]> git.sur5r.net Git - openldap/blob - servers/slapd/controls.c
more cleanup; add the frontend to the set of monitored databases; handle exceptional...
[openldap] / servers / slapd / controls.c
1 /* $OpenLDAP$ */
2 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
3  *
4  * Copyright 1998-2006 The OpenLDAP Foundation.
5  * All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted only as authorized by the OpenLDAP
9  * Public License.
10  *
11  * A copy of this license is available in the file LICENSE in the
12  * top-level directory of the distribution or, alternatively, at
13  * <http://www.OpenLDAP.org/license.html>.
14  */
15
16 #include "portable.h"
17
18 #include <stdio.h>
19
20 #include <ac/string.h>
21 #include <ac/socket.h>
22
23 #include "slap.h"
24
25 #include "../../libraries/liblber/lber-int.h"
26
27 static SLAP_CTRL_PARSE_FN parseAssert;
28 static SLAP_CTRL_PARSE_FN parseDomainScope;
29 static SLAP_CTRL_PARSE_FN parseDontUseCopy;
30 static SLAP_CTRL_PARSE_FN parseManageDSAit;
31 static SLAP_CTRL_PARSE_FN parseNoOp;
32 static SLAP_CTRL_PARSE_FN parsePagedResults;
33 static SLAP_CTRL_PARSE_FN parsePermissiveModify;
34 static SLAP_CTRL_PARSE_FN parsePreRead, parsePostRead;
35 static SLAP_CTRL_PARSE_FN parseProxyAuthz;
36 static SLAP_CTRL_PARSE_FN parseRelax;
37 static SLAP_CTRL_PARSE_FN parseSearchOptions;
38 #ifdef SLAP_SORTEDRESULTS
39 static SLAP_CTRL_PARSE_FN parseSortedResults;
40 #endif
41 static SLAP_CTRL_PARSE_FN parseSubentries;
42 #ifdef SLAP_CONTROL_X_TREE_DELETE
43 static SLAP_CTRL_PARSE_FN parseTreeDelete;
44 #endif
45 static SLAP_CTRL_PARSE_FN parseValuesReturnFilter;
46
47 #undef sc_mask /* avoid conflict with Irix 6.5 <sys/signal.h> */
48
49 const struct berval slap_pre_read_bv = BER_BVC(LDAP_CONTROL_PRE_READ);
50 const struct berval slap_post_read_bv = BER_BVC(LDAP_CONTROL_POST_READ);
51
52 struct slap_control_ids slap_cids;
53
54 struct slap_control {
55         /* Control OID */
56         char *sc_oid;
57
58         /* The controlID for this control */
59         int sc_cid;
60
61         /* Operations supported by control */
62         slap_mask_t sc_mask;
63
64         /* Extended operations supported by control */
65         char **sc_extendedops;          /* input */
66         BerVarray sc_extendedopsbv;     /* run-time use */
67
68         /* Control parsing callback */
69         SLAP_CTRL_PARSE_FN *sc_parse;
70
71         LDAP_SLIST_ENTRY(slap_control) sc_next;
72 };
73
74 static LDAP_SLIST_HEAD(ControlsList, slap_control) controls_list
75         = LDAP_SLIST_HEAD_INITIALIZER(&controls_list);
76
77 /*
78  * all known request control OIDs should be added to this list
79  */
80 /*
81  * NOTE: initialize num_known_controls to 1 so that cid = 0 always
82  * addresses an undefined control; this allows to safely test for 
83  * well known controls even if they are not registered, e.g. if 
84  * they get moved to modules.  An example is sc_LDAPsync, which 
85  * is implemented in the syncprov overlay and thus, if configured 
86  * as dynamic module, may not be registered.  One side effect is that 
87  * slap_known_controls[0] == NULL, so it should always be used 
88  * starting from 1.
89  * FIXME: should we define the "undefined control" oid?
90  */
91 char *slap_known_controls[SLAP_MAX_CIDS+1];
92 static int num_known_controls = 1;
93
94 static char *proxy_authz_extops[] = {
95         LDAP_EXOP_MODIFY_PASSWD,
96         LDAP_EXOP_WHO_AM_I,
97         LDAP_EXOP_REFRESH,
98         NULL
99 };
100
101 static char *manageDSAit_extops[] = {
102         LDAP_EXOP_REFRESH,
103         NULL
104 };
105
106 static struct slap_control control_defs[] = {
107         {  LDAP_CONTROL_ASSERT,
108                 (int)offsetof(struct slap_control_ids, sc_assert),
109                 SLAP_CTRL_DELETE|SLAP_CTRL_MODIFY|SLAP_CTRL_RENAME|
110                         SLAP_CTRL_COMPARE|SLAP_CTRL_SEARCH,
111                 NULL, NULL,
112                 parseAssert, LDAP_SLIST_ENTRY_INITIALIZER(next) },
113         { LDAP_CONTROL_PRE_READ,
114                 (int)offsetof(struct slap_control_ids, sc_preRead),
115                 SLAP_CTRL_DELETE|SLAP_CTRL_MODIFY|SLAP_CTRL_RENAME,
116                 NULL, NULL,
117                 parsePreRead, LDAP_SLIST_ENTRY_INITIALIZER(next) },
118         { LDAP_CONTROL_POST_READ,
119                 (int)offsetof(struct slap_control_ids, sc_postRead),
120                 SLAP_CTRL_ADD|SLAP_CTRL_MODIFY|SLAP_CTRL_RENAME,
121                 NULL, NULL,
122                 parsePostRead, LDAP_SLIST_ENTRY_INITIALIZER(next) },
123         { LDAP_CONTROL_VALUESRETURNFILTER,
124                 (int)offsetof(struct slap_control_ids, sc_valuesReturnFilter),
125                 SLAP_CTRL_GLOBAL|SLAP_CTRL_SEARCH,
126                 NULL, NULL,
127                 parseValuesReturnFilter, LDAP_SLIST_ENTRY_INITIALIZER(next) },
128         { LDAP_CONTROL_PAGEDRESULTS,
129                 (int)offsetof(struct slap_control_ids, sc_pagedResults),
130                 SLAP_CTRL_SEARCH,
131                 NULL, NULL,
132                 parsePagedResults, LDAP_SLIST_ENTRY_INITIALIZER(next) },
133 #ifdef SLAP_SORTEDRESULTS
134         { LDAP_CONTROL_SORTREQUEST,
135                 (int)offsetof(struct slap_control_ids, sc_sortedResults),
136                 SLAP_CTRL_GLOBAL|SLAP_CTRL_SEARCH|SLAP_CTRL_HIDE,
137                 NULL, NULL,
138                 parseSortedResults, LDAP_SLIST_ENTRY_INITIALIZER(next) },
139 #endif
140         { LDAP_CONTROL_X_DOMAIN_SCOPE,
141                 (int)offsetof(struct slap_control_ids, sc_domainScope),
142                 SLAP_CTRL_GLOBAL|SLAP_CTRL_SEARCH|SLAP_CTRL_HIDE,
143                 NULL, NULL,
144                 parseDomainScope, LDAP_SLIST_ENTRY_INITIALIZER(next) },
145         { LDAP_CONTROL_DONTUSECOPY,
146                 (int)offsetof(struct slap_control_ids, sc_dontUseCopy),
147                 SLAP_CTRL_GLOBAL|SLAP_CTRL_INTROGATE|SLAP_CTRL_HIDE,
148                 NULL, NULL,
149                 parseDontUseCopy, LDAP_SLIST_ENTRY_INITIALIZER(next) },
150         { LDAP_CONTROL_X_PERMISSIVE_MODIFY,
151                 (int)offsetof(struct slap_control_ids, sc_permissiveModify),
152                 SLAP_CTRL_MODIFY|SLAP_CTRL_HIDE,
153                 NULL, NULL,
154                 parsePermissiveModify, LDAP_SLIST_ENTRY_INITIALIZER(next) },
155 #ifdef SLAP_CONTROL_X_TREE_DELETE
156         { LDAP_CONTROL_X_TREE_DELETE,
157                 (int)offsetof(struct slap_control_ids, sc_treeDelete),
158                 SLAP_CTRL_DELETE|SLAP_CTRL_HIDE,
159                 NULL, NULL,
160                 parseTreeDelete, LDAP_SLIST_ENTRY_INITIALIZER(next) },
161 #endif
162         { LDAP_CONTROL_X_SEARCH_OPTIONS,
