X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fback-ldap%2Fchain.c;h=8f37efb236c30ac0f6a80f2ba4f0756f5855fef0;hb=6018fe9671dcbb90e3845bc14851858c5d9fdf2a;hp=f42beab8d5dc7fa365ce9298047307491c2566eb;hpb=6b93c656a1da891d421c2be20b56161c20a0c8f3;p=openldap
diff --git a/servers/slapd/back-ldap/chain.c b/servers/slapd/back-ldap/chain.c
index f42beab8d5..8f37efb236 100644
--- a/servers/slapd/back-ldap/chain.c
+++ b/servers/slapd/back-ldap/chain.c
@@ -2,7 +2,7 @@
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software .
*
- * Copyright 2003-2005 The OpenLDAP Foundation.
+ * Copyright 2003-2011 The OpenLDAP Foundation.
* Portions Copyright 2003 Howard Chu.
* All rights reserved.
*
@@ -27,9 +27,9 @@
#include
#include
+#include "lutil.h"
#include "slap.h"
#include "back-ldap.h"
-
#include "config.h"
#ifdef LDAP_CONTROL_X_CHAINING_BEHAVIOR
@@ -58,9 +58,11 @@
static int sc_chainingBehavior;
#endif /* LDAP_CONTROL_X_CHAINING_BEHAVIOR */
-#define LDAP_CH_NONE ((void *)(0))
-#define LDAP_CH_RES ((void *)(1))
-#define LDAP_CH_ERR ((void *)(2))
+typedef enum {
+ LDAP_CH_NONE = 0,
+ LDAP_CH_RES,
+ LDAP_CH_ERR
+} ldap_chain_status_t;
static BackendInfo *lback;
@@ -78,7 +80,7 @@ typedef struct ldap_chain_t {
* the tree? Should be all configurable.
*/
- /* "common" configuration info (all occurring before an "uri") */
+ /* "common" configuration info (anything occurring before an "uri") */
ldapinfo_t *lc_common_li;
/* current configuration info */
@@ -87,13 +89,19 @@ typedef struct ldap_chain_t {
/* tree of configured[/generated?] "uri" info */
ldap_avl_info_t lc_lai;
+ /* max depth in nested referrals chaining */
+ int lc_max_depth;
+
unsigned lc_flags;
#define LDAP_CHAIN_F_NONE (0x00U)
#define LDAP_CHAIN_F_CHAINING (0x01U)
-#define LDAP_CHAIN_F_CACHE_URI (0x10U)
+#define LDAP_CHAIN_F_CACHE_URI (0x02U)
+#define LDAP_CHAIN_F_RETURN_ERR (0x04U)
-#define LDAP_CHAIN_CHAINING( lc ) ( ( (lc)->lc_flags & LDAP_CHAIN_F_CHAINING ) == LDAP_CHAIN_F_CHAINING )
-#define LDAP_CHAIN_CACHE_URI( lc ) ( ( (lc)->lc_flags & LDAP_CHAIN_F_CACHE_URI ) == LDAP_CHAIN_F_CACHE_URI )
+#define LDAP_CHAIN_ISSET(lc, f) ( ( (lc)->lc_flags & (f) ) == (f) )
+#define LDAP_CHAIN_CHAINING( lc ) LDAP_CHAIN_ISSET( (lc), LDAP_CHAIN_F_CHAINING )
+#define LDAP_CHAIN_CACHE_URI( lc ) LDAP_CHAIN_ISSET( (lc), LDAP_CHAIN_F_CACHE_URI )
+#define LDAP_CHAIN_RETURN_ERR( lc ) LDAP_CHAIN_ISSET( (lc), LDAP_CHAIN_F_RETURN_ERR )
#ifdef LDAP_CONTROL_X_CHAINING_BEHAVIOR
LDAPControl lc_chaining_ctrl;
@@ -103,9 +111,33 @@ typedef struct ldap_chain_t {
static int ldap_chain_db_init_common( BackendDB *be );
static int ldap_chain_db_init_one( BackendDB *be );
-#define ldap_chain_db_open_one(be) (lback)->bi_db_open( (be) )
+static int ldap_chain_db_open_one( BackendDB *be );
#define ldap_chain_db_close_one(be) (0)
-#define ldap_chain_db_destroy_one(be) (lback)->bi_db_destroy( (be) )
+#define ldap_chain_db_destroy_one(be, rs) (lback)->bi_db_destroy( (be), (rs) )
+
+typedef struct ldap_chain_cb_t {
+ ldap_chain_status_t lb_status;
+ ldap_chain_t *lb_lc;
+ BI_op_func *lb_op_f;
+ int lb_depth;
+} ldap_chain_cb_t;
+
+static int
+ldap_chain_op(
+ Operation *op,
+ SlapReply *rs,
+ BI_op_func *op_f,
+ BerVarray ref,
+ int depth );
+
+static int
+ldap_chain_search(
+ Operation *op,
+ SlapReply *rs,
+ BerVarray ref,
+ int depth );
+
+static slap_overinst ldapchain;
#ifdef LDAP_CONTROL_X_CHAINING_BEHAVIOR
static int
@@ -193,7 +225,6 @@ ldap_chain_uri_cmp( const void *c1, const void *c2 )
assert( !BER_BVISNULL( &li2->li_bvuri[ 0 ] ) );
assert( BER_BVISNULL( &li2->li_bvuri[ 1 ] ) );
- /* If local DNs don't match, it is definitely not a match */
return ber_bvcmp( &li1->li_bvuri[ 0 ], &li2->li_bvuri[ 0 ] );
}
@@ -211,31 +242,11 @@ ldap_chain_uri_dup( void *c1, void *c2 )
assert( !BER_BVISNULL( &li2->li_bvuri[ 0 ] ) );
assert( BER_BVISNULL( &li2->li_bvuri[ 1 ] ) );
- /* Cannot have more than one shared session with same DN */
if ( ber_bvcmp( &li1->li_bvuri[ 0 ], &li2->li_bvuri[ 0 ] ) == 0 ) {
return -1;
}
-
- return 0;
-}
-static int
-ldap_chain_operational( Operation *op, SlapReply *rs )
-{
- /* Trap entries generated by back-ldap.
