LDAP_BEGIN_DECL
+
#ifdef LDAP_DEVEL
#define SLAP_ACL_HONOR_DISCLOSE /* partially implemented */
+#define SLAP_ACL_HONOR_MANAGE /* not yet implemented */
#define SLAP_DYNACL
-#define LDAP_COMP_MATCH /* experimental */
+#define SLAP_OVERLAY_ACCESS
+#define LDAP_COMP_MATCH
#define LDAP_DYNAMIC_OBJECTS
#define LDAP_SYNC_TIMESTAMP
#define LDAP_COLLECTIVE_ATTRIBUTES
#define SLAP_CONTROL_X_TREE_DELETE LDAP_CONTROL_X_TREE_DELETE
+#define SLAPD_CONF_UNKNOWN_BAILOUT
+
+#ifdef ENABLE_REWRITE
+#define SLAP_AUTH_REWRITE 1 /* use librewrite for sasl-regexp */
+#endif
#endif
-#if defined(LDAP_DEVEL) && defined(ENABLE_REWRITE)
-/* use librewrite for sasl-regexp */
-#define SLAP_AUTH_REWRITE 1
-#endif /* LDAP_DEVEL && ENABLE_REWRITE */
+#if defined(LDAP_SLAPI) && !defined(SLAP_OVERLAY_ACCESS)
+#define SLAP_OVERLAY_ACCESS
+#endif
+
+/*
+ * ITS#3705: bail out if unknown config directives appear in slapd.conf
+ */
+#ifdef SLAPD_CONF_UNKNOWN_BAILOUT
+#define SLAPD_CONF_UNKNOWN_IGNORED ""
+#define SLAPD_DEBUG_CONFIG_ERROR LDAP_DEBUG_ANY
+#else /* ! SLAPD_CONF_UNKNOWN_BAILOUT */
+#define SLAPD_CONF_UNKNOWN_IGNORED " (ignored)"
+#define SLAPD_DEBUG_CONFIG_ERROR LDAP_DEBUG_CONFIG
+#endif /* ! SLAPD_CONF_UNKNOWN_BAILOUT */
/*
* SLAPD Memory allocation macros
#endif
#define SERVICE_NAME OPENLDAP_PACKAGE "-slapd"
-#define SLAPD_ANONYMOUS "cn=anonymous"
+#define SLAPD_ANONYMOUS ""
/* LDAPMod.mod_op value ===> Must be kept in sync with ldap.h!
* This is a value used internally by the backends. It is needed to allow
#ifdef SLAPD_ACI_ENABLED
#define SLAPD_ACI_SYNTAX "1.3.6.1.4.1.4203.666.2.1"
-#endif
+#endif /* SLAPD_ACI_ENABLED */
/* change this to "OpenLDAPset" */
#define SLAPD_ACI_SET_ATTR "template"
/*
* represents schema information for a database
*/
-#define SLAP_SCHERR_OUTOFMEM 1
-#define SLAP_SCHERR_CLASS_NOT_FOUND 2
-#define SLAP_SCHERR_CLASS_BAD_USAGE 3
-#define SLAP_SCHERR_CLASS_BAD_SUP 4
-#define SLAP_SCHERR_CLASS_DUP 5
-#define SLAP_SCHERR_ATTR_NOT_FOUND 6
-#define SLAP_SCHERR_ATTR_BAD_MR 7
-#define SLAP_SCHERR_ATTR_BAD_USAGE 8
-#define SLAP_SCHERR_ATTR_BAD_SUP 9
-#define SLAP_SCHERR_ATTR_INCOMPLETE 10
-#define SLAP_SCHERR_ATTR_DUP 11
-#define SLAP_SCHERR_MR_NOT_FOUND 12
-#define SLAP_SCHERR_MR_INCOMPLETE 13
-#define SLAP_SCHERR_MR_DUP 14
-#define SLAP_SCHERR_SYN_NOT_FOUND 15
-#define SLAP_SCHERR_SYN_DUP 16
-#define SLAP_SCHERR_NO_NAME 17
-#define SLAP_SCHERR_NOT_SUPPORTED 18
-#define SLAP_SCHERR_BAD_DESCR 19
-#define SLAP_SCHERR_OIDM 20
-#define SLAP_SCHERR_CR_DUP 21
-#define SLAP_SCHERR_CR_BAD_STRUCT 22
-#define SLAP_SCHERR_CR_BAD_AUX 23
-#define SLAP_SCHERR_CR_BAD_AT 24
-#define SLAP_SCHERR_LAST SLAP_SCHERR_CR_BAD_AT
+enum {
+ SLAP_SCHERR_OUTOFMEM = 1,
+ SLAP_SCHERR_CLASS_NOT_FOUND,
+ SLAP_SCHERR_CLASS_BAD_USAGE,
+ SLAP_SCHERR_CLASS_BAD_SUP,
+ SLAP_SCHERR_CLASS_DUP,
+ SLAP_SCHERR_CLASS_INCONSISTENT,
+ SLAP_SCHERR_ATTR_NOT_FOUND,
+ SLAP_SCHERR_ATTR_BAD_MR,
+ SLAP_SCHERR_ATTR_BAD_USAGE,
+ SLAP_SCHERR_ATTR_BAD_SUP,
