X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;ds=sidebyside;f=servers%2Fslapd%2Fdn.c;h=23aa4e78399eac50b14aee2a5505ef497439b452;hb=40e22918dfa357b5c3f7d787e45bb6404c099022;hp=226937efa99f521a9c0cf0d6ef98deeb631f7fe7;hpb=42e0d83cb3a1a1c5b25183f1ab74ce7edbe25de7;p=openldap diff --git a/servers/slapd/dn.c b/servers/slapd/dn.c index 226937efa9..23aa4e7839 100644 --- a/servers/slapd/dn.c +++ b/servers/slapd/dn.c @@ -1,262 +1,866 @@ /* dn.c - routines for dealing with distinguished names */ +/* $OpenLDAP$ */ +/* + * Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved. + * COPYING RESTRICTIONS APPLY, see COPYRIGHT file + */ -#include -#include -#include -#include -#include -#include #include "portable.h" + +#include + +#include +#include +#include +#include + +#include "ldap_pvt.h" + #include "slap.h" -static char **dn_explode(); +const struct berval slap_empty_bv = { 0, "" }; + +#define SLAP_LDAPDN_PRETTY 0x1 -#define DNSEPARATOR(c) (c == ',' || c == ';') -#define SEPARATOR(c) (c == ',' || c == ';' || c == '+') -#define SPACE(c) (c == ' ' || c == '\n') -#define NEEDSESCAPE(c) (c == '\\' || c == '"') -#define B4TYPE 0 -#define INTYPE 1 -#define B4EQUAL 2 -#define B4VALUE 3 -#define INVALUE 4 -#define INQUOTEDVALUE 5 -#define B4SEPARATOR 6 +#define SLAP_LDAPDN_MAXLEN 8192 /* - * dn_normalize - put dn into a canonical format. the dn is - * normalized in place, as well as returned. + * The DN syntax-related functions take advantage of the dn representation + * handling functions ldap_str2dn/ldap_dn2str. The latter are not schema- + * aware, so the attributes and their values need be validated (and possibly + * normalized). In the current implementation the required validation/nor- + * malization/"pretty"ing are done on newly created DN structural represen- + * tations; however the idea is to move towards DN handling in structural + * representation instead of the current string representation. To this + * purpose, we need to do only the required operations and keep track of + * what has been done to minimize their impact on performances. + * + * Developers are strongly encouraged to use this feature, to speed-up + * its stabilization. */ -char * -dn_normalize( char *dn ) +#define AVA_PRIVATE( ava ) ( ( AttributeDescription * )(ava)->la_private ) + +/* + * In-place, schema-aware validation of the + * structural representation of a distinguished name. + */ +static int +LDAPDN_validate( LDAPDN *dn ) { - char *d, *s; - int state, gotesc; - - /* Debug( LDAP_DEBUG_TRACE, "=> dn_normalize \"%s\"\n", dn, 0, 0 ); */ - - gotesc = 0; - state = B4TYPE; - for ( d = s = dn; *s; s++ ) { - switch ( state ) { - case B4TYPE: - if ( ! SPACE( *s ) ) { - state = INTYPE; - *d++ = *s; + int iRDN; + int rc; + + assert( dn ); + + for ( iRDN = 0; dn[ 0 ][ iRDN ]; iRDN++ ) { + LDAPRDN *rdn = dn[ 0 ][ iRDN ]; + int iAVA; + + assert( rdn ); + + for ( iAVA = 0; rdn[ 0 ][ iAVA ]; iAVA++ ) { + LDAPAVA *ava = rdn[ 0 ][ iAVA ]; + AttributeDescription *ad; + slap_syntax_validate_func *validate = NULL; + + assert( ava ); + + if ( ( ad = AVA_PRIVATE( ava ) ) == NULL ) { + const char *text = NULL; + + rc = slap_bv2ad( &ava->la_attr, &ad, &text ); + if ( rc != LDAP_SUCCESS ) { + return LDAP_INVALID_SYNTAX; + } + + ava->la_private = ( void * )ad; } - break; - case INTYPE: - if ( *s == '=' ) { - state = B4VALUE; - *d++ = *s; - } else if ( SPACE( *s ) ) { - state = B4EQUAL; - } else { - *d++ = *s; + + /* + * Replace attr oid/name with the canonical name + */ + ava->la_attr = ad->ad_cname; + + validate = ad->ad_type->sat_syntax->ssyn_validate; + + if ( validate ) { + /* + * validate value by validate function + */ + rc = ( *validate )( ad->ad_type->sat_syntax, + &ava->la_value ); + + if ( rc != LDAP_SUCCESS ) { + return LDAP_INVALID_SYNTAX; + } } + } + } + + return LDAP_SUCCESS; +} + +/* + * dn validate routine + */ +int +dnValidate( + Syntax *syntax, + struct berval *in ) +{ + int rc; + LDAPDN *dn = NULL; + + assert( in ); + + if ( in->bv_len == 0 ) { + return LDAP_SUCCESS; + + } else if ( in->bv_len > SLAP_LDAPDN_MAXLEN ) { + return LDAP_INVALID_SYNTAX; + } + + rc = ldap_bv2dn( in, &dn, LDAP_DN_FORMAT_LDAP ); + if ( rc != LDAP_SUCCESS ) { + return LDAP_INVALID_SYNTAX; + } + + assert( strlen( in->bv_val ) == in->bv_len ); + + /* + * Schema-aware validate + */ + rc = LDAPDN_validate( dn ); + ldap_dnfree( dn ); + + if ( rc != LDAP_SUCCESS ) { + return LDAP_INVALID_SYNTAX; + } + + return LDAP_SUCCESS; +} + +/* + * AVA sorting inside a RDN + * + * rule: sort attributeTypes in alphabetical order; in case of multiple + * occurrences of the same attributeType, sort values in byte order + * (use memcmp, which implies alphabetical order in case of IA5 value; + * this should guarantee the repeatability of the operation). + * + * Note: the sorting can be slightly improved by sorting first + * by attribute type length, then by alphabetical order. + * + * uses a linear search; should be fine since the number of AVAs in + * a RDN should be limited. + */ +static void +AVA_Sort( LDAPRDN *rdn, int iAVA ) +{ + int i; + LDAPAVA *ava_in = rdn[ 0 ][ iAVA ]; + + assert( rdn ); + assert( ava_in ); + + for ( i = 0; i < iAVA; i++ ) { + LDAPAVA *ava = rdn[ 0 ][ i ]; + int a, j; + + assert( ava ); + + a = strcmp( ava_in->la_attr.bv_val, ava->la_attr.bv_val ); + + if ( a > 0 ) { break; - case B4EQUAL: - if ( *s == '=' ) { - state = B4VALUE; - *d++ = *s; - } else if ( ! SPACE( *s ) ) { - /* not a valid dn - but what can we do here? */ - *d++ = *s; + } + + while ( a == 0 ) { + int v, d; + + d = ava_in->la_value.bv_len - ava->la_value.bv_len; + + v = memcmp( ava_in->la_value.bv_val, + ava->la_value.bv_val, + d <= 0 ? ava_in->la_value.bv_len + : ava->la_value.bv_len ); + + if ( v == 0 && d != 0 ) { + v = d; } - break; - case B4VALUE: - if ( *s == '"' ) { - state = INQUOTEDVALUE; - *d++ = *s; - } else if ( ! SPACE( *s ) ) { - state = INVALUE; - *d++ = *s; + + if ( v <= 0 ) { + /* + * got it! + */ + break; } - break; - case INVALUE: - if ( !gotesc && SEPARATOR( *s ) ) { - while ( SPACE( *(d - 1) ) ) - d--; - state = B4TYPE; - if ( *s == '+' ) { - *d++ = *s; - } else { - *d++ = ','; + + if ( ++i == iAVA ) { + /* + * already