]> git.sur5r.net Git - openldap/blob - servers/slapd/controls.c
Ignore attempts to Add cn=schema,cn=config
[openldap] / servers / slapd / controls.c
1 /* $OpenLDAP$ */
2 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
3  *
4  * Copyright 1998-2009 The OpenLDAP Foundation.
5  * All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted only as authorized by the OpenLDAP
9  * Public License.
10  *
11  * A copy of this license is available in the file LICENSE in the
12  * top-level directory of the distribution or, alternatively, at
13  * <http://www.OpenLDAP.org/license.html>.
14  */
15
16 #include "portable.h"
17
18 #include <stdio.h>
19
20 #include <ac/string.h>
21 #include <ac/socket.h>
22
23 #include "slap.h"
24 #include "ldif.h"
25 #include "lutil.h"
26
27 #include "../../libraries/liblber/lber-int.h"
28
29 static SLAP_CTRL_PARSE_FN parseAssert;
30 static SLAP_CTRL_PARSE_FN parseDomainScope;
31 static SLAP_CTRL_PARSE_FN parseDontUseCopy;
32 static SLAP_CTRL_PARSE_FN parseManageDSAit;
33 static SLAP_CTRL_PARSE_FN parseNoOp;
34 static SLAP_CTRL_PARSE_FN parsePagedResults;
35 static SLAP_CTRL_PARSE_FN parsePermissiveModify;
36 static SLAP_CTRL_PARSE_FN parsePreRead, parsePostRead;
37 static SLAP_CTRL_PARSE_FN parseProxyAuthz;
38 static SLAP_CTRL_PARSE_FN parseRelax;
39 static SLAP_CTRL_PARSE_FN parseSearchOptions;
40 #ifdef SLAP_CONTROL_X_SORTEDRESULTS
41 static SLAP_CTRL_PARSE_FN parseSortedResults;
42 #endif
43 static SLAP_CTRL_PARSE_FN parseSubentries;
44 #ifdef SLAP_CONTROL_X_TREE_DELETE
45 static SLAP_CTRL_PARSE_FN parseTreeDelete;
46 #endif
47 static SLAP_CTRL_PARSE_FN parseValuesReturnFilter;
48 #ifdef SLAP_CONTROL_X_SESSION_TRACKING
49 static SLAP_CTRL_PARSE_FN parseSessionTracking;
50 #endif
51 #ifdef SLAP_CONTROL_X_WHATFAILED
52 static SLAP_CTRL_PARSE_FN parseWhatFailed;
53 #endif
54
55 #undef sc_mask /* avoid conflict with Irix 6.5 <sys/signal.h> */
56
57 const struct berval slap_pre_read_bv = BER_BVC(LDAP_CONTROL_PRE_READ);
58 const struct berval slap_post_read_bv = BER_BVC(LDAP_CONTROL_POST_READ);
59
60 struct slap_control_ids slap_cids;
61
62 struct slap_control {
63         /* Control OID */
64         char *sc_oid;
65
66         /* The controlID for this control */
67         int sc_cid;
68
69         /* Operations supported by control */
70         slap_mask_t sc_mask;
71
72         /* Extended operations supported by control */
73         char **sc_extendedops;          /* input */
74         BerVarray sc_extendedopsbv;     /* run-time use */
75
76         /* Control parsing callback */
77         SLAP_CTRL_PARSE_FN *sc_parse;
78
79         LDAP_SLIST_ENTRY(slap_control) sc_next;
80 };
81
82 static LDAP_SLIST_HEAD(ControlsList, slap_control) controls_list
83         = LDAP_SLIST_HEAD_INITIALIZER(&controls_list);
84
85 /*
86  * all known request control OIDs should be added to this list
87  */
88 /*
89  * NOTE: initialize num_known_controls to 1 so that cid = 0 always
90  * addresses an undefined control; this allows to safely test for 
91  * well known controls even if they are not registered, e.g. if 
92  * they get moved to modules.  An example is sc_LDAPsync, which 
93  * is implemented in the syncprov overlay and thus, if configured 
94  * as dynamic module, may not be registered.  One side effect is that 
95  * slap_known_controls[0] == NULL, so it should always be used 
96  * starting from 1.
97  * FIXME: should we define the "undefined control" oid?
98  */
99 char *slap_known_controls[SLAP_MAX_CIDS+1];
100 static int num_known_controls = 1;
101
102 static char *proxy_authz_extops[] = {
103         LDAP_EXOP_MODIFY_PASSWD,
104         LDAP_EXOP_WHO_AM_I,
105         LDAP_EXOP_REFRESH,
106         NULL
107 };
108
109 static char *manageDSAit_extops[] = {
110         LDAP_EXOP_REFRESH,
111         NULL
112 };
113
114 #ifdef SLAP_CONTROL_X_SESSION_TRACKING
115 static char *session_tracking_extops[] = {
116         LDAP_EXOP_MODIFY_PASSWD,
117         LDAP_EXOP_WHO_AM_I,
118         LDAP_EXOP_REFRESH,
119         NULL
120 };
121 #endif
122
123 static struct slap_control control_defs[] = {
124         {  LDAP_CONTROL_ASSERT,
125                 (int)offsetof(struct slap_control_ids, sc_assert),
126                 SLAP_CTRL_UPDATE|SLAP_CTRL_COMPARE|SLAP_CTRL_SEARCH,
127                 NULL, NULL,
128                 parseAssert, LDAP_SLIST_ENTRY_INITIALIZER(next) },
129         { LDAP_CONTROL_PRE_READ,
130                 (int)offsetof(struct slap_control_ids, sc_preRead),
131                 SLAP_CTRL_DELETE|SLAP_CTRL_MODIFY|SLAP_CTRL_RENAME,
132                 NULL, NULL,
133                 parsePreRead, LDAP_SLIST_ENTRY_INITIALIZER(next) },
134         { LDAP_CONTROL_POST_READ,
135                 (int)offsetof(struct slap_control_ids, sc_postRead),
136                 SLAP_CTRL_ADD|SLAP_CTRL_MODIFY|SLAP_CTRL_RENAME,
137                 NULL, NULL,
138                 parsePostRead, LDAP_SLIST_ENTRY_INITIALIZER(next) },
139         { LDAP_CONTROL_VALUESRETURNFILTER,
140                 (int)offsetof(struct slap_control_ids, sc_valuesReturnFilter),
141                 SLAP_CTRL_GLOBAL|SLAP_CTRL_SEARCH,
142                 NULL, NULL,
143                 parseValuesReturnFilter, LDAP_SLIST_ENTRY_INITIALIZER(next) },
144         { LDAP_CONTROL_PAGEDRESULTS,
145                 (int)offsetof(struct slap_control_ids, sc_pagedResults),
146                 SLAP_CTRL_SEARCH,
147                 NULL, NULL,
148                 parsePagedResults, LDAP_SLIST_ENTRY_INITIALIZER(next) },
149 #ifdef SLAP_CONTROL_X_SORTEDRESULTS
150         { LDAP_CONTROL_SORTREQUEST,
151                 (int)offsetof(struct slap_control_ids, sc_sortedResults),
152                 SLAP_CTRL_GLOBAL|SLAP_CTRL_SEARCH|SLAP_CTRL_HIDE,
153                 NULL, NULL,
154                 parseSortedResults, LDAP_SLIST_ENTRY_INITIALIZER(next) },
155 #endif
156         { LDAP_CONTROL_X_DOMAIN_SCOPE,
157                 (int)offsetof(struct slap_control_ids, sc_domainScope),
158                 SLAP_CTRL_GLOBAL|SLAP_CTRL_SEARCH|SLAP_CTRL_HIDE,
159                 NULL, NULL,
160                 parseDomainScope, LDAP_SLIST_ENTRY_INITIALIZER(next) },
161         { LDAP_CONTROL_DONTUSECOPY,
162                 (int)offsetof(struct slap_control_ids, sc_dontUseCopy),
163                 SLAP_CTRL_GLOBAL|SLAP_CTRL_INTROGATE|SLAP_CTRL_HIDE,
164                 NULL, NULL,
165                 parseDontUseCopy, LDAP_SLIST_ENTRY_INITIALIZER(next) },
166         { LDAP_CONTROL_X_PERMISSIVE_MODIFY,
167                 (int)offsetof(struct slap_control_ids, sc_permissiveModify),
168                 SLAP_CTRL_MODIFY|SLAP_CTRL_HIDE,
169                 NULL, NULL,
170                 parsePermissiveModify, LDAP_SLIST_ENTRY_INITIALIZER(next) },
171 #ifdef SLAP_CONTROL_X_TREE_DELETE
172         { LDAP_CONTROL_X_TREE_DELETE,
173                 (int)offsetof(struct slap_control_ids, sc_treeDelete),
174                 SLAP_CTRL_DELETE|SLAP_CTRL_HIDE,
175                 NULL, NULL,
176                 parseTreeDelete, LDAP_SLIST_ENTRY_INITIALIZER(next) },
177 #endif
178         { LDAP_CONTROL_X_SEARCH_OPTIONS,
179                 (int)offsetof(struct slap_control_ids, sc_searchOptions),
180                 SLAP_CTRL_GLOBAL|SLAP_CTRL_SEARCH|SLAP_CTRL_HIDE,
181                 NULL, NULL,
182                 parseSearchOptions, LDAP_SLIST_ENTRY_INITIALIZER(next) },
183         { LDAP_CONTROL_SUBENTRIES,
184                 (int)offsetof(struct slap_control_ids, sc_subentries),
185                 SLAP_CTRL_SEARCH,
186                 NULL, NULL,
187                 parseSubentries, LDAP_SLIST_ENTRY_INITIALIZER(next) },
188         { LDAP_CONTROL_NOOP,
189                 (int)offsetof(struct slap_control_ids, sc_noOp),
190                 SLAP_CTRL_ACCESS|SLAP_CTRL_HIDE,
191                 NULL, NULL,
192                 parseNoOp, LDAP_SLIST_ENTRY_INITIALIZER(next) },
193         { LDAP_CONTROL_RELAX,
194                 (int)offsetof(struct slap_control_ids, sc_relax),
195                 SLAP_CTRL_GLOBAL|SLAP_CTRL_UPDATE|SLAP_CTRL_HIDE,
196                 NULL, NULL,
197                 parseRelax, LDAP_SLIST_ENTRY_INITIALIZER(next) },
198 #ifdef LDAP_X_TXN
199         { LDAP_CONTROL_X_TXN_SPEC,
200                 (int)offsetof(struct slap_control_ids, sc_txnSpec),
201                 SLAP_CTRL_UPDATE|SLAP_CTRL_HIDE,
202                 NULL, NULL,
203                 txn_spec_ctrl, LDAP_SLIST_ENTRY_INITIALIZER(next) },
204 #endif
205         { LDAP_CONTROL_MANAGEDSAIT,
206                 (int)offsetof(struct slap_control_ids, sc_manageDSAit),
207                 SLAP_CTRL_ACCESS,
208                 manageDSAit_extops, NULL,
209                 parseManageDSAit, LDAP_SLIST_ENTRY_INITIALIZER(next) },
210         { LDAP_CONTROL_PROXY_AUTHZ,
211                 (int)offsetof(struct slap_control_ids, sc_proxyAuthz),
212                 SLAP_CTRL_GLOBAL|SLAP_CTRL_ACCESS,
213                 proxy_authz_extops, NULL,
214                 parseProxyAuthz, LDAP_SLIST_ENTRY_INITIALIZER(next) },
215 #ifdef SLAP_CONTROL_X_SESSION_TRACKING
216         { LDAP_CONTROL_X_SESSION_TRACKING,
217                 (int)offsetof(struct slap_control_ids, sc_sessionTracking),
218                 SLAP_CTRL_GLOBAL|SLAP_CTRL_ACCESS|SLAP_CTRL_BIND|SLAP_CTRL_HIDE,
219                 session_tracking_extops, NULL,
220                 parseSessionTracking, LDAP_SLIST_ENTRY_INITIALIZER(next) },
221 #endif
222 #ifdef SLAP_CONTROL_X_WHATFAILED
223         { LDAP_CONTROL_X_WHATFAILED,
224                 (int)offsetof(struct slap_control_ids, sc_whatFailed),
225                 SLAP_CTRL_GLOBAL|SLAP_CTRL_ACCESS|SLAP_CTRL_HIDE,
226                 NULL, NULL,
227                 parseWhatFailed, LDAP_SLIST_ENTRY_INITIALIZER(next) },
228 #endif
229
230         { NULL, 0, 0, NULL, 0, NULL, LDAP_SLIST_ENTRY_INITIALIZER(next) }
231 };
232
233 static struct slap_control *
234 find_ctrl( const char *oid );
235
236 /*
237  * Register a supported control.
