1 /* accesslog.c - log operations for audit/history purposes */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
5 * Copyright 2005-2008 The OpenLDAP Foundation.
6 * Portions copyright 2004-2005 Symas Corporation.
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted only as authorized by the OpenLDAP
13 * A copy of this license is available in the file LICENSE in the
14 * top-level directory of the distribution or, alternatively, at
15 * <http://www.OpenLDAP.org/license.html>.
18 * This work was initially developed by Howard Chu for inclusion in
24 #ifdef SLAPD_OVER_ACCESSLOG
28 #include <ac/string.h>
36 #define LOG_OP_ADD 0x001
37 #define LOG_OP_DELETE 0x002
38 #define LOG_OP_MODIFY 0x004
39 #define LOG_OP_MODRDN 0x008
40 #define LOG_OP_COMPARE 0x010
41 #define LOG_OP_SEARCH 0x020
42 #define LOG_OP_BIND 0x040
43 #define LOG_OP_UNBIND 0x080
44 #define LOG_OP_ABANDON 0x100
45 #define LOG_OP_EXTENDED 0x200
46 #define LOG_OP_UNKNOWN 0x400
48 #define LOG_OP_WRITES (LOG_OP_ADD|LOG_OP_DELETE|LOG_OP_MODIFY|LOG_OP_MODRDN)
49 #define LOG_OP_READS (LOG_OP_COMPARE|LOG_OP_SEARCH)
50 #define LOG_OP_SESSION (LOG_OP_BIND|LOG_OP_UNBIND|LOG_OP_ABANDON)
51 #define LOG_OP_ALL (LOG_OP_READS|LOG_OP_WRITES|LOG_OP_SESSION| \
52 LOG_OP_EXTENDED|LOG_OP_UNKNOWN)
54 typedef struct log_attr {
55 struct log_attr *next;
56 AttributeDescription *attr;
59 typedef struct log_info {
61 struct berval li_db_suffix;
68 log_attr *li_oldattrs;
71 ldap_pvt_thread_rmutex_t li_op_rmutex;
72 ldap_pvt_thread_mutex_t li_log_mutex;
75 static ConfigDriver log_cf_gen;
86 static ConfigTable log_cfats[] = {
87 { "logdb", "suffix", 2, 2, 0, ARG_DN|ARG_MAGIC|LOG_DB,
88 log_cf_gen, "( OLcfgOvAt:4.1 NAME 'olcAccessLogDB' "
89 "DESC 'Suffix of database for log content' "
90 "SUP distinguishedName SINGLE-VALUE )", NULL, NULL },
91 { "logops", "op|writes|reads|session|all", 2, 0, 0,
93 log_cf_gen, "( OLcfgOvAt:4.2 NAME 'olcAccessLogOps' "
94 "DESC 'Operation types to log' "
95 "EQUALITY caseIgnoreMatch "
96 "SYNTAX OMsDirectoryString )", NULL, NULL },
97 { "logpurge", "age> <interval", 3, 3, 0, ARG_MAGIC|LOG_PURGE,
98 log_cf_gen, "( OLcfgOvAt:4.3 NAME 'olcAccessLogPurge' "
99 "DESC 'Log cleanup parameters' "
100 "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
101 { "logsuccess", NULL, 2, 2, 0, ARG_MAGIC|ARG_ON_OFF|LOG_SUCCESS,
102 log_cf_gen, "( OLcfgOvAt:4.4 NAME 'olcAccessLogSuccess' "
103 "DESC 'Log successful ops only' "
104 "SYNTAX OMsBoolean SINGLE-VALUE )", NULL, NULL },
105 { "logold", "filter", 2, 2, 0, ARG_MAGIC|LOG_OLD,
106 log_cf_gen, "( OLcfgOvAt:4.5 NAME 'olcAccessLogOld' "
107 "DESC 'Log old values when modifying entries matching the filter' "
108 "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
109 { "logoldattr", "attrs", 2, 0, 0, ARG_MAGIC|LOG_OLDATTR,
110 log_cf_gen, "( OLcfgOvAt:4.6 NAME 'olcAccessLogOldAttr' "
111 "DESC 'Log old values of these attributes even if unmodified' "
112 "EQUALITY caseIgnoreMatch "
113 "SYNTAX OMsDirectoryString )", NULL, NULL },
117 static ConfigOCs log_cfocs[] = {
119 "NAME 'olcAccessLogConfig' "
120 "DESC 'Access log configuration' "
121 "SUP olcOverlayConfig "
122 "MUST olcAccessLogDB "
123 "MAY ( olcAccessLogOps $ olcAccessLogPurge $ olcAccessLogSuccess $ "
124 "olcAccessLogOld $ olcAccessLogOldAttr ) )",
125 Cft_Overlay, log_cfats },
129 static slap_verbmasks logops[] = {
130 { BER_BVC("all"), LOG_OP_ALL },
131 { BER_BVC("writes"), LOG_OP_WRITES },
132 { BER_BVC("session"), LOG_OP_SESSION },
133 { BER_BVC("reads"), LOG_OP_READS },
134 { BER_BVC("add"), LOG_OP_ADD },
135 { BER_BVC("delete"), LOG_OP_DELETE },
136 { BER_BVC("modify"), LOG_OP_MODIFY },
137 { BER_BVC("modrdn"), LOG_OP_MODRDN },
138 { BER_BVC("compare"), LOG_OP_COMPARE },
139 { BER_BVC("search"), LOG_OP_SEARCH },
140 { BER_BVC("bind"), LOG_OP_BIND },
141 { BER_BVC("unbind"), LOG_OP_UNBIND },
142 { BER_BVC("abandon"), LOG_OP_ABANDON },
143 { BER_BVC("extended"), LOG_OP_EXTENDED },
144 { BER_BVC("unknown"), LOG_OP_UNKNOWN },
148 /* Start with "add" in logops */
166 static ObjectClass *log_ocs[LOG_EN__COUNT], *log_container,
167 *log_oc_read, *log_oc_write;
169 #define LOG_SCHEMA_ROOT "1.3.6.1.4.1.4203.666.11.5"
171 #define LOG_SCHEMA_AT LOG_SCHEMA_ROOT ".1"
172 #define LOG_SCHEMA_OC LOG_SCHEMA_ROOT ".2"
173 #define LOG_SCHEMA_SYN LOG_SCHEMA_ROOT ".3"
175 static AttributeDescription *ad_reqDN, *ad_reqStart, *ad_reqEnd, *ad_reqType,
176 *ad_reqSession, *ad_reqResult, *ad_reqAuthzID, *ad_reqControls,
177 *ad_reqRespControls, *ad_reqMethod, *ad_reqAssertion, *ad_reqNewRDN,
178 *ad_reqNewSuperior, *ad_reqDeleteOldRDN, *ad_reqMod,
179 *ad_reqScope, *ad_reqFilter, *ad_reqAttr, *ad_reqEntries,
180 *ad_reqSizeLimit, *ad_reqTimeLimit, *ad_reqAttrsOnly, *ad_reqData,
181 *ad_reqId, *ad_reqMessage, *ad_reqVersion, *ad_reqDerefAliases,
182 *ad_reqReferral, *ad_reqOld, *ad_auditContext;
185 logSchemaControlValidate(
187 struct berval *val );
189 char *mrControl[] = {
190 "objectIdentifierFirstComponentMatch",
196 slap_syntax_defs_rec syn;
199 { LOG_SCHEMA_SYN ".1" ,
200 { "( " LOG_SCHEMA_SYN ".1 DESC 'Control' )",
203 logSchemaControlValidate,
211 AttributeDescription **ad;
213 { "( " LOG_SCHEMA_AT ".1 NAME 'reqDN' "
214 "DESC 'Target DN of request' "
215 "EQUALITY distinguishedNameMatch "
217 "SINGLE-VALUE )", &ad_reqDN },
218 { "( " LOG_SCHEMA_AT ".2 NAME 'reqStart' "
219 "DESC 'Start time of request' "
220 "EQUALITY generalizedTimeMatch "
221 "ORDERING generalizedTimeOrderingMatch "
222 "SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 "
223 "SINGLE-VALUE )", &ad_reqStart },
224 { "( " LOG_SCHEMA_AT ".3 NAME 'reqEnd' "
225 "DESC 'End time of request' "
226 "EQUALITY generalizedTimeMatch "
227 "ORDERING generalizedTimeOrderingMatch "
228 "SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 "
229 "SINGLE-VALUE )", &ad_reqEnd },
230 { "( " LOG_SCHEMA_AT ".4 NAME 'reqType' "
231 "DESC 'Type of request' "
232 "EQUALITY caseIgnoreMatch "
233 "SYNTAX OMsDirectoryString "
