]> git.sur5r.net Git - openldap/blob - servers/slapd/controls.c
now I remember why I introduced the 'has_ldapinfo_dn_ru' flag
[openldap] / servers / slapd / controls.c
1 /* $OpenLDAP$ */
2 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
3  *
4  * Copyright 1998-2004 The OpenLDAP Foundation.
5  * All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted only as authorized by the OpenLDAP
9  * Public License.
10  *
11  * A copy of this license is available in the file LICENSE in the
12  * top-level directory of the distribution or, alternatively, at
13  * <http://www.OpenLDAP.org/license.html>.
14  */
15
16 #include "portable.h"
17
18 #include <stdio.h>
19
20 #include <ac/string.h>
21 #include <ac/socket.h>
22
23 #include "slap.h"
24
25 #include "../../libraries/liblber/lber-int.h"
26
27 static SLAP_CTRL_PARSE_FN parseAssert;
28 static SLAP_CTRL_PARSE_FN parsePreRead;
29 static SLAP_CTRL_PARSE_FN parsePostRead;
30 static SLAP_CTRL_PARSE_FN parseProxyAuthz;
31 static SLAP_CTRL_PARSE_FN parseManageDSAit;
32 static SLAP_CTRL_PARSE_FN parseModifyIncrement;
33 static SLAP_CTRL_PARSE_FN parseNoOp;
34 static SLAP_CTRL_PARSE_FN parsePagedResults;
35 static SLAP_CTRL_PARSE_FN parseValuesReturnFilter;
36 static SLAP_CTRL_PARSE_FN parsePermissiveModify;
37 static SLAP_CTRL_PARSE_FN parseDomainScope;
38
39 #ifdef LDAP_CONTROL_SUBENTRIES
40 static SLAP_CTRL_PARSE_FN parseSubentries;
41 #endif
42 static SLAP_CTRL_PARSE_FN parseLDAPsync;
43
44 #undef sc_mask /* avoid conflict with Irix 6.5 <sys/signal.h> */
45
46 const struct berval slap_pre_read_bv = BER_BVC(LDAP_CONTROL_PRE_READ);
47 const struct berval slap_post_read_bv = BER_BVC(LDAP_CONTROL_POST_READ);
48
49 struct slap_control {
50         /* Control OID */
51         char *sc_oid;
52
53         /* Operations supported by control */
54         slap_mask_t sc_mask;
55
56         /* Extended operations supported by control */
57         char **sc_extendedops;
58
59         /* Control parsing callback */
60         SLAP_CTRL_PARSE_FN *sc_parse;
61
62         LDAP_SLIST_ENTRY(slap_control) sc_next;
63 };
64
65 static LDAP_SLIST_HEAD(ControlsList, slap_control) controls_list
66         = LDAP_SLIST_HEAD_INITIALIZER(&controls_list);
67
68 /*
69  * all known request control OIDs should be added to this list
70  */
71 char **slap_known_controls = NULL;
72
73 static char *proxy_authz_extops[] = {
74         LDAP_EXOP_MODIFY_PASSWD,
75         LDAP_EXOP_X_WHO_AM_I,
76         NULL
77 };
78
79 static struct slap_control control_defs[] = {
80         { LDAP_CONTROL_ASSERT,
81                 SLAP_CTRL_HIDE|SLAP_CTRL_ACCESS, NULL,
82                 parseAssert, LDAP_SLIST_ENTRY_INITIALIZER(next) },
83         { LDAP_CONTROL_PRE_READ,
84                 SLAP_CTRL_HIDE|SLAP_CTRL_DELETE|SLAP_CTRL_MODIFY|SLAP_CTRL_RENAME, NULL,
85                 parsePreRead, LDAP_SLIST_ENTRY_INITIALIZER(next) },
86         { LDAP_CONTROL_POST_READ,
87                 SLAP_CTRL_HIDE|SLAP_CTRL_ADD|SLAP_CTRL_MODIFY|SLAP_CTRL_RENAME, NULL,
88                 parsePostRead, LDAP_SLIST_ENTRY_INITIALIZER(next) },
89         { LDAP_CONTROL_VALUESRETURNFILTER,
90                 SLAP_CTRL_SEARCH, NULL,
91                 parseValuesReturnFilter, LDAP_SLIST_ENTRY_INITIALIZER(next) },
92         { LDAP_CONTROL_PAGEDRESULTS,
93                 SLAP_CTRL_SEARCH, NULL,
94                 parsePagedResults, LDAP_SLIST_ENTRY_INITIALIZER(next) },
95 #ifdef LDAP_CONTROL_X_DOMAIN_SCOPE
96         { LDAP_CONTROL_X_DOMAIN_SCOPE,
97                 SLAP_CTRL_FRONTEND|SLAP_CTRL_SEARCH, NULL,
98                 parseDomainScope, LDAP_SLIST_ENTRY_INITIALIZER(next) },
99 #endif
100 #ifdef LDAP_CONTROL_X_PERMISSIVE_MODIFY
101         { LDAP_CONTROL_X_PERMISSIVE_MODIFY,
102                 SLAP_CTRL_MODIFY, NULL,
103                 parsePermissiveModify, LDAP_SLIST_ENTRY_INITIALIZER(next) },
104 #endif
105 #ifdef LDAP_CONTROL_SUBENTRIES
106         { LDAP_CONTROL_SUBENTRIES,
107                 SLAP_CTRL_SEARCH, NULL,
108                 parseSubentries, LDAP_SLIST_ENTRY_INITIALIZER(next) },
109 #endif
110         { LDAP_CONTROL_NOOP,
111                 SLAP_CTRL_ACCESS, NULL,
112                 parseNoOp, LDAP_SLIST_ENTRY_INITIALIZER(next) },
113         { LDAP_CONTROL_SYNC,
114                 SLAP_CTRL_HIDE|SLAP_CTRL_SEARCH, NULL,
115                 parseLDAPsync, LDAP_SLIST_ENTRY_INITIALIZER(next) },
116 #ifdef LDAP_CONTROL_MODIFY_INCREMENT
117         { LDAP_CONTROL_MODIFY_INCREMENT,
118                 SLAP_CTRL_HIDE|SLAP_CTRL_MODIFY, NULL,
119                 parseModifyIncrement, LDAP_SLIST_ENTRY_INITIALIZER(next) },
120 #endif
121         { LDAP_CONTROL_MANAGEDSAIT,
122                 SLAP_CTRL_ACCESS, NULL,
123                 parseManageDSAit, LDAP_SLIST_ENTRY_INITIALIZER(next) },
124         { LDAP_CONTROL_PROXY_AUTHZ,
125                 SLAP_CTRL_FRONTEND|SLAP_CTRL_ACCESS, proxy_authz_extops,
126                 parseProxyAuthz, LDAP_SLIST_ENTRY_INITIALIZER(next) },
127         { NULL, 0, NULL, 0, LDAP_SLIST_ENTRY_INITIALIZER(next) }
128 };
129
130 /*
131  * Register a supported control.
