2 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
4 * Copyright 1998-2006 The OpenLDAP Foundation.
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted only as authorized by the OpenLDAP
11 * A copy of this license is available in the file LICENSE in the
12 * top-level directory of the distribution or, alternatively, at
13 * <http://www.OpenLDAP.org/license.html>.
15 /* Portions Copyright (c) 1995 Regents of the University of Michigan.
16 * All rights reserved.
18 * Redistribution and use in source and binary forms are permitted
19 * provided that this notice is preserved and that due credit is given
20 * to the University of Michigan at Ann Arbor. The name of the University
21 * may not be used to endorse or promote products derived from this
22 * software without specific prior written permission. This software
23 * is provided ``as is'' without express or implied warranty.
29 #include <ac/socket.h>
30 #include <ac/string.h>
34 static int compare_entry(
37 AttributeAssertion *ava );
44 struct berval dn = BER_BVNULL;
45 struct berval desc = BER_BVNULL;
46 struct berval value = BER_BVNULL;
47 #ifdef LDAP_COMP_MATCH
48 AttributeAssertion ava = { NULL, BER_BVNULL, NULL };
50 AttributeAssertion ava = { NULL, BER_BVNULL };
55 Debug( LDAP_DEBUG_TRACE, "do_compare\n", 0, 0, 0 );
57 * Parse the compare request. It looks like this:
59 * CompareRequest := [APPLICATION 14] SEQUENCE {
60 * entry DistinguishedName,
63 * value AttributeValue
68 if ( ber_scanf( op->o_ber, "{m" /*}*/, &dn ) == LBER_ERROR ) {
69 Debug( LDAP_DEBUG_ANY, "ber_scanf failed\n", 0, 0, 0 );
70 send_ldap_discon( op, rs, LDAP_PROTOCOL_ERROR, "decoding error" );
71 return SLAPD_DISCONNECT;
74 if ( ber_scanf( op->o_ber, "{mm}", &desc, &value ) == LBER_ERROR ) {
75 Debug( LDAP_DEBUG_ANY, "do_compare: get ava failed\n", 0, 0, 0 );
76 send_ldap_discon( op, rs, LDAP_PROTOCOL_ERROR, "decoding error" );
77 return SLAPD_DISCONNECT;
80 if ( ber_scanf( op->o_ber, /*{*/ "}" ) == LBER_ERROR ) {
81 Debug( LDAP_DEBUG_ANY, "ber_scanf failed\n", 0, 0, 0 );
82 send_ldap_discon( op, rs, LDAP_PROTOCOL_ERROR, "decoding error" );
83 return SLAPD_DISCONNECT;
86 if( get_ctrls( op, rs, 1 ) != LDAP_SUCCESS ) {
87 Debug( LDAP_DEBUG_ANY, "do_compare: get_ctrls failed\n", 0, 0, 0 );
91 rs->sr_err = dnPrettyNormal( NULL, &dn, &op->o_req_dn, &op->o_req_ndn,
93 if( rs->sr_err != LDAP_SUCCESS ) {
94 Debug( LDAP_DEBUG_ANY,
95 "do_compare: invalid dn (%s)\n", dn.bv_val, 0, 0 );
96 send_ldap_error( op, rs, LDAP_INVALID_DN_SYNTAX, "invalid DN" );
100 rs->sr_err = slap_bv2ad( &desc, &ava.aa_desc, &rs->sr_text );
101 if( rs->sr_err != LDAP_SUCCESS ) {
102 rs->sr_err = slap_bv2undef_ad( &desc, &ava.aa_desc,
104 SLAP_AD_PROXIED|SLAP_AD_NOINSERT );
105 if( rs->sr_err != LDAP_SUCCESS ) {
106 send_ldap_result( op, rs );
111 rs->sr_err = asserted_value_validate_normalize( ava.aa_desc,
112 ava.aa_desc->ad_type->sat_equality,
113 SLAP_MR_EQUALITY|SLAP_MR_VALUE_OF_ASSERTION_SYNTAX,
114 &value, &ava.aa_value, &rs->sr_text, op->o_tmpmemctx );
115 if( rs->sr_err != LDAP_SUCCESS ) {
116 send_ldap_result( op, rs );
122 op->o_bd = frontendDB;
123 rs->sr_err = frontendDB->be_compare( op, rs );
126 op->o_tmpfree( op->o_req_dn.bv_val, op->o_tmpmemctx );
127 op->o_tmpfree( op->o_req_ndn.bv_val, op->o_tmpmemctx );
128 if ( !BER_BVISNULL( &ava.aa_value ) ) {
