1 /* chain.c - chain LDAP operations */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
5 * Copyright 2003-2005 The OpenLDAP Foundation.
6 * Portions Copyright 2003 Howard Chu.
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted only as authorized by the OpenLDAP
13 * A copy of this license is available in the file LICENSE in the
14 * top-level directory of the distribution or, alternatively, at
15 * <http://www.OpenLDAP.org/license.html>.
18 * This work was initially developed by the Howard Chu for inclusion
19 * in OpenLDAP Software.
26 #include <ac/string.h>
27 #include <ac/socket.h>
30 #include "back-ldap.h"
32 static BackendInfo *lback;
36 ldap_chain_chk_referrals( Operation *op, SlapReply *rs )
43 ldap_chain_operational( Operation *op, SlapReply *rs )
45 /* trap entries generated by back-ldap.
46 * FIXME: we need a better way to recognize them; a cleaner
47 * solution would be to be able to intercept the response
48 * of be_operational(), so that we can divert only those
49 * calls that fail because operational attributes were
50 * requested for entries that do not belong to the underlying
51 * database. This fix is likely to intercept also entries
52 * generated by back-perl and so. */
53 if ( rs->sr_entry->e_private == NULL ) {
57 return SLAP_CB_CONTINUE;
61 ldap_chain_cb_response( Operation *op, SlapReply *rs )
63 assert( op->o_tag == LDAP_REQ_SEARCH );
65 if ( rs->sr_type == REP_SEARCH ) {
66 Attribute **ap = &rs->sr_entry->e_attrs;
68 for ( ; *ap != NULL; ap = &(*ap)->a_next ) {
69 /* will be generated later by frontend
70 * (a cleaner solution would be that
71 * the frontend checks if it already exists */
72 if ( ad_cmp( (*ap)->a_desc, slap_schema.si_ad_entryDN ) == 0 )
79 /* there SHOULD be one only! */
84 return SLAP_CB_CONTINUE;
91 ldap_chain_response( Operation *op, SlapReply *rs )
93 slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
94 void *private = op->o_bd->be_private;
95 slap_callback *sc = op->o_callback;
96 LDAPControl **prev = op->o_ctrls;
97 LDAPControl **ctrls = NULL, *c[ 2 ], authz;
98 int i, nctrls = 0, rc = 0;
99 int cache = op->o_do_not_cache;
100 char *authzid = NULL;
102 struct berval ndn = op->o_ndn;
104 struct ldapinfo li, *lip = (struct ldapinfo *)on->on_bi.bi_private;
106 if ( rs->sr_err != LDAP_REFERRAL && rs->sr_type != REP_SEARCHREF )
107 return SLAP_CB_CONTINUE;
112 op->o_callback = NULL;
114 if ( lip->url == NULL ) {
115 /* if we parse the URI then by no means
116 * we can cache stuff or reuse connections,
117 * because in back-ldap there's no caching
118 * based on the URI value, which is supposed
119 * to be set once for all (correct?) */
120 op->o_do_not_cache = 1;
122 /* FIXME: we're setting the URI of the first referral;
123 * what if there are more? Is this something we should
126 op->o_bd->be_private = &li;
128 if ( rs->sr_type != REP_SEARCHREF ) {
132 /* parse reference and use
133 * proto://[host][:port]/ only */
134 rc = ldap_url_parse_ext( ref[0].bv_val, &srv );
135 if ( rc != LDAP_URL_SUCCESS ) {
140 /* remove DN essentially because later on
141 * ldap_initialize() will parse the URL
142 * as a comma-separated URL list */
143 save_dn = srv->lud_dn;
145 srv->lud_scope = LDAP_SCOPE_DEFAULT;
146 li.url = ldap_url_desc2str( srv );
147 srv->lud_dn = save_dn;
148 ldap_free_urldesc( srv );
150 if ( li.url == NULL ) {
157 op->o_bd->be_private = on->on_bi.bi_private;
160 /* Chaining is performed by a privileged user on behalf
161 * of a normal user, using the ProxyAuthz control. However,
162 * Binds are done separately, on an anonymous session.
