git.sur5r.net Git - openldap/blob - servers/slapd/controls.c

   1 /* $OpenLDAP$ */
   2 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
   3  *
   4  * Copyright 1998-2003 The OpenLDAP Foundation.
   5  * All rights reserved.
   6  *
   7  * Redistribution and use in source and binary forms, with or without
   8  * modification, are permitted only as authorized by the OpenLDAP
   9  * Public License.
  10  *
  11  * A copy of this license is available in the file LICENSE in the
  12  * top-level directory of the distribution or, alternatively, at
  13  * <http://www.OpenLDAP.org/license.html>.
  14  */
  15
  16 #include "portable.h"
  17
  18 #include <stdio.h>
  19
  20 #include <ac/string.h>
  21 #include <ac/socket.h>
  22
  23 #include "slap.h"
  24
  25 #include "../../libraries/liblber/lber-int.h"
  26
  27 static SLAP_CTRL_PARSE_FN parseAssert;
  28 static SLAP_CTRL_PARSE_FN parsePreRead;
  29 static SLAP_CTRL_PARSE_FN parsePostRead;
  30 static SLAP_CTRL_PARSE_FN parseProxyAuthz;
  31 static SLAP_CTRL_PARSE_FN parseManageDSAit;
  32 static SLAP_CTRL_PARSE_FN parseModifyIncrement;
  33 static SLAP_CTRL_PARSE_FN parseNoOp;
  34 static SLAP_CTRL_PARSE_FN parsePagedResults;
  35 static SLAP_CTRL_PARSE_FN parseValuesReturnFilter;
  36 static SLAP_CTRL_PARSE_FN parsePermissiveModify;
  37 static SLAP_CTRL_PARSE_FN parseDomainScope;
  38
  39 #ifdef LDAP_CONTROL_SUBENTRIES
  40 static SLAP_CTRL_PARSE_FN parseSubentries;
  41 #endif
  42 static SLAP_CTRL_PARSE_FN parseLDAPsync;
  43
  44 #undef sc_mask /* avoid conflict with Irix 6.5 <sys/signal.h> */
  45
  46 const struct berval slap_pre_read_bv = BER_BVC(LDAP_CONTROL_PRE_READ);
  47 const struct berval slap_post_read_bv = BER_BVC(LDAP_CONTROL_POST_READ);
  48
  49 struct slap_control {
  50         /* Control OID */
  51         char *sc_oid;
  52
  53         /* Operations supported by control */
  54         slap_mask_t sc_mask;
  55
  56         /* Extended operations supported by control */
  57         char **sc_extendedops;
  58
  59         /* Control parsing callback */
  60         SLAP_CTRL_PARSE_FN *sc_parse;
  61
  62         LDAP_SLIST_ENTRY(slap_control) sc_next;
  63 };
  64
  65 static LDAP_SLIST_HEAD(ControlsList, slap_control) controls_list
  66         = LDAP_SLIST_HEAD_INITIALIZER(&controls_list);
  67
  68 /*
  69  * all known request control OIDs should be added to this list
  70  */
  71 char **slap_known_controls = NULL;
  72
  73 static char *proxy_authz_extops[] = {
  74         LDAP_EXOP_MODIFY_PASSWD,
  75         LDAP_EXOP_X_WHO_AM_I,
  76         NULL
  77 };
  78
  79 static struct slap_control control_defs[] = {
  80         { LDAP_CONTROL_ASSERT,
  81                 SLAP_CTRL_HIDE|SLAP_CTRL_ACCESS, NULL,
  82                 parseAssert, LDAP_SLIST_ENTRY_INITIALIZER(next) },
  83         { LDAP_CONTROL_PRE_READ,
  84                 SLAP_CTRL_HIDE|SLAP_CTRL_DELETE|SLAP_CTRL_MODIFY|SLAP_CTRL_RENAME, NULL,
  85                 parsePreRead, LDAP_SLIST_ENTRY_INITIALIZER(next) },
  86         { LDAP_CONTROL_POST_READ,
  87                 SLAP_CTRL_HIDE|SLAP_CTRL_ADD|SLAP_CTRL_MODIFY|SLAP_CTRL_RENAME, NULL,
  88                 parsePostRead, LDAP_SLIST_ENTRY_INITIALIZER(next) },
  89         { LDAP_CONTROL_VALUESRETURNFILTER,
  90                 SLAP_CTRL_SEARCH, NULL,
  91                 parseValuesReturnFilter, LDAP_SLIST_ENTRY_INITIALIZER(next) },
  92         { LDAP_CONTROL_PAGEDRESULTS,
  93                 SLAP_CTRL_SEARCH, NULL,
  94                 parsePagedResults, LDAP_SLIST_ENTRY_INITIALIZER(next) },
  95 #ifdef LDAP_CONTROL_X_DOMAIN_SCOPE
  96         { LDAP_CONTROL_X_DOMAIN_SCOPE,
  97                 SLAP_CTRL_FRONTEND|SLAP_CTRL_SEARCH, NULL,
  98                 parseDomainScope, LDAP_SLIST_ENTRY_INITIALIZER(next) },
  99 #endif
 100 #ifdef LDAP_CONTROL_X_PERMISSIVE_MODIFY
 101         { LDAP_CONTROL_X_PERMISSIVE_MODIFY,
 102                 SLAP_CTRL_MODIFY, NULL,
 103                 parsePermissiveModify, LDAP_SLIST_ENTRY_INITIALIZER(next) },
 104 #endif
 105 #ifdef LDAP_CONTROL_SUBENTRIES
 106         { LDAP_CONTROL_SUBENTRIES,
 107                 SLAP_CTRL_SEARCH, NULL,
 108                 parseSubentries, LDAP_SLIST_ENTRY_INITIALIZER(next) },
 109 #endif
 110         { LDAP_CONTROL_NOOP,
 111                 SLAP_CTRL_ACCESS, NULL,
 112                 parseNoOp, LDAP_SLIST_ENTRY_INITIALIZER(next) },
 113         { LDAP_CONTROL_SYNC,
 114                 SLAP_CTRL_HIDE|SLAP_CTRL_SEARCH, NULL,
 115                 parseLDAPsync, LDAP_SLIST_ENTRY_INITIALIZER(next) },
 116         { LDAP_CONTROL_MODIFY_INCREMENT,
 117                 SLAP_CTRL_HIDE|SLAP_CTRL_MODIFY, NULL,
 118                 parseModifyIncrement, LDAP_SLIST_ENTRY_INITIALIZER(next) },
 119         { LDAP_CONTROL_MANAGEDSAIT,
 120                 SLAP_CTRL_ACCESS, NULL,
 121                 parseManageDSAit, LDAP_SLIST_ENTRY_INITIALIZER(next) },
 122         { LDAP_CONTROL_PROXY_AUTHZ,
 123                 SLAP_CTRL_FRONTEND|SLAP_CTRL_ACCESS, proxy_authz_extops,
 124                 parseProxyAuthz, LDAP_SLIST_ENTRY_INITIALIZER(next) },
 125         { NULL, 0, NULL, 0, LDAP_SLIST_ENTRY_INITIALIZER(next) }
 126 };
 127
 128 /*
 129  * Register a supported control.