234 "SINGLE-VALUE )", &ad_reqType },
235 { "( " LOG_SCHEMA_AT ".5 NAME 'reqSession' "
236 "DESC 'Session ID of request' "
237 "EQUALITY caseIgnoreMatch "
238 "SYNTAX OMsDirectoryString "
239 "SINGLE-VALUE )", &ad_reqSession },
240 { "( " LOG_SCHEMA_AT ".6 NAME 'reqAuthzID' "
241 "DESC 'Authorization ID of requestor' "
242 "EQUALITY distinguishedNameMatch "
244 "SINGLE-VALUE )", &ad_reqAuthzID },
245 { "( " LOG_SCHEMA_AT ".7 NAME 'reqResult' "
246 "DESC 'Result code of request' "
247 "EQUALITY integerMatch "
248 "ORDERING integerOrderingMatch "
250 "SINGLE-VALUE )", &ad_reqResult },
251 { "( " LOG_SCHEMA_AT ".8 NAME 'reqMessage' "
252 "DESC 'Error text of request' "
253 "EQUALITY caseIgnoreMatch "
254 "SUBSTR caseIgnoreSubstringsMatch "
255 "SYNTAX OMsDirectoryString "
256 "SINGLE-VALUE )", &ad_reqMessage },
257 { "( " LOG_SCHEMA_AT ".9 NAME 'reqReferral' "
258 "DESC 'Referrals returned for request' "
259 "SUP labeledURI )", &ad_reqReferral },
260 { "( " LOG_SCHEMA_AT ".10 NAME 'reqControls' "
261 "DESC 'Request controls' "
262 "EQUALITY objectIdentifierFirstComponentMatch "
263 "SYNTAX " LOG_SCHEMA_SYN ".1 "
264 "X-ORDERED 'VALUES' )", &ad_reqControls },
265 { "( " LOG_SCHEMA_AT ".11 NAME 'reqRespControls' "
266 "DESC 'Response controls of request' "
267 "EQUALITY objectIdentifierFirstComponentMatch "
268 "SYNTAX " LOG_SCHEMA_SYN ".1 "
269 "X-ORDERED 'VALUES' )", &ad_reqRespControls },
270 { "( " LOG_SCHEMA_AT ".12 NAME 'reqId' "
271 "DESC 'ID of Request to Abandon' "
272 "EQUALITY integerMatch "
273 "ORDERING integerOrderingMatch "
275 "SINGLE-VALUE )", &ad_reqId },
276 { "( " LOG_SCHEMA_AT ".13 NAME 'reqVersion' "
277 "DESC 'Protocol version of Bind request' "
278 "EQUALITY integerMatch "
279 "ORDERING integerOrderingMatch "
281 "SINGLE-VALUE )", &ad_reqVersion },
282 { "( " LOG_SCHEMA_AT ".14 NAME 'reqMethod' "
283 "DESC 'Bind method of request' "
284 "EQUALITY caseIgnoreMatch "
285 "SYNTAX OMsDirectoryString "
286 "SINGLE-VALUE )", &ad_reqMethod },
287 { "( " LOG_SCHEMA_AT ".15 NAME 'reqAssertion' "
288 "DESC 'Compare Assertion of request' "
289 "SYNTAX OMsDirectoryString "
290 "SINGLE-VALUE )", &ad_reqAssertion },
291 { "( " LOG_SCHEMA_AT ".16 NAME 'reqMod' "
292 "DESC 'Modifications of request' "
293 "EQUALITY octetStringMatch "
294 "SUBSTR octetStringSubstringsMatch "
295 "SYNTAX OMsOctetString )", &ad_reqMod },
296 { "( " LOG_SCHEMA_AT ".17 NAME 'reqOld' "
297 "DESC 'Old values of entry before request completed' "
298 "EQUALITY octetStringMatch "
299 "SUBSTR octetStringSubstringsMatch "
300 "SYNTAX OMsOctetString )", &ad_reqOld },
301 { "( " LOG_SCHEMA_AT ".18 NAME 'reqNewRDN' "
302 "DESC 'New RDN of request' "
303 "EQUALITY distinguishedNameMatch "
305 "SINGLE-VALUE )", &ad_reqNewRDN },
306 { "( " LOG_SCHEMA_AT ".19 NAME 'reqDeleteOldRDN' "
307 "DESC 'Delete old RDN' "
308 "EQUALITY booleanMatch "
310 "SINGLE-VALUE )", &ad_reqDeleteOldRDN },
311 { "( " LOG_SCHEMA_AT ".20 NAME 'reqNewSuperior' "
312 "DESC 'New superior DN of request' "
313 "EQUALITY distinguishedNameMatch "
315 "SINGLE-VALUE )", &ad_reqNewSuperior },
316 { "( " LOG_SCHEMA_AT ".21 NAME 'reqScope' "
317 "DESC 'Scope of request' "
318 "EQUALITY caseIgnoreMatch "
319 "SYNTAX OMsDirectoryString "
320 "SINGLE-VALUE )", &ad_reqScope },
321 { "( " LOG_SCHEMA_AT ".22 NAME 'reqDerefAliases' "
322 "DESC 'Disposition of Aliases in request' "
323 "EQUALITY caseIgnoreMatch "
324 "SYNTAX OMsDirectoryString "
325 "SINGLE-VALUE )", &ad_reqDerefAliases },
326 { "( " LOG_SCHEMA_AT ".23 NAME 'reqAttrsOnly' "
327 "DESC 'Attributes and values of request' "
328 "EQUALITY booleanMatch "
330 "SINGLE-VALUE )", &ad_reqAttrsOnly },
331 { "( " LOG_SCHEMA_AT ".24 NAME 'reqFilter' "
332 "DESC 'Filter of request' "
333 "EQUALITY caseIgnoreMatch "
334 "SUBSTR caseIgnoreSubstringsMatch "
335 "SYNTAX OMsDirectoryString "
336 "SINGLE-VALUE )", &ad_reqFilter },
337 { "( " LOG_SCHEMA_AT ".25 NAME 'reqAttr' "
338 "DESC 'Attributes of request' "
339 "EQUALITY caseIgnoreMatch "
340 "SYNTAX OMsDirectoryString )", &ad_reqAttr },
341 { "( " LOG_SCHEMA_AT ".26 NAME 'reqSizeLimit' "
342 "DESC 'Size limit of request' "
343 "EQUALITY integerMatch "
344 "ORDERING integerOrderingMatch "
346 "SINGLE-VALUE )", &ad_reqSizeLimit },
347 { "( " LOG_SCHEMA_AT ".27 NAME 'reqTimeLimit' "
348 "DESC 'Time limit of request' "
349 "EQUALITY integerMatch "
350 "ORDERING integerOrderingMatch "
352 "SINGLE-VALUE )", &ad_reqTimeLimit },
353 { "( " LOG_SCHEMA_AT ".28 NAME 'reqEntries' "
354 "DESC 'Number of entries returned' "
355 "EQUALITY integerMatch "
356 "ORDERING integerOrderingMatch "
358 "SINGLE-VALUE )", &ad_reqEntries },
359 { "( " LOG_SCHEMA_AT ".29 NAME 'reqData' "
360 "DESC 'Data of extended request' "
361 "EQUALITY octetStringMatch "
362 "SUBSTR octetStringSubstringsMatch "
363 "SYNTAX OMsOctetString "
364 "SINGLE-VALUE )", &ad_reqData },
367 * from <draft-chu-ldap-logschema-01.txt>:
370 ( LOG_SCHEMA_AT .30 NAME 'auditContext'
371 DESC 'DN of auditContainer'
372 EQUALITY distinguishedNameMatch
373 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
374 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )
376 * - removed EQUALITY matchingRule
377 * - changed directoryOperation in dSAOperation
379 { "( " LOG_SCHEMA_AT ".30 NAME 'auditContext' "
380 "DESC 'DN of auditContainer' "
381 "SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 "
383 "NO-USER-MODIFICATION "
384 "USAGE dSAOperation )", &ad_auditContext },
392 { "( " LOG_SCHEMA_OC ".0 NAME 'auditContainer' "
393 "DESC 'AuditLog container' "
394 "SUP top STRUCTURAL "
395 "MAY ( cn $ reqStart $ reqEnd ) )", &log_container },
396 { "( " LOG_SCHEMA_OC ".1 NAME 'auditObject' "
397 "DESC 'OpenLDAP request auditing' "
398 "SUP top STRUCTURAL "
399 "MUST ( reqStart $ reqType $ reqSession ) "
400 "MAY ( reqDN $ reqAuthzID $ reqControls $ reqRespControls $ reqEnd $ "
401 "reqResult $ reqMessage $ reqReferral ) )",
402 &log_ocs[LOG_EN_UNBIND] },
