git.sur5r.net Git - openldap/blob - servers/slapd/back-ldbm/search.c

   1 /* search.c - ldbm backend search function */
   2 /* $OpenLDAP$ */
   3 /*
   4  * Copyright 1998-2003 The OpenLDAP Foundation, All Rights Reserved.
   5  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
   6  */
   7
   8 #include "portable.h"
   9
  10 #include <stdio.h>
  11
  12 #include <ac/string.h>
  13 #include <ac/socket.h>
  14
  15 #include "slap.h"
  16 #include "back-ldbm.h"
  17 #include "proto-back-ldbm.h"
  18
  19 static ID_BLOCK *base_candidate(
  20         Backend *be, Entry *e );
  21
  22 static ID_BLOCK *search_candidates(
  23         Backend *be, Entry *e, Filter *filter,
  24         int scope, int deref, int manageDSAit );
  25
  26
  27 int
  28 ldbm_back_search(
  29     Backend     *be,
  30     Connection  *conn,
  31     Operation   *op,
  32     struct berval       *base,
  33     struct berval       *nbase,
  34     int         scope,
  35     int         deref,
  36     int         slimit,
  37     int         tlimit,
  38     Filter      *filter,
  39     struct berval       *filterstr,
  40     AttributeName       *attrs,
  41     int         attrsonly )
  42 {
  43         struct ldbminfo *li = (struct ldbminfo *) be->be_private;
  44         int             rc, err;
  45         const char *text = NULL;
  46         time_t          stoptime;
  47         ID_BLOCK                *candidates;
  48         ID              id, cursor;
  49         Entry           *e;
  50         BerVarray               v2refs = NULL;
  51         Entry   *matched = NULL;
  52         struct berval   realbase = { 0, NULL };
  53         int             nentries = 0;
  54         int             manageDSAit = get_manageDSAit( op );
  55         int             cscope = LDAP_SCOPE_DEFAULT;
  56
  57 #ifdef LDAP_CACHING
  58         Entry           cache_base_entry;
  59 #endif /* LDAP_CACHING */
  60
  61         struct slap_limits_set *limit = NULL;
  62         int isroot = 0;
  63
  64 #ifdef NEW_LOGGING
  65         LDAP_LOG( BACK_LDBM, ENTRY, "ldbm_back_search: enter\n", 0, 0, 0 );
  66 #else
  67         Debug(LDAP_DEBUG_TRACE, "=> ldbm_back_search\n", 0, 0, 0);
  68 #endif
  69
  70         /* grab giant lock for reading */
  71         ldap_pvt_thread_rdwr_rlock(&li->li_giant_rwlock);
  72
  73 #ifndef LDAP_CACHING
  74         if ( nbase->bv_len == 0 ) {
  75                 /* DIT root special case */
  76                 e = (Entry *) &slap_entry_root;
  77
  78                 /* need normalized dn below */
  79                 ber_dupbv( &realbase, &e->e_nname );
  80
  81 #else /* LDAP_CACHING */
  82         if ( op->o_caching_on || nbase->bv_len == 0 ) {
  83                 if (nbase->bv_len == 0) {
  84                     e = (Entry *) &slap_entry_root;
  85                     /* need normalized dn below */
  86                     ber_dupbv( &realbase, &e->e_nname );
  87                 } else {
  88                         if ((scope == LDAP_SCOPE_BASE)
  89                                         && (e = dn2entry_r( be, nbase, &matched )))
  90                         {
  91                                 candidates = base_candidate(be,e);
  92                                 cache_return_entry_r( &li->li_cache, e );
  93                                 goto searchit;
  94                         }
  95                         cache_base_entry.e_nname = *nbase;
  96                         e = &cache_base_entry;
  97                 }
  98 #endif /* LDAP_CACHING */
  99
 100                 candidates = search_candidates( be, e, filter,
 101                                 scope, deref,
 102                                 manageDSAit || get_domainScope(op) );
 103
 104                 goto searchit;
 105
 106         } else if ( deref & LDAP_DEREF_FINDING ) {
 107                 /* deref dn and get entry with reader lock */
 108                 e = deref_dn_r( be, nbase, &err, &matched, &text );
 109
 110                 if( err == LDAP_NO_SUCH_OBJECT ) err = LDAP_REFERRAL;
 111
 112         } else {
 113                 /* get entry with reader lock */
 114                 e = dn2entry_r( be, nbase, &matched );
 115                 err = e != NULL ? LDAP_SUCCESS : LDAP_REFERRAL;
