1 /* dn.c - routines for dealing with distinguished names */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
5 * Copyright 1998-2007 The OpenLDAP Foundation.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted only as authorized by the OpenLDAP
12 * A copy of this license is available in the file LICENSE in the
13 * top-level directory of the distribution or, alternatively, at
14 * <http://www.OpenLDAP.org/license.html>.
16 /* Portions Copyright (c) 1995 Regents of the University of Michigan.
17 * All rights reserved.
19 * Redistribution and use in source and binary forms are permitted
20 * provided that this notice is preserved and that due credit is given
21 * to the University of Michigan at Ann Arbor. The name of the University
22 * may not be used to endorse or promote products derived from this
23 * software without specific prior written permission. This software
24 * is provided ``as is'' without express or implied warranty.
32 #include <ac/socket.h>
33 #include <ac/string.h>
40 * The DN syntax-related functions take advantage of the dn representation
41 * handling functions ldap_str2dn/ldap_dn2str. The latter are not schema-
42 * aware, so the attributes and their values need be validated (and possibly
43 * normalized). In the current implementation the required validation/nor-
44 * malization/"pretty"ing are done on newly created DN structural represen-
45 * tations; however the idea is to move towards DN handling in structural
46 * representation instead of the current string representation. To this
47 * purpose, we need to do only the required operations and keep track of
48 * what has been done to minimize their impact on performances.
50 * Developers are strongly encouraged to use this feature, to speed-up
54 #define AVA_PRIVATE( ava ) ( ( AttributeDescription * )(ava)->la_private )
56 int slap_DN_strict = SLAP_AD_NOINSERT;
59 LDAPRDN_validate( LDAPRDN rdn )
64 assert( rdn != NULL );
66 for ( iAVA = 0; rdn[ iAVA ]; iAVA++ ) {
67 LDAPAVA *ava = rdn[ iAVA ];
68 AttributeDescription *ad;
69 slap_syntax_validate_func *validate = NULL;
71 assert( ava != NULL );
73 if ( ( ad = AVA_PRIVATE( ava ) ) == NULL ) {
74 const char *text = NULL;
76 rc = slap_bv2ad( &ava->la_attr, &ad, &text );
77 if ( rc != LDAP_SUCCESS ) {
78 rc = slap_bv2undef_ad( &ava->la_attr,
80 SLAP_AD_PROXIED|slap_DN_strict );
81 if ( rc != LDAP_SUCCESS ) {
82 return LDAP_INVALID_SYNTAX;
86 ava->la_private = ( void * )ad;
90 * Do not allow X-ORDERED 'VALUES' naming attributes
92 if ( ad->ad_type->sat_flags & SLAP_AT_ORDERED_VAL ) {
93 return LDAP_INVALID_SYNTAX;
97 * Replace attr oid/name with the canonical name
99 ava->la_attr = ad->ad_cname;
101 validate = ad->ad_type->sat_syntax->ssyn_validate;
105 * validate value by validate function
107 rc = ( *validate )( ad->ad_type->sat_syntax,
110 if ( rc != LDAP_SUCCESS ) {
111 return LDAP_INVALID_SYNTAX;
120 * In-place, schema-aware validation of the
121 * structural representation of a distinguished name.
124 LDAPDN_validate( LDAPDN dn )
129 assert( dn != NULL );
131 for ( iRDN = 0; dn[ iRDN ]; iRDN++ ) {
132 rc = LDAPRDN_validate( dn[ iRDN ] );
133 if ( rc != LDAP_SUCCESS ) {
142 * dn validate routine
152 assert( in != NULL );
154 if ( in->bv_len == 0 ) {
157 } else if ( in->bv_len > SLAP_LDAPDN_MAXLEN ) {
158 return LDAP_INVALID_SYNTAX;
161 rc = ldap_bv2dn( in, &dn, LDAP_DN_FORMAT_LDAP );
162 if ( rc != LDAP_SUCCESS ) {
163 return LDAP_INVALID_SYNTAX;
166 assert( strlen( in->bv_val ) == in->bv_len );
169 * Schema-aware validate
171 rc = LDAPDN_validate( dn );
174 if ( rc != LDAP_SUCCESS ) {
175 return LDAP_INVALID_SYNTAX;
190 assert( in != NULL );
191 if ( in->bv_len == 0 ) {
194 } else if ( in->bv_len > SLAP_LDAPDN_MAXLEN ) {
195 return LDAP_INVALID_SYNTAX;
198 rc = ldap_bv2rdn_x( in , &rdn, (char **) &p,
199 LDAP_DN_FORMAT_LDAP, NULL);
200 if ( rc != LDAP_SUCCESS ) {
201 return LDAP_INVALID_SYNTAX;
204 assert( strlen( in->bv_val ) == in->bv_len );
207 * Schema-aware validate
209 rc = LDAPRDN_validate( rdn );
212 if ( rc != LDAP_SUCCESS ) {
213 return LDAP_INVALID_SYNTAX;
221 * AVA sorting inside a RDN
223 * rule: sort attributeTypes in alphabetical order; in case of multiple
224 * occurrences of the same attributeType, sort values in byte order
225 * (use memcmp, which implies alphabetical order in case of IA5 value;
226 * this should guarantee the repeatability of the operation).