 130  *
 131  * This can be called by an OpenLDAP plugin or, indirectly, by a
 132  * SLAPI plugin calling slapi_register_supported_control().
 133  */
 134 int
 135 register_supported_control(const char *controloid,
 136         slap_mask_t controlmask,
 137         char **controlexops,
 138         SLAP_CTRL_PARSE_FN *controlparsefn)
 139 {
 140         struct slap_control *sc;
 141         int i;
 142
 143         if ( controloid == NULL ) {
 144                 return LDAP_PARAM_ERROR;
 145         }
 146
 147         sc = (struct slap_control *)SLAP_MALLOC( sizeof( *sc ) );
 148         if ( sc == NULL ) {
 149                 return LDAP_NO_MEMORY;
 150         }
 151         sc->sc_oid = ch_strdup( controloid );
 152         sc->sc_mask = controlmask;
 153         if ( controlexops != NULL ) {
 154                 sc->sc_extendedops = ldap_charray_dup( controlexops );
 155                 if ( sc->sc_extendedops == NULL ) {
 156                         ch_free( sc );
 157                         return LDAP_NO_MEMORY;
 158                 }
 159         } else {
 160                 sc->sc_extendedops = NULL;
 161         }
 162         sc->sc_parse = controlparsefn;
 163
 164         /* Update slap_known_controls, too. */
 165         if ( slap_known_controls == NULL ) {
 166                 slap_known_controls = (char **)SLAP_MALLOC( 2 * sizeof(char *) );
 167                 if ( slap_known_controls == NULL ) {
 168                         if ( sc->sc_extendedops != NULL ) ldap_charray_free( sc->sc_extendedops );
 169                         ch_free( sc );
 170                         return LDAP_NO_MEMORY;
 171                 }
 172                 slap_known_controls[0] = ch_strdup( sc->sc_oid );
 173                 slap_known_controls[1] = NULL;
 174         } else {
 175                 for ( i = 0; slap_known_controls[i] != NULL; i++ )
 176                         ;
 177                 slap_known_controls = (char **)SLAP_REALLOC( slap_known_controls, (i + 2) * sizeof(char *) );
 178                 if ( slap_known_controls == NULL ) {
 179                         if ( sc->sc_extendedops != NULL ) ldap_charray_free( sc->sc_extendedops );
 180                         ch_free( sc );
 181                         return LDAP_NO_MEMORY;
 182                 }
 183                 slap_known_controls[i++] = ch_strdup( sc->sc_oid );
 184                 slap_known_controls[i] = NULL;
 185         }
 186
 187         LDAP_SLIST_NEXT( sc, sc_next ) = NULL;
 188         LDAP_SLIST_INSERT_HEAD( &controls_list, sc, sc_next );
 189
 190         return LDAP_SUCCESS;
 191 }
 192
 193 /*
 194  * One-time initialization of internal controls.
 195  */
 196 int
 197 slap_controls_init( void )
 198 {
 199         int i, rc;
 200         struct slap_control *sc;
 201
 202         rc = LDAP_SUCCESS;
 203
 204         for ( i = 0; control_defs[i].sc_oid != NULL; i++ ) {
 205                 rc = register_supported_control( control_defs[i].sc_oid,
 206                         control_defs[i].sc_mask, control_defs[i].sc_extendedops,
 207                         control_defs[i].sc_parse );
 208                 if ( rc != LDAP_SUCCESS )
 209                         break;
 210         }
 211
 212         return rc;
 213 }
 214
 215 /*
 216  * Free memory associated with list of supported controls.
 217  */
 218 void
 219 controls_destroy( void )
 220 {
 221         struct slap_control *sc;
 222
 223         while ( !LDAP_SLIST_EMPTY(&controls_list) ) {
 224                 sc = LDAP_SLIST_FIRST(&controls_list);
 225                 LDAP_SLIST_REMOVE_HEAD(&controls_list, sc_next);
 226
 227                 ch_free( sc->sc_oid );
 228                 if ( sc->sc_extendedops != NULL ) {
 229                         ldap_charray_free( sc->sc_extendedops );
 230                 }
 231                 ch_free( sc );
 232         }
 233         ldap_charray_free( slap_known_controls );
 234 }
 235
 236 /*
 237  * Format the supportedControl attribute of the root DSE,
 238  * detailing which controls are supported by the directory
 239  * server.
 240  */
 241 int
 242 controls_root_dse_info( Entry *e )
 243 {
 244         AttributeDescription *ad_supportedControl
 245                 = slap_schema.si_ad_supportedControl;
 246         struct berval vals[2];
 247         struct slap_control *sc;
 248
 249         vals[1].bv_val = NULL;
 250         vals[1].bv_len = 0;
 251
 252         LDAP_SLIST_FOREACH( sc, &controls_list, sc_next ) {
 253                 if( sc->sc_mask & SLAP_CTRL_HIDE ) continue;
 254
 255                 vals[0].bv_val = sc->sc_oid;
 256                 vals[0].bv_len = strlen( sc->sc_oid );
 257
 258                 if ( attr_merge( e, ad_supportedControl, vals, NULL ) ) {
 259                         return -1;
 260                 }
 261         }
 262
 263         return 0;
 264 }
 265
 266 /*
 267  * Return a list of OIDs and operation masks for supported
 268  * controls. Used by SLAPI.
 269  */
 270 int
 271 get_supported_controls(char ***ctrloidsp,
 272         slap_mask_t **ctrlmasks)
 273 {
 274         int i, n;
 275         char **oids;
 276         slap_mask_t *masks;
 277         int rc;
 278         struct slap_control *sc;
 279
 280         n = 0;
 281
 282         LDAP_SLIST_FOREACH( sc, &controls_list, sc_next ) {
 283                 n++;
 284         }
 285
 286         if ( n == 0 ) {
 287                 *ctrloidsp = NULL;
 288                 *ctrlmasks = NULL;
 289                 return LDAP_SUCCESS;
 290         }
 291
 292         oids = (char **)SLAP_MALLOC( (n + 1) * sizeof(char *) );
 293         if ( oids == NULL ) {
 294                 return LDAP_NO_MEMORY;
 295         }
 296         masks = (slap_mask_t *)SLAP_MALLOC( (n + 1) * sizeof(slap_mask_t) );
 297         if  ( masks == NULL ) {
 298                 ch_free( oids );
 299                 return LDAP_NO_MEMORY;
 300         }
 301
 302         n = 0;
 303
 304         LDAP_SLIST_FOREACH( sc, &controls_list, sc_next ) {
 305                 oids[n] = ch_strdup( sc->sc_oid );
 306                 masks[n] = sc->sc_mask;
 307                 n++;
 308         }
 309         oids[n] = NULL;
 310         masks[n] = 0;
 311
 312         *ctrloidsp = oids;
 313         *ctrlmasks = masks;
 314
 315         return LDAP_SUCCESS;
 316 }
 317
 318 /*
 319  * Find a control given its OID.
