git.sur5r.net Git - openldap/blob - servers/slapd/controls.c

   1 /* $OpenLDAP$ */
   2 /*
   3  * Copyright 1999-2003 The OpenLDAP Foundation.
   4  * All rights reserved.
   5  *
   6  * Redistribution and use in source and binary forms are permitted only
   7  * as authorized by the OpenLDAP Public License.  A copy of this
   8  * license is available at http://www.OpenLDAP.org/license.html or
   9  * in file LICENSE in the top-level directory of the distribution.
  10  */
  11 #include "portable.h"
  12
  13 #include <stdio.h>
  14
  15 #include <ac/string.h>
  16 #include <ac/socket.h>
  17
  18 #include "slap.h"
  19
  20 #include "../../libraries/liblber/lber-int.h"
  21
  22 static SLAP_CTRL_PARSE_FN parseAssert;
  23 static SLAP_CTRL_PARSE_FN parsePreRead;
  24 static SLAP_CTRL_PARSE_FN parsePostRead;
  25 static SLAP_CTRL_PARSE_FN parseProxyAuthz;
  26 static SLAP_CTRL_PARSE_FN parseManageDSAit;
  27 static SLAP_CTRL_PARSE_FN parseModifyIncrement;
  28 static SLAP_CTRL_PARSE_FN parseNoOp;
  29 static SLAP_CTRL_PARSE_FN parsePagedResults;
  30 static SLAP_CTRL_PARSE_FN parseValuesReturnFilter;
  31 static SLAP_CTRL_PARSE_FN parsePermissiveModify;
  32 static SLAP_CTRL_PARSE_FN parseDomainScope;
  33
  34 #ifdef LDAP_CONTROL_SUBENTRIES
  35 static SLAP_CTRL_PARSE_FN parseSubentries;
  36 #endif
  37 static SLAP_CTRL_PARSE_FN parseLDAPsync;
  38
  39 #undef sc_mask /* avoid conflict with Irix 6.5 <sys/signal.h> */
  40
  41 const struct berval slap_pre_read_bv = BER_BVC(LDAP_CONTROL_PRE_READ);
  42 const struct berval slap_post_read_bv = BER_BVC(LDAP_CONTROL_POST_READ);
  43
  44 struct slap_control {
  45         /* Control OID */
  46         char *sc_oid;
  47
  48         /* Operations supported by control */
  49         slap_mask_t sc_mask;
  50
  51         /* Extended operations supported by control */
  52         char **sc_extendedops;
  53
  54         /* Control parsing callback */
  55         SLAP_CTRL_PARSE_FN *sc_parse;
  56
  57         LDAP_SLIST_ENTRY(slap_control) sc_next;
  58 };
  59
  60 static LDAP_SLIST_HEAD(ControlsList, slap_control) controls_list
  61         = LDAP_SLIST_HEAD_INITIALIZER(&controls_list);
  62
  63 /*
  64  * all known request control OIDs should be added to this list
  65  */
  66 char **slap_known_controls = NULL;
  67
  68 static char *proxy_authz_extops[] = {
  69         LDAP_EXOP_MODIFY_PASSWD,
  70         LDAP_EXOP_X_WHO_AM_I,
  71         NULL
  72 };
  73
  74 static struct slap_control control_defs[] = {
  75         { LDAP_CONTROL_ASSERT,
  76                 SLAP_CTRL_HIDE|SLAP_CTRL_ACCESS, NULL,
  77                 parseAssert, LDAP_SLIST_ENTRY_INITIALIZER(next) },
  78         { LDAP_CONTROL_PRE_READ,
  79                 SLAP_CTRL_HIDE|SLAP_CTRL_DELETE|SLAP_CTRL_MODIFY|SLAP_CTRL_RENAME, NULL,
  80                 parsePreRead, LDAP_SLIST_ENTRY_INITIALIZER(next) },
  81         { LDAP_CONTROL_POST_READ,
  82                 SLAP_CTRL_HIDE|SLAP_CTRL_ADD|SLAP_CTRL_MODIFY|SLAP_CTRL_RENAME, NULL,
  83                 parsePostRead, LDAP_SLIST_ENTRY_INITIALIZER(next) },
  84         { LDAP_CONTROL_VALUESRETURNFILTER,
  85                 SLAP_CTRL_SEARCH, NULL,
  86                 parseValuesReturnFilter, LDAP_SLIST_ENTRY_INITIALIZER(next) },
  87 #ifdef LDAP_CONTROL_PAGEDRESULTS
  88         { LDAP_CONTROL_PAGEDRESULTS,
  89                 SLAP_CTRL_SEARCH, NULL,
  90                 parsePagedResults, LDAP_SLIST_ENTRY_INITIALIZER(next) },
  91 #endif
  92 #ifdef LDAP_CONTROL_X_DOMAIN_SCOPE
  93         { LDAP_CONTROL_X_DOMAIN_SCOPE,
  94                 SLAP_CTRL_FRONTEND|SLAP_CTRL_SEARCH, NULL,
  95                 parseDomainScope, LDAP_SLIST_ENTRY_INITIALIZER(next) },
  96 #endif
  97 #ifdef LDAP_CONTROL_X_PERMISSIVE_MODIFY
  98         { LDAP_CONTROL_X_PERMISSIVE_MODIFY,
  99                 SLAP_CTRL_MODIFY, NULL,
 100                 parsePermissiveModify, LDAP_SLIST_ENTRY_INITIALIZER(next) },
 101 #endif
 102 #ifdef LDAP_CONTROL_SUBENTRIES
 103         { LDAP_CONTROL_SUBENTRIES,
 104                 SLAP_CTRL_SEARCH, NULL,
 105                 parseSubentries, LDAP_SLIST_ENTRY_INITIALIZER(next) },
 106 #endif
 107         { LDAP_CONTROL_NOOP,
 108                 SLAP_CTRL_ACCESS, NULL,
 109                 parseNoOp, LDAP_SLIST_ENTRY_INITIALIZER(next) },
 110         { LDAP_CONTROL_SYNC,
 111                 SLAP_CTRL_HIDE|SLAP_CTRL_SEARCH, NULL,
 112                 parseLDAPsync, LDAP_SLIST_ENTRY_INITIALIZER(next) },
 113         { LDAP_CONTROL_MODIFY_INCREMENT,
 114                 SLAP_CTRL_HIDE|SLAP_CTRL_MODIFY, NULL,
 115                 parseModifyIncrement, LDAP_SLIST_ENTRY_INITIALIZER(next) },
 116         { LDAP_CONTROL_MANAGEDSAIT,
 117                 SLAP_CTRL_ACCESS, NULL,
 118                 parseManageDSAit, LDAP_SLIST_ENTRY_INITIALIZER(next) },
 119         { LDAP_CONTROL_PROXY_AUTHZ,
 120                 SLAP_CTRL_FRONTEND|SLAP_CTRL_ACCESS, proxy_authz_extops,
 121                 parseProxyAuthz, LDAP_SLIST_ENTRY_INITIALIZER(next) },
 122         { NULL, 0, NULL, 0, LDAP_SLIST_ENTRY_INITIALIZER(next) }
 123 };
 124
 125 /*
 126  * Register a supported control.
