1 /* memberof.c - back-reference for group membership */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
5 * Copyright 2005-2007 Pierangelo Masarati <ando@sys-net.it>
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted only as authorized by the OpenLDAP
12 * A copy of this license is available in the file LICENSE in the
13 * top-level directory of the distribution or, alternatively, at
14 * <http://www.OpenLDAP.org/license.html>.
17 * This work was initially developed by Pierangelo Masarati for inclusion
18 * in OpenLDAP Software, sponsored by SysNet s.r.l.
23 #ifdef SLAPD_OVER_MEMBEROF
27 #include "ac/string.h"
28 #include "ac/socket.h"
37 * GROUP a group object (an entry with GROUP_OC
39 * MEMBER a member object (an entry whose DN is
40 * listed as MEMBER_AT value of a GROUP)
41 * GROUP_OC the objectClass of the group object
42 * (default: groupOfNames)
43 * MEMBER_AT the membership attribute, DN-valued;
44 * note: nameAndOptionalUID is tolerated
45 * as soon as the optionalUID is absent
47 * MEMBER_OF reverse membership attribute
51 * - if the entry that is being added is a GROUP,
52 * the MEMBER_AT defined as values of the add operation
53 * get the MEMBER_OF value directly from the request.
55 * if configured to do so, the MEMBER objects do not exist,
56 * and no relax control is issued, either:
58 * - drop non-existing members
59 * (by default: don't muck with values)
61 * - if (configured to do so,) the referenced GROUP exists,
62 * the relax control is set and the user has
63 * "manage" privileges, allow to add MEMBER_OF values to
67 * - if the entry being modified is a GROUP_OC and the
68 * MEMBER_AT attribute is modified, the MEMBER_OF value
69 * of the (existing) MEMBER_AT entries that are affected
70 * is modified according to the request:
71 * - if a MEMBER is removed from the group,
72 * delete the corresponding MEMBER_OF
73 * - if a MEMBER is added to a group,
74 * add the corresponding MEMBER_OF
76 * We need to determine, from the database, if it is
77 * a GROUP_OC, and we need to check, from the
78 * modification list, if the MEMBER_AT attribute is being
79 * affected, and what MEMBER_AT values are affected.
81 * if configured to do so, the entries corresponding to
82 * the MEMBER_AT values do not exist, and no relax control
85 * - drop non-existing members
86 * (by default: don't muck with values)
88 * - if configured to do so, the referenced GROUP exists,
89 * (the relax control is set) and the user has
90 * "manage" privileges, allow to add MEMBER_OF values to
91 * generic entries; the change is NOT automatically reflected
92 * in the MEMBER attribute of the GROUP referenced
93 * by the value of MEMBER_OF; a separate modification,
94 * with or without relax control, needs to be performed.
97 * - if the entry being renamed is a GROUP, the MEMBER_OF
98 * value of the (existing) MEMBER objects is modified
99 * accordingly based on the newDN of the GROUP.
101 * We need to determine, from the database, if it is
102 * a GROUP; the list of MEMBER objects is obtained from
105 * Non-existing MEMBER objects are ignored, since the
106 * MEMBER_AT is not being addressed by the operation.
108 * - if the entry being renamed has the MEMBER_OF attribute,
109 * the corresponding MEMBER value must be modified in the
110 * respective group entries.
114 * - if the entry being deleted is a GROUP, the (existing)
115 * MEMBER objects are modified accordingly; a copy of the
116 * values of the MEMBER_AT is saved and, if the delete
117 * succeeds, the MEMBER_OF value of the (existing) MEMBER
118 * objects is deleted.
120 * We need to determine, from the database, if it is
123 * Non-existing MEMBER objects are ignored, since the entry
126 * - if the entry being deleted has the MEMBER_OF attribute,
127 * the corresponding value of the MEMBER_AT must be deleted
128 * from the respective GROUP entries.
131 #define SLAPD_MEMBEROF_ATTR "memberOf"
133 static slap_overinst memberof;
135 typedef struct memberof_t {
137 struct berval mo_ndn;
139 ObjectClass *mo_oc_group;
140 AttributeDescription *mo_ad_member;
141 AttributeDescription *mo_ad_memberof;
143 struct berval mo_groupFilterstr;
144 AttributeAssertion mo_groupAVA;
145 Filter mo_groupFilter;
147 struct berval mo_memberFilterstr;
148 Filter mo_memberFilter;
151 #define MEMBEROF_NONE 0x00U
152 #define MEMBEROF_FDANGLING_DROP 0x01U
153 #define MEMBEROF_FDANGLING_ERROR 0x02U
154 #define MEMBEROF_FDANGLING_MASK (MEMBEROF_FDANGLING_DROP|MEMBEROF_FDANGLING_ERROR)
155 #define MEMBEROF_FREFINT 0x04U
156 #define MEMBEROF_FREVERSE 0x08U
158 ber_int_t mo_dangling_err;
160 #define MEMBEROF_CHK(mo,f) \
161 (((mo)->mo_flags & (f)) == (f))
162 #define MEMBEROF_DANGLING_CHECK(mo) \
163 ((mo)->mo_flags & MEMBEROF_FDANGLING_MASK)
164 #define MEMBEROF_DANGLING_DROP(mo) \
165 MEMBEROF_CHK((mo),MEMBEROF_FDANGLING_DROP)
166 #define MEMBEROF_DANGLING_ERROR(mo) \
167 MEMBEROF_CHK((mo),MEMBEROF_FDANGLING_ERROR)
168 #define MEMBEROF_REFINT(mo) \
169 MEMBEROF_CHK((mo),MEMBEROF_FREFINT)
170 #define MEMBEROF_REVERSE(mo) \
171 MEMBEROF_CHK((mo),MEMBEROF_FREVERSE)
174 typedef enum memberof_is_t {
175 MEMBEROF_IS_NONE = 0x00,
176 MEMBEROF_IS_GROUP = 0x01,
177 MEMBEROF_IS_MEMBER = 0x02,
178 MEMBEROF_IS_BOTH = (MEMBEROF_IS_GROUP|MEMBEROF_IS_MEMBER)
182 * failover storage for member attribute values of groups being deleted
183 * handles [no]thread cases.
185 static BerVarray saved_member_vals;
186 static BerVarray saved_memberof_vals;
189 memberof_saved_member_free( void *key, void *data )
191 ber_bvarray_free( (BerVarray)data );
195 memberof_saved_member_get( Operation *op, void *keyp )
198 BerVarray *key = (BerVarray *)keyp;
200 assert( op != NULL );
202 if ( op->o_threadctx == NULL ) {
207 ldap_pvt_thread_pool_getkey( op->o_threadctx,
208 key, (void **)&vals, NULL );
209 ldap_pvt_thread_pool_setkey( op->o_threadctx,
217 memberof_saved_member_set( Operation *op, void *keyp, BerVarray vals )
219 BerVarray saved_vals = NULL;
220 BerVarray *key = (BerVarray*)keyp;
222 assert( op != NULL );
225 ber_bvarray_dup_x( &saved_vals, vals, NULL );
228 if ( op->o_threadctx == NULL ) {
230 ber_bvarray_free( *key );
235 ldap_pvt_thread_pool_setkey( op->o_threadctx, key,
236 saved_vals, memberof_saved_member_free );
240 typedef struct memberof_cookie_t {
241 AttributeDescription *ad;
247 memberof_isGroupOrMember_cb( Operation *op, SlapReply *rs )
249 if ( rs->sr_type == REP_SEARCH ) {
250 memberof_cookie_t *mc;
252 mc = (memberof_cookie_t *)op->o_callback->sc_private;
260 * callback for internal search that saves the member attribute values
261 * of groups being deleted.