228 * Note: the sorting can be slightly improved by sorting first
229 * by attribute type length, then by alphabetical order.
231 * uses a linear search; should be fine since the number of AVAs in
232 * a RDN should be limited.
235 AVA_Sort( LDAPRDN rdn, int iAVA )
238 LDAPAVA *ava_in = rdn[ iAVA ];
240 assert( rdn != NULL );
241 assert( ava_in != NULL );
243 for ( i = 0; i < iAVA; i++ ) {
244 LDAPAVA *ava = rdn[ i ];
247 assert( ava != NULL );
249 a = strcmp( ava_in->la_attr.bv_val, ava->la_attr.bv_val );
258 d = ava_in->la_value.bv_len - ava->la_value.bv_len;
260 v = memcmp( ava_in->la_value.bv_val,
261 ava->la_value.bv_val,
262 d <= 0 ? ava_in->la_value.bv_len
263 : ava->la_value.bv_len );
265 if ( v == 0 && d != 0 ) {
284 a = strcmp( ava_in->la_attr.bv_val,
285 ava->la_attr.bv_val );
291 for ( j = iAVA; j > i; j-- ) {
292 rdn[ j ] = rdn[ j - 1 ];
301 LDAPRDN_rewrite( LDAPRDN rdn, unsigned flags, void *ctx )
306 for ( iAVA = 0; rdn[ iAVA ]; iAVA++ ) {
307 LDAPAVA *ava = rdn[ iAVA ];
308 AttributeDescription *ad;
309 slap_syntax_validate_func *validf = NULL;
310 slap_mr_normalize_func *normf = NULL;
311 slap_syntax_transform_func *transf = NULL;
312 MatchingRule *mr = NULL;
313 struct berval bv = BER_BVNULL;
316 assert( ava != NULL );
318 if ( ( ad = AVA_PRIVATE( ava ) ) == NULL ) {
319 const char *text = NULL;
321 rc = slap_bv2ad( &ava->la_attr, &ad, &text );
322 if ( rc != LDAP_SUCCESS ) {
323 rc = slap_bv2undef_ad( &ava->la_attr,
325 SLAP_AD_PROXIED|slap_DN_strict );
326 if ( rc != LDAP_SUCCESS ) {
327 return LDAP_INVALID_SYNTAX;
331 ava->la_private = ( void * )ad;
336 * Replace attr oid/name with the canonical name
338 ava->la_attr = ad->ad_cname;
340 if( ava->la_flags & LDAP_AVA_BINARY ) {
341 if( ava->la_value.bv_len == 0 ) {
342 /* BER encoding is empty */
343 return LDAP_INVALID_SYNTAX;
346 /* Do not allow X-ORDERED 'VALUES' naming attributes */
347 } else if( ad->ad_type->sat_flags & SLAP_AT_ORDERED_VAL ) {
348 return LDAP_INVALID_SYNTAX;
350 /* AVA is binary encoded, don't muck with it */
351 } else if( flags & SLAP_LDAPDN_PRETTY ) {
352 transf = ad->ad_type->sat_syntax->ssyn_pretty;
354 validf = ad->ad_type->sat_syntax->ssyn_validate;
356 } else { /* normalization */
357 validf = ad->ad_type->sat_syntax->ssyn_validate;
358 mr = ad->ad_type->sat_equality;
359 if( mr && (!( mr->smr_usage & SLAP_MR_MUTATION_NORMALIZER ))) {
360 normf = mr->smr_normalize;
365 /* validate value before normalization */
366 rc = ( *validf )( ad->ad_type->sat_syntax,
369 : (struct berval *) &slap_empty_bv );
371 if ( rc != LDAP_SUCCESS ) {
372 return LDAP_INVALID_SYNTAX;
378 * transform value by pretty function
379 * if value is empty, use empty_bv
381 rc = ( *transf )( ad->ad_type->sat_syntax,
384 : (struct berval *) &slap_empty_bv,
387 if ( rc != LDAP_SUCCESS ) {
388 return LDAP_INVALID_SYNTAX;
395 * if value is empty, use empty_bv
