1 /* refint.c - referential integrity module */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
5 * Copyright 2004-2007 The OpenLDAP Foundation.
6 * Portions Copyright 2004 Symas Corporation.
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted only as authorized by the OpenLDAP
13 * A copy of this license is available in the file LICENSE in the
14 * top-level directory of the distribution or, alternatively, at
15 * <http://www.OpenLDAP.org/license.html>.
18 * This work was initially developed by Symas Corp. for inclusion in
19 * OpenLDAP Software. This work was sponsored by Hewlett-Packard.
24 /* This module maintains referential integrity for a set of
25 * DN-valued attributes by searching for all references to a given
26 * DN whenever the DN is changed or its entry is deleted, and making
27 * the appropriate update.
29 * Updates are performed using the database rootdn in a separate task
30 * to allow the original operation to complete immediately.
33 #ifdef SLAPD_OVER_REFINT
37 #include <ac/string.h>
38 #include <ac/socket.h>
44 static slap_overinst refint;
46 /* The DN to use in the ModifiersName for all refint updates */
47 static BerValue refint_dn = BER_BVC("cn=Referential Integrity Overlay");
48 static BerValue refint_ndn = BER_BVC("cn=referential integrity overlay");
50 typedef struct refint_attrs_s {
51 struct refint_attrs_s *next;
52 AttributeDescription *attr;
55 typedef struct dependents_s {
56 struct dependents_s *next;
57 BerValue dn; /* target dn */
62 typedef struct refint_q {
63 struct refint_q *next;
64 struct refint_data_s *rdata;
65 dependent_data *attrs; /* entries and attrs returned from callback */
73 typedef struct refint_data_s {
74 const char *message; /* breadcrumbs */
75 struct refint_attrs_s *attrs; /* list of known attrs */
76 BerValue dn; /* basedn in parent, */
77 BerValue nothing; /* the nothing value, if needed */
78 BerValue nnothing; /* normalized nothingness */
82 ldap_pvt_thread_mutex_t qmutex;
85 #define RUNQ_INTERVAL 36000 /* a long time */
92 static ConfigDriver refint_cf_gen;
94 static ConfigTable refintcfg[] = {
95 { "refint_attributes", "attribute...", 2, 0, 0,
96 ARG_MAGIC|REFINT_ATTRS, refint_cf_gen,
97 "( OLcfgOvAt:11.1 NAME 'olcRefintAttribute' "
98 "DESC 'Attributes for referential integrity' "
99 "EQUALITY caseIgnoreMatch "
100 "SYNTAX OMsDirectoryString )", NULL, NULL },
101 { "refint_nothing", "string", 2, 2, 0,
102 ARG_DN|ARG_MAGIC|REFINT_NOTHING, refint_cf_gen,
103 "( OLcfgOvAt:11.2 NAME 'olcRefintNothing' "
104 "DESC 'Replacement DN to supply when needed' "
105 "SYNTAX OMsDN SINGLE-VALUE )", NULL, NULL },
106 { NULL, NULL, 0, 0, 0, ARG_IGNORED }
109 static ConfigOCs refintocs[] = {
110 { "( OLcfgOvOc:11.1 "
111 "NAME 'olcRefintConfig' "
112 "DESC 'Referential integrity configuration' "
113 "SUP olcOverlayConfig "
114 "MAY ( olcRefintAttribute $ olcRefintNothing ) )",
115 Cft_Overlay, refintcfg },
120 refint_cf_gen(ConfigArgs *c)
122 slap_overinst *on = (slap_overinst *)c->bi;
123 refint_data *dd = (refint_data *)on->on_bi.bi_private;
124 refint_attrs *ip, *pip, **pipp = NULL;
125 AttributeDescription *ad;
127 int rc = ARG_BAD_CONF;
131 case SLAP_CONFIG_EMIT:
136 value_add_one( &c->rvalue_vals,
137 &ip->attr->ad_cname );
143 if ( !BER_BVISEMPTY( &dd->nothing )) {
144 rc = value_add_one( &c->rvalue_vals,
147 rc = value_add_one( &c->rvalue_nvals,
157 case LDAP_MOD_DELETE:
170 /* delete from linked list */
171 for ( i=0; i < c->valx; ++i ) {
