2 * Copyright (c) 1996 Regents of the University of Michigan.
5 * Redistribution and use in source and binary forms are permitted
6 * provided that this notice is preserved and that due credit is given
7 * to the University of Michigan at Ann Arbor. The name of the University
8 * may not be used to endorse or promote products derived from this
9 * software without specific prior written permission. This software
10 * is provided ``as is'' without express or implied warranty.
14 * ldap_op.c - routines to perform LDAP operations
20 #include <ac/string.h>
22 #include <sys/types.h>
26 #include <kerberosIV/krb.h>
29 #endif /* KERBEROS_V */
37 /* Forward references */
38 static int get_changetype LDAP_P(( char * ));
39 static struct berval **make_singlevalued_berval LDAP_P(( char *, int ));
40 static int op_ldap_add LDAP_P(( Ri *, Re *, char ** ));
41 static int op_ldap_modify LDAP_P(( Ri *, Re *, char ** ));
42 static int op_ldap_delete LDAP_P(( Ri *, Re *, char ** ));
43 static int op_ldap_modrdn LDAP_P(( Ri *, Re *, char ** ));
44 static LDAPMod *alloc_ldapmod LDAP_P(());
45 static void free_ldapmod LDAP_P(( LDAPMod * ));
46 static void free_ldmarr LDAP_P(( LDAPMod ** ));
47 static int getmodtype LDAP_P(( char * ));
48 static void dump_ldm_array LDAP_P(( LDAPMod ** ));
49 static char **read_krbnames LDAP_P(( Ri * ));
50 static void upcase LDAP_P(( char * ));
51 static int do_bind LDAP_P(( Ri *, int * ));
52 static int do_unbind LDAP_P(( Ri * ));
55 /* External references */
56 #ifdef DECL_SYS_ERRLIST
57 extern char *sys_errlist[];
58 #endif /* DECL_SYS_ERRLIST */
60 extern char *ch_malloc( unsigned long );
62 static char *kattrs[] = {"kerberosName", NULL };
63 static struct timeval kst = {30L, 0L};
68 * Determine the type of ldap operation being performed and call the
69 * appropriate routine.
70 * - If successful, returns ERR_DO_LDAP_OK
71 * - If a retryable error occurs, ERR_DO_LDAP_RETRYABLE is returned.
72 * The caller should wait a while and retry the operation.
73 * - If a fatal error occurs, ERR_DO_LDAP_FATAL is returned. The caller
74 * should reject the operation and continue with the next replication
85 int lderr = LDAP_SUCCESS;
92 if ( ri->ri_ldp == NULL ) {
93 rc = do_bind( ri, &lderr );
94 if ( rc != BIND_OK ) {
95 return DO_LDAP_ERR_RETRYABLE;
99 switch ( re->re_changetype ) {
101 lderr = op_ldap_add( ri, re, errmsg );
102 if ( lderr != LDAP_SUCCESS ) {
103 Debug( LDAP_DEBUG_ANY,
104 "Error: ldap_add_s failed adding \"%s\": %s\n",
105 *errmsg ? *errmsg : ldap_err2string( lderr ),
110 lderr = op_ldap_modify( ri, re, errmsg );
111 if ( lderr != LDAP_SUCCESS ) {
112 Debug( LDAP_DEBUG_ANY,
113 "Error: ldap_modify_s failed modifying \"%s\": %s\n",
114 *errmsg ? *errmsg : ldap_err2string( lderr ),
119 lderr = op_ldap_delete( ri, re, errmsg );
120 if ( lderr != LDAP_SUCCESS ) {
121 Debug( LDAP_DEBUG_ANY,
122 "Error: ldap_delete_s failed deleting \"%s\": %s\n",
123 *errmsg ? *errmsg : ldap_err2string( lderr ),
128 lderr = op_ldap_modrdn( ri, re, errmsg );
129 if ( lderr != LDAP_SUCCESS ) {
130 Debug( LDAP_DEBUG_ANY,
131 "Error: ldap_modrdn_s failed modifying %s: %s\n",
132 *errmsg ? *errmsg : ldap_err2string( lderr ),
137 Debug( LDAP_DEBUG_ANY,
138 "Error: do_ldap: bad op \"%d\", dn = \"%s\"\n",
139 re->re_changetype, re->re_dn, 0 );
140 return DO_LDAP_ERR_FATAL;
144 * Analyze return code. If ok, just return. If LDAP_SERVER_DOWN,
145 * we may have been idle long enough that the remote slapd timed
146 * us out. Rebind and try again.
