2 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
4 * Copyright 1999-2013 The OpenLDAP Foundation.
5 * Portions Copyright 2001-2003 Pierangelo Masarati.
6 * Portions Copyright 1999-2003 Howard Chu.
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted only as authorized by the OpenLDAP
13 * A copy of this license is available in the file LICENSE in the
14 * top-level directory of the distribution or, alternatively, at
15 * <http://www.OpenLDAP.org/license.html>.
18 * This work was initially developed by the Howard Chu for inclusion
19 * in OpenLDAP Software and subsequently enhanced by Pierangelo
24 #error "include servers/slapd/back-ldap/back-ldap.h before this file!"
25 #endif /* SLAPD_LDAP_H */
31 #define SLAPD_META_CLIENT_PR 1
32 #endif /* LDAP_DEVEL */
34 #include "proto-meta.h"
36 /* String rewrite library */
42 * Set META_BACK_PRINT_CONNTREE larger than 0 to dump the connection tree (debug only)
44 #ifndef META_BACK_PRINT_CONNTREE
45 #define META_BACK_PRINT_CONNTREE 0
46 #endif /* !META_BACK_PRINT_CONNTREE */
48 /* from back-ldap.h before rwm removal */
66 struct rewrite_info *rwm_rw;
67 #else /* !ENABLE_REWRITE */
68 /* some time the suffix massaging without librewrite
70 BerVarray rwm_suffix_massage;
71 #endif /* !ENABLE_REWRITE */
72 BerVarray rwm_bva_rewrite;
75 * Attribute/objectClass mapping
77 struct ldapmap rwm_oc;
78 struct ldapmap rwm_at;
79 BerVarray rwm_bva_map;
82 /* Whatever context ldap_back_dn_massage needs... */
83 typedef struct dncookie {
84 struct metatarget_t *target;
96 int ldap_back_dn_massage(dncookie *dc, struct berval *dn,
99 extern int ldap_back_conn_cmp( const void *c1, const void *c2);
100 extern int ldap_back_conn_dup( void *c1, void *c2 );
101 extern void ldap_back_conn_free( void *c );
103 /* attributeType/objectClass mapping */
104 int mapping_cmp (const void *, const void *);
105 int mapping_dup (void *, void *);
107 void ldap_back_map_init ( struct ldapmap *lm, struct ldapmapping ** );
108 int ldap_back_mapping ( struct ldapmap *map, struct berval *s,
109 struct ldapmapping **m, int remap );
110 void ldap_back_map ( struct ldapmap *map, struct berval *s, struct berval *m,
112 #define BACKLDAP_MAP 0
113 #define BACKLDAP_REMAP 1
115 ldap_back_map_filter(
116 struct ldapmap *at_map,
117 struct ldapmap *oc_map,
124 struct ldapmap *at_map,
127 char ***mapped_attrs );
130 ldap_back_filter_map_rewrite(
137 /* suffix massaging by means of librewrite */
138 #ifdef ENABLE_REWRITE
140 suffix_massage_config( struct rewrite_info *info,
144 struct berval *nrnc );
145 #endif /* ENABLE_REWRITE */
147 ldap_back_referral_result_rewrite(
156 ldap_dnattr_result_rewrite(
160 /* (end of) from back-ldap.h before rwm removal */
163 * A metasingleconn_t can be in the following, mutually exclusive states:
166 * - creating META_BACK_FCONN_CREATING
167 * - initialized META_BACK_FCONN_INITED
168 * - binding LDAP_BACK_FCONN_BINDING
169 * - bound/anonymous LDAP_BACK_FCONN_ISBOUND/LDAP_BACK_FCONN_ISANON
