X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fslap.h;h=9ebe047e77c619e80cb42e009966cd3062dd1bb7;hb=0f30fb0d8f0adbbb7b41fd455c57aa56d64c9853;hp=44fba01fc9943c484e248880a3d4a14e65f16bbc;hpb=df7ca2c3f3fa7e874e740ee540b649f7bd9cf235;p=openldap diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h index 44fba01fc9..9ebe047e77 100644 --- a/servers/slapd/slap.h +++ b/servers/slapd/slap.h @@ -1,7 +1,7 @@ /* slap.h - stand alone ldap server include file */ /* $OpenLDAP$ */ /* - * Copyright 1998-1999 The OpenLDAP Foundation, All Rights Reserved. + * Copyright 1998-2000 The OpenLDAP Foundation, All Rights Reserved. * COPYING RESTRICTIONS APPLY, see COPYRIGHT file */ @@ -19,10 +19,6 @@ #include #include -#ifdef HAVE_CYRUS_SASL -#include -#endif - #include "avl.h" #ifndef ldap_debug @@ -36,16 +32,16 @@ #include #include "ldap_pvt_thread.h" -#include "ldif.h" LDAP_BEGIN_DECL +#define SERVICE_NAME OPENLDAP_PACKAGE "-slapd" +#define SLAPD_ANONYMOUS "cn=anonymous" + #ifdef f_next #undef f_next /* name conflict between sys/file.h on SCO and struct filter */ #endif -#define SERVICE_NAME OPENLDAP_PACKAGE "-slapd" - /* LDAPMod.mod_op value ===> Must be kept in sync with ldap.h! * * This is a value used internally by the backends. It is needed to allow @@ -55,17 +51,21 @@ LDAP_BEGIN_DECL */ #define SLAP_MOD_SOFTADD 0x1000 -#define ON 1 +#define ON (1) #define OFF (-1) -#define UNDEFINED 0 +#define UNDEFINED (0) -#define MAXREMATCHES 10 +#define MAXREMATCHES (10) -/* psuedo error code indicating disconnect */ -#define SLAPD_DISCONNECT -1 +#define SLAP_MAX_WORKER_THREADS (32) + +#define SLAP_TEXT_BUFLEN (256) /* psuedo error code indicating abandoned operation */ -#define SLAPD_ABANDON -2 +#define SLAPD_ABANDON (-1) + +/* psuedo error code indicating disconnect */ +#define SLAPD_DISCONNECT (-2) /* We assume "C" locale, that is US-ASCII */ @@ -75,15 +75,26 @@ LDAP_BEGIN_DECL #define ASCII_ALPHA(c) ( ASCII_LOWER(c) || ASCII_UPPER(c) ) #define ASCII_DIGIT(c) ( (c) >= '0' && (c) <= '9' ) #define ASCII_ALNUM(c) ( ASCII_ALPHA(c) || ASCII_DIGIT(c) ) +#define ASCII_PRINTABLE(c) ( (c) >= ' ' && (c) <= '~' ) + +#define SLAP_NIBBLE(c) ((c)&0x0f) +#define SLAP_ESCAPE_CHAR ('\\') +#define SLAP_ESCAPE_LO(c) ( "0123456789ABCDEF"[SLAP_NIBBLE(c)] ) +#define SLAP_ESCAPE_HI(c) ( SLAP_ESCAPE_LO((c)>>4) ) + +#define FILTER_ESCAPE(c) ( (c) == '*' || (c) == '\\' \ + || (c) == '(' || (c) == ')' || !ASCII_PRINTABLE(c) ) #define DN_SEPARATOR(c) ((c) == ',' || (c) == ';') -#define RDN_SEPARATOR(c) ((c) == ',' || (c) == ';' || (c) == '+') +#define RDN_ATTRTYPEANDVALUE_SEPARATOR(c) ((c) == '+') /* RFC 2253 */ +#define RDN_SEPARATOR(c) (DN_SEPARATOR(c) || RDN_ATTRTYPEANDVALUE_SEPARATOR(c)) #define RDN_NEEDSESCAPE(c) ((c) == '\\' || (c) == '"') #define DESC_LEADCHAR(c) ( ASCII_ALPHA(c) ) #define DESC_CHAR(c) ( ASCII_ALNUM(c) || (c) == '-' ) #define OID_LEADCHAR(c) ( ASCII_DIGIT(c) ) -#define OID_CHAR(c) ( ASCII_DIGIT(c) || (c) == '.' ) +#define OID_SEPARATOR(c) ( (c) == '.' ) +#define OID_CHAR(c) ( OID_LEADCHAR(c) || OID_SEPARATOR(c) ) #define ATTR_LEADCHAR(c) ( DESC_LEADCHAR(c) || OID_LEADCHAR(c) ) #define ATTR_CHAR(c) ( DESC_CHAR((c)) || (c) == '.' ) @@ -91,40 +102,132 @@ LDAP_BEGIN_DECL #define AD_LEADCHAR(c) ( ATTR_CHAR(c) ) #define AD_CHAR(c) ( ATTR_CHAR(c) || (c) == ';' ) -#define SLAPD_ACI_DEFAULT_ATTR "aci" +#define SLAP_NUMERIC(c) ( ASCII_DIGIT(c) || ASCII_SPACE(c) ) + +#define SLAP_PRINTABLE(c) ( ASCII_ALNUM(c) || (c) == '\'' || \ + (c) == '(' || (c) == ')' || (c) == '+' || (c) == ',' || \ + (c) == '-' || (c) == '.' || (c) == '/' || (c) == ':' || \ + (c) == '?' || (c) == ' ' || (c) == '=' ) +#define SLAP_PRINTABLES(c) ( SLAP_PRINTABLE(c) || (c) == '$' ) + +/* must match in schema_init.c */ +#define SLAPD_DN_SYNTAX "1.3.6.1.4.1.1466.115.121.1.12" +#define SLAPD_NAMEUID_SYNTAX "1.3.6.1.4.1.1466.115.121.1.34" +#define SLAPD_GROUP_ATTR "member" +#define SLAPD_GROUP_CLASS "groupOfNames" +#define SLAPD_ROLE_ATTR "roleOccupant" +#define SLAPD_ROLE_CLASS "organizationalRole" + +#define SLAPD_ACI_SYNTAX "1.3.6.1.4.1.4203.666.2.1" +#define SLAPD_ACI_ATTR "OpenLDAPaci" + +#define SLAPD_OCTETSTRING_SYNTAX "1.3.6.1.4.1.1466.115.121.1.40" + +/* change this to "OpenLDAPset" */ +#define SLAPD_ACI_SET_ATTR "template" -/* schema needed by slapd */ -#define SLAPD_OID_DN_SYNTAX "1.3.6.1.4.1.1466.115.121.1.12" -#define SLAPD_OID_ACI_SYNTAX "1.3.6.1.4.1.4203.666.2.1" /* experimental */ +#define SLAPD_TOP_OID "2.5.6.0" -LIBSLAPD_F (int) slap_debug; +LDAP_SLAPD_F (int) slap_debug; + +typedef unsigned long slap_mask_t; + +/* Security Strength Factor */ +typedef unsigned slap_ssf_t; + +typedef struct slap_ssf_set { + slap_ssf_t sss_ssf; + slap_ssf_t sss_transport; + slap_ssf_t sss_tls; + slap_ssf_t sss_sasl; + slap_ssf_t sss_update_ssf; + slap_ssf_t sss_update_transport; + slap_ssf_t sss_update_tls; + slap_ssf_t sss_update_sasl; +} slap_ssf_set_t; /* * Index types */ -#define SLAP_INDEX_PRESENCE 0x0001U -#define SLAP_INDEX_EQUALITY 0x0002U -#define SLAP_INDEX_APPROX 0x0004U -#define SLAP_INDEX_SUB 0x0008U -#define SLAP_INDEX_UNKNOWN 0x0010U -#define SLAP_INDEX_FROMINIT 0x8000U /* psuedo type */ +#define SLAP_INDEX_TYPE 0x00FFUL +#define SLAP_INDEX_UNDEFINED 0x0001UL +#define SLAP_INDEX_PRESENT 0x0002UL +#define SLAP_INDEX_EQUALITY 0x0004UL +#define SLAP_INDEX_APPROX 0x0008UL +#define SLAP_INDEX_SUBSTR 0x0010UL +#define SLAP_INDEX_EXTENDED 0x0020UL + +#define SLAP_INDEX_DEFAULT SLAP_INDEX_EQUALITY + +#define IS_SLAP_INDEX(mask, type) (((mask) & (type)) == (type) ) + +#define SLAP_INDEX_SUBSTR_TYPE 0x0F00UL + +#define SLAP_INDEX_SUBSTR_INITIAL ( SLAP_INDEX_SUBSTR | 0x0100UL ) +#define SLAP_INDEX_SUBSTR_ANY ( SLAP_INDEX_SUBSTR | 0x0200UL ) +#define SLAP_INDEX_SUBSTR_FINAL ( SLAP_INDEX_SUBSTR | 0x0400UL ) +#define SLAP_INDEX_SUBSTR_DEFAULT \ + ( SLAP_INDEX_SUBSTR \ + | SLAP_INDEX_SUBSTR_INITIAL \ + | SLAP_INDEX_SUBSTR_ANY \ + | SLAP_INDEX_SUBSTR_FINAL ) + +#define SLAP_INDEX_SUBSTR_MINLEN 2 +#define SLAP_INDEX_SUBSTR_MAXLEN 4 +#define SLAP_INDEX_SUBSTR_STEP 2 + +#define SLAP_INDEX_FLAGS 0xF000UL +#define SLAP_INDEX_SUBTYPES 0x1000UL /* use index with subtypes */ +#define SLAP_INDEX_AUTO_SUBTYPES 0x2000UL /* use mask with subtypes */ +#define SLAP_INDEX_LANG 0x4000UL /* use index with lang subtypes */ +#define SLAP_INDEX_AUTO_LANG 0x8000UL /* use mask with lang subtypes */ +/* + * there is a single index for each attribute. these prefixes ensure + * that there is no collision among keys. + */ +#define SLAP_INDEX_EQUALITY_PREFIX '=' /* prefix for equality keys */ +#define SLAP_INDEX_APPROX_PREFIX '~' /* prefix for approx keys */ +#define SLAP_INDEX_SUBSTR_PREFIX '*' /* prefix for substring keys */ +#define SLAP_INDEX_SUBSTR_INITIAL_PREFIX '^' +#define SLAP_INDEX_SUBSTR_FINAL_PREFIX '$' +#define SLAP_INDEX_CONT_PREFIX '.' /* prefix for continuation keys */ +#define SLAP_INDEX_UNKNOWN_PREFIX '?' /* prefix for unknown keys */ + +#define SLAP_SYNTAX_MATCHINGRULES_OID "1.3.6.1.4.1.1466.115.121.1.30" +#define SLAP_SYNTAX_ATTRIBUTETYPES_OID "1.3.6.1.4.1.1466.115.121.1.3" +#define SLAP_SYNTAX_OBJECTCLASSES_OID "1.3.6.1.4.1.1466.115.121.1.37" /* * represents schema information for a database */ #define SLAP_SCHERR_OUTOFMEM 1 #define SLAP_SCHERR_CLASS_NOT_FOUND 2 -#define SLAP_SCHERR_ATTR_NOT_FOUND 3 -#define SLAP_SCHERR_DUP_CLASS 4 -#define SLAP_SCHERR_DUP_ATTR 5 -#define SLAP_SCHERR_DUP_SYNTAX 6 -#define SLAP_SCHERR_DUP_RULE 7 -#define SLAP_SCHERR_NO_NAME 8 -#define SLAP_SCHERR_ATTR_INCOMPLETE 9 -#define SLAP_SCHERR_MR_NOT_FOUND 10 -#define SLAP_SCHERR_SYN_NOT_FOUND 11 -#define SLAP_SCHERR_MR_INCOMPLETE 12 +#define SLAP_SCHERR_CLASS_BAD_USAGE 3 +#define SLAP_SCHERR_ATTR_NOT_FOUND 4 +#define SLAP_SCHERR_ATTR_BAD_USAGE 5 +#define SLAP_SCHERR_DUP_CLASS 6 +#define SLAP_SCHERR_DUP_ATTR 7 +#define SLAP_SCHERR_DUP_SYNTAX 8 +#define SLAP_SCHERR_DUP_RULE 9 +#define SLAP_SCHERR_NO_NAME 10 +#define SLAP_SCHERR_ATTR_INCOMPLETE 11 +#define SLAP_SCHERR_MR_NOT_FOUND 12 +#define SLAP_SCHERR_SYN_NOT_FOUND 13 +#define SLAP_SCHERR_MR_INCOMPLETE 14 +#define SLAP_SCHERR_NOT_SUPPORTED 15 +#define SLAP_SCHERR_BAD_DESCR 16 + +typedef union slap_sockaddr { + struct sockaddr sa_addr; + struct sockaddr_in sa_in_addr; +#ifdef LDAP_PF_INET6 + struct sockaddr_in6 sa_in6_addr; +#endif +#ifdef LDAP_PF_LOCAL + struct sockaddr_un sa_un_addr; +#endif +} Sockaddr; typedef struct slap_oid_macro { struct berval som_oid; @@ -146,31 +249,46 @@ typedef int slap_syntax_transform_func LDAP_P(( struct berval ** out)); typedef struct slap_syntax { - LDAP_SYNTAX ssyn_syn; + LDAPSyntax ssyn_syn; +#define ssyn_oid ssyn_syn.syn_oid +#define ssyn_desc ssyn_syn.syn_desc +#define ssyn_extensions ssyn_syn.syn_extensions + unsigned ssyn_flags; -#define SLAP_SYNTAX_NONE 0x0U -#define SLAP_SYNTAX_BINARY 0x1U +#define SLAP_SYNTAX_NONE 0x00U +#define SLAP_SYNTAX_BLOB 0x01U /* syntax treated as blob (audio) */ +#define SLAP_SYNTAX_BINARY 0x02U /* binary transfer required (certificate) */ +#define SLAP_SYNTAX_BER 0x04U /* stored using BER encoding (binary,certificate) */ +#define SLAP_SYNTAX_HIDE 0x80U /* hide (do not publish) */ slap_syntax_validate_func *ssyn_validate; + slap_syntax_transform_func *ssyn_normalize; + slap_syntax_transform_func *ssyn_pretty; +#ifdef SLAPD_BINARY_CONVERSION /* convert to and from binary */ slap_syntax_transform_func *ssyn_ber2str; slap_syntax_transform_func *ssyn_str2ber; +#endif struct slap_syntax *ssyn_next; -#define ssyn_oid ssyn_syn.syn_oid -#define ssyn_desc ssyn_syn.syn_desc } Syntax; -/* XXX -> UCS-2 Converter */ +#define slap_syntax_is_flag(s,flag) ((int)((s)->ssyn_flags & (flag)) ? 