264 memberof_saveMember_cb( Operation *op, SlapReply *rs )
266 if ( rs->sr_type == REP_SEARCH ) {
267 memberof_cookie_t *mc;
269 BerVarray vals = NULL;
271 mc = (memberof_cookie_t *)op->o_callback->sc_private;
274 assert( rs->sr_entry != NULL );
275 assert( rs->sr_entry->e_attrs != NULL );
277 a = attr_find( rs->sr_entry->e_attrs, mc->ad );
282 memberof_saved_member_set( op, mc->key, vals );
284 if ( a && attr_find( a->a_next, mc->ad ) != NULL ) {
285 Debug( LDAP_DEBUG_ANY,
286 "%s: memberof_saveMember_cb(\"%s\"): "
287 "more than one occurrence of \"%s\" "
290 rs->sr_entry->e_name.bv_val,
291 mc->ad->ad_cname.bv_val );
299 * the delete hook performs an internal search that saves the member
300 * attribute values of groups being deleted.
303 memberof_isGroupOrMember( Operation *op, memberof_is_t *iswhatp )
305 slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
306 memberof_t *mo = (memberof_t *)on->on_bi.bi_private;
309 SlapReply rs2 = { REP_RESULT };
310 slap_callback cb = { 0 };
311 memberof_cookie_t mc;
312 AttributeName an[ 2 ];
314 memberof_is_t iswhat = MEMBEROF_IS_NONE;
316 assert( iswhatp != NULL );
317 assert( *iswhatp != MEMBEROF_IS_NONE );
320 if ( op->o_tag == LDAP_REQ_DELETE ) {
321 cb.sc_response = memberof_saveMember_cb;
324 cb.sc_response = memberof_isGroupOrMember_cb;
327 op2.o_tag = LDAP_REQ_SEARCH;
328 op2.o_callback = &cb;
329 op2.o_dn = op->o_bd->be_rootdn;
330 op2.o_ndn = op->o_bd->be_rootndn;
332 op2.ors_scope = LDAP_SCOPE_BASE;
333 op2.ors_deref = LDAP_DEREF_NEVER;
334 BER_BVZERO( &an[ 1 ].an_name );
336 op2.ors_attrsonly = 0;
337 op2.ors_limit = NULL;
339 op2.ors_tlimit = SLAP_NO_LIMIT;
341 if ( *iswhatp & MEMBEROF_IS_GROUP ) {
342 mc.ad = mo->mo_ad_member;
343 mc.key = &saved_member_vals;
345 an[ 0 ].an_desc = mo->mo_ad_member;
346 an[ 0 ].an_name = an[ 0 ].an_desc->ad_cname;
347 op2.ors_filterstr = mo->mo_groupFilterstr;
348 op2.ors_filter = &mo->mo_groupFilter;
350 op2.o_bd->bd_info = (BackendInfo *)on->on_info;
351 (void)op->o_bd->be_search( &op2, &rs2 );
352 op2.o_bd->bd_info = (BackendInfo *)on;
355 iswhat |= MEMBEROF_IS_GROUP;
358 memberof_saved_member_set( op, mc.key, NULL );
362 if ( *iswhatp & MEMBEROF_IS_MEMBER ) {
363 mc.ad = mo->mo_ad_memberof;
364 mc.key = &saved_memberof_vals;
366 an[ 0 ].an_desc = mo->mo_ad_memberof;
367 an[ 0 ].an_name = an[ 0 ].an_desc->ad_cname;
368 op2.ors_filterstr = mo->mo_memberFilterstr;
369 op2.ors_filter = &mo->mo_memberFilter;
371 op2.o_bd->bd_info = (BackendInfo *)on->on_info;
372 (void)op->o_bd->be_search( &op2, &rs2 );
373 op2.o_bd->bd_info = (BackendInfo *)on;
376 iswhat |= MEMBEROF_IS_MEMBER;
379 memberof_saved_member_set( op, mc.key, NULL );
389 * response callback that adds memberof values when a group is modified.
392 memberof_value_modify(
396 AttributeDescription *ad,
397 struct berval *old_dn,
398 struct berval *old_ndn,
399 struct berval *new_dn,
400 struct berval *new_ndn )
402 slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
403 memberof_t *mo = (memberof_t *)on->on_bi.bi_private;
406 SlapReply rs2 = { REP_RESULT };
407 slap_callback cb = { NULL, slap_null_cb, NULL, NULL };
408 Modifications mod[ 2 ] = { { { 0 } } }, *ml;
409 struct berval values[ 4 ], nvalues[ 4 ];
411 op2.o_tag = LDAP_REQ_MODIFY;
414 op2.o_req_ndn = *ndn;
416 op2.o_bd->bd_info = (BackendInfo *)on->on_info;
418 op2.o_callback = &cb;
419 op2.o_dn = op->o_bd->be_rootdn;
420 op2.o_ndn = op->o_bd->be_rootndn;
424 ml->sml_values = &values[ 0 ];
425 ml->sml_values[ 0 ] = mo->mo_dn;
426 BER_BVZERO( &ml->sml_values[ 1 ] );
427 ml->sml_nvalues = &nvalues[ 0 ];
428 ml->sml_nvalues[ 0 ] = mo->mo_ndn;
429 BER_BVZERO( &ml->sml_nvalues[ 1 ] );
430 ml->sml_desc = slap_schema.si_ad_modifiersName;
431 ml->sml_type = ml->sml_desc->ad_cname;
432 ml->sml_op = LDAP_MOD_REPLACE;
433 ml->sml_flags = SLAP_MOD_INTERNAL;
435 op2.orm_modlist = ml;
439 ml->sml_values = &values[ 2 ];
440 BER_BVZERO( &ml->sml_values[ 1 ] );
441 ml->sml_nvalues = &nvalues[ 2 ];
442 BER_BVZERO( &ml->sml_nvalues[ 1 ] );
444 ml->sml_type = ml->sml_desc->ad_cname;
445 ml->sml_flags = SLAP_MOD_INTERNAL;
447 op2.orm_modlist->sml_next = ml;
449 if ( new_ndn != NULL ) {
450 assert( !BER_BVISNULL( new_dn ) );
451 assert( !BER_BVISNULL( new_ndn ) );
454 ml->sml_op = LDAP_MOD_ADD;
456 ml->sml_values[ 0 ] = *new_dn;
457 ml->sml_nvalues[ 0 ] = *new_ndn;
459 (void)op->o_bd->be_modify( &op2, &rs2 );
460 if ( rs2.sr_err != LDAP_SUCCESS ) {
461 char buf[ SLAP_TEXT_BUFLEN ];
462 snprintf( buf, sizeof( buf ),
463 "memberof_value_modify %s=\"%s\" failed err=%d",
464 ad->ad_cname.bv_val, new_dn->bv_val, rs2.sr_err );
465 Debug( LDAP_DEBUG_ANY, "%s: %s\n", op->o_log_prefix, buf, 0 );
468 assert( op2.orm_modlist == &mod[ 0 ] );
469 assert( op2.orm_modlist->sml_next == &mod[ 1 ] );
470 ml = op2.orm_modlist->sml_next->sml_next;
472 slap_mods_free( ml, 1 );
476 if ( old_ndn != NULL ) {
477 assert( !BER_BVISNULL( old_dn ) );
478 assert( !BER_BVISNULL( old_ndn ) );
481 ml->sml_op = LDAP_MOD_DELETE;
483 ml->sml_values[ 0 ] = *old_dn;
484 ml->sml_nvalues[ 0 ] = *old_ndn;
486 (void)op->o_bd->be_modify( &op2, &rs2 );
487 if ( rs2.sr_err != LDAP_SUCCESS ) {
488 char buf[ SLAP_TEXT_BUFLEN ];
489 snprintf( buf, sizeof( buf ),
490 "memberof_value_modify %s=\"%s\" failed err=%d",
491 ad->ad_cname.bv_val, old_dn->bv_val, rs2.sr_err );
492 Debug( LDAP_DEBUG_ANY, "%s: %s\n", op->o_log_prefix, buf, 0 );
495 assert( op2.orm_modlist == &mod[ 0 ] );
496 assert( op2.orm_modlist->sml_next == &mod[ 1 ] );
