git.sur5r.net Git - openldap/blob - servers/slapd/controls.c

   1 /* $OpenLDAP$ */
   2 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
   3  *
   4  * Copyright 1998-2003 The OpenLDAP Foundation.
   5  * All rights reserved.
   6  *
   7  * Redistribution and use in source and binary forms, with or without
   8  * modification, are permitted only as authorized by the OpenLDAP
   9  * Public License.
  10  *
  11  * A copy of this license is available in the file LICENSE in the
  12  * top-level directory of the distribution or, alternatively, at
  13  * <http://www.OpenLDAP.org/license.html>.
  14  */
  15
  16 #include "portable.h"
  17
  18 #include <stdio.h>
  19
  20 #include <ac/string.h>
  21 #include <ac/socket.h>
  22
  23 #include "slap.h"
  24
  25 #include "../../libraries/liblber/lber-int.h"
  26
  27 static SLAP_CTRL_PARSE_FN parseAssert;
  28 static SLAP_CTRL_PARSE_FN parsePreRead;
  29 static SLAP_CTRL_PARSE_FN parsePostRead;
  30 static SLAP_CTRL_PARSE_FN parseProxyAuthz;
  31 static SLAP_CTRL_PARSE_FN parseManageDSAit;
  32 static SLAP_CTRL_PARSE_FN parseModifyIncrement;
  33 static SLAP_CTRL_PARSE_FN parseNoOp;
  34 static SLAP_CTRL_PARSE_FN parsePagedResults;
  35 static SLAP_CTRL_PARSE_FN parseValuesReturnFilter;
  36 static SLAP_CTRL_PARSE_FN parsePermissiveModify;
  37 static SLAP_CTRL_PARSE_FN parseDomainScope;
  38
  39 #ifdef LDAP_CONTROL_SUBENTRIES
  40 static SLAP_CTRL_PARSE_FN parseSubentries;
  41 #endif
  42 static SLAP_CTRL_PARSE_FN parseLDAPsync;
  43
  44 #undef sc_mask /* avoid conflict with Irix 6.5 <sys/signal.h> */
  45
  46 const struct berval slap_pre_read_bv = BER_BVC(LDAP_CONTROL_PRE_READ);
  47 const struct berval slap_post_read_bv = BER_BVC(LDAP_CONTROL_POST_READ);
  48
  49 struct slap_control {
  50         /* Control OID */
  51         char *sc_oid;
  52
  53         /* Operations supported by control */
  54         slap_mask_t sc_mask;
  55
  56         /* Extended operations supported by control */
  57         char **sc_extendedops;
  58
  59         /* Control parsing callback */
  60         SLAP_CTRL_PARSE_FN *sc_parse;
  61
  62         LDAP_SLIST_ENTRY(slap_control) sc_next;
  63 };
  64
  65 static LDAP_SLIST_HEAD(ControlsList, slap_control) controls_list
  66         = LDAP_SLIST_HEAD_INITIALIZER(&controls_list);
  67
  68 /*
  69  * all known request control OIDs should be added to this list
  70  */
  71 char **slap_known_controls = NULL;
  72
  73 static char *proxy_authz_extops[] = {
  74         LDAP_EXOP_MODIFY_PASSWD,
  75         LDAP_EXOP_X_WHO_AM_I,
  76         NULL
  77 };
  78
  79 static struct slap_control control_defs[] = {
  80         { LDAP_CONTROL_ASSERT,
  81                 SLAP_CTRL_HIDE|SLAP_CTRL_ACCESS, NULL,
  82                 parseAssert, LDAP_SLIST_ENTRY_INITIALIZER(next) },
  83         { LDAP_CONTROL_PRE_READ,
  84                 SLAP_CTRL_HIDE|SLAP_CTRL_DELETE|SLAP_CTRL_MODIFY|SLAP_CTRL_RENAME, NULL,
  85                 parsePreRead, LDAP_SLIST_ENTRY_INITIALIZER(next) },
  86         { LDAP_CONTROL_POST_READ,
  87                 SLAP_CTRL_HIDE|SLAP_CTRL_ADD|SLAP_CTRL_MODIFY|SLAP_CTRL_RENAME, NULL,
  88                 parsePostRead, LDAP_SLIST_ENTRY_INITIALIZER(next) },
  89         { LDAP_CONTROL_VALUESRETURNFILTER,
  90                 SLAP_CTRL_SEARCH, NULL,
  91                 parseValuesReturnFilter, LDAP_SLIST_ENTRY_INITIALIZER(next) },
  92         { LDAP_CONTROL_PAGEDRESULTS,
  93                 SLAP_CTRL_SEARCH, NULL,
  94                 parsePagedResults, LDAP_SLIST_ENTRY_INITIALIZER(next) },
  95 #ifdef LDAP_CONTROL_X_DOMAIN_SCOPE
  96         { LDAP_CONTROL_X_DOMAIN_SCOPE,
  97                 SLAP_CTRL_FRONTEND|SLAP_CTRL_SEARCH, NULL,
  98                 parseDomainScope, LDAP_SLIST_ENTRY_INITIALIZER(next) },
  99 #endif
 100 #ifdef LDAP_CONTROL_X_PERMISSIVE_MODIFY
 101         { LDAP_CONTROL_X_PERMISSIVE_MODIFY,
 102                 SLAP_CTRL_MODIFY, NULL,
 103                 parsePermissiveModify, LDAP_SLIST_ENTRY_INITIALIZER(next) },
 104 #endif
 105 #ifdef LDAP_CONTROL_SUBENTRIES
 106         { LDAP_CONTROL_SUBENTRIES,
 107                 SLAP_CTRL_SEARCH, NULL,
 108                 parseSubentries, LDAP_SLIST_ENTRY_INITIALIZER(next) },
 109 #endif
 110         { LDAP_CONTROL_NOOP,
 111                 SLAP_CTRL_ACCESS, NULL,
 112                 parseNoOp, LDAP_SLIST_ENTRY_INITIALIZER(next) },
 113         { LDAP_CONTROL_SYNC,
 114                 SLAP_CTRL_HIDE|SLAP_CTRL_SEARCH, NULL,
 115                 parseLDAPsync, LDAP_SLIST_ENTRY_INITIALIZER(next) },
 116 #ifdef LDAP_CONTROL_MODIFY_INCREMENT
 117         { LDAP_CONTROL_MODIFY_INCREMENT,
 118                 SLAP_CTRL_HIDE|SLAP_CTRL_MODIFY, NULL,
 119                 parseModifyIncrement, LDAP_SLIST_ENTRY_INITIALIZER(next) },
 120 #endif
 121         { LDAP_CONTROL_MANAGEDSAIT,
 122                 SLAP_CTRL_ACCESS, NULL,
 123                 parseManageDSAit, LDAP_SLIST_ENTRY_INITIALIZER(next) },
 124         { LDAP_CONTROL_PROXY_AUTHZ,
 125                 SLAP_CTRL_FRONTEND|SLAP_CTRL_ACCESS, proxy_authz_extops,
 126                 parseProxyAuthz, LDAP_SLIST_ENTRY_INITIALIZER(next) },
 127         { NULL, 0, NULL, 0, LDAP_SLIST_ENTRY_INITIALIZER(next) }
 128 };
 129
 130 /*
 131  * Register a supported control.