398 SLAP_MR_VALUE_OF_ASSERTION_SYNTAX,
399 ad->ad_type->sat_syntax,
403 : (struct berval *) &slap_empty_bv,
406 if ( rc != LDAP_SUCCESS ) {
407 return LDAP_INVALID_SYNTAX;
413 if ( ava->la_flags & LDAP_AVA_FREE_VALUE )
414 ber_memfree_x( ava->la_value.bv_val, ctx );
416 ava->la_flags |= LDAP_AVA_FREE_VALUE;
419 if( do_sort ) AVA_Sort( rdn, iAVA );
425 * In-place, schema-aware normalization / "pretty"ing of the
426 * structural representation of a distinguished name.
429 LDAPDN_rewrite( LDAPDN dn, unsigned flags, void *ctx )
434 assert( dn != NULL );
436 for ( iRDN = 0; dn[ iRDN ]; iRDN++ ) {
437 rc = LDAPRDN_rewrite( dn[ iRDN ], flags, ctx );
438 if ( rc != LDAP_SUCCESS ) {
455 assert( val != NULL );
456 assert( out != NULL );
458 Debug( LDAP_DEBUG_TRACE, ">>> dnNormalize: <%s>\n", val->bv_val, 0, 0 );
460 if ( val->bv_len != 0 ) {
465 * Go to structural representation
467 rc = ldap_bv2dn_x( val, &dn, LDAP_DN_FORMAT_LDAP, ctx );
468 if ( rc != LDAP_SUCCESS ) {
469 return LDAP_INVALID_SYNTAX;
472 assert( strlen( val->bv_val ) == val->bv_len );
475 * Schema-aware rewrite
477 if ( LDAPDN_rewrite( dn, 0, ctx ) != LDAP_SUCCESS ) {
478 ldap_dnfree_x( dn, ctx );
479 return LDAP_INVALID_SYNTAX;
483 * Back to string representation
485 rc = ldap_dn2bv_x( dn, out,
486 LDAP_DN_FORMAT_LDAPV3 | LDAP_DN_PRETTY, ctx );
488 ldap_dnfree_x( dn, ctx );
490 if ( rc != LDAP_SUCCESS ) {
491 return LDAP_INVALID_SYNTAX;
494 ber_dupbv_x( out, val, ctx );
497 Debug( LDAP_DEBUG_TRACE, "<<< dnNormalize: <%s>\n", out->bv_val, 0, 0 );
511 assert( val != NULL );
512 assert( out != NULL );
514 Debug( LDAP_DEBUG_TRACE, ">>> dnNormalize: <%s>\n", val->bv_val, 0, 0 );
515 if ( val->bv_len != 0 ) {
521 * Go to structural representation
523 rc = ldap_bv2rdn_x( val , &rdn, (char **) &p,
524 LDAP_DN_FORMAT_LDAP, ctx);
526 if ( rc != LDAP_SUCCESS ) {
527 return LDAP_INVALID_SYNTAX;
530 assert( strlen( val->bv_val ) == val->bv_len );
533 * Schema-aware rewrite
535 if ( LDAPRDN_rewrite( rdn, 0, ctx ) != LDAP_SUCCESS ) {
536 ldap_rdnfree_x( rdn, ctx );
537 return LDAP_INVALID_SYNTAX;
541 * Back to string representation
543 rc = ldap_rdn2bv_x( rdn, out,
544 LDAP_DN_FORMAT_LDAPV3 | LDAP_DN_PRETTY, ctx );
546 ldap_rdnfree_x( rdn, ctx );
548 if ( rc != LDAP_SUCCESS ) {
549 return LDAP_INVALID_SYNTAX;
552 ber_dupbv_x( out, val, ctx );
555 Debug( LDAP_DEBUG_TRACE, "<<< dnNormalize: <%s>\n", out->bv_val, 0, 0 );
567 assert( val != NULL );
568 assert( out != NULL );
570 Debug( LDAP_DEBUG_TRACE, ">>> dnPretty: <%s>\n", val->bv_val, 0, 0 );
572 if ( val->bv_len == 0 ) {
573 ber_dupbv_x( out, val, ctx );
575 } else if ( val->bv_len > SLAP_LDAPDN_MAXLEN ) {
576 return LDAP_INVALID_SYNTAX;
582 /* FIXME: should be liberal in what we accept */
583 rc = ldap_bv2dn_x( val, &dn, LDAP_DN_FORMAT_LDAP, ctx );
584 if ( rc != LDAP_SUCCESS ) {
585 return LDAP_INVALID_SYNTAX;
588 assert( strlen( val->bv_val ) == val->bv_len );
