X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fcontrols.c;h=33d71d1f01471c177f83b5b6c49784a0b7b260df;hb=cbc11c92331833b426a1f78ff4e49b873ac568dd;hp=5699329c6efa64eb0c135f62086310cff94d8831;hpb=8ef743309b8ffea471dbd41cd8e70de85d220b35;p=openldap diff --git a/servers/slapd/controls.c b/servers/slapd/controls.c index 5699329c6e..33d71d1f01 100644 --- a/servers/slapd/controls.c +++ b/servers/slapd/controls.c @@ -1,7 +1,7 @@ /* $OpenLDAP$ */ /* This work is part of OpenLDAP Software . * - * Copyright 1998-2005 The OpenLDAP Foundation. + * Copyright 1998-2006 The OpenLDAP Foundation. * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -29,10 +29,10 @@ static SLAP_CTRL_PARSE_FN parsePreRead; static SLAP_CTRL_PARSE_FN parsePostRead; static SLAP_CTRL_PARSE_FN parseProxyAuthz; #ifdef LDAP_DEVEL +static SLAP_CTRL_PARSE_FN parseDontUseCopy; static SLAP_CTRL_PARSE_FN parseManageDIT; #endif static SLAP_CTRL_PARSE_FN parseManageDSAit; -static SLAP_CTRL_PARSE_FN parseModifyIncrement; static SLAP_CTRL_PARSE_FN parseNoOp; static SLAP_CTRL_PARSE_FN parsePagedResults; #ifdef LDAP_DEVEL @@ -41,7 +41,9 @@ static SLAP_CTRL_PARSE_FN parseSortedResults; static SLAP_CTRL_PARSE_FN parseValuesReturnFilter; static SLAP_CTRL_PARSE_FN parsePermissiveModify; static SLAP_CTRL_PARSE_FN parseDomainScope; +#ifdef SLAP_CONTROL_X_TREE_DELETE static SLAP_CTRL_PARSE_FN parseTreeDelete; +#endif static SLAP_CTRL_PARSE_FN parseSearchOptions; static SLAP_CTRL_PARSE_FN parseSubentries; @@ -63,7 +65,8 @@ struct slap_control { slap_mask_t sc_mask; /* Extended operations supported by control */ - char **sc_extendedops; + char **sc_extendedops; /* input */ + BerVarray sc_extendedopsbv; /* run-time use */ /* Control parsing callback */ SLAP_CTRL_PARSE_FN *sc_parse; @@ -94,108 +97,129 @@ static int num_known_controls = 1; static char *proxy_authz_extops[] = { LDAP_EXOP_MODIFY_PASSWD, LDAP_EXOP_X_WHO_AM_I, + LDAP_EXOP_REFRESH, + NULL +}; + +static char *manageDSAit_extops[] = { + LDAP_EXOP_REFRESH, NULL }; static struct slap_control control_defs[] = { { LDAP_CONTROL_ASSERT, (int)offsetof(struct slap_control_ids, sc_assert), - SLAP_CTRL_HIDE|SLAP_CTRL_ACCESS, NULL, + SLAP_CTRL_DELETE|SLAP_CTRL_MODIFY|SLAP_CTRL_RENAME| + SLAP_CTRL_COMPARE|SLAP_CTRL_SEARCH, + NULL, NULL, parseAssert, LDAP_SLIST_ENTRY_INITIALIZER(next) }, { LDAP_CONTROL_PRE_READ, (int)offsetof(struct slap_control_ids, sc_preRead), - SLAP_CTRL_HIDE|SLAP_CTRL_DELETE|SLAP_CTRL_MODIFY|SLAP_CTRL_RENAME, NULL, + SLAP_CTRL_DELETE|SLAP_CTRL_MODIFY|SLAP_CTRL_RENAME, + NULL, NULL, parsePreRead, LDAP_SLIST_ENTRY_INITIALIZER(next) }, { LDAP_CONTROL_POST_READ, (int)offsetof(struct slap_control_ids, sc_postRead), - SLAP_CTRL_HIDE|SLAP_CTRL_ADD|SLAP_CTRL_MODIFY|SLAP_CTRL_RENAME, NULL, + SLAP_CTRL_ADD|SLAP_CTRL_MODIFY|SLAP_CTRL_RENAME, + NULL, NULL, parsePostRead, LDAP_SLIST_ENTRY_INITIALIZER(next) }, { LDAP_CONTROL_VALUESRETURNFILTER, (int)offsetof(struct