1 /* dn.c - routines for dealing with distinguished names */
4 * Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved.
5 * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
13 #include <ac/socket.h>
14 #include <ac/string.h>
23 const struct berval slap_empty_bv = { 0, "" };
25 #define SLAP_LDAPDN_PRETTY 0x1
27 #define SLAP_LDAPDN_MAXLEN 8192
30 * The DN syntax-related functions take advantage of the dn representation
31 * handling functions ldap_str2dn/ldap_dn2str. The latter are not schema-
32 * aware, so the attributes and their values need be validated (and possibly
33 * normalized). In the current implementation the required validation/nor-
34 * malization/"pretty"ing are done on newly created DN structural represen-
35 * tations; however the idea is to move towards DN handling in structural
36 * representation instead of the current string representation. To this
37 * purpose, we need to do only the required operations and keep track of
38 * what has been done to minimize their impact on performances.
40 * Developers are strongly encouraged to use this feature, to speed-up
44 #define AVA_PRIVATE( ava ) ( ( AttributeDescription * )(ava)->la_private )
47 * In-place, schema-aware validation of the
48 * structural representation of a distinguished name.
51 LDAPDN_validate( LDAPDN *dn )
58 for ( iRDN = 0; dn[ 0 ][ iRDN ]; iRDN++ ) {
59 LDAPRDN *rdn = dn[ 0 ][ iRDN ];
64 for ( iAVA = 0; rdn[ 0 ][ iAVA ]; iAVA++ ) {
65 LDAPAVA *ava = rdn[ 0 ][ iAVA ];
66 AttributeDescription *ad;
67 slap_syntax_validate_func *validate = NULL;
71 if ( ( ad = AVA_PRIVATE( ava ) ) == NULL ) {
72 const char *text = NULL;
74 rc = slap_bv2ad( &ava->la_attr, &ad, &text );
75 if ( rc != LDAP_SUCCESS ) {
76 return LDAP_INVALID_SYNTAX;
79 ava->la_private = ( void * )ad;
83 * Replace attr oid/name with the canonical name
85 ava->la_attr = ad->ad_cname;
87 validate = ad->ad_type->sat_syntax->ssyn_validate;
91 * validate value by validate function
93 rc = ( *validate )( ad->ad_type->sat_syntax,
96 if ( rc != LDAP_SUCCESS ) {
97 return LDAP_INVALID_SYNTAX;
107 * dn validate routine
119 if ( in->bv_len == 0 ) {
122 } else if ( in->bv_len > SLAP_LDAPDN_MAXLEN ) {
123 return LDAP_INVALID_SYNTAX;
126 rc = ldap_bv2dn( in, &dn, LDAP_DN_FORMAT_LDAP );
127 if ( rc != LDAP_SUCCESS ) {
128 return LDAP_INVALID_SYNTAX;
131 assert( strlen( in->bv_val ) == in->bv_len );
134 * Schema-aware validate
136 rc = LDAPDN_validate( dn );
139 if ( rc != LDAP_SUCCESS ) {
140 return LDAP_INVALID_SYNTAX;
147 * AVA sorting inside a RDN
149 * rule: sort attributeTypes in alphabetical order; in case of multiple
150 * occurrences of the same attributeType, sort values in byte order
151 * (use memcmp, which implies alphabetical order in case of IA5 value;
152 * this should guarantee the repeatability of the operation).
154 * Note: the sorting can be slightly improved by sorting first
155 * by attribute type length, then by alphabetical order.
157 * uses a linear search; should be fine since the number of AVAs in
158 * a RDN should be limited.
161 AVA_Sort( LDAPRDN *rdn, int iAVA )
164 LDAPAVA *ava_in = rdn[ 0 ][ iAVA ];
169 for ( i = 0; i < iAVA; i++ ) {
170 LDAPAVA *ava = rdn[ 0 ][ i ];
175 a = strcmp( ava_in->la_attr.bv_val, ava->la_attr.bv_val );
184 d = ava_in->la_value.bv_len - ava->la_value.bv_len;
186 v = memcmp( ava_in->la_value.bv_val,
187 ava->la_value.bv_val,
188 d <= 0 ? ava_in->la_value.bv_len
189 : ava->la_value.bv_len );
191 if ( v == 0 && d != 0 ) {
210 a = strcmp( ava_in->la_attr.bv_val,
211 ava->la_attr.bv_val );
217 for ( j = iAVA; j > i; j-- ) {
218 rdn[ 0 ][ j ] = rdn[ 0 ][ j - 1 ];
220 rdn[ 0 ][ i ] = ava_in;
227 * In-place, schema-aware normalization / "pretty"ing of the
228 * structural representation of a distinguished name.