163                 (int)offsetof(struct slap_control_ids, sc_searchOptions),
164                 SLAP_CTRL_GLOBAL|SLAP_CTRL_SEARCH|SLAP_CTRL_HIDE,
165                 NULL, NULL,
166                 parseSearchOptions, LDAP_SLIST_ENTRY_INITIALIZER(next) },
167         { LDAP_CONTROL_SUBENTRIES,
168                 (int)offsetof(struct slap_control_ids, sc_subentries),
169                 SLAP_CTRL_SEARCH,
170                 NULL, NULL,
171                 parseSubentries, LDAP_SLIST_ENTRY_INITIALIZER(next) },
172         { LDAP_CONTROL_NOOP,
173                 (int)offsetof(struct slap_control_ids, sc_noOp),
174                 SLAP_CTRL_ACCESS|SLAP_CTRL_HIDE,
175                 NULL, NULL,
176                 parseNoOp, LDAP_SLIST_ENTRY_INITIALIZER(next) },
177         { LDAP_CONTROL_RELAX,
178                 (int)offsetof(struct slap_control_ids, sc_relax),
179                 SLAP_CTRL_GLOBAL|SLAP_CTRL_UPDATE|SLAP_CTRL_HIDE,
180                 NULL, NULL,
181                 parseRelax, LDAP_SLIST_ENTRY_INITIALIZER(next) },
182 #ifdef LDAP_X_TXN
183         { LDAP_CONTROL_X_TXN_SPEC,
184                 (int)offsetof(struct slap_control_ids, sc_txnSpec),
185                 SLAP_CTRL_UPDATE|SLAP_CTRL_HIDE,
186                 NULL, NULL,
187                 txn_spec_ctrl, LDAP_SLIST_ENTRY_INITIALIZER(next) },
188 #endif
189         { LDAP_CONTROL_MANAGEDSAIT,
190                 (int)offsetof(struct slap_control_ids, sc_manageDSAit),
191                 SLAP_CTRL_ACCESS,
192                 manageDSAit_extops, NULL,
193                 parseManageDSAit, LDAP_SLIST_ENTRY_INITIALIZER(next) },
194         { LDAP_CONTROL_PROXY_AUTHZ,
195                 (int)offsetof(struct slap_control_ids, sc_proxyAuthz),
196                 SLAP_CTRL_GLOBAL|SLAP_CTRL_ACCESS,
197                 proxy_authz_extops, NULL,
198                 parseProxyAuthz, LDAP_SLIST_ENTRY_INITIALIZER(next) },
199         { NULL, 0, 0, NULL, 0, NULL, LDAP_SLIST_ENTRY_INITIALIZER(next) }
200 };
201
202 static struct slap_control *
203 find_ctrl( const char *oid );
204
205 /*
206  * Register a supported control.
207  *
208  * This can be called by an OpenLDAP plugin or, indirectly, by a
209  * SLAPI plugin calling slapi_register_supported_control().
210  *
211  * NOTE: if flags == 1 the control is replaced if already registered;
212  * otherwise registering an already registered control is not allowed.
213  */
214 int
215 register_supported_control2(const char *controloid,
216         slap_mask_t controlmask,
217         char **controlexops,
218         SLAP_CTRL_PARSE_FN *controlparsefn,
219         unsigned flags,
220         int *controlcid)
221 {
222         struct slap_control *sc = NULL;
223         int i;
224         BerVarray extendedopsbv = NULL;
225
226         if ( num_known_controls >= SLAP_MAX_CIDS ) {
227                 Debug( LDAP_DEBUG_ANY, "Too many controls registered."
228                         " Recompile slapd with SLAP_MAX_CIDS defined > %d\n",
229                 SLAP_MAX_CIDS, 0, 0 );
230                 return LDAP_OTHER;
231         }
232
233         if ( controloid == NULL ) {
234                 return LDAP_PARAM_ERROR;
235         }
236
237         /* check if already registered */
238         for ( i = 0; slap_known_controls[ i ]; i++ ) {
239                 if ( strcmp( controloid, slap_known_controls[ i ] ) == 0 ) {
240                         if ( flags == 1 ) {
241                                 Debug( LDAP_DEBUG_TRACE,
242                                         "Control %s already registered; replacing.\n",
243                                         controloid, 0, 0 );
244                                 /* (find and) replace existing handler */
245                                 sc = find_ctrl( controloid );
246                                 assert( sc != NULL );
247                                 break;
248                         }
249
250                         Debug( LDAP_DEBUG_ANY,
251                                 "Control %s already registered.\n",
252                                 controloid, 0, 0 );
253                         return LDAP_PARAM_ERROR;
254                 }
255         }
256
257         /* turn compatible extended operations into bervals */
258         if ( controlexops != NULL ) {
259                 int i;
260
261                 for ( i = 0; controlexops[ i ]; i++ );
262
263                 extendedopsbv = ber_memcalloc( i + 1, sizeof( struct berval ) );
264                 if ( extendedopsbv == NULL ) {
265                         return LDAP_NO_MEMORY;
266                 }
267
268                 for ( i = 0; controlexops[ i ]; i++ ) {
269                         ber_str2bv( controlexops[ i ], 0, 1, &extendedopsbv[ i ] );
270                 }
271         }
272
273         if ( sc == NULL ) {
274                 sc = (struct slap_control *)SLAP_MALLOC( sizeof( *sc ) );
275                 if ( sc == NULL ) {
276                         return LDAP_NO_MEMORY;
277                 }
278
279                 sc->sc_oid = ch_strdup( controloid );
280                 sc->sc_cid = num_known_controls;
281
282                 /* Update slap_known_controls, too. */
283                 slap_known_controls[num_known_controls - 1] = sc->sc_oid;
284                 slap_known_controls[num_known_controls++] = NULL;
285
286                 LDAP_SLIST_NEXT( sc, sc_next ) = NULL;
287                 LDAP_SLIST_INSERT_HEAD( &controls_list, sc, sc_next );
288
289         } else {
290                 if ( sc->sc_extendedopsbv ) {
291                         /* FIXME: in principle, we should rather merge
292                          * existing extops with those supported by the
293                          * new control handling implementation.
294                          * In fact, whether a control is compatible with
295                          * an extop should not be a matter of implementation.
296                          * We likely also need a means for a newly
297                          * registered extop to declare that it is
298                          * comptible with an already registered control.
299                          */
300                         ber_bvarray_free( sc->sc_extendedopsbv );
301                         sc->sc_extendedopsbv = NULL;
302                         sc->sc_extendedops = NULL;
303                 }
304         }
305
306         sc->sc_extendedopsbv = extendedopsbv;
307         sc->sc_mask = controlmask;
308         sc->sc_parse = controlparsefn;
309         if ( controlcid ) {
310                 *controlcid = sc->sc_cid;
311         }
312
313         return LDAP_SUCCESS;
314 }
315
316 /*
317  * One-time initialization of internal controls.
318  */
319 int
320 slap_controls_init( void )
321 {
322         int i, rc;
323
324         rc = LDAP_SUCCESS;
325
326         for ( i = 0; control_defs[i].sc_oid != NULL; i++ ) {
327                 int *cid = (int *)(((char *)&slap_cids) + control_defs[i].sc_cid );
328                 rc = register_supported_control( control_defs[i].sc_oid,
329                         control_defs[i].sc_mask, control_defs[i].sc_extendedops,
330                         control_defs[i].sc_parse, cid );
331                 if ( rc != LDAP_SUCCESS ) break;
332         }
333
334         return rc;
335 }
336
337 /*
338  * Free memory associated with list of supported controls.
339  */
340 void
341 controls_destroy( void )
342 {
343         struct slap_control *sc;
344
345         while ( !LDAP_SLIST_EMPTY(&controls_list) ) {
346                 sc = LDAP_SLIST_FIRST(&controls_list);
347                 LDAP_SLIST_REMOVE_HEAD(&controls_list, sc_next);
348
349                 ch_free( sc->sc_oid );
350                 if ( sc->sc_extendedopsbv != NULL ) {
351                         ber_bvarray_free( sc->sc_extendedopsbv );
352                 }
353                 ch_free( sc );
354         }
355 }
356
357 /*
358  * Format the supportedControl attribute of the root DSE,
359  * detailing which controls are supported by the directory
360  * server.
361  */
362 int
363 controls_root_dse_info( Entry *e )
364 {
365         AttributeDescription *ad_supportedControl
366                 = slap_schema.si_ad_supportedControl;
367         struct berval vals[2];
368         struct slap_control *sc;
369
370         vals[1].bv_val = NULL;
371         vals[1].bv_len = 0;
372
373         LDAP_SLIST_FOREACH( sc, &controls_list, sc_next ) {
374                 if( sc->sc_mask & SLAP_CTRL_HIDE ) continue;
375
376                 vals[0].bv_val = sc->sc_oid;
377                 vals[0].bv_len = strlen( sc->sc_oid );
378
379                 if ( attr_merge( e, ad_supportedControl, vals, NULL ) ) {
380                         return -1;
381                 }
382         }
383
384         return 0;
385 }
386
387 /*
388  * Return a list of OIDs and operation masks for supported
389  * controls. Used by SLAPI.
390  */
391 int
392 get_supported_controls(char ***ctrloidsp,
393         slap_mask_t **ctrlmasks)
394 {
395         int n;
396         char **oids;
397         slap_mask_t *masks;
398         struct slap_control *sc;
399
400         n = 0;
401
402         LDAP_SLIST_FOREACH( sc, &controls_list, sc_next ) {
403                 n++;
404         }
405
406         if ( n == 0 ) {
407                 *ctrloidsp = NULL;
408                 *ctrlmasks = NULL;
409                 return LDAP_SUCCESS;
410         }
411
412         oids = (char **)SLAP_MALLOC( (n + 1) * sizeof(char *) );
413         if ( oids == NULL ) {
414                 return LDAP_NO_MEMORY;
415         }
416         masks = (slap_mask_t *)SLAP_MALLOC( (n + 1) * sizeof(slap_mask_t) );
417         if  ( masks == NULL ) {
418                 SLAP_FREE( oids );
419                 return LDAP_NO_MEMORY;
420         }
421
422         n = 0;
423
424         LDAP_SLIST_FOREACH( sc, &controls_list, sc_next ) {
425                 oids[n] = ch_strdup( sc->sc_oid );
426                 masks[n] = sc->sc_mask;
427                 n++;
428         }
429         oids[n] = NULL;
430         masks[n] = 0;
431
432         *ctrloidsp = oids;
433         *ctrlmasks = masks;
434
435         return LDAP_SUCCESS;
436 }
437
438 /*
439  * Find a control given its OID.
440  */
441 static struct slap_control *
442 find_ctrl( const char *oid )
443 {
444         struct slap_control *sc;
445
446         LDAP_SLIST_FOREACH( sc, &controls_list, sc_next ) {
447                 if ( strcmp( oid, sc->sc_oid ) == 0 ) {
448                         return sc;
449                 }
450         }
451
452         return NULL;
453 }
454
455 int
456 slap_find_control_id(
457         const char *oid,
458         int *cid )
459 {
460         struct slap_control *ctrl = find_ctrl( oid );
461         if ( ctrl ) {
462                 if ( cid ) *cid = ctrl->sc_cid;
463                 return LDAP_SUCCESS;
464         }
465         return LDAP_CONTROL_NOT_FOUND;
466 }
467
468 int
469 slap_global_control( Operation *op, const char *oid, int *cid )
470 {
471         struct slap_control *ctrl = find_ctrl( oid );
472
473         if ( ctrl == NULL ) {
474                 /* should not be reachable */
475                 Debug( LDAP_DEBUG_ANY,
476                         "slap_global_control: unrecognized control: %s\n",      
477                         oid, 0, 0 );
478                 return LDAP_CONTROL_NOT_FOUND;
479         }
480
481         if ( cid ) *cid = ctrl->sc_cid;
482
483         if ( ( ctrl->sc_mask & SLAP_CTRL_GLOBAL ) ||
484                 ( ( op->o_tag & LDAP_REQ_SEARCH ) &&
485                 ( ctrl->sc_mask & SLAP_CTRL_GLOBAL_SEARCH ) ) )
486         {
487                 return LDAP_COMPARE_TRUE;
488         }
489
490 #if 0
491         Debug( LDAP_DEBUG_TRACE,
492                 "slap_global_control: unavailable control: %s\n",      
493                 oid, 0, 0 );
494 #endif
495
496         return LDAP_COMPARE_FALSE;
497 }
498
499 void slap_free_ctrls(
500         Operation *op,
501         LDAPControl **ctrls )
502 {
503         int i;
504
505         for (i=0; ctrls[i]; i++) {
506                 op->o_tmpfree(ctrls[i], op->o_tmpmemctx );
507         }
508         op->o_tmpfree( ctrls, op->o_tmpmemctx );
509 }
510
511 int slap_parse_ctrl(
512         Operation *op,
513         SlapReply *rs,
514         LDAPControl *control,
515         const char **text )
516 {
517         struct slap_control *sc;
518
519         sc = find_ctrl( control->ldctl_oid );
520         if( sc != NULL ) {
521                 /* recognized control */
522                 slap_mask_t tagmask;
523                 switch( op->o_tag ) {
524                 case LDAP_REQ_ADD:
525                         tagmask = SLAP_CTRL_ADD;
526                         break;
527                 case LDAP_REQ_BIND:
528                         tagmask = SLAP_CTRL_BIND;
529                         break;
530                 case LDAP_REQ_COMPARE:
531                         tagmask = SLAP_CTRL_COMPARE;
532                         break;
533                 case LDAP_REQ_DELETE:
534                         tagmask = SLAP_CTRL_DELETE;
535                         break;
536                 case LDAP_REQ_MODIFY:
537                         tagmask = SLAP_CTRL_MODIFY;
538                         break;
539                 case LDAP_REQ_RENAME:
540                         tagmask = SLAP_CTRL_RENAME;
541                         break;
542                 case LDAP_REQ_SEARCH:
543                         tagmask = SLAP_CTRL_SEARCH;
544                         break;
545                 case LDAP_REQ_UNBIND:
546                         tagmask = SLAP_CTRL_UNBIND;
547                         break;
548                 case LDAP_REQ_ABANDON:
549                         tagmask = SLAP_CTRL_ABANDON;
550                         break;
551                 case LDAP_REQ_EXTENDED:
552                         tagmask=~0L;