171 * possible modifiers are:
173 * - privileged LDAP_BACK_FCONN_ISPRIV
174 * - privileged, TLS LDAP_BACK_FCONN_ISTLS
175 * - subjected to idassert LDAP_BACK_FCONN_ISIDASR
176 * - tainted LDAP_BACK_FCONN_TAINTED
179 #define META_BACK_FCONN_INITED (0x00100000U)
180 #define META_BACK_FCONN_CREATING (0x00200000U)
182 #define META_BACK_CONN_INITED(lc) LDAP_BACK_CONN_ISSET((lc), META_BACK_FCONN_INITED)
183 #define META_BACK_CONN_INITED_SET(lc) LDAP_BACK_CONN_SET((lc), META_BACK_FCONN_INITED)
184 #define META_BACK_CONN_INITED_CLEAR(lc) LDAP_BACK_CONN_CLEAR((lc), META_BACK_FCONN_INITED)
185 #define META_BACK_CONN_INITED_CPY(lc, mlc) LDAP_BACK_CONN_CPY((lc), META_BACK_FCONN_INITED, (mlc))
186 #define META_BACK_CONN_CREATING(lc) LDAP_BACK_CONN_ISSET((lc), META_BACK_FCONN_CREATING)
187 #define META_BACK_CONN_CREATING_SET(lc) LDAP_BACK_CONN_SET((lc), META_BACK_FCONN_CREATING)
188 #define META_BACK_CONN_CREATING_CLEAR(lc) LDAP_BACK_CONN_CLEAR((lc), META_BACK_FCONN_CREATING)
189 #define META_BACK_CONN_CREATING_CPY(lc, mlc) LDAP_BACK_CONN_CPY((lc), META_BACK_FCONN_CREATING, (mlc))
193 #define META_NOT_CANDIDATE ((ber_tag_t)0x0)
194 #define META_CANDIDATE ((ber_tag_t)0x1)
195 #define META_BINDING ((ber_tag_t)0x2)
196 #define META_RETRYING ((ber_tag_t)0x4)
198 typedef struct metasingleconn_t {
199 #define META_CND_ISSET(rs,f) ( ( (rs)->sr_tag & (f) ) == (f) )
200 #define META_CND_SET(rs,f) ( (rs)->sr_tag |= (f) )
201 #define META_CND_CLEAR(rs,f) ( (rs)->sr_tag &= ~(f) )
203 #define META_CANDIDATE_RESET(rs) ( (rs)->sr_tag = 0 )
204 #define META_IS_CANDIDATE(rs) META_CND_ISSET( (rs), META_CANDIDATE )
205 #define META_CANDIDATE_SET(rs) META_CND_SET( (rs), META_CANDIDATE )
206 #define META_CANDIDATE_CLEAR(rs) META_CND_CLEAR( (rs), META_CANDIDATE )
207 #define META_IS_BINDING(rs) META_CND_ISSET( (rs), META_BINDING )
208 #define META_BINDING_SET(rs) META_CND_SET( (rs), META_BINDING )
209 #define META_BINDING_CLEAR(rs) META_CND_CLEAR( (rs), META_BINDING )
210 #define META_IS_RETRYING(rs) META_CND_ISSET( (rs), META_RETRYING )
211 #define META_RETRYING_SET(rs) META_CND_SET( (rs), META_RETRYING )
212 #define META_RETRYING_CLEAR(rs) META_CND_CLEAR( (rs), META_RETRYING )
216 struct berval msc_bound_ndn;
217 struct berval msc_cred;
218 unsigned msc_mscflags;
219 /* NOTE: lc_lcflags is redefined to msc_mscflags to reuse the macros
220 * defined for back-ldap */
221 #define lc_lcflags msc_mscflags
224 typedef struct metaconn_t {
225 ldapconn_base_t lc_base;
226 #define mc_base lc_base
227 #define mc_conn mc_base.lcb_conn
228 #define mc_local_ndn mc_base.lcb_local_ndn
229 #define mc_refcnt mc_base.lcb_refcnt
230 #define mc_create_time mc_base.lcb_create_time
231 #define mc_time mc_base.lcb_time
233 LDAP_TAILQ_ENTRY(metaconn_t) mc_q;
235 /* NOTE: msc_mscflags is used to recycle the #define
236 * in metasingleconn_t */
237 unsigned msc_mscflags;
240 * means that the connection is bound;
241 * of course only one target actually is ...
