1 /* refint.c - referential integrity module */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
5 * Copyright 2004-2006 The OpenLDAP Foundation.
6 * Portions Copyright 2004 Symas Corporation.
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted only as authorized by the OpenLDAP
13 * A copy of this license is available in the file LICENSE in the
14 * top-level directory of the distribution or, alternatively, at
15 * <http://www.OpenLDAP.org/license.html>.
18 * This work was initially developed by Symas Corp. for inclusion in
19 * OpenLDAP Software. This work was sponsored by Hewlett-Packard.
24 /* This module maintains referential integrity for a set of
25 * DN-valued attributes by searching for all references to a given
26 * DN whenever the DN is changed or its entry is deleted, and making
27 * the appropriate update.
29 * Updates are performed using the database rootdn, but the ModifiersName
30 * is always set to refint_dn.
33 #ifdef SLAPD_OVER_REFINT
37 #include <ac/string.h>
38 #include <ac/socket.h>
43 static slap_overinst refint;
45 /* The DN to use in the ModifiersName for all refint updates */
46 static BerValue refint_dn = BER_BVC("cn=Referential Integrity Overlay");
48 typedef struct refint_attrs_s {
49 struct refint_attrs_s *next;
50 AttributeDescription *attr;
53 typedef struct dependents_s {
54 struct dependents_s *next;
55 BerValue dn; /* target dn */
59 typedef struct refint_data_s {
60 const char *message; /* breadcrumbs */
61 struct refint_attrs_s *attrs; /* list of known attrs */
62 struct dependents_s *mods; /* modifications returned from callback */
63 BerValue dn; /* basedn in parent, searchdn in call */
64 BerValue newdn; /* replacement value for modrdn callback */
65 BerValue nnewdn; /* normalized replacement value */
66 BerValue nothing; /* the nothing value, if needed */
67 BerValue nnothing; /* normalized nothingness */
75 static ConfigDriver refint_cf_gen;
77 static ConfigTable refintcfg[] = {
78 { "refint_attributes", "attribute...", 2, 0, 0,
79 ARG_MAGIC|REFINT_ATTRS, refint_cf_gen,
80 "( OLcfgOvAt:11.1 NAME 'olcRefintAttribute' "
81 "DESC 'Attributes for referential integrity' "
82 "SYNTAX OMsDirectoryString )", NULL, NULL },
83 { "refint_nothing", "string", 2, 2, 0,
84 ARG_DN|ARG_MAGIC|REFINT_NOTHING, refint_cf_gen,
85 "( OLcfgOvAt:11.2 NAME 'olcRefintNothing' "
86 "DESC 'Replacement DN to supply when needed' "
87 "SYNTAX OMsDN SINGLE-VALUE )", NULL, NULL },
88 { NULL, NULL, 0, 0, 0, ARG_IGNORED }
91 static ConfigOCs refintocs[] = {
93 "NAME 'olcRefintConfig' "
94 "DESC 'Referential integrity configuration' "
95 "SUP olcOverlayConfig "
96 "MAY ( olcRefintAttribute $ olcRefintNothing ) )",
97 Cft_Overlay, refintcfg },
102 refint_cf_gen(ConfigArgs *c)
104 slap_overinst *on = (slap_overinst *)c->bi;
105 refint_data *dd = (refint_data *)on->on_bi.bi_private;
106 BackendDB *be = (BackendDB *)c->be;
107 refint_attrs *ip, *pip, **pipp = NULL;
108 AttributeDescription *ad;
110 int rc = ARG_BAD_CONF;
114 case SLAP_CONFIG_EMIT:
119 value_add_one( &c->rvalue_vals,
120 &ip->attr->ad_cname );
126 if ( !BER_BVISEMPTY( &dd->nothing )) {
127 rc = value_add_one( &c->rvalue_vals,
130 rc = value_add_one( &c->rvalue_nvals,
140 case LDAP_MOD_DELETE:
153 /* delete from linked list */
154 for ( i=0; i < c->valx; ++i ) {
155 pipp = &(*pipp)->next;
158 *pipp = (*pipp)->next;
160 /* AttributeDescriptions are global so
161 * shouldn't be freed here... */
167 if ( dd->nothing.bv_val )
168 ber_memfree ( dd->nothing.bv_val );
169 if ( dd->nnothing.bv_val )
170 ber_memfree ( dd->nnothing.bv_val );
171 dd->nothing.bv_len = 0;
172 dd->nnothing.bv_len = 0;
179 case SLAP_CONFIG_ADD:
180 /* fallthrough to LDAP_MOD_ADD */
185 for ( i=1; i < c->argc; ++i ) {
187 if ( slap_str2ad ( c->argv[i], &ad, &text )
190 sizeof ( refint_attrs ) );
192 ip->next = dd->attrs;
195 Debug ( LDAP_DEBUG_CONFIG,
196 "refint add: <%s>: %s\n",
197 c->argv[i], text, NULL );
200 SLAP_TEXT_BUFLEN-1 );
201 c->msg[SLAP_TEXT_BUFLEN-1] = '\0';
207 if ( dd->nothing.bv_val )
208 ber_memfree ( dd->nothing.bv_val );
209 if ( dd->nnothing.bv_val )
210 ber_memfree ( dd->nnothing.bv_val );
211 dd->nothing = c->value_dn;
212 dd->nnothing = c->value_ndn;
227 ** allocate new refint_data;
228 ** store in on_bi.bi_private;
237 slap_overinst *on = (slap_overinst *)be->bd_info;
238 refint_data *id = ch_calloc(1,sizeof(refint_data));
240 id->message = "_init";
241 on->on_bi.bi_private = id;
250 slap_overinst *on = (slap_overinst *)be->bd_info;
252 if ( on->on_bi.bi_private ) {
253 ch_free( on->on_bi.bi_private );
254 on->on_bi.bi_private = NULL;
260 ** initialize, copy basedn if not already set
269 slap_overinst *on = (slap_overinst *)be->bd_info;
270 refint_data *id = on->on_bi.bi_private;
271 id->message = "_open";
273 if ( BER_BVISNULL( &id->dn )) {
274 if ( BER_BVISNULL( &be->be_nsuffix[0] ))
276 ber_dupbv( &id->dn, &be->be_nsuffix[0] );
283 ** foreach configured attribute:
286 ** (do not) free id->message;
287 ** reset on_bi.bi_private;
288 ** free our config data;
297 slap_overinst *on = (slap_overinst *) be->bd_info;
298 refint_data *id = on->on_bi.bi_private;
299 refint_attrs *ii, *ij;
300 id->message = "_close";
302 for(ii = id->attrs; ii; ii = ij) {
307 ch_free(id->dn.bv_val);
308 ch_free(id->nothing.bv_val);
309 ch_free(id->nnothing.bv_val);
311 memset( id, 0, sizeof(*id));
318 ** generates a list of Modification* from search results
329 refint_data *dd = op->o_callback->sc_private;
330 refint_attrs *ia, *da = dd->attrs;
332 Modifications *mp, *ma;
335 Debug(LDAP_DEBUG_TRACE, "refint_delete_cb <%s>\n",
336 rs->sr_entry ? rs->sr_entry->e_name.bv_val : "NOTHING", 0, 0);
338 if (rs->sr_type != REP_SEARCH || !rs->sr_entry) return(0);
339 dd->message = "_delete_cb";
342 ** foreach configured attribute type:
343 ** if this attr exists in the search result,
344 ** and it has a value matching the target:
345 ** allocate a Modification;
346 ** allocate its array of 2 BerValues;
347 ** if only one value, and we have a configured Nothing:
348 ** allocate additional Modification
350 ** BerValues[] = { Nothing, NULL };
353 ** BerValues[] = { our target dn, NULL };
354 ** add this mod to the list of mods;
358 ip = ch_malloc(sizeof(dependent_data));
359 ip->dn.bv_val = NULL;
363 for(ia = da; ia; ia = ia->next) {
364 if ( (a = attr_find(rs->sr_entry->e_attrs, ia->attr) ) )
365 for(i = 0, b = a->a_nvals; b[i].bv_val; i++)
366 if(bvmatch(&dd->dn, &b[i])) {
