1 /* chain.c - chain LDAP operations */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
5 * Copyright 2003-2004 The OpenLDAP Foundation.
6 * Portions Copyright 2003 Howard Chu.
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted only as authorized by the OpenLDAP
13 * A copy of this license is available in the file LICENSE in the
14 * top-level directory of the distribution or, alternatively, at
15 * <http://www.OpenLDAP.org/license.html>.
18 * This work was initially developed by the Howard Chu for inclusion
19 * in OpenLDAP Software.
24 #if defined(SLAPD_LDAP)
26 #ifdef SLAPD_OVER_CHAIN
30 #include <ac/string.h>
31 #include <ac/socket.h>
34 #include "../back-ldap/back-ldap.h"
36 static BackendInfo *lback;
39 ldap_chain_chk_referrals( Operation *op, SlapReply *rs )
45 ldap_chain_operational( Operation *op, SlapReply *rs )
47 /* trap entries generated by back-ldap.
48 * FIXME: we need a better way to recognize them; a cleaner
49 * solution would be to be able to intercept the response
50 * of be_operational(), so that we can divert only those
51 * calls that fail because operational attributes were
52 * requested for entries that do not belong to the underlying
53 * database. This fix is likely to intercept also entries
54 * generated by back-perl and so. */
55 if ( rs->sr_entry->e_private == NULL ) {
59 return SLAP_CB_CONTINUE;
63 ldap_chain_cb_response( Operation *op, SlapReply *rs )
65 assert( op->o_tag == LDAP_REQ_SEARCH );
67 if ( rs->sr_type == REP_SEARCH ) {
68 Attribute **ap = &rs->sr_entry->e_attrs;
70 for ( ; *ap != NULL; ap = &(*ap)->a_next ) {
71 /* will be generated later by frontend
72 * (a cleaner solution would be that
73 * the frontend checks if it already exists */
74 if ( ad_cmp( (*ap)->a_desc, slap_schema.si_ad_entryDN ) == 0 )
81 /* there SHOULD be one only! */
86 return SLAP_CB_CONTINUE;
93 ldap_chain_response( Operation *op, SlapReply *rs )
95 slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
96 void *private = op->o_bd->be_private;
97 slap_callback *sc = op->o_callback;
98 LDAPControl **prev = op->o_ctrls;
99 LDAPControl **ctrls = NULL, authz;
100 int i, nctrls, rc = 0;
101 int cache = op->o_do_not_cache;
102 char *authzid = NULL;
104 struct berval ndn = op->o_ndn;
106 struct ldapinfo li, *lip = (struct ldapinfo *)on->on_bi.bi_private;
108 if ( rs->sr_err != LDAP_REFERRAL && rs->sr_type != REP_SEARCHREF )
109 return SLAP_CB_CONTINUE;
114 op->o_callback = NULL;
116 if ( lip->url == NULL ) {
117 /* FIXME: we're setting the URI of the first referral;
118 * what if there are more? Is this something we should
121 op->o_bd->be_private = &li;
123 if ( rs->sr_type != REP_SEARCHREF ) {
127 /* parse reference and use
128 * proto://[host][:port]/ only */
129 rc = ldap_url_parse_ext( ref[0].bv_val, &srv );
130 if ( rc != LDAP_URL_SUCCESS) {
135 /* remove DN essentially because later on
136 * ldap_initialize() will parse the URL
137 * as a comma-separated URL list */
138 save_dn = srv->lud_dn;
140 srv->lud_scope = LDAP_SCOPE_DEFAULT;
141 li.url = ldap_url_desc2str( srv );
142 srv->lud_dn = save_dn;
143 ldap_free_urldesc( srv );
145 if ( li.url == NULL ) {
152 op->o_bd->be_private = on->on_bi.bi_private;
155 /* Chaining is performed by a privileged user on behalf
156 * of a normal user, using the ProxyAuthz control. However,
157 * Binds are done separately, on an anonymous session.
