1 /* search.c - ldap backend search function */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
5 * Copyright 1999-2006 The OpenLDAP Foundation.
6 * Portions Copyright 1999-2003 Howard Chu.
7 * Portions Copyright 2000-2003 Pierangelo Masarati.
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted only as authorized by the OpenLDAP
14 * A copy of this license is available in the file LICENSE in the
15 * top-level directory of the distribution or, alternatively, at
16 * <http://www.OpenLDAP.org/license.html>.
19 * This work was initially developed by the Howard Chu for inclusion
20 * in OpenLDAP Software and subsequently enhanced by Pierangelo
28 #include <ac/socket.h>
29 #include <ac/string.h>
33 #include "back-ldap.h"
34 #undef ldap_debug /* silence a warning in ldap-int.h */
35 #include "../../../libraries/libldap/ldap-int.h"
40 ldap_build_entry( Operation *op, LDAPMessage *e, Entry *ent,
44 * Quick'n'dirty rewrite of filter in case of error, to deal with
45 * <draft-zeilenga-ldap-t-f>.
48 ldap_back_munge_filter(
50 struct berval *filter )
52 ldapinfo_t *li = (ldapinfo_t *) op->o_bd->be_private;
57 Debug( LDAP_DEBUG_ARGS, "=> ldap_back_munge_filter \"%s\"\n",
58 filter->bv_val, 0, 0 );
60 for ( ptr = strstr( filter->bv_val, "(?=" );
62 ptr = strstr( ptr, "(?=" ) )
65 bv_true = BER_BVC( "(?=true)" ),
66 bv_false = BER_BVC( "(?=false)" ),
67 bv_undefined = BER_BVC( "(?=undefined)" ),
68 bv_t = BER_BVC( "(&)" ),
69 bv_f = BER_BVC( "(|)" ),
70 bv_T = BER_BVC( "(objectClass=*)" ),
71 bv_F = BER_BVC( "(!(objectClass=*))" );
72 struct berval *oldbv = NULL,
74 oldfilter = BER_BVNULL;
76 if ( strncmp( ptr, bv_true.bv_val, bv_true.bv_len ) == 0 ) {
78 if ( li->li_flags & LDAP_BACK_F_SUPPORT_T_F ) {
85 } else if ( strncmp( ptr, bv_false.bv_val, bv_false.bv_len ) == 0 )
88 if ( li->li_flags & LDAP_BACK_F_SUPPORT_T_F ) {
95 } else if ( strncmp( ptr, bv_undefined.bv_val, bv_undefined.bv_len ) == 0 )
97 oldbv = &bv_undefined;
106 if ( newbv->bv_len > oldbv->bv_len ) {
107 filter->bv_len += newbv->bv_len - oldbv->bv_len;
108 if ( filter->bv_val == op->ors_filterstr.bv_val ) {
109 filter->bv_val = op->o_tmpalloc( filter->bv_len + 1,
112 AC_MEMCPY( filter->bv_val, op->ors_filterstr.bv_val,
113 op->ors_filterstr.bv_len + 1 );
116 filter->bv_val = op->o_tmprealloc( filter->bv_val,
117 filter->bv_len + 1, op->o_tmpmemctx );
120 ptr = filter->bv_val + ( ptr - oldfilter.bv_val );
123 AC_MEMCPY( &ptr[ newbv->bv_len ],
124 &ptr[ oldbv->bv_len ],
125 oldfilter.bv_len - ( ptr - filter->bv_val ) - oldbv->bv_len + 1 );
126 AC_MEMCPY( ptr, newbv->bv_val, newbv->bv_len );
128 ptr += newbv->bv_len;
133 Debug( LDAP_DEBUG_ARGS, "<= ldap_back_munge_filter \"%s\" (%d)\n",
134 filter->bv_val, gotit, 0 );
146 time_t stoptime = (time_t)-1;
151 struct berval match = BER_BVNULL,
156 int do_retry = 1, dont_retry = 0;
157 LDAPControl **ctrls = NULL;
158 /* FIXME: shouldn't this be null? */
159 const char *save_matched = rs->sr_matched;
161 lc = ldap_back_getconn( op, rs, LDAP_BACK_SENDERR );
162 if ( !lc || !ldap_back_dobind( lc, op, rs, LDAP_BACK_SENDERR ) ) {
167 * FIXME: in case of values return filter, we might want
168 * to map attrs and maybe rewrite value
171 /* should we check return values? */
172 if ( op->ors_deref != -1 ) {
173 ldap_set_option( lc->lc_ld, LDAP_OPT_DEREF,
174 (void *)&op->ors_deref );
177 if ( op->ors_tlimit != SLAP_NO_LIMIT ) {
178 tv.tv_sec = op->ors_tlimit;
180 stoptime = op->o_time + op->ors_tlimit;
183 LDAP_BACK_TV_SET( &tv );
186 if ( op->ors_attrs ) {
187 for ( i = 0; !BER_BVISNULL( &op->ors_attrs[i].an_name ); i++ )
188 /* just count attrs */ ;
190 attrs = ch_malloc( ( i + 1 )*sizeof( char * ) );
191 if ( attrs == NULL ) {
192 rs->sr_err = LDAP_NO_MEMORY;
197 for ( i = 0; !BER_BVISNULL( &op->ors_attrs[i].an_name ); i++ ) {
198 attrs[ i ] = op->ors_attrs[i].an_name.bv_val;
204 rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls );
205 if ( rc != LDAP_SUCCESS ) {
209 /* deal with <draft-zeilenga-ldap-t-f> filters */
210 filter = op->ors_filterstr;
212 rs->sr_err = ldap_search_ext( lc->lc_ld, op->o_req_dn.bv_val,
213 op->ors_scope, filter.bv_val,
214 attrs, op->ors_attrsonly, ctrls, NULL,
215 tv.tv_sec ? &tv : NULL,
216 op->ors_slimit, &msgid );
218 if ( rs->sr_err != LDAP_SUCCESS ) {
219 switch ( rs->sr_err ) {
220 case LDAP_SERVER_DOWN:
223 if ( ldap_back_retry( &lc, op, rs, LDAP_BACK_DONTSEND ) ) {
229 /* reset by ldap_back_retry ... */
230 rs->sr_err = slap_map_api2result( rs );
233 rc = ldap_back_op_result( lc, op, rs, msgid, 0, LDAP_BACK_DONTSEND );
238 case LDAP_FILTER_ERROR:
239 if ( ldap_back_munge_filter( op, &filter ) ) {
243 /* invalid filters return success with no data */
244 rs->sr_err = LDAP_SUCCESS;
249 rs->sr_err = slap_map_api2result( rs );
255 /* We pull apart the ber result, stuff it into a slapd entry, and
256 * let send_search_entry stuff it back into ber format. Slow & ugly,
257 * but this is necessary for version matching, and for ACL processing.
260 for ( rc = 0; rc != -1; rc = ldap_result( lc->lc_ld, msgid, LDAP_MSG_ONE, &tv, &res ) )
262 /* check for abandon */
263 if ( op->o_abandon ) {
267 ldap_abandon_ext( lc->lc_ld, msgid, NULL, NULL );
273 LDAP_BACK_TV_SET( &tv );
274 ldap_pvt_thread_yield();
276 /* check time limit */
277 if ( op->ors_tlimit != SLAP_NO_LIMIT
278 && slap_get_time() > stoptime )
280 ldap_abandon_ext( lc->lc_ld, msgid, NULL, NULL );
281 rc = rs->sr_err = LDAP_TIMELIMIT_EXCEEDED;
287 /* don't retry any more */
292 if ( rc == LDAP_RES_SEARCH_ENTRY ) {
294 struct berval bdn = BER_BVNULL;
298 e = ldap_first_entry( lc->lc_ld, res );
299 rc = ldap_build_entry( op, e, &ent, &bdn );
300 if ( rc == LDAP_SUCCESS ) {
302 rs->sr_attrs = op->ors_attrs;
303 rs->sr_operational_attrs = NULL;
305 rs->sr_err = LDAP_SUCCESS;
