1 /* memberof.c - back-reference for group membership */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
5 * Copyright 2005-2007 Pierangelo Masarati <ando@sys-net.it>
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted only as authorized by the OpenLDAP
12 * A copy of this license is available in the file LICENSE in the
13 * top-level directory of the distribution or, alternatively, at
14 * <http://www.OpenLDAP.org/license.html>.
17 * This work was initially developed by Pierangelo Masarati for inclusion
18 * in OpenLDAP Software, sponsored by SysNet s.r.l.
23 #ifdef SLAPD_OVER_MEMBEROF
27 #include "ac/string.h"
28 #include "ac/socket.h"
37 * GROUP a group object (an entry with GROUP_OC
39 * MEMBER a member object (an entry whose DN is
40 * listed as MEMBER_AT value of a GROUP)
41 * GROUP_OC the objectClass of the group object
42 * (default: groupOfNames)
43 * MEMBER_AT the membership attribute, DN-valued;
44 * note: nameAndOptionalUID is tolerated
45 * as soon as the optionalUID is absent
47 * MEMBER_OF reverse membership attribute
51 * - if the entry that is being added is a GROUP,
52 * the MEMBER_AT defined as values of the add operation
53 * get the MEMBER_OF value directly from the request.
55 * if configured to do so, the MEMBER objects do not exist,
56 * and no relax control is issued, either:
58 * - drop non-existing members
59 * (by default: don't muck with values)
61 * - if (configured to do so,) the referenced GROUP exists,
62 * the relax control is set and the user has
63 * "manage" privileges, allow to add MEMBER_OF values to
67 * - if the entry being modified is a GROUP_OC and the
68 * MEMBER_AT attribute is modified, the MEMBER_OF value
69 * of the (existing) MEMBER_AT entries that are affected
70 * is modified according to the request:
71 * - if a MEMBER is removed from the group,
72 * delete the corresponding MEMBER_OF
73 * - if a MEMBER is added to a group,
74 * add the corresponding MEMBER_OF
76 * We need to determine, from the database, if it is
77 * a GROUP_OC, and we need to check, from the
78 * modification list, if the MEMBER_AT attribute is being
79 * affected, and what MEMBER_AT values are affected.
81 * if configured to do so, the entries corresponding to
82 * the MEMBER_AT values do not exist, and no relax control
85 * - drop non-existing members
86 * (by default: don't muck with values)
88 * - if configured to do so, the referenced GROUP exists,
89 * (the relax control is set) and the user has
90 * "manage" privileges, allow to add MEMBER_OF values to
91 * generic entries; the change is NOT automatically reflected
92 * in the MEMBER attribute of the GROUP referenced
93 * by the value of MEMBER_OF; a separate modification,
94 * with or without relax control, needs to be performed.
97 * - if the entry being renamed is a GROUP, the MEMBER_OF
98 * value of the (existing) MEMBER objects is modified
99 * accordingly based on the newDN of the GROUP.
101 * We need to determine, from the database, if it is
102 * a GROUP; the list of MEMBER objects is obtained from
105 * Non-existing MEMBER objects are ignored, since the
106 * MEMBER_AT is not being addressed by the operation.
108 * - if the entry being renamed has the MEMBER_OF attribute,
109 * the corresponding MEMBER value must be modified in the
110 * respective group entries.
114 * - if the entry being deleted is a GROUP, the (existing)
115 * MEMBER objects are modified accordingly; a copy of the
116 * values of the MEMBER_AT is saved and, if the delete
117 * succeeds, the MEMBER_OF value of the (existing) MEMBER
118 * objects is deleted.
120 * We need to determine, from the database, if it is
123 * Non-existing MEMBER objects are ignored, since the entry
126 * - if the entry being deleted has the MEMBER_OF attribute,
127 * the corresponding value of the MEMBER_AT must be deleted
128 * from the respective GROUP entries.
131 #define SLAPD_MEMBEROF_ATTR "memberOf"
133 static slap_overinst memberof;
135 typedef struct memberof_t {
137 struct berval mo_ndn;
139 ObjectClass *mo_oc_group;
140 AttributeDescription *mo_ad_member;
141 AttributeDescription *mo_ad_memberof;
143 struct berval mo_groupFilterstr;
144 AttributeAssertion mo_groupAVA;
145 Filter mo_groupFilter;
147 struct berval mo_memberFilterstr;
148 Filter mo_memberFilter;
151 #define MEMBEROF_NONE 0x00U
152 #define MEMBEROF_FDANGLING_DROP 0x01U
153 #define MEMBEROF_FDANGLING_ERROR 0x02U
154 #define MEMBEROF_FDANGLING_MASK (MEMBEROF_FDANGLING_DROP|MEMBEROF_FDANGLING_ERROR)
155 #define MEMBEROF_FREFINT 0x04U
156 #define MEMBEROF_FREVERSE 0x08U
158 ber_int_t mo_dangling_err;
160 #define MEMBEROF_CHK(mo,f) \
161 (((mo)->mo_flags & (f)) == (f))
162 #define MEMBEROF_DANGLING_CHECK(mo) \
163 ((mo)->mo_flags & MEMBEROF_FDANGLING_MASK)
164 #define MEMBEROF_DANGLING_DROP(mo) \
165 MEMBEROF_CHK((mo),MEMBEROF_FDANGLING_DROP)
166 #define MEMBEROF_DANGLING_ERROR(mo) \
167 MEMBEROF_CHK((mo),MEMBEROF_FDANGLING_ERROR)
168 #define MEMBEROF_REFINT(mo) \
169 MEMBEROF_CHK((mo),MEMBEROF_FREFINT)
170 #define MEMBEROF_REVERSE(mo) \
171 MEMBEROF_CHK((mo),MEMBEROF_FREVERSE)
174 typedef enum memberof_is_t {
175 MEMBEROF_IS_NONE = 0x00,
176 MEMBEROF_IS_GROUP = 0x01,
177 MEMBEROF_IS_MEMBER = 0x02,
178 MEMBEROF_IS_BOTH = (MEMBEROF_IS_GROUP|MEMBEROF_IS_MEMBER)
181 typedef struct memberof_cookie_t {
182 AttributeDescription *ad;
187 typedef struct memberof_cbinfo_t {
195 memberof_isGroupOrMember_cb( Operation *op, SlapReply *rs )
197 if ( rs->sr_type == REP_SEARCH ) {
198 memberof_cookie_t *mc;
200 mc = (memberof_cookie_t *)op->o_callback->sc_private;
208 * callback for internal search that saves the member attribute values
209 * of groups being deleted.
212 memberof_saveMember_cb( Operation *op, SlapReply *rs )
214 if ( rs->sr_type == REP_SEARCH ) {
215 memberof_cookie_t *mc;
218 mc = (memberof_cookie_t *)op->o_callback->sc_private;
221 assert( rs->sr_entry != NULL );
222 assert( rs->sr_entry->e_attrs != NULL );
224 a = attr_find( rs->sr_entry->e_attrs, mc->ad );
226 ber_bvarray_dup_x( &mc->vals, a->a_nvals, op->o_tmpmemctx );
228 assert( attr_find( a->a_next, mc->ad ) == NULL );
236 * the delete hook performs an internal search that saves the member
237 * attribute values of groups being deleted.