367 if(!ip->dn.bv_val) ber_dupbv(&ip->dn, &rs->sr_entry->e_nname);
368 if(!b[1].bv_val && dd->nothing.bv_val) {
369 mp = ch_malloc(sizeof(Modifications));
370 mp->sml_desc = ia->attr; /* XXX */
371 mp->sml_type = a->a_desc->ad_cname;
372 mp->sml_values = ch_malloc(2 * sizeof(BerValue));
373 mp->sml_nvalues = ch_malloc(2 * sizeof(BerValue));
374 mp->sml_values[1].bv_len = mp->sml_nvalues[1].bv_len = 0;
375 mp->sml_values[1].bv_val = mp->sml_nvalues[1].bv_val = NULL;
377 mp->sml_op = LDAP_MOD_ADD;
379 ber_dupbv(&mp->sml_values[0], &dd->nothing);
380 ber_dupbv(&mp->sml_nvalues[0], &dd->nnothing);
384 /* this might violate the object class */
385 mp = ch_malloc(sizeof(Modifications));
386 mp->sml_desc = ia->attr; /* XXX */
387 mp->sml_type = a->a_desc->ad_cname;
388 mp->sml_values = ch_malloc(2 * sizeof(BerValue));
389 mp->sml_nvalues = ch_malloc(2 * sizeof(BerValue));
390 mp->sml_values[1].bv_len = mp->sml_nvalues[1].bv_len = 0;
391 mp->sml_values[1].bv_val = mp->sml_nvalues[1].bv_val = NULL;
392 mp->sml_op = LDAP_MOD_DELETE;
394 ber_dupbv(&mp->sml_values[0], &dd->dn);
395 ber_dupbv(&mp->sml_nvalues[0], &mp->sml_values[0]);
398 Debug(LDAP_DEBUG_TRACE, "refint_delete_cb: %s: %s\n",
399 a->a_desc->ad_cname.bv_val, dd->dn.bv_val, 0);
421 ((refint_data *)op->o_callback->sc_private)->message = "_null_cb";
422 return(LDAP_SUCCESS);
427 ** generates a list of Modification* from search results
438 refint_data *dd = op->o_callback->sc_private;
439 refint_attrs *ia, *da = dd->attrs;
440 dependent_data *ip = NULL;
444 Debug(LDAP_DEBUG_TRACE, "refint_modrdn_cb <%s>\n",
445 rs->sr_entry ? rs->sr_entry->e_name.bv_val : "NOTHING", 0, 0);
447 if (rs->sr_type != REP_SEARCH || !rs->sr_entry) return(0);
448 dd->message = "_modrdn_cb";
451 ** foreach configured attribute type:
452 ** if this attr exists in the search result,
453 ** and it has a value matching the target:
454 ** allocate a pair of Modifications;
455 ** make it MOD_ADD the new value and MOD_DELETE the old;
456 ** allocate its array of BerValues;
457 ** foreach value in the search result:
458 ** if it matches our target value, replace it;
459 ** otherwise, copy from the search result;
460 ** terminate the array of BerValues;
461 ** add these mods to the list of mods;
465 for(ia = da; ia; ia = ia->next) {
466 if((a = attr_find(rs->sr_entry->e_attrs, ia->attr))) {
467 for(fix = 0, i = 0, b = a->a_nvals; b[i].bv_val; i++)
468 if(bvmatch(&dd->dn, &b[i])) { fix++; break; }
471 ip = ch_malloc(sizeof(dependent_data));
474 ber_dupbv(&ip->dn, &rs->sr_entry->e_nname);
476 mp = ch_malloc(sizeof(Modifications));
477 mp->sml_op = LDAP_MOD_ADD;
479 mp->sml_desc = ia->attr; /* XXX */
480 mp->sml_type = ia->attr->ad_cname;
481 mp->sml_values = ch_malloc(2 * sizeof(BerValue));
482 mp->sml_nvalues = ch_malloc(2 * sizeof(BerValue));
483 ber_dupbv(&mp->sml_values[0], &dd->newdn);
484 ber_dupbv(&mp->sml_nvalues[0], &dd->nnewdn);
485 mp->sml_values[1].bv_len = mp->sml_nvalues[1].bv_len = 0;
486 mp->sml_values[1].bv_val = mp->sml_nvalues[1].bv_val = NULL;
487 mp->sml_next = ip->mm;
489 mp = ch_malloc(sizeof(Modifications));
490 mp->sml_op = LDAP_MOD_DELETE;
492 mp->sml_desc = ia->attr; /* XXX */
493 mp->sml_type = ia->attr->ad_cname;