164 if ( op->o_tag != LDAP_REQ_BIND ) {
166 for ( i = 0; prev[i]; i++ )
167 /* count and set prev to the last one */ ;
170 ctrls = op->o_tmpalloc((i + 1)*sizeof(LDAPControl *),
172 for ( i = 0; i < nctrls; i++ ) {
180 ctrls[nctrls] = &authz;
181 ctrls[nctrls + 1] = NULL;
182 authz.ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ;
183 authz.ldctl_iscritical = 1;
184 authz.ldctl_value = op->o_dn;
185 if ( !BER_BVISEMPTY( &op->o_dn ) ) {
186 authzid = op->o_tmpalloc( op->o_dn.bv_len + STRLENOF("dn:"),
188 strcpy(authzid, "dn:");
189 strcpy(authzid + STRLENOF("dn:"), op->o_dn.bv_val);
190 authz.ldctl_value.bv_len = op->o_dn.bv_len + STRLENOF("dn:");
191 authz.ldctl_value.bv_val = authzid;
194 op->o_ndn = op->o_bd->be_rootndn;
197 switch ( op->o_tag ) {
198 case LDAP_REQ_BIND: {
199 struct berval rndn = op->o_req_ndn;
200 Connection *conn = op->o_conn;
202 op->o_req_ndn = slap_empty_bv;
205 rc = lback->bi_op_bind( op, rs );
206 op->o_req_ndn = rndn;
212 int cleanup_attrs = 0;
214 if ( op->ora_e->e_attrs == NULL ) {
215 char textbuf[ SLAP_TEXT_BUFLEN ];
216 size_t textlen = sizeof( textbuf );
218 /* global overlay; create entry */
219 /* NOTE: this is a hack to use the chain overlay
220 * as global. I expect to be able to remove this
221 * soon by using slap_mods2entry() earlier in
222 * do_add(), adding the operational attrs later
224 rs->sr_err = slap_mods2entry( op->ora_modlist,
226 &rs->sr_text, textbuf, textlen );
227 if ( rs->sr_err != LDAP_SUCCESS ) {
228 send_ldap_result( op, rs );
233 rc = lback->bi_op_add( op, rs );
234 if ( cleanup_attrs ) {
235 attrs_free( op->ora_e->e_attrs );
236 op->ora_e->e_attrs = NULL;
240 case LDAP_REQ_DELETE:
241 rc = lback->bi_op_delete( op, rs );
243 case LDAP_REQ_MODRDN:
244 rc = lback->bi_op_modrdn( op, rs );
246 case LDAP_REQ_MODIFY:
247 rc = lback->bi_op_modify( op, rs );
249 case LDAP_REQ_COMPARE:
250 rc = lback->bi_op_compare( op, rs );
252 case LDAP_REQ_SEARCH:
253 if ( rs->sr_type == REP_SEARCHREF ) {
254 struct berval *curr = ref,
256 ondn = op->o_req_ndn;
257 slap_callback sc2 = { 0 };
259 ber_len_t refcnt = 0;
260 BerVarray newref = NULL;
262 sc2.sc_response = ldap_chain_cb_response;
263 op->o_callback = &sc2;
265 rs->sr_type = REP_SEARCH;
267 /* copy the private info because we need to modify it */
268 for ( ; !BER_BVISNULL( &curr[0] ); curr++ ) {
272 /* parse reference and use
273 * proto://[host][:port]/ only */
274 tmprc = ldap_url_parse_ext( curr[0].bv_val, &srv );
275 if ( tmprc != LDAP_URL_SUCCESS ) {
278 goto end_of_searchref;
281 /* remove DN essentially because later on
282 * ldap_initialize() will parse the URL
283 * as a comma-separated URL list */
284 save_dn = srv->lud_dn;
286 srv->lud_scope = LDAP_SCOPE_DEFAULT;
287 li.url = ldap_url_desc2str( srv );
288 if ( li.url != NULL ) {
289 ber_str2bv_x( save_dn, 0, 1, &op->o_req_dn,
291 ber_dupbv_x( &op->o_req_ndn, &op->o_req_dn,
295 srv->lud_dn = save_dn;
296 ldap_free_urldesc( srv );
298 if ( li.url == NULL ) {
301 goto end_of_searchref;
305 /* FIXME: should we also copy filter and scope?