240 memberof_isGroupOrMember( Operation *op, memberof_cbinfo_t *mci )
242 slap_overinst *on = mci->on;
243 memberof_t *mo = (memberof_t *)on->on_bi.bi_private;
246 slap_callback cb = { 0 };
247 BackendInfo *bi = op->o_bd->bd_info;
248 AttributeName an[ 2 ];
250 memberof_is_t iswhat = MEMBEROF_IS_NONE;
251 memberof_cookie_t mc;
253 assert( mci->what != MEMBEROF_IS_NONE );
256 if ( op->o_tag == LDAP_REQ_DELETE ) {
257 cb.sc_response = memberof_saveMember_cb;
260 cb.sc_response = memberof_isGroupOrMember_cb;
263 op2.o_tag = LDAP_REQ_SEARCH;
264 op2.o_callback = &cb;
265 op2.o_dn = op->o_bd->be_rootdn;
266 op2.o_ndn = op->o_bd->be_rootndn;
268 op2.ors_scope = LDAP_SCOPE_BASE;
269 op2.ors_deref = LDAP_DEREF_NEVER;
270 BER_BVZERO( &an[ 1 ].an_name );
272 op2.ors_attrsonly = 0;
273 op2.ors_limit = NULL;
275 op2.ors_tlimit = SLAP_NO_LIMIT;
277 if ( mci->what & MEMBEROF_IS_GROUP ) {
278 SlapReply rs2 = { REP_RESULT };
280 mc.ad = mo->mo_ad_member;
283 an[ 0 ].an_desc = mo->mo_ad_member;
284 an[ 0 ].an_name = an[ 0 ].an_desc->ad_cname;
285 op2.ors_filterstr = mo->mo_groupFilterstr;
286 op2.ors_filter = &mo->mo_groupFilter;
288 op2.o_bd->bd_info = (BackendInfo *)on->on_info;
289 (void)op->o_bd->be_search( &op2, &rs2 );
290 op2.o_bd->bd_info = bi;
293 iswhat |= MEMBEROF_IS_GROUP;
294 if ( mc.vals ) mci->member = mc.vals;
299 if ( mci->what & MEMBEROF_IS_MEMBER ) {
300 SlapReply rs2 = { REP_RESULT };
302 mc.ad = mo->mo_ad_memberof;
305 an[ 0 ].an_desc = mo->mo_ad_memberof;
306 an[ 0 ].an_name = an[ 0 ].an_desc->ad_cname;
307 op2.ors_filterstr = mo->mo_memberFilterstr;
308 op2.ors_filter = &mo->mo_memberFilter;
310 op2.o_bd->bd_info = (BackendInfo *)on->on_info;
311 (void)op->o_bd->be_search( &op2, &rs2 );
312 op2.o_bd->bd_info = bi;
315 iswhat |= MEMBEROF_IS_MEMBER;
316 if ( mc.vals ) mci->memberof = mc.vals;
327 * response callback that adds memberof values when a group is modified.
330 memberof_value_modify(
333 AttributeDescription *ad,
334 struct berval *old_dn,
335 struct berval *old_ndn,
336 struct berval *new_dn,
337 struct berval *new_ndn )
339 memberof_cbinfo_t *mci = op->o_callback->sc_private;
340 slap_overinst *on = mci->on;
341 memberof_t *mo = (memberof_t *)on->on_bi.bi_private;
344 SlapReply rs2 = { REP_RESULT };
345 slap_callback cb = { NULL, slap_null_cb, NULL, NULL };
346 Modifications mod[ 2 ] = { { { 0 } } }, *ml;
347 struct berval values[ 4 ], nvalues[ 4 ];
350 op2.o_tag = LDAP_REQ_MODIFY;
353 op2.o_req_ndn = *ndn;
355 op2.o_callback = &cb;
356 op2.o_dn = op->o_bd->be_rootdn;
357 op2.o_ndn = op->o_bd->be_rootndn;
358 op2.orm_modlist = NULL;
360 if ( !BER_BVISNULL( &mo->mo_ndn ) ) {
363 ml->sml_values = &values[ 0 ];
364 ml->sml_values[ 0 ] = mo->mo_dn;
365 BER_BVZERO( &ml->sml_values[ 1 ] );
366 ml->sml_nvalues = &nvalues[ 0 ];
367 ml->sml_nvalues[ 0 ] = mo->mo_ndn;
368 BER_BVZERO( &ml->sml_nvalues[ 1 ] );
369 ml->sml_desc = slap_schema.si_ad_modifiersName;
370 ml->sml_type = ml->sml_desc->ad_cname;
371 ml->sml_op = LDAP_MOD_REPLACE;
372 ml->sml_flags = SLAP_MOD_INTERNAL;
373 ml->sml_next = op2.orm_modlist;
374 op2.orm_modlist = ml;
381 ml->sml_values = &values[ 2 ];
382 BER_BVZERO( &ml->sml_values[ 1 ] );
383 ml->sml_nvalues = &nvalues[ 2 ];
384 BER_BVZERO( &ml->sml_nvalues[ 1 ] );
386 ml->sml_type = ml->sml_desc->ad_cname;
387 ml->sml_flags = SLAP_MOD_INTERNAL;
388 ml->sml_next = op2.orm_modlist;
389 op2.orm_modlist = ml;
390 op2.orm_no_opattrs = 0;
392 if ( new_ndn != NULL ) {
393 BackendInfo *bi = op2.o_bd->bd_info;
395 assert( !BER_BVISNULL( new_dn ) );
396 assert( !BER_BVISNULL( new_ndn ) );
399 ml->sml_op = LDAP_MOD_ADD;
401 ml->sml_values[ 0 ] = *new_dn;
402 ml->sml_nvalues[ 0 ] = *new_ndn;
404 op2.o_bd->bd_info = (BackendInfo *)on->on_info;
405 (void)op->o_bd->be_modify( &op2, &rs2 );
406 op2.o_bd->bd_info = bi;
407 if ( rs2.sr_err != LDAP_SUCCESS ) {
408 char buf[ SLAP_TEXT_BUFLEN ];
409 snprintf( buf, sizeof( buf ),
410 "memberof_value_modify DN=\"%s\" add %s=\"%s\" failed err=%d",
411 op2.o_req_dn.bv_val, ad->ad_cname.bv_val, new_dn->bv_val, rs2.sr_err );
412 Debug( LDAP_DEBUG_ANY, "%s: %s\n",
413 op->o_log_prefix, buf, 0 );
416 assert( op2.orm_modlist == &mod[ mcnt ] );
417 assert( mcnt == 0 || op2.orm_modlist->sml_next == &mod[ 0 ] );
418 ml = op2.orm_modlist->sml_next;
420 assert( ml == &mod[ 0 ] );
424 slap_mods_free( ml, 1 );
427 mod[ 0 ].sml_next = NULL;
430 if ( old_ndn != NULL ) {
431 BackendInfo *bi = op2.o_bd->bd_info;
433 assert( !BER_BVISNULL( old_dn ) );
434 assert( !BER_BVISNULL( old_ndn ) );
437 ml->sml_op = LDAP_MOD_DELETE;
439 ml->sml_values[ 0 ] = *old_dn;
440 ml->sml_nvalues[ 0 ] = *old_ndn;
442 op2.o_bd->bd_info = (BackendInfo *)on->on_info;
443 (void)op->o_bd->be_modify( &op2, &rs2 );
444 op2.o_bd->bd_info = bi;
445 if ( rs2.sr_err != LDAP_SUCCESS ) {
446 char buf[ SLAP_TEXT_BUFLEN ];
447 snprintf( buf, sizeof( buf ),
448 "memberof_value_modify DN=\"%s\" delete %s=\"%s\" failed err=%d",
449 op2.o_req_dn.bv_val, ad->ad_cname.bv_val, old_dn->bv_val, rs2.sr_err );
450 Debug( LDAP_DEBUG_ANY, "%s: %s\n",
451 op->o_log_prefix, buf, 0 );
454 assert( op2.orm_modlist == &mod[ mcnt ] );
455 ml = op2.orm_modlist->sml_next;
457 assert( ml == &mod[ 0 ] );
461 slap_mods_free( ml, 1 );
465 /* FIXME: if old_group_ndn doesn't exist, both delete __and__
466 * add will fail; better split in two operations, although
467 * not optimal in terms of performance. At least it would
468 * move towards self-repairing capabilities. */
472 memberof_cleanup( Operation *op, SlapReply *rs )
474 slap_callback *sc = op->o_callback;
475 memberof_cbinfo_t *mci = sc->sc_private;
