git.sur5r.net Git - openldap/blob - servers/slapd/controls.c

   1 /* $OpenLDAP$ */
   2 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
   3  *
   4  * Copyright 1998-2003 The OpenLDAP Foundation.
   5  * All rights reserved.
   6  *
   7  * Redistribution and use in source and binary forms, with or without
   8  * modification, are permitted only as authorized by the OpenLDAP
   9  * Public License.
  10  *
  11  * A copy of this license is available in the file LICENSE in the
  12  * top-level directory of the distribution or, alternatively, at
  13  * <http://www.OpenLDAP.org/license.html>.
  14  */
  15
  16 #include "portable.h"
  17
  18 #include <stdio.h>
  19
  20 #include <ac/string.h>
  21 #include <ac/socket.h>
  22
  23 #include "slap.h"
  24
  25 #include "../../libraries/liblber/lber-int.h"
  26
  27 static SLAP_CTRL_PARSE_FN parseAssert;
  28 static SLAP_CTRL_PARSE_FN parsePreRead;
  29 static SLAP_CTRL_PARSE_FN parsePostRead;
  30 static SLAP_CTRL_PARSE_FN parseProxyAuthz;
  31 static SLAP_CTRL_PARSE_FN parseManageDSAit;
  32 static SLAP_CTRL_PARSE_FN parseModifyIncrement;
  33 static SLAP_CTRL_PARSE_FN parseNoOp;
  34 static SLAP_CTRL_PARSE_FN parsePagedResults;
  35 static SLAP_CTRL_PARSE_FN parseValuesReturnFilter;
  36 static SLAP_CTRL_PARSE_FN parsePermissiveModify;
  37 static SLAP_CTRL_PARSE_FN parseDomainScope;
  38
  39 #ifdef LDAP_CONTROL_SUBENTRIES
  40 static SLAP_CTRL_PARSE_FN parseSubentries;
  41 #endif
  42 static SLAP_CTRL_PARSE_FN parseLDAPsync;
  43
  44 #undef sc_mask /* avoid conflict with Irix 6.5 <sys/signal.h> */
  45
  46 const struct berval slap_pre_read_bv = BER_BVC(LDAP_CONTROL_PRE_READ);
  47 const struct berval slap_post_read_bv = BER_BVC(LDAP_CONTROL_POST_READ);
  48
  49 struct slap_control {
  50         /* Control OID */
  51         char *sc_oid;
  52
  53         /* Operations supported by control */
  54         slap_mask_t sc_mask;
  55
  56         /* Extended operations supported by control */
  57         char **sc_extendedops;
  58
  59         /* Control parsing callback */
  60         SLAP_CTRL_PARSE_FN *sc_parse;
  61
  62         LDAP_SLIST_ENTRY(slap_control) sc_next;
  63 };
  64
  65 static LDAP_SLIST_HEAD(ControlsList, slap_control) controls_list
  66         = LDAP_SLIST_HEAD_INITIALIZER(&controls_list);
  67
  68 /*
  69  * all known request control OIDs should be added to this list
  70  */
  71 char **slap_known_controls = NULL;
  72
  73 static char *proxy_authz_extops[] = {
  74         LDAP_EXOP_MODIFY_PASSWD,
  75         LDAP_EXOP_X_WHO_AM_I,
  76         NULL
  77 };
  78
  79 static struct slap_control control_defs[] = {
  80         { LDAP_CONTROL_ASSERT,
  81                 SLAP_CTRL_HIDE|SLAP_CTRL_ACCESS, NULL,
  82                 parseAssert, LDAP_SLIST_ENTRY_INITIALIZER(next) },
  83         { LDAP_CONTROL_PRE_READ,
  84                 SLAP_CTRL_HIDE|SLAP_CTRL_DELETE|SLAP_CTRL_MODIFY|SLAP_CTRL_RENAME, NULL,
  85                 parsePreRead, LDAP_SLIST_ENTRY_INITIALIZER(next) },
  86         { LDAP_CONTROL_POST_READ,
  87                 SLAP_CTRL_HIDE|SLAP_CTRL_ADD|SLAP_CTRL_MODIFY|SLAP_CTRL_RENAME, NULL,
  88                 parsePostRead, LDAP_SLIST_ENTRY_INITIALIZER(next) },
  89         { LDAP_CONTROL_VALUESRETURNFILTER,
  90                 SLAP_CTRL_SEARCH, NULL,
  91                 parseValuesReturnFilter, LDAP_SLIST_ENTRY_INITIALIZER(next) },
  92         { LDAP_CONTROL_PAGEDRESULTS,
  93                 SLAP_CTRL_SEARCH, NULL,
  94                 parsePagedResults, LDAP_SLIST_ENTRY_INITIALIZER(next) },
  95 #ifdef LDAP_CONTROL_X_DOMAIN_SCOPE
  96         { LDAP_CONTROL_X_DOMAIN_SCOPE,
  97                 SLAP_CTRL_FRONTEND|SLAP_CTRL_SEARCH, NULL,
  98                 parseDomainScope, LDAP_SLIST_ENTRY_INITIALIZER(next) },
  99 #endif
 100 #ifdef LDAP_CONTROL_X_PERMISSIVE_MODIFY
 101         { LDAP_CONTROL_X_PERMISSIVE_MODIFY,
 102                 SLAP_CTRL_MODIFY, NULL,
 103                 parsePermissiveModify, LDAP_SLIST_ENTRY_INITIALIZER(next) },
 104 #endif
 105 #ifdef LDAP_CONTROL_SUBENTRIES
 106         { LDAP_CONTROL_SUBENTRIES,
 107                 SLAP_CTRL_SEARCH, NULL,
 108                 parseSubentries, LDAP_SLIST_ENTRY_INITIALIZER(next) },
 109 #endif
 110         { LDAP_CONTROL_NOOP,
 111                 SLAP_CTRL_ACCESS, NULL,
 112                 parseNoOp, LDAP_SLIST_ENTRY_INITIALIZER(next) },
 113         { LDAP_CONTROL_SYNC,
 114                 SLAP_CTRL_HIDE|SLAP_CTRL_SEARCH, NULL,
 115                 parseLDAPsync, LDAP_SLIST_ENTRY_INITIALIZER(next) },
 116         { LDAP_CONTROL_MODIFY_INCREMENT,
 117                 SLAP_CTRL_HIDE|SLAP_CTRL_MODIFY, NULL,
 118                 parseModifyIncrement, LDAP_SLIST_ENTRY_INITIALIZER(next) },
 119         { LDAP_CONTROL_MANAGEDSAIT,
 120                 SLAP_CTRL_ACCESS, NULL,
 121                 parseManageDSAit, LDAP_SLIST_ENTRY_INITIALIZER(next) },
 122         { LDAP_CONTROL_PROXY_AUTHZ,
 123                 SLAP_CTRL_FRONTEND|SLAP_CTRL_ACCESS, proxy_authz_extops,
 124                 parseProxyAuthz, LDAP_SLIST_ENTRY_INITIALIZER(next) },
 125         { NULL, 0, NULL, 0, LDAP_SLIST_ENTRY_INITIALIZER(next) }
 126 };
 127
 128 /*
 129  * Register a supported control.
