1 /* refint.c - referential integrity module */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
5 * Copyright 2004-2005 The OpenLDAP Foundation.
6 * Portions Copyright 2004 Symas Corporation.
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted only as authorized by the OpenLDAP
13 * A copy of this license is available in the file LICENSE in the
14 * top-level directory of the distribution or, alternatively, at
15 * <http://www.OpenLDAP.org/license.html>.
18 * This work was initially developed by Symas Corp. for inclusion in
19 * OpenLDAP Software. This work was sponsored by Hewlett-Packard.
24 /* This module maintains referential integrity for a set of
25 * DN-valued attributes by searching for all references to a given
26 * DN whenever the DN is changed or its entry is deleted, and making
27 * the appropriate update.
29 * Updates are performed using the database rootdn, but the ModifiersName
30 * is always set to refint_dn.
33 #ifdef SLAPD_OVER_REFINT
37 #include <ac/string.h>
38 #include <ac/socket.h>
42 static slap_overinst refint;
44 /* The DN to use in the ModifiersName for all refint updates */
45 static BerValue refint_dn = BER_BVC("cn=Referential Integrity Overlay");
47 typedef struct refint_attrs_s {
48 struct refint_attrs_s *next;
49 AttributeDescription *attr;
52 typedef struct dependents_s {
53 struct dependents_s *next;
54 BerValue dn; /* target dn */
58 typedef struct refint_data_s {
59 const char *message; /* breadcrumbs */
60 struct refint_attrs_s *attrs; /* list of known attrs */
61 struct dependents_s *mods; /* modifications returned from callback */
62 BerValue dn; /* basedn in parent, searchdn in call */
63 BerValue newdn; /* replacement value for modrdn callback */
64 BerValue nnewdn; /* normalized replacement value */
65 BerValue nothing; /* the nothing value, if needed */
66 BerValue nnothing; /* normalized nothingness */
70 ** allocate new refint_data;
71 ** initialize, copy basedn;
72 ** store in on_bi.bi_private;
81 slap_overinst *on = (slap_overinst *)be->bd_info;
82 refint_data *id = ch_malloc(sizeof(refint_data));
84 id->message = "_init";
86 id->newdn.bv_val = NULL;
87 id->nothing.bv_val = NULL;
88 id->nnothing.bv_val = NULL;
89 ber_dupbv( &id->dn, &be->be_nsuffix[0] );
90 on->on_bi.bi_private = id;
96 ** if command = attributes:
98 ** convert to attribute;
99 ** add to configured attribute list;
100 ** elseif command = basedn:
101 ** set our basedn to argument;
114 slap_overinst *on = (slap_overinst *) be->bd_info;
115 refint_data *id = on->on_bi.bi_private;
118 AttributeDescription *ad;
122 if(!strcasecmp(*argv, "refint_attributes")) {
123 for(i = 1; i < argc; i++) {
124 for(ip = id->attrs; ip; ip = ip->next)
125 if(!strcmp(argv[i], ip->attr->ad_cname.bv_val)) {
126 Debug(LDAP_DEBUG_ANY,
127 "%s: line %d: duplicate attribute <s>, ignored\n",
128 fname, lineno, argv[i]);
132 if(slap_str2ad(argv[i], &ad, &text) != LDAP_SUCCESS) {
133 Debug(LDAP_DEBUG_ANY,
134 "%s: line %d: bad attribute <%s>, ignored\n",
135 fname, lineno, text);
137 } else if(ad->ad_next) {
138 Debug(LDAP_DEBUG_ANY,
139 "%s: line %d: multiple attributes match <%s>, ignored\n",
140 fname, lineno, argv[i]);
