2 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
4 * Copyright 1999-2011 The OpenLDAP Foundation.
5 * Portions Copyright 2001-2003 Pierangelo Masarati.
6 * Portions Copyright 1999-2003 Howard Chu.
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted only as authorized by the OpenLDAP
13 * A copy of this license is available in the file LICENSE in the
14 * top-level directory of the distribution or, alternatively, at
15 * <http://www.OpenLDAP.org/license.html>.
18 * This work was initially developed by the Howard Chu for inclusion
19 * in OpenLDAP Software and subsequently enhanced by Pierangelo
27 #include <ac/string.h>
28 #include <ac/socket.h>
32 #include "../back-ldap/back-ldap.h"
33 #include "back-meta.h"
44 mt = ch_calloc( sizeof( metatarget_t ), 1 );
46 mt->mt_rwmap.rwm_rw = rewrite_info_init( REWRITE_MODE_USE_DEFAULT );
47 if ( mt->mt_rwmap.rwm_rw == NULL ) {
53 * the filter rewrite as a string must be disabled
54 * by default; it can be re-enabled by adding rules;
55 * this creates an empty rewriteContext
57 rargv[ 0 ] = "rewriteContext";
58 rargv[ 1 ] = "searchFilter";
60 rewrite_parse( mt->mt_rwmap.rwm_rw, "<suffix massage>", 1, 2, rargv );
62 rargv[ 0 ] = "rewriteContext";
63 rargv[ 1 ] = "default";
65 rewrite_parse( mt->mt_rwmap.rwm_rw, "<suffix massage>", 1, 2, rargv );
67 ldap_pvt_thread_mutex_init( &mt->mt_uri_mutex );
69 mt->mt_idassert_mode = LDAP_BACK_IDASSERT_LEGACY;
70 mt->mt_idassert_authmethod = LDAP_AUTH_NONE;
71 mt->mt_idassert_tls = SB_TLS_DEFAULT;
73 /* by default, use proxyAuthz control on each operation */
74 mt->mt_idassert_flags = LDAP_BACK_AUTH_PRESCRIPTIVE;
82 check_true_false( char *str )
84 if ( strcasecmp( str, "true" ) == 0 || strcasecmp( str, "yes" ) == 0 ) {
88 if ( strcasecmp( str, "false" ) == 0 || strcasecmp( str, "no" ) == 0 ) {
96 meta_subtree_destroy( metasubtree_t *ms )
99 meta_subtree_destroy( ms->ms_next );
102 switch ( ms->ms_type ) {
103 case META_ST_SUBTREE:
104 case META_ST_SUBORDINATE:
105 ber_memfree( ms->ms_dn.bv_val );
109 regfree( &ms->ms_regex );
110 ch_free( ms->ms_regex_pattern );
131 meta_st_t type = META_ST_SUBTREE;
133 struct berval ndn = BER_BVNULL;
134 metasubtree_t *ms = NULL;
136 if ( strcasecmp( argv[0], "subtree-exclude" ) == 0 ) {
137 if ( mt->mt_subtree && !mt->mt_subtree_exclude ) {
138 snprintf( buf, buflen,
139 "\"subtree-exclude\" incompatible with previous \"subtree-include\" directives" );
143 mt->mt_subtree_exclude = 1;
146 if ( mt->mt_subtree && mt->mt_subtree_exclude ) {
147 snprintf( buf, buflen,
148 "\"subtree-include\" incompatible with previous \"subtree-exclude\" directives" );
155 snprintf( buf, buflen, "missing pattern" );
162 snprintf( buf, buflen, "too many args" );
167 if ( strncasecmp( pattern, "dn", STRLENOF( "dn" ) ) == 0 ) {
170 pattern = &pattern[STRLENOF( "dn")];
172 if ( pattern[0] == '.' ) {
175 if ( strncasecmp( style, "subtree", STRLENOF( "subtree" ) ) == 0 ) {
176 type = META_ST_SUBTREE;
177 pattern = &style[STRLENOF( "subtree" )];
179 } else if ( strncasecmp( style, "children", STRLENOF( "children" ) ) == 0 ) {
180 type = META_ST_SUBORDINATE;
181 pattern = &style[STRLENOF( "children" )];
183 } else if ( strncasecmp( style, "sub", STRLENOF( "sub" ) ) == 0 ) {
184 type = META_ST_SUBTREE;
185 pattern = &style[STRLENOF( "sub" )];
187 } else if ( strncasecmp( style, "regex", STRLENOF( "regex" ) ) == 0 ) {
188 type = META_ST_REGEX;
189 pattern = &style[STRLENOF( "regex" )];
192 snprintf( buf, buflen, "unknown style in \"dn.<style>\"" );
197 if ( pattern[0] != ':' ) {
198 snprintf( buf, buflen, "missing colon after \"dn.<style>\"" );
205 case META_ST_SUBTREE:
206 case META_ST_SUBORDINATE: {
209 ber_str2bv( pattern, 0, 0, &dn );
210 if ( dnNormalize( 0, NULL, NULL, &dn, &ndn, NULL )
213 snprintf( buf, buflen, "DN=\"%s\" is invalid", pattern );
217 if ( !dnIsSuffix( &ndn, &mt->mt_nsuffix ) ) {
218 snprintf( buf, buflen,
219 "DN=\"%s\" is not a subtree of target \"%s\"",
220 pattern, mt->mt_nsuffix.bv_val );
221 ber_memfree( ndn.bv_val );
227 /* silence warnings */
231 ms = ch_calloc( sizeof( metasubtree_t ), 1 );
234 switch ( ms->ms_type ) {
235 case META_ST_SUBTREE:
236 case META_ST_SUBORDINATE:
240 case META_ST_REGEX: {
243 rc = regcomp( &ms->ms_regex, pattern, REG_EXTENDED|REG_ICASE );
245 char regerr[ SLAP_TEXT_BUFLEN ];
247 regerror( rc, &ms->ms_regex, regerr, sizeof(regerr) );
249 snprintf( buf, sizeof( buf ),
250 "regular expression \"%s\" bad because of %s",
255 ms->ms_regex_pattern = ch_strdup( pattern );
259 if ( mt->mt_subtree == NULL ) {
265 for ( msp = &mt->mt_subtree; *msp; ) {
266 switch ( ms->ms_type ) {
267 case META_ST_SUBTREE:
268 switch ( (*msp)->ms_type ) {
269 case META_ST_SUBTREE:
270 if ( dnIsSuffix( &(*msp)->ms_dn, &ms->ms_dn ) ) {
271 metasubtree_t *tmp = *msp;
272 Debug( LDAP_DEBUG_CONFIG,
273 "%s: previous rule \"dn.subtree:%s\" is contained in rule \"dn.subtree:%s\" (replaced)\n",
274 log_prefix, pattern, (*msp)->ms_dn.bv_val );
275 *msp = (*msp)->ms_next;
277 meta_subtree_destroy( tmp );
280 } else if ( dnIsSuffix( &ms->ms_dn, &(*msp)->ms_dn ) ) {
281 Debug( LDAP_DEBUG_CONFIG,
282 "%s: previous rule \"dn.subtree:%s\" contains rule \"dn.subtree:%s\" (ignored)\n",
283 log_prefix, (*msp)->ms_dn.bv_val, pattern );
284 meta_subtree_destroy( ms );
290 case META_ST_SUBORDINATE:
291 if ( dnIsSuffix( &(*msp)->ms_dn, &ms->ms_dn ) ) {
292 metasubtree_t *tmp = *msp;
293 Debug( LDAP_DEBUG_CONFIG,
294 "%s: previous rule \"dn.children:%s\" is contained in rule \"dn.subtree:%s\" (replaced)\n",
295 log_prefix, pattern, (*msp)->ms_dn.bv_val );
296 *msp = (*msp)->ms_next;
298 meta_subtree_destroy( tmp );
301 } else if ( dnIsSuffix( &ms->ms_dn, &(*msp)->ms_dn ) && ms->ms_dn.bv_len > (*msp)->ms_dn.bv_len ) {
302 Debug( LDAP_DEBUG_CONFIG,
303 "%s: previous rule \"dn.children:%s\" contains rule \"dn.subtree:%s\" (ignored)\n",
304 log_prefix, (*msp)->ms_dn.bv_val, pattern );
305 meta_subtree_destroy( ms );
312 if ( regexec( &(*msp)->ms_regex, ms->ms_dn.bv_val, 0, NULL, 0 ) == 0 ) {
313 Debug( LDAP_DEBUG_CONFIG,
314 "%s: previous rule \"dn.regex:%s\" may contain rule \"dn.subtree:%s\"\n",
315 log_prefix, (*msp)->ms_regex_pattern, ms->ms_dn.bv_val );
