]> git.sur5r.net Git - openldap/blob - servers/slapd/backend.c
Merge remote-tracking branch 'origin/mdb.master' into OPENLDAP_REL_ENG_2_5
[openldap] / servers / slapd / backend.c
1 /* backend.c - routines for dealing with back-end databases */
2 /* $OpenLDAP$ */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
4  *
5  * Copyright 1998-2014 The OpenLDAP Foundation.
6  * All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted only as authorized by the OpenLDAP
10  * Public License.
11  *
12  * A copy of this license is available in the file LICENSE in the
13  * top-level directory of the distribution or, alternatively, at
14  * <http://www.OpenLDAP.org/license.html>.
15  */
16 /* Portions Copyright (c) 1995 Regents of the University of Michigan.
17  * All rights reserved.
18  *
19  * Redistribution and use in source and binary forms are permitted
20  * provided that this notice is preserved and that due credit is given
21  * to the University of Michigan at Ann Arbor. The name of the University
22  * may not be used to endorse or promote products derived from this
23  * software without specific prior written permission. This software
24  * is provided ``as is'' without express or implied warranty.
25  */
26
27
28 #include "portable.h"
29
30 #include <stdio.h>
31
32 #include <ac/string.h>
33 #include <ac/socket.h>
34 #include <sys/stat.h>
35
36 #include "slap.h"
37 #include "config.h"
38 #include "lutil.h"
39 #include "lber_pvt.h"
40
41 /*
42  * If a module is configured as dynamic, its header should not
43  * get included into slapd. While this is a general rule and does
44  * not have much of an effect in UNIX, this rule should be adhered
45  * to for Windows, where dynamic object code should not be implicitly
46  * imported into slapd without appropriate __declspec(dllimport) directives.
47  */
48
49 int                     nBackendInfo = 0;
50 slap_bi_head backendInfo = LDAP_STAILQ_HEAD_INITIALIZER(backendInfo);
51
52 int                     nBackendDB = 0; 
53 slap_be_head backendDB = LDAP_STAILQ_HEAD_INITIALIZER(backendDB);
54
55 static int
56 backend_init_controls( BackendInfo *bi )
57 {
58         if ( bi->bi_controls ) {
59                 int     i;
60
61                 for ( i = 0; bi->bi_controls[ i ]; i++ ) {
62                         int     cid;
63
64                         if ( slap_find_control_id( bi->bi_controls[ i ], &cid )
65                                         == LDAP_CONTROL_NOT_FOUND )
66                         {
67                                 if ( !( slapMode & SLAP_TOOL_MODE ) ) {
68                                         assert( 0 );
69                                 }
70
71                                 return -1;
72                         }
73
74                         bi->bi_ctrls[ cid ] = 1;
75                 }
76         }
77
78         return 0;
79 }
80
81 int backend_init(void)
82 {
83         int rc = -1;
84         BackendInfo *bi;
85
86         if((nBackendInfo != 0) || !LDAP_STAILQ_EMPTY(&backendInfo)) {
87                 /* already initialized */
88                 Debug( LDAP_DEBUG_ANY,
89                         "backend_init: already initialized\n", 0, 0, 0 );
90                 return -1;
91         }
92
93         for( bi=slap_binfo; bi->bi_type != NULL; bi++,nBackendInfo++ ) {
94                 assert( bi->bi_init != 0 );
95
96                 rc = bi->bi_init( bi );
97
98                 if(rc != 0) {
99                         Debug( LDAP_DEBUG_ANY,
100                                 "backend_init: initialized for type \"%s\"\n",
101                                 bi->bi_type, 0, 0 );
102                         /* destroy those we've already inited */
103                         for( nBackendInfo--;
104                                 nBackendInfo >= 0 ;
105                                 nBackendInfo-- )
106                         { 
107                                 if ( slap_binfo[nBackendInfo].bi_destroy ) {
108                                         slap_binfo[nBackendInfo].bi_destroy(
109                                                 &slap_binfo[nBackendInfo] );
110                                 }
111                         }
112                         return rc;
113                 }
114
115                 LDAP_STAILQ_INSERT_TAIL(&backendInfo, bi, bi_next);
116         }
117
118         if ( nBackendInfo > 0) {
119                 return 0;
120         }
121
122 #ifdef SLAPD_MODULES    
123         return 0;
124 #else
125
126         Debug( LDAP_DEBUG_ANY,
127                 "backend_init: failed\n",
128                 0, 0, 0 );
129
130         return rc;
131 #endif /* SLAPD_MODULES */
132 }
133
134 int backend_add(BackendInfo *aBackendInfo)
135 {
136         int rc = 0;
137
138         if ( aBackendInfo->bi_init == NULL ) {
139                 Debug( LDAP_DEBUG_ANY, "backend_add: "
140                         "backend type \"%s\" does not have the (mandatory)init function\n",
141                         aBackendInfo->bi_type, 0, 0 );
142                 return -1;
143         }
144
145         rc = aBackendInfo->bi_init(aBackendInfo);
146         if ( rc != 0) {
147                 Debug( LDAP_DEBUG_ANY,
148                         "backend_add:  initialization for type \"%s\" failed\n",
149                         aBackendInfo->bi_type, 0, 0 );
150                 return rc;
151         }
152
153         (void)backend_init_controls( aBackendInfo );
154
155         /* now add the backend type to the Backend Info List */
156         LDAP_STAILQ_INSERT_TAIL( &backendInfo, aBackendInfo, bi_next );
157         nBackendInfo++;
158         return 0;
159 }
160
161 static int
162 backend_set_controls( BackendDB *be )
163 {
164         BackendInfo     *bi = be->bd_info;
165
166         /* back-relay takes care of itself; so may do other */
167         if ( overlay_is_over( be ) ) {
168                 bi = ((slap_overinfo *)be->bd_info->bi_private)->oi_orig;
169         }
170
171         if ( bi->bi_controls ) {
172                 if ( be->be_ctrls[ SLAP_MAX_CIDS ] == 0 ) {
173                         AC_MEMCPY( be->be_ctrls, bi->bi_ctrls,
174                                         sizeof( be->be_ctrls ) );
175                         be->be_ctrls[ SLAP_MAX_CIDS ] = 1;
176                         
177                 } else {
178                         int     i;
179                         
180                         for ( i = 0; i < SLAP_MAX_CIDS; i++ ) {
181                                 if ( bi->bi_ctrls[ i ] ) {
182                                         be->be_ctrls[ i ] = bi->bi_ctrls[ i ];
183                                 }
184                         }
185                 }
186
187         }
188
189         return 0;
190 }
191
192 /* startup a specific backend database */
193 int backend_startup_one(Backend *be, ConfigReply *cr)
194 {
195         int             rc = 0;
196
197         assert( be != NULL );
198
199         be->be_pending_csn_list = (struct be_pcl *)
200                 ch_calloc( 1, sizeof( struct be_pcl ) );
201
202         LDAP_TAILQ_INIT( be->be_pending_csn_list );
203
204         Debug( LDAP_DEBUG_TRACE,
205                 "backend_startup_one: starting \"%s\"\n",
206                 be->be_suffix ? be->be_suffix[0].bv_val : "(unknown)",
207                 0, 0 );
208
209         /* set database controls */
210         (void)backend_set_controls( be );
211
212 #if 0
213         if ( !BER_BVISEMPTY( &be->be_rootndn )
214                 && select_backend( &be->be_rootndn, 0 ) == be
215                 && BER_BVISNULL( &be->be_rootpw ) )
216         {
217                 /* warning: if rootdn entry is created,
218                  * it can take rootdn privileges;
219                  * set empty rootpw to prevent */
220         }
221 #endif
222
223         if ( be->bd_info->bi_db_open ) {
224                 rc = be->bd_info->bi_db_open( be, cr );
225                 if ( rc == 0 ) {
226                         (void)backend_set_controls( be );
227
228                 } else {
229                         char *type = be->bd_info->bi_type;
230                         char *suffix = "(null)";
231
232                         if ( overlay_is_over( be ) ) {
233                                 slap_overinfo   *oi = (slap_overinfo *)be->bd_info->bi_private;
234                                 type = oi->oi_orig->bi_type;
235                         }
236
237                         if ( be->be_suffix != NULL && !BER_BVISNULL( &be->be_suffix[0] ) ) {
238                                 suffix = be->be_suffix[0].bv_val;
239                         }
240
241                         Debug( LDAP_DEBUG_ANY,
242                                 "backend_startup_one (type=%s, suffix=\"%s\"): "
243                                 "bi_db_open failed! (%d)\n",
244                                 type, suffix, rc );
245                 }
246         }
247
248         return rc;
249 }
250
251 int backend_startup(Backend *be)
252 {
253         int i;
254         int rc = 0;
255         BackendInfo *bi;
256         ConfigReply cr={0, ""};
257
258         if( ! ( nBackendDB > 0 ) ) {
259                 /* no databases */
260                 Debug( LDAP_DEBUG_ANY,
261                         "backend_startup: %d databases to startup.\n",
262                         nBackendDB, 0, 0 );
263                 return 1;
264         }
265
266         if(be != NULL) {
267                 /* silent noop if disabled */
268                 if ( SLAP_DBDISABLED( be ))
269                         return 0;
270                 if ( be->bd_info->bi_open ) {
271                         rc = be->bd_info->bi_open( be->bd_info );
272                         if ( rc != 0 ) {
273                                 Debug( LDAP_DEBUG_ANY,
274                                         "backend_startup: bi_open failed!\n",
275                                         0, 0, 0 );
276
277                                 return rc;
278                         }
279                 }
280
281                 return backend_startup_one( be, &cr );
282         }
283
284         /* open frontend, if required */
285         if ( frontendDB->bd_info->bi_db_open ) {
286                 rc = frontendDB->bd_info->bi_db_open( frontendDB, &cr );
287                 if ( rc != 0 ) {
288                         Debug( LDAP_DEBUG_ANY,
