1 /* accesslog.c - log operations for audit/history purposes */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
5 * Copyright 2005-2012 The OpenLDAP Foundation.
6 * Portions copyright 2004-2005 Symas Corporation.
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted only as authorized by the OpenLDAP
13 * A copy of this license is available in the file LICENSE in the
14 * top-level directory of the distribution or, alternatively, at
15 * <http://www.OpenLDAP.org/license.html>.
18 * This work was initially developed by Howard Chu for inclusion in
24 #ifdef SLAPD_OVER_ACCESSLOG
28 #include <ac/string.h>
36 #define LOG_OP_ADD 0x001
37 #define LOG_OP_DELETE 0x002
38 #define LOG_OP_MODIFY 0x004
39 #define LOG_OP_MODRDN 0x008
40 #define LOG_OP_COMPARE 0x010
41 #define LOG_OP_SEARCH 0x020
42 #define LOG_OP_BIND 0x040
43 #define LOG_OP_UNBIND 0x080
44 #define LOG_OP_ABANDON 0x100
45 #define LOG_OP_EXTENDED 0x200
46 #define LOG_OP_UNKNOWN 0x400
48 #define LOG_OP_WRITES (LOG_OP_ADD|LOG_OP_DELETE|LOG_OP_MODIFY|LOG_OP_MODRDN)
49 #define LOG_OP_READS (LOG_OP_COMPARE|LOG_OP_SEARCH)
50 #define LOG_OP_SESSION (LOG_OP_BIND|LOG_OP_UNBIND|LOG_OP_ABANDON)
51 #define LOG_OP_ALL (LOG_OP_READS|LOG_OP_WRITES|LOG_OP_SESSION| \
52 LOG_OP_EXTENDED|LOG_OP_UNKNOWN)
54 typedef struct log_attr {
55 struct log_attr *next;
56 AttributeDescription *attr;
59 typedef struct log_base {
60 struct log_base *lb_next;
62 struct berval lb_base;
63 struct berval lb_line;
66 typedef struct log_info {
68 struct berval li_db_suffix;
75 log_attr *li_oldattrs;
76 struct berval li_uuid;
79 ldap_pvt_thread_rmutex_t li_op_rmutex;
80 ldap_pvt_thread_mutex_t li_log_mutex;
83 static ConfigDriver log_cf_gen;
95 static ConfigTable log_cfats[] = {
96 { "logdb", "suffix", 2, 2, 0, ARG_DN|ARG_MAGIC|LOG_DB,
97 log_cf_gen, "( OLcfgOvAt:4.1 NAME 'olcAccessLogDB' "
98 "DESC 'Suffix of database for log content' "
99 "SUP distinguishedName SINGLE-VALUE )", NULL, NULL },
100 { "logops", "op|writes|reads|session|all", 2, 0, 0,
102 log_cf_gen, "( OLcfgOvAt:4.2 NAME 'olcAccessLogOps' "
103 "DESC 'Operation types to log' "
104 "EQUALITY caseIgnoreMatch "
105 "SYNTAX OMsDirectoryString )", NULL, NULL },
106 { "logpurge", "age> <interval", 3, 3, 0, ARG_MAGIC|LOG_PURGE,
107 log_cf_gen, "( OLcfgOvAt:4.3 NAME 'olcAccessLogPurge' "
108 "DESC 'Log cleanup parameters' "
109 "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
110 { "logsuccess", NULL, 2, 2, 0, ARG_MAGIC|ARG_ON_OFF|LOG_SUCCESS,
111 log_cf_gen, "( OLcfgOvAt:4.4 NAME 'olcAccessLogSuccess' "
112 "DESC 'Log successful ops only' "
113 "SYNTAX OMsBoolean SINGLE-VALUE )", NULL, NULL },
114 { "logold", "filter", 2, 2, 0, ARG_MAGIC|LOG_OLD,
115 log_cf_gen, "( OLcfgOvAt:4.5 NAME 'olcAccessLogOld' "
116 "DESC 'Log old values when modifying entries matching the filter' "
117 "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
118 { "logoldattr", "attrs", 2, 0, 0, ARG_MAGIC|LOG_OLDATTR,
119 log_cf_gen, "( OLcfgOvAt:4.6 NAME 'olcAccessLogOldAttr' "
120 "DESC 'Log old values of these attributes even if unmodified' "
121 "EQUALITY caseIgnoreMatch "
122 "SYNTAX OMsDirectoryString )", NULL, NULL },
123 { "logbase", "op|writes|reads|session|all< <baseDN", 3, 3, 0,
125 log_cf_gen, "( OLcfgOvAt:4.7 NAME 'olcAccessLogBase' "
126 "DESC 'Operation types to log under a specific branch' "
127 "EQUALITY caseIgnoreMatch "
128 "SYNTAX OMsDirectoryString )", NULL, NULL },
132 static ConfigOCs log_cfocs[] = {
134 "NAME 'olcAccessLogConfig' "
135 "DESC 'Access log configuration' "
136 "SUP olcOverlayConfig "
137 "MUST olcAccessLogDB "
138 "MAY ( olcAccessLogOps $ olcAccessLogPurge $ olcAccessLogSuccess $ "
139 "olcAccessLogOld $ olcAccessLogOldAttr $ olcAccessLogBase ) )",
140 Cft_Overlay, log_cfats },
144 static slap_verbmasks logops[] = {
145 { BER_BVC("all"), LOG_OP_ALL },
146 { BER_BVC("writes"), LOG_OP_WRITES },
147 { BER_BVC("session"), LOG_OP_SESSION },
148 { BER_BVC("reads"), LOG_OP_READS },
149 { BER_BVC("add"), LOG_OP_ADD },
150 { BER_BVC("delete"), LOG_OP_DELETE },
151 { BER_BVC("modify"), LOG_OP_MODIFY },
152 { BER_BVC("modrdn"), LOG_OP_MODRDN },
153 { BER_BVC("compare"), LOG_OP_COMPARE },
154 { BER_BVC("search"), LOG_OP_SEARCH },
155 { BER_BVC("bind"), LOG_OP_BIND },
156 { BER_BVC("unbind"), LOG_OP_UNBIND },
157 { BER_BVC("abandon"), LOG_OP_ABANDON },
158 { BER_BVC("extended"), LOG_OP_EXTENDED },
159 { BER_BVC("unknown"), LOG_OP_UNKNOWN },
163 /* Start with "add" in logops */
181 static ObjectClass *log_ocs[LOG_EN__COUNT], *log_container,
182 *log_oc_read, *log_oc_write;
184 #define LOG_SCHEMA_ROOT "1.3.6.1.4.1.4203.666.11.5"
186 #define LOG_SCHEMA_AT LOG_SCHEMA_ROOT ".1"
187 #define LOG_SCHEMA_OC LOG_SCHEMA_ROOT ".2"
188 #define LOG_SCHEMA_SYN LOG_SCHEMA_ROOT ".3"
190 static AttributeDescription *ad_reqDN, *ad_reqStart, *ad_reqEnd, *ad_reqType,
191 *ad_reqSession, *ad_reqResult, *ad_reqAuthzID, *ad_reqControls,
192 *ad_reqRespControls, *ad_reqMethod, *ad_reqAssertion, *ad_reqNewRDN,
193 *ad_reqNewSuperior, *ad_reqDeleteOldRDN, *ad_reqMod,
194 *ad_reqScope, *ad_reqFilter, *ad_reqAttr, *ad_reqEntries,
195 *ad_reqSizeLimit, *ad_reqTimeLimit, *ad_reqAttrsOnly, *ad_reqData,
196 *ad_reqId, *ad_reqMessage, *ad_reqVersion, *ad_reqDerefAliases,
197 *ad_reqReferral, *ad_reqOld, *ad_auditContext, *ad_reqEntryUUID;
200 logSchemaControlValidate(
202 struct berval *val );
204 char *mrControl[] = {
205 "objectIdentifierFirstComponentMatch",
211 slap_syntax_defs_rec syn;
214 { LOG_SCHEMA_SYN ".1" ,
215 { "( " LOG_SCHEMA_SYN ".1 DESC 'Control' )",
218 logSchemaControlValidate,
226 AttributeDescription **ad;
228 { "( " LOG_SCHEMA_AT ".1 NAME 'reqDN' "
229 "DESC 'Target DN of request' "
230 "EQUALITY distinguishedNameMatch "
232 "SINGLE-VALUE )", &ad_reqDN },
233 { "( " LOG_SCHEMA_AT ".2 NAME 'reqStart' "
234 "DESC 'Start time of request' "
235 "EQUALITY generalizedTimeMatch "
236 "ORDERING generalizedTimeOrderingMatch "
237 "SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 "
238 "SINGLE-VALUE )", &ad_reqStart },
239 { "( " LOG_SCHEMA_AT ".3 NAME 'reqEnd' "
240 "DESC 'End time of request' "
241 "EQUALITY generalizedTimeMatch "
242 "ORDERING generalizedTimeOrderingMatch "
243 "SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 "
244 "SINGLE-VALUE )", &ad_reqEnd },
245 { "( " LOG_SCHEMA_AT ".4 NAME 'reqType' "
246 "DESC 'Type of request' "
247 "EQUALITY caseIgnoreMatch "
248 "SYNTAX OMsDirectoryString "
249 "SINGLE-VALUE )", &ad_reqType },
250 { "( " LOG_SCHEMA_AT ".5 NAME 'reqSession' "
251 "DESC 'Session ID of request' "
252 "EQUALITY caseIgnoreMatch "
253 "SYNTAX OMsDirectoryString "
254 "SINGLE-VALUE )", &ad_reqSession },
255 { "( " LOG_SCHEMA_AT ".6 NAME 'reqAuthzID' "
256 "DESC 'Authorization ID of requestor' "
257 "EQUALITY distinguishedNameMatch "
259 "SINGLE-VALUE )", &ad_reqAuthzID },
260 { "( " LOG_SCHEMA_AT ".7 NAME 'reqResult' "
261 "DESC 'Result code of request' "
262 "EQUALITY integerMatch "
263 "ORDERING integerOrderingMatch "
265 "SINGLE-VALUE )", &ad_reqResult },
266 { "( " LOG_SCHEMA_AT ".8 NAME 'reqMessage' "
267 "DESC 'Error text of request' "
268 "EQUALITY caseIgnoreMatch "
269 "SUBSTR caseIgnoreSubstringsMatch "
270 "SYNTAX OMsDirectoryString "
271 "SINGLE-VALUE )", &ad_reqMessage },
272 { "( " LOG_SCHEMA_AT ".9 NAME 'reqReferral' "
273 "DESC 'Referrals returned for request' "
274 "SUP labeledURI )", &ad_reqReferral },
275 { "( " LOG_SCHEMA_AT ".10 NAME 'reqControls' "
