]> git.sur5r.net Git - openldap/blob - servers/slapd/backend.c
component cleanup
[openldap] / servers / slapd / backend.c
1 /* backend.c - routines for dealing with back-end databases */
2 /* $OpenLDAP$ */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
4  *
5  * Copyright 1998-2004 The OpenLDAP Foundation.
6  * All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted only as authorized by the OpenLDAP
10  * Public License.
11  *
12  * A copy of this license is available in the file LICENSE in the
13  * top-level directory of the distribution or, alternatively, at
14  * <http://www.OpenLDAP.org/license.html>.
15  */
16 /* Portions Copyright (c) 1995 Regents of the University of Michigan.
17  * All rights reserved.
18  *
19  * Redistribution and use in source and binary forms are permitted
20  * provided that this notice is preserved and that due credit is given
21  * to the University of Michigan at Ann Arbor. The name of the University
22  * may not be used to endorse or promote products derived from this
23  * software without specific prior written permission. This software
24  * is provided ``as is'' without express or implied warranty.
25  */
26
27
28 #include "portable.h"
29
30 #include <stdio.h>
31
32 #include <ac/string.h>
33 #include <ac/socket.h>
34 #include <sys/stat.h>
35
36 #include "slap.h"
37 #include "lutil.h"
38 #include "lber_pvt.h"
39
40 #include "ldap_rq.h"
41
42 #ifdef LDAP_SLAPI
43 #include "slapi/slapi.h"
44
45 static void init_group_pblock( Operation *op, Entry *target,
46         Entry *e, struct berval *op_ndn, AttributeDescription *group_at );
47 static int call_group_preop_plugins( Operation *op );
48 static void call_group_postop_plugins( Operation *op );
49 #endif /* LDAP_SLAPI */
50
51 /*
52  * If a module is configured as dynamic, its header should not
53  * get included into slapd. While this is a general rule and does
54  * not have much of an effect in UNIX, this rule should be adhered
55  * to for Windows, where dynamic object code should not be implicitly
56  * imported into slapd without appropriate __declspec(dllimport) directives.
57  */
58
59 #if SLAPD_BDB == SLAPD_MOD_STATIC
60 #include "back-bdb/external.h"
61 #endif
62 #if SLAPD_DNSSRV == SLAPD_MOD_STATIC
63 #include "back-dnssrv/external.h"
64 #endif
65 #if SLAPD_HDB == SLAPD_MOD_STATIC
66 #include "back-hdb/external.h"
67 #endif
68 #if SLAPD_LDAP == SLAPD_MOD_STATIC
69 #include "back-ldap/external.h"
70 #endif
71 #if SLAPD_LDBM == SLAPD_MOD_STATIC
72 #include "back-ldbm/external.h"
73 #endif
74 #if SLAPD_META == SLAPD_MOD_STATIC
75 #include "back-meta/external.h"
76 #endif
77 #if SLAPD_MONITOR == SLAPD_MOD_STATIC
78 #include "back-monitor/external.h"
79 #endif
80 #if SLAPD_NULL == SLAPD_MOD_STATIC
81 #include "back-null/external.h"
82 #endif
83 #if SLAPD_PASSWD == SLAPD_MOD_STATIC
84 #include "back-passwd/external.h"
85 #endif
86 #if SLAPD_PERL == SLAPD_MOD_STATIC
87 #include "back-perl/external.h"
88 #endif
89 #if SLAPD_RELAY == SLAPD_MOD_STATIC
90 #include "back-relay/external.h"
91 #endif
92 #if SLAPD_SHELL == SLAPD_MOD_STATIC
93 #include "back-shell/external.h"
94 #endif
95 #if SLAPD_TCL == SLAPD_MOD_STATIC
96 #include "back-tcl/external.h"
97 #endif
98 #if SLAPD_SQL == SLAPD_MOD_STATIC
99 #include "back-sql/external.h"
100 #endif
101 #if SLAPD_PRIVATE == SLAPD_MOD_STATIC
102 #include "private/external.h"
103 #endif
104
105 static BackendInfo binfo[] = {
106 #if SLAPD_BDB == SLAPD_MOD_STATIC
107         {"bdb", bdb_initialize},
108 #endif
109 #if SLAPD_DNSSRV == SLAPD_MOD_STATIC
110         {"dnssrv",      dnssrv_back_initialize},
111 #endif
112 #if SLAPD_HDB == SLAPD_MOD_STATIC
113         {"hdb", hdb_initialize},
114 #endif
115 #if SLAPD_LDAP == SLAPD_MOD_STATIC
116         {"ldap",        ldap_back_initialize},
117 #endif
118 #if SLAPD_LDBM == SLAPD_MOD_STATIC
119         {"ldbm",        ldbm_back_initialize},
120 #endif
121 #if SLAPD_META == SLAPD_MOD_STATIC
122         {"meta",        meta_back_initialize},
123 #endif
124 #if SLAPD_MONITOR == SLAPD_MOD_STATIC
125         {"monitor",     monitor_back_initialize},
126 #endif
127 #if SLAPD_NULL == SLAPD_MOD_STATIC
128         {"null",        null_back_initialize},
129 #endif
130 #if SLAPD_PASSWD == SLAPD_MOD_STATIC
131         {"passwd",      passwd_back_initialize},
132 #endif
133 #if SLAPD_PERL == SLAPD_MOD_STATIC
134         {"perl",        perl_back_initialize},
135 #endif
136 #if SLAPD_RELAY == SLAPD_MOD_STATIC
137         {"relay",       relay_back_initialize},
138 #endif
139 #if SLAPD_SHELL == SLAPD_MOD_STATIC
140         {"shell",       shell_back_initialize},
141 #endif
142 #if SLAPD_TCL == SLAPD_MOD_STATIC
143         {"tcl",         tcl_back_initialize},
144 #endif
145 #if SLAPD_SQL == SLAPD_MOD_STATIC
146         {"sql",         backsql_initialize},
147 #endif
148         /* for any private backend */
149 #if SLAPD_PRIVATE == SLAPD_MOD_STATIC
150         {"private",     private_back_initialize},
151 #endif
152         {NULL}
153 };
154
155 int                     nBackendInfo = 0;
156 BackendInfo     *backendInfo = NULL;
157
158 int                     nBackendDB = 0; 
159 BackendDB       *backendDB = NULL;
160
161 ldap_pvt_thread_pool_t  syncrepl_pool;
162 int                     syncrepl_pool_max = SLAP_MAX_SYNCREPL_THREADS;
163
164 int backend_init(void)
165 {
166         int rc = -1;
167
168         ldap_pvt_thread_pool_init( &syncrepl_pool, syncrepl_pool_max, 0 );
169
170         if((nBackendInfo != 0) || (backendInfo != NULL)) {
171                 /* already initialized */
172                 Debug( LDAP_DEBUG_ANY,
173                         "backend_init: already initialized.\n", 0, 0, 0 );
174                 return -1;
175         }
176
177         for( ;
178                 binfo[nBackendInfo].bi_type != NULL;
179                 nBackendInfo++ )
180         {
181                 assert( binfo[nBackendInfo].bi_init );
182
183                 rc = binfo[nBackendInfo].bi_init( &binfo[nBackendInfo] );
184
185                 if(rc != 0) {
186                         Debug( LDAP_DEBUG_ANY,
187                                 "backend_init: initialized for type \"%s\"\n",
188                                 binfo[nBackendInfo].bi_type, 0, 0 );
189                         /* destroy those we've already inited */
190                         for( nBackendInfo--;
191                                 nBackendInfo >= 0 ;
192                                 nBackendInfo-- )
193                         { 
194                                 if ( binfo[nBackendInfo].bi_destroy ) {
195                                         binfo[nBackendInfo].bi_destroy(
196                                                 &binfo[nBackendInfo] );
197                                 }
198                         }
199                         return rc;
200                 }
201         }
202
203         if ( nBackendInfo > 0) {
204                 backendInfo = binfo;
205                 return 0;
206         }
207
208 #ifdef SLAPD_MODULES    
209         return 0;
210 #else
211
212         Debug( LDAP_DEBUG_ANY,
213                 "backend_init: failed\n",
214                 0, 0, 0 );
215
216         return rc;
217 #endif /* SLAPD_MODULES */
218 }
219
220 int backend_add(BackendInfo *aBackendInfo)
221 {
222         int rc = 0;
223
224         if ( aBackendInfo->bi_init == NULL ) {
225                 Debug( LDAP_DEBUG_ANY, "backend_add: "
226                         "backend type \"%s\" does not have the (mandatory)init function\n",
227                         aBackendInfo->bi_type, 0, 0 );
228                 return -1;
229         }
230
231    if ((rc = aBackendInfo->bi_init(aBackendInfo)) != 0) {
232                 Debug( LDAP_DEBUG_ANY,
233                         "backend_add:  initialization for type \"%s\" failed\n",
