1 /* search.c - ldap backend search function */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
5 * Copyright 1999-2004 The OpenLDAP Foundation.
6 * Portions Copyright 1999-2003 Howard Chu.
7 * Portions Copyright 2000-2003 Pierangelo Masarati.
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted only as authorized by the OpenLDAP
14 * A copy of this license is available in the file LICENSE in the
15 * top-level directory of the distribution or, alternatively, at
16 * <http://www.OpenLDAP.org/license.html>.
19 * This work was initially developed by the Howard Chu for inclusion
20 * in OpenLDAP Software and subsequently enhanced by Pierangelo
28 #include <ac/socket.h>
29 #include <ac/string.h>
33 #include "back-ldap.h"
34 #undef ldap_debug /* silence a warning in ldap-int.h */
35 #include "../../../libraries/libldap/ldap-int.h"
40 ldap_build_entry( Operation *op, LDAPMessage *e, Entry *ent,
41 struct berval *bdn, int flags );
42 #define LDAP_BUILD_ENTRY_PRIVATE 0x01
44 static struct berval dummy = BER_BVNULL;
51 struct ldapinfo *li = (struct ldapinfo *) op->o_bd->be_private;
56 struct berval match = BER_BVNULL;
57 char **mapped_attrs = NULL;
59 struct berval mfilter = BER_BVNULL;
63 LDAPControl **ctrls = NULL;
65 lc = ldap_back_getconn(op, rs);
71 * FIXME: in case of values return filter, we might want
72 * to map attrs and maybe rewrite value
74 if ( !ldap_back_dobind( lc, op, rs ) ) {
78 /* should we check return values? */
79 if ( op->ors_deref != -1 ) {
80 ldap_set_option( lc->ld, LDAP_OPT_DEREF, (void *)&op->ors_deref );
83 if ( op->ors_tlimit != SLAP_NO_LIMIT ) {
84 tv.tv_sec = op->ors_tlimit;
92 * Rewrite the search base, if required
94 dc.rwmap = &li->rwmap;
98 dc.ctx = "searchBase";
103 if ( ldap_back_dn_massage( &dc, &op->o_req_ndn, &mbase ) ) {
104 send_ldap_result( op, rs );
108 rc = ldap_back_filter_map_rewrite( &dc, op->ors_filter,
109 &mfilter, BACKLDAP_MAP );
115 case LDAP_COMPARE_FALSE:
116 rs->sr_err = LDAP_SUCCESS;
122 rs->sr_err = LDAP_OTHER;
123 rs->sr_text = "Rewrite error";
129 rs->sr_err = ldap_back_map_attrs( &li->rwmap.rwm_at,
131 BACKLDAP_MAP, &mapped_attrs );
132 if ( rs->sr_err != LDAP_SUCCESS ) {
138 #ifdef LDAP_BACK_PROXY_AUTHZ
139 rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls );
140 if ( rc != LDAP_SUCCESS ) {
144 #endif /* LDAP_BACK_PROXY_AUTHZ */
146 rs->sr_err = ldap_search_ext( lc->ld, mbase.bv_val,
147 op->ors_scope, mfilter.bv_val,
148 mapped_attrs, op->ors_attrsonly,
150 tv.tv_sec ? &tv : NULL, op->ors_slimit,
153 if ( rs->sr_err != LDAP_SUCCESS ) {
155 rc = ldap_back_op_result( lc, op, rs, msgid, 0 );
157 ldap_back_freeconn( op, lc );
163 /* We pull apart the ber result, stuff it into a slapd entry, and
164 * let send_search_entry stuff it back into ber format. Slow & ugly,
165 * but this is necessary for version matching, and for ACL processing.
