X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fslap.h;h=9ebe047e77c619e80cb42e009966cd3062dd1bb7;hb=0f30fb0d8f0adbbb7b41fd455c57aa56d64c9853;hp=65d96c2d2de554c3e1264217da9f5ba98daecb78;hpb=3112f21612ec2f27af9d1dddd87ed9851fcf7a23;p=openldap diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h index 65d96c2d2d..9ebe047e77 100644 --- a/servers/slapd/slap.h +++ b/servers/slapd/slap.h @@ -19,10 +19,6 @@ #include #include -#ifdef HAVE_CYRUS_SASL -#include -#endif - #include "avl.h" #ifndef ldap_debug @@ -36,12 +32,11 @@ #include #include "ldap_pvt_thread.h" -#include "ldif.h" LDAP_BEGIN_DECL #define SERVICE_NAME OPENLDAP_PACKAGE "-slapd" -#define SLAPD_ANONYMOUS "" +#define SLAPD_ANONYMOUS "cn=anonymous" #ifdef f_next #undef f_next /* name conflict between sys/file.h on SCO and struct filter */ @@ -56,12 +51,15 @@ LDAP_BEGIN_DECL */ #define SLAP_MOD_SOFTADD 0x1000 -#define ON 1 +#define ON (1) #define OFF (-1) -#define UNDEFINED 0 +#define UNDEFINED (0) -#define MAXREMATCHES 10 +#define MAXREMATCHES (10) +#define SLAP_MAX_WORKER_THREADS (32) + +#define SLAP_TEXT_BUFLEN (256) /* psuedo error code indicating abandoned operation */ #define SLAPD_ABANDON (-1) @@ -77,9 +75,19 @@ LDAP_BEGIN_DECL #define ASCII_ALPHA(c) ( ASCII_LOWER(c) || ASCII_UPPER(c) ) #define ASCII_DIGIT(c) ( (c) >= '0' && (c) <= '9' ) #define ASCII_ALNUM(c) ( ASCII_ALPHA(c) || ASCII_DIGIT(c) ) +#define ASCII_PRINTABLE(c) ( (c) >= ' ' && (c) <= '~' ) + +#define SLAP_NIBBLE(c) ((c)&0x0f) +#define SLAP_ESCAPE_CHAR ('\\') +#define SLAP_ESCAPE_LO(c) ( "0123456789ABCDEF"[SLAP_NIBBLE(c)] ) +#define SLAP_ESCAPE_HI(c) ( SLAP_ESCAPE_LO((c)>>4) ) + +#define FILTER_ESCAPE(c) ( (c) == '*' || (c) == '\\' \ + || (c) == '(' || (c) == ')' || !ASCII_PRINTABLE(c) ) #define DN_SEPARATOR(c) ((c) == ',' || (c) == ';') -#define RDN_SEPARATOR(c) ((c) == ',' || (c) == ';' || (c) == '+') +#define RDN_ATTRTYPEANDVALUE_SEPARATOR(c) ((c) == '+') /* RFC 2253 */ +#define RDN_SEPARATOR(c) (DN_SEPARATOR(c) || RDN_ATTRTYPEANDVALUE_SEPARATOR(c)) #define RDN_NEEDSESCAPE(c) ((c) == '\\' || (c) == '"') #define DESC_LEADCHAR(c) ( ASCII_ALPHA(c) ) @@ -94,8 +102,17 @@ LDAP_BEGIN_DECL #define AD_LEADCHAR(c) ( ATTR_CHAR(c) ) #define AD_CHAR(c) ( ATTR_CHAR(c) || (c) == ';' ) +#define SLAP_NUMERIC(c) ( ASCII_DIGIT(c) || ASCII_SPACE(c) ) + +#define SLAP_PRINTABLE(c) ( ASCII_ALNUM(c) || (c) == '\'' || \ + (c) == '(' || (c) == ')' || (c) == '+' || (c) == ',' || \ + (c) == '-' || (c) == '.' || (c) == '/' || (c) == ':' || \ + (c) == '?' || (c) == ' ' || (c) == '=' ) +#define SLAP_PRINTABLES(c) ( SLAP_PRINTABLE(c) || (c) == '$' ) + /* must match in schema_init.c */ #define SLAPD_DN_SYNTAX "1.3.6.1.4.1.1466.115.121.1.12" +#define SLAPD_NAMEUID_SYNTAX "1.3.6.1.4.1.1466.115.121.1.34" #define SLAPD_GROUP_ATTR "member" #define SLAPD_GROUP_CLASS "groupOfNames" #define SLAPD_ROLE_ATTR "roleOccupant" @@ -104,10 +121,31 @@ LDAP_BEGIN_DECL #define SLAPD_ACI_SYNTAX "1.3.6.1.4.1.4203.666.2.1" #define SLAPD_ACI_ATTR "OpenLDAPaci" +#define SLAPD_OCTETSTRING_SYNTAX "1.3.6.1.4.1.1466.115.121.1.40" + +/* change this to "OpenLDAPset" */ +#define SLAPD_ACI_SET_ATTR "template" + #define SLAPD_TOP_OID "2.5.6.0" LDAP_SLAPD_F (int) slap_debug; +typedef unsigned long slap_mask_t; + +/* Security Strength Factor */ +typedef unsigned slap_ssf_t; + +typedef struct slap_ssf_set { + slap_ssf_t sss_ssf; + slap_ssf_t sss_transport; + slap_ssf_t