289                                 "backend_startup: bi_db_open(frontend) failed! (%d)\n",
290                                 rc, 0, 0 );
291                         return rc;
292                 }
293         }
294
295         /* open each backend type */
296         i = -1;
297         LDAP_STAILQ_FOREACH(bi, &backendInfo, bi_next) {
298                 i++;
299                 if( bi->bi_nDB == 0) {
300                         /* no database of this type, don't open */
301                         continue;
302                 }
303
304                 if( bi->bi_open ) {
305                         rc = bi->bi_open( bi );
306                         if ( rc != 0 ) {
307                                 Debug( LDAP_DEBUG_ANY,
308                                         "backend_startup: bi_open %d (%s) failed!\n",
309                                         i, bi->bi_type, 0 );
310                                 return rc;
311                         }
312                 }
313
314                 (void)backend_init_controls( bi );
315         }
316
317         /* open each backend database */
318         i = -1;
319         LDAP_STAILQ_FOREACH(be, &backendDB, be_next) {
320                 i++;
321                 if ( SLAP_DBDISABLED( be ))
322                         continue;
323                 if ( be->be_suffix == NULL ) {
324                         Debug( LDAP_DEBUG_ANY,
325                                 "backend_startup: warning, database %d (%s) "
326                                 "has no suffix\n",
327                                 i, be->bd_info->bi_type, 0 );
328                 }
329
330                 rc = backend_startup_one( be, &cr );
331
332                 if ( rc ) return rc;
333         }
334
335         return rc;
336 }
337
338 int backend_num( Backend *be )
339 {
340         int i = 0;
341         BackendDB *b2;
342
343         if( be == NULL ) return -1;
344
345         LDAP_STAILQ_FOREACH( b2, &backendDB, be_next ) {
346                 if( be == b2 ) return i;
347                 i++;
348         }
349         return -1;
350 }
351
352 int backend_shutdown( Backend *be )
353 {
354         int rc = 0;
355         BackendInfo *bi;
356
357         if( be != NULL ) {
358                 /* shutdown a specific backend database */
359
360                 if ( be->bd_info->bi_nDB == 0 ) {
361                         /* no database of this type, we never opened it */
362                         return 0;
363                 }
364
365                 if ( be->bd_info->bi_db_close ) {
366                         rc = be->bd_info->bi_db_close( be, NULL );
367                         if ( rc ) return rc;
368                 }
369
370                 if( be->bd_info->bi_close ) {
371                         rc = be->bd_info->bi_close( be->bd_info );
372                         if ( rc ) return rc;
373                 }
374
375                 return 0;
376         }
377
378         /* close each backend database */
379         LDAP_STAILQ_FOREACH( be, &backendDB, be_next ) {
380                 if ( SLAP_DBDISABLED( be ))
381                         continue;
382                 if ( be->bd_info->bi_db_close ) {
383                         be->bd_info->bi_db_close( be, NULL );
384                 }
385
386                 if(rc != 0) {
387                         Debug( LDAP_DEBUG_ANY,
388                                 "backend_close: bi_db_close %s failed!\n",
389                                 be->be_type, 0, 0 );
390                 }
391         }
392
393         /* close each backend type */
394         LDAP_STAILQ_FOREACH( bi, &backendInfo, bi_next ) {
395                 if( bi->bi_nDB == 0 ) {
396                         /* no database of this type */
397                         continue;
398                 }
399
400                 if( bi->bi_close ) {
401                         bi->bi_close( bi );
402                 }
403         }
404
405         /* close frontend, if required */
406         if ( frontendDB->bd_info->bi_db_close ) {
407                 rc = frontendDB->bd_info->bi_db_close ( frontendDB, NULL );
408                 if ( rc != 0 ) {
409                         Debug( LDAP_DEBUG_ANY,
410                                 "backend_startup: bi_db_close(frontend) failed! (%d)\n",
411                                 rc, 0, 0 );
412                 }
413         }
414
415         return 0;
416 }
417
418 /*
419  * This function is supposed to be the exact counterpart
420  * of backend_startup_one(), although this one calls bi_db_destroy()
421  * while backend_startup_one() calls bi_db_open().
422  *
423  * Make sure backend_stopdown_one() destroys resources allocated
424  * by backend_startup_one(); only call backend_destroy_one() when
425  * all stuff in a BackendDB needs to be destroyed
426  */
427 void
428 backend_stopdown_one( BackendDB *bd )
429 {
430         if ( bd->be_pending_csn_list ) {
431                 struct slap_csn_entry *csne;
432                 csne = LDAP_TAILQ_FIRST( bd->be_pending_csn_list );
433                 while ( csne ) {
434                         struct slap_csn_entry *tmp_csne = csne;
435
436                         LDAP_TAILQ_REMOVE( bd->be_pending_csn_list, csne, ce_csn_link );
437                         ch_free( csne->ce_csn.bv_val );
438                         csne = LDAP_TAILQ_NEXT( csne, ce_csn_link );
439                         ch_free( tmp_csne );
440                 }
441                 ch_free( bd->be_pending_csn_list );
442         }
443
444         if ( bd->bd_info->bi_db_destroy ) {
445                 bd->bd_info->bi_db_destroy( bd, NULL );
446         }
447 }
448
449 void backend_destroy_one( BackendDB *bd, int dynamic )
450 {
451         if ( dynamic ) {
452                 LDAP_STAILQ_REMOVE(&backendDB, bd, BackendDB, be_next );
453         }
454
455         if ( bd->be_syncinfo ) {
456                 syncinfo_free( bd->be_syncinfo, 1 );
457         }
458
459         backend_stopdown_one( bd );
460
461         ber_bvarray_free( bd->be_suffix );
462         ber_bvarray_free( bd->be_nsuffix );
463         if ( !BER_BVISNULL( &bd->be_rootdn ) ) {
464                 free( bd->be_rootdn.bv_val );
465         }
466         if ( !BER_BVISNULL( &bd->be_rootndn ) ) {
467                 free( bd->be_rootndn.bv_val );
468         }
469         if ( !BER_BVISNULL( &bd->be_rootpw ) ) {
470                 free( bd->be_rootpw.bv_val );
471         }
472         acl_destroy( bd->be_acl );
473         limits_destroy( bd->be_limits );
474         if ( bd->be_extra_anlist ) {
475                 anlist_free( bd->be_extra_anlist, 1, NULL );
476         }
477         if ( !BER_BVISNULL( &bd->be_update_ndn ) ) {
478                 ch_free( bd->be_update_ndn.bv_val );
479         }
480         if ( bd->be_update_refs ) {
481                 ber_bvarray_free( bd->be_update_refs );
482         }
483
484         ldap_pvt_thread_mutex_destroy( &bd->be_pcl_mutex );
485
486         if ( dynamic ) {
487                 free( bd );
488         }
489 }
490
491 int backend_destroy(void)
492 {
493         BackendDB *bd;
494         BackendInfo *bi;
495
496         /* destroy each backend database */
497         while (( bd = LDAP_STAILQ_FIRST(&backendDB))) {
498                 backend_destroy_one( bd, 1 );
499         }
500
501         /* destroy each backend type */
502         LDAP_STAILQ_FOREACH( bi, &backendInfo, bi_next ) {
503                 if( bi->bi_destroy ) {
504                         bi->bi_destroy( bi );
505                 }
506         }
507
508         nBackendInfo = 0;
509         LDAP_STAILQ_INIT(&backendInfo);
510
511         /* destroy frontend database */
512         bd = frontendDB;
513         if ( bd ) {
514                 if ( bd->bd_info->bi_db_destroy ) {
515                         bd->bd_info->bi_db_destroy( bd, NULL );
516                 }
517                 ber_bvarray_free( bd->be_suffix );
518                 ber_bvarray_free( bd->be_nsuffix );
519                 if ( !BER_BVISNULL( &bd->be_rootdn ) ) {
520                         free( bd->be_rootdn.bv_val );
521                 }
522                 if ( !BER_BVISNULL( &bd->be_rootndn ) ) {
523                         free( bd->be_rootndn.bv_val );
524                 }
525                 if ( !BER_BVISNULL( &bd->be_rootpw ) ) {
526                         free( bd->be_rootpw.bv_val );
527                 }
528                 acl_destroy( bd->be_acl );
529                 frontendDB = NULL;
530         }
531
532         return 0;
533 }
534
535 BackendInfo* backend_info(const char *type)
536 {
537         BackendInfo *bi;
538
539         /* search for the backend type */
540         LDAP_STAILQ_FOREACH(bi,&backendInfo,bi_next) {
541                 if( strcasecmp(bi->bi_type, type) == 0 ) {
542                         return bi;
543                 }
544         }
545
546         return NULL;
547 }
548
549 void
550 backend_db_insert(
551         BackendDB *be,
552         int idx
553 )
554 {
555         /* If idx < 0, just add to end of list */
556         if ( idx < 0 ) {
557                 LDAP_STAILQ_INSERT_TAIL(&backendDB, be, be_next);
558         } else if ( idx == 0 ) {
559                 LDAP_STAILQ_INSERT_HEAD(&backendDB, be, be_next);
560         } else {
561                 int i;
562                 BackendDB *b2;
563
564                 b2 = LDAP_STAILQ_FIRST(&backendDB);
565                 idx--;
566                 for (i=0; i<idx; i++) {
567                         b2 = LDAP_STAILQ_NEXT(b2, be_next);
568                 }
569                 LDAP_STAILQ_INSERT_AFTER(&backendDB, b2, be, be_next);
570         }
571 }
572
573 void
574 backend_db_move(
575         BackendDB *be,
576         int idx
577 )
578 {
579         LDAP_STAILQ_REMOVE(&backendDB, be, BackendDB, be_next);
580         backend_db_insert(be, idx);
581 }
582
583 BackendDB *
584 backend_db_init(
585     const char  *type,
586         BackendDB *b0,
587         int idx,
588         ConfigReply *cr)
589 {
590         BackendInfo *bi = backend_info(type);
591         BackendDB *be = b0;
592         int     rc = 0;
593
594         if( bi == NULL ) {
595                 fprintf( stderr, "Unrecognized database type (%s)\n", type );
596                 return NULL;
597         }
598
599         /* If be is provided, treat it as private. Otherwise allocate
600          * one and add it to the global list.