553                         assert( op->ore_reqoid.bv_val != NULL );
554                         if( sc->sc_extendedopsbv != NULL ) {
555                                 int i;
556                                 for( i=0; !BER_BVISNULL( &sc->sc_extendedopsbv[i] ); i++ ) {
557                                         if( bvmatch( &op->ore_reqoid,
558                                                 &sc->sc_extendedopsbv[i] ) )
559                                         {
560                                                 tagmask=0L;
561                                                 break;
562                                         }
563                                 }
564                         }
565                         break;
566                 default:
567                         *text = "controls internal error";
568                         return LDAP_OTHER;
569                 }
570
571                 if (( sc->sc_mask & tagmask ) == tagmask ) {
572                         /* available extension */
573                         int     rc;
574
575                         if( !sc->sc_parse ) {
576                                 *text = "not yet implemented";
577                                 return LDAP_OTHER;
578                         }
579
580                         rc = sc->sc_parse( op, rs, control );
581                         if ( rc ) {
582                                 assert( rc != LDAP_UNAVAILABLE_CRITICAL_EXTENSION );
583                                 return rc;
584                         }
585
586                 } else if( control->ldctl_iscritical ) {
587                         /* unavailable CRITICAL control */
588                         *text = "critical extension is unavailable";
589                         return LDAP_UNAVAILABLE_CRITICAL_EXTENSION;
590                 }
591         } else if( control->ldctl_iscritical ) {
592                 /* unrecognized CRITICAL control */
593                 *text = "critical extension is not recognized";
594                 return LDAP_UNAVAILABLE_CRITICAL_EXTENSION;
595         }
596
597         return LDAP_SUCCESS;
598 }
599
600 int get_ctrls(
601         Operation *op,
602         SlapReply *rs,
603         int sendres )
604 {
605         int nctrls = 0;
606         ber_tag_t tag;
607         ber_len_t len;
608         char *opaque;
609         BerElement *ber = op->o_ber;
610         struct berval bv;
611
612         len = ber_pvt_ber_remaining(ber);
613
614         if( len == 0) {
615                 /* no controls */
616                 rs->sr_err = LDAP_SUCCESS;
617                 return rs->sr_err;
618         }
619
620         if(( tag = ber_peek_tag( ber, &len )) != LDAP_TAG_CONTROLS ) {
621                 if( tag == LBER_ERROR ) {
622                         rs->sr_err = SLAPD_DISCONNECT;
623                         rs->sr_text = "unexpected data in PDU";
624                 }
625
626                 goto return_results;
627         }
628
629         Debug( LDAP_DEBUG_TRACE,
630                 "=> get_ctrls\n", 0, 0, 0 );
631
632         if( op->o_protocol < LDAP_VERSION3 ) {
633                 rs->sr_err = SLAPD_DISCONNECT;
634                 rs->sr_text = "controls require LDAPv3";
635                 goto return_results;
636         }
637
638         /* one for first control, one for termination */
639         op->o_ctrls = op->o_tmpalloc( 2 * sizeof(LDAPControl *), op->o_tmpmemctx );
640
641 #if 0
642         if( op->ctrls == NULL ) {
643                 rs->sr_err = LDAP_NO_MEMORY;
644                 rs->sr_text = "no memory";
645                 goto return_results;
646         }
647 #endif
648
649         op->o_ctrls[nctrls] = NULL;
650
651         /* step through each element */
652         for( tag = ber_first_element( ber, &len, &opaque );
653                 tag != LBER_ERROR;
654                 tag = ber_next_element( ber, &len, opaque ) )
655         {
656                 LDAPControl *c;
657                 LDAPControl **tctrls;
658
659                 c = op->o_tmpalloc( sizeof(LDAPControl), op->o_tmpmemctx );
660                 memset(c, 0, sizeof(LDAPControl));
661
662                 /* allocate pointer space for current controls (nctrls)
663                  * + this control + extra NULL
664                  */
665                 tctrls = op->o_tmprealloc( op->o_ctrls,
666                         (nctrls+2) * sizeof(LDAPControl *), op->o_tmpmemctx );
667
668 #if 0
669                 if( tctrls == NULL ) {
670                         ch_free( c );
671                         ldap_controls_free(op->o_ctrls);
672                         op->o_ctrls = NULL;
673
674                         rs->sr_err = LDAP_NO_MEMORY;
675                         rs->sr_text = "no memory";
676                         goto return_results;
677                 }
678 #endif
679                 op->o_ctrls = tctrls;
680
681                 op->o_ctrls[nctrls++] = c;
682                 op->o_ctrls[nctrls] = NULL;
683
684                 tag = ber_scanf( ber, "{m" /*}*/, &bv );
685                 c->ldctl_oid = bv.bv_val;
686
687                 if( tag == LBER_ERROR ) {
688                         Debug( LDAP_DEBUG_TRACE, "=> get_ctrls: get oid failed.\n",
689                                 0, 0, 0 );
690
691                         slap_free_ctrls( op, op->o_ctrls );
692                         op->o_ctrls = NULL;
693                         rs->sr_err = SLAPD_DISCONNECT;
694                         rs->sr_text = "decoding controls error";
695                         goto return_results;
696
697                 } else if( c->ldctl_oid == NULL ) {
698                         Debug( LDAP_DEBUG_TRACE,
699                                 "get_ctrls: conn %lu got emtpy OID.\n",
700                                 op->o_connid, 0, 0 );
701
702                         slap_free_ctrls( op, op->o_ctrls );
703                         op->o_ctrls = NULL;
704                         rs->sr_err = LDAP_PROTOCOL_ERROR;
705                         rs->sr_text = "OID field is empty";
706                         goto return_results;
707                 }
708
709                 tag = ber_peek_tag( ber, &len );
710
711                 if( tag == LBER_BOOLEAN ) {
712                         ber_int_t crit;
713                         tag = ber_scanf( ber, "b", &crit );
714
715                         if( tag == LBER_ERROR ) {
716                                 Debug( LDAP_DEBUG_TRACE, "=> get_ctrls: get crit failed.\n",
717                                         0, 0, 0 );
718                                 slap_free_ctrls( op, op->o_ctrls );
719                                 op->o_ctrls = NULL;
720                                 rs->sr_err = SLAPD_DISCONNECT;
721                                 rs->sr_text = "decoding controls error";
722                                 goto return_results;
723                         }
724
725                         c->ldctl_iscritical = (crit != 0);
726                         tag = ber_peek_tag( ber, &len );
727                 }
728
729                 if( tag == LBER_OCTETSTRING ) {
730                         tag = ber_scanf( ber, "m", &c->ldctl_value );
731