306 rc = rs->sr_err = send_search_entry( op, rs );
307 if ( !BER_BVISNULL( &ent.e_name ) ) {
308 assert( ent.e_name.bv_val != bdn.bv_val );
309 op->o_tmpfree( ent.e_name.bv_val, op->o_tmpmemctx );
310 BER_BVZERO( &ent.e_name );
312 if ( !BER_BVISNULL( &ent.e_nname ) ) {
313 op->o_tmpfree( ent.e_nname.bv_val, op->o_tmpmemctx );
314 BER_BVZERO( &ent.e_nname );
319 if ( rc != LDAP_SUCCESS ) {
320 if ( rc == LDAP_UNAVAILABLE ) {
321 rc = rs->sr_err = LDAP_OTHER;
323 ldap_abandon_ext( lc->lc_ld, msgid, NULL, NULL );
328 } else if ( rc == LDAP_RES_SEARCH_REFERENCE ) {
329 char **references = NULL;
332 rc = ldap_parse_reference( lc->lc_ld, res,
333 &references, &rs->sr_ctrls, 1 );
335 if ( rc != LDAP_SUCCESS ) {
339 /* FIXME: there MUST be at least one */
340 if ( references && references[ 0 ] && references[ 0 ][ 0 ] ) {
343 for ( cnt = 0; references[ cnt ]; cnt++ )
346 /* FIXME: there MUST be at least one */
347 rs->sr_ref = ch_malloc( ( cnt + 1 ) * sizeof( struct berval ) );
349 for ( cnt = 0; references[ cnt ]; cnt++ ) {
350 ber_str2bv( references[ cnt ], 0, 0, &rs->sr_ref[ cnt ] );
352 BER_BVZERO( &rs->sr_ref[ cnt ] );
354 /* ignore return value by now */
355 ( void )send_search_reference( op, rs );
358 Debug( LDAP_DEBUG_ANY,
359 "%s ldap_back_search: "
360 "got SEARCH_REFERENCE "
361 "with no referrals\n",
362 op->o_log_prefix, 0, 0 );
367 ber_memvfree( (void **)references );
368 ch_free( rs->sr_ref );
372 if ( rs->sr_ctrls ) {
373 ldap_controls_free( rs->sr_ctrls );
378 char **references = NULL, *err = NULL;
380 rc = ldap_parse_result( lc->lc_ld, res, &rs->sr_err,
382 &references, &rs->sr_ctrls, 1 );
383 if ( rc != LDAP_SUCCESS ) {
386 rs->sr_err = slap_map_api2result( rs );
392 if ( references && references[ 0 ] && references[ 0 ][ 0 ] ) {
395 if ( rs->sr_err != LDAP_REFERRAL ) {
397 Debug( LDAP_DEBUG_ANY,
398 "%s ldap_back_search: "
399 "got referrals with %d\n",
402 rs->sr_err = LDAP_REFERRAL;
405 for ( cnt = 0; references[ cnt ]; cnt++ )
408 rs->sr_ref = ch_malloc( ( cnt + 1 ) * sizeof( struct berval ) );
410 for ( cnt = 0; references[ cnt ]; cnt++ ) {
412 ber_str2bv( references[ cnt ], 0, 1, &rs->sr_ref[ cnt ] );
414 BER_BVZERO( &rs->sr_ref[ cnt ] );
417 if ( match.bv_val != NULL ) {
419 match.bv_len = strlen( match.bv_val );
425 ber_memvfree( (void **)references );
433 if ( rc == -1 && dont_retry == 0 ) {
436 if ( ldap_back_retry( &lc, op, rs, LDAP_BACK_DONTSEND ) ) {
440 rs->sr_err = LDAP_SERVER_DOWN;
441 rs->sr_err = slap_map_api2result( rs );
446 * Rewrite the matched portion of the search base, if required
448 if ( !BER_BVISNULL( &match ) && !BER_BVISEMPTY( &match ) ) {
449 struct berval pmatch;
451 if ( dnPretty( NULL, &match, &pmatch, op->o_tmpmemctx ) == LDAP_SUCCESS ) {
452 rs->sr_matched = pmatch.bv_val;
453 LDAP_FREE( match.bv_val );
456 rs->sr_matched = match.bv_val;
460 if ( rs->sr_v2ref ) {
