X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fback-meta%2Finit.c;h=73c3fd431839d7f83ec2f8996ff8b8eec4262e35;hb=e17878933fc540dcd533e3a96f0a2a393e2a8427;hp=56f96532d3790f796bbd0c672810ad96e7815da8;hpb=f51efd4b0345baea1a9c977d0763292891c37436;p=openldap diff --git a/servers/slapd/back-meta/init.c b/servers/slapd/back-meta/init.c index 56f96532d3..73c3fd4318 100644 --- a/servers/slapd/back-meta/init.c +++ b/servers/slapd/back-meta/init.c @@ -1,7 +1,7 @@ /* $OpenLDAP$ */ /* This work is part of OpenLDAP Software . * - * Copyright 1999-2012 The OpenLDAP Foundation. + * Copyright 1999-2014 The OpenLDAP Foundation. * Portions Copyright 2001-2003 Pierangelo Masarati. * Portions Copyright 1999-2003 Howard Chu. * All rights reserved. @@ -113,7 +113,10 @@ meta_back_db_init( /* set default flags */ mi->mi_flags = - META_BACK_F_DEFER_ROOTDN_BIND; + META_BACK_F_DEFER_ROOTDN_BIND + | META_BACK_F_PROXYAUTHZ_ALWAYS + | META_BACK_F_PROXYAUTHZ_ANON + | META_BACK_F_PROXYAUTHZ_NOANON; /* * At present the default is no default target; @@ -147,20 +150,106 @@ meta_back_db_init( return 0; } +int +meta_target_finish( + metainfo_t *mi, + metatarget_t *mt, + const char *log, + char *msg, + size_t msize +) +{ + slap_bindconf sb = { BER_BVNULL }; + struct berval mapped; + int rc; + + ber_str2bv( mt->mt_uri, 0, 0, &sb.sb_uri ); + sb.sb_version = mt->mt_version; + sb.sb_method = LDAP_AUTH_SIMPLE; + BER_BVSTR( &sb.sb_binddn, "" ); + + if ( META_BACK_TGT_T_F_DISCOVER( mt ) ) { + rc = slap_discover_feature( &sb, + slap_schema.si_ad_supportedFeatures->ad_cname.bv_val, + LDAP_FEATURE_ABSOLUTE_FILTERS ); + if ( rc == LDAP_COMPARE_TRUE ) { + mt->mt_flags |= LDAP_BACK_F_T_F; + } + } + + if ( META_BACK_TGT_CANCEL_DISCOVER( mt ) ) { + rc = slap_discover_feature( &sb, + slap_schema.si_ad_supportedExtension->ad_cname.bv_val, + LDAP_EXOP_CANCEL ); + if ( rc == LDAP_COMPARE_TRUE ) { + mt->mt_flags |= LDAP_BACK_F_CANCEL_EXOP; + } + } + + if ( !( mt->mt_idassert_flags & LDAP_BACK_AUTH_OVERRIDE ) + || mt->mt_idassert_authz != NULL ) + { + mi->mi_flags &= ~META_BACK_F_PROXYAUTHZ_ALWAYS; + } + + if ( ( mt->mt_idassert_flags & LDAP_BACK_AUTH_AUTHZ_ALL ) + && !( mt->mt_idassert_flags & LDAP_BACK_AUTH_PRESCRIPTIVE ) ) + { + snprintf( msg, msize, + "%s: inconsistent idassert configuration " + "(likely authz=\"*\" used with \"non-prescriptive\" flag)", + log ); + Debug( LDAP_DEBUG_ANY, "%s (target %s)\n", + msg, mt->mt_uri, 0 ); + return 1; + } + + if ( !( mt->mt_idassert_flags & LDAP_BACK_AUTH_AUTHZ_ALL ) ) + { + mi->mi_flags &= ~META_BACK_F_PROXYAUTHZ_ANON; + } + + if ( ( mt->mt_idassert_flags & LDAP_BACK_AUTH_PRESCRIPTIVE ) ) + { + mi->mi_flags &= ~META_BACK_F_PROXYAUTHZ_NOANON; + } + + BER_BVZERO( &mapped ); + ldap_back_map( &mt->mt_rwmap.rwm_at, + &slap_schema.si_ad_entryDN->ad_cname, &mapped, + BACKLDAP_REMAP ); + if ( BER_BVISNULL( &mapped ) || mapped.bv_val[0] == '\0' ) { + mt->mt_rep_flags |= REP_NO_ENTRYDN; + } + + BER_BVZERO( &mapped ); + ldap_back_map( &mt->mt_rwmap.rwm_at, + &slap_schema.si_ad_subschemaSubentry->ad_cname, &mapped, + BACKLDAP_REMAP ); + if ( BER_BVISNULL( &mapped ) || mapped.bv_val[0] == '\0' ) { + mt->mt_rep_flags |= REP_NO_SUBSCHEMA; + } + + return 0; +} + int meta_back_db_open( Backend *be, ConfigReply *cr ) { metainfo_t *mi = (metainfo_t *)be->be_private; + char msg[SLAP_TEXT_BUFLEN]; - int i, - not_always = 0, - not_always_anon_proxyauthz = 0, - not_always_anon_non_prescriptive = 0, - rc; + int i, rc; if ( mi->mi_ntargets == 0 ) { + /* Dynamically added, nothing to check here until + * some targets get added + */ + if ( slapMode & SLAP_SERVER_RUNNING ) + return 0; + Debug( LDAP_DEBUG_ANY, "meta_back_db_open: no targets defined\n", 0, 0, 0 ); @@ -168,92 +257,11 @@ meta_back_db_open( } for ( i = 0; i < mi->mi_ntargets; i++ ) { - slap_bindconf sb = { BER_BVNULL }; metatarget_t *mt = mi->mi_targets[ i ]; - struct berval mapped; - - ber_str2bv( mt->mt_uri, 0, 0, &sb.sb_uri ); - sb.sb_version = mt->mt_version; - sb.sb_method = LDAP_AUTH_SIMPLE; - BER_BVSTR( &sb.sb_binddn, "" ); - - if ( META_BACK_TGT_T_F_DISCOVER( mt ) ) { - rc = slap_discover_feature( &sb, - slap_schema.si_ad_supportedFeatures->ad_cname.bv_val, - LDAP_FEATURE_ABSOLUTE_FILTERS ); - if ( rc == LDAP_COMPARE_TRUE ) { - mt->mt_flags |= LDAP_BACK_F_T_F; - } - } - - if ( META_BACK_TGT_CANCEL_DISCOVER( mt ) ) { - rc = slap_discover_feature( &sb, - slap_schema.si_ad_supportedExtension->ad_cname.bv_val, - LDAP_EXOP_CANCEL ); - if ( rc == LDAP_COMPARE_TRUE ) { - mt->mt_flags |= LDAP_BACK_F_CANCEL_EXOP; - } - } - - if ( not_always == 0 ) { - if ( !( mt->mt_idassert_flags & LDAP_BACK_AUTH_OVERRIDE ) - || mt->mt_idassert_authz != NULL ) - { - not_always = 1; - } - } - - if ( ( mt->mt_idassert_flags & LDAP_BACK_AUTH_AUTHZ_ALL ) - && !( mt->mt_idassert_flags & LDAP_BACK_AUTH_PRESCRIPTIVE ) ) - { - Debug( LDAP_DEBUG_ANY, "meta_back_db_open(%s): " - "target #%d inconsistent idassert configuration " - "(likely authz=\"*\" used with \"non-prescriptive\" flag)\n", - be->be_suffix[ 0 ].bv_val, i, 0 ); + if ( meta_target_finish( mi, mt, + "meta_back_db_open", msg, sizeof( msg ))) return 1; - } - - if ( not_always_anon_proxyauthz == 0 ) { - if ( !( mt->mt_idassert_flags & LDAP_BACK_AUTH_AUTHZ_ALL ) ) - { - not_always_anon_proxyauthz = 1; - } - } - - if ( not_always_anon_non_prescriptive == 0 ) { - if ( ( mt->mt_idassert_flags & LDAP_BACK_AUTH_PRESCRIPTIVE ) ) - { - not_always_anon_non_prescriptive = 1; - } - } - - BER_BVZERO( &mapped ); - ldap_back_map( &mt->mt_rwmap.rwm_at, - &slap_schema.si_ad_entryDN->ad_cname, &mapped, - BACKLDAP_REMAP ); - if ( BER_BVISNULL( &mapped ) || mapped.bv_val[0] == '\0' ) { - mt->mt_rep_flags |= REP_NO_ENTRYDN; - } - - BER_BVZERO( &mapped ); - ldap_back_map( &mt->mt_rwmap.rwm_at, - &slap_schema.si_ad_subschemaSubentry->ad_cname, &mapped, - BACKLDAP_REMAP ); - if ( BER_BVISNULL( &mapped ) || mapped.bv_val[0] == '\0' ) { - mt->mt_rep_flags |= REP_NO_SUBSCHEMA; - } - } - - if ( not_always == 0 ) { - mi->mi_flags |= META_BACK_F_PROXYAUTHZ_ALWAYS; - } - - if ( not_always_anon_proxyauthz == 0 ) { - mi->mi_flags |= META_BACK_F_PROXYAUTHZ_ANON; - - } else if ( not_always_anon_non_prescriptive == 0 ) { - mi->mi_flags |= META_BACK_F_PROXYAUTHZ_NOANON; } return 0; @@ -332,6 +340,10 @@ target_free( meta_subtree_destroy( mt->mt_subtree ); mt->mt_subtree = NULL; } + if ( mt->mt_filter ) { + meta_filter_destroy( mt->mt_filter ); + mt->mt_filter = NULL; + } if ( !BER_BVISNULL( &mt->mt_psuffix ) ) { free( mt->mt_psuffix.bv_val ); }