %d: warning, source attributeType '%s' "
"should be defined in schema\n",
fname, lineno, src );
/*
* FIXME: this should become an err
*/
goto error_return;
}
ad = NULL;
}
rc = slap_bv2ad( &mapping->dst, &ad, &text );
if ( rc != LDAP_SUCCESS ) {
fprintf( stderr,
"%s: line %d: warning, destination attributeType '%s' "
"is not defined in schema\n",
fname, lineno, dst );
}
}
if ( (src[0] != '\0' && avl_find( map->map, (caddr_t)mapping, mapping_cmp ) != NULL)
|| avl_find( map->remap, (caddr_t)&mapping[1], mapping_cmp ) != NULL)
{
fprintf( stderr,
"%s: line %d: duplicate mapping found (ignored)\n",
fname, lineno );
goto error_return;
}
if ( src[0] != '\0' ) {
avl_insert( &map->map, (caddr_t)mapping,
mapping_cmp, mapping_dup );
}
avl_insert( &map->remap, (caddr_t)&mapping[1],
mapping_cmp, mapping_dup );
return 0;
error_return:;
if ( mapping ) {
ch_free( mapping->src.bv_val );
ch_free( mapping->dst.bv_val );
ch_free( mapping );
}
return 1;
}
static int
ldap_back_exop_whoami(
Operation *op,
SlapReply *rs )
Operation *op,
SlapReply *rs )
{
struct berval *bv = NULL;
@ -569,10 +308,10 @@ ldap_back_exop_whoami(
strcpy(c.ldctl_value.bv_val+3, op->o_ndn.bv_val);
retry:
rs->sr_err = ldap_whoami(lc->ld, ctrls, NULL, &msgid);
rs->sr_err = ldap_whoami(lc->lc_ld, ctrls, NULL, &msgid);
if (rs->sr_err == LDAP_SUCCESS) {
if (ldap_result(lc->ld, msgid, 1, NULL, &res) == -1) {
ldap_get_option(lc->ld, LDAP_OPT_ERROR_NUMBER,
if (ldap_result(lc->lc_ld, msgid, 1, NULL, &res) == -1) {
ldap_get_option(lc->lc_ld, LDAP_OPT_ERROR_NUMBER,
&rs->sr_err);
if ( rs->sr_err == LDAP_SERVER_DOWN && do_retry ) {
do_retry = 0;
@ -583,7 +322,7 @@ retry:
lc = NULL;
} else {
rs->sr_err = ldap_parse_whoami(lc->ld, res, &bv);
rs->sr_err = ldap_parse_whoami(lc->lc_ld, res, &bv);
ldap_msgfree(res);
}
}
@ -594,7 +333,7 @@ retry:
} else {
/* else just do the same as before */
bv = (struct berval *) ch_malloc( sizeof(struct berval) );
if( op->o_dn.bv_len ) {
if ( !BER_BVISEMPTY( &op->o_dn ) ) {
bv->bv_len = op->o_dn.bv_len + sizeof("dn:") - 1;
bv->bv_val = ch_malloc( bv->bv_len + 1 );
AC_MEMCPY( bv->bv_val, "dn:", sizeof("dn:") - 1 );
@ -612,119 +351,6 @@ retry:
}
#ifdef ENABLE_REWRITE
static char *
suffix_massage_regexize( const char *s )
{
char *res, *ptr;
const char *p, *r;
int i;
for ( i = 0, p = s;
( r = strchr( p, ',' ) ) != NULL;
p = r + 1, i++ )
;
res = ch_calloc( sizeof( char ), strlen( s ) + 4 + 4*i + 1 );
ptr = lutil_strcopy( res, "(.*)" );
for ( i = 0, p = s;
( r = strchr( p, ',' ) ) != NULL;
p = r + 1 , i++ ) {
ptr = lutil_strncopy( ptr, p, r - p + 1 );
ptr = lutil_strcopy( ptr, "[ ]?" );
if ( r[ 1 ] == ' ' ) {
r++;
}
}
lutil_strcopy( ptr, p );
return res;
}
static char *
suffix_massage_patternize( const char *s )
{
ber_len_t len;
char *res;
len = strlen( s );
res = ch_calloc( sizeof( char ), len + sizeof( "%1" ) );
if ( res == NULL ) {
return NULL;
}
strcpy( res, "%1" );
strcpy( res + sizeof( "%1" ) - 1, s );
return res;
}
int
suffix_massage_config(
struct rewrite_info *info,
struct berval *pvnc,
struct berval *nvnc,
struct berval *prnc,
struct berval *nrnc
)
{
char *rargv[ 5 ];
int line = 0;
rargv[ 0 ] = "rewriteEngine";
rargv[ 1 ] = "on";
rargv[ 2 ] = NULL;
rewrite_parse( info, "<suffix massage>", ++line, 2, rargv );
rargv[ 0 ] = "rewriteContext";
rargv[ 1 ] = "default";
rargv[ 2 ] = NULL;
rewrite_parse( info, "<suffix massage>", ++line, 2, rargv );
rargv[ 0 ] = "rewriteRule";
rargv[ 1 ] = suffix_massage_regexize( pvnc->bv_val );
rargv[ 2 ] = suffix_massage_patternize( prnc->bv_val );
rargv[ 3 ] = ":";
rargv[ 4 ] = NULL;
rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
ch_free( rargv[ 1 ] );
ch_free( rargv[ 2 ] );
rargv[ 0 ] = "rewriteContext";
rargv[ 1 ] = "searchResult";
rargv[ 2 ] = NULL;
rewrite_parse( info, "<suffix massage>", ++line, 2, rargv );
rargv[ 0 ] = "rewriteRule";
rargv[ 1 ] = suffix_massage_regexize( prnc->bv_val );
rargv[ 2 ] = suffix_massage_patternize( pvnc->bv_val );
rargv[ 3 ] = ":";
rargv[ 4 ] = NULL;
rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
ch_free( rargv[ 1 ] );
ch_free( rargv[ 2 ] );
rargv[ 0 ] = "rewriteContext";
rargv[ 1 ] = "matchedDN";
rargv[ 2 ] = "alias";
rargv[ 3 ] = "searchResult";
rargv[ 4 ] = NULL;
rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
rargv[ 0 ] = "rewriteContext";
rargv[ 1 ] = "searchAttrDN";
rargv[ 2 ] = "alias";
rargv[ 3 ] = "searchResult";
rargv[ 4 ] = NULL;
rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
return 0;
}
#endif /* ENABLE_REWRITE */
#ifdef LDAP_BACK_PROXY_AUTHZ
static int
parse_idassert(
@ -739,9 +365,9 @@ parse_idassert(
/* identity assertion mode */
if ( strcasecmp( argv[0], "idassert-mode" ) == 0 ) {
if ( argc != 2 ) {
if ( argc < 2 ) {
Debug( LDAP_DEBUG_ANY,
"%s: line %d: illegal args number %d in \"idassert-mode <args>\" line.\n",
"%s: line %d: illegal args number %d in \"idassert-mode <args> [<flag> [...]]\" line.\n",
fname, lineno, argc );
return 1;
}
@ -802,6 +428,20 @@ parse_idassert(
}
}
for ( argc -= 2, argv += 2; argc--; argv++ ) {
if ( strcasecmp( argv[0], "override" ) == 0 ) {
li->idassert_flags |= LDAP_BACK_AUTH_OVERRIDE;
} else {
Debug( LDAP_DEBUG_ANY,
"%s: line %d: unknown flag \"%s\" "
"in \"idassert-mode <args> "
"[<flags>]\" line.\n",
fname, lineno, argv[0] );
return 1;
}
}
/* name to use for proxyAuthz propagation */