143 ip = ch_malloc(sizeof(refint_attrs));
145 ip->next = id->attrs;
147 Debug(LDAP_DEBUG_ANY, "%s: line %d: new attribute <%s>\n",
148 fname, lineno, argv[i]);
150 } else if(!strcasecmp(*argv, "refint_base")) {
151 /* XXX only one basedn (yet) - need validate argument! */
152 if(id->dn.bv_val) ch_free(id->dn.bv_val);
153 ber_str2bv( argv[1], 0, 0, &dn );
154 Debug(LDAP_DEBUG_ANY, "%s: line %d: new baseDN <%s>\n",
155 fname, lineno, argv[1]);
156 if(dnNormalize(0, NULL, NULL, &dn, &id->dn, NULL)) {
157 Debug(LDAP_DEBUG_ANY, "%s: line %d: bad baseDN!\n", fname, lineno, 0);
160 } else if(!strcasecmp(*argv, "refint_nothing")) {
161 if(id->nothing.bv_val) ch_free(id->nothing.bv_val);
162 if(id->nnothing.bv_val) ch_free(id->nnothing.bv_val);
163 ber_str2bv( argv[1], 0, 1, &id->nothing );
164 if(dnNormalize(0, NULL, NULL, &id->nothing, &id->nnothing, NULL)) {
165 Debug(LDAP_DEBUG_ANY, "%s: line %d: bad nothingDN!\n", fname, lineno, 0);
168 Debug(LDAP_DEBUG_ANY, "%s: line %d: new nothingDN<%s>\n",
169 fname, lineno, argv[1]);
171 return(SLAP_CONF_UNKNOWN);
174 id->message = "_config";
180 ** nothing really happens here;
189 slap_overinst *on = (slap_overinst *)be->bd_info;
190 refint_data *id = on->on_bi.bi_private;
191 id->message = "_open";
197 ** foreach configured attribute:
200 ** (do not) free id->message;
201 ** reset on_bi.bi_private;
202 ** free our config data;
211 slap_overinst *on = (slap_overinst *) be->bd_info;
212 refint_data *id = on->on_bi.bi_private;
213 refint_attrs *ii, *ij;
214 id->message = "_close";
216 for(ii = id->attrs; ii; ii = ij) {
221 ch_free(id->dn.bv_val);
222 ch_free(id->nothing.bv_val);
223 ch_free(id->nnothing.bv_val);
225 on->on_bi.bi_private = NULL; /* XXX */
234 ** generates a list of Modification* from search results
245 refint_data *dd = op->o_callback->sc_private;
246 refint_attrs *ia, *da = dd->attrs;
248 Modifications *mp, *ma;
251 Debug(LDAP_DEBUG_TRACE, "refint_delete_cb <%s>\n",
252 rs->sr_entry ? rs->sr_entry->e_name.bv_val : "NOTHING", 0, 0);
254 if (rs->sr_type != REP_SEARCH || !rs->sr_entry) return(0);
255 dd->message = "_delete_cb";
258 ** foreach configured attribute type:
259 ** if this attr exists in the search result,
260 ** and it has a value matching the target:
261 ** allocate a Modification;
262 ** allocate its array of 2 BerValues;
263 ** if only one value, and we have a configured Nothing:
264 ** allocate additional Modification
266 ** BerValues[] = { Nothing, NULL };
269 ** BerValues[] = { our target dn, NULL };
270 ** add this mod to the list of mods;
274 ip = ch_malloc(sizeof(dependent_data));
275 ip->dn.bv_val = NULL;
279 for(ia = da; ia; ia = ia->next) {
280 if ( (a = attr_find(rs->sr_entry->e_attrs, ia->attr) ) )
281 for(i = 0, b = a->a_nvals; b[i].bv_val; i++)
282 if(bvmatch(&dd->dn, &b[i])) {
283 if(!ip->dn.bv_val) ber_dupbv(&ip->dn, &rs->sr_entry->e_nname);
284 if(!b[1].bv_val && dd->nothing.bv_val) {
285 mp = ch_malloc(sizeof(Modifications));
286 mp->sml_desc = ia->attr; /* XXX */
287 mp->sml_type = a->a_desc->ad_cname;
288 mp->sml_values = ch_malloc(2 * sizeof(BerValue));
289 mp->sml_nvalues = ch_malloc(2 * sizeof(BerValue));