slap_control_ids, sc_valuesReturnFilter), - SLAP_CTRL_GLOBAL|SLAP_CTRL_SEARCH, NULL, + SLAP_CTRL_GLOBAL|SLAP_CTRL_SEARCH, + NULL, NULL, parseValuesReturnFilter, LDAP_SLIST_ENTRY_INITIALIZER(next) }, { LDAP_CONTROL_PAGEDRESULTS, (int)offsetof(struct slap_control_ids, sc_pagedResults), - SLAP_CTRL_SEARCH, NULL, + SLAP_CTRL_SEARCH, + NULL, NULL, parsePagedResults, LDAP_SLIST_ENTRY_INITIALIZER(next) }, #ifdef LDAP_DEVEL { LDAP_CONTROL_SORTREQUEST, (int)offsetof(struct slap_control_ids, sc_sortedResults), - SLAP_CTRL_GLOBAL|SLAP_CTRL_SEARCH|SLAP_CTRL_HIDE, NULL, + SLAP_CTRL_GLOBAL|SLAP_CTRL_SEARCH|SLAP_CTRL_HIDE, + NULL, NULL, parseSortedResults, LDAP_SLIST_ENTRY_INITIALIZER(next) }, #endif -#ifdef LDAP_CONTROL_X_DOMAIN_SCOPE { LDAP_CONTROL_X_DOMAIN_SCOPE, (int)offsetof(struct slap_control_ids, sc_domainScope), - SLAP_CTRL_GLOBAL|SLAP_CTRL_SEARCH, NULL, + SLAP_CTRL_GLOBAL|SLAP_CTRL_SEARCH|SLAP_CTRL_HIDE, + NULL, NULL, parseDomainScope, LDAP_SLIST_ENTRY_INITIALIZER(next) }, -#endif -#ifdef LDAP_CONTROL_X_PERMISSIVE_MODIFY { LDAP_CONTROL_X_PERMISSIVE_MODIFY, (int)offsetof(struct slap_control_ids, sc_permissiveModify), - SLAP_CTRL_MODIFY, NULL, + SLAP_CTRL_MODIFY|SLAP_CTRL_HIDE, + NULL, NULL, parsePermissiveModify, LDAP_SLIST_ENTRY_INITIALIZER(next) }, -#endif #ifdef SLAP_CONTROL_X_TREE_DELETE { LDAP_CONTROL_X_TREE_DELETE, (int)offsetof(struct slap_control_ids, sc_treeDelete), - SLAP_CTRL_HIDE|SLAP_CTRL_DELETE, NULL, + SLAP_CTRL_DELETE|SLAP_CTRL_HIDE, + NULL, NULL, parseTreeDelete, LDAP_SLIST_ENTRY_INITIALIZER(next) }, #endif -#ifdef LDAP_CONTROL_X_SEARCH_OPTIONS { LDAP_CONTROL_X_SEARCH_OPTIONS, (int)offsetof(struct slap_control_ids, sc_searchOptions), - SLAP_CTRL_GLOBAL|SLAP_CTRL_SEARCH, NULL, + SLAP_CTRL_GLOBAL|SLAP_CTRL_SEARCH|SLAP_CTRL_HIDE, + NULL, NULL, parseSearchOptions, LDAP_SLIST_ENTRY_INITIALIZER(next) }, -#endif -#ifdef LDAP_CONTROL_SUBENTRIES { LDAP_CONTROL_SUBENTRIES, (int)offsetof(struct slap_control_ids, sc_subentries), - SLAP_CTRL_SEARCH, NULL, + SLAP_CTRL_SEARCH, + NULL, NULL, parseSubentries, LDAP_SLIST_ENTRY_INITIALIZER(next) }, -#endif { LDAP_CONTROL_NOOP, (int)offsetof(struct slap_control_ids, sc_noOp), - SLAP_CTRL_HIDE|SLAP_CTRL_ACCESS, NULL, + SLAP_CTRL_ACCESS|SLAP_CTRL_HIDE, + NULL, NULL, parseNoOp, LDAP_SLIST_ENTRY_INITIALIZER(next) }, -#ifdef LDAP_CONTROL_MODIFY_INCREMENT - { LDAP_CONTROL_MODIFY_INCREMENT, - (int)offsetof(struct slap_control_ids, sc_modifyIncrement), - SLAP_CTRL_HIDE|SLAP_CTRL_MODIFY, NULL, - parseModifyIncrement, LDAP_SLIST_ENTRY_INITIALIZER(next) }, -#endif #ifdef LDAP_DEVEL + { LDAP_CONTROL_DONTUSECOPY, + (int)offsetof(struct slap_control_ids, sc_dontUseCopy), + SLAP_CTRL_INTROGATE|SLAP_CTRL_HIDE, + NULL, NULL, + parseDontUseCopy, LDAP_SLIST_ENTRY_INITIALIZER(next) }, { LDAP_CONTROL_MANAGEDIT, (int)offsetof(struct