X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fbconfig.c;h=b98f578fc4303624f22ca3bb064eb68f64f57e4e;hb=a720011c8a05d610c737c4e7e299b03506ce810f;hp=39c8af54bd09929c603f54d2b3a691ad34377975;hpb=5360a5dc21d4e85cb6c191e906f6300bb03bcaf4;p=openldap diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c index 39c8af54bd..b98f578fc4 100644 --- a/servers/slapd/bconfig.c +++ b/servers/slapd/bconfig.c @@ -37,8 +37,13 @@ #include "config.h" -static struct berval config_rdn = BER_BVC("cn=config"); -static struct berval schema_rdn = BER_BVC("cn=schema"); +#define CONFIG_RDN "cn=config" +#define SCHEMA_RDN "cn=schema" + +static struct berval config_rdn = BER_BVC(CONFIG_RDN); +static struct berval schema_rdn = BER_BVC(SCHEMA_RDN); + +extern int slap_DN_strict; /* dn.c */ #ifdef SLAPD_MODULES typedef struct modpath_s { @@ -69,6 +74,8 @@ typedef struct { int cb_use_ldif; } CfBackInfo; +static CfBackInfo cfBackInfo; + static char *passwd_salt; static char *logfileName; #ifdef SLAP_AUTH_REWRITE @@ -79,14 +86,24 @@ static struct berval cfdir; /* Private state */ static AttributeDescription *cfAd_backend, *cfAd_database, *cfAd_overlay, - *cfAd_include; + *cfAd_include, *cfAd_attr, *cfAd_oc, *cfAd_om; static ConfigFile *cfn; static Avlnode *CfOcTree; +/* System schema state */ +extern AttributeType *at_sys_tail; /* at.c */ +extern ObjectClass *oc_sys_tail; /* oc.c */ +extern OidMacro *om_sys_tail; /* oidm.c */ +static AttributeType *cf_at_tail; +static ObjectClass *cf_oc_tail; +static OidMacro *cf_om_tail; + static int config_add_internal( CfBackInfo *cfb, Entry *e, ConfigArgs *ca, - SlapReply *rs, int *renumber ); + SlapReply *rs, int *renumber, Operation *op ); + +static int config_check_schema( CfBackInfo *cfb ); static ConfigDriver config_fname; static ConfigDriver config_cfdir; @@ -159,6 +176,9 @@ enum { CFG_SSTR_IF_MAX, CFG_SSTR_IF_MIN, CFG_TTHREADS, + CFG_MIRRORMODE, + CFG_HIDDEN, + CFG_MONITORING, CFG_LAST }; @@ -212,6 +232,12 @@ static OidRec OidMacros[] = { * OLcfgOv{Oc|At}:7 -> distproc * OLcfgOv{Oc|At}:8 -> dynlist * OLcfgOv{Oc|At}:9 -> dds + * OLcfgOv{Oc|At}:10 -> unique + * OLcfgOv{Oc|At}:11 -> refint + * OLcfgOv{Oc|At}:12 -> ppolicy + * OLcfgOv{Oc|At}:13 -> constraint + * OLcfgOv{Oc|At}:14 -> translucent + * OLcfgOv{Oc|At}:15 -> auditlog */ /* alphabetical ordering */ @@ -248,7 +274,7 @@ static ConfigTable config_back_cf_table[] = { "EQUALITY caseIgnoreMatch " "SYNTAX OMsDirectoryString )", NULL, NULL }, { "attribute", "attribute", 2, 0, STRLENOF( "attribute" ), - ARG_PAREN|ARG_MAGIC|CFG_ATTR|ARG_NO_DELETE|ARG_NO_INSERT, + ARG_PAREN|ARG_MAGIC|CFG_ATTR, &config_generic, "( OLcfgGlAt:4 NAME 'olcAttributeTypes' " "DESC 'OpenLDAP attributeTypes' " "EQUALITY caseIgnoreMatch " @@ -311,6 +337,9 @@ static ConfigTable config_back_cf_table[] = { #endif "( OLcfgGlAt:17 NAME 'olcGentleHUP' " "SYNTAX OMsBoolean SINGLE-VALUE )", NULL, NULL }, + { "hidden", "on|off", 2, 2, 0, ARG_DB|ARG_ON_OFF|ARG_MAGIC|CFG_HIDDEN, + &config_generic, "( OLcfgDbAt:0.17 NAME 'olcHidden' " + "SYNTAX OMsBoolean SINGLE-VALUE )", NULL, NULL }, { "idletimeout", "timeout", 2, 2, 0, ARG_INT, &global_idletimeout, "( OLcfgGlAt:18 NAME 'olcIdleTimeout' " "SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL }, @@ -334,6 +363,7 @@ static ConfigTable config_back_cf_table[] = { "SYNTAX OMsBoolean SINGLE-VALUE )", NULL, NULL }, { "limits", "limits", 2, 0, 0, ARG_DB|ARG_MAGIC|CFG_LIMITS, &config_generic, "( OLcfgDbAt:0.5 NAME 'olcLimits' " + "EQUALITY caseIgnoreMatch " "SYNTAX OMsDirectoryString X-ORDERED 'VALUES' )", NULL, NULL }, { "localSSF", "ssf", 2, 2, 0, ARG_INT, &local_ssf, "( OLcfgGlAt:26 NAME 'olcLocalSSF' " @@ -343,10 +373,14 @@ static ConfigTable config_back_cf_table[] = { "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL }, { "loglevel", "level", 2, 0, 0, ARG_MAGIC, &config_loglevel, "( OLcfgGlAt:28 NAME 'olcLogLevel' " + "EQUALITY caseIgnoreMatch " "SYNTAX OMsDirectoryString )", NULL, NULL }, { "maxDerefDepth", "depth", 2, 2, 0, ARG_DB|ARG_INT|ARG_MAGIC|CFG_DEPTH, &config_generic, "( OLcfgDbAt:0.6 NAME 'olcMaxDerefDepth' " "SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL }, + { "mirrormode", "on|off", 2, 2, 0, ARG_DB|ARG_ON_OFF|ARG_MAGIC|CFG_MIRRORMODE, + &config_generic, "( OLcfgDbAt:0.16 NAME 'olcMirrorMode' " + "SYNTAX OMsBoolean SINGLE-VALUE )", NULL, NULL }, { "moduleload", "file", 2, 0, 0, #ifdef SLAPD_MODULES ARG_MAGIC|CFG_MODLOAD, &config_generic, @@ -354,6 +388,7 @@ static ConfigTable config_back_cf_table[] = { ARG_IGNORED, NULL, #endif "( OLcfgGlAt:30 NAME 'olcModuleLoad' " + "EQUALITY caseIgnoreMatch " "SYNTAX OMsDirectoryString X-ORDERED 'VALUES' )", NULL, NULL }, { "modulepath", "path", 2, 2, 0, #ifdef SLAPD_MODULES @@ -363,14 +398,19 @@ static ConfigTable config_back_cf_table[] = { #endif "( OLcfgGlAt:31 NAME 'olcModulePath' " "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL }, - { "objectclass", "objectclass", 2, 0, 0, ARG_PAREN|ARG_MAGIC|CFG_OC|ARG_NO_DELETE|ARG_NO_INSERT, + { "monitoring", "TRUE|FALSE", 2, 2, 0, + ARG_MAGIC|CFG_MONITORING|ARG_DB|ARG_ON_OFF, &config_generic, + "( OLcfgDbAt:0.18 NAME 'olcMonitoring' " + "SYNTAX OMsBoolean SINGLE-VALUE )", NULL, NULL }, + { "objectclass", "objectclass", 2, 0, 0, ARG_PAREN|ARG_MAGIC|CFG_OC, &config_generic, "( OLcfgGlAt:32 NAME 'olcObjectClasses' " "DESC 'OpenLDAP object classes' " "EQUALITY caseIgnoreMatch " "SYNTAX OMsDirectoryString X-ORDERED 'VALUES' )", NULL, NULL }, - { "objectidentifier", NULL, 0, 0, 0, ARG_MAGIC|CFG_OID, + { "objectidentifier", "name> op == SLAP_CONFIG_EMIT ) { @@ -777,6 +832,13 @@ config_generic(ConfigArgs *c) { case CFG_DEPTH: c->value_int = c->be->be_max_deref_depth; break; + case CFG_HIDDEN: + if ( SLAP_DBHIDDEN( c->be )) { + c->value_int = 1; + } else { + rc = 1; + } + break; case CFG_OID: { ConfigFile *cf = c->private; if ( !cf ) @@ -842,7 +904,7 @@ config_generic(ConfigArgs *c) { AC_MEMCPY( abv.bv_val, ibuf, abv.bv_len ); /* Turn TAB / EOL into plain space */ for (src=bv.bv_val,dst=abv.bv_val+abv.bv_len; *src; src++) { - if (isspace(*src)) *dst++ = ' '; + if (isspace((unsigned char)*src)) *dst++ = ' '; else *dst++ = *src; } *dst = '\0'; @@ -893,6 +955,15 @@ config_generic(ConfigArgs *c) { case CFG_LASTMOD: c->value_int = (SLAP_NOLASTMOD(c->be) == 0); break; + case CFG_MIRRORMODE: + if ( SLAP_SHADOW(c->be)) + c->value_int = (SLAP_SINGLE_SHADOW(c->be) == 0); + else + rc = 1; + break; + case CFG_MONITORING: + c->value_int = (SLAP_DBMONITORING(c->be) != 0); + break; case CFG_SSTR_IF_MAX: c->value_int = index_substr_if_maxlen; break; @@ -979,6 +1050,8 @@ config_generic(ConfigArgs *c) { case CFG_AZPOLICY: case CFG_DEPTH: case CFG_LASTMOD: + case CFG_MIRRORMODE: + case CFG_MONITORING: case CFG_SASLSECP: case CFG_SSTR_IF_MAX: case CFG_SSTR_IF_MIN: @@ -1021,6 +1094,10 @@ config_generic(ConfigArgs *c) { logfileName = NULL; break; + case CFG_HIDDEN: + c->be->be_flags &= ~SLAP_DBFLAG_HIDDEN; + break; + case CFG_ACL: if ( c->valx < 0 ) { AccessControl *end; @@ -1045,6 +1122,76 @@ config_generic(ConfigArgs *c) { } break; + case CFG_OC: { + CfEntryInfo *ce = c->ca_entry->e_private; + /* can't modify the hardcoded schema */ + if ( ce->ce_parent->ce_type == Cft_Global ) + return 1; + } + cfn = c->private; + if ( c->valx < 0 ) { + ObjectClass *oc; + + for( oc = cfn->c_oc_head; oc; oc_next( &oc )) { + oc_delete( oc ); + if ( oc == cfn->c_oc_tail ) + break; + } + cfn->c_oc_head = cfn->c_oc_tail = NULL; + } else { + ObjectClass *oc, *prev = NULL; + int i; + + for ( i=0, oc=cfn->c_oc_head; ivalx; i++) { + prev = oc; + oc_next( &oc ); + } + oc_delete( oc ); + if ( cfn->c_oc_tail == oc ) { + cfn->c_oc_tail = prev; + } + if ( cfn->c_oc_head == oc ) { + oc_next( &oc ); + cfn->c_oc_head = oc; + } + } + break; + + case CFG_ATTR: { + CfEntryInfo *ce = c->ca_entry->e_private; + /* can't modify the hardcoded schema */ + if ( ce->ce_parent->ce_type == Cft_Global ) + return 1; + } + cfn = c->private; + if ( c->valx < 0 ) { + AttributeType *at; + + for( at = cfn->c_at_head; at; at_next( &at )) { + at_delete( at ); + if ( at == cfn->c_at_tail ) + break; + } + cfn->c_at_head = cfn->c_at_tail = NULL; + } else { + AttributeType *at, *prev = NULL; + int i; + + for ( i=0, at=cfn->c_at_head; ivalx; i++) { + prev = at; + at_next( &at ); + } + at_delete( at ); + if ( cfn->c_at_tail == at ) { + cfn->c_at_tail = prev; + } + if ( cfn->c_at_head == at ) { + at_next( &at ); + cfn->c_at_head = at; + } + } + break; + case CFG_LIMITS: /* FIXME: there is no limits_free function */ case CFG_ATOPT: @@ -1053,9 +1200,7 @@ config_generic(ConfigArgs *c) { /* FIXME: there is no way to remove attributes added by a DSE file */ case CFG_OID: - case CFG_OC: case CFG_DIT: - case CFG_ATTR: case CFG_MODPATH: default: rc = 1; @@ -1064,8 +1209,6 @@ config_generic(ConfigArgs *c) { return rc; } - p = strchr(c->line,'(' /*')'*/); - switch(c->type) { case CFG_BACKEND: if(!