3 * Copyright (c) 1996 Regents of the University of Michigan.
6 * Redistribution and use in source and binary forms are permitted
7 * provided that this notice is preserved and that due credit is given
8 * to the University of Michigan at Ann Arbor. The name of the University
9 * may not be used to endorse or promote products derived from this
10 * software without specific prior written permission. This software
11 * is provided ``as is'' without express or implied warranty.
15 * ldap_op.c - routines to perform LDAP operations
22 #include <ac/stdlib.h>
25 #include <ac/string.h>
28 #include <ac/unistd.h>
32 #if defined( STR_TRANSLATION ) && defined( LDAP_DEFAULT_CHARSET )
33 /* Get LDAP->ld_lberoptions. Must precede slurp.h, both define ldap_debug. */
34 #include "../../libraries/libldap/ldap-int.h"
42 /* Forward references */
43 static struct berval **make_singlevalued_berval LDAP_P(( char *, int ));
44 static int op_ldap_add LDAP_P(( Ri *, Re *, char ** ));
45 static int op_ldap_modify LDAP_P(( Ri *, Re *, char ** ));
46 static int op_ldap_delete LDAP_P(( Ri *, Re *, char ** ));
47 static int op_ldap_modrdn LDAP_P(( Ri *, Re *, char ** ));
48 static LDAPMod *alloc_ldapmod LDAP_P(( void ));
49 static void free_ldapmod LDAP_P(( LDAPMod * ));
50 static void free_ldmarr LDAP_P(( LDAPMod ** ));
51 static int getmodtype LDAP_P(( char * ));
52 static void dump_ldm_array LDAP_P(( LDAPMod ** ));
53 static char **read_krbnames LDAP_P(( Ri * ));
54 #ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
55 static void upcase LDAP_P(( char * ));
57 static int do_bind LDAP_P(( Ri *, int * ));
58 static int do_unbind LDAP_P(( Ri * ));
61 static char *kattrs[] = {"kerberosName", NULL };
62 static struct timeval kst = {30L, 0L};
67 * Determine the type of ldap operation being performed and call the
68 * appropriate routine.
69 * - If successful, returns ERR_DO_LDAP_OK
70 * - If a retryable error occurs, ERR_DO_LDAP_RETRYABLE is returned.
71 * The caller should wait a while and retry the operation.
72 * - If a fatal error occurs, ERR_DO_LDAP_FATAL is returned. The caller
73 * should reject the operation and continue with the next replication
84 int lderr = LDAP_SUCCESS;
90 if ( ri->ri_ldp == NULL ) {
91 rc = do_bind( ri, &lderr );
93 if ( rc != BIND_OK ) {
94 return DO_LDAP_ERR_RETRYABLE;
98 switch ( re->re_changetype ) {
100 lderr = op_ldap_add( ri, re, errmsg );
101 if ( lderr != LDAP_SUCCESS ) {
102 Debug( LDAP_DEBUG_ANY,
103 "Error: ldap_add_s failed adding \"%s\": %s\n",
104 *errmsg ? *errmsg : ldap_err2string( lderr ),
109 lderr = op_ldap_modify( ri, re, errmsg );
110 if ( lderr != LDAP_SUCCESS ) {
111 Debug( LDAP_DEBUG_ANY,
112 "Error: ldap_modify_s failed modifying \"%s\": %s\n",
113 *errmsg ? *errmsg : ldap_err2string( lderr ),
118 lderr = op_ldap_delete( ri, re, errmsg );
119 if ( lderr != LDAP_SUCCESS ) {
120 Debug( LDAP_DEBUG_ANY,
121 "Error: ldap_delete_s failed deleting \"%s\": %s\n",
122 *errmsg ? *errmsg : ldap_err2string( lderr ),
127 lderr = op_ldap_modrdn( ri, re, errmsg );
128 if ( lderr != LDAP_SUCCESS ) {
129 Debug( LDAP_DEBUG_ANY,
130 "Error: ldap_modrdn_s failed modifying %s: %s\n",
131 *errmsg ? *errmsg : ldap_err2string( lderr ),
136 Debug( LDAP_DEBUG_ANY,
137 "Error: do_ldap: bad op \"%d\", dn = \"%s\"\n",
138 re->re_changetype, re->re_dn, 0 );
139 return DO_LDAP_ERR_FATAL;
143 * Analyze return code. If ok, just return. If LDAP_SERVER_DOWN,
144 * we may have been idle long enough that the remote slapd timed
145 * us out. Rebind and try again.
