1 /* translucent.c - translucent proxy module */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
5 * Copyright 2004-2010 The OpenLDAP Foundation.
6 * Portions Copyright 2005 Symas Corporation.
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted only as authorized by the OpenLDAP
13 * A copy of this license is available in the file LICENSE in the
14 * top-level directory of the distribution or, alternatively, at
15 * <http://www.OpenLDAP.org/license.html>.
18 * This work was initially developed by Symas Corp. for inclusion in
19 * OpenLDAP Software. This work was sponsored by Hewlett-Packard.
24 #ifdef SLAPD_OVER_TRANSLUCENT
28 #include <ac/string.h>
29 #include <ac/socket.h>
37 typedef struct translucent_info {
38 BackendDB db; /* captive backend */
39 AttributeName *local; /* valid attrs for local filters */
40 AttributeName *remote; /* valid attrs for remote filters */
48 static ConfigLDAPadd translucent_ldadd;
49 static ConfigCfAdd translucent_cfadd;
51 static ConfigDriver translucent_cf_gen;
58 static ConfigTable translucentcfg[] = {
59 { "translucent_strict", "on|off", 1, 2, 0,
60 ARG_ON_OFF|ARG_OFFSET,
61 (void *)offsetof(translucent_info, strict),
62 "( OLcfgOvAt:14.1 NAME 'olcTranslucentStrict' "
63 "DESC 'Reveal attribute deletion constraint violations' "
64 "SYNTAX OMsBoolean SINGLE-VALUE )", NULL, NULL },
65 { "translucent_no_glue", "on|off", 1, 2, 0,
66 ARG_ON_OFF|ARG_OFFSET,
67 (void *)offsetof(translucent_info, no_glue),
68 "( OLcfgOvAt:14.2 NAME 'olcTranslucentNoGlue' "
69 "DESC 'Disable automatic glue records for ADD and MODRDN' "
70 "SYNTAX OMsBoolean SINGLE-VALUE )", NULL, NULL },
71 { "translucent_local", "attr[,attr...]", 1, 2, 0,
72 ARG_MAGIC|TRANS_LOCAL,
74 "( OLcfgOvAt:14.3 NAME 'olcTranslucentLocal' "
75 "DESC 'Attributes to use in local search filter' "
76 "SYNTAX OMsDirectoryString )", NULL, NULL },
77 { "translucent_remote", "attr[,attr...]", 1, 2, 0,
78 ARG_MAGIC|TRANS_REMOTE,
80 "( OLcfgOvAt:14.4 NAME 'olcTranslucentRemote' "
81 "DESC 'Attributes to use in remote search filter' "
82 "SYNTAX OMsDirectoryString )", NULL, NULL },
83 { "translucent_bind_local", "on|off", 1, 2, 0,
84 ARG_ON_OFF|ARG_OFFSET,
85 (void *)offsetof(translucent_info, bind_local),
86 "( OLcfgOvAt:14.5 NAME 'olcTranslucentBindLocal' "
87 "DESC 'Enable local bind' "
88 "SYNTAX OMsBoolean SINGLE-VALUE)", NULL, NULL },
89 { "translucent_pwmod_local", "on|off", 1, 2, 0,
90 ARG_ON_OFF|ARG_OFFSET,
91 (void *)offsetof(translucent_info, pwmod_local),
92 "( OLcfgOvAt:14.6 NAME 'olcTranslucentPwModLocal' "
93 "DESC 'Enable local RFC 3062 Password Modify extended operation' "
94 "SYNTAX OMsBoolean SINGLE-VALUE)", NULL, NULL },
95 { NULL, NULL, 0, 0, 0, ARG_IGNORED }
98 static ConfigOCs translucentocs[] = {
100 "NAME 'olcTranslucentConfig' "
101 "DESC 'Translucent configuration' "
102 "SUP olcOverlayConfig "
103 "MAY ( olcTranslucentStrict $ olcTranslucentNoGlue $"
104 " olcTranslucentLocal $ olcTranslucentRemote $"
105 " olcTranslucentBindLocal $ olcTranslucentPwModLocal ) )",
106 Cft_Overlay, translucentcfg, NULL, translucent_cfadd },
107 { "( OLcfgOvOc:14.2 "
108 "NAME 'olcTranslucentDatabase' "
109 "DESC 'Translucent target database configuration' "
110 "AUXILIARY )", Cft_Misc, olcDatabaseDummy, translucent_ldadd },
113 /* for translucent_init() */
116 translucent_ldadd_cleanup( ConfigArgs *ca )
118 slap_overinst *on = ca->ca_private;
119 translucent_info *ov = on->on_bi.bi_private;
121 ov->defer_db_open = 0;
122 return backend_startup_one( ca->be, &ca->reply );
126 translucent_ldadd( CfEntryInfo *cei, Entry *e, ConfigArgs *ca )
129 translucent_info *ov;
131 Debug(LDAP_DEBUG_TRACE, "==> translucent_ldadd\n", 0, 0, 0);
133 if ( cei->ce_type != Cft_Overlay || !cei->ce_bi ||
134 cei->ce_bi->bi_cf_ocs != translucentocs )
135 return LDAP_CONSTRAINT_VIOLATION;
137 on = (slap_overinst *)cei->ce_bi;
138 ov = on->on_bi.bi_private;
141 if ( CONFIG_ONLINE_ADD( ca ))
142 ca->cleanup = translucent_ldadd_cleanup;