234                         aBackendInfo->bi_type, 0, 0 );
235                 return rc;
236    }
237
238         /* now add the backend type to the Backend Info List */
239         {
240                 BackendInfo *newBackendInfo = 0;
241
242                 /* if backendInfo == binfo no deallocation of old backendInfo */
243                 if (backendInfo == binfo) {
244                         newBackendInfo = ch_calloc(nBackendInfo + 1, sizeof(BackendInfo));
245                         AC_MEMCPY(newBackendInfo, backendInfo,
246                                 sizeof(BackendInfo) * nBackendInfo);
247                 } else {
248                         newBackendInfo = ch_realloc(backendInfo,
249                                 sizeof(BackendInfo) * (nBackendInfo + 1));
250                 }
251
252                 AC_MEMCPY(&newBackendInfo[nBackendInfo], aBackendInfo,
253                         sizeof(BackendInfo));
254                 backendInfo = newBackendInfo;
255                 nBackendInfo++;
256                 return 0;
257         }
258 }
259
260 /* startup a specific backend database */
261 int backend_startup_one(Backend *be)
262 {
263         int rc = 0;
264
265         assert(be);
266
267         be->be_pending_csn_list = (struct be_pcl *)
268                 ch_calloc( 1, sizeof( struct be_pcl ));
269         build_new_dn( &be->be_context_csn, be->be_nsuffix,
270                 (struct berval *)&slap_ldapsync_cn_bv, NULL );
271
272         LDAP_TAILQ_INIT( be->be_pending_csn_list );
273
274         Debug( LDAP_DEBUG_TRACE,
275                 "backend_startup: starting \"%s\"\n",
276                 be->be_suffix ? be->be_suffix[0].bv_val : "(unknown)",
277                 0, 0 );
278         if ( be->bd_info->bi_db_open ) {
279                 rc = be->bd_info->bi_db_open( be );
280                 if ( rc != 0 ) {
281                         Debug( LDAP_DEBUG_ANY,
282                                 "backend_startup: bi_db_open failed! (%d)\n",
283                                 rc, 0, 0 );
284                 }
285         }
286         return rc;
287 }
288
289 int backend_startup(Backend *be)
290 {
291         int i;
292         int rc = 0;
293
294         if( ! ( nBackendDB > 0 ) ) {
295                 /* no databases */
296                 Debug( LDAP_DEBUG_ANY,
297                         "backend_startup: %d databases to startup.\n",
298                         nBackendDB, 0, 0 );
299                 return 1;
300         }
301
302         if(be != NULL) {
303                 if ( be->bd_info->bi_open ) {
304                         rc = be->bd_info->bi_open( be->bd_info );
305                         if ( rc != 0 ) {
306                                 Debug( LDAP_DEBUG_ANY,
307                                         "backend_startup: bi_open failed!\n",
308                                         0, 0, 0 );
309
310                                 return rc;
311                         }
312                 }
313
314                 return backend_startup_one( be );
315         }
316
317         /* open frontend, if required */
318         if ( frontendDB->bd_info->bi_db_open ) {
319                 rc = frontendDB->bd_info->bi_db_open( frontendDB );
320                 if ( rc != 0 ) {
321                         Debug( LDAP_DEBUG_ANY,
322                                 "backend_startup: bi_db_open(frontend) failed! (%d)\n",
323                                 rc, 0, 0 );
324                         return rc;
325                 }
326         }
327
328         /* open each backend type */
329         for( i = 0; i < nBackendInfo; i++ ) {
330                 if( backendInfo[i].bi_nDB == 0) {
331                         /* no database of this type, don't open */
332                         continue;
333                 }
334
335                 if( backendInfo[i].bi_open ) {
336                         rc = backendInfo[i].bi_open(
337                                 &backendInfo[i] );
338                         if ( rc != 0 ) {
339                                 Debug( LDAP_DEBUG_ANY,
340                                         "backend_startup: bi_open %d failed!\n",
341                                         i, 0, 0 );
342                                 return rc;
343                         }
344                 }
345         }
346
347         ldap_pvt_thread_mutex_init( &syncrepl_rq.rq_mutex );
348         LDAP_STAILQ_INIT( &syncrepl_rq.task_list );
349         LDAP_STAILQ_INIT( &syncrepl_rq.run_list );
350
351         /* open each backend database */
352         for( i = 0; i < nBackendDB; i++ ) {
353                 if ( backendDB[i].be_suffix == NULL ) {
354                         Debug( LDAP_DEBUG_ANY,
355                                 "backend_startup: warning, database %d (%s) "
356                                 "has no suffix\n",
357                                 i, backendDB[i].bd_info->bi_type, 0 );
358                 }
359                 /* append global access controls */
360                 acl_append( &backendDB[i].be_acl, frontendDB->be_acl );
361
362                 rc = backend_startup_one( &backendDB[i] );
363
364                 if ( rc ) return rc;
365
366
367                 if ( !LDAP_STAILQ_EMPTY( &backendDB[i].be_syncinfo )) {
368                         syncinfo_t *si;
369
370                         if ( !( backendDB[i].be_search && backendDB[i].be_add &&
371                                 backendDB[i].be_modify && backendDB[i].be_delete )) {
372                                 Debug( LDAP_DEBUG_ANY,
373                                         "backend_startup: database(%d) does not support "
374                                         "operations required for syncrepl", i, 0, 0 );
375                                 continue;
376                         }
377
378                         LDAP_STAILQ_FOREACH( si, &backendDB[i].be_syncinfo, si_next ) {
379                                 si->si_be = &backendDB[i];
380                                 init_syncrepl( si );
381                                 ldap_pvt_thread_mutex_lock( &syncrepl_rq.rq_mutex );
382                                 ldap_pvt_runqueue_insert( &syncrepl_rq,
383                                                 si->si_interval, do_syncrepl, (void *) si );
384                                 ldap_pvt_thread_mutex_unlock( &syncrepl_rq.rq_mutex );
385                         }
386                 }
387         }
388
389         return rc;
390 }
391
392 int backend_num( Backend *be )
393 {
394         int i;
395
396         if( be == NULL ) return -1;
397
398         for( i = 0; i < nBackendDB; i++ ) {
399                 if( be == &backendDB[i] ) return i;
400         }
401         return -1;
402 }
403
404 int backend_shutdown( Backend *be )
405 {
406         int i;
407         int rc = 0;
408
409         if( be != NULL ) {
410                 /* shutdown a specific backend database */
411
412                 if ( be->bd_info->bi_nDB == 0 ) {
413                         /* no database of this type, we never opened it */
414                         return 0;
415                 }
416
417                 if ( be->bd_info->bi_db_close ) {
418                         be->bd_info->bi_db_close( be );
419                 }
420
421                 if( be->bd_info->bi_close ) {
422                         be->bd_info->bi_close( be->bd_info );
423                 }
424
425                 return 0;
426         }
427
428         /* close each backend database */
429         for( i = 0; i < nBackendDB; i++ ) {
430                 if ( backendDB[i].bd_info->bi_db_close ) {
431                         backendDB[i].bd_info->bi_db_close(
432                                 &backendDB[i] );