 130  *
 131  * This can be called by an OpenLDAP plugin or, indirectly, by a
 132  * SLAPI plugin calling slapi_register_supported_control().
 133  */
 134 int
 135 register_supported_control(const char *controloid,
 136         slap_mask_t controlmask,
 137         char **controlexops,
 138         SLAP_CTRL_PARSE_FN *controlparsefn)
 139 {
 140         struct slap_control *sc;
 141         int i;
 142
 143         if ( controloid == NULL ) {
 144                 return LDAP_PARAM_ERROR;
 145         }
 146
 147         sc = (struct slap_control *)SLAP_MALLOC( sizeof( *sc ) );
 148         if ( sc == NULL ) {
 149                 return LDAP_NO_MEMORY;
 150         }
 151         sc->sc_oid = ch_strdup( controloid );
 152         sc->sc_mask = controlmask;
 153         if ( controlexops != NULL ) {
 154                 sc->sc_extendedops = ldap_charray_dup( controlexops );
 155                 if ( sc->sc_extendedops == NULL ) {
 156                         ch_free( sc );
 157                         return LDAP_NO_MEMORY;
 158                 }
 159         } else {
 160                 sc->sc_extendedops = NULL;
 161         }
 162         sc->sc_parse = controlparsefn;
 163
 164         /* Update slap_known_controls, too. */
 165         if ( slap_known_controls == NULL ) {
 166                 slap_known_controls = (char **)SLAP_MALLOC( 2 * sizeof(char *) );
 167                 if ( slap_known_controls == NULL ) {
 168                         if ( sc->sc_extendedops != NULL ) ldap_charray_free( sc->sc_extendedops );
 169                         ch_free( sc );
 170                         return LDAP_NO_MEMORY;
 171                 }
 172                 slap_known_controls[0] = ch_strdup( sc->sc_oid );
 173                 slap_known_controls[1] = NULL;
 174         } else {
 175                 for ( i = 0; slap_known_controls[i] != NULL; i++ )
 176                         ;
 177                 slap_known_controls = (char **)SLAP_REALLOC( slap_known_controls, (i + 2) * sizeof(char *) );
 178                 if ( slap_known_controls == NULL ) {
 179                         if ( sc->sc_extendedops != NULL ) ldap_charray_free( sc->sc_extendedops );
 180                         ch_free( sc );
 181                         return LDAP_NO_MEMORY;
 182                 }
 183                 slap_known_controls[i++] = ch_strdup( sc->sc_oid );
 184                 slap_known_controls[i] = NULL;
 185         }
 186
 187         LDAP_SLIST_NEXT( sc, sc_next ) = NULL;
 188         LDAP_SLIST_INSERT_HEAD( &controls_list, sc, sc_next );
 189
 190         return LDAP_SUCCESS;
 191 }
 192
 193 /*
 194  * One-time initialization of internal controls.
 195  */
 196 int
 197 slap_controls_init( void )
 198 {
 199         int i, rc;
 200         struct slap_control *sc;
 201
 202         rc = LDAP_SUCCESS;
 203
 204         for ( i = 0; control_defs[i].sc_oid != NULL; i++ ) {
 205                 rc = register_supported_control( control_defs[i].sc_oid,
 206                         control_defs[i].sc_mask, control_defs[i].sc_extendedops,
 207                         control_defs[i].sc_parse );
 208                 if ( rc != LDAP_SUCCESS )
 209                         break;
 210         }
 211
 212         return rc;
 213 }
 214
 215 /*
 216  * Free memory associated with list of supported controls.
 217  */
 218 void
 219 controls_destroy( void )
 220 {
 221         struct slap_control *sc;
 222
 223         while ( !LDAP_SLIST_EMPTY(&controls_list) ) {
 224                 sc = LDAP_SLIST_FIRST(&controls_list);
 225                 LDAP_SLIST_REMOVE_HEAD(&controls_list, sc_next);
 226
 227                 ch_free( sc->sc_oid );
 228                 if ( sc->sc_extendedops != NULL ) {
 229                         ldap_charray_free( sc->sc_extendedops );
 230                 }
 231                 ch_free( sc );
 232         }
 233         ldap_charray_free( slap_known_controls );
 234 }
 235
 236 /*
 237  * Format the supportedControl attribute of the root DSE,
 238  * detailing which controls are supported by the directory
 239  * server.
 240  */
 241 int
 242 controls_root_dse_info( Entry *e )
 243 {
 244         AttributeDescription *ad_supportedControl
 245                 = slap_schema.si_ad_supportedControl;
 246         struct berval vals[2];
 247         struct slap_control *sc;
 248
 249         vals[1].bv_val = NULL;
 250         vals[1].bv_len = 0;
 251
 252         LDAP_SLIST_FOREACH( sc, &controls_list, sc_next ) {
 253                 if( sc->sc_mask & SLAP_CTRL_HIDE ) continue;
 254
 255                 vals[0].bv_val = sc->sc_oid;
 256                 vals[0].bv_len = strlen( sc->sc_oid );
 257
 258                 if ( attr_merge( e, ad_supportedControl, vals, NULL ) ) {
 259                         return -1;
 260                 }
 261         }
 262
 263         return 0;
 264 }
 265
 266 /*
 267  * Return a list of OIDs and operation masks for supported
 268  * controls. Used by SLAPI.
 269  */
 270 int
 271 get_supported_controls(char ***ctrloidsp,
 272         slap_mask_t **ctrlmasks)
 273 {
 274         int i, n;
 275         char **oids;
 276         slap_mask_t *masks;
 277         int rc;
 278         struct slap_control *sc;
 279
 280         n = 0;
 281
 282         LDAP_SLIST_FOREACH( sc, &controls_list, sc_next ) {
 283                 n++;
 284         }
 285
 286         if ( n == 0 ) {
 287                 *ctrloidsp = NULL;
 288                 *ctrlmasks = NULL;
 289                 return LDAP_SUCCESS;
 290         }
 291
 292         oids = (char **)SLAP_MALLOC( (n + 1) * sizeof(char *) );
 293         if ( oids == NULL ) {
 294                 return LDAP_NO_MEMORY;
 295         }
 296         masks = (slap_mask_t *)SLAP_MALLOC( (n + 1) * sizeof(slap_mask_t) );
 297         if  ( masks == NULL ) {
 298                 ch_free( oids );
 299                 return LDAP_NO_MEMORY;
 300         }
 301
 302         n = 0;
 303
 304         LDAP_SLIST_FOREACH( sc, &controls_list, sc_next ) {
 305                 oids[n] = ch_strdup( sc->sc_oid );
 306                 masks[n] = sc->sc_mask;
 307                 n++;
 308         }
 309         oids[n] = NULL;
 310         masks[n] = 0;
 311
 312         *ctrloidsp = oids;
 313         *ctrlmasks = masks;
 314
 315         return LDAP_SUCCESS;
 316 }
 317
 318 /*
 319  * Find a control given its OID.