 320  */
 321 static struct slap_control *
 322 find_ctrl( const char *oid )
 323 {
 324         struct slap_control *sc;
 325
 326         LDAP_SLIST_FOREACH( sc, &controls_list, sc_next ) {
 327                 if ( strcmp( oid, sc->sc_oid ) == 0 ) {
 328                         return sc;
 329                 }
 330         }
 331
 332         return NULL;
 333 }
 334
 335 void slap_free_ctrls(
 336         Operation *op,
 337         LDAPControl **ctrls
 338 )
 339 {
 340         int i;
 341
 342         for (i=0; ctrls[i]; i++) {
 343                 op->o_tmpfree(ctrls[i], op->o_tmpmemctx );
 344         }
 345         op->o_tmpfree( ctrls, op->o_tmpmemctx );
 346 }
 347
 348 int get_ctrls(
 349         Operation *op,
 350         SlapReply *rs,
 351         int sendres )
 352 {
 353         int nctrls = 0;
 354         ber_tag_t tag;
 355         ber_len_t len;
 356         char *opaque;
 357         BerElement *ber = op->o_ber;
 358         struct slap_control *sc;
 359         struct berval bv;
 360
 361         len = ber_pvt_ber_remaining(ber);
 362
 363         if( len == 0) {
 364                 /* no controls */
 365                 rs->sr_err = LDAP_SUCCESS;
 366                 return rs->sr_err;
 367         }
 368
 369         if(( tag = ber_peek_tag( ber, &len )) != LDAP_TAG_CONTROLS ) {
 370                 if( tag == LBER_ERROR ) {
 371                         rs->sr_err = SLAPD_DISCONNECT;
 372                         rs->sr_text = "unexpected data in PDU";
 373                 }
 374
 375                 goto return_results;
 376         }
 377
 378 #ifdef NEW_LOGGING
 379         LDAP_LOG( OPERATION, ENTRY,
 380                 "get_ctrls: conn %lu\n", op->o_connid, 0, 0 );
 381 #else
 382         Debug( LDAP_DEBUG_TRACE,
 383                 "=> get_ctrls\n", 0, 0, 0 );
 384 #endif
 385
 386         if( op->o_protocol < LDAP_VERSION3 ) {
 387                 rs->sr_err = SLAPD_DISCONNECT;
 388                 rs->sr_text = "controls require LDAPv3";
 389                 goto return_results;
 390         }
 391
 392         /* one for first control, one for termination */
 393         op->o_ctrls = op->o_tmpalloc( 2 * sizeof(LDAPControl *), op->o_tmpmemctx );
 394
 395 #if 0
 396         if( op->ctrls == NULL ) {
 397                 rs->sr_err = LDAP_NO_MEMORY;
 398                 rs->sr_text = "no memory";
 399                 goto return_results;
 400         }
 401 #endif
 402
 403         op->o_ctrls[nctrls] = NULL;
 404
 405         /* step through each element */
 406         for( tag = ber_first_element( ber, &len, &opaque );
 407                 tag != LBER_ERROR;
 408                 tag = ber_next_element( ber, &len, opaque ) )
 409         {
 410                 LDAPControl *c;
 411                 LDAPControl **tctrls;
 412
 413                 c = op->o_tmpalloc( sizeof(LDAPControl), op->o_tmpmemctx );
 414                 memset(c, 0, sizeof(LDAPControl));
 415
 416                 /* allocate pointer space for current controls (nctrls)
 417                  * + this control + extra NULL
 418                  */
 419                 tctrls = op->o_tmprealloc( op->o_ctrls,
 420                         (nctrls+2) * sizeof(LDAPControl *), op->o_tmpmemctx );
 421
 422 #if 0
 423                 if( tctrls == NULL ) {
 424                         ch_free( c );
 425                         ldap_controls_free(op->o_ctrls);
 426                         op->o_ctrls = NULL;
 427
 428                         rs->sr_err = LDAP_NO_MEMORY;
 429                         rs->sr_text = "no memory";
 430                         goto return_results;
 431                 }
 432 #endif
 433                 op->o_ctrls = tctrls;
 434
 435                 op->o_ctrls[nctrls++] = c;
 436                 op->o_ctrls[nctrls] = NULL;
 437
 438                 tag = ber_scanf( ber, "{m" /*}*/, &bv );
 439                 c->ldctl_oid = bv.bv_val;
 440
 441                 if( tag == LBER_ERROR ) {
 442 #ifdef NEW_LOGGING
 443                         LDAP_LOG( OPERATION, INFO, "get_ctrls: conn %lu get OID failed.\n",
 444                                 op->o_connid, 0, 0 );
 445 #else
 446                         Debug( LDAP_DEBUG_TRACE, "=> get_ctrls: get oid failed.\n",
 447                                 0, 0, 0 );
 448 #endif
 449
 450                         slap_free_ctrls( op, op->o_ctrls );
 451                         op->o_ctrls = NULL;
 452                         rs->sr_err = SLAPD_DISCONNECT;
 453                         rs->sr_text = "decoding controls error";
 454                         goto return_results;
 455
 456                 } else if( c->ldctl_oid == NULL ) {
 457 #ifdef NEW_LOGGING
 458                         LDAP_LOG( OPERATION, INFO,
 459                                 "get_ctrls: conn %lu got emtpy OID.\n",
 460                                 op->o_connid, 0, 0 );
 461 #else
 462                         Debug( LDAP_DEBUG_TRACE,
 463                                 "get_ctrls: conn %lu got emtpy OID.\n",
 464                                 op->o_connid, 0, 0 );
 465 #endif
 466
 467                         slap_free_ctrls( op, op->o_ctrls );
 468                         op->o_ctrls = NULL;
 469                         rs->sr_err = LDAP_PROTOCOL_ERROR;
 470                         rs->sr_text = "OID field is empty";
 471                         goto return_results;
 472                 }
 473
 474                 tag = ber_peek_tag( ber, &len );
 475
 476                 if( tag == LBER_BOOLEAN ) {
 477                         ber_int_t crit;
 478                         tag = ber_scanf( ber, "b", &crit );
 479
 480                         if( tag == LBER_ERROR ) {
 481 #ifdef NEW_LOGGING
 482                                 LDAP_LOG( OPERATION, INFO,
 483                                         "get_ctrls: conn %lu get crit failed.\n",
 484                                         op->o_connid, 0, 0 );
 485 #else
 486                                 Debug( LDAP_DEBUG_TRACE, "=> get_ctrls: get crit failed.\n",
 487                                         0, 0, 0 );
 488 #endif
 489                                 slap_free_ctrls( op, op->o_ctrls );
 490                                 op->o_ctrls = NULL;
 491                                 rs->sr_err = SLAPD_DISCONNECT;
 492                                 rs->sr_text = "decoding controls error";
 493                                 goto return_results;
 494                         }
 495
 496                         c->ldctl_iscritical = (crit != 0);
 497                         tag = ber_peek_tag( ber, &len );