244 #define META_BOUND_NONE (-1)
245 #define META_BOUND_ALL (-2)
247 struct metainfo_t *mc_info;
249 /* supersedes the connection stuff */
250 metasingleconn_t mc_conns[ 1 ];
251 /* NOTE: mc_conns must be last, because
252 * the required number of conns is malloc'ed
253 * in one block with the metaconn_t structure */
256 typedef enum meta_st_t {
258 META_ST_EXACT = LDAP_SCOPE_BASE,
260 META_ST_SUBTREE = LDAP_SCOPE_SUBTREE,
261 META_ST_SUBORDINATE = LDAP_SCOPE_SUBORDINATE,
262 META_ST_REGEX /* last + 1 */
265 typedef struct metasubtree_t {
268 struct berval msu_dn;
270 struct berval msr_regex_pattern;
274 #define ms_dn ms_un.msu_dn
275 #define ms_regex ms_un.msu_regex.msr_regex
276 #define ms_regex_pattern ms_un.msu_regex.msr_regex_pattern
278 struct metasubtree_t *ms_next;
281 typedef struct metafilter_t {
282 struct metafilter_t *mf_next;
283 struct berval mf_regex_pattern;
287 typedef struct metacommon_t {
290 #define META_RETRY_UNDEFINED (-2)
291 #define META_RETRY_FOREVER (-1)
292 #define META_RETRY_NEVER (0)
293 #define META_RETRY_DEFAULT (10)
296 #define META_BACK_CMN_ISSET(mc,f) ( ( (mc)->mc_flags & (f) ) == (f) )
297 #define META_BACK_CMN_QUARANTINE(mc) META_BACK_CMN_ISSET( (mc), LDAP_BACK_F_QUARANTINE )
298 #define META_BACK_CMN_CHASE_REFERRALS(mc) META_BACK_CMN_ISSET( (mc), LDAP_BACK_F_CHASE_REFERRALS )
299 #define META_BACK_CMN_NOREFS(mc) META_BACK_CMN_ISSET( (mc), LDAP_BACK_F_NOREFS )
300 #define META_BACK_CMN_NOUNDEFFILTER(mc) META_BACK_CMN_ISSET( (mc), LDAP_BACK_F_NOUNDEFFILTER )
301 #define META_BACK_CMN_SAVECRED(mc) META_BACK_CMN_ISSET( (mc), LDAP_BACK_F_SAVECRED )
302 #define META_BACK_CMN_ST_REQUEST(mc) META_BACK_CMN_ISSET( (mc), LDAP_BACK_F_ST_REQUEST )
304 #ifdef SLAPD_META_CLIENT_PR
306 * client-side paged results:
307 * -1: accept unsolicited paged results responses
309 * >0: always request paged results with size == mt_ps
311 #define META_CLIENT_PR_DISABLE (0)
312 #define META_CLIENT_PR_ACCEPT_UNSOLICITED (-1)
314 #endif /* SLAPD_META_CLIENT_PR */
316 slap_retry_info_t mc_quarantine;
317 time_t mc_network_timeout;
318 struct timeval mc_bind_timeout;
319 #define META_BIND_TIMEOUT LDAP_BACK_RESULT_UTIMEOUT
320 time_t mc_timeout[ SLAP_OP_LAST ];
323 typedef struct metatarget_t {
325 ldap_pvt_thread_mutex_t mt_uri_mutex;
327 /* TODO: we might want to enable different strategies
328 * for different targets */
329 LDAP_REBIND_PROC *mt_rebind_f;
330 LDAP_URLLIST_PROC *mt_urllist_f;
333 metafilter_t *mt_filter;
334 metasubtree_t *mt_subtree;
335 /* F: subtree-include; T: subtree-exclude */
336 int mt_subtree_exclude;
340 struct berval mt_psuffix; /* pretty suffix */