 132  *
 133  * This can be called by an OpenLDAP plugin or, indirectly, by a
 134  * SLAPI plugin calling slapi_register_supported_control().
 135  */
 136 int
 137 register_supported_control(const char *controloid,
 138         slap_mask_t controlmask,
 139         char **controlexops,
 140         SLAP_CTRL_PARSE_FN *controlparsefn)
 141 {
 142         struct slap_control *sc;
 143         int i;
 144
 145         if ( controloid == NULL ) {
 146                 return LDAP_PARAM_ERROR;
 147         }
 148
 149         sc = (struct slap_control *)SLAP_MALLOC( sizeof( *sc ) );
 150         if ( sc == NULL ) {
 151                 return LDAP_NO_MEMORY;
 152         }
 153         sc->sc_oid = ch_strdup( controloid );
 154         sc->sc_mask = controlmask;
 155         if ( controlexops != NULL ) {
 156                 sc->sc_extendedops = ldap_charray_dup( controlexops );
 157                 if ( sc->sc_extendedops == NULL ) {
 158                         ch_free( sc );
 159                         return LDAP_NO_MEMORY;
 160                 }
 161         } else {
 162                 sc->sc_extendedops = NULL;
 163         }
 164         sc->sc_parse = controlparsefn;
 165
 166         /* Update slap_known_controls, too. */
 167         if ( slap_known_controls == NULL ) {
 168                 slap_known_controls = (char **)SLAP_MALLOC( 2 * sizeof(char *) );
 169                 if ( slap_known_controls == NULL ) {
 170                         if ( sc->sc_extendedops != NULL ) ldap_charray_free( sc->sc_extendedops );
 171                         ch_free( sc );
 172                         return LDAP_NO_MEMORY;
 173                 }
 174                 slap_known_controls[0] = ch_strdup( sc->sc_oid );
 175                 slap_known_controls[1] = NULL;
 176         } else {
 177                 for ( i = 0; slap_known_controls[i] != NULL; i++ )
 178                         ;
 179                 slap_known_controls = (char **)SLAP_REALLOC( slap_known_controls, (i + 2) * sizeof(char *) );
 180                 if ( slap_known_controls == NULL ) {
 181                         if ( sc->sc_extendedops != NULL ) ldap_charray_free( sc->sc_extendedops );
 182                         ch_free( sc );
 183                         return LDAP_NO_MEMORY;
 184                 }
 185                 slap_known_controls[i++] = ch_strdup( sc->sc_oid );
 186                 slap_known_controls[i] = NULL;
 187         }
 188
 189         LDAP_SLIST_NEXT( sc, sc_next ) = NULL;
 190         LDAP_SLIST_INSERT_HEAD( &controls_list, sc, sc_next );
 191
 192         return LDAP_SUCCESS;
 193 }
 194
 195 /*
 196  * One-time initialization of internal controls.
 197  */
 198 int
 199 slap_controls_init( void )
 200 {
 201         int i, rc;
 202         struct slap_control *sc;
 203
 204         rc = LDAP_SUCCESS;
 205
 206         for ( i = 0; control_defs[i].sc_oid != NULL; i++ ) {
 207                 rc = register_supported_control( control_defs[i].sc_oid,
 208                         control_defs[i].sc_mask, control_defs[i].sc_extendedops,
 209                         control_defs[i].sc_parse );
 210                 if ( rc != LDAP_SUCCESS )
 211                         break;
 212         }
 213
 214         return rc;
 215 }
 216
 217 /*
 218  * Free memory associated with list of supported controls.
 219  */
 220 void
 221 controls_destroy( void )
 222 {
 223         struct slap_control *sc;
 224
 225         while ( !LDAP_SLIST_EMPTY(&controls_list) ) {
 226                 sc = LDAP_SLIST_FIRST(&controls_list);
 227                 LDAP_SLIST_REMOVE_HEAD(&controls_list, sc_next);
 228
 229                 ch_free( sc->sc_oid );
 230                 if ( sc->sc_extendedops != NULL ) {
 231                         ldap_charray_free( sc->sc_extendedops );
 232                 }
 233                 ch_free( sc );
 234         }
 235         ldap_charray_free( slap_known_controls );
 236 }
 237
 238 /*
 239  * Format the supportedControl attribute of the root DSE,
 240  * detailing which controls are supported by the directory
 241  * server.
 242  */
 243 int
 244 controls_root_dse_info( Entry *e )
 245 {
 246         AttributeDescription *ad_supportedControl
 247                 = slap_schema.si_ad_supportedControl;
 248         struct berval vals[2];
 249         struct slap_control *sc;
 250
 251         vals[1].bv_val = NULL;
 252         vals[1].bv_len = 0;
 253
 254         LDAP_SLIST_FOREACH( sc, &controls_list, sc_next ) {
 255                 if( sc->sc_mask & SLAP_CTRL_HIDE ) continue;
 256
 257                 vals[0].bv_val = sc->sc_oid;
 258                 vals[0].bv_len = strlen( sc->sc_oid );
 259
 260                 if ( attr_merge( e, ad_supportedControl, vals, NULL ) ) {
 261                         return -1;
 262                 }
 263         }
 264
 265         return 0;
 266 }
 267
 268 /*
 269  * Return a list of OIDs and operation masks for supported
 270  * controls. Used by SLAPI.
 271  */
 272 int
 273 get_supported_controls(char ***ctrloidsp,
 274         slap_mask_t **ctrlmasks)
 275 {
 276         int i, n;
 277         char **oids;
 278         slap_mask_t *masks;
 279         int rc;
 280         struct slap_control *sc;
 281
 282         n = 0;
 283
 284         LDAP_SLIST_FOREACH( sc, &controls_list, sc_next ) {
 285                 n++;
 286         }
 287
 288         if ( n == 0 ) {
 289                 *ctrloidsp = NULL;
 290                 *ctrlmasks = NULL;
 291                 return LDAP_SUCCESS;
 292         }
 293
 294         oids = (char **)SLAP_MALLOC( (n + 1) * sizeof(char *) );
 295         if ( oids == NULL ) {
 296                 return LDAP_NO_MEMORY;
 297         }
 298         masks = (slap_mask_t *)SLAP_MALLOC( (n + 1) * sizeof(slap_mask_t) );
 299         if  ( masks == NULL ) {
 300                 ch_free( oids );
 301                 return LDAP_NO_MEMORY;
 302         }
 303
 304         n = 0;
 305
 306         LDAP_SLIST_FOREACH( sc, &controls_list, sc_next ) {
 307                 oids[n] = ch_strdup( sc->sc_oid );
 308                 masks[n] = sc->sc_mask;
 309                 n++;
 310         }
 311         oids[n] = NULL;
 312         masks[n] = 0;
 313
 314         *ctrloidsp = oids;
 315         *ctrlmasks = masks;
 316
 317         return LDAP_SUCCESS;
 318 }
 319
 320 /*
 321  * Find a control given its OID.