- *
- * FIXME: we need a better way to recognize them; a cleaner
- * solution would be to be able to intercept the response
- * of be_operational(), so that we can divert only those
- * calls that fail because operational attributes were
- * requested for entries that do not belong to the underlying
- * database. This fix is likely to intercept also entries
- * generated by back-perl and so. */
- if ( rs->sr_entry->e_private == NULL ) {
- return 0;
- }
-
- return SLAP_CB_CONTINUE;
+ return 0;
}
/*
@@ -244,10 +255,12 @@ ldap_chain_operational( Operation *op, SlapReply *rs )
static int
ldap_chain_cb_search_response( Operation *op, SlapReply *rs )
{
+ ldap_chain_cb_t *lb = (ldap_chain_cb_t *)op->o_callback->sc_private;
+
assert( op->o_tag == LDAP_REQ_SEARCH );
/* if in error, don't proceed any further */
- if ( op->o_callback->sc_private == LDAP_CH_ERR ) {
+ if ( lb->lb_status == LDAP_CH_ERR ) {
return 0;
}
@@ -269,18 +282,25 @@ ldap_chain_cb_search_response( Operation *op, SlapReply *rs )
break;
}
}
+
+ /* tell the frontend not to add generated
+ * operational attributes */
+ rs->sr_flags |= REP_NO_OPERATIONALS;
return SLAP_CB_CONTINUE;
} else if ( rs->sr_type == REP_SEARCHREF ) {
/* if we get it here, it means the library was unable
* to chase the referral... */
+ if ( lb->lb_depth < lb->lb_lc->lc_max_depth && rs->sr_ref != NULL ) {
+ rs->sr_err = ldap_chain_search( op, rs, rs->sr_ref, lb->lb_depth );
+ }
#ifdef LDAP_CONTROL_X_CHAINING_BEHAVIOR
- if ( get_chaining( op ) > SLAP_CONTROL_IGNORED ) {
+ if ( rs->sr_err == LDAP_REFERRAL && get_chaining( op ) > SLAP_CONTROL_IGNORED ) {
switch ( get_continuationBehavior( op ) ) {
case SLAP_CH_RESOLVE_CHAINING_REQUIRED:
- op->o_callback->sc_private = LDAP_CH_ERR;
+ lb->lb_status = LDAP_CH_ERR;
return rs->sr_err = LDAP_X_CANNOT_CHAIN;
default:
@@ -291,8 +311,15 @@ ldap_chain_cb_search_response( Operation *op, SlapReply *rs )
return SLAP_CB_CONTINUE;
} else if ( rs->sr_type == REP_RESULT ) {
+ if ( rs->sr_err == LDAP_REFERRAL
+ && lb->lb_depth < lb->lb_lc->lc_max_depth
+ && rs->sr_ref != NULL )
+ {
+ rs->sr_err = ldap_chain_op( op, rs, lb->lb_op_f, rs->sr_ref, lb->lb_depth );
+ }
+
/* back-ldap tried to send result */
- op->o_callback->sc_private = LDAP_CH_RES;
+ lb->lb_status = LDAP_CH_RES;
}
return 0;
@@ -305,12 +332,15 @@ ldap_chain_cb_search_response( Operation *op, SlapReply *rs )
static int
ldap_chain_cb_response( Operation *op, SlapReply *rs )
{
+ ldap_chain_cb_t *lb = (ldap_chain_cb_t *)op->o_callback->sc_private;
+
/* if in error, don't proceed any further */
- if ( op->o_callback->sc_private == LDAP_CH_ERR ) {
+ if ( lb->lb_status == LDAP_CH_ERR ) {
return 0;
}
if ( rs->sr_type == REP_RESULT ) {
+retry:;
switch ( rs->sr_err ) {
case LDAP_COMPARE_TRUE:
case LDAP_COMPARE_FALSE:
@@ -320,15 +350,20 @@ ldap_chain_cb_response( Operation *op, SlapReply *rs )
/* fallthru */
case LDAP_SUCCESS:
- op->o_callback->sc_private = LDAP_CH_RES;
+ lb->lb_status = LDAP_CH_RES;
break;
case LDAP_REFERRAL:
+ if ( lb->lb_depth < lb->lb_lc->lc_max_depth && rs->sr_ref != NULL ) {
+ rs->sr_err = ldap_chain_op( op, rs, lb->lb_op_f, rs->sr_ref, lb->lb_depth );
+ goto retry;
+ }
+
#ifdef LDAP_CONTROL_X_CHAINING_BEHAVIOR
if ( get_chaining( op ) > SLAP_CONTROL_IGNORED ) {
switch ( get_continuationBehavior( op ) ) {
case SLAP_CH_RESOLVE_CHAINING_REQUIRED:
- op->o_callback->sc_private = LDAP_CH_ERR;
+ lb->lb_status = LDAP_CH_ERR;
return rs->sr_err = LDAP_X_CANNOT_CHAIN;
default:
@@ -355,16 +390,21 @@ static int
ldap_chain_op(
Operation *op,
SlapReply *rs,
- int ( *op_f )( Operation *op, SlapReply *rs ),
- BerVarray ref )
+ BI_op_func *op_f,
+ BerVarray ref,
+ int depth )
{
slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
+ ldap_chain_cb_t *lb = (ldap_chain_cb_t *)op->o_callback->sc_private;
ldap_chain_t *lc = (ldap_chain_t *)on->on_bi.bi_private;
+ struct berval odn = op->o_req_dn,
+ ondn = op->o_req_ndn;
ldapinfo_t li = { 0 }, *lip = NULL;
struct berval bvuri[ 2 ] = { { 0 } };
/* NOTE: returned if ref is empty... */
- int rc = LDAP_OTHER;
+ int rc = LDAP_OTHER,
+ first_rc;
#ifdef LDAP_CONTROL_X_CHAINING_BEHAVIOR
LDAPControl **ctrls = NULL;
@@ -373,15 +413,23 @@ ldap_chain_op(
#endif /* LDAP_CONTROL_X_CHAINING_BEHAVIOR */
li.li_bvuri = bvuri;
+ first_rc = -1;
for ( ; !BER_BVISNULL( ref ); ref++ ) {
- LDAPURLDesc *srv;
- char *save_dn;
+ SlapReply rs2 = { 0 };
+ LDAPURLDesc *srv = NULL;
+ req_search_s save_oq_search = op->oq_search,
+ tmp_oq_search = { 0 };
+ struct berval dn = BER_BVNULL,
+ pdn = odn,
+ ndn = ondn;
+ char *filter = NULL;
int temporary = 0;
+ int free_dn = 0;
/* We're setting the URI of the first referral;
* what if there are more?
-Document: draft-ietf-ldapbis-protocol-27.txt
+Document: RFC 4511
4.1.10. Referral
...
@@ -396,29 +444,379 @@ Document: draft-ietf-ldapbis-protocol-27.txt
/* parse reference and use
* proto://[host][:port]/ only */
- rc = ldap_url_parse_ext( ref->bv_val, &srv );
+ rc = ldap_url_parse_ext( ref->bv_val, &srv, LDAP_PVT_URL_PARSE_NONE );
if ( rc != LDAP_URL_SUCCESS ) {
+ Debug( LDAP_DEBUG_TRACE, "%s ldap_chain_op: unable to parse ref=\"%s\"\n",
+ op->o_log_prefix, ref->bv_val, 0 );
+
/* try next */
rc = LDAP_OTHER;
continue;
}
- /* remove DN essentially because later on
- * ldap_initialize() will parse the URL
- * as a comma-separated URL list */
- save_dn = srv->lud_dn;
- srv->lud_dn = "";
+ if ( op->o_tag == LDAP_REQ_SEARCH ) {
+ if ( srv->lud_scope != LDAP_SCOPE_DEFAULT ) {
+ /* RFC 4511: if scope is present, use it */
+ tmp_oq_search.rs_scope = srv->lud_scope;
+
+ } else {
+ /* RFC 4511: if scope is absent, use original */
+ tmp_oq_search.rs_scope = op->ors_scope;
+ }
+ }
+
+ rc = LDAP_SUCCESS;
srv->lud_scope = LDAP_SCOPE_DEFAULT;
- li.li_uri = ldap_url_desc2str( srv );
- srv->lud_dn = save_dn;
+ dn.bv_val = srv->lud_dn;
+ filter = srv->lud_filter;
+
+ /* normalize DN */