148 if ( lderr == LDAP_SUCCESS ) {
150 } else if ( lderr == LDAP_SERVER_DOWN ) {
151 /* The LDAP server may have timed us out - rebind and try again */
152 (void) do_unbind( ri );
155 return DO_LDAP_ERR_FATAL;
158 return DO_LDAP_ERR_FATAL;
165 * Perform an ldap add operation.
175 int nattrs, rc = 0, i;
176 LDAPMod *ldm, **ldmarr;
183 * Construct a null-terminated array of LDAPMod structs.
186 while ( mi[ i ].mi_type != NULL ) {
187 ldm = alloc_ldapmod();
188 ldmarr = ( LDAPMod ** ) ch_realloc( ldmarr,
189 ( nattrs + 2 ) * sizeof( LDAPMod * ));
190 ldmarr[ nattrs ] = ldm;
191 ldm->mod_op = LDAP_MOD_BVALUES;
192 ldm->mod_type = mi[ i ].mi_type;
194 make_singlevalued_berval( mi[ i ].mi_val, mi[ i ].mi_len );
199 if ( ldmarr != NULL ) {
200 ldmarr[ nattrs ] = NULL;
202 /* Perform the operation */
203 Debug( LDAP_DEBUG_ARGS, "replica %s:%d - add dn \"%s\"\n",
204 ri->ri_hostname, ri->ri_port, re->re_dn );
205 rc = ldap_add_s( ri->ri_ldp, re->re_dn, ldmarr );
206 lderr = ri->ri_ldp->ld_errno;
208 *errmsg = "No modifications to do";
209 Debug( LDAP_DEBUG_ANY,
210 "Error: op_ldap_add: no mods to do (%s)!", re->re_dn, 0, 0 );
212 free_ldmarr( ldmarr );
220 * Perform an ldap modify operation.
222 #define AWAITING_OP -1
231 int state; /* This code is a simple-minded state machine */
232 int nvals; /* Number of values we're modifying */
233 int nops; /* Number of LDAPMod structs in ldmarr */
234 LDAPMod *ldm, *nldm, **ldmarr;
244 if ( re->re_mods == NULL ) {
245 *errmsg = "No arguments given";
246 Debug( LDAP_DEBUG_ANY, "Error: op_ldap_modify: no arguments\n",
252 * Construct a null-terminated array of LDAPMod structs.
254 for ( mi = re->re_mods, i = 0; mi[ i ].mi_type != NULL; i++ ) {
255 type = mi[ i ].mi_type;
256 value = mi[ i ].mi_val;
257 len = mi[ i ].mi_len;
258 switch ( getmodtype( type )) {
260 state = T_MODSEP; /* Got a separator line "-\n" */
264 ldmarr = ( LDAPMod ** )
265 ch_realloc(ldmarr, (( nops + 2 ) * ( sizeof( LDAPMod * ))));
266 ldmarr[ nops ] = ldm = alloc_ldapmod();
267 ldm->mod_op = LDAP_MOD_ADD | LDAP_MOD_BVALUES;
268 ldm->mod_type = value;
273 state = T_MODOPREPLACE;
274 ldmarr = ( LDAPMod ** )
275 ch_realloc(ldmarr, (( nops + 2 ) * ( sizeof( LDAPMod * ))));
276 ldmarr[ nops ] = ldm = alloc_ldapmod();
277 ldm->mod_op = LDAP_MOD_REPLACE | LDAP_MOD_BVALUES;
278 ldm->mod_type = value;
283 state = T_MODOPDELETE;
284 ldmarr = ( LDAPMod ** )
285 ch_realloc(ldmarr, (( nops + 2 ) * ( sizeof( LDAPMod * ))));
286 ldmarr[ nops ] = ldm = alloc_ldapmod();
287 ldm->mod_op = LDAP_MOD_DELETE | LDAP_MOD_BVALUES;
288 ldm->mod_type = value;
293 if ( state == AWAITING_OP ) {
294 Debug( LDAP_DEBUG_ANY,
295 "Error: op_ldap_modify: unknown mod type \"%s\"\n",
301 * We should have an attribute: value pair here.