477 op->o_callback = sc->sc_next;
479 ber_bvarray_free_x( mci->memberof, op->o_tmpmemctx );
481 ber_bvarray_free_x( mci->member, op->o_tmpmemctx );
482 op->o_tmpfree( sc, op->o_tmpmemctx );
486 static int memberof_res_add( Operation *op, SlapReply *rs );
487 static int memberof_res_delete( Operation *op, SlapReply *rs );
488 static int memberof_res_modify( Operation *op, SlapReply *rs );
489 static int memberof_res_modrdn( Operation *op, SlapReply *rs );
492 memberof_op_add( Operation *op, SlapReply *rs )
494 slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
495 memberof_t *mo = (memberof_t *)on->on_bi.bi_private;
497 Attribute **ap, **map = NULL;
498 int rc = SLAP_CB_CONTINUE;
500 struct berval save_dn, save_ndn;
502 memberof_cbinfo_t *mci;
504 if ( op->ora_e->e_attrs == NULL ) {
505 /* FIXME: global overlay; need to deal with */
506 Debug( LDAP_DEBUG_ANY, "%s: memberof_op_add(\"%s\"): "
507 "consistency checks not implemented when overlay "
508 "is instantiated as global.\n",
509 op->o_log_prefix, op->o_req_dn.bv_val, 0 );
510 return SLAP_CB_CONTINUE;
513 if ( MEMBEROF_REVERSE( mo ) ) {
514 for ( ap = &op->ora_e->e_attrs; *ap; ap = &(*ap)->a_next ) {
517 if ( a->a_desc == mo->mo_ad_memberof ) {
525 save_ndn = op->o_ndn;
527 if ( MEMBEROF_DANGLING_CHECK( mo )
529 && is_entry_objectclass_or_sub( op->ora_e, mo->mo_oc_group ) )
531 op->o_dn = op->o_bd->be_rootdn;
532 op->o_ndn = op->o_bd->be_rootndn;
533 op->o_bd->bd_info = (BackendInfo *)on->on_info;
535 for ( ap = &op->ora_e->e_attrs; *ap; ) {
538 if ( !is_ad_subtype( a->a_desc, mo->mo_ad_member ) ) {
543 assert( a->a_nvals != NULL );
545 for ( i = 0; !BER_BVISNULL( &a->a_nvals[ i ] ); i++ ) {
548 /* ITS#6670 Ignore member pointing to this entry */
549 if ( dn_match( &a->a_nvals[i], &save_ndn ))
552 rc = be_entry_get_rw( op, &a->a_nvals[ i ],
554 if ( rc == LDAP_SUCCESS ) {
555 be_entry_release_r( op, e );
559 if ( MEMBEROF_DANGLING_ERROR( mo ) ) {
560 rc = rs->sr_err = mo->mo_dangling_err;
561 rs->sr_text = "adding non-existing object "
563 send_ldap_result( op, rs );
567 if ( MEMBEROF_DANGLING_DROP( mo ) ) {
570 Debug( LDAP_DEBUG_ANY, "%s: memberof_op_add(\"%s\"): "
571 "member=\"%s\" does not exist (stripping...)\n",
572 op->o_log_prefix, op->ora_e->e_name.bv_val,
573 a->a_vals[ i ].bv_val );
575 for ( j = i + 1; !BER_BVISNULL( &a->a_nvals[ j ] ); j++ );
576 ber_memfree( a->a_vals[ i ].bv_val );
577 BER_BVZERO( &a->a_vals[ i ] );
578 if ( a->a_nvals != a->a_vals ) {
579 ber_memfree( a->a_nvals[ i ].bv_val );
580 BER_BVZERO( &a->a_nvals[ i ] );
586 AC_MEMCPY( &a->a_vals[ i ], &a->a_vals[ i + 1 ],
587 sizeof( struct berval ) * ( j - i ) );
588 if ( a->a_nvals != a->a_vals ) {
589 AC_MEMCPY( &a->a_nvals[ i ], &a->a_nvals[ i + 1 ],
590 sizeof( struct berval ) * ( j - i ) );
597 /* If all values have been removed,
598 * remove the attribute itself. */
599 if ( BER_BVISNULL( &a->a_nvals[ 0 ] ) ) {
608 op->o_ndn = save_ndn;
609 op->o_bd->bd_info = (BackendInfo *)on;
614 AccessControlState acl_state = ACL_STATE_INIT;
616 for ( i = 0; !BER_BVISNULL( &a->a_nvals[ i ] ); i++ ) {
619 op->o_bd->bd_info = (BackendInfo *)on->on_info;
620 /* access is checked with the original identity */
621 rc = access_allowed( op, op->ora_e, mo->mo_ad_memberof,
622 &a->a_nvals[ i ], ACL_WADD,
625 rc = rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
627 send_ldap_result( op, rs );
630 /* ITS#6670 Ignore member pointing to this entry */
631 if ( dn_match( &a->a_nvals[i], &save_ndn ))
634 rc = be_entry_get_rw( op, &a->a_nvals[ i ],
636 op->o_bd->bd_info = (BackendInfo *)on;
637 if ( rc != LDAP_SUCCESS ) {
638 if ( get_relax( op ) ) {
642 if ( MEMBEROF_DANGLING_ERROR( mo ) ) {
643 rc = rs->sr_err = mo->mo_dangling_err;
644 rs->sr_text = "adding non-existing object "
646 send_ldap_result( op, rs );
650 if ( MEMBEROF_DANGLING_DROP( mo ) ) {
653 Debug( LDAP_DEBUG_ANY, "%s: memberof_op_add(\"%s\"): "
654 "memberof=\"%s\" does not exist (stripping...)\n",
655 op->o_log_prefix, op->ora_e->e_name.bv_val,
656 a->a_nvals[ i ].bv_val );
658 for ( j = i + 1; !BER_BVISNULL( &a->a_nvals[ j ] ); j++ );
659 ber_memfree( a->a_vals[ i ].bv_val );
660 BER_BVZERO( &a->a_vals[ i ] );
661 if ( a->a_nvals != a->a_vals ) {
662 ber_memfree( a->a_nvals[ i ].bv_val );
663 BER_BVZERO( &a->a_nvals[ i ] );
669 AC_MEMCPY( &a->a_vals[ i ], &a->a_vals[ i + 1 ],
670 sizeof( struct berval ) * ( j - i ) );
671 if ( a->a_nvals != a->a_vals ) {
672 AC_MEMCPY( &a->a_nvals[ i ], &a->a_nvals[ i + 1 ],
673 sizeof( struct berval ) * ( j - i ) );
681 /* access is checked with the original identity */
682 op->o_bd->bd_info = (BackendInfo *)on->on_info;
683 rc = access_allowed( op, e, mo->mo_ad_member,
684 &op->o_req_ndn, ACL_WADD, NULL );
685 be_entry_release_r( op, e );
686 op->o_bd->bd_info = (BackendInfo *)on;
689 rc = rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
690 rs->sr_text = "insufficient access to object referenced by memberof";
691 send_ldap_result( op, rs );
696 if ( BER_BVISNULL( &a->a_nvals[ 0 ] ) ) {
702 rc = SLAP_CB_CONTINUE;
704 sc = op->o_tmpalloc( sizeof(slap_callback)+sizeof(*mci), op->o_tmpmemctx );
705 sc->sc_private = sc+1;
706 sc->sc_response = memberof_res_add;
707 sc->sc_cleanup = memberof_cleanup;
708 mci = sc->sc_private;
711 mci->memberof = NULL;
712 sc->sc_next = op->o_callback;
717 op->o_ndn = save_ndn;
718 op->o_bd->bd_info = (BackendInfo *)on;
724 memberof_op_delete( Operation *op, SlapReply *rs )
726 slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
727 memberof_t *mo = (memberof_t *)on->on_bi.bi_private;
730 memberof_cbinfo_t *mci;
733 sc = op->o_tmpalloc( sizeof(slap_callback)+sizeof(*mci), op->o_tmpmemctx );
734 sc->sc_private = sc+1;
735 sc->sc_response = memberof_res_delete;
736 sc->sc_cleanup = memberof_cleanup;
737 mci = sc->sc_private;
740 mci->memberof = NULL;
741 mci->what = MEMBEROF_IS_GROUP;
742 if ( MEMBEROF_REFINT( mo ) ) {
743 mci->what = MEMBEROF_IS_BOTH;
746 memberof_isGroupOrMember( op, mci );
748 sc->sc_next = op->o_callback;
751 return SLAP_CB_CONTINUE;
755 memberof_op_modify( Operation *op, SlapReply *rs )
757 slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
758 memberof_t *mo = (memberof_t *)on->on_bi.bi_private;
760 Modifications **mlp, **mmlp = NULL;
761 int rc = SLAP_CB_CONTINUE, save_member = 0;
762 struct berval save_dn, save_ndn;
764 memberof_cbinfo_t *mci, mcis;
766 if ( MEMBEROF_REVERSE( mo ) ) {
767 for ( mlp = &op->orm_modlist; *mlp; mlp = &(*mlp)->sml_next ) {
768 Modifications *ml = *mlp;
770 if ( ml->sml_desc == mo->mo_ad_memberof ) {
778 save_ndn = op->o_ndn;
780 mcis.what = MEMBEROF_IS_GROUP;
782 if ( memberof_isGroupOrMember( op, &mcis ) == LDAP_SUCCESS
783 && ( mcis.what & MEMBEROF_IS_GROUP ) )
787 for ( ml = op->orm_modlist; ml; ml = ml->sml_next ) {
788 if ( ml->sml_desc == mo->mo_ad_member ) {
789 switch ( ml->sml_op ) {
790 case LDAP_MOD_DELETE:
791 case LDAP_MOD_REPLACE:
799 if ( MEMBEROF_DANGLING_CHECK( mo )
800 && !get_relax( op ) )
802 op->o_dn = op->o_bd->be_rootdn;
803 op->o_ndn = op->o_bd->be_rootndn;
804 op->o_bd->bd_info = (BackendInfo *)on->on_info;
806 assert( op->orm_modlist != NULL );
808 for ( mlp = &op->orm_modlist; *mlp; ) {
809 Modifications *ml = *mlp;
812 if ( !is_ad_subtype( ml->sml_desc, mo->mo_ad_member ) ) {
817 switch ( ml->sml_op ) {
818 case LDAP_MOD_DELETE:
819 /* we don't care about cancellations: if the value
820 * exists, fine; if it doesn't, we let the underlying
821 * database fail as appropriate; */
825 case LDAP_MOD_REPLACE:
826 /* Handle this just like a delete (see above) */
827 if ( !ml->sml_values ) {
833 /* NOTE: right now, the attributeType we use
834 * for member must have a normalized value */
835 assert( ml->sml_nvalues != NULL );
837 for ( i = 0; !BER_BVISNULL( &ml->sml_nvalues[ i ] ); i++ ) {
841 /* ITS#6670 Ignore member pointing to this entry */
842 if ( dn_match( &ml->sml_nvalues[i], &save_ndn ))
845 if ( be_entry_get_rw( op, &ml->sml_nvalues[ i ],
846 NULL, NULL, 0, &e ) == LDAP_SUCCESS )
848 be_entry_release_r( op, e );
852 if ( MEMBEROF_DANGLING_ERROR( mo ) ) {
853 rc = rs->sr_err = mo->mo_dangling_err;
854 rs->sr_text = "adding non-existing object "
856 send_ldap_result( op, rs );
860 if ( MEMBEROF_DANGLING_DROP( mo ) ) {
863 Debug( LDAP_DEBUG_ANY, "%s: memberof_op_modify(\"%s\"): "
864 "member=\"%s\" does not exist (stripping...)\n",
865 op->o_log_prefix, op->o_req_dn.bv_val,
866 ml->sml_nvalues[ i ].bv_val );
868 for ( j = i + 1; !BER_BVISNULL( &ml->sml_nvalues[ j ] ); j++ );
869 ber_memfree( ml->sml_values[ i ].bv_val );
870 BER_BVZERO( &ml->sml_values[ i ] );
871 ber_memfree( ml->sml_nvalues[ i ].bv_val );
872 BER_BVZERO( &ml->sml_nvalues[ i ] );
878 AC_MEMCPY( &ml->sml_values[ i ], &ml->sml_values[ i + 1 ],
879 sizeof( struct berval ) * ( j - i ) );
880 AC_MEMCPY( &ml->sml_nvalues[ i ], &ml->sml_nvalues[ i + 1 ],
881 sizeof( struct berval ) * ( j - i ) );
886 if ( BER_BVISNULL( &ml->sml_nvalues[ 0 ] ) ) {
888 slap_mod_free( &ml->sml_mod, 0 );
904 if ( mmlp != NULL ) {
905 Modifications *ml = *mmlp;
909 op->o_bd->bd_info = (BackendInfo *)on->on_info;
910 rc = be_entry_get_rw( op, &op->o_req_ndn,
911 NULL, NULL, 0, &target );
912 op->o_bd->bd_info = (BackendInfo *)on;
913 if ( rc != LDAP_SUCCESS ) {
914 rc = rs->sr_err = LDAP_NO_SUCH_OBJECT;
915 send_ldap_result( op, rs );
919 switch ( ml->sml_op ) {
920 case LDAP_MOD_DELETE:
921 if ( ml->sml_nvalues != NULL ) {
922 AccessControlState acl_state = ACL_STATE_INIT;
924 for ( i = 0; !BER_BVISNULL( &ml->sml_nvalues[ i ] ); i++ ) {
927 op->o_bd->bd_info = (BackendInfo *)on->on_info;
928 /* access is checked with the original identity */
929 rc = access_allowed( op, target,
931 &ml->sml_nvalues[ i ],
935 rc = rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
937 send_ldap_result( op, rs );
941 rc = be_entry_get_rw( op, &ml->sml_nvalues[ i ],
943 op->o_bd->bd_info = (BackendInfo *)on;
944 if ( rc != LDAP_SUCCESS ) {
945 if ( get_relax( op ) ) {
949 if ( MEMBEROF_DANGLING_ERROR( mo ) ) {
950 rc = rs->sr_err = mo->mo_dangling_err;
951 rs->sr_text = "deleting non-existing object "
953 send_ldap_result( op, rs );
957 if ( MEMBEROF_DANGLING_DROP( mo ) ) {
960 Debug( LDAP_DEBUG_ANY, "%s: memberof_op_modify(\"%s\"): "
961 "memberof=\"%s\" does not exist (stripping...)\n",
962 op->o_log_prefix, op->o_req_ndn.bv_val,
963 ml->sml_nvalues[ i ].bv_val );
965 for ( j = i + 1; !BER_BVISNULL( &ml->sml_nvalues[ j ] ); j++ );
966 ber_memfree( ml->sml_values[ i ].bv_val );
967 BER_BVZERO( &ml->sml_values[ i ] );
968 if ( ml->sml_nvalues != ml->sml_values ) {
969 ber_memfree( ml->sml_nvalues[ i ].bv_val );
970 BER_BVZERO( &ml->sml_nvalues[ i ] );
977 AC_MEMCPY( &ml->sml_values[ i ], &ml->sml_values[ i + 1 ],
978 sizeof( struct berval ) * ( j - i ) );
979 if ( ml->sml_nvalues != ml->sml_values ) {
980 AC_MEMCPY( &ml->sml_nvalues[ i ], &ml->sml_nvalues[ i + 1 ],
981 sizeof( struct berval ) * ( j - i ) );
989 /* access is checked with the original identity */
990 op->o_bd->bd_info = (BackendInfo *)on->on_info;
991 rc = access_allowed( op, e, mo->mo_ad_member,
994 be_entry_release_r( op, e );
995 op->o_bd->bd_info = (BackendInfo *)on;
998 rc = rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