591 * Schema-aware rewrite
593 if ( LDAPDN_rewrite( dn, SLAP_LDAPDN_PRETTY, ctx ) != LDAP_SUCCESS ) {
594 ldap_dnfree_x( dn, ctx );
595 return LDAP_INVALID_SYNTAX;
598 /* FIXME: not sure why the default isn't pretty */
599 /* RE: the default is the form that is used as
600 * an internal representation; the pretty form
602 rc = ldap_dn2bv_x( dn, out,
603 LDAP_DN_FORMAT_LDAPV3 | LDAP_DN_PRETTY, ctx );
605 ldap_dnfree_x( dn, ctx );
607 if ( rc != LDAP_SUCCESS ) {
608 return LDAP_INVALID_SYNTAX;
612 Debug( LDAP_DEBUG_TRACE, "<<< dnPretty: <%s>\n", out->bv_val, 0, 0 );
624 assert( val != NULL );
625 assert( out != NULL );
627 Debug( LDAP_DEBUG_TRACE, ">>> dnPretty: <%s>\n", val->bv_val, 0, 0 );
629 if ( val->bv_len == 0 ) {
630 ber_dupbv_x( out, val, ctx );
632 } else if ( val->bv_len > SLAP_LDAPDN_MAXLEN ) {
633 return LDAP_INVALID_SYNTAX;
640 /* FIXME: should be liberal in what we accept */
641 rc = ldap_bv2rdn_x( val , &rdn, (char **) &p,
642 LDAP_DN_FORMAT_LDAP, ctx);
643 if ( rc != LDAP_SUCCESS ) {
644 return LDAP_INVALID_SYNTAX;
647 assert( strlen( val->bv_val ) == val->bv_len );
650 * Schema-aware rewrite
652 if ( LDAPRDN_rewrite( rdn, SLAP_LDAPDN_PRETTY, ctx ) != LDAP_SUCCESS ) {
653 ldap_rdnfree_x( rdn, ctx );
654 return LDAP_INVALID_SYNTAX;
657 /* FIXME: not sure why the default isn't pretty */
658 /* RE: the default is the form that is used as
659 * an internal representation; the pretty form
661 rc = ldap_rdn2bv_x( rdn, out,
662 LDAP_DN_FORMAT_LDAPV3 | LDAP_DN_PRETTY, ctx );
664 ldap_rdnfree_x( rdn, ctx );
666 if ( rc != LDAP_SUCCESS ) {
667 return LDAP_INVALID_SYNTAX;
671 Debug( LDAP_DEBUG_TRACE, "<<< dnPretty: <%s>\n", out->bv_val, 0, 0 );
685 assert( val != NULL );
686 assert( dn != NULL );
688 Debug( LDAP_DEBUG_TRACE, ">>> dn%sDN: <%s>\n",
689 flags == SLAP_LDAPDN_PRETTY ? "Pretty" : "Normal",
692 if ( val->bv_len == 0 ) {
695 } else if ( val->bv_len > SLAP_LDAPDN_MAXLEN ) {
696 return LDAP_INVALID_SYNTAX;
701 /* FIXME: should be liberal in what we accept */
702 rc = ldap_bv2dn_x( val, dn, LDAP_DN_FORMAT_LDAP, ctx );
703 if ( rc != LDAP_SUCCESS ) {
704 return LDAP_INVALID_SYNTAX;
707 assert( strlen( val->bv_val ) == val->bv_len );
710 * Schema-aware rewrite
712 if ( LDAPDN_rewrite( *dn, flags, ctx ) != LDAP_SUCCESS ) {
713 ldap_dnfree_x( *dn, ctx );
715 return LDAP_INVALID_SYNTAX;
719 Debug( LDAP_DEBUG_TRACE, "<<< dn%sDN\n",
720 flags == SLAP_LDAPDN_PRETTY ? "Pretty" : "Normal",
727 * Combination of both dnPretty and dnNormalize
733 struct berval *pretty,
734 struct berval *normal,
737 Debug( LDAP_DEBUG_TRACE, ">>> dnPrettyNormal: <%s>\n", val->bv_val, 0, 0 );
739 assert( val != NULL );
740 assert( pretty != NULL );
741 assert( normal != NULL );
743 if ( val->bv_len == 0 ) {
744 ber_dupbv_x( pretty, val, ctx );
745 ber_dupbv_x( normal, val, ctx );
747 } else if ( val->bv_len > SLAP_LDAPDN_MAXLEN ) {