} else if ( strcasecmp( argv[0], "idassert-authcdn" ) == 0
|| strcasecmp( argv[0], "proxyauthzdn" ) == 0 )

51
servers/slapd/back-ldap/delete.c
View file

@ -33,40 +33,20 @@
int
ldap_back_delete(
Operation *op,
SlapReply *rs )
Operation *op,
SlapReply *rs )
{
struct ldapinfo *li = (struct ldapinfo *) op->o_bd->be_private;
struct ldapconn *lc;
ber_int_t msgid;
dncookie dc;
LDAPControl **ctrls = NULL;
int do_retry = 1;
int rc = LDAP_SUCCESS;
struct berval mdn = BER_BVNULL;
struct ldapconn *lc;
ber_int_t msgid;
LDAPControl **ctrls = NULL;
int do_retry = 1;
int rc = LDAP_SUCCESS;
lc = ldap_back_getconn( op, rs );
if ( !lc || !ldap_back_dobind( lc, op, rs ) ) {
return( -1 );
}
/*
* Rewrite the request dn, if needed
*/
dc.rwmap = &li->rwmap;
#ifdef ENABLE_REWRITE
dc.conn = op->o_conn;
dc.rs = rs;
dc.ctx = "deleteDN";
#else
dc.tofrom = 1;
dc.normalized = 0;
#endif
if ( ldap_back_dn_massage( &dc, &op->o_req_ndn, &mdn ) ) {
send_ldap_result( op, rs );
return -1;
rc = -1;
goto cleanup;
}
#ifdef LDAP_BACK_PROXY_AUTHZ
@ -80,7 +60,7 @@ ldap_back_delete(
#endif /* LDAP_BACK_PROXY_AUTHZ */
retry:
rs->sr_err = ldap_delete_ext( lc->ld, mdn.bv_val,
rs->sr_err = ldap_delete_ext( lc->lc_ld, op->o_req_ndn.bv_val,
ctrls, NULL, &msgid );
rc = ldap_back_op_result( lc, op, rs, msgid, 1 );
if ( rs->sr_err == LDAP_SERVER_DOWN && do_retry ) {
@ -88,17 +68,10 @@ retry:
if ( ldap_back_retry (lc, op, rs )) goto retry;
}
#ifdef LDAP_BACK_PROXY_AUTHZ
cleanup:
if ( ctrls && ctrls != op->o_ctrls ) {
free( ctrls[ 0 ] );
free( ctrls );
}
#ifdef LDAP_BACK_PROXY_AUTHZ
(void)ldap_back_proxy_authz_ctrl_free( op, &ctrls );
#endif /* LDAP_BACK_PROXY_AUTHZ */
if ( mdn.bv_val != op->o_req_ndn.bv_val ) {
free( mdn.bv_val );
}
return rc;
}

131
servers/slapd/back-ldap/extended.c
View file

@ -31,7 +31,7 @@
BI_op_extended ldap_back_exop_passwd;
static struct exop {
struct berval *oid;
struct berval *oid;
BI_op_extended *extended;
} exop_table[] = {
{ (struct berval *)&slap_EXOP_MODIFY_PASSWD, ldap_back_exop_passwd },
@ -40,36 +40,39 @@ static struct exop {
int
ldap_back_extended(
Operation *op,
SlapReply *rs )
Operation *op,
SlapReply *rs )
{
int i;
int i;
for( i=0; exop_table[i].extended != NULL; i++ ) {
if( ber_bvcmp( exop_table[i].oid, &op->oq_extended.rs_reqoid ) == 0 ) {
for ( i = 0; exop_table[i].extended != NULL; i++ ) {
if ( bvmatch( exop_table[i].oid, &op->oq_extended.rs_reqoid ) )
{
#ifdef LDAP_BACK_PROXY_AUTHZ
struct ldapconn *lc;
LDAPControl **oldctrls = NULL;
int rc;
struct ldapconn *lc;
LDAPControl **oldctrls = NULL;
int rc;
/* FIXME: this needs to be called here, so it is
* called twice; maybe we could avoid the
* ldap_back_dobind() call inside each extended()
* call ... */
lc = ldap_back_getconn(op, rs);
if (!lc || !ldap_back_dobind(lc, op, rs) ) {
lc = ldap_back_getconn( op, rs );
if ( !lc || !ldap_back_dobind( lc, op, rs ) ) {
return -1;
}
oldctrls = op->o_ctrls;
if ( ldap_back_proxy_authz_ctrl( lc, op, rs, &op->o_ctrls ) ) {
if ( ldap_back_proxy_authz_ctrl( lc, op, rs,
&op->o_ctrls ) )
{
op->o_ctrls = oldctrls;
send_ldap_result( op, rs );
rs->sr_text = NULL;
return rs->sr_err;
}
rc = (exop_table[i].extended)( op, rs );
rc = ( *exop_table[i].extended )( op, rs );
if ( op->o_ctrls && op->o_ctrls != oldctrls ) {
free( op->o_ctrls[ 0 ] );
@ -79,7 +82,7 @@ ldap_back_extended(
return rc;
#else /* ! LDAP_BACK_PROXY_AUTHZ */
return (exop_table[i].extended)( op, rs );
return ( *exop_table[i].extended )( op, rs );
#endif /* ! LDAP_BACK_PROXY_AUTHZ */
}
}
@ -90,94 +93,86 @@ ldap_back_extended(
int
ldap_back_exop_passwd(
Operation *op,
SlapReply *rs )
Operation *op,
SlapReply *rs )
{
struct ldapinfo *li = (struct ldapinfo *) op->o_bd->be_private;
struct ldapconn *lc;
req_pwdexop_s *qpw = &op->oq_pwdexop;
struct berval mdn = BER_BVNULL, newpw;
LDAPMessage *res;
ber_int_t msgid;
int rc, isproxy;
int do_retry = 1;
dncookie dc;
struct ldapconn *lc;
req_pwdexop_s *qpw = &op->oq_pwdexop;
LDAPMessage *res;
ber_int_t msgid;
int rc, isproxy;
int do_retry = 1;
lc = ldap_back_getconn(op, rs);
if (!lc || !ldap_back_dobind(lc, op, rs) ) {
lc = ldap_back_getconn( op, rs );
if ( !lc || !ldap_back_dobind( lc, op, rs ) ) {
return -1;
}
isproxy = ber_bvcmp( &op->o_req_ndn, &op->o_ndn );
Debug( LDAP_DEBUG_TRACE, "ldap_back_exop_passwd: \"%s\"%s\n",
Debug( LDAP_DEBUG_ARGS, "==> ldap_back_exop_passwd(\"%s\")%s\n",
op->o_req_dn.bv_val, isproxy ? " (proxy)" : "", 0 );
if ( isproxy ) {
dc.rwmap = &li->rwmap;
#ifdef ENABLE_REWRITE
dc.conn = op->o_conn;
dc.rs = rs;
dc.ctx = "exopPasswdDN";
#else
dc.tofrom = 1;
dc.normalized = 0;
#endif
if ( ldap_back_dn_massage( &dc, &op->o_req_dn, &mdn ) ) {
send_ldap_result( op, rs );
return -1;
}
}
retry:
rc = ldap_passwd(lc->ld, isproxy ? &mdn : NULL,
rc = ldap_passwd( lc->lc_ld, isproxy ? &op->o_req_dn : NULL,
qpw->rs_old.bv_val ? &qpw->rs_old : NULL,
qpw->rs_new.bv_val ? &qpw->rs_new : NULL,
op->o_ctrls, NULL, &msgid);
op->o_ctrls, NULL, &msgid );
if (rc == LDAP_SUCCESS) {
if (ldap_result(lc->ld, msgid, 1, NULL, &res) == -1) {
ldap_get_option(lc->ld, LDAP_OPT_ERROR_NUMBER, &rc);
if ( rc == LDAP_SUCCESS ) {
if ( ldap_result( lc->lc_ld, msgid, 1, NULL, &res ) == -1 ) {
ldap_get_option( lc->lc_ld, LDAP_OPT_ERROR_NUMBER, &rc );
ldap_back_freeconn( op, lc );
lc = NULL;
} else {
/* sigh. parse twice, because parse_passwd doesn't give
* us the err / match / msg info.