290 mp->sml_values[1].bv_len = mp->sml_nvalues[1].bv_len = 0;
291 mp->sml_values[1].bv_val = mp->sml_nvalues[1].bv_val = NULL;
293 mp->sml_op = LDAP_MOD_ADD;
295 ber_dupbv(&mp->sml_values[0], &dd->nothing);
296 ber_dupbv(&mp->sml_nvalues[0], &dd->nnothing);
297 mp->sml_managing = 0;
301 /* this might violate the object class */
302 mp = ch_malloc(sizeof(Modifications));
303 mp->sml_desc = ia->attr; /* XXX */
304 mp->sml_type = a->a_desc->ad_cname;
305 mp->sml_values = ch_malloc(2 * sizeof(BerValue));
306 mp->sml_nvalues = ch_malloc(2 * sizeof(BerValue));
307 mp->sml_values[1].bv_len = mp->sml_nvalues[1].bv_len = 0;
308 mp->sml_values[1].bv_val = mp->sml_nvalues[1].bv_val = NULL;
309 mp->sml_op = LDAP_MOD_DELETE;
311 ber_dupbv(&mp->sml_values[0], &dd->dn);
312 ber_dupbv(&mp->sml_nvalues[0], &mp->sml_values[0]);
313 mp->sml_managing = 0;
316 Debug(LDAP_DEBUG_TRACE, "refint_delete_cb: %s: %s\n",
317 a->a_desc->ad_cname.bv_val, dd->dn.bv_val, 0);
339 ((refint_data *)op->o_callback->sc_private)->message = "_null_cb";
340 return(LDAP_SUCCESS);
345 ** generates a list of Modification* from search results
356 refint_data *dd = op->o_callback->sc_private;
357 refint_attrs *ia, *da = dd->attrs;
358 dependent_data *ip = NULL;
362 Debug(LDAP_DEBUG_TRACE, "refint_modrdn_cb <%s>\n",
363 rs->sr_entry ? rs->sr_entry->e_name.bv_val : "NOTHING", 0, 0);
365 if (rs->sr_type != REP_SEARCH || !rs->sr_entry) return(0);
366 dd->message = "_modrdn_cb";
369 ** foreach configured attribute type:
370 ** if this attr exists in the search result,
371 ** and it has a value matching the target:
372 ** allocate a pair of Modifications;
373 ** make it MOD_ADD the new value and MOD_DELETE the old;
374 ** allocate its array of BerValues;
375 ** foreach value in the search result:
376 ** if it matches our target value, replace it;
377 ** otherwise, copy from the search result;
378 ** terminate the array of BerValues;
379 ** add these mods to the list of mods;
383 for(ia = da; ia; ia = ia->next) {
384 if((a = attr_find(rs->sr_entry->e_attrs, ia->attr))) {
385 for(fix = 0, i = 0, b = a->a_nvals; b[i].bv_val; i++)
386 if(bvmatch(&dd->dn, &b[i])) { fix++; break; }
389 ip = ch_malloc(sizeof(dependent_data));
392 ber_dupbv(&ip->dn, &rs->sr_entry->e_nname);
394 mp = ch_malloc(sizeof(Modifications));
395 mp->sml_op = LDAP_MOD_ADD;
397 mp->sml_desc = ia->attr; /* XXX */
398 mp->sml_type = ia->attr->ad_cname;
399 mp->sml_values = ch_malloc(2 * sizeof(BerValue));
400 mp->sml_nvalues = ch_malloc(2 * sizeof(BerValue));
401 ber_dupbv(&mp->sml_values[0], &dd->newdn);
402 ber_dupbv(&mp->sml_nvalues[0], &dd->nnewdn);
403 mp->sml_values[1].bv_len = mp->sml_nvalues[1].bv_len = 0;
404 mp->sml_values[1].bv_val = mp->sml_nvalues[1].bv_val = NULL;
405 mp->sml_managing = 0;
406 mp->sml_next = ip->mm;
408 mp = ch_malloc(sizeof(Modifications));
409 mp->sml_op = LDAP_MOD_DELETE;
411 mp->sml_desc = ia->attr; /* XXX */
412 mp->sml_type = ia->attr->ad_cname;
413 mp->sml_values = ch_malloc(2 * sizeof(BerValue));
414 mp->sml_nvalues = ch_malloc(2 * sizeof(BerValue));
415 ber_dupbv(&mp->sml_values[0], &dd->dn);
416 ber_dupbv(&mp->sml_nvalues[0], &dd->dn);