slap_control_ids, sc_manageDIT), - SLAP_CTRL_GLOBAL|SLAP_CTRL_UPDATE, NULL, + SLAP_CTRL_GLOBAL|SLAP_CTRL_UPDATE|SLAP_CTRL_HIDE, + NULL, NULL, parseManageDIT, LDAP_SLIST_ENTRY_INITIALIZER(next) }, #endif { LDAP_CONTROL_MANAGEDSAIT, (int)offsetof(struct slap_control_ids, sc_manageDSAit), - SLAP_CTRL_ACCESS, NULL, + SLAP_CTRL_ACCESS, + manageDSAit_extops, NULL, parseManageDSAit, LDAP_SLIST_ENTRY_INITIALIZER(next) }, { LDAP_CONTROL_PROXY_AUTHZ, (int)offsetof(struct slap_control_ids, sc_proxyAuthz), - SLAP_CTRL_GLOBAL|SLAP_CTRL_ACCESS, proxy_authz_extops, + SLAP_CTRL_GLOBAL|SLAP_CTRL_ACCESS, + proxy_authz_extops, NULL, parseProxyAuthz, LDAP_SLIST_ENTRY_INITIALIZER(next) }, - { NULL, 0, 0, NULL, 0, LDAP_SLIST_ENTRY_INITIALIZER(next) } + { NULL, 0, 0, NULL, 0, NULL, LDAP_SLIST_ENTRY_INITIALIZER(next) } }; +static struct slap_control * +find_ctrl( const char *oid ); + /* * Register a supported control. * * This can be called by an OpenLDAP plugin or, indirectly, by a * SLAPI plugin calling slapi_register_supported_control(). + * + * NOTE: if flags == 1 the control is replaced if already registered; + * otherwise registering an already registered control is not allowed. */ int -register_supported_control(const char *controloid, +register_supported_control2(const char *controloid, slap_mask_t controlmask, char **controlexops, SLAP_CTRL_PARSE_FN *controlparsefn, + unsigned flags, int *controlcid) { - struct slap_control *sc; + struct slap_control *sc = NULL; int i; + BerVarray extendedopsbv = NULL; if ( num_known_controls >= SLAP_MAX_CIDS ) { Debug( LDAP_DEBUG_ANY, "Too many controls registered." @@ -204,11 +228,23 @@ register_supported_control(const char *controloid, return LDAP_OTHER; } - if ( controloid == NULL ) return LDAP_PARAM_ERROR; + if ( controloid == NULL ) { + return LDAP_PARAM_ERROR; + } - /* sanity check - should never happen */ + /* check if already registered */ for ( i = 0; slap_known_controls[ i ]; i++ ) { if ( strcmp( controloid, slap_known_controls[ i ] ) == 0 ) { + if ( flags == 1 ) { + Debug( LDAP_DEBUG_TRACE, + "Control %s already registered; replacing.\n", + controloid, 0, 0 ); + /* (find and) replace existing handler */ + sc = find_ctrl( controloid ); + assert( sc != NULL ); + break; + } + Debug( LDAP_DEBUG_ANY, "Control %s already registered.\n", controloid, 0, 0 ); @@ -216,31 +252,62 @@ register_supported_control(const char *controloid, } } - sc = (struct slap_control *)SLAP_MALLOC( sizeof( *sc ) ); - if ( sc == NULL ) return LDAP_NO_MEMORY; - - sc->sc_oid = ch_strdup( controloid ); - sc->sc_mask = controlmask; + /* turn compatible extended operations into bervals */ if ( controlexops != NULL ) { - sc->sc_extendedops = ldap_charray_dup( controlexops ); - if ( sc->sc_extendedops == NULL ) { - ch_free( sc ); + int i; + + for ( i = 0; controlexops[ i ]; i++ ); + + extendedopsbv = ber_memcalloc( i + 1, sizeof( struct berval ) ); + if ( extendedopsbv == NULL ) { return LDAP_NO_MEMORY; } - } else { - sc->sc_extendedops = NULL; + + for ( i = 0; controlexops[ i ]; i++ ) { + ber_str2bv( controlexops[ i ], 0, 1, &extendedopsbv[ i ] ); + } } - sc->sc_parse = controlparsefn; - if ( controlcid ) *controlcid = num_known_controls; - sc->sc_cid = num_known_controls; + if ( sc == NULL ) { + sc = (struct slap_control *)SLAP_MALLOC( sizeof( *sc ) ); + if ( sc == NULL ) { + return LDAP_NO_MEMORY; + } + + sc->sc_oid = ch_strdup( controloid ); + sc->sc_cid = num_known_controls; + + /* Update slap_known_controls, too. */ + slap_known_controls[num_known_controls - 1] = sc->sc_oid; + slap_known_controls[num_known_controls++] = NULL; - /* Update slap_known_controls, too. */ - slap_known_controls[num_known_controls-1] = sc->sc_oid; - slap_known_controls[num_known_controls++] = NULL; + LDAP_SLIST_NEXT( sc, sc_next ) = NULL; + LDAP_SLIST_INSERT_HEAD( &controls_list, sc, sc_next ); + + } else { + if ( sc->sc_extendedopsbv ) { + /* FIXME: in principle, we should rather merge + * existing extops with those supported by the + * new control handling implementation. + * In fact, whether a control is compatible with + * an extop should not be a matter of implementation. + * We likely also need a means for a newly + * registered extop to declare that it is + * comptible with an already registered control. + */ + ber_bvarray_free( sc->sc_extendedopsbv ); + sc->sc_extendedopsbv = NULL; + sc->sc_extendedops = NULL; + } + } + + sc->sc_extendedopsbv = extendedopsbv; + sc->sc_mask = controlmask; + sc->sc_parse = controlparsefn; + if ( controlcid ) { + *controlcid = sc->sc_cid; + } - LDAP_SLIST_NEXT( sc, sc_next ) = NULL; - LDAP_SLIST_INSERT_HEAD( &controls_list, sc, sc_next ); return LDAP_SUCCESS; } @@ -251,7 +318,6 @@ int slap_controls_init( void ) { int i, rc; - struct slap_control *sc; rc = LDAP_SUCCESS; @@ -279,8 +345,8 @@ controls_destroy( void ) LDAP_SLIST_REMOVE_HEAD(&controls_list, sc_next); ch_free( sc->sc_oid ); - if ( sc->sc_extendedops != NULL ) { - ldap_charray_free( sc->sc_extendedops ); + if ( sc->sc_extendedopsbv != NULL ) { + ber_bvarray_free( sc->sc_extendedopsbv ); } ch_free( sc ); } @@ -324,10 +390,9 @@ int get_supported_controls(char ***ctrloidsp, slap_mask_t **ctrlmasks) { - int i, n; + int n; char **oids; slap_mask_t *masks; - int rc; struct slap_control *sc; n = 0; @@ -439,6 +504,95 @@ void slap_free_ctrls( op->o_tmpfree( ctrls, op->o_tmpmemctx ); } +int slap_parse_ctrl( + Operation *op, + SlapReply *rs, + LDAPControl *control, + const char **text ) +{ + struct slap_control *sc; + + sc = find_ctrl( control->ldctl_oid ); + if( sc != NULL ) { + /* recognized control */ + slap_mask_t tagmask; + switch( op->o_tag ) { + case LDAP_REQ_ADD: + tagmask = SLAP_CTRL_ADD; + break; + case LDAP_REQ_BIND: + tagmask = SLAP_CTRL_BIND; + break; + case LDAP_REQ_COMPARE: + tagmask = SLAP_CTRL_COMPARE; + break; + case LDAP_REQ_DELETE: + tagmask = SLAP_CTRL_DELETE; + break; + case LDAP_REQ_MODIFY: + tagmask = SLAP_CTRL_MODIFY; + break; + case LDAP_REQ_RENAME: + tagmask = SLAP_CTRL_RENAME; + break; + case LDAP_REQ_SEARCH: + tagmask = SLAP_CTRL_SEARCH; + break; + case LDAP_REQ_UNBIND: + tagmask = SLAP_CTRL_UNBIND; + break; + case LDAP_REQ_ABANDON: + tagmask = SLAP_CTRL_ABANDON; + break; + case LDAP_REQ_EXTENDED: + tagmask=~0L; + assert( op->ore_reqoid.bv_val != NULL ); + if( sc->sc_extendedopsbv != NULL ) { + int i; + for( i=0; !BER_BVISNULL( &sc->sc_extendedopsbv[i] ); i++ ) { + if( bvmatch( &op->ore_reqoid, + &sc->sc_extendedopsbv[i] ) ) + { + tagmask=0L; + break; + } + } + } + break; + default: + *text = "controls internal error"; + return LDAP_OTHER; + } + + if (( sc->sc_mask & tagmask ) == tagmask ) { + /* available extension */ + int rc; + + if( !sc->sc_parse ) { + *text = "not yet implemented"; + return LDAP_OTHER; + } + + rc = sc->sc_parse( op, rs, control ); + if ( rc ) { + assert( rc != LDAP_UNAVAILABLE_CRITICAL_EXTENSION ); + return rc; + } + + } else if( control->ldctl_iscritical ) { + /* unavailable CRITICAL control */ + *text = "critical extension is unavailable"; + return LDAP_UNAVAILABLE_CRITICAL_EXTENSION; + } + } else if( control->ldctl_iscritical ) { + /* unrecognized CRITICAL control */ + *text = "critical extension is not recognized"; + return LDAP_UNAVAILABLE_CRITICAL_EXTENSION; + } + + return LDAP_SUCCESS; +} + int get_ctrls( Operation *op, SlapReply *rs, @@ -449,7 +603,6 @@ int get_ctrls( ber_len_t len; char *opaque; BerElement *ber = op->o_ber; - struct slap_control *sc; struct berval bv; len = ber_pvt_ber_remaining(ber); @@ -589,90 +742,10 @@ int get_ctrls( "=> get_ctrls: oid=\"%s\" (%scritical)\n", c->ldctl_oid, c->ldctl_iscritical ? "" : "non", 0 ); - sc = find_ctrl( c->ldctl_oid ); - if( sc != NULL ) { - /* recognized control */ - slap_mask_t tagmask; - switch( op->o_tag ) { - case LDAP_REQ_ADD: - tagmask = SLAP_CTRL_ADD; - break; - case LDAP_REQ_BIND: - tagmask = SLAP_CTRL_BIND; - break; - case LDAP_REQ_COMPARE: - tagmask = SLAP_CTRL_COMPARE; - break; - case LDAP_REQ_DELETE: - tagmask = SLAP_CTRL_DELETE; - break; - case LDAP_REQ_MODIFY: - tagmask = SLAP_CTRL_MODIFY; - break; - case LDAP_REQ_RENAME: - tagmask = SLAP_CTRL_RENAME; - break; - case LDAP_REQ_SEARCH: - tagmask = SLAP_CTRL_SEARCH; - break; - case LDAP_REQ_UNBIND: - tagmask = SLAP_CTRL_UNBIND; - break; - case LDAP_REQ_ABANDON: - tagmask = SLAP_CTRL_ABANDON; - break; - case LDAP_REQ_EXTENDED: - tagmask=~0L; - assert( op->ore_reqoid.bv_val != NULL ); - if( sc->sc_extendedops != NULL ) { - int i; - for( i=0; sc->sc_extendedops[i] != NULL; i++ ) { - if( strcmp( op->ore_reqoid.bv_val, - sc->sc_extendedops[i] ) == 0 ) - { - tagmask=0L; - break; - } - } - } - break; - default: - rs->sr_err = LDAP_OTHER; - rs->sr_text = "controls internal error"; - goto return_results; - } - - if (( sc->sc_mask & tagmask ) == tagmask ) { - /* available extension */ - int rc; - - if( !sc->sc_parse ) { - rs->sr_err = LDAP_OTHER; - rs->sr_text = "not yet implemented"; - goto return_results; - } - - rc = sc->sc_parse( op, rs, c ); - if ( rc ) { - assert( rc != LDAP_UNAVAILABLE_CRITICAL_EXTENSION ); - rs->sr_err = rc; - goto return_results; - } - - } else if( c->ldctl_iscritical ) { - /* unavailable CRITICAL control */ - rs->sr_err = LDAP_UNAVAILABLE_CRITICAL_EXTENSION; - rs->sr_text = "critical extension is unavailable"; - goto return_results; - } - - } else if( c->ldctl_iscritical ) { - /* unrecognized CRITICAL control */ - rs->sr_err = LDAP_UNAVAILABLE_CRITICAL_EXTENSION; - rs->sr_text = "critical extension is not recognized"; + rs->sr_err = slap_parse_ctrl( op, rs, c, &rs->sr_text ); + if ( rs->sr_err != LDAP_SUCCESS ) { goto return_results; } -next_ctrl:; } return_results: @@ -693,33 +766,100 @@ return_results: return rs->sr_err; } -static int parseModifyIncrement ( +int +slap_remove_control( + Operation *op, + SlapReply *rs, + int ctrl, + BI_chk_controls fnc ) +{ + int i, j; + + switch ( op->o_ctrlflag[ ctrl ] ) { + case SLAP_CONTROL_NONCRITICAL: + for ( i = 0, j = -1; op->o_ctrls[ i ] != NULL; i++ ) { + if ( strcmp( op->o_ctrls[ i ]->ldctl_oid, + slap_known_controls[ ctrl - 1 ] ) == 0 ) + { + j = i; + } + } + + if ( j == -1 ) { + rs->sr_err = LDAP_OTHER; + break; + } + + if ( fnc ) { + (void)fnc( op, rs ); + } + + op->o_tmpfree( op->o_ctrls[ j ], op->o_tmpmemctx ); + + if ( i > 1 ) { + AC_MEMCPY( &op->o_ctrls[ j ], &op->o_ctrls[ j + 1 ], + ( i - j ) * sizeof( LDAPControl * ) ); + + } else { + op->o_tmpfree( op->o_ctrls, op->o_tmpmemctx ); + op->o_ctrls = NULL; + } + + op->o_ctrlflag[ ctrl ] = SLAP_CONTROL_IGNORED; + + Debug( LDAP_DEBUG_ANY, "%s: " + "non-critical control \"%s\" not supported; stripped.\n", + op->o_log_prefix, slap_known_controls[ ctrl ], 0 ); + /* fall thru */ + + case SLAP_CONTROL_IGNORED: + case SLAP_CONTROL_NONE: + rs->sr_err = SLAP_CB_CONTINUE; + break; + + case SLAP_CONTROL_CRITICAL: + rs->sr_err = LDAP_UNAVAILABLE_CRITICAL_EXTENSION; + if ( fnc ) { + (void)fnc( op, rs ); + } + Debug( LDAP_DEBUG_ANY, "%s: " + "critical control \"%s\" not supported.\n", + op->o_log_prefix, slap_known_controls[ ctrl ], 0 ); + break; + + default: + /* handle all cases! */ + assert( 0 ); + } + + return rs->sr_err; +} + +#ifdef LDAP_DEVEL +static int parseDontUseCopy ( Operation *op, SlapReply *rs, LDAPControl *ctrl ) { -#if 0 - if ( op->o_modifyIncrement != SLAP_CONTROL_NONE ) { - rs->sr_text = "modifyIncrement control specified multiple times"; + if ( op->o_dontUseCopy != SLAP_CONTROL_NONE ) { + rs->sr_text = "dontUseCopy control specified multiple times"; return LDAP_PROTOCOL_ERROR; } -#endif if ( ctrl->ldctl_value.bv_len ) { - rs->sr_text = "modifyIncrement control value not empty"; + rs->sr_text = "dontUseCopy control value not empty"; return