 127  *
 128  * This can be called by an OpenLDAP plugin or, indirectly, by a
 129  * SLAPI plugin calling slapi_register_supported_control().
 130  */
 131 int
 132 register_supported_control(const char *controloid,
 133         slap_mask_t controlmask,
 134         char **controlexops,
 135         SLAP_CTRL_PARSE_FN *controlparsefn)
 136 {
 137         struct slap_control *sc;
 138         int i;
 139
 140         if ( controloid == NULL ) {
 141                 return LDAP_PARAM_ERROR;
 142         }
 143
 144         sc = (struct slap_control *)SLAP_MALLOC( sizeof( *sc ) );
 145         if ( sc == NULL ) {
 146                 return LDAP_NO_MEMORY;
 147         }
 148         sc->sc_oid = ch_strdup( controloid );
 149         sc->sc_mask = controlmask;
 150         if ( controlexops != NULL ) {
 151                 sc->sc_extendedops = ldap_charray_dup( controlexops );
 152                 if ( sc->sc_extendedops == NULL ) {
 153                         ch_free( sc );
 154                         return LDAP_NO_MEMORY;
 155                 }
 156         } else {
 157                 sc->sc_extendedops = NULL;
 158         }
 159         sc->sc_parse = controlparsefn;
 160
 161         /* Update slap_known_controls, too. */
 162         if ( slap_known_controls == NULL ) {
 163                 slap_known_controls = (char **)SLAP_MALLOC( 2 * sizeof(char *) );
 164                 if ( slap_known_controls == NULL ) {
 165                         if ( sc->sc_extendedops != NULL ) ldap_charray_free( sc->sc_extendedops );
 166                         ch_free( sc );
 167                         return LDAP_NO_MEMORY;
 168                 }
 169                 slap_known_controls[0] = ch_strdup( sc->sc_oid );
 170                 slap_known_controls[1] = NULL;
 171         } else {
 172                 for ( i = 0; slap_known_controls[i] != NULL; i++ )
 173                         ;
 174                 slap_known_controls = (char **)SLAP_REALLOC( slap_known_controls, (i + 2) * sizeof(char *) );
 175                 if ( slap_known_controls == NULL ) {
 176                         if ( sc->sc_extendedops != NULL ) ldap_charray_free( sc->sc_extendedops );
 177                         ch_free( sc );
 178                         return LDAP_NO_MEMORY;
 179                 }
 180                 slap_known_controls[i++] = ch_strdup( sc->sc_oid );
 181                 slap_known_controls[i] = NULL;
 182         }
 183
 184         LDAP_SLIST_NEXT( sc, sc_next ) = NULL;
 185         LDAP_SLIST_INSERT_HEAD( &controls_list, sc, sc_next );
 186
 187         return LDAP_SUCCESS;
 188 }
 189
 190 /*
 191  * One-time initialization of internal controls.
 192  */
 193 int
 194 slap_controls_init( void )
 195 {
 196         int i, rc;
 197         struct slap_control *sc;
 198
 199         rc = LDAP_SUCCESS;
 200
 201         for ( i = 0; control_defs[i].sc_oid != NULL; i++ ) {
 202                 rc = register_supported_control( control_defs[i].sc_oid,
 203                         control_defs[i].sc_mask, control_defs[i].sc_extendedops,
 204                         control_defs[i].sc_parse );
 205                 if ( rc != LDAP_SUCCESS )
 206                         break;
 207         }
 208
 209         return rc;
 210 }
 211
 212 /*
 213  * Free memory associated with list of supported controls.
 214  */
 215 void
 216 controls_destroy( void )
 217 {
 218         struct slap_control *sc;
 219
 220         while ( !LDAP_SLIST_EMPTY(&controls_list) ) {
 221                 sc = LDAP_SLIST_FIRST(&controls_list);
 222                 LDAP_SLIST_REMOVE_HEAD(&controls_list, sc_next);
 223
 224                 ch_free( sc->sc_oid );
 225                 if ( sc->sc_extendedops != NULL ) {
 226                         ldap_charray_free( sc->sc_extendedops );
 227                 }
 228                 ch_free( sc );
 229         }
 230         ldap_charray_free( slap_known_controls );
 231 }
 232
 233 /*
 234  * Format the supportedControl attribute of the root DSE,
 235  * detailing which controls are supported by the directory
 236  * server.
 237  */
 238 int
 239 controls_root_dse_info( Entry *e )
 240 {
 241         AttributeDescription *ad_supportedControl
 242                 = slap_schema.si_ad_supportedControl;
 243         struct berval vals[2];
 244         struct slap_control *sc;
 245
 246         vals[1].bv_val = NULL;
 247         vals[1].bv_len = 0;
 248
 249         LDAP_SLIST_FOREACH( sc, &controls_list, sc_next ) {
 250                 if( sc->sc_mask & SLAP_CTRL_HIDE ) continue;
 251
 252                 vals[0].bv_val = sc->sc_oid;
 253                 vals[0].bv_len = strlen( sc->sc_oid );
 254
 255                 if ( attr_merge( e, ad_supportedControl, vals, NULL ) ) {
 256                         return -1;
 257                 }
 258         }
 259
 260         return 0;
 261 }
 262
 263 /*
 264  * Return a list of OIDs and operation masks for supported
 265  * controls. Used by SLAPI.
 266  */
 267 int
 268 get_supported_controls(char ***ctrloidsp,
 269         slap_mask_t **ctrlmasks)
 270 {
 271         int i, n;
 272         char **oids;
 273         slap_mask_t *masks;
 274         int rc;
 275         struct slap_control *sc;
 276
 277         n = 0;
 278
 279         LDAP_SLIST_FOREACH( sc, &controls_list, sc_next ) {
 280                 n++;
 281         }
 282
 283         if ( n == 0 ) {
 284                 *ctrloidsp = NULL;
 285                 *ctrlmasks = NULL;
 286                 return LDAP_SUCCESS;
 287         }
 288
 289         oids = (char **)SLAP_MALLOC( (n + 1) * sizeof(char *) );
 290         if ( oids == NULL ) {
 291                 return LDAP_NO_MEMORY;
 292         }
 293         masks = (slap_mask_t *)SLAP_MALLOC( (n + 1) * sizeof(slap_mask_t) );
 294         if  ( masks == NULL ) {
 295                 ch_free( oids );
 296                 return LDAP_NO_MEMORY;
 297         }
 298
 299         n = 0;
 300
 301         LDAP_SLIST_FOREACH( sc, &controls_list, sc_next ) {
 302                 oids[n] = ch_strdup( sc->sc_oid );
 303                 masks[n] = sc->sc_mask;
 304                 n++;
 305         }
 306         oids[n] = NULL;
 307         masks[n] = 0;
 308
 309         *ctrloidsp = oids;
 310         *ctrlmasks = masks;
 311
 312         return LDAP_SUCCESS;
 313 }
 314
 315 /*
 316  * Find a control given its OID.
