/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright 1999-2006 The OpenLDAP Foundation.
+ * Copyright 1999-2009 The OpenLDAP Foundation.
* Portions Copyright 2001-2003 Pierangelo Masarati.
* Portions Copyright 1999-2003 Howard Chu.
* All rights reserved.
#include <ac/socket.h>
#include "slap.h"
+#include "config.h"
#include "../back-ldap/back-ldap.h"
#include "back-meta.h"
SLAP_BFLAG_DYNAMIC |
#endif /* LDAP_DYNAMIC_OBJECTS */
#endif
- 0;
+
+ /* back-meta recognizes RFC4525 increment;
+ * let the remote server complain, if needed (ITS#5912) */
+ SLAP_BFLAG_INCREMENT;
bi->bi_open = meta_back_open;
bi->bi_config = 0;
int
meta_back_db_init(
- Backend *be )
+ Backend *be,
+ ConfigReply *cr)
{
metainfo_t *mi;
+ int i;
+ BackendInfo *bi;
+
+ bi = backend_info( "ldap" );
+ if ( !bi || !bi->bi_extra ) {
+ Debug( LDAP_DEBUG_ANY,
+ "meta_back_db_init: needs back-ldap\n",
+ 0, 0, 0 );
+ return 1;
+ }
mi = ch_calloc( 1, sizeof( metainfo_t ) );
if ( mi == NULL ) {
return -1;
}
+ /* set default flags */
+ mi->mi_flags =
+ META_BACK_F_DEFER_ROOTDN_BIND;
+
/*
* At present the default is no default target;
* this may change
/* safe default */
mi->mi_nretries = META_RETRY_DEFAULT;
mi->mi_version = LDAP_VERSION3;
+
+ for ( i = LDAP_BACK_PCONN_FIRST; i < LDAP_BACK_PCONN_LAST; i++ ) {
+ mi->mi_conn_priv[ i ].mic_num = 0;
+ LDAP_TAILQ_INIT( &mi->mi_conn_priv[ i ].mic_priv );
+ }
+ mi->mi_conn_priv_max = LDAP_BACK_CONN_PRIV_DEFAULT;
+ mi->mi_ldap_extra = (ldap_extra_t *)bi->bi_extra;
+
be->be_private = mi;
return 0;
int
meta_back_db_open(
- Backend *be )
+ Backend *be,
+ ConfigReply *cr )
{
metainfo_t *mi = (metainfo_t *)be->be_private;
- int i, rc;
+ int i,
+ not_always = 0,
+ not_always_anon_proxyauthz = 0,
+ not_always_anon_non_prescriptive = 0,
+ rc;
+
+ if ( mi->mi_ntargets == 0 ) {
+ Debug( LDAP_DEBUG_ANY,
+ "meta_back_db_open: no targets defined\n",
+ 0, 0, 0 );
+ return 1;
+ }
for ( i = 0; i < mi->mi_ntargets; i++ ) {
+ slap_bindconf sb = { BER_BVNULL };
metatarget_t *mt = mi->mi_targets[ i ];
+ struct berval mapped;
+
+ ber_str2bv( mt->mt_uri, 0, 0, &sb.sb_uri );
+ sb.sb_version = mt->mt_version;
+ sb.sb_method = LDAP_AUTH_SIMPLE;
+ BER_BVSTR( &sb.sb_binddn, "" );
+
if ( META_BACK_TGT_T_F_DISCOVER( mt ) ) {
- rc = slap_discover_feature( mt->mt_uri,
- mt->mt_version,
+ rc = slap_discover_feature( &sb,
slap_schema.si_ad_supportedFeatures->ad_cname.bv_val,
LDAP_FEATURE_ABSOLUTE_FILTERS );
if ( rc == LDAP_COMPARE_TRUE ) {
}
if ( META_BACK_TGT_CANCEL_DISCOVER( mt ) ) {
- rc = slap_discover_feature( mt->mt_uri,
- mt->mt_version,
+ rc = slap_discover_feature( &sb,
slap_schema.si_ad_supportedExtension->ad_cname.bv_val,
LDAP_EXOP_CANCEL );
if ( rc == LDAP_COMPARE_TRUE ) {
mt->mt_flags |= LDAP_BACK_F_CANCEL_EXOP;
}
}
+
+ if ( not_always == 0 ) {
+ if ( !( mt->mt_idassert_flags & LDAP_BACK_AUTH_OVERRIDE )
+ || mt->mt_idassert_authz != NULL )
+ {
+ not_always = 1;
+ }
+ }
+
+ if ( ( mt->mt_idassert_flags & LDAP_BACK_AUTH_AUTHZ_ALL )
+ && !( mt->mt_idassert_flags & LDAP_BACK_AUTH_PRESCRIPTIVE ) )
+ {
+ Debug( LDAP_DEBUG_ANY, "meta_back_db_open(%s): "
+ "target #%d inconsistent idassert configuration "
+ "(likely authz=\"*\" used with \"non-prescriptive\" flag)\n",
+ be->be_suffix[ 0 ].bv_val, i, 0 );
+ return 1;
+ }
+
+ if ( not_always_anon_proxyauthz == 0 ) {
+ if ( !( mt->mt_idassert_flags & LDAP_BACK_AUTH_AUTHZ_ALL ) )
+ {
+ not_always_anon_proxyauthz = 1;
+ }
+ }
+
+ if ( not_always_anon_non_prescriptive == 0 ) {
+ if ( ( mt->mt_idassert_flags & LDAP_BACK_AUTH_PRESCRIPTIVE ) )
+ {
+ not_always_anon_non_prescriptive = 1;
+ }
+ }
+
+ BER_BVZERO( &mapped );
+ ldap_back_map( &mt->mt_rwmap.rwm_at,
+ &slap_schema.si_ad_entryDN->ad_cname, &mapped,
+ BACKLDAP_REMAP );
+ if ( BER_BVISNULL( &mapped ) || mapped.bv_val[0] == '\0' ) {
+ mt->mt_rep_flags |= REP_NO_ENTRYDN;
+ }
+
+ BER_BVZERO( &mapped );
+ ldap_back_map( &mt->mt_rwmap.rwm_at,
+ &slap_schema.si_ad_subschemaSubentry->ad_cname, &mapped,
+ BACKLDAP_REMAP );
+ if ( BER_BVISNULL( &mapped ) || mapped.bv_val[0] == '\0' ) {
+ mt->mt_rep_flags |= REP_NO_SUBSCHEMA;
+ }
+ }
+
+ if ( not_always == 0 ) {
+ mi->mi_flags |= META_BACK_F_PROXYAUTHZ_ALWAYS;
+ }
+
+ if ( not_always_anon_proxyauthz == 0 ) {
+ mi->mi_flags |= META_BACK_F_PROXYAUTHZ_ANON;
+
+ } else if ( not_always_anon_non_prescriptive == 0 ) {
+ mi->mi_flags |= META_BACK_F_PROXYAUTHZ_NOANON;
}
return 0;
}
+/*
+ * meta_back_conn_free()
+ *
+ * actually frees a connection; the reference count must be 0,
+ * and it must not (or no longer) be in the cache.
+ */
void
meta_back_conn_free(
void *v_mc )
{
metaconn_t *mc = v_mc;
- int i, ntargets;
+ int ntargets;
assert( mc != NULL );
assert( mc->mc_refcnt == 0 );
- if ( !BER_BVISNULL( &mc->mc_local_ndn ) ) {
- free( mc->mc_local_ndn.bv_val );
- }
-
- assert( mc->mc_conns != NULL );
-
/* at least one must be present... */
- ntargets = mc->mc_conns[ 0 ].msc_info->mi_ntargets;
+ ntargets = mc->mc_info->mi_ntargets;
+ assert( ntargets > 0 );
- for ( i = 0; i < ntargets; i++ ) {
- (void)meta_clear_one_candidate( &mc->mc_conns[ i ] );
+ for ( ; ntargets--; ) {
+ (void)meta_clear_one_candidate( NULL, mc, ntargets );
+ }
+
+ if ( !BER_BVISNULL( &mc->mc_local_ndn ) ) {
+ free( mc->mc_local_ndn.bv_val );
}
free( mc );
if ( !BER_BVISNULL( &mt->mt_bindpw ) ) {
free( mt->mt_bindpw.bv_val );
}
- if ( !BER_BVISNULL( &mt->mt_pseudorootdn ) ) {
- free( mt->mt_pseudorootdn.bv_val );
+ if ( !BER_BVISNULL( &mt->mt_idassert_authcID ) ) {
+ ch_free( mt->mt_idassert_authcID.bv_val );
+ }
+ if ( !BER_BVISNULL( &mt->mt_idassert_authcDN ) ) {
+ ch_free( mt->mt_idassert_authcDN.bv_val );
+ }
+ if ( !BER_BVISNULL( &mt->mt_idassert_passwd ) ) {
+ ch_free( mt->mt_idassert_passwd.bv_val );
+ }
+ if ( !BER_BVISNULL( &mt->mt_idassert_authzID ) ) {
+ ch_free( mt->mt_idassert_authzID.bv_val );
+ }
+ if ( !BER_BVISNULL( &mt->mt_idassert_sasl_mech ) ) {
+ ch_free( mt->mt_idassert_sasl_mech.bv_val );
}
- if ( !BER_BVISNULL( &mt->mt_pseudorootpw ) ) {
- free( mt->mt_pseudorootpw.bv_val );
+ if ( !BER_BVISNULL( &mt->mt_idassert_sasl_realm ) ) {
+ ch_free( mt->mt_idassert_sasl_realm.bv_val );
+ }
+ if ( mt->mt_idassert_authz != NULL ) {
+ ber_bvarray_free( mt->mt_idassert_authz );
}
if ( mt->mt_rwmap.rwm_rw ) {
rewrite_info_delete( &mt->mt_rwmap.rwm_rw );
int
meta_back_db_destroy(
- Backend *be )
+ Backend *be,
+ ConfigReply *cr )
{
metainfo_t *mi;
if ( mi->mi_conninfo.lai_tree ) {
avl_free( mi->mi_conninfo.lai_tree, meta_back_conn_free );
}
+ for ( i = LDAP_BACK_PCONN_FIRST; i < LDAP_BACK_PCONN_LAST; i++ ) {
+ while ( !LDAP_TAILQ_EMPTY( &mi->mi_conn_priv[ i ].mic_priv ) ) {
+ metaconn_t *mc = LDAP_TAILQ_FIRST( &mi->mi_conn_priv[ i ].mic_priv );
+
+ LDAP_TAILQ_REMOVE( &mi->mi_conn_priv[ i ].mic_priv, mc, mc_q );
+ meta_back_conn_free( mc );
+ }
+ }
/*
* Destroy the per-target stuff (assuming there's at
*/
if ( mi->mi_targets != NULL ) {
for ( i = 0; i < mi->mi_ntargets; i++ ) {
- if ( META_BACK_QUARANTINE( mi )
- && mi->mi_targets[ i ]->mt_quarantine.ri_num != mi->mi_quarantine.ri_num )
- {
- slap_retry_info_destroy( &mi->mi_targets[ i ]->mt_quarantine );
+ metatarget_t *mt = mi->mi_targets[ i ];
+
+ if ( META_BACK_TGT_QUARANTINE( mt ) ) {
+ if ( mt->mt_quarantine.ri_num != mi->mi_quarantine.ri_num )
+ {
+ mi->mi_ldap_extra->retry_info_destroy( &mt->mt_quarantine );
+ }
+
+ ldap_pvt_thread_mutex_destroy( &mt->mt_quarantine_mutex );
}
- target_free( mi->mi_targets[ i ] );
+ target_free( mt );
}
free( mi->mi_targets );
}
if ( META_BACK_QUARANTINE( mi ) ) {
- slap_retry_info_destroy( &mi->mi_quarantine );
+ mi->mi_ldap_extra->retry_info_destroy( &mi->mi_quarantine );
}
}
projects / openldap / blobdiff