276 "DESC 'Request controls' "
277 "EQUALITY objectIdentifierFirstComponentMatch "
278 "SYNTAX " LOG_SCHEMA_SYN ".1 "
279 "X-ORDERED 'VALUES' )", &ad_reqControls },
280 { "( " LOG_SCHEMA_AT ".11 NAME 'reqRespControls' "
281 "DESC 'Response controls of request' "
282 "EQUALITY objectIdentifierFirstComponentMatch "
283 "SYNTAX " LOG_SCHEMA_SYN ".1 "
284 "X-ORDERED 'VALUES' )", &ad_reqRespControls },
285 { "( " LOG_SCHEMA_AT ".12 NAME 'reqId' "
286 "DESC 'ID of Request to Abandon' "
287 "EQUALITY integerMatch "
288 "ORDERING integerOrderingMatch "
290 "SINGLE-VALUE )", &ad_reqId },
291 { "( " LOG_SCHEMA_AT ".13 NAME 'reqVersion' "
292 "DESC 'Protocol version of Bind request' "
293 "EQUALITY integerMatch "
294 "ORDERING integerOrderingMatch "
296 "SINGLE-VALUE )", &ad_reqVersion },
297 { "( " LOG_SCHEMA_AT ".14 NAME 'reqMethod' "
298 "DESC 'Bind method of request' "
299 "EQUALITY caseIgnoreMatch "
300 "SYNTAX OMsDirectoryString "
301 "SINGLE-VALUE )", &ad_reqMethod },
302 { "( " LOG_SCHEMA_AT ".15 NAME 'reqAssertion' "
303 "DESC 'Compare Assertion of request' "
304 "SYNTAX OMsDirectoryString "
305 "SINGLE-VALUE )", &ad_reqAssertion },
306 { "( " LOG_SCHEMA_AT ".16 NAME 'reqMod' "
307 "DESC 'Modifications of request' "
308 "EQUALITY octetStringMatch "
309 "SUBSTR octetStringSubstringsMatch "
310 "SYNTAX OMsOctetString )", &ad_reqMod },
311 { "( " LOG_SCHEMA_AT ".17 NAME 'reqOld' "
312 "DESC 'Old values of entry before request completed' "
313 "EQUALITY octetStringMatch "
314 "SUBSTR octetStringSubstringsMatch "
315 "SYNTAX OMsOctetString )", &ad_reqOld },
316 { "( " LOG_SCHEMA_AT ".18 NAME 'reqNewRDN' "
317 "DESC 'New RDN of request' "
318 "EQUALITY distinguishedNameMatch "
320 "SINGLE-VALUE )", &ad_reqNewRDN },
321 { "( " LOG_SCHEMA_AT ".19 NAME 'reqDeleteOldRDN' "
322 "DESC 'Delete old RDN' "
323 "EQUALITY booleanMatch "
325 "SINGLE-VALUE )", &ad_reqDeleteOldRDN },
326 { "( " LOG_SCHEMA_AT ".20 NAME 'reqNewSuperior' "
327 "DESC 'New superior DN of request' "
328 "EQUALITY distinguishedNameMatch "
330 "SINGLE-VALUE )", &ad_reqNewSuperior },
331 { "( " LOG_SCHEMA_AT ".21 NAME 'reqScope' "
332 "DESC 'Scope of request' "
333 "EQUALITY caseIgnoreMatch "
334 "SYNTAX OMsDirectoryString "
335 "SINGLE-VALUE )", &ad_reqScope },
336 { "( " LOG_SCHEMA_AT ".22 NAME 'reqDerefAliases' "
337 "DESC 'Disposition of Aliases in request' "
338 "EQUALITY caseIgnoreMatch "
339 "SYNTAX OMsDirectoryString "
340 "SINGLE-VALUE )", &ad_reqDerefAliases },
341 { "( " LOG_SCHEMA_AT ".23 NAME 'reqAttrsOnly' "
342 "DESC 'Attributes and values of request' "
343 "EQUALITY booleanMatch "
345 "SINGLE-VALUE )", &ad_reqAttrsOnly },
346 { "( " LOG_SCHEMA_AT ".24 NAME 'reqFilter' "
347 "DESC 'Filter of request' "
348 "EQUALITY caseIgnoreMatch "
349 "SUBSTR caseIgnoreSubstringsMatch "
350 "SYNTAX OMsDirectoryString "
351 "SINGLE-VALUE )", &ad_reqFilter },
352 { "( " LOG_SCHEMA_AT ".25 NAME 'reqAttr' "
353 "DESC 'Attributes of request' "
354 "EQUALITY caseIgnoreMatch "
355 "SYNTAX OMsDirectoryString )", &ad_reqAttr },
356 { "( " LOG_SCHEMA_AT ".26 NAME 'reqSizeLimit' "
357 "DESC 'Size limit of request' "
358 "EQUALITY integerMatch "
359 "ORDERING integerOrderingMatch "
361 "SINGLE-VALUE )", &ad_reqSizeLimit },
362 { "( " LOG_SCHEMA_AT ".27 NAME 'reqTimeLimit' "
363 "DESC 'Time limit of request' "
364 "EQUALITY integerMatch "
365 "ORDERING integerOrderingMatch "
367 "SINGLE-VALUE )", &ad_reqTimeLimit },
368 { "( " LOG_SCHEMA_AT ".28 NAME 'reqEntries' "
369 "DESC 'Number of entries returned' "
370 "EQUALITY integerMatch "
371 "ORDERING integerOrderingMatch "
373 "SINGLE-VALUE )", &ad_reqEntries },
374 { "( " LOG_SCHEMA_AT ".29 NAME 'reqData' "
375 "DESC 'Data of extended request' "
376 "EQUALITY octetStringMatch "
377 "SUBSTR octetStringSubstringsMatch "
378 "SYNTAX OMsOctetString "
379 "SINGLE-VALUE )", &ad_reqData },
382 * from <draft-chu-ldap-logschema-01.txt>:
385 ( LOG_SCHEMA_AT .30 NAME 'auditContext'
386 DESC 'DN of auditContainer'
387 EQUALITY distinguishedNameMatch
388 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
389 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )
391 * - removed EQUALITY matchingRule
392 * - changed directoryOperation in dSAOperation
394 { "( " LOG_SCHEMA_AT ".30 NAME 'auditContext' "
395 "DESC 'DN of auditContainer' "
396 "SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 "
398 "NO-USER-MODIFICATION "
399 "USAGE dSAOperation )", &ad_auditContext },
404 { "( " LOG_SCHEMA_AT ".31 NAME 'reqEntryUUID' "
405 "DESC 'UUID of entry' "
406 "EQUALITY UUIDMatch "
407 "ORDERING UUIDOrderingMatch "
408 "SYNTAX 1.3.6.1.1.16.1 "
409 "SINGLE-VALUE )", &ad_reqEntryUUID },
417 { "( " LOG_SCHEMA_OC ".0 NAME 'auditContainer' "
418 "DESC 'AuditLog container' "
419 "SUP top STRUCTURAL "
420 "MAY ( cn $ reqStart $ reqEnd ) )", &log_container },
421 { "( " LOG_SCHEMA_OC ".1 NAME 'auditObject' "
422 "DESC 'OpenLDAP request auditing' "
423 "SUP top STRUCTURAL "
424 "MUST ( reqStart $ reqType $ reqSession ) "
425 "MAY ( reqDN $ reqAuthzID $ reqControls $ reqRespControls $ reqEnd $ "
426 "reqResult $ reqMessage $ reqReferral $ reqEntryUUID ) )",
427 &log_ocs[LOG_EN_UNBIND] },
428 { "( " LOG_SCHEMA_OC ".2 NAME 'auditReadObject' "
429 "DESC 'OpenLDAP read request record' "
430 "SUP auditObject STRUCTURAL )", &log_oc_read },
431 { "( " LOG_SCHEMA_OC ".3 NAME 'auditWriteObject' "
432 "DESC 'OpenLDAP write request record' "
433 "SUP auditObject STRUCTURAL )", &log_oc_write },
434 { "( " LOG_SCHEMA_OC ".4 NAME 'auditAbandon' "
435 "DESC 'Abandon operation' "
436 "SUP auditObject STRUCTURAL "
437 "MUST reqId )", &log_ocs[LOG_EN_ABANDON] },
438 { "( " LOG_SCHEMA_OC ".5 NAME 'auditAdd' "
439 "DESC 'Add operation' "
440 "SUP auditWriteObject STRUCTURAL "
441 "MUST reqMod )", &log_ocs[LOG_EN_ADD] },
442 { "( " LOG_SCHEMA_OC ".6 NAME 'auditBind' "
443 "DESC 'Bind operation' "
444 "SUP auditObject STRUCTURAL "
445 "MUST ( reqVersion $ reqMethod ) )", &log_ocs[LOG_EN_BIND] },
446 { "( " LOG_SCHEMA_OC ".7 NAME 'auditCompare' "
447 "DESC 'Compare operation' "
448 "SUP auditReadObject STRUCTURAL "
449 "MUST reqAssertion )", &log_ocs[LOG_EN_COMPARE] },
450 { "( " LOG_SCHEMA_OC ".8 NAME 'auditDelete' "
451 "DESC 'Delete operation' "
452 "SUP auditWriteObject STRUCTURAL "
453 "MAY reqOld )", &log_ocs[LOG_EN_DELETE] },
454 { "( " LOG_SCHEMA_OC ".9 NAME 'auditModify' "
455 "DESC 'Modify operation' "
456 "SUP auditWriteObject STRUCTURAL "
457 "MAY reqOld MUST reqMod )", &log_ocs[LOG_EN_MODIFY] },
458 { "( " LOG_SCHEMA_OC ".10 NAME 'auditModRDN' "
459 "DESC 'ModRDN operation' "
460 "SUP auditWriteObject STRUCTURAL "
461 "MUST ( reqNewRDN $ reqDeleteOldRDN ) "
462 "MAY ( reqNewSuperior $ reqMod $ reqOld ) )", &log_ocs[LOG_EN_MODRDN] },
463 { "( " LOG_SCHEMA_OC ".11 NAME 'auditSearch' "
464 "DESC 'Search operation' "
465 "SUP auditReadObject STRUCTURAL "
466 "MUST ( reqScope $ reqDerefAliases $ reqAttrsonly ) "
467 "MAY ( reqFilter $ reqAttr $ reqEntries $ reqSizeLimit $ "
468 "reqTimeLimit ) )", &log_ocs[LOG_EN_SEARCH] },
469 { "( " LOG_SCHEMA_OC ".12 NAME 'auditExtended' "
470 "DESC 'Extended operation' "
471 "SUP auditObject STRUCTURAL "
472 "MAY reqData )", &log_ocs[LOG_EN_EXTENDED] },
476 #define RDNEQ "reqStart="
478 /* Our time intervals are of the form [ddd+]hh:mm[:ss]
479 * If a field is present, it must be two digits. (Except for
480 * days, which can be arbitrary width.)