 498                 }
 499
 500                 if( tag == LBER_OCTETSTRING ) {
 501                         tag = ber_scanf( ber, "m", &c->ldctl_value );
 502
 503                         if( tag == LBER_ERROR ) {
 504 #ifdef NEW_LOGGING
 505                                 LDAP_LOG( OPERATION, INFO, "get_ctrls: conn %lu: "
 506                                         "%s (%scritical): get value failed.\n",
 507                                         op->o_connid, c->ldctl_oid,
 508                                         c->ldctl_iscritical ? "" : "non" );
 509 #else
 510                                 Debug( LDAP_DEBUG_TRACE, "=> get_ctrls: conn %lu: "
 511                                         "%s (%scritical): get value failed.\n",
 512                                         op->o_connid, c->ldctl_oid,
 513                                         c->ldctl_iscritical ? "" : "non" );
 514 #endif
 515                                 slap_free_ctrls( op, op->o_ctrls );
 516                                 op->o_ctrls = NULL;
 517                                 rs->sr_err = SLAPD_DISCONNECT;
 518                                 rs->sr_text = "decoding controls error";
 519                                 goto return_results;
 520                         }
 521                 }
 522
 523 #ifdef NEW_LOGGING
 524                 LDAP_LOG( OPERATION, INFO,
 525                         "get_ctrls: conn %lu oid=\"%s\" (%scritical)\n",
 526                         op->o_connid, c->ldctl_oid, c->ldctl_iscritical ? "" : "non" );
 527 #else
 528                 Debug( LDAP_DEBUG_TRACE,
 529                         "=> get_ctrls: oid=\"%s\" (%scritical)\n",
 530                         c->ldctl_oid, c->ldctl_iscritical ? "" : "non", 0 );
 531 #endif
 532
 533                 sc = find_ctrl( c->ldctl_oid );
 534                 if( sc != NULL ) {
 535                         /* recognized control */
 536                         slap_mask_t tagmask;
 537                         switch( op->o_tag ) {
 538                         case LDAP_REQ_ADD:
 539                                 tagmask = SLAP_CTRL_ADD;
 540                                 break;
 541                         case LDAP_REQ_BIND:
 542                                 tagmask = SLAP_CTRL_BIND;
 543                                 break;
 544                         case LDAP_REQ_COMPARE:
 545                                 tagmask = SLAP_CTRL_COMPARE;
 546                                 break;
 547                         case LDAP_REQ_DELETE:
 548                                 tagmask = SLAP_CTRL_DELETE;
 549                                 break;
 550                         case LDAP_REQ_MODIFY:
 551                                 tagmask = SLAP_CTRL_MODIFY;
 552                                 break;
 553                         case LDAP_REQ_RENAME:
 554                                 tagmask = SLAP_CTRL_RENAME;
 555                                 break;
 556                         case LDAP_REQ_SEARCH:
 557                                 tagmask = SLAP_CTRL_SEARCH;
 558                                 break;
 559                         case LDAP_REQ_UNBIND:
 560                                 tagmask = SLAP_CTRL_UNBIND;
 561                                 break;
 562                         case LDAP_REQ_ABANDON:
 563                                 tagmask = SLAP_CTRL_ABANDON;
 564                                 break;
 565                         case LDAP_REQ_EXTENDED:
 566                                 tagmask=~0L;
 567                                 assert( op->ore_reqoid.bv_val != NULL );
 568                                 if( sc->sc_extendedops != NULL ) {
 569                                         int i;
 570                                         for( i=0; sc->sc_extendedops[i] != NULL; i++ ) {
 571                                                 if( strcmp( op->ore_reqoid.bv_val, sc->sc_extendedops[i] )
 572                                                         == 0 )
 573                                                 {
 574                                                         tagmask=0L;
 575                                                         break;
 576                                                 }
 577                                         }
 578                                 }
 579                                 break;
 580                         default:
 581                                 rs->sr_err = LDAP_OTHER;
 582                                 rs->sr_text = "controls internal error";
 583                                 goto return_results;
 584                         }
 585
 586                         if (( sc->sc_mask & tagmask ) == tagmask ) {
 587                                 /* available extension */
 588
 589                                 if( !sc->sc_parse ) {
 590                                         rs->sr_err = LDAP_OTHER;
 591                                         rs->sr_text = "not yet implemented";
 592                                         goto return_results;
 593                                 }
 594
 595                                 rs->sr_err = sc->sc_parse( op, rs, c );
 596
 597                                 if( rs->sr_err != LDAP_SUCCESS ) goto return_results;
 598
 599                                 if ( sc->sc_mask & SLAP_CTRL_FRONTEND ) {
 600                                         /* kludge to disable backend_control() check */
 601                                         c->ldctl_iscritical = 0;
 602
 603                                 } else if ( tagmask == SLAP_CTRL_SEARCH &&
 604                                         sc->sc_mask & SLAP_CTRL_FRONTEND_SEARCH )
 605                                 {
 606                                         /* kludge to disable backend_control() check */
 607                                         c->ldctl_iscritical = 0;
 608                                 }
 609
 610                         } else if( c->ldctl_iscritical ) {
 611                                 /* unavailable CRITICAL control */
 612                                 rs->sr_err = LDAP_UNAVAILABLE_CRITICAL_EXTENSION;
 613                                 rs->sr_text = "critical extension is unavailable";
 614                                 goto return_results;
 615                         }
 616
 617                 } else if( c->ldctl_iscritical ) {
 618                         /* unrecognized CRITICAL control */
 619                         rs->sr_err = LDAP_UNAVAILABLE_CRITICAL_EXTENSION;