144 ov->defer_db_open = 0;
150 translucent_cfadd( Operation *op, SlapReply *rs, Entry *e, ConfigArgs *ca )
152 CfEntryInfo *cei = e->e_private;
153 slap_overinst *on = (slap_overinst *)cei->ce_bi;
154 translucent_info *ov = on->on_bi.bi_private;
157 Debug(LDAP_DEBUG_TRACE, "==> translucent_cfadd\n", 0, 0, 0);
159 /* FIXME: should not hardcode "olcDatabase" here */
160 bv.bv_len = snprintf( ca->cr_msg, sizeof( ca->cr_msg ),
161 "olcDatabase=" SLAP_X_ORDERED_FMT "%s",
162 0, ov->db.bd_info->bi_type );
163 if ( bv.bv_len >= sizeof( ca->cr_msg ) ) {
166 bv.bv_val = ca->cr_msg;
168 ov->defer_db_open = 0;
170 /* We can only create this entry if the database is table-driven
172 if ( ov->db.bd_info->bi_cf_ocs )
173 config_build_entry( op, rs, cei, ca, &bv,
174 ov->db.bd_info->bi_cf_ocs,
175 &translucentocs[1] );
181 translucent_cf_gen( ConfigArgs *c )
183 slap_overinst *on = (slap_overinst *)c->bi;
184 translucent_info *ov = on->on_bi.bi_private;
185 AttributeName **an, *a2;
188 if ( c->type == TRANS_LOCAL )
193 if ( c->op == SLAP_CONFIG_EMIT ) {
196 for ( i = 0; !BER_BVISNULL(&(*an)[i].an_name); i++ ) {
197 value_add_one( &c->rvalue_vals, &(*an)[i].an_name );
200 } else if ( c->op == LDAP_MOD_DELETE ) {
202 anlist_free( *an, 1, NULL );
206 ch_free( (*an)[i].an_name.bv_val );
208 (*an)[i] = (*an)[i+1];
210 } while ( !BER_BVISNULL( &(*an)[i].an_name ));
214 a2 = str2anlist( *an, c->argv[1], "," );
216 snprintf( c->cr_msg, sizeof( c->cr_msg ), "%s unable to parse attribute %s",
217 c->argv[0], c->argv[1] );
218 Debug( LDAP_DEBUG_CONFIG|LDAP_DEBUG_NONE,
219 "%s: %s\n", c->log, c->cr_msg, 0 );
226 static slap_overinst translucent;
230 ** call syncrepl_add_glue() with the parent suffix;
234 static struct berval glue[] = { BER_BVC("top"), BER_BVC("glue"), BER_BVNULL };
236 void glue_parent(Operation *op) {
238 slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
239 struct berval ndn = BER_BVNULL;
244 dnParent( &op->o_req_ndn, &pdn );
245 ber_dupbv_x( &ndn, &pdn, op->o_tmpmemctx );
247 Debug(LDAP_DEBUG_TRACE, "=> glue_parent: fabricating glue for <%s>\n", ndn.bv_val, 0, 0);
251 ber_dupbv(&e->e_name, &ndn);
252 ber_dupbv(&e->e_nname, &ndn);
254 a = attr_alloc( slap_schema.si_ad_objectClass );
256 a->a_vals = ch_malloc(sizeof(struct berval) * 3);
257 ber_dupbv(&a->a_vals[0], &glue[0]);
258 ber_dupbv(&a->a_vals[1], &glue[1]);
259 ber_dupbv(&a->a_vals[2], &glue[2]);
260 a->a_nvals = a->a_vals;
261 a->a_next = e->e_attrs;
264 a = attr_alloc( slap_schema.si_ad_structuralObjectClass );
266 a->a_vals = ch_malloc(sizeof(struct berval) * 2);
267 ber_dupbv(&a->a_vals[0], &glue[1]);
268 ber_dupbv(&a->a_vals[1], &glue[2]);
269 a->a_nvals = a->a_vals;
270 a->a_next = e->e_attrs;
277 nop.o_bd->bd_info = (BackendInfo *) on->on_info->oi_orig;
278 syncrepl_add_glue(&nop, e);
279 nop.o_bd->bd_info = (BackendInfo *) on;
281 op->o_tmpfree( ndn.bv_val, op->o_tmpmemctx );
288 ** free only the Attribute*, not the contents;
291 void free_attr_chain(Attribute *b) {
293 for(a=b; a; a=a->a_next) {
303 ** if not bound as root, send ACCESS error;
304 ** if glue, glue_parent();
309 static int translucent_add(Operation *op, SlapReply *rs) {
310 slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
311 translucent_info *ov = on->on_bi.bi_private;
312 Debug(LDAP_DEBUG_TRACE, "==> translucent_add: %s\n",
313 op->o_req_dn.bv_val, 0, 0);
315 op->o_bd->bd_info = (BackendInfo *) on->on_info;
316 send_ldap_error(op, rs, LDAP_INSUFFICIENT_ACCESS,
317 "user modification of overlay database not permitted");
318 op->o_bd->bd_info = (BackendInfo *) on;
321 if(!ov->no_glue) glue_parent(op);
322 return(SLAP_CB_CONTINUE);
326 ** translucent_modrdn()
327 ** if not bound as root, send ACCESS error;
328 ** if !glue, glue_parent();
329 ** else return CONTINUE;
333 static int translucent_modrdn(Operation *op, SlapReply *rs) {
334 slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
335 translucent_info *ov = on->on_bi.bi_private;
