2 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
4 * Copyright 1999-2005 The OpenLDAP Foundation.
5 * Portions Copyright 1999 Dmitry Kovalev.
6 * Portions Copyright 2002 Pierangelo Mararati.
7 * Portions Copyright 2004 Mark Adamson.
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted only as authorized by the OpenLDAP
14 * A copy of this license is available in the file LICENSE in the
15 * top-level directory of the distribution or, alternatively, at
16 * <http://www.OpenLDAP.org/license.html>.
19 * This work was initially developed by Dmitry Kovalev for inclusion
20 * by OpenLDAP Software. Additional significant contributors include
21 * Pierangelo Masarati and Mark Adamson.
24 * The following changes have been addressed:
27 * - re-styled code for better readability
28 * - upgraded backend API to reflect recent changes
29 * - LDAP schema is checked when loading SQL/LDAP mapping
30 * - AttributeDescription/ObjectClass pointers used for more efficient
32 * - bervals used where string length is required often
33 * - atomized write operations by committing at the end of each operation
34 * and defaulting connection closure to rollback
35 * - added LDAP access control to write operations
36 * - fully implemented modrdn (with rdn attrs change, deleteoldrdn,
37 * access check, parent/children check and more)
38 * - added parent access control, children control to delete operation
39 * - added structuralObjectClass operational attribute check and
40 * value return on search
41 * - added hasSubordinate operational attribute on demand
42 * - search limits are appropriately enforced
43 * - function backsql_strcat() has been made more efficient
44 * - concat function has been made configurable by means of a pattern
45 * - added config switches:
46 * - fail_if_no_mapping write operations fail if there is no mapping
47 * - has_ldapinfo_dn_ru overrides autodetect
48 * - concat_pattern a string containing two '?' is used
49 * (note that "?||?" should be more portable
50 * than builtin function "CONCAT(?,?)")
51 * - strcast_func cast of string constants in "SELECT DISTINCT
52 * statements (needed by PostgreSQL)
53 * - upper_needs_cast cast the argument of upper when required
54 * (basically when building dn substring queries)
55 * - added noop control
56 * - added values return filter control
57 * - hasSubordinate can be used in search filters (with limitations)
58 * - eliminated oc->name; use oc->oc->soc_cname instead
61 * - add security checks for SQL statements that can be injected (?)
62 * - re-test with previously supported RDBMs
63 * - replace dn_ru and so with normalized dn (no need for upper() and so
65 * - implement a backsql_normalize() function to replace the upper()
67 * - note that subtree deletion, subtree renaming and so could be easily
68 * implemented (rollback and consistency checks are available :)
69 * - implement "lastmod" and other operational stuff (ldap_entries table ?)
70 * - check how to allow multiple operations with one statement, to remove
71 * BACKSQL_REALLOC_STMT from modify.c (a more recent unixODBC lib?)
74 * Improvements submitted by (ITS#3432)
76 * 1. id_query.patch applied (with changes)
77 * 2. shortcut.patch applied (reworked)
78 * 3. create_hint.patch applied
79 * 4. count_query.patch applied (reworked)
80 * 5. returncodes.patch applied (with sanity checks)
81 * 6. connpool.patch under evaluation
82 * 7. modoc.patch under evaluation (requires
83 * manageDSAit and "manage"
85 * 8. miscfixes.patch applied (reworked; other
86 * operations need to load the
87 * entire entry for ACL purposes;
88 * see ITS#3480, now fixed)
90 * original description:
92 Changes that were made to the SQL backend.
94 The patches were made against 2.2.18 and can be applied individually,
95 but would best be applied in the numerical order of the file names.
96 A synopsis of each patch is given here:
99 1. Added an option to set SQL query for the "id_query" operation.
101 2. Added an option to the SQL backend called "use_subtree_shortcut".
