2 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
4 * Copyright 1999-2005 The OpenLDAP Foundation.
5 * Portions Copyright 1999 Dmitry Kovalev.
6 * Portions Copyright 2002 Pierangelo Mararati.
7 * Portions Copyright 2004 Mark Adamson.
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted only as authorized by the OpenLDAP
14 * A copy of this license is available in the file LICENSE in the
15 * top-level directory of the distribution or, alternatively, at
16 * <http://www.OpenLDAP.org/license.html>.
19 * This work was initially developed by Dmitry Kovalev for inclusion
20 * by OpenLDAP Software. Additional significant contributors include
21 * Pierangelo Masarati and Mark Adamson.
24 * The following changes have been addressed:
27 * - re-styled code for better readability
28 * - upgraded backend API to reflect recent changes
29 * - LDAP schema is checked when loading SQL/LDAP mapping
30 * - AttributeDescription/ObjectClass pointers used for more efficient
32 * - bervals used where string length is required often
33 * - atomized write operations by committing at the end of each operation
34 * and defaulting connection closure to rollback
35 * - added LDAP access control to write operations
36 * - fully implemented modrdn (with rdn attrs change, deleteoldrdn,
37 * access check, parent/children check and more)
38 * - added parent access control, children control to delete operation
39 * - added structuralObjectClass operational attribute check and
40 * value return on search
41 * - added hasSubordinate operational attribute on demand
42 * - search limits are appropriately enforced
43 * - function backsql_strcat() has been made more efficient
44 * - concat function has been made configurable by means of a pattern
45 * - added config switches:
46 * - fail_if_no_mapping write operations fail if there is no mapping
47 * - has_ldapinfo_dn_ru overrides autodetect
48 * - concat_pattern a string containing two '?' is used
49 * (note that "?||?" should be more portable
50 * than builtin function "CONCAT(?,?)")
51 * - strcast_func cast of string constants in "SELECT DISTINCT
52 * statements (needed by PostgreSQL)
53 * - upper_needs_cast cast the argument of upper when required
54 * (basically when building dn substring queries)
55 * - added noop control
56 * - added values return filter control
57 * - hasSubordinate can be used in search filters (with limitations)
58 * - eliminated oc->name; use oc->oc->soc_cname instead
61 * - add security checks for SQL statements that can be injected (?)
62 * - re-test with previously supported RDBMs
63 * - replace dn_ru and so with normalized dn (no need for upper() and so
65 * - implement a backsql_normalize() function to replace the upper()
67 * - note that subtree deletion, subtree renaming and so could be easily
68 * implemented (rollback and consistency checks are available :)
69 * - implement "lastmod" and other operational stuff (ldap_entries table ?)
70 * - check how to allow multiple operations with one statement, to remove
71 * BACKSQL_REALLOC_STMT from modify.c (a more recent unixODBC lib?)
74 * Improvements submitted by (ITS#3432)
76 * 1. id_query.patch applied (with changes)
77 * 2. shortcut.patch applied (reworked)
78 * 3. create_hint.patch applied
79 * 4. count_query.patch applied (reworked)
80 * 5. returncodes.patch applied (with sanity checks)
81 * 6. connpool.patch under evaluation
82 * 7. modoc.patch under evaluation (requires
83 * manageDSAit and "manage"
85 * 8. miscfixes.patch applied (reworked; other
86 * operations need to load the
87 * entire entry for ACL purposes;
88 * see ITS#3480, now fixed)
90 * original description:
92 Changes that were made to the SQL backend.
94 The patches were made against 2.2.18 and can be applied individually,
95 but would best be applied in the numerical order of the file names.
96 A synopsis of each patch is given here:
99 1. Added an option to set SQL query for the "id_query" operation.
101 2. Added an option to the SQL backend called "use_subtree_shortcut".