159 if ( op->o_tag != LDAP_REQ_BIND ) {
160 for ( i = 0; prev && prev[i]; i++ )
161 /* count and set prev to the last one */ ;
164 /* Add an extra NULL slot */
169 ctrls = op->o_tmpalloc((i + 1)*sizeof(LDAPControl *),
171 for ( i = 0; i < nctrls; i++ ) {
174 ctrls[nctrls] = &authz;
175 ctrls[nctrls + 1] = NULL;
176 authz.ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ;
177 authz.ldctl_iscritical = 1;
178 authz.ldctl_value = op->o_dn;
179 if ( !BER_BVISEMPTY( &op->o_dn ) ) {
180 authzid = op->o_tmpalloc( op->o_dn.bv_len + STRLENOF("dn:"),
182 strcpy(authzid, "dn:");
183 strcpy(authzid + STRLENOF("dn:"), op->o_dn.bv_val);
184 authz.ldctl_value.bv_len = op->o_dn.bv_len + STRLENOF("dn:");
185 authz.ldctl_value.bv_val = authzid;
188 op->o_ndn = op->o_bd->be_rootndn;
191 switch ( op->o_tag ) {
192 case LDAP_REQ_BIND: {
193 struct berval rndn = op->o_req_ndn;
194 Connection *conn = op->o_conn;
196 op->o_req_ndn = slap_empty_bv;
199 rc = lback->bi_op_bind( op, rs );
200 op->o_req_ndn = rndn;
205 rc = lback->bi_op_add( op, rs );
207 case LDAP_REQ_DELETE:
208 rc = lback->bi_op_delete( op, rs );
210 case LDAP_REQ_MODRDN:
211 rc = lback->bi_op_modrdn( op, rs );
213 case LDAP_REQ_MODIFY:
214 rc = lback->bi_op_modify( op, rs );
216 case LDAP_REQ_COMPARE:
217 rc = lback->bi_op_compare( op, rs );
219 case LDAP_REQ_SEARCH:
220 if ( rs->sr_type == REP_SEARCHREF ) {
221 struct berval *curr = ref,
223 ondn = op->o_req_ndn;
224 slap_callback sc2 = { 0 };
226 ber_len_t refcnt = 0;
227 BerVarray newref = NULL;
229 sc2.sc_response = ldap_chain_cb_response;
230 op->o_callback = &sc2;
232 rs->sr_type = REP_SEARCH;
234 /* copy the private info because we need to modify it */
235 for ( ; !BER_BVISNULL( &curr[0] ); curr++ ) {
239 /* parse reference and use
240 * proto://[host][:port]/ only */
241 tmprc = ldap_url_parse_ext( curr[0].bv_val, &srv );
242 if ( tmprc != LDAP_URL_SUCCESS ) {
245 goto end_of_searchref;
248 /* remove DN essentially because later on
249 * ldap_initialize() will parse the URL
250 * as a comma-separated URL list */
251 save_dn = srv->lud_dn;
253 srv->lud_scope = LDAP_SCOPE_DEFAULT;
254 li.url = ldap_url_desc2str( srv );
255 if ( li.url != NULL ) {
256 ber_str2bv_x( save_dn, 0, 1, &op->o_req_dn,
258 ber_dupbv_x( &op->o_req_ndn, &op->o_req_dn,
262 srv->lud_dn = save_dn;
263 ldap_free_urldesc( srv );
265 if ( li.url == NULL ) {
268 goto end_of_searchref;
272 /* FIXME: should we also copy filter and scope?