sss_tls; + slap_ssf_t sss_sasl; + slap_ssf_t sss_update_ssf; + slap_ssf_t sss_update_transport; + slap_ssf_t sss_update_tls; + slap_ssf_t sss_update_sasl; +} slap_ssf_set_t; + /* * Index types */ @@ -128,13 +166,15 @@ LDAP_SLAPD_F (int) slap_debug; #define SLAP_INDEX_SUBSTR_INITIAL ( SLAP_INDEX_SUBSTR | 0x0100UL ) #define SLAP_INDEX_SUBSTR_ANY ( SLAP_INDEX_SUBSTR | 0x0200UL ) #define SLAP_INDEX_SUBSTR_FINAL ( SLAP_INDEX_SUBSTR | 0x0400UL ) -#define SLAP_INDEX_SUBSTR_DEFAULT ( SLAP_INDEX_SUBSTR \ - | SLAP_INDEX_SUBSTR_INITIAL | SLAP_INDEX_SUBSTR_FINAL ) +#define SLAP_INDEX_SUBSTR_DEFAULT \ + ( SLAP_INDEX_SUBSTR \ + | SLAP_INDEX_SUBSTR_INITIAL \ + | SLAP_INDEX_SUBSTR_ANY \ + | SLAP_INDEX_SUBSTR_FINAL ) -#define SLAP_INDEX_SUBSTR_INITIAL_MIN_LEN 2 -#define SLAP_INDEX_SUBSTR_INITIAL_MAX_LEN 4 -#define SLAP_INDEX_SUBSTR_FINAL_MIN_LEN 2 -#define SLAP_INDEX_SUBSTR_FINAL_MAX_LEN 4 +#define SLAP_INDEX_SUBSTR_MINLEN 2 +#define SLAP_INDEX_SUBSTR_MAXLEN 4 +#define SLAP_INDEX_SUBSTR_STEP 2 #define SLAP_INDEX_FLAGS 0xF000UL #define SLAP_INDEX_SUBTYPES 0x1000UL /* use index with subtypes */ @@ -142,8 +182,6 @@ LDAP_SLAPD_F (int) slap_debug; #define SLAP_INDEX_LANG 0x4000UL /* use index with lang subtypes */ #define SLAP_INDEX_AUTO_LANG 0x8000UL /* use mask with lang subtypes */ -typedef long slap_index; - /* * there is a single index for each attribute. these prefixes ensure * that there is no collision among keys. @@ -151,6 +189,8 @@ typedef long slap_index; #define SLAP_INDEX_EQUALITY_PREFIX '=' /* prefix for equality keys */ #define SLAP_INDEX_APPROX_PREFIX '~' /* prefix for approx keys */ #define SLAP_INDEX_SUBSTR_PREFIX '*' /* prefix for substring keys */ +#define SLAP_INDEX_SUBSTR_INITIAL_PREFIX '^' +#define SLAP_INDEX_SUBSTR_FINAL_PREFIX '$' #define SLAP_INDEX_CONT_PREFIX '.' /* prefix for continuation keys */ #define SLAP_INDEX_UNKNOWN_PREFIX '?' /* prefix for unknown keys */ @@ -163,16 +203,31 @@ typedef long slap_index; */ #define SLAP_SCHERR_OUTOFMEM 1 #define SLAP_SCHERR_CLASS_NOT_FOUND 2 -#define SLAP_SCHERR_ATTR_NOT_FOUND 3 -#define SLAP_SCHERR_DUP_CLASS 4 -#define SLAP_SCHERR_DUP_ATTR 5 -#define SLAP_SCHERR_DUP_SYNTAX 6 -#define SLAP_SCHERR_DUP_RULE 7 -#define SLAP_SCHERR_NO_NAME 8 -#define SLAP_SCHERR_ATTR_INCOMPLETE 9 -#define SLAP_SCHERR_MR_NOT_FOUND 10 -#define SLAP_SCHERR_SYN_NOT_FOUND 11 -#define SLAP_SCHERR_MR_INCOMPLETE 12 +#define SLAP_SCHERR_CLASS_BAD_USAGE 3 +#define SLAP_SCHERR_ATTR_NOT_FOUND 4 +#define SLAP_SCHERR_ATTR_BAD_USAGE 5 +#define SLAP_SCHERR_DUP_CLASS 6 +#define SLAP_SCHERR_DUP_ATTR 7 +#define SLAP_SCHERR_DUP_SYNTAX 8 +#define SLAP_SCHERR_DUP_RULE 9 +#define SLAP_SCHERR_NO_NAME 10 +#define SLAP_SCHERR_ATTR_INCOMPLETE 11 +#define SLAP_SCHERR_MR_NOT_FOUND 12 +#define SLAP_SCHERR_SYN_NOT_FOUND 13 +#define SLAP_SCHERR_MR_INCOMPLETE 14 +#define SLAP_SCHERR_NOT_SUPPORTED 15 +#define SLAP_SCHERR_BAD_DESCR 16 + +typedef union slap_sockaddr { + struct sockaddr sa_addr; + struct sockaddr_in sa_in_addr; +#ifdef LDAP_PF_INET6 + struct sockaddr_in6 sa_in6_addr; +#endif +#ifdef LDAP_PF_LOCAL + struct sockaddr_un sa_un_addr; +#endif +} Sockaddr; typedef struct slap_oid_macro { struct berval som_oid; @@ -194,7 +249,7 @@ typedef int slap_syntax_transform_func LDAP_P(( struct berval ** out)); typedef struct slap_syntax { - LDAP_SYNTAX ssyn_syn; + LDAPSyntax ssyn_syn; #define ssyn_oid ssyn_syn.syn_oid #define ssyn_desc