(c->bi = backend_info(c->argv[1]))) { @@ -1085,7 +1228,7 @@ config_generic(ConfigArgs *c) { } else if ( !strcasecmp( c->argv[1], "frontend" )) { c->be = frontendDB; } else { - c->be = backend_db_init(c->argv[1], NULL); + c->be = backend_db_init(c->argv[1], NULL, c->valx); if ( !c->be ) { snprintf( c->msg, sizeof( c->msg ), "<%s> failed init", c->argv[0] ); Debug(LDAP_DEBUG_ANY, "%s: %s (%s)!\n", @@ -1100,7 +1243,15 @@ config_generic(ConfigArgs *c) { break; case CFG_THREADS: - if ( c->value_int > 2 * SLAP_MAX_WORKER_THREADS ) { + if ( c->value_int < 2 ) { + snprintf( c->msg, sizeof( c->msg ), + "threads=%d smaller than minimum value 2", + c->value_int ); + Debug(LDAP_DEBUG_ANY, "%s: %s.\n", + c->log, c->msg, 0 ); + return 1; + + } else if ( c->value_int > 2 * SLAP_MAX_WORKER_THREADS ) { snprintf( c->msg, sizeof( c->msg ), "warning, threads=%d larger than twice the default (2*%d=%d); YMMV", c->value_int, SLAP_MAX_WORKER_THREADS, 2 * SLAP_MAX_WORKER_THREADS ); @@ -1172,7 +1323,9 @@ config_generic(ConfigArgs *c) { case CFG_OID: { OidMacro *om; - if(parse_oidm(c->fname, c->lineno, c->argc, c->argv, 1, &om)) + if ( c->op == LDAP_MOD_ADD && c->private && cfn != c->private ) + cfn = c->private; + if(parse_oidm(c, 1, &om)) return(1); if (!cfn->c_om_head) cfn->c_om_head = om; cfn->c_om_tail = om; @@ -1180,29 +1333,77 @@ config_generic(ConfigArgs *c) { break; case CFG_OC: { - ObjectClass *oc; + ObjectClass *oc, *prev; - if(parse_oc(c->fname, c->lineno, p, c->argv, &oc)) return(1); + if ( c->op == LDAP_MOD_ADD && c->private && cfn != c->private ) + cfn = c->private; + if ( c->valx < 0 ) { + prev = cfn->c_oc_tail; + } else { + prev = NULL; + /* If adding anything after the first, prev is easy */ + if ( c->valx ) { + int i; + for (i=0, oc = cfn->c_oc_head; ivalx; i++) { + prev = oc; + oc_next( &oc ); + } + } else + /* If adding the first, and head exists, find its prev */ + if (cfn->c_oc_head) { + for ( oc_start( &oc ); oc != cfn->c_oc_head; ) { + prev = oc; + oc_next( &oc ); + } + } + /* else prev is NULL, append to end of global list */ + } + if(parse_oc(c, &oc, prev)) return(1); if (!cfn->c_oc_head) cfn->c_oc_head = oc; - cfn->c_oc_tail = oc; + if (cfn->c_oc_tail == prev) cfn->c_oc_tail = oc; } break; - case CFG_DIT: { - ContentRule *cr; + case CFG_ATTR: { + AttributeType *at, *prev; - if(parse_cr(c->fname, c->lineno, p, c->argv, &cr)) return(1); - if (!cfn->c_cr_head) cfn->c_cr_head = cr; - cfn->c_cr_tail = cr; + if ( c->op == LDAP_MOD_ADD && c->private && cfn != c->private ) + cfn = c->private; + if ( c->valx < 0 ) { + prev = cfn->c_at_tail; + } else { + prev = NULL; + /* If adding anything after the first, prev is easy */ + if ( c->valx ) { + int i; + for (i=0, at = cfn->c_at_head; ivalx; i++) { + prev = at; + at_next( &at ); + } + } else + /* If adding the first, and head exists, find its prev */ + if (cfn->c_at_head) { + for ( at_start( &at ); at != cfn->c_at_head; ) { + prev = at; + at_next( &at ); + } + } + /* else prev is NULL, append to end of global list */ + } + if(parse_at(c, &at, prev)) return(1); + if (!cfn->c_at_head) cfn->c_at_head = at; + if (cfn->c_at_tail == prev) cfn->c_at_tail = at; } break; - case CFG_ATTR: { - AttributeType *at; + case CFG_DIT: { + ContentRule *cr; - if(parse_at(c->fname, c->lineno, p, c->argv, &at)) return(1); - if (!cfn->c_at_head) cfn->c_at_head = at; - cfn->c_at_tail = at; + if ( c->op == LDAP_MOD_ADD && c->private && cfn != c->private ) + cfn = c->private; + if(parse_cr(c, &cr)) return(1); + if (!cfn->c_cr_head) cfn->c_cr_head = cr; + cfn->c_cr_tail = cr; } break; @@ -1214,7 +1415,16 @@ config_generic(ConfigArgs *c) { break; case CFG_ACL: - if ( parse_acl(c->be, c->fname, c->lineno, c->argc, c->argv, c->valx ) ) { + /* Don't append to the global ACL if we're on a specific DB */ + i = c->valx; + if ( c->be != frontendDB && frontendDB->be_acl && c->valx == -1 ) { + AccessControl *a; + i = 0; + for ( a=c->be->be_acl; a && a != frontendDB->be_acl; + a = a->acl_next ) + i++; + } + if ( parse_acl(c->be, c->fname, c->lineno, c->argc, c->argv, i ) ) { return 1; } break; @@ -1299,7 +1509,7 @@ config_generic(ConfigArgs *c) { break; case CFG_ROOTDSE: - if(read_root_dse_file(c->argv[1])) { + if(root_dse_read_file(c->argv[1])) { snprintf( c->msg, sizeof( c->msg ), "<%s> could not read file", c->argv[0] ); Debug(LDAP_DEBUG_ANY, "%s: %s %s\n", c->log, c->msg, c->argv[1] ); @@ -1308,6 +1518,8 @@ config_generic(ConfigArgs *c) { { struct berval bv; ber_str2bv( c->argv[1], 0, 1, &bv ); + if ( c->op == LDAP_MOD_ADD && c->private && cfn != c->private ) + cfn = c->private; ber_bvarray_add( &cfn->c_dseFiles, &bv ); } break; @@ -1334,6 +1546,34 @@ config_generic(ConfigArgs *c) { SLAP_DBFLAGS(c->be) |= SLAP_DBFLAG_NOLASTMOD; break; + case CFG_MIRRORMODE: + if(!SLAP_SHADOW(c->be)) { + snprintf( c->msg, sizeof( c->msg ), "<%s> database is not a shadow", + c->argv[0] ); + Debug(LDAP_DEBUG_ANY, "%s: %s\n", + c->log, c->msg, 0 ); + return(1); + } + if(c->value_int) + SLAP_DBFLAGS(c->be) &= ~SLAP_DBFLAG_SINGLE_SHADOW; + else + SLAP_DBFLAGS(c->be) |= SLAP_DBFLAG_SINGLE_SHADOW; + break; + + case CFG_MONITORING: + if(c->value_int) + SLAP_DBFLAGS(c->be) |= SLAP_DBFLAG_MONITORING; + else + SLAP_DBFLAGS(c->be) &= ~SLAP_DBFLAG_MONITORING; + break; + + case CFG_HIDDEN: + if (c->value_int) + SLAP_DBFLAGS(c->be) |= SLAP_DBFLAG_HIDDEN; + else + SLAP_DBFLAGS(c->be) &= ~SLAP_DBFLAG_HIDDEN; + break; + case CFG_SSTR_IF_MAX: if (c->value_int < index_substr_if_minlen) { snprintf( c->msg, sizeof( c->msg ), "<%s> invalid value", c->argv[0] ); @@ -1378,14 +1618,18 @@ config_generic(ConfigArgs *c) { char *ptr; if ( c->op == SLAP_CONFIG_ADD ) { ptr = c->line + STRLENOF("moduleload"); - while (!isspace(*ptr)) ptr++; - while (isspace(*ptr)) ptr++; + while (!isspace((unsigned char) *ptr)) ptr++; + while (isspace((unsigned char) *ptr)) ptr++; } else { ptr = c->line; } ber_str2bv(ptr, 0, 1, &bv); ber_bvarray_add( &modcur->mp_loads, &bv ); } + /* Check for any new hardcoded schema */ + if ( c->op == LDAP_MOD_ADD && CONFIG_ONLINE_ADD( c )) { + config_check_schema( &cfBackInfo ); + } break; case CFG_MODPATH: @@ -1450,13 +1694,10 @@ config_generic(ConfigArgs *c) { default: - Debug( SLAPD_DEBUG_CONFIG_ERROR, - "%s: unknown CFG_TYPE %d" - SLAPD_CONF_UNKNOWN_IGNORED ".\n", + Debug( LDAP_DEBUG_ANY, + "%s: unknown CFG_TYPE %d.\n", c->log, c->type, 0 ); -#ifdef SLAPD_CONF_UNKNOWN_BAILOUT return 1; -#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */ } return(0); @@ -1693,28 +1934,21 @@ config_timelimit(ConfigArgs *c) { static int config_overlay(ConfigArgs *c) { - slap_overinfo *oi; if (c->op == SLAP_CONFIG_EMIT) { return 1; } else if ( c->op == LDAP_MOD_DELETE ) { assert(0); } - if(c->argv[1][0] == '-' && overlay_config(c->be, &c->argv[1][1])) { + if(c->argv[1][0] == '-' && overlay_config(c->be, &c->argv[1][1], + c->valx, &c->bi)) { /* log error */ - Debug( SLAPD_DEBUG_CONFIG_ERROR, "%s: (optional) %s overlay \"%s\" configuration failed" - SLAPD_CONF_UNKNOWN_IGNORED ".\n", + Debug( LDAP_DEBUG_ANY, + "%s: (optional) %s overlay \"%s\" configuration failed.\n", c->log, c->be == frontendDB ? "global " : "", &c->argv[1][1]); -#ifdef SLAPD_CONF_UNKNOWN_BAILOUT return 1; -#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */ - } else if(overlay_config(c->be, c->argv[1])) { + } else if(overlay_config(c->be, c->argv[1], c->valx, &c->bi)) { return(1); } - /* Setup context for subsequent config directives. - * The newly added overlay is at the head of the list. - */ - oi = (slap_overinfo *)c->be->bd_info; - c->bi = &oi->oi_list->on_bi; return(0); } @@ -1846,34 +2080,41 @@ config_suffix(ConfigArgs *c) pdn = c->value_dn; ndn = c->value_ndn; - tbe = select_backend(&ndn, 0, 0); + if (SLAP_DBHIDDEN( c->be )) + tbe = NULL; + else + tbe = select_backend(&ndn, 0, 0); if(tbe == c->be) { - Debug( SLAPD_DEBUG_CONFIG_ERROR, - "%s: suffix already served by this backend!" - SLAPD_CONF_UNKNOWN_IGNORED ".