1 /* dn.c - routines for dealing with distinguished names */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
5 * Copyright 1998-2006 The OpenLDAP Foundation.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted only as authorized by the OpenLDAP
12 * A copy of this license is available in the file LICENSE in the
13 * top-level directory of the distribution or, alternatively, at
14 * <http://www.OpenLDAP.org/license.html>.
16 /* Portions Copyright (c) 1995 Regents of the University of Michigan.
17 * All rights reserved.
19 * Redistribution and use in source and binary forms are permitted
20 * provided that this notice is preserved and that due credit is given
21 * to the University of Michigan at Ann Arbor. The name of the University
22 * may not be used to endorse or promote products derived from this
23 * software without specific prior written permission. This software
24 * is provided ``as is'' without express or implied warranty.
32 #include <ac/socket.h>
33 #include <ac/string.h>
40 * The DN syntax-related functions take advantage of the dn representation
41 * handling functions ldap_str2dn/ldap_dn2str. The latter are not schema-
42 * aware, so the attributes and their values need be validated (and possibly
43 * normalized). In the current implementation the required validation/nor-
44 * malization/"pretty"ing are done on newly created DN structural represen-
45 * tations; however the idea is to move towards DN handling in structural
46 * representation instead of the current string representation. To this
47 * purpose, we need to do only the required operations and keep track of
48 * what has been done to minimize their impact on performances.
50 * Developers are strongly encouraged to use this feature, to speed-up
54 #define AVA_PRIVATE( ava ) ( ( AttributeDescription * )(ava)->la_private )
56 int slap_DN_strict = SLAP_AD_NOINSERT;
59 LDAPRDN_validate( LDAPRDN rdn )
64 assert( rdn != NULL );
66 for ( iAVA = 0; rdn[ iAVA ]; iAVA++ ) {
67 LDAPAVA *ava = rdn[ iAVA ];
68 AttributeDescription *ad;
69 slap_syntax_validate_func *validate = NULL;
71 assert( ava != NULL );
73 if ( ( ad = AVA_PRIVATE( ava ) ) == NULL ) {
74 const char *text = NULL;
76 rc = slap_bv2ad( &ava->la_attr, &ad, &text );
77 if ( rc != LDAP_SUCCESS ) {
78 rc = slap_bv2undef_ad( &ava->la_attr,
80 SLAP_AD_PROXIED|slap_DN_strict );
81 if ( rc != LDAP_SUCCESS ) {
82 return LDAP_INVALID_SYNTAX;
86 ava->la_private = ( void * )ad;
90 * Replace attr oid/name with the canonical name
92 ava->la_attr = ad->ad_cname;
94 validate = ad->ad_type->sat_syntax->ssyn_validate;
98 * validate value by validate function
100 rc = ( *validate )( ad->ad_type->sat_syntax,
103 if ( rc != LDAP_SUCCESS ) {
104 return LDAP_INVALID_SYNTAX;
113 * In-place, schema-aware validation of the
114 * structural representation of a distinguished name.
117 LDAPDN_validate( LDAPDN dn )
122 assert( dn != NULL );
124 for ( iRDN = 0; dn[ iRDN ]; iRDN++ ) {
125 LDAPRDN rdn = dn[ iRDN ];
128 assert( rdn != NULL );
130 for ( iAVA = 0; rdn[ iAVA ]; iAVA++ ) {
131 LDAPAVA *ava = rdn[ iAVA ];
132 AttributeDescription *ad;
133 slap_syntax_validate_func *validate = NULL;
135 assert( ava != NULL );
137 if ( ( ad = AVA_PRIVATE( ava ) ) == NULL ) {
138 const char *text = NULL;
140 rc = slap_bv2ad( &ava->la_attr, &ad, &text );
141 if ( rc != LDAP_SUCCESS ) {
142 rc = slap_bv2undef_ad( &ava->la_attr,
144 SLAP_AD_PROXIED|slap_DN_strict );
145 if ( rc != LDAP_SUCCESS ) {
146 return LDAP_INVALID_SYNTAX;
150 ava->la_private = ( void * )ad;
154 * Replace attr oid/name with the canonical name
156 ava->la_attr = ad->ad_cname;
158 validate = ad->ad_type->sat_syntax->ssyn_validate;
162 * validate value by validate function
164 rc = ( *validate )( ad->ad_type->sat_syntax,
167 if ( rc != LDAP_SUCCESS ) {
168 return LDAP_INVALID_SYNTAX;
178 * dn validate routine
188 assert( in != NULL );
190 if ( in->bv_len == 0 ) {
193 } else if ( in->bv_len > SLAP_LDAPDN_MAXLEN ) {
194 return LDAP_INVALID_SYNTAX;
197 rc = ldap_bv2dn( in, &dn, LDAP_DN_FORMAT_LDAP );
198 if ( rc != LDAP_SUCCESS ) {
199 return LDAP_INVALID_SYNTAX;
202 assert( strlen( in->bv_val ) == in->bv_len );
205 * Schema-aware validate
207 rc = LDAPDN_validate( dn );
210 if ( rc != LDAP_SUCCESS ) {
211 return LDAP_INVALID_SYNTAX;
226 assert( in != NULL );
227 if ( in->bv_len == 0 ) {
230 } else if ( in->bv_len > SLAP_LDAPDN_MAXLEN ) {
231 return LDAP_INVALID_SYNTAX;
234 rc = ldap_bv2rdn_x( in , &rdn, (char **) &p,
235 LDAP_DN_FORMAT_LDAP, NULL);
236 if ( rc != LDAP_SUCCESS ) {
237 return LDAP_INVALID_SYNTAX;
240 assert( strlen( in->bv_val ) == in->bv_len );
243 * Schema-aware validate
245 rc = LDAPRDN_validate( rdn );
248 if ( rc != LDAP_SUCCESS ) {
249 return LDAP_INVALID_SYNTAX;
257 * AVA sorting inside a RDN
259 * rule: sort attributeTypes in alphabetical order; in case of multiple
260 * occurrences of the same attributeType, sort values in byte order
261 * (use memcmp, which implies alphabetical order in case of IA5 value;
262 * this should guarantee the repeatability of the operation).
264 * Note: the sorting can be slightly improved by sorting first
265 * by attribute type length, then by alphabetical order.
267 * uses a linear search; should be fine since the number of AVAs in
268 * a RDN should be limited.
271 AVA_Sort( LDAPRDN rdn, int iAVA )
274 LDAPAVA *ava_in = rdn[ iAVA ];
276 assert( rdn != NULL );
277 assert( ava_in != NULL );
279 for ( i = 0; i < iAVA; i++ ) {
280 LDAPAVA *ava = rdn[ i ];
283 assert( ava != NULL );
285 a = strcmp( ava_in->la_attr.bv_val, ava->la_attr.bv_val );
294 d = ava_in->la_value.bv_len - ava->la_value.bv_len;
296 v = memcmp( ava_in->la_value.bv_val,
297 ava->la_value.bv_val,
298 d <= 0 ? ava_in->la_value.bv_len
299 : ava->la_value.bv_len );
301 if ( v == 0 && d != 0 ) {
320 a = strcmp( ava_in->la_attr.bv_val,
321 ava->la_attr.bv_val );
327 for ( j = iAVA; j > i; j-- ) {
328 rdn[ j ] = rdn[ j - 1 ];
337 LDAPRDN_rewrite( LDAPRDN rdn, unsigned flags, void *ctx )
342 for ( iAVA = 0; rdn[ iAVA ]; iAVA++ ) {
343 LDAPAVA *ava = rdn[ iAVA ];
344 AttributeDescription *ad;
345 slap_syntax_validate_func *validf = NULL;
346 slap_mr_normalize_func *normf = NULL;