147 if ( lderr == LDAP_SUCCESS ) {
149 } else if ( lderr == LDAP_SERVER_DOWN ) {
150 /* The LDAP server may have timed us out - rebind and try again */
151 (void) do_unbind( ri );
154 return DO_LDAP_ERR_FATAL;
157 return DO_LDAP_ERR_FATAL;
164 * Perform an ldap add operation.
174 int nattrs, rc = 0, i;
175 LDAPMod *ldm, **ldmarr;
182 * Construct a null-terminated array of LDAPMod structs.
185 while ( mi[ i ].mi_type != NULL ) {
186 ldm = alloc_ldapmod();
187 ldmarr = ( LDAPMod ** ) ch_realloc( ldmarr,
188 ( nattrs + 2 ) * sizeof( LDAPMod * ));
189 ldmarr[ nattrs ] = ldm;
190 ldm->mod_op = LDAP_MOD_BVALUES;
191 ldm->mod_type = mi[ i ].mi_type;
193 make_singlevalued_berval( mi[ i ].mi_val, mi[ i ].mi_len );
198 if ( ldmarr != NULL ) {
199 ldmarr[ nattrs ] = NULL;
201 /* Perform the operation */
202 Debug( LDAP_DEBUG_ARGS, "replica %s:%d - add dn \"%s\"\n",
203 ri->ri_hostname, ri->ri_port, re->re_dn );
204 rc = ldap_add_s( ri->ri_ldp, re->re_dn, ldmarr );
206 ldap_get_option( ri->ri_ldp, LDAP_OPT_ERROR_NUMBER, &lderr);
209 *errmsg = "No modifications to do";
210 Debug( LDAP_DEBUG_ANY,
211 "Error: op_ldap_add: no mods to do (%s)!\n", re->re_dn, 0, 0 );
213 free_ldmarr( ldmarr );
221 * Perform an ldap modify operation.
223 #define AWAITING_OP -1
232 int state; /* This code is a simple-minded state machine */
233 int nvals; /* Number of values we're modifying */
234 int nops; /* Number of LDAPMod structs in ldmarr */
235 LDAPMod *ldm, **ldmarr;
245 if ( re->re_mods == NULL ) {
246 *errmsg = "No arguments given";
247 Debug( LDAP_DEBUG_ANY, "Error: op_ldap_modify: no arguments\n",
253 * Construct a null-terminated array of LDAPMod structs.
255 for ( mi = re->re_mods, i = 0; mi[ i ].mi_type != NULL; i++ ) {
256 type = mi[ i ].mi_type;
257 value = mi[ i ].mi_val;
258 len = mi[ i ].mi_len;
259 switch ( getmodtype( type )) {
261 state = T_MODSEP; /* Got a separator line "-\n" */
265 ldmarr = ( LDAPMod ** )
266 ch_realloc(ldmarr, (( nops + 2 ) * ( sizeof( LDAPMod * ))));
267 ldmarr[ nops ] = ldm = alloc_ldapmod();
268 ldm->mod_op = LDAP_MOD_ADD | LDAP_MOD_BVALUES;
269 ldm->mod_type = value;
274 state = T_MODOPREPLACE;
275 ldmarr = ( LDAPMod ** )
276 ch_realloc(ldmarr, (( nops + 2 ) * ( sizeof( LDAPMod * ))));
277 ldmarr[ nops ] = ldm = alloc_ldapmod();
278 ldm->mod_op = LDAP_MOD_REPLACE | LDAP_MOD_BVALUES;
279 ldm->mod_type = value;
284 state = T_MODOPDELETE;
285 ldmarr = ( LDAPMod ** )
286 ch_realloc(ldmarr, (( nops + 2 ) * ( sizeof( LDAPMod * ))));
287 ldmarr[ nops ] = ldm = alloc_ldapmod();
288 ldm->mod_op = LDAP_MOD_DELETE | LDAP_MOD_BVALUES;
289 ldm->mod_type = value;
294 if ( state == AWAITING_OP ) {
295 Debug( LDAP_DEBUG_ANY,
296 "Error: op_ldap_modify: unknown mod type \"%s\"\n",
302 * We should have an attribute: value pair here.
