1 /* config.c - ldap backend configuration file routine */
4 * Copyright 1998-2003 The OpenLDAP Foundation, All Rights Reserved.
5 * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
7 /* This is an altered version */
9 * Copyright 1999, Howard Chu, All rights reserved. <hyc@highlandsun.com>
11 * Permission is granted to anyone to use this software for any purpose
12 * on any computer system, and to alter it and redistribute it, subject
13 * to the following restrictions:
15 * 1. The author is not responsible for the consequences of use of this
16 * software, no matter how awful, even if they arise from flaws in it.
18 * 2. The origin of this software must not be misrepresented, either by
19 * explicit claim or by omission. Since few users ever read sources,
20 * credits should appear in the documentation.
22 * 3. Altered versions must be plainly marked as such, and must not be
23 * misrepresented as being the original software. Since few users
24 * ever read sources, credits should appear in the documentation.
26 * 4. This notice may not be removed or altered.
30 * Copyright 2000, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
32 * This software is being modified by Pierangelo Masarati.
33 * The previously reported conditions apply to the modified code as well.
34 * Changes in the original code are highlighted where required.
35 * Credits for the original code go to the author, Howard Chu.
42 #include <ac/string.h>
43 #include <ac/socket.h>
46 #include "back-ldap.h"
49 static SLAP_EXTOP_MAIN_FN ldap_back_exop_whoami;
60 struct ldapinfo *li = (struct ldapinfo *) be->be_private;
63 fprintf( stderr, "%s: line %d: ldap backend info is null!\n",
68 /* server address to query (depricated, use "uri" directive) */
69 if ( strcasecmp( argv[0], "server" ) == 0 ) {
72 "%s: line %d: missing address in \"server <address>\" line\n",
78 li->url = ch_calloc(strlen(argv[1]) + 9, sizeof(char));
79 if (li->url != NULL) {
80 strcpy(li->url, "ldap://");
81 strcat(li->url, argv[1]);
85 /* URI of server to query (preferred over "server" directive) */
86 } else if ( strcasecmp( argv[0], "uri" ) == 0 ) {
89 "%s: line %d: missing address in \"uri <address>\" line\n",
95 li->url = ch_strdup(argv[1]);
97 /* name to use for ldap_back_group */
98 } else if ( strcasecmp( argv[0], "binddn" ) == 0 ) {
101 "%s: line %d: missing name in \"binddn <name>\" line\n",
105 li->binddn = ch_strdup(argv[1]);
107 /* password to use for ldap_back_group */
108 } else if ( strcasecmp( argv[0], "bindpw" ) == 0 ) {
111 "%s: line %d: missing password in \"bindpw <password>\" line\n",
115 li->bindpw = ch_strdup(argv[1]);
117 /* save bind creds for referral rebinds? */
118 } else if ( strcasecmp( argv[0], "rebind-as-user" ) == 0 ) {
121 "%s: line %d: rebind-as-user takes no arguments\n",
127 /* intercept exop_who_am_i? */
128 } else if ( strcasecmp( argv[0], "proxy-whoami" ) == 0 ) {
131 "%s: line %d: proxy-whoami takes no arguments\n",
135 load_extop( (struct berval *)&slap_EXOP_WHOAMI, ldap_back_exop_whoami );
138 } else if ( strcasecmp( argv[0], "suffixmassage" ) == 0 ) {
140 struct berval bvnc, nvnc, pvnc, brnc, nrnc, prnc;
141 #ifdef ENABLE_REWRITE
143 #endif /* ENABLE_REWRITE */
148 * suffixmassage <suffix> <massaged suffix>
150 * the <suffix> field must be defined as a valid suffix
151 * (or suffixAlias?) for the current database;
152 * the <massaged suffix> shouldn't have already been
153 * defined as a valid suffix or suffixAlias for the
157 fprintf( stderr, "%s: line %d: syntax is"
158 " \"suffixMassage <suffix>"
159 " <massaged suffix>\"\n",
164 ber_str2bv( argv[1], 0, 0, &bvnc );
165 if ( dnPrettyNormal( NULL, &bvnc, &pvnc, &nvnc ) != LDAP_SUCCESS ) {
166 fprintf( stderr, "%s: line %d: suffix DN %s is invalid\n",
167 fname, lineno, bvnc.bv_val );
170 tmp_be = select_backend( &nvnc, 0, 0 );
171 if ( tmp_be != NULL && tmp_be != be ) {
172 fprintf( stderr, "%s: line %d: suffix already in use"
173 " by another backend in"
174 " \"suffixMassage <suffix>"
175 " <massaged suffix>\"\n",
182 ber_str2bv( argv[2], 0, 0, &brnc );
183 if ( dnPrettyNormal( NULL, &brnc, &prnc, &nrnc ) != LDAP_SUCCESS ) {
184 fprintf( stderr, "%s: line %d: suffix DN %s is invalid\n",
185 fname, lineno, brnc.bv_val );
192 tmp_be = select_backend( &nrnc, 0, 0 );
193 if ( tmp_be != NULL ) {
194 fprintf( stderr, "%s: line %d: massaged suffix"
195 " already in use by another backend in"
196 " \"suffixMassage <suffix>"
197 " <massaged suffix>\"\n",
207 #ifdef ENABLE_REWRITE
209 * The suffix massaging is emulated by means of the
210 * rewrite capabilities
211 * FIXME: no extra rewrite capabilities should be added
214 rc = suffix_massage_config( li->rwinfo, &pvnc, &nvnc, &prnc, &nrnc );
222 #else /* !ENABLE_REWRITE */
223 ber_bvarray_add( &li->suffix_massage, &pvnc );
224 ber_bvarray_add( &li->suffix_massage, &nvnc );
226 ber_bvarray_add( &li->suffix_massage, &prnc );
227 ber_bvarray_add( &li->suffix_massage, &nrnc );
228 #endif /* !ENABLE_REWRITE */
230 /* rewrite stuff ... */
231 } else if ( strncasecmp( argv[0], "rewrite", 7 ) == 0 ) {
232 #ifdef ENABLE_REWRITE
233 return rewrite_parse( li->rwinfo, fname, lineno, argc, argv );
235 #else /* !ENABLE_REWRITE */
236 fprintf( stderr, "%s: line %d: rewrite capabilities "
237 "are not enabled\n", fname, lineno );
238 #endif /* !ENABLE_REWRITE */
240 /* objectclass/attribute mapping */
241 } else if ( strcasecmp( argv[0], "map" ) == 0 ) {
243 struct ldapmapping *mapping;
246 if ( argc < 3 || argc > 4 ) {
248 "%s: line %d: syntax is \"map {objectclass | attribute} [<local> | *] {<foreign> | *}\"\n",
253 if ( strcasecmp( argv[1], "objectclass" ) == 0 ) {
255 } else if ( strcasecmp( argv[1], "attribute" ) == 0 ) {
258 fprintf( stderr, "%s: line %d: syntax is "
259 "\"map {objectclass | attribute} [<local> | *] "
260 "{<foreign> | *}\"\n",
265 if ( strcmp( argv[2], "*" ) == 0 ) {
266 if ( argc < 4 || strcmp( argv[3], "*" ) == 0 ) {
267 map->drop_missing = ( argc < 4 );
271 } else if ( argc < 4 ) {
276 dst = ( strcmp( argv[3], "*" ) == 0 ? src : argv[3] );
279 if ( ( map == &li->at_map )
280 && ( strcasecmp( src, "objectclass" ) == 0
281 || strcasecmp( dst, "objectclass" ) == 0 ) )
284 "%s: line %d: objectclass attribute cannot be mapped\n",
288 mapping = (struct ldapmapping *)ch_calloc( 2,
289 sizeof(struct ldapmapping) );
290 if ( mapping == NULL ) {
292 "%s: line %d: out of memory\n",
