1 /* dn.c - routines for dealing with distinguished names */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
5 * Copyright 1998-2008 The OpenLDAP Foundation.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted only as authorized by the OpenLDAP
12 * A copy of this license is available in the file LICENSE in the
13 * top-level directory of the distribution or, alternatively, at
14 * <http://www.OpenLDAP.org/license.html>.
16 /* Portions Copyright (c) 1995 Regents of the University of Michigan.
17 * All rights reserved.
19 * Redistribution and use in source and binary forms are permitted
20 * provided that this notice is preserved and that due credit is given
21 * to the University of Michigan at Ann Arbor. The name of the University
22 * may not be used to endorse or promote products derived from this
23 * software without specific prior written permission. This software
24 * is provided ``as is'' without express or implied warranty.
32 #include <ac/socket.h>
33 #include <ac/string.h>
40 * The DN syntax-related functions take advantage of the dn representation
41 * handling functions ldap_str2dn/ldap_dn2str. The latter are not schema-
42 * aware, so the attributes and their values need be validated (and possibly
43 * normalized). In the current implementation the required validation/nor-
44 * malization/"pretty"ing are done on newly created DN structural represen-
45 * tations; however the idea is to move towards DN handling in structural
46 * representation instead of the current string representation. To this
47 * purpose, we need to do only the required operations and keep track of
48 * what has been done to minimize their impact on performances.
50 * Developers are strongly encouraged to use this feature, to speed-up
54 #define AVA_PRIVATE( ava ) ( ( AttributeDescription * )(ava)->la_private )
57 LDAPRDN_validate( LDAPRDN rdn )
62 assert( rdn != NULL );
64 for ( iAVA = 0; rdn[ iAVA ]; iAVA++ ) {
65 LDAPAVA *ava = rdn[ iAVA ];
66 AttributeDescription *ad;
67 slap_syntax_validate_func *validate = NULL;
69 assert( ava != NULL );
71 if ( ( ad = AVA_PRIVATE( ava ) ) == NULL ) {
72 const char *text = NULL;
74 rc = slap_bv2ad( &ava->la_attr, &ad, &text );
75 if ( rc != LDAP_SUCCESS ) {
76 rc = slap_bv2undef_ad( &ava->la_attr,
78 SLAP_AD_PROXIED|SLAP_AD_NOINSERT );
79 if ( rc != LDAP_SUCCESS ) {
80 return LDAP_INVALID_SYNTAX;
84 ava->la_private = ( void * )ad;
88 * Replace attr oid/name with the canonical name
90 ava->la_attr = ad->ad_cname;
92 validate = ad->ad_type->sat_syntax->ssyn_validate;
96 * validate value by validate function
98 rc = ( *validate )( ad->ad_type->sat_syntax,
101 if ( rc != LDAP_SUCCESS ) {
102 return LDAP_INVALID_SYNTAX;
111 * In-place, schema-aware validation of the
112 * structural representation of a distinguished name.
115 LDAPDN_validate( LDAPDN dn )
120 assert( dn != NULL );
122 for ( iRDN = 0; dn[ iRDN ]; iRDN++ ) {
123 LDAPRDN rdn = dn[ iRDN ];
126 assert( rdn != NULL );
128 for ( iAVA = 0; rdn[ iAVA ]; iAVA++ ) {
129 LDAPAVA *ava = rdn[ iAVA ];
130 AttributeDescription *ad;