303 * Construct the mod_bvalues part of the ldapmod struct.
305 if ( strcasecmp( type, ldm->mod_type )) {
306 Debug( LDAP_DEBUG_ANY,
307 "Error: malformed modify op, %s: %s (expecting %s:)\n",
308 type, value, ldm->mod_type );
311 ldm->mod_bvalues = ( struct berval ** )
312 ch_realloc( ldm->mod_bvalues,
313 ( nvals + 2 ) * sizeof( struct berval * ));
314 ldm->mod_bvalues[ nvals + 1 ] = NULL;
315 ldm->mod_bvalues[ nvals ] = ( struct berval * )
316 ch_malloc( sizeof( struct berval ));
317 ldm->mod_bvalues[ nvals ]->bv_val = value;
318 ldm->mod_bvalues[ nvals ]->bv_len = len;
322 ldmarr[ nops ] = NULL;
325 /* Actually perform the LDAP operation */
326 Debug( LDAP_DEBUG_ARGS, "replica %s:%d - modify dn \"%s\"\n",
327 ri->ri_hostname, ri->ri_port, re->re_dn );
328 rc = ldap_modify_s( ri->ri_ldp, re->re_dn, ldmarr );
330 free_ldmarr( ldmarr );
338 * Perform an ldap delete operation.
349 Debug( LDAP_DEBUG_ARGS, "replica %s:%d - delete dn \"%s\"\n",
350 ri->ri_hostname, ri->ri_port, re->re_dn );
351 rc = ldap_delete_s( ri->ri_ldp, re->re_dn );
360 * Perform an ldap modrdn operation.
362 #define GOT_NEWRDN 0x1
363 #define GOT_DELOLDRDN 0x2
364 #define GOT_NEWSUP 0x4
366 #define GOT_MODDN_REQ (GOT_NEWRDN|GOT_DELOLDRDN)
367 #define GOT_ALL_MODDN(f) (((f) & GOT_MODDN_REQ) == GOT_MODDN_REQ)
384 if ( re->re_mods == NULL ) {
385 *errmsg = "No arguments given";
386 Debug( LDAP_DEBUG_ANY, "Error: op_ldap_modrdn: no arguments\n",
392 * Get the arguments: should see newrdn: and deleteoldrdn: args.
394 for ( mi = re->re_mods, i = 0; mi[ i ].mi_type != NULL; i++ ) {
395 if ( !strcmp( mi[ i ].mi_type, T_NEWRDNSTR )) {
396 if( state & GOT_NEWRDN ) {
397 Debug( LDAP_DEBUG_ANY,
398 "Error: op_ldap_modrdn: multiple newrdn arg \"%s\"\n",
399 mi[ i ].mi_val, 0, 0 );
400 *errmsg = "Multiple newrdn argument";
404 newrdn = mi[ i ].mi_val;
407 } else if ( !strcmp( mi[ i ].mi_type, T_DELOLDRDNSTR )) {
408 if( state & GOT_DELOLDRDN ) {
409 Debug( LDAP_DEBUG_ANY,
410 "Error: op_ldap_modrdn: multiple deleteoldrdn arg \"%s\"\n",
411 mi[ i ].mi_val, 0, 0 );
412 *errmsg = "Multiple newrdn argument";
416 state |= GOT_DELOLDRDN;
417 if ( !strcmp( mi[ i ].mi_val, "0" )) {
419 } else if ( !strcmp( mi[ i ].mi_val, "1" )) {
422 Debug( LDAP_DEBUG_ANY,
423 "Error: op_ldap_modrdn: bad deleteoldrdn arg \"%s\"\n",
424 mi[ i ].mi_val, 0, 0 );
425 *errmsg = "Incorrect argument to deleteoldrdn";
429 } else if ( !strcmp( mi[ i ].mi_type, T_NEWSUPSTR )) {
430 if( state & GOT_NEWSUP ) {
431 Debug( LDAP_DEBUG_ANY,
432 "Error: op_ldap_modrdn: multiple newsuperior arg \"%s\"\n",
433 mi[ i ].mi_val, 0, 0 );
434 *errmsg = "Multiple newrdn argument";
438 newrdn = mi[ i ].mi_val;
442 Debug( LDAP_DEBUG_ANY, "Error: op_ldap_modrdn: bad type \"%s\"\n",
443 mi[ i ].mi_type, 0, 0 );
444 *errmsg = "Bad value in replication log entry";
450 * Punt if we don't have all the args.