 320  */
 321 static struct slap_control *
 322 find_ctrl( const char *oid )
 323 {
 324         struct slap_control *sc;
 325
 326         LDAP_SLIST_FOREACH( sc, &controls_list, sc_next ) {
 327                 if ( strcmp( oid, sc->sc_oid ) == 0 ) {
 328                         return sc;
 329                 }
 330         }
 331
 332         return NULL;
 333 }
 334
 335 void slap_free_ctrls(
 336         Operation *op,
 337         LDAPControl **ctrls
 338 )
 339 {
 340         int i;
 341
 342         for (i=0; ctrls[i]; i++) {
 343                 op->o_tmpfree(ctrls[i], op->o_tmpmemctx );
 344         }
 345         op->o_tmpfree( ctrls, op->o_tmpmemctx );
 346 }
 347
 348 int get_ctrls(
 349         Operation *op,
 350         SlapReply *rs,
 351         int sendres )
 352 {
 353         int nctrls = 0;
 354         ber_tag_t tag;
 355         ber_len_t len;
 356         char *opaque;
 357         BerElement *ber = op->o_ber;
 358         struct slap_control *sc;
 359         struct berval bv;
 360
 361         len = ber_pvt_ber_remaining(ber);
 362
 363         if( len == 0) {
 364                 /* no controls */
 365                 rs->sr_err = LDAP_SUCCESS;
 366                 return rs->sr_err;
 367         }
 368
 369         if(( tag = ber_peek_tag( ber, &len )) != LDAP_TAG_CONTROLS ) {
 370                 if( tag == LBER_ERROR ) {
 371                         rs->sr_err = SLAPD_DISCONNECT;
 372                         rs->sr_text = "unexpected data in PDU";
 373                 }
 374
 375                 goto return_results;
 376         }
 377
 378 #ifdef NEW_LOGGING
 379         LDAP_LOG( OPERATION, ENTRY,
 380                 "get_ctrls: conn %lu\n", op->o_connid, 0, 0 );
 381 #else
 382         Debug( LDAP_DEBUG_TRACE,
 383                 "=> get_ctrls\n", 0, 0, 0 );
 384 #endif
 385
 386         if( op->o_protocol < LDAP_VERSION3 ) {
 387                 rs->sr_err = SLAPD_DISCONNECT;
 388                 rs->sr_text = "controls require LDAPv3";
 389                 goto return_results;
 390         }
 391
 392         /* one for first control, one for termination */
 393         op->o_ctrls = op->o_tmpalloc( 2 * sizeof(LDAPControl *), op->o_tmpmemctx );
 394
 395 #if 0
 396         if( op->ctrls == NULL ) {
 397                 rs->sr_err = LDAP_NO_MEMORY;
 398                 rs->sr_text = "no memory";
 399                 goto return_results;
 400         }
 401 #endif
 402
 403         op->o_ctrls[nctrls] = NULL;
 404
 405         /* step through each element */
 406         for( tag = ber_first_element( ber, &len, &opaque );
 407                 tag != LBER_ERROR;
 408                 tag = ber_next_element( ber, &len, opaque ) )
 409         {
 410                 LDAPControl *c;
 411                 LDAPControl **tctrls;
 412
 413                 c = op->o_tmpalloc( sizeof(LDAPControl), op->o_tmpmemctx );
 414                 memset(c, 0, sizeof(LDAPControl));
 415
 416                 /* allocate pointer space for current controls (nctrls)
 417                  * + this control + extra NULL
 418                  */
 419                 tctrls = op->o_tmprealloc( op->o_ctrls,
 420                         (nctrls+2) * sizeof(LDAPControl *), op->o_tmpmemctx );
 421
 422 #if 0
 423                 if( tctrls == NULL ) {
 424                         ch_free( c );
 425                         ldap_controls_free(op->o_ctrls);
 426                         op->o_ctrls = NULL;
 427
 428                         rs->sr_err = LDAP_NO_MEMORY;
 429                         rs->sr_text = "no memory";
 430                         goto return_results;
 431                 }
 432 #endif
 433                 op->o_ctrls = tctrls;
 434
 435                 op->o_ctrls[nctrls++] = c;
 436                 op->o_ctrls[nctrls] = NULL;
 437
 438                 tag = ber_scanf( ber, "{m" /*}*/, &bv );
 439                 c->ldctl_oid = bv.bv_val;
 440
 441                 if( tag == LBER_ERROR ) {
 442 #ifdef NEW_LOGGING
 443                         LDAP_LOG( OPERATION, INFO, "get_ctrls: conn %lu get OID failed.\n",
 444                                 op->o_connid, 0, 0 );
 445 #else
 446                         Debug( LDAP_DEBUG_TRACE, "=> get_ctrls: get oid failed.\n",
 447                                 0, 0, 0 );
 448 #endif
 449
 450                         slap_free_ctrls( op, op->o_ctrls );
 451                         op->o_ctrls = NULL;
 452                         rs->sr_err = SLAPD_DISCONNECT;
 453                         rs->sr_text = "decoding controls error";
 454                         goto return_results;
 455
 456                 } else if( c->ldctl_oid == NULL ) {
 457 #ifdef NEW_LOGGING
 458                         LDAP_LOG( OPERATION, INFO,
 459                                 "get_ctrls: conn %lu got emtpy OID.\n",
 460                                 op->o_connid, 0, 0 );
 461 #else
 462                         Debug( LDAP_DEBUG_TRACE,
 463                                 "get_ctrls: conn %lu got emtpy OID.\n",
 464                                 op->o_connid, 0, 0 );
 465 #endif
 466
 467                         slap_free_ctrls( op, op->o_ctrls );
 468                         op->o_ctrls = NULL;
 469                         rs->sr_err = LDAP_PROTOCOL_ERROR;
 470                         rs->sr_text = "OID field is empty";
 471                         goto return_results;
 472                 }
 473
 474                 tag = ber_peek_tag( ber, &len );
 475
 476                 if( tag == LBER_BOOLEAN ) {
 477                         ber_int_t crit;
 478                         tag = ber_scanf( ber, "b", &crit );
 479
 480                         if( tag == LBER_ERROR ) {
 481 #ifdef NEW_LOGGING
 482                                 LDAP_LOG( OPERATION, INFO,
 483                                         "get_ctrls: conn %lu get crit failed.\n",
 484                                         op->o_connid, 0, 0 );
 485 #else
 486                                 Debug( LDAP_DEBUG_TRACE, "=> get_ctrls: get crit failed.\n",
 487                                         0, 0, 0 );
 488 #endif
 489                                 slap_free_ctrls( op, op->o_ctrls );
 490                                 op->o_ctrls = NULL;
 491                                 rs->sr_err = SLAPD_DISCONNECT;
 492                                 rs->sr_text = "decoding controls error";
 493                                 goto return_results;
