1 /* search.c - ldap backend search function */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
5 * Copyright 1999-2004 The OpenLDAP Foundation.
6 * Portions Copyright 1999-2003 Howard Chu.
7 * Portions Copyright 2000-2003 Pierangelo Masarati.
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted only as authorized by the OpenLDAP
14 * A copy of this license is available in the file LICENSE in the
15 * top-level directory of the distribution or, alternatively, at
16 * <http://www.OpenLDAP.org/license.html>.
19 * This work was initially developed by the Howard Chu for inclusion
20 * in OpenLDAP Software and subsequently enhanced by Pierangelo
28 #include <ac/socket.h>
29 #include <ac/string.h>
33 #include "back-ldap.h"
34 #undef ldap_debug /* silence a warning in ldap-int.h */
35 #include "../../../libraries/libldap/ldap-int.h"
40 ldap_build_entry( Operation *op, LDAPMessage *e, Entry *ent,
41 struct berval *bdn, int flags );
42 #define LDAP_BUILD_ENTRY_PRIVATE 0x01
49 struct ldapinfo *li = (struct ldapinfo *) op->o_bd->be_private;
54 struct berval match = BER_BVNULL;
55 char **mapped_attrs = NULL;
57 struct berval mfilter = BER_BVNULL;
62 LDAPControl **ctrls = NULL;
64 lc = ldap_back_getconn(op, rs);
70 * FIXME: in case of values return filter, we might want
71 * to map attrs and maybe rewrite value
73 if ( !ldap_back_dobind( lc, op, rs ) ) {
77 /* should we check return values? */
78 if ( op->ors_deref != -1 ) {
79 ldap_set_option( lc->ld, LDAP_OPT_DEREF, (void *)&op->ors_deref );
82 if ( op->ors_tlimit != SLAP_NO_LIMIT ) {
83 tv.tv_sec = op->ors_tlimit;
91 * Rewrite the search base, if required
93 dc.rwmap = &li->rwmap;
97 dc.ctx = "searchBase";
102 if ( ldap_back_dn_massage( &dc, &op->o_req_ndn, &mbase ) ) {
103 send_ldap_result( op, rs );
107 rc = ldap_back_filter_map_rewrite( &dc, op->ors_filter,
108 &mfilter, BACKLDAP_MAP );
114 case LDAP_COMPARE_FALSE:
115 rs->sr_err = LDAP_SUCCESS;
121 rs->sr_err = LDAP_OTHER;
122 rs->sr_text = "Rewrite error";
128 rs->sr_err = ldap_back_map_attrs( &li->rwmap.rwm_at,
130 BACKLDAP_MAP, &mapped_attrs );
131 if ( rs->sr_err != LDAP_SUCCESS ) {
137 #ifdef LDAP_BACK_PROXY_AUTHZ
138 rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls );
139 if ( rc != LDAP_SUCCESS ) {
143 #endif /* LDAP_BACK_PROXY_AUTHZ */
146 rs->sr_err = ldap_search_ext( lc->ld, mbase.bv_val,
147 op->ors_scope, mfilter.bv_val,
148 mapped_attrs, op->ors_attrsonly,
150 tv.tv_sec ? &tv : NULL, op->ors_slimit,
153 if ( rs->sr_err != LDAP_SUCCESS ) {
155 rc = ldap_back_op_result( lc, op, rs, msgid, 0 );
157 ldap_back_freeconn( op, lc );
163 /* We pull apart the ber result, stuff it into a slapd entry, and
164 * let send_search_entry stuff it back into ber format. Slow & ugly,
165 * but this is necessary for version matching, and for ACL processing.