452 if ( GOT_ALL_MODDN(state) ) {
453 Debug( LDAP_DEBUG_ANY, "Error: op_ldap_modrdn: missing arguments\n",
455 *errmsg = "Missing argument: requires \"newrdn\" and \"deleteoldrdn\"";
460 if ( ldap_debug & LDAP_DEBUG_ARGS ) {
463 sprintf( buf, "%s:%d", ri->ri_hostname, ri->ri_port );
464 buf2 = (char *) ch_malloc( strlen( re->re_dn ) + strlen( mi->mi_val )
466 sprintf( buf2, "(\"%s\" -> \"%s\")", re->re_dn, mi->mi_val );
467 Debug( LDAP_DEBUG_ARGS,
468 "replica %s - modify rdn %s (flag: %d)\n",
469 buf, buf2, drdnflag );
472 #endif /* LDAP_DEBUG */
475 rc = ldap_rename2_s( ri->ri_ldp, re->re_dn, mi->mi_val, newsup, drdnflag );
477 ldap_get_option( ri->ri_ldp, LDAP_OPT_ERROR_NUMBER, &lderr);
484 * Allocate and initialize an ldapmod struct.
487 alloc_ldapmod( void )
491 ldm = ( struct ldapmod * ) ch_malloc( sizeof ( struct ldapmod ));
492 ldm->mod_type = NULL;
493 ldm->mod_bvalues = ( struct berval ** ) NULL;
500 * Free an ldapmod struct associated mod_bvalues. NOTE - it is assumed
501 * that mod_bvalues and mod_type contain pointers to the same block of memory
502 * pointed to by the repl struct. Therefore, it's not freed here.
513 if ( ldm->mod_bvalues != NULL ) {
514 for ( i = 0; ldm->mod_bvalues[ i ] != NULL; i++ ) {
515 free( ldm->mod_bvalues[ i ] );
517 free( ldm->mod_bvalues );
525 * Free an an array of LDAPMod pointers and the LDAPMod structs they point
534 for ( i = 0; ldmarr[ i ] != NULL; i++ ) {
535 free_ldapmod( ldmarr[ i ] );
542 * Create a berval with a single value.
544 static struct berval **
545 make_singlevalued_berval(
551 p = ( struct berval ** ) ch_malloc( 2 * sizeof( struct berval * ));
552 p[ 0 ] = ( struct berval * ) ch_malloc( sizeof( struct berval ));
554 p[ 0 ]->bv_val = value;
555 p[ 0 ]->bv_len = len;
561 * Given a modification type (string), return an enumerated type.
562 * Avoids ugly copy in op_ldap_modify - lets us use a switch statement
569 if ( !strcmp( type, T_MODSEPSTR )) {
572 if ( !strcmp( type, T_MODOPADDSTR )) {
573 return( T_MODOPADD );
575 if ( !strcmp( type, T_MODOPREPLACESTR )) {
576 return( T_MODOPREPLACE );
578 if ( !strcmp( type, T_MODOPDELETESTR )) {
579 return( T_MODOPDELETE );
586 * Perform an LDAP unbind operation. If replica is NULL, or the
587 * repl_ldp is NULL, just return LDAP_SUCCESS. Otherwise, unbind,
588 * set the ldp to NULL, and return the result of the unbind call.