131 slap_syntax_validate_func *validate = NULL;
133 assert( ava != NULL );
135 if ( ( ad = AVA_PRIVATE( ava ) ) == NULL ) {
136 const char *text = NULL;
138 rc = slap_bv2ad( &ava->la_attr, &ad, &text );
139 if ( rc != LDAP_SUCCESS ) {
140 rc = slap_bv2undef_ad( &ava->la_attr,
142 SLAP_AD_PROXIED|SLAP_AD_NOINSERT );
143 if ( rc != LDAP_SUCCESS ) {
144 return LDAP_INVALID_SYNTAX;
148 ava->la_private = ( void * )ad;
152 * Replace attr oid/name with the canonical name
154 ava->la_attr = ad->ad_cname;
156 validate = ad->ad_type->sat_syntax->ssyn_validate;
160 * validate value by validate function
162 rc = ( *validate )( ad->ad_type->sat_syntax,
165 if ( rc != LDAP_SUCCESS ) {
166 return LDAP_INVALID_SYNTAX;
176 * dn validate routine
186 assert( in != NULL );
188 if ( in->bv_len == 0 ) {
191 } else if ( in->bv_len > SLAP_LDAPDN_MAXLEN ) {
192 return LDAP_INVALID_SYNTAX;
195 rc = ldap_bv2dn( in, &dn, LDAP_DN_FORMAT_LDAP );
196 if ( rc != LDAP_SUCCESS ) {
197 return LDAP_INVALID_SYNTAX;
200 assert( strlen( in->bv_val ) == in->bv_len );
203 * Schema-aware validate
205 rc = LDAPDN_validate( dn );
208 if ( rc != LDAP_SUCCESS ) {
209 return LDAP_INVALID_SYNTAX;
224 assert( in != NULL );
225 if ( in->bv_len == 0 ) {
228 } else if ( in->bv_len > SLAP_LDAPDN_MAXLEN ) {
229 return LDAP_INVALID_SYNTAX;
232 rc = ldap_bv2rdn_x( in , &rdn, (char **) &p,
233 LDAP_DN_FORMAT_LDAP, NULL);
234 if ( rc != LDAP_SUCCESS ) {
235 return LDAP_INVALID_SYNTAX;
238 assert( strlen( in->bv_val ) == in->bv_len );
241 * Schema-aware validate
243 rc = LDAPRDN_validate( rdn );
246 if ( rc != LDAP_SUCCESS ) {
247 return LDAP_INVALID_SYNTAX;
255 * AVA sorting inside a RDN
257 * rule: sort attributeTypes in alphabetical order; in case of multiple
258 * occurrences of the same attributeType, sort values in byte order
259 * (use memcmp, which implies alphabetical order in case of IA5 value;
260 * this should guarantee the repeatability of the operation).
262 * Note: the sorting can be slightly improved by sorting first
263 * by attribute type length, then by alphabetical order.
265 * uses an insertion sort; should be fine since the number of AVAs in
266 * a RDN should be limited.
269 AVA_Sort( LDAPRDN rdn, int nAVAs )
274 assert( rdn != NULL );
276 for ( i = 1; i < nAVAs; i++ ) {
281 for ( j = i-1; j >=0; j-- ) {
285 a = strcmp( ava_i->la_attr.bv_val, ava_j->la_attr.bv_val );
290 d = ava_i->la_value.bv_len - ava_j->la_value.bv_len;
292 a = memcmp( ava_i->la_value.bv_val,
293 ava_j->la_value.bv_val,
294 d <= 0 ? ava_i->la_value.bv_len
295 : ava_j->la_value.bv_len );
301 /* Duplicates are not allowed */
303 return LDAP_INVALID_DN_SYNTAX;
308 rdn[ j+1 ] = rdn[ j ];
316 LDAPRDN_rewrite( LDAPRDN rdn, unsigned flags, void *ctx )
319 int rc, iAVA, do_sort = 0;
321 for ( iAVA = 0; rdn[ iAVA ]; iAVA++ ) {
322 LDAPAVA *ava = rdn[ iAVA ];
323 AttributeDescription *ad;
324 slap_syntax_validate_func *validf = NULL;
325 slap_mr_normalize_func *normf = NULL;
326 slap_syntax_transform_func *transf = NULL;
327 MatchingRule *mr = NULL;
328 struct berval bv = BER_BVNULL;
330 assert( ava != NULL );