sorted + */ + return; + } + + ava = rdn[ 0 ][ i ]; + a = strcmp( ava_in->la_attr.bv_val, + ava->la_attr.bv_val ); + } + + /* + * move ahead + */ + for ( j = iAVA; j > i; j-- ) { + rdn[ 0 ][ j ] = rdn[ 0 ][ j - 1 ]; + } + rdn[ 0 ][ i ] = ava_in; + + return; + } +} + +/* + * In-place, schema-aware normalization / "pretty"ing of the + * structural representation of a distinguished name. + */ +static int +LDAPDN_rewrite( LDAPDN *dn, unsigned flags ) +{ + int iRDN; + int rc; + + assert( dn ); + + for ( iRDN = 0; dn[ 0 ][ iRDN ]; iRDN++ ) { + LDAPRDN *rdn = dn[ 0 ][ iRDN ]; + int iAVA; + + assert( rdn ); + + for ( iAVA = 0; rdn[ 0 ][ iAVA ]; iAVA++ ) { + LDAPAVA *ava = rdn[ 0 ][ iAVA ]; + AttributeDescription *ad; + slap_syntax_validate_func *validf = NULL; + slap_syntax_transform_func *transf = NULL; + MatchingRule *mr; + struct berval bv = { 0, NULL }; + int do_sort = 0; + + assert( ava ); + + if ( ( ad = AVA_PRIVATE( ava ) ) == NULL ) { + const char *text = NULL; + + rc = slap_bv2ad( &ava->la_attr, &ad, &text ); + if ( rc != LDAP_SUCCESS ) { + return LDAP_INVALID_SYNTAX; } - } else if ( gotesc && !NEEDSESCAPE( *s ) && - !SEPARATOR( *s ) ) { - *--d = *s; - d++; - } else { - *d++ = *s; + + ava->la_private = ( void * )ad; + do_sort = 1; } - break; - case INQUOTEDVALUE: - if ( !gotesc && *s == '"' ) { - state = B4SEPARATOR; - *d++ = *s; - } else if ( gotesc && !NEEDSESCAPE( *s ) ) { - *--d = *s; - d++; + + /* + * Replace attr oid/name with the canonical name + */ + ava->la_attr = ad->ad_cname; + + if( ava->la_flags & LDAP_AVA_BINARY ) { + /* AVA is binary encoded, don't muck with it */ + validf = NULL; + transf = NULL; + mr = NULL; + } else if( flags & SLAP_LDAPDN_PRETTY ) { + validf = NULL; + transf = ad->ad_type->sat_syntax->ssyn_pretty; + mr = NULL; } else { - *d++ = *s; + validf = ad->ad_type->sat_syntax->ssyn_validate; + transf = ad->ad_type->sat_syntax->ssyn_normalize; + mr = ad->ad_type->sat_equality; } - break; - case B4SEPARATOR: - if ( SEPARATOR( *s ) ) { - state = B4TYPE; - *d++ = *s; + + if ( validf ) { + /* validate value before normalization */ + rc = ( *validf )( ad->ad_type->sat_syntax, + ava->la_value.bv_len + ? &ava->la_value + : (struct berval *) &slap_empty_bv ); + + if ( rc != LDAP_SUCCESS ) { + return LDAP_INVALID_SYNTAX; + } } - break; - default: - Debug( LDAP_DEBUG_ANY, - "dn_normalize - unknown state %d\n", state, 0, 0 ); - break; - } - if ( *s == '\\' ) { - gotesc = 1; - } else { - gotesc = 0; + + if ( transf ) { + /* + * transform value by normalize/pretty function + * if value is empty, use empty_bv + */ + rc = ( *transf )( ad->ad_type->sat_syntax, + ava->la_value.bv_len + ? &ava->la_value + : (struct berval *) &slap_empty_bv, + &bv ); + + if ( rc != LDAP_SUCCESS ) { + return LDAP_INVALID_SYNTAX; + } + } + + if( mr && ( mr->smr_usage & SLAP_MR_DN_FOLD ) ) { + char *s = bv.bv_val; + + if ( UTF8bvnormalize( &bv, &bv, + LDAP_UTF8_CASEFOLD ) == NULL ) { + return LDAP_INVALID_SYNTAX; + } + free( s ); + } + + if( bv.bv_val ) { + free( ava->la_value.bv_val ); + ava->la_value = bv; + } + + if( do_sort ) AVA_Sort( rdn, iAVA ); } } - *d = '\0'; - /* Debug( LDAP_DEBUG_TRACE, "<= dn_normalize \"%s\"\n", dn, 0, 0 ); */ - return( dn ); + return LDAP_SUCCESS; } /* - * dn_normalize_case - put dn into a canonical form suitable for storing - * in a hash database. this involves normalizing the case as well as - * the format. the dn is normalized in place as well as returned. + * dn normalize routine */ +int +dnNormalize( + Syntax *syntax, + struct berval *val, + struct berval **normalized ) +{ + struct berval *out; + int rc; + + assert( normalized && *normalized == NULL ); -char * -dn_normalize_case( char *dn ) + out = ch_malloc( sizeof( struct berval ) ); + rc = dnNormalize2( syntax, val, out ); + if ( rc != LDAP_SUCCESS ) + free( out ); + else + *normalized = out; + return rc; +} + +int +dnNormalize2( + Syntax *syntax, + struct berval *val, + struct berval *out ) { - char *s; + assert( val ); + assert( out ); + + Debug( LDAP_DEBUG_TRACE, ">>> dnNormalize: <%s>\n", val->bv_val, 0, 0 ); - /* normalize format */ - dn_normalize( dn ); + if ( val->bv_len != 0 ) { + LDAPDN *dn = NULL; + int rc; - /* normalize case */ - for ( s = dn; *s; s++ ) { - *s = TOUPPER( *s ); + /* + * Go to structural representation + */ + rc = ldap_bv2dn( val, &dn, LDAP_DN_FORMAT_LDAP ); + if ( rc != LDAP_SUCCESS ) { + return LDAP_INVALID_SYNTAX; + } + + assert( strlen( val->bv_val ) == val->bv_len ); + + /* + * Schema-aware rewrite + */ + if ( LDAPDN_rewrite( dn, 0 ) != LDAP_SUCCESS ) { + ldap_dnfree( dn ); + return LDAP_INVALID_SYNTAX; + } + + /* + * Back to string representation + */ + rc = ldap_dn2bv( dn, out, LDAP_DN_FORMAT_LDAPV3 ); + + ldap_dnfree( dn ); + + if ( rc != LDAP_SUCCESS ) { + return LDAP_INVALID_SYNTAX; + } + } else { + ber_dupbv( out, val ); } - return( dn ); + Debug( LDAP_DEBUG_TRACE, "<<< dnNormalize: <%s>\n", out->bv_val, 0, 0 ); + + return LDAP_SUCCESS; } /* - * dn_parent - return a copy of the dn of dn's parent + * dn "pretty"ing routine */ +int +dnPretty( + Syntax *syntax, + struct berval *val, + struct berval **pretty) +{ + struct berval *out; + int rc; + + assert( pretty && *pretty == NULL ); -char * -dn_parent( - Backend *be, - char *dn -) + out = ch_malloc( sizeof( struct berval ) ); + rc = dnPretty2( syntax, val, out ); + if ( rc != LDAP_SUCCESS ) + free( out ); + else + *pretty = out; + return rc; +} + +int +dnPretty2( + Syntax *syntax, + struct berval *val, + struct berval *out) { - char *s; - int inquote, gotesc; + assert( val ); + assert( out ); - if ( dn == NULL || *dn == '\0' || be_issuffix( be, dn ) ) { - return( NULL ); - } +#ifdef NEW_LOGGING + LDAP_LOG( OPERATION, ARGS, ">>> dnPretty: <%s>\n", val->bv_val, 0, 0 ); +#else + Debug( LDAP_DEBUG_TRACE, ">>> dnPretty: <%s>\n", val->bv_val, 0, 0 ); +#endif - /* - * no =, assume it is a dns name, like blah@some.domain.name - * if the blah@ part is there, return some.domain.name. if - * it's just some.domain.name, return domain.name. - */ - if ( strchr( dn, '=' ) == NULL ) { - if ( (s = strchr( dn, '@' )) == NULL ) { - if ( (s = strchr( dn, '.' )) == NULL ) { - return( NULL ); - } + if ( val->bv_len == 0 ) { + ber_dupbv( out, val ); + + } else if ( val->bv_len > SLAP_LDAPDN_MAXLEN ) { + return LDAP_INVALID_SYNTAX; + + } else { + LDAPDN *dn = NULL; + int rc; + + /* FIXME: should be liberal in what we accept */ + rc = ldap_bv2dn( val, &dn, LDAP_DN_FORMAT_LDAP ); + if ( rc != LDAP_SUCCESS ) { + return LDAP_INVALID_SYNTAX; + } + + assert( strlen( val->bv_val ) == val->bv_len ); + + /* + * Schema-aware rewrite + */ + if ( LDAPDN_rewrite( dn, SLAP_LDAPDN_PRETTY ) != LDAP_SUCCESS ) { + ldap_dnfree( dn ); + return LDAP_INVALID_SYNTAX; } - if ( *(s + 1) == '\0' ) { - return( NULL ); - } else { - return( strdup( s + 1 ) ); + + /* FIXME: not sure why the default isn't pretty */ + /* RE: the default is the form that is used as + * an internal representation; the pretty form + * is a variant */ + rc = ldap_dn2bv( dn, out, + LDAP_DN_FORMAT_LDAPV3 | LDAP_DN_PRETTY ); + + ldap_dnfree( dn ); + + if ( rc != LDAP_SUCCESS ) { + return LDAP_INVALID_SYNTAX; } } - /* - * else assume it is an X.500-style name, which looks like - * foo=bar,sha=baz,... - */ + Debug( LDAP_DEBUG_TRACE, "<<< dnPretty: <%s>\n", out->bv_val, 0, 0 ); + + return LDAP_SUCCESS; +} + +/* + * Combination of both dnPretty and dnNormalize + */ +int +dnPrettyNormal( + Syntax *syntax, + struct berval *val, + struct berval *pretty, + struct berval *normal) +{ +#ifdef NEW_LOGGING + LDAP_LOG ( OPERATION, ENTRY, ">>> dnPrettyNormal: <%s>\n", val->bv_val, 0, 0 ); +#else + Debug( LDAP_DEBUG_TRACE, ">>> dnPrettyNormal: <%s>\n", val->bv_val, 0, 0 ); +#endif + + assert( val ); + assert( pretty ); + assert( normal ); + + if ( val->bv_len == 0 ) { + ber_dupbv( pretty, val ); + ber_dupbv( normal, val ); + + } else if ( val->bv_len > SLAP_LDAPDN_MAXLEN ) { + /* too big */ + return LDAP_INVALID_SYNTAX; + + } else { + LDAPDN *dn = NULL; + int rc; + + pretty->bv_val = NULL; + normal->bv_val = NULL; + pretty->bv_len = 0; + normal->bv_len = 0; + + /* FIXME: should be liberal in what we accept */ + rc = ldap_bv2dn( val, &dn, LDAP_DN_FORMAT_LDAP ); + if ( rc != LDAP_SUCCESS ) { + return LDAP_INVALID_SYNTAX; + } + + assert( strlen( val->bv_val ) == val->bv_len ); + + /* + * Schema-aware rewrite + */ + if ( LDAPDN_rewrite( dn, SLAP_LDAPDN_PRETTY ) != LDAP_SUCCESS ) { + ldap_dnfree( dn ); + return LDAP_INVALID_SYNTAX; + } + + rc = ldap_dn2bv( dn, pretty, + LDAP_DN_FORMAT_LDAPV3 | LDAP_DN_PRETTY ); - inquote = 0; - for ( s = dn; *s; s++ ) { - if ( *s == '\\' ) { - if ( *(s + 1) ) - s++; - continue; + if ( rc != LDAP_SUCCESS ) { + ldap_dnfree( dn ); + return LDAP_INVALID_SYNTAX; } - if ( inquote ) { - if ( *s == '"' ) - inquote = 0; - } else { - if ( *s == '"' ) - inquote = 1; - else if ( DNSEPARATOR( *s ) ) - return( strdup( s + 1 ) ); + + if ( LDAPDN_rewrite( dn, 0 ) != LDAP_SUCCESS ) { + ldap_dnfree( dn ); + free( pretty->bv_val ); + pretty->bv_val = NULL; + pretty->bv_len = 0; + return LDAP_INVALID_SYNTAX; + } + + rc = ldap_dn2bv( dn, normal, LDAP_DN_FORMAT_LDAPV3 ); + + ldap_dnfree( dn ); + if ( rc != LDAP_SUCCESS ) { + free( pretty->bv_val ); + pretty->bv_val = NULL; + pretty->bv_len = 0; + return