132  *
133  * This can be called by an OpenLDAP plugin or, indirectly, by a
134  * SLAPI plugin calling slapi_register_supported_control().
135  */
136 int
137 register_supported_control(const char *controloid,
138         slap_mask_t controlmask,
139         char **controlexops,
140         SLAP_CTRL_PARSE_FN *controlparsefn)
141 {
142         struct slap_control *sc;
143         int i;
144
145         if ( controloid == NULL ) {
146                 return LDAP_PARAM_ERROR;
147         }
148
149         sc = (struct slap_control *)SLAP_MALLOC( sizeof( *sc ) );
150         if ( sc == NULL ) {
151                 return LDAP_NO_MEMORY;
152         }
153         sc->sc_oid = ch_strdup( controloid );
154         sc->sc_mask = controlmask;
155         if ( controlexops != NULL ) {
156                 sc->sc_extendedops = ldap_charray_dup( controlexops );
157                 if ( sc->sc_extendedops == NULL ) {
158                         ch_free( sc );
159                         return LDAP_NO_MEMORY;
160                 }
161         } else {
162                 sc->sc_extendedops = NULL;
163         }
164         sc->sc_parse = controlparsefn;
165
166         /* Update slap_known_controls, too. */
167         if ( slap_known_controls == NULL ) {
168                 slap_known_controls = (char **)SLAP_MALLOC( 2 * sizeof(char *) );
169                 if ( slap_known_controls == NULL ) {
170                         if ( sc->sc_extendedops != NULL ) ldap_charray_free( sc->sc_extendedops );
171                         ch_free( sc );
172                         return LDAP_NO_MEMORY;
173                 }
174                 slap_known_controls[0] = ch_strdup( sc->sc_oid );
175                 slap_known_controls[1] = NULL;
176         } else {
177                 for ( i = 0; slap_known_controls[i] != NULL; i++ )
178                         ;
179                 slap_known_controls = (char **)SLAP_REALLOC( slap_known_controls, (i + 2) * sizeof(char *) );
180                 if ( slap_known_controls == NULL ) {
181                         if ( sc->sc_extendedops != NULL ) ldap_charray_free( sc->sc_extendedops );
182                         ch_free( sc );
183                         return LDAP_NO_MEMORY;
184                 }
185                 slap_known_controls[i++] = ch_strdup( sc->sc_oid );
186                 slap_known_controls[i] = NULL;
187         }
188
189         LDAP_SLIST_NEXT( sc, sc_next ) = NULL;
190         LDAP_SLIST_INSERT_HEAD( &controls_list, sc, sc_next );
191
192         return LDAP_SUCCESS;
193 }
194
195 /*
196  * One-time initialization of internal controls.
197  */
198 int
199 slap_controls_init( void )
200 {
201         int i, rc;
202         struct slap_control *sc;
203
204         rc = LDAP_SUCCESS;
205
206         for ( i = 0; control_defs[i].sc_oid != NULL; i++ ) {
207                 rc = register_supported_control( control_defs[i].sc_oid,
208                         control_defs[i].sc_mask, control_defs[i].sc_extendedops,
209                         control_defs[i].sc_parse );
210                 if ( rc != LDAP_SUCCESS )
211                         break;
212         }
213
214         return rc;
215 }
216
217 /*
218  * Free memory associated with list of supported controls.
219  */
220 void
221 controls_destroy( void )
222 {
223         struct slap_control *sc;
224
225         while ( !LDAP_SLIST_EMPTY(&controls_list) ) {
226                 sc = LDAP_SLIST_FIRST(&controls_list);
227                 LDAP_SLIST_REMOVE_HEAD(&controls_list, sc_next);
228
229                 ch_free( sc->sc_oid );
230                 if ( sc->sc_extendedops != NULL ) {
231                         ldap_charray_free( sc->sc_extendedops );
232                 }
233                 ch_free( sc );
234         }
235         ldap_charray_free( slap_known_controls );
236 }
237
238 /*
239  * Format the supportedControl attribute of the root DSE,
240  * detailing which controls are supported by the directory
241  * server.
242  */
243 int
244 controls_root_dse_info( Entry *e )
245 {
246         AttributeDescription *ad_supportedControl
247                 = slap_schema.si_ad_supportedControl;
248         struct berval vals[2];
249         struct slap_control *sc;
250
251         vals[1].bv_val = NULL;
252         vals[1].bv_len = 0;
253
254         LDAP_SLIST_FOREACH( sc, &controls_list, sc_next ) {
255                 if( sc->sc_mask & SLAP_CTRL_HIDE ) continue;
256
257                 vals[0].bv_val = sc->sc_oid;
258                 vals[0].bv_len = strlen( sc->sc_oid );
259
260                 if ( attr_merge( e, ad_supportedControl, vals, NULL ) ) {
261                         return -1;
262                 }
263         }
264
265         return 0;
266 }
267
268 /*
269  * Return a list of OIDs and operation masks for supported
270  * controls. Used by SLAPI.
271  */
272 int
273 get_supported_controls(char ***ctrloidsp,
274         slap_mask_t **ctrlmasks)
275 {
276         int i, n;
277         char **oids;
278         slap_mask_t *masks;
279         int rc;
280         struct slap_control *sc;
281
282         n = 0;
283
284         LDAP_SLIST_FOREACH( sc, &controls_list, sc_next ) {
285                 n++;
286         }
287
288         if ( n == 0 ) {
289                 *ctrloidsp = NULL;
290                 *ctrlmasks = NULL;
291                 return LDAP_SUCCESS;
292         }
293
294         oids = (char **)SLAP_MALLOC( (n + 1) * sizeof(char *) );
295         if ( oids == NULL ) {
296                 return LDAP_NO_MEMORY;
297         }
298         masks = (slap_mask_t *)SLAP_MALLOC( (n + 1) * sizeof(slap_mask_t) );
299         if  ( masks == NULL ) {
300                 ch_free( oids );
301                 return LDAP_NO_MEMORY;
302         }
303
304         n = 0;
305
306         LDAP_SLIST_FOREACH( sc, &controls_list, sc_next ) {
307                 oids[n] = ch_strdup( sc->sc_oid );
308                 masks[n] = sc->sc_mask;
309                 n++;
310         }
311         oids[n] = NULL;
312         masks[n] = 0;
313
314         *ctrloidsp = oids;
315         *ctrlmasks = masks;
316
317         return LDAP_SUCCESS;
318 }
319
320 /*
321  * Find a control given its OID.
