#ifdef SLAP_AUTH_REWRITE
static BerVarray authz_rewrites;
#endif
+static AccessControl *defacl_parsed = NULL;
static struct berval cfdir;
static ConfigDriver config_loglevel;
static ConfigDriver config_updatedn;
static ConfigDriver config_updateref;
+static ConfigDriver config_extra_attrs;
static ConfigDriver config_include;
static ConfigDriver config_obsolete;
#ifdef HAVE_TLS
* OLcfg{Bk|Db}{Oc|At}:3 -> back-ldap
* OLcfg{Bk|Db}{Oc|At}:4 -> back-monitor
* OLcfg{Bk|Db}{Oc|At}:5 -> back-relay
- * OLcfg{Bk|Db}{Oc|At}:6 -> back-sql
+ * OLcfg{Bk|Db}{Oc|At}:6 -> back-sql(/back-ndb)
* OLcfg{Bk|Db}{Oc|At}:7 -> back-sock
* OLcfg{Bk|Db}{Oc|At}:8 -> back-null
+ * OLcfg{Bk|Db}{Oc|At}:9 -> back-passwd
+ * OLcfg{Bk|Db}{Oc|At}:10 -> back-shell
+ * OLcfg{Bk|Db}{Oc|At}:11 -> back-perl
+ * OLcfg{Bk|Db}{Oc|At}:12 -> back-mdb
*/
/*
&config_generic, "( OLcfgGlAt:4 NAME 'olcAttributeTypes' "
"DESC 'OpenLDAP attributeTypes' "
"EQUALITY caseIgnoreMatch "
+ "SUBSTR caseIgnoreSubstringsMatch "
"SYNTAX OMsDirectoryString X-ORDERED 'VALUES' )",
NULL, NULL },
{ "authid-rewrite", NULL, 2, 0, STRLENOF( "authid-rewrite" ),
&config_generic, "( OLcfgGlAt:16 NAME 'olcDitContentRules' "
"DESC 'OpenLDAP DIT content rules' "
"EQUALITY caseIgnoreMatch "
+ "SUBSTR caseIgnoreSubstringsMatch "
"SYNTAX OMsDirectoryString X-ORDERED 'VALUES' )",
NULL, NULL },
+ { "extra_attrs", "attrlist", 2, 2, 0, ARG_DB|ARG_MAGIC,
+ &config_extra_attrs, "( OLcfgDbAt:0.20 NAME 'olcExtraAttrs' "
+ "EQUALITY caseIgnoreMatch "
+ "SYNTAX OMsDirectoryString )", NULL, NULL },
{ "gentlehup", "on|off", 2, 2, 0,
#ifdef SIGHUP
ARG_ON_OFF, &global_gentlehup,
&config_generic, "( OLcfgGlAt:85 NAME 'olcLdapSyntaxes' "
"DESC 'OpenLDAP ldapSyntax' "
"EQUALITY caseIgnoreMatch "
+ "SUBSTR caseIgnoreSubstringsMatch "
"SYNTAX OMsDirectoryString X-ORDERED 'VALUES' )",
NULL, NULL },
{ "limits", "limits", 2, 0, 0, ARG_DB|ARG_MAGIC|CFG_LIMITS,
&config_generic, "( OLcfgGlAt:32 NAME 'olcObjectClasses' "
"DESC 'OpenLDAP object classes' "
"EQUALITY caseIgnoreMatch "
+ "SUBSTR caseIgnoreSubstringsMatch "
"SYNTAX OMsDirectoryString X-ORDERED 'VALUES' )",
NULL, NULL },
{ "objectidentifier", "name> <oid", 3, 3, 0, ARG_MAGIC|CFG_OID,
&config_generic, "( OLcfgGlAt:33 NAME 'olcObjectIdentifier' "
"EQUALITY caseIgnoreMatch "
+ "SUBSTR caseIgnoreSubstringsMatch "
"SYNTAX OMsDirectoryString X-ORDERED 'VALUES' )", NULL, NULL },
{ "overlay", "overlay", 2, 2, 0, ARG_MAGIC,
&config_overlay, "( OLcfgGlAt:34 NAME 'olcOverlay' "
{ "timelimit", "limit", 2, 0, 0, ARG_MAY_DB|ARG_MAGIC,
&config_timelimit, "( OLcfgGlAt:67 NAME 'olcTimeLimit' "
"SYNTAX OMsDirectoryString )", NULL, NULL },
- { "TLSCACertificateFile", NULL, 0, 0, 0,
+ { "TLSCACertificateFile", NULL, 2, 2, 0,
#ifdef HAVE_TLS
CFG_TLS_CA_FILE|ARG_STRING|ARG_MAGIC, &config_tls_option,
#else
#endif
"( OLcfgGlAt:68 NAME 'olcTLSCACertificateFile' "
"SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
- { "TLSCACertificatePath", NULL, 0, 0, 0,
+ { "TLSCACertificatePath", NULL, 2, 2, 0,
#ifdef HAVE_TLS
CFG_TLS_CA_PATH|ARG_STRING|ARG_MAGIC, &config_tls_option,
#else
#endif
"( OLcfgGlAt:69 NAME 'olcTLSCACertificatePath' "
"SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
- { "TLSCertificateFile", NULL, 0, 0, 0,
+ { "TLSCertificateFile", NULL, 2, 2, 0,
#ifdef HAVE_TLS
CFG_TLS_CERT_FILE|ARG_STRING|ARG_MAGIC, &config_tls_option,
#else
#endif
"( OLcfgGlAt:70 NAME 'olcTLSCertificateFile' "
"SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
- { "TLSCertificateKeyFile", NULL, 0, 0, 0,
+ { "TLSCertificateKeyFile", NULL, 2, 2, 0,
#ifdef HAVE_TLS
CFG_TLS_CERT_KEY|ARG_STRING|ARG_MAGIC, &config_tls_option,
#else
#endif
"( OLcfgGlAt:71 NAME 'olcTLSCertificateKeyFile' "
"SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
- { "TLSCipherSuite", NULL, 0, 0, 0,
+ { "TLSCipherSuite", NULL, 2, 2, 0,
#ifdef HAVE_TLS
CFG_TLS_CIPHER|ARG_STRING|ARG_MAGIC, &config_tls_option,
#else
#endif
"( OLcfgGlAt:72 NAME 'olcTLSCipherSuite' "
"SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
- { "TLSCRLCheck", NULL, 0, 0, 0,
+ { "TLSCRLCheck", NULL, 2, 2, 0,
#if defined(HAVE_TLS) && defined(HAVE_OPENSSL_CRL)
CFG_TLS_CRLCHECK|ARG_STRING|ARG_MAGIC, &config_tls_config,
#else
#endif
"( OLcfgGlAt:73 NAME 'olcTLSCRLCheck' "
"SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
- { "TLSCRLFile", NULL, 0, 0, 0,
+ { "TLSCRLFile", NULL, 2, 2, 0,
#if defined(HAVE_GNUTLS)
CFG_TLS_CRL_FILE|ARG_STRING|ARG_MAGIC, &config_tls_option,
#else
#endif
"( OLcfgGlAt:82 NAME 'olcTLSCRLFile' "
"SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
- { "TLSRandFile", NULL, 0, 0, 0,
+ { "TLSRandFile", NULL, 2, 2, 0,
#ifdef HAVE_TLS
CFG_TLS_RAND|ARG_STRING|ARG_MAGIC, &config_tls_option,
#else
#endif
"( OLcfgGlAt:74 NAME 'olcTLSRandFile' "
"SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
- { "TLSVerifyClient", NULL, 0, 0, 0,
+ { "TLSVerifyClient", NULL, 2, 2, 0,
#ifdef HAVE_TLS
CFG_TLS_VERIFY|ARG_STRING|ARG_MAGIC, &config_tls_config,
#else
#endif
"( OLcfgGlAt:75 NAME 'olcTLSVerifyClient' "
"SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
- { "TLSDHParamFile", NULL, 0, 0, 0,
+ { "TLSDHParamFile", NULL, 2, 2, 0,
#ifdef HAVE_TLS
CFG_TLS_DH_FILE|ARG_STRING|ARG_MAGIC, &config_tls_option,
#else
#endif
"( OLcfgGlAt:77 NAME 'olcTLSDHParamFile' "
"SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
- { "TLSProtocolMin", NULL, 0, 0, 0,
+ { "TLSProtocolMin", NULL, 2, 2, 0,
#ifdef HAVE_TLS
CFG_TLS_PROTOCOL_MIN|ARG_STRING|ARG_MAGIC, &config_tls_config,
#else
"NAME 'olcSchemaConfig' "
"DESC 'OpenLDAP schema object' "
"SUP olcConfig STRUCTURAL "
- "MAY ( cn $ olcObjectIdentifier $ olcAttributeTypes $ "
- "olcObjectClasses $ olcDitContentRules $ olcLdapSyntaxes ) )",
+ "MAY ( cn $ olcObjectIdentifier $ olcLdapSyntaxes $ "
+ "olcAttributeTypes $ olcObjectClasses $ olcDitContentRules ) )",
Cft_Schema, NULL, cfAddSchema },
{ "( OLcfgGlOc:3 "
"NAME 'olcBackendConfig' "
"olcReplogFile $ olcRequires $ olcRestrict $ olcRootDN $ olcRootPW $ "
"olcSchemaDN $ olcSecurity $ olcSizeLimit $ olcSyncUseSubentry $ olcSyncrepl $ "
"olcTimeLimit $ olcUpdateDN $ olcUpdateRef $ olcMirrorMode $ "
- "olcMonitoring ) )",
+ "olcMonitoring $ olcExtraAttrs ) )",
Cft_Database, NULL, cfAddDatabase },
{ "( OLcfgGlOc:5 "
"NAME 'olcOverlayConfig' "
*prev = a->acl_next;
acl_free( a );
}
+ if ( SLAP_CONFIG( c->be ) && !c->be->be_acl ) {
+ Debug( LDAP_DEBUG_CONFIG, "config_generic (CFG_ACL): "
+ "Last explicit ACL for back-config removed. "
+ "Using hardcoded default\n", 0, 0, 0 );
+ c->be->be_acl = defacl_parsed;
+ }
break;
case CFG_OC: {
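Review bot: The fallback `c->be->be_acl = defacl_parsed;` does not check that `defacl_parsed` is non-NULL, yet elsewhere in this patch it is populated only in config_back_db_open and cleared again in config_back_db_close, so a delete outside that window leaves be_acl NULL while the log line claims the hardcoded default is in effect. A NULL be_acl on back-config means falling back to the global ACLs, which the comment in config_back_db_open says is exactly what this backend must avoid. Whether such a delete can actually occur is not visible here, so at minimum change the message path: `if ( defacl_parsed ) c->be->be_acl = defacl_parsed; else Debug( LDAP_DEBUG_ANY, "config_generic (CFG_ACL): no default ACL available\n", 0, 0, 0 );`. The enclosing function starts and ends outside the hunk.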
int i;
for (i=0, oc = cfn->c_oc_head; i<c->valx; i++) {
prev = oc;
- oc_next( &oc );
+ if ( !oc_next( &oc ))
+ break;
}
} else
/* If adding the first, and head exists, find its prev */
int i;
for (i=0, at = cfn->c_at_head; i<c->valx; i++) {
prev = at;
- at_next( &at );
+ if ( !at_next( &at ))
+ break;
}
} else
/* If adding the first, and head exists, find its prev */
int i;
for ( i = 0, syn = cfn->c_syn_head; i < c->valx; i++ ) {
prev = syn;
- syn_next( &syn );
+ if ( !syn_next( &syn ))
+ break;
}
} else
/* If adding the first, and head exists, find its prev */
break;
case CFG_ACL:
+ if ( SLAP_CONFIG( c->be ) && c->be->be_acl == defacl_parsed) {
+ c->be->be_acl = NULL;
+ }
/* Don't append to the global ACL if we're on a specific DB */
i = c->valx;
if ( c->valx == -1 ) {
i++;
}
if ( parse_acl(c->be, c->fname, c->lineno, c->argc, c->argv, i ) ) {
+ if ( SLAP_CONFIG( c->be ) && !c->be->be_acl) {
+ c->be->be_acl = defacl_parsed;
+ }
return 1;
}
break;
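Review bot: The restore after a failed parse_acl() at `if ( SLAP_CONFIG( c->be ) && !c->be->be_acl)` only reinstates the hardcoded default when the list is still empty, so if parse_acl() appended entries before failing (its partial-failure behaviour is not visible here), back-config is left with a partially parsed ACL rather than the default it had before the call. Record at the top of the case whether the default was swapped out (`int was_default = SLAP_CONFIG( c->be ) && c->be->be_acl == defacl_parsed;`) and on failure restore in that case regardless of what be_acl now holds, releasing any partial list first with the same acl_free() walk the delete path uses. A one-line comment at the new `c->be->be_acl = NULL;` saying that parse_acl() appends to be_acl and must not append to the shared default would also help the next reader. The enclosing switch runs beyond the hunk.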
return(0);
}
+static int
+config_extra_attrs(ConfigArgs *c)
+{
+ assert( c->be != NULL );
+
+ if ( c->op == SLAP_CONFIG_EMIT ) {
+ int i;
+
+ if ( c->be->be_extra_anlist == NULL ) {
+ return 1;
+ }
+
+ for ( i = 0; !BER_BVISNULL( &c->be->be_extra_anlist[i].an_name ); i++ ) {
+ value_add_one( &c->rvalue_vals, &c->be->be_extra_anlist[i].an_name );
+ }
+
+ } else if ( c->op == LDAP_MOD_DELETE ) {
+ if ( c->be->be_extra_anlist == NULL ) {
+ return 1;
+ }
+
+ if ( c->valx < 0 ) {
+ anlist_free( c->be->be_extra_anlist, 1, NULL );
+ c->be->be_extra_anlist = NULL;
+
+ } else {
+ int i;
+
+ for ( i = 0; i < c->valx && !BER_BVISNULL( &c->be->be_extra_anlist[i + 1].an_name ); i++ )
+ ;
+
+ if ( BER_BVISNULL( &c->be->be_extra_anlist[i].an_name ) ) {
+ return 1;
+ }
+
+ ch_free( c->be->be_extra_anlist[i].an_name.bv_val );
+
+ for ( ; !BER_BVISNULL( &c->be->be_extra_anlist[i].an_name ); i++ ) {
+ c->be->be_extra_anlist[i] = c->be->be_extra_anlist[i + 1];
+ }
+ }
+
+ } else {
+ c->be->be_extra_anlist = str2anlist( c->be->be_extra_anlist, c->argv[1], " ,\t" );
+ if ( c->be->be_extra_anlist == NULL ) {
+ return 1;
+ }
+ }
+
+ return 0;
+}
+
static slap_verbmasks *loglevel_ops;
static int
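Review bot: In the parse branch, `c->be->be_extra_anlist = str2anlist( c->be->be_extra_anlist, c->argv[1], " ,\t" );` returns 1 on failure without any diagnostic, so a rejected attribute name in extra_attrs surfaces only as a bare configuration error; log it before returning, e.g. `Debug( LDAP_DEBUG_ANY, "%s: extra_attrs: invalid attribute list \"%s\"\n", c->log, c->argv[1], 0 );`. Assigning str2anlist()'s result straight over the old pointer is only correct if str2anlist() releases the passed-in list when it fails — that behaviour is not visible here and deserves a one-line comment at the assignment, since otherwise the previous list leaks on error. The function also lacks a header comment; a short one stating that it dispatches on c->op (SLAP_CONFIG_EMIT, LDAP_MOD_DELETE, otherwise parse) and that a negative c->valx on delete drops the whole list would make the three branches readable at a glance.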
return rc;
}
+/* Insert all superior classes of the given class */
static int
count_oc( ObjectClass *oc, ConfigOCs ***copp, int *nocs )
{
ConfigOCs co, *cop;
ObjectClass **sups;
+ for ( sups = oc->soc_sups; sups && *sups; sups++ ) {
+ if ( count_oc( *sups, copp, nocs ) ) {
+ return -1;
+ }
+ }
+
co.co_name = &oc->soc_cname;
cop = avl_find( CfOcTree, &co, CfOc_cmp );
if ( cop ) {
}
}
- for ( sups = oc->soc_sups; sups && *sups; sups++ ) {
- if ( count_oc( *sups, copp, nocs ) ) {
- return -1;
- }
- }
-
return 0;
}
+/* Find all superior classes of the given objectclasses,
+ * return list in order of most-subordinate first.
+ *
+ * Special / auxiliary / Cft_Misc classes always take precedence.
+ */
static ConfigOCs **
count_ocs( Attribute *oc_at, int *nocs )
{
- int i;
+ int i, j, misc = -1;
ConfigOCs **colst = NULL;
*nocs = 0;
- for ( i = 0; !BER_BVISNULL( &oc_at->a_nvals[i] ); i++ )
- /* count attrs */ ;
-
- for ( ; i--; ) {
+ for ( i = oc_at->a_numvals; i--; ) {
ObjectClass *oc = oc_bvfind( &oc_at->a_nvals[i] );
assert( oc != NULL );
}
}
+ /* invert order */
+ i = 0;
+ j = *nocs - 1;
+ while ( i < j ) {
+ ConfigOCs *tmp = colst[i];
+ colst[i] = colst[j];
+ colst[j] = tmp;
+ if (tmp->co_type == Cft_Misc)
+ misc = j;
+ i++; j--;
+ }
+ /* Move misc class to front of list */
+ if (misc > 0) {
+ ConfigOCs *tmp = colst[misc];
+ for (i=misc; i>0; i--)
+ colst[i] = colst[i-1];
+ colst[0] = tmp;
+ }
+
return colst;
}
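Review bot: The Cft_Misc detection inside the inversion loop, `if (tmp->co_type == Cft_Misc) misc = j;`, only inspects the element moved from the low index to the high one, so a Cft_Misc entry that started in the upper half (and now sits at a low index) or the middle element of an odd-length list is never recorded, and the new header comment's "always take precedence" does not hold for it. A separate scan after the inversion is both simpler and complete: `for ( misc = -1, i = 0; i < *nocs; i++ ) if ( colst[i]->co_type == Cft_Misc ) { misc = i; break; }`. Either way only one class is promoted; if several Cft_Misc classes can be present, the comment should say which one wins. The body of count_ocs between the shown lines is outside the hunk.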
oc_at = attr_find( e->e_attrs, slap_schema.si_ad_objectClass );
if ( !oc_at ) return LDAP_OBJECT_CLASS_VIOLATION;
+ for (ml = op->orm_modlist; ml; ml=ml->sml_next) {
+ if (ml->sml_desc == slap_schema.si_ad_objectClass)
+ return rc;
+ }
+
colst = count_ocs( oc_at, &nocs );
/* make sure add/del flags are clear; should always be true */
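Review bot: The new loop refuses any modification touching objectClass with `return rc;`, but rc's value at this point is set outside the hunk, so whether this is a rejection or a silent no-op depends on an initializer the reader cannot see here. Return the intended result explicitly, `return LDAP_UNWILLING_TO_PERFORM;`, and state the reason above the loop: `/* objectClass drives the ConfigOCs list computed by count_ocs() below; refuse to change it */`. The enclosing function continues beyond the hunk.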
ct = config_find_table( colst, nocs, ml->sml_desc, ca );
switch (ml->sml_op) {
case LDAP_MOD_DELETE:
- case LDAP_MOD_REPLACE: {
+ case LDAP_MOD_REPLACE:
+ case SLAP_MOD_SOFTDEL:
+ {
BerVarray vals = NULL, nvals = NULL;
int *idx = NULL;
if ( ct && ( ct->arg_type & ARG_NO_DELETE )) {
ml->sml_values = vals;
ml->sml_nvalues = nvals;
}
+ if ( rc == LDAP_NO_SUCH_ATTRIBUTE && ml->sml_op == SLAP_MOD_SOFTDEL )
+ {
+ rc = LDAP_SUCCESS;
+ }
+ /* FIXME: check rc before fallthru? */
if ( !vals )
break;
- }
+ }
/* FALLTHRU: LDAP_MOD_REPLACE && vals */
+ case SLAP_MOD_ADD_IF_NOT_PRESENT:
+ if ( ml->sml_op == SLAP_MOD_ADD_IF_NOT_PRESENT
+ && attr_find( e->e_attrs, ml->sml_desc ) )
+ {
+ rc = LDAP_SUCCESS;
+ break;
+ }
+
case LDAP_MOD_ADD:
case SLAP_MOD_SOFTADD: {
int mop = ml->sml_op;
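Review bot: The new `case SLAP_MOD_ADD_IF_NOT_PRESENT:` arm ends at a blank line before `case LDAP_MOD_ADD:` with an unmarked fall-through, unlike the existing `/* FALLTHRU: LDAP_MOD_REPLACE && vals */` just above it; put `/* FALLTHRU: SLAP_MOD_ADD_IF_NOT_PRESENT && attribute absent */` in that blank line so -Wimplicit-fallthrough and readers see it is deliberate. The SOFTDEL arm's `rc = LDAP_SUCCESS;` sits directly above the inherited `/* FIXME: check rc before fallthru? */`, which this change leaves open: a failure other than LDAP_NO_SUCH_ATTRIBUTE still proceeds into the add path when vals is set. The switch runs beyond the hunk.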
/* FALLTHRU: LDAP_MOD_REPLACE && vals */
case LDAP_MOD_ADD:
+ if ( !a )
+ break;
for (i=0; ml->sml_values[i].bv_val; i++) {
ca->line = ml->sml_values[i].bv_val;
ca->valx = -1;
bv.bv_len );
c->value_dn.bv_len += bv.bv_len;
c->value_dn.bv_val[c->value_dn.bv_len] ='\0';
- rdn = c->value_dn;
+ rdnNormalize( 0, NULL, NULL, &c->value_dn, &rdn, NULL );
c->ca_private = cf;
e = config_build_entry( op, rs, ceparent, c, &rdn,
&CFOC_SCHEMA, NULL );
+ ch_free( rdn.bv_val );
if ( !e ) {
return -1;
} else if ( e && cf->c_kids ) {
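Review bot: The return value of `rdnNormalize( 0, NULL, NULL, &c->value_dn, &rdn, NULL );` is discarded, so if normalisation fails `rdn` is handed to config_build_entry() and then to `ch_free( rdn.bv_val )` holding whatever it contained before (its declaration is outside the hunk, so it may be uninitialised). value_dn is assembled above the hunk from an external string, which makes a failure path plausible rather than theoretical; check it the way the function already reports errors: `if ( rdnNormalize( 0, NULL, NULL, &c->value_dn, &rdn, NULL ) ) return -1;`. A comment at the new `ch_free( rdn.bv_val );` noting that rdnNormalize allocates the normalised value and config_build_entry() does not take ownership would explain why the free is needed here.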
slap_callback cb = { NULL, slap_null_cb, NULL, NULL };
SlapReply rs = {REP_RESULT};
void *thrctx = NULL;
+ AccessControl *save_access;
Debug( LDAP_DEBUG_TRACE, "config_back_db_open\n", 0, 0, 0);
/* If we have no explicitly configured ACLs, don't just use
* the global ACLs. Explicitly deny access to everything.
*/
- if ( !be->be_acl ) {
- parse_acl(be, "config_back_db_open", 0, 6, (char **)defacl, 0 );
+ save_access = be->bd_self->be_acl;
+ be->bd_self->be_acl = NULL;
+ parse_acl(be->bd_self, "config_back_db_open", 0, 6, (char **)defacl, 0 );
+ defacl_parsed = be->bd_self->be_acl;
+ if ( save_access ) {
+ be->bd_self->be_acl = save_access;
+ } else {
+ Debug( LDAP_DEBUG_CONFIG, "config_back_db_open: "
+ "No explicit ACL for back-config configured. "
+ "Using hardcoded default\n", 0, 0, 0 );
}
thrctx = ldap_pvt_thread_pool_context();
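Review bot: parse_acl()'s result at `parse_acl(be->bd_self, "config_back_db_open", 0, 6, (char **)defacl, 0 );` is ignored, so on failure `defacl_parsed` is NULL (or partial) and, in the `save_access == NULL` branch, be_acl stays NULL — which by the comment just above means cn=config silently falls back to the global ACLs, the one outcome this code exists to prevent. Check it and refuse to open the backend: `if ( parse_acl( be->bd_self, "config_back_db_open", 0, 6, (char **)defacl, 0 ) ) { Debug( LDAP_DEBUG_ANY, "config_back_db_open: cannot parse default ACL\n", 0, 0, 0 ); return -1; }`. The swap through `save_access` also deserves a comment saying the default is parsed into an empty list only so it can be kept aside in `defacl_parsed`, and that ownership then rests with be_acl when no explicit ACL exists and with config_back_db_close otherwise. The rest of config_back_db_open is outside the hunk.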
backend_shutdown( &cfb->cb_db );
}
+ if ( defacl_parsed && be->be_acl != defacl_parsed ) {
+ acl_free( defacl_parsed );
+ defacl_parsed = NULL;
+ }
+
return 0;
}
Operation *op = NULL;
void *thrctx;
int isFrontend = 0;
+ int isFrontendChild = 0;
/* Create entry for frontend database if it does not exist already */
if ( !entry_put_got_frontend ) {
return NOID;
}
} else {
+ if ( !strncmp( e->e_nname.bv_val +
+ STRLENOF( "olcDatabase" ), "=frontend",
+ STRLENOF( "=frontend" ) ) )
+ {
+ struct berval rdn, pdn, ndn;
+ dnParent( &e->e_nname, &pdn );
+ rdn.bv_val = ca.log;
+ rdn.bv_len = snprintf(rdn.bv_val, sizeof( ca.log ),
+ "%s=" SLAP_X_ORDERED_FMT "%s",
+ cfAd_database->ad_cname.bv_val, -1,
+ frontendDB->bd_info->bi_type );
+ build_new_dn( &ndn, &pdn, &rdn, NULL );
+ ber_memfree( e->e_name.bv_val );
+ e->e_name = ndn;
+ ber_bvreplace( &e->e_nname, &e->e_name );
+ }
entry_put_got_frontend++;
isFrontend = 1;
}
}
}
+
+ /* Child entries of the frontend database, e.g. slapo-chain's back-ldap
+ * instances, may appear before the config database entry in the ldif, skip
+ * auto-creation of olcDatabase={0}config in such a case */
+ if ( !entry_put_got_config &&
+ !strncmp( e->e_nname.bv_val, "olcDatabase", STRLENOF( "olcDatabase" ))) {
+ struct berval pdn;
+ dnParent( &e->e_nname, &pdn );
+ while ( pdn.bv_len ) {
+ if ( !strncmp( pdn.bv_val, "olcDatabase",
+ STRLENOF( "olcDatabase" ))) {
+ if ( !strncmp( pdn.bv_val +
+ STRLENOF( "olcDatabase" ), "={-1}frontend",
+ STRLENOF( "={-1}frontend" )) ||
+ !strncmp( pdn.bv_val +
+ STRLENOF( "olcDatabase" ), "=frontend",
+ STRLENOF( "=frontend" ))) {
+
+ isFrontendChild = 1;
+ break;
+ }
+ }
+ dnParent( &pdn, &pdn );
+ }
+ }
+
/* Create entry for config database if it does not exist already */
- if ( !entry_put_got_config && !isFrontend ) {
+ if ( !entry_put_got_config && !isFrontend && !isFrontendChild ) {
if ( !strncmp( e->e_nname.bv_val, "olcDatabase",
STRLENOF( "olcDatabase" ))) {
if ( strncmp( e->e_nname.bv_val +