X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fbackend.c;h=bad3fccaa8897fce7a2e85d076332262eac92d8e;hb=add9c9c25ecad64233999ac7ec2f89830c78b614;hp=903176c62a4bda7ea6fa4f56005e7e2ff09e7d16;hpb=b85ba35ba704fd9c3f05c17c0c810d0a3dcc05ba;p=openldap diff --git a/servers/slapd/backend.c b/servers/slapd/backend.c index 903176c62a..bad3fccaa8 100644 --- a/servers/slapd/backend.c +++ b/servers/slapd/backend.c @@ -2,7 +2,7 @@ /* $OpenLDAP$ */ /* This work is part of OpenLDAP Software . * - * Copyright 1998-2004 The OpenLDAP Foundation. + * Copyright 1998-2006 The OpenLDAP Foundation. * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -37,12 +37,6 @@ #include "lutil.h" #include "lber_pvt.h" -#include "ldap_rq.h" - -#ifdef LDAP_SLAPI -#include "slapi/slapi.h" -#endif - /* * If a module is configured as dynamic, its header should not * get included into slapd. While this is a general rule and does @@ -51,163 +45,76 @@ * imported into slapd without appropriate __declspec(dllimport) directives. */ -#if SLAPD_BDB == SLAPD_MOD_STATIC -#include "back-bdb/external.h" -#endif -#if SLAPD_DNSSRV == SLAPD_MOD_STATIC -#include "back-dnssrv/external.h" -#endif -#if SLAPD_HDB == SLAPD_MOD_STATIC -#include "back-hdb/external.h" -#endif -#if SLAPD_LDAP == SLAPD_MOD_STATIC -#include "back-ldap/external.h" -#endif -#if SLAPD_LDBM == SLAPD_MOD_STATIC -#include "back-ldbm/external.h" -#endif -#if SLAPD_META == SLAPD_MOD_STATIC -#include "back-meta/external.h" -#endif -#if SLAPD_MONITOR == SLAPD_MOD_STATIC -#include "back-monitor/external.h" -#endif -#if SLAPD_NULL == SLAPD_MOD_STATIC -#include "back-null/external.h" -#endif -#if SLAPD_PASSWD == SLAPD_MOD_STATIC -#include "back-passwd/external.h" -#endif -#if SLAPD_PERL == SLAPD_MOD_STATIC -#include "back-perl/external.h" -#endif -#if SLAPD_RELAY == SLAPD_MOD_STATIC -#include "back-relay/external.h" -#endif -#if SLAPD_SHELL == SLAPD_MOD_STATIC -#include "back-shell/external.h" -#endif -#if SLAPD_TCL == SLAPD_MOD_STATIC -#include "back-tcl/external.h" -#endif -#if SLAPD_SQL == SLAPD_MOD_STATIC -#include "back-sql/external.h" -#endif -#if SLAPD_PRIVATE == SLAPD_MOD_STATIC -#include "private/external.h" -#endif - -static BackendInfo binfo[] = { -#if SLAPD_BDB == SLAPD_MOD_STATIC - {"bdb", bdb_initialize}, -#endif -#if SLAPD_DNSSRV == SLAPD_MOD_STATIC - {"dnssrv", dnssrv_back_initialize}, -#endif -#if SLAPD_HDB == SLAPD_MOD_STATIC - {"hdb", hdb_initialize}, -#endif -#if SLAPD_LDAP == SLAPD_MOD_STATIC - {"ldap", ldap_back_initialize}, -#endif -#if SLAPD_LDBM == SLAPD_MOD_STATIC - {"ldbm", ldbm_back_initialize}, -#endif -#if SLAPD_META == SLAPD_MOD_STATIC - {"meta", meta_back_initialize}, -#endif -#if SLAPD_MONITOR == SLAPD_MOD_STATIC - {"monitor", monitor_back_initialize}, -#endif -#if SLAPD_NULL == SLAPD_MOD_STATIC - {"null", null_back_initialize}, -#endif -#if SLAPD_PASSWD == SLAPD_MOD_STATIC - {"passwd", passwd_back_initialize}, -#endif -#if SLAPD_PERL == SLAPD_MOD_STATIC - {"perl", perl_back_initialize}, -#endif -#if SLAPD_RELAY == SLAPD_MOD_STATIC - {"relay", relay_back_initialize}, -#endif -#if SLAPD_SHELL == SLAPD_MOD_STATIC - {"shell", shell_back_initialize}, -#endif -#if SLAPD_TCL == SLAPD_MOD_STATIC - {"tcl", tcl_back_initialize}, -#endif -#if SLAPD_SQL == SLAPD_MOD_STATIC - {"sql", sql_back_initialize}, -#endif - /* for any private backend */ -#if SLAPD_PRIVATE == SLAPD_MOD_STATIC - {"private", private_back_initialize}, -#endif - {NULL} -}; - int nBackendInfo = 0; -BackendInfo *backendInfo = NULL; +slap_bi_head backendInfo = LDAP_STAILQ_HEAD_INITIALIZER(backendInfo); int nBackendDB = 0; -BackendDB *backendDB = NULL; +slap_be_head backendDB = LDAP_STAILQ_HEAD_INITIALIZER(backendDB); + +static int +backend_init_controls( BackendInfo *bi ) +{ + if ( bi->bi_controls ) { + int i; -ldap_pvt_thread_pool_t syncrepl_pool; -int syncrepl_pool_max = SLAP_MAX_SYNCREPL_THREADS; + for ( i = 0; bi->bi_controls[ i ]; i++ ) { + int cid; + + if ( slap_find_control_id( bi->bi_controls[ i ], &cid ) + == LDAP_CONTROL_NOT_FOUND ) + { + if ( !( slapMode & SLAP_TOOL_MODE ) ) { + assert( 0 ); + } + + return -1; + } + + bi->bi_ctrls[ cid ] = 1; + } + } + + return 0; +} int backend_init(void) { int rc = -1; + BackendInfo *bi; - ldap_pvt_thread_pool_init( &syncrepl_pool, syncrepl_pool_max, 0 ); - - if((nBackendInfo != 0) || (backendInfo != NULL)) { + if((nBackendInfo != 0) || !LDAP_STAILQ_EMPTY(&backendInfo)) { /* already initialized */ -#ifdef NEW_LOGGING - LDAP_LOG( BACKEND, ERR, - "backend_init: backend already initialized\n", 0, 0, 0 ); -#else Debug( LDAP_DEBUG_ANY, - "backend_init: already initialized.\n", 0, 0, 0 ); -#endif + "backend_init: already initialized\n", 0, 0, 0 ); return -1; } - for( ; - binfo[nBackendInfo].bi_type != NULL; - nBackendInfo++ ) - { - assert( binfo[nBackendInfo].bi_init ); + for( bi=slap_binfo; bi->bi_type != NULL; bi++,nBackendInfo++ ) { + assert( bi->bi_init != 0 ); - rc = binfo[nBackendInfo].bi_init( &binfo[nBackendInfo] ); + rc = bi->bi_init( bi ); if(rc != 0) { -#ifdef NEW_LOGGING - LDAP_LOG( BACKEND, INFO, - "backend_init: initialized for type \"%s\"\n", - binfo[nBackendInfo].bi_type, 0, 0 ); -#else Debug( LDAP_DEBUG_ANY, "backend_init: initialized for type \"%s\"\n", - binfo[nBackendInfo].bi_type, 0, 0 ); -#endif + bi->bi_type, 0, 0 ); /* destroy those we've already inited */ for( nBackendInfo--; nBackendInfo >= 0 ; nBackendInfo-- ) { - if ( binfo[nBackendInfo].bi_destroy ) { - binfo[nBackendInfo].bi_destroy( - &binfo[nBackendInfo] ); + if ( slap_binfo[nBackendInfo].bi_destroy ) { + slap_binfo[nBackendInfo].bi_destroy( + &slap_binfo[nBackendInfo] ); } } return rc; } + + LDAP_STAILQ_INSERT_TAIL(&backendInfo, bi, bi_next); } if ( nBackendInfo > 0) { - backendInfo = binfo; return 0; } @@ -215,13 +122,9 @@ int backend_init(void) return 0; #else -#ifdef NEW_LOGGING - LDAP_LOG( BACKEND, ERR, "backend_init: failed\n", 0, 0, 0 ); -#else Debug( LDAP_DEBUG_ANY, "backend_init: failed\n", 0, 0, 0 ); -#endif return rc; #endif /* SLAPD_MODULES */ @@ -229,220 +132,176 @@ int backend_init(void) int backend_add(BackendInfo *aBackendInfo) { - int rc = 0; - - if ( aBackendInfo->bi_init == NULL ) { -#ifdef NEW_LOGGING - LDAP_LOG( BACKEND, ERR, - "backend_add: backend type \"%s\" does