403 { "( " LOG_SCHEMA_OC ".2 NAME 'auditReadObject' "
404 "DESC 'OpenLDAP read request record' "
405 "SUP auditObject STRUCTURAL )", &log_oc_read },
406 { "( " LOG_SCHEMA_OC ".3 NAME 'auditWriteObject' "
407 "DESC 'OpenLDAP write request record' "
408 "SUP auditObject STRUCTURAL )", &log_oc_write },
409 { "( " LOG_SCHEMA_OC ".4 NAME 'auditAbandon' "
410 "DESC 'Abandon operation' "
411 "SUP auditObject STRUCTURAL "
412 "MUST reqId )", &log_ocs[LOG_EN_ABANDON] },
413 { "( " LOG_SCHEMA_OC ".5 NAME 'auditAdd' "
414 "DESC 'Add operation' "
415 "SUP auditWriteObject STRUCTURAL "
416 "MUST reqMod )", &log_ocs[LOG_EN_ADD] },
417 { "( " LOG_SCHEMA_OC ".6 NAME 'auditBind' "
418 "DESC 'Bind operation' "
419 "SUP auditObject STRUCTURAL "
420 "MUST ( reqVersion $ reqMethod ) )", &log_ocs[LOG_EN_BIND] },
421 { "( " LOG_SCHEMA_OC ".7 NAME 'auditCompare' "
422 "DESC 'Compare operation' "
423 "SUP auditReadObject STRUCTURAL "
424 "MUST reqAssertion )", &log_ocs[LOG_EN_COMPARE] },
425 { "( " LOG_SCHEMA_OC ".8 NAME 'auditDelete' "
426 "DESC 'Delete operation' "
427 "SUP auditWriteObject STRUCTURAL "
428 "MAY reqOld )", &log_ocs[LOG_EN_DELETE] },
429 { "( " LOG_SCHEMA_OC ".9 NAME 'auditModify' "
430 "DESC 'Modify operation' "
431 "SUP auditWriteObject STRUCTURAL "
432 "MAY reqOld MUST reqMod )", &log_ocs[LOG_EN_MODIFY] },
433 { "( " LOG_SCHEMA_OC ".10 NAME 'auditModRDN' "
434 "DESC 'ModRDN operation' "
435 "SUP auditWriteObject STRUCTURAL "
436 "MUST ( reqNewRDN $ reqDeleteOldRDN ) "
437 "MAY ( reqNewSuperior $ reqMod $ reqOld ) )", &log_ocs[LOG_EN_MODRDN] },
438 { "( " LOG_SCHEMA_OC ".11 NAME 'auditSearch' "
439 "DESC 'Search operation' "
440 "SUP auditReadObject STRUCTURAL "
441 "MUST ( reqScope $ reqDerefAliases $ reqAttrsonly ) "
442 "MAY ( reqFilter $ reqAttr $ reqEntries $ reqSizeLimit $ "
443 "reqTimeLimit ) )", &log_ocs[LOG_EN_SEARCH] },
444 { "( " LOG_SCHEMA_OC ".12 NAME 'auditExtended' "
445 "DESC 'Extended operation' "
446 "SUP auditObject STRUCTURAL "
447 "MAY reqData )", &log_ocs[LOG_EN_EXTENDED] },
451 #define RDNEQ "reqStart="
453 /* Our time intervals are of the form [ddd+]hh:mm[:ss]
454 * If a field is present, it must be two digits. (Except for
455 * days, which can be arbitrary width.)
458 log_age_parse(char *agestr)
464 t1 = strtol( agestr, &endptr, 10 );
465 /* Is there a days delimiter? */
466 if ( *endptr == '+' ) {
467 /* 32 bit time only covers about 68 years */
468 if ( t1 < 0 || t1 > 25000 )
474 if ( agestr[2] != ':' ) {
475 /* No valid delimiter found, fail */
486 /* if there's a delimiter, it can only be a colon */
487 if ( agestr[2] != ':' )
490 /* If we're at the end of the string, and we started with days,
491 * fail because we expected to find minutes too.
493 return gotdays ? -1 : t1 * 60;
499 /* last field can only be seconds */
500 if ( agestr[2] && ( agestr[2] != ':' || !gotdays ))
510 t1 += atoi( agestr );
511 } else if ( gotdays ) {
512 /* only got days+hh:mm */
519 log_age_unparse( int age, struct berval *agebv, size_t size )
521 int dd, hh, mm, ss, len;
537 len = snprintf( ptr, size, "%d+", dd );
538 assert( len >= 0 && len < size );
542 len = snprintf( ptr, size, "%02d:%02d", hh, mm );
543 assert( len >= 0 && len < size );
547 len = snprintf( ptr, size, ":%02d", ss );
548 assert( len >= 0 && len < size );
553 agebv->bv_len = ptr - agebv->bv_val;
556 static slap_callback nullsc = { NULL, NULL, NULL, NULL };
558 #define PURGE_INCREMENT 100
560 typedef struct purge_data {
565 struct berval csn; /* an arbitrary old CSN */
569 log_old_lookup( Operation *op, SlapReply *rs )
571 purge_data *pd = op->o_callback->sc_private;
573 if ( rs->sr_type != REP_SEARCH) return 0;
575 if ( slapd_shutdown ) return 0;
577 /* Remember old CSN */
578 if ( pd->csn.bv_val[0] == '\0' ) {
579 Attribute *a = attr_find( rs->sr_entry->e_attrs,
580 slap_schema.si_ad_entryCSN );
582 int len = a->a_vals[0].bv_len;
583 if ( len > pd->csn.bv_len )
584 len = pd->csn.bv_len;
585 AC_MEMCPY( pd->csn.bv_val, a->a_vals[0].bv_val, len );
586 pd->csn.bv_len = len;
589 if ( pd->used >= pd->slots ) {
590 pd->slots += PURGE_INCREMENT;
591 pd->dn = ch_realloc( pd->dn, pd->slots * sizeof( struct berval ));
592 pd->ndn = ch_realloc( pd->ndn, pd->slots * sizeof( struct berval ));
594 ber_dupbv( &pd->dn[pd->used], &rs->sr_entry->e_name );
595 ber_dupbv( &pd->ndn[pd->used], &rs->sr_entry->e_nname );
600 /* Periodically search for old entries in the log database and delete them */
602 accesslog_purge( void *ctx, void *arg )
604 struct re_s *rtask = arg;
605 struct log_info *li = rtask->arg;
607 Connection conn = {0};
608 OperationBuffer opbuf;
610 SlapReply rs = {REP_RESULT};
611 slap_callback cb = { NULL, log_old_lookup, NULL, NULL };
613 AttributeAssertion ava = ATTRIBUTEASSERTION_INIT;
615 char timebuf[LDAP_LUTIL_GENTIME_BUFSIZE];
616 char csnbuf[LDAP_LUTIL_CSNSTR_BUFSIZE];
617 time_t old = slap_get_time();
619 connection_fake_init( &conn, &opbuf, ctx );
622 f.f_choice = LDAP_FILTER_LE;
626 ava.aa_desc = ad_reqStart;
627 ava.aa_value.bv_val = timebuf;
628 ava.aa_value.bv_len = sizeof(timebuf);
631 slap_timestamp( &old, &ava.aa_value );
633 op->o_tag = LDAP_REQ_SEARCH;
634 op->o_bd = li->li_db;
635 op->o_dn = li->li_db->be_rootdn;
636 op->o_ndn = li->li_db->be_rootndn;
637 op->o_req_dn = li->li_db->be_suffix[0];
638 op->o_req_ndn = li->li_db->be_nsuffix[0];
639 op->o_callback = &cb;
640 op->ors_scope = LDAP_SCOPE_ONELEVEL;
641 op->ors_deref = LDAP_DEREF_NEVER;
642 op->ors_tlimit = SLAP_NO_LIMIT;
643 op->ors_slimit = SLAP_NO_LIMIT;
645 filter2bv_x( op, &f, &op->ors_filterstr );
646 op->ors_attrs = slap_anlist_no_attrs;
647 op->ors_attrsonly = 1;
649 pd.csn.bv_len = sizeof( csnbuf );
650 pd.csn.bv_val = csnbuf;
654 op->o_bd->be_search( op, &rs );
655 op->o_tmpfree( op->ors_filterstr.bv_val, op->o_tmpmemctx );
660 op->o_tag = LDAP_REQ_DELETE;
661 op->o_callback = &nullsc;
664 for (i=0; i<pd.used; i++) {
665 op->o_req_dn = pd.dn[i];
666 op->o_req_ndn = pd.ndn[i];
667 if ( !slapd_shutdown )