172 pipp = &(*pipp)->next;
175 *pipp = (*pipp)->next;
177 /* AttributeDescriptions are global so
178 * shouldn't be freed here... */
184 if ( dd->nothing.bv_val )
185 ber_memfree ( dd->nothing.bv_val );
186 if ( dd->nnothing.bv_val )
187 ber_memfree ( dd->nnothing.bv_val );
188 dd->nothing.bv_len = 0;
189 dd->nnothing.bv_len = 0;
196 case SLAP_CONFIG_ADD:
197 /* fallthrough to LDAP_MOD_ADD */
202 for ( i=1; i < c->argc; ++i ) {
204 if ( slap_str2ad ( c->argv[i], &ad, &text )
207 sizeof ( refint_attrs ) );
209 ip->next = dd->attrs;
212 snprintf( c->msg, sizeof( c->msg ),
213 "%s <%s>: %s", c->argv[0], c->argv[i], text );
214 Debug ( LDAP_DEBUG_CONFIG|LDAP_DEBUG_NONE,
215 "%s: %s\n", c->log, c->msg, 0 );
221 if ( dd->nothing.bv_val )
222 ber_memfree ( dd->nothing.bv_val );
223 if ( dd->nnothing.bv_val )
224 ber_memfree ( dd->nnothing.bv_val );
225 dd->nothing = c->value_dn;
226 dd->nnothing = c->value_ndn;
241 ** allocate new refint_data;
242 ** store in on_bi.bi_private;
251 slap_overinst *on = (slap_overinst *)be->bd_info;
252 refint_data *id = ch_calloc(1,sizeof(refint_data));
254 id->message = "_init";
255 on->on_bi.bi_private = id;
256 ldap_pvt_thread_mutex_init( &id->qmutex );
265 slap_overinst *on = (slap_overinst *)be->bd_info;
267 if ( on->on_bi.bi_private ) {
268 refint_data *id = on->on_bi.bi_private;
269 on->on_bi.bi_private = NULL;
270 ldap_pvt_thread_mutex_destroy( &id->qmutex );
277 ** initialize, copy basedn if not already set
286 slap_overinst *on = (slap_overinst *)be->bd_info;
287 refint_data *id = on->on_bi.bi_private;
288 id->message = "_open";
290 if ( BER_BVISNULL( &id->dn )) {
291 if ( BER_BVISNULL( &be->be_nsuffix[0] ))
293 ber_dupbv( &id->dn, &be->be_nsuffix[0] );
300 ** foreach configured attribute:
303 ** (do not) free id->message;
304 ** reset on_bi.bi_private;
305 ** free our config data;
314 slap_overinst *on = (slap_overinst *) be->bd_info;
315 refint_data *id = on->on_bi.bi_private;
316 refint_attrs *ii, *ij;
317 id->message = "_close";
319 for(ii = id->attrs; ii; ii = ij) {
325 ch_free( id->dn.bv_val );
326 BER_BVZERO( &id->dn );
327 ch_free( id->nothing.bv_val );
328 BER_BVZERO( &id->nothing );
329 ch_free( id->nnothing.bv_val );
330 BER_BVZERO( &id->nnothing );
337 ** generates a list of Attributes from search results
348 refint_q *rq = op->o_callback->sc_private;
349 refint_data *dd = rq->rdata;
350 refint_attrs *ia, *da = dd->attrs, *na;
354 Debug(LDAP_DEBUG_TRACE, "refint_search_cb <%s>\n",
355 rs->sr_entry ? rs->sr_entry->e_name.bv_val : "NOTHING", 0, 0);
357 if (rs->sr_type != REP_SEARCH || !rs->sr_entry) return(0);
360 ** foreach configured attribute type:
361 ** if this attr exists in the search result,
362 ** and it has a value matching the target:
364 ** if this is a delete and there's only one value:
365 ** allocate the same attr again;
369 ip = op->o_tmpalloc(sizeof(dependent_data), op->o_tmpmemctx );
370 ber_dupbv_x( &ip->dn, &rs->sr_entry->e_name, op->o_tmpmemctx );
371 ber_dupbv_x( &ip->ndn, &rs->sr_entry->e_nname, op->o_tmpmemctx );
372 ip->next = rq->attrs;
375 for(ia = da; ia; ia = ia->next) {
376 if ( (a = attr_find(rs->sr_entry->e_attrs, ia->attr) ) )
377 for(i = 0, b = a->a_nvals; b[i].bv_val; i++)
378 if(bvmatch(&rq->oldndn, &b[i])) {
379 na = op->o_tmpalloc(sizeof( refint_attrs ), op->o_tmpmemctx );
380 na->next = ip->attrs;
383 /* If this is a delete and there's only one value, and
384 * we have a nothing DN configured, allocate the attr again.