483 log_age_parse(char *agestr)
489 t1 = strtol( agestr, &endptr, 10 );
490 /* Is there a days delimiter? */
491 if ( *endptr == '+' ) {
492 /* 32 bit time only covers about 68 years */
493 if ( t1 < 0 || t1 > 25000 )
499 if ( agestr[2] != ':' ) {
500 /* No valid delimiter found, fail */
511 /* if there's a delimiter, it can only be a colon */
512 if ( agestr[2] != ':' )
515 /* If we're at the end of the string, and we started with days,
516 * fail because we expected to find minutes too.
518 return gotdays ? -1 : t1 * 60;
524 /* last field can only be seconds */
525 if ( agestr[2] && ( agestr[2] != ':' || !gotdays ))
535 t1 += atoi( agestr );
536 } else if ( gotdays ) {
537 /* only got days+hh:mm */
544 log_age_unparse( int age, struct berval *agebv, size_t size )
546 int dd, hh, mm, ss, len;
562 len = snprintf( ptr, size, "%d+", dd );
563 assert( len >= 0 && (unsigned) len < size );
567 len = snprintf( ptr, size, "%02d:%02d", hh, mm );
568 assert( len >= 0 && (unsigned) len < size );
572 len = snprintf( ptr, size, ":%02d", ss );
573 assert( len >= 0 && (unsigned) len < size );
578 agebv->bv_len = ptr - agebv->bv_val;
581 static slap_callback nullsc = { NULL, NULL, NULL, NULL };
583 #define PURGE_INCREMENT 100
585 typedef struct purge_data {
590 struct berval csn; /* an arbitrary old CSN */
594 log_old_lookup( Operation *op, SlapReply *rs )
596 purge_data *pd = op->o_callback->sc_private;
599 if ( rs->sr_type != REP_SEARCH) return 0;
601 if ( slapd_shutdown ) return 0;
603 /* Remember max CSN: should always be the last entry
604 * seen, since log entries are ordered chronologically...
606 a = attr_find( rs->sr_entry->e_attrs,
607 slap_schema.si_ad_entryCSN );
609 ber_len_t len = a->a_nvals[0].bv_len;
610 /* Paranoid len check, normalized CSNs are always the same length */
611 if ( len > LDAP_PVT_CSNSTR_BUFSIZE )
612 len = LDAP_PVT_CSNSTR_BUFSIZE;
613 if ( memcmp( a->a_nvals[0].bv_val, pd->csn.bv_val, len ) > 0 ) {
614 AC_MEMCPY( pd->csn.bv_val, a->a_nvals[0].bv_val, len );
615 pd->csn.bv_len = len;
618 if ( pd->used >= pd->slots ) {
619 pd->slots += PURGE_INCREMENT;
620 pd->dn = ch_realloc( pd->dn, pd->slots * sizeof( struct berval ));
621 pd->ndn = ch_realloc( pd->ndn, pd->slots * sizeof( struct berval ));
623 ber_dupbv( &pd->dn[pd->used], &rs->sr_entry->e_name );
624 ber_dupbv( &pd->ndn[pd->used], &rs->sr_entry->e_nname );
629 /* Periodically search for old entries in the log database and delete them */
631 accesslog_purge( void *ctx, void *arg )
633 struct re_s *rtask = arg;
634 struct log_info *li = rtask->arg;
636 Connection conn = {0};
637 OperationBuffer opbuf;
639 SlapReply rs = {REP_RESULT};
640 slap_callback cb = { NULL, log_old_lookup, NULL, NULL };
642 AttributeAssertion ava = ATTRIBUTEASSERTION_INIT;
644 char timebuf[LDAP_LUTIL_GENTIME_BUFSIZE];
645 char csnbuf[LDAP_PVT_CSNSTR_BUFSIZE];
646 time_t old = slap_get_time();
648 connection_fake_init( &conn, &opbuf, ctx );
651 f.f_choice = LDAP_FILTER_LE;
655 ava.aa_desc = ad_reqStart;
656 ava.aa_value.bv_val = timebuf;
657 ava.aa_value.bv_len = sizeof(timebuf);
660 slap_timestamp( &old, &ava.aa_value );
662 op->o_tag = LDAP_REQ_SEARCH;
663 op->o_bd = li->li_db;
664 op->o_dn = li->li_db->be_rootdn;
665 op->o_ndn = li->li_db->be_rootndn;
666 op->o_req_dn = li->li_db->be_suffix[0];
667 op->o_req_ndn = li->li_db->be_nsuffix[0];
668 op->o_callback = &cb;
669 op->ors_scope = LDAP_SCOPE_ONELEVEL;
670 op->ors_deref = LDAP_DEREF_NEVER;
671 op->ors_tlimit = SLAP_NO_LIMIT;
672 op->ors_slimit = SLAP_NO_LIMIT;
674 filter2bv_x( op, &f, &op->ors_filterstr );
675 op->ors_attrs = slap_anlist_no_attrs;
676 op->ors_attrsonly = 1;
678 pd.csn.bv_len = sizeof( csnbuf );
679 pd.csn.bv_val = csnbuf;
683 op->o_bd->be_search( op, &rs );
684 op->o_tmpfree( op->ors_filterstr.bv_val, op->o_tmpmemctx );
689 /* delete the expired entries */
690 op->o_tag = LDAP_REQ_DELETE;
691 op->o_callback = &nullsc;
693 op->o_dont_replicate = 1;
695 for (i=0; i<pd.used; i++) {
696 op->o_req_dn = pd.dn[i];
697 op->o_req_ndn = pd.ndn[i];
698 if ( !slapd_shutdown ) {
699 rs_reinit( &rs, REP_RESULT );
700 op->o_bd->be_delete( op, &rs );
702 ch_free( pd.ndn[i].bv_val );
703 ch_free( pd.dn[i].bv_val );
711 rs_reinit( &rs, REP_RESULT );
712 /* update context's entryCSN to reflect oldest CSN */
717 mod.sml_nvalues = NULL;
718 mod.sml_desc = slap_schema.si_ad_entryCSN;
719 mod.sml_op = LDAP_MOD_REPLACE;
720 mod.sml_flags = SLAP_MOD_INTERNAL;
723 op->o_tag = LDAP_REQ_MODIFY;
724 op->orm_modlist = &mod;
725 op->orm_no_opattrs = 1;
726 op->o_req_dn = li->li_db->be_suffix[0];
727 op->o_req_ndn = li->li_db->be_nsuffix[0];
728 op->o_no_schema_check = 1;
729 op->o_managedsait = SLAP_CONTROL_NONCRITICAL;
730 op->o_bd->be_modify( op, &rs );
731 if ( mod.sml_next ) {
732 slap_mods_free( mod.sml_next, 1 );
737 ldap_pvt_thread_mutex_lock( &slapd_rq.rq_mutex );
738 ldap_pvt_runqueue_stoptask( &slapd_rq, rtask );
739 ldap_pvt_thread_mutex_unlock( &slapd_rq.rq_mutex );
745 log_cf_gen(ConfigArgs *c)
747 slap_overinst *on = (slap_overinst *)c->bi;
748 struct log_info *li = on->on_bi.bi_private;
750 slap_mask_t tmask = 0;
751 char agebuf[2*STRLENOF("ddddd+hh:mm:ss ")];
752 struct berval agebv, cyclebv;
755 case SLAP_CONFIG_EMIT:
758 if ( !BER_BVISEMPTY( &li->li_db_suffix )) {
759 value_add_one( &c->rvalue_vals, &li->li_db_suffix );
760 value_add_one( &c->rvalue_nvals, &li->li_db_suffix );
761 } else if ( li->li_db ) {
762 value_add_one( &c->rvalue_vals, li->li_db->be_suffix );
763 value_add_one( &c->rvalue_nvals, li->li_db->be_nsuffix );
765 snprintf( c->cr_msg, sizeof( c->cr_msg ),
766 "accesslog: \"logdb <suffix>\" must be specified" );
767 Debug( LDAP_DEBUG_ANY, "%s: %s \"%s\"\n",
768 c->log, c->cr_msg, c->value_dn.bv_val );
774 rc = mask_to_verbs( logops, li->li_ops, &c->rvalue_vals );
781 agebv.bv_val = agebuf;
782 log_age_unparse( li->li_age, &agebv, sizeof( agebuf ) );
783 agebv.bv_val[agebv.bv_len] = ' ';
785 cyclebv.bv_val = agebv.bv_val + agebv.bv_len;
786 log_age_unparse( li->li_cycle, &cyclebv, sizeof( agebuf ) - agebv.bv_len );
787 agebv.bv_len += cyclebv.bv_len;
788 value_add_one( &c->rvalue_vals, &agebv );
791 if ( li->li_success )
792 c->value_int = li->li_success;
798 filter2bv( li->li_oldf, &agebv );