 494                         }
 495
 496                         c->ldctl_iscritical = (crit != 0);
 497                         tag = ber_peek_tag( ber, &len );
 498                 }
 499
 500                 if( tag == LBER_OCTETSTRING ) {
 501                         tag = ber_scanf( ber, "m", &c->ldctl_value );
 502
 503                         if( tag == LBER_ERROR ) {
 504 #ifdef NEW_LOGGING
 505                                 LDAP_LOG( OPERATION, INFO, "get_ctrls: conn %lu: "
 506                                         "%s (%scritical): get value failed.\n",
 507                                         op->o_connid, c->ldctl_oid,
 508                                         c->ldctl_iscritical ? "" : "non" );
 509 #else
 510                                 Debug( LDAP_DEBUG_TRACE, "=> get_ctrls: conn %lu: "
 511                                         "%s (%scritical): get value failed.\n",
 512                                         op->o_connid, c->ldctl_oid,
 513                                         c->ldctl_iscritical ? "" : "non" );
 514 #endif
 515                                 slap_free_ctrls( op, op->o_ctrls );
 516                                 op->o_ctrls = NULL;
 517                                 rs->sr_err = SLAPD_DISCONNECT;
 518                                 rs->sr_text = "decoding controls error";
 519                                 goto return_results;
 520                         }
 521                 }
 522
 523 #ifdef NEW_LOGGING
 524                 LDAP_LOG( OPERATION, INFO,
 525                         "get_ctrls: conn %lu oid=\"%s\" (%scritical)\n",
 526                         op->o_connid, c->ldctl_oid, c->ldctl_iscritical ? "" : "non" );
 527 #else
 528                 Debug( LDAP_DEBUG_TRACE,
 529                         "=> get_ctrls: oid=\"%s\" (%scritical)\n",
 530                         c->ldctl_oid, c->ldctl_iscritical ? "" : "non", 0 );
 531 #endif
 532
 533                 sc = find_ctrl( c->ldctl_oid );
 534                 if( sc != NULL ) {
 535                         /* recognized control */
 536                         slap_mask_t tagmask;
 537                         switch( op->o_tag ) {
 538                         case LDAP_REQ_ADD:
 539                                 tagmask = SLAP_CTRL_ADD;
 540                                 break;
 541                         case LDAP_REQ_BIND:
 542                                 tagmask = SLAP_CTRL_BIND;
 543                                 break;
 544                         case LDAP_REQ_COMPARE:
 545                                 tagmask = SLAP_CTRL_COMPARE;
 546                                 break;
 547                         case LDAP_REQ_DELETE:
 548                                 tagmask = SLAP_CTRL_DELETE;
 549                                 break;
 550                         case LDAP_REQ_MODIFY:
 551                                 tagmask = SLAP_CTRL_MODIFY;
 552                                 break;
 553                         case LDAP_REQ_RENAME:
 554                                 tagmask = SLAP_CTRL_RENAME;
 555                                 break;
 556                         case LDAP_REQ_SEARCH:
 557                                 tagmask = SLAP_CTRL_SEARCH;
 558                                 break;
 559                         case LDAP_REQ_UNBIND:
 560                                 tagmask = SLAP_CTRL_UNBIND;
 561                                 break;
 562                         case LDAP_REQ_ABANDON:
 563                                 tagmask = SLAP_CTRL_ABANDON;
 564                                 break;
 565                         case LDAP_REQ_EXTENDED:
 566                                 tagmask=~0L;
 567                                 assert( op->ore_reqoid.bv_val != NULL );
 568                                 if( sc->sc_extendedops != NULL ) {
 569                                         int i;
 570                                         for( i=0; sc->sc_extendedops[i] != NULL; i++ ) {
 571                                                 if( strcmp( op->ore_reqoid.bv_val, sc->sc_extendedops[i] )
 572                                                         == 0 )
 573                                                 {
 574                                                         tagmask=0L;
 575                                                         break;
 576                                                 }
 577                                         }
 578                                 }
 579                                 break;
 580                         default:
 581                                 rs->sr_err = LDAP_OTHER;
 582                                 rs->sr_text = "controls internal error";
 583                                 goto return_results;
 584                         }
 585
 586                         if (( sc->sc_mask & tagmask ) == tagmask ) {
 587                                 /* available extension */
 588
 589                                 if( !sc->sc_parse ) {
 590                                         rs->sr_err = LDAP_OTHER;
 591                                         rs->sr_text = "not yet implemented";
 592                                         goto return_results;
 593                                 }
 594
 595                                 rs->sr_err = sc->sc_parse( op, rs, c );
 596
 597                                 if( rs->sr_err != LDAP_SUCCESS ) goto return_results;
 598
 599                                 if ( sc->sc_mask & SLAP_CTRL_FRONTEND ) {
 600                                         /* kludge to disable backend_control() check */
 601                                         c->ldctl_iscritical = 0;
 602
 603                                 } else if ( tagmask == SLAP_CTRL_SEARCH &&
 604                                         sc->sc_mask & SLAP_CTRL_FRONTEND_SEARCH )
 605                                 {
 606                                         /* kludge to disable backend_control() check */
 607                                         c->ldctl_iscritical = 0;
 608                                 }
 609
 610                         } else if( c->ldctl_iscritical ) {
 611                                 /* unavailable CRITICAL control */
 612                                 rs->sr_err = LDAP_UNAVAILABLE_CRITICAL_EXTENSION;
 613                                 rs->sr_text = "critical extension is unavailable";