497 ml = op2.orm_modlist->sml_next->sml_next;
499 slap_mods_free( ml, 1 );
503 /* FIXME: if old_group_ndn doesn't exist, both delete __and__
504 * add will fail; better split in two operations, although
505 * not optimal in terms of performance. At least it would
506 * move towards self-repairing capabilities. */
508 op2.o_bd->bd_info = (BackendInfo *)on;
514 memberof_op_add( Operation *op, SlapReply *rs )
516 slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
517 memberof_t *mo = (memberof_t *)on->on_bi.bi_private;
519 Attribute **ap, **map = NULL;
520 int rc = SLAP_CB_CONTINUE;
522 struct berval save_dn, save_ndn;
524 if ( op->ora_e->e_attrs == NULL ) {
525 /* FIXME: global overlay; need to deal with */
526 Debug( LDAP_DEBUG_ANY, "%s: memberof_op_add(\"%s\"): "
527 "consistency checks not implemented when overlay "
528 "is instantiated as global.\n",
529 op->o_log_prefix, op->o_req_dn.bv_val, 0 );
530 return SLAP_CB_CONTINUE;
533 if ( MEMBEROF_REVERSE( mo ) ) {
534 for ( ap = &op->ora_e->e_attrs; *ap; ap = &(*ap)->a_next ) {
537 if ( a->a_desc == mo->mo_ad_memberof ) {
545 save_ndn = op->o_ndn;
547 if ( MEMBEROF_DANGLING_CHECK( mo )
549 && is_entry_objectclass_or_sub( op->ora_e, mo->mo_oc_group ) )
551 op->o_dn = op->o_bd->be_rootdn;
552 op->o_dn = op->o_bd->be_rootndn;
553 op->o_bd->bd_info = (BackendInfo *)on->on_info;
555 for ( ap = &op->ora_e->e_attrs; *ap; ) {
558 if ( !is_ad_subtype( a->a_desc, mo->mo_ad_member ) ) {
563 assert( a->a_nvals != NULL );
565 for ( i = 0; !BER_BVISNULL( &a->a_nvals[ i ] ); i++ ) {
568 rc = be_entry_get_rw( op, &a->a_nvals[ i ],
570 if ( rc == LDAP_SUCCESS ) {
571 be_entry_release_r( op, e );
575 if ( MEMBEROF_DANGLING_ERROR( mo ) ) {
576 rc = rs->sr_err = mo->mo_dangling_err;
577 rs->sr_text = "adding non-existing object "
579 send_ldap_result( op, rs );
583 if ( MEMBEROF_DANGLING_DROP( mo ) ) {
586 Debug( LDAP_DEBUG_ANY, "%s: memberof_op_add(\"%s\"): "
587 "member=\"%s\" does not exist (stripping...)\n",
588 op->o_log_prefix, op->ora_e->e_name.bv_val,
589 a->a_vals[ i ].bv_val );
591 for ( j = i + 1; !BER_BVISNULL( &a->a_nvals[ j ] ); j++ );
592 ber_memfree( a->a_vals[ i ].bv_val );
593 BER_BVZERO( &a->a_vals[ i ] );
594 if ( a->a_nvals != a->a_vals ) {
595 ber_memfree( a->a_nvals[ i ].bv_val );
596 BER_BVZERO( &a->a_nvals[ i ] );
602 AC_MEMCPY( &a->a_vals[ i ], &a->a_vals[ i + 1 ],
603 sizeof( struct berval ) * ( j - i ) );
604 if ( a->a_nvals != a->a_vals ) {
605 AC_MEMCPY( &a->a_nvals[ i ], &a->a_nvals[ i + 1 ],
606 sizeof( struct berval ) * ( j - i ) );
612 /* If all values have been removed,
613 * remove the attribute itself. */
614 if ( BER_BVISNULL( &a->a_nvals[ 0 ] ) ) {
623 op->o_ndn = save_ndn;
624 op->o_bd->bd_info = (BackendInfo *)on;
629 AccessControlState acl_state = ACL_STATE_INIT;
631 for ( i = 0; !BER_BVISNULL( &a->a_nvals[ i ] ); i++ ) {
634 op->o_bd->bd_info = (BackendInfo *)on->on_info;
635 /* access is checked with the original identity */
636 rc = access_allowed( op, op->ora_e, mo->mo_ad_memberof,
637 &a->a_nvals[ i ], ACL_WADD,
640 rc = rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
642 send_ldap_result( op, rs );
645 rc = be_entry_get_rw( op, &a->a_nvals[ i ],
647 op->o_bd->bd_info = (BackendInfo *)on;
648 if ( rc != LDAP_SUCCESS ) {
649 if ( get_relax( op ) ) {
653 if ( MEMBEROF_DANGLING_ERROR( mo ) ) {
654 rc = rs->sr_err = mo->mo_dangling_err;
655 rs->sr_text = "adding non-existing object "
657 send_ldap_result( op, rs );
661 if ( MEMBEROF_DANGLING_DROP( mo ) ) {
664 Debug( LDAP_DEBUG_ANY, "%s: memberof_op_add(\"%s\"): "
665 "memberof=\"%s\" does not exist (stripping...)\n",
666 op->o_log_prefix, op->ora_e->e_name.bv_val,
667 a->a_nvals[ i ].bv_val );
669 for ( j = i + 1; !BER_BVISNULL( &a->a_nvals[ j ] ); j++ );
670 ber_memfree( a->a_vals[ i ].bv_val );
671 BER_BVZERO( &a->a_vals[ i ] );
672 if ( a->a_nvals != a->a_vals ) {
673 ber_memfree( a->a_nvals[ i ].bv_val );
674 BER_BVZERO( &a->a_nvals[ i ] );
680 AC_MEMCPY( &a->a_vals[ i ], &a->a_vals[ i + 1 ],
681 sizeof( struct berval ) * ( j - i ) );
682 if ( a->a_nvals != a->a_vals ) {
683 AC_MEMCPY( &a->a_nvals[ i ], &a->a_nvals[ i + 1 ],
684 sizeof( struct berval ) * ( j - i ) );
692 /* access is checked with the original identity */
693 op->o_bd->bd_info = (BackendInfo *)on->on_info;
694 rc = access_allowed( op, e, mo->mo_ad_member,
695 &op->o_req_ndn, ACL_WADD, NULL );
696 be_entry_release_r( op, e );
697 op->o_bd->bd_info = (BackendInfo *)on;
700 rc = rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
701 rs->sr_text = "insufficient access to object referenced by memberof";
702 send_ldap_result( op, rs );
707 if ( BER_BVISNULL( &a->a_nvals[ 0 ] ) ) {
713 rc = SLAP_CB_CONTINUE;
717 op->o_ndn = save_ndn;
718 op->o_bd->bd_info = (BackendInfo *)on;
724 memberof_op_delete( Operation *op, SlapReply *rs )
726 slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
727 memberof_t *mo = (memberof_t *)on->on_bi.bi_private;
729 memberof_is_t iswhat = MEMBEROF_IS_GROUP;
731 if ( MEMBEROF_REFINT( mo ) ) {
732 iswhat = MEMBEROF_IS_BOTH;
735 memberof_isGroupOrMember( op, &iswhat );
737 return SLAP_CB_CONTINUE;
741 memberof_op_modify( Operation *op, SlapReply *rs )
743 slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
744 memberof_t *mo = (memberof_t *)on->on_bi.bi_private;
746 Modifications **mlp, **mmlp = NULL;
747 int rc = SLAP_CB_CONTINUE;
748 struct berval save_dn, save_ndn;
749 memberof_is_t iswhat = MEMBEROF_IS_GROUP;
751 if ( MEMBEROF_REVERSE( mo ) ) {