129 op->o_tmpfree( ava.aa_value.bv_val, op->o_tmpmemctx );
136 fe_op_compare( Operation *op, SlapReply *rs )
140 AttributeAssertion ava = *op->orc_ava;
142 if( strcasecmp( op->o_req_ndn.bv_val, LDAP_ROOT_DSE ) == 0 ) {
143 Debug( LDAP_DEBUG_ARGS,
144 "do_compare: dn (%s) attr (%s) value (%s)\n",
146 ava.aa_desc->ad_cname.bv_val, ava.aa_value.bv_val );
148 Statslog( LDAP_DEBUG_STATS,
149 "%s CMP dn=\"%s\" attr=\"%s\"\n",
150 op->o_log_prefix, op->o_req_dn.bv_val,
151 ava.aa_desc->ad_cname.bv_val, 0, 0 );
153 if( backend_check_restrictions( op, rs, NULL ) != LDAP_SUCCESS ) {
154 send_ldap_result( op, rs );
158 rs->sr_err = root_dse_info( op->o_conn, &entry, &rs->sr_text );
159 if( rs->sr_err != LDAP_SUCCESS ) {
160 send_ldap_result( op, rs );
164 } else if ( bvmatch( &op->o_req_ndn, &frontendDB->be_schemandn ) ) {
165 Debug( LDAP_DEBUG_ARGS, "do_compare: dn (%s) attr (%s) value (%s)\n",
167 ava.aa_desc->ad_cname.bv_val, ava.aa_value.bv_val );
169 Statslog( LDAP_DEBUG_STATS,
170 "%s CMP dn=\"%s\" attr=\"%s\"\n",
171 op->o_log_prefix, op->o_req_dn.bv_val,
172 ava.aa_desc->ad_cname.bv_val, 0, 0 );
174 if( backend_check_restrictions( op, rs, NULL ) != LDAP_SUCCESS ) {
175 send_ldap_result( op, rs );
180 rs->sr_err = schema_info( &entry, &rs->sr_text );
181 if( rs->sr_err != LDAP_SUCCESS ) {
182 send_ldap_result( op, rs );
189 rs->sr_err = compare_entry( op, entry, &ava );
192 send_ldap_result( op, rs );
194 if( rs->sr_err == LDAP_COMPARE_TRUE ||
195 rs->sr_err == LDAP_COMPARE_FALSE )
197 rs->sr_err = LDAP_SUCCESS;
203 manageDSAit = get_manageDSAit( op );
206 * We could be serving multiple database backends. Select the
207 * appropriate one, or send a referral to our "referral server"
208 * if we don't hold it.
210 op->o_bd = select_backend( &op->o_req_ndn, manageDSAit, 0 );
211 if ( op->o_bd == NULL ) {
212 rs->sr_ref = referral_rewrite( default_referral,
213 NULL, &op->o_req_dn, LDAP_SCOPE_DEFAULT );
215 rs->sr_err = LDAP_REFERRAL;
216 if (!rs->sr_ref) rs->sr_ref = default_referral;
217 op->o_bd = frontendDB;
218 send_ldap_result( op, rs );
221 if (rs->sr_ref != default_referral) ber_bvarray_free( rs->sr_ref );
226 /* check restrictions */
227 if( backend_check_restrictions( op, rs, NULL ) != LDAP_SUCCESS ) {
228 send_ldap_result( op, rs );
232 /* check for referrals */
233 if( backend_check_referrals( op, rs ) != LDAP_SUCCESS ) {
237 Debug( LDAP_DEBUG_ARGS, "do_compare: dn (%s) attr (%s) value (%s)\n",
239 ava.aa_desc->ad_cname.bv_val, ava.aa_value.bv_val );
241 Statslog( LDAP_DEBUG_STATS, "%s CMP dn=\"%s\" attr=\"%s\"\n",
242 op->o_log_prefix, op->o_req_dn.bv_val,
243 ava.aa_desc->ad_cname.bv_val, 0, 0 );
246 if ( ava.aa_desc == slap_schema.si_ad_entryDN ) {
247 send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
248 "entryDN compare not supported" );
250 } else if ( ava.aa_desc == slap_schema.si_ad_subschemaSubentry ) {
251 send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
252 "subschemaSubentry compare not supported" );
254 #ifndef SLAP_COMPARE_IN_FRONTEND
255 } else if ( ava.aa_desc == slap_schema.si_ad_hasSubordinates
256 && op->o_bd->be_has_subordinates )
258 int rc, hasSubordinates = LDAP_SUCCESS;
260 rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &entry );
261 if ( rc == 0 && entry ) {