 620                         rs->sr_text = "critical extension is not recognized";
 621                         goto return_results;
 622                 }
 623         }
 624
 625 return_results:
 626 #ifdef NEW_LOGGING
 627         LDAP_LOG( OPERATION, RESULTS,
 628                 "get_ctrls: n=%d rc=%d err=\"%s\"\n",
 629                 nctrls, rs->sr_err, rs->sr_text ? rs->sr_text : "" );
 630 #else
 631         Debug( LDAP_DEBUG_TRACE,
 632                 "<= get_ctrls: n=%d rc=%d err=\"%s\"\n",
 633                 nctrls, rs->sr_err, rs->sr_text ? rs->sr_text : "");
 634 #endif
 635
 636         if( sendres && rs->sr_err != LDAP_SUCCESS ) {
 637                 if( rs->sr_err == SLAPD_DISCONNECT ) {
 638                         rs->sr_err = LDAP_PROTOCOL_ERROR;
 639                         send_ldap_disconnect( op, rs );
 640                         rs->sr_err = SLAPD_DISCONNECT;
 641                 } else {
 642                         send_ldap_result( op, rs );
 643                 }
 644         }
 645
 646         return rs->sr_err;
 647 }
 648
 649 static int parseModifyIncrement (
 650         Operation *op,
 651         SlapReply *rs,
 652         LDAPControl *ctrl )
 653 {
 654 #if 0
 655         if ( op->o_parseModifyIncrement != SLAP_NO_CONTROL ) {
 656                 rs->sr_text = "modifyIncrement control specified multiple times";
 657                 return LDAP_PROTOCOL_ERROR;
 658         }
 659 #endif
 660
 661         if ( ctrl->ldctl_value.bv_len ) {
 662                 rs->sr_text = "modifyIncrement control value not empty";
 663                 return LDAP_PROTOCOL_ERROR;
 664         }
 665
 666 #if 0
 667         op->o_parseModifyIncrement = ctrl->ldctl_iscritical
 668                 ? SLAP_CRITICAL_CONTROL
 669                 : SLAP_NONCRITICAL_CONTROL;
 670 #endif
 671
 672         return LDAP_SUCCESS;
 673 }
 674
 675 static int parseManageDSAit (
 676         Operation *op,
 677         SlapReply *rs,
 678         LDAPControl *ctrl )
 679 {
 680         if ( op->o_managedsait != SLAP_NO_CONTROL ) {
 681                 rs->sr_text = "manageDSAit control specified multiple times";
 682                 return LDAP_PROTOCOL_ERROR;
 683         }
 684
 685         if ( ctrl->ldctl_value.bv_len ) {
 686                 rs->sr_text = "manageDSAit control value not empty";
 687                 return LDAP_PROTOCOL_ERROR;
 688         }
 689
 690         op->o_managedsait = ctrl->ldctl_iscritical
 691                 ? SLAP_CRITICAL_CONTROL
 692                 : SLAP_NONCRITICAL_CONTROL;
 693
 694         return LDAP_SUCCESS;
 695 }
 696
 697 static int parseProxyAuthz (
 698         Operation *op,
 699         SlapReply *rs,
 700         LDAPControl *ctrl )
 701 {
 702         int             rc;
 703         struct berval   dn = { 0, NULL };
 704
 705         if ( op->o_proxy_authz != SLAP_NO_CONTROL ) {
 706                 rs->sr_text = "proxy authorization control specified multiple times";
 707                 return LDAP_PROTOCOL_ERROR;
 708         }
 709
 710         op->o_proxy_authz = ctrl->ldctl_iscritical
 711                 ? SLAP_CRITICAL_CONTROL
 712                 : SLAP_NONCRITICAL_CONTROL;
 713
 714 #ifdef NEW_LOGGING
 715         LDAP_LOG( OPERATION, ARGS,
 716                 "parseProxyAuthz: conn %lu authzid=\"%s\"\n",
 717                 op->o_connid,
 718                 ctrl->ldctl_value.bv_len ?  ctrl->ldctl_value.bv_val : "anonymous",
 719                 0 );
 720 #else
 721         Debug( LDAP_DEBUG_ARGS,
 722                 "parseProxyAuthz: conn %lu authzid=\"%s\"\n",
 723                 op->o_connid,
 724                 ctrl->ldctl_value.bv_len ?  ctrl->ldctl_value.bv_val : "anonymous",
 725                 0 );
 726 #endif
 727
 728         if( ctrl->ldctl_value.bv_len == 0 ) {
 729 #ifdef NEW_LOGGING
 730                 LDAP_LOG( OPERATION, RESULTS,
 731                         "parseProxyAuthz: conn=%lu anonymous\n",
 732                         op->o_connid, 0, 0 );
 733 #else
 734                 Debug( LDAP_DEBUG_TRACE,
 735                         "parseProxyAuthz: conn=%lu anonymous\n",
 736                         op->o_connid, 0, 0 );
 737 #endif
 738
 739                 /* anonymous */
 740                 free( op->o_dn.bv_val );
 741                 op->o_dn.bv_len = 0;
 742                 op->o_dn.bv_val = ch_strdup( "" );
 743
 744                 free( op->o_ndn.bv_val );
 745                 op->o_ndn.bv_len = 0;
 746                 op->o_ndn.bv_val = ch_strdup( "" );
 747
 748                 return LDAP_SUCCESS;
 749         }
 750
 751         /* FIXME: how can we get the realm? */
 752         {
 753                 int     rc;
 754                 char            buf[ SLAP_LDAPDN_MAXLEN ];
 755                 struct berval   id,
 756                                 user = { 0, NULL },
 757                                 realm = { 0, NULL },
 758                                 mech = { 0, NULL };
 759
 760                 if ( sizeof( buf ) <= ctrl->ldctl_value.bv_len ) {
 761                         return LDAP_INVALID_SYNTAX;
 762                 }
 763
 764                 id.bv_len = ctrl->ldctl_value.bv_len;
 765                 id.bv_val = buf;
 766                 strncpy( buf, ctrl->ldctl_value.bv_val, sizeof( buf ) );
 767
 768                 rc = slap_parse_user( &id, &user, &realm, &mech );
 769                 if ( rc == LDAP_SUCCESS ) {
 770                         struct berval authz = BER_BVC( "AUTHZ" );
 771
 772                         if ( mech.bv_len && !bvmatch( &mech, &authz) ) {
 773                                 rs->sr_text = "mech not allowed in authzId";
 774                                 return LDAP_PROXY_AUTHZ_FAILURE;
 775                         }
 776                 } else {
 777                         user = ctrl->ldctl_value;
 778                 }
 779
 780                 rc = slap_sasl_getdn( op->o_conn, op,
 781                                 user.bv_val, user.bv_len,
 782                                 realm.bv_val, &dn, SLAP_GETDN_AUTHZID );
 783
 784                 if( rc != LDAP_SUCCESS || !dn.bv_len ) {
 785                         if ( dn.bv_val ) {
 786                                 ch_free( dn.bv_val );
 787                         }
 788                         rs->sr_text = "authzId mapping failed";
 789                         return LDAP_PROXY_AUTHZ_FAILURE;
 790                 }
 791         }
 792
 793 #ifdef NEW_LOGGING
 794         LDAP_LOG( OPERATION, RESULTS,
 795                 "parseProxyAuthz: conn=%lu \"%s\"\n",
