2 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
4 * Copyright 1999-2007 The OpenLDAP Foundation.
5 * Portions Copyright 2001-2003 Pierangelo Masarati.
6 * Portions Copyright 1999-2003 Howard Chu.
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted only as authorized by the OpenLDAP
13 * A copy of this license is available in the file LICENSE in the
14 * top-level directory of the distribution or, alternatively, at
15 * <http://www.OpenLDAP.org/license.html>.
18 * This work was initially developed by the Howard Chu for inclusion
19 * in OpenLDAP Software and subsequently enhanced by Pierangelo
24 #error "include servers/slapd/back-ldap/back-ldap.h before this file!"
25 #endif /* SLAPD_LDAP_H */
30 #include "proto-meta.h"
32 /* String rewrite library */
37 * Set META_BACK_PRINT_CONNTREE larger than 0 to dump the connection tree (debug only)
39 #ifndef META_BACK_PRINT_CONNTREE
40 #define META_BACK_PRINT_CONNTREE 0
41 #endif /* !META_BACK_PRINT_CONNTREE */
46 /* from back-ldap.h before rwm removal */
64 struct rewrite_info *rwm_rw;
65 #else /* !ENABLE_REWRITE */
66 /* some time the suffix massaging without librewrite
68 BerVarray rwm_suffix_massage;
69 #endif /* !ENABLE_REWRITE */
72 * Attribute/objectClass mapping
74 struct ldapmap rwm_oc;
75 struct ldapmap rwm_at;
78 /* Whatever context ldap_back_dn_massage needs... */
79 typedef struct dncookie {
80 struct metatarget_t *target;
92 int ldap_back_dn_massage(dncookie *dc, struct berval *dn,
95 extern int ldap_back_conn_cmp( const void *c1, const void *c2);
96 extern int ldap_back_conn_dup( void *c1, void *c2 );
97 extern void ldap_back_conn_free( void *c );
99 /* attributeType/objectClass mapping */
100 int mapping_cmp (const void *, const void *);
101 int mapping_dup (void *, void *);
103 void ldap_back_map_init ( struct ldapmap *lm, struct ldapmapping ** );
104 int ldap_back_mapping ( struct ldapmap *map, struct berval *s,
105 struct ldapmapping **m, int remap );
106 void ldap_back_map ( struct ldapmap *map, struct berval *s, struct berval *m,
108 #define BACKLDAP_MAP 0
109 #define BACKLDAP_REMAP 1
111 ldap_back_map_filter(
112 struct ldapmap *at_map,
113 struct ldapmap *oc_map,
119 struct ldapmap *at_map,
122 char ***mapped_attrs );
124 extern int ldap_back_map_config(
125 struct ldapmap *oc_map,
126 struct ldapmap *at_map,
133 ldap_back_filter_map_rewrite(
139 /* suffix massaging by means of librewrite */
140 #ifdef ENABLE_REWRITE
142 suffix_massage_config( struct rewrite_info *info,
146 struct berval *nrnc );
147 #endif /* ENABLE_REWRITE */
149 ldap_back_referral_result_rewrite(
157 ldap_dnattr_result_rewrite(
161 /* (end of) from back-ldap.h before rwm removal */
164 * A metasingleconn_t can be in the following, mutually exclusive states:
167 * - creating META_BACK_FCONN_CREATING
168 * - initialized META_BACK_FCONN_INITED
169 * - binding LDAP_BACK_FCONN_BINDING
170 * - bound/anonymous LDAP_BACK_FCONN_ISBOUND/LDAP_BACK_FCONN_ISANON
172 * possible modifiers are:
174 * - privileged LDAP_BACK_FCONN_ISPRIV
175 * - privileged, TLS LDAP_BACK_FCONN_ISTLS
176 * - subjected to idassert LDAP_BACK_FCONN_ISIDASR
177 * - tainted LDAP_BACK_FCONN_TAINTED
180 #define META_BACK_FCONN_INITED (0x00100000U)
181 #define META_BACK_FCONN_CREATING (0x00200000U)
183 #define META_BACK_CONN_INITED(lc) LDAP_BACK_CONN_ISSET((lc), META_BACK_FCONN_INITED)
184 #define META_BACK_CONN_INITED_SET(lc) LDAP_BACK_CONN_SET((lc), META_BACK_FCONN_INITED)
185 #define META_BACK_CONN_INITED_CLEAR(lc) LDAP_BACK_CONN_CLEAR((lc), META_BACK_FCONN_INITED)
186 #define META_BACK_CONN_INITED_CPY(lc, mlc) LDAP_BACK_CONN_CPY((lc), META_BACK_FCONN_INITED, (mlc))
187 #define META_BACK_CONN_CREATING(lc) LDAP_BACK_CONN_ISSET((lc), META_BACK_FCONN_CREATING)
188 #define META_BACK_CONN_CREATING_SET(lc) LDAP_BACK_CONN_SET((lc), META_BACK_FCONN_CREATING)
189 #define META_BACK_CONN_CREATING_CLEAR(lc) LDAP_BACK_CONN_CLEAR((lc), META_BACK_FCONN_CREATING)
190 #define META_BACK_CONN_CREATING_CPY(lc, mlc) LDAP_BACK_CONN_CPY((lc), META_BACK_FCONN_CREATING, (mlc))
194 #define META_NOT_CANDIDATE ((ber_tag_t)0x0)
195 #define META_CANDIDATE ((ber_tag_t)0x1)
196 #define META_BINDING ((ber_tag_t)0x2)
197 #define META_RETRYING ((ber_tag_t)0x4)
199 typedef struct metasingleconn_t {
200 #define META_CND_ISSET(rs,f) ( ( (rs)->sr_tag & (f) ) == (f) )
201 #define META_CND_SET(rs,f) ( (rs)->sr_tag |= (f) )
202 #define META_CND_CLEAR(rs,f) ( (rs)->sr_tag &= ~(f) )
204 #define META_CANDIDATE_RESET(rs) ( (rs)->sr_tag = 0 )
205 #define META_IS_CANDIDATE(rs) META_CND_ISSET( (rs), META_CANDIDATE )
206 #define META_CANDIDATE_SET(rs) META_CND_SET( (rs), META_CANDIDATE )
207 #define META_CANDIDATE_CLEAR(rs) META_CND_CLEAR( (rs), META_CANDIDATE )
208 #define META_IS_BINDING(rs) META_CND_ISSET( (rs), META_BINDING )
209 #define META_BINDING_SET(rs) META_CND_SET( (rs), META_BINDING )
210 #define META_BINDING_CLEAR(rs) META_CND_CLEAR( (rs), META_BINDING )
211 #define META_IS_RETRYING(rs) META_CND_ISSET( (rs), META_RETRYING )
212 #define META_RETRYING_SET(rs) META_CND_SET( (rs), META_RETRYING )
213 #define META_RETRYING_CLEAR(rs) META_CND_CLEAR( (rs), META_RETRYING )
217 struct berval msc_bound_ndn;
218 struct berval msc_cred;
219 unsigned msc_mscflags;
220 /* NOTE: lc_lcflags is redefined to msc_mscflags to reuse the macros
221 * defined for back-ldap */
222 #define lc_lcflags msc_mscflags
225 typedef struct metaconn_t {
226 struct slap_conn *mc_conn;
227 #define lc_conn mc_conn
230 time_t mc_create_time;
233 struct berval mc_local_ndn;
234 /* NOTE: msc_mscflags is used to recycle the #define
235 * in metasingleconn_t */
236 unsigned msc_mscflags;
239 * means that the connection is bound;
240 * of course only one target actually is ...
