2 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
4 * Copyright 1999-2010 The OpenLDAP Foundation.
5 * Portions Copyright 2001-2003 Pierangelo Masarati.
6 * Portions Copyright 1999-2003 Howard Chu.
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted only as authorized by the OpenLDAP
13 * A copy of this license is available in the file LICENSE in the
14 * top-level directory of the distribution or, alternatively, at
15 * <http://www.OpenLDAP.org/license.html>.
18 * This work was initially developed by the Howard Chu for inclusion
19 * in OpenLDAP Software and subsequently enhanced by Pierangelo
27 #include <ac/string.h>
28 #include <ac/socket.h>
32 #include "../back-ldap/back-ldap.h"
33 #undef ldap_debug /* silence a warning in ldap-int.h */
34 #include "../../../libraries/libldap/ldap-int.h"
35 #include "back-meta.h"
46 mt = ch_calloc( sizeof( metatarget_t ), 1 );
48 mt->mt_rwmap.rwm_rw = rewrite_info_init( REWRITE_MODE_USE_DEFAULT );
49 if ( mt->mt_rwmap.rwm_rw == NULL ) {
55 * the filter rewrite as a string must be disabled
56 * by default; it can be re-enabled by adding rules;
57 * this creates an empty rewriteContext
59 rargv[ 0 ] = "rewriteContext";
60 rargv[ 1 ] = "searchFilter";
62 rewrite_parse( mt->mt_rwmap.rwm_rw, "<suffix massage>", 1, 2, rargv );
64 rargv[ 0 ] = "rewriteContext";
65 rargv[ 1 ] = "default";
67 rewrite_parse( mt->mt_rwmap.rwm_rw, "<suffix massage>", 1, 2, rargv );
69 ldap_pvt_thread_mutex_init( &mt->mt_uri_mutex );
71 mt->mt_idassert_mode = LDAP_BACK_IDASSERT_LEGACY;
72 mt->mt_idassert_authmethod = LDAP_AUTH_NONE;
73 mt->mt_idassert_tls = SB_TLS_DEFAULT;
75 /* by default, use proxyAuthz control on each operation */
76 mt->mt_idassert_flags = LDAP_BACK_AUTH_PRESCRIPTIVE;
84 check_true_false( char *str )
86 if ( strcasecmp( str, "true" ) == 0 || strcasecmp( str, "yes" ) == 0 ) {
90 if ( strcasecmp( str, "false" ) == 0 || strcasecmp( str, "no" ) == 0 ) {
107 metainfo_t *mi = ( metainfo_t * )be->be_private;
109 assert( mi != NULL );
111 /* URI of server to query */
112 if ( strcasecmp( argv[ 0 ], "uri" ) == 0 ) {
113 int i = mi->mi_ntargets;
124 Debug( LDAP_DEBUG_ANY,
125 "%s: line %d: missing URI "
126 "in \"uri <protocol>://<server>[:port]/<naming context>\" line\n",
131 if ( be->be_nsuffix == NULL ) {
132 Debug( LDAP_DEBUG_ANY,
133 "%s: line %d: the suffix must be defined before any target.\n",
140 mi->mi_targets = ( metatarget_t ** )ch_realloc( mi->mi_targets,
141 sizeof( metatarget_t * ) * mi->mi_ntargets );
142 if ( mi->mi_targets == NULL ) {
143 Debug( LDAP_DEBUG_ANY,
144 "%s: line %d: out of memory while storing server name"
145 " in \"uri <protocol>://<server>[:port]/<naming context>\" line\n",
150 if ( meta_back_new_target( &mi->mi_targets[ i ] ) != 0 ) {
151 Debug( LDAP_DEBUG_ANY,
152 "%s: line %d: unable to init server"
153 " in \"uri <protocol>://<server>[:port]/<naming context>\" line\n",
158 mt = mi->mi_targets[ i ];
160 mt->mt_rebind_f = mi->mi_rebind_f;
161 mt->mt_urllist_f = mi->mi_urllist_f;
162 mt->mt_urllist_p = mt;
164 mt->mt_nretries = mi->mi_nretries;
165 mt->mt_quarantine = mi->mi_quarantine;
166 if ( META_BACK_QUARANTINE( mi ) ) {
167 ldap_pvt_thread_mutex_init( &mt->mt_quarantine_mutex );
169 mt->mt_flags = mi->mi_flags;
170 mt->mt_version = mi->mi_version;
171 mt->mt_network_timeout = mi->mi_network_timeout;
172 mt->mt_bind_timeout = mi->mi_bind_timeout;
173 for ( c = 0; c < SLAP_OP_LAST; c++ ) {
174 mt->mt_timeout[ c ] = mi->mi_timeout[ c ];
177 for ( c = 1; c < argc; c++ ) {
178 char **tmpuris = ldap_str2charray( argv[ c ], "\t" );
180 if ( tmpuris == NULL ) {
181 Debug( LDAP_DEBUG_ANY,
182 "%s: line %d: unable to parse URIs #%d"
183 " in \"uri <protocol>://<server>[:port]/<naming context>\" line\n",
184 fname, lineno, c - 1 );
192 ldap_charray_merge( &uris, tmpuris );
193 ldap_charray_free( tmpuris );
197 for ( c = 0; uris[ c ] != NULL; c++ ) {
203 if ( ldap_url_parselist_ext( &ludp, uris[ c ], "\t",
204 LDAP_PVT_URL_PARSE_NONE ) != LDAP_SUCCESS
205 || ludp->lud_next != NULL )
207 Debug( LDAP_DEBUG_ANY,
208 "%s: line %d: unable to parse URI #%d"
209 " in \"uri <protocol>://<server>[:port]/<naming context>\" line\n",
211 ldap_charray_free( uris );
218 * uri MUST have the <dn> part!
220 if ( ludp->lud_dn == NULL ) {
221 Debug( LDAP_DEBUG_ANY,
222 "%s: line %d: missing <naming context> "
223 " in \"uri <protocol>://<server>[:port]/<naming context>\" line\n",
225 ldap_free_urllist( ludp );
226 ldap_charray_free( uris );
231 * copies and stores uri and suffix
233 ber_str2bv( ludp->lud_dn, 0, 0, &dn );
234 rc = dnPrettyNormal( NULL, &dn, &mt->mt_psuffix,
235 &mt->mt_nsuffix, NULL );
236 if ( rc != LDAP_SUCCESS ) {
237 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
238 "target \"%s\" DN is invalid\n",
239 fname, lineno, argv[ 1 ] );
240 ldap_free_urllist( ludp );
241 ldap_charray_free( uris );
245 ludp->lud_dn[ 0 ] = '\0';
247 switch ( ludp->lud_scope ) {
248 case LDAP_SCOPE_DEFAULT:
249 mt->mt_scope = LDAP_SCOPE_SUBTREE;
252 case LDAP_SCOPE_SUBTREE:
253 case LDAP_SCOPE_SUBORDINATE:
254 mt->mt_scope = ludp->lud_scope;
258 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
259 "invalid scope for target \"%s\"\n",
260 fname, lineno, argv[ 1 ] );
261 ldap_free_urllist( ludp );
262 ldap_charray_free( uris );
267 /* check all, to apply the scope check on the first one */
268 if ( ludp->lud_dn != NULL && ludp->lud_dn[ 0 ] != '\0' ) {
269 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
270 "multiple URIs must have "
273 ldap_free_urllist( ludp );
274 ldap_charray_free( uris );
280 tmpuri = ldap_url_list2urls( ludp );
281 ldap_free_urllist( ludp );
282 if ( tmpuri == NULL ) {
283 Debug( LDAP_DEBUG_ANY, "%s: line %d: no memory?\n",
285 ldap_charray_free( uris );
288 ldap_memfree( uris[ c ] );
292 mt->mt_uri = ldap_charray2str( uris, " " );
293 ldap_charray_free( uris );
294 if ( mt->mt_uri == NULL) {
295 Debug( LDAP_DEBUG_ANY, "%s: line %d: no memory?\n",
301 * uri MUST be a branch of suffix!
303 for ( c = 0; !BER_BVISNULL( &be->be_nsuffix[ c ] ); c++ ) {
304 if ( dnIsSuffix( &mt->mt_nsuffix, &be->be_nsuffix[ c ] ) ) {
309 if ( BER_BVISNULL( &be->be_nsuffix[ c ] ) ) {
310 Debug( LDAP_DEBUG_ANY,
311 "%s: line %d: <naming context> of URI must be within the naming context of this database.\n",
316 /* subtree-exclude */
317 } else if ( strcasecmp( argv[ 0 ], "subtree-exclude" ) == 0 ) {
318 int i = mi->mi_ntargets - 1;
319 struct berval dn, ndn;
322 Debug( LDAP_DEBUG_ANY,
323 "%s: line %d: need \"uri\" directive first\n",
330 Debug( LDAP_DEBUG_ANY,
331 "%s: line %d: missing DN in \"subtree-exclude <DN>\" line\n",
339 Debug( LDAP_DEBUG_ANY,
340 "%s: line %d: too many args in \"subtree-exclude <DN>\" line\n",
345 ber_str2bv( argv[ 1 ], 0, 0, &dn );
346 if ( dnNormalize( 0, NULL, NULL, &dn, &ndn, NULL )
349 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
350 "subtree-exclude DN=\"%s\" is invalid\n",
351 fname, lineno, argv[ 1 ] );
355 if ( !dnIsSuffix( &ndn, &mi->mi_targets[ i ]->mt_nsuffix ) ) {
356 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
357 "subtree-exclude DN=\"%s\" "
358 "must be subtree of target\n",
359 fname, lineno, argv[ 1 ] );
360 ber_memfree( ndn.bv_val );
364 if ( mi->mi_targets[ i ]->mt_subtree_exclude != NULL ) {
367 for ( j = 0; !BER_BVISNULL( &mi->mi_targets[ i ]->mt_subtree_exclude[ j ] ); j++ )
369 if ( dnIsSuffix( &mi->mi_targets[ i ]->mt_subtree_exclude[ j ], &ndn ) ) {
370 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
371 "subtree-exclude DN=\"%s\" "
372 "is suffix of another subtree-exclude\n",
373 fname, lineno, argv[ 1 ] );
374 /* reject, because it might be superior
375 * to more than one subtree-exclude */
376 ber_memfree( ndn.bv_val );
379 } else if ( dnIsSuffix( &ndn, &mi->mi_targets[ i ]->mt_subtree_exclude[ j ] ) ) {
380 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
381 "another subtree-exclude is suffix of "
382 "subtree-exclude DN=\"%s\"\n",
383 fname, lineno, argv[ 1 ] );
384 ber_memfree( ndn.bv_val );
390 ber_bvarray_add( &mi->mi_targets[ i ]->mt_subtree_exclude, &ndn );
392 /* default target directive */
393 } else if ( strcasecmp( argv[ 0 ], "default-target" ) == 0 ) {
394 int i = mi->mi_ntargets - 1;
398 Debug( LDAP_DEBUG_ANY,
399 "%s: line %d: \"default-target\" alone need be"
400 " inside a \"uri\" directive\n",
404 mi->mi_defaulttarget = i;
407 if ( strcasecmp( argv[ 1 ], "none" ) == 0 ) {
409 Debug( LDAP_DEBUG_ANY,
410 "%s: line %d: \"default-target none\""
411 " should go before uri definitions\n",
414 mi->mi_defaulttarget = META_DEFAULT_TARGET_NONE;
418 if ( lutil_atoi( &mi->mi_defaulttarget, argv[ 1 ] ) != 0
419 || mi->mi_defaulttarget < 0
420 || mi->mi_defaulttarget >= i - 1 )
422 Debug( LDAP_DEBUG_ANY,
423 "%s: line %d: illegal target number %d\n",
424 fname, lineno, mi->mi_defaulttarget );
430 /* ttl of dn cache */
431 } else if ( strcasecmp( argv[ 0 ], "dncache-ttl" ) == 0 ) {
433 Debug( LDAP_DEBUG_ANY,
434 "%s: line %d: missing ttl in \"dncache-ttl <ttl>\" line\n",
439 if ( strcasecmp( argv[ 1 ], "forever" ) == 0 ) {
440 mi->mi_cache.ttl = META_DNCACHE_FOREVER;
442 } else if ( strcasecmp( argv[ 1 ], "disabled" ) == 0 ) {
443 mi->mi_cache.ttl = META_DNCACHE_DISABLED;
448 if ( lutil_parse_time( argv[ 1 ], &t ) != 0 ) {
449 Debug( LDAP_DEBUG_ANY,
450 "%s: line %d: unable to parse ttl \"%s\" in \"dncache-ttl <ttl>\" line\n",
451 fname, lineno, argv[ 1 ] );
454 mi->mi_cache.ttl = (time_t)t;
457 /* network timeout when connecting to ldap servers */
458 } else if ( strcasecmp( argv[ 0 ], "network-timeout" ) == 0 ) {
460 time_t *tp = mi->mi_ntargets ?
461 &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_network_timeout
462 : &mi->mi_network_timeout;
465 Debug( LDAP_DEBUG_ANY,
466 "%s: line %d: missing network timeout in \"network-timeout <seconds>\" line\n",
471 if ( lutil_parse_time( argv[ 1 ], &t ) ) {
472 Debug( LDAP_DEBUG_ANY,
473 "%s: line %d: unable to parse timeout \"%s\" in \"network-timeout <seconds>\" line\n",
474 fname, lineno, argv[ 1 ] );
481 /* idle timeout when connecting to ldap servers */
482 } else if ( strcasecmp( argv[ 0 ], "idle-timeout" ) == 0 ) {
487 Debug( LDAP_DEBUG_ANY,
488 "%s: line %d: missing timeout value in \"idle-timeout <seconds>\" line\n",
494 Debug( LDAP_DEBUG_ANY,
495 "%s: line %d: extra cruft after timeout value in \"idle-timeout <seconds>\" line\n",
500 if ( lutil_parse_time( argv[ 1 ], &t ) ) {
501 Debug( LDAP_DEBUG_ANY,
502 "%s: line %d: unable to parse timeout \"%s\" in \"idle-timeout <seconds>\" line\n",
503 fname, lineno, argv[ 1 ] );
508 mi->mi_idle_timeout = (time_t)t;
511 } else if ( strcasecmp( argv[ 0 ], "conn-ttl" ) == 0 ) {
516 Debug( LDAP_DEBUG_ANY,
517 "%s: line %d: missing ttl value in \"conn-ttl <seconds>\" line\n",
523 Debug( LDAP_DEBUG_ANY,
524 "%s: line %d: extra cruft after ttl value in \"conn-ttl <seconds>\" line\n",
529 if ( lutil_parse_time( argv[ 1 ], &t ) ) {
530 Debug( LDAP_DEBUG_ANY,
531 "%s: line %d: unable to parse ttl \"%s\" in \"conn-ttl <seconds>\" line\n",
532 fname, lineno, argv[ 1 ] );
537 mi->mi_conn_ttl = (time_t)t;
539 /* bind timeout when connecting to ldap servers */
540 } else if ( strcasecmp( argv[ 0 ], "bind-timeout" ) == 0 ) {
542 struct timeval *tp = mi->mi_ntargets ?
543 &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_bind_timeout
544 : &mi->mi_bind_timeout;
548 Debug( LDAP_DEBUG_ANY,
549 "%s: line %d: missing timeout value in \"bind-timeout <microseconds>\" line\n",
555 Debug( LDAP_DEBUG_ANY,
556 "%s: line %d: extra cruft after timeout value in \"bind-timeout <microseconds>\" line\n",
561 if ( lutil_atoul( &t, argv[ 1 ] ) != 0 ) {
562 Debug( LDAP_DEBUG_ANY,
563 "%s: line %d: unable to parse timeout \"%s\" in \"bind-timeout <microseconds>\" line\n",
564 fname, lineno, argv[ 1 ] );
569 tp->tv_sec = t/1000000;
570 tp->tv_usec = t%1000000;
572 /* name to use for meta_back_group */
573 } else if ( strcasecmp( argv[ 0 ], "acl-authcDN" ) == 0
574 || strcasecmp( argv[ 0 ], "binddn" ) == 0 )
576 int i = mi->mi_ntargets - 1;
580 Debug( LDAP_DEBUG_ANY,
581 "%s: line %d: need \"uri\" directive first\n",
587 Debug( LDAP_DEBUG_ANY,
588 "%s: line %d: missing name in \"binddn <name>\" line\n",
593 if ( strcasecmp( argv[ 0 ], "binddn" ) == 0 ) {
594 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
595 "\"binddn\" statement is deprecated; "
596 "use \"acl-authcDN\" instead\n",
598 /* FIXME: some day we'll need to throw an error */
601 ber_str2bv( argv[ 1 ], 0, 0, &dn );
602 if ( dnNormalize( 0, NULL, NULL, &dn, &mi->mi_targets[ i ]->mt_binddn,
603 NULL ) != LDAP_SUCCESS )
605 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
606 "bind DN '%s' is invalid\n",
607 fname, lineno, argv[ 1 ] );
611 /* password to use for meta_back_group */
612 } else if ( strcasecmp( argv[ 0 ], "acl-passwd" ) == 0
613 || strcasecmp( argv[ 0 ], "bindpw" ) == 0 )
615 int i = mi->mi_ntargets - 1;
618 Debug( LDAP_DEBUG_ANY,
619 "%s: line %d: need \"uri\" directive first\n",
625 Debug( LDAP_DEBUG_ANY,
626 "%s: line %d: missing password in \"bindpw <password>\" line\n",
631 if ( strcasecmp( argv[ 0 ], "bindpw" ) == 0 ) {
632 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
633 "\"bindpw\" statement is deprecated; "
634 "use \"acl-passwd\" instead\n",
636 /* FIXME: some day we'll need to throw an error */
639 ber_str2bv( argv[ 1 ], 0L, 1, &mi->mi_targets[ i ]->mt_bindpw );
641 /* save bind creds for referral rebinds? */
642 } else if ( strcasecmp( argv[ 0 ], "rebind-as-user" ) == 0 ) {
643 unsigned *flagsp = mi->mi_ntargets ?
644 &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_flags
648 Debug( LDAP_DEBUG_ANY,
649 "%s: line %d: \"rebind-as-user {NO|yes}\" takes 1 argument.\n",
655 Debug( LDAP_DEBUG_ANY,
656 "%s: line %d: deprecated use of \"rebind-as-user {FALSE|true}\" with no arguments.\n",
658 *flagsp |= LDAP_BACK_F_SAVECRED;
661 switch ( check_true_false( argv[ 1 ] ) ) {
663 *flagsp &= ~LDAP_BACK_F_SAVECRED;
667 *flagsp |= LDAP_BACK_F_SAVECRED;
671 Debug( LDAP_DEBUG_ANY,
672 "%s: line %d: \"rebind-as-user {FALSE|true}\" unknown argument \"%s\".\n",
673 fname, lineno, argv[ 1 ] );
678 } else if ( strcasecmp( argv[ 0 ], "chase-referrals" ) == 0 ) {
679 unsigned *flagsp = mi->mi_ntargets ?
680 &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_flags
684 Debug( LDAP_DEBUG_ANY,
685 "%s: line %d: \"chase-referrals {TRUE|false}\" needs 1 argument.\n",
690 /* this is the default; we add it because the default might change... */
691 switch ( check_true_false( argv[ 1 ] ) ) {
693 *flagsp |= LDAP_BACK_F_CHASE_REFERRALS;
697 *flagsp &= ~LDAP_BACK_F_CHASE_REFERRALS;
701 Debug( LDAP_DEBUG_ANY,
702 "%s: line %d: \"chase-referrals {TRUE|false}\": unknown argument \"%s\".\n",
703 fname, lineno, argv[ 1 ] );
707 } else if ( strcasecmp( argv[ 0 ], "tls" ) == 0 ) {
708 unsigned *flagsp = mi->mi_ntargets ?
709 &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_flags
713 if ( strcasecmp( argv[ 1 ], "start" ) == 0 ) {
714 *flagsp |= ( LDAP_BACK_F_USE_TLS | LDAP_BACK_F_TLS_CRITICAL );
717 } else if ( strcasecmp( argv[ 1 ], "try-start" ) == 0 ) {
718 *flagsp &= ~LDAP_BACK_F_TLS_CRITICAL;
719 *flagsp |= LDAP_BACK_F_USE_TLS;
721 /* propagate start tls */
722 } else if ( strcasecmp( argv[ 1 ], "propagate" ) == 0 ) {
723 *flagsp |= ( LDAP_BACK_F_PROPAGATE_TLS | LDAP_BACK_F_TLS_CRITICAL );
726 } else if ( strcasecmp( argv[ 1 ], "try-propagate" ) == 0 ) {
727 *flagsp &= ~LDAP_BACK_F_TLS_CRITICAL;
728 *flagsp |= LDAP_BACK_F_PROPAGATE_TLS;
731 Debug( LDAP_DEBUG_ANY,
732 "%s: line %d: \"tls <what>\": unknown argument \"%s\".\n",
733 fname, lineno, argv[ 1 ] );
738 metatarget_t *mt = NULL;
741 if ( mi->mi_ntargets - 1 < 0 ) {
742 Debug( LDAP_DEBUG_ANY,
743 "%s: line %d: need \"uri\" directive first\n",
748 mt = mi->mi_targets[ mi->mi_ntargets - 1 ];
750 for ( i = 2; i < argc; i++ ) {
751 if ( bindconf_tls_parse( argv[i], &mt->mt_tls ))
754 bindconf_tls_defaults( &mt->mt_tls );
757 } else if ( strcasecmp( argv[ 0 ], "t-f-support" ) == 0 ) {
758 unsigned *flagsp = mi->mi_ntargets ?
759 &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_flags
763 Debug( LDAP_DEBUG_ANY,
764 "%s: line %d: \"t-f-support {FALSE|true|discover}\" needs 1 argument.\n",
769 switch ( check_true_false( argv[ 1 ] ) ) {
771 *flagsp &= ~LDAP_BACK_F_T_F_MASK2;
775 *flagsp |= LDAP_BACK_F_T_F;
779 if ( strcasecmp( argv[ 1 ], "discover" ) == 0 ) {
780 *flagsp |= LDAP_BACK_F_T_F_DISCOVER;
783 Debug( LDAP_DEBUG_ANY,
784 "%s: line %d: unknown value \"%s\" for \"t-f-support {no|yes|discover}\".\n",
785 fname, lineno, argv[ 1 ] );
792 } else if ( strcasecmp( argv[ 0 ], "onerr" ) == 0 ) {
794 Debug( LDAP_DEBUG_ANY,
795 "%s: line %d: \"onerr {CONTINUE|report|stop}\" takes 1 argument\n",
800 if ( strcasecmp( argv[ 1 ], "continue" ) == 0 ) {
801 mi->mi_flags &= ~META_BACK_F_ONERR_MASK;
803 } else if ( strcasecmp( argv[ 1 ], "stop" ) == 0 ) {
804 mi->mi_flags |= META_BACK_F_ONERR_STOP;
806 } else if ( strcasecmp( argv[ 1 ], "report" ) == 0 ) {
807 mi->mi_flags |= META_BACK_F_ONERR_REPORT;
810 Debug( LDAP_DEBUG_ANY,
811 "%s: line %d: \"onerr {CONTINUE|report|stop}\": invalid arg \"%s\".\n",
812 fname, lineno, argv[ 1 ] );
817 } else if ( strcasecmp( argv[ 0 ], "pseudoroot-bind-defer" ) == 0
818 || strcasecmp( argv[ 0 ], "root-bind-defer" ) == 0 )
821 Debug( LDAP_DEBUG_ANY,
822 "%s: line %d: \"[pseudo]root-bind-defer {TRUE|false}\" takes 1 argument\n",
827 switch ( check_true_false( argv[ 1 ] ) ) {
829 mi->mi_flags &= ~META_BACK_F_DEFER_ROOTDN_BIND;
833 mi->mi_flags |= META_BACK_F_DEFER_ROOTDN_BIND;
837 Debug( LDAP_DEBUG_ANY,
838 "%s: line %d: \"[pseudo]root-bind-defer {TRUE|false}\": invalid arg \"%s\".\n",
839 fname, lineno, argv[ 1 ] );
844 } else if ( strcasecmp( argv[ 0 ], "single-conn" ) == 0 ) {
846 Debug( LDAP_DEBUG_ANY,
847 "%s: line %d: \"single-conn {FALSE|true}\" takes 1 argument\n",
852 if ( mi->mi_ntargets > 0 ) {
853 Debug( LDAP_DEBUG_ANY,
854 "%s: line %d: \"single-conn\" must appear before target definitions\n",
859 switch ( check_true_false( argv[ 1 ] ) ) {
861 mi->mi_flags &= ~LDAP_BACK_F_SINGLECONN;
865 mi->mi_flags |= LDAP_BACK_F_SINGLECONN;
869 Debug( LDAP_DEBUG_ANY,
870 "%s: line %d: \"single-conn {FALSE|true}\": invalid arg \"%s\".\n",
871 fname, lineno, argv[ 1 ] );
875 /* use-temporaries? */
876 } else if ( strcasecmp( argv[ 0 ], "use-temporary-conn" ) == 0 ) {
878 Debug( LDAP_DEBUG_ANY,
879 "%s: line %d: \"use-temporary-conn {FALSE|true}\" takes 1 argument\n",
884 if ( mi->mi_ntargets > 0 ) {
885 Debug( LDAP_DEBUG_ANY,
886 "%s: line %d: \"use-temporary-conn\" must appear before target definitions\n",
891 switch ( check_true_false( argv[ 1 ] ) ) {
893 mi->mi_flags &= ~LDAP_BACK_F_USE_TEMPORARIES;
897 mi->mi_flags |= LDAP_BACK_F_USE_TEMPORARIES;
901 Debug( LDAP_DEBUG_ANY,
902 "%s: line %d: \"use-temporary-conn {FALSE|true}\": invalid arg \"%s\".\n",
903 fname, lineno, argv[ 1 ] );
907 /* privileged connections pool max size ? */
908 } else if ( strcasecmp( argv[ 0 ], "conn-pool-max" ) == 0 ) {
910 Debug( LDAP_DEBUG_ANY,
911 "%s: line %d: \"conn-pool-max <n>\" takes 1 argument\n",
916 if ( mi->mi_ntargets > 0 ) {
917 Debug( LDAP_DEBUG_ANY,
918 "%s: line %d: \"conn-pool-max\" must appear before target definitions\n",
923 if ( lutil_atoi( &mi->mi_conn_priv_max, argv[1] )
924 || mi->mi_conn_priv_max < LDAP_BACK_CONN_PRIV_MIN
925 || mi->mi_conn_priv_max > LDAP_BACK_CONN_PRIV_MAX )
927 Debug( LDAP_DEBUG_ANY,
928 "%s: line %d: \"conn-pool-max <n>\": invalid arg \"%s\".\n",
929 fname, lineno, argv[ 1 ] );
933 } else if ( strcasecmp( argv[ 0 ], "cancel" ) == 0 ) {
935 unsigned *flagsp = mi->mi_ntargets ?
936 &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_flags
940 Debug( LDAP_DEBUG_ANY,
941 "%s: line %d: \"cancel {abandon|ignore|exop}\" takes 1 argument\n",
946 if ( strcasecmp( argv[ 1 ], "abandon" ) == 0 ) {
947 flag = LDAP_BACK_F_CANCEL_ABANDON;
949 } else if ( strcasecmp( argv[ 1 ], "ignore" ) == 0 ) {
950 flag = LDAP_BACK_F_CANCEL_IGNORE;
952 } else if ( strcasecmp( argv[ 1 ], "exop" ) == 0 ) {
953 flag = LDAP_BACK_F_CANCEL_EXOP;
955 } else if ( strcasecmp( argv[ 1 ], "exop-discover" ) == 0 ) {
956 flag = LDAP_BACK_F_CANCEL_EXOP_DISCOVER;
959 Debug( LDAP_DEBUG_ANY,
960 "%s: line %d: \"cancel {abandon|ignore|exop[-discover]}\": unknown mode \"%s\" \n",
961 fname, lineno, argv[ 1 ] );
965 *flagsp &= ~LDAP_BACK_F_CANCEL_MASK2;
968 } else if ( strcasecmp( argv[ 0 ], "timeout" ) == 0 ) {
970 time_t *tv = mi->mi_ntargets ?
971 mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_timeout
976 Debug( LDAP_DEBUG_ANY,
977 "%s: line %d: \"timeout [{add|bind|delete|modify|modrdn}=]<val> [...]\" takes at least 1 argument\n",
982 for ( c = 1; c < argc; c++ ) {
986 sep = strchr( argv[ c ], '=' );
988 size_t len = sep - argv[ c ];
990 if ( strncasecmp( argv[ c ], "bind", len ) == 0 ) {
991 t = &tv[ SLAP_OP_BIND ];
992 /* unbind makes little sense */
993 } else if ( strncasecmp( argv[ c ], "add", len ) == 0 ) {
994 t = &tv[ SLAP_OP_ADD ];
995 } else if ( strncasecmp( argv[ c ], "delete", len ) == 0 ) {
996 t = &tv[ SLAP_OP_DELETE ];
997 } else if ( strncasecmp( argv[ c ], "modrdn", len ) == 0 ) {
998 t = &tv[ SLAP_OP_MODRDN ];
999 } else if ( strncasecmp( argv[ c ], "modify", len ) == 0 ) {
1000 t = &tv[ SLAP_OP_MODIFY ];
1001 } else if ( strncasecmp( argv[ c ], "compare", len ) == 0 ) {
1002 t = &tv[ SLAP_OP_COMPARE ];
1003 } else if ( strncasecmp( argv[ c ], "search", len ) == 0 ) {
1004 t = &tv[ SLAP_OP_SEARCH ];
1005 /* abandon makes little sense */
1006 #if 0 /* not implemented yet */
1007 } else if ( strncasecmp( argv[ c ], "extended", len ) == 0 ) {
1008 t = &tv[ SLAP_OP_EXTENDED ];
1011 char buf[ SLAP_TEXT_BUFLEN ];
1012 snprintf( buf, sizeof( buf ),
1013 "unknown/unhandled operation \"%s\" for timeout #%d",
1015 Debug( LDAP_DEBUG_ANY,
1016 "%s: line %d: %s.\n",
1017 fname, lineno, buf );
1026 if ( lutil_parse_time( sep, &val ) != 0 ) {
1027 Debug( LDAP_DEBUG_ANY,
1028 "%s: line %d: unable to parse value \"%s\" for timeout.\n",
1029 fname, lineno, sep );
1039 for ( i = 0; i < SLAP_OP_LAST; i++ ) {
1040 tv[ i ] = (time_t)val;
1045 /* name to use as pseudo-root dn */
1046 } else if ( strcasecmp( argv[ 0 ], "pseudorootdn" ) == 0 ) {
1047 int i = mi->mi_ntargets - 1;
1050 Debug( LDAP_DEBUG_ANY,
1051 "%s: line %d: need \"uri\" directive first\n",
1057 Debug( LDAP_DEBUG_ANY,
1058 "%s: line %d: missing name in \"pseudorootdn <name>\" line\n",
1064 * exact replacement:
1067 idassert-bind bindmethod=simple
1068 binddn=<pseudorootdn>
1069 credentials=<pseudorootpw>
1071 flags=non-prescriptive
1072 idassert-authzFrom "dn:<rootdn>"
1074 * so that only when authc'd as <rootdn> the proxying occurs
1075 * rebinding as the <pseudorootdn> without proxyAuthz.
1078 Debug( LDAP_DEBUG_ANY,
1079 "%s: line %d: \"pseudorootdn\", \"pseudorootpw\" are no longer supported; "
1080 "use \"idassert-bind\" and \"idassert-authzFrom\" instead.\n",
1084 char binddn[ SLAP_TEXT_BUFLEN ];
1087 "bindmethod=simple",
1090 "flags=non-prescriptive",
1096 if ( BER_BVISNULL( &be->be_rootndn ) ) {
1097 Debug( LDAP_DEBUG_ANY, "%s: line %d: \"pseudorootpw\": \"rootdn\" must be defined first.\n",
1102 if ( sizeof( binddn ) <= (unsigned) snprintf( binddn,
1103 sizeof( binddn ), "binddn=%s", argv[ 1 ] ))
1105 Debug( LDAP_DEBUG_ANY, "%s: line %d: \"pseudorootdn\" too long.\n",
1109 cargv[ 2 ] = binddn;
1111 rc = mi->mi_ldap_extra->idassert_parse_cf( fname, lineno, cargc, cargv, &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_idassert );
1115 if ( mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_idassert_authz != NULL ) {
1116 Debug( LDAP_DEBUG_ANY, "%s: line %d: \"idassert-authzFrom\" already defined (discarded).\n",
1118 ber_bvarray_free( mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_idassert_authz );
1119 mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_idassert_authz = NULL;
1122 assert( !BER_BVISNULL( &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_idassert_authcDN ) );
1124 bv.bv_len = STRLENOF( "dn:" ) + be->be_rootndn.bv_len;
1125 bv.bv_val = ber_memalloc( bv.bv_len + 1 );
1126 AC_MEMCPY( bv.bv_val, "dn:", STRLENOF( "dn:" ) );
1127 AC_MEMCPY( &bv.bv_val[ STRLENOF( "dn:" ) ], be->be_rootndn.bv_val, be->be_rootndn.bv_len + 1 );
1129 ber_bvarray_add( &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_idassert_authz, &bv );
1135 /* password to use as pseudo-root */
1136 } else if ( strcasecmp( argv[ 0 ], "pseudorootpw" ) == 0 ) {
1137 int i = mi->mi_ntargets - 1;
1140 Debug( LDAP_DEBUG_ANY,
1141 "%s: line %d: need \"uri\" directive first\n",
1147 Debug( LDAP_DEBUG_ANY,
1148 "%s: line %d: missing password in \"pseudorootpw <password>\" line\n",
1153 Debug( LDAP_DEBUG_ANY,
1154 "%s: line %d: \"pseudorootdn\", \"pseudorootpw\" are no longer supported; "
1155 "use \"idassert-bind\" and \"idassert-authzFrom\" instead.\n",
1158 if ( BER_BVISNULL( &mi->mi_targets[ i ]->mt_idassert_authcDN ) ) {
1159 Debug( LDAP_DEBUG_ANY, "%s: line %d: \"pseudorootpw\": \"pseudorootdn\" must be defined first.\n",
1164 if ( !BER_BVISNULL( &mi->mi_targets[ i ]->mt_idassert_passwd ) ) {
1165 memset( mi->mi_targets[ i ]->mt_idassert_passwd.bv_val, 0,
1166 mi->mi_targets[ i ]->mt_idassert_passwd.bv_len );
1167 ber_memfree( mi->mi_targets[ i ]->mt_idassert_passwd.bv_val );
1169 ber_str2bv( argv[ 1 ], 0, 1, &mi->mi_targets[ i ]->mt_idassert_passwd );
1172 } else if ( strcasecmp( argv[ 0 ], "idassert-bind" ) == 0 ) {
1173 if ( mi->mi_ntargets == 0 ) {
1174 Debug( LDAP_DEBUG_ANY,
1175 "%s: line %d: \"idassert-bind\" "
1176 "must appear inside a target specification.\n",
1181 return mi->mi_ldap_extra->idassert_parse_cf( fname, lineno, argc, argv, &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_idassert );
1183 /* idassert-authzFrom */
1184 } else if ( strcasecmp( argv[ 0 ], "idassert-authzFrom" ) == 0 ) {
1185 if ( mi->mi_ntargets == 0 ) {
1186 Debug( LDAP_DEBUG_ANY,
1187 "%s: line %d: \"idassert-bind\" "
1188 "must appear inside a target specification.\n",
1198 Debug( LDAP_DEBUG_ANY,
1199 "%s: line %d: missing <id> in \"idassert-authzFrom <id>\".\n",
1204 Debug( LDAP_DEBUG_ANY,
1205 "%s: line %d: extra cruft after <id> in \"idassert-authzFrom <id>\".\n",
1210 return mi->mi_ldap_extra->idassert_authzfrom_parse_cf( fname, lineno, argv[ 1 ], &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_idassert );
1213 } else if ( strcasecmp( argv[ 0 ], "quarantine" ) == 0 ) {
1214 char buf[ SLAP_TEXT_BUFLEN ] = { '\0' };
1215 slap_retry_info_t *ri = mi->mi_ntargets ?