302 * Construct the mod_bvalues part of the ldapmod struct.
304 if ( strcasecmp( type, ldm->mod_type )) {
305 Debug( LDAP_DEBUG_ANY,
306 "Error: malformed modify op, %s: %s (expecting %s:)\n",
307 type, value, ldm->mod_type );
310 ldm->mod_bvalues = ( struct berval ** )
311 ch_realloc( ldm->mod_bvalues,
312 ( nvals + 2 ) * sizeof( struct berval * ));
313 ldm->mod_bvalues[ nvals + 1 ] = NULL;
314 ldm->mod_bvalues[ nvals ] = ( struct berval * )
315 ch_malloc( sizeof( struct berval ));
316 ldm->mod_bvalues[ nvals ]->bv_val = value;
317 ldm->mod_bvalues[ nvals ]->bv_len = len;
321 ldmarr[ nops ] = NULL;
324 /* Actually perform the LDAP operation */
325 Debug( LDAP_DEBUG_ARGS, "replica %s:%d - modify dn \"%s\"\n",
326 ri->ri_hostname, ri->ri_port, re->re_dn );
327 rc = ldap_modify_s( ri->ri_ldp, re->re_dn, ldmarr );
329 free_ldmarr( ldmarr );
337 * Perform an ldap delete operation.
348 Debug( LDAP_DEBUG_ARGS, "replica %s:%d - delete dn \"%s\"\n",
349 ri->ri_hostname, ri->ri_port, re->re_dn );
350 rc = ldap_delete_s( ri->ri_ldp, re->re_dn );
359 * Perform an ldap modrdn operation.
362 #define GOT_DRDNFLAGSTR 2
363 #define GOT_ALLNEWRDNFLAGS ( GOT_NEWRDN | GOT_DRDNFLAGSTR )
378 if ( re->re_mods == NULL ) {
379 *errmsg = "No arguments given";
380 Debug( LDAP_DEBUG_ANY, "Error: op_ldap_modrdn: no arguments\n",
386 * Get the arguments: should see newrdn: and deleteoldrdn: args.
388 for ( mi = re->re_mods, i = 0; mi[ i ].mi_type != NULL; i++ ) {
389 if ( !strcmp( mi[ i ].mi_type, T_NEWRDNSTR )) {
390 newrdn = mi[ i ].mi_val;
392 } else if ( !strcmp( mi[ i ].mi_type, T_DRDNFLAGSTR )) {
393 state |= GOT_DRDNFLAGSTR;
394 if ( !strcmp( mi[ i ].mi_val, "0" )) {
396 } else if ( !strcmp( mi[ i ].mi_val, "1" )) {
399 Debug( LDAP_DEBUG_ANY,
400 "Error: op_ldap_modrdn: bad deleteoldrdn arg \"%s\"\n",
401 mi[ i ].mi_val, 0, 0 );
402 *errmsg = "Incorrect argument to deleteoldrdn";
406 Debug( LDAP_DEBUG_ANY, "Error: op_ldap_modrdn: bad type \"%s\"\n",
407 mi[ i ].mi_type, 0, 0 );
408 *errmsg = "Bad value in replication log entry";
414 * Punt if we don't have all the args.
416 if ( state != GOT_ALLNEWRDNFLAGS ) {
417 Debug( LDAP_DEBUG_ANY, "Error: op_ldap_modrdn: missing arguments\n",
419 *errmsg = "Missing argument: requires \"newrdn\" and \"deleteoldrdn\"";
424 if ( ldap_debug & LDAP_DEBUG_ARGS ) {
427 sprintf( buf, "%s:%d", ri->ri_hostname, ri->ri_port );
428 buf2 = (char *) ch_malloc( strlen( re->re_dn ) + strlen( mi->mi_val )
430 sprintf( buf2, "(\"%s\" -> \"%s\")", re->re_dn, mi->mi_val );
431 Debug( LDAP_DEBUG_ARGS,
432 "replica %s - modify rdn %s (flag: %d)\n",
433 buf, buf2, drdnflag );
436 #endif /* LDAP_DEBUG */
439 rc = ldap_modrdn2_s( ri->ri_ldp, re->re_dn, mi->mi_val, drdnflag );
441 return( ri->ri_ldp->ld_errno );
447 * Allocate and initialize an ldapmod struct.
454 ldm = ( struct ldapmod * ) ch_malloc( sizeof ( struct ldapmod ));
455 ldm->mod_type = NULL;
456 ldm->mod_bvalues = ( struct berval ** ) NULL;
463 * Free an ldapmod struct associated mod_bvalues. NOTE - it is assumed
464 * that mod_bvalues and mod_type contain pointers to the same block of memory
465 * pointed to by the repl struct. Therefore, it's not freed here.
476 if ( ldm->mod_bvalues != NULL ) {
477 for ( i = 0; ldm->mod_bvalues[ i ] != NULL; i++ ) {
478 free( ldm->mod_bvalues[ i ] );
480 free( ldm->mod_bvalues );
488 * Free an an array of LDAPMod pointers and the LDAPMod structs they point
497 for ( i = 0; ldmarr[ i ] != NULL; i++ ) {
498 free_ldapmod( ldmarr[ i ] );
505 * Create a berval with a single value.
507 static struct berval **
508 make_singlevalued_berval(
514 p = ( struct berval ** ) ch_malloc( 2 * sizeof( struct berval * ));
515 p[ 0 ] = ( struct berval * ) ch_malloc( sizeof( struct berval ));
517 p[ 0 ]->bv_val = value;
518 p[ 0 ]->bv_len = len;
524 * Given a modification type (string), return an enumerated type.
525 * Avoids ugly copy in op_ldap_modify - lets us use a switch statement
532 if ( !strcmp( type, T_MODSEPSTR )) {
535 if ( !strcmp( type, T_MODOPADDSTR )) {
536 return( T_MODOPADD );
538 if ( !strcmp( type, T_MODOPREPLACESTR )) {
539 return( T_MODOPREPLACE );
541 if ( !strcmp( type, T_MODOPDELETESTR )) {
542 return( T_MODOPDELETE );
549 * Perform an LDAP unbind operation. If replica is NULL, or the
550 * repl_ldp is NULL, just return LDAP_SUCCESS. Otherwise, unbind,
551 * set the ldp to NULL, and return the result of the unbind call.
558 int rc = LDAP_SUCCESS;
560 if (( ri != NULL ) && ( ri->ri_ldp != NULL )) {
561 rc = ldap_unbind( ri->ri_ldp );
562 if ( rc != LDAP_SUCCESS ) {
563 Debug( LDAP_DEBUG_ANY,
564 "Error: do_unbind: ldap_unbind failed for %s:%d: %s\n",
565 ldap_err2string( rc ), ri->ri_hostname, ri->ri_port );
575 * Perform an LDAP bind operation to the replication site given
576 * by replica. If replica->repl_ldp is non-NULL, then we unbind
577 * from the replica before rebinding. It should be safe to call
578 * this to re-connect if the replica's connection goes away
581 * Returns 0 on success, -1 if an LDAP error occurred, and a return
582 * code > 0 if some other error occurred, e.g. invalid bind method.
583 * If an LDAP error occurs, the LDAP error is returned in lderr.
598 char *skrbnames[ 2 ];
599 char realm[ REALM_SZ ];
600 char name[ ANAME_SZ ];
601 char instance[ INST_SZ ];
602 #endif /* KERBEROS */
607 Debug( LDAP_DEBUG_ANY, "Error: do_bind: null ri ptr\n", 0, 0, 0 );
608 return( BIND_ERR_BADRI );
611 if ( ri->ri_ldp != NULL ) {
612 ldrc = ldap_unbind( ri->ri_ldp );
613 if ( ldrc != LDAP_SUCCESS ) {
614 Debug( LDAP_DEBUG_ANY,
615 "Error: do_bind: ldap_unbind failed: %s\n",
616 ldap_err2string( ldrc ), 0, 0 );
621 Debug( LDAP_DEBUG_ARGS, "Open connection to %s:%d\n",
622 ri->ri_hostname, ri->ri_port, 0 );
623 ri->ri_ldp = ldap_open( ri->ri_hostname, ri->ri_port );
624 if ( ri->ri_ldp == NULL ) {
625 Debug( LDAP_DEBUG_ANY, "Error: ldap_open(%s, %d) failed: %s\n",
626 ri->ri_hostname, ri->ri_port, sys_errlist[ errno ] );
627 return( BIND_ERR_OPEN );
631 * Set ldap library options to (1) not follow referrals, and
632 * (2) restart the select() system call.
