1 /* chain.c - chain LDAP operations */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
5 * Copyright 2003-2004 The OpenLDAP Foundation.
6 * Portions Copyright 2003 Howard Chu.
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted only as authorized by the OpenLDAP
13 * A copy of this license is available in the file LICENSE in the
14 * top-level directory of the distribution or, alternatively, at
15 * <http://www.OpenLDAP.org/license.html>.
18 * This work was initially developed by the Howard Chu for inclusion
19 * in OpenLDAP Software.
24 #if defined(SLAPD_LDAP)
26 #ifdef SLAPD_OVER_CHAIN
30 #include <ac/string.h>
31 #include <ac/socket.h>
34 #include "../back-ldap/back-ldap.h"
37 ldap_chain_chk_referrals( Operation *op, SlapReply *rs )
43 ldap_chain_response( Operation *op, SlapReply *rs )
45 slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
46 void *private = op->o_bd->be_private;
47 slap_callback *sc = op->o_callback;
48 LDAPControl **prev = op->o_ctrls;
49 LDAPControl **ctrls = NULL, authz;
50 int i, nctrls, rc = 0;
51 int cache = op->o_do_not_cache;
54 struct berval ndn = op->o_ndn;
56 struct ldapinfo li, *lip = (struct ldapinfo *)on->on_bi.bi_private;
58 if ( rs->sr_err != LDAP_REFERRAL && rs->sr_type != REP_SEARCHREF )
59 return SLAP_CB_CONTINUE;
64 op->o_callback = NULL;
66 if ( lip->url == NULL ) {
68 op->o_bd->be_private = &li;
70 if ( rs->sr_type != REP_SEARCHREF ) {
74 /* parse reference and use proto://[host][:port]/ only */
75 rc = ldap_url_parse_ext( ref[0].bv_val, &srv );
76 if ( rc != LDAP_SUCCESS) {
81 /* remove DN essentially because later on
82 * ldap_initialize() will parse the URL
83 * as a comma-separated URL list */
84 save_dn = srv->lud_dn;
86 li.url = ldap_url_desc2str( srv );
87 if ( li.url == NULL ) {
89 srv->lud_dn = save_dn;
90 ldap_free_urldesc( srv );
94 srv->lud_dn = save_dn;
95 ldap_free_urldesc( srv );
99 op->o_bd->be_private = on->on_bi.bi_private;
102 /* Chaining is performed by a privileged user on behalf
103 * of a normal user, using the ProxyAuthz control. However,
104 * Binds are done separately, on an anonymous session.
106 if ( op->o_tag != LDAP_REQ_BIND ) {
107 for (i=0; prev && prev[i]; i++);
110 /* Add an extra NULL slot */
113 ctrls = op->o_tmpalloc((i+1)*sizeof(LDAPControl *),
115 for (i=0; i <nctrls; i++)
117 ctrls[nctrls] = &authz;
118 ctrls[nctrls+1] = NULL;
119 authz.ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ;
120 authz.ldctl_iscritical = 1;
121 authz.ldctl_value = op->o_dn;
122 if ( op->o_dn.bv_len ) {
123 authzid = op->o_tmpalloc( op->o_dn.bv_len + sizeof("dn:") - 1,
125 strcpy(authzid, "dn:");
126 strcpy(authzid + sizeof("dn:") - 1, op->o_dn.bv_val);
127 authz.ldctl_value.bv_len = op->o_dn.bv_len + sizeof("dn:") - 1;
128 authz.ldctl_value.bv_val = authzid;
131 op->o_ndn = op->o_bd->be_rootndn;
134 switch( op->o_tag ) {
135 case LDAP_REQ_BIND: {
136 struct berval rndn = op->o_req_ndn;
137 Connection *conn = op->o_conn;
139 op->o_req_ndn = slap_empty_bv;
142 rc = ldap_back_bind( op, rs );
143 op->o_req_ndn = rndn;
148 rc = ldap_back_add( op, rs );
150 case LDAP_REQ_DELETE:
151 rc = ldap_back_delete( op, rs );
153 case LDAP_REQ_MODRDN:
154 rc = ldap_back_modrdn( op, rs );
156 case LDAP_REQ_MODIFY:
157 rc = ldap_back_modify( op, rs );
159 case LDAP_REQ_COMPARE:
160 rc = ldap_back_compare( op, rs );
162 case LDAP_REQ_SEARCH:
163 if ( rs->sr_type == REP_SEARCHREF ) {
164 struct berval *curr = ref,
166 ondn = op->o_req_ndn;
168 rs->sr_type = REP_SEARCH;
170 /* copy the private info because we need to modify it */
171 for ( ; curr[0].bv_val; curr++ ) {
174 /* parse reference and use proto://[host][:port]/ only */
175 rc = ldap_url_parse_ext( curr[0].bv_val, &srv );
176 if ( rc != LDAP_SUCCESS) {
179 goto end_of_searchref;
182 ber_str2bv(srv->lud_dn, 0, 0, &op->o_req_dn);
183 op->o_req_ndn = op->o_req_dn;
185 /* remove DN essentially because later on
186 * ldap_initialize() will parse the URL
187 * as a comma-separated URL list */
189 li.url = ldap_url_desc2str( srv );
190 if ( li.url == NULL ) {
192 srv->lud_dn = op->o_req_dn.bv_val;
193 ldap_free_urldesc( srv );
195 goto end_of_searchref;
198 /* FIXME: should we also copy filter and scope?