386 if(!b[1].bv_val && BER_BVISEMPTY( &rq->newdn ) &&
387 dd->nothing.bv_val) {
388 na = op->o_tmpalloc(sizeof( refint_attrs ), op->o_tmpmemctx );
389 na->next = ip->attrs;
393 Debug(LDAP_DEBUG_TRACE, "refint_search_cb: %s: %s\n",
394 a->a_desc->ad_cname.bv_val, rq->olddn.bv_val, 0);
402 refint_qtask( void *ctx, void *arg )
404 struct re_s *rtask = arg;
405 refint_data *id = rtask->arg;
406 Connection conn = {0};
407 OperationBuffer opbuf;
409 SlapReply rs = {REP_RESULT};
410 slap_callback cb = { NULL, NULL, NULL, NULL };
414 refint_attrs *ra, *ip;
417 op = (Operation *) &opbuf;
418 connection_fake_init( &conn, op, ctx );
421 ** build a search filter for all configured attributes;
422 ** populate our Operation;
423 ** pass our data (attr list, dn) to backend via sc_private;
424 ** call the backend search function;
425 ** nb: (|(one=thing)) is valid, but do smart formatting anyway;
426 ** nb: 16 is arbitrarily a dozen or so extra bytes;
430 ftop.f_choice = LDAP_FILTER_OR;
433 op->ors_filter = &ftop;
434 for(ip = id->attrs; ip; ip = ip->next) {
435 fptr = op->o_tmpalloc( sizeof(Filter) + sizeof(AttributeAssertion),
437 fptr->f_choice = LDAP_FILTER_EQUALITY;
438 fptr->f_ava = (AttributeAssertion *)(fptr+1);
439 fptr->f_ava->aa_desc = ip->attr;
440 fptr->f_next = ftop.f_or;
446 ldap_pvt_thread_mutex_lock( &id->qmutex );
449 id->qhead = rq->next;
453 ldap_pvt_thread_mutex_unlock( &id->qmutex );
457 for (fptr = ftop.f_or; fptr; fptr=fptr->f_next )
458 fptr->f_av_value = rq->oldndn;
460 filter2bv_x( op, op->ors_filter, &op->ors_filterstr );
462 /* callback gets the searched dn instead */
464 cb.sc_response = refint_search_cb;
465 op->o_callback = &cb;
466 op->o_tag = LDAP_REQ_SEARCH;
467 op->ors_scope = LDAP_SCOPE_SUBTREE;
468 op->ors_deref = LDAP_DEREF_NEVER;
469 op->ors_limit = NULL;
470 op->ors_slimit = SLAP_NO_LIMIT;
471 op->ors_tlimit = SLAP_NO_LIMIT;
474 op->ors_attrs = slap_anlist_no_attrs;
476 op->o_req_ndn = id->dn;
477 op->o_req_dn = id->dn;
479 op->o_dn = op->o_bd->be_rootdn;
480 op->o_ndn = op->o_bd->be_rootndn;
481 slap_op_time( &op->o_time, &op->o_tincr );
484 rc = op->o_bd->be_search(op, &rs);
486 op->o_tmpfree( op->ors_filterstr.bv_val, op->o_tmpmemctx );
488 if(rc != LDAP_SUCCESS) {
489 Debug( LDAP_DEBUG_TRACE,
490 "refint_response: search failed: %d\n",
495 /* safety? paranoid just in case */
497 Debug( LDAP_DEBUG_TRACE,
498 "refint_response: callback wiped out sc_private?!\n",
503 /* Set up the Modify requests */
504 cb.sc_response = &slap_null_cb;
505 op->o_tag = LDAP_REQ_MODIFY;
508 ** [our search callback builds a list of attrs]
510 ** make sure its dn has a backend;
511 ** build Modification* chain;
512 ** call the backend modify function;
516 for(dp = rq->attrs; dp; dp = dp->next) {
517 Modifications *m, *first = NULL;
519 op->orm_modlist = NULL;
521 op->o_req_dn = dp->dn;
522 op->o_req_ndn = dp->ndn;
523 op->o_bd = select_backend(&dp->ndn, 0, 1);
525 Debug( LDAP_DEBUG_TRACE,
526 "refint_response: no backend for DN %s!\n",
527 dp->dn.bv_val, 0, 0 );