+ SLAP_SCHERR_ATTR_INCOMPLETE,
+ SLAP_SCHERR_ATTR_DUP,
+ SLAP_SCHERR_ATTR_INCONSISTENT,
+ SLAP_SCHERR_MR_NOT_FOUND,
+ SLAP_SCHERR_MR_INCOMPLETE,
+ SLAP_SCHERR_MR_DUP,
+ SLAP_SCHERR_SYN_NOT_FOUND,
+ SLAP_SCHERR_SYN_DUP,
+ SLAP_SCHERR_NO_NAME,
+ SLAP_SCHERR_NOT_SUPPORTED,
+ SLAP_SCHERR_BAD_DESCR,
+ SLAP_SCHERR_OIDM,
+ SLAP_SCHERR_CR_DUP,
+ SLAP_SCHERR_CR_BAD_STRUCT,
+ SLAP_SCHERR_CR_BAD_AUX,
+ SLAP_SCHERR_CR_BAD_AT,
+
+ SLAP_SCHERR_LAST
+};
typedef union slap_sockaddr {
struct sockaddr sa_addr;
typedef struct slap_oid_macro {
struct berval som_oid;
- char **som_names;
- LDAP_SLIST_ENTRY(slap_oid_macro) som_next;
+ BerVarray som_names;
+ BerVarray som_subs;
+#define SLAP_OM_HARDCODE 0x10000U /* This is hardcoded schema */
+ int som_flags;
+ LDAP_STAILQ_ENTRY(slap_oid_macro) som_next;
} OidMacro;
/* forward declarations */
Syntax *sat_syntax;
AttributeTypeSchemaCheckFN *sat_check;
+ char *sat_oidmacro;
-#define SLAP_AT_NONE 0x0000U
-#define SLAP_AT_ABSTRACT 0x0100U /* cannot be instantiated */
-#define SLAP_AT_FINAL 0x0200U /* cannot be subtyped */
+#define SLAP_AT_NONE 0x0000U
+#define SLAP_AT_ABSTRACT 0x0100U /* cannot be instantiated */
+#define SLAP_AT_FINAL 0x0200U /* cannot be subtyped */
#ifdef LDAP_DEVEL
-#define SLAP_AT_HIDE 0x0000U /* publish everything */
+#define SLAP_AT_HIDE 0x0000U /* publish everything */
#else
-#define SLAP_AT_HIDE 0x8000U /* hide attribute */
+#define SLAP_AT_HIDE 0x8000U /* hide attribute */
#endif
-#define SLAP_AT_DYNAMIC 0x0400U /* dynamically generated */
+#define SLAP_AT_DYNAMIC 0x0400U /* dynamically generated */
+
+#define SLAP_AT_MANAGEABLE 0x0800U /* no-user-mod can be by-passed */
+
+#define SLAP_AT_ORDERED_VAL 0x0001U /* values are ordered */
+#define SLAP_AT_ORDERED_SIB 0x0002U /* siblings are ordered */
+#define SLAP_AT_ORDERED 0x0003U /* value has order index */
+
+#define SLAP_AT_HARDCODE 0x10000U /* hardcoded schema */
slap_mask_t sat_flags;
- LDAP_SLIST_ENTRY(slap_attribute_type) sat_next;
+ LDAP_STAILQ_ENTRY(slap_attribute_type) sat_next;
#define sat_oid sat_atype.at_oid
#define sat_names sat_atype.at_names
AttributeType **soc_required;
AttributeType **soc_allowed;
ObjectClassSchemaCheckFN *soc_check;
+ char *soc_oidmacro;
slap_mask_t soc_flags;
#define soc_oid soc_oclass.oc_oid
#define soc_names soc_oclass.oc_names
#define soc_at_oids_may soc_oclass.oc_at_oids_may
#define soc_extensions soc_oclass.oc_extensions
- LDAP_SLIST_ENTRY(slap_object_class) soc_next;
+ LDAP_STAILQ_ENTRY(slap_object_class) soc_next;
} ObjectClass;
#define SLAP_OC_ALIAS 0x0001
#else
#define SLAP_OC_HIDE 0x8000
#endif
+#define SLAP_OC_HARDCODE 0x10000U /* This is hardcoded schema */
/*
* DIT content rule
#define scr_at_oids_may scr_crule.cr_at_oids_may
#define scr_at_oids_not scr_crule.cr_at_oids_not
- LDAP_SLIST_ENTRY( slap_content_rule ) scr_next;
+ char *scr_oidmacro;
+#define SLAP_CR_HARDCODE 0x10000U
+ int scr_flags;
+
+ LDAP_STAILQ_ENTRY( slap_content_rule ) scr_next;