601          */
602         if ( !be ) {
603                 be = ch_calloc( 1, sizeof(Backend) );
604                 /* Just append */
605                 if ( idx >= nbackends )
606                         idx = -1;
607                 nbackends++;
608                 backend_db_insert( be, idx );
609         }
610
611         be->bd_info = bi;
612         be->bd_self = be;
613
614         be->be_def_limit = frontendDB->be_def_limit;
615         be->be_dfltaccess = frontendDB->be_dfltaccess;
616
617         be->be_restrictops = frontendDB->be_restrictops;
618         be->be_requires = frontendDB->be_requires;
619         be->be_ssf_set = frontendDB->be_ssf_set;
620
621         ldap_pvt_thread_mutex_init( &be->be_pcl_mutex );
622
623         /* assign a default depth limit for alias deref */
624         be->be_max_deref_depth = SLAPD_DEFAULT_MAXDEREFDEPTH; 
625
626         if ( bi->bi_db_init ) {
627                 rc = bi->bi_db_init( be, cr );
628         }
629
630         if ( rc != 0 ) {
631                 fprintf( stderr, "database init failed (%s)\n", type );
632                 /* If we created and linked this be, remove it and free it */
633                 if ( !b0 ) {
634                         LDAP_STAILQ_REMOVE(&backendDB, be, BackendDB, be_next);
635                         ldap_pvt_thread_mutex_destroy( &be->be_pcl_mutex );
636                         ch_free( be );
637                         be = NULL;
638                         nbackends--;
639                 }
640         } else {
641                 if ( !bi->bi_nDB ) {
642                         backend_init_controls( bi );
643                 }
644                 bi->bi_nDB++;
645         }
646         return( be );
647 }
648
649 void
650 be_db_close( void )
651 {
652         BackendDB *be;
653
654         LDAP_STAILQ_FOREACH( be, &backendDB, be_next ) {
655                 if ( be->bd_info->bi_db_close ) {
656                         be->bd_info->bi_db_close( be, NULL );
657                 }
658         }
659
660         if ( frontendDB->bd_info->bi_db_close ) {
661                 frontendDB->bd_info->bi_db_close( frontendDB, NULL );
662         }
663
664 }
665
666 Backend *
667 select_backend(
668         struct berval * dn,
669         int noSubs )
670 {
671         int             j;
672         ber_len_t       len, dnlen = dn->bv_len;
673         Backend         *be;
674
675         LDAP_STAILQ_FOREACH( be, &backendDB, be_next ) {
676                 if ( be->be_nsuffix == NULL || SLAP_DBHIDDEN( be ) || SLAP_DBDISABLED( be )) {
677                         continue;
678                 }
679
680                 for ( j = 0; !BER_BVISNULL( &be->be_nsuffix[j] ); j++ )
681                 {
682                         if ( ( SLAP_GLUE_SUBORDINATE( be ) ) && noSubs )
683                         {
684                                 continue;
685                         }
686
687                         len = be->be_nsuffix[j].bv_len;
688
689                         if ( len > dnlen ) {
690                                 /* suffix is longer than DN */
691                                 continue;
692                         }
693                         
694                         /*
695                          * input DN is normalized, so the separator check
696                          * need not look at escaping
697                          */
698                         if ( len && len < dnlen &&
699                                 !DN_SEPARATOR( dn->bv_val[(dnlen-len)-1] ))
700                         {
701                                 continue;
702                         }
703
704                         if ( strcmp( be->be_nsuffix[j].bv_val,
705                                 &dn->bv_val[dnlen-len] ) == 0 )
706                         {
707                                 return be;
708                         }
709                 }
710         }
711
712         return be;
713 }
714
715 int
716 be_issuffix(
717     Backend *be,
718     struct berval *bvsuffix )
719 {
720         int     i;
721
722         if ( be->be_nsuffix == NULL ) {
723                 return 0;
724         }
725
726         for ( i = 0; !BER_BVISNULL( &be->be_nsuffix[i] ); i++ ) {
727                 if ( bvmatch( &be->be_nsuffix[i], bvsuffix ) ) {
728                         return 1;
729                 }
730         }
731
732         return 0;
733 }
734
735 int
736 be_issubordinate(
737     Backend *be,
738     struct berval *bvsubordinate )
739 {
740         int     i;
741
742         if ( be->be_nsuffix == NULL ) {
743                 return 0;
744         }
745
746         for ( i = 0; !BER_BVISNULL( &be->be_nsuffix[i] ); i++ ) {
747                 if ( dnIsSuffix( bvsubordinate, &be->be_nsuffix[i] ) ) {
748                         return 1;
749                 }
750         }
751
752         return 0;
753 }
754
755 int
756 be_isroot_dn( Backend *be, struct berval *ndn )
757 {
758         if ( BER_BVISEMPTY( ndn ) || BER_BVISEMPTY( &be->be_rootndn ) ) {
759                 return 0;
760         }
761
762         return dn_match( &be->be_rootndn, ndn );
763 }
764
765 int
766 be_slurp_update( Operation *op )
767 {
768         return ( SLAP_SLURP_SHADOW( op->o_bd ) &&
769                 be_isupdate_dn( op->o_bd, &op->o_ndn ) );
770 }
771
772 int
773 be_shadow_update( Operation *op )
774 {
775         /* This assumes that all internal ops (connid <= -1000) on a syncrepl
776          * database are syncrepl operations.
777          */
778         return ( ( SLAP_SYNC_SHADOW( op->o_bd ) && SLAPD_SYNC_IS_SYNCCONN( op->o_connid ) ) ||
779                 ( SLAP_SHADOW( op->o_bd ) && be_isupdate_dn( op->o_bd, &op->o_ndn ) ) );
780 }
781
782 int
783 be_isupdate_dn( Backend *be, struct berval *ndn )
784 {
785         if ( BER_BVISEMPTY( ndn ) || BER_BVISEMPTY( &be->be_update_ndn ) ) {
786                 return 0;
787         }
788
789         return dn_match( &be->be_update_ndn, ndn );
790 }
791
792 struct berval *
793 be_root_dn( Backend *be )
794 {
795         return &be->be_rootdn;
796 }
797
798 int
799 be_isroot( Operation *op )
800 {
801         return be_isroot_dn( op->o_bd, &op->o_ndn );
802 }
803
804 int
805 be_isroot_pw( Operation *op )
806 {
807         return be_rootdn_bind( op, NULL ) == LDAP_SUCCESS;
808 }
809
810 /*
811  * checks if binding as rootdn
812  *
813  * return value:
814  *      SLAP_CB_CONTINUE                if not the rootdn, or if rootpw is null
815  *      LDAP_SUCCESS                    if rootdn & rootpw
816  *      LDAP_INVALID_CREDENTIALS        if rootdn & !rootpw
817  *
818  * if rs != NULL
819  *      if LDAP_SUCCESS, op->orb_edn is set
820  *      if LDAP_INVALID_CREDENTIALS, response is sent to client
821  */
822 int
823 be_rootdn_bind( Operation *op, SlapReply *rs )
824 {
825         int             rc;
826 #ifdef SLAPD_SPASSWD
827         void    *old_authctx = NULL;
828 #endif
829
830         assert( op->o_tag == LDAP_REQ_BIND );
831         assert( op->orb_method == LDAP_AUTH_SIMPLE );
832
833         if ( !be_isroot_dn( op->o_bd, &op->o_req_ndn ) ) {
834                 return SLAP_CB_CONTINUE;
835         }
836
837         if ( BER_BVISNULL( &op->o_bd->be_rootpw ) ) {
838                 /* give the database a chance */
839                 return SLAP_CB_CONTINUE;
840         }
841
842         if ( BER_BVISEMPTY( &op->o_bd->be_rootpw ) ) {
843                 /* rootdn bind explicitly disallowed */
844                 rc = LDAP_INVALID_CREDENTIALS;
845                 if ( rs ) {
846                         goto send_result;
847                 }
848
849                 return rc;
850         }
851
852 #ifdef SLAPD_SPASSWD
853         ldap_pvt_thread_pool_setkey( op->o_threadctx, (void *)slap_sasl_bind,
854                 op->o_conn->c_sasl_authctx, 0, &old_authctx, NULL );
855 #endif
856
857         rc = lutil_passwd( &op->o_bd->be_rootpw, &op->orb_cred, NULL, NULL );
858
859 #ifdef SLAPD_SPASSWD
860         ldap_pvt_thread_pool_setkey( op->o_threadctx, (void *)slap_sasl_bind,
861                 old_authctx, 0, NULL, NULL );
862 #endif
863
864         rc = ( rc == 0 ? LDAP_SUCCESS : LDAP_INVALID_CREDENTIALS );
865         if ( rs ) {
866 send_result:;
867                 rs->sr_err = rc;
868
869                 Debug( LDAP_DEBUG_TRACE, "%s: rootdn=\"%s\" bind%s\n", 
870                         op->o_log_prefix, op->o_bd->be_rootdn.bv_val,
871                         rc == LDAP_SUCCESS ? " succeeded" : " failed" );
872
873                 if ( rc == LDAP_SUCCESS ) {
874                         /* Set to the pretty rootdn */
875                         ber_dupbv( &op->orb_edn, &op->o_bd->be_rootdn );
876
877                 } else {
878                         send_ldap_result( op, rs );
879                 }
880         }
881
882         return rc;
883 }
884
885 /* Inlined in proto-slap.h, sans assertions, when !(USE_RS_ASSERT) */
886 int
887 (slap_bi_op)(
888         BackendInfo *bi,
889         slap_operation_t which,
890         Operation *op,
891         SlapReply *rs )
892 {
893         int rc;
894 #ifndef slap_bi_op
895         void (*rsCheck)( const SlapReply *rs ) =
896                 which < op_aux_operational ? rs_assert_ready : rs_assert_ok;
897 #else
898 #       define rsCheck(rs) ((void) 0)
899 #endif
900         BI_op_func *fn;
901
902         assert( bi != NULL );
903         assert( (unsigned) which < (unsigned) op_last );
904
905         fn = (&bi->bi_op_bind)[ which ];
906
907         assert( op != NULL );
908         assert( rs != NULL );
909         assert( fn != 0 );
910         rsCheck( rs );
911
912         rc = fn( op, rs );
913
914 #ifndef slap_bi_op
915         if ( rc != SLAP_CB_CONTINUE && rc != SLAP_CB_BYPASS ) {
916                 int err = rs->sr_err;
917
918                 if ( 0 )        /* TODO */
919                 if ( err == LDAP_COMPARE_TRUE || err == LDAP_COMPARE_FALSE ) {
920                         assert( which == op_compare );
921                         assert( rc == LDAP_SUCCESS );
922                 }
923
924                 rsCheck = which < op_extended ? rs_assert_done : rs_assert_ok;
925                 if ( which == op_aux_chk_referrals ) {
926                         if      ( rc == LDAP_SUCCESS  ) rsCheck = rs_assert_ready;
927                         else if ( rc == LDAP_REFERRAL ) rsCheck = rs_assert_done;
928                 } else if ( which == op_bind ) {
929                         if      ( rc == LDAP_SUCCESS  ) rsCheck = rs_assert_ok;
930                 }
931
932                 /* TODO: Just what is the relation between rc and rs->sr_err? */
933                 if ( rc != err &&
934                         (rc != LDAP_SUCCESS ||
935                          (err != LDAP_COMPARE_TRUE && err != LDAP_COMPARE_FALSE)) )
936                 {
937                         rs->sr_err = rc;
938                         rsCheck( rs );
939                         rs->sr_err = err;
940                 }
941         }
942         rsCheck( rs );
943 #endif
944
945         return rc;
946 }
947
948 int
949 be_entry_release_rw(
950         Operation *op,
951         Entry *e,
952         int rw )
953 {
954         if ( op->o_bd->be_release ) {
955                 /* free and release entry from backend */
956                 return op->o_bd->be_release( op, e, rw );
957         } else {
958                 /* free entry */
959                 entry_free( e );
960                 return 0;
961         }
962 }
963
964 int
965 backend_unbind( Operation *op, SlapReply *rs )
966 {
967         BackendDB *be;
968
969         LDAP_STAILQ_FOREACH( be, &backendDB, be_next ) {
970                 if ( be->be_unbind ) {
971                         op->o_bd = be;
972                         be->be_unbind( op, rs );
973                 }
974         }
975
976         return 0;
977 }
978
979 int
980 backend_connection_init(
981         Connection   *conn )
982 {
983         BackendDB *be;
984
985         LDAP_STAILQ_FOREACH( be, &backendDB, be_next ) {
986                 if ( be->be_connection_init ) {
987                         be->be_connection_init( be, conn );
988                 }
989         }
990
991         return 0;
992 }
993
994 int
995 backend_connection_destroy(
996         Connection   *conn )
997 {
998         BackendDB *be;
999
1000         LDAP_STAILQ_FOREACH( be, &backendDB, be_next ) {
1001                 if ( be->be_connection_destroy ) {
1002                         be->be_connection_destroy( be, conn);
1003                 }
1004         }
1005
1006         return 0;
1007 }
1008
1009 int
1010 backend_check_controls(
1011         Operation *op,
1012         SlapReply *rs )
1013 {
1014         LDAPControl **ctrls = op->o_ctrls;
1015         rs->sr_err = LDAP_SUCCESS;
1016
1017         if( ctrls ) {
1018                 for( ; *ctrls != NULL ; ctrls++ ) {
1019                         int cid;
1020
1021                         switch ( slap_global_control( op, (*ctrls)->ldctl_oid, &cid ) ) {
1022                         case LDAP_CONTROL_NOT_FOUND:
1023                                 /* unrecognized control */ 
1024                                 if ( (*ctrls)->ldctl_iscritical ) {
1025                                         /* should not be reachable */ 
1026                                         Debug( LDAP_DEBUG_ANY, "backend_check_controls: "
1027                                                 "unrecognized critical control: %s\n",
1028                                                 (*ctrls)->ldctl_oid, 0, 0 );
1029                                         assert( 0 );
1030                                 } else {
1031                                         Debug( LDAP_DEBUG_TRACE, "backend_check_controls: "
1032                                                 "unrecognized non-critical control: %s\n",
1033                                                 (*ctrls)->ldctl_oid, 0, 0 );
1034                                 }
1035                                 break;
1036
1037                         case LDAP_COMPARE_FALSE:
1038                                 if ( !op->o_bd->be_ctrls[cid] && (*ctrls)->ldctl_iscritical ) {
1039 #ifdef SLAP_CONTROL_X_WHATFAILED
1040                                         if ( get_whatFailed( op ) ) {
1041                                                 char *oids[ 2 ];
1042                                                 oids[ 0 ] = (*ctrls)->ldctl_oid;
1043                                                 oids[ 1 ] = NULL;
1044                                                 slap_ctrl_whatFailed_add( op, rs, oids );
1045                                         }
1046 #endif
1047                                         /* RFC 4511 allows unavailableCriticalExtension to be
1048                                          * returned when the server is unwilling to perform
1049                                          * an operation extended by a recognized critical
1050                                          * control.
1051                                          */
1052                                         rs->sr_text = "critical control unavailable in context";
1053                                         rs->sr_err = LDAP_UNAVAILABLE_CRITICAL_EXTENSION;
1054                                         goto done;
1055                                 }
1056                                 break;
1057
1058                         case LDAP_COMPARE_TRUE:
1059                                 break;
1060
1061                         default:
1062                                 /* unreachable */
1063                                 Debug( LDAP_DEBUG_ANY,
1064                                         "backend_check_controls: unable to check control: %s\n",
1065                                         (*ctrls)->ldctl_oid, 0, 0 );
1066                                 assert( 0 );
1067
1068                                 rs->sr_text = "unable to check control";
1069                                 rs->sr_err = LDAP_OTHER;
1070                                 goto done;
1071                         }
1072                 }
1073         }
1074
1075 #if 0 /* temporarily removed */
1076         /* check should be generalized */
1077         if( get_relax(op) && !be_isroot(op)) {
1078                 rs->sr_text = "requires manager authorization";
1079                 rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
1080         }
1081 #endif
1082
1083 done:;
1084         return rs->sr_err;
1085 }
1086
1087 int
1088 backend_check_restrictions(
1089         Operation *op,
1090         SlapReply *rs,
1091         struct berval *opdata )
1092 {
1093         slap_mask_t restrictops;
1094         slap_mask_t requires;
1095         slap_mask_t opflag;
1096         slap_mask_t exopflag = 0;
1097         slap_ssf_set_t ssfs, *ssf;
1098         int updateop = 0;
1099         int starttls = 0;
1100         int session = 0;
1101
1102         restrictops = frontendDB->be_restrictops;
1103         requires = frontendDB->be_requires;
1104         ssfs = frontendDB->be_ssf_set;
1105         ssf = &ssfs;
1106
1107         if ( op->o_bd ) {
1108                 slap_ssf_t *fssf, *bssf;
1109                 int     rc = SLAP_CB_CONTINUE, i;
1110
1111                 if ( op->o_bd->be_chk_controls ) {
1112                         rc = ( *op->o_bd->be_chk_controls )( op, rs );
1113                 }
1114
1115                 if ( rc == SLAP_CB_CONTINUE ) {
1116                         rc = backend_check_controls( op, rs );
1117                 }
1118
1119                 if ( rc != LDAP_SUCCESS ) {
1120                         return rs->sr_err;
1121                 }
1122
1123                 restrictops |= op->o_bd->be_restrictops;
1124                 requires |= op->o_bd->be_requires;
1125                 bssf = &op->o_bd->be_ssf_set.sss_ssf;
1126                 fssf = &ssfs.sss_ssf;
1127                 for ( i=0; i < (int)(sizeof(ssfs)/sizeof(slap_ssf_t)); i++ ) {
1128                         if ( bssf[i] ) fssf[i] = bssf[i];
1129                 }
1130         }
1131
1132         switch( op->o_tag ) {
1133         case LDAP_REQ_ADD:
1134                 opflag = SLAP_RESTRICT_OP_ADD;
1135                 updateop++;
1136                 break;
1137         case LDAP_REQ_BIND:
1138                 opflag = SLAP_RESTRICT_OP_BIND;
1139                 session++;
1140                 break;
1141         case LDAP_REQ_COMPARE:
1142                 opflag = SLAP_RESTRICT_OP_COMPARE;
1143                 break;
1144         case LDAP_REQ_DELETE:
1145                 updateop++;
1146                 opflag = SLAP_RESTRICT_OP_DELETE;
1147                 break;
1148         case LDAP_REQ_EXTENDED:
1149                 opflag = SLAP_RESTRICT_OP_EXTENDED;
1150
1151                 if( !opdata ) {
1152                         /* treat unspecified as a modify */
1153                         opflag = SLAP_RESTRICT_OP_MODIFY;
1154                         updateop++;
1155                         break;
1156                 }
1157
1158                 if( bvmatch( opdata, &slap_EXOP_START_TLS ) ) {
1159                         session++;
1160                         starttls++;
1161                         exopflag = SLAP_RESTRICT_EXOP_START_TLS;
1162                         break;
1163                 }
1164
1165                 if( bvmatch( opdata, &slap_EXOP_WHOAMI ) ) {
1166                         exopflag = SLAP_RESTRICT_EXOP_WHOAMI;
1167                         break;
1168                 }
1169
1170                 if ( bvmatch( opdata, &slap_EXOP_CANCEL ) ) {
1171                         exopflag = SLAP_RESTRICT_EXOP_CANCEL;
1172                         break;
1173                 }
1174
1175                 if ( bvmatch( opdata, &slap_EXOP_MODIFY_PASSWD ) ) {
1176                         exopflag = SLAP_RESTRICT_EXOP_MODIFY_PASSWD;
1177                         updateop++;
1178                         break;
1179                 }
1180
1181                 /* treat everything else as a modify */
1182                 opflag = SLAP_RESTRICT_OP_MODIFY;
1183                 updateop++;
1184                 break;
1185
1186         case LDAP_REQ_MODIFY:
1187                 updateop++;
1188                 opflag = SLAP_RESTRICT_OP_MODIFY;
1189                 break;
1190         case LDAP_REQ_RENAME:
1191                 updateop++;
1192                 opflag = SLAP_RESTRICT_OP_RENAME;
1193                 break;
1194         case LDAP_REQ_SEARCH:
1195                 opflag = SLAP_RESTRICT_OP_SEARCH;
1196                 break;
1197         case LDAP_REQ_UNBIND:
1198                 session++;
1199                 opflag = 0;
1200                 break;
1201         default:
1202                 rs->sr_text = "restrict operations internal error";
1203                 rs->sr_err = LDAP_OTHER;
1204                 return rs->sr_err;
1205         }
1206
1207         if ( !starttls ) {
1208                 /* these checks don't apply to StartTLS */
1209
1210                 rs->sr_err = LDAP_CONFIDENTIALITY_REQUIRED;
1211                 if( op->o_transport_ssf < ssf->sss_transport ) {
1212                         rs->sr_text = op->o_transport_ssf
1213                                 ? "stronger transport confidentiality required"
1214                                 : "transport confidentiality required";
1215                         return rs->sr_err;
1216                 }
1217
1218                 if( op->o_tls_ssf < ssf->sss_tls ) {
1219                         rs->sr_text = op->o_tls_ssf
1220                                 ? "stronger TLS confidentiality required"
1221                                 : "TLS confidentiality required";
1222                         return rs->sr_err;
1223                 }
1224
1225
1226                 if( op->o_tag == LDAP_REQ_BIND && opdata == NULL ) {
1227                         /* simple bind specific check */
1228                         if( op->o_ssf < ssf->sss_simple_bind ) {
1229                                 rs->sr_text = op->o_ssf
1230                                         ? "stronger confidentiality required"
1231                                         : "confidentiality required";
1232                                 return rs->sr_err;
1233                         }
1234                 }
1235
1236                 if( op->o_tag != LDAP_REQ_BIND || opdata == NULL ) {
1237                         /* these checks don't apply to SASL bind */
1238
1239                         if( op->o_sasl_ssf < ssf->sss_sasl ) {
1240                                 rs->sr_text = op->o_sasl_ssf
1241                                         ? "stronger SASL confidentiality required"
1242                                         : "SASL confidentiality required";
1243                                 return rs->sr_err;
1244                         }
1245
1246                         if( op->o_ssf < ssf->sss_ssf ) {
1247                                 rs->sr_text = op->o_ssf
1248                                         ? "stronger confidentiality required"
1249                                         : "confidentiality required";
1250                                 return rs->sr_err;
1251                         }
1252                 }
1253
1254                 if( updateop ) {
1255                         if( op->o_transport_ssf < ssf->sss_update_transport ) {
1256                                 rs->sr_text = op->o_transport_ssf
1257                                         ? "stronger transport confidentiality required for update"
1258                                         : "transport confidentiality required for update";
1259                                 return rs->sr_err;
1260                         }
1261
1262                         if( op->o_tls_ssf < ssf->sss_update_tls ) {
1263                                 rs->sr_text = op->o_tls_ssf
1264                                         ? "stronger TLS confidentiality required for update"
1265                                         : "TLS confidentiality required for update";
1266                                 return rs->sr_err;
1267                         }
1268
1269                         if( op->o_sasl_ssf < ssf->sss_update_sasl ) {
1270                                 rs->sr_text = op->o_sasl_ssf
1271                                         ? "stronger SASL confidentiality required for update"
1272                                         : "SASL confidentiality required for update";
1273                                 return rs->sr_err;
1274                         }
1275
1276                         if( op->o_ssf < ssf->sss_update_ssf ) {
1277                                 rs->sr_text = op->o_ssf
1278                                         ? "stronger confidentiality required for update"
1279                                         : "confidentiality required for update";
1280                                 return rs->sr_err;
1281                         }
1282
1283                         if( !( global_allows & SLAP_ALLOW_UPDATE_ANON ) &&
1284                                 BER_BVISEMPTY( &op->o_ndn ) )
1285                         {
1286                                 rs->sr_text = "modifications require authentication";
1287                                 rs->sr_err = LDAP_STRONG_AUTH_REQUIRED;
1288                                 return rs->sr_err;
1289                         }
1290
1291 #ifdef SLAP_X_LISTENER_MOD
1292                         if ( op->o_conn->c_listener &&
1293                                 ! ( op->o_conn->c_listener->sl_perms & ( !BER_BVISEMPTY( &op->o_ndn )
1294                                         ? (S_IWUSR|S_IWOTH) : S_IWOTH ) ) )
1295                         {
1296                                 /* no "w" mode means readonly */
1297                                 rs->sr_text = "modifications not allowed on this listener";
1298                                 rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
1299                                 return rs->sr_err;
1300                         }
1301 #endif /* SLAP_X_LISTENER_MOD */
1302                 }
1303         }
1304
1305         if ( !session ) {
1306                 /* these checks don't apply to Bind, StartTLS, or Unbind */
1307
1308                 if( requires & SLAP_REQUIRE_STRONG ) {
1309                         /* should check mechanism */
1310                         if( ( op->o_transport_ssf < ssf->sss_transport
1311                                 && op->o_authtype == LDAP_AUTH_SIMPLE )
1312                                 || BER_BVISEMPTY( &op->o_dn ) )
1313                         {
1314                                 rs->sr_text = "strong(er) authentication required";
1315                                 rs->sr_err = LDAP_STRONG_AUTH_REQUIRED;
1316                                 return rs->sr_err;
1317                         }
1318                 }
1319
1320                 if( requires & SLAP_REQUIRE_SASL ) {
1321                         if( op->o_authtype != LDAP_AUTH_SASL || BER_BVISEMPTY( &op->o_dn ) ) {
1322                                 rs->sr_text = "SASL authentication required";
1323                                 rs->sr_err = LDAP_STRONG_AUTH_REQUIRED;
1324                                 return rs->sr_err;
1325                         }
1326                 }
1327                         
1328                 if( requires & SLAP_REQUIRE_AUTHC ) {
1329                         if( BER_BVISEMPTY( &op->o_dn ) ) {
1330                                 rs->sr_text = "authentication required";
1331                                 rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
1332                                 return rs->sr_err;
1333                         }
1334                 }
1335
1336                 if( requires & SLAP_REQUIRE_BIND ) {
1337                         int version;
1338                         ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex );
1339                         version = op->o_conn->c_protocol;
1340                         ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex );
1341
1342                         if( !version ) {
1343                                 /* no bind has occurred */
1344                                 rs->sr_text = "BIND required";
1345                                 rs->sr_err = LDAP_OPERATIONS_ERROR;
1346                                 return rs->sr_err;
1347                         }
1348                 }
1349
1350                 if( requires & SLAP_REQUIRE_LDAP_V3 ) {
1351                         if( op->o_protocol < LDAP_VERSION3 ) {
1352                                 /* no bind has occurred */
1353                                 rs->sr_text = "operation restricted to LDAPv3 clients";
1354                                 rs->sr_err = LDAP_OPERATIONS_ERROR;
1355                                 return rs->sr_err;
1356                         }
1357                 }
1358
1359 #ifdef SLAP_X_LISTENER_MOD
1360                 if ( !starttls && BER_BVISEMPTY( &op->o_dn ) ) {
1361                         if ( op->o_conn->c_listener &&
1362                                 !( op->o_conn->c_listener->sl_perms & S_IXOTH ))
1363                 {
1364                                 /* no "x" mode means bind required */
1365                                 rs->sr_text = "bind required on this listener";
1366                                 rs->sr_err = LDAP_STRONG_AUTH_REQUIRED;
1367                                 return rs->sr_err;
1368                         }
1369                 }
1370
1371                 if ( !starttls && !updateop ) {
1372                         if ( op->o_conn->c_listener &&
1373                                 !( op->o_conn->c_listener->sl_perms &
1374                                         ( !BER_BVISEMPTY( &op->o_dn )
1375                                                 ? (S_IRUSR|S_IROTH) : S_IROTH )))
1376                         {
1377                                 /* no "r" mode means no read */
1378                                 rs->sr_text = "read not allowed on this listener";
1379                                 rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
1380                                 return rs->sr_err;
1381                         }
1382                 }
1383 #endif /* SLAP_X_LISTENER_MOD */
1384
1385         }
1386
1387         if( ( restrictops & opflag )
1388                         || ( exopflag && ( restrictops & exopflag ) )
1389                         || (( restrictops & SLAP_RESTRICT_READONLY ) && updateop )) {
1390                 if( ( restrictops & SLAP_RESTRICT_OP_MASK) == SLAP_RESTRICT_OP_READS ) {
1391                         rs->sr_text = "read operations restricted";
1392                 } else if ( restrictops & exopflag ) {
1393                         rs->sr_text = "extended operation restricted";
1394                 } else {
1395                         rs->sr_text = "operation restricted";
1396                 }
1397                 rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
1398                 return rs->sr_err;
1399         }
1400
1401         rs->sr_err = LDAP_SUCCESS;
1402         return rs->sr_err;
1403 }
1404
1405 int backend_check_referrals( Operation *op, SlapReply *rs )
1406 {
1407         rs->sr_err = LDAP_SUCCESS;
1408
1409         if( op->o_bd->be_chk_referrals ) {
1410                 rs->sr_err = op->o_bd->be_chk_referrals( op, rs );
1411
1412                 if( rs->sr_err != LDAP_SUCCESS && rs->sr_err != LDAP_REFERRAL ) {
1413                         send_ldap_result( op, rs );
1414                 }
1415         }
1416
1417         return rs->sr_err;
1418 }
1419
1420 int
1421 be_entry_get_rw(
1422         Operation *op,
1423         struct berval *ndn,
1424         ObjectClass *oc,
1425         AttributeDescription *at,
1426         int rw,
1427         Entry **e )
1428 {
1429         *e = NULL;
1430
1431         if ( op->o_bd == NULL ) {
1432                 return LDAP_NO_SUCH_OBJECT;
1433         }
1434
1435         if ( op->o_bd->be_fetch ) {
1436                 return op->o_bd->be_fetch( op, ndn, oc, at, rw, e );
1437         }
1438
1439         return LDAP_UNWILLING_TO_PERFORM;
1440 }
1441
1442 int 
1443 fe_acl_group(
1444         Operation *op,
1445         Entry   *target,
1446         struct berval *gr_ndn,
1447         struct berval *op_ndn,
1448         ObjectClass *group_oc,
1449         AttributeDescription *group_at )
1450 {
1451         Entry *e;
1452         void *o_priv = op->o_private, *e_priv = NULL;
1453         Attribute *a;
1454         int rc;
1455         GroupAssertion *g;
1456         Backend *be = op->o_bd;
1457         OpExtra         *oex;
1458
1459         LDAP_SLIST_FOREACH(oex, &op->o_extra, oe_next) {
1460                 if ( oex->oe_key == (void *)backend_group )
1461                         break;
1462         }
1463
1464         if ( oex && ((OpExtraDB *)oex)->oe_db )
1465                 op->o_bd = ((OpExtraDB *)oex)->oe_db;
1466
1467         if ( !op->o_bd || !SLAP_DBHIDDEN( op->o_bd ))
1468                 op->o_bd = select_backend( gr_ndn, 0 );
1469
1470         for ( g = op->o_groups; g; g = g->ga_next ) {
1471                 if ( g->ga_be != op->o_bd || g->ga_oc != group_oc ||
1472                         g->ga_at != group_at || g->ga_len != gr_ndn->bv_len )
1473                 {
1474                         continue;
1475                 }
1476                 if ( strcmp( g->ga_ndn, gr_ndn->bv_val ) == 0 ) {
1477                         break;
1478                 }
1479         }
1480
1481         if ( g ) {
1482                 rc = g->ga_res;
1483                 goto done;
1484         }
1485
1486         if ( target && dn_match( &target->e_nname, gr_ndn ) ) {
1487                 e = target;
1488                 rc = 0;
1489
1490         } else {
1491                 op->o_private = NULL;
1492                 rc = be_entry_get_rw( op, gr_ndn, group_oc, group_at, 0, &e );
1493                 e_priv = op->o_private;
1494                 op->o_private = o_priv;
1495         }
1496
1497         if ( e ) {
1498                 a = attr_find( e->e_attrs, group_at );
1499                 if ( a ) {
1500                         /* If the attribute is a subtype of labeledURI,
1501                          * treat this as a dynamic group ala groupOfURLs
1502                          */
1503                         if ( is_at_subtype( group_at->ad_type,
1504                                 slap_schema.si_ad_labeledURI->ad_type ) )
1505                         {
1506                                 int i;
1507                                 LDAPURLDesc *ludp;
1508                                 struct berval bv, nbase;
1509                                 Filter *filter;
1510                                 Entry *user = NULL;
1511                                 void *user_priv = NULL;
1512                                 Backend *b2 = op->o_bd;
1513
1514                                 if ( target && dn_match( &target->e_nname, op_ndn ) ) {
1515                                         user = target;
1516                                 }
1517                                 
1518                                 rc = LDAP_COMPARE_FALSE;
1519                                 for ( i = 0; !BER_BVISNULL( &a->a_vals[i] ); i++ ) {
1520                                         if ( ldap_url_parse( a->a_vals[i].bv_val, &ludp ) !=
1521                                                 LDAP_URL_SUCCESS )
1522                                         {
1523                                                 continue;
1524                                         }
1525
1526                                         BER_BVZERO( &nbase );
1527
1528                                         /* host, attrs and extensions parts must be empty */
1529                                         if ( ( ludp->lud_host && *ludp->lud_host )
1530                                                 || ludp->lud_attrs
1531                                                 || ludp->lud_exts )
1532                                         {
1533                                                 goto loopit;
1534                                         }
1535
1536                                         ber_str2bv( ludp->lud_dn, 0, 0, &bv );
1537                                         if ( dnNormalize( 0, NULL, NULL, &bv, &nbase,
1538                                                 op->o_tmpmemctx ) != LDAP_SUCCESS )
1539                                         {
1540                                                 goto loopit;
1541                                         }
1542
1543                                         switch ( ludp->lud_scope ) {
1544                                         case LDAP_SCOPE_BASE:
1545                                                 if ( !dn_match( &nbase, op_ndn ) ) {
1546                                                         goto loopit;
1547                                                 }
1548                                                 break;
1549                                         case LDAP_SCOPE_ONELEVEL:
1550                                                 dnParent( op_ndn, &bv );
1551                                                 if ( !dn_match( &nbase, &bv ) ) {
1552                                                         goto loopit;
1553                                                 }
1554                                                 break;
1555                                         case LDAP_SCOPE_SUBTREE:
1556                                                 if ( !dnIsSuffix( op_ndn, &nbase ) ) {
1557                                                         goto loopit;
1558                                                 }
1559                                                 break;
1560                                         case LDAP_SCOPE_SUBORDINATE:
1561                                                 if ( dn_match( &nbase, op_ndn ) ||
1562                                                         !dnIsSuffix( op_ndn, &nbase ) )
1563                                                 {
1564                                                         goto loopit;
1565                                                 }
1566                                         }
1567
1568                                         /* NOTE: this could be NULL
1569                                          * if no filter is provided,
1570                                          * or if filter parsing fails.