238  *
239  * This can be called by an OpenLDAP plugin or, indirectly, by a
240  * SLAPI plugin calling slapi_register_supported_control().
241  *
242  * NOTE: if flags == 1 the control is replaced if already registered;
243  * otherwise registering an already registered control is not allowed.
244  */
245 int
246 register_supported_control2(const char *controloid,
247         slap_mask_t controlmask,
248         char **controlexops,
249         SLAP_CTRL_PARSE_FN *controlparsefn,
250         unsigned flags,
251         int *controlcid)
252 {
253         struct slap_control *sc = NULL;
254         int i;
255         BerVarray extendedopsbv = NULL;
256
257         if ( num_known_controls >= SLAP_MAX_CIDS ) {
258                 Debug( LDAP_DEBUG_ANY, "Too many controls registered."
259                         " Recompile slapd with SLAP_MAX_CIDS defined > %d\n",
260                 SLAP_MAX_CIDS, 0, 0 );
261                 return LDAP_OTHER;
262         }
263
264         if ( controloid == NULL ) {
265                 return LDAP_PARAM_ERROR;
266         }
267
268         /* check if already registered */
269         for ( i = 0; slap_known_controls[ i ]; i++ ) {
270                 if ( strcmp( controloid, slap_known_controls[ i ] ) == 0 ) {
271                         if ( flags == 1 ) {
272                                 Debug( LDAP_DEBUG_TRACE,
273                                         "Control %s already registered; replacing.\n",
274                                         controloid, 0, 0 );
275                                 /* (find and) replace existing handler */
276                                 sc = find_ctrl( controloid );
277                                 assert( sc != NULL );
278                                 break;
279                         }
280
281                         Debug( LDAP_DEBUG_ANY,
282                                 "Control %s already registered.\n",
283                                 controloid, 0, 0 );
284                         return LDAP_PARAM_ERROR;
285                 }
286         }
287
288         /* turn compatible extended operations into bervals */
289         if ( controlexops != NULL ) {
290                 int i;
291
292                 for ( i = 0; controlexops[ i ]; i++ );
293
294                 extendedopsbv = ber_memcalloc( i + 1, sizeof( struct berval ) );
295                 if ( extendedopsbv == NULL ) {
296                         return LDAP_NO_MEMORY;
297                 }
298
299                 for ( i = 0; controlexops[ i ]; i++ ) {
300                         ber_str2bv( controlexops[ i ], 0, 1, &extendedopsbv[ i ] );
301                 }
302         }
303
304         if ( sc == NULL ) {
305                 sc = (struct slap_control *)SLAP_MALLOC( sizeof( *sc ) );
306                 if ( sc == NULL ) {
307                         return LDAP_NO_MEMORY;
308                 }
309
310                 sc->sc_oid = ch_strdup( controloid );
311                 sc->sc_cid = num_known_controls;
312
313                 /* Update slap_known_controls, too. */
314                 slap_known_controls[num_known_controls - 1] = sc->sc_oid;
315                 slap_known_controls[num_known_controls++] = NULL;
316
317                 LDAP_SLIST_NEXT( sc, sc_next ) = NULL;
318                 LDAP_SLIST_INSERT_HEAD( &controls_list, sc, sc_next );
319
320         } else {
321                 if ( sc->sc_extendedopsbv ) {
322                         /* FIXME: in principle, we should rather merge
323                          * existing extops with those supported by the
324                          * new control handling implementation.
325                          * In fact, whether a control is compatible with
326                          * an extop should not be a matter of implementation.
327                          * We likely also need a means for a newly
328                          * registered extop to declare that it is
329                          * comptible with an already registered control.
330                          */
331                         ber_bvarray_free( sc->sc_extendedopsbv );
332                         sc->sc_extendedopsbv = NULL;
333                         sc->sc_extendedops = NULL;
334                 }
335         }
336
337         sc->sc_extendedopsbv = extendedopsbv;
338         sc->sc_mask = controlmask;
339         sc->sc_parse = controlparsefn;
340         if ( controlcid ) {
341                 *controlcid = sc->sc_cid;
342         }
343
344         return LDAP_SUCCESS;
345 }
346
347 /*
348  * One-time initialization of internal controls.
349  */
350 int
351 slap_controls_init( void )
352 {
353         int i, rc;
354
355         rc = LDAP_SUCCESS;
356
357         for ( i = 0; control_defs[i].sc_oid != NULL; i++ ) {
358                 int *cid = (int *)(((char *)&slap_cids) + control_defs[i].sc_cid );
359                 rc = register_supported_control( control_defs[i].sc_oid,
360                         control_defs[i].sc_mask, control_defs[i].sc_extendedops,
361                         control_defs[i].sc_parse, cid );
362                 if ( rc != LDAP_SUCCESS ) break;
363         }
364
365         return rc;
366 }
367
368 /*
369  * Free memory associated with list of supported controls.
370  */
371 void
372 controls_destroy( void )
373 {
374         struct slap_control *sc;
375
376         while ( !LDAP_SLIST_EMPTY(&controls_list) ) {
377                 sc = LDAP_SLIST_FIRST(&controls_list);
378                 LDAP_SLIST_REMOVE_HEAD(&controls_list, sc_next);
379
380                 ch_free( sc->sc_oid );
381                 if ( sc->sc_extendedopsbv != NULL ) {
382                         ber_bvarray_free( sc->sc_extendedopsbv );
383                 }
384                 ch_free( sc );
385         }
386 }
387
388 /*
389  * Format the supportedControl attribute of the root DSE,
390  * detailing which controls are supported by the directory
391  * server.
392  */
393 int
394 controls_root_dse_info( Entry *e )
395 {
396         AttributeDescription *ad_supportedControl
397                 = slap_schema.si_ad_supportedControl;
398         struct berval vals[2];
399         struct slap_control *sc;
400
401         vals[1].bv_val = NULL;
402         vals[1].bv_len = 0;
403
404         LDAP_SLIST_FOREACH( sc, &controls_list, sc_next ) {
405                 if( sc->sc_mask & SLAP_CTRL_HIDE ) continue;
406
407                 vals[0].bv_val = sc->sc_oid;
408                 vals[0].bv_len = strlen( sc->sc_oid );
409
410                 if ( attr_merge( e, ad_supportedControl, vals, NULL ) ) {
411                         return -1;
412                 }
413         }
414
415         return 0;
416 }
417
418 /*
419  * Return a list of OIDs and operation masks for supported
420  * controls. Used by SLAPI.
421  */
422 int
423 get_supported_controls(char ***ctrloidsp,
424         slap_mask_t **ctrlmasks)
425 {
426         int n;
427         char **oids;
428         slap_mask_t *masks;
429         struct slap_control *sc;
430
431         n = 0;
432
433         LDAP_SLIST_FOREACH( sc, &controls_list, sc_next ) {
434                 n++;
435         }
436
437         if ( n == 0 ) {
438                 *ctrloidsp = NULL;
439                 *ctrlmasks = NULL;
440                 return LDAP_SUCCESS;
441         }
442
443         oids = (char **)SLAP_MALLOC( (n + 1) * sizeof(char *) );
444         if ( oids == NULL ) {
445                 return LDAP_NO_MEMORY;
446         }
447         masks = (slap_mask_t *)SLAP_MALLOC( (n + 1) * sizeof(slap_mask_t) );
448         if  ( masks == NULL ) {
449                 SLAP_FREE( oids );
450                 return LDAP_NO_MEMORY;
451         }
452
453         n = 0;
454
455         LDAP_SLIST_FOREACH( sc, &controls_list, sc_next ) {
456                 oids[n] = ch_strdup( sc->sc_oid );
457                 masks[n] = sc->sc_mask;
458                 n++;
459         }
460         oids[n] = NULL;
461         masks[n] = 0;
462
463         *ctrloidsp = oids;
464         *ctrlmasks = masks;
465
466         return LDAP_SUCCESS;
467 }
468
469 /*
470  * Find a control given its OID.