332 if ( ( ad = AVA_PRIVATE( ava ) ) == NULL ) {
333 const char *text = NULL;
335 rc = slap_bv2ad( &ava->la_attr, &ad, &text );
336 if ( rc != LDAP_SUCCESS ) {
337 rc = slap_bv2undef_ad( &ava->la_attr,
339 SLAP_AD_PROXIED|SLAP_AD_NOINSERT );
340 if ( rc != LDAP_SUCCESS ) {
341 return LDAP_INVALID_SYNTAX;
345 ava->la_private = ( void * )ad;
350 * Replace attr oid/name with the canonical name
352 ava->la_attr = ad->ad_cname;
354 if( ava->la_flags & LDAP_AVA_BINARY ) {
355 if( ava->la_value.bv_len == 0 ) {
356 /* BER encoding is empty */
357 return LDAP_INVALID_SYNTAX;
360 /* AVA is binary encoded, don't muck with it */
361 } else if( flags & SLAP_LDAPDN_PRETTY ) {
362 transf = ad->ad_type->sat_syntax->ssyn_pretty;
364 validf = ad->ad_type->sat_syntax->ssyn_validate;
366 } else { /* normalization */
367 validf = ad->ad_type->sat_syntax->ssyn_validate;
368 mr = ad->ad_type->sat_equality;
369 if( mr && (!( mr->smr_usage & SLAP_MR_MUTATION_NORMALIZER ))) {
370 normf = mr->smr_normalize;
375 /* validate value before normalization */
376 rc = ( *validf )( ad->ad_type->sat_syntax,
379 : (struct berval *) &slap_empty_bv );
381 if ( rc != LDAP_SUCCESS ) {
382 return LDAP_INVALID_SYNTAX;
388 * transform value by pretty function
389 * if value is empty, use empty_bv
391 rc = ( *transf )( ad->ad_type->sat_syntax,
394 : (struct berval *) &slap_empty_bv,
397 if ( rc != LDAP_SUCCESS ) {
398 return LDAP_INVALID_SYNTAX;
405 * if value is empty, use empty_bv
408 SLAP_MR_VALUE_OF_ASSERTION_SYNTAX,
409 ad->ad_type->sat_syntax,
413 : (struct berval *) &slap_empty_bv,
416 if ( rc != LDAP_SUCCESS ) {
417 return LDAP_INVALID_SYNTAX;
423 if ( ava->la_flags & LDAP_AVA_FREE_VALUE )
424 ber_memfree_x( ava->la_value.bv_val, ctx );
426 ava->la_flags |= LDAP_AVA_FREE_VALUE;
432 rc = AVA_Sort( rdn, iAVA );
439 * In-place, schema-aware normalization / "pretty"ing of the
440 * structural representation of a distinguished name.
443 LDAPDN_rewrite( LDAPDN dn, unsigned flags, void *ctx )
445 int iRDN, do_sort = 0;
448 assert( dn != NULL );
450 for ( iRDN = 0; dn[ iRDN ]; iRDN++ ) {
451 LDAPRDN rdn = dn[ iRDN ];
454 assert( rdn != NULL );
456 for ( iAVA = 0; rdn[ iAVA ]; iAVA++ ) {
457 LDAPAVA *ava = rdn[ iAVA ];
458 AttributeDescription *ad;
459 slap_syntax_validate_func *validf = NULL;
460 slap_mr_normalize_func *normf = NULL;
461 slap_syntax_transform_func *transf = NULL;
462 MatchingRule *mr = NULL;
463 struct berval bv = BER_BVNULL;
465 assert( ava != NULL );
467 if ( ( ad = AVA_PRIVATE( ava ) ) == NULL ) {
468 const char *text = NULL;
470 rc = slap_bv2ad( &ava->la_attr, &ad, &text );
471 if ( rc != LDAP_SUCCESS ) {
472 rc = slap_bv2undef_ad( &ava->la_attr,
474 SLAP_AD_PROXIED|SLAP_AD_NOINSERT );
475 if ( rc != LDAP_SUCCESS ) {
476 return LDAP_INVALID_SYNTAX;
480 ava->la_private = ( void * )ad;
485 * Replace attr oid/name with the canonical name
487 ava->la_attr = ad->ad_cname;
489 if( ava->la_flags & LDAP_AVA_BINARY ) {
490 if( ava->la_value.bv_len == 0 ) {
491 /* BER encoding is empty */
492 return LDAP_INVALID_SYNTAX;