 322  */
 323 static struct slap_control *
 324 find_ctrl( const char *oid )
 325 {
 326         struct slap_control *sc;
 327
 328         LDAP_SLIST_FOREACH( sc, &controls_list, sc_next ) {
 329                 if ( strcmp( oid, sc->sc_oid ) == 0 ) {
 330                         return sc;
 331                 }
 332         }
 333
 334         return NULL;
 335 }
 336
 337 void slap_free_ctrls(
 338         Operation *op,
 339         LDAPControl **ctrls
 340 )
 341 {
 342         int i;
 343
 344         for (i=0; ctrls[i]; i++) {
 345                 op->o_tmpfree(ctrls[i], op->o_tmpmemctx );
 346         }
 347         op->o_tmpfree( ctrls, op->o_tmpmemctx );
 348 }
 349
 350 int get_ctrls(
 351         Operation *op,
 352         SlapReply *rs,
 353         int sendres )
 354 {
 355         int nctrls = 0;
 356         ber_tag_t tag;
 357         ber_len_t len;
 358         char *opaque;
 359         BerElement *ber = op->o_ber;
 360         struct slap_control *sc;
 361         struct berval bv;
 362
 363         len = ber_pvt_ber_remaining(ber);
 364
 365         if( len == 0) {
 366                 /* no controls */
 367                 rs->sr_err = LDAP_SUCCESS;
 368                 return rs->sr_err;
 369         }
 370
 371         if(( tag = ber_peek_tag( ber, &len )) != LDAP_TAG_CONTROLS ) {
 372                 if( tag == LBER_ERROR ) {
 373                         rs->sr_err = SLAPD_DISCONNECT;
 374                         rs->sr_text = "unexpected data in PDU";
 375                 }
 376
 377                 goto return_results;
 378         }
 379
 380 #ifdef NEW_LOGGING
 381         LDAP_LOG( OPERATION, ENTRY,
 382                 "get_ctrls: conn %lu\n", op->o_connid, 0, 0 );
 383 #else
 384         Debug( LDAP_DEBUG_TRACE,
 385                 "=> get_ctrls\n", 0, 0, 0 );
 386 #endif
 387
 388         if( op->o_protocol < LDAP_VERSION3 ) {
 389                 rs->sr_err = SLAPD_DISCONNECT;
 390                 rs->sr_text = "controls require LDAPv3";
 391                 goto return_results;
 392         }
 393
 394         /* one for first control, one for termination */
 395         op->o_ctrls = op->o_tmpalloc( 2 * sizeof(LDAPControl *), op->o_tmpmemctx );
 396
 397 #if 0
 398         if( op->ctrls == NULL ) {
 399                 rs->sr_err = LDAP_NO_MEMORY;
 400                 rs->sr_text = "no memory";
 401                 goto return_results;
 402         }
 403 #endif
 404
 405         op->o_ctrls[nctrls] = NULL;
 406
 407         /* step through each element */
 408         for( tag = ber_first_element( ber, &len, &opaque );
 409                 tag != LBER_ERROR;
 410                 tag = ber_next_element( ber, &len, opaque ) )
 411         {
 412                 LDAPControl *c;
 413                 LDAPControl **tctrls;
 414
 415                 c = op->o_tmpalloc( sizeof(LDAPControl), op->o_tmpmemctx );
 416                 memset(c, 0, sizeof(LDAPControl));
 417
 418                 /* allocate pointer space for current controls (nctrls)
 419                  * + this control + extra NULL
 420                  */
 421                 tctrls = op->o_tmprealloc( op->o_ctrls,
 422                         (nctrls+2) * sizeof(LDAPControl *), op->o_tmpmemctx );
 423
 424 #if 0
 425                 if( tctrls == NULL ) {
 426                         ch_free( c );
 427                         ldap_controls_free(op->o_ctrls);
 428                         op->o_ctrls = NULL;
 429
 430                         rs->sr_err = LDAP_NO_MEMORY;
 431                         rs->sr_text = "no memory";
 432                         goto return_results;
 433                 }
 434 #endif
 435                 op->o_ctrls = tctrls;
 436
 437                 op->o_ctrls[nctrls++] = c;
 438                 op->o_ctrls[nctrls] = NULL;
 439
 440                 tag = ber_scanf( ber, "{m" /*}*/, &bv );
 441                 c->ldctl_oid = bv.bv_val;
 442
 443                 if( tag == LBER_ERROR ) {
 444 #ifdef NEW_LOGGING
 445                         LDAP_LOG( OPERATION, INFO, "get_ctrls: conn %lu get OID failed.\n",
 446                                 op->o_connid, 0, 0 );
 447 #else
 448                         Debug( LDAP_DEBUG_TRACE, "=> get_ctrls: get oid failed.\n",
 449                                 0, 0, 0 );
 450 #endif
 451
 452                         slap_free_ctrls( op, op->o_ctrls );
 453                         op->o_ctrls = NULL;
 454                         rs->sr_err = SLAPD_DISCONNECT;
 455                         rs->sr_text = "decoding controls error";
 456                         goto return_results;
 457
 458                 } else if( c->ldctl_oid == NULL ) {
 459 #ifdef NEW_LOGGING
 460                         LDAP_LOG( OPERATION, INFO,
 461                                 "get_ctrls: conn %lu got emtpy OID.\n",
 462                                 op->o_connid, 0, 0 );
 463 #else
 464                         Debug( LDAP_DEBUG_TRACE,
 465                                 "get_ctrls: conn %lu got emtpy OID.\n",
 466                                 op->o_connid, 0, 0 );
 467 #endif
 468
 469                         slap_free_ctrls( op, op->o_ctrls );
 470                         op->o_ctrls = NULL;
 471                         rs->sr_err = LDAP_PROTOCOL_ERROR;
 472                         rs->sr_text = "OID field is empty";
 473                         goto return_results;
 474                 }
 475
 476                 tag = ber_peek_tag( ber, &len );
 477
 478                 if( tag == LBER_BOOLEAN ) {
 479                         ber_int_t crit;
 480                         tag = ber_scanf( ber, "b", &crit );
 481
 482                         if( tag == LBER_ERROR ) {
 483 #ifdef NEW_LOGGING
 484                                 LDAP_LOG( OPERATION, INFO,
 485                                         "get_ctrls: conn %lu get crit failed.\n",
 486                                         op->o_connid, 0, 0 );
 487 #else
 488                                 Debug( LDAP_DEBUG_TRACE, "=> get_ctrls: get crit failed.\n",
 489                                         0, 0, 0 );
 490 #endif
 491                                 slap_free_ctrls( op, op->o_ctrls );
 492                                 op->o_ctrls = NULL;
 493                                 rs->sr_err = SLAPD_DISCONNECT;
 494                                 rs->sr_text = "decoding controls error";
 495                                 goto return_results;
 496                         }
