]> git.sur5r.net Git - openldap/blob - servers/slapd/back-mdb/search.c
a0ea03f063c6581801c0c5be3680470352012df3
[openldap] / servers / slapd / back-mdb / search.c
1 /* search.c - search operation */
2 /* $OpenLDAP$ */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
4  *
5  * Copyright 2000-2011 The OpenLDAP Foundation.
6  * All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted only as authorized by the OpenLDAP
10  * Public License.
11  *
12  * A copy of this license is available in the file LICENSE in the
13  * top-level directory of the distribution or, alternatively, at
14  * <http://www.OpenLDAP.org/license.html>.
15  */
16
17 #include "portable.h"
18
19 #include <stdio.h>
20 #include <ac/string.h>
21
22 #include "back-mdb.h"
23 #include "idl.h"
24
25 static int base_candidate(
26         BackendDB       *be,
27         Entry   *e,
28         ID              *ids );
29
30 static int search_candidates(
31         Operation *op,
32         SlapReply *rs,
33         Entry *e,
34         MDB_txn *txn,
35         MDB_cursor *mci,
36         ID      *ids,
37         ID2L    scopes );
38
39 static int parse_paged_cookie( Operation *op, SlapReply *rs );
40
41 static void send_paged_response( 
42         Operation *op,
43         SlapReply *rs,
44         ID  *lastid,
45         int tentries );
46
47 /* Dereference aliases for a single alias entry. Return the final
48  * dereferenced entry on success, NULL on any failure.
49  */
50 static Entry * deref_base (
51         Operation *op,
52         SlapReply *rs,
53         Entry *e,
54         Entry **matched,
55         MDB_txn *txn,
56         ID      *tmp,
57         ID      *visited )
58 {
59         struct berval ndn;
60
61         rs->sr_err = LDAP_ALIAS_DEREF_PROBLEM;
62         rs->sr_text = "maximum deref depth exceeded";
63
64         for (;;) {
65                 /* Remember the last entry we looked at, so we can
66                  * report broken links
67                  */
68                 *matched = e;
69
70                 if (MDB_IDL_N(tmp) >= op->o_bd->be_max_deref_depth) {
71                         e = NULL;
72                         break;
73                 }
74
75                 /* If this is part of a subtree or onelevel search,
76                  * have we seen this ID before? If so, quit.
77                  */
78                 if ( visited && mdb_idl_insert( visited, e->e_id ) ) {
79                         e = NULL;
80                         break;
81                 }
82
83                 /* If we've seen this ID during this deref iteration,
84                  * we've hit a loop.
85                  */
86                 if ( mdb_idl_insert( tmp, e->e_id ) ) {
87                         rs->sr_err = LDAP_ALIAS_PROBLEM;
88                         rs->sr_text = "circular alias";
89                         e = NULL;
90                         break;
91                 }
92
93                 /* If there was a problem getting the aliasedObjectName,
94                  * get_alias_dn will have set the error status.
95                  */
96                 if ( get_alias_dn(e, &ndn, &rs->sr_err, &rs->sr_text) ) {
97                         e = NULL;
98                         break;
99                 }
100
101                 rs->sr_err = mdb_dn2entry( op, txn, &ndn, &e, 0 );
102                 if (rs->sr_err) {
103                         rs->sr_err = LDAP_ALIAS_PROBLEM;
104                         rs->sr_text = "aliasedObject not found";
105                         break;
106                 }
107
108                 /* Free the previous entry, continue to work with the
109                  * one we just retrieved.
110                  */
111                 mdb_entry_return( op, *matched );
112
113                 /* We found a regular entry. Return this to the caller.
114                  */
115                 if (!is_entry_alias(e)) {
116                         rs->sr_err = LDAP_SUCCESS;
117                         rs->sr_text = NULL;
118                         break;
119                 }
120         }
121         return e;
122 }
123
124 /* Look for and dereference all aliases within the search scope.
125  * Requires "stack" to be able to hold 6 levels of DB_SIZE IDLs.
126  * Of course we're hardcoded to require a minimum of 8 UM_SIZE
127  * IDLs so this is never a problem.
128  */
129 static int search_aliases(
130         Operation *op,
131         SlapReply *rs,
132         Entry *e,
133         MDB_txn *txn,
134         MDB_cursor *mci,
135         ID2L scopes,
136         ID *stack )
137 {
138         ID *aliases, *curscop, *visited, *newsubs, *oldsubs, *tmp;
139         ID cursora, ida, cursoro, ido;
140         Entry *matched, *a;
141         struct berval bv_alias = BER_BVC( "alias" );
142         AttributeAssertion aa_alias = ATTRIBUTEASSERTION_INIT;
143         Filter  af;
144         int first = 1;
145
146         aliases = stack;        /* IDL of all aliases in the database */
147         curscop = aliases + MDB_IDL_DB_SIZE;    /* Aliases in the current scope */
148         visited = curscop + MDB_IDL_DB_SIZE;    /* IDs we've seen in this search */
149         newsubs = visited + MDB_IDL_DB_SIZE;    /* New subtrees we've added */
150         oldsubs = newsubs + MDB_IDL_DB_SIZE;    /* Subtrees added previously */
151         tmp = oldsubs + MDB_IDL_DB_SIZE;        /* Scratch space for deref_base() */
152
153         af.f_choice = LDAP_FILTER_EQUALITY;
154         af.f_ava = &aa_alias;
155         af.f_av_desc = slap_schema.si_ad_objectClass;
156         af.f_av_value = bv_alias;
157         af.f_next = NULL;
158
159         /* Find all aliases in database */
160         MDB_IDL_ZERO( aliases );
161         rs->sr_err = mdb_filter_candidates( op, txn, &af, aliases,
162                 curscop, visited );
163         if (rs->sr_err != LDAP_SUCCESS) {
164                 return rs->sr_err;
165         }
166         oldsubs[0] = 1;
167         oldsubs[1] = e->e_id;
168
169         MDB_IDL_ZERO( visited );
170         MDB_IDL_ZERO( newsubs );
171
172         cursoro = 0;
173         ido = mdb_idl_first( oldsubs, &cursoro );
174
175         for (;;) {
176                 /* Set curscop to only the aliases in the current scope. Start with
177                  * all the aliases, then get the intersection with the scope.
178                  */
179                 rs->sr_err = mdb_idscope( op, txn, e->e_id, aliases, curscop );
180
181                 if (first) {
182                         first = 0;
183                 } else {
184                         mdb_entry_return( op, e );
185                 }
186
187                 /* Dereference all of the aliases in the current scope. */
188                 cursora = 0;
189                 for (ida = mdb_idl_first(curscop, &cursora); ida != NOID;
190                         ida = mdb_idl_next(curscop, &cursora))
191                 {
192                         rs->sr_err = mdb_id2entry(op, mci, ida, &a);
193                         if (rs->sr_err != LDAP_SUCCESS) {
194                                 continue;
195                         }
196
197                         /* This should only happen if the curscop IDL has maxed out and
198                          * turned into a range that spans IDs indiscriminately
199                          */
200                         if (!is_entry_alias(a)) {
201                                 mdb_entry_return(op, a);
202                                 continue;
203                         }
204
205                         /* Actually dereference the alias */
206                         MDB_IDL_ZERO(tmp);
207                         a = deref_base( op, rs, a, &matched, txn,
208                                 tmp, visited );
209                         if (a) {
210                                 /* If the target was not already in our current scopes,
211                                  * make note of it in the newsubs list.
212                                  */
213                                 ID2 mid;
214                                 mid.mid = a->e_id;
215                                 mid.mval.mv_data = NULL;
216                                 if (mdb_id2l_insert(scopes, &mid) == 0) {
217                                         mdb_idl_insert(newsubs, a->e_id);
218                                 }
219                                 mdb_entry_return( op, a );
220
221                         } else if (matched) {
222                                 /* Alias could not be dereferenced, or it deref'd to
223                                  * an ID we've already seen. Ignore it.
224                                  */
225                                 mdb_entry_return( op, matched );
226                                 rs->sr_text = NULL;
227                         }
228                 }
229                 /* If this is a OneLevel search, we're done; oldsubs only had one
230                  * ID in it. For a Subtree search, oldsubs may be a list of scope IDs.
231                  */
232                 if ( op->ors_scope == LDAP_SCOPE_ONELEVEL ) break;
233 nextido:
234                 ido = mdb_idl_next( oldsubs, &cursoro );
235                 
236                 /* If we're done processing the old scopes, did we add any new
237                  * scopes in this iteration? If so, go back and do those now.
238                  */
239                 if (ido == NOID) {
240                         if (MDB_IDL_IS_ZERO(newsubs)) break;
241                         MDB_IDL_CPY(oldsubs, newsubs);
242                         MDB_IDL_ZERO(newsubs);
243                         cursoro = 0;
244                         ido = mdb_idl_first( oldsubs, &cursoro );
245                 }
246
247                 /* Find the entry corresponding to the next scope. If it can't
248                  * be found, ignore it and move on. This should never happen;
249                  * we should never see the ID of an entry that doesn't exist.
250                  */
251                 rs->sr_err = mdb_id2entry(op, mci, ido, &e);
252                 if ( rs->sr_err != LDAP_SUCCESS ) {
253                         goto nextido;
254                 }
255         }
256         return rs->sr_err;
257 }
258
259 /* Get the next ID from the DB. Used if the candidate list is
260  * a range and simple iteration hits missing entryIDs
261  */
262 static int
263 mdb_get_nextid(MDB_cursor *mci, ID *cursor)
264 {
265         MDB_val key;
266         ID id;
267         int rc;
268
269         id = *cursor + 1;
270         key.mv_data = &id;
271         key.mv_size = sizeof(ID);
272         rc = mdb_cursor_get( mci, &key, NULL, MDB_SET_RANGE );
273         if ( rc )
274                 return rc;
275         memcpy( cursor, key.mv_data, sizeof(ID));
276         return 0;
277 }
278
279 int
280 mdb_search( Operation *op, SlapReply *rs )
281 {
282         struct mdb_info *mdb = (struct mdb_info *) op->o_bd->be_private;
283         ID              id, cursor;
284         ID              lastid = NOID;
285         ID              candidates[MDB_IDL_UM_SIZE];
286         ID2             scopes[MDB_IDL_UM_SIZE];
287         Entry           *e = NULL, *base = NULL;
288         Entry           *matched = NULL;
289         AttributeName   *attrs;
290         slap_mask_t     mask;
291         time_t          stoptime;
292         int             manageDSAit;
293         int             tentries = 0;
294         IdScopes        isc;
295         MDB_cursor      *mci;
296
297         mdb_op_info     opinfo = {0}, *moi = &opinfo;
298         MDB_txn                 *ltid = NULL;
299
300         Debug( LDAP_DEBUG_TRACE, "=> " LDAP_XSTRING(mdb_search) "\n", 0, 0, 0);
301         attrs = op->oq_search.rs_attrs;
302
303         manageDSAit = get_manageDSAit( op );
304
305         rs->sr_err = mdb_opinfo_get( op, mdb, 1, &moi );
306         switch(rs->sr_err) {
307         case 0:
308                 break;
309         default:
310                 send_ldap_error( op, rs, LDAP_OTHER, "internal error" );
311                 return rs->sr_err;
312         }
313
314         ltid = moi->moi_txn;
315         isc.mt = ltid;
316         isc.mc = NULL;
317         isc.scopes = scopes;
318
319         rs->sr_err = mdb_cursor_open( ltid, mdb->mi_id2entry, &mci );
320         if ( rs->sr_err ) {
321                 send_ldap_error( op, rs, LDAP_OTHER, "internal error" );
322                 return rs->sr_err;
323         }
324
325         if ( op->ors_deref & LDAP_DEREF_FINDING ) {
326                 MDB_IDL_ZERO(candidates);
327         }
328 dn2entry_retry:
329         /* get entry with reader lock */
330         rs->sr_err = mdb_dn2entry( op, ltid, &op->o_req_ndn, &e, 1 );
331