\n", + Debug( LDAP_DEBUG_ANY, "%s: suffix already served by this backend!.\n", c->log, 0, 0); -#ifdef SLAPD_CONF_UNKNOWN_BAILOUT return 1; -#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */ free(pdn.bv_val); free(ndn.bv_val); } else if(tbe) { - char *type = tbe->bd_info->bi_type; + BackendDB *b2 = tbe; - if ( overlay_is_over( tbe ) ) { - slap_overinfo *oi = (slap_overinfo *)tbe->bd_info->bi_private; - type = oi->oi_orig->bi_type; - } + /* Does tbe precede be? */ + while (( b2 = LDAP_STAILQ_NEXT(b2, be_next )) && b2 && b2 != c->be ); - snprintf( c->msg, sizeof( c->msg ), "<%s> namingContext \"%s\" already served by " - "a preceding %s database serving namingContext", - c->argv[0], pdn.bv_val, type ); - Debug(LDAP_DEBUG_ANY, "%s: %s \"%s\"\n", - c->log, c->msg, tbe->be_suffix[0].bv_val); - free(pdn.bv_val); - free(ndn.bv_val); - return(1); - } else if(pdn.bv_len == 0 && default_search_nbase.bv_len) { + if ( b2 ) { + char *type = tbe->bd_info->bi_type; + + if ( overlay_is_over( tbe ) ) { + slap_overinfo *oi = (slap_overinfo *)tbe->bd_info->bi_private; + type = oi->oi_orig->bi_type; + } + + snprintf( c->msg, sizeof( c->msg ), "<%s> namingContext \"%s\" " + "already served by a preceding %s database", + c->argv[0], pdn.bv_val, type ); + Debug(LDAP_DEBUG_ANY, "%s: %s serving namingContext \"%s\"\n", + c->log, c->msg, tbe->be_suffix[0].bv_val); + free(pdn.bv_val); + free(ndn.bv_val); + return(1); + } + } + if(pdn.bv_len == 0 && default_search_nbase.bv_len) { Debug(LDAP_DEBUG_ANY, "%s: suffix DN empty and default search " "base provided \"%s\" (assuming okay)\n", c->log, default_search_base.bv_val, 0); @@ -1956,7 +2197,7 @@ config_restrict(ConfigArgs *c) { { BER_BVC("compare"), SLAP_RESTRICT_OP_COMPARE }, { BER_BVC("read"), SLAP_RESTRICT_OP_READS }, { BER_BVC("write"), SLAP_RESTRICT_OP_WRITES }, - { BER_BVC("extended"), SLAP_RESTRICT_OP_EXTENDED }, + { BER_BVC("extended"), SLAP_RESTRICT_OP_EXTENDED }, { BER_BVC("extended=" LDAP_EXOP_START_TLS ), SLAP_RESTRICT_EXOP_START_TLS }, { BER_BVC("extended=" LDAP_EXOP_MODIFY_PASSWD ), SLAP_RESTRICT_EXOP_MODIFY_PASSWD }, { BER_BVC("extended=" LDAP_EXOP_X_WHO_AM_I ), SLAP_RESTRICT_EXOP_WHOAMI }, @@ -2060,8 +2301,10 @@ config_disallows(ConfigArgs *c) { static int config_requires(ConfigArgs *c) { - slap_mask_t requires = 0; - int i; + slap_mask_t requires = frontendDB->be_requires; + int i, argc = c->argc; + char **argv = c->argv; + slap_verbmasks requires_ops[] = { { BER_BVC("bind"), SLAP_REQUIRE_BIND }, { BER_BVC("LDAPv3"), SLAP_REQUIRE_LDAP_V3 }, @@ -2081,11 +2324,23 @@ config_requires(ConfigArgs *c) { } return 0; } - i = verbs_to_mask(c->argc, c->argv, requires_ops, &requires); + /* "none" can only be first, to wipe out default/global values */ + if ( strcasecmp( c->argv[ 1 ], "none" ) == 0 ) { + argv++; + argc--; + requires = 0; + } + i = verbs_to_mask(argc, argv, requires_ops, &requires); if ( i ) { - snprintf( c->msg, sizeof( c->msg ), "<%s> unknown feature", c->argv[0] ); - Debug(LDAP_DEBUG_ANY, "%s: %s %s\n", - c->log, c->msg, c->argv[i]); + if (strcasecmp( c->argv[ i ], "none" ) == 0 ) { + snprintf( c->msg, sizeof( c->msg ), "<%s> \"none\" (#%d) must be listed first", c->argv[0], i - 1 ); + Debug(LDAP_DEBUG_ANY, "%s: %s\n", + c->log, c->msg, 0); + } else { + snprintf( c->msg, sizeof( c->msg ), "<%s> unknown feature #%d", c->argv[0], i - 1 ); + Debug(LDAP_DEBUG_ANY, "%s: %s \"%s\"\n", + c->log, c->msg, c->argv[i]); + } return(1); } c->be->be_requires = requires; @@ -2180,7 +2435,7 @@ slap_loglevel_get( struct berval *s, int *l ) rc = slap_verbmasks_append( &loglevel_ops, i, s, loglevel_ignore ); if ( rc != 0 ) { - Debug( LDAP_DEBUG_ANY, "slap_loglevel_register(%lu, \"%s\") failed\n", + Debug( LDAP_DEBUG_ANY, "slap_loglevel_get(%lu, \"%s\") failed\n", i, s->bv_val, 0 ); } else { @@ -2242,6 +2497,28 @@ loglevel2bvarray( int l, BerVarray *bva ) return mask_to_verbs( loglevel_ops, l, bva ); } +int +loglevel_print( FILE *out ) +{ + int i; + + if ( loglevel_ops == NULL ) { + loglevel_init(); + } + + fprintf( out, "Installed log subsystems:\n\n" ); + for ( i = 0; !BER_BVISNULL( &loglevel_ops[ i ].word ); i++ ) { + fprintf( out, "\t%-30s (%lu)\n", + loglevel_ops[ i ].word.bv_val, + loglevel_ops[ i ].mask ); + } + + fprintf( out, "\nNOTE: custom log subsystems may be later installed " + "by specific code\n\n" ); + + return 0; +} + static int config_syslog; static int @@ -2276,7 +2553,7 @@ config_loglevel(ConfigArgs *c) { for( i=1; i < c->argc; i++ ) { int level; - if ( isdigit( c->argv[i][0] ) || c->argv[i][0] == '-' ) { + if ( isdigit((unsigned char)c->argv[i][0]) || c->argv[i][0] == '-' ) { if( lutil_atoi( &level, c->argv[i] ) != 0 ) { snprintf( c->msg, sizeof( c->msg ), "<%s> unable to parse level", c->argv[0] ); Debug( LDAP_DEBUG_ANY, "%s: %s \"%s\"\n", @@ -2382,7 +2659,7 @@ config_security(ConfigArgs *c) { } for(i = 1; i < c->argc; i++) { slap_ssf_t *tgt = NULL; - char *src; + char *src = NULL; for ( j=0; !BER_BVISNULL( &sec_keys[j].key ); j++ ) { if(!strncasecmp(c->argv[i], sec_keys[j].key.bv_val, sec_keys[j].key.bv_len)) { @@ -2531,6 +2808,8 @@ config_replica(ConfigArgs *c) { nr = add_replica_info(c->be, replicauri, replicahost); break; } else if(!strncasecmp(c->argv[i], "uri=", STRLENOF("uri="))) { + ber_len_t len; + if ( replicauri ) { snprintf( c->msg, sizeof( c->msg ), "<%s> replica host/URI already specified", c->argv[0] ); Debug(LDAP_DEBUG_ANY, "%s: %s \"%s\"\n", c->log, c->msg, replicauri ); @@ -2549,11 +2828,28 @@ config_replica(ConfigArgs *c) { Debug(LDAP_DEBUG_ANY, "%s: %s\n", c->log, c->msg, 0 ); return(1); } + + len = strlen(ludp->lud_scheme) + strlen(ludp->lud_host) + + STRLENOF("://") + 1; + if (ludp->lud_port != LDAP_PORT) { + if (ludp->lud_port < 1 || ludp->lud_port > 65535) { + ldap_free_urldesc(ludp); + snprintf( c->msg, sizeof( c->msg ), "<%s> invalid port", + c->argv[0] ); + Debug(LDAP_DEBUG_ANY, "%s: %s\n", c->log, c->msg, 0 ); + return(1); + } + len += STRLENOF(":65535"); + } + replicauri = ch_malloc( len ); + replicahost = lutil_strcopy( replicauri, ludp->lud_scheme ); + replicahost = lutil_strcopy( replicahost, "://" ); + if (ludp->lud_port == LDAP_PORT) { + strcpy( replicahost, ludp->lud_host ); + } else { + sprintf( replicahost, "%s:%d",ludp->lud_host,ludp->lud_port ); + } ldap_free_urldesc(ludp); - replicauri = c->argv[i] + STRLENOF("uri="); - replicauri = ch_strdup( replicauri ); - replicahost = strchr( replicauri, '/' ); - replicahost += 2; nr = add_replica_info(c->be, replicauri, replicahost); break; } @@ -2573,25 +2869,23 @@ config_replica(ConfigArgs *c) { /* dealt with separately; don't let it get to bindconf */ ; + } else if(!strncasecmp(c->argv[i], "host=", STRLENOF("host="))) { + /* dealt with separately; don't let it get to bindconf */ + ; + } else if(!strncasecmp(c->argv[i], "suffix=", STRLENOF( "suffix="))) { switch(add_replica_suffix(c->be, nr, c->argv[i] + STRLENOF("suffix="))) { case 1: - Debug( SLAPD_DEBUG_CONFIG_ERROR, "%s: " - "suffix \"%s\" in \"replica\" line is not valid for backend" - SLAPD_CONF_UNKNOWN_IGNORED ".\n", - c->log, c->argv[i] + STRLENOF("suffix="), 0); -#ifdef SLAPD_CONF_UNKNOWN_BAILOUT + Debug( LDAP_DEBUG_ANY, "%s: " + "suffix \"%s\" in \"replica\" line is not valid for backend.\n", + c->log, c->argv[i] + STRLENOF("suffix="), 0); return 1; -#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */ break; case 2: - Debug( SLAPD_DEBUG_CONFIG_ERROR, "%s: " - "unable to normalize suffix in \"replica\" line" - SLAPD_CONF_UNKNOWN_IGNORED ".\n", - c->log, 0, 0); -#ifdef SLAPD_CONF_UNKNOWN_BAILOUT + Debug( LDAP_DEBUG_ANY, "%s: " + "unable to normalize suffix in \"replica\" line.