1 /* database.c - deals with database subsystem */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
5 * Copyright 2001-2004 The OpenLDAP Foundation.
6 * Portions Copyright 2001-2003 Pierangelo Masarati.
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted only as authorized by the OpenLDAP
13 * A copy of this license is available in file LICENSE in the
14 * top-level directory of the distribution or, alternatively, at
15 * <http://www.OpenLDAP.org/license.html>.
18 * This work was initially developed by Pierangelo Masarati for inclusion
19 * in OpenLDAP Software.
25 #include <ac/string.h>
28 #include "back-monitor.h"
30 #if defined(LDAP_SLAPI)
32 static int monitor_back_add_plugin( Backend *be, Entry *e );
33 #endif /* defined(LDAP_SLAPI) */
35 #if defined(SLAPD_LDAP)
36 #include "../back-ldap/back-ldap.h"
37 #endif /* defined(SLAPD_LDAP) */
39 static struct restricted_ops_t {
42 } restricted_ops[] = {
43 { BER_BVC( "add" ), SLAP_RESTRICT_OP_ADD },
44 { BER_BVC( "bind" ), SLAP_RESTRICT_OP_BIND },
45 { BER_BVC( "compare" ), SLAP_RESTRICT_OP_COMPARE },
46 { BER_BVC( "delete" ), SLAP_RESTRICT_OP_DELETE },
47 { BER_BVC( "extended" ), SLAP_RESTRICT_OP_EXTENDED },
48 { BER_BVC( "modify" ), SLAP_RESTRICT_OP_MODIFY },
49 { BER_BVC( "rename" ), SLAP_RESTRICT_OP_RENAME },
50 { BER_BVC( "search" ), SLAP_RESTRICT_OP_SEARCH },
52 }, restricted_exops[] = {
53 { BER_BVC( LDAP_EXOP_START_TLS ), SLAP_RESTRICT_EXOP_START_TLS },
54 { BER_BVC( LDAP_EXOP_MODIFY_PASSWD ), SLAP_RESTRICT_EXOP_MODIFY_PASSWD },
55 { BER_BVC( LDAP_EXOP_X_WHO_AM_I ), SLAP_RESTRICT_EXOP_WHOAMI },
56 { BER_BVC( LDAP_EXOP_X_CANCEL ), SLAP_RESTRICT_EXOP_CANCEL },
61 init_readOnly( struct monitorinfo *mi, Entry *e, slap_mask_t restrictops )
63 struct berval *tf = ( ( restrictops & SLAP_RESTRICT_OP_MASK ) == SLAP_RESTRICT_OP_WRITES ) ?
64 (struct berval *)&slap_true_bv : (struct berval *)&slap_false_bv;
66 return attr_merge_one( e, mi->mi_ad_readOnly, tf, tf );
70 init_restrictedOperation( struct monitorinfo *mi, Entry *e, slap_mask_t restrictops )
74 for ( i = 0; restricted_ops[ i ].op.bv_val; i++ ) {
75 if ( restrictops & restricted_ops[ i ].tag ) {
76 rc = attr_merge_one( e, mi->mi_ad_restrictedOperation,
77 &restricted_ops[ i ].op, &restricted_ops[ i ].op );
84 for ( i = 0; restricted_exops[ i ].op.bv_val; i++ ) {
85 if ( restrictops & restricted_exops[ i ].tag ) {
86 rc = attr_merge_one( e, mi->mi_ad_restrictedOperation,
87 &restricted_exops[ i ].op, &restricted_exops[ i ].op );
98 monitor_subsys_database_init(
102 struct monitorinfo *mi;
103 Entry *e, *e_database, *e_tmp;
105 struct monitorentrypriv *mp;
107 assert( be != NULL );
109 mi = ( struct monitorinfo * )be->be_private;
111 if ( monitor_cache_get( mi,