} ContentRule;
/* Represents a recognized attribute description ( type + options ). */
AttributeDescription *si_ad_monitorContext;
AttributeDescription *si_ad_vendorName;
AttributeDescription *si_ad_vendorVersion;
+ AttributeDescription *si_ad_configContext;
/* subentry attribute descriptions */
AttributeDescription *si_ad_administrativeRole;
AttributeDescription *si_ad_saslAuthzFrom;
#ifdef SLAPD_ACI_ENABLED
AttributeDescription *si_ad_aci;
-#endif
+#endif /* SLAPD_ACI_ENABLED */
/* dynamic entries */
AttributeDescription *si_ad_entryTtl;
AttributeDescription *si_ad_labeledURI;
#ifdef SLAPD_AUTHPASSWD
AttributeDescription *si_ad_authPassword;
+ AttributeDescription *si_ad_authPasswordSchemes;
#endif
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
AttributeDescription *si_ad_krbName;
#endif
+ AttributeDescription *si_ad_description;
+ AttributeDescription *si_ad_seeAlso;
/* Undefined Attribute Type */
AttributeType *si_at_undefined;
typedef struct slap_attr_assertion {
AttributeDescription *aa_desc;
struct berval aa_value;
+#ifdef LDAP_COMP_MATCH
+ struct slap_component_filter *aa_cf;/* for attribute aliasing */
+#endif
} AttributeAssertion;
typedef struct slap_ss_assertion {
* A list of LDAPMods
*/
typedef struct slap_mod {
- int sm_op;
+ short sm_op;
+ short sm_flags;
+/* Set for internal mods, will bypass ACL checks. Only needed when
+ * running as non-root user, for user modifiable attributes.
+ */
+#define SLAP_MOD_INTERNAL 0x01
+
AttributeDescription *sm_desc;
struct berval sm_type;
BerVarray sm_values;
typedef struct slap_mod_list {
Modification sml_mod;
#define sml_op sml_mod.sm_op
+#define sml_flags sml_mod.sm_flags
#define sml_desc sml_mod.sm_desc
#define sml_type sml_mod.sm_type
#define sml_values sml_mod.sm_values
ACL_SEARCH,
ACL_READ,
ACL_WRITE,
- ACL_MANAGE
+ ACL_MANAGE,
+
+ /* always leave at end of levels but not greater than ACL_LEVEL_MASK */
+ ACL_LAST,
+
+ /* ACL level mask and modifiers */
+ ACL_LEVEL_MASK = 0x000f,
+ ACL_QUALIFIER1 = 0x0100,
+ ACL_QUALIFIER2 = 0x0200,
+ ACL_QUALIFIER3 = 0x0400,
+ ACL_QUALIFIER4 = 0x0800,
+ ACL_QUALIFIER_MASK = 0x0f00,
+
+ /* write granularity */
+ ACL_WADD = ACL_WRITE|ACL_QUALIFIER1,
+ ACL_WDEL = ACL_WRITE|ACL_QUALIFIER2
} slap_access_t;
typedef enum slap_control_e {
ACL_STYLE_ONE,
ACL_STYLE_SUBTREE,
ACL_STYLE_CHILDREN,
+ ACL_STYLE_LEVEL,
ACL_STYLE_ATTROF,
ACL_STYLE_ANONYMOUS,
ACL_STYLE_USERS,
/*
* "dynamic" ACL infrastructure (for ACIs and more)
*/
-typedef int (*slap_dynacl_parse)( const char *fname, int lineno, slap_style_t, const char *, void **privp );
-typedef int (*slap_dynacl_print)( void *priv );
-typedef int (*slap_dynacl_mask)(
+typedef int (slap_dynacl_parse)( const char *fname, int lineno, slap_style_t, const char *, void **privp );
+typedef int (slap_dynacl_unparse)( void *priv, struct berval *bv );
+typedef int (slap_dynacl_mask)(
void *priv,
struct slap_op *op,
Entry *e,
regmatch_t *matches,
slap_access_t *grant,
slap_access_t *deny );
-typedef int (*slap_dynacl_destroy)( void *priv );
+typedef int (slap_dynacl_destroy)( void *priv );
typedef struct slap_dynacl_t {
char *da_name;
- slap_dynacl_parse da_parse;
- slap_dynacl_print da_print;
- slap_dynacl_mask da_mask;
- slap_dynacl_destroy da_destroy;
+ slap_dynacl_parse *da_parse;
+ slap_dynacl_unparse *da_unparse;
+ slap_dynacl_mask *da_mask;
+ slap_dynacl_destroy *da_destroy;
void *da_private;
struct slap_dynacl_t *da_next;
} slap_dynacl_t;
#endif /* SLAP_DYNACL */
+/* the DN portion of the "by" part */
+typedef struct slap_dn_access {
+ /* DN pattern */
+ AuthorizationInformation a_dnauthz;
+#define a_pat a_dnauthz.sai_dn
+
+ slap_style_t a_style;
+ int a_level;
+ int a_self_level;
+ AttributeDescription *a_at;
+ int a_self;
+ int a_expand;
+} slap_dn_access;
+
/* the "by" part */
typedef struct slap_access {
slap_control_t a_type;
-#define ACL_ACCESS2PRIV(access) (0x01U << (access))
+/* strip qualifiers */
+#define ACL_LEVEL(p) ((p) & ACL_LEVEL_MASK)
+#define ACL_QUALIFIERS(p) ((p) & ~ACL_LEVEL_MASK)
+
+#define ACL_ACCESS2PRIV(access) ((0x01U << ACL_LEVEL((access))) | ACL_QUALIFIERS((access)))
#define ACL_PRIV_NONE ACL_ACCESS2PRIV( ACL_NONE )
#define ACL_PRIV_DISCLOSE ACL_ACCESS2PRIV( ACL_DISCLOSE )
#define ACL_PRIV_COMPARE ACL_ACCESS2PRIV( ACL_COMPARE )
#define ACL_PRIV_SEARCH ACL_ACCESS2PRIV( ACL_SEARCH )
#define ACL_PRIV_READ ACL_ACCESS2PRIV( ACL_READ )
-#define ACL_PRIV_WRITE ACL_ACCESS2PRIV( ACL_WRITE )
+#define ACL_PRIV_WADD ACL_ACCESS2PRIV( ACL_WADD )
+#define ACL_PRIV_WDEL ACL_ACCESS2PRIV( ACL_WDEL )
+#define ACL_PRIV_WRITE ( ACL_PRIV_WADD | ACL_PRIV_WDEL )
#define ACL_PRIV_MANAGE ACL_ACCESS2PRIV( ACL_MANAGE )
-#define ACL_PRIV_MASK 0x00ffUL
+/* NOTE: always use the highest level; current: 0x00ffUL */
+#define ACL_PRIV_MASK ((ACL_ACCESS2PRIV(ACL_LAST) - 1) | ACL_QUALIFIER_MASK)
/* priv flags */
#define ACL_PRIV_LEVEL 0x1000UL
#define ACL_PRIV_ADDITIVE 0x2000UL
-#define ACL_PRIV_SUBSTRACTIVE 0x4000UL
+#define ACL_PRIV_SUBSTRACTIVE 0x4000UL
/* invalid privs */
#define ACL_PRIV_INVALID 0x0UL
#define ACL_PRIV_ISSET(m,p) (((m) & (p)) == (p))
-#define ACL_PRIV_ASSIGN(m,p) do { (m) = (p); } while(0)
+#define ACL_PRIV_ASSIGN(m,p) do { (m) = (p); } while(0)
#define ACL_PRIV_SET(m,p) do { (m) |= (p); } while(0)
#define ACL_PRIV_CLR(m,p) do { (m) &= ~(p); } while(0)
-#define ACL_INIT(m) ACL_PRIV_ASSIGN(m, ACL_PRIV_NONE)
+#define ACL_INIT(m) ACL_PRIV_ASSIGN(m, ACL_PRIV_NONE)
#define ACL_INVALIDATE(m) ACL_PRIV_ASSIGN(m, ACL_PRIV_INVALID)
#define ACL_GRANT(m,a) ACL_PRIV_ISSET((m),ACL_ACCESS2PRIV(a))
#define ACL_IS_LEVEL(m) ACL_PRIV_ISSET((m),ACL_PRIV_LEVEL)
#define ACL_IS_ADDITIVE(m) ACL_PRIV_ISSET((m),ACL_PRIV_ADDITIVE)
-#define ACL_IS_SUBTRACTIVE(m) ACL_PRIV_ISSET((m),ACL_PRIV_SUBSTRACTIVE)
+#define ACL_IS_SUBTRACTIVE(m) ACL_PRIV_ISSET((m),ACL_PRIV_SUBSTRACTIVE)
#define ACL_LVL_NONE (ACL_PRIV_NONE|ACL_PRIV_LEVEL)