168 for ( rc = 0; rc != -1; rc = ldap_result( lc->ld, msgid, 0, &tv, &res ) )
170 /* check for abandon */
171 if ( op->o_abandon ) {
172 ldap_abandon( lc->ld, msgid );
180 ldap_pvt_thread_yield();
182 } else if ( rc == LDAP_RES_SEARCH_ENTRY ) {
188 e = ldap_first_entry( lc->ld, res );
189 rc = ldap_build_entry( op, e, &ent, &bdn,
190 LDAP_BUILD_ENTRY_PRIVATE );
191 if ( rc == LDAP_SUCCESS ) {
193 rs->sr_attrs = op->ors_attrs;
194 rs->sr_operational_attrs = NULL;
196 abort = send_search_entry( op, rs );
197 while (ent.e_attrs) {
202 ent.e_attrs = a->a_next;
205 if ( a->a_vals != &slap_dummy_bv ) {
206 ber_bvarray_free(a->a_vals);
208 if ( a->a_nvals != v ) {
209 ber_bvarray_free(a->a_nvals);
214 if ( ent.e_dn && ( ent.e_dn != bdn.bv_val ) )
221 ldap_abandon( lc->ld, msgid );
225 } else if ( rc == LDAP_RES_SEARCH_REFERENCE ) {
226 char **references = NULL;
230 rc = ldap_parse_reference( lc->ld, res,
231 &references, &rs->sr_ctrls, 1 );
233 if ( rc != LDAP_SUCCESS ) {
237 if ( references == NULL ) {
241 for ( cnt = 0; references[ cnt ]; cnt++ )
244 rs->sr_ref = ch_calloc( cnt + 1, sizeof( struct berval ) );
246 for ( cnt = 0; references[ cnt ]; cnt++ ) {
247 ber_str2bv( references[ cnt ], 0, 0, &rs->sr_ref[ cnt ] );
250 /* ignore return value by now */
251 ( void )send_search_reference( op, rs );
255 ldap_value_free( references );
256 ch_free( rs->sr_ref );
260 if ( rs->sr_ctrls ) {
261 ldap_controls_free( rs->sr_ctrls );
266 rc = ldap_parse_result( lc->ld, res, &rs->sr_err,
267 &match.bv_val, (char **)&rs->sr_text,
268 NULL, &rs->sr_ctrls, 1 );
269 if (rc != LDAP_SUCCESS ) {
272 rs->sr_err = slap_map_api2result( rs );
281 if ( ldap_back_retry( lc, op, rs ))
284 /* FIXME: invalidate the connection? */
285 rs->sr_err = LDAP_SERVER_DOWN;
291 * Rewrite the matched portion of the search base, if required
293 if ( match.bv_val && *match.bv_val ) {
296 #ifdef ENABLE_REWRITE
297 dc.ctx = "matchedDN";
302 match.bv_len = strlen( match.bv_val );
303 ldap_back_dn_massage( &dc, &match, &mdn );
304 rs->sr_matched = mdn.bv_val;
306 if ( rs->sr_v2ref ) {
307 rs->sr_err = LDAP_REFERRAL;
311 send_ldap_result( op, rs );
313 #ifdef LDAP_BACK_PROXY_AUTHZ
314 if ( ctrls && ctrls != op->o_ctrls ) {
318 #endif /* LDAP_BACK_PROXY_AUTHZ */
320 if ( rs->sr_ctrls ) {
321 ldap_controls_free( rs->sr_ctrls );
325 if ( match.bv_val ) {
326 if ( rs->sr_matched != match.bv_val ) {
327 free( (char *)rs->sr_matched );
329 rs->sr_matched = NULL;
330 LDAP_FREE( match.bv_val );
333 if ( !dontfreetext ) {
334 LDAP_FREE( (char *)rs->sr_text );
338 if ( mapped_attrs ) {
339 ch_free( mapped_attrs );
341 if ( mfilter.bv_val != op->ors_filterstr.bv_val ) {
342 ch_free( mfilter.bv_val );
344 if ( mbase.bv_val != op->o_req_ndn.bv_val ) {
345 free( mbase.bv_val );
360 struct ldapinfo *li = (struct ldapinfo *) op->o_bd->be_private;
361 struct berval a, mapped;
362 BerElement ber = *e->lm_ber;
363 Attribute *attr, **attrp;
367 int private = flags & LDAP_BUILD_ENTRY_PRIVATE;
370 /* safe assumptions ... */
372 ent->e_bv.bv_val = NULL;
374 if ( ber_scanf( &ber, "{m{", bdn ) == LBER_ERROR ) {
375 return LDAP_DECODING_ERROR;
379 * Rewrite the dn of the result, if needed
381 dc.rwmap = &li->rwmap;
382 #ifdef ENABLE_REWRITE
383 dc.conn = op->o_conn;
385 dc.ctx = "searchResult";
390 if ( ldap_back_dn_massage( &dc, bdn, &ent->e_name ) ) {
395 * Note: this may fail if the target host(s) schema differs
396 * from the one known to the meta, and a DN with unknown
397 * attributes is returned.
