2 * Copyright 1998-2001 The OpenLDAP Foundation, All Rights Reserved.
3 * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
5 * Copyright 2001, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
7 * This work has been developed to fulfill the requirements
8 * of SysNet s.n.c. <http:www.sys-net.it> and it has been donated
9 * to the OpenLDAP Foundation in the hope that it may be useful
10 * to the Open Source community, but WITHOUT ANY WARRANTY.
12 * Permission is granted to anyone to use this software for any purpose
13 * on any computer system, and to alter it and redistribute it, subject
14 * to the following restrictions:
16 * 1. The author and SysNet s.n.c. are not responsible for the consequences
17 * of use of this software, no matter how awful, even if they arise from
20 * 2. The origin of this software must not be misrepresented, either by
21 * explicit claim or by omission. Since few users ever read sources,
22 * credits should appear in the documentation.
24 * 3. Altered versions must be plainly marked as such, and must not be
25 * misrepresented as being the original software. Since few users
26 * ever read sources, credits should appear in the documentation.
27 * SysNet s.n.c. cannot be responsible for the consequences of the
30 * 4. This notice may not be removed or altered.
33 * This software is based on the backend back-ldap, implemented
34 * by Howard Chu <hyc@highlandsun.com>, and modified by Mark Valence
35 * <kurash@sassafras.com>, Pierangelo Masarati <ando@sys-net.it> and other
36 * contributors. The contribution of the original software to the present
37 * implementation is acknowledged in this copyright statement.
39 * A special acknowledgement goes to Howard for the overall architecture
40 * (and for borrowing large pieces of code), and to Mark, who implemented
41 * from scratch the attribute/objectclass mapping.
43 * The original copyright statement follows.
45 * Copyright 1999, Howard Chu, All rights reserved. <hyc@highlandsun.com>
47 * Permission is granted to anyone to use this software for any purpose
48 * on any computer system, and to alter it and redistribute it, subject
49 * to the following restrictions:
51 * 1. The author is not responsible for the consequences of use of this
52 * software, no matter how awful, even if they arise from flaws in it.
54 * 2. The origin of this software must not be misrepresented, either by
55 * explicit claim or by omission. Since few users ever read sources,
56 * credits should appear in the documentation.
58 * 3. Altered versions must be plainly marked as such, and must not be
59 * misrepresented as being the original software. Since few users
60 * ever read sources, credits should appear in the
63 * 4. This notice may not be removed or altered.
71 #include <ac/socket.h>
72 #include <ac/string.h>
75 #include "../back-ldap/back-ldap.h"
76 #include "back-meta.h"
79 /* return 0 IFF op_dn is a value in group_at (member) attribute
80 * of entry with gr_dn AND that entry has an objectClass
81 * value of group_oc (groupOfNames)
91 ObjectClass *group_oc,
92 AttributeDescription *group_at
95 struct metainfo *li = ( struct metainfo * )be->be_private;
96 int rc = 1, candidate;
100 AttributeDescription *ad_objectClass = slap_schema.si_ad_objectClass;
105 char *mop_ndn, *mgr_ndn;
107 char *group_oc_name = NULL;
108 char *group_at_name = group_at->ad_cname->bv_val;
110 if ( group_oc->soc_names && group_oc->soc_names[ 0 ] ) {
111 group_oc_name = group_oc->soc_names[ 0 ];
113 group_oc_name = group_oc->soc_oid;
116 if ( target != NULL && strcmp( target->e_ndn, gr_ndn ) == 0 ) {
117 /* we already have a copy of the entry */
118 /* attribute and objectclass mapping has already been done */
121 * first we need to check if the objectClass attribute
122 * has been retrieved; otherwise we need to repeat the search
124 attr = attr_find( target->e_attrs, ad_objectClass );
125 if ( attr != NULL ) {
128 * Now we can check for the group objectClass value
130 if ( !is_entry_objectclass( target, group_oc ) ) {
135 * This part has been reworked: the group attr compare
136 * fails only if the attribute is PRESENT but the value
137 * is NOT PRESENT; if the attribute is NOT PRESENT, the
138 * search must be repeated as well.