336 Debug(LDAP_DEBUG_TRACE, "==> translucent_modrdn: %s -> %s\n",
337 op->o_req_dn.bv_val, op->orr_newrdn.bv_val, 0);
339 op->o_bd->bd_info = (BackendInfo *) on->on_info;
340 send_ldap_error(op, rs, LDAP_INSUFFICIENT_ACCESS,
341 "user modification of overlay database not permitted");
342 op->o_bd->bd_info = (BackendInfo *) on;
346 op->o_tag = LDAP_REQ_ADD;
348 op->o_tag = LDAP_REQ_MODRDN;
350 return(SLAP_CB_CONTINUE);
354 ** translucent_delete()
355 ** if not bound as root, send ACCESS error;
356 ** else return CONTINUE;
360 static int translucent_delete(Operation *op, SlapReply *rs) {
361 slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
362 Debug(LDAP_DEBUG_TRACE, "==> translucent_delete: %s\n",
363 op->o_req_dn.bv_val, 0, 0);
365 op->o_bd->bd_info = (BackendInfo *) on->on_info;
366 send_ldap_error(op, rs, LDAP_INSUFFICIENT_ACCESS,
367 "user modification of overlay database not permitted");
368 op->o_bd->bd_info = (BackendInfo *) on;
371 return(SLAP_CB_CONTINUE);
375 translucent_tag_cb( Operation *op, SlapReply *rs )
377 op->o_tag = LDAP_REQ_MODIFY;
378 op->orm_modlist = op->o_callback->sc_private;
379 rs->sr_tag = slap_req2res( op->o_tag );
381 return SLAP_CB_CONTINUE;
385 ** translucent_modify()
386 ** modify in local backend if exists in both;
387 ** otherwise, add to local backend;
388 ** fail if not defined in captive backend;
392 static int translucent_modify(Operation *op, SlapReply *rs) {
393 SlapReply nrs = { REP_RESULT };
395 slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
396 translucent_info *ov = on->on_bi.bi_private;
397 Entry *e = NULL, *re = NULL;
399 Modifications *m, **mm;
401 int del, rc, erc = 0;
402 slap_callback cb = { 0 };
404 Debug(LDAP_DEBUG_TRACE, "==> translucent_modify: %s\n",
405 op->o_req_dn.bv_val, 0, 0);
407 if(ov->defer_db_open) {
408 send_ldap_error(op, rs, LDAP_UNAVAILABLE,
409 "remote DB not available");
413 ** fetch entry from the captive backend;
414 ** if it did not exist, fail;
415 ** release it, if captive backend supports this;
421 ov->db.be_acl = op->o_bd->be_acl;
422 rc = ov->db.bd_info->bi_entry_get_rw(op, &op->o_req_ndn, NULL, NULL, 0, &re);
423 if(rc != LDAP_SUCCESS || re == NULL ) {
424 send_ldap_error((op), rs, LDAP_NO_SUCH_OBJECT,
425 "attempt to modify nonexistent local record");
430 ** fetch entry from local backend;
432 ** foreach Modification:
433 ** if attr not present in local:
434 ** if Mod == LDAP_MOD_DELETE:
435 ** if remote attr not present, return NO_SUCH;
436 ** if remote attr present, drop this Mod;
437 ** else force this Mod to LDAP_MOD_ADD;
442 op->o_bd->bd_info = (BackendInfo *) on->on_info;
443 rc = be_entry_get_rw(op, &op->o_req_ndn, NULL, NULL, 0, &e);
444 op->o_bd->bd_info = (BackendInfo *) on;
446 if(e && rc == LDAP_SUCCESS) {
447 Debug(LDAP_DEBUG_TRACE, "=> translucent_modify: found local entry\n", 0, 0, 0);
448 for(mm = &op->orm_modlist; *mm; ) {
450 for(a = e->e_attrs; a; a = a->a_next)
451 if(a->a_desc == m->sml_desc) break;
454 continue; /* found local attr */
456 if(m->sml_op == LDAP_MOD_DELETE) {
457 for(a = re->e_attrs; a; a = a->a_next)
458 if(a->a_desc == m->sml_desc) break;
459 /* not found remote attr */
461 erc = LDAP_NO_SUCH_ATTRIBUTE;
465 erc = LDAP_CONSTRAINT_VIOLATION;
468 Debug(LDAP_DEBUG_TRACE,
469 "=> translucent_modify: silently dropping delete: %s\n",
470 m->sml_desc->ad_cname.bv_val, 0, 0);
473 slap_mods_free(m, 1);
476 m->sml_op = LDAP_MOD_ADD;
479 erc = SLAP_CB_CONTINUE;
482 if(ov->db.bd_info->bi_entry_release_rw) {
484 ov->db.bd_info->bi_entry_release_rw(op, re, 0);
489 op->o_bd->bd_info = (BackendInfo *) on->on_info;
490 be_entry_release_r(op, e);
491 op->o_bd->bd_info = (BackendInfo *) on;
492 if(erc == SLAP_CB_CONTINUE) {
495 send_ldap_error(op, rs, erc,
496 "attempt to delete nonexistent attribute");
501 /* don't leak remote entry copy */
503 if(ov->db.bd_info->bi_entry_release_rw) {
505 ov->db.bd_info->bi_entry_release_rw(op, re, 0);
511 ** foreach Modification:
512 ** if MOD_ADD or MOD_REPLACE, add Attribute;
513 ** if no Modifications were suitable:
514 ** if strict, throw CONSTRAINT_VIOLATION;
515 ** else, return early SUCCESS;
516 ** fabricate Entry with new Attribute chain;
517 ** glue_parent() for this Entry;
518 ** call bi_op_add() in local backend;
522 Debug(LDAP_DEBUG_TRACE, "=> translucent_modify: fabricating local add\n", 0, 0, 0);
524 for(del = 0, ax = NULL, m = op->orm_modlist; m; m = m->sml_next) {
526 if(((m->sml_op & LDAP_MOD_OP) != LDAP_MOD_ADD) &&
527 ((m->sml_op & LDAP_MOD_OP) != LDAP_MOD_REPLACE)) {
528 Debug(LDAP_DEBUG_ANY,
529 "=> translucent_modify: silently dropped modification(%d): %s\n",
530 m->sml_op, m->sml_desc->ad_cname.bv_val, 0);
531 if((m->sml_op & LDAP_MOD_OP) == LDAP_MOD_DELETE) del++;
534 atmp.a_desc = m->sml_desc;
535 atmp.a_vals = m->sml_values;
536 atmp.a_nvals = m->sml_nvalues ? m->sml_nvalues : atmp.a_vals;
537 atmp.a_numvals = m->sml_numvals;
539 a = attr_dup( &atmp );
544 if(del && ov->strict) {
546 send_ldap_error(op, rs, LDAP_CONSTRAINT_VIOLATION,
547 "attempt to delete attributes from local database");
553 send_ldap_error(op, rs, LDAP_CONSTRAINT_VIOLATION,
554 "modification contained other than ADD or REPLACE");
557 /* rs->sr_text = "no valid modification found"; */
558 rs->sr_err = LDAP_SUCCESS;
559 send_ldap_result(op, rs);
564 ber_dupbv( &e->e_name, &op->o_req_dn );
565 ber_dupbv( &e->e_nname, &op->o_req_ndn );
568 op->o_tag = LDAP_REQ_ADD;
569 cb.sc_response = translucent_tag_cb;
570 cb.sc_private = op->orm_modlist;
575 cb.sc_next = op->o_callback;
576 op->o_callback = &cb;
577 rc = on->on_info->oi_orig->bi_op_add(op, &nrs);
578 if ( op->ora_e == e )
580 op->o_callback = cb.sc_next;
585 static int translucent_compare(Operation *op, SlapReply *rs) {
586 slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
587 translucent_info *ov = on->on_bi.bi_private;
588 AttributeAssertion *ava = op->orc_ava;
593 Debug(LDAP_DEBUG_TRACE, "==> translucent_compare: <%s> %s:%s\n",
594 op->o_req_dn.bv_val, ava->aa_desc->ad_cname.bv_val, ava->aa_value.bv_val);
597 ** if the local backend has an entry for this attribute:
598 ** CONTINUE and let it do the compare;
601 rc = overlay_entry_get_ov(op, &op->o_req_ndn, NULL, ava->aa_desc, 0, &e, on);
602 if(rc == LDAP_SUCCESS && e) {
603 overlay_entry_release_ov(op, e, 0, on);
604 return(SLAP_CB_CONTINUE);
607 if(ov->defer_db_open) {
608 send_ldap_error(op, rs, LDAP_UNAVAILABLE,
609 "remote DB not available");
613 ** call compare() in the captive backend;
614 ** return the result;
619 ov->db.be_acl = op->o_bd->be_acl;
620 rc = ov->db.bd_info->bi_op_compare(op, rs);
626 static int translucent_pwmod(Operation *op, SlapReply *rs) {
627 SlapReply nrs = { REP_RESULT };
630 slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
631 translucent_info *ov = on->on_bi.bi_private;
632 const struct berval bv_exop_pwmod = BER_BVC(LDAP_EXOP_MODIFY_PASSWD);
633 Entry *e = NULL, *re = NULL;
636 slap_callback cb = { 0 };
638 if (!ov->pwmod_local) {
639 rs->sr_err = LDAP_CONSTRAINT_VIOLATION,
640 rs->sr_text = "attempt to modify password in local database";
645 ** fetch entry from the captive backend;
646 ** if it did not exist, fail;
647 ** release it, if captive backend supports this;
652 ov->db.be_acl = op->o_bd->be_acl;
653 rc = ov->db.bd_info->bi_entry_get_rw(op, &op->o_req_ndn, NULL, NULL, 0, &re);
654 if(rc != LDAP_SUCCESS || re == NULL ) {
655 send_ldap_error((op), rs, LDAP_NO_SUCH_OBJECT,
656 "attempt to modify nonexistent local record");
661 ** fetch entry from local backend;
666 op->o_bd->bd_info = (BackendInfo *) on->on_info;
667 rc = be_entry_get_rw(op, &op->o_req_ndn, NULL, NULL, 0, &e);
668 op->o_bd->bd_info = (BackendInfo *) on;
670 if(e && rc == LDAP_SUCCESS) {
672 if(ov->db.bd_info->bi_entry_release_rw) {
674 ov->db.bd_info->bi_entry_release_rw(op, re, 0);
680 op->o_bd->bd_info = (BackendInfo *) on->on_info;
681 be_entry_release_r(op, e);
682 op->o_bd->bd_info = (BackendInfo *) on;
683 return SLAP_CB_CONTINUE;
686 /* don't leak remote entry copy */
688 if(ov->db.bd_info->bi_entry_release_rw) {
690 ov->db.bd_info->bi_entry_release_rw(op, re, 0);
697 ** glue_parent() for this Entry;
698 ** call bi_op_add() in local backend;
702 ber_dupbv( &e->e_name, &op->o_req_dn );
703 ber_dupbv( &e->e_nname, &op->o_req_ndn );
707 nop.o_tag = LDAP_REQ_ADD;
708 cb.sc_response = slap_null_cb;
713 nop.o_callback = &cb;
714 rc = on->on_info->oi_orig->bi_op_add(&nop, &nrs);
715 if ( nop.ora_e == e ) {
719 if ( rc == LDAP_SUCCESS ) {
720 return SLAP_CB_CONTINUE;
726 static int translucent_exop(Operation *op, SlapReply *rs) {
727 SlapReply nrs = { REP_RESULT };
729 slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
730 translucent_info *ov = on->on_bi.bi_private;
731 const struct berval bv_exop_pwmod = BER_BVC(LDAP_EXOP_MODIFY_PASSWD);
733 Debug(LDAP_DEBUG_TRACE, "==> translucent_exop: %s\n",
734 op->o_req_dn.bv_val, 0, 0);
736 if(ov->defer_db_open) {
737 send_ldap_error(op, rs, LDAP_UNAVAILABLE,
738 "remote DB not available");
742 if ( bvmatch( &bv_exop_pwmod, &op->ore_reqoid ) ) {
743 return translucent_pwmod( op, rs );
746 return SLAP_CB_CONTINUE;
750 ** translucent_search_cb()
751 ** merge local data with remote data
754 ** 1: remote search, no local filter
755 ** merge data and send immediately
756 ** 2: remote search, with local filter
757 ** merge data and save
758 ** 3: local search, no remote filter
759 ** merge data and send immediately
760 ** 4: local search, with remote filter
761 ** check list, merge, send, delete
768 typedef struct trans_ctx {
775 AttributeName *attrs;
778 static int translucent_search_cb(Operation *op, SlapReply *rs) {
782 translucent_info *ov;
784 Attribute *a, *ax, *an, *as = NULL;
788 tc = op->o_callback->sc_private;
790 /* Don't let the op complete while we're gathering data */
791 if ( rs->sr_type == REP_RESULT && ( tc->step & USE_LIST ))
794 if(!op || !rs || rs->sr_type != REP_SEARCH || !rs->sr_entry)
795 return(SLAP_CB_CONTINUE);
797 Debug(LDAP_DEBUG_TRACE, "==> translucent_search_cb: %s\n",
798 rs->sr_entry->e_name.bv_val, 0, 0);
800 op->ors_slimit = tc->slimit + ( tc->slimit > 0 ? 1 : 0 );
801 if ( op->ors_attrs == slap_anlist_all_attributes ) {
802 op->ors_attrs = tc->attrs;
803 rs->sr_attrs = tc->attrs;
804 rs->sr_attr_flags = slap_attr_flags( rs->sr_attrs );
808 ov = on->on_bi.bi_private;
813 /* If we have local, get remote */
814 if ( tc->step & LCL_SIDE ) {
816 /* If entry is already on list, use it */
817 if ( tc->step & USE_LIST ) {
818 re = tavl_delete( &tc->list, le, entry_dn_cmp );
820 if ( rs->sr_flags & REP_ENTRY_MUSTRELEASE ) {
821 rs->sr_flags ^= REP_ENTRY_MUSTRELEASE;
822 overlay_entry_release_ov( op, rs->sr_entry, 0, on );
824 if ( rs->sr_flags & REP_ENTRY_MUSTBEFREED ) {
825 rs->sr_flags ^= REP_ENTRY_MUSTBEFREED;
826 entry_free( rs->sr_entry );
828 rc = test_filter( op, re, tc->orig );
829 if ( rc == LDAP_COMPARE_TRUE ) {
830 rs->sr_flags |= REP_ENTRY_MUSTBEFREED;
833 if ( tc->slimit >= 0 && rs->sr_nentries >= tc->slimit ) {
834 return LDAP_SIZELIMIT_EXCEEDED;
837 return SLAP_CB_CONTINUE;
846 rc = be_entry_get_rw( op, &rs->sr_entry->e_nname, NULL, NULL, 0, &re );
847 if ( rc == LDAP_SUCCESS && re ) {
848 Entry *tmp = entry_dup( re );
849 be_entry_release_r( op, re );
854 /* Else we have remote, get local */
857 rc = overlay_entry_get_ov(op, &rs->sr_entry->e_nname, NULL, NULL, 0, &le, on);
858 if ( rc == LDAP_SUCCESS && le ) {
859 re = entry_dup( rs->sr_entry );
860 if ( rs->sr_flags & REP_ENTRY_MUSTRELEASE ) {
861 rs->sr_flags ^= REP_ENTRY_MUSTRELEASE;
862 overlay_entry_release_ov( op, rs->sr_entry, 0, on );
864 if ( rs->sr_flags & REP_ENTRY_MUSTBEFREED ) {
865 rs->sr_flags ^= REP_ENTRY_MUSTBEFREED;
866 entry_free( rs->sr_entry );
874 ** if we got remote and local entry:
875 ** foreach local attr:
876 ** foreach remote attr:
877 ** if match, remote attr with local attr;
878 ** if new local, add to list;
879 ** append new local attrs to remote;
884 for(ax = le->e_attrs; ax; ax = ax->a_next) {
885 for(a = re->e_attrs; a; a = a->a_next) {
886 if(a->a_desc == ax->a_desc) {
888 if(a->a_vals != a->a_nvals)
889 ber_bvarray_free(a->a_nvals);
890 ber_bvarray_free(a->a_vals);
891 ber_bvarray_dup_x( &a->a_vals, ax->a_vals, NULL );
892 if ( ax->a_vals == ax->a_nvals ) {
893 a->a_nvals = a->a_vals;
895 ber_bvarray_dup_x( &a->a_nvals, ax->a_nvals, NULL );
905 /* Dispose of local entry */
906 if ( tc->step & LCL_SIDE ) {
907 if ( rs->sr_flags & REP_ENTRY_MUSTRELEASE ) {
908 rs->sr_flags ^= REP_ENTRY_MUSTRELEASE;
909 overlay_entry_release_ov( op, rs->sr_entry, 0, on );
911 if ( rs->sr_flags & REP_ENTRY_MUSTBEFREED ) {
912 rs->sr_flags ^= REP_ENTRY_MUSTBEFREED;
913 entry_free( rs->sr_entry );
916 overlay_entry_release_ov(op, le, 0, on);
919 /* literally append, so locals are always last */
922 for(ax = re->e_attrs; ax->a_next; ax = ax->a_next);
928 /* If both filters, save entry for later */
929 if ( tc->step == (USE_LIST|RMT_SIDE) ) {
930 tavl_insert( &tc->list, re, entry_dn_cmp, avl_dup_error );
936 rs->sr_flags |= REP_ENTRY_MUSTBEFREED;
938 rc = test_filter( op, rs->sr_entry, tc->orig );
939 if ( rc == LDAP_COMPARE_TRUE ) {
940 rc = SLAP_CB_CONTINUE;
945 rc = SLAP_CB_CONTINUE;
949 /* Only a local entry: remote was deleted
950 * Ought to delete the local too...
953 } else if ( tc->step & USE_LIST ) {
954 /* Only a remote entry, but both filters:
955 * Test the complete filter
957 rc = test_filter( op, rs->sr_entry, tc->orig );
958 if ( rc == LDAP_COMPARE_TRUE ) {
959 rc = SLAP_CB_CONTINUE;
964 /* Only a remote entry, only remote filter:
967 rc = SLAP_CB_CONTINUE;
972 if ( rc == SLAP_CB_CONTINUE && tc->slimit >= 0 && rs->sr_nentries >= tc->slimit ) {
973 return LDAP_SIZELIMIT_EXCEEDED;
979 /* Dup the filter, excluding invalid elements */
981 trans_filter_dup(Operation *op, Filter *f, AttributeName *an)
988 switch( f->f_choice & SLAPD_FILTER_MASK ) {
989 case SLAPD_FILTER_COMPUTED:
990 n = op->o_tmpalloc( sizeof(Filter), op->o_tmpmemctx );
991 n->f_choice = f->f_choice;
992 n->f_result = f->f_result;
996 case LDAP_FILTER_PRESENT:
997 if ( ad_inlist( f->f_desc, an )) {
998 n = op->o_tmpalloc( sizeof(Filter), op->o_tmpmemctx );
999 n->f_choice = f->f_choice;
1000 n->f_desc = f->f_desc;
1005 case LDAP_FILTER_EQUALITY:
1006 case LDAP_FILTER_GE:
1007 case LDAP_FILTER_LE:
1008 case LDAP_FILTER_APPROX:
1009 case LDAP_FILTER_SUBSTRINGS:
1010 case LDAP_FILTER_EXT:
1011 if ( !f->f_av_desc || ad_inlist( f->f_av_desc, an )) {
1012 n = op->o_tmpalloc( sizeof(Filter), op->o_tmpmemctx );
1013 n->f_choice = f->f_choice;
1014 n->f_ava = f->f_ava;
1019 case LDAP_FILTER_AND:
1020 case LDAP_FILTER_OR:
1021 case LDAP_FILTER_NOT: {
1024 n = op->o_tmpalloc( sizeof(Filter), op->o_tmpmemctx );
1025 n->f_choice = f->f_choice;
1028 for ( p = &n->f_list, f = f->f_list; f; f = f->f_next ) {
1029 *p = trans_filter_dup( op, f, an );
1034 /* nothing valid in this list */
1036 op->o_tmpfree( n, op->o_tmpmemctx );
1039 /* Only 1 element in this list */
1040 if ((n->f_choice & SLAPD_FILTER_MASK) != LDAP_FILTER_NOT &&
1041 !n->f_list->f_next ) {
1044 op->o_tmpfree( f, op->o_tmpmemctx );
1053 trans_filter_free( Operation *op, Filter *f )
1055 Filter *n, *p, *next;
1057 f->f_choice &= SLAPD_FILTER_MASK;
1059 switch( f->f_choice ) {
1060 case LDAP_FILTER_AND:
1061 case LDAP_FILTER_OR:
1062 case LDAP_FILTER_NOT:
1063 /* Free in reverse order */
1065 for ( p = f->f_list; p; p = next ) {
1070 for ( p = n; p; p = next ) {
1072 trans_filter_free( op, p );
1078 op->o_tmpfree( f, op->o_tmpmemctx );
1082 ** translucent_search()
1083 ** search via captive backend;
1084 ** override results with any local data;
1088 static int translucent_search(Operation *op, SlapReply *rs) {
1089 slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
1090 translucent_info *ov = on->on_bi.bi_private;
1091 slap_callback cb = { NULL, NULL, NULL, NULL };
