]> git.sur5r.net Git - openldap/blob - servers/slapd/backend.c
now I remember why I introduced the 'has_ldapinfo_dn_ru' flag
[openldap] / servers / slapd / backend.c
1 /* backend.c - routines for dealing with back-end databases */
2 /* $OpenLDAP$ */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
4  *
5  * Copyright 1998-2004 The OpenLDAP Foundation.
6  * All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted only as authorized by the OpenLDAP
10  * Public License.
11  *
12  * A copy of this license is available in the file LICENSE in the
13  * top-level directory of the distribution or, alternatively, at
14  * <http://www.OpenLDAP.org/license.html>.
15  */
16 /* Portions Copyright (c) 1995 Regents of the University of Michigan.
17  * All rights reserved.
18  *
19  * Redistribution and use in source and binary forms are permitted
20  * provided that this notice is preserved and that due credit is given
21  * to the University of Michigan at Ann Arbor. The name of the University
22  * may not be used to endorse or promote products derived from this
23  * software without specific prior written permission. This software
24  * is provided ``as is'' without express or implied warranty.
25  */
26
27
28 #include "portable.h"
29
30 #include <stdio.h>
31
32 #include <ac/string.h>
33 #include <ac/socket.h>
34 #include <sys/stat.h>
35
36 #include "slap.h"
37 #include "lutil.h"
38 #include "lber_pvt.h"
39
40 #include "ldap_rq.h"
41
42 #ifdef LDAP_SLAPI
43 #include "slapi/slapi.h"
44 #endif
45
46 /*
47  * If a module is configured as dynamic, its header should not
48  * get included into slapd. While this is a general rule and does
49  * not have much of an effect in UNIX, this rule should be adhered
50  * to for Windows, where dynamic object code should not be implicitly
51  * imported into slapd without appropriate __declspec(dllimport) directives.
52  */
53
54 #if defined(SLAPD_BDB) && !defined(SLAPD_BDB_DYNAMIC)
55 #include "back-bdb/external.h"
56 #endif
57 #if defined(SLAPD_DNSSRV) && !defined(SLAPD_DNSSRV_DYNAMIC)
58 #include "back-dnssrv/external.h"
59 #endif
60 #if defined(SLAPD_HDB) && !defined(SLAPD_HDB_DYNAMIC)
61 #include "back-hdb/external.h"
62 #endif
63 #if defined(SLAPD_LDAP) && !defined(SLAPD_LDAP_DYNAMIC)
64 #include "back-ldap/external.h"
65 #endif
66 #if defined(SLAPD_LDBM) && !defined(SLAPD_LDBM_DYNAMIC)
67 #include "back-ldbm/external.h"
68 #endif
69 #if defined(SLAPD_META) && !defined(SLAPD_META_DYNAMIC)
70 #include "back-meta/external.h"
71 #endif
72 #if defined(SLAPD_MONITOR) && !defined(SLAPD_MONITOR_DYNAMIC)
73 #include "back-monitor/external.h"
74 #endif
75 #if defined(SLAPD_NULL) && !defined(SLAPD_NULL_DYNAMIC)
76 #include "back-null/external.h"
77 #endif
78 #if defined(SLAPD_PASSWD) && !defined(SLAPD_PASSWD_DYNAMIC)
79 #include "back-passwd/external.h"
80 #endif
81 #if defined(SLAPD_PERL) && !defined(SLAPD_PERL_DYNAMIC)
82 #include "back-perl/external.h"
83 #endif
84 #if defined(SLAPD_SHELL) && !defined(SLAPD_SHELL_DYNAMIC)
85 #include "back-shell/external.h"
86 #endif
87 #if defined(SLAPD_TCL) && !defined(SLAPD_TCL_DYNAMIC)
88 #include "back-tcl/external.h"
89 #endif
90 #if defined(SLAPD_SQL) && !defined(SLAPD_SQL_DYNAMIC)
91 #include "back-sql/external.h"
92 #endif
93 #if defined(SLAPD_PRIVATE) && !defined(SLAPD_PRIVATE_DYNAMIC)
94 #include "private/external.h"
95 #endif
96
97 static BackendInfo binfo[] = {
98 #if defined(SLAPD_BDB) && !defined(SLAPD_BDB_DYNAMIC)
99         {"bdb", bdb_initialize},
100 #endif
101 #if defined(SLAPD_DNSSRV) && !defined(SLAPD_DNSSRV_DYNAMIC)
102         {"dnssrv",      dnssrv_back_initialize},
103 #endif
104 #if defined(SLAPD_HDB) && !defined(SLAPD_HDB_DYNAMIC)
105         {"hdb", hdb_initialize},
106 #endif
107 #if defined(SLAPD_LDAP) && !defined(SLAPD_LDAP_DYNAMIC)
108         {"ldap",        ldap_back_initialize},
109 #endif
110 #if defined(SLAPD_LDBM) && !defined(SLAPD_LDBM_DYNAMIC)
111         {"ldbm",        ldbm_back_initialize},
112 #endif
113 #if defined(SLAPD_META) && !defined(SLAPD_META_DYNAMIC)
114         {"meta",        meta_back_initialize},
115 #endif
116 #if defined(SLAPD_MONITOR) && !defined(SLAPD_MONITOR_DYNAMIC)
117         {"monitor",     monitor_back_initialize},
118 #endif
119 #if defined(SLAPD_NULL) && !defined(SLAPD_NULL_DYNAMIC)
120         {"null",        null_back_initialize},
121 #endif
122 #if defined(SLAPD_PASSWD) && !defined(SLAPD_PASSWD_DYNAMIC)
123         {"passwd",      passwd_back_initialize},
124 #endif
125 #if defined(SLAPD_PERL) && !defined(SLAPD_PERL_DYNAMIC)
126         {"perl",        perl_back_initialize},
127 #endif
128 #if defined(SLAPD_SHELL) && !defined(SLAPD_SHELL_DYNAMIC)
129         {"shell",       shell_back_initialize},
130 #endif
131 #if defined(SLAPD_TCL) && !defined(SLAPD_TCL_DYNAMIC)
132         {"tcl",         tcl_back_initialize},
133 #endif
134 #if defined(SLAPD_SQL) && !defined(SLAPD_SQL_DYNAMIC)
135         {"sql",         sql_back_initialize},
136 #endif
137         /* for any private backend */
138 #if defined(SLAPD_PRIVATE) && !defined(SLAPD_PRIVATE_DYNAMIC)
139         {"private",     private_back_initialize},
140 #endif
141         {NULL}
142 };
143
144 int                     nBackendInfo = 0;
145 BackendInfo     *backendInfo = NULL;
146
147 int                     nBackendDB = 0; 
148 BackendDB       *backendDB = NULL;
149
150 ldap_pvt_thread_pool_t  syncrepl_pool;
151 int                     syncrepl_pool_max = SLAP_MAX_SYNCREPL_THREADS;
152
153 int backend_init(void)
154 {
155         int rc = -1;
156
157         ldap_pvt_thread_pool_init( &syncrepl_pool, syncrepl_pool_max, 0 );
158
159         if((nBackendInfo != 0) || (backendInfo != NULL)) {
160                 /* already initialized */
161 #ifdef NEW_LOGGING
162                 LDAP_LOG( BACKEND, ERR, 
163                         "backend_init:  backend already initialized\n", 0, 0, 0 );
164 #else
165                 Debug( LDAP_DEBUG_ANY,
166                         "backend_init: already initialized.\n", 0, 0, 0 );
167 #endif
168                 return -1;
169         }
170
171         for( ;
172                 binfo[nBackendInfo].bi_type != NULL;
173                 nBackendInfo++ )
174         {
175                 assert( binfo[nBackendInfo].bi_init );
176
177                 rc = binfo[nBackendInfo].bi_init( &binfo[nBackendInfo] );
178
179                 if(rc != 0) {
180 #ifdef NEW_LOGGING
181                         LDAP_LOG( BACKEND, INFO, 
182                                 "backend_init:  initialized for type \"%s\"\n",
183                                 binfo[nBackendInfo].bi_type, 0, 0 );
184 #else
185                         Debug( LDAP_DEBUG_ANY,
186                                 "backend_init: initialized for type \"%s\"\n",
187                                 binfo[nBackendInfo].bi_type, 0, 0 );
188 #endif
189                         /* destroy those we've already inited */
190                         for( nBackendInfo--;
191                                 nBackendInfo >= 0 ;
192                                 nBackendInfo-- )
193                         { 
194                                 if ( binfo[nBackendInfo].bi_destroy ) {
195                                         binfo[nBackendInfo].bi_destroy(
196                                                 &binfo[nBackendInfo] );
197                                 }
198                         }
199                         return rc;
200                 }
201         }
202
203         if ( nBackendInfo > 0) {
204                 backendInfo = binfo;
205                 return 0;
206         }
207
208 #ifdef SLAPD_MODULES    
209         return 0;
210 #else
211
212 #ifdef NEW_LOGGING
213         LDAP_LOG( BACKEND, ERR, "backend_init: failed\n", 0, 0, 0 );
214 #else
215         Debug( LDAP_DEBUG_ANY,
216                 "backend_init: failed\n",
217                 0, 0, 0 );
218 #endif
219
220         return rc;
221 #endif /* SLAPD_MODULES */
222 }
223
224 int backend_add(BackendInfo *aBackendInfo)
225 {
226    int rc = 0;
227
228    if ( aBackendInfo->bi_init == NULL ) {
229 #ifdef NEW_LOGGING
230         LDAP_LOG( BACKEND, ERR, 
231                   "backend_add:  backend type \"%s\" does not have the "
232                   "(mandatory)init function\n",
233                   aBackendInfo->bi_type, 0, 0 );
234 #else
235       Debug( LDAP_DEBUG_ANY,
236                   "backend_add:  backend type \"%s\" does not have the "
237                   "(mandatory)init function\n",
238                   aBackendInfo->bi_type, 0, 0 );
239 #endif
240       return -1;
241    }
242
243    if ((rc = aBackendInfo->bi_init(aBackendInfo)) != 0) {
244 #ifdef NEW_LOGGING
245         LDAP_LOG( BACKEND, ERR, 
246                   "backend_add:  initialization for type \"%s\" failed\n",
247                   aBackendInfo->bi_type, 0, 0 );
248 #else
249       Debug( LDAP_DEBUG_ANY,
250              "backend_add: initialization for type \"%s\" failed\n",
251              aBackendInfo->bi_type, 0, 0 );
252 #endif
253       return rc;
254    }
255
256    /* now add the backend type to the Backend Info List */
257    {
258       BackendInfo *newBackendInfo = 0;
259
260       /* if backendInfo == binfo no deallocation of old backendInfo */
261       if (backendInfo == binfo) {
262          newBackendInfo = ch_calloc(nBackendInfo + 1, sizeof(BackendInfo));
263          AC_MEMCPY(newBackendInfo, backendInfo, sizeof(BackendInfo) * 
264                 nBackendInfo);
265       } else {
266          newBackendInfo = ch_realloc(backendInfo, sizeof(BackendInfo) * 
267                                      (nBackendInfo + 1));
268       }
269       AC_MEMCPY(&newBackendInfo[nBackendInfo], aBackendInfo, 
270              sizeof(BackendInfo));
271       backendInfo = newBackendInfo;
272       nBackendInfo++;
273
274       return 0;
275    }        
276 }
277
278 int backend_startup(Backend *be)
279 {
280         int i;
281         int rc = 0;
282
283         if( ! ( nBackendDB > 0 ) ) {
284                 /* no databases */
285 #ifdef NEW_LOGGING
286                 LDAP_LOG( BACKEND, INFO, 
287                         "backend_startup: %d databases to startup. \n", nBackendDB, 0, 0 );
288 #else
289                 Debug( LDAP_DEBUG_ANY,
290                         "backend_startup: %d databases to startup.\n",
291                         nBackendDB, 0, 0 );
292 #endif
293                 return 1;
294         }
295
296         if(be != NULL) {
297                 /* startup a specific backend database */
298
299                 LDAP_TAILQ_INIT( &be->be_pending_csn_list );
300
301 #ifdef NEW_LOGGING
302                 LDAP_LOG( BACKEND, DETAIL1, "backend_startup:  starting \"%s\"\n",
303                         be->be_suffix ? be->be_suffix[0].bv_val : "(unknown)",
304                         0, 0 );
305 #else
306                 Debug( LDAP_DEBUG_TRACE,
307                         "backend_startup: starting \"%s\"\n",
308                         be->be_suffix ? be->be_suffix[0].bv_val : "(unknown)",
309                         0, 0 );
310 #endif
311
312                 if ( be->bd_info->bi_open ) {
313                         rc = be->bd_info->bi_open( be->bd_info );
314                         if ( rc != 0 ) {
315 #ifdef NEW_LOGGING
316                                 LDAP_LOG( BACKEND, CRIT, "backend_startup: bi_open failed!\n", 0, 0, 0 );
317 #else
318                                 Debug( LDAP_DEBUG_ANY,
319                                         "backend_startup: bi_open failed!\n",
320                                         0, 0, 0 );
321 #endif
322
323                                 return rc;
324                         }
325                 }
326
327                 if ( be->bd_info->bi_db_open ) {
328                         rc = be->bd_info->bi_db_open( be );
329                         if ( rc != 0 ) {
330 #ifdef NEW_LOGGING
331                                 LDAP_LOG( BACKEND, CRIT, 
332                                         "backend_startup: bi_db_open failed! (%d)\n", rc, 0, 0 );
333 #else
334                                 Debug( LDAP_DEBUG_ANY,
335                                         "backend_startup: bi_db_open failed! (%d)\n",
336                                         rc, 0, 0 );
337 #endif
338                                 return rc;
339                         }
340                 }
341
342                 return rc;
343         }
344
345         /* open each backend type */
346         for( i = 0; i < nBackendInfo; i++ ) {
347                 if( backendInfo[i].bi_nDB == 0) {
348                         /* no database of this type, don't open */
349                         continue;
350                 }
351
352                 if( backendInfo[i].bi_open ) {
353                         rc = backendInfo[i].bi_open(
354                                 &backendInfo[i] );
355                         if ( rc != 0 ) {
356 #ifdef NEW_LOGGING
357                                 LDAP_LOG( BACKEND, CRIT, 
358                                         "backend_startup: bi_open %d failed!\n", i, 0, 0 );
359 #else
360                                 Debug( LDAP_DEBUG_ANY,
361                                         "backend_startup: bi_open %d failed!\n",
362                                         i, 0, 0 );
363 #endif
364                                 return rc;
365                         }
366                 }
367         }
368
369         ldap_pvt_thread_mutex_init( &syncrepl_rq.rq_mutex );
370         LDAP_STAILQ_INIT( &syncrepl_rq.task_list );
371         LDAP_STAILQ_INIT( &syncrepl_rq.run_list );
372
373         /* open each backend database */
374         for( i = 0; i < nBackendDB; i++ ) {
