1 /* config.c - ldap backend configuration file routine */
4 * Copyright 1998-2003 The OpenLDAP Foundation, All Rights Reserved.
5 * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
7 /* This is an altered version */
9 * Copyright 1999, Howard Chu, All rights reserved. <hyc@highlandsun.com>
11 * Permission is granted to anyone to use this software for any purpose
12 * on any computer system, and to alter it and redistribute it, subject
13 * to the following restrictions:
15 * 1. The author is not responsible for the consequences of use of this
16 * software, no matter how awful, even if they arise from flaws in it.
18 * 2. The origin of this software must not be misrepresented, either by
19 * explicit claim or by omission. Since few users ever read sources,
20 * credits should appear in the documentation.
22 * 3. Altered versions must be plainly marked as such, and must not be
23 * misrepresented as being the original software. Since few users
24 * ever read sources, credits should appear in the documentation.
26 * 4. This notice may not be removed or altered.
30 * Copyright 2000, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
32 * This software is being modified by Pierangelo Masarati.
33 * The previously reported conditions apply to the modified code as well.
34 * Changes in the original code are highlighted where required.
35 * Credits for the original code go to the author, Howard Chu.
42 #include <ac/string.h>
43 #include <ac/socket.h>
46 #include "back-ldap.h"
49 static SLAP_EXTOP_MAIN_FN ldap_back_exop_whoami;
60 struct ldapinfo *li = (struct ldapinfo *) be->be_private;
63 fprintf( stderr, "%s: line %d: ldap backend info is null!\n",
68 /* server address to query (depricated, use "uri" directive) */
69 if ( strcasecmp( argv[0], "server" ) == 0 ) {
72 "%s: line %d: missing address in \"server <address>\" line\n",
78 li->url = ch_calloc(strlen(argv[1]) + 9, sizeof(char));
79 if (li->url != NULL) {
80 strcpy(li->url, "ldap://");
81 strcat(li->url, argv[1]);
85 /* URI of server to query (preferred over "server" directive) */
86 } else if ( strcasecmp( argv[0], "uri" ) == 0 ) {
89 "%s: line %d: missing address in \"uri <address>\" line\n",
95 li->url = ch_strdup(argv[1]);
97 /* name to use for ldap_back_group */
98 } else if ( strcasecmp( argv[0], "binddn" ) == 0 ) {
101 "%s: line %d: missing name in \"binddn <name>\" line\n",
105 li->binddn = ch_strdup(argv[1]);
107 /* password to use for ldap_back_group */
108 } else if ( strcasecmp( argv[0], "bindpw" ) == 0 ) {
111 "%s: line %d: missing password in \"bindpw <password>\" line\n",
115 li->bindpw = ch_strdup(argv[1]);
117 /* save bind creds for referral rebinds? */
118 } else if ( strcasecmp( argv[0], "rebind-as-user" ) == 0 ) {
121 "%s: line %d: rebind-as-user takes no arguments\n",
127 /* intercept exop_who_am_i? */
128 } else if ( strcasecmp( argv[0], "proxy-whoami" ) == 0 ) {
131 "%s: line %d: proxy-whoami takes no arguments\n",
135 load_extop( (struct berval *)&slap_EXOP_WHOAMI, ldap_back_exop_whoami );
138 } else if ( strcasecmp( argv[0], "suffixmassage" ) == 0 ) {
140 struct berval bvnc, nvnc, pvnc, brnc, nrnc, prnc;
141 #ifdef ENABLE_REWRITE
143 #endif /* ENABLE_REWRITE */
148 * suffixmassage <suffix> <massaged suffix>
150 * the <suffix> field must be defined as a valid suffix
151 * (or suffixAlias?) for the current database;
152 * the <massaged suffix> shouldn't have already been
153 * defined as a valid suffix or suffixAlias for the
157 fprintf( stderr, "%s: line %d: syntax is"
158 " \"suffixMassage <suffix>"
159 " <massaged suffix>\"\n",