 116                 text = NULL;
 117         }
 118
 119         if ( e == NULL ) {
 120                 struct berval matched_dn = { 0, NULL };
 121                 BerVarray refs = NULL;
 122
 123                 if ( matched != NULL ) {
 124                         BerVarray erefs;
 125                         ber_dupbv( &matched_dn, &matched->e_name );
 126
 127                         erefs = is_entry_referral( matched )
 128                                 ? get_entry_referrals( be, conn, op, matched )
 129                                 : NULL;
 130
 131                         cache_return_entry_r( &li->li_cache, matched );
 132
 133                         if( erefs ) {
 134                                 refs = referral_rewrite( erefs, &matched_dn,
 135                                         base, scope );
 136
 137                                 ber_bvarray_free( erefs );
 138                         }
 139
 140                 } else {
 141                         refs = referral_rewrite( default_referral,
 142                                 NULL, base, scope );
 143                 }
 144
 145                 ldap_pvt_thread_rdwr_runlock(&li->li_giant_rwlock);
 146
 147                 send_ldap_result( conn, op, err, matched_dn.bv_val,
 148                         text, refs, NULL );
 149
 150                 ber_bvarray_free( refs );
 151                 ber_memfree( matched_dn.bv_val );
 152                 return 1;
 153         }
 154
 155         if (!manageDSAit && is_entry_referral( e ) ) {
 156                 /* entry is a referral, don't allow add */
 157                 struct berval matched_dn;
 158                 BerVarray erefs;
 159                 BerVarray refs;
 160
 161                 ber_dupbv( &matched_dn, &e->e_name );
 162                 erefs = get_entry_referrals( be, conn, op, e );
 163                 refs = NULL;
 164
 165                 cache_return_entry_r( &li->li_cache, e );
 166                 ldap_pvt_thread_rdwr_runlock(&li->li_giant_rwlock);
 167
 168 #ifdef NEW_LOGGING
 169                 LDAP_LOG( BACK_LDBM, INFO,
 170                         "ldbm_search: entry (%s) is a referral.\n",
 171                         e->e_dn, 0, 0 );
 172 #else
 173                 Debug( LDAP_DEBUG_TRACE,
 174                         "ldbm_search: entry is referral\n",
 175                         0, 0, 0 );
 176 #endif
 177
 178                 if( erefs ) {
 179                         refs = referral_rewrite( erefs, &matched_dn,
 180                                 base, scope );
 181
 182                         ber_bvarray_free( erefs );
 183                 }
 184
 185                 if( refs ) {
 186                         send_ldap_result( conn, op, LDAP_REFERRAL,
 187                                 matched_dn.bv_val, NULL, refs, NULL );
 188                         ber_bvarray_free( refs );
 189
 190                 } else {
 191                         send_ldap_result( conn, op, LDAP_OTHER,
 192                                 matched_dn.bv_val,
 193                         "bad referral object", NULL, NULL );
 194                 }
 195
 196                 ber_memfree( matched_dn.bv_val );
 197                 return 1;
 198         }
 199
 200         if ( is_entry_alias( e ) ) {
 201                 /* don't deref */
 202                 deref = LDAP_DEREF_NEVER;
 203         }
 204
 205         if ( scope == LDAP_SCOPE_BASE ) {
 206                 cscope = LDAP_SCOPE_BASE;
 207                 candidates = base_candidate( be, e );
 208
 209         } else {
 210                 cscope = ( scope != LDAP_SCOPE_SUBTREE )
 211                         ? LDAP_SCOPE_BASE : LDAP_SCOPE_SUBTREE;
 212                 candidates = search_candidates( be, e, filter,
 213                     scope, deref, manageDSAit );
 214         }
 215
 216         /* need normalized dn below */
 217         ber_dupbv( &realbase, &e->e_nname );
 218
 219         cache_return_entry_r( &li->li_cache, e );
 220
 221 searchit:
 222         if ( candidates == NULL ) {
 223                 /* no candidates */
 224 #ifdef NEW_LOGGING
 225                 LDAP_LOG( BACK_LDBM, INFO,
 226                         "ldbm_search: no candidates\n" , 0, 0, 0);
 227 #else