347 slap_syntax_transform_func *transf = NULL;
348 MatchingRule *mr = NULL;
349 struct berval bv = BER_BVNULL;
352 assert( ava != NULL );
354 if ( ( ad = AVA_PRIVATE( ava ) ) == NULL ) {
355 const char *text = NULL;
357 rc = slap_bv2ad( &ava->la_attr, &ad, &text );
358 if ( rc != LDAP_SUCCESS ) {
359 rc = slap_bv2undef_ad( &ava->la_attr,
361 SLAP_AD_PROXIED|slap_DN_strict );
362 if ( rc != LDAP_SUCCESS ) {
363 return LDAP_INVALID_SYNTAX;
367 ava->la_private = ( void * )ad;
372 * Replace attr oid/name with the canonical name
374 ava->la_attr = ad->ad_cname;
376 if( ava->la_flags & LDAP_AVA_BINARY ) {
377 if( ava->la_value.bv_len == 0 ) {
378 /* BER encoding is empty */
379 return LDAP_INVALID_SYNTAX;
382 /* AVA is binary encoded, don't muck with it */
383 } else if( flags & SLAP_LDAPDN_PRETTY ) {
384 transf = ad->ad_type->sat_syntax->ssyn_pretty;
386 validf = ad->ad_type->sat_syntax->ssyn_validate;
388 } else { /* normalization */
389 validf = ad->ad_type->sat_syntax->ssyn_validate;
390 mr = ad->ad_type->sat_equality;
391 if( mr && (!( mr->smr_usage & SLAP_MR_MUTATION_NORMALIZER ))) {
392 normf = mr->smr_normalize;
397 /* validate value before normalization */
398 rc = ( *validf )( ad->ad_type->sat_syntax,
401 : (struct berval *) &slap_empty_bv );
403 if ( rc != LDAP_SUCCESS ) {
404 return LDAP_INVALID_SYNTAX;
410 * transform value by pretty function
411 * if value is empty, use empty_bv
413 rc = ( *transf )( ad->ad_type->sat_syntax,
416 : (struct berval *) &slap_empty_bv,
419 if ( rc != LDAP_SUCCESS ) {
420 return LDAP_INVALID_SYNTAX;
427 * if value is empty, use empty_bv
430 SLAP_MR_VALUE_OF_ASSERTION_SYNTAX,
431 ad->ad_type->sat_syntax,
435 : (struct berval *) &slap_empty_bv,
438 if ( rc != LDAP_SUCCESS ) {
439 return LDAP_INVALID_SYNTAX;
445 if ( ava->la_flags & LDAP_AVA_FREE_VALUE )
446 ber_memfree_x( ava->la_value.bv_val, ctx );
448 ava->la_flags |= LDAP_AVA_FREE_VALUE;
451 if( do_sort ) AVA_Sort( rdn, iAVA );
457 * In-place, schema-aware normalization / "pretty"ing of the
458 * structural representation of a distinguished name.
461 LDAPDN_rewrite( LDAPDN dn, unsigned flags, void *ctx )
466 assert( dn != NULL );
468 for ( iRDN = 0; dn[ iRDN ]; iRDN++ ) {
469 LDAPRDN rdn = dn[ iRDN ];
472 assert( rdn != NULL );
474 for ( iAVA = 0; rdn[ iAVA ]; iAVA++ ) {
475 LDAPAVA *ava = rdn[ iAVA ];
476 AttributeDescription *ad;
477 slap_syntax_validate_func *validf = NULL;
478 slap_mr_normalize_func *normf = NULL;
479 slap_syntax_transform_func *transf = NULL;
480 MatchingRule *mr = NULL;
481 struct berval bv = BER_BVNULL;
484 assert( ava != NULL );
486 if ( ( ad = AVA_PRIVATE( ava ) ) == NULL ) {
487 const char *text = NULL;
489 rc = slap_bv2ad( &ava->la_attr, &ad, &text );
490 if ( rc != LDAP_SUCCESS ) {
491 rc = slap_bv2undef_ad( &ava->la_attr,
493 SLAP_AD_PROXIED|slap_DN_strict );
494 if ( rc != LDAP_SUCCESS ) {
495 return LDAP_INVALID_SYNTAX;
499 ava->la_private = ( void * )ad;
504 * Replace attr oid/name with the canonical name
506 ava->la_attr = ad->ad_cname;
508 if( ava->la_flags & LDAP_AVA_BINARY ) {
509 if( ava->la_value.bv_len == 0 ) {