 796                 op->o_connid,
 797                 dn.bv_len ? dn.bv_val : "(NULL)", 0 );
 798 #else
 799         Debug( LDAP_DEBUG_TRACE,
 800                 "parseProxyAuthz: conn=%lu \"%s\"\n",
 801                 op->o_connid,
 802                 dn.bv_len ? dn.bv_val : "(NULL)", 0 );
 803 #endif
 804
 805         rc = slap_sasl_authorized( op, &op->o_ndn, &dn );
 806
 807         if( rc ) {
 808                 ch_free( dn.bv_val );
 809                 rs->sr_text = "not authorized to assume identity";
 810                 return LDAP_PROXY_AUTHZ_FAILURE;
 811         }
 812
 813         ch_free( op->o_dn.bv_val );
 814         ch_free( op->o_ndn.bv_val );
 815
 816         op->o_dn.bv_val = NULL;
 817         op->o_ndn = dn;
 818
 819         /*
 820          * NOTE: since slap_sasl_getdn() returns a normalized dn,
 821          * from now on op->o_dn is normalized
 822          */
 823         ber_dupbv( &op->o_dn, &dn );
 824
 825         return LDAP_SUCCESS;
 826 }
 827
 828 static int parseNoOp (
 829         Operation *op,
 830         SlapReply *rs,
 831         LDAPControl *ctrl )
 832 {
 833         if ( op->o_noop != SLAP_NO_CONTROL ) {
 834                 rs->sr_text = "noop control specified multiple times";
 835                 return LDAP_PROTOCOL_ERROR;
 836         }
 837
 838         if ( ctrl->ldctl_value.bv_len ) {
 839                 rs->sr_text = "noop control value not empty";
 840                 return LDAP_PROTOCOL_ERROR;
 841         }
 842
 843         op->o_noop = ctrl->ldctl_iscritical
 844                 ? SLAP_CRITICAL_CONTROL
 845                 : SLAP_NONCRITICAL_CONTROL;
 846
 847         return LDAP_SUCCESS;
 848 }
 849
 850 static int parsePagedResults (
 851         Operation *op,
 852         SlapReply *rs,
 853         LDAPControl *ctrl )
 854 {
 855         ber_tag_t tag;
 856         ber_int_t size;
 857         BerElement *ber;
 858         struct berval cookie = { 0, NULL };
 859
 860         if ( op->o_pagedresults != SLAP_NO_CONTROL ) {
 861                 rs->sr_text = "paged results control specified multiple times";
 862                 return LDAP_PROTOCOL_ERROR;
 863         }
 864
 865         if ( ctrl->ldctl_value.bv_len == 0 ) {
 866                 rs->sr_text = "paged results control value is empty (or absent)";
 867                 return LDAP_PROTOCOL_ERROR;
 868         }
 869
 870         /* Parse the control value
 871          *      realSearchControlValue ::= SEQUENCE {
 872          *              size    INTEGER (0..maxInt),
 873          *                              -- requested page size from client
 874          *                              -- result set size estimate from server
 875          *              cookie  OCTET STRING
 876          * }
 877          */
 878         ber = ber_init( &ctrl->ldctl_value );
 879         if( ber == NULL ) {
 880                 rs->sr_text = "internal error";
 881                 return LDAP_OTHER;
 882         }
 883
 884         tag = ber_scanf( ber, "{im}", &size, &cookie );
 885         (void) ber_free( ber, 1 );
 886
 887         if( tag == LBER_ERROR ) {
 888                 rs->sr_text = "paged results control could not be decoded";
 889                 return LDAP_PROTOCOL_ERROR;
 890         }
 891
 892         if( size < 0 ) {
 893                 rs->sr_text = "paged results control size invalid";
 894                 return LDAP_PROTOCOL_ERROR;
 895         }
 896
 897         if( cookie.bv_len ) {
 898                 PagedResultsCookie reqcookie;
 899                 if( cookie.bv_len != sizeof( reqcookie ) ) {
 900                         /* bad cookie */
 901                         rs->sr_text = "paged results cookie is invalid";
 902                         return LDAP_PROTOCOL_ERROR;
 903                 }
 904
 905                 AC_MEMCPY( &reqcookie, cookie.bv_val, sizeof( reqcookie ));
 906
 907                 if( reqcookie > op->o_pagedresults_state.ps_cookie ) {
 908                         /* bad cookie */
 909                         rs->sr_text = "paged results cookie is invalid";
 910                         return LDAP_PROTOCOL_ERROR;
 911
 912                 } else if( reqcookie < op->o_pagedresults_state.ps_cookie ) {
 913                         rs->sr_text = "paged results cookie is invalid or old";
 914                         return LDAP_UNWILLING_TO_PERFORM;
 915                 }
 916         } else {
 917                 /* Initial request.  Initialize state. */
 918                 op->o_pagedresults_state.ps_cookie = 0;
 919                 op->o_pagedresults_state.ps_id = NOID;
 920         }
 921
 922         op->o_pagedresults_size = size;
 923
 924         op->o_pagedresults = ctrl->ldctl_iscritical
 925                 ? SLAP_CRITICAL_CONTROL
 926                 : SLAP_NONCRITICAL_CONTROL;
 927
 928         return LDAP_SUCCESS;
 929 }
 930
 931 static int parseAssert (
 932         Operation *op,
 933         SlapReply *rs,
 934         LDAPControl *ctrl )
 935 {
 936         BerElement      *ber;
 937         struct berval   fstr = { 0, NULL };
 938         const char *err_msg = "";
 939
 940         if ( op->o_assert != SLAP_NO_CONTROL ) {
 941                 rs->sr_text = "assert control specified multiple times";
 942                 return LDAP_PROTOCOL_ERROR;
 943         }
 944
 945         if ( ctrl->ldctl_value.bv_len == 0 ) {
 946                 rs->sr_text = "assert control value is empty (or absent)";
 947                 return LDAP_PROTOCOL_ERROR;
 948         }
 949
 950         ber = ber_init( &(ctrl->ldctl_value) );
 951         if (ber == NULL) {
 952                 rs->sr_text = "assert control: internal error";
 953                 return LDAP_OTHER;
 954         }
 955
 956         rs->sr_err = get_filter( op, ber, &(op->o_assertion), &rs->sr_text);
 957
 958         if( rs->sr_err != LDAP_SUCCESS ) {
 959                 if( rs->sr_err == SLAPD_DISCONNECT ) {
 960                         rs->sr_err = LDAP_PROTOCOL_ERROR;
 961                         send_ldap_disconnect( op, rs );
 962                         rs->sr_err = SLAPD_DISCONNECT;
 963                 } else {
 964                         send_ldap_result( op, rs );
 965                 }
 966                 if( op->o_assertion != NULL ) {
 967                         filter_free_x( op, op->o_assertion );
 968                 }
 969                 return rs->sr_err;
 970         }
 971
 972 #ifdef LDAP_DEBUG
 973         filter2bv_x( op, op->o_assertion, &fstr );
 974
 975 #ifdef NEW_LOGGING
 976         LDAP_LOG( OPERATION, ARGS,