668 op->o_bd->be_delete( op, &rs );
669 ch_free( pd.ndn[i].bv_val );
670 ch_free( pd.dn[i].bv_val );
676 ldap_pvt_thread_mutex_lock( &slapd_rq.rq_mutex );
677 ldap_pvt_runqueue_stoptask( &slapd_rq, rtask );
678 ldap_pvt_thread_mutex_unlock( &slapd_rq.rq_mutex );
684 log_cf_gen(ConfigArgs *c)
686 slap_overinst *on = (slap_overinst *)c->bi;
687 struct log_info *li = on->on_bi.bi_private;
689 slap_mask_t tmask = 0;
690 char agebuf[2*STRLENOF("ddddd+hh:mm:ss ")];
691 struct berval agebv, cyclebv;
694 case SLAP_CONFIG_EMIT:
697 if ( !BER_BVISEMPTY( &li->li_db_suffix )) {
698 value_add_one( &c->rvalue_vals, &li->li_db_suffix );
699 value_add_one( &c->rvalue_nvals, &li->li_db_suffix );
700 } else if ( li->li_db ) {
701 value_add_one( &c->rvalue_vals, li->li_db->be_suffix );
702 value_add_one( &c->rvalue_nvals, li->li_db->be_nsuffix );
704 snprintf( c->cr_msg, sizeof( c->cr_msg ),
705 "accesslog: \"logdb <suffix>\" must be specified" );
706 Debug( LDAP_DEBUG_ANY, "%s: %s \"%s\"\n",
707 c->log, c->cr_msg, c->value_dn.bv_val );
713 rc = mask_to_verbs( logops, li->li_ops, &c->rvalue_vals );
720 agebv.bv_val = agebuf;
721 log_age_unparse( li->li_age, &agebv, sizeof( agebuf ) );
722 agebv.bv_val[agebv.bv_len] = ' ';
724 cyclebv.bv_val = agebv.bv_val + agebv.bv_len;
725 log_age_unparse( li->li_cycle, &cyclebv, sizeof( agebuf ) - agebv.bv_len );
726 agebv.bv_len += cyclebv.bv_len;
727 value_add_one( &c->rvalue_vals, &agebv );
730 if ( li->li_success )
731 c->value_int = li->li_success;
737 filter2bv( li->li_oldf, &agebv );
738 ber_bvarray_add( &c->rvalue_vals, &agebv );
744 if ( li->li_oldattrs ) {
747 for ( la = li->li_oldattrs; la; la=la->next )
748 value_add_one( &c->rvalue_vals, &la->attr->ad_cname );
755 case LDAP_MOD_DELETE:
758 /* noop. this should always be a valid backend. */
764 rc = verbs_to_mask( 1, &c->line, logops, &tmask );
766 li->li_ops &= ~tmask;
771 struct re_s *re = li->li_task;
773 if ( ldap_pvt_runqueue_isrunning( &slapd_rq, re ))
774 ldap_pvt_runqueue_stoptask( &slapd_rq, re );
775 ldap_pvt_runqueue_remove( &slapd_rq, re );
785 filter_free( li->li_oldf );
793 for ( la = li->li_oldattrs; la; la = ln ) {
798 log_attr *la = NULL, **lp;
801 for ( lp = &li->li_oldattrs, i=0; i < c->valx; i++ ) {
814 if ( CONFIG_ONLINE_ADD( c )) {
815 li->li_db = select_backend( &c->value_ndn, 0 );
817 snprintf( c->cr_msg, sizeof( c->cr_msg ),
818 "<%s> no matching backend found for suffix",
820 Debug( LDAP_DEBUG_ANY, "%s: %s \"%s\"\n",
821 c->log, c->cr_msg, c->value_dn.bv_val );
824 ch_free( c->value_ndn.bv_val );
826 li->li_db_suffix = c->value_ndn;
828 ch_free( c->value_dn.bv_val );
831 rc = verbs_to_mask( c->argc, c->argv, logops, &tmask );
836 li->li_age = log_age_parse( c->argv[1] );
837 if ( li->li_age < 1 ) {
840 li->li_cycle = log_age_parse( c->argv[2] );
841 if ( li->li_cycle < 1 ) {
843 } else if ( slapMode & SLAP_SERVER_MODE ) {
844 struct re_s *re = li->li_task;
846 re->interval.tv_sec = li->li_cycle;
848 li->li_task = ldap_pvt_runqueue_insert( &slapd_rq,
849 li->li_cycle, accesslog_purge, li,
850 "accesslog_purge", li->li_db ?
851 li->li_db->be_suffix[0].bv_val :
852 c->be->be_suffix[0].bv_val );
857 li->li_success = c->value_int;
860 li->li_oldf = str2filter( c->argv[1] );
861 if ( !li->li_oldf ) {
862 snprintf( c->cr_msg, sizeof( c->cr_msg ), "bad filter!" );
868 AttributeDescription *ad;
871 for ( i=1; i< c->argc; i++ ) {
873 if ( slap_str2ad( c->argv[i], &ad, &text ) == LDAP_SUCCESS ) {
874 log_attr *la = ch_malloc( sizeof( log_attr ));
876 la->next = li->li_oldattrs;
877 li->li_oldattrs = la;
879 snprintf( c->cr_msg, sizeof( c->cr_msg ), "%s <%s>: %s",
880 c->argv[0], c->argv[i], text );
881 Debug( LDAP_DEBUG_CONFIG|LDAP_DEBUG_NONE,
882 "%s: %s\n", c->log, c->cr_msg, 0 );
896 logSchemaControlValidate(
898 struct berval *valp )
900 struct berval val, bv;
902 int rc = LDAP_SUCCESS;
904 assert( valp != NULL );
908 /* check minimal size */
909 if ( val.bv_len < STRLENOF( "{*}" ) ) {
910 return LDAP_INVALID_SYNTAX;
915 /* check SEQUENCE boundaries */
916 if ( val.bv_val[ 0 ] != '{' /*}*/ ||
917 val.bv_val[ val.bv_len ] != /*{*/ '}' )
919 return LDAP_INVALID_SYNTAX;
922 /* extract and check OID */
923 for ( i = 1; i < val.bv_len; i++ ) {
924 if ( !ASCII_SPACE( val.bv_val[ i ] ) ) {
929 bv.bv_val = &val.bv_val[ i ];
931 for ( i++; i < val.bv_len; i++ ) {
932 if ( ASCII_SPACE( val.bv_val[ i ] ) )
938 bv.bv_len = &val.bv_val[ i ] - bv.bv_val;
940 rc = numericoidValidate( NULL, &bv );
941 if ( rc != LDAP_SUCCESS ) {
945 if ( i == val.bv_len ) {
949 if ( val.bv_val[ i ] != ' ' ) {
950 return LDAP_INVALID_SYNTAX;
953 for ( i++; i < val.bv_len; i++ ) {
954 if ( !ASCII_SPACE( val.bv_val[ i ] ) ) {
959 if ( i == val.bv_len ) {
963 /* extract and check criticality */
964 if ( strncasecmp( &val.bv_val[ i ], "criticality ", STRLENOF( "criticality " ) ) == 0 )
966 i += STRLENOF( "criticality " );
967 for ( ; i < val.bv_len; i++ ) {
968 if ( !ASCII_SPACE( val.bv_val[ i ] ) ) {
973 if ( i == val.bv_len ) {
974 return LDAP_INVALID_SYNTAX;
977 bv.bv_val = &val.bv_val[ i ];
979 for ( ; i < val.bv_len; i++ ) {
980 if ( ASCII_SPACE( val.bv_val[ i ] ) ) {
985 bv.bv_len = &val.bv_val[ i ] - bv.bv_val;
987 if ( !bvmatch( &bv, &slap_true_bv ) && !bvmatch( &bv, &slap_false_bv ) )
989 return LDAP_INVALID_SYNTAX;
992 if ( i == val.bv_len ) {
996 if ( val.bv_val[ i ] != ' ' ) {
997 return LDAP_INVALID_SYNTAX;
1000 for ( i++; i < val.bv_len; i++ ) {
1001 if ( !ASCII_SPACE( val.bv_val[ i ] ) ) {
1006 if ( i == val.bv_len ) {
1007 return LDAP_SUCCESS;
1011 /* extract and check controlValue */
1012 if ( strncasecmp( &val.bv_val[ i ], "controlValue ", STRLENOF( "controlValue " ) ) == 0 )
1014 i += STRLENOF( "controlValue " );
1015 for ( ; i < val.bv_len; i++ ) {
1016 if ( !ASCII_SPACE( val.bv_val[ i ] ) ) {
1021 if ( i == val.bv_len ) {
1022 return LDAP_INVALID_SYNTAX;
1025 if ( val.bv_val[ i ] != '"' ) {
1026 return LDAP_INVALID_SYNTAX;
