int
entry_schema_check(
- Entry *e, Attribute *oldattrs,
+ Backend *be,
+ Entry *e,
+ Attribute *oldattrs,
const char** text,
char *textbuf, size_t textlen )
{
Attribute *a, *asc, *aoc;
ObjectClass *sc, *oc;
+#ifdef SLAP_EXTENDED_SCHEMA
+ AttributeType *at;
+ ContentRule *cr;
+#endif
int rc, i;
struct berval nsc;
AttributeDescription *ad_structuralObjectClass
AttributeDescription *ad_objectClass
= slap_schema.si_ad_objectClass;
int extensible = 0;
+ int subentry = is_entry_subentry( e );
+ int collectiveSubentry = 0;
+
+ if( subentry ) {
+ collectiveSubentry = is_entry_collectiveAttributeSubentry( e );
+ }
*text = textbuf;
- /* check single-valued attrs for multiple values */
+ /* misc attribute checks */
for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
+ const char *type = a->a_desc->ad_cname.bv_val;
+
/* there should be at least one value */
assert( a->a_vals );
assert( a->a_vals[0].bv_val != NULL );
+ if( a->a_desc->ad_type->sat_check ) {
+ int rc = (a->a_desc->ad_type->sat_check)(
+ be, e, a, text, textbuf, textlen );
+ if( rc != LDAP_SUCCESS ) {
+ return rc;
+ }
+ }
+
+ if( !collectiveSubentry && is_at_collective( a->a_desc->ad_type ) ) {
+ snprintf( textbuf, textlen,
+ "'%s' can only appear in collectiveAttributeSubentry",
+ type );
+ return LDAP_OBJECT_CLASS_VIOLATION;
+ }
+
/* if single value type, check for multiple values */
if( is_at_single_value( a->a_desc->ad_type ) &&
a->a_vals[1].bv_val != NULL )
{
- char *type = a->a_desc->ad_cname.bv_val;
-
snprintf( textbuf, textlen,
"attribute '%s' cannot have multiple values",
type );
#ifdef NEW_LOGGING
- LDAP_LOG(( "schema", LDAP_LEVEL_INFO,
- "entry_schema_check: dn=\"%s\" %s\n",
- e->e_dn, textbuf ));
+ LDAP_LOG( OPERATION, INFO,
+ "entry_schema_check: dn=\"%s\" %s\n", e->e_dn, textbuf, 0 );
#else
Debug( LDAP_DEBUG_ANY,
"Entry (%s), %s\n",
/* it's a REALLY bad idea to disable schema checks */
if( !global_schemacheck ) return LDAP_SUCCESS;
- /* find the object class attribute - could error out here */
+ /* find the structural object class attribute */
asc = attr_find( e->e_attrs, ad_structuralObjectClass );
if ( asc == NULL ) {
#ifdef NEW_LOGGING
- LDAP_LOG(( "schema", LDAP_LEVEL_INFO, "entry_schema_check: "
- "No structuralObjectClass for entry (%s)\n",
- e->e_dn ));
+ LDAP_LOG( OPERATION, INFO,
+ "entry_schema_check: No structuralObjectClass for entry (%s)\n",
+ e->e_dn, 0, 0 );
#else
Debug( LDAP_DEBUG_ANY,
"No structuralObjectClass for entry (%s)\n",
#endif
*text = "no structuralObjectClass operational attribute";
- return LDAP_OBJECT_CLASS_VIOLATION;
+ return LDAP_OTHER;
}
assert( asc->a_vals != NULL );
asc->a_vals[0].bv_val );
#ifdef NEW_LOGGING
- LDAP_LOG(( "schema", LDAP_LEVEL_INFO,
- "entry_schema_check: dn (%s), %s\n",
- e->e_dn, textbuf ));
+ LDAP_LOG( OPERATION, INFO,
+ "entry_schema_check: dn (%s), %s\n", e->e_dn, textbuf, 0 );
#else
Debug( LDAP_DEBUG_ANY,
"entry_check_schema(%s): %s\n",
asc->a_vals[0].bv_val );
#ifdef NEW_LOGGING
- LDAP_LOG(( "schema", LDAP_LEVEL_INFO,
- "entry_schema_check: dn (%s), %s\n",
- e->e_dn, textbuf ));
+ LDAP_LOG( OPERATION, INFO,
+ "entry_schema_check: dn (%s), %s\n", e->e_dn, textbuf, 0 );
+#else
+ Debug( LDAP_DEBUG_ANY,
+ "entry_check_schema(%s): %s\n",
+ e->e_dn, textbuf, 0 );
+#endif
+
+ return LDAP_OTHER;
+ }
+
+ if( sc->soc_obsolete ) {
+ snprintf( textbuf, textlen,
+ "structuralObjectClass '%s' is OBSOLETE",
+ asc->a_vals[0].bv_val );
+
+#ifdef NEW_LOGGING
+ LDAP_LOG( OPERATION, INFO,
+ "entry_schema_check: dn (%s), %s\n", e->e_dn, textbuf, 0 );
#else
Debug( LDAP_DEBUG_ANY,
"entry_check_schema(%s): %s\n",
aoc = attr_find( e->e_attrs, ad_objectClass );
if ( aoc == NULL ) {
#ifdef NEW_LOGGING
- LDAP_LOG(( "schema", LDAP_LEVEL_INFO,
- "entry_schema_check: No objectClass for entry (%s).\n"
- e->e_dn ));
+ LDAP_LOG( OPERATION, INFO,
+ "entry_schema_check: No objectClass for entry (%s).\n",
+ e->e_dn, 0, 0 );
#else
Debug( LDAP_DEBUG_ANY, "No objectClass for entry (%s)\n",
e->e_dn, 0, 0 );
rc = structural_class( aoc->a_vals, &nsc, &oc, text, textbuf, textlen );
if( rc != LDAP_SUCCESS ) {
return rc;
- } else if ( nsc.bv_len == 0 ) {
- return LDAP_OBJECT_CLASS_VIOLATION;
}
*text = textbuf;
} else if ( sc != oc ) {
snprintf( textbuf, textlen,
- "structuralObjectClass modification from '%s' to '%s' not allowed",
+ "structural object class modification from '%s' to '%s' not allowed",
asc->a_vals[0].bv_val, nsc.bv_val );
return LDAP_NO_OBJECT_CLASS_MODS;
}
+#ifdef SLAP_EXTENDED_SCHEMA
+ /* find the content rule for the structural class */
+ cr = cr_find( sc->soc_oid );
+
+ /* the cr must be same as the structural class */
+ assert( !cr || !strcmp( cr->scr_oid, sc->soc_oid ) );
+
+ /* check that the entry has required attrs of the content rule */
+ if( cr ) {
+ if( cr->scr_obsolete ) {
+ snprintf( textbuf, textlen,
+ "content rule '%s' is obsolete",
+ ldap_contentrule2name( &cr->scr_crule ));
+
+#ifdef NEW_LOGGING
+ LDAP_LOG( OPERATION, INFO,
+ "entry_schema_check: dn=\"%s\" %s", e->e_dn, textbuf, 0 );
+#else
+ Debug( LDAP_DEBUG_ANY,
+ "Entry (%s): %s\n",
+ e->e_dn, textbuf, 0 );
+#endif
+
+ return LDAP_OBJECT_CLASS_VIOLATION;
+ }
+
+ if( cr->scr_required ) for( i=0; cr->scr_required[i]; i++ ) {
+ at = cr->scr_required[i];
+
+ for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
+ if( a->a_desc->ad_type == at ) {
+ break;
+ }
+ }
+
+ /* not there => schema violation */
+ if ( a == NULL ) {
+ snprintf( textbuf, textlen,
+ "content rule '%s' requires attribute '%s'",
+ ldap_contentrule2name( &cr->scr_crule ),
+ at->sat_cname.bv_val );
+
+#ifdef NEW_LOGGING
+ LDAP_LOG( OPERATION, INFO,
+ "entry_schema_check: dn=\"%s\" %s", e->e_dn, textbuf, 0 );
+#else
+ Debug( LDAP_DEBUG_ANY,
+ "Entry (%s): %s\n",
+ e->e_dn, textbuf, 0 );
+#endif
+
+ return LDAP_OBJECT_CLASS_VIOLATION;
+ }
+ }
+
+ if( cr->scr_precluded ) for( i=0; cr->scr_precluded[i]; i++ ) {
+ at = cr->scr_precluded[i];
+
+ for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
+ if( a->a_desc->ad_type == at ) {
+ break;
+ }
+ }
+
+ /* there => schema violation */
+ if ( a != NULL ) {
+ snprintf( textbuf, textlen,
+ "content rule '%s' precluded attribute '%s'",
+ ldap_contentrule2name( &cr->scr_crule ),
+ at->sat_cname.bv_val );
+
+#ifdef NEW_LOGGING
+ LDAP_LOG( OPERATION, INFO,
+ "entry_schema_check: dn=\"%s\" %s", e->e_dn, textbuf, 0 );
+#else
+ Debug( LDAP_DEBUG_ANY,
+ "Entry (%s): %s\n",
+ e->e_dn, textbuf, 0 );
+#endif
+
+ return LDAP_OBJECT_CLASS_VIOLATION;
+ }
+ }
+ }
+#endif /* SLAP_EXTENDED_SCHEMA */
+
/* check that the entry has required attrs for each oc */
for ( i = 0; aoc->a_vals[i].bv_val != NULL; i++ ) {
if ( (oc = oc_bvfind( &aoc->a_vals[i] )) == NULL ) {
aoc->a_vals[i].bv_val );
#ifdef NEW_LOGGING
- LDAP_LOG(( "schema", LDAP_LEVEL_INFO,
- "entry_schema_check: dn (%s), %s\n",
- e->e_dn, textbuf ));
+ LDAP_LOG( OPERATION, INFO,
+ "entry_schema_check: dn (%s), %s\n", e->e_dn, textbuf, 0 );
+#else
+ Debug( LDAP_DEBUG_ANY,
+ "entry_check_schema(%s): %s\n",
+ e->e_dn, textbuf, 0 );
+#endif
+
+ return LDAP_OBJECT_CLASS_VIOLATION;
+ }
+
+ if ( oc->soc_obsolete ) {
+ /* disallow obsolete classes */
+ snprintf( textbuf, textlen,
+ "objectClass '%s' is OBSOLETE",
+ aoc->a_vals[i].bv_val );
+
+#ifdef NEW_LOGGING
+ LDAP_LOG( OPERATION, INFO,
+ "entry_schema_check: dn (%s), %s\n", e->e_dn, textbuf, 0 );
#else
Debug( LDAP_DEBUG_ANY,
"entry_check_schema(%s): %s\n",
#endif
return LDAP_OBJECT_CLASS_VIOLATION;
+ }
+
+ if ( oc->soc_check ) {
+ int rc = (oc->soc_check)( be, e, oc,
+ text, textbuf, textlen );
+ if( rc != LDAP_SUCCESS ) {
+ return rc;
+ }
+ }
- } else if ( oc->soc_kind == LDAP_SCHEMA_ABSTRACT ) {
+ if ( oc->soc_kind == LDAP_SCHEMA_ABSTRACT ) {
/* object class is abstract */
if ( oc != slap_schema.si_oc_top &&
!is_object_subclass( oc, sc ))
aoc->a_vals[i].bv_val );
#ifdef NEW_LOGGING
- LDAP_LOG(( "schema", LDAP_LEVEL_INFO,
+ LDAP_LOG( OPERATION, INFO,
"entry_schema_check: dn (%s), %s\n",
- e->e_dn, textbuf ));
+ e->e_dn, textbuf, 0 );
#else
Debug( LDAP_DEBUG_ANY,
"entry_check_schema(%s): %s\n",
if ( xc->soc_kind == LDAP_SCHEMA_AUXILIARY &&
is_object_subclass( oc, xc ) )
{
- break;;
+ xc = NULL;
+ break;
}
-
- xc = NULL;
}
}
aoc->a_vals[i].bv_val );
#ifdef NEW_LOGGING
- LDAP_LOG(( "schema", LDAP_LEVEL_INFO,
- "entry_schema_check: dn (%s), %s\n",
- e->e_dn, textbuf ));
+ LDAP_LOG( OPERATION, INFO,
+ "entry_schema_check: dn (%s), %s\n",
+ e->e_dn, textbuf, 0 );
#else
Debug( LDAP_DEBUG_ANY,
"entry_check_schema(%s): %s\n",
}
} else if ( oc->soc_kind != LDAP_SCHEMA_STRUCTURAL || oc == sc ) {
- char *s = oc_check_required( e, oc, &aoc->a_vals[i] );
+ char *s;
+
+#ifdef SLAP_EXTENDED_SCHEMA
+ if( oc->soc_kind == LDAP_SCHEMA_AUXILIARY ) {
+ int k=0;
+ if( cr ) {
+ if( cr->scr_auxiliaries ) {
+ for( ; cr->scr_auxiliaries[k]; k++ ) {
+ if( cr->scr_auxiliaries[k] == oc ) {
+ k=-1;
+ break;
+ }
+ }
+ }
+ } else if ( global_disallows & SLAP_DISALLOW_AUX_WO_CR ) {
+ k=-1;
+ }
+
+ if( k == -1 ) {
+ snprintf( textbuf, textlen,
+ "content rule '%s' does not allow class '%s'",
+ ldap_contentrule2name( &cr->scr_crule ),
+ oc->soc_cname.bv_val );
+#ifdef NEW_LOGGING
+ LDAP_LOG( OPERATION, INFO,
+ "entry_schema_check: dn=\"%s\" %s",
+ e->e_dn, textbuf, 0 );
+#else
+ Debug( LDAP_DEBUG_ANY,
+ "Entry (%s): %s\n",
+ e->e_dn, textbuf, 0 );
+#endif
+
+ return LDAP_OBJECT_CLASS_VIOLATION;
+ }
+ }
+#endif /* SLAP_EXTENDED_SCHEMA */
+
+ s = oc_check_required( e, oc, &aoc->a_vals[i] );
if (s != NULL) {
snprintf( textbuf, textlen,
"object class '%s' requires attribute '%s'",
aoc->a_vals[i].bv_val, s );
#ifdef NEW_LOGGING
- LDAP_LOG(( "schema", LDAP_LEVEL_INFO,
- "entry_schema_check: dn=\"%s\" %s",
- e->e_dn, textbuf ));
+ LDAP_LOG( OPERATION, INFO,
+ "entry_schema_check: dn=\"%s\" %s", e->e_dn, textbuf, 0 );
#else
Debug( LDAP_DEBUG_ANY,
"Entry (%s): %s\n",
/* check that each attr in the entry is allowed by some oc */
for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
- int ret = oc_check_allowed( a->a_desc->ad_type, aoc->a_vals, sc );
+ int ret;
+
+#ifdef SLAP_EXTENDED_SCHEMA
+ ret = LDAP_OBJECT_CLASS_VIOLATION;
+
+ if( cr && cr->scr_required ) {
+ for( i=0; cr->scr_required[i]; i++ ) {
+ if( cr->scr_required[i] == a->a_desc->ad_type ) {
+ ret = LDAP_SUCCESS;
+ break;
+ }
+ }
+ }
+
+ if( ret != LDAP_SUCCESS && cr && cr->scr_allowed ) {
+ for( i=0; cr->scr_allowed[i]; i++ ) {
+ if( cr->scr_allowed[i] == a->a_desc->ad_type ) {
+ ret = LDAP_SUCCESS;
+ break;
+ }
+ }
+ }
+
+ if( ret != LDAP_SUCCESS )
+#endif /* SLAP_EXTENDED_SCHEMA */
+ {
+ ret = oc_check_allowed( a->a_desc->ad_type, aoc->a_vals, sc );
+ }
+
if ( ret != LDAP_SUCCESS ) {
char *type = a->a_desc->ad_cname.bv_val;
type );
#ifdef NEW_LOGGING
- LDAP_LOG(( "schema", LDAP_LEVEL_INFO,
- "entry_schema_check: dn=\"%s\" %s\n",
- e->e_dn, textbuf ));
+ LDAP_LOG( OPERATION, INFO,
+ "entry_schema_check: dn=\"%s\" %s\n", e->e_dn, textbuf, 0);
#else
Debug( LDAP_DEBUG_ANY,
"Entry (%s), %s\n",
Attribute *a;
#ifdef NEW_LOGGING
- LDAP_LOG(( "schema", LDAP_LEVEL_ENTRY,
- "oc_check_required: dn (%s), objectClass \"%s\"\n",
- e->e_dn, ocname->bv_val ));
+ LDAP_LOG( OPERATION, ENTRY,
+ "oc_check_required: dn (%s), objectClass \"%s\"\n",
+ e->e_dn, ocname->bv_val, 0 );
#else
Debug( LDAP_DEBUG_TRACE,
"oc_check_required entry (%s), objectClass \"%s\"\n",
int oc_check_allowed(
AttributeType *at,
- BVarray ocl,
+ BerVarray ocl,
ObjectClass *sc )
{
int i, j;
#ifdef NEW_LOGGING
- LDAP_LOG(( "schema", LDAP_LEVEL_ENTRY,
- "oc_check_allowed: type \"%s\"\n", at->sat_cname.bv_val ));
+ LDAP_LOG( OPERATION, ENTRY,
+ "oc_check_allowed: type \"%s\"\n", at->sat_cname.bv_val, 0, 0 );
#else
Debug( LDAP_DEBUG_TRACE,
"oc_check_allowed type \"%s\"\n",
* Determine the structural object class from a set of OIDs
*/
int structural_class(
- BVarray ocs,
+ BerVarray ocs,
struct berval *scbv,
ObjectClass **scp,
const char **text,
if( oc == NULL ) {
snprintf( textbuf, textlen,
- "unrecongized objectClass '%s'",
+ "unrecognized objectClass '%s'",
ocs[i].bv_val );
*text = textbuf;
return LDAP_OBJECT_CLASS_VIOLATION;
if( xc == NULL ) {
snprintf( textbuf, textlen,
- "unrecongized objectClass '%s'",
+ "unrecognized objectClass '%s'",
ocs[i].bv_val );
*text = textbuf;
return LDAP_OBJECT_CLASS_VIOLATION;
}
}
- if( scp )
+ if( scp ) {
*scp = sc;
+ }
if( sc == NULL ) {
- *text = "no structural object classes provided";
+ *text = "no structural object class provided";
+ return LDAP_OBJECT_CLASS_VIOLATION;
+ }
+
+ if( scn < 0 ) {
+ *text = "invalid structural object class";
return LDAP_OBJECT_CLASS_VIOLATION;
}
*scbv = ocs[scn];
+
+ if( scbv->bv_len == 0 ) {
+ *text = "invalid structural object class";
+ return LDAP_OBJECT_CLASS_VIOLATION;
+ }
+
return LDAP_SUCCESS;
}