595 int rc = LDAP_SUCCESS;
597 if (( ri != NULL ) && ( ri->ri_ldp != NULL )) {
598 rc = ldap_unbind( ri->ri_ldp );
599 if ( rc != LDAP_SUCCESS ) {
600 Debug( LDAP_DEBUG_ANY,
601 "Error: do_unbind: ldap_unbind failed for %s:%d: %s\n",
602 ri->ri_hostname, ri->ri_port, ldap_err2string( rc ) );
612 * Perform an LDAP bind operation to the replication site given
613 * by replica. If replica->repl_ldp is non-NULL, then we unbind
614 * from the replica before rebinding. It should be safe to call
615 * this to re-connect if the replica's connection goes away
618 * Returns 0 on success, -1 if an LDAP error occurred, and a return
619 * code > 0 if some other error occurred, e.g. invalid bind method.
620 * If an LDAP error occurs, the LDAP error is returned in lderr.
633 Debug( LDAP_DEBUG_ANY, "Error: do_bind: null ri ptr\n", 0, 0, 0 );
634 return( BIND_ERR_BADRI );
637 if ( ri->ri_ldp != NULL ) {
638 ldrc = ldap_unbind( ri->ri_ldp );
639 if ( ldrc != LDAP_SUCCESS ) {
640 Debug( LDAP_DEBUG_ANY,
641 "Error: do_bind: ldap_unbind failed: %s\n",
642 ldap_err2string( ldrc ), 0, 0 );
647 Debug( LDAP_DEBUG_ARGS, "Initializing session to %s:%d\n",
648 ri->ri_hostname, ri->ri_port, 0 );
650 ri->ri_ldp = ldap_init( ri->ri_hostname, ri->ri_port );
651 if ( ri->ri_ldp == NULL ) {
652 Debug( LDAP_DEBUG_ANY, "Error: ldap_init(%s, %d) failed: %s\n",
653 ri->ri_hostname, ri->ri_port, sys_errlist[ errno ] );
654 return( BIND_ERR_OPEN );
657 { /* set version 3 */
658 int err, version = 3;
659 err = ldap_set_option(ri->ri_ldp,
660 LDAP_OPT_PROTOCOL_VERSION, &version);
662 if( err != LDAP_OPT_SUCCESS ) {
663 Debug( LDAP_DEBUG_ANY,
664 "Error: ldap_set_option(%s, LDAP_OPT_VERSION, 3) failed!\n",
665 ri->ri_hostname, NULL, NULL );
667 ldap_unbind( ri->ri_ldp );
669 return BIND_ERR_VERSION;
674 * Set ldap library options to (1) not follow referrals, and
675 * (2) restart the select() system call.
679 err = ldap_set_option(ri->ri_ldp, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
681 if( err != LDAP_OPT_SUCCESS ) {
682 Debug( LDAP_DEBUG_ANY,
683 "Error: ldap_set_option(%s,REFERRALS, OFF) failed!\n",
684 ri->ri_hostname, NULL, NULL );
685 ldap_unbind( ri->ri_ldp );
687 return BIND_ERR_REFERRALS;
690 ldap_set_option(ri->ri_ldp, LDAP_OPT_RESTART, LDAP_OPT_ON);
692 switch ( ri->ri_bind_method ) {
695 * Bind with a plaintext password.
697 Debug( LDAP_DEBUG_ARGS, "bind to %s:%d as %s (simple)\n",
698 ri->ri_hostname, ri->ri_port, ri->ri_bind_dn );
699 ldrc = ldap_simple_bind_s( ri->ri_ldp, ri->ri_bind_dn,
701 if ( ldrc != LDAP_SUCCESS ) {
702 Debug( LDAP_DEBUG_ANY,
703 "Error: ldap_simple_bind_s for %s:%d failed: %s\n",
704 ri->ri_hostname, ri->ri_port, ldap_err2string( ldrc ));
706 ldap_unbind( ri->ri_ldp );
708 return( BIND_ERR_SIMPLE_FAILED );
712 Debug( LDAP_DEBUG_ANY,
713 "Error: do_bind: unknown auth type \"%d\" for %s:%d\n",
714 ri->ri_bind_method, ri->ri_hostname, ri->ri_port );
715 ldap_unbind( ri->ri_ldp );
717 return( BIND_ERR_BAD_ATYPE );
723 LDAPControl *ctrls[2];
727 c.ldctl_oid = LDAP_CONTROL_MANAGEDSAIT;
728 c.ldctl_value.bv_val = NULL;
729 c.ldctl_value.bv_len = 0;
730 c.ldctl_iscritical = 1;
732 err = ldap_set_option(ri->ri_ldp, LDAP_OPT_SERVER_CONTROLS, &ctrls);
734 if( err != LDAP_OPT_SUCCESS ) {
735 Debug( LDAP_DEBUG_ANY,
736 "Error: ldap_set_option(%s, SERVER_CONTROLS, ManageDSAit) failed!\n",
737 ri->ri_hostname, NULL, NULL );
738 ldap_unbind( ri->ri_ldp );
740 return BIND_ERR_MANAGEDSAIT;
752 * For debugging. Print the contents of an ldmarr array.