102 When a search is performed, the SQL query includes a WHERE clause
103 which says the DN must be "LIKE %<searchbase>". The LIKE operation
104 can be slow in an RDBM. This shortcut option says that if the
105 searchbase of the LDAP search is the root DN of the SQL backend,
106 and thus all objects will match the LIKE operator, do not include
107 the "LIKE %<searchbase>" clause in the SQL query (it is replaced
108 instead by the always true "1=1" clause to keep the "AND"'s
109 working correctly). This option is off by default, and should be
110 turned on only if all objects to be found in the RDBM are under the
111 same root DN. Multiple backends working within the same RDBM table
112 space would encounter problems. LDAP searches whose searchbase are
113 not at the root DN will bypass this shortcut and employ the LIKE
116 3. Added a "create_hint" column to ldap_oc_mappings table. Allows
117 taking the value of an attr named in "create_hint" and passing it to
118 the create_proc procedure. This is necessary for when an objectClass's
119 table is partition indexed by some indexing column and thus the value
120 in that indexing column cannot change after the row is created. The
121 value for the indexed column is passed into the create_proc, which
122 uses it to fill in the indexed column as the new row is created.
124 4. When loading the values of an attribute, the count(*) of the number
125 of values is fetched first and memory is allocated for the array of
126 values and normalized values. The old system of loading the values one
127 by one and running realloc() on the array of values and normalized
128 values each time was badly fragmenting memory. The array of values and
129 normalized values would be side by side in memory, and realloc()'ing
130 them over and over would force them to leapfrog each other through all
131 of available memory. Attrs with a large number of values could not be
132 loaded without crashing the slapd daemon.
134 5. Added code to interpret the value returned by stored procedures
135 which have expect_return set. Returned value is interpreted as an LDAP
136 return code. This allows the distinction between the SQL failing to
137 execute and the SQL running to completion and returning an error code
138 which can indicate a policy violation.
140 6. Added RDBM connection pooling. Once an operation is finished the
141 connection to the RDBM is returned to a pool rather than closing.
142 Allows the next operation to skip the initialization and authentication
143 phases of contacting the RDBM. Also, if licensing with ODBC places
144 a limit on the number of connections, an LDAP thread can block waiting
145 for another thread to finish, so that no LDAP errors are returned
146 for having more LDAP connections than allowed RDBM connections. An
147 RDBM connection which receives an SQL error is marked as "tainted"
148 so that it will be closed rather than returned to the pool.
149 Also, RDBM connections must be bound to a given LDAP connection AND
150 operation number, and NOT just the connection number. Asynchronous
151 LDAP clients can have multiple simultaneous LDAP operations which
152 should not share the same RDBM connection. A given LDAP operation can
153 even make multiple SQL operations (e.g. a BIND operation which
154 requires SASL to perform an LDAP search to convert the SASL ID to an
155 LDAP DN), so each RDBM connection now has a refcount that must reach
156 zero before the connection is returned to the free pool.
158 7. Added ability to change the objectClass of an object. Required
159 considerable work to copy all attributes out of old object and into
160 new object. Does a schema check before proceeding. Creates a new
161 object, fills it in, deletes the old object, then changes the
162 oc_map_id and keyval of the entry in the "ldap_entries" table.
164 8. Generic fixes. Includes initializing pointers before they
165 get used in error branch cases, pointer checks before dereferencing,
166 resetting a return code to success after a COMPARE op, sealing
167 memory leaks, and in search.c, changing some of the "1=1" tests to
168 "2=2", "3=3", etc so that when reading slapd trace output, the
169 location in the source code where the x=x test was added to the SQL
170 can be easily distinguished.
173 #ifndef __BACKSQL_H__
174 #define __BACKSQL_H__
176 /* former sql-types.h */
185 SQLINTEGER *value_len;
189 * Better use the standard length of 8192 (as of slap.h)?