243 #define META_BOUND_NONE (-1)
244 #define META_BOUND_ALL (-2)
246 struct metainfo_t *mc_info;
248 LDAP_TAILQ_ENTRY(metaconn_t) mc_q;
250 /* supersedes the connection stuff */
251 metasingleconn_t mc_conns[ 1 ];
252 /* NOTE: mc_conns must be last, because
253 * the required number of conns is malloc'ed
254 * in one block with the metaconn_t structure */
257 typedef struct metatarget_t {
259 ldap_pvt_thread_mutex_t mt_uri_mutex;
261 /* TODO: we might want to enable different strategies
262 * for different targets */
263 LDAP_REBIND_PROC *mt_rebind_f;
264 LDAP_URLLIST_PROC *mt_urllist_f;
267 BerVarray mt_subtree_exclude;
270 struct berval mt_psuffix; /* pretty suffix */
271 struct berval mt_nsuffix; /* normalized suffix */
273 struct berval mt_binddn;
274 struct berval mt_bindpw;
276 slap_idassert_t mt_idassert;
277 #define mt_idassert_mode mt_idassert.si_mode
278 #define mt_idassert_authcID mt_idassert.si_bc.sb_authcId
279 #define mt_idassert_authcDN mt_idassert.si_bc.sb_binddn
280 #define mt_idassert_passwd mt_idassert.si_bc.sb_cred
281 #define mt_idassert_authzID mt_idassert.si_bc.sb_authzId
282 #define mt_idassert_authmethod mt_idassert.si_bc.sb_method
283 #define mt_idassert_sasl_mech mt_idassert.si_bc.sb_saslmech
284 #define mt_idassert_sasl_realm mt_idassert.si_bc.sb_realm
285 #define mt_idassert_secprops mt_idassert.si_bc.sb_secprops
286 #define mt_idassert_tls mt_idassert.si_bc.sb_tls
287 #define mt_idassert_flags mt_idassert.si_flags
288 #define mt_idassert_authz mt_idassert.si_authz
291 #define META_RETRY_UNDEFINED (-2)
292 #define META_RETRY_FOREVER (-1)
293 #define META_RETRY_NEVER (0)
294 #define META_RETRY_DEFAULT (10)
296 struct ldaprwmap mt_rwmap;
298 sig_atomic_t mt_isquarantined;
299 slap_retry_info_t mt_quarantine;
300 ldap_pvt_thread_mutex_t mt_quarantine_mutex;
303 #define META_BACK_TGT_ISSET(mt,f) ( ( (mt)->mt_flags & (f) ) == (f) )
304 #define META_BACK_TGT_ISMASK(mt,m,f) ( ( (mt)->mt_flags & (m) ) == (f) )
306 #define META_BACK_TGT_T_F(mt) META_BACK_TGT_ISMASK( (mt), LDAP_BACK_F_T_F_MASK, LDAP_BACK_F_T_F )
307 #define META_BACK_TGT_T_F_DISCOVER(mt) META_BACK_TGT_ISMASK( (mt), LDAP_BACK_F_T_F_MASK2, LDAP_BACK_F_T_F_DISCOVER )
309 #define META_BACK_TGT_ABANDON(mt) META_BACK_TGT_ISMASK( (mt), LDAP_BACK_F_CANCEL_MASK, LDAP_BACK_F_CANCEL_ABANDON )
310 #define META_BACK_TGT_IGNORE(mt) META_BACK_TGT_ISMASK( (mt), LDAP_BACK_F_CANCEL_MASK, LDAP_BACK_F_CANCEL_IGNORE )
311 #define META_BACK_TGT_CANCEL(mt) META_BACK_TGT_ISMASK( (mt), LDAP_BACK_F_CANCEL_MASK, LDAP_BACK_F_CANCEL_EXOP )
312 #define META_BACK_TGT_CANCEL_DISCOVER(mt) META_BACK_TGT_ISMASK( (mt), LDAP_BACK_F_CANCEL_MASK2, LDAP_BACK_F_CANCEL_EXOP_DISCOVER )
313 #define META_BACK_TGT_QUARANTINE(mt) META_BACK_TGT_ISSET( (mt), LDAP_BACK_F_QUARANTINE )
316 time_t mt_network_timeout;
317 struct timeval mt_bind_timeout;
318 #define META_BIND_TIMEOUT LDAP_BACK_RESULT_UTIMEOUT
319 time_t mt_timeout[ SLAP_OP_LAST ];
322 typedef struct metadncache_t {
323 ldap_pvt_thread_mutex_t mutex;
326 #define META_DNCACHE_DISABLED (0)
327 #define META_DNCACHE_FOREVER ((time_t)(-1))
328 time_t ttl; /* seconds; 0: no cache, -1: no expiry */
331 typedef struct metacandidates_t {
333 SlapReply *mc_candidates;
337 * Hook to allow mucking with metainfo_t/metatarget_t when quarantine is over
339 typedef int (*meta_back_quarantine_f)( struct metainfo_t *, int target, void * );
341 typedef struct metainfo_t {
343 int mi_defaulttarget;
344 #define META_DEFAULT_TARGET_NONE (-1)
347 metatarget_t **mi_targets;