not have the " - "(mandatory)init function\n", - aBackendInfo->bi_type, 0, 0 ); -#else - Debug( LDAP_DEBUG_ANY, - "backend_add: backend type \"%s\" does not have the " - "(mandatory)init function\n", - aBackendInfo->bi_type, 0, 0 ); -#endif - return -1; - } - - if ((rc = aBackendInfo->bi_init(aBackendInfo)) != 0) { -#ifdef NEW_LOGGING - LDAP_LOG( BACKEND, ERR, - "backend_add: initialization for type \"%s\" failed\n", - aBackendInfo->bi_type, 0, 0 ); -#else - Debug( LDAP_DEBUG_ANY, - "backend_add: initialization for type \"%s\" failed\n", - aBackendInfo->bi_type, 0, 0 ); -#endif - return rc; - } - - /* now add the backend type to the Backend Info List */ - { - BackendInfo *newBackendInfo = 0; - - /* if backendInfo == binfo no deallocation of old backendInfo */ - if (backendInfo == binfo) { - newBackendInfo = ch_calloc(nBackendInfo + 1, sizeof(BackendInfo)); - AC_MEMCPY(newBackendInfo, backendInfo, sizeof(BackendInfo) * - nBackendInfo); - } else { - newBackendInfo = ch_realloc(backendInfo, sizeof(BackendInfo) * - (nBackendInfo + 1)); - } - AC_MEMCPY(&newBackendInfo[nBackendInfo], aBackendInfo, - sizeof(BackendInfo)); - backendInfo = newBackendInfo; - nBackendInfo++; - - return 0; - } + int rc = 0; + + if ( aBackendInfo->bi_init == NULL ) { + Debug( LDAP_DEBUG_ANY, "backend_add: " + "backend type \"%s\" does not have the (mandatory)init function\n", + aBackendInfo->bi_type, 0, 0 ); + return -1; + } + + rc = aBackendInfo->bi_init(aBackendInfo); + if ( rc != 0) { + Debug( LDAP_DEBUG_ANY, + "backend_add: initialization for type \"%s\" failed\n", + aBackendInfo->bi_type, 0, 0 ); + return rc; + } + + (void)backend_init_controls( aBackendInfo ); + + /* now add the backend type to the Backend Info List */ + LDAP_STAILQ_INSERT_TAIL( &backendInfo, aBackendInfo, bi_next ); + nBackendInfo++; + return 0; +} + +static int +backend_set_controls( BackendDB *be ) +{ + BackendInfo *bi = be->bd_info; + + /* back-relay takes care of itself; so may do other */ + if ( overlay_is_over( be ) ) { + bi = ((slap_overinfo *)be->bd_info->bi_private)->oi_orig; + } + + if ( bi->bi_controls ) { + if ( be->be_ctrls[ SLAP_MAX_CIDS ] == 0 ) { + AC_MEMCPY( be->be_ctrls, bi->bi_ctrls, + sizeof( be->be_ctrls ) ); + be->be_ctrls[ SLAP_MAX_CIDS ] = 1; + + } else { + int i; + + for ( i = 0; i < SLAP_MAX_CIDS; i++ ) { + if ( bi->bi_ctrls[ i ] ) { + be->be_ctrls[ i ] = bi->bi_ctrls[ i ]; + } + } + } + + } + + return 0; +} + +/* startup a specific backend database */ +int backend_startup_one(Backend *be) +{ + int rc = 0; + + assert( be != NULL ); + + be->be_pending_csn_list = (struct be_pcl *) + ch_calloc( 1, sizeof( struct be_pcl ) ); + + LDAP_TAILQ_INIT( be->be_pending_csn_list ); + + Debug( LDAP_DEBUG_TRACE, + "backend_startup_one: starting \"%s\"\n", + be->be_suffix ? be->be_suffix[0].bv_val : "(unknown)", + 0, 0 ); + + /* set database controls */ + (void)backend_set_controls( be ); + + if ( be->bd_info->bi_db_open ) { + rc = be->bd_info->bi_db_open( be ); + if ( rc == 0 ) { + (void)backend_set_controls( be ); + + } else { + Debug( LDAP_DEBUG_ANY, + "backend_startup_one: bi_db_open failed! (%d)\n", + rc, 0, 0 ); + } + } + + return rc; } int backend_startup(Backend *be) { int i; int rc = 0; + BackendInfo *bi; if( ! ( nBackendDB > 0 ) ) { /* no databases */ -#ifdef NEW_LOGGING - LDAP_LOG( BACKEND, INFO, - "backend_startup: %d databases to startup. \n", nBackendDB, 0, 0 ); -#else Debug( LDAP_DEBUG_ANY, "backend_startup: %d databases to startup.\n", nBackendDB, 0, 0 ); -#endif return 1; } if(be != NULL) { - /* startup a specific backend database */ - - be->be_pending_csn_list = (struct be_pcl *) - ch_calloc( 1, sizeof( struct be_pcl )); - LDAP_TAILQ_INIT( be->be_pending_csn_list ); - -#ifdef NEW_LOGGING - LDAP_LOG( BACKEND, DETAIL1, "backend_startup: starting \"%s\"\n", - be->be_suffix ? be->be_suffix[0].bv_val : "(unknown)", - 0, 0 ); -#else - Debug( LDAP_DEBUG_TRACE, - "backend_startup: starting \"%s\"\n", - be->be_suffix ? be->be_suffix[0].bv_val : "(unknown)", - 0, 0 ); -#endif - if ( be->bd_info->bi_open ) { rc = be->bd_info->bi_open( be->bd_info ); if ( rc != 0 ) { -#ifdef NEW_LOGGING - LDAP_LOG( BACKEND, CRIT, "backend_startup: bi_open failed!\n", 0, 0, 0 ); -#else Debug( LDAP_DEBUG_ANY, "backend_startup: bi_open failed!\n", 0, 0, 0 ); -#endif return rc; } } + /* append global access controls */ + acl_append( &be->be_acl, frontendDB->be_acl, -1 ); + return backend_startup_one( be ); + } - if ( be->bd_info->bi_db_open ) { - rc = be->bd_info->bi_db_open( be ); - if ( rc != 0 ) { -#ifdef NEW_LOGGING - LDAP_LOG( BACKEND, CRIT, - "backend_startup: bi_db_open failed! (%d)\n", rc, 0, 0 ); -#else - Debug( LDAP_DEBUG_ANY, - "backend_startup: bi_db_open failed! (%d)\n", - rc, 0, 0 ); -#endif - return rc; - } + /* open frontend, if required */ + if ( frontendDB->bd_info->bi_db_open ) { + rc = frontendDB->bd_info->bi_db_open( frontendDB ); + if ( rc != 0 ) { + Debug( LDAP_DEBUG_ANY, + "backend_startup: bi_db_open(frontend) failed! (%d)\n", + rc, 0, 0 ); + return rc; } - - return rc; } /* open each backend type */ - for( i = 0; i < nBackendInfo; i++ ) { - if( backendInfo[i].bi_nDB == 0) { + i = -1; + LDAP_STAILQ_FOREACH(bi, &backendInfo, bi_next) { + i++; + if( bi->bi_nDB == 0) { /* no database of this type, don't open */ continue; } - if( backendInfo[i].bi_open ) { - rc = backendInfo[i].bi_open( - &backendInfo[i] ); + if( bi->bi_open ) { + rc = bi->bi_open( bi ); if ( rc != 0 ) { -#ifdef NEW_LOGGING - LDAP_LOG( BACKEND, CRIT, - "backend_startup: bi_open %d failed!\n", i, 0, 0 ); -#else Debug( LDAP_DEBUG_ANY, - "backend_startup: bi_open %d failed!\n", - i, 0, 0 ); -#endif + "backend_startup: bi_open %d (%s) failed!