341 struct berval mt_nsuffix; /* normalized suffix */
343 struct berval mt_binddn;
344 struct berval mt_bindpw;
346 /* we only care about the TLS options here */
347 slap_bindconf mt_tls;
349 slap_idassert_t mt_idassert;
350 #define mt_idassert_mode mt_idassert.si_mode
351 #define mt_idassert_authcID mt_idassert.si_bc.sb_authcId
352 #define mt_idassert_authcDN mt_idassert.si_bc.sb_binddn
353 #define mt_idassert_passwd mt_idassert.si_bc.sb_cred
354 #define mt_idassert_authzID mt_idassert.si_bc.sb_authzId
355 #define mt_idassert_authmethod mt_idassert.si_bc.sb_method
356 #define mt_idassert_sasl_mech mt_idassert.si_bc.sb_saslmech
357 #define mt_idassert_sasl_realm mt_idassert.si_bc.sb_realm
358 #define mt_idassert_secprops mt_idassert.si_bc.sb_secprops
359 #define mt_idassert_tls mt_idassert.si_bc.sb_tls
360 #define mt_idassert_flags mt_idassert.si_flags
361 #define mt_idassert_authz mt_idassert.si_authz
363 struct ldaprwmap mt_rwmap;
365 sig_atomic_t mt_isquarantined;
366 ldap_pvt_thread_mutex_t mt_quarantine_mutex;
369 #define mt_nretries mt_mc.mc_nretries
370 #define mt_flags mt_mc.mc_flags
371 #define mt_version mt_mc.mc_version
372 #define mt_ps mt_mc.mc_ps
373 #define mt_network_timeout mt_mc.mc_network_timeout
374 #define mt_bind_timeout mt_mc.mc_bind_timeout
375 #define mt_timeout mt_mc.mc_timeout
376 #define mt_quarantine mt_mc.mc_quarantine
378 #define META_BACK_TGT_ISSET(mt,f) ( ( (mt)->mt_flags & (f) ) == (f) )
379 #define META_BACK_TGT_ISMASK(mt,m,f) ( ( (mt)->mt_flags & (m) ) == (f) )
381 #define META_BACK_TGT_SAVECRED(mt) META_BACK_TGT_ISSET( (mt), LDAP_BACK_F_SAVECRED )
383 #define META_BACK_TGT_USE_TLS(mt) META_BACK_TGT_ISSET( (mt), LDAP_BACK_F_USE_TLS )
384 #define META_BACK_TGT_PROPAGATE_TLS(mt) META_BACK_TGT_ISSET( (mt), LDAP_BACK_F_PROPAGATE_TLS )
385 #define META_BACK_TGT_TLS_CRITICAL(mt) META_BACK_TGT_ISSET( (mt), LDAP_BACK_F_TLS_CRITICAL )
387 #define META_BACK_TGT_CHASE_REFERRALS(mt) META_BACK_TGT_ISSET( (mt), LDAP_BACK_F_CHASE_REFERRALS )
389 #define META_BACK_TGT_T_F(mt) META_BACK_TGT_ISMASK( (mt), LDAP_BACK_F_T_F_MASK, LDAP_BACK_F_T_F )
390 #define META_BACK_TGT_T_F_DISCOVER(mt) META_BACK_TGT_ISMASK( (mt), LDAP_BACK_F_T_F_MASK2, LDAP_BACK_F_T_F_DISCOVER )
392 #define META_BACK_TGT_ABANDON(mt) META_BACK_TGT_ISMASK( (mt), LDAP_BACK_F_CANCEL_MASK, LDAP_BACK_F_CANCEL_ABANDON )
393 #define META_BACK_TGT_IGNORE(mt) META_BACK_TGT_ISMASK( (mt), LDAP_BACK_F_CANCEL_MASK, LDAP_BACK_F_CANCEL_IGNORE )
394 #define META_BACK_TGT_CANCEL(mt) META_BACK_TGT_ISMASK( (mt), LDAP_BACK_F_CANCEL_MASK, LDAP_BACK_F_CANCEL_EXOP )
395 #define META_BACK_TGT_CANCEL_DISCOVER(mt) META_BACK_TGT_ISMASK( (mt), LDAP_BACK_F_CANCEL_MASK2, LDAP_BACK_F_CANCEL_EXOP_DISCOVER )