ssyn_syn.syn_desc #define ssyn_extensions ssyn_syn.syn_extensions @@ -226,14 +281,14 @@ typedef struct slap_syntax { #define slap_syntax_is_ber(s) slap_syntax_is_flag((s),SLAP_SYNTAX_BER) #define slap_syntax_is_hidden(s) slap_syntax_is_flag((s),SLAP_SYNTAX_HIDE) -/* XXX -> UCS-2 Converter */ +/* X -> Y Converter */ typedef int slap_mr_convert_func LDAP_P(( struct berval * in, struct berval ** out )); /* Normalizer */ typedef int slap_mr_normalize_func LDAP_P(( - unsigned use, + slap_mask_t use, struct slap_syntax *syntax, /* NULL if in is asserted value */ struct slap_matching_rule *mr, struct berval * in, @@ -242,7 +297,7 @@ typedef int slap_mr_normalize_func LDAP_P(( /* Match (compare) function */ typedef int slap_mr_match_func LDAP_P(( int *match, - unsigned flags, + slap_mask_t use, struct slap_syntax *syntax, /* syntax of stored value */ struct slap_matching_rule *mr, struct berval * value, @@ -250,7 +305,8 @@ typedef int slap_mr_match_func LDAP_P(( /* Index generation function */ typedef int slap_mr_indexer_func LDAP_P(( - unsigned flags, + slap_mask_t use, + slap_mask_t mask, struct slap_syntax *syntax, /* syntax of stored value */ struct slap_matching_rule *mr, struct berval *prefix, @@ -259,7 +315,8 @@ typedef int slap_mr_indexer_func LDAP_P(( /* Filter index function */ typedef int slap_mr_filter_func LDAP_P(( - unsigned flags, + slap_mask_t use, + slap_mask_t mask, struct slap_syntax *syntax, /* syntax of stored value */ struct slap_matching_rule *mr, struct berval *prefix, @@ -267,8 +324,8 @@ typedef int slap_mr_filter_func LDAP_P(( struct berval ***keys )); typedef struct slap_matching_rule { - LDAP_MATCHING_RULE smr_mrule; - unsigned smr_usage; + LDAPMatchingRule smr_mrule; + slap_mask_t smr_usage; #define SLAP_MR_TYPE_MASK 0xFF00U #define SLAP_MR_SUBTYPE_MASK 0x00F0U @@ -288,6 +345,8 @@ typedef struct slap_matching_rule { /* this is used to kludge objectClass testing */ #define SLAP_MR_MODIFY_MATCHING 0x0001U +/* are we matching from a mr asserted value or a real value */ +#define SLAP_MR_VALUE_IS_IN_MR_SYNTAX 0x0002U Syntax *smr_syntax; slap_mr_convert_func *smr_convert; @@ -295,7 +354,10 @@ typedef struct slap_matching_rule { slap_mr_match_func *smr_match; slap_mr_indexer_func *smr_indexer; slap_mr_filter_func *smr_filter; + + struct slap_matching_rule *smr_associated; struct slap_matching_rule *smr_next; + #define smr_oid smr_mrule.mr_oid #define smr_names smr_mrule.mr_names #define smr_desc smr_mrule.mr_desc @@ -304,9 +366,11 @@ typedef struct slap_matching_rule { #define smr_extensions smr_mrule.mr_extensions } MatchingRule; +struct slap_attr_desc; + typedef struct slap_attribute_type { - char *sat_cname; - LDAP_ATTRIBUTE_TYPE sat_atype; + LDAPAttributeType sat_atype; + struct berval sat_cname; struct slap_attribute_type *sat_sup; struct slap_attribute_type **sat_subtypes; MatchingRule *sat_equality; @@ -314,7 +378,9 @@ typedef struct slap_attribute_type { MatchingRule *sat_ordering; MatchingRule *sat_substr; Syntax *sat_syntax; + struct slap_attr_desc *sat_ad; struct slap_attribute_type *sat_next; + ldap_pvt_thread_mutex_t sat_ad_mutex; #define sat_oid sat_atype.at_oid #define sat_names sat_atype.at_names #define sat_desc sat_atype.at_desc @@ -334,10 +400,11 @@ typedef struct slap_attribute_type { #define is_at_operational(at) ((at)->sat_usage) #define is_at_single_value(at) ((at)->sat_single_value) #define