321 case META_ST_SUBORDINATE:
322 switch ( (*msp)->ms_type ) {
323 case META_ST_SUBTREE:
324 if ( dnIsSuffix( &(*msp)->ms_dn, &ms->ms_dn ) ) {
325 metasubtree_t *tmp = *msp;
326 Debug( LDAP_DEBUG_CONFIG,
327 "%s: previous rule \"dn.children:%s\" is contained in rule \"dn.subtree:%s\" (replaced)\n",
328 log_prefix, pattern, (*msp)->ms_dn.bv_val );
329 *msp = (*msp)->ms_next;
331 meta_subtree_destroy( tmp );
334 } else if ( dnIsSuffix( &ms->ms_dn, &(*msp)->ms_dn ) && ms->ms_dn.bv_len > (*msp)->ms_dn.bv_len ) {
335 Debug( LDAP_DEBUG_CONFIG,
336 "%s: previous rule \"dn.children:%s\" contains rule \"dn.subtree:%s\" (ignored)\n",
337 log_prefix, (*msp)->ms_dn.bv_val, pattern );
338 meta_subtree_destroy( ms );
344 case META_ST_SUBORDINATE:
345 if ( dnIsSuffix( &(*msp)->ms_dn, &ms->ms_dn ) ) {
346 metasubtree_t *tmp = *msp;
347 Debug( LDAP_DEBUG_CONFIG,
348 "%s: previous rule \"dn.children:%s\" is contained in rule \"dn.children:%s\" (replaced)\n",
349 log_prefix, pattern, (*msp)->ms_dn.bv_val );
350 *msp = (*msp)->ms_next;
352 meta_subtree_destroy( tmp );
355 } else if ( dnIsSuffix( &ms->ms_dn, &(*msp)->ms_dn ) ) {
356 Debug( LDAP_DEBUG_CONFIG,
357 "%s: previous rule \"dn.children:%s\" contains rule \"dn.children:%s\" (ignored)\n",
358 log_prefix, (*msp)->ms_dn.bv_val, pattern );
359 meta_subtree_destroy( ms );
366 if ( regexec( &(*msp)->ms_regex, ms->ms_dn.bv_val, 0, NULL, 0 ) == 0 ) {
367 Debug( LDAP_DEBUG_CONFIG,
368 "%s: previous rule \"dn.regex:%s\" may contain rule \"dn.subtree:%s\"\n",
369 log_prefix, (*msp)->ms_regex_pattern, ms->ms_dn.bv_val );
376 switch ( (*msp)->ms_type ) {
377 case META_ST_SUBTREE:
378 case META_ST_SUBORDINATE:
379 if ( regexec( &ms->ms_regex, (*msp)->ms_dn.bv_val, 0, NULL, 0 ) == 0 ) {
380 Debug( LDAP_DEBUG_CONFIG,
381 "%s: previous rule \"dn.subtree:%s\" may be contained in rule \"dn.regex:%s\"\n",
382 log_prefix, (*msp)->ms_dn.bv_val, ms->ms_regex_pattern );
387 /* no check possible */
393 msp = &(*msp)->ms_next;
410 metainfo_t *mi = ( metainfo_t * )be->be_private;
412 assert( mi != NULL );
414 /* URI of server to query */
415 if ( strcasecmp( argv[ 0 ], "uri" ) == 0 ) {
416 int i = mi->mi_ntargets;
427 Debug( LDAP_DEBUG_ANY,
428 "%s: line %d: missing URI "
429 "in \"uri <protocol>://<server>[:port]/<naming context>\" line\n",
434 if ( be->be_nsuffix == NULL ) {
435 Debug( LDAP_DEBUG_ANY,
436 "%s: line %d: the suffix must be defined before any target.\n",
443 mi->mi_targets = ( metatarget_t ** )ch_realloc( mi->mi_targets,
444 sizeof( metatarget_t * ) * mi->mi_ntargets );
445 if ( mi->mi_targets == NULL ) {
446 Debug( LDAP_DEBUG_ANY,
447 "%s: line %d: out of memory while storing server name"
448 " in \"uri <protocol>://<server>[:port]/<naming context>\" line\n",
453 if ( meta_back_new_target( &mi->mi_targets[ i ] ) != 0 ) {
454 Debug( LDAP_DEBUG_ANY,
455 "%s: line %d: unable to init server"
456 " in \"uri <protocol>://<server>[:port]/<naming context>\" line\n",
461 mt = mi->mi_targets[ i ];
463 mt->mt_rebind_f = mi->mi_rebind_f;
464 mt->mt_urllist_f = mi->mi_urllist_f;
465 mt->mt_urllist_p = mt;
467 mt->mt_nretries = mi->mi_nretries;
468 mt->mt_quarantine = mi->mi_quarantine;
469 if ( META_BACK_QUARANTINE( mi ) ) {
470 ldap_pvt_thread_mutex_init( &mt->mt_quarantine_mutex );
472 mt->mt_flags = mi->mi_flags;
473 mt->mt_version = mi->mi_version;
474 #ifdef SLAPD_META_CLIENT_PR
475 mt->mt_ps = mi->mi_ps;
476 #endif /* SLAPD_META_CLIENT_PR */
477 mt->mt_network_timeout = mi->mi_network_timeout;
478 mt->mt_bind_timeout = mi->mi_bind_timeout;
479 for ( c = 0; c < SLAP_OP_LAST; c++ ) {
480 mt->mt_timeout[ c ] = mi->mi_timeout[ c ];
483 for ( c = 1; c < argc; c++ ) {
484 char **tmpuris = ldap_str2charray( argv[ c ], "\t" );
486 if ( tmpuris == NULL ) {
487 Debug( LDAP_DEBUG_ANY,
488 "%s: line %d: unable to parse URIs #%d"
489 " in \"uri <protocol>://<server>[:port]/<naming context>\" line\n",
490 fname, lineno, c - 1 );
498 ldap_charray_merge( &uris, tmpuris );
499 ldap_charray_free( tmpuris );
503 for ( c = 0; uris[ c ] != NULL; c++ ) {
509 if ( ldap_url_parselist_ext( &ludp, uris[ c ], "\t",
510 LDAP_PVT_URL_PARSE_NONE ) != LDAP_SUCCESS
511 || ludp->lud_next != NULL )
513 Debug( LDAP_DEBUG_ANY,
514 "%s: line %d: unable to parse URI #%d"
515 " in \"uri <protocol>://<server>[:port]/<naming context>\" line\n",
517 ldap_charray_free( uris );
524 * uri MUST have the <dn> part!
526 if ( ludp->lud_dn == NULL ) {
527 Debug( LDAP_DEBUG_ANY,
528 "%s: line %d: missing <naming context> "
529 " in \"uri <protocol>://<server>[:port]/<naming context>\" line\n",
531 ldap_free_urllist( ludp );
532 ldap_charray_free( uris );
537 * copies and stores uri and suffix
539 ber_str2bv( ludp->lud_dn, 0, 0, &dn );
540 rc = dnPrettyNormal( NULL, &dn, &mt->mt_psuffix,
541 &mt->mt_nsuffix, NULL );
542 if ( rc != LDAP_SUCCESS ) {
543 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
544 "target \"%s\" DN is invalid\n",
545 fname, lineno, argv[ 1 ] );
546 ldap_free_urllist( ludp );
547 ldap_charray_free( uris );
551 ludp->lud_dn[ 0 ] = '\0';
553 switch ( ludp->lud_scope ) {
554 case LDAP_SCOPE_DEFAULT:
555 mt->mt_scope = LDAP_SCOPE_SUBTREE;
558 case LDAP_SCOPE_SUBTREE:
559 case LDAP_SCOPE_SUBORDINATE:
560 mt->mt_scope = ludp->lud_scope;
564 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
565 "invalid scope for target \"%s\"\n",
566 fname, lineno, argv[ 1 ] );
567 ldap_free_urllist( ludp );
568 ldap_charray_free( uris );
573 /* check all, to apply the scope check on the first one */
574 if ( ludp->lud_dn != NULL && ludp->lud_dn[ 0 ] != '\0' ) {
575 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
576 "multiple URIs must have "
579 ldap_free_urllist( ludp );
580 ldap_charray_free( uris );
586 tmpuri = ldap_url_list2urls( ludp );
587 ldap_free_urllist( ludp );
588 if ( tmpuri == NULL ) {
589 Debug( LDAP_DEBUG_ANY, "%s: line %d: no memory?\n",
591 ldap_charray_free( uris );
594 ldap_memfree( uris[ c ] );
598 mt->mt_uri = ldap_charray2str( uris, " " );
599 ldap_charray_free( uris );
600 if ( mt->mt_uri == NULL) {
601 Debug( LDAP_DEBUG_ANY, "%s: line %d: no memory?\n",
607 * uri MUST be a branch of suffix!