/* sigh. parse twice, because parse_passwd
* doesn't give us the err / match / msg info.
*/
rc = ldap_parse_result(lc->ld, res, &rs->sr_err, (char **)&rs->sr_matched, (char **)&rs->sr_text,
NULL, NULL, 0);
if (rc == LDAP_SUCCESS) {
if (rs->sr_err == LDAP_SUCCESS) {
rc = ldap_parse_passwd(lc->ld, res, &newpw);
if (rc == LDAP_SUCCESS && newpw.bv_val) {
rc = ldap_parse_result( lc->lc_ld, res, &rs->sr_err,
(char **)&rs->sr_matched,
(char **)&rs->sr_text,
NULL, NULL, 0 );
if ( rc == LDAP_SUCCESS ) {
if ( rs->sr_err == LDAP_SUCCESS ) {
struct berval newpw;
rc = ldap_parse_passwd( lc->lc_ld, res,
&newpw);
if ( rc == LDAP_SUCCESS &&
!BER_BVISNULL( &newpw ) )
{
rs->sr_type = REP_EXTENDED;
rs->sr_rspdata = slap_passwd_return(&newpw);
free(newpw.bv_val);
rs->sr_rspdata = slap_passwd_return( &newpw );
free( newpw.bv_val );
}
} else {
rc = rs->sr_err;
}
}
ldap_msgfree(res);
ldap_msgfree( res );
}
}
if (rc != LDAP_SUCCESS) {
if ( rc != LDAP_SUCCESS ) {
rs->sr_err = slap_map_api2result( rs );
if ( rs->sr_err == LDAP_UNAVAILABLE && do_retry ) {
do_retry = 0;
if ( ldap_back_retry (lc, op, rs )) goto retry;
if ( ldap_back_retry(lc, op, rs ) ) {
goto retry;
}
}
send_ldap_result( op, rs );
if ( rs->sr_matched ) {
free( (char *)rs->sr_matched );
}
if ( rs->sr_text ) {
free( (char *)rs->sr_text );
}
send_ldap_result(op, rs);
if (rs->sr_matched) free((char *)rs->sr_matched);
if (rs->sr_text) free((char *)rs->sr_text);
rs->sr_matched = NULL;
rs->sr_text = NULL;
rc = -1;
}
if (mdn.bv_val != op->o_req_dn.bv_val) {
free(mdn.bv_val);
}
return rc;
}

152
servers/slapd/back-ldap/init.c
View file

@ -33,33 +33,31 @@
#include "external.h"
#if SLAPD_LDAP == SLAPD_MOD_DYNAMIC
int
init_module( int argc, char *argv[] )
{
BackendInfo bi;
int init_module(int argc, char *argv[]) {
BackendInfo bi;
memset( &bi, '\0', sizeof( bi ) );
bi.bi_type = "ldap";
bi.bi_init = ldap_back_initialize;
memset( &bi, '\0', sizeof(bi) );
bi.bi_type = "ldap";
bi.bi_init = ldap_back_initialize;
backend_add(&bi);
return 0;
backend_add( &bi );
return 0;
}
#endif /* SLAPD_LDAP */
int
ldap_back_open(
BackendInfo *bi
)
ldap_back_open( BackendInfo *bi )
{
bi->bi_controls = slap_known_controls;
return 0;
}
int
ldap_back_initialize(
BackendInfo *bi
)
ldap_back_initialize( BackendInfo *bi )
{
bi->bi_open = ldap_back_open;
bi->bi_config = 0;
@ -94,14 +92,11 @@ ldap_back_initialize(
}
int
ldap_back_db_init(
Backend *be
)
ldap_back_db_init( Backend *be )
{
struct ldapinfo *li;
struct ldapmapping *mapping;
li = (struct ldapinfo *) ch_calloc( 1, sizeof(struct ldapinfo) );
li = (struct ldapinfo *)ch_calloc( 1, sizeof( struct ldapinfo ) );
if ( li == NULL ) {
return -1;
}
@ -130,42 +125,10 @@ ldap_back_db_init(
li->idassert_flags = LDAP_BACK_AUTH_NONE;
#endif /* LDAP_BACK_PROXY_AUTHZ */
#ifdef ENABLE_REWRITE
li->rwmap.rwm_rw = rewrite_info_init( REWRITE_MODE_USE_DEFAULT );
if ( li->rwmap.rwm_rw == NULL ) {
ch_free( li );
return -1;
}
{
char *rargv[3];
/*
* the filter rewrite as a string must be disabled
* by default; it can be re-enabled by adding rules;
* this creates an empty rewriteContext
*/
rargv[ 0 ] = "rewriteContext";
rargv[ 1 ] = "searchFilter";
rargv[ 2 ] = NULL;
rewrite_parse( li->rwmap.rwm_rw, "<suffix massage>",
1, 2, rargv );
rargv[ 0 ] = "rewriteContext";
rargv[ 1 ] = "default";
rargv[ 2 ] = NULL;
rewrite_parse( li->rwmap.rwm_rw, "<suffix massage>",
1, 2, rargv );
}
#endif /* ENABLE_REWRITE */
ldap_pvt_thread_mutex_init( &li->conn_mutex );
ldap_back_map_init( &li->rwmap.rwm_oc, &mapping );
ldap_back_map_init( &li->rwmap.rwm_at, &mapping );
be->be_private = li;
SLAP_DBFLAGS(be) |= SLAP_DBFLAG_NOLASTMOD;
SLAP_DBFLAGS( be ) |= SLAP_DBFLAG_NOLASTMOD;
return 0;
}
@ -176,7 +139,7 @@ ldap_back_db_open( BackendDB *be )
struct ldapinfo *li = (struct ldapinfo *)be->be_private;
Debug( LDAP_DEBUG_TRACE,
"ldap_back_db_open: URI=%s\n", li->url, 0, 0 );
"ldap_back_db_open: URI=%s\n", li->url, 0, 0 );
#ifdef LDAP_BACK_PROXY_AUTHZ
/* by default, use proxyAuthz control on each operation */
@ -193,39 +156,55 @@ ldap_back_db_open( BackendDB *be )
}
#endif /* LDAP_BACK_PROXY_AUTHZ */
#ifdef SLAPD_MONITOR
{
struct berval filter,
base = BER_BVC( "cn=Databases,cn=Monitor" );
const char *text;
struct berval vals[ 2 ];
Attribute a = { 0 };
filter.bv_len = STRLENOF( "(&(namingContexts=)(monitoredInfo=ldap))" )
+ be->be_nsuffix[ 0 ].bv_len;
filter.bv_val = ch_malloc( filter.bv_len + 1 );
snprintf( filter.bv_val, filter.bv_len + 1,
"(&(namingContexts=%s)(monitoredInfo=ldap))",
be->be_nsuffix[ 0 ].bv_val );
a.a_desc = slap_schema.si_ad_labeledURI;
ber_str2bv( li->url, 0, 0, &vals[ 0 ] );
BER_BVZERO( &vals[ 1 ] );
a.a_vals = vals;
a.a_nvals = vals;
if ( monitor_back_register_entry_attrs( NULL, &a, NULL, &base, LDAP_SCOPE_SUBTREE, &filter ) ) {
/* error */
}
}
#endif /* SLAPD_MONITOR */
return 0;
}
void
ldap_back_conn_free(
void *v_lc
)
ldap_back_conn_free( void *v_lc )
{
struct ldapconn *lc = v_lc;
ldap_unbind( lc->ld );