752 for ( mlp = &op->orm_modlist; *mlp; mlp = &(*mlp)->sml_next ) {
753 Modifications *ml = *mlp;
755 if ( ml->sml_desc == mo->mo_ad_memberof ) {
763 save_ndn = op->o_ndn;
765 if ( memberof_isGroupOrMember( op, &iswhat ) == LDAP_SUCCESS
766 && ( iswhat & MEMBEROF_IS_GROUP ) )
771 for ( ml = op->orm_modlist; ml; ml = ml->sml_next ) {
772 if ( ml->sml_desc == mo->mo_ad_member ) {
773 switch ( ml->sml_op ) {
774 case LDAP_MOD_DELETE:
775 case LDAP_MOD_REPLACE:
783 BerVarray vals = NULL;
785 op->o_dn = op->o_bd->be_rootdn;
786 op->o_dn = op->o_bd->be_rootndn;
787 op->o_bd->bd_info = (BackendInfo *)on->on_info;
788 rc = backend_attribute( op, NULL, &op->o_req_ndn,
789 mo->mo_ad_member, &vals, ACL_READ );
790 op->o_bd->bd_info = (BackendInfo *)on;
791 if ( rc == LDAP_SUCCESS && vals != NULL ) {
792 memberof_saved_member_set( op, &saved_member_vals, vals );
793 ber_bvarray_free_x( vals, op->o_tmpmemctx );
797 if ( MEMBEROF_DANGLING_CHECK( mo )
798 && !get_relax( op ) )
800 op->o_dn = op->o_bd->be_rootdn;
801 op->o_dn = op->o_bd->be_rootndn;
802 op->o_bd->bd_info = (BackendInfo *)on->on_info;
804 assert( op->orm_modlist != NULL );
806 for ( mlp = &op->orm_modlist; *mlp; ) {
807 Modifications *ml = *mlp;
810 if ( !is_ad_subtype( ml->sml_desc, mo->mo_ad_member ) ) {
815 switch ( ml->sml_op ) {
816 case LDAP_MOD_DELETE:
817 /* we don't care about cancellations: if the value
818 * exists, fine; if it doesn't, we let the underlying
819 * database fail as appropriate; */
823 case LDAP_MOD_REPLACE:
825 /* NOTE: right now, the attributeType we use
826 * for member must have a normalized value */
827 assert( ml->sml_nvalues != NULL );
829 for ( i = 0; !BER_BVISNULL( &ml->sml_nvalues[ i ] ); i++ ) {
833 if ( be_entry_get_rw( op, &ml->sml_nvalues[ i ],
834 NULL, NULL, 0, &e ) == LDAP_SUCCESS )
836 be_entry_release_r( op, e );
840 if ( MEMBEROF_DANGLING_ERROR( mo ) ) {
841 rc = rs->sr_err = mo->mo_dangling_err;
842 rs->sr_text = "adding non-existing object "
844 send_ldap_result( op, rs );
848 if ( MEMBEROF_DANGLING_DROP( mo ) ) {
851 Debug( LDAP_DEBUG_ANY, "%s: memberof_op_modify(\"%s\"): "
852 "member=\"%s\" does not exist (stripping...)\n",
853 op->o_log_prefix, op->o_req_dn.bv_val,
854 ml->sml_nvalues[ i ].bv_val );
856 for ( j = i + 1; !BER_BVISNULL( &ml->sml_nvalues[ j ] ); j++ );
857 ber_memfree( ml->sml_values[ i ].bv_val );
858 BER_BVZERO( &ml->sml_values[ i ] );
859 ber_memfree( ml->sml_nvalues[ i ].bv_val );
860 BER_BVZERO( &ml->sml_nvalues[ i ] );
866 AC_MEMCPY( &ml->sml_values[ i ], &ml->sml_values[ i + 1 ],
867 sizeof( struct berval ) * ( j - i ) );
868 AC_MEMCPY( &ml->sml_nvalues[ i ], &ml->sml_nvalues[ i + 1 ],
869 sizeof( struct berval ) * ( j - i ) );
874 if ( BER_BVISNULL( &ml->sml_nvalues[ 0 ] ) ) {
876 slap_mod_free( &ml->sml_mod, 0 );
892 if ( mmlp != NULL ) {
893 Modifications *ml = *mmlp;
897 op->o_bd->bd_info = (BackendInfo *)on->on_info;
898 rc = be_entry_get_rw( op, &op->o_req_ndn,
899 NULL, NULL, 0, &target );
900 op->o_bd->bd_info = (BackendInfo *)on;
901 if ( rc != LDAP_SUCCESS ) {
902 rc = rs->sr_err = LDAP_NO_SUCH_OBJECT;
903 send_ldap_result( op, rs );
907 switch ( ml->sml_op ) {
908 case LDAP_MOD_DELETE:
909 if ( ml->sml_nvalues != NULL ) {
910 AccessControlState acl_state = ACL_STATE_INIT;
912 for ( i = 0; !BER_BVISNULL( &ml->sml_nvalues[ i ] ); i++ ) {
915 op->o_bd->bd_info = (BackendInfo *)on->on_info;
916 /* access is checked with the original identity */
917 rc = access_allowed( op, target,
919 &ml->sml_nvalues[ i ],
923 rc = rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
925 send_ldap_result( op, rs );
929 rc = be_entry_get_rw( op, &ml->sml_nvalues[ i ],
931 op->o_bd->bd_info = (BackendInfo *)on;
932 if ( rc != LDAP_SUCCESS ) {
933 if ( get_relax( op ) ) {
937 if ( MEMBEROF_DANGLING_ERROR( mo ) ) {
938 rc = rs->sr_err = mo->mo_dangling_err;
939 rs->sr_text = "deleting non-existing object "
941 send_ldap_result( op, rs );
945 if ( MEMBEROF_DANGLING_DROP( mo ) ) {
948 Debug( LDAP_DEBUG_ANY, "%s: memberof_op_modify(\"%s\"): "
949 "memberof=\"%s\" does not exist (stripping...)\n",
950 op->o_log_prefix, op->o_req_ndn.bv_val,
951 ml->sml_nvalues[ i ].bv_val );
953 for ( j = i + 1; !BER_BVISNULL( &ml->sml_nvalues[ j ] ); j++ );
954 ber_memfree( ml->sml_values[ i ].bv_val );
955 BER_BVZERO( &ml->sml_values[ i ] );
956 if ( ml->sml_nvalues != ml->sml_values ) {
957 ber_memfree( ml->sml_nvalues[ i ].bv_val );
958 BER_BVZERO( &ml->sml_nvalues[ i ] );
965 AC_MEMCPY( &ml->sml_values[ i ], &ml->sml_values[ i + 1 ],
966 sizeof( struct berval ) * ( j - i ) );
967 if ( ml->sml_nvalues != ml->sml_values ) {
968 AC_MEMCPY( &ml->sml_nvalues[ i ], &ml->sml_nvalues[ i + 1 ],
969 sizeof( struct berval ) * ( j - i ) );
977 /* access is checked with the original identity */
978 op->o_bd->bd_info = (BackendInfo *)on->on_info;
979 rc = access_allowed( op, e, mo->mo_ad_member,
982 be_entry_release_r( op, e );
983 op->o_bd->bd_info = (BackendInfo *)on;
986 rc = rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
987 rs->sr_text = "insufficient access to object referenced by memberof";
988 send_ldap_result( op, rs );
993 if ( BER_BVISNULL( &ml->sml_nvalues[ 0 ] ) ) {
994 *mmlp = ml->sml_next;
995 slap_mod_free( &ml->sml_mod, 0 );
1003 case LDAP_MOD_REPLACE:
1005 op->o_bd->bd_info = (BackendInfo *)on->on_info;
1006 /* access is checked with the original identity */
1007 rc = access_allowed( op, target,
1011 op->o_bd->bd_info = (BackendInfo *)on;
1013 rc = rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
