1 /* dn.c - routines for dealing with distinguished names */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
5 * Copyright 1998-2006 The OpenLDAP Foundation.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted only as authorized by the OpenLDAP
12 * A copy of this license is available in the file LICENSE in the
13 * top-level directory of the distribution or, alternatively, at
14 * <http://www.OpenLDAP.org/license.html>.
16 /* Portions Copyright (c) 1995 Regents of the University of Michigan.
17 * All rights reserved.
19 * Redistribution and use in source and binary forms are permitted
20 * provided that this notice is preserved and that due credit is given
21 * to the University of Michigan at Ann Arbor. The name of the University
22 * may not be used to endorse or promote products derived from this
23 * software without specific prior written permission. This software
24 * is provided ``as is'' without express or implied warranty.
32 #include <ac/socket.h>
33 #include <ac/string.h>
40 * The DN syntax-related functions take advantage of the dn representation
41 * handling functions ldap_str2dn/ldap_dn2str. The latter are not schema-
42 * aware, so the attributes and their values need be validated (and possibly
43 * normalized). In the current implementation the required validation/nor-
44 * malization/"pretty"ing are done on newly created DN structural represen-
45 * tations; however the idea is to move towards DN handling in structural
46 * representation instead of the current string representation. To this
47 * purpose, we need to do only the required operations and keep track of
48 * what has been done to minimize their impact on performances.
50 * Developers are strongly encouraged to use this feature, to speed-up
54 #define AVA_PRIVATE( ava ) ( ( AttributeDescription * )(ava)->la_private )
56 int slap_DN_strict = SLAP_AD_NOINSERT;
59 LDAPRDN_validate( LDAPRDN rdn )
64 assert( rdn != NULL );
66 for ( iAVA = 0; rdn[ iAVA ]; iAVA++ ) {
67 LDAPAVA *ava = rdn[ iAVA ];
68 AttributeDescription *ad;
69 slap_syntax_validate_func *validate = NULL;
71 assert( ava != NULL );
73 if ( ( ad = AVA_PRIVATE( ava ) ) == NULL ) {
74 const char *text = NULL;
76 rc = slap_bv2ad( &ava->la_attr, &ad, &text );
77 if ( rc != LDAP_SUCCESS ) {
78 rc = slap_bv2undef_ad( &ava->la_attr,
80 SLAP_AD_PROXIED|slap_DN_strict );
81 if ( rc != LDAP_SUCCESS ) {
82 return LDAP_INVALID_SYNTAX;
86 ava->la_private = ( void * )ad;
90 * Do not allow X-ORDERED 'VALUES' naming attributes
92 if ( ad->ad_type->sat_flags & SLAP_AT_ORDERED_VAL ) {
93 return LDAP_INVALID_SYNTAX;
97 * Replace attr oid/name with the canonical name
99 ava->la_attr = ad->ad_cname;
101 validate = ad->ad_type->sat_syntax->ssyn_validate;
105 * validate value by validate function
107 rc = ( *validate )( ad->ad_type->sat_syntax,
110 if ( rc != LDAP_SUCCESS ) {
111 return LDAP_INVALID_SYNTAX;
120 * In-place, schema-aware validation of the
121 * structural representation of a distinguished name.
