/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright 2003-2005 The OpenLDAP Foundation.
+ * Copyright 2003-2006 The OpenLDAP Foundation.
* Portions Copyright 2003 Howard Chu.
* All rights reserved.
*
* the tree? Should be all configurable.
*/
- /* "common" configuration info (all occurring before an "uri") */
+ /* "common" configuration info (anything occurring before an "uri") */
ldapinfo_t *lc_common_li;
/* current configuration info */
return 0;
}
-static int
-ldap_chain_operational( Operation *op, SlapReply *rs )
-{
- /* Trap entries generated by back-ldap.
- *
- * FIXME: we need a better way to recognize them; a cleaner
- * solution would be to be able to intercept the response
- * of be_operational(), so that we can divert only those
- * calls that fail because operational attributes were
- * requested for entries that do not belong to the underlying
- * database. This fix is likely to intercept also entries
- * generated by back-perl and so. */
- if ( rs->sr_entry->e_private == NULL ) {
- return 0;
- }
-
- return SLAP_CB_CONTINUE;
-}
-
/*
* Search specific response that strips entryDN from entries
*/
break;
}
}
+
+ /* tell the frontend not to add generated
+ * operational attributes */
+ rs->sr_flags |= REP_NO_OPERATIONALS;
return SLAP_CB_CONTINUE;
ldap_chain_op(
Operation *op,
SlapReply *rs,
- int ( *op_f )( Operation *op, SlapReply *rs ),
+ BI_op_func *op_f,
BerVarray ref )
{
slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
}
}
- rc = ( *op_f )( op, rs );
+ rc = op_f( op, rs );
cleanup:;
ldap_memfree( li.li_uri );
BerVarray ref;
struct berval ndn = op->o_ndn;
-#ifdef LDAP_CONTROL_X_CHAINING_BEHAVIOR
int sr_err = rs->sr_err;
slap_reply_t sr_type = rs->sr_type;
+#ifdef LDAP_CONTROL_X_CHAINING_BEHAVIOR
slap_mask_t chain_mask = 0;
ber_len_t chain_shift = 0;
#endif /* LDAP_CONTROL_X_CHAINING_BEHAVIOR */
}
} else {
- rc = ldap_chain_op( op, rs, lback->bi_op_search, ref );
+ /* we might get here before any database actually
+ * performed a search; in those cases, we need
+ * to check limits, to make sure safe defaults
+ * are in place */
+ if ( op->ors_limit != NULL || limits_check( op, rs ) == 0 ) {
+ rc = ldap_chain_op( op, rs, lback->bi_op_search, ref );
+
+ } else {
+ rc = SLAP_CB_CONTINUE;
+ }
}
break;
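Review bot: The new else branch at L80–82 falls through with `rc = SLAP_CB_CONTINUE` after `limits_check()` has rejected the operation, and in slapd the limits code normally sends its own result when a limit is exceeded, so letting the frontend continue from this response handler may yield a second result for the same search; please confirm which side owns the reply here. Whatever the outcome, the branch deserves a comment stating it, e.g. `/* limits_check() failed and is expected to have sent the result itself; do not chain */`. Note also that `limits_check()` may rewrite `rs->sr_err`, which the function later restores from `sr_err` at L111 — worth saying so in the comment added at L73–76. The enclosing switch and function start and end outside the hunk.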
/* FIXME: ldap_back_extended() by design
* doesn't send result; frontend is expected
* to send it... */
- /* FIXME: what aboit chaining? */
+ /* FIXME: what about chaining? */
if ( rc != SLAPD_ABANDON ) {
send_ldap_extended( op, rs );
rc = LDAP_SUCCESS;
case LDAP_SUCCESS:
case LDAP_REFERRAL:
/* slapd-ldap sent response */
- assert( sc2.sc_private == LDAP_CH_RES );
+ if ( !op->o_abandon && sc2.sc_private != LDAP_CH_RES ) {
+ /* FIXME: should we send response? */
+ Debug( LDAP_DEBUG_ANY,
+ "%s: ldap_chain_response: "
+ "overlay should have sent result.\n",
+ op->o_log_prefix, 0, 0 );
+ }
break;
default:
send_ldap_result( op, rs );
}
-#ifdef LDAP_CONTROL_X_CHAINING_BEHAVIOR
dont_chain:;
-#endif /* LDAP_CONTROL_X_CHAINING_BEHAVIOR */
rs->sr_err = sr_err;
rs->sr_type = sr_type;
rs->sr_matched = matched;
CH_LAST
};
-#ifdef LDAP_CONTROL_X_CHAINING_BEHAVIOR
static ConfigDriver chain_cf_gen;
-#endif
static ConfigCfAdd chain_cfadd;
static ConfigLDAPadd chain_ldadd;
"DESC 'Chaining behavior control parameters (draft-sermersheim-ldap-chaining)' "
"SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
#endif /* LDAP_CONTROL_X_CHAINING_BEHAVIOR */
- { "chain-cache-uris", "TRUE/FALSE",
+ { "chain-cache-uri", "TRUE/FALSE",
2, 2, 0, ARG_MAGIC|ARG_ON_OFF|CH_CACHE_URI, chain_cf_gen,
- "( OLcfgOvAt:3.2 NAME 'olcCacheURIs' "
+ "( OLcfgOvAt:3.2 NAME 'olcCacheURI' "
"DESC 'Enables caching of URIs not present in configuration' "
"SYNTAX OMsBoolean SINGLE-VALUE )", NULL, NULL },
{ NULL, NULL, 0, 0, 0, ARG_IGNORED }
};
static ConfigOCs chainocs[] = {
-#ifdef LDAP_CONTROL_X_CHAINING_BEHAVIOR
{ "( OLcfgOvOc:3.1 "
"NAME 'olcChainConfig' "
"DESC 'Chain configuration' "
"SUP olcOverlayConfig "
- "MAY ( olcChainingBehavior "
- "$ olcCacheURIs "
+ "MAY ( "
+#ifdef LDAP_CONTROL_X_CHAINING_BEHAVIOR
+ "olcChainingBehavior $ "
+#endif /* LDAP_CONTROL_X_CHAINING_BEHAVIOR */
+ "olcCacheURI "
") )",
Cft_Overlay, chaincfg, NULL, chain_cfadd },
-#endif
{ "( OLcfgOvOc:3.2 "
"NAME 'olcChainDatabase' "
"DESC 'Chain remote server configuration' "
}
#ifdef LDAP_CONTROL_X_CHAINING_BEHAVIOR
-
static slap_verbmasks chaining_mode[] = {
{ BER_BVC("referralsRequired"), LDAP_REFERRALS_REQUIRED },
{ BER_BVC("referralsPreferred"), LDAP_REFERRALS_PREFERRED },
{ BER_BVC("chainingPreferred"), LDAP_CHAINING_PREFERRED },
{ BER_BVNULL, 0 }
};
+#endif /* LDAP_CONTROL_X_CHAINING_BEHAVIOR */
static int
chain_cf_gen( ConfigArgs *c )
}
switch( c->type ) {
-#ifdef LDAP_CONTROL_X_CHAINING_BEHAVIOR
case CH_CHAINING: {
+#ifdef LDAP_CONTROL_X_CHAINING_BEHAVIOR
char **argv = c->argv;
int argc = c->argc;
BerElementBuffer berbuf;
if ( strncasecmp( argv[ 0 ], "resolve=", STRLENOF( "resolve=" ) ) == 0 ) {
resolve = str2chain( argv[ 0 ] + STRLENOF( "resolve=" ) );
if ( resolve == -1 ) {
- fprintf( stderr, "%s line %d: "
+ Debug( LDAP_DEBUG_ANY, "%s: "
"illegal <resolve> value %s "
- "in \"chain-chaining>\"\n",
- c->fname, c->lineno, argv[ 0 ] );
+ "in \"chain-chaining>\".\n",
+ c->log, argv[ 0 ], 0 );
return 1;
}
} else if ( strncasecmp( argv[ 0 ], "continuation=", STRLENOF( "continuation=" ) ) == 0 ) {
continuation = str2chain( argv[ 0 ] + STRLENOF( "continuation=" ) );
if ( continuation == -1 ) {
- fprintf( stderr, "%s line %d: "
+ Debug( LDAP_DEBUG_ANY, "%s: "
"illegal <continuation> value %s "
- "in \"chain-chaining\"\n",
- c->fname, c->lineno, argv[ 0 ] );
+ "in \"chain-chaining\".\n",
+ c->log, argv[ 0 ], 0 );
return 1;
}
iscritical = 1;
} else {
- fprintf( stderr, "%s line %d: "
- "unknown option in \"chain-chaining\"\n",
- c->fname, c->lineno );
+ Debug( LDAP_DEBUG_ANY, "%s: "
+ "unknown option in \"chain-chaining\".\n",
+ c->log, 0, 0 );
return 1;
}
}
err = ber_printf( ber, "{e" /* } */, resolve );
if ( err == -1 ) {
ber_free( ber, 1 );
- fprintf( stderr, "%s line %d: "
+ Debug( LDAP_DEBUG_ANY, "%s: "
"chaining behavior control encoding error!\n",
- c->fname, c->lineno );
+ c->log, 0, 0 );
return 1;
}
err = ber_printf( ber, "e", continuation );
if ( err == -1 ) {
ber_free( ber, 1 );
- fprintf( stderr, "%s line %d: "
+ Debug( LDAP_DEBUG_ANY, "%s: "
"chaining behavior control encoding error!\n",
- c->fname, c->lineno );
+ c->log, 0, 0 );
return 1;
}
}
err = ber_printf( ber, /* { */ "N}" );
if ( err == -1 ) {
ber_free( ber, 1 );
- fprintf( stderr, "%s line %d: "
+ Debug( LDAP_DEBUG_ANY, "%s: "
"chaining behavior control encoding error!\n",
- c->fname, c->lineno );
+ c->log, 0, 0 );
return 1;
}
if ( ldap_chain_parse_ctrl( &op, &rs, &lc->lc_chaining_ctrl ) != LDAP_SUCCESS )
{
- fprintf( stderr, "%s line %d: "
- "unable to parse chaining control%s%s\n",
- c->fname, c->lineno,
- rs.sr_text ? ": " : "",
+ Debug( LDAP_DEBUG_ANY, "%s: "
+ "unable to parse chaining control%s%s.\n",
+ c->log, rs.sr_text ? ": " : "",
rs.sr_text ? rs.sr_text : "" );
return 1;
}
lc->lc_flags |= LDAP_CHAIN_F_CHAINING;
rc = 0;
-
- break;
- }
+#else /* ! LDAP_CONTROL_X_CHAINING_BEHAVIOR */
+ Debug( LDAP_DEBUG_ANY, "%s: "
+ "\"chaining\" control unsupported (ignored).\n",
+ c->log, 0, 0 );
#endif /* LDAP_CONTROL_X_CHAINING_BEHAVIOR */
+ } break;
case CH_CACHE_URI:
if ( c->value_int ) {
return rc;
}
-#endif /* LDAP_CONTROL_X_CHAINING_BEHAVIOR */
-
static int
ldap_chain_db_init(
BackendDB *be )
return 1;
}
memset( lc, 0, sizeof( ldap_chain_t ) );
+ ldap_pvt_thread_mutex_init( &lc->lc_lai.lai_mutex );
on->on_bi.bi_private = (void *)lc;
int rc = SLAP_CONF_UNKNOWN;
if ( lc->lc_common_li == NULL ) {
+ void *be_private = be->be_private;
ldap_chain_db_init_common( be );
lc->lc_common_li = lc->lc_cfg_li = (ldapinfo_t *)be->be_private;
+ be->be_private = be_private;
}
/* Something for the chain database? */
if ( strncasecmp( argv[ 0 ], "chain-", STRLENOF( "chain-" ) ) == 0 ) {
char *save_argv0 = argv[ 0 ];
- BackendInfo *bd_info = bd_info;
+ BackendInfo *bd_info = be->bd_info;
void *be_private = be->be_private;
ConfigOCs *be_cf_ocs = be->be_cf_ocs;
- int is_uri = 0;
+ static char *allowed_argv[] = {
+ /* special: put URI here, so in the meanwhile
+ * it detects whether a new URI is being provided */
+ "uri",
+ "nretries",
+ "timeout",
+ /* flags */
+ "tls",
+ /* FIXME: maybe rebind-as-user should be allowed
+ * only within known URIs... */
+ "rebind-as-user",
+ "chase-referrals",
+ "t-f-support",
+ "proxy-whoami",
+ NULL
+ };
+ int which_argv = -1;
argv[ 0 ] += STRLENOF( "chain-" );
- /* TODO: create a new structure and, after parsing the URI,
- * put it in the lc->lc_lai tree */
- if ( strcasecmp( argv[ 0 ], "uri" ) == 0 ) {
+ for ( which_argv = 0; allowed_argv[ which_argv ]; which_argv++ ) {
+ if ( strcasecmp( argv[ 0 ], allowed_argv[ which_argv ] ) == 0 ) {
+ break;
+ }
+ }
+
+ if ( allowed_argv[ which_argv ] == NULL ) {
+ which_argv = -1;
+
+ if ( lc->lc_cfg_li == lc->lc_common_li ) {
+ Debug( LDAP_DEBUG_ANY, "%s: line %d: "
+ "\"%s\" only allowed within a URI directive.\n.",
+ fname, lineno, argv[ 0 ] );
+ return 1;
+ }
+ }
+
+ if ( which_argv == 0 ) {
rc = ldap_chain_db_init_one( be );
if ( rc != 0 ) {
Debug( LDAP_DEBUG_ANY, "%s: line %d: "
- "underlying slapd-ldap initialization failed\n.",
+ "underlying slapd-ldap initialization failed.\n.",
fname, lineno, 0 );
return 1;
}
lc->lc_cfg_li = be->be_private;
- is_uri = 1;
}
+ /* TODO: add checks on what other slapd-ldap(5) args
+ * should be put in the template; this is not quite
+ * harmful, because attributes that shouldn't don't
+ * get actually used, but the user should at least
+ * be warned.
+ */
+
be->bd_info = lback;
be->be_private = (void *)lc->lc_cfg_li;
be->be_cf_ocs = lback->bi_cf_ocs;
be->be_private = be_private;
be->bd_info = bd_info;
- if ( is_uri ) {
+ if ( which_argv == 0 ) {
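Review bot: The `allowed_argv` table added at L290 is declared `static char *[]` although it only holds string literals and is never written; `static const char *const allowed_argv[] = {` makes any accidental write a compile error instead of a write into read-only storage. The two log messages at L322 and L333 end in `"\n."`, a period after the newline that prints as a stray dot on the following log line; `"\"%s\" only allowed within a URI directive.\n",` and `"underlying slapd-ldap initialization failed.\n",` are what was intended. When a directive is not in the table but a URI is already open, `which_argv` is reset to -1 at L318 and the directive is passed through to the slapd-ldap parser without further checks (the TODO at L340 acknowledges this); a one-line comment at L318 such as `/* unknown to us: let slapd-ldap validate it, only within a URI */` would make that policy visible. The enclosing function starts and ends outside the hunk.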
private_destroy:;
if ( rc != 0 ) {
BackendDB db = *be;
ldap_chain_db_open(
BackendDB *be )
{
+ slap_overinst *on = (slap_overinst *) be->bd_info;
+ ldap_chain_t *lc = (ldap_chain_t *)on->on_bi.bi_private;
+
#ifdef LDAP_CONTROL_X_CHAINING_BEHAVIOR
int rc = 0;
}
#endif /* LDAP_CONTROL_X_CHAINING_BEHAVIOR */
- /* FIXME: right now slapd-ldap has no open function;
- * in case one is introduced, this needs be fixed */
+ if ( lc->lc_common_li == NULL ) {
+ void *be_private = be->be_private;
+ ldap_chain_db_init_common( be );
+ lc->lc_common_li = lc->lc_cfg_li = (ldapinfo_t *)be->be_private;
+ be->be_private = be_private;
+ }
return ldap_chain_db_func( be, db_open );
}
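Review bot: The save/restore of `be->be_private` around `ldap_chain_db_init_common()` at L369–374 repeats the five lines added to the config path at L276–281, and both copies ignore the `int` that `ldap_chain_db_init_common()` returns, so if the underlying `bi_db_init` fails `lc_common_li` is still set from whatever `be_private` then holds. Since the helper now overwrites `be->be_private` and `be->bd_info` without the assert it used to carry, folding the pattern into one static function keeps the two call sites from drifting and gives one place to check the result; it needs a forward declaration because `ldap_chain_db_init_common()` is defined later in the file. The sketch below shows the helper and the replacement in `ldap_chain_db_open`; the config-path call at L276–281 would be replaced the same way.
```c
/* Lazily create the common (template) slapd-ldap instance.
 * ldap_chain_db_init_common() stores the new instance in be_private,
 * so the overlay's own be_private is saved and put back afterwards. */
static int
ldap_chain_common_init_once( ldap_chain_t *lc, BackendDB *be )
{
	int rc = 0;

	if ( lc->lc_common_li == NULL ) {
		void *be_private = be->be_private;

		rc = ldap_chain_db_init_common( be );
		if ( rc == 0 ) {
			lc->lc_common_li = lc->lc_cfg_li = (ldapinfo_t *)be->be_private;
		}
		be->be_private = be_private;
	}

	return rc;
}

/* … unchanged: ldap_chain_db_open prologue and LDAP_CONTROL_X_CHAINING_BEHAVIOR block … */
	if ( ldap_chain_common_init_once( lc, be ) != 0 ) {
		return 1;
	}
	return ldap_chain_db_func( be, db_open );
```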
if ( lc ) {
avl_free( lc->lc_lai.lai_tree, NULL );
+ ldap_pvt_thread_mutex_destroy( &lc->lc_lai.lai_mutex );
ch_free( lc );
}
return rc;
}
+/*
+ * inits one instance of the slapd-ldap backend, and stores
+ * the private info in be_private of the arg
+ */
static int
ldap_chain_db_init_common(
BackendDB *be )
{
- slap_overinst *on = (slap_overinst *)be->bd_info;
- ldap_chain_t *lc = (ldap_chain_t *)on->on_bi.bi_private;
-
BackendInfo *bi = be->bd_info;
-
int t;
- assert( lc->lc_common_li == NULL );
-
be->bd_info = lback;
be->be_private = NULL;
t = lback->bi_db_init( be );
return 0;
}
+/*
+ * inits one instance of the slapd-ldap backend, stores
+ * the private info in be_private of the arg and fills
+ * selected fields with data from the template.
+ *
+ * NOTE: add checks about the other fields of the template,
+ * which are ignored and SHOULD NOT be configured by the user.
+ */
static int
ldap_chain_db_init_one(
BackendDB *be )
static slap_overinst ldapchain;
int
-chain_init( void )
+chain_initialize( void )
{
int rc;
ldap_chain_parse_ctrl, &sc_chainingBehavior );
if ( rc != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_ANY, "slapd-chain: "
- "unable to register chaining behavior control: %d\n",
+ "unable to register chaining behavior control: %d.\n",
rc, 0, 0 );
return rc;
}
ldapchain.on_bi.bi_db_close = ldap_chain_db_close;
ldapchain.on_bi.bi_db_destroy = ldap_chain_db_destroy;
- /* ... otherwise the underlying backend's function would be called,
- * likely passing an invalid entry; on the contrary, the requested
- * operational attributes should have been returned while chasing
- * the referrals. This all in all is a bit messy, because part
- * of the operational attributes are generated by the backend;
- * part by the frontend; back-ldap should receive all the available
- * ones from the remote server, but then, on its own, it strips those
- * it assumes will be (re)generated by the frontend (e.g.
- * subschemaSubentry.) */
- ldapchain.on_bi.bi_operational = ldap_chain_operational;
-
ldapchain.on_bi.bi_connection_destroy = ldap_chain_connection_destroy;
ldapchain.on_response = ldap_chain_response;