433                 }
434
435                 if(rc != 0) {
436                         Debug( LDAP_DEBUG_ANY,
437                                 "backend_close: bi_db_close %s failed!\n",
438                                 backendDB[i].be_type, 0, 0 );
439                 }
440         }
441
442         /* close each backend type */
443         for( i = 0; i < nBackendInfo; i++ ) {
444                 if( backendInfo[i].bi_nDB == 0 ) {
445                         /* no database of this type */
446                         continue;
447                 }
448
449                 if( backendInfo[i].bi_close ) {
450                         backendInfo[i].bi_close(
451                                 &backendInfo[i] );
452                 }
453         }
454
455         /* close frontend, if required */
456         if ( frontendDB->bd_info->bi_db_close ) {
457                 rc = frontendDB->bd_info->bi_db_close ( frontendDB );
458                 if ( rc != 0 ) {
459                         Debug( LDAP_DEBUG_ANY,
460                                 "backend_startup: bi_db_close(frontend) failed! (%d)\n",
461                                 rc, 0, 0 );
462                 }
463         }
464
465         return 0;
466 }
467
468 int backend_destroy(void)
469 {
470         int i;
471         BackendDB *bd;
472         syncinfo_t *si_entry;
473
474         ldap_pvt_thread_pool_destroy( &syncrepl_pool, 1 );
475
476         /* destroy each backend database */
477         for( i = 0, bd = backendDB; i < nBackendDB; i++, bd++ ) {
478
479                 while ( !LDAP_STAILQ_EMPTY( &bd->be_syncinfo )) {
480                         si_entry = LDAP_STAILQ_FIRST( &bd->be_syncinfo );
481                         LDAP_STAILQ_REMOVE_HEAD( &bd->be_syncinfo, si_next );
482                         syncinfo_free( si_entry );
483                 }
484                 
485                 if ( bd->bd_info->bi_db_destroy ) {
486                         bd->bd_info->bi_db_destroy( bd );
487                 }
488                 ber_bvarray_free( bd->be_suffix );
489                 ber_bvarray_free( bd->be_nsuffix );
490                 if ( bd->be_rootdn.bv_val ) free( bd->be_rootdn.bv_val );
491                 if ( bd->be_rootndn.bv_val ) free( bd->be_rootndn.bv_val );
492                 if ( bd->be_rootpw.bv_val ) free( bd->be_rootpw.bv_val );
493                 if ( bd->be_context_csn.bv_val ) free( bd->be_context_csn.bv_val );
494                 acl_destroy( bd->be_acl, frontendDB->be_acl );
495         }
496         free( backendDB );
497
498         /* destroy each backend type */
499         for( i = 0; i < nBackendInfo; i++ ) {
500                 if( backendInfo[i].bi_destroy ) {
501                         backendInfo[i].bi_destroy(
502                                 &backendInfo[i] );
503                 }
504         }
505
506 #ifdef SLAPD_MODULES
507         if (backendInfo != binfo) {
508            free(backendInfo);
509         }
510 #endif /* SLAPD_MODULES */
511
512         nBackendInfo = 0;
513         backendInfo = NULL;
514
515         /* destroy frontend database */
516         bd = frontendDB;
517         if ( bd->bd_info->bi_db_destroy ) {
518                 bd->bd_info->bi_db_destroy( bd );
519         }
520         ber_bvarray_free( bd->be_suffix );
521         ber_bvarray_free( bd->be_nsuffix );
522         if ( bd->be_rootdn.bv_val ) free( bd->be_rootdn.bv_val );
523         if ( bd->be_rootndn.bv_val ) free( bd->be_rootndn.bv_val );
524         if ( bd->be_rootpw.bv_val ) free( bd->be_rootpw.bv_val );
525         acl_destroy( bd->be_acl, frontendDB->be_acl );
526
527         return 0;
528 }
529
530 BackendInfo* backend_info(const char *type)
531 {
532         int i;
533
534         /* search for the backend type */
535         for( i = 0; i < nBackendInfo; i++ ) {
536                 if( strcasecmp(backendInfo[i].bi_type, type) == 0 ) {
537                         return &backendInfo[i];
538                 }
539         }
540
541         return NULL;
542 }
543
544
545 BackendDB *
546 backend_db_init(
547     const char  *type )
548 {
549         Backend *be;
550         BackendInfo *bi = backend_info(type);
551         int     rc = 0;
552
553         if( bi == NULL ) {
554                 fprintf( stderr, "Unrecognized database type (%s)\n", type );
555                 return NULL;
556         }
557
558         be = backendDB;
559
560         backendDB = (BackendDB *) ch_realloc(
561                         (char *) backendDB,
562                     (nBackendDB + 1) * sizeof(Backend) );
563
564         memset( &backendDB[nbackends], '\0', sizeof(Backend) );
565
566         /* did realloc move our table? if so, fix up dependent pointers */
567         if ( be != backendDB ) {
568                 int i;
569                 for ( i=0, be=backendDB; i<nbackends; i++, be++ ) {
570                         be->be_pcl_mutexp = &be->be_pcl_mutex;
571                 }
572         }
573
574         be = &backends[nbackends++];
575
576         be->bd_info = bi;
577         be->be_def_limit = frontendDB->be_def_limit;
578         be->be_dfltaccess = frontendDB->be_dfltaccess;
579
580         be->be_restrictops = frontendDB->be_restrictops;
581         be->be_requires = frontendDB->be_requires;
582         be->be_ssf_set = frontendDB->be_ssf_set;
583
584         be->be_context_csn.bv_len = 0;
585         be->be_context_csn.bv_val = NULL;
586         be->be_pcl_mutexp = &be->be_pcl_mutex;
587         ldap_pvt_thread_mutex_init( be->be_pcl_mutexp );
588
589         LDAP_STAILQ_INIT( &be->be_syncinfo );
590
591         /* assign a default depth limit for alias deref */
592         be->be_max_deref_depth = SLAPD_DEFAULT_MAXDEREFDEPTH; 
593
594         if(bi->bi_db_init) {
595                 rc = bi->bi_db_init( be );
596         }
597
598         if(rc != 0) {
599                 fprintf( stderr, "database init failed (%s)\n", type );
600                 nbackends--;
601                 return NULL;
602         }
603
604         bi->bi_nDB++;
605         return( be );
606 }
607
608 void
609 be_db_close( void )
610 {
611         int     i;
612
613         for ( i = 0; i < nbackends; i++ ) {
614                 if ( backends[i].bd_info->bi_db_close ) {
615                         (*backends[i].bd_info->bi_db_close)( &backends[i] );
616                 }
617         }
618
619         if ( frontendDB->bd_info->bi_db_close ) {
620                 (*frontendDB->bd_info->bi_db_close)( frontendDB );
621         }
622 }
623
624 Backend *
625 select_backend(
626         struct berval * dn,
627         int manageDSAit,
628         int noSubs )
629 {
630         int     i, j;
631         ber_len_t len, dnlen = dn->bv_len;
632         Backend *be = NULL;
633
634         for ( i = 0; i < nbackends; i++ ) {
635                 for ( j = 0; backends[i].be_nsuffix != NULL &&
636                     backends[i].be_nsuffix[j].bv_val != NULL; j++ )
637                 {
638                         if ( ( SLAP_GLUE_SUBORDINATE( &backends[i] ) )
639                                 && noSubs )
640                         {
641                                 continue;
642                         }
643
644                         len = backends[i].be_nsuffix[j].bv_len;
645
646                         if ( len > dnlen ) {
647                                 /* suffix is longer than DN */
648                                 continue;
649                         }
650                         
651                         /*
652                          * input DN is normalized, so the separator check
653                          * need not look at escaping
654                          */
655                         if ( len && len < dnlen &&
656                                 !DN_SEPARATOR( dn->bv_val[(dnlen-len)-1] ))
657                         {
658                                 continue;
659                         }
660
661                         if ( strcmp( backends[i].be_nsuffix[j].bv_val,
662                                 &dn->bv_val[dnlen-len] ) == 0 )
663                         {
664                                 if( be == NULL ) {
665                                         be = &backends[i];
666
667                                         if( manageDSAit && len == dnlen &&
668                                                 !SLAP_GLUE_SUBORDINATE( be ) ) {
669                                                 continue;
670                                         }
671                                 } else {
672                                         be = &backends[i];
673                                 }
674                                 return be;
675                         }
676                 }
677         }
678
679         return be;
680 }
681
682 int
683 be_issuffix(
684     Backend *be,
685     struct berval *bvsuffix )
686 {
687         int     i;
688
689         for ( i = 0;
690                 be->be_nsuffix != NULL && be->be_nsuffix[i].bv_val != NULL;
691                 i++ )
692         {
693                 if ( bvmatch( &be->be_nsuffix[i], bvsuffix ) ) {
694                         return( 1 );
695                 }
696         }
697
698         return( 0 );
699 }
700
701 int
702 be_isroot_dn( Backend *be, struct berval *ndn )
703 {
704         if ( !ndn->bv_len ) {
705                 return( 0 );
706         }
707
708         if ( !be->be_rootndn.bv_len ) {
709                 return( 0 );
710         }
711
712         return dn_match( &be->be_rootndn, ndn );
713 }
714
715 int
716 be_sync_update( Operation *op )
717 {
718         return ( SLAP_SYNC_SHADOW( op->o_bd ) && syncrepl_isupdate( op ) );
719 }
720
721 int
722 be_slurp_update( Operation *op )
723 {
724         return ( SLAP_SLURP_SHADOW( op->o_bd ) &&
725                 be_isupdate_dn( op->o_bd, &op->o_ndn ));
726 }
727
728 int
729 be_shadow_update( Operation *op )
730 {
731         return ( SLAP_SHADOW( op->o_bd ) &&
732                 ( syncrepl_isupdate( op ) || be_isupdate_dn( op->o_bd, &op->o_ndn )));
733 }
734
735 int
736 be_isupdate_dn( Backend *be, struct berval *ndn )
737 {
738         if ( !ndn->bv_len ) return( 0 );
739
740         if ( !be->be_update_ndn.bv_len ) return( 0 );
741
742         return dn_match( &be->be_update_ndn, ndn );
743 }
744
745 struct berval *
746 be_root_dn( Backend *be )
747 {
748         return &be->be_rootdn;
749 }
750
751 int
752 be_isroot( Operation *op )
753 {
754         return be_isroot_dn( op->o_bd, &op->o_ndn );
755 }
756
757 int
758 be_isroot_pw( Operation *op )
759 {
760         int result;
761
762         if ( ! be_isroot_dn( op->o_bd, &op->o_req_ndn ) ) {
763                 return 0;
764         }
765
766         if( op->o_bd->be_rootpw.bv_len == 0 ) {
767                 return 0;
768         }
769
770 #if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
771         ldap_pvt_thread_mutex_lock( &passwd_mutex );
772 #ifdef SLAPD_SPASSWD
773         lutil_passwd_sasl_conn = op->o_conn->c_sasl_authctx;
774 #endif
775 #endif
776
777         result = lutil_passwd( &op->o_bd->be_rootpw, &op->orb_cred, NULL, NULL );
778
779 #if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
780 #ifdef SLAPD_SPASSWD
781         lutil_passwd_sasl_conn = NULL;
782 #endif
783         ldap_pvt_thread_mutex_unlock( &passwd_mutex );
784 #endif
785
786         return result == 0;
787 }
788
789 int
790 be_entry_release_rw(
791         Operation *op,
792         Entry *e,
793         int rw )
794 {
795         if ( op->o_bd->be_release ) {
796                 /* free and release entry from backend */
797                 return op->o_bd->be_release( op, e, rw );
798         } else {
799                 /* free entry */
800                 entry_free( e );
801                 return 0;
802         }
803 }
804
805 int
806 backend_unbind( Operation *op, SlapReply *rs )
807 {
808         int             i;
809
810         for ( i = 0; i < nbackends; i++ ) {
811 #if defined( LDAP_SLAPI )
812                 if ( op->o_pb ) {
813                         int rc;
814                         if ( i == 0 ) slapi_int_pblock_set_operation( op->o_pb, op );
815                         slapi_pblock_set( op->o_pb, SLAPI_BACKEND, (void *)&backends[i] );
816                         rc = slapi_int_call_plugins( &backends[i],
817                                 SLAPI_PLUGIN_PRE_UNBIND_FN, (Slapi_PBlock *)op->o_pb );
818                         if ( rc < 0 ) {
819                                 /*
820                                  * A preoperation plugin failure will abort the
821                                  * entire operation.
822                                  */
823                                 Debug(LDAP_DEBUG_TRACE,
824                                         "do_bind: Unbind preoperation plugin failed\n",
825                                         0, 0, 0);
826                                 return 0;
827                         }
828                 }
829 #endif /* defined( LDAP_SLAPI ) */
830
831                 if ( backends[i].be_unbind ) {
832                         op->o_bd = &backends[i];
833                         (*backends[i].be_unbind)( op, rs );
834                 }
835
836 #if defined( LDAP_SLAPI )
837                 if ( op->o_pb != NULL && slapi_int_call_plugins( &backends[i],
838                         SLAPI_PLUGIN_POST_UNBIND_FN, (Slapi_PBlock *)op->o_pb ) < 0 )
839                 {
840                         Debug(LDAP_DEBUG_TRACE,
841                                 "do_unbind: Unbind postoperation plugins failed\n",
842                                 0, 0, 0);
843                 }
844 #endif /* defined( LDAP_SLAPI ) */
845         }
846
847         return 0;
848 }
849
850 int
851 backend_connection_init(
852         Connection   *conn )
853 {
854         int     i;
855
856         for ( i = 0; i < nbackends; i++ ) {
857                 if ( backends[i].be_connection_init ) {
858                         (*backends[i].be_connection_init)( &backends[i], conn);
859                 }
860         }
861
862         return 0;
863 }
864
865 int
866 backend_connection_destroy(
867         Connection   *conn )
868 {
869         int     i;
870
871         for ( i = 0; i < nbackends; i++ ) {
872                 if ( backends[i].be_connection_destroy ) {
873                         (*backends[i].be_connection_destroy)( &backends[i], conn);
874                 }
875         }
876
877         return 0;
878 }
879
880 static int
881 backend_check_controls(
882         Operation *op,
883         SlapReply *rs )
884 {
885         LDAPControl **ctrls = op->o_ctrls;
886         rs->sr_err = LDAP_SUCCESS;
887
888         if( ctrls ) {
889                 for( ; *ctrls != NULL ; ctrls++ ) {
890                         if( (*ctrls)->ldctl_iscritical && !ldap_charray_inlist(
891                                 op->o_bd->be_controls, (*ctrls)->ldctl_oid ) )
892                         {
893                                 /* FIXME: standards compliance issue
894                                  *
895                                  * Per RFC 2251 (and LDAPBIS discussions), if the control
896                                  * is recognized and appropriate for the operation (which
897                                  * we've already verified), then the server should make
898                                  * use of the control when performing the operation
899                                  * (without regard to criticality).  This code is incorrect
900                                  * on two counts.