 977                 "parseAssert: conn %ld assert: %s\n",
 978                 op->o_connid, fstr.bv_len ? fstr.bv_val : "empty" , 0 );
 979 #else
 980         Debug( LDAP_DEBUG_ARGS, "parseAssert: conn %ld assert: %s\n",
 981                 op->o_connid, fstr.bv_len ? fstr.bv_val : "empty" , 0 );
 982 #endif
 983         op->o_tmpfree( fstr.bv_val, op->o_tmpmemctx );
 984 #endif
 985
 986         op->o_assert = ctrl->ldctl_iscritical
 987                 ? SLAP_CRITICAL_CONTROL
 988                 : SLAP_NONCRITICAL_CONTROL;
 989
 990         rs->sr_err = LDAP_SUCCESS;
 991         return LDAP_SUCCESS;
 992 }
 993
 994 static int parsePreRead (
 995         Operation *op,
 996         SlapReply *rs,
 997         LDAPControl *ctrl )
 998 {
 999         ber_len_t siz, off, i;
1000         AttributeName *an = NULL;
1001         BerElement      *ber;
1002
1003         if ( op->o_preread != SLAP_NO_CONTROL ) {
1004                 rs->sr_text = "preread control specified multiple times";
1005                 return LDAP_PROTOCOL_ERROR;
1006         }
1007
1008         if ( ctrl->ldctl_value.bv_len == 0 ) {
1009                 rs->sr_text = "preread control value is empty (or absent)";
1010                 return LDAP_PROTOCOL_ERROR;
1011         }
1012
1013         ber = ber_init( &(ctrl->ldctl_value) );
1014         if (ber == NULL) {
1015                 rs->sr_text = "preread control: internal error";
1016                 return LDAP_OTHER;
1017         }
1018
1019         siz = sizeof( AttributeName );
1020         off = offsetof( AttributeName, an_name );
1021         if ( ber_scanf( ber, "{M}", &an, &siz, off ) == LBER_ERROR ) {
1022                 rs->sr_text = "preread control: decoding error";
1023                 return LDAP_PROTOCOL_ERROR;
1024         }
1025
1026         for( i=0; i<siz; i++ ) {
1027                 int             rc = LDAP_SUCCESS;
1028                 const char      *dummy = NULL;
1029
1030                 an[i].an_desc = NULL;
1031                 an[i].an_oc = NULL;
1032                 an[i].an_oc_exclude = 0;
1033                 rc = slap_bv2ad( &an[i].an_name, &an[i].an_desc, &dummy );
1034                 if ( rc != LDAP_SUCCESS && ctrl->ldctl_iscritical ) {
1035                         rs->sr_text = dummy ? dummy : "postread control: unknown attributeType";
1036                         return rc;
1037                 }
1038         }
1039
1040         op->o_preread = ctrl->ldctl_iscritical
1041                 ? SLAP_CRITICAL_CONTROL
1042                 : SLAP_NONCRITICAL_CONTROL;
1043
1044         op->o_preread_attrs = an;
1045
1046         rs->sr_err = LDAP_SUCCESS;
1047         return LDAP_SUCCESS;
1048 }
1049
1050 static int parsePostRead (
1051         Operation *op,
1052         SlapReply *rs,
1053         LDAPControl *ctrl )
1054 {
1055         ber_len_t siz, off, i;
1056         AttributeName *an = NULL;
1057         BerElement      *ber;
1058
1059         if ( op->o_postread != SLAP_NO_CONTROL ) {
1060                 rs->sr_text = "postread control specified multiple times";
1061                 return LDAP_PROTOCOL_ERROR;
1062         }
1063
1064         if ( ctrl->ldctl_value.bv_len == 0 ) {
1065                 rs->sr_text = "postread control value is empty (or absent)";
1066                 return LDAP_PROTOCOL_ERROR;
1067         }
1068
1069         ber = ber_init( &(ctrl->ldctl_value) );
1070         if (ber == NULL) {
1071                 rs->sr_text = "postread control: internal error";
1072                 return LDAP_OTHER;
1073         }
1074
1075         siz = sizeof( AttributeName );
1076         off = offsetof( AttributeName, an_name );
1077         if ( ber_scanf( ber, "{M}", &an, &siz, off ) == LBER_ERROR ) {
1078                 rs->sr_text = "postread control: decoding error";
1079                 return LDAP_PROTOCOL_ERROR;
1080         }
1081
1082         for( i=0; i<siz; i++ ) {
1083                 int             rc = LDAP_SUCCESS;
1084                 const char      *dummy = NULL;
1085
1086                 an[i].an_desc = NULL;
1087                 an[i].an_oc = NULL;
1088                 an[i].an_oc_exclude = 0;
1089                 rc = slap_bv2ad( &an[i].an_name, &an[i].an_desc, &dummy );
1090                 if ( rc != LDAP_SUCCESS && ctrl->ldctl_iscritical ) {
1091                         rs->sr_text = dummy ? dummy : "postread control: unknown attributeType";
1092                         return rc;
1093                 }
1094         }
1095
1096         op->o_postread = ctrl->ldctl_iscritical
1097                 ? SLAP_CRITICAL_CONTROL
1098                 : SLAP_NONCRITICAL_CONTROL;
1099
1100         op->o_postread_attrs = an;
1101
1102         rs->sr_err = LDAP_SUCCESS;
1103         return LDAP_SUCCESS;
1104 }
1105
1106 int parseValuesReturnFilter (
1107         Operation *op,
1108         SlapReply *rs,
1109         LDAPControl *ctrl )
1110 {
1111         BerElement      *ber;
1112         struct berval   fstr = { 0, NULL };
1113         const char *err_msg = "";
1114
1115         if ( op->o_valuesreturnfilter != SLAP_NO_CONTROL ) {
1116                 rs->sr_text = "valuesReturnFilter control specified multiple times";
1117                 return LDAP_PROTOCOL_ERROR;
1118         }
1119
1120         if ( ctrl->ldctl_value.bv_len == 0 ) {
1121                 rs->sr_text = "valuesReturnFilter control value is empty (or absent)";
1122                 return LDAP_PROTOCOL_ERROR;
1123         }
1124
1125         ber = ber_init( &(ctrl->ldctl_value) );
1126         if (ber == NULL) {
1127                 rs->sr_text = "internal error";
1128                 return LDAP_OTHER;
1129         }
1130
1131         rs->sr_err = get_vrFilter( op, ber, &(op->o_vrFilter), &rs->sr_text);
1132
1133         if( rs->sr_err != LDAP_SUCCESS ) {
1134                 if( rs->sr_err == SLAPD_DISCONNECT ) {
1135                         rs->sr_err = LDAP_PROTOCOL_ERROR;
1136                         send_ldap_disconnect( op, rs );
1137                         rs->sr_err = SLAPD_DISCONNECT;
1138                 } else {
1139                         send_ldap_result( op, rs );
1140                 }
1141                 if( op->o_vrFilter != NULL) vrFilter_free( op, op->o_vrFilter );
1142         }
1143 #ifdef LDAP_DEBUG
1144         else {
1145                 vrFilter2bv( op, op->o_vrFilter, &fstr );
1146         }
1147
1148 #ifdef NEW_LOGGING
1149         LDAP_LOG( OPERATION, ARGS,
1150                 "parseValuesReturnFilter: conn %d       vrFilter: %s\n",
1151                 op->o_connid, fstr.bv_len ? fstr.bv_val : "empty" , 0 );