 228                 Debug( LDAP_DEBUG_TRACE, "ldbm_search: no candidates\n",
 229                         0, 0, 0 );
 230 #endif
 231 #ifdef LDAP_CACHING
 232                 if ( op->o_caching_on ) {
 233                         ldap_pvt_thread_rdwr_runlock(&li->li_giant_rwlock);
 234                 }
 235 #endif /* LDAP_CACHING */
 236
 237                 send_search_result( conn, op,
 238                         LDAP_SUCCESS,
 239                         NULL, NULL, NULL, NULL, 0 );
 240
 241 #ifdef LDAP_CACHING
 242                 if ( op->o_caching_on ) {
 243                         ldap_pvt_thread_rdwr_rlock(&li->li_giant_rwlock);
 244                 }
 245 #endif /* LDAP_CACHING */
 246
 247                 rc = 1;
 248                 goto done;
 249         }
 250
 251         /* if not root, get appropriate limits */
 252 #ifndef LDAP_CACHING
 253         if ( be_isroot( be, &op->o_ndn ) )
 254 #else /* LDAP_CACHING */
 255         if ( op->o_caching_on || be_isroot( be, &op->o_ndn ) )
 256 #endif /* LDAP_CACHING */
 257         {
 258                 /*
 259                  * FIXME: I'd consider this dangerous if someone
 260                  * uses isroot for anything but handling limits
 261                  */
 262                 isroot = 1;
 263         } else {
 264                 ( void ) get_limits( be, &op->o_ndn, &limit );
 265         }
 266
 267         /* if candidates exceed to-be-checked entries, abort */
 268         if ( !isroot && limit->lms_s_unchecked != -1 ) {
 269                 if ( ID_BLOCK_NIDS( candidates ) > (unsigned) limit->lms_s_unchecked ) {
 270                         send_search_result( conn, op, LDAP_ADMINLIMIT_EXCEEDED,
 271                                         NULL, NULL, NULL, NULL, 0 );
 272                         rc = 0;
 273                         goto done;
 274                 }
 275         }
 276
 277         /* if root an no specific limit is required, allow unlimited search */
 278         if ( isroot ) {
 279                 if ( tlimit == 0 ) {
 280                         tlimit = -1;
 281                 }
 282
 283                 if ( slimit == 0 ) {
 284                         slimit = -1;
 285                 }
 286
 287         } else {
 288                 /* if no limit is required, use soft limit */
 289                 if ( tlimit <= 0 ) {
 290                         tlimit = limit->lms_t_soft;
 291
 292                 /* if requested limit higher than hard limit, abort */
 293                 } else if ( tlimit > limit->lms_t_hard ) {
 294                         /* no hard limit means use soft instead */
 295                         if ( limit->lms_t_hard == 0
 296                                         && limit->lms_t_soft > -1
 297                                         && tlimit > limit->lms_t_soft ) {
 298                                 tlimit = limit->lms_t_soft;
 299
 300                         /* positive hard limit means abort */
 301                         } else if ( limit->lms_t_hard > 0 ) {
 302                                 send_search_result( conn, op,
 303                                                 LDAP_ADMINLIMIT_EXCEEDED,
 304                                                 NULL, NULL, NULL, NULL, 0 );
 305                                 rc = 0;
 306                                 goto done;
 307                         }
 308
 309                         /* negative hard limit means no limit */
 310                 }
 311
 312                 /* if no limit is required, use soft limit */
 313                 if ( slimit <= 0 ) {
 314                         slimit = limit->lms_s_soft;
 315
 316                 /* if requested limit higher than hard limit, abort */
 317                 } else if ( slimit > limit->lms_s_hard ) {
 318                         /* no hard limit means use soft instead */
 319                         if ( limit->lms_s_hard == 0
 320                                         && limit->lms_s_soft > -1
 321                                         && slimit > limit->lms_s_soft ) {
 322                                 slimit = limit->lms_s_soft;
 323
 324                         /* positive hard limit means abort */
 325                         } else if ( limit->lms_s_hard > 0 ) {