634 #ifdef LDAP_REFERRALS
635 ri->ri_ldp->ld_options &= ~LDAP_OPT_REFERRALS;
636 #endif /* LDAP_REFERRALS */
637 ri->ri_ldp->ld_options |= LDAP_OPT_RESTART;
639 switch ( ri->ri_bind_method ) {
642 Debug( LDAP_DEBUG_ANY,
643 "Error: Kerberos bind for %s:%d, but not compiled w/kerberos\n",
644 ri->ri_hostname, ri->ri_port, 0 );
645 return( BIND_ERR_KERBEROS_FAILED );
648 * Bind using kerberos.
649 * If "bindprincipal" was given in the config file, then attempt
650 * to get a TGT for that principal (via the srvtab file). If only
651 * a binddn was given, then we need to read that entry to get
652 * the kerberosName attributes, and try to get a TGT for one
653 * of them. All are tried. The first one which succeeds is
654 * returned. XXX It might be a good idea to just require a
655 * bindprincipal. Reading the entry every time might be a significant
656 * amount of overhead, if the connection is closed between most
660 if ( ri->ri_principal != NULL ) {
661 skrbnames[ 0 ] = ri->ri_principal;
662 skrbnames[ 1 ] = NULL;
663 krbnames = skrbnames;
665 krbnames = read_krbnames( ri );
668 if (( krbnames == NULL ) || ( krbnames[ 0 ] == NULL )) {
669 Debug( LDAP_DEBUG_ANY,
670 "Error: Can't find krbname for binddn \"%s\"\n",
671 ri->ri_bind_dn, 0, 0 );
672 retval = BIND_ERR_KERBEROS_FAILED;
676 * Now we've got one or more kerberos principals. See if any
677 * of them are in the srvtab file.
680 for ( kni = 0; krbnames[ kni ] != NULL; kni++ ) {
681 rc = kname_parse( name, instance, realm, krbnames[ kni ]);
682 if ( rc != KSUCCESS ) {
686 rc = krb_get_svc_in_tkt( name, instance, realm, "krbtgt", realm,
688 if ( rc != KSUCCESS) {
689 Debug( LDAP_DEBUG_ANY, "Error: Can't get TGT for %s: %s\n",
690 krbnames[ kni ], krb_err_txt[ rc ], 0 );
697 Debug( LDAP_DEBUG_ANY,
698 "Error: Could not obtain TGT for DN \"%s\"\n",
699 ri->ri_bind_dn, 0, 0 );
700 retval = BIND_ERR_KERBEROS_FAILED;
704 * We've got a TGT. Do a kerberos bind.
706 Debug( LDAP_DEBUG_ARGS, "bind to %s:%d as %s (kerberos)\n",
707 ri->ri_hostname, ri->ri_port, ri->ri_bind_dn );
708 ldrc = ldap_kerberos_bind_s( ri->ri_ldp, ri->ri_bind_dn );
709 ri->ri_principal = strdup( krbnames[ kni ] );
710 if ( ldrc != LDAP_SUCCESS ) {
711 Debug( LDAP_DEBUG_ANY, "Error: kerberos bind for %s:%dfailed: %s\n",
712 ri->ri_hostname, ri->ri_port, ldap_err2string( ldrc ));
714 retval = BIND_ERR_KERBEROS_FAILED;
717 kexit: if ( krbnames != NULL ) {
718 ldap_value_free( krbnames );
722 #endif /* KERBEROS */
725 * Bind with a plaintext password.
727 Debug( LDAP_DEBUG_ARGS, "bind to %s:%d as %s (simple)\n",
728 ri->ri_hostname, ri->ri_port, ri->ri_bind_dn );
729 ldrc = ldap_simple_bind_s( ri->ri_ldp, ri->ri_bind_dn,
731 if ( ldrc != LDAP_SUCCESS ) {
732 Debug( LDAP_DEBUG_ANY,
733 "Error: ldap_simple_bind_s for %s:%d failed: %s\n",
734 ri->ri_hostname, ri->ri_port, ldap_err2string( ldrc ));
736 return( BIND_ERR_SIMPLE_FAILED );
742 Debug( LDAP_DEBUG_ANY,
743 "Error: do_bind: unknown auth type \"%d\" for %s:%d\n",
744 ri->ri_bind_method, ri->ri_hostname, ri->ri_port );
745 return( BIND_ERR_BAD_ATYPE );
754 * For debugging. Print the contents of an ldmarr array.
765 for ( i = 0; ldmarr[ i ] != NULL; i++ ) {
767 Debug( LDAP_DEBUG_TRACE,
768 "Trace (%d): *** ldmarr[ %d ] contents:\n",
770 Debug( LDAP_DEBUG_TRACE,
771 "Trace (%d): *** ldm->mod_op: %d\n",
772 getpid(), ldm->mod_op, 0 );
773 Debug( LDAP_DEBUG_TRACE,
774 "Trace (%d): *** ldm->mod_type: %s\n",
775 getpid(), ldm->mod_type, 0 );
776 if ( ldm->mod_bvalues != NULL ) {
777 for ( j = 0; ( b = ldm->mod_bvalues[ j ] ) != NULL; j++ ) {
778 msgbuf = ch_malloc( b->bv_len + 512 );
779 sprintf( msgbuf, "***** bv[ %d ] len = %d, val = <%s>",
780 j, b->bv_len, b->bv_val );
781 Debug( LDAP_DEBUG_TRACE,
782 "Trace (%d):%s\n", getpid(), msgbuf, 0 );
791 * Get the kerberos names from the binddn for "replica" via an ldap search.
792 * Returns a null-terminated array of char *, or NULL if the entry could
793 * not be found or there were no kerberosName attributes. The caller is
794 * responsible for freeing the returned array and strings it points to.
804 LDAPMessage *result, *entry;
806 /* First need to bind as NULL */
807 rc = ldap_simple_bind_s( ri->ri_ldp, NULL, NULL );
808 if ( rc != LDAP_SUCCESS ) {
809 Debug( LDAP_DEBUG_ANY,
810 "Error: null bind failed getting krbnames for %s:%d: %s\n",
811 ri->ri_hostname, ri->ri_port, ldap_err2string( rc ));
814 rc = ldap_search_st( ri->ri_ldp, ri->ri_bind_dn, LDAP_SCOPE_BASE,
815 "objectclass=*", kattrs, 0, &kst, &result );
816 if ( rc != LDAP_SUCCESS ) {
817 Debug( LDAP_DEBUG_ANY,
818 "Error: search failed getting krbnames for %s:%d: %s\n",
819 ri->ri_hostname, ri->ri_port, ldap_err2string( rc ));
822 ne = ldap_count_entries( ri->ri_ldp, result );
824 Debug( LDAP_DEBUG_ANY,
825 "Error: Can't find entry \"%s\" for %s:%d kerberos bind\n",
826 ri->ri_bind_dn, ri->ri_hostname, ri->ri_port );
830 Debug( LDAP_DEBUG_ANY,
831 "Error: Kerberos binddn \"%s\" for %s:%dis ambiguous\n",
832 ri->ri_bind_dn, ri->ri_hostname, ri->ri_port );
835 entry = ldap_first_entry( ri->ri_ldp, result );
836 if ( entry == NULL ) {
837 Debug( LDAP_DEBUG_ANY,
838 "Error: Can't find \"%s\" for kerberos binddn for %s:%d\n",
839 ri->ri_bind_dn, ri->ri_hostname, ri->ri_port );
842 krbnames = ldap_get_values( ri->ri_ldp, entry, "kerberosName" );
843 ldap_msgfree( result );
858 for ( p = s; ( p != NULL ) && ( *p != '\0' ); p++ ) {
859 if ( islower( *p )) {