]> git.sur5r.net Git - openldap/blobdiff - servers/slapd/back-meta/search.c
projects / openldap / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Fix prev commit, return generated passwd
[openldap] / servers / slapd / back-meta / search.c
diff --git a/servers/slapd/back-meta/search.c b/servers/slapd/back-meta/search.c
index 310be190235f6b270bdb7109d845a998b55a8490..2fe1b3bad5ac93d6ea30f1b10450fac7e669ca25 100644 (file)
--- a/servers/slapd/back-meta/search.c
+++ b/servers/slapd/back-meta/search.c
@@ -1,7 +1,24 @@
-/*
- * Copyright 1998-2003 The OpenLDAP Foundation, All Rights Reserved.
- * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
+/* $OpenLDAP$ */
+/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
+ *
+ * Copyright 1999-2003 The OpenLDAP Foundation.
+ * All rights reserved.
  *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
+ *
+ * A copy of this license is available in the file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * <http://www.OpenLDAP.org/license.html>.
+ */
+/* ACKNOWLEDGEMENTS:
+ * This work was initially developed by the Howard Chu for inclusion
+ * in OpenLDAP Software and subsequently enhanced by Pierangelo
+ * Masarati.
+ */
+/* This is an altered version */
+/*
  * Copyright 2001, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
  *
  * This work has been developed to fulfill the requirements
@@ -103,32 +120,22 @@ meta_back_search( Operation *op, SlapReply *rs )
        struct metasingleconn *lsc;
        struct timeval  tv = { 0, 0 };
        LDAPMessage     *res, *e;
-       int     count, rc = 0, *msgid, sres = LDAP_NO_SUCH_OBJECT;
-       char *match = NULL, *err = NULL;
-       char *mbase = NULL, *mmatch = NULL;
-       struct berval mfilter;
+       int     rc = 0, *msgid, sres = LDAP_NO_SUCH_OBJECT;
+       char *err = NULL;
+       struct berval match = { 0, NULL }, mmatch = { 0, NULL };
        BerVarray v2refs = NULL;
                
-       int i, last = 0, candidates = 0;
+       int i, last = 0, candidates = 0, initial_candidates = 0,
+                       candidate_match = 0;
        struct slap_limits_set *limit = NULL;
        int isroot = 0;
+       dncookie dc;
 
-#ifdef LDAP_CACHING
        cache_manager*  cm = li->cm;
 
        if (cm->caching) {
-               return meta_back_cache_search(op->o_bd, op->o_conn, op,
-                               &op->o_req_dn, &op->o_req_ndn, 
-                               op->oq_search.rs_scope,
-                               op->oq_search.rs_deref,
-                               op->oq_search.rs_slimit,
-                               op->oq_search.rs_tlimit,
-                               op->oq_search.rs_filter,
-                               &op->oq_search.rs_filterstr,
-                               op->oq_search.rs_attrs,
-                               op->oq_search.rs_attrsonly); 
+               return meta_back_cache_search(op, rs);
        }
-#endif /* LDAP_CACHING */
        
        /*
         * controls are set in ldap_back_dobind()
@@ -206,14 +213,20 @@ meta_back_search( Operation *op, SlapReply *rs )
                /* negative hard limit means no limit */
        }
 
+
+       dc.conn = op->o_conn;
+       dc.rs = rs;
+
        /*
         * Inits searches
         */
        for ( i = 0, lsc = lc->conns; !META_LAST(lsc); ++i, ++lsc ) {
-               char    *realbase = ( char * )op->o_req_dn.bv_val;
-               int     realscope = op->oq_search.rs_scope;
-               ber_len_t suffixlen;
-               char    **mapped_attrs;
+               struct berval   realbase = op->o_req_dn;
+               int             realscope = op->oq_search.rs_scope;
+               ber_len_t       suffixlen = 0;
+               struct berval   mbase = { 0, NULL }; 
+               struct berval   mfilter = { 0, NULL };
+               char            **mapped_attrs = NULL;
 
                if ( lsc->candidate != META_CANDIDATE ) {
                        msgid[ i ] = -1;
@@ -234,6 +247,8 @@ meta_back_search( Operation *op, SlapReply *rs )
                                        ( void * )&op->oq_search.rs_slimit);
                }
 
+               dc.rwmap = &li->targets[ i ]->rwmap;
+
                /*
                 * modifies the base according to the scope, if required
                 */
@@ -249,7 +264,7 @@ meta_back_search( Operation *op, SlapReply *rs )
                                 */
                                if ( dnIsSuffix( &li->targets[ i ]->suffix,
                                                &op->o_req_ndn ) ) {
-                                       realbase = li->targets[ i ]->suffix.bv_val;
+                                       realbase = li->targets[ i ]->suffix;
                                } else {
                                        /*
                                         * this target is no longer candidate
@@ -268,7 +283,7 @@ meta_back_search( Operation *op, SlapReply *rs )
                                         * make the target suffix the new
                                         * base, and make scope "base"
                                         */
-                                       realbase = li->targets[ i ]->suffix.bv_val;
+                                       realbase = li->targets[ i ]->suffix;
                                        realscope = LDAP_SCOPE_BASE;
                                        break;
                                } /* else continue with the next case */
@@ -286,24 +301,11 @@ meta_back_search( Operation *op, SlapReply *rs )
                /*
                 * Rewrite the search base, if required
                 */
-               switch ( rewrite_session( li->targets[ i ]->rwinfo,
-                                       "searchBase",
-                                       realbase, op->o_conn, &mbase ) ) {
-               case REWRITE_REGEXEC_OK:
-               if ( mbase == NULL ) {
-                       mbase = realbase;
-               }
-#ifdef NEW_LOGGING
-               LDAP_LOG( BACK_META, DETAIL1,
-                       "[rw] searchBase [%d]: \"%s\" -> \"%s\"\n",
-                       i, op->o_req_dn.bv_val, mbase );
-#else /* !NEW_LOGGING */
-               Debug( LDAP_DEBUG_ARGS,
-                       "rw> searchBase [%d]: \"%s\" -> \"%s\"\n",
-                               i, op->o_req_dn.bv_val, mbase );
-#endif /* !NEW_LOGGING */
-               break;
-               
+               dc.ctx = "searchBase";
+               switch ( ldap_back_dn_massage( &dc, &realbase, &mbase ) ) {
+               default:
+                       break;
+
                case REWRITE_REGEXEC_UNWILLING:
                        rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
                        rs->sr_text = "Operation not allowed";
@@ -312,96 +314,53 @@ meta_back_search( Operation *op, SlapReply *rs )
                        goto finish;
 
                case REWRITE_REGEXEC_ERR:
+#if 0
                        rs->sr_err = LDAP_OTHER;
-                       rs->sr_text = "rewrite error";
+                       rs->sr_text = "Rewrite error";
                        send_ldap_result( op, rs );
                        rc = -1;
                        goto finish;
-               }
-
-#if 0
-               /*
-                * Rewrite the search filter, if required
-                */
-               switch ( rewrite_session( li->targets[ i ]->rwinfo,
-                                       "searchFilter",
-                                       filterstr->bv_val, conn, &mfilter.bv_val ) ) {
-               case REWRITE_REGEXEC_OK:
-                       if ( mfilter.bv_val != NULL && mfilter.bv_val[ 0 ] != '\0') {
-                               mfilter.bv_len = strlen( mfilter.bv_val );
-                       } else {
-                               if ( mfilter.bv_val != NULL ) {
-                                       free( mfilter.bv_val );
-                               }
-                               mfilter = *filterstr;
-                       }
-#ifdef NEW_LOGGING
-                       LDAP_LOG( BACK_META, DETAIL1,
-                               "[rw] searchFilter [%d]: \"%s\" -> \"%s\"\n",
-                               i, filterstr->bv_val, mfilter.bv_val );
-#else /* !NEW_LOGGING */
-                       Debug( LDAP_DEBUG_ARGS,
-                               "rw> searchFilter [%d]: \"%s\" -> \"%s\"\n",
-                               i, filterstr->bv_val, mfilter.bv_val );
-#endif /* !NEW_LOGGING */
-                       break;
-               
-               case REWRITE_REGEXEC_UNWILLING:
-                       send_ldap_result( conn, op, LDAP_UNWILLING_TO_PERFORM,
-                                       NULL, "Operation not allowed",
-                                       NULL, NULL );
-                       rc = -1;
-                       goto finish;
+#endif 
 
-               case REWRITE_REGEXEC_ERR:
-                       send_ldap_result( conn, op, LDAP_OTHER,
-                                       NULL, "Rewrite error", NULL, NULL );
-                       rc = -1;
-                       goto finish;
+                       /*
+                        * this target is no longer candidate
+                        */
+                       msgid[ i ] = -1;
+                       goto new_candidate;
                }
 
                /*
-                * Maps attributes in filter
+                * Maps filter
                 */
-               mapped_filter = ldap_back_map_filter( &li->targets[ i ]->at_map,
-                               &li->targets[ i ]->oc_map, &mfilter,
-                               BACKLDAP_MAP );
-               if ( mapped_filter == NULL ) {
-                       mapped_filter = ( char * )mfilter.bv_val;
-               } else {
-                       if ( mfilter.bv_val != filterstr->bv_val ) {
-                               free( mfilter.bv_val );
-                       }
-               }
-               mfilter.bv_val = NULL;
-               mfilter.bv_len = 0;
-#endif
-       
-               rc = ldap_back_filter_map_rewrite_( li->targets[ i ]->rwinfo,
-                               op->o_conn,
-                               &li->targets[ i ]->at_map,
-                               &li->targets[ i ]->oc_map, 
+               rc = ldap_back_filter_map_rewrite( &dc,
                                op->oq_search.rs_filter,
                                &mfilter, BACKLDAP_MAP );
+               if ( rc != 0 ) {
+                       /*
+                        * this target is no longer candidate
+                        */
+                       msgid[ i ] = -1;
+                       goto new_candidate;
+               }
 
                /*
                 * Maps required attributes
                 */
-               mapped_attrs = ldap_back_map_attrs( &li->targets[ i ]->at_map,
-                               op->oq_search.rs_attrs, BACKLDAP_MAP );
-               if ( mapped_attrs == NULL && op->oq_search.rs_attrs) {
-                       for ( count = 0; op->oq_search.rs_attrs[ count ].an_name.bv_val; count++ );
-                       mapped_attrs = ch_malloc( ( count + 1 ) * sizeof(char *));
-                       for ( count = 0; op->oq_search.rs_attrs[ count ].an_name.bv_val; count++ ) {
-                               mapped_attrs[ count ] = op->oq_search.rs_attrs[ count ].an_name.bv_val;
-                       }
-                       mapped_attrs[ count ] = NULL;
+               rc = ldap_back_map_attrs( &li->targets[ i ]->rwmap.rwm_at,
+                               op->oq_search.rs_attrs, BACKLDAP_MAP,
+                               &mapped_attrs );
+               if ( rc != LDAP_SUCCESS ) {
+                       /*
+                        * this target is no longer candidate
+                        */
+                       msgid[ i ] = -1;
+                       goto new_candidate;
                }
 
                /*
                 * Starts the search
                 */
-               msgid[ i ] = ldap_search( lsc->ld, mbase, realscope,
+               msgid[ i ] = ldap_search( lsc->ld, mbase.bv_val, realscope,
                                mfilter.bv_val, mapped_attrs,
                                op->oq_search.rs_attrsonly ); 
                if ( mapped_attrs ) {
@@ -412,9 +371,9 @@ meta_back_search( Operation *op, SlapReply *rs )
                        free( mfilter.bv_val );
                        mfilter.bv_val = NULL;
                }
-               if ( mbase != realbase ) {
-                       free( mbase );
-                       mbase = NULL;
+               if ( mbase.bv_val != realbase.bv_val ) {
+                       free( mbase.bv_val );
+                       mbase.bv_val = NULL;
                }
 
                if ( msgid[ i ] == -1 ) {
@@ -426,6 +385,8 @@ meta_back_search( Operation *op, SlapReply *rs )
 new_candidate:;
        }
 
+       initial_candidates = candidates;
+
        /* We pull apart the ber result, stuff it into a slapd entry, and
         * let send_search_entry stuff it back into ber format. Slow & ugly,
         * but this is necessary for version matching, and for ACL processing.
@@ -553,32 +514,32 @@ new_candidate:;
                                }
 
                        } else {
-                               sres = ldap_result2error( lsc->ld,
+                               rs->sr_err = ldap_result2error( lsc->ld,
                                                res, 1 );
-                               sres = ldap_back_map_result( sres );
+                               sres = ldap_back_map_result( rs );
                                if ( err != NULL ) {
                                        free( err );
                                }
                                ldap_get_option( lsc->ld,
                                                LDAP_OPT_ERROR_STRING, &err );
-                               if ( match != NULL ) {
-                                       free( match );
+                               if ( match.bv_val != NULL ) {
+                                       free( match.bv_val );
                                }
                                ldap_get_option( lsc->ld,
-                                               LDAP_OPT_MATCHED_DN, &match );
+                                               LDAP_OPT_MATCHED_DN, &match.bv_val );
 
 #ifdef NEW_LOGGING
                                LDAP_LOG( BACK_META, ERR,
                                        "meta_back_search [%d] "
                                        "match=\"%s\" err=\"%s\"\n",
-                                       i, match, err );
+                                       i, match.bv_val, err );
 #else /* !NEW_LOGGING */
                                Debug( LDAP_DEBUG_ANY,
                                        "=>meta_back_search [%d] "
                                        "match=\"%s\" err=\"%s\"\n",
-                                       i, match, err );        
+                                       i, match.bv_val, err ); 
 #endif /* !NEW_LOGGING */
-                               
+                               candidate_match++;
                                last = i;
                                rc = 0;
 
@@ -618,31 +579,13 @@ new_candidate:;
         * 
         * FIXME: only the last one gets caught!
         */
-       if ( match != NULL ) {
-               switch ( rewrite_session( li->targets[ last ]->rwinfo,
-                                       "matchedDn", match, op->o_conn,
-                                       &mmatch ) ) {
-               case REWRITE_REGEXEC_OK:
-                       if ( mmatch == NULL ) {
-                               mmatch = ( char * )match;
-                       }
-#ifdef NEW_LOGGING
-                       LDAP_LOG( BACK_META, DETAIL1,
-                               "[rw] matchedDn: \"%s\" -> \"%s\"\n",
-                               match, mmatch, 0 );
-#else /* !NEW_LOGGING */
-                       Debug( LDAP_DEBUG_ARGS,
-                               "rw> matchedDn: \"%s\" -> \"%s\"\n",
-                               match, mmatch, 0 );
-#endif /* !NEW_LOGGING */
-                       break;
-                       
-               case REWRITE_REGEXEC_UNWILLING:
-                       
-               case REWRITE_REGEXEC_ERR:
-                       /* FIXME: no error, but no matched ... */
-                       mmatch = NULL;
-                       break;
+       if ( candidate_match == initial_candidates
+                       && match.bv_val != NULL && *match.bv_val ) {
+               dc.ctx = "matchedDn";
+               dc.rwmap = &li->targets[ last ]->rwmap;
+
+               if ( ldap_back_dn_massage( &dc, &match, &mmatch ) ) {
+                       mmatch.bv_val = NULL;
                }
        }
 
@@ -657,7 +600,7 @@ new_candidate:;
                sres = LDAP_REFERRAL;
        }
        rs->sr_err = sres;
-       rs->sr_matched = mmatch;
+       rs->sr_matched = mmatch.bv_val;
        rs->sr_v2ref = v2refs;
        send_ldap_result( op, rs );
        rs->sr_matched = NULL;
@@ -665,11 +608,11 @@ new_candidate:;
 
 
 finish:;
-       if ( match ) {
-               if ( mmatch != match ) {
-                       free( mmatch );
+       if ( match.bv_val ) {
+               if ( mmatch.bv_val != match.bv_val ) {
+                       free( mmatch.bv_val );
                }
-               free(match);
+               free( match.bv_val );
        }
        
        if ( err ) {
@@ -700,6 +643,7 @@ meta_send_entry(
        struct berval           dummy = { 0, NULL };
        struct berval           *bv, bdn;
        const char              *text;
+       dncookie                dc;
 
        if ( ber_scanf( &ber, "{m{", &bdn ) == LBER_ERROR ) {
                return LDAP_DECODING_ERROR;
@@ -708,32 +652,14 @@ meta_send_entry(
        /*
         * Rewrite the dn of the result, if needed
         */
-       switch ( rewrite_session( li->targets[ target ]->rwinfo,
-                               "searchResult", bdn.bv_val, lc->conn,
-                               &ent.e_name.bv_val ) ) {
-       case REWRITE_REGEXEC_OK:
-               if ( ent.e_name.bv_val == NULL ) {
-                       ent.e_name = bdn;
-
-               } else {
-#ifdef NEW_LOGGING
-                       LDAP_LOG( BACK_META, DETAIL1,
-                               "[rw] searchResult[%d]: \"%s\" -> \"%s\"\n",
-                               target, bdn.bv_val, ent.e_name.bv_val );
-#else /* !NEW_LOGGING */
-                       Debug( LDAP_DEBUG_ARGS, "rw> searchResult[%d]: \"%s\""
-                                       " -> \"%s\"\n", target, bdn.bv_val,
-                                       ent.e_name.bv_val );
-#endif /* !NEW_LOGGING */
-                       ent.e_name.bv_len = strlen( ent.e_name.bv_val );
-               }
-               break;
-               
-       case REWRITE_REGEXEC_UNWILLING:
-               return LDAP_UNWILLING_TO_PERFORM;
-
-       case REWRITE_REGEXEC_ERR:
-               return LDAP_OTHER;
+       dc.rwmap = &li->targets[ target ]->rwmap;
+       dc.conn = op->o_conn;
+       dc.rs = rs;
+       dc.ctx = "searchResult";
+
+       rs->sr_err = ldap_back_dn_massage( &dc, &bdn, &ent.e_name );
+       if ( rs->sr_err != LDAP_SUCCESS) {
+               return rs->sr_err;
        }
 
        /*
@@ -741,9 +667,11 @@ meta_send_entry(
         * from the one known to the meta, and a DN with unknown
         * attributes is returned.
         * 
-        * FIXME: should we log anything, or delegate to dnNormalize2?
+        * FIXME: should we log anything, or delegate to dnNormalize?
         */
-       if ( dnNormalize2( NULL, &ent.e_name, &ent.e_nname ) != LDAP_SUCCESS ) {
+       if ( dnNormalize( 0, NULL, NULL, &ent.e_name, &ent.e_nname,
+               &op->o_tmpmemctx ) != LDAP_SUCCESS )
+       {
                return LDAP_INVALID_DN_SYNTAX;
        }
 
@@ -752,8 +680,7 @@ meta_send_entry(
         */
        if ( li->cache.ttl != META_DNCACHE_DISABLED ) {
                ( void )meta_dncache_update_entry( &li->cache,
-                                                  &ent.e_nname,
-                                                  target );
+                               &ent.e_nname, target );
        }
 
        ent.e_id = 0;
@@ -761,8 +688,11 @@ meta_send_entry(
        ent.e_private = 0;
        attrp = &ent.e_attrs;
 
+       dc.ctx = "searchAttrDN";
        while ( ber_scanf( &ber, "{m", &a ) != LBER_ERROR ) {
-               ldap_back_map( &li->targets[ target ]->at_map, 
+               int             last = 0;
+
+               ldap_back_map( &li->targets[ target ]->rwmap.rwm_at, 
                                &a, &mapped, BACKLDAP_REMAP );
                if ( mapped.bv_val == NULL || mapped.bv_val[0] == '\0' ) {
                        continue;
@@ -793,6 +723,16 @@ meta_send_entry(
 
                /* no subschemaSubentry */
                if ( attr->a_desc == slap_schema.si_ad_subschemaSubentry ) {
+
+                       /* 
+                        * We eat target's subschemaSubentry because
+                        * a search for this value is likely not
+                        * to resolve to the appropriate backend;
+                        * later, the local subschemaSubentry is
+                        * added.
+                        */
+                       ( void )ber_scanf( &ber, "x" /* [W] */ );
+
                        ch_free(attr);
                        continue;
                }
@@ -803,12 +743,11 @@ meta_send_entry(
 
                } else if ( attr->a_desc == slap_schema.si_ad_objectClass
                                || attr->a_desc == slap_schema.si_ad_structuralObjectClass ) {
-                       int             last;
 
                        for ( last = 0; attr->a_vals[ last ].bv_val; ++last );
 
                        for ( bv = attr->a_vals; bv->bv_val; bv++ ) {
-                               ldap_back_map( &li->targets[ target]->oc_map,
+                               ldap_back_map( &li->targets[ target ]->rwmap.rwm_oc,
                                                bv, &mapped, BACKLDAP_REMAP );
                                if ( mapped.bv_val == NULL || mapped.bv_val[0] == '\0') {
                                        free( bv->bv_val );
@@ -836,63 +775,29 @@ meta_send_entry(
                 * ACLs to the target directory server, and letting
                 * everything pass thru the ldap backend.
                 */
-               } else if ( strcmp( attr->a_desc->ad_type->sat_syntax->ssyn_oid,
-                                       SLAPD_DN_SYNTAX ) == 0 ) {
-                       int             last;
-
-                       for ( last = 0; attr->a_vals[ last ].bv_val; ++last );
-
-                       for ( bv = attr->a_vals; bv->bv_val; bv++ ) {
-                               char *newval;
-
-                               switch ( rewrite_session( li->targets[ target ]->rwinfo,
-                                                       "searchResult",
-                                                       bv->bv_val,
-                                                       lc->conn, &newval )) {
-                               case REWRITE_REGEXEC_OK:
-                                       /* left as is */
-                                       if ( newval == NULL ) {
-                                               break;
-                                       }
-#ifdef NEW_LOGGING
-                                       LDAP_LOG( BACK_META, DETAIL1,
-                                               "[rw] searchResult on attr=%s: \"%s\" -> \"%s\"\n",
-                                               attr->a_desc->ad_type->sat_cname.bv_val,
-                                               bv->bv_val, newval );
-#else /* !NEW_LOGGING */
-                                       Debug( LDAP_DEBUG_ARGS,
-                                               "rw> searchResult on attr=%s:"
-                                               " \"%s\" -> \"%s\"\n",
-                                       attr->a_desc->ad_type->sat_cname.bv_val,
-                                               bv->bv_val, newval );
-#endif /* !NEW_LOGGING */
-                                       free( bv->bv_val );
-                                       bv->bv_val = newval;
-                                       bv->bv_len = strlen( newval );
-
-                                       break;
-
-                               case REWRITE_REGEXEC_UNWILLING:
-                                       LBER_FREE(bv->bv_val);
-                                       bv->bv_val = NULL;
-                                       if (--last < 0)
-                                               goto next_attr;
-                                       *bv = attr->a_vals[last];
-                                       attr->a_vals[last].bv_val = NULL;
-                                       bv--;
-                                       break;
+               } else if ( attr->a_desc->ad_type->sat_syntax ==
+                               slap_schema.si_syn_distinguishedName ) {
+                       ldap_dnattr_result_rewrite( &dc, attr->a_vals );
+               }
 
-                               case REWRITE_REGEXEC_ERR:
-                                       /*
-                                        * FIXME: better give up,
-                                        * skip the attribute
-                                        * or leave it untouched?
-                                        */
-                                       break;
-                               }
+               if ( last && attr->a_desc->ad_type->sat_equality &&
+                       attr->a_desc->ad_type->sat_equality->smr_normalize ) {
+                       int i;
+
+                       attr->a_nvals = ch_malloc((last + 1)*sizeof(struct berval));
+                       for ( i = 0; i<last; i++ ) {
+                               attr->a_desc->ad_type->sat_equality->smr_normalize(
+                                       SLAP_MR_VALUE_OF_ATTRIBUTE_SYNTAX,
+                                       attr->a_desc->ad_type->sat_syntax,
+                                       attr->a_desc->ad_type->sat_equality,
+                                       &attr->a_vals[i], &attr->a_nvals[i],
+                                       op->o_tmpmemctx );
                        }
+                       attr->a_nvals[i].bv_val = NULL;
+                       attr->a_nvals[i].bv_len = 0;
+               } else {
+                       attr->a_nvals = attr->a_vals;
                }
-next_attr:;
 
                *attrp = attr;
                attrp = &attr->a_next;
Cloned from git://git.openldap.org/openldap.git