should be defined first for clarity, including those that are common
to all backends.
They are:
+
.TP
.B default-target none
This directive forces the backend to reject all those operations
target, with the constraint that at most one must succeed.
This directive can also be used when processing targets to mark a
specific target as default.
+
.TP
.B dncache-ttl {forever|disabled|<ttl>}
This directive sets the time-to-live of the DN cache.
selection in case multiple targets would result from an uncached
search; forever means cache never expires; disabled means no DN
caching; otherwise a valid ( > 0 ) ttl in seconds is required.
+
.TP
.B nretries {forever|never|<nretries>}
This directive defines how many times a bind should be retried
specification.
.SH TARGET SPECIFICATION
Target specification starts with a "uri" directive:
+
.TP
.B uri <protocol>://[<host>[:<port>]]/<naming context>
The "server" directive that was allowed in the LDAP backend (although
no <naming context> part. This causes the underlying library
to contact the first server of the list that responds.
.RE
+
.TP
.B default-target [<target>]
The "default-target" directive can also be used during target specification.
The optional number marks target <target> as the default one, starting
from 1.
Target <target> must be defined.
+
.TP
.B acl-authcDN "<administrative DN for access control purposes>"
DN which is used to query the target server for acl checking,
check permissions.
.B The acl-authcDN identity is by no means implicitly used by the proxy
.B when the client connects anonymously.
+
.TP
.B acl-passwd <password>
Password used with the
.B
acl-authcDN
above.
+
.TP
-.B rebind-as-user
+.B rebind-as-user {NO|yes}
If this option is given, the client's bind credentials are remembered
for rebinds when chasing referrals.
+
+.TP
+.B chase-referrals {YES|no}
+enable/disable automatic referral chasing, which is delegated to the
+underlying libldap, with rebinding eventually performed if the
+\fBrebind-as-user\fP directive is used. The default is to chase referrals.
+
+.TP
+.B tls {[try-]start|[try-]propagate}
+execute the start TLS extended operation when the connection is initialized;
+only works if the URI directive protocol scheme is not \fBldaps://\fP.
+\fBpropagate\fP issues the Start TLS exop only if the original
+connection did.
+The \fBtry-\fP prefix instructs the proxy to continue operations
+if start TLS failed; its use is highly deprecated.
+
+.TP
+.B t-f-support {NO|yes|discover}
+enable if the remote server supports absolute filters
+(see \fIdraft-zeilenga-ldap-t-f\fP for details).
+If set to
+.BR discover ,
+support is detected by reading the remote server's rootDSE.
+
+.TP
+.B onerr {CONTINUE|stop}
+This directive allows to select the behavior in case an error is returned
+by one targe during a search.
+The default, \fBcontinue\fP, consists in continuing the operation,
+trying to return as much data as possible.
+If this statement is set to \fBstop\fP, the search is terminated as soon
+as an error is returned by one target, and the error is immediately
+propagated to the client.
+
.TP
.B pseudorootdn "<substitute DN in case of rootdn bind>"
This directive, if present, sets the DN that will be substituted to
the bind DN if a bind with the backend's "rootdn" succeeds.
The true "rootdn" of the target server ought not be used; an arbitrary
administrative DN should used instead.
+
.TP
.B pseudorootpw "<substitute password in case of rootdn bind>"
This directive sets the credential that will be used in case a bind
with the backend's "rootdn" succeeds, and the bind is propagated to
the target using the "pseudorootdn" DN.
-.LP
+
Note: cleartext credentials must be supplied here; as a consequence,
using the pseudorootdn/pseudorootpw directives is inherently unsafe.
+
.TP
.B rewrite* ...
The rewrite options are described in the "REWRITING" section.
+
.TP
.B suffixmassage "<virtual naming context>" "<real naming context>"
All the directives starting with "rewrite" refer to the rewrite engine
so "dc=foo, dc=com" would not match "dc=foo,dc=com".
.LP
See the "REWRITING" section.
+
.TP
.B map "{attribute|objectclass} [<local name>|*] {<foreign name>|*}"
This maps object classes and attributes as in the LDAP backend.