306 * according to RFC3296, no */
307 tmprc = lback->bi_op_search( op, rs );
309 ldap_memfree( li.url );
312 op->o_tmpfree( op->o_req_dn.bv_val,
314 op->o_tmpfree( op->o_req_ndn.bv_val,
320 goto end_of_searchref;
323 if ( rs->sr_err != LDAP_SUCCESS ) {
324 /* if search was not successful,
325 * at least return the referral! */
326 /* FIXME: assumes referrals
327 * are always created via
328 * referral_rewrite() and freed via
329 * ber_bvarray_free( rs->sr_ref ) */
330 newref = ch_realloc( newref, sizeof( struct berval ) * (refcnt + 2) );
331 ber_dupbv( &newref[ refcnt ], &curr[ 0 ] );
333 BER_BVZERO( &newref[ refcnt ] );
339 op->o_req_ndn = ondn;
340 rs->sr_type = REP_SEARCHREF;
343 /* if the error was bad, it was already returned
344 * by back-ldap; destroy the referrals left;
345 * otherwise, let the frontend return them. */
348 rc = SLAP_CB_CONTINUE;
349 if ( ref != default_referral ) {
350 ber_bvarray_free( ref );
355 ber_bvarray_free( newref );
360 rc = lback->bi_op_search( op, rs );
363 case LDAP_REQ_EXTENDED:
364 rc = lback->bi_extended( op, rs );
365 /* FIXME: ldap_back_extended() by design
366 * doesn't send result; frontend is expected
368 if ( rc != SLAPD_ABANDON ) {
369 send_ldap_extended( op, rs );
373 rc = SLAP_CB_CONTINUE;
376 op->o_do_not_cache = cache;
378 op->o_bd->be_private = private;
381 if ( ctrls && ctrls != c ) {
382 op->o_tmpfree( ctrls, op->o_tmpmemctx );
385 op->o_tmpfree( authzid, op->o_tmpmemctx );
388 if ( lip->url == NULL && li.url != NULL ) {
389 ldap_memfree( li.url );
396 ldap_chain_db_config(
404 slap_overinst *on = (slap_overinst *) be->bd_info;
405 void *private = be->be_private;
409 be->be_private = on->on_bi.bi_private;
410 if ( strncasecmp( argv[ 0 ], "chain-", sizeof( "chain-" ) - 1 ) == 0 ) {
412 argv[ 0 ] = &argv[ 0 ][ sizeof( "chain-" ) - 1 ];
414 rc = lback->bi_db_config( be, fname, lineno, argc, argv );
419 be->be_private = private;
428 slap_overinst *on = (slap_overinst *) be->bd_info;
429 void *private = be->be_private;
432 if ( lback == NULL ) {
433 lback = backend_info( "ldap" );
435 if ( lback == NULL ) {
440 be->be_private = NULL;
441 rc = lback->bi_db_init( be );
442 on->on_bi.bi_private = be->be_private;
443 be->be_private = private;
449 ldap_chain_db_destroy(
453 slap_overinst *on = (slap_overinst *) be->bd_info;
454 void *private = be->be_private;
457 be->be_private = on->on_bi.bi_private;
458 rc = lback->bi_db_destroy( be );
459 on->on_bi.bi_private = be->be_private;
460 be->be_private = private;
464 static slap_overinst ldapchain;
469 ldapchain.on_bi.bi_type = "chain";
470 ldapchain.on_bi.bi_db_init = ldap_chain_db_init;
471 ldapchain.on_bi.bi_db_config = ldap_chain_db_config;
472 ldapchain.on_bi.bi_db_destroy = ldap_chain_db_destroy;
474 /* ... otherwise the underlying backend's function would be called,
475 * likely passing an invalid entry; on the contrary, the requested
476 * operational attributes should have been returned while chasing
477 * the referrals. This all in all is a bit messy, because part
478 * of the operational attributes are generated by they backend;
479 * part by the frontend; back-ldap should receive all the available
480 * ones from the remote server, but then, on it own, it strips those
481 * it assumes will be (re)generated by the frontend (e.g.
482 * subschemaSubentry.) */
483 ldapchain.on_bi.bi_operational = ldap_chain_operational;
485 ldapchain.on_response = ldap_chain_response;
488 ldapchain.on_bi.bi_chk_referrals = ldap_chain_chk_referrals;
491 return overlay_register( &ldapchain );