 614                                 goto return_results;
 615                         }
 616
 617                 } else if( c->ldctl_iscritical ) {
 618                         /* unrecognized CRITICAL control */
 619                         rs->sr_err = LDAP_UNAVAILABLE_CRITICAL_EXTENSION;
 620                         rs->sr_text = "critical extension is not recognized";
 621                         goto return_results;
 622                 }
 623         }
 624
 625 return_results:
 626 #ifdef NEW_LOGGING
 627         LDAP_LOG( OPERATION, RESULTS,
 628                 "get_ctrls: n=%d rc=%d err=\"%s\"\n",
 629                 nctrls, rs->sr_err, rs->sr_text ? rs->sr_text : "" );
 630 #else
 631         Debug( LDAP_DEBUG_TRACE,
 632                 "<= get_ctrls: n=%d rc=%d err=\"%s\"\n",
 633                 nctrls, rs->sr_err, rs->sr_text ? rs->sr_text : "");
 634 #endif
 635
 636         if( sendres && rs->sr_err != LDAP_SUCCESS ) {
 637                 if( rs->sr_err == SLAPD_DISCONNECT ) {
 638                         rs->sr_err = LDAP_PROTOCOL_ERROR;
 639                         send_ldap_disconnect( op, rs );
 640                         rs->sr_err = SLAPD_DISCONNECT;
 641                 } else {
 642                         send_ldap_result( op, rs );
 643                 }
 644         }
 645
 646         return rs->sr_err;
 647 }
 648
 649 static int parseModifyIncrement (
 650         Operation *op,
 651         SlapReply *rs,
 652         LDAPControl *ctrl )
 653 {
 654 #if 0
 655         if ( op->o_parseModifyIncrement != SLAP_NO_CONTROL ) {
 656                 rs->sr_text = "modifyIncrement control specified multiple times";
 657                 return LDAP_PROTOCOL_ERROR;
 658         }
 659 #endif
 660
 661         if ( ctrl->ldctl_value.bv_len ) {
 662                 rs->sr_text = "modifyIncrement control value not empty";
 663                 return LDAP_PROTOCOL_ERROR;
 664         }
 665
 666 #if 0
 667         op->o_parseModifyIncrement = ctrl->ldctl_iscritical
 668                 ? SLAP_CRITICAL_CONTROL
 669                 : SLAP_NONCRITICAL_CONTROL;
 670 #endif
 671
 672         return LDAP_SUCCESS;
 673 }
 674
 675 static int parseManageDSAit (
 676         Operation *op,
 677         SlapReply *rs,
 678         LDAPControl *ctrl )
 679 {
 680         if ( op->o_managedsait != SLAP_NO_CONTROL ) {
 681                 rs->sr_text = "manageDSAit control specified multiple times";
 682                 return LDAP_PROTOCOL_ERROR;
 683         }
 684
 685         if ( ctrl->ldctl_value.bv_len ) {
 686                 rs->sr_text = "manageDSAit control value not empty";
 687                 return LDAP_PROTOCOL_ERROR;
 688         }
 689
 690         op->o_managedsait = ctrl->ldctl_iscritical
 691                 ? SLAP_CRITICAL_CONTROL
 692                 : SLAP_NONCRITICAL_CONTROL;
 693
 694         return LDAP_SUCCESS;
 695 }
 696
 697 static int parseProxyAuthz (
 698         Operation *op,
 699         SlapReply *rs,
 700         LDAPControl *ctrl )
 701 {
 702         int             rc;
 703         struct berval   dn = { 0, NULL };
 704
 705         if ( op->o_proxy_authz != SLAP_NO_CONTROL ) {
 706                 rs->sr_text = "proxy authorization control specified multiple times";
 707                 return LDAP_PROTOCOL_ERROR;
 708         }
 709
 710         op->o_proxy_authz = ctrl->ldctl_iscritical
 711                 ? SLAP_CRITICAL_CONTROL
 712                 : SLAP_NONCRITICAL_CONTROL;
 713
 714 #ifdef NEW_LOGGING
 715         LDAP_LOG( OPERATION, ARGS,
 716                 "parseProxyAuthz: conn %lu authzid=\"%s\"\n",
 717                 op->o_connid,
 718                 ctrl->ldctl_value.bv_len ?  ctrl->ldctl_value.bv_val : "anonymous",
 719                 0 );
 720 #else
 721         Debug( LDAP_DEBUG_ARGS,
 722                 "parseProxyAuthz: conn %lu authzid=\"%s\"\n",
 723                 op->o_connid,
 724                 ctrl->ldctl_value.bv_len ?  ctrl->ldctl_value.bv_val : "anonymous",
 725                 0 );
 726 #endif
 727
 728         if( ctrl->ldctl_value.bv_len == 0 ) {
 729 #ifdef NEW_LOGGING
 730                 LDAP_LOG( OPERATION, RESULTS,
 731                         "parseProxyAuthz: conn=%lu anonymous\n",
 732                         op->o_connid, 0, 0 );
 733 #else
 734                 Debug( LDAP_DEBUG_TRACE,
 735                         "parseProxyAuthz: conn=%lu anonymous\n",
 736                         op->o_connid, 0, 0 );
 737 #endif
 738
 739                 /* anonymous */
 740                 free( op->o_dn.bv_val );
 741                 op->o_dn.bv_len = 0;
 742                 op->o_dn.bv_val = ch_strdup( "" );
 743
 744                 free( op->o_ndn.bv_val );
 745                 op->o_ndn.bv_len = 0;
 746                 op->o_ndn.bv_val = ch_strdup( "" );
 747
 748                 return LDAP_SUCCESS;
 749         }
 750
 751         /* FIXME: how can we get the realm? */
 752         {
 753                 int     rc;
 754                 char            buf[ SLAP_LDAPDN_MAXLEN ];
 755                 struct berval   id = { ctrl->ldctl_value.bv_len, (char *)buf },
 756                                 user = { 0, NULL },
 757                                 realm = { 0, NULL },
 758                                 mech = { 0, NULL };
 759
 760                 strncpy( buf, ctrl->ldctl_value.bv_val, sizeof( buf ) );
 761
 762                 rc = slap_parse_user( &id, &user, &realm, &mech );
 763                 if ( rc == LDAP_SUCCESS ) {
 764                         struct berval authz = BER_BVC( "AUTHZ" );
 765
 766                         if ( mech.bv_len && !bvmatch( &mech, &authz) ) {
 767                                 rs->sr_text = "mech not allowed in authzId";
 768                                 return LDAP_PROXY_AUTHZ_FAILURE;
 769                         }
 770                 } else {
 771                         user = ctrl->ldctl_value;
 772                 }
 773
 774                 rc = slap_sasl_getdn( op->o_conn, op,
 775                                 user.bv_val, user.bv_len,
 776                                 realm.bv_val, &dn, SLAP_GETDN_AUTHZID );
 777
 778                 if( rc != LDAP_SUCCESS || !dn.bv_len ) {
 779                         if ( dn.bv_val ) {
 780                                 ch_free( dn.bv_val );
 781                         }
 782                         rs->sr_text = "authzId mapping failed";
 783                         return LDAP_PROXY_AUTHZ_FAILURE;
 784                 }
 785         }
 786
 787 #ifdef NEW_LOGGING
 788         LDAP_LOG( OPERATION, RESULTS,
 789                 "parseProxyAuthz: conn=%lu \"%s\"\n",
 790                 op->o_connid,
 791                 dn.bv_len ? dn.bv_val : "(NULL)", 0 );
 792 #else
 793         Debug( LDAP_DEBUG_TRACE,
 794                 "parseProxyAuthz: conn=%lu \"%s\"\n",
 795                 op->o_connid,
 796                 dn.bv_len ? dn.bv_val : "(NULL)", 0 );
 797 #endif
 798
 799         rc = slap_sasl_authorized( op, &op->o_ndn, &dn );
 800
 801         if( rc ) {
 802                 ch_free( dn.bv_val );
 803                 rs->sr_text = "not authorized to assume identity";
 804                 return LDAP_PROXY_AUTHZ_FAILURE;
 805         }
 806
 807         ch_free( op->o_dn.bv_val );
 808         ch_free( op->o_ndn.bv_val );
 809
 810         op->o_dn.bv_val = NULL;
 811         op->o_ndn = dn;
 812
 813         /*
 814          * NOTE: since slap_sasl_getdn() returns a normalized dn,
 815          * from now on op->o_dn is normalized
 816          */
 817         ber_dupbv( &op->o_dn, &dn );
 818
 819         return LDAP_SUCCESS;
 820 }
 821
 822 static int parseNoOp (
 823         Operation *op,
 824         SlapReply *rs,
 825         LDAPControl *ctrl )
 826 {
 827         if ( op->o_noop != SLAP_NO_CONTROL ) {
 828                 rs->sr_text = "noop control specified multiple times";
 829                 return LDAP_PROTOCOL_ERROR;
 830         }
 831
 832         if ( ctrl->ldctl_value.bv_len ) {
 833                 rs->sr_text = "noop control value not empty";
 834                 return LDAP_PROTOCOL_ERROR;
 835         }
 836
 837         op->o_noop = ctrl->ldctl_iscritical
 838                 ? SLAP_CRITICAL_CONTROL
 839                 : SLAP_NONCRITICAL_CONTROL;
 840
 841         return LDAP_SUCCESS;
 842 }
 843
 844 static int parsePagedResults (
 845         Operation *op,
 846         SlapReply *rs,
 847         LDAPControl *ctrl )
 848 {
 849         ber_tag_t tag;
 850         ber_int_t size;
 851         BerElement *ber;
 852         struct berval cookie = { 0, NULL };
 853
 854         if ( op->o_pagedresults != SLAP_NO_CONTROL ) {
 855                 rs->sr_text = "paged results control specified multiple times";
 856                 return LDAP_PROTOCOL_ERROR;
 857         }
 858
 859         if ( ctrl->ldctl_value.bv_len == 0 ) {
 860                 rs->sr_text = "paged results control value is empty (or absent)";
 861                 return LDAP_PROTOCOL_ERROR;
 862         }
 863
 864         /* Parse the control value
 865          *      realSearchControlValue ::= SEQUENCE {
 866          *              size    INTEGER (0..maxInt),
 867          *                              -- requested page size from client
 868          *                              -- result set size estimate from server
 869          *              cookie  OCTET STRING
 870          * }
 871          */
 872         ber = ber_init( &ctrl->ldctl_value );
 873         if( ber == NULL ) {
 874                 rs->sr_text = "internal error";
 875                 return LDAP_OTHER;
 876         }
 877
 878         tag = ber_scanf( ber, "{im}", &size, &cookie );
 879         (void) ber_free( ber, 1 );
 880
 881         if( tag == LBER_ERROR ) {
 882                 rs->sr_text = "paged results control could not be decoded";
 883                 return LDAP_PROTOCOL_ERROR;
 884         }
 885
 886         if( size < 0 ) {
 887                 rs->sr_text = "paged results control size invalid";
 888                 return LDAP_PROTOCOL_ERROR;
 889         }
 890
 891         if( cookie.bv_len ) {
 892                 PagedResultsCookie reqcookie;
 893                 if( cookie.bv_len != sizeof( reqcookie ) ) {
 894                         /* bad cookie */
 895                         rs->sr_text = "paged results cookie is invalid";
 896                         return LDAP_PROTOCOL_ERROR;
 897                 }
 898
 899                 AC_MEMCPY( &reqcookie, cookie.bv_val, sizeof( reqcookie ));
 900
 901                 if( reqcookie > op->o_pagedresults_state.ps_cookie ) {
 902                         /* bad cookie */
 903                         rs->sr_text = "paged results cookie is invalid";
 904                         return LDAP_PROTOCOL_ERROR;
 905
 906                 } else if( reqcookie < op->o_pagedresults_state.ps_cookie ) {
 907                         rs->sr_text = "paged results cookie is invalid or old";
 908                         return LDAP_UNWILLING_TO_PERFORM;
 909                 }
 910         } else {
 911                 /* Initial request.  Initialize state. */
 912                 op->o_pagedresults_state.ps_cookie = 0;
 913                 op->o_pagedresults_state.ps_id = NOID;
 914         }
 915
 916         op->o_pagedresults_size = size;
 917
 918         op->o_pagedresults = ctrl->ldctl_iscritical
 919                 ? SLAP_CRITICAL_CONTROL
 920                 : SLAP_NONCRITICAL_CONTROL;
 921
 922         return LDAP_SUCCESS;
 923 }
 924
 925 static int parseAssert (
 926         Operation *op,
 927         SlapReply *rs,
 928         LDAPControl *ctrl )
 929 {
 930         BerElement      *ber;
 931         struct berval   fstr = { 0, NULL };
 932         const char *err_msg = "";
 933
 934         if ( op->o_assert != SLAP_NO_CONTROL ) {
 935                 rs->sr_text = "assert control specified multiple times";
 936                 return LDAP_PROTOCOL_ERROR;
 937         }
 938
 939         if ( ctrl->ldctl_value.bv_len == 0 ) {
 940                 rs->sr_text = "assert control value is empty (or absent)";
 941                 return LDAP_PROTOCOL_ERROR;
 942         }
 943
 944         ber = ber_init( &(ctrl->ldctl_value) );
 945         if (ber == NULL) {
 946                 rs->sr_text = "assert control: internal error";
 947                 return LDAP_OTHER;
 948         }
 949
 950         rs->sr_err = get_filter( op, ber, &(op->o_assertion), &rs->sr_text);
 951
 952         if( rs->sr_err != LDAP_SUCCESS ) {
 953                 if( rs->sr_err == SLAPD_DISCONNECT ) {
 954                         rs->sr_err = LDAP_PROTOCOL_ERROR;
 955                         send_ldap_disconnect( op, rs );
 956                         rs->sr_err = SLAPD_DISCONNECT;
 957                 } else {