799 ber_bvarray_add( &c->rvalue_vals, &agebv );
805 if ( li->li_oldattrs ) {
808 for ( la = li->li_oldattrs; la; la=la->next )
809 value_add_one( &c->rvalue_vals, &la->attr->ad_cname );
815 if ( li->li_bases ) {
818 for ( lb = li->li_bases; lb; lb=lb->lb_next )
819 value_add_one( &c->rvalue_vals, &lb->lb_line );
826 case LDAP_MOD_DELETE:
829 /* noop. this should always be a valid backend. */
835 rc = verbs_to_mask( 1, &c->line, logops, &tmask );
837 li->li_ops &= ~tmask;
842 struct re_s *re = li->li_task;
844 ldap_pvt_thread_mutex_lock( &slapd_rq.rq_mutex );
845 if ( ldap_pvt_runqueue_isrunning( &slapd_rq, re ))
846 ldap_pvt_runqueue_stoptask( &slapd_rq, re );
847 ldap_pvt_runqueue_remove( &slapd_rq, re );
848 ldap_pvt_thread_mutex_unlock( &slapd_rq.rq_mutex );
858 filter_free( li->li_oldf );
866 for ( la = li->li_oldattrs; la; la = ln ) {
871 log_attr *la = NULL, **lp;
874 for ( lp = &li->li_oldattrs, i=0; i < c->valx; i++ ) {
886 for ( lb = li->li_bases; lb; lb = ln ) {
891 log_base *lb = NULL, **lp;
894 for ( lp = &li->li_bases, i=0; i < c->valx; i++ ) {
907 if ( CONFIG_ONLINE_ADD( c )) {
908 li->li_db = select_backend( &c->value_ndn, 0 );
910 snprintf( c->cr_msg, sizeof( c->cr_msg ),
911 "<%s> no matching backend found for suffix",
913 Debug( LDAP_DEBUG_ANY, "%s: %s \"%s\"\n",
914 c->log, c->cr_msg, c->value_dn.bv_val );
917 ch_free( c->value_ndn.bv_val );
919 li->li_db_suffix = c->value_ndn;
921 ch_free( c->value_dn.bv_val );
924 rc = verbs_to_mask( c->argc, c->argv, logops, &tmask );
929 li->li_age = log_age_parse( c->argv[1] );
930 if ( li->li_age < 1 ) {
933 li->li_cycle = log_age_parse( c->argv[2] );
934 if ( li->li_cycle < 1 ) {
936 } else if ( slapMode & SLAP_SERVER_MODE ) {
937 struct re_s *re = li->li_task;
939 re->interval.tv_sec = li->li_cycle;
941 ldap_pvt_thread_mutex_lock( &slapd_rq.rq_mutex );
942 li->li_task = ldap_pvt_runqueue_insert( &slapd_rq,
943 li->li_cycle, accesslog_purge, li,
944 "accesslog_purge", li->li_db ?
945 li->li_db->be_suffix[0].bv_val :
946 c->be->be_suffix[0].bv_val );
947 ldap_pvt_thread_mutex_unlock( &slapd_rq.rq_mutex );
953 li->li_success = c->value_int;
956 li->li_oldf = str2filter( c->argv[1] );
957 if ( !li->li_oldf ) {
958 snprintf( c->cr_msg, sizeof( c->cr_msg ), "bad filter!" );
964 AttributeDescription *ad;
967 for ( i=1; i< c->argc; i++ ) {
969 if ( slap_str2ad( c->argv[i], &ad, &text ) == LDAP_SUCCESS ) {
970 log_attr *la = ch_malloc( sizeof( log_attr ));
972 la->next = li->li_oldattrs;
973 li->li_oldattrs = la;
975 snprintf( c->cr_msg, sizeof( c->cr_msg ), "%s <%s>: %s",
976 c->argv[0], c->argv[i], text );
977 Debug( LDAP_DEBUG_CONFIG|LDAP_DEBUG_NONE,
978 "%s: %s\n", c->log, c->cr_msg, 0 );
987 rc = verbstring_to_mask( logops, c->argv[1], '|', &m );
989 struct berval dn, ndn;
990 ber_str2bv( c->argv[2], 0, 0, &dn );
991 rc = dnNormalize( 0, NULL, NULL, &dn, &ndn, NULL );
996 mask_to_verbstring( logops, m, '|', &mbv );
997 lb = ch_malloc( sizeof( log_base ) + mbv.bv_len + ndn.bv_len + 3 + 1 );
998 lb->lb_line.bv_val = (char *)(lb + 1);
999 lb->lb_line.bv_len = mbv.bv_len + ndn.bv_len + 3;
1000 ptr = lutil_strcopy( lb->lb_line.bv_val, mbv.bv_val );
1003 lb->lb_base.bv_val = ptr;
1004 lb->lb_base.bv_len = ndn.bv_len;
1005 ptr = lutil_strcopy( ptr, ndn.bv_val );
1008 lb->lb_next = li->li_bases;
1011 snprintf( c->cr_msg, sizeof( c->cr_msg ), "%s invalid DN: %s",
1012 c->argv[0], c->argv[2] );
1013 Debug( LDAP_DEBUG_CONFIG|LDAP_DEBUG_NONE,
1014 "%s: %s\n", c->log, c->cr_msg, 0 );
1018 snprintf( c->cr_msg, sizeof( c->cr_msg ), "%s invalid ops: %s",
1019 c->argv[0], c->argv[1] );
1020 Debug( LDAP_DEBUG_CONFIG|LDAP_DEBUG_NONE,
1021 "%s: %s\n", c->log, c->cr_msg, 0 );
1033 logSchemaControlValidate(
1035 struct berval *valp )
1037 struct berval val, bv;
1039 int rc = LDAP_SUCCESS;
1041 assert( valp != NULL );
1045 /* check minimal size */
1046 if ( val.bv_len < STRLENOF( "{*}" ) ) {
1047 return LDAP_INVALID_SYNTAX;
1052 /* check SEQUENCE boundaries */
1053 if ( val.bv_val[ 0 ] != '{' /*}*/ ||
1054 val.bv_val[ val.bv_len ] != /*{*/ '}' )
1056 return LDAP_INVALID_SYNTAX;
1059 /* extract and check OID */
1060 for ( i = 1; i < val.bv_len; i++ ) {
1061 if ( !ASCII_SPACE( val.bv_val[ i ] ) ) {
1066 bv.bv_val = &val.bv_val[ i ];
1068 for ( i++; i < val.bv_len; i++ ) {
1069 if ( ASCII_SPACE( val.bv_val[ i ] ) )
1075 bv.bv_len = &val.bv_val[ i ] - bv.bv_val;
1077 rc = numericoidValidate( NULL, &bv );
1078 if ( rc != LDAP_SUCCESS ) {
1082 if ( i == val.bv_len ) {
1083 return LDAP_SUCCESS;
1086 if ( val.bv_val[ i ] != ' ' ) {
1087 return LDAP_INVALID_SYNTAX;
1090 for ( i++; i < val.bv_len; i++ ) {
1091 if ( !ASCII_SPACE( val.bv_val[ i ] ) ) {
1096 if ( i == val.bv_len ) {
1097 return LDAP_SUCCESS;
1100 /* extract and check criticality */
1101 if ( strncasecmp( &val.bv_val[ i ], "criticality ", STRLENOF( "criticality " ) ) == 0 )
1103 i += STRLENOF( "criticality " );
1104 for ( ; i < val.bv_len; i++ ) {
1105 if ( !ASCII_SPACE( val.bv_val[ i ] ) ) {
1110 if ( i == val.bv_len ) {
1111 return LDAP_INVALID_SYNTAX;
1114 bv.bv_val = &val.bv_val[ i ];
1116 for ( ; i < val.bv_len; i++ ) {
1117 if ( ASCII_SPACE( val.bv_val[ i ] ) ) {
1122 bv.bv_len = &val.bv_val[ i ] - bv.bv_val;
1124 if ( !bvmatch( &bv, &slap_true_bv ) && !bvmatch( &bv, &slap_false_bv ) )
1126 return LDAP_INVALID_SYNTAX;
1129 if ( i == val.bv_len ) {
1130 return LDAP_SUCCESS;
1133 if ( val.bv_val[ i ] != ' ' ) {
1134 return LDAP_INVALID_SYNTAX;
1137 for ( i++; i < val.bv_len; i++ ) {
1138 if ( !ASCII_SPACE( val.bv_val[ i ] ) ) {
1143 if ( i == val.bv_len ) {
1144 return LDAP_SUCCESS;
1148 /* extract and check controlValue */
1149 if ( strncasecmp( &val.bv_val[ i ], "controlValue ", STRLENOF( "controlValue " ) ) == 0 )
1151 ber_len_t valueStart, valueLen;
1153 i += STRLENOF( "controlValue " );
1154 for ( ; i < val.bv_len; i++ ) {
1155 if ( !ASCII_SPACE( val.bv_val[ i ] ) ) {
1160 if ( i == val.bv_len ) {
1161 return LDAP_INVALID_SYNTAX;
1164 if ( val.bv_val[ i ] != '"' ) {
1165 return LDAP_INVALID_SYNTAX;
1171 for ( ; i < val.bv_len; i++ ) {
1172 if ( val.bv_val[ i ] == '"' ) {
1176 if ( !ASCII_HEX( val.bv_val[ i ] ) ) {
1177 return LDAP_INVALID_SYNTAX;
1181 if ( val.bv_val[ i ] != '"' ) {
1182 return LDAP_INVALID_SYNTAX;