 326                                 send_search_result( conn, op,
 327                                                 LDAP_ADMINLIMIT_EXCEEDED,
 328                                                 NULL, NULL, NULL, NULL, 0 );
 329                                 rc = 0;
 330                                 goto done;
 331                         }
 332
 333                         /* negative hard limit means no limit */
 334                 }
 335         }
 336
 337         /* compute it anyway; root does not use it */
 338         stoptime = op->o_time + tlimit;
 339
 340         for ( id = idl_firstid( candidates, &cursor ); id != NOID;
 341             id = idl_nextid( candidates, &cursor ) )
 342         {
 343                 int scopeok = 0;
 344                 int result = 0;
 345
 346                 /* check for abandon */
 347                 if ( op->o_abandon ) {
 348                         rc = 0;
 349                         goto done;
 350                 }
 351
 352                 /* check time limit */
 353                 if ( tlimit != -1 && slap_get_time() > stoptime ) {
 354                         send_search_result( conn, op, LDAP_TIMELIMIT_EXCEEDED,
 355                                 NULL, NULL, v2refs, NULL, nentries );
 356                         rc = 0;
 357                         goto done;
 358                 }
 359
 360                 /* get the entry with reader lock */
 361                 e = id2entry_r( be, id );
 362
 363                 if ( e == NULL ) {
 364 #ifdef NEW_LOGGING
 365                         LDAP_LOG( BACK_LDBM, INFO,
 366                                 "ldbm_search: candidate %ld not found.\n", id, 0, 0 );
 367 #else
 368                         Debug( LDAP_DEBUG_TRACE,
 369                                 "ldbm_search: candidate %ld not found\n",
 370                                 id, 0, 0 );
 371 #endif
 372
 373                         goto loop_continue;
 374                 }
 375
 376 #ifdef LDAP_CACHING
 377                 if ( !op->o_caching_on ) {
 378 #endif /* LDAP_CACHING */
 379
 380                 if ( deref & LDAP_DEREF_SEARCHING && is_entry_alias( e ) ) {
 381                         Entry *matched;
 382                         int err;
 383                         const char *text;
 384
 385                         e = deref_entry_r( be, e, &err, &matched, &text );
 386
 387                         if( e == NULL ) {
 388                                 e = matched;
 389                                 goto loop_continue;
 390                         }
 391
 392                         if( e->e_id == id ) {
 393                                 /* circular loop */
 394                                 goto loop_continue;
 395                         }
 396
 397                         /* need to skip alias which deref into scope */
 398                         if( scope & LDAP_SCOPE_ONELEVEL ) {
 399                                 struct berval pdn;
 400                                 dnParent( &e->e_nname, &pdn );
 401                                 if ( ber_bvcmp( &pdn, &realbase ) ) {
 402                                         goto loop_continue;
 403                                 }
 404
 405                         } else if ( dnIsSuffix( &e->e_nname, &realbase ) ) {
 406                                 /* alias is within scope */
 407 #ifdef NEW_LOGGING
 408                                 LDAP_LOG( BACK_LDBM, DETAIL1,
 409                                         "ldbm_search: alias \"%s\" in subtree\n", e->e_dn, 0, 0 );
 410 #else
 411                                 Debug( LDAP_DEBUG_TRACE,
 412                                         "ldbm_search: alias \"%s\" in subtree\n",
 413                                         e->e_dn, 0, 0 );
 414 #endif
 415
 416                                 goto loop_continue;
 417                         }
 418
 419                         scopeok = 1;
 420                 }
 421
 422                 /*
 423                  * if it's a referral, add it to the list of referrals. only do
 424                  * this for non-base searches, and don't check the filter
 425                  * explicitly here since it's only a candidate anyway.