102 When a search is performed, the SQL query includes a WHERE clause
103 which says the DN must be "LIKE %<searchbase>". The LIKE operation
104 can be slow in an RDBM. This shortcut option says that if the
105 searchbase of the LDAP search is the root DN of the SQL backend,
106 and thus all objects will match the LIKE operator, do not include
107 the "LIKE %<searchbase>" clause in the SQL query (it is replaced
108 instead by the always true "1=1" clause to keep the "AND"'s
109 working correctly). This option is off by default, and should be
110 turned on only if all objects to be found in the RDBM are under the
111 same root DN. Multiple backends working within the same RDBM table
112 space would encounter problems. LDAP searches whose searchbase are
113 not at the root DN will bypass this shortcut and employ the LIKE
116 3. Added a "create_hint" column to ldap_oc_mappings table. Allows
117 taking the value of an attr named in "create_hint" and passing it to
118 the create_proc procedure. This is necessary for when an objectClass's
119 table is partition indexed by some indexing column and thus the value
120 in that indexing column cannot change after the row is created. The
121 value for the indexed column is passed into the create_proc, which
122 uses it to fill in the indexed column as the new row is created.
124 4. When loading the values of an attribute, the count(*) of the number
125 of values is fetched first and memory is allocated for the array of
126 values and normalized values. The old system of loading the values one
127 by one and running realloc() on the array of values and normalized
128 values each time was badly fragmenting memory. The array of values and
129 normalized values would be side by side in memory, and realloc()'ing
130 them over and over would force them to leapfrog each other through all
131 of available memory. Attrs with a large number of values could not be
132 loaded without crashing the slapd daemon.
134 5. Added code to interpret the value returned by stored procedures
135 which have expect_return set. Returned value is interpreted as an LDAP
136 return code. This allows the distinction between the SQL failing to
137 execute and the SQL running to completion and returning an error code
138 which can indicate a policy violation.
140 6. Added RDBM connection pooling. Once an operation is finished the
141 connection to the RDBM is returned to a pool rather than closing.
142 Allows the next operation to skip the initialization and authentication
143 phases of contacting the RDBM. Also, if licensing with ODBC places
144 a limit on the number of connections, an LDAP thread can block waiting
145 for another thread to finish, so that no LDAP errors are returned
146 for having more LDAP connections than allowed RDBM connections. An
147 RDBM connection which receives an SQL error is marked as "tainted"
148 so that it will be closed rather than returned to the pool.
149 Also, RDBM connections must be bound to a given LDAP connection AND
150 operation number, and NOT just the connection number. Asynchronous
151 LDAP clients can have multiple simultaneous LDAP operations which
152 should not share the same RDBM connection. A given LDAP operation can
153 even make multiple SQL operations (e.g. a BIND operation which
154 requires SASL to perform an LDAP search to convert the SASL ID to an
155 LDAP DN), so each RDBM connection now has a refcount that must reach
156 zero before the connection is returned to the free pool.
158 7. Added ability to change the objectClass of an object. Required
159 considerable work to copy all attributes out of old object and into
160 new object. Does a schema check before proceeding. Creates a new
161 object, fills it in, deletes the old object, then changes the
162 oc_map_id and keyval of the entry in the "ldap_entries" table.
164 8. Generic fixes. Includes initializing pointers before they
165 get used in error branch cases, pointer checks before dereferencing,
166 resetting a return code to success after a COMPARE op, sealing
167 memory leaks, and in search.c, changing some of the "1=1" tests to
168 "2=2", "3=3", etc so that when reading slapd trace output, the
169 location in the source code where the x=x test was added to the SQL
170 can be easily distinguished.
173 #ifndef __BACKSQL_H__
174 #define __BACKSQL_H__
176 /* former sql-types.h */
185 SQLINTEGER *value_len;
189 * Better use the standard length of 8192 (as of slap.h)?