is_at_collective(at) ((at)->sat_collective) +#define is_at_obsolete(at) ((at)->sat_obsolete) #define is_at_no_user_mod(at) ((at)->sat_no_user_mod) typedef struct slap_object_class { - LDAP_OBJECT_CLASS soc_oclass; + LDAPObjectClass soc_oclass; struct slap_object_class **soc_sups; AttributeType **soc_required; AttributeType **soc_allowed; @@ -358,15 +425,16 @@ typedef struct slap_object_class { * represents a recognized attribute description ( type + options ) */ typedef struct slap_attr_desc { - struct berval *ad_cname; /* canonical name */ - AttributeType *ad_type; /* NULL if unknown */ - char *ad_lang; /* NULL if no language tags */ + struct slap_attr_desc *ad_next; + AttributeType *ad_type; /* attribute type, must be specified */ + struct berval ad_cname; /* canonical name, must be specified */ + struct berval ad_lang; /* empty if no language tags */ unsigned ad_flags; #define SLAP_DESC_NONE 0x0U #define SLAP_DESC_BINARY 0x1U } AttributeDescription; -#define slap_ad_is_lang(ad) ( (ad)->ad_lang != NULL ) +#define slap_ad_is_lang(ad) ( (ad)->ad_lang.bv_len != 0 ) #define slap_ad_is_binary(ad) ( (int)((ad)->ad_flags & SLAP_DESC_BINARY) ? 1 : 0 ) /* @@ -382,10 +450,10 @@ struct slap_internal_schema { ObjectClass *si_oc_subschema; ObjectClass *si_oc_rootdse; - /* objectClass attribute */ + /* objectClass attribute descriptions */ AttributeDescription *si_ad_objectClass; - /* operational attributes */ + /* operational attribute descriptions */ AttributeDescription *si_ad_structuralObjectClass; AttributeDescription *si_ad_creatorsName; AttributeDescription *si_ad_createTimestamp; @@ -393,14 +461,15 @@ struct slap_internal_schema { AttributeDescription *si_ad_modifyTimestamp; AttributeDescription *si_ad_subschemaSubentry; - /* root DSE attributes */ + /* root DSE attribute descriptions */ AttributeDescription *si_ad_namingContexts; AttributeDescription *si_ad_supportedControl; AttributeDescription *si_ad_supportedExtension; AttributeDescription *si_ad_supportedLDAPVersion; AttributeDescription *si_ad_supportedSASLMechanisms; + AttributeDescription *si_ad_supportedFeatures; - /* subschema subentry attributes */ + /* subschema subentry attribute descriptions */ AttributeDescription *si_ad_objectClasses; AttributeDescription *si_ad_attributeTypes; AttributeDescription *si_ad_ldapSyntaxes; @@ -418,12 +487,23 @@ struct slap_internal_schema { AttributeDescription *si_ad_aci; #endif - /* Other */ + /* Other attributes descriptions */ AttributeDescription *si_ad_userPassword; AttributeDescription *si_ad_authPassword; #ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND AttributeDescription *si_ad_krbName; #endif + + /* Undefined Attribute Type */ + AttributeType *si_at_undefined; + + /* Matching Rules */ + MatchingRule *si_mr_distinguishedNameMatch; + MatchingRule *si_mr_integerMatch; + + /* Syntaxes */ + Syntax *si_syn_distinguishedName; + Syntax *si_syn_integer; }; typedef struct slap_attr_assertion { @@ -439,7 +519,8 @@ typedef struct slap_ss_assertion { } SubstringsAssertion; typedef struct slap_mr_assertion { - char *ma_rule; /* optional */ + MatchingRule *ma_rule; /* optional */ + char *ma_rule_text; /* optional */ AttributeDescription *ma_desc; /* optional */ int ma_dnattrs; /* boolean */ struct berval *ma_value; /* required */ @@ -487,9 +568,10 @@ typedef struct slap_filter { #define f_sub_final f_un.f_un_ssa->sa_final #define f_mra f_un.f_un_mra #define f_mr_rule f_un.f_un_mra->ma_rule +#define f_mr_rule_text f_un.f_un_mra->ma_rule_text #define f_mr_desc f_un.f_un_mra->ma_desc #define f_mr_value f_un.f_un_mra->ma_value -#define f_mr_dnaddrs f_un.f_un_mra->ma_dnattrs +#define f_mr_dnattrs f_un.f_un_mra->ma_dnattrs /* and, or, not */ struct slap_filter *f_un_complex; @@ -593,10 +675,25 @@ typedef enum slap_style_e { ACL_STYLE_BASE, ACL_STYLE_ONE, ACL_STYLE_SUBTREE, - ACL_STYLE_CHILDREN + ACL_STYLE_CHILDREN, + ACL_STYLE_ATTROF, + + /* alternate names */ + ACL_STYLE_EXACT = ACL_STYLE_BASE } slap_style_t; -typedef unsigned long slap_access_mask_t; +typedef struct slap_authz_info { + ber_tag_t sai_method; /* LDAP_AUTH_* from */ + char * sai_mech; /* SASL Mechanism */ + char * sai_dn; /* DN for reporting purposes */ + char * sai_ndn; /* Normalized DN */ + + /* Security Strength Factors */ + slap_ssf_t sai_ssf; /* Overall SSF */ + slap_ssf_t sai_transport_ssf; /* Transport SSF */ + slap_ssf_t sai_tls_ssf; /* TLS SSF */ + slap_ssf_t sai_sasl_ssf; /* SASL SSF */ +} AuthorizationInformation; /* the "by" part */ typedef struct slap_access { @@ -659,10 +756,12 @@ typedef struct slap_access { #define ACL_LVL_ASSIGN_READ(m) ACL_PRIV_ASSIGN((m),ACL_LVL_READ) #define ACL_LVL_ASSIGN_WRITE(m) ACL_PRIV_ASSIGN((m),ACL_LVL_WRITE) - slap_access_mask_t a_mask; + slap_mask_t a_access_mask; + + AuthorizationInformation a_authz; +#define a_dn_pat a_authz.sai_dn slap_style_t a_dn_style; - char *a_dn_pat; AttributeDescription *a_dn_at; int a_dn_self; @@ -675,6 +774,8 @@ typedef struct slap_access { char *a_domain_pat; slap_style_t a_sockurl_style; char *a_sockurl_pat; + slap_style_t a_set_style; + char *a_set_pat; #ifdef SLAPD_ACI_ENABLED AttributeDescription *a_aci_at; @@ -734,6 +835,32 @@ LDAP_SLAPD_F (int) slapMode; #define SLAP_TRUNCATE_MODE 0x0100 +struct slap_replica_info { + char *ri_host; /* supersedes be_replica */ + char **ri_nsuffix; /* array of suffixes this replica accepts */ +}; + +struct slap_limits_set { + /* time limits */ + int lms_t_soft; + int lms_t_hard; + + /* size limits */ + int lms_s_soft; + int lms_s_hard; + int lms_s_unchecked; +}; + +struct slap_limits { + int lm_type; /* type of pattern */ +#define SLAP_LIMITS_UNDEFINED 0x0000 +#define SLAP_LIMITS_EXACT 0x0001 +#define SLAP_LIMITS_REGEX 0x0002 + regex_t lm_dn_regex; /* regex-based size and time limits */ + char *lm_dn_pat; /* ndn for EXACT; pattern for REGEX */ + struct slap_limits_set lm_limits; +}; + /* temporary aliases */ typedef BackendDB Backend; #define nbackends nBackendDB @@ -772,18 +899,54 @@ struct slap_backend_db { #define be_entry_close bd_info->bi_tool_entry_close #define be_entry_first bd_info->bi_tool_entry_first #define be_entry_next bd_info->bi_tool_entry_next +#define be_entry_reindex bd_info->bi_tool_entry_reindex #define be_entry_get bd_info->bi_tool_entry_get #define be_entry_put bd_info->bi_tool_entry_put -#define be_index_attr bd_info->bi_tool_index_attr -#define be_index_change bd_info->bi_tool_index_change #define be_sync bd_info->bi_tool_sync #endif -#ifdef HAVE_CYRUS_SASL -#define be_sasl_authorize bd_info->bi_sasl_authorize -#define be_sasl_getsecret bd_info->bi_sasl_getsecret -#define be_sasl_putsecret bd_info->bi_sasl_putsecret -#endif + slap_mask_t be_restrictops; /* restriction operations */ +#define SLAP_RESTRICT_OP_ADD 0x0001U +#define SLAP_RESTRICT_OP_BIND 0x0002U +#define SLAP_RESTRICT_OP_COMPARE 