322  */
323 static struct slap_control *
324 find_ctrl( const char *oid )
325 {
326         struct slap_control *sc;
327
328         LDAP_SLIST_FOREACH( sc, &controls_list, sc_next ) {
329                 if ( strcmp( oid, sc->sc_oid ) == 0 ) {
330                         return sc;
331                 }
332         }
333
334         return NULL;
335 }
336
337 void slap_free_ctrls(
338         Operation *op,
339         LDAPControl **ctrls
340 )
341 {
342         int i;
343
344         for (i=0; ctrls[i]; i++) {
345                 op->o_tmpfree(ctrls[i], op->o_tmpmemctx );
346         }
347         op->o_tmpfree( ctrls, op->o_tmpmemctx );
348 }
349
350 int get_ctrls(
351         Operation *op,
352         SlapReply *rs,
353         int sendres )
354 {
355         int nctrls = 0;
356         ber_tag_t tag;
357         ber_len_t len;
358         char *opaque;
359         BerElement *ber = op->o_ber;
360         struct slap_control *sc;
361         struct berval bv;
362
363         len = ber_pvt_ber_remaining(ber);
364
365         if( len == 0) {
366                 /* no controls */
367                 rs->sr_err = LDAP_SUCCESS;
368                 return rs->sr_err;
369         }
370
371         if(( tag = ber_peek_tag( ber, &len )) != LDAP_TAG_CONTROLS ) {
372                 if( tag == LBER_ERROR ) {
373                         rs->sr_err = SLAPD_DISCONNECT;
374                         rs->sr_text = "unexpected data in PDU";
375                 }
376
377                 goto return_results;
378         }
379
380 #ifdef NEW_LOGGING
381         LDAP_LOG( OPERATION, ENTRY,
382                 "get_ctrls: conn %lu\n", op->o_connid, 0, 0 );
383 #else
384         Debug( LDAP_DEBUG_TRACE,
385                 "=> get_ctrls\n", 0, 0, 0 );
386 #endif
387
388         if( op->o_protocol < LDAP_VERSION3 ) {
389                 rs->sr_err = SLAPD_DISCONNECT;
390                 rs->sr_text = "controls require LDAPv3";
391                 goto return_results;
392         }
393
394         /* one for first control, one for termination */
395         op->o_ctrls = op->o_tmpalloc( 2 * sizeof(LDAPControl *), op->o_tmpmemctx );
396
397 #if 0
398         if( op->ctrls == NULL ) {
399                 rs->sr_err = LDAP_NO_MEMORY;
400                 rs->sr_text = "no memory";
401                 goto return_results;
402         }
403 #endif
404
405         op->o_ctrls[nctrls] = NULL;
406
407         /* step through each element */
408         for( tag = ber_first_element( ber, &len, &opaque );
409                 tag != LBER_ERROR;
410                 tag = ber_next_element( ber, &len, opaque ) )
411         {
412                 LDAPControl *c;
413                 LDAPControl **tctrls;
414
415                 c = op->o_tmpalloc( sizeof(LDAPControl), op->o_tmpmemctx );
416                 memset(c, 0, sizeof(LDAPControl));
417
418                 /* allocate pointer space for current controls (nctrls)
419                  * + this control + extra NULL
420                  */
421                 tctrls = op->o_tmprealloc( op->o_ctrls,
422                         (nctrls+2) * sizeof(LDAPControl *), op->o_tmpmemctx );
423
424 #if 0
425                 if( tctrls == NULL ) {
426                         ch_free( c );
427                         ldap_controls_free(op->o_ctrls);
428                         op->o_ctrls = NULL;
429
430                         rs->sr_err = LDAP_NO_MEMORY;
431                         rs->sr_text = "no memory";
432                         goto return_results;
433                 }
434 #endif
435                 op->o_ctrls = tctrls;
436
437                 op->o_ctrls[nctrls++] = c;
438                 op->o_ctrls[nctrls] = NULL;
439
440                 tag = ber_scanf( ber, "{m" /*}*/, &bv );
441                 c->ldctl_oid = bv.bv_val;
442
443                 if( tag == LBER_ERROR ) {
444 #ifdef NEW_LOGGING
445                         LDAP_LOG( OPERATION, INFO, "get_ctrls: conn %lu get OID failed.\n",
446                                 op->o_connid, 0, 0 );
447 #else
448                         Debug( LDAP_DEBUG_TRACE, "=> get_ctrls: get oid failed.\n",
449                                 0, 0, 0 );
450 #endif
451
452                         slap_free_ctrls( op, op->o_ctrls );
453                         op->o_ctrls = NULL;
454                         rs->sr_err = SLAPD_DISCONNECT;
455                         rs->sr_text = "decoding controls error";
456                         goto return_results;
457
458                 } else if( c->ldctl_oid == NULL ) {
459 #ifdef NEW_LOGGING
460                         LDAP_LOG( OPERATION, INFO,
461                                 "get_ctrls: conn %lu got emtpy OID.\n",
462                                 op->o_connid, 0, 0 );
463 #else
464                         Debug( LDAP_DEBUG_TRACE,
465                                 "get_ctrls: conn %lu got emtpy OID.\n",
466                                 op->o_connid, 0, 0 );
467 #endif
468
469                         slap_free_ctrls( op, op->o_ctrls );
470                         op->o_ctrls = NULL;
471                         rs->sr_err = LDAP_PROTOCOL_ERROR;
472                         rs->sr_text = "OID field is empty";
473                         goto return_results;
474                 }
475
476                 tag = ber_peek_tag( ber, &len );
477
478                 if( tag == LBER_BOOLEAN ) {
479                         ber_int_t crit;
480                         tag = ber_scanf( ber, "b", &crit );
481
482                         if( tag == LBER_ERROR ) {
483 #ifdef NEW_LOGGING
484                                 LDAP_LOG( OPERATION, INFO, 
485                                         "get_ctrls: conn %lu get crit failed.\n", 
486                                         op->o_connid, 0, 0 );
487 #else
488                                 Debug( LDAP_DEBUG_TRACE, "=> get_ctrls: get crit failed.\n",
489                                         0, 0, 0 );
490 #endif
491                                 slap_free_ctrls( op, op->o_ctrls );
492                                 op->o_ctrls = NULL;
493                                 rs->sr_err = SLAPD_DISCONNECT;
494                                 rs->sr_text = "decoding controls error";
495                                 goto return_results;
