1 /* rdnval.c - RDN value overlay */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
5 * Copyright 1998-2013 The OpenLDAP Foundation.
6 * Portions Copyright 2008 Pierangelo Masarati.
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted only as authorized by the OpenLDAP
13 * A copy of this license is available in the file LICENSE in the
14 * top-level directory of the distribution or, alternatively, at
15 * <http://www.OpenLDAP.org/license.html>.
18 * This work was initially developed by Pierangelo Masarati
19 * for inclusion in OpenLDAP Software.
24 #ifdef SLAPD_OVER_RDNVAL
28 #include "ac/string.h"
29 #include "ac/socket.h"
37 * Maintain an attribute (rdnValue) that contains the values of each AVA
38 * that builds up the RDN of an entry. This is required for interoperation
39 * with Samba4. It mimics the "name" attribute provided by Active Directory.
40 * The naming attributes must be directoryString-valued, or compatible.
41 * For example, IA5String values are cast into directoryString unless
42 * consisting of the empty string ("").
45 static AttributeDescription *ad_rdnValue;
46 static Syntax *syn_IA5String;
48 static slap_overinst rdnval;
51 rdnval_is_valid( AttributeDescription *desc, struct berval *value )
53 if ( desc->ad_type->sat_syntax == slap_schema.si_syn_directoryString ) {
57 if ( desc->ad_type->sat_syntax == syn_IA5String
58 && !BER_BVISEMPTY( value ) )
67 rdnval_unique_check_cb( Operation *op, SlapReply *rs )
69 if ( rs->sr_type == REP_SEARCH ) {
70 int *p = (int *)op->o_callback->sc_private;
78 rdnval_unique_check( Operation *op, BerVarray vals )
80 slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
82 BackendDB db = *op->o_bd;
84 SlapReply rs2 = { 0 };
89 slap_callback cb = { 0 };
91 /* short-circuit attempts to add suffix entry */
92 if ( op->o_tag == LDAP_REQ_ADD
93 && be_issuffix( op->o_bd, &op->o_req_ndn ) )
99 op2.o_bd->bd_info = (BackendInfo *)on->on_info;
100 op2.o_tag = LDAP_REQ_SEARCH;
101 op2.o_dn = op->o_bd->be_rootdn;
102 op2.o_ndn = op->o_bd->be_rootndn;
103 op2.o_callback = &cb;
104 cb.sc_response = rdnval_unique_check_cb;
105 cb.sc_private = (void *)&gotit;
107 dnParent( &op->o_req_ndn, &op2.o_req_dn );
108 op2.o_req_ndn = op2.o_req_dn;
110 op2.ors_limit = NULL;
112 op2.ors_tlimit = SLAP_NO_LIMIT;
113 op2.ors_attrs = slap_anlist_no_attrs;
114 op2.ors_attrsonly = 1;
115 op2.ors_deref = LDAP_DEREF_NEVER;
116 op2.ors_scope = LDAP_SCOPE_ONELEVEL;
118 for ( i = 0; !BER_BVISNULL( &vals[ i ] ); i++ )
121 fvals = op->o_tmpcalloc( sizeof( struct berval ), i + 1,
124 op2.ors_filterstr.bv_len = 0;
126 op2.ors_filterstr.bv_len = STRLENOF( "(&)" );
129 for ( i = 0; !BER_BVISNULL( &vals[ i ] ); i++ ) {
130 ldap_bv2escaped_filter_value_x( &vals[ i ], &fvals[ i ],