112 &monitor_subsys[SLAPD_MONITOR_DATABASE].mss_ndn,
115 LDAP_LOG( OPERATION, CRIT,
116 "monitor_subsys_database_init: "
117 "unable to get entry '%s'\n",
118 monitor_subsys[SLAPD_MONITOR_DATABASE].mss_ndn.bv_val, 0, 0 );
120 Debug( LDAP_DEBUG_ANY,
121 "monitor_subsys_database_init: "
122 "unable to get entry '%s'\n%s%s",
123 monitor_subsys[SLAPD_MONITOR_DATABASE].mss_ndn.bv_val,
129 (void)init_readOnly( mi, e_database, global_restrictops );
130 (void)init_restrictedOperation( mi, e_database, global_restrictops );
133 for ( i = nBackendDB; i--; ) {
134 char buf[ BACKMONITOR_BUFSIZE ];
136 slap_overinfo *oi = NULL;
143 if ( strcmp( be->bd_info->bi_type, "over" ) == 0 ) {
144 oi = (slap_overinfo *)be->bd_info->bi_private;
148 /* Subordinates are not exposed as their own naming context */
149 if ( SLAP_GLUE_SUBORDINATE( be ) ) {
153 snprintf( buf, sizeof( buf ),
154 "dn: cn=Database %d,%s\n"
156 "structuralObjectClass: %s\n"
158 "description: This object contains the type of the database.\n"
160 "createTimestamp: %s\n"
161 "modifyTimestamp: %s\n",
163 monitor_subsys[SLAPD_MONITOR_DATABASE].mss_dn.bv_val,
164 mi->mi_oc_monitoredObject->soc_cname.bv_val,
165 mi->mi_oc_monitoredObject->soc_cname.bv_val,
167 mi->mi_ad_monitoredInfo->ad_cname.bv_val,
169 mi->mi_startTime.bv_val,
170 mi->mi_startTime.bv_val );
172 e = str2entry( buf );
175 LDAP_LOG( OPERATION, CRIT,
176 "monitor_subsys_database_init: "
177 "unable to create entry 'cn=Database %d,%s'\n",
178 i, monitor_subsys[SLAPD_MONITOR_DATABASE].mss_ndn.bv_val, 0 );
180 Debug( LDAP_DEBUG_ANY,
181 "monitor_subsys_database_init: "
182 "unable to create entry 'cn=Database %d,%s'\n%s",
184 monitor_subsys[SLAPD_MONITOR_DATABASE].mss_ndn.bv_val,
190 if ( SLAP_MONITOR(be) ) {
191 attr_merge( e, slap_schema.si_ad_monitorContext,
192 be->be_suffix, be->be_nsuffix );
193 attr_merge( e_database, slap_schema.si_ad_monitorContext,
194 be->be_suffix, be->be_nsuffix );
196 attr_merge( e, slap_schema.si_ad_namingContexts,
197 be->be_suffix, be->be_nsuffix );
198 attr_merge( e_database, slap_schema.si_ad_namingContexts,
199 be->be_suffix, be->be_nsuffix );
202 (void)init_readOnly( mi, e, be->be_restrictops );
203 (void)init_restrictedOperation( mi, e, be->be_restrictops );
206 slap_overinst *on = oi->oi_list;
208 for ( ; on; on = on->on_next ) {
212 bv.bv_val = on->on_bi.bi_type;
213 bv.bv_len = strlen( bv.bv_val );
214 attr_merge_normalize_one( e, mi->mi_ad_monitorOverlay,
217 for ( on2 = overlay_next( NULL ), j = 0; on2; on2 = overlay_next( on2 ), j++ ) {
218 if ( on2->on_bi.bi_type == on->on_bi.bi_type ) {
224 snprintf( buf, sizeof( buf ),
226 j, monitor_subsys[SLAPD_MONITOR_OVERLAY].mss_dn.bv_val );
228 bv.bv_len = strlen( buf );
229 attr_merge_normalize_one( e, mi->mi_ad_seeAlso,