609 for ( c = 0; !BER_BVISNULL( &be->be_nsuffix[ c ] ); c++ ) {
610 if ( dnIsSuffix( &mt->mt_nsuffix, &be->be_nsuffix[ c ] ) ) {
615 if ( BER_BVISNULL( &be->be_nsuffix[ c ] ) ) {
616 Debug( LDAP_DEBUG_ANY,
617 "%s: line %d: <naming context> of URI must be within the naming context of this database.\n",
622 /* subtree-exclude */
623 } else if ( strcasecmp( argv[ 0 ], "subtree-exclude" ) == 0 ||
624 strcasecmp( argv[ 0 ], "subtree-include" ) == 0)
626 char log_prefix[SLAP_TEXT_BUFLEN];
627 char textbuf[SLAP_TEXT_BUFLEN];
629 int i = mi->mi_ntargets - 1;
632 Debug( LDAP_DEBUG_ANY,
633 "%s: line %d: need \"uri\" directive first\n",
638 if ( strcasecmp( argv[ 0 ], "subtree-exclude" ) == 0 ) {
639 arg0 = "subtree-exclude";
642 arg0 = "subtree-include";
645 snprintf( log_prefix, sizeof(log_prefix), "%s: line %d: %s", fname, lineno, arg0 );
647 if ( meta_subtree_config( mi->mi_targets[ i ], argc, argv, textbuf, sizeof(textbuf), log_prefix ) ) {
648 Debug( LDAP_DEBUG_ANY, "%s: %s\n", log_prefix, textbuf, 0 );
652 /* default target directive */
653 } else if ( strcasecmp( argv[ 0 ], "default-target" ) == 0 ) {
654 int i = mi->mi_ntargets - 1;
658 Debug( LDAP_DEBUG_ANY,
659 "%s: line %d: \"default-target\" alone need be"
660 " inside a \"uri\" directive\n",
664 mi->mi_defaulttarget = i;
667 if ( strcasecmp( argv[ 1 ], "none" ) == 0 ) {
669 Debug( LDAP_DEBUG_ANY,
670 "%s: line %d: \"default-target none\""
671 " should go before uri definitions\n",
674 mi->mi_defaulttarget = META_DEFAULT_TARGET_NONE;
678 if ( lutil_atoi( &mi->mi_defaulttarget, argv[ 1 ] ) != 0
679 || mi->mi_defaulttarget < 0
680 || mi->mi_defaulttarget >= i - 1 )
682 Debug( LDAP_DEBUG_ANY,
683 "%s: line %d: illegal target number %d\n",
684 fname, lineno, mi->mi_defaulttarget );
690 /* ttl of dn cache */
691 } else if ( strcasecmp( argv[ 0 ], "dncache-ttl" ) == 0 ) {
693 Debug( LDAP_DEBUG_ANY,
694 "%s: line %d: missing ttl in \"dncache-ttl <ttl>\" line\n",
699 if ( strcasecmp( argv[ 1 ], "forever" ) == 0 ) {
700 mi->mi_cache.ttl = META_DNCACHE_FOREVER;
702 } else if ( strcasecmp( argv[ 1 ], "disabled" ) == 0 ) {
703 mi->mi_cache.ttl = META_DNCACHE_DISABLED;
708 if ( lutil_parse_time( argv[ 1 ], &t ) != 0 ) {
709 Debug( LDAP_DEBUG_ANY,
710 "%s: line %d: unable to parse ttl \"%s\" in \"dncache-ttl <ttl>\" line\n",
711 fname, lineno, argv[ 1 ] );
714 mi->mi_cache.ttl = (time_t)t;
717 /* network timeout when connecting to ldap servers */
718 } else if ( strcasecmp( argv[ 0 ], "network-timeout" ) == 0 ) {
720 time_t *tp = mi->mi_ntargets ?
721 &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_network_timeout
722 : &mi->mi_network_timeout;
725 Debug( LDAP_DEBUG_ANY,
726 "%s: line %d: missing network timeout in \"network-timeout <seconds>\" line\n",
731 if ( lutil_parse_time( argv[ 1 ], &t ) ) {
732 Debug( LDAP_DEBUG_ANY,
733 "%s: line %d: unable to parse timeout \"%s\" in \"network-timeout <seconds>\" line\n",
734 fname, lineno, argv[ 1 ] );
741 /* idle timeout when connecting to ldap servers */
742 } else if ( strcasecmp( argv[ 0 ], "idle-timeout" ) == 0 ) {
747 Debug( LDAP_DEBUG_ANY,
748 "%s: line %d: missing timeout value in \"idle-timeout <seconds>\" line\n",
754 Debug( LDAP_DEBUG_ANY,
755 "%s: line %d: extra cruft after timeout value in \"idle-timeout <seconds>\" line\n",
760 if ( lutil_parse_time( argv[ 1 ], &t ) ) {
761 Debug( LDAP_DEBUG_ANY,
762 "%s: line %d: unable to parse timeout \"%s\" in \"idle-timeout <seconds>\" line\n",
763 fname, lineno, argv[ 1 ] );
768 mi->mi_idle_timeout = (time_t)t;
771 } else if ( strcasecmp( argv[ 0 ], "conn-ttl" ) == 0 ) {
776 Debug( LDAP_DEBUG_ANY,
777 "%s: line %d: missing ttl value in \"conn-ttl <seconds>\" line\n",
783 Debug( LDAP_DEBUG_ANY,
784 "%s: line %d: extra cruft after ttl value in \"conn-ttl <seconds>\" line\n",
789 if ( lutil_parse_time( argv[ 1 ], &t ) ) {
790 Debug( LDAP_DEBUG_ANY,
791 "%s: line %d: unable to parse ttl \"%s\" in \"conn-ttl <seconds>\" line\n",
792 fname, lineno, argv[ 1 ] );
797 mi->mi_conn_ttl = (time_t)t;
799 /* bind timeout when connecting to ldap servers */
800 } else if ( strcasecmp( argv[ 0 ], "bind-timeout" ) == 0 ) {
802 struct timeval *tp = mi->mi_ntargets ?
803 &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_bind_timeout
804 : &mi->mi_bind_timeout;
808 Debug( LDAP_DEBUG_ANY,
809 "%s: line %d: missing timeout value in \"bind-timeout <microseconds>\" line\n",
815 Debug( LDAP_DEBUG_ANY,
816 "%s: line %d: extra cruft after timeout value in \"bind-timeout <microseconds>\" line\n",
821 if ( lutil_atoul( &t, argv[ 1 ] ) != 0 ) {
822 Debug( LDAP_DEBUG_ANY,
823 "%s: line %d: unable to parse timeout \"%s\" in \"bind-timeout <microseconds>\" line\n",
824 fname, lineno, argv[ 1 ] );
829 tp->tv_sec = t/1000000;
830 tp->tv_usec = t%1000000;
832 /* name to use for meta_back_group */
833 } else if ( strcasecmp( argv[ 0 ], "acl-authcDN" ) == 0
834 || strcasecmp( argv[ 0 ], "binddn" ) == 0 )
836 int i = mi->mi_ntargets - 1;
840 Debug( LDAP_DEBUG_ANY,
841 "%s: line %d: need \"uri\" directive first\n",
847 Debug( LDAP_DEBUG_ANY,
848 "%s: line %d: missing name in \"binddn <name>\" line\n",
853 if ( strcasecmp( argv[ 0 ], "binddn" ) == 0 ) {
854 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
855 "\"binddn\" statement is deprecated; "
856 "use \"acl-authcDN\" instead\n",
858 /* FIXME: some day we'll need to throw an error */
861 ber_str2bv( argv[ 1 ], 0, 0, &dn );
862 if ( dnNormalize( 0, NULL, NULL, &dn, &mi->mi_targets[ i ]->mt_binddn,
863 NULL ) != LDAP_SUCCESS )
865 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
866 "bind DN '%s' is invalid\n",
867 fname, lineno, argv[ 1 ] );
871 /* password to use for meta_back_group */
872 } else if ( strcasecmp( argv[ 0 ], "acl-passwd" ) == 0
873 || strcasecmp( argv[ 0 ], "bindpw" ) == 0 )
875 int i = mi->mi_ntargets - 1;
878 Debug( LDAP_DEBUG_ANY,
879 "%s: line %d: need \"uri\" directive first\n",
885 Debug( LDAP_DEBUG_ANY,
886 "%s: line %d: missing password in \"bindpw <password>\" line\n",
891 if ( strcasecmp( argv[ 0 ], "bindpw" ) == 0 ) {
892 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
893 "\"bindpw\" statement is deprecated; "
894 "use \"acl-passwd\" instead\n",
896 /* FIXME: some day we'll need to throw an error */
899 ber_str2bv( argv[ 1 ], 0L, 1, &mi->mi_targets[ i ]->mt_bindpw );
901 /* save bind creds for referral rebinds? */
902 } else if ( strcasecmp( argv[ 0 ], "rebind-as-user" ) == 0 ) {
903 unsigned *flagsp = mi->mi_ntargets ?