471  */
472 static struct slap_control *
473 find_ctrl( const char *oid )
474 {
475         struct slap_control *sc;
476
477         LDAP_SLIST_FOREACH( sc, &controls_list, sc_next ) {
478                 if ( strcmp( oid, sc->sc_oid ) == 0 ) {
479                         return sc;
480                 }
481         }
482
483         return NULL;
484 }
485
486 int
487 slap_find_control_id(
488         const char *oid,
489         int *cid )
490 {
491         struct slap_control *ctrl = find_ctrl( oid );
492         if ( ctrl ) {
493                 if ( cid ) *cid = ctrl->sc_cid;
494                 return LDAP_SUCCESS;
495         }
496         return LDAP_CONTROL_NOT_FOUND;
497 }
498
499 int
500 slap_global_control( Operation *op, const char *oid, int *cid )
501 {
502         struct slap_control *ctrl = find_ctrl( oid );
503
504         if ( ctrl == NULL ) {
505                 /* should not be reachable */
506                 Debug( LDAP_DEBUG_ANY,
507                         "slap_global_control: unrecognized control: %s\n",      
508                         oid, 0, 0 );
509                 return LDAP_CONTROL_NOT_FOUND;
510         }
511
512         if ( cid ) *cid = ctrl->sc_cid;
513
514         if ( ( ctrl->sc_mask & SLAP_CTRL_GLOBAL ) ||
515                 ( ( op->o_tag & LDAP_REQ_SEARCH ) &&
516                 ( ctrl->sc_mask & SLAP_CTRL_GLOBAL_SEARCH ) ) )
517         {
518                 return LDAP_COMPARE_TRUE;
519         }
520
521 #if 0
522         Debug( LDAP_DEBUG_TRACE,
523                 "slap_global_control: unavailable control: %s\n",      
524                 oid, 0, 0 );
525 #endif
526
527         return LDAP_COMPARE_FALSE;
528 }
529
530 void slap_free_ctrls(
531         Operation *op,
532         LDAPControl **ctrls )
533 {
534         int i;
535
536         for (i=0; ctrls[i]; i++) {
537                 op->o_tmpfree(ctrls[i], op->o_tmpmemctx );
538         }
539         op->o_tmpfree( ctrls, op->o_tmpmemctx );
540 }
541
542 int slap_add_ctrls(
543         Operation *op,
544         SlapReply *rs,
545         LDAPControl **ctrls )
546 {
547         int i = 0, j;
548         LDAPControl **ctrlsp;
549
550         if ( rs->sr_ctrls ) {
551                 for ( ; rs->sr_ctrls[ i ]; i++ ) ;
552         }
553
554         for ( j=0; ctrls[j]; j++ ) ;
555
556         ctrlsp = op->o_tmpalloc(( i+j+1 )*sizeof(LDAPControl *), op->o_tmpmemctx );
557         i = 0;
558         if ( rs->sr_ctrls ) {
559                 for ( ; rs->sr_ctrls[i]; i++ )
560                         ctrlsp[i] = rs->sr_ctrls[i];
561         }
562         for ( j=0; ctrls[j]; j++)
563                 ctrlsp[i++] = ctrls[j];
564         ctrlsp[i] = NULL;
565
566         if ( rs->sr_flags & REP_CTRLS_MUSTBEFREED )
567                 op->o_tmpfree( rs->sr_ctrls, op->o_tmpmemctx );
568         rs->sr_ctrls = ctrlsp;
569         rs->sr_flags |= REP_CTRLS_MUSTBEFREED;
570         return i;
571 }
572
573 int slap_parse_ctrl(
574         Operation *op,
575         SlapReply *rs,
576         LDAPControl *control,
577         const char **text )
578 {
579         struct slap_control *sc;
580         int rc = LDAP_SUCCESS;
581
582         sc = find_ctrl( control->ldctl_oid );
583         if( sc != NULL ) {
584                 /* recognized control */
585                 slap_mask_t tagmask;
586                 switch( op->o_tag ) {
587                 case LDAP_REQ_ADD:
588                         tagmask = SLAP_CTRL_ADD;
589                         break;
590                 case LDAP_REQ_BIND:
591                         tagmask = SLAP_CTRL_BIND;
592                         break;
593                 case LDAP_REQ_COMPARE:
594                         tagmask = SLAP_CTRL_COMPARE;
595                         break;
596                 case LDAP_REQ_DELETE:
597                         tagmask = SLAP_CTRL_DELETE;
598                         break;
599                 case LDAP_REQ_MODIFY:
600                         tagmask = SLAP_CTRL_MODIFY;
601                         break;
602                 case LDAP_REQ_RENAME:
603                         tagmask = SLAP_CTRL_RENAME;
604                         break;
605                 case LDAP_REQ_SEARCH:
606                         tagmask = SLAP_CTRL_SEARCH;
607                         break;
608                 case LDAP_REQ_UNBIND:
609                         tagmask = SLAP_CTRL_UNBIND;
610                         break;
611                 case LDAP_REQ_ABANDON:
612                         tagmask = SLAP_CTRL_ABANDON;
613                         break;
614                 case LDAP_REQ_EXTENDED:
615                         tagmask=~0L;
616                         assert( op->ore_reqoid.bv_val != NULL );
617                         if( sc->sc_extendedopsbv != NULL ) {
618                                 int i;
619                                 for( i=0; !BER_BVISNULL( &sc->sc_extendedopsbv[i] ); i++ ) {
620                                         if( bvmatch( &op->ore_reqoid,
621                                                 &sc->sc_extendedopsbv[i] ) )
622                                         {
623                                                 tagmask=0L;
624                                                 break;
625                                         }
626                                 }
627                         }
628                         break;
629                 default:
630                         *text = "controls internal error";
631                         return LDAP_OTHER;
632                 }
633
634                 if (( sc->sc_mask & tagmask ) == tagmask ) {
635                         /* available extension */
636                         if ( sc->sc_parse ) {
637                                 rc = sc->sc_parse( op, rs, control );
638                                 assert( rc != LDAP_UNAVAILABLE_CRITICAL_EXTENSION );
639
640                         } else if ( control->ldctl_iscritical ) {
641                                 *text = "not yet implemented";
642                                 rc = LDAP_OTHER;
643                         }
644
645
646                 } else if ( control->ldctl_iscritical ) {
647                         /* unavailable CRITICAL control */
648                         *text = "critical extension is unavailable";
649                         rc = LDAP_UNAVAILABLE_CRITICAL_EXTENSION;
650                 }
651
652         } else if ( control->ldctl_iscritical ) {
653                 /* unrecognized CRITICAL control */
654                 *text = "critical extension is not recognized";
655                 rc = LDAP_UNAVAILABLE_CRITICAL_EXTENSION;
656         }
657
658         return rc;
659 }
660
661 int get_ctrls(
662         Operation *op,
663         SlapReply *rs,
664         int sendres )
665 {
666         int nctrls = 0;
667         ber_tag_t tag;
668         ber_len_t len;
669         char *opaque;
670         BerElement *ber = op->o_ber;
671         struct berval bv;
672 #ifdef SLAP_CONTROL_X_WHATFAILED
673         /* NOTE: right now, slapd checks the validity of each control
674          * while parsing.  As a consequence, it can only detect one
675          * cause of failure at a time.  This results in returning
676          * exactly one OID with the whatFailed control, or no control
677          * at all.
678          */
679         char *failed_oid = NULL;
680 #endif
681
682         len = ber_pvt_ber_remaining(ber);
683
684         if( len == 0) {
685                 /* no controls */
686                 rs->sr_err = LDAP_SUCCESS;
687                 return rs->sr_err;
688         }
689
690         if(( tag = ber_peek_tag( ber, &len )) != LDAP_TAG_CONTROLS ) {
691                 if( tag == LBER_ERROR ) {
692                         rs->sr_err = SLAPD_DISCONNECT;
693                         rs->sr_text = "unexpected data in PDU";
694                 }
695
696                 goto return_results;
697         }
698
699         Debug( LDAP_DEBUG_TRACE,
700                 "=> get_ctrls\n", 0, 0, 0 );
701
702         if( op->o_protocol < LDAP_VERSION3 ) {
703                 rs->sr_err = SLAPD_DISCONNECT;
704                 rs->sr_text = "controls require LDAPv3";
705                 goto return_results;
706         }
707
708         /* one for first control, one for termination */
709         op->o_ctrls = op->o_tmpalloc( 2 * sizeof(LDAPControl *), op->o_tmpmemctx );
710
711 #if 0
712         if( op->ctrls == NULL ) {
713                 rs->sr_err = LDAP_NO_MEMORY;
714                 rs->sr_text = "no memory";
715                 goto return_results;
716         }
717 #endif
718
719         op->o_ctrls[nctrls] = NULL;
720
721         /* step through each element */
722         for( tag = ber_first_element( ber, &len, &opaque );
723                 tag != LBER_ERROR;
724                 tag = ber_next_element( ber, &len, opaque ) )
725         {
726                 LDAPControl *c;
727                 LDAPControl **tctrls;
728
729                 c = op->o_tmpalloc( sizeof(LDAPControl), op->o_tmpmemctx );
730                 memset(c, 0, sizeof(LDAPControl));
731
732                 /* allocate pointer space for current controls (nctrls)
733                  * + this control + extra NULL
734                  */
735                 tctrls = op->o_tmprealloc( op->o_ctrls,
736                         (nctrls+2) * sizeof(LDAPControl *), op->o_tmpmemctx );
737
738 #if 0
739                 if( tctrls == NULL ) {
740                         ch_free( c );
741                         ldap_controls_free(op->o_ctrls);
742                         op->o_ctrls = NULL;
743
744                         rs->sr_err = LDAP_NO_MEMORY;
745                         rs->sr_text = "no memory";
746                         goto return_results;
747                 }
748 #endif
749                 op->o_ctrls = tctrls;
750
751                 op->o_ctrls[nctrls++] = c;
752                 op->o_ctrls[nctrls] = NULL;
753
754                 tag = ber_scanf( ber, "{m" /*}*/, &bv );
755                 c->ldctl_oid = bv.bv_val;
756
757                 if( tag == LBER_ERROR ) {