+ if ( srv->lud_dn == NULL || srv->lud_dn[0] == '\0' ) {
+ if ( srv->lud_dn == NULL ) {
+ srv->lud_dn = "";
+ }
+
+ } else {
+ ber_str2bv( srv->lud_dn, 0, 0, &dn );
+ rc = dnPrettyNormal( NULL, &dn, &pdn, &ndn, op->o_tmpmemctx );
+ if ( rc == LDAP_SUCCESS ) {
+ /* remove DN essentially because later on
+ * ldap_initialize() will parse the URL
+ * as a comma-separated URL list */
+ srv->lud_dn = "";
+ free_dn = 1;
+ }
+ }
+
+ /* prepare filter */
+ if ( rc == LDAP_SUCCESS && op->o_tag == LDAP_REQ_SEARCH ) {
+ /* filter */
+ if ( srv->lud_filter != NULL
+ && srv->lud_filter[0] != '\0'
+ && strcasecmp( srv->lud_filter, "(objectClass=*)" ) != 0 )
+ {
+ /* RFC 4511: if filter is present, use it;
+ * otherwise, use original */
+ tmp_oq_search.rs_filter = str2filter_x( op, srv->lud_filter );
+ if ( tmp_oq_search.rs_filter != NULL ) {
+ filter2bv_x( op, tmp_oq_search.rs_filter, &tmp_oq_search.rs_filterstr );
+
+ } else {
+ Debug( LDAP_DEBUG_TRACE, "%s ldap_chain_op: ref=\"%s\": unable to parse filter=\"%s\"\n",
+ op->o_log_prefix, ref->bv_val, srv->lud_filter );
+ rc = LDAP_OTHER;
+ }
+ }
+ }
+ srv->lud_filter = NULL;
+
+ if ( rc == LDAP_SUCCESS ) {
+ li.li_uri = ldap_url_desc2str( srv );
+ }
+
+ srv->lud_dn = dn.bv_val;
+ srv->lud_filter = filter;
ldap_free_urldesc( srv );
+ if ( rc != LDAP_SUCCESS ) {
+ /* try next */
+ rc = LDAP_OTHER;
+ continue;
+ }
+
if ( li.li_uri == NULL ) {
+ Debug( LDAP_DEBUG_TRACE, "%s ldap_chain_op: ref=\"%s\" unable to reconstruct URI\n",
+ op->o_log_prefix, ref->bv_val, 0 );
+
/* try next */
rc = LDAP_OTHER;
+ goto further_cleanup;
+ }
+
+ Debug( LDAP_DEBUG_TRACE, "%s ldap_chain_op: ref=\"%s\" -> \"%s\"\n",
+ op->o_log_prefix, ref->bv_val, li.li_uri );
+
+ op->o_req_dn = pdn;
+ op->o_req_ndn = ndn;
+
+ if ( op->o_tag == LDAP_REQ_SEARCH ) {
+ op->ors_scope = tmp_oq_search.rs_scope;
+ if ( tmp_oq_search.rs_filter != NULL ) {
+ op->ors_filter = tmp_oq_search.rs_filter;
+ op->ors_filterstr = tmp_oq_search.rs_filterstr;
+ }
+ }
+
+ ber_str2bv( li.li_uri, 0, 0, &li.li_bvuri[ 0 ] );
+
+ /* Searches for a ldapinfo in the avl tree */
+ ldap_pvt_thread_mutex_lock( &lc->lc_lai.lai_mutex );
+ lip = (ldapinfo_t *)avl_find( lc->lc_lai.lai_tree,
+ (caddr_t)&li, ldap_chain_uri_cmp );
+ ldap_pvt_thread_mutex_unlock( &lc->lc_lai.lai_mutex );
+
+ if ( lip != NULL ) {
+ op->o_bd->be_private = (void *)lip;
+
+ Debug( LDAP_DEBUG_TRACE, "%s ldap_chain_op: ref=\"%s\": URI=\"%s\" found in cache\n",
+ op->o_log_prefix, ref->bv_val, li.li_uri );
+
+ } else {
+ rc = ldap_chain_db_init_one( op->o_bd );
+ if ( rc != 0 ) {
+ Debug( LDAP_DEBUG_TRACE, "%s ldap_chain_op: ref=\"%s\" unable to init back-ldap for URI=\"%s\"\n",
+ op->o_log_prefix, ref->bv_val, li.li_uri );
+ goto cleanup;
+ }
+ lip = (ldapinfo_t *)op->o_bd->be_private;
+ lip->li_uri = li.li_uri;
+ lip->li_bvuri = bvuri;
+ rc = ldap_chain_db_open_one( op->o_bd );
+ if ( rc != 0 ) {
+ Debug( LDAP_DEBUG_TRACE, "%s ldap_chain_op: ref=\"%s\" unable to open back-ldap for URI=\"%s\"\n",
+ op->o_log_prefix, ref->bv_val, li.li_uri );
+ lip->li_uri = NULL;
+ lip->li_bvuri = NULL;
+ (void)ldap_chain_db_destroy_one( op->o_bd, NULL);
+ goto cleanup;
+ }
+
+ if ( LDAP_CHAIN_CACHE_URI( lc ) ) {
+ ldap_pvt_thread_mutex_lock( &lc->lc_lai.lai_mutex );
+ if ( avl_insert( &lc->lc_lai.lai_tree,
+ (caddr_t)lip, ldap_chain_uri_cmp, ldap_chain_uri_dup ) )
+ {
+ /* someone just inserted another;
+ * don't bother, use this and then
+ * just free it */
+ temporary = 1;
+ }
+ ldap_pvt_thread_mutex_unlock( &lc->lc_lai.lai_mutex );
+
+ } else {
+ temporary = 1;
+ }
+
+ Debug( LDAP_DEBUG_TRACE, "%s ldap_chain_op: ref=\"%s\" %s\n",
+ op->o_log_prefix, ref->bv_val, temporary ? "temporary" : "caching" );
+ }
+
+ lb->lb_op_f = op_f;
+ lb->lb_depth = depth + 1;
+
+ rc = op_f( op, &rs2 );
+
+ /* note the first error */
+ if ( first_rc == -1 ) {
+ first_rc = rc;
+ }
+
+cleanup:;
+ ldap_memfree( li.li_uri );
+ li.li_uri = NULL;
+
+ if ( temporary ) {
+ lip->li_uri = NULL;
+ lip->li_bvuri = NULL;
+ (void)ldap_chain_db_close_one( op->o_bd );
+ (void)ldap_chain_db_destroy_one( op->o_bd, NULL );
+ }
+
+further_cleanup:;
+ if ( free_dn ) {
+ op->o_tmpfree( pdn.bv_val, op->o_tmpmemctx );
+ op->o_tmpfree( ndn.bv_val, op->o_tmpmemctx );
+ }
+
+ if ( op->o_tag == LDAP_REQ_SEARCH ) {
+ if ( tmp_oq_search.rs_filter != NULL ) {
+ filter_free_x( op, tmp_oq_search.rs_filter, 1 );
+ }
+
+ if ( !BER_BVISNULL( &tmp_oq_search.rs_filterstr ) ) {
+ slap_sl_free( tmp_oq_search.rs_filterstr.bv_val, op->o_tmpmemctx );
+ }
+
+ op->oq_search = save_oq_search;
+ }
+
+ if ( rc == LDAP_SUCCESS && rs2.sr_err == LDAP_SUCCESS ) {
+ *rs = rs2;
+ break;
+ }
+
+ rc = rs2.sr_err;
+ }
+
+ op->o_req_dn = odn;
+ op->o_req_ndn = ondn;
+
+#ifdef LDAP_CONTROL_X_CHAINING_BEHAVIOR
+ (void)chaining_control_remove( op, &ctrls );
+#endif /* LDAP_CONTROL_X_CHAINING_BEHAVIOR */
+
+ if ( rc != LDAP_SUCCESS && first_rc > 0 ) {
+ rc = first_rc;
+ }
+
+ return rc;
+}
+
+static int
+ldap_chain_search(
+ Operation *op,
+ SlapReply *rs,
+ BerVarray ref,
+ int depth )
+
+{
+ slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
+ ldap_chain_cb_t *lb = (ldap_chain_cb_t *)op->o_callback->sc_private;
+ ldap_chain_t *lc = (ldap_chain_t *)on->on_bi.bi_private;
+ ldapinfo_t li = { 0 }, *lip = NULL;
+ struct berval bvuri[ 2 ] = { { 0 } };
+
+ struct berval odn = op->o_req_dn,
+ ondn = op->o_req_ndn;
+ Entry *save_entry = rs->sr_entry;
+ slap_mask_t save_flags = rs->sr_flags;
+
+ int rc = LDAP_OTHER,
+ first_rc = -1;
+
+#ifdef LDAP_CONTROL_X_CHAINING_BEHAVIOR
+ LDAPControl **ctrls = NULL;
+
+ (void)chaining_control_add( lc, op, &ctrls );
+#endif /* LDAP_CONTROL_X_CHAINING_BEHAVIOR */
+
+ assert( rs->sr_type == REP_SEARCHREF );
+
+ rs->sr_type = REP_SEARCH;
+
+ /* if we parse the URI then by no means
+ * we can cache stuff or reuse connections,
+ * because in back-ldap there's no caching
+ * based on the URI value, which is supposed
