1 /* search.c - ldap backend search function */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
5 * Copyright 1999-2004 The OpenLDAP Foundation.
6 * Portions Copyright 1999-2003 Howard Chu.
7 * Portions Copyright 2000-2003 Pierangelo Masarati.
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted only as authorized by the OpenLDAP
14 * A copy of this license is available in the file LICENSE in the
15 * top-level directory of the distribution or, alternatively, at
16 * <http://www.OpenLDAP.org/license.html>.
19 * This work was initially developed by the Howard Chu for inclusion
20 * in OpenLDAP Software and subsequently enhanced by Pierangelo
28 #include <ac/socket.h>
29 #include <ac/string.h>
33 #include "back-ldap.h"
34 #undef ldap_debug /* silence a warning in ldap-int.h */
35 #include "../../../libraries/libldap/ldap-int.h"
40 ldap_build_entry( Operation *op, LDAPMessage *e, Entry *ent,
41 struct berval *bdn, int flags );
42 #define LDAP_BUILD_ENTRY_PRIVATE 0x01
49 struct ldapinfo *li = (struct ldapinfo *) op->o_bd->be_private;
54 struct berval match = BER_BVNULL;
55 char **mapped_attrs = NULL;
57 struct berval mfilter = BER_BVNULL;
61 LDAPControl **ctrls = NULL;
63 lc = ldap_back_getconn(op, rs);
69 * FIXME: in case of values return filter, we might want
70 * to map attrs and maybe rewrite value
72 if ( !ldap_back_dobind( lc, op, rs ) ) {
76 /* should we check return values? */
77 if ( op->ors_deref != -1 ) {
78 ldap_set_option( lc->ld, LDAP_OPT_DEREF, (void *)&op->ors_deref );
81 if ( op->ors_tlimit != SLAP_NO_LIMIT ) {
82 tv.tv_sec = op->ors_tlimit;
90 * Rewrite the search base, if required
92 dc.rwmap = &li->rwmap;
96 dc.ctx = "searchBase";
101 if ( ldap_back_dn_massage( &dc, &op->o_req_ndn, &mbase ) ) {
102 send_ldap_result( op, rs );
106 rc = ldap_back_filter_map_rewrite( &dc, op->ors_filter,
107 &mfilter, BACKLDAP_MAP );
113 case LDAP_COMPARE_FALSE:
114 rs->sr_err = LDAP_SUCCESS;
120 rs->sr_err = LDAP_OTHER;
121 rs->sr_text = "Rewrite error";
127 rs->sr_err = ldap_back_map_attrs( &li->rwmap.rwm_at,
129 BACKLDAP_MAP, &mapped_attrs );
130 if ( rs->sr_err != LDAP_SUCCESS ) {
136 #ifdef LDAP_BACK_PROXY_AUTHZ
137 rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls );
138 if ( rc != LDAP_SUCCESS ) {
142 #endif /* LDAP_BACK_PROXY_AUTHZ */
144 rs->sr_err = ldap_search_ext( lc->ld, mbase.bv_val,
145 op->ors_scope, mfilter.bv_val,
146 mapped_attrs, op->ors_attrsonly,
148 tv.tv_sec ? &tv : NULL, op->ors_slimit,
151 if ( rs->sr_err != LDAP_SUCCESS ) {
153 rc = ldap_back_op_result( lc, op, rs, msgid, 0 );
155 ldap_back_freeconn( op, lc );
161 /* We pull apart the ber result, stuff it into a slapd entry, and
162 * let send_search_entry stuff it back into ber format. Slow & ugly,
163 * but this is necessary for version matching, and for ACL processing.