901                                  * 1) a service error (e.g., unwillingToPerform) should be
902                                  * returned where a particular backend cannot service the
903                                  * operation,
904                                  * 2) this error should be returned irregardless of the
905                                  * criticality of the control.
906                                  */
907                                 rs->sr_text = "control unavailable in context";
908                                 rs->sr_err = LDAP_UNAVAILABLE_CRITICAL_EXTENSION;
909                                 break;
910                         }
911                 }
912         }
913
914         return rs->sr_err;
915 }
916
917 int
918 backend_check_restrictions(
919         Operation *op,
920         SlapReply *rs,
921         struct berval *opdata )
922 {
923         slap_mask_t restrictops;
924         slap_mask_t requires;
925         slap_mask_t opflag;
926         slap_mask_t exopflag = 0;
927         slap_ssf_set_t *ssf;
928         int updateop = 0;
929         int starttls = 0;
930         int session = 0;
931
932         if( op->o_bd ) {
933                 if ( backend_check_controls( op, rs ) != LDAP_SUCCESS ) {
934                         return rs->sr_err;
935                 }
936
937                 restrictops = op->o_bd->be_restrictops;
938                 requires = op->o_bd->be_requires;
939                 ssf = &op->o_bd->be_ssf_set;
940
941         } else {
942                 restrictops = frontendDB->be_restrictops;
943                 requires = frontendDB->be_requires;
944                 ssf = &frontendDB->be_ssf_set;
945         }
946
947         switch( op->o_tag ) {
948         case LDAP_REQ_ADD:
949                 opflag = SLAP_RESTRICT_OP_ADD;
950                 updateop++;
951                 break;
952         case LDAP_REQ_BIND:
953                 opflag = SLAP_RESTRICT_OP_BIND;
954                 session++;
955                 break;
956         case LDAP_REQ_COMPARE:
957                 opflag = SLAP_RESTRICT_OP_COMPARE;
958                 break;
959         case LDAP_REQ_DELETE:
960                 updateop++;
961                 opflag = SLAP_RESTRICT_OP_DELETE;
962                 break;
963         case LDAP_REQ_EXTENDED:
964                 opflag = SLAP_RESTRICT_OP_EXTENDED;
965
966                 if( !opdata ) {
967                         /* treat unspecified as a modify */
968                         opflag = SLAP_RESTRICT_OP_MODIFY;
969                         updateop++;
970                         break;
971                 }
972
973                 if( bvmatch( opdata, &slap_EXOP_START_TLS ) ) {
974                         session++;
975                         starttls++;
976                         exopflag = SLAP_RESTRICT_EXOP_START_TLS;
977                         break;
978                 }
979
980                 if( bvmatch( opdata, &slap_EXOP_WHOAMI ) ) {
981                         exopflag = SLAP_RESTRICT_EXOP_WHOAMI;
982                         break;
983                 }
984
985                 if ( bvmatch( opdata, &slap_EXOP_CANCEL ) ) {
986                         exopflag = SLAP_RESTRICT_EXOP_CANCEL;
987                         break;
988                 }
989
990                 if ( bvmatch( opdata, &slap_EXOP_MODIFY_PASSWD ) ) {
991                         exopflag = SLAP_RESTRICT_EXOP_MODIFY_PASSWD;
992                         updateop++;
993                         break;
994                 }
995
996                 /* treat everything else as a modify */
997                 opflag = SLAP_RESTRICT_OP_MODIFY;
998                 updateop++;
999                 break;
1000
1001         case LDAP_REQ_MODIFY:
1002                 updateop++;
1003                 opflag = SLAP_RESTRICT_OP_MODIFY;
1004                 break;
1005         case LDAP_REQ_RENAME:
1006                 updateop++;
1007                 opflag = SLAP_RESTRICT_OP_RENAME;
1008                 break;
1009         case LDAP_REQ_SEARCH:
1010                 opflag = SLAP_RESTRICT_OP_SEARCH;
1011                 break;
1012         case LDAP_REQ_UNBIND:
1013                 session++;
1014                 opflag = 0;
1015                 break;
1016         default:
1017                 rs->sr_text = "restrict operations internal error";
1018                 rs->sr_err = LDAP_OTHER;
1019                 return rs->sr_err;
1020         }
1021
1022         if ( !starttls ) {
1023                 /* these checks don't apply to StartTLS */
1024
1025                 rs->sr_err = LDAP_CONFIDENTIALITY_REQUIRED;
1026                 if( op->o_transport_ssf < ssf->sss_transport ) {
1027                         rs->sr_text = op->o_transport_ssf
1028                                 ? "stronger transport confidentiality required"
1029                                 : "transport confidentiality required";
1030                         return rs->sr_err;
1031                 }
1032
1033                 if( op->o_tls_ssf < ssf->sss_tls ) {
1034                         rs->sr_text = op->o_tls_ssf
1035                                 ? "stronger TLS confidentiality required"
1036                                 : "TLS confidentiality required";
1037                         return rs->sr_err;
1038                 }
1039
1040
1041                 if( op->o_tag == LDAP_REQ_BIND && opdata == NULL ) {
1042                         /* simple bind specific check */
1043                         if( op->o_ssf < ssf->sss_simple_bind ) {
1044                                 rs->sr_text = op->o_ssf
1045                                         ? "stronger confidentiality required"
1046                                         : "confidentiality required";
1047                                 return rs->sr_err;
1048                         }
1049                 }
1050
1051                 if( op->o_tag != LDAP_REQ_BIND || opdata == NULL ) {
1052                         /* these checks don't apply to SASL bind */
1053
1054                         if( op->o_sasl_ssf < ssf->sss_sasl ) {
1055                                 rs->sr_text = op->o_sasl_ssf
1056                                         ? "stronger SASL confidentiality required"
1057                                         : "SASL confidentiality required";
1058                                 return rs->sr_err;
1059                         }
1060
1061                         if( op->o_ssf < ssf->sss_ssf ) {
1062                                 rs->sr_text = op->o_ssf
1063                                         ? "stronger confidentiality required"
1064                                         : "confidentiality required";
1065                                 return rs->sr_err;
1066                         }
1067                 }
1068
1069                 if( updateop ) {
1070                         if( op->o_transport_ssf < ssf->sss_update_transport ) {
1071                                 rs->sr_text = op->o_transport_ssf
1072                                         ? "stronger transport confidentiality required for update"
1073                                         : "transport confidentiality required for update";
1074                                 return rs->sr_err;
1075                         }
1076
1077                         if( op->o_tls_ssf < ssf->sss_update_tls ) {
1078                                 rs->sr_text = op->o_tls_ssf
1079                                         ? "stronger TLS confidentiality required for update"
1080                                         : "TLS confidentiality required for update";
1081                                 return rs->sr_err;
1082                         }
1083
1084                         if( op->o_sasl_ssf < ssf->sss_update_sasl ) {
1085                                 rs->sr_text = op->o_sasl_ssf
1086                                         ? "stronger SASL confidentiality required for update"
1087                                         : "SASL confidentiality required for update";
1088                                 return rs->sr_err;
1089                         }
1090
1091                         if( op->o_ssf < ssf->sss_update_ssf ) {
1092                                 rs->sr_text = op->o_ssf
1093                                         ? "stronger confidentiality required for update"