168 for ( rc = 0; rc != -1; rc = ldap_result( lc->ld, msgid, 0, &tv, &res ) )
170 /* check for abandon */
171 if ( op->o_abandon ) {
172 ldap_abandon( lc->ld, msgid );
180 ldap_pvt_thread_yield();
182 } else if ( rc == LDAP_RES_SEARCH_ENTRY ) {
186 e = ldap_first_entry( lc->ld, res );
187 rc = ldap_build_entry( op, e, &ent, &bdn,
188 LDAP_BUILD_ENTRY_PRIVATE );
189 if ( rc == LDAP_SUCCESS ) {
191 rs->sr_attrs = op->ors_attrs;
192 rs->sr_operational_attrs = NULL;
194 abort = send_search_entry( op, rs );
195 while (ent.e_attrs) {
200 ent.e_attrs = a->a_next;
203 if ( a->a_vals != &dummy ) {
204 ber_bvarray_free(a->a_vals);
206 if ( a->a_nvals != v ) {
207 ber_bvarray_free(a->a_nvals);
212 if ( ent.e_dn && ( ent.e_dn != bdn.bv_val ) )
219 ldap_abandon( lc->ld, msgid );
223 } else if ( rc == LDAP_RES_SEARCH_REFERENCE ) {
224 char **references = NULL;
227 rc = ldap_parse_reference( lc->ld, res,
228 &references, &rs->sr_ctrls, 1 );
230 if ( rc != LDAP_SUCCESS ) {
234 if ( references == NULL ) {
238 for ( cnt = 0; references[ cnt ]; cnt++ )
241 rs->sr_ref = ch_calloc( cnt + 1, sizeof( struct berval ) );
243 for ( cnt = 0; references[ cnt ]; cnt++ ) {
244 ber_str2bv( references[ cnt ], 0, 0, &rs->sr_ref[ cnt ] );
247 /* ignore return value by now */
248 ( void )send_search_reference( op, rs );
252 ldap_value_free( references );
253 ch_free( rs->sr_ref );
257 if ( rs->sr_ctrls ) {
258 ldap_controls_free( rs->sr_ctrls );
263 rc = ldap_parse_result( lc->ld, res, &rs->sr_err,
264 &match.bv_val, (char **)&rs->sr_text,
266 if (rc != LDAP_SUCCESS ) {
269 rs->sr_err = slap_map_api2result( rs );
276 /* FIXME: invalidate the connection? */
277 rs->sr_err = LDAP_SERVER_DOWN;
283 * Rewrite the matched portion of the search base, if required
285 if ( match.bv_val && *match.bv_val ) {
288 #ifdef ENABLE_REWRITE
289 dc.ctx = "matchedDN";
294 match.bv_len = strlen( match.bv_val );
295 ldap_back_dn_massage( &dc, &match, &mdn );
296 rs->sr_matched = mdn.bv_val;
298 if ( rs->sr_v2ref ) {
299 rs->sr_err = LDAP_REFERRAL;
303 send_ldap_result( op, rs );
305 #ifdef LDAP_BACK_PROXY_AUTHZ
306 if ( ctrls && ctrls != op->o_ctrls ) {
310 #endif /* LDAP_BACK_PROXY_AUTHZ */
312 if ( match.bv_val ) {
313 if ( rs->sr_matched != match.bv_val ) {
314 free( (char *)rs->sr_matched );
316 rs->sr_matched = NULL;
317 LDAP_FREE( match.bv_val );
320 if ( !dontfreetext ) {
321 LDAP_FREE( (char *)rs->sr_text );
325 if ( mapped_attrs ) {
326 ch_free( mapped_attrs );
328 if ( mfilter.bv_val != op->ors_filterstr.bv_val ) {
329 ch_free( mfilter.bv_val );
331 if ( mbase.bv_val != op->o_req_ndn.bv_val ) {
332 free( mbase.bv_val );
347 struct ldapinfo *li = (struct ldapinfo *) op->o_bd->be_private;
348 struct berval a, mapped;
349 BerElement ber = *e->lm_ber;
350 Attribute *attr, **attrp;
354 int private = flags & LDAP_BUILD_ENTRY_PRIVATE;
357 /* safe assumptions ... */
359 ent->e_bv.bv_val = NULL;
361 if ( ber_scanf( &ber, "{m{", bdn ) == LBER_ERROR ) {
362 return LDAP_DECODING_ERROR;
366 * Rewrite the dn of the result, if needed
368 dc.rwmap = &li->rwmap;
369 #ifdef ENABLE_REWRITE
370 dc.conn = op->o_conn;
372 dc.ctx = "searchResult";
377 if ( ldap_back_dn_massage( &dc, bdn, &ent->e_name ) ) {
382 * Note: this may fail if the target host(s) schema differs
383 * from the one known to the meta, and a DN with unknown
384 * attributes is returned.
386 * FIXME: should we log anything, or delegate to dnNormalize?