 497
 498                         c->ldctl_iscritical = (crit != 0);
 499                         tag = ber_peek_tag( ber, &len );
 500                 }
 501
 502                 if( tag == LBER_OCTETSTRING ) {
 503                         tag = ber_scanf( ber, "m", &c->ldctl_value );
 504
 505                         if( tag == LBER_ERROR ) {
 506 #ifdef NEW_LOGGING
 507                                 LDAP_LOG( OPERATION, INFO, "get_ctrls: conn %lu: "
 508                                         "%s (%scritical): get value failed.\n",
 509                                         op->o_connid, c->ldctl_oid,
 510                                         c->ldctl_iscritical ? "" : "non" );
 511 #else
 512                                 Debug( LDAP_DEBUG_TRACE, "=> get_ctrls: conn %lu: "
 513                                         "%s (%scritical): get value failed.\n",
 514                                         op->o_connid, c->ldctl_oid,
 515                                         c->ldctl_iscritical ? "" : "non" );
 516 #endif
 517                                 slap_free_ctrls( op, op->o_ctrls );
 518                                 op->o_ctrls = NULL;
 519                                 rs->sr_err = SLAPD_DISCONNECT;
 520                                 rs->sr_text = "decoding controls error";
 521                                 goto return_results;
 522                         }
 523                 }
 524
 525 #ifdef NEW_LOGGING
 526                 LDAP_LOG( OPERATION, INFO,
 527                         "get_ctrls: conn %lu oid=\"%s\" (%scritical)\n",
 528                         op->o_connid, c->ldctl_oid, c->ldctl_iscritical ? "" : "non" );
 529 #else
 530                 Debug( LDAP_DEBUG_TRACE,
 531                         "=> get_ctrls: oid=\"%s\" (%scritical)\n",
 532                         c->ldctl_oid, c->ldctl_iscritical ? "" : "non", 0 );
 533 #endif
 534
 535                 sc = find_ctrl( c->ldctl_oid );
 536                 if( sc != NULL ) {
 537                         /* recognized control */
 538                         slap_mask_t tagmask;
 539                         switch( op->o_tag ) {
 540                         case LDAP_REQ_ADD:
 541                                 tagmask = SLAP_CTRL_ADD;
 542                                 break;
 543                         case LDAP_REQ_BIND:
 544                                 tagmask = SLAP_CTRL_BIND;
 545                                 break;
 546                         case LDAP_REQ_COMPARE:
 547                                 tagmask = SLAP_CTRL_COMPARE;
 548                                 break;
 549                         case LDAP_REQ_DELETE:
 550                                 tagmask = SLAP_CTRL_DELETE;
 551                                 break;
 552                         case LDAP_REQ_MODIFY:
 553                                 tagmask = SLAP_CTRL_MODIFY;
 554                                 break;
 555                         case LDAP_REQ_RENAME:
 556                                 tagmask = SLAP_CTRL_RENAME;
 557                                 break;
 558                         case LDAP_REQ_SEARCH:
 559                                 tagmask = SLAP_CTRL_SEARCH;
 560                                 break;
 561                         case LDAP_REQ_UNBIND:
 562                                 tagmask = SLAP_CTRL_UNBIND;
 563                                 break;
 564                         case LDAP_REQ_ABANDON:
 565                                 tagmask = SLAP_CTRL_ABANDON;
 566                                 break;
 567                         case LDAP_REQ_EXTENDED:
 568                                 tagmask=~0L;
 569                                 assert( op->ore_reqoid.bv_val != NULL );
 570                                 if( sc->sc_extendedops != NULL ) {
 571                                         int i;
 572                                         for( i=0; sc->sc_extendedops[i] != NULL; i++ ) {
 573                                                 if( strcmp( op->ore_reqoid.bv_val, sc->sc_extendedops[i] )
 574                                                         == 0 )
 575                                                 {
 576                                                         tagmask=0L;
 577                                                         break;
 578                                                 }
 579                                         }
 580                                 }
 581                                 break;
 582                         default:
 583                                 rs->sr_err = LDAP_OTHER;
 584                                 rs->sr_text = "controls internal error";
 585                                 goto return_results;
 586                         }
 587
 588                         if (( sc->sc_mask & tagmask ) == tagmask ) {
 589                                 /* available extension */
 590
 591                                 if( !sc->sc_parse ) {
 592                                         rs->sr_err = LDAP_OTHER;
 593                                         rs->sr_text = "not yet implemented";
 594                                         goto return_results;
 595                                 }
 596
 597                                 rs->sr_err = sc->sc_parse( op, rs, c );
 598
 599                                 if( rs->sr_err != LDAP_SUCCESS ) goto return_results;
 600
 601                                 if ( sc->sc_mask & SLAP_CTRL_FRONTEND ) {
 602                                         /* kludge to disable backend_control() check */
 603                                         c->ldctl_iscritical = 0;
 604
 605                                 } else if ( tagmask == SLAP_CTRL_SEARCH &&
 606                                         sc->sc_mask & SLAP_CTRL_FRONTEND_SEARCH )
 607                                 {
 608                                         /* kludge to disable backend_control() check */
 609                                         c->ldctl_iscritical = 0;
 610                                 }
 611
 612                         } else if( c->ldctl_iscritical ) {
 613                                 /* unavailable CRITICAL control */
 614                                 rs->sr_err = LDAP_UNAVAILABLE_CRITICAL_EXTENSION;
 615                                 rs->sr_text = "critical extension is unavailable";
 616                                 goto return_results;
