#include <ac/time.h>
#include <ac/param.h>
-#ifdef HAVE_CYRUS_SASL
-#include <sasl.h>
-#endif
-
#include "avl.h"
#ifndef ldap_debug
#include <ldap_schema.h>
#include "ldap_pvt_thread.h"
-#include "ldif.h"
LDAP_BEGIN_DECL
#define SERVICE_NAME OPENLDAP_PACKAGE "-slapd"
-#define SLAPD_ANONYMOUS "<anonymous>"
+#define SLAPD_ANONYMOUS "cn=anonymous"
#ifdef f_next
#undef f_next /* name conflict between sys/file.h on SCO and struct filter */
*/
#define SLAP_MOD_SOFTADD 0x1000
-#define ON 1
+#define ON (1)
#define OFF (-1)
-#define UNDEFINED 0
+#define UNDEFINED (0)
-#define MAXREMATCHES 10
+#define MAXREMATCHES (10)
+#define SLAP_MAX_WORKER_THREADS (32)
+
+#define SLAP_TEXT_BUFLEN (256)
/* psuedo error code indicating abandoned operation */
#define SLAPD_ABANDON (-1)
#define ASCII_ALPHA(c) ( ASCII_LOWER(c) || ASCII_UPPER(c) )
#define ASCII_DIGIT(c) ( (c) >= '0' && (c) <= '9' )
#define ASCII_ALNUM(c) ( ASCII_ALPHA(c) || ASCII_DIGIT(c) )
-
#define ASCII_PRINTABLE(c) ( (c) >= ' ' && (c) <= '~' )
-#define FILTER_ESCAPE(c) ( (c) == '\\' || (c) == '(' || (c) == ')' || !ASCII_PRINTABLE(c) )
+
+#define SLAP_NIBBLE(c) ((c)&0x0f)
+#define SLAP_ESCAPE_CHAR ('\\')
+#define SLAP_ESCAPE_LO(c) ( "0123456789ABCDEF"[SLAP_NIBBLE(c)] )
+#define SLAP_ESCAPE_HI(c) ( SLAP_ESCAPE_LO((c)>>4) )
+
+#define FILTER_ESCAPE(c) ( (c) == '*' || (c) == '\\' \
+ || (c) == '(' || (c) == ')' || !ASCII_PRINTABLE(c) )
#define DN_SEPARATOR(c) ((c) == ',' || (c) == ';')
-#define RDN_SEPARATOR(c) ((c) == ',' || (c) == ';' || (c) == '+')
+#define RDN_ATTRTYPEANDVALUE_SEPARATOR(c) ((c) == '+') /* RFC 2253 */
+#define RDN_SEPARATOR(c) (DN_SEPARATOR(c) || RDN_ATTRTYPEANDVALUE_SEPARATOR(c))
#define RDN_NEEDSESCAPE(c) ((c) == '\\' || (c) == '"')
#define DESC_LEADCHAR(c) ( ASCII_ALPHA(c) )
#define AD_LEADCHAR(c) ( ATTR_CHAR(c) )
#define AD_CHAR(c) ( ATTR_CHAR(c) || (c) == ';' )
+#define SLAP_NUMERIC(c) ( ASCII_DIGIT(c) || ASCII_SPACE(c) )
+
+#define SLAP_PRINTABLE(c) ( ASCII_ALNUM(c) || (c) == '\'' || \
+ (c) == '(' || (c) == ')' || (c) == '+' || (c) == ',' || \
+ (c) == '-' || (c) == '.' || (c) == '/' || (c) == ':' || \
+ (c) == '?' || (c) == ' ' || (c) == '=' )
+#define SLAP_PRINTABLES(c) ( SLAP_PRINTABLE(c) || (c) == '$' )
+
/* must match in schema_init.c */
#define SLAPD_DN_SYNTAX "1.3.6.1.4.1.1466.115.121.1.12"
+#define SLAPD_NAMEUID_SYNTAX "1.3.6.1.4.1.1466.115.121.1.34"
#define SLAPD_GROUP_ATTR "member"
#define SLAPD_GROUP_CLASS "groupOfNames"
#define SLAPD_ROLE_ATTR "roleOccupant"
LDAP_SLAPD_F (int) slap_debug;
+typedef unsigned long slap_mask_t;
+
+/* Security Strength Factor */
+typedef unsigned slap_ssf_t;
+
+typedef struct slap_ssf_set {
+ slap_ssf_t sss_ssf;
+ slap_ssf_t sss_transport;
+ slap_ssf_t sss_tls;
+ slap_ssf_t sss_sasl;
+ slap_ssf_t sss_update_ssf;
+ slap_ssf_t sss_update_transport;
+ slap_ssf_t sss_update_tls;
+ slap_ssf_t sss_update_sasl;
+} slap_ssf_set_t;
+
/*
* Index types