191 * NOTE: must be consistent with definition in ldap_entries table
193 /* #define BACKSQL_MAX_DN_LEN SLAP_LDAPDN_MAXLEN */
194 #define BACKSQL_MAX_DN_LEN 255
197 * define to enable very extensive trace logging (debug only)
202 * define to enable values counting for attributes
204 #define BACKSQL_COUNTQUERY
207 * define to enable prettification/validation of values
209 #define BACKSQL_PRETTY_VALIDATE
212 * define to enable varchars as unique keys in user tables
214 * by default integers are used (and recommended)
215 * for performances. Integers are used anyway in back-sql
218 #undef BACKSQL_ARBITRARY_KEY
221 * define to enable experimental support for syncporv overlay
224 #define BACKSQL_SYNCPROV
225 #endif /* LDAP_DEVEL */
228 * define to the appropriate aliasing string
230 * some RDBMSes tolerate (or require) that " AS " is not used
231 * when aliasing tables/columns
233 #define BACKSQL_ALIASING "AS "
234 /* #define BACKSQL_ALIASING "" */
237 * define to the appropriate quoting char
239 * some RDBMSes tolerate/require that the aliases be enclosed
240 * in quotes. This is especially true for those that do not
241 * allow keywords used as aliases.
243 /* #define BACKSQL_ALIASING_QUOTE '"' */
244 /* #define BACKSQL_ALIASING_QUOTE '\'' */
249 * a simple mechanism to allow DN mucking between the LDAP
250 * and the stored string representation.
252 typedef struct backsql_api {
254 int (*ba_config)( struct backsql_api *self, int argc, char *argv[] );
255 int (*ba_destroy)( struct backsql_api *self );
257 int (*ba_dn2odbc)( Operation *op, SlapReply *rs, struct berval *dn );
258 int (*ba_odbc2dn)( Operation *op, SlapReply *rs, struct berval *dn );
261 struct backsql_api *ba_next;
267 typedef struct backsql_entryID {
268 /* #define BACKSQL_ARBITRARY_KEY to allow a non-numeric key.
269 * It is required by some special applications that use
270 * strings as keys for the main table.
271 * In this case, #define BACKSQL_MAX_KEY_LEN consistently
272 * with the key size definition */
273 #ifdef BACKSQL_ARBITRARY_KEY
274 struct berval eid_id;
275 struct berval eid_keyval;
276 #define BACKSQL_MAX_KEY_LEN 64
277 #else /* ! BACKSQL_ARBITRARY_KEY */
278 /* The original numeric key is maintained as default. */
279 unsigned long eid_id;
280 unsigned long eid_keyval;
281 #endif /* ! BACKSQL_ARBITRARY_KEY */
283 unsigned long eid_oc_id;
284 struct berval eid_dn;
285 struct berval eid_ndn;
286 struct backsql_entryID *eid_next;
289 #ifdef BACKSQL_ARBITRARY_KEY
290 #define BACKSQL_ENTRYID_INIT { BER_BVNULL, BER_BVNULL, 0, BER_BVNULL, BER_BVNULL, NULL }
291 #else /* ! BACKSQL_ARBITRARY_KEY */
292 #define BACKSQL_ENTRYID_INIT { 0, 0, 0, BER_BVNULL, BER_BVNULL, NULL }
293 #endif /* BACKSQL_ARBITRARY_KEY */
296 * "structural" objectClass mapping structure
298 typedef struct backsql_oc_map_rec {
300 * Structure of corresponding LDAP objectClass definition