495 /* AVA is binary encoded, don't muck with it */
496 } else if( flags & SLAP_LDAPDN_PRETTY ) {
497 transf = ad->ad_type->sat_syntax->ssyn_pretty;
499 validf = ad->ad_type->sat_syntax->ssyn_validate;
501 } else { /* normalization */
502 validf = ad->ad_type->sat_syntax->ssyn_validate;
503 mr = ad->ad_type->sat_equality;
504 if( mr && (!( mr->smr_usage & SLAP_MR_MUTATION_NORMALIZER ))) {
505 normf = mr->smr_normalize;
510 /* validate value before normalization */
511 rc = ( *validf )( ad->ad_type->sat_syntax,
514 : (struct berval *) &slap_empty_bv );
516 if ( rc != LDAP_SUCCESS ) {
517 return LDAP_INVALID_SYNTAX;
523 * transform value by pretty function
524 * if value is empty, use empty_bv
526 rc = ( *transf )( ad->ad_type->sat_syntax,
529 : (struct berval *) &slap_empty_bv,
532 if ( rc != LDAP_SUCCESS ) {
533 return LDAP_INVALID_SYNTAX;
540 * if value is empty, use empty_bv
543 SLAP_MR_VALUE_OF_ASSERTION_SYNTAX,
544 ad->ad_type->sat_syntax,
548 : (struct berval *) &slap_empty_bv,
551 if ( rc != LDAP_SUCCESS ) {
552 return LDAP_INVALID_SYNTAX;
558 if ( ava->la_flags & LDAP_AVA_FREE_VALUE )
559 ber_memfree_x( ava->la_value.bv_val, ctx );
561 ava->la_flags |= LDAP_AVA_FREE_VALUE;
566 rc = AVA_Sort( rdn, iAVA );
567 if ( rc != LDAP_SUCCESS )
583 assert( val != NULL );
584 assert( out != NULL );
586 Debug( LDAP_DEBUG_TRACE, ">>> dnNormalize: <%s>\n", val->bv_val, 0, 0 );
588 if ( val->bv_len != 0 ) {
593 * Go to structural representation
595 rc = ldap_bv2dn_x( val, &dn, LDAP_DN_FORMAT_LDAP, ctx );
596 if ( rc != LDAP_SUCCESS ) {
597 return LDAP_INVALID_SYNTAX;
600 assert( strlen( val->bv_val ) == val->bv_len );
603 * Schema-aware rewrite
605 if ( LDAPDN_rewrite( dn, 0, ctx ) != LDAP_SUCCESS ) {
606 ldap_dnfree_x( dn, ctx );
607 return LDAP_INVALID_SYNTAX;
611 * Back to string representation
613 rc = ldap_dn2bv_x( dn, out,
614 LDAP_DN_FORMAT_LDAPV3 | LDAP_DN_PRETTY, ctx );
616 ldap_dnfree_x( dn, ctx );
618 if ( rc != LDAP_SUCCESS ) {
619 return LDAP_INVALID_SYNTAX;
622 ber_dupbv_x( out, val, ctx );
625 Debug( LDAP_DEBUG_TRACE, "<<< dnNormalize: <%s>\n", out->bv_val, 0, 0 );
639 assert( val != NULL );
640 assert( out != NULL );
642 Debug( LDAP_DEBUG_TRACE, ">>> dnNormalize: <%s>\n", val->bv_val, 0, 0 );
643 if ( val->bv_len != 0 ) {
649 * Go to structural representation
651 rc = ldap_bv2rdn_x( val , &rdn, (char **) &p,
652 LDAP_DN_FORMAT_LDAP, ctx);
654 if ( rc != LDAP_SUCCESS ) {
655 return LDAP_INVALID_SYNTAX;
658 assert( strlen( val->bv_val ) == val->bv_len );
661 * Schema-aware rewrite
663 if ( LDAPRDN_rewrite( rdn, 0, ctx ) != LDAP_SUCCESS ) {
664 ldap_rdnfree_x( rdn, ctx );
665 return LDAP_INVALID_SYNTAX;
669 * Back to string representation
671 rc = ldap_rdn2bv_x( rdn, out,
672 LDAP_DN_FORMAT_LDAPV3 | LDAP_DN_PRETTY, ctx );
674 ldap_rdnfree_x( rdn, ctx );
676 if ( rc != LDAP_SUCCESS ) {
677 return LDAP_INVALID_SYNTAX;
680 ber_dupbv_x( out, val, ctx );
683 Debug( LDAP_DEBUG_TRACE, "<<< dnNormalize: <%s>\n", out->bv_val, 0, 0 );
695 assert( val != NULL );
696 assert( out != NULL );
698 Debug( LDAP_DEBUG_TRACE, ">>> dnPretty: <%s>\n", val->bv_val, 0, 0 );