496                         }
497
498                         c->ldctl_iscritical = (crit != 0);
499                         tag = ber_peek_tag( ber, &len );
500                 }
501
502                 if( tag == LBER_OCTETSTRING ) {
503                         tag = ber_scanf( ber, "m", &c->ldctl_value );
504
505                         if( tag == LBER_ERROR ) {
506 #ifdef NEW_LOGGING
507                                 LDAP_LOG( OPERATION, INFO, "get_ctrls: conn %lu: "
508                                         "%s (%scritical): get value failed.\n",
509                                         op->o_connid, c->ldctl_oid,
510                                         c->ldctl_iscritical ? "" : "non" );
511 #else
512                                 Debug( LDAP_DEBUG_TRACE, "=> get_ctrls: conn %lu: "
513                                         "%s (%scritical): get value failed.\n",
514                                         op->o_connid, c->ldctl_oid,
515                                         c->ldctl_iscritical ? "" : "non" );
516 #endif
517                                 slap_free_ctrls( op, op->o_ctrls );
518                                 op->o_ctrls = NULL;
519                                 rs->sr_err = SLAPD_DISCONNECT;
520                                 rs->sr_text = "decoding controls error";
521                                 goto return_results;
522                         }
523                 }
524
525 #ifdef NEW_LOGGING
526                 LDAP_LOG( OPERATION, INFO, 
527                         "get_ctrls: conn %lu oid=\"%s\" (%scritical)\n",
528                         op->o_connid, c->ldctl_oid, c->ldctl_iscritical ? "" : "non" );
529 #else
530                 Debug( LDAP_DEBUG_TRACE,
531                         "=> get_ctrls: oid=\"%s\" (%scritical)\n",
532                         c->ldctl_oid, c->ldctl_iscritical ? "" : "non", 0 );
533 #endif
534
535                 sc = find_ctrl( c->ldctl_oid );
536                 if( sc != NULL ) {
537                         /* recognized control */
538                         slap_mask_t tagmask;
539                         switch( op->o_tag ) {
540                         case LDAP_REQ_ADD:
541                                 tagmask = SLAP_CTRL_ADD;
542                                 break;
543                         case LDAP_REQ_BIND:
544                                 tagmask = SLAP_CTRL_BIND;
545                                 break;
546                         case LDAP_REQ_COMPARE:
547                                 tagmask = SLAP_CTRL_COMPARE;
548                                 break;
549                         case LDAP_REQ_DELETE:
550                                 tagmask = SLAP_CTRL_DELETE;
551                                 break;
552                         case LDAP_REQ_MODIFY:
553                                 tagmask = SLAP_CTRL_MODIFY;
554                                 break;
555                         case LDAP_REQ_RENAME:
556                                 tagmask = SLAP_CTRL_RENAME;
557                                 break;
558                         case LDAP_REQ_SEARCH:
559                                 tagmask = SLAP_CTRL_SEARCH;
560                                 break;
561                         case LDAP_REQ_UNBIND:
562                                 tagmask = SLAP_CTRL_UNBIND;
563                                 break;
564                         case LDAP_REQ_ABANDON:
565                                 tagmask = SLAP_CTRL_ABANDON;
566                                 break;
567                         case LDAP_REQ_EXTENDED:
568                                 tagmask=~0L;
569                                 assert( op->ore_reqoid.bv_val != NULL );
570                                 if( sc->sc_extendedops != NULL ) {
571                                         int i;
572                                         for( i=0; sc->sc_extendedops[i] != NULL; i++ ) {
573                                                 if( strcmp( op->ore_reqoid.bv_val, sc->sc_extendedops[i] )
574                                                         == 0 )
575                                                 {
576                                                         tagmask=0L;
577                                                         break;
578                                                 }
579                                         }
580                                 }
581                                 break;
582                         default:
583                                 rs->sr_err = LDAP_OTHER;
584                                 rs->sr_text = "controls internal error";
585                                 goto return_results;
586                         }
587
588                         if (( sc->sc_mask & tagmask ) == tagmask ) {
589                                 /* available extension */
590
591                                 if( !sc->sc_parse ) {
592                                         rs->sr_err = LDAP_OTHER;
593                                         rs->sr_text = "not yet implemented";
594                                         goto return_results;
595                                 }
596
597                                 rs->sr_err = sc->sc_parse( op, rs, c );
598
599                                 if( rs->sr_err != LDAP_SUCCESS ) goto return_results;
600
601                                 if ( sc->sc_mask & SLAP_CTRL_FRONTEND ) {
602                                         /* kludge to disable backend_control() check */
603                                         c->ldctl_iscritical = 0;
604
605                                 } else if ( tagmask == SLAP_CTRL_SEARCH &&
606                                         sc->sc_mask & SLAP_CTRL_FRONTEND_SEARCH )
607                                 {
608                                         /* kludge to disable backend_control() check */
609                                         c->ldctl_iscritical = 0;
610                                 }
611
612                         } else if( c->ldctl_iscritical ) {
613                                 /* unavailable CRITICAL control */
614                                 rs->sr_err = LDAP_UNAVAILABLE_CRITICAL_EXTENSION;