 617                         }
 618
 619                 } else if( c->ldctl_iscritical ) {
 620                         /* unrecognized CRITICAL control */
 621                         rs->sr_err = LDAP_UNAVAILABLE_CRITICAL_EXTENSION;
 622                         rs->sr_text = "critical extension is not recognized";
 623                         goto return_results;
 624                 }
 625         }
 626
 627 return_results:
 628 #ifdef NEW_LOGGING
 629         LDAP_LOG( OPERATION, RESULTS,
 630                 "get_ctrls: n=%d rc=%d err=\"%s\"\n",
 631                 nctrls, rs->sr_err, rs->sr_text ? rs->sr_text : "" );
 632 #else
 633         Debug( LDAP_DEBUG_TRACE,
 634                 "<= get_ctrls: n=%d rc=%d err=\"%s\"\n",
 635                 nctrls, rs->sr_err, rs->sr_text ? rs->sr_text : "");
 636 #endif
 637
 638         if( sendres && rs->sr_err != LDAP_SUCCESS ) {
 639                 if( rs->sr_err == SLAPD_DISCONNECT ) {
 640                         rs->sr_err = LDAP_PROTOCOL_ERROR;
 641                         send_ldap_disconnect( op, rs );
 642                         rs->sr_err = SLAPD_DISCONNECT;
 643                 } else {
 644                         send_ldap_result( op, rs );
 645                 }
 646         }
 647
 648         return rs->sr_err;
 649 }
 650
 651 static int parseModifyIncrement (
 652         Operation *op,
 653         SlapReply *rs,
 654         LDAPControl *ctrl )
 655 {
 656 #if 0
 657         if ( op->o_parseModifyIncrement != SLAP_NO_CONTROL ) {
 658                 rs->sr_text = "modifyIncrement control specified multiple times";
 659                 return LDAP_PROTOCOL_ERROR;
 660         }
 661 #endif
 662
 663         if ( ctrl->ldctl_value.bv_len ) {
 664                 rs->sr_text = "modifyIncrement control value not empty";
 665                 return LDAP_PROTOCOL_ERROR;
 666         }
 667
 668 #if 0
 669         op->o_parseModifyIncrement = ctrl->ldctl_iscritical
 670                 ? SLAP_CRITICAL_CONTROL
 671                 : SLAP_NONCRITICAL_CONTROL;
 672 #endif
 673
 674         return LDAP_SUCCESS;
 675 }
 676
 677 static int parseManageDSAit (
 678         Operation *op,
 679         SlapReply *rs,
 680         LDAPControl *ctrl )
 681 {
 682         if ( op->o_managedsait != SLAP_NO_CONTROL ) {
 683                 rs->sr_text = "manageDSAit control specified multiple times";
 684                 return LDAP_PROTOCOL_ERROR;
 685         }
 686
 687         if ( ctrl->ldctl_value.bv_len ) {
 688                 rs->sr_text = "manageDSAit control value not empty";
 689                 return LDAP_PROTOCOL_ERROR;
 690         }
 691
 692         op->o_managedsait = ctrl->ldctl_iscritical
 693                 ? SLAP_CRITICAL_CONTROL
 694                 : SLAP_NONCRITICAL_CONTROL;
 695
 696         return LDAP_SUCCESS;
 697 }
 698
 699 static int parseProxyAuthz (
 700         Operation *op,
 701         SlapReply *rs,
 702         LDAPControl *ctrl )
 703 {
 704         int             rc;
 705         struct berval   dn = { 0, NULL };
 706
 707         if ( op->o_proxy_authz != SLAP_NO_CONTROL ) {
 708                 rs->sr_text = "proxy authorization control specified multiple times";
 709                 return LDAP_PROTOCOL_ERROR;
 710         }
 711
 712         op->o_proxy_authz = ctrl->ldctl_iscritical
 713                 ? SLAP_CRITICAL_CONTROL
 714                 : SLAP_NONCRITICAL_CONTROL;
 715
 716 #ifdef NEW_LOGGING
 717         LDAP_LOG( OPERATION, ARGS,
 718                 "parseProxyAuthz: conn %lu authzid=\"%s\"\n",
 719                 op->o_connid,
 720                 ctrl->ldctl_value.bv_len ?  ctrl->ldctl_value.bv_val : "anonymous",
 721                 0 );
 722 #else
 723         Debug( LDAP_DEBUG_ARGS,
 724                 "parseProxyAuthz: conn %lu authzid=\"%s\"\n",
 725                 op->o_connid,
 726                 ctrl->ldctl_value.bv_len ?  ctrl->ldctl_value.bv_val : "anonymous",
 727                 0 );
 728 #endif
 729
 730         if( ctrl->ldctl_value.bv_len == 0 ) {
 731 #ifdef NEW_LOGGING
 732                 LDAP_LOG( OPERATION, RESULTS,
 733                         "parseProxyAuthz: conn=%lu anonymous\n",
 734                         op->o_connid, 0, 0 );
 735 #else
 736                 Debug( LDAP_DEBUG_TRACE,
 737                         "parseProxyAuthz: conn=%lu anonymous\n",
 738                         op->o_connid, 0, 0 );
 739 #endif
 740
 741                 /* anonymous */
 742                 free( op->o_dn.bv_val );
 743                 op->o_dn.bv_len = 0;
 744                 op->o_dn.bv_val = ch_strdup( "" );
 745
 746                 free( op->o_ndn.bv_val );
 747                 op->o_ndn.bv_len = 0;
 748                 op->o_ndn.bv_val = ch_strdup( "" );
 749
 750                 return LDAP_SUCCESS;
 751         }
 752
 753         /* FIXME: how can we get the realm? */
 754         {
 755                 int     rc;
 756                 char            buf[ SLAP_LDAPDN_MAXLEN ];
 757                 struct berval   id,
 758                                 user = { 0, NULL },
 759                                 realm = { 0, NULL },
 760                                 mech = { 0, NULL };
 761
 762                 if ( sizeof( buf ) <= ctrl->ldctl_value.bv_len ) {
 763                         return LDAP_INVALID_SYNTAX;
 764                 }
 765
 766                 id.bv_len = ctrl->ldctl_value.bv_len;
 767                 id.bv_val = buf;
 768                 strncpy( buf, ctrl->ldctl_value.bv_val, sizeof( buf ) );
 769
 770                 rc = slap_parse_user( &id, &user, &realm, &mech );
 771                 if ( rc == LDAP_SUCCESS ) {
 772                         struct berval authz = BER_BVC( "AUTHZ" );
 773
 774                         if ( mech.bv_len && !bvmatch( &mech, &authz) ) {
 775                                 rs->sr_text = "mech not allowed in authzId";
 776                                 return LDAP_PROXY_AUTHZ_FAILURE;
 777                         }
 778                 } else {
 779                         user = ctrl->ldctl_value;
 780                 }
 781
 782                 rc = slap_sasl_getdn( op->o_conn, op,
 783                                 user.bv_val, user.bv_len,
 784                                 realm.bv_val, &dn, SLAP_GETDN_AUTHZID );
 785
 786                 if( rc != LDAP_SUCCESS || !dn.bv_len ) {
 787                         if ( dn.bv_val ) {
 788                                 ch_free( dn.bv_val );