231 LDAPDN_rewrite( LDAPDN *dn, unsigned flags )
238 for ( iRDN = 0; dn[ 0 ][ iRDN ]; iRDN++ ) {
239 LDAPRDN *rdn = dn[ 0 ][ iRDN ];
244 for ( iAVA = 0; rdn[ 0 ][ iAVA ]; iAVA++ ) {
245 LDAPAVA *ava = rdn[ 0 ][ iAVA ];
246 AttributeDescription *ad;
247 slap_syntax_validate_func *validf = NULL;
248 slap_syntax_transform_func *transf = NULL;
250 struct berval bv = { 0, NULL };
255 if ( ( ad = AVA_PRIVATE( ava ) ) == NULL ) {
256 const char *text = NULL;
258 rc = slap_bv2ad( &ava->la_attr, &ad, &text );
259 if ( rc != LDAP_SUCCESS ) {
260 return LDAP_INVALID_SYNTAX;
263 ava->la_private = ( void * )ad;
268 * Replace attr oid/name with the canonical name
270 ava->la_attr = ad->ad_cname;
272 if( ava->la_flags & LDAP_AVA_BINARY ) {
273 /* AVA is binary encoded, don't muck with it */
277 } else if( flags & SLAP_LDAPDN_PRETTY ) {
279 transf = ad->ad_type->sat_syntax->ssyn_pretty;
282 validf = ad->ad_type->sat_syntax->ssyn_validate;
283 transf = ad->ad_type->sat_syntax->ssyn_normalize;
284 mr = ad->ad_type->sat_equality;
288 /* validate value before normalization */
289 rc = ( *validf )( ad->ad_type->sat_syntax,
292 : (struct berval *) &slap_empty_bv );
294 if ( rc != LDAP_SUCCESS ) {
295 return LDAP_INVALID_SYNTAX;
301 * transform value by normalize/pretty function
302 * if value is empty, use empty_bv
304 rc = ( *transf )( ad->ad_type->sat_syntax,
307 : (struct berval *) &slap_empty_bv,
310 if ( rc != LDAP_SUCCESS ) {
311 return LDAP_INVALID_SYNTAX;
315 if( mr && ( mr->smr_usage & SLAP_MR_DN_FOLD ) ) {
318 if ( UTF8bvnormalize( &bv, &bv,
319 LDAP_UTF8_CASEFOLD ) == NULL ) {
320 return LDAP_INVALID_SYNTAX;
326 free( ava->la_value.bv_val );
330 if( do_sort ) AVA_Sort( rdn, iAVA );
338 * dn normalize routine
344 struct berval **normalized )
349 assert( normalized && *normalized == NULL );
351 out = ch_malloc( sizeof( struct berval ) );
352 rc = dnNormalize2( syntax, val, out );
353 if ( rc != LDAP_SUCCESS )
369 Debug( LDAP_DEBUG_TRACE, ">>> dnNormalize: <%s>\n", val->bv_val, 0, 0 );
371 if ( val->bv_len != 0 ) {
376 * Go to structural representation
378 rc = ldap_bv2dn( val, &dn, LDAP_DN_FORMAT_LDAP );
379 if ( rc != LDAP_SUCCESS ) {
380 return LDAP_INVALID_SYNTAX;
383 assert( strlen( val->bv_val ) == val->bv_len );
386 * Schema-aware rewrite
388 if ( LDAPDN_rewrite( dn, 0 ) != LDAP_SUCCESS ) {
390 return LDAP_INVALID_SYNTAX;
394 * Back to string representation
396 rc = ldap_dn2bv( dn, out,
397 LDAP_DN_FORMAT_LDAPV3 | LDAP_DN_PRETTY );
401 if ( rc != LDAP_SUCCESS ) {
402 return LDAP_INVALID_SYNTAX;
405 ber_dupbv( out, val );
408 Debug( LDAP_DEBUG_TRACE, "<<< dnNormalize: <%s>\n", out->bv_val, 0, 0 );
414 * dn "pretty"ing routine
420 struct berval **pretty)
425 assert( pretty && *pretty == NULL );
427 out = ch_malloc( sizeof( struct berval ) );
428 rc = dnPretty2( syntax, val, out );
429 if ( rc != LDAP_SUCCESS )
446 LDAP_LOG( OPERATION, ARGS, ">>> dnPretty: <%s>\n", val->bv_val, 0, 0 );
448 Debug( LDAP_DEBUG_TRACE, ">>> dnPretty: <%s>\n", val->bv_val, 0, 0 );
451 if ( val->bv_len == 0 ) {
452 ber_dupbv( out, val );