1094                                         : "confidentiality required for update";
1095                                 return rs->sr_err;
1096                         }
1097
1098                         if( !( global_allows & SLAP_ALLOW_UPDATE_ANON ) &&
1099                                 op->o_ndn.bv_len == 0 )
1100                         {
1101                                 rs->sr_text = "modifications require authentication";
1102                                 rs->sr_err = LDAP_STRONG_AUTH_REQUIRED;
1103                                 return rs->sr_err;
1104                         }
1105
1106 #ifdef SLAP_X_LISTENER_MOD
1107                         if ( op->o_conn->c_listener && ! ( op->o_conn->c_listener->sl_perms & ( op->o_ndn.bv_len > 0 ? S_IWUSR : S_IWOTH ) ) ) {
1108                                 /* no "w" mode means readonly */
1109                                 rs->sr_text = "modifications not allowed on this listener";
1110                                 rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
1111                                 return rs->sr_err;
1112                         }
1113 #endif /* SLAP_X_LISTENER_MOD */
1114                 }
1115         }
1116
1117         if ( !session ) {
1118                 /* these checks don't apply to Bind, StartTLS, or Unbind */
1119
1120                 if( requires & SLAP_REQUIRE_STRONG ) {
1121                         /* should check mechanism */
1122                         if( ( op->o_transport_ssf < ssf->sss_transport
1123                                 && op->o_authtype == LDAP_AUTH_SIMPLE )
1124                                 || op->o_dn.bv_len == 0 )
1125                         {
1126                                 rs->sr_text = "strong(er) authentication required";
1127                                 rs->sr_err = LDAP_STRONG_AUTH_REQUIRED;
1128                                 return rs->sr_err;
1129                         }
1130                 }
1131
1132                 if( requires & SLAP_REQUIRE_SASL ) {
1133                         if( op->o_authtype != LDAP_AUTH_SASL || op->o_dn.bv_len == 0 ) {
1134                                 rs->sr_text = "SASL authentication required";
1135                                 rs->sr_err = LDAP_STRONG_AUTH_REQUIRED;
1136                                 return rs->sr_err;
1137                         }
1138                 }
1139                         
1140                 if( requires & SLAP_REQUIRE_AUTHC ) {
1141                         if( op->o_dn.bv_len == 0 ) {
1142                                 rs->sr_text = "authentication required";
1143                                 rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
1144                                 return rs->sr_err;
1145                         }
1146                 }
1147
1148                 if( requires & SLAP_REQUIRE_BIND ) {
1149                         int version;
1150                         ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex );
1151                         version = op->o_conn->c_protocol;
1152                         ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex );
1153
1154                         if( !version ) {
1155                                 /* no bind has occurred */
1156                                 rs->sr_text = "BIND required";
1157                                 rs->sr_err = LDAP_OPERATIONS_ERROR;
1158                                 return rs->sr_err;
1159                         }
1160                 }
1161
1162                 if( requires & SLAP_REQUIRE_LDAP_V3 ) {
1163                         if( op->o_protocol < LDAP_VERSION3 ) {
1164                                 /* no bind has occurred */
1165                                 rs->sr_text = "operation restricted to LDAPv3 clients";
1166                                 rs->sr_err = LDAP_OPERATIONS_ERROR;
1167                                 return rs->sr_err;
1168                         }
1169                 }
1170
1171 #ifdef SLAP_X_LISTENER_MOD
1172                 if ( !starttls && op->o_dn.bv_len == 0 ) {
1173                         if ( op->o_conn->c_listener &&
1174                                 !( op->o_conn->c_listener->sl_perms & S_IXOTH ))
1175                 {
1176                                 /* no "x" mode means bind required */
1177                                 rs->sr_text = "bind required on this listener";
1178                                 rs->sr_err = LDAP_STRONG_AUTH_REQUIRED;
1179                                 return rs->sr_err;
1180                         }
1181                 }
1182
1183                 if ( !starttls && !updateop ) {
1184                         if ( op->o_conn->c_listener &&
1185                                 !( op->o_conn->c_listener->sl_perms &
1186                                         ( op->o_dn.bv_len > 0 ? S_IRUSR : S_IROTH )))
1187                         {
1188                                 /* no "r" mode means no read */
1189                                 rs->sr_text = "read not allowed on this listener";
1190                                 rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
1191                                 return rs->sr_err;
1192                         }
1193                 }
1194 #endif /* SLAP_X_LISTENER_MOD */
1195
1196         }
1197
1198         if( ( restrictops & opflag )
1199                         || ( exopflag && ( restrictops & exopflag ) ) ) {
1200                 if( ( restrictops & SLAP_RESTRICT_OP_MASK) == SLAP_RESTRICT_OP_READS ) {
1201                         rs->sr_text = "read operations restricted";
1202                 } else if ( restrictops & exopflag ) {
1203                         rs->sr_text = "extended operation restricted";
1204                 } else {
1205                         rs->sr_text = "operation restricted";
1206                 }
1207                 rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
1208                 return rs->sr_err;
1209         }
1210
1211         rs->sr_err = LDAP_SUCCESS;
1212         return rs->sr_err;
1213 }
1214
1215 int backend_check_referrals( Operation *op, SlapReply *rs )
1216 {
1217         rs->sr_err = LDAP_SUCCESS;
1218
1219         if( op->o_bd->be_chk_referrals ) {
1220                 rs->sr_err = op->o_bd->be_chk_referrals( op, rs );
1221
1222                 if( rs->sr_err != LDAP_SUCCESS && rs->sr_err != LDAP_REFERRAL ) {
1223                         send_ldap_result( op, rs );
1224                 }
1225         }
1226
1227         return rs->sr_err;
1228 }
1229
1230 int
1231 be_entry_get_rw(
1232         Operation *op,
1233         struct berval *ndn,
1234         ObjectClass *oc,
1235         AttributeDescription *at,
1236         int rw,
1237         Entry **e )
1238 {
1239         int rc;
1240
1241         *e = NULL;
1242
1243         if (op->o_bd == NULL) {
1244                 rc = LDAP_NO_SUCH_OBJECT;
1245         } else if ( op->o_bd->be_fetch ) {
1246                 rc = ( op->o_bd->be_fetch )( op, ndn,
1247                         oc, at, rw, e );
1248         } else {
1249                 rc = LDAP_UNWILLING_TO_PERFORM;
1250         }
1251         return rc;
1252 }
1253
1254 int 
1255 backend_group(
1256         Operation *op,
1257         Entry   *target,
1258         struct berval *gr_ndn,
1259         struct berval *op_ndn,
1260         ObjectClass *group_oc,
1261         AttributeDescription *group_at )
1262 {
1263         Entry *e;
1264         Attribute *a;
1265         int rc;
1266         GroupAssertion *g;
1267         Backend *be = op->o_bd;
1268
1269         if ( op->o_abandon ) return SLAPD_ABANDON;
1270
1271         op->o_bd = select_backend( gr_ndn, 0, 0 );
1272
1273         for (g = op->o_groups; g; g=g->ga_next) {
1274                 if (g->ga_be != op->o_bd || g->ga_oc != group_oc ||
1275                         g->ga_at != group_at || g->ga_len != gr_ndn->bv_len)
1276                         continue;
1277                 if (strcmp( g->ga_ndn, gr_ndn->bv_val ) == 0)
1278                         break;
1279         }
1280
1281         if (g) {
1282                 rc = g->ga_res;
1283                 goto done;
1284         }
1285
1286         if ( target && dn_match( &target->e_nname, gr_ndn ) ) {
1287                 e = target;
1288                 rc = 0;
1289         } else {
1290                 rc = be_entry_get_rw(op, gr_ndn, group_oc, group_at, 0, &e );