if ( lc->bound_dn.bv_val ) {
ch_free( lc->bound_dn.bv_val );
struct ldapconn *lc = v_lc;
ldap_unbind_ext_s( lc->lc_ld, NULL, NULL );
if ( !BER_BVISNULL( &lc->lc_bound_ndn ) ) {
ch_free( lc->lc_bound_ndn.bv_val );
}
if ( lc->cred.bv_val ) {
memset( lc->cred.bv_val, 0, lc->cred.bv_len );
ch_free( lc->cred.bv_val );
if ( !BER_BVISNULL( &lc->lc_cred ) ) {
memset( lc->lc_cred.bv_val, 0, lc->lc_cred.bv_len );
ch_free( lc->lc_cred.bv_val );
}
if ( lc->local_dn.bv_val ) {
ch_free( lc->local_dn.bv_val );
if ( !BER_BVISNULL( &lc->lc_local_ndn ) ) {
ch_free( lc->lc_local_ndn.bv_val );
}
ldap_pvt_thread_mutex_destroy( &lc->lc_mutex );
ch_free( lc );
}
static void
mapping_free( void *v_mapping )
{
struct ldapmapping *mapping = v_mapping;
ch_free( mapping->src.bv_val );
ch_free( mapping->dst.bv_val );
ch_free( mapping );
}
int
ldap_back_db_destroy(
Backend *be
@ -233,13 +212,13 @@ ldap_back_db_destroy(
{
struct ldapinfo *li;
if (be->be_private) {
li = (struct ldapinfo *)be->be_private;
if ( be->be_private ) {
li = ( struct ldapinfo * )be->be_private;
ldap_pvt_thread_mutex_lock( &li->conn_mutex );
if (li->url) {
ch_free(li->url);
if ( li->url ) {
ch_free( li->url );
li->url = NULL;
}
if ( li->lud ) {
@ -280,28 +259,15 @@ ldap_back_db_destroy(
BER_BVZERO( &li->idassert_sasl_realm );
}
#endif /* LDAP_BACK_PROXY_AUTHZ */
if (li->conntree) {
if ( li->conntree ) {
avl_free( li->conntree, ldap_back_conn_free );
}
#ifdef ENABLE_REWRITE
if (li->rwmap.rwm_rw) {
rewrite_info_delete( &li->rwmap.rwm_rw );
}
#else /* !ENABLE_REWRITE */
if (li->rwmap.rwm_suffix_massage) {
ber_bvarray_free( li->rwmap.rwm_suffix_massage );
}
#endif /* !ENABLE_REWRITE */
avl_free( li->rwmap.rwm_oc.remap, NULL );
avl_free( li->rwmap.rwm_oc.map, mapping_free );
avl_free( li->rwmap.rwm_at.remap, NULL );
avl_free( li->rwmap.rwm_at.map, mapping_free );
ldap_pvt_thread_mutex_unlock( &li->conn_mutex );
ldap_pvt_thread_mutex_destroy( &li->conn_mutex );
}
ch_free( be->be_private );
return 0;
}

154
servers/slapd/back-ldap/modify.c
View file

@ -33,130 +33,67 @@
int
ldap_back_modify(
Operation *op,
SlapReply *rs )
Operation *op,
SlapReply *rs )
{
struct ldapinfo *li = (struct ldapinfo *) op->o_bd->be_private;
struct ldapconn *lc;
LDAPMod **modv = NULL;
LDAPMod *mods;
Modifications *ml;
int i, j, rc;
struct berval mapped;
struct berval mdn = BER_BVNULL;
ber_int_t msgid;
dncookie dc;
int isupdate;
int do_retry = 1;
LDAPControl **ctrls = NULL;
struct ldapconn *lc;
LDAPMod **modv = NULL,
*mods = NULL;
Modifications *ml;
int i, j, rc;
ber_int_t msgid;
int isupdate;
int do_retry = 1;
LDAPControl **ctrls = NULL;
lc = ldap_back_getconn(op, rs);
lc = ldap_back_getconn( op, rs );
if ( !lc || !ldap_back_dobind( lc, op, rs ) ) {
return( -1 );
}
/*
* Rewrite the modify dn, if needed
*/
dc.rwmap = &li->rwmap;
#ifdef ENABLE_REWRITE
dc.conn = op->o_conn;
dc.rs = rs;
dc.ctx = "modifyDN";
#else
dc.tofrom = 1;
dc.normalized = 0;
#endif
if ( ldap_back_dn_massage( &dc, &op->o_req_ndn, &mdn ) ) {
send_ldap_result( op, rs );
return -1;
}
for (i=0, ml=op->oq_modify.rs_modlist; ml; i++,ml=ml->sml_next)
;
for ( i = 0, ml = op->oq_modify.rs_modlist; ml; i++, ml = ml->sml_next )
/* just count mods */ ;
mods = (LDAPMod *)ch_malloc(i*sizeof(LDAPMod));
if (mods == NULL) {
modv = (LDAPMod **)ch_malloc( ( i + 1 )*sizeof( LDAPMod * )
+ i*sizeof( LDAPMod ) );
if ( modv == NULL ) {
rc = LDAP_NO_MEMORY;
goto cleanup;
}
modv = (LDAPMod **)ch_malloc((i+1)*sizeof(LDAPMod *));
if (modv == NULL) {
rc = LDAP_NO_MEMORY;
goto cleanup;
}
#ifdef ENABLE_REWRITE
dc.ctx = "modifyAttrDN";
#endif
mods = (LDAPMod *)&modv[ i + 1 ];
isupdate = be_shadow_update( op );
for (i=0, ml=op->oq_modify.rs_modlist; ml; ml=ml->sml_next) {
int is_oc = 0;
for ( i = 0, ml = op->oq_modify.rs_modlist; ml; ml = ml->sml_next ) {
if ( !isupdate && ml->sml_desc->ad_type->sat_no_user_mod ) {
continue;
}
if ( ml->sml_desc == slap_schema.si_ad_objectClass
|| ml->sml_desc == slap_schema.si_ad_structuralObjectClass ) {
is_oc = 1;
mapped = ml->sml_desc->ad_cname;
} else {
ldap_back_map(&li->rwmap.rwm_at,
&ml->sml_desc->ad_cname,
&mapped, BACKLDAP_MAP);
if (mapped.bv_val == NULL || mapped.bv_val[0] == '\0') {
continue;
}
}
modv[i] = &mods[i];
mods[i].mod_op = ml->sml_op | LDAP_MOD_BVALUES;
mods[i].mod_type = mapped.bv_val;
modv[ i ] = &mods[ i ];
mods[ i ].mod_op = ( ml->sml_op | LDAP_MOD_BVALUES );
mods[ i ].mod_type = ml->sml_desc->ad_cname.bv_val;
if ( ml->sml_values != NULL ) {
if ( is_oc ) {
for (j = 0; ml->sml_values[j].bv_val; j++);
mods[i].mod_bvalues = (struct berval **)ch_malloc((j+1) *
sizeof(struct berval *));
for (j = 0; ml->sml_values[j].bv_val; j++) {
ldap_back_map(&li->rwmap.rwm_oc,
&ml->sml_values[j],
&mapped, BACKLDAP_MAP);
if (mapped.bv_val == NULL || mapped.bv_val[0] == '\0') {
continue;
}
mods[i].mod_bvalues[j] = &mapped;
}
mods[i].mod_bvalues[j] = NULL;
} else {
if ( ml->sml_desc->ad_type->sat_syntax ==
slap_schema.si_syn_distinguishedName ) {