1015 send_ldap_result( op, rs );
1019 if ( ml->sml_op == LDAP_MOD_DELETE ) {
1024 case LDAP_MOD_ADD: {
1025 AccessControlState acl_state = ACL_STATE_INIT;
1027 for ( i = 0; !BER_BVISNULL( &ml->sml_nvalues[ i ] ); i++ ) {
1030 op->o_bd->bd_info = (BackendInfo *)on->on_info;
1031 /* access is checked with the original identity */
1032 rc = access_allowed( op, target,
1034 &ml->sml_nvalues[ i ],
1038 rc = rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
1040 send_ldap_result( op, rs );
1044 rc = be_entry_get_rw( op, &ml->sml_nvalues[ i ],
1045 NULL, NULL, 0, &e );
1046 op->o_bd->bd_info = (BackendInfo *)on;
1047 if ( rc != LDAP_SUCCESS ) {
1048 if ( MEMBEROF_DANGLING_ERROR( mo ) ) {
1049 rc = rs->sr_err = mo->mo_dangling_err;
1050 rs->sr_text = "adding non-existing object "
1052 send_ldap_result( op, rs );
1056 if ( MEMBEROF_DANGLING_DROP( mo ) ) {
1059 Debug( LDAP_DEBUG_ANY, "%s: memberof_op_modify(\"%s\"): "
1060 "memberof=\"%s\" does not exist (stripping...)\n",
1061 op->o_log_prefix, op->o_req_ndn.bv_val,
1062 ml->sml_nvalues[ i ].bv_val );
1064 for ( j = i + 1; !BER_BVISNULL( &ml->sml_nvalues[ j ] ); j++ );
1065 ber_memfree( ml->sml_values[ i ].bv_val );
1066 BER_BVZERO( &ml->sml_values[ i ] );
1067 if ( ml->sml_nvalues != ml->sml_values ) {
1068 ber_memfree( ml->sml_nvalues[ i ].bv_val );
1069 BER_BVZERO( &ml->sml_nvalues[ i ] );
1076 AC_MEMCPY( &ml->sml_values[ i ], &ml->sml_values[ i + 1 ],
1077 sizeof( struct berval ) * ( j - i ) );
1078 if ( ml->sml_nvalues != ml->sml_values ) {
1079 AC_MEMCPY( &ml->sml_nvalues[ i ], &ml->sml_nvalues[ i + 1 ],
1080 sizeof( struct berval ) * ( j - i ) );
1088 /* access is checked with the original identity */
1089 op->o_bd->bd_info = (BackendInfo *)on->on_info;
1090 rc = access_allowed( op, e, mo->mo_ad_member,
1093 be_entry_release_r( op, e );
1094 op->o_bd->bd_info = (BackendInfo *)on;
1097 rc = rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
1098 rs->sr_text = "insufficient access to object referenced by memberof";
1099 send_ldap_result( op, rs );
1104 if ( BER_BVISNULL( &ml->sml_nvalues[ 0 ] ) ) {
1105 *mmlp = ml->sml_next;
1106 slap_mod_free( &ml->sml_mod, 0 );
1117 op->o_bd->bd_info = (BackendInfo *)on->on_info;
1118 be_entry_release_r( op, target );
1119 op->o_bd->bd_info = (BackendInfo *)on;
1122 rc = SLAP_CB_CONTINUE;
1126 op->o_ndn = save_ndn;
1127 op->o_bd->bd_info = (BackendInfo *)on;
1133 * response callback that adds memberof values when a group is added.
1136 memberof_res_add( Operation *op, SlapReply *rs )
1138 slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
1139 memberof_t *mo = (memberof_t *)on->on_bi.bi_private;
1143 if ( MEMBEROF_REVERSE( mo ) ) {
1146 ma = attr_find( op->ora_e->e_attrs, mo->mo_ad_memberof );
1148 Operation op2 = *op;
1149 SlapReply rs2 = { 0 };
1151 /* relax is required to allow to add
1152 * a non-existing member */
1153 op2.o_relax = SLAP_CONTROL_CRITICAL;
1155 for ( i = 0; !BER_BVISNULL( &ma->a_nvals[ i ] ); i++ ) {
1157 /* the modification is attempted
1158 * with the original identity */
1159 (void)memberof_value_modify( &op2, &rs2,
1160 &ma->a_nvals[ i ], mo->mo_ad_member,
1161 NULL, NULL, &op->o_req_dn, &op->o_req_ndn );
1166 if ( is_entry_objectclass_or_sub( op->ora_e, mo->mo_oc_group ) ) {
1169 for ( a = attrs_find( op->ora_e->e_attrs, mo->mo_ad_member );
1171 a = attrs_find( a->a_next, mo->mo_ad_member ) )
1173 for ( i = 0; !BER_BVISNULL( &a->a_nvals[ i ] ); i++ ) {
1174 (void)memberof_value_modify( op, rs,
1184 return SLAP_CB_CONTINUE;
1188 * response callback that deletes memberof values when a group is deleted.
1191 memberof_res_delete( Operation *op, SlapReply *rs )
1193 slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
1194 memberof_t *mo = (memberof_t *)on->on_bi.bi_private;
1199 vals = memberof_saved_member_get( op, &saved_member_vals );
1200 if ( vals != NULL ) {
1201 for ( i = 0; !BER_BVISNULL( &vals[ i ] ); i++ ) {
1202 (void)memberof_value_modify( op, rs,
1203 &vals[ i ], mo->mo_ad_memberof,
1204 &op->o_req_dn, &op->o_req_ndn,
1208 ber_bvarray_free( vals );
1211 if ( MEMBEROF_REFINT( mo ) ) {
1212 vals = memberof_saved_member_get( op, &saved_memberof_vals );
1213 if ( vals != NULL ) {
1214 for ( i = 0; !BER_BVISNULL( &vals[ i ] ); i++ ) {
1215 (void)memberof_value_modify( op, rs,
1216 &vals[ i ], mo->mo_ad_member,
1217 &op->o_req_dn, &op->o_req_ndn,
1221 ber_bvarray_free( vals );
1225 return SLAP_CB_CONTINUE;
1229 * response callback that adds/deletes memberof values when a group
1233 memberof_res_modify( Operation *op, SlapReply *rs )
1235 slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
1236 memberof_t *mo = (memberof_t *)on->on_bi.bi_private;
1239 Modifications *ml, *mml = NULL;
1241 memberof_is_t iswhat = MEMBEROF_IS_GROUP;
1243 if ( MEMBEROF_REVERSE( mo ) ) {
1244 for ( ml = op->orm_modlist; ml; ml = ml->sml_next ) {
1245 if ( ml->sml_desc == mo->mo_ad_memberof ) {
1252 if ( mml != NULL ) {
1253 BerVarray vals = mml->sml_nvalues;
1255 switch ( mml->sml_op ) {
1256 case LDAP_MOD_DELETE:
1257 if ( vals != NULL ) {
1258 for ( i = 0; !BER_BVISNULL( &vals[ i ] ); i++ ) {
1259 memberof_value_modify( op, rs,
1260 &vals[ i ], mo->mo_ad_member,
1261 &op->o_req_dn, &op->o_req_ndn,
1268 case LDAP_MOD_REPLACE:
1269 /* delete all ... */
1270 op->o_bd->bd_info = (BackendInfo *)on->on_info;
1271 rc = backend_attribute( op, NULL, &op->o_req_ndn,
1272 mo->mo_ad_memberof, &vals, ACL_READ );
1273 op->o_bd->bd_info = (BackendInfo *)on;
1274 if ( rc == LDAP_SUCCESS ) {