Avlnode *mi_conntree;
unsigned flags;
-#if 0
-/* defined in <back-ldap/back-ldap.h> */
-#define LDAP_BACK_F_NONE 0x00U
-#define LDAP_BACK_F_SAVECRED 0x01U
-#define LDAP_BACK_F_USE_TLS 0x02U
-#define LDAP_BACK_F_PROPAGATE_TLS 0x04U
-#define LDAP_BACK_F_TLS_CRITICAL 0x08U
-#define LDAP_BACK_F_TLS_MASK (LDAP_BACK_F_USE_TLS|LDAP_BACK_F_PROPAGATE_TLS|LDAP_BACK_F_TLS_CRITICAL)
-#define LDAP_BACK_F_CHASE_REFERRALS 0x10U
-#endif
+/* uses flags as defined in <back-ldap/back-ldap.h> */
+#define META_BACK_F_ONERR_STOP 0x00010000U
+#define META_BACK_ONERR_STOP(mi) ( (mi)->flags & META_BACK_F_ONERR_STOP )
+#define META_BACK_ONERR_CONTINUE(mi) ( !META_BACK_ONERR_CONTINUE( (mi) ) )
int mi_version;
} metainfo_t;
/* save bind creds for referral rebinds? */
} else if ( strcasecmp( argv[ 0 ], "rebind-as-user" ) == 0 ) {
- if (argc != 1) {
+ if ( argc > 2 ) {
fprintf( stderr,
- "%s: line %d: rebind-as-user takes no arguments\n",
+ "%s: line %d: \"rebind-as-user {NO|yes}\" takes 1 argument.\n",
fname, lineno );
return( 1 );
}
- mi->flags |= LDAP_BACK_F_SAVECRED;
+ if ( argc == 1 ) {
+ fprintf( stderr,
+ "%s: line %d: deprecated use of \"rebind-as-user {NO|yes}\" with no arguments.\n",
+ fname, lineno );
+ mi->flags |= LDAP_BACK_F_SAVECRED;
+
+ } else {
+ if ( strcasecmp( argv[ 1 ], "no" ) == 0 ) {
+ mi->flags &= ~LDAP_BACK_F_SAVECRED;
+
+ } else if ( strcasecmp( argv[ 1 ], "yes" ) == 0 ) {
+ mi->flags |= LDAP_BACK_F_SAVECRED;
+
+ } else {
+ fprintf( stderr,
+ "%s: line %d: \"rebind-as-user {NO|yes}\" unknown argument \"%s\".\n",
+ fname, lineno, argv[ 1 ] );
+ return 1;
+ }
+ }
} else if ( strcasecmp( argv[ 0 ], "chase-referrals" ) == 0 ) {
unsigned *flagsp = mi->mi_ntargets ?
} else {
fprintf( stderr,
- "%s: line %d: \"chase-referrals {yes|no}\": unknown argument \"%s\".\n",
+ "%s: line %d: \"chase-referrals {YES|no}\": unknown argument \"%s\".\n",
fname, lineno, argv[ 1 ] );
return( 1 );
}
if ( argc != 2 ) {
fprintf( stderr,
- "%s: line %d: \"t-f-support {no|yes|discover}\" needs 1 argument.\n",
+ "%s: line %d: \"t-f-support {NO|yes|discover}\" needs 1 argument.\n",
fname, lineno );
return( 1 );
}
return 1;
}
+ /* onerr? */
+ } else if ( strcasecmp( argv[ 0 ], "onerr" ) == 0 ) {
+ if ( argc != 2 ) {
+ fprintf( stderr,
+ "%s: line %d: \"onerr {CONTINUE|stop}\" takes 1 argument\n",
+ fname, lineno );
+ return( 1 );
+ }
+
+ if ( strcasecmp( argv[ 1 ], "continue" ) == 0 ) {
+ mi->flags &= ~META_BACK_F_ONERR_STOP;
+
+ } else if ( strcasecmp( argv[ 1 ], "stop" ) == 0 ) {
+ mi->flags |= META_BACK_F_ONERR_STOP;
+
+ } else {
+ fprintf( stderr,
+ "%s: line %d: \"onerr {CONTINUE|stop}\": invalid arg \"%s\".\n",
+ fname, lineno, argv[ 1 ] );
+ return 1;
+ }
+
/* name to use as pseudo-root dn */
} else if ( strcasecmp( argv[ 0 ], "pseudorootdn" ) == 0 ) {
int i = mi->mi_ntargets - 1;
0, &tv, &res );
if ( rc == 0 ) {
- /* timeout exceeded */
-
/* FIXME: res should not need to be freed */
assert( res == NULL );
(char **)&candidates[ i ].sr_matched,
NULL /* (char **)&candidates[ i ].sr_text */ ,
&references,
- &candidates[ i ].sr_ctrls, 1 ) )
+ &candidates[ i ].sr_ctrls, 1 ) != LDAP_SUCCESS )
{
res = NULL;
ldap_get_option( msc->msc_ld,
sres = slap_map_api2result( rs );
goto really_bad;
}
+
rs->sr_err = candidates[ i ].sr_err;
sres = slap_map_api2result( rs );
res = NULL;
rs->sr_err = candidates[ i ].sr_err;
sres = slap_map_api2result( rs );
+
+ snprintf( buf, sizeof( buf ),
+ "%s meta_back_search[%d] "
+ "match=\"%s\" err=%d\n",
+ op->o_log_prefix, i,
+ candidates[ i ].sr_matched ? candidates[ i ].sr_matched : "",
+ candidates[ i ].sr_err );
+ Debug( LDAP_DEBUG_ANY, "%s", buf, 0, 0 );
+
switch ( sres ) {
case LDAP_NO_SUCH_OBJECT:
/* is_ok is touched any time a valid
case LDAP_REFERRAL:
is_ok++;
break;
- }
- snprintf( buf, sizeof( buf ),
- "%s meta_back_search[%d] "
- "match=\"%s\" err=%d\n",
- op->o_log_prefix, i,
- candidates[ i ].sr_matched ? candidates[ i ].sr_matched : "",
- candidates[ i ].sr_err );
- Debug( LDAP_DEBUG_ANY, "%s", buf, 0, 0 );
+ default:
+ if ( META_BACK_ONERR_STOP( mi ) ) {
+ savepriv = op->o_private;
+ op->o_private = (void *)i;
+ send_ldap_result( op, rs );
+ op->o_private = savepriv;
+ goto finish;
+ }
+ break;
+ }
last = i;
rc = 0;
projects / openldap / commitdiff