530 rs.sr_type = REP_RESULT;
531 for (ra = dp->attrs; ra; ra = dp->attrs) {
532 dp->attrs = ra->next;
533 /* Set our ModifiersName */
534 if ( SLAP_LASTMOD( op->o_bd )) {
535 m = op->o_tmpalloc( sizeof(Modifications) +
536 4*sizeof(BerValue), op->o_tmpmemctx );
537 m->sml_next = op->orm_modlist;
541 m->sml_op = LDAP_MOD_REPLACE;
542 m->sml_flags = SLAP_MOD_INTERNAL;
543 m->sml_desc = slap_schema.si_ad_modifiersName;
544 m->sml_type = m->sml_desc->ad_cname;
545 m->sml_values = (BerVarray)(m+1);
546 m->sml_nvalues = m->sml_values+2;
547 BER_BVZERO( &m->sml_values[1] );
548 BER_BVZERO( &m->sml_nvalues[1] );
549 m->sml_values[0] = refint_dn;
550 m->sml_nvalues[0] = refint_ndn;
552 if ( !BER_BVISEMPTY( &rq->newdn ) || ( ra->next &&
553 ra->attr == ra->next->attr )) {
554 m = op->o_tmpalloc( sizeof(Modifications) +
555 4*sizeof(BerValue), op->o_tmpmemctx );
556 m->sml_next = op->orm_modlist;
560 m->sml_op = LDAP_MOD_ADD;
562 m->sml_desc = ra->attr;
563 m->sml_type = ra->attr->ad_cname;
564 m->sml_values = (BerVarray)(m+1);
565 m->sml_nvalues = m->sml_values+2;
566 BER_BVZERO( &m->sml_values[1] );
567 BER_BVZERO( &m->sml_nvalues[1] );
568 if ( BER_BVISEMPTY( &rq->newdn )) {
569 op->o_tmpfree( ra, op->o_tmpmemctx );
571 dp->attrs = ra->next;
572 m->sml_values[0] = id->nothing;
573 m->sml_nvalues[0] = id->nnothing;
575 m->sml_values[0] = rq->newdn;
576 m->sml_nvalues[0] = rq->newndn;
579 m = op->o_tmpalloc( sizeof(Modifications) + 4*sizeof(BerValue),
581 m->sml_next = op->orm_modlist;
585 m->sml_op = LDAP_MOD_DELETE;
587 m->sml_desc = ra->attr;
588 m->sml_type = ra->attr->ad_cname;
589 m->sml_values = (BerVarray)(m+1);
590 m->sml_nvalues = m->sml_values+2;
591 m->sml_values[0] = rq->olddn;
592 m->sml_nvalues[0] = rq->oldndn;
593 BER_BVZERO( &m->sml_values[1] );
594 BER_BVZERO( &m->sml_nvalues[1] );
595 op->o_tmpfree( ra, op->o_tmpmemctx );
598 op->o_dn = op->o_bd->be_rootdn;
599 op->o_ndn = op->o_bd->be_rootndn;
600 slap_op_time( &op->o_time, &op->o_tincr );
601 if((rc = op->o_bd->be_modify(op, &rs)) != LDAP_SUCCESS) {
602 Debug( LDAP_DEBUG_TRACE,
603 "refint_response: dependent modify failed: %d\n",
607 while (( m = op->orm_modlist )) {
608 op->orm_modlist = m->sml_next;
609 op->o_tmpfree( m, op->o_tmpmemctx );
610 if ( m == first ) break;
612 slap_mods_free( op->orm_modlist, 1 );
613 op->o_tmpfree( dp->ndn.bv_val, op->o_tmpmemctx );
614 op->o_tmpfree( dp->dn.bv_val, op->o_tmpmemctx );
615 op->o_tmpfree( dp, op->o_tmpmemctx );
618 if ( !BER_BVISNULL( &rq->newndn )) {
619 ch_free( rq->newndn.bv_val );
620 ch_free( rq->newdn.bv_val );
622 ch_free( rq->oldndn.bv_val );
623 ch_free( rq->olddn.bv_val );
627 /* wait until we get explicitly scheduled again */
628 ldap_pvt_thread_mutex_lock( &slapd_rq.rq_mutex );
629 ldap_pvt_runqueue_stoptask( &slapd_rq, id->qtask );
630 ldap_pvt_runqueue_resched( &slapd_rq,id->qtask, 1 );
631 ldap_pvt_thread_mutex_unlock( &slapd_rq.rq_mutex );
638 ** search for matching records and modify them
647 slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
