1 /* schema_check.c - routines to enforce schema definitions */
4 * Copyright 1998-1999 The OpenLDAP Foundation, All Rights Reserved.
5 * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
13 #include <ac/string.h>
14 #include <ac/socket.h>
19 #ifdef SLAPD_SCHEMA_NOT_COMPAT
20 static int oc_check_allowed(
22 struct berval **oclist );
24 static int oc_check_allowed(char *type, struct berval **oclist);
26 static char * oc_check_required(Entry *e, struct berval *ocname);
29 * entry_schema_check - check that entry e conforms to the schema required
30 * by its object class(es).
32 * returns 0 if so, non-zero otherwise.
36 schema_check_entry( Entry *e )
43 if( !global_schemacheck ) return 0;
45 /* find the object class attribute - could error out here */
46 if ( (aoc = attr_find( e->e_attrs, "objectclass" )) == NULL ) {
47 Debug( LDAP_DEBUG_ANY, "No object class for entry (%s)\n",
52 /* check that the entry has required attrs for each oc */
53 for ( i = 0; aoc->a_vals[i] != NULL; i++ ) {
54 if ( (oc = oc_find( aoc->a_vals[i]->bv_val )) == NULL ) {
55 Debug( LDAP_DEBUG_ANY,
56 "Objectclass \"%s\" not defined\n",
57 aoc->a_vals[i]->bv_val, 0, 0 );
61 char *s = oc_check_required( e, aoc->a_vals[i] );
64 Debug( LDAP_DEBUG_ANY,
65 "Entry (%s), oc \"%s\" requires attr \"%s\"\n",
66 e->e_dn, aoc->a_vals[i]->bv_val, s );
76 /* check that each attr in the entry is allowed by some oc */
77 for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
78 #ifdef SLAPD_SCHEMA_NOT_COMPAT
79 if ( oc_check_allowed( a->a_desc.ad_type, aoc->a_vals ) != 0 ) {
80 Debug( LDAP_DEBUG_ANY,
81 "Entry (%s), attr \"%s\" not allowed\n",
82 e->e_dn, a->a_desc.ad_cname->bv_val, 0 );
86 if ( oc_check_allowed( a->a_type, aoc->a_vals ) != 0 ) {
87 Debug( LDAP_DEBUG_ANY,
88 "Entry (%s), attr \"%s\" not allowed\n",
89 e->e_dn, a->a_type, 0 );
99 oc_check_required( Entry *e, struct berval *ocname )
106 Debug( LDAP_DEBUG_TRACE,
107 "oc_check_required entry (%s), objectclass \"%s\"\n",
108 e->e_dn, ocname, 0 );
110 /* find global oc defn. it we don't know about it assume it's ok */
111 if ( (oc = oc_find( ocname->bv_val )) == NULL ) {
115 /* check for empty oc_required */
116 if(oc->soc_required == NULL) {
120 /* for each required attribute */
121 for ( i = 0; oc->soc_required[i] != NULL; i++ ) {
122 at = oc->soc_required[i];
123 /* see if it's in the entry */
124 for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
125 #ifdef SLAPD_SCHEMA_NOT_COMPAT
126 if( a->a_desc.ad_type == at ) {
133 strcmp( a->a_type, at->sat_oid ) == 0 ) {
138 /* Empty name list => not found */
143 if ( strcasecmp( a->a_type, *pp ) == 0 ) {
153 /* not there => schema violation */
155 #ifdef SLAPD_SCHEMA_NOT_COMPAT
156 return at->sat_cname;
158 if ( at->sat_names && at->sat_names[0] ) {
159 return at->sat_names[0];
172 #ifdef SLAPD_SCHEMA_NOT_COMPAT
177 struct berval **ocl )
182 #ifdef SLAPD_SCHEMA_NOT_COMPAT
183 Debug( LDAP_DEBUG_TRACE,
184 "oc_check_allowed type \"%s\"\n",
185 at->sat_cname, 0, 0 );
187 /* always allow objectclass attribute */
188 if ( strcasecmp( at->sat_cname, "objectclass" ) == 0 ) {
198 Debug( LDAP_DEBUG_TRACE,
199 "oc_check_allowed type \"%s\"\n", type, 0, 0 );
201 /* always allow objectclass attribute */
202 if ( strcasecmp( type, "objectclass" ) == 0 ) {
207 #ifdef SLAPD_SCHEMA_NOT_COMPAT
208 if( is_at_operational(at) ) {
213 * The "type" we have received is actually an AttributeDescription.
214 * Let's find out the corresponding type.
216 p = strchr( type, ';' );
218 t = ch_malloc( p-type+1 );
219 strncpy( t, type, p-type );
221 Debug( LDAP_DEBUG_TRACE,
222 "oc_check_allowed type \"%s\" from \"%s\"\n",
231 * All operational attributions are allowed by schema rules.
233 if ( oc_check_op_attr( t ) ) {
238 /* check that the type appears as req or opt in at least one oc */
239 for ( i = 0; ocl[i] != NULL; i++ ) {
240 /* if we know about the oc */
241 if ( (oc = oc_find( ocl[i]->bv_val )) != NULL ) {
242 /* does it require the type? */
243 for ( j = 0; oc->soc_required != NULL &&
244 oc->soc_required[j] != NULL; j++ )
246 #ifdef SLAPD_SCHEMA_NOT_COMPAT
247 if( at == oc->soc_required[j] ) {
251 at = oc->soc_required[j];
253 strcmp(at->sat_oid, t ) == 0 ) {
262 if ( strcasecmp( *pp, t ) == 0 ) {
271 /* does it allow the type? */
272 for ( j = 0; oc->soc_allowed != NULL &&
273 oc->soc_allowed[j] != NULL; j++ )
275 #ifdef SLAPD_SCHEMA_NOT_COMPAT
276 if( at == oc->soc_allowed[j] ) {
280 at = oc->soc_allowed[j];
282 strcmp( at->sat_oid, t ) == 0 ) {
291 if ( strcasecmp( *pp, t ) == 0 ||
292 strcmp( *pp, "*" ) == 0 ) {
301 /* maybe the next oc allows it */
303 #ifdef OC_UNDEFINED_IMPLES_EXTENSIBLE
304 /* we don't know about the oc. assume it allows it */
313 #ifndef SLAPD_SCHEMA_NOT_COMPAT
318 /* not allowed by any oc */