348 metacandidates_t *mi_candidates;
350 LDAP_REBIND_PROC *mi_rebind_f;
351 LDAP_URLLIST_PROC *mi_urllist_f;
353 metadncache_t mi_cache;
355 /* cached connections;
356 * special conns are in tailq rather than in tree */
357 ldap_avl_info_t mi_conninfo;
360 LDAP_TAILQ_HEAD(mc_conn_priv_q, metaconn_t) mic_priv;
361 } mi_conn_priv[ LDAP_BACK_PCONN_LAST ];
362 int mi_conn_priv_max;
364 /* NOTE: quarantine uses the connection mutex */
365 slap_retry_info_t mi_quarantine;
366 meta_back_quarantine_f mi_quarantine_f;
367 void *mi_quarantine_p;
370 #define li_flags mi_flags
371 /* uses flags as defined in <back-ldap/back-ldap.h> */
372 #define META_BACK_F_ONERR_STOP (0x00100000U)
373 #define META_BACK_F_ONERR_REPORT (0x00200000U)
374 #define META_BACK_F_ONERR_MASK (META_BACK_F_ONERR_STOP|META_BACK_F_ONERR_REPORT)
375 #define META_BACK_F_DEFER_ROOTDN_BIND (0x00400000U)
376 #define META_BACK_F_PROXYAUTHZ_ALWAYS (0x00800000U) /* users always proxyauthz */
377 #define META_BACK_F_PROXYAUTHZ_ANON (0x01000000U) /* anonymous always proxyauthz */
378 #define META_BACK_F_PROXYAUTHZ_NOANON (0x02000000U) /* anonymous remains anonymous */
380 #define META_BACK_ONERR_STOP(mi) LDAP_BACK_ISSET( (mi), META_BACK_F_ONERR_STOP )
381 #define META_BACK_ONERR_REPORT(mi) LDAP_BACK_ISSET( (mi), META_BACK_F_ONERR_REPORT )
382 #define META_BACK_ONERR_CONTINUE(mi) ( !LDAP_BACK_ISSET( (mi), META_BACK_F_ONERR_MASK ) )
384 #define META_BACK_DEFER_ROOTDN_BIND(mi) LDAP_BACK_ISSET( (mi), META_BACK_F_DEFER_ROOTDN_BIND )
385 #define META_BACK_PROXYAUTHZ_ALWAYS(mi) LDAP_BACK_ISSET( (mi), META_BACK_F_PROXYAUTHZ_ALWAYS )
386 #define META_BACK_PROXYAUTHZ_ANON(mi) LDAP_BACK_ISSET( (mi), META_BACK_F_PROXYAUTHZ_ANON )
387 #define META_BACK_PROXYAUTHZ_NOANON(mi) LDAP_BACK_ISSET( (mi), META_BACK_F_PROXYAUTHZ_NOANON )
389 #define META_BACK_QUARANTINE(mi) LDAP_BACK_ISSET( (mi), LDAP_BACK_F_QUARANTINE )
392 time_t mi_network_timeout;
394 time_t mi_idle_timeout;
395 struct timeval mi_bind_timeout;
396 time_t mi_timeout[ SLAP_OP_LAST ];
399 typedef enum meta_op_type {
400 META_OP_ALLOW_MULTIPLE = 0,
401 META_OP_REQUIRE_SINGLE,
406 meta_back_candidates_get( Operation *op );
413 ldap_back_send_t sendok );
416 meta_back_release_conn_lock(
420 #define meta_back_release_conn(mi, mc) meta_back_release_conn_lock( (mi), (mc), 1 )
428 ldap_back_send_t sendok );
434 #if META_BACK_PRINT_CONNTREE > 0
436 meta_back_print_conntree(
442 meta_back_init_one_conn(
448 ldap_back_send_t sendok,
452 meta_back_quarantine(
462 ldap_back_send_t sendok );
465 meta_back_single_dobind(
470 ldap_back_send_t sendok,
475 meta_back_proxy_authz_cred(
480 ldap_back_send_t sendok,
481 struct berval *binddn,
482 struct berval *bindcred,
492 ldap_back_send_t sendok );
502 ldap_back_send_t sendok );
505 back_meta_LTX_init_module(
515 meta_back_conndn_cmp(
520 meta_back_conndn_dup(
528 meta_back_is_candidate(
534 meta_back_select_unique_candidate(
536 struct berval *ndn );
539 meta_clear_unused_candidates(
544 meta_clear_one_candidate(
550 * Dn cache stuff (experimental)
562 #define META_TARGET_NONE (-1)
563 #define META_TARGET_MULTIPLE (-2)
565 meta_dncache_get_target(
566 metadncache_t *cache,
567 struct berval *ndn );
570 meta_dncache_update_entry(
571 metadncache_t *cache,
576 meta_dncache_delete_entry(
577 metadncache_t *cache,
578 struct berval *ndn );
581 meta_dncache_free( void *entry );
583 extern LDAP_REBIND_PROC meta_back_default_rebind;
584 extern LDAP_URLLIST_PROC meta_back_default_urllist;
588 #endif /* SLAPD_META_H */
projects / openldap / blob