manual page.
.LP
Note: It is strongly recommended to set
+.LP
.RS
+.nf
lastmod off
+.fi
.RE
+.LP
for every
.B ldap
and
.B bindpw <password>
Password used with the bind DN above.
.TP
+.B proxyauthzdn "<administrative DN for proxyAuthz purposes>"
+DN which is used to propagate the client's identity to the target
+by means of the proxyAuthz control when the client does not
+belong to the DIT fragment that is being proxyied by back-ldap.
+This is useful when operations performed by users bound to another
+backend are propagated through back-ldap.
+This requires the entry with
+.B proxyauthzdn
+identity on the remote server to have
+.B proxyAuthz
+privileges on a wide set of DNs, e.g.
+.BR saslAuthzTo=dn.regex:.* ,
+and the remote server to have
+.B sasl-authz-policy
+set to
+.B to
+or
+.BR both .
+See
+.BR slapd.conf (5)
+for details on these statements and for remarks and drawbacks about
+their usage.
+.TP
+.B proxyauthzpw <password>
+Password used with the proxy authz DN above.
+.TP
.B proxy-whoami
Turns on proxying of the WhoAmI extended operation. If this option is
given, back-ldap will replace slapd's original WhoAmI routine with its
.B <attrlist>
that are prefixed by
.B @
-are directly treated as objectClass names.
+are directly treated as objectClass names. A name prefixed by
+.B !
+is also treated as an objectClass, but in this case the access rule
+affects the attributes that are not required nor allowed
+by that objectClass.
.LP
Using the form
.B attrs=<attr> val[.<style>]=<value>
(generally the
.B ref
attribute).
+.LP
+Some
+.B controls
+require specific access privileges.
+The
+.B proxyAuthz
+control requires
+.B auth (=x)
+privileges on all the attributes that are present in the search filter
+of the URI regexp maps (the right-hand side of the
+.B sasl-regexp
+directives).
+It also requires
+.B auth (=x)
+privileges on the
+.B saslAuthzTo
+attribute of the authorizing identity and/or on the
+.B saslAuthzFrom
+attribute of the authorized identity.
.SH CAVEATS
It is strongly recommended to explicitly use the most appropriate
.BR <dnstyle> ,
#define LDAP_SYNC_MODIFY 2
#define LDAP_SYNC_DELETE 3
-#if 0
-#define LDAP_CONTROL_DUPENT_REQUEST "2.16.840.1.113719.1.27.101.1"
-#define LDAP_CONTROL_DUPENT_RESPONSE "2.16.840.1.113719.1.27.101.2"
-#define LDAP_CONTROL_DUPENT_ENTRY "2.16.840.1.113719.1.27.101.3"
-#define LDAP_CONTROL_DUPENT LDAP_CONTROL_DUPENT_REQUEST
-#endif
-
/* controls for MSAD compatibility */
#define LDAP_CONTROL_X_DOMAIN_SCOPE "1.2.840.113556.1.4.1339"
#define LDAP_CONTROL_X_PERMISSIVE_MODIFY "1.2.840.113556.1.4.1413"
"acl_get: val %s\n",
a->acl_attrval.bv_val, 0, 0 );
#endif
- if (value_match( &match, desc,
- desc->ad_type->sat_equality, 0,
- val, &a->acl_attrval, &text ) != LDAP_SUCCESS ||
- match )
- return ACL_BREAK;
+
+ if ( a->acl_attrs[0].an_desc->ad_type->sat_syntax != slap_schema.si_syn_distinguishedName ) {
+ if (value_match( &match, desc,
+ desc->ad_type->sat_equality, 0,
+ val, &a->acl_attrval, &text ) != LDAP_SUCCESS ||
+ match )
+ return ACL_BREAK;
+
+ } else {
+ int patlen, vdnlen, rc, got_match = 0;
+ struct berval vdn = { 0, NULL };
+
+ /* it is a DN */
+ assert( a->acl_attrs[0].an_desc->ad_type->sat_syntax == slap_schema.si_syn_distinguishedName );
+
+ rc = dnNormalize( 0, NULL, NULL, val, &vdn,
+ op->o_tmpmemctx );
+ if ( rc != LDAP_SUCCESS ) {
+ /* error */