999 rs->sr_text = "insufficient access to object referenced by memberof";
1000 send_ldap_result( op, rs );
1005 if ( BER_BVISNULL( &ml->sml_nvalues[ 0 ] ) ) {
1006 *mmlp = ml->sml_next;
1007 slap_mod_free( &ml->sml_mod, 0 );
1015 case LDAP_MOD_REPLACE:
1017 op->o_bd->bd_info = (BackendInfo *)on->on_info;
1018 /* access is checked with the original identity */
1019 rc = access_allowed( op, target,
1023 op->o_bd->bd_info = (BackendInfo *)on;
1025 rc = rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
1027 send_ldap_result( op, rs );
1031 if ( ml->sml_op == LDAP_MOD_DELETE || !ml->sml_values ) {
1036 case LDAP_MOD_ADD: {
1037 AccessControlState acl_state = ACL_STATE_INIT;
1039 for ( i = 0; !BER_BVISNULL( &ml->sml_nvalues[ i ] ); i++ ) {
1042 op->o_bd->bd_info = (BackendInfo *)on->on_info;
1043 /* access is checked with the original identity */
1044 rc = access_allowed( op, target,
1046 &ml->sml_nvalues[ i ],
1050 rc = rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
1052 send_ldap_result( op, rs );
1056 /* ITS#6670 Ignore member pointing to this entry */
1057 if ( dn_match( &ml->sml_nvalues[i], &save_ndn ))
1060 rc = be_entry_get_rw( op, &ml->sml_nvalues[ i ],
1061 NULL, NULL, 0, &e );
1062 op->o_bd->bd_info = (BackendInfo *)on;
1063 if ( rc != LDAP_SUCCESS ) {
1064 if ( MEMBEROF_DANGLING_ERROR( mo ) ) {
1065 rc = rs->sr_err = mo->mo_dangling_err;
1066 rs->sr_text = "adding non-existing object "
1068 send_ldap_result( op, rs );
1072 if ( MEMBEROF_DANGLING_DROP( mo ) ) {
1075 Debug( LDAP_DEBUG_ANY, "%s: memberof_op_modify(\"%s\"): "
1076 "memberof=\"%s\" does not exist (stripping...)\n",
1077 op->o_log_prefix, op->o_req_ndn.bv_val,
1078 ml->sml_nvalues[ i ].bv_val );
1080 for ( j = i + 1; !BER_BVISNULL( &ml->sml_nvalues[ j ] ); j++ );
1081 ber_memfree( ml->sml_values[ i ].bv_val );
1082 BER_BVZERO( &ml->sml_values[ i ] );
1083 if ( ml->sml_nvalues != ml->sml_values ) {
1084 ber_memfree( ml->sml_nvalues[ i ].bv_val );
1085 BER_BVZERO( &ml->sml_nvalues[ i ] );
1092 AC_MEMCPY( &ml->sml_values[ i ], &ml->sml_values[ i + 1 ],
1093 sizeof( struct berval ) * ( j - i ) );
1094 if ( ml->sml_nvalues != ml->sml_values ) {
1095 AC_MEMCPY( &ml->sml_nvalues[ i ], &ml->sml_nvalues[ i + 1 ],
1096 sizeof( struct berval ) * ( j - i ) );
1104 /* access is checked with the original identity */
1105 op->o_bd->bd_info = (BackendInfo *)on->on_info;
1106 rc = access_allowed( op, e, mo->mo_ad_member,
1109 be_entry_release_r( op, e );
1110 op->o_bd->bd_info = (BackendInfo *)on;
1113 rc = rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
1114 rs->sr_text = "insufficient access to object referenced by memberof";
1115 send_ldap_result( op, rs );
1120 if ( BER_BVISNULL( &ml->sml_nvalues[ 0 ] ) ) {
1121 *mmlp = ml->sml_next;
1122 slap_mod_free( &ml->sml_mod, 0 );
1133 op->o_bd->bd_info = (BackendInfo *)on->on_info;
1134 be_entry_release_r( op, target );
1135 op->o_bd->bd_info = (BackendInfo *)on;
1138 sc = op->o_tmpalloc( sizeof(slap_callback)+sizeof(*mci), op->o_tmpmemctx );
1139 sc->sc_private = sc+1;
1140 sc->sc_response = memberof_res_modify;
1141 sc->sc_cleanup = memberof_cleanup;
1142 mci = sc->sc_private;
1145 mci->memberof = NULL;
1146 mci->what = mcis.what;
1148 if ( save_member ) {
1149 op->o_dn = op->o_bd->be_rootdn;
1150 op->o_ndn = op->o_bd->be_rootndn;
1151 op->o_bd->bd_info = (BackendInfo *)on->on_info;
1152 rc = backend_attribute( op, NULL, &op->o_req_ndn,
1153 mo->mo_ad_member, &mci->member, ACL_READ );
1154 op->o_bd->bd_info = (BackendInfo *)on;
1157 sc->sc_next = op->o_callback;
1158 op->o_callback = sc;
1160 rc = SLAP_CB_CONTINUE;
1164 op->o_ndn = save_ndn;
1165 op->o_bd->bd_info = (BackendInfo *)on;
1171 memberof_op_modrdn( Operation *op, SlapReply *rs )
1173 slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
1175 memberof_cbinfo_t *mci;
1177 sc = op->o_tmpalloc( sizeof(slap_callback)+sizeof(*mci), op->o_tmpmemctx );
1178 sc->sc_private = sc+1;
1179 sc->sc_response = memberof_res_modrdn;
1180 sc->sc_cleanup = memberof_cleanup;
1181 mci = sc->sc_private;
1184 mci->memberof = NULL;
1186 sc->sc_next = op->o_callback;
1187 op->o_callback = sc;
1189 return SLAP_CB_CONTINUE;
1193 * response callback that adds memberof values when a group is added.
1196 memberof_res_add( Operation *op, SlapReply *rs )
1198 memberof_cbinfo_t *mci = op->o_callback->sc_private;
1199 slap_overinst *on = mci->on;
1200 memberof_t *mo = (memberof_t *)on->on_bi.bi_private;
1204 if ( rs->sr_err != LDAP_SUCCESS ) {
1205 return SLAP_CB_CONTINUE;
1208 if ( MEMBEROF_REVERSE( mo ) ) {
1211 ma = attr_find( op->ora_e->e_attrs, mo->mo_ad_memberof );
1213 /* relax is required to allow to add
1214 * a non-existing member */
1215 op->o_relax = SLAP_CONTROL_CRITICAL;
1217 for ( i = 0; !BER_BVISNULL( &ma->a_nvals[ i ] ); i++ ) {
1219 /* ITS#6670 Ignore member pointing to this entry */
1220 if ( dn_match( &ma->a_nvals[i], &op->o_req_ndn ))
1223 /* the modification is attempted
1224 * with the original identity */
1225 memberof_value_modify( op,
1226 &ma->a_nvals[ i ], mo->mo_ad_member,
1227 NULL, NULL, &op->o_req_dn, &op->o_req_ndn );
1232 if ( is_entry_objectclass_or_sub( op->ora_e, mo->mo_oc_group ) ) {
1235 for ( a = attrs_find( op->ora_e->e_attrs, mo->mo_ad_member );
1237 a = attrs_find( a->a_next, mo->mo_ad_member ) )
1239 for ( i = 0; !BER_BVISNULL( &a->a_nvals[ i ] ); i++ ) {
1240 /* ITS#6670 Ignore member pointing to this entry */
1241 if ( dn_match( &a->a_nvals[i], &op->o_req_ndn ))
1244 memberof_value_modify( op,
1254 return SLAP_CB_CONTINUE;
1258 * response callback that deletes memberof values when a group is deleted.
