X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fback-ldbm%2Fsearch.c;h=0f949ca5b00aa35d7d33dc4634259ad9a910ebd1;hb=a4d161cff64c74e03e5898eae104d5d52cc54a91;hp=960209ba12dd7d9060334f016dad953522abe8dd;hpb=1f9c26e69f4950bdac2c88e97ae35d7e3487aa58;p=openldap diff --git a/servers/slapd/back-ldbm/search.c b/servers/slapd/back-ldbm/search.c index 960209ba12..0f949ca5b0 100644 --- a/servers/slapd/back-ldbm/search.c +++ b/servers/slapd/back-ldbm/search.c @@ -2,7 +2,7 @@ /* $OpenLDAP$ */ /* This work is part of OpenLDAP Software . * - * Copyright 1998-2004 The OpenLDAP Foundation. + * Copyright 1998-2006 The OpenLDAP Foundation. * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -39,8 +39,7 @@ ldbm_back_search( SlapReply *rs ) { struct ldbminfo *li = (struct ldbminfo *) op->o_bd->be_private; - int rc, err; - const char *text = NULL; + int rc; time_t stoptime; ID_BLOCK *candidates; ID id, cursor; @@ -48,12 +47,11 @@ ldbm_back_search( Entry *matched = NULL; struct berval realbase = BER_BVNULL; int manageDSAit = get_manageDSAit( op ); +#ifdef SLAP_ACL_HONOR_DISCLOSE + slap_mask_t mask; +#endif -#ifdef NEW_LOGGING - LDAP_LOG( BACK_LDBM, ENTRY, "ldbm_back_search: enter\n", 0, 0, 0 ); -#else Debug(LDAP_DEBUG_TRACE, "=> ldbm_back_search\n", 0, 0, 0); -#endif /* grab giant lock for reading */ ldap_pvt_thread_rdwr_rlock(&li->li_giant_rwlock); @@ -89,16 +87,28 @@ ldbm_back_search( struct berval matched_dn = BER_BVNULL; if ( matched != NULL ) { - BerVarray erefs; - ber_dupbv( &matched_dn, &matched->e_name ); + BerVarray erefs = NULL; + +#ifdef SLAP_ACL_HONOR_DISCLOSE + if ( ! access_allowed( op, matched, + slap_schema.si_ad_entry, + NULL, ACL_DISCLOSE, NULL ) ) + { + rs->sr_err = LDAP_NO_SUCH_OBJECT; - erefs = is_entry_referral( matched ) - ? get_entry_referrals( op, matched ) - : NULL; + } else +#endif /* SLAP_ACL_HONOR_DISCLOSE */ + { + ber_dupbv( &matched_dn, &matched->e_name ); + + erefs = is_entry_referral( matched ) + ? get_entry_referrals( op, matched ) + : NULL; + } cache_return_entry_r( &li->li_cache, matched ); - if( erefs ) { + if ( erefs ) { rs->sr_ref = referral_rewrite( erefs, &matched_dn, &op->o_req_dn, op->ors_scope ); @@ -119,53 +129,67 @@ ldbm_back_search( ber_memfree( matched_dn.bv_val ); rs->sr_ref = NULL; rs->sr_matched = NULL; - return LDAP_REFERRAL; + return rs->sr_err; + } + +#ifdef SLAP_ACL_HONOR_DISCLOSE + /* NOTE: __NEW__ "search" access is required + * on searchBase object */ + if ( ! access_allowed_mask( op, e, slap_schema.si_ad_entry, + NULL, ACL_SEARCH, NULL, &mask ) ) + { + if ( !ACL_GRANT( mask, ACL_DISCLOSE ) ) { + rs->sr_err = LDAP_NO_SUCH_OBJECT; + } else { + rs->sr_err = LDAP_INSUFFICIENT_ACCESS; + } + + cache_return_entry_r( &li->li_cache, e ); + ldap_pvt_thread_rdwr_runlock(&li->li_giant_rwlock); + + send_ldap_result( op, rs ); + return rs->sr_err; } +#endif /* SLAP_ACL_HONOR_DISCLOSE */ - if (!manageDSAit && is_entry_referral( e ) ) { + if ( !manageDSAit && is_entry_referral( e ) ) { /* entry is a referral, don't allow add */ - struct berval matched_dn; - BerVarray erefs; + struct berval matched_dn = BER_BVNULL; + BerVarray erefs = NULL; + + rs->sr_ref = NULL; + rs->sr_err = LDAP_OTHER; + rs->sr_text = "bad referral object"; ber_dupbv( &matched_dn, &e->e_name ); erefs = get_entry_referrals( op, e ); - rs->sr_ref = NULL; cache_return_entry_r( &li->li_cache, e ); ldap_pvt_thread_rdwr_runlock(&li->li_giant_rwlock); -#ifdef NEW_LOGGING - LDAP_LOG( BACK_LDBM, INFO, - "ldbm_search: entry (%s) is a referral.