 317  */
 318 static struct slap_control *
 319 find_ctrl( const char *oid )
 320 {
 321         struct slap_control *sc;
 322
 323         LDAP_SLIST_FOREACH( sc, &controls_list, sc_next ) {
 324                 if ( strcmp( oid, sc->sc_oid ) == 0 ) {
 325                         return sc;
 326                 }
 327         }
 328
 329         return NULL;
 330 }
 331
 332 void slap_free_ctrls(
 333         Operation *op,
 334         LDAPControl **ctrls
 335 )
 336 {
 337         int i;
 338
 339         for (i=0; ctrls[i]; i++) {
 340                 op->o_tmpfree(ctrls[i], op->o_tmpmemctx );
 341         }
 342         op->o_tmpfree( ctrls, op->o_tmpmemctx );
 343 }
 344
 345 int get_ctrls(
 346         Operation *op,
 347         SlapReply *rs,
 348         int sendres )
 349 {
 350         int nctrls = 0;
 351         ber_tag_t tag;
 352         ber_len_t len;
 353         char *opaque;
 354         BerElement *ber = op->o_ber;
 355         struct slap_control *sc;
 356         struct berval bv;
 357
 358         len = ber_pvt_ber_remaining(ber);
 359
 360         if( len == 0) {
 361                 /* no controls */
 362                 rs->sr_err = LDAP_SUCCESS;
 363                 return rs->sr_err;
 364         }
 365
 366         if(( tag = ber_peek_tag( ber, &len )) != LDAP_TAG_CONTROLS ) {
 367                 if( tag == LBER_ERROR ) {
 368                         rs->sr_err = SLAPD_DISCONNECT;
 369                         rs->sr_text = "unexpected data in PDU";
 370                 }
 371
 372                 goto return_results;
 373         }
 374
 375 #ifdef NEW_LOGGING
 376         LDAP_LOG( OPERATION, ENTRY,
 377                 "get_ctrls: conn %lu\n", op->o_connid, 0, 0 );
 378 #else
 379         Debug( LDAP_DEBUG_TRACE,
 380                 "=> get_ctrls\n", 0, 0, 0 );
 381 #endif
 382
 383         if( op->o_protocol < LDAP_VERSION3 ) {
 384                 rs->sr_err = SLAPD_DISCONNECT;
 385                 rs->sr_text = "controls require LDAPv3";
 386                 goto return_results;
 387         }
 388
 389         /* one for first control, one for termination */
 390         op->o_ctrls = op->o_tmpalloc( 2 * sizeof(LDAPControl *), op->o_tmpmemctx );
 391
 392 #if 0
 393         if( op->ctrls == NULL ) {
 394                 rs->sr_err = LDAP_NO_MEMORY;
 395                 rs->sr_text = "no memory";
 396                 goto return_results;
 397         }
 398 #endif
 399
 400         op->o_ctrls[nctrls] = NULL;
 401
 402         /* step through each element */
 403         for( tag = ber_first_element( ber, &len, &opaque );
 404                 tag != LBER_ERROR;
 405                 tag = ber_next_element( ber, &len, opaque ) )
 406         {
 407                 LDAPControl *c;
 408                 LDAPControl **tctrls;
 409
 410                 c = op->o_tmpalloc( sizeof(LDAPControl), op->o_tmpmemctx );
 411                 memset(c, 0, sizeof(LDAPControl));
 412
 413                 /* allocate pointer space for current controls (nctrls)
 414                  * + this control + extra NULL
 415                  */
 416                 tctrls = op->o_tmprealloc( op->o_ctrls,
 417                         (nctrls+2) * sizeof(LDAPControl *), op->o_tmpmemctx );
 418
 419 #if 0
 420                 if( tctrls == NULL ) {
 421                         ch_free( c );
 422                         ldap_controls_free(op->o_ctrls);
 423                         op->o_ctrls = NULL;
 424
 425                         rs->sr_err = LDAP_NO_MEMORY;
 426                         rs->sr_text = "no memory";
 427                         goto return_results;
 428                 }
 429 #endif
 430                 op->o_ctrls = tctrls;
 431
 432                 op->o_ctrls[nctrls++] = c;
 433                 op->o_ctrls[nctrls] = NULL;
 434
 435                 tag = ber_scanf( ber, "{m" /*}*/, &bv );
 436                 c->ldctl_oid = bv.bv_val;
 437
 438                 if( tag == LBER_ERROR ) {
 439 #ifdef NEW_LOGGING
 440                         LDAP_LOG( OPERATION, INFO, "get_ctrls: conn %lu get OID failed.\n",
 441                                 op->o_connid, 0, 0 );
 442 #else
 443                         Debug( LDAP_DEBUG_TRACE, "=> get_ctrls: get oid failed.\n",
 444                                 0, 0, 0 );
 445 #endif
 446
 447                         slap_free_ctrls( op, op->o_ctrls );
 448                         op->o_ctrls = NULL;
 449                         rs->sr_err = SLAPD_DISCONNECT;
 450                         rs->sr_text = "decoding controls error";
 451                         goto return_results;
 452
 453                 } else if( c->ldctl_oid == NULL ) {
 454 #ifdef NEW_LOGGING
 455                         LDAP_LOG( OPERATION, INFO,
 456                                 "get_ctrls: conn %lu got emtpy OID.\n",
 457                                 op->o_connid, 0, 0 );
 458 #else
 459                         Debug( LDAP_DEBUG_TRACE,
 460                                 "get_ctrls: conn %lu got emtpy OID.\n",
 461                                 op->o_connid, 0, 0 );
 462 #endif
 463
 464                         slap_free_ctrls( op, op->o_ctrls );
 465                         op->o_ctrls = NULL;
 466                         rs->sr_err = LDAP_PROTOCOL_ERROR;
 467                         rs->sr_text = "OID field is empty";
 468                         goto return_results;
 469                 }
 470
 471                 tag = ber_peek_tag( ber, &len );
 472
 473                 if( tag == LBER_BOOLEAN ) {
 474                         ber_int_t crit;
 475                         tag = ber_scanf( ber, "b", &crit );
 476
 477                         if( tag == LBER_ERROR ) {
 478 #ifdef NEW_LOGGING
 479                                 LDAP_LOG( OPERATION, INFO,
 480                                         "get_ctrls: conn %lu get crit failed.\n",
 481                                         op->o_connid, 0, 0 );
 482 #else
 483                                 Debug( LDAP_DEBUG_TRACE, "=> get_ctrls: get crit failed.\n",
 484                                         0, 0, 0 );
 485 #endif
 486                                 slap_free_ctrls( op, op->o_ctrls );