166 for ( rc = 0; rc != -1; rc = ldap_result( lc->ld, msgid, 0, &tv, &res ) )
168 /* check for abandon */
169 if ( op->o_abandon ) {
170 ldap_abandon( lc->ld, msgid );
178 ldap_pvt_thread_yield();
180 } else if ( rc == LDAP_RES_SEARCH_ENTRY ) {
184 e = ldap_first_entry( lc->ld, res );
185 rc = ldap_build_entry( op, e, &ent, &bdn,
186 LDAP_BUILD_ENTRY_PRIVATE );
187 if ( rc == LDAP_SUCCESS ) {
189 rs->sr_attrs = op->ors_attrs;
190 rs->sr_operational_attrs = NULL;
192 abort = send_search_entry( op, rs );
193 while (ent.e_attrs) {
198 ent.e_attrs = a->a_next;
201 if ( a->a_vals != &slap_dummy_bv ) {
202 ber_bvarray_free(a->a_vals);
204 if ( a->a_nvals != v ) {
205 ber_bvarray_free(a->a_nvals);
210 if ( ent.e_dn && ( ent.e_dn != bdn.bv_val ) )
217 ldap_abandon( lc->ld, msgid );
221 } else if ( rc == LDAP_RES_SEARCH_REFERENCE ) {
222 char **references = NULL;
225 rc = ldap_parse_reference( lc->ld, res,
226 &references, &rs->sr_ctrls, 1 );
228 if ( rc != LDAP_SUCCESS ) {
232 if ( references == NULL ) {
236 for ( cnt = 0; references[ cnt ]; cnt++ )
239 rs->sr_ref = ch_calloc( cnt + 1, sizeof( struct berval ) );
241 for ( cnt = 0; references[ cnt ]; cnt++ ) {
242 ber_str2bv( references[ cnt ], 0, 0, &rs->sr_ref[ cnt ] );
245 /* ignore return value by now */
246 ( void )send_search_reference( op, rs );
250 ldap_value_free( references );
251 ch_free( rs->sr_ref );
255 if ( rs->sr_ctrls ) {
256 ldap_controls_free( rs->sr_ctrls );
261 rc = ldap_parse_result( lc->ld, res, &rs->sr_err,
262 &match.bv_val, (char **)&rs->sr_text,
264 if (rc != LDAP_SUCCESS ) {
267 rs->sr_err = slap_map_api2result( rs );
274 /* FIXME: invalidate the connection? */
275 rs->sr_err = LDAP_SERVER_DOWN;
281 * Rewrite the matched portion of the search base, if required
283 if ( match.bv_val && *match.bv_val ) {
286 #ifdef ENABLE_REWRITE
287 dc.ctx = "matchedDN";
292 match.bv_len = strlen( match.bv_val );
293 ldap_back_dn_massage( &dc, &match, &mdn );
294 rs->sr_matched = mdn.bv_val;
296 if ( rs->sr_v2ref ) {
297 rs->sr_err = LDAP_REFERRAL;
301 send_ldap_result( op, rs );
303 #ifdef LDAP_BACK_PROXY_AUTHZ
304 if ( ctrls && ctrls != op->o_ctrls ) {
308 #endif /* LDAP_BACK_PROXY_AUTHZ */
310 if ( match.bv_val ) {
311 if ( rs->sr_matched != match.bv_val ) {
312 free( (char *)rs->sr_matched );
314 rs->sr_matched = NULL;
315 LDAP_FREE( match.bv_val );
318 if ( !dontfreetext ) {
319 LDAP_FREE( (char *)rs->sr_text );
323 if ( mapped_attrs ) {
324 ch_free( mapped_attrs );
326 if ( mfilter.bv_val != op->ors_filterstr.bv_val ) {
327 ch_free( mfilter.bv_val );
329 if ( mbase.bv_val != op->o_req_ndn.bv_val ) {
330 free( mbase.bv_val );
345 struct ldapinfo *li = (struct ldapinfo *) op->o_bd->be_private;
346 struct berval a, mapped;
347 BerElement ber = *e->lm_ber;
348 Attribute *attr, **attrp;
352 int private = flags & LDAP_BUILD_ENTRY_PRIVATE;
355 /* safe assumptions ... */
357 ent->e_bv.bv_val = NULL;
359 if ( ber_scanf( &ber, "{m{", bdn ) == LBER_ERROR ) {
360 return LDAP_DECODING_ERROR;
364 * Rewrite the dn of the result, if needed
366 dc.rwmap = &li->rwmap;
367 #ifdef ENABLE_REWRITE
368 dc.conn = op->o_conn;
370 dc.ctx = "searchResult";
375 if ( ldap_back_dn_massage( &dc, bdn, &ent->e_name ) ) {
380 * Note: this may fail if the target host(s) schema differs
381 * from the one known to the meta, and a DN with unknown
382 * attributes is returned.
384 * FIXME: should we log anything, or delegate to dnNormalize?
386 /* Note: if the distinguished values or the naming attributes
387 * change, should we massage them as well?
389 if ( dnNormalize( 0, NULL, NULL, &ent->e_name, &ent->e_nname,
390 op->o_tmpmemctx ) != LDAP_SUCCESS )
392 return LDAP_INVALID_DN_SYNTAX;
395 attrp = &ent->e_attrs;
397 #ifdef ENABLE_REWRITE
398 dc.ctx = "searchAttrDN";
400 while ( ber_scanf( &ber, "{m", &a ) != LBER_ERROR ) {
402 slap_syntax_validate_func *validate;
403 slap_syntax_transform_func *pretty;
405 ldap_back_map( &li->rwmap.rwm_at, &a, &mapped, BACKLDAP_REMAP );
406 if ( BER_BVISNULL( &mapped ) || BER_BVISEMPTY( &mapped ) )
408 attr = (Attribute *)ch_malloc( sizeof( Attribute ) );
414 if ( slap_bv2ad( &mapped, &attr->a_desc, &text ) != LDAP_SUCCESS ) {
415 if ( slap_bv2undef_ad( &mapped, &attr->a_desc, &text )
419 LDAP_LOG( BACK_LDAP, DETAIL1,
420 "slap_bv2undef_ad(%s): %s\n", mapped.bv_val, text, 0 );
421 #else /* !NEW_LOGGING */
422 Debug( LDAP_DEBUG_ANY,
423 "slap_bv2undef_ad(%s): %s\n", mapped.bv_val, text, 0 );
424 #endif /* !NEW_LOGGING */
430 /* no subschemaSubentry */
431 if ( attr->a_desc == slap_schema.si_ad_subschemaSubentry ) {
434 * We eat target's subschemaSubentry because
435 * a search for this value is likely not
436 * to resolve to the appropriate backend;
437 * later, the local subschemaSubentry is
440 ( void )ber_scanf( &ber, "x" /* [W] */ );
446 if ( ber_scanf( &ber, "[W]", &attr->a_vals ) == LBER_ERROR
447 || attr->a_vals == NULL )
450 * Note: attr->a_vals can be null when using
451 * values result filter
454 attr->a_vals = &slap_dummy_bv;
456 attr->a_vals = ch_malloc( sizeof( struct berval ) );
457 BER_BVZERO( &attr->a_vals[0] );
462 for ( last = 0; !BER_BVISNULL( &attr->a_vals[last] ); last++ );
467 } else if ( attr->a_desc == slap_schema.si_ad_objectClass
468 || attr->a_desc == slap_schema.si_ad_structuralObjectClass )
470 for ( bv = attr->a_vals; !BER_BVISNULL( bv ); bv++ ) {
471 ldap_back_map( &li->rwmap.rwm_oc, bv, &mapped,
473 if ( BER_BVISNULL( &mapped ) || BER_BVISEMPTY( &mapped ) ) {
474 LBER_FREE( bv->bv_val );
478 *bv = attr->a_vals[last];
479 BER_BVZERO( &attr->a_vals[last] );
482 } else if ( mapped.bv_val != bv->bv_val ) {
484 * FIXME: after LBER_FREEing
485 * the value is replaced by
488 LBER_FREE( bv->bv_val );
489 ber_dupbv( bv, &mapped );
494 * It is necessary to try to rewrite attributes with
495 * dn syntax because they might be used in ACLs as
496 * members of groups; since ACLs are applied to the
497 * rewritten stuff, no dn-based subject clause could
498 * be used at the ldap backend side (see
499 * http://www.OpenLDAP.org/faq/data/cache/452.html)
500 * The problem can be overcome by moving the dn-based
501 * ACLs to the target directory server, and letting
502 * everything pass thru the ldap backend.
504 } else if ( attr->a_desc->ad_type->sat_syntax ==
505 slap_schema.si_syn_distinguishedName )
507 ldap_dnattr_result_rewrite( &dc, attr->a_vals );
510 validate = attr->a_desc->ad_type->sat_syntax->ssyn_validate;
511 pretty = attr->a_desc->ad_type->sat_syntax->ssyn_pretty;
513 if ( !validate && !pretty ) {
514 attr->a_nvals = NULL;
519 for ( i = 0; i < last; i++ ) {
524 rc = pretty( attr->a_desc->ad_type->sat_syntax,
525 &attr->a_vals[i], &pval, NULL );
527 rc = validate( attr->a_desc->ad_type->sat_syntax,
531 if ( rc != LDAP_SUCCESS ) {
532 attr->a_nvals = NULL;
538 LBER_FREE( attr->a_vals[i].bv_val );
539 attr->a_vals[i] = pval;
543 if ( last && attr->a_desc->ad_type->sat_equality &&
544 attr->a_desc->ad_type->sat_equality->smr_normalize )
546 attr->a_nvals = ch_malloc( ( last + 1 )*sizeof( struct berval ) );
547 for ( i = 0; i < last; i++ ) {
551 * check that each value is valid per syntax
552 * and pretty if appropriate
554 rc = attr->a_desc->ad_type->sat_equality->smr_normalize(
555 SLAP_MR_VALUE_OF_ATTRIBUTE_SYNTAX,
556 attr->a_desc->ad_type->sat_syntax,
557 attr->a_desc->ad_type->sat_equality,
558 &attr->a_vals[i], &attr->a_nvals[i],
559 NULL /* op->o_tmpmemctx */ );
561 if ( rc != LDAP_SUCCESS ) {
562 BER_BVZERO( &attr->a_nvals[i] );
567 BER_BVZERO( &attr->a_nvals[i] );
570 attr->a_nvals = attr->a_vals;
573 attrp = &attr->a_next;
578 /* make sure it's free'able */
579 if ( !private && ent->e_name.bv_val == bdn->bv_val ) {
580 ber_dupbv( &ent->e_name, bdn );
585 /* return 0 IFF we can retrieve the entry with ndn
592 AttributeDescription *at,
597 struct ldapinfo *li = (struct ldapinfo *) op->o_bd->be_private;
600 struct berval mapped = BER_BVNULL, bdn, mdn;
601 LDAPMessage *result = NULL, *e = NULL;
608 /* Tell getconn this is a privileged op */
609 is_oc = op->o_do_not_cache;
610 op->o_do_not_cache = 1;
611 lc = ldap_back_getconn(op, &rs);
614 if ( !lc || !ldap_back_dobind(lc, op, &rs) ) {
615 op->o_do_not_cache = is_oc;
619 op->o_do_not_cache = is_oc;
623 * Rewrite the search base, if required
625 dc.rwmap = &li->rwmap;
626 #ifdef ENABLE_REWRITE
627 dc.conn = op->o_conn;
629 dc.ctx = "searchBase";
634 if ( ldap_back_dn_massage( &dc, ndn, &mdn ) ) {
639 ldap_back_map(&li->rwmap.rwm_at, &at->ad_cname, &mapped, BACKLDAP_MAP);
640 if ( BER_BVISNULL( &mapped ) || BER_BVISEMPTY( &mapped ) ) {
644 is_oc = ( strcasecmp( "objectclass", mapped.bv_val ) == 0 );
645 if ( oc && !is_oc ) {
646 gattr[0] = "objectclass";
647 gattr[1] = mapped.bv_val;
651 gattr[0] = mapped.bv_val;
658 ldap_back_map(&li->rwmap.rwm_oc, &oc->soc_cname, &mapped,
660 filter = ch_malloc( STRLENOF( "(objectclass=)" ) + mapped.bv_len + 1 );
661 ptr = lutil_strcopy( filter, "(objectclass=" );
662 ptr = lutil_strcopy( ptr, mapped.bv_val );
667 if ( ldap_search_ext_s( lc->ld, mdn.bv_val, LDAP_SCOPE_BASE, filter,
668 gattr, 0, NULL, NULL, LDAP_NO_LIMIT,
669 LDAP_NO_LIMIT, &result) != LDAP_SUCCESS )
674 e = ldap_first_entry( lc->ld, result );
679 *ent = ch_calloc( 1, sizeof( Entry ) );
681 rc = ldap_build_entry( op, e, *ent, &bdn, 0 );
683 if ( rc != LDAP_SUCCESS ) {
690 ldap_msgfree( result );
697 if ( mdn.bv_val != ndn->bv_val ) {
698 ch_free( mdn.bv_val );