 958                         send_ldap_result( op, rs );
 959                 }
 960                 if( op->o_assertion != NULL ) {
 961                         filter_free_x( op, op->o_assertion );
 962                 }
 963                 return rs->sr_err;
 964         }
 965
 966 #ifdef LDAP_DEBUG
 967         filter2bv_x( op, op->o_assertion, &fstr );
 968
 969 #ifdef NEW_LOGGING
 970         LDAP_LOG( OPERATION, ARGS,
 971                 "parseAssert: conn %ld assert: %s\n",
 972                 op->o_connid, fstr.bv_len ? fstr.bv_val : "empty" , 0 );
 973 #else
 974         Debug( LDAP_DEBUG_ARGS, "parseAssert: conn %ld assert: %s\n",
 975                 op->o_connid, fstr.bv_len ? fstr.bv_val : "empty" , 0 );
 976 #endif
 977         op->o_tmpfree( fstr.bv_val, op->o_tmpmemctx );
 978 #endif
 979
 980         op->o_assert = ctrl->ldctl_iscritical
 981                 ? SLAP_CRITICAL_CONTROL
 982                 : SLAP_NONCRITICAL_CONTROL;
 983
 984         rs->sr_err = LDAP_SUCCESS;
 985         return LDAP_SUCCESS;
 986 }
 987
 988 static int parsePreRead (
 989         Operation *op,
 990         SlapReply *rs,
 991         LDAPControl *ctrl )
 992 {
 993         ber_len_t siz, off, i;
 994         AttributeName *an = NULL;
 995         BerElement      *ber;
 996
 997         if ( op->o_preread != SLAP_NO_CONTROL ) {
 998                 rs->sr_text = "preread control specified multiple times";
 999                 return LDAP_PROTOCOL_ERROR;
1000         }
1001
1002         if ( ctrl->ldctl_value.bv_len == 0 ) {
1003                 rs->sr_text = "preread control value is empty (or absent)";
1004                 return LDAP_PROTOCOL_ERROR;
1005         }
1006
1007         ber = ber_init( &(ctrl->ldctl_value) );
1008         if (ber == NULL) {
1009                 rs->sr_text = "preread control: internal error";
1010                 return LDAP_OTHER;
1011         }
1012
1013         siz = sizeof( AttributeName );
1014         off = offsetof( AttributeName, an_name );
1015         if ( ber_scanf( ber, "{M}", &an, &siz, off ) == LBER_ERROR ) {
1016                 rs->sr_text = "preread control: decoding error";
1017                 return LDAP_PROTOCOL_ERROR;
1018         }
1019
1020         for( i=0; i<siz; i++ ) {
1021                 const char *dummy;
1022                 an[i].an_desc = NULL;
1023                 an[i].an_oc = NULL;
1024                 slap_bv2ad( &an[i].an_name, &an[i].an_desc, &dummy );
1025         }
1026
1027         op->o_preread = ctrl->ldctl_iscritical
1028                 ? SLAP_CRITICAL_CONTROL
1029                 : SLAP_NONCRITICAL_CONTROL;
1030
1031         op->o_preread_attrs = an;
1032
1033         rs->sr_err = LDAP_SUCCESS;
1034         return LDAP_SUCCESS;
1035 }
1036
1037 static int parsePostRead (
1038         Operation *op,
1039         SlapReply *rs,
1040         LDAPControl *ctrl )
1041 {
1042         ber_len_t siz, off, i;
1043         AttributeName *an = NULL;
1044         BerElement      *ber;
1045
1046         if ( op->o_postread != SLAP_NO_CONTROL ) {
1047                 rs->sr_text = "postread control specified multiple times";
1048                 return LDAP_PROTOCOL_ERROR;
1049         }
1050
1051         if ( ctrl->ldctl_value.bv_len == 0 ) {
1052                 rs->sr_text = "postread control value is empty (or absent)";
1053                 return LDAP_PROTOCOL_ERROR;
1054         }
1055
1056         ber = ber_init( &(ctrl->ldctl_value) );
1057         if (ber == NULL) {
1058                 rs->sr_text = "postread control: internal error";
1059                 return LDAP_OTHER;
1060         }
1061
1062         siz = sizeof( AttributeName );
1063         off = offsetof( AttributeName, an_name );
1064         if ( ber_scanf( ber, "{M}", &an, &siz, off ) == LBER_ERROR ) {
1065                 rs->sr_text = "postread control: decoding error";
1066                 return LDAP_PROTOCOL_ERROR;
1067         }
1068
1069         for( i=0; i<siz; i++ ) {
1070                 const char *dummy;
1071                 an[i].an_desc = NULL;
1072                 an[i].an_oc = NULL;
1073                 slap_bv2ad( &an[i].an_name, &an[i].an_desc, &dummy );
1074         }
1075
1076         op->o_postread = ctrl->ldctl_iscritical
1077                 ? SLAP_CRITICAL_CONTROL
1078                 : SLAP_NONCRITICAL_CONTROL;
1079
1080         op->o_postread_attrs = an;
1081
1082         rs->sr_err = LDAP_SUCCESS;
1083         return LDAP_SUCCESS;
1084 }
1085
1086 int parseValuesReturnFilter (
1087         Operation *op,
1088         SlapReply *rs,
1089         LDAPControl *ctrl )
1090 {
1091         BerElement      *ber;
1092         struct berval   fstr = { 0, NULL };
1093         const char *err_msg = "";
1094
1095         if ( op->o_valuesreturnfilter != SLAP_NO_CONTROL ) {
1096                 rs->sr_text = "valuesReturnFilter control specified multiple times";
1097                 return LDAP_PROTOCOL_ERROR;
1098         }
1099
1100         if ( ctrl->ldctl_value.bv_len == 0 ) {
1101                 rs->sr_text = "valuesReturnFilter control value is empty (or absent)";
1102                 return LDAP_PROTOCOL_ERROR;
1103         }
1104
1105         ber = ber_init( &(ctrl->ldctl_value) );
1106         if (ber == NULL) {
1107                 rs->sr_text = "internal error";
1108                 return LDAP_OTHER;
1109         }
1110
1111         rs->sr_err = get_vrFilter( op, ber, &(op->o_vrFilter), &rs->sr_text);
1112
1113         if( rs->sr_err != LDAP_SUCCESS ) {
1114                 if( rs->sr_err == SLAPD_DISCONNECT ) {
1115                         rs->sr_err = LDAP_PROTOCOL_ERROR;
1116                         send_ldap_disconnect( op, rs );
1117                         rs->sr_err = SLAPD_DISCONNECT;
1118                 } else {
1119                         send_ldap_result( op, rs );
1120                 }
1121                 if( op->o_vrFilter != NULL) vrFilter_free( op, op->o_vrFilter );
1122         }
1123 #ifdef LDAP_DEBUG
1124         else {
1125                 vrFilter2bv( op, op->o_vrFilter, &fstr );
1126         }
1127
1128 #ifdef NEW_LOGGING
1129         LDAP_LOG( OPERATION, ARGS,
1130                 "parseValuesReturnFilter: conn %d       vrFilter: %s\n",
1131                 op->o_connid, fstr.bv_len ? fstr.bv_val : "empty" , 0 );
1132 #else
1133         Debug( LDAP_DEBUG_ARGS, "       vrFilter: %s\n",
1134                 fstr.bv_len ? fstr.bv_val : "empty", 0, 0 );
1135 #endif