ldap_dnattr_rewrite( &dc, ml->sml_values );
}
if ( ml->sml_values == NULL ) {
continue;
}
for (j = 0; ml->sml_values[j].bv_val; j++);
mods[i].mod_bvalues = (struct berval **)ch_malloc((j+1) *
sizeof(struct berval *));
for (j = 0; ml->sml_values[j].bv_val; j++)
mods[i].mod_bvalues[j] = &ml->sml_values[j];
mods[i].mod_bvalues[j] = NULL;
if ( ml->sml_values == NULL ) {
continue;
}
for ( j = 0; !BER_BVISNULL( &ml->sml_values[ j ] ); j++ )
/* just count mods */ ;
mods[ i ].mod_bvalues =
(struct berval **)ch_malloc( ( j + 1 )*sizeof( struct berval * ) );
for ( j = 0; !BER_BVISNULL( &ml->sml_values[ j ] ); j++ )
{
mods[ i ].mod_bvalues[ j ] = &ml->sml_values[ j ];
}
mods[ i ].mod_bvalues[ j ] = NULL;
} else {
mods[i].mod_bvalues = NULL;
mods[ i ].mod_bvalues = NULL;
}
i++;
}
modv[i] = 0;
modv[ i ] = 0;
ctrls = op->o_ctrls;
#ifdef LDAP_BACK_PROXY_AUTHZ
@ -169,29 +106,24 @@ ldap_back_modify(
#endif /* LDAP_BACK_PROXY_AUTHZ */
retry:
rs->sr_err = ldap_modify_ext( lc->ld, mdn.bv_val, modv,
rs->sr_err = ldap_modify_ext( lc->lc_ld, op->o_req_ndn.bv_val, modv,
ctrls, NULL, &msgid );
rc = ldap_back_op_result( lc, op, rs, msgid, 1 );
if ( rs->sr_err == LDAP_UNAVAILABLE && do_retry ) {
do_retry = 0;
if ( ldap_back_retry (lc, op, rs )) goto retry;
if ( ldap_back_retry(lc, op, rs ) ) {
goto retry;
}
}
cleanup:;
#ifdef LDAP_BACK_PROXY_AUTHZ
if ( ctrls && ctrls != op->o_ctrls ) {
free( ctrls[ 0 ] );
free( ctrls );
}
(void)ldap_back_proxy_authz_ctrl_free( op, &ctrls );
#endif /* LDAP_BACK_PROXY_AUTHZ */
if ( mdn.bv_val != op->o_req_ndn.bv_val ) {
free( mdn.bv_val );
for ( i = 0; modv[ i ]; i++ ) {
ch_free( modv[ i ]->mod_bvalues );
}
for (i=0; modv[i]; i++) {
ch_free(modv[i]->mod_bvalues);
}
ch_free( mods );
ch_free( modv );
return rc;

83
servers/slapd/back-ldap/modrdn.c
View file

@ -33,58 +33,26 @@
int
ldap_back_modrdn(
Operation *op,
SlapReply *rs )
Operation *op,
SlapReply *rs )
{
struct ldapinfo *li = (struct ldapinfo *) op->o_bd->be_private;
struct ldapconn *lc;
ber_int_t msgid;
dncookie dc;
LDAPControl **ctrls = NULL;
int do_retry = 1;
int rc = LDAP_SUCCESS;
struct berval mdn = BER_BVNULL, mnewSuperior = BER_BVNULL;
ber_int_t msgid;
LDAPControl **ctrls = NULL;
int do_retry = 1;
int rc = LDAP_SUCCESS;
char *newSup = NULL;
lc = ldap_back_getconn( op, rs );
if ( !lc || !ldap_back_dobind(lc, op, rs) ) {
if ( !lc || !ldap_back_dobind( lc, op, rs ) ) {
return( -1 );
}
dc.rwmap = &li->rwmap;
#ifdef ENABLE_REWRITE
dc.conn = op->o_conn;
dc.rs = rs;
#else
dc.tofrom = 1;
dc.normalized = 0;
#endif
if (op->orr_newSup) {
int version = LDAP_VERSION3;
ldap_set_option( lc->ld, LDAP_OPT_PROTOCOL_VERSION, &version);
if ( op->orr_newSup ) {
int version = LDAP_VERSION3;
/*
* Rewrite the new superior, if defined and required
*/
#ifdef ENABLE_REWRITE
dc.ctx = "newSuperiorDN";
#endif
if ( ldap_back_dn_massage( &dc, op->orr_newSup,
&mnewSuperior ) ) {
send_ldap_result( op, rs );
return -1;
}
}
/*
* Rewrite the modrdn dn, if required
*/
#ifdef ENABLE_REWRITE
dc.ctx = "modrDN";
#endif
if ( ldap_back_dn_massage( &dc, &op->o_req_ndn, &mdn ) ) {
send_ldap_result( op, rs );
return -1;
ldap_set_option( lc->lc_ld, LDAP_OPT_PROTOCOL_VERSION, &version );
newSup = op->orr_newSup->bv_val;
}
ctrls = op->o_ctrls;
@ -98,33 +66,22 @@ ldap_back_modrdn(
#endif /* LDAP_BACK_PROXY_AUTHZ */
retry:
rs->sr_err = ldap_rename( lc->ld, mdn.bv_val,
op->orr_newrdn.bv_val, mnewSuperior.bv_val,
op->orr_deleteoldrdn,
ctrls,
NULL, &msgid );
rs->sr_err = ldap_rename( lc->lc_ld, op->o_req_ndn.bv_val,
op->orr_newrdn.bv_val, newSup,
op->orr_deleteoldrdn, ctrls, NULL, &msgid );
rc = ldap_back_op_result( lc, op, rs, msgid, 1 );
if ( rs->sr_err == LDAP_SERVER_DOWN && do_retry ) {
do_retry = 0;
if ( ldap_back_retry (lc, op, rs )) goto retry;
if ( ldap_back_retry( lc, op, rs ) ) {
goto retry;
}
}
#ifdef LDAP_BACK_PROXY_AUTHZ
cleanup:
if ( ctrls && ctrls != op->o_ctrls ) {
free( ctrls[ 0 ] );
free( ctrls );
}
#ifdef LDAP_BACK_PROXY_AUTHZ
(void)ldap_back_proxy_authz_ctrl_free( op, &ctrls );
#endif /* LDAP_BACK_PROXY_AUTHZ */
if ( mdn.bv_val != op->o_req_ndn.bv_val ) {
free( mdn.bv_val );
}
if ( mnewSuperior.bv_val != NULL
&& mnewSuperior.bv_val != op->oq_modrdn.rs_newSup->bv_val ) {
free( mnewSuperior.bv_val );
}
return rc;
}

394
servers/slapd/back-ldap/search.c
View file

@ -43,27 +43,26 @@ ldap_build_entry( Operation *op, LDAPMessage *e, Entry *ent,
int
ldap_back_search(
Operation *op,
SlapReply *rs )
Operation *op,
SlapReply *rs )
{
struct ldapinfo *li = (struct ldapinfo *) op->o_bd->be_private;
struct ldapconn *lc;
struct timeval tv;
LDAPMessage *res, *e;
int rc = 0, msgid;
struct berval match = BER_BVNULL;
char **mapped_attrs = NULL;
struct berval mbase;
struct berval mfilter = BER_BVNULL;
int dontfreetext = 0;
int freeconn = 0;
int do_retry = 1;
dncookie dc;
LDAPControl **ctrls = NULL;
LDAPMessage *res,
*e;
int rc = 0,
msgid;
struct berval match = BER_BVNULL;
int i;
char **attrs = NULL;
int dontfreetext = 0;