732                         if( tag == LBER_ERROR ) {
733                                 Debug( LDAP_DEBUG_TRACE, "=> get_ctrls: conn %lu: "
734                                         "%s (%scritical): get value failed.\n",
735                                         op->o_connid, c->ldctl_oid,
736                                         c->ldctl_iscritical ? "" : "non" );
737                                 slap_free_ctrls( op, op->o_ctrls );
738                                 op->o_ctrls = NULL;
739                                 rs->sr_err = SLAPD_DISCONNECT;
740                                 rs->sr_text = "decoding controls error";
741                                 goto return_results;
742                         }
743                 }
744
745                 Debug( LDAP_DEBUG_TRACE,
746                         "=> get_ctrls: oid=\"%s\" (%scritical)\n",
747                         c->ldctl_oid, c->ldctl_iscritical ? "" : "non", 0 );
748
749                 rs->sr_err = slap_parse_ctrl( op, rs, c, &rs->sr_text );
750                 if ( rs->sr_err != LDAP_SUCCESS ) {
751                         goto return_results;
752                 }
753         }
754
755 return_results:
756         Debug( LDAP_DEBUG_TRACE,
757                 "<= get_ctrls: n=%d rc=%d err=\"%s\"\n",
758                 nctrls, rs->sr_err, rs->sr_text ? rs->sr_text : "");
759
760         if( sendres && rs->sr_err != LDAP_SUCCESS ) {
761                 if( rs->sr_err == SLAPD_DISCONNECT ) {
762                         rs->sr_err = LDAP_PROTOCOL_ERROR;
763                         send_ldap_disconnect( op, rs );
764                         rs->sr_err = SLAPD_DISCONNECT;
765                 } else {
766                         send_ldap_result( op, rs );
767                 }
768         }
769
770         return rs->sr_err;
771 }
772
773 int
774 slap_remove_control(
775         Operation       *op,
776         SlapReply       *rs,
777         int             ctrl,
778         BI_chk_controls fnc )
779 {
780         int             i, j;
781
782         switch ( op->o_ctrlflag[ ctrl ] ) {
783         case SLAP_CONTROL_NONCRITICAL:
784                 for ( i = 0, j = -1; op->o_ctrls[ i ] != NULL; i++ ) {
785                         if ( strcmp( op->o_ctrls[ i ]->ldctl_oid,
786                                 slap_known_controls[ ctrl - 1 ] ) == 0 )
787                         {
788                                 j = i;
789                         }
790                 }
791
792                 if ( j == -1 ) {
793                         rs->sr_err = LDAP_OTHER;
794                         break;
795                 }
796
797                 if ( fnc ) {
798                         (void)fnc( op, rs );
799                 }
800
801                 op->o_tmpfree( op->o_ctrls[ j ], op->o_tmpmemctx );
802
803                 if ( i > 1 ) {
804                         AC_MEMCPY( &op->o_ctrls[ j ], &op->o_ctrls[ j + 1 ],
805                                 ( i - j ) * sizeof( LDAPControl * ) );
806
807                 } else {
808                         op->o_tmpfree( op->o_ctrls, op->o_tmpmemctx );
809                         op->o_ctrls = NULL;
810                 }
811
812                 op->o_ctrlflag[ ctrl ] = SLAP_CONTROL_IGNORED;
813
814                 Debug( LDAP_DEBUG_ANY, "%s: "
815                         "non-critical control \"%s\" not supported; stripped.\n",
816                         op->o_log_prefix, slap_known_controls[ ctrl ], 0 );
817                 /* fall thru */
818
819         case SLAP_CONTROL_IGNORED:
820         case SLAP_CONTROL_NONE:
821                 rs->sr_err = SLAP_CB_CONTINUE;
822                 break;
823
824         case SLAP_CONTROL_CRITICAL:
825                 rs->sr_err = LDAP_UNAVAILABLE_CRITICAL_EXTENSION;
826                 if ( fnc ) {
827                         (void)fnc( op, rs );
828                 }
829                 Debug( LDAP_DEBUG_ANY, "%s: "
830                         "critical control \"%s\" not supported.\n",
831                         op->o_log_prefix, slap_known_controls[ ctrl ], 0 );
832                 break;
833
834         default:
835                 /* handle all cases! */
836                 assert( 0 );
837         }
838
839         return rs->sr_err;
840 }
841
842 static int parseDontUseCopy (
843         Operation *op,
844         SlapReply *rs,
845         LDAPControl *ctrl )
846 {
847         if ( op->o_dontUseCopy != SLAP_CONTROL_NONE ) {
848                 rs->sr_text = "dontUseCopy control specified multiple times";
849                 return LDAP_PROTOCOL_ERROR;
850         }
851
852         if ( ctrl->ldctl_value.bv_len ) {
853                 rs->sr_text = "dontUseCopy control value not empty";
854                 return LDAP_PROTOCOL_ERROR;
855         }
856
857         if ( !ctrl->ldctl_iscritical ) {
858                 rs->sr_text = "dontUseCopy criticality of FALSE not allowed";
859                 return LDAP_PROTOCOL_ERROR;
860         }
861
862         op->o_dontUseCopy = SLAP_CONTROL_CRITICAL;
863         return LDAP_SUCCESS;
864 }
865
866 static int parseRelax (
867         Operation *op,
868         SlapReply *rs,
869         LDAPControl *ctrl )
870 {
871         if ( op->o_relax != SLAP_CONTROL_NONE ) {
872                 rs->sr_text = "relax control specified multiple times";
873                 return LDAP_PROTOCOL_ERROR;
874         }
875
876         if ( ctrl->ldctl_value.bv_len ) {
877                 rs->sr_text = "relax control value not empty";
878                 return LDAP_PROTOCOL_ERROR;
879         }
880
881         op->o_relax = ctrl->ldctl_iscritical
882                 ? SLAP_CONTROL_CRITICAL
883                 : SLAP_CONTROL_NONCRITICAL;
884
885         return LDAP_SUCCESS;
886 }
887
888 static int parseManageDSAit (
889         Operation *op,
890         SlapReply *rs,
891         LDAPControl *ctrl )
892 {
893         if ( op->o_managedsait != SLAP_CONTROL_NONE ) {
894                 rs->sr_text = "manageDSAit control specified multiple times";
895                 return LDAP_PROTOCOL_ERROR;
896         }
897
898         if ( ctrl->ldctl_value.bv_len ) {
899                 rs->sr_text = "manageDSAit control value not empty";
900                 return LDAP_PROTOCOL_ERROR;
901         }
902
903         op->o_managedsait = ctrl->ldctl_iscritical
904                 ? SLAP_CONTROL_CRITICAL
905                 : SLAP_CONTROL_NONCRITICAL;
906
907         return LDAP_SUCCESS;
908 }
909
910 static int parseProxyAuthz (
911         Operation *op,
912         SlapReply *rs,
913         LDAPControl *ctrl )
914 {
915         int             rc;
916         struct berval   dn = BER_BVNULL;
917
918         if ( op->o_proxy_authz != SLAP_CONTROL_NONE ) {
919                 rs->sr_text = "proxy authorization control specified multiple times";
920                 return LDAP_PROTOCOL_ERROR;
921         }
922
923         if ( !( global_allows & SLAP_ALLOW_PROXY_AUTHZ_ANON )
924                 && BER_BVISEMPTY( &op->o_ndn ) )
925         {
926                 rs->sr_text = "anonymous proxied authorization not allowed";
927                 return LDAP_PROXIED_AUTHORIZATION_DENIED;
928         }
929