1261 memberof_res_delete( Operation *op, SlapReply *rs )
1263 memberof_cbinfo_t *mci = op->o_callback->sc_private;
1264 slap_overinst *on = mci->on;
1265 memberof_t *mo = (memberof_t *)on->on_bi.bi_private;
1270 if ( rs->sr_err != LDAP_SUCCESS ) {
1271 return SLAP_CB_CONTINUE;
1275 if ( vals != NULL ) {
1276 for ( i = 0; !BER_BVISNULL( &vals[ i ] ); i++ ) {
1277 memberof_value_modify( op,
1278 &vals[ i ], mo->mo_ad_memberof,
1279 &op->o_req_dn, &op->o_req_ndn,
1284 if ( MEMBEROF_REFINT( mo ) ) {
1285 vals = mci->memberof;
1286 if ( vals != NULL ) {
1287 for ( i = 0; !BER_BVISNULL( &vals[ i ] ); i++ ) {
1288 memberof_value_modify( op,
1289 &vals[ i ], mo->mo_ad_member,
1290 &op->o_req_dn, &op->o_req_ndn,
1296 return SLAP_CB_CONTINUE;
1300 * response callback that adds/deletes memberof values when a group
1304 memberof_res_modify( Operation *op, SlapReply *rs )
1306 memberof_cbinfo_t *mci = op->o_callback->sc_private;
1307 slap_overinst *on = mci->on;
1308 memberof_t *mo = (memberof_t *)on->on_bi.bi_private;
1311 Modifications *ml, *mml = NULL;
1314 if ( rs->sr_err != LDAP_SUCCESS ) {
1315 return SLAP_CB_CONTINUE;
1318 if ( MEMBEROF_REVERSE( mo ) ) {
1319 for ( ml = op->orm_modlist; ml; ml = ml->sml_next ) {
1320 if ( ml->sml_desc == mo->mo_ad_memberof ) {
1327 if ( mml != NULL ) {
1328 BerVarray vals = mml->sml_nvalues;
1330 switch ( mml->sml_op ) {
1331 case LDAP_MOD_DELETE:
1332 if ( vals != NULL ) {
1333 for ( i = 0; !BER_BVISNULL( &vals[ i ] ); i++ ) {
1334 memberof_value_modify( op,
1335 &vals[ i ], mo->mo_ad_member,
1336 &op->o_req_dn, &op->o_req_ndn,
1343 case LDAP_MOD_REPLACE:
1344 /* delete all ... */
1345 op->o_bd->bd_info = (BackendInfo *)on->on_info;
1346 rc = backend_attribute( op, NULL, &op->o_req_ndn,
1347 mo->mo_ad_memberof, &vals, ACL_READ );
1348 op->o_bd->bd_info = (BackendInfo *)on;
1349 if ( rc == LDAP_SUCCESS ) {
1350 for ( i = 0; !BER_BVISNULL( &vals[ i ] ); i++ ) {
1351 memberof_value_modify( op,
1352 &vals[ i ], mo->mo_ad_member,
1353 &op->o_req_dn, &op->o_req_ndn,
1356 ber_bvarray_free_x( vals, op->o_tmpmemctx );
1359 if ( ml->sml_op == LDAP_MOD_DELETE || !mml->sml_values ) {
1365 assert( vals != NULL );
1367 for ( i = 0; !BER_BVISNULL( &vals[ i ] ); i++ ) {
1368 memberof_value_modify( op,
1369 &vals[ i ], mo->mo_ad_member,
1371 &op->o_req_dn, &op->o_req_ndn );
1380 if ( mci->what & MEMBEROF_IS_GROUP )
1382 for ( ml = op->orm_modlist; ml; ml = ml->sml_next ) {
1383 if ( ml->sml_desc != mo->mo_ad_member ) {
1387 switch ( ml->sml_op ) {
1388 case LDAP_MOD_DELETE:
1389 vals = ml->sml_nvalues;
1390 if ( vals != NULL ) {
1391 for ( i = 0; !BER_BVISNULL( &vals[ i ] ); i++ ) {
1392 memberof_value_modify( op,
1393 &vals[ i ], mo->mo_ad_memberof,
1394 &op->o_req_dn, &op->o_req_ndn,
1401 case LDAP_MOD_REPLACE:
1404 /* delete all ... */
1405 if ( vals != NULL ) {
1406 for ( i = 0; !BER_BVISNULL( &vals[ i ] ); i++ ) {
1407 memberof_value_modify( op,
1408 &vals[ i ], mo->mo_ad_memberof,
1409 &op->o_req_dn, &op->o_req_ndn,
1414 if ( ml->sml_op == LDAP_MOD_DELETE || !ml->sml_values ) {
1420 assert( ml->sml_nvalues != NULL );
1421 vals = ml->sml_nvalues;
1422 for ( i = 0; !BER_BVISNULL( &vals[ i ] ); i++ ) {
1423 memberof_value_modify( op,
1424 &vals[ i ], mo->mo_ad_memberof,
1426 &op->o_req_dn, &op->o_req_ndn );
1436 return SLAP_CB_CONTINUE;
1440 * response callback that adds/deletes member values when a group member
1444 memberof_res_modrdn( Operation *op, SlapReply *rs )
1446 memberof_cbinfo_t *mci = op->o_callback->sc_private;
1447 slap_overinst *on = mci->on;
1448 memberof_t *mo = (memberof_t *)on->on_bi.bi_private;
1450 struct berval newPDN, newDN = BER_BVNULL, newPNDN, newNDN;
1454 struct berval save_dn, save_ndn;
1456 if ( rs->sr_err != LDAP_SUCCESS ) {
1457 return SLAP_CB_CONTINUE;
1460 mci->what = MEMBEROF_IS_GROUP;
1461 if ( MEMBEROF_REFINT( mo ) ) {
1462 mci->what |= MEMBEROF_IS_MEMBER;
1465 if ( op->orr_nnewSup ) {
1466 newPNDN = *op->orr_nnewSup;
1469 dnParent( &op->o_req_ndn, &newPNDN );
1472 build_new_dn( &newNDN, &newPNDN, &op->orr_nnewrdn, op->o_tmpmemctx );
1474 save_dn = op->o_req_dn;
1475 save_ndn = op->o_req_ndn;
1477 op->o_req_dn = newNDN;
1478 op->o_req_ndn = newNDN;
1479 rc = memberof_isGroupOrMember( op, mci );
1480 op->o_req_dn = save_dn;
1481 op->o_req_ndn = save_ndn;
1483 if ( rc != LDAP_SUCCESS || mci->what == MEMBEROF_IS_NONE ) {
1487 if ( op->orr_newSup ) {
1488 newPDN = *op->orr_newSup;
1491 dnParent( &op->o_req_dn, &newPDN );
1494 build_new_dn( &newDN, &newPDN, &op->orr_newrdn, op->o_tmpmemctx );
1496 if ( mci->what & MEMBEROF_IS_GROUP ) {
1497 op->o_bd->bd_info = (BackendInfo *)on->on_info;
1498 rc = backend_attribute( op, NULL, &newNDN,
1499 mo->mo_ad_member, &vals, ACL_READ );
1500 op->o_bd->bd_info = (BackendInfo *)on;
1502 if ( rc == LDAP_SUCCESS ) {
1503 for ( i = 0; !BER_BVISNULL( &vals[ i ] ); i++ ) {
1504 memberof_value_modify( op,
1505 &vals[ i ], mo->mo_ad_memberof,
1506 &op->o_req_dn, &op->o_req_ndn,
1509 ber_bvarray_free_x( vals, op->o_tmpmemctx );
1513 if ( MEMBEROF_REFINT( mo ) && ( mci->what & MEMBEROF_IS_MEMBER ) ) {
1514 op->o_bd->bd_info = (BackendInfo *)on->on_info;
1515 rc = backend_attribute( op, NULL, &newNDN,
1516 mo->mo_ad_memberof, &vals, ACL_READ );
1517 op->o_bd->bd_info = (BackendInfo *)on;
1519 if ( rc == LDAP_SUCCESS ) {
1520 for ( i = 0; !BER_BVISNULL( &vals[ i ] ); i++ ) {
1521 memberof_value_modify( op,
1522 &vals[ i ], mo->mo_ad_member,
1523 &op->o_req_dn, &op->o_req_ndn,
1526 ber_bvarray_free_x( vals, op->o_tmpmemctx );
1531 if ( !BER_BVISNULL( &newDN ) ) {
1532 op->o_tmpfree( newDN.bv_val, op->o_tmpmemctx );
1534 op->o_tmpfree( newNDN.bv_val, op->o_tmpmemctx );
1536 return SLAP_CB_CONTINUE;
1545 slap_overinst *on = (slap_overinst *)be->bd_info;
1548 mo = (memberof_t *)ch_calloc( 1, sizeof( memberof_t ) );
1551 mo->mo_dangling_err = LDAP_CONSTRAINT_VIOLATION;
1553 on->on_bi.bi_private = (void *)mo;
1574 static ConfigDriver mo_cf_gen;
1576 #define OID "1.3.6.1.4.1.7136.2.666.4"