int freeconn = 0;
int do_retry = 1;
LDAPControl **ctrls = NULL;
lc = ldap_back_getconn(op, rs);
lc = ldap_back_getconn( op, rs );
if ( !lc ) {
return( -1 );
return -1;
}
/*
@ -71,12 +70,13 @@ ldap_back_search(
* to map attrs and maybe rewrite value
*/
if ( !ldap_back_dobind( lc, op, rs ) ) {
return( -1 );
return -1;
}
/* should we check return values? */
if ( op->ors_deref != -1 ) {
ldap_set_option( lc->ld, LDAP_OPT_DEREF, (void *)&op->ors_deref );
ldap_set_option( lc->lc_ld, LDAP_OPT_DEREF,
(void *)&op->ors_deref );
}
if ( op->ors_tlimit != SLAP_NO_LIMIT ) {
@ -87,50 +87,21 @@ ldap_back_search(
tv.tv_sec = 0;
}
/*
* Rewrite the search base, if required
*/
dc.rwmap = &li->rwmap;
#ifdef ENABLE_REWRITE
dc.conn = op->o_conn;
dc.rs = rs;
dc.ctx = "searchBase";
#else
dc.tofrom = 1;
dc.normalized = 0;
#endif
if ( ldap_back_dn_massage( &dc, &op->o_req_ndn, &mbase ) ) {
send_ldap_result( op, rs );
return -1;
}
if ( op->ors_attrs ) {
for ( i = 0; !BER_BVISNULL( &op->ors_attrs[i].an_name ); i++ )
/* just count attrs */ ;
rc = ldap_back_filter_map_rewrite( &dc, op->ors_filter,
&mfilter, BACKLDAP_MAP );
switch ( rc ) {
case LDAP_SUCCESS:
break;
case LDAP_COMPARE_FALSE:
rs->sr_err = LDAP_SUCCESS;
rs->sr_text = NULL;
rc = 0;
goto finish;
default:
rs->sr_err = LDAP_OTHER;
rs->sr_text = "Rewrite error";
dontfreetext = 1;
rc = -1;
goto finish;
}
rs->sr_err = ldap_back_map_attrs( &li->rwmap.rwm_at,
op->ors_attrs,
BACKLDAP_MAP, &mapped_attrs );
if ( rs->sr_err != LDAP_SUCCESS ) {
rc = -1;
goto finish;
attrs = ch_malloc( ( i + 1 )*sizeof( char * ) );
if ( attrs == NULL ) {
rs->sr_err = LDAP_NO_MEMORY;
rc = -1;
goto finish;
}
for ( i = 0; !BER_BVISNULL( &op->ors_attrs[i].an_name ); i++ ) {
attrs[ i ] = op->ors_attrs[i].an_name.bv_val;
}
attrs[ i ] = NULL;
}
ctrls = op->o_ctrls;
@ -143,12 +114,11 @@ ldap_back_search(
#endif /* LDAP_BACK_PROXY_AUTHZ */
retry:
rs->sr_err = ldap_search_ext( lc->ld, mbase.bv_val,
op->ors_scope, mfilter.bv_val,
mapped_attrs, op->ors_attrsonly,
ctrls, NULL,
tv.tv_sec ? &tv : NULL, op->ors_slimit,
&msgid );
rs->sr_err = ldap_search_ext( lc->lc_ld, op->o_req_ndn.bv_val,
op->ors_scope, op->ors_filterstr.bv_val,
attrs, op->ors_attrsonly, ctrls, NULL,
tv.tv_sec ? &tv : NULL,
op->ors_slimit, &msgid );
if ( rs->sr_err != LDAP_SUCCESS ) {
fail:;
@ -165,11 +135,11 @@ fail:;
* but this is necessary for version matching, and for ACL processing.
*/
for ( rc = 0; rc != -1; rc = ldap_result( lc->ld, msgid, 0, &tv, &res ) )
for ( rc = 0; rc != -1; rc = ldap_result( lc->lc_ld, msgid, 0, &tv, &res ) )
{
/* check for abandon */
if ( op->o_abandon ) {
ldap_abandon( lc->ld, msgid );
ldap_abandon_ext( lc->lc_ld, msgid, NULL, NULL );
rc = 0;
goto finish;
}
@ -180,12 +150,13 @@ fail:;
ldap_pvt_thread_yield();
} else if ( rc == LDAP_RES_SEARCH_ENTRY ) {
Entry ent = {0};
struct berval bdn;
int abort = 0;
Entry ent = {0};
struct berval bdn;
int abort = 0;
do_retry = 0;
e = ldap_first_entry( lc->ld, res );
e = ldap_first_entry( lc->lc_ld, res );
rc = ldap_build_entry( op, e, &ent, &bdn,
LDAP_BUILD_ENTRY_PRIVATE );
if ( rc == LDAP_SUCCESS ) {
@ -194,31 +165,33 @@ fail:;
rs->sr_operational_attrs = NULL;
rs->sr_flags = 0;
abort = send_search_entry( op, rs );
while (ent.e_attrs) {
Attribute *a;
BerVarray v;
while ( ent.e_attrs ) {
Attribute *a;
BerVarray v;
a = ent.e_attrs;
ent.e_attrs = a->a_next;
v = a->a_vals;
if ( a->a_vals != &slap_dummy_bv ) {
ber_bvarray_free(a->a_vals);
ber_bvarray_free( a->a_vals );
}
if ( a->a_nvals != v ) {
ber_bvarray_free(a->a_nvals);
ber_bvarray_free( a->a_nvals );
}
ch_free(a);
ch_free( a );
}
if ( ent.e_dn && ( ent.e_dn != bdn.bv_val ) )
if ( ent.e_dn && ( ent.e_dn != bdn.bv_val ) ) {
free( ent.e_dn );
if ( ent.e_ndn )
}
if ( ent.e_ndn ) {
free( ent.e_ndn );
}
}
ldap_msgfree( res );
if ( abort ) {
ldap_abandon( lc->ld, msgid );
ldap_abandon_ext( lc->lc_ld, msgid, NULL, NULL );
goto finish;
}
@ -227,7 +200,7 @@ fail:;
int cnt;
do_retry = 0;
rc = ldap_parse_reference( lc->ld, res,
rc = ldap_parse_reference( lc->lc_ld, res,
&references, &rs->sr_ctrls, 1 );
if ( rc != LDAP_SUCCESS ) {
@ -263,7 +236,7 @@ fail:;
}
} else {
rc = ldap_parse_result( lc->ld, res, &rs->sr_err,
rc = ldap_parse_result( lc->lc_ld, res, &rs->sr_err,
&match.bv_val, (char **)&rs->sr_text,
NULL, &rs->sr_ctrls, 1 );
if (rc != LDAP_SUCCESS ) {
@ -278,8 +251,9 @@ fail:;
if ( rc == -1 ) {
if ( do_retry ) {
do_retry = 0;
if ( ldap_back_retry( lc, op, rs ))
if ( ldap_back_retry( lc, op, rs ) ) {
goto retry;
}
}
/* FIXME: invalidate the connection? */
rs->sr_err = LDAP_SERVER_DOWN;
@ -290,18 +264,8 @@ fail:;
/*
* Rewrite the matched portion of the search base, if required
*/
if ( match.bv_val && *match.bv_val ) {
struct berval mdn;
#ifdef ENABLE_REWRITE
dc.ctx = "matchedDN";
#else
dc.tofrom = 0;
dc.normalized = 0;
#endif
match.bv_len = strlen( match.bv_val );
ldap_back_dn_massage( &dc, &match, &mdn );
rs->sr_matched = mdn.bv_val;