+ return ACL_BREAK;
+ }
+
+ patlen = a->acl_attrval.bv_len;
+ vdnlen = vdn.bv_len;
+
+ if ( vdnlen < patlen )
+ goto attrval_cleanup;
+
+ if ( a->acl_dn_style == ACL_STYLE_BASE ) {
+ if ( vdnlen > patlen )
+ goto attrval_cleanup;
+
+ } else if ( a->acl_dn_style == ACL_STYLE_ONE ) {
+ int rdnlen = -1;
+
+ if ( !DN_SEPARATOR( vdn.bv_val[vdnlen - patlen - 1] ) )
+ goto attrval_cleanup;
+
+ rdnlen = dn_rdnlen( NULL, &vdn );
+ if ( rdnlen != vdnlen - patlen - 1 )
+ goto attrval_cleanup;
+
+ } else if ( a->acl_dn_style == ACL_STYLE_SUBTREE ) {
+ if ( vdnlen > patlen && !DN_SEPARATOR( vdn.bv_val[vdnlen - patlen - 1] ) )
+ goto attrval_cleanup;
+
+ } else if ( a->acl_dn_style == ACL_STYLE_CHILDREN ) {
+ if ( vdnlen <= patlen )
+ goto attrval_cleanup;
+
+ if ( !DN_SEPARATOR( vdn.bv_val[vdnlen - patlen - 1] ) )
+ goto attrval_cleanup;
+ }
+
+ got_match = strcmp( a->acl_attrval.bv_val, vdn.bv_val + vdnlen - patlen );
+
+attrval_cleanup:;
+ if ( vdn.bv_val )
+ free( vdn.bv_val );
+
+ if ( !got_match )
+ return ACL_BREAK;
+
+ }
}
}
/*
* EXTENSION: see if requested description is @objectClass
* if so, return attributes which the class requires/allows
+ * else if requested description is !objectClass, return
+ * attributes which the class does not require/allow
*/
oc = attrs->an_oc;
if( oc == NULL && attrs->an_name.bv_val ) {
switch( attrs->an_name.bv_val[0] ) {
case '@': /* @objectClass */
case '+': /* +objectClass (deprecated) */
- {
+ case '!': { /* exclude */
struct berval ocname;
ocname.bv_len = attrs->an_name.bv_len - 1;
ocname.bv_val = &attrs->an_name.bv_val[1];
oc = oc_bvfind( &ocname );
+ attrs->an_oc_exclude = 0;
+ if ( oc && attrs->an_name.bv_val[0] == '!' ) {
+ attrs->an_oc_exclude = 1;
+ }
} break;
+
default: /* old (deprecated) way */
oc = oc_bvfind( &attrs->an_name );
}
attrs->an_oc = oc;
}
if( oc != NULL ) {
+ if ( attrs->an_oc_exclude ) {
+ int gotit = 0;
+
+ if ( oc == slap_schema.si_oc_extensibleObject ) {
+ /* extensibleObject allows the return of anything */
+ return 0;
+ }
+
+ if( oc->soc_required ) {
+ /* allow return of required attributes */
+ int i;
+
+ for ( i = 0; oc->soc_required[i] != NULL; i++ ) {
+ for (a = desc->ad_type; a; a=a->sat_sup) {
+ if ( a == oc->soc_required[i] ) {
+ return 0;
+ }
+ }
+ }
+ }
+
+ if( oc->soc_allowed ) {
+ /* allow return of allowed attributes */
+ int i;
+ for ( i = 0; oc->soc_allowed[i] != NULL; i++ ) {
+ for (a = desc->ad_type; a; a=a->sat_sup) {
+ if ( a == oc->soc_allowed[i] ) {
+ return 0;
+ }
+ }
+ }
+ }
+
+ return 1;
+ }
+
if ( oc == slap_schema.si_oc_extensibleObject ) {
/* extensibleObject allows the return of anything */
return 1;
* on to an existing list if it was given. If the string is not
* a valid attribute name, if a '-' is prepended it is skipped
* and the remaining name is tried again; if a '@' (or '+') is
- * prepended, an objectclass name is searched instead.
+ * prepended, an objectclass name is searched instead; if a '!'
+ * is prepended, the objectclass name is negated.
*
* NOTE: currently, if a valid attribute name is not found, the
* same string is also checked as valid objectclass name; however,
{
anew->an_desc = NULL;
anew->an_oc = NULL;
+ anew->an_oc_exclude = 0;
ber_str2bv(s, 0, 1, &anew->an_name);
slap_bv2ad(&anew->an_name, &anew->an_desc, &text);
if ( !anew->an_desc ) {
case '@':
case '+': /* (deprecated) */
- {
+ case '!': {
struct berval ocname;
ocname.bv_len = anew->an_name.bv_len - 1;
ocname.bv_val = &anew->an_name.bv_val[1];
strcpy( in, s );
return NULL;
}
+
+ if ( anew->an_name.bv_val[0] == '!' ) {
+ anew->an_oc_exclude = 1;
+ }
} break;
default:
null_attr.an_desc = NULL;
null_attr.an_oc = NULL;
+ null_attr.an_oc_exclude = 0;
null_attr.an_name.bv_len = 0;
null_attr.an_name.bv_val = NULL;
attrs = uuid_attr;
attrs[0].an_desc = NULL;
attrs[0].an_oc = NULL;
+ attrs[0].an_oc_exclude = 0;
attrs[0].an_name.bv_len = 0;
attrs[0].an_name.bv_val = NULL;
}
goto loopit;
switch(ludp->lud_scope) {
case LDAP_SCOPE_BASE:
- if ( !dn_match(&nbase, op_ndn)) goto loopit;
+ if ( !dn_match( &nbase, op_ndn )) goto loopit;
break;
case LDAP_SCOPE_ONELEVEL:
dnParent(op_ndn, &bv );
- if ( !dn_match(&nbase, &bv)) goto loopit;
+ if ( !dn_match( &nbase, &bv )) goto loopit;
break;
case LDAP_SCOPE_SUBTREE:
- if ( !dnIsSuffix(op_ndn, &nbase)) goto loopit;
+ if ( !dnIsSuffix( op_ndn, &nbase )) goto loopit;
break;
}
filter = str2filter_x( op, ludp->lud_filter );
}
op->o_bd = gi->n[i].be;
if (scope0 == LDAP_SCOPE_ONELEVEL &&
- dn_match(&gi->n[i].pdn, &ndn)) {
+ dn_match(&gi->n[i].pdn, &ndn))
+ {
op->ors_scope = LDAP_SCOPE_BASE;
op->o_req_dn = op->o_bd->be_suffix[0];
op->o_req_ndn = op->o_bd->be_nsuffix[0];
rs->sr_err = op->o_bd->be_search(op, rs);
} else if (scope0 == LDAP_SCOPE_SUBTREE &&
- dnIsSuffix(&op->o_bd->be_nsuffix[0], &ndn)) {
+ dnIsSuffix(&op->o_bd->be_nsuffix[0], &ndn))
+ {
op->o_req_dn = op->o_bd->be_suffix[0];
op->o_req_ndn = op->o_bd->be_nsuffix[0];
rs->sr_err = op->o_bd->be_search( op, rs );
}
for( i=0; i<siz; i++ ) {
- const char *dummy;
+ int rc = LDAP_SUCCESS;
+ const char *dummy = NULL;
+
an[i].an_desc = NULL;
an[i].an_oc = NULL;
- slap_bv2ad( &an[i].an_name, &an[i].an_desc, &dummy );
+ an[i].an_oc_exclude = 0;
+ rc = slap_bv2ad( &an[i].an_name, &an[i].an_desc, &dummy );
+ if ( rc != LDAP_SUCCESS && ctrl->ldctl_iscritical ) {
+ rs->sr_text = dummy ? dummy : "postread control: unknown attributeType";
+ return rc;
+ }
}
op->o_preread = ctrl->ldctl_iscritical
}
for( i=0; i<siz; i++ ) {
- const char *dummy;
+ int rc = LDAP_SUCCESS;
+ const char *dummy = NULL;
+
an[i].an_desc = NULL;
an[i].an_oc = NULL;
- slap_bv2ad( &an[i].an_name, &an[i].an_desc, &dummy );
+ an[i].an_oc_exclude = 0;
+ rc = slap_bv2ad( &an[i].an_name, &an[i].an_desc, &dummy );
+ if ( rc != LDAP_SUCCESS && ctrl->ldctl_iscritical ) {
+ rs->sr_text = dummy ? dummy : "postread control: unknown attributeType";
+ return rc;
+ }
}
op->o_postread = ctrl->ldctl_iscritical
static void
print_vals( FILE *fp, struct berval *type, struct berval *bv );
static void
-replog1( struct slap_replica_info *ri, Operation *op, FILE *fp, void *first);
+replog1( struct slap_replica_info *ri, Operation *op, FILE *fp, long now);
void
replog( Operation *op )
}
#endif
- fprintf( fp, "time: %ld\n", now );
- fprintf( fp, "dn: %s\n", op->o_req_dn.bv_val );
-
- replog1( NULL, op, fp, NULL );
+ replog1( NULL, op, fp, now );
if ( subsets > 0 ) {
- void *first;
- for ( i = subsets - 1; op->o_bd->be_replica != NULL && op->o_bd->be_replica[i] != NULL; i++ ) {
+ for ( i = subsets - 1; op->o_bd->be_replica[i] != NULL; i++ ) {
/* If no attrs, we already did this above */
if ( op->o_bd->be_replica[i]->ri_attrs == NULL ) {
}
if ( !op->o_bd->be_replica[i]->ri_nsuffix[j].bv_val ) {