615                                 rs->sr_text = "critical extension is unavailable";
616                                 goto return_results;
617                         }
618
619                 } else if( c->ldctl_iscritical ) {
620                         /* unrecognized CRITICAL control */
621                         rs->sr_err = LDAP_UNAVAILABLE_CRITICAL_EXTENSION;
622                         rs->sr_text = "critical extension is not recognized";
623                         goto return_results;
624                 }
625         }
626
627 return_results:
628 #ifdef NEW_LOGGING
629         LDAP_LOG( OPERATION, RESULTS, 
630                 "get_ctrls: n=%d rc=%d err=\"%s\"\n",
631                 nctrls, rs->sr_err, rs->sr_text ? rs->sr_text : "" );
632 #else
633         Debug( LDAP_DEBUG_TRACE,
634                 "<= get_ctrls: n=%d rc=%d err=\"%s\"\n",
635                 nctrls, rs->sr_err, rs->sr_text ? rs->sr_text : "");
636 #endif
637
638         if( sendres && rs->sr_err != LDAP_SUCCESS ) {
639                 if( rs->sr_err == SLAPD_DISCONNECT ) {
640                         rs->sr_err = LDAP_PROTOCOL_ERROR;
641                         send_ldap_disconnect( op, rs );
642                         rs->sr_err = SLAPD_DISCONNECT;
643                 } else {
644                         send_ldap_result( op, rs );
645                 }
646         }
647
648         return rs->sr_err;
649 }
650
651 static int parseModifyIncrement (
652         Operation *op,
653         SlapReply *rs,
654         LDAPControl *ctrl )
655 {
656 #if 0
657         if ( op->o_parseModifyIncrement != SLAP_NO_CONTROL ) {
658                 rs->sr_text = "modifyIncrement control specified multiple times";
659                 return LDAP_PROTOCOL_ERROR;
660         }
661 #endif
662
663         if ( ctrl->ldctl_value.bv_len ) {
664                 rs->sr_text = "modifyIncrement control value not empty";
665                 return LDAP_PROTOCOL_ERROR;
666         }
667
668 #if 0
669         op->o_parseModifyIncrement = ctrl->ldctl_iscritical
670                 ? SLAP_CRITICAL_CONTROL
671                 : SLAP_NONCRITICAL_CONTROL;
672 #endif
673
674         return LDAP_SUCCESS;
675 }
676
677 static int parseManageDSAit (
678         Operation *op,
679         SlapReply *rs,
680         LDAPControl *ctrl )
681 {
682         if ( op->o_managedsait != SLAP_NO_CONTROL ) {
683                 rs->sr_text = "manageDSAit control specified multiple times";
684                 return LDAP_PROTOCOL_ERROR;
685         }
686
687         if ( ctrl->ldctl_value.bv_len ) {
688                 rs->sr_text = "manageDSAit control value not empty";
689                 return LDAP_PROTOCOL_ERROR;
690         }
691
692         op->o_managedsait = ctrl->ldctl_iscritical
693                 ? SLAP_CRITICAL_CONTROL
694                 : SLAP_NONCRITICAL_CONTROL;
695
696         return LDAP_SUCCESS;
697 }
698
699 static int parseProxyAuthz (
700         Operation *op,
701         SlapReply *rs,
702         LDAPControl *ctrl )
703 {
704         int             rc;
705         struct berval   dn = { 0, NULL };
706
707         if ( op->o_proxy_authz != SLAP_NO_CONTROL ) {
708                 rs->sr_text = "proxy authorization control specified multiple times";
709                 return LDAP_PROTOCOL_ERROR;
710         }
711
712         op->o_proxy_authz = ctrl->ldctl_iscritical
713                 ? SLAP_CRITICAL_CONTROL
714                 : SLAP_NONCRITICAL_CONTROL;
715
716 #ifdef NEW_LOGGING
717         LDAP_LOG( OPERATION, ARGS, 
718                 "parseProxyAuthz: conn %lu authzid=\"%s\"\n", 
719                 op->o_connid,
720                 ctrl->ldctl_value.bv_len ?  ctrl->ldctl_value.bv_val : "anonymous",
721                 0 );
722 #else
723         Debug( LDAP_DEBUG_ARGS,
724                 "parseProxyAuthz: conn %lu authzid=\"%s\"\n", 
725                 op->o_connid,
726                 ctrl->ldctl_value.bv_len ?  ctrl->ldctl_value.bv_val : "anonymous",
727                 0 );
728 #endif
729
730         if( ctrl->ldctl_value.bv_len == 0 ) {
731 #ifdef NEW_LOGGING
732                 LDAP_LOG( OPERATION, RESULTS, 
733                         "parseProxyAuthz: conn=%lu anonymous\n", 
734                         op->o_connid, 0, 0 );
735 #else
736                 Debug( LDAP_DEBUG_TRACE,
737                         "parseProxyAuthz: conn=%lu anonymous\n", 
738                         op->o_connid, 0, 0 );
739 #endif
740
741                 /* anonymous */
742                 free( op->o_dn.bv_val );
743                 op->o_dn.bv_len = 0;
744                 op->o_dn.bv_val = ch_strdup( "" );
745
746                 free( op->o_ndn.bv_val );
747                 op->o_ndn.bv_len = 0;
748                 op->o_ndn.bv_val = ch_strdup( "" );
749
750                 return LDAP_SUCCESS;
751         }
752
753         rc = slap_sasl_getdn( op->o_conn, op,
754                         ctrl->ldctl_value.bv_val, ctrl->ldctl_value.bv_len,
755                         NULL, &dn, SLAP_GETDN_AUTHZID );
756
757         if( rc != LDAP_SUCCESS || !dn.bv_len ) {
758                 if ( dn.bv_val ) {
759                         ch_free( dn.bv_val );
760                 }
761                 rs->sr_text = "authzId mapping failed";
762                 return LDAP_PROXY_AUTHZ_FAILURE;
763
764         }
765
766 #ifdef NEW_LOGGING
767         LDAP_LOG( OPERATION, RESULTS, 
768                 "parseProxyAuthz: conn=%lu \"%s\"\n", 
769                 op->o_connid,
770                 dn.bv_len ? dn.bv_val : "(NULL)", 0 );
771 #else
772         Debug( LDAP_DEBUG_TRACE,
773                 "parseProxyAuthz: conn=%lu \"%s\"\n", 
774                 op->o_connid,
775                 dn.bv_len ? dn.bv_val : "(NULL)", 0 );
776 #endif
777
778         rc = slap_sasl_authorized( op, &op->o_ndn, &dn );
779
780         if( rc ) {
781                 ch_free( dn.bv_val );
782                 rs->sr_text = "not authorized to assume identity";
783                 return LDAP_PROXY_AUTHZ_FAILURE;
784         }
785
786         ch_free( op->o_dn.bv_val );
787         ch_free( op->o_ndn.bv_val );
788
789         op->o_dn.bv_val = NULL;
790         op->o_ndn = dn;
791
792         /*
793          * NOTE: since slap_sasl_getdn() returns a normalized dn,