510 /* BER encoding is empty */
511 return LDAP_INVALID_SYNTAX;
514 /* AVA is binary encoded, don't muck with it */
515 } else if( flags & SLAP_LDAPDN_PRETTY ) {
516 transf = ad->ad_type->sat_syntax->ssyn_pretty;
518 validf = ad->ad_type->sat_syntax->ssyn_validate;
520 } else { /* normalization */
521 validf = ad->ad_type->sat_syntax->ssyn_validate;
522 mr = ad->ad_type->sat_equality;
523 if( mr && (!( mr->smr_usage & SLAP_MR_MUTATION_NORMALIZER ))) {
524 normf = mr->smr_normalize;
529 /* validate value before normalization */
530 rc = ( *validf )( ad->ad_type->sat_syntax,
533 : (struct berval *) &slap_empty_bv );
535 if ( rc != LDAP_SUCCESS ) {
536 return LDAP_INVALID_SYNTAX;
542 * transform value by pretty function
543 * if value is empty, use empty_bv
545 rc = ( *transf )( ad->ad_type->sat_syntax,
548 : (struct berval *) &slap_empty_bv,
551 if ( rc != LDAP_SUCCESS ) {
552 return LDAP_INVALID_SYNTAX;
559 * if value is empty, use empty_bv
562 SLAP_MR_VALUE_OF_ASSERTION_SYNTAX,
563 ad->ad_type->sat_syntax,
567 : (struct berval *) &slap_empty_bv,
570 if ( rc != LDAP_SUCCESS ) {
571 return LDAP_INVALID_SYNTAX;
577 if ( ava->la_flags & LDAP_AVA_FREE_VALUE )
578 ber_memfree_x( ava->la_value.bv_val, ctx );
580 ava->la_flags |= LDAP_AVA_FREE_VALUE;
583 if( do_sort ) AVA_Sort( rdn, iAVA );
599 assert( val != NULL );
600 assert( out != NULL );
602 Debug( LDAP_DEBUG_TRACE, ">>> dnNormalize: <%s>\n", val->bv_val, 0, 0 );
604 if ( val->bv_len != 0 ) {
609 * Go to structural representation
611 rc = ldap_bv2dn_x( val, &dn, LDAP_DN_FORMAT_LDAP, ctx );
612 if ( rc != LDAP_SUCCESS ) {
613 return LDAP_INVALID_SYNTAX;
616 assert( strlen( val->bv_val ) == val->bv_len );
619 * Schema-aware rewrite
621 if ( LDAPDN_rewrite( dn, 0, ctx ) != LDAP_SUCCESS ) {
622 ldap_dnfree_x( dn, ctx );
623 return LDAP_INVALID_SYNTAX;
627 * Back to string representation
629 rc = ldap_dn2bv_x( dn, out,
630 LDAP_DN_FORMAT_LDAPV3 | LDAP_DN_PRETTY, ctx );
632 ldap_dnfree_x( dn, ctx );
634 if ( rc != LDAP_SUCCESS ) {
635 return LDAP_INVALID_SYNTAX;
638 ber_dupbv_x( out, val, ctx );
641 Debug( LDAP_DEBUG_TRACE, "<<< dnNormalize: <%s>\n", out->bv_val, 0, 0 );
655 assert( val != NULL );
656 assert( out != NULL );
658 Debug( LDAP_DEBUG_TRACE, ">>> dnNormalize: <%s>\n", val->bv_val, 0, 0 );
659 if ( val->bv_len != 0 ) {
665 * Go to structural representation
667 rc = ldap_bv2rdn_x( val , &rdn, (char **) &p,
668 LDAP_DN_FORMAT_LDAP, ctx);
670 if ( rc != LDAP_SUCCESS ) {
671 return LDAP_INVALID_SYNTAX;
674 assert( strlen( val->bv_val ) == val->bv_len );
677 * Schema-aware rewrite
679 if ( LDAPRDN_rewrite( rdn, 0, ctx ) != LDAP_SUCCESS ) {
680 ldap_rdnfree_x( rdn, ctx );
681 return LDAP_INVALID_SYNTAX;
685 * Back to string representation
687 rc = ldap_rdn2bv_x( rdn, out,
688 LDAP_DN_FORMAT_LDAPV3 | LDAP_DN_PRETTY, ctx );
690 ldap_rdnfree_x( rdn, ctx );
692 if ( rc != LDAP_SUCCESS ) {
693 return LDAP_INVALID_SYNTAX;
696 ber_dupbv_x( out, val, ctx );
699 Debug( LDAP_DEBUG_TRACE, "<<< dnNormalize: <%s>\n", out->bv_val, 0, 0 );
711 assert( val != NULL );
712 assert( out != NULL );
714 Debug( LDAP_DEBUG_TRACE, ">>> dnPretty: <%s>\n", val->bv_val, 0, 0 );
716 if ( val->bv_len == 0 ) {
717 ber_dupbv_x( out, val, ctx );
719 } else if ( val->bv_len > SLAP_LDAPDN_MAXLEN ) {
720 return LDAP_INVALID_SYNTAX;
726 /* FIXME: should be liberal in what we accept */
727 rc = ldap_bv2dn_x( val, &dn, LDAP_DN_FORMAT_LDAP, ctx );
728 if ( rc != LDAP_SUCCESS ) {
729 return LDAP_INVALID_SYNTAX;
732 assert( strlen( val->bv_val ) == val->bv_len );
735 * Schema-aware rewrite
737 if ( LDAPDN_rewrite( dn, SLAP_LDAPDN_PRETTY, ctx ) != LDAP_SUCCESS ) {
738 ldap_dnfree_x( dn, ctx );
739 return LDAP_INVALID_SYNTAX;
742 /* FIXME: not sure why the default isn't pretty */
743 /* RE: the default is the form that is used as
744 * an internal representation; the pretty form
746 rc = ldap_dn2bv_x( dn, out,
747 LDAP_DN_FORMAT_LDAPV3 | LDAP_DN_PRETTY, ctx );
749 ldap_dnfree_x( dn, ctx );
751 if ( rc != LDAP_SUCCESS ) {
752 return LDAP_INVALID_SYNTAX;
756 Debug( LDAP_DEBUG_TRACE, "<<< dnPretty: <%s>\n", out->bv_val, 0, 0 );
768 assert( val != NULL );
769 assert( out != NULL );
771 Debug( LDAP_DEBUG_TRACE, ">>> dnPretty: <%s>\n", val->bv_val, 0, 0 );
773 if ( val->bv_len == 0 ) {
774 ber_dupbv_x( out, val, ctx );
776 } else if ( val->bv_len > SLAP_LDAPDN_MAXLEN ) {
777 return LDAP_INVALID_SYNTAX;
784 /* FIXME: should be liberal in what we accept */
785 rc = ldap_bv2rdn_x( val , &rdn, (char **) &p,
786 LDAP_DN_FORMAT_LDAP, ctx);
787 if ( rc != LDAP_SUCCESS ) {
788 return LDAP_INVALID_SYNTAX;
791 assert( strlen( val->bv_val ) == val->bv_len );
794 * Schema-aware rewrite
796 if ( LDAPRDN_rewrite( rdn, SLAP_LDAPDN_PRETTY, ctx ) != LDAP_SUCCESS ) {
797 ldap_rdnfree_x( rdn, ctx );
798 return LDAP_INVALID_SYNTAX;
801 /* FIXME: not sure why the default isn't pretty */
802 /* RE: the default is the form that is used as
803 * an internal representation; the pretty form
805 rc = ldap_rdn2bv_x( rdn, out,
806 LDAP_DN_FORMAT_LDAPV3 | LDAP_DN_PRETTY, ctx );
808 ldap_rdnfree_x( rdn, ctx );
810 if ( rc != LDAP_SUCCESS ) {
811 return LDAP_INVALID_SYNTAX;
815 Debug( LDAP_DEBUG_TRACE, "<<< dnPretty: <%s>\n", out->bv_val, 0, 0 );
829 assert( val != NULL );
830 assert( dn != NULL );
832 Debug( LDAP_DEBUG_TRACE, ">>> dn%sDN: <%s>\n",
833 flags == SLAP_LDAPDN_PRETTY ? "Pretty" : "Normal",
836 if ( val->bv_len == 0 ) {
839 } else if ( val->bv_len > SLAP_LDAPDN_MAXLEN ) {
840 return LDAP_INVALID_SYNTAX;
845 /* FIXME: should be liberal in what we accept */
846 rc = ldap_bv2dn_x( val, dn, LDAP_DN_FORMAT_LDAP, ctx );
847 if ( rc != LDAP_SUCCESS ) {
848 return LDAP_INVALID_SYNTAX;
851 assert( strlen( val->bv_val ) == val->bv_len );
854 * Schema-aware rewrite
856 if ( LDAPDN_rewrite( *dn, flags, ctx ) != LDAP_SUCCESS ) {
857 ldap_dnfree_x( *dn, ctx );
859 return LDAP_INVALID_SYNTAX;
863 Debug( LDAP_DEBUG_TRACE, "<<< dn%sDN\n",
864 flags == SLAP_LDAPDN_PRETTY ? "Pretty" : "Normal",
871 * Combination of both dnPretty and dnNormalize
877 struct berval *pretty,
878 struct berval *normal,
881 Debug( LDAP_DEBUG_TRACE, ">>> dnPrettyNormal: <%s>\n", val->bv_val, 0, 0 );
883 assert( val != NULL );
884 assert( pretty != NULL );
885 assert( normal != NULL );
887 if ( val->bv_len == 0 ) {
888 ber_dupbv_x( pretty, val, ctx );
889 ber_dupbv_x( normal, val, ctx );
891 } else if ( val->bv_len > SLAP_LDAPDN_MAXLEN ) {
893 return LDAP_INVALID_SYNTAX;
899 pretty->bv_val = NULL;
900 normal->bv_val = NULL;
904 /* FIXME: should be liberal in what we accept */
905 rc = ldap_bv2dn_x( val, &dn, LDAP_DN_FORMAT_LDAP, ctx );
906 if ( rc != LDAP_SUCCESS ) {
907 return LDAP_INVALID_SYNTAX;
910 assert( strlen( val->bv_val ) == val->bv_len );
913 * Schema-aware rewrite
915 if ( LDAPDN_rewrite( dn, SLAP_LDAPDN_PRETTY, ctx ) != LDAP_SUCCESS ) {
916 ldap_dnfree_x( dn, ctx );
917 return LDAP_INVALID_SYNTAX;
920 rc = ldap_dn2bv_x( dn, pretty,
921 LDAP_DN_FORMAT_LDAPV3 | LDAP_DN_PRETTY, ctx );
923 if ( rc != LDAP_SUCCESS ) {
924 ldap_dnfree_x( dn, ctx );
925 return LDAP_INVALID_SYNTAX;
928 if ( LDAPDN_rewrite( dn, 0, ctx ) != LDAP_SUCCESS ) {
929 ldap_dnfree_x( dn, ctx );
930 ber_memfree_x( pretty->bv_val, ctx );
931 pretty->bv_val = NULL;
933 return LDAP_INVALID_SYNTAX;
936 rc = ldap_dn2bv_x( dn, normal,
937 LDAP_DN_FORMAT_LDAPV3 | LDAP_DN_PRETTY, ctx );
939 ldap_dnfree_x( dn, ctx );
940 if ( rc != LDAP_SUCCESS ) {
941 ber_memfree_x( pretty->bv_val, ctx );
942 pretty->bv_val = NULL;
944 return LDAP_INVALID_SYNTAX;
948 Debug( LDAP_DEBUG_TRACE, "<<< dnPrettyNormal: <%s>, <%s>\n",
949 pretty->bv_val, normal->bv_val, 0 );
963 struct berval *value,
964 void *assertedValue )
967 struct berval *asserted = (struct berval *) assertedValue;
969 assert( matchp != NULL );
970 assert( value != NULL );
971 assert( assertedValue != NULL );
972 assert( !BER_BVISNULL( value ) );
973 assert( !BER_BVISNULL( asserted ) );
975 match = value->bv_len - asserted->bv_len;
978 match = memcmp( value->bv_val, asserted->bv_val,
982 Debug( LDAP_DEBUG_ARGS, "dnMatch %d\n\t\"%s\"\n\t\"%s\"\n",
983 match, value->bv_val, asserted->bv_val );
990 * dnRelativeMatch routine
998 struct berval *value,
999 void *assertedValue )
1002 struct berval *asserted = (struct berval *) assertedValue;
1004 assert( matchp != NULL );
1005 assert( value != NULL );
1006 assert( assertedValue != NULL );
1007 assert( !BER_BVISNULL( value ) );
1008 assert( !BER_BVISNULL( asserted ) );
1010 if( mr == slap_schema.si_mr_dnSubtreeMatch ) {
1011 if( asserted->bv_len > value->bv_len ) {
1013 } else if ( asserted->bv_len == value->bv_len ) {
1014 match = memcmp( value->bv_val, asserted->bv_val,
1018 value->bv_val[value->bv_len - asserted->bv_len - 1] ))
1021 &value->bv_val[value->bv_len - asserted->bv_len],
1030 return LDAP_SUCCESS;
1033 if( mr == slap_schema.si_mr_dnSuperiorMatch ) {
1035 value = (struct berval *) assertedValue;
1036 mr = slap_schema.si_mr_dnSubordinateMatch;
1039 if( mr == slap_schema.si_mr_dnSubordinateMatch ) {
1040 if( asserted->bv_len >= value->bv_len ) {
1044 value->bv_val[value->bv_len - asserted->bv_len - 1] ))
1047 &value->bv_val[value->bv_len - asserted->bv_len],
1056 return LDAP_SUCCESS;
1059 if( mr == slap_schema.si_mr_dnOneLevelMatch ) {
1060 if( asserted->bv_len >= value->bv_len ) {
1064 value->bv_val[value->bv_len - asserted->bv_len - 1] ))
1067 &value->bv_val[value->bv_len - asserted->bv_len],
1073 rdn.bv_val = value->bv_val;
1074 rdn.bv_len = value->bv_len - asserted->bv_len - 1;
1075 match = dnIsOneLevelRDN( &rdn ) ? 0 : 1;
1083 return LDAP_SUCCESS;
1086 /* should not be reachable */
1097 struct berval *value,
1098 void *assertedValue )
1101 struct berval *asserted = (struct berval *) assertedValue;
1103 assert( matchp != NULL );
1104 assert( value != NULL );
1105 assert( assertedValue != NULL );
1107 match = value->bv_len - asserted->bv_len;
1110 match = memcmp( value->bv_val, asserted->bv_val,
1114 Debug( LDAP_DEBUG_ARGS, "rdnMatch %d\n\t\"%s\"\n\t\"%s\"\n",
1115 match, value->bv_val, asserted->bv_val );
1118 return LDAP_SUCCESS;
1123 * dnParent - dn's parent, in-place
1124 * note: the incoming dn is assumed to be normalized/prettyfied,
1125 * so that escaped rdn/ava separators are in '\'+hexpair form
1127 * note: "dn" and "pdn" can point to the same berval;
1128 * beware that, in this case, the pointer to the original buffer
1134 struct berval *pdn )
1138 p = ber_bvchr( dn, ',' );
1143 pdn->bv_val = dn->bv_val + dn->bv_len;
1147 assert( DN_SEPARATOR( p[ 0 ] ) );
1150 assert( ATTR_LEADCHAR( p[ 0 ] ) );
1151 pdn->bv_len = dn->bv_len - (p - dn->bv_val);
1158 * dnRdn - dn's rdn, in-place
1159 * note: the incoming dn is assumed to be normalized/prettyfied,
1160 * so that escaped rdn/ava separators are in '\'+hexpair form
1165 struct berval *rdn )
1170 p = ber_bvchr( dn, ',' );
1177 assert( DN_SEPARATOR( p[ 0 ] ) );
1178 assert( ATTR_LEADCHAR( p[ 1 ] ) );
1179 rdn->bv_len = p - dn->bv_val;
1194 assert( dn != NULL );
1195 assert( rdn != NULL );
1197 if( dn->bv_len == 0 ) {
1201 rc = ldap_bv2rdn_x( dn, &tmpRDN, (char **)&p, LDAP_DN_FORMAT_LDAP, ctx );
1202 if ( rc != LDAP_SUCCESS ) {
1206 rc = ldap_rdn2bv_x( tmpRDN, rdn, LDAP_DN_FORMAT_LDAPV3 | LDAP_DN_PRETTY,
1209 ldap_rdnfree_x( tmpRDN, ctx );
1214 * We can assume the input is a prettied or normalized DN
1219 struct berval *dn_in )
1223 assert( dn_in != NULL );
1225 if ( dn_in == NULL ) {
1229 if ( !dn_in->bv_len ) {
1233 if ( be != NULL && be_issuffix( be, dn_in ) ) {
1237 p = ber_bvchr( dn_in, ',' );
1239 return p ? p - dn_in->bv_val : dn_in->bv_len;
1245 * LDAP_SUCCESS if rdn is a legal rdn;
1246 * LDAP_INVALID_SYNTAX otherwise (including a sequence of rdns)
1249 rdn_validate( struct berval *rdn )
1253 * input is a pretty or normalized DN
1254 * hence, we can just search for ','
1256 if( rdn == NULL || rdn->bv_len == 0 ||
1257 rdn->bv_len > SLAP_LDAPDN_MAXLEN )
1259 return LDAP_INVALID_SYNTAX;
1261 return ber_bvchr( rdn, ',' ) == NULL
1262 ? LDAP_SUCCESS : LDAP_INVALID_SYNTAX;
1265 LDAPRDN *RDN, **DN[ 2 ] = { &RDN, NULL };
1272 if ( rdn == NULL || rdn == '\0' ) {
1279 rc = ldap_bv2rdn( rdn, &RDN, (char **)&p, LDAP_DN_FORMAT_LDAP );
1280 if ( rc != LDAP_SUCCESS ) {
1287 if ( p[ 0 ] != '\0' ) {
1292 * Schema-aware validate
1294 if ( rc == LDAP_SUCCESS ) {
1295 rc = LDAPDN_validate( DN );
1297 ldap_rdnfree( RDN );
1300 * Must validate (there's a repeated parsing ...)
1302 return ( rc == LDAP_SUCCESS );
1309 * Used by back-bdb back_modrdn to create the new dn of entries being
1312 * new_dn = parent (p_dn) + separator + rdn (newrdn) + null.
1316 build_new_dn( struct berval * new_dn,
1317 struct berval * parent_dn,
1318 struct berval * newrdn,
1323 if ( parent_dn == NULL || parent_dn->bv_len == 0 ) {
1324 ber_dupbv_x( new_dn, newrdn, memctx );
1328 new_dn->bv_len = parent_dn->bv_len + newrdn->bv_len + 1;
1329 new_dn->bv_val = (char *) slap_sl_malloc( new_dn->bv_len + 1, memctx );
1331 ptr = lutil_strncopy( new_dn->bv_val, newrdn->bv_val, newrdn->bv_len );
1333 strcpy( ptr, parent_dn->bv_val );
1338 * dnIsSuffix - tells whether suffix is a suffix of dn.
1339 * Both dn and suffix must be normalized.
1343 const struct berval *dn,
1344 const struct berval *suffix )
1346 int d = dn->bv_len - suffix->bv_len;
1348 assert( dn != NULL );
1349 assert( suffix != NULL );
1351 /* empty suffix matches any dn */
1352 if ( suffix->bv_len == 0 ) {
1356 /* suffix longer than dn */
1361 /* no rdn separator or escaped rdn separator */
1362 if ( d > 1 && !DN_SEPARATOR( dn->bv_val[ d - 1 ] ) ) {
1366 /* no possible match or malformed dn */
1372 return( strcmp( dn->bv_val + d, suffix->bv_val ) == 0 );
1376 dnIsOneLevelRDN( struct berval *rdn )
1378 ber_len_t len = rdn->bv_len;
1380 if ( DN_SEPARATOR( rdn->bv_val[ len ] ) ) {
1389 static SLAP_CERT_MAP_FN *DNX509PeerNormalizeCertMap = NULL;
1392 int register_certificate_map_function(SLAP_CERT_MAP_FN *fn)
1395 if ( DNX509PeerNormalizeCertMap == NULL ) {
1396 DNX509PeerNormalizeCertMap = fn;
1406 * Convert an X.509 DN into a normalized LDAP DN
1409 dnX509normalize( void *x509_name, struct berval *out )
1411 /* Invoke the LDAP library's converter with our schema-rewriter */
1412 int rc = ldap_X509dn2bv( x509_name, out, LDAPDN_rewrite, 0 );
1414 Debug( LDAP_DEBUG_TRACE,
1415 "dnX509Normalize: <%s> (%d)\n",
1416 BER_BVISNULL( out ) ? "(null)" : out->bv_val, rc, 0 );
1422 * Get the TLS session's peer's DN into a normalized LDAP DN
1425 dnX509peerNormalize( void *ssl, struct berval *dn )
1427 int rc = LDAP_INVALID_CREDENTIALS;
1429 if ( DNX509PeerNormalizeCertMap != NULL )
1430 rc = (*DNX509PeerNormalizeCertMap)( ssl, dn );
1432 if ( rc != LDAP_SUCCESS ) {
1433 rc = ldap_pvt_tls_get_peer_dn( ssl, dn,
1434 (LDAPDN_rewrite_dummy *)LDAPDN_rewrite, 0 );