930         op->o_proxy_authz = ctrl->ldctl_iscritical
931                 ? SLAP_CONTROL_CRITICAL
932                 : SLAP_CONTROL_NONCRITICAL;
933
934         Debug( LDAP_DEBUG_ARGS,
935                 "parseProxyAuthz: conn %lu authzid=\"%s\"\n", 
936                 op->o_connid,
937                 ctrl->ldctl_value.bv_len ?  ctrl->ldctl_value.bv_val : "anonymous",
938                 0 );
939
940         if ( ctrl->ldctl_value.bv_len == 0 ) {
941                 Debug( LDAP_DEBUG_TRACE,
942                         "parseProxyAuthz: conn=%lu anonymous\n", 
943                         op->o_connid, 0, 0 );
944
945                 /* anonymous */
946                 if ( !BER_BVISNULL( &op->o_ndn ) ) {
947                         op->o_ndn.bv_val[ 0 ] = '\0';
948                 }
949                 op->o_ndn.bv_len = 0;
950
951                 if ( !BER_BVISNULL( &op->o_dn ) ) {
952                         op->o_dn.bv_val[ 0 ] = '\0';
953                 }
954                 op->o_dn.bv_len = 0;
955
956                 return LDAP_SUCCESS;
957         }
958
959         rc = slap_sasl_getdn( op->o_conn, op, &ctrl->ldctl_value,
960                         NULL, &dn, SLAP_GETDN_AUTHZID );
961
962         /* FIXME: empty DN in proxyAuthz control should be legal... */
963         if( rc != LDAP_SUCCESS /* || !dn.bv_len */ ) {
964                 if ( dn.bv_val ) {
965                         ch_free( dn.bv_val );
966                 }
967                 rs->sr_text = "authzId mapping failed";
968                 return LDAP_PROXIED_AUTHORIZATION_DENIED;
969         }
970
971         Debug( LDAP_DEBUG_TRACE,
972                 "parseProxyAuthz: conn=%lu \"%s\"\n", 
973                 op->o_connid,
974                 dn.bv_len ? dn.bv_val : "(NULL)", 0 );
975
976         rc = slap_sasl_authorized( op, &op->o_ndn, &dn );
977
978         if ( rc ) {
979                 ch_free( dn.bv_val );
980                 rs->sr_text = "not authorized to assume identity";
981                 return LDAP_PROXIED_AUTHORIZATION_DENIED;
982         }
983
984         ch_free( op->o_ndn.bv_val );
985         ch_free( op->o_dn.bv_val );
986
987         /*
988          * NOTE: since slap_sasl_getdn() returns a normalized dn,
989          * from now on op->o_dn is normalized
990          */
991         op->o_ndn = dn;
992         ber_dupbv( &op->o_dn, &dn );
993
994
995         Statslog( LDAP_DEBUG_STATS, "%s PROXYAUTHZ dn=\"%s\"\n",
996             op->o_log_prefix, dn.bv_val, 0, 0, 0 );
997
998         return LDAP_SUCCESS;
999 }
1000
1001 static int parseNoOp (
1002         Operation *op,
1003         SlapReply *rs,
1004         LDAPControl *ctrl )
1005 {
1006         if ( op->o_noop != SLAP_CONTROL_NONE ) {
1007                 rs->sr_text = "noop control specified multiple times";
1008                 return LDAP_PROTOCOL_ERROR;
1009         }
1010
1011         if ( ctrl->ldctl_value.bv_len ) {
1012                 rs->sr_text = "noop control value not empty";
1013                 return LDAP_PROTOCOL_ERROR;
1014         }
1015
1016         op->o_noop = ctrl->ldctl_iscritical
1017                 ? SLAP_CONTROL_CRITICAL
1018                 : SLAP_CONTROL_NONCRITICAL;
1019
1020         return LDAP_SUCCESS;
1021 }
1022
1023 static int parsePagedResults (
1024         Operation *op,
1025         SlapReply *rs,
1026         LDAPControl *ctrl )
1027 {
1028         int             rc = LDAP_SUCCESS;
1029         ber_tag_t       tag;
1030         ber_int_t       size;
1031         BerElement      *ber;
1032         struct berval   cookie = BER_BVNULL;
1033         PagedResultsState       *ps;
1034
1035         if ( op->o_pagedresults != SLAP_CONTROL_NONE ) {
1036                 rs->sr_text = "paged results control specified multiple times";
1037                 return LDAP_PROTOCOL_ERROR;
1038         }
1039
1040         if ( BER_BVISEMPTY( &ctrl->ldctl_value ) ) {
1041                 rs->sr_text = "paged results control value is empty (or absent)";
1042                 return LDAP_PROTOCOL_ERROR;
1043         }
1044
1045         /* Parse the control value
1046          *      realSearchControlValue ::= SEQUENCE {
1047          *              size    INTEGER (0..maxInt),
1048          *                              -- requested page size from client
1049          *                              -- result set size estimate from server
1050          *              cookie  OCTET STRING
1051          * }
1052          */
1053         ber = ber_init( &ctrl->ldctl_value );
1054         if ( ber == NULL ) {
1055                 rs->sr_text = "internal error";
1056                 return LDAP_OTHER;
1057         }
1058
1059         tag = ber_scanf( ber, "{im}", &size, &cookie );
1060
1061         if ( tag == LBER_ERROR ) {
1062                 rs->sr_text = "paged results control could not be decoded";
1063                 rc = LDAP_PROTOCOL_ERROR;
1064                 goto done;
1065         }
1066
1067         if ( size < 0 ) {
1068                 rs->sr_text = "paged results control size invalid";
1069                 rc = LDAP_PROTOCOL_ERROR;
1070                 goto done;
1071         }
1072
1073         ps = op->o_tmpalloc( sizeof(PagedResultsState), op->o_tmpmemctx );
1074         *ps = op->o_conn->c_pagedresults_state;
1075         ps->ps_size = size;
1076         op->o_pagedresults_state = ps;
1077
1078         /* NOTE: according to RFC 2696 3.:
1079
1080     If the page size is greater than or equal to the sizeLimit value, the
1081     server should ignore the control as the request can be satisfied in a
1082     single page.
1083          
1084          * NOTE: this assumes that the op->ors_slimit be set
1085          * before the controls are parsed.     
1086          */
1087                 
1088         if ( op->ors_slimit > 0 && size >= op->ors_slimit ) {
1089                 op->o_pagedresults = SLAP_CONTROL_IGNORED;
1090
1091         } else if ( ctrl->ldctl_iscritical ) {
1092                 op->o_pagedresults = SLAP_CONTROL_CRITICAL;
1093
1094         } else {
1095                 op->o_pagedresults = SLAP_CONTROL_NONCRITICAL;
1096         }
1097
1098 done:;
1099         (void)ber_free( ber, 1 );
1100         return rc;
1101 }
1102
1103 #ifdef SLAP_SORTEDRESULTS
1104 static int parseSortedResults (
1105         Operation *op,
1106         SlapReply *rs,
1107         LDAPControl *ctrl )
1108 {
1109         int             rc = LDAP_SUCCESS;
1110
1111         if ( op->o_sortedresults != SLAP_CONTROL_NONE ) {
1112                 rs->sr_text = "sorted results control specified multiple times";
1113                 return LDAP_PROTOCOL_ERROR;
1114         }
1115
1116         if ( BER_BVISEMPTY( &ctrl->ldctl_value ) ) {
1117                 rs->sr_text = "sorted results control value is empty (or absent)";
1118                 return LDAP_PROTOCOL_ERROR;
1119         }
1120
1121         /* blow off parsing the value */
1122
1123         op->o_sortedresults = ctrl->ldctl_iscritical
1124                 ? SLAP_CONTROL_CRITICAL
1125                 : SLAP_CONTROL_NONCRITICAL;
1126
1127         return rc;
1128 }
1129 #endif
1130
1131 static int parseAssert (
1132         Operation *op,
1133         SlapReply *rs,