375                 /* append global access controls */
376                 acl_append( &backendDB[i].be_acl, global_acl );
377
378                 LDAP_TAILQ_INIT( &backendDB[i].be_pending_csn_list );
379
380                 if ( backendDB[i].be_suffix == NULL ) {
381 #ifdef NEW_LOGGING
382                         LDAP_LOG( BACKEND, CRIT, 
383                                 "backend_startup: warning, database %d (%s) "
384                                 "has no suffix\n",
385                                 i, backendDB[i].bd_info->bi_type, 0 );
386 #else
387                         Debug( LDAP_DEBUG_ANY,
388                                 "backend_startup: warning, database %d (%s) "
389                                 "has no suffix\n",
390                                 i, backendDB[i].bd_info->bi_type, 0 );
391 #endif
392                 }
393
394                 if ( backendDB[i].bd_info->bi_db_open ) {
395                         rc = backendDB[i].bd_info->bi_db_open(
396                                 &backendDB[i] );
397                         if ( rc != 0 ) {
398 #ifdef NEW_LOGGING
399                                 LDAP_LOG( BACKEND, CRIT, 
400                                         "backend_startup: bi_db_open(%d) failed! (%d)\n", i, rc, 0 );
401 #else
402                                 Debug( LDAP_DEBUG_ANY,
403                                         "backend_startup: bi_db_open(%d) failed! (%d)\n",
404                                         i, rc, 0 );
405 #endif
406                                 return rc;
407                         }
408                 }
409
410                 if ( !LDAP_STAILQ_EMPTY( &backendDB[i].be_syncinfo )) {
411                         syncinfo_t *si;
412                         LDAP_STAILQ_FOREACH( si, &backendDB[i].be_syncinfo, si_next ) {
413                                 si->si_be = &backendDB[i];
414                                 init_syncrepl( si );
415                                 ldap_pvt_thread_mutex_lock( &syncrepl_rq.rq_mutex );
416                                 ldap_pvt_runqueue_insert( &syncrepl_rq,
417                                                 si->si_interval, do_syncrepl, (void *) si );
418                                 ldap_pvt_thread_mutex_unlock( &syncrepl_rq.rq_mutex );
419                         }
420                 }
421         }
422
423         return rc;
424 }
425
426 int backend_num( Backend *be )
427 {
428         int i;
429
430         if( be == NULL ) return -1;
431
432         for( i = 0; i < nBackendDB; i++ ) {
433                 if( be == &backendDB[i] ) return i;
434         }
435         return -1;
436 }
437
438 int backend_shutdown( Backend *be )
439 {
440         int i;
441         int rc = 0;
442
443         if( be != NULL ) {
444                 /* shutdown a specific backend database */
445
446                 if ( be->bd_info->bi_nDB == 0 ) {
447                         /* no database of this type, we never opened it */
448                         return 0;
449                 }
450
451                 if ( be->bd_info->bi_db_close ) {
452                         be->bd_info->bi_db_close( be );
453                 }
454
455                 if( be->bd_info->bi_close ) {
456                         be->bd_info->bi_close( be->bd_info );
457                 }
458
459                 return 0;
460         }
461
462         /* close each backend database */
463         for( i = 0; i < nBackendDB; i++ ) {
464                 if ( backendDB[i].bd_info->bi_db_close ) {
465                         backendDB[i].bd_info->bi_db_close(
466                                 &backendDB[i] );
467                 }
468
469                 if(rc != 0) {
470 #ifdef NEW_LOGGING
471                         LDAP_LOG( BACKEND, NOTICE, 
472                                 "backend_shutdown: bi_close %s failed!\n",
473                                 backendDB[i].be_type, 0, 0 );
474 #else
475                         Debug( LDAP_DEBUG_ANY,
476                                 "backend_close: bi_close %s failed!\n",
477                                 backendDB[i].be_type, 0, 0 );
478 #endif
479                 }
480         }
481
482         /* close each backend type */
483         for( i = 0; i < nBackendInfo; i++ ) {
484                 if( backendInfo[i].bi_nDB == 0 ) {
485                         /* no database of this type */
486                         continue;
487                 }
488
489                 if( backendInfo[i].bi_close ) {
490                         backendInfo[i].bi_close(
491                                 &backendInfo[i] );
492                 }
493         }
494
495         return 0;
496 }
497
498 int backend_destroy(void)
499 {
500         int i;
501         BackendDB *bd;
502
503         ldap_pvt_thread_pool_destroy( &syncrepl_pool, 1 );
504
505         /* destroy each backend database */
506         for( i = 0, bd = backendDB; i < nBackendDB; i++, bd++ ) {
507                 if ( bd->bd_info->bi_db_destroy ) {
508                         bd->bd_info->bi_db_destroy( bd );
509                 }
510                 ber_bvarray_free( bd->be_suffix );
511                 ber_bvarray_free( bd->be_nsuffix );
512                 if ( bd->be_rootdn.bv_val ) free( bd->be_rootdn.bv_val );
513                 if ( bd->be_rootndn.bv_val ) free( bd->be_rootndn.bv_val );
514                 if ( bd->be_rootpw.bv_val ) free( bd->be_rootpw.bv_val );
515                 acl_destroy( bd->be_acl, global_acl );
516         }
517         free( backendDB );
518
519         /* destroy each backend type */
520         for( i = 0; i < nBackendInfo; i++ ) {
521                 if( backendInfo[i].bi_destroy ) {
522                         backendInfo[i].bi_destroy(
523                                 &backendInfo[i] );
524                 }
525         }
526
527 #ifdef SLAPD_MODULES
528         if (backendInfo != binfo) {
529            free(backendInfo);
530         }
531 #endif /* SLAPD_MODULES */
532
533         nBackendInfo = 0;
534         backendInfo = NULL;
535
536         return 0;
537 }
538
539 BackendInfo* backend_info(const char *type)
540 {
541         int i;
542
543         /* search for the backend type */
544         for( i = 0; i < nBackendInfo; i++ ) {
545                 if( strcasecmp(backendInfo[i].bi_type, type) == 0 ) {
546                         return &backendInfo[i];
547                 }
548         }
549
550         return NULL;
551 }
552
553
554 BackendDB *
555 backend_db_init(
556     const char  *type
557 )
558 {
559         Backend *be;
560         BackendInfo *bi = backend_info(type);
561         int     rc = 0;
562
563         if( bi == NULL ) {
564                 fprintf( stderr, "Unrecognized database type (%s)\n", type );
565                 return NULL;
566         }
567
568         backendDB = (BackendDB *) ch_realloc(