296 ber_str2bv( src, 0, 1, &mapping->src );
297 ber_str2bv( dst, 0, 1, &mapping->dst );
298 mapping[1].src = mapping->dst;
299 mapping[1].dst = mapping->src;
301 if ( (*src != '\0' &&
302 avl_find( map->map, (caddr_t)mapping, mapping_cmp ) != NULL) ||
303 avl_find( map->remap, (caddr_t)&mapping[1], mapping_cmp ) != NULL)
306 "%s: line %d: duplicate mapping found (ignored)\n",
312 avl_insert( &map->map, (caddr_t)mapping,
313 mapping_cmp, mapping_dup );
314 avl_insert( &map->remap, (caddr_t)&mapping[1],
315 mapping_cmp, mapping_dup );
319 fprintf( stderr, "%s: line %d: unknown directive \"%s\" "
320 "in ldap database definition (ignored)\n",
321 fname, lineno, argv[0] );
327 ldap_back_exop_whoami(
330 struct berval *reqoid,
331 struct berval *reqdata,
333 struct berval **rspdata,
334 LDAPControl ***rspctrls,
338 struct berval *bv = NULL;
339 int rc = LDAP_SUCCESS;
341 if ( reqdata != NULL ) {
342 /* no request data should be provided */
343 *text = "no request data expected";
344 return LDAP_PROTOCOL_ERROR;
348 rc = backend_check_restrictions( conn->c_authz_backend,
349 conn, op, (struct berval *)&slap_EXOP_WHOAMI, text );
351 if( rc != LDAP_SUCCESS ) return rc;
354 /* if auth'd by back-ldap and request is proxied, forward it */
355 if ( conn->c_authz_backend && !strcmp(conn->c_authz_backend->be_type, "ldap" ) && !dn_match(&op->o_ndn, &conn->c_ndn)) {
356 struct ldapinfo *li =
357 (struct ldapinfo *)conn->c_authz_backend->be_private;
360 LDAPControl c, *ctrls[2] = {&c, NULL};
365 op2.o_ndn = conn->c_ndn;
366 lc = ldap_back_getconn(li, conn, &op2);
367 if (!lc || !ldap_back_dobind( li, lc, conn, op )) {
370 c.ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ;
371 c.ldctl_iscritical = 1;
372 c.ldctl_value.bv_val = ch_malloc(op->o_ndn.bv_len+4);
373 c.ldctl_value.bv_len = op->o_ndn.bv_len + 3;
374 strcpy(c.ldctl_value.bv_val, "dn:");
375 strcpy(c.ldctl_value.bv_val+3, op->o_ndn.bv_val);
377 rc = ldap_whoami(lc->ld, ctrls, NULL, &msgid);
378 if (rc == LDAP_SUCCESS) {
379 if (ldap_result(lc->ld, msgid, 1, NULL, &res) == -1) {
380 ldap_get_option(lc->ld, LDAP_OPT_ERROR_NUMBER,
383 rc = ldap_parse_whoami(lc->ld, res, &bv);
387 ch_free(c.ldctl_value.bv_val);
388 if (rc != LDAP_SUCCESS) {
389 rc = ldap_back_map_result(rc);
392 /* else just do the same as before */
393 bv = (struct berval *) ch_malloc( sizeof(struct berval) );
394 if( op->o_dn.bv_len ) {
395 bv->bv_len = op->o_dn.bv_len + sizeof("dn:")-1;
396 bv->bv_val = ch_malloc( bv->bv_len + 1 );
397 AC_MEMCPY( bv->bv_val, "dn:", sizeof("dn:")-1 );
398 AC_MEMCPY( &bv->bv_val[sizeof("dn:")-1], op->o_dn.bv_val,
400 bv->bv_val[bv->bv_len] = '\0';
412 #ifdef ENABLE_REWRITE
414 suffix_massage_regexize( const char *s )
421 ( r = strchr( p, ',' ) ) != NULL;
425 res = ch_calloc( sizeof( char ), strlen( s ) + 4 + 4*i + 1 );
427 ptr = lutil_strcopy( res, "(.*)" );
429 ( r = strchr( p, ',' ) ) != NULL;
431 ptr = lutil_strncopy( ptr, p, r - p + 1 );
432 ptr = lutil_strcopy( ptr, "[ ]?" );
434 if ( r[ 1 ] == ' ' ) {
438 lutil_strcopy( ptr, p );
444 suffix_massage_patternize( const char *s )
451 res = ch_calloc( sizeof( char ), len + sizeof( "%1" ) );
457 strcpy( res + sizeof( "%1" ) - 1, s );
463 suffix_massage_config(