1291         }
1292         if ( e ) {
1293 #ifdef LDAP_SLAPI
1294                 if ( op->o_pb != NULL ) {
1295                         init_group_pblock( op, target, e, op_ndn, group_at );
1296
1297                         rc = call_group_preop_plugins( op );
1298                         if ( rc == LDAP_SUCCESS ) {
1299                                 goto done;
1300                         }
1301                 }
1302 #endif /* LDAP_SLAPI */
1303
1304                 a = attr_find( e->e_attrs, group_at );
1305                 if ( a ) {
1306                         /* If the attribute is a subtype of labeledURI, treat this as
1307                          * a dynamic group ala groupOfURLs
1308                          */
1309                         if (is_at_subtype( group_at->ad_type,
1310                                 slap_schema.si_ad_labeledURI->ad_type ) )
1311                         {
1312                                 int i;
1313                                 LDAPURLDesc *ludp;
1314                                 struct berval bv, nbase;
1315                                 Filter *filter;
1316                                 Entry *user;
1317                                 Backend *b2 = op->o_bd;
1318
1319                                 if ( target && dn_match( &target->e_nname, op_ndn ) ) {
1320                                         user = target;
1321                                 } else {
1322                                         op->o_bd = select_backend( op_ndn, 0, 0 );
1323                                         rc = be_entry_get_rw(op, op_ndn, NULL, NULL, 0, &user );
1324                                 }
1325                                 
1326                                 if ( rc == 0 ) {
1327                                         rc = 1;
1328                                         for (i=0; a->a_vals[i].bv_val; i++) {
1329                                                 if ( ldap_url_parse( a->a_vals[i].bv_val, &ludp ) !=
1330                                                         LDAP_SUCCESS )
1331                                                 {
1332                                                         continue;
1333                                                 }
1334                                                 nbase.bv_val = NULL;
1335                                                 /* host part must be empty */
1336                                                 /* attrs and extensions parts must be empty */
1337                                                 if (( ludp->lud_host && *ludp->lud_host ) ||
1338                                                         ludp->lud_attrs || ludp->lud_exts )
1339                                                 {
1340                                                         goto loopit;
1341                                                 }
1342                                                 ber_str2bv( ludp->lud_dn, 0, 0, &bv );
1343                                                 if ( dnNormalize( 0, NULL, NULL, &bv, &nbase,
1344                                                         op->o_tmpmemctx ) != LDAP_SUCCESS )
1345                                                 {
1346                                                         goto loopit;
1347                                                 }
1348                                                 switch(ludp->lud_scope) {
1349                                                 case LDAP_SCOPE_BASE:
1350                                                         if ( !dn_match( &nbase, op_ndn )) goto loopit;
1351                                                         break;
1352                                                 case LDAP_SCOPE_ONELEVEL:
1353                                                         dnParent(op_ndn, &bv );
1354                                                         if ( !dn_match( &nbase, &bv )) goto loopit;
1355                                                         break;
1356                                                 case LDAP_SCOPE_SUBTREE:
1357                                                         if ( !dnIsSuffix( op_ndn, &nbase )) goto loopit;
1358                                                         break;
1359 #ifdef LDAP_SCOPE_SUBORDINATE
1360                                                 case LDAP_SCOPE_SUBORDINATE:
1361                                                         if ( dn_match( &nbase, op_ndn ) &&
1362                                                                 !dnIsSuffix(op_ndn, &nbase ))
1363                                                         {
1364                                                                 goto loopit;
1365                                                         }
1366 #endif
1367                                                 }
1368                                                 filter = str2filter_x( op, ludp->lud_filter );
1369                                                 if ( filter ) {
1370                                                         if ( test_filter( NULL, user, filter ) ==
1371                                                                 LDAP_COMPARE_TRUE )
1372                                                         {
1373                                                                 rc = 0;
1374                                                         }
1375                                                         filter_free_x( op, filter );
1376                                                 }
1377 loopit:
1378                                                 ldap_free_urldesc( ludp );
1379                                                 if ( nbase.bv_val ) {
1380                                                         op->o_tmpfree( nbase.bv_val, op->o_tmpmemctx );
1381                                                 }
1382                                                 if ( rc == 0 ) break;
1383                                         }
1384                                         if ( user != target ) {
1385                                                 be_entry_release_r( op, user );
1386                                         }
1387                                 }
1388                                 op->o_bd = b2;
1389                         } else {
1390                                 rc = value_find_ex( group_at,
1391                                 SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
1392                                 SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
1393                                 a->a_nvals, op_ndn, op->o_tmpmemctx );
1394                         }
1395                 } else {
1396                         rc = LDAP_NO_SUCH_ATTRIBUTE;
1397                 }
1398                 if (e != target ) {
1399                         be_entry_release_r( op, e );
1400                 }
1401         } else {
1402                 rc = LDAP_NO_SUCH_OBJECT;
1403         }
1404
1405 #ifdef LDAP_SLAPI
1406         if ( op->o_pb ) call_group_postop_plugins( op );
1407 #endif /* LDAP_SLAPI */
1408
1409         if ( op->o_tag != LDAP_REQ_BIND && !op->o_do_not_cache ) {
1410                 g = op->o_tmpalloc(sizeof(GroupAssertion) + gr_ndn->bv_len,
1411                         op->o_tmpmemctx);
1412                 g->ga_be = op->o_bd;
1413                 g->ga_oc = group_oc;
1414                 g->ga_at = group_at;
1415                 g->ga_res = rc;
1416                 g->ga_len = gr_ndn->bv_len;
1417                 strcpy(g->ga_ndn, gr_ndn->bv_val);
1418                 g->ga_next = op->o_groups;
1419                 op->o_groups = g;
1420         }
1421 done:
1422         op->o_bd = be;
1423         return rc;
1424 }
1425
1426 #ifdef LDAP_SLAPI
1427 static int backend_compute_output_attr(computed_attr_context *c, Slapi_Attr *a, Slapi_Entry *e)
1428 {
1429         BerVarray v;
1430         int rc;
1431         BerVarray *vals = (BerVarray *)c->cac_private;
1432         Operation *op = NULL;
1433         int i, j;
1434
1435         slapi_pblock_get( c->cac_pb, SLAPI_OPERATION, &op );
1436         if ( op == NULL ) {
1437                 return 1;
1438         }
1439
1440         if ( op->o_conn && access_allowed( op,
1441                 e, a->a_desc, NULL, ACL_AUTH,
1442                 &c->cac_acl_state ) == 0 ) {