164 ber_str2bv( argv[1], 0, 0, &bvnc );
165 if ( dnPrettyNormal( NULL, &bvnc, &pvnc, &nvnc ) != LDAP_SUCCESS ) {
166 fprintf( stderr, "%s: line %d: suffix DN %s is invalid\n",
167 fname, lineno, bvnc.bv_val );
170 tmp_be = select_backend( &nvnc, 0, 0 );
171 if ( tmp_be != NULL && tmp_be != be ) {
172 fprintf( stderr, "%s: line %d: suffix already in use"
173 " by another backend in"
174 " \"suffixMassage <suffix>"
175 " <massaged suffix>\"\n",
182 ber_str2bv( argv[2], 0, 0, &brnc );
183 if ( dnPrettyNormal( NULL, &brnc, &prnc, &nrnc ) != LDAP_SUCCESS ) {
184 fprintf( stderr, "%s: line %d: suffix DN %s is invalid\n",
185 fname, lineno, brnc.bv_val );
192 tmp_be = select_backend( &nrnc, 0, 0 );
193 if ( tmp_be != NULL ) {
194 fprintf( stderr, "%s: line %d: massaged suffix"
195 " already in use by another backend in"
196 " \"suffixMassage <suffix>"
197 " <massaged suffix>\"\n",
207 #ifdef ENABLE_REWRITE
209 * The suffix massaging is emulated by means of the
210 * rewrite capabilities
211 * FIXME: no extra rewrite capabilities should be added
214 rc = suffix_massage_config( li->rwinfo, &pvnc, &nvnc, &prnc, &nrnc );
222 #else /* !ENABLE_REWRITE */
223 ber_bvarray_add( &li->suffix_massage, &pvnc );
224 ber_bvarray_add( &li->suffix_massage, &nvnc );
226 ber_bvarray_add( &li->suffix_massage, &prnc );
227 ber_bvarray_add( &li->suffix_massage, &nrnc );
228 #endif /* !ENABLE_REWRITE */
230 /* rewrite stuff ... */
231 } else if ( strncasecmp( argv[0], "rewrite", 7 ) == 0 ) {
232 #ifdef ENABLE_REWRITE
233 return rewrite_parse( li->rwinfo, fname, lineno, argc, argv );
235 #else /* !ENABLE_REWRITE */
236 fprintf( stderr, "%s: line %d: rewrite capabilities "
237 "are not enabled\n", fname, lineno );
238 #endif /* !ENABLE_REWRITE */
240 /* objectclass/attribute mapping */
241 } else if ( strcasecmp( argv[0], "map" ) == 0 ) {
242 return ldap_back_map_config( &li->oc_map, &li->at_map,
243 fname, lineno, argc, argv );
247 fprintf( stderr, "%s: line %d: unknown directive \"%s\" "
248 "in ldap database definition (ignored)\n",
249 fname, lineno, argv[0] );
255 ldap_back_map_config(
256 struct ldapmap *oc_map,
257 struct ldapmap *at_map,
264 struct ldapmapping *mapping;
268 if ( argc < 3 || argc > 4 ) {
270 "%s: line %d: syntax is \"map {objectclass | attribute} [<local> | *] {<foreign> | *}\"\n",
275 if ( strcasecmp( argv[1], "objectclass" ) == 0 ) {
279 } else if ( strcasecmp( argv[1], "attribute" ) == 0 ) {
283 fprintf( stderr, "%s: line %d: syntax is "
284 "\"map {objectclass | attribute} [<local> | *] "
285 "{<foreign> | *}\"\n",
290 if ( strcmp( argv[2], "*" ) == 0 ) {
291 if ( argc < 4 || strcmp( argv[3], "*" ) == 0 ) {
292 map->drop_missing = ( argc < 4 );
297 } else if ( argc < 4 ) {
303 dst = ( strcmp( argv[3], "*" ) == 0 ? src : argv[3] );
306 if ( ( map == at_map )
307 && ( strcasecmp( src, "objectclass" ) == 0
308 || strcasecmp( dst, "objectclass" ) == 0 ) )
311 "%s: line %d: objectclass attribute cannot be mapped\n",
315 mapping = (struct ldapmapping *)ch_calloc( 2,
316 sizeof(struct ldapmapping) );
317 if ( mapping == NULL ) {
319 "%s: line %d: out of memory\n",
323 ber_str2bv( src, 0, 1, &mapping->src );
324 ber_str2bv( dst, 0, 1, &mapping->dst );
325 mapping[1].src = mapping->dst;
326 mapping[1].dst = mapping->src;
332 if ( src[0] != '\0' ) {
333 if ( oc_bvfind( &mapping->src ) == NULL ) {
335 "%s: line %d: warning, source objectClass '%s' "
336 "should be defined in schema\n",
337 fname, lineno, src );
340 * FIXME: this should become an err
345 if ( oc_bvfind( &mapping->dst ) == NULL ) {