234 #if defined(SLAPD_LDAP)
235 if ( strcmp( bi->bi_type, "ldap" ) == 0 ) {
236 struct ldapinfo *li = (struct ldapinfo *)be->be_private;
240 bv.bv_len = strlen( bv.bv_val );
241 attr_merge_normalize_one( e, mi->mi_ad_labeledURI,
244 #endif /* defined(SLAPD_LDAP) */
246 for ( j = nBackendInfo; j--; ) {
247 if ( backendInfo[ j ].bi_type == bi->bi_type ) {
250 snprintf( buf, sizeof( buf ),
252 j, monitor_subsys[SLAPD_MONITOR_BACKEND].mss_dn.bv_val );
254 bv.bv_len = strlen( buf );
255 attr_merge_normalize_one( e, mi->mi_ad_seeAlso,
260 /* we must find it! */
263 mp = ( struct monitorentrypriv * )ch_calloc( sizeof( struct monitorentrypriv ), 1 );
264 e->e_private = ( void * )mp;
266 mp->mp_children = NULL;
267 mp->mp_info = &monitor_subsys[SLAPD_MONITOR_DATABASE];
268 mp->mp_flags = monitor_subsys[SLAPD_MONITOR_DATABASE].mss_flags
271 if ( monitor_cache_add( mi, e ) ) {
273 LDAP_LOG( OPERATION, CRIT,
274 "monitor_subsys_database_init: "
275 "unable to add entry 'cn=Database %d,%s'\n",
276 i, monitor_subsys[SLAPD_MONITOR_DATABASE].mss_ndn.bv_val, 0 );
278 Debug( LDAP_DEBUG_ANY,
279 "monitor_subsys_database_init: "
280 "unable to add entry 'cn=Database %d,%s'\n",
282 monitor_subsys[SLAPD_MONITOR_DATABASE].mss_ndn.bv_val,
288 #if defined(LDAP_SLAPI)
289 monitor_back_add_plugin( be, e );
290 #endif /* defined(LDAP_SLAPI) */
295 mp = ( struct monitorentrypriv * )e_database->e_private;
296 mp->mp_children = e_tmp;
298 monitor_cache_release( mi, e_database );
305 * cur: must not contain the tags corresponding to the values in v
306 * delta: will contain the tags corresponding to the values in v
309 value_mask( BerVarray v, slap_mask_t cur, slap_mask_t *delta )
311 for ( ; !BER_BVISNULL( v ); v++ ) {
312 struct restricted_ops_t *rops;
315 if ( OID_LEADCHAR( v->bv_val[ 0 ] ) ) {
316 rops = restricted_exops;
319 rops = restricted_ops;
322 for ( i = 0; !BER_BVISNULL( &rops[ i ].op ); i++ ) {
323 if ( ber_bvstrcasecmp( v, &rops[ i ].op ) != 0 ) {
327 if ( rops[ i ].tag & *delta ) {
331 if ( rops[ i ].tag & cur ) {
335 cur |= rops[ i ].tag;
336 *delta |= rops[ i ].tag;
341 if ( BER_BVISNULL( &rops[ i ].op ) ) {
342 return LDAP_INVALID_SYNTAX;
350 monitor_subsys_database_modify(
355 struct monitorinfo *mi = (struct monitorinfo *)op->o_bd->be_private;
357 Attribute *save_attrs, *a;
358 Modifications *modlist = op->oq_modify.rs_modlist;
361 int ro_gotval = 1, i, n;
362 slap_mask_t rp_add = 0, rp_delete = 0, rp_cur;
365 i = sscanf( e->e_nname.bv_val, "cn=database %d,", &n );
367 return LDAP_UNWILLING_TO_PERFORM;
369 if ( n < 0 || n >= nBackendDB )
370 return LDAP_NO_SUCH_OBJECT;
372 /* do not allow some changes on back-monitor (needs work)... */
374 if ( SLAP_MONITOR( be ) )
375 return LDAP_UNWILLING_TO_PERFORM;