#define ACL_LVL_DISCLOSE (ACL_PRIV_DISCLOSE|ACL_LVL_NONE)
#define ACL_LVL_COMPARE (ACL_PRIV_COMPARE|ACL_LVL_AUTH)
#define ACL_LVL_SEARCH (ACL_PRIV_SEARCH|ACL_LVL_COMPARE)
#define ACL_LVL_READ (ACL_PRIV_READ|ACL_LVL_SEARCH)
+#define ACL_LVL_WADD (ACL_PRIV_WADD|ACL_LVL_READ)
+#define ACL_LVL_WDEL (ACL_PRIV_WDEL|ACL_LVL_READ)
#define ACL_LVL_WRITE (ACL_PRIV_WRITE|ACL_LVL_READ)
#define ACL_LVL_MANAGE (ACL_PRIV_MANAGE|ACL_LVL_WRITE)
#define ACL_LVL(m,l) (((m)&ACL_PRIV_MASK) == ((l)&ACL_PRIV_MASK))
#define ACL_LVL_IS_NONE(m) ACL_LVL((m),ACL_LVL_NONE)
-#define ACL_LVL_IS_DISCLOSE(m) ACL_LVL((m),ACL_LVL_DISCLOSE)
+#define ACL_LVL_IS_DISCLOSE(m) ACL_LVL((m),ACL_LVL_DISCLOSE)
#define ACL_LVL_IS_AUTH(m) ACL_LVL((m),ACL_LVL_AUTH)
-#define ACL_LVL_IS_COMPARE(m) ACL_LVL((m),ACL_LVL_COMPARE)
-#define ACL_LVL_IS_SEARCH(m) ACL_LVL((m),ACL_LVL_SEARCH)
+#define ACL_LVL_IS_COMPARE(m) ACL_LVL((m),ACL_LVL_COMPARE)
+#define ACL_LVL_IS_SEARCH(m) ACL_LVL((m),ACL_LVL_SEARCH)
#define ACL_LVL_IS_READ(m) ACL_LVL((m),ACL_LVL_READ)
+#define ACL_LVL_IS_WADD(m) ACL_LVL((m),ACL_LVL_WADD)
+#define ACL_LVL_IS_WDEL(m) ACL_LVL((m),ACL_LVL_WDEL)
#define ACL_LVL_IS_WRITE(m) ACL_LVL((m),ACL_LVL_WRITE)
-#define ACL_LVL_IS_MANAGE(m) ACL_LVL((m),ACL_LVL_MANAGE)
+#define ACL_LVL_IS_MANAGE(m) ACL_LVL((m),ACL_LVL_MANAGE)
#define ACL_LVL_ASSIGN_NONE(m) ACL_PRIV_ASSIGN((m),ACL_LVL_NONE)
#define ACL_LVL_ASSIGN_DISCLOSE(m) ACL_PRIV_ASSIGN((m),ACL_LVL_DISCLOSE)
#define ACL_LVL_ASSIGN_COMPARE(m) ACL_PRIV_ASSIGN((m),ACL_LVL_COMPARE)
#define ACL_LVL_ASSIGN_SEARCH(m) ACL_PRIV_ASSIGN((m),ACL_LVL_SEARCH)
#define ACL_LVL_ASSIGN_READ(m) ACL_PRIV_ASSIGN((m),ACL_LVL_READ)
+#define ACL_LVL_ASSIGN_WADD(m) ACL_PRIV_ASSIGN((m),ACL_LVL_WADD)
+#define ACL_LVL_ASSIGN_WDEL(m) ACL_PRIV_ASSIGN((m),ACL_LVL_WDEL)
#define ACL_LVL_ASSIGN_WRITE(m) ACL_PRIV_ASSIGN((m),ACL_LVL_WRITE)
#define ACL_LVL_ASSIGN_MANAGE(m) ACL_PRIV_ASSIGN((m),ACL_LVL_MANAGE)
slap_mask_t a_access_mask;
- AuthorizationInformation a_authz;
-#define a_dn_pat a_authz.sai_dn
+ /* DN pattern */
+ slap_dn_access a_dn;
+#define a_dn_pat a_dn.a_dnauthz.sai_dn
+#define a_dn_at a_dn.a_at
+#define a_dn_self a_dn.a_self
- slap_style_t a_dn_style;
- AttributeDescription *a_dn_at;
- int a_dn_self;
- int a_dn_expand;
+ /* real DN pattern */
+ slap_dn_access a_realdn;
+#define a_realdn_pat a_realdn.a_dnauthz.sai_dn
+#define a_realdn_at a_realdn.a_at
+#define a_realdn_self a_realdn.a_self
+ /* used for ssf stuff
+ * NOTE: the ssf stuff in a_realdn is ignored */
+#define a_authz a_dn.a_dnauthz
+
+ /* connection related stuff */
slap_style_t a_peername_style;
struct berval a_peername_pat;
unsigned long a_peername_addr,
slap_dynacl_t *a_dynacl;
#else /* ! SLAP_DYNACL */
#ifdef SLAPD_ACI_ENABLED
+ /* NOTE: ACIs have been moved under the "dynacl" interface,
+ * which is currently built only when LDAP_DEVEL is defined.
+ *
+ * In any case, SLAPD_ACI_ENABLED, set by --enable-aci,
+ * is required to enable ACI support.