303 #define BACKSQL_OC_NAME(ocmap) ((ocmap)->bom_oc->soc_cname.bv_val)
305 struct berval bom_keytbl;
306 struct berval bom_keycol;
307 /* expected to return keyval of newly created entry */
308 char *bom_create_proc;
309 /* in case create_proc does not return the keyval of the newly
311 char *bom_create_keyval;
312 /* supposed to expect keyval as parameter and delete
313 * all the attributes as well */
314 char *bom_delete_proc;
315 /* flags whether delete_proc is a function (whether back-sql
316 * should bind first parameter as output for return code) */
317 int bom_expect_return;
318 unsigned long bom_id;
320 AttributeDescription *bom_create_hint;
321 } backsql_oc_map_rec;
324 * attributeType mapping structure
326 typedef struct backsql_at_map_rec {
327 /* Description of corresponding LDAP attribute type */
328 AttributeDescription *bam_ad;
329 /* ObjectClass if bam_ad is objectClass */
332 struct berval bam_from_tbls;
333 struct berval bam_join_where;
334 struct berval bam_sel_expr;
336 /* TimesTen, or, if a uppercase function is defined,
337 * an uppercased version of bam_sel_expr */
338 struct berval bam_sel_expr_u;
340 /* supposed to expect 2 binded values: entry keyval
341 * and attr. value to add, like "add_name(?,?,?)" */
343 /* supposed to expect 2 binded values: entry keyval
344 * and attr. value to delete */
345 char *bam_delete_proc;
346 /* for optimization purposes attribute load query
347 * is preconstructed from parts on schemamap load time */
349 #ifdef BACKSQL_COUNTQUERY
350 char *bam_countquery;
351 #endif /* BACKSQL_COUNTQUERY */
352 /* following flags are bitmasks (first bit used for add_proc,
353 * second - for delete_proc) */
354 /* order of parameters for procedures above;
355 * 1 means "data then keyval", 0 means "keyval then data" */
357 /* flags whether one or more of procedures is a function
358 * (whether back-sql should bind first parameter as output
359 * for return code) */
360 int bam_expect_return;
362 /* next mapping for attribute */
363 struct backsql_at_map_rec *bam_next;
364 } backsql_at_map_rec;
366 #define BACKSQL_AT_MAP_REC_INIT { NULL, NULL, BER_BVC(""), BER_BVC(""), BER_BVNULL, BER_BVNULL, NULL, NULL, NULL, 0, 0, NULL }
368 /* define to uppercase filters only if the matching rule requires it
369 * (currently broken) */
370 /* #define BACKSQL_UPPERCASE_FILTER */
372 #define BACKSQL_AT_CANUPPERCASE(at) ( !BER_BVISNULL( &(at)->bam_sel_expr_u ) )
374 /* defines to support bitmasks above */
375 #define BACKSQL_ADD 0x1
376 #define BACKSQL_DEL 0x2
378 #define BACKSQL_IS_ADD(x) ( ( BACKSQL_ADD & (x) ) == BACKSQL_ADD )
379 #define BACKSQL_IS_DEL(x) ( ( BACKSQL_DEL & (x) ) == BACKSQL_DEL )
381 #define BACKSQL_NCMP(v1,v2) ber_bvcmp((v1),(v2))
383 #define BACKSQL_CONCAT
385 * berbuf structure: a berval with a buffer size associated
387 typedef struct berbuf {
388 struct berval bb_val;