758                         Debug( LDAP_DEBUG_TRACE, "=> get_ctrls: get oid failed.\n",
759                                 0, 0, 0 );
760
761                         slap_free_ctrls( op, op->o_ctrls );
762                         op->o_ctrls = NULL;
763                         rs->sr_err = SLAPD_DISCONNECT;
764                         rs->sr_text = "decoding controls error";
765                         goto return_results;
766
767                 } else if( c->ldctl_oid == NULL ) {
768                         Debug( LDAP_DEBUG_TRACE,
769                                 "get_ctrls: conn %lu got emtpy OID.\n",
770                                 op->o_connid, 0, 0 );
771
772                         slap_free_ctrls( op, op->o_ctrls );
773                         op->o_ctrls = NULL;
774                         rs->sr_err = LDAP_PROTOCOL_ERROR;
775                         rs->sr_text = "OID field is empty";
776                         goto return_results;
777                 }
778
779                 tag = ber_peek_tag( ber, &len );
780
781                 if( tag == LBER_BOOLEAN ) {
782                         ber_int_t crit;
783                         tag = ber_scanf( ber, "b", &crit );
784
785                         if( tag == LBER_ERROR ) {
786                                 Debug( LDAP_DEBUG_TRACE, "=> get_ctrls: get crit failed.\n",
787                                         0, 0, 0 );
788                                 slap_free_ctrls( op, op->o_ctrls );
789                                 op->o_ctrls = NULL;
790                                 rs->sr_err = SLAPD_DISCONNECT;
791                                 rs->sr_text = "decoding controls error";
792                                 goto return_results;
793                         }
794
795                         c->ldctl_iscritical = (crit != 0);
796                         tag = ber_peek_tag( ber, &len );
797                 }
798
799                 if( tag == LBER_OCTETSTRING ) {
800                         tag = ber_scanf( ber, "m", &c->ldctl_value );
801
802                         if( tag == LBER_ERROR ) {
803                                 Debug( LDAP_DEBUG_TRACE, "=> get_ctrls: conn %lu: "
804                                         "%s (%scritical): get value failed.\n",
805                                         op->o_connid, c->ldctl_oid,
806                                         c->ldctl_iscritical ? "" : "non" );
807                                 slap_free_ctrls( op, op->o_ctrls );
808                                 op->o_ctrls = NULL;
809                                 rs->sr_err = SLAPD_DISCONNECT;
810                                 rs->sr_text = "decoding controls error";
811                                 goto return_results;
812                         }
813                 }
814
815                 Debug( LDAP_DEBUG_TRACE,
816                         "=> get_ctrls: oid=\"%s\" (%scritical)\n",
817                         c->ldctl_oid, c->ldctl_iscritical ? "" : "non", 0 );
818
819                 rs->sr_err = slap_parse_ctrl( op, rs, c, &rs->sr_text );
820                 if ( rs->sr_err != LDAP_SUCCESS ) {
821 #ifdef SLAP_CONTROL_X_WHATFAILED
822                         failed_oid = c->ldctl_oid;
823 #endif
824                         goto return_results;
825                 }
826         }
827
828 return_results:
829         Debug( LDAP_DEBUG_TRACE,
830                 "<= get_ctrls: n=%d rc=%d err=\"%s\"\n",
831                 nctrls, rs->sr_err, rs->sr_text ? rs->sr_text : "");
832
833         if( sendres && rs->sr_err != LDAP_SUCCESS ) {
834                 if( rs->sr_err == SLAPD_DISCONNECT ) {
835                         rs->sr_err = LDAP_PROTOCOL_ERROR;
836                         send_ldap_disconnect( op, rs );
837                         rs->sr_err = SLAPD_DISCONNECT;
838                 } else {
839 #ifdef SLAP_CONTROL_X_WHATFAILED
840                         /* might have not been parsed yet? */
841                         if ( failed_oid != NULL ) {
842                                 if ( !get_whatFailed( op ) ) {
843                                         /* look it up */
844
845                                         /* step through each remaining element */
846                                         for ( ; tag != LBER_ERROR; tag = ber_next_element( ber, &len, opaque ) )
847                                         {
848                                                 LDAPControl c = { 0 };
849
850                                                 tag = ber_scanf( ber, "{m" /*}*/, &bv );
851                                                 c.ldctl_oid = bv.bv_val;
852
853                                                 if ( tag == LBER_ERROR ) {
854                                                         slap_free_ctrls( op, op->o_ctrls );
855                                                         op->o_ctrls = NULL;
856                                                         break;
857
858                                                 } else if ( c.ldctl_oid == NULL ) {
859                                                         slap_free_ctrls( op, op->o_ctrls );
860                                                         op->o_ctrls = NULL;
861                                                         break;
862                                                 }
863
864                                                 tag = ber_peek_tag( ber, &len );
865                                                 if ( tag == LBER_BOOLEAN ) {
866                                                         ber_int_t crit;
867                                                         tag = ber_scanf( ber, "b", &crit );
868                                                         if( tag == LBER_ERROR ) {
869                                                                 slap_free_ctrls( op, op->o_ctrls );
870                                                                 op->o_ctrls = NULL;
871                                                                 break;
872                                                         }
873
874                                                         tag = ber_peek_tag( ber, &len );
875                                                 }
876
877                                                 if ( tag == LBER_OCTETSTRING ) {
878                                                         tag = ber_scanf( ber, "m", &c.ldctl_value );
879
880                                                         if( tag == LBER_ERROR ) {
881                                                                 slap_free_ctrls( op, op->o_ctrls );
882                                                                 op->o_ctrls = NULL;
883                                                                 break;
884                                                         }
885                                                 }
886
887                                                 if ( strcmp( c.ldctl_oid, LDAP_CONTROL_X_WHATFAILED ) == 0 ) {
888                                                         const char *text;
889                                                         slap_parse_ctrl( op, rs, &c, &text );
890                                                         break;
891                                                 }
892                                         }
893                                 }
894
895                                 if ( get_whatFailed( op ) ) {
896                                         char *oids[ 2 ];
897                                         oids[ 0 ] = failed_oid;
898                                         oids[ 1 ] = NULL;
899                                         slap_ctrl_whatFailed_add( op, rs, oids );
900                                 }
901                         }
902 #endif
903
904                         send_ldap_result( op, rs );
905                 }
906         }
907
908         return rs->sr_err;
909 }
910
911 int
912 slap_remove_control(
913         Operation       *op,
914         SlapReply       *rs,
915         int             ctrl,
916         BI_chk_controls fnc )
917 {
918         int             i, j;
919
920         switch ( op->o_ctrlflag[ ctrl ] ) {
921         case SLAP_CONTROL_NONCRITICAL:
922                 for ( i = 0, j = -1; op->o_ctrls[ i ] != NULL; i++ ) {
923                         if ( strcmp( op->o_ctrls[ i ]->ldctl_oid,
924                                 slap_known_controls[ ctrl - 1 ] ) == 0 )
925                         {
926                                 j = i;
927                         }
928                 }
929
930                 if ( j == -1 ) {
931                         rs->sr_err = LDAP_OTHER;
932                         break;
933                 }
934
935                 if ( fnc ) {
936                         (void)fnc( op, rs );
937                 }
938
939                 op->o_tmpfree( op->o_ctrls[ j ], op->o_tmpmemctx );
940
941                 if ( i > 1 ) {
942                         AC_MEMCPY( &op->o_ctrls[ j ], &op->o_ctrls[ j + 1 ],
943                                 ( i - j ) * sizeof( LDAPControl * ) );
944
945                 } else {
946                         op->o_tmpfree( op->o_ctrls, op->o_tmpmemctx );
947                         op->o_ctrls = NULL;
948                 }
949
950                 op->o_ctrlflag[ ctrl ] = SLAP_CONTROL_IGNORED;
951
952                 Debug( LDAP_DEBUG_ANY, "%s: "
953                         "non-critical control \"%s\" not supported; stripped.\n",
954                         op->o_log_prefix, slap_known_controls[ ctrl ], 0 );
955                 /* fall thru */
956
957         case SLAP_CONTROL_IGNORED:
958         case SLAP_CONTROL_NONE:
959                 rs->sr_err = SLAP_CB_CONTINUE;
960                 break;
961
962         case SLAP_CONTROL_CRITICAL:
963                 rs->sr_err = LDAP_UNAVAILABLE_CRITICAL_EXTENSION;
964                 if ( fnc ) {
965                         (void)fnc( op, rs );
966                 }
967                 Debug( LDAP_DEBUG_ANY, "%s: "