 426                  */
 427                 if ( !manageDSAit && scope != LDAP_SCOPE_BASE &&
 428                         is_entry_referral( e ) )
 429                 {
 430                         struct berval   dn;
 431
 432                         /* check scope */
 433                         if ( !scopeok && scope == LDAP_SCOPE_ONELEVEL ) {
 434                                 if ( !be_issuffix( be, &e->e_nname ) ) {
 435                                         dnParent( &e->e_nname, &dn );
 436                                         scopeok = dn_match( &dn, &realbase );
 437                                 } else {
 438                                         scopeok = (realbase.bv_len == 0);
 439                                 }
 440
 441                         } else if ( !scopeok && scope == LDAP_SCOPE_SUBTREE ) {
 442                                 scopeok = dnIsSuffix( &e->e_nname, &realbase );
 443
 444                         } else {
 445                                 scopeok = 1;
 446                         }
 447
 448                         if( scopeok ) {
 449                                 BerVarray erefs = get_entry_referrals(
 450                                         be, conn, op, e );
 451                                 BerVarray refs = referral_rewrite( erefs,
 452                                         &e->e_name, NULL,
 453                                         scope == LDAP_SCOPE_SUBTREE
 454                                                 ? LDAP_SCOPE_SUBTREE
 455                                                 : LDAP_SCOPE_BASE );
 456
 457                                 send_search_reference( be, conn, op,
 458                                         e, refs, NULL, &v2refs );
 459
 460                                 ber_bvarray_free( refs );
 461
 462                         } else {
 463 #ifdef NEW_LOGGING
 464                                 LDAP_LOG( BACK_LDBM, DETAIL2,
 465                                         "ldbm_search: candidate referral %ld scope not okay\n",
 466                                         id, 0, 0 );
 467 #else
 468                                 Debug( LDAP_DEBUG_TRACE,
 469                                         "ldbm_search: candidate referral %ld scope not okay\n",
 470                                         id, 0, 0 );
 471 #endif
 472                         }
 473
 474                         goto loop_continue;
 475                 }
 476
 477 #ifdef LDAP_CACHING
 478                 }
 479 #endif /* LDAP_CACHING */
 480
 481                 /* if it matches the filter and scope, send it */
 482                 result = test_filter( be, conn, op, e, filter );
 483
 484                 if ( result == LDAP_COMPARE_TRUE ) {
 485                         struct berval   dn;
 486
 487                         /* check scope */
 488                         if ( !scopeok && scope == LDAP_SCOPE_ONELEVEL ) {
 489                                 if ( !be_issuffix( be, &e->e_nname ) ) {
 490                                         dnParent( &e->e_nname, &dn );
 491                                         scopeok = dn_match( &dn, &realbase );
 492                                 } else {
 493                                         scopeok = (realbase.bv_len == 0);
 494                                 }
 495
 496                         } else if ( !scopeok && scope == LDAP_SCOPE_SUBTREE ) {
 497                                 scopeok = dnIsSuffix( &e->e_nname, &realbase );
 498
 499                         } else {
 500                                 scopeok = 1;
 501                         }
 502
 503                         if ( scopeok ) {
 504                                 /* check size limit */
 505                                 if ( --slimit == -1 ) {
 506                                         cache_return_entry_r( &li->li_cache, e );
 507                                         send_search_result( conn, op,
 508                                                 LDAP_SIZELIMIT_EXCEEDED, NULL, NULL,
 509                                                 v2refs, NULL, nentries );
 510                                         rc = 0;
 511                                         goto done;
 512                                 }
 513
 514                                 if (e) {
 515
 516 #ifdef LDAP_CACHING
 517                                         if ( op->o_caching_on ) {
 518                                                 ldap_pvt_thread_rdwr_runlock(&li->li_giant_rwlock);
 519                                                 cache_return_entry_r( &li->li_cache, e );
 520                                         }
 521 #endif /* LDAP_CACHING */
 522
 523                                         result = send_search_entry(be, conn, op,
 524                                                 e, attrs, attrsonly, NULL);
 525
 526 #ifdef LDAP_CACHING
 527                                         if ( op->o_caching_on ) {
 528                                                 ldap_pvt_thread_rdwr_rlock( &li->li_giant_rwlock );
 529                                         }
 530 #endif /* LDAP_CACHING */
 531
 532
 533                                         switch (result) {
 534                                         case 0:         /* entry sent ok */
 535                                                 nentries++;
 536                                                 break;
