Fixed liblutil opendir/closedir on windows (ITS#6041)
Fixed liblutil for _GNU_SOURCE (ITS#5464,ITS#5666)
Added slapd sasl auxprop support (ITS#6147)
+ Added slapd schema checking tool (ITS#6150)
Fixed slapd assert with closing connections (ITS#6111)
Fixed slapd cert validation (ITS#6098)
Fixed slapd errno handling (ITS#6037)
--- /dev/null
+.TH SLAPSCHEMA 8C "RELEASEDATE" "OpenLDAP LDVERSION"
+.\" Copyright 1998-2009 The OpenLDAP Foundation All Rights Reserved.
+.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
+.\" $OpenLDAP$
+.SH NAME
+slapschema \- SLAPD in-database schema checking utility
+.SH SYNOPSIS
+.B SBINDIR/slapschema
+.B [\-a filter]
+.B [\-b suffix]
+.B [\-c]
+.B [\-d level]
+.B [\-f slapd.conf]
+.B [\-F confdir]
+.B [\-g]
+.B [\-l error-file]
+.B [\-n dbnum]
+.B [\-o name[=value]]
+.B [\-s subtree-dn]
+.B [\-v]
+.B
+.LP
+.SH DESCRIPTION
+.LP
+.B Slapschema
+is used to check schema compliance of the contents of a
+.BR slapd (8)
+database.
+It opens the given database determined by the database number or
+suffix and checks the compliance of its contents with the corresponding
+schema. Errors are written to standard output or the specified file.
+Databases configured as
+.B subordinate
+of this one are also output, unless \fB-g\fP is specified.
+.LP
+Administrators may need to modify existing schema items, including
+adding new required attributes to objectClasses,
+removing existing required or allowed attributes from objectClasses,
+entirely removing objectClasses,
+or any other change that may result in making perfectly valid entries
+no longer compliant with the modified schema.
+The execution of the
+.B slapschema tool after modifying the schema can point out
+inconsistencies that would otherwise surface only as soon as
+inconsistent entries need to be modified.
+
+.LP
+The entry records are checked in database order, not superior first
+order. The entry records will be checked considering all
+(user and operational) attributes stored in the database.
+Dynamically generated attributes (such as subschemaSubentry)
+will not be considered.
+.SH OPTIONS
+.TP
+.BI \-a " filter"
+Only check entries matching the asserted filter.
+For example
+
+slapschema -a \\
+ "(!(entryDN:dnSubtreeMatch:=ou=People,dc=example,dc=com))"
+
+will check all but the "ou=People,dc=example,dc=com" subtree
+of the "dc=example,dc=com" database.
+.TP
+.BI \-b " suffix"
+Use the specified \fIsuffix\fR to determine which database to
+check. The \-b cannot be used in conjunction
+with the
+.B \-n
+option.
+.TP
+.B \-c
+Enable continue (ignore errors) mode.
+.TP
+.BI \-d " level"
+Enable debugging messages as defined by the specified
+.IR level ;
+see
+.BR slapd (8)
+for details.
+.TP
+.BI \-f " slapd.conf"
+Specify an alternative
+.BR slapd.conf (5)
+file.
+.TP
+.BI \-F " confdir"
+specify a config directory.
+If both
+.B -f
+and
+.B -F
+are specified, the config file will be read and converted to
+config directory format and written to the specified directory.
+If neither option is specified, an attempt to read the
+default config directory will be made before trying to use the default
+config file. If a valid config directory exists then the
+default config file is ignored.
+.TP
+.B \-g
+disable subordinate gluing. Only the specified database will be
+processed, and not its glued subordinates (if any).
+.TP
+.BI \-l " error-file"
+Write errors to specified file instead of standard output.
+.TP
+.BI \-n " dbnum"
+Check the \fIdbnum\fR\-th database listed in the
+configuration file. The config database
+.BR slapd-config (5),
+is always the first database, so use
+.B \-n 0
+
+The
+.B \-n
+cannot be used in conjunction with the
+.B \-b
+option.
+.TP
+.BI \-o " option[=value]"
+Specify an
+.BR option
+with a(n optional)
+.BR value .
+Possible generic options/values are:
+.LP
+.nf
+ syslog=<subsystems> (see `\-s' in slapd(8))
+ syslog-level=<level> (see `\-S' in slapd(8))
+ syslog-user=<user> (see `\-l' in slapd(8))
+
+.fi
+.TP
+.BI \-s " subtree-dn"
+Only check entries in the subtree specified by this DN.
+Implies `-b subtree-dn' if no
+.B \-b
+nor
+.B \-n
+option is given.
+.TP
+.B \-v
+Enable verbose mode.
+.SH LIMITATIONS
+For some backend types, your
+.BR slapd (8)
+should not be running (at least, not in read-write
+mode) when you do this to ensure consistency of the database. It is
+always safe to run
+.B slapschema
+with the
+.BR slapd-bdb (5),
+.BR slapd-hdb (5),
+and
+.BR slapd-null (5)
+backends.
+.SH EXAMPLES
+To check the schema compliance of your SLAPD database after modifications
+to the schema, and put any error in a file called
+.BR errors.ldif ,
+give the command:
+.LP
+.nf
+.ft tt
+ SBINDIR/slapcat -l errors.ldif
+.ft
+.fi
+.SH "SEE ALSO"
+.BR ldap (3),
+.BR ldif (5),
+.BR slapd (8)
+.LP
+"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
+.SH ACKNOWLEDGEMENTS
+.so ../Project
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.
-SLAPTOOLS=slapadd slapcat slapdn slapindex slappasswd slaptest slapauth slapacl
+SLAPTOOLS=slapadd slapcat slapdn slapindex slappasswd slaptest slapauth slapacl slapschema
PROGRAMS=slapd $(SLAPTOOLS)
XPROGRAMS=sslapd libbackends.a .backend liboverlays.a
XSRCS=version.c
backglue.c backover.c ctxcsn.c ldapsync.c frontend.c \
slapadd.c slapcat.c slapcommon.c slapdn.c slapindex.c \
slappasswd.c slaptest.c slapauth.c slapacl.c component.c \
- aci.c alock.c txn.c \
+ aci.c alock.c txn.c slapschema.c \
$(@PLAT@_SRCS)
OBJS = main.o globals.o bconfig.o config.o daemon.o \
backglue.o backover.o ctxcsn.o ldapsync.o frontend.o \
slapadd.o slapcat.o slapcommon.o slapdn.o slapindex.o \
slappasswd.o slaptest.o slapauth.o slapacl.o component.o \
- aci.o alock.o txn.o \
+ aci.o alock.o txn.o slapschema.o \
$(@PLAT@_OBJS)
LDAP_INCDIR= ../../include -I$(srcdir) -I$(srcdir)/slapi -I.
typedef int (MainFunc) LDAP_P(( int argc, char *argv[] ));
extern MainFunc slapadd, slapcat, slapdn, slapindex, slappasswd,
- slaptest, slapauth, slapacl;
+ slaptest, slapauth, slapacl, slapschema;
static struct {
char *name;
{"slapdn", slapdn},
{"slapindex", slapindex},
{"slappasswd", slappasswd},
+ {"slapschema", slapschema},
{"slaptest", slaptest},
{"slapauth", slapauth},
{"slapacl", slapacl},
case SLAPTEST:
options = " [-u]\n";
break;
+
+ case SLAPSCHEMA:
+ options = " [-c]\n\t[-g] [-n databasenumber | -b suffix]"
+ " [-l errorfile] [-a filter] [-s subtree]\n";
+ break;
}
if ( options != NULL ) {
int mode = SLAP_TOOL_MODE;
int truncatemode = 0;
int use_glue = 1;
+ int writer;
#ifdef LDAP_DEBUG
/* tools default to "none", so that at least LDAP_DEBUG_ANY
mode |= SLAP_TOOL_READMAIN | SLAP_TOOL_READONLY;
break;
+ case SLAPSCHEMA:
+ options = "a:b:cd:f:F:gl:n:o:s:v";
+ mode |= SLAP_TOOL_READMAIN | SLAP_TOOL_READONLY;
+ break;
+
case SLAPTEST:
options = "d:f:F:o:Quv";
mode |= SLAP_TOOL_READMAIN | SLAP_TOOL_READONLY;
case 's': /* dump subtree */
if ( tool == SLAPADD )
mode |= SLAP_TOOL_NO_SCHEMA_CHECK;
- else if ( tool == SLAPCAT )
+ else if ( tool == SLAPCAT || tool == SLAPSCHEMA )
subtree = ch_strdup( optarg );
break;
}
#endif /* LDAP_DEBUG && LDAP_SYSLOG */
+ switch ( tool ) {
+ case SLAPCAT:
+ case SLAPSCHEMA:
+ writer = 1;
+ break;
+
+ default:
+ writer = 0;
+ break;
+ }
+
switch ( tool ) {
case SLAPADD:
case SLAPCAT:
+ case SLAPSCHEMA:
if ( ( argc != optind ) || (dbnum >= 0 && base.bv_val != NULL ) ) {
usage( tool, progname );
}
}
if ( ldiffile == NULL ) {
- dummy.fp = tool == SLAPCAT ? stdout : stdin;
+ dummy.fp = writer ? stdout : stdin;
ldiffp = &dummy;
- } else if ((ldiffp = ldif_open( ldiffile, tool == SLAPCAT ? "w" : "r" ))
+ } else if ((ldiffp = ldif_open( ldiffile, writer ? "w" : "r" ))
== NULL )
{
perror( ldiffile );
case SLAPADD:
case SLAPCAT:
case SLAPINDEX:
+ case SLAPSCHEMA:
if ( !nbackends ) {
fprintf( stderr, "No databases found "
"in config file\n" );
SLAPDN, /* DN check w/ syntax tool */
SLAPINDEX, /* database index tool */
SLAPPASSWD, /* password generation tool */
+ SLAPSCHEMA, /* schema checking tool */
SLAPTEST, /* slapd.conf test tool */
SLAPAUTH, /* test authz-regexp and authc/authz stuff */
SLAPACL, /* test acl */
--- /dev/null
+/* $OpenLDAP$ */
+/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
+ *
+ * Copyright 1998-2009 The OpenLDAP Foundation.
+ * Portions Copyright 1998-2003 Kurt D. Zeilenga.
+ * Portions Copyright 2003 IBM Corporation.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
+ *
+ * A copy of this license is available in file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * <http://www.OpenLDAP.org/license.html>.
+ */
+/* ACKNOWLEDGEMENTS:
+ * This work was initially developed by Pierangelo Masarati for inclusion
+ * in OpenLDAP Software. Code portions borrowed from slapcat.c;
+ * contributors are Kurt Zeilenga and Jong Hyuk Choi
+ */
+
+#include "portable.h"
+
+#include <stdio.h>
+
+#include "ac/stdlib.h"
+#include "ac/ctype.h"
+#include "ac/socket.h"
+#include "ac/string.h"
+
+#include "slapcommon.h"
+#include "ldif.h"
+
+static volatile sig_atomic_t gotsig;
+
+static RETSIGTYPE
+slapcat_sig( int sig )
+{
+ gotsig=1;
+}
+
+int
+slapschema( int argc, char **argv )
+{
+ ID id;
+ int rc = EXIT_SUCCESS;
+ const char *progname = "slapschema";
+ Connection conn = { 0 };
+ OperationBuffer opbuf;
+ Operation *op = NULL;
+
+ slap_tool_init( progname, SLAPCAT, argc, argv );
+
+#ifdef SIGPIPE
+ (void) SIGNAL( SIGPIPE, slapcat_sig );
+#endif
+#ifdef SIGHUP
+ (void) SIGNAL( SIGHUP, slapcat_sig );
+#endif
+ (void) SIGNAL( SIGINT, slapcat_sig );
+ (void) SIGNAL( SIGTERM, slapcat_sig );
+
+ if( !be->be_entry_open ||
+ !be->be_entry_close ||
+ !be->be_entry_first ||
+ !be->be_entry_next ||
+ !be->be_entry_get )
+ {
+ fprintf( stderr, "%s: database doesn't support necessary operations.\n",
+ progname );
+ exit( EXIT_FAILURE );
+ }
+
+ if( be->be_entry_open( be, 0 ) != 0 ) {
+ fprintf( stderr, "%s: could not open database.\n",
+ progname );
+ exit( EXIT_FAILURE );
+ }
+
+ connection_fake_init( &conn, &opbuf, &conn );
+ op = &opbuf.ob_op;
+ op->o_tmpmemctx = NULL;
+ op->o_bd = be;
+
+ for ( id = be->be_entry_first( be );
+ id != NOID;
+ id = be->be_entry_next( be ) )
+ {
+ Entry* e;
+ char textbuf[SLAP_TEXT_BUFLEN];
+ size_t textlen = sizeof(textbuf);
+ const char *text = NULL;
+
+ if ( gotsig )
+ break;
+
+ e = be->be_entry_get( be, id );
+ if ( e == NULL ) {
+ printf("# no data for entry id=%08lx\n\n", (long) id );
+ rc = EXIT_FAILURE;
+ if( continuemode ) continue;
+ break;
+ }
+
+ if( sub_ndn.bv_len && !dnIsSuffix( &e->e_nname, &sub_ndn ) ) {
+ be_entry_release_r( op, e );
+ continue;
+ }
+
+ if( filter != NULL ) {
+ int rc = test_filter( NULL, e, filter );
+ if( rc != LDAP_COMPARE_TRUE ) {
+ be_entry_release_r( op, e );
+ continue;
+ }
+ }
+
+ if( verbose ) {
+ printf( "# id=%08lx\n", (long) id );
+ }
+
+ rc = entry_schema_check( op, e, NULL, 0, 0, NULL,
+ &text, textbuf, textlen );
+ if ( rc != LDAP_SUCCESS ) {
+ fprintf( ldiffp->fp, "# (%d) %s%s%s\n",
+ rc, ldap_err2string( rc ),
+ text ? ": " : "",
+ text ? text : "" );
+ fprintf( ldiffp->fp, "dn: %s\n\n", e->e_name.bv_val );
+ }
+
+ be_entry_release_r( op, e );
+ }
+
+ be->be_entry_close( be );
+
+ if ( slap_tool_destroy() )
+ rc = EXIT_FAILURE;
+
+ return rc;
+}
projects / openldap / commitdiff