1571                                          * In the latter case,
1572                                          * we should give up. */
1573                                         if ( ludp->lud_filter != NULL && ludp->lud_filter != '\0') {
1574                                                 filter = str2filter_x( op, ludp->lud_filter );
1575                                                 if ( filter == NULL ) {
1576                                                         /* give up... */
1577                                                         rc = LDAP_OTHER;
1578                                                         goto loopit;
1579                                                 }
1580
1581                                                 /* only get user if required
1582                                                  * and not available yet */
1583                                                 if ( user == NULL ) {   
1584                                                         int rc2;
1585
1586                                                         op->o_bd = select_backend( op_ndn, 0 );
1587                                                         op->o_private = NULL;
1588                                                         rc2 = be_entry_get_rw( op, op_ndn, NULL, NULL, 0, &user );
1589                                                         user_priv = op->o_private;
1590                                                         op->o_private = o_priv;
1591                                                         if ( rc2 != 0 ) {
1592                                                                 /* give up... */
1593                                                                 rc = LDAP_OTHER;
1594                                                                 goto loopit;
1595                                                         }
1596                                                 }
1597
1598                                                 if ( test_filter( NULL, user, filter ) ==
1599                                                         LDAP_COMPARE_TRUE )
1600                                                 {
1601                                                         rc = 0;
1602                                                 }
1603                                                 filter_free_x( op, filter, 1 );
1604                                         }
1605 loopit:
1606                                         ldap_free_urldesc( ludp );
1607                                         if ( !BER_BVISNULL( &nbase ) ) {
1608                                                 op->o_tmpfree( nbase.bv_val, op->o_tmpmemctx );
1609                                         }
1610                                         if ( rc != LDAP_COMPARE_FALSE ) {
1611                                                 break;
1612                                         }
1613                                 }
1614
1615                                 if ( user != NULL && user != target ) {
1616                                         op->o_private = user_priv;
1617                                         be_entry_release_r( op, user );
1618                                         op->o_private = o_priv;
1619                                 }
1620                                 op->o_bd = b2;
1621
1622                         } else {
1623                                 rc = attr_valfind( a,
1624                                         SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
1625                                         SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
1626                                         op_ndn, NULL, op->o_tmpmemctx );
1627                                 if ( rc == LDAP_NO_SUCH_ATTRIBUTE ) {
1628                                         rc = LDAP_COMPARE_FALSE;
1629                                 }
1630                         }
1631
1632                 } else {
1633                         rc = LDAP_NO_SUCH_ATTRIBUTE;
1634                 }
1635
1636                 if ( e != target ) {
1637                         op->o_private = e_priv;
1638                         be_entry_release_r( op, e );
1639                         op->o_private = o_priv;
1640                 }
1641
1642         } else {
1643                 rc = LDAP_NO_SUCH_OBJECT;
1644         }
1645
1646         if ( op->o_tag != LDAP_REQ_BIND && !op->o_do_not_cache ) {
1647                 g = op->o_tmpalloc( sizeof( GroupAssertion ) + gr_ndn->bv_len,
1648                         op->o_tmpmemctx );
1649                 g->ga_be = op->o_bd;
1650                 g->ga_oc = group_oc;
1651                 g->ga_at = group_at;
1652                 g->ga_res = rc;
1653                 g->ga_len = gr_ndn->bv_len;
1654                 strcpy( g->ga_ndn, gr_ndn->bv_val );
1655                 g->ga_next = op->o_groups;
1656                 op->o_groups = g;
1657         }
1658
1659 done:
1660         op->o_bd = be;
1661         return rc;
1662 }
1663
1664 int 
1665 backend_group(
1666         Operation *op,
1667         Entry   *target,
1668         struct berval *gr_ndn,
1669         struct berval *op_ndn,
1670         ObjectClass *group_oc,
1671         AttributeDescription *group_at )
1672 {
1673         int                     rc;
1674         BackendDB *be_orig;
1675         OpExtraDB       oex;
1676
1677         if ( op->o_abandon ) {
1678                 return SLAPD_ABANDON;
1679         }
1680
1681         oex.oe_db = op->o_bd;
1682         oex.oe.oe_key = (void *)backend_group;
1683         LDAP_SLIST_INSERT_HEAD(&op->o_extra, &oex.oe, oe_next);
1684
1685         be_orig = op->o_bd;
1686         op->o_bd = frontendDB;
1687         rc = frontendDB->be_group( op, target, gr_ndn,
1688                 op_ndn, group_oc, group_at );
1689         op->o_bd = be_orig;
1690         LDAP_SLIST_REMOVE(&op->o_extra, &oex.oe, OpExtra, oe_next);
1691
1692         return rc;
1693 }
1694
1695 int 
1696 fe_acl_attribute(
1697         Operation *op,
1698         Entry   *target,
1699         struct berval   *edn,
1700         AttributeDescription *entry_at,
1701         BerVarray *vals,
1702         slap_access_t access )
1703 {
1704         Entry                   *e = NULL;
1705         void                    *o_priv = op->o_private, *e_priv = NULL;
1706         Attribute               *a = NULL;
1707         int                     freeattr = 0, i, j, rc = LDAP_SUCCESS;
1708         AccessControlState      acl_state = ACL_STATE_INIT;
1709         Backend                 *be = op->o_bd;
1710         OpExtra         *oex;
1711
1712         LDAP_SLIST_FOREACH(oex, &op->o_extra, oe_next) {
1713                 if ( oex->oe_key == (void *)backend_attribute )
1714                         break;
1715         }
1716
1717         if ( oex && ((OpExtraDB *)oex)->oe_db )
1718                 op->o_bd = ((OpExtraDB *)oex)->oe_db;
1719
1720         if ( !op->o_bd || !SLAP_DBHIDDEN( op->o_bd ))
1721                 op->o_bd = select_backend( edn, 0 );
1722
1723         if ( target && dn_match( &target->e_nname, edn ) ) {
1724                 e = target;
1725
1726         } else {
1727                 op->o_private = NULL;
1728                 rc = be_entry_get_rw( op, edn, NULL, entry_at, 0, &e );
1729                 e_priv = op->o_private;
1730                 op->o_private = o_priv;
1731         } 
1732
1733         if ( e ) {
1734                 if ( entry_at == slap_schema.si_ad_entry || entry_at == slap_schema.si_ad_children ) {
1735                         assert( vals == NULL );
1736
1737                         rc = LDAP_SUCCESS;
1738                         if ( op->o_conn && access > ACL_NONE &&
1739                                 access_allowed( op, e, entry_at, NULL,
1740                                                 access, &acl_state ) == 0 )
1741                         {
1742                                 rc = LDAP_INSUFFICIENT_ACCESS;
1743                         }
1744                         goto freeit;
1745                 }
1746
1747                 a = attr_find( e->e_attrs, entry_at );
1748                 if ( a == NULL ) {
1749                         SlapReply       rs = { REP_SEARCH };
1750                         AttributeName   anlist[ 2 ];
1751
1752                         anlist[ 0 ].an_name = entry_at->ad_cname;
1753                         anlist[ 0 ].an_desc = entry_at;
1754                         BER_BVZERO( &anlist[ 1 ].an_name );
1755                         rs.sr_attrs = anlist;
1756                         
1757                         /* NOTE: backend_operational() is also called
1758                          * when returning results, so it's supposed
1759                          * to do no harm to entries */
1760                         rs.sr_entry = e;
1761                         rc = backend_operational( op, &rs );
1762
1763                         if ( rc == LDAP_SUCCESS ) {
1764                                 if ( rs.sr_operational_attrs ) {
1765                                         freeattr = 1;
1766                                         a = rs.sr_operational_attrs;
1767
1768                                 } else {
1769                                         rc = LDAP_NO_SUCH_ATTRIBUTE;
1770                                 }
1771                         }
1772                 }
1773
1774                 if ( a ) {
1775                         BerVarray v;
1776
1777                         if ( op->o_conn && access > ACL_NONE &&
1778                                 access_allowed( op, e, entry_at, NULL,
1779                                                 access, &acl_state ) == 0 )
1780                         {
1781                                 rc = LDAP_INSUFFICIENT_ACCESS;
1782                                 goto freeit;
1783                         }
1784
1785                         i = a->a_numvals;
1786                         v = op->o_tmpalloc( sizeof(struct berval) * ( i + 1 ),
1787                                 op->o_tmpmemctx );
1788                         for ( i = 0, j = 0; !BER_BVISNULL( &a->a_vals[i] ); i++ )
1789                         {
1790                                 if ( op->o_conn && access > ACL_NONE && 
1791                                         access_allowed( op, e, entry_at,
