]> git.sur5r.net Git - openldap/blobdiff - servers/slapd/back-ldap/config.c
projects / openldap / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Reverse last commit. Wrong tree.
[openldap] / servers / slapd / back-ldap / config.c
diff --git a/servers/slapd/back-ldap/config.c b/servers/slapd/back-ldap/config.c
index 2cc55fec88d4845f4948267b3a96f9977da1247c..38c9a95296473d0a1e571c003b54144226b71ef7 100644 (file)
--- a/servers/slapd/back-ldap/config.c
+++ b/servers/slapd/back-ldap/config.c
@@ -2,7 +2,7 @@
 /* $OpenLDAP$ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2003-2005 The OpenLDAP Foundation.
+ * Copyright 2003-2006 The OpenLDAP Foundation.
  * Portions Copyright 1999-2003 Howard Chu.
  * Portions Copyright 2000-2003 Pierangelo Masarati.
  * All rights reserved.
@@ -60,12 +60,16 @@ enum {
        LDAP_BACK_CFG_T_F,
        LDAP_BACK_CFG_WHOAMI,
        LDAP_BACK_CFG_TIMEOUT,
-       LDAP_BACK_CFG_REWRITE
+       LDAP_BACK_CFG_IDLE_TIMEOUT,
+       LDAP_BACK_CFG_CONN_TTL,
+       LDAP_BACK_CFG_REWRITE,
+
+       LDAP_BACK_CFG_LAST
 };
 
 static ConfigTable ldapcfg[] = {
        { "uri", "uri", 2, 2, 0,
-               ARG_STRING|ARG_MAGIC|LDAP_BACK_CFG_URI,
+               ARG_MAGIC|LDAP_BACK_CFG_URI,
                ldap_back_cf_gen, "( OLcfgDbAt:0.14 "
                        "NAME 'olcDbURI' "
                        "DESC 'URI (list) for remote DSA' "
@@ -173,19 +177,19 @@ static ConfigTable ldapcfg[] = {
                        "X-ORDERED 'VALUES' )",
                NULL, NULL },
        { "rebind-as-user", "NO|yes", 1, 2, 0,
-               ARG_MAGIC|LDAP_BACK_CFG_REBIND,
+               ARG_MAGIC|ARG_ON_OFF|LDAP_BACK_CFG_REBIND,
                ldap_back_cf_gen, "( OLcfgDbAt:3.10 "
                        "NAME 'olcDbRebindAsUser' "
                        "DESC 'Rebind as user' "
-                       "SYNTAX OMsDirectoryString "
+                       "SYNTAX OMsBoolean "
                        "SINGLE-VALUE )",
                NULL, NULL },
        { "chase-referrals", "YES|no", 2, 2, 0,
-               ARG_MAGIC|LDAP_BACK_CFG_CHASE,
+               ARG_MAGIC|ARG_ON_OFF|LDAP_BACK_CFG_CHASE,
                ldap_back_cf_gen, "( OLcfgDbAt:3.11 "
                        "NAME 'olcDbChaseReferrals' "
                        "DESC 'Chase referrals' "
-                       "SYNTAX OMsDirectoryString "
+                       "SYNTAX OMsBoolean "
                        "SINGLE-VALUE )",
                NULL, NULL },
        { "t-f-support", "NO|yes|discover", 2, 2, 0,
@@ -197,14 +201,14 @@ static ConfigTable ldapcfg[] = {
                        "SINGLE-VALUE )",
                NULL, NULL },
        { "proxy-whoami", "NO|yes", 1, 2, 0,
-               ARG_MAGIC|LDAP_BACK_CFG_WHOAMI,
+               ARG_MAGIC|ARG_ON_OFF|LDAP_BACK_CFG_WHOAMI,
                ldap_back_cf_gen, "( OLcfgDbAt:3.13 "
                        "NAME 'olcDbProxyWhoAmI' "
                        "DESC 'Proxy whoAmI exop' "
-                       "SYNTAX OMsDirectoryString "
+                       "SYNTAX OMsBoolean "
                        "SINGLE-VALUE )",
                NULL, NULL },
-       { "timeout", "timeout", 0, 2, 0,
+       { "timeout", "timeout(list)", 2, 0, 0,
                ARG_MAGIC|LDAP_BACK_CFG_TIMEOUT,
                ldap_back_cf_gen, "( OLcfgDbAt:3.14 "
                        "NAME 'olcDbTimeout' "
@@ -212,6 +216,22 @@ static ConfigTable ldapcfg[] = {
                        "SYNTAX OMsDirectoryString "
                        "SINGLE-VALUE )",
                NULL, NULL },
+       { "idle-timeout", "timeout", 2, 0, 0,
+               ARG_MAGIC|LDAP_BACK_CFG_IDLE_TIMEOUT,
+               ldap_back_cf_gen, "( OLcfgDbAt:3.15 "
+                       "NAME 'olcDbIdleTimeout' "
+                       "DESC 'connection idle timeout' "
+                       "SYNTAX OMsDirectoryString "
+                       "SINGLE-VALUE )",
+               NULL, NULL },
+       { "conn-ttl", "ttl", 2, 0, 0,
+               ARG_MAGIC|LDAP_BACK_CFG_CONN_TTL,
+               ldap_back_cf_gen, "( OLcfgDbAt:3.16 "
+                       "NAME 'olcDbConnTtl' "
+                       "DESC 'connection ttl' "
+                       "SYNTAX OMsDirectoryString "
+                       "SINGLE-VALUE )",
+               NULL, NULL },
        { "suffixmassage", "[virtual]> <real", 2, 3, 0,
                ARG_STRING|ARG_MAGIC|LDAP_BACK_CFG_REWRITE,
                ldap_back_cf_gen, NULL, NULL, NULL },
@@ -245,19 +265,12 @@ static ConfigOCs ldapocs[] = {
                        "$ olcDbTFSupport "
                        "$ olcDbProxyWhoAmI "
                        "$ olcDbTimeout "
+                       "$ olcDbIdleTimeout "
                ") )",
                        Cft_Database, ldapcfg},
        { NULL, 0, NULL }
 };
 
-#define        LDAP_BACK_C_NO                  (0x0U)
-#define        LDAP_BACK_C_YES                 (0x1U)
-static slap_verbmasks yn_mode[] = {
-       { BER_BVC( "yes" ),             LDAP_BACK_C_YES},
-       { BER_BVC( "no" ),              LDAP_BACK_C_NO },
-       { BER_BVNULL,                   0 }
-};
-
 static slap_verbmasks idassert_mode[] = {
        { BER_BVC("self"),              LDAP_BACK_IDASSERT_SELF },
        { BER_BVC("anonymous"),         LDAP_BACK_IDASSERT_ANONYMOUS },
@@ -271,14 +284,14 @@ static slap_verbmasks tls_mode[] = {
        { BER_BVC( "try-propagate" ),   LDAP_BACK_F_PROPAGATE_TLS },
        { BER_BVC( "start" ),           LDAP_BACK_F_TLS_USE_MASK },
        { BER_BVC( "try-start" ),       LDAP_BACK_F_USE_TLS },
-       { BER_BVC( "none" ),            LDAP_BACK_C_NO },
+       { BER_BVC( "none" ),            LDAP_BACK_F_NONE },
        { BER_BVNULL,                   0 }
 };
 
 static slap_verbmasks t_f_mode[] = {
        { BER_BVC( "yes" ),             LDAP_BACK_F_SUPPORT_T_F },
        { BER_BVC( "discover" ),        LDAP_BACK_F_SUPPORT_T_F_DISCOVER },
-       { BER_BVC( "no" ),              LDAP_BACK_C_NO },
+       { BER_BVC( "no" ),              LDAP_BACK_F_NONE },
        { BER_BVNULL,                   0 }
 };
 
@@ -301,10 +314,17 @@ ldap_back_cf_gen( ConfigArgs *c )
                struct berval   bv = BER_BVNULL;
                rc = 0;
 
+               if ( li == NULL ) {
+                       return 1;
+               }
+
                switch( c->type ) {
                case LDAP_BACK_CFG_URI:
                        if ( li->li_uri != NULL ) {
-                               c->value_string = ch_strdup( li->li_uri );
+                               struct berval   bv;
+
+                               ber_str2bv( li->li_uri, 0, 0, &bv );
+                               value_add_one( &c->rvalue_vals, &bv );
 
                        } else {
                                rc = 1;
@@ -313,14 +333,8 @@ ldap_back_cf_gen( ConfigArgs *c )
 
                case LDAP_BACK_CFG_TLS:
                        enum_to_verb( tls_mode, ( li->li_flags & LDAP_BACK_F_TLS_MASK ), &bv );
-                       if ( BER_BVISNULL( &bv ) ) {
-                               /* there's something wrong... */
-                               assert( 0 );
-                               rc = 1;
-
-                       } else {
-                               value_add_one( &c->rvalue_vals, &bv );
-                       }
+                       assert( !BER_BVISNULL( &bv ) );
+                       value_add_one( &c->rvalue_vals, &bv );
                        break;
 
                case LDAP_BACK_CFG_ACL_AUTHCDN:
@@ -333,9 +347,13 @@ ldap_back_cf_gen( ConfigArgs *c )
                case LDAP_BACK_CFG_ACL_BIND: {
                        int     i;
 
+                       if ( li->li_acl_authmethod == LDAP_AUTH_NONE ) {
+                               return 1;
+                       }
+
                        bindconf_unparse( &li->li_acl, &bv );
 
-                       for ( i = 0; isspace( bv.bv_val[ i ] ); i++ )
+                       for ( i = 0; isspace( (unsigned char) bv.bv_val[ i ] ); i++ )
                                /* count spaces */ ;
 
                        if ( i ) {
@@ -376,6 +394,10 @@ ldap_back_cf_gen( ConfigArgs *c )
                        struct berval   bc = BER_BVNULL;
                        char            *ptr;
 
+                       if ( li->li_idassert_authmethod == LDAP_AUTH_NONE ) {
+                               return 1;
+                       }
+
                        if ( li->li_idassert_authmethod != LDAP_AUTH_NONE ) {
                                ber_len_t       len;
 
@@ -466,7 +488,7 @@ ldap_back_cf_gen( ConfigArgs *c )
                                bv.bv_len = ptr - bv.bv_val;
 
                        } else {
-                               for ( i = 0; isspace( bc.bv_val[ i ] ); i++ )
+                               for ( i = 0; isspace( (unsigned char) bc.bv_val[ i ] ); i++ )
                                        /* count spaces */ ;
 
                                if ( i ) {
@@ -483,31 +505,15 @@ ldap_back_cf_gen( ConfigArgs *c )
                }
 
                case LDAP_BACK_CFG_REBIND:
-                       enum_to_verb( yn_mode, ( ( li->li_flags & LDAP_BACK_F_SAVECRED ) == LDAP_BACK_F_SAVECRED ), &bv );
-                       if ( BER_BVISNULL( &bv ) ) {
-                               /* there's something wrong... */
-                               assert( 0 );
-                               rc = 1;
-
-                       } else {
-                               value_add_one( &c->rvalue_vals, &bv );
-                       }
+                       c->value_int = LDAP_BACK_SAVECRED( li );
                        break;
 
                case LDAP_BACK_CFG_CHASE:
-                       enum_to_verb( yn_mode, ( ( li->li_flags & LDAP_BACK_F_CHASE_REFERRALS ) == LDAP_BACK_F_CHASE_REFERRALS ), &bv );
-                       if ( BER_BVISNULL( &bv ) ) {
-                               /* there's something wrong... */
-                               assert( 0 );
-                               rc = 1;
-
-                       } else {
-                               value_add_one( &c->rvalue_vals, &bv );
-                       }
+                       c->value_int = LDAP_BACK_CHASE_REFERRALS( li );
                        break;
 
                case LDAP_BACK_CFG_T_F:
-                       enum_to_verb( t_f_mode, ( ( li->li_flags & LDAP_BACK_F_SUPPORT_T_F_MASK ) == LDAP_BACK_F_SUPPORT_T_F_MASK ), &bv );
+                       enum_to_verb( t_f_mode, (li->li_flags & LDAP_BACK_F_SUPPORT_T_F_MASK), &bv );
                        if ( BER_BVISNULL( &bv ) ) {
                                /* there's something wrong... */
                                assert( 0 );
@@ -519,36 +525,64 @@ ldap_back_cf_gen( ConfigArgs *c )
                        break;
 
                case LDAP_BACK_CFG_WHOAMI:
-                       enum_to_verb( yn_mode, ( ( li->li_flags & LDAP_BACK_F_PROXY_WHOAMI ) == LDAP_BACK_F_PROXY_WHOAMI ), &bv );
-                       if ( BER_BVISNULL( &bv ) ) {
-                               /* there's something wrong... */
-                               assert( 0 );
-                               rc = 1;
-
-                       } else {
-                               value_add_one( &c->rvalue_vals, &bv );
-                       }
+                       c->value_int = LDAP_BACK_PROXY_WHOAMI( li );
                        break;
 
                case LDAP_BACK_CFG_TIMEOUT:
                        BER_BVZERO( &bv );
 
+                       for ( i = 0; i < LDAP_BACK_OP_LAST; i++ ) {
+                               if ( li->li_timeout[ i ] != 0 ) {
+                                       break;
+                               }
+                       }
+
+                       if ( i == LDAP_BACK_OP_LAST ) {
+                               return 1;
+                       }
+
                        slap_cf_aux_table_unparse( li->li_timeout, &bv, timeout_table );
 
-                       if ( !BER_BVISNULL( &bv ) ) {   
-                               for ( i = 0; isspace( bv.bv_val[ i ] ); i++ )
-                                       /* count spaces */ ;
+                       if ( BER_BVISNULL( &bv ) ) {
+                               return 1;
+                       }
 
-                               if ( i ) {
-                                       bv.bv_len -= i;
-                                       AC_MEMCPY( bv.bv_val, &bv.bv_val[ i ],
-                                               bv.bv_len + 1 );
-                               }
+                       for ( i = 0; isspace( (unsigned char) bv.bv_val[ i ] ); i++ )
+                               /* count spaces */ ;
 
-                               ber_bvarray_add( &c->rvalue_vals, &bv );
+                       if ( i ) {
+                               bv.bv_len -= i;
+                               AC_MEMCPY( bv.bv_val, &bv.bv_val[ i ],
+                                       bv.bv_len + 1 );
                        }
+
+                       ber_bvarray_add( &c->rvalue_vals, &bv );
                        break;
 
+               case LDAP_BACK_CFG_IDLE_TIMEOUT: {
+                       char    buf[ SLAP_TEXT_BUFLEN ];
+
+                       if ( li->li_idle_timeout == 0 ) {
+                               return 1;
+                       }
+
+                       lutil_unparse_time( buf, sizeof( buf ), li->li_idle_timeout );
+                       ber_str2bv( buf, 0, 0, &bv );
+                       value_add_one( &c->rvalue_vals, &bv );
+                       } break;
+
+               case LDAP_BACK_CFG_CONN_TTL: {
+                       char    buf[ SLAP_TEXT_BUFLEN ];
+
+                       if ( li->li_conn_ttl == 0 ) {
+                               return 1;
+                       }
+
+                       lutil_unparse_time( buf, sizeof( buf ), li->li_conn_ttl );
+                       ber_str2bv( buf, 0, 0, &bv );
+                       value_add_one( &c->rvalue_vals, &bv );
+                       } break;
+
                default:
                        /* FIXME: we need to handle all... */
                        assert( 0 );
@@ -626,6 +660,14 @@ ldap_back_cf_gen( ConfigArgs *c )
                        }
                        break;
 
+               case LDAP_BACK_CFG_IDLE_TIMEOUT:
+                       li->li_idle_timeout = 0;
+                       break;
+
+               case LDAP_BACK_CFG_CONN_TTL:
+                       li->li_conn_ttl = 0;
+                       break;
+
                default:
                        /* FIXME: we need to handle all... */
                        assert( 0 );
@@ -641,14 +683,6 @@ ldap_back_cf_gen( ConfigArgs *c )
                char            **urllist = NULL;
                int             urlrc = LDAP_URL_SUCCESS, i;
 
-               if ( c->argc != 2 ) {
-                       fprintf( stderr, "%s: line %d: "
-                                       "missing uri "
-                                       "in \"uri <uri>\" line\n",
-                                       c->fname, c->lineno );
-                       return 1;
-               }
-
                if ( li->li_uri != NULL ) {
                        ch_free( li->li_uri );
                        li->li_uri = NULL;
@@ -659,7 +693,7 @@ ldap_back_cf_gen( ConfigArgs *c )
                }
 
                /* PARANOID: DN and more are not required nor allowed */
-               urlrc = ldap_url_parselist_ext( &lud, c->value_string, ", \t" );
+               urlrc = ldap_url_parselist_ext( &lud, c->argv[ 1 ], ", \t" );
                if ( urlrc != LDAP_URL_SUCCESS ) {
                        char    *why;
 
@@ -698,10 +732,11 @@ ldap_back_cf_gen( ConfigArgs *c )
                                why = "unknown reason";
                                break;
                        }
-                       fprintf( stderr, "%s: line %d: "
+                       snprintf( c->msg, sizeof( c->msg),
                                        "unable to parse uri \"%s\" "
-                                       "in \"uri <uri>\" line: %s\n",
-                                       c->fname, c->lineno, c->value_string, why );
+                                       "in \"uri <uri>\" line: %s",
+                                       c->value_string, why );
+                       Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 );
                        urlrc = 1;
                        goto done_url;
                }
@@ -717,12 +752,13 @@ ldap_back_cf_gen( ConfigArgs *c )
                                        || tmpludp->lud_filter != NULL
                                        || tmpludp->lud_exts != NULL )
                        {
-                               fprintf( stderr, "%s: line %d: "
+                               snprintf( c->msg, sizeof( c->msg ),
                                                "warning, only protocol, "
                                                "host and port allowed "
                                                "in \"uri <uri>\" statement "
-                                               "for uri #%d of \"%s\"\n",
-                                               c->fname, c->lineno, i, c->value_string );
+                                               "for uri #%d of \"%s\"",
+                                               i, c->value_string );
+                               Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 );
                        }
                }
 
@@ -738,7 +774,6 @@ ldap_back_cf_gen( ConfigArgs *c )
                                i++, tmpludp = tmpludp->lud_next )
                {
                        LDAPURLDesc     tmplud;
-                       ber_len_t       oldlen = 0, len;
 
                        tmplud = *tmpludp;
                        tmplud.lud_dn = "";
@@ -752,11 +787,12 @@ ldap_back_cf_gen( ConfigArgs *c )
                        urllist[ i ]  = ldap_url_desc2str( &tmplud );
 
                        if ( urllist[ i ] == NULL ) {
-                               fprintf( stderr, "%s: line %d: "
+                               snprintf( c->msg, sizeof( c->msg),
                                        "unable to rebuild uri "
                                        "in \"uri <uri>\" statement "
-                                       "for \"%s\"\n",
-                                       c->fname, c->lineno, c->argv[ 1 ] );
+                                       "for \"%s\"",
+                                       c->argv[ 1 ] );
+                               Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 );
                                urlrc = 1;
                                goto done_url;
                        }
@@ -805,10 +841,11 @@ done_url:;
                        break;
 
                default:
-                       fprintf( stderr, "%s: line %d: "
+                       snprintf( c->msg, sizeof( c->msg),
                                "\"acl-authcDN <DN>\" incompatible "
-                               "with auth method %d.",
-                               c->fname, c->lineno, li->li_acl_authmethod );
+                               "with auth method %d",
+                               li->li_acl_authmethod );
+                       Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 );
                        return 1;
                }
                if ( !BER_BVISNULL( &li->li_acl_authcDN ) ) {
@@ -830,10 +867,11 @@ done_url:;
                        break;
 
                default:
-                       fprintf( stderr, "%s: line %d: "
+                       snprintf( c->msg, sizeof( c->msg ),
                                "\"acl-passwd <cred>\" incompatible "
-                               "with auth method %d.",
-                               c->fname, c->lineno, li->li_acl_authmethod );
+                               "with auth method %d",
+                               li->li_acl_authmethod );
+                       Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 );
                        return 1;
                }
                if ( !BER_BVISNULL( &li->li_acl_passwd ) ) {
@@ -925,10 +963,11 @@ done_url:;
                        break;
 
                default:
-                       fprintf( stderr, "%s: line %d: "
+                       snprintf( c->msg, sizeof( c->msg ),
                                "\"idassert-authcDN <DN>\" incompatible "
-                               "with auth method %d.",
-                               c->fname, c->lineno, li->li_idassert_authmethod );
+                               "with auth method %d",
+                               li->li_idassert_authmethod );
+                       Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 );
                        return 1;
                }
                if ( !BER_BVISNULL( &li->li_idassert_authcDN ) ) {
@@ -950,10 +989,11 @@ done_url:;
                        break;
 
                default:
-                       fprintf( stderr, "%s: line %d: "
+                       snprintf( c->msg, sizeof( c->msg ),
                                "\"idassert-passwd <cred>\" incompatible "
-                               "with auth method %d.",
-                               c->fname, c->lineno, li->li_idassert_authmethod );
+                               "with auth method %d",
+                               li->li_idassert_authmethod );
+                       Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 );
                        return 1;
                }
                if ( !BER_BVISNULL( &li->li_idassert_passwd ) ) {
@@ -971,10 +1011,10 @@ done_url:;
                ber_str2bv( c->argv[ 1 ], 0, 0, &in );
                rc = authzNormalize( 0, NULL, NULL, &in, &bv, NULL );
                if ( rc != LDAP_SUCCESS ) {
-                       fprintf( stderr, "%s: %d: "
+                       snprintf( c->msg, sizeof( c->msg ),
                                "\"idassert-authzFrom <authz>\": "
-                               "invalid syntax.\n",
-                               c->fname, c->lineno );
+                               "invalid syntax" );
+                       Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 );
                        return 1;
                }
 #else /* !SLAP_AUTHZ_SYNTAX */
@@ -985,10 +1025,10 @@ done_url:;
 
        case LDAP_BACK_CFG_IDASSERT_METHOD:
                /* no longer supported */
-               fprintf( stderr, "%s: %d: "
+               snprintf( c->msg, sizeof( c->msg ),
                        "\"idassert-method <args>\": "
-                       "no longer supported; use \"idassert-bind\".\n",
-                       c->fname, c->lineno );
+                       "no longer supported; use \"idassert-bind\"" );
+               Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 );
                return 1;
 
        case LDAP_BACK_CFG_IDASSERT_BIND:
@@ -999,10 +1039,11 @@ done_url:;
 
                                j = verb_to_mask( argvi, idassert_mode );
                                if ( BER_BVISNULL( &idassert_mode[ j ].word ) ) {
-                                       fprintf( stderr, "%s: %d: "
+                                       snprintf( c->msg, sizeof( c->msg ),
                                                "\"idassert-bind <args>\": "
-                                               "unknown mode \"%s\".\n",
-                                               c->fname, c->lineno, argvi );
+                                               "unknown mode \"%s\"",
+                                               argvi );
+                                       Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 );
                                        return 1;
                                }
 
@@ -1013,11 +1054,11 @@ done_url:;
 
                                if ( strcasecmp( argvi, "native" ) == 0 ) {
                                        if ( li->li_idassert_authmethod != LDAP_AUTH_SASL ) {
-                                               fprintf( stderr, "%s: %d: "
+                                               snprintf( c->msg, sizeof( c->msg ),
                                                        "\"idassert-bind <args>\": "
                                                        "authz=\"native\" incompatible "
-                                                       "with auth method.\n",
-                                                       c->fname, c->lineno );
+                                                       "with auth method" );
+                                               Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 );
                                                return 1;
                                        }
                                        li->li_idassert_flags |= LDAP_BACK_AUTH_NATIVE_AUTHZ;
@@ -1026,10 +1067,11 @@ done_url:;
                                        li->li_idassert_flags &= ~LDAP_BACK_AUTH_NATIVE_AUTHZ;
 
                                } else {
-                                       fprintf( stderr, "%s: %d: "
+                                       snprintf( c->msg, sizeof( c->msg ),
                                                "\"idassert-bind <args>\": "
-                                               "unknown authz \"%s\".\n",
-                                               c->fname, c->lineno, argvi );
+                                               "unknown authz \"%s\"",
+                                               argvi );
+                                       Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 );
                                        return 1;
                                }
 
@@ -1039,10 +1081,11 @@ done_url:;
                                int     j;
 
                                if ( flags == NULL ) {
-                                       fprintf( stderr, "%s: %d: "
+                                       snprintf( c->msg, sizeof( c->msg ),
                                                "\"idassert-bind <args>\": "
-                                               "unable to parse flags \"%s\".\n",
-                                               c->fname, c->lineno, argvi );
+                                               "unable to parse flags \"%s\"",
+                                               argvi );
+                                       Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 );
                                        return 1;
                                }
 
@@ -1057,10 +1100,12 @@ done_url:;
                                                li->li_idassert_flags &= ( ~LDAP_BACK_AUTH_PRESCRIPTIVE );
 
                                        } else {
-                                               fprintf( stderr, "%s: %d: "
+                                               snprintf( c->msg, sizeof( c->msg ),
                                                        "\"idassert-bind <args>\": "
-                                                       "unknown flag \"%s\".\n",
-                                                       c->fname, c->lineno, flags[ j ] );
+                                                       "unknown flag \"%s\"",
+                                                       flags[ j ] );
+                                               Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 );
+                                               ldap_charray_free( flags );
                                                return 1;
                                        }
                                }
@@ -1073,55 +1118,23 @@ done_url:;
                }
                break;
 
-       case LDAP_BACK_CFG_REBIND: {
-               int     dorebind = 0;
-
-               if ( c->argc == 1 ) {
-                       /* legacy */
-                       dorebind = 1;
-
-               } else {
-                       i = verb_to_mask( c->argv[1], yn_mode );
-                       if ( BER_BVISNULL( &yn_mode[i].word ) ) {
-                               return 1;
-                       }
-                       if ( yn_mode[i].mask & LDAP_BACK_C_YES ) {
-                               dorebind = 1;
-                       }
-               }
-
-               if ( dorebind ) {
+       case LDAP_BACK_CFG_REBIND:
+               if ( c->argc == 1 || c->value_int ) {
                        li->li_flags |= LDAP_BACK_F_SAVECRED;
 
                } else {
                        li->li_flags &= ~LDAP_BACK_F_SAVECRED;
                }
-               } break;
-
-       case LDAP_BACK_CFG_CHASE: {
-               int     dochase = 0;
-
-               if ( c->argc == 1 ) {
-                       /* legacy */
-                       dochase = 1;
-
-               } else {
-                       i = verb_to_mask( c->argv[1], yn_mode );
-                       if ( BER_BVISNULL( &yn_mode[i].word ) ) {
-                               return 1;
-                       }
-                       if ( yn_mode[i].mask & LDAP_BACK_C_YES ) {
-                               dochase = 1;
-                       }
-               }
+               break;
 
-               if ( dochase ) {
+       case LDAP_BACK_CFG_CHASE:
+               if ( c->argc == 1 || c->value_int ) {
                        li->li_flags |= LDAP_BACK_F_CHASE_REFERRALS;
 
                } else {
                        li->li_flags &= ~LDAP_BACK_F_CHASE_REFERRALS;
                }
-               break;
+               break;
 
        case LDAP_BACK_CFG_T_F:
                i = verb_to_mask( c->argv[1], t_f_mode );
@@ -1132,47 +1145,24 @@ done_url:;
                li->li_flags |= t_f_mode[i].mask;
                break;
 
-       case LDAP_BACK_CFG_WHOAMI: {
-               int     dowhoami = 0;
-
-               if ( c->argc == 1 ) {
-                       /* legacy */
-                       dowhoami = 1;
-
-               } else {
-                       i = verb_to_mask( c->argv[1], yn_mode );
-                       if ( BER_BVISNULL( &yn_mode[i].word ) ) {
-                               return 1;
-                       }
-                       if ( yn_mode[i].mask & LDAP_BACK_C_YES ) {
-                               dowhoami = 1;
-                       }
-               }
-
-               if ( dowhoami ) {
+       case LDAP_BACK_CFG_WHOAMI:
+               if ( c->argc == 1 || c->value_int ) {
                        li->li_flags |= LDAP_BACK_F_PROXY_WHOAMI;
-
                        load_extop( (struct berval *)&slap_EXOP_WHOAMI,
                                        0, ldap_back_exop_whoami );
 
                } else {
                        li->li_flags &= ~LDAP_BACK_F_PROXY_WHOAMI;
                }
-               break;
+               break;
 
        case LDAP_BACK_CFG_TIMEOUT:
-               if ( c->argc < 2 ) {
-                       return 1;
-               }
-
                for ( i = 1; i < c->argc; i++ ) {
-                       if ( isdigit( c->argv[ i ][ 0 ] ) ) {
-                               char            *next;
+                       if ( isdigit( (unsigned char) c->argv[ i ][ 0 ] ) ) {
                                int             j;
                                unsigned        u;
 
-                               u = strtoul( c->argv[ i ], &next, 0 );
-                               if ( next == c->argv[ i ] || next[ 0 ] != '\0' ) {
+                               if ( lutil_atoux( &u, c->argv[ i ], 0 ) != 0 ) {
                                        return 1;
                                }
 
@@ -1189,13 +1179,39 @@ done_url:;
                }
                break;
 
+       case LDAP_BACK_CFG_IDLE_TIMEOUT: {
+               unsigned long   t;
+
+               if ( lutil_parse_time( c->argv[ 1 ], &t ) != 0 ) {
+                       snprintf( c->msg, sizeof( c->msg),
+                               "unable to parse idle timeout \"%s\"",
+                               c->argv[ 1 ] );
+                       Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 );
+                       return 1;
+               }
+               li->li_idle_timeout = (time_t)t;
+               } break;
+
+       case LDAP_BACK_CFG_CONN_TTL: {
+               unsigned long   t;
+
+               if ( lutil_parse_time( c->argv[ 1 ], &t ) != 0 ) {
+                       snprintf( c->msg, sizeof( c->msg),
+                               "unable to parse conn ttl\"%s\"",
+                               c->argv[ 1 ] );
+                       Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 );
+                       return 1;
+               }
+               li->li_conn_ttl = (time_t)t;
+               } break;
+
        case LDAP_BACK_CFG_REWRITE:
-               fprintf( stderr, "%s: line %d: "
+               snprintf( c->msg, sizeof( c->msg ),
                        "rewrite/remap capabilities have been moved "
                        "to the \"rwm\" overlay; see slapo-rwm(5) "
                        "for details (hint: add \"overlay rwm\" "
-                       "and prefix all directives with \"rwm-\").\n",
-                       c->fname, c->lineno );
+                       "and prefix all directives with \"rwm-\")" );
+               Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 );
                return 1;
                
        default:
@@ -1214,6 +1230,9 @@ ldap_back_init_cf( BackendInfo *bi )
        AttributeDescription    *ad = NULL;
        const char              *text;
 
+       /* Make sure we don't exceed the bits reserved for userland */
+       config_check_userland( LDAP_BACK_CFG_LAST );
+
        bi->bi_cf_ocs = ldapocs;
 
        rc = config_register_schema( ldapcfg, ldapocs );
@@ -1272,49 +1291,57 @@ ldap_back_exop_whoami(
        if( rs->sr_err != LDAP_SUCCESS ) return rs->sr_err;
 
        /* if auth'd by back-ldap and request is proxied, forward it */
-       if ( op->o_conn->c_authz_backend && !strcmp(op->o_conn->c_authz_backend->be_type, "ldap" ) && !dn_match(&op->o_ndn, &op->o_conn->c_ndn)) {
+       if ( op->o_conn->c_authz_backend
+               && !strcmp( op->o_conn->c_authz_backend->be_type, "ldap" )
+               && !dn_match( &op->o_ndn, &op->o_conn->c_ndn ) )
+       {
                ldapconn_t      *lc;
-
                LDAPControl c, *ctrls[2] = {NULL, NULL};
                LDAPMessage *res;
                Operation op2 = *op;
                ber_int_t msgid;
                int doretry = 1;
+               char *ptr;
 
                ctrls[0] = &c;
                op2.o_ndn = op->o_conn->c_ndn;
                lc = ldap_back_getconn(&op2, rs, LDAP_BACK_SENDERR);
-               if (!lc || !ldap_back_dobind( lc, op, rs, LDAP_BACK_SENDERR )) {
+               if ( !lc || !ldap_back_dobind( lc, op, rs, LDAP_BACK_SENDERR ) ) {
                        return -1;
                }
                c.ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ;
                c.ldctl_iscritical = 1;
-               c.ldctl_value.bv_val = ch_malloc(op->o_ndn.bv_len+4);
+               c.ldctl_value.bv_val = op->o_tmpalloc(
+                       op->o_ndn.bv_len + STRLENOF( "dn:" ) + 1,
+                       op->o_tmpmemctx );
                c.ldctl_value.bv_len = op->o_ndn.bv_len + 3;
-               strcpy(c.ldctl_value.bv_val, "dn:");
-               strcpy(c.ldctl_value.bv_val+3, op->o_ndn.bv_val);
+               ptr = c.ldctl_value.bv_val;
+               ptr = lutil_strcopy( ptr, "dn:" );
+               ptr = lutil_strncopy( ptr, op->o_ndn.bv_val, op->o_ndn.bv_len );
+               ptr[ 0 ] = '\0';
 
 retry:
-               rs->sr_err = ldap_whoami(lc->lc_ld, ctrls, NULL, &msgid);
-               if (rs->sr_err == LDAP_SUCCESS) {
-                       if (ldap_result(lc->lc_ld, msgid, 1, NULL, &res) == -1) {
-                               ldap_get_option(lc->lc_ld, LDAP_OPT_ERROR_NUMBER,
-                                       &rs->sr_err);
+               rs->sr_err = ldap_whoami( lc->lc_ld, ctrls, NULL, &msgid );
+               if ( rs->sr_err == LDAP_SUCCESS ) {
+                       if ( ldap_result( lc->lc_ld, msgid, LDAP_MSG_ALL, NULL, &res ) == -1 ) {
+                               ldap_get_option( lc->lc_ld, LDAP_OPT_ERROR_NUMBER,
+                                       &rs->sr_err );
                                if ( rs->sr_err == LDAP_SERVER_DOWN && doretry ) {
                                        doretry = 0;
-                                       if ( ldap_back_retry( &lc, op, rs, LDAP_BACK_SENDERR ) )
+                                       if ( ldap_back_retry( &lc, op, rs, LDAP_BACK_SENDERR ) ) {
                                                goto retry;
+                                       }
                                }
-                               ldap_back_freeconn( op, lc, 1 );
-                               lc = NULL;
 
                        } else {
-                               rs->sr_err = ldap_parse_whoami(lc->lc_ld, res, &bv);
+                               /* NOTE: are we sure "bv" will be malloc'ed
+                                * with the appropriate memory? */
+                               rs->sr_err = ldap_parse_whoami( lc->lc_ld, res, &bv );
                                ldap_msgfree(res);
                        }
                }
-               ch_free(c.ldctl_value.bv_val);
-               if (rs->sr_err != LDAP_SUCCESS) {
+               op->o_tmpfree( c.ldctl_value.bv_val, op->o_tmpmemctx );
+               if ( rs->sr_err != LDAP_SUCCESS ) {
                        rs->sr_err = slap_map_api2result( rs );
                }
 
@@ -1323,15 +1350,16 @@ retry:
                }
 
        } else {
-       /* else just do the same as before */
-               bv = (struct berval *) ch_malloc( sizeof(struct berval) );
+               /* else just do the same as before */
+               bv = (struct berval *) ch_malloc( sizeof( struct berval ) );
                if ( !BER_BVISEMPTY( &op->o_dn ) ) {
-                       bv->bv_len = op->o_dn.bv_len + STRLENOF("dn:");
+                       bv->bv_len = op->o_dn.bv_len + STRLENOF( "dn:" );
                        bv->bv_val = ch_malloc( bv->bv_len + 1 );
-                       AC_MEMCPY( bv->bv_val, "dn:", STRLENOF("dn:") );
-                       AC_MEMCPY( &bv->bv_val[STRLENOF("dn:")], op->o_dn.bv_val,
+                       AC_MEMCPY( bv->bv_val, "dn:", STRLENOF( "dn:" ) );
+                       AC_MEMCPY( &bv->bv_val[ STRLENOF( "dn:" ) ], op->o_dn.bv_val,
                                op->o_dn.bv_len );
-                       bv->bv_val[bv->bv_len] = '\0';
+                       bv->bv_val[ bv->bv_len ] = '\0';
+
                } else {
                        bv->bv_len = 0;
                        bv->bv_val = NULL;
Cloned from git://git.openldap.org/openldap.git