968                         "critical control \"%s\" not supported.\n",
969                         op->o_log_prefix, slap_known_controls[ ctrl ], 0 );
970                 break;
971
972         default:
973                 /* handle all cases! */
974                 assert( 0 );
975         }
976
977         return rs->sr_err;
978 }
979
980 static int parseDontUseCopy (
981         Operation *op,
982         SlapReply *rs,
983         LDAPControl *ctrl )
984 {
985         if ( op->o_dontUseCopy != SLAP_CONTROL_NONE ) {
986                 rs->sr_text = "dontUseCopy control specified multiple times";
987                 return LDAP_PROTOCOL_ERROR;
988         }
989
990         if ( !BER_BVISNULL( &ctrl->ldctl_value )) {
991                 rs->sr_text = "dontUseCopy control value not absent";
992                 return LDAP_PROTOCOL_ERROR;
993         }
994
995         if ( ( global_disallows & SLAP_DISALLOW_DONTUSECOPY_N_CRIT )
996                 && !ctrl->ldctl_iscritical )
997         {
998                 rs->sr_text = "dontUseCopy criticality of FALSE not allowed";
999                 return LDAP_PROTOCOL_ERROR;
1000         }
1001
1002         op->o_dontUseCopy = ctrl->ldctl_iscritical
1003                 ? SLAP_CONTROL_CRITICAL
1004                 : SLAP_CONTROL_NONCRITICAL;
1005
1006         return LDAP_SUCCESS;
1007 }
1008
1009 static int parseRelax (
1010         Operation *op,
1011         SlapReply *rs,
1012         LDAPControl *ctrl )
1013 {
1014         if ( op->o_relax != SLAP_CONTROL_NONE ) {
1015                 rs->sr_text = "relax control specified multiple times";
1016                 return LDAP_PROTOCOL_ERROR;
1017         }
1018
1019         if ( !BER_BVISNULL( &ctrl->ldctl_value )) {
1020                 rs->sr_text = "relax control value not absent";
1021                 return LDAP_PROTOCOL_ERROR;
1022         }
1023
1024         op->o_relax = ctrl->ldctl_iscritical
1025                 ? SLAP_CONTROL_CRITICAL
1026                 : SLAP_CONTROL_NONCRITICAL;
1027
1028         return LDAP_SUCCESS;
1029 }
1030
1031 static int parseManageDSAit (
1032         Operation *op,
1033         SlapReply *rs,
1034         LDAPControl *ctrl )
1035 {
1036         if ( op->o_managedsait != SLAP_CONTROL_NONE ) {
1037                 rs->sr_text = "manageDSAit control specified multiple times";
1038                 return LDAP_PROTOCOL_ERROR;
1039         }
1040
1041         if ( !BER_BVISNULL( &ctrl->ldctl_value )) {
1042                 rs->sr_text = "manageDSAit control value not absent";
1043                 return LDAP_PROTOCOL_ERROR;
1044         }
1045
1046         op->o_managedsait = ctrl->ldctl_iscritical
1047                 ? SLAP_CONTROL_CRITICAL
1048                 : SLAP_CONTROL_NONCRITICAL;
1049
1050         return LDAP_SUCCESS;
1051 }
1052
1053 static int parseProxyAuthz (
1054         Operation *op,
1055         SlapReply *rs,
1056         LDAPControl *ctrl )
1057 {
1058         int             rc;
1059         struct berval   dn = BER_BVNULL;
1060
1061         if ( op->o_proxy_authz != SLAP_CONTROL_NONE ) {
1062                 rs->sr_text = "proxy authorization control specified multiple times";
1063                 return LDAP_PROTOCOL_ERROR;
1064         }
1065
1066         if ( BER_BVISNULL( &ctrl->ldctl_value )) {
1067                 rs->sr_text = "proxy authorization control value absent";
1068                 return LDAP_PROTOCOL_ERROR;
1069         }
1070
1071         if ( ( global_disallows & SLAP_DISALLOW_PROXY_AUTHZ_N_CRIT )
1072                 && !ctrl->ldctl_iscritical )
1073         {
1074                 rs->sr_text = "proxied authorization criticality of FALSE not allowed";
1075                 return LDAP_PROTOCOL_ERROR;
1076         }
1077
1078         if ( !( global_allows & SLAP_ALLOW_PROXY_AUTHZ_ANON )
1079                 && BER_BVISEMPTY( &op->o_ndn ) )
1080         {
1081                 rs->sr_text = "anonymous proxied authorization not allowed";
1082                 return LDAP_PROXIED_AUTHORIZATION_DENIED;
1083         }
1084
1085         op->o_proxy_authz = ctrl->ldctl_iscritical
1086                 ? SLAP_CONTROL_CRITICAL
1087                 : SLAP_CONTROL_NONCRITICAL;
1088
1089         Debug( LDAP_DEBUG_ARGS,
1090                 "parseProxyAuthz: conn %lu authzid=\"%s\"\n", 
1091                 op->o_connid,
1092                 ctrl->ldctl_value.bv_len ?  ctrl->ldctl_value.bv_val : "anonymous",
1093                 0 );
1094
1095         if ( BER_BVISEMPTY( &ctrl->ldctl_value )) {
1096                 Debug( LDAP_DEBUG_TRACE,
1097                         "parseProxyAuthz: conn=%lu anonymous\n", 
1098                         op->o_connid, 0, 0 );
1099
1100                 /* anonymous */
1101                 if ( !BER_BVISNULL( &op->o_ndn ) ) {
1102                         op->o_ndn.bv_val[ 0 ] = '\0';
1103                 }
1104                 op->o_ndn.bv_len = 0;
1105
1106                 if ( !BER_BVISNULL( &op->o_dn ) ) {
1107                         op->o_dn.bv_val[ 0 ] = '\0';
1108                 }
1109                 op->o_dn.bv_len = 0;
1110
1111                 return LDAP_SUCCESS;
1112         }
1113
1114         rc = slap_sasl_getdn( op->o_conn, op, &ctrl->ldctl_value,
1115                         NULL, &dn, SLAP_GETDN_AUTHZID );
1116
1117         /* FIXME: empty DN in proxyAuthz control should be legal... */
1118         if( rc != LDAP_SUCCESS /* || !dn.bv_len */ ) {
1119                 if ( dn.bv_val ) {
1120                         ch_free( dn.bv_val );
1121                 }
1122                 rs->sr_text = "authzId mapping failed";
1123                 return LDAP_PROXIED_AUTHORIZATION_DENIED;
1124         }
1125
1126         Debug( LDAP_DEBUG_TRACE,
1127                 "parseProxyAuthz: conn=%lu \"%s\"\n", 
1128                 op->o_connid,
1129                 dn.bv_len ? dn.bv_val : "(NULL)", 0 );
1130
1131         rc = slap_sasl_authorized( op, &op->o_ndn, &dn );
1132
1133         if ( rc ) {
1134                 ch_free( dn.bv_val );
1135                 rs->sr_text = "not authorized to assume identity";
1136                 return LDAP_PROXIED_AUTHORIZATION_DENIED;
1137         }
1138
1139         ch_free( op->o_ndn.bv_val );
1140         ch_free( op->o_dn.bv_val );
1141
1142         /*
1143          * NOTE: since slap_sasl_getdn() returns a normalized dn,
1144          * from now on op->o_dn is normalized
1145          */
1146         op->o_ndn = dn;
1147         ber_dupbv( &op->o_dn, &dn );
1148
1149         Statslog( LDAP_DEBUG_STATS, "%s PROXYAUTHZ dn=\"%s\"\n",
1150             op->o_log_prefix, dn.bv_val, 0, 0, 0 );
1151
1152         return LDAP_SUCCESS;
1153 }
1154
1155 static int parseNoOp (
1156         Operation *op,
1157         SlapReply *rs,
1158         LDAPControl *ctrl )
1159 {
1160         if ( op->o_noop != SLAP_CONTROL_NONE ) {
1161                 rs->sr_text = "noop control specified multiple times";
1162                 return LDAP_PROTOCOL_ERROR;
1163         }
1164
1165         if ( !BER_BVISNULL( &ctrl->ldctl_value ) ) {
1166                 rs->sr_text = "noop control value not empty";
1167                 return LDAP_PROTOCOL_ERROR;
1168         }
1169
1170         op->o_noop = ctrl->ldctl_iscritical
1171                 ? SLAP_CONTROL_CRITICAL
1172                 : SLAP_CONTROL_NONCRITICAL;
1173
1174         return LDAP_SUCCESS;
1175 }
1176
1177 static int parsePagedResults (
1178         Operation *op,
1179         SlapReply *rs,
1180         LDAPControl *ctrl )
1181 {
1182         BerElementBuffer berbuf;
1183         BerElement      *ber = (BerElement *)&berbuf;
1184         struct berval   cookie;
1185         PagedResultsState       *ps;
1186         int             rc = LDAP_SUCCESS;
1187         ber_tag_t       tag;
1188         ber_int_t       size;
1189
1190         if ( op->o_pagedresults != SLAP_CONTROL_NONE ) {
1191                 rs->sr_text = "paged results control specified multiple times";
1192                 return LDAP_PROTOCOL_ERROR;
1193         }
1194
1195         if ( BER_BVISNULL( &ctrl->ldctl_value ) ) {
1196                 rs->sr_text = "paged results control value is absent";
1197                 return LDAP_PROTOCOL_ERROR;
1198         }
1199
1200         if ( BER_BVISEMPTY( &ctrl->ldctl_value ) ) {
1201                 rs->sr_text = "paged results control value is empty";
1202                 return LDAP_PROTOCOL_ERROR;
1203         }
1204
1205         /* Parse the control value
1206          *      realSearchControlValue ::= SEQUENCE {
1207          *              size    INTEGER (0..maxInt),
1208          *                              -- requested page size from client
1209          *                              -- result set size estimate from server
1210          *              cookie  OCTET STRING
1211          * }
1212          */
1213         ber_init2( ber, &ctrl->ldctl_value, LBER_USE_DER );
1214
1215         tag = ber_scanf( ber, "{im}", &size, &cookie );
1216
1217         if ( tag == LBER_ERROR ) {
1218                 rs->sr_text = "paged results control could not be decoded";
1219                 rc = LDAP_PROTOCOL_ERROR;
1220                 goto done;
1221         }
1222
1223         if ( size < 0 ) {
1224                 rs->sr_text = "paged results control size invalid";
1225                 rc = LDAP_PROTOCOL_ERROR;
1226                 goto done;
1227         }
1228
1229         ps = op->o_tmpalloc( sizeof(PagedResultsState), op->o_tmpmemctx );
1230         *ps = op->o_conn->c_pagedresults_state;
1231         ps->ps_size = size;
1232         ps->ps_cookieval = cookie;
1233         op->o_pagedresults_state = ps;
1234         if ( !cookie.bv_len ) {
1235                 ps->ps_count = 0;
1236                 ps->ps_cookie = 0;
1237         }
1238
1239         /* NOTE: according to RFC 2696 3.:
1240
1241     If the page size is greater than or equal to the sizeLimit value, the
1242     server should ignore the control as the request can be satisfied in a
1243     single page.
1244
1245          * NOTE: this assumes that the op->ors_slimit be set
1246          * before the controls are parsed.     