+ * to be set once for all (correct?) */
+ li.li_bvuri = bvuri;
+ for ( ; !BER_BVISNULL( &ref[0] ); ref++ ) {
+ SlapReply rs2 = { REP_RESULT };
+ LDAPURLDesc *srv;
+ req_search_s save_oq_search = op->oq_search,
+ tmp_oq_search = { 0 };
+ struct berval dn,
+ pdn = op->o_req_dn,
+ ndn = op->o_req_ndn;
+ char *filter = NULL;
+ int temporary = 0;
+ int free_dn = 0;
+
+ /* parse reference and use
+ * proto://[host][:port]/ only */
+ rc = ldap_url_parse_ext( ref[0].bv_val, &srv, LDAP_PVT_URL_PARSE_NONE );
+ if ( rc != LDAP_URL_SUCCESS ) {
+ Debug( LDAP_DEBUG_TRACE, "%s ldap_chain_search: unable to parse ref=\"%s\"\n",
+ op->o_log_prefix, ref->bv_val, 0 );
+
+ /* try next */
+ rs->sr_err = LDAP_OTHER;
continue;
}
+ if ( srv->lud_scope != LDAP_SCOPE_DEFAULT ) {
+ /* RFC 4511: if scope is present, use it */
+ tmp_oq_search.rs_scope = srv->lud_scope;
+
+ } else {
+ /* RFC 4511: if scope is absent, use original */
+ /* Section 4.5.3: if scope is onelevel, use base */
+ if ( op->ors_scope == LDAP_SCOPE_ONELEVEL )
+ tmp_oq_search.rs_scope = LDAP_SCOPE_BASE;
+ else
+ tmp_oq_search.rs_scope = op->ors_scope;
+ }
+
+ rc = LDAP_SUCCESS;
+ srv->lud_scope = LDAP_SCOPE_DEFAULT;
+ dn.bv_val = srv->lud_dn;
+ filter = srv->lud_filter;
+
+ /* normalize DN */
+ if ( srv->lud_dn == NULL || srv->lud_dn[0] == '\0' ) {
+ if ( srv->lud_dn == NULL ) {
+ srv->lud_dn = "";
+ }
+
+ if ( save_entry != NULL ) {
+ /* use the "right" DN, if available */
+ pdn = save_entry->e_name;
+ ndn = save_entry->e_nname;
+ } /* else leave the original req DN in place, if any RFC 4511 */
+
+ } else {
+ /* RFC 4511: if DN is present, use it */
+ ber_str2bv( srv->lud_dn, 0, 0, &dn );
+ rc = dnPrettyNormal( NULL, &dn, &pdn, &ndn, op->o_tmpmemctx );
+ if ( rc == LDAP_SUCCESS ) {
+ /* remove DN essentially because later on
+ * ldap_initialize() will parse the URL
+ * as a comma-separated URL list */
+ srv->lud_dn = "";
+ free_dn = 1;
+ }
+ }
+
+ /* prepare filter */
+ if ( rc == LDAP_SUCCESS ) {
+ /* filter */
+ if ( srv->lud_filter != NULL
+ && srv->lud_filter[0] != '\0'
+ && strcasecmp( srv->lud_filter, "(objectClass=*)" ) != 0 )
+ {
+ /* RFC 4511: if filter is present, use it;
+ * otherwise, use original */
+ tmp_oq_search.rs_filter = str2filter_x( op, srv->lud_filter );
+ if ( tmp_oq_search.rs_filter != NULL ) {
+ filter2bv_x( op, tmp_oq_search.rs_filter, &tmp_oq_search.rs_filterstr );
+
+ } else {
+ Debug( LDAP_DEBUG_TRACE, "%s ldap_chain_search: ref=\"%s\": unable to parse filter=\"%s\"\n",
+ op->o_log_prefix, ref->bv_val, srv->lud_filter );
+ rc = LDAP_OTHER;
+ }
+ }
+ }
+ srv->lud_filter = NULL;
+
+ if ( rc == LDAP_SUCCESS ) {
+ li.li_uri = ldap_url_desc2str( srv );
+ }
+
+ srv->lud_dn = dn.bv_val;
+ srv->lud_filter = filter;
+ ldap_free_urldesc( srv );
+
+ if ( rc != LDAP_SUCCESS || li.li_uri == NULL ) {
+ Debug( LDAP_DEBUG_TRACE, "%s ldap_chain_search: ref=\"%s\" unable to reconstruct URI\n",
+ op->o_log_prefix, ref->bv_val, 0 );
+
+ /* try next */
+ rc = LDAP_OTHER;
+ goto further_cleanup;
+ }
+
+ Debug( LDAP_DEBUG_TRACE, "%s ldap_chain_search: ref=\"%s\" -> \"%s\"\n",
+ op->o_log_prefix, ref->bv_val, li.li_uri );
+
+ op->o_req_dn = pdn;
+ op->o_req_ndn = ndn;
+ op->ors_scope = tmp_oq_search.rs_scope;
+ if ( tmp_oq_search.rs_filter != NULL ) {
+ op->ors_filter = tmp_oq_search.rs_filter;
+ op->ors_filterstr = tmp_oq_search.rs_filterstr;
+ }
+
ber_str2bv( li.li_uri, 0, 0, &li.li_bvuri[ 0 ] );
/* Searches for a ldapinfo in the avl tree */
@@ -430,9 +828,15 @@ Document: draft-ietf-ldapbis-protocol-27.txt
if ( lip != NULL ) {
op->o_bd->be_private = (void *)lip;
+ Debug( LDAP_DEBUG_TRACE, "%s ldap_chain_search: ref=\"%s\": URI=\"%s\" found in cache\n",
+ op->o_log_prefix, ref->bv_val, li.li_uri );
+
} else {
+ /* if none is found, create a temporary... */
rc = ldap_chain_db_init_one( op->o_bd );
if ( rc != 0 ) {
+ Debug( LDAP_DEBUG_TRACE, "%s ldap_chain_search: ref=\"%s\" unable to init back-ldap for URI=\"%s\"\n",
+ op->o_log_prefix, ref->bv_val, li.li_uri );
goto cleanup;
}
lip = (ldapinfo_t *)op->o_bd->be_private;
@@ -440,7 +844,11 @@ Document: draft-ietf-ldapbis-protocol-27.txt
lip->li_bvuri = bvuri;
rc = ldap_chain_db_open_one( op->o_bd );
if ( rc != 0 ) {
- (void)ldap_chain_db_destroy_one( op->o_bd );
+ Debug( LDAP_DEBUG_TRACE, "%s ldap_chain_search: ref=\"%s\" unable to open back-ldap for URI=\"%s\"\n",
+ op->o_log_prefix, ref->bv_val, li.li_uri );
+ lip->li_uri = NULL;
+ lip->li_bvuri = NULL;
+ (void)ldap_chain_db_destroy_one( op->o_bd, NULL );
goto cleanup;
}
@@ -459,9 +867,20 @@ Document: draft-ietf-ldapbis-protocol-27.txt
} else {
temporary = 1;
}
+
+ Debug( LDAP_DEBUG_TRACE, "%s ldap_chain_search: ref=\"%s\" %s\n",
+ op->o_log_prefix, ref->bv_val, temporary ? "temporary" : "caching" );
}
- rc = ( *op_f )( op, rs );
+ lb->lb_op_f = lback->bi_op_search;
+ lb->lb_depth = depth + 1;
+
+ /* FIXME: should we also copy filter and scope?
+ * according to RFC3296, no */
+ rc = lback->bi_op_search( op, &rs2 );
+ if ( first_rc == -1 ) {
+ first_rc = rc;
+ }
cleanup:;
ldap_memfree( li.li_uri );
@@ -471,18 +890,56 @@ cleanup:;
lip->li_uri = NULL;
lip->li_bvuri = NULL;
(void)ldap_chain_db_close_one( op->o_bd );
- (void)ldap_chain_db_destroy_one( op->o_bd );
+ (void)ldap_chain_db_destroy_one( op->o_bd, NULL );
}
- if ( rc == LDAP_SUCCESS && rs->sr_err == LDAP_SUCCESS ) {
+further_cleanup:;
+ if ( free_dn ) {
+ op->o_tmpfree( pdn.bv_val, op->o_tmpmemctx );
+ op->o_tmpfree( ndn.bv_val, op->o_tmpmemctx );
+ }
+
+ op->o_req_dn = odn;
+ op->o_req_ndn = ondn;
+
+ if ( tmp_oq_search.rs_filter != NULL ) {
+ filter_free_x( op, tmp_oq_search.rs_filter, 1 );
+ }
+
+ if ( !BER_BVISNULL( &tmp_oq_search.rs_filterstr ) ) {
+ slap_sl_free( tmp_oq_search.rs_filterstr.bv_val, op->o_tmpmemctx );
+ }
+
+ op->oq_search = save_oq_search;
+
+ if ( rc == LDAP_SUCCESS && rs2.sr_err == LDAP_SUCCESS ) {
+ *rs = rs2;
break;
}
+