 487                                 op->o_ctrls = NULL;
 488                                 rs->sr_err = SLAPD_DISCONNECT;
 489                                 rs->sr_text = "decoding controls error";
 490                                 goto return_results;
 491                         }
 492
 493                         c->ldctl_iscritical = (crit != 0);
 494                         tag = ber_peek_tag( ber, &len );
 495                 }
 496
 497                 if( tag == LBER_OCTETSTRING ) {
 498                         tag = ber_scanf( ber, "m", &c->ldctl_value );
 499
 500                         if( tag == LBER_ERROR ) {
 501 #ifdef NEW_LOGGING
 502                                 LDAP_LOG( OPERATION, INFO, "get_ctrls: conn %lu: "
 503                                         "%s (%scritical): get value failed.\n",
 504                                         op->o_connid, c->ldctl_oid,
 505                                         c->ldctl_iscritical ? "" : "non" );
 506 #else
 507                                 Debug( LDAP_DEBUG_TRACE, "=> get_ctrls: conn %lu: "
 508                                         "%s (%scritical): get value failed.\n",
 509                                         op->o_connid, c->ldctl_oid,
 510                                         c->ldctl_iscritical ? "" : "non" );
 511 #endif
 512                                 slap_free_ctrls( op, op->o_ctrls );
 513                                 op->o_ctrls = NULL;
 514                                 rs->sr_err = SLAPD_DISCONNECT;
 515                                 rs->sr_text = "decoding controls error";
 516                                 goto return_results;
 517                         }
 518                 }
 519
 520 #ifdef NEW_LOGGING
 521                 LDAP_LOG( OPERATION, INFO,
 522                         "get_ctrls: conn %lu oid=\"%s\" (%scritical)\n",
 523                         op->o_connid, c->ldctl_oid, c->ldctl_iscritical ? "" : "non" );
 524 #else
 525                 Debug( LDAP_DEBUG_TRACE,
 526                         "=> get_ctrls: oid=\"%s\" (%scritical)\n",
 527                         c->ldctl_oid, c->ldctl_iscritical ? "" : "non", 0 );
 528 #endif
 529
 530                 sc = find_ctrl( c->ldctl_oid );
 531                 if( sc != NULL ) {
 532                         /* recognized control */
 533                         slap_mask_t tagmask;
 534                         switch( op->o_tag ) {
 535                         case LDAP_REQ_ADD:
 536                                 tagmask = SLAP_CTRL_ADD;
 537                                 break;
 538                         case LDAP_REQ_BIND:
 539                                 tagmask = SLAP_CTRL_BIND;
 540                                 break;
 541                         case LDAP_REQ_COMPARE:
 542                                 tagmask = SLAP_CTRL_COMPARE;
 543                                 break;
 544                         case LDAP_REQ_DELETE:
 545                                 tagmask = SLAP_CTRL_DELETE;
 546                                 break;
 547                         case LDAP_REQ_MODIFY:
 548                                 tagmask = SLAP_CTRL_MODIFY;
 549                                 break;
 550                         case LDAP_REQ_RENAME:
 551                                 tagmask = SLAP_CTRL_RENAME;
 552                                 break;
 553                         case LDAP_REQ_SEARCH:
 554                                 tagmask = SLAP_CTRL_SEARCH;
 555                                 break;
 556                         case LDAP_REQ_UNBIND:
 557                                 tagmask = SLAP_CTRL_UNBIND;
 558                                 break;
 559                         case LDAP_REQ_ABANDON:
 560                                 tagmask = SLAP_CTRL_ABANDON;
 561                                 break;
 562                         case LDAP_REQ_EXTENDED:
 563                                 tagmask=~0L;
 564                                 assert( op->ore_reqoid.bv_val != NULL );
 565                                 if( sc->sc_extendedops != NULL ) {
 566                                         int i;
 567                                         for( i=0; sc->sc_extendedops[i] != NULL; i++ ) {
 568                                                 if( strcmp( op->ore_reqoid.bv_val, sc->sc_extendedops[i] )
 569                                                         == 0 )
 570                                                 {
 571                                                         tagmask=0L;
 572                                                         break;
 573                                                 }
 574                                         }
 575                                 }
 576                                 break;
 577                         default:
 578                                 rs->sr_err = LDAP_OTHER;
 579                                 rs->sr_text = "controls internal error";
 580                                 goto return_results;
 581                         }
 582
 583                         if (( sc->sc_mask & tagmask ) == tagmask ) {
 584                                 /* available extension */
 585
 586                                 if( !sc->sc_parse ) {
 587                                         rs->sr_err = LDAP_OTHER;
 588                                         rs->sr_text = "not yet implemented";
 589                                         goto return_results;
 590                                 }
 591
 592                                 rs->sr_err = sc->sc_parse( op, rs, c );
 593
 594                                 if( rs->sr_err != LDAP_SUCCESS ) goto return_results;
 595
 596                                 if ( sc->sc_mask & SLAP_CTRL_FRONTEND ) {
 597                                         /* kludge to disable backend_control() check */
 598                                         c->ldctl_iscritical = 0;
 599
 600                                 } else if ( tagmask == SLAP_CTRL_SEARCH &&
 601                                         sc->sc_mask & SLAP_CTRL_FRONTEND_SEARCH )
 602                                 {
