X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fback-ldbm%2Fsearch.c;h=0f949ca5b00aa35d7d33dc4634259ad9a910ebd1;hb=a4d161cff64c74e03e5898eae104d5d52cc54a91;hp=70fc4c0af9e3d515b944addb9a4c45308e970b23;hpb=3c598e89fb34a892d369a138daa8c3314294493c;p=openldap diff --git a/servers/slapd/back-ldbm/search.c b/servers/slapd/back-ldbm/search.c index 70fc4c0af9..0f949ca5b0 100644 --- a/servers/slapd/back-ldbm/search.c +++ b/servers/slapd/back-ldbm/search.c @@ -2,7 +2,7 @@ /* $OpenLDAP$ */ /* This work is part of OpenLDAP Software . * - * Copyright 1998-2004 The OpenLDAP Foundation. + * Copyright 1998-2006 The OpenLDAP Foundation. * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -39,24 +39,19 @@ ldbm_back_search( SlapReply *rs ) { struct ldbminfo *li = (struct ldbminfo *) op->o_bd->be_private; - int rc, err; - const char *text = NULL; + int rc; time_t stoptime; ID_BLOCK *candidates; ID id, cursor; Entry *e; Entry *matched = NULL; - struct berval realbase = { 0, NULL }; + struct berval realbase = BER_BVNULL; int manageDSAit = get_manageDSAit( op ); +#ifdef SLAP_ACL_HONOR_DISCLOSE + slap_mask_t mask; +#endif - struct slap_limits_set *limit = NULL; - int isroot = 0; - -#ifdef NEW_LOGGING - LDAP_LOG( BACK_LDBM, ENTRY, "ldbm_back_search: enter\n", 0, 0, 0 ); -#else Debug(LDAP_DEBUG_TRACE, "=> ldbm_back_search\n", 0, 0, 0); -#endif /* grab giant lock for reading */ ldap_pvt_thread_rdwr_rlock(&li->li_giant_rwlock); @@ -68,13 +63,13 @@ ldbm_back_search( /* need normalized dn below */ ber_dupbv( &realbase, &e->e_nname ); - candidates = search_candidates( op, e, op->oq_search.rs_filter, - op->oq_search.rs_scope, op->oq_search.rs_deref, + candidates = search_candidates( op, e, op->ors_filter, + op->ors_scope, op->ors_deref, manageDSAit || get_domainScope(op) ); goto searchit; - } else if ( op->oq_search.rs_deref & LDAP_DEREF_FINDING ) { + } else if ( op->ors_deref & LDAP_DEREF_FINDING ) { /* deref dn and get entry with reader lock */ e = deref_dn_r( op->o_bd, &op->o_req_ndn, &rs->sr_err, &matched, &rs->sr_text ); @@ -89,28 +84,40 @@ ldbm_back_search( } if ( e == NULL ) { - struct berval matched_dn = { 0, NULL }; + struct berval matched_dn = BER_BVNULL; if ( matched != NULL ) { - BerVarray erefs; - ber_dupbv( &matched_dn, &matched->e_name ); + BerVarray erefs = NULL; - erefs = is_entry_referral( matched ) - ? get_entry_referrals( op, matched ) - : NULL; +#ifdef SLAP_ACL_HONOR_DISCLOSE + if ( ! access_allowed( op, matched, + slap_schema.si_ad_entry, + NULL, ACL_DISCLOSE, NULL ) ) + { + rs->sr_err = LDAP_NO_SUCH_OBJECT; + + } else +#endif /* SLAP_ACL_HONOR_DISCLOSE */ + { + ber_dupbv( &matched_dn, &matched->e_name ); + + erefs = is_entry_referral( matched ) + ? get_entry_referrals( op, matched ) + : NULL; + } cache_return_entry_r( &li->li_cache, matched ); - if( erefs ) { + if ( erefs ) { rs->sr_ref = referral_rewrite( erefs, &matched_dn, - &op->o_req_dn, op->oq_search.rs_scope ); + &op->o_req_dn, op->ors_scope ); ber_bvarray_free( erefs ); } } else { rs->sr_ref = referral_rewrite( default_referral, - NULL, &op->o_req_dn, op->oq_search.rs_scope ); + NULL, &op->o_req_dn, op->ors_scope ); } ldap_pvt_thread_rdwr_runlock(&li->li_giant_rwlock); @@ -122,66 +129,80 @@ ldbm_back_search( ber_memfree( matched_dn.bv_val ); rs->sr_ref = NULL; rs->sr_matched = NULL; - return LDAP_REFERRAL; + return rs->sr_err; + } + +#ifdef SLAP_ACL_HONOR_DISCLOSE + /* NOTE: __NEW__ "search" access is required + * on searchBase object */ + if ( ! access_allowed_mask( op, e, slap_schema.si_ad_entry, + NULL, ACL_SEARCH, NULL, &mask ) ) + { + if ( !ACL_GRANT( mask, ACL_DISCLOSE ) ) { + rs->sr_err = LDAP_NO_SUCH_OBJECT; + } else { + rs->sr_err = LDAP_INSUFFICIENT_ACCESS; + } + + cache_return_entry_r( &li->li_cache, e ); + ldap_pvt_thread_rdwr_runlock(&li->li_giant_rwlock); + + send_ldap_result( op, rs ); + return rs->sr_err; } +#endif /* SLAP_ACL_HONOR_DISCLOSE */ - if (!manageDSAit && is_entry_referral( e ) ) { + if ( !manageDSAit && is_entry_referral( e ) ) { /* entry is a referral, don't allow add */ - struct berval matched_dn; - BerVarray erefs; + struct berval matched_dn = BER_BVNULL; + BerVarray erefs = NULL; + + rs->sr_ref = NULL; + rs->sr_err = LDAP_OTHER; + rs->sr_text = "bad referral object"; ber_dupbv( &matched_dn, &e->e_name ); erefs = get_entry_referrals( op, e ); - rs->sr_ref = NULL; cache_return_entry_r( &li->li_cache, e ); ldap_pvt_thread_rdwr_runlock(&li->li_giant_rwlock); -#ifdef NEW_LOGGING - LDAP_LOG( BACK_LDBM, INFO, - "ldbm_search: entry (%s) is a referral.\n", - e->e_dn, 0, 0 ); -#else Debug( LDAP_DEBUG_TRACE, "ldbm_search: entry is referral\n", 0, 0, 0 ); -#endif - if( erefs ) { + if ( erefs ) { rs->sr_ref = referral_rewrite( erefs, &matched_dn, - &op->o_req_dn, op->oq_search.rs_scope ); + &op->o_req_dn, op->ors_scope ); ber_bvarray_free( erefs ); + + if ( rs->sr_ref ) { + rs->sr_err = LDAP_REFERRAL; + rs->sr_text = NULL; + } } rs->sr_matched = matched_dn.bv_val; - if( rs->sr_ref ) { - rs->sr_err = LDAP_REFERRAL; - send_ldap_result( op, rs ); - ber_bvarray_free( rs->sr_ref ); - - } else { - send_ldap_error( op, rs, LDAP_OTHER, - "bad referral object" ); - } - + send_ldap_result( op, rs ); + ber_bvarray_free( rs->sr_ref ); ber_memfree( matched_dn.bv_val ); rs->sr_ref = NULL; rs->sr_matched = NULL; - return LDAP_OTHER; + return rs->sr_err; } if ( is_entry_alias( e ) ) { /* don't deref */ - op->oq_search.rs_deref = LDAP_DEREF_NEVER; + op->ors_deref = LDAP_DEREF_NEVER; } - if ( op->oq_search.rs_scope == LDAP_SCOPE_BASE ) { + if ( op->ors_scope == LDAP_SCOPE_BASE ) { candidates = base_candidate( op->o_bd, e ); } else { - candidates = search_candidates( op, e, op->oq_search.rs_filter, - op->oq_search.rs_scope, op->oq_search.rs_deref, manageDSAit ); + candidates = search_candidates( op, e, op->ors_filter, + op->ors_scope, op->ors_deref, manageDSAit ); } /* need normalized dn below */ @@ -192,13 +213,8 @@ ldbm_back_search( searchit: if ( candidates == NULL ) { /* no candidates */ -#ifdef NEW_LOGGING - LDAP_LOG( BACK_LDBM, INFO, - "ldbm_search: no candidates\n" , 0, 0, 0); -#else Debug( LDAP_DEBUG_TRACE, "ldbm_search: no candidates\n", 0, 0, 0 ); -#endif rs->sr_err = LDAP_SUCCESS; send_ldap_result( op, rs ); @@ -207,91 +223,19 @@ searchit: goto done; } - /* if not root, get appropriate limits */ - if ( be_isroot( op->o_bd, &op->o_ndn ) ) - { - /* - * FIXME: I'd consider this dangerous if someone - * uses isroot for anything but handling limits - */ - isroot = 1; - } else { - ( void ) get_limits( op->o_bd, &op->o_ndn, &limit ); - } - /* if candidates exceed to-be-checked entries, abort */ - if ( !isroot && limit->lms_s_unchecked != -1 ) { - if ( ID_BLOCK_NIDS( candidates ) > (unsigned) limit->lms_s_unchecked ) { - send_ldap_error( op, rs, LDAP_ADMINLIMIT_EXCEEDED, - NULL ); - rc = LDAP_SUCCESS; - goto done; - } + if ( op->ors_limit /* isroot == FALSE */ + && op->ors_limit->lms_s_unchecked != -1 + && ID_BLOCK_NIDS( candidates ) > (unsigned) op->ors_limit->lms_s_unchecked ) + { + send_ldap_error( op, rs, LDAP_ADMINLIMIT_EXCEEDED, NULL ); + rc = LDAP_SUCCESS; + goto done; } - /* if root an no specific limit is required, allow unlimited search */ - if ( isroot ) { - if ( op->oq_search.rs_tlimit == 0 ) { - op->oq_search.rs_tlimit = -1; - } - - if ( op->oq_search.rs_slimit == 0 ) { - op->oq_search.rs_slimit = -1; - } - - } else { - /* if no limit is required, use soft limit */ - if ( op->oq_search.rs_tlimit <= 0 ) { - op->oq_search.rs_tlimit = limit->lms_t_soft; - - /* if requested limit higher than hard limit, abort */ - } else if ( op->oq_search.rs_tlimit > limit->lms_t_hard ) { - /* no hard limit means use soft instead */ - if ( limit->lms_t_hard == 0 - && limit->lms_t_soft > -1 - && op->oq_search.rs_tlimit > limit->lms_t_soft ) { - op->oq_search.rs_tlimit = limit->lms_t_soft; - - /* positive hard limit means abort */ - } else if ( limit->lms_t_hard > 0 ) { - send_ldap_error( op, rs, - LDAP_ADMINLIMIT_EXCEEDED, - NULL ); - rc = LDAP_SUCCESS; - goto done; - } - - /* negative hard limit means no limit */ - } - - /* if no limit is required, use soft limit */ - if ( op->oq_search.rs_slimit <= 0 ) { - op->oq_search.rs_slimit = limit->lms_s_soft; - - /* if requested limit higher than hard limit, abort */ - } else if ( op->oq_search.rs_slimit > limit->lms_s_hard ) { - /* no hard limit means use soft instead */ - if ( limit->lms_s_hard == 0 - && limit->lms_s_soft > -1 - && op->oq_search.rs_slimit > limit->lms_s_soft ) { - op->oq_search.rs_slimit = limit->lms_s_soft; - - /* positive hard limit means abort */ - } else if ( limit->lms_s_hard > 0 ) { - send_ldap_error( op, rs, - LDAP_ADMINLIMIT_EXCEEDED, - NULL ); - rc = LDAP_SUCCESS; - goto done; - } - - /* negative hard limit means no limit */ - } - } - /* compute it anyway; root does not use it */ - stoptime = op->o_time + op->oq_search.rs_tlimit; - rs->sr_attrs = op->oq_search.rs_attrs; + stoptime = op->o_time + op->ors_tlimit; + rs->sr_attrs = op->ors_attrs; for ( id = idl_firstid( candidates, &cursor ); id != NOID; id = idl_nextid( candidates, &cursor ) ) @@ -301,12 +245,14 @@ searchit: /* check for abandon */ if ( op->o_abandon ) { - rc = LDAP_SUCCESS; + rc = SLAPD_ABANDON; goto done; } /* check time limit */ - if ( op->oq_search.rs_tlimit != -1 && slap_get_time() > stoptime ) { + if ( op->ors_tlimit != SLAP_NO_LIMIT + && slap_get_time() > stoptime ) + { rs->sr_err = LDAP_TIMELIMIT_EXCEEDED; send_ldap_result( op, rs ); rc = LDAP_SUCCESS; @@ -317,23 +263,17 @@ searchit: e = id2entry_r( op->o_bd, id ); if ( e == NULL ) { -#ifdef NEW_LOGGING - LDAP_LOG( BACK_LDBM, INFO, - "ldbm_search: candidate %ld not found.\n", id, 0, 0 ); -#else Debug( LDAP_DEBUG_TRACE, "ldbm_search: candidate %ld not found\n", id, 0, 0 ); -#endif goto loop_continue; } rs->sr_entry = e; -#ifdef LDBM_SUBENTRIES if ( is_entry_subentry( e ) ) { - if( op->oq_search.rs_scope != LDAP_SCOPE_BASE ) { + if( op->ors_scope != LDAP_SCOPE_BASE ) { if(!get_subentries_visibility( op )) { /* only subentries are visible */ goto loop_continue; @@ -348,9 +288,8 @@ searchit: /* only subentries are visible */ goto loop_continue; } -#endif - if ( op->oq_search.rs_deref & LDAP_DEREF_SEARCHING && + if ( op->ors_deref & LDAP_DEREF_SEARCHING && is_entry_alias( e ) ) { Entry *matched; @@ -370,7 +309,7 @@ searchit: } /* need to skip alias which deref into scope */ - if( op->oq_search.rs_scope == LDAP_SCOPE_ONELEVEL ) { + if( op->ors_scope == LDAP_SCOPE_ONELEVEL ) { struct berval pdn; dnParent( &e->e_nname, &pdn ); if ( ber_bvcmp( &pdn, &realbase ) ) { @@ -379,15 +318,9 @@ searchit: } else if ( dnIsSuffix( &e->e_nname, &realbase ) ) { /* alias is within scope */ -#ifdef NEW_LOGGING - LDAP_LOG( BACK_LDBM, DETAIL1, - "ldbm_search: alias \"%s\" in subtree\n", - e->e_dn, 0, 0 ); -#else Debug( LDAP_DEBUG_TRACE, "ldbm_search: alias \"%s\" in subtree\n", e->e_dn, 0, 0 ); -#endif goto loop_continue; } @@ -403,13 +336,13 @@ searchit: * the filter explicitly here since it's only a candidate * anyway. */ - if ( !manageDSAit && op->oq_search.rs_scope != LDAP_SCOPE_BASE && + if ( !manageDSAit && op->ors_scope != LDAP_SCOPE_BASE && is_entry_referral( e ) ) { struct berval dn; /* check scope */ - if ( !scopeok && op->oq_search.rs_scope == LDAP_SCOPE_ONELEVEL ) { + if ( !scopeok && op->ors_scope == LDAP_SCOPE_ONELEVEL ) { if ( !be_issuffix( op->o_bd, &e->e_nname ) ) { dnParent( &e->e_nname, &dn ); scopeok = dn_match( &dn, &realbase ); @@ -418,15 +351,17 @@ searchit: } } else if ( !scopeok - && op->oq_search.rs_scope == LDAP_SCOPE_SUBTREE ) + && op->ors_scope == LDAP_SCOPE_SUBTREE ) { scopeok = dnIsSuffix( &e->e_nname, &realbase ); +#ifdef LDAP_SCOPE_SUBORDINATE } else if ( !scopeok - && op->oq_search.rs_scope == LDAP_SCOPE_SUBORDINATE ) + && op->ors_scope == LDAP_SCOPE_SUBORDINATE ) { scopeok = !dn_match( &e->e_nname, &realbase ) && dnIsSuffix( &e->e_nname, &realbase ); +#endif } else { scopeok = 1; @@ -436,25 +371,21 @@ searchit: BerVarray erefs = get_entry_referrals( op, e ); rs->sr_ref = referral_rewrite( erefs, &e->e_name, NULL, - op->oq_search.rs_scope == LDAP_SCOPE_ONELEVEL + op->ors_scope == LDAP_SCOPE_ONELEVEL ? LDAP_SCOPE_BASE : LDAP_SCOPE_SUBTREE ); + ber_bvarray_free( erefs ); + send_search_reference( op, rs ); ber_bvarray_free( rs->sr_ref ); rs->sr_ref = NULL; } else { -#ifdef NEW_LOGGING - LDAP_LOG( BACK_LDBM, DETAIL2, - "ldbm_search: candidate referral %ld scope not okay\n", - id, 0, 0 ); -#else Debug( LDAP_DEBUG_TRACE, "ldbm_search: candidate referral %ld scope not okay\n", id, 0, 0 ); -#endif } goto loop_continue; @@ -465,13 +396,13 @@ searchit: } /* if it matches the filter and scope, send it */ - result = test_filter( op, e, op->oq_search.rs_filter ); + result = test_filter( op, e, op->ors_filter ); if ( result == LDAP_COMPARE_TRUE ) { struct berval dn; /* check scope */ - if ( !scopeok && op->oq_search.rs_scope == LDAP_SCOPE_ONELEVEL ) { + if ( !scopeok && op->ors_scope == LDAP_SCOPE_ONELEVEL ) { if ( !be_issuffix( op->o_bd, &e->e_nname ) ) { dnParent( &e->e_nname, &dn ); scopeok = dn_match( &dn, &realbase ); @@ -480,12 +411,12 @@ searchit: } } else if ( !scopeok && - op->oq_search.rs_scope == LDAP_SCOPE_SUBTREE ) + op->ors_scope == LDAP_SCOPE_SUBTREE ) { scopeok = dnIsSuffix( &e->e_nname, &realbase ); } else if ( !scopeok && - op->oq_search.rs_scope == LDAP_SCOPE_SUBORDINATE ) + op->ors_scope == LDAP_SCOPE_SUBORDINATE ) { scopeok = !dn_match( &e->e_nname, &realbase ) && dnIsSuffix( &e->e_nname, &realbase ); @@ -495,52 +426,35 @@ searchit: } if ( scopeok ) { - /* check size limit */ - if ( --op->oq_search.rs_slimit == -1 ) { - cache_return_entry_r( &li->li_cache, e ); - rs->sr_err = LDAP_SIZELIMIT_EXCEEDED; - send_ldap_result( op, rs ); - rc = LDAP_SUCCESS; - goto done; - } - if (e) { - result = send_search_entry( op, rs ); - - switch (result) { - case 0: /* entry sent ok */ - break; - case 1: /* entry not sent */ - break; - case -1: /* connection closed */ + rs->sr_flags = 0; + rs->sr_err = send_search_entry( op, rs ); + + switch ( rs->sr_err ) { + case LDAP_UNAVAILABLE: /* connection closed */ + cache_return_entry_r( &li->li_cache, e ); + rc = LDAP_SUCCESS; + goto done; + case LDAP_SIZELIMIT_EXCEEDED: cache_return_entry_r( &li->li_cache, e ); + rc = rs->sr_err; + rs->sr_entry = NULL; + send_ldap_result( op, rs ); rc = LDAP_SUCCESS; goto done; } } } else { -#ifdef NEW_LOGGING - LDAP_LOG( BACK_LDBM, DETAIL2, - "ldbm_search: candidate entry %ld scope not okay\n", - id, 0, 0 ); -#else Debug( LDAP_DEBUG_TRACE, "ldbm_search: candidate entry %ld scope not okay\n", id, 0, 0 ); -#endif } } else { -#ifdef NEW_LOGGING - LDAP_LOG( BACK_LDBM, DETAIL2, - "ldbm_search: candidate entry %ld does not match filter\n", - id, 0, 0 ); -#else Debug( LDAP_DEBUG_TRACE, "ldbm_search: candidate entry %ld does not match filter\n", id, 0, 0 ); -#endif } loop_continue: @@ -577,12 +491,8 @@ base_candidate( { ID_BLOCK *idl; -#ifdef NEW_LOGGING - LDAP_LOG( BACK_LDBM, ENTRY, "base_candidate: base (%s)\n", e->e_dn, 0, 0 ); -#else Debug(LDAP_DEBUG_TRACE, "base_candidates: base: \"%s\"\n", e->e_dn, 0, 0); -#endif idl = idl_alloc( 1 ); @@ -605,20 +515,12 @@ search_candidates( AttributeAssertion aa_ref, aa_alias; struct berval bv_ref = { sizeof("referral")-1, "referral" }; struct berval bv_alias = { sizeof("alias")-1, "alias" }; -#ifdef LDBM_SUBENTRIES Filter sf; AttributeAssertion aa_subentry; -#endif -#ifdef NEW_LOGGING - LDAP_LOG( BACK_LDBM, DETAIL1, - "search_candidates: base (%s) scope %d deref %d\n", - e->e_ndn, scope, deref ); -#else Debug(LDAP_DEBUG_TRACE, "search_candidates: base=\"%s\" s=%d d=%d\n", e->e_ndn, scope, deref ); -#endif xf.f_or = filter; @@ -654,7 +556,6 @@ search_candidates( fand.f_dn = &e->e_nname; fand.f_next = xf.f_or == filter ? filter : &xf ; -#ifdef LDBM_SUBENTRIES if ( get_subentries_visibility( op )) { struct berval bv_subentry = { sizeof("SUBENTRY")-1, "SUBENTRY" }; sf.f_choice = LDAP_FILTER_EQUALITY; @@ -664,7 +565,6 @@ search_candidates( sf.f_next = fand.f_next; fand.f_next = &sf; } -#endif candidates = filter_candidates( op, &f ); return( candidates );