*/
#define SLAP_INDEX_SUBSTR_INITIAL ( SLAP_INDEX_SUBSTR | 0x0100UL )
#define SLAP_INDEX_SUBSTR_ANY ( SLAP_INDEX_SUBSTR | 0x0200UL )
#define SLAP_INDEX_SUBSTR_FINAL ( SLAP_INDEX_SUBSTR | 0x0400UL )
-#define SLAP_INDEX_SUBSTR_DEFAULT ( SLAP_INDEX_SUBSTR \
- | SLAP_INDEX_SUBSTR_INITIAL | SLAP_INDEX_SUBSTR_FINAL )
+#define SLAP_INDEX_SUBSTR_DEFAULT \
+ ( SLAP_INDEX_SUBSTR \
+ | SLAP_INDEX_SUBSTR_INITIAL \
+ | SLAP_INDEX_SUBSTR_ANY \
+ | SLAP_INDEX_SUBSTR_FINAL )
-#define SLAP_INDEX_SUBSTR_INITIAL_MIN_LEN 2
-#define SLAP_INDEX_SUBSTR_INITIAL_MAX_LEN 4
-#define SLAP_INDEX_SUBSTR_FINAL_MIN_LEN 2
-#define SLAP_INDEX_SUBSTR_FINAL_MAX_LEN 4
+#define SLAP_INDEX_SUBSTR_MINLEN 2
+#define SLAP_INDEX_SUBSTR_MAXLEN 4
+#define SLAP_INDEX_SUBSTR_STEP 2
#define SLAP_INDEX_FLAGS 0xF000UL
#define SLAP_INDEX_SUBTYPES 0x1000UL /* use index with subtypes */
#define SLAP_INDEX_LANG 0x4000UL /* use index with lang subtypes */
#define SLAP_INDEX_AUTO_LANG 0x8000UL /* use mask with lang subtypes */
-typedef long slap_index;
-
/*
* there is a single index for each attribute. these prefixes ensure
* that there is no collision among keys.
#define SLAP_INDEX_EQUALITY_PREFIX '=' /* prefix for equality keys */
#define SLAP_INDEX_APPROX_PREFIX '~' /* prefix for approx keys */
#define SLAP_INDEX_SUBSTR_PREFIX '*' /* prefix for substring keys */
+#define SLAP_INDEX_SUBSTR_INITIAL_PREFIX '^'
+#define SLAP_INDEX_SUBSTR_FINAL_PREFIX '$'
#define SLAP_INDEX_CONT_PREFIX '.' /* prefix for continuation keys */
#define SLAP_INDEX_UNKNOWN_PREFIX '?' /* prefix for unknown keys */
*/
#define SLAP_SCHERR_OUTOFMEM 1
#define SLAP_SCHERR_CLASS_NOT_FOUND 2
-#define SLAP_SCHERR_ATTR_NOT_FOUND 3
-#define SLAP_SCHERR_DUP_CLASS 4
-#define SLAP_SCHERR_DUP_ATTR 5
-#define SLAP_SCHERR_DUP_SYNTAX 6
-#define SLAP_SCHERR_DUP_RULE 7
-#define SLAP_SCHERR_NO_NAME 8
-#define SLAP_SCHERR_ATTR_INCOMPLETE 9
-#define SLAP_SCHERR_MR_NOT_FOUND 10
-#define SLAP_SCHERR_SYN_NOT_FOUND 11
-#define SLAP_SCHERR_MR_INCOMPLETE 12
+#define SLAP_SCHERR_CLASS_BAD_USAGE 3
+#define SLAP_SCHERR_ATTR_NOT_FOUND 4
+#define SLAP_SCHERR_ATTR_BAD_USAGE 5
+#define SLAP_SCHERR_DUP_CLASS 6
+#define SLAP_SCHERR_DUP_ATTR 7
+#define SLAP_SCHERR_DUP_SYNTAX 8
+#define SLAP_SCHERR_DUP_RULE 9
+#define SLAP_SCHERR_NO_NAME 10
+#define SLAP_SCHERR_ATTR_INCOMPLETE 11
+#define SLAP_SCHERR_MR_NOT_FOUND 12
+#define SLAP_SCHERR_SYN_NOT_FOUND 13
+#define SLAP_SCHERR_MR_INCOMPLETE 14
+#define SLAP_SCHERR_NOT_SUPPORTED 15
+#define SLAP_SCHERR_BAD_DESCR 16
+
+typedef union slap_sockaddr {
+ struct sockaddr sa_addr;
+ struct sockaddr_in sa_in_addr;
+#ifdef LDAP_PF_INET6
+ struct sockaddr_in6 sa_in6_addr;
+#endif
+#ifdef LDAP_PF_LOCAL
+ struct sockaddr_un sa_un_addr;
+#endif
+} Sockaddr;
typedef struct slap_oid_macro {
struct berval som_oid;
struct berval ** out));
typedef struct slap_syntax {
- LDAP_SYNTAX ssyn_syn;
+ LDAPSyntax ssyn_syn;
#define ssyn_oid ssyn_syn.syn_oid