1185 valueLen = i - valueStart;
1186 if ( (valueLen/2)*2 != valueLen ) {
1187 return LDAP_INVALID_SYNTAX;
1190 for ( i++; i < val.bv_len; i++ ) {
1191 if ( !ASCII_SPACE( val.bv_val[ i ] ) ) {
1196 if ( i == val.bv_len ) {
1197 return LDAP_SUCCESS;
1201 return LDAP_INVALID_SYNTAX;
1206 LDAPControl **ctrls,
1213 assert( valsp != NULL );
1214 assert( ctrls != NULL );
1219 for ( i = 0; ctrls[ i ] != NULL; i++ ) {
1227 if ( ctrls[ i ]->ldctl_oid == NULL ) {
1228 return LDAP_PROTOCOL_ERROR;
1231 idx.bv_len = snprintf( buf, sizeof( buf ), "{%ld}", i );
1234 ber_str2bv( ctrls[ i ]->ldctl_oid, 0, 0, &oid );
1235 noid.bv_len = idx.bv_len + oid.bv_len;
1236 ptr = noid.bv_val = ber_memalloc_x( noid.bv_len + 1, memctx );
1237 ptr = lutil_strcopy( ptr, idx.bv_val );
1238 ptr = lutil_strcopy( ptr, oid.bv_val );
1240 bv.bv_len = idx.bv_len + STRLENOF( "{}" ) + oid.bv_len;
1242 if ( ctrls[ i ]->ldctl_iscritical ) {
1243 bv.bv_len += STRLENOF( " criticality TRUE" );
1246 if ( !BER_BVISNULL( &ctrls[ i ]->ldctl_value ) ) {
1247 bv.bv_len += STRLENOF( " controlValue \"\"" )
1248 + 2 * ctrls[ i ]->ldctl_value.bv_len;
1251 ptr = bv.bv_val = ber_memalloc_x( bv.bv_len + 1, memctx );
1252 if ( ptr == NULL ) {
1253 ber_bvarray_free( *valsp );
1255 ber_bvarray_free( *nvalsp );
1260 ptr = lutil_strcopy( ptr, idx.bv_val );
1262 *ptr++ = '{' /*}*/ ;
1263 ptr = lutil_strcopy( ptr, oid.bv_val );
1265 if ( ctrls[ i ]->ldctl_iscritical ) {
1266 ptr = lutil_strcopy( ptr, " criticality TRUE" );
1269 if ( !BER_BVISNULL( &ctrls[ i ]->ldctl_value ) ) {
1272 ptr = lutil_strcopy( ptr, " controlValue \"" );
1273 for ( j = 0; j < ctrls[ i ]->ldctl_value.bv_len; j++ ) {
1274 *ptr++ = SLAP_ESCAPE_HI(ctrls[ i ]->ldctl_value.bv_val[ j ]);
1275 *ptr++ = SLAP_ESCAPE_LO(ctrls[ i ]->ldctl_value.bv_val[ j ]);
1284 ber_bvarray_add_x( valsp, &bv, memctx );
1285 ber_bvarray_add_x( nvalsp, &noid, memctx );
1292 static Entry *accesslog_entry( Operation *op, SlapReply *rs, int logop,
1294 slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
1295 log_info *li = on->on_bi.bi_private;
1297 char rdnbuf[STRLENOF(RDNEQ)+LDAP_LUTIL_GENTIME_BUFSIZE+8];
1298 char nrdnbuf[STRLENOF(RDNEQ)+LDAP_LUTIL_GENTIME_BUFSIZE+8];
1300 struct berval rdn, nrdn, timestamp, ntimestamp, bv;
1301 slap_verbmasks *lo = logops+logop+EN_OFFSET;
1303 Entry *e = entry_alloc();
1305 strcpy( rdnbuf, RDNEQ );
1306 rdn.bv_val = rdnbuf;
1307 strcpy( nrdnbuf, RDNEQ );
1308 nrdn.bv_val = nrdnbuf;
1310 timestamp.bv_val = rdnbuf+STRLENOF(RDNEQ);
1311 timestamp.bv_len = sizeof(rdnbuf) - STRLENOF(RDNEQ);
1312 slap_timestamp( &op->o_time, ×tamp );
1313 snprintf( timestamp.bv_val + timestamp.bv_len-1, sizeof(".123456Z"), ".%06dZ", op->o_tincr );
1314 timestamp.bv_len += STRLENOF(".123456");
1316 rdn.bv_len = STRLENOF(RDNEQ)+timestamp.bv_len;
1317 ad_reqStart->ad_type->sat_equality->smr_normalize(
1318 SLAP_MR_VALUE_OF_ASSERTION_SYNTAX, ad_reqStart->ad_type->sat_syntax,
1319 ad_reqStart->ad_type->sat_equality, ×tamp, &ntimestamp,
1322 strcpy( nrdn.bv_val + STRLENOF(RDNEQ), ntimestamp.bv_val );
1323 nrdn.bv_len = STRLENOF(RDNEQ)+ntimestamp.bv_len;
1324 build_new_dn( &e->e_name, li->li_db->be_suffix, &rdn, NULL );
1325 build_new_dn( &e->e_nname, li->li_db->be_nsuffix, &nrdn, NULL );
1327 attr_merge_one( e, slap_schema.si_ad_objectClass,
1328 &log_ocs[logop]->soc_cname, NULL );
1329 attr_merge_one( e, slap_schema.si_ad_structuralObjectClass,
1330 &log_ocs[logop]->soc_cname, NULL );
1331 attr_merge_one( e, ad_reqStart, ×tamp, &ntimestamp );
1332 op->o_tmpfree( ntimestamp.bv_val, op->o_tmpmemctx );
1334 slap_op_time( &op2->o_time, &op2->o_tincr );
1336 timestamp.bv_len = sizeof(rdnbuf) - STRLENOF(RDNEQ);
1337 slap_timestamp( &op2->o_time, ×tamp );
1338 snprintf( timestamp.bv_val + timestamp.bv_len-1, sizeof(".123456Z"), ".%06dZ", op2->o_tincr );
1339 timestamp.bv_len += STRLENOF(".123456");
1341 attr_merge_normalize_one( e, ad_reqEnd, ×tamp, op->o_tmpmemctx );
1343 /* Exops have OID appended */
1344 if ( logop == LOG_EN_EXTENDED ) {
1345 bv.bv_len = lo->word.bv_len + op->ore_reqoid.bv_len + 2;
1346 bv.bv_val = ch_malloc( bv.bv_len + 1 );
1347 AC_MEMCPY( bv.bv_val, lo->word.bv_val, lo->word.bv_len );
1348 bv.bv_val[lo->word.bv_len] = '{';
1349 AC_MEMCPY( bv.bv_val+lo->word.bv_len+1, op->ore_reqoid.bv_val,
1350 op->ore_reqoid.bv_len );
1351 bv.bv_val[bv.bv_len-1] = '}';
1352 bv.bv_val[bv.bv_len] = '\0';
1353 attr_merge_one( e, ad_reqType, &bv, NULL );
1355 attr_merge_one( e, ad_reqType, &lo->word, NULL );
1358 rdn.bv_len = snprintf( rdn.bv_val, sizeof( rdnbuf ), "%lu", op->o_connid );
1359 if ( rdn.bv_len < sizeof( rdnbuf ) ) {
1360 attr_merge_one( e, ad_reqSession, &rdn, NULL );
1363 if ( BER_BVISNULL( &op->o_dn ) ) {
1364 attr_merge_one( e, ad_reqAuthzID, (struct berval *)&slap_empty_bv,
1365 (struct berval *)&slap_empty_bv );
1367 attr_merge_one( e, ad_reqAuthzID, &op->o_dn, &op->o_ndn );
1370 /* FIXME: need to add reqControls and reqRespControls */
1371 if ( op->o_ctrls ) {
1372 BerVarray vals = NULL,
1375 if ( accesslog_ctrls( op->o_ctrls, &vals, &nvals,
1376 op->o_tmpmemctx ) == LDAP_SUCCESS && vals )
1378 attr_merge( e, ad_reqControls, vals, nvals );
1379 ber_bvarray_free_x( vals, op->o_tmpmemctx );
1380 ber_bvarray_free_x( nvals, op->o_tmpmemctx );
1384 if ( rs->sr_ctrls ) {
1385 BerVarray vals = NULL,
1388 if ( accesslog_ctrls( rs->sr_ctrls, &vals, &nvals,
1389 op->o_tmpmemctx ) == LDAP_SUCCESS && vals )
1391 attr_merge( e, ad_reqRespControls, vals, nvals );
1392 ber_bvarray_free_x( vals, op->o_tmpmemctx );
1393 ber_bvarray_free_x( nvals, op->o_tmpmemctx );
1401 static struct berval scopes[] = {
1408 static struct berval derefs[] = {
1410 BER_BVC("searching"),
1415 static struct berval simple = BER_BVC("SIMPLE");
1417 static void accesslog_val2val(AttributeDescription *ad, struct berval *val,
1418 char c_op, struct berval *dst) {
1421 dst->bv_len = ad->ad_cname.bv_len + val->bv_len + 2;
1422 if ( c_op ) dst->bv_len++;
1424 dst->bv_val = ch_malloc( dst->bv_len+1 );
1426 ptr = lutil_strcopy( dst->bv_val, ad->ad_cname.bv_val );
1431 AC_MEMCPY( ptr, val->bv_val, val->bv_len );
1432 dst->bv_val[dst->bv_len] = '\0';
1436 accesslog_op2logop( Operation *op )
1438 switch ( op->o_tag ) {
1439 case LDAP_REQ_ADD: return LOG_EN_ADD;
1440 case LDAP_REQ_DELETE: return LOG_EN_DELETE;
1441 case LDAP_REQ_MODIFY: return LOG_EN_MODIFY;
1442 case LDAP_REQ_MODRDN: return LOG_EN_MODRDN;
1443 case LDAP_REQ_COMPARE: return LOG_EN_COMPARE;
1444 case LDAP_REQ_SEARCH: return LOG_EN_SEARCH;
1445 case LDAP_REQ_BIND: return LOG_EN_BIND;
1446 case LDAP_REQ_EXTENDED: return LOG_EN_EXTENDED;
1447 default: /* unknown operation type */
1449 } /* Unbind and Abandon never reach here */
1450 return LOG_EN_UNKNOWN;
1453 static int accesslog_response(Operation *op, SlapReply *rs) {
1454 slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
1455 log_info *li = on->on_bi.bi_private;
1456 Attribute *a, *last_attr;
1458 struct berval *b, uuid = BER_BVNULL;
1460 int logop, do_graduate = 0;
1462 Entry *e = NULL, *old = NULL, *e_uuid = NULL;
1463 char timebuf[LDAP_LUTIL_GENTIME_BUFSIZE+8];
1467 Operation op2 = {0};
1468 SlapReply rs2 = {REP_RESULT};
1470 if ( rs->sr_type != REP_RESULT && rs->sr_type != REP_EXTENDED )
1471 return SLAP_CB_CONTINUE;
1473 logop = accesslog_op2logop( op );
1474 lo = logops+logop+EN_OFFSET;
1475 if ( !( li->li_ops & lo->mask )) {
1479 for ( lb = li->li_bases; lb; lb=lb->lb_next )
1480 if (( lb->lb_ops & lo->mask ) && dnIsSuffix( &op->o_req_ndn, &lb->lb_base )) {
1485 return SLAP_CB_CONTINUE;
1488 /* mutex and so were only set for write operations;
1489 * if we got here, the operation must be logged */
1490 if ( lo->mask & LOG_OP_WRITES ) {
1493 /* These internal ops are not logged */
1494 if ( op->o_dont_replicate && op->orm_no_opattrs )
1495 return SLAP_CB_CONTINUE;
1497 ldap_pvt_thread_mutex_lock( &li->li_log_mutex );
1501 BER_BVZERO( &li->li_uuid );
1502 /* Disarm mod_cleanup */
1503 for ( cb = op->o_callback; cb; cb = cb->sc_next ) {
1504 if ( cb->sc_private == (void *)on ) {
1505 cb->sc_private = NULL;
1509 ldap_pvt_thread_rmutex_unlock( &li->li_op_rmutex, op->o_tid );
1512 if ( li->li_success && rs->sr_err != LDAP_SUCCESS )
1515 e = accesslog_entry( op, rs, logop, &op2 );
1517 attr_merge_one( e, ad_reqDN, &op->o_req_dn, &op->o_req_ndn );
1519 if ( rs->sr_text ) {
1520 ber_str2bv( rs->sr_text, 0, 0, &bv );
1521 attr_merge_one( e, ad_reqMessage, &bv, NULL );
1523 bv.bv_len = snprintf( timebuf, sizeof( timebuf ), "%d", rs->sr_err );
1524 if ( bv.bv_len < sizeof( timebuf ) ) {
1525 bv.bv_val = timebuf;
1526 attr_merge_one( e, ad_reqResult, &bv, NULL );
1529 last_attr = attr_find( e->e_attrs, ad_reqResult );
1534 case LOG_EN_DELETE: {
1538 if ( logop == LOG_EN_ADD ) {
1549 /* count all the vals */
1551 for ( a=e2->e_attrs; a; a=a->a_next ) {
1554 vals = ch_malloc( (i+1) * sizeof( struct berval ));
1556 for ( a=e2->e_attrs; a; a=a->a_next ) {
1558 for (b=a->a_vals; !BER_BVISNULL( b ); b++,i++) {
1559 accesslog_val2val( a->a_desc, b, c_op, &vals[i] );
1563 vals[i].bv_val = NULL;
1565 a = attr_alloc( logop == LOG_EN_ADD ? ad_reqMod : ad_reqOld );
1569 last_attr->a_next = a;
1575 /* count all the mods */
1577 for ( m = op->orm_modlist; m; m = m->sml_next ) {
1578 if ( m->sml_values ) {
1579 i += m->sml_numvals;
1580 } else if ( m->sml_op == LDAP_MOD_DELETE ||
1581 m->sml_op == LDAP_MOD_REPLACE )
1586 vals = ch_malloc( (i+1) * sizeof( struct berval ));
1589 /* init flags on old entry */
1591 for ( a = old->e_attrs; a; a = a->a_next ) {
1595 /* look for attrs that are always logged */
1596 for ( la = li->li_oldattrs; la; la = la->next ) {
1597 if ( a->a_desc == la->attr ) {
1604 for ( m = op->orm_modlist; m; m = m->sml_next ) {
1605 /* Mark this attribute as modified */
1607 a = attr_find( old->e_attrs, m->sml_desc );
1613 /* don't log the RDN mods; they're explicitly logged later */
1614 if ( logop == LOG_EN_MODRDN &&
1615 ( m->sml_op == SLAP_MOD_SOFTADD ||
1616 m->sml_op == LDAP_MOD_DELETE ) )
1621 if ( m->sml_values ) {
1622 for ( b = m->sml_values; !BER_BVISNULL( b ); b++, i++ ) {
1625 switch ( m->sml_op ) {
1626 case LDAP_MOD_ADD: c_op = '+'; break;
1627 case LDAP_MOD_DELETE: c_op = '-'; break;
1628 case LDAP_MOD_REPLACE: c_op = '='; break;
1629 case LDAP_MOD_INCREMENT: c_op = '#'; break;
1631 /* unknown op. there shouldn't be any of these. we
1632 * don't know what to do with it, but we shouldn't just
1635 default: c_op = '?'; break;
1637 accesslog_val2val( m->sml_desc, b, c_op, &vals[i] );
1639 } else if ( m->sml_op == LDAP_MOD_DELETE ||
1640 m->sml_op == LDAP_MOD_REPLACE )
1642 vals[i].bv_len = m->sml_desc->ad_cname.bv_len + 2;
1643 vals[i].bv_val = ch_malloc( vals[i].bv_len + 1 );
1644 ptr = lutil_strcopy( vals[i].bv_val,
1645 m->sml_desc->ad_cname.bv_val );
1647 if ( m->sml_op == LDAP_MOD_DELETE ) {
1658 BER_BVZERO( &vals[i] );
1659 a = attr_alloc( ad_reqMod );
1663 last_attr->a_next = a;
1671 /* count all the vals */
1673 for ( a = old->e_attrs; a != NULL; a = a->a_next ) {
1674 if ( a->a_vals && a->a_flags ) {
1679 vals = ch_malloc( (i + 1) * sizeof( struct berval ) );
1681 for ( a=old->e_attrs; a; a=a->a_next ) {
1682 if ( a->a_vals && a->a_flags ) {
1683 for (b=a->a_vals; !BER_BVISNULL( b ); b++,i++) {
1684 accesslog_val2val( a->a_desc, b, 0, &vals[i] );
1688 vals[i].bv_val = NULL;
1690 a = attr_alloc( ad_reqOld );
1694 last_attr->a_next = a;
1697 if ( logop == LOG_EN_MODIFY ) {
1701 /* Now log the actual modRDN info */
1702 attr_merge_one( e, ad_reqNewRDN, &op->orr_newrdn, &op->orr_nnewrdn );
1703 attr_merge_one( e, ad_reqDeleteOldRDN, op->orr_deleteoldrdn ?
1704 (struct berval *)&slap_true_bv : (struct berval *)&slap_false_bv,
1706 if ( op->orr_newSup ) {
1707 attr_merge_one( e, ad_reqNewSuperior, op->orr_newSup, op->orr_nnewSup );
1711 case LOG_EN_COMPARE:
1712 bv.bv_len = op->orc_ava->aa_desc->ad_cname.bv_len + 1 +
1713 op->orc_ava->aa_value.bv_len;
1714 bv.bv_val = op->o_tmpalloc( bv.bv_len+1, op->o_tmpmemctx );
1715 ptr = lutil_strcopy( bv.bv_val, op->orc_ava->aa_desc->ad_cname.bv_val );
1717 AC_MEMCPY( ptr, op->orc_ava->aa_value.bv_val, op->orc_ava->aa_value.bv_len );
1718 bv.bv_val[bv.bv_len] = '\0';
1719 attr_merge_one( e, ad_reqAssertion, &bv, NULL );
1720 op->o_tmpfree( bv.bv_val, op->o_tmpmemctx );
1724 attr_merge_one( e, ad_reqScope, &scopes[op->ors_scope], NULL );
1725 attr_merge_one( e, ad_reqDerefAliases, &derefs[op->ors_deref], NULL );
1726 attr_merge_one( e, ad_reqAttrsOnly, op->ors_attrsonly ?