1247          */
1248
1249         if ( op->ors_slimit > 0 && size >= op->ors_slimit ) {
1250                 op->o_pagedresults = SLAP_CONTROL_IGNORED;
1251
1252         } else if ( ctrl->ldctl_iscritical ) {
1253                 op->o_pagedresults = SLAP_CONTROL_CRITICAL;
1254
1255         } else {
1256                 op->o_pagedresults = SLAP_CONTROL_NONCRITICAL;
1257         }
1258
1259 done:;
1260         return rc;
1261 }
1262
1263 #ifdef SLAP_CONTROL_X_SORTEDRESULTS
1264 static int parseSortedResults (
1265         Operation *op,
1266         SlapReply *rs,
1267         LDAPControl *ctrl )
1268 {
1269         int             rc = LDAP_SUCCESS;
1270
1271         if ( op->o_sortedresults != SLAP_CONTROL_NONE ) {
1272                 rs->sr_text = "sorted results control specified multiple times";
1273                 return LDAP_PROTOCOL_ERROR;
1274         }
1275
1276         if ( BER_BVISNULL( &ctrl->ldctl_value ) ) {
1277                 rs->sr_text = "sorted results control value is absent";
1278                 return LDAP_PROTOCOL_ERROR;
1279         }
1280
1281         if ( BER_BVISEMPTY( &ctrl->ldctl_value ) ) {
1282                 rs->sr_text = "sorted results control value is empty";
1283                 return LDAP_PROTOCOL_ERROR;
1284         }
1285
1286         /* blow off parsing the value */
1287
1288         op->o_sortedresults = ctrl->ldctl_iscritical
1289                 ? SLAP_CONTROL_CRITICAL
1290                 : SLAP_CONTROL_NONCRITICAL;
1291
1292         return rc;
1293 }
1294 #endif
1295
1296 static int parseAssert (
1297         Operation *op,
1298         SlapReply *rs,
1299         LDAPControl *ctrl )
1300 {
1301         BerElement      *ber;
1302         struct berval   fstr = BER_BVNULL;
1303
1304         if ( op->o_assert != SLAP_CONTROL_NONE ) {
1305                 rs->sr_text = "assert control specified multiple times";
1306                 return LDAP_PROTOCOL_ERROR;
1307         }
1308
1309         if ( BER_BVISNULL( &ctrl->ldctl_value )) {
1310                 rs->sr_text = "assert control value is absent";
1311                 return LDAP_PROTOCOL_ERROR;
1312         }
1313
1314         if ( BER_BVISEMPTY( &ctrl->ldctl_value )) {
1315                 rs->sr_text = "assert control value is empty";
1316                 return LDAP_PROTOCOL_ERROR;
1317         }
1318
1319         ber = ber_init( &(ctrl->ldctl_value) );
1320         if (ber == NULL) {
1321                 rs->sr_text = "assert control: internal error";
1322                 return LDAP_OTHER;
1323         }
1324
1325         rs->sr_err = get_filter( op, ber, (Filter **)&(op->o_assertion),
1326                 &rs->sr_text);
1327         (void) ber_free( ber, 1 );
1328         if( rs->sr_err != LDAP_SUCCESS ) {
1329                 if( rs->sr_err == SLAPD_DISCONNECT ) {
1330                         rs->sr_err = LDAP_PROTOCOL_ERROR;
1331                         send_ldap_disconnect( op, rs );
1332                         rs->sr_err = SLAPD_DISCONNECT;
1333                 } else {
1334                         send_ldap_result( op, rs );
1335                 }
1336                 if( op->o_assertion != NULL ) {
1337                         filter_free_x( op, op->o_assertion, 1 );
1338                 }
1339                 return rs->sr_err;
1340         }
1341
1342 #ifdef LDAP_DEBUG
1343         filter2bv_x( op, op->o_assertion, &fstr );
1344
1345         Debug( LDAP_DEBUG_ARGS, "parseAssert: conn %ld assert: %s\n",
1346                 op->o_connid, fstr.bv_len ? fstr.bv_val : "empty" , 0 );
1347         op->o_tmpfree( fstr.bv_val, op->o_tmpmemctx );
1348 #endif
1349
1350         op->o_assert = ctrl->ldctl_iscritical
1351                 ? SLAP_CONTROL_CRITICAL
1352                 : SLAP_CONTROL_NONCRITICAL;
1353
1354         rs->sr_err = LDAP_SUCCESS;
1355         return LDAP_SUCCESS;
1356 }
1357
1358 #define READMSG(post, msg) \
1359         ( post ? "postread control: " msg : "preread control: " msg )
1360
1361 static int
1362 parseReadAttrs(
1363         Operation *op,
1364         SlapReply *rs,
1365         LDAPControl *ctrl,
1366         int post )
1367 {
1368         ber_len_t       siz, off, i;
1369         BerElement      *ber;
1370         AttributeName   *an = NULL;
1371
1372         if ( ( post && op->o_postread != SLAP_CONTROL_NONE ) ||
1373                 ( !post && op->o_preread != SLAP_CONTROL_NONE ) )
1374         {
1375                 rs->sr_text = READMSG( post, "specified multiple times" );
1376                 return LDAP_PROTOCOL_ERROR;
1377         }
1378
1379         if ( BER_BVISNULL( &ctrl->ldctl_value ) ) {
1380                 rs->sr_text = READMSG( post, "value is absent" );
1381                 return LDAP_PROTOCOL_ERROR;
1382         }
1383
1384         if ( BER_BVISEMPTY( &ctrl->ldctl_value ) ) {
1385                 rs->sr_text = READMSG( post, "value is empty" );
1386                 return LDAP_PROTOCOL_ERROR;
1387         }
1388
1389 #ifdef LDAP_X_TXN
1390         if ( op->o_txnSpec ) { /* temporary limitation */
1391                 rs->sr_text = READMSG( post, "cannot perform in transaction" );
1392                 return LDAP_UNWILLING_TO_PERFORM;
1393         }
1394 #endif
1395
1396         ber = ber_init( &ctrl->ldctl_value );
1397         if ( ber == NULL ) {
1398                 rs->sr_text = READMSG( post, "internal error" );
1399                 return LDAP_OTHER;
1400         }
1401
1402         rs->sr_err = LDAP_SUCCESS;
1403         siz = sizeof( AttributeName );
1404         off = offsetof( AttributeName, an_name );
1405         if ( ber_scanf( ber, "{M}", &an, &siz, off ) == LBER_ERROR ) {
1406                 rs->sr_text = READMSG( post, "decoding error" );
1407                 rs->sr_err = LDAP_PROTOCOL_ERROR;
1408                 goto done;
1409         }
1410
1411         for ( i = 0; i < siz; i++ ) {
1412                 const char      *dummy = NULL;
1413                 int             rc;
1414
1415                 an[i].an_desc = NULL;
1416                 an[i].an_oc = NULL;
1417                 an[i].an_flags = 0;
1418                 rc = slap_bv2ad( &an[i].an_name, &an[i].an_desc, &dummy );
1419                 if ( rc == LDAP_SUCCESS ) {
1420                         an[i].an_name = an[i].an_desc->ad_cname;
1421
1422                 } else {
1423                         int                     j;
1424                         static struct berval    special_attrs[] = {
1425                                 BER_BVC( LDAP_NO_ATTRS ),
1426                                 BER_BVC( LDAP_ALL_USER_ATTRIBUTES ),
1427                                 BER_BVC( LDAP_ALL_OPERATIONAL_ATTRIBUTES ),
1428                                 BER_BVNULL
1429                         };
1430
1431                         /* deal with special attribute types */
1432                         for ( j = 0; !BER_BVISNULL( &special_attrs[ j ] ); j++ ) {
1433                                 if ( bvmatch( &an[i].an_name, &special_attrs[ j ] ) ) {
1434                                         an[i].an_name = special_attrs[ j ];
1435                                         break;
1436                                 }
1437                         }
1438
1439                         if ( BER_BVISNULL( &special_attrs[ j ] ) && ctrl->ldctl_iscritical ) {
1440                                 rs->sr_err = rc;
1441                                 rs->sr_text = dummy ? dummy
1442                                         : READMSG( post, "unknown attributeType" );
1443                                 goto done;
1444                         }
1445                 }
1446         }
1447
1448         if ( post ) {
1449                 op->o_postread_attrs = an;
1450                 op->o_postread = ctrl->ldctl_iscritical
1451                         ? SLAP_CONTROL_CRITICAL
1452                         : SLAP_CONTROL_NONCRITICAL;
1453         } else {
1454                 op->o_preread_attrs = an;
1455                 op->o_preread = ctrl->ldctl_iscritical
1456                         ? SLAP_CONTROL_CRITICAL
1457                         : SLAP_CONTROL_NONCRITICAL;
1458         }
1459
1460 done:
1461         (void) ber_free( ber, 1 );
1462         return rs->sr_err;
1463 }
1464
1465 static int parsePreRead (
1466         Operation *op,
1467         SlapReply *rs,
1468         LDAPControl *ctrl )
1469 {
1470         return parseReadAttrs( op, rs, ctrl, 0 );
1471 }
1472
1473 static int parsePostRead (
1474         Operation *op,
1475         SlapReply *rs,
1476         LDAPControl *ctrl )
1477 {
1478         return parseReadAttrs( op, rs, ctrl, 1 );
1479 }
1480
1481 static int parseValuesReturnFilter (
1482         Operation *op,
1483         SlapReply *rs,
1484         LDAPControl *ctrl )
1485 {
1486         BerElement      *ber;
1487         struct berval   fstr = BER_BVNULL;
1488
1489         if ( op->o_valuesreturnfilter != SLAP_CONTROL_NONE ) {
1490                 rs->sr_text = "valuesReturnFilter control specified multiple times";
1491                 return LDAP_PROTOCOL_ERROR;
1492         }
1493
1494         if ( BER_BVISNULL( &ctrl->ldctl_value )) {
1495                 rs->sr_text = "valuesReturnFilter control value is absent";
1496                 return LDAP_PROTOCOL_ERROR;
1497         }
1498
1499         if ( BER_BVISEMPTY( &ctrl->ldctl_value )) {
1500                 rs->sr_text = "valuesReturnFilter control value is empty";
1501                 return LDAP_PROTOCOL_ERROR;
1502         }
1503
1504         ber = ber_init( &(ctrl->ldctl_value) );
1505         if (ber == NULL) {
1506                 rs->sr_text = "internal error";
1507                 return LDAP_OTHER;
1508         }
1509
1510         rs->sr_err = get_vrFilter( op, ber,
1511                 (ValuesReturnFilter **)&(op->o_vrFilter), &rs->sr_text);
1512
1513         (void) ber_free( ber, 1 );
1514
1515         if( rs->sr_err != LDAP_SUCCESS ) {
1516                 if( rs->sr_err == SLAPD_DISCONNECT ) {
1517                         rs->sr_err = LDAP_PROTOCOL_ERROR;
1518                         send_ldap_disconnect( op, rs );
1519                         rs->sr_err = SLAPD_DISCONNECT;