#define ssyn_desc ssyn_syn.syn_desc
#define ssyn_extensions ssyn_syn.syn_extensions
#define slap_syntax_is_ber(s) slap_syntax_is_flag((s),SLAP_SYNTAX_BER)
#define slap_syntax_is_hidden(s) slap_syntax_is_flag((s),SLAP_SYNTAX_HIDE)
-/* XXX -> UCS-2 Converter */
+/* X -> Y Converter */
typedef int slap_mr_convert_func LDAP_P((
struct berval * in,
struct berval ** out ));
/* Normalizer */
typedef int slap_mr_normalize_func LDAP_P((
- unsigned use,
+ slap_mask_t use,
struct slap_syntax *syntax, /* NULL if in is asserted value */
struct slap_matching_rule *mr,
struct berval * in,
/* Match (compare) function */
typedef int slap_mr_match_func LDAP_P((
int *match,
- unsigned flags,
+ slap_mask_t use,
struct slap_syntax *syntax, /* syntax of stored value */
struct slap_matching_rule *mr,
struct berval * value,
/* Index generation function */
typedef int slap_mr_indexer_func LDAP_P((
- unsigned flags,
+ slap_mask_t use,
+ slap_mask_t mask,
struct slap_syntax *syntax, /* syntax of stored value */
struct slap_matching_rule *mr,
struct berval *prefix,
/* Filter index function */
typedef int slap_mr_filter_func LDAP_P((
- unsigned flags,
+ slap_mask_t use,
+ slap_mask_t mask,
struct slap_syntax *syntax, /* syntax of stored value */
struct slap_matching_rule *mr,
struct berval *prefix,
struct berval ***keys ));
typedef struct slap_matching_rule {
- LDAP_MATCHING_RULE smr_mrule;
- unsigned smr_usage;
+ LDAPMatchingRule smr_mrule;
+ slap_mask_t smr_usage;
#define SLAP_MR_TYPE_MASK 0xFF00U
#define SLAP_MR_SUBTYPE_MASK 0x00F0U
/* this is used to kludge objectClass testing */
#define SLAP_MR_MODIFY_MATCHING 0x0001U
+/* are we matching from a mr asserted value or a real value */
+#define SLAP_MR_VALUE_IS_IN_MR_SYNTAX 0x0002U
Syntax *smr_syntax;
slap_mr_convert_func *smr_convert;
slap_mr_match_func *smr_match;
slap_mr_indexer_func *smr_indexer;
slap_mr_filter_func *smr_filter;
+
+ struct slap_matching_rule *smr_associated;
struct slap_matching_rule *smr_next;
+
#define smr_oid smr_mrule.mr_oid
#define smr_names smr_mrule.mr_names
#define smr_desc smr_mrule.mr_desc
#define smr_extensions smr_mrule.mr_extensions
} MatchingRule;
+struct slap_attr_desc;
+
typedef struct slap_attribute_type {
- char *sat_cname;
- LDAP_ATTRIBUTE_TYPE sat_atype;
+ LDAPAttributeType sat_atype;
+ struct berval sat_cname;
struct slap_attribute_type *sat_sup;
struct slap_attribute_type **sat_subtypes;
MatchingRule *sat_equality;
MatchingRule *sat_ordering;
MatchingRule *sat_substr;
Syntax *sat_syntax;
+ struct slap_attr_desc *sat_ad;
struct slap_attribute_type *sat_next;
+ ldap_pvt_thread_mutex_t sat_ad_mutex;
#define sat_oid sat_atype.at_oid
#define sat_names sat_atype.at_names
#define sat_desc sat_atype.at_desc
#define is_at_operational(at) ((at)->sat_usage)
#define is_at_single_value(at) ((at)->sat_single_value)
#define is_at_collective(at) ((at)->sat_collective)
+#define is_at_obsolete(at) ((at)->sat_obsolete)
#define is_at_no_user_mod(at) ((at)->sat_no_user_mod)
typedef struct slap_object_class {
- LDAP_OBJECT_CLASS soc_oclass;
+ LDAPObjectClass soc_oclass;
struct slap_object_class **soc_sups;
AttributeType **soc_required;
AttributeType **soc_allowed;
* represents a recognized attribute description ( type + options )
*/
typedef struct slap_attr_desc {
- struct berval *ad_cname; /* canonical name, must be specified */
+ struct slap_attr_desc *ad_next;
AttributeType *ad_type; /* attribute type, must be specified */
- char *ad_lang; /* NULL if no language tags */
+ struct berval ad_cname; /* canonical name, must be specified */
+ struct berval ad_lang; /* empty if no language tags */
unsigned ad_flags;
#define SLAP_DESC_NONE 0x0U
#define SLAP_DESC_BINARY 0x1U
} AttributeDescription;
-#define slap_ad_is_lang(ad) ( (ad)->ad_lang != NULL )
+#define slap_ad_is_lang(ad) ( (ad)->ad_lang.bv_len != 0 )
#define slap_ad_is_binary(ad) ( (int)((ad)->ad_flags & SLAP_DESC_BINARY) ? 1 : 0 )
/*
AttributeDescription *si_ad_supportedExtension;
AttributeDescription *si_ad_supportedLDAPVersion;
AttributeDescription *si_ad_supportedSASLMechanisms;
+ AttributeDescription *si_ad_supportedFeatures;
/* subschema subentry attribute descriptions */
AttributeDescription *si_ad_objectClasses;
/* Undefined Attribute Type */
AttributeType *si_at_undefined;
+
+ /* Matching Rules */
+ MatchingRule *si_mr_distinguishedNameMatch;
+ MatchingRule *si_mr_integerMatch;
+
+ /* Syntaxes */
+ Syntax *si_syn_distinguishedName;
+ Syntax *si_syn_integer;
};
typedef struct slap_attr_assertion {
} SubstringsAssertion;
typedef struct slap_mr_assertion {
- char *ma_rule; /* optional */
+ MatchingRule *ma_rule; /* optional */
+ char *ma_rule_text; /* optional */
AttributeDescription *ma_desc; /* optional */
int ma_dnattrs; /* boolean */
struct berval *ma_value; /* required */
#define f_sub_final f_un.f_un_ssa->sa_final
#define f_mra f_un.f_un_mra
#define f_mr_rule f_un.f_un_mra->ma_rule
+#define f_mr_rule_text f_un.f_un_mra->ma_rule_text
#define f_mr_desc f_un.f_un_mra->ma_desc
#define f_mr_value f_un.f_un_mra->ma_value
-#define f_mr_dnaddrs f_un.f_un_mra->ma_dnattrs
+#define f_mr_dnattrs f_un.f_un_mra->ma_dnattrs
/* and, or, not */
struct slap_filter *f_un_complex;
ACL_STYLE_EXACT = ACL_STYLE_BASE
} slap_style_t;
-typedef unsigned long slap_access_mask_t;
+typedef struct slap_authz_info {
+ ber_tag_t sai_method; /* LDAP_AUTH_* from <ldap.h> */
+ char * sai_mech; /* SASL Mechanism */
+ char * sai_dn; /* DN for reporting purposes */
+ char * sai_ndn; /* Normalized DN */
+
+ /* Security Strength Factors */
+ slap_ssf_t sai_ssf; /* Overall SSF */
+ slap_ssf_t sai_transport_ssf; /* Transport SSF */
+ slap_ssf_t sai_tls_ssf; /* TLS SSF */
+ slap_ssf_t sai_sasl_ssf; /* SASL SSF */
+} AuthorizationInformation;
/* the "by" part */
typedef struct slap_access {