749 return LDAP_INVALID_SYNTAX;
755 pretty->bv_val = NULL;
756 normal->bv_val = NULL;
760 /* FIXME: should be liberal in what we accept */
761 rc = ldap_bv2dn_x( val, &dn, LDAP_DN_FORMAT_LDAP, ctx );
762 if ( rc != LDAP_SUCCESS ) {
763 return LDAP_INVALID_SYNTAX;
766 assert( strlen( val->bv_val ) == val->bv_len );
769 * Schema-aware rewrite
771 if ( LDAPDN_rewrite( dn, SLAP_LDAPDN_PRETTY, ctx ) != LDAP_SUCCESS ) {
772 ldap_dnfree_x( dn, ctx );
773 return LDAP_INVALID_SYNTAX;
776 rc = ldap_dn2bv_x( dn, pretty,
777 LDAP_DN_FORMAT_LDAPV3 | LDAP_DN_PRETTY, ctx );
779 if ( rc != LDAP_SUCCESS ) {
780 ldap_dnfree_x( dn, ctx );
781 return LDAP_INVALID_SYNTAX;
784 if ( LDAPDN_rewrite( dn, 0, ctx ) != LDAP_SUCCESS ) {
785 ldap_dnfree_x( dn, ctx );
786 ber_memfree_x( pretty->bv_val, ctx );
787 pretty->bv_val = NULL;
789 return LDAP_INVALID_SYNTAX;
792 rc = ldap_dn2bv_x( dn, normal,
793 LDAP_DN_FORMAT_LDAPV3 | LDAP_DN_PRETTY, ctx );
795 ldap_dnfree_x( dn, ctx );
796 if ( rc != LDAP_SUCCESS ) {
797 ber_memfree_x( pretty->bv_val, ctx );
798 pretty->bv_val = NULL;
800 return LDAP_INVALID_SYNTAX;
804 Debug( LDAP_DEBUG_TRACE, "<<< dnPrettyNormal: <%s>, <%s>\n",
805 pretty->bv_val, normal->bv_val, 0 );
819 struct berval *value,
820 void *assertedValue )
823 struct berval *asserted = (struct berval *) assertedValue;
825 assert( matchp != NULL );
826 assert( value != NULL );
827 assert( assertedValue != NULL );
828 assert( !BER_BVISNULL( value ) );
829 assert( !BER_BVISNULL( asserted ) );
831 match = value->bv_len - asserted->bv_len;
834 match = memcmp( value->bv_val, asserted->bv_val,
838 Debug( LDAP_DEBUG_ARGS, "dnMatch %d\n\t\"%s\"\n\t\"%s\"\n",
839 match, value->bv_val, asserted->bv_val );
846 * dnRelativeMatch routine
854 struct berval *value,
855 void *assertedValue )
858 struct berval *asserted = (struct berval *) assertedValue;
860 assert( matchp != NULL );
861 assert( value != NULL );
862 assert( assertedValue != NULL );
863 assert( !BER_BVISNULL( value ) );
864 assert( !BER_BVISNULL( asserted ) );
866 if( mr == slap_schema.si_mr_dnSubtreeMatch ) {
867 if( asserted->bv_len > value->bv_len ) {
869 } else if ( asserted->bv_len == value->bv_len ) {
870 match = memcmp( value->bv_val, asserted->bv_val,
874 value->bv_val[value->bv_len - asserted->bv_len - 1] ))
877 &value->bv_val[value->bv_len - asserted->bv_len],
889 if( mr == slap_schema.si_mr_dnSuperiorMatch ) {
891 value = (struct berval *) assertedValue;
892 mr = slap_schema.si_mr_dnSubordinateMatch;
895 if( mr == slap_schema.si_mr_dnSubordinateMatch ) {
896 if( asserted->bv_len >= value->bv_len ) {
900 value->bv_val[value->bv_len - asserted->bv_len - 1] ))
903 &value->bv_val[value->bv_len - asserted->bv_len],
915 if( mr == slap_schema.si_mr_dnOneLevelMatch ) {
916 if( asserted->bv_len >= value->bv_len ) {
920 value->bv_val[value->bv_len - asserted->bv_len - 1] ))
923 &value->bv_val[value->bv_len - asserted->bv_len],