377 rp_cur = be->be_restrictops;
379 save_attrs = e->e_attrs;
380 e->e_attrs = attrs_dup( e->e_attrs );
382 for ( ml=modlist; ml; ml=ml->sml_next ) {
383 Modification *mod = &ml->sml_mod;
385 if ( mod->sm_desc == mi->mi_ad_readOnly ) {
388 if ( mod->sm_values ) {
389 if ( !BER_BVISNULL( &mod->sm_values[ 1 ] ) ) {
390 rc = LDAP_CONSTRAINT_VIOLATION;
394 if ( bvmatch( &slap_true_bv, mod->sm_values )) {
397 } else if ( bvmatch( &slap_false_bv, mod->sm_values )) {
401 rc = LDAP_INVALID_SYNTAX;
406 switch ( mod->sm_op ) {
407 case LDAP_MOD_DELETE:
408 if ( ro_gotval < 1 ) {
409 rc = LDAP_CONSTRAINT_VIOLATION;
414 if ( val == 0 && ( rp_cur & SLAP_RESTRICT_OP_WRITES ) == SLAP_RESTRICT_OP_WRITES ) {
415 rc = LDAP_NO_SUCH_ATTRIBUTE;
419 if ( val == 1 && ( rp_cur & SLAP_RESTRICT_OP_WRITES ) != SLAP_RESTRICT_OP_WRITES ) {
420 rc = LDAP_NO_SUCH_ATTRIBUTE;
426 case LDAP_MOD_REPLACE:
431 if ( ro_gotval > 0 ) {
432 rc = LDAP_CONSTRAINT_VIOLATION;
438 rp_add |= (~rp_cur) & SLAP_RESTRICT_OP_WRITES;
439 rp_cur |= SLAP_RESTRICT_OP_WRITES;
440 rp_delete &= ~SLAP_RESTRICT_OP_WRITES;
442 } else if ( val == 0 ) {
443 rp_delete |= rp_cur & SLAP_RESTRICT_OP_WRITES;
444 rp_cur &= ~SLAP_RESTRICT_OP_WRITES;
445 rp_add &= ~SLAP_RESTRICT_OP_WRITES;
454 } else if ( mod->sm_desc == mi->mi_ad_restrictedOperation ) {
455 slap_mask_t mask = 0;
457 switch ( mod->sm_op ) {
458 case LDAP_MOD_DELETE:
459 if ( mod->sm_values == NULL ) {
465 rc = value_mask( mod->sm_values, ~rp_cur, &mask );
466 if ( rc == LDAP_SUCCESS ) {
471 } else if ( rc == LDAP_OTHER ) {
472 rc = LDAP_NO_SUCH_ATTRIBUTE;
476 case LDAP_MOD_REPLACE:
483 rc = value_mask( mod->sm_values, rp_cur, &mask );
484 if ( rc == LDAP_SUCCESS ) {
489 } else if ( rc == LDAP_OTHER ) {
490 rc = LDAP_TYPE_OR_VALUE_EXISTS;
499 if ( rc != LDAP_SUCCESS ) {
503 } else if ( is_at_operational( mod->sm_desc->ad_type )) {
504 /* accept all operational attributes */
505 attr_delete( &e->e_attrs, mod->sm_desc );
506 rc = attr_merge( e, mod->sm_desc, mod->sm_values,
514 rc = LDAP_UNWILLING_TO_PERFORM;
520 if ( ro_gotval < 1 ) {
521 rc = LDAP_CONSTRAINT_VIOLATION;
525 if ( ( rp_cur & SLAP_RESTRICT_OP_EXTENDED ) && ( rp_cur & SLAP_RESTRICT_EXOP_MASK ) ) {
526 rc = LDAP_CONSTRAINT_VIOLATION;
530 if ( rp_delete & rp_add ) {
535 /* check current value of readOnly */
536 if ( ( rp_cur & SLAP_RESTRICT_OP_WRITES ) == SLAP_RESTRICT_OP_WRITES ) {
537 tf = (struct berval *)&slap_true_bv;
540 tf = (struct berval *)&slap_false_bv;
543 a = attr_find( e->e_attrs, mi->mi_ad_readOnly );
549 if ( !bvmatch( &a->a_vals[0], tf ) ) {
550 attr_delete( &e->e_attrs, mi->mi_ad_readOnly );
551 rc = attr_merge_one( e, mi->mi_ad_readOnly, tf, tf );
554 if ( rc == LDAP_SUCCESS ) {
556 if ( rp_delete == be->be_restrictops ) {