 789                         }
 790                         rs->sr_text = "authzId mapping failed";
 791                         return LDAP_PROXY_AUTHZ_FAILURE;
 792                 }
 793         }
 794
 795 #ifdef NEW_LOGGING
 796         LDAP_LOG( OPERATION, RESULTS,
 797                 "parseProxyAuthz: conn=%lu \"%s\"\n",
 798                 op->o_connid,
 799                 dn.bv_len ? dn.bv_val : "(NULL)", 0 );
 800 #else
 801         Debug( LDAP_DEBUG_TRACE,
 802                 "parseProxyAuthz: conn=%lu \"%s\"\n",
 803                 op->o_connid,
 804                 dn.bv_len ? dn.bv_val : "(NULL)", 0 );
 805 #endif
 806
 807         rc = slap_sasl_authorized( op, &op->o_ndn, &dn );
 808
 809         if( rc ) {
 810                 ch_free( dn.bv_val );
 811                 rs->sr_text = "not authorized to assume identity";
 812                 return LDAP_PROXY_AUTHZ_FAILURE;
 813         }
 814
 815         ch_free( op->o_dn.bv_val );
 816         ch_free( op->o_ndn.bv_val );
 817
 818         op->o_dn.bv_val = NULL;
 819         op->o_ndn = dn;
 820
 821         /*
 822          * NOTE: since slap_sasl_getdn() returns a normalized dn,
 823          * from now on op->o_dn is normalized
 824          */
 825         ber_dupbv( &op->o_dn, &dn );
 826
 827         return LDAP_SUCCESS;
 828 }
 829
 830 static int parseNoOp (
 831         Operation *op,
 832         SlapReply *rs,
 833         LDAPControl *ctrl )
 834 {
 835         if ( op->o_noop != SLAP_NO_CONTROL ) {
 836                 rs->sr_text = "noop control specified multiple times";
 837                 return LDAP_PROTOCOL_ERROR;
 838         }
 839
 840         if ( ctrl->ldctl_value.bv_len ) {
 841                 rs->sr_text = "noop control value not empty";
 842                 return LDAP_PROTOCOL_ERROR;
 843         }
 844
 845         op->o_noop = ctrl->ldctl_iscritical
 846                 ? SLAP_CRITICAL_CONTROL
 847                 : SLAP_NONCRITICAL_CONTROL;
 848
 849         return LDAP_SUCCESS;
 850 }
 851
 852 static int parsePagedResults (
 853         Operation *op,
 854         SlapReply *rs,
 855         LDAPControl *ctrl )
 856 {
 857         ber_tag_t tag;
 858         ber_int_t size;
 859         BerElement *ber;
 860         struct berval cookie = { 0, NULL };
 861
 862         if ( op->o_pagedresults != SLAP_NO_CONTROL ) {
 863                 rs->sr_text = "paged results control specified multiple times";
 864                 return LDAP_PROTOCOL_ERROR;
 865         }
 866
 867         if ( ctrl->ldctl_value.bv_len == 0 ) {
 868                 rs->sr_text = "paged results control value is empty (or absent)";
 869                 return LDAP_PROTOCOL_ERROR;
 870         }
 871
 872         /* Parse the control value
 873          *      realSearchControlValue ::= SEQUENCE {
 874          *              size    INTEGER (0..maxInt),
 875          *                              -- requested page size from client
 876          *                              -- result set size estimate from server
 877          *              cookie  OCTET STRING
 878          * }
 879          */
 880         ber = ber_init( &ctrl->ldctl_value );
 881         if( ber == NULL ) {
 882                 rs->sr_text = "internal error";
 883                 return LDAP_OTHER;
 884         }
 885
 886         tag = ber_scanf( ber, "{im}", &size, &cookie );
 887         (void) ber_free( ber, 1 );
 888
 889         if( tag == LBER_ERROR ) {
 890                 rs->sr_text = "paged results control could not be decoded";
 891                 return LDAP_PROTOCOL_ERROR;
 892         }
 893
 894         if( size < 0 ) {
 895                 rs->sr_text = "paged results control size invalid";
 896                 return LDAP_PROTOCOL_ERROR;
 897         }
 898
 899         if( cookie.bv_len ) {
 900                 PagedResultsCookie reqcookie;
 901                 if( cookie.bv_len != sizeof( reqcookie ) ) {
 902                         /* bad cookie */
 903                         rs->sr_text = "paged results cookie is invalid";
 904                         return LDAP_PROTOCOL_ERROR;
 905                 }
 906
 907                 AC_MEMCPY( &reqcookie, cookie.bv_val, sizeof( reqcookie ));
 908
 909                 if( reqcookie > op->o_pagedresults_state.ps_cookie ) {
 910                         /* bad cookie */
 911                         rs->sr_text = "paged results cookie is invalid";
 912                         return LDAP_PROTOCOL_ERROR;
 913
 914                 } else if( reqcookie < op->o_pagedresults_state.ps_cookie ) {
 915                         rs->sr_text = "paged results cookie is invalid or old";
 916                         return LDAP_UNWILLING_TO_PERFORM;
 917                 }
 918         } else {
 919                 /* Initial request.  Initialize state. */
 920                 op->o_pagedresults_state.ps_cookie = 0;
 921                 op->o_pagedresults_state.ps_id = NOID;
 922         }
 923
 924         op->o_pagedresults_size = size;
 925
 926         op->o_pagedresults = ctrl->ldctl_iscritical
 927                 ? SLAP_CRITICAL_CONTROL
 928                 : SLAP_NONCRITICAL_CONTROL;
 929
 930         return LDAP_SUCCESS;
 931 }
 932
 933 static int parseAssert (
 934         Operation *op,
 935         SlapReply *rs,
 936         LDAPControl *ctrl )
 937 {
 938         BerElement      *ber;
 939         struct berval   fstr = { 0, NULL };
 940         const char *err_msg = "";
 941
 942         if ( op->o_assert != SLAP_NO_CONTROL ) {
 943                 rs->sr_text = "assert control specified multiple times";
 944                 return LDAP_PROTOCOL_ERROR;
 945         }
 946
 947         if ( ctrl->ldctl_value.bv_len == 0 ) {
 948                 rs->sr_text = "assert control value is empty (or absent)";
 949                 return LDAP_PROTOCOL_ERROR;
 950         }
 951
 952         ber = ber_init( &(ctrl->ldctl_value) );
 953         if (ber == NULL) {
 954                 rs->sr_text = "assert control: internal error";
 955                 return LDAP_OTHER;
 956         }
 957
 958         rs->sr_err = get_filter( op, ber, &(op->o_assertion), &rs->sr_text);
 959
 960         if( rs->sr_err != LDAP_SUCCESS ) {
 961                 if( rs->sr_err == SLAPD_DISCONNECT ) {
 962                         rs->sr_err = LDAP_PROTOCOL_ERROR;
 963                         send_ldap_disconnect( op, rs );
 964                         rs->sr_err = SLAPD_DISCONNECT;