199 * according to RFC3296, no */
201 rc = ldap_back_search( op, rs );
203 ldap_memfree( li.url );
206 srv->lud_dn = op->o_req_dn.bv_val;
207 ldap_free_urldesc( srv );
212 goto end_of_searchref;
218 op->o_req_ndn = ondn;
219 rs->sr_type = REP_SEARCHREF;
222 rc = ldap_back_search( op, rs );
225 case LDAP_REQ_EXTENDED:
226 rc = ldap_back_extended( op, rs );
229 rc = SLAP_CB_CONTINUE;
232 op->o_do_not_cache = cache;
234 op->o_bd->be_private = private;
237 if ( ctrls ) op->o_tmpfree( ctrls, op->o_tmpmemctx );
238 if ( authzid ) op->o_tmpfree( authzid, op->o_tmpmemctx );
240 if ( lip->url == NULL && li.url ) {
241 ldap_memfree( li.url );
247 static int ldap_chain_config(
255 slap_overinst *on = (slap_overinst *) be->bd_info;
256 void *private = be->be_private;
260 be->be_private = on->on_bi.bi_private;
261 if ( strncasecmp( argv[ 0 ], "chain-", sizeof( "chain-" ) - 1 ) == 0 ) {
263 argv[ 0 ] = &argv[ 0 ][ sizeof( "chain-" ) - 1 ];
265 rc = ldap_back_db_config( be, fname, lineno, argc, argv );
270 be->be_private = private;
274 static int ldap_chain_init(
278 slap_overinst *on = (slap_overinst *) be->bd_info;
279 void *private = be->be_private;
282 be->be_private = NULL;
283 rc = ldap_back_db_init( be );
284 on->on_bi.bi_private = be->be_private;
285 be->be_private = private;
290 static int ldap_chain_destroy(
294 slap_overinst *on = (slap_overinst *) be->bd_info;
295 void *private = be->be_private;
298 be->be_private = on->on_bi.bi_private;
299 rc = ldap_back_db_destroy( be );
300 on->on_bi.bi_private = be->be_private;
301 be->be_private = private;
305 static slap_overinst ldapchain;
309 ldapchain.on_bi.bi_type = "chain";
310 ldapchain.on_bi.bi_db_init = ldap_chain_init;
311 ldapchain.on_bi.bi_db_config = ldap_chain_config;
312 ldapchain.on_bi.bi_db_destroy = ldap_chain_destroy;
313 ldapchain.on_response = ldap_chain_response;
315 ldapchain.on_bi.bi_chk_referrals = ldap_chain_chk_referrals;
317 return overlay_register( &ldapchain );
320 #if SLAPD_OVER_CHAIN == SLAPD_MOD_DYNAMIC
321 int init_module(int argc, char *argv[]) {
324 #endif /* SLAPD_OVER_CHAIN == SLAPD_MOD_DYNAMIC */
326 #endif /* SLAPD_OVER_CHAIN */
328 #endif /* ! defined(SLAPD_LDAP) */