131 1, op->o_tmpmemctx );
132 op2.ors_filterstr.bv_len += ad_rdnValue->ad_cname.bv_len
133 + fvals[ i ].bv_len + STRLENOF( "(=)" );
136 op2.ors_filterstr.bv_val = op->o_tmpalloc( op2.ors_filterstr.bv_len + 1, op->o_tmpmemctx );
138 ptr = op2.ors_filterstr.bv_val;
140 ptr = lutil_strcopy( ptr, "(&" );
142 for ( i = 0; !BER_BVISNULL( &vals[ i ] ); i++ ) {
144 ptr = lutil_strncopy( ptr, ad_rdnValue->ad_cname.bv_val, ad_rdnValue->ad_cname.bv_len );
146 ptr = lutil_strncopy( ptr, fvals[ i ].bv_val, fvals[ i ].bv_len );
155 assert( ptr == op2.ors_filterstr.bv_val + op2.ors_filterstr.bv_len );
156 op2.ors_filter = str2filter_x( op, op2.ors_filterstr.bv_val );
157 assert( op2.ors_filter != NULL );
159 (void)op2.o_bd->be_search( &op2, &rs2 );
161 filter_free_x( op, op2.ors_filter, 1 );
162 op->o_tmpfree( op2.ors_filterstr.bv_val, op->o_tmpmemctx );
163 for ( i = 0; !BER_BVISNULL( &vals[ i ] ); i++ ) {
164 if ( vals[ i ].bv_val != fvals[ i ].bv_val ) {
165 op->o_tmpfree( fvals[ i ].bv_val, op->o_tmpmemctx );
168 op->o_tmpfree( fvals, op->o_tmpmemctx );
170 if ( rs2.sr_err != LDAP_SUCCESS || gotit > 0 ) {
171 return LDAP_CONSTRAINT_VIOLATION;
187 LDAPRDN rdn = NULL, nrdn = NULL;
190 assert( *valsp == NULL );
191 assert( *nvalsp == NULL );
195 if ( ldap_bv2rdn_x( dn, &rdn, (char **)&rs->sr_text,
196 LDAP_DN_FORMAT_LDAP, op->o_tmpmemctx ) )
198 Debug( LDAP_DEBUG_TRACE,
199 "%s rdnval: can't figure out "
200 "type(s)/value(s) of rdn DN=\"%s\"\n",
201 op->o_log_prefix, dn->bv_val, 0 );
202 rs->sr_err = LDAP_INVALID_DN_SYNTAX;
203 rs->sr_text = "unknown type(s) used in RDN";
208 if ( ldap_bv2rdn_x( ndn, &nrdn,
209 (char **)&rs->sr_text, LDAP_DN_FORMAT_LDAP, op->o_tmpmemctx ) )
211 Debug( LDAP_DEBUG_TRACE,
212 "%s rdnval: can't figure out "
213 "type(s)/value(s) of normalized rdn DN=\"%s\"\n",
214 op->o_log_prefix, ndn->bv_val, 0 );
215 rs->sr_err = LDAP_INVALID_DN_SYNTAX;
216 rs->sr_text = "unknown type(s) used in RDN";
221 for ( nAVA = 0; rdn[ nAVA ]; nAVA++ )
224 /* NOTE: we assume rdn and nrdn contain the same AVAs! */
226 *valsp = SLAP_CALLOC( sizeof( struct berval ), nAVA + 1 );
227 *nvalsp = SLAP_CALLOC( sizeof( struct berval ), nAVA + 1 );
229 /* Add new attribute values to the entry */
230 for ( i = 0; rdn[ i ]; i++ ) {
231 AttributeDescription *desc = NULL;
233 rs->sr_err = slap_bv2ad( &rdn[ i ]->la_attr,
234 &desc, &rs->sr_text );
236 if ( rs->sr_err != LDAP_SUCCESS ) {
237 Debug( LDAP_DEBUG_TRACE,
238 "%s rdnval: %s: %s\n",
241 rdn[ i ]->la_attr.bv_val );
245 if ( !rdnval_is_valid( desc, &rdn[ i ]->la_value ) ) {
246 Debug( LDAP_DEBUG_TRACE,
247 "%s rdnval: syntax of naming attribute '%s' "
248 "not compatible with directoryString",
249 op->o_log_prefix, rdn[ i ]->la_attr.bv_val, 0 );
253 if ( value_find_ex( desc,
254 SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
255 SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
257 &nrdn[ i ]->la_value,
259 == LDAP_NO_SUCH_ATTRIBUTE )
261 ber_dupbv( &(*valsp)[ *numvalsp ], &rdn[ i ]->la_value );
262 ber_dupbv( &(*nvalsp)[ *numvalsp ], &nrdn[ i ]->la_value );
268 if ( rdnval_unique_check( op, *valsp ) != LDAP_SUCCESS ) {
269 rs->sr_err = LDAP_CONSTRAINT_VIOLATION;
270 rs->sr_text = "rdnValue not unique within siblings";
276 ldap_rdnfree_x( rdn, op->o_tmpmemctx );
279 if ( nrdn != NULL ) {
280 ldap_rdnfree_x( nrdn, op->o_tmpmemctx );
283 if ( rs->sr_err != LDAP_SUCCESS ) {
284 if ( *valsp != NULL ) {
285 ber_bvarray_free( *valsp );
286 ber_bvarray_free( *nvalsp );
297 rdnval_op_add( Operation *op, SlapReply *rs )
301 BerVarray vals = NULL, nvals = NULL;
304 /* NOTE: should we accept an entry still in mods format? */
305 assert( op->ora_e != NULL );
307 if ( BER_BVISEMPTY( &op->ora_e->e_nname ) ) {
308 return SLAP_CB_CONTINUE;
311 a = attr_find( op->ora_e->e_attrs, ad_rdnValue );
313 /* TODO: check consistency? */
314 return SLAP_CB_CONTINUE;
317 rc = rdnval_rdn2vals( op, rs, &op->ora_e->e_name, &op->ora_e->e_nname,
318 &vals, &nvals, &numvals );
319 if ( rc != LDAP_SUCCESS ) {
320 send_ldap_result( op, rs );
323 a = attr_alloc( ad_rdnValue );
327 a->a_numvals = numvals;
329 for ( ap = &op->ora_e->e_attrs; *ap != NULL; ap = &(*ap)->a_next )
334 return SLAP_CB_CONTINUE;
338 rdnval_op_rename( Operation *op, SlapReply *rs )
340 Modifications *ml, **mlp;
342 BerVarray vals = NULL, nvals = NULL;
346 dnRdn( &op->o_req_dn, &old );
347 if ( dn_match( &old, &op->orr_newrdn ) ) {
348 dnRdn( &op->o_req_ndn, &old );
349 if ( dn_match( &old, &op->orr_nnewrdn ) ) {
350 return SLAP_CB_CONTINUE;
354 rc = rdnval_rdn2vals( op, rs, &op->orr_newrdn, &op->orr_nnewrdn,
355 &vals, &nvals, &numvals );
356 if ( rc != LDAP_SUCCESS ) {
357 send_ldap_result( op, rs );
360 ml = SLAP_CALLOC( sizeof( Modifications ), 1 );
361 ml->sml_values = vals;
362 ml->sml_nvalues = nvals;
364 ml->sml_numvals = numvals;
366 ml->sml_op = LDAP_MOD_REPLACE;
367 ml->sml_flags = SLAP_MOD_INTERNAL;
368 ml->sml_desc = ad_rdnValue;
369 ml->sml_type = ad_rdnValue->ad_cname;
371 for ( mlp = &op->orr_modlist; *mlp != NULL; mlp = &(*mlp)->sml_next )
376 return SLAP_CB_CONTINUE;
384 if ( SLAP_ISGLOBALOVERLAY( be ) ) {
385 Log0( LDAP_DEBUG_ANY, LDAP_LEVEL_ERR,
386 "rdnval_db_init: rdnval cannot be used as global overlay.\n" );
390 if ( be->be_nsuffix == NULL ) {
391 Log0( LDAP_DEBUG_ANY, LDAP_LEVEL_ERR,
392 "rdnval_db_init: database must have suffix\n" );
396 if ( BER_BVISNULL( &be->be_rootndn ) || BER_BVISEMPTY( &be->be_rootndn ) ) {
397 Log1( LDAP_DEBUG_ANY, LDAP_LEVEL_ERR,
398 "rdnval_db_init: missing rootdn for database DN=\"%s\", YMMV\n",