569                         (char *) backendDB,
570                     (nBackendDB + 1) * sizeof(Backend) );
571
572         memset( &backendDB[nbackends], '\0', sizeof(Backend) );
573
574         be = &backends[nbackends++];
575
576         be->bd_info = bi;
577         be->be_def_limit = deflimit;
578         be->be_dfltaccess = global_default_access;
579
580         be->be_restrictops = global_restrictops;
581         be->be_requires = global_requires;
582         be->be_ssf_set = global_ssf_set;
583
584         be->be_context_csn.bv_len = 0;
585         be->be_context_csn.bv_val = NULL;
586         ldap_pvt_thread_mutex_init( &be->be_pcl_mutex );
587         ldap_pvt_thread_mutex_init( &be->be_context_csn_mutex );
588
589         LDAP_STAILQ_INIT( &be->be_syncinfo );
590
591         /* assign a default depth limit for alias deref */
592         be->be_max_deref_depth = SLAPD_DEFAULT_MAXDEREFDEPTH; 
593
594         if(bi->bi_db_init) {
595                 rc = bi->bi_db_init( be );
596         }
597
598         if(rc != 0) {
599                 fprintf( stderr, "database init failed (%s)\n", type );
600                 nbackends--;
601                 return NULL;
602         }
603
604         bi->bi_nDB++;
605         return( be );
606 }
607
608 void
609 be_db_close( void )
610 {
611         int     i;
612
613         for ( i = 0; i < nbackends; i++ ) {
614                 if ( backends[i].bd_info->bi_db_close ) {
615                         (*backends[i].bd_info->bi_db_close)( &backends[i] );
616                 }
617         }
618 }
619
620 Backend *
621 select_backend(
622         struct berval * dn,
623         int manageDSAit,
624         int noSubs )
625 {
626         int     i, j;
627         ber_len_t len, dnlen = dn->bv_len;
628         Backend *be = NULL;
629
630         for ( i = 0; i < nbackends; i++ ) {
631                 for ( j = 0; backends[i].be_nsuffix != NULL &&
632                     backends[i].be_nsuffix[j].bv_val != NULL; j++ )
633                 {
634                         if ( ( SLAP_GLUE_SUBORDINATE( &backends[i] ) )
635                                 && noSubs )
636                         {
637                                 continue;
638                         }
639
640                         len = backends[i].be_nsuffix[j].bv_len;
641
642                         if ( len > dnlen ) {
643                                 /* suffix is longer than DN */
644                                 continue;
645                         }
646                         
647                         /*
648                          * input DN is normalized, so the separator check
649                          * need not look at escaping
650                          */
651                         if ( len && len < dnlen &&
652                                 !DN_SEPARATOR( dn->bv_val[(dnlen-len)-1] ))
653                         {
654                                 continue;
655                         }
656
657                         if ( strcmp( backends[i].be_nsuffix[j].bv_val,
658                                 &dn->bv_val[dnlen-len] ) == 0 )
659                         {
660                                 if( be == NULL ) {
661                                         be = &backends[i];
662
663                                         if( manageDSAit && len == dnlen &&
664                                                 !SLAP_GLUE_SUBORDINATE( be ) ) {
665                                                 continue;
666                                         }
667                                 } else {
668                                         be = &backends[i];
669                                 }
670                                 return be;
671                         }
672                 }
673         }
674
675         return be;
676 }
677
678 int
679 be_issuffix(
680     Backend     *be,
681     struct berval       *bvsuffix
682 )
683 {
684         int     i;
685
686         for ( i = 0; be->be_nsuffix != NULL && be->be_nsuffix[i].bv_val != NULL; i++ ) {
687                 if ( bvmatch( &be->be_nsuffix[i], bvsuffix ) ) {
688                         return( 1 );
689                 }
690         }
691
692         return( 0 );
693 }
694
695 int
696 be_isroot( Backend *be, struct berval *ndn )
697 {
698         if ( !ndn->bv_len ) {
699                 return( 0 );
700         }
701
702         if ( !be->be_rootndn.bv_len ) {
703                 return( 0 );
704         }
705
706         return dn_match( &be->be_rootndn, ndn );
707 }
708
709 int
710 be_isupdate( Backend *be, struct berval *ndn )
711 {
712         if ( !ndn->bv_len ) {
713                 return( 0 );
714         }
715
716         if ( !be->be_update_ndn.bv_len ) {
717                 return( 0 );
718         }
719
720         return dn_match( &be->be_update_ndn, ndn );
721 }
722
723 struct berval *
724 be_root_dn( Backend *be )
725 {
726         return &be->be_rootdn;
727 }
728
729 int
730 be_isroot_pw( Operation *op )
731 {
732         int result;
733         char *errmsg;
734
735         if ( ! be_isroot( op->o_bd, &op->o_req_ndn ) ) {
736                 return 0;
737         }
738
739         if( op->o_bd->be_rootpw.bv_len == 0 ) {
740                 return 0;
741         }
742
743 #if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
744         ldap_pvt_thread_mutex_lock( &passwd_mutex );
745 #ifdef SLAPD_SPASSWD
746         lutil_passwd_sasl_conn = op->o_conn->c_sasl_authctx;
747 #endif
748 #endif
749
750         result = lutil_passwd( &op->o_bd->be_rootpw, &op->orb_cred, NULL, NULL );
751
752 #if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
753 #ifdef SLAPD_SPASSWD
754         lutil_passwd_sasl_conn = NULL;
755 #endif
756         ldap_pvt_thread_mutex_unlock( &passwd_mutex );
757 #endif
758
759         return result == 0;
760 }
761
762 int
763 be_entry_release_rw(
764         Operation *op,
765         Entry *e,
766         int rw )
767 {
768         if ( op->o_bd->be_release ) {
769                 /* free and release entry from backend */
770                 return op->o_bd->be_release( op, e, rw );
771         } else {
772                 /* free entry */
773                 entry_free( e );
774                 return 0;
775         }
776 }
777
778 int
779 backend_unbind( Operation *op, SlapReply *rs )
780 {
781         int             i;
782
783         for ( i = 0; i < nbackends; i++ ) {
784 #if defined( LDAP_SLAPI )
785                 if ( op->o_pb ) {
786                         int rc;
787                         if ( i == 0 ) slapi_int_pblock_set_operation( op->o_pb, op );
788                         slapi_pblock_set( op->o_pb, SLAPI_BACKEND, (void *)&backends[i] );
789                         rc = slapi_int_call_plugins( &backends[i], SLAPI_PLUGIN_PRE_UNBIND_FN,