191 * NOTE: must be consistent with definition in ldap_entries table
193 /* #define BACKSQL_MAX_DN_LEN SLAP_LDAPDN_MAXLEN */
194 #define BACKSQL_MAX_DN_LEN 255
197 * define to enable very extensive trace logging (debug only)
202 * define if using MS SQL and workaround needed (see sql-wrap.c)
204 #undef BACKSQL_MSSQL_WORKAROUND
207 * define to enable values counting for attributes
209 #define BACKSQL_COUNTQUERY
212 * define to enable prettification/validation of values
214 #define BACKSQL_PRETTY_VALIDATE
217 * define to enable varchars as unique keys in user tables
219 * by default integers are used (and recommended)
220 * for performances. Integers are used anyway in back-sql
223 #undef BACKSQL_ARBITRARY_KEY
226 * define to enable experimental support for syncporv overlay
229 #define BACKSQL_SYNCPROV
230 #endif /* LDAP_DEVEL */
233 * define to the appropriate aliasing string
235 * some RDBMSes tolerate (or require) that " AS " is not used
236 * when aliasing tables/columns
238 #define BACKSQL_ALIASING "AS "
239 /* #define BACKSQL_ALIASING "" */
242 * define to the appropriate quoting char
244 * some RDBMSes tolerate/require that the aliases be enclosed
245 * in quotes. This is especially true for those that do not
246 * allow keywords used as aliases.
248 #define BACKSQL_ALIASING_QUOTE ""
249 /* #define BACKSQL_ALIASING_QUOTE "\"" */
250 /* #define BACKSQL_ALIASING_QUOTE "'" */
255 * a simple mechanism to allow DN mucking between the LDAP
256 * and the stored string representation.
258 typedef struct backsql_api {
260 int (*ba_config)( struct backsql_api *self, int argc, char *argv[] );
261 int (*ba_destroy)( struct backsql_api *self );
263 int (*ba_dn2odbc)( Operation *op, SlapReply *rs, struct berval *dn );
264 int (*ba_odbc2dn)( Operation *op, SlapReply *rs, struct berval *dn );
267 struct backsql_api *ba_next;
273 typedef struct backsql_entryID {
274 /* #define BACKSQL_ARBITRARY_KEY to allow a non-numeric key.
275 * It is required by some special applications that use
276 * strings as keys for the main table.
277 * In this case, #define BACKSQL_MAX_KEY_LEN consistently
278 * with the key size definition */
279 #ifdef BACKSQL_ARBITRARY_KEY
280 struct berval eid_id;
281 struct berval eid_keyval;
282 #define BACKSQL_MAX_KEY_LEN 64
283 #else /* ! BACKSQL_ARBITRARY_KEY */
284 /* The original numeric key is maintained as default. */
285 unsigned long eid_id;
286 unsigned long eid_keyval;
287 #endif /* ! BACKSQL_ARBITRARY_KEY */
289 unsigned long eid_oc_id;
290 struct berval eid_dn;
291 struct berval eid_ndn;
292 struct backsql_entryID *eid_next;
295 #ifdef BACKSQL_ARBITRARY_KEY
296 #define BACKSQL_ENTRYID_INIT { BER_BVNULL, BER_BVNULL, 0, BER_BVNULL, BER_BVNULL, NULL }
297 #else /* ! BACKSQL_ARBITRARY_KEY */
298 #define BACKSQL_ENTRYID_INIT { 0, 0, 0, BER_BVNULL, BER_BVNULL, NULL }
299 #endif /* BACKSQL_ARBITRARY_KEY */
302 * "structural" objectClass mapping structure