392 #define BB_NULL { BER_BVNULL, 0 }
394 /* the function must collect the entry associated to nbase */
395 #define BACKSQL_ISF_GET_ID 0x1U
396 #define BACKSQL_ISF_GET_ENTRY ( 0x2U | BACKSQL_ISF_GET_ID )
397 #define BACKSQL_ISF_MATCHED 0x4U
398 #define BACKSQL_IS_GET_ID(f) \
399 ( ( (f) & BACKSQL_ISF_GET_ID ) == BACKSQL_ISF_GET_ID )
400 #define BACKSQL_IS_GET_ENTRY(f) \
401 ( ( (f) & BACKSQL_ISF_GET_ENTRY ) == BACKSQL_ISF_GET_ENTRY )
402 #define BACKSQL_IS_MATCHED(f) \
403 ( ( (f) & BACKSQL_ISF_MATCHED ) == BACKSQL_ISF_MATCHED )
404 typedef struct backsql_srch_info {
409 #define BSQL_SF_NONE 0x0000U
410 #define BSQL_SF_ALL_USER 0x0001U
411 #define BSQL_SF_ALL_OPER 0x0002U
412 #define BSQL_SF_ALL_ATTRS (BSQL_SF_ALL_USER|BSQL_SF_ALL_OPER)
413 #define BSQL_SF_FILTER_HASSUBORDINATE 0x0010U
414 #define BSQL_SF_FILTER_ENTRYUUID 0x0020U
415 #define BSQL_SF_FILTER_ENTRYCSN 0x0040U
416 #define BSQL_SF_RETURN_ENTRYUUID (BSQL_SF_FILTER_ENTRYUUID << 8)
417 #define BSQL_ISF(bsi, f) ( ( (bsi)->bsi_flags & f ) == f )
418 #define BSQL_ISF_ALL_USER(bsi) BSQL_ISF(bsi, BSQL_SF_ALL_USER)
419 #define BSQL_ISF_ALL_OPER(bsi) BSQL_ISF(bsi, BSQL_SF_ALL_OPER)
420 #define BSQL_ISF_ALL_ATTRS(bsi) BSQL_ISF(bsi, BSQL_SF_ALL_ATTRS)
422 struct berval *bsi_base_ndn;
423 int bsi_use_subtree_shortcut;
424 backsql_entryID bsi_base_id;
426 /* BACKSQL_SCOPE_BASE_LIKE can be set by API in ors_scope
427 * whenever the search base DN contains chars that cannot
428 * be mapped into the charset used in the RDBMS; so they're
429 * turned into '%' and an approximate ('LIKE') condition
431 #define BACKSQL_SCOPE_BASE_LIKE ( LDAP_SCOPE_BASE | 0x1000 )
437 backsql_entryID *bsi_id_list,
440 int bsi_n_candidates;
444 backsql_oc_map_rec *bsi_oc;
445 struct berbuf bsi_sel,
449 ObjectClass *bsi_filter_oc;
451 AttributeName *bsi_attrs;
457 * Backend private data structure
459 typedef struct backsql_info {
467 * SQL condition for subtree searches differs in syntax:
468 * "LIKE CONCAT('%',?)" or "LIKE '%'+?" or "LIKE '%'||?"
471 struct berval sql_subtree_cond;
472 struct berval sql_children_cond;
475 char *sql_insentry_stmt,
478 *sql_delobjclasses_stmt,
479 *sql_delreferrals_stmt;
481 char *sql_has_children_query;
483 MatchingRule *sql_caseIgnoreMatch;
484 MatchingRule *sql_telephoneNumberMatch;
486 struct berval sql_upper_func;
487 struct berval sql_upper_func_open;
488 struct berval sql_upper_func_close;
489 BerVarray sql_concat_func;
490 struct berval sql_strcast_func;
492 AttributeName *sql_anlist;
494 unsigned int sql_flags;
495 #define BSQLF_SCHEMA_LOADED 0x0001
496 #define BSQLF_UPPER_NEEDS_CAST 0x0002
497 #define BSQLF_CREATE_NEEDS_SELECT 0x0004
498 #define BSQLF_FAIL_IF_NO_MAPPING 0x0008
499 #define BSQLF_HAS_LDAPINFO_DN_RU 0x0010
500 #define BSQLF_DONTCHECK_LDAPINFO_DN_RU 0x0020
501 #define BSQLF_USE_REVERSE_DN 0x0040
502 #define BSQLF_ALLOW_ORPHANS 0x0080