#define ACL_LVL_ASSIGN_READ(m) ACL_PRIV_ASSIGN((m),ACL_LVL_READ)
#define ACL_LVL_ASSIGN_WRITE(m) ACL_PRIV_ASSIGN((m),ACL_LVL_WRITE)
- slap_access_mask_t a_mask;
+ slap_mask_t a_access_mask;
+
+ AuthorizationInformation a_authz;
+#define a_dn_pat a_authz.sai_dn
slap_style_t a_dn_style;
- char *a_dn_pat;
AttributeDescription *a_dn_at;
int a_dn_self;
#define SLAP_TRUNCATE_MODE 0x0100
+struct slap_replica_info {
+ char *ri_host; /* supersedes be_replica */
+ char **ri_nsuffix; /* array of suffixes this replica accepts */
+};
+
+struct slap_limits_set {
+ /* time limits */
+ int lms_t_soft;
+ int lms_t_hard;
+
+ /* size limits */
+ int lms_s_soft;
+ int lms_s_hard;
+ int lms_s_unchecked;
+};
+
+struct slap_limits {
+ int lm_type; /* type of pattern */
+#define SLAP_LIMITS_UNDEFINED 0x0000
+#define SLAP_LIMITS_EXACT 0x0001
+#define SLAP_LIMITS_REGEX 0x0002
+ regex_t lm_dn_regex; /* regex-based size and time limits */
+ char *lm_dn_pat; /* ndn for EXACT; pattern for REGEX */
+ struct slap_limits_set lm_limits;
+};
+
/* temporary aliases */
typedef BackendDB Backend;
#define nbackends nBackendDB
#define be_entry_close bd_info->bi_tool_entry_close
#define be_entry_first bd_info->bi_tool_entry_first
#define be_entry_next bd_info->bi_tool_entry_next
+#define be_entry_reindex bd_info->bi_tool_entry_reindex
#define be_entry_get bd_info->bi_tool_entry_get
#define be_entry_put bd_info->bi_tool_entry_put
-#define be_index_attr bd_info->bi_tool_index_attr
-#define be_index_change bd_info->bi_tool_index_change
#define be_sync bd_info->bi_tool_sync
#endif
-#ifdef HAVE_CYRUS_SASL
-#define be_sasl_authorize bd_info->bi_sasl_authorize
-#define be_sasl_getsecret bd_info->bi_sasl_getsecret
-#define be_sasl_putsecret bd_info->bi_sasl_putsecret
-#endif
+ slap_mask_t be_restrictops; /* restriction operations */
+#define SLAP_RESTRICT_OP_ADD 0x0001U
+#define SLAP_RESTRICT_OP_BIND 0x0002U
+#define SLAP_RESTRICT_OP_COMPARE 0x0004U
+#define SLAP_RESTRICT_OP_DELETE 0x0008U
+#define SLAP_RESTRICT_OP_EXTENDED 0x0010U
+#define SLAP_RESTRICT_OP_MODIFY 0x0020U
+#define SLAP_RESTRICT_OP_RENAME 0x0040U
+#define SLAP_RESTRICT_OP_SEARCH 0x0080U
+
+#define SLAP_RESTRICT_OP_READS \
+ ( SLAP_RESTRICT_OP_COMPARE \
+ | SLAP_RESTRICT_OP_SEARCH )
+#define SLAP_RESTRICT_OP_WRITES \
+ ( SLAP_RESTRICT_OP_ADD \
+ | SLAP_RESTRICT_OP_DELETE \
+ | SLAP_RESTRICT_OP_MODIFY \
+ | SLAP_RESTRICT_OP_RENAME )
+
+#define SLAP_ALLOW_TLS_2_ANON 0x0001U /* StartTLS -> Anonymous */
+
+#define SLAP_DISALLOW_BIND_V2 0x0001U /* LDAPv2 bind */
+#define SLAP_DISALLOW_BIND_ANON 0x0002U /* no anonymous */
+#define SLAP_DISALLOW_BIND_ANON_CRED \
+ 0x0004U /* cred should be empty */
+#define SLAP_DISALLOW_BIND_ANON_DN \
+ 0x0008U /* dn should be empty */
+
+#define SLAP_DISALLOW_BIND_SIMPLE 0x0010U /* simple authentication */
+#define SLAP_DISALLOW_BIND_KRBV4 0x0020U /* Kerberos V4 authentication */
+