904 &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_flags
908 Debug( LDAP_DEBUG_ANY,
909 "%s: line %d: \"rebind-as-user {NO|yes}\" takes 1 argument.\n",
915 Debug( LDAP_DEBUG_ANY,
916 "%s: line %d: deprecated use of \"rebind-as-user {FALSE|true}\" with no arguments.\n",
918 *flagsp |= LDAP_BACK_F_SAVECRED;
921 switch ( check_true_false( argv[ 1 ] ) ) {
923 *flagsp &= ~LDAP_BACK_F_SAVECRED;
927 *flagsp |= LDAP_BACK_F_SAVECRED;
931 Debug( LDAP_DEBUG_ANY,
932 "%s: line %d: \"rebind-as-user {FALSE|true}\" unknown argument \"%s\".\n",
933 fname, lineno, argv[ 1 ] );
938 } else if ( strcasecmp( argv[ 0 ], "chase-referrals" ) == 0 ) {
939 unsigned *flagsp = mi->mi_ntargets ?
940 &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_flags
944 Debug( LDAP_DEBUG_ANY,
945 "%s: line %d: \"chase-referrals {TRUE|false}\" needs 1 argument.\n",
950 /* this is the default; we add it because the default might change... */
951 switch ( check_true_false( argv[ 1 ] ) ) {
953 *flagsp |= LDAP_BACK_F_CHASE_REFERRALS;
957 *flagsp &= ~LDAP_BACK_F_CHASE_REFERRALS;
961 Debug( LDAP_DEBUG_ANY,
962 "%s: line %d: \"chase-referrals {TRUE|false}\": unknown argument \"%s\".\n",
963 fname, lineno, argv[ 1 ] );
967 } else if ( strcasecmp( argv[ 0 ], "tls" ) == 0 ) {
968 unsigned *flagsp = mi->mi_ntargets ?
969 &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_flags
973 if ( strcasecmp( argv[ 1 ], "start" ) == 0 ) {
974 *flagsp |= ( LDAP_BACK_F_USE_TLS | LDAP_BACK_F_TLS_CRITICAL );
977 } else if ( strcasecmp( argv[ 1 ], "try-start" ) == 0 ) {
978 *flagsp &= ~LDAP_BACK_F_TLS_CRITICAL;
979 *flagsp |= LDAP_BACK_F_USE_TLS;
981 /* propagate start tls */
982 } else if ( strcasecmp( argv[ 1 ], "propagate" ) == 0 ) {
983 *flagsp |= ( LDAP_BACK_F_PROPAGATE_TLS | LDAP_BACK_F_TLS_CRITICAL );
986 } else if ( strcasecmp( argv[ 1 ], "try-propagate" ) == 0 ) {
987 *flagsp &= ~LDAP_BACK_F_TLS_CRITICAL;
988 *flagsp |= LDAP_BACK_F_PROPAGATE_TLS;
991 Debug( LDAP_DEBUG_ANY,
992 "%s: line %d: \"tls <what>\": unknown argument \"%s\".\n",
993 fname, lineno, argv[ 1 ] );
998 metatarget_t *mt = NULL;
1001 if ( mi->mi_ntargets - 1 < 0 ) {
1002 Debug( LDAP_DEBUG_ANY,
1003 "%s: line %d: need \"uri\" directive first\n",
1008 mt = mi->mi_targets[ mi->mi_ntargets - 1 ];
1010 for ( i = 2; i < argc; i++ ) {
1011 if ( bindconf_tls_parse( argv[i], &mt->mt_tls ))
1014 bindconf_tls_defaults( &mt->mt_tls );
1017 } else if ( strcasecmp( argv[ 0 ], "t-f-support" ) == 0 ) {
1018 unsigned *flagsp = mi->mi_ntargets ?
1019 &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_flags
1023 Debug( LDAP_DEBUG_ANY,
1024 "%s: line %d: \"t-f-support {FALSE|true|discover}\" needs 1 argument.\n",
1029 switch ( check_true_false( argv[ 1 ] ) ) {
1031 *flagsp &= ~LDAP_BACK_F_T_F_MASK2;
1035 *flagsp |= LDAP_BACK_F_T_F;
1039 if ( strcasecmp( argv[ 1 ], "discover" ) == 0 ) {
1040 *flagsp |= LDAP_BACK_F_T_F_DISCOVER;
1043 Debug( LDAP_DEBUG_ANY,
1044 "%s: line %d: unknown value \"%s\" for \"t-f-support {no|yes|discover}\".\n",
1045 fname, lineno, argv[ 1 ] );
1052 } else if ( strcasecmp( argv[ 0 ], "onerr" ) == 0 ) {
1054 Debug( LDAP_DEBUG_ANY,
1055 "%s: line %d: \"onerr {CONTINUE|report|stop}\" takes 1 argument\n",
1060 if ( strcasecmp( argv[ 1 ], "continue" ) == 0 ) {
1061 mi->mi_flags &= ~META_BACK_F_ONERR_MASK;
1063 } else if ( strcasecmp( argv[ 1 ], "stop" ) == 0 ) {
1064 mi->mi_flags |= META_BACK_F_ONERR_STOP;
1066 } else if ( strcasecmp( argv[ 1 ], "report" ) == 0 ) {
1067 mi->mi_flags |= META_BACK_F_ONERR_REPORT;
1070 Debug( LDAP_DEBUG_ANY,
1071 "%s: line %d: \"onerr {CONTINUE|report|stop}\": invalid arg \"%s\".\n",
1072 fname, lineno, argv[ 1 ] );
1077 } else if ( strcasecmp( argv[ 0 ], "pseudoroot-bind-defer" ) == 0
1078 || strcasecmp( argv[ 0 ], "root-bind-defer" ) == 0 )
1081 Debug( LDAP_DEBUG_ANY,
1082 "%s: line %d: \"[pseudo]root-bind-defer {TRUE|false}\" takes 1 argument\n",
1087 switch ( check_true_false( argv[ 1 ] ) ) {
1089 mi->mi_flags &= ~META_BACK_F_DEFER_ROOTDN_BIND;
1093 mi->mi_flags |= META_BACK_F_DEFER_ROOTDN_BIND;
1097 Debug( LDAP_DEBUG_ANY,
1098 "%s: line %d: \"[pseudo]root-bind-defer {TRUE|false}\": invalid arg \"%s\".\n",
1099 fname, lineno, argv[ 1 ] );
1104 } else if ( strcasecmp( argv[ 0 ], "single-conn" ) == 0 ) {
1106 Debug( LDAP_DEBUG_ANY,
1107 "%s: line %d: \"single-conn {FALSE|true}\" takes 1 argument\n",
1112 if ( mi->mi_ntargets > 0 ) {
1113 Debug( LDAP_DEBUG_ANY,
1114 "%s: line %d: \"single-conn\" must appear before target definitions\n",
1119 switch ( check_true_false( argv[ 1 ] ) ) {
1121 mi->mi_flags &= ~LDAP_BACK_F_SINGLECONN;
1125 mi->mi_flags |= LDAP_BACK_F_SINGLECONN;
1129 Debug( LDAP_DEBUG_ANY,
1130 "%s: line %d: \"single-conn {FALSE|true}\": invalid arg \"%s\".\n",
1131 fname, lineno, argv[ 1 ] );
1135 /* use-temporaries? */
1136 } else if ( strcasecmp( argv[ 0 ], "use-temporary-conn" ) == 0 ) {
1138 Debug( LDAP_DEBUG_ANY,
1139 "%s: line %d: \"use-temporary-conn {FALSE|true}\" takes 1 argument\n",
1144 if ( mi->mi_ntargets > 0 ) {
1145 Debug( LDAP_DEBUG_ANY,
1146 "%s: line %d: \"use-temporary-conn\" must appear before target definitions\n",
1151 switch ( check_true_false( argv[ 1 ] ) ) {
1153 mi->mi_flags &= ~LDAP_BACK_F_USE_TEMPORARIES;
1157 mi->mi_flags |= LDAP_BACK_F_USE_TEMPORARIES;
1161 Debug( LDAP_DEBUG_ANY,
1162 "%s: line %d: \"use-temporary-conn {FALSE|true}\": invalid arg \"%s\".\n",
1163 fname, lineno, argv[ 1 ] );
1167 /* privileged connections pool max size ? */
1168 } else if ( strcasecmp( argv[ 0 ], "conn-pool-max" ) == 0 ) {
1170 Debug( LDAP_DEBUG_ANY,
1171 "%s: line %d: \"conn-pool-max <n>\" takes 1 argument\n",
1176 if ( mi->mi_ntargets > 0 ) {
1177 Debug( LDAP_DEBUG_ANY,
1178 "%s: line %d: \"conn-pool-max\" must appear before target definitions\n",
1183 if ( lutil_atoi( &mi->mi_conn_priv_max, argv[1] )
1184 || mi->mi_conn_priv_max < LDAP_BACK_CONN_PRIV_MIN
1185 || mi->mi_conn_priv_max > LDAP_BACK_CONN_PRIV_MAX )
1187 Debug( LDAP_DEBUG_ANY,
1188 "%s: line %d: \"conn-pool-max <n>\": invalid arg \"%s\".\n",
1189 fname, lineno, argv[ 1 ] );
1193 } else if ( strcasecmp( argv[ 0 ], "cancel" ) == 0 ) {
1195 unsigned *flagsp = mi->mi_ntargets ?