399 be->be_suffix[ 0 ].bv_val );
405 typedef struct rdnval_mod_t {
410 struct rdnval_mod_t *next;
416 } rdnval_repair_cb_t;
419 rdnval_repair_cb( Operation *op, SlapReply *rs )
422 rdnval_repair_cb_t *rcb = op->o_callback->sc_private;
424 BerVarray vals = NULL, nvals = NULL;
427 BackendDB *save_bd = op->o_bd;
429 switch ( rs->sr_type ) {
441 assert( rs->sr_entry != NULL );
444 rc = rdnval_rdn2vals( op, rs, &rs->sr_entry->e_name, &rs->sr_entry->e_nname,
445 &vals, &nvals, &numvals );
447 if ( rc != LDAP_SUCCESS ) {
451 len = sizeof( rdnval_mod_t ) + rs->sr_entry->e_nname.bv_len + 1;
452 mod = op->o_tmpalloc( len, op->o_tmpmemctx );
453 mod->ndn.bv_len = rs->sr_entry->e_nname.bv_len;
454 mod->ndn.bv_val = (char *)&mod[1];
455 lutil_strncopy( mod->ndn.bv_val, rs->sr_entry->e_nname.bv_val, rs->sr_entry->e_nname.bv_len );
458 mod->numvals = numvals;
460 mod->next = rcb->mods;
463 Debug( LDAP_DEBUG_TRACE, "%s: rdnval_repair_cb: scheduling entry DN=\"%s\" for repair\n",
464 op->o_log_prefix, rs->sr_entry->e_name.bv_val, 0 );
470 rdnval_repair( BackendDB *be )
472 slap_overinst *on = (slap_overinst *)be->bd_info;
473 void *ctx = ldap_pvt_thread_pool_context();
474 Connection conn = { 0 };
475 OperationBuffer opbuf;
478 slap_callback sc = { 0 };
479 rdnval_repair_cb_t rcb = { 0 };
480 SlapReply rs = { REP_RESULT };
484 connection_fake_init2( &conn, &opbuf, ctx, 0 );
487 op->o_tag = LDAP_REQ_SEARCH;
488 memset( &op->oq_search, 0, sizeof( op->oq_search ) );
490 assert( !BER_BVISNULL( &be->be_nsuffix[ 0 ] ) );
492 op->o_bd = select_backend( &be->be_nsuffix[ 0 ], 0 );
493 assert( op->o_bd != NULL );
494 assert( op->o_bd->be_nsuffix != NULL );
496 op->o_req_dn = op->o_bd->be_suffix[ 0 ];
497 op->o_req_ndn = op->o_bd->be_nsuffix[ 0 ];
499 op->o_dn = op->o_bd->be_rootdn;
500 op->o_ndn = op->o_bd->be_rootndn;
502 op->ors_scope = LDAP_SCOPE_SUBTREE;
503 op->ors_tlimit = SLAP_NO_LIMIT;
504 op->ors_slimit = SLAP_NO_LIMIT;
505 op->ors_attrs = slap_anlist_no_attrs;
507 op->ors_filterstr.bv_len = STRLENOF( "(!(=*))" ) + ad_rdnValue->ad_cname.bv_len;
508 op->ors_filterstr.bv_val = op->o_tmpalloc( op->ors_filterstr.bv_len + 1, op->o_tmpmemctx );
509 snprintf( op->ors_filterstr.bv_val, op->ors_filterstr.bv_len + 1,
510 "(!(%s=*))", ad_rdnValue->ad_cname.bv_val );
512 op->ors_filter = str2filter_x( op, op->ors_filterstr.bv_val );
513 if ( op->ors_filter == NULL ) {
514 rs.sr_err = LDAP_OTHER;
518 op->o_callback = ≻
519 sc.sc_response = rdnval_repair_cb;
520 sc.sc_private = &rcb;
523 db.bd_info = (BackendInfo *)on;
525 (void)op->o_bd->bd_info->bi_op_search( op, &rs );
527 op->o_tag = LDAP_REQ_MODIFY;
528 sc.sc_response = slap_null_cb;
529 sc.sc_private = NULL;
530 memset( &op->oq_modify, 0, sizeof( req_modify_s ) );