1727 (struct berval *)&slap_true_bv : (struct berval *)&slap_false_bv,
1729 if ( !BER_BVISEMPTY( &op->ors_filterstr ))
1730 attr_merge_one( e, ad_reqFilter, &op->ors_filterstr, NULL );
1731 if ( op->ors_attrs ) {
1734 for (i=0; !BER_BVISNULL(&op->ors_attrs[i].an_name );i++)
1736 vals = op->o_tmpalloc( (i+1) * sizeof(struct berval),
1738 for (i=0, j=0; !BER_BVISNULL(&op->ors_attrs[i].an_name );i++) {
1739 if (!BER_BVISEMPTY(&op->ors_attrs[i].an_name)) {
1740 vals[j] = op->ors_attrs[i].an_name;
1744 BER_BVZERO(&vals[j]);
1745 attr_merge( e, ad_reqAttr, vals, NULL );
1746 op->o_tmpfree( vals, op->o_tmpmemctx );
1748 bv.bv_val = timebuf;
1749 bv.bv_len = snprintf( bv.bv_val, sizeof( timebuf ), "%d", rs->sr_nentries );
1750 if ( bv.bv_len < sizeof( timebuf ) ) {
1751 attr_merge_one( e, ad_reqEntries, &bv, NULL );
1754 bv.bv_len = snprintf( bv.bv_val, sizeof( timebuf ), "%d", op->ors_tlimit );
1755 if ( bv.bv_len < sizeof( timebuf ) ) {
1756 attr_merge_one( e, ad_reqTimeLimit, &bv, NULL );
1759 bv.bv_len = snprintf( bv.bv_val, sizeof( timebuf ), "%d", op->ors_slimit );
1760 if ( bv.bv_len < sizeof( timebuf ) ) {
1761 attr_merge_one( e, ad_reqSizeLimit, &bv, NULL );
1766 bv.bv_val = timebuf;
1767 bv.bv_len = snprintf( bv.bv_val, sizeof( timebuf ), "%d", op->o_protocol );
1768 if ( bv.bv_len < sizeof( timebuf ) ) {
1769 attr_merge_one( e, ad_reqVersion, &bv, NULL );
1771 if ( op->orb_method == LDAP_AUTH_SIMPLE ) {
1772 attr_merge_one( e, ad_reqMethod, &simple, NULL );
1774 bv.bv_len = STRLENOF("SASL()") + op->orb_mech.bv_len;
1775 bv.bv_val = op->o_tmpalloc( bv.bv_len + 1, op->o_tmpmemctx );
1776 ptr = lutil_strcopy( bv.bv_val, "SASL(" );
1777 ptr = lutil_strcopy( ptr, op->orb_mech.bv_val );
1780 attr_merge_one( e, ad_reqMethod, &bv, NULL );
1781 op->o_tmpfree( bv.bv_val, op->o_tmpmemctx );
1786 case LOG_EN_EXTENDED:
1787 if ( op->ore_reqdata ) {
1788 attr_merge_one( e, ad_reqData, op->ore_reqdata, NULL );
1792 case LOG_EN_UNKNOWN:
1793 /* we don't know its parameters, don't add any */
1797 if ( e_uuid || !BER_BVISNULL( &uuid ) ) {
1798 struct berval *pbv = NULL;
1800 if ( !BER_BVISNULL( &uuid ) ) {
1804 a = attr_find( e_uuid->e_attrs, slap_schema.si_ad_entryUUID );
1806 pbv = &a->a_vals[0];
1811 attr_merge_normalize_one( e, ad_reqEntryUUID, pbv, op->o_tmpmemctx );
1814 if ( !BER_BVISNULL( &uuid ) ) {
1815 ber_memfree( uuid.bv_val );
1816 BER_BVZERO( &uuid );
1820 op2.o_hdr = op->o_hdr;
1821 op2.o_tag = LDAP_REQ_ADD;
1822 op2.o_bd = li->li_db;
1823 op2.o_dn = li->li_db->be_rootdn;
1824 op2.o_ndn = li->li_db->be_rootndn;
1825 op2.o_req_dn = e->e_name;
1826 op2.o_req_ndn = e->e_nname;
1828 op2.o_callback = &nullsc;
1830 if (( lo->mask & LOG_OP_WRITES ) && !BER_BVISEMPTY( &op->o_csn )) {
1831 slap_queue_csn( &op2, &op->o_csn );
1835 op2.o_bd->be_add( &op2, &rs2 );
1836 if ( e == op2.ora_e ) entry_free( e );
1838 if ( do_graduate ) {
1839 slap_graduate_commit_csn( &op2 );
1840 if ( op2.o_csn.bv_val )
1841 op->o_tmpfree( op2.o_csn.bv_val, op->o_tmpmemctx );
1845 if ( lo->mask & LOG_OP_WRITES )
1846 ldap_pvt_thread_mutex_unlock( &li->li_log_mutex );
1847 if ( old ) entry_free( old );
1848 return SLAP_CB_CONTINUE;
1851 /* Since Bind success is sent by the frontend, it won't normally enter
1852 * the overlay response callback. Add another callback to make sure it
1856 accesslog_bind_resp( Operation *op, SlapReply *rs )
1865 db.bd_info = op->o_callback->sc_private;
1866 rc = accesslog_response( op, rs );
1868 sc = op->o_callback;
1869 op->o_callback = sc->sc_next;
1870 op->o_tmpfree( sc, op->o_tmpmemctx );
1875 accesslog_op_bind( Operation *op, SlapReply *rs )
1879 sc = op->o_tmpcalloc( 1, sizeof(slap_callback), op->o_tmpmemctx );
1880 sc->sc_response = accesslog_bind_resp;
1881 sc->sc_private = op->o_bd->bd_info;
1883 if ( op->o_callback ) {
1884 sc->sc_next = op->o_callback->sc_next;
1885 op->o_callback->sc_next = sc;
1887 op->o_callback = sc;
1889 return SLAP_CB_CONTINUE;
1893 accesslog_mod_cleanup( Operation *op, SlapReply *rs )
1895 slap_callback *sc = op->o_callback;
1896 slap_overinst *on = sc->sc_private;
1897 op->o_callback = sc->sc_next;
1899 op->o_tmpfree( sc, op->o_tmpmemctx );
1902 BackendInfo *bi = op->o_bd->bd_info;
1903 op->o_bd->bd_info = (BackendInfo *)on;
1904 accesslog_response( op, rs );
1905 op->o_bd->bd_info = bi;
1911 accesslog_op_mod( Operation *op, SlapReply *rs )
1913 slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
1914 log_info *li = on->on_bi.bi_private;
1919 /* These internal ops are not logged */
1920 if ( op->o_dont_replicate && op->orm_no_opattrs )
1921 return SLAP_CB_CONTINUE;
1923 logop = accesslog_op2logop( op );
1924 lo = logops+logop+EN_OFFSET;
1926 if ( li->li_ops & lo->mask ) {
1930 for ( lb = li->li_bases; lb; lb = lb->lb_next )
1931 if (( lb->lb_ops & lo->mask ) && dnIsSuffix( &op->o_req_ndn, &lb->lb_base )) {
1938 slap_callback *cb = op->o_tmpalloc( sizeof( slap_callback ), op->o_tmpmemctx ), *cb2;
1939 cb->sc_cleanup = accesslog_mod_cleanup;
1940 cb->sc_response = NULL;
1941 cb->sc_private = on;
1943 for ( cb2 = op->o_callback; cb2->sc_next; cb2 = cb2->sc_next );
1946 ldap_pvt_thread_rmutex_lock( &li->li_op_rmutex, op->o_tid );
1947 if ( li->li_oldf && ( op->o_tag == LDAP_REQ_DELETE ||
1948 op->o_tag == LDAP_REQ_MODIFY ||
1949 ( op->o_tag == LDAP_REQ_MODRDN && li->li_oldattrs )))
1954 op->o_bd->bd_info = (BackendInfo *)on->on_info;
1955 rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &e );
1957 if ( test_filter( op, e, li->li_oldf ) == LDAP_COMPARE_TRUE )
1958 li->li_old = entry_dup( e );
1959 be_entry_release_rw( op, e, 0 );
1961 op->o_bd->bd_info = (BackendInfo *)on;
1967 op->o_bd->bd_info = (BackendInfo *)on->on_info;
1968 rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &e );
1970 Attribute *a = attr_find( e->e_attrs, slap_schema.si_ad_entryUUID );
1972 ber_dupbv( &li->li_uuid, &a->a_vals[0] );
1974 be_entry_release_rw( op, e, 0 );
1976 op->o_bd->bd_info = (BackendInfo *)on;
1979 return SLAP_CB_CONTINUE;
1982 /* unbinds are broadcast to all backends; we only log it if this
1983 * backend was used for the original bind.