1196 &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_flags
1200 Debug( LDAP_DEBUG_ANY,
1201 "%s: line %d: \"cancel {abandon|ignore|exop}\" takes 1 argument\n",
1206 if ( strcasecmp( argv[ 1 ], "abandon" ) == 0 ) {
1207 flag = LDAP_BACK_F_CANCEL_ABANDON;
1209 } else if ( strcasecmp( argv[ 1 ], "ignore" ) == 0 ) {
1210 flag = LDAP_BACK_F_CANCEL_IGNORE;
1212 } else if ( strcasecmp( argv[ 1 ], "exop" ) == 0 ) {
1213 flag = LDAP_BACK_F_CANCEL_EXOP;
1215 } else if ( strcasecmp( argv[ 1 ], "exop-discover" ) == 0 ) {
1216 flag = LDAP_BACK_F_CANCEL_EXOP_DISCOVER;
1219 Debug( LDAP_DEBUG_ANY,
1220 "%s: line %d: \"cancel {abandon|ignore|exop[-discover]}\": unknown mode \"%s\" \n",
1221 fname, lineno, argv[ 1 ] );
1225 *flagsp &= ~LDAP_BACK_F_CANCEL_MASK2;
1228 } else if ( strcasecmp( argv[ 0 ], "timeout" ) == 0 ) {
1230 time_t *tv = mi->mi_ntargets ?
1231 mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_timeout
1236 Debug( LDAP_DEBUG_ANY,
1237 "%s: line %d: \"timeout [{add|bind|delete|modify|modrdn}=]<val> [...]\" takes at least 1 argument\n",
1242 for ( c = 1; c < argc; c++ ) {
1246 sep = strchr( argv[ c ], '=' );
1247 if ( sep != NULL ) {
1248 size_t len = sep - argv[ c ];
1250 if ( strncasecmp( argv[ c ], "bind", len ) == 0 ) {
1251 t = &tv[ SLAP_OP_BIND ];
1252 /* unbind makes little sense */
1253 } else if ( strncasecmp( argv[ c ], "add", len ) == 0 ) {
1254 t = &tv[ SLAP_OP_ADD ];
1255 } else if ( strncasecmp( argv[ c ], "delete", len ) == 0 ) {
1256 t = &tv[ SLAP_OP_DELETE ];
1257 } else if ( strncasecmp( argv[ c ], "modrdn", len ) == 0 ) {
1258 t = &tv[ SLAP_OP_MODRDN ];
1259 } else if ( strncasecmp( argv[ c ], "modify", len ) == 0 ) {
1260 t = &tv[ SLAP_OP_MODIFY ];
1261 } else if ( strncasecmp( argv[ c ], "compare", len ) == 0 ) {
1262 t = &tv[ SLAP_OP_COMPARE ];
1263 } else if ( strncasecmp( argv[ c ], "search", len ) == 0 ) {
1264 t = &tv[ SLAP_OP_SEARCH ];
1265 /* abandon makes little sense */
1266 #if 0 /* not implemented yet */
1267 } else if ( strncasecmp( argv[ c ], "extended", len ) == 0 ) {
1268 t = &tv[ SLAP_OP_EXTENDED ];
1271 char buf[ SLAP_TEXT_BUFLEN ];
1272 snprintf( buf, sizeof( buf ),
1273 "unknown/unhandled operation \"%s\" for timeout #%d",
1275 Debug( LDAP_DEBUG_ANY,
1276 "%s: line %d: %s.\n",
1277 fname, lineno, buf );
1286 if ( lutil_parse_time( sep, &val ) != 0 ) {
1287 Debug( LDAP_DEBUG_ANY,
1288 "%s: line %d: unable to parse value \"%s\" for timeout.\n",
1289 fname, lineno, sep );
1299 for ( i = 0; i < SLAP_OP_LAST; i++ ) {
1300 tv[ i ] = (time_t)val;
1305 /* name to use as pseudo-root dn */
1306 } else if ( strcasecmp( argv[ 0 ], "pseudorootdn" ) == 0 ) {
1307 int i = mi->mi_ntargets - 1;
1310 Debug( LDAP_DEBUG_ANY,
1311 "%s: line %d: need \"uri\" directive first\n",
1317 Debug( LDAP_DEBUG_ANY,
1318 "%s: line %d: missing name in \"pseudorootdn <name>\" line\n",
1324 * exact replacement:
1327 idassert-bind bindmethod=simple
1328 binddn=<pseudorootdn>
1329 credentials=<pseudorootpw>
1331 flags=non-prescriptive
1332 idassert-authzFrom "dn:<rootdn>"
1334 * so that only when authc'd as <rootdn> the proxying occurs
1335 * rebinding as the <pseudorootdn> without proxyAuthz.