1029 for ( ; i < val.bv_len; i++ ) {
1030 if ( val.bv_val[ i ] == '"' ) {
1034 if ( !ASCII_HEX( val.bv_val[ i ] ) ) {
1035 return LDAP_INVALID_SYNTAX;
1039 if ( val.bv_val[ i ] != '"' ) {
1040 return LDAP_INVALID_SYNTAX;
1043 for ( ; i < val.bv_len; i++ ) {
1044 if ( !ASCII_SPACE( val.bv_val[ i ] ) ) {
1049 if ( i == val.bv_len ) {
1050 return LDAP_SUCCESS;
1054 return LDAP_INVALID_SYNTAX;
1059 LDAPControl **ctrls,
1066 assert( valsp != NULL );
1067 assert( ctrls != NULL );
1072 for ( i = 0; ctrls[ i ] != NULL; i++ ) {
1080 if ( ctrls[ i ]->ldctl_oid == NULL ) {
1081 return LDAP_PROTOCOL_ERROR;
1084 idx.bv_len = snprintf( buf, sizeof( buf ), "{%ld}", i );
1087 ber_str2bv( ctrls[ i ]->ldctl_oid, 0, 0, &oid );
1088 noid.bv_len = idx.bv_len + oid.bv_len;
1089 ptr = noid.bv_val = ber_memalloc_x( noid.bv_len + 1, memctx );
1090 ptr = lutil_strcopy( ptr, idx.bv_val );
1091 ptr = lutil_strcopy( ptr, oid.bv_val );
1093 bv.bv_len = idx.bv_len + STRLENOF( "{}" ) + oid.bv_len;
1095 if ( ctrls[ i ]->ldctl_iscritical ) {
1096 bv.bv_len += STRLENOF( " criticality TRUE" );
1099 if ( !BER_BVISNULL( &ctrls[ i ]->ldctl_value ) ) {
1100 bv.bv_len += STRLENOF( " controlValue \"\"" )
1101 + 2 * ctrls[ i ]->ldctl_value.bv_len;
1104 ptr = bv.bv_val = ber_memalloc_x( bv.bv_len + 1, memctx );
1105 if ( ptr == NULL ) {
1106 ber_bvarray_free( *valsp );
1108 ber_bvarray_free( *nvalsp );
1113 ptr = lutil_strcopy( ptr, idx.bv_val );
1115 *ptr++ = '{' /*}*/ ;
1116 ptr = lutil_strcopy( ptr, oid.bv_val );
1118 if ( ctrls[ i ]->ldctl_iscritical ) {
1119 ptr = lutil_strcopy( ptr, " criticality TRUE" );
1122 if ( !BER_BVISNULL( &ctrls[ i ]->ldctl_value ) ) {
1125 ptr = lutil_strcopy( ptr, " controlValue \"" );
1126 for ( j = 0; j < ctrls[ i ]->ldctl_value.bv_len; j++ )
1130 o = ( ( ctrls[ i ]->ldctl_value.bv_val[ j ] >> 4 ) & 0xF );
1138 o = ( ctrls[ i ]->ldctl_value.bv_val[ j ] & 0xF );
1153 ber_bvarray_add_x( valsp, &bv, memctx );
1154 ber_bvarray_add_x( nvalsp, &noid, memctx );
1161 static Entry *accesslog_entry( Operation *op, SlapReply *rs, int logop,
1163 slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
1164 log_info *li = on->on_bi.bi_private;
1166 char rdnbuf[STRLENOF(RDNEQ)+LDAP_LUTIL_GENTIME_BUFSIZE+8];
1167 char nrdnbuf[STRLENOF(RDNEQ)+LDAP_LUTIL_GENTIME_BUFSIZE+8];
1169 struct berval rdn, nrdn, timestamp, ntimestamp, bv;
1170 slap_verbmasks *lo = logops+logop+EN_OFFSET;
1172 Entry *e = entry_alloc();
1174 strcpy( rdnbuf, RDNEQ );
1175 rdn.bv_val = rdnbuf;
1176 strcpy( nrdnbuf, RDNEQ );
1177 nrdn.bv_val = nrdnbuf;
1179 timestamp.bv_val = rdnbuf+STRLENOF(RDNEQ);
1180 timestamp.bv_len = sizeof(rdnbuf) - STRLENOF(RDNEQ);
1181 slap_timestamp( &op->o_time, ×tamp );
1182 snprintf( timestamp.bv_val + timestamp.bv_len-1, sizeof(".123456Z"), ".%06dZ", op->o_tincr );
1183 timestamp.bv_len += STRLENOF(".123456");
1185 rdn.bv_len = STRLENOF(RDNEQ)+timestamp.bv_len;
1186 ad_reqStart->ad_type->sat_equality->smr_normalize(
1187 SLAP_MR_VALUE_OF_ASSERTION_SYNTAX, ad_reqStart->ad_type->sat_syntax,
1188 ad_reqStart->ad_type->sat_equality, ×tamp, &ntimestamp,
1191 strcpy( nrdn.bv_val + STRLENOF(RDNEQ), ntimestamp.bv_val );
1192 nrdn.bv_len = STRLENOF(RDNEQ)+ntimestamp.bv_len;
1193 build_new_dn( &e->e_name, li->li_db->be_suffix, &rdn, NULL );
1194 build_new_dn( &e->e_nname, li->li_db->be_nsuffix, &nrdn, NULL );
1196 attr_merge_one( e, slap_schema.si_ad_objectClass,
1197 &log_ocs[logop]->soc_cname, NULL );
1198 attr_merge_one( e, slap_schema.si_ad_structuralObjectClass,
1199 &log_ocs[logop]->soc_cname, NULL );
1200 attr_merge_one( e, ad_reqStart, ×tamp, &ntimestamp );
1201 op->o_tmpfree( ntimestamp.bv_val, op->o_tmpmemctx );
1203 slap_op_time( &op2->o_time, &op2->o_tincr );
1205 timestamp.bv_len = sizeof(rdnbuf) - STRLENOF(RDNEQ);
1206 slap_timestamp( &op2->o_time, ×tamp );
1207 snprintf( timestamp.bv_val + timestamp.bv_len-1, sizeof(".123456Z"), ".%06dZ", op2->o_tincr );
1208 timestamp.bv_len += STRLENOF(".123456");
1210 attr_merge_normalize_one( e, ad_reqEnd, ×tamp, op->o_tmpmemctx );
1212 /* Exops have OID appended */
1213 if ( logop == LOG_EN_EXTENDED ) {
1214 bv.bv_len = lo->word.bv_len + op->ore_reqoid.bv_len + 2;
1215 bv.bv_val = ch_malloc( bv.bv_len + 1 );
1216 AC_MEMCPY( bv.bv_val, lo->word.bv_val, lo->word.bv_len );
1217 bv.bv_val[lo->word.bv_len] = '{';
1218 AC_MEMCPY( bv.bv_val+lo->word.bv_len+1, op->ore_reqoid.bv_val,
1219 op->ore_reqoid.bv_len );
1220 bv.bv_val[bv.bv_len-1] = '}';
1221 bv.bv_val[bv.bv_len] = '\0';
1222 attr_merge_one( e, ad_reqType, &bv, NULL );
1224 attr_merge_one( e, ad_reqType, &lo->word, NULL );
1227 rdn.bv_len = snprintf( rdn.bv_val, sizeof( rdnbuf ), "%lu", op->o_connid );
1228 if ( rdn.bv_len >= 0 || rdn.bv_len < sizeof( rdnbuf ) ) {
1229 attr_merge_one( e, ad_reqSession, &rdn, NULL );
1232 if ( BER_BVISNULL( &op->o_dn ) ) {
1233 attr_merge_one( e, ad_reqAuthzID, (struct berval *)&slap_empty_bv,
1234 (struct berval *)&slap_empty_bv );
1236 attr_merge_one( e, ad_reqAuthzID, &op->o_dn, &op->o_ndn );
1239 /* FIXME: need to add reqControls and reqRespControls */
1240 if ( op->o_ctrls ) {
1241 BerVarray vals = NULL,
1244 if ( accesslog_ctrls( op->o_ctrls, &vals, &nvals,
1245 op->o_tmpmemctx ) == LDAP_SUCCESS && vals )
1247 attr_merge( e, ad_reqControls, vals, nvals );
1248 ber_bvarray_free_x( vals, op->o_tmpmemctx );
1249 ber_bvarray_free_x( nvals, op->o_tmpmemctx );
1253 if ( rs->sr_ctrls ) {
1254 BerVarray vals = NULL,
1257 if ( accesslog_ctrls( rs->sr_ctrls, &vals, &nvals,
1258 op->o_tmpmemctx ) == LDAP_SUCCESS && vals )
1260 attr_merge( e, ad_reqRespControls, vals, nvals );
1261 ber_bvarray_free_x( vals, op->o_tmpmemctx );
1262 ber_bvarray_free_x( nvals, op->o_tmpmemctx );
1270 static struct berval scopes[] = {
1277 static struct berval derefs[] = {
1279 BER_BVC("searching"),
1284 static struct berval simple = BER_BVC("SIMPLE");
1286 static void accesslog_val2val(AttributeDescription *ad, struct berval *val,
1287 char c_op, struct berval *dst) {