700 if ( val->bv_len == 0 ) {
701 ber_dupbv_x( out, val, ctx );
703 } else if ( val->bv_len > SLAP_LDAPDN_MAXLEN ) {
704 return LDAP_INVALID_SYNTAX;
710 /* FIXME: should be liberal in what we accept */
711 rc = ldap_bv2dn_x( val, &dn, LDAP_DN_FORMAT_LDAP, ctx );
712 if ( rc != LDAP_SUCCESS ) {
713 return LDAP_INVALID_SYNTAX;
716 assert( strlen( val->bv_val ) == val->bv_len );
719 * Schema-aware rewrite
721 if ( LDAPDN_rewrite( dn, SLAP_LDAPDN_PRETTY, ctx ) != LDAP_SUCCESS ) {
722 ldap_dnfree_x( dn, ctx );
723 return LDAP_INVALID_SYNTAX;
726 /* FIXME: not sure why the default isn't pretty */
727 /* RE: the default is the form that is used as
728 * an internal representation; the pretty form
730 rc = ldap_dn2bv_x( dn, out,
731 LDAP_DN_FORMAT_LDAPV3 | LDAP_DN_PRETTY, ctx );
733 ldap_dnfree_x( dn, ctx );
735 if ( rc != LDAP_SUCCESS ) {
736 return LDAP_INVALID_SYNTAX;
740 Debug( LDAP_DEBUG_TRACE, "<<< dnPretty: <%s>\n", out->bv_val, 0, 0 );
752 assert( val != NULL );
753 assert( out != NULL );
755 Debug( LDAP_DEBUG_TRACE, ">>> dnPretty: <%s>\n", val->bv_val, 0, 0 );
757 if ( val->bv_len == 0 ) {
758 ber_dupbv_x( out, val, ctx );
760 } else if ( val->bv_len > SLAP_LDAPDN_MAXLEN ) {
761 return LDAP_INVALID_SYNTAX;
768 /* FIXME: should be liberal in what we accept */
769 rc = ldap_bv2rdn_x( val , &rdn, (char **) &p,
770 LDAP_DN_FORMAT_LDAP, ctx);
771 if ( rc != LDAP_SUCCESS ) {
772 return LDAP_INVALID_SYNTAX;
775 assert( strlen( val->bv_val ) == val->bv_len );
778 * Schema-aware rewrite
780 if ( LDAPRDN_rewrite( rdn, SLAP_LDAPDN_PRETTY, ctx ) != LDAP_SUCCESS ) {
781 ldap_rdnfree_x( rdn, ctx );
782 return LDAP_INVALID_SYNTAX;
785 /* FIXME: not sure why the default isn't pretty */
786 /* RE: the default is the form that is used as
787 * an internal representation; the pretty form
789 rc = ldap_rdn2bv_x( rdn, out,
790 LDAP_DN_FORMAT_LDAPV3 | LDAP_DN_PRETTY, ctx );
792 ldap_rdnfree_x( rdn, ctx );
794 if ( rc != LDAP_SUCCESS ) {
795 return LDAP_INVALID_SYNTAX;
799 Debug( LDAP_DEBUG_TRACE, "<<< dnPretty: <%s>\n", out->bv_val, 0, 0 );
813 assert( val != NULL );
814 assert( dn != NULL );
816 Debug( LDAP_DEBUG_TRACE, ">>> dn%sDN: <%s>\n",
817 flags == SLAP_LDAPDN_PRETTY ? "Pretty" : "Normal",
820 if ( val->bv_len == 0 ) {
823 } else if ( val->bv_len > SLAP_LDAPDN_MAXLEN ) {
824 return LDAP_INVALID_SYNTAX;
829 /* FIXME: should be liberal in what we accept */
830 rc = ldap_bv2dn_x( val, dn, LDAP_DN_FORMAT_LDAP, ctx );
831 if ( rc != LDAP_SUCCESS ) {
832 return LDAP_INVALID_SYNTAX;
835 assert( strlen( val->bv_val ) == val->bv_len );
838 * Schema-aware rewrite
840 if ( LDAPDN_rewrite( *dn, flags, ctx ) != LDAP_SUCCESS ) {
841 ldap_dnfree_x( *dn, ctx );
843 return LDAP_INVALID_SYNTAX;
847 Debug( LDAP_DEBUG_TRACE, "<<< dn%sDN\n",
848 flags == SLAP_LDAPDN_PRETTY ? "Pretty" : "Normal",
855 * Combination of both dnPretty and dnNormalize
861 struct berval *pretty,
862 struct berval *normal,
865 Debug( LDAP_DEBUG_TRACE, ">>> dnPrettyNormal: <%s>\n", val->bv_val, 0, 0 );
867 assert( val != NULL );
868 assert( pretty != NULL );
869 assert( normal != NULL );
871 if ( val->bv_len == 0 ) {
872 ber_dupbv_x( pretty, val, ctx );
873 ber_dupbv_x( normal, val, ctx );
875 } else if ( val->bv_len > SLAP_LDAPDN_MAXLEN ) {
877 return LDAP_INVALID_SYNTAX;
883 pretty->bv_val = NULL;
884 normal->bv_val = NULL;
888 /* FIXME: should be liberal in what we accept */
889 rc = ldap_bv2dn_x( val, &dn, LDAP_DN_FORMAT_LDAP, ctx );
890 if ( rc != LDAP_SUCCESS ) {
891 return LDAP_INVALID_SYNTAX;
894 assert( strlen( val->bv_val ) == val->bv_len );
897 * Schema-aware rewrite
899 if ( LDAPDN_rewrite( dn, SLAP_LDAPDN_PRETTY, ctx ) != LDAP_SUCCESS ) {
900 ldap_dnfree_x( dn, ctx );
901 return LDAP_INVALID_SYNTAX;
904 rc = ldap_dn2bv_x( dn, pretty,
905 LDAP_DN_FORMAT_LDAPV3 | LDAP_DN_PRETTY, ctx );
907 if ( rc != LDAP_SUCCESS ) {
908 ldap_dnfree_x( dn, ctx );
909 return LDAP_INVALID_SYNTAX;
912 if ( LDAPDN_rewrite( dn, 0, ctx ) != LDAP_SUCCESS ) {
913 ldap_dnfree_x( dn, ctx );
914 ber_memfree_x( pretty->bv_val, ctx );
915 pretty->bv_val = NULL;
917 return LDAP_INVALID_SYNTAX;
920 rc = ldap_dn2bv_x( dn, normal,
921 LDAP_DN_FORMAT_LDAPV3 | LDAP_DN_PRETTY, ctx );
923 ldap_dnfree_x( dn, ctx );
924 if ( rc != LDAP_SUCCESS ) {
925 ber_memfree_x( pretty->bv_val, ctx );
926 pretty->bv_val = NULL;
928 return LDAP_INVALID_SYNTAX;
932 Debug( LDAP_DEBUG_TRACE, "<<< dnPrettyNormal: <%s>, <%s>\n",
933 pretty->bv_val, normal->bv_val, 0 );
947 struct berval *value,
948 void *assertedValue )
951 struct berval *asserted = (struct berval *) assertedValue;
953 assert( matchp != NULL );
954 assert( value != NULL );
955 assert( assertedValue != NULL );
956 assert( !BER_BVISNULL( value ) );
957 assert( !BER_BVISNULL( asserted ) );
959 match = value->bv_len - asserted->bv_len;
962 match = memcmp( value->bv_val, asserted->bv_val,
966 Debug( LDAP_DEBUG_ARGS, "dnMatch %d\n\t\"%s\"\n\t\"%s\"\n",
967 match, value->bv_val, asserted->bv_val );
974 * dnRelativeMatch routine
982 struct berval *value,
983 void *assertedValue )
986 struct berval *asserted = (struct berval *) assertedValue;
988 assert( matchp != NULL );
989 assert( value != NULL );
990 assert( assertedValue != NULL );
991 assert( !BER_BVISNULL( value ) );
992 assert( !BER_BVISNULL( asserted ) );
994 if( mr == slap_schema.si_mr_dnSubtreeMatch ) {
995 if( asserted->bv_len > value->bv_len ) {
997 } else if ( asserted->bv_len == value->bv_len ) {
998 match = memcmp( value->bv_val, asserted->bv_val,
1002 value->bv_val[value->bv_len - asserted->bv_len - 1] ))
1005 &value->bv_val[value->bv_len - asserted->bv_len],
1014 return LDAP_SUCCESS;
1017 if( mr == slap_schema.si_mr_dnSuperiorMatch ) {
1019 value = (struct berval *) assertedValue;
1020 mr = slap_schema.si_mr_dnSubordinateMatch;
1023 if( mr == slap_schema.si_mr_dnSubordinateMatch ) {
1024 if( asserted->bv_len >= value->bv_len ) {
1028 value->bv_val[value->bv_len - asserted->bv_len - 1] ))
1031 &value->bv_val[value->bv_len - asserted->bv_len],
1040 return LDAP_SUCCESS;
1043 if( mr == slap_schema.si_mr_dnOneLevelMatch ) {
1044 if( asserted->bv_len >= value->bv_len ) {
1048 value->bv_val[value->bv_len - asserted->bv_len - 1] ))
1051 &value->bv_val[value->bv_len - asserted->bv_len],
1057 rdn.bv_val = value->bv_val;
1058 rdn.bv_len = value->bv_len - asserted->bv_len - 1;
1059 match = dnIsOneLevelRDN( &rdn ) ? 0 : 1;
1067 return LDAP_SUCCESS;
1070 /* should not be reachable */
1081 struct berval *value,
1082 void *assertedValue )
1085 struct berval *asserted = (struct berval *) assertedValue;
1087 assert( matchp != NULL );
1088 assert( value != NULL );
1089 assert( assertedValue != NULL );
1091 match = value->bv_len - asserted->bv_len;
1094 match = memcmp( value->bv_val, asserted->bv_val,
1098 Debug( LDAP_DEBUG_ARGS, "rdnMatch %d\n\t\"%s\"\n\t\"%s\"\n",
1099 match, value->bv_val, asserted->bv_val );
1102 return LDAP_SUCCESS;
1107 * dnParent - dn's parent, in-place
1108 * note: the incoming dn is assumed to be normalized/prettyfied,
1109 * so that escaped rdn/ava separators are in '\'+hexpair form
1111 * note: "dn" and "pdn" can point to the same berval;
1112 * beware that, in this case, the pointer to the original buffer
1118 struct berval *pdn )
1122 p = ber_bvchr( dn, ',' );
1127 pdn->bv_val = dn->bv_val + dn->bv_len;
1131 assert( DN_SEPARATOR( p[ 0 ] ) );
1134 assert( ATTR_LEADCHAR( p[ 0 ] ) );
1135 pdn->bv_len = dn->bv_len - (p - dn->bv_val);
1142 * dnRdn - dn's rdn, in-place
1143 * note: the incoming dn is assumed to be normalized/prettyfied,
1144 * so that escaped rdn/ava separators are in '\'+hexpair form
1149 struct berval *rdn )
1154 p = ber_bvchr( dn, ',' );
1161 assert( DN_SEPARATOR( p[ 0 ] ) );
1162 assert( ATTR_LEADCHAR( p[ 1 ] ) );
1163 rdn->bv_len = p - dn->bv_val;
1178 assert( dn != NULL );
1179 assert( rdn != NULL );
1181 if( dn->bv_len == 0 ) {
1185 rc = ldap_bv2rdn_x( dn, &tmpRDN, (char **)&p, LDAP_DN_FORMAT_LDAP, ctx );
1186 if ( rc != LDAP_SUCCESS ) {
1190 rc = ldap_rdn2bv_x( tmpRDN, rdn, LDAP_DN_FORMAT_LDAPV3 | LDAP_DN_PRETTY,
1193 ldap_rdnfree_x( tmpRDN, ctx );
1198 * We can assume the input is a prettied or normalized DN
1203 struct berval *dn_in )
1207 assert( dn_in != NULL );
1209 if ( dn_in == NULL ) {
1213 if ( !dn_in->bv_len ) {
1217 if ( be != NULL && be_issuffix( be, dn_in ) ) {
1221 p = ber_bvchr( dn_in, ',' );
1223 return p ? p - dn_in->bv_val : dn_in->bv_len;
1229 * LDAP_SUCCESS if rdn is a legal rdn;
1230 * LDAP_INVALID_SYNTAX otherwise (including a sequence of rdns)
1233 rdn_validate( struct berval *rdn )
1237 * input is a pretty or normalized DN
1238 * hence, we can just search for ','
1240 if( rdn == NULL || rdn->bv_len == 0 ||
1241 rdn->bv_len > SLAP_LDAPDN_MAXLEN )
1243 return LDAP_INVALID_SYNTAX;
1245 return ber_bvchr( rdn, ',' ) == NULL
1246 ? LDAP_SUCCESS : LDAP_INVALID_SYNTAX;
1249 LDAPRDN *RDN, **DN[ 2 ] = { &RDN, NULL };
1256 if ( rdn == NULL || rdn == '\0' ) {
1263 rc = ldap_bv2rdn( rdn, &RDN, (char **)&p, LDAP_DN_FORMAT_LDAP );
1264 if ( rc != LDAP_SUCCESS ) {
1271 if ( p[ 0 ] != '\0' ) {
1276 * Schema-aware validate
1278 if ( rc == LDAP_SUCCESS ) {
1279 rc = LDAPDN_validate( DN );
1281 ldap_rdnfree( RDN );
1284 * Must validate (there's a repeated parsing ...)
1286 return ( rc == LDAP_SUCCESS );
1293 * Used by ldbm/bdb2 back_modrdn to create the new dn of entries being
1296 * new_dn = parent (p_dn) + separator + rdn (newrdn) + null.
1300 build_new_dn( struct berval * new_dn,
1301 struct berval * parent_dn,
1302 struct berval * newrdn,
1307 if ( parent_dn == NULL || parent_dn->bv_len == 0 ) {
1308 ber_dupbv( new_dn, newrdn );
1312 new_dn->bv_len = parent_dn->bv_len + newrdn->bv_len + 1;
1313 new_dn->bv_val = (char *) slap_sl_malloc( new_dn->bv_len + 1, memctx );
1315 ptr = lutil_strncopy( new_dn->bv_val, newrdn->bv_val, newrdn->bv_len );
1317 strcpy( ptr, parent_dn->bv_val );
1322 * dnIsSuffix - tells whether suffix is a suffix of dn.
1323 * Both dn and suffix must be normalized.
1327 const struct berval *dn,
1328 const struct berval *suffix )
1330 int d = dn->bv_len - suffix->bv_len;
1332 assert( dn != NULL );
1333 assert( suffix != NULL );
1335 /* empty suffix matches any dn */
1336 if ( suffix->bv_len == 0 ) {
1340 /* suffix longer than dn */
1345 /* no rdn separator or escaped rdn separator */
1346 if ( d > 1 && !DN_SEPARATOR( dn->bv_val[ d - 1 ] ) ) {
1350 /* no possible match or malformed dn */
1356 return( strcmp( dn->bv_val + d, suffix->bv_val ) == 0 );
1360 dnIsOneLevelRDN( struct berval *rdn )
1362 ber_len_t len = rdn->bv_len;
1364 if ( DN_SEPARATOR( rdn->bv_val[ len ] ) ) {
1373 static SLAP_CERT_MAP_FN *DNX509PeerNormalizeCertMap = NULL;
1376 int register_certificate_map_function(SLAP_CERT_MAP_FN *fn)
1379 if ( DNX509PeerNormalizeCertMap == NULL ) {
1380 DNX509PeerNormalizeCertMap = fn;
1390 * Convert an X.509 DN into a normalized LDAP DN
1393 dnX509normalize( void *x509_name, struct berval *out )
1395 /* Invoke the LDAP library's converter with our schema-rewriter */
1396 int rc = ldap_X509dn2bv( x509_name, out, LDAPDN_rewrite, 0 );
1398 Debug( LDAP_DEBUG_TRACE,
1399 "dnX509Normalize: <%s> (%d)\n",
1400 BER_BVISNULL( out ) ? "(null)" : out->bv_val, rc, 0 );
1406 * Get the TLS session's peer's DN into a normalized LDAP DN
1409 dnX509peerNormalize( void *ssl, struct berval *dn )
1411 int rc = LDAP_INVALID_CREDENTIALS;
1413 if ( DNX509PeerNormalizeCertMap != NULL )
1414 rc = (*DNX509PeerNormalizeCertMap)( ssl, dn );
1416 if ( rc != LDAP_SUCCESS ) {
1417 rc = ldap_pvt_tls_get_peer_dn( ssl, dn,
1418 (LDAPDN_rewrite_dummy *)LDAPDN_rewrite, 0 );