1 : 0) +#define slap_syntax_is_blob(s) slap_syntax_is_flag((s),SLAP_SYNTAX_BLOB) +#define slap_syntax_is_binary(s) slap_syntax_is_flag((s),SLAP_SYNTAX_BINARY) +#define slap_syntax_is_ber(s) slap_syntax_is_flag((s),SLAP_SYNTAX_BER) +#define slap_syntax_is_hidden(s) slap_syntax_is_flag((s),SLAP_SYNTAX_HIDE) + +/* X -> Y Converter */ typedef int slap_mr_convert_func LDAP_P(( struct berval * in, struct berval ** out )); /* Normalizer */ typedef int slap_mr_normalize_func LDAP_P(( - unsigned use, + slap_mask_t use, struct slap_syntax *syntax, /* NULL if in is asserted value */ struct slap_matching_rule *mr, struct berval * in, @@ -178,7 +296,8 @@ typedef int slap_mr_normalize_func LDAP_P(( /* Match (compare) function */ typedef int slap_mr_match_func LDAP_P(( - unsigned use, + int *match, + slap_mask_t use, struct slap_syntax *syntax, /* syntax of stored value */ struct slap_matching_rule *mr, struct berval * value, @@ -186,61 +305,82 @@ typedef int slap_mr_match_func LDAP_P(( /* Index generation function */ typedef int slap_mr_indexer_func LDAP_P(( - unsigned use, + slap_mask_t use, + slap_mask_t mask, struct slap_syntax *syntax, /* syntax of stored value */ struct slap_matching_rule *mr, + struct berval *prefix, struct berval **values, - struct berval **keys )); - -struct slap_filter; /* forward declaration */ + struct berval ***keys )); /* Filter index function */ typedef int slap_mr_filter_func LDAP_P(( - unsigned use, + slap_mask_t use, + slap_mask_t mask, struct slap_syntax *syntax, /* syntax of stored value */ struct slap_matching_rule *mr, - struct slap_filter *filter, - struct berval **keys )); + struct berval *prefix, + void * assertValue, + struct berval ***keys )); typedef struct slap_matching_rule { - LDAP_MATCHING_RULE smr_mrule; - unsigned smr_usage; -#define SLAP_MR_NONE 0x00U -#define SLAP_MR_EQUALITY 0x01U -#define SLAP_MR_APPROX 0x02U -#define SLAP_MR_ORDERING 0x04U -#define SLAP_MR_SUBSTR 0x08U -#define SLAP_MR_EXT 0x10U + LDAPMatchingRule smr_mrule; + slap_mask_t smr_usage; + +#define SLAP_MR_TYPE_MASK 0xFF00U +#define SLAP_MR_SUBTYPE_MASK 0x00F0U +#define SLAP_MR_USAGE 0x000FU + +#define SLAP_MR_NONE 0x0000U +#define SLAP_MR_EQUALITY 0x0100U +#define SLAP_MR_ORDERING 0x0200U +#define SLAP_MR_SUBSTR 0x0400U +#define SLAP_MR_EXT 0x0800U + +#define SLAP_MR_EQUALITY_APPROX ( SLAP_MR_EQUALITY | 0x0010U ) + +#define SLAP_MR_SUBSTR_INITIAL ( SLAP_MR_SUBSTR | 0x0010U ) +#define SLAP_MR_SUBSTR_ANY ( SLAP_MR_SUBSTR | 0x0020U ) +#define SLAP_MR_SUBSTR_FINAL ( SLAP_MR_SUBSTR | 0x0040U ) + +/* this is used to kludge objectClass testing */ +#define SLAP_MR_MODIFY_MATCHING 0x0001U +/* are we matching from a mr asserted value or a real value */ +#define SLAP_MR_VALUE_IS_IN_MR_SYNTAX 0x0002U + Syntax *smr_syntax; slap_mr_convert_func *smr_convert; slap_mr_normalize_func *smr_normalize; slap_mr_match_func *smr_match; slap_mr_indexer_func *smr_indexer; slap_mr_filter_func *smr_filter; + + struct slap_matching_rule *smr_associated; struct slap_matching_rule *smr_next; + #define smr_oid smr_mrule.mr_oid #define smr_names smr_mrule.mr_names #define smr_desc smr_mrule.mr_desc #define smr_obsolete smr_mrule.mr_obsolete #define smr_syntax_oid smr_mrule.mr_syntax_oid +#define smr_extensions smr_mrule.mr_extensions } MatchingRule; +struct slap_attr_desc; + typedef struct slap_attribute_type { -#ifdef SLAPD_SCHEMA_NOT_COMPAT - char *sat_cname; -#endif - LDAP_ATTRIBUTE_TYPE sat_atype; + LDAPAttributeType sat_atype; + struct berval sat_cname; struct slap_attribute_type *sat_sup; struct slap_attribute_type **sat_subtypes; MatchingRule *sat_equality; + MatchingRule *sat_approx; MatchingRule *sat_ordering; MatchingRule *sat_substr; Syntax *sat_syntax; -#ifndef SLAPD_SCHEMA_NOT_COMPAT - /* The next one is created to help in the transition */ - int sat_syntax_compat; -#endif + struct slap_attr_desc *sat_ad; struct slap_attribute_type *sat_next; + ldap_pvt_thread_mutex_t sat_ad_mutex; #define sat_oid sat_atype.at_oid #define sat_names sat_atype.at_names #define sat_desc sat_atype.at_desc @@ -254,15 +394,17 @@ typedef struct slap_attribute_type { #define sat_collective sat_atype.at_collective #define sat_no_user_mod sat_atype.at_no_user_mod #define sat_usage sat_atype.at_usage +#define sat_extensions sat_atype.at_extensions } AttributeType; #define is_at_operational(at) ((at)->sat_usage) #define is_at_single_value(at) ((at)->sat_single_value) #define is_at_collective(at) ((at)->sat_collective) +#define is_at_obsolete(at) ((at)->sat_obsolete) #define is_at_no_user_mod(at) ((at)->sat_no_user_mod) typedef struct slap_object_class { - LDAP_OBJECT_CLASS soc_oclass; + LDAPObjectClass soc_oclass; struct slap_object_class **soc_sups; AttributeType **soc_required; AttributeType **soc_allowed; @@ -275,22 +417,95 @@ typedef struct slap_object_class { #define soc_kind soc_oclass.oc_kind #define soc_at_oids_must soc_oclass.oc_at_oids_must #define soc_at_oids_may soc_oclass.oc_at_oids_may +#define soc_extensions soc_oclass.oc_extensions } ObjectClass; -#ifdef SLAPD_SCHEMA_NOT_COMPAT /* * represents a recognized attribute description ( type + options ) */ typedef struct slap_attr_desc { - struct berval *ad_cname; /* canonical name */ - AttributeType *ad_type; /* NULL if unknown */ - char *ad_lang; /* NULL if no language tags */ + struct slap_attr_desc *ad_next; + AttributeType *ad_type; /* attribute type, must be specified */ + struct berval ad_cname; /* canonical name, must be specified */ + struct berval ad_lang; /* empty if no language tags */ unsigned ad_flags; #define SLAP_DESC_NONE 0x0U #define SLAP_DESC_BINARY 0x1U } AttributeDescription; +#define slap_ad_is_lang(ad) ( (ad)->ad_lang.bv_len != 0 ) +#define slap_ad_is_binary(ad) ( (int)((ad)->ad_flags & SLAP_DESC_BINARY) ? 