1290 dst->bv_len = ad->ad_cname.bv_len + val->bv_len + 2;
1291 if ( c_op ) dst->bv_len++;
1293 dst->bv_val = ch_malloc( dst->bv_len+1 );
1295 ptr = lutil_strcopy( dst->bv_val, ad->ad_cname.bv_val );
1300 AC_MEMCPY( ptr, val->bv_val, val->bv_len );
1301 dst->bv_val[dst->bv_len] = '\0';
1304 static int accesslog_response(Operation *op, SlapReply *rs) {
1305 slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
1306 log_info *li = on->on_bi.bi_private;
1307 Attribute *a, *last_attr;
1313 Entry *e = NULL, *old = NULL;
1314 char timebuf[LDAP_LUTIL_GENTIME_BUFSIZE+8];
1318 Operation op2 = {0};
1319 SlapReply rs2 = {REP_RESULT};
1321 if ( rs->sr_type != REP_RESULT && rs->sr_type != REP_EXTENDED )
1322 return SLAP_CB_CONTINUE;
1324 switch ( op->o_tag ) {
1325 case LDAP_REQ_ADD: logop = LOG_EN_ADD; break;
1326 case LDAP_REQ_DELETE: logop = LOG_EN_DELETE; break;
1327 case LDAP_REQ_MODIFY: logop = LOG_EN_MODIFY; break;
1328 case LDAP_REQ_MODRDN: logop = LOG_EN_MODRDN; break;
1329 case LDAP_REQ_COMPARE: logop = LOG_EN_COMPARE; break;
1330 case LDAP_REQ_SEARCH: logop = LOG_EN_SEARCH; break;
1331 case LDAP_REQ_BIND: logop = LOG_EN_BIND; break;
1332 case LDAP_REQ_EXTENDED: logop = LOG_EN_EXTENDED; break;
1333 default: /* unknown operation type */
1334 logop = LOG_EN_UNKNOWN; break;
1335 } /* Unbind and Abandon never reach here */
1337 lo = logops+logop+EN_OFFSET;
1338 if ( !( li->li_ops & lo->mask ))
1339 return SLAP_CB_CONTINUE;
1341 if ( lo->mask & LOG_OP_WRITES ) {
1342 ldap_pvt_thread_mutex_lock( &li->li_log_mutex );
1346 ldap_pvt_thread_rmutex_unlock( &li->li_op_rmutex, op->o_tid );
1349 if ( li->li_success && rs->sr_err != LDAP_SUCCESS )
1352 e = accesslog_entry( op, rs, logop, &op2 );
1354 attr_merge_one( e, ad_reqDN, &op->o_req_dn, &op->o_req_ndn );
1356 if ( rs->sr_text ) {
1357 ber_str2bv( rs->sr_text, 0, 0, &bv );
1358 attr_merge_one( e, ad_reqMessage, &bv, NULL );
1360 bv.bv_len = snprintf( timebuf, sizeof( timebuf ), "%d", rs->sr_err );
1361 if ( bv.bv_len >= 0 && bv.bv_len < sizeof( timebuf ) ) {
1362 bv.bv_val = timebuf;
1363 attr_merge_one( e, ad_reqResult, &bv, NULL );
1366 last_attr = attr_find( e->e_attrs, ad_reqResult );
1370 case LOG_EN_DELETE: {
1374 if ( logop == LOG_EN_ADD ) {
1383 /* count all the vals */
1385 for ( a=e2->e_attrs; a; a=a->a_next ) {
1388 vals = ch_malloc( (i+1) * sizeof( struct berval ));
1390 for ( a=e2->e_attrs; a; a=a->a_next ) {
1392 for (b=a->a_vals; !BER_BVISNULL( b ); b++,i++) {
1393 accesslog_val2val( a->a_desc, b, c_op, &vals[i] );
1397 vals[i].bv_val = NULL;
1399 a = attr_alloc( logop == LOG_EN_ADD ? ad_reqMod : ad_reqOld );
1403 last_attr->a_next = a;
1409 /* count all the mods */
1411 for ( m = op->orm_modlist; m; m = m->sml_next ) {
1412 if ( m->sml_values ) {
1413 i += m->sml_numvals;
1414 } else if ( m->sml_op == LDAP_MOD_DELETE ||
1415 m->sml_op == LDAP_MOD_REPLACE )
1420 vals = ch_malloc( (i+1) * sizeof( struct berval ));
1423 /* init flags on old entry */
1425 for ( a = old->e_attrs; a; a = a->a_next ) {
1429 /* look for attrs that are always logged */
1430 for ( la = li->li_oldattrs; la; la = la->next ) {
1431 if ( a->a_desc == la->attr ) {
1438 for ( m = op->orm_modlist; m; m = m->sml_next ) {
1439 /* Mark this attribute as modified */
1441 a = attr_find( old->e_attrs, m->sml_desc );
1447 /* don't log the RDN mods; they're explicitly logged later */
1448 if ( logop == LOG_EN_MODRDN &&
1449 ( m->sml_op == SLAP_MOD_SOFTADD ||
1450 m->sml_op == LDAP_MOD_DELETE ) )
1455 if ( m->sml_values ) {
1456 for ( b = m->sml_values; !BER_BVISNULL( b ); b++, i++ ) {
1459 switch ( m->sml_op ) {
1460 case LDAP_MOD_ADD: c_op = '+'; break;
1461 case LDAP_MOD_DELETE: c_op = '-'; break;
1462 case LDAP_MOD_REPLACE: c_op = '='; break;
1463 case LDAP_MOD_INCREMENT: c_op = '#'; break;
1465 /* unknown op. there shouldn't be any of these. we
1466 * don't know what to do with it, but we shouldn't just
1469 default: c_op = '?'; break;
1471 accesslog_val2val( m->sml_desc, b, c_op, &vals[i] );
1473 } else if ( m->sml_op == LDAP_MOD_DELETE ||
1474 m->sml_op == LDAP_MOD_REPLACE )
1476 vals[i].bv_len = m->sml_desc->ad_cname.bv_len + 2;
1477 vals[i].bv_val = ch_malloc( vals[i].bv_len + 1 );
1478 ptr = lutil_strcopy( vals[i].bv_val,
1479 m->sml_desc->ad_cname.bv_val );
1481 if ( m->sml_op == LDAP_MOD_DELETE ) {
1492 BER_BVZERO( &vals[i] );
1493 a = attr_alloc( ad_reqMod );
1497 last_attr->a_next = a;
1505 /* count all the vals */
1507 for ( a = old->e_attrs; a != NULL; a = a->a_next ) {
1508 if ( a->a_vals && a->a_flags ) {
1512 vals = ch_malloc( (i + 1) * sizeof( struct berval ) );
1514 for ( a=old->e_attrs; a; a=a->a_next ) {
1515 if ( a->a_vals && a->a_flags ) {
1516 for (b=a->a_vals; !BER_BVISNULL( b ); b++,i++) {
1517 accesslog_val2val( a->a_desc, b, 0, &vals[i] );
1521 vals[i].bv_val = NULL;
1523 a = attr_alloc( ad_reqOld );
1527 last_attr->a_next = a;
1529 if ( logop == LOG_EN_MODIFY ) {
1533 /* Now log the actual modRDN info */
1534 attr_merge_one( e, ad_reqNewRDN, &op->orr_newrdn, &op->orr_nnewrdn );
1535 attr_merge_one( e, ad_reqDeleteOldRDN, op->orr_deleteoldrdn ?
1536 (struct berval *)&slap_true_bv : (struct berval *)&slap_false_bv,
1538 if ( op->orr_newSup ) {
1539 attr_merge_one( e, ad_reqNewSuperior, op->orr_newSup, op->orr_nnewSup );
1543 case LOG_EN_COMPARE:
1544 bv.bv_len = op->orc_ava->aa_desc->ad_cname.bv_len + 1 +
1545 op->orc_ava->aa_value.bv_len;
1546 bv.bv_val = op->o_tmpalloc( bv.bv_len+1, op->o_tmpmemctx );
1547 ptr = lutil_strcopy( bv.bv_val, op->orc_ava->aa_desc->ad_cname.bv_val );
1549 AC_MEMCPY( ptr, op->orc_ava->aa_value.bv_val, op->orc_ava->aa_value.bv_len );
1550 bv.bv_val[bv.bv_len] = '\0';
1551 attr_merge_one( e, ad_reqAssertion, &bv, NULL );
1552 op->o_tmpfree( bv.bv_val, op->o_tmpmemctx );
1556 attr_merge_one( e, ad_reqScope, &scopes[op->ors_scope], NULL );
1557 attr_merge_one( e, ad_reqDerefAliases, &derefs[op->ors_deref], NULL );
1558 attr_merge_one( e, ad_reqAttrsOnly, op->ors_attrsonly ?