929 rdn.bv_val = value->bv_val;
930 rdn.bv_len = value->bv_len - asserted->bv_len - 1;
931 match = dnIsOneLevelRDN( &rdn ) ? 0 : 1;
942 /* should not be reachable */
953 struct berval *value,
954 void *assertedValue )
957 struct berval *asserted = (struct berval *) assertedValue;
959 assert( matchp != NULL );
960 assert( value != NULL );
961 assert( assertedValue != NULL );
963 match = value->bv_len - asserted->bv_len;
966 match = memcmp( value->bv_val, asserted->bv_val,
970 Debug( LDAP_DEBUG_ARGS, "rdnMatch %d\n\t\"%s\"\n\t\"%s\"\n",
971 match, value->bv_val, asserted->bv_val );
979 * dnParent - dn's parent, in-place
980 * note: the incoming dn is assumed to be normalized/prettyfied,
981 * so that escaped rdn/ava separators are in '\'+hexpair form
983 * note: "dn" and "pdn" can point to the same berval;
984 * beware that, in this case, the pointer to the original buffer
994 p = ber_bvchr( dn, ',' );
999 pdn->bv_val = dn->bv_val + dn->bv_len;
1003 assert( DN_SEPARATOR( p[ 0 ] ) );
1006 assert( ATTR_LEADCHAR( p[ 0 ] ) );
1007 pdn->bv_len = dn->bv_len - (p - dn->bv_val);
1014 * dnRdn - dn's rdn, in-place
1015 * note: the incoming dn is assumed to be normalized/prettyfied,
1016 * so that escaped rdn/ava separators are in '\'+hexpair form
1021 struct berval *rdn )
1026 p = ber_bvchr( dn, ',' );
1033 assert( DN_SEPARATOR( p[ 0 ] ) );
1034 assert( ATTR_LEADCHAR( p[ 1 ] ) );
1035 rdn->bv_len = p - dn->bv_val;
1050 assert( dn != NULL );
1051 assert( rdn != NULL );
1053 if( dn->bv_len == 0 ) {
1057 rc = ldap_bv2rdn_x( dn, &tmpRDN, (char **)&p, LDAP_DN_FORMAT_LDAP, ctx );
1058 if ( rc != LDAP_SUCCESS ) {
1062 rc = ldap_rdn2bv_x( tmpRDN, rdn, LDAP_DN_FORMAT_LDAPV3 | LDAP_DN_PRETTY,
1065 ldap_rdnfree_x( tmpRDN, ctx );
1070 * We can assume the input is a prettied or normalized DN
1075 struct berval *dn_in )
1079 assert( dn_in != NULL );
1081 if ( dn_in == NULL ) {
1085 if ( !dn_in->bv_len ) {
1089 if ( be != NULL && be_issuffix( be, dn_in ) ) {
1093 p = ber_bvchr( dn_in, ',' );
1095 return p ? p - dn_in->bv_val : dn_in->bv_len;
1101 * LDAP_SUCCESS if rdn is a legal rdn;
1102 * LDAP_INVALID_SYNTAX otherwise (including a sequence of rdns)
1105 rdn_validate( struct berval *rdn )
1109 * input is a pretty or normalized DN
1110 * hence, we can just search for ','
1112 if( rdn == NULL || rdn->bv_len == 0 ||
1113 rdn->bv_len > SLAP_LDAPDN_MAXLEN )
1115 return LDAP_INVALID_SYNTAX;
1117 return ber_bvchr( rdn, ',' ) == NULL
1118 ? LDAP_SUCCESS : LDAP_INVALID_SYNTAX;
1121 LDAPRDN *RDN, **DN[ 2 ] = { &RDN, NULL };
1128 if ( rdn == NULL || rdn == '\0' ) {
1135 rc = ldap_bv2rdn( rdn, &RDN, (char **)&p, LDAP_DN_FORMAT_LDAP );
1136 if ( rc != LDAP_SUCCESS ) {
1143 if ( p[ 0 ] != '\0' ) {
1148 * Schema-aware validate
1150 if ( rc == LDAP_SUCCESS ) {
1151 rc = LDAPDN_validate( DN );
1153 ldap_rdnfree( RDN );
1156 * Must validate (there's a repeated parsing ...)