+#define SLAP_DISALLOW_TLS_AUTHC 0x0100U /* TLS while authenticated */
+
+ slap_mask_t be_requires; /* pre-operation requirements */
+#define SLAP_REQUIRE_BIND 0x0001U /* bind before op */
+#define SLAP_REQUIRE_LDAP_V3 0x0002U /* LDAPv3 before op */
+#define SLAP_REQUIRE_AUTHC 0x0004U /* authentication before op */
+#define SLAP_REQUIRE_SASL 0x0008U /* SASL before op */
+#define SLAP_REQUIRE_STRONG 0x0010U /* strong authentication before op */
+
+ /* Required Security Strength Factor */
+ slap_ssf_set_t be_ssf_set;
/* these should be renamed from be_ to bd_ */
char **be_suffix; /* the DN suffixes of data in this backend */
char *be_root_dn; /* the magic "root" dn for this db */
char *be_root_ndn; /* the magic "root" normalized dn for this db */
struct berval be_root_pw; /* the magic "root" password for this db */
- int be_readonly; /* 1 => db is in "read only" mode */
unsigned int be_max_deref_depth; /* limit for depth of an alias deref */
- int be_sizelimit; /* size limit for this backend */
- int be_timelimit; /* time limit for this backend */
+#define be_sizelimit be_def_limit.lms_s_soft
+#define be_timelimit be_def_limit.lms_t_soft
+ struct slap_limits_set be_def_limit; /* default limits */
+ struct slap_limits **be_limits; /* regex-based size and time limits */
AccessControl *be_acl; /* access control list for this backend */
slap_access_t be_dfltaccess; /* access given if no acl matches */
- char **be_replica; /* replicas of this backend (in master) */
+ struct slap_replica_info **be_replica; /* replicas of this backend (in master) */
char *be_replogfile; /* replication log file (in master) */
char *be_update_ndn; /* allowed to make changes (in replicas) */
struct berval **be_update_refs; /* where to refer modifying clients to */
struct slap_op;
typedef int (*SLAP_EXTENDED_FN) LDAP_P((
- Backend *be,
- struct slap_conn *conn,
+ BackendDB *be,
+ struct slap_conn *conn,
struct slap_op *op,
const char *reqoid,
struct berval * reqdata,
SLAP_EXTENDED_FN bi_extended;
/* Auxilary Functions */
- int (*bi_entry_release_rw) LDAP_P((BackendDB *bd, Entry *e, int rw));
+ int (*bi_entry_release_rw) LDAP_P((BackendDB *bd,
+ struct slap_conn *c, struct slap_op *o,
+ Entry *e, int rw));
int (*bi_chk_referrals) LDAP_P((BackendDB *bd,
struct slap_conn *c, struct slap_op *o,
const char **text ));
int (*bi_acl_group) LDAP_P((Backend *bd,
+ struct slap_conn *c, struct slap_op *o,
Entry *e, const char *bdn, const char *edn,
ObjectClass *group_oc,
AttributeDescription *group_at ));
ID (*bi_tool_entry_next) LDAP_P(( BackendDB *be ));
Entry* (*bi_tool_entry_get) LDAP_P(( BackendDB *be, ID id ));
ID (*bi_tool_entry_put) LDAP_P(( BackendDB *be, Entry *e ));
- int (*bi_tool_index_attr) LDAP_P(( BackendDB *be,
- AttributeDescription *desc ));
- int (*bi_tool_index_change) LDAP_P(( BackendDB *be,
- AttributeDescription *desc,
- struct berval **bv, ID id, int op ));
+ int (*bi_tool_entry_reindex) LDAP_P(( BackendDB *be, ID id ));