461 rs->sr_err = LDAP_REFERRAL;
465 if ( rc != SLAPD_ABANDON ) {
466 send_ldap_result( op, rs );
469 (void)ldap_back_proxy_authz_ctrl_free( op, &ctrls );
471 if ( rs->sr_ctrls ) {
472 ldap_controls_free( rs->sr_ctrls );
476 if ( rs->sr_matched != NULL && rs->sr_matched != save_matched ) {
477 if ( rs->sr_matched != match.bv_val ) {
478 ber_memfree_x( (char *)rs->sr_matched, op->o_tmpmemctx );
481 LDAP_FREE( match.bv_val );
483 rs->sr_matched = save_matched;
486 if ( !BER_BVISNULL( &filter ) && filter.bv_val != op->ors_filterstr.bv_val ) {
487 op->o_tmpfree( filter.bv_val, op->o_tmpmemctx );
492 LDAP_FREE( (char *)rs->sr_text );
498 ber_bvarray_free( rs->sr_ref );
507 ldap_back_release_conn( op, rs, lc );
521 BerElement ber = *e->lm_ber;
522 Attribute *attr, **attrp;
526 /* safe assumptions ... */
527 assert( ent != NULL );
528 BER_BVZERO( &ent->e_bv );
530 if ( ber_scanf( &ber, "{m{", bdn ) == LBER_ERROR ) {
531 return LDAP_DECODING_ERROR;
535 * Note: this may fail if the target host(s) schema differs
536 * from the one known to the meta, and a DN with unknown
537 * attributes is returned.
539 * FIXME: should we log anything, or delegate to dnNormalize?
541 /* Note: if the distinguished values or the naming attributes
542 * change, should we massage them as well?
544 if ( dnPrettyNormal( NULL, bdn, &ent->e_name, &ent->e_nname,
545 op->o_tmpmemctx ) != LDAP_SUCCESS )
547 return LDAP_INVALID_DN_SYNTAX;
550 attrp = &ent->e_attrs;
552 while ( ber_scanf( &ber, "{m", &a ) != LBER_ERROR ) {
554 slap_syntax_validate_func *validate;
555 slap_syntax_transform_func *pretty;
557 attr = (Attribute *)ch_malloc( sizeof( Attribute ) );
558 if ( attr == NULL ) {
564 if ( slap_bv2ad( &a, &attr->a_desc, &text )
567 if ( slap_bv2undef_ad( &a, &attr->a_desc, &text,
568 SLAP_AD_PROXIED ) != LDAP_SUCCESS )
570 Debug( LDAP_DEBUG_ANY,
571 "%s ldap_build_entry: "
572 "slap_bv2undef_ad(%s): %s\n",
573 op->o_log_prefix, a.bv_val, text );
579 /* no subschemaSubentry */
580 if ( attr->a_desc == slap_schema.si_ad_subschemaSubentry
581 || attr->a_desc == slap_schema.si_ad_entryDN )
585 * We eat target's subschemaSubentry because
586 * a search for this value is likely not
587 * to resolve to the appropriate backend;
588 * later, the local subschemaSubentry is
591 * We also eat entryDN because the frontend
592 * will reattach it without checking if already
595 ( void )ber_scanf( &ber, "x" /* [W] */ );
601 if ( ber_scanf( &ber, "[W]", &attr->a_vals ) == LBER_ERROR
602 || attr->a_vals == NULL )
605 * Note: attr->a_vals can be null when using
606 * values result filter
608 attr->a_vals = (struct berval *)&slap_dummy_bv;
612 for ( last = 0; !BER_BVISNULL( &attr->a_vals[ last ] ); last++ )
613 /* just count vals */ ;
616 validate = attr->a_desc->ad_type->sat_syntax->ssyn_validate;
617 pretty = attr->a_desc->ad_type->sat_syntax->ssyn_pretty;
619 if ( !validate && !pretty ) {