648 refint_data *id = on->on_bi.bi_private;
655 id->message = "_refint_response";
657 /* If the main op failed or is not a Delete or ModRdn, ignore it */
658 if (( op->o_tag != LDAP_REQ_DELETE && op->o_tag != LDAP_REQ_MODRDN ) ||
659 rs->sr_err != LDAP_SUCCESS )
660 return SLAP_CB_CONTINUE;
663 ** validate (and count) the list of attrs;
667 for(ip = id->attrs, ac = 0; ip; ip = ip->next, ac++);
669 Debug( LDAP_DEBUG_TRACE,
670 "refint_response called without any attributes\n", 0, 0, 0 );
671 return SLAP_CB_CONTINUE;
675 ** find the backend that matches our configured basedn;
676 ** make sure it exists and has search and modify methods;
680 db = select_backend(&id->dn, 0, 1);
683 if (!db->be_search || !db->be_modify) {
684 Debug( LDAP_DEBUG_TRACE,
685 "refint_response: backend missing search and/or modify\n",
687 return SLAP_CB_CONTINUE;
690 Debug( LDAP_DEBUG_TRACE,
691 "refint_response: no backend for our baseDN %s??\n",
692 id->dn.bv_val, 0, 0 );
693 return SLAP_CB_CONTINUE;
696 rq = ch_calloc( 1, sizeof( refint_q ));
697 ber_dupbv( &rq->olddn, &op->o_req_dn );
698 ber_dupbv( &rq->oldndn, &op->o_req_ndn );
702 if(op->o_tag == LDAP_REQ_MODRDN) {
703 if ( op->oq_modrdn.rs_newSup ) {
704 pdn = *op->oq_modrdn.rs_newSup;
706 dnParent( &op->o_req_dn, &pdn );
708 build_new_dn( &rq->newdn, &pdn, &op->orr_newrdn, NULL );
709 if ( op->oq_modrdn.rs_nnewSup ) {
710 pdn = *op->oq_modrdn.rs_nnewSup;
712 dnParent( &op->o_req_ndn, &pdn );
714 build_new_dn( &rq->newndn, &pdn, &op->orr_nnewrdn, NULL );
717 ldap_pvt_thread_mutex_lock( &id->qmutex );
719 id->qtail->next = rq;
724 ldap_pvt_thread_mutex_unlock( &id->qmutex );
727 ldap_pvt_thread_mutex_lock( &slapd_rq.rq_mutex );
729 id->qtask = ldap_pvt_runqueue_insert( &slapd_rq, RUNQ_INTERVAL,
730 refint_qtask, id, "refint_qtask",
731 op->o_bd->be_suffix[0].bv_val );
734 if ( !ldap_pvt_runqueue_isrunning( &slapd_rq, id->qtask ) &&
735 !id->qtask->next_sched.tv_sec ) {
736 id->qtask->interval.tv_sec = 0;
737 ldap_pvt_runqueue_resched( &slapd_rq, id->qtask, 0 );
738 id->qtask->interval.tv_sec = RUNQ_INTERVAL;
742 ldap_pvt_thread_mutex_unlock( &slapd_rq.rq_mutex );
744 slap_wake_listener();
746 return SLAP_CB_CONTINUE;
750 ** init_module is last so the symbols resolve "for free" --
751 ** it expects to be called automagically during dynamic module initialization
754 int refint_initialize() {
757 /* statically declared just after the #includes at top */
758 refint.on_bi.bi_type = "refint";
759 refint.on_bi.bi_db_init = refint_db_init;
760 refint.on_bi.bi_db_destroy = refint_db_destroy;
761 refint.on_bi.bi_db_open = refint_open;
762 refint.on_bi.bi_db_close = refint_close;
763 refint.on_response = refint_response;
765 refint.on_bi.bi_cf_ocs = refintocs;
766 rc = config_register_schema ( refintcfg, refintocs );
769 return(overlay_register(&refint));
772 #if SLAPD_OVER_REFINT == SLAPD_MOD_DYNAMIC && defined(PIC)
773 int init_module(int argc, char *argv[]) {
774 return refint_initialize();
778 #endif /* SLAPD_OVER_REFINT */