0x0004U +#define SLAP_RESTRICT_OP_DELETE 0x0008U +#define SLAP_RESTRICT_OP_EXTENDED 0x0010U +#define SLAP_RESTRICT_OP_MODIFY 0x0020U +#define SLAP_RESTRICT_OP_RENAME 0x0040U +#define SLAP_RESTRICT_OP_SEARCH 0x0080U + +#define SLAP_RESTRICT_OP_READS \ + ( SLAP_RESTRICT_OP_COMPARE \ + | SLAP_RESTRICT_OP_SEARCH ) +#define SLAP_RESTRICT_OP_WRITES \ + ( SLAP_RESTRICT_OP_ADD \ + | SLAP_RESTRICT_OP_DELETE \ + | SLAP_RESTRICT_OP_MODIFY \ + | SLAP_RESTRICT_OP_RENAME ) + +#define SLAP_ALLOW_TLS_2_ANON 0x0001U /* StartTLS -> Anonymous */ + +#define SLAP_DISALLOW_BIND_V2 0x0001U /* LDAPv2 bind */ +#define SLAP_DISALLOW_BIND_ANON 0x0002U /* no anonymous */ +#define SLAP_DISALLOW_BIND_ANON_CRED \ + 0x0004U /* cred should be empty */ +#define SLAP_DISALLOW_BIND_ANON_DN \ + 0x0008U /* dn should be empty */ + +#define SLAP_DISALLOW_BIND_SIMPLE 0x0010U /* simple authentication */ +#define SLAP_DISALLOW_BIND_KRBV4 0x0020U /* Kerberos V4 authentication */ + +#define SLAP_DISALLOW_TLS_AUTHC 0x0100U /* TLS while authenticated */ + + slap_mask_t be_requires; /* pre-operation requirements */ +#define SLAP_REQUIRE_BIND 0x0001U /* bind before op */ +#define SLAP_REQUIRE_LDAP_V3 0x0002U /* LDAPv3 before op */ +#define SLAP_REQUIRE_AUTHC 0x0004U /* authentication before op */ +#define SLAP_REQUIRE_SASL 0x0008U /* SASL before op */ +#define SLAP_REQUIRE_STRONG 0x0010U /* strong authentication before op */ + + /* Required Security Strength Factor */ + slap_ssf_set_t be_ssf_set; /* these should be renamed from be_ to bd_ */ char **be_suffix; /* the DN suffixes of data in this backend */ @@ -792,13 +955,14 @@ struct slap_backend_db { char *be_root_dn; /* the magic "root" dn for this db */ char *be_root_ndn; /* the magic "root" normalized dn for this db */ struct berval be_root_pw; /* the magic "root" password for this db */ - int be_readonly; /* 1 => db is in "read only" mode */ unsigned int be_max_deref_depth; /* limit for depth of an alias deref */ - int be_sizelimit; /* size limit for this backend */ - int be_timelimit; /* time limit for this backend */ +#define be_sizelimit be_def_limit.lms_s_soft +#define be_timelimit be_def_limit.lms_t_soft + struct slap_limits_set be_def_limit; /* default limits */ + struct slap_limits **be_limits; /* regex-based size and time limits */ AccessControl *be_acl; /* access control list for this backend */ slap_access_t be_dfltaccess; /* access given if no acl matches */ - char **be_replica; /* replicas of this backend (in master) */ + struct slap_replica_info **be_replica; /* replicas of this backend (in master) */ char *be_replogfile; /* replication log file (in master) */ char *be_update_ndn; /* allowed to make changes (in replicas) */ struct berval **be_update_refs; /* where to refer modifying clients to */ @@ -813,8 +977,8 @@ struct slap_conn; struct slap_op; typedef int (*SLAP_EXTENDED_FN) LDAP_P(( - Backend *be, - struct slap_conn *conn, + BackendDB *be, + struct slap_conn *conn, struct slap_op *op, const char *reqoid, struct berval * reqdata, @@ -922,7 +1086,9 @@ struct slap_backend_info { SLAP_EXTENDED_FN bi_extended; /* Auxilary Functions */ - int (*bi_entry_release_rw) LDAP_P((BackendDB *bd, Entry *e, int rw)); + int (*bi_entry_release_rw) LDAP_P((BackendDB *bd, + struct slap_conn *c, struct slap_op *o, + Entry *e, int rw)); int (*bi_chk_referrals) LDAP_P((BackendDB *bd, struct slap_conn *c, struct slap_op *o, @@ -930,6 +1096,7 @@ struct slap_backend_info { const char **text )); int (*bi_acl_group) LDAP_P((Backend *bd, + struct slap_conn *c, struct slap_op *o, Entry *e, const char *bdn, const char *edn, ObjectClass *group_oc, AttributeDescription *group_at )); @@ -951,25 +1118,9 @@ struct slap_backend_info { ID (*bi_tool_entry_next) LDAP_P(( BackendDB *be )); Entry* (*bi_tool_entry_get) LDAP_P(( BackendDB *be, ID id )); ID (*bi_tool_entry_put) LDAP_P(( BackendDB *be, Entry *e )); - int (*bi_tool_index_attr) LDAP_P(( BackendDB *be, - AttributeDescription *desc )); - int (*bi_tool_index_change) LDAP_P(( BackendDB *be, - AttributeDescription *desc, - struct berval **bv, ID id, int op )); + int (*bi_tool_entry_reindex) LDAP_P(( BackendDB *be, ID id )); int (*bi_tool_sync) LDAP_P(( BackendDB *be )); -#ifdef HAVE_CYRUS_SASL - int (*bi_sasl_authorize) LDAP_P(( BackendDB *be, - const char *authnid, const char *authzid, - const char **canon_authzid, const char **errstr )); - int (*bi_sasl_getsecret) LDAP_P(( BackendDB *be, - const char *mechanism, const char *authzid, - const char *realm, sasl_secret_t **secret )); - int (*bi_sasl_putsecret) LDAP_P(( BackendDB *be, - const char *mechanism, const char *auth_identity, - const char *realm, const sasl_secret_t *secret )); -#endif /* HAVE_CYRUS_SASL */ - #define SLAP_INDEX_ADD_OP 0x0001 #define SLAP_INDEX_DELETE_OP 0x0002 @@ -979,49 +1130,48 @@ struct slap_backend_info { void *bi_private; /* anything the backend type needs */ }; +#define c_authtype c_authz.sai_method +#define c_authmech c_authz.sai_mech +#define c_dn c_authz.sai_dn +#define c_ssf c_authz.sai_ssf +#define c_transport_ssf c_authz.sai_transport_ssf +#define c_tls_ssf c_authz.sai_tls_ssf +#define c_sasl_ssf c_authz.sai_sasl_ssf + +#define o_authtype o_authz.sai_method +#define o_authmech o_authz.sai_mech +#define o_dn o_authz.sai_dn +#define o_ndn o_authz.sai_ndn +#define o_ssf o_authz.sai_ssf +#define o_transport_ssf o_authz.sai_transport_ssf +#define o_tls_ssf o_authz.sai_tls_ssf +#define o_sasl_ssf o_authz.sai_sasl_ssf + /* * represents an operation pending from an ldap client */ typedef struct slap_op { ber_int_t o_opid; /* id of this operation */ ber_int_t o_msgid; /* msgid of the request */ +#ifdef LDAP_CONNECTIONLESS + Sockaddr o_peeraddr; /* UDP peer address */ +#endif - ldap_pvt_thread_t o_tid; /* thread handling this op */ + ldap_pvt_thread_t o_tid; /* thread handling this op */ BerElement *o_ber; /* ber of the request */ ber_tag_t o_tag; /* tag of the request */ time_t o_time; /* time op was initiated */ -#ifdef SLAP_AUTHZID - /* should only be used for reporting purposes */ - char *o_authc_dn; /* authentication DN */ - - /* should be used as the DN of the User */ - char *o_authz_dn; /* authorization DN */ - char *o_authz_ndn; /* authorizaiton NDN */ - -#else - char *o_dn; /* dn bound when op was initiated */ - char *o_ndn; /* normalized dn bound when op was initiated */ -#endif + AuthorizationInformation o_authz; ber_int_t o_protocol; /* version of the LDAP protocol used by client */ - ber_tag_t o_authtype; /* auth method used to bind dn */ - /* values taken from ldap.h */ - /* LDAP_AUTH_* */ - char *o_authmech; /* SASL mechanism used to bind dn */ LDAPControl **o_ctrls; /* controls */ unsigned long o_connid; /* id of conn initiating this op */ -#ifdef LDAP_CONNECTIONLESS - int o_cldap; /* != 0 if this came in via CLDAP */ - struct sockaddr o_clientaddr; /* client address if via CLDAP */ - char o_searchbase; /* search base if via CLDAP */ -#endif - ldap_pvt_thread_mutex_t o_abandonmutex; /* protects o_abandon */ int o_abandon; /* abandon flag */ @@ -1029,6 +1179,19 @@ typedef struct slap_op { void *o_private; /* anything the backend needs */ } Operation; +/* + * Caches the result of a backend_group check for ACL evaluation + */ +typedef struct slap_gacl { + struct slap_gacl *next; + Backend *be; + ObjectClass *oc; + AttributeDescription *at; + int res; + int len; + char ndn[1]; +} GroupAssertion; + /* * represents a connection from an ldap client */ @@ -1052,9 +1215,7 @@ typedef struct slap_conn { /* only can be changed by binding thread */ int c_sasl_bind_in_progress; /* multi-op bind in progress */ char *c_sasl_bind_mech; /* mech in progress */ -#ifdef HAVE_CYRUS_SASL - sasl_conn_t *c_sasl_bind_context; /* Cyrus SASL state data */ -#endif + char *c_cdn; /* authentication backend */ Backend *c_authc_backend; @@ -1062,23 +1223,10 @@ typedef struct slap_conn { /* authorization backend - normally same as c_authc_backend */ Backend *c_authz_backend; -#ifdef SLAP_AUTHZID - /* authentication backend */ - /* should only be used for reporting purposes */ - char *c_authc_dn; /* authentication DN */ - - /* should be used as the DN of the User */ - char *c_authz_dn; /* authorization DN */ - char *c_authz_ndn; /* authorization NDN */ - -#else - char *c_cdn; /* DN provided by the client */ - char *c_dn; /* DN bound to this conn */ -#endif + AuthorizationInformation c_authz; + GroupAssertion *c_groups; ber_int_t c_protocol; /* version of the LDAP protocol used by client */ - ber_tag_t c_authtype;/* auth method used to bind c_dn */ - char *c_authmech; /* SASL mechanism used to bind c_dn */ Operation *c_ops; /* list of operations being processed */ Operation *c_pending_ops; /* list of pending operations */ @@ -1089,10 +1237,16 @@ typedef struct slap_conn { BerElement *c_currentber; /* ber we're attempting to read */ int c_writewaiter; /* true if writer is waiting */ +#ifdef LDAP_CONNECTIONLESS + int c_is_udp; /* true if this is (C)LDAP over UDP */ +#endif #ifdef HAVE_TLS int c_is_tls; /* true if this LDAP over raw TLS */ int c_needs_tls_accept; /* true if SSL_accept should be called */ #endif + int c_sasl_layers; /* true if we need to install SASL i/o handlers */ + void *c_sasl_context; /* SASL session context */ + void *c_sasl_extra; /* SASL session extra stuff */ long c_n_ops_received; /* num of ops received (next op_id) */ long c_n_ops_executing; /* num of ops currently executing */ @@ -1117,6 +1271,25 @@ typedef struct slap_conn { #define Statslog( level, fmt, connid, opid, arg1, arg2, arg3 ) #endif + +#define SASLREGEX_REPLACE 10 +#define SASL_AUTHZ_SOURCE_ATTR "saslAuthzTo" +#define SASL_AUTHZ_DEST_ATTR "saslAuthzFrom" + +typedef struct sasl_regexp { + char *match; /* regexp match pattern */ + char *replace; /* regexp replace pattern */ + regex_t workspace; /* workspace for regexp engine */ + regmatch_t strings[SASLREGEX_REPLACE]; /* strings matching $1,$2 ... */ + int offset[SASLREGEX_REPLACE+2]; /* offsets of $1,$2... in *replace */ +} SaslRegexp_t; + +/* Flags for telling slap_sasl_getdn() what type of identity is being passed */ +#define FLAG_GETDN_FINAL 1 +#define FLAG_GETDN_AUTHCID 2 +#define FLAG_GETDN_AUTHZID 4 + + LDAP_END_DECL #include "proto-slap.h"