1136         op->o_tmpfree( fstr.bv_val, op->o_tmpmemctx );
1137 #endif
1138
1139         op->o_valuesreturnfilter = ctrl->ldctl_iscritical
1140                 ? SLAP_CRITICAL_CONTROL
1141                 : SLAP_NONCRITICAL_CONTROL;
1142
1143         rs->sr_err = LDAP_SUCCESS;
1144         return LDAP_SUCCESS;
1145 }
1146
1147 #ifdef LDAP_CONTROL_SUBENTRIES
1148 static int parseSubentries (
1149         Operation *op,
1150         SlapReply *rs,
1151         LDAPControl *ctrl )
1152 {
1153         if ( op->o_subentries != SLAP_NO_CONTROL ) {
1154                 rs->sr_text = "subentries control specified multiple times";
1155                 return LDAP_PROTOCOL_ERROR;
1156         }
1157
1158         /* FIXME: should use BER library */
1159         if( ( ctrl->ldctl_value.bv_len != 3 )
1160                 && ( ctrl->ldctl_value.bv_val[0] != 0x01 )
1161                 && ( ctrl->ldctl_value.bv_val[1] != 0x01 ))
1162         {
1163                 rs->sr_text = "subentries control value encoding is bogus";
1164                 return LDAP_PROTOCOL_ERROR;
1165         }
1166
1167         op->o_subentries = ctrl->ldctl_iscritical
1168                 ? SLAP_CRITICAL_CONTROL
1169                 : SLAP_NONCRITICAL_CONTROL;
1170
1171         op->o_subentries_visibility = (ctrl->ldctl_value.bv_val[2] != 0x00);
1172
1173         return LDAP_SUCCESS;
1174 }
1175 #endif
1176
1177 #ifdef LDAP_CONTROL_X_PERMISSIVE_MODIFY
1178 static int parsePermissiveModify (
1179         Operation *op,
1180         SlapReply *rs,
1181         LDAPControl *ctrl )
1182 {
1183         if ( op->o_permissive_modify != SLAP_NO_CONTROL ) {
1184                 rs->sr_text = "permissiveModify control specified multiple times";
1185                 return LDAP_PROTOCOL_ERROR;
1186         }
1187
1188         if ( ctrl->ldctl_value.bv_len ) {
1189                 rs->sr_text = "permissiveModify control value not empty";
1190                 return LDAP_PROTOCOL_ERROR;
1191         }
1192
1193         op->o_permissive_modify = ctrl->ldctl_iscritical
1194                 ? SLAP_CRITICAL_CONTROL
1195                 : SLAP_NONCRITICAL_CONTROL;
1196
1197         return LDAP_SUCCESS;
1198 }
1199 #endif
1200
1201 #ifdef LDAP_CONTROL_X_DOMAIN_SCOPE
1202 static int parseDomainScope (
1203         Operation *op,
1204         SlapReply *rs,
1205         LDAPControl *ctrl )
1206 {
1207         if ( op->o_domain_scope != SLAP_NO_CONTROL ) {
1208                 rs->sr_text = "domainScope control specified multiple times";
1209                 return LDAP_PROTOCOL_ERROR;
1210         }
1211
1212         if ( ctrl->ldctl_value.bv_len ) {
1213                 rs->sr_text = "domainScope control value not empty";
1214                 return LDAP_PROTOCOL_ERROR;
1215         }
1216
1217         op->o_domain_scope = ctrl->ldctl_iscritical
1218                 ? SLAP_CRITICAL_CONTROL
1219                 : SLAP_NONCRITICAL_CONTROL;
1220
1221         return LDAP_SUCCESS;
1222 }
1223 #endif
1224
1225 static int parseLDAPsync (
1226         Operation *op,
1227         SlapReply *rs,
1228         LDAPControl *ctrl )
1229 {
1230         ber_tag_t tag;
1231         BerElement *ber;
1232         ber_int_t mode;
1233         ber_len_t len;
1234         struct slap_session_entry *se;
1235
1236         if ( op->o_sync != SLAP_NO_CONTROL ) {
1237                 rs->sr_text = "LDAP Sync control specified multiple times";
1238                 return LDAP_PROTOCOL_ERROR;
1239         }
1240
1241         if ( ctrl->ldctl_value.bv_len == 0 ) {
1242                 rs->sr_text = "LDAP Sync control value is empty (or absent)";
1243                 return LDAP_PROTOCOL_ERROR;
1244         }
1245
1246         /* Parse the control value
1247          *      syncRequestValue ::= SEQUENCE {
1248          *              mode   ENUMERATED {
1249          *                      -- 0 unused
1250          *                      refreshOnly             (1),
1251          *                      -- 2 reserved
1252          *                      refreshAndPersist       (3)
1253          *              },
1254          *              cookie  syncCookie OPTIONAL
1255          *      }
1256          */
1257
1258         ber = ber_init( &ctrl->ldctl_value );
1259         if( ber == NULL ) {
1260                 rs->sr_text = "internal error";
1261                 return LDAP_OTHER;
1262         }
1263
1264         if ( (tag = ber_scanf( ber, "{i" /*}*/, &mode )) == LBER_ERROR ) {
1265                 rs->sr_text = "LDAP Sync control : mode decoding error";
1266                 return LDAP_PROTOCOL_ERROR;
1267         }
1268
1269         switch( mode ) {
1270         case LDAP_SYNC_REFRESH_ONLY:
1271                 mode = SLAP_SYNC_REFRESH;
1272                 break;
1273         case LDAP_SYNC_REFRESH_AND_PERSIST:
1274                 mode = SLAP_SYNC_REFRESH_AND_PERSIST;
1275                 break;
1276         default:
1277                 rs->sr_text = "LDAP Sync control : unknown update mode";
1278                 return LDAP_PROTOCOL_ERROR;
1279         }
1280
1281         tag = ber_peek_tag( ber, &len );
1282
1283         if ( tag == LDAP_TAG_SYNC_COOKIE ) {
1284                 struct berval tmp_bv;
1285                 if (( ber_scanf( ber, /*{*/ "o", &tmp_bv )) == LBER_ERROR ) {
1286                         rs->sr_text = "LDAP Sync control : cookie decoding error";
1287                         return LDAP_PROTOCOL_ERROR;
1288                 }
1289                 ber_bvarray_add( &op->o_sync_state.octet_str, &tmp_bv );
1290                 slap_parse_sync_cookie( &op->o_sync_state );
1291         }
1292         if ( tag == LDAP_TAG_RELOAD_HINT ) {
1293                 if (( ber_scanf( ber, /*{*/ "b", &op->o_sync_rhint )) == LBER_ERROR ) {
1294                         rs->sr_text = "LDAP Sync control : rhint decoding error";
1295                         return LDAP_PROTOCOL_ERROR;
1296                 }
1297         }
1298         if (( ber_scanf( ber, /*{*/ "}")) == LBER_ERROR ) {
1299                         rs->sr_text = "LDAP Sync control : decoding error";
1300                         return LDAP_PROTOCOL_ERROR;
1301         }
1302
1303         (void) ber_free( ber, 1 );
1304
1305         op->o_sync_mode = (char) mode;
1306
1307         op->o_sync = ctrl->ldctl_iscritical
1308                 ? SLAP_CRITICAL_CONTROL
1309                 : SLAP_NONCRITICAL_CONTROL;
1310
1311         return LDAP_SUCCESS;
1312 }