794          * from now on op->o_dn is normalized
795          */
796         ber_dupbv( &op->o_dn, &dn );
797
798         return LDAP_SUCCESS;
799 }
800
801 static int parseNoOp (
802         Operation *op,
803         SlapReply *rs,
804         LDAPControl *ctrl )
805 {
806         if ( op->o_noop != SLAP_NO_CONTROL ) {
807                 rs->sr_text = "noop control specified multiple times";
808                 return LDAP_PROTOCOL_ERROR;
809         }
810
811         if ( ctrl->ldctl_value.bv_len ) {
812                 rs->sr_text = "noop control value not empty";
813                 return LDAP_PROTOCOL_ERROR;
814         }
815
816         op->o_noop = ctrl->ldctl_iscritical
817                 ? SLAP_CRITICAL_CONTROL
818                 : SLAP_NONCRITICAL_CONTROL;
819
820         return LDAP_SUCCESS;
821 }
822
823 static int parsePagedResults (
824         Operation *op,
825         SlapReply *rs,
826         LDAPControl *ctrl )
827 {
828         ber_tag_t tag;
829         ber_int_t size;
830         BerElement *ber;
831         struct berval cookie = { 0, NULL };
832
833         if ( op->o_pagedresults != SLAP_NO_CONTROL ) {
834                 rs->sr_text = "paged results control specified multiple times";
835                 return LDAP_PROTOCOL_ERROR;
836         }
837
838         if ( ctrl->ldctl_value.bv_len == 0 ) {
839                 rs->sr_text = "paged results control value is empty (or absent)";
840                 return LDAP_PROTOCOL_ERROR;
841         }
842
843         /* Parse the control value
844          *      realSearchControlValue ::= SEQUENCE {
845          *              size    INTEGER (0..maxInt),
846          *                              -- requested page size from client
847          *                              -- result set size estimate from server
848          *              cookie  OCTET STRING
849          * }
850          */
851         ber = ber_init( &ctrl->ldctl_value );
852         if( ber == NULL ) {
853                 rs->sr_text = "internal error";
854                 return LDAP_OTHER;
855         }
856
857         tag = ber_scanf( ber, "{im}", &size, &cookie );
858         (void) ber_free( ber, 1 );
859
860         if( tag == LBER_ERROR ) {
861                 rs->sr_text = "paged results control could not be decoded";
862                 return LDAP_PROTOCOL_ERROR;
863         }
864
865         if( size < 0 ) {
866                 rs->sr_text = "paged results control size invalid";
867                 return LDAP_PROTOCOL_ERROR;
868         }
869
870         if( cookie.bv_len ) {
871                 PagedResultsCookie reqcookie;
872                 if( cookie.bv_len != sizeof( reqcookie ) ) {
873                         /* bad cookie */
874                         rs->sr_text = "paged results cookie is invalid";
875                         return LDAP_PROTOCOL_ERROR;
876                 }
877
878                 AC_MEMCPY( &reqcookie, cookie.bv_val, sizeof( reqcookie ));
879
880                 if( reqcookie > op->o_pagedresults_state.ps_cookie ) {
881                         /* bad cookie */
882                         rs->sr_text = "paged results cookie is invalid";
883                         return LDAP_PROTOCOL_ERROR;
884
885                 } else if( reqcookie < op->o_pagedresults_state.ps_cookie ) {
886                         rs->sr_text = "paged results cookie is invalid or old";
887                         return LDAP_UNWILLING_TO_PERFORM;
888                 }
889         } else {
890                 /* Initial request.  Initialize state. */
891                 op->o_pagedresults_state.ps_cookie = 0;
892                 op->o_pagedresults_state.ps_id = NOID;
893         }
894
895         op->o_pagedresults_size = size;
896
897         op->o_pagedresults = ctrl->ldctl_iscritical
898                 ? SLAP_CRITICAL_CONTROL
899                 : SLAP_NONCRITICAL_CONTROL;
900
901         return LDAP_SUCCESS;
902 }
903
904 static int parseAssert (
905         Operation *op,
906         SlapReply *rs,
907         LDAPControl *ctrl )
908 {
909         BerElement      *ber;
910         struct berval   fstr = { 0, NULL };
911         const char *err_msg = "";
912
913         if ( op->o_assert != SLAP_NO_CONTROL ) {
914                 rs->sr_text = "assert control specified multiple times";
915                 return LDAP_PROTOCOL_ERROR;
916         }
917
918         if ( ctrl->ldctl_value.bv_len == 0 ) {
919                 rs->sr_text = "assert control value is empty (or absent)";
920                 return LDAP_PROTOCOL_ERROR;
921         }
922
923         ber = ber_init( &(ctrl->ldctl_value) );
924         if (ber == NULL) {
925                 rs->sr_text = "assert control: internal error";
926                 return LDAP_OTHER;
927         }
928         
929         rs->sr_err = get_filter( op, ber, &(op->o_assertion), &rs->sr_text);
930
931         if( rs->sr_err != LDAP_SUCCESS ) {
932                 if( rs->sr_err == SLAPD_DISCONNECT ) {
933                         rs->sr_err = LDAP_PROTOCOL_ERROR;
934                         send_ldap_disconnect( op, rs );
935                         rs->sr_err = SLAPD_DISCONNECT;
936                 } else {
937                         send_ldap_result( op, rs );
938                 }
939                 if( op->o_assertion != NULL ) {
940                         filter_free_x( op, op->o_assertion );
941                 }
942                 return rs->sr_err;
943         }
944
945 #ifdef LDAP_DEBUG
946         filter2bv_x( op, op->o_assertion, &fstr );
947
948 #ifdef NEW_LOGGING
949         LDAP_LOG( OPERATION, ARGS, 
950                 "parseAssert: conn %ld assert: %s\n", 
951                 op->o_connid, fstr.bv_len ? fstr.bv_val : "empty" , 0 );
952 #else
953         Debug( LDAP_DEBUG_ARGS, "parseAssert: conn %ld assert: %s\n",
954                 op->o_connid, fstr.bv_len ? fstr.bv_val : "empty" , 0 );
955 #endif
956         op->o_tmpfree( fstr.bv_val, op->o_tmpmemctx );
957 #endif
958
959         op->o_assert = ctrl->ldctl_iscritical
960                 ? SLAP_CRITICAL_CONTROL
961                 : SLAP_NONCRITICAL_CONTROL;
962
963         rs->sr_err = LDAP_SUCCESS;
964         return LDAP_SUCCESS;
965 }
966
967 static int parsePreRead (