417 mp->sml_values[1].bv_len = mp->sml_nvalues[1].bv_len = 0;
418 mp->sml_values[1].bv_val = mp->sml_nvalues[1].bv_val = NULL;
419 mp->sml_managing = 0;
420 mp->sml_next = ip->mm;
422 Debug(LDAP_DEBUG_TRACE, "refint_modrdn_cb: %s: %s\n",
423 a->a_desc->ad_cname.bv_val, dd->dn.bv_val, 0);
438 ** search for matching records and modify them
448 SlapReply nrs = { REP_RESULT };
449 slap_callback cb = { NULL, NULL, NULL, NULL };
450 slap_callback cb2 = { NULL, slap_replog_cb, NULL, NULL };
451 slap_callback *cbo, *cbp;
452 slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
453 refint_data *id = on->on_bi.bi_private;
454 refint_data dd = *id;
461 id->message = "_refint_response";
463 /* If the main op failed or is not a Delete or ModRdn, ignore it */
464 if (( op->o_tag != LDAP_REQ_DELETE && op->o_tag != LDAP_REQ_MODRDN ) ||
465 rs->sr_err != LDAP_SUCCESS )
466 return SLAP_CB_CONTINUE;
469 ** validate (and count) the list of attrs;
473 for(ip = id->attrs, ac = 0; ip; ip = ip->next, ac++);
475 rs->sr_err = LDAP_OTHER;
476 rs->sr_text = "refint_response called without any attributes";
477 return SLAP_CB_CONTINUE;
481 ** find the backend that matches our configured basedn;
482 ** make sure it exists and has search and modify methods;
486 nop.o_bd = select_backend(&id->dn, 0, 1);
489 if (!nop.o_bd->be_search || !nop.o_bd->be_modify) {
490 rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
491 rs->sr_text = "backend missing search and/or modify";
492 return SLAP_CB_CONTINUE;
495 rs->sr_err = LDAP_OTHER;
496 rs->sr_text = "no known backend? this shouldn't be happening!";
497 return SLAP_CB_CONTINUE;
503 ** if delete: set delete callback;
504 ** else modrdn: create a newdn, set modify callback;
508 if(op->o_tag == LDAP_REQ_DELETE) {
509 cb.sc_response = &refint_delete_cb;
510 dd.newdn.bv_val = NULL;
511 dd.nnewdn.bv_val = NULL;
513 cb.sc_response = &refint_modrdn_cb;
514 if ( op->oq_modrdn.rs_newSup ) {
515 pdn = *op->oq_modrdn.rs_newSup;
517 dnParent( &op->o_req_dn, &pdn );
519 build_new_dn( &dd.newdn, &pdn, &op->orr_newrdn, NULL );
520 if ( op->oq_modrdn.rs_nnewSup ) {
521 pdn = *op->oq_modrdn.rs_nnewSup;
523 dnParent( &op->o_req_ndn, &pdn );
525 build_new_dn( &dd.nnewdn, &pdn, &op->orr_nnewrdn, NULL );
529 ** build a search filter for all configured attributes;
530 ** populate our Operation;
531 ** pass our data (attr list, dn) to backend via sc_private;
532 ** call the backend search function;
533 ** nb: (|(one=thing)) is valid, but do smart formatting anyway;
534 ** nb: 16 is arbitrarily a dozen or so extra bytes;
538 ftop.f_choice = LDAP_FILTER_OR;
541 nop.ors_filter = &ftop;
542 for(ip = id->attrs; ip; ip = ip->next) {
543 fptr = ch_malloc( sizeof(Filter) + sizeof(AttributeAssertion) );
544 fptr->f_choice = LDAP_FILTER_EQUALITY;
545 fptr->f_ava = (AttributeAssertion *)(fptr+1);
546 fptr->f_ava->aa_desc = ip->attr;
547 fptr->f_ava->aa_value = op->o_req_ndn;
548 fptr->f_next = ftop.f_or;
551 filter2bv( nop.ors_filter, &nop.ors_filterstr );
553 /* callback gets the searched dn instead */
554 dd.dn = op->o_req_ndn;
555 dd.message = "_dependent_search";
558 nop.o_callback = &cb;
559 nop.o_tag = LDAP_REQ_SEARCH;
560 nop.ors_scope = LDAP_SCOPE_SUBTREE;
