1 /* schema_check.c - routines to enforce schema definitions */
4 * Copyright 1998-2000 The OpenLDAP Foundation, All Rights Reserved.
5 * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
13 #include <ac/string.h>
14 #include <ac/socket.h>
19 static char * oc_check_required(Entry *e, struct berval *ocname);
22 * entry_schema_check - check that entry e conforms to the schema required
23 * by its object class(es).
25 * returns 0 if so, non-zero otherwise.
30 Entry *e, Attribute *oldattrs, const char** text )
36 AttributeDescription *ad_objectClass = slap_schema.si_ad_objectClass;
39 if( !global_schemacheck ) return LDAP_SUCCESS;
41 /* find the object class attribute - could error out here */
42 if ( (aoc = attr_find( e->e_attrs, ad_objectClass )) == NULL ) {
44 LDAP_LOG(( "schema", LDAP_LEVEL_INFO,
45 "entry_schema_check: No object class for entry (%s).\n", e->e_dn ));
47 Debug( LDAP_DEBUG_ANY, "No object class for entry (%s)\n",
51 *text = "no objectClass attribute";
52 return LDAP_OBJECT_CLASS_VIOLATION;
57 /* check that the entry has required attrs for each oc */
58 for ( i = 0; aoc->a_vals[i] != NULL; i++ ) {
59 if ( (oc = oc_find( aoc->a_vals[i]->bv_val )) == NULL ) {
61 LDAP_LOG(( "schema", LDAP_LEVEL_INFO,
62 "entry_schema_check: dn (%s), objectclass \"%s\" not recognized\n",
63 e->e_dn, aoc->a_vals[i]->bv_val ));
65 Debug( LDAP_DEBUG_ANY,
66 "entry_check_schema(%s): objectclass \"%s\" not recognized\n",
67 e->e_dn, aoc->a_vals[i]->bv_val, 0 );
70 *text = "unrecognized object class";
71 return LDAP_OBJECT_CLASS_VIOLATION;
74 char *s = oc_check_required( e, aoc->a_vals[i] );
78 LDAP_LOG(( "schema", LDAP_LEVEL_INFO,
79 "entry_schema_check: dn (%s) oc \"%s\" requires att \"%s\"\n",
80 e->e_dn, aoc->a_vals[i]->bv_val, s ));
82 Debug( LDAP_DEBUG_ANY,
83 "Entry (%s), oc \"%s\" requires attr \"%s\"\n",
84 e->e_dn, aoc->a_vals[i]->bv_val, s );
87 *text = "missing required attribute";
88 return LDAP_OBJECT_CLASS_VIOLATION;
91 if( oc == slap_schema.si_oc_extensibleObject ) {
102 /* check that each attr in the entry is allowed by some oc */
103 for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
104 ret = oc_check_allowed( a->a_desc->ad_type, aoc->a_vals );
106 char *type = a->a_desc->ad_cname->bv_val;
108 LDAP_LOG(( "schema", LDAP_LEVEL_INFO,
109 "entry_schema_check: Entry (%s) attr \"%s\" not allowed.\n",
112 Debug( LDAP_DEBUG_ANY,
113 "Entry (%s), attr \"%s\" not allowed\n",
117 *text = "attribute not allowed";
126 oc_check_required( Entry *e, struct berval *ocname )
134 LDAP_LOG(( "schema", LDAP_LEVEL_ENTRY,
135 "oc_check_required: dn (%s), objectclass \"%s\"\n",
136 e->e_dn, ocname->bv_val ));
138 Debug( LDAP_DEBUG_TRACE,
139 "oc_check_required entry (%s), objectclass \"%s\"\n",
140 e->e_dn, ocname->bv_val, 0 );
144 /* find global oc defn. it we don't know about it assume it's ok */
145 if ( (oc = oc_find( ocname->bv_val )) == NULL ) {
149 /* check for empty oc_required */
150 if(oc->soc_required == NULL) {
154 /* for each required attribute */
155 for ( i = 0; oc->soc_required[i] != NULL; i++ ) {
156 at = oc->soc_required[i];
157 /* see if it's in the entry */
158 for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
159 if( a->a_desc->ad_type == at ) {
163 /* not there => schema violation */
165 return at->sat_cname;
172 int oc_check_allowed(
174 struct berval **ocl )
180 LDAP_LOG(( "schema", LDAP_LEVEL_ENTRY,
181 "oc_check_allowed: type \"%s\"\n", at->sat_cname ));
183 Debug( LDAP_DEBUG_TRACE,
184 "oc_check_allowed type \"%s\"\n",
185 at->sat_cname, 0, 0 );
189 /* always allow objectclass attribute */
190 if ( strcasecmp( at->sat_cname, "objectclass" ) == 0 ) {
196 * All operational attributions are allowed by schema rules.
198 if( is_at_operational(at) ) {
202 /* check that the type appears as req or opt in at least one oc */
203 for ( i = 0; ocl[i] != NULL; i++ ) {
204 /* if we know about the oc */
205 if ( (oc = oc_find( ocl[i]->bv_val )) != NULL ) {
206 /* does it require the type? */
207 for ( j = 0; oc->soc_required != NULL &&
208 oc->soc_required[j] != NULL; j++ )
210 if( at == oc->soc_required[j] ) {
214 /* does it allow the type? */
215 for ( j = 0; oc->soc_allowed != NULL &&
216 oc->soc_allowed[j] != NULL; j++ )
218 if( at == oc->soc_allowed[j] ) {
222 /* maybe the next oc allows it */
224 #ifdef OC_UNDEFINED_IMPLES_EXTENSIBLE
225 /* we don't know about the oc. assume it allows it */
235 /* not allowed by any oc */
236 return LDAP_OBJECT_CLASS_VIOLATION;