1520                 } else {
1521                         send_ldap_result( op, rs );
1522                 }
1523                 if( op->o_vrFilter != NULL) vrFilter_free( op, op->o_vrFilter ); 
1524         }
1525 #ifdef LDAP_DEBUG
1526         else {
1527                 vrFilter2bv( op, op->o_vrFilter, &fstr );
1528         }
1529
1530         Debug( LDAP_DEBUG_ARGS, "       vrFilter: %s\n",
1531                 fstr.bv_len ? fstr.bv_val : "empty", 0, 0 );
1532         op->o_tmpfree( fstr.bv_val, op->o_tmpmemctx );
1533 #endif
1534
1535         op->o_valuesreturnfilter = ctrl->ldctl_iscritical
1536                 ? SLAP_CONTROL_CRITICAL
1537                 : SLAP_CONTROL_NONCRITICAL;
1538
1539         rs->sr_err = LDAP_SUCCESS;
1540         return LDAP_SUCCESS;
1541 }
1542
1543 static int parseSubentries (
1544         Operation *op,
1545         SlapReply *rs,
1546         LDAPControl *ctrl )
1547 {
1548         if ( op->o_subentries != SLAP_CONTROL_NONE ) {
1549                 rs->sr_text = "subentries control specified multiple times";
1550                 return LDAP_PROTOCOL_ERROR;
1551         }
1552
1553         /* FIXME: should use BER library */
1554         if( ( ctrl->ldctl_value.bv_len != 3 )
1555                 || ( ctrl->ldctl_value.bv_val[0] != 0x01 )
1556                 || ( ctrl->ldctl_value.bv_val[1] != 0x01 ))
1557         {
1558                 rs->sr_text = "subentries control value encoding is bogus";
1559                 return LDAP_PROTOCOL_ERROR;
1560         }
1561
1562         op->o_subentries = ctrl->ldctl_iscritical
1563                 ? SLAP_CONTROL_CRITICAL
1564                 : SLAP_CONTROL_NONCRITICAL;
1565
1566         if (ctrl->ldctl_value.bv_val[2]) {
1567                 set_subentries_visibility( op );
1568         }
1569
1570         return LDAP_SUCCESS;
1571 }
1572
1573 static int parsePermissiveModify (
1574         Operation *op,
1575         SlapReply *rs,
1576         LDAPControl *ctrl )
1577 {
1578         if ( op->o_permissive_modify != SLAP_CONTROL_NONE ) {
1579                 rs->sr_text = "permissiveModify control specified multiple times";
1580                 return LDAP_PROTOCOL_ERROR;
1581         }
1582
1583         if ( BER_BVISNULL( &ctrl->ldctl_value )) {
1584                 rs->sr_text = "permissiveModify control value not absent";
1585                 return LDAP_PROTOCOL_ERROR;
1586         }
1587
1588         op->o_permissive_modify = ctrl->ldctl_iscritical
1589                 ? SLAP_CONTROL_CRITICAL
1590                 : SLAP_CONTROL_NONCRITICAL;
1591
1592         return LDAP_SUCCESS;
1593 }
1594
1595 static int parseDomainScope (
1596         Operation *op,
1597         SlapReply *rs,
1598         LDAPControl *ctrl )
1599 {
1600         if ( op->o_domain_scope != SLAP_CONTROL_NONE ) {
1601                 rs->sr_text = "domainScope control specified multiple times";
1602                 return LDAP_PROTOCOL_ERROR;
1603         }
1604
1605         if ( BER_BVISNULL( &ctrl->ldctl_value )) {
1606                 rs->sr_text = "domainScope control value not empty";
1607                 return LDAP_PROTOCOL_ERROR;
1608         }
1609
1610         op->o_domain_scope = ctrl->ldctl_iscritical
1611                 ? SLAP_CONTROL_CRITICAL
1612                 : SLAP_CONTROL_NONCRITICAL;
1613
1614         return LDAP_SUCCESS;
1615 }
1616
1617 #ifdef SLAP_CONTROL_X_TREE_DELETE
1618 static int parseTreeDelete (
1619         Operation *op,
1620         SlapReply *rs,
1621         LDAPControl *ctrl )
1622 {
1623         if ( op->o_tree_delete != SLAP_CONTROL_NONE ) {
1624                 rs->sr_text = "treeDelete control specified multiple times";
1625                 return LDAP_PROTOCOL_ERROR;
1626         }
1627
1628         if ( !BER_BVISNULL( &ctrl->ldctl_value )) {
1629                 rs->sr_text = "treeDelete control value not absent";
1630                 return LDAP_PROTOCOL_ERROR;
1631         }
1632
1633         op->o_tree_delete = ctrl->ldctl_iscritical
1634                 ? SLAP_CONTROL_CRITICAL
1635                 : SLAP_CONTROL_NONCRITICAL;
1636
1637         return LDAP_SUCCESS;
1638 }
1639 #endif
1640
1641 static int parseSearchOptions (
1642         Operation *op,
1643         SlapReply *rs,
1644         LDAPControl *ctrl )
1645 {
1646         BerElement *ber;
1647         ber_int_t search_flags;
1648         ber_tag_t tag;
1649
1650         if ( BER_BVISNULL( &ctrl->ldctl_value )) {
1651                 rs->sr_text = "searchOptions control value is absent";
1652                 return LDAP_PROTOCOL_ERROR;
1653         }
1654
1655         if ( BER_BVISEMPTY( &ctrl->ldctl_value )) {
1656                 rs->sr_text = "searchOptions control value is empty";
1657                 return LDAP_PROTOCOL_ERROR;
1658         }
1659
1660         ber = ber_init( &ctrl->ldctl_value );
1661         if( ber == NULL ) {
1662                 rs->sr_text = "internal error";
1663                 return LDAP_OTHER;
1664         }
1665
1666         tag = ber_scanf( ber, "{i}", &search_flags );
1667         (void) ber_free( ber, 1 );
1668
1669         if ( tag == LBER_ERROR ) {
1670                 rs->sr_text = "searchOptions control decoding error";
1671                 return LDAP_PROTOCOL_ERROR;
1672         }
1673
1674         if ( search_flags & LDAP_SEARCH_FLAG_DOMAIN_SCOPE ) {
1675                 if ( op->o_domain_scope != SLAP_CONTROL_NONE ) {
1676                         rs->sr_text = "searchOptions control specified multiple times "
1677                                 "or with domainScope control";
1678                         return LDAP_PROTOCOL_ERROR;
1679                 }
1680
1681                 op->o_domain_scope = ctrl->ldctl_iscritical
1682                         ? SLAP_CONTROL_CRITICAL
1683                         : SLAP_CONTROL_NONCRITICAL;
1684         }
1685
1686         if ( search_flags & ~(LDAP_SEARCH_FLAG_DOMAIN_SCOPE) ) {
1687                 /* Other search flags not recognised so far,
1688                  * including:
1689                  *              LDAP_SEARCH_FLAG_PHANTOM_ROOM
1690                  */
1691                 rs->sr_text = "searchOptions contained unrecognized flag";
1692                 return LDAP_UNWILLING_TO_PERFORM;
1693         }
1694
1695         return LDAP_SUCCESS;
1696 }
1697
1698 #ifdef SLAP_CONTROL_X_SESSION_TRACKING
1699 struct berval session_tracking_formats[] = {
1700         BER_BVC( LDAP_CONTROL_X_SESSION_TRACKING_RADIUS_ACCT_SESSION_ID ),
1701                 BER_BVC( "RADIUS-Acct-Session-Id" ),
1702         BER_BVC( LDAP_CONTROL_X_SESSION_TRACKING_RADIUS_ACCT_MULTI_SESSION_ID ),
1703                 BER_BVC( "RADIUS-Acct-Multi-Session-Id" ),
1704         BER_BVC( LDAP_CONTROL_X_SESSION_TRACKING_USERNAME ),
1705                 BER_BVC( "USERNAME" ),
1706
1707         BER_BVNULL
1708 };
1709
1710 static int parseSessionTracking(
1711         Operation *op,
1712         SlapReply *rs,
1713         LDAPControl *ctrl )
1714 {
1715         BerElement              *ber;
1716         ber_tag_t               tag;
1717         ber_len_t               len;
1718         int                     i, rc;
1719
1720         struct berval           sessionSourceIp = BER_BVNULL,
1721                                 sessionSourceName = BER_BVNULL,
1722                                 formatOID = BER_BVNULL,
1723                                 sessionTrackingIdentifier = BER_BVNULL;
1724
1725         size_t                  st_len, st_pos;
1726
1727         if ( ctrl->ldctl_iscritical ) {
1728                 rs->sr_text = "sessionTracking criticality is TRUE";
1729                 return LDAP_PROTOCOL_ERROR;
1730         }
1731
1732         if ( BER_BVISNULL( &ctrl->ldctl_value ) ) {
1733                 rs->sr_text = "sessionTracking control value is absent";
1734                 return LDAP_PROTOCOL_ERROR;
1735         }
1736
1737         if ( BER_BVISEMPTY( &ctrl->ldctl_value ) ) {
1738                 rs->sr_text = "sessionTracking control value is empty";
1739                 return LDAP_PROTOCOL_ERROR;
1740         }
1741
1742         /* TODO: add the capability to determine if a client is allowed
1743          * to use this control, based on identity, ip and so */
1744
1745         ber = ber_init( &ctrl->ldctl_value );
1746         if ( ber == NULL ) {
1747                 rs->sr_text = "internal error";
1748                 return LDAP_OTHER;
1749         }
1750
1751         tag = ber_skip_tag( ber, &len );
1752         if ( tag != LBER_SEQUENCE ) {
1753                 tag = LBER_ERROR;
1754                 goto error;
1755         }
1756
1757         /* sessionSourceIp */
1758         tag = ber_peek_tag( ber, &len );
1759         if ( tag == LBER_DEFAULT ) {
1760                 tag = LBER_ERROR;
1761                 goto error;
1762         }
1763
1764         if ( len == 0 ) {
1765                 tag = ber_skip_tag( ber, &len );
1766
1767         } else if ( len > 128 ) {
1768                 rs->sr_text = "sessionTracking.sessionSourceIp too long";
1769                 rs->sr_err = LDAP_PROTOCOL_ERROR;
1770                 goto error;
1771
1772         } else {
1773                 tag = ber_scanf( ber, "m", &sessionSourceIp );
1774         }
1775
1776         if ( ldif_is_not_printable( sessionSourceIp.bv_val, sessionSourceIp.bv_len ) ) {
1777                 BER_BVZERO( &sessionSourceIp );
1778         }
1779
1780         /* sessionSourceName */
1781         tag = ber_peek_tag( ber, &len );
1782         if ( tag == LBER_DEFAULT ) {
1783                 tag = LBER_ERROR;
1784                 goto error;
1785         }
1786
1787         if ( len == 0 ) {
1788                 tag = ber_skip_tag( ber, &len );
1789
1790         } else if ( len > 65536 ) {
1791                 rs->sr_text = "sessionTracking.sessionSourceName too long";
1792                 rs->sr_err = LDAP_PROTOCOL_ERROR;
1793                 goto error;
1794
1795         } else {
1796                 tag = ber_scanf( ber, "m", &sessionSourceName );
1797         }
1798
1799         if ( ldif_is_not_printable( sessionSourceName.bv_val, sessionSourceName.bv_len ) ) {
