OpenLDAP 2.4.12 Engineering
Fixed slapd socket closing on Windows (ITS#5606)
+ Fixed slapd-ldap,slapd-meta invalid filter behavior (ITS#5614)
Fixed slapd-meta quarantine behavior (ITS#5592)
Fixed slapd-sql freeing of connection (ITS#5607)
Fixed slapo-constraint string termination (ITS#5609)
Fixed slapo-rwm callback cleanup (ITS#5601)
Build Environment
Fixed ODBC library detection (ITS#5602)
+ Documentation
+ Added slapd-ldap(5), slapd-meta(5) noundeffilter (ITS#5614)
OpenLDAP 2.4.11 Release (2008/07/16)
Fixed liblber ber_get_next length decoding (ITS#5580)
do not return search reference responses.
By default, they are returned unless request is LDAPv2.
+.TP
+.B noundeffilter <NO|yes>
+If
+.BR yes ,
+return success instead of searching if a filter is undefined or contains
+undefined portions.
+By default, the search is propagated after replacing undefined portions
+with
+.BR (!(objectClass=*)) ,
+which corresponds to the empty result set.
+
.TP
.B protocol\-version {0,2,3}
This directive indicates what protocol version must be used to contact
If set before any target specification, it affects all targets, unless
overridden by any per-target directive.
+.TP
+.B noundeffilter <NO|yes>
+If
+.BR yes ,
+return success instead of searching if a filter is undefined or contains
+undefined portions.
+By default, the search is propagated after replacing undefined portions
+with
+.BR (!(objectClass=*)) ,
+which corresponds to the empty result set.
+If set before any target specification, it affects all targets, unless
+overridden by any per-target directive.
+
.TP
.B protocol\-version {0,2,3}
This directive indicates what protocol version must be used to contact
#endif /* SLAP_CONTROL_X_SESSION_TRACKING */
#define LDAP_BACK_F_NOREFS (0x00080000U)
+#define LDAP_BACK_F_NOUNDEFFILTER (0x00100000U)
#define LDAP_BACK_ISSET_F(ff,f) ( ( (ff) & (f) ) == (f) )
#define LDAP_BACK_ISMASK_F(ff,m,f) ( ( (ff) & (m) ) == (f) )
#endif /* SLAP_CONTROL_X_SESSION_TRACKING */
#define LDAP_BACK_NOREFS(li) LDAP_BACK_ISSET( (li), LDAP_BACK_F_NOREFS)
+#define LDAP_BACK_NOUNDEFFILTER(li) LDAP_BACK_ISSET( (li), LDAP_BACK_F_NOUNDEFFILTER)
int li_version;
LDAP_BACK_CFG_QUARANTINE,
LDAP_BACK_CFG_ST_REQUEST,
LDAP_BACK_CFG_NOREFS,
+ LDAP_BACK_CFG_NOUNDEFFILTER,
LDAP_BACK_CFG_REWRITE,
{ "norefs", "true|FALSE", 2, 2, 0,
ARG_MAGIC|ARG_ON_OFF|LDAP_BACK_CFG_NOREFS,
ldap_back_cf_gen, "( OLcfgDbAt:3.25 "
- "NAME 'olcDbNorefs' "
+ "NAME 'olcDbNoRefs' "
"DESC 'Do not return search reference responses' "
"SYNTAX OMsBoolean "
"SINGLE-VALUE )",
NULL, NULL },
+ { "noundeffilter", "true|FALSE", 2, 2, 0,
+ ARG_MAGIC|ARG_ON_OFF|LDAP_BACK_CFG_NOUNDEFFILTER,
+ ldap_back_cf_gen, "( OLcfgDbAt:3.26 "
+ "NAME 'olcDbNoUndefFilter' "
+ "DESC 'Do not propagate undefined search filters' "
+ "SYNTAX OMsBoolean "
+ "SINGLE-VALUE )",
+ NULL, NULL },
{ "suffixmassage", "[virtual]> <real", 2, 3, 0,
ARG_STRING|ARG_MAGIC|LDAP_BACK_CFG_REWRITE,
ldap_back_cf_gen, NULL, NULL, NULL },
#ifdef SLAP_CONTROL_X_SESSION_TRACKING
"$ olcDbSessionTrackingRequest "
#endif /* SLAP_CONTROL_X_SESSION_TRACKING */
- "$ olcDbNorefs "
+ "$ olcDbNoRefs "
+ "$ olcDbNoUndefFilter "
") )",
Cft_Database, ldapcfg},
{ NULL, 0, NULL }
c->value_int = LDAP_BACK_NOREFS( li );
break;
+ case LDAP_BACK_CFG_NOUNDEFFILTER:
+ c->value_int = LDAP_BACK_NOUNDEFFILTER( li );
+ break;
+
default:
/* FIXME: we need to handle all... */
assert( 0 );
li->li_flags &= ~LDAP_BACK_F_NOREFS;
break;
+ case LDAP_BACK_CFG_NOUNDEFFILTER:
+ li->li_flags &= ~LDAP_BACK_F_NOUNDEFFILTER;
+ break;
+
default:
/* FIXME: we need to handle all... */
assert( 0 );
}
break;
+ case LDAP_BACK_CFG_NOUNDEFFILTER:
+ if ( c->value_int ) {
+ li->li_flags |= LDAP_BACK_F_NOUNDEFFILTER;
+
+ } else {
+ li->li_flags &= ~LDAP_BACK_F_NOUNDEFFILTER;
+ }
+ break;
+
case LDAP_BACK_CFG_REWRITE:
snprintf( c->cr_msg, sizeof( c->cr_msg ),
"rewrite/remap capabilities have been moved "
} else if ( strncmp( ptr, bv_undefined.bv_val, bv_undefined.bv_len ) == 0 )
{
+ /* if undef or invalid filter is not allowed,
+ * don't rewrite filter */
+ if ( LDAP_BACK_NOUNDEFFILTER( li ) ) {
+ if ( filter->bv_val != op->ors_filterstr.bv_val ) {
+ op->o_tmpfree( filter->bv_val, op->o_tmpmemctx );
+ }
+ BER_BVZERO( filter );
+ gotit = -1;
+ goto done;
+ }
+
oldbv = &bv_undefined;
newbv = &bv_F;
}
oldfilter = *filter;
- if ( newbv->bv_len > oldbv->bv_len ) {
- filter->bv_len += newbv->bv_len - oldbv->bv_len;
- if ( filter->bv_val == op->ors_filterstr.bv_val ) {
- filter->bv_val = op->o_tmpalloc( filter->bv_len + 1,
- op->o_tmpmemctx );
-
- AC_MEMCPY( filter->bv_val, op->ors_filterstr.bv_val,
- op->ors_filterstr.bv_len + 1 );
+ filter->bv_len += newbv->bv_len - oldbv->bv_len;
+ if ( filter->bv_val == op->ors_filterstr.bv_val ) {
+ filter->bv_val = op->o_tmpalloc( filter->bv_len + 1,
+ op->o_tmpmemctx );
- } else {
- filter->bv_val = op->o_tmprealloc( filter->bv_val,
- filter->bv_len + 1, op->o_tmpmemctx );
- }
+ AC_MEMCPY( filter->bv_val, op->ors_filterstr.bv_val,
+ op->ors_filterstr.bv_len + 1 );
- ptr = filter->bv_val + ( ptr - oldfilter.bv_val );
+ } else {
+ filter->bv_val = op->o_tmprealloc( filter->bv_val,
+ filter->bv_len + 1, op->o_tmpmemctx );
}
+ ptr = filter->bv_val + ( ptr - oldfilter.bv_val );
+
AC_MEMCPY( &ptr[ newbv->bv_len ],
&ptr[ oldbv->bv_len ],
oldfilter.bv_len - ( ptr - filter->bv_val ) - oldbv->bv_len + 1 );
msgid;
struct berval match = BER_BVNULL,
filter = BER_BVNULL;
- int free_filter = 0;
int i;
char **attrs = NULL;
int freetext = 0;
goto finish;
case LDAP_FILTER_ERROR:
- if ( ldap_back_munge_filter( op, &filter ) ) {
- free_filter = 1;
+ if (ldap_back_munge_filter( op, &filter ) > 0 ) {
goto retry;
}
ldap_back_quarantine( op, rs );
}
+ if ( filter.bv_val != op->ors_filterstr.bv_val ) {
+ op->o_tmpfree( filter.bv_val, op->o_tmpmemctx );
+ }
+
#if 0
/* let send_ldap_result play cleanup handlers (ITS#4645) */
if ( rc != SLAPD_ABANDON )
rs->sr_matched = save_matched;
}
- if ( free_filter ) {
- op->o_tmpfree( filter.bv_val, op->o_tmpmemctx );
- }
-
if ( rs->sr_text ) {
if ( freetext ) {
LDAP_FREE( (char *)rs->sr_text );
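Review bot: In ldap_back_munge_filter, dropping the `newbv->bv_len > oldbv->bv_len` guard means the buffer is now sized from the post-replacement length even when the replacement is shorter than the token it replaces, yet the copy right after the `o_tmpalloc` still moves `op->ors_filterstr.bv_len + 1` bytes, which would write past the new allocation. The `o_tmprealloc` branch has the mirror problem: shrinking before the tail move leaves `&ptr[ oldbv->bv_len ]` reading bytes that may no longer belong to the buffer. Whether a shorter replacement is reachable depends on the token/replacement pairs defined outside the visible lines, so please confirm; if it is, size the buffer for the longer of the two forms and reallocate only when growing, as sketched below. Separately, after the new `BER_BVZERO( filter )` path the caller's cleanup passes a NULL pointer to `op->o_tmpfree`, so either guard that free with `!BER_BVISNULL( &filter )` or confirm the allocator tolerates NULL.

```c
	/* declare with the other locals: ber_len_t need; */
	oldfilter = *filter;
	filter->bv_len += newbv->bv_len - oldbv->bv_len;
	/* the tail is shifted inside the buffer, so it must hold the longer form */
	need = filter->bv_len > oldfilter.bv_len ? filter->bv_len : oldfilter.bv_len;
	if ( filter->bv_val == op->ors_filterstr.bv_val ) {
		filter->bv_val = op->o_tmpalloc( need + 1, op->o_tmpmemctx );
		/* oldfilter still describes the aliased request filter here */
		AC_MEMCPY( filter->bv_val, oldfilter.bv_val, oldfilter.bv_len + 1 );

	} else if ( need > oldfilter.bv_len ) {
		filter->bv_val = op->o_tmprealloc( filter->bv_val,
			need + 1, op->o_tmpmemctx );
	}
	/* … unchanged: ptr rebase and the two AC_MEMCPY moves … */
```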
#endif /* SLAP_CONTROL_X_SESSION_TRACKING */
#define META_BACK_TGT_NOREFS(mt) META_BACK_TGT_ISSET( (mt), LDAP_BACK_F_NOREFS )
+#define META_BACK_TGT_NOUNDEFFILTER(mt) META_BACK_TGT_ISSET( (mt), LDAP_BACK_F_NOUNDEFFILTER )
int mt_version;
time_t mt_network_timeout;
unsigned mi_flags;
#define li_flags mi_flags
/* uses flags as defined in <back-ldap/back-ldap.h> */
-#define META_BACK_F_ONERR_STOP (0x00100000U)
-#define META_BACK_F_ONERR_REPORT (0x00200000U)
+#define META_BACK_F_ONERR_STOP (0x01000000U)
+#define META_BACK_F_ONERR_REPORT (0x02000000U)
#define META_BACK_F_ONERR_MASK (META_BACK_F_ONERR_STOP|META_BACK_F_ONERR_REPORT)
-#define META_BACK_F_DEFER_ROOTDN_BIND (0x00400000U)
-#define META_BACK_F_PROXYAUTHZ_ALWAYS (0x00800000U) /* users always proxyauthz */
-#define META_BACK_F_PROXYAUTHZ_ANON (0x01000000U) /* anonymous always proxyauthz */
-#define META_BACK_F_PROXYAUTHZ_NOANON (0x02000000U) /* anonymous remains anonymous */
+#define META_BACK_F_DEFER_ROOTDN_BIND (0x04000000U)
+#define META_BACK_F_PROXYAUTHZ_ALWAYS (0x08000000U) /* users always proxyauthz */
+#define META_BACK_F_PROXYAUTHZ_ANON (0x10000000U) /* anonymous always proxyauthz */
+#define META_BACK_F_PROXYAUTHZ_NOANON (0x20000000U) /* anonymous remains anonymous */
#define META_BACK_ONERR_STOP(mi) LDAP_BACK_ISSET( (mi), META_BACK_F_ONERR_STOP )
#define META_BACK_ONERR_REPORT(mi) LDAP_BACK_ISSET( (mi), META_BACK_F_ONERR_REPORT )
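Review bot: The renumbered `META_BACK_F_*` values share one flag word with the `LDAP_BACK_F_*` bits from back-ldap.h, and nothing here records where one range ends and the other begins. The new `LDAP_BACK_F_NOUNDEFFILTER (0x00100000U)` took the value `META_BACK_F_ONERR_STOP` previously held, which is why six meta flags had to move in this commit. The next flag added on the back-ldap side could collide again without any warning. I would extend the existing comment to something like `/* bits below 0x01000000U are reserved for LDAP_BACK_F_* in <back-ldap/back-ldap.h>; META_BACK_F_* start at 0x01000000U */`. With `META_BACK_F_PROXYAUTHZ_NOANON` now at `0x20000000U`, only two bits of an unsigned 32-bit word remain above it, which is worth noting in the same comment.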
return( 1 );
}
+ /* do not propagate undefined search filters */
+ } else if ( strcasecmp( argv[ 0 ], "noundeffilter" ) == 0 ) {
+ unsigned *flagsp = mi->mi_ntargets ?
+ &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_flags
+ : &mi->mi_flags;
+
+ if ( argc != 2 ) {
+ Debug( LDAP_DEBUG_ANY,
+ "%s: line %d: \"noundeffilter {TRUE|false}\" needs 1 argument.\n",
+ fname, lineno, 0 );
+ return( 1 );
+ }
+
+ /* this is the default; we add it because the default might change... */
+ switch ( check_true_false( argv[ 1 ] ) ) {
+ case 1:
+ *flagsp |= LDAP_BACK_F_NOUNDEFFILTER;
+ break;
+
+ case 0:
+ *flagsp &= ~LDAP_BACK_F_NOUNDEFFILTER;
+ break;
+
+ default:
+ Debug( LDAP_DEBUG_ANY,
+ "%s: line %d: \"noundeffilter {TRUE|false}\": unknown argument \"%s\".\n",
+ fname, lineno, argv[ 1 ] );
+ return( 1 );
+ }
+
/* anything else */
} else {
return SLAP_CONF_UNKNOWN;
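Review bot: The usage text in both `Debug` calls of the `noundeffilter` branch reads `{TRUE|false}`, which marks TRUE as the default, while the man page text (`<NO|yes>`) and the back-ldap table entry (`"true|FALSE"`) both document the default as off. An operator reading the error message would get the wrong idea of what omitting the directive does, so I would change both strings to `\"noundeffilter {true|FALSE}\"`. The comment `/* this is the default; we add it because the default might change... */` above the `switch` looks carried over from another directive and does not describe either case here; drop it or replace it with `/* default is off: undefined filters are rewritten and propagated */`. The enclosing function starts and ends outside the visible lines.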
case SLAPD_FILTER_COMPUTED:
switch ( f->f_result ) {
- case LDAP_COMPARE_FALSE:
/* FIXME: treat UNDEFINED as FALSE */
case SLAPD_COMPARE_UNDEFINED:
computed:;
+ if ( META_BACK_TGT_NOUNDEFFILTER( dc->target ) ) {
+ return LDAP_COMPARE_FALSE;
+ }
+ /* fallthru */
+
+ case LDAP_COMPARE_FALSE:
if ( META_BACK_TGT_T_F( dc->target ) ) {
tmp = &ber_bvtf_false;
break;