1216 &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_quarantine
1217 : &mi->mi_quarantine;
1219 if ( ( mi->mi_ntargets == 0 && META_BACK_QUARANTINE( mi ) )
1220 || ( mi->mi_ntargets > 0 && META_BACK_TGT_QUARANTINE( mi->mi_targets[ mi->mi_ntargets - 1 ] ) ) )
1222 Debug( LDAP_DEBUG_ANY,
1223 "%s: line %d: quarantine already defined.\n",
1233 Debug( LDAP_DEBUG_ANY,
1234 "%s: line %d: missing arg in \"quarantine <pattern list>\".\n",
1239 Debug( LDAP_DEBUG_ANY,
1240 "%s: line %d: extra cruft after \"quarantine <pattern list>\".\n",
1245 if ( ri != &mi->mi_quarantine ) {
1246 ri->ri_interval = NULL;
1250 if ( mi->mi_ntargets > 0 && !META_BACK_QUARANTINE( mi ) ) {
1251 ldap_pvt_thread_mutex_init( &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_quarantine_mutex );
1254 if ( mi->mi_ldap_extra->retry_info_parse( argv[ 1 ], ri, buf, sizeof( buf ) ) ) {
1255 Debug( LDAP_DEBUG_ANY,
1256 "%s line %d: %s.\n",
1257 fname, lineno, buf );
1261 if ( mi->mi_ntargets == 0 ) {
1262 mi->mi_flags |= LDAP_BACK_F_QUARANTINE;
1265 mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_flags |= LDAP_BACK_F_QUARANTINE;
1268 #ifdef SLAP_CONTROL_X_SESSION_TRACKING
1269 /* session tracking request */
1270 } else if ( strcasecmp( argv[ 0 ], "session-tracking-request" ) == 0 ) {
1271 unsigned *flagsp = mi->mi_ntargets ?
1272 &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_flags
1276 Debug( LDAP_DEBUG_ANY,
1277 "%s: line %d: \"session-tracking-request {TRUE|false}\" needs 1 argument.\n",
1282 /* this is the default; we add it because the default might change... */
1283 switch ( check_true_false( argv[ 1 ] ) ) {
1285 *flagsp |= LDAP_BACK_F_ST_REQUEST;
1289 *flagsp &= ~LDAP_BACK_F_ST_REQUEST;
1293 Debug( LDAP_DEBUG_ANY,
1294 "%s: line %d: \"session-tracking-request {TRUE|false}\": unknown argument \"%s\".\n",
1295 fname, lineno, argv[ 1 ] );
1298 #endif /* SLAP_CONTROL_X_SESSION_TRACKING */
1301 } else if ( strcasecmp( argv[ 0 ], "suffixmassage" ) == 0 ) {
1303 int i = mi->mi_ntargets - 1, c, rc;
1304 struct berval dn, nvnc, pvnc, nrnc, prnc;
1307 Debug( LDAP_DEBUG_ANY,
1308 "%s: line %d: need \"uri\" directive first\n",
1316 * suffixmassage <suffix> <massaged suffix>
1318 * the <suffix> field must be defined as a valid suffix
1319 * (or suffixAlias?) for the current database;
1320 * the <massaged suffix> shouldn't have already been
1321 * defined as a valid suffix or suffixAlias for the
1325 Debug( LDAP_DEBUG_ANY,
1326 "%s: line %d: syntax is \"suffixMassage <suffix> <massaged suffix>\"\n",
1331 ber_str2bv( argv[ 1 ], 0, 0, &dn );
1332 if ( dnPrettyNormal( NULL, &dn, &pvnc, &nvnc, NULL ) != LDAP_SUCCESS ) {
1333 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1334 "suffix \"%s\" is invalid\n",
1335 fname, lineno, argv[ 1 ] );
1339 for ( c = 0; !BER_BVISNULL( &be->be_nsuffix[ c ] ); c++ ) {
1340 if ( dnIsSuffix( &nvnc, &be->be_nsuffix[ 0 ] ) ) {
1345 if ( BER_BVISNULL( &be->be_nsuffix[ c ] ) ) {
1346 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1347 "<suffix> \"%s\" must be within the database naming context, in "
1348 "\"suffixMassage <suffix> <massaged suffix>\"\n",
1349 fname, lineno, pvnc.bv_val );
1350 free( pvnc.bv_val );
1351 free( nvnc.bv_val );
1355 ber_str2bv( argv[ 2 ], 0, 0, &dn );
1356 if ( dnPrettyNormal( NULL, &dn, &prnc, &nrnc, NULL ) != LDAP_SUCCESS ) {
1357 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1358 "massaged suffix \"%s\" is invalid\n",
1359 fname, lineno, argv[ 2 ] );
1360 free( pvnc.bv_val );
1361 free( nvnc.bv_val );
1365 tmp_bd = select_backend( &nrnc, 0 );
1366 if ( tmp_bd != NULL && tmp_bd->be_private == be->be_private ) {
1367 Debug( LDAP_DEBUG_ANY,
1368 "%s: line %d: warning: <massaged suffix> \"%s\" resolves to this database, in "
1369 "\"suffixMassage <suffix> <massaged suffix>\"\n",
1370 fname, lineno, prnc.bv_val );
1374 * The suffix massaging is emulated by means of the
1375 * rewrite capabilities
1377 rc = suffix_massage_config( mi->mi_targets[ i ]->mt_rwmap.rwm_rw,
1378 &pvnc, &nvnc, &prnc, &nrnc );
1380 free( pvnc.bv_val );
1381 free( nvnc.bv_val );
1382 free( prnc.bv_val );
1383 free( nrnc.bv_val );
1387 /* rewrite stuff ... */
1388 } else if ( strncasecmp( argv[ 0 ], "rewrite", 7 ) == 0 ) {
1389 int i = mi->mi_ntargets - 1;
1392 Debug( LDAP_DEBUG_ANY, "%s: line %d: \"rewrite\" "
1393 "statement outside target definition.\n",
1398 return rewrite_parse( mi->mi_targets[ i ]->mt_rwmap.rwm_rw,
1399 fname, lineno, argc, argv );
1401 /* objectclass/attribute mapping */
1402 } else if ( strcasecmp( argv[ 0 ], "map" ) == 0 ) {
1403 int i = mi->mi_ntargets - 1;
1406 Debug( LDAP_DEBUG_ANY,
1407 "%s: line %d: need \"uri\" directive first\n",
1412 return ldap_back_map_config( &mi->mi_targets[ i ]->mt_rwmap.rwm_oc,
1413 &mi->mi_targets[ i ]->mt_rwmap.rwm_at,
1414 fname, lineno, argc, argv );
1416 } else if ( strcasecmp( argv[ 0 ], "nretries" ) == 0 ) {
1417 int i = mi->mi_ntargets - 1;
1418 int nretries = META_RETRY_UNDEFINED;
1421 Debug( LDAP_DEBUG_ANY,
1422 "%s: line %d: need value in \"nretries <value>\"\n",
1427 if ( strcasecmp( argv[ 1 ], "forever" ) == 0 ) {
1428 nretries = META_RETRY_FOREVER;
1430 } else if ( strcasecmp( argv[ 1 ], "never" ) == 0 ) {
1431 nretries = META_RETRY_NEVER;
1434 if ( lutil_atoi( &nretries, argv[ 1 ] ) != 0 ) {
1435 Debug( LDAP_DEBUG_ANY,
1436 "%s: line %d: unable to parse value \"%s\" in \"nretries <value>\"\n",
1437 fname, lineno, argv[ 1 ] );
1443 mi->mi_nretries = nretries;
1446 mi->mi_targets[ i ]->mt_nretries = nretries;
1449 } else if ( strcasecmp( argv[ 0 ], "protocol-version" ) == 0 ) {
1450 int *version = mi->mi_ntargets ?