1559 (struct berval *)&slap_true_bv : (struct berval *)&slap_false_bv,
1561 if ( !BER_BVISEMPTY( &op->ors_filterstr ))
1562 attr_merge_one( e, ad_reqFilter, &op->ors_filterstr, NULL );
1563 if ( op->ors_attrs ) {
1565 for (i=0; !BER_BVISNULL(&op->ors_attrs[i].an_name );i++)
1567 vals = op->o_tmpalloc( (i+1) * sizeof(struct berval),
1569 for (i=0; !BER_BVISNULL(&op->ors_attrs[i].an_name );i++)
1570 vals[i] = op->ors_attrs[i].an_name;
1571 vals[i].bv_val = NULL;
1573 attr_merge( e, ad_reqAttr, vals, NULL );
1574 op->o_tmpfree( vals, op->o_tmpmemctx );
1576 bv.bv_val = timebuf;
1577 bv.bv_len = snprintf( bv.bv_val, sizeof( timebuf ), "%d", rs->sr_nentries );
1578 if ( bv.bv_len >= 0 && bv.bv_len < sizeof( timebuf ) ) {
1579 attr_merge_one( e, ad_reqEntries, &bv, NULL );
1582 bv.bv_len = snprintf( bv.bv_val, sizeof( timebuf ), "%d", op->ors_tlimit );
1583 if ( bv.bv_len >= 0 && bv.bv_len < sizeof( timebuf ) ) {
1584 attr_merge_one( e, ad_reqTimeLimit, &bv, NULL );
1587 bv.bv_len = snprintf( bv.bv_val, sizeof( timebuf ), "%d", op->ors_slimit );
1588 if ( bv.bv_len >= 0 && bv.bv_len < sizeof( timebuf ) ) {
1589 attr_merge_one( e, ad_reqSizeLimit, &bv, NULL );
1594 bv.bv_val = timebuf;
1595 bv.bv_len = snprintf( bv.bv_val, sizeof( timebuf ), "%d", op->o_protocol );
1596 if ( bv.bv_len >= 0 && bv.bv_len < sizeof( timebuf ) ) {
1597 attr_merge_one( e, ad_reqVersion, &bv, NULL );
1599 if ( op->orb_method == LDAP_AUTH_SIMPLE ) {
1600 attr_merge_one( e, ad_reqMethod, &simple, NULL );
1602 bv.bv_len = STRLENOF("SASL()") + op->orb_mech.bv_len;
1603 bv.bv_val = op->o_tmpalloc( bv.bv_len + 1, op->o_tmpmemctx );
1604 ptr = lutil_strcopy( bv.bv_val, "SASL(" );
1605 ptr = lutil_strcopy( ptr, op->orb_mech.bv_val );
1608 attr_merge_one( e, ad_reqMethod, &bv, NULL );
1609 op->o_tmpfree( bv.bv_val, op->o_tmpmemctx );
1614 case LOG_EN_EXTENDED:
1615 if ( op->ore_reqdata ) {
1616 attr_merge_one( e, ad_reqData, op->ore_reqdata, NULL );
1620 case LOG_EN_UNKNOWN:
1621 /* we don't know its parameters, don't add any */
1625 op2.o_hdr = op->o_hdr;
1626 op2.o_tag = LDAP_REQ_ADD;
1627 op2.o_bd = li->li_db;
1628 op2.o_dn = li->li_db->be_rootdn;
1629 op2.o_ndn = li->li_db->be_rootndn;
1630 op2.o_req_dn = e->e_name;
1631 op2.o_req_ndn = e->e_nname;
1633 op2.o_callback = &nullsc;
1635 if (( lo->mask & LOG_OP_WRITES ) && !BER_BVISEMPTY( &op->o_csn )) {
1636 slap_queue_csn( &op2, &op->o_csn );
1639 op2.o_bd->be_add( &op2, &rs2 );
1640 if ( e == op2.ora_e ) entry_free( e );
1644 if ( lo->mask & LOG_OP_WRITES )
1645 ldap_pvt_thread_mutex_unlock( &li->li_log_mutex );
1646 if ( old ) entry_free( old );
1647 return SLAP_CB_CONTINUE;
1650 /* Since Bind success is sent by the frontend, it won't normally enter
1651 * the overlay response callback. Add another callback to make sure it
1655 accesslog_bind_resp( Operation *op, SlapReply *rs )
1664 db.bd_info = op->o_callback->sc_private;
1665 rc = accesslog_response( op, rs );
1667 sc = op->o_callback;
1668 op->o_callback = sc->sc_next;
1669 op->o_tmpfree( sc, op->o_tmpmemctx );
1674 accesslog_op_bind( Operation *op, SlapReply *rs )
1678 sc = op->o_tmpcalloc( 1, sizeof(slap_callback), op->o_tmpmemctx );
1679 sc->sc_response = accesslog_bind_resp;
1680 sc->sc_private = op->o_bd->bd_info;
1682 if ( op->o_callback ) {
1683 sc->sc_next = op->o_callback->sc_next;
1684 op->o_callback->sc_next = sc;
1686 op->o_callback = sc;
1688 return SLAP_CB_CONTINUE;
1692 accesslog_mod_cleanup( Operation *op, SlapReply *rs )
1694 slap_callback *sc = op->o_callback;
1695 slap_overinst *on = sc->sc_private;
1696 log_info *li = on->on_bi.bi_private;
1697 op->o_callback = sc->sc_next;
1699 op->o_tmpfree( sc, op->o_tmpmemctx );
1701 if ( li->li_unlock ) {
1702 BackendInfo *bi = op->o_bd->bd_info;
1703 op->o_bd->bd_info = (BackendInfo *)on;
1704 accesslog_response( op, rs );
1705 op->o_bd->bd_info = bi;
1711 accesslog_op_mod( Operation *op, SlapReply *rs )
1713 slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
1714 log_info *li = on->on_bi.bi_private;
1716 if ( li->li_ops & LOG_OP_WRITES ) {
1717 slap_callback *cb = op->o_tmpalloc( sizeof( slap_callback ), op->o_tmpmemctx );
1718 cb->sc_cleanup = accesslog_mod_cleanup;
1719 cb->sc_response = NULL;
1720 cb->sc_private = on;
1721 cb->sc_next = op->o_callback;
1722 op->o_callback = cb;
1724 ldap_pvt_thread_rmutex_lock( &li->li_op_rmutex, op->o_tid );
1726 if ( li->li_oldf && ( op->o_tag == LDAP_REQ_DELETE ||
1727 op->o_tag == LDAP_REQ_MODIFY ||
1728 ( op->o_tag == LDAP_REQ_MODRDN && li->li_oldattrs ))) {
1732 op->o_bd->bd_info = on->on_info->oi_orig;
1733 rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &e );
1735 if ( test_filter( op, e, li->li_oldf ) == LDAP_COMPARE_TRUE )
1736 li->li_old = entry_dup( e );
1737 be_entry_release_rw( op, e, 0 );
1739 op->o_bd->bd_info = (BackendInfo *)on;
1742 return SLAP_CB_CONTINUE;
1745 /* unbinds are broadcast to all backends; we only log it if this
1746 * backend was used for the original bind.
1749 accesslog_unbind( Operation *op, SlapReply *rs )
1751 slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
1752 if ( op->o_conn->c_authz_backend == on->on_info->oi_origdb ) {
1753 log_info *li = on->on_bi.bi_private;
1754 Operation op2 = {0};
1755 void *cids[SLAP_MAX_CIDS];
1756 SlapReply rs2 = {REP_RESULT};
1759 if ( !( li->li_ops & LOG_OP_UNBIND ))
1760 return SLAP_CB_CONTINUE;
1762 e = accesslog_entry( op, rs, LOG_EN_UNBIND, &op2 );
1763 op2.o_hdr = op->o_hdr;
1764 op2.o_tag = LDAP_REQ_ADD;
1765 op2.o_bd = li->li_db;
1766 op2.o_dn = li->li_db->be_rootdn;
1767 op2.o_ndn = li->li_db->be_rootndn;
1768 op2.o_req_dn = e->e_name;
1769 op2.o_req_ndn = e->e_nname;
1771 op2.o_callback = &nullsc;
1772 op2.o_controls = cids;
1773 memset(cids, 0, sizeof( cids ));
1775 op2.o_bd->be_add( &op2, &rs2 );
1776 if ( e == op2.ora_e )
1779 return SLAP_CB_CONTINUE;
1783 accesslog_abandon( Operation *op, SlapReply *rs )
1785 slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
1786 log_info *li = on->on_bi.bi_private;
1787 Operation op2 = {0};
1788 void *cids[SLAP_MAX_CIDS];
1789 SlapReply rs2 = {REP_RESULT};
1794 if ( !op->o_time || !( li->li_ops & LOG_OP_ABANDON ))
1795 return SLAP_CB_CONTINUE;
1797 e = accesslog_entry( op, rs, LOG_EN_ABANDON, &op2 );
1799 bv.bv_len = snprintf( buf, sizeof( buf ), "%d", op->orn_msgid );
1800 if ( bv.bv_len >= 0 && bv.bv_len < sizeof( buf ) ) {
1801 attr_merge_one( e, ad_reqId, &bv, NULL );
1804 op2.o_hdr = op->o_hdr;
1805 op2.o_tag = LDAP_REQ_ADD;
1806 op2.o_bd = li->li_db;
1807 op2.o_dn = li->li_db->be_rootdn;
1808 op2.o_ndn = li->li_db->be_rootndn;