int (*bi_tool_sync) LDAP_P(( BackendDB *be ));
-#ifdef HAVE_CYRUS_SASL
- int (*bi_sasl_authorize) LDAP_P(( BackendDB *be,
- const char *authnid, const char *authzid,
- const char **canon_authzid, const char **errstr ));
- int (*bi_sasl_getsecret) LDAP_P(( BackendDB *be,
- const char *mechanism, const char *authzid,
- const char *realm, sasl_secret_t **secret ));
- int (*bi_sasl_putsecret) LDAP_P(( BackendDB *be,
- const char *mechanism, const char *auth_identity,
- const char *realm, const sasl_secret_t *secret ));
-#endif /* HAVE_CYRUS_SASL */
-
#define SLAP_INDEX_ADD_OP 0x0001
#define SLAP_INDEX_DELETE_OP 0x0002
void *bi_private; /* anything the backend type needs */
};
+#define c_authtype c_authz.sai_method
+#define c_authmech c_authz.sai_mech
+#define c_dn c_authz.sai_dn
+#define c_ssf c_authz.sai_ssf
+#define c_transport_ssf c_authz.sai_transport_ssf
+#define c_tls_ssf c_authz.sai_tls_ssf
+#define c_sasl_ssf c_authz.sai_sasl_ssf
+
+#define o_authtype o_authz.sai_method
+#define o_authmech o_authz.sai_mech
+#define o_dn o_authz.sai_dn
+#define o_ndn o_authz.sai_ndn
+#define o_ssf o_authz.sai_ssf
+#define o_transport_ssf o_authz.sai_transport_ssf
+#define o_tls_ssf o_authz.sai_tls_ssf
+#define o_sasl_ssf o_authz.sai_sasl_ssf
+
/*
* represents an operation pending from an ldap client
*/
typedef struct slap_op {
ber_int_t o_opid; /* id of this operation */
ber_int_t o_msgid; /* msgid of the request */
+#ifdef LDAP_CONNECTIONLESS
+ Sockaddr o_peeraddr; /* UDP peer address */
+#endif
- ldap_pvt_thread_t o_tid; /* thread handling this op */
+ ldap_pvt_thread_t o_tid; /* thread handling this op */
BerElement *o_ber; /* ber of the request */
ber_tag_t o_tag; /* tag of the request */
time_t o_time; /* time op was initiated */
-#ifdef SLAP_AUTHZID
- /* should only be used for reporting purposes */
- char *o_authc_dn; /* authentication DN */
-
- /* should be used as the DN of the User */
- char *o_authz_dn; /* authorization DN */
- char *o_authz_ndn; /* authorizaiton NDN */
-
-#else
- char *o_dn; /* dn bound when op was initiated */
- char *o_ndn; /* normalized dn bound when op was initiated */
-#endif
+ AuthorizationInformation o_authz;
ber_int_t o_protocol; /* version of the LDAP protocol used by client */
- ber_tag_t o_authtype; /* auth method used to bind dn */
- /* values taken from ldap.h */
- /* LDAP_AUTH_* */
- char *o_authmech; /* SASL mechanism used to bind dn */
LDAPControl **o_ctrls; /* controls */
unsigned long o_connid; /* id of conn initiating this op */
-#ifdef LDAP_CONNECTIONLESS
- int o_cldap; /* != 0 if this came in via CLDAP */
- struct sockaddr o_clientaddr; /* client address if via CLDAP */
- char o_searchbase; /* search base if via CLDAP */
-#endif
-
ldap_pvt_thread_mutex_t o_abandonmutex; /* protects o_abandon */
int o_abandon; /* abandon flag */
void *o_private; /* anything the backend needs */