304 typedef struct backsql_oc_map_rec {
306 * Structure of corresponding LDAP objectClass definition
309 #define BACKSQL_OC_NAME(ocmap) ((ocmap)->bom_oc->soc_cname.bv_val)
311 struct berval bom_keytbl;
312 struct berval bom_keycol;
313 /* expected to return keyval of newly created entry */
314 char *bom_create_proc;
315 /* in case create_proc does not return the keyval of the newly
317 char *bom_create_keyval;
318 /* supposed to expect keyval as parameter and delete
319 * all the attributes as well */
320 char *bom_delete_proc;
321 /* flags whether delete_proc is a function (whether back-sql
322 * should bind first parameter as output for return code) */
323 int bom_expect_return;
324 unsigned long bom_id;
326 AttributeDescription *bom_create_hint;
327 } backsql_oc_map_rec;
330 * attributeType mapping structure
332 typedef struct backsql_at_map_rec {
333 /* Description of corresponding LDAP attribute type */
334 AttributeDescription *bam_ad;
335 /* ObjectClass if bam_ad is objectClass */
338 struct berval bam_from_tbls;
339 struct berval bam_join_where;
340 struct berval bam_sel_expr;
342 /* TimesTen, or, if a uppercase function is defined,
343 * an uppercased version of bam_sel_expr */
344 struct berval bam_sel_expr_u;
346 /* supposed to expect 2 binded values: entry keyval
347 * and attr. value to add, like "add_name(?,?,?)" */
349 /* supposed to expect 2 binded values: entry keyval
350 * and attr. value to delete */
351 char *bam_delete_proc;
352 /* for optimization purposes attribute load query
353 * is preconstructed from parts on schemamap load time */
355 #ifdef BACKSQL_COUNTQUERY
356 char *bam_countquery;
357 #endif /* BACKSQL_COUNTQUERY */
358 /* following flags are bitmasks (first bit used for add_proc,
359 * second - for delete_proc) */
360 /* order of parameters for procedures above;
361 * 1 means "data then keyval", 0 means "keyval then data" */
363 /* flags whether one or more of procedures is a function
364 * (whether back-sql should bind first parameter as output
365 * for return code) */
366 int bam_expect_return;
368 /* next mapping for attribute */
369 struct backsql_at_map_rec *bam_next;
370 } backsql_at_map_rec;
372 #define BACKSQL_AT_MAP_REC_INIT { NULL, NULL, BER_BVC(""), BER_BVC(""), BER_BVNULL, BER_BVNULL, NULL, NULL, NULL, 0, 0, NULL }
374 /* define to uppercase filters only if the matching rule requires it
375 * (currently broken) */
376 /* #define BACKSQL_UPPERCASE_FILTER */
378 #define BACKSQL_AT_CANUPPERCASE(at) ( !BER_BVISNULL( &(at)->bam_sel_expr_u ) )
380 /* defines to support bitmasks above */
381 #define BACKSQL_ADD 0x1
382 #define BACKSQL_DEL 0x2
384 #define BACKSQL_IS_ADD(x) ( ( BACKSQL_ADD & (x) ) == BACKSQL_ADD )
385 #define BACKSQL_IS_DEL(x) ( ( BACKSQL_DEL & (x) ) == BACKSQL_DEL )
387 #define BACKSQL_NCMP(v1,v2) ber_bvcmp((v1),(v2))
389 #define BACKSQL_CONCAT
