2 * Copyright 1998-2001 The OpenLDAP Foundation, All Rights Reserved.
3 * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
5 * Copyright 2001, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
7 * This work has been developed to fulfill the requirements
8 * of SysNet s.n.c. <http:www.sys-net.it> and it has been donated
9 * to the OpenLDAP Foundation in the hope that it may be useful
10 * to the Open Source community, but WITHOUT ANY WARRANTY.
12 * Permission is granted to anyone to use this software for any purpose
13 * on any computer system, and to alter it and redistribute it, subject
14 * to the following restrictions:
16 * 1. The author and SysNet s.n.c. are not responsible for the consequences
17 * of use of this software, no matter how awful, even if they arise from
20 * 2. The origin of this software must not be misrepresented, either by
21 * explicit claim or by omission. Since few users ever read sources,
22 * credits should appear in the documentation.
24 * 3. Altered versions must be plainly marked as such, and must not be
25 * misrepresented as being the original software. Since few users
26 * ever read sources, credits should appear in the documentation.
27 * SysNet s.n.c. cannot be responsible for the consequences of the
30 * 4. This notice may not be removed or altered.
33 * This software is based on the backend back-ldap, implemented
34 * by Howard Chu <hyc@highlandsun.com>, and modified by Mark Valence
35 * <kurash@sassafras.com>, Pierangelo Masarati <ando@sys-net.it> and other
36 * contributors. The contribution of the original software to the present
37 * implementation is acknowledged in this copyright statement.
39 * A special acknowledgement goes to Howard for the overall architecture
40 * (and for borrowing large pieces of code), and to Mark, who implemented
41 * from scratch the attribute/objectclass mapping.
43 * The original copyright statement follows.
45 * Copyright 1999, Howard Chu, All rights reserved. <hyc@highlandsun.com>
47 * Permission is granted to anyone to use this software for any purpose
48 * on any computer system, and to alter it and redistribute it, subject
49 * to the following restrictions:
51 * 1. The author is not responsible for the consequences of use of this
52 * software, no matter how awful, even if they arise from flaws in it.
54 * 2. The origin of this software must not be misrepresented, either by
55 * explicit claim or by omission. Since few users ever read sources,
56 * credits should appear in the documentation.
58 * 3. Altered versions must be plainly marked as such, and must not be
59 * misrepresented as being the original software. Since few users
60 * ever read sources, credits should appear in the
63 * 4. This notice may not be removed or altered.
71 #include <ac/socket.h>
72 #include <ac/string.h>
75 #include "../back-ldap/back-ldap.h"
76 #include "back-meta.h"
79 /* return 0 IFF op_dn is a value in group_at (member) attribute
80 * of entry with gr_dn AND that entry has an objectClass
81 * value of group_oc (groupOfNames)
91 ObjectClass *group_oc,
92 AttributeDescription *group_at
95 struct metainfo *li = ( struct metainfo * )be->be_private;
96 int rc = 1, candidate;
100 AttributeDescription *ad_objectClass = slap_schema.si_ad_objectClass;
105 char *mop_ndn, *mgr_ndn;
107 char *group_oc_name = NULL;
108 char *group_at_name = group_at->ad_cname->bv_val;
110 if ( group_oc->soc_names && group_oc->soc_names[ 0 ] ) {
111 group_oc_name = group_oc->soc_names[ 0 ];
113 group_oc_name = group_oc->soc_oid;
116 if ( target != NULL && strcmp( target->e_ndn, gr_ndn ) == 0 ) {
117 /* we already have a copy of the entry */
118 /* attribute and objectclass mapping has already been done */
121 * first we need to check if the objectClass attribute
122 * has been retrieved; otherwise we need to repeat the search
124 attr = attr_find( target->e_attrs, ad_objectClass );
125 if ( attr != NULL ) {
128 * Now we can check for the group objectClass value
130 if ( !is_entry_objectclass( target, group_oc ) ) {
135 * This part has been reworked: the group attr compare
136 * fails only if the attribute is PRESENT but the value
137 * is NOT PRESENT; if the attribute is NOT PRESENT, the
138 * search must be repeated as well.