790                                         (Slapi_PBlock *)op->o_pb );
791                         if ( rc < 0 ) {
792                                 /*
793                                  * A preoperation plugin failure will abort the
794                                  * entire operation.
795                                  */
796 #ifdef NEW_LOGGING
797                                 LDAP_LOG( OPERATION, INFO, "do_bind: Unbind preoperation plugin "
798                                                 "failed\n", 0, 0, 0);
799 #else
800                                 Debug(LDAP_DEBUG_TRACE, "do_bind: Unbind preoperation plugin "
801                                                 "failed.\n", 0, 0, 0);
802 #endif
803                                 return 0;
804                         }
805                 }
806 #endif /* defined( LDAP_SLAPI ) */
807
808                 if ( backends[i].be_unbind ) {
809                         op->o_bd = &backends[i];
810                         (*backends[i].be_unbind)( op, rs );
811                 }
812
813 #if defined( LDAP_SLAPI )
814                 if ( op->o_pb != NULL && slapi_int_call_plugins( &backends[i], SLAPI_PLUGIN_POST_UNBIND_FN,
815                                 (Slapi_PBlock *)op->o_pb ) < 0 ) {
816 #ifdef NEW_LOGGING
817                         LDAP_LOG( OPERATION, INFO, "do_unbind: Unbind postoperation plugins "
818                                         "failed\n", 0, 0, 0);
819 #else
820                         Debug(LDAP_DEBUG_TRACE, "do_unbind: Unbind postoperation plugins "
821                                         "failed.\n", 0, 0, 0);
822 #endif
823                 }
824 #endif /* defined( LDAP_SLAPI ) */
825         }
826
827         return 0;
828 }
829
830 int
831 backend_connection_init(
832         Connection   *conn
833 )
834 {
835         int     i;
836
837         for ( i = 0; i < nbackends; i++ ) {
838                 if ( backends[i].be_connection_init ) {
839                         (*backends[i].be_connection_init)( &backends[i], conn);
840                 }
841         }
842
843         return 0;
844 }
845
846 int
847 backend_connection_destroy(
848         Connection   *conn
849 )
850 {
851         int     i;
852
853         for ( i = 0; i < nbackends; i++ ) {
854                 if ( backends[i].be_connection_destroy ) {
855                         (*backends[i].be_connection_destroy)( &backends[i], conn);
856                 }
857         }
858
859         return 0;
860 }
861
862 static int
863 backend_check_controls(
864         Operation *op,
865         SlapReply *rs )
866 {
867         LDAPControl **ctrls = op->o_ctrls;
868         rs->sr_err = LDAP_SUCCESS;
869
870         if( ctrls ) {
871                 for( ; *ctrls != NULL ; ctrls++ ) {
872                         if( (*ctrls)->ldctl_iscritical && !ldap_charray_inlist(
873                                 op->o_bd->be_controls, (*ctrls)->ldctl_oid ) )
874                         {
875                                 rs->sr_text = "control unavailable in context";
876                                 rs->sr_err = LDAP_UNAVAILABLE_CRITICAL_EXTENSION;
877                                 break;
878                         }
879                 }
880         }
881
882         return rs->sr_err;
883 }
884
885 int
886 backend_check_restrictions(
887         Operation *op,
888         SlapReply *rs,
889         struct berval *opdata )
890 {
891         slap_mask_t restrictops;
892         slap_mask_t requires;
893         slap_mask_t opflag;
894         slap_ssf_set_t *ssf;
895         int updateop = 0;
896         int starttls = 0;
897         int session = 0;
898
899         if( op->o_bd ) {
900                 if ( backend_check_controls( op, rs ) != LDAP_SUCCESS ) {
901                         return rs->sr_err;
902                 }
903
904                 restrictops = op->o_bd->be_restrictops;
905                 requires = op->o_bd->be_requires;
906                 ssf = &op->o_bd->be_ssf_set;
907
908         } else {
909                 restrictops = global_restrictops;
910                 requires = global_requires;
911                 ssf = &global_ssf_set;
912         }
913
914         switch( op->o_tag ) {
915         case LDAP_REQ_ADD:
916                 opflag = SLAP_RESTRICT_OP_ADD;
917                 updateop++;
918                 break;
919         case LDAP_REQ_BIND:
920                 opflag = SLAP_RESTRICT_OP_BIND;
921                 session++;
922                 break;
923         case LDAP_REQ_COMPARE:
924                 opflag = SLAP_RESTRICT_OP_COMPARE;
925                 break;
926         case LDAP_REQ_DELETE:
927                 updateop++;
928                 opflag = SLAP_RESTRICT_OP_DELETE;
929                 break;
930         case LDAP_REQ_EXTENDED:
931                 opflag = SLAP_RESTRICT_OP_EXTENDED;
932
933                 if( !opdata ) {
934                         /* treat unspecified as a modify */
935                         opflag = SLAP_RESTRICT_OP_MODIFY;
936                         updateop++;
937                         break;
938                 }
939
940                 if( bvmatch( opdata, &slap_EXOP_START_TLS ) ) {
941                         session++;
942                         starttls++;
943                         break;
944                 }
945
946                 if( bvmatch( opdata, &slap_EXOP_WHOAMI ) ) {
947                         break;
948                 }
949
950                 if ( bvmatch( opdata, &slap_EXOP_CANCEL ) ) {
951                         break;
952                 }
953
954                 /* treat everything else as a modify */
955                 opflag = SLAP_RESTRICT_OP_MODIFY;
956                 updateop++;
957                 break;
958
959         case LDAP_REQ_MODIFY:
960                 updateop++;
961                 opflag = SLAP_RESTRICT_OP_MODIFY;
962                 break;
963         case LDAP_REQ_RENAME:
964                 updateop++;
965                 opflag = SLAP_RESTRICT_OP_RENAME;
966                 break;
967         case LDAP_REQ_SEARCH:
968                 opflag = SLAP_RESTRICT_OP_SEARCH;
969                 break;
970         case LDAP_REQ_UNBIND:
971                 session++;
972                 opflag = 0;
973                 break;
974         default:
975                 rs->sr_text = "restrict operations internal error";
976                 rs->sr_err = LDAP_OTHER;
977                 return rs->sr_err;
978         }
979
980         if ( !starttls ) {
981                 /* these checks don't apply to StartTLS */
982
983                 rs->sr_err = LDAP_CONFIDENTIALITY_REQUIRED;
984                 if( op->o_transport_ssf < ssf->sss_transport ) {
985                         rs->sr_text = "transport confidentiality required";
986                         return rs->sr_err;
987                 }