1338 Debug( LDAP_DEBUG_ANY,
1339 "%s: line %d: \"pseudorootdn\", \"pseudorootpw\" are no longer supported; "
1340 "use \"idassert-bind\" and \"idassert-authzFrom\" instead.\n",
1344 char binddn[ SLAP_TEXT_BUFLEN ];
1347 "bindmethod=simple",
1350 "flags=non-prescriptive",
1356 if ( BER_BVISNULL( &be->be_rootndn ) ) {
1357 Debug( LDAP_DEBUG_ANY, "%s: line %d: \"pseudorootpw\": \"rootdn\" must be defined first.\n",
1362 if ( sizeof( binddn ) <= (unsigned) snprintf( binddn,
1363 sizeof( binddn ), "binddn=%s", argv[ 1 ] ))
1365 Debug( LDAP_DEBUG_ANY, "%s: line %d: \"pseudorootdn\" too long.\n",
1369 cargv[ 2 ] = binddn;
1371 rc = mi->mi_ldap_extra->idassert_parse_cf( fname, lineno, cargc, cargv, &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_idassert );
1375 if ( mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_idassert_authz != NULL ) {
1376 Debug( LDAP_DEBUG_ANY, "%s: line %d: \"idassert-authzFrom\" already defined (discarded).\n",
1378 ber_bvarray_free( mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_idassert_authz );
1379 mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_idassert_authz = NULL;
1382 assert( !BER_BVISNULL( &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_idassert_authcDN ) );
1384 bv.bv_len = STRLENOF( "dn:" ) + be->be_rootndn.bv_len;
1385 bv.bv_val = ber_memalloc( bv.bv_len + 1 );
1386 AC_MEMCPY( bv.bv_val, "dn:", STRLENOF( "dn:" ) );
1387 AC_MEMCPY( &bv.bv_val[ STRLENOF( "dn:" ) ], be->be_rootndn.bv_val, be->be_rootndn.bv_len + 1 );
1389 ber_bvarray_add( &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_idassert_authz, &bv );
1395 /* password to use as pseudo-root */
1396 } else if ( strcasecmp( argv[ 0 ], "pseudorootpw" ) == 0 ) {
1397 int i = mi->mi_ntargets - 1;
1400 Debug( LDAP_DEBUG_ANY,
1401 "%s: line %d: need \"uri\" directive first\n",
1407 Debug( LDAP_DEBUG_ANY,
1408 "%s: line %d: missing password in \"pseudorootpw <password>\" line\n",
1413 Debug( LDAP_DEBUG_ANY,
1414 "%s: line %d: \"pseudorootdn\", \"pseudorootpw\" are no longer supported; "
1415 "use \"idassert-bind\" and \"idassert-authzFrom\" instead.\n",
1418 if ( BER_BVISNULL( &mi->mi_targets[ i ]->mt_idassert_authcDN ) ) {
1419 Debug( LDAP_DEBUG_ANY, "%s: line %d: \"pseudorootpw\": \"pseudorootdn\" must be defined first.\n",
1424 if ( !BER_BVISNULL( &mi->mi_targets[ i ]->mt_idassert_passwd ) ) {
1425 memset( mi->mi_targets[ i ]->mt_idassert_passwd.bv_val, 0,
1426 mi->mi_targets[ i ]->mt_idassert_passwd.bv_len );
1427 ber_memfree( mi->mi_targets[ i ]->mt_idassert_passwd.bv_val );
1429 ber_str2bv( argv[ 1 ], 0, 1, &mi->mi_targets[ i ]->mt_idassert_passwd );
1432 } else if ( strcasecmp( argv[ 0 ], "idassert-bind" ) == 0 ) {
1433 if ( mi->mi_ntargets == 0 ) {
1434 Debug( LDAP_DEBUG_ANY,
1435 "%s: line %d: \"idassert-bind\" "
1436 "must appear inside a target specification.\n",
1441 return mi->mi_ldap_extra->idassert_parse_cf( fname, lineno, argc, argv, &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_idassert );
1443 /* idassert-authzFrom */
1444 } else if ( strcasecmp( argv[ 0 ], "idassert-authzFrom" ) == 0 ) {
1445 if ( mi->mi_ntargets == 0 ) {
1446 Debug( LDAP_DEBUG_ANY,
1447 "%s: line %d: \"idassert-bind\" "
1448 "must appear inside a target specification.\n",
1458 Debug( LDAP_DEBUG_ANY,
1459 "%s: line %d: missing <id> in \"idassert-authzFrom <id>\".\n",
1464 Debug( LDAP_DEBUG_ANY,
1465 "%s: line %d: extra cruft after <id> in \"idassert-authzFrom <id>\".\n",
1470 return mi->mi_ldap_extra->idassert_authzfrom_parse_cf( fname, lineno, argv[ 1 ], &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_idassert );
1473 } else if ( strcasecmp( argv[ 0 ], "quarantine" ) == 0 ) {
1474 char buf[ SLAP_TEXT_BUFLEN ] = { '\0' };
1475 slap_retry_info_t *ri = mi->mi_ntargets ?
1476 &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_quarantine
1477 : &mi->mi_quarantine;
1479 if ( ( mi->mi_ntargets == 0 && META_BACK_QUARANTINE( mi ) )
1480 || ( mi->mi_ntargets > 0 && META_BACK_TGT_QUARANTINE( mi->mi_targets[ mi->mi_ntargets - 1 ] ) ) )
1482 Debug( LDAP_DEBUG_ANY,
1483 "%s: line %d: quarantine already defined.\n",
1493 Debug( LDAP_DEBUG_ANY,
1494 "%s: line %d: missing arg in \"quarantine <pattern list>\".\n",
1499 Debug( LDAP_DEBUG_ANY,
1500 "%s: line %d: extra cruft after \"quarantine <pattern list>\".\n",
1505 if ( ri != &mi->mi_quarantine ) {
1506 ri->ri_interval = NULL;
1510 if ( mi->mi_ntargets > 0 && !META_BACK_QUARANTINE( mi ) ) {
1511 ldap_pvt_thread_mutex_init( &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_quarantine_mutex );
1514 if ( mi->mi_ldap_extra->retry_info_parse( argv[ 1 ], ri, buf, sizeof( buf ) ) ) {
1515 Debug( LDAP_DEBUG_ANY,
1516 "%s line %d: %s.\n",
1517 fname, lineno, buf );
1521 if ( mi->mi_ntargets == 0 ) {
1522 mi->mi_flags |= LDAP_BACK_F_QUARANTINE;
1525 mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_flags |= LDAP_BACK_F_QUARANTINE;
1528 #ifdef SLAP_CONTROL_X_SESSION_TRACKING
1529 /* session tracking request */
1530 } else if ( strcasecmp( argv[ 0 ], "session-tracking-request" ) == 0 ) {
1531 unsigned *flagsp = mi->mi_ntargets ?
1532 &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_flags
1536 Debug( LDAP_DEBUG_ANY,
1537 "%s: line %d: \"session-tracking-request {TRUE|false}\" needs 1 argument.\n",
1542 /* this is the default; we add it because the default might change... */
1543 switch ( check_true_false( argv[ 1 ] ) ) {
1545 *flagsp |= LDAP_BACK_F_ST_REQUEST;
1549 *flagsp &= ~LDAP_BACK_F_ST_REQUEST;
1553 Debug( LDAP_DEBUG_ANY,
1554 "%s: line %d: \"session-tracking-request {TRUE|false}\": unknown argument \"%s\".\n",
1555 fname, lineno, argv[ 1 ] );
1558 #endif /* SLAP_CONTROL_X_SESSION_TRACKING */
1561 } else if ( strcasecmp( argv[ 0 ], "suffixmassage" ) == 0 ) {
1563 int i = mi->mi_ntargets - 1, c, rc;
1564 struct berval dn, nvnc, pvnc, nrnc, prnc;
1567 Debug( LDAP_DEBUG_ANY,
1568 "%s: line %d: need \"uri\" directive first\n",
1576 * suffixmassage <suffix> <massaged suffix>
1578 * the <suffix> field must be defined as a valid suffix
1579 * (or suffixAlias?) for the current database;
1580 * the <massaged suffix> shouldn't have already been
1581 * defined as a valid suffix or suffixAlias for the
1585 Debug( LDAP_DEBUG_ANY,
1586 "%s: line %d: syntax is \"suffixMassage <suffix> <massaged suffix>\"\n",
1591 ber_str2bv( argv[ 1 ], 0, 0, &dn );
1592 if ( dnPrettyNormal( NULL, &dn, &pvnc, &nvnc, NULL ) != LDAP_SUCCESS ) {