139 * This may happen if a search for an entry has already
140 * been performed (target is not null) but the group
141 * attribute has not been required
143 attr = attr_find( target->e_attrs, group_at );
144 if ( attr != NULL ) {
145 bv.bv_val = ( char * )op_ndn;
146 bv.bv_len = strlen( op_ndn );
147 rc = value_find( group_at, attr->a_vals, &bv );
148 if ( rc != LDAP_SUCCESS ) {
152 } /* else: repeat the search */
153 } /* else: repeat the search */
154 } /* else: do the search */
156 candidate = meta_back_select_unique_candidate( li, gr_ndn );
157 if ( candidate == -1 ) {
162 * Rewrite the op ndn if needed
164 switch ( rewrite_session( li->targets[ candidate ]->rwinfo, "bindDn",
165 op_ndn, conn, &mop_ndn ) ) {
166 case REWRITE_REGEXEC_OK:
167 if ( mop_ndn == NULL ) {
168 mop_ndn = ( char * )op_ndn;
170 Debug( LDAP_DEBUG_ARGS,
171 "rw> bindDn (op ndn in group):"
172 " \"%s\" -> \"%s\"\n%s",
173 op_ndn, mop_ndn, "" );
176 case REWRITE_REGEXEC_UNWILLING:
177 /* continues to next case */
179 case REWRITE_REGEXEC_ERR:
184 * Rewrite the gr ndn if needed
186 switch ( rewrite_session( li->targets[ candidate ]->rwinfo,
188 gr_ndn, conn, &mgr_ndn ) ) {
189 case REWRITE_REGEXEC_OK:
190 if ( mgr_ndn == NULL ) {
191 mgr_ndn = ( char * )gr_ndn;
193 Debug( LDAP_DEBUG_ARGS,
194 "rw> searchBase (gr ndn in group):"
195 " \"%s\" -> \"%s\"\n%s",
196 gr_ndn, mgr_ndn, "" );
199 case REWRITE_REGEXEC_UNWILLING:
200 /* continues to next case */
202 case REWRITE_REGEXEC_ERR:
206 group_oc_name = ldap_back_map( &li->targets[ candidate ]->oc_map,
208 if ( group_oc_name == NULL ) {
211 group_at_name = ldap_back_map( &li->targets[ candidate ]->at_map,
213 if ( group_at_name == NULL ) {
217 filter = ch_malloc( sizeof( "(&(objectclass=)(=))" )
218 + strlen( group_oc_name )
219 + strlen( group_at_name )
220 + strlen( mop_ndn ) + 1 );
221 if ( filter == NULL ) {
225 rc = ldap_initialize( &ld, li->targets[ candidate ]->uri );
226 if ( rc != LDAP_SUCCESS ) {
230 rc = ldap_bind_s( ld, li->targets[ candidate ]->binddn,
231 li->targets[ candidate ]->bindpw, LDAP_AUTH_SIMPLE );
232 if ( rc != LDAP_SUCCESS ) {
236 strcpy( filter, "(&(objectclass=" );
237 strcat( filter, group_oc_name );
238 strcat( filter, ")(" );
239 strcat( filter, group_at_name );
240 strcat( filter, "=" );
241 strcat( filter, mop_ndn );
242 strcat( filter, "))" );
244 gattr[ 0 ] = "objectclass";
247 if ( ldap_search_ext_s( ld, mgr_ndn, LDAP_SCOPE_BASE, filter,
248 gattr, 0, NULL, NULL, LDAP_NO_LIMIT,
249 LDAP_NO_LIMIT, &result ) == LDAP_SUCCESS ) {
250 if ( ldap_first_entry( ld, result ) != NULL ) {
253 ldap_msgfree( result );
260 if ( filter != NULL ) {
263 if ( mop_ndn != op_ndn ) {
266 if ( mgr_ndn != gr_ndn ) {