391 * berbuf structure: a berval with a buffer size associated
393 typedef struct berbuf {
394 struct berval bb_val;
398 #define BB_NULL { BER_BVNULL, 0 }
400 /* the function must collect the entry associated to nbase */
401 #define BACKSQL_ISF_GET_ID 0x1U
402 #define BACKSQL_ISF_GET_ENTRY ( 0x2U | BACKSQL_ISF_GET_ID )
403 #define BACKSQL_ISF_MATCHED 0x4U
404 #define BACKSQL_IS_GET_ID(f) \
405 ( ( (f) & BACKSQL_ISF_GET_ID ) == BACKSQL_ISF_GET_ID )
406 #define BACKSQL_IS_GET_ENTRY(f) \
407 ( ( (f) & BACKSQL_ISF_GET_ENTRY ) == BACKSQL_ISF_GET_ENTRY )
408 #define BACKSQL_IS_MATCHED(f) \
409 ( ( (f) & BACKSQL_ISF_MATCHED ) == BACKSQL_ISF_MATCHED )
410 typedef struct backsql_srch_info {
415 #define BSQL_SF_NONE 0x0000U
416 #define BSQL_SF_ALL_USER 0x0001U
417 #define BSQL_SF_ALL_OPER 0x0002U
418 #define BSQL_SF_ALL_ATTRS (BSQL_SF_ALL_USER|BSQL_SF_ALL_OPER)
419 #define BSQL_SF_FILTER_HASSUBORDINATE 0x0010U
420 #define BSQL_SF_FILTER_ENTRYUUID 0x0020U
421 #define BSQL_SF_FILTER_ENTRYCSN 0x0040U
422 #define BSQL_SF_RETURN_ENTRYUUID (BSQL_SF_FILTER_ENTRYUUID << 8)
423 #define BSQL_ISF(bsi, f) ( ( (bsi)->bsi_flags & f ) == f )
424 #define BSQL_ISF_ALL_USER(bsi) BSQL_ISF(bsi, BSQL_SF_ALL_USER)
425 #define BSQL_ISF_ALL_OPER(bsi) BSQL_ISF(bsi, BSQL_SF_ALL_OPER)
426 #define BSQL_ISF_ALL_ATTRS(bsi) BSQL_ISF(bsi, BSQL_SF_ALL_ATTRS)
428 struct berval *bsi_base_ndn;
429 int bsi_use_subtree_shortcut;
430 backsql_entryID bsi_base_id;
432 /* BACKSQL_SCOPE_BASE_LIKE can be set by API in ors_scope
433 * whenever the search base DN contains chars that cannot
434 * be mapped into the charset used in the RDBMS; so they're
435 * turned into '%' and an approximate ('LIKE') condition
437 #define BACKSQL_SCOPE_BASE_LIKE ( LDAP_SCOPE_BASE | 0x1000 )
443 backsql_entryID *bsi_id_list,
446 int bsi_n_candidates;
450 backsql_oc_map_rec *bsi_oc;
451 struct berbuf bsi_sel,
455 ObjectClass *bsi_filter_oc;
457 AttributeName *bsi_attrs;
463 * Backend private data structure
465 typedef struct backsql_info {
473 * SQL condition for subtree searches differs in syntax:
474 * "LIKE CONCAT('%',?)" or "LIKE '%'+?" or "LIKE '%'||?"
477 struct berval sql_subtree_cond;
478 struct berval sql_children_cond;
481 char *sql_insentry_stmt,
484 *sql_delobjclasses_stmt;
486 char *sql_has_children_query;
488 MatchingRule *sql_caseIgnoreMatch;
489 MatchingRule *sql_telephoneNumberMatch;
491 struct berval sql_upper_func;
492 struct berval sql_upper_func_open;
493 struct berval sql_upper_func_close;
494 BerVarray sql_concat_func;
495 struct berval sql_strcast_func;
497 AttributeName *sql_anlist;
499 unsigned int sql_flags;
500 #define BSQLF_SCHEMA_LOADED 0x0001
501 #define BSQLF_UPPER_NEEDS_CAST 0x0002
502 #define BSQLF_CREATE_NEEDS_SELECT 0x0004
503 #define BSQLF_FAIL_IF_NO_MAPPING 0x0008
504 #define BSQLF_HAS_LDAPINFO_DN_RU 0x0010
505 #define BSQLF_DONTCHECK_LDAPINFO_DN_RU 0x0020
506 #define BSQLF_USE_REVERSE_DN 0x0040