332         switch(rs->sr_err) {
333         case MDB_NOTFOUND:
334                 matched = e;
335                 e = NULL;
336                 break;
337         case 0:
338                 break;
339         case LDAP_BUSY:
340                 send_ldap_error( op, rs, LDAP_BUSY, "ldap server busy" );
341                 goto done;
342         default:
343                 send_ldap_error( op, rs, LDAP_OTHER, "internal error" );
344                 goto done;
345         }
346
347         if ( op->ors_deref & LDAP_DEREF_FINDING ) {
348                 if ( matched && is_entry_alias( matched )) {
349                         struct berval stub;
350
351                         stub.bv_val = op->o_req_ndn.bv_val;
352                         stub.bv_len = op->o_req_ndn.bv_len - matched->e_nname.bv_len - 1;
353                         e = deref_base( op, rs, matched, &matched, ltid,
354                                 candidates, NULL );
355                         if ( e ) {
356                                 build_new_dn( &op->o_req_ndn, &e->e_nname, &stub,
357                                         op->o_tmpmemctx );
358                                 mdb_entry_return(op, e);
359                                 matched = NULL;
360                                 goto dn2entry_retry;
361                         }
362                 } else if ( e && is_entry_alias( e )) {
363                         e = deref_base( op, rs, e, &matched, ltid,
364                                 candidates, NULL );
365                 }
366         }
367
368         if ( e == NULL ) {
369                 struct berval matched_dn = BER_BVNULL;
370
371                 if ( matched != NULL ) {
372                         BerVarray erefs = NULL;
373
374                         /* return referral only if "disclose"
375                          * is granted on the object */
376                         if ( ! access_allowed( op, matched,
377                                                 slap_schema.si_ad_entry,
378                                                 NULL, ACL_DISCLOSE, NULL ) )
379                         {
380                                 rs->sr_err = LDAP_NO_SUCH_OBJECT;
381
382                         } else {
383                                 ber_dupbv( &matched_dn, &matched->e_name );
384
385                                 erefs = is_entry_referral( matched )
386                                         ? get_entry_referrals( op, matched )
387                                         : NULL;
388                                 if ( rs->sr_err == MDB_NOTFOUND )
389                                         rs->sr_err = LDAP_REFERRAL;
390                                 rs->sr_matched = matched_dn.bv_val;
391                         }
392
393                         mdb_entry_return(op, matched);
394                         matched = NULL;
395
396                         if ( erefs ) {
397                                 rs->sr_ref = referral_rewrite( erefs, &matched_dn,
398                                         &op->o_req_dn, op->oq_search.rs_scope );
399                                 ber_bvarray_free( erefs );
400                         }
401
402                 } else {
403                         rs->sr_ref = referral_rewrite( default_referral,
404                                 NULL, &op->o_req_dn, op->oq_search.rs_scope );
405                         rs->sr_err = rs->sr_ref != NULL ? LDAP_REFERRAL : LDAP_NO_SUCH_OBJECT;
406                 }
407
408                 send_ldap_result( op, rs );
409
410                 if ( rs->sr_ref ) {
411                         ber_bvarray_free( rs->sr_ref );
412                         rs->sr_ref = NULL;
413                 }
414                 if ( !BER_BVISNULL( &matched_dn ) ) {
415                         ber_memfree( matched_dn.bv_val );
416                         rs->sr_matched = NULL;
417                 }
418                 goto done;
419         }
420
421         /* NOTE: __NEW__ "search" access is required
422          * on searchBase object */
423         if ( ! access_allowed_mask( op, e, slap_schema.si_ad_entry,
424                                 NULL, ACL_SEARCH, NULL, &mask ) )
425         {
426                 if ( !ACL_GRANT( mask, ACL_DISCLOSE ) ) {
427                         rs->sr_err = LDAP_NO_SUCH_OBJECT;
428                 } else {
429                         rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
430                 }
431
432                 mdb_entry_return( op,e);
433                 send_ldap_result( op, rs );
434                 goto done;
435         }
436
437         if ( !manageDSAit && is_entry_referral( e ) ) {
438                 /* entry is a referral */
439                 struct berval matched_dn = BER_BVNULL;
440                 BerVarray erefs = NULL;
441                 
442                 ber_dupbv( &matched_dn, &e->e_name );
443                 erefs = get_entry_referrals( op, e );
444
445                 rs->sr_err = LDAP_REFERRAL;
446
447                 mdb_entry_return( op, e );
448                 e = NULL;
449
450                 if ( erefs ) {
451                         rs->sr_ref = referral_rewrite( erefs, &matched_dn,
452                                 &op->o_req_dn, op->oq_search.rs_scope );
453                         ber_bvarray_free( erefs );
454
455                         if ( !rs->sr_ref ) {
456                                 rs->sr_text = "bad_referral object";
457                         }
458                 }
459
460                 Debug( LDAP_DEBUG_TRACE,
461                         LDAP_XSTRING(mdb_search) ": entry is referral\n",
462                         0, 0, 0 );
463
464                 rs->sr_matched = matched_dn.bv_val;
465                 send_ldap_result( op, rs );
466
467                 ber_bvarray_free( rs->sr_ref );
468                 rs->sr_ref = NULL;
469                 ber_memfree( matched_dn.bv_val );
470                 rs->sr_matched = NULL;
471                 goto done;
472         }
473
474         if ( get_assert( op ) &&
475                 ( test_filter( op, e, get_assertion( op )) != LDAP_COMPARE_TRUE ))
476         {
477                 rs->sr_err = LDAP_ASSERTION_FAILED;
478                 mdb_entry_return( op,e);
479                 send_ldap_result( op, rs );
480                 goto done;
481         }
482
483         /* compute it anyway; root does not use it */
484         stoptime = op->o_time + op->ors_tlimit;
485
486         base = e;
487
488         e = NULL;
489
490         /* select candidates */
491         if ( op->oq_search.rs_scope == LDAP_SCOPE_BASE ) {
492                 rs->sr_err = base_candidate( op->o_bd, base, candidates );
493
494         } else {
495                 MDB_IDL_ZERO( candidates );
496                 scopes[0].mid = 1;
497                 scopes[1].mid = base->e_id;
498                 scopes[1].mval.mv_data = NULL;
499                 rs->sr_err = search_candidates( op, rs, base,
500                         ltid, mci, candidates, scopes );
501         }
502
503         /* start cursor at beginning of candidates.
504          */
505         cursor = 0;
506
507         if ( candidates[0] == 0 ) {
508                 Debug( LDAP_DEBUG_TRACE,
509                         LDAP_XSTRING(mdb_search) ": no candidates\n",
510                         0, 0, 0 );
511
512                 goto nochange;
513         }
514
515         /* if not root and candidates exceed to-be-checked entries, abort */
516         if ( op->ors_limit      /* isroot == FALSE */ &&
517                 op->ors_limit->lms_s_unchecked != -1 &&
518                 MDB_IDL_N(candidates) > (unsigned) op->ors_limit->lms_s_unchecked )
519         {
520                 rs->sr_err = LDAP_ADMINLIMIT_EXCEEDED;
521                 send_ldap_result( op, rs );
522                 rs->sr_err = LDAP_SUCCESS;
523                 goto done;
524         }
525
526         if ( op->ors_limit == NULL      /* isroot == TRUE */ ||
527                 !op->ors_limit->lms_s_pr_hide )
528         {
529                 tentries = MDB_IDL_N(candidates);
530         }
531
532         if ( get_pagedresults( op ) > SLAP_CONTROL_IGNORED ) {
533                 PagedResultsState *ps = op->o_pagedresults_state;
534                 /* deferred cookie parsing */
535                 rs->sr_err = parse_paged_cookie( op, rs );
536                 if ( rs->sr_err != LDAP_SUCCESS ) {
537                         send_ldap_result( op, rs );
538                         goto done;
539                 }
540
541                 cursor = (ID) ps->ps_cookie;
542                 if ( cursor && ps->ps_size == 0 ) {
543                         rs->sr_err = LDAP_SUCCESS;
544                         rs->sr_text = "search abandoned by pagedResult size=0";
545                         send_ldap_result( op, rs );
546                         goto done;
547                 }
548                 id = mdb_idl_first( candidates, &cursor );
549                 if ( id == NOID ) {
550                         Debug( LDAP_DEBUG_TRACE, 
551                                 LDAP_XSTRING(mdb_search)
552                                 ": no paged results candidates\n",
553                                 0, 0, 0 );
554                         send_paged_response( op, rs, &lastid, 0 );
555
556                         rs->sr_err = LDAP_OTHER;
557                         goto done;
558                 }
559                 if ( id == (ID)ps->ps_cookie )
560                         id = mdb_idl_next( candidates, &cursor );
561                 goto loop_begin;
562         }
563
564         for ( id = mdb_idl_first( candidates, &cursor );
565                   id != NOID ; id = mdb_idl_next( candidates, &cursor ) )
566         {
567                 int scopeok;
568
569 loop_begin:
570
571                 /* check for abandon */
572                 if ( op->o_abandon ) {
573                         rs->sr_err = SLAPD_ABANDON;
574                         send_ldap_result( op, rs );
575                         goto done;
576                 }
577
578                 /* mostly needed by internal searches,
579                  * e.g. related to syncrepl, for whom
580                  * abandon does not get set... */
581                 if ( slapd_shutdown ) {
582                         rs->sr_err = LDAP_UNAVAILABLE;
583                         send_ldap_disconnect( op, rs );
584                         goto done;
585                 }
586
587                 /* check time limit */
588                 if ( op->ors_tlimit != SLAP_NO_LIMIT
589                                 && slap_get_time() > stoptime )
590                 {
591                         rs->sr_err = LDAP_TIMELIMIT_EXCEEDED;
592                         rs->sr_ref = rs->sr_v2ref;
593                         send_ldap_result( op, rs );
594                         rs->sr_err = LDAP_SUCCESS;
595                         goto done;
596                 }
597
598                 if ( id == base->e_id ) {
599                         e = base;
600                 } else {
601
602                         /* get the entry */
603                         rs->sr_err = mdb_id2entry( op, mci, id, &e );
604
605                         if (rs->sr_err == LDAP_BUSY) {
606                                 rs->sr_text = "ldap server busy";
607                                 send_ldap_result( op, rs );
608                                 goto done;
609
610                         } else if ( rs->sr_err == LDAP_OTHER ) {
611                                 rs->sr_text = "internal error";
612                                 send_ldap_result( op, rs );
613                                 goto done;
614                         }
615
616                         if ( e == NULL ) {
617                                 if( !MDB_IDL_IS_RANGE(candidates) ) {
618                                         /* only complain for non-range IDLs */
619                                         Debug( LDAP_DEBUG_TRACE,
620                                                 LDAP_XSTRING(mdb_search)
621                                                 ": candidate %ld not found\n",
622                                                 (long) id, 0, 0 );
623                                 } else {
624                                         /* get the next ID from the DB */
625                                         rs->sr_err = mdb_get_nextid( mci, &cursor );
626                                         if ( rs->sr_err == MDB_NOTFOUND ) {
627                                                 break;
628                                         }
629                                         if ( rs->sr_err ) {
630                                                 rs->sr_err = LDAP_OTHER;
631                                                 rs->sr_text = "internal error in get_nextid";
