1 /* schema_check.c - routines to enforce schema definitions */
4 * Copyright 1998-2000 The OpenLDAP Foundation, All Rights Reserved.
5 * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
13 #include <ac/string.h>
14 #include <ac/socket.h>
19 #ifndef SLAPD_SCHEMA_NOT_COMPAT
20 static int oc_check_allowed(char *type, struct berval **oclist);
22 static char * oc_check_required(Entry *e, struct berval *ocname);
25 * entry_schema_check - check that entry e conforms to the schema required
26 * by its object class(es).
28 * returns 0 if so, non-zero otherwise.
33 Entry *e, Attribute *oldattrs, const char** text )
39 #ifdef SLAPD_SCHEMA_NOT_COMPAT
40 AttributeDescription *ad_objectClass = slap_schema.si_ad_objectClass;
42 static const char *ad_objectClass = "objectclass";
46 if( !global_schemacheck ) return LDAP_SUCCESS;
48 /* find the object class attribute - could error out here */
49 if ( (aoc = attr_find( e->e_attrs, ad_objectClass )) == NULL ) {
50 Debug( LDAP_DEBUG_ANY, "No object class for entry (%s)\n",
52 *text = "no objectclass attribute";
53 return oldattrs != NULL
54 ? LDAP_OBJECT_CLASS_VIOLATION
55 : LDAP_NO_OBJECT_CLASS_MODS;
60 /* check that the entry has required attrs for each oc */
61 for ( i = 0; aoc->a_vals[i] != NULL; i++ ) {
62 if ( (oc = oc_find( aoc->a_vals[i]->bv_val )) == NULL ) {
63 Debug( LDAP_DEBUG_ANY,
64 "entry_check_schema(%s): objectclass \"%s\" not defined\n",
65 e->e_dn, aoc->a_vals[i]->bv_val, 0 );
68 char *s = oc_check_required( e, aoc->a_vals[i] );
71 Debug( LDAP_DEBUG_ANY,
72 "Entry (%s), oc \"%s\" requires attr \"%s\"\n",
73 e->e_dn, aoc->a_vals[i]->bv_val, s );
74 *text = "missing required attribute";
75 ret = LDAP_OBJECT_CLASS_VIOLATION;
79 #ifdef SLAPD_SCHEMA_NOT_COMPAT
80 if( oc == slap_schema.si_oc_extensibleObject )
82 if( !strcmp( aoc->a_vals[i]->bv_val, "extensibleObject" ) == 0 )
91 if ( ret != LDAP_SUCCESS ) {
99 /* check that each attr in the entry is allowed by some oc */
100 for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
101 #ifdef SLAPD_SCHEMA_NOT_COMPAT
102 ret = oc_check_allowed( a->a_desc->ad_type, aoc->a_vals );
104 ret = oc_check_allowed( a->a_type, aoc->a_vals );
107 #ifdef SLAPD_SCHEMA_NOT_COMPAT
108 char *type = a->a_desc->ad_cname->bv_val;
110 char *type = a->a_type;
112 Debug( LDAP_DEBUG_ANY,
113 "Entry (%s), attr \"%s\" not allowed\n",
115 *text = "attribute not allowed";
124 oc_check_required( Entry *e, struct berval *ocname )
131 Debug( LDAP_DEBUG_TRACE,
132 "oc_check_required entry (%s), objectclass \"%s\"\n",
133 e->e_dn, ocname->bv_val, 0 );
135 /* find global oc defn. it we don't know about it assume it's ok */
136 if ( (oc = oc_find( ocname->bv_val )) == NULL ) {
140 /* check for empty oc_required */
141 if(oc->soc_required == NULL) {
145 /* for each required attribute */
146 for ( i = 0; oc->soc_required[i] != NULL; i++ ) {
147 at = oc->soc_required[i];
148 /* see if it's in the entry */
149 for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
150 #ifdef SLAPD_SCHEMA_NOT_COMPAT
151 if( a->a_desc->ad_type == at ) {
158 strcmp( a->a_type, at->sat_oid ) == 0 ) {
163 /* Empty name list => not found */
168 if ( strcasecmp( a->a_type, *pp ) == 0 ) {
178 /* not there => schema violation */
180 #ifdef SLAPD_SCHEMA_NOT_COMPAT
181 return at->sat_cname;
183 if ( at->sat_names && at->sat_names[0] ) {
184 return at->sat_names[0];
195 #ifndef SLAPD_SCHEMA_NOT_COMPAT
198 int oc_check_allowed(
199 #ifdef SLAPD_SCHEMA_NOT_COMPAT
204 struct berval **ocl )
209 #ifdef SLAPD_SCHEMA_NOT_COMPAT
210 Debug( LDAP_DEBUG_TRACE,
211 "oc_check_allowed type \"%s\"\n",
212 at->sat_cname, 0, 0 );
214 /* always allow objectclass attribute */
215 if ( strcasecmp( at->sat_cname, "objectclass" ) == 0 ) {
225 Debug( LDAP_DEBUG_TRACE,
226 "oc_check_allowed type \"%s\"\n", type, 0, 0 );
228 /* always allow objectclass attribute */
229 if ( strcasecmp( type, "objectclass" ) == 0 ) {
234 #ifdef SLAPD_SCHEMA_NOT_COMPAT
236 * All operational attributions are allowed by schema rules.
238 if( is_at_operational(at) ) {
243 * The "type" we have received is actually an AttributeDescription.
244 * Let's find out the corresponding type.
246 p = strchr( type, ';' );
248 t = ch_malloc( p-type+1 );
249 strncpy( t, type, p-type );
251 Debug( LDAP_DEBUG_TRACE,
252 "oc_check_allowed type \"%s\" from \"%s\"\n",
261 * All operational attributions are allowed by schema rules.
263 if ( oc_check_op_attr( t ) ) {
268 /* check that the type appears as req or opt in at least one oc */
269 for ( i = 0; ocl[i] != NULL; i++ ) {
270 /* if we know about the oc */
271 if ( (oc = oc_find( ocl[i]->bv_val )) != NULL ) {
272 /* does it require the type? */
273 for ( j = 0; oc->soc_required != NULL &&
274 oc->soc_required[j] != NULL; j++ )
276 #ifdef SLAPD_SCHEMA_NOT_COMPAT
277 if( at == oc->soc_required[j] ) {
281 at = oc->soc_required[j];
283 strcmp(at->sat_oid, t ) == 0 ) {
292 if ( strcasecmp( *pp, t ) == 0 ) {
301 /* does it allow the type? */
302 for ( j = 0; oc->soc_allowed != NULL &&
303 oc->soc_allowed[j] != NULL; j++ )
305 #ifdef SLAPD_SCHEMA_NOT_COMPAT
306 if( at == oc->soc_allowed[j] ) {
310 at = oc->soc_allowed[j];
312 strcmp( at->sat_oid, t ) == 0 ) {
321 if ( strcasecmp( *pp, t ) == 0 ||
322 strcmp( *pp, "*" ) == 0 ) {
331 /* maybe the next oc allows it */
333 #ifdef OC_UNDEFINED_IMPLES_EXTENSIBLE
334 /* we don't know about the oc. assume it allows it */
343 #ifndef SLAPD_SCHEMA_NOT_COMPAT
348 /* not allowed by any oc */
349 return LDAP_OBJECT_CLASS_VIOLATION;
projects / openldap / blob