} Operation;
+/*
+ * Caches the result of a backend_group check for ACL evaluation
+ */
+typedef struct slap_gacl {
+ struct slap_gacl *next;
+ Backend *be;
+ ObjectClass *oc;
+ AttributeDescription *at;
+ int res;
+ int len;
+ char ndn[1];
+} GroupAssertion;
+
/*
* represents a connection from an ldap client
*/
/* only can be changed by binding thread */
int c_sasl_bind_in_progress; /* multi-op bind in progress */
char *c_sasl_bind_mech; /* mech in progress */
-#ifdef HAVE_CYRUS_SASL
- sasl_conn_t *c_sasl_bind_context; /* Cyrus SASL state data */
-#endif
+ char *c_cdn;
/* authentication backend */
Backend *c_authc_backend;
/* authorization backend - normally same as c_authc_backend */
Backend *c_authz_backend;
-#ifdef SLAP_AUTHZID
- /* authentication backend */
- /* should only be used for reporting purposes */
- char *c_authc_dn; /* authentication DN */
-
- /* should be used as the DN of the User */
- char *c_authz_dn; /* authorization DN */
- char *c_authz_ndn; /* authorization NDN */
-
-#else
- char *c_cdn; /* DN provided by the client */
- char *c_dn; /* DN bound to this conn */
-#endif
+ AuthorizationInformation c_authz;
+ GroupAssertion *c_groups;
ber_int_t c_protocol; /* version of the LDAP protocol used by client */
- ber_tag_t c_authtype;/* auth method used to bind c_dn */
- char *c_authmech; /* SASL mechanism used to bind c_dn */
Operation *c_ops; /* list of operations being processed */
Operation *c_pending_ops; /* list of pending operations */
BerElement *c_currentber; /* ber we're attempting to read */
int c_writewaiter; /* true if writer is waiting */
+#ifdef LDAP_CONNECTIONLESS
+ int c_is_udp; /* true if this is (C)LDAP over UDP */
+#endif
#ifdef HAVE_TLS
int c_is_tls; /* true if this LDAP over raw TLS */
int c_needs_tls_accept; /* true if SSL_accept should be called */
#endif
+ int c_sasl_layers; /* true if we need to install SASL i/o handlers */
+ void *c_sasl_context; /* SASL session context */
+ void *c_sasl_extra; /* SASL session extra stuff */
long c_n_ops_received; /* num of ops received (next op_id) */
long c_n_ops_executing; /* num of ops currently executing */
#define Statslog( level, fmt, connid, opid, arg1, arg2, arg3 )
#endif
+
+#define SASLREGEX_REPLACE 10
+#define SASL_AUTHZ_SOURCE_ATTR "saslAuthzTo"
+#define SASL_AUTHZ_DEST_ATTR "saslAuthzFrom"
+
+typedef struct sasl_regexp {
+ char *match; /* regexp match pattern */
+ char *replace; /* regexp replace pattern */
+ regex_t workspace; /* workspace for regexp engine */
+ regmatch_t strings[SASLREGEX_REPLACE]; /* strings matching $1,$2 ... */
+ int offset[SASLREGEX_REPLACE+2]; /* offsets of $1,$2... in *replace */
+} SaslRegexp_t;
+
+/* Flags for telling slap_sasl_getdn() what type of identity is being passed */
+#define FLAG_GETDN_FINAL 1
+#define FLAG_GETDN_AUTHCID 2
+#define FLAG_GETDN_AUTHZID 4
+
+
LDAP_END_DECL
#include "proto-slap.h"
projects / openldap / blobdiff