 965                 } else {
 966                         send_ldap_result( op, rs );
 967                 }
 968                 if( op->o_assertion != NULL ) {
 969                         filter_free_x( op, op->o_assertion );
 970                 }
 971                 return rs->sr_err;
 972         }
 973
 974 #ifdef LDAP_DEBUG
 975         filter2bv_x( op, op->o_assertion, &fstr );
 976
 977 #ifdef NEW_LOGGING
 978         LDAP_LOG( OPERATION, ARGS,
 979                 "parseAssert: conn %ld assert: %s\n",
 980                 op->o_connid, fstr.bv_len ? fstr.bv_val : "empty" , 0 );
 981 #else
 982         Debug( LDAP_DEBUG_ARGS, "parseAssert: conn %ld assert: %s\n",
 983                 op->o_connid, fstr.bv_len ? fstr.bv_val : "empty" , 0 );
 984 #endif
 985         op->o_tmpfree( fstr.bv_val, op->o_tmpmemctx );
 986 #endif
 987
 988         op->o_assert = ctrl->ldctl_iscritical
 989                 ? SLAP_CRITICAL_CONTROL
 990                 : SLAP_NONCRITICAL_CONTROL;
 991
 992         rs->sr_err = LDAP_SUCCESS;
 993         return LDAP_SUCCESS;
 994 }
 995
 996 static int parsePreRead (
 997         Operation *op,
 998         SlapReply *rs,
 999         LDAPControl *ctrl )
1000 {
1001         ber_len_t siz, off, i;
1002         AttributeName *an = NULL;
1003         BerElement      *ber;
1004
1005         if ( op->o_preread != SLAP_NO_CONTROL ) {
1006                 rs->sr_text = "preread control specified multiple times";
1007                 return LDAP_PROTOCOL_ERROR;
1008         }
1009
1010         if ( ctrl->ldctl_value.bv_len == 0 ) {
1011                 rs->sr_text = "preread control value is empty (or absent)";
1012                 return LDAP_PROTOCOL_ERROR;
1013         }
1014
1015         ber = ber_init( &(ctrl->ldctl_value) );
1016         if (ber == NULL) {
1017                 rs->sr_text = "preread control: internal error";
1018                 return LDAP_OTHER;
1019         }
1020
1021         siz = sizeof( AttributeName );
1022         off = offsetof( AttributeName, an_name );
1023         if ( ber_scanf( ber, "{M}", &an, &siz, off ) == LBER_ERROR ) {
1024                 rs->sr_text = "preread control: decoding error";
1025                 return LDAP_PROTOCOL_ERROR;
1026         }
1027
1028         for( i=0; i<siz; i++ ) {
1029                 const char *dummy;
1030                 an[i].an_desc = NULL;
1031                 an[i].an_oc = NULL;
1032                 slap_bv2ad( &an[i].an_name, &an[i].an_desc, &dummy );
1033         }
1034
1035         op->o_preread = ctrl->ldctl_iscritical
1036                 ? SLAP_CRITICAL_CONTROL
1037                 : SLAP_NONCRITICAL_CONTROL;
1038
1039         op->o_preread_attrs = an;
1040
1041         rs->sr_err = LDAP_SUCCESS;
1042         return LDAP_SUCCESS;
1043 }
1044
1045 static int parsePostRead (
1046         Operation *op,
1047         SlapReply *rs,
1048         LDAPControl *ctrl )
1049 {
1050         ber_len_t siz, off, i;
1051         AttributeName *an = NULL;
1052         BerElement      *ber;
1053
1054         if ( op->o_postread != SLAP_NO_CONTROL ) {
1055                 rs->sr_text = "postread control specified multiple times";
1056                 return LDAP_PROTOCOL_ERROR;
1057         }
1058
1059         if ( ctrl->ldctl_value.bv_len == 0 ) {
1060                 rs->sr_text = "postread control value is empty (or absent)";
1061                 return LDAP_PROTOCOL_ERROR;
1062         }
1063
1064         ber = ber_init( &(ctrl->ldctl_value) );
1065         if (ber == NULL) {
1066                 rs->sr_text = "postread control: internal error";
1067                 return LDAP_OTHER;
1068         }
1069
1070         siz = sizeof( AttributeName );
1071         off = offsetof( AttributeName, an_name );
1072         if ( ber_scanf( ber, "{M}", &an, &siz, off ) == LBER_ERROR ) {
1073                 rs->sr_text = "postread control: decoding error";
1074                 return LDAP_PROTOCOL_ERROR;
1075         }
1076
1077         for( i=0; i<siz; i++ ) {
1078                 const char *dummy;
1079                 an[i].an_desc = NULL;
1080                 an[i].an_oc = NULL;
1081                 slap_bv2ad( &an[i].an_name, &an[i].an_desc, &dummy );
1082         }
1083
1084         op->o_postread = ctrl->ldctl_iscritical
1085                 ? SLAP_CRITICAL_CONTROL
1086                 : SLAP_NONCRITICAL_CONTROL;
1087
1088         op->o_postread_attrs = an;
1089
1090         rs->sr_err = LDAP_SUCCESS;
1091         return LDAP_SUCCESS;
1092 }
1093
1094 int parseValuesReturnFilter (
1095         Operation *op,
1096         SlapReply *rs,
1097         LDAPControl *ctrl )
1098 {
1099         BerElement      *ber;
1100         struct berval   fstr = { 0, NULL };
1101         const char *err_msg = "";
1102
1103         if ( op->o_valuesreturnfilter != SLAP_NO_CONTROL ) {
1104                 rs->sr_text = "valuesReturnFilter control specified multiple times";
1105                 return LDAP_PROTOCOL_ERROR;
1106         }
1107
1108         if ( ctrl->ldctl_value.bv_len == 0 ) {
1109                 rs->sr_text = "valuesReturnFilter control value is empty (or absent)";
1110                 return LDAP_PROTOCOL_ERROR;
1111         }
1112
1113         ber = ber_init( &(ctrl->ldctl_value) );
1114         if (ber == NULL) {
1115                 rs->sr_text = "internal error";
1116                 return LDAP_OTHER;
1117         }
1118
1119         rs->sr_err = get_vrFilter( op, ber, &(op->o_vrFilter), &rs->sr_text);
1120
1121         if( rs->sr_err != LDAP_SUCCESS ) {
1122                 if( rs->sr_err == SLAPD_DISCONNECT ) {
1123                         rs->sr_err = LDAP_PROTOCOL_ERROR;
1124                         send_ldap_disconnect( op, rs );
1125                         rs->sr_err = SLAPD_DISCONNECT;
1126                 } else {
1127                         send_ldap_result( op, rs );
1128                 }
1129                 if( op->o_vrFilter != NULL) vrFilter_free( op, op->o_vrFilter );
1130         }
1131 #ifdef LDAP_DEBUG
1132         else {
1133                 vrFilter2bv( op, op->o_vrFilter, &fstr );
1134         }
1135
1136 #ifdef NEW_LOGGING
1137         LDAP_LOG( OPERATION, ARGS,
1138                 "parseValuesReturnFilter: conn %d       vrFilter: %s\n",
1139                 op->o_connid, fstr.bv_len ? fstr.bv_val : "empty" , 0 );
1140 #else
1141         Debug( LDAP_DEBUG_ARGS, "       vrFilter: %s\n",
1142                 fstr.bv_len ? fstr.bv_val : "empty", 0, 0 );