988
989                 if( op->o_tls_ssf < ssf->sss_tls ) {
990                         rs->sr_text = "TLS confidentiality required";
991                         return rs->sr_err;
992                 }
993
994
995                 if( op->o_tag == LDAP_REQ_BIND && opdata == NULL ) {
996                         /* simple bind specific check */
997                         if( op->o_ssf < ssf->sss_simple_bind ) {
998                                 rs->sr_text = "confidentiality required";
999                                 return rs->sr_err;
1000                         }
1001                 }
1002
1003                 if( op->o_tag != LDAP_REQ_BIND || opdata == NULL ) {
1004                         /* these checks don't apply to SASL bind */
1005
1006                         if( op->o_sasl_ssf < ssf->sss_sasl ) {
1007                                 rs->sr_text = "SASL confidentiality required";
1008                                 return rs->sr_err;
1009                         }
1010
1011                         if( op->o_ssf < ssf->sss_ssf ) {
1012                                 rs->sr_text = "confidentiality required";
1013                                 return rs->sr_err;
1014                         }
1015                 }
1016
1017                 if( updateop ) {
1018                         if( op->o_transport_ssf < ssf->sss_update_transport ) {
1019                                 rs->sr_text = "transport update confidentiality required";
1020                                 return rs->sr_err;
1021                         }
1022
1023                         if( op->o_tls_ssf < ssf->sss_update_tls ) {
1024                                 rs->sr_text = "TLS update confidentiality required";
1025                                 return rs->sr_err;
1026                         }
1027
1028                         if( op->o_sasl_ssf < ssf->sss_update_sasl ) {
1029                                 rs->sr_text = "SASL update confidentiality required";
1030                                 return rs->sr_err;
1031                         }
1032
1033                         if( op->o_ssf < ssf->sss_update_ssf ) {
1034                                 rs->sr_text = "update confidentiality required";
1035                                 return rs->sr_err;
1036                         }
1037
1038                         if( !( global_allows & SLAP_ALLOW_UPDATE_ANON ) &&
1039                                 op->o_ndn.bv_len == 0 )
1040                         {
1041                                 rs->sr_text = "modifications require authentication";
1042                                 rs->sr_err = LDAP_STRONG_AUTH_REQUIRED;
1043                                 return rs->sr_err;
1044                         }
1045
1046 #ifdef SLAP_X_LISTENER_MOD
1047                         if ( op->o_conn->c_listener && ! ( op->o_conn->c_listener->sl_perms & ( op->o_ndn.bv_len > 0 ? S_IWUSR : S_IWOTH ) ) ) {
1048                                 /* no "w" mode means readonly */
1049                                 rs->sr_text = "modifications not allowed on this listener";
1050                                 rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
1051                                 return rs->sr_err;
1052                         }
1053 #endif /* SLAP_X_LISTENER_MOD */
1054                 }
1055         }
1056
1057         if ( !session ) {
1058                 /* these checks don't apply to Bind, StartTLS, or Unbind */
1059
1060                 if( requires & SLAP_REQUIRE_STRONG ) {
1061                         /* should check mechanism */
1062                         if( ( op->o_transport_ssf < ssf->sss_transport
1063                                 && op->o_authtype == LDAP_AUTH_SIMPLE )
1064                                 || op->o_dn.bv_len == 0 )
1065                         {
1066                                 rs->sr_text = "strong(er) authentication required";
1067                                 rs->sr_err = LDAP_STRONG_AUTH_REQUIRED;
1068                                 return rs->sr_err;
1069                         }
1070                 }
1071
1072                 if( requires & SLAP_REQUIRE_SASL ) {
1073                         if( op->o_authtype != LDAP_AUTH_SASL || op->o_dn.bv_len == 0 ) {
1074                                 rs->sr_text = "SASL authentication required";
1075                                 rs->sr_err = LDAP_STRONG_AUTH_REQUIRED;
1076                                 return rs->sr_err;
1077                         }
1078                 }
1079                         
1080                 if( requires & SLAP_REQUIRE_AUTHC ) {
1081                         if( op->o_dn.bv_len == 0 ) {
1082                                 rs->sr_text = "authentication required";
1083                                 rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
1084                                 return rs->sr_err;
1085                         }
1086                 }
1087
1088                 if( requires & SLAP_REQUIRE_BIND ) {
1089                         int version;
1090                         ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex );
1091                         version = op->o_conn->c_protocol;
1092                         ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex );
1093
1094                         if( !version ) {
1095                                 /* no bind has occurred */
1096                                 rs->sr_text = "BIND required";
1097                                 rs->sr_err = LDAP_OPERATIONS_ERROR;
1098                                 return rs->sr_err;
1099                         }
1100                 }
1101
1102                 if( requires & SLAP_REQUIRE_LDAP_V3 ) {
1103                         if( op->o_protocol < LDAP_VERSION3 ) {
1104                                 /* no bind has occurred */
1105                                 rs->sr_text = "operation restricted to LDAPv3 clients";
1106                                 rs->sr_err = LDAP_OPERATIONS_ERROR;
1107                                 return rs->sr_err;
1108                         }
1109                 }
1110
1111 #ifdef SLAP_X_LISTENER_MOD
1112                 if ( !starttls && op->o_dn.bv_len == 0 ) {
1113                         if ( op->o_conn->c_listener && ! ( op->o_conn->c_listener->sl_perms & S_IXOTH ) ) {
1114                                 /* no "x" mode means bind required */
1115                                 rs->sr_text = "bind required on this listener";
1116                                 rs->sr_err = LDAP_STRONG_AUTH_REQUIRED;
1117                                 return rs->sr_err;
1118                         }
1119                 }
1120
1121                 if ( !starttls && !updateop ) {