464 struct rewrite_info *info,
474 rargv[ 0 ] = "rewriteEngine";
477 rewrite_parse( info, "<suffix massage>", ++line, 2, rargv );
479 rargv[ 0 ] = "rewriteContext";
480 rargv[ 1 ] = "default";
482 rewrite_parse( info, "<suffix massage>", ++line, 2, rargv );
484 rargv[ 0 ] = "rewriteRule";
485 rargv[ 1 ] = suffix_massage_regexize( pvnc->bv_val );
486 rargv[ 2 ] = suffix_massage_patternize( prnc->bv_val );
489 rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
490 ch_free( rargv[ 1 ] );
491 ch_free( rargv[ 2 ] );
493 rargv[ 0 ] = "rewriteContext";
494 rargv[ 1 ] = "searchResult";
496 rewrite_parse( info, "<suffix massage>", ++line, 2, rargv );
498 rargv[ 0 ] = "rewriteRule";
499 rargv[ 1 ] = suffix_massage_regexize( prnc->bv_val );
500 rargv[ 2 ] = suffix_massage_patternize( pvnc->bv_val );
503 rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
504 ch_free( rargv[ 1 ] );
505 ch_free( rargv[ 2 ] );
508 * the filter should be rewritten as
511 * "(.*)member=([^)]+),o=Foo Bar,[ ]?c=US(.*)"
512 * "%1member=%2,dc=example,dc=com%3"
514 * where "o=Foo Bar, c=US" is the virtual naming context,
515 * and "dc=example, dc=com" is the real naming context
517 rargv[ 0 ] = "rewriteContext";
518 rargv[ 1 ] = "searchFilter";
520 rewrite_parse( info, "<suffix massage>", ++line, 2, rargv );
522 #if 1 /* rewrite filters */
525 * Note: this is far more optimistic than desirable:
526 * for any AVA value ending with the virtual naming
527 * context the terminal part will be replaced by the
528 * real naming context; a better solution would be to
529 * walk the filter looking for DN-valued attributes,
530 * and only rewrite those that require rewriting
532 char vbuf_[BUFSIZ], *vbuf = vbuf_,
533 rbuf_[BUFSIZ], *rbuf = rbuf_;
536 len = snprintf( vbuf, sizeof( vbuf_ ),
537 "(.*)%s\\)(.*)", nvnc->bv_val );
540 * traditional behavior: snprintf returns -1
541 * if buffer is insufficient
545 } else if ( len >= (int)sizeof( vbuf_ ) ) {
547 * C99: snprintf returns the required size
549 vbuf = ch_malloc( len + 1 );
550 len = snprintf( vbuf, len,
551 "(.*)%s\\)(.*)", nvnc->bv_val );
555 len = snprintf( rbuf, sizeof( rbuf_ ), "%%1%s)%%2",
560 } else if ( len >= (int)sizeof( rbuf_ ) ) {
561 rbuf = ch_malloc( len + 1 );
562 len = snprintf( rbuf, sizeof( rbuf_ ), "%%1%s)%%2",
567 rargv[ 0 ] = "rewriteRule";
572 rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
574 if ( vbuf != vbuf_ ) {
578 if ( rbuf != rbuf_ ) {
582 #endif /* rewrite filters */
584 #if 0 /* "matched" is not normalized */
585 rargv[ 0 ] = "rewriteContext";
586 rargv[ 1 ] = "matchedDn";
587 rargv[ 2 ] = "alias";
588 rargv[ 3 ] = "searchResult";
590 rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
591 #else /* normalize "matched" */
592 rargv[ 0 ] = "rewriteContext";
593 rargv[ 1 ] = "matchedDn";
595 rewrite_parse( info, "<suffix massage>", ++line, 2, rargv );
597 rargv[ 0 ] = "rewriteRule";
598 rargv[ 1 ] = suffix_massage_regexize( prnc->bv_val );
599 rargv[ 2 ] = suffix_massage_patternize( nvnc->bv_val );
602 rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
603 ch_free( rargv[ 1 ] );
604 ch_free( rargv[ 2 ] );
605 #endif /* normalize "matched" */
609 #endif /* ENABLE_REWRITE */