1097 Debug(LDAP_DEBUG_TRACE, "==> translucent_search: <%s> %s\n",
1098 op->o_req_dn.bv_val, op->ors_filterstr.bv_val, 0);
1100 if(ov->defer_db_open) {
1101 send_ldap_error(op, rs, LDAP_UNAVAILABLE,
1102 "remote DB not available");
1106 fr = ov->remote ? trans_filter_dup( op, op->ors_filter, ov->remote ) : NULL;
1107 fl = ov->local ? trans_filter_dup( op, op->ors_filter, ov->local ) : NULL;
1108 cb.sc_response = (slap_response *) translucent_search_cb;
1109 cb.sc_private = &tc;
1110 cb.sc_next = op->o_callback;
1112 ov->db.be_acl = op->o_bd->be_acl;
1115 tc.orig = op->ors_filter;
1118 tc.slimit = op->ors_slimit;
1120 fbv = op->ors_filterstr;
1122 op->o_callback = &cb;
1125 tc.attrs = op->ors_attrs;
1126 op->ors_slimit = SLAP_NO_LIMIT;
1127 op->ors_attrs = slap_anlist_all_attributes;
1129 tc.step |= RMT_SIDE;
1131 tc.step |= USE_LIST;
1132 op->ors_filter = fr;
1133 filter2bv_x( op, fr, &op->ors_filterstr );
1135 rc = ov->db.bd_info->bi_op_search(op, rs);
1136 op->ors_attrs = tc.attrs;
1139 op->o_tmpfree( op->ors_filterstr.bv_val, op->o_tmpmemctx );
1143 tc.step |= LCL_SIDE;
1144 op->ors_filter = fl;
1145 filter2bv_x( op, fl, &op->ors_filterstr );
1146 rc = overlay_op_walk( op, rs, op_search, on->on_info, on->on_next );
1147 op->o_tmpfree( op->ors_filterstr.bv_val, op->o_tmpmemctx );
1149 op->ors_filterstr = fbv;
1150 op->ors_filter = tc.orig;
1151 op->o_callback = cb.sc_next;
1152 rs->sr_attrs = op->ors_attrs;
1153 rs->sr_attr_flags = slap_attr_flags( rs->sr_attrs );
1155 /* Send out anything remaining on the list and finish */
1156 if ( tc.step & USE_LIST ) {
1160 av = tavl_end( tc.list, TAVL_DIR_LEFT );
1162 rs->sr_entry = av->avl_data;
1163 if ( rc == LDAP_SUCCESS && LDAP_COMPARE_TRUE ==
1164 test_filter( op, rs->sr_entry, op->ors_filter ))
1166 rs->sr_flags = REP_ENTRY_MUSTBEFREED;
1167 rc = send_search_entry( op, rs );
1169 entry_free( rs->sr_entry );
1171 av = tavl_next( av, TAVL_DIR_RIGHT );
1173 tavl_free( tc.list, NULL );
1174 rs->sr_entry = NULL;
1176 send_ldap_result( op, rs );
1179 op->ors_slimit = tc.slimit;
1181 /* Free in reverse order */
1183 trans_filter_free( op, fl );
1185 trans_filter_free( op, fr );
1192 ** translucent_bind()
1193 ** pass bind request to captive backend;
1197 static int translucent_bind(Operation *op, SlapReply *rs) {
1198 slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
1199 translucent_info *ov = on->on_bi.bi_private;
1201 slap_callback sc = { 0 }, *save_cb;
1204 Debug(LDAP_DEBUG_TRACE, "translucent_bind: <%s> method %d\n",
1205 op->o_req_dn.bv_val, op->orb_method, 0);
1207 if(ov->defer_db_open) {
1208 send_ldap_error(op, rs, LDAP_UNAVAILABLE,
1209 "remote DB not available");
1213 if (ov->bind_local) {
1214 sc.sc_response = slap_null_cb;
1215 save_cb = op->o_callback;
1216 op->o_callback = ≻
1221 ov->db.be_acl = op->o_bd->be_acl;
1222 rc = ov->db.bd_info->bi_op_bind(op, rs);
1225 if (ov->bind_local) {
1226 op->o_callback = save_cb;
1227 if (rc != LDAP_SUCCESS) {
1228 rc = SLAP_CB_CONTINUE;
1236 ** translucent_connection_destroy()
1237 ** pass disconnect notification to captive backend;
1241 static int translucent_connection_destroy(BackendDB *be, Connection *conn) {
1242 slap_overinst *on = (slap_overinst *) be->bd_info;
1243 translucent_info *ov = on->on_bi.bi_private;
1246 Debug(LDAP_DEBUG_TRACE, "translucent_connection_destroy\n", 0, 0, 0);
1248 rc = ov->db.bd_info->bi_connection_destroy(&ov->db, conn);
1254 ** translucent_db_config()
1255 ** pass config directives to captive backend;
1256 ** parse unrecognized directives ourselves;
1260 static int translucent_db_config(
1268 slap_overinst *on = (slap_overinst *) be->bd_info;
1269 translucent_info *ov = on->on_bi.bi_private;
1271 Debug(LDAP_DEBUG_TRACE, "==> translucent_db_config: %s\n",
1272 argc ? argv[0] : "", 0, 0);
1274 /* Something for the captive database? */
1275 if ( ov->db.bd_info && ov->db.bd_info->bi_db_config )
1276 return ov->db.bd_info->bi_db_config( &ov->db, fname, lineno,
1278 return SLAP_CONF_UNKNOWN;
1282 ** translucent_db_init()
1283 ** initialize the captive backend;
1287 static int translucent_db_init(BackendDB *be, ConfigReply *cr) {
1288 slap_overinst *on = (slap_overinst *) be->bd_info;
1289 translucent_info *ov;
1291 Debug(LDAP_DEBUG_TRACE, "==> translucent_db_init\n", 0, 0, 0);
1293 ov = ch_calloc(1, sizeof(translucent_info));
1294 on->on_bi.bi_private = ov;
1296 ov->db.be_private = NULL;
1297 ov->defer_db_open = 1;
1299 if ( !backend_db_init( "ldap", &ov->db, -1, NULL )) {
1300 Debug( LDAP_DEBUG_CONFIG, "translucent: unable to open captive back-ldap\n", 0, 0, 0);
1303 SLAP_DBFLAGS(be) |= SLAP_DBFLAG_NO_SCHEMA_CHECK;
1304 SLAP_DBFLAGS(be) |= SLAP_DBFLAG_NOLASTMOD;
1310 ** translucent_db_open()
1311 ** if the captive backend has an open() method, call it;
1315 static int translucent_db_open(BackendDB *be, ConfigReply *cr) {
1316 slap_overinst *on = (slap_overinst *) be->bd_info;
1317 translucent_info *ov = on->on_bi.bi_private;
1320 Debug(LDAP_DEBUG_TRACE, "==> translucent_db_open\n", 0, 0, 0);
1322 /* need to inherit something from the original database... */
1323 ov->db.be_def_limit = be->be_def_limit;
1324 ov->db.be_limits = be->be_limits;
1325 ov->db.be_acl = be->be_acl;
1326 ov->db.be_dfltaccess = be->be_dfltaccess;
1328 if ( ov->defer_db_open )
1331 rc = backend_startup_one( &ov->db, cr );
1333 if(rc) Debug(LDAP_DEBUG_TRACE,
1334 "translucent: bi_db_open() returned error %d\n", rc, 0, 0);
1340 ** translucent_db_close()
1341 ** if the captive backend has a close() method, call it
1346 translucent_db_close( BackendDB *be, ConfigReply *cr )
1348 slap_overinst *on = (slap_overinst *) be->bd_info;
1349 translucent_info *ov = on->on_bi.bi_private;
1352 Debug(LDAP_DEBUG_TRACE, "==> translucent_db_close\n", 0, 0, 0);
1354 if ( ov && ov->db.bd_info && ov->db.bd_info->bi_db_close ) {
1355 rc = ov->db.bd_info->bi_db_close(&ov->db, NULL);
1362 ** translucent_db_destroy()
1363 ** if the captive backend has a db_destroy() method, call it;
1364 ** free any config data
1369 translucent_db_destroy( BackendDB *be, ConfigReply *cr )
1371 slap_overinst *on = (slap_overinst *) be->bd_info;
1372 translucent_info *ov = on->on_bi.bi_private;
1375 Debug(LDAP_DEBUG_TRACE, "==> translucent_db_destroy\n", 0, 0, 0);
1379 anlist_free( ov->remote, 1, NULL );
1381 anlist_free( ov->local, 1, NULL );
1382 if ( ov->db.be_private != NULL ) {
1383 backend_stopdown_one( &ov->db );
1386 ldap_pvt_thread_mutex_destroy( &ov->db.be_pcl_mutex );
1388 on->on_bi.bi_private = NULL;
1395 ** translucent_initialize()
1396 ** initialize the slap_overinst with our entry points;
1400 int translucent_initialize() {
1404 Debug(LDAP_DEBUG_TRACE, "==> translucent_initialize\n", 0, 0, 0);
1406 translucent.on_bi.bi_type = "translucent";
1407 translucent.on_bi.bi_db_init = translucent_db_init;
1408 translucent.on_bi.bi_db_config = translucent_db_config;
1409 translucent.on_bi.bi_db_open = translucent_db_open;
1410 translucent.on_bi.bi_db_close = translucent_db_close;
1411 translucent.on_bi.bi_db_destroy = translucent_db_destroy;
1412 translucent.on_bi.bi_op_bind = translucent_bind;
1413 translucent.on_bi.bi_op_add = translucent_add;
1414 translucent.on_bi.bi_op_modify = translucent_modify;
1415 translucent.on_bi.bi_op_modrdn = translucent_modrdn;
1416 translucent.on_bi.bi_op_delete = translucent_delete;
1417 translucent.on_bi.bi_op_search = translucent_search;
1418 translucent.on_bi.bi_op_compare = translucent_compare;
1419 translucent.on_bi.bi_connection_destroy = translucent_connection_destroy;
1420 translucent.on_bi.bi_extended = translucent_exop;
1422 translucent.on_bi.bi_cf_ocs = translucentocs;
1423 rc = config_register_schema ( translucentcfg, translucentocs );
1424 if ( rc ) return rc;
1426 return(overlay_register(&translucent));
1429 #if SLAPD_OVER_TRANSLUCENT == SLAPD_MOD_DYNAMIC && defined(PIC)
1430 int init_module(int argc, char *argv[]) {
1431 return translucent_initialize();
1435 #endif /* SLAPD_OVER_TRANSLUCENT */