\n", + i, bi->bi_type, 0 ); return rc; } } - } - ldap_pvt_thread_mutex_init( &syncrepl_rq.rq_mutex ); - LDAP_STAILQ_INIT( &syncrepl_rq.task_list ); - LDAP_STAILQ_INIT( &syncrepl_rq.run_list ); + (void)backend_init_controls( bi ); + } /* open each backend database */ - for( i = 0; i < nBackendDB; i++ ) { - /* append global access controls */ - acl_append( &backendDB[i].be_acl, global_acl ); - - backendDB[i].be_pending_csn_list = (struct be_pcl *) - ch_calloc( 1, sizeof( struct be_pcl )); - LDAP_TAILQ_INIT( backendDB[i].be_pending_csn_list ); - - if ( backendDB[i].be_suffix == NULL ) { -#ifdef NEW_LOGGING - LDAP_LOG( BACKEND, CRIT, - "backend_startup: warning, database %d (%s) " - "has no suffix\n", - i, backendDB[i].bd_info->bi_type, 0 ); -#else + i = -1; + LDAP_STAILQ_FOREACH(be, &backendDB, be_next) { + i++; + if ( be->be_suffix == NULL ) { Debug( LDAP_DEBUG_ANY, "backend_startup: warning, database %d (%s) " "has no suffix\n", - i, backendDB[i].bd_info->bi_type, 0 ); -#endif - } - - if ( backendDB[i].bd_info->bi_db_open ) { - rc = backendDB[i].bd_info->bi_db_open( - &backendDB[i] ); - if ( rc != 0 ) { -#ifdef NEW_LOGGING - LDAP_LOG( BACKEND, CRIT, - "backend_startup: bi_db_open(%d) failed! (%d)\n", i, rc, 0 ); -#else - Debug( LDAP_DEBUG_ANY, - "backend_startup: bi_db_open(%d) failed! (%d)\n", - i, rc, 0 ); -#endif - return rc; - } + i, be->bd_info->bi_type, 0 ); } + /* append global access controls */ + acl_append( &be->be_acl, frontendDB->be_acl, -1 ); - if ( !LDAP_STAILQ_EMPTY( &backendDB[i].be_syncinfo )) { - syncinfo_t *si; + rc = backend_startup_one( be ); - if ( !( backendDB[i].be_search && backendDB[i].be_add && - backendDB[i].be_modify && backendDB[i].be_delete )) { -#ifdef NEW_LOGGING - LDAP_LOG( BACKEND, CRIT, - "backend_startup: database(%d) does not support " - "operations required for syncrepl", i, 0, 0 ); -#else - Debug( LDAP_DEBUG_ANY, - "backend_startup: database(%d) does not support " - "operations required for syncrepl", i, 0, 0 ); -#endif - continue; - } - - LDAP_STAILQ_FOREACH( si, &backendDB[i].be_syncinfo, si_next ) { - si->si_be = &backendDB[i]; - init_syncrepl( si ); - ldap_pvt_thread_mutex_lock( &syncrepl_rq.rq_mutex ); - ldap_pvt_runqueue_insert( &syncrepl_rq, - si->si_interval, do_syncrepl, (void *) si ); - ldap_pvt_thread_mutex_unlock( &syncrepl_rq.rq_mutex ); - } - } + if ( rc ) return rc; } return rc; @@ -450,20 +309,22 @@ int backend_startup(Backend *be) int backend_num( Backend *be ) { - int i; + int i = 0; + BackendDB *b2; if( be == NULL ) return -1; - for( i = 0; i < nBackendDB; i++ ) { - if( be == &backendDB[i] ) return i; + LDAP_STAILQ_FOREACH( b2, &backendDB, be_next ) { + if( be == b2 ) return i; + i++; } return -1; } int backend_shutdown( Backend *be ) { - int i; int rc = 0; + BackendInfo *bi; if( be != NULL ) { /* shutdown a specific backend database */ @@ -485,90 +346,155 @@ int backend_shutdown( Backend *be ) } /* close each backend database */ - for( i = 0; i < nBackendDB; i++ ) { - if ( backendDB[i].bd_info->bi_db_close ) { - backendDB[i].bd_info->bi_db_close( - &backendDB[i] ); + LDAP_STAILQ_FOREACH( be, &backendDB, be_next ) { + if ( be->bd_info->bi_db_close ) { + be->bd_info->bi_db_close( be ); } if(rc != 0) { -#ifdef NEW_LOGGING - LDAP_LOG( BACKEND, NOTICE, - "backend_shutdown: bi_close %s failed!\n", - backendDB[i].be_type, 0, 0 ); -#else Debug( LDAP_DEBUG_ANY, - "backend_close: bi_close %s failed!\n", - backendDB[i].be_type, 0, 0 ); -#endif + "backend_close: bi_db_close %s failed!\n", + be->be_type, 0, 0 ); } } /* close each backend type */ - for( i = 0; i < nBackendInfo; i++ ) { - if( backendInfo[i].bi_nDB == 0 ) { + LDAP_STAILQ_FOREACH( bi, &backendInfo, bi_next ) { + if( bi->bi_nDB == 0 ) { /* no database of this type */ continue; } - if( backendInfo[i].bi_close ) { - backendInfo[i].bi_close( - &backendInfo[i] ); + if( bi->bi_close ) { + bi->bi_close( bi ); + } + } + + /* close frontend, if required */ + if ( frontendDB->bd_info->bi_db_close ) { + rc = frontendDB->bd_info->bi_db_close ( frontendDB ); + if ( rc != 0 ) { + Debug( LDAP_DEBUG_ANY, + "backend_startup: bi_db_close(frontend) failed! (%d)\n", + rc, 0, 0 ); } } return 0; } +void backend_destroy_one( BackendDB *bd, int dynamic ) +{ + if ( dynamic ) { + LDAP_STAILQ_REMOVE(&backendDB, bd, slap_backend_db, be_next ); + } + + if ( bd->be_syncinfo ) { + syncinfo_free( bd->be_syncinfo ); + } + + if ( bd->be_pending_csn_list ) { + struct slap_csn_entry *csne; + csne = LDAP_TAILQ_FIRST( bd->be_pending_csn_list ); + while ( csne ) { + struct slap_csn_entry *tmp_csne = csne; + + LDAP_TAILQ_REMOVE( bd->be_pending_csn_list, csne, ce_csn_link ); + ch_free( csne->ce_csn.bv_val ); + csne = LDAP_TAILQ_NEXT( csne, ce_csn_link ); + ch_free( tmp_csne ); + } + ch_free( bd->be_pending_csn_list ); + } + + if ( bd->bd_info->bi_db_destroy ) { + bd->bd_info->bi_db_destroy( bd ); + } + ber_bvarray_free( bd->be_suffix ); + ber_bvarray_free( bd->be_nsuffix ); + if ( !BER_BVISNULL( &bd->be_rootdn ) ) { + free( bd->be_rootdn.bv_val ); + } + if ( !BER_BVISNULL( &bd->be_rootndn ) ) { + free( bd->be_rootndn.bv_val ); + } + if ( !BER_BVISNULL( &bd->be_rootpw ) ) { + free( bd->be_rootpw.bv_val ); + } + acl_destroy( bd->be_acl, frontendDB->be_acl ); + limits_destroy( bd->be_limits ); + if ( bd->be_replogfile ) { + ch_free( bd->be_replogfile ); + } + destroy_replica_info( bd ); + if ( !BER_BVISNULL( &bd->be_update_ndn ) ) { + ch_free( bd->be_update_ndn.bv_val ); + } + if ( bd->be_update_refs ) { + ber_bvarray_free( bd->be_update_refs ); + } + + if ( dynamic ) { + free( bd ); + } +} + int backend_destroy(void) { - int i; BackendDB *bd; - - ldap_pvt_thread_pool_destroy( &syncrepl_pool, 1 ); + BackendInfo *bi; /* destroy each backend database */ - for( i = 0, bd = backendDB; i < nBackendDB; i++, bd++ ) { + while (( bd = LDAP_STAILQ_FIRST(&backendDB))) { + backend_destroy_one( bd, 1 ); + } + + /* destroy each backend type */ + LDAP_STAILQ_FOREACH( bi, &backendInfo, bi_next ) { + if( bi->bi_destroy ) { + bi->bi_destroy( bi ); + } + } + + nBackendInfo = 0; + LDAP_STAILQ_INIT(&backendInfo); + + /* destroy frontend database */ + bd = frontendDB; + if ( bd ) { if ( bd->bd_info->bi_db_destroy ) { bd->bd_info->bi_db_destroy( bd ); } ber_bvarray_free( bd->be_suffix ); ber_bvarray_free( bd->be_nsuffix ); - if ( bd->be_rootdn.bv_val ) free( bd->be_rootdn.bv_val ); - if ( bd->be_rootndn.bv_val ) free( bd->be_rootndn.bv_val ); - if ( bd->be_rootpw.bv_val ) free( bd->be_rootpw.bv_val ); - acl_destroy( bd->be_acl, global_acl ); - } - free( backendDB ); + if ( !BER_BVISNULL( &bd->be_rootdn ) ) { + free( bd->be_rootdn.bv_val ); + } + if ( !BER_BVISNULL( &bd->be_rootndn ) ) { + free( bd->be_rootndn.bv_val ); + } + if ( !BER_BVISNULL( &bd->be_rootpw ) ) { + free( bd->be_rootpw.bv_val ); + } + acl_destroy( bd->be_acl, frontendDB->be_acl ); - /* destroy each backend type */ - for( i = 0; i < nBackendInfo; i++ ) { - if( backendInfo[i].bi_destroy ) { - backendInfo[i].bi_destroy( - &backendInfo[i] ); + if ( bd->be_replogfile != NULL ) { + free( bd->be_replogfile ); } + assert( bd->be_replica == NULL ); } -#ifdef SLAPD_MODULES - if (backendInfo != binfo) { - free(backendInfo); - } -#endif /* SLAPD_MODULES */ - - nBackendInfo = 0; - backendInfo = NULL; - return 0; } BackendInfo* backend_info(const char *type) { - int i; + BackendInfo *bi; /* search for the backend type */ - for( i = 0; i < nBackendInfo; i++ ) { - if( strcasecmp(backendInfo[i].bi_type, type) == 0 ) { - return &backendInfo[i]; + LDAP_STAILQ_FOREACH(bi,&backendInfo,bi_next) { + if( strcasecmp(bi->bi_type, type) == 0 ) { + return bi; } } @@ -578,10 +504,9 @@ BackendInfo* backend_info(const char *type) BackendDB * backend_db_init( - const char *type -) + const char *type, + BackendDB *be ) { - Backend *be; BackendInfo *bi = backend_info(type); int rc = 0; @@ -590,37 +515,35 @@ backend_db_init( return NULL; } - backendDB = (BackendDB *) ch_realloc( - (char *) backendDB, - (nBackendDB + 1) * sizeof(Backend) ); - - memset( &backendDB[nbackends], '\0', sizeof(Backend) ); - - be = &backends[nbackends++]; + /* If be is provided, treat it as private. Otherwise allocate + * one and add it to the global list. + */ + if ( !be ) { + be = ch_calloc( 1, sizeof(Backend) ); + nbackends++; + LDAP_STAILQ_INSERT_TAIL(&backendDB, be, be_next); + } be->bd_info = bi; - be->be_def_limit = deflimit; - be->be_dfltaccess = global_default_access; - be->be_restrictops = global_restrictops; - be->be_requires = global_requires; - be->be_ssf_set = global_ssf_set; + be->be_def_limit = frontendDB->be_def_limit; + be->be_dfltaccess = frontendDB->be_dfltaccess; - be->be_context_csn.bv_len = 0; - be->be_context_csn.bv_val = NULL; - ldap_pvt_thread_mutex_init( &be->be_pcl_mutex ); - ldap_pvt_thread_mutex_init( &be->be_context_csn_mutex ); + be->be_restrictops = frontendDB->be_restrictops; + be->be_requires = frontendDB->be_requires; + be->be_ssf_set = frontendDB->be_ssf_set; - LDAP_STAILQ_INIT( &be->be_syncinfo ); + be->be_pcl_mutexp = &be->be_pcl_mutex; + ldap_pvt_thread_mutex_init( be->be_pcl_mutexp ); /* assign a default depth limit for alias deref */ be->be_max_deref_depth = SLAPD_DEFAULT_MAXDEREFDEPTH; - if(bi->bi_db_init) { + if ( bi->bi_db_init ) { rc = bi->bi_db_init( be ); } - if(rc != 0) { + if ( rc != 0 ) { fprintf( stderr, "database init failed (%s)\n", type ); nbackends--; return NULL; @@ -633,13 +556,18 @@ backend_db_init( void be_db_close( void ) { - int i; + BackendDB *be; - for ( i = 0; i < nbackends; i++ ) { - if ( backends[i].bd_info->bi_db_close ) { - (*backends[i].bd_info->bi_db_close)( &backends[i] ); + LDAP_STAILQ_FOREACH( be, &backendDB, be_next ) { + if ( be->bd_info->bi_db_close ) { + be->bd_info->bi_db_close( be ); } } + + if ( frontendDB->bd_info->bi_db_close ) { + (*frontendDB->bd_info->bi_db_close)( frontendDB ); + } + } Backend * @@ -648,21 +576,23 @@ select_backend( int manageDSAit, int noSubs ) { - int i, j; - ber_len_t len, dnlen = dn->bv_len; - Backend *be = NULL; + int j; + ber_len_t len, dnlen = dn->bv_len; + Backend *be, *b2 = NULL; + + LDAP_STAILQ_FOREACH( be, &backendDB, be_next ) { + if ( be->be_nsuffix == NULL ) { + continue; + } - for ( i = 0; i < nbackends; i++ ) { - for ( j = 0; backends[i].be_nsuffix != NULL && - backends[i].be_nsuffix[j].bv_val != NULL; j++ ) + for ( j = 0; !BER_BVISNULL( &be->be_nsuffix[j] ); j++ ) { - if ( ( SLAP_GLUE_SUBORDINATE( &backends[i] ) ) - && noSubs ) + if ( ( SLAP_GLUE_SUBORDINATE( be ) ) && noSubs ) { continue; } - len = backends[i].be_nsuffix[j].bv_len; + len = be->be_nsuffix[j].bv_len; if ( len > dnlen ) { /* suffix is longer than DN */ @@ -679,89 +609,82 @@ select_backend( continue; } - if ( strcmp( backends[i].be_nsuffix[j].bv_val, + if ( strcmp( be->be_nsuffix[j].bv_val, &dn->bv_val[dnlen-len] ) == 0 ) { - if( be == NULL ) { - be = &backends[i]; + if( b2 == NULL ) { + b2 = be; if( manageDSAit && len == dnlen && !SLAP_GLUE_SUBORDINATE( be ) ) { continue; } } else { - be = &backends[i]; + /* If any parts of the tree are glued, use the first + * match regardless of manageDSAit. Otherwise use the + * last match. + */ + if( !( SLAP_DBFLAGS( be ) & ( SLAP_DBFLAG_GLUE_INSTANCE | + SLAP_DBFLAG_GLUE_SUBORDINATE ))) + b2 = be; } - return be; + return b2; } } } - return be; + return b2; } int be_issuffix( - Backend *be, - struct berval *bvsuffix -) + Backend *be, + struct berval *bvsuffix ) { int i; - for ( i = 0; be->be_nsuffix != NULL && be->be_nsuffix[i].bv_val != NULL; i++ ) { + if ( be->be_nsuffix == NULL ) { + return 0; + } + + for ( i = 0; !BER_BVISNULL( &be->be_nsuffix[i] ); i++ ) { if ( bvmatch( &be->be_nsuffix[i], bvsuffix ) ) { - return( 1 ); + return 1; } } - return( 0 ); + return 0; } int be_isroot_dn( Backend *be, struct berval *ndn ) { - if ( !ndn->bv_len ) { - return( 0 ); - } - - if ( !be->be_rootndn.bv_len ) { - return( 0 ); + if ( BER_BVISEMPTY( ndn ) || BER_BVISEMPTY( &be->be_rootndn ) ) { + return 0; } return dn_match( &be->be_rootndn, ndn ); } -int -be_sync_update( Operation *op ) -{ - return ( SLAP_SYNC_SHADOW( op->o_bd ) && syncrepl_isupdate( op ) ); -} - int be_slurp_update( Operation *op ) { - return ( SLAP_SLURP_SHADOW( op->o_bd ) && be_isupdate_dn( op->o_bd, &op->o_ndn )); + return ( SLAP_SLURP_SHADOW( op->o_bd ) && + be_isupdate_dn( op->o_bd, &op->o_ndn ) ); } int be_shadow_update( Operation *op ) { -#if 0 - return ( be_sync_update( op ) || be_slurp_update( op ) ); -#endif - /* NOTE: this is slightly more efficient */ - return ( SLAP_SHADOW( op->o_bd ) && ( syncrepl_isupdate( op ) || be_isupdate_dn( op->o_bd, &op->o_ndn ) ) ); + return ( SLAP_SYNC_SHADOW( op->o_bd ) || + ( SLAP_SHADOW( op->o_bd ) && be_isupdate_dn( op->o_bd, &op->o_ndn ) ) ); } int be_isupdate_dn( Backend *be, struct berval *ndn ) { - if ( !ndn->bv_len ) { - return( 0 ); - } - - if ( !be->be_update_ndn.bv_len ) { - return( 0 ); + if ( BER_BVISEMPTY( ndn ) || BER_BVISEMPTY( &be->be_update_ndn ) ) { + return 0; } return dn_match( &be->be_update_ndn, ndn ); @@ -783,30 +706,24 @@ int be_isroot_pw( Operation *op ) { int result; - char *errmsg; if ( ! be_isroot_dn( op->o_bd, &op->o_req_ndn ) ) { return 0; } - if( op->o_bd->be_rootpw.bv_len == 0 ) { + if ( BER_BVISEMPTY( &op->o_bd->be_rootpw ) ) { return 0; } -#if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD ) - ldap_pvt_thread_mutex_lock( &passwd_mutex ); #ifdef SLAPD_SPASSWD - lutil_passwd_sasl_conn = op->o_conn->c_sasl_authctx; -#endif + ldap_pvt_thread_pool_setkey( op->o_threadctx, slap_sasl_bind, + op->o_conn->c_sasl_authctx, NULL ); #endif result = lutil_passwd( &op->o_bd->be_rootpw, &op->orb_cred, NULL, NULL ); -#if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD ) #ifdef SLAPD_SPASSWD - lutil_passwd_sasl_conn = NULL; -#endif - ldap_pvt_thread_mutex_unlock( &passwd_mutex ); + ldap_pvt_thread_pool_setkey( op->o_threadctx, slap_sasl_bind, NULL, NULL ); #endif return result == 0; @@ -831,50 +748,13 @@ be_entry_release_rw( int backend_unbind( Operation *op, SlapReply *rs ) { - int i; - - for ( i = 0; i < nbackends; i++ ) { -#if defined( LDAP_SLAPI ) - if ( op->o_pb ) { - int rc; - if ( i == 0 ) slapi_int_pblock_set_operation( op->o_pb, op ); - slapi_pblock_set( op->o_pb, SLAPI_BACKEND, (void *)&backends[i] ); - rc = slapi_int_call_plugins( &backends[i], SLAPI_PLUGIN_PRE_UNBIND_FN, - (Slapi_PBlock *)op->o_pb ); - if ( rc < 0 ) { - /* - * A preoperation plugin failure will abort the - * entire operation. - */ -#ifdef NEW_LOGGING - LDAP_LOG( OPERATION, INFO, "do_bind: Unbind preoperation plugin " - "failed\n", 0, 0, 0); -#else - Debug(LDAP_DEBUG_TRACE, "do_bind: Unbind preoperation plugin " - "failed.\n", 0, 0, 0); -#endif - return 0; - } - } -#endif /* defined( LDAP_SLAPI ) */ + BackendDB *be; - if ( backends[i].be_unbind ) { - op->o_bd = &backends[i]; - (*backends[i].be_unbind)( op, rs ); + LDAP_STAILQ_FOREACH( be, &backendDB, be_next ) { + if ( be->be_unbind ) { + op->o_bd = be; + be->be_unbind( op, rs ); } - -#if defined( LDAP_SLAPI ) - if ( op->o_pb != NULL && slapi_int_call_plugins( &backends[i], SLAPI_PLUGIN_POST_UNBIND_FN, - (Slapi_PBlock *)op->o_pb ) < 0 ) { -#ifdef NEW_LOGGING - LDAP_LOG( OPERATION, INFO, "do_unbind: Unbind postoperation plugins " - "failed\n", 0, 0, 0); -#else - Debug(LDAP_DEBUG_TRACE, "do_unbind: Unbind postoperation plugins " - "failed.\n", 0, 0, 0); -#endif - } -#endif /* defined( LDAP_SLAPI ) */ } return 0; @@ -882,14 +762,13 @@ backend_unbind( Operation *op, SlapReply *rs ) int backend_connection_init( - Connection *conn -) + Connection *conn ) { - int i; + BackendDB *be; - for ( i = 0; i < nbackends; i++ ) { - if ( backends[i].be_connection_init ) { - (*backends[i].be_connection_init)( &backends[i], conn); + LDAP_STAILQ_FOREACH( be, &backendDB, be_next ) { + if ( be->be_connection_init ) { + be->be_connection_init( be, conn ); } } @@ -898,21 +777,20 @@ backend_connection_init( int backend_connection_destroy( - Connection *conn -) + Connection *conn ) { - int i; + BackendDB *be; - for ( i = 0; i < nbackends; i++ ) { - if ( backends[i].be_connection_destroy ) { - (*backends[i].be_connection_destroy)( &backends[i], conn); + LDAP_STAILQ_FOREACH( be, &backendDB, be_next ) { + if ( be->be_connection_destroy ) { + be->be_connection_destroy( be, conn); } } return 0; } -static int +int backend_check_controls( Operation *op, SlapReply *rs ) @@ -922,16 +800,65 @@ backend_check_controls( if( ctrls ) { for( ; *ctrls != NULL ; ctrls++ ) { - if( (*ctrls)->ldctl_iscritical && !ldap_charray_inlist( - op->o_bd->be_controls, (*ctrls)->ldctl_oid ) ) - { - rs->sr_text = "control unavailable in context"; - rs->sr_err = LDAP_UNAVAILABLE_CRITICAL_EXTENSION; + int cid; + + switch ( slap_global_control( op, (*ctrls)->ldctl_oid, &cid ) ) { + case LDAP_CONTROL_NOT_FOUND: + /* unrecognized control */ + if ( (*ctrls)->ldctl_iscritical ) { + /* should not be reachable */ + Debug( LDAP_DEBUG_ANY, + "backend_check_controls: unrecognized control: %s\n", + (*ctrls)->ldctl_oid, 0, 0 ); + assert( 0 ); + } break; + + case LDAP_COMPARE_FALSE: + if ( !op->o_bd->be_ctrls[cid] && (*ctrls)->ldctl_iscritical ) { + /* Per RFC 2251 (and LDAPBIS discussions), if the control + * is recognized and appropriate for the operation (which + * we've already verified), then the server should make + * use of the control when performing the operation. + * + * Here we find that operation extended by the control + * is unavailable in a particular context, and the control + * is marked Critical, hence the return of + * unwillingToPerform. + */ + rs->sr_text = "critical control unavailable in context"; + rs->sr_err = LDAP_UNWILLING_TO_PERFORM; + goto done; + } + break; + + case LDAP_COMPARE_TRUE: + break; + + default: + /* unreachable */ + Debug( LDAP_DEBUG_ANY, + "backend_check_controls: unable to check control: %s\n", + (*ctrls)->ldctl_oid, 0, 0 ); + assert( 0 ); + + rs->sr_text = "unable to check control"; + rs->sr_err = LDAP_OTHER; + goto done; } } } + /* temporarily removed */ +#if 0 + /* check should be generalized */ + if( get_manageDIT(op) && !be_isroot(op)) { + rs->sr_text = "requires manager authorization"; + rs->sr_err = LDAP_UNWILLING_TO_PERFORM; + } +#endif + +done:; return rs->sr_err; } @@ -944,14 +871,24 @@ backend_check_restrictions( slap_mask_t restrictops; slap_mask_t requires; slap_mask_t opflag; - slap_mask_t exopflag; + slap_mask_t exopflag = 0; slap_ssf_set_t *ssf; int updateop = 0; int starttls = 0; int session = 0; - if( op->o_bd ) { - if ( backend_check_controls( op, rs ) != LDAP_SUCCESS ) { + if ( op->o_bd ) { + int rc = SLAP_CB_CONTINUE; + + if ( op->o_bd->be_chk_controls ) { + rc = ( *op->o_bd->be_chk_controls )( op, rs ); + } + + if ( rc == SLAP_CB_CONTINUE ) { + rc = backend_check_controls( op, rs ); + } + + if ( rc != LDAP_SUCCESS ) { return rs->sr_err; } @@ -960,9 +897,9 @@ backend_check_restrictions( ssf = &op->o_bd->be_ssf_set; } else { - restrictops = global_restrictops; - requires = global_requires; - ssf = &global_ssf_set; + restrictops = frontendDB->be_restrictops; + requires = frontendDB->be_requires; + ssf = &frontendDB->be_ssf_set; } switch( op->o_tag ) { @@ -1045,12 +982,16 @@ backend_check_restrictions( rs->sr_err = LDAP_CONFIDENTIALITY_REQUIRED; if( op->o_transport_ssf < ssf->sss_transport ) { - rs->sr_text = "transport confidentiality required"; + rs->sr_text = op->o_transport_ssf + ? "stronger transport confidentiality required" + : "transport confidentiality required"; return rs->sr_err; } if( op->o_tls_ssf < ssf->sss_tls ) { - rs->sr_text = "TLS confidentiality required"; + rs->sr_text = op->o_tls_ssf + ? "stronger TLS confidentiality required" + : "TLS confidentiality required"; return rs->sr_err; } @@ -1058,7 +999,9 @@ backend_check_restrictions( if( op->o_tag == LDAP_REQ_BIND && opdata == NULL ) { /* simple bind specific check */ if( op->o_ssf < ssf->sss_simple_bind ) { - rs->sr_text = "confidentiality required"; + rs->sr_text = op->o_ssf + ? "stronger confidentiality required" + : "confidentiality required"; return rs->sr_err; } } @@ -1067,39 +1010,51 @@ backend_check_restrictions( /* these checks don't apply to SASL bind */ if( op->o_sasl_ssf < ssf->sss_sasl ) { - rs->sr_text = "SASL confidentiality required"; + rs->sr_text = op->o_sasl_ssf + ? "stronger SASL confidentiality required" + : "SASL confidentiality required"; return rs->sr_err; } if( op->o_ssf < ssf->sss_ssf ) { - rs->sr_text = "confidentiality required"; + rs->sr_text = op->o_ssf + ? "stronger confidentiality required" + : "confidentiality required"; return rs->sr_err; } } if( updateop ) { if( op->o_transport_ssf < ssf->sss_update_transport ) { - rs->sr_text = "transport update confidentiality required"; + rs->sr_text = op->o_transport_ssf + ? "stronger transport confidentiality required for update" + : "transport confidentiality required for update"; return rs->sr_err; } if( op->o_tls_ssf < ssf->sss_update_tls ) { - rs->sr_text = "TLS update confidentiality required"; + rs->sr_text = op->o_tls_ssf + ? "stronger TLS confidentiality required for update" + : "TLS confidentiality required for update"; return rs->sr_err; } if( op->o_sasl_ssf < ssf->sss_update_sasl ) { - rs->sr_text = "SASL update confidentiality required"; + rs->sr_text = op->o_sasl_ssf + ? "stronger SASL confidentiality required for update" + : "SASL confidentiality required for update"; return rs->sr_err; } if( op->o_ssf < ssf->sss_update_ssf ) { - rs->sr_text = "update confidentiality required"; + rs->sr_text = op->o_ssf + ? "stronger confidentiality required for update" + : "confidentiality required for update"; return rs->sr_err; } if( !( global_allows & SLAP_ALLOW_UPDATE_ANON ) && - op->o_ndn.bv_len == 0 ) + BER_BVISEMPTY( &op->o_ndn ) ) { rs->sr_text = "modifications require authentication"; rs->sr_err = LDAP_STRONG_AUTH_REQUIRED; @@ -1107,7 +1062,10 @@ backend_check_restrictions( } #ifdef SLAP_X_LISTENER_MOD - if ( op->o_conn->c_listener && ! ( op->o_conn->c_listener->sl_perms & ( op->o_ndn.bv_len > 0 ? S_IWUSR : S_IWOTH ) ) ) { + if ( op->o_conn->c_listener && + ! ( op->o_conn->c_listener->sl_perms & ( !BER_BVISEMPTY( &op->o_ndn ) + ? (S_IWUSR|S_IWOTH) : S_IWOTH ) ) ) + { /* no "w" mode means readonly */ rs->sr_text = "modifications not allowed on this listener"; rs->sr_err = LDAP_UNWILLING_TO_PERFORM; @@ -1124,7 +1082,7 @@ backend_check_restrictions( /* should check mechanism */ if( ( op->o_transport_ssf < ssf->sss_transport && op->o_authtype == LDAP_AUTH_SIMPLE ) - || op->o_dn.bv_len == 0 ) + || BER_BVISEMPTY( &op->o_dn ) ) { rs->sr_text = "strong(er) authentication required"; rs->sr_err = LDAP_STRONG_AUTH_REQUIRED; @@ -1133,7 +1091,7 @@ backend_check_restrictions( } if( requires & SLAP_REQUIRE_SASL ) { - if( op->o_authtype != LDAP_AUTH_SASL || op->o_dn.bv_len == 0 ) { + if( op->o_authtype != LDAP_AUTH_SASL || BER_BVISEMPTY( &op->o_dn ) ) { rs->sr_text = "SASL authentication required"; rs->sr_err = LDAP_STRONG_AUTH_REQUIRED; return rs->sr_err; @@ -1141,7 +1099,7 @@ backend_check_restrictions( } if( requires & SLAP_REQUIRE_AUTHC ) { - if( op->o_dn.bv_len == 0 ) { + if( BER_BVISEMPTY( &op->o_dn ) ) { rs->sr_text = "authentication required"; rs->sr_err = LDAP_UNWILLING_TO_PERFORM; return rs->sr_err; @@ -1172,8 +1130,10 @@ backend_check_restrictions( } #ifdef SLAP_X_LISTENER_MOD - if ( !starttls && op->o_dn.bv_len == 0 ) { - if ( op->o_conn->c_listener && ! ( op->o_conn->c_listener->sl_perms & S_IXOTH ) ) { + if ( !starttls && BER_BVISEMPTY( &op->o_dn ) ) { + if ( op->o_conn->c_listener && + !( op->o_conn->c_listener->sl_perms & S_IXOTH )) + { /* no "x" mode means bind required */ rs->sr_text = "bind required on this listener"; rs->sr_err = LDAP_STRONG_AUTH_REQUIRED; @@ -1182,7 +1142,11 @@ backend_check_restrictions( } if ( !starttls && !updateop ) { - if ( op->o_conn->c_listener && ! ( op->o_conn->c_listener->sl_perms & ( op->o_dn.bv_len > 0 ? S_IRUSR : S_IROTH ) ) ) { + if ( op->o_conn->c_listener && + !( op->o_conn->c_listener->sl_perms & + ( !BER_BVISEMPTY( &op->o_dn ) + ? (S_IRUSR|S_IROTH) : S_IROTH ))) + { /* no "r" mode means no read */ rs->sr_text = "read not allowed on this listener"; rs->sr_err = LDAP_UNWILLING_TO_PERFORM; @@ -1234,50 +1198,49 @@ be_entry_get_rw( int rw, Entry **e ) { - int rc; - *e = NULL; - if (op->o_bd == NULL) { - rc = LDAP_NO_SUCH_OBJECT; - } else if ( op->o_bd->be_fetch ) { - rc = ( op->o_bd->be_fetch )( op, ndn, - oc, at, rw, e ); - } else { - rc = LDAP_UNWILLING_TO_PERFORM; + if ( op->o_bd == NULL ) { + return LDAP_NO_SUCH_OBJECT; } - return rc; + + if ( op->o_bd->be_fetch ) { + return op->o_bd->be_fetch( op, ndn, oc, at, rw, e ); + } + + return LDAP_UNWILLING_TO_PERFORM; } int -backend_group( +fe_acl_group( Operation *op, Entry *target, struct berval *gr_ndn, struct berval *op_ndn, ObjectClass *group_oc, - AttributeDescription *group_at -) + AttributeDescription *group_at ) { Entry *e; + void *o_priv = op->o_private, *e_priv = NULL; Attribute *a; int rc; GroupAssertion *g; Backend *be = op->o_bd; - if ( op->o_abandon ) return SLAPD_ABANDON; - op->o_bd = select_backend( gr_ndn, 0, 0 ); - for (g = op->o_groups; g; g=g->ga_next) { - if (g->ga_be != op->o_bd || g->ga_oc != group_oc || - g->ga_at != group_at || g->ga_len != gr_ndn->bv_len) + for ( g = op->o_groups; g; g = g->ga_next ) { + if ( g->ga_be != op->o_bd || g->ga_oc != group_oc || + g->ga_at != group_at || g->ga_len != gr_ndn->bv_len ) + { continue; - if (strcmp( g->ga_ndn, gr_ndn->bv_val ) == 0) + } + if ( strcmp( g->ga_ndn, gr_ndn->bv_val ) == 0 ) { break; + } } - if (g) { + if ( g ) { rc = g->ga_res; goto done; } @@ -1286,7 +1249,10 @@ backend_group( e = target; rc = 0; } else { - rc = be_entry_get_rw(op, gr_ndn, group_oc, group_at, 0, &e ); + op->o_private = NULL; + rc = be_entry_get_rw( op, gr_ndn, group_oc, group_at, 0, &e ); + e_priv = op->o_private; + op->o_private = o_priv; } if ( e ) { a = attr_find( e->e_attrs, group_at ); @@ -1294,72 +1260,93 @@ backend_group( /* If the attribute is a subtype of labeledURI, treat this as * a dynamic group ala groupOfURLs */ - if (is_at_subtype( group_at->ad_type, slap_schema.si_ad_labeledURI->ad_type ) ) { + if (is_at_subtype( group_at->ad_type, + slap_schema.si_ad_labeledURI->ad_type ) ) + { int i; LDAPURLDesc *ludp; struct berval bv, nbase; Filter *filter; Entry *user; + void *user_priv = NULL; Backend *b2 = op->o_bd; if ( target && dn_match( &target->e_nname, op_ndn ) ) { user = target; } else { op->o_bd = select_backend( op_ndn, 0, 0 ); + op->o_private = NULL; rc = be_entry_get_rw(op, op_ndn, NULL, NULL, 0, &user ); + user_priv = op->o_private; + op->o_private = o_priv; } if ( rc == 0 ) { - rc = 1; - for (i=0; a->a_vals[i].bv_val; i++) { - if ( ldap_url_parse( a->a_vals[i].bv_val, &ludp ) != LDAP_SUCCESS ) + rc = LDAP_COMPARE_FALSE; + for ( i = 0; !BER_BVISNULL( &a->a_vals[i] ); i++ ) { + if ( ldap_url_parse( a->a_vals[i].bv_val, &ludp ) != + LDAP_URL_SUCCESS ) + { continue; - nbase.bv_val = NULL; + } + BER_BVZERO( &nbase ); /* host part must be empty */ /* attrs and extensions parts must be empty */ - if (( ludp->lud_host && *ludp->lud_host ) - || ludp->lud_attrs || ludp->lud_exts ) + if ( ( ludp->lud_host && *ludp->lud_host ) || + ludp->lud_attrs || ludp->lud_exts ) + { goto loopit; + } ber_str2bv( ludp->lud_dn, 0, 0, &bv ); - if ( dnNormalize( 0, NULL, NULL, &bv, &nbase, op->o_tmpmemctx ) != LDAP_SUCCESS ) + if ( dnNormalize( 0, NULL, NULL, &bv, &nbase, + op->o_tmpmemctx ) != LDAP_SUCCESS ) + { goto loopit; - switch(ludp->lud_scope) { + } + switch ( ludp->lud_scope ) { case LDAP_SCOPE_BASE: - if ( !dn_match( &nbase, op_ndn )) goto loopit; + if ( !dn_match( &nbase, op_ndn ) ) { + goto loopit; + } break; case LDAP_SCOPE_ONELEVEL: - dnParent(op_ndn, &bv ); - if ( !dn_match( &nbase, &bv )) goto loopit; + dnParent( op_ndn, &bv ); + if ( !dn_match( &nbase, &bv ) ) { + goto loopit; + } break; case LDAP_SCOPE_SUBTREE: - if ( !dnIsSuffix( op_ndn, &nbase )) goto loopit; + if ( !dnIsSuffix( op_ndn, &nbase ) ) { + goto loopit; + } break; -#ifdef LDAP_SCOPE_SUBORDINATE case LDAP_SCOPE_SUBORDINATE: - if ( dn_match( &nbase, op_ndn ) && - !dnIsSuffix(op_ndn, &nbase )) + if ( dn_match( &nbase, op_ndn ) || + !dnIsSuffix( op_ndn, &nbase ) ) { goto loopit; } -#endif } filter = str2filter_x( op, ludp->lud_filter ); if ( filter ) { - if ( test_filter( NULL, user, filter ) == LDAP_COMPARE_TRUE ) + if ( test_filter( NULL, user, filter ) == + LDAP_COMPARE_TRUE ) { rc = 0; } filter_free_x( op, filter ); } - loopit: +loopit: ldap_free_urldesc( ludp ); - if ( nbase.bv_val ) { + if ( !BER_BVISNULL( &nbase ) ) { op->o_tmpfree( nbase.bv_val, op->o_tmpmemctx ); } if ( rc == 0 ) break; } if ( user != target ) { + op->o_private = user_priv; be_entry_release_r( op, user ); + op->o_private = o_priv; } } op->o_bd = b2; @@ -1368,25 +1355,30 @@ backend_group( SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH | SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH, a->a_nvals, op_ndn, op->o_tmpmemctx ); + if ( rc == LDAP_NO_SUCH_ATTRIBUTE ) + rc = LDAP_COMPARE_FALSE; } } else { rc = LDAP_NO_SUCH_ATTRIBUTE; } - if (e != target ) { + if ( e != target ) { + op->o_private = e_priv; be_entry_release_r( op, e ); + op->o_private = o_priv; } } else { rc = LDAP_NO_SUCH_OBJECT; } if ( op->o_tag != LDAP_REQ_BIND && !op->o_do_not_cache ) { - g = op->o_tmpalloc(sizeof(GroupAssertion) + gr_ndn->bv_len, op->o_tmpmemctx); + g = op->o_tmpalloc( sizeof( GroupAssertion ) + gr_ndn->bv_len, + op->o_tmpmemctx ); g->ga_be = op->o_bd; g->ga_oc = group_oc; g->ga_at = group_at; g->ga_res = rc; g->ga_len = gr_ndn->bv_len; - strcpy(g->ga_ndn, gr_ndn->bv_val); + strcpy( g->ga_ndn, gr_ndn->bv_val ); g->ga_next = op->o_groups; op->o_groups = g; } @@ -1396,67 +1388,142 @@ done: } int -backend_attribute( +backend_group( + Operation *op, + Entry *target, + struct berval *gr_ndn, + struct berval *op_ndn, + ObjectClass *group_oc, + AttributeDescription *group_at ) +{ + int rc; + BackendDB *be_orig; + + if ( op->o_abandon ) { + return SLAPD_ABANDON; + } + + be_orig = op->o_bd; + op->o_bd = frontendDB; +#ifdef SLAP_OVERLAY_ACCESS + rc = frontendDB->be_group( op, target, gr_ndn, + op_ndn, group_oc, group_at ); +#else /* ! SLAP_OVERLAY_ACCESS */ + rc = fe_acl_group( op, target, gr_ndn, + op_ndn, group_oc, group_at ); +#endif /* ! SLAP_OVERLAY_ACCESS */ + op->o_bd = be_orig; + + return rc; +} + +int +fe_acl_attribute( Operation *op, Entry *target, struct berval *edn, AttributeDescription *entry_at, - BerVarray *vals -) + BerVarray *vals, + slap_access_t access ) { - Entry *e; - Attribute *a; - int i, j, rc = LDAP_SUCCESS; - AccessControlState acl_state = ACL_STATE_INIT; - Backend *be = op->o_bd; + Entry *e = NULL; + void *o_priv = op->o_private, *e_priv = NULL; + Attribute *a = NULL; + int freeattr = 0, i, j, rc = LDAP_SUCCESS; + AccessControlState acl_state = ACL_STATE_INIT; + Backend *be = op->o_bd; op->o_bd = select_backend( edn, 0, 0 ); if ( target && dn_match( &target->e_nname, edn ) ) { e = target; + } else { - rc = be_entry_get_rw(op, edn, NULL, entry_at, 0, &e ); + op->o_private = NULL; + rc = be_entry_get_rw( op, edn, NULL, entry_at, 0, &e ); + e_priv = op->o_private; + op->o_private = o_priv; } if ( e ) { a = attr_find( e->e_attrs, entry_at ); + if ( a == NULL ) { + SlapReply rs = { 0 }; + AttributeName anlist[ 2 ]; + + anlist[ 0 ].an_name = entry_at->ad_cname; + anlist[ 0 ].an_desc = entry_at; + BER_BVZERO( &anlist[ 1 ].an_name ); + rs.sr_attrs = anlist; + + /* NOTE: backend_operational() is also called + * when returning results, so it's supposed + * to do no harm to entries */ + rs.sr_entry = e; + rc = backend_operational( op, &rs ); + rs.sr_entry = NULL; + + if ( rc == LDAP_SUCCESS ) { + if ( rs.sr_operational_attrs ) { + freeattr = 1; + a = rs.sr_operational_attrs; + + } else { + rc = LDAP_NO_SUCH_ATTRIBUTE; + } + } + } + if ( a ) { BerVarray v; - if ( op->o_conn && access_allowed( op, - e, entry_at, NULL, ACL_AUTH, - &acl_state ) == 0 ) { + if ( op->o_conn && access > ACL_NONE && + access_allowed( op, e, entry_at, NULL, + access, &acl_state ) == 0 ) + { rc = LDAP_INSUFFICIENT_ACCESS; goto freeit; } - for ( i=0; a->a_vals[i].bv_val; i++ ) ; + for ( i = 0; !BER_BVISNULL( &a->a_vals[i] ); i++ ) + ; - v = op->o_tmpalloc( sizeof(struct berval) * (i+1), op->o_tmpmemctx ); - for ( i=0,j=0; a->a_vals[i].bv_val; i++ ) { - if ( op->o_conn && access_allowed( op, - e, entry_at, - &a->a_nvals[i], - ACL_AUTH, &acl_state ) == 0 ) { + v = op->o_tmpalloc( sizeof(struct berval) * ( i + 1 ), + op->o_tmpmemctx ); + for ( i = 0, j = 0; !BER_BVISNULL( &a->a_vals[i] ); i++ ) + { + if ( op->o_conn && access > ACL_NONE && + access_allowed( op, e, entry_at, + &a->a_nvals[i], + access, + &acl_state ) == 0 ) + { continue; } - ber_dupbv_x( &v[j], - &a->a_nvals[i], op->o_tmpmemctx ); - if (v[j].bv_val ) j++; + ber_dupbv_x( &v[j], &a->a_nvals[i], + op->o_tmpmemctx ); + if ( !BER_BVISNULL( &v[j] ) ) { + j++; + } } - if (j == 0) { + if ( j == 0 ) { op->o_tmpfree( v, op->o_tmpmemctx ); *vals = NULL; rc = LDAP_INSUFFICIENT_ACCESS; + } else { - v[j].bv_val = NULL; - v[j].bv_len = 0; + BER_BVZERO( &v[j] ); *vals = v; rc = LDAP_SUCCESS; } } -freeit: if (e != target ) { +freeit: if ( e != target ) { + op->o_private = e_priv; be_entry_release_r( op, e ); + op->o_private = o_priv; + } + if ( freeattr ) { + attr_free( a ); } } @@ -1464,28 +1531,201 @@ freeit: if (e != target ) { return rc; } -Attribute *backend_operational( +int +backend_attribute( Operation *op, - SlapReply *rs, - int opattrs ) + Entry *target, + struct berval *edn, + AttributeDescription *entry_at, + BerVarray *vals, + slap_access_t access ) +{ + int rc; + BackendDB *be_orig; + + be_orig = op->o_bd; + op->o_bd = frontendDB; +#ifdef SLAP_OVERLAY_ACCESS + rc = frontendDB->be_attribute( op, target, edn, + entry_at, vals, access ); +#else /* !SLAP_OVERLAY_ACCESS */ + rc = fe_acl_attribute( op, target, edn, + entry_at, vals, access ); +#endif /* !SLAP_OVERLAY_ACCESS */ + op->o_bd = be_orig; + + return rc; +} + +int +backend_access( + Operation *op, + Entry *target, + struct berval *edn, + AttributeDescription *entry_at, + struct berval *nval, + slap_access_t access, + slap_mask_t *mask ) +{ + Entry *e = NULL; + void *o_priv = op->o_private, *e_priv = NULL; + int rc = LDAP_INSUFFICIENT_ACCESS; + Backend *be = op->o_bd; + + /* pedantic */ + assert( op != NULL ); + assert( op->o_conn != NULL ); + assert( edn != NULL ); + assert( access > ACL_NONE ); + + op->o_bd = select_backend( edn, 0, 0 ); + + if ( target && dn_match( &target->e_nname, edn ) ) { + e = target; + + } else { + op->o_private = NULL; + rc = be_entry_get_rw( op, edn, NULL, entry_at, 0, &e ); + e_priv = op->o_private; + op->o_private = o_priv; + } + + if ( e ) { + Attribute *a = NULL; + int freeattr = 0; + + if ( entry_at == NULL ) { + entry_at = slap_schema.si_ad_entry; + } + + if ( entry_at == slap_schema.si_ad_entry || entry_at == slap_schema.si_ad_children ) + { + if ( access_allowed_mask( op, e, entry_at, + NULL, access, NULL, mask ) == 0 ) + { + rc = LDAP_INSUFFICIENT_ACCESS; + + } else { + rc = LDAP_SUCCESS; + } + + } else { + a = attr_find( e->e_attrs, entry_at ); + if ( a == NULL ) { + SlapReply rs = { 0 }; + AttributeName anlist[ 2 ]; + + anlist[ 0 ].an_name = entry_at->ad_cname; + anlist[ 0 ].an_desc = entry_at; + BER_BVZERO( &anlist[ 1 ].an_name ); + rs.sr_attrs = anlist; + + rs.sr_attr_flags = slap_attr_flags( rs.sr_attrs ); + + /* NOTE: backend_operational() is also called + * when returning results, so it's supposed + * to do no harm to entries */ + rs.sr_entry = e; + rc = backend_operational( op, &rs ); + rs.sr_entry = NULL; + + if ( rc == LDAP_SUCCESS ) { + if ( rs.sr_operational_attrs ) { + freeattr = 1; + a = rs.sr_operational_attrs; + + } else { + rc = LDAP_NO_SUCH_OBJECT; + } + } + } + + if ( a ) { + if ( access_allowed_mask( op, e, entry_at, + nval, access, NULL, mask ) == 0 ) + { + rc = LDAP_INSUFFICIENT_ACCESS; + goto freeit; + } + rc = LDAP_SUCCESS; + } + } +freeit: if ( e != target ) { + op->o_private = e_priv; + be_entry_release_r( op, e ); + op->o_private = o_priv; + } + if ( freeattr ) { + attr_free( a ); + } + } + + op->o_bd = be; + return rc; +} + +int +fe_aux_operational( + Operation *op, + SlapReply *rs ) { - Attribute *a = NULL, **ap = &a; + Attribute **ap; + int rc = 0; + BackendDB *be_orig; + + for ( ap = &rs->sr_operational_attrs; *ap; ap = &(*ap)->a_next ) + /* just count them */ ; /* * If operational attributes (allegedly) are required, * and the backend supports specific operational attributes, * add them to the attribute list */ - if ( opattrs || ( op->ors_attrs && - ad_inlist( slap_schema.si_ad_subschemaSubentry, op->ors_attrs )) ) { + if ( !( rs->sr_flags & REP_NO_ENTRYDN ) + && ( SLAP_OPATTRS( rs->sr_attr_flags ) || ( rs->sr_attrs && + ad_inlist( slap_schema.si_ad_entryDN, rs->sr_attrs ) ) ) ) + { + *ap = slap_operational_entryDN( rs->sr_entry ); + ap = &(*ap)->a_next; + } + + if ( !( rs->sr_flags & REP_NO_SUBSCHEMA) + && ( SLAP_OPATTRS( rs->sr_attr_flags ) || ( rs->sr_attrs && + ad_inlist( slap_schema.si_ad_subschemaSubentry, rs->sr_attrs ) ) ) ) + { *ap = slap_operational_subschemaSubentry( op->o_bd ); ap = &(*ap)->a_next; } - if ( ( opattrs || op->ors_attrs ) && op->o_bd && op->o_bd->be_operational != NULL ) { - ( void )op->o_bd->be_operational( op, rs, opattrs, ap ); + if ( op->o_bd != NULL ) + { + /* Let the overlays have a chance at this */ + be_orig = op->o_bd; + op->o_bd = select_backend( &op->o_req_ndn, 0, 0 ); + if ( !be_match( op->o_bd, frontendDB ) && + ( SLAP_OPATTRS( rs->sr_attr_flags ) || rs->sr_attrs ) && + op->o_bd != NULL && op->o_bd->be_operational != NULL ) + { + rc = op->o_bd->be_operational( op, rs ); + } + op->o_bd = be_orig; } - return a; + return rc; +} + +int backend_operational( Operation *op, SlapReply *rs ) +{ + int rc; + BackendDB *be_orig; + + /* Moved this into the frontend so global overlays are called */ + + be_orig = op->o_bd; + op->o_bd = frontendDB; + rc = frontendDB->be_operational( op, rs ); + op->o_bd = be_orig; + + return rc; }