507 #define BSQLF_ALLOW_ORPHANS 0x0080
508 #define BSQLF_USE_SUBTREE_SHORTCUT 0x0100
509 #define BSQLF_FETCH_ALL_USERATTRS 0x0200
510 #define BSQLF_FETCH_ALL_OPATTRS 0x0400
511 #define BSQLF_FETCH_ALL_ATTRS (BSQLF_FETCH_ALL_USERATTRS|BSQLF_FETCH_ALL_OPATTRS)
513 #define BACKSQL_ISF(si, f) \
514 (((si)->sql_flags & f) == f)
516 #define BACKSQL_SCHEMA_LOADED(si) \
517 BACKSQL_ISF(si, BSQLF_SCHEMA_LOADED)
518 #define BACKSQL_UPPER_NEEDS_CAST(si) \
519 BACKSQL_ISF(si, BSQLF_UPPER_NEEDS_CAST)
520 #define BACKSQL_CREATE_NEEDS_SELECT(si) \
521 BACKSQL_ISF(si, BSQLF_CREATE_NEEDS_SELECT)
522 #define BACKSQL_FAIL_IF_NO_MAPPING(si) \
523 BACKSQL_ISF(si, BSQLF_FAIL_IF_NO_MAPPING)
524 #define BACKSQL_HAS_LDAPINFO_DN_RU(si) \
525 BACKSQL_ISF(si, BSQLF_HAS_LDAPINFO_DN_RU)
526 #define BACKSQL_DONTCHECK_LDAPINFO_DN_RU(si) \
527 BACKSQL_ISF(si, BSQLF_DONTCHECK_LDAPINFO_DN_RU)
528 #define BACKSQL_USE_REVERSE_DN(si) \
529 BACKSQL_ISF(si, BSQLF_USE_REVERSE_DN)
530 #define BACKSQL_CANUPPERCASE(si) \
531 (!BER_BVISNULL( &(si)->sql_upper_func ))
532 #define BACKSQL_ALLOW_ORPHANS(si) \
533 BACKSQL_ISF(si, BSQLF_ALLOW_ORPHANS)
534 #define BACKSQL_USE_SUBTREE_SHORTCUT(si) \
535 BACKSQL_ISF(si, BSQLF_USE_SUBTREE_SHORTCUT)
536 #define BACKSQL_FETCH_ALL_USERATTRS(si) \
537 BACKSQL_ISF(si, BSQLF_FETCH_ALL_USERATTRS)
538 #define BACKSQL_FETCH_ALL_OPATTRS(si) \
539 BACKSQL_ISF(si, BSQLF_FETCH_ALL_OPATTRS)
540 #define BACKSQL_FETCH_ALL_ATTRS(si) \
541 BACKSQL_ISF(si, BSQLF_FETCH_ALL_ATTRS)
543 Entry *sql_baseObject;
544 #ifdef BACKSQL_ARBITRARY_KEY
545 #define BACKSQL_BASEOBJECT_IDSTR "baseObject"
546 #define BACKSQL_BASEOBJECT_KEYVAL BACKSQL_BASEOBJECT_IDSTR
547 #define BACKSQL_IS_BASEOBJECT_ID(id) (bvmatch((id), &backsql_baseObject_bv))
548 #else /* ! BACKSQL_ARBITRARY_KEY */
549 #define BACKSQL_BASEOBJECT_ID 0
550 #define BACKSQL_BASEOBJECT_IDSTR LDAP_XSTRING(BACKSQL_BASEOBJECT_ID)
551 #define BACKSQL_BASEOBJECT_KEYVAL 0
552 #define BACKSQL_IS_BASEOBJECT_ID(id) (*(id) == BACKSQL_BASEOBJECT_ID)
553 #endif /* ! BACKSQL_ARBITRARY_KEY */
554 #define BACKSQL_BASEOBJECT_OC 0
556 Avlnode *sql_db_conns;
557 Avlnode *sql_oc_by_oc;
558 Avlnode *sql_oc_by_id;
559 ldap_pvt_thread_mutex_t sql_dbconn_mutex;
560 ldap_pvt_thread_mutex_t sql_schema_mutex;
563 backsql_api *sql_api;
566 #define BACKSQL_SUCCESS( rc ) \
567 ( (rc) == SQL_SUCCESS || (rc) == SQL_SUCCESS_WITH_INFO )
569 #define BACKSQL_AVL_STOP 0
570 #define BACKSQL_AVL_CONTINUE 1
572 /* see ldap.h for the meaning of the macros and of the values */
573 #define BACKSQL_LEGAL_ERROR( rc ) \
574 ( LDAP_RANGE( (rc), 0x00, 0x0e ) \
575 || LDAP_ATTR_ERROR( (rc) ) \
576 || LDAP_NAME_ERROR( (rc) ) \
577 || LDAP_SECURITY_ERROR( (rc) ) \
578 || LDAP_SERVICE_ERROR( (rc) ) \
579 || LDAP_UPDATE_ERROR( (rc) ) )
580 #define BACKSQL_SANITIZE_ERROR( rc ) \
581 ( BACKSQL_LEGAL_ERROR( (rc) ) ? (rc) : LDAP_OTHER )
583 #endif /* __BACKSQL_H__ */
projects / openldap / blob