\n", + c->log, 0, 0); return 1; -#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */ break; } @@ -2684,7 +2978,7 @@ config_shadow( ConfigArgs *c, int flag ) return 1; } - SLAP_DBFLAGS(c->be) |= (SLAP_DBFLAG_SHADOW | flag); + SLAP_DBFLAGS(c->be) |= (SLAP_DBFLAG_SHADOW | SLAP_DBFLAG_SINGLE_SHADOW | flag); return 0; } @@ -2773,8 +3067,9 @@ config_include(ConfigArgs *c) { static int config_tls_option(ConfigArgs *c) { int flag; + LDAP *ld = slap_tls_ld; switch(c->type) { - case CFG_TLS_RAND: flag = LDAP_OPT_X_TLS_RANDOM_FILE; break; + case CFG_TLS_RAND: flag = LDAP_OPT_X_TLS_RANDOM_FILE; ld = NULL; break; case CFG_TLS_CIPHER: flag = LDAP_OPT_X_TLS_CIPHER_SUITE; break; case CFG_TLS_CERT_FILE: flag = LDAP_OPT_X_TLS_CERTFILE; break; case CFG_TLS_CERT_KEY: flag = LDAP_OPT_X_TLS_KEYFILE; break; @@ -2787,12 +3082,12 @@ config_tls_option(ConfigArgs *c) { return 1; } if (c->op == SLAP_CONFIG_EMIT) { - return ldap_pvt_tls_get_option( NULL, flag, &c->value_string ); + return ldap_pvt_tls_get_option( ld, flag, &c->value_string ); } else if ( c->op == LDAP_MOD_DELETE ) { - return ldap_pvt_tls_set_option( NULL, flag, NULL ); + return ldap_pvt_tls_set_option( ld, flag, NULL ); } ch_free(c->value_string); - return(ldap_pvt_tls_set_option(NULL, flag, c->argv[1])); + return(ldap_pvt_tls_set_option(ld, flag, c->argv[1])); } /* FIXME: this ought to be provided by libldap */ @@ -2822,7 +3117,7 @@ config_tls_config(ConfigArgs *c) { return 1; } if (c->op == SLAP_CONFIG_EMIT) { - ldap_pvt_tls_get_option( NULL, flag, &c->value_int ); + ldap_pvt_tls_get_option( slap_tls_ld, flag, &c->value_int ); for (i=0; !BER_BVISNULL(&keys[i].word); i++) { if (keys[i].mask == c->value_int) { c->value_string = ch_strdup( keys[i].word.bv_val ); @@ -2832,7 +3127,7 @@ config_tls_config(ConfigArgs *c) { return 1; } else if ( c->op == LDAP_MOD_DELETE ) { int i = 0; - return ldap_pvt_tls_set_option( NULL, flag, &i ); + return ldap_pvt_tls_set_option( slap_tls_ld, flag, &i ); } ch_free( c->value_string ); if ( isdigit( (unsigned char)c->argv[1][0] ) ) { @@ -2842,9 +3137,9 @@ config_tls_config(ConfigArgs *c) { c->log, c->argv[0], c->argv[1] ); return 1; } - return(ldap_pvt_tls_set_option(NULL, flag, &i)); + return(ldap_pvt_tls_set_option(slap_tls_ld, flag, &i)); } else { - return(ldap_int_tls_config(NULL, flag, c->argv[1])); + return(ldap_int_tls_config(slap_tls_ld, flag, c->argv[1])); } } #endif @@ -2891,6 +3186,10 @@ config_find_base( CfEntryInfo *root, struct berval *dn, CfEntryInfo **last ) typedef struct setup_cookie { CfBackInfo *cfb; ConfigArgs *ca; + Entry *frontend; + Entry *config; + int got_frontend; + int got_config; } setup_cookie; static int @@ -2900,7 +3199,61 @@ config_ldif_resp( Operation *op, SlapReply *rs ) setup_cookie *sc = op->o_callback->sc_private; sc->cfb->cb_got_ldif = 1; - rs->sr_err = config_add_internal( sc->cfb, rs->sr_entry, sc->ca, NULL, NULL ); + /* Does the frontend exist? */ + if ( !sc->got_frontend ) { + if ( !strncmp( rs->sr_entry->e_nname.bv_val, + "olcDatabase", STRLENOF( "olcDatabase" ))) { + if ( strncmp( rs->sr_entry->e_nname.bv_val + + STRLENOF( "olcDatabase" ), "={-1}frontend", + STRLENOF( "={-1}frontend" ))) { + struct berval rdn; + int i = op->o_noop; + sc->ca->be = frontendDB; + sc->ca->bi = frontendDB->bd_info; + frontendDB->be_cf_ocs = &CFOC_FRONTEND; + rdn.bv_val = sc->ca->log; + rdn.bv_len = snprintf(rdn.bv_val, sizeof( sc->ca->log ), + "%s=" SLAP_X_ORDERED_FMT "%s", + cfAd_database->ad_cname.bv_val, -1, + sc->ca->bi->bi_type); + op->o_noop = 1; + sc->frontend = config_build_entry( op, rs, + sc->cfb->cb_root, sc->ca, &rdn, &CFOC_DATABASE, + sc->ca->be->be_cf_ocs ); + op->o_noop = i; + sc->got_frontend++; + } else { + sc->got_frontend++; + goto ok; + } + } + } + /* Does the configDB exist? */ + if ( sc->got_frontend && !sc->got_config && + !strncmp( rs->sr_entry->e_nname.bv_val, + "olcDatabase", STRLENOF( "olcDatabase" ))) { + if ( strncmp( rs->sr_entry->e_nname.bv_val + + STRLENOF( "olcDatabase" ), "={0}config", + STRLENOF( "={0}config" ))) { + struct berval rdn; + int i = op->o_noop; + sc->ca->be = LDAP_STAILQ_FIRST( &backendDB ); + sc->ca->bi = sc->ca->be->bd_info; + rdn.bv_val = sc->ca->log; + rdn.bv_len = snprintf(rdn.bv_val, sizeof( sc->ca->log ), + "%s=" SLAP_X_ORDERED_FMT "%s", + cfAd_database->ad_cname.bv_val, 0, + sc->ca->bi->bi_type); + op->o_noop = 1; + sc->config = config_build_entry( op, rs, sc->cfb->cb_root, + sc->ca, &rdn, &CFOC_DATABASE, sc->ca->be->be_cf_ocs ); + op->o_noop = i; + } + sc->got_config++; + } + +ok: + rs->sr_err = config_add_internal( sc->cfb, rs->sr_entry, sc->ca, NULL, NULL, NULL ); if ( rs->sr_err != LDAP_SUCCESS ) { Debug( LDAP_DEBUG_ANY, "config error processing %s: %s\n", rs->sr_entry->e_name.bv_val, sc->ca->msg, 0 ); @@ -2939,7 +3292,7 @@ config_setup_ldif( BackendDB *be, const char *dir, int readit ) { if ( !cfb->cb_db.bd_info ) return 0; /* FIXME: eventually this will be a fatal error */ - if ( backend_db_init( "ldif", &cfb->cb_db ) == NULL ) + if ( backend_db_init( "ldif", &cfb->cb_db, -1 ) == NULL ) return 1; cfb->cb_db.be_suffix = be->be_suffix; @@ -2973,6 +3326,7 @@ config_setup_ldif( BackendDB *be, const char *dir, int readit ) { if ( readit ) { void *thrctx = ldap_pvt_thread_pool_context(); + int prev_DN_strict; op = (Operation *) &opbuf; connection_fake_init( &conn, op, thrctx ); @@ -3001,10 +3355,31 @@ config_setup_ldif( BackendDB *be, const char *dir, int readit ) { sc.cfb = cfb; sc.ca = &c; cb.sc_private = ≻ + sc.got_frontend = 0; + sc.got_config = 0; + sc.frontend = NULL; + sc.config = NULL; op->o_bd = &cfb->cb_db; + + /* Allow unknown attrs in DNs */ + prev_DN_strict = slap_DN_strict; + slap_DN_strict = 0; + rc = op->o_bd->be_search( op, &rs ); + /* Restore normal DN validation */ + slap_DN_strict = prev_DN_strict; + + op->o_tag = LDAP_REQ_ADD; + if ( rc == LDAP_SUCCESS && sc.frontend ) { + op->ora_e = sc.frontend; + rc = op->o_bd->be_add( op, &rs ); + } + if ( rc == LDAP_SUCCESS && sc.config ) { + op->ora_e = sc.config; + rc = op->o_bd->be_add( op, &rs ); + } ldap_pvt_thread_pool_context_reset( thrctx ); } @@ -3053,11 +3428,12 @@ read_config(const char *fname, const char *dir) { int rc; /* Setup the config backend */ - be = backend_db_init( "config", NULL ); + be = backend_db_init( "config", NULL, 0 ); if ( !be ) return 1; cfb = be->be_private; + be->be_dfltaccess = ACL_NONE; /* If no .conf, or a dir was specified, setup the dir */ if ( !fname || dir ) { @@ -3083,10 +3459,18 @@ read_config(const char *fname, const char *dir) { if ( rc != LDAP_NO_SUCH_OBJECT ) return 1; /* ITS#4194: But if dir was specified and no fname, - * then we were supposed to read the dir. + * then we were supposed to read the dir. Unless we're + * trying to slapadd the dir... */ - if ( dir && !fname ) - return 1; + if ( dir && !fname ) { + if ( slapMode & (SLAP_SERVER_MODE|SLAP_TOOL_READMAIN|SLAP_TOOL_READONLY)) + return 1; + /* Assume it's slapadd with a config dir, let it continue */ + rc = 0; + cfb->cb_got_ldif = 1; + cfb->cb_use_ldif = 1; + goto done; + } } /* If we read the config from back-ldif, nothing to do here */ @@ -3106,25 +3490,6 @@ read_config(const char *fname, const char *dir) { if ( rc == 0 ) ber_str2bv( cfname, 0, 1, &cfb->cb_config->c_file ); - /* If we got this far and failed, it may be a serious problem. In server - * mode, we should never come to this. However, it may be alright if we're - * using slapadd to create the conf dir. - */ - while ( rc ) { - if ( slapMode & (SLAP_SERVER_MODE|SLAP_TOOL_READMAIN|SLAP_TOOL_READONLY)) - break; - /* If a config file was explicitly given, fail */ - if ( fname ) - break; - - /* Seems to be slapadd with a config dir, let it continue */ - if ( cfb->cb_use_ldif ) { - rc = 0; - cfb->cb_got_ldif = 1; - } - break; - } - done: if ( rc == 0 && BER_BVISNULL( &frontendDB->be_schemadn ) ) { ber_str2bv( SLAPD_SCHEMA_DN, STRLENOF( SLAPD_SCHEMA_DN ), 1, @@ -3261,7 +3626,7 @@ check_vals( ConfigTable *ct, ConfigArgs *ca, void *ptr, int isAttr ) AttributeDescription *ad; BerVarray vals; - int i, rc = 0, sort = 0; + int i, rc = 0; if ( isAttr ) { a = ptr; @@ -3274,7 +3639,6 @@ check_vals( ConfigTable *ct, ConfigArgs *ca, void *ptr, int isAttr ) } if ( a && ( ad->ad_type->sat_flags & SLAP_AT_ORDERED_VAL )) { - sort = 1; rc = ordered_value_sort( a, 1 ); if ( rc ) { snprintf(ca->msg, sizeof( ca->msg ), "ordered_value_sort failed on attr %s\n", @@ -3284,7 +3648,8 @@ check_vals( ConfigTable *ct, ConfigArgs *ca, void *ptr, int isAttr ) } for ( i=0; vals[i].bv_val; i++ ) { ca->line = vals[i].bv_val; - if ( sort ) { + if (( ad->ad_type->sat_flags & SLAP_AT_ORDERED_VAL ) && + ca->line[0] == '{' ) { char *idx = strchr( ca->line, '}' ); if ( idx ) ca->line = idx+1; } @@ -3296,12 +3661,177 @@ check_vals( ConfigTable *ct, ConfigArgs *ca, void *ptr, int isAttr ) return rc; } +static int +config_rename_attr( SlapReply *rs, Entry *e, struct berval *rdn, + Attribute **at ) +{ + struct berval rtype, rval; + Attribute *a; + AttributeDescription *ad = NULL; + + dnRdn( &e->e_name, rdn ); + rval.bv_val = strchr(rdn->bv_val, '=' ) + 1; + rval.bv_len = rdn->bv_len - (rval.bv_val - rdn->bv_val); + rtype.bv_val = rdn->bv_val; + rtype.bv_len = rval.bv_val - rtype.bv_val - 1; + + /* Find attr */ + slap_bv2ad( &rtype, &ad, &rs->sr_text ); + a = attr_find( e->e_attrs, ad ); + if (!a ) return LDAP_NAMING_VIOLATION; + *at = a; + + return 0; +} + +static void +config_rename_kids( CfEntryInfo *ce ) +{ + CfEntryInfo *ce2; + struct berval rdn, nrdn; + + for (ce2 = ce->ce_kids; ce2; ce2 = ce2->ce_sibs) { + dnRdn ( &ce2->ce_entry->e_name, &rdn ); + dnRdn ( &ce2->ce_entry->e_nname, &nrdn ); + free( ce2->ce_entry->e_name.bv_val ); + free( ce2->ce_entry->e_nname.bv_val ); + build_new_dn( &ce2->ce_entry->e_name, &ce->ce_entry->e_name, + &rdn, NULL ); + build_new_dn( &ce2->ce_entry->e_nname, &ce->ce_entry->e_nname, + &nrdn, NULL ); + config_rename_kids( ce2 ); + } +} + +static int +config_rename_one( Operation *op, SlapReply *rs, Entry *e, + CfEntryInfo *parent, Attribute *a, struct berval *newrdn, + struct berval *nnewrdn, int use_ldif ) +{ + char *ptr1; + int rc = 0; + struct berval odn, ondn; + + odn = e->e_name; + ondn = e->e_nname; + build_new_dn( &e->e_name, &parent->ce_entry->e_name, newrdn, NULL ); + build_new_dn( &e->e_nname, &parent->ce_entry->e_nname, nnewrdn, NULL ); + + /* Replace attr */ + free( a->a_vals[0].bv_val ); + ptr1 = strchr( newrdn->bv_val, '=' ) + 1; + a->a_vals[0].bv_len = newrdn->bv_len - (ptr1 - newrdn->bv_val); + a->a_vals[0].bv_val = ch_malloc( a->a_vals[0].bv_len + 1 ); + strcpy( a->a_vals[0].bv_val, ptr1 ); + + if ( a->a_nvals != a->a_vals ) { + free( a->a_nvals[0].bv_val ); + ptr1 = strchr( nnewrdn->bv_val, '=' ) + 1; + a->a_nvals[0].bv_len = nnewrdn->bv_len - (ptr1 - nnewrdn->bv_val); + a->a_nvals[0].bv_val = ch_malloc( a->a_nvals[0].bv_len + 1 ); + strcpy( a->a_nvals[0].bv_val, ptr1 ); + } + if ( use_ldif ) { + CfBackInfo *cfb = (CfBackInfo *)op->o_bd->be_private; + BackendDB *be = op->o_bd; + slap_callback sc = { NULL, slap_null_cb, NULL, NULL }; + struct berval dn, ndn, xdn, xndn; + + op->o_bd = &cfb->cb_db; + + /* Save current rootdn; use the underlying DB's rootdn */ + dn = op->o_dn; + ndn = op->o_ndn; + xdn = op->o_req_dn; + xndn = op->o_req_ndn; + op->o_dn = op->o_bd->be_rootdn; + op->o_ndn = op->o_bd->be_rootndn; + op->o_req_dn = odn; + op->o_req_ndn = ondn; + + sc.sc_next = op->o_callback; + op->o_callback = ≻ + op->orr_newrdn = *newrdn; + op->orr_nnewrdn = *nnewrdn; + op->orr_deleteoldrdn = 1; + op->orr_modlist = NULL; + slap_modrdn2mods( op, rs ); + rc = op->o_bd->be_modrdn( op, rs ); + slap_mods_free( op->orr_modlist, 1 ); + + op->o_bd = be; + op->o_callback = sc.sc_next; + op->o_dn = dn; + op->o_ndn = ndn; + op->o_req_dn = xdn; + op->o_req_ndn = xndn; + } + free( odn.bv_val ); + free( ondn.bv_val ); + if ( e->e_private ) + config_rename_kids( e->e_private ); + return rc; +} + +static int +config_renumber_one( Operation *op, SlapReply *rs, CfEntryInfo *parent, + Entry *e, int idx, int tailindex, int use_ldif ) +{ + struct berval ival, newrdn, nnewrdn; + struct berval rdn; + Attribute *a; + char ibuf[32], *ptr1, *ptr2 = NULL; + int rc = 0; + + rc = config_rename_attr( rs, e, &rdn, &a ); + if ( rc ) return rc; + + ival.bv_val = ibuf; + ival.bv_len = snprintf( ibuf, sizeof( ibuf ), SLAP_X_ORDERED_FMT, idx ); + if ( ival.bv_len >= sizeof( ibuf ) ) { + return LDAP_NAMING_VIOLATION; + } + + newrdn.bv_len = rdn.bv_len + ival.bv_len; + newrdn.bv_val = ch_malloc( newrdn.bv_len+1 ); + + if ( tailindex ) { + ptr1 = lutil_strncopy( newrdn.bv_val, rdn.bv_val, rdn.bv_len ); + ptr1 = lutil_strcopy( ptr1, ival.bv_val ); + } else { + int xlen; + ptr2 = ber_bvchr( &rdn, '}' ); + if ( ptr2 ) { + ptr2++; + } else { + ptr2 = rdn.bv_val + a->a_desc->ad_cname.bv_len + 1; + } + xlen = rdn.bv_len - (ptr2 - rdn.bv_val); + ptr1 = lutil_strncopy( newrdn.bv_val, a->a_desc->ad_cname.bv_val, + a->a_desc->ad_cname.bv_len ); + *ptr1++ = '='; + ptr1 = lutil_strcopy( ptr1, ival.bv_val ); + ptr1 = lutil_strncopy( ptr1, ptr2, xlen ); + *ptr1 = '\0'; + } + + /* Do the equivalent of ModRDN */ + /* Replace DN / NDN */ + newrdn.bv_len = ptr1 - newrdn.bv_val; + rdnNormalize( 0, NULL, NULL, &newrdn, &nnewrdn, NULL ); + rc = config_rename_one( op, rs, e, parent, a, &newrdn, &nnewrdn, use_ldif ); + + free( nnewrdn.bv_val ); + free( newrdn.bv_val ); + return rc; +} + static int check_name_index( CfEntryInfo *parent, ConfigType ce_type, Entry *e, - SlapReply *rs, int *renum ) + SlapReply *rs, int *renum, int *ibase ) { CfEntryInfo *ce; - int index = -1, gotindex = 0, nsibs; + int index = -1, gotindex = 0, nsibs, rc = 0; int renumber = 0, tailindex = 0; char *ptr1, *ptr2 = NULL; struct berval rdn; @@ -3352,83 +3882,14 @@ check_name_index( CfEntryInfo *parent, ConfigType ce_type, Entry *e, renumber = 1; } } + /* just make index = nsibs */ if ( !renumber ) { - struct berval ival, newrdn, nnewrdn; - struct berval rtype, rval; - Attribute *a; - AttributeDescription *ad = NULL; - char ibuf[32]; - const char *text; - - rval.bv_val = strchr(rdn.bv_val, '=' ) + 1; - rval.bv_len = rdn.bv_len - (rval.bv_val - rdn.bv_val); - rtype.bv_val = rdn.bv_val; - rtype.bv_len = rval.bv_val - rtype.bv_val - 1; - - /* Find attr */ - slap_bv2ad( &rtype, &ad, &text ); - a = attr_find( e->e_attrs, ad ); - if (!a ) return LDAP_NAMING_VIOLATION; - - ival.bv_val = ibuf; - ival.bv_len = snprintf( ibuf, sizeof( ibuf ), SLAP_X_ORDERED_FMT, nsibs ); - if ( ival.bv_len >= sizeof( ibuf ) ) { - return LDAP_NAMING_VIOLATION; - } - - newrdn.bv_len = rdn.bv_len + ival.bv_len; - newrdn.bv_val = ch_malloc( newrdn.bv_len+1 ); - - if ( tailindex ) { - ptr1 = lutil_strncopy( newrdn.bv_val, rdn.bv_val, rdn.bv_len ); - ptr1 = lutil_strcopy( ptr1, ival.bv_val ); - } else { - int xlen; - if ( !gotindex ) { - ptr2 = rval.bv_val; - xlen = rval.bv_len; - } else { - xlen = rdn.bv_len - (ptr2 - rdn.bv_val); - } - ptr1 = lutil_strncopy( newrdn.bv_val, rtype.bv_val, - rtype.bv_len ); - *ptr1++ = '='; - ptr1 = lutil_strcopy( ptr1, ival.bv_val ); - ptr1 = lutil_strncopy( ptr1, ptr2, xlen ); - *ptr1 = '\0'; - } - - /* Do the equivalent of ModRDN */ - /* Replace DN / NDN */ - newrdn.bv_len = ptr1 - newrdn.bv_val; - rdnNormalize( 0, NULL, NULL, &newrdn, &nnewrdn, NULL ); - free( e->e_name.bv_val ); - build_new_dn( &e->e_name, &parent->ce_entry->e_name, - &newrdn, NULL ); - free( e->e_nname.bv_val ); - build_new_dn( &e->e_nname, &parent->ce_entry->e_nname, - &nnewrdn, NULL ); - - /* Replace attr */ - free( a->a_vals[0].bv_val ); - ptr1 = strchr( newrdn.bv_val, '=' ) + 1; - a->a_vals[0].bv_len = newrdn.bv_len - (ptr1 - newrdn.bv_val); - a->a_vals[0].bv_val = ch_malloc( a->a_vals[0].bv_len + 1 ); - strcpy( a->a_vals[0].bv_val, ptr1 ); - - if ( a->a_nvals != a->a_vals ) { - free( a->a_nvals[0].bv_val ); - ptr1 = strchr( nnewrdn.bv_val, '=' ) + 1; - a->a_nvals[0].bv_len = nnewrdn.bv_len - (ptr1 - nnewrdn.bv_val); - a->a_nvals[0].bv_val = ch_malloc( a->a_nvals[0].bv_len + 1 ); - strcpy( a->a_nvals[0].bv_val, ptr1 ); - } - free( nnewrdn.bv_val ); - free( newrdn.bv_val ); + rc = config_renumber_one( NULL, rs, parent, e, index, tailindex, 0 ); } } + if ( ibase ) *ibase = index; if ( renum ) *renum = renumber; - return 0; + return rc; } static ConfigOCs ** @@ -3533,19 +3994,23 @@ cfAddOverlay( CfEntryInfo *p, Entry *e, struct config_args_s *ca ) /* Parse an LDAP entry into config directives */ static int -config_add_internal( CfBackInfo *cfb, Entry *e, ConfigArgs *ca, SlapReply *rs, int *renum ) +config_add_internal( CfBackInfo *cfb, Entry *e, ConfigArgs *ca, SlapReply *rs, + int *renum, Operation *op ) { CfEntryInfo *ce, *last; ConfigOCs **colst; Attribute *a, *oc_at; - int i, nocs, rc = 0; + int i, ibase = -1, nocs, rc = 0; struct berval pdn; ConfigTable *ct; char *ptr; - /* Make sure parent exists and entry does not */ + /* Make sure parent exists and entry does not. But allow + * Databases and Overlays to be inserted. + */ ce = config_find_base( cfb->cb_root, &e->e_nname, &last ); - if ( ce ) + if ( ce && ce->ce_type != Cft_Database && + ce->ce_type != Cft_Overlay ) return LDAP_ALREADY_EXISTS; dnParent( &e->e_nname, &pdn ); @@ -3559,6 +4024,15 @@ config_add_internal( CfBackInfo *cfb, Entry *e, ConfigArgs *ca, SlapReply *rs, i return LDAP_NO_SUCH_OBJECT; } + if ( op ) { + /* No parent, must be root. This will never happen... */ + if ( !last && !be_isroot( op ) && !be_shadow_update( op )) + return LDAP_NO_SUCH_OBJECT; + if ( last && !access_allowed( op, last->ce_entry, + slap_schema.si_ad_children, NULL, ACL_WADD, NULL )) + return LDAP_INSUFFICIENT_ACCESS; + } + oc_at = attr_find( e->e_attrs, slap_schema.si_ad_objectClass ); if ( !oc_at ) return LDAP_OBJECT_CLASS_VIOLATION; @@ -3627,12 +4101,13 @@ config_add_internal( CfBackInfo *cfb, Entry *e, ConfigArgs *ca, SlapReply *rs, i * but only the other types support auto-renumbering of siblings. */ { - int renumber = renum ? *renum : 0; - rc = check_name_index( last, colst[0]->co_type, e, rs, renum ); + rc = check_name_index( last, colst[0]->co_type, e, rs, renum, + &ibase ); if ( rc ) { goto done; } - if ( renum && *renum && renumber == -1 ) { + if ( renum && *renum && colst[0]->co_type != Cft_Database && + colst[0]->co_type != Cft_Overlay ) { snprintf( ca->msg, sizeof( ca->msg ), "operation requires sibling renumbering" ); rc = LDAP_UNWILLING_TO_PERFORM; @@ -3659,13 +4134,25 @@ config_add_internal( CfBackInfo *cfb, Entry *e, ConfigArgs *ca, SlapReply *rs, i ct = config_find_table( colst, nocs, a->a_desc ); if ( !ct ) continue; /* user data? */ for (i=0; a->a_vals[i].bv_val; i++) { + char *iptr = NULL; ca->line = a->a_vals[i].bv_val; if ( a->a_desc->ad_type->sat_flags & SLAP_AT_ORDERED ) { ptr = strchr( ca->line, '}' ); - if ( ptr ) ca->line = ptr+1; + if ( ptr ) { + iptr = strchr( ca->line, '{' ); + ca->line = ptr+1; + } + } + if ( a->a_desc->ad_type->sat_flags & SLAP_AT_ORDERED_SIB ) { + if ( iptr ) { + ca->valx = strtol( iptr+1, NULL, 0 ); + } else { + ca->valx = -1; + } + } else { + ca->valx = i; } - ca->valx = i; - rc = config_parse_add( ct, ca ); + rc = config_parse_add( ct, ca, i ); if ( rc ) { rc = LDAP_OTHER; goto done; @@ -3695,6 +4182,7 @@ ok: } } + ca->valx = ibase; ce = ch_calloc( 1, sizeof(CfEntryInfo) ); ce->ce_parent = last; ce->ce_entry = entry_dup( e ); @@ -3703,14 +4191,41 @@ ok: ce->ce_be = ca->be; ce->ce_bi = ca->bi; ce->ce_private = ca->private; + ca->ca_entry = ce->ce_entry; if ( !last ) { cfb->cb_root = ce; } else if ( last->ce_kids ) { - CfEntryInfo *c2; + CfEntryInfo *c2, **cprev; - for (c2=last->ce_kids; c2 && c2->ce_sibs; c2 = c2->ce_sibs); - - c2->ce_sibs = ce; + /* Advance to first of this type */ + cprev = &last->ce_kids; + for ( c2 = *cprev; c2 && c2->ce_type != ce->ce_type; ) { + cprev = &c2->ce_sibs; + c2 = c2->ce_sibs; + } + /* Account for the (-1) frontendDB entry */ + if ( ce->ce_type == Cft_Database ) { + if ( ca->be == frontendDB ) + ibase = 0; + else if ( ibase != -1 ) + ibase++; + } + /* Append */ + if ( ibase < 0 ) { + for (c2 = *cprev; c2 && c2->ce_type == ce->ce_type;) { + cprev = &c2->ce_sibs; + c2 = c2->ce_sibs; + } + } else { + /* Insert */ + int i; + for ( i=0; ice_sibs; + } + } + ce->ce_sibs = *cprev; + *cprev = ce; } else { last->ce_kids = ce; } @@ -3730,6 +4245,76 @@ done: return rc; } +#define BIGTMP 10000 +static int +config_rename_add( Operation *op, SlapReply *rs, CfEntryInfo *ce, + int base, int rebase, int max, int use_ldif ) +{ + CfEntryInfo *ce2, *ce3, *cetmp = NULL, *cerem = NULL; + ConfigType etype = ce->ce_type; + int count = 0, rc = 0; + + /* Reverse ce list */ + for (ce2 = ce->ce_sibs;ce2;ce2 = ce3) { + if (ce2->ce_type != etype) { + cerem = ce2; + break; + } + ce3 = ce2->ce_sibs; + ce2->ce_sibs = cetmp; + cetmp = ce2; + count++; + if ( max && count >= max ) { + cerem = ce3; + break; + } + } + + /* Move original to a temp name until increments are done */ + if ( rebase ) { + ce->ce_entry->e_private = NULL; + rc = config_renumber_one( op, rs, ce->ce_parent, ce->ce_entry, + base+BIGTMP, 0, use_ldif ); + ce->ce_entry->e_private = ce; + } + /* start incrementing */ + for (ce2=cetmp; ce2; ce2=ce3) { + ce3 = ce2->ce_sibs; + ce2->ce_sibs = cerem; + cerem = ce2; + if ( rc == 0 ) + rc = config_renumber_one( op, rs, ce2->ce_parent, ce2->ce_entry, + count+base, 0, use_ldif ); + count--; + } + if ( rebase ) + rc = config_renumber_one( op, rs, ce->ce_parent, ce->ce_entry, + base, 0, use_ldif ); + return rc; +} + +static int +config_rename_del( Operation *op, SlapReply *rs, CfEntryInfo *ce, + CfEntryInfo *ce2, int old, int use_ldif ) +{ + int count = 0; + + /* Renumber original to a temp value */ + ce->ce_entry->e_private = NULL; + config_renumber_one( op, rs, ce->ce_parent, ce->ce_entry, + old+BIGTMP, 0, use_ldif ); + ce->ce_entry->e_private = ce; + + /* start decrementing */ + for (; ce2 != ce; ce2=ce2->ce_sibs) { + config_renumber_one( op, rs, ce2->ce_parent, ce2->ce_entry, + count+old, 0, use_ldif ); + count++; + } + return config_renumber_one( op, rs, ce->ce_parent, ce->ce_entry, + count+old, 0, use_ldif ); +} + /* Parse an LDAP entry into config directives, then store in underlying * database. */ @@ -3740,7 +4325,8 @@ config_back_add( Operation *op, SlapReply *rs ) int renumber; ConfigArgs ca; - if ( !be_isroot( op ) ) { + if ( !access_allowed( op, op->ora_e, slap_schema.si_ad_entry, + NULL, ACL_WADD, NULL )) { rs->sr_err = LDAP_INSUFFICIENT_ACCESS; goto out; } @@ -3753,17 +4339,27 @@ config_back_add( Operation *op, SlapReply *rs ) * 1) check for existence of entry * 2) check for sibling renumbering * 3) perform internal add - * 4) store entry in underlying database - * 5) perform any necessary renumbering + * 4) perform any necessary renumbering + * 5) store entry in underlying database */ - /* NOTE: by now we do not accept adds that require renumbering */ - renumber = -1; - rs->sr_err = config_add_internal( cfb, op->ora_e, &ca, rs, &renumber ); + rs->sr_err = config_add_internal( cfb, op->ora_e, &ca, rs, &renumber, op ); if ( rs->sr_err != LDAP_SUCCESS ) { rs->sr_text = ca.msg; goto out2; } + if ( renumber ) { + CfEntryInfo *ce = ca.ca_entry->e_private; + req_add_s addr = op->oq_add; + op->o_tag = LDAP_REQ_MODRDN; + rs->sr_err = config_rename_add( op, rs, ce, ca.valx, 0, 0, cfb->cb_use_ldif ); + op->o_tag = LDAP_REQ_ADD; + op->oq_add = addr; + if ( rs->sr_err != LDAP_SUCCESS ) { + goto out2; + } + } + if ( cfb->cb_use_ldif ) { BackendDB *be = op->o_bd; slap_callback sc = { NULL, slap_null_cb, NULL, NULL }; @@ -3786,10 +4382,6 @@ config_back_add( Operation *op, SlapReply *rs ) op->o_ndn = ndn; } - if ( renumber ) { - /* TODO */ - } - out2:; ldap_pvt_thread_pool_resume( &connection_pool ); @@ -3941,7 +4533,7 @@ config_modify_internal( CfEntryInfo *ce, Operation *op, SlapReply *rs, if(rc == LDAP_SUCCESS) { /* check that the entry still obeys the schema */ - rc = entry_schema_check(op, e, NULL, 0, + rc = entry_schema_check(op, e, NULL, 0, 0, &rs->sr_text, ca->msg, sizeof(ca->msg) ); } if ( rc == LDAP_SUCCESS ) { @@ -4003,8 +4595,9 @@ config_modify_internal( CfEntryInfo *ce, Operation *op, SlapReply *rs, if ( rc ) rc = LDAP_OTHER; } if ( ml->sml_values ) { + d = d->next; ch_free( dels ); - dels = d->next; + dels = d; } if ( ml->sml_op == LDAP_MOD_REPLACE ) { ml->sml_values = vals; @@ -4034,7 +4627,7 @@ config_modify_internal( CfEntryInfo *ce, Operation *op, SlapReply *rs, ca->line = ptr+1; } } - rc = config_parse_add( ct, ca ); + rc = config_parse_add( ct, ca, i ); if ( rc ) { rc = LDAP_OTHER; goto out; @@ -4057,6 +4650,11 @@ out: } ch_free( ca->argv ); if ( colst ) ch_free( colst ); + while( dels ) { + deltail = dels->next; + ch_free( dels ); + dels = deltail; + } return rc; } @@ -4072,11 +4670,6 @@ config_back_modify( Operation *op, SlapReply *rs ) char *ptr; AttributeDescription *rad = NULL; - if ( !be_isroot( op ) ) { - rs->sr_err = LDAP_INSUFFICIENT_ACCESS; - goto out; - } - cfb = (CfBackInfo *)op->o_bd->be_private; ce = config_find_base( cfb->cb_root, &op->o_req_ndn, &last ); @@ -4087,6 +4680,11 @@ config_back_modify( Operation *op, SlapReply *rs ) goto out; } + if ( !acl_check_modlist( op, ce->ce_entry, op->orm_modlist )) { + rs->sr_err = LDAP_INSUFFICIENT_ACCESS; + goto out; + } + /* Get type of RDN */ rdn = ce->ce_entry->e_nname; ptr = strchr( rdn.bv_val, '=' ); @@ -4146,11 +4744,8 @@ config_back_modrdn( Operation *op, SlapReply *rs ) { CfBackInfo *cfb; CfEntryInfo *ce, *last; - - if ( !be_isroot( op ) ) { - rs->sr_err = LDAP_INSUFFICIENT_ACCESS; - goto out; - } + struct berval rdn; + int ixold, ixnew; cfb = (CfBackInfo *)op->o_bd->be_private; @@ -4161,6 +4756,22 @@ config_back_modrdn( Operation *op, SlapReply *rs ) rs->sr_err = LDAP_NO_SUCH_OBJECT; goto out; } + if ( !access_allowed( op, ce->ce_entry, slap_schema.si_ad_entry, + NULL, ACL_WRITE, NULL )) { + rs->sr_err = LDAP_INSUFFICIENT_ACCESS; + goto out; + } + { Entry *parent; + if ( ce->ce_parent ) + parent = ce->ce_parent->ce_entry; + else + parent = (Entry *)&slap_entry_root; + if ( !access_allowed( op, parent, slap_schema.si_ad_children, + NULL, ACL_WRITE, NULL )) { + rs->sr_err = LDAP_INSUFFICIENT_ACCESS; + goto out; + } + } /* We don't allow moving objects to new parents. * Generally we only allow reordering a set of ordered entries. @@ -4169,10 +4780,155 @@ config_back_modrdn( Operation *op, SlapReply *rs ) rs->sr_err = LDAP_UNWILLING_TO_PERFORM; goto out; } + + /* If newRDN == oldRDN, quietly succeed */ + dnRdn( &op->o_req_ndn, &rdn ); + if ( dn_match( &rdn, &op->orr_nnewrdn )) { + rs->sr_err = LDAP_SUCCESS; + goto out; + } + + /* Current behavior, subject to change as needed: + * + * For backends and overlays, we only allow renumbering. + * For schema, we allow renaming with the same number. + * Otherwise, the op is not allowed. + */ + + if ( ce->ce_type == Cft_Schema ) { + char *ptr1, *ptr2; + int len; + + /* Can't alter the main cn=schema entry */ + if ( ce->ce_parent->ce_type == Cft_Global ) { + rs->sr_err = LDAP_UNWILLING_TO_PERFORM; + rs->sr_text = "renaming not allowed for this entry"; + goto out; + } + + /* We could support this later if desired */ + ptr1 = ber_bvchr( &rdn, '}' ); + ptr2 = ber_bvchr( &op->orr_newrdn, '}' ); + len = ptr1 - rdn.bv_val; + if ( len != ptr2 - op->orr_newrdn.bv_val || + strncmp( rdn.bv_val, op->orr_newrdn.bv_val, len )) { + rs->sr_err = LDAP_UNWILLING_TO_PERFORM; + rs->sr_text = "schema reordering not supported"; + goto out; + } + } else if ( ce->ce_type == Cft_Database || + ce->ce_type == Cft_Overlay ) { + char *ptr1, *ptr2, *iptr1, *iptr2; + int len1, len2; + + iptr2 = ber_bvchr( &op->orr_newrdn, '=' ) + 1; + if ( *iptr2 != '{' ) { + rs->sr_err = LDAP_NAMING_VIOLATION; + rs->sr_text = "new ordering index is required"; + goto out; + } + iptr2++; + iptr1 = ber_bvchr( &rdn, '{' ) + 1; + ptr1 = ber_bvchr( &rdn, '}' ); + ptr2 = ber_bvchr( &op->orr_newrdn, '}' ); + if ( !ptr2 ) { + rs->sr_err = LDAP_NAMING_VIOLATION; + rs->sr_text = "new ordering index is required"; + goto out; + } + + len1 = ptr1 - rdn.bv_val; + len2 = ptr2 - op->orr_newrdn.bv_val; + + if ( rdn.bv_len - len1 != op->orr_newrdn.bv_len - len2 || + strncmp( ptr1, ptr2, rdn.bv_len - len1 )) { + rs->sr_err = LDAP_UNWILLING_TO_PERFORM; + rs->sr_text = "changing database/overlay type not allowed"; + goto out; + } + ixold = strtol( iptr1, NULL, 0 ); + ixnew = strtol( iptr2, &ptr1, 0 ); + if ( ptr1 != ptr2 || ixold < 0 || ixnew < 0 ) { + rs->sr_err = LDAP_NAMING_VIOLATION; + goto out; + } + /* config DB is always 0, cannot be changed */ + if ( ce->ce_type == Cft_Database && ( ixold == 0 || ixnew == 0 )) { + rs->sr_err = LDAP_CONSTRAINT_VIOLATION; + goto out; + } + } else { + rs->sr_err = LDAP_UNWILLING_TO_PERFORM; + rs->sr_text = "renaming not supported for this entry"; + goto out; + } + ldap_pvt_thread_pool_pause( &connection_pool ); - rs->sr_err = LDAP_UNWILLING_TO_PERFORM; - rs->sr_text = "renaming not implemented yet within naming context"; + if ( ce->ce_type == Cft_Schema ) { + req_modrdn_s modr = op->oq_modrdn; + struct berval rdn; + Attribute *a; + rs->sr_err = config_rename_attr( rs, ce->ce_entry, &rdn, &a ); + if ( rs->sr_err == LDAP_SUCCESS ) { + rs->sr_err = config_rename_one( op, rs, ce->ce_entry, + ce->ce_parent, a, &op->orr_newrdn, &op->orr_nnewrdn, + cfb->cb_use_ldif ); + } + op->oq_modrdn = modr; + } else { + CfEntryInfo *ce2, *cebase, **cprev, **cbprev, *ceold; + req_modrdn_s modr = op->oq_modrdn; + int i; + + /* Advance to first of this type */ + cprev = &ce->ce_parent->ce_kids; + for ( ce2 = *cprev; ce2 && ce2->ce_type != ce->ce_type; ) { + cprev = &ce2->ce_sibs; + ce2 = ce2->ce_sibs; + } + /* Skip the -1 entry */ + if ( ce->ce_type == Cft_Database ) { + cprev = &ce2->ce_sibs; + ce2 = ce2->ce_sibs; + } + cebase = ce2; + cbprev = cprev; + + /* Remove from old slot */ + for ( ce2 = *cprev; ce2 && ce2 != ce; ce2 = ce2->ce_sibs ) + cprev = &ce2->ce_sibs; + *cprev = ce->ce_sibs; + ceold = ce->ce_sibs; + + /* Insert into new slot */ + cprev = cbprev; + for ( i=0; ice_sibs; + } + ce->ce_sibs = *cprev; + *cprev = ce; + + ixnew = i; + + /* NOTE: These should be encoded in the OC tables, not inline here */ + if ( ce->ce_type == Cft_Database ) + backend_db_move( ce->ce_be, ixnew ); + else if ( ce->ce_type == Cft_Overlay ) + overlay_move( ce->ce_be, (slap_overinst *)ce->ce_bi, ixnew ); + + if ( ixold < ixnew ) { + rs->sr_err = config_rename_del( op, rs, ce, ceold, ixold, + cfb->cb_use_ldif ); + } else { + rs->sr_err = config_rename_add( op, rs, ce, ixnew, 1, + ixold - ixnew, cfb->cb_use_ldif ); + } + op->oq_modrdn = modr; + } ldap_pvt_thread_pool_resume( &connection_pool ); out: @@ -4185,11 +4941,7 @@ config_back_search( Operation *op, SlapReply *rs ) { CfBackInfo *cfb; CfEntryInfo *ce, *last; - - if ( !be_isroot( op ) ) { - rs->sr_err = LDAP_INSUFFICIENT_ACCESS; - goto out; - } + slap_mask_t mask; cfb = (CfBackInfo *)op->o_bd->be_private; @@ -4200,6 +4952,16 @@ config_back_search( Operation *op, SlapReply *rs ) rs->sr_err = LDAP_NO_SUCH_OBJECT; goto out; } + if ( !access_allowed_mask( op, ce->ce_entry, slap_schema.si_ad_entry, NULL, + ACL_SEARCH, NULL, &mask )) + { + if ( !ACL_GRANT( mask, ACL_DISCLOSE )) { + rs->sr_err = LDAP_NO_SUCH_OBJECT; + } else { + rs->sr_err = LDAP_INSUFFICIENT_ACCESS; + } + goto out; + } switch ( op->ors_scope ) { case LDAP_SCOPE_BASE: case LDAP_SCOPE_SUBTREE: @@ -4254,7 +5016,7 @@ Entry * config_build_entry( Operation *op, SlapReply *rs, CfEntryInfo *parent, ConfigArgs *c, struct berval *rdn, ConfigOCs *main, ConfigOCs *extra ) { - Entry *e = ch_calloc( 1, sizeof(Entry) ); + Entry *e = entry_alloc(); CfEntryInfo *ce = ch_calloc( 1, sizeof(CfEntryInfo) ); struct berval val; struct berval ad_name; @@ -4267,6 +5029,7 @@ config_build_entry( Operation *op, SlapReply *rs, CfEntryInfo *parent, ObjectClass *oc; CfEntryInfo *ceprev = NULL; + Debug( LDAP_DEBUG_TRACE, "config_build_entry: \"%s\"\n", rdn->bv_val, 0, 0); e->e_private = ce; ce->ce_entry = e; ce->ce_parent = parent; @@ -4320,12 +5083,16 @@ config_build_entry( Operation *op, SlapReply *rs, CfEntryInfo *parent, } oc_at = attr_find( e->e_attrs, slap_schema.si_ad_objectClass ); - rc = structural_class(oc_at->a_vals, &val, NULL, &text, c->msg, - sizeof(c->msg)); - attr_merge_normalize_one(e, slap_schema.si_ad_structuralObjectClass, &val, NULL ); - if ( op ) { + rc = structural_class(oc_at->a_vals, &oc, NULL, &text, c->msg, + sizeof(c->msg), op->o_tmpmemctx ); + attr_merge_normalize_one(e, slap_schema.si_ad_structuralObjectClass, &oc->soc_cname, NULL ); + if ( !op->o_noop ) { op->ora_e = e; op->o_bd->be_add( op, rs ); + if ( ( rs->sr_err != LDAP_SUCCESS ) + && (rs->sr_err != LDAP_ALREADY_EXISTS) ) { + return NULL; + } } if ( ceprev ) { ceprev->ce_sibs = ce; @@ -4336,7 +5103,7 @@ config_build_entry( Operation *op, SlapReply *rs, CfEntryInfo *parent, return e; } -static void +static int config_build_schema_inc( ConfigArgs *c, CfEntryInfo *ceparent, Operation *op, SlapReply *rs ) { @@ -4360,7 +5127,7 @@ config_build_schema_inc( ConfigArgs *c, CfEntryInfo *ceparent, c->value_dn.bv_len = snprintf(c->value_dn.bv_val, sizeof( c->log ), "cn=" SLAP_X_ORDERED_FMT, c->depth); if ( c->value_dn.bv_len >= sizeof( c->log ) ) { /* FIXME: how can indicate error? */ - return; + return -1; } strncpy( c->value_dn.bv_val + c->value_dn.bv_len, bv.bv_val, bv.bv_len ); @@ -4370,14 +5137,17 @@ config_build_schema_inc( ConfigArgs *c, CfEntryInfo *ceparent, c->private = cf; e = config_build_entry( op, rs, ceparent, c, &c->value_dn, &CFOC_SCHEMA, NULL ); - if ( e && cf->c_kids ) { + if ( !e ) { + return -1; + } else if ( e && cf->c_kids ) { c->private = cf->c_kids; config_build_schema_inc( c, e->e_private, op, rs ); } } + return 0; } -static void +static int config_build_includes( ConfigArgs *c, CfEntryInfo *ceparent, Operation *op, SlapReply *rs ) { @@ -4390,21 +5160,24 @@ config_build_includes( ConfigArgs *c, CfEntryInfo *ceparent, c->value_dn.bv_len = snprintf(c->value_dn.bv_val, sizeof( c->log ), "cn=include" SLAP_X_ORDERED_FMT, i); if ( c->value_dn.bv_len >= sizeof( c->log ) ) { /* FIXME: how can indicate error? */ - return; + return -1; } c->private = cf; e = config_build_entry( op, rs, ceparent, c, &c->value_dn, &CFOC_INCLUDE, NULL ); - if ( e && cf->c_kids ) { + if ( ! e ) { + return -1; + } else if ( e && cf->c_kids ) { c->private = cf->c_kids; config_build_includes( c, e->e_private, op, rs ); } } + return 0; } #ifdef