+ rc = rs2.sr_err;
}
#ifdef LDAP_CONTROL_X_CHAINING_BEHAVIOR
(void)chaining_control_remove( op, &ctrls );
#endif /* LDAP_CONTROL_X_CHAINING_BEHAVIOR */
+ op->o_req_dn = odn;
+ op->o_req_ndn = ondn;
+ rs->sr_type = REP_SEARCHREF;
+ rs->sr_entry = save_entry;
+ rs->sr_flags = save_flags;
+
+ if ( rc != LDAP_SUCCESS ) {
+ /* couldn't chase any of the referrals */
+ if ( first_rc != -1 ) {
+ rc = first_rc;
+
+ } else {
+ rc = SLAP_CB_CONTINUE;
+ }
+ }
+
return rc;
}
@@ -490,10 +947,13 @@ static int
ldap_chain_response( Operation *op, SlapReply *rs )
{
slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
- void *private = op->o_bd->be_private;
+ ldap_chain_t *lc = (ldap_chain_t *)on->on_bi.bi_private;
+ BackendDB db, *bd = op->o_bd;
+ ldap_chain_cb_t lb = { 0 };
slap_callback *sc = op->o_callback,
sc2 = { 0 };
int rc = 0;
+ const char *text = NULL;
const char *matched;
BerVarray ref;
struct berval ndn = op->o_ndn;
@@ -545,12 +1005,21 @@ ldap_chain_response( Operation *op, SlapReply *rs )
* e) what ssf
*/
+ db = *op->o_bd;
+ SLAP_DBFLAGS( &db ) &= ~SLAP_DBFLAG_MONITORING;
+ op->o_bd = &db;
+
+ text = rs->sr_text;
+ rs->sr_text = NULL;
matched = rs->sr_matched;
rs->sr_matched = NULL;
ref = rs->sr_ref;
rs->sr_ref = NULL;
/* we need this to know if back-ldap returned any result */
+ lb.lb_lc = lc;
+ sc2.sc_next = sc->sc_next;
+ sc2.sc_private = &lb;
sc2.sc_response = ldap_chain_cb_response;
op->o_callback = &sc2;
@@ -571,30 +1040,30 @@ ldap_chain_response( Operation *op, SlapReply *rs )
/* FIXME: can we really get a referral for binds? */
op->o_req_ndn = slap_empty_bv;
op->o_conn = NULL;
- rc = ldap_chain_op( op, rs, lback->bi_op_bind, ref );
+ rc = ldap_chain_op( op, rs, lback->bi_op_bind, ref, 0 );
op->o_req_ndn = rndn;
op->o_conn = conn;
}
break;
case LDAP_REQ_ADD:
- rc = ldap_chain_op( op, rs, lback->bi_op_add, ref );
+ rc = ldap_chain_op( op, rs, lback->bi_op_add, ref, 0 );
break;
case LDAP_REQ_DELETE:
- rc = ldap_chain_op( op, rs, lback->bi_op_delete, ref );
+ rc = ldap_chain_op( op, rs, lback->bi_op_delete, ref, 0 );
break;
case LDAP_REQ_MODRDN:
- rc = ldap_chain_op( op, rs, lback->bi_op_modrdn, ref );
+ rc = ldap_chain_op( op, rs, lback->bi_op_modrdn, ref, 0 );
break;
case LDAP_REQ_MODIFY:
- rc = ldap_chain_op( op, rs, lback->bi_op_modify, ref );
+ rc = ldap_chain_op( op, rs, lback->bi_op_modify, ref, 0 );
break;
case LDAP_REQ_COMPARE:
- rc = ldap_chain_op( op, rs, lback->bi_op_compare, ref );
+ rc = ldap_chain_op( op, rs, lback->bi_op_compare, ref, 0 );
if ( rs->sr_err == LDAP_COMPARE_TRUE || rs->sr_err == LDAP_COMPARE_FALSE ) {
rc = LDAP_SUCCESS;
}
@@ -602,167 +1071,35 @@ ldap_chain_response( Operation *op, SlapReply *rs )
case LDAP_REQ_SEARCH:
if ( rs->sr_type == REP_SEARCHREF ) {
- ldap_chain_t *lc = (ldap_chain_t *)on->on_bi.bi_private;
- ldapinfo_t li = { 0 }, *lip = NULL;
- struct berval bvuri[ 2 ] = { { 0 } };
-
- struct berval *curr = ref,
- odn = op->o_req_dn,
- ondn = op->o_req_ndn;
-
-#ifdef LDAP_CONTROL_X_CHAINING_BEHAVIOR
- LDAPControl **ctrls = NULL;
-
- (void)chaining_control_add( lc, op, &ctrls );
-#endif /* LDAP_CONTROL_X_CHAINING_BEHAVIOR */
-
- rs->sr_type = REP_SEARCH;
-
sc2.sc_response = ldap_chain_cb_search_response;
+ rc = ldap_chain_search( op, rs, ref, 0 );
+
+ } else {
+ /* we might get here before any database actually
+ * performed a search; in those cases, we need
+ * to check limits, to make sure safe defaults
+ * are in place */
+ if ( op->ors_limit != NULL || limits_check( op, rs ) == 0 ) {
+ rc = ldap_chain_op( op, rs, lback->bi_op_search, ref, 0 );
- /* if we parse the URI then by no means
- * we can cache stuff or reuse connections,
- * because in back-ldap there's no caching
- * based on the URI value, which is supposed
- * to be set once for all (correct?) */
- li.li_bvuri = bvuri;
- for ( ; !BER_BVISNULL( &curr[0] ); curr++ ) {
- LDAPURLDesc *srv;
- char *save_dn;
- int temporary = 0;
-
- /* parse reference and use
- * proto://[host][:port]/ only */
- rc = ldap_url_parse_ext( curr[0].bv_val, &srv );
- if ( rc != LDAP_URL_SUCCESS ) {
- /* try next */
- rs->sr_err = LDAP_OTHER;
- continue;
- }
-
- /* remove DN essentially because later on
- * ldap_initialize() will parse the URL
- * as a comma-separated URL list */
- save_dn = srv->lud_dn;
- srv->lud_dn = "";
- srv->lud_scope = LDAP_SCOPE_DEFAULT;
- li.li_uri = ldap_url_desc2str( srv );
- if ( li.li_uri != NULL ) {
- ber_str2bv_x( save_dn, 0, 1, &op->o_req_dn,
- op->o_tmpmemctx );
- ber_dupbv_x( &op->o_req_ndn, &op->o_req_dn,
- op->o_tmpmemctx );
- }
-
- srv->lud_dn = save_dn;
- ldap_free_urldesc( srv );
-
- if ( li.li_uri == NULL ) {
- /* try next */
- rs->sr_err = LDAP_OTHER;
- continue;
- }
-
- ber_str2bv( li.li_uri, 0, 0, &li.li_bvuri[ 0 ] );
-
- /* Searches for a ldapinfo in the avl tree */
- ldap_pvt_thread_mutex_lock( &lc->lc_lai.lai_mutex );
- lip = (ldapinfo_t *)avl_find( lc->lc_lai.lai_tree,
- (caddr_t)&li, ldap_chain_uri_cmp );
- ldap_pvt_thread_mutex_unlock( &lc->lc_lai.lai_mutex );
-
- if ( lip != NULL ) {
- op->o_bd->be_private = (void *)lip;
-
- } else {
- /* if none is found, create a temporary... */
- rc = ldap_chain_db_init_one( op->o_bd );
- if ( rc != 0 ) {
- goto cleanup;
- }
- lip = (ldapinfo_t *)op->o_bd->be_private;
- lip->li_uri = li.li_uri;
- lip->li_bvuri = bvuri;
- rc = ldap_chain_db_open_one( op->o_bd );
- if ( rc != 0 ) {
- (void)ldap_chain_db_destroy_one( op->o_bd );
- goto cleanup;
- }
-
- if ( LDAP_CHAIN_CACHE_URI( lc ) ) {
- ldap_pvt_thread_mutex_lock( &lc->lc_lai.lai_mutex );
- if ( avl_insert( &lc->lc_lai.lai_tree,
- (caddr_t)lip, ldap_chain_uri_cmp, ldap_chain_uri_dup ) )
- {
- /* someone just inserted another;
- * don't bother, use this and then
- * just free it */
- temporary = 1;
- }
- ldap_pvt_thread_mutex_unlock( &lc->lc_lai.lai_mutex );
-
- } else {
- temporary = 1;
- }
- }
-
- /* FIXME: should we also copy filter and scope?