1792                                                         &a->a_nvals[i],
1793                                                         access,
1794                                                         &acl_state ) == 0 )
1795                                 {
1796                                         continue;
1797                                 }
1798                                 ber_dupbv_x( &v[j], &a->a_nvals[i],
1799                                                 op->o_tmpmemctx );
1800                                 if ( !BER_BVISNULL( &v[j] ) ) {
1801                                         j++;
1802                                 }
1803                         }
1804                         if ( j == 0 ) {
1805                                 op->o_tmpfree( v, op->o_tmpmemctx );
1806                                 *vals = NULL;
1807                                 rc = LDAP_INSUFFICIENT_ACCESS;
1808
1809                         } else {
1810                                 BER_BVZERO( &v[j] );
1811                                 *vals = v;
1812                                 rc = LDAP_SUCCESS;
1813                         }
1814                 }
1815 freeit:         if ( e != target ) {
1816                         op->o_private = e_priv;
1817                         be_entry_release_r( op, e );
1818                         op->o_private = o_priv;
1819                 }
1820                 if ( freeattr ) {
1821                         attr_free( a );
1822                 }
1823         }
1824
1825         op->o_bd = be;
1826         return rc;
1827 }
1828
1829 int 
1830 backend_attribute(
1831         Operation *op,
1832         Entry   *target,
1833         struct berval   *edn,
1834         AttributeDescription *entry_at,
1835         BerVarray *vals,
1836         slap_access_t access )
1837 {
1838         int                     rc;
1839         BackendDB *be_orig;
1840         OpExtraDB       oex;
1841
1842         oex.oe_db = op->o_bd;
1843         oex.oe.oe_key = (void *)backend_attribute;
1844         LDAP_SLIST_INSERT_HEAD(&op->o_extra, &oex.oe, oe_next);
1845
1846         be_orig = op->o_bd;
1847         op->o_bd = frontendDB;
1848         rc = frontendDB->be_attribute( op, target, edn,
1849                 entry_at, vals, access );
1850         op->o_bd = be_orig;
1851         LDAP_SLIST_REMOVE(&op->o_extra, &oex.oe, OpExtra, oe_next);
1852
1853         return rc;
1854 }
1855
1856 int 
1857 backend_access(
1858         Operation               *op,
1859         Entry                   *target,
1860         struct berval           *edn,
1861         AttributeDescription    *entry_at,
1862         struct berval           *nval,
1863         slap_access_t           access,
1864         slap_mask_t             *mask )
1865 {
1866         Entry           *e = NULL;
1867         void            *o_priv, *e_priv = NULL;
1868         int             rc = LDAP_INSUFFICIENT_ACCESS;
1869         Backend         *be;
1870
1871         /* pedantic */
1872         assert( op != NULL );
1873         assert( op->o_conn != NULL );
1874         assert( edn != NULL );
1875         assert( access > ACL_NONE );
1876
1877         be = op->o_bd;
1878         o_priv = op->o_private;
1879
1880         if ( !op->o_bd ) {
1881                 op->o_bd = select_backend( edn, 0 );
1882         }
1883
1884         if ( target && dn_match( &target->e_nname, edn ) ) {
1885                 e = target;
1886
1887         } else {
1888                 op->o_private = NULL;
1889                 rc = be_entry_get_rw( op, edn, NULL, entry_at, 0, &e );
1890                 e_priv = op->o_private;
1891                 op->o_private = o_priv;
1892         } 
1893
1894         if ( e ) {
1895                 Attribute       *a = NULL;
1896                 int             freeattr = 0;
1897
1898                 if ( entry_at == NULL ) {
1899                         entry_at = slap_schema.si_ad_entry;
1900                 }
1901
1902                 if ( entry_at == slap_schema.si_ad_entry || entry_at == slap_schema.si_ad_children )
1903                 {
1904                         if ( access_allowed_mask( op, e, entry_at,
1905                                         NULL, access, NULL, mask ) == 0 )
1906                         {
1907                                 rc = LDAP_INSUFFICIENT_ACCESS;
1908
1909                         } else {
1910                                 rc = LDAP_SUCCESS;
1911                         }
1912
1913                 } else {
1914                         a = attr_find( e->e_attrs, entry_at );
1915                         if ( a == NULL ) {
1916                                 SlapReply       rs = { REP_SEARCH };
1917                                 AttributeName   anlist[ 2 ];
1918
1919                                 anlist[ 0 ].an_name = entry_at->ad_cname;
1920                                 anlist[ 0 ].an_desc = entry_at;
1921                                 BER_BVZERO( &anlist[ 1 ].an_name );
1922                                 rs.sr_attrs = anlist;
1923                         
1924                                 rs.sr_attr_flags = slap_attr_flags( rs.sr_attrs );
1925
1926                                 /* NOTE: backend_operational() is also called
1927                                  * when returning results, so it's supposed
1928                                  * to do no harm to entries */
1929                                 rs.sr_entry = e;
1930                                 rc = backend_operational( op, &rs );
1931
1932                                 if ( rc == LDAP_SUCCESS ) {
1933                                         if ( rs.sr_operational_attrs ) {
1934                                                 freeattr = 1;
1935                                                 a = rs.sr_operational_attrs;
1936
1937                                         } else {
1938                                                 rc = LDAP_NO_SUCH_OBJECT;
1939                                         }
1940                                 }
1941                         }
1942
1943                         if ( a ) {
1944                                 if ( access_allowed_mask( op, e, entry_at,
1945                                                 nval, access, NULL, mask ) == 0 )
1946                                 {
1947                                         rc = LDAP_INSUFFICIENT_ACCESS;
1948                                         goto freeit;
1949                                 }
1950                                 rc = LDAP_SUCCESS;
1951                         }
1952                 }
1953 freeit:         if ( e != target ) {
1954                         op->o_private = e_priv;
1955                         be_entry_release_r( op, e );
1956                         op->o_private = o_priv;
1957                 }
1958                 if ( freeattr ) {
1959                         attr_free( a );
1960                 }
1961         }
1962
1963         op->o_bd = be;
1964         return rc;
1965 }
1966
1967 int
1968 fe_aux_operational(
1969         Operation *op,
1970         SlapReply *rs )
1971 {
1972         Attribute               **ap;
1973         int                     rc = LDAP_SUCCESS;
1974         BackendDB               *be_orig = op->o_bd;
1975         OpExtra         *oex;
1976
1977         LDAP_SLIST_FOREACH(oex, &op->o_extra, oe_next) {
1978                 if ( oex->oe_key == (void *)backend_operational )
1979                         break;
1980         }
1981
1982         for ( ap = &rs->sr_operational_attrs; *ap; ap = &(*ap)->a_next )
1983                 /* just count them */ ;
1984
1985         /*
1986          * If operational attributes (allegedly) are required, 
1987          * and the backend supports specific operational attributes, 
1988          * add them to the attribute list
1989          */
1990         if ( !( rs->sr_flags & REP_NO_ENTRYDN )
1991                 && ( SLAP_OPATTRS( rs->sr_attr_flags ) || ( rs->sr_attrs &&
1992                 ad_inlist( slap_schema.si_ad_entryDN, rs->sr_attrs ) ) ) )
1993         {
1994                 *ap = slap_operational_entryDN( rs->sr_entry );
1995                 ap = &(*ap)->a_next;
1996         }
1997
1998         if ( !( rs->sr_flags & REP_NO_SUBSCHEMA)
1999                 && ( SLAP_OPATTRS( rs->sr_attr_flags ) || ( rs->sr_attrs &&
2000                 ad_inlist( slap_schema.si_ad_subschemaSubentry, rs->sr_attrs ) ) ) )
2001         {
2002                 *ap = slap_operational_subschemaSubentry( op->o_bd );
2003                 ap = &(*ap)->a_next;
2004         }
2005
2006         /* Let the overlays have a chance at this */
2007         if ( oex && ((OpExtraDB *)oex)->oe_db )
2008                 op->o_bd = ((OpExtraDB *)oex)->oe_db;
2009
2010         if ( !op->o_bd || !SLAP_DBHIDDEN( op->o_bd ))
2011                 op->o_bd = select_backend( &op->o_req_ndn, 0 );
2012
2013         if ( op->o_bd != NULL && !be_match( op->o_bd, frontendDB ) &&
2014                 ( SLAP_OPATTRS( rs->sr_attr_flags ) || rs->sr_attrs ) &&
2015                 op->o_bd->be_operational != NULL )
2016         {
2017                 rc = op->o_bd->be_operational( op, rs );
2018         }
2019         op->o_bd = be_orig;
2020
2021         return rc;
2022 }
2023
2024 int backend_operational( Operation *op, SlapReply *rs )
2025 {
2026         int rc;
2027         BackendDB *be_orig;
2028         OpExtraDB       oex;
2029
2030         oex.oe_db = op->o_bd;
2031         oex.oe.oe_key = (void *)backend_operational;
2032         LDAP_SLIST_INSERT_HEAD(&op->o_extra, &oex.oe, oe_next);
2033
2034         /* Moved this into the frontend so global overlays are called */
2035
2036         be_orig = op->o_bd;
2037         op->o_bd = frontendDB;
2038         rc = frontendDB->be_operational( op, rs );
2039         op->o_bd = be_orig;
2040         LDAP_SLIST_REMOVE(&op->o_extra, &oex.oe, OpExtra, oe_next);
2041
2042         return rc;
2043 }
2044
2045 /* helper that calls the bi_tool_entry_first_x() variant with default args;
2046  * use to initialize a backend's bi_tool_entry_first() when appropriate
2047  */
2048 ID
2049 backend_tool_entry_first( BackendDB *be )
2050 {
2051         return be->bd_info->bi_tool_entry_first_x( be,
2052                 NULL, LDAP_SCOPE_DEFAULT, NULL );
2053 }