if ( !BER_BVISNULL( &match ) && !BER_BVISEMPTY( &match ) ) {
rs->sr_matched = match.bv_val;
}
if ( rs->sr_v2ref ) {
rs->sr_err = LDAP_REFERRAL;
@ -311,10 +275,7 @@ finish:;
send_ldap_result( op, rs );
#ifdef LDAP_BACK_PROXY_AUTHZ
if ( ctrls && ctrls != op->o_ctrls ) {
free( ctrls[ 0 ] );
free( ctrls );
}
(void)ldap_back_proxy_authz_ctrl_free( op, &ctrls );
#endif /* LDAP_BACK_PROXY_AUTHZ */
if ( rs->sr_ctrls ) {
@ -323,9 +284,6 @@ finish:;
}
if ( match.bv_val ) {
if ( rs->sr_matched != match.bv_val ) {
free( (char *)rs->sr_matched );
}
rs->sr_matched = NULL;
LDAP_FREE( match.bv_val );
}
@ -335,62 +293,36 @@ finish:;
}
rs->sr_text = NULL;
}
if ( mapped_attrs ) {
ch_free( mapped_attrs );
if ( attrs ) {
ch_free( attrs );
}
if ( mfilter.bv_val != op->ors_filterstr.bv_val ) {
ch_free( mfilter.bv_val );
}
if ( mbase.bv_val != op->o_req_ndn.bv_val ) {
free( mbase.bv_val );
}
return rc;
}
static int
ldap_build_entry(
Operation *op,
LDAPMessage *e,
Entry *ent,
struct berval *bdn,
int flags
)
Operation *op,
LDAPMessage *e,
Entry *ent,
struct berval *bdn,
int flags )
{
struct ldapinfo *li = (struct ldapinfo *) op->o_bd->be_private;
struct berval a, mapped;
BerElement ber = *e->lm_ber;
Attribute *attr, **attrp;
struct berval *bv;
const char *text;
int last;
int private = flags & LDAP_BUILD_ENTRY_PRIVATE;
dncookie dc;
struct berval a;
BerElement ber = *e->lm_ber;
Attribute *attr, **attrp;
const char *text;
int last;
int private = flags & LDAP_BUILD_ENTRY_PRIVATE;
/* safe assumptions ... */
assert( ent );
ent->e_bv.bv_val = NULL;
BER_BVZERO( &ent->e_bv );
if ( ber_scanf( &ber, "{m{", bdn ) == LBER_ERROR ) {
return LDAP_DECODING_ERROR;
}
/*
* Rewrite the dn of the result, if needed
*/
dc.rwmap = &li->rwmap;
#ifdef ENABLE_REWRITE
dc.conn = op->o_conn;
dc.rs = NULL;
dc.ctx = "searchResult";
#else
dc.tofrom = 0;
dc.normalized = 0;
#endif
if ( ldap_back_dn_massage( &dc, bdn, &ent->e_name ) ) {
return LDAP_OTHER;
}
/*
* Note: this may fail if the target host(s) schema differs
* from the one known to the meta, and a DN with unknown
@ -401,7 +333,7 @@ ldap_build_entry(
/* Note: if the distinguished values or the naming attributes
* change, should we massage them as well?
*/
if ( dnNormalize( 0, NULL, NULL, &ent->e_name, &ent->e_nname,
if ( dnPrettyNormal( NULL, bdn, &ent->e_name, &ent->e_nname,
op->o_tmpmemctx ) != LDAP_SUCCESS )
{
return LDAP_INVALID_DN_SYNTAX;
@ -409,29 +341,27 @@ ldap_build_entry(
attrp = &ent->e_attrs;
#ifdef ENABLE_REWRITE
dc.ctx = "searchAttrDN";
#endif
while ( ber_scanf( &ber, "{m", &a ) != LBER_ERROR ) {
int i;
slap_syntax_validate_func *validate;
slap_syntax_transform_func *pretty;
ldap_back_map( &li->rwmap.rwm_at, &a, &mapped, BACKLDAP_REMAP );
if ( BER_BVISNULL( &mapped ) || BER_BVISEMPTY( &mapped ) )
continue;
attr = (Attribute *)ch_malloc( sizeof( Attribute ) );
if ( attr == NULL )
if ( attr == NULL ) {
continue;
}
attr->a_flags = 0;
attr->a_next = 0;
attr->a_desc = NULL;
if ( slap_bv2ad( &mapped, &attr->a_desc, &text ) != LDAP_SUCCESS ) {
if ( slap_bv2undef_ad( &mapped, &attr->a_desc, &text )
if ( slap_bv2ad( &a, &attr->a_desc, &text )
!= LDAP_SUCCESS )
{
if ( slap_bv2undef_ad( &a, &attr->a_desc, &text )
!= LDAP_SUCCESS )
{
Debug( LDAP_DEBUG_ANY,
"slap_bv2undef_ad(%s): %s\n", mapped.bv_val, text, 0 );
"slap_bv2undef_ad(%s): %s\n",
a.bv_val, text, 0 );
ch_free( attr );
continue;
}
@ -449,7 +379,7 @@ ldap_build_entry(
*/
( void )ber_scanf( &ber, "x" /* [W] */ );
ch_free(attr);
ch_free( attr );
continue;
}
@ -461,60 +391,17 @@ ldap_build_entry(
* values result filter
*/
if ( private ) {
attr->a_vals = &slap_dummy_bv;
attr->a_vals = (struct berval *)&slap_dummy_bv;
} else {
attr->a_vals = ch_malloc( sizeof( struct berval ) );
BER_BVZERO( &attr->a_vals[0] );
BER_BVZERO( &attr->a_vals[ 0 ] );
}
last = 0;
} else {
for ( last = 0; !BER_BVISNULL( &attr->a_vals[last] ); last++ );
}
if ( last == 0 ) {
/* empty */
} else if ( attr->a_desc == slap_schema.si_ad_objectClass
|| attr->a_desc == slap_schema.si_ad_structuralObjectClass )
{
for ( bv = attr->a_vals; !BER_BVISNULL( bv ); bv++ ) {
ldap_back_map( &li->rwmap.rwm_oc, bv, &mapped,
BACKLDAP_REMAP );
if ( BER_BVISNULL( &mapped ) || BER_BVISEMPTY( &mapped ) ) {
LBER_FREE( bv->bv_val );
BER_BVZERO( bv );
if (--last < 0)
break;
*bv = attr->a_vals[last];
BER_BVZERO( &attr->a_vals[last] );
bv--;
} else if ( mapped.bv_val != bv->bv_val ) {
/*
* FIXME: after LBER_FREEing
* the value is replaced by
* ch_alloc'ed memory
*/
LBER_FREE( bv->bv_val );
ber_dupbv( bv, &mapped );
}
}
/*
* It is necessary to try to rewrite attributes with
* dn syntax because they might be used in ACLs as
* members of groups; since ACLs are applied to the
* rewritten stuff, no dn-based subject clause could
* be used at the ldap backend side (see
* http://www.OpenLDAP.org/faq/data/cache/452.html)
* The problem can be overcome by moving the dn-based
* ACLs to the target directory server, and letting
* everything pass thru the ldap backend.
*/
} else if ( attr->a_desc->ad_type->sat_syntax ==
slap_schema.si_syn_distinguishedName )
{
ldap_dnattr_result_rewrite( &dc, attr->a_vals );
for ( last = 0; !BER_BVISNULL( &attr->a_vals[ last ] ); last++ )
/* just count vals */ ;
}
validate = attr->a_desc->ad_type->sat_syntax->ssyn_validate;
@ -585,10 +472,6 @@ ldap_build_entry(
next_attr:;
}
/* make sure it's free'able */
if ( !private && ent->e_name.bv_val == bdn->bv_val ) {
ber_dupbv( &ent->e_name, bdn );
}
return LDAP_SUCCESS;
}
@ -596,33 +479,33 @@ next_attr:;
*/
int
ldap_back_entry_get(
Operation *op,
struct berval *ndn,
ObjectClass *oc,
AttributeDescription *at,
int rw,
Entry **ent
Operation *op,
struct berval *ndn,
ObjectClass *oc,
AttributeDescription *at,
int rw,
Entry **ent
)
{
struct ldapinfo *li = (struct ldapinfo *) op->o_bd->be_private;
struct ldapconn *lc;
int rc = 1, is_oc;
struct berval mapped = BER_BVNULL, bdn, mdn;
LDAPMessage *result = NULL, *e = NULL;
char *gattr[3];
char *filter = NULL;
Connection *oconn;
SlapReply rs;
dncookie dc;
int do_retry = 1;
int rc = 1,
is_oc;
struct berval bdn;
LDAPMessage *result = NULL,
*e = NULL;
char *gattr[3];
char *filter = NULL;
Connection *oconn;
SlapReply rs;
int do_retry = 1;
/* Tell getconn this is a privileged op */
is_oc = op->o_do_not_cache;
op->o_do_not_cache = 1;
lc = ldap_back_getconn(op, &rs);
lc = ldap_back_getconn( op, &rs );
oconn = op->o_conn;
op->o_conn = NULL;
if ( !lc || !ldap_back_dobind(lc, op, &rs) ) {
if ( !lc || !ldap_back_dobind( lc, op, &rs ) ) {
op->o_do_not_cache = is_oc;
op->o_conn = oconn;
return 1;
@ -630,66 +513,45 @@ ldap_back_entry_get(
op->o_do_not_cache = is_oc;
op->o_conn = oconn;
/*
* Rewrite the search base, if required
*/
dc.rwmap = &li->rwmap;
#ifdef ENABLE_REWRITE
dc.conn = op->o_conn;
dc.rs = &rs;
dc.ctx = "searchBase";
#else
dc.tofrom = 1;
dc.normalized = 1;
#endif
if ( ldap_back_dn_massage( &dc, ndn, &mdn ) ) {
return 1;
}
if ( at ) {
ldap_back_map(&li->rwmap.rwm_at, &at->ad_cname, &mapped, BACKLDAP_MAP);
if ( BER_BVISNULL( &mapped ) || BER_BVISEMPTY( &mapped ) ) {
rc = 1;
goto cleanup;
}
is_oc = ( strcasecmp( "objectclass", mapped.bv_val ) == 0 );
is_oc = ( strcasecmp( "objectclass", at->ad_cname.bv_val ) == 0 );
if ( oc && !is_oc ) {
gattr[0] = "objectclass";
gattr[1] = mapped.bv_val;
gattr[1] = at->ad_cname.bv_val;
gattr[2] = NULL;
} else {
gattr[0] = mapped.bv_val;
gattr[0] = at->ad_cname.bv_val;
gattr[1] = NULL;
}
}
if (oc) {
char *ptr;
ldap_back_map(&li->rwmap.rwm_oc, &oc->soc_cname, &mapped,
BACKLDAP_MAP);
filter = ch_malloc( STRLENOF( "(objectclass=)" ) + mapped.bv_len + 1 );
if ( oc ) {
char *ptr;
filter = ch_malloc( STRLENOF( "(objectclass=)" )
+ oc->soc_cname.bv_len + 1 );
ptr = lutil_strcopy( filter, "(objectclass=" );
ptr = lutil_strcopy( ptr, mapped.bv_val );
ptr = lutil_strcopy( ptr, oc->soc_cname.bv_val );
*ptr++ = ')';
*ptr++ = '\0';
}
retry:
rc = ldap_search_ext_s( lc->ld, mdn.bv_val, LDAP_SCOPE_BASE, filter,
rc = ldap_search_ext_s( lc->lc_ld, ndn->bv_val, LDAP_SCOPE_BASE, filter,
gattr, 0, NULL, NULL, LDAP_NO_LIMIT,
LDAP_NO_LIMIT, &result);
if ( rc != LDAP_SUCCESS )
{
LDAP_NO_LIMIT, &result );
if ( rc != LDAP_SUCCESS ) {
if ( rc == LDAP_SERVER_DOWN && do_retry ) {
do_retry = 0;
if ( ldap_back_retry( lc, op, &rs ))
goto retry;
if ( ldap_back_retry( lc, op, &rs ) ) {
goto retry;
}
}
goto cleanup;
}
e = ldap_first_entry( lc->ld, result );
e = ldap_first_entry( lc->lc_ld, result );
if ( e == NULL ) {
goto cleanup;
}
@ -712,10 +574,6 @@ cleanup:
ch_free( filter );
}
if ( mdn.bv_val != ndn->bv_val ) {
ch_free( mdn.bv_val );
}
return rc;
}

19
servers/slapd/back-ldap/unbind.c
View file

@ -33,8 +33,8 @@
int
ldap_back_conn_destroy(
Backend *be,
Connection *conn
Backend *be,
Connection *conn
)
{
struct ldapinfo *li = (struct ldapinfo *) be->be_private;
@ -44,24 +44,17 @@ ldap_back_conn_destroy(
"=>ldap_back_conn_destroy: fetching conn %ld\n",
conn->c_connid, 0, 0 );
lc_curr.conn = conn;
lc_curr.local_dn = conn->c_ndn;
lc_curr.lc_conn = conn;
lc_curr.lc_local_ndn = conn->c_ndn;
ldap_pvt_thread_mutex_lock( &li->conn_mutex );
lc = avl_delete( &li->conntree, (caddr_t)&lc_curr, ldap_back_conn_cmp );
ldap_pvt_thread_mutex_unlock( &li->conn_mutex );
#ifdef ENABLE_REWRITE
/*
* Cleanup rewrite session
*/
rewrite_session_delete( li->rwmap.rwm_rw, conn );
#endif /* ENABLE_REWRITE */
if (lc) {
if ( lc ) {
Debug( LDAP_DEBUG_TRACE,
"=>ldap_back_conn_destroy: destroying conn %ld\n",
lc->conn->c_connid, 0, 0 );
lc->lc_conn->c_connid, 0, 0 );
/*
* Needs a test because the handler may be corrupted,