454 } else if ( val->bv_len > SLAP_LDAPDN_MAXLEN ) {
455 return LDAP_INVALID_SYNTAX;
461 /* FIXME: should be liberal in what we accept */
462 rc = ldap_bv2dn( val, &dn, LDAP_DN_FORMAT_LDAP );
463 if ( rc != LDAP_SUCCESS ) {
464 return LDAP_INVALID_SYNTAX;
467 assert( strlen( val->bv_val ) == val->bv_len );
470 * Schema-aware rewrite
472 if ( LDAPDN_rewrite( dn, SLAP_LDAPDN_PRETTY ) != LDAP_SUCCESS ) {
474 return LDAP_INVALID_SYNTAX;
477 /* FIXME: not sure why the default isn't pretty */
478 /* RE: the default is the form that is used as
479 * an internal representation; the pretty form
481 rc = ldap_dn2bv( dn, out,
482 LDAP_DN_FORMAT_LDAPV3 | LDAP_DN_PRETTY );
486 if ( rc != LDAP_SUCCESS ) {
487 return LDAP_INVALID_SYNTAX;
491 Debug( LDAP_DEBUG_TRACE, "<<< dnPretty: <%s>\n", out->bv_val, 0, 0 );
497 * Combination of both dnPretty and dnNormalize
503 struct berval *pretty,
504 struct berval *normal)
507 LDAP_LOG ( OPERATION, ENTRY, ">>> dnPrettyNormal: <%s>\n", val->bv_val, 0, 0 );
509 Debug( LDAP_DEBUG_TRACE, ">>> dnPrettyNormal: <%s>\n", val->bv_val, 0, 0 );
516 if ( val->bv_len == 0 ) {
517 ber_dupbv( pretty, val );
518 ber_dupbv( normal, val );
520 } else if ( val->bv_len > SLAP_LDAPDN_MAXLEN ) {
522 return LDAP_INVALID_SYNTAX;
528 pretty->bv_val = NULL;
529 normal->bv_val = NULL;
533 /* FIXME: should be liberal in what we accept */
534 rc = ldap_bv2dn( val, &dn, LDAP_DN_FORMAT_LDAP );
535 if ( rc != LDAP_SUCCESS ) {
536 return LDAP_INVALID_SYNTAX;
539 assert( strlen( val->bv_val ) == val->bv_len );
542 * Schema-aware rewrite
544 if ( LDAPDN_rewrite( dn, SLAP_LDAPDN_PRETTY ) != LDAP_SUCCESS ) {
546 return LDAP_INVALID_SYNTAX;
549 rc = ldap_dn2bv( dn, pretty,
550 LDAP_DN_FORMAT_LDAPV3 | LDAP_DN_PRETTY );
552 if ( rc != LDAP_SUCCESS ) {
554 return LDAP_INVALID_SYNTAX;
557 if ( LDAPDN_rewrite( dn, 0 ) != LDAP_SUCCESS ) {
559 free( pretty->bv_val );
560 pretty->bv_val = NULL;
562 return LDAP_INVALID_SYNTAX;
565 rc = ldap_dn2bv( dn, normal,
566 LDAP_DN_FORMAT_LDAPV3 | LDAP_DN_PRETTY );
569 if ( rc != LDAP_SUCCESS ) {
570 free( pretty->bv_val );
571 pretty->bv_val = NULL;
573 return LDAP_INVALID_SYNTAX;
578 LDAP_LOG (OPERATION, RESULTS, "<<< dnPrettyNormal: <%s>, <%s>\n",
579 pretty->bv_val, normal->bv_val, 0 );
581 Debug( LDAP_DEBUG_TRACE, "<<< dnPrettyNormal: <%s>, <%s>\n",
582 pretty->bv_val, normal->bv_val, 0 );
597 struct berval *value,
598 void *assertedValue )
601 struct berval *asserted = (struct berval *) assertedValue;
605 assert( assertedValue );
607 match = value->bv_len - asserted->bv_len;
610 match = memcmp( value->bv_val, asserted->bv_val,
615 LDAP_LOG( CONFIG, ENTRY, "dnMatch: %d\n %s\n %s\n",
616 match, value->bv_val, asserted->bv_val );
618 Debug( LDAP_DEBUG_ARGS, "dnMatch %d\n\t\"%s\"\n\t\"%s\"\n",
619 match, value->bv_val, asserted->bv_val );
623 return( LDAP_SUCCESS );
627 * dnParent - dn's parent, in-place
629 * note: the incoming dn is assumed to be normalized/prettyfied,
630 * so that escaped rdn/ava separators are in '\'+hexpair form
639 p = strchr( dn->bv_val, ',' );