1152 #else
1153         Debug( LDAP_DEBUG_ARGS, "       vrFilter: %s\n",
1154                 fstr.bv_len ? fstr.bv_val : "empty", 0, 0 );
1155 #endif
1156         op->o_tmpfree( fstr.bv_val, op->o_tmpmemctx );
1157 #endif
1158
1159         op->o_valuesreturnfilter = ctrl->ldctl_iscritical
1160                 ? SLAP_CRITICAL_CONTROL
1161                 : SLAP_NONCRITICAL_CONTROL;
1162
1163         rs->sr_err = LDAP_SUCCESS;
1164         return LDAP_SUCCESS;
1165 }
1166
1167 #ifdef LDAP_CONTROL_SUBENTRIES
1168 static int parseSubentries (
1169         Operation *op,
1170         SlapReply *rs,
1171         LDAPControl *ctrl )
1172 {
1173         if ( op->o_subentries != SLAP_NO_CONTROL ) {
1174                 rs->sr_text = "subentries control specified multiple times";
1175                 return LDAP_PROTOCOL_ERROR;
1176         }
1177
1178         /* FIXME: should use BER library */
1179         if( ( ctrl->ldctl_value.bv_len != 3 )
1180                 && ( ctrl->ldctl_value.bv_val[0] != 0x01 )
1181                 && ( ctrl->ldctl_value.bv_val[1] != 0x01 ))
1182         {
1183                 rs->sr_text = "subentries control value encoding is bogus";
1184                 return LDAP_PROTOCOL_ERROR;
1185         }
1186
1187         op->o_subentries = ctrl->ldctl_iscritical
1188                 ? SLAP_CRITICAL_CONTROL
1189                 : SLAP_NONCRITICAL_CONTROL;
1190
1191         op->o_subentries_visibility = (ctrl->ldctl_value.bv_val[2] != 0x00);
1192
1193         return LDAP_SUCCESS;
1194 }
1195 #endif
1196
1197 #ifdef LDAP_CONTROL_X_PERMISSIVE_MODIFY
1198 static int parsePermissiveModify (
1199         Operation *op,
1200         SlapReply *rs,
1201         LDAPControl *ctrl )
1202 {
1203         if ( op->o_permissive_modify != SLAP_NO_CONTROL ) {
1204                 rs->sr_text = "permissiveModify control specified multiple times";
1205                 return LDAP_PROTOCOL_ERROR;
1206         }
1207
1208         if ( ctrl->ldctl_value.bv_len ) {
1209                 rs->sr_text = "permissiveModify control value not empty";
1210                 return LDAP_PROTOCOL_ERROR;
1211         }
1212
1213         op->o_permissive_modify = ctrl->ldctl_iscritical
1214                 ? SLAP_CRITICAL_CONTROL
1215                 : SLAP_NONCRITICAL_CONTROL;
1216
1217         return LDAP_SUCCESS;
1218 }
1219 #endif
1220
1221 #ifdef LDAP_CONTROL_X_DOMAIN_SCOPE
1222 static int parseDomainScope (
1223         Operation *op,
1224         SlapReply *rs,
1225         LDAPControl *ctrl )
1226 {
1227         if ( op->o_domain_scope != SLAP_NO_CONTROL ) {
1228                 rs->sr_text = "domainScope control specified multiple times";
1229                 return LDAP_PROTOCOL_ERROR;
1230         }
1231
1232         if ( ctrl->ldctl_value.bv_len ) {
1233                 rs->sr_text = "domainScope control value not empty";
1234                 return LDAP_PROTOCOL_ERROR;
1235         }
1236
1237         op->o_domain_scope = ctrl->ldctl_iscritical
1238                 ? SLAP_CRITICAL_CONTROL
1239                 : SLAP_NONCRITICAL_CONTROL;
1240
1241         return LDAP_SUCCESS;
1242 }
1243 #endif
1244
1245 static int parseLDAPsync (
1246         Operation *op,
1247         SlapReply *rs,
1248         LDAPControl *ctrl )
1249 {
1250         ber_tag_t tag;
1251         BerElement *ber;
1252         ber_int_t mode;
1253         ber_len_t len;
1254         struct slap_session_entry *se;
1255
1256         if ( op->o_sync != SLAP_NO_CONTROL ) {
1257                 rs->sr_text = "LDAP Sync control specified multiple times";
1258                 return LDAP_PROTOCOL_ERROR;
1259         }
1260
1261         if ( ctrl->ldctl_value.bv_len == 0 ) {
1262                 rs->sr_text = "LDAP Sync control value is empty (or absent)";
1263                 return LDAP_PROTOCOL_ERROR;
1264         }
1265
1266         /* Parse the control value
1267          *      syncRequestValue ::= SEQUENCE {
1268          *              mode   ENUMERATED {
1269          *                      -- 0 unused
1270          *                      refreshOnly             (1),
1271          *                      -- 2 reserved
1272          *                      refreshAndPersist       (3)
1273          *              },
1274          *              cookie  syncCookie OPTIONAL
1275          *      }
1276          */
1277
1278         ber = ber_init( &ctrl->ldctl_value );
1279         if( ber == NULL ) {
1280                 rs->sr_text = "internal error";
1281                 return LDAP_OTHER;
1282         }
1283
1284         if ( (tag = ber_scanf( ber, "{i" /*}*/, &mode )) == LBER_ERROR ) {
1285                 rs->sr_text = "LDAP Sync control : mode decoding error";
1286                 return LDAP_PROTOCOL_ERROR;
1287         }
1288
1289         switch( mode ) {
1290         case LDAP_SYNC_REFRESH_ONLY:
1291                 mode = SLAP_SYNC_REFRESH;
1292                 break;
1293         case LDAP_SYNC_REFRESH_AND_PERSIST:
1294                 mode = SLAP_SYNC_REFRESH_AND_PERSIST;
1295                 break;
1296         default:
1297                 rs->sr_text = "LDAP Sync control : unknown update mode";
1298                 return LDAP_PROTOCOL_ERROR;
1299         }
1300
1301         tag = ber_peek_tag( ber, &len );
1302
1303         if ( tag == LDAP_TAG_SYNC_COOKIE ) {
1304                 struct berval tmp_bv;
1305                 if (( ber_scanf( ber, /*{*/ "o", &tmp_bv )) == LBER_ERROR ) {
1306                         rs->sr_text = "LDAP Sync control : cookie decoding error";
1307                         return LDAP_PROTOCOL_ERROR;
1308                 }
1309                 ber_bvarray_add( &op->o_sync_state.octet_str, &tmp_bv );
1310                 slap_parse_sync_cookie( &op->o_sync_state );
1311         }
1312         if ( tag == LDAP_TAG_RELOAD_HINT ) {
1313                 if (( ber_scanf( ber, /*{*/ "b", &op->o_sync_rhint )) == LBER_ERROR ) {
1314                         rs->sr_text = "LDAP Sync control : rhint decoding error";
1315                         return LDAP_PROTOCOL_ERROR;
1316                 }
1317         }
1318         if (( ber_scanf( ber, /*{*/ "}")) == LBER_ERROR ) {
1319                         rs->sr_text = "LDAP Sync control : decoding error";
1320                         return LDAP_PROTOCOL_ERROR;
1321         }
1322
1323         (void) ber_free( ber, 1 );
1324
1325         op->o_sync_mode = (char) mode;
1326
1327         op->o_sync = ctrl->ldctl_iscritical
1328                 ? SLAP_CRITICAL_CONTROL
1329                 : SLAP_NONCRITICAL_CONTROL;
1330
1331         return LDAP_SUCCESS;
1332 }