1577 #define OIDAT OID ".1.1"
1578 #define OIDCFGAT OID ".1.2"
1579 #define OIDOC OID ".2.1"
1580 #define OIDCFGOC OID ".2.2"
1583 static ConfigTable mo_cfg[] = {
1584 { "memberof-dn", "modifiersName",
1585 2, 2, 0, ARG_MAGIC|ARG_DN|MO_DN, mo_cf_gen,
1586 "( OLcfgOvAt:18.0 NAME 'olcMemberOfDN' "
1587 "DESC 'DN to be used as modifiersName' "
1588 "SYNTAX OMsDN SINGLE-VALUE )",
1591 { "memberof-dangling", "ignore|drop|error",
1592 2, 2, 0, ARG_MAGIC|MO_DANGLING, mo_cf_gen,
1593 "( OLcfgOvAt:18.1 NAME 'olcMemberOfDangling' "
1594 "DESC 'Behavior with respect to dangling members, "
1595 "constrained to ignore, drop, error' "
1596 "SYNTAX OMsDirectoryString SINGLE-VALUE )",
1599 { "memberof-refint", "true|FALSE",
1600 2, 2, 0, ARG_MAGIC|ARG_ON_OFF|MO_REFINT, mo_cf_gen,
1601 "( OLcfgOvAt:18.2 NAME 'olcMemberOfRefInt' "
1602 "DESC 'Take care of referential integrity' "
1603 "SYNTAX OMsBoolean SINGLE-VALUE )",
1606 { "memberof-group-oc", "objectClass",
1607 2, 2, 0, ARG_MAGIC|MO_GROUP_OC, mo_cf_gen,
1608 "( OLcfgOvAt:18.3 NAME 'olcMemberOfGroupOC' "
1609 "DESC 'Group objectClass' "
1610 "SYNTAX OMsDirectoryString SINGLE-VALUE )",
1613 { "memberof-member-ad", "member attribute",
1614 2, 2, 0, ARG_MAGIC|MO_MEMBER_AD, mo_cf_gen,
1615 "( OLcfgOvAt:18.4 NAME 'olcMemberOfMemberAD' "
1616 "DESC 'member attribute' "
1617 "SYNTAX OMsDirectoryString SINGLE-VALUE )",
1620 { "memberof-memberof-ad", "memberOf attribute",
1621 2, 2, 0, ARG_MAGIC|MO_MEMBER_OF_AD, mo_cf_gen,
1622 "( OLcfgOvAt:18.5 NAME 'olcMemberOfMemberOfAD' "
1623 "DESC 'memberOf attribute' "
1624 "SYNTAX OMsDirectoryString SINGLE-VALUE )",
1628 { "memberof-reverse", "true|FALSE",
1629 2, 2, 0, ARG_MAGIC|ARG_ON_OFF|MO_REVERSE, mo_cf_gen,
1630 "( OLcfgOvAt:18.6 NAME 'olcMemberOfReverse' "
1631 "DESC 'Take care of referential integrity "
1632 "also when directly modifying memberOf' "
1633 "SYNTAX OMsBoolean SINGLE-VALUE )",
1637 { "memberof-dangling-error", "error code",
1638 2, 2, 0, ARG_MAGIC|MO_DANGLING_ERROR, mo_cf_gen,
1639 "( OLcfgOvAt:18.7 NAME 'olcMemberOfDanglingError' "
1640 "DESC 'Error code returned in case of dangling back reference' "
1641 "SYNTAX OMsDirectoryString SINGLE-VALUE )",
1644 { NULL, NULL, 0, 0, 0, ARG_IGNORED }
1647 static ConfigOCs mo_ocs[] = {
1648 { "( OLcfgOvOc:18.1 "
1649 "NAME 'olcMemberOf' "
1650 "DESC 'Member-of configuration' "
1651 "SUP olcOverlayConfig "
1654 "$ olcMemberOfDangling "
1655 "$ olcMemberOfDanglingError"
1656 "$ olcMemberOfRefInt "
1657 "$ olcMemberOfGroupOC "
1658 "$ olcMemberOfMemberAD "
1659 "$ olcMemberOfMemberOfAD "
1661 "$ olcMemberOfReverse "
1665 Cft_Overlay, mo_cfg, NULL, NULL },
1669 static slap_verbmasks dangling_mode[] = {
1670 { BER_BVC( "ignore" ), MEMBEROF_NONE },
1671 { BER_BVC( "drop" ), MEMBEROF_FDANGLING_DROP },
1672 { BER_BVC( "error" ), MEMBEROF_FDANGLING_ERROR },
1677 memberof_make_group_filter( memberof_t *mo )
1681 if ( !BER_BVISNULL( &mo->mo_groupFilterstr ) ) {
1682 ch_free( mo->mo_groupFilterstr.bv_val );
1685 mo->mo_groupFilter.f_choice = LDAP_FILTER_EQUALITY;
1686 mo->mo_groupFilter.f_ava = &mo->mo_groupAVA;
1688 mo->mo_groupFilter.f_av_desc = slap_schema.si_ad_objectClass;
1689 mo->mo_groupFilter.f_av_value = mo->mo_oc_group->soc_cname;
1691 mo->mo_groupFilterstr.bv_len = STRLENOF( "(=)" )
1692 + slap_schema.si_ad_objectClass->ad_cname.bv_len
1693 + mo->mo_oc_group->soc_cname.bv_len;
1694 ptr = mo->mo_groupFilterstr.bv_val = ch_malloc( mo->mo_groupFilterstr.bv_len + 1 );
1696 ptr = lutil_strcopy( ptr, slap_schema.si_ad_objectClass->ad_cname.bv_val );
1698 ptr = lutil_strcopy( ptr, mo->mo_oc_group->soc_cname.bv_val );
1706 memberof_make_member_filter( memberof_t *mo )
1710 if ( !BER_BVISNULL( &mo->mo_memberFilterstr ) ) {
1711 ch_free( mo->mo_memberFilterstr.bv_val );
1714 mo->mo_memberFilter.f_choice = LDAP_FILTER_PRESENT;
1715 mo->mo_memberFilter.f_desc = mo->mo_ad_memberof;
1717 mo->mo_memberFilterstr.bv_len = STRLENOF( "(=*)" )
1718 + mo->mo_ad_memberof->ad_cname.bv_len;
1719 ptr = mo->mo_memberFilterstr.bv_val = ch_malloc( mo->mo_memberFilterstr.bv_len + 1 );
1721 ptr = lutil_strcopy( ptr, mo->mo_ad_memberof->ad_cname.bv_val );
1722 ptr = lutil_strcopy( ptr, "=*)" );
1728 mo_cf_gen( ConfigArgs *c )
1730 slap_overinst *on = (slap_overinst *)c->bi;
1731 memberof_t *mo = (memberof_t *)on->on_bi.bi_private;
1735 if ( c->op == SLAP_CONFIG_EMIT ) {
1736 struct berval bv = BER_BVNULL;
1740 if ( mo->mo_dn.bv_val != NULL) {
1741 value_add_one( &c->rvalue_vals, &mo->mo_dn );
1742 value_add_one( &c->rvalue_nvals, &mo->mo_ndn );
1747 enum_to_verb( dangling_mode, (mo->mo_flags & MEMBEROF_FDANGLING_MASK), &bv );
1748 if ( BER_BVISNULL( &bv ) ) {
1749 /* there's something wrong... */
1754 value_add_one( &c->rvalue_vals, &bv );
1758 case MO_DANGLING_ERROR:
1759 if ( mo->mo_flags & MEMBEROF_FDANGLING_ERROR ) {
1760 char buf[ SLAP_TEXT_BUFLEN ];
1761 enum_to_verb( slap_ldap_response_code, mo->mo_dangling_err, &bv );
1762 if ( BER_BVISNULL( &bv ) ) {
1763 bv.bv_len = snprintf( buf, sizeof( buf ), "0x%x", mo->mo_dangling_err );
1764 if ( bv.bv_len < sizeof( buf ) ) {
1771 value_add_one( &c->rvalue_vals, &bv );
1778 c->value_int = MEMBEROF_REFINT( mo );
1783 c->value_int = MEMBEROF_REVERSE( mo );
1788 if ( mo->mo_oc_group != NULL ){
1789 value_add_one( &c->rvalue_vals, &mo->mo_oc_group->soc_cname );
1794 if ( mo->mo_ad_member != NULL ){
1795 value_add_one( &c->rvalue_vals, &mo->mo_ad_member->ad_cname );
1799 case MO_MEMBER_OF_AD:
1800 if ( mo->mo_ad_memberof != NULL ){
1801 value_add_one( &c->rvalue_vals, &mo->mo_ad_memberof->ad_cname );
1812 } else if ( c->op == LDAP_MOD_DELETE ) {
1813 return 1; /* FIXME */
1818 if ( !BER_BVISNULL( &mo->mo_dn ) ) {
1819 ber_memfree( mo->mo_dn.bv_val );
1820 ber_memfree( mo->mo_ndn.bv_val );
1822 mo->mo_dn = c->value_dn;
1823 mo->mo_ndn = c->value_ndn;
1827 i = verb_to_mask( c->argv[ 1 ], dangling_mode );
1828 if ( BER_BVISNULL( &dangling_mode[ i ].word ) ) {