+ */
AttributeDescription *a_aci_at;
-#endif
+#endif /* SLAPD_ACI_ENABLED */
#endif /* SLAP_DYNACL */
/* ACL Groups */
regex_t acl_dn_re;
struct berval acl_dn_pat;
AttributeName *acl_attrs;
+ MatchingRule *acl_attrval_mr;
slap_style_t acl_attrval_style;
regex_t acl_attrval_re;
struct berval acl_attrval;
typedef struct slap_backend_info BackendInfo; /* per backend type */
typedef struct slap_backend_db BackendDB; /* per backend database */
+typedef LDAP_STAILQ_HEAD(BeI, slap_backend_info) slap_bi_head;
+typedef LDAP_STAILQ_HEAD(BeDB, slap_backend_db) slap_be_head;
LDAP_SLAPD_V (int) nBackendInfo;
LDAP_SLAPD_V (int) nBackendDB;
-LDAP_SLAPD_V (BackendInfo *) backendInfo;
-LDAP_SLAPD_V (BackendDB *) backendDB;
+LDAP_SLAPD_V (slap_bi_head) backendInfo;
+LDAP_SLAPD_V (slap_be_head) backendDB;
LDAP_SLAPD_V (BackendDB *) frontendDB;
LDAP_SLAPD_V (int) slapMode;
#define SLAP_TOOL_READONLY 0x0400
#define SLAP_TOOL_QUICK 0x0800
+#define SB_TLS_DEFAULT (-1)
+#define SB_TLS_OFF 0
+#define SB_TLS_ON 1
+#define SB_TLS_CRITICAL 2
+
+typedef struct slap_bindconf {
+ int sb_tls;
+ int sb_method;
+ struct berval sb_binddn;
+ struct berval sb_cred;
+ struct berval sb_saslmech;
+ char *sb_secprops;
+ struct berval sb_realm;
+ struct berval sb_authcId;
+ struct berval sb_authzId;
+} slap_bindconf;
+
struct slap_replica_info {
- char *ri_host; /* supersedes be_replica */
- BerVarray ri_nsuffix; /* array of suffixes this replica accepts */
+ const char *ri_uri; /* supersedes be_replica */
+ const char *ri_host; /* points to host part of uri */
+ BerVarray ri_nsuffix; /* array of suffixes this replica accepts */
AttributeName *ri_attrs; /* attrs to replicate, NULL=all */
- int ri_exclude; /* 1 => exclude ri_attrs */
+ int ri_exclude; /* 1 => exclude ri_attrs */
+ slap_bindconf ri_bindconf; /* for back-config */
};
+typedef struct slap_verbmasks {
+ struct berval word;
+ const slap_mask_t mask;
+} slap_verbmasks;
+
+#define SLAP_LIMIT_TIME 1
+#define SLAP_LIMIT_SIZE 2
+
struct slap_limits_set {
/* time limits */
int lms_t_soft;
* syncinfo structure for syncrepl
*/
-#define SLAP_SYNC_SID_SIZE 3
+struct syncinfo_s;
+
#define SLAP_SYNC_RID_SIZE 3
#define SLAP_SYNCUUID_SET_SIZE 256
#define SLAP_SYNC_UPDATE_MSGID 2
-struct nonpresent_entry {
- struct berval *npe_name;
- struct berval *npe_nname;
- LDAP_LIST_ENTRY(nonpresent_entry) npe_link;
-};
-
struct sync_cookie {
struct berval ctxcsn;
struct berval octet_str;
LDAP_STAILQ_HEAD( slap_sync_cookie_s, sync_cookie );
-typedef struct syncinfo_s {
- struct slap_backend_db *si_be;
- long si_rid;
- struct berval si_provideruri;
-#define SYNCINFO_TLS_OFF 0
-#define SYNCINFO_TLS_ON 1
-#define SYNCINFO_TLS_CRITICAL 2
- int si_tls;
- int si_bindmethod;
- char *si_binddn;
- char *si_passwd;
- char *si_saslmech;
- char *si_secprops;
- char *si_realm;
- char *si_authcId;
- char *si_authzId;
- int si_schemachecking;
- struct berval si_filterstr;
- struct berval si_base;
- int si_scope;
- int si_attrsonly;
- AttributeName *si_anlist;
- AttributeName *si_exanlist;
- char **si_attrs;
- int si_allattrs;
- int si_allopattrs;
- char **si_exattrs;
- int si_type;
- time_t si_interval;
- time_t *si_retryinterval;
- int *si_retrynum_init;
- int *si_retrynum;
- struct sync_cookie si_syncCookie;
- int si_manageDSAit;
- int si_slimit;
- int si_tlimit;
- int si_refreshDelete;
- int si_refreshPresent;
- Avlnode *si_presentlist;
- LDAP *si_ld;
- LDAP_LIST_HEAD(np, nonpresent_entry) si_nonpresentlist;
-} syncinfo_t;
-
LDAP_TAILQ_HEAD( be_pcl, slap_csn_entry );