399 * FIXME: should we log anything, or delegate to dnNormalize?
401 /* Note: if the distinguished values or the naming attributes
402 * change, should we massage them as well?
404 if ( dnNormalize( 0, NULL, NULL, &ent->e_name, &ent->e_nname,
405 op->o_tmpmemctx ) != LDAP_SUCCESS )
407 return LDAP_INVALID_DN_SYNTAX;
410 attrp = &ent->e_attrs;
412 #ifdef ENABLE_REWRITE
413 dc.ctx = "searchAttrDN";
415 while ( ber_scanf( &ber, "{m", &a ) != LBER_ERROR ) {
417 slap_syntax_validate_func *validate;
418 slap_syntax_transform_func *pretty;
420 ldap_back_map( &li->rwmap.rwm_at, &a, &mapped, BACKLDAP_REMAP );
421 if ( BER_BVISNULL( &mapped ) || BER_BVISEMPTY( &mapped ) )
423 attr = (Attribute *)ch_malloc( sizeof( Attribute ) );
429 if ( slap_bv2ad( &mapped, &attr->a_desc, &text ) != LDAP_SUCCESS ) {
430 if ( slap_bv2undef_ad( &mapped, &attr->a_desc, &text )
433 Debug( LDAP_DEBUG_ANY,
434 "slap_bv2undef_ad(%s): %s\n", mapped.bv_val, text, 0 );
440 /* no subschemaSubentry */
441 if ( attr->a_desc == slap_schema.si_ad_subschemaSubentry ) {
444 * We eat target's subschemaSubentry because
445 * a search for this value is likely not
446 * to resolve to the appropriate backend;
447 * later, the local subschemaSubentry is
450 ( void )ber_scanf( &ber, "x" /* [W] */ );
456 if ( ber_scanf( &ber, "[W]", &attr->a_vals ) == LBER_ERROR
457 || attr->a_vals == NULL )
460 * Note: attr->a_vals can be null when using
461 * values result filter
464 attr->a_vals = &slap_dummy_bv;
466 attr->a_vals = ch_malloc( sizeof( struct berval ) );
467 BER_BVZERO( &attr->a_vals[0] );
472 for ( last = 0; !BER_BVISNULL( &attr->a_vals[last] ); last++ );
477 } else if ( attr->a_desc == slap_schema.si_ad_objectClass
478 || attr->a_desc == slap_schema.si_ad_structuralObjectClass )
480 for ( bv = attr->a_vals; !BER_BVISNULL( bv ); bv++ ) {
481 ldap_back_map( &li->rwmap.rwm_oc, bv, &mapped,
483 if ( BER_BVISNULL( &mapped ) || BER_BVISEMPTY( &mapped ) ) {
484 LBER_FREE( bv->bv_val );
488 *bv = attr->a_vals[last];
489 BER_BVZERO( &attr->a_vals[last] );
492 } else if ( mapped.bv_val != bv->bv_val ) {
494 * FIXME: after LBER_FREEing
495 * the value is replaced by
498 LBER_FREE( bv->bv_val );
499 ber_dupbv( bv, &mapped );
504 * It is necessary to try to rewrite attributes with
505 * dn syntax because they might be used in ACLs as
506 * members of groups; since ACLs are applied to the
507 * rewritten stuff, no dn-based subject clause could
508 * be used at the ldap backend side (see
509 * http://www.OpenLDAP.org/faq/data/cache/452.html)
510 * The problem can be overcome by moving the dn-based
511 * ACLs to the target directory server, and letting
512 * everything pass thru the ldap backend.
514 } else if ( attr->a_desc->ad_type->sat_syntax ==
515 slap_schema.si_syn_distinguishedName )
517 ldap_dnattr_result_rewrite( &dc, attr->a_vals );
520 validate = attr->a_desc->ad_type->sat_syntax->ssyn_validate;
521 pretty = attr->a_desc->ad_type->sat_syntax->ssyn_pretty;
523 if ( !validate && !pretty ) {
524 attr->a_nvals = NULL;
529 for ( i = 0; i < last; i++ ) {
534 rc = pretty( attr->a_desc->ad_type->sat_syntax,
535 &attr->a_vals[i], &pval, NULL );
537 rc = validate( attr->a_desc->ad_type->sat_syntax,
541 if ( rc != LDAP_SUCCESS ) {
542 attr->a_nvals = NULL;
548 LBER_FREE( attr->a_vals[i].bv_val );
549 attr->a_vals[i] = pval;
553 if ( last && attr->a_desc->ad_type->sat_equality &&
554 attr->a_desc->ad_type->sat_equality->smr_normalize )
556 attr->a_nvals = ch_malloc( ( last + 1 )*sizeof( struct berval ) );
557 for ( i = 0; i < last; i++ ) {
561 * check that each value is valid per syntax
562 * and pretty if appropriate
564 rc = attr->a_desc->ad_type->sat_equality->smr_normalize(
565 SLAP_MR_VALUE_OF_ATTRIBUTE_SYNTAX,
566 attr->a_desc->ad_type->sat_syntax,
567 attr->a_desc->ad_type->sat_equality,
568 &attr->a_vals[i], &attr->a_nvals[i],
569 NULL /* op->o_tmpmemctx */ );
571 if ( rc != LDAP_SUCCESS ) {
572 BER_BVZERO( &attr->a_nvals[i] );
577 BER_BVZERO( &attr->a_nvals[i] );
580 attr->a_nvals = attr->a_vals;
583 attrp = &attr->a_next;
588 /* make sure it's free'able */
589 if ( !private && ent->e_name.bv_val == bdn->bv_val ) {
590 ber_dupbv( &ent->e_name, bdn );
595 /* return 0 IFF we can retrieve the entry with ndn
602 AttributeDescription *at,
607 struct ldapinfo *li = (struct ldapinfo *) op->o_bd->be_private;
610 struct berval mapped = BER_BVNULL, bdn, mdn;
611 LDAPMessage *result = NULL, *e = NULL;
619 /* Tell getconn this is a privileged op */
620 is_oc = op->o_do_not_cache;
621 op->o_do_not_cache = 1;
622 lc = ldap_back_getconn(op, &rs);
625 if ( !lc || !ldap_back_dobind(lc, op, &rs) ) {
626 op->o_do_not_cache = is_oc;
630 op->o_do_not_cache = is_oc;
634 * Rewrite the search base, if required
636 dc.rwmap = &li->rwmap;
637 #ifdef ENABLE_REWRITE
638 dc.conn = op->o_conn;
640 dc.ctx = "searchBase";
645 if ( ldap_back_dn_massage( &dc, ndn, &mdn ) ) {
650 ldap_back_map(&li->rwmap.rwm_at, &at->ad_cname, &mapped, BACKLDAP_MAP);
651 if ( BER_BVISNULL( &mapped ) || BER_BVISEMPTY( &mapped ) ) {
655 is_oc = ( strcasecmp( "objectclass", mapped.bv_val ) == 0 );
656 if ( oc && !is_oc ) {
657 gattr[0] = "objectclass";
658 gattr[1] = mapped.bv_val;
662 gattr[0] = mapped.bv_val;
669 ldap_back_map(&li->rwmap.rwm_oc, &oc->soc_cname, &mapped,
671 filter = ch_malloc( STRLENOF( "(objectclass=)" ) + mapped.bv_len + 1 );
672 ptr = lutil_strcopy( filter, "(objectclass=" );
673 ptr = lutil_strcopy( ptr, mapped.bv_val );
679 rc = ldap_search_ext_s( lc->ld, mdn.bv_val, LDAP_SCOPE_BASE, filter,
680 gattr, 0, NULL, NULL, LDAP_NO_LIMIT,
681 LDAP_NO_LIMIT, &result);
682 if ( rc != LDAP_SUCCESS )
684 if ( rc == LDAP_SERVER_DOWN && do_retry ) {
686 if ( ldap_back_retry( lc, op, &rs ))
692 e = ldap_first_entry( lc->ld, result );
697 *ent = ch_calloc( 1, sizeof( Entry ) );
699 rc = ldap_build_entry( op, e, *ent, &bdn, 0 );
701 if ( rc != LDAP_SUCCESS ) {
708 ldap_msgfree( result );
715 if ( mdn.bv_val != ndn->bv_val ) {
716 ch_free( mdn.bv_val );