273 * according to RFC3296, no */
274 tmprc = lback->bi_op_search( op, rs );
276 ldap_memfree( li.url );
279 op->o_tmpfree( op->o_req_dn.bv_val,
281 op->o_tmpfree( op->o_req_ndn.bv_val,
287 goto end_of_searchref;
290 if ( rs->sr_err != LDAP_SUCCESS ) {
291 /* if search was not successful,
292 * at least return the referral! */
293 /* FIXME: assumes referrals
294 * are always created via
295 * referral_rewrite() and freed via
296 * ber_bvarray_free( rs->sr_ref ) */
297 newref = ch_realloc( newref, sizeof( struct berval ) * (refcnt + 2) );
298 ber_dupbv( &newref[ refcnt ], &curr[ 0 ] );
300 BER_BVZERO( &newref[ refcnt ] );
306 op->o_req_ndn = ondn;
307 rs->sr_type = REP_SEARCHREF;
310 /* if the error was bad, it was already returned
311 * by back-ldap; destroy the referrals left;
312 * otherwise, let the frontend return them. */
315 rc = SLAP_CB_CONTINUE;
316 if ( ref != default_referral ) {
317 ber_bvarray_free( ref );
322 ber_bvarray_free( newref );
327 rc = lback->bi_op_search( op, rs );
330 case LDAP_REQ_EXTENDED:
331 rc = lback->bi_extended( op, rs );
334 rc = SLAP_CB_CONTINUE;
337 op->o_do_not_cache = cache;
339 op->o_bd->be_private = private;
343 op->o_tmpfree( ctrls, op->o_tmpmemctx );
346 op->o_tmpfree( authzid, op->o_tmpmemctx );
349 if ( lip->url == NULL && li.url != NULL ) {
350 ldap_memfree( li.url );
365 slap_overinst *on = (slap_overinst *) be->bd_info;
366 void *private = be->be_private;
370 be->be_private = on->on_bi.bi_private;
371 if ( strncasecmp( argv[ 0 ], "chain-", sizeof( "chain-" ) - 1 ) == 0 ) {
373 argv[ 0 ] = &argv[ 0 ][ sizeof( "chain-" ) - 1 ];
375 rc = lback->bi_db_config( be, fname, lineno, argc, argv );
380 be->be_private = private;
389 slap_overinst *on = (slap_overinst *) be->bd_info;
390 void *private = be->be_private;
393 be->be_private = NULL;
394 rc = lback->bi_db_init( be );
395 on->on_bi.bi_private = be->be_private;
396 be->be_private = private;
406 slap_overinst *on = (slap_overinst *) be->bd_info;
407 void *private = be->be_private;
410 be->be_private = on->on_bi.bi_private;
411 rc = lback->bi_db_destroy( be );
412 on->on_bi.bi_private = be->be_private;
413 be->be_private = private;
417 static slap_overinst ldapchain;
422 lback = backend_info( "ldap" );
428 ldapchain.on_bi.bi_type = "chain";
429 ldapchain.on_bi.bi_db_init = ldap_chain_init;
430 ldapchain.on_bi.bi_db_config = ldap_chain_config;
431 ldapchain.on_bi.bi_db_destroy = ldap_chain_destroy;
433 /* ... otherwise the underlying backend's function would be called,
434 * likely passing an invalid entry; on the contrary, the requested
435 * operational attributes should have been returned while chasing
436 * the referrals. This all in all is a bit messy, because part
437 * of the operational attributes are generated by they backend;
438 * part by the frontend; back-ldap should receive all the available
439 * ones from the remote server, but then, on it own, it strips those
440 * it assumes will be (re)generated by the frontend (e.g.
441 * subschemaSubentry.) */
442 ldapchain.on_bi.bi_operational = ldap_chain_operational;
444 ldapchain.on_response = ldap_chain_response;
447 ldapchain.on_bi.bi_chk_referrals = ldap_chain_chk_referrals;
449 return overlay_register( &ldapchain );
452 #if SLAPD_OVER_CHAIN == SLAPD_MOD_DYNAMIC
453 int init_module(int argc, char *argv[]) {
456 #endif /* SLAPD_OVER_CHAIN == SLAPD_MOD_DYNAMIC */
458 #endif /* SLAPD_OVER_CHAIN */
460 #endif /* ! defined(SLAPD_LDAP) */