1134         LDAPControl *ctrl )
1135 {
1136         BerElement      *ber;
1137         struct berval   fstr = BER_BVNULL;
1138
1139         if ( op->o_assert != SLAP_CONTROL_NONE ) {
1140                 rs->sr_text = "assert control specified multiple times";
1141                 return LDAP_PROTOCOL_ERROR;
1142         }
1143
1144         if ( ctrl->ldctl_value.bv_len == 0 ) {
1145                 rs->sr_text = "assert control value is empty (or absent)";
1146                 return LDAP_PROTOCOL_ERROR;
1147         }
1148
1149         ber = ber_init( &(ctrl->ldctl_value) );
1150         if (ber == NULL) {
1151                 rs->sr_text = "assert control: internal error";
1152                 return LDAP_OTHER;
1153         }
1154         
1155         rs->sr_err = get_filter( op, ber, (Filter **)&(op->o_assertion),
1156                 &rs->sr_text);
1157         (void) ber_free( ber, 1 );
1158         if( rs->sr_err != LDAP_SUCCESS ) {
1159                 if( rs->sr_err == SLAPD_DISCONNECT ) {
1160                         rs->sr_err = LDAP_PROTOCOL_ERROR;
1161                         send_ldap_disconnect( op, rs );
1162                         rs->sr_err = SLAPD_DISCONNECT;
1163                 } else {
1164                         send_ldap_result( op, rs );
1165                 }
1166                 if( op->o_assertion != NULL ) {
1167                         filter_free_x( op, op->o_assertion );
1168                 }
1169                 return rs->sr_err;
1170         }
1171
1172 #ifdef LDAP_DEBUG
1173         filter2bv_x( op, op->o_assertion, &fstr );
1174
1175         Debug( LDAP_DEBUG_ARGS, "parseAssert: conn %ld assert: %s\n",
1176                 op->o_connid, fstr.bv_len ? fstr.bv_val : "empty" , 0 );
1177         op->o_tmpfree( fstr.bv_val, op->o_tmpmemctx );
1178 #endif
1179
1180         op->o_assert = ctrl->ldctl_iscritical
1181                 ? SLAP_CONTROL_CRITICAL
1182                 : SLAP_CONTROL_NONCRITICAL;
1183
1184         rs->sr_err = LDAP_SUCCESS;
1185         return LDAP_SUCCESS;
1186 }
1187
1188 static int parsePreRead (
1189         Operation *op,
1190         SlapReply *rs,
1191         LDAPControl *ctrl )
1192 {
1193         ber_len_t siz, off, i;
1194         AttributeName *an = NULL;
1195         BerElement      *ber;
1196
1197         if ( op->o_preread != SLAP_CONTROL_NONE ) {
1198                 rs->sr_text = "preread control specified multiple times";
1199                 return LDAP_PROTOCOL_ERROR;
1200         }
1201
1202         if ( ctrl->ldctl_value.bv_len == 0 ) {
1203                 rs->sr_text = "preread control value is empty (or absent)";
1204                 return LDAP_PROTOCOL_ERROR;
1205         }
1206
1207 #ifdef LDAP_X_TXN
1208         if ( op->o_txnSpec ) { /* temporary limitation */
1209                 rs->sr_text = "cannot perform pre-read in transaction";
1210                 return LDAP_UNWILLING_TO_PERFORM;
1211         }
1212 #endif
1213
1214         ber = ber_init( &(ctrl->ldctl_value) );
1215         if (ber == NULL) {
1216                 rs->sr_text = "preread control: internal error";
1217                 return LDAP_OTHER;
1218         }
1219
1220         rs->sr_err = LDAP_SUCCESS;
1221
1222         siz = sizeof( AttributeName );
1223         off = offsetof( AttributeName, an_name );
1224         if ( ber_scanf( ber, "{M}", &an, &siz, off ) == LBER_ERROR ) {
1225                 rs->sr_text = "preread control: decoding error";
1226                 rs->sr_err = LDAP_PROTOCOL_ERROR;
1227                 goto done;
1228         }
1229
1230         for( i=0; i<siz; i++ ) {
1231                 const char      *dummy = NULL;
1232
1233                 an[i].an_desc = NULL;
1234                 an[i].an_oc = NULL;
1235                 an[i].an_oc_exclude = 0;
1236                 rs->sr_err = slap_bv2ad( &an[i].an_name, &an[i].an_desc, &dummy );
1237                 if ( rs->sr_err != LDAP_SUCCESS && ctrl->ldctl_iscritical ) {
1238                         rs->sr_text = dummy
1239                                 ? dummy
1240                                 : "postread control: unknown attributeType";
1241                         goto done;
1242                 }
1243         }
1244
1245         op->o_preread = ctrl->ldctl_iscritical
1246                 ? SLAP_CONTROL_CRITICAL
1247                 : SLAP_CONTROL_NONCRITICAL;
1248
1249         op->o_preread_attrs = an;
1250
1251 done:
1252         (void) ber_free( ber, 1 );
1253         return rs->sr_err;
1254 }
1255
1256 static int parsePostRead (
1257         Operation *op,
1258         SlapReply *rs,
1259         LDAPControl *ctrl )
1260 {
1261         ber_len_t siz, off, i;
1262         AttributeName *an = NULL;
1263         BerElement      *ber;
1264
1265         if ( op->o_postread != SLAP_CONTROL_NONE ) {
1266                 rs->sr_text = "postread control specified multiple times";
1267                 return LDAP_PROTOCOL_ERROR;
1268         }
1269
1270         if ( ctrl->ldctl_value.bv_len == 0 ) {
1271                 rs->sr_text = "postread control value is empty (or absent)";
1272                 return LDAP_PROTOCOL_ERROR;
1273         }
1274
1275 #ifdef LDAP_X_TXN
1276         if ( op->o_txnSpec ) { /* temporary limitation */
1277                 rs->sr_text = "cannot perform post-read in transaction";
1278                 return LDAP_UNWILLING_TO_PERFORM;
1279         }
1280 #endif
1281
1282         ber = ber_init( &(ctrl->ldctl_value) );
1283         if (ber == NULL) {
1284                 rs->sr_text = "postread control: internal error";
1285                 return LDAP_OTHER;
1286         }
1287
1288         rs->sr_err = LDAP_SUCCESS;
1289         siz = sizeof( AttributeName );
1290         off = offsetof( AttributeName, an_name );
1291         if ( ber_scanf( ber, "{M}", &an, &siz, off ) == LBER_ERROR ) {
1292                 rs->sr_text = "postread control: decoding error";
1293                 rs->sr_err = LDAP_PROTOCOL_ERROR;
1294                 goto done;
1295         }
1296
1297         for( i=0; i<siz; i++ ) {
1298                 const char      *dummy = NULL;
1299
1300                 an[i].an_desc = NULL;
1301                 an[i].an_oc = NULL;
1302                 an[i].an_oc_exclude = 0;
1303                 rs->sr_err = slap_bv2ad( &an[i].an_name, &an[i].an_desc, &dummy );
1304                 if ( rs->sr_err != LDAP_SUCCESS && ctrl->ldctl_iscritical ) {
1305                         rs->sr_text = dummy
1306                                 ? dummy
1307                                 : "postread control: unknown attributeType";
1308                         goto done;
1309                 }
1310         }
1311
1312         op->o_postread = ctrl->ldctl_iscritical
1313                 ? SLAP_CONTROL_CRITICAL
1314                 : SLAP_CONTROL_NONCRITICAL;
1315
1316         op->o_postread_attrs = an;
1317
1318 done:
1319         (void) ber_free( ber, 1 );
1320         return rs->sr_err;
1321 }
1322
1323 static int parseValuesReturnFilter (
1324         Operation *op,
1325         SlapReply *rs,
1326         LDAPControl *ctrl )
1327 {
1328         BerElement      *ber;
1329         struct berval   fstr = BER_BVNULL;
1330