632                                                 send_ldap_result( op, rs );
633                                                 goto done;
634                                         }
635                                         cursor--;
636                                 }
637
638                                 goto loop_continue;
639                         }
640                 }
641
642                 if ( is_entry_subentry( e ) ) {
643                         if( op->oq_search.rs_scope != LDAP_SCOPE_BASE ) {
644                                 if(!get_subentries_visibility( op )) {
645                                         /* only subentries are visible */
646                                         goto loop_continue;
647                                 }
648
649                         } else if ( get_subentries( op ) &&
650                                 !get_subentries_visibility( op ))
651                         {
652                                 /* only subentries are visible */
653                                 goto loop_continue;
654                         }
655
656                 } else if ( get_subentries_visibility( op )) {
657                         /* only subentries are visible */
658                         goto loop_continue;
659                 }
660
661                 /* Does this candidate actually satisfy the search scope?
662                  */
663                 scopeok = 0;
664                 isc.numrdns = 0;
665                 switch( op->ors_scope ) {
666                 case LDAP_SCOPE_BASE:
667                         /* This is always true, yes? */
668                         if ( id == base->e_id ) scopeok = 1;
669                         break;
670
671 #ifdef LDAP_SCOPE_CHILDREN
672                 case LDAP_SCOPE_CHILDREN:
673                         if ( id == base->e_id ) break;
674                         /* Fall-thru */
675 #endif
676                 case LDAP_SCOPE_SUBTREE:
677                         if ( id == base->e_id ) {
678                                 scopeok = 1;
679                                 break;
680                         }
681                         /* Fall-thru */
682                 case LDAP_SCOPE_ONELEVEL:
683                         isc.id = id;
684                         if ( mdb_idscopes( op, &isc ) == MDB_SUCCESS ) scopeok = 1;
685                         break;
686                 }
687
688                 /* aliases were already dereferenced in candidate list */
689                 if ( op->ors_deref & LDAP_DEREF_SEARCHING ) {
690                         /* but if the search base is an alias, and we didn't
691                          * deref it when finding, return it.
692                          */
693                         if ( is_entry_alias(e) &&
694                                 ((op->ors_deref & LDAP_DEREF_FINDING) ||
695                                         !bvmatch(&e->e_nname, &op->o_req_ndn)))
696                         {
697                                 goto loop_continue;
698                         }
699                 }
700
701                 /* Not in scope, ignore it */
702                 if ( !scopeok )
703                 {
704                         Debug( LDAP_DEBUG_TRACE,
705                                 LDAP_XSTRING(mdb_search)
706                                 ": %ld scope not okay\n",
707                                 (long) id, 0, 0 );
708                         goto loop_continue;
709                 }
710
711                 if ( !manageDSAit && is_entry_glue( e )) {
712                         goto loop_continue;
713                 }
714
715                 if (e != base) {
716                         struct berval pdn, pndn;
717                         char *d, *n;
718                         int i;
719                         /* child of base, just append RDNs to base->e_name */
720                         if ( isc.nscope == 1 ) {
721                                 pdn = base->e_name;
722                                 pndn = base->e_nname;
723                         } else {
724                                 mdb_id2name( op, ltid, &isc.mc, scopes[isc.nscope].mid, &pdn, &pndn );
725                         }
726                         e->e_name.bv_len = pdn.bv_len;
727                         e->e_nname.bv_len = pndn.bv_len;
728                         for (i=0; i<isc.numrdns; i++) {
729                                 e->e_name.bv_len += isc.rdns[i].bv_len + 1;
730                                 e->e_nname.bv_len += isc.nrdns[i].bv_len + 1;
731                         }
732                         e->e_name.bv_val = op->o_tmpalloc(e->e_name.bv_len + 1, op->o_tmpmemctx);
733                         e->e_nname.bv_val = op->o_tmpalloc(e->e_nname.bv_len + 1, op->o_tmpmemctx);
734                         d = e->e_name.bv_val;
735                         n = e->e_nname.bv_val;
736                         for (i=0; i<isc.numrdns; i++) {
737                                 memcpy(d, isc.rdns[i].bv_val, isc.rdns[i].bv_len);
738                                 d += isc.rdns[i].bv_len;
739                                 *d++ = ',';
740                                 memcpy(n, isc.nrdns[i].bv_val, isc.nrdns[i].bv_len);
741                                 n += isc.nrdns[i].bv_len;
742                                 *n++ = ',';
743                         }
744                         if (pdn.bv_len) {
745                                 memcpy(d, pdn.bv_val, pdn.bv_len+1);
746                                 memcpy(n, pndn.bv_val, pndn.bv_len+1);
747                         } else {
748                                 *--d = '\0';
749                                 *--n = '\0';
750                                 e->e_name.bv_len--;
751                                 e->e_nname.bv_len--;
752                         }
753                         if (isc.nscope != 1) {
754                                 op->o_tmpfree(pndn.bv_val, op->o_tmpmemctx);
755                                 op->o_tmpfree(pdn.bv_val, op->o_tmpmemctx);
756                         }
757                 }
758
759                 /*
760                  * if it's a referral, add it to the list of referrals. only do
761                  * this for non-base searches, and don't check the filter
762                  * explicitly here since it's only a candidate anyway.
