#include <ac/ctype.h>
#include <ac/socket.h>
+#include "lutil.h"
#include "ldap_pvt.h"
#include "slap.h"
-#define MAXARGS 100
+#define MAXARGS 200
/*
* defaults for various global variables
int deftime = SLAPD_DEFAULT_TIMELIMIT;
AccessControl *global_acl = NULL;
slap_access_t global_default_access = ACL_READ;
-int global_readonly = 0;
+slap_mask_t global_restrictops = 0;
+slap_mask_t global_allows = 0;
+slap_mask_t global_disallows = 0;
+slap_mask_t global_requires = 0;
+slap_ssf_set_t global_ssf_set;
char *replogfile;
int global_lastmod = ON;
int global_idletimeout = 0;
+char *global_host = NULL;
char *global_realm = NULL;
char *ldap_srvtab = "";
char *default_passwd_hash;
+char *default_search_base = NULL;
+char *default_search_nbase = NULL;
char *slapd_pid_file = NULL;
char *slapd_args_file = NULL;
+int nSaslRegexp = 0;
+SaslRegexp_t *SaslRegexp = NULL;
+
static char *fp_getline(FILE *fp, int *lineno);
static void fp_getline_init(int *lineno);
static int fp_parse_line(char *line, int *argcp, char **argv);
static char *strtok_quote(char *line, char *sep);
+static int load_ucdata(char *path);
int
read_config( const char *fname )
cargv[1], 0, 0 );
return( 1 );
}
-
- /* start of a new database definition */
} else if ( strcasecmp( cargv[0], "database" ) == 0 ) {
if ( cargc < 2 ) {
Debug( LDAP_DEBUG_ANY,
ldap_pvt_thread_set_concurrency( c );
+ /* default search base */
+ } else if ( strcasecmp( cargv[0], "defaultSearchBase" ) == 0 ) {
+ if ( cargc < 2 ) {
+ Debug( LDAP_DEBUG_ANY, "%s: line %d: "
+ "missing dn in \"defaultSearchBase <dn>\" line\n",
+ fname, lineno, 0 );
+ return 1;
+
+ } else if ( cargc > 2 ) {
+ Debug( LDAP_DEBUG_ANY, "%s: line %d: "
+ "extra cruft after <dn> in \"defaultSearchBase %s\", "
+ "line (ignored)\n",
+ fname, lineno, cargv[1] );
+ }
+
+ if ( bi != NULL || be != NULL ) {
+ Debug( LDAP_DEBUG_ANY, "%s: line %d: "
+ "defaultSearchBaase line must appear prior to "
+ "any backend or database definition\n",
+ fname, lineno, 0 );
+ return 1;
+ }
+
+ if ( default_search_nbase != NULL ) {
+ Debug( LDAP_DEBUG_ANY, "%s: line %d: "
+ "default search base \"%s\" already defined "
+ "(discarding old)\n",
+ fname, lineno, default_search_base );
+ free( default_search_base );
+ free( default_search_nbase );
+ }
+
+ default_search_base = ch_strdup( cargv[1] );
+ default_search_nbase = ch_strdup( cargv[1] );
+
+ if ( load_ucdata( NULL ) < 0 ) {
+ return( 1 );
+ }
+ if( dn_normalize( default_search_nbase ) == NULL ) {
+ Debug( LDAP_DEBUG_ANY, "%s: line %d: "
+ "invalid default search base \"%s\"\n",
+ fname, lineno, default_search_base );
+ return 1;
+ }
+
/* set maximum threads in thread pool */
} else if ( strcasecmp( cargv[0], "threads" ) == 0 ) {
int c;
default_passwd_hash = ch_strdup( cargv[1] );
}
+ /* set SASL host */
+ } else if ( strcasecmp( cargv[0], "sasl-host" ) == 0 ) {
+ if ( cargc < 2 ) {
+ Debug( LDAP_DEBUG_ANY,
+ "%s: line %d: missing host in \"sasl-host <host>\" line\n",
+ fname, lineno, 0 );
+ return( 1 );
+ }
+
+ if ( global_host != NULL ) {
+ Debug( LDAP_DEBUG_ANY,
+ "%s: line %d: already set sasl-host!\n",
+ fname, lineno, 0 );
+ return 1;
+
+ } else {
+ global_host = ch_strdup( cargv[1] );
+ }
+
/* set SASL realm */
} else if ( strcasecmp( cargv[0], "sasl-realm" ) == 0 ) {
if ( cargc < 2 ) {
fname, lineno, 0 );
return( 1 );
}
- if ( be != NULL ) {
- be->be_realm = ch_strdup( cargv[1] );
- } else if ( global_realm != NULL ) {
+ if ( global_realm != NULL ) {
Debug( LDAP_DEBUG_ANY,
- "%s: line %d: already set global realm!\n",
+ "%s: line %d: already set sasl-realm!\n",
fname, lineno, 0 );
return 1;
global_realm = ch_strdup( cargv[1] );
}
+ } else if ( !strcasecmp( cargv[0], "sasl-regexp" )
+ || !strcasecmp( cargv[0], "saslregexp" ) )
+ {
+ int rc;
+ if ( cargc != 3 ) {
+ Debug( LDAP_DEBUG_ANY,
+ "%s: line %d: need 2 args in \"saslregexp <match> <replace>\"\n",
+ fname, lineno, 0 );
+ return( 1 );
+ }
+ rc = slap_sasl_regexp_config( cargv[1], cargv[2] );
+ if ( rc ) {
+ return rc;
+ }
+
/* SASL security properties */
} else if ( strcasecmp( cargv[0], "sasl-secprops" ) == 0 ) {
char *txt;
return 1;
}
+ /* set UCDATA path */
+ } else if ( strcasecmp( cargv[0], "ucdata-path" ) == 0 ) {
+ int err;
+ if ( cargc < 2 ) {
+ Debug( LDAP_DEBUG_ANY,
+ "%s: line %d: missing path in \"ucdata-path <path>\" line\n",
+ fname, lineno, 0 );
+ return( 1 );
+ }
+
+ err = load_ucdata( cargv[1] );
+ if ( err <= 0 ) {
+ if ( err == 0 ) {
+ Debug( LDAP_DEBUG_ANY,
+ "%s: line %d: ucdata already loaded, ucdata-path must be set earlier in the file and/or be specified only once!\n",
+ fname, lineno, 0 );
+ }
+ return( 1 );
+ }
+
/* set time limit */
} else if ( strcasecmp( cargv[0], "sizelimit" ) == 0 ) {
if ( cargc < 2 ) {
Debug( LDAP_DEBUG_ANY,
"%s: line %d: suffix line must appear inside a database definition (ignored)\n",
fname, lineno, 0 );
- } else if ( ( tmp_be = select_backend( cargv[1] ) ) == be ) {
+ } else if ( ( tmp_be = select_backend( cargv[1], 0 ) ) == be ) {
Debug( LDAP_DEBUG_ANY,
"%s: line %d: suffix already served by this backend (ignored)\n",
fname, lineno, 0 );
fname, lineno, tmp_be->be_suffix[0] );
} else {
char *dn = ch_strdup( cargv[1] );
- (void) dn_validate( dn );
+ if ( load_ucdata( NULL ) < 0 ) {
+ return( 1 );
+ }
+ if( dn_validate( dn ) == NULL ) {
+ Debug( LDAP_DEBUG_ANY, "%s: line %d: "
+ "suffix DN invalid \"%s\"\n",
+ fname, lineno, cargv[1] );
+ return 1;
+
+ } else if( *dn == '\0' && default_search_nbase != NULL ) {
+ Debug( LDAP_DEBUG_ANY, "%s: line %d: "
+ "suffix DN empty and default "
+ "search base provided \"%s\" (assuming okay)\n",
+ fname, lineno, default_search_base );
+ }
charray_add( &be->be_suffix, dn );
(void) ldap_pvt_str2upper( dn );
charray_add( &be->be_nsuffix, dn );
"%s: line %d: suffixAlias line"
" must appear inside a database definition (ignored)\n",
fname, lineno, 0 );
- } else if ( (tmp_be = select_backend( cargv[1] )) != NULL ) {
+ } else if ( (tmp_be = select_backend( cargv[1], 0 )) != NULL ) {
Debug( LDAP_DEBUG_ANY,
"%s: line %d: suffixAlias served by"
" a preceeding backend \"%s\" (ignored)\n",
fname, lineno, tmp_be->be_suffix[0] );
- } else if ( (tmp_be = select_backend( cargv[2] )) != NULL ) {
+ } else if ( (tmp_be = select_backend( cargv[2], 0 )) != NULL ) {
Debug( LDAP_DEBUG_ANY,
"%s: line %d: suffixAlias derefs to differnet backend"
" a preceeding backend \"%s\" (ignored)\n",
char *alias, *aliased_dn;
alias = ch_strdup( cargv[1] );
+ if ( load_ucdata( NULL ) < 0 ) {
+ return( 1 );
+ }
(void) dn_normalize( alias );
aliased_dn = ch_strdup( cargv[2] );
be->be_root_dn = ch_strdup( cargv[1] );
be->be_root_ndn = ch_strdup( cargv[1] );
+ if ( load_ucdata( NULL ) < 0 ) {
+ return( 1 );
+ }
if( dn_normalize( be->be_root_ndn ) == NULL ) {
free( be->be_root_dn );
free( be->be_root_ndn );
return( 1 );
}
if ( be == NULL ) {
- global_readonly = (strcasecmp( cargv[1], "on" ) == 0);
+ if ( strcasecmp( cargv[1], "on" ) == 0 ) {
+ global_restrictops |= SLAP_RESTRICT_OP_WRITES;
+ } else {
+ global_restrictops &= ~SLAP_RESTRICT_OP_WRITES;
+ }
} else {
if ( strcasecmp( cargv[1], "on" ) == 0 ) {
- be->be_readonly = 1;
+ be->be_restrictops |= SLAP_RESTRICT_OP_WRITES;
} else {
- be->be_readonly = 0;
+ be->be_restrictops &= ~SLAP_RESTRICT_OP_WRITES;
+ }
+ }
+
+
+ /* allow these features */
+ } else if ( strcasecmp( cargv[0], "allows" ) == 0 ||
+ strcasecmp( cargv[0], "allow" ) == 0 )
+ {
+ slap_mask_t allows;
+
+ if ( be != NULL ) {
+ Debug( LDAP_DEBUG_ANY,
+"%s: line %d: allow line must appear prior to database definitions\n",
+ fname, lineno, 0 );
+ }
+
+ if ( cargc < 2 ) {
+ Debug( LDAP_DEBUG_ANY,
+ "%s: line %d: missing feature(s) in \"allow <features>\" line\n",
+ fname, lineno, 0 );
+ return( 1 );
+ }
+
+ allows = 0;
+
+ for( i=1; i < cargc; i++ ) {
+ if( strcasecmp( cargv[i], "tls_2_anon" ) == 0 ) {
+ allows |= SLAP_ALLOW_TLS_2_ANON;
+
+ } else if( strcasecmp( cargv[i], "none" ) != 0 ) {
+ Debug( LDAP_DEBUG_ANY,
+ "%s: line %d: unknown feature %s in \"allow <features>\" line\n",
+ fname, lineno, cargv[i] );
+ return( 1 );
+ }
+ }
+
+ global_allows = allows;
+
+ /* disallow these features */
+ } else if ( strcasecmp( cargv[0], "disallows" ) == 0 ||
+ strcasecmp( cargv[0], "disallow" ) == 0 )
+ {
+ slap_mask_t disallows;
+
+ if ( be != NULL ) {
+ Debug( LDAP_DEBUG_ANY,
+"%s: line %d: disallow line must appear prior to database definitions\n",
+ fname, lineno, 0 );
+ }
+
+ if ( cargc < 2 ) {
+ Debug( LDAP_DEBUG_ANY,
+ "%s: line %d: missing feature(s) in \"disallow <features>\" line\n",
+ fname, lineno, 0 );
+ return( 1 );
+ }
+
+ disallows = 0;
+
+ for( i=1; i < cargc; i++ ) {
+ if( strcasecmp( cargv[i], "bind_v2" ) == 0 ) {
+ disallows |= SLAP_DISALLOW_BIND_V2;
+
+ } else if( strcasecmp( cargv[i], "bind_anon" ) == 0 ) {
+ disallows |= SLAP_DISALLOW_BIND_ANON;
+
+ } else if( strcasecmp( cargv[i], "bind_anon_cred" ) == 0 ) {
+ disallows |= SLAP_DISALLOW_BIND_ANON_CRED;
+
+ } else if( strcasecmp( cargv[i], "bind_anon_dn" ) == 0 ) {
+ disallows |= SLAP_DISALLOW_BIND_ANON_DN;
+
+ } else if( strcasecmp( cargv[i], "bind_simple" ) == 0 ) {
+ disallows |= SLAP_DISALLOW_BIND_SIMPLE;
+
+ } else if( strcasecmp( cargv[i], "bind_krbv4" ) == 0 ) {
+ disallows |= SLAP_DISALLOW_BIND_KRBV4;
+
+ } else if( strcasecmp( cargv[i], "tls_authc" ) == 0 ) {
+ disallows |= SLAP_DISALLOW_TLS_AUTHC;
+
+ } else if( strcasecmp( cargv[i], "none" ) != 0 ) {
+ Debug( LDAP_DEBUG_ANY,
+ "%s: line %d: unknown feature %s in \"disallow <features>\" line\n",
+ fname, lineno, cargv[i] );
+ return( 1 );
+ }
+ }
+
+ global_disallows = disallows;
+
+ /* require these features */
+ } else if ( strcasecmp( cargv[0], "requires" ) == 0 ||
+ strcasecmp( cargv[0], "require" ) == 0 )
+ {
+ slap_mask_t requires;
+
+ if ( cargc < 2 ) {
+ Debug( LDAP_DEBUG_ANY,
+ "%s: line %d: missing feature(s) in \"require <features>\" line\n",
+ fname, lineno, 0 );
+ return( 1 );
+ }
+
+ requires = 0;
+
+ for( i=1; i < cargc; i++ ) {
+ if( strcasecmp( cargv[i], "bind" ) == 0 ) {
+ requires |= SLAP_REQUIRE_BIND;
+
+ } else if( strcasecmp( cargv[i], "LDAPv3" ) == 0 ) {
+ requires |= SLAP_REQUIRE_LDAP_V3;
+
+ } else if( strcasecmp( cargv[i], "authc" ) == 0 ) {
+ requires |= SLAP_REQUIRE_AUTHC;
+
+ } else if( strcasecmp( cargv[i], "SASL" ) == 0 ) {
+ requires |= SLAP_REQUIRE_SASL;
+
+ } else if( strcasecmp( cargv[i], "strong" ) == 0 ) {
+ requires |= SLAP_REQUIRE_STRONG;
+
+ } else if( strcasecmp( cargv[i], "none" ) != 0 ) {
+ Debug( LDAP_DEBUG_ANY,
+ "%s: line %d: unknown feature %s in \"require <features>\" line\n",
+ fname, lineno, cargv[i] );
+ return( 1 );
}
}
+ if ( be == NULL ) {
+ global_requires = requires;
+ } else {
+ be->be_requires = requires;
+ }
+
+ /* required security factors */
+ } else if ( strcasecmp( cargv[0], "security" ) == 0 ) {
+ slap_ssf_set_t *set;
+
+ if ( cargc < 2 ) {
+ Debug( LDAP_DEBUG_ANY,
+ "%s: line %d: missing factor(s) in \"security <factors>\" line\n",
+ fname, lineno, 0 );
+ return( 1 );
+ }
+
+ if ( be == NULL ) {
+ set = &global_ssf_set;
+ } else {
+ set = &be->be_ssf_set;
+ }
+
+ for( i=1; i < cargc; i++ ) {
+ if( strncasecmp( cargv[i], "ssf=",
+ sizeof("ssf") ) == 0 )
+ {
+ set->sss_ssf =
+ atoi( &cargv[i][sizeof("ssf")] );
+
+ } else if( strncasecmp( cargv[i], "transport=",
+ sizeof("transport") ) == 0 )
+ {
+ set->sss_transport =
+ atoi( &cargv[i][sizeof("transport")] );
+
+ } else if( strncasecmp( cargv[i], "tls=",
+ sizeof("tls") ) == 0 )
+ {
+ set->sss_tls =
+ atoi( &cargv[i][sizeof("tls")] );
+
+ } else if( strncasecmp( cargv[i], "sasl=",
+ sizeof("sasl") ) == 0 )
+ {
+ set->sss_sasl =
+ atoi( &cargv[i][sizeof("sasl")] );
+
+ } else if( strncasecmp( cargv[i], "update_ssf=",
+ sizeof("update_ssf") ) == 0 )
+ {
+ set->sss_update_ssf =
+ atoi( &cargv[i][sizeof("update_ssf")] );
+
+ } else if( strncasecmp( cargv[i], "update_transport=",
+ sizeof("update_transport") ) == 0 )
+ {
+ set->sss_update_transport =
+ atoi( &cargv[i][sizeof("update_transport")] );
+
+ } else if( strncasecmp( cargv[i], "update_tls=",
+ sizeof("update_tls") ) == 0 )
+ {
+ set->sss_update_tls =
+ atoi( &cargv[i][sizeof("update_tls")] );
+
+ } else if( strncasecmp( cargv[i], "update_sasl=",
+ sizeof("update_sasl") ) == 0 )
+ {
+ set->sss_update_sasl =
+ atoi( &cargv[i][sizeof("update_sasl")] );
+
+ } else {
+ Debug( LDAP_DEBUG_ANY,
+ "%s: line %d: unknown factor %s in \"security <factors>\" line\n",
+ fname, lineno, cargv[i] );
+ return( 1 );
+ }
+ }
/* where to send clients when we don't hold it */
} else if ( strcasecmp( cargv[0], "referral" ) == 0 ) {
if ( cargc < 2 ) {
vals[0]->bv_len = strlen( vals[0]->bv_val );
value_add( &default_referral, vals );
+#ifdef NEW_LOGGING
+ } else if ( strcasecmp( cargv[0], "logfile" ) == 0 ) {
+ FILE *logfile;
+ if ( cargc < 2 ) {
+ Debug( LDAP_DEBUG_ANY,
+ "%s: line %d: Error in logfile directive, \"logfile filename\"\n",
+ fname, lineno, 0 );
+ return( 1 );
+ }
+ logfile = fopen( cargv[1], "w" );
+ if ( logfile != NULL ) lutil_debug_file( logfile );
+
+#endif
+ /* start of a new database definition */
+ } else if ( strcasecmp( cargv[0], "debug" ) == 0 ) {
+ int level;
+ if ( cargc < 3 ) {
+ Debug( LDAP_DEBUG_ANY,
+ "%s: line %d: Error in debug directive, \"debug subsys level\"\n",
+ fname, lineno, 0 );
+ return( 1 );
+ }
+ level = atoi( cargv[2] );
+ if ( level <= 0 ) level = lutil_mnem2level( cargv[2] );
+ lutil_set_debug_level( cargv[1], level );
/* specify an Object Identifier macro */
} else if ( strcasecmp( cargv[0], "objectidentifier" ) == 0 ) {
parse_oidm( fname, lineno, cargc, cargv );
} else if ( strcasecmp( cargv[0], "access" ) == 0 ) {
parse_acl( be, fname, lineno, cargc, cargv );
- /* specify default access control info */
- } else if ( strcasecmp( cargv[0], "defaultaccess" ) == 0 ) {
- slap_access_t access;
-
- if ( cargc < 2 ) {
- Debug( LDAP_DEBUG_ANY,
- "%s: line %d: missing limit in \"defaultaccess <access>\" line\n",
- fname, lineno, 0 );
- return( 1 );
- }
-
- access = str2access( cargv[1] );
-
- if ( access == ACL_INVALID_ACCESS ) {
- Debug( LDAP_DEBUG_ANY,
- "%s: line %d: bad access level \"%s\", "
- "expecting none|auth|compare|search|read|write\n",
- fname, lineno, cargv[1] );
- return( 1 );
- }
-
- if ( be == NULL ) {
- global_default_access = access;
- } else {
- be->be_dfltaccess = access;
- }
-
/* debug level to log things to syslog */
} else if ( strcasecmp( cargv[0], "loglevel" ) == 0 ) {
if ( cargc < 2 ) {
fname, lineno, 0 );
return( 1 );
}
- ldap_syslog = atoi( cargv[1] );
+
+ ldap_syslog = 0;
+
+ for( i=1; i < cargc; i++ ) {
+ ldap_syslog += atoi( cargv[1] );
+ }
/* list of replicas of the data in this backend (master only) */
} else if ( strcasecmp( cargv[0], "replica" ) == 0 ) {
fname, lineno, 0 );
} else {
be->be_update_ndn = ch_strdup( cargv[1] );
+ if ( load_ucdata( NULL ) < 0 ) {
+ return( 1 );
+ }
if( dn_normalize( be->be_update_ndn ) == NULL ) {
Debug( LDAP_DEBUG_ANY,
"%s: line %d: updatedn DN is invalid\n",
if ( rc )
return rc;
} else if ( !strcasecmp( cargv[0], "TLSVerifyClient" ) ) {
+ i = atoi(cargv[1]);
rc = ldap_pvt_tls_set_option( NULL,
LDAP_OPT_X_TLS_REQUIRE_CERT,
- cargv[1] );
+ &i );
if ( rc )
return rc;
free( saveline );
}
fclose( fp );
+ if ( load_ucdata( NULL ) < 0 ) {
+ return( 1 );
+ }
return( 0 );
}
*lineno = -1;
buf[0] = '\0';
}
+
+/* Loads ucdata, returns 1 if loading, 0 if already loaded, -1 on error */
+static int
+load_ucdata( char *path )
+{
+ static int loaded = 0;
+ int err;
+
+ if ( loaded ) {
+ return( 0 );
+ }
+ err = ucdata_load( path ? path : SLAPD_DEFAULT_UCDATA,
+ UCDATA_CASE|UCDATA_CTYPE|UCDATA_NUM );
+ if ( err ) {
+ Debug( LDAP_DEBUG_ANY, "error loading ucdata (error %d)\n",
+ err, 0, 0 );
+ return( -1 );
+ }
+ loaded = 1;
+ return( 1 );
+}