557 attr_delete( &e->e_attrs, mi->mi_ad_restrictedOperation );
560 a = attr_find( e->e_attrs, mi->mi_ad_restrictedOperation );
566 for ( i = 0; !BER_BVISNULL( &restricted_ops[ i ].op ); i++ ) {
567 if ( rp_delete & restricted_ops[ i ].tag ) {
570 for ( j = 0; !BER_BVISNULL( &a->a_nvals[ j ] ); j++ ) {
573 if ( !bvmatch( &a->a_nvals[ j ], &restricted_ops[ i ].op ) ) {
577 ch_free( a->a_vals[ j ].bv_val );
578 ch_free( a->a_nvals[ j ].bv_val );
580 for ( k = j + 1; !BER_BVISNULL( &a->a_nvals[ k ] ); k++ ) {
581 a->a_vals[ k - 1 ] = a->a_vals[ k ];
582 a->a_nvals[ k - 1 ] = a->a_nvals[ k ];
585 BER_BVZERO( &a->a_vals[ k - 1 ] );
586 BER_BVZERO( &a->a_nvals[ k - 1 ] );
591 for ( i = 0; !BER_BVISNULL( &restricted_exops[ i ].op ); i++ ) {
592 if ( rp_delete & restricted_exops[ i ].tag ) {
595 for ( j = 0; !BER_BVISNULL( &a->a_nvals[ j ] ); j++ ) {
598 if ( !bvmatch( &a->a_nvals[ j ], &restricted_exops[ i ].op ) ) {
602 ch_free( a->a_vals[ j ].bv_val );
603 ch_free( a->a_nvals[ j ].bv_val );
605 for ( k = j + 1; !BER_BVISNULL( &a->a_nvals[ k ] ); k++ ) {
606 a->a_vals[ k - 1 ] = a->a_vals[ k ];
607 a->a_nvals[ k - 1 ] = a->a_nvals[ k ];
610 BER_BVZERO( &a->a_vals[ k - 1 ] );
611 BER_BVZERO( &a->a_nvals[ k - 1 ] );
619 for ( i = 0; !BER_BVISNULL( &restricted_ops[ i ].op ); i++ ) {
620 if ( rp_add & restricted_ops[ i ].tag ) {
621 attr_merge_one( e, mi->mi_ad_restrictedOperation,
622 &restricted_ops[ i ].op, &restricted_ops[ i ].op );
626 for ( i = 0; !BER_BVISNULL( &restricted_exops[ i ].op ); i++ ) {
627 if ( rp_add & restricted_exops[ i ].tag ) {
628 attr_merge_one( e, mi->mi_ad_restrictedOperation,
629 &restricted_exops[ i ].op, &restricted_exops[ i ].op );
635 be->be_restrictops = rp_cur;
638 if ( rc == LDAP_SUCCESS ) {
639 attrs_free( save_attrs );
642 Attribute *tmp = e->e_attrs;
643 e->e_attrs = save_attrs;
649 #if defined(LDAP_SLAPI)
651 monitor_back_add_plugin( Backend *be, Entry *e_database )
653 Slapi_PBlock *pCurrentPB;
654 int i, rc = LDAP_SUCCESS;
655 struct monitorinfo *mi = ( struct monitorinfo * )be->be_private;
657 if ( slapi_int_pblock_get_first( be, &pCurrentPB ) != LDAP_SUCCESS ) {
659 * LDAP_OTHER is returned if no plugins are installed
667 Slapi_PluginDesc *srchdesc;
668 char buf[ BACKMONITOR_BUFSIZE ];
671 rc = slapi_pblock_get( pCurrentPB, SLAPI_PLUGIN_DESCRIPTION,
673 if ( rc != LDAP_SUCCESS ) {
677 snprintf( buf, sizeof(buf),
678 "plugin %d name: %s; "
684 srchdesc->spd_vendor,
685 srchdesc->spd_version,
686 srchdesc->spd_description );
689 bv.bv_len = strlen( buf );
690 attr_merge_normalize_one( e_database,
691 mi->mi_ad_monitoredInfo, &bv, NULL );
695 } while ( ( slapi_int_pblock_get_next( &pCurrentPB ) == LDAP_SUCCESS )
696 && ( pCurrentPB != NULL ) );
701 #endif /* defined(LDAP_SLAPI) */