763                  */
764                 if ( !manageDSAit && op->oq_search.rs_scope != LDAP_SCOPE_BASE
765                         && is_entry_referral( e ) )
766                 {
767                         BerVarray erefs = get_entry_referrals( op, e );
768                         rs->sr_ref = referral_rewrite( erefs, &e->e_name, NULL,
769                                 op->oq_search.rs_scope == LDAP_SCOPE_ONELEVEL
770                                         ? LDAP_SCOPE_BASE : LDAP_SCOPE_SUBTREE );
771
772                         rs->sr_entry = e;
773                         rs->sr_flags = 0;
774
775                         send_search_reference( op, rs );
776
777                         mdb_entry_return( op, e );
778                         rs->sr_entry = NULL;
779                         e = NULL;
780
781                         ber_bvarray_free( rs->sr_ref );
782                         ber_bvarray_free( erefs );
783                         rs->sr_ref = NULL;
784
785                         goto loop_continue;
786                 }
787
788                 /* if it matches the filter and scope, send it */
789                 rs->sr_err = test_filter( op, e, op->oq_search.rs_filter );
790
791                 if ( rs->sr_err == LDAP_COMPARE_TRUE ) {
792                         /* check size limit */
793                         if ( get_pagedresults(op) > SLAP_CONTROL_IGNORED ) {
794                                 if ( rs->sr_nentries >= ((PagedResultsState *)op->o_pagedresults_state)->ps_size ) {
795                                         mdb_entry_return( op, e );
796                                         e = NULL;
797                                         send_paged_response( op, rs, &lastid, tentries );
798                                         goto done;
799                                 }
800                                 lastid = id;
801                         }
802
803                         if (e) {
804                                 /* safe default */
805                                 rs->sr_attrs = op->oq_search.rs_attrs;
806                                 rs->sr_operational_attrs = NULL;
807                                 rs->sr_ctrls = NULL;
808                                 rs->sr_entry = e;
809                                 RS_ASSERT( e->e_private != NULL );
810                                 rs->sr_flags = 0;
811                                 rs->sr_err = LDAP_SUCCESS;
812                                 rs->sr_err = send_search_entry( op, rs );
813                                 rs->sr_attrs = NULL;
814                                 rs->sr_entry = NULL;
815                                 if (e != base)
816                                         mdb_entry_return( op, e );
817                                 e = NULL;
818
819                                 switch ( rs->sr_err ) {
820                                 case LDAP_SUCCESS:      /* entry sent ok */
821                                         break;
822                                 default:                /* entry not sent */
823                                         break;
824                                 case LDAP_UNAVAILABLE:
825                                 case LDAP_SIZELIMIT_EXCEEDED:
826                                         if ( rs->sr_err == LDAP_SIZELIMIT_EXCEEDED ) {
827                                                 rs->sr_ref = rs->sr_v2ref;
828                                                 send_ldap_result( op, rs );
829                                                 rs->sr_err = LDAP_SUCCESS;
830
831                                         } else {
832                                                 rs->sr_err = LDAP_OTHER;
833                                         }
834                                         goto done;
835                                 }
836                         }
837
838                 } else {
839                         Debug( LDAP_DEBUG_TRACE,
840                                 LDAP_XSTRING(mdb_search)
841                                 ": %ld does not match filter\n",
842                                 (long) id, 0, 0 );
843                 }
844
845 loop_continue:
846                 if( e != NULL ) {
847                         if ( e != base )
848                                 mdb_entry_return( op, e );
849                         RS_ASSERT( rs->sr_entry == NULL );
850                         e = NULL;
851                         rs->sr_entry = NULL;
852                 }
853         }
854
855 nochange:
856         rs->sr_ctrls = NULL;
857         rs->sr_ref = rs->sr_v2ref;
858         rs->sr_err = (rs->sr_v2ref == NULL) ? LDAP_SUCCESS : LDAP_REFERRAL;
859         rs->sr_rspoid = NULL;
860         if ( get_pagedresults(op) > SLAP_CONTROL_IGNORED ) {
861                 send_paged_response( op, rs, NULL, 0 );
862         } else {
863                 send_ldap_result( op, rs );
864         }
865
866         rs->sr_err = LDAP_SUCCESS;
867
868 done:
869         if( isc.mc )
870                 mdb_cursor_close( isc.mc );
871         if (mci)
872                 mdb_cursor_close( mci );
873         if ( moi == &opinfo ) {
874                 mdb_txn_reset( moi->moi_txn );
875                 LDAP_SLIST_REMOVE( &op->o_extra, &moi->moi_oe, OpExtra, oe_next );
876         }
877         if( rs->sr_v2ref ) {
878                 ber_bvarray_free( rs->sr_v2ref );
879                 rs->sr_v2ref = NULL;
880         }
881         if (base)
882                 mdb_entry_return( op,base);
883
884         return rs->sr_err;
885 }
886
887
888 static int base_candidate(
889         BackendDB       *be,
890         Entry   *e,
891         ID              *ids )
892 {
893         Debug(LDAP_DEBUG_ARGS, "base_candidates: base: \"%s\" (0x%08lx)\n",
894                 e->e_nname.bv_val, (long) e->e_id, 0);
895
896         ids[0] = 1;
897         ids[1] = e->e_id;
898         return 0;
899 }
900
901 /* Look for "objectClass Present" in this filter.
902  * Also count depth of filter tree while we're at it.
903  */
904 static int oc_filter(
905         Filter *f,
906         int cur,
907         int *max )
908 {
909         int rc = 0;
910
911         assert( f != NULL );
912
913         if( cur > *max ) *max = cur;
914
915         switch( f->f_choice ) {
916         case LDAP_FILTER_PRESENT:
917                 if (f->f_desc == slap_schema.si_ad_objectClass) {
918                         rc = 1;
919                 }
920                 break;
921
922         case LDAP_FILTER_AND:
923         case LDAP_FILTER_OR:
924                 cur++;
925                 for ( f=f->f_and; f; f=f->f_next ) {
926                         (void) oc_filter(f, cur, max);
927                 }
928                 break;
929
930         default:
931                 break;
932         }
933         return rc;
934 }
935
936 static void search_stack_free( void *key, void *data )
937 {
938         ber_memfree_x(data, NULL);
939 }
940
941 static void *search_stack( Operation *op )
942 {
943         struct mdb_info *mdb = (struct mdb_info *) op->o_bd->be_private;
944         void *ret = NULL;
945
946         if ( op->o_threadctx ) {
947                 ldap_pvt_thread_pool_getkey( op->o_threadctx, (void *)search_stack,
948                         &ret, NULL );
949         } else {
950                 ret = mdb->mi_search_stack;
951         }
952
953         if ( !ret ) {
954                 ret = ch_malloc( mdb->mi_search_stack_depth * MDB_IDL_UM_SIZE
955                         * sizeof( ID ) );
956                 if ( op->o_threadctx ) {
957                         ldap_pvt_thread_pool_setkey( op->o_threadctx, (void *)search_stack,
958                                 ret, search_stack_free, NULL, NULL );
959                 } else {
960                         mdb->mi_search_stack = ret;
961                 }
962         }
963         return ret;
964 }
965
966 static int search_candidates(
967         Operation *op,
968         SlapReply *rs,
969         Entry *e,
970         MDB_txn *txn,
971         MDB_cursor *mci,
972         ID      *ids,
973         ID2L    scopes )
974 {
975         struct mdb_info *mdb = (struct mdb_info *) op->o_bd->be_private;
976         int rc, depth = 1;
977         Filter          *f, rf, xf, nf, sf;
978         ID              *stack;
979         AttributeAssertion aa_ref = ATTRIBUTEASSERTION_INIT;
980         AttributeAssertion aa_subentry = ATTRIBUTEASSERTION_INIT;
981
982         /*
983          * This routine takes as input a filter (user-filter)
984          * and rewrites it as follows:
985          *      (&(scope=DN)[(objectClass=subentry)]
986          *              (|[(objectClass=referral)](user-filter))
987          */
988
989         Debug(LDAP_DEBUG_TRACE,
990                 "search_candidates: base=\"%s\" (0x%08lx) scope=%d\n",
991                 e->e_nname.bv_val, (long) e->e_id, op->oq_search.rs_scope );
992
993         f = op->oq_search.rs_filter;
994
995         /* If the user's filter uses objectClass=*,
996          * these clauses are redundant.
997          */
998         if (!oc_filter(op->oq_search.rs_filter, 1, &depth)
999                 && !get_subentries_visibility(op)) {
1000                 if( !get_manageDSAit(op) && !get_domainScope(op) ) {
1001                         /* match referral objects */
1002                         struct berval bv_ref = BER_BVC( "referral" );
1003                         rf.f_choice = LDAP_FILTER_EQUALITY;
1004                         rf.f_ava = &aa_ref;
1005                         rf.f_av_desc = slap_schema.si_ad_objectClass;
1006                         rf.f_av_value = bv_ref;
1007                         rf.f_next = f;
1008                         xf.f_or = &rf;
1009                         xf.f_choice = LDAP_FILTER_OR;
1010                         xf.f_next = NULL;
1011                         f = &xf;
1012                         depth++;
1013                 }
1014         }
1015
1016         if( get_subentries_visibility( op ) ) {
1017                 struct berval bv_subentry = BER_BVC( "subentry" );
1018                 sf.f_choice = LDAP_FILTER_EQUALITY;
1019                 sf.f_ava = &aa_subentry;
1020                 sf.f_av_desc = slap_schema.si_ad_objectClass;
1021                 sf.f_av_value = bv_subentry;
1022                 sf.f_next = f;
1023                 nf.f_choice = LDAP_FILTER_AND;
1024                 nf.f_and = &sf;
1025                 nf.f_next = NULL;
1026                 f = &nf;
1027                 depth++;
1028         }
1029
1030         /* Allocate IDL stack, plus 1 more for former tmp */
1031         if ( depth+1 > mdb->mi_search_stack_depth ) {
1032                 stack = ch_malloc( (depth + 1) * MDB_IDL_UM_SIZE * sizeof( ID ) );
1033         } else {
1034                 stack = search_stack( op );
1035         }
1036
1037         if( op->ors_deref & LDAP_DEREF_SEARCHING ) {
1038                 rc = search_aliases( op, rs, e, txn, mci, scopes, stack );
1039         } else {
1040                 rc = LDAP_SUCCESS;
1041         }
1042
1043         if ( rc == LDAP_SUCCESS ) {
1044                 rc = mdb_filter_candidates( op, txn, f, ids,
1045                         stack, stack+MDB_IDL_UM_SIZE );
1046         }
1047
1048         if ( depth+1 > mdb->mi_search_stack_depth ) {
1049                 ch_free( stack );
1050         }
1051
1052         if( rc ) {
1053                 Debug(LDAP_DEBUG_TRACE,
1054                         "mdb_search_candidates: failed (rc=%d)\n",
1055                         rc, NULL, NULL );
1056
1057         } else {
1058                 Debug(LDAP_DEBUG_TRACE,
1059                         "mdb_search_candidates: id=%ld first=%ld last=%ld\n",
1060                         (long) ids[0],
1061                         (long) MDB_IDL_FIRST(ids),
1062                         (long) MDB_IDL_LAST(ids) );
1063         }
1064
1065         return rc;
1066 }
1067
1068 static int
1069 parse_paged_cookie( Operation *op, SlapReply *rs )
1070 {
1071         int             rc = LDAP_SUCCESS;
1072         PagedResultsState *ps = op->o_pagedresults_state;
1073
1074         /* this function must be invoked only if the pagedResults
1075          * control has been detected, parsed and partially checked
1076          * by the frontend */
1077         assert( get_pagedresults( op ) > SLAP_CONTROL_IGNORED );
1078
1079         /* cookie decoding/checks deferred to backend... */
1080         if ( ps->ps_cookieval.bv_len ) {
1081                 PagedResultsCookie reqcookie;
1082                 if( ps->ps_cookieval.bv_len != sizeof( reqcookie ) ) {
1083                         /* bad cookie */
1084                         rs->sr_text = "paged results cookie is invalid";
1085                         rc = LDAP_PROTOCOL_ERROR;
1086                         goto done;
1087                 }
1088
1089                 AC_MEMCPY( &reqcookie, ps->ps_cookieval.bv_val, sizeof( reqcookie ));
1090
1091                 if ( reqcookie > ps->ps_cookie ) {
1092                         /* bad cookie */
1093                         rs->sr_text = "paged results cookie is invalid";
1094                         rc = LDAP_PROTOCOL_ERROR;
1095                         goto done;
1096
1097                 } else if ( reqcookie < ps->ps_cookie ) {
1098                         rs->sr_text = "paged results cookie is invalid or old";
1099                         rc = LDAP_UNWILLING_TO_PERFORM;
1100                         goto done;
1101                 }
1102
1103         } else {
1104                 /* we're going to use ps_cookie */
1105                 op->o_conn->c_pagedresults_state.ps_cookie = 0;
1106         }
1107
1108 done:;
1109
1110         return rc;
1111 }
1112
1113 static void
1114 send_paged_response( 
1115         Operation       *op,
1116         SlapReply       *rs,
1117         ID              *lastid,
1118         int             tentries )
1119 {
1120         LDAPControl     *ctrls[2];
1121         BerElementBuffer berbuf;
1122         BerElement      *ber = (BerElement *)&berbuf;
1123         PagedResultsCookie respcookie;
1124         struct berval cookie;
1125
1126         Debug(LDAP_DEBUG_ARGS,
1127                 "send_paged_response: lastid=0x%08lx nentries=%d\n", 
1128                 lastid ? *lastid : 0, rs->sr_nentries, NULL );
1129
1130         ctrls[1] = NULL;
1131
1132         ber_init2( ber, NULL, LBER_USE_DER );
1133
1134         if ( lastid ) {
1135                 respcookie = ( PagedResultsCookie )(*lastid);
1136                 cookie.bv_len = sizeof( respcookie );
1137                 cookie.bv_val = (char *)&respcookie;
1138
1139         } else {
1140                 respcookie = ( PagedResultsCookie )0;
1141                 BER_BVSTR( &cookie, "" );
1142         }
1143
1144         op->o_conn->c_pagedresults_state.ps_cookie = respcookie;
1145         op->o_conn->c_pagedresults_state.ps_count =
1146                 ((PagedResultsState *)op->o_pagedresults_state)->ps_count +
1147                 rs->sr_nentries;
1148
1149         /* return size of 0 -- no estimate */
1150         ber_printf( ber, "{iO}", 0, &cookie ); 
1151
1152         ctrls[0] = op->o_tmpalloc( sizeof(LDAPControl), op->o_tmpmemctx );
1153         if ( ber_flatten2( ber, &ctrls[0]->ldctl_value, 0 ) == -1 ) {
1154                 goto done;
1155         }
1156
1157         ctrls[0]->ldctl_oid = LDAP_CONTROL_PAGEDRESULTS;
1158         ctrls[0]->ldctl_iscritical = 0;
1159
1160         slap_add_ctrls( op, rs, ctrls );
1161         rs->sr_err = LDAP_SUCCESS;
1162         send_ldap_result( op, rs );
1163
1164 done:
1165         (void) ber_free_buf( ber );
1166 }