LDAP_INVALID_SYNTAX; } } - return( NULL ); +#ifdef NEW_LOGGING + LDAP_LOG (OPERATION, RESULTS, "<<< dnPrettyNormal: <%s>, <%s>\n", + pretty->bv_val, normal->bv_val, 0 ); +#else + Debug( LDAP_DEBUG_TRACE, "<<< dnPrettyNormal: <%s>, <%s>\n", + pretty->bv_val, normal->bv_val, 0 ); +#endif + + return LDAP_SUCCESS; +} + +/* + * dnMatch routine + */ +int +dnMatch( + int *matchp, + slap_mask_t flags, + Syntax *syntax, + MatchingRule *mr, + struct berval *value, + void *assertedValue ) +{ + int match; + struct berval *asserted = (struct berval *) assertedValue; + + assert( matchp ); + assert( value ); + assert( assertedValue ); + + match = value->bv_len - asserted->bv_len; + + if ( match == 0 ) { + match = memcmp( value->bv_val, asserted->bv_val, + value->bv_len ); + } + +#ifdef NEW_LOGGING + LDAP_LOG( CONFIG, ENTRY, "dnMatch: %d\n %s\n %s\n", + match, value->bv_val, asserted->bv_val ); +#else + Debug( LDAP_DEBUG_ARGS, "dnMatch %d\n\t\"%s\"\n\t\"%s\"\n", + match, value->bv_val, asserted->bv_val ); +#endif + + *matchp = match; + return( LDAP_SUCCESS ); } /* - * dn_issuffix - tells whether suffix is a suffix of dn. both dn - * and suffix must be normalized. + * dnParent - dn's parent, in-place + * + * note: the incoming dn is assumed to be normalized/prettyfied, + * so that escaped rdn/ava separators are in '\'+hexpair form */ +void +dnParent( + struct berval *dn, + struct berval *pdn ) +{ + char *p; + + p = strchr( dn->bv_val, ',' ); + + /* one-level dn */ + if ( p == NULL ) { + pdn->bv_len = 0; + pdn->bv_val = dn->bv_val + dn->bv_len; + return; + } + + assert( DN_SEPARATOR( p[ 0 ] ) ); + p++; + + assert( ATTR_LEADCHAR( p[ 0 ] ) ); + pdn->bv_val = p; + pdn->bv_len = dn->bv_len - (p - dn->bv_val); + + return; +} int -dn_issuffix( - char *dn, - char *suffix -) +dnExtractRdn( + struct berval *dn, + struct berval *rdn ) { - int dnlen, suffixlen; + LDAPRDN *tmpRDN; + const char *p; + int rc; - if ( dn == NULL ) { - return( 0 ); + assert( dn ); + assert( rdn ); + + if( dn->bv_len == 0 ) { + return LDAP_OTHER; } - suffixlen = strlen( suffix ); - dnlen = strlen( dn ); + rc = ldap_bv2rdn( dn, &tmpRDN, (char **)&p, LDAP_DN_FORMAT_LDAP ); + if ( rc != LDAP_SUCCESS ) { + return rc; + } - if ( suffixlen > dnlen ) { - return( 0 ); + rc = ldap_rdn2bv( tmpRDN, rdn, LDAP_DN_FORMAT_LDAPV3 ); + ldap_rdnfree( tmpRDN ); + if ( rc != LDAP_SUCCESS ) { + return rc; } - return( strcasecmp( dn + dnlen - suffixlen, suffix ) == 0 ); + return LDAP_SUCCESS; } /* - * dn_type - tells whether the given dn is an X.500 thing or DNS thing - * returns (defined in slap.h): DN_DNS dns-style thing - * DN_X500 x500-style thing + * We can assume the input is a prettied or normalized DN */ +int +dn_rdnlen( + Backend *be, + struct berval *dn_in ) +{ + const char *p; + + assert( dn_in ); + + if ( dn_in == NULL ) { + return 0; + } + + if ( !dn_in->bv_len ) { + return 0; + } + if ( be != NULL && be_issuffix( be, dn_in ) ) { + return 0; + } + + p = strchr( dn_in->bv_val, ',' ); + + return p ? p - dn_in->bv_val : dn_in->bv_len; +} + + +/* rdnValidate: + * + * LDAP_SUCCESS if rdn