- * according to RFC3296, no */
- rc = lback->bi_op_search( op, rs );
-
-cleanup:;
- ldap_memfree( li.li_uri );
- li.li_uri = NULL;
-
- op->o_tmpfree( op->o_req_dn.bv_val,
- op->o_tmpmemctx );
- op->o_tmpfree( op->o_req_ndn.bv_val,
- op->o_tmpmemctx );
-
- if ( temporary ) {
- lip->li_uri = NULL;
- lip->li_bvuri = NULL;
- (void)ldap_chain_db_close_one( op->o_bd );
- (void)ldap_chain_db_destroy_one( op->o_bd );
- }
-
- if ( rc == LDAP_SUCCESS && rs->sr_err == LDAP_SUCCESS ) {
- break;
- }
-
- rc = rs->sr_err;
- }
-
-#ifdef LDAP_CONTROL_X_CHAINING_BEHAVIOR
- (void)chaining_control_remove( op, &ctrls );
-#endif /* LDAP_CONTROL_X_CHAINING_BEHAVIOR */
-
- op->o_req_dn = odn;
- op->o_req_ndn = ondn;
- rs->sr_type = REP_SEARCHREF;
- rs->sr_entry = NULL;
-
- if ( rc != LDAP_SUCCESS ) {
- /* couldn't chase any of the referrals */
+ } else {
rc = SLAP_CB_CONTINUE;
}
-
- } else {
- rc = ldap_chain_op( op, rs, lback->bi_op_search, ref );
}
break;
case LDAP_REQ_EXTENDED:
- rc = ldap_chain_op( op, rs, lback->bi_extended, ref );
+ rc = ldap_chain_op( op, rs, lback->bi_extended, ref, 0 );
/* FIXME: ldap_back_extended() by design
* doesn't send result; frontend is expected
* to send it... */
- /* FIXME: what aboit chaining? */
+ /* FIXME: what about chaining? */
if ( rc != SLAPD_ABANDON ) {
+ rs->sr_err = rc;
send_ldap_extended( op, rs );
rc = LDAP_SUCCESS;
}
- sc2.sc_private = LDAP_CH_RES;
+ lb.lb_status = LDAP_CH_RES;
break;
default:
@@ -776,13 +1113,20 @@ cleanup:;
case LDAP_SUCCESS:
case LDAP_REFERRAL:
+ sr_err = rs->sr_err;
/* slapd-ldap sent response */
- assert( sc2.sc_private == LDAP_CH_RES );
+ if ( !op->o_abandon && lb.lb_status != LDAP_CH_RES ) {
+ /* FIXME: should we send response? */
+ Debug( LDAP_DEBUG_ANY,
+ "%s: ldap_chain_response: "
+ "overlay should have sent result.\n",
+ op->o_log_prefix, 0, 0 );
+ }
break;
default:
#ifdef LDAP_CONTROL_X_CHAINING_BEHAVIOR
- if ( sc2.sc_private == LDAP_CH_ERR && rs->sr_err == LDAP_X_CANNOT_CHAIN ) {
+ if ( lb.lb_status == LDAP_CH_ERR && rs->sr_err == LDAP_X_CANNOT_CHAIN ) {
goto cannot_chain;
}
@@ -796,19 +1140,27 @@ cannot_chain:;
default:
#endif /* LDAP_CONTROL_X_CHAINING_BEHAVIOR */
- rc = SLAP_CB_CONTINUE;
- rs->sr_err = sr_err;
- rs->sr_type = sr_type;
- rs->sr_matched = matched;
- rs->sr_ref = ref;
+ if ( LDAP_CHAIN_RETURN_ERR( lc ) ) {
+ sr_err = rs->sr_err = rc;
+ rs->sr_type = sr_type;
+
+ } else {
+ rc = SLAP_CB_CONTINUE;
+ rs->sr_err = sr_err;
+ rs->sr_type = sr_type;
+ rs->sr_text = text;
+ rs->sr_matched = matched;
+ rs->sr_ref = ref;
+ }
#ifdef LDAP_CONTROL_X_CHAINING_BEHAVIOR
break;
}
#endif /* LDAP_CONTROL_X_CHAINING_BEHAVIOR */
}
- if ( sc2.sc_private == LDAP_CH_NONE && rc != SLAPD_ABANDON ) {
- op->o_callback = NULL;
+ if ( lb.lb_status == LDAP_CH_NONE && rc != SLAPD_ABANDON ) {
+ /* give the remaining callbacks a chance */
+ op->o_callback = sc->sc_next;
rc = rs->sr_err = slap_map_api2result( rs );
send_ldap_result( op, rs );
}
@@ -816,9 +1168,10 @@ cannot_chain:;
dont_chain:;
rs->sr_err = sr_err;
rs->sr_type = sr_type;
+ rs->sr_text = text;
rs->sr_matched = matched;
rs->sr_ref = ref;
- op->o_bd->be_private = private;
+ op->o_bd = bd;
op->o_callback = sc;
op->o_ndn = ndn;
@@ -858,7 +1211,9 @@ str2chain( const char *s )
enum {
CH_CHAINING = 1,
- CH_CACHE_URI = 2,
+ CH_CACHE_URI,
+ CH_MAX_DEPTH,
+ CH_RETURN_ERR,
CH_LAST
};
@@ -866,6 +1221,9 @@ enum {
static ConfigDriver chain_cf_gen;
static ConfigCfAdd chain_cfadd;
static ConfigLDAPadd chain_ldadd;
+#ifdef SLAP_CONFIG_DELETE
+static ConfigLDAPdel chain_lddel;
+#endif
static ConfigTable chaincfg[] = {
#ifdef LDAP_CONTROL_X_CHAINING_BEHAVIOR
@@ -875,11 +1233,23 @@ static ConfigTable chaincfg[] = {
"DESC 'Chaining behavior control parameters (draft-sermersheim-ldap-chaining)' "
"SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
#endif /* LDAP_CONTROL_X_CHAINING_BEHAVIOR */
- { "chain-cache-uris", "TRUE/FALSE",
+ { "chain-cache-uri", "TRUE/FALSE",
2, 2, 0, ARG_MAGIC|ARG_ON_OFF|CH_CACHE_URI, chain_cf_gen,
- "( OLcfgOvAt:3.2 NAME 'olcCacheURIs' "
+ "( OLcfgOvAt:3.2 NAME 'olcChainCacheURI' "
"DESC 'Enables caching of URIs not present in configuration' "
"SYNTAX OMsBoolean SINGLE-VALUE )", NULL, NULL },
+ { "chain-max-depth", "args",
+ 2, 2, 0, ARG_MAGIC|ARG_INT|CH_MAX_DEPTH, chain_cf_gen,
+ "( OLcfgOvAt:3.3 NAME 'olcChainMaxReferralDepth' "
+ "DESC 'max referral depth' "
+ "SYNTAX OMsInteger "
+ "EQUALITY integerMatch "
+ "SINGLE-VALUE )", NULL, NULL },
+ { "chain-return-error", "TRUE/FALSE",
+ 2, 2, 0, ARG_MAGIC|ARG_ON_OFF|CH_RETURN_ERR, chain_cf_gen,
+ "( OLcfgOvAt:3.4 NAME 'olcChainReturnError' "
+ "DESC 'Errors are returned instead of the original referral' "
+ "SYNTAX OMsBoolean SINGLE-VALUE )", NULL, NULL },
{ NULL, NULL, 0, 0, 0, ARG_IGNORED }
};
@@ -892,14 +1262,20 @@ static ConfigOCs chainocs[] = {
#ifdef LDAP_CONTROL_X_CHAINING_BEHAVIOR
"olcChainingBehavior $ "
#endif /* LDAP_CONTROL_X_CHAINING_BEHAVIOR */
- "olcCacheURIs "
+ "olcChainCacheURI $ "
+ "olcChainMaxReferralDepth $ "
+ "olcChainReturnError "
") )",
Cft_Overlay, chaincfg, NULL, chain_cfadd },
{ "( OLcfgOvOc:3.2 "
"NAME 'olcChainDatabase' "
"DESC 'Chain remote server configuration' "
"AUXILIARY )",
- Cft_Misc, chaincfg, chain_ldadd },
+ Cft_Misc, olcDatabaseDummy, chain_ldadd
+#ifdef SLAP_CONFIG_DELETE
+ , NULL, chain_lddel
+#endif
+ },
{ NULL, 0, NULL }
};
@@ -936,6 +1312,7 @@ chain_ldadd( CfEntryInfo *p, Entry *e, ConfigArgs *ca )
assert( rc == LDAP_SUCCESS );
at = attr_find( e->e_attrs, ad );
+#if 0
if ( lc->lc_common_li == NULL && at != NULL ) {
/* FIXME: we should generate an empty default entry
* if none is supplied */
@@ -946,7 +1323,9 @@ chain_ldadd( CfEntryInfo *p, Entry *e, ConfigArgs *ca )
rc = LDAP_CONSTRAINT_VIOLATION;
goto done;
- } else if ( lc->lc_common_li != NULL && at == NULL ) {
+ } else
+#endif
+ if ( lc->lc_common_li != NULL && at == NULL ) {
/* FIXME: we should generate an empty default entry
* if none is supplied */
Debug( LDAP_DEBUG_ANY, "slapd-chain: "
@@ -976,19 +1355,25 @@ chain_ldadd( CfEntryInfo *p, Entry *e, ConfigArgs *ca )
if ( lc->lc_common_li == NULL ) {
lc->lc_common_li = li;
- } else if ( avl_insert( &lc->lc_lai.lai_tree, (caddr_t)li,