LDAP_PROTOCOL_ERROR; } -#if 0 - op->o_modifyIncrement = ctrl->ldctl_iscritical - ? SLAP_CONTROL_CRITICAL - : SLAP_CONTROL_NONCRITICAL; -#endif + if ( ctrl->ldctl_iscritical != SLAP_CONTROL_CRITICAL ) { + rs->sr_text = "dontUseCopy criticality of FALSE not allowed"; + return LDAP_PROTOCOL_ERROR; + } + op->o_dontUseCopy = SLAP_CONTROL_CRITICAL; return LDAP_SUCCESS; } -#ifdef LDAP_DEVEL static int parseManageDIT ( Operation *op, SlapReply *rs, @@ -778,6 +918,13 @@ static int parseProxyAuthz ( return LDAP_PROTOCOL_ERROR; } + if ( !( global_allows & SLAP_ALLOW_PROXY_AUTHZ_ANON ) + && BER_BVISEMPTY( &op->o_ndn ) ) + { + rs->sr_text = "anonymous proxied authorization not allowed"; + return LDAP_PROXIED_AUTHORIZATION_DENIED; + } + op->o_proxy_authz = ctrl->ldctl_iscritical ? SLAP_CONTROL_CRITICAL : SLAP_CONTROL_NONCRITICAL; @@ -794,10 +941,14 @@ static int parseProxyAuthz ( op->o_connid, 0, 0 ); /* anonymous */ - op->o_ndn.bv_val[ 0 ] = '\0'; + if ( !BER_BVISNULL( &op->o_ndn ) ) { + op->o_ndn.bv_val[ 0 ] = '\0'; + } op->o_ndn.bv_len = 0; - op->o_dn.bv_val[ 0 ] = '\0'; + if ( !BER_BVISNULL( &op->o_dn ) ) { + op->o_dn.bv_val[ 0 ] = '\0'; + } op->o_dn.bv_len = 0; return LDAP_SUCCESS; @@ -812,7 +963,7 @@ static int parseProxyAuthz ( ch_free( dn.bv_val ); } rs->sr_text = "authzId mapping failed"; - return LDAP_PROXY_AUTHZ_FAILURE; + return LDAP_PROXIED_AUTHORIZATION_DENIED; } Debug( LDAP_DEBUG_TRACE, @@ -825,7 +976,7 @@ static int parseProxyAuthz ( if ( rc ) { ch_free( dn.bv_val ); rs->sr_text = "not authorized to assume identity"; - return LDAP_PROXY_AUTHZ_FAILURE; + return LDAP_PROXIED_AUTHORIZATION_DENIED; } ch_free( op->o_ndn.bv_val ); @@ -917,48 +1068,6 @@ static int parsePagedResults ( goto done; } -#if 0 - /* defer cookie decoding/checks to backend... */ - if ( cookie.bv_len ) { - PagedResultsCookie reqcookie; - if( cookie.bv_len != sizeof( reqcookie ) ) { - /* bad cookie */ - rs->sr_text = "paged results cookie is invalid"; - rc = LDAP_PROTOCOL_ERROR; - goto done; - } - - AC_MEMCPY( &reqcookie, cookie.bv_val, sizeof( reqcookie )); - - if ( reqcookie > op->o_pagedresults_state.ps_cookie ) { - /* bad cookie */ - rs->sr_text = "paged results cookie is invalid"; - rc = LDAP_PROTOCOL_ERROR; - goto done; - - } else if ( reqcookie < op->o_pagedresults_state.ps_cookie ) { - rs->sr_text = "paged results cookie is invalid or old"; - rc = LDAP_UNWILLING_TO_PERFORM; - goto done; - } - - } else { - /* Initial request. Initialize state. */ -#if 0 - if ( op->o_conn->c_pagedresults_state.ps_cookie != 0 ) { - /* There's another pagedResults control on the - * same connection; reject new pagedResults controls - * (allowed by RFC2696) */ - rs->sr_text = "paged results cookie unavailable; try later"; - rc = LDAP_UNWILLING_TO_PERFORM; - goto done; - } -#endif - op->o_pagedresults_state.ps_cookie = 0; - op->o_pagedresults_state.ps_count = 0; - } -#endif - ps = op->o_tmpalloc( sizeof(PagedResultsState), op->o_tmpmemctx ); *ps = op->o_conn->c_pagedresults_state; ps->ps_size = size; @@ -1024,7 +1133,6 @@ static int parseAssert ( { BerElement *ber; struct berval fstr = BER_BVNULL; - const char *err_msg = ""; if ( op->o_assert != SLAP_CONTROL_NONE ) { rs->sr_text = "assert control specified multiple times"; @@ -1042,8 +1150,8 @@ static int parseAssert ( return LDAP_OTHER; } - rs->sr_err = get_filter( op, ber, (Filter **)&(op->o_assertion), &rs->sr_text); - + rs->sr_err = get_filter( op, ber, (Filter **)&(op->o_assertion), + &rs->sr_text); if( rs->sr_err != LDAP_SUCCESS ) { if( rs->sr_err == SLAPD_DISCONNECT ) { rs->sr_err = LDAP_PROTOCOL_ERROR; @@ -1190,14 +1298,13 @@ static int parsePostRead ( return LDAP_SUCCESS; } -int parseValuesReturnFilter ( +static int parseValuesReturnFilter ( Operation *op, SlapReply *rs, LDAPControl *ctrl ) { BerElement *ber; struct berval fstr = BER_BVNULL; - const char *err_msg = ""; if ( op->o_valuesreturnfilter != SLAP_CONTROL_NONE ) { rs->sr_text = "valuesReturnFilter control specified multiple times"; @@ -1215,7 +1322,8 @@ int parseValuesReturnFilter ( return LDAP_OTHER; } - rs->sr_err = get_vrFilter( op, ber, (ValuesReturnFilter **)&(op->o_vrFilter), &rs->sr_text); + rs->sr_err = get_vrFilter( op, ber, + (ValuesReturnFilter **)&(op->o_vrFilter), &rs->sr_text); if( rs->sr_err != LDAP_SUCCESS ) { if( rs->sr_err == SLAPD_DISCONNECT ) { @@ -1245,7 +1353,6 @@ int parseValuesReturnFilter ( return LDAP_SUCCESS; } -#ifdef LDAP_CONTROL_SUBENTRIES static int parseSubentries ( Operation *op, SlapReply *rs, @@ -1275,9 +1382,7 @@ static int parseSubentries ( return LDAP_SUCCESS; } -#endif -#ifdef LDAP_CONTROL_X_PERMISSIVE_MODIFY static int parsePermissiveModify ( Operation *op, SlapReply *rs, @@ -1299,9 +1404,7 @@ static int parsePermissiveModify ( return LDAP_SUCCESS; } -#endif -#ifdef LDAP_CONTROL_X_DOMAIN_SCOPE static int parseDomainScope ( Operation *op, SlapReply *rs, @@ -1323,9 +1426,8 @@ static int parseDomainScope ( return LDAP_SUCCESS; } -#endif -#ifdef LDAP_CONTROL_X_TREE_DELETE +#ifdef SLAP_CONTROL_X_TREE_DELETE static int parseTreeDelete ( Operation *op, SlapReply *rs, @@ -1349,7 +1451,6 @@ static int parseTreeDelete ( } #endif -#ifdef LDAP_CONTROL_X_SEARCH_OPTIONS static int parseSearchOptions ( Operation *op, SlapReply *rs, @@ -1360,7 +1461,7 @@ static int parseSearchOptions ( ber_tag_t tag; if ( ctrl->ldctl_value.bv_len == 0 ) { - rs->sr_text = "searchOptions control value not empty"; + rs->sr_text = "searchOptions control value is empty (or absent)"; return LDAP_PROTOCOL_ERROR; } @@ -1394,11 +1495,10 @@ static int parseSearchOptions ( * including: * LDAP_SEARCH_FLAG_PHANTOM_ROOM */ - rs->sr_text = "searchOptions contained unrecongized flag"; + rs->sr_text = "searchOptions contained unrecognized flag"; return LDAP_UNWILLING_TO_PERFORM; } return LDAP_SUCCESS; } -#endif