1986 accesslog_unbind( Operation *op, SlapReply *rs )
1988 slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
1989 if ( op->o_conn->c_authz_backend == on->on_info->oi_origdb ) {
1990 log_info *li = on->on_bi.bi_private;
1991 Operation op2 = {0};
1992 void *cids[SLAP_MAX_CIDS];
1993 SlapReply rs2 = {REP_RESULT};
1996 if ( !( li->li_ops & LOG_OP_UNBIND )) {
2000 for ( lb = li->li_bases; lb; lb=lb->lb_next )
2001 if (( lb->lb_ops & LOG_OP_UNBIND ) && dnIsSuffix( &op->o_ndn, &lb->lb_base )) {
2006 return SLAP_CB_CONTINUE;
2009 e = accesslog_entry( op, rs, LOG_EN_UNBIND, &op2 );
2010 op2.o_hdr = op->o_hdr;
2011 op2.o_tag = LDAP_REQ_ADD;
2012 op2.o_bd = li->li_db;
2013 op2.o_dn = li->li_db->be_rootdn;
2014 op2.o_ndn = li->li_db->be_rootndn;
2015 op2.o_req_dn = e->e_name;
2016 op2.o_req_ndn = e->e_nname;
2018 op2.o_callback = &nullsc;
2019 op2.o_controls = cids;
2020 memset(cids, 0, sizeof( cids ));
2022 op2.o_bd->be_add( &op2, &rs2 );
2023 if ( e == op2.ora_e )
2026 return SLAP_CB_CONTINUE;
2030 accesslog_abandon( Operation *op, SlapReply *rs )
2032 slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
2033 log_info *li = on->on_bi.bi_private;
2034 Operation op2 = {0};
2035 void *cids[SLAP_MAX_CIDS];
2036 SlapReply rs2 = {REP_RESULT};
2042 return SLAP_CB_CONTINUE;
2044 if ( !( li->li_ops & LOG_OP_ABANDON )) {
2048 for ( lb = li->li_bases; lb; lb=lb->lb_next )
2049 if (( lb->lb_ops & LOG_OP_ABANDON ) && dnIsSuffix( &op->o_ndn, &lb->lb_base )) {
2054 return SLAP_CB_CONTINUE;
2057 e = accesslog_entry( op, rs, LOG_EN_ABANDON, &op2 );
2059 bv.bv_len = snprintf( buf, sizeof( buf ), "%d", op->orn_msgid );
2060 if ( bv.bv_len < sizeof( buf ) ) {
2061 attr_merge_one( e, ad_reqId, &bv, NULL );
2064 op2.o_hdr = op->o_hdr;
2065 op2.o_tag = LDAP_REQ_ADD;
2066 op2.o_bd = li->li_db;
2067 op2.o_dn = li->li_db->be_rootdn;
2068 op2.o_ndn = li->li_db->be_rootndn;
2069 op2.o_req_dn = e->e_name;
2070 op2.o_req_ndn = e->e_nname;
2072 op2.o_callback = &nullsc;
2073 op2.o_controls = cids;
2074 memset(cids, 0, sizeof( cids ));
2076 op2.o_bd->be_add( &op2, &rs2 );
2077 if ( e == op2.ora_e )
2080 return SLAP_CB_CONTINUE;
2084 accesslog_operational( Operation *op, SlapReply *rs )
2086 slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
2087 log_info *li = on->on_bi.bi_private;
2089 if ( op->o_sync != SLAP_CONTROL_NONE )
2090 return SLAP_CB_CONTINUE;
2092 if ( rs->sr_entry != NULL
2093 && dn_match( &op->o_bd->be_nsuffix[0], &rs->sr_entry->e_nname ) )
2097 for ( ap = &rs->sr_operational_attrs; *ap; ap = &(*ap)->a_next )
2100 if ( SLAP_OPATTRS( rs->sr_attr_flags ) ||
2101 ad_inlist( ad_auditContext, rs->sr_attrs ) )
2103 *ap = attr_alloc( ad_auditContext );
2105 &li->li_db->be_suffix[0],
2106 &li->li_db->be_nsuffix[0], 1 );
2110 return SLAP_CB_CONTINUE;
2113 static slap_overinst accesslog;
2121 slap_overinst *on = (slap_overinst *)be->bd_info;
2122 log_info *li = ch_calloc(1, sizeof(log_info));
2124 on->on_bi.bi_private = li;
2125 ldap_pvt_thread_rmutex_init( &li->li_op_rmutex );
2126 ldap_pvt_thread_mutex_init( &li->li_log_mutex );
2131 accesslog_db_destroy(
2136 slap_overinst *on = (slap_overinst *)be->bd_info;
2137 log_info *li = on->on_bi.bi_private;
2141 filter_free( li->li_oldf );
2142 for ( la=li->li_oldattrs; la; la=li->li_oldattrs ) {
2143 li->li_oldattrs = la->next;
2146 ldap_pvt_thread_mutex_destroy( &li->li_log_mutex );
2147 ldap_pvt_thread_rmutex_destroy( &li->li_op_rmutex );
2149 return LDAP_SUCCESS;
2152 /* Create the logdb's root entry if it's missing */
2158 struct re_s *rtask = arg;
2159 slap_overinst *on = rtask->arg;
2160 log_info *li = on->on_bi.bi_private;
2162 Connection conn = {0};
2163 OperationBuffer opbuf;
2169 connection_fake_init( &conn, &opbuf, ctx );
2171 op->o_bd = li->li_db;
2172 op->o_dn = li->li_db->be_rootdn;
2173 op->o_ndn = li->li_db->be_rootndn;
2174 rc = be_entry_get_rw( op, li->li_db->be_nsuffix, NULL, NULL, 0, &e );
2177 be_entry_release_rw( op, e, 0 );
2180 SlapReply rs = {REP_RESULT};
2181 struct berval rdn, nrdn, attr;
2183 AttributeDescription *ad = NULL;
2184 const char *text = NULL;
2189 ber_dupbv( &e->e_name, li->li_db->be_suffix );
2190 ber_dupbv( &e->e_nname, li->li_db->be_nsuffix );
2192 attr_merge_one( e, slap_schema.si_ad_objectClass,
2193 &log_container->soc_cname, NULL );
2195 dnRdn( &e->e_name, &rdn );
2196 dnRdn( &e->e_nname, &nrdn );
2197 ptr = ber_bvchr( &rdn, '=' );
2199 assert( ptr != NULL );
2201 attr.bv_val = rdn.bv_val;
2202 attr.bv_len = ptr - rdn.bv_val;
2204 slap_bv2ad( &attr, &ad, &text );
2207 rdn.bv_len -= attr.bv_len + 1;
2208 ptr = ber_bvchr( &nrdn, '=' );
2209 nrdn.bv_len -= ptr - nrdn.bv_val + 1;
2210 nrdn.bv_val = ptr+1;
2211 attr_merge_one( e, ad, &rdn, &nrdn );
2213 /* Get contextCSN from main DB */
2214 op->o_bd = on->on_info->oi_origdb;
2215 rc = be_entry_get_rw( op, op->o_bd->be_nsuffix, NULL,
2216 slap_schema.si_ad_contextCSN, 0, &e_ctx );
2221 a = attr_find( e_ctx->e_attrs, slap_schema.si_ad_contextCSN );
2223 /* FIXME: contextCSN could have multiple values!
2224 * should select the one with the server's SID */
2225 attr_merge_one( e, slap_schema.si_ad_entryCSN,
2226 &a->a_vals[0], &a->a_nvals[0] );
2227 attr_merge( e, a->a_desc, a->a_vals, a->a_nvals );
2229 be_entry_release_rw( op, e_ctx, 0 );
2235 op->o_req_dn = e->e_name;
2236 op->o_req_ndn = e->e_nname;
2237 op->o_callback = &nullsc;
2238 SLAP_DBFLAGS( op->o_bd ) |= SLAP_DBFLAG_NOLASTMOD;
2239 rc = op->o_bd->be_add( op, &rs );
2240 if ( e == op->ora_e )
2243 ldap_pvt_thread_mutex_lock( &slapd_rq.rq_mutex );
2244 ldap_pvt_runqueue_stoptask( &slapd_rq, rtask );
2245 ldap_pvt_runqueue_remove( &slapd_rq, rtask );
2246 ldap_pvt_thread_mutex_unlock( &slapd_rq.rq_mutex );
2257 slap_overinst *on = (slap_overinst *)be->bd_info;
2258 log_info *li = on->on_bi.bi_private;
2261 if ( !BER_BVISEMPTY( &li->li_db_suffix )) {
2262 li->li_db = select_backend( &li->li_db_suffix, 0 );
2263 ch_free( li->li_db_suffix.bv_val );
2264 BER_BVZERO( &li->li_db_suffix );
2266 if ( li->li_db == NULL ) {
2267 Debug( LDAP_DEBUG_ANY,
2268 "accesslog: \"logdb <suffix>\" missing or invalid.\n",
2273 if ( slapMode & SLAP_TOOL_MODE )
2276 if ( BER_BVISEMPTY( &li->li_db->be_rootndn )) {
2277 ber_dupbv( &li->li_db->be_rootdn, li->li_db->be_suffix );
2278 ber_dupbv( &li->li_db->be_rootndn, li->li_db->be_nsuffix );
2281 ldap_pvt_thread_mutex_lock( &slapd_rq.rq_mutex );
2282 ldap_pvt_runqueue_insert( &slapd_rq, 3600, accesslog_db_root, on,
2283 "accesslog_db_root", li->li_db->be_suffix[0].bv_val );
2284 ldap_pvt_thread_mutex_unlock( &slapd_rq.rq_mutex );
2289 int accesslog_initialize()
2293 accesslog.on_bi.bi_type = "accesslog";
2294 accesslog.on_bi.bi_db_init = accesslog_db_init;
2295 accesslog.on_bi.bi_db_destroy = accesslog_db_destroy;
2296 accesslog.on_bi.bi_db_open = accesslog_db_open;
2298 accesslog.on_bi.bi_op_add = accesslog_op_mod;
2299 accesslog.on_bi.bi_op_bind = accesslog_op_bind;
2300 accesslog.on_bi.bi_op_delete = accesslog_op_mod;
2301 accesslog.on_bi.bi_op_modify = accesslog_op_mod;
2302 accesslog.on_bi.bi_op_modrdn = accesslog_op_mod;
2303 accesslog.on_bi.bi_op_unbind = accesslog_unbind;
2304 accesslog.on_bi.bi_op_abandon = accesslog_abandon;
2305 accesslog.on_bi.bi_operational = accesslog_operational;
2306 accesslog.on_response = accesslog_response;
2308 accesslog.on_bi.bi_cf_ocs = log_cfocs;
2310 nullsc.sc_response = slap_null_cb;
2312 rc = config_register_schema( log_cfats, log_cfocs );
2313 if ( rc ) return rc;
2315 /* log schema integration */
2316 for ( i=0; lsyntaxes[i].oid; i++ ) {
2319 code = register_syntax( &lsyntaxes[ i ].syn );
2321 Debug( LDAP_DEBUG_ANY,
2322 "accesslog_init: register_syntax failed\n",
2327 if ( lsyntaxes[i].mrs != NULL ) {
2328 code = mr_make_syntax_compat_with_mrs(
2329 lsyntaxes[i].oid, lsyntaxes[i].mrs );
2331 Debug( LDAP_DEBUG_ANY,
2333 "mr_make_syntax_compat_with_mrs "
2341 for ( i=0; lattrs[i].at; i++ ) {
2344 code = register_at( lattrs[i].at, lattrs[i].ad, 0 );
2346 Debug( LDAP_DEBUG_ANY,
2347 "accesslog_init: register_at failed\n",
2352 (*lattrs[i].ad)->ad_type->sat_flags |= SLAP_AT_HIDE;
2356 for ( i=0; locs[i].ot; i++ ) {
2359 code = register_oc( locs[i].ot, locs[i].oc, 0 );
2361 Debug( LDAP_DEBUG_ANY,
2362 "accesslog_init: register_oc failed\n",
2367 (*locs[i].oc)->soc_flags |= SLAP_OC_HIDE;
2371 return overlay_register(&accesslog);
2374 #if SLAPD_OVER_ACCESSLOG == SLAPD_MOD_DYNAMIC
2376 init_module( int argc, char *argv[] )
2378 return accesslog_initialize();
2382 #endif /* SLAPD_OVER_ACCESSLOG */