 537                                         case 1:         /* entry not sent */
 538                                                 break;
 539                                         case -1:        /* connection closed */
 540                                                 cache_return_entry_r( &li->li_cache, e );
 541                                                 rc = 0;
 542                                                 goto done;
 543                                         }
 544                                 }
 545                         } else {
 546 #ifdef NEW_LOGGING
 547                                 LDAP_LOG( BACK_LDBM, DETAIL2,
 548                                         "ldbm_search: candidate entry %ld scope not okay\n",
 549                                         id, 0, 0 );
 550 #else
 551                                 Debug( LDAP_DEBUG_TRACE,
 552                                         "ldbm_search: candidate entry %ld scope not okay\n",
 553                                         id, 0, 0 );
 554 #endif
 555                         }
 556
 557                 } else {
 558 #ifdef NEW_LOGGING
 559                         LDAP_LOG( BACK_LDBM, DETAIL2,
 560                                 "ldbm_search: candidate entry %ld does not match filter\n",
 561                                 id, 0, 0 );
 562 #else
 563                         Debug( LDAP_DEBUG_TRACE,
 564                                 "ldbm_search: candidate entry %ld does not match filter\n",
 565                                 id, 0, 0 );
 566 #endif
 567                 }
 568
 569 loop_continue:
 570                 if( e != NULL ) {
 571                         /* free reader lock */
 572 #ifndef LDAP_CACHING
 573                         cache_return_entry_r( &li->li_cache, e );
 574 #else /* LDAP_CACHING */
 575                         if ( !op->o_caching_on ) {
 576                                 cache_return_entry_r( &li->li_cache, e );
 577                         }
 578 #endif /* LDAP_CACHING */
 579                 }
 580
 581                 ldap_pvt_thread_yield();
 582         }
 583
 584         send_search_result( conn, op,
 585                 v2refs == NULL ? LDAP_SUCCESS : LDAP_REFERRAL,
 586                 NULL, NULL, v2refs, NULL, nentries );
 587
 588         rc = 0;
 589
 590 done:
 591         ldap_pvt_thread_rdwr_runlock(&li->li_giant_rwlock);
 592
 593         if( candidates != NULL )
 594                 idl_free( candidates );
 595
 596         if( v2refs ) ber_bvarray_free( v2refs );
 597         if( realbase.bv_val ) free( realbase.bv_val );
 598
 599         return rc;
 600 }
 601
 602 static ID_BLOCK *
 603 base_candidate(
 604     Backend     *be,
 605         Entry   *e )
 606 {
 607         ID_BLOCK                *idl;
 608
 609 #ifdef NEW_LOGGING
 610         LDAP_LOG( BACK_LDBM, ENTRY, "base_candidate: base (%s)\n", e->e_dn, 0, 0 );
 611 #else
 612         Debug(LDAP_DEBUG_TRACE, "base_candidates: base: \"%s\"\n",
 613                 e->e_dn, 0, 0);
 614 #endif
 615
 616
 617         idl = idl_alloc( 1 );
 618         idl_insert( &idl, e->e_id, 1 );
 619
 620         return( idl );
 621 }
 622
 623 static ID_BLOCK *
 624 search_candidates(
 625     Backend     *be,
 626     Entry       *e,
 627     Filter      *filter,
 628     int         scope,
 629         int             deref,
 630         int             manageDSAit )
 631 {
 632         ID_BLOCK                *candidates;
 633         Filter          f, fand, rf, af, xf;
 634     AttributeAssertion aa_ref, aa_alias;
 635         struct berval bv_ref = { sizeof("referral")-1, "referral" };
 636         struct berval bv_alias = { sizeof("alias")-1, "alias" };
 637
 638 #ifdef NEW_LOGGING
 639         LDAP_LOG( BACK_LDBM, DETAIL1,
 640                    "search_candidates: base (%s) scope %d deref %d\n",
 641                    e->e_ndn, scope, deref );
 642 #else
 643         Debug(LDAP_DEBUG_TRACE,
 644                 "search_candidates: base=\"%s\" s=%d d=%d\n",
 645                 e->e_ndn, scope, deref );
 646 #endif
 647
 648
 649         xf.f_or = filter;
 650         xf.f_choice = LDAP_FILTER_OR;
 651         xf.f_next = NULL;
 652
 653         if( !manageDSAit ) {
 654                 /* match referrals */
 655                 rf.f_choice = LDAP_FILTER_EQUALITY;
 656                 rf.f_ava = &aa_ref;
 657                 rf.f_av_desc = slap_schema.si_ad_objectClass;
 658                 rf.f_av_value = bv_ref;
 659                 rf.f_next = xf.f_or;
 660                 xf.f_or = &rf;
 661         }
 662
 663         if( deref & LDAP_DEREF_SEARCHING ) {
 664                 /* match aliases */
 665                 af.f_choice = LDAP_FILTER_EQUALITY;
 666                 af.f_ava = &aa_alias;
 667                 af.f_av_desc = slap_schema.si_ad_objectClass;
 668                 af.f_av_value = bv_alias;
 669                 af.f_next = xf.f_or;
 670                 xf.f_or = &af;
 671         }
 672
 673         f.f_next = NULL;
 674         f.f_choice = LDAP_FILTER_AND;
 675         f.f_and = &fand;
 676         fand.f_choice = scope == LDAP_SCOPE_SUBTREE
 677                 ? SLAPD_FILTER_DN_SUBTREE
 678                 : SLAPD_FILTER_DN_ONE;
 679         fand.f_dn = &e->e_nname;
 680         fand.f_next = xf.f_or == filter ? filter : &xf ;
 681
 682         candidates = filter_candidates( be, &f );
 683
 684         return( candidates );
 685 }