+
+ if ( ( map == at_map )
+ && ( strcasecmp( src, "objectclass" ) == 0
+ || strcasecmp( dst, "objectclass" ) == 0 ) )
+ {
+ fprintf( stderr,
+ "%s: line %d: objectclass attribute cannot be mapped\n",
+ fname, lineno );
+ }
+
+ mapping = (struct ldapmapping *)ch_calloc( 2,
+ sizeof(struct ldapmapping) );
+ if ( mapping == NULL ) {
+ fprintf( stderr,
+ "%s: line %d: out of memory\n",
+ fname, lineno );
+ return 1;
+ }
+ ber_str2bv( src, 0, 1, &mapping->src );
+ ber_str2bv( dst, 0, 1, &mapping->dst );
+ mapping[1].src = mapping->dst;
+ mapping[1].dst = mapping->src;
+
+ /*
+ * schema check
+ */
+ if ( is_oc ) {
+ if ( src[0] != '\0' ) {
+ if ( oc_bvfind( &mapping->src ) == NULL ) {
+ fprintf( stderr,
+ "%s: line %d: warning, source objectClass '%s' "
+ "should be defined in schema\n",
+ fname, lineno, src );
+
+ /*
+ * FIXME: this should become an err
+ */
+ }
+ }
+
+ if ( oc_bvfind( &mapping->dst ) == NULL ) {
+ fprintf( stderr,
+ "%s: line %d: warning, destination objectClass '%s' "
+ "is not defined in schema\n",
+ fname, lineno, dst );
+ }
+ } else {
+ int rc;
+ const char *text = NULL;
+ AttributeDescription *ad = NULL;
+
+ if ( src[0] != '\0' ) {
+ rc = slap_bv2ad( &mapping->src, &ad, &text );
+ if ( rc != LDAP_SUCCESS ) {
+ fprintf( stderr,
+ "%s: line %d: warning, source attributeType '%s' "
+ "should be defined in schema\n",
+ fname, lineno, src );
+
+ /*
+ * FIXME: this should become an err
+ */
+ }
+
+ ad = NULL;
+ }
+
+ rc = slap_bv2ad( &mapping->dst, &ad, &text );
+ if ( rc != LDAP_SUCCESS ) {
+ fprintf( stderr,
+ "%s: line %d: warning, destination attributeType '%s' "
+ "is not defined in schema\n",
+ fname, lineno, dst );
+ }
+ }
+
+ if ( (src[0] != '\0' && avl_find( map->map, (caddr_t)mapping, mapping_cmp ) != NULL)
+ || avl_find( map->remap, (caddr_t)&mapping[1], mapping_cmp ) != NULL)
+ {
+ fprintf( stderr,
+ "%s: line %d: duplicate mapping found (ignored)\n",
+ fname, lineno );
+ /* FIXME: free stuff */
+ goto error_return;
+ }
+
+ if ( src[0] != '\0' ) {
+ avl_insert( &map->map, (caddr_t)mapping,
+ mapping_cmp, mapping_dup );
+ }
+ avl_insert( &map->remap, (caddr_t)&mapping[1],
+ mapping_cmp, mapping_dup );
+
+ return 0;
+
+error_return:;
+ if ( mapping ) {
+ ch_free( mapping->src.bv_val );
+ ch_free( mapping->dst.bv_val );
+ ch_free( mapping );
+ }
+
+ return 1;
+}
+
+static int
+ldap_back_exop_whoami(
+ Operation *op,
+ SlapReply *rs )
+{
+ struct berval *bv = NULL;
+
+ if ( op->oq_extended.rs_reqdata != NULL ) {
+ /* no request data should be provided */
+ rs->sr_text = "no request data expected";
+ return rs->sr_err = LDAP_PROTOCOL_ERROR;
+ }
+
+ rs->sr_err = backend_check_restrictions( op, rs,
+ (struct berval *)&slap_EXOP_WHOAMI );
+ if( rs->sr_err != LDAP_SUCCESS ) return rs->sr_err;
+
+ /* if auth'd by back-ldap and request is proxied, forward it */
+ if ( op->o_conn->c_authz_backend && !strcmp(op->o_conn->c_authz_backend->be_type, "ldap" ) && !dn_match(&op->o_ndn, &op->o_conn->c_ndn)) {
+ struct ldapconn *lc;
+
+ LDAPControl c, *ctrls[2] = {NULL, NULL};
+ LDAPMessage *res;
+ Operation op2 = *op;
+ ber_int_t msgid;
+
+ ctrls[0] = &c;
+ op2.o_ndn = op->o_conn->c_ndn;
+ lc = ldap_back_getconn(&op2, rs);
+ if (!lc || !ldap_back_dobind( lc, op, rs )) {
+ return -1;
+ }
+ c.ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ;
+ c.ldctl_iscritical = 1;
+ c.ldctl_value.bv_val = ch_malloc(op->o_ndn.bv_len+4);
+ c.ldctl_value.bv_len = op->o_ndn.bv_len + 3;
+ strcpy(c.ldctl_value.bv_val, "dn:");
+ strcpy(c.ldctl_value.bv_val+3, op->o_ndn.bv_val);
+
+ rs->sr_err = ldap_whoami(lc->ld, ctrls, NULL, &msgid);
+ if (rs->sr_err == LDAP_SUCCESS) {
+ if (ldap_result(lc->ld, msgid, 1, NULL, &res) == -1) {
+ ldap_get_option(lc->ld, LDAP_OPT_ERROR_NUMBER,
+ &rs->sr_err);
+ } else {
+ rs->sr_err = ldap_parse_whoami(lc->ld, res, &bv);
+ ldap_msgfree(res);
+ }
+ }
+ ch_free(c.ldctl_value.bv_val);
+ if (rs->sr_err != LDAP_SUCCESS) {
+ rs->sr_err = ldap_back_map_result(rs);
+ }
+ } else {
+ /* else just do the same as before */
+ bv = (struct berval *) ch_malloc( sizeof(struct berval) );
+ if( op->o_dn.bv_len ) {
+ bv->bv_len = op->o_dn.bv_len + sizeof("dn:")-1;
+ bv->bv_val = ch_malloc( bv->bv_len + 1 );
+ AC_MEMCPY( bv->bv_val, "dn:", sizeof("dn:")-1 );
+ AC_MEMCPY( &bv->bv_val[sizeof("dn:")-1], op->o_dn.bv_val,
+ op->o_dn.bv_len );
+ bv->bv_val[bv->bv_len] = '\0';
+ } else {
+ bv->bv_len = 0;
+ bv->bv_val = NULL;
+ }
+ }
+
+ rs->sr_rspdata = bv;
+ return rs->sr_err;
+}
+
+
+#ifdef ENABLE_REWRITE
+static char *
+suffix_massage_regexize( const char *s )
+{
+ char *res, *ptr;
+ const char *p, *r;
+ int i;
+
+ for ( i = 0, p = s;
+ ( r = strchr( p, ',' ) ) != NULL;
+ p = r + 1, i++ )
+ ;
+
+ res = ch_calloc( sizeof( char ), strlen( s ) + 4 + 4*i + 1 );
+
+ ptr = lutil_strcopy( res, "(.*)" );
+ for ( i = 0, p = s;
+ ( r = strchr( p, ',' ) ) != NULL;
+ p = r + 1 , i++ ) {
+ ptr = lutil_strncopy( ptr, p, r - p + 1 );
+ ptr = lutil_strcopy( ptr, "[ ]?" );
+
+ if ( r[ 1 ] == ' ' ) {
+ r++;
+ }
+ }
+ lutil_strcopy( ptr, p );
+
+ return res;
+}
+
+static char *
+suffix_massage_patternize( const char *s )
+{
+ ber_len_t len;
+ char *res;
+
+ len = strlen( s );
+
+ res = ch_calloc( sizeof( char ), len + sizeof( "%1" ) );
+ if ( res == NULL ) {
+ return NULL;
+ }
+
+ strcpy( res, "%1" );
+ strcpy( res + sizeof( "%1" ) - 1, s );
+
+ return res;
+}
+
+int
+suffix_massage_config(
+ struct rewrite_info *info,
+ struct berval *pvnc,
+ struct berval *nvnc,
+ struct berval *prnc,
+ struct berval *nrnc
+)
+{
+ char *rargv[ 5 ];
+ int line = 0;
+
+ rargv[ 0 ] = "rewriteEngine";
+ rargv[ 1 ] = "on";
+ rargv[ 2 ] = NULL;
+ rewrite_parse( info, "<suffix massage>", ++line, 2, rargv );
+
+ rargv[ 0 ] = "rewriteContext";
+ rargv[ 1 ] = "default";
+ rargv[ 2 ] = NULL;
+ rewrite_parse( info, "<suffix massage>", ++line, 2, rargv );
+
+ rargv[ 0 ] = "rewriteRule";
+ rargv[ 1 ] = suffix_massage_regexize( pvnc->bv_val );
+ rargv[ 2 ] = suffix_massage_patternize( prnc->bv_val );
+ rargv[ 3 ] = ":";
+ rargv[ 4 ] = NULL;
+ rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
+ ch_free( rargv[ 1 ] );
+ ch_free( rargv[ 2 ] );
+
+ rargv[ 0 ] = "rewriteContext";
+ rargv[ 1 ] = "searchResult";
+ rargv[ 2 ] = NULL;
+ rewrite_parse( info, "<suffix massage>", ++line, 2, rargv );
+
+ rargv[ 0 ] = "rewriteRule";
+ rargv[ 1 ] = suffix_massage_regexize( prnc->bv_val );
+ rargv[ 2 ] = suffix_massage_patternize( pvnc->bv_val );
+ rargv[ 3 ] = ":";
+ rargv[ 4 ] = NULL;
+ rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
+ ch_free( rargv[ 1 ] );
+ ch_free( rargv[ 2 ] );
+
+#if 0
+ /*
+ * FIXME: this is no longer required since now we map filters
+ * based on the parsed filter structure, so we can deal directly
+ * with attribute types and values. The rewriteContext
+ * "searchFilter" now refers to the value of attrbutes
+ * with DN syntax.
+ */
+
+ /*
+ * the filter should be rewritten as
+ *
+ * rewriteRule
+ * "(.*)member=([^)]+),o=Foo Bar,[ ]?c=US(.*)"
+ * "%1member=%2,dc=example,dc=com%3"
+ *
+ * where "o=Foo Bar, c=US" is the virtual naming context,
+ * and "dc=example, dc=com" is the real naming context
+ */
+ rargv[ 0 ] = "rewriteContext";
+ rargv[ 1 ] = "searchFilter";
+ rargv[ 2 ] = NULL;
+ rewrite_parse( info, "<suffix massage>", ++line, 2, rargv );
+
+#if 1 /* rewrite filters */
+ {
+ /*
+ * Note: this is far more optimistic than desirable:
+ * for any AVA value ending with the virtual naming
+ * context the terminal part will be replaced by the
+ * real naming context; a better solution would be to
+ * walk the filter looking for DN-valued attributes,
+ * and only rewrite those that require rewriting
+ */
+ char vbuf_[BUFSIZ], *vbuf = vbuf_,
+ rbuf_[BUFSIZ], *rbuf = rbuf_;
+ int len;
+
+ len = snprintf( vbuf, sizeof( vbuf_ ),
+ "(.*)%s\\)(.*)", nvnc->bv_val );
+ if ( len == -1 ) {
+ /*
+ * traditional behavior: snprintf returns -1
+ * if buffer is insufficient
+ */
+ return -1;
+
+ } else if ( len >= (int)sizeof( vbuf_ ) ) {
+ /*
+ * C99: snprintf returns the required size
+ */
+ vbuf = ch_malloc( len + 1 );
+ len = snprintf( vbuf, len,
+ "(.*)%s\\)(.*)", nvnc->bv_val );
+ assert( len > 0 );
+ }
+
+ len = snprintf( rbuf, sizeof( rbuf_ ), "%%1%s)%%2",
+ nrnc->bv_val );
+ if ( len == -1 ) {
+ return -1;
+
+ } else if ( len >= (int)sizeof( rbuf_ ) ) {
+ rbuf = ch_malloc( len + 1 );
+ len = snprintf( rbuf, sizeof( rbuf_ ), "%%1%s)%%2",
+ nrnc->bv_val );
+ assert( len > 0 );
+ }
+
+ rargv[ 0 ] = "rewriteRule";
+ rargv[ 1 ] = vbuf;
+ rargv[ 2 ] = rbuf;
+ rargv[ 3 ] = ":";
+ rargv[ 4 ] = NULL;
+ rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
+
+ if ( vbuf != vbuf_ ) {
+ ch_free( vbuf );
+ }
+
+ if ( rbuf != rbuf_ ) {
+ ch_free( rbuf );
+ }
+ }
+#endif /* rewrite filters */
+#endif
+
+#if 0 /* "matched" is not normalized */
+ rargv[ 0 ] = "rewriteContext";
+ rargv[ 1 ] = "matchedDn";
+ rargv[ 2 ] = "alias";
+ rargv[ 3 ] = "searchResult";
+ rargv[ 4 ] = NULL;
+ rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
+#else /* normalize "matched" */
+
+ rargv[ 0 ] = "rewriteContext";
+ rargv[ 1 ] = "matchedDN";
+ rargv[ 2 ] = "alias";
+ rargv[ 3 ] = "searchResult";
+ rargv[ 4 ] = NULL;
+ rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
+
+ rargv[ 0 ] = "rewriteContext";
+ rargv[ 1 ] = "searchAttrDN";
+ rargv[ 2 ] = "alias";
+ rargv[ 3 ] = "searchResult";
+ rargv[ 4 ] = NULL;
+ rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
+
+#if 0
+ rargv[ 0 ] = "rewriteRule";
+ rargv[ 1 ] = suffix_massage_regexize( prnc->bv_val );
+ rargv[ 2 ] = suffix_massage_patternize( nvnc->bv_val );
+ rargv[ 3 ] = ":";
+ rargv[ 4 ] = NULL;
+ rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
+ ch_free( rargv[ 1 ] );
+ ch_free( rargv[ 2 ] );
+#endif /* 0 */
+#endif /* normalize "matched" */
+