388 /* Note: if the distinguished values or the naming attributes
389 * change, should we massage them as well?
391 if ( dnNormalize( 0, NULL, NULL, &ent->e_name, &ent->e_nname,
392 op->o_tmpmemctx ) != LDAP_SUCCESS )
394 return LDAP_INVALID_DN_SYNTAX;
397 attrp = &ent->e_attrs;
399 #ifdef ENABLE_REWRITE
400 dc.ctx = "searchAttrDN";
402 while ( ber_scanf( &ber, "{m", &a ) != LBER_ERROR ) {
404 slap_syntax_validate_func *validate =
405 attr->a_desc->ad_type->sat_syntax->ssyn_validate;
406 slap_syntax_transform_func *pretty =
407 attr->a_desc->ad_type->sat_syntax->ssyn_pretty;
409 ldap_back_map( &li->rwmap.rwm_at, &a, &mapped, BACKLDAP_REMAP );
410 if ( BER_BVISNULL( &mapped ) || BER_BVISEMPTY( &mapped ) )
412 attr = (Attribute *)ch_malloc( sizeof( Attribute ) );
418 if ( slap_bv2ad( &mapped, &attr->a_desc, &text ) != LDAP_SUCCESS ) {
419 if ( slap_bv2undef_ad( &mapped, &attr->a_desc, &text )
423 LDAP_LOG( BACK_LDAP, DETAIL1,
424 "slap_bv2undef_ad(%s): %s\n", mapped.bv_val, text, 0 );
425 #else /* !NEW_LOGGING */
426 Debug( LDAP_DEBUG_ANY,
427 "slap_bv2undef_ad(%s): %s\n", mapped.bv_val, text, 0 );
428 #endif /* !NEW_LOGGING */
434 /* no subschemaSubentry */
435 if ( attr->a_desc == slap_schema.si_ad_subschemaSubentry ) {
438 * We eat target's subschemaSubentry because
439 * a search for this value is likely not
440 * to resolve to the appropriate backend;
441 * later, the local subschemaSubentry is
444 ( void )ber_scanf( &ber, "x" /* [W] */ );
450 if ( ber_scanf( &ber, "[W]", &attr->a_vals ) == LBER_ERROR
451 || attr->a_vals == NULL )
454 * Note: attr->a_vals can be null when using
455 * values result filter
458 attr->a_vals = &dummy;
460 attr->a_vals = ch_malloc( sizeof( struct berval ) );
461 BER_BVZERO( &attr->a_vals[0] );
466 for ( last = 0; !BER_BVISNULL( &attr->a_vals[last] ); last++ );
471 } else if ( attr->a_desc == slap_schema.si_ad_objectClass
472 || attr->a_desc == slap_schema.si_ad_structuralObjectClass )
474 for ( bv = attr->a_vals; !BER_BVISNULL( bv ); bv++ ) {
475 ldap_back_map( &li->rwmap.rwm_oc, bv, &mapped,
477 if ( BER_BVISNULL( &mapped ) || BER_BVISEMPTY( &mapped ) ) {
478 LBER_FREE( bv->bv_val );
482 *bv = attr->a_vals[last];
483 BER_BVZERO( &attr->a_vals[last] );
486 } else if ( mapped.bv_val != bv->bv_val ) {
488 * FIXME: after LBER_FREEing
489 * the value is replaced by
492 LBER_FREE( bv->bv_val );
493 ber_dupbv( bv, &mapped );
498 * It is necessary to try to rewrite attributes with
499 * dn syntax because they might be used in ACLs as
500 * members of groups; since ACLs are applied to the
501 * rewritten stuff, no dn-based subject clause could
502 * be used at the ldap backend side (see
503 * http://www.OpenLDAP.org/faq/data/cache/452.html)
504 * The problem can be overcome by moving the dn-based
505 * ACLs to the target directory server, and letting
506 * everything pass thru the ldap backend.