262 if ( ! access_allowed( op, entry,
263 ava.aa_desc, &ava.aa_value, ACL_COMPARE, NULL ) )
265 rc = rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
268 rc = rs->sr_err = op->o_bd->be_has_subordinates( op,
269 entry, &hasSubordinates );
270 be_entry_release_r( op, entry );
277 asserted = bvmatch( &ava.aa_value, &slap_true_bv )
278 ? LDAP_COMPARE_TRUE : LDAP_COMPARE_FALSE;
279 if ( hasSubordinates == asserted ) {
280 rs->sr_err = LDAP_COMPARE_TRUE;
283 rs->sr_err = LDAP_COMPARE_FALSE;
287 #ifdef SLAP_ACL_HONOR_DISCLOSE
288 /* return error only if "disclose"
289 * is granted on the object */
290 if ( backend_access( op, NULL, &op->o_req_ndn,
291 slap_schema.si_ad_entry,
292 NULL, ACL_DISCLOSE, NULL ) == LDAP_INSUFFICIENT_ACCESS )
294 rs->sr_err = LDAP_NO_SUCH_OBJECT;
296 #endif /* SLAP_ACL_HONOR_DISCLOSE */
299 send_ldap_result( op, rs );
302 rs->sr_err = LDAP_SUCCESS;
305 } else if ( op->o_bd->be_compare ) {
306 rs->sr_err = op->o_bd->be_compare( op, rs );
308 #endif /* ! SLAP_COMPARE_IN_FRONTEND */
310 rs->sr_err = SLAP_CB_CONTINUE;
313 if ( rs->sr_err == SLAP_CB_CONTINUE ) {
314 /* do our best to compare that AVA
316 * NOTE: this code is used only
317 * if SLAP_COMPARE_IN_FRONTEND
318 * is #define'd (it's not by default)
319 * or if op->o_bd->be_compare is NULL.
321 * FIXME: one potential issue is that
322 * if SLAP_COMPARE_IN_FRONTEND overlays
323 * are not executed for compare. */
324 BerVarray vals = NULL;
327 rs->sr_err = backend_attribute( op, NULL, &op->o_req_ndn,
328 ava.aa_desc, &vals, ACL_COMPARE );
329 switch ( rs->sr_err ) {
331 #ifdef SLAP_ACL_HONOR_DISCLOSE
332 /* return error only if "disclose"
333 * is granted on the object */
334 if ( backend_access( op, NULL, &op->o_req_ndn,
335 slap_schema.si_ad_entry,
336 NULL, ACL_DISCLOSE, NULL )
337 == LDAP_INSUFFICIENT_ACCESS )
339 rs->sr_err = LDAP_NO_SUCH_OBJECT;
341 #endif /* SLAP_ACL_HONOR_DISCLOSE */
345 if ( value_find_ex( op->oq_compare.rs_ava->aa_desc,
346 SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
347 SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
348 vals, &ava.aa_value, op->o_tmpmemctx ) == 0 )
350 rs->sr_err = LDAP_COMPARE_TRUE;
354 rs->sr_err = LDAP_COMPARE_FALSE;
360 send_ldap_result( op, rs );
363 rs->sr_err = LDAP_SUCCESS;
367 ber_bvarray_free_x( vals, op->o_tmpmemctx );
375 static int compare_entry(
378 AttributeAssertion *ava )
380 int rc = LDAP_COMPARE_FALSE;
383 if ( ! access_allowed( op, e,
384 ava->aa_desc, &ava->aa_value, ACL_COMPARE, NULL ) )
386 rc = LDAP_INSUFFICIENT_ACCESS;
390 a = attrs_find( e->e_attrs, ava->aa_desc );
392 rc = LDAP_NO_SUCH_ATTRIBUTE;
396 for(a = attrs_find( e->e_attrs, ava->aa_desc );
398 a = attrs_find( a->a_next, ava->aa_desc ))
400 if (( ava->aa_desc != a->a_desc ) && ! access_allowed( op,
401 e, a->a_desc, &ava->aa_value, ACL_COMPARE, NULL ) )
403 rc = LDAP_INSUFFICIENT_ACCESS;
407 if ( value_find_ex( ava->aa_desc,
408 SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
409 SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
410 a->a_nvals, &ava->aa_value, op->o_tmpmemctx ) == 0 )
412 rc = LDAP_COMPARE_TRUE;
418 #ifdef LDAP_ACL_HONOR_DISCLOSE
419 if( rc != LDAP_COMPARE_TRUE && rc != LDAP_COMPARE_FALSE ) {
420 if ( ! access_allowed( op, e,
421 slap_schema.si_ad_entry, NULL, ACL_DISCLOSE, NULL ) )
423 rc = LDAP_NO_SUCH_OBJECT;