620 attr->a_nvals = NULL;
625 for ( i = 0; i < last; i++ ) {
630 rc = pretty( attr->a_desc->ad_type->sat_syntax,
631 &attr->a_vals[i], &pval, NULL );
634 rc = validate( attr->a_desc->ad_type->sat_syntax,
638 if ( rc != LDAP_SUCCESS ) {
639 /* check if, by chance, it's an undefined objectClass */
640 if ( attr->a_desc == slap_schema.si_ad_objectClass &&
641 oc_bvfind_undef( &attr->a_vals[i] ) != NULL )
643 ber_dupbv( &pval, &attr->a_vals[i] );
646 attr->a_nvals = NULL;
653 LBER_FREE( attr->a_vals[i].bv_val );
654 attr->a_vals[i] = pval;
658 if ( last && attr->a_desc->ad_type->sat_equality &&
659 attr->a_desc->ad_type->sat_equality->smr_normalize )
661 attr->a_nvals = ch_malloc( ( last + 1 )*sizeof( struct berval ) );
662 for ( i = 0; i < last; i++ ) {
666 * check that each value is valid per syntax
667 * and pretty if appropriate
669 rc = attr->a_desc->ad_type->sat_equality->smr_normalize(
670 SLAP_MR_VALUE_OF_ATTRIBUTE_SYNTAX,
671 attr->a_desc->ad_type->sat_syntax,
672 attr->a_desc->ad_type->sat_equality,
673 &attr->a_vals[i], &attr->a_nvals[i],
676 if ( rc != LDAP_SUCCESS ) {
677 BER_BVZERO( &attr->a_nvals[i] );
682 BER_BVZERO( &attr->a_nvals[i] );
685 attr->a_nvals = attr->a_vals;
688 attrp = &attr->a_next;
696 /* return 0 IFF we can retrieve the entry with ndn
703 AttributeDescription *at,
712 LDAPMessage *result = NULL,
714 char *attr[3], **attrp = NULL;
718 LDAPControl **ctrls = NULL;
722 /* Tell getconn this is a privileged op */
723 do_not_cache = op->o_do_not_cache;
724 op->o_do_not_cache = 1;
725 lc = ldap_back_getconn( op, &rs, LDAP_BACK_DONTSEND );
726 if ( !lc || !ldap_back_dobind( lc, op, &rs, LDAP_BACK_DONTSEND ) ) {
727 op->o_do_not_cache = do_not_cache;
730 op->o_do_not_cache = do_not_cache;
734 if ( oc && at != slap_schema.si_ad_objectClass ) {
735 attr[0] = slap_schema.si_ad_objectClass->ad_cname.bv_val;
736 attr[1] = at->ad_cname.bv_val;
740 attr[0] = at->ad_cname.bv_val;
748 filter = ch_malloc( STRLENOF( "(objectclass=)" )
749 + oc->soc_cname.bv_len + 1 );
750 ptr = lutil_strcopy( filter, "(objectclass=" );
751 ptr = lutil_strcopy( ptr, oc->soc_cname.bv_val );
757 rc = ldap_back_proxy_authz_ctrl( lc, op, &rs, &ctrls );
758 if ( rc != LDAP_SUCCESS ) {
763 rc = ldap_search_ext_s( lc->lc_ld, ndn->bv_val, LDAP_SCOPE_BASE, filter,
764 attrp, 0, ctrls, NULL,
765 NULL, LDAP_NO_LIMIT, &result );
766 if ( rc != LDAP_SUCCESS ) {
767 if ( rc == LDAP_SERVER_DOWN && do_retry ) {
769 if ( ldap_back_retry( &lc, op, &rs, LDAP_BACK_DONTSEND ) ) {
776 e = ldap_first_entry( lc->lc_ld, result );
778 /* the entry exists, but it doesn't match the filter? */
782 *ent = ch_calloc( 1, sizeof( Entry ) );
783 if ( *ent == NULL ) {
788 rc = ldap_build_entry( op, e, *ent, &bdn );
790 if ( rc != LDAP_SUCCESS ) {
796 (void)ldap_back_proxy_authz_ctrl_free( op, &ctrls );
799 ldap_msgfree( result );
807 ldap_back_release_conn( op, &rs, lc );