1158 return ( rc == LDAP_SUCCESS );
1165 * Used by back-bdb back_modrdn to create the new dn of entries being
1168 * new_dn = parent (p_dn) + separator + rdn (newrdn) + null.
1172 build_new_dn( struct berval * new_dn,
1173 struct berval * parent_dn,
1174 struct berval * newrdn,
1179 if ( parent_dn == NULL || parent_dn->bv_len == 0 ) {
1180 ber_dupbv_x( new_dn, newrdn, memctx );
1184 new_dn->bv_len = parent_dn->bv_len + newrdn->bv_len + 1;
1185 new_dn->bv_val = (char *) slap_sl_malloc( new_dn->bv_len + 1, memctx );
1187 ptr = lutil_strncopy( new_dn->bv_val, newrdn->bv_val, newrdn->bv_len );
1189 strcpy( ptr, parent_dn->bv_val );
1194 * dnIsSuffix - tells whether suffix is a suffix of dn.
1195 * Both dn and suffix must be normalized.
1199 const struct berval *dn,
1200 const struct berval *suffix )
1202 int d = dn->bv_len - suffix->bv_len;
1204 assert( dn != NULL );
1205 assert( suffix != NULL );
1207 /* empty suffix matches any dn */
1208 if ( suffix->bv_len == 0 ) {
1212 /* suffix longer than dn */
1217 /* no rdn separator or escaped rdn separator */
1218 if ( d > 1 && !DN_SEPARATOR( dn->bv_val[ d - 1 ] ) ) {
1222 /* no possible match or malformed dn */
1228 return( strcmp( dn->bv_val + d, suffix->bv_val ) == 0 );
1232 dnIsOneLevelRDN( struct berval *rdn )
1234 ber_len_t len = rdn->bv_len;
1236 if ( DN_SEPARATOR( rdn->bv_val[ len ] ) ) {
1245 static SLAP_CERT_MAP_FN *DNX509PeerNormalizeCertMap = NULL;
1248 int register_certificate_map_function(SLAP_CERT_MAP_FN *fn)
1251 if ( DNX509PeerNormalizeCertMap == NULL ) {
1252 DNX509PeerNormalizeCertMap = fn;
1262 * Convert an X.509 DN into a normalized LDAP DN
1265 dnX509normalize( void *x509_name, struct berval *out )
1267 /* Invoke the LDAP library's converter with our schema-rewriter */
1268 int rc = ldap_X509dn2bv( x509_name, out, LDAPDN_rewrite, 0 );
1270 Debug( LDAP_DEBUG_TRACE,
1271 "dnX509Normalize: <%s> (%d)\n",
1272 BER_BVISNULL( out ) ? "(null)" : out->bv_val, rc, 0 );
1278 * Get the TLS session's peer's DN into a normalized LDAP DN
1281 dnX509peerNormalize( void *ssl, struct berval *dn )
1283 int rc = LDAP_INVALID_CREDENTIALS;
1285 if ( DNX509PeerNormalizeCertMap != NULL )
1286 rc = (*DNX509PeerNormalizeCertMap)( ssl, dn );
1288 if ( rc != LDAP_SUCCESS ) {
1289 rc = ldap_pvt_tls_get_peer_dn( ssl, dn,
1290 (LDAPDN_rewrite_dummy *)LDAPDN_rewrite, 0 );