1 /* schema_check.c - routines to enforce schema definitions */
4 * Copyright 1998-2000 The OpenLDAP Foundation, All Rights Reserved.
5 * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
13 #include <ac/string.h>
14 #include <ac/socket.h>
19 static char * oc_check_required(Entry *e, struct berval *ocname);
22 * entry_schema_check - check that entry e conforms to the schema required
23 * by its object class(es).
25 * returns 0 if so, non-zero otherwise.
30 Entry *e, Attribute *oldattrs, const char** text,
31 char *textbuf, size_t textlen )
37 AttributeDescription *ad_objectClass = slap_schema.si_ad_objectClass;
40 if( !global_schemacheck ) return LDAP_SUCCESS;
44 /* find the object class attribute - could error out here */
45 if ( (aoc = attr_find( e->e_attrs, ad_objectClass )) == NULL ) {
47 LDAP_LOG(( "schema", LDAP_LEVEL_INFO,
48 "entry_schema_check: No objectClass for entry (%s).\n", e->e_dn ));
50 Debug( LDAP_DEBUG_ANY, "No objectClass for entry (%s)\n",
54 *text = "no objectClass attribute";
55 return LDAP_OBJECT_CLASS_VIOLATION;
58 /* check that the entry has required attrs for each oc */
59 for ( i = 0; aoc->a_vals[i] != NULL; i++ ) {
60 if ( (oc = oc_find( aoc->a_vals[i]->bv_val )) == NULL ) {
61 snprintf( textbuf, textlen,
62 "unrecognized objectClass '%s'",
63 aoc->a_vals[i]->bv_val );
66 LDAP_LOG(( "schema", LDAP_LEVEL_INFO,
67 "entry_schema_check: dn (%s), %s\n",
70 Debug( LDAP_DEBUG_ANY,
71 "entry_check_schema(%s): \"%s\" not recognized\n",
72 e->e_dn, textbuf, 0 );
75 return LDAP_OBJECT_CLASS_VIOLATION;
78 char *s = oc_check_required( e, aoc->a_vals[i] );
81 snprintf( textbuf, textlen,
82 "object class '%s' requires attribute '%s'",
83 aoc->a_vals[i]->bv_val, s );
86 LDAP_LOG(( "schema", LDAP_LEVEL_INFO,
87 "entry_schema_check: dn=\"%s\" %s",
90 Debug( LDAP_DEBUG_ANY,
92 e->e_dn, textbuf, 0 );
95 return LDAP_OBJECT_CLASS_VIOLATION;
98 if( oc == slap_schema.si_oc_extensibleObject ) {
112 /* check that each attr in the entry is allowed by some oc */
113 for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
114 ret = oc_check_allowed( a->a_desc->ad_type, aoc->a_vals );
116 char *type = a->a_desc->ad_cname->bv_val;
118 snprintf( textbuf, textlen,
119 "attribute '%s' not allowed",
123 LDAP_LOG(( "schema", LDAP_LEVEL_INFO,
124 "entry_schema_check: dn=\"%s\" %s\n",
127 Debug( LDAP_DEBUG_ANY,
129 e->e_dn, textbuf, 0 );
140 oc_check_required( Entry *e, struct berval *ocname )
148 LDAP_LOG(( "schema", LDAP_LEVEL_ENTRY,
149 "oc_check_required: dn (%s), objectClass \"%s\"\n",
150 e->e_dn, ocname->bv_val ));
152 Debug( LDAP_DEBUG_TRACE,
153 "oc_check_required entry (%s), objectClass \"%s\"\n",
154 e->e_dn, ocname->bv_val, 0 );
158 /* find global oc defn. it we don't know about it assume it's ok */
159 if ( (oc = oc_find( ocname->bv_val )) == NULL ) {
163 /* check for empty oc_required */
164 if(oc->soc_required == NULL) {
168 /* for each required attribute */
169 for ( i = 0; oc->soc_required[i] != NULL; i++ ) {
170 at = oc->soc_required[i];
171 /* see if it's in the entry */
172 for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
173 if( a->a_desc->ad_type == at ) {
177 /* not there => schema violation */
179 return at->sat_cname;
186 int oc_check_allowed(
188 struct berval **ocl )
194 LDAP_LOG(( "schema", LDAP_LEVEL_ENTRY,
195 "oc_check_allowed: type \"%s\"\n", at->sat_cname ));
197 Debug( LDAP_DEBUG_TRACE,
198 "oc_check_allowed type \"%s\"\n",
199 at->sat_cname, 0, 0 );
202 /* always allow objectClass attribute */
203 if ( strcasecmp( at->sat_cname, "objectClass" ) == 0 ) {
209 * All operational attributions are allowed by schema rules.
211 if( is_at_operational(at) ) {
215 /* check that the type appears as req or opt in at least one oc */
216 for ( i = 0; ocl[i] != NULL; i++ ) {
217 /* if we know about the oc */
218 if ( (oc = oc_find( ocl[i]->bv_val )) != NULL ) {
219 /* does it require the type? */
220 for ( j = 0; oc->soc_required != NULL &&
221 oc->soc_required[j] != NULL; j++ )
223 if( at == oc->soc_required[j] ) {
227 /* does it allow the type? */
228 for ( j = 0; oc->soc_allowed != NULL &&
229 oc->soc_allowed[j] != NULL; j++ )
231 if( at == oc->soc_allowed[j] ) {
235 /* maybe the next oc allows it */
239 /* not allowed by any oc */
240 return LDAP_OBJECT_CLASS_VIOLATION;