1143 #endif
1144         op->o_tmpfree( fstr.bv_val, op->o_tmpmemctx );
1145 #endif
1146
1147         op->o_valuesreturnfilter = ctrl->ldctl_iscritical
1148                 ? SLAP_CRITICAL_CONTROL
1149                 : SLAP_NONCRITICAL_CONTROL;
1150
1151         rs->sr_err = LDAP_SUCCESS;
1152         return LDAP_SUCCESS;
1153 }
1154
1155 #ifdef LDAP_CONTROL_SUBENTRIES
1156 static int parseSubentries (
1157         Operation *op,
1158         SlapReply *rs,
1159         LDAPControl *ctrl )
1160 {
1161         if ( op->o_subentries != SLAP_NO_CONTROL ) {
1162                 rs->sr_text = "subentries control specified multiple times";
1163                 return LDAP_PROTOCOL_ERROR;
1164         }
1165
1166         /* FIXME: should use BER library */
1167         if( ( ctrl->ldctl_value.bv_len != 3 )
1168                 && ( ctrl->ldctl_value.bv_val[0] != 0x01 )
1169                 && ( ctrl->ldctl_value.bv_val[1] != 0x01 ))
1170         {
1171                 rs->sr_text = "subentries control value encoding is bogus";
1172                 return LDAP_PROTOCOL_ERROR;
1173         }
1174
1175         op->o_subentries = ctrl->ldctl_iscritical
1176                 ? SLAP_CRITICAL_CONTROL
1177                 : SLAP_NONCRITICAL_CONTROL;
1178
1179         op->o_subentries_visibility = (ctrl->ldctl_value.bv_val[2] != 0x00);
1180
1181         return LDAP_SUCCESS;
1182 }
1183 #endif
1184
1185 #ifdef LDAP_CONTROL_X_PERMISSIVE_MODIFY
1186 static int parsePermissiveModify (
1187         Operation *op,
1188         SlapReply *rs,
1189         LDAPControl *ctrl )
1190 {
1191         if ( op->o_permissive_modify != SLAP_NO_CONTROL ) {
1192                 rs->sr_text = "permissiveModify control specified multiple times";
1193                 return LDAP_PROTOCOL_ERROR;
1194         }
1195
1196         if ( ctrl->ldctl_value.bv_len ) {
1197                 rs->sr_text = "permissiveModify control value not empty";
1198                 return LDAP_PROTOCOL_ERROR;
1199         }
1200
1201         op->o_permissive_modify = ctrl->ldctl_iscritical
1202                 ? SLAP_CRITICAL_CONTROL
1203                 : SLAP_NONCRITICAL_CONTROL;
1204
1205         return LDAP_SUCCESS;
1206 }
1207 #endif
1208
1209 #ifdef LDAP_CONTROL_X_DOMAIN_SCOPE
1210 static int parseDomainScope (
1211         Operation *op,
1212         SlapReply *rs,
1213         LDAPControl *ctrl )
1214 {
1215         if ( op->o_domain_scope != SLAP_NO_CONTROL ) {
1216                 rs->sr_text = "domainScope control specified multiple times";
1217                 return LDAP_PROTOCOL_ERROR;
1218         }
1219
1220         if ( ctrl->ldctl_value.bv_len ) {
1221                 rs->sr_text = "domainScope control value not empty";
1222                 return LDAP_PROTOCOL_ERROR;
1223         }
1224
1225         op->o_domain_scope = ctrl->ldctl_iscritical
1226                 ? SLAP_CRITICAL_CONTROL
1227                 : SLAP_NONCRITICAL_CONTROL;
1228
1229         return LDAP_SUCCESS;
1230 }
1231 #endif
1232
1233 static int parseLDAPsync (
1234         Operation *op,
1235         SlapReply *rs,
1236         LDAPControl *ctrl )
1237 {
1238         ber_tag_t tag;
1239         BerElement *ber;
1240         ber_int_t mode;
1241         ber_len_t len;
1242         struct slap_session_entry *se;
1243
1244         if ( op->o_sync != SLAP_NO_CONTROL ) {
1245                 rs->sr_text = "LDAP Sync control specified multiple times";
1246                 return LDAP_PROTOCOL_ERROR;
1247         }
1248
1249         if ( ctrl->ldctl_value.bv_len == 0 ) {
1250                 rs->sr_text = "LDAP Sync control value is empty (or absent)";
1251                 return LDAP_PROTOCOL_ERROR;
1252         }
1253
1254         /* Parse the control value
1255          *      syncRequestValue ::= SEQUENCE {
1256          *              mode   ENUMERATED {
1257          *                      -- 0 unused
1258          *                      refreshOnly             (1),
1259          *                      -- 2 reserved
1260          *                      refreshAndPersist       (3)
1261          *              },
1262          *              cookie  syncCookie OPTIONAL
1263          *      }
1264          */
1265
1266         ber = ber_init( &ctrl->ldctl_value );
1267         if( ber == NULL ) {
1268                 rs->sr_text = "internal error";
1269                 return LDAP_OTHER;
1270         }
1271
1272         if ( (tag = ber_scanf( ber, "{i" /*}*/, &mode )) == LBER_ERROR ) {
1273                 rs->sr_text = "LDAP Sync control : mode decoding error";
1274                 return LDAP_PROTOCOL_ERROR;
1275         }
1276
1277         switch( mode ) {
1278         case LDAP_SYNC_REFRESH_ONLY:
1279                 mode = SLAP_SYNC_REFRESH;
1280                 break;
1281         case LDAP_SYNC_REFRESH_AND_PERSIST:
1282                 mode = SLAP_SYNC_REFRESH_AND_PERSIST;
1283                 break;
1284         default:
1285                 rs->sr_text = "LDAP Sync control : unknown update mode";
1286                 return LDAP_PROTOCOL_ERROR;
1287         }
1288
1289         tag = ber_peek_tag( ber, &len );
1290
1291         if ( tag == LDAP_TAG_SYNC_COOKIE ) {
1292                 struct berval tmp_bv;
1293                 if (( ber_scanf( ber, /*{*/ "o", &tmp_bv )) == LBER_ERROR ) {
1294                         rs->sr_text = "LDAP Sync control : cookie decoding error";
1295                         return LDAP_PROTOCOL_ERROR;
1296                 }
1297                 ber_bvarray_add( &op->o_sync_state.octet_str, &tmp_bv );
1298                 slap_parse_sync_cookie( &op->o_sync_state );
1299         }
1300         if ( tag == LDAP_TAG_RELOAD_HINT ) {
1301                 if (( ber_scanf( ber, /*{*/ "b", &op->o_sync_rhint )) == LBER_ERROR ) {
1302                         rs->sr_text = "LDAP Sync control : rhint decoding error";
1303                         return LDAP_PROTOCOL_ERROR;
1304                 }
1305         }
1306         if (( ber_scanf( ber, /*{*/ "}")) == LBER_ERROR ) {
1307                         rs->sr_text = "LDAP Sync control : decoding error";
1308                         return LDAP_PROTOCOL_ERROR;
1309         }
1310
1311         (void) ber_free( ber, 1 );
1312
1313         op->o_sync_mode = (char) mode;
1314
1315         op->o_sync = ctrl->ldctl_iscritical
1316                 ? SLAP_CRITICAL_CONTROL
1317                 : SLAP_NONCRITICAL_CONTROL;
1318
1319         return LDAP_SUCCESS;
1320 }