1275 for ( i = 0; !BER_BVISNULL( &vals[ i ] ); i++ ) {
1276 (void)memberof_value_modify( op, rs,
1277 &vals[ i ], mo->mo_ad_member,
1278 &op->o_req_dn, &op->o_req_ndn,
1281 ber_bvarray_free_x( vals, op->o_tmpmemctx );
1284 if ( ml->sml_op == LDAP_MOD_DELETE ) {
1290 assert( vals != NULL );
1292 for ( i = 0; !BER_BVISNULL( &vals[ i ] ); i++ ) {
1293 memberof_value_modify( op, rs,
1294 &vals[ i ], mo->mo_ad_member,
1296 &op->o_req_dn, &op->o_req_ndn );
1305 if ( memberof_isGroupOrMember( op, &iswhat ) == LDAP_SUCCESS
1306 && ( iswhat & MEMBEROF_IS_GROUP ) )
1308 for ( ml = op->orm_modlist; ml; ml = ml->sml_next ) {
1309 if ( ml->sml_desc != mo->mo_ad_member ) {
1313 switch ( ml->sml_op ) {
1314 case LDAP_MOD_DELETE:
1315 vals = ml->sml_nvalues;
1316 if ( vals != NULL ) {
1317 for ( i = 0; !BER_BVISNULL( &vals[ i ] ); i++ ) {
1318 memberof_value_modify( op, rs,
1319 &vals[ i ], mo->mo_ad_memberof,
1320 &op->o_req_dn, &op->o_req_ndn,
1327 case LDAP_MOD_REPLACE:
1328 vals = memberof_saved_member_get( op, &saved_member_vals );
1330 /* delete all ... */
1331 if ( vals != NULL ) {
1332 for ( i = 0; !BER_BVISNULL( &vals[ i ] ); i++ ) {
1333 (void)memberof_value_modify( op, rs,
1334 &vals[ i ], mo->mo_ad_memberof,
1335 &op->o_req_dn, &op->o_req_ndn,
1338 ber_bvarray_free_x( vals, op->o_tmpmemctx );
1341 if ( ml->sml_op == LDAP_MOD_DELETE ) {
1347 assert( ml->sml_nvalues != NULL );
1348 vals = ml->sml_nvalues;
1349 for ( i = 0; !BER_BVISNULL( &vals[ i ] ); i++ ) {
1350 memberof_value_modify( op, rs,
1351 &vals[ i ], mo->mo_ad_memberof,
1353 &op->o_req_dn, &op->o_req_ndn );
1363 return SLAP_CB_CONTINUE;
1367 * response callback that adds/deletes member values when a group member
1371 memberof_res_rename( Operation *op, SlapReply *rs )
1373 slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
1374 memberof_t *mo = (memberof_t *)on->on_bi.bi_private;
1376 struct berval newPDN, newDN = BER_BVNULL, newPNDN, newNDN;
1380 struct berval save_dn, save_ndn;
1381 memberof_is_t iswhat = MEMBEROF_IS_GROUP;
1383 if ( MEMBEROF_REFINT( mo ) ) {
1384 iswhat |= MEMBEROF_IS_MEMBER;
1387 if ( op->orr_nnewSup ) {
1388 newPNDN = *op->orr_nnewSup;
1391 dnParent( &op->o_req_ndn, &newPNDN );
1394 build_new_dn( &newNDN, &newPNDN, &op->orr_nnewrdn, op->o_tmpmemctx );
1396 save_dn = op->o_req_dn;
1397 save_ndn = op->o_req_ndn;
1399 op->o_req_dn = newNDN;
1400 op->o_req_ndn = newNDN;
1401 rc = memberof_isGroupOrMember( op, &iswhat );
1402 op->o_req_dn = save_dn;
1403 op->o_req_ndn = save_ndn;
1405 if ( rc != LDAP_SUCCESS || iswhat == MEMBEROF_IS_NONE ) {
1409 if ( op->orr_newSup ) {
1410 newPDN = *op->orr_newSup;
1413 dnParent( &op->o_req_dn, &newPDN );
1416 build_new_dn( &newDN, &newPDN, &op->orr_newrdn, op->o_tmpmemctx );
1418 if ( iswhat & MEMBEROF_IS_GROUP ) {
1419 op->o_bd->bd_info = (BackendInfo *)on->on_info;
1420 rc = backend_attribute( op, NULL, &newNDN,
1421 mo->mo_ad_member, &vals, ACL_READ );
1422 op->o_bd->bd_info = (BackendInfo *)on;
1424 if ( rc == LDAP_SUCCESS ) {
1425 for ( i = 0; !BER_BVISNULL( &vals[ i ] ); i++ ) {
1426 (void)memberof_value_modify( op, rs,
1427 &vals[ i ], mo->mo_ad_memberof,
1428 &op->o_req_dn, &op->o_req_ndn,
1431 ber_bvarray_free_x( vals, op->o_tmpmemctx );
1435 if ( MEMBEROF_REFINT( mo ) && ( iswhat & MEMBEROF_IS_MEMBER ) ) {
1436 op->o_bd->bd_info = (BackendInfo *)on->on_info;
1437 rc = backend_attribute( op, NULL, &newNDN,
1438 mo->mo_ad_memberof, &vals, ACL_READ );
1439 op->o_bd->bd_info = (BackendInfo *)on;
1441 if ( rc == LDAP_SUCCESS ) {
1442 for ( i = 0; !BER_BVISNULL( &vals[ i ] ); i++ ) {
1443 (void)memberof_value_modify( op, rs,
1444 &vals[ i ], mo->mo_ad_member,
1445 &op->o_req_dn, &op->o_req_ndn,
1448 ber_bvarray_free_x( vals, op->o_tmpmemctx );
1453 if ( !BER_BVISNULL( &newDN ) ) {
1454 op->o_tmpfree( newDN.bv_val, op->o_tmpmemctx );
1456 op->o_tmpfree( newNDN.bv_val, op->o_tmpmemctx );
1458 return SLAP_CB_CONTINUE;
1462 memberof_response( Operation *op, SlapReply *rs )
1464 if ( rs->sr_err != LDAP_SUCCESS ) {
1465 return SLAP_CB_CONTINUE;
1468 switch ( op->o_tag ) {
1470 return memberof_res_add( op, rs );
1472 case LDAP_REQ_DELETE:
1473 return memberof_res_delete( op, rs );
1475 case LDAP_REQ_MODIFY:
1476 return memberof_res_modify( op, rs );
1478 case LDAP_REQ_MODDN:
1479 return memberof_res_rename( op, rs );
1482 return SLAP_CB_CONTINUE;
1491 slap_overinst *on = (slap_overinst *)be->bd_info;
1492 memberof_t tmp_mo = { 0 }, *mo;
1494 mo = (memberof_t *)ch_calloc( 1, sizeof( memberof_t ) );
1497 mo->mo_dangling_err = LDAP_CONSTRAINT_VIOLATION;
1499 on->on_bi.bi_private = (void *)mo;
1520 static ConfigDriver mo_cf_gen;
1522 #define OID "1.3.6.1.4.1.7136.2.666.4"
1523 #define OIDAT OID ".1.1"
1524 #define OIDCFGAT OID ".1.2"
1525 #define OIDOC OID ".2.1"
1526 #define OIDCFGOC OID ".2.2"
1529 static ConfigTable mo_cfg[] = {
1530 { "memberof-dn", "modifiersName",
1531 2, 2, 0, ARG_MAGIC|ARG_DN|MO_DN, mo_cf_gen,
1532 "( OLcfgOvAt:18.0 NAME 'olcMemberOfDN' "
1533 "DESC 'DN to be used as modifiersName' "
1534 "SYNTAX OMsDN SINGLE-VALUE )",
1537 { "memberof-dangling", "ignore|drop|error",
1538 2, 2, 0, ARG_MAGIC|MO_DANGLING, mo_cf_gen,
1539 "( OLcfgOvAt:18.1 NAME 'olcMemberOfDangling' "
1540 "DESC 'Behavior with respect to dangling members, "
1541 "constrained to ignore, drop, error' "
1542 "SYNTAX OMsDirectoryString SINGLE-VALUE )",
1545 { "memberof-refint", "true|FALSE",
1546 2, 2, 0, ARG_MAGIC|ARG_ON_OFF|MO_REFINT, mo_cf_gen,
1547 "( OLcfgOvAt:18.2 NAME 'olcMemberOfRefInt' "