508 } else if ( attr->a_desc->ad_type->sat_syntax ==
509 slap_schema.si_syn_distinguishedName )
511 ldap_dnattr_result_rewrite( &dc, attr->a_vals );
514 validate = attr->a_desc->ad_type->sat_syntax->ssyn_validate;
515 pretty = attr->a_desc->ad_type->sat_syntax->ssyn_pretty;
517 if ( !validate && !pretty ) {
518 attr->a_nvals = NULL;
523 for ( i = 0; i < last; i++ ) {
528 rc = pretty( attr->a_desc->ad_type->sat_syntax,
529 &attr->a_vals[i], &pval, NULL );
531 rc = validate( attr->a_desc->ad_type->sat_syntax,
535 if ( rc != LDAP_SUCCESS ) {
536 attr->a_nvals = NULL;
542 LBER_FREE( attr->a_vals[i].bv_val );
543 attr->a_vals[i] = pval;
547 if ( last && attr->a_desc->ad_type->sat_equality &&
548 attr->a_desc->ad_type->sat_equality->smr_normalize )
550 attr->a_nvals = ch_malloc( ( last + 1 )*sizeof( struct berval ) );
551 for ( i = 0; i < last; i++ ) {
555 * check that each value is valid per syntax
556 * and pretty if appropriate
558 rc = attr->a_desc->ad_type->sat_equality->smr_normalize(
559 SLAP_MR_VALUE_OF_ATTRIBUTE_SYNTAX,
560 attr->a_desc->ad_type->sat_syntax,
561 attr->a_desc->ad_type->sat_equality,
562 &attr->a_vals[i], &attr->a_nvals[i],
563 NULL /* op->o_tmpmemctx */ );
565 if ( rc != LDAP_SUCCESS ) {
566 BER_BVZERO( &attr->a_nvals[i] );
571 BER_BVZERO( &attr->a_nvals[i] );
574 attr->a_nvals = attr->a_vals;
577 attrp = &attr->a_next;
582 /* make sure it's free'able */
583 if ( !private && ent->e_name.bv_val == bdn->bv_val ) {
584 ber_dupbv( &ent->e_name, bdn );
589 /* return 0 IFF we can retrieve the entry with ndn
596 AttributeDescription *at,
601 struct ldapinfo *li = (struct ldapinfo *) op->o_bd->be_private;
604 struct berval mapped = BER_BVNULL, bdn, mdn;
605 LDAPMessage *result = NULL, *e = NULL;
612 /* Tell getconn this is a privileged op */
613 is_oc = op->o_do_not_cache;
614 op->o_do_not_cache = 1;
615 lc = ldap_back_getconn(op, &rs);
618 if ( !lc || !ldap_back_dobind(lc, op, &rs) ) {
619 op->o_do_not_cache = is_oc;
623 op->o_do_not_cache = is_oc;
627 * Rewrite the search base, if required
629 dc.rwmap = &li->rwmap;
630 #ifdef ENABLE_REWRITE
631 dc.conn = op->o_conn;
633 dc.ctx = "searchBase";
638 if ( ldap_back_dn_massage( &dc, ndn, &mdn ) ) {
643 ldap_back_map(&li->rwmap.rwm_at, &at->ad_cname, &mapped, BACKLDAP_MAP);
644 if ( BER_BVISNULL( &mapped ) || BER_BVISEMPTY( &mapped ) ) {
648 is_oc = ( strcasecmp( "objectclass", mapped.bv_val ) == 0 );
649 if ( oc && !is_oc ) {
650 gattr[0] = "objectclass";
651 gattr[1] = mapped.bv_val;
655 gattr[0] = mapped.bv_val;
662 ldap_back_map(&li->rwmap.rwm_oc, &oc->soc_cname, &mapped,
664 filter = ch_malloc( STRLENOF( "(objectclass=)" ) + mapped.bv_len + 1 );
665 ptr = lutil_strcopy( filter, "(objectclass=" );
666 ptr = lutil_strcopy( ptr, mapped.bv_val );
671 if ( ldap_search_ext_s( lc->ld, mdn.bv_val, LDAP_SCOPE_BASE, filter,
672 gattr, 0, NULL, NULL, LDAP_NO_LIMIT,
673 LDAP_NO_LIMIT, &result) != LDAP_SUCCESS )
678 e = ldap_first_entry( lc->ld, result );
683 *ent = ch_calloc( 1, sizeof( Entry ) );
685 rc = ldap_build_entry( op, e, *ent, &bdn, 0 );
687 if ( rc != LDAP_SUCCESS ) {
694 ldap_msgfree( result );
701 if ( mdn.bv_val != ndn->bv_val ) {
702 ch_free( mdn.bv_val );
projects / openldap / blob