1451 &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_version
1455 Debug( LDAP_DEBUG_ANY,
1456 "%s: line %d: need value in \"protocol-version <version>\"\n",
1461 if ( lutil_atoi( version, argv[ 1 ] ) != 0 ) {
1462 Debug( LDAP_DEBUG_ANY,
1463 "%s: line %d: unable to parse version \"%s\" in \"protocol-version <version>\"\n",
1464 fname, lineno, argv[ 1 ] );
1468 if ( *version != 0 && ( *version < LDAP_VERSION_MIN || *version > LDAP_VERSION_MAX ) ) {
1469 Debug( LDAP_DEBUG_ANY,
1470 "%s: line %d: unsupported version \"%s\" in \"protocol-version <version>\"\n",
1471 fname, lineno, argv[ 1 ] );
1475 /* do not return search references */
1476 } else if ( strcasecmp( argv[ 0 ], "norefs" ) == 0 ) {
1477 unsigned *flagsp = mi->mi_ntargets ?
1478 &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_flags
1482 Debug( LDAP_DEBUG_ANY,
1483 "%s: line %d: \"norefs {TRUE|false}\" needs 1 argument.\n",
1488 /* this is the default; we add it because the default might change... */
1489 switch ( check_true_false( argv[ 1 ] ) ) {
1491 *flagsp |= LDAP_BACK_F_NOREFS;
1495 *flagsp &= ~LDAP_BACK_F_NOREFS;
1499 Debug( LDAP_DEBUG_ANY,
1500 "%s: line %d: \"norefs {TRUE|false}\": unknown argument \"%s\".\n",
1501 fname, lineno, argv[ 1 ] );
1505 /* do not propagate undefined search filters */
1506 } else if ( strcasecmp( argv[ 0 ], "noundeffilter" ) == 0 ) {
1507 unsigned *flagsp = mi->mi_ntargets ?
1508 &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_flags
1512 Debug( LDAP_DEBUG_ANY,
1513 "%s: line %d: \"noundeffilter {TRUE|false}\" needs 1 argument.\n",
1518 /* this is the default; we add it because the default might change... */
1519 switch ( check_true_false( argv[ 1 ] ) ) {
1521 *flagsp |= LDAP_BACK_F_NOUNDEFFILTER;
1525 *flagsp &= ~LDAP_BACK_F_NOUNDEFFILTER;
1529 Debug( LDAP_DEBUG_ANY,
1530 "%s: line %d: \"noundeffilter {TRUE|false}\": unknown argument \"%s\".\n",
1531 fname, lineno, argv[ 1 ] );
1537 return SLAP_CONF_UNKNOWN;
1543 ldap_back_map_config(
1544 struct ldapmap *oc_map,
1545 struct ldapmap *at_map,
1551 struct ldapmap *map;
1552 struct ldapmapping *mapping;
1556 if ( argc < 3 || argc > 4 ) {
1557 Debug( LDAP_DEBUG_ANY,
1558 "%s: line %d: syntax is \"map {objectclass | attribute} [<local> | *] {<foreign> | *}\"\n",
1563 if ( strcasecmp( argv[ 1 ], "objectclass" ) == 0 ) {
1567 } else if ( strcasecmp( argv[ 1 ], "attribute" ) == 0 ) {
1571 Debug( LDAP_DEBUG_ANY, "%s: line %d: syntax is "
1572 "\"map {objectclass | attribute} [<local> | *] "
1573 "{<foreign> | *}\"\n",
1578 if ( !is_oc && map->map == NULL ) {
1579 /* only init if required */
1580 ldap_back_map_init( map, &mapping );
1583 if ( strcmp( argv[ 2 ], "*" ) == 0 ) {
1584 if ( argc < 4 || strcmp( argv[ 3 ], "*" ) == 0 ) {
1585 map->drop_missing = ( argc < 4 );
1586 goto success_return;
1588 src = dst = argv[ 3 ];
1590 } else if ( argc < 4 ) {
1596 dst = ( strcmp( argv[ 3 ], "*" ) == 0 ? src : argv[ 3 ] );
1599 if ( ( map == at_map )
1600 && ( strcasecmp( src, "objectclass" ) == 0
1601 || strcasecmp( dst, "objectclass" ) == 0 ) )
1603 Debug( LDAP_DEBUG_ANY,
1604 "%s: line %d: objectclass attribute cannot be mapped\n",
1608 mapping = (struct ldapmapping *)ch_calloc( 2,
1609 sizeof(struct ldapmapping) );
1610 if ( mapping == NULL ) {
1611 Debug( LDAP_DEBUG_ANY,
1612 "%s: line %d: out of memory\n",
1616 ber_str2bv( src, 0, 1, &mapping[ 0 ].src );
1617 ber_str2bv( dst, 0, 1, &mapping[ 0 ].dst );
1618 mapping[ 1 ].src = mapping[ 0 ].dst;
1619 mapping[ 1 ].dst = mapping[ 0 ].src;
1625 if ( src[ 0 ] != '\0' ) {
1626 if ( oc_bvfind( &mapping[ 0 ].src ) == NULL ) {
1627 Debug( LDAP_DEBUG_ANY,
1628 "%s: line %d: warning, source objectClass '%s' "
1629 "should be defined in schema\n",
1630 fname, lineno, src );
1633 * FIXME: this should become an err
1639 if ( oc_bvfind( &mapping[ 0 ].dst ) == NULL ) {
1640 Debug( LDAP_DEBUG_ANY,
1641 "%s: line %d: warning, destination objectClass '%s' "
1642 "is not defined in schema\n",
1643 fname, lineno, dst );
1647 const char *text = NULL;
1648 AttributeDescription *ad = NULL;
1650 if ( src[ 0 ] != '\0' ) {
1651 rc = slap_bv2ad( &mapping[ 0 ].src, &ad, &text );
1652 if ( rc != LDAP_SUCCESS ) {
1653 Debug( LDAP_DEBUG_ANY,
1654 "%s: line %d: warning, source attributeType '%s' "
1655 "should be defined in schema\n",
1656 fname, lineno, src );
1659 * FIXME: this should become an err
1662 * we create a fake "proxied" ad
1666 rc = slap_bv2undef_ad( &mapping[ 0 ].src,
1667 &ad, &text, SLAP_AD_PROXIED );
1668 if ( rc != LDAP_SUCCESS ) {
1669 char buf[ SLAP_TEXT_BUFLEN ];
1671 snprintf( buf, sizeof( buf ),
1672 "source attributeType \"%s\": %d (%s)",
1673 src, rc, text ? text : "" );
1674 Debug( LDAP_DEBUG_ANY,
1675 "%s: line %d: %s\n",
1676 fname, lineno, buf );
1684 rc = slap_bv2ad( &mapping[ 0 ].dst, &ad, &text );
1685 if ( rc != LDAP_SUCCESS ) {
1686 Debug( LDAP_DEBUG_ANY,
1687 "%s: line %d: warning, destination attributeType '%s' "
1688 "is not defined in schema\n",
1689 fname, lineno, dst );
1692 * we create a fake "proxied" ad
1696 rc = slap_bv2undef_ad( &mapping[ 0 ].dst,
1697 &ad, &text, SLAP_AD_PROXIED );
1698 if ( rc != LDAP_SUCCESS ) {
1699 char buf[ SLAP_TEXT_BUFLEN ];
1701 snprintf( buf, sizeof( buf ),
1702 "source attributeType \"%s\": %d (%s)\n",
1703 dst, rc, text ? text : "" );
1704 Debug( LDAP_DEBUG_ANY,
1705 "%s: line %d: %s\n",
1706 fname, lineno, buf );
1712 if ( (src[ 0 ] != '\0' && avl_find( map->map, (caddr_t)&mapping[ 0 ], mapping_cmp ) != NULL)
1713 || avl_find( map->remap, (caddr_t)&mapping[ 1 ], mapping_cmp ) != NULL)
1715 Debug( LDAP_DEBUG_ANY,
1716 "%s: line %d: duplicate mapping found.\n",
1721 if ( src[ 0 ] != '\0' ) {
1722 avl_insert( &map->map, (caddr_t)&mapping[ 0 ],
1723 mapping_cmp, mapping_dup );
1725 avl_insert( &map->remap, (caddr_t)&mapping[ 1 ],
1726 mapping_cmp, mapping_dup );
1733 ch_free( mapping[ 0 ].src.bv_val );
1734 ch_free( mapping[ 0 ].dst.bv_val );
1742 #ifdef ENABLE_REWRITE
1744 suffix_massage_regexize( const char *s )
1750 if ( s[ 0 ] == '\0' ) {
1751 return ch_strdup( "^(.+)$" );
1755 ( r = strchr( p, ',' ) ) != NULL;
1759 res = ch_calloc( sizeof( char ),
1761 + STRLENOF( "((.+),)?" )
1762 + STRLENOF( "[ ]?" ) * i
1763 + STRLENOF( "$" ) + 1 );
1765 ptr = lutil_strcopy( res, "((.+),)?" );
1767 ( r = strchr( p, ',' ) ) != NULL;
1769 ptr = lutil_strncopy( ptr, p, r - p + 1 );
1770 ptr = lutil_strcopy( ptr, "[ ]?" );
1772 if ( r[ 1 ] == ' ' ) {
1776 ptr = lutil_strcopy( ptr, p );
1785 suffix_massage_patternize( const char *s, const char *p )
1792 if ( s[ 0 ] == '\0' ) {
1796 res = ch_calloc( sizeof( char ), len + STRLENOF( "%1" ) + 1 );
1797 if ( res == NULL ) {
1801 ptr = lutil_strcopy( res, ( p[ 0 ] == '\0' ? "%2" : "%1" ) );
1802 if ( s[ 0 ] == '\0' ) {
1806 lutil_strcopy( ptr, p );
1812 suffix_massage_config(
1813 struct rewrite_info *info,
1814 struct berval *pvnc,
1815 struct berval *nvnc,
1816 struct berval *prnc,
1823 rargv[ 0 ] = "rewriteEngine";
1826 rewrite_parse( info, "<suffix massage>", ++line, 2, rargv );
1828 rargv[ 0 ] = "rewriteContext";
1829 rargv[ 1 ] = "default";
1831 rewrite_parse( info, "<suffix massage>", ++line, 2, rargv );
1833 rargv[ 0 ] = "rewriteRule";
1834 rargv[ 1 ] = suffix_massage_regexize( pvnc->bv_val );
1835 rargv[ 2 ] = suffix_massage_patternize( pvnc->bv_val, prnc->bv_val );
1838 rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
1839 ch_free( rargv[ 1 ] );
1840 ch_free( rargv[ 2 ] );
1842 if ( BER_BVISEMPTY( pvnc ) ) {
1843 rargv[ 0 ] = "rewriteRule";
1845 rargv[ 2 ] = prnc->bv_val;
1848 rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
1851 rargv[ 0 ] = "rewriteContext";
1852 rargv[ 1 ] = "searchEntryDN";
1854 rewrite_parse( info, "<suffix massage>", ++line, 2, rargv );
1856 rargv[ 0 ] = "rewriteRule";
1857 rargv[ 1 ] = suffix_massage_regexize( prnc->bv_val );
1858 rargv[ 2 ] = suffix_massage_patternize( prnc->bv_val, pvnc->bv_val );
1861 rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
1862 ch_free( rargv[ 1 ] );
1863 ch_free( rargv[ 2 ] );
1865 if ( BER_BVISEMPTY( prnc ) ) {
1866 rargv[ 0 ] = "rewriteRule";
1868 rargv[ 2 ] = pvnc->bv_val;
1871 rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
1874 /* backward compatibility */
1875 rargv[ 0 ] = "rewriteContext";
1876 rargv[ 1 ] = "searchResult";
1877 rargv[ 2 ] = "alias";
1878 rargv[ 3 ] = "searchEntryDN";
1880 rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
1882 rargv[ 0 ] = "rewriteContext";
1883 rargv[ 1 ] = "matchedDN";
1884 rargv[ 2 ] = "alias";
1885 rargv[ 3 ] = "searchEntryDN";
1887 rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
1889 rargv[ 0 ] = "rewriteContext";
1890 rargv[ 1 ] = "searchAttrDN";
1891 rargv[ 2 ] = "alias";
1892 rargv[ 3 ] = "searchEntryDN";
1894 rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
1896 /* NOTE: this corresponds to #undef'ining RWM_REFERRAL_REWRITE;
1897 * see servers/slapd/overlays/rwm.h for details */
1898 rargv[ 0 ] = "rewriteContext";
1899 rargv[ 1 ] = "referralAttrDN";
1901 rewrite_parse( info, "<suffix massage>", ++line, 2, rargv );
1903 rargv[ 0 ] = "rewriteContext";
1904 rargv[ 1 ] = "referralDN";
1906 rewrite_parse( info, "<suffix massage>", ++line, 2, rargv );
1910 #endif /* ENABLE_REWRITE */
projects / openldap / blob