1331         if ( op->o_valuesreturnfilter != SLAP_CONTROL_NONE ) {
1332                 rs->sr_text = "valuesReturnFilter control specified multiple times";
1333                 return LDAP_PROTOCOL_ERROR;
1334         }
1335
1336         if ( ctrl->ldctl_value.bv_len == 0 ) {
1337                 rs->sr_text = "valuesReturnFilter control value is empty (or absent)";
1338                 return LDAP_PROTOCOL_ERROR;
1339         }
1340
1341         ber = ber_init( &(ctrl->ldctl_value) );
1342         if (ber == NULL) {
1343                 rs->sr_text = "internal error";
1344                 return LDAP_OTHER;
1345         }
1346         
1347         rs->sr_err = get_vrFilter( op, ber,
1348                 (ValuesReturnFilter **)&(op->o_vrFilter), &rs->sr_text);
1349
1350         (void) ber_free( ber, 1 );
1351
1352         if( rs->sr_err != LDAP_SUCCESS ) {
1353                 if( rs->sr_err == SLAPD_DISCONNECT ) {
1354                         rs->sr_err = LDAP_PROTOCOL_ERROR;
1355                         send_ldap_disconnect( op, rs );
1356                         rs->sr_err = SLAPD_DISCONNECT;
1357                 } else {
1358                         send_ldap_result( op, rs );
1359                 }
1360                 if( op->o_vrFilter != NULL) vrFilter_free( op, op->o_vrFilter ); 
1361         }
1362 #ifdef LDAP_DEBUG
1363         else {
1364                 vrFilter2bv( op, op->o_vrFilter, &fstr );
1365         }
1366
1367         Debug( LDAP_DEBUG_ARGS, "       vrFilter: %s\n",
1368                 fstr.bv_len ? fstr.bv_val : "empty", 0, 0 );
1369         op->o_tmpfree( fstr.bv_val, op->o_tmpmemctx );
1370 #endif
1371
1372         op->o_valuesreturnfilter = ctrl->ldctl_iscritical
1373                 ? SLAP_CONTROL_CRITICAL
1374                 : SLAP_CONTROL_NONCRITICAL;
1375
1376         rs->sr_err = LDAP_SUCCESS;
1377         return LDAP_SUCCESS;
1378 }
1379
1380 static int parseSubentries (
1381         Operation *op,
1382         SlapReply *rs,
1383         LDAPControl *ctrl )
1384 {
1385         if ( op->o_subentries != SLAP_CONTROL_NONE ) {
1386                 rs->sr_text = "subentries control specified multiple times";
1387                 return LDAP_PROTOCOL_ERROR;
1388         }
1389
1390         /* FIXME: should use BER library */
1391         if( ( ctrl->ldctl_value.bv_len != 3 )
1392                 || ( ctrl->ldctl_value.bv_val[0] != 0x01 )
1393                 || ( ctrl->ldctl_value.bv_val[1] != 0x01 ))
1394         {
1395                 rs->sr_text = "subentries control value encoding is bogus";
1396                 return LDAP_PROTOCOL_ERROR;
1397         }
1398
1399         op->o_subentries = ctrl->ldctl_iscritical
1400                 ? SLAP_CONTROL_CRITICAL
1401                 : SLAP_CONTROL_NONCRITICAL;
1402
1403         if (ctrl->ldctl_value.bv_val[2]) {
1404                 set_subentries_visibility( op );
1405         }
1406
1407         return LDAP_SUCCESS;
1408 }
1409
1410 static int parsePermissiveModify (
1411         Operation *op,
1412         SlapReply *rs,
1413         LDAPControl *ctrl )
1414 {
1415         if ( op->o_permissive_modify != SLAP_CONTROL_NONE ) {
1416                 rs->sr_text = "permissiveModify control specified multiple times";
1417                 return LDAP_PROTOCOL_ERROR;
1418         }
1419
1420         if ( ctrl->ldctl_value.bv_len ) {
1421                 rs->sr_text = "permissiveModify control value not empty";
1422                 return LDAP_PROTOCOL_ERROR;
1423         }
1424
1425         op->o_permissive_modify = ctrl->ldctl_iscritical
1426                 ? SLAP_CONTROL_CRITICAL
1427                 : SLAP_CONTROL_NONCRITICAL;
1428
1429         return LDAP_SUCCESS;
1430 }
1431
1432 static int parseDomainScope (
1433         Operation *op,
1434         SlapReply *rs,
1435         LDAPControl *ctrl )
1436 {
1437         if ( op->o_domain_scope != SLAP_CONTROL_NONE ) {
1438                 rs->sr_text = "domainScope control specified multiple times";
1439                 return LDAP_PROTOCOL_ERROR;
1440         }
1441
1442         if ( ctrl->ldctl_value.bv_len ) {
1443                 rs->sr_text = "domainScope control value not empty";
1444                 return LDAP_PROTOCOL_ERROR;
1445         }
1446
1447         op->o_domain_scope = ctrl->ldctl_iscritical
1448                 ? SLAP_CONTROL_CRITICAL
1449                 : SLAP_CONTROL_NONCRITICAL;
1450
1451         return LDAP_SUCCESS;
1452 }
1453
1454 #ifdef SLAP_CONTROL_X_TREE_DELETE
1455 static int parseTreeDelete (
1456         Operation *op,
1457         SlapReply *rs,
1458         LDAPControl *ctrl )
1459 {
1460         if ( op->o_tree_delete != SLAP_CONTROL_NONE ) {
1461                 rs->sr_text = "treeDelete control specified multiple times";
1462                 return LDAP_PROTOCOL_ERROR;
1463         }
1464
1465         if ( ctrl->ldctl_value.bv_len ) {
1466                 rs->sr_text = "treeDelete control value not empty";
1467                 return LDAP_PROTOCOL_ERROR;
1468         }
1469
1470         op->o_tree_delete = ctrl->ldctl_iscritical
1471                 ? SLAP_CONTROL_CRITICAL
1472                 : SLAP_CONTROL_NONCRITICAL;
1473
1474         return LDAP_SUCCESS;
1475 }
1476 #endif
1477
1478 static int parseSearchOptions (
1479         Operation *op,
1480         SlapReply *rs,
1481         LDAPControl *ctrl )
1482 {
1483         BerElement *ber;
1484         ber_int_t search_flags;
1485         ber_tag_t tag;
1486
1487         if ( ctrl->ldctl_value.bv_len == 0 ) {
1488                 rs->sr_text = "searchOptions control value is empty (or absent)";
1489                 return LDAP_PROTOCOL_ERROR;
1490         }
1491
1492         ber = ber_init( &ctrl->ldctl_value );
1493         if( ber == NULL ) {
1494                 rs->sr_text = "internal error";
1495                 return LDAP_OTHER;
1496         }
1497
1498         tag = ber_scanf( ber, "{i}", &search_flags );
1499         (void) ber_free( ber, 1 );
1500
1501         if ( tag == LBER_ERROR ) {
1502                 rs->sr_text = "searchOptions control decoding error";
1503                 return LDAP_PROTOCOL_ERROR;
1504         }
1505
1506         if ( search_flags & LDAP_SEARCH_FLAG_DOMAIN_SCOPE ) {
1507                 if ( op->o_domain_scope != SLAP_CONTROL_NONE ) {
1508                         rs->sr_text = "searchOptions control specified multiple times "
1509                                 "or with domainScope control";
1510                         return LDAP_PROTOCOL_ERROR;
1511                 }
1512
1513                 op->o_domain_scope = ctrl->ldctl_iscritical
1514                         ? SLAP_CONTROL_CRITICAL
1515                         : SLAP_CONTROL_NONCRITICAL;
1516         }
1517
1518         if ( search_flags & ~(LDAP_SEARCH_FLAG_DOMAIN_SCOPE) ) {
1519                 /* Other search flags not recognised so far,
1520                  * including:
1521                  *              LDAP_SEARCH_FLAG_PHANTOM_ROOM
1522                  */
1523                 rs->sr_text = "searchOptions contained unrecognized flag";
1524                 return LDAP_UNWILLING_TO_PERFORM;
1525         }
1526
1527         return LDAP_SUCCESS;
1528 }
1529