644 pdn->bv_val = dn->bv_val + dn->bv_len;
648 assert( DN_SEPARATOR( p[ 0 ] ) );
651 assert( ATTR_LEADCHAR( p[ 0 ] ) );
653 pdn->bv_len = dn->bv_len - (p - dn->bv_val);
670 if( dn->bv_len == 0 ) {
674 rc = ldap_bv2rdn( dn, &tmpRDN, (char **)&p, LDAP_DN_FORMAT_LDAP );
675 if ( rc != LDAP_SUCCESS ) {
679 rc = ldap_rdn2bv( tmpRDN, rdn, LDAP_DN_FORMAT_LDAPV3 | LDAP_DN_PRETTY );
681 ldap_rdnfree( tmpRDN );
682 if ( rc != LDAP_SUCCESS ) {
690 * We can assume the input is a prettied or normalized DN
695 struct berval *dn_in )
701 if ( dn_in == NULL ) {
705 if ( !dn_in->bv_len ) {
709 if ( be != NULL && be_issuffix( be, dn_in ) ) {
713 p = strchr( dn_in->bv_val, ',' );
715 return p ? p - dn_in->bv_val : dn_in->bv_len;
721 * LDAP_SUCCESS if rdn is a legal rdn;
722 * LDAP_INVALID_SYNTAX otherwise (including a sequence of rdns)
725 rdnValidate( struct berval *rdn )
729 * input is a pretty or normalized DN
730 * hence, we can just search for ','
732 if( rdn == NULL || rdn->bv_len == 0 ||
733 rdn->bv_len > SLAP_LDAPDN_MAXLEN )
735 return LDAP_INVALID_SYNTAX;
738 return strchr( rdn->bv_val, ',' ) == NULL
739 ? LDAP_SUCCESS : LDAP_INVALID_SYNTAX;
742 LDAPRDN *RDN, **DN[ 2 ] = { &RDN, NULL };
749 if ( rdn == NULL || rdn == '\0' ) {
756 rc = ldap_bv2rdn( rdn, &RDN, (char **)&p, LDAP_DN_FORMAT_LDAP );
757 if ( rc != LDAP_SUCCESS ) {
764 if ( p[ 0 ] != '\0' ) {
769 * Schema-aware validate
771 if ( rc == LDAP_SUCCESS ) {
772 rc = LDAPDN_validate( DN );
777 * Must validate (there's a repeated parsing ...)
779 return ( rc == LDAP_SUCCESS );
786 * Used by ldbm/bdb2 back_modrdn to create the new dn of entries being
789 * new_dn = parent (p_dn) + separator + rdn (newrdn) + null.
793 build_new_dn( struct berval * new_dn,
794 struct berval * parent_dn,
795 struct berval * newrdn )
799 if ( parent_dn == NULL ) {
800 ber_dupbv( new_dn, newrdn );
804 new_dn->bv_len = parent_dn->bv_len + newrdn->bv_len + 1;
805 new_dn->bv_val = (char *) ch_malloc( new_dn->bv_len + 1 );
807 ptr = lutil_strcopy( new_dn->bv_val, newrdn->bv_val );
809 strcpy( ptr, parent_dn->bv_val );
814 * dnIsSuffix - tells whether suffix is a suffix of dn.
815 * Both dn and suffix must be normalized.
819 const struct berval *dn,
820 const struct berval *suffix )
822 int d = dn->bv_len - suffix->bv_len;
827 /* empty suffix matches any dn */
828 if ( suffix->bv_len == 0 ) {
832 /* suffix longer than dn */
837 /* no rdn separator or escaped rdn separator */
838 if ( d > 1 && !DN_SEPARATOR( dn->bv_val[ d - 1 ] ) ) {
842 /* no possible match or malformed dn */
848 return( strcmp( dn->bv_val + d, suffix->bv_val ) == 0 );
853 * Convert an X.509 DN into a normalized LDAP DN
856 dnX509normalize( void *x509_name, struct berval *out )
858 /* Invoke the LDAP library's converter with our schema-rewriter */
859 return ldap_X509dn2bv( x509_name, out, LDAPDN_rewrite, 0 );
863 * Get the TLS session's peer's DN into a normalized LDAP DN
866 dnX509peerNormalize( void *ssl, struct berval *dn )
869 return ldap_pvt_tls_get_peer_dn( ssl, dn, (LDAPDN_rewrite_dummy *)LDAPDN_rewrite, 0 );
projects / openldap / blob