 603                                         /* kludge to disable backend_control() check */
 604                                         c->ldctl_iscritical = 0;
 605                                 }
 606
 607                         } else if( c->ldctl_iscritical ) {
 608                                 /* unavailable CRITICAL control */
 609                                 rs->sr_err = LDAP_UNAVAILABLE_CRITICAL_EXTENSION;
 610                                 rs->sr_text = "critical extension is unavailable";
 611                                 goto return_results;
 612                         }
 613
 614                 } else if( c->ldctl_iscritical ) {
 615                         /* unrecognized CRITICAL control */
 616                         rs->sr_err = LDAP_UNAVAILABLE_CRITICAL_EXTENSION;
 617                         rs->sr_text = "critical extension is not recognized";
 618                         goto return_results;
 619                 }
 620         }
 621
 622 return_results:
 623 #ifdef NEW_LOGGING
 624         LDAP_LOG( OPERATION, RESULTS,
 625                 "get_ctrls: n=%d rc=%d err=\"%s\"\n",
 626                 nctrls, rs->sr_err, rs->sr_text ? rs->sr_text : "" );
 627 #else
 628         Debug( LDAP_DEBUG_TRACE,
 629                 "<= get_ctrls: n=%d rc=%d err=\"%s\"\n",
 630                 nctrls, rs->sr_err, rs->sr_text ? rs->sr_text : "");
 631 #endif
 632
 633         if( sendres && rs->sr_err != LDAP_SUCCESS ) {
 634                 if( rs->sr_err == SLAPD_DISCONNECT ) {
 635                         rs->sr_err = LDAP_PROTOCOL_ERROR;
 636                         send_ldap_disconnect( op, rs );
 637                         rs->sr_err = SLAPD_DISCONNECT;
 638                 } else {
 639                         send_ldap_result( op, rs );
 640                 }
 641         }
 642
 643         return rs->sr_err;
 644 }
 645
 646 static int parseModifyIncrement (
 647         Operation *op,
 648         SlapReply *rs,
 649         LDAPControl *ctrl )
 650 {
 651 #if 0
 652         if ( op->o_parseModifyIncrement != SLAP_NO_CONTROL ) {
 653                 rs->sr_text = "modifyIncrement control specified multiple times";
 654                 return LDAP_PROTOCOL_ERROR;
 655         }
 656 #endif
 657
 658         if ( ctrl->ldctl_value.bv_len ) {
 659                 rs->sr_text = "modifyIncrement control value not empty";
 660                 return LDAP_PROTOCOL_ERROR;
 661         }
 662
 663 #if 0
 664         op->o_parseModifyIncrement = ctrl->ldctl_iscritical
 665                 ? SLAP_CRITICAL_CONTROL
 666                 : SLAP_NONCRITICAL_CONTROL;
 667 #endif
 668
 669         return LDAP_SUCCESS;
 670 }
 671
 672 static int parseManageDSAit (
 673         Operation *op,
 674         SlapReply *rs,
 675         LDAPControl *ctrl )
 676 {
 677         if ( op->o_managedsait != SLAP_NO_CONTROL ) {
 678                 rs->sr_text = "manageDSAit control specified multiple times";
 679                 return LDAP_PROTOCOL_ERROR;
 680         }
 681
 682         if ( ctrl->ldctl_value.bv_len ) {
 683                 rs->sr_text = "manageDSAit control value not empty";
 684                 return LDAP_PROTOCOL_ERROR;
 685         }
 686
 687         op->o_managedsait = ctrl->ldctl_iscritical
 688                 ? SLAP_CRITICAL_CONTROL
 689                 : SLAP_NONCRITICAL_CONTROL;
 690
 691         return LDAP_SUCCESS;
 692 }
 693
 694 static int parseProxyAuthz (
 695         Operation *op,
 696         SlapReply *rs,
 697         LDAPControl *ctrl )
 698 {
 699         int rc;
 700         struct berval dn = { 0, NULL };
 701
 702         if ( op->o_proxy_authz != SLAP_NO_CONTROL ) {
 703                 rs->sr_text = "proxy authorization control specified multiple times";
 704                 return LDAP_PROTOCOL_ERROR;
 705         }
 706
 707         op->o_proxy_authz = ctrl->ldctl_iscritical
 708                 ? SLAP_CRITICAL_CONTROL
 709                 : SLAP_NONCRITICAL_CONTROL;
 710
 711 #ifdef NEW_LOGGING
 712         LDAP_LOG( OPERATION, ARGS,
 713                 "parseProxyAuthz: conn %lu authzid=\"%s\"\n",
 714                 op->o_connid,
 715                 ctrl->ldctl_value.bv_len ?  ctrl->ldctl_value.bv_val : "anonymous",
 716                 0 );
 717 #else
 718         Debug( LDAP_DEBUG_ARGS,
 719                 "parseProxyAuthz: conn %lu authzid=\"%s\"\n",
 720                 op->o_connid,
 721                 ctrl->ldctl_value.bv_len ?  ctrl->ldctl_value.bv_val : "anonymous",
 722                 0 );
 723 #endif
 724
 725         if( ctrl->ldctl_value.bv_len == 0 ) {
 726 #ifdef NEW_LOGGING
 727                 LDAP_LOG( OPERATION, RESULTS,
 728                         "parseProxyAuthz: conn=%lu anonymous\n",
 729                         op->o_connid, 0, 0 );
 730 #else
 731                 Debug( LDAP_DEBUG_TRACE,
 732                         "parseProxyAuthz: conn=%lu anonymous\n",
 733                         op->o_connid, 0, 0 );
 734 #endif
 735
 736                 /* anonymous */
 737                 free( op->o_dn.bv_val );
 738                 op->o_dn.bv_len = 0;
 739                 op->o_dn.bv_val = ch_strdup( "" );
 740
 741                 free( op->o_ndn.bv_val );
 742                 op->o_ndn.bv_len = 0;
 743                 op->o_ndn.bv_val = ch_strdup( "" );
 744
 745                 return LDAP_SUCCESS;
 746         }
 747
 748         rc = slap_sasl_getdn( op->o_conn, op,
 749                 ctrl->ldctl_value.bv_val, ctrl->ldctl_value.bv_len,
 750                 NULL, &dn, SLAP_GETDN_AUTHZID );
 751
 752         if( rc != LDAP_SUCCESS || !dn.bv_len ) {
 753                 if ( dn.bv_val ) {
 754                         ch_free( dn.bv_val );
 755                 }
 756                 rs->sr_text = "authzId mapping failed";
 757                 return LDAP_PROXY_AUTHZ_FAILURE;
 758         }
 759
 760 #ifdef NEW_LOGGING
 761         LDAP_LOG( OPERATION, RESULTS,
 762                 "parseProxyAuthz: conn=%lu \"%s\"\n",
 763                 op->o_connid,
 764                 dn.bv_len ? dn.bv_val : "(NULL)", 0 );
 765 #else
 766         Debug( LDAP_DEBUG_TRACE,
 767                 "parseProxyAuthz: conn=%lu \"%s\"\n",