#ifndef SLAP_MAX_CIDS
#define SLAP_MAX_CIDS 32 /* Maximum number of supported controls */
#endif
+struct ConfigOCs; /* config.h */
+
struct slap_backend_db {
BackendInfo *bd_info; /* pointer to shared backend info */
struct be_pcl *be_pending_csn_list;
ldap_pvt_thread_mutex_t be_pcl_mutex;
ldap_pvt_thread_mutex_t *be_pcl_mutexp;
- syncinfo_t *be_syncinfo; /* For syncrepl */
+ struct syncinfo_s *be_syncinfo; /* For syncrepl */
- char *be_realm;
void *be_pb; /* Netscape plugin */
+ struct ConfigOCs *be_cf_ocs;
void *be_private; /* anything the backend database needs */
+ LDAP_STAILQ_ENTRY(slap_backend_db) be_next;
};
struct slap_conn;
AttributeName *rs_attrs;
Filter *rs_filter;
struct berval rs_filterstr;
- int rs_post_search_id;
} req_search_s;
typedef struct req_compare_s {
slap_mask_t sr_flags;
#define REP_ENTRY_MODIFIABLE 0x0001U
#define REP_ENTRY_MUSTBEFREED 0x0002U
+#define REP_ENTRY_MUSTRELEASE 0x0004U
#define REP_MATCHED_MUSTBEFREED 0x0010U
#define REP_REF_MUSTBEFREED 0x0020U
} SlapReply;
typedef int (BI_operational) LDAP_P(( struct slap_op *op, struct slap_rep *rs ));
typedef int (BI_has_subordinates) LDAP_P(( struct slap_op *op,
Entry *e, int *hasSubs ));
+#ifdef SLAP_OVERLAY_ACCESS
+typedef int (BI_access_allowed) LDAP_P(( struct slap_op *op, Entry *e,
+ AttributeDescription *desc, struct berval *val, slap_access_t access,
+ AccessControlState *state, slap_mask_t *maskp ));
+typedef int (BI_acl_group) LDAP_P(( struct slap_op *op, Entry *target,
+ struct berval *gr_ndn, struct berval *op_ndn,
+ ObjectClass *group_oc, AttributeDescription *group_at ));
+typedef int (BI_acl_attribute) LDAP_P(( struct slap_op *op, Entry *target,
+ struct berval *entry_ndn, AttributeDescription *entry_at,
+ BerVarray *vals, slap_access_t access ));
+#endif /* SLAP_OVERLAY_ACCESS */
typedef int (BI_connection_init) LDAP_P(( BackendDB *bd,
struct slap_conn *c ));
BI_entry_release_rw *bi_entry_release_rw;
BI_has_subordinates *bi_has_subordinates;
+#ifdef SLAP_OVERLAY_ACCESS
+ BI_access_allowed *bi_access_allowed;
+ BI_acl_group *bi_acl_group;
+ BI_acl_attribute *bi_acl_attribute;
+#endif /* SLAP_OVERLAY_ACCESS */
BI_connection_init *bi_connection_init;
BI_connection_destroy *bi_connection_destroy;
slap_mask_t bi_flags; /* backend flags */
#define SLAP_BFLAG_MONITOR 0x0001U /* a monitor backend */
+#define SLAP_BFLAG_CONFIG 0x0002U /* a config backend */
+#define SLAP_BFLAG_FRONTEND 0x0004U /* the frontendDB */
#define SLAP_BFLAG_NOLASTMODCMD 0x0010U
#define SLAP_BFLAG_INCREMENT 0x0100U
#define SLAP_BFLAG_ALIASES 0x1000U
#define SLAP_BFLAGS(be) ((be)->bd_info->bi_flags)
#define SLAP_MONITOR(be) (SLAP_BFLAGS(be) & SLAP_BFLAG_MONITOR)
+#define SLAP_CONFIG(be) (SLAP_BFLAGS(be) & SLAP_BFLAG_CONFIG)
+#define SLAP_FRONTEND(be) (SLAP_BFLAGS(be) & SLAP_BFLAG_FRONTEND)
#define SLAP_INCREMENT(be) (SLAP_BFLAGS(be) & SLAP_BFLAG_INCREMENT)
#define SLAP_ALIASES(be) (SLAP_BFLAGS(be) & SLAP_BFLAG_ALIASES)
#define SLAP_REFERRALS(be) (SLAP_BFLAGS(be) & SLAP_BFLAG_REFERRALS)
char bi_ctrls[SLAP_MAX_CIDS + 1];
unsigned int bi_nDB; /* number of databases of this type */
+ struct ConfigOCs *bi_cf_ocs;
void *bi_private; /* anything the backend type needs */
+ LDAP_STAILQ_ENTRY(slap_backend_info) bi_next ;
};
#define c_authtype c_authz.sai_method
struct slap_overinfo;
+typedef enum slap_operation_e {
+ op_bind = 0,
+ op_unbind,
+ op_search,
+ op_compare,
+ op_modify,
+ op_modrdn,
+ op_add,
+ op_delete,
+ op_abandon,
+ op_cancel,
+ op_extended,
+ op_aux_operational,