139 * This may happen if a search for an entry has already
140 * been performed (target is not null) but the group
141 * attribute has not been required
143 attr = attr_find( target->e_attrs, group_at );
144 if ( attr != NULL ) {
145 bv.bv_val = ( char * )op_ndn;
146 bv.bv_len = strlen( op_ndn );
147 rc = value_find( group_at, attr->a_vals, &bv );
148 if ( rc != LDAP_SUCCESS ) {
152 } /* else: repeat the search */
153 } /* else: repeat the search */
154 } /* else: do the search */
156 candidate = meta_back_select_unique_candidate( li, gr_ndn );
157 if ( candidate == -1 ) {
162 * Rewrite the op ndn if needed
164 switch ( rewrite_session( li->targets[ candidate ]->rwinfo, "bindDn",
165 op_ndn, conn, &mop_ndn ) ) {
166 case REWRITE_REGEXEC_OK:
167 if ( mop_ndn == NULL ) {
168 mop_ndn = ( char * )op_ndn;
171 LDAP_LOG(( "backend", LDAP_LEVEL_DETAIL1,
172 "[rw] bindDn (op ndn in group):"
175 #else /* !NEW_LOGGING */
176 Debug( LDAP_DEBUG_ARGS,
177 "rw> bindDn (op ndn in group):"
178 " \"%s\" -> \"%s\"\n%s",
179 op_ndn, mop_ndn, "" );
180 #endif /* !NEW_LOGGING */
183 case REWRITE_REGEXEC_UNWILLING:
184 /* continues to next case */
186 case REWRITE_REGEXEC_ERR:
191 * Rewrite the gr ndn if needed
193 switch ( rewrite_session( li->targets[ candidate ]->rwinfo,
195 gr_ndn, conn, &mgr_ndn ) ) {
196 case REWRITE_REGEXEC_OK:
197 if ( mgr_ndn == NULL ) {
198 mgr_ndn = ( char * )gr_ndn;
201 LDAP_LOG(( "backend", LDAP_LEVEL_DETAIL1,
202 "[rw] searchBase (gr ndn in group):"
203 " \"%s\" -> \"%s\"\n",
205 #else /* !NEW_LOGGING */
206 Debug( LDAP_DEBUG_ARGS,
207 "rw> searchBase (gr ndn in group):"
208 " \"%s\" -> \"%s\"\n%s",
209 gr_ndn, mgr_ndn, "" );
210 #endif /* !NEW_LOGGING */
213 case REWRITE_REGEXEC_UNWILLING:
214 /* continues to next case */
216 case REWRITE_REGEXEC_ERR:
220 group_oc_name = ldap_back_map( &li->targets[ candidate ]->oc_map,
222 if ( group_oc_name == NULL ) {
225 group_at_name = ldap_back_map( &li->targets[ candidate ]->at_map,
227 if ( group_at_name == NULL ) {
231 filter = ch_malloc( sizeof( "(&(objectclass=)(=))" )
232 + strlen( group_oc_name )
233 + strlen( group_at_name )
234 + strlen( mop_ndn ) + 1 );
235 if ( filter == NULL ) {
239 rc = ldap_initialize( &ld, li->targets[ candidate ]->uri );
240 if ( rc != LDAP_SUCCESS ) {
244 rc = ldap_bind_s( ld, li->targets[ candidate ]->binddn,
245 li->targets[ candidate ]->bindpw, LDAP_AUTH_SIMPLE );
246 if ( rc != LDAP_SUCCESS ) {
250 strcpy( filter, "(&(objectclass=" );
251 strcat( filter, group_oc_name );
252 strcat( filter, ")(" );
253 strcat( filter, group_at_name );
254 strcat( filter, "=" );
255 strcat( filter, mop_ndn );
256 strcat( filter, "))" );
258 gattr[ 0 ] = "objectclass";
261 if ( ldap_search_ext_s( ld, mgr_ndn, LDAP_SCOPE_BASE, filter,
262 gattr, 0, NULL, NULL, LDAP_NO_LIMIT,
263 LDAP_NO_LIMIT, &result ) == LDAP_SUCCESS ) {
264 if ( ldap_first_entry( ld, result ) != NULL ) {
267 ldap_msgfree( result );
274 if ( filter != NULL ) {
277 if ( mop_ndn != op_ndn ) {
280 if ( mgr_ndn != gr_ndn ) {