 768                 op->o_connid,
 769                 dn.bv_len ? dn.bv_val : "(NULL)", 0 );
 770 #endif
 771
 772         rc = slap_sasl_authorized( op, &op->o_ndn, &dn );
 773
 774         if( rc ) {
 775                 ch_free( dn.bv_val );
 776                 rs->sr_text = "not authorized to assume identity";
 777                 return LDAP_PROXY_AUTHZ_FAILURE;
 778         }
 779
 780         ch_free( op->o_dn.bv_val );
 781         ch_free( op->o_ndn.bv_val );
 782
 783         op->o_dn.bv_val = NULL;
 784         op->o_ndn = dn;
 785
 786         /*
 787          * NOTE: since slap_sasl_getdn() returns a normalized dn,
 788          * from now on op->o_dn is normalized
 789          */
 790         ber_dupbv( &op->o_dn, &dn );
 791
 792         return LDAP_SUCCESS;
 793 }
 794
 795 static int parseNoOp (
 796         Operation *op,
 797         SlapReply *rs,
 798         LDAPControl *ctrl )
 799 {
 800         if ( op->o_noop != SLAP_NO_CONTROL ) {
 801                 rs->sr_text = "noop control specified multiple times";
 802                 return LDAP_PROTOCOL_ERROR;
 803         }
 804
 805         if ( ctrl->ldctl_value.bv_len ) {
 806                 rs->sr_text = "noop control value not empty";
 807                 return LDAP_PROTOCOL_ERROR;
 808         }
 809
 810         op->o_noop = ctrl->ldctl_iscritical
 811                 ? SLAP_CRITICAL_CONTROL
 812                 : SLAP_NONCRITICAL_CONTROL;
 813
 814         return LDAP_SUCCESS;
 815 }
 816
 817 #ifdef LDAP_CONTROL_PAGEDRESULTS
 818 static int parsePagedResults (
 819         Operation *op,
 820         SlapReply *rs,
 821         LDAPControl *ctrl )
 822 {
 823         ber_tag_t tag;
 824         ber_int_t size;
 825         BerElement *ber;
 826         struct berval cookie = { 0, NULL };
 827
 828         if ( op->o_pagedresults != SLAP_NO_CONTROL ) {
 829                 rs->sr_text = "paged results control specified multiple times";
 830                 return LDAP_PROTOCOL_ERROR;
 831         }
 832
 833         if ( ctrl->ldctl_value.bv_len == 0 ) {
 834                 rs->sr_text = "paged results control value is empty (or absent)";
 835                 return LDAP_PROTOCOL_ERROR;
 836         }
 837
 838         /* Parse the control value
 839          *      realSearchControlValue ::= SEQUENCE {
 840          *              size    INTEGER (0..maxInt),
 841          *                              -- requested page size from client
 842          *                              -- result set size estimate from server
 843          *              cookie  OCTET STRING
 844          * }
 845          */
 846         ber = ber_init( &ctrl->ldctl_value );
 847         if( ber == NULL ) {
 848                 rs->sr_text = "internal error";
 849                 return LDAP_OTHER;
 850         }
 851
 852         tag = ber_scanf( ber, "{im}", &size, &cookie );
 853         (void) ber_free( ber, 1 );
 854
 855         if( tag == LBER_ERROR ) {
 856                 rs->sr_text = "paged results control could not be decoded";
 857                 return LDAP_PROTOCOL_ERROR;
 858         }
 859
 860         if( size < 0 ) {
 861                 rs->sr_text = "paged results control size invalid";
 862                 return LDAP_PROTOCOL_ERROR;
 863         }
 864
 865         if( cookie.bv_len ) {
 866                 PagedResultsCookie reqcookie;
 867                 if( cookie.bv_len != sizeof( reqcookie ) ) {
 868                         /* bad cookie */
 869                         rs->sr_text = "paged results cookie is invalid";
 870                         return LDAP_PROTOCOL_ERROR;
 871                 }
 872
 873                 AC_MEMCPY( &reqcookie, cookie.bv_val, sizeof( reqcookie ));
 874
 875                 if( reqcookie > op->o_pagedresults_state.ps_cookie ) {
 876                         /* bad cookie */
 877                         rs->sr_text = "paged results cookie is invalid";
 878                         return LDAP_PROTOCOL_ERROR;
 879
 880                 } else if( reqcookie < op->o_pagedresults_state.ps_cookie ) {
 881                         rs->sr_text = "paged results cookie is invalid or old";
 882                         return LDAP_UNWILLING_TO_PERFORM;
 883                 }
 884         } else {
 885                 /* Initial request.  Initialize state. */
 886                 op->o_pagedresults_state.ps_cookie = 0;
 887                 op->o_pagedresults_state.ps_id = NOID;
 888         }
 889
 890         op->o_pagedresults_size = size;
 891
 892         op->o_pagedresults = ctrl->ldctl_iscritical
 893                 ? SLAP_CRITICAL_CONTROL
 894                 : SLAP_NONCRITICAL_CONTROL;
 895
 896         return LDAP_SUCCESS;
 897 }
 898 #endif
 899
 900 static int parseAssert (
 901         Operation *op,
 902         SlapReply *rs,
 903         LDAPControl *ctrl )
 904 {
 905         BerElement      *ber;
 906         struct berval   fstr = { 0, NULL };
 907         const char *err_msg = "";
 908
 909         if ( op->o_assert != SLAP_NO_CONTROL ) {
 910                 rs->sr_text = "assert control specified multiple times";
 911                 return LDAP_PROTOCOL_ERROR;
 912         }
 913
 914         if ( ctrl->ldctl_value.bv_len == 0 ) {
 915                 rs->sr_text = "assert control value is empty (or absent)";
 916                 return LDAP_PROTOCOL_ERROR;
 917         }
 918
 919         ber = ber_init( &(ctrl->ldctl_value) );
 920         if (ber == NULL) {
 921                 rs->sr_text = "assert control: internal error";
 922                 return LDAP_OTHER;
 923         }
 924
 925         rs->sr_err = get_filter( op, ber, &(op->o_assertion), &rs->sr_text);
 926
 927         if( rs->sr_err != LDAP_SUCCESS ) {
 928                 if( rs->sr_err == SLAPD_DISCONNECT ) {
 929                         rs->sr_err = LDAP_PROTOCOL_ERROR;
 930                         send_ldap_disconnect( op, rs );
 931                         rs->sr_err = SLAPD_DISCONNECT;
 932                 } else {
 933                         send_ldap_result( op, rs );
 934                 }
 935                 if( op->o_assertion != NULL ) {
 936                         filter_free_x( op, op->o_assertion );