1593 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1594 "suffix \"%s\" is invalid\n",
1595 fname, lineno, argv[ 1 ] );
1599 for ( c = 0; !BER_BVISNULL( &be->be_nsuffix[ c ] ); c++ ) {
1600 if ( dnIsSuffix( &nvnc, &be->be_nsuffix[ 0 ] ) ) {
1605 if ( BER_BVISNULL( &be->be_nsuffix[ c ] ) ) {
1606 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1607 "<suffix> \"%s\" must be within the database naming context, in "
1608 "\"suffixMassage <suffix> <massaged suffix>\"\n",
1609 fname, lineno, pvnc.bv_val );
1610 free( pvnc.bv_val );
1611 free( nvnc.bv_val );
1615 ber_str2bv( argv[ 2 ], 0, 0, &dn );
1616 if ( dnPrettyNormal( NULL, &dn, &prnc, &nrnc, NULL ) != LDAP_SUCCESS ) {
1617 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1618 "massaged suffix \"%s\" is invalid\n",
1619 fname, lineno, argv[ 2 ] );
1620 free( pvnc.bv_val );
1621 free( nvnc.bv_val );
1625 tmp_bd = select_backend( &nrnc, 0 );
1626 if ( tmp_bd != NULL && tmp_bd->be_private == be->be_private ) {
1627 Debug( LDAP_DEBUG_ANY,
1628 "%s: line %d: warning: <massaged suffix> \"%s\" resolves to this database, in "
1629 "\"suffixMassage <suffix> <massaged suffix>\"\n",
1630 fname, lineno, prnc.bv_val );
1634 * The suffix massaging is emulated by means of the
1635 * rewrite capabilities
1637 rc = suffix_massage_config( mi->mi_targets[ i ]->mt_rwmap.rwm_rw,
1638 &pvnc, &nvnc, &prnc, &nrnc );
1640 free( pvnc.bv_val );
1641 free( nvnc.bv_val );
1642 free( prnc.bv_val );
1643 free( nrnc.bv_val );
1647 /* rewrite stuff ... */
1648 } else if ( strncasecmp( argv[ 0 ], "rewrite", 7 ) == 0 ) {
1649 int i = mi->mi_ntargets - 1;
1652 Debug( LDAP_DEBUG_ANY, "%s: line %d: \"rewrite\" "
1653 "statement outside target definition.\n",
1658 return rewrite_parse( mi->mi_targets[ i ]->mt_rwmap.rwm_rw,
1659 fname, lineno, argc, argv );
1661 /* objectclass/attribute mapping */
1662 } else if ( strcasecmp( argv[ 0 ], "map" ) == 0 ) {
1663 int i = mi->mi_ntargets - 1;
1666 Debug( LDAP_DEBUG_ANY,
1667 "%s: line %d: need \"uri\" directive first\n",
1672 return ldap_back_map_config( &mi->mi_targets[ i ]->mt_rwmap.rwm_oc,
1673 &mi->mi_targets[ i ]->mt_rwmap.rwm_at,
1674 fname, lineno, argc, argv );
1676 } else if ( strcasecmp( argv[ 0 ], "nretries" ) == 0 ) {
1677 int i = mi->mi_ntargets - 1;
1678 int nretries = META_RETRY_UNDEFINED;
1681 Debug( LDAP_DEBUG_ANY,
1682 "%s: line %d: need value in \"nretries <value>\"\n",
1687 if ( strcasecmp( argv[ 1 ], "forever" ) == 0 ) {
1688 nretries = META_RETRY_FOREVER;
1690 } else if ( strcasecmp( argv[ 1 ], "never" ) == 0 ) {
1691 nretries = META_RETRY_NEVER;
1694 if ( lutil_atoi( &nretries, argv[ 1 ] ) != 0 ) {
1695 Debug( LDAP_DEBUG_ANY,
1696 "%s: line %d: unable to parse value \"%s\" in \"nretries <value>\"\n",
1697 fname, lineno, argv[ 1 ] );
1703 mi->mi_nretries = nretries;
1706 mi->mi_targets[ i ]->mt_nretries = nretries;
1709 } else if ( strcasecmp( argv[ 0 ], "protocol-version" ) == 0 ) {
1710 int *version = mi->mi_ntargets ?
1711 &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_version
1715 Debug( LDAP_DEBUG_ANY,
1716 "%s: line %d: need value in \"protocol-version <version>\"\n",
1721 if ( lutil_atoi( version, argv[ 1 ] ) != 0 ) {
1722 Debug( LDAP_DEBUG_ANY,
1723 "%s: line %d: unable to parse version \"%s\" in \"protocol-version <version>\"\n",
1724 fname, lineno, argv[ 1 ] );
1728 if ( *version != 0 && ( *version < LDAP_VERSION_MIN || *version > LDAP_VERSION_MAX ) ) {
1729 Debug( LDAP_DEBUG_ANY,
1730 "%s: line %d: unsupported version \"%s\" in \"protocol-version <version>\"\n",
1731 fname, lineno, argv[ 1 ] );
1735 /* do not return search references */
1736 } else if ( strcasecmp( argv[ 0 ], "norefs" ) == 0 ) {
1737 unsigned *flagsp = mi->mi_ntargets ?
1738 &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_flags
1742 Debug( LDAP_DEBUG_ANY,
1743 "%s: line %d: \"norefs {TRUE|false}\" needs 1 argument.\n",
1748 /* this is the default; we add it because the default might change... */
1749 switch ( check_true_false( argv[ 1 ] ) ) {
1751 *flagsp |= LDAP_BACK_F_NOREFS;
1755 *flagsp &= ~LDAP_BACK_F_NOREFS;
1759 Debug( LDAP_DEBUG_ANY,
1760 "%s: line %d: \"norefs {TRUE|false}\": unknown argument \"%s\".\n",
1761 fname, lineno, argv[ 1 ] );
1765 /* do not propagate undefined search filters */
1766 } else if ( strcasecmp( argv[ 0 ], "noundeffilter" ) == 0 ) {
1767 unsigned *flagsp = mi->mi_ntargets ?
1768 &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_flags
1772 Debug( LDAP_DEBUG_ANY,
1773 "%s: line %d: \"noundeffilter {TRUE|false}\" needs 1 argument.\n",
1778 /* this is the default; we add it because the default might change... */
1779 switch ( check_true_false( argv[ 1 ] ) ) {
1781 *flagsp |= LDAP_BACK_F_NOUNDEFFILTER;
1785 *flagsp &= ~LDAP_BACK_F_NOUNDEFFILTER;
1789 Debug( LDAP_DEBUG_ANY,
1790 "%s: line %d: \"noundeffilter {TRUE|false}\": unknown argument \"%s\".\n",
1791 fname, lineno, argv[ 1 ] );
1795 #ifdef SLAPD_META_CLIENT_PR
1796 } else if ( strcasecmp( argv[ 0 ], "client-pr" ) == 0 ) {
1797 int *ps = mi->mi_ntargets ?
1798 &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_ps
1802 Debug( LDAP_DEBUG_ANY,
1803 "%s: line %d: \"client-pr {accept-unsolicited|disable|<size>}\" needs 1 argument.\n",
1808 if ( strcasecmp( argv[ 1 ], "accept-unsolicited" ) == 0 ) {
1809 *ps = META_CLIENT_PR_ACCEPT_UNSOLICITED;
1811 } else if ( strcasecmp( argv[ 1 ], "disable" ) == 0 ) {
1812 *ps = META_CLIENT_PR_DISABLE;
1814 } else if ( lutil_atoi( ps, argv[ 1 ] ) || *ps < -1 ) {
1815 Debug( LDAP_DEBUG_ANY,
1816 "%s: line %d: \"client-pr {accept-unsolicited|disable|<size>}\" invalid arg \"%s\".\n",
1817 fname, lineno, argv[ 1 ] );
1820 #endif /* SLAPD_META_CLIENT_PR */
1824 return SLAP_CONF_UNKNOWN;
1831 ldap_back_map_config(
1832 struct ldapmap *oc_map,
1833 struct ldapmap *at_map,
1839 struct ldapmap *map;
1840 struct ldapmapping *mapping;
1844 if ( argc < 3 || argc > 4 ) {
1845 Debug( LDAP_DEBUG_ANY,
1846 "%s: line %d: syntax is \"map {objectclass | attribute} [<local> | *] {<foreign> | *}\"\n",
1851 if ( strcasecmp( argv[ 1 ], "objectclass" ) == 0 ) {
1855 } else if ( strcasecmp( argv[ 1 ], "attribute" ) == 0 ) {
1859 Debug( LDAP_DEBUG_ANY, "%s: line %d: syntax is "
1860 "\"map {objectclass | attribute} [<local> | *] "
1861 "{<foreign> | *}\"\n",
1866 if ( !is_oc && map->map == NULL ) {
1867 /* only init if required */
1868 ldap_back_map_init( map, &mapping );
1871 if ( strcmp( argv[ 2 ], "*" ) == 0 ) {
1872 if ( argc < 4 || strcmp( argv[ 3 ], "*" ) == 0 ) {