503 #define BSQLF_USE_SUBTREE_SHORTCUT 0x0100
504 #define BSQLF_FETCH_ALL_USERATTRS 0x0200
505 #define BSQLF_FETCH_ALL_OPATTRS 0x0400
506 #define BSQLF_FETCH_ALL_ATTRS (BSQLF_FETCH_ALL_USERATTRS|BSQLF_FETCH_ALL_OPATTRS)
508 #define BACKSQL_ISF(si, f) \
509 (((si)->sql_flags & f) == f)
511 #define BACKSQL_SCHEMA_LOADED(si) \
512 BACKSQL_ISF(si, BSQLF_SCHEMA_LOADED)
513 #define BACKSQL_UPPER_NEEDS_CAST(si) \
514 BACKSQL_ISF(si, BSQLF_UPPER_NEEDS_CAST)
515 #define BACKSQL_CREATE_NEEDS_SELECT(si) \
516 BACKSQL_ISF(si, BSQLF_CREATE_NEEDS_SELECT)
517 #define BACKSQL_FAIL_IF_NO_MAPPING(si) \
518 BACKSQL_ISF(si, BSQLF_FAIL_IF_NO_MAPPING)
519 #define BACKSQL_HAS_LDAPINFO_DN_RU(si) \
520 BACKSQL_ISF(si, BSQLF_HAS_LDAPINFO_DN_RU)
521 #define BACKSQL_DONTCHECK_LDAPINFO_DN_RU(si) \
522 BACKSQL_ISF(si, BSQLF_DONTCHECK_LDAPINFO_DN_RU)
523 #define BACKSQL_USE_REVERSE_DN(si) \
524 BACKSQL_ISF(si, BSQLF_USE_REVERSE_DN)
525 #define BACKSQL_CANUPPERCASE(si) \
526 (!BER_BVISNULL( &(si)->sql_upper_func ))
527 #define BACKSQL_ALLOW_ORPHANS(si) \
528 BACKSQL_ISF(si, BSQLF_ALLOW_ORPHANS)
529 #define BACKSQL_USE_SUBTREE_SHORTCUT(si) \
530 BACKSQL_ISF(si, BSQLF_USE_SUBTREE_SHORTCUT)
531 #define BACKSQL_FETCH_ALL_USERATTRS(si) \
532 BACKSQL_ISF(si, BSQLF_FETCH_ALL_USERATTRS)
533 #define BACKSQL_FETCH_ALL_OPATTRS(si) \
534 BACKSQL_ISF(si, BSQLF_FETCH_ALL_OPATTRS)
535 #define BACKSQL_FETCH_ALL_ATTRS(si) \
536 BACKSQL_ISF(si, BSQLF_FETCH_ALL_ATTRS)
538 Entry *sql_baseObject;
539 #ifdef BACKSQL_ARBITRARY_KEY
540 #define BACKSQL_BASEOBJECT_IDSTR "baseObject"
541 #define BACKSQL_BASEOBJECT_KEYVAL BACKSQL_BASEOBJECT_IDSTR
542 #define BACKSQL_IS_BASEOBJECT_ID(id) (bvmatch((id), &backsql_baseObject_bv))
543 #else /* ! BACKSQL_ARBITRARY_KEY */
544 #define BACKSQL_BASEOBJECT_ID 0
545 #define BACKSQL_BASEOBJECT_IDSTR LDAP_XSTRING(BACKSQL_BASEOBJECT_ID)
546 #define BACKSQL_BASEOBJECT_KEYVAL 0
547 #define BACKSQL_IS_BASEOBJECT_ID(id) (*(id) == BACKSQL_BASEOBJECT_ID)
548 #endif /* ! BACKSQL_ARBITRARY_KEY */
549 #define BACKSQL_BASEOBJECT_OC 0
551 Avlnode *sql_db_conns;
552 Avlnode *sql_oc_by_oc;
553 Avlnode *sql_oc_by_id;
554 ldap_pvt_thread_mutex_t sql_dbconn_mutex;
555 ldap_pvt_thread_mutex_t sql_schema_mutex;
558 backsql_api *sql_api;
561 #define BACKSQL_SUCCESS( rc ) \
562 ( (rc) == SQL_SUCCESS || (rc) == SQL_SUCCESS_WITH_INFO )
564 #define BACKSQL_AVL_STOP 0
565 #define BACKSQL_AVL_CONTINUE 1
567 /* see ldap.h for the meaning of the macros and of the values */
568 #define BACKSQL_LEGAL_ERROR( rc ) \
569 ( LDAP_RANGE( (rc), 0x00, 0x0e ) \
570 || LDAP_ATTR_ERROR( (rc) ) \
571 || LDAP_NAME_ERROR( (rc) ) \
572 || LDAP_SECURITY_ERROR( (rc) ) \
573 || LDAP_SERVICE_ERROR( (rc) ) \
574 || LDAP_UPDATE_ERROR( (rc) ) )
575 #define BACKSQL_SANITIZE_ERROR( rc ) \
576 ( BACKSQL_LEGAL_ERROR( (rc) ) ? (rc) : LDAP_OTHER )
578 #endif /* __BACKSQL_H__ */
projects / openldap / blob