SLAPD_MODULES -static void +static int config_build_modules( ConfigArgs *c, CfEntryInfo *ceparent, Operation *op, SlapReply *rs ) { @@ -4418,15 +5191,102 @@ config_build_modules( ConfigArgs *c, CfEntryInfo *ceparent, c->value_dn.bv_len = snprintf(c->value_dn.bv_val, sizeof( c->log ), "cn=module" SLAP_X_ORDERED_FMT, i); if ( c->value_dn.bv_len >= sizeof( c->log ) ) { /* FIXME: how can indicate error? */ - return; + return -1; } c->private = mp; - config_build_entry( op, rs, ceparent, c, &c->value_dn, - &CFOC_MODULE, NULL ); + if ( ! config_build_entry( op, rs, ceparent, c, &c->value_dn, &CFOC_MODULE, NULL )) { + return -1; + } } + return 0; } #endif +static int +config_check_schema(CfBackInfo *cfb) +{ + struct berval schema_dn = BER_BVC(SCHEMA_RDN "," CONFIG_RDN); + ConfigArgs c = {0}; + ConfigFile *cf = cfb->cb_config; + CfEntryInfo *ce, *last; + Entry *e; + + /* If there's no root entry, we must be in the midst of converting */ + if ( !cfb->cb_root ) + return 0; + + /* Make sure the main schema entry exists */ + ce = config_find_base( cfb->cb_root, &schema_dn, &last ); + if ( ce ) { + Attribute *a; + struct berval *bv; + + e = ce->ce_entry; + + /* Make sure it's up to date */ + if ( cf_om_tail != om_sys_tail ) { + a = attr_find( e->e_attrs, cfAd_om ); + if ( a ) { + if ( a->a_nvals != a->a_vals ) + ber_bvarray_free( a->a_nvals ); + ber_bvarray_free( a->a_vals ); + a->a_vals = NULL; + a->a_nvals = NULL; + } + oidm_unparse( &bv, NULL, NULL, 1 ); + attr_merge_normalize( e, cfAd_om, bv, NULL ); + ber_bvarray_free( bv ); + cf_om_tail = om_sys_tail; + } + if ( cf_at_tail != at_sys_tail ) { + a = attr_find( e->e_attrs, cfAd_attr ); + if ( a ) { + if ( a->a_nvals != a->a_vals ) + ber_bvarray_free( a->a_nvals ); + ber_bvarray_free( a->a_vals ); + a->a_vals = NULL; + a->a_nvals = NULL; + } + at_unparse( &bv, NULL, NULL, 1 ); + attr_merge_normalize( e, cfAd_attr, bv, NULL ); + ber_bvarray_free( bv ); + cf_at_tail = at_sys_tail; + } + if ( cf_oc_tail != oc_sys_tail ) { + a = attr_find( e->e_attrs, cfAd_oc ); + if ( a ) { + if ( a->a_nvals != a->a_vals ) + ber_bvarray_free( a->a_nvals ); + ber_bvarray_free( a->a_vals ); + a->a_vals = NULL; + a->a_nvals = NULL; + } + oc_unparse( &bv, NULL, NULL, 1 ); + attr_merge_normalize( e, cfAd_oc, bv, NULL ); + ber_bvarray_free( bv ); + cf_oc_tail = oc_sys_tail; + } + } else { + SlapReply rs = {REP_RESULT}; + c.private = NULL; + e = config_build_entry( NULL, &rs, cfb->cb_root, &c, &schema_rdn, + &CFOC_SCHEMA, NULL ); + if ( !e ) { + return -1; + } + ce = e->e_private; + ce->ce_private = cfb->cb_config; + cf_at_tail = at_sys_tail; + cf_oc_tail = oc_sys_tail; + cf_om_tail = om_sys_tail; + } + return 0; +} + +static const char *defacl[] = { + NULL, "to", "*", "by", "*", "none", NULL +}; + static int config_back_db_open( BackendDB *be ) { @@ -4444,22 +5304,32 @@ config_back_db_open( BackendDB *be ) SlapReply rs = {REP_RESULT}; void *thrctx = NULL; - /* If we read the config from back-ldif, nothing to do here */ - if ( cfb->cb_got_ldif ) - return 0; + Debug( LDAP_DEBUG_TRACE, "config_back_db_open\n", 0, 0, 0); - if ( cfb->cb_use_ldif ) { - thrctx = ldap_pvt_thread_pool_context(); - op = (Operation *) &opbuf; - connection_fake_init( &conn, op, thrctx ); + /* If we have no explicitly configured ACLs, don't just use + * the global ACLs. Explicitly deny access to everything. + */ + if ( frontendDB->be_acl && be->be_acl == frontendDB->be_acl ) { + parse_acl(be, "config_back_db_open", 0, 6, (char **)defacl, 0 ); + } - op->o_tag = LDAP_REQ_ADD; - op->o_callback = &cb; - op->o_bd = &cfb->cb_db; - op->o_dn = op->o_bd->be_rootdn; - op->o_ndn = op->o_bd->be_rootndn; - } else { - op = NULL; + /* If we read the config from back-ldif, do some quick sanity checks */ + if ( cfb->cb_got_ldif ) { + return config_check_schema( cfb ); + } + + thrctx = ldap_pvt_thread_pool_context(); + op = (Operation *) &opbuf; + connection_fake_init( &conn, op, thrctx ); + + op->o_tag = LDAP_REQ_ADD; + op->o_callback = &cb; + op->o_bd = &cfb->cb_db; + op->o_dn = op->o_bd->be_rootdn; + op->o_ndn = op->o_bd->be_rootndn; + + if ( !cfb->cb_use_ldif ) { + op->o_noop = 1; } /* create root of tree */ @@ -4467,6 +5337,9 @@ config_back_db_open( BackendDB *be ) c.private = cfb->cb_config; c.be = frontendDB; e = config_build_entry( op, &rs, NULL, &c, &rdn, &CFOC_GLOBAL, NULL ); + if ( !e ) { + return -1; + } ce = e->e_private; cfb->cb_root = ce; @@ -4477,13 +5350,17 @@ config_back_db_open( BackendDB *be ) if ( cfb->cb_config->c_kids ) { c.depth = 0; c.private = cfb->cb_config->c_kids; - config_build_includes( &c, ceparent, op, &rs ); + if ( config_build_includes( &c, ceparent, op, &rs ) ) { + return -1; + } } #ifdef SLAPD_MODULES /* Create Module nodes... */ if ( modpaths.mp_loads ) { - config_build_modules( &c, ceparent, op, &rs ); + if ( config_build_modules( &c, ceparent, op, &rs ) ){ + return -1; + } } #endif @@ -4494,13 +5371,22 @@ config_back_db_open( BackendDB *be ) rdn = schema_rdn; c.private = NULL; e = config_build_entry( op, &rs, ceparent, &c, &rdn, &CFOC_SCHEMA, NULL ); + if ( !e ) { + return -1; + } ce = e->e_private; + ce->ce_private = cfb->cb_config; + cf_at_tail = at_sys_tail; + cf_oc_tail = oc_sys_tail; + cf_om_tail = om_sys_tail; /* Create schema nodes for included schema... */ if ( cfb->cb_config->c_kids ) { c.depth = 0; c.private = cfb->cb_config->c_kids; - config_build_schema_inc( &c, ce, op, &rs ); + if (config_build_schema_inc( &c, ce, op, &rs )) { + return -1; + } } /* Create backend nodes. Skip if they don't provide a cf_table. @@ -4530,6 +5416,9 @@ config_back_db_open( BackendDB *be ) c.bi = bi; e = config_build_entry( op, &rs, ceparent, &c, &rdn, &CFOC_BACKEND, bi->bi_cf_ocs ); + if ( !e ) { + return -1; + } } /* Create database nodes... */ @@ -4566,6 +5455,9 @@ config_back_db_open( BackendDB *be ) c.bi = bi; e = config_build_entry( op, &rs, ceparent, &c, &rdn, &CFOC_DATABASE, be->be_cf_ocs ); + if ( !e ) { + return -1; + } ce = e->e_private; if ( be->be_cf_ocs && be->be_cf_ocs->co_cfadd ) be->be_cf_ocs->co_cfadd( op, &rs, e, &c ); @@ -4593,6 +5485,9 @@ config_back_db_open( BackendDB *be ) c.bi = &on->on_bi; oe = config_build_entry( op, &rs, ce, &c, &rdn, &CFOC_OVERLAY, c.bi->bi_cf_ocs ); + if ( !oe ) { + return -1; + } if ( c.bi->bi_cf_ocs && c.bi->bi_cf_ocs->co_cfadd ) c.bi->bi_cf_ocs->co_cfadd( op, &rs, oe, &c ); } @@ -4674,8 +5569,6 @@ config_back_db_destroy( BackendDB *be ) backend_destroy_one( &cfb->cb_db, 0 ); } - free( be->be_private ); - loglevel_destroy(); return 0; @@ -4687,7 +5580,7 @@ config_back_db_init( BackendDB *be ) struct berval dn; CfBackInfo *cfb; - cfb = ch_calloc( 1, sizeof(CfBackInfo)); + cfb = &cfBackInfo; cfb->cb_config = ch_calloc( 1, sizeof(ConfigFile)); cfn = cfb->cb_config; be->be_private = cfb; @@ -4781,7 +5674,7 @@ config_tool_entry_put( BackendDB *be, Entry *e, struct berval *text ) ConfigArgs ca; if ( bi && bi->bi_tool_entry_put && - config_add_internal( cfb, e, &ca, NULL, NULL ) == 0 ) + config_add_internal( cfb, e, &ca, NULL, NULL, NULL ) == 0 ) return bi->bi_tool_entry_put( &cfb->cb_db, e, text ); else return NOID; @@ -4791,9 +5684,12 @@ static struct { char *name; AttributeDescription **desc; } ads[] = { + { "attribute", &cfAd_attr }, { "backend", &cfAd_backend }, { "database", &cfAd_database }, { "include", &cfAd_include }, + { "objectclass", &cfAd_oc }, + { "objectidentifier", &cfAd_om }, { "overlay", &cfAd_overlay }, { NULL, NULL } }; @@ -4825,6 +5721,7 @@ int config_back_initialize( BackendInfo *bi ) { ConfigTable *ct = config_back_cf_table; + ConfigArgs ca; char *argv[4]; int i; AttributeDescription *ad = NULL; @@ -4864,9 +5761,7 @@ config_back_initialize( BackendInfo *bi ) bi->bi_chk_referrals = 0; -#ifdef SLAP_OVERLAY_ACCESS - bi->bi_access_allowed = slap_access_always_allowed; -#endif /* SLAP_OVERLAY_ACCESS */ + bi->bi_access_allowed = slap_access_allowed; bi->bi_connection_init = 0; bi->bi_connection_destroy = 0; @@ -4878,11 +5773,17 @@ config_back_initialize( BackendInfo *bi ) bi->bi_tool_entry_get = config_tool_entry_get; bi->bi_tool_entry_put = config_tool_entry_put; + ca.argv = argv; + argv[ 0 ] = "slapd"; + ca.argv = argv; + ca.argc = 3; + ca.fname = argv[0]; + argv[3] = NULL; for (i=0; OidMacros[i].name; i++ ) { argv[1] = OidMacros[i].name; argv[2] = OidMacros[i].oid; - parse_oidm( "slapd", i, 3, argv, 0, NULL ); + parse_oidm( &ca, 0, NULL ); } bi->bi_cf_ocs = cf_ocs;