1800                 BER_BVZERO( &sessionSourceName );
1801         }
1802
1803         /* formatOID */
1804         tag = ber_peek_tag( ber, &len );
1805         if ( tag == LBER_DEFAULT ) {
1806                 tag = LBER_ERROR;
1807                 goto error;
1808         }
1809
1810         if ( len == 0 ) {
1811                 rs->sr_text = "sessionTracking.formatOID empty";
1812                 rs->sr_err = LDAP_PROTOCOL_ERROR;
1813                 goto error;
1814
1815         } else if ( len > 1024 ) {
1816                 rs->sr_text = "sessionTracking.formatOID too long";
1817                 rs->sr_err = LDAP_PROTOCOL_ERROR;
1818                 goto error;
1819
1820         } else {
1821                 tag = ber_scanf( ber, "m", &formatOID );
1822         }
1823
1824         rc = numericoidValidate( NULL, &formatOID );
1825         if ( rc != LDAP_SUCCESS ) {
1826                 rs->sr_text = "sessionTracking.formatOID invalid";
1827                 goto error;
1828         }
1829
1830         for ( i = 0; !BER_BVISNULL( &session_tracking_formats[ i ] ); i += 2 )
1831         {
1832                 if ( bvmatch( &formatOID, &session_tracking_formats[ i ] ) ) {
1833                         formatOID = session_tracking_formats[ i + 1 ];
1834                         break;
1835                 }
1836         }
1837
1838         /* sessionTrackingIdentifier */
1839         tag = ber_peek_tag( ber, &len );
1840         if ( tag == LBER_DEFAULT ) {
1841                 tag = LBER_ERROR;
1842                 goto error;
1843         }
1844
1845         if ( len == 0 ) {
1846                 tag = ber_skip_tag( ber, &len );
1847
1848         } else {
1849                 /* note: should not be more than 65536... */
1850                 tag = ber_scanf( ber, "m", &sessionTrackingIdentifier );
1851                 if ( ldif_is_not_printable( sessionTrackingIdentifier.bv_val, sessionTrackingIdentifier.bv_len ) ) {
1852                         /* we want the OID printed, at least */
1853                         BER_BVSTR( &sessionTrackingIdentifier, "" );
1854                 }
1855         }
1856
1857         /* closure */
1858         tag = ber_skip_tag( ber, &len );
1859         if ( tag != LBER_DEFAULT || len != 0 ) {
1860                 tag = LBER_ERROR;
1861                 goto error;
1862         }
1863         tag = 0;
1864
1865         st_len = 0;
1866         if ( !BER_BVISNULL( &sessionSourceIp ) ) {
1867                 st_len += STRLENOF( "IP=" ) + sessionSourceIp.bv_len;
1868         }
1869         if ( !BER_BVISNULL( &sessionSourceName ) ) {
1870                 if ( st_len ) st_len++;
1871                 st_len += STRLENOF( "NAME=" ) + sessionSourceName.bv_len;
1872         }
1873         if ( !BER_BVISNULL( &sessionTrackingIdentifier ) ) {
1874                 if ( st_len ) st_len++;
1875                 st_len += formatOID.bv_len + STRLENOF( "=" )
1876                         + sessionTrackingIdentifier.bv_len;
1877         }
1878
1879         if ( st_len == 0 ) {
1880                 goto error;
1881         }
1882
1883         st_len += STRLENOF( " []" );
1884         st_pos = strlen( op->o_log_prefix );
1885
1886         if ( sizeof( op->o_log_prefix ) - st_pos > st_len ) {
1887                 char    *ptr = &op->o_log_prefix[ st_pos ];
1888
1889                 ptr = lutil_strcopy( ptr, " [" /*]*/ );
1890
1891                 st_len = 0;
1892                 if ( !BER_BVISNULL( &sessionSourceIp ) ) {
1893                         ptr = lutil_strcopy( ptr, "IP=" );
1894                         ptr = lutil_strcopy( ptr, sessionSourceIp.bv_val );
1895                         st_len++;
1896                 }
1897
1898                 if ( !BER_BVISNULL( &sessionSourceName ) ) {
1899                         if ( st_len ) *ptr++ = ' ';
1900                         ptr = lutil_strcopy( ptr, "NAME=" );
1901                         ptr = lutil_strcopy( ptr, sessionSourceName.bv_val );
1902                         st_len++;
1903                 }
1904
1905                 if ( !BER_BVISNULL( &sessionTrackingIdentifier ) ) {
1906                         if ( st_len ) *ptr++ = ' ';
1907                         ptr = lutil_strcopy( ptr, formatOID.bv_val );
1908                         *ptr++ = '=';
1909                         ptr = lutil_strcopy( ptr, sessionTrackingIdentifier.bv_val );
1910                 }
1911
1912                 *ptr++ = /*[*/ ']';
1913                 *ptr = '\0';
1914         }
1915
1916 error:;
1917         (void)ber_free( ber, 1 );
1918
1919         if ( tag == LBER_ERROR ) {
1920                 rs->sr_text = "sessionTracking control decoding error";
1921                 return LDAP_PROTOCOL_ERROR;
1922         }
1923
1924
1925         return rs->sr_err;
1926 }
1927
1928 int
1929 slap_ctrl_session_tracking_add(
1930         Operation *op,
1931         SlapReply *rs,
1932         struct berval *ip,
1933         struct berval *name,
1934         struct berval *id,
1935         LDAPControl *ctrl )
1936 {
1937         BerElementBuffer berbuf;
1938         BerElement      *ber = (BerElement *)&berbuf;
1939
1940         static struct berval    oid = BER_BVC( LDAP_CONTROL_X_SESSION_TRACKING_USERNAME );
1941
1942         assert( ctrl != NULL );
1943
1944         ber_init2( ber, NULL, LBER_USE_DER );
1945
1946         ber_printf( ber, "{OOOO}", ip, name, &oid, id ); 
1947
1948         if ( ber_flatten2( ber, &ctrl->ldctl_value, 0 ) == -1 ) {
1949                 rs->sr_err = LDAP_OTHER;
1950                 goto done;
1951         }
1952
1953         ctrl->ldctl_oid = LDAP_CONTROL_X_SESSION_TRACKING;
1954         ctrl->ldctl_iscritical = 0;
1955
1956         rs->sr_err = LDAP_SUCCESS;
1957
1958 done:;
1959         return rs->sr_err;
1960 }
1961
1962 int
1963 slap_ctrl_session_tracking_request_add( Operation *op, SlapReply *rs, LDAPControl *ctrl )
1964 {
1965         static struct berval    bv_unknown = BER_BVC( SLAP_STRING_UNKNOWN );
1966         struct berval           ip = BER_BVNULL,
1967                                 name = BER_BVNULL,
1968                                 id = BER_BVNULL;
1969
1970         if ( !BER_BVISNULL( &op->o_conn->c_peer_name ) &&
1971                 memcmp( op->o_conn->c_peer_name.bv_val, "IP=", STRLENOF( "IP=" ) ) == 0 )
1972         {
1973                 char    *ptr;
1974
1975                 ip.bv_val = op->o_conn->c_peer_name.bv_val + STRLENOF( "IP=" );
1976                 ip.bv_len = op->o_conn->c_peer_name.bv_len - STRLENOF( "IP=" );
1977
1978                 ptr = ber_bvchr( &ip, ':' );
1979                 if ( ptr ) {
1980                         ip.bv_len = ptr - ip.bv_val;
1981                 }
1982         }
1983
1984         if ( !BER_BVISNULL( &op->o_conn->c_peer_domain ) &&
1985                 !bvmatch( &op->o_conn->c_peer_domain, &bv_unknown ) )
1986         {
1987                 name = op->o_conn->c_peer_domain;
1988         }
1989
1990         if ( !BER_BVISNULL( &op->o_dn ) && !BER_BVISEMPTY( &op->o_dn ) ) {
1991                 id = op->o_dn;
1992         }
1993
1994         return slap_ctrl_session_tracking_add( op, rs, &ip, &name, &id, ctrl );
1995 }
1996 #endif
1997
1998 #ifdef SLAP_CONTROL_X_WHATFAILED
1999 static int parseWhatFailed(
2000         Operation *op,
2001         SlapReply *rs,
2002         LDAPControl *ctrl )
2003 {
2004         if ( op->o_whatFailed != SLAP_CONTROL_NONE ) {
2005                 rs->sr_text = "\"WHat Failed?\" control specified multiple times";
2006                 return LDAP_PROTOCOL_ERROR;
2007         }
2008
2009         if ( !BER_BVISNULL( &ctrl->ldctl_value )) {
2010                 rs->sr_text = "\"What Failed?\" control value not absent";
2011                 return LDAP_PROTOCOL_ERROR;
2012         }
2013
2014         op->o_whatFailed = ctrl->ldctl_iscritical
2015                 ? SLAP_CONTROL_CRITICAL
2016                 : SLAP_CONTROL_NONCRITICAL;
2017
2018         return LDAP_SUCCESS;
2019 }
2020
2021 int
2022 slap_ctrl_whatFailed_add(
2023         Operation *op,
2024         SlapReply *rs,
2025         char **oids )
2026 {
2027         BerElementBuffer berbuf;
2028         BerElement *ber = (BerElement *) &berbuf;
2029         LDAPControl **ctrls = NULL;
2030         struct berval ctrlval;
2031         int i, rc = LDAP_SUCCESS;
2032
2033         ber_init2( ber, NULL, LBER_USE_DER );
2034         ber_set_option( ber, LBER_OPT_BER_MEMCTX, &op->o_tmpmemctx );
2035         ber_printf( ber, "[" /*]*/ );
2036         for ( i = 0; oids[ i ] != NULL; i++ ) {
2037                 ber_printf( ber, "s", oids[ i ] );
2038         }
2039         ber_printf( ber, /*[*/ "]" );
2040
2041         if ( ber_flatten2( ber, &ctrlval, 0 ) == -1 ) {
2042                 rc = LDAP_OTHER;
2043                 goto done;
2044         }
2045
2046         i = 0;
2047         if ( rs->sr_ctrls != NULL ) {
2048                 for ( ; rs->sr_ctrls[ i ] != NULL; i++ ) {
2049                         if ( strcmp( rs->sr_ctrls[ i ]->ldctl_oid, LDAP_CONTROL_X_WHATFAILED ) != 0 ) {
2050                                 /* TODO: add */
2051                                 assert( 0 );
2052                         }
2053                 }
2054         }
2055
2056         ctrls = op->o_tmprealloc( rs->sr_ctrls,
2057                         sizeof(LDAPControl *)*( i + 2 )
2058                         + sizeof(LDAPControl)
2059                         + ctrlval.bv_len + 1,
2060                         op->o_tmpmemctx );
2061         if ( ctrls == NULL ) {
2062                 rc = LDAP_OTHER;
2063                 goto done;
2064         }
2065         ctrls[ i + 1 ] = NULL;
2066         ctrls[ i ] = (LDAPControl *)&ctrls[ i + 2 ];
2067         ctrls[ i ]->ldctl_oid = LDAP_CONTROL_X_WHATFAILED;
2068         ctrls[ i ]->ldctl_iscritical = 0;
2069         ctrls[ i ]->ldctl_value.bv_val = (char *)&ctrls[ i ][ 1 ];
2070         AC_MEMCPY( ctrls[ i ]->ldctl_value.bv_val, ctrlval.bv_val, ctrlval.bv_len + 1 );
2071         ctrls[ i ]->ldctl_value.bv_len = ctrlval.bv_len;
2072
2073         ber_free_buf( ber );
2074
2075         rs->sr_ctrls = ctrls;
2076
2077 done:;
2078         return rc;
2079 }
2080 #endif