968         Operation *op,
969         SlapReply *rs,
970         LDAPControl *ctrl )
971 {
972         ber_len_t siz, off, i;
973         AttributeName *an = NULL;
974         BerElement      *ber;
975
976         if ( op->o_preread != SLAP_NO_CONTROL ) {
977                 rs->sr_text = "preread control specified multiple times";
978                 return LDAP_PROTOCOL_ERROR;
979         }
980
981         if ( ctrl->ldctl_value.bv_len == 0 ) {
982                 rs->sr_text = "preread control value is empty (or absent)";
983                 return LDAP_PROTOCOL_ERROR;
984         }
985
986         ber = ber_init( &(ctrl->ldctl_value) );
987         if (ber == NULL) {
988                 rs->sr_text = "preread control: internal error";
989                 return LDAP_OTHER;
990         }
991
992         siz = sizeof( AttributeName );
993         off = offsetof( AttributeName, an_name );
994         if ( ber_scanf( ber, "{M}", &an, &siz, off ) == LBER_ERROR ) {
995                 rs->sr_text = "preread control: decoding error";
996                 return LDAP_PROTOCOL_ERROR;
997         }
998
999         for( i=0; i<siz; i++ ) {
1000                 int             rc = LDAP_SUCCESS;
1001                 const char      *dummy = NULL;
1002
1003                 an[i].an_desc = NULL;
1004                 an[i].an_oc = NULL;
1005                 an[i].an_oc_exclude = 0;
1006                 rc = slap_bv2ad( &an[i].an_name, &an[i].an_desc, &dummy );
1007                 if ( rc != LDAP_SUCCESS && ctrl->ldctl_iscritical ) {
1008                         rs->sr_text = dummy ? dummy : "postread control: unknown attributeType";
1009                         return rc;
1010                 }
1011         }
1012
1013         op->o_preread = ctrl->ldctl_iscritical
1014                 ? SLAP_CRITICAL_CONTROL
1015                 : SLAP_NONCRITICAL_CONTROL;
1016
1017         op->o_preread_attrs = an;
1018
1019         rs->sr_err = LDAP_SUCCESS;
1020         return LDAP_SUCCESS;
1021 }
1022
1023 static int parsePostRead (
1024         Operation *op,
1025         SlapReply *rs,
1026         LDAPControl *ctrl )
1027 {
1028         ber_len_t siz, off, i;
1029         AttributeName *an = NULL;
1030         BerElement      *ber;
1031
1032         if ( op->o_postread != SLAP_NO_CONTROL ) {
1033                 rs->sr_text = "postread control specified multiple times";
1034                 return LDAP_PROTOCOL_ERROR;
1035         }
1036
1037         if ( ctrl->ldctl_value.bv_len == 0 ) {
1038                 rs->sr_text = "postread control value is empty (or absent)";
1039                 return LDAP_PROTOCOL_ERROR;
1040         }
1041
1042         ber = ber_init( &(ctrl->ldctl_value) );
1043         if (ber == NULL) {
1044                 rs->sr_text = "postread control: internal error";
1045                 return LDAP_OTHER;
1046         }
1047
1048         siz = sizeof( AttributeName );
1049         off = offsetof( AttributeName, an_name );
1050         if ( ber_scanf( ber, "{M}", &an, &siz, off ) == LBER_ERROR ) {
1051                 rs->sr_text = "postread control: decoding error";
1052                 return LDAP_PROTOCOL_ERROR;
1053         }
1054
1055         for( i=0; i<siz; i++ ) {
1056                 int             rc = LDAP_SUCCESS;
1057                 const char      *dummy = NULL;
1058
1059                 an[i].an_desc = NULL;
1060                 an[i].an_oc = NULL;
1061                 an[i].an_oc_exclude = 0;
1062                 rc = slap_bv2ad( &an[i].an_name, &an[i].an_desc, &dummy );
1063                 if ( rc != LDAP_SUCCESS && ctrl->ldctl_iscritical ) {
1064                         rs->sr_text = dummy ? dummy : "postread control: unknown attributeType";
1065                         return rc;
1066                 }
1067         }
1068
1069         op->o_postread = ctrl->ldctl_iscritical
1070                 ? SLAP_CRITICAL_CONTROL
1071                 : SLAP_NONCRITICAL_CONTROL;
1072
1073         op->o_postread_attrs = an;
1074
1075         rs->sr_err = LDAP_SUCCESS;
1076         return LDAP_SUCCESS;
1077 }
1078
1079 int parseValuesReturnFilter (
1080         Operation *op,
1081         SlapReply *rs,
1082         LDAPControl *ctrl )
1083 {
1084         BerElement      *ber;
1085         struct berval   fstr = { 0, NULL };
1086         const char *err_msg = "";
1087
1088         if ( op->o_valuesreturnfilter != SLAP_NO_CONTROL ) {
1089                 rs->sr_text = "valuesReturnFilter control specified multiple times";
1090                 return LDAP_PROTOCOL_ERROR;
1091         }
1092
1093         if ( ctrl->ldctl_value.bv_len == 0 ) {
1094                 rs->sr_text = "valuesReturnFilter control value is empty (or absent)";
1095                 return LDAP_PROTOCOL_ERROR;
1096         }
1097
1098         ber = ber_init( &(ctrl->ldctl_value) );
1099         if (ber == NULL) {
1100                 rs->sr_text = "internal error";
1101                 return LDAP_OTHER;
1102         }
1103         
1104         rs->sr_err = get_vrFilter( op, ber, &(op->o_vrFilter), &rs->sr_text);
1105
1106         if( rs->sr_err != LDAP_SUCCESS ) {
1107                 if( rs->sr_err == SLAPD_DISCONNECT ) {
1108                         rs->sr_err = LDAP_PROTOCOL_ERROR;
1109                         send_ldap_disconnect( op, rs );
1110                         rs->sr_err = SLAPD_DISCONNECT;
1111                 } else {
1112                         send_ldap_result( op, rs );
1113                 }
1114                 if( op->o_vrFilter != NULL) vrFilter_free( op, op->o_vrFilter ); 
1115         }
1116 #ifdef LDAP_DEBUG
1117         else {
1118                 vrFilter2bv( op, op->o_vrFilter, &fstr );
1119         }
1120
1121 #ifdef NEW_LOGGING
1122         LDAP_LOG( OPERATION, ARGS, 
1123                 "parseValuesReturnFilter: conn %d       vrFilter: %s\n", 
1124                 op->o_connid, fstr.bv_len ? fstr.bv_val : "empty" , 0 );
1125 #else
1126         Debug( LDAP_DEBUG_ARGS, "       vrFilter: %s\n",
1127                 fstr.bv_len ? fstr.bv_val : "empty", 0, 0 );
1128 #endif
1129         op->o_tmpfree( fstr.bv_val, op->o_tmpmemctx );
1130 #endif
1131
1132         op->o_valuesreturnfilter = ctrl->ldctl_iscritical
1133                 ? SLAP_CRITICAL_CONTROL