396 #define META_BACK_TGT_QUARANTINE(mt) META_BACK_TGT_ISSET( (mt), LDAP_BACK_F_QUARANTINE )
398 #ifdef SLAP_CONTROL_X_SESSION_TRACKING
399 #define META_BACK_TGT_ST_REQUEST(mt) META_BACK_TGT_ISSET( (mt), LDAP_BACK_F_ST_REQUEST )
400 #define META_BACK_TGT_ST_RESPONSE(mt) META_BACK_TGT_ISSET( (mt), LDAP_BACK_F_ST_RESPONSE )
401 #endif /* SLAP_CONTROL_X_SESSION_TRACKING */
403 #define META_BACK_TGT_NOREFS(mt) META_BACK_TGT_ISSET( (mt), LDAP_BACK_F_NOREFS )
404 #define META_BACK_TGT_NOUNDEFFILTER(mt) META_BACK_TGT_ISSET( (mt), LDAP_BACK_F_NOUNDEFFILTER )
406 slap_mask_t mt_rep_flags;
410 typedef struct metadncache_t {
411 ldap_pvt_thread_mutex_t mutex;
414 #define META_DNCACHE_DISABLED (0)
415 #define META_DNCACHE_FOREVER ((time_t)(-1))
416 time_t ttl; /* seconds; 0: no cache, -1: no expiry */
419 typedef struct metacandidates_t {
421 SlapReply *mc_candidates;
425 * Hook to allow mucking with metainfo_t/metatarget_t when quarantine is over
427 typedef int (*meta_back_quarantine_f)( struct metainfo_t *, int target, void * );
429 typedef struct metainfo_t {
431 int mi_defaulttarget;
432 #define META_DEFAULT_TARGET_NONE (-1)
434 #define mi_nretries mi_mc.mc_nretries
435 #define mi_flags mi_mc.mc_flags
436 #define mi_version mi_mc.mc_version
437 #define mi_ps mi_mc.mc_ps
438 #define mi_network_timeout mi_mc.mc_network_timeout
439 #define mi_bind_timeout mi_mc.mc_bind_timeout
440 #define mi_timeout mi_mc.mc_timeout
441 #define mi_quarantine mi_mc.mc_quarantine
443 metatarget_t **mi_targets;
444 metacandidates_t *mi_candidates;
446 LDAP_REBIND_PROC *mi_rebind_f;
447 LDAP_URLLIST_PROC *mi_urllist_f;
449 metadncache_t mi_cache;
451 /* cached connections;
452 * special conns are in tailq rather than in tree */
453 ldap_avl_info_t mi_conninfo;
456 LDAP_TAILQ_HEAD(mc_conn_priv_q, metaconn_t) mic_priv;
457 } mi_conn_priv[ LDAP_BACK_PCONN_LAST ];
458 int mi_conn_priv_max;
460 /* NOTE: quarantine uses the connection mutex */
461 meta_back_quarantine_f mi_quarantine_f;
462 void *mi_quarantine_p;
464 #define li_flags mi_flags
465 /* uses flags as defined in <back-ldap/back-ldap.h> */
466 #define META_BACK_F_ONERR_STOP LDAP_BACK_F_ONERR_STOP
467 #define META_BACK_F_ONERR_REPORT (0x02000000U)
468 #define META_BACK_F_ONERR_MASK (META_BACK_F_ONERR_STOP|META_BACK_F_ONERR_REPORT)
469 #define META_BACK_F_DEFER_ROOTDN_BIND (0x04000000U)
470 #define META_BACK_F_PROXYAUTHZ_ALWAYS (0x08000000U) /* users always proxyauthz */
471 #define META_BACK_F_PROXYAUTHZ_ANON (0x10000000U) /* anonymous always proxyauthz */
472 #define META_BACK_F_PROXYAUTHZ_NOANON (0x20000000U) /* anonymous remains anonymous */