1122                         if ( op->o_conn->c_listener && ! ( op->o_conn->c_listener->sl_perms & ( op->o_dn.bv_len > 0 ? S_IRUSR : S_IROTH ) ) ) {
1123                                 /* no "r" mode means no read */
1124                                 rs->sr_text = "read not allowed on this listener";
1125                                 rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
1126                                 return rs->sr_err;
1127                         }
1128                 }
1129 #endif /* SLAP_X_LISTENER_MOD */
1130
1131         }
1132
1133         if( restrictops & opflag ) {
1134                 if( restrictops == SLAP_RESTRICT_OP_READS ) {
1135                         rs->sr_text = "read operations restricted";
1136                 } else {
1137                         rs->sr_text = "operation restricted";
1138                 }
1139                 rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
1140                 return rs->sr_err;
1141         }
1142
1143         rs->sr_err = LDAP_SUCCESS;
1144         return rs->sr_err;
1145 }
1146
1147 int backend_check_referrals( Operation *op, SlapReply *rs )
1148 {
1149         rs->sr_err = LDAP_SUCCESS;
1150
1151         if( op->o_bd->be_chk_referrals ) {
1152                 rs->sr_err = op->o_bd->be_chk_referrals( op, rs );
1153
1154                 if( rs->sr_err != LDAP_SUCCESS && rs->sr_err != LDAP_REFERRAL ) {
1155                         send_ldap_result( op, rs );
1156                 }
1157         }
1158
1159         return rs->sr_err;
1160 }
1161
1162 int
1163 be_entry_get_rw(
1164         Operation *op,
1165         struct berval *ndn,
1166         ObjectClass *oc,
1167         AttributeDescription *at,
1168         int rw,
1169         Entry **e )
1170 {
1171         int rc;
1172
1173         *e = NULL;
1174
1175         if (op->o_bd == NULL) {
1176                 rc = LDAP_NO_SUCH_OBJECT;
1177         } else if ( op->o_bd->be_fetch ) {
1178                 rc = ( op->o_bd->be_fetch )( op, ndn,
1179                         oc, at, rw, e );
1180         } else {
1181                 rc = LDAP_UNWILLING_TO_PERFORM;
1182         }
1183         return rc;
1184 }
1185
1186 int 
1187 backend_group(
1188         Operation *op,
1189         Entry   *target,
1190         struct berval *gr_ndn,
1191         struct berval *op_ndn,
1192         ObjectClass *group_oc,
1193         AttributeDescription *group_at
1194 )
1195 {
1196         Entry *e;
1197         Attribute *a;
1198         int rc;
1199         GroupAssertion *g;
1200         Backend *be = op->o_bd;
1201
1202         if ( op->o_abandon ) return SLAPD_ABANDON;
1203
1204         op->o_bd = select_backend( gr_ndn, 0, 0 );
1205
1206         for (g = op->o_groups; g; g=g->ga_next) {
1207                 if (g->ga_be != op->o_bd || g->ga_oc != group_oc ||
1208                         g->ga_at != group_at || g->ga_len != gr_ndn->bv_len)
1209                         continue;
1210                 if (strcmp( g->ga_ndn, gr_ndn->bv_val ) == 0)
1211                         break;
1212         }
1213
1214         if (g) {
1215                 rc = g->ga_res;
1216                 goto done;
1217         }
1218
1219         if ( target && dn_match( &target->e_nname, gr_ndn ) ) {
1220                 e = target;
1221                 rc = 0;
1222         } else {
1223                 rc = be_entry_get_rw(op, gr_ndn, group_oc, group_at, 0, &e );
1224         }
1225         if ( e ) {
1226                 a = attr_find( e->e_attrs, group_at );
1227                 if ( a ) {
1228                         /* If the attribute is a subtype of labeledURI, treat this as
1229                          * a dynamic group ala groupOfURLs
1230                          */
1231                         if (is_at_subtype( group_at->ad_type, slap_schema.si_ad_labeledURI->ad_type ) ) {
1232                                 int i;
1233                                 LDAPURLDesc *ludp;
1234                                 struct berval bv, nbase;
1235                                 Filter *filter;
1236                                 Entry *user;
1237                                 Backend *b2 = op->o_bd;
1238
1239                                 if ( target && dn_match( &target->e_nname, op_ndn ) ) {
1240                                         user = target;
1241                                 } else {
1242                                         op->o_bd = select_backend( op_ndn, 0, 0 );
1243                                         rc = be_entry_get_rw(op, op_ndn, NULL, NULL, 0, &user );
1244                                 }
1245                                 
1246                                 if ( rc == 0 ) {
1247                                         rc = 1;
1248                                         for (i=0; a->a_vals[i].bv_val; i++) {
1249                                                 if ( ldap_url_parse( a->a_vals[i].bv_val, &ludp ) != LDAP_SUCCESS )
1250                                                         continue;
1251                                                 nbase.bv_val = NULL;
1252                                                 /* host part must be empty */
1253                                                 /* attrs and extensions parts must be empty */
1254                                                 if (( ludp->lud_host && *ludp->lud_host )
1255                                                         || ludp->lud_attrs || ludp->lud_exts )
1256                                                         goto loopit;
1257                                                 ber_str2bv( ludp->lud_dn, 0, 0, &bv );
1258                                                 if ( dnNormalize( 0, NULL, NULL, &bv, &nbase, op->o_tmpmemctx ) != LDAP_SUCCESS )
1259                                                         goto loopit;
1260                                                 switch(ludp->lud_scope) {
1261                                                 case LDAP_SCOPE_BASE:
1262                                                         if ( !dn_match( &nbase, op_ndn )) goto loopit;
1263                                                         break;
1264                                                 case LDAP_SCOPE_ONELEVEL:
1265                                                         dnParent(op_ndn, &bv );
1266                                                         if ( !dn_match( &nbase, &bv )) goto loopit;
1267                                                         break;
1268                                                 case LDAP_SCOPE_SUBTREE:
1269                                                         if ( !dnIsSuffix( op_ndn, &nbase )) goto loopit;
1270                                                         break;
1271                                                 case LDAP_SCOPE_SUBORDINATE:
1272                                                         if ( dn_match( &nbase, op_ndn ) &&
1273                                                                 !dnIsSuffix(op_ndn, &nbase ))
1274                                                         {
1275                                                                 goto loopit;
1276                                                         }
1277                                                 }
1278                                                 filter = str2filter_x( op, ludp->lud_filter );
1279                                                 if ( filter ) {
1280                                                         if ( test_filter( NULL, user, filter ) == LDAP_COMPARE_TRUE )
1281                                                         {
1282                                                                 rc = 0;
1283                                                         }
1284                                                         filter_free_x( op, filter );
1285                                                 }
1286         loopit:
1287                                                 ldap_free_urldesc( ludp );
1288                                                 if ( nbase.bv_val ) {
1289                                                         op->o_tmpfree( nbase.bv_val, op->o_tmpmemctx );
1290                                                 }
1291                                                 if ( rc == 0 ) break;
1292                                         }
1293                                         if ( user != target ) {
1294                                                 be_entry_release_r( op, user );
1295                                         }
1296                                 }
1297                                 op->o_bd = b2;
1298                         } else {
1299                                 rc = value_find_ex( group_at,
1300                                 SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
1301                                 SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
1302                                 a->a_nvals, op_ndn, op->o_tmpmemctx );
1303                         }
1304                 } else {
1305                         rc = LDAP_NO_SUCH_ATTRIBUTE;
1306                 }
1307                 if (e != target ) {
1308                         be_entry_release_r( op, e );
1309                 }
1310         } else {
1311                 rc = LDAP_NO_SUCH_OBJECT;
1312         }
1313
1314         if ( op->o_tag != LDAP_REQ_BIND && !op->o_do_not_cache ) {
1315                 g = op->o_tmpalloc(sizeof(GroupAssertion) + gr_ndn->bv_len, op->o_tmpmemctx);
1316                 g->ga_be = op->o_bd;
1317                 g->ga_oc = group_oc;
1318                 g->ga_at = group_at;
1319                 g->ga_res = rc;
1320                 g->ga_len = gr_ndn->bv_len;
1321                 strcpy(g->ga_ndn, gr_ndn->bv_val);
1322                 g->ga_next = op->o_groups;
1323                 op->o_groups = g;
1324         }
1325 done:
1326         op->o_bd = be;
1327         return rc;
1328 }
1329
1330 int 
1331 backend_attribute(
1332         Operation *op,
1333         Entry   *target,
1334         struct berval   *edn,
1335         AttributeDescription *entry_at,
1336         BerVarray *vals
1337 )
1338 {
1339         Entry *e;
1340         Attribute *a;
1341         int i, j, rc = LDAP_SUCCESS;
1342         AccessControlState acl_state = ACL_STATE_INIT;
1343         Backend *be = op->o_bd;
1344
1345         op->o_bd = select_backend( edn, 0, 0 );
1346
1347         if ( target && dn_match( &target->e_nname, edn ) ) {
1348                 e = target;
1349         } else {
1350                 rc = be_entry_get_rw(op, edn, NULL, entry_at, 0, &e );
1351         } 
1352
1353         if ( e ) {
1354                 a = attr_find( e->e_attrs, entry_at );
1355                 if ( a ) {
1356                         BerVarray v;
1357
1358                         if ( op->o_conn && access_allowed( op,
1359                                 e, entry_at, NULL, ACL_AUTH,
1360                                 &acl_state ) == 0 ) {
1361                                 rc = LDAP_INSUFFICIENT_ACCESS;
1362                                 goto freeit;
1363                         }
1364
1365                         for ( i=0; a->a_vals[i].bv_val; i++ ) ;
1366                         
1367                         v = op->o_tmpalloc( sizeof(struct berval) * (i+1), op->o_tmpmemctx );
1368                         for ( i=0,j=0; a->a_vals[i].bv_val; i++ ) {
1369                                 if ( op->o_conn && access_allowed( op,
1370                                         e, entry_at,
1371                                         &a->a_nvals[i],
1372                                         ACL_AUTH, &acl_state ) == 0 ) {
1373                                         continue;
1374                                 }
1375                                 ber_dupbv_x( &v[j],
1376                                         &a->a_nvals[i], op->o_tmpmemctx );
1377                                 if (v[j].bv_val ) j++;
1378                         }
1379                         if (j == 0) {
1380                                 op->o_tmpfree( v, op->o_tmpmemctx );
1381                                 *vals = NULL;
1382                                 rc = LDAP_INSUFFICIENT_ACCESS;
1383                         } else {
1384                                 v[j].bv_val = NULL;
1385                                 v[j].bv_len = 0;
1386                                 *vals = v;
1387                                 rc = LDAP_SUCCESS;
1388                         }
1389                 }
1390 freeit:         if (e != target ) {
1391                         be_entry_release_r( op, e );
1392                 }
1393         }
1394
1395         op->o_bd = be;
1396         return rc;
1397 }
1398
1399 Attribute *backend_operational(
1400         Operation *op,
1401         SlapReply *rs,
1402         int opattrs     )
1403 {
1404         Attribute *a = NULL, **ap = &a;
1405
1406         /*
1407          * If operational attributes (allegedly) are required, 
1408          * and the backend supports specific operational attributes, 
1409          * add them to the attribute list
1410          */
1411         if ( opattrs || ( op->ors_attrs &&
1412                 ad_inlist( slap_schema.si_ad_subschemaSubentry, op->ors_attrs )) ) {
1413                 *ap = slap_operational_subschemaSubentry( op->o_bd );
1414                 ap = &(*ap)->a_next;
1415         }
1416
1417         if ( ( opattrs || op->ors_attrs ) && op->o_bd && op->o_bd->be_operational != NULL ) {
1418                 ( void )op->o_bd->be_operational( op, rs, opattrs, ap );
1419         }
1420
1421         return a;
1422 }
1423