532 for ( rmod = rcb.mods; rmod != NULL; ) {
536 SlapReply rs2 = { REP_RESULT };
538 mod = (Modifications *) ch_malloc( sizeof( Modifications ) );
539 mod->sml_flags = SLAP_MOD_INTERNAL;
540 mod->sml_op = LDAP_MOD_REPLACE;
541 mod->sml_desc = ad_rdnValue;
542 mod->sml_type = ad_rdnValue->ad_cname;
543 mod->sml_values = rmod->vals;
544 mod->sml_nvalues = rmod->nvals;
545 mod->sml_numvals = rmod->numvals;
546 mod->sml_next = NULL;
548 op->o_req_dn = rmod->ndn;
549 op->o_req_ndn = rmod->ndn;
551 op->orm_modlist = mod;
553 op->o_bd->be_modify( op, &rs2 );
555 slap_mods_free( op->orm_modlist, 1 );
556 if ( rs2.sr_err == LDAP_SUCCESS ) {
557 Debug( LDAP_DEBUG_TRACE, "%s: rdnval_repair: entry DN=\"%s\" repaired\n",
558 op->o_log_prefix, rmod->ndn.bv_val, 0 );
562 Debug( LDAP_DEBUG_ANY, "%s: rdnval_repair: entry DN=\"%s\" repair failed (%d)\n",
563 op->o_log_prefix, rmod->ndn.bv_val, rs2.sr_err );
567 op->o_tmpfree( rmod, op->o_tmpmemctx );
572 op->o_tmpfree( op->ors_filterstr.bv_val, op->o_tmpmemctx );
573 filter_free_x( op, op->ors_filter, 1 );
575 Log1( LDAP_DEBUG_STATS, LDAP_LEVEL_INFO,
576 "rdnval: repaired=%d\n", nrepaired );
581 /* search all entries without parentUUID; "repair" them */
587 if ( SLAP_SINGLE_SHADOW( be ) ) {
588 Log1( LDAP_DEBUG_ANY, LDAP_LEVEL_ERR,
589 "rdnval incompatible with shadow database \"%s\".\n",
590 be->be_suffix[ 0 ].bv_val );
594 return rdnval_repair( be );
599 AttributeDescription **adp;
601 { "( 1.3.6.1.4.1.4203.666.1.58 "
603 "DESC 'the value of the naming attributes' "
604 "SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' "
605 "EQUALITY caseIgnoreMatch "
606 "USAGE dSAOperation "
607 "NO-USER-MODIFICATION "
614 rdnval_initialize(void)
618 for ( i = 0; as[ i ].desc != NULL; i++ ) {
619 code = register_at( as[ i ].desc, as[ i ].adp, 0 );
621 Debug( LDAP_DEBUG_ANY,
622 "rdnval_initialize: register_at #%d failed\n",
627 /* Allow Manager to set these as needed */
628 if ( is_at_no_user_mod( (*as[ i ].adp)->ad_type ) ) {
629 (*as[ i ].adp)->ad_type->sat_flags |=
634 syn_IA5String = syn_find( "1.3.6.1.4.1.1466.115.121.1.26" );
635 if ( syn_IA5String == NULL ) {
636 Debug( LDAP_DEBUG_ANY,
637 "rdnval_initialize: unable to find syntax '1.3.6.1.4.1.1466.115.121.1.26' (IA5String)\n",
642 rdnval.on_bi.bi_type = "rdnval";
644 rdnval.on_bi.bi_op_add = rdnval_op_add;
645 rdnval.on_bi.bi_op_modrdn = rdnval_op_rename;
647 rdnval.on_bi.bi_db_init = rdnval_db_init;
648 rdnval.on_bi.bi_db_open = rdnval_db_open;
650 return overlay_register( &rdnval );
653 #if SLAPD_OVER_RDNVAL == SLAPD_MOD_DYNAMIC
655 init_module( int argc, char *argv[] )
657 return rdnval_initialize();
659 #endif /* SLAPD_OVER_RDNVAL == SLAPD_MOD_DYNAMIC */
661 #endif /* SLAPD_OVER_RDNVAL */