- ldap_chain_uri_cmp, ldap_chain_uri_dup ) )
- {
- Debug( LDAP_DEBUG_ANY, "slapd-chain: "
- "database \"%s\" insert failed.\n",
- e->e_name.bv_val, 0, 0 );
- rc = LDAP_CONSTRAINT_VIOLATION;
- goto done;
+ } else {
+ li->li_uri = ch_strdup( at->a_vals[ 0 ].bv_val );
+ value_add_one( &li->li_bvuri, &at->a_vals[ 0 ] );
+ if ( avl_insert( &lc->lc_lai.lai_tree, (caddr_t)li,
+ ldap_chain_uri_cmp, ldap_chain_uri_dup ) )
+ {
+ Debug( LDAP_DEBUG_ANY, "slapd-chain: "
+ "database \"%s\" insert failed.\n",
+ e->e_name.bv_val, 0, 0 );
+ rc = LDAP_CONSTRAINT_VIOLATION;
+ goto done;
+ }
}
+ ca->ca_private = on;
+
done:;
if ( rc != LDAP_SUCCESS ) {
- (void)ldap_chain_db_destroy_one( ca->be );
+ (void)ldap_chain_db_destroy_one( ca->be, NULL );
ch_free( ca->be );
ca->be = NULL;
}
@@ -1013,9 +1398,9 @@ ldap_chain_cfadd_apply( void *datum, void *arg )
struct berval bv;
/* FIXME: should not hardcode "olcDatabase" here */
- bv.bv_len = snprintf( lca->ca->msg, sizeof( lca->ca->msg ),
+ bv.bv_len = snprintf( lca->ca->cr_msg, sizeof( lca->ca->cr_msg ),
"olcDatabase={%d}%s", lca->count, lback->bi_type );
- bv.bv_val = lca->ca->msg;
+ bv.bv_val = lca->ca->cr_msg;
lca->ca->be->be_private = (void *)li;
config_build_entry( lca->op, lca->rs, lca->p->e_private, lca->ca,
@@ -1054,6 +1439,45 @@ chain_cfadd( Operation *op, SlapReply *rs, Entry *p, ConfigArgs *ca )
return 0;
}
+#ifdef SLAP_CONFIG_DELETE
+static int
+chain_lddel( CfEntryInfo *ce, Operation *op )
+{
+ CfEntryInfo *pe = ce->ce_parent;
+ slap_overinst *on = (slap_overinst *)pe->ce_bi;
+ ldap_chain_t *lc = (ldap_chain_t *)on->on_bi.bi_private;
+ ldapinfo_t *li = (ldapinfo_t *) ce->ce_be->be_private;
+
+ if ( li != lc->lc_common_li ) {
+ if (! avl_delete( &lc->lc_lai.lai_tree, li, ldap_chain_uri_cmp ) ) {
+ Debug( LDAP_DEBUG_ANY, "slapd-chain: avl_delete failed. "
+ "\"%s\" not found.\n", li->li_uri, 0, 0 );
+ return -1;
+ }
+ } else if ( lc->lc_lai.lai_tree ) {
+ Debug( LDAP_DEBUG_ANY, "slapd-chain: cannot delete first underlying "
+ "LDAP database when other databases are still present.\n", 0, 0, 0 );
+ return -1;
+ } else {
+ lc->lc_common_li = NULL;
+ }
+
+ ce->ce_be->bd_info = lback;
+
+ if ( ce->ce_be->bd_info->bi_db_close ) {
+ ce->ce_be->bd_info->bi_db_close( ce->ce_be, NULL );
+ }
+ if ( ce->ce_be->bd_info->bi_db_destroy ) {
+ ce->ce_be->bd_info->bi_db_destroy( ce->ce_be, NULL );
+ }
+
+ ch_free(ce->ce_be);
+ ce->ce_be = NULL;
+
+ return LDAP_SUCCESS;
+}
+#endif /* SLAP_CONFIG_DELETE */
+
#ifdef LDAP_CONTROL_X_CHAINING_BEHAVIOR
static slap_verbmasks chaining_mode[] = {
{ BER_BVC("referralsRequired"), LDAP_REFERRALS_REQUIRED },
@@ -1110,6 +1534,14 @@ chain_cf_gen( ConfigArgs *c )
c->value_int = LDAP_CHAIN_CACHE_URI( lc );
break;
+ case CH_MAX_DEPTH:
+ c->value_int = lc->lc_max_depth;
+ break;
+
+ case CH_RETURN_ERR:
+ c->value_int = LDAP_CHAIN_RETURN_ERR( lc );
+ break;
+
default:
assert( 0 );
rc = 1;
@@ -1125,6 +1557,14 @@ chain_cf_gen( ConfigArgs *c )
lc->lc_flags &= ~LDAP_CHAIN_F_CACHE_URI;
break;
+ case CH_MAX_DEPTH:
+ c->value_int = 0;
+ break;
+
+ case CH_RETURN_ERR:
+ lc->lc_flags &= ~LDAP_CHAIN_F_RETURN_ERR;
+ break;
+
default:
return 1;
}
@@ -1257,6 +1697,26 @@ chain_cf_gen( ConfigArgs *c )
}
break;
+ case CH_MAX_DEPTH:
+ if ( c->value_int < 0 ) {
+ snprintf( c->cr_msg, sizeof( c->cr_msg ),
+ "<%s> invalid max referral depth %d",
+ c->argv[0], c->value_int );
+ Debug( LDAP_DEBUG_ANY, "%s: %s.\n",
+ c->log, c->cr_msg, 0 );
+ rc = 1;
+ break;
+ }
+ lc->lc_max_depth = c->value_int;
+
+ case CH_RETURN_ERR:
+ if ( c->value_int ) {
+ lc->lc_flags |= LDAP_CHAIN_F_RETURN_ERR;
+ } else {
+ lc->lc_flags &= ~LDAP_CHAIN_F_RETURN_ERR;
+ }
+ break;
+
default:
assert( 0 );
return 1;
@@ -1266,7 +1726,8 @@ chain_cf_gen( ConfigArgs *c )
static int
ldap_chain_db_init(
- BackendDB *be )
+ BackendDB *be,
+ ConfigReply *cr )
{
slap_overinst *on = (slap_overinst *)be->bd_info;
ldap_chain_t *lc = NULL;
@@ -1284,6 +1745,8 @@ ldap_chain_db_init(
return 1;
}
memset( lc, 0, sizeof( ldap_chain_t ) );
+ lc->lc_max_depth = 1;
+ ldap_pvt_thread_mutex_init( &lc->lc_lai.lai_mutex );
on->on_bi.bi_private = (void *)lc;
@@ -1302,34 +1765,63 @@ ldap_chain_db_config(
ldap_chain_t *lc = (ldap_chain_t *)on->on_bi.bi_private;
int rc = SLAP_CONF_UNKNOWN;
-
+
if ( lc->lc_common_li == NULL ) {
- void *be_private = be->be_private;
- ldap_chain_db_init_common( be );
- lc->lc_common_li = lc->lc_cfg_li = (ldapinfo_t *)be->be_private;
- be->be_private = be_private;
+ BackendDB db = *be;
+ ldap_chain_db_init_common( &db );
+ lc->lc_common_li = lc->lc_cfg_li = (ldapinfo_t *)db.be_private;
}
/* Something for the chain database? */
if ( strncasecmp( argv[ 0 ], "chain-", STRLENOF( "chain-" ) ) == 0 ) {
char *save_argv0 = argv[ 0 ];
- BackendInfo *bd_info = be->bd_info;
- void *be_private = be->be_private;
- ConfigOCs *be_cf_ocs = be->be_cf_ocs;
- int is_uri = 0;
+ BackendDB db = *be;
+ static char *allowed_argv[] = {
+ /* special: put URI here, so in the meanwhile
+ * it detects whether a new URI is being provided */
+ "uri",
+ "nretries",
+ "timeout",
+ /* flags */
+ "tls",
+ /* FIXME: maybe rebind-as-user should be allowed
+ * only within known URIs... */
+ "rebind-as-user",
+ "chase-referrals",
+ "t-f-support",
+ "proxy-whoami",
+ NULL
+ };
+ int which_argv = -1;
argv[ 0 ] += STRLENOF( "chain-" );
- if ( strcasecmp( argv[ 0 ], "uri" ) == 0 ) {
- rc = ldap_chain_db_init_one( be );
+ for ( which_argv = 0; allowed_argv[ which_argv ]; which_argv++ ) {
+ if ( strcasecmp( argv[ 0 ], allowed_argv[ which_argv ] ) == 0 ) {
+ break;
+ }
+ }
+
+ if ( allowed_argv[ which_argv ] == NULL ) {
+ which_argv = -1;
+
+ if ( lc->lc_cfg_li == lc->lc_common_li ) {
+ Debug( LDAP_DEBUG_ANY, "%s: line %d: "
+ "\"%s\" only allowed within a URI directive.\n.",
+ fname, lineno, argv[ 0 ] );
+ return 1;
+ }
+ }
+
+ if ( which_argv == 0 ) {
+ rc = ldap_chain_db_init_one( &db );
if ( rc != 0 ) {
Debug( LDAP_DEBUG_ANY, "%s: line %d: "
"underlying slapd-ldap initialization failed.\n.",
fname, lineno, 0 );
return 1;
}
- lc->lc_cfg_li = be->be_private;
- is_uri = 1;
+ lc->lc_cfg_li = db.be_private;
}
/* TODO: add checks on what other slapd-ldap(5) args
@@ -1339,27 +1831,21 @@ ldap_chain_db_config(
* be warned.