1873 map->drop_missing = ( argc < 4 );
1874 goto success_return;
1876 src = dst = argv[ 3 ];
1878 } else if ( argc < 4 ) {
1884 dst = ( strcmp( argv[ 3 ], "*" ) == 0 ? src : argv[ 3 ] );
1887 if ( ( map == at_map )
1888 && ( strcasecmp( src, "objectclass" ) == 0
1889 || strcasecmp( dst, "objectclass" ) == 0 ) )
1891 Debug( LDAP_DEBUG_ANY,
1892 "%s: line %d: objectclass attribute cannot be mapped\n",
1896 mapping = (struct ldapmapping *)ch_calloc( 2,
1897 sizeof(struct ldapmapping) );
1898 if ( mapping == NULL ) {
1899 Debug( LDAP_DEBUG_ANY,
1900 "%s: line %d: out of memory\n",
1904 ber_str2bv( src, 0, 1, &mapping[ 0 ].src );
1905 ber_str2bv( dst, 0, 1, &mapping[ 0 ].dst );
1906 mapping[ 1 ].src = mapping[ 0 ].dst;
1907 mapping[ 1 ].dst = mapping[ 0 ].src;
1913 if ( src[ 0 ] != '\0' ) {
1914 if ( oc_bvfind( &mapping[ 0 ].src ) == NULL ) {
1915 Debug( LDAP_DEBUG_ANY,
1916 "%s: line %d: warning, source objectClass '%s' "
1917 "should be defined in schema\n",
1918 fname, lineno, src );
1921 * FIXME: this should become an err
1927 if ( oc_bvfind( &mapping[ 0 ].dst ) == NULL ) {
1928 Debug( LDAP_DEBUG_ANY,
1929 "%s: line %d: warning, destination objectClass '%s' "
1930 "is not defined in schema\n",
1931 fname, lineno, dst );
1935 const char *text = NULL;
1936 AttributeDescription *ad = NULL;
1938 if ( src[ 0 ] != '\0' ) {
1939 rc = slap_bv2ad( &mapping[ 0 ].src, &ad, &text );
1940 if ( rc != LDAP_SUCCESS ) {
1941 Debug( LDAP_DEBUG_ANY,
1942 "%s: line %d: warning, source attributeType '%s' "
1943 "should be defined in schema\n",
1944 fname, lineno, src );
1947 * FIXME: this should become an err
1950 * we create a fake "proxied" ad
1954 rc = slap_bv2undef_ad( &mapping[ 0 ].src,
1955 &ad, &text, SLAP_AD_PROXIED );
1956 if ( rc != LDAP_SUCCESS ) {
1957 char buf[ SLAP_TEXT_BUFLEN ];
1959 snprintf( buf, sizeof( buf ),
1960 "source attributeType \"%s\": %d (%s)",
1961 src, rc, text ? text : "" );
1962 Debug( LDAP_DEBUG_ANY,
1963 "%s: line %d: %s\n",
1964 fname, lineno, buf );
1972 rc = slap_bv2ad( &mapping[ 0 ].dst, &ad, &text );
1973 if ( rc != LDAP_SUCCESS ) {
1974 Debug( LDAP_DEBUG_ANY,
1975 "%s: line %d: warning, destination attributeType '%s' "
1976 "is not defined in schema\n",
1977 fname, lineno, dst );
1980 * we create a fake "proxied" ad
1984 rc = slap_bv2undef_ad( &mapping[ 0 ].dst,
1985 &ad, &text, SLAP_AD_PROXIED );
1986 if ( rc != LDAP_SUCCESS ) {
1987 char buf[ SLAP_TEXT_BUFLEN ];
1989 snprintf( buf, sizeof( buf ),
1990 "source attributeType \"%s\": %d (%s)\n",
1991 dst, rc, text ? text : "" );
1992 Debug( LDAP_DEBUG_ANY,
1993 "%s: line %d: %s\n",
1994 fname, lineno, buf );
2000 if ( (src[ 0 ] != '\0' && avl_find( map->map, (caddr_t)&mapping[ 0 ], mapping_cmp ) != NULL)
2001 || avl_find( map->remap, (caddr_t)&mapping[ 1 ], mapping_cmp ) != NULL)
2003 Debug( LDAP_DEBUG_ANY,
2004 "%s: line %d: duplicate mapping found.\n",
2009 if ( src[ 0 ] != '\0' ) {
2010 avl_insert( &map->map, (caddr_t)&mapping[ 0 ],
2011 mapping_cmp, mapping_dup );
2013 avl_insert( &map->remap, (caddr_t)&mapping[ 1 ],
2014 mapping_cmp, mapping_dup );
2021 ch_free( mapping[ 0 ].src.bv_val );
2022 ch_free( mapping[ 0 ].dst.bv_val );
2030 #ifdef ENABLE_REWRITE
2032 suffix_massage_regexize( const char *s )
2038 if ( s[ 0 ] == '\0' ) {
2039 return ch_strdup( "^(.+)$" );
2043 ( r = strchr( p, ',' ) ) != NULL;
2047 res = ch_calloc( sizeof( char ),
2049 + STRLENOF( "((.+),)?" )
2050 + STRLENOF( "[ ]?" ) * i
2051 + STRLENOF( "$" ) + 1 );
2053 ptr = lutil_strcopy( res, "((.+),)?" );
2055 ( r = strchr( p, ',' ) ) != NULL;
2057 ptr = lutil_strncopy( ptr, p, r - p + 1 );
2058 ptr = lutil_strcopy( ptr, "[ ]?" );
2060 if ( r[ 1 ] == ' ' ) {
2064 ptr = lutil_strcopy( ptr, p );
2073 suffix_massage_patternize( const char *s, const char *p )
2080 if ( s[ 0 ] == '\0' ) {
2084 res = ch_calloc( sizeof( char ), len + STRLENOF( "%1" ) + 1 );
2085 if ( res == NULL ) {
2089 ptr = lutil_strcopy( res, ( p[ 0 ] == '\0' ? "%2" : "%1" ) );
2090 if ( s[ 0 ] == '\0' ) {
2094 lutil_strcopy( ptr, p );
2100 suffix_massage_config(
2101 struct rewrite_info *info,
2102 struct berval *pvnc,
2103 struct berval *nvnc,
2104 struct berval *prnc,
2111 rargv[ 0 ] = "rewriteEngine";
2114 rewrite_parse( info, "<suffix massage>", ++line, 2, rargv );
2116 rargv[ 0 ] = "rewriteContext";
2117 rargv[ 1 ] = "default";
2119 rewrite_parse( info, "<suffix massage>", ++line, 2, rargv );
2121 rargv[ 0 ] = "rewriteRule";
2122 rargv[ 1 ] = suffix_massage_regexize( pvnc->bv_val );
2123 rargv[ 2 ] = suffix_massage_patternize( pvnc->bv_val, prnc->bv_val );
2126 rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
2127 ch_free( rargv[ 1 ] );
2128 ch_free( rargv[ 2 ] );
2130 if ( BER_BVISEMPTY( pvnc ) ) {
2131 rargv[ 0 ] = "rewriteRule";
2133 rargv[ 2 ] = prnc->bv_val;
2136 rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
2139 rargv[ 0 ] = "rewriteContext";
2140 rargv[ 1 ] = "searchEntryDN";
2142 rewrite_parse( info, "<suffix massage>", ++line, 2, rargv );
2144 rargv[ 0 ] = "rewriteRule";
2145 rargv[ 1 ] = suffix_massage_regexize( prnc->bv_val );
2146 rargv[ 2 ] = suffix_massage_patternize( prnc->bv_val, pvnc->bv_val );
2149 rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
2150 ch_free( rargv[ 1 ] );
2151 ch_free( rargv[ 2 ] );
2153 if ( BER_BVISEMPTY( prnc ) ) {
2154 rargv[ 0 ] = "rewriteRule";
2156 rargv[ 2 ] = pvnc->bv_val;
2159 rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
2162 /* backward compatibility */
2163 rargv[ 0 ] = "rewriteContext";
2164 rargv[ 1 ] = "searchResult";
2165 rargv[ 2 ] = "alias";
2166 rargv[ 3 ] = "searchEntryDN";
2168 rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
2170 rargv[ 0 ] = "rewriteContext";
2171 rargv[ 1 ] = "matchedDN";
2172 rargv[ 2 ] = "alias";
2173 rargv[ 3 ] = "searchEntryDN";
2175 rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
2177 rargv[ 0 ] = "rewriteContext";
2178 rargv[ 1 ] = "searchAttrDN";
2179 rargv[ 2 ] = "alias";
2180 rargv[ 3 ] = "searchEntryDN";
2182 rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
2184 /* NOTE: this corresponds to #undef'ining RWM_REFERRAL_REWRITE;
2185 * see servers/slapd/overlays/rwm.h for details */
2186 rargv[ 0 ] = "rewriteContext";
2187 rargv[ 1 ] = "referralAttrDN";
2189 rewrite_parse( info, "<suffix massage>", ++line, 2, rargv );
2191 rargv[ 0 ] = "rewriteContext";
2192 rargv[ 1 ] = "referralDN";
2194 rewrite_parse( info, "<suffix massage>", ++line, 2, rargv );
2198 #endif /* ENABLE_REWRITE */