494 mp->sml_values = ch_malloc(2 * sizeof(BerValue));
495 mp->sml_nvalues = ch_malloc(2 * sizeof(BerValue));
496 ber_dupbv(&mp->sml_values[0], &dd->dn);
497 ber_dupbv(&mp->sml_nvalues[0], &dd->dn);
498 mp->sml_values[1].bv_len = mp->sml_nvalues[1].bv_len = 0;
499 mp->sml_values[1].bv_val = mp->sml_nvalues[1].bv_val = NULL;
500 mp->sml_next = ip->mm;
502 Debug(LDAP_DEBUG_TRACE, "refint_modrdn_cb: %s: %s\n",
503 a->a_desc->ad_cname.bv_val, dd->dn.bv_val, 0);
518 ** search for matching records and modify them
528 SlapReply nrs = { REP_RESULT };
529 slap_callback cb = { NULL, NULL, NULL, NULL };
530 slap_callback cb2 = { NULL, slap_replog_cb, NULL, NULL };
531 slap_callback *cbo, *cbp;
532 slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
533 refint_data *id = on->on_bi.bi_private;
534 refint_data dd = *id;
541 id->message = "_refint_response";
543 /* If the main op failed or is not a Delete or ModRdn, ignore it */
544 if (( op->o_tag != LDAP_REQ_DELETE && op->o_tag != LDAP_REQ_MODRDN ) ||
545 rs->sr_err != LDAP_SUCCESS )
546 return SLAP_CB_CONTINUE;
549 ** validate (and count) the list of attrs;
553 for(ip = id->attrs, ac = 0; ip; ip = ip->next, ac++);
555 Debug( LDAP_DEBUG_TRACE,
556 "refint_response called without any attributes\n", 0, 0, 0 );
557 return SLAP_CB_CONTINUE;
561 ** find the backend that matches our configured basedn;
562 ** make sure it exists and has search and modify methods;
566 nop.o_bd = select_backend(&id->dn, 0, 1);
569 if (!nop.o_bd->be_search || !nop.o_bd->be_modify) {
570 Debug( LDAP_DEBUG_TRACE,
571 "refint_response: backend missing search and/or modify\n",
573 return SLAP_CB_CONTINUE;
576 Debug( LDAP_DEBUG_TRACE,
577 "refint_response: no backend for our baseDN %s??\n",
578 id->dn.bv_val, 0, 0 );
579 return SLAP_CB_CONTINUE;
585 ** if delete: set delete callback;
586 ** else modrdn: create a newdn, set modify callback;
590 if(op->o_tag == LDAP_REQ_DELETE) {
591 cb.sc_response = &refint_delete_cb;
592 dd.newdn.bv_val = NULL;
593 dd.nnewdn.bv_val = NULL;
595 cb.sc_response = &refint_modrdn_cb;
596 if ( op->oq_modrdn.rs_newSup ) {
597 pdn = *op->oq_modrdn.rs_newSup;
599 dnParent( &op->o_req_dn, &pdn );
601 build_new_dn( &dd.newdn, &pdn, &op->orr_newrdn, NULL );
602 if ( op->oq_modrdn.rs_nnewSup ) {
603 pdn = *op->oq_modrdn.rs_nnewSup;
605 dnParent( &op->o_req_ndn, &pdn );
607 build_new_dn( &dd.nnewdn, &pdn, &op->orr_nnewrdn, NULL );
611 ** build a search filter for all configured attributes;
612 ** populate our Operation;
613 ** pass our data (attr list, dn) to backend via sc_private;
614 ** call the backend search function;
615 ** nb: (|(one=thing)) is valid, but do smart formatting anyway;
616 ** nb: 16 is arbitrarily a dozen or so extra bytes;
620 ftop.f_choice = LDAP_FILTER_OR;
623 nop.ors_filter = &ftop;
624 for(ip = id->attrs; ip; ip = ip->next) {
625 fptr = ch_malloc( sizeof(Filter) + sizeof(AttributeAssertion) );
626 fptr->f_choice = LDAP_FILTER_EQUALITY;
627 fptr->f_ava = (AttributeAssertion *)(fptr+1);
628 fptr->f_ava->aa_desc = ip->attr;
629 fptr->f_ava->aa_value = op->o_req_ndn;
630 fptr->f_next = ftop.f_or;
633 filter2bv( nop.ors_filter, &nop.ors_filterstr );
635 /* callback gets the searched dn instead */
636 dd.dn = op->o_req_ndn;