 937                 }
 938                 return rs->sr_err;
 939         }
 940
 941 #ifdef LDAP_DEBUG
 942         filter2bv_x( op, op->o_assertion, &fstr );
 943
 944 #ifdef NEW_LOGGING
 945         LDAP_LOG( OPERATION, ARGS,
 946                 "parseAssert: conn %ld assert: %s\n",
 947                 op->o_connid, fstr.bv_len ? fstr.bv_val : "empty" , 0 );
 948 #else
 949         Debug( LDAP_DEBUG_ARGS, "parseAssert: conn %ld assert: %s\n",
 950                 op->o_connid, fstr.bv_len ? fstr.bv_val : "empty" , 0 );
 951 #endif
 952         op->o_tmpfree( fstr.bv_val, op->o_tmpmemctx );
 953 #endif
 954
 955         op->o_assert = ctrl->ldctl_iscritical
 956                 ? SLAP_CRITICAL_CONTROL
 957                 : SLAP_NONCRITICAL_CONTROL;
 958
 959         rs->sr_err = LDAP_SUCCESS;
 960         return LDAP_SUCCESS;
 961 }
 962
 963 static int parsePreRead (
 964         Operation *op,
 965         SlapReply *rs,
 966         LDAPControl *ctrl )
 967 {
 968         ber_len_t siz, off, i;
 969         AttributeName *an = NULL;
 970         BerElement      *ber;
 971
 972         if ( op->o_preread != SLAP_NO_CONTROL ) {
 973                 rs->sr_text = "preread control specified multiple times";
 974                 return LDAP_PROTOCOL_ERROR;
 975         }
 976
 977         if ( ctrl->ldctl_value.bv_len == 0 ) {
 978                 rs->sr_text = "preread control value is empty (or absent)";
 979                 return LDAP_PROTOCOL_ERROR;
 980         }
 981
 982         ber = ber_init( &(ctrl->ldctl_value) );
 983         if (ber == NULL) {
 984                 rs->sr_text = "preread control: internal error";
 985                 return LDAP_OTHER;
 986         }
 987
 988         siz = sizeof( AttributeName );
 989         off = 0;
 990         if ( ber_scanf( ber, "{M}", &an, &siz, off ) == LBER_ERROR ) {
 991                 rs->sr_text = "preread control: decoding error";
 992                 return LDAP_PROTOCOL_ERROR;
 993         }
 994
 995         for( i=0; i<siz; i++ ) {
 996                 const char *dummy;
 997                 an[i].an_desc = NULL;
 998                 an[i].an_oc = NULL;
 999                 slap_bv2ad( &an[i].an_name, &an[i].an_desc, &dummy );
1000         }
1001
1002         op->o_preread = ctrl->ldctl_iscritical
1003                 ? SLAP_CRITICAL_CONTROL
1004                 : SLAP_NONCRITICAL_CONTROL;
1005
1006         op->o_preread_attrs = an;
1007
1008         rs->sr_err = LDAP_SUCCESS;
1009         return LDAP_SUCCESS;
1010 }
1011
1012 static int parsePostRead (
1013         Operation *op,
1014         SlapReply *rs,
1015         LDAPControl *ctrl )
1016 {
1017         ber_len_t siz, off, i;
1018         AttributeName *an = NULL;
1019         BerElement      *ber;
1020
1021         if ( op->o_postread != SLAP_NO_CONTROL ) {
1022                 rs->sr_text = "postread control specified multiple times";
1023                 return LDAP_PROTOCOL_ERROR;
1024         }
1025
1026         if ( ctrl->ldctl_value.bv_len == 0 ) {
1027                 rs->sr_text = "postread control value is empty (or absent)";
1028                 return LDAP_PROTOCOL_ERROR;
1029         }
1030
1031         ber = ber_init( &(ctrl->ldctl_value) );
1032         if (ber == NULL) {
1033                 rs->sr_text = "postread control: internal error";
1034                 return LDAP_OTHER;
1035         }
1036
1037         siz = sizeof( AttributeName );
1038         off = 0;
1039         if ( ber_scanf( ber, "{M}", &an, &siz, off ) == LBER_ERROR ) {
1040                 rs->sr_text = "postread control: decoding error";
1041                 return LDAP_PROTOCOL_ERROR;
1042         }
1043
1044         for( i=0; i<siz; i++ ) {
1045                 const char *dummy;
1046                 an[i].an_desc = NULL;
1047                 an[i].an_oc = NULL;
1048                 slap_bv2ad( &an[i].an_name, &an[i].an_desc, &dummy );
1049         }
1050
1051         op->o_postread = ctrl->ldctl_iscritical
1052                 ? SLAP_CRITICAL_CONTROL
1053                 : SLAP_NONCRITICAL_CONTROL;
1054
1055         op->o_postread_attrs = an;
1056
1057         rs->sr_err = LDAP_SUCCESS;
1058         return LDAP_SUCCESS;
1059 }
1060
1061 int parseValuesReturnFilter (
1062         Operation *op,
1063         SlapReply *rs,
1064         LDAPControl *ctrl )
1065 {
1066         BerElement      *ber;
1067         struct berval   fstr = { 0, NULL };
1068         const char *err_msg = "";
1069
1070         if ( op->o_valuesreturnfilter != SLAP_NO_CONTROL ) {
1071                 rs->sr_text = "valuesReturnFilter control specified multiple times";
1072                 return LDAP_PROTOCOL_ERROR;
1073         }
1074
1075         if ( ctrl->ldctl_value.bv_len == 0 ) {
1076                 rs->sr_text = "valuesReturnFilter control value is empty (or absent)";
1077                 return LDAP_PROTOCOL_ERROR;
1078         }
1079
1080         ber = ber_init( &(ctrl->ldctl_value) );
1081         if (ber == NULL) {
1082                 rs->sr_text = "internal error";
1083                 return LDAP_OTHER;
1084         }
1085
1086         rs->sr_err = get_vrFilter( op, ber, &(op->o_vrFilter), &rs->sr_text);
1087
1088         if( rs->sr_err != LDAP_SUCCESS ) {
1089                 if( rs->sr_err == SLAPD_DISCONNECT ) {
1090                         rs->sr_err = LDAP_PROTOCOL_ERROR;
1091                         send_ldap_disconnect( op, rs );
1092                         rs->sr_err = SLAPD_DISCONNECT;
1093                 } else {
1094                         send_ldap_result( op, rs );
1095                 }
1096                 if( op->o_vrFilter != NULL) vrFilter_free( op, op->o_vrFilter );
1097         }
1098 #ifdef LDAP_DEBUG
1099         else {
1100                 vrFilter2bv( op, op->o_vrFilter, &fstr );
1101         }
1102
1103 #ifdef NEW_LOGGING
1104         LDAP_LOG( OPERATION, ARGS,
1105                 "parseValuesReturnFilter: conn %d       vrFilter: %s\n",
1106                 op->o_connid, fstr.bv_len ? fstr.bv_val : "empty" , 0 );
1107 #else
1108         Debug( LDAP_DEBUG_ARGS, "       vrFilter: %s\n",
1109                 fstr.bv_len ? fstr.bv_val : "empty", 0, 0 );
1110 #endif
1111         op->o_tmpfree( fstr.bv_val, op->o_tmpmemctx );
1112 #endif
1113
1114         op->o_valuesreturnfilter = ctrl->ldctl_iscritical
1115                 ? SLAP_CRITICAL_CONTROL
1116                 : SLAP_NONCRITICAL_CONTROL;
1117
1118         rs->sr_err = LDAP_SUCCESS;
1119         return LDAP_SUCCESS;
1120 }
1121
1122 #ifdef LDAP_CONTROL_SUBENTRIES
1123 static int parseSubentries (
1124         Operation *op,
1125         SlapReply *rs,
1126         LDAPControl *ctrl )
1127 {
1128         if ( op->o_subentries != SLAP_NO_CONTROL ) {
1129                 rs->sr_text = "subentries control specified multiple times";
1130                 return LDAP_PROTOCOL_ERROR;
1131         }
1132
1133         /* FIXME: should use BER library */
1134         if( ( ctrl->ldctl_value.bv_len != 3 )
1135                 && ( ctrl->ldctl_value.bv_val[0] != 0x01 )
1136                 && ( ctrl->ldctl_value.bv_val[1] != 0x01 ))
1137         {
1138                 rs->sr_text = "subentries control value encoding is bogus";
1139                 return LDAP_PROTOCOL_ERROR;
1140         }
1141
1142         op->o_subentries = ctrl->ldctl_iscritical
1143                 ? SLAP_CRITICAL_CONTROL
1144                 : SLAP_NONCRITICAL_CONTROL;
1145
1146         op->o_subentries_visibility = (ctrl->ldctl_value.bv_val[2] != 0x00);
1147
1148         return LDAP_SUCCESS;
1149 }
1150 #endif
1151
1152 #ifdef LDAP_CONTROL_X_PERMISSIVE_MODIFY
1153 static int parsePermissiveModify (
1154         Operation *op,
1155         SlapReply *rs,
1156         LDAPControl *ctrl )
1157 {
1158         if ( op->o_permissive_modify != SLAP_NO_CONTROL ) {
1159                 rs->sr_text = "permissiveModify control specified multiple times";
1160                 return LDAP_PROTOCOL_ERROR;
1161         }
1162
1163         if ( ctrl->ldctl_value.bv_len ) {
1164                 rs->sr_text = "permissiveModify control value not empty";
1165                 return LDAP_PROTOCOL_ERROR;
1166         }
1167
1168         op->o_permissive_modify = ctrl->ldctl_iscritical
1169                 ? SLAP_CRITICAL_CONTROL
1170                 : SLAP_NONCRITICAL_CONTROL;
1171
1172         return LDAP_SUCCESS;
1173 }
1174 #endif
1175
1176 #ifdef LDAP_CONTROL_X_DOMAIN_SCOPE
1177 static int parseDomainScope (
1178         Operation *op,
1179         SlapReply *rs,
1180         LDAPControl *ctrl )
1181 {
1182         if ( op->o_domain_scope != SLAP_NO_CONTROL ) {
1183                 rs->sr_text = "domainScope control specified multiple times";
1184                 return LDAP_PROTOCOL_ERROR;
1185         }
1186
1187         if ( ctrl->ldctl_value.bv_len ) {
1188                 rs->sr_text = "domainScope control value not empty";
1189                 return LDAP_PROTOCOL_ERROR;
1190         }
1191
1192         op->o_domain_scope = ctrl->ldctl_iscritical
1193                 ? SLAP_CRITICAL_CONTROL
1194                 : SLAP_NONCRITICAL_CONTROL;
1195
1196         return LDAP_SUCCESS;
1197 }
1198 #endif
1199
1200 static int parseLDAPsync (
1201         Operation *op,
1202         SlapReply *rs,
1203         LDAPControl *ctrl )
1204 {
1205         ber_tag_t tag;
1206         BerElement *ber;
1207         ber_int_t mode;
1208         ber_len_t len;
1209         struct berval cookie = { 0, NULL };
1210
1211         if ( op->o_sync != SLAP_NO_CONTROL ) {
1212                 rs->sr_text = "LDAP Sync control specified multiple times";
1213                 return LDAP_PROTOCOL_ERROR;
1214         }
1215
1216         if ( ctrl->ldctl_value.bv_len == 0 ) {
1217                 rs->sr_text = "LDAP Sync control value is empty (or absent)";
1218                 return LDAP_PROTOCOL_ERROR;
1219         }
1220
1221         /* Parse the control value
1222          *      syncRequestValue ::= SEQUENCE {
1223          *              mode   ENUMERATED {
1224          *                      -- 0 unused
1225          *                      refreshOnly             (1),
1226          *                      -- 2 reserved
1227          *                      refreshAndPersist       (3)
1228          *              },
1229          *              cookie  syncCookie OPTIONAL
1230          *      }
1231          */
1232
1233         ber = ber_init( &ctrl->ldctl_value );
1234         if( ber == NULL ) {
1235                 rs->sr_text = "internal error";
1236                 return LDAP_OTHER;
1237         }
1238
1239         if ( (tag = ber_scanf( ber, "{i" /*}*/, &mode )) == LBER_ERROR ) {
1240                 rs->sr_text = "LDAP Sync control : mode decoding error";
1241                 return LDAP_PROTOCOL_ERROR;
1242         }
1243
1244         switch( mode ) {
1245         case LDAP_SYNC_REFRESH_ONLY:
1246                 mode = SLAP_SYNC_REFRESH;
1247                 break;
1248         case LDAP_SYNC_REFRESH_AND_PERSIST:
1249                 mode = SLAP_SYNC_REFRESH_AND_PERSIST;
1250                 break;
1251         default:
1252                 rs->sr_text = "LDAP Sync control : unknown update mode";
1253                 return LDAP_PROTOCOL_ERROR;
1254         }
1255
1256         tag = ber_peek_tag( ber, &len );
1257
1258         if ( tag == LDAP_SYNC_TAG_COOKIE ) {
1259                 if (( ber_scanf( ber, /*{*/ "m}",
1260                                         &cookie )) == LBER_ERROR ) {
1261                         rs->sr_text = "LDAP Sync control : cookie decoding error";
1262                         return LDAP_PROTOCOL_ERROR;
1263                 }
1264         } else {
1265                 if (( ber_scanf( ber, /*{*/ "}")) == LBER_ERROR ) {
1266                         rs->sr_text = "LDAP Sync control : decoding error";
1267                         return LDAP_PROTOCOL_ERROR;
1268                 }
1269                 cookie.bv_len = 0;
1270                 cookie.bv_val = NULL;
1271         }
1272
1273         ber_dupbv( &op->o_sync_state, &cookie );
1274
1275         (void) ber_free( ber, 1 );
1276
1277         op->o_sync_mode = (char) mode;
1278
1279         op->o_sync = ctrl->ldctl_iscritical
1280                 ? SLAP_CRITICAL_CONTROL
1281                 : SLAP_NONCRITICAL_CONTROL;
1282
1283         return LDAP_SUCCESS;
1284 }