- /* do not add "replica:" line */
+ /* no matching suffix found, skip it */
continue;
}
}
- subsets = 0;
- first = NULL;
switch( op->o_tag ) {
case LDAP_REQ_EXTENDED:
/* quick hack for extended operations */
- /* assume change parameter is a Modfications* */
+ /* assume change parameter is a Modifications* */
/* fall thru */
case LDAP_REQ_MODIFY:
- for ( ml = op->orm_modlist; ml != NULL; ml = ml->sml_next ) {
- int is_in, exclude;
-
- is_in = ad_inlist( ml->sml_desc, op->o_bd->be_replica[i]->ri_attrs );
- exclude = op->o_bd->be_replica[i]->ri_exclude;
-
- /*
- * there might be a more clever way to do this test,
- * but this way, at least, is comprehensible :)
- */
- if ( ( is_in && !exclude ) || ( !is_in && exclude ) ) {
- subsets = 1;
- first = ml;
- break;
- }
- }
- if ( !subsets ) {
- continue;
- }
- break;
case LDAP_REQ_ADD:
- for ( a = op->ora_e->e_attrs; a != NULL; a = a->a_next ) {
- int is_in, exclude;
-
- is_in = ad_inlist( a->a_desc, op->o_bd->be_replica[i]->ri_attrs );
- exclude = op->o_bd->be_replica[i]->ri_exclude;
-
- if ( ( is_in && !exclude ) || ( !is_in && exclude ) ) {
- subsets = 1;
- first = a;
- break;
- }
- }
- if ( !subsets ) {
- continue;
- }
break;
default:
/* Other operations were logged in the first pass */
continue;
}
- fprintf( fp, "replica: %s\n", op->o_bd->be_replica[i]->ri_host );
- fprintf( fp, "time: %ld\n", now );
- fprintf( fp, "dn: %s\n", op->o_req_dn.bv_val );
- replog1( op->o_bd->be_replica[i], op, fp, first );
+ replog1( op->o_bd->be_replica[i], op, fp, now );
}
}
ldap_pvt_thread_mutex_unlock( &replog_mutex );
}
+static void
+rephdr(
+ struct slap_replica_info *ri,
+ Operation *op,
+ FILE *fp,
+ long now
+)
+{
+ if ( ri ) {
+ fprintf( fp, "replica: %s\n", ri->ri_host );
+ }
+ fprintf( fp, "time: %ld\n", now );
+ fprintf( fp, "dn: %s\n", op->o_req_dn.bv_val );
+}
static void
replog1(
- struct slap_replica_info *ri,
- Operation *op,
- FILE *fp,
- void *first
+ struct slap_replica_info *ri,
+ Operation *op,
+ FILE *fp,
+ long now
)
{
Modifications *ml;
Attribute *a;
+ AttributeName *an;
+ int dohdr = 1, ocs = -1;
+ struct berval vals[2];
+
+ vals[1].bv_val = NULL;
+ vals[1].bv_len = 0;
switch ( op->o_tag ) {
case LDAP_REQ_EXTENDED:
/* quick hack for extended operations */
- /* assume change parameter is a Modfications* */
+ /* assume change parameter is a Modifications* */
/* fall thru */
case LDAP_REQ_MODIFY:
- fprintf( fp, "changetype: modify\n" );
- ml = first ? first : op->orm_modlist;
- for ( ; ml != NULL; ml = ml->sml_next ) {
- char *type;
+ for ( ml = op->orm_modlist; ml != NULL; ml = ml->sml_next ) {
+ char *did, *type = ml->sml_desc->ad_cname.bv_val;
+ switch ( ml->sml_op ) {
+ case LDAP_MOD_ADD:
+ did = "add"; break;
+
+ case LDAP_MOD_DELETE:
+ did = "delete"; break;
+
+ case LDAP_MOD_REPLACE:
+ did = "replace"; break;
+
+ case LDAP_MOD_INCREMENT:
+ did = "increment"; break;
+ }
if ( ri && ri->ri_attrs ) {
int is_in = ad_inlist( ml->sml_desc, ri->ri_attrs );
{
continue;
}
- }
- type = ml->sml_desc->ad_cname.bv_val;
- switch ( ml->sml_op ) {
- case LDAP_MOD_ADD:
- fprintf( fp, "add: %s\n", type );
- break;
-
- case LDAP_MOD_DELETE:
- fprintf( fp, "delete: %s\n", type );
- break;
-
- case LDAP_MOD_REPLACE:
- fprintf( fp, "replace: %s\n", type );
- break;
+ /* If this is objectClass, see if the value is included
+ * in any subset, otherwise drop it.
+ */
+ if ( ocs && ml->sml_desc == slap_schema.si_ad_objectClass
+ && ml->sml_bvalues ) {
+ int i, first = 1;
+
+ if ( ocs == -1 ) ocs = 0;
+
+ for ( i=0; ml->sml_bvalues[i].bv_val; i++ ) {
+ int match = 0;
+ for ( an = ri->ri_attrs; an->an_name.bv_val; an++ ) {
+ if ( an->an_oc ) {
+ ocs = 1;
+ match |= an->an_oc_exclude;
+ if ( ml->sml_bvalues[i].bv_len == an->an_name.bv_len
+ && !strcasecmp(ml->sml_bvalues[i].bv_val,
+ an->an_name.bv_val ) ) {
+ match = !an->an_oc_exclude;
+ break;
+ }
+ }
+ }
+ /* Objectclasses need no special treatment, drop into
+ * regular processing
+ */
+ if ( !ocs ) break;
+
+ match ^= ri->ri_exclude;
+ /* Found a match, log it */
+ if ( match ) {
+ if ( dohdr ) {
+ rephdr( ri, op, fp, now );
+ fprintf( fp, "changetype: modify\n" );
+ dohdr = 0;
+ }
+ if ( first ) {
+ fprintf( fp, "%s: %s\n", did, type );
+ first = 0;
+ }
+ vals[0] = an->an_name;
+ print_vals( fp, &ml->sml_desc->ad_cname, vals );
+ ocs = 2;
+ }
- case LDAP_MOD_INCREMENT:
- fprintf( fp, "increment: %s\n", type );
- break;
+ }
+ /* Explicit objectclasses have been handled already */
+ if ( ocs ) {
+ if ( ocs == 2 ) {
+ fprintf( fp, "-\n" );
+ }
+ continue;
+ }
+ }
+ }
+ if ( dohdr ) {
+ rephdr( ri, op, fp, now );
+ fprintf( fp, "changetype: modify\n" );
+ dohdr = 0;
}
+ fprintf( fp, "%s: %s\n", did, type );
if ( ml->sml_bvalues ) {
print_vals( fp, &ml->sml_desc->ad_cname, ml->sml_bvalues );
}
break;
case LDAP_REQ_ADD:
- fprintf( fp, "changetype: add\n" );
- a = first ? first : op->ora_e->e_attrs;
- for ( ; a != NULL; a=a->a_next ) {
+ for ( a = op->ora_e->e_attrs ; a != NULL; a=a->a_next ) {
if ( ri && ri->ri_attrs ) {
int is_in = ad_inlist( a->a_desc, ri->ri_attrs );
if ( ( !is_in && !ri->ri_exclude ) || ( is_in && ri->ri_exclude ) ) {
continue;
}
+
/* If the list includes objectClass names,
* only include those classes in the
* objectClass attribute
*/
- if ( a->a_desc == slap_schema.si_ad_objectClass ) {
- int ocs = 0;
- AttributeName *an;
- struct berval vals[2];
- vals[1].bv_val = NULL;
- vals[1].bv_len = 0;
- for ( an = ri->ri_attrs; an->an_name.bv_val; an++ ) {
- if ( an->an_oc ) {
- int i;
-
- for ( i=0; a->a_vals[i].bv_val; i++ ) {
+ if ( ocs && a->a_desc == slap_schema.si_ad_objectClass ) {
+ int i;
+
+ if ( ocs == -1 ) ocs = 0;
+
+ for ( i=0; a->a_vals[i].bv_val; i++ ) {
+ int match = 0;
+ for ( an = ri->ri_attrs; an->an_name.bv_val; an++ ) {
+ if ( an->an_oc ) {
+ ocs = 1;
+ match |= an->an_oc_exclude;
if ( a->a_vals[i].bv_len == an->an_name.bv_len
&& !strcasecmp(a->a_vals[i].bv_val,
an->an_name.bv_val ) ) {
- ocs = 1;
- vals[0] = an->an_name;
- print_vals( fp, &a->a_desc->ad_cname, vals );
+ match = !an->an_oc_exclude;
break;
}
}
}
+ if ( !ocs ) break;
+
+ match ^= ri->ri_exclude;
+ if ( match ) {
+ if ( dohdr ) {
+ rephdr( ri, op, fp, now );
+ fprintf( fp, "changetype: add\n" );
+ dohdr = 0;
+ }
+ vals[0] = an->an_name;
+ print_vals( fp, &a->a_desc->ad_cname, vals );
+ }
}
if ( ocs ) continue;
}
}
+ if ( dohdr ) {
+ rephdr( ri, op, fp, now );
+ fprintf( fp, "changetype: add\n" );
+ dohdr = 0;
+ }
print_vals( fp, &a->a_desc->ad_cname, a->a_vals );
}
break;
case LDAP_REQ_DELETE:
+ rephdr( ri, op, fp, now );
fprintf( fp, "changetype: delete\n" );
break;
case LDAP_REQ_MODRDN:
+ rephdr( ri, op, fp, now );
fprintf( fp, "changetype: modrdn\n" );
fprintf( fp, "newrdn: %s\n", op->orr_newrdn.bv_val );
fprintf( fp, "deleteoldrdn: %d\n", op->orr_deleteoldrdn ? 1 : 0 );
{
BerElementBuffer berbuf;
BerElement *ber = (BerElement *) &berbuf;
- int rc;
+ int rc = LDAP_SUCCESS;
long bytes;
if (op->o_callback) {
{
Connection c = *op->o_conn;
char buf[ SLAP_LDAPDN_MAXLEN ];
- struct berval id = { uri->bv_len, (char *)buf },
+ struct berval id,
user = { 0, NULL },
realm = { 0, NULL },
mech = { 0, NULL };
return LDAP_INVALID_SYNTAX;
}
+ id.bv_len = uri->bv_len;
+ id.bv_val = buf;
strncpy( buf, uri->bv_val, sizeof( buf ) );
rc = slap_parse_user( &id, &user, &realm, &mech );
goto exact_match;
} else if ( d > 0 ) {
- struct berval bv = { op.o_req_ndn.bv_len, assertDN->bv_val + d };
+ struct berval bv;
+
+ bv.bv_len = op.o_req_ndn.bv_len;
+ bv.bv_val = assertDN->bv_val + d;
if ( bv.bv_val[ -1 ] == ',' && dn_match( &op.o_req_ndn, &bv ) ) {
rc = LDAP_SUCCESS;
static int certificateValidate( Syntax *syntax, struct berval *in )
{
X509 *xcert=NULL;
- unsigned char *p = in->bv_val;
+ unsigned char *p = (unsigned char *)in->bv_val;
xcert = d2i_X509(NULL, &p, in->bv_len);
if ( !xcert ) return LDAP_INVALID_SYNTAX;
HASH_CONTEXT HASHcontext;
unsigned char HASHdigest[HASH_BYTES];
struct berval digest;
- digest.bv_val = HASHdigest;
+ digest.bv_val = (char *)HASHdigest;
digest.bv_len = sizeof(HASHdigest);
for( i=0; values[i].bv_val != NULL; i++ ) {
HASH_Init( &HASHcontext );
if( prefix != NULL && prefix->bv_len > 0 ) {
HASH_Update( &HASHcontext,
- prefix->bv_val, prefix->bv_len );
+ (unsigned char *)prefix->bv_val,
+ prefix->bv_len );
}
HASH_Update( &HASHcontext,
- syntax->ssyn_oid, slen );
+ (unsigned char *)syntax->ssyn_oid, slen );
HASH_Update( &HASHcontext,
- mr->smr_oid, mlen );
+ (unsigned char *)mr->smr_oid, mlen );
HASH_Update( &HASHcontext,
- values[i].bv_val, values[i].bv_len );
+ (unsigned char *)values[i].bv_val, values[i].bv_len );
HASH_Final( HASHdigest, &HASHcontext );
ber_dupbv_x( &keys[i], &digest, ctx );
unsigned char HASHdigest[HASH_BYTES];
struct berval *value = (struct berval *) assertedValue;
struct berval digest;
- digest.bv_val = HASHdigest;
+ digest.bv_val = (char *)HASHdigest;
digest.bv_len = sizeof(HASHdigest);
slen = syntax->ssyn_oidlen;
HASH_Init( &HASHcontext );
if( prefix != NULL && prefix->bv_len > 0 ) {
HASH_Update( &HASHcontext,
- prefix->bv_val, prefix->bv_len );
+ (unsigned char *)prefix->bv_val, prefix->bv_len );
}
HASH_Update( &HASHcontext,
- syntax->ssyn_oid, slen );
+ (unsigned char *)syntax->ssyn_oid, slen );
HASH_Update( &HASHcontext,
- mr->smr_oid, mlen );
+ (unsigned char *)mr->smr_oid, mlen );
HASH_Update( &HASHcontext,
- value->bv_val, value->bv_len );
+ (unsigned char *)value->bv_val, value->bv_len );
HASH_Final( HASHdigest, &HASHcontext );
ber_dupbv_x( keys, &digest, ctx );
HASH_CONTEXT HASHcontext;
unsigned char HASHdigest[HASH_BYTES];
struct berval digest;
- digest.bv_val = HASHdigest;
+ digest.bv_val = (char *)HASHdigest;
digest.bv_len = sizeof(HASHdigest);
nkeys=0;
HASH_Init( &HASHcontext );
if( prefix != NULL && prefix->bv_len > 0 ) {
HASH_Update( &HASHcontext,
- prefix->bv_val, prefix->bv_len );
+ (unsigned char *)prefix->bv_val, prefix->bv_len );
}
HASH_Update( &HASHcontext,
- &pre, sizeof( pre ) );
+ (unsigned char *)&pre, sizeof( pre ) );
HASH_Update( &HASHcontext,
- syntax->ssyn_oid, slen );
+ (unsigned char *)syntax->ssyn_oid, slen );
HASH_Update( &HASHcontext,
- mr->smr_oid, mlen );
+ (unsigned char *)mr->smr_oid, mlen );
HASH_Update( &HASHcontext,
- &values[i].bv_val[j],
+ (unsigned char *)&values[i].bv_val[j],
SLAP_INDEX_SUBSTR_MAXLEN );
HASH_Final( HASHdigest, &HASHcontext );
HASH_Init( &HASHcontext );
if( prefix != NULL && prefix->bv_len > 0 ) {
HASH_Update( &HASHcontext,
- prefix->bv_val, prefix->bv_len );
+ (unsigned char *)prefix->bv_val, prefix->bv_len );
}
HASH_Update( &HASHcontext,
- &pre, sizeof( pre ) );
+ (unsigned char *)&pre, sizeof( pre ) );
HASH_Update( &HASHcontext,
- syntax->ssyn_oid, slen );
+ (unsigned char *)syntax->ssyn_oid, slen );
HASH_Update( &HASHcontext,
- mr->smr_oid, mlen );
+ (unsigned char *)mr->smr_oid, mlen );
HASH_Update( &HASHcontext,
- values[i].bv_val, j );
+ (unsigned char *)values[i].bv_val, j );
HASH_Final( HASHdigest, &HASHcontext );
ber_dupbv_x( &keys[nkeys++], &digest, ctx );
HASH_Init( &HASHcontext );
if( prefix != NULL && prefix->bv_len > 0 ) {
HASH_Update( &HASHcontext,
- prefix->bv_val, prefix->bv_len );
+ (unsigned char *)prefix->bv_val, prefix->bv_len );
}
HASH_Update( &HASHcontext,
- &pre, sizeof( pre ) );
+ (unsigned char *)&pre, sizeof( pre ) );
HASH_Update( &HASHcontext,
- syntax->ssyn_oid, slen );
+ (unsigned char *)syntax->ssyn_oid, slen );
HASH_Update( &HASHcontext,
- mr->smr_oid, mlen );
+ (unsigned char *)mr->smr_oid, mlen );
HASH_Update( &HASHcontext,
- &values[i].bv_val[values[i].bv_len-j], j );
+ (unsigned char *)&values[i].bv_val[values[i].bv_len-j], j );
HASH_Final( HASHdigest, &HASHcontext );
ber_dupbv_x( &keys[nkeys++], &digest, ctx );
return LDAP_SUCCESS;
}
- digest.bv_val = HASHdigest;
+ digest.bv_val = (char *)HASHdigest;
digest.bv_len = sizeof(HASHdigest);
slen = syntax->ssyn_oidlen;
HASH_Init( &HASHcontext );
if( prefix != NULL && prefix->bv_len > 0 ) {
HASH_Update( &HASHcontext,
- prefix->bv_val, prefix->bv_len );
+ (unsigned char *)prefix->bv_val, prefix->bv_len );
}
HASH_Update( &HASHcontext,
- &pre, sizeof( pre ) );
+ (unsigned char *)&pre, sizeof( pre ) );
HASH_Update( &HASHcontext,
- syntax->ssyn_oid, slen );
+ (unsigned char *)syntax->ssyn_oid, slen );
HASH_Update( &HASHcontext,
- mr->smr_oid, mlen );
+ (unsigned char *)mr->smr_oid, mlen );
HASH_Update( &HASHcontext,
- value->bv_val, klen );
+ (unsigned char *)value->bv_val, klen );
HASH_Final( HASHdigest, &HASHcontext );
ber_dupbv_x( &keys[nkeys++], &digest, ctx );
HASH_Init( &HASHcontext );
if( prefix != NULL && prefix->bv_len > 0 ) {
HASH_Update( &HASHcontext,
- prefix->bv_val, prefix->bv_len );
+ (unsigned char *)prefix->bv_val, prefix->bv_len );
}
HASH_Update( &HASHcontext,
- &pre, sizeof( pre ) );
+ (unsigned char *)&pre, sizeof( pre ) );
HASH_Update( &HASHcontext,
- syntax->ssyn_oid, slen );
+ (unsigned char *)syntax->ssyn_oid, slen );
HASH_Update( &HASHcontext,
- mr->smr_oid, mlen );
+ (unsigned char *)mr->smr_oid, mlen );
HASH_Update( &HASHcontext,
- &value->bv_val[j], klen );
+ (unsigned char *)&value->bv_val[j], klen );
HASH_Final( HASHdigest, &HASHcontext );
ber_dupbv_x( &keys[nkeys++], &digest, ctx );
HASH_Init( &HASHcontext );
if( prefix != NULL && prefix->bv_len > 0 ) {
HASH_Update( &HASHcontext,
- prefix->bv_val, prefix->bv_len );
+ (unsigned char *)prefix->bv_val, prefix->bv_len );
}
HASH_Update( &HASHcontext,
- &pre, sizeof( pre ) );
+ (unsigned char *)&pre, sizeof( pre ) );
HASH_Update( &HASHcontext,
- syntax->ssyn_oid, slen );
+ (unsigned char *)syntax->ssyn_oid, slen );
HASH_Update( &HASHcontext,
- mr->smr_oid, mlen );
+ (unsigned char *)mr->smr_oid, mlen );
HASH_Update( &HASHcontext,
- &value->bv_val[value->bv_len-klen], klen );
+ (unsigned char *)&value->bv_val[value->bv_len-klen], klen );
HASH_Final( HASHdigest, &HASHcontext );
ber_dupbv_x( &keys[nkeys++], &digest, ctx );
{
ber_len_t count;
int len;
- unsigned char *u = in->bv_val;
+ unsigned char *u = (unsigned char *)in->bv_val;
if( in->bv_len == 0 && syntax == slap_schema.si_syn_directoryString ) {
/* directory strings cannot be empty */
/* make sure len corresponds with the offset
to the next character */
- if( LDAP_UTF8_OFFSET( u ) != len ) return LDAP_INVALID_SYNTAX;
+ if( LDAP_UTF8_OFFSET( (char *)u ) != len ) return LDAP_INVALID_SYNTAX;
}
if( count != 0 ) {
struct berval *normalized,
void *ctx )
{
- unsigned char octet;
+ unsigned char octet = '\0';
int i;
int j;
normalized->bv_len = 16;
assert( SLAP_MR_IS_VALUE_OF_ATTRIBUTE_SYNTAX(usage) );
- p = val->bv_val;
+ p = (unsigned char *)val->bv_val;
xcert = d2i_X509( NULL, &p, val->bv_len);
if( xcert == NULL ) goto done;
if( rc != LDAP_SUCCESS ) goto done;
normalized->bv_len = seriallen + issuer_dn.bv_len + 1;
- p = normalized->bv_val = ch_malloc(normalized->bv_len+1);
+ normalized->bv_val = ch_malloc(normalized->bv_len+1);
+ p = (unsigned char *)normalized->bv_val;
AC_MEMCPY(p, serial, seriallen);
p += seriallen;
*p++ = '$';
* scope ENUMERATED {
* baseObject (0),
* singleLevel (1),
- * wholeSubtree (2)
+ * wholeSubtree (2)
* },
* derefAliases ENUMERATED {
* neverDerefaliases (0),
const char *dummy; /* ignore msgs from bv2ad */
op->ors_attrs[i].an_desc = NULL;
op->ors_attrs[i].an_oc = NULL;
+ op->ors_attrs[i].an_oc_exclude = 0;
slap_bv2ad(&op->ors_attrs[i].an_name, &op->ors_attrs[i].an_desc, &dummy);
}
be_manageDSAit = manageDSAit;
}
- if ( (op->o_bd = select_backend( &op->o_req_ndn, be_manageDSAit, 1 )) == NULL ) {
+ op->o_bd = select_backend( &op->o_req_ndn, be_manageDSAit, 1 );
+ if ( op->o_bd == NULL ) {
rs->sr_ref = referral_rewrite( default_referral,
NULL, &op->o_req_dn, op->ors_scope );
uuid_attr[0].an_desc = NULL;
uuid_attr[0].an_oc = NULL;
+ uuid_attr[0].an_oc_exclude = 0;
uuid_attr[0].an_name.bv_len = 0;
uuid_attr[0].an_name.bv_val = NULL;
e.e_attrs = NULL;
rs->sr_ctrls = NULL;
}
}
+ return LDAP_SUCCESS;
}
int
typedef struct slap_attr_name {
struct berval an_name;
AttributeDescription *an_desc;
+ int an_oc_exclude;
ObjectClass *an_oc;
} AttributeName;
*/
typedef struct slap_filter {
ber_tag_t f_choice; /* values taken from ldap.h, plus: */
-#define SLAPD_FILTER_COMPUTED ((ber_tag_t) -1)
-#define SLAPD_FILTER_DN_ONE ((ber_tag_t) -2)
-#define SLAPD_FILTER_DN_SUBTREE ((ber_tag_t) -3)
+#define SLAPD_FILTER_COMPUTED ((ber_tag_t) -1)
+#define SLAPD_FILTER_DN_ONE ((ber_tag_t) -2)
+#define SLAPD_FILTER_DN_SUBTREE ((ber_tag_t) -3)
union f_un_u {
/* precomputed result */
struct slap_limits {
int lm_type; /* type of pattern */
#define SLAP_LIMITS_UNDEFINED 0x0000
-#define SLAP_LIMITS_EXACT 0x0001
-#define SLAP_LIMITS_BASE SLAP_LIMITS_EXACT
-#define SLAP_LIMITS_ONE 0x0002
-#define SLAP_LIMITS_SUBTREE 0x0003
+#define SLAP_LIMITS_EXACT 0x0001
+#define SLAP_LIMITS_BASE SLAP_LIMITS_EXACT
+#define SLAP_LIMITS_ONE 0x0002
+#define SLAP_LIMITS_SUBTREE 0x0003
#define SLAP_LIMITS_CHILDREN 0x0004
-#define SLAP_LIMITS_REGEX 0x0005
+#define SLAP_LIMITS_REGEX 0x0005
#define SLAP_LIMITS_ANONYMOUS 0x0006
-#define SLAP_LIMITS_USERS 0x0007
-#define SLAP_LIMITS_ANY 0x0008
+#define SLAP_LIMITS_USERS 0x0007
+#define SLAP_LIMITS_ANY 0x0008
regex_t lm_dn_regex; /* regex data for REGEX */
/*
+- de-IBM SLAPI
- add a config statement, or redefine the dynamic backend one,
"modulepath", to set/modify the load path also for plugins
(both plugins and modules use ltdl, so "modulepath" suffices ...)
- use syslog where available?
- add some plugin monitoring stuff in back-monitor (e.g. a subentry
for each plugin with data from struct Slapi_PluginDesc)
-
-
-
- This is a very tough task: try to implement a sandbox to execute
plugins in, trap deadly signals and possibly disable unsafe plugins
without crashing slapd (fork from inside thread? trap signals
for (i = 0; attrs[i] != 0; i++) {
an[i].an_desc = NULL;
an[i].an_oc = NULL;
+ an[i].an_oc_exclude = 0;
an[i].an_name.bv_val = slapi_ch_strdup(attrs[i]);
an[i].an_name.bv_len = strlen(attrs[i]);
slap_bv2ad( &an[i].an_name, &an[i].an_desc, &text );