561 nop.ors_deref = LDAP_DEREF_NEVER;
562 nop.ors_limit = NULL;
563 nop.ors_slimit = SLAP_NO_LIMIT;
564 nop.ors_tlimit = SLAP_NO_LIMIT;
567 nop.ors_attrs = slap_anlist_no_attrs;
568 nop.ors_attrsonly = 1;
570 nop.o_req_ndn = id->dn;
571 nop.o_req_dn = id->dn;
574 rc = nop.o_bd->be_search(&nop, &nrs);
576 ch_free( nop.ors_filterstr.bv_val );
577 while ( (fptr = ftop.f_or) != NULL ) {
578 ftop.f_or = fptr->f_next;
581 ch_free(dd.nnewdn.bv_val);
582 ch_free(dd.newdn.bv_val);
583 dd.newdn.bv_val = NULL;
584 dd.nnewdn.bv_val = NULL;
586 if(rc != LDAP_SUCCESS) {
587 rs->sr_err = nrs.sr_err;
588 rs->sr_text = "refint_response search failed";
592 /* safety? paranoid just in case */
594 rs->sr_err = LDAP_OTHER;
595 rs->sr_text = "whoa! refint_response callback wiped out sc_private?!";
599 /* presto! now it's a modify request with null callback */
600 cb.sc_response = &refint_null_cb;
601 nop.o_tag = LDAP_REQ_MODIFY;
602 dd.message = "_dependent_modify";
604 /* See if the parent operation is going into the replog */
605 for (cbo=op->o_callback, cbp = cbo->sc_next; cbp; cbo=cbp,cbp=cbp->sc_next) {
606 if (cbp->sc_response == slap_replog_cb) {
607 /* Invoke replog now, arrange for our
608 * dependent mods to also be logged
610 cbo->sc_next = cbp->sc_next;
612 nop.o_callback = &cb2;
618 ** [our search callback builds a list of mods]
620 ** make sure its dn has a backend;
621 ** connect Modification* chain to our op;
622 ** call the backend modify function;
623 ** pass any errors upstream;
627 for(dp = dd.mods; dp; dp = dp->next) {
628 Modifications **tail, *m;
630 for(m = dp->mm; m && m->sml_next; m = m->sml_next);
632 nop.o_req_dn = dp->dn;
633 nop.o_req_ndn = dp->dn;
634 nop.o_bd = select_backend(&dp->dn, 0, 1);
636 rs->sr_err = LDAP_OTHER;
637 rs->sr_text = "this should never happen either!";
640 nrs.sr_type = REP_RESULT;
641 nop.orm_modlist = dp->mm; /* callback did all the work */
642 nop.o_dn = refint_dn;
643 nop.o_ndn = refint_dn;
644 rs->sr_err = slap_mods_opattrs( &nop, nop.orm_modlist,
645 tail, &rs->sr_text, NULL, 0, 1 );
646 nop.o_dn = nop.o_bd->be_rootdn;
647 nop.o_ndn = nop.o_bd->be_rootndn;
648 if(rs->sr_err != LDAP_SUCCESS) goto done;
649 if((rc = nop.o_bd->be_modify(&nop, &nrs)) != LDAP_SUCCESS) {
650 rs->sr_err = nrs.sr_err;
651 rs->sr_text = "dependent modify failed";
657 for(dp = dd.mods; dp; dp = dd.mods) {
659 ch_free(dp->dn.bv_val);
660 slap_mods_free(dp->mm, 1);
664 return(SLAP_CB_CONTINUE);
668 ** init_module is last so the symbols resolve "for free" --
669 ** it expects to be called automagically during dynamic module initialization
674 /* statically declared just after the #includes at top */
675 refint.on_bi.bi_type = "refint";
676 refint.on_bi.bi_db_init = refint_db_init;
677 refint.on_bi.bi_db_config = refint_config;
678 refint.on_bi.bi_db_open = refint_open;
679 refint.on_bi.bi_db_close = refint_close;
680 refint.on_response = refint_response;
682 return(overlay_register(&refint));
685 #if SLAPD_OVER_REFINT == SLAPD_MOD_DYNAMIC && defined(PIC)
686 int init_module(int argc, char *argv[]) {
687 return refint_init();
691 #endif /* SLAPD_OVER_REFINT */
projects / openldap / blob