+ op_aux_chk_referrals,
+ op_aux_chk_controls,
+ op_last
+} slap_operation_t;
+
typedef struct slap_overinst {
BackendInfo on_bi;
slap_response *on_response;
int sc_preRead;
int sc_postRead;
int sc_proxyAuthz;
+ int sc_manageDIT;
int sc_manageDSAit;
int sc_modifyIncrement;
int sc_noOp;
int sc_pagedResults;
+#ifdef LDAP_DEVEL
+ int sc_sortedResults;
+#endif
int sc_valuesReturnFilter;
int sc_permissiveModify;
int sc_domainScope;
char oh_log_prefix[sizeof("conn=18446744073709551615 op=18446744073709551615")];
#ifdef LDAP_SLAPI
- void *oh_pb; /* NS-SLAPI plugin */
void *oh_extensions; /* NS-SLAPI plugin */
#endif
} Opheader;
#define o_log_prefix o_hdr->oh_log_prefix
-#ifdef LDAP_SLAPI
-#define o_pb o_hdr->oh_pb
-#define o_extensions o_hdr->oh_extensions
-#endif
-
ber_tag_t o_tag; /* tag of the request */
time_t o_time; /* time op was initiated */
+ int o_tincr; /* counter for multiple ops with same o_time */
BackendDB *o_bd; /* backend DB processing this op */
struct berval o_req_dn; /* DN of target of request */
#define ors_attrs oq_search.rs_attrs
#define ors_filter oq_search.rs_filter
#define ors_filterstr oq_search.rs_filterstr
-#define ors_post_search_id oq_search.rs_post_search_id
#define orr_newrdn oq_modrdn.rs_newrdn
#define orr_nnewrdn oq_modrdn.rs_nnewrdn
char o_do_not_cache; /* don't cache groups from this op */
char o_is_auth_check; /* authorization in progress */
+ char o_nocaching;
+ char o_delete_glue_parent;
+
#define SLAP_CONTROL_NONE 0
#define SLAP_CONTROL_IGNORED 1
#define SLAP_CONTROL_NONCRITICAL 2
char o_ctrlflag[SLAP_MAX_CIDS]; /* per-control flags */
void **o_controls; /* per-control state */
+#define o_managedit o_ctrlflag[slap_cids.sc_manageDIT]
+#define get_manageDIT(op) _SCM((op)->o_managedit)
+
#define o_managedsait o_ctrlflag[slap_cids.sc_manageDSAit]
#define get_manageDSAit(op) _SCM((op)->o_managedsait)
#define get_domainScope(op) (0)
#endif
-#ifdef LDAP_CONTROL_X_TREE_DELETE
+#ifdef SLAP_CONTROL_X_TREE_DELETE
#define o_tree_delete o_ctrlflag[slap_cids.sc_treeDelete]
#define get_treeDelete(op) ((int)(op)->o_tree_delete)
#else
#define o_pagedresults o_ctrlflag[slap_cids.sc_pagedResults]
#define o_pagedresults_state o_controls[slap_cids.sc_pagedResults]
+#define get_pagedresults(op) ((int)(op)->o_pagedresults)
-#define o_sync o_ctrlflag[slap_cids.sc_LDAPsync]
+#ifdef LDAP_DEVEL
+#define o_sortedresults o_ctrlflag[slap_cids.sc_sortedResults]
+#endif
-#define get_pagedresults(op) ((int)(op)->o_pagedresults)
+#define o_sync o_ctrlflag[slap_cids.sc_LDAPsync]
AuthorizationInformation o_authz;
LDAP_STAILQ_ENTRY(slap_op) o_next; /* next operation in list */
- int o_nocaching;
- int o_delete_glue_parent;
-
} Operation;
#define OPERATION_BUFFER_SIZE (sizeof(Operation)+sizeof(Opheader)+SLAP_MAX_CIDS*sizeof(void *))
int c_sasl_bind_in_progress; /* multi-op bind in progress */
struct berval c_sasl_bind_mech; /* mech in progress */
struct berval c_sasl_dn; /* temporary storage */
+ struct berval c_sasl_authz_dn; /* SASL proxy authz */
/* authorization backend */
Backend *c_authz_backend;
#define SLAP_CTRL_HIDE 0x80000000U
#endif
+#define SLAP_CTRL_REQUIRES_ROOT 0x40000000U /* for ManageDIT */
+
#define SLAP_CTRL_GLOBAL 0x00800000U
#define SLAP_CTRL_GLOBAL_SEARCH 0x00010000U /* for NOOP */
#endif
#define SLAP_BACKEND_INIT_MODULE(b) \
+ static BackendInfo bi; \
int \
init_module( int argc, char *argv[] ) \
{ \
- BackendInfo bi; \
- memset( &bi, '\0', sizeof( bi ) ); \
bi.bi_type = #b ; \
bi.bi_init = b ## _back_initialize; \
backend_add( &bi ); \