1809 op2.o_req_dn = e->e_name;
1810 op2.o_req_ndn = e->e_nname;
1812 op2.o_callback = &nullsc;
1813 op2.o_controls = cids;
1814 memset(cids, 0, sizeof( cids ));
1816 op2.o_bd->be_add( &op2, &rs2 );
1817 if ( e == op2.ora_e )
1820 return SLAP_CB_CONTINUE;
1824 accesslog_operational( Operation *op, SlapReply *rs )
1826 slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
1827 log_info *li = on->on_bi.bi_private;
1829 if ( op->o_sync != SLAP_CONTROL_NONE )
1830 return SLAP_CB_CONTINUE;
1832 if ( rs->sr_entry != NULL
1833 && dn_match( &op->o_bd->be_nsuffix[0], &rs->sr_entry->e_nname ) )
1837 for ( ap = &rs->sr_operational_attrs; *ap; ap = &(*ap)->a_next )
1840 if ( SLAP_OPATTRS( rs->sr_attr_flags ) ||
1841 ad_inlist( ad_auditContext, rs->sr_attrs ) )
1843 *ap = attr_alloc( ad_auditContext );
1845 &li->li_db->be_suffix[0],
1846 &li->li_db->be_nsuffix[0], 1 );
1850 return SLAP_CB_CONTINUE;
1853 static slap_overinst accesslog;
1861 slap_overinst *on = (slap_overinst *)be->bd_info;
1862 log_info *li = ch_calloc(1, sizeof(log_info));
1864 on->on_bi.bi_private = li;
1865 ldap_pvt_thread_rmutex_init( &li->li_op_rmutex );
1866 ldap_pvt_thread_mutex_init( &li->li_log_mutex );
1871 accesslog_db_destroy(
1876 slap_overinst *on = (slap_overinst *)be->bd_info;
1877 log_info *li = on->on_bi.bi_private;
1881 filter_free( li->li_oldf );
1882 for ( la=li->li_oldattrs; la; la=li->li_oldattrs ) {
1883 li->li_oldattrs = la->next;
1886 ldap_pvt_thread_mutex_destroy( &li->li_log_mutex );
1887 ldap_pvt_thread_rmutex_destroy( &li->li_op_rmutex );
1889 return LDAP_SUCCESS;
1892 /* Create the logdb's root entry if it's missing */
1898 struct re_s *rtask = arg;
1899 slap_overinst *on = rtask->arg;
1900 log_info *li = on->on_bi.bi_private;
1902 Connection conn = {0};
1903 OperationBuffer opbuf;
1909 connection_fake_init( &conn, &opbuf, ctx );
1911 op->o_bd = li->li_db;
1912 op->o_dn = li->li_db->be_rootdn;
1913 op->o_ndn = li->li_db->be_rootndn;
1914 rc = be_entry_get_rw( op, li->li_db->be_nsuffix, NULL, NULL, 0, &e );
1917 be_entry_release_rw( op, e, 0 );
1920 SlapReply rs = {REP_RESULT};
1921 struct berval rdn, nrdn, attr;
1923 AttributeDescription *ad = NULL;
1924 const char *text = NULL;
1928 ber_dupbv( &e->e_name, li->li_db->be_suffix );
1929 ber_dupbv( &e->e_nname, li->li_db->be_nsuffix );
1931 attr_merge_one( e, slap_schema.si_ad_objectClass,
1932 &log_container->soc_cname, NULL );
1934 dnRdn( &e->e_name, &rdn );
1935 dnRdn( &e->e_nname, &nrdn );
1936 ptr = ber_bvchr( &rdn, '=' );
1938 assert( ptr != NULL );
1940 attr.bv_val = rdn.bv_val;
1941 attr.bv_len = ptr - rdn.bv_val;
1943 slap_bv2ad( &attr, &ad, &text );
1946 rdn.bv_len -= attr.bv_len + 1;
1947 ptr = ber_bvchr( &nrdn, '=' );
1948 nrdn.bv_len -= ptr - nrdn.bv_val + 1;
1949 nrdn.bv_val = ptr+1;
1950 attr_merge_one( e, ad, &rdn, &nrdn );
1952 /* Get contextCSN from main DB */
1953 op->o_bd = on->on_info->oi_origdb;
1954 rc = be_entry_get_rw( op, op->o_bd->be_nsuffix, NULL,
1955 slap_schema.si_ad_contextCSN, 0, &e_ctx );
1960 a = attr_find( e_ctx->e_attrs, slap_schema.si_ad_contextCSN );
1962 /* FIXME: contextCSN could have multiple values!
1963 * should select the one with the server's SID */
1964 attr_merge_one( e, slap_schema.si_ad_entryCSN,
1965 &a->a_vals[0], &a->a_nvals[0] );
1966 attr_merge( e, a->a_desc, a->a_vals, a->a_nvals );
1968 be_entry_release_rw( op, e_ctx, 0 );
1970 op->o_bd = li->li_db;
1973 op->o_req_dn = e->e_name;
1974 op->o_req_ndn = e->e_nname;
1975 op->o_callback = &nullsc;
1976 SLAP_DBFLAGS( op->o_bd ) |= SLAP_DBFLAG_NOLASTMOD;
1977 rc = op->o_bd->be_add( op, &rs );
1978 SLAP_DBFLAGS( op->o_bd ) ^= SLAP_DBFLAG_NOLASTMOD;
1979 if ( e == op->ora_e )
1982 ldap_pvt_thread_mutex_lock( &slapd_rq.rq_mutex );
1983 ldap_pvt_runqueue_stoptask( &slapd_rq, rtask );
1984 ldap_pvt_runqueue_remove( &slapd_rq, rtask );
1985 ldap_pvt_thread_mutex_unlock( &slapd_rq.rq_mutex );
1996 slap_overinst *on = (slap_overinst *)be->bd_info;
1997 log_info *li = on->on_bi.bi_private;
2000 if ( !BER_BVISEMPTY( &li->li_db_suffix )) {
2001 li->li_db = select_backend( &li->li_db_suffix, 0 );
2002 ch_free( li->li_db_suffix.bv_val );
2003 BER_BVZERO( &li->li_db_suffix );
2005 if ( li->li_db == NULL ) {
2006 Debug( LDAP_DEBUG_ANY,
2007 "accesslog: \"logdb <suffix>\" missing or invalid.\n",
2012 if ( slapMode & SLAP_TOOL_MODE )
2015 if ( BER_BVISEMPTY( &li->li_db->be_rootndn )) {
2016 ber_dupbv( &li->li_db->be_rootdn, li->li_db->be_suffix );
2017 ber_dupbv( &li->li_db->be_rootndn, li->li_db->be_nsuffix );
2020 ldap_pvt_runqueue_insert( &slapd_rq, 3600, accesslog_db_root, on,
2021 "accesslog_db_root", li->li_db->be_suffix[0].bv_val );
2026 int accesslog_initialize()
2030 accesslog.on_bi.bi_type = "accesslog";
2031 accesslog.on_bi.bi_db_init = accesslog_db_init;
2032 accesslog.on_bi.bi_db_destroy = accesslog_db_destroy;
2033 accesslog.on_bi.bi_db_open = accesslog_db_open;
2035 accesslog.on_bi.bi_op_add = accesslog_op_mod;
2036 accesslog.on_bi.bi_op_bind = accesslog_op_bind;
2037 accesslog.on_bi.bi_op_delete = accesslog_op_mod;
2038 accesslog.on_bi.bi_op_modify = accesslog_op_mod;
2039 accesslog.on_bi.bi_op_modrdn = accesslog_op_mod;
2040 accesslog.on_bi.bi_op_unbind = accesslog_unbind;
2041 accesslog.on_bi.bi_op_abandon = accesslog_abandon;
2042 accesslog.on_bi.bi_operational = accesslog_operational;
2043 accesslog.on_response = accesslog_response;
2045 accesslog.on_bi.bi_cf_ocs = log_cfocs;
2047 nullsc.sc_response = slap_null_cb;
2049 rc = config_register_schema( log_cfats, log_cfocs );
2050 if ( rc ) return rc;
2052 /* log schema integration */
2053 for ( i=0; lsyntaxes[i].oid; i++ ) {
2056 code = register_syntax( &lsyntaxes[ i ].syn );
2058 Debug( LDAP_DEBUG_ANY,
2059 "accesslog_init: register_syntax failed\n",
2064 if ( lsyntaxes[i].mrs != NULL ) {
2065 code = mr_make_syntax_compat_with_mrs(
2066 lsyntaxes[i].oid, lsyntaxes[i].mrs );
2068 Debug( LDAP_DEBUG_ANY,
2070 "mr_make_syntax_compat_with_mrs "
2078 for ( i=0; lattrs[i].at; i++ ) {
2081 code = register_at( lattrs[i].at, lattrs[i].ad, 0 );
2083 Debug( LDAP_DEBUG_ANY,
2084 "accesslog_init: register_at failed\n",
2089 (*lattrs[i].ad)->ad_type->sat_flags |= SLAP_AT_HIDE;
2093 for ( i=0; locs[i].ot; i++ ) {
2096 code = register_oc( locs[i].ot, locs[i].oc, 0 );
2098 Debug( LDAP_DEBUG_ANY,
2099 "accesslog_init: register_oc failed\n",
2104 (*locs[i].oc)->soc_flags |= SLAP_OC_HIDE;
2108 return overlay_register(&accesslog);
2111 #if SLAPD_OVER_ACCESSLOG == SLAPD_MOD_DYNAMIC
2113 init_module( int argc, char *argv[] )
2115 return accesslog_initialize();
2119 #endif /* SLAPD_OVER_ACCESSLOG */