637 dd.message = "_dependent_search";
640 nop.o_callback = &cb;
641 nop.o_tag = LDAP_REQ_SEARCH;
642 nop.ors_scope = LDAP_SCOPE_SUBTREE;
643 nop.ors_deref = LDAP_DEREF_NEVER;
644 nop.ors_limit = NULL;
645 nop.ors_slimit = SLAP_NO_LIMIT;
646 nop.ors_tlimit = SLAP_NO_LIMIT;
649 nop.ors_attrs = slap_anlist_no_attrs;
650 nop.ors_attrsonly = 1;
652 nop.o_req_ndn = id->dn;
653 nop.o_req_dn = id->dn;
656 rc = nop.o_bd->be_search(&nop, &nrs);
658 ch_free( nop.ors_filterstr.bv_val );
659 while ( (fptr = ftop.f_or) != NULL ) {
660 ftop.f_or = fptr->f_next;
663 ch_free(dd.nnewdn.bv_val);
664 ch_free(dd.newdn.bv_val);
665 dd.newdn.bv_val = NULL;
666 dd.nnewdn.bv_val = NULL;
668 if(rc != LDAP_SUCCESS) {
669 Debug( LDAP_DEBUG_TRACE,
670 "refint_response: search failed: %d\n",
675 /* safety? paranoid just in case */
677 Debug( LDAP_DEBUG_TRACE,
678 "refint_response: callback wiped out sc_private?!\n",
683 /* presto! now it's a modify request with null callback */
684 cb.sc_response = &refint_null_cb;
685 nop.o_tag = LDAP_REQ_MODIFY;
686 dd.message = "_dependent_modify";
688 /* See if the parent operation is going into the replog */
689 for (cbo=op->o_callback, cbp = cbo->sc_next; cbp; cbo=cbp,cbp=cbp->sc_next) {
690 if (cbp->sc_response == slap_replog_cb) {
691 /* Invoke replog now, arrange for our
692 * dependent mods to also be logged
694 cbo->sc_next = cbp->sc_next;
696 nop.o_callback = &cb2;
702 ** [our search callback builds a list of mods]
704 ** make sure its dn has a backend;
705 ** connect Modification* chain to our op;
706 ** call the backend modify function;
707 ** pass any errors upstream;
711 for(dp = dd.mods; dp; dp = dp->next) {
712 nop.o_req_dn = dp->dn;
713 nop.o_req_ndn = dp->dn;
714 nop.o_bd = select_backend(&dp->dn, 0, 1);
716 Debug( LDAP_DEBUG_TRACE,
717 "refint_response: no backend for DN %s!\n",
718 dp->dn.bv_val, 0, 0 );
721 nrs.sr_type = REP_RESULT;
722 nop.orm_modlist = dp->mm; /* callback did all the work */
723 nop.o_dn = refint_dn;
724 nop.o_ndn = refint_dn;
725 nop.o_dn = nop.o_bd->be_rootdn;
726 nop.o_ndn = nop.o_bd->be_rootndn;
727 if(rs->sr_err != LDAP_SUCCESS) goto done;
728 if((rc = nop.o_bd->be_modify(&nop, &nrs)) != LDAP_SUCCESS) {
729 Debug( LDAP_DEBUG_TRACE,
730 "refint_response: dependent modify failed: %d\n",
737 for(dp = dd.mods; dp; dp = dd.mods) {
739 ch_free(dp->dn.bv_val);
740 slap_mods_free(dp->mm, 1);
744 return(SLAP_CB_CONTINUE);
748 ** init_module is last so the symbols resolve "for free" --
749 ** it expects to be called automagically during dynamic module initialization
752 int refint_initialize() {
755 /* statically declared just after the #includes at top */
756 refint.on_bi.bi_type = "refint";
757 refint.on_bi.bi_db_init = refint_db_init;
758 refint.on_bi.bi_db_destroy = refint_db_destroy;
759 refint.on_bi.bi_db_open = refint_open;
760 refint.on_bi.bi_db_close = refint_close;
761 refint.on_response = refint_response;
763 refint.on_bi.bi_cf_ocs = refintocs;
764 rc = config_register_schema ( refintcfg, refintocs );
767 return(overlay_register(&refint));
770 #if SLAPD_OVER_REFINT == SLAPD_MOD_DYNAMIC && defined(PIC)
771 int init_module(int argc, char *argv[]) {
772 return refint_initialize();
776 #endif /* SLAPD_OVER_REFINT */