*/
- be->bd_info = lback;
- be->be_private = (void *)lc->lc_cfg_li;
- be->be_cf_ocs = lback->bi_cf_ocs;
+ db.bd_info = lback;
+ db.be_private = (void *)lc->lc_cfg_li;
+ db.be_cf_ocs = lback->bi_cf_ocs;
- rc = config_generic_wrapper( be, fname, lineno, argc, argv );
+ rc = config_generic_wrapper( &db, fname, lineno, argc, argv );
argv[ 0 ] = save_argv0;
- be->be_cf_ocs = be_cf_ocs;
- be->be_private = be_private;
- be->bd_info = bd_info;
- if ( is_uri ) {
+ if ( which_argv == 0 ) {
private_destroy:;
if ( rc != 0 ) {
- BackendDB db = *be;
-
db.bd_info = lback;
db.be_private = (void *)lc->lc_cfg_li;
- ldap_chain_db_destroy_one( &db );
+ ldap_chain_db_destroy_one( &db, NULL );
lc->lc_cfg_li = NULL;
-
} else {
if ( lc->lc_cfg_li->li_bvuri == NULL
|| BER_BVISNULL( &lc->lc_cfg_li->li_bvuri[ 0 ] )
@@ -1385,7 +1871,7 @@ private_destroy:;
}
}
}
-
+
return rc;
}
@@ -1410,7 +1896,7 @@ ldap_chain_db_apply( void *datum, void *arg )
lca->be->be_private = (void *)li;
- return lca->func( lca->be );
+ return lca->func( lca->be, NULL );
}
static int
@@ -1433,7 +1919,7 @@ ldap_chain_db_func(
db.bd_info = lback;
db.be_private = lc->lc_common_li;
- rc = func( &db );
+ rc = func( &db, NULL );
if ( rc != 0 ) {
return rc;
@@ -1457,30 +1943,54 @@ ldap_chain_db_func(
static int
ldap_chain_db_open(
- BackendDB *be )
+ BackendDB *be,
+ ConfigReply *cr )
{
-#ifdef LDAP_CONTROL_X_CHAINING_BEHAVIOR
- int rc = 0;
+ slap_overinst *on = (slap_overinst *) be->bd_info;
+ ldap_chain_t *lc = (ldap_chain_t *)on->on_bi.bi_private;
+ slap_mask_t monitoring;
+ int rc = 0;
+#ifdef LDAP_CONTROL_X_CHAINING_BEHAVIOR
rc = overlay_register_control( be, LDAP_CONTROL_X_CHAINING_BEHAVIOR );
if ( rc != 0 ) {
return rc;
}
#endif /* LDAP_CONTROL_X_CHAINING_BEHAVIOR */
- return ldap_chain_db_func( be, db_open );
+ if ( lc->lc_common_li == NULL ) {
+ void *be_private = be->be_private;
+ ldap_chain_db_init_common( be );
+ lc->lc_common_li = lc->lc_cfg_li = (ldapinfo_t *)be->be_private;
+ be->be_private = be_private;
+ }
+
+ /* filter out and restore monitoring */
+ monitoring = ( SLAP_DBFLAGS( be ) & SLAP_DBFLAG_MONITORING );
+ SLAP_DBFLAGS( be ) &= ~SLAP_DBFLAG_MONITORING;
+ rc = ldap_chain_db_func( be, db_open );
+ SLAP_DBFLAGS( be ) |= monitoring;
+
+ return rc;
}
static int
ldap_chain_db_close(
- BackendDB *be )
+ BackendDB *be,
+ ConfigReply *cr )
{
+#ifdef LDAP_CONTROL_X_CHAINING_BEHAVIOR
+#ifdef SLAP_CONFIG_DELETE
+ overlay_unregister_control( be, LDAP_CONTROL_X_CHAINING_BEHAVIOR );
+#endif /* SLAP_CONFIG_DELETE */
+#endif /* LDAP_CONTROL_X_CHAINING_BEHAVIOR */
return ldap_chain_db_func( be, db_close );
}
static int
ldap_chain_db_destroy(
- BackendDB *be )
+ BackendDB *be,
+ ConfigReply *cr )
{
slap_overinst *on = (slap_overinst *) be->bd_info;
ldap_chain_t *lc = (ldap_chain_t *)on->on_bi.bi_private;
@@ -1491,6 +2001,7 @@ ldap_chain_db_destroy(
if ( lc ) {
avl_free( lc->lc_lai.lai_tree, NULL );
+ ldap_pvt_thread_mutex_destroy( &lc->lc_lai.lai_mutex );
ch_free( lc );
}
@@ -1506,14 +2017,19 @@ ldap_chain_db_init_common(
BackendDB *be )
{
BackendInfo *bi = be->bd_info;
- int t;
+ ldapinfo_t *li;
+ int rc;
be->bd_info = lback;
be->be_private = NULL;
- t = lback->bi_db_init( be );
- if ( t != 0 ) {
- return t;
+ rc = lback->bi_db_init( be, NULL );
+ if ( rc != 0 ) {
+ return rc;
}
+ li = (ldapinfo_t *)be->be_private;
+ li->li_urllist_f = NULL;
+ li->li_urllist_p = NULL;
+
be->bd_info = bi;
return 0;
@@ -1537,21 +2053,23 @@ ldap_chain_db_init_one(
BackendInfo *bi = be->bd_info;
ldapinfo_t *li;
- int t;
+ slap_op_t t;
be->bd_info = lback;
be->be_private = NULL;
- t = lback->bi_db_init( be );
+ t = lback->bi_db_init( be, NULL );
if ( t != 0 ) {
return t;
}
li = (ldapinfo_t *)be->be_private;
+ li->li_urllist_f = NULL;
+ li->li_urllist_p = NULL;
/* copy common data */
li->li_nretries = lc->lc_common_li->li_nretries;
li->li_flags = lc->lc_common_li->li_flags;
li->li_version = lc->lc_common_li->li_version;
- for ( t = 0; t < LDAP_BACK_OP_LAST; t++ ) {
+ for ( t = 0; t < SLAP_OP_LAST; t++ ) {
li->li_timeout[ t ] = lc->lc_common_li->li_timeout[ t ];
}
be->bd_info = bi;
@@ -1559,6 +2077,33 @@ ldap_chain_db_init_one(
return 0;
}
+static int
+ldap_chain_db_open_one(
+ BackendDB *be )
+{
+ if ( SLAP_DBMONITORING( be ) ) {
+ ldapinfo_t *li = (ldapinfo_t *)be->be_private;
+
+ if ( li->li_uri == NULL ) {
+ ber_str2bv( "cn=Common Connections", 0, 1,
+ &li->li_monitor_info.lmi_rdn );
+
+ } else {
+ char *ptr;
+
+ li->li_monitor_info.lmi_rdn.bv_len
+ = STRLENOF( "cn=" ) + strlen( li->li_uri );
+ ptr = li->li_monitor_info.lmi_rdn.bv_val
+ = ch_malloc( li->li_monitor_info.lmi_rdn.bv_len + 1 );
+ ptr = lutil_strcopy( ptr, "cn=" );
+ ptr = lutil_strcopy( ptr, li->li_uri );
+ ptr[ 0 ] = '\0';
+ }
+ }
+
+ return lback->bi_db_open( be, NULL );
+}
+
typedef struct ldap_chain_conn_apply_t {
BackendDB *be;
Connection *conn;
@@ -1727,12 +2272,10 @@ ldap_chain_parse_ctrl(
}
#endif /* LDAP_CONTROL_X_CHAINING_BEHAVIOR */
-static slap_overinst ldapchain;
-
int
-chain_init( void )
+chain_initialize( void )
{
- int rc;
+ int rc;
/* Make sure we don't exceed the bits reserved for userland */
config_check_userland( CH_LAST );
@@ -1756,17 +2299,6 @@ chain_init( void )
ldapchain.on_bi.bi_db_close = ldap_chain_db_close;
ldapchain.on_bi.bi_db_destroy = ldap_chain_db_destroy;
- /* ... otherwise the underlying backend's function would be called,
- * likely passing an invalid entry; on the contrary, the requested
- * operational attributes should have been returned while chasing
- * the referrals. This all in all is a bit messy, because part
- * of the operational attributes are generated by the backend;
- * part by the frontend; back-ldap should receive all the available
- * ones from the remote server, but then, on its own, it strips those
- * it assumes will be (re)generated by the frontend (e.g.
- * subschemaSubentry.) */
- ldapchain.on_bi.bi_operational = ldap_chain_operational;
-
ldapchain.on_bi.bi_connection_destroy = ldap_chain_connection_destroy;
ldapchain.on_response = ldap_chain_response;