474 #define META_BACK_ONERR_STOP(mi) LDAP_BACK_ISSET( (mi), META_BACK_F_ONERR_STOP )
475 #define META_BACK_ONERR_REPORT(mi) LDAP_BACK_ISSET( (mi), META_BACK_F_ONERR_REPORT )
476 #define META_BACK_ONERR_CONTINUE(mi) ( !LDAP_BACK_ISSET( (mi), META_BACK_F_ONERR_MASK ) )
478 #define META_BACK_DEFER_ROOTDN_BIND(mi) LDAP_BACK_ISSET( (mi), META_BACK_F_DEFER_ROOTDN_BIND )
479 #define META_BACK_PROXYAUTHZ_ALWAYS(mi) LDAP_BACK_ISSET( (mi), META_BACK_F_PROXYAUTHZ_ALWAYS )
480 #define META_BACK_PROXYAUTHZ_ANON(mi) LDAP_BACK_ISSET( (mi), META_BACK_F_PROXYAUTHZ_ANON )
481 #define META_BACK_PROXYAUTHZ_NOANON(mi) LDAP_BACK_ISSET( (mi), META_BACK_F_PROXYAUTHZ_NOANON )
483 #define META_BACK_QUARANTINE(mi) LDAP_BACK_ISSET( (mi), LDAP_BACK_F_QUARANTINE )
486 time_t mi_idle_timeout;
489 ldap_extra_t *mi_ldap_extra;
493 typedef enum meta_op_type {
494 META_OP_ALLOW_MULTIPLE = 0,
495 META_OP_REQUIRE_SINGLE,
500 meta_back_candidates_get( Operation *op );
507 ldap_back_send_t sendok );
510 meta_back_release_conn_lock(
514 #define meta_back_release_conn(mi, mc) meta_back_release_conn_lock( (mi), (mc), 1 )
522 ldap_back_send_t sendok );
528 #if META_BACK_PRINT_CONNTREE > 0
530 meta_back_print_conntree(
536 meta_back_init_one_conn(
542 ldap_back_send_t sendok,
546 meta_back_quarantine(
556 ldap_back_send_t sendok );
559 meta_back_single_dobind(
564 ldap_back_send_t sendok,
569 meta_back_proxy_authz_cred(
574 ldap_back_send_t sendok,
575 struct berval *binddn,
576 struct berval *bindcred,
586 ldap_back_send_t sendok );
596 ldap_back_send_t sendok );
599 meta_back_controls_add(
604 LDAPControl ***pctrls );
607 back_meta_LTX_init_module(
617 meta_back_conndn_cmp(
622 meta_back_conndn_dup(
630 meta_back_is_candidate(
636 meta_back_select_unique_candidate(
638 struct berval *ndn );
641 meta_clear_unused_candidates(
646 meta_clear_one_candidate(
652 * Dn cache stuff (experimental)
664 #define META_TARGET_NONE (-1)
665 #define META_TARGET_MULTIPLE (-2)
667 meta_dncache_get_target(
668 metadncache_t *cache,
669 struct berval *ndn );
672 meta_dncache_update_entry(
673 metadncache_t *cache,
678 meta_dncache_delete_entry(
679 metadncache_t *cache,
680 struct berval *ndn );
683 meta_dncache_free( void *entry );
686 meta_back_map_free( struct ldapmap *lm );
689 meta_subtree_destroy( metasubtree_t *ms );
692 meta_filter_destroy( metafilter_t *mf );
695 meta_target_finish( metainfo_t *mi, metatarget_t *mt,
696 const char *log, char *msg, size_t msize
699 extern LDAP_REBIND_PROC meta_back_default_rebind;
700 extern LDAP_URLLIST_PROC meta_back_default_urllist;
704 #endif /* SLAPD_META_H */
projects / openldap / blob