1134                 : SLAP_NONCRITICAL_CONTROL;
1135
1136         rs->sr_err = LDAP_SUCCESS;
1137         return LDAP_SUCCESS;
1138 }
1139
1140 #ifdef LDAP_CONTROL_SUBENTRIES
1141 static int parseSubentries (
1142         Operation *op,
1143         SlapReply *rs,
1144         LDAPControl *ctrl )
1145 {
1146         if ( op->o_subentries != SLAP_NO_CONTROL ) {
1147                 rs->sr_text = "subentries control specified multiple times";
1148                 return LDAP_PROTOCOL_ERROR;
1149         }
1150
1151         /* FIXME: should use BER library */
1152         if( ( ctrl->ldctl_value.bv_len != 3 )
1153                 && ( ctrl->ldctl_value.bv_val[0] != 0x01 )
1154                 && ( ctrl->ldctl_value.bv_val[1] != 0x01 ))
1155         {
1156                 rs->sr_text = "subentries control value encoding is bogus";
1157                 return LDAP_PROTOCOL_ERROR;
1158         }
1159
1160         op->o_subentries = ctrl->ldctl_iscritical
1161                 ? SLAP_CRITICAL_CONTROL
1162                 : SLAP_NONCRITICAL_CONTROL;
1163
1164         op->o_subentries_visibility = (ctrl->ldctl_value.bv_val[2] != 0x00);
1165
1166         return LDAP_SUCCESS;
1167 }
1168 #endif
1169
1170 #ifdef LDAP_CONTROL_X_PERMISSIVE_MODIFY
1171 static int parsePermissiveModify (
1172         Operation *op,
1173         SlapReply *rs,
1174         LDAPControl *ctrl )
1175 {
1176         if ( op->o_permissive_modify != SLAP_NO_CONTROL ) {
1177                 rs->sr_text = "permissiveModify control specified multiple times";
1178                 return LDAP_PROTOCOL_ERROR;
1179         }
1180
1181         if ( ctrl->ldctl_value.bv_len ) {
1182                 rs->sr_text = "permissiveModify control value not empty";
1183                 return LDAP_PROTOCOL_ERROR;
1184         }
1185
1186         op->o_permissive_modify = ctrl->ldctl_iscritical
1187                 ? SLAP_CRITICAL_CONTROL
1188                 : SLAP_NONCRITICAL_CONTROL;
1189
1190         return LDAP_SUCCESS;
1191 }
1192 #endif
1193
1194 #ifdef LDAP_CONTROL_X_DOMAIN_SCOPE
1195 static int parseDomainScope (
1196         Operation *op,
1197         SlapReply *rs,
1198         LDAPControl *ctrl )
1199 {
1200         if ( op->o_domain_scope != SLAP_NO_CONTROL ) {
1201                 rs->sr_text = "domainScope control specified multiple times";
1202                 return LDAP_PROTOCOL_ERROR;
1203         }
1204
1205         if ( ctrl->ldctl_value.bv_len ) {
1206                 rs->sr_text = "domainScope control value not empty";
1207                 return LDAP_PROTOCOL_ERROR;
1208         }
1209
1210         op->o_domain_scope = ctrl->ldctl_iscritical
1211                 ? SLAP_CRITICAL_CONTROL
1212                 : SLAP_NONCRITICAL_CONTROL;
1213
1214         return LDAP_SUCCESS;
1215 }
1216 #endif
1217
1218 static int parseLDAPsync (
1219         Operation *op,
1220         SlapReply *rs,
1221         LDAPControl *ctrl )
1222 {
1223         ber_tag_t tag;
1224         BerElement *ber;
1225         ber_int_t mode;
1226         ber_len_t len;
1227         struct slap_session_entry *se;
1228
1229         if ( op->o_sync != SLAP_NO_CONTROL ) {
1230                 rs->sr_text = "LDAP Sync control specified multiple times";
1231                 return LDAP_PROTOCOL_ERROR;
1232         }
1233
1234         if ( ctrl->ldctl_value.bv_len == 0 ) {
1235                 rs->sr_text = "LDAP Sync control value is empty (or absent)";
1236                 return LDAP_PROTOCOL_ERROR;
1237         }
1238
1239         /* Parse the control value
1240          *      syncRequestValue ::= SEQUENCE {
1241          *              mode   ENUMERATED {
1242          *                      -- 0 unused
1243          *                      refreshOnly             (1),
1244          *                      -- 2 reserved
1245          *                      refreshAndPersist       (3)
1246          *              },
1247          *              cookie  syncCookie OPTIONAL
1248          *      }
1249          */
1250
1251         ber = ber_init( &ctrl->ldctl_value );
1252         if( ber == NULL ) {
1253                 rs->sr_text = "internal error";
1254                 return LDAP_OTHER;
1255         }
1256
1257         if ( (tag = ber_scanf( ber, "{i" /*}*/, &mode )) == LBER_ERROR ) {
1258                 rs->sr_text = "LDAP Sync control : mode decoding error";
1259                 return LDAP_PROTOCOL_ERROR;
1260         }
1261
1262         switch( mode ) {
1263         case LDAP_SYNC_REFRESH_ONLY:
1264                 mode = SLAP_SYNC_REFRESH;
1265                 break;
1266         case LDAP_SYNC_REFRESH_AND_PERSIST:
1267                 mode = SLAP_SYNC_REFRESH_AND_PERSIST;
1268                 break;
1269         default:
1270                 rs->sr_text = "LDAP Sync control : unknown update mode";
1271                 return LDAP_PROTOCOL_ERROR;
1272         }
1273
1274         tag = ber_peek_tag( ber, &len );
1275
1276         if ( tag == LDAP_TAG_SYNC_COOKIE ) {
1277                 struct berval tmp_bv;   
1278                 if (( ber_scanf( ber, /*{*/ "o", &tmp_bv )) == LBER_ERROR ) {
1279                         rs->sr_text = "LDAP Sync control : cookie decoding error";
1280                         return LDAP_PROTOCOL_ERROR;
1281                 }
1282                 ber_bvarray_add( &op->o_sync_state.octet_str, &tmp_bv );
1283                 slap_parse_sync_cookie( &op->o_sync_state );
1284         }
1285         if ( tag == LDAP_TAG_RELOAD_HINT ) {
1286                 if (( ber_scanf( ber, /*{*/ "b", &op->o_sync_rhint )) == LBER_ERROR ) {
1287                         rs->sr_text = "LDAP Sync control : rhint decoding error";
1288                         return LDAP_PROTOCOL_ERROR;
1289                 }
1290         }
1291         if (( ber_scanf( ber, /*{*/ "}")) == LBER_ERROR ) {
1292                         rs->sr_text = "LDAP Sync control : decoding error";
1293                         return LDAP_PROTOCOL_ERROR;
1294         }
1295
1296         (void) ber_free( ber, 1 );
1297
1298         op->o_sync_mode = (char) mode;
1299
1300         op->o_sync = ctrl->ldctl_iscritical
1301                 ? SLAP_CRITICAL_CONTROL
1302                 : SLAP_NONCRITICAL_CONTROL;
1303
1304         return LDAP_SUCCESS;
1305 }