+static int parseProxyAuthz (
+ Connection *conn,
+ Operation *op,
+ LDAPControl *ctrl,
+ const char **text )
+{
+ int rc;
+ struct berval dn;
+
+ if ( op->o_proxy_authz != SLAP_NO_CONTROL ) {
+ *text = "proxy authorization control specified multiple times";
+ return LDAP_PROTOCOL_ERROR;
+ }
+
+ op->o_proxy_authz = ctrl->ldctl_iscritical
+ ? SLAP_CRITICAL_CONTROL
+ : SLAP_NONCRITICAL_CONTROL;
+
+#ifdef NEW_LOGGING
+ LDAP_LOG( OPERATION, ARGS,
+ "parseProxyAuthz: conn %lu authzid=\"%s\"\n",
+ conn->c_connid,
+ ctrl->ldctl_value.bv_len ? ctrl->ldctl_value.bv_val : "anonymous",
+ 0 );
+#else
+ Debug( LDAP_DEBUG_ARGS,
+ "parseProxyAuthz: conn %lu authzid=\"%s\"\n",
+ conn->c_connid,
+ ctrl->ldctl_value.bv_len ? ctrl->ldctl_value.bv_val : "anonymous",
+ 0 );
+#endif
+
+ if( ctrl->ldctl_value.bv_len == 0 ) {
+#ifdef NEW_LOGGING
+ LDAP_LOG( OPERATION, RESULTS,
+ "parseProxyAuthz: conn=%lu anonymous\n",
+ conn->c_connid, 0, 0 );
+#else
+ Debug( LDAP_DEBUG_TRACE,
+ "parseProxyAuthz: conn=%lu anonymous\n",
+ conn->c_connid, 0, 0 );
+#endif
+
+ /* anonymous */
+ free( op->o_dn.bv_val );
+ op->o_dn.bv_len = 0;
+ op->o_dn.bv_val = ch_strdup( "" );
+
+ free( op->o_ndn.bv_val );
+ op->o_ndn.bv_len = 0;
+ op->o_ndn.bv_val = ch_strdup( "" );
+
+ return LDAP_SUCCESS;
+ }
+
+ rc = slap_sasl_getdn( conn,
+ ctrl->ldctl_value.bv_val, ctrl->ldctl_value.bv_len,
+ NULL, &dn, SLAP_GETDN_AUTHZID );
+
+ if( rc != LDAP_SUCCESS || !dn.bv_len ) {
+ *text = "authzId mapping failed";
+ return LDAP_PROXY_AUTHZ_FAILURE;
+ }
+
+#ifdef NEW_LOGGING
+ LDAP_LOG( OPERATION, RESULTS,
+ "parseProxyAuthz: conn=%lu \"%s\"\n",
+ conn->c_connid,
+ dn.bv_len ? dn.bv_val : "(NULL)", 0 );
+#else
+ Debug( LDAP_DEBUG_TRACE,
+ "parseProxyAuthz: conn=%lu \"%s\"\n",
+ conn->c_connid,
+ dn.bv_len ? dn.bv_val : "(NULL)", 0 );
+#endif
+
+ rc = slap_sasl_authorized( conn, &op->o_ndn, &dn );
+
+ if( rc ) {
+ ch_free( dn.bv_val );
+ *text = "not authorized to assume identity";
+ return LDAP_PROXY_AUTHZ_FAILURE;
+ }
+
+ ch_free( op->o_dn.bv_val );
+ ch_free( op->o_ndn.bv_val );
+
+ op->o_dn.bv_val = NULL;
+ op->o_ndn = dn;
+ ber_dupbv( &op->o_dn, &dn );
+
+ return LDAP_SUCCESS;
+}
+
+static int parseNoOp (
+ Connection *conn,
+ Operation *op,
+ LDAPControl *ctrl,
+ const char **text )
+{
+ if ( op->o_noop != SLAP_NO_CONTROL ) {
+ *text = "noop control specified multiple times";
+ return LDAP_PROTOCOL_ERROR;
+ }
+
+ if ( ctrl->ldctl_value.bv_len ) {
+ *text = "noop control value not empty";
+ return LDAP_PROTOCOL_ERROR;
+ }
+
+ op->o_noop = ctrl->ldctl_iscritical
+ ? SLAP_CRITICAL_CONTROL
+ : SLAP_NONCRITICAL_CONTROL;
+
+ return LDAP_SUCCESS;
+}
+
+static int parsePagedResults (
+ Connection *conn,
+ Operation *op,
+ LDAPControl *ctrl,
+ const char **text )
+{
+ ber_tag_t tag;
+ ber_int_t size;
+ BerElement *ber;
+ struct berval cookie = { 0, NULL };
+
+ if ( op->o_pagedresults != SLAP_NO_CONTROL ) {
+ *text = "paged results control specified multiple times";
+ return LDAP_PROTOCOL_ERROR;
+ }
+
+ if ( ctrl->ldctl_value.bv_len == 0 ) {
+ *text = "paged results control value is empty (or absent)";
+ return LDAP_PROTOCOL_ERROR;
+ }
+
+ /* Parse the control value
+ * realSearchControlValue ::= SEQUENCE {
+ * size INTEGER (0..maxInt),
+ * -- requested page size from client
+ * -- result set size estimate from server
+ * cookie OCTET STRING
+ */
+ ber = ber_init( &ctrl->ldctl_value );
+ if( ber == NULL ) {
+ *text = "internal error";
+ return LDAP_OTHER;
+ }
+
+ tag = ber_scanf( ber, "{im}", &size, &cookie );
+ (void) ber_free( ber, 1 );
+
+ if( tag == LBER_ERROR ) {
+ *text = "paged results control could not be decoded";
+ return LDAP_PROTOCOL_ERROR;
+ }
+
+ if( size < 0 ) {
+ *text = "paged results control size invalid";
+ return LDAP_PROTOCOL_ERROR;
+ }
+
+ if( cookie.bv_len ) {
+ PagedResultsCookie reqcookie;
+ if( cookie.bv_len != sizeof( reqcookie ) ) {
+ /* bad cookie */
+ *text = "paged results cookie is invalid";
+ return LDAP_PROTOCOL_ERROR;
+ }
+
+ AC_MEMCPY( &reqcookie, cookie.bv_val, sizeof( reqcookie ));
+
+ if( reqcookie > op->o_pagedresults_state.ps_cookie ) {
+ /* bad cookie */
+ *text = "paged results cookie is invalid";
+ return LDAP_PROTOCOL_ERROR;
+
+ } else if( reqcookie < op->o_pagedresults_state.ps_cookie ) {
+ *text = "paged results cookie is invalid or old";
+ return LDAP_UNWILLING_TO_PERFORM;
+ }
+ } else {
+ /* Initial request. Initialize state. */
+ op->o_pagedresults_state.ps_cookie = 0;
+ op->o_pagedresults_state.ps_id = NOID;
+ }
+
+ op->o_pagedresults_size = size;
+
+ op->o_pagedresults = ctrl->ldctl_iscritical
+ ? SLAP_CRITICAL_CONTROL
+ : SLAP_NONCRITICAL_CONTROL;
+
+ return LDAP_SUCCESS;
+}
+
+int parseValuesReturnFilter (
+ Connection *conn,
+ Operation *op,
+ LDAPControl *ctrl,
+ const char **text )
+{
+ int rc;
+ BerElement *ber;
+ struct berval fstr = { 0, NULL };
+ const char *err_msg = "";
+
+ if ( op->o_valuesreturnfilter != SLAP_NO_CONTROL ) {
+ *text = "valuesReturnFilter control specified multiple times";
+ return LDAP_PROTOCOL_ERROR;
+ }
+
+ if ( ctrl->ldctl_value.bv_len == 0 ) {
+ *text = "valuesReturnFilter control value is empty (or absent)";
+ return LDAP_PROTOCOL_ERROR;
+ }
+
+ ber = ber_init( &(ctrl->ldctl_value) );
+ if (ber == NULL) {
+ *text = "internal error";
+ return LDAP_OTHER;
+ }
+
+ rc = get_vrFilter( conn, ber, &(op->vrFilter), &err_msg);
+
+ if( rc != LDAP_SUCCESS ) {
+ text = &err_msg;
+ if( rc == SLAPD_DISCONNECT ) {
+ send_ldap_disconnect( conn, op,
+ LDAP_PROTOCOL_ERROR, *text );
+ } else {
+ send_ldap_result( conn, op, rc,
+ NULL, *text, NULL, NULL );
+ }
+ if( fstr.bv_val != NULL) free( fstr.bv_val );
+ if( op->vrFilter != NULL) vrFilter_free( op->vrFilter );
+
+ } else {
+ vrFilter2bv( op->vrFilter, &fstr );
+ }
+
+#ifdef NEW_LOGGING
+ LDAP_LOG( OPERATION, ARGS,
+ "parseValuesReturnFilter: conn %d vrFilter: %s\n",
+ conn->c_connid, fstr.bv_len ? fstr.bv_val : "empty" , 0 );
+#else
+ Debug( LDAP_DEBUG_ARGS, " vrFilter: %s\n",
+ fstr.bv_len ? fstr.bv_val : "empty", 0, 0 );
+#endif
+
+ op->o_valuesreturnfilter = ctrl->ldctl_iscritical
+ ? SLAP_CRITICAL_CONTROL
+ : SLAP_NONCRITICAL_CONTROL;
+
+ return LDAP_SUCCESS;
+}
+
+#ifdef LDAP_CONTROL_SUBENTRIES