1 /* rdnval.c - RDN value overlay */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
5 * Copyright 1998-2013 The OpenLDAP Foundation.
6 * Portions Copyright 2008 Pierangelo Masarati.
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted only as authorized by the OpenLDAP
13 * A copy of this license is available in the file LICENSE in the
14 * top-level directory of the distribution or, alternatively, at
15 * <http://www.OpenLDAP.org/license.html>.
18 * This work was initially developed by Pierangelo Masarati
19 * for inclusion in OpenLDAP Software.
24 #ifdef SLAPD_OVER_RDNVAL
28 #include "ac/string.h"
29 #include "ac/socket.h"
37 * Maintain an attribute (rdnValue) that contains the values of each AVA
38 * that builds up the RDN of an entry. This is required for interoperation
39 * with Samba4. It mimics the "name" attribute provided by Active Directory.
40 * The naming attributes must be directoryString-valued, or compatible.
41 * For example, IA5String values are cast into directoryString unless
42 * consisting of the empty string ("").
45 static AttributeDescription *ad_rdnValue;
46 static Syntax *syn_IA5String;
48 static slap_overinst rdnval;
51 rdnval_is_valid( AttributeDescription *desc, struct berval *value )
53 if ( desc->ad_type->sat_syntax == slap_schema.si_syn_directoryString ) {
57 if ( desc->ad_type->sat_syntax == syn_IA5String
58 && !BER_BVISEMPTY( value ) )
67 rdnval_unique_check_cb( Operation *op, SlapReply *rs )
69 if ( rs->sr_type == REP_SEARCH ) {
70 int *p = (int *)op->o_callback->sc_private;
78 rdnval_unique_check( Operation *op, BerVarray vals )
80 slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
82 BackendDB db = *op->o_bd;
84 SlapReply rs2 = { 0 };
89 slap_callback cb = { 0 };
91 /* short-circuit attempts to add suffix entry */
92 if ( op->o_tag == LDAP_REQ_ADD
93 && be_issuffix( op->o_bd, &op->o_req_ndn ) )
99 op2.o_bd->bd_info = (BackendInfo *)on->on_info;
100 op2.o_tag = LDAP_REQ_SEARCH;
101 op2.o_dn = op->o_bd->be_rootdn;
102 op2.o_ndn = op->o_bd->be_rootndn;
103 op2.o_callback = &cb;
104 cb.sc_response = rdnval_unique_check_cb;
105 cb.sc_private = (void *)&gotit;
107 dnParent( &op->o_req_ndn, &op2.o_req_dn );
108 op2.o_req_ndn = op2.o_req_dn;
110 op2.ors_limit = NULL;
112 op2.ors_tlimit = SLAP_NO_LIMIT;
113 op2.ors_attrs = slap_anlist_no_attrs;
114 op2.ors_attrsonly = 1;
115 op2.ors_deref = LDAP_DEREF_NEVER;
116 op2.ors_scope = LDAP_SCOPE_ONELEVEL;
118 for ( i = 0; !BER_BVISNULL( &vals[ i ] ); i++ )
121 fvals = op->o_tmpcalloc( sizeof( struct berval ), i + 1,
124 op2.ors_filterstr.bv_len = 0;
126 op2.ors_filterstr.bv_len = STRLENOF( "(&)" );
129 for ( i = 0; !BER_BVISNULL( &vals[ i ] ); i++ ) {
130 ldap_bv2escaped_filter_value_x( &vals[ i ], &fvals[ i ],
131 1, op->o_tmpmemctx );
132 op2.ors_filterstr.bv_len += ad_rdnValue->ad_cname.bv_len
133 + fvals[ i ].bv_len + STRLENOF( "(=)" );
136 op2.ors_filterstr.bv_val = op->o_tmpalloc( op2.ors_filterstr.bv_len + 1, op->o_tmpmemctx );
138 ptr = op2.ors_filterstr.bv_val;
140 ptr = lutil_strcopy( ptr, "(&" );
142 for ( i = 0; !BER_BVISNULL( &vals[ i ] ); i++ ) {
144 ptr = lutil_strncopy( ptr, ad_rdnValue->ad_cname.bv_val, ad_rdnValue->ad_cname.bv_len );
146 ptr = lutil_strncopy( ptr, fvals[ i ].bv_val, fvals[ i ].bv_len );
155 assert( ptr == op2.ors_filterstr.bv_val + op2.ors_filterstr.bv_len );
156 op2.ors_filter = str2filter_x( op, op2.ors_filterstr.bv_val );
157 assert( op2.ors_filter != NULL );
159 (void)op2.o_bd->be_search( &op2, &rs2 );
161 filter_free_x( op, op2.ors_filter, 1 );
162 op->o_tmpfree( op2.ors_filterstr.bv_val, op->o_tmpmemctx );
163 for ( i = 0; !BER_BVISNULL( &vals[ i ] ); i++ ) {
164 if ( vals[ i ].bv_val != fvals[ i ].bv_val ) {
165 op->o_tmpfree( fvals[ i ].bv_val, op->o_tmpmemctx );
168 op->o_tmpfree( fvals, op->o_tmpmemctx );
170 if ( rs2.sr_err != LDAP_SUCCESS || gotit > 0 ) {
171 return LDAP_CONSTRAINT_VIOLATION;
187 LDAPRDN rdn = NULL, nrdn = NULL;
190 assert( *valsp == NULL );
191 assert( *nvalsp == NULL );
195 if ( ldap_bv2rdn_x( dn, &rdn, (char **)&rs->sr_text,
196 LDAP_DN_FORMAT_LDAP, op->o_tmpmemctx ) )
198 Debug( LDAP_DEBUG_TRACE,
199 "%s rdnval: can't figure out "
200 "type(s)/value(s) of rdn DN=\"%s\"\n",
201 op->o_log_prefix, dn->bv_val, 0 );
202 rs->sr_err = LDAP_INVALID_DN_SYNTAX;
203 rs->sr_text = "unknown type(s) used in RDN";
208 if ( ldap_bv2rdn_x( ndn, &nrdn,
209 (char **)&rs->sr_text, LDAP_DN_FORMAT_LDAP, op->o_tmpmemctx ) )
211 Debug( LDAP_DEBUG_TRACE,
212 "%s rdnval: can't figure out "
213 "type(s)/value(s) of normalized rdn DN=\"%s\"\n",
214 op->o_log_prefix, ndn->bv_val, 0 );
215 rs->sr_err = LDAP_INVALID_DN_SYNTAX;
216 rs->sr_text = "unknown type(s) used in RDN";
221 for ( nAVA = 0; rdn[ nAVA ]; nAVA++ )
224 /* NOTE: we assume rdn and nrdn contain the same AVAs! */
226 *valsp = SLAP_CALLOC( sizeof( struct berval ), nAVA + 1 );
227 *nvalsp = SLAP_CALLOC( sizeof( struct berval ), nAVA + 1 );
229 /* Add new attribute values to the entry */
230 for ( i = 0; rdn[ i ]; i++ ) {
231 AttributeDescription *desc = NULL;
233 rs->sr_err = slap_bv2ad( &rdn[ i ]->la_attr,
234 &desc, &rs->sr_text );
236 if ( rs->sr_err != LDAP_SUCCESS ) {
237 Debug( LDAP_DEBUG_TRACE,
238 "%s rdnval: %s: %s\n",
241 rdn[ i ]->la_attr.bv_val );
245 if ( !rdnval_is_valid( desc, &rdn[ i ]->la_value ) ) {
246 Debug( LDAP_DEBUG_TRACE,
247 "%s rdnval: syntax of naming attribute '%s' "
248 "not compatible with directoryString",
249 op->o_log_prefix, rdn[ i ]->la_attr.bv_val, 0 );
253 if ( value_find_ex( desc,
254 SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
255 SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
257 &nrdn[ i ]->la_value,
259 == LDAP_NO_SUCH_ATTRIBUTE )
261 ber_dupbv( &(*valsp)[ *numvalsp ], &rdn[ i ]->la_value );
262 ber_dupbv( &(*nvalsp)[ *numvalsp ], &nrdn[ i ]->la_value );
268 if ( rdnval_unique_check( op, *valsp ) != LDAP_SUCCESS ) {
269 rs->sr_err = LDAP_CONSTRAINT_VIOLATION;
270 rs->sr_text = "rdnValue not unique within siblings";
276 ldap_rdnfree_x( rdn, op->o_tmpmemctx );
279 if ( nrdn != NULL ) {
280 ldap_rdnfree_x( nrdn, op->o_tmpmemctx );
283 if ( rs->sr_err != LDAP_SUCCESS ) {
284 if ( *valsp != NULL ) {
285 ber_bvarray_free( *valsp );
286 ber_bvarray_free( *nvalsp );
297 rdnval_op_add( Operation *op, SlapReply *rs )
301 BerVarray vals = NULL, nvals = NULL;
304 /* NOTE: should we accept an entry still in mods format? */
305 assert( op->ora_e != NULL );
307 if ( BER_BVISEMPTY( &op->ora_e->e_nname ) ) {
308 return SLAP_CB_CONTINUE;
311 a = attr_find( op->ora_e->e_attrs, ad_rdnValue );
313 /* TODO: check consistency? */
314 return SLAP_CB_CONTINUE;
317 rc = rdnval_rdn2vals( op, rs, &op->ora_e->e_name, &op->ora_e->e_nname,
318 &vals, &nvals, &numvals );
319 if ( rc != LDAP_SUCCESS ) {
320 send_ldap_result( op, rs );
323 a = attr_alloc( ad_rdnValue );
327 a->a_numvals = numvals;
329 for ( ap = &op->ora_e->e_attrs; *ap != NULL; ap = &(*ap)->a_next )
334 return SLAP_CB_CONTINUE;
338 rdnval_op_rename( Operation *op, SlapReply *rs )
340 Modifications *ml, **mlp;
342 BerVarray vals = NULL, nvals = NULL;
346 dnRdn( &op->o_req_ndn, &old );
347 if ( dn_match( &old, &op->orr_nnewrdn ) ) {
348 return SLAP_CB_CONTINUE;
351 rc = rdnval_rdn2vals( op, rs, &op->orr_newrdn, &op->orr_nnewrdn,
352 &vals, &nvals, &numvals );
353 if ( rc != LDAP_SUCCESS ) {
354 send_ldap_result( op, rs );
357 ml = SLAP_CALLOC( sizeof( Modifications ), 1 );
358 ml->sml_values = vals;
359 ml->sml_nvalues = nvals;
361 ml->sml_numvals = numvals;
363 ml->sml_op = LDAP_MOD_REPLACE;
364 ml->sml_flags = SLAP_MOD_INTERNAL;
365 ml->sml_desc = ad_rdnValue;
366 ml->sml_type = ad_rdnValue->ad_cname;
368 for ( mlp = &op->orr_modlist; *mlp != NULL; mlp = &(*mlp)->sml_next )
373 return SLAP_CB_CONTINUE;
381 if ( SLAP_ISGLOBALOVERLAY( be ) ) {
382 Log0( LDAP_DEBUG_ANY, LDAP_LEVEL_ERR,
383 "rdnval_db_init: rdnval cannot be used as global overlay.\n" );
387 if ( be->be_nsuffix == NULL ) {
388 Log0( LDAP_DEBUG_ANY, LDAP_LEVEL_ERR,
389 "rdnval_db_init: database must have suffix\n" );
393 if ( BER_BVISNULL( &be->be_rootndn ) || BER_BVISEMPTY( &be->be_rootndn ) ) {
394 Log1( LDAP_DEBUG_ANY, LDAP_LEVEL_ERR,
395 "rdnval_db_init: missing rootdn for database DN=\"%s\", YMMV\n",
396 be->be_suffix[ 0 ].bv_val );
402 typedef struct rdnval_mod_t {
407 struct rdnval_mod_t *next;
413 } rdnval_repair_cb_t;
416 rdnval_repair_cb( Operation *op, SlapReply *rs )
419 rdnval_repair_cb_t *rcb = op->o_callback->sc_private;
421 BerVarray vals = NULL, nvals = NULL;
424 BackendDB *save_bd = op->o_bd;
426 switch ( rs->sr_type ) {
438 assert( rs->sr_entry != NULL );
441 rc = rdnval_rdn2vals( op, rs, &rs->sr_entry->e_name, &rs->sr_entry->e_nname,
442 &vals, &nvals, &numvals );
444 if ( rc != LDAP_SUCCESS ) {
448 len = sizeof( rdnval_mod_t ) + rs->sr_entry->e_nname.bv_len + 1;
449 mod = op->o_tmpalloc( len, op->o_tmpmemctx );
450 mod->ndn.bv_len = rs->sr_entry->e_nname.bv_len;
451 mod->ndn.bv_val = (char *)&mod[1];
452 lutil_strncopy( mod->ndn.bv_val, rs->sr_entry->e_nname.bv_val, rs->sr_entry->e_nname.bv_len );
455 mod->numvals = numvals;
457 mod->next = rcb->mods;
460 Debug( LDAP_DEBUG_TRACE, "%s: rdnval_repair_cb: scheduling entry DN=\"%s\" for repair\n",
461 op->o_log_prefix, rs->sr_entry->e_name.bv_val, 0 );
467 rdnval_repair( BackendDB *be )
469 slap_overinst *on = (slap_overinst *)be->bd_info;
470 void *ctx = ldap_pvt_thread_pool_context();
471 Connection conn = { 0 };
472 OperationBuffer opbuf;
475 slap_callback sc = { 0 };
476 rdnval_repair_cb_t rcb = { 0 };
477 SlapReply rs = { REP_RESULT };
481 connection_fake_init2( &conn, &opbuf, ctx, 0 );
484 op->o_tag = LDAP_REQ_SEARCH;
485 memset( &op->oq_search, 0, sizeof( op->oq_search ) );
487 assert( !BER_BVISNULL( &be->be_nsuffix[ 0 ] ) );
489 op->o_bd = select_backend( &be->be_nsuffix[ 0 ], 0 );
490 assert( op->o_bd != NULL );
491 assert( op->o_bd->be_nsuffix != NULL );
493 op->o_req_dn = op->o_bd->be_suffix[ 0 ];
494 op->o_req_ndn = op->o_bd->be_nsuffix[ 0 ];
496 op->o_dn = op->o_bd->be_rootdn;
497 op->o_ndn = op->o_bd->be_rootndn;
499 op->ors_scope = LDAP_SCOPE_SUBTREE;
500 op->ors_tlimit = SLAP_NO_LIMIT;
501 op->ors_slimit = SLAP_NO_LIMIT;
502 op->ors_attrs = slap_anlist_no_attrs;
504 op->ors_filterstr.bv_len = STRLENOF( "(!(=*))" ) + ad_rdnValue->ad_cname.bv_len;
505 op->ors_filterstr.bv_val = op->o_tmpalloc( op->ors_filterstr.bv_len + 1, op->o_tmpmemctx );
506 snprintf( op->ors_filterstr.bv_val, op->ors_filterstr.bv_len + 1,
507 "(!(%s=*))", ad_rdnValue->ad_cname.bv_val );
509 op->ors_filter = str2filter_x( op, op->ors_filterstr.bv_val );
510 if ( op->ors_filter == NULL ) {
511 rs.sr_err = LDAP_OTHER;
515 op->o_callback = ≻
516 sc.sc_response = rdnval_repair_cb;
517 sc.sc_private = &rcb;
520 db.bd_info = (BackendInfo *)on;
522 (void)op->o_bd->bd_info->bi_op_search( op, &rs );
524 op->o_tag = LDAP_REQ_MODIFY;
525 sc.sc_response = slap_null_cb;
526 sc.sc_private = NULL;
527 memset( &op->oq_modify, 0, sizeof( req_modify_s ) );
529 for ( rmod = rcb.mods; rmod != NULL; ) {
533 SlapReply rs2 = { REP_RESULT };
535 mod = (Modifications *) ch_malloc( sizeof( Modifications ) );
536 mod->sml_flags = SLAP_MOD_INTERNAL;
537 mod->sml_op = LDAP_MOD_REPLACE;
538 mod->sml_desc = ad_rdnValue;
539 mod->sml_type = ad_rdnValue->ad_cname;
540 mod->sml_values = rmod->vals;
541 mod->sml_nvalues = rmod->nvals;
542 mod->sml_numvals = rmod->numvals;
543 mod->sml_next = NULL;
545 op->o_req_dn = rmod->ndn;
546 op->o_req_ndn = rmod->ndn;
548 op->orm_modlist = mod;
550 op->o_bd->be_modify( op, &rs2 );
552 slap_mods_free( op->orm_modlist, 1 );
553 if ( rs2.sr_err == LDAP_SUCCESS ) {
554 Debug( LDAP_DEBUG_TRACE, "%s: rdnval_repair: entry DN=\"%s\" repaired\n",
555 op->o_log_prefix, rmod->ndn.bv_val, 0 );
559 Debug( LDAP_DEBUG_ANY, "%s: rdnval_repair: entry DN=\"%s\" repair failed (%d)\n",
560 op->o_log_prefix, rmod->ndn.bv_val, rs2.sr_err );
564 op->o_tmpfree( rmod, op->o_tmpmemctx );
569 op->o_tmpfree( op->ors_filterstr.bv_val, op->o_tmpmemctx );
570 filter_free_x( op, op->ors_filter, 1 );
572 Log1( LDAP_DEBUG_STATS, LDAP_LEVEL_INFO,
573 "rdnval: repaired=%d\n", nrepaired );
578 /* search all entries without parentUUID; "repair" them */
584 if ( SLAP_SINGLE_SHADOW( be ) ) {
585 Log1( LDAP_DEBUG_ANY, LDAP_LEVEL_ERR,
586 "rdnval incompatible with shadow database \"%s\".\n",
587 be->be_suffix[ 0 ].bv_val );
591 return rdnval_repair( be );
596 AttributeDescription **adp;
598 { "( 1.3.6.1.4.1.4203.666.1.58 "
600 "DESC 'the value of the naming attributes' "
601 "SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' "
602 "EQUALITY caseIgnoreMatch "
603 "USAGE dSAOperation "
604 "NO-USER-MODIFICATION "
611 rdnval_initialize(void)
615 for ( i = 0; as[ i ].desc != NULL; i++ ) {
616 code = register_at( as[ i ].desc, as[ i ].adp, 0 );
618 Debug( LDAP_DEBUG_ANY,
619 "rdnval_initialize: register_at #%d failed\n",
624 /* Allow Manager to set these as needed */
625 if ( is_at_no_user_mod( (*as[ i ].adp)->ad_type ) ) {
626 (*as[ i ].adp)->ad_type->sat_flags |=
631 syn_IA5String = syn_find( "1.3.6.1.4.1.1466.115.121.1.26" );
632 if ( syn_IA5String == NULL ) {
633 Debug( LDAP_DEBUG_ANY,
634 "rdnval_initialize: unable to find syntax '1.3.6.1.4.1.1466.115.121.1.26' (IA5String)\n",
639 rdnval.on_bi.bi_type = "rdnval";
641 rdnval.on_bi.bi_op_add = rdnval_op_add;
642 rdnval.on_bi.bi_op_modrdn = rdnval_op_rename;
644 rdnval.on_bi.bi_db_init = rdnval_db_init;
645 rdnval.on_bi.bi_db_open = rdnval_db_open;
647 return overlay_register( &rdnval );
650 #if SLAPD_OVER_RDNVAL == SLAPD_MOD_DYNAMIC
652 init_module( int argc, char *argv[] )
654 return rdnval_initialize();
656 #endif /* SLAPD_OVER_RDNVAL == SLAPD_MOD_DYNAMIC */
658 #endif /* SLAPD_OVER_RDNVAL */