1548 "DESC 'Take care of referential integrity' "
1549 "SYNTAX OMsBoolean SINGLE-VALUE )",
1552 { "memberof-group-oc", "objectClass",
1553 2, 2, 0, ARG_MAGIC|MO_GROUP_OC, mo_cf_gen,
1554 "( OLcfgOvAt:18.3 NAME 'olcMemberOfGroupOC' "
1555 "DESC 'Group objectClass' "
1556 "SYNTAX OMsDirectoryString SINGLE-VALUE )",
1559 { "memberof-member-ad", "member attribute",
1560 2, 2, 0, ARG_MAGIC|MO_MEMBER_AD, mo_cf_gen,
1561 "( OLcfgOvAt:18.4 NAME 'olcMemberOfMemberAD' "
1562 "DESC 'member attribute' "
1563 "SYNTAX OMsDirectoryString SINGLE-VALUE )",
1566 { "memberof-memberof-ad", "memberOf attribute",
1567 2, 2, 0, ARG_MAGIC|MO_MEMBER_OF_AD, mo_cf_gen,
1568 "( OLcfgOvAt:18.5 NAME 'olcMemberOfMemberOfAD' "
1569 "DESC 'memberOf attribute' "
1570 "SYNTAX OMsDirectoryString SINGLE-VALUE )",
1574 { "memberof-reverse", "true|FALSE",
1575 2, 2, 0, ARG_MAGIC|ARG_ON_OFF|MO_REVERSE, mo_cf_gen,
1576 "( OLcfgOvAt:18.6 NAME 'olcMemberOfReverse' "
1577 "DESC 'Take care of referential integrity "
1578 "also when directly modifying memberOf' "
1579 "SYNTAX OMsBoolean SINGLE-VALUE )",
1583 { "memberof-dangling-error", "error code",
1584 2, 2, 0, ARG_MAGIC|MO_DANGLING_ERROR, mo_cf_gen,
1585 "( OLcfgOvAt:18.7 NAME 'olcMemberOfDanglingError' "
1586 "DESC 'Error code returned in case of dangling back reference' "
1587 "SYNTAX OMsDirectoryString SINGLE-VALUE )",
1590 { NULL, NULL, 0, 0, 0, ARG_IGNORED }
1593 static ConfigOCs mo_ocs[] = {
1594 { "( OLcfgOvOc:18.1 "
1595 "NAME 'olcMemberOf' "
1596 "DESC 'Member-of configuration' "
1597 "SUP olcOverlayConfig "
1600 "$ olcMemberOfDangling "
1601 "$ olcMemberOfDanglingError"
1602 "$ olcMemberOfRefInt "
1603 "$ olcMemberOfGroupOC "
1604 "$ olcMemberOfMemberAD "
1605 "$ olcMemberOfMemberOfAD "
1607 "$ olcMemberOfReverse "
1611 Cft_Overlay, mo_cfg, NULL, NULL },
1615 static slap_verbmasks dangling_mode[] = {
1616 { BER_BVC( "ignore" ), MEMBEROF_NONE },
1617 { BER_BVC( "drop" ), MEMBEROF_FDANGLING_DROP },
1618 { BER_BVC( "error" ), MEMBEROF_FDANGLING_ERROR },
1623 memberof_make_group_filter( memberof_t *mo )
1627 if ( !BER_BVISNULL( &mo->mo_groupFilterstr ) ) {
1628 ch_free( mo->mo_groupFilterstr.bv_val );
1631 mo->mo_groupFilter.f_choice = LDAP_FILTER_EQUALITY;
1632 mo->mo_groupFilter.f_ava = &mo->mo_groupAVA;
1634 mo->mo_groupFilter.f_av_desc = slap_schema.si_ad_objectClass;
1635 mo->mo_groupFilter.f_av_value = mo->mo_oc_group->soc_cname;
1637 mo->mo_groupFilterstr.bv_len = STRLENOF( "(=)" )
1638 + slap_schema.si_ad_objectClass->ad_cname.bv_len
1639 + mo->mo_oc_group->soc_cname.bv_len;
1640 ptr = mo->mo_groupFilterstr.bv_val = ch_malloc( mo->mo_groupFilterstr.bv_len + 1 );
1642 ptr = lutil_strcopy( ptr, slap_schema.si_ad_objectClass->ad_cname.bv_val );
1644 ptr = lutil_strcopy( ptr, mo->mo_oc_group->soc_cname.bv_val );
1652 memberof_make_member_filter( memberof_t *mo )
1656 if ( !BER_BVISNULL( &mo->mo_memberFilterstr ) ) {
1657 ch_free( mo->mo_memberFilterstr.bv_val );
1660 mo->mo_memberFilter.f_choice = LDAP_FILTER_PRESENT;
1661 mo->mo_memberFilter.f_desc = mo->mo_ad_memberof;
1663 mo->mo_memberFilterstr.bv_len = STRLENOF( "(=*)" )
1664 + mo->mo_ad_memberof->ad_cname.bv_len;
1665 ptr = mo->mo_memberFilterstr.bv_val = ch_malloc( mo->mo_memberFilterstr.bv_len + 1 );
1667 ptr = lutil_strcopy( ptr, mo->mo_ad_memberof->ad_cname.bv_val );
1668 ptr = lutil_strcopy( ptr, "=*)" );
1674 mo_cf_gen( ConfigArgs *c )
1676 slap_overinst *on = (slap_overinst *)c->bi;
1677 memberof_t *mo = (memberof_t *)on->on_bi.bi_private;
1681 if ( c->op == SLAP_CONFIG_EMIT ) {
1682 struct berval bv = BER_BVNULL;
1686 if ( mo->mo_dn.bv_val != NULL) {
1687 value_add_one( &c->rvalue_vals, &mo->mo_dn );
1688 value_add_one( &c->rvalue_nvals, &mo->mo_ndn );
1693 enum_to_verb( dangling_mode, (mo->mo_flags & MEMBEROF_FDANGLING_MASK), &bv );
1694 if ( BER_BVISNULL( &bv ) ) {
1695 /* there's something wrong... */
1700 value_add_one( &c->rvalue_vals, &bv );
1704 case MO_DANGLING_ERROR:
1705 if ( mo->mo_flags & MEMBEROF_FDANGLING_ERROR ) {
1706 char buf[ SLAP_TEXT_BUFLEN ];
1707 enum_to_verb( slap_ldap_response_code, mo->mo_dangling_err, &bv );
1708 if ( BER_BVISNULL( &bv ) ) {
1709 bv.bv_len = snprintf( buf, sizeof( buf ), "0x%x", mo->mo_dangling_err );
1710 if ( bv.bv_len < sizeof( buf ) ) {
1717 value_add_one( &c->rvalue_vals, &bv );
1724 c->value_int = MEMBEROF_REFINT( mo );
1729 c->value_int = MEMBEROF_REVERSE( mo );
1734 if ( mo->mo_oc_group != NULL ){
1735 value_add_one( &c->rvalue_vals, &mo->mo_oc_group->soc_cname );
1740 if ( mo->mo_ad_member != NULL ){
1741 value_add_one( &c->rvalue_vals, &mo->mo_ad_member->ad_cname );
1745 case MO_MEMBER_OF_AD:
1746 if ( mo->mo_ad_memberof != NULL ){
1747 value_add_one( &c->rvalue_vals, &mo->mo_ad_memberof->ad_cname );
1758 } else if ( c->op == LDAP_MOD_DELETE ) {
1759 return 1; /* FIXME */
1764 if ( !BER_BVISNULL( &mo->mo_dn ) ) {
1765 ber_memfree( mo->mo_dn.bv_val );
1766 ber_memfree( mo->mo_ndn.bv_val );
1768 mo->mo_dn = c->value_dn;
1769 mo->mo_ndn = c->value_ndn;
1773 i = verb_to_mask( c->argv[ 1 ], dangling_mode );
1774 if ( BER_BVISNULL( &dangling_mode[ i ].word ) ) {
1778 mo->mo_flags &= ~MEMBEROF_FDANGLING_MASK;
1779 mo->mo_flags |= dangling_mode[ i ].mask;
1782 case MO_DANGLING_ERROR:
1783 i = verb_to_mask( c->argv[ 1 ], slap_ldap_response_code );
1784 if ( !BER_BVISNULL( &slap_ldap_response_code[ i ].word ) ) {
1785 mo->mo_dangling_err = slap_ldap_response_code[ i ].mask;
1786 } else if ( lutil_atoix( &mo->mo_dangling_err, c->argv[ 1 ], 0 ) ) {
1792 if ( c->value_int ) {