347 "%s: line %d: warning, destination objectClass '%s' "
348 "is not defined in schema\n",
349 fname, lineno, dst );
353 const char *text = NULL;
354 AttributeDescription *ad = NULL;
356 if ( src[0] != '\0' ) {
357 rc = slap_bv2ad( &mapping->src, &ad, &text );
358 if ( rc != LDAP_SUCCESS ) {
360 "%s: line %d: warning, source attributeType '%s' "
361 "should be defined in schema\n",
362 fname, lineno, src );
365 * FIXME: this should become an err
372 rc = slap_bv2ad( &mapping->dst, &ad, &text );
373 if ( rc != LDAP_SUCCESS ) {
375 "%s: line %d: warning, destination attributeType '%s' "
376 "is not defined in schema\n",
377 fname, lineno, dst );
381 if ( (src[0] != '\0' && avl_find( map->map, (caddr_t)mapping, mapping_cmp ) != NULL)
382 || avl_find( map->remap, (caddr_t)&mapping[1], mapping_cmp ) != NULL)
385 "%s: line %d: duplicate mapping found (ignored)\n",
387 /* FIXME: free stuff */
391 if ( src[0] != '\0' ) {
392 avl_insert( &map->map, (caddr_t)mapping,
393 mapping_cmp, mapping_dup );
395 avl_insert( &map->remap, (caddr_t)&mapping[1],
396 mapping_cmp, mapping_dup );
402 ch_free( mapping->src.bv_val );
403 ch_free( mapping->dst.bv_val );
411 ldap_back_exop_whoami(
414 struct berval *reqoid,
415 struct berval *reqdata,
417 struct berval **rspdata,
418 LDAPControl ***rspctrls,
422 struct berval *bv = NULL;
423 int rc = LDAP_SUCCESS;
425 if ( reqdata != NULL ) {
426 /* no request data should be provided */
427 *text = "no request data expected";
428 return LDAP_PROTOCOL_ERROR;
432 rc = backend_check_restrictions( conn->c_authz_backend,
433 conn, op, (struct berval *)&slap_EXOP_WHOAMI, text );
435 if( rc != LDAP_SUCCESS ) return rc;
438 /* if auth'd by back-ldap and request is proxied, forward it */
439 if ( conn->c_authz_backend && !strcmp(conn->c_authz_backend->be_type, "ldap" ) && !dn_match(&op->o_ndn, &conn->c_ndn)) {
440 struct ldapinfo *li =
441 (struct ldapinfo *)conn->c_authz_backend->be_private;
444 LDAPControl c, *ctrls[2] = {&c, NULL};
449 op2.o_ndn = conn->c_ndn;
450 lc = ldap_back_getconn(li, conn, &op2);
451 if (!lc || !ldap_back_dobind( li, lc, conn, op )) {
454 c.ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ;
455 c.ldctl_iscritical = 1;
456 c.ldctl_value.bv_val = ch_malloc(op->o_ndn.bv_len+4);
457 c.ldctl_value.bv_len = op->o_ndn.bv_len + 3;
458 strcpy(c.ldctl_value.bv_val, "dn:");
459 strcpy(c.ldctl_value.bv_val+3, op->o_ndn.bv_val);
461 rc = ldap_whoami(lc->ld, ctrls, NULL, &msgid);
462 if (rc == LDAP_SUCCESS) {
463 if (ldap_result(lc->ld, msgid, 1, NULL, &res) == -1) {
464 ldap_get_option(lc->ld, LDAP_OPT_ERROR_NUMBER,
467 rc = ldap_parse_whoami(lc->ld, res, &bv);
471 ch_free(c.ldctl_value.bv_val);
472 if (rc != LDAP_SUCCESS) {
473 rc = ldap_back_map_result(rc);
476 /* else just do the same as before */
477 bv = (struct berval *) ch_malloc( sizeof(struct berval) );
478 if( op->o_dn.bv_len ) {
479 bv->bv_len = op->o_dn.bv_len + sizeof("dn:")-1;
480 bv->bv_val = ch_malloc( bv->bv_len + 1 );
481 AC_MEMCPY( bv->bv_val, "dn:", sizeof("dn:")-1 );
482 AC_MEMCPY( &bv->bv_val[sizeof("dn:")-1], op->o_dn.bv_val,
484 bv->bv_val[bv->bv_len] = '\0';
496 #ifdef ENABLE_REWRITE
498 suffix_massage_regexize( const char *s )
505 ( r = strchr( p, ',' ) ) != NULL;
509 res = ch_calloc( sizeof( char ), strlen( s ) + 4 + 4*i + 1 );
511 ptr = lutil_strcopy( res, "(.*)" );
513 ( r = strchr( p, ',' ) ) != NULL;
515 ptr = lutil_strncopy( ptr, p, r - p + 1 );
516 ptr = lutil_strcopy( ptr, "[ ]?" );
518 if ( r[ 1 ] == ' ' ) {
522 lutil_strcopy( ptr, p );
528 suffix_massage_patternize( const char *s )
535 res = ch_calloc( sizeof( char ), len + sizeof( "%1" ) );
541 strcpy( res + sizeof( "%1" ) - 1, s );
547 suffix_massage_config(
548 struct rewrite_info *info,
558 rargv[ 0 ] = "rewriteEngine";
561 rewrite_parse( info, "<suffix massage>", ++line, 2, rargv );
563 rargv[ 0 ] = "rewriteContext";
564 rargv[ 1 ] = "default";
566 rewrite_parse( info, "<suffix massage>", ++line, 2, rargv );
568 rargv[ 0 ] = "rewriteRule";
569 rargv[ 1 ] = suffix_massage_regexize( pvnc->bv_val );
570 rargv[ 2 ] = suffix_massage_patternize( prnc->bv_val );
573 rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
574 ch_free( rargv[ 1 ] );
575 ch_free( rargv[ 2 ] );
577 rargv[ 0 ] = "rewriteContext";
578 rargv[ 1 ] = "searchResult";
580 rewrite_parse( info, "<suffix massage>", ++line, 2, rargv );
582 rargv[ 0 ] = "rewriteRule";
583 rargv[ 1 ] = suffix_massage_regexize( prnc->bv_val );
584 rargv[ 2 ] = suffix_massage_patternize( pvnc->bv_val );
587 rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
588 ch_free( rargv[ 1 ] );
589 ch_free( rargv[ 2 ] );
593 * FIXME: this is no longer required since now we map filters
594 * based on the parsed filter structure, so we can deal directly
595 * with attribute types and values. The rewriteContext
596 * "searchFilter" now refers to the value of attrbutes
601 * the filter should be rewritten as
604 * "(.*)member=([^)]+),o=Foo Bar,[ ]?c=US(.*)"
605 * "%1member=%2,dc=example,dc=com%3"
607 * where "o=Foo Bar, c=US" is the virtual naming context,
608 * and "dc=example, dc=com" is the real naming context
610 rargv[ 0 ] = "rewriteContext";
611 rargv[ 1 ] = "searchFilter";
613 rewrite_parse( info, "<suffix massage>", ++line, 2, rargv );
615 #if 1 /* rewrite filters */
618 * Note: this is far more optimistic than desirable:
619 * for any AVA value ending with the virtual naming
620 * context the terminal part will be replaced by the
621 * real naming context; a better solution would be to
622 * walk the filter looking for DN-valued attributes,
623 * and only rewrite those that require rewriting
625 char vbuf_[BUFSIZ], *vbuf = vbuf_,
626 rbuf_[BUFSIZ], *rbuf = rbuf_;
629 len = snprintf( vbuf, sizeof( vbuf_ ),
630 "(.*)%s\\)(.*)", nvnc->bv_val );
633 * traditional behavior: snprintf returns -1
634 * if buffer is insufficient
638 } else if ( len >= (int)sizeof( vbuf_ ) ) {
640 * C99: snprintf returns the required size
642 vbuf = ch_malloc( len + 1 );
643 len = snprintf( vbuf, len,
644 "(.*)%s\\)(.*)", nvnc->bv_val );
648 len = snprintf( rbuf, sizeof( rbuf_ ), "%%1%s)%%2",
653 } else if ( len >= (int)sizeof( rbuf_ ) ) {
654 rbuf = ch_malloc( len + 1 );
655 len = snprintf( rbuf, sizeof( rbuf_ ), "%%1%s)%%2",
660 rargv[ 0 ] = "rewriteRule";
665 rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
667 if ( vbuf != vbuf_ ) {
671 if ( rbuf != rbuf_ ) {
675 #endif /* rewrite filters */
678 #if 0 /* "matched" is not normalized */
679 rargv[ 0 ] = "rewriteContext";
680 rargv[ 1 ] = "matchedDn";
681 rargv[ 2 ] = "alias";
682 rargv[ 3 ] = "searchResult";
684 rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
685 #else /* normalize "matched" */
686 rargv[ 0 ] = "rewriteContext";
687 rargv[ 1 ] = "matchedDn";
689 rewrite_parse( info, "<suffix massage>", ++line, 2, rargv );
691 rargv[ 0 ] = "rewriteRule";
692 rargv[ 1 ] = suffix_massage_regexize( prnc->bv_val );
693 rargv[ 2 ] = suffix_massage_patternize( nvnc->bv_val );
696 rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
697 ch_free( rargv[ 1 ] );
698 ch_free( rargv[ 2 ] );
699 #endif /* normalize "matched" */
703 #endif /* ENABLE_REWRITE */