is a legal rdn; + * LDAP_INVALID_SYNTAX otherwise (including a sequence of rdns) + */ int -dn_type( char *dn ) +rdnValidate( struct berval *rdn ) +{ +#if 1 + /* Major cheat! + * input is a pretty or normalized DN + * hence, we can just search for ',' + */ + if( rdn == NULL || rdn->bv_len == 0 || + rdn->bv_len > SLAP_LDAPDN_MAXLEN ) + { + return LDAP_INVALID_SYNTAX; + } + + return strchr( rdn->bv_val, ',' ) == NULL + ? LDAP_SUCCESS : LDAP_INVALID_SYNTAX; + +#else + LDAPRDN *RDN, **DN[ 2 ] = { &RDN, NULL }; + const char *p; + int rc; + + /* + * must be non-empty + */ + if ( rdn == NULL || rdn == '\0' ) { + return 0; + } + + /* + * must be parsable + */ + rc = ldap_bv2rdn( rdn, &RDN, (char **)&p, LDAP_DN_FORMAT_LDAP ); + if ( rc != LDAP_SUCCESS ) { + return 0; + } + + /* + * Must be one-level + */ + if ( p[ 0 ] != '\0' ) { + return 0; + } + + /* + * Schema-aware validate + */ + if ( rc == LDAP_SUCCESS ) { + rc = LDAPDN_validate( DN ); + } + ldap_rdnfree( RDN ); + + /* + * Must validate (there's a repeated parsing ...) + */ + return ( rc == LDAP_SUCCESS ); +#endif +} + + +/* build_new_dn: + * + * Used by ldbm/bdb2 back_modrdn to create the new dn of entries being + * renamed. + * + * new_dn = parent (p_dn) + separator + rdn (newrdn) + null. + */ + +void +build_new_dn( struct berval * new_dn, + struct berval * parent_dn, + struct berval * newrdn ) { - return( strchr( dn, '=' ) == NULL ? DN_DNS : DN_X500 ); + char *ptr; + + if ( parent_dn == NULL ) { + ber_dupbv( new_dn, newrdn ); + return; + } + + new_dn->bv_len = parent_dn->bv_len + newrdn->bv_len + 1; + new_dn->bv_val = (char *) ch_malloc( new_dn->bv_len + 1 ); + + ptr = lutil_strcopy( new_dn->bv_val, newrdn->bv_val ); + *ptr++ = ','; + strcpy( ptr, parent_dn->bv_val ); } -char * -dn_upcase( char *dn ) + +/* + * dnIsSuffix - tells whether suffix is a suffix of dn. + * Both dn and suffix must be normalized. + */ +int +dnIsSuffix( + const struct berval *dn, + const struct berval *suffix ) { - char *s; + int d = dn->bv_len - suffix->bv_len; + + assert( dn ); + assert( suffix ); + + /* empty suffix matches any dn */ + if ( suffix->bv_len == 0 ) { + return 1; + } + + /* suffix longer than dn */ + if ( d < 0 ) { + return 0; + } + + /* no rdn separator or escaped rdn separator */ + if ( d > 1 && !DN_SEPARATOR( dn->bv_val[ d - 1 ] ) ) { + return 0; + } - /* normalize case */ - for ( s = dn; *s; s++ ) { - *s = TOUPPER( *s ); + /* no possible match or malformed dn */ + if ( d == 1 ) { + return 0; } - return( dn ); + /* compare */ + return( strcmp( dn->bv_val + d, suffix->bv_val ) == 0 ); +} + +#ifdef HAVE_TLS +/* + * Convert an X.509 DN into a normalized LDAP DN + */ +int +dnX509normalize( void *x509_name, struct berval *out ) +{ + /* Invoke the LDAP library's converter with our schema-rewriter */ + return ldap_X509dn2bv( x509_name, out, LDAPDN_rewrite, 0 ); +} + +/* + * Get the TLS session's peer's DN into a normalized LDAP DN + */ +int +dnX509peerNormalize( void *ssl, struct berval *dn ) +{ + + return ldap_pvt_tls_get_peer_dn( ssl, dn, (LDAPDN_rewrite_dummy *)LDAPDN_rewrite, 0 ); } +#endif