Update slap_op to maintain dn and ndn (derived from conn->c_dn).
Update ldbm_back_bind to return actual bound dn (including rootdn)
for use in slapd_conn. Other backends use client dn.
Modify other code to use ndn (normalized uppercase dn) almost everywhere.
Aliasing, Suffixing and modrdn could use more work.
Applied suffixing to compare and modrdn.
int rc;
if ( verbose ) {
- printf( "%sdeleting entry %s\n", not ? "!" : "", dn );
+ printf( "%sdeleting entry \"%s\"\n",
+ (not ? "!" : ""), dn );
}
if ( not ) {
rc = LDAP_SUCCESS;
if (( rc = ldap_delete_s( ld, dn )) != LDAP_SUCCESS ) {
ldap_perror( ld, "ldap_delete" );
} else if ( verbose ) {
- printf( "entry removed\n" );
+ printf( "\tremoved\n" );
}
}
#define SLAPD_PIDEXT ".pid"
/* extension of the slapd args file */
#define SLAPD_ARGSEXT ".args"
- /* dn of the special "monitor" entry */
-#define SLAPD_MONITOR_DN "cn=monitor"
- /* dn of the special "config" entry */
-#define SLAPD_CONFIG_DN "cn=config"
/* minimum max ids that a single index entry can map to in ldbm */
#define SLAPD_LDBM_MIN_MAXIDS 4000
+/* the following DNs must be normalized and in uppercase! */
+ /* dn of the special "monitor" entry */
+#define SLAPD_MONITOR_DN "CN=MONITOR"
+ /* dn of the special "config" entry */
+#define SLAPD_CONFIG_DN "CN=CONFIG"
+ /* dn of the special "schema" entry */
+/* #define SLAPD_SCHEMA_DN "CN=SCHEMA" */
+
#endif /* _LDAP_CONFIG_H */
/*
- * access_allowed - check whether dn is allowed the requested access
+ * access_allowed - check whether op->o_ndn is allowed the requested access
* to entry e, attribute attr, value val. if val is null, access to
* the whole attribute is assumed (all values). this routine finds
* the applicable acl and calls acl_access_allowed() to make the
Entry *e,
char *attr,
struct berval *val,
- char *dn,
int access
)
{
return( 0 );
}
- edn = dn_normalize_case( ch_strdup( e->e_dn ) );
+ edn = e->e_ndn;
+
Debug( LDAP_DEBUG_ACL, "\n=> access_allowed: entry (%s) attr (%s)\n",
e->e_dn, attr, 0 );
{
Debug( LDAP_DEBUG_ACL, "LASTMOD attribute: %s access allowed\n",
attr, 0, 0 );
- free( edn );
return(1);
}
memset(matches, 0, sizeof(matches));
- a = acl_get_applicable( be, op, e, attr, edn, MAXREMATCHES, matches );
+ a = acl_get_applicable( be, op, e, attr, MAXREMATCHES, matches );
if (a) {
for (i = 0; i < MAXREMATCHES && matches[i].rm_so > 0; i++) {
}
rc = acl_access_allowed( a, be, conn, e, val, op, access, edn, matches );
- free( edn );
Debug( LDAP_DEBUG_ACL, "\n=> access_allowed: exit (%s) attr (%s)\n",
e->e_dn, attr, 0);
Operation *op,
Entry *e,
char *attr,
- char *edn,
int nmatch,
regmatch_t *matches
)
{
int i, j;
struct acl *a;
+ char *edn;
Debug( LDAP_DEBUG_ACL, "\n=> acl_get: entry (%s) attr (%s)\n",
e->e_dn, attr, 0 );
- if ( be_isroot( be, op->o_dn ) ) {
+ if ( be_isroot( be, op->o_ndn ) ) {
Debug( LDAP_DEBUG_ACL,
"<= acl_get: no acl applicable to database root\n", 0, 0,
0 );
return( NULL );
}
+ edn = e->e_ndn;
+
Debug( LDAP_DEBUG_ARGS, "=> acl_get: edn %s\n", edn, 0, 0 );
/* check for a backend-specific acl that matches the entry */
"\n=> acl_access_allowed: %s access to value \"%s\" by \"%s\"\n",
access2str( access ),
val ? val->bv_val : "any",
- op->o_dn ? op->o_dn : "" );
+ op->o_ndn ? op->o_ndn : "" );
- if ( be_isroot( be, op->o_dn ) ) {
+ if ( be_isroot( be, op->o_ndn ) ) {
Debug( LDAP_DEBUG_ACL,
"<= acl_access_allowed: granted to database root\n",
0, 0, 0 );
return( default_access >= access );
}
- odn = NULL;
- if ( op->o_dn != NULL ) {
- odn = dn_normalize_case( ch_strdup( op->o_dn ) );
+ odn = op->o_ndn;
+
+ if ( odn != NULL ) {
bv.bv_val = odn;
bv.bv_len = strlen( odn );
}
+
for ( i = 1, b = a->acl_access; b != NULL; b = b->a_next, i++ ) {
if ( b->a_dnpat != NULL ) {
Debug( LDAP_DEBUG_TRACE, "<= check a_dnpat: %s\n",
* the entry, OR the given dn matches the dn pattern
*/
if ( strcasecmp( b->a_dnpat, "self" ) == 0 &&
- op->o_dn != NULL && *(op->o_dn) && e->e_dn != NULL )
+ op->o_ndn != NULL && *(op->o_ndn) && e->e_dn != NULL )
{
- if ( strcasecmp( edn, op->o_dn ) == 0 ) {
+ if ( strcasecmp( edn, op->o_ndn ) == 0 ) {
Debug( LDAP_DEBUG_ACL,
"<= acl_access_allowed: matched by clause #%d access %s\n",
i, (b->a_access & ~ACL_SELF) >=
access ? "granted" : "denied", 0 );
- if ( odn ) free( odn );
return( (b->a_access & ~ACL_SELF) >= access );
}
} else {
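Review bot: `strcasecmp( edn, op->o_ndn )` compares two values that this commit guarantees are already case-normalized (`e->e_ndn` and `op->o_ndn`), while the sibling changes (be_isroot, the update_ndn checks, ldbm_back_group) switch to `strcmp`. Using `strcmp( edn, op->o_ndn ) == 0` here as well keeps the convention uniform and tells a reader that both sides are expected to be in normalized form. The enclosing loop in acl_access_allowed starts and ends outside this hunk.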
i, (b->a_access & ~ACL_SELF) >= access ?
"granted" : "denied", 0 );
- if ( odn ) free( odn );
return( (b->a_access & ~ACL_SELF) >= access );
}
}
i, (b->a_access & ~ACL_SELF) >= access ?
"granted" : "denied", 0 );
- if ( odn ) free( odn );
return( (b->a_access & ~ACL_SELF) >= access );
}
}
i, (b->a_access & ~ACL_SELF) >= access ?
"granted" : "denied", 0 );
- if ( odn ) free( odn );
return( (b->a_access & ~ACL_SELF) >= access );
}
}
- if ( b->a_dnattr != NULL && op->o_dn != NULL ) {
+ if ( b->a_dnattr != NULL && op->o_ndn != NULL ) {
Debug( LDAP_DEBUG_ARGS, "<= check a_dnattr: %s\n",
b->a_dnattr, 0, 0);
/* see if asker is listed in dnattr */
continue;
}
- if ( odn ) free( odn );
Debug( LDAP_DEBUG_ACL,
"<= acl_acces_allowed: matched by clause #%d access %s\n",
i, (b->a_access & ~ACL_SELF) >= access ?
continue;
}
- if ( odn ) free( odn );
Debug( LDAP_DEBUG_ACL,
"<= acl_access_allowed: matched by clause #%d (self) access %s\n",
i, (b->a_access & ~ACL_SELF) >= access ? "granted"
return( (b->a_access & ~ACL_SELF) >= access );
}
#ifdef SLAPD_ACLGROUPS
- if ( b->a_group != NULL && op->o_dn != NULL ) {
- char buf[512];
+ if ( b->a_group != NULL && op->o_ndn != NULL ) {
+ char buf[1024];
/* b->a_group is an unexpanded entry name, expanded it should be an
* entry with objectclass group* and we test to see if odn is one of
*/
/* see if asker is listed in dnattr */
string_expand(buf, sizeof(buf), b->a_group, edn, matches);
+ (void) dn_normalize_case(buf);
if (be_group(be, e, buf, odn,
b->a_objectclassvalue, b->a_groupattrname) == 0)
Debug( LDAP_DEBUG_ACL,
"<= acl_access_allowed: matched by clause #%d (group) access granted\n",
i, 0, 0 );
- if ( odn ) free( odn );
return( (b->a_access & ~ACL_SELF) >= access );
}
}
#endif /* SLAPD_ACLGROUPS */
}
- if ( odn ) free( odn );
Debug( LDAP_DEBUG_ACL,
"<= acl_access_allowed: %s by default (no matching by)\n",
default_access >= access ? "granted" : "denied", 0, 0 );
{
int i;
struct acl *a;
- char *edn;
-
- edn = dn_normalize_case( ch_strdup( e->e_dn ) );
+ char *edn = e->e_ndn;
for ( ; mlist != NULL; mlist = mlist->ml_next ) {
regmatch_t matches[MAXREMATCHES];
continue;
}
- a = acl_get_applicable( be, op, e, mlist->ml_type, edn,
+ a = acl_get_applicable( be, op, e, mlist->ml_type,
MAXREMATCHES, matches );
switch ( mlist->ml_op & ~LDAP_MOD_BVALUES ) {
if ( ! acl_access_allowed( a, be, conn, e, mlist->ml_bvalues[i],
op, ACL_WRITE, edn, matches) )
{
- free(edn);
return( LDAP_INSUFFICIENT_ACCESS );
}
}
if ( ! acl_access_allowed( a, be, conn, e,
NULL, op, ACL_WRITE, edn, matches) )
{
- free(edn);
return( LDAP_INSUFFICIENT_ACCESS );
}
break;
if ( ! acl_access_allowed( a, be, conn, e, mlist->ml_bvalues[i],
op, ACL_WRITE, edn, matches) )
{
- free(edn);
return( LDAP_INSUFFICIENT_ACCESS );
}
}
}
}
- free(edn);
return( LDAP_SUCCESS );
}
*/
if ( be->be_add != NULL ) {
/* do the update here */
- if ( be->be_updatedn == NULL ||
- strcasecmp( be->be_updatedn, op->o_dn ) == 0 ) {
-
+ if ( be->be_update_ndn == NULL ||
+ strcmp( be->be_update_ndn, op->o_ndn ) == 0 )
+ {
if ( (be->be_lastmod == ON || (be->be_lastmod == UNDEFINED &&
- global_lastmod == ON)) && be->be_updatedn == NULL ) {
+ global_lastmod == ON)) && be->be_update_ndn == NULL ) {
add_created_attrs( op, e );
}
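Review bot: `strcmp( be->be_update_ndn, op->o_ndn )` on the new line dereferences a NULL `op->o_ndn` whenever a replica configured with an updatedn receives an anonymous add; the ACL code in this same commit treats `op->o_ndn` as nullable (`op->o_ndn ? op->o_ndn : ""`), so the guard is needed here too. Change the condition to `if ( be->be_update_ndn == NULL || ( op->o_ndn != NULL && strcmp( be->be_update_ndn, op->o_ndn ) == 0 ) )`. The same pattern appears in the do_delete, do_modify and do_modrdn hunks further down. The replaced `strcasecmp` had the same exposure, so this is pre-existing rather than introduced, but the rewrite is the place to fix it.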
free( matched );
}
- if ( ! access_allowed( be, conn, op, p, "children", NULL,
- op->o_dn, ACL_WRITE ) )
+ if ( ! access_allowed( be, conn, op, p,
+ "children", NULL, ACL_WRITE ) )
{
Debug( LDAP_DEBUG_TRACE, "no access to parent\n", 0,
0, 0 );
} else {
/* no parent, must be adding entry to root */
- if ( ! be_isroot( be, op->o_dn ) ) {
+ if ( ! be_isroot( be, op->o_ndn ) ) {
pthread_mutex_unlock(&li->li_add_mutex);
Debug( LDAP_DEBUG_TRACE, "no parent & not root\n", 0,
0, 0 );
Operation *op,
char *dn,
int method,
- struct berval *cred
+ struct berval *cred,
+ char** edn
)
{
struct ldbminfo *li = (struct ldbminfo *) be->be_private;
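Review bot: The new parameter is declared `char** edn` while the matching shell-backend hunk declares it `char **edn`; the pointer declarator conventionally binds to the name, so use `char **edn` in both places. The signature belongs to ldbm_back_bind, whose body continues in the following hunks.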
Debug(LDAP_DEBUG_ARGS, "==> ldbm_back_bind: dn: %s\n", dn, 0, 0);
+ *edn = NULL;
+
/* get entry with reader lock */
if ( (e = dn2entry_r( be, dn, &matched )) == NULL ) {
/* allow noauth binds */
rc = 1;
} else if ( be_isroot_pw( be, dn, cred ) ) {
/* front end will send result */
+ *edn = ch_strdup( be_root_dn( be ) );
rc = 0;
} else {
send_ldap_result( conn, op, LDAP_NO_SUCH_OBJECT, matched, NULL );
return( rc );
}
+ *edn = ch_strdup( e->e_dn );
+
/* check for deleted */
switch ( method ) {
goto return_results;
} else if ( be_isroot_pw( be, dn, cred ) ) {
/* front end will send result */
+ *edn = ch_strdup( be_root_dn( be ) );
rc = 0;
goto return_results;
}
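Review bot: `*edn = ch_strdup( be_root_dn( be ) );` on the new line overwrites the `ch_strdup( e->e_dn )` stored into `*edn` in the preceding hunk, leaking that copy; the same overwrite occurs in the two following hunks (the missing-userpassword and password-mismatch paths). Either free the previous value first, `free( *edn ); *edn = ch_strdup( be_root_dn( be ) );`, or set `*edn` in a single place just before `return_results` once the outcome is known. The enclosing function ldbm_back_bind starts and ends outside this hunk.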
if ( (a = attr_find( e->e_attrs, "userpassword" )) == NULL ) {
if ( be_isroot_pw( be, dn, cred ) ) {
/* front end will send result */
+ *edn = ch_strdup( be_root_dn( be ) );
rc = 0;
goto return_results;
}
goto return_results;
}
-#ifdef SLAPD_CRYPT
if ( crypted_value_find( a->a_vals, cred, a->a_syntax, 0, cred ) != 0 )
-#else
- if ( value_find( a->a_vals, cred, a->a_syntax, 0 ) != 0 )
-#endif
{
if ( be_isroot_pw( be, dn, cred ) ) {
/* front end will send result */
+ *edn = ch_strdup( be_root_dn( be ) );
rc = 0;
goto return_results;
}
}
/* check for deleted */
- if ( ! access_allowed( be, conn, op, e, ava->ava_type, &ava->ava_value,
- op->o_dn, ACL_COMPARE ) ) {
+ if ( ! access_allowed( be, conn, op, e,
+ ava->ava_type, &ava->ava_value, ACL_COMPARE ) )
+ {
send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS, "", "" );
rc = 1;
goto return_results;
}
#ifdef SLAPD_CHILD_MODIFICATION_WITH_ENTRY_ACL
- if ( ! access_allowed( be, conn, op, e, "entry", NULL, op->o_dn,
- ACL_WRITE ) ) {
+ if ( ! access_allowed( be, conn, op, e,
+ "entry", NULL, ACL_WRITE ) )
+ {
Debug(LDAP_DEBUG_ARGS,
"<=- ldbm_back_delete: insufficient access %s\n",
dn, 0, 0);
#ifndef SLAPD_CHILD_MODIFICATION_WITH_ENTRY_ACL
/* check parent for "children" acl */
- if ( ! access_allowed( be, conn, op, p, "children", NULL,
- op->o_dn, ACL_WRITE ) )
+ if ( ! access_allowed( be, conn, op, p,
+ "children", NULL, ACL_WRITE ) )
{
Debug( LDAP_DEBUG_TRACE, "no access to parent\n", 0,
0, 0 );
} else {
/* no parent, must be root to delete */
- if( ! be_isroot( be, op->o_dn ) ) {
+ if( ! be_isroot( be, op->o_ndn ) ) {
Debug( LDAP_DEBUG_TRACE, "no parent & not root\n",
0, 0, 0);
send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
#ifdef SLAPD_ACLGROUPS
-/* return 0 IFF edn is a value in member attribute
- * of entry with bdn AND that entry has an objectClass
+/* return 0 IFF op_dn is a value in member attribute
+ * of entry with gr_dn AND that entry has an objectClass
* value of groupOfNames
*/
int
ldbm_back_group(
- Backend *be,
+ Backend *be,
Entry *target,
- char *bdn,
- char *edn,
- char *objectclassValue,
- char *groupattrName
+ char *gr_ndn,
+ char *op_ndn,
+ char *objectclassValue,
+ char *groupattrName
)
{
struct ldbminfo *li = (struct ldbminfo *) be->be_private;
Entry *e;
- char *tdn, *xdn;
char *matched;
Attribute *objectClass;
Attribute *member;
int rc;
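Review bot: The updated header comment refers to `op_dn` and `gr_dn` while the parameters are now `op_ndn` and `gr_ndn`, and it does not say that both are expected to be normalized, which the `strcmp(target->e_ndn, gr_ndn)` later in the function relies on. Suggest `/* return 0 IFF op_ndn is a value in the member attribute of the entry named by gr_ndn AND that entry has an objectClass value of groupOfNames; both DNs must already be normalized (same form as e_ndn) */`. The function body continues in the following hunks.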
- Debug( LDAP_DEBUG_TRACE, "=> ldbm_back_group: bdn: %s\n", bdn, 0, 0 );
- Debug( LDAP_DEBUG_TRACE, "=> ldbm_back_group: edn: %s\n", edn, 0, 0 );
- Debug( LDAP_DEBUG_TRACE, "=> ldbm_back_group: objectClass: %s attrName: %s\n",
- objectclassValue, groupattrName, 0 );
-
- tdn = dn_normalize_case( ch_strdup( target->e_dn ) );
- xdn = dn_normalize_case( ch_strdup( bdn ) );
- Debug( LDAP_DEBUG_TRACE, "=> ldbm_back_group: tdn: %s\n", tdn, 0, 0 );
- if (strcmp(tdn, xdn) == 0) {
+ Debug( LDAP_DEBUG_TRACE,
+ "=> ldbm_back_group: gr dn: \"%s\"\n",
+ gr_ndn, 0, 0 );
+ Debug( LDAP_DEBUG_TRACE,
+ "=> ldbm_back_group: op dn: \"%s\"\n",
+ op_ndn, 0, 0 );
+ Debug( LDAP_DEBUG_TRACE,
+ "=> ldbm_back_group: objectClass: \"%s\" attrName: \"%s\"\n",
+ objectclassValue, groupattrName, 0 );
+
+ Debug( LDAP_DEBUG_TRACE,
+ "=> ldbm_back_group: tr dn: \"%s\"\n",
+ target->e_ndn, 0, 0 );
+
+ if (strcmp(target->e_ndn, gr_ndn) == 0) {
/* we already have a LOCKED copy of the entry */
e = target;
Debug( LDAP_DEBUG_ARGS,
- "=> ldbm_back_group: target is bdn: %s\n",
- bdn, 0, 0 );
+ "=> ldbm_back_group: target is group: \"%s\"\n",
+ gr_ndn, 0, 0 );
} else {
- /* can we find bdn entry with reader lock */
- if ((e = dn2entry_r(be, bdn, &matched )) == NULL) {
+ /* can we find group entry with reader lock */
+ if ((e = dn2entry_r(be, gr_ndn, &matched )) == NULL) {
Debug( LDAP_DEBUG_TRACE,
- "=> ldbm_back_group: cannot find bdn: %s matched: %s\n",
- bdn, (matched ? matched : ""), 0 );
+ "=> ldbm_back_group: cannot find group: \"%s\" matched: \"%s\"\n",
+ gr_ndn, (matched ? matched : ""), 0 );
if (matched != NULL)
free(matched);
- free(tdn);
- free(xdn);
return( 1 );
}
- Debug( LDAP_DEBUG_ARGS,
- "=> ldbm_back_group: found bdn: %s\n",
- bdn, 0, 0 );
+ Debug( LDAP_DEBUG_ARGS,
+ "=> ldbm_back_group: found group: \"%s\"\n",
+ gr_ndn, 0, 0 );
}
- free(tdn);
- free(xdn);
/* check for deleted */
/* find it's objectClass and member attribute values
* make sure this is a group entry
- * finally test if we can find edn in the member attribute value list *
+ * finally test if we can find op_dn in the member attribute value list *
*/
rc = 1;
bvObjectClass.bv_val = objectclassValue;
bvObjectClass.bv_len = strlen( bvObjectClass.bv_val );
- bvMembers.bv_val = edn;
- bvMembers.bv_len = strlen( edn );
+ bvMembