#define ASCII_ALPHA(c) ( ASCII_LOWER(c) || ASCII_UPPER(c) )
#define ASCII_DIGIT(c) ( (c) >= '0' && (c) <= '9' )
#define ASCII_ALNUM(c) ( ASCII_ALPHA(c) || ASCII_DIGIT(c) )
-
#define ASCII_PRINTABLE(c) ( (c) >= ' ' && (c) <= '~' )
-#define FILTER_ESCAPE(c) ( (c) == '\\' || (c) == '(' || (c) == ')' || !ASCII_PRINTABLE(c) )
+
+#define SLAP_NIBBLE(c) ((c)&0x0f)
+#define SLAP_ESCAPE_CHAR ('\\')
+#define SLAP_ESCAPE_LO(c) ( "0123456789ABCDEF"[SLAP_NIBBLE(c)] )
+#define SLAP_ESCAPE_HI(c) ( SLAP_ESCAPE_LO((c)>>4) )
+
+#define FILTER_ESCAPE(c) ( (c) == '*' || (c) == '\\' \
+ || (c) == '(' || (c) == ')' || !ASCII_PRINTABLE(c) )
#define DN_SEPARATOR(c) ((c) == ',' || (c) == ';')
#define RDN_SEPARATOR(c) ((c) == ',' || (c) == ';' || (c) == '+')
/* must match in schema_init.c */
#define SLAPD_DN_SYNTAX "1.3.6.1.4.1.1466.115.121.1.12"
+#define SLAPD_NAMEUID_SYNTAX "1.3.6.1.4.1.1466.115.121.1.34"
#define SLAPD_GROUP_ATTR "member"
#define SLAPD_GROUP_CLASS "groupOfNames"
#define SLAPD_ROLE_ATTR "roleOccupant"
LDAP_SLAPD_F (int) slap_debug;
+typedef unsigned long slap_mask_t;
+
+/* Security Strength Factor */
+typedef unsigned slap_ssf_t;
+
+typedef struct slap_ssf_set {
+ slap_ssf_t sss_ssf;
+ slap_ssf_t sss_transport;
+ slap_ssf_t sss_tls;
+ slap_ssf_t sss_sasl;
+ slap_ssf_t sss_update_ssf;
+ slap_ssf_t sss_update_transport;
+ slap_ssf_t sss_update_tls;
+ slap_ssf_t sss_update_sasl;
+} slap_ssf_set_t;
+
/*
* Index types
*/
#define SLAP_INDEX_SUBSTR_INITIAL ( SLAP_INDEX_SUBSTR | 0x0100UL )
#define SLAP_INDEX_SUBSTR_ANY ( SLAP_INDEX_SUBSTR | 0x0200UL )
#define SLAP_INDEX_SUBSTR_FINAL ( SLAP_INDEX_SUBSTR | 0x0400UL )
-#define SLAP_INDEX_SUBSTR_DEFAULT ( SLAP_INDEX_SUBSTR \
- | SLAP_INDEX_SUBSTR_INITIAL | SLAP_INDEX_SUBSTR_FINAL )
+#define SLAP_INDEX_SUBSTR_DEFAULT \
+ ( SLAP_INDEX_SUBSTR \
+ | SLAP_INDEX_SUBSTR_INITIAL \
+ | SLAP_INDEX_SUBSTR_ANY \
+ | SLAP_INDEX_SUBSTR_FINAL )
#define SLAP_INDEX_SUBSTR_MINLEN 2
#define SLAP_INDEX_SUBSTR_MAXLEN 4
+#define SLAP_INDEX_SUBSTR_STEP 2
#define SLAP_INDEX_FLAGS 0xF000UL
#define SLAP_INDEX_SUBTYPES 0x1000UL /* use index with subtypes */
#define SLAP_INDEX_LANG 0x4000UL /* use index with lang subtypes */
#define SLAP_INDEX_AUTO_LANG 0x8000UL /* use mask with lang subtypes */
-typedef long slap_index;
-
/*
* there is a single index for each attribute. these prefixes ensure
* that there is no collision among keys.
#define slap_syntax_is_ber(s) slap_syntax_is_flag((s),SLAP_SYNTAX_BER)
#define slap_syntax_is_hidden(s) slap_syntax_is_flag((s),SLAP_SYNTAX_HIDE)
-/* XXX -> UCS-2 Converter */
+/* X -> Y Converter */
typedef int slap_mr_convert_func LDAP_P((
struct berval * in,
struct berval ** out ));
/* Normalizer */
typedef int slap_mr_normalize_func LDAP_P((
- unsigned use,
+ slap_mask_t use,
struct slap_syntax *syntax, /* NULL if in is asserted value */
struct slap_matching_rule *mr,
struct berval * in,
/* Match (compare) function */
typedef int slap_mr_match_func LDAP_P((
int *match,
- unsigned flags,
+ slap_mask_t use,
struct slap_syntax *syntax, /* syntax of stored value */
struct slap_matching_rule *mr,
struct berval * value,
/* Index generation function */
typedef int slap_mr_indexer_func LDAP_P((
- unsigned flags,
+ slap_mask_t use,
+ slap_mask_t mask,
struct slap_syntax *syntax, /* syntax of stored value */
struct slap_matching_rule *mr,
struct berval *prefix,
/* Filter index function */
typedef int slap_mr_filter_func LDAP_P((
- unsigned flags,
+ slap_mask_t use,
+ slap_mask_t mask,
struct slap_syntax *syntax, /* syntax of stored value */
struct slap_matching_rule *mr,
struct berval *prefix,
typedef struct slap_matching_rule {
LDAPMatchingRule smr_mrule;
- unsigned smr_usage;
+ slap_mask_t smr_usage;
#define SLAP_MR_TYPE_MASK 0xFF00U
#define SLAP_MR_SUBTYPE_MASK 0x00F0U
slap_mr_match_func *smr_match;
slap_mr_indexer_func *smr_indexer;
slap_mr_filter_func *smr_filter;
+
+ struct slap_matching_rule *smr_associated;
struct slap_matching_rule *smr_next;
+
#define smr_oid smr_mrule.mr_oid
#define smr_names smr_mrule.mr_names
#define smr_desc smr_mrule.mr_desc
} SubstringsAssertion;
typedef struct slap_mr_assertion {
- char *ma_rule; /* optional */
+ MatchingRule *ma_rule; /* optional */
+ char *ma_rule_text; /* optional */
AttributeDescription *ma_desc; /* optional */
int ma_dnattrs; /* boolean */
struct berval *ma_value; /* required */
#define f_sub_final f_un.f_un_ssa->sa_final
#define f_mra f_un.f_un_mra
#define f_mr_rule f_un.f_un_mra->ma_rule
+#define f_mr_rule_text f_un.f_un_mra->ma_rule_text
#define f_mr_desc f_un.f_un_mra->ma_desc
#define f_mr_value f_un.f_un_mra->ma_value
-#define f_mr_dnaddrs f_un.f_un_mra->ma_dnattrs
+#define f_mr_dnattrs f_un.f_un_mra->ma_dnattrs
/* and, or, not */
struct slap_filter *f_un_complex;
ACL_STYLE_EXACT = ACL_STYLE_BASE
} slap_style_t;
-typedef unsigned long slap_access_mask_t;
+typedef struct slap_authz_info {
+ ber_tag_t sai_method; /* LDAP_AUTH_* from <ldap.h> */
+ char * sai_mech; /* SASL Mechanism */
+ char * sai_dn; /* DN for reporting purposes */
+ char * sai_ndn; /* Normalized DN */
+
+ /* Security Strength Factors */
+ slap_ssf_t sai_ssf; /* Overall SSF */
+ slap_ssf_t sai_transport_ssf; /* Transport SSF */
+ slap_ssf_t sai_tls_ssf; /* TLS SSF */
+ slap_ssf_t sai_sasl_ssf; /* SASL SSF */
+} AuthorizationInformation;
/* the "by" part */
typedef struct slap_access {
#define ACL_LVL_ASSIGN_READ(m) ACL_PRIV_ASSIGN((m),ACL_LVL_READ)
#define ACL_LVL_ASSIGN_WRITE(m) ACL_PRIV_ASSIGN((m),ACL_LVL_WRITE)
- slap_access_mask_t a_mask;
+ slap_mask_t a_access_mask;
+
+ AuthorizationInformation a_authz;
+#define a_dn_pat a_authz.sai_dn
slap_style_t a_dn_style;
- char *a_dn_pat;
AttributeDescription *a_dn_at;
int a_dn_self;
#define be_sync bd_info->bi_tool_sync
#endif
+ slap_mask_t be_restrictops; /* restriction operations */
+#define SLAP_RESTRICT_OP_ADD 0x0001U
+#define SLAP_RESTRICT_OP_BIND 0x0002U
+#define SLAP_RESTRICT_OP_COMPARE 0x0004U
+#define SLAP_RESTRICT_OP_DELETE 0x0008U
+#define SLAP_RESTRICT_OP_EXTENDED 0x0010U
+#define SLAP_RESTRICT_OP_MODIFY 0x0020U
+#define SLAP_RESTRICT_OP_RENAME 0x0040U
+#define SLAP_RESTRICT_OP_SEARCH 0x0080U
+
+#define SLAP_RESTRICT_OP_READS \
+ ( SLAP_RESTRICT_OP_COMPARE \
+ | SLAP_RESTRICT_OP_SEARCH )
+#define SLAP_RESTRICT_OP_WRITES \
+ ( SLAP_RESTRICT_OP_ADD \
+ | SLAP_RESTRICT_OP_DELETE \
+ | SLAP_RESTRICT_OP_MODIFY \
+ | SLAP_RESTRICT_OP_RENAME )
+
+#define SLAP_ALLOW_TLS_2_ANON 0x0001U /* StartTLS -> Anonymous */
+
+#define SLAP_DISALLOW_BIND_V2 0x0001U /* LDAPv2 bind */
+#define SLAP_DISALLOW_BIND_ANON 0x0002U /* no anonymous */
+#define SLAP_DISALLOW_BIND_ANON_CRED \
+ 0x0004U /* cred should be empty */
+#define SLAP_DISALLOW_BIND_ANON_DN \
+ 0x0008U /* dn should be empty */
+
+#define SLAP_DISALLOW_BIND_SIMPLE 0x0010U /* simple authentication */
+#define SLAP_DISALLOW_BIND_KRBV4 0x0020U /* Kerberos V4 authentication */
+
+#define SLAP_DISALLOW_TLS_AUTHC 0x0100U /* TLS while authenticated */
+
+ slap_mask_t be_requires; /* pre-operation requirements */
+#define SLAP_REQUIRE_BIND 0x0001U /* bind before op */
+#define SLAP_REQUIRE_LDAP_V3 0x0002U /* LDAPv3 before op */
+#define SLAP_REQUIRE_AUTHC 0x0004U /* authentication before op */
+#define SLAP_REQUIRE_SASL 0x0008U /* SASL before op */
+#define SLAP_REQUIRE_STRONG 0x0010U /* strong authentication before op */
+
+ /* Required Security Strength Factor */
+ slap_ssf_set_t be_ssf_set;
+
/* these should be renamed from be_ to bd_ */
char **be_suffix; /* the DN suffixes of data in this backend */
char **be_nsuffix; /* the normalized DN suffixes in this backend */
char *be_root_dn; /* the magic "root" dn for this db */
char *be_root_ndn; /* the magic "root" normalized dn for this db */
struct berval be_root_pw; /* the magic "root" password for this db */
- int be_readonly; /* 1 => db is in "read only" mode */
unsigned int be_max_deref_depth; /* limit for depth of an alias deref */
int be_sizelimit; /* size limit for this backend */
int be_timelimit; /* time limit for this backend */
struct slap_op;
typedef int (*SLAP_EXTENDED_FN) LDAP_P((
- Backend *be,
- struct slap_conn *conn,
+ BackendDB *be,
+ struct slap_conn *conn,
struct slap_op *op,
const char *reqoid,
struct berval * reqdata,
SLAP_EXTENDED_FN bi_extended;
/* Auxilary Functions */
- int (*bi_entry_release_rw) LDAP_P((BackendDB *bd, Entry *e, int rw));
+ int (*bi_entry_release_rw) LDAP_P((BackendDB *bd,
+ struct slap_conn *c, struct slap_op *o,
+ Entry *e, int rw));
int (*bi_chk_referrals) LDAP_P((BackendDB *bd,
struct slap_conn *c, struct slap_op *o,
const char **text ));
int (*bi_acl_group) LDAP_P((Backend *bd,
+ struct slap_conn *c, struct slap_op *o,
Entry *e, const char *bdn, const char *edn,
ObjectClass *group_oc,
AttributeDescription *group_at ));
void *bi_private; /* anything the backend type needs */
};
-typedef struct slap_authz_info {
- unsigned sai_ssf; /* Security Strength Factor */
- ber_tag_t sai_method; /* LDAP_AUTH_* from <ldap.h> */
- char * sai_mech; /* SASL Mechanism */
- char * sai_dn; /* DN for reporting purposes */
- char * sai_ndn; /* Normalized DN */
-} AuthorizationInformation;
-
#define c_authtype c_authz.sai_method
#define c_authmech c_authz.sai_mech
#define c_dn c_authz.sai_dn
+#define c_ssf c_authz.sai_ssf
+#define c_transport_ssf c_authz.sai_transport_ssf
+#define c_tls_ssf c_authz.sai_tls_ssf
+#define c_sasl_ssf c_authz.sai_sasl_ssf
#define o_authtype o_authz.sai_method
#define o_authmech o_authz.sai_mech
#define o_dn o_authz.sai_dn
#define o_ndn o_authz.sai_ndn
+#define o_ssf o_authz.sai_ssf
+#define o_transport_ssf o_authz.sai_transport_ssf
+#define o_tls_ssf o_authz.sai_tls_ssf
+#define o_sasl_ssf o_authz.sai_sasl_ssf
/*
* represents an operation pending from an ldap client
unsigned long o_connid; /* id of conn initiating this op */
-#ifdef LDAP_CONNECTIONLESS
- int o_cldap; /* != 0 if this came in via CLDAP */
- struct sockaddr o_clientaddr; /* client address if via CLDAP */
- char o_searchbase; /* search base if via CLDAP */
-#endif
-
ldap_pvt_thread_mutex_t o_abandonmutex; /* protects o_abandon */
int o_abandon; /* abandon flag */
int c_is_tls; /* true if this LDAP over raw TLS */
int c_needs_tls_accept; /* true if SSL_accept should be called */
#endif
+ int c_sasl_layers; /* true if we need to install SASL i/o handlers */
void *c_sasl_context; /* SASL session context */
void *c_sasl_extra; /* SASL session extra stuff */
#define Statslog( level, fmt, connid, opid, arg1, arg2, arg3 )
#endif
+
+#define SASLREGEX_REPLACE 10
+#define SASL_AUTHZ_SOURCE_ATTR "saslAuthzTo"
+#define SASL_AUTHZ_DEST_ATTR "saslAuthzFrom"
+
+typedef struct sasl_regexp {
+ char *match; /* regexp match pattern */
+ char *replace; /* regexp replace pattern */
+ regex_t workspace; /* workspace for regexp engine */
+ regmatch_t strings[SASLREGEX_REPLACE]; /* strings matching $1,$2 ... */
+ int offset[SASLREGEX_REPLACE+2]; /* offsets of $1,$2... in *replace */
+} SaslRegexp_t;
+
+
LDAP_END_DECL
#include "proto-slap.h"
projects / openldap / blobdiff