124 LDAPDN_validate( LDAPDN dn )
129 assert( dn != NULL );
131 for ( iRDN = 0; dn[ iRDN ]; iRDN++ ) {
132 LDAPRDN rdn = dn[ iRDN ];
135 assert( rdn != NULL );
137 for ( iAVA = 0; rdn[ iAVA ]; iAVA++ ) {
138 LDAPAVA *ava = rdn[ iAVA ];
139 AttributeDescription *ad;
140 slap_syntax_validate_func *validate = NULL;
142 assert( ava != NULL );
144 if ( ( ad = AVA_PRIVATE( ava ) ) == NULL ) {
145 const char *text = NULL;
147 rc = slap_bv2ad( &ava->la_attr, &ad, &text );
148 if ( rc != LDAP_SUCCESS ) {
149 rc = slap_bv2undef_ad( &ava->la_attr,
151 SLAP_AD_PROXIED|slap_DN_strict );
152 if ( rc != LDAP_SUCCESS ) {
153 return LDAP_INVALID_SYNTAX;
157 ava->la_private = ( void * )ad;
161 * Replace attr oid/name with the canonical name
163 ava->la_attr = ad->ad_cname;
165 validate = ad->ad_type->sat_syntax->ssyn_validate;
169 * validate value by validate function
171 rc = ( *validate )( ad->ad_type->sat_syntax,
174 if ( rc != LDAP_SUCCESS ) {
175 return LDAP_INVALID_SYNTAX;
185 * dn validate routine
195 assert( in != NULL );
197 if ( in->bv_len == 0 ) {
200 } else if ( in->bv_len > SLAP_LDAPDN_MAXLEN ) {
201 return LDAP_INVALID_SYNTAX;
204 rc = ldap_bv2dn( in, &dn, LDAP_DN_FORMAT_LDAP );
205 if ( rc != LDAP_SUCCESS ) {
206 return LDAP_INVALID_SYNTAX;
209 assert( strlen( in->bv_val ) == in->bv_len );
212 * Schema-aware validate
214 rc = LDAPDN_validate( dn );
217 if ( rc != LDAP_SUCCESS ) {
218 return LDAP_INVALID_SYNTAX;
233 assert( in != NULL );
234 if ( in->bv_len == 0 ) {
237 } else if ( in->bv_len > SLAP_LDAPDN_MAXLEN ) {
238 return LDAP_INVALID_SYNTAX;
241 rc = ldap_bv2rdn_x( in , &rdn, (char **) &p,
242 LDAP_DN_FORMAT_LDAP, NULL);
243 if ( rc != LDAP_SUCCESS ) {
244 return LDAP_INVALID_SYNTAX;
247 assert( strlen( in->bv_val ) == in->bv_len );
250 * Schema-aware validate
252 rc = LDAPRDN_validate( rdn );
255 if ( rc != LDAP_SUCCESS ) {
256 return LDAP_INVALID_SYNTAX;
264 * AVA sorting inside a RDN
266 * rule: sort attributeTypes in alphabetical order; in case of multiple
267 * occurrences of the same attributeType, sort values in byte order
268 * (use memcmp, which implies alphabetical order in case of IA5 value;
269 * this should guarantee the repeatability of the operation).
271 * Note: the sorting can be slightly improved by sorting first
272 * by attribute type length, then by alphabetical order.
274 * uses a linear search; should be fine since the number of AVAs in
275 * a RDN should be limited.
278 AVA_Sort( LDAPRDN rdn, int iAVA )
281 LDAPAVA *ava_in = rdn[ iAVA ];
283 assert( rdn != NULL );
284 assert( ava_in != NULL );
286 for ( i = 0; i < iAVA; i++ ) {
287 LDAPAVA *ava = rdn[ i ];
290 assert( ava != NULL );
292 a = strcmp( ava_in->la_attr.bv_val, ava->la_attr.bv_val );
301 d = ava_in->la_value.bv_len - ava->la_value.bv_len;
303 v = memcmp( ava_in->la_value.bv_val,
304 ava->la_value.bv_val,
305 d <= 0 ? ava_in->la_value.bv_len
306 : ava->la_value.bv_len );
308 if ( v == 0 && d != 0 ) {
327 a = strcmp( ava_in->la_attr.bv_val,
328 ava->la_attr.bv_val );
334 for ( j = iAVA; j > i; j-- ) {
335 rdn[ j ] = rdn[ j - 1 ];
344 LDAPRDN_rewrite( LDAPRDN rdn, unsigned flags, void *ctx )
349 for ( iAVA = 0; rdn[ iAVA ]; iAVA++ ) {
350 LDAPAVA *ava = rdn[ iAVA ];
351 AttributeDescription *ad;
352 slap_syntax_validate_func *validf = NULL;
353 slap_mr_normalize_func *normf = NULL;
354 slap_syntax_transform_func *transf = NULL;
355 MatchingRule *mr = NULL;
356 struct berval bv = BER_BVNULL;
359 assert( ava != NULL );
361 if ( ( ad = AVA_PRIVATE( ava ) ) == NULL ) {
362 const char *text = NULL;
364 rc = slap_bv2ad( &ava->la_attr, &ad, &text );
365 if ( rc != LDAP_SUCCESS ) {
366 rc = slap_bv2undef_ad( &ava->la_attr,
368 SLAP_AD_PROXIED|slap_DN_strict );
369 if ( rc != LDAP_SUCCESS ) {
370 return LDAP_INVALID_SYNTAX;
374 ava->la_private = ( void * )ad;
379 * Replace attr oid/name with the canonical name
381 ava->la_attr = ad->ad_cname;
383 if( ava->la_flags & LDAP_AVA_BINARY ) {
384 if( ava->la_value.bv_len == 0 ) {
385 /* BER encoding is empty */
386 return LDAP_INVALID_SYNTAX;
389 /* Do not allow X-ORDERED 'VALUES' naming attributes */
390 } else if( ad->ad_type->sat_flags & SLAP_AT_ORDERED_VAL ) {
391 return LDAP_INVALID_SYNTAX;
393 /* AVA is binary encoded, don't muck with it */
394 } else if( flags & SLAP_LDAPDN_PRETTY ) {
395 transf = ad->ad_type->sat_syntax->ssyn_pretty;
397 validf = ad->ad_type->sat_syntax->ssyn_validate;
399 } else { /* normalization */
400 validf = ad->ad_type->sat_syntax->ssyn_validate;
401 mr = ad->ad_type->sat_equality;
402 if( mr && (!( mr->smr_usage & SLAP_MR_MUTATION_NORMALIZER ))) {
403 normf = mr->smr_normalize;
408 /* validate value before normalization */
409 rc = ( *validf )( ad->ad_type->sat_syntax,
412 : (struct berval *) &slap_empty_bv );
414 if ( rc != LDAP_SUCCESS ) {
415 return LDAP_INVALID_SYNTAX;
421 * transform value by pretty function
422 * if value is empty, use empty_bv
424 rc = ( *transf )( ad->ad_type->sat_syntax,
427 : (struct berval *) &slap_empty_bv,
430 if ( rc != LDAP_SUCCESS ) {
431 return LDAP_INVALID_SYNTAX;
438 * if value is empty, use empty_bv
441 SLAP_MR_VALUE_OF_ASSERTION_SYNTAX,
442 ad->ad_type->sat_syntax,
446 : (struct berval *) &slap_empty_bv,
449 if ( rc != LDAP_SUCCESS ) {
450 return LDAP_INVALID_SYNTAX;
456 if ( ava->la_flags & LDAP_AVA_FREE_VALUE )
457 ber_memfree_x( ava->la_value.bv_val, ctx );
459 ava->la_flags |= LDAP_AVA_FREE_VALUE;
462 if( do_sort ) AVA_Sort( rdn, iAVA );
468 * In-place, schema-aware normalization / "pretty"ing of the
469 * structural representation of a distinguished name.
472 LDAPDN_rewrite( LDAPDN dn, unsigned flags, void *ctx )
477 assert( dn != NULL );
479 for ( iRDN = 0; dn[ iRDN ]; iRDN++ ) {
480 LDAPRDN rdn = dn[ iRDN ];
483 assert( rdn != NULL );
485 for ( iAVA = 0; rdn[ iAVA ]; iAVA++ ) {
486 LDAPAVA *ava = rdn[ iAVA ];
487 AttributeDescription *ad;
488 slap_syntax_validate_func *validf = NULL;
489 slap_mr_normalize_func *normf = NULL;
490 slap_syntax_transform_func *transf = NULL;
491 MatchingRule *mr = NULL;
492 struct berval bv = BER_BVNULL;
495 assert( ava != NULL );
497 if ( ( ad = AVA_PRIVATE( ava ) ) == NULL ) {
498 const char *text = NULL;
500 rc = slap_bv2ad( &ava->la_attr, &ad, &text );
501 if ( rc != LDAP_SUCCESS ) {
502 rc = slap_bv2undef_ad( &ava->la_attr,
504 SLAP_AD_PROXIED|slap_DN_strict );
505 if ( rc != LDAP_SUCCESS ) {
506 return LDAP_INVALID_SYNTAX;
510 ava->la_private = ( void * )ad;
515 * Replace attr oid/name with the canonical name
517 ava->la_attr = ad->ad_cname;
519 if( ava->la_flags & LDAP_AVA_BINARY ) {
520 if( ava->la_value.bv_len == 0 ) {
521 /* BER encoding is empty */
522 return LDAP_INVALID_SYNTAX;
525 /* AVA is binary encoded, don't muck with it */
526 } else if( flags & SLAP_LDAPDN_PRETTY ) {
527 transf = ad->ad_type->sat_syntax->ssyn_pretty;
529 validf = ad->ad_type->sat_syntax->ssyn_validate;
531 } else { /* normalization */
532 validf = ad->ad_type->sat_syntax->ssyn_validate;
533 mr = ad->ad_type->sat_equality;
534 if( mr && (!( mr->smr_usage & SLAP_MR_MUTATION_NORMALIZER ))) {
535 normf = mr->smr_normalize;
540 /* validate value before normalization */
541 rc = ( *validf )( ad->ad_type->sat_syntax,
544 : (struct berval *) &slap_empty_bv );
546 if ( rc != LDAP_SUCCESS ) {
547 return LDAP_INVALID_SYNTAX;
553 * transform value by pretty function
554 * if value is empty, use empty_bv
556 rc = ( *transf )( ad->ad_type->sat_syntax,
559 : (struct berval *) &slap_empty_bv,
562 if ( rc != LDAP_SUCCESS ) {
563 return LDAP_INVALID_SYNTAX;
570 * if value is empty, use empty_bv
573 SLAP_MR_VALUE_OF_ASSERTION_SYNTAX,
574 ad->ad_type->sat_syntax,
578 : (struct berval *) &slap_empty_bv,
581 if ( rc != LDAP_SUCCESS ) {
582 return LDAP_INVALID_SYNTAX;
588 if ( ava->la_flags & LDAP_AVA_FREE_VALUE )
589 ber_memfree_x( ava->la_value.bv_val, ctx );
591 ava->la_flags |= LDAP_AVA_FREE_VALUE;
594 if( do_sort ) AVA_Sort( rdn, iAVA );
610 assert( val != NULL );
611 assert( out != NULL );
613 Debug( LDAP_DEBUG_TRACE, ">>> dnNormalize: <%s>\n", val->bv_val, 0, 0 );
615 if ( val->bv_len != 0 ) {
620 * Go to structural representation
622 rc = ldap_bv2dn_x( val, &dn, LDAP_DN_FORMAT_LDAP, ctx );
623 if ( rc != LDAP_SUCCESS ) {
624 return LDAP_INVALID_SYNTAX;
627 assert( strlen( val->bv_val ) == val->bv_len );
630 * Schema-aware rewrite
632 if ( LDAPDN_rewrite( dn, 0, ctx ) != LDAP_SUCCESS ) {
633 ldap_dnfree_x( dn, ctx );
634 return LDAP_INVALID_SYNTAX;
638 * Back to string representation
640 rc = ldap_dn2bv_x( dn, out,
641 LDAP_DN_FORMAT_LDAPV3 | LDAP_DN_PRETTY, ctx );
643 ldap_dnfree_x( dn, ctx );
645 if ( rc != LDAP_SUCCESS ) {
646 return LDAP_INVALID_SYNTAX;
649 ber_dupbv_x( out, val, ctx );
652 Debug( LDAP_DEBUG_TRACE, "<<< dnNormalize: <%s>\n", out->bv_val, 0, 0 );
666 assert( val != NULL );
667 assert( out != NULL );
669 Debug( LDAP_DEBUG_TRACE, ">>> dnNormalize: <%s>\n", val->bv_val, 0, 0 );
670 if ( val->bv_len != 0 ) {
676 * Go to structural representation
678 rc = ldap_bv2rdn_x( val , &rdn, (char **) &p,
679 LDAP_DN_FORMAT_LDAP, ctx);
681 if ( rc != LDAP_SUCCESS ) {
682 return LDAP_INVALID_SYNTAX;
685 assert( strlen( val->bv_val ) == val->bv_len );
688 * Schema-aware rewrite
690 if ( LDAPRDN_rewrite( rdn, 0, ctx ) != LDAP_SUCCESS ) {
691 ldap_rdnfree_x( rdn, ctx );
692 return LDAP_INVALID_SYNTAX;
696 * Back to string representation
698 rc = ldap_rdn2bv_x( rdn, out,
699 LDAP_DN_FORMAT_LDAPV3 | LDAP_DN_PRETTY, ctx );
701 ldap_rdnfree_x( rdn, ctx );
703 if ( rc != LDAP_SUCCESS ) {
704 return LDAP_INVALID_SYNTAX;
707 ber_dupbv_x( out, val, ctx );
710 Debug( LDAP_DEBUG_TRACE, "<<< dnNormalize: <%s>\n", out->bv_val, 0, 0 );
722 assert( val != NULL );
723 assert( out != NULL );
725 Debug( LDAP_DEBUG_TRACE, ">>> dnPretty: <%s>\n", val->bv_val, 0, 0 );
727 if ( val->bv_len == 0 ) {
728 ber_dupbv_x( out, val, ctx );
730 } else if ( val->bv_len > SLAP_LDAPDN_MAXLEN ) {
731 return LDAP_INVALID_SYNTAX;
737 /* FIXME: should be liberal in what we accept */
738 rc = ldap_bv2dn_x( val, &dn, LDAP_DN_FORMAT_LDAP, ctx );
739 if ( rc != LDAP_SUCCESS ) {
740 return LDAP_INVALID_SYNTAX;
743 assert( strlen( val->bv_val ) == val->bv_len );
746 * Schema-aware rewrite
748 if ( LDAPDN_rewrite( dn, SLAP_LDAPDN_PRETTY, ctx ) != LDAP_SUCCESS ) {
749 ldap_dnfree_x( dn, ctx );
750 return LDAP_INVALID_SYNTAX;
753 /* FIXME: not sure why the default isn't pretty */
754 /* RE: the default is the form that is used as
755 * an internal representation; the pretty form
757 rc = ldap_dn2bv_x( dn, out,
758 LDAP_DN_FORMAT_LDAPV3 | LDAP_DN_PRETTY, ctx );
760 ldap_dnfree_x( dn, ctx );
762 if ( rc != LDAP_SUCCESS ) {
763 return LDAP_INVALID_SYNTAX;
767 Debug( LDAP_DEBUG_TRACE, "<<< dnPretty: <%s>\n", out->bv_val, 0, 0 );
779 assert( val != NULL );
780 assert( out != NULL );
782 Debug( LDAP_DEBUG_TRACE, ">>> dnPretty: <%s>\n", val->bv_val, 0, 0 );
784 if ( val->bv_len == 0 ) {
785 ber_dupbv_x( out, val, ctx );
787 } else if ( val->bv_len > SLAP_LDAPDN_MAXLEN ) {
788 return LDAP_INVALID_SYNTAX;
795 /* FIXME: should be liberal in what we accept */
796 rc = ldap_bv2rdn_x( val , &rdn, (char **) &p,
797 LDAP_DN_FORMAT_LDAP, ctx);
798 if ( rc != LDAP_SUCCESS ) {
799 return LDAP_INVALID_SYNTAX;
802 assert( strlen( val->bv_val ) == val->bv_len );
805 * Schema-aware rewrite
807 if ( LDAPRDN_rewrite( rdn, SLAP_LDAPDN_PRETTY, ctx ) != LDAP_SUCCESS ) {
808 ldap_rdnfree_x( rdn, ctx );
809 return LDAP_INVALID_SYNTAX;
812 /* FIXME: not sure why the default isn't pretty */
813 /* RE: the default is the form that is used as
814 * an internal representation; the pretty form
816 rc = ldap_rdn2bv_x( rdn, out,
817 LDAP_DN_FORMAT_LDAPV3 | LDAP_DN_PRETTY, ctx );
819 ldap_rdnfree_x( rdn, ctx );
821 if ( rc != LDAP_SUCCESS ) {
822 return LDAP_INVALID_SYNTAX;
826 Debug( LDAP_DEBUG_TRACE, "<<< dnPretty: <%s>\n", out->bv_val, 0, 0 );
840 assert( val != NULL );
841 assert( dn != NULL );
843 Debug( LDAP_DEBUG_TRACE, ">>> dn%sDN: <%s>\n",
844 flags == SLAP_LDAPDN_PRETTY ? "Pretty" : "Normal",
847 if ( val->bv_len == 0 ) {
850 } else if ( val->bv_len > SLAP_LDAPDN_MAXLEN ) {
851 return LDAP_INVALID_SYNTAX;
856 /* FIXME: should be liberal in what we accept */
857 rc = ldap_bv2dn_x( val, dn, LDAP_DN_FORMAT_LDAP, ctx );
858 if ( rc != LDAP_SUCCESS ) {
859 return LDAP_INVALID_SYNTAX;
862 assert( strlen( val->bv_val ) == val->bv_len );
865 * Schema-aware rewrite
867 if ( LDAPDN_rewrite( *dn, flags, ctx ) != LDAP_SUCCESS ) {
868 ldap_dnfree_x( *dn, ctx );
870 return LDAP_INVALID_SYNTAX;
874 Debug( LDAP_DEBUG_TRACE, "<<< dn%sDN\n",
875 flags == SLAP_LDAPDN_PRETTY ? "Pretty" : "Normal",
882 * Combination of both dnPretty and dnNormalize
888 struct berval *pretty,
889 struct berval *normal,
892 Debug( LDAP_DEBUG_TRACE, ">>> dnPrettyNormal: <%s>\n", val->bv_val, 0, 0 );
894 assert( val != NULL );
895 assert( pretty != NULL );
896 assert( normal != NULL );
898 if ( val->bv_len == 0 ) {
899 ber_dupbv_x( pretty, val, ctx );
900 ber_dupbv_x( normal, val, ctx );
902 } else if ( val->bv_len > SLAP_LDAPDN_MAXLEN ) {
904 return LDAP_INVALID_SYNTAX;
910 pretty->bv_val = NULL;
911 normal->bv_val = NULL;
915 /* FIXME: should be liberal in what we accept */
916 rc = ldap_bv2dn_x( val, &dn, LDAP_DN_FORMAT_LDAP, ctx );
917 if ( rc != LDAP_SUCCESS ) {
918 return LDAP_INVALID_SYNTAX;
921 assert( strlen( val->bv_val ) == val->bv_len );
924 * Schema-aware rewrite
926 if ( LDAPDN_rewrite( dn, SLAP_LDAPDN_PRETTY, ctx ) != LDAP_SUCCESS ) {
927 ldap_dnfree_x( dn, ctx );
928 return LDAP_INVALID_SYNTAX;
931 rc = ldap_dn2bv_x( dn, pretty,
932 LDAP_DN_FORMAT_LDAPV3 | LDAP_DN_PRETTY, ctx );
934 if ( rc != LDAP_SUCCESS ) {
935 ldap_dnfree_x( dn, ctx );
936 return LDAP_INVALID_SYNTAX;
939 if ( LDAPDN_rewrite( dn, 0, ctx ) != LDAP_SUCCESS ) {
940 ldap_dnfree_x( dn, ctx );
941 ber_memfree_x( pretty->bv_val, ctx );
942 pretty->bv_val = NULL;
944 return LDAP_INVALID_SYNTAX;
947 rc = ldap_dn2bv_x( dn, normal,
948 LDAP_DN_FORMAT_LDAPV3 | LDAP_DN_PRETTY, ctx );
950 ldap_dnfree_x( dn, ctx );
951 if ( rc != LDAP_SUCCESS ) {
952 ber_memfree_x( pretty->bv_val, ctx );
953 pretty->bv_val = NULL;
955 return LDAP_INVALID_SYNTAX;
959 Debug( LDAP_DEBUG_TRACE, "<<< dnPrettyNormal: <%s>, <%s>\n",
960 pretty->bv_val, normal->bv_val, 0 );
974 struct berval *value,
975 void *assertedValue )
978 struct berval *asserted = (struct berval *) assertedValue;
980 assert( matchp != NULL );
981 assert( value != NULL );
982 assert( assertedValue != NULL );
983 assert( !BER_BVISNULL( value ) );
984 assert( !BER_BVISNULL( asserted ) );
986 match = value->bv_len - asserted->bv_len;
989 match = memcmp( value->bv_val, asserted->bv_val,
993 Debug( LDAP_DEBUG_ARGS, "dnMatch %d\n\t\"%s\"\n\t\"%s\"\n",
994 match, value->bv_val, asserted->bv_val );
1001 * dnRelativeMatch routine
1009 struct berval *value,
1010 void *assertedValue )
1013 struct berval *asserted = (struct berval *) assertedValue;
1015 assert( matchp != NULL );
1016 assert( value != NULL );
1017 assert( assertedValue != NULL );
1018 assert( !BER_BVISNULL( value ) );
1019 assert( !BER_BVISNULL( asserted ) );
1021 if( mr == slap_schema.si_mr_dnSubtreeMatch ) {
1022 if( asserted->bv_len > value->bv_len ) {
1024 } else if ( asserted->bv_len == value->bv_len ) {
1025 match = memcmp( value->bv_val, asserted->bv_val,
1029 value->bv_val[value->bv_len - asserted->bv_len - 1] ))
1032 &value->bv_val[value->bv_len - asserted->bv_len],
1041 return LDAP_SUCCESS;
1044 if( mr == slap_schema.si_mr_dnSuperiorMatch ) {
1046 value = (struct berval *) assertedValue;
1047 mr = slap_schema.si_mr_dnSubordinateMatch;
1050 if( mr == slap_schema.si_mr_dnSubordinateMatch ) {
1051 if( asserted->bv_len >= value->bv_len ) {
1055 value->bv_val[value->bv_len - asserted->bv_len - 1] ))
1058 &value->bv_val[value->bv_len - asserted->bv_len],
1067 return LDAP_SUCCESS;
1070 if( mr == slap_schema.si_mr_dnOneLevelMatch ) {
1071 if( asserted->bv_len >= value->bv_len ) {
1075 value->bv_val[value->bv_len - asserted->bv_len - 1] ))
1078 &value->bv_val[value->bv_len - asserted->bv_len],
1084 rdn.bv_val = value->bv_val;
1085 rdn.bv_len = value->bv_len - asserted->bv_len - 1;
1086 match = dnIsOneLevelRDN( &rdn ) ? 0 : 1;
1094 return LDAP_SUCCESS;
1097 /* should not be reachable */
1108 struct berval *value,
1109 void *assertedValue )
1112 struct berval *asserted = (struct berval *) assertedValue;
1114 assert( matchp != NULL );
1115 assert( value != NULL );
1116 assert( assertedValue != NULL );
1118 match = value->bv_len - asserted->bv_len;
1121 match = memcmp( value->bv_val, asserted->bv_val,
1125 Debug( LDAP_DEBUG_ARGS, "rdnMatch %d\n\t\"%s\"\n\t\"%s\"\n",
1126 match, value->bv_val, asserted->bv_val );
1129 return LDAP_SUCCESS;
1134 * dnParent - dn's parent, in-place
1135 * note: the incoming dn is assumed to be normalized/prettyfied,
1136 * so that escaped rdn/ava separators are in '\'+hexpair form
1138 * note: "dn" and "pdn" can point to the same berval;
1139 * beware that, in this case, the pointer to the original buffer
1145 struct berval *pdn )
1149 p = ber_bvchr( dn, ',' );
1154 pdn->bv_val = dn->bv_val + dn->bv_len;
1158 assert( DN_SEPARATOR( p[ 0 ] ) );
1161 assert( ATTR_LEADCHAR( p[ 0 ] ) );
1162 pdn->bv_len = dn->bv_len - (p - dn->bv_val);
1169 * dnRdn - dn's rdn, in-place
1170 * note: the incoming dn is assumed to be normalized/prettyfied,
1171 * so that escaped rdn/ava separators are in '\'+hexpair form
1176 struct berval *rdn )
1181 p = ber_bvchr( dn, ',' );
1188 assert( DN_SEPARATOR( p[ 0 ] ) );
1189 assert( ATTR_LEADCHAR( p[ 1 ] ) );
1190 rdn->bv_len = p - dn->bv_val;
1205 assert( dn != NULL );
1206 assert( rdn != NULL );
1208 if( dn->bv_len == 0 ) {
1212 rc = ldap_bv2rdn_x( dn, &tmpRDN, (char **)&p, LDAP_DN_FORMAT_LDAP, ctx );
1213 if ( rc != LDAP_SUCCESS ) {
1217 rc = ldap_rdn2bv_x( tmpRDN, rdn, LDAP_DN_FORMAT_LDAPV3 | LDAP_DN_PRETTY,
1220 ldap_rdnfree_x( tmpRDN, ctx );
1225 * We can assume the input is a prettied or normalized DN
1230 struct berval *dn_in )
1234 assert( dn_in != NULL );
1236 if ( dn_in == NULL ) {
1240 if ( !dn_in->bv_len ) {
1244 if ( be != NULL && be_issuffix( be, dn_in ) ) {
1248 p = ber_bvchr( dn_in, ',' );
1250 return p ? p - dn_in->bv_val : dn_in->bv_len;
1256 * LDAP_SUCCESS if rdn is a legal rdn;
1257 * LDAP_INVALID_SYNTAX otherwise (including a sequence of rdns)
1260 rdn_validate( struct berval *rdn )
1264 * input is a pretty or normalized DN
1265 * hence, we can just search for ','
1267 if( rdn == NULL || rdn->bv_len == 0 ||
1268 rdn->bv_len > SLAP_LDAPDN_MAXLEN )
1270 return LDAP_INVALID_SYNTAX;
1272 return ber_bvchr( rdn, ',' ) == NULL
1273 ? LDAP_SUCCESS : LDAP_INVALID_SYNTAX;
1276 LDAPRDN *RDN, **DN[ 2 ] = { &RDN, NULL };
1283 if ( rdn == NULL || rdn == '\0' ) {
1290 rc = ldap_bv2rdn( rdn, &RDN, (char **)&p, LDAP_DN_FORMAT_LDAP );
1291 if ( rc != LDAP_SUCCESS ) {
1298 if ( p[ 0 ] != '\0' ) {
1303 * Schema-aware validate
1305 if ( rc == LDAP_SUCCESS ) {
1306 rc = LDAPDN_validate( DN );
1308 ldap_rdnfree( RDN );
1311 * Must validate (there's a repeated parsing ...)
1313 return ( rc == LDAP_SUCCESS );
1320 * Used by back-bdb back_modrdn to create the new dn of entries being
1323 * new_dn = parent (p_dn) + separator + rdn (newrdn) + null.
1327 build_new_dn( struct berval * new_dn,
1328 struct berval * parent_dn,
1329 struct berval * newrdn,
1334 if ( parent_dn == NULL || parent_dn->bv_len == 0 ) {
1335 ber_dupbv_x( new_dn, newrdn, memctx );
1339 new_dn->bv_len = parent_dn->bv_len + newrdn->bv_len + 1;
1340 new_dn->bv_val = (char *) slap_sl_malloc( new_dn->bv_len + 1, memctx );
1342 ptr = lutil_strncopy( new_dn->bv_val, newrdn->bv_val, newrdn->bv_len );
1344 strcpy( ptr, parent_dn->bv_val );
1349 * dnIsSuffix - tells whether suffix is a suffix of dn.
1350 * Both dn and suffix must be normalized.
1354 const struct berval *dn,
1355 const struct berval *suffix )
1357 int d = dn->bv_len - suffix->bv_len;
1359 assert( dn != NULL );
1360 assert( suffix != NULL );
1362 /* empty suffix matches any dn */
1363 if ( suffix->bv_len == 0 ) {
1367 /* suffix longer than dn */
1372 /* no rdn separator or escaped rdn separator */
1373 if ( d > 1 && !DN_SEPARATOR( dn->bv_val[ d - 1 ] ) ) {
1377 /* no possible match or malformed dn */
1383 return( strcmp( dn->bv_val + d, suffix->bv_val ) == 0 );
1387 dnIsOneLevelRDN( struct berval *rdn )
1389 ber_len_t len = rdn->bv_len;
1391 if ( DN_SEPARATOR( rdn->bv_val[ len ] ) ) {
1400 static SLAP_CERT_MAP_FN *DNX509PeerNormalizeCertMap = NULL;
1403 int register_certificate_map_function(SLAP_CERT_MAP_FN *fn)
1406 if ( DNX509PeerNormalizeCertMap == NULL ) {
1407 DNX509PeerNormalizeCertMap = fn;
1417 * Convert an X.509 DN into a normalized LDAP DN
1420 dnX509normalize( void *x509_name, struct berval *out )
1422 /* Invoke the LDAP library's converter with our schema-rewriter */
1423 int rc = ldap_X509dn2bv( x509_name, out, LDAPDN_rewrite, 0 );
1425 Debug( LDAP_DEBUG_TRACE,
1426 "dnX509Normalize: <%s> (%d)\n",
1427 BER_BVISNULL( out ) ? "(null)" : out->bv_val, rc, 0 );
1433 * Get the TLS session's peer's DN into a normalized LDAP DN
1436 dnX509peerNormalize( void *ssl, struct berval *dn )
1438 int rc = LDAP_INVALID_CREDENTIALS;
1440 if ( DNX509PeerNormalizeCertMap != NULL )
1441 rc = (*DNX509PeerNormalizeCertMap)( ssl, dn );
1443 if ( rc != LDAP_SUCCESS ) {
1444 rc = ldap_pvt_tls_get_peer_dn( ssl, dn,
1445 (LDAPDN_rewrite_dummy *)LDAPDN_rewrite, 0 );