1832 mo->mo_flags &= ~MEMBEROF_FDANGLING_MASK;
1833 mo->mo_flags |= dangling_mode[ i ].mask;
1836 case MO_DANGLING_ERROR:
1837 i = verb_to_mask( c->argv[ 1 ], slap_ldap_response_code );
1838 if ( !BER_BVISNULL( &slap_ldap_response_code[ i ].word ) ) {
1839 mo->mo_dangling_err = slap_ldap_response_code[ i ].mask;
1840 } else if ( lutil_atoix( &mo->mo_dangling_err, c->argv[ 1 ], 0 ) ) {
1846 if ( c->value_int ) {
1847 mo->mo_flags |= MEMBEROF_FREFINT;
1850 mo->mo_flags &= ~MEMBEROF_FREFINT;
1856 if ( c->value_int ) {
1857 mo->mo_flags |= MEMBEROF_FREVERSE;
1860 mo->mo_flags &= ~MEMBEROF_FREVERSE;
1866 ObjectClass *oc = NULL;
1868 oc = oc_find( c->argv[ 1 ] );
1870 snprintf( c->cr_msg, sizeof( c->cr_msg ),
1871 "unable to find group objectClass=\"%s\"",
1873 Debug( LDAP_DEBUG_CONFIG, "%s: %s.\n",
1874 c->log, c->cr_msg, 0 );
1878 mo->mo_oc_group = oc;
1879 memberof_make_group_filter( mo );
1882 case MO_MEMBER_AD: {
1883 AttributeDescription *ad = NULL;
1884 const char *text = NULL;
1887 rc = slap_str2ad( c->argv[ 1 ], &ad, &text );
1888 if ( rc != LDAP_SUCCESS ) {
1889 snprintf( c->cr_msg, sizeof( c->cr_msg ),
1890 "unable to find member attribute=\"%s\": %s (%d)",
1891 c->argv[ 1 ], text, rc );
1892 Debug( LDAP_DEBUG_CONFIG, "%s: %s.\n",
1893 c->log, c->cr_msg, 0 );
1897 if ( !is_at_syntax( ad->ad_type, SLAPD_DN_SYNTAX ) /* e.g. "member" */
1898 && !is_at_syntax( ad->ad_type, SLAPD_NAMEUID_SYNTAX ) ) /* e.g. "uniqueMember" */
1900 snprintf( c->cr_msg, sizeof( c->cr_msg ),
1901 "member attribute=\"%s\" must either "
1902 "have DN (%s) or nameUID (%s) syntax",
1903 c->argv[ 1 ], SLAPD_DN_SYNTAX, SLAPD_NAMEUID_SYNTAX );
1904 Debug( LDAP_DEBUG_CONFIG, "%s: %s.\n",
1905 c->log, c->cr_msg, 0 );
1909 mo->mo_ad_member = ad;
1912 case MO_MEMBER_OF_AD: {
1913 AttributeDescription *ad = NULL;
1914 const char *text = NULL;
1917 rc = slap_str2ad( c->argv[ 1 ], &ad, &text );
1918 if ( rc != LDAP_SUCCESS ) {
1919 snprintf( c->cr_msg, sizeof( c->cr_msg ),
1920 "unable to find memberof attribute=\"%s\": %s (%d)",
1921 c->argv[ 1 ], text, rc );
1922 Debug( LDAP_DEBUG_CONFIG, "%s: %s.\n",
1923 c->log, c->cr_msg, 0 );
1927 if ( !is_at_syntax( ad->ad_type, SLAPD_DN_SYNTAX ) /* e.g. "member" */
1928 && !is_at_syntax( ad->ad_type, SLAPD_NAMEUID_SYNTAX ) ) /* e.g. "uniqueMember" */
1930 snprintf( c->cr_msg, sizeof( c->cr_msg ),
1931 "memberof attribute=\"%s\" must either "
1932 "have DN (%s) or nameUID (%s) syntax",
1933 c->argv[ 1 ], SLAPD_DN_SYNTAX, SLAPD_NAMEUID_SYNTAX );
1934 Debug( LDAP_DEBUG_CONFIG, "%s: %s.\n",
1935 c->log, c->cr_msg, 0 );
1939 mo->mo_ad_memberof = ad;
1940 memberof_make_member_filter( mo );
1957 slap_overinst *on = (slap_overinst *)be->bd_info;
1958 memberof_t *mo = (memberof_t *)on->on_bi.bi_private;
1961 const char *text = NULL;
1963 if( ! mo->mo_ad_memberof ){
1964 rc = slap_str2ad( SLAPD_MEMBEROF_ATTR, &mo->mo_ad_memberof, &text );
1965 if ( rc != LDAP_SUCCESS ) {
1966 Debug( LDAP_DEBUG_ANY, "memberof_db_open: "
1967 "unable to find attribute=\"%s\": %s (%d)\n",
1968 SLAPD_MEMBEROF_ATTR, text, rc );
1973 if( ! mo->mo_ad_member ){
1974 rc = slap_str2ad( SLAPD_GROUP_ATTR, &mo->mo_ad_member, &text );
1975 if ( rc != LDAP_SUCCESS ) {
1976 Debug( LDAP_DEBUG_ANY, "memberof_db_open: "
1977 "unable to find attribute=\"%s\": %s (%d)\n",
1978 SLAPD_GROUP_ATTR, text, rc );
1983 if( ! mo->mo_oc_group ){
1984 mo->mo_oc_group = oc_find( SLAPD_GROUP_CLASS );
1985 if ( mo->mo_oc_group == NULL ) {
1986 Debug( LDAP_DEBUG_ANY,
1987 "memberof_db_open: "
1988 "unable to find objectClass=\"%s\"\n",
1989 SLAPD_GROUP_CLASS, 0, 0 );
1994 if ( BER_BVISNULL( &mo->mo_dn ) && !BER_BVISNULL( &be->be_rootdn ) ) {
1995 ber_dupbv( &mo->mo_dn, &be->be_rootdn );
1996 ber_dupbv( &mo->mo_ndn, &be->be_rootndn );
1999 if ( BER_BVISNULL( &mo->mo_groupFilterstr ) ) {
2000 memberof_make_group_filter( mo );
2003 if ( BER_BVISNULL( &mo->mo_memberFilterstr ) ) {
2004 memberof_make_member_filter( mo );
2011 memberof_db_destroy(
2015 slap_overinst *on = (slap_overinst *)be->bd_info;
2016 memberof_t *mo = (memberof_t *)on->on_bi.bi_private;
2019 if ( !BER_BVISNULL( &mo->mo_dn ) ) {
2020 ber_memfree( mo->mo_dn.bv_val );
2021 ber_memfree( mo->mo_ndn.bv_val );
2024 if ( !BER_BVISNULL( &mo->mo_groupFilterstr ) ) {
2025 ber_memfree( mo->mo_groupFilterstr.bv_val );
2028 if ( !BER_BVISNULL( &mo->mo_memberFilterstr ) ) {
2029 ber_memfree( mo->mo_memberFilterstr.bv_val );
2039 static AttributeDescription *ad_memberOf;
2043 AttributeDescription **adp;
2045 { "( 1.2.840.113556.1.2.102 "
2047 "DESC 'Group that the entry belongs to' "
2048 "SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' "
2049 "EQUALITY distinguishedNameMatch " /* added */
2050 "USAGE dSAOperation " /* added; questioned */
2051 /* "NO-USER-MODIFICATION " */ /* add? */
2052 "X-ORIGIN 'iPlanet Delegated Administrator' )",
2057 #if SLAPD_OVER_MEMBEROF == SLAPD_MOD_DYNAMIC
2059 #endif /* SLAPD_OVER_MEMBEROF == SLAPD_MOD_DYNAMIC */
2061 memberof_initialize( void )
2065 for ( i = 0; as[ i ].desc != NULL; i++ ) {
2066 code = register_at( as[ i ].desc, as[ i ].adp, 0 );
2068 Debug( LDAP_DEBUG_ANY,
2069 "memberof_initialize: register_at #%d failed\n",
2075 memberof.on_bi.bi_type = "memberof";
2077 memberof.on_bi.bi_db_init = memberof_db_init;
2078 memberof.on_bi.bi_db_open = memberof_db_open;
2079 memberof.on_bi.bi_db_destroy = memberof_db_destroy;
2081 memberof.on_bi.bi_op_add = memberof_op_add;
2082 memberof.on_bi.bi_op_delete = memberof_op_delete;
2083 memberof.on_bi.bi_op_modify = memberof_op_modify;
2084 memberof.on_bi.bi_op_modrdn = memberof_op_modrdn;
2086 memberof.on_bi.bi_cf_ocs = mo_ocs;
2088 code = config_register_schema( mo_cfg, mo_ocs );
2089 if ( code ) return code;
2091 return overlay_register( &memberof );
2094 #if SLAPD_OVER_MEMBEROF == SLAPD_MOD_DYNAMIC
2096 init_module( int argc, char *argv[] )
2098 return memberof_initialize();
2100 #endif /* SLAPD_OVER_MEMBEROF == SLAPD_MOD_DYNAMIC */
2102 #endif /* SLAPD_OVER_MEMBEROF */