\n", - e->e_dn, 0, 0 ); -#else Debug( LDAP_DEBUG_TRACE, "ldbm_search: entry is referral\n", 0, 0, 0 ); -#endif - if( erefs ) { + if ( erefs ) { rs->sr_ref = referral_rewrite( erefs, &matched_dn, &op->o_req_dn, op->ors_scope ); ber_bvarray_free( erefs ); + + if ( rs->sr_ref ) { + rs->sr_err = LDAP_REFERRAL; + rs->sr_text = NULL; + } } rs->sr_matched = matched_dn.bv_val; - if( rs->sr_ref ) { - rs->sr_err = LDAP_REFERRAL; - send_ldap_result( op, rs ); - ber_bvarray_free( rs->sr_ref ); - - } else { - send_ldap_error( op, rs, LDAP_OTHER, - "bad referral object" ); - } - + send_ldap_result( op, rs ); + ber_bvarray_free( rs->sr_ref ); ber_memfree( matched_dn.bv_val ); rs->sr_ref = NULL; rs->sr_matched = NULL; - return LDAP_OTHER; + return rs->sr_err; } if ( is_entry_alias( e ) ) { @@ -189,13 +213,8 @@ ldbm_back_search( searchit: if ( candidates == NULL ) { /* no candidates */ -#ifdef NEW_LOGGING - LDAP_LOG( BACK_LDBM, INFO, - "ldbm_search: no candidates\n" , 0, 0, 0); -#else Debug( LDAP_DEBUG_TRACE, "ldbm_search: no candidates\n", 0, 0, 0 ); -#endif rs->sr_err = LDAP_SUCCESS; send_ldap_result( op, rs ); @@ -205,7 +224,7 @@ searchit: } /* if candidates exceed to-be-checked entries, abort */ - if ( op->ors_limit /* isroot == TRUE */ + if ( op->ors_limit /* isroot == FALSE */ && op->ors_limit->lms_s_unchecked != -1 && ID_BLOCK_NIDS( candidates ) > (unsigned) op->ors_limit->lms_s_unchecked ) { @@ -226,12 +245,14 @@ searchit: /* check for abandon */ if ( op->o_abandon ) { - rc = LDAP_SUCCESS; + rc = SLAPD_ABANDON; goto done; } /* check time limit */ - if ( op->ors_tlimit != -1 && slap_get_time() > stoptime ) { + if ( op->ors_tlimit != SLAP_NO_LIMIT + && slap_get_time() > stoptime ) + { rs->sr_err = LDAP_TIMELIMIT_EXCEEDED; send_ldap_result( op, rs ); rc = LDAP_SUCCESS; @@ -242,21 +263,15 @@ searchit: e = id2entry_r( op->o_bd, id ); if ( e == NULL ) { -#ifdef NEW_LOGGING - LDAP_LOG( BACK_LDBM, INFO, - "ldbm_search: candidate %ld not found.\n", id, 0, 0 ); -#else Debug( LDAP_DEBUG_TRACE, "ldbm_search: candidate %ld not found\n", id, 0, 0 ); -#endif goto loop_continue; } rs->sr_entry = e; -#ifdef LDBM_SUBENTRIES if ( is_entry_subentry( e ) ) { if( op->ors_scope != LDAP_SCOPE_BASE ) { if(!get_subentries_visibility( op )) { @@ -273,7 +288,6 @@ searchit: /* only subentries are visible */ goto loop_continue; } -#endif if ( op->ors_deref & LDAP_DEREF_SEARCHING && is_entry_alias( e ) ) @@ -304,15 +318,9 @@ searchit: } else if ( dnIsSuffix( &e->e_nname, &realbase ) ) { /* alias is within scope */ -#ifdef NEW_LOGGING - LDAP_LOG( BACK_LDBM, DETAIL1, - "ldbm_search: alias \"%s\" in subtree\n", - e->e_dn, 0, 0 ); -#else Debug( LDAP_DEBUG_TRACE, "ldbm_search: alias \"%s\" in subtree\n", e->e_dn, 0, 0 ); -#endif goto loop_continue; } @@ -367,21 +375,17 @@ searchit: ? LDAP_SCOPE_BASE : LDAP_SCOPE_SUBTREE ); + ber_bvarray_free( erefs ); + send_search_reference( op, rs ); ber_bvarray_free( rs->sr_ref ); rs->sr_ref = NULL; } else { -#ifdef NEW_LOGGING - LDAP_LOG( BACK_LDBM, DETAIL2, - "ldbm_search: candidate referral %ld scope not okay\n", - id, 0, 0 ); -#else Debug( LDAP_DEBUG_TRACE, "ldbm_search: candidate referral %ld scope not okay\n", id, 0, 0 ); -#endif } goto loop_continue; @@ -411,67 +415,46 @@ searchit: { scopeok = dnIsSuffix( &e->e_nname, &realbase ); -#ifdef LDAP_SCOPE_SUBORDINATE } else if ( !scopeok && op->ors_scope == LDAP_SCOPE_SUBORDINATE ) { scopeok = !dn_match( &e->e_nname, &realbase ) && dnIsSuffix( &e->e_nname, &realbase ); -#endif } else { scopeok = 1; } if ( scopeok ) { - /* check size limit */ - if ( --op->ors_slimit == -1 ) { - cache_return_entry_r( &li->li_cache, e ); - rs->sr_err = LDAP_SIZELIMIT_EXCEEDED; - rs->sr_entry = NULL; - send_ldap_result( op, rs ); - rc = LDAP_SUCCESS; - goto done; - } - if (e) { rs->sr_flags = 0; - result = send_search_entry( op, rs ); - - switch (result) { - case 0: /* entry sent ok */ - break; - case 1: /* entry not sent */ - break; - case -1: /* connection closed */ + rs->sr_err = send_search_entry( op, rs ); + + switch ( rs->sr_err ) { + case LDAP_UNAVAILABLE: /* connection closed */ + cache_return_entry_r( &li->li_cache, e ); + rc = LDAP_SUCCESS; + goto done; + case LDAP_SIZELIMIT_EXCEEDED: cache_return_entry_r( &li->li_cache, e ); + rc = rs->sr_err; + rs->sr_entry = NULL; + send_ldap_result( op, rs ); rc = LDAP_SUCCESS; goto done; } } } else { -#ifdef NEW_LOGGING - LDAP_LOG( BACK_LDBM, DETAIL2, - "ldbm_search: candidate entry %ld scope not okay\n", - id, 0, 0 ); -#else Debug( LDAP_DEBUG_TRACE, "ldbm_search: candidate entry %ld scope not okay\n", id, 0, 0 ); -#endif } } else { -#ifdef NEW_LOGGING - LDAP_LOG( BACK_LDBM, DETAIL2, - "ldbm_search: candidate entry %ld does not match filter\n", - id, 0, 0 ); -#else Debug( LDAP_DEBUG_TRACE, "ldbm_search: candidate entry %ld does not match filter\n", id, 0, 0 ); -#endif } loop_continue: @@ -508,12 +491,8 @@ base_candidate( { ID_BLOCK *idl; -#ifdef NEW_LOGGING - LDAP_LOG( BACK_LDBM, ENTRY, "base_candidate: base (%s)\n", e->e_dn, 0, 0 ); -#else Debug(LDAP_DEBUG_TRACE, "base_candidates: base: \"%s\"\n", e->e_dn, 0, 0); -#endif idl = idl_alloc( 1 ); @@ -536,20 +515,12 @@ search_candidates( AttributeAssertion aa_ref, aa_alias; struct berval bv_ref = { sizeof("referral")-1, "referral" }; struct berval bv_alias = { sizeof("alias")-1, "alias" }; -#ifdef LDBM_SUBENTRIES Filter sf; AttributeAssertion aa_subentry; -#endif -#ifdef NEW_LOGGING - LDAP_LOG( BACK_LDBM, DETAIL1, - "search_candidates: base (%s) scope %d deref %d\n", - e->e_ndn, scope, deref ); -#else Debug(LDAP_DEBUG_TRACE, "search_candidates: base=\"%s\" s=%d d=%d\n", e->e_ndn, scope, deref ); -#endif xf.f_or = filter; @@ -585,7 +556,6 @@ search_candidates( fand.f_dn = &e->e_nname; fand.f_next = xf.f_or == filter ? filter : &xf ; -#ifdef LDBM_SUBENTRIES if ( get_subentries_visibility( op )) { struct berval bv_subentry = { sizeof("SUBENTRY")-1, "SUBENTRY" }; sf.f_choice = LDAP_FILTER_EQUALITY; @@ -595,7 +565,6 @@ search_candidates( sf.f_next = fand.f_next; fand.f_next = &sf; } -#endif candidates = filter_candidates( op, &f ); return( candidates );