1793 mo->mo_flags |= MEMBEROF_FREFINT;
1796 mo->mo_flags &= ~MEMBEROF_FREFINT;
1802 if ( c->value_int ) {
1803 mo->mo_flags |= MEMBEROF_FREVERSE;
1806 mo->mo_flags &= ~MEMBEROF_FREVERSE;
1812 ObjectClass *oc = NULL;
1814 oc = oc_find( c->argv[ 1 ] );
1816 snprintf( c->cr_msg, sizeof( c->cr_msg ),
1817 "unable to find group objectClass=\"%s\"",
1819 Debug( LDAP_DEBUG_CONFIG, "%s: %s.\n",
1820 c->log, c->cr_msg, 0 );
1824 mo->mo_oc_group = oc;
1825 memberof_make_group_filter( mo );
1828 case MO_MEMBER_AD: {
1829 AttributeDescription *ad = NULL;
1830 const char *text = NULL;
1833 rc = slap_str2ad( c->argv[ 1 ], &ad, &text );
1834 if ( rc != LDAP_SUCCESS ) {
1835 snprintf( c->cr_msg, sizeof( c->cr_msg ),
1836 "unable to find member attribute=\"%s\": %s (%d)",
1837 c->argv[ 1 ], text, rc );
1838 Debug( LDAP_DEBUG_CONFIG, "%s: %s.\n",
1839 c->log, c->cr_msg, 0 );
1843 if ( !is_at_syntax( ad->ad_type, SLAPD_DN_SYNTAX ) /* e.g. "member" */
1844 && !is_at_syntax( ad->ad_type, SLAPD_NAMEUID_SYNTAX ) ) /* e.g. "uniqueMember" */
1846 snprintf( c->cr_msg, sizeof( c->cr_msg ),
1847 "member attribute=\"%s\" must either "
1848 "have DN (%s) or nameUID (%s) syntax",
1849 c->argv[ 1 ], SLAPD_DN_SYNTAX, SLAPD_NAMEUID_SYNTAX );
1850 Debug( LDAP_DEBUG_CONFIG, "%s: %s.\n",
1851 c->log, c->cr_msg, 0 );
1855 mo->mo_ad_member = ad;
1858 case MO_MEMBER_OF_AD: {
1859 AttributeDescription *ad = NULL;
1860 const char *text = NULL;
1863 rc = slap_str2ad( c->argv[ 1 ], &ad, &text );
1864 if ( rc != LDAP_SUCCESS ) {
1865 snprintf( c->cr_msg, sizeof( c->cr_msg ),
1866 "unable to find memberof attribute=\"%s\": %s (%d)",
1867 c->argv[ 1 ], text, rc );
1868 Debug( LDAP_DEBUG_CONFIG, "%s: %s.\n",
1869 c->log, c->cr_msg, 0 );
1873 if ( !is_at_syntax( ad->ad_type, SLAPD_DN_SYNTAX ) /* e.g. "member" */
1874 && !is_at_syntax( ad->ad_type, SLAPD_NAMEUID_SYNTAX ) ) /* e.g. "uniqueMember" */
1876 snprintf( c->cr_msg, sizeof( c->cr_msg ),
1877 "memberof attribute=\"%s\" must either "
1878 "have DN (%s) or nameUID (%s) syntax",
1879 c->argv[ 1 ], SLAPD_DN_SYNTAX, SLAPD_NAMEUID_SYNTAX );
1880 Debug( LDAP_DEBUG_CONFIG, "%s: %s.\n",
1881 c->log, c->cr_msg, 0 );
1885 mo->mo_ad_memberof = ad;
1886 memberof_make_member_filter( mo );
1903 slap_overinst *on = (slap_overinst *)be->bd_info;
1904 memberof_t *mo = (memberof_t *)on->on_bi.bi_private;
1907 const char *text = NULL;
1909 if( ! mo->mo_ad_memberof ){
1910 rc = slap_str2ad( SLAPD_MEMBEROF_ATTR, &mo->mo_ad_memberof, &text );
1911 if ( rc != LDAP_SUCCESS ) {
1912 Debug( LDAP_DEBUG_ANY, "memberof_db_open: "
1913 "unable to find attribute=\"%s\": %s (%d)\n",
1914 SLAPD_MEMBEROF_ATTR, text, rc );
1919 if( ! mo->mo_ad_member ){
1920 rc = slap_str2ad( SLAPD_GROUP_ATTR, &mo->mo_ad_member, &text );
1921 if ( rc != LDAP_SUCCESS ) {
1922 Debug( LDAP_DEBUG_ANY, "memberof_db_open: "
1923 "unable to find attribute=\"%s\": %s (%d)\n",
1924 SLAPD_GROUP_ATTR, text, rc );
1929 if( ! mo->mo_oc_group ){
1930 mo->mo_oc_group = oc_find( SLAPD_GROUP_CLASS );
1931 if ( mo->mo_oc_group == NULL ) {
1932 Debug( LDAP_DEBUG_ANY,
1933 "memberof_db_open: "
1934 "unable to find objectClass=\"%s\"\n",
1935 SLAPD_GROUP_CLASS, 0, 0 );
1940 if ( BER_BVISNULL( &mo->mo_dn ) ) {
1941 ber_dupbv( &mo->mo_dn, &be->be_rootdn );
1942 ber_dupbv( &mo->mo_ndn, &be->be_rootndn );
1945 if ( BER_BVISNULL( &mo->mo_groupFilterstr ) ) {
1946 memberof_make_group_filter( mo );
1949 if ( BER_BVISNULL( &mo->mo_memberFilterstr ) ) {
1950 memberof_make_member_filter( mo );
1957 memberof_db_destroy(
1961 slap_overinst *on = (slap_overinst *)be->bd_info;
1962 memberof_t *mo = (memberof_t *)on->on_bi.bi_private;
1965 if ( !BER_BVISNULL( &mo->mo_dn ) ) {
1966 ber_memfree( mo->mo_dn.bv_val );
1967 ber_memfree( mo->mo_ndn.bv_val );
1970 if ( !BER_BVISNULL( &mo->mo_groupFilterstr ) ) {
1971 ber_memfree( mo->mo_groupFilterstr.bv_val );
1974 if ( !BER_BVISNULL( &mo->mo_memberFilterstr ) ) {
1975 ber_memfree( mo->mo_memberFilterstr.bv_val );
1985 static AttributeDescription *ad_memberOf;
1989 AttributeDescription **adp;
1991 { "( 1.2.840.113556.1.2.102 "
1993 "DESC 'Group that the entry belongs to' "
1994 "SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' "
1995 "EQUALITY distinguishedNameMatch " /* added */
1996 "USAGE dSAOperation " /* added; questioned */
1997 /* "NO-USER-MODIFICATION " */ /* add? */
1998 "X-ORIGIN 'iPlanet Delegated Administrator' )",
2003 #if SLAPD_OVER_MEMBEROF == SLAPD_MOD_DYNAMIC
2005 #endif /* SLAPD_OVER_MEMBEROF == SLAPD_MOD_DYNAMIC */
2007 memberof_initialize( void )
2011 for ( i = 0; as[ i ].desc != NULL; i++ ) {
2012 code = register_at( as[ i ].desc, as[ i ].adp, 0 );
2014 Debug( LDAP_DEBUG_ANY,
2015 "memberof_initialize: register_at #%d failed\n",
2021 memberof.on_bi.bi_type = "memberof";
2023 memberof.on_bi.bi_db_init = memberof_db_init;
2024 memberof.on_bi.bi_db_open = memberof_db_open;
2025 memberof.on_bi.bi_db_destroy = memberof_db_destroy;
2027 memberof.on_bi.bi_op_add = memberof_op_add;
2028 memberof.on_bi.bi_op_delete = memberof_op_delete;
2029 memberof.on_bi.bi_op_modify = memberof_op_modify;
2031 memberof.on_response = memberof_response;
2033 memberof.on_bi.bi_cf_ocs = mo_ocs;
2035 code = config_register_schema( mo_cfg, mo_ocs );
2036 if ( code ) return code;
2038 return overlay_register( &memberof );
2041 #if SLAPD_OVER_MEMBEROF == SLAPD_MOD_DYNAMIC
2043 init_module( int argc, char *argv[] )
2045 return memberof_initialize();
2047 #endif /* SLAPD_OVER_MEMBEROF == SLAPD_MOD_DYNAMIC */
2049 #endif /* SLAPD_OVER_MEMBEROF */