1443                 return 1;
1444         }
1445
1446         for ( i=0; a->a_vals[i].bv_val; i++ ) ;
1447                         
1448         v = op->o_tmpalloc( sizeof(struct berval) * (i+1),
1449                 op->o_tmpmemctx );
1450         for ( i=0,j=0; a->a_vals[i].bv_val; i++ ) {
1451                 if ( op->o_conn && access_allowed( op,
1452                         e, a->a_desc,
1453                         &a->a_nvals[i],
1454                         ACL_AUTH, &c->cac_acl_state ) == 0 ) {
1455                         continue;
1456                 }
1457                 ber_dupbv_x( &v[j],
1458                         &a->a_nvals[i], op->o_tmpmemctx );
1459                 if (v[j].bv_val ) j++;
1460         }
1461
1462         if (j == 0) {
1463                 op->o_tmpfree( v, op->o_tmpmemctx );
1464                 *vals = NULL;
1465                 rc = 1;
1466         } else {
1467                 v[j].bv_val = NULL;
1468                 v[j].bv_len = 0;
1469                 *vals = v;
1470                 rc = 0;
1471         }
1472
1473         return rc;
1474 }
1475 #endif /* LDAP_SLAPI */
1476
1477 int 
1478 backend_attribute(
1479         Operation *op,
1480         Entry   *target,
1481         struct berval   *edn,
1482         AttributeDescription *entry_at,
1483         BerVarray *vals,
1484         slap_access_t access )
1485 {
1486         Entry *e;
1487         Attribute *a;
1488         int i, j, rc = LDAP_SUCCESS;
1489         AccessControlState acl_state = ACL_STATE_INIT;
1490         Backend *be = op->o_bd;
1491
1492         op->o_bd = select_backend( edn, 0, 0 );
1493
1494         if ( target && dn_match( &target->e_nname, edn ) ) {
1495                 e = target;
1496         } else {
1497                 rc = be_entry_get_rw(op, edn, NULL, entry_at, 0, &e );
1498         } 
1499
1500         if ( e ) {
1501                 a = attr_find( e->e_attrs, entry_at );
1502                 if ( a ) {
1503                         BerVarray v;
1504
1505                         if ( op->o_conn && access > ACL_NONE && access_allowed( op,
1506                                 e, entry_at, NULL, access,
1507                                 &acl_state ) == 0 ) {
1508                                 rc = LDAP_INSUFFICIENT_ACCESS;
1509                                 goto freeit;
1510                         }
1511
1512                         for ( i=0; a->a_vals[i].bv_val; i++ ) ;
1513                         
1514                         v = op->o_tmpalloc( sizeof(struct berval) * (i+1),
1515                                 op->o_tmpmemctx );
1516                         for ( i=0,j=0; a->a_vals[i].bv_val; i++ ) {
1517                                 if ( op->o_conn && access > ACL_NONE && access_allowed( op,
1518                                         e, entry_at,
1519                                         &a->a_nvals[i],
1520                                         access, &acl_state ) == 0 ) {
1521                                         continue;
1522                                 }
1523                                 ber_dupbv_x( &v[j],
1524                                         &a->a_nvals[i], op->o_tmpmemctx );
1525                                 if (v[j].bv_val ) j++;
1526                         }
1527                         if (j == 0) {
1528                                 op->o_tmpfree( v, op->o_tmpmemctx );
1529                                 *vals = NULL;
1530                                 rc = LDAP_INSUFFICIENT_ACCESS;
1531                         } else {
1532                                 v[j].bv_val = NULL;
1533                                 v[j].bv_len = 0;
1534                                 *vals = v;
1535                                 rc = LDAP_SUCCESS;
1536                         }
1537                 }
1538 #ifdef LDAP_SLAPI
1539                 else if ( op->o_pb ) {
1540                         /* try any computed attributes */
1541                         computed_attr_context ctx;
1542                         AttributeName aname;
1543
1544                         slapi_int_pblock_set_operation( op->o_pb, op );
1545
1546                         ctx.cac_pb = op->o_pb;
1547                         ctx.cac_attrs = NULL;
1548                         ctx.cac_userattrs = 0;
1549                         ctx.cac_opattrs = 0;
1550                         ctx.cac_acl_state = acl_state;
1551                         ctx.cac_private = (void *)vals;
1552
1553                         if ( compute_evaluator( &ctx, entry_at->ad_cname.bv_val, e, backend_compute_output_attr ) == 1)
1554                                 rc = LDAP_INSUFFICIENT_ACCESS;
1555                         else
1556                                 rc = LDAP_SUCCESS;
1557                 }
1558 #endif /* LDAP_SLAPI */
1559 freeit:         if (e != target ) {
1560                         be_entry_release_r( op, e );
1561                 }
1562         }
1563
1564         op->o_bd = be;
1565         return rc;
1566 }
1567
1568 int backend_operational(
1569         Operation *op,
1570         SlapReply *rs )
1571 {
1572         Attribute       **ap;
1573         int             rc = 0;
1574
1575         for ( ap = &rs->sr_operational_attrs; *ap; ap = &(*ap)->a_next )
1576                 /* just count them */ ;
1577
1578         /*
1579          * If operational attributes (allegedly) are required, 
1580          * and the backend supports specific operational attributes, 
1581          * add them to the attribute list
1582          */
1583         if ( SLAP_OPATTRS( rs->sr_attr_flags ) || ( op->ors_attrs &&
1584                 ad_inlist( slap_schema.si_ad_entryDN, op->ors_attrs )))
1585         {
1586                 *ap = slap_operational_entryDN( rs->sr_entry );
1587                 ap = &(*ap)->a_next;
1588         }
1589
1590         if ( SLAP_OPATTRS( rs->sr_attr_flags ) || ( op->ors_attrs &&
1591                 ad_inlist( slap_schema.si_ad_subschemaSubentry, op->ors_attrs )))
1592         {
1593                 *ap = slap_operational_subschemaSubentry( op->o_bd );
1594                 ap = &(*ap)->a_next;
1595         }
1596
1597         if (( SLAP_OPATTRS( rs->sr_attr_flags ) || op->ors_attrs ) &&
1598                 op->o_bd && op->o_bd->be_operational != NULL )
1599         {
1600                 Attribute       *a;
1601                 
1602                 a = rs->sr_operational_attrs;
1603                 rs->sr_operational_attrs = NULL;
1604                 rc = op->o_bd->be_operational( op, rs );
1605                 *ap = rs->sr_operational_attrs;
1606                 if ( a != NULL ) {
1607                         rs->sr_operational_attrs = a;
1608                 }
1609
1610                 for ( ; *ap; ap = &(*ap)->a_next )
1611                         /* just count them */ ;
1612         }
1613
1614         return rc;
1615 }
1616
1617 #ifdef LDAP_SLAPI
1618 static void init_group_pblock( Operation *op, Entry *target,
1619         Entry *e, struct berval *op_ndn, AttributeDescription *group_at )
1620 {
1621         slapi_int_pblock_set_operation( op->o_pb, op );
1622
1623         slapi_pblock_set( op->o_pb,
1624                 SLAPI_X_GROUP_ENTRY, (void *)e );
1625         slapi_pblock_set( op->o_pb,
1626                 SLAPI_X_GROUP_OPERATION_DN, (void *)op_ndn->bv_val );
1627         slapi_pblock_set( op->o_pb,
1628                 SLAPI_X_GROUP_ATTRIBUTE, (void *)group_at->ad_cname.bv_val );
1629         slapi_pblock_set( op->o_pb,
1630                 SLAPI_X_GROUP_TARGET_ENTRY, (void *)target );
1631 }
1632
1633 static int call_group_preop_plugins( Operation *op )
1634 {
1635         int rc;
1636
1637         rc = slapi_int_call_plugins( op->o_bd,
1638                 SLAPI_X_PLUGIN_PRE_GROUP_FN, op->o_pb );
1639         if ( rc < 0 ) {
1640                 if (( slapi_pblock_get( op->o_pb, SLAPI_RESULT_CODE,
1641                         (void *)&rc ) != 0 ) || rc == LDAP_SUCCESS )
1642                 {
1643                         rc = LDAP_NO_SUCH_ATTRIBUTE;
1644                 }
1645         } else {
1646                 rc = LDAP_SUCCESS;
1647         }
1648
1649         return rc;
1650 }
1651
1652 static void call_group_postop_plugins( Operation *op )
1653 {
1654         (void) slapi_int_call_plugins( op->o_bd, SLAPI_X_PLUGIN_POST_GROUP_FN, op->o_pb );
1655 }
1656 #endif /* LDAP_SLAPI */
1657