1 : 0 ) + +/* + * pointers to schema elements used internally + */ +struct slap_internal_schema { + /* objectClass */ + ObjectClass *si_oc_top; + ObjectClass *si_oc_extensibleObject; + ObjectClass *si_oc_alias; + ObjectClass *si_oc_referral; + ObjectClass *si_oc_subentry; + ObjectClass *si_oc_subschema; + ObjectClass *si_oc_rootdse; + + /* objectClass attribute descriptions */ + AttributeDescription *si_ad_objectClass; + + /* operational attribute descriptions */ + AttributeDescription *si_ad_structuralObjectClass; + AttributeDescription *si_ad_creatorsName; + AttributeDescription *si_ad_createTimestamp; + AttributeDescription *si_ad_modifiersName; + AttributeDescription *si_ad_modifyTimestamp; + AttributeDescription *si_ad_subschemaSubentry; + + /* root DSE attribute descriptions */ + AttributeDescription *si_ad_namingContexts; + AttributeDescription *si_ad_supportedControl; + AttributeDescription *si_ad_supportedExtension; + AttributeDescription *si_ad_supportedLDAPVersion; + AttributeDescription *si_ad_supportedSASLMechanisms; + AttributeDescription *si_ad_supportedFeatures; + + /* subschema subentry attribute descriptions */ + AttributeDescription *si_ad_objectClasses; + AttributeDescription *si_ad_attributeTypes; + AttributeDescription *si_ad_ldapSyntaxes; + AttributeDescription *si_ad_matchingRules; + AttributeDescription *si_ad_matchingRulesUse; + + /* Aliases & Referrals */ + AttributeDescription *si_ad_aliasedObjectName; + AttributeDescription *si_ad_ref; + + /* Access Control Internals */ + AttributeDescription *si_ad_entry; + AttributeDescription *si_ad_children; +#ifdef SLAPD_ACI_ENABLED + AttributeDescription *si_ad_aci; +#endif + + /* Other attributes descriptions */ + AttributeDescription *si_ad_userPassword; + AttributeDescription *si_ad_authPassword; +#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND + AttributeDescription *si_ad_krbName; +#endif + + /* Undefined Attribute Type */ + AttributeType *si_at_undefined; + + /* Matching Rules */ + MatchingRule *si_mr_distinguishedNameMatch; + MatchingRule *si_mr_integerMatch; + + /* Syntaxes */ + Syntax *si_syn_distinguishedName; + Syntax *si_syn_integer; +}; + typedef struct slap_attr_assertion { AttributeDescription *aa_desc; struct berval *aa_value; @@ -301,50 +516,31 @@ typedef struct slap_ss_assertion { struct berval *sa_initial; struct berval **sa_any; struct berval *sa_final; -} SubstringAssertion; +} SubstringsAssertion; typedef struct slap_mr_assertion { - char *ma_rule; /* optional */ + MatchingRule *ma_rule; /* optional */ + char *ma_rule_text; /* optional */ AttributeDescription *ma_desc; /* optional */ int ma_dnattrs; /* boolean */ struct berval *ma_value; /* required */ } MatchingRuleAssertion; -#else - -/* - * represents an attribute value assertion (i.e., attr;option=value) - */ -typedef struct slap_ava { - char *ava_type; /* attribute description */ - struct berval ava_value; -} Ava; - -/* - * represents an matching rule assertion - */ -typedef struct slap_mra { - char *mra_rule; /* optional */ - char *mra_type; /* attribute description -- optional */ - int mra_dnattrs; - struct berval *mra_value; -} Mra; - -#endif /* * represents a search filter */ - typedef struct slap_filter { ber_tag_t f_choice; /* values taken from ldap.h, plus: */ -#define SLAPD_FILTER_COMPUTED ((ber_tag_t) 0x01U) +#define SLAPD_FILTER_COMPUTED ((ber_tag_t) -1) +#define SLAPD_FILTER_DN_ONE ((ber_tag_t) -2) +#define SLAPD_FILTER_DN_SUBTREE ((ber_tag_t) -3) + union f_un_u { /* precomputed result */ ber_int_t f_un_result; -#ifdef SLAPD_SCHEMA_NOT_COMPAT /* DN */ char *f_un_dn; @@ -355,7 +551,7 @@ typedef struct slap_filter { AttributeAssertion *f_un_ava; /* substring assertion */ - SubstringAssertion *f_un_ssa; + SubstringsAssertion *f_un_ssa; /* matching rule assertion */ MatchingRuleAssertion *f_un_mra; @@ -372,43 +568,10 @@ typedef struct slap_filter { #define f_sub_final f_un.f_un_ssa->sa_final #define f_mra f_un.f_un_mra #define f_mr_rule f_un.f_un_mra->ma_rule +#define f_mr_rule_text f_un.f_un_mra->ma_rule_text #define f_mr_desc f_un.f_un_mra->ma_desc #define f_mr_value f_un.f_un_mra->ma_value -#define f_mr_dnaddrs f_un.f_un_mra->ma_dnattrs -#else - /* present */ - char *f_un_type; - - /* equality, lessorequal, greaterorequal, approx */ - Ava f_un_ava; - - /* extensible */ - Mra f_un_fra; - - /* substrings */ - struct sub { - char *f_un_sub_type; - - struct berval *f_un_sub_initial; - struct berval **f_un_sub_any; - struct berval *f_un_sub_final; - } f_un_sub; - -#define f_dn f_un.f_un_type /* used for DN indices */ -#define f_type f_un.f_un_type -#define f_ava f_un.f_un_ava -#define f_avtype f_un.f_un_ava.ava_type -#define f_avvalue f_un.f_un_ava.ava_value -#define f_mra f_un.f_un_mra -#define f_mrtype f_un.f_un_mra.mra_type -#define f_mrvalue f_un.f_un_mra.mra_value -#define f_mrdnaddrs f_un.f_un_mra.mra_dnattrs -#define f_sub f_un.f_un_sub -#define f_sub_type f_un.f_un_sub.f_un_sub_type -#define f_sub_initial f_un.f_un_sub.f_un_sub_initial -#define f_sub_any f_un.f_un_sub.f_un_sub_any -#define f_sub_final f_un.f_un_sub.f_un_sub_final -#endif +#define f_mr_dnattrs f_un.f_un_mra->ma_dnattrs /* and, or, not */ struct slap_filter *f_un_complex; @@ -424,33 +587,17 @@ typedef struct slap_filter { } Filter; /* compare routines can return undefined */ -#define SLAPD_COMPARE_UNDEFINED ((ber_tag_t) -1) +#define SLAPD_COMPARE_UNDEFINED ((ber_int_t) -1) /* * represents an attribute (description + values) */ typedef struct slap_attr { -#ifdef SLAPD_SCHEMA_NOT_COMPAT AttributeDescription *a_desc; -#else - char *a_type; /* description */ - int a_syntax; -#endif struct berval **a_vals; struct slap_attr *a_next; } Attribute; -#ifndef SLAPD_SCHEMA_NOT_COMPAT -/* - * the attr_syntax() routine returns one of these values - * telling what kind of syntax an attribute supports. - */ -#define SYNTAX_CIS 0x01 /* case insensitive string */ -#define SYNTAX_CES 0x02 /* case sensitive string */ -#define SYNTAX_BIN 0x04 /* binary data */ -#define SYNTAX_TEL 0x08 /* telephone number string */ -#define SYNTAX_DN 0x10 /* dn string */ -#endif /* * the id used in the indexes to refer to an entry @@ -480,31 +627,20 @@ typedef struct slap_entry { /* * A list of LDAPMods */ -#ifdef SLAPD_SCHEMA_NOT_COMPAT typedef struct slap_mod { int sm_op; AttributeDescription *sm_desc; struct berval **sm_bvalues; } Modification; -#else -#define Modification LDAPMod -#define sm_op mod_op -#define sm_desc mod_type -#define sm_bvalues mod_bvalues -#endif typedef struct slap_mod_list { Modification sml_mod; #define sml_op sml_mod.sm_op #define sml_desc sml_mod.sm_desc #define sml_bvalues sml_mod.sm_bvalues -#ifndef SLAPD_SCHEMA_NOT_COMPAT -#define sml_type sml_mod.sm_desc -#endif struct slap_mod_list *sml_next; } Modifications; -#ifdef SLAPD_SCHEMA_NOT_COMPAT typedef struct slap_ldap_modlist { LDAPMod ml_mod; struct slap_ldap_modlist *ml_next; @@ -513,20 +649,10 @@ typedef struct slap_ldap_modlist { #define ml_values ml_mod.mod_values #define ml_bvalues ml_mod.mod_bvalues } LDAPModList; -#else -#define LDAPModList Modifications -#define ml_mod sml_mod -#define ml_op sml_mod.mod_op -#define ml_type sml_mod.mod_type -#define ml_values sml_mod.mod_values -#define ml_bvalues sml_mod.mod_bvalues -#define ml_next sml_next -#endif /* * represents an access control list */ - typedef enum slap_access_e { ACL_INVALID_ACCESS = -1, ACL_NONE = 0, @@ -544,7 +670,30 @@ typedef enum slap_control_e { ACL_BREAK } slap_control_t; -typedef unsigned long slap_access_mask_t; +typedef enum slap_style_e { + ACL_STYLE_REGEX = 0, + ACL_STYLE_BASE, + ACL_STYLE_ONE, + ACL_STYLE_SUBTREE, + ACL_STYLE_CHILDREN, + ACL_STYLE_ATTROF, + + /* alternate names */ + ACL_STYLE_EXACT = ACL_STYLE_BASE +} slap_style_t; + +typedef struct slap_authz_info { + ber_tag_t sai_method; /* LDAP_AUTH_* from */ + char * sai_mech; /* SASL Mechanism */ + char * sai_dn; /* DN for reporting purposes */ + char * sai_ndn; /* Normalized DN */ + + /* Security Strength Factors */ + slap_ssf_t sai_ssf; /* Overall SSF */ + slap_ssf_t sai_transport_ssf; /* Transport SSF */ + slap_ssf_t sai_tls_ssf; /* TLS SSF */ + slap_ssf_t sai_sasl_ssf; /* SASL SSF */ +} AuthorizationInformation; /* the "by" part */ typedef struct slap_access { @@ -607,38 +756,36 @@ typedef struct slap_access { #define ACL_LVL_ASSIGN_READ(m) ACL_PRIV_ASSIGN((m),ACL_LVL_READ) #define ACL_LVL_ASSIGN_WRITE(m) ACL_PRIV_ASSIGN((m),ACL_LVL_WRITE) - slap_access_mask_t a_mask; + slap_mask_t a_access_mask; + + AuthorizationInformation a_authz; +#define a_dn_pat a_authz.sai_dn - char *a_dn_pat; -#ifdef SLAPD_SCHEMA_NOT_COMPAT + slap_style_t a_dn_style; AttributeDescription *a_dn_at; -#else - char *a_dn_at; -#endif int a_dn_self; + slap_style_t a_peername_style; char *a_peername_pat; + slap_style_t a_sockname_style; char *a_sockname_pat; + slap_style_t a_domain_style; char *a_domain_pat; + slap_style_t a_sockurl_style; char *a_sockurl_pat; + slap_style_t a_set_style; + char *a_set_pat; #ifdef SLAPD_ACI_ENABLED -#ifdef SLAPD_SCHEMA_NOT_COMPAT AttributeDescription *a_aci_at; -#else - char *a_aci_at; -#endif #endif /* ACL Groups */ + slap_style_t a_group_style; char *a_group_pat; - char *a_group_oc; -#ifdef SLAPD_SCHEMA_NOT_COMPAT + ObjectClass *a_group_oc; AttributeDescription *a_group_at; -#else - char *a_group_at; -#endif struct slap_access *a_next; } Access; @@ -647,6 +794,7 @@ typedef struct slap_access { typedef struct slap_acl { /* "to" part: the entries this acl applies to */ Filter *acl_filter; + slap_style_t acl_dn_style; regex_t acl_dn_re; char *acl_dn_pat; char **acl_attrs; @@ -674,22 +822,44 @@ struct replog_moddn { typedef struct slap_backend_info BackendInfo; /* per backend type */ typedef struct slap_backend_db BackendDB; /* per backend database */ -LIBSLAPD_F (int) nBackendInfo; -LIBSLAPD_F (int) nBackendDB; -LIBSLAPD_F (BackendInfo *) backendInfo; -LIBSLAPD_F (BackendDB *) backendDB; +LDAP_SLAPD_F (int) nBackendInfo; +LDAP_SLAPD_F (int) nBackendDB; +LDAP_SLAPD_F (BackendInfo *) backendInfo; +LDAP_SLAPD_F (BackendDB *) backendDB; -LIBSLAPD_F (int) slapMode; +LDAP_SLAPD_F (int) slapMode; #define SLAP_UNDEFINED_MODE 0x0000 #define SLAP_SERVER_MODE 0x0001 #define SLAP_TOOL_MODE 0x0002 #define SLAP_MODE 0x0003 #define SLAP_TRUNCATE_MODE 0x0100 -#ifdef SLAPD_BDB2 -#define SLAP_TIMED_MODE 0x1000 -#endif -#define SLAP_TOOLID_MODE 4 + +struct slap_replica_info { + char *ri_host; /* supersedes be_replica */ + char **ri_nsuffix; /* array of suffixes this replica accepts */ +}; + +struct slap_limits_set { + /* time limits */ + int lms_t_soft; + int lms_t_hard; + + /* size limits */ + int lms_s_soft; + int lms_s_hard; + int lms_s_unchecked; +}; + +struct slap_limits { + int lm_type; /* type of pattern */ +#define SLAP_LIMITS_UNDEFINED 0x0000 +#define SLAP_LIMITS_EXACT 0x0001 +#define SLAP_LIMITS_REGEX 0x0002 + regex_t lm_dn_regex; /* regex-based size and time limits */ + char *lm_dn_pat; /* ndn for EXACT; pattern for REGEX */ + struct slap_limits_set lm_limits; +}; /* temporary aliases */ typedef BackendDB Backend; @@ -715,7 +885,9 @@ struct slap_backend_db { #define be_extended bd_info->bi_extended #define be_release bd_info->bi_entry_release_rw +#define be_chk_referrals bd_info->bi_chk_referrals #define be_group bd_info->bi_acl_group +#define be_attribute bd_info->bi_acl_attribute #define be_controls bd_info->bi_controls @@ -727,18 +899,54 @@ struct slap_backend_db { #define be_entry_close bd_info->bi_tool_entry_close #define be_entry_first bd_info->bi_tool_entry_first #define be_entry_next bd_info->bi_tool_entry_next +#define be_entry_reindex bd_info->bi_tool_entry_reindex #define be_entry_get bd_info->bi_tool_entry_get #define be_entry_put bd_info->bi_tool_entry_put -#define be_index_attr bd_info->bi_tool_index_attr -#define be_index_change bd_info->bi_tool_index_change #define be_sync bd_info->bi_tool_sync #endif -#ifdef HAVE_CYRUS_SASL -#define be_sasl_authorize bd_info->bi_sasl_authorize -#define be_sasl_getsecret bd_info->bi_sasl_getsecret -#define be_sasl_putsecret bd_info->bi_sasl_putsecret -#endif + slap_mask_t be_restrictops; /* restriction operations */ +#define SLAP_RESTRICT_OP_ADD 0x0001U +#define SLAP_RESTRICT_OP_BIND 0x0002U +#define SLAP_RESTRICT_OP_COMPARE 0x0004U +#define SLAP_RESTRICT_OP_DELETE 0x0008U +#define SLAP_RESTRICT_OP_EXTENDED 0x0010U +#define SLAP_RESTRICT_OP_MODIFY 0x0020U +#define SLAP_RESTRICT_OP_RENAME 0x0040U +#define SLAP_RESTRICT_OP_SEARCH 0x0080U + +#define SLAP_RESTRICT_OP_READS \ + ( SLAP_RESTRICT_OP_COMPARE \ + | SLAP_RESTRICT_OP_SEARCH ) +#define SLAP_RESTRICT_OP_WRITES \ + ( SLAP_RESTRICT_OP_ADD \ + | SLAP_RESTRICT_OP_DELETE \ + | SLAP_RESTRICT_OP_MODIFY \ + | SLAP_RESTRICT_OP_RENAME ) + +#define SLAP_ALLOW_TLS_2_ANON 0x0001U /* StartTLS -> Anonymous */ + +#define SLAP_DISALLOW_BIND_V2 0x0001U /* LDAPv2 bind */ +#define SLAP_DISALLOW_BIND_ANON 0x0002U /* no anonymous */ +#define SLAP_DISALLOW_BIND_ANON_CRED \ + 0x0004U /* cred should be empty */ +#define SLAP_DISALLOW_BIND_ANON_DN \ + 0x0008U /* dn should be empty */ + +#define SLAP_DISALLOW_BIND_SIMPLE 0x0010U /* simple authentication */ +#define SLAP_DISALLOW_BIND_KRBV4 0x0020U /* Kerberos V4 authentication */ + +#define SLAP_DISALLOW_TLS_AUTHC 0x0100U /* TLS while authenticated */ + + slap_mask_t be_requires; /* pre-operation requirements */ +#define SLAP_REQUIRE_BIND 0x0001U /* bind before op */ +#define SLAP_REQUIRE_LDAP_V3 0x0002U /* LDAPv3 before op */ +#define SLAP_REQUIRE_AUTHC 0x0004U /* authentication before op */ +#define SLAP_REQUIRE_SASL 0x0008U /* SASL before op */ +#define SLAP_REQUIRE_STRONG 0x0010U /* strong authentication before op */ + + /* Required Security Strength Factor */ + slap_ssf_set_t be_ssf_set; /* these should be renamed from be_ to bd_ */ char **be_suffix; /* the DN suffixes of data in this backend */ @@ -747,13 +955,14 @@ struct slap_backend_db { char *be_root_dn; /* the magic "root" dn for this db */ char *be_root_ndn; /* the magic "root" normalized dn for this db */ struct berval be_root_pw; /* the magic "root" password for this db */ - int be_readonly; /* 1 => db is in "read only" mode */ unsigned int be_max_deref_depth; /* limit for depth of an alias deref */ - int be_sizelimit; /* size limit for this backend */ - int be_timelimit; /* time limit for this backend */ +#define be_sizelimit be_def_limit.lms_s_soft +#define be_timelimit be_def_limit.lms_t_soft + struct slap_limits_set be_def_limit; /* default limits */ + struct slap_limits **be_limits; /* regex-based size and time limits */ AccessControl *be_acl; /* access control list for this backend */ slap_access_t be_dfltaccess; /* access given if no acl matches */ - char **be_replica; /* replicas of this backend (in master) */ + struct slap_replica_info **be_replica; /* replicas of this backend (in master) */ char *be_replogfile; /* replication log file (in master) */ char *be_update_ndn; /* allowed to make changes (in replicas) */ struct berval **be_update_refs; /* where to refer modifying clients to */ @@ -768,15 +977,15 @@ struct slap_conn; struct slap_op; typedef int (*SLAP_EXTENDED_FN) LDAP_P(( - Backend *be, - struct slap_conn *conn, + BackendDB *be, + struct slap_conn *conn, struct slap_op *op, - char *reqoid, + const char *reqoid, struct berval * reqdata, char **rspoid, struct berval ** rspdata, LDAPControl *** rspctrls, - char ** text, + const char ** text, struct berval *** refs )); struct slap_backend_info { @@ -840,38 +1049,35 @@ struct slap_backend_info { /* LDAP Operations Handling Routines */ int (*bi_op_bind) LDAP_P(( BackendDB *bd, struct slap_conn *c, struct slap_op *o, - char *dn, char *ndn, int method, char* mechanism, + const char *dn, const char *ndn, int method, struct berval *cred, char** edn )); int (*bi_op_unbind) LDAP_P((BackendDB *bd, struct slap_conn *c, struct slap_op *o )); int (*bi_op_search) LDAP_P((BackendDB *bd, struct slap_conn *c, struct slap_op *o, - char *base, char *nbase, int scope, int deref, + const char *base, const char *nbase, + int scope, int deref, int slimit, int tlimit, - Filter *f, char *filterstr, char **attrs, - int attrsonly)); -#ifdef SLAPD_SCHEMA_NOT_COMPAT + Filter *f, const char *filterstr, + char **attrs, int attrsonly)); int (*bi_op_compare)LDAP_P((BackendDB *bd, struct slap_conn *c, struct slap_op *o, - char *dn, char *ndn, AttributeAssertion *ava)); -#else - int (*bi_op_compare)LDAP_P((BackendDB *bd, - struct slap_conn *c, struct slap_op *o, - char *dn, char *ndn, Ava *ava)); -#endif + const char *dn, const char *ndn, + AttributeAssertion *ava)); int (*bi_op_modify) LDAP_P((BackendDB *bd, struct slap_conn *c, struct slap_op *o, - char *dn, char *ndn, Modifications *m)); + const char *dn, const char *ndn, Modifications *m)); int (*bi_op_modrdn) LDAP_P((BackendDB *bd, struct slap_conn *c, struct slap_op *o, - char *dn, char *ndn, char *newrdn, int deleteoldrdn, - char *newSuperior)); + const char *dn, const char *ndn, + const char *newrdn, int deleteoldrdn, + const char *newSuperior)); int (*bi_op_add) LDAP_P((BackendDB *bd, struct slap_conn *c, struct slap_op *o, Entry *e)); int (*bi_op_delete) LDAP_P((BackendDB *bd, struct slap_conn *c, struct slap_op *o, - char *dn, char *ndn)); + const char *dn, const char *ndn)); int (*bi_op_abandon) LDAP_P((BackendDB *bd, struct slap_conn *c, struct slap_op *o, ber_int_t msgid)); @@ -880,19 +1086,25 @@ struct slap_backend_info { SLAP_EXTENDED_FN bi_extended; /* Auxilary Functions */ - int (*bi_entry_release_rw) LDAP_P((BackendDB *bd, Entry *e, int rw)); + int (*bi_entry_release_rw) LDAP_P((BackendDB *bd, + struct slap_conn *c, struct slap_op *o, + Entry *e, int rw)); + + int (*bi_chk_referrals) LDAP_P((BackendDB *bd, + struct slap_conn *c, struct slap_op *o, + const char *dn, const char *ndn, + const char **text )); -#ifdef SLAPD_SCHEMA_NOT_COMPAT int (*bi_acl_group) LDAP_P((Backend *bd, + struct slap_conn *c, struct slap_op *o, Entry *e, const char *bdn, const char *edn, - const char *objectclassValue, + ObjectClass *group_oc, AttributeDescription *group_at )); -#else - int (*bi_acl_group) LDAP_P((Backend *bd, - Entry *e, const char *bdn, const char *edn, - const char *objectclassValue, - const char *group_at )); -#endif + int (*bi_acl_attribute) LDAP_P((Backend *bd, + struct slap_conn *c, struct slap_op *o, + Entry *e, const char *edn, + AttributeDescription *entry_at, + struct berval ***vals )); int (*bi_connection_init) LDAP_P((BackendDB *bd, struct slap_conn *c)); @@ -906,32 +1118,9 @@ struct slap_backend_info { ID (*bi_tool_entry_next) LDAP_P(( BackendDB *be )); Entry* (*bi_tool_entry_get) LDAP_P(( BackendDB *be, ID id )); ID (*bi_tool_entry_put) LDAP_P(( BackendDB *be, Entry *e )); -#ifdef SLAPD_SCHEMA_NOT_COMPAT - int (*bi_tool_index_attr) LDAP_P(( BackendDB *be, - AttributeDescription *desc )); - int (*bi_tool_index_change) LDAP_P(( BackendDB *be, - AttributeDescription *desc, - struct berval **bv, ID id, int op )); -#else - int (*bi_tool_index_attr) LDAP_P(( BackendDB *be, - char* type )); - int (*bi_tool_index_change) LDAP_P(( BackendDB *be, - char* type, struct berval **bv, ID id, int op )); -#endif + int (*bi_tool_entry_reindex) LDAP_P(( BackendDB *be, ID id )); int (*bi_tool_sync) LDAP_P(( BackendDB *be )); -#ifdef HAVE_CYRUS_SASL - int (*bi_sasl_authorize) LDAP_P(( BackendDB *be, - const char *authnid, const char *authzid, - const char **canon_authzid, const char **errstr )); - int (*bi_sasl_getsecret) LDAP_P(( BackendDB *be, - const char *mechanism, const char *authzid, - const char *realm, sasl_secret_t **secret )); - int (*bi_sasl_putsecret) LDAP_P(( BackendDB *be, - const char *mechanism, const char *auth_identity, - const char *realm, const sasl_secret_t *secret )); -#endif /* HAVE_CYRUS_SASL */ - #define SLAP_INDEX_ADD_OP 0x0001 #define SLAP_INDEX_DELETE_OP 0x0002 @@ -941,50 +1130,48 @@ struct slap_backend_info { void *bi_private; /* anything the backend type needs */ }; +#define c_authtype c_authz.sai_method +#define c_authmech c_authz.sai_mech +#define c_dn c_authz.sai_dn +#define c_ssf c_authz.sai_ssf +#define c_transport_ssf c_authz.sai_transport_ssf +#define c_tls_ssf c_authz.sai_tls_ssf +#define c_sasl_ssf c_authz.sai_sasl_ssf + +#define o_authtype o_authz.sai_method +#define o_authmech o_authz.sai_mech +#define o_dn o_authz.sai_dn +#define o_ndn o_authz.sai_ndn +#define o_ssf o_authz.sai_ssf +#define o_transport_ssf o_authz.sai_transport_ssf +#define o_tls_ssf o_authz.sai_tls_ssf +#define o_sasl_ssf o_authz.sai_sasl_ssf + /* * represents an operation pending from an ldap client */ - typedef struct slap_op { ber_int_t o_opid; /* id of this operation */ ber_int_t o_msgid; /* msgid of the request */ +#ifdef LDAP_CONNECTIONLESS + Sockaddr o_peeraddr; /* UDP peer address */ +#endif - ldap_pvt_thread_t o_tid; /* thread handling this op */ + ldap_pvt_thread_t o_tid; /* thread handling this op */ BerElement *o_ber; /* ber of the request */ ber_tag_t o_tag; /* tag of the request */ time_t o_time; /* time op was initiated */ -#ifdef SLAP_AUTHZID - /* should only be used for reporting purposes */ - char *o_authc_dn; /* authentication DN */ - - /* should be used as the DN of the User */ - char *o_authz_dn; /* authorization DN */ - char *o_authz_ndn; /* authorizaiton NDN */ - -#else - char *o_dn; /* dn bound when op was initiated */ - char *o_ndn; /* normalized dn bound when op was initiated */ -#endif + AuthorizationInformation o_authz; ber_int_t o_protocol; /* version of the LDAP protocol used by client */ - ber_tag_t o_authtype; /* auth method used to bind dn */ - /* values taken from ldap.h */ - /* LDAP_AUTH_* */ - char *o_authmech; /* SASL mechanism used to bind dn */ LDAPControl **o_ctrls; /* controls */ unsigned long o_connid; /* id of conn initiating this op */ -#ifdef LDAP_CONNECTIONLESS - int o_cldap; /* != 0 if this came in via CLDAP */ - struct sockaddr o_clientaddr; /* client address if via CLDAP */ - char o_searchbase; /* search base if via CLDAP */ -#endif - ldap_pvt_thread_mutex_t o_abandonmutex; /* protects o_abandon */ int o_abandon; /* abandon flag */ @@ -993,9 +1180,21 @@ typedef struct slap_op { } Operation; /* - * represents a connection from an ldap client + * Caches the result of a backend_group check for ACL evaluation */ +typedef struct slap_gacl { + struct slap_gacl *next; + Backend *be; + ObjectClass *oc; + AttributeDescription *at; + int res; + int len; + char ndn[1]; +} GroupAssertion; +/* + * represents a connection from an ldap client + */ typedef struct slap_conn { int c_struct_state; /* structure management state */ int c_conn_state; /* connection state */ @@ -1016,9 +1215,7 @@ typedef struct slap_conn { /* only can be changed by binding thread */ int c_sasl_bind_in_progress; /* multi-op bind in progress */ char *c_sasl_bind_mech; /* mech in progress */ -#ifdef HAVE_CYRUS_SASL - sasl_conn_t *c_sasl_bind_context; /* Cyrus SASL state data */ -#endif + char *c_cdn; /* authentication backend */ Backend *c_authc_backend; @@ -1026,23 +1223,10 @@ typedef struct slap_conn { /* authorization backend - normally same as c_authc_backend */ Backend *c_authz_backend; -#ifdef SLAP_AUTHZID - /* authentication backend */ - /* should only be used for reporting purposes */ - char *c_authc_dn; /* authentication DN */ - - /* should be used as the DN of the User */ - char *c_authz_dn; /* authorization DN */ - char *c_authz_ndn; /* authorization NDN */ - -#else - char *c_cdn; /* DN provided by the client */ - char *c_dn; /* DN bound to this conn */ -#endif + AuthorizationInformation c_authz; + GroupAssertion *c_groups; ber_int_t c_protocol; /* version of the LDAP protocol used by client */ - ber_tag_t c_authtype;/* auth method used to bind c_dn */ - char *c_authmech; /* SASL mechanism used to bind c_dn */ Operation *c_ops; /* list of operations being processed */ Operation *c_pending_ops; /* list of pending operations */ @@ -1053,10 +1237,16 @@ typedef struct slap_conn { BerElement *c_currentber; /* ber we're attempting to read */ int c_writewaiter; /* true if writer is waiting */ +#ifdef LDAP_CONNECTIONLESS + int c_is_udp; /* true if this is (C)LDAP over UDP */ +#endif #ifdef HAVE_TLS int c_is_tls; /* true if this LDAP over raw TLS */ int c_needs_tls_accept; /* true if SSL_accept should be called */ #endif + int c_sasl_layers; /* true if we need to install SASL i/o handlers */ + void *c_sasl_context; /* SASL session context */ + void *c_sasl_extra; /* SASL session extra stuff */ long c_n_ops_received; /* num of ops received (next op_id) */ long c_n_ops_executing; /* num of ops currently executing */ @@ -1081,6 +1271,25 @@ typedef struct slap_conn { #define Statslog( level, fmt, connid, opid, arg1, arg2, arg3 ) #endif + +#define SASLREGEX_REPLACE 10 +#define SASL_AUTHZ_SOURCE_ATTR "saslAuthzTo" +#define SASL_AUTHZ_DEST_ATTR "saslAuthzFrom" + +typedef struct sasl_regexp { + char *match; /* regexp match pattern */ + char *replace; /* regexp replace pattern */ + regex_t workspace; /* workspace for regexp engine */ + regmatch_t strings[SASLREGEX_REPLACE]; /* strings matching $1,$2 ... */ + int offset[SASLREGEX_REPLACE+2]; /* offsets of $1,$2... in *replace */ +} SaslRegexp_t; + +/* Flags for telling slap_sasl_getdn() what type of identity is being passed */ +#define FLAG_GETDN_FINAL 1 +#define FLAG_GETDN_AUTHCID 2 +#define FLAG_GETDN_AUTHZID 4 + + LDAP_END_DECL #include "proto-slap.h"