764 for ( i = 0; ldmarr[ i ] != NULL; i++ ) {
766 Debug( LDAP_DEBUG_TRACE,
767 "Trace (%ld): *** ldmarr[ %d ] contents:\n",
768 (long) getpid(), i, 0 );
769 Debug( LDAP_DEBUG_TRACE,
770 "Trace (%ld): *** ldm->mod_op: %d\n",
771 (long) getpid(), ldm->mod_op, 0 );
772 Debug( LDAP_DEBUG_TRACE,
773 "Trace (%ld): *** ldm->mod_type: %s\n",
774 (long) getpid(), ldm->mod_type, 0 );
775 if ( ldm->mod_bvalues != NULL ) {
776 for ( j = 0; ( b = ldm->mod_bvalues[ j ] ) != NULL; j++ ) {
777 msgbuf = ch_malloc( b->bv_len + 512 );
778 sprintf( msgbuf, "***** bv[ %d ] len = %ld, val = <%s>",
779 j, b->bv_len, b->bv_val );
780 Debug( LDAP_DEBUG_TRACE,
781 "Trace (%ld):%s\n", (long) getpid(), msgbuf, 0 );
790 * Get the kerberos names from the binddn for "replica" via an ldap search.
791 * Returns a null-terminated array of char *, or NULL if the entry could
792 * not be found or there were no kerberosName attributes. The caller is
793 * responsible for freeing the returned array and strings it points to.
803 LDAPMessage *result, *entry;
805 /* First need to bind as NULL */
806 rc = ldap_simple_bind_s( ri->ri_ldp, NULL, NULL );
807 if ( rc != LDAP_SUCCESS ) {
808 Debug( LDAP_DEBUG_ANY,
809 "Error: null bind failed getting krbnames for %s:%d: %s\n",
810 ri->ri_hostname, ri->ri_port, ldap_err2string( rc ));
813 rc = ldap_search_st( ri->ri_ldp, ri->ri_bind_dn, LDAP_SCOPE_BASE,
814 NULL, kattrs, 0, &kst, &result );
815 if ( rc != LDAP_SUCCESS ) {
816 Debug( LDAP_DEBUG_ANY,
817 "Error: search failed getting krbnames for %s:%d: %s\n",
818 ri->ri_hostname, ri->ri_port, ldap_err2string( rc ));
821 ne = ldap_count_entries( ri->ri_ldp, result );
823 Debug( LDAP_DEBUG_ANY,
824 "Error: Can't find entry \"%s\" for %s:%d kerberos bind\n",
825 ri->ri_bind_dn, ri->ri_hostname, ri->ri_port );
829 Debug( LDAP_DEBUG_ANY,
830 "Error: Kerberos binddn \"%s\" for %s:%dis ambiguous\n",
831 ri->ri_bind_dn, ri->ri_hostname, ri->ri_port );
834 entry = ldap_first_entry( ri->ri_ldp, result );
835 if ( entry == NULL ) {
836 Debug( LDAP_DEBUG_ANY,
837 "Error: Can't find \"%s\" for kerberos binddn for %s:%d\n",
838 ri->ri_bind_dn, ri->ri_hostname, ri->ri_port );
841 krbnames = ldap_get_values( ri->ri_ldp, entry, "kerberosName" );
842 ldap_msgfree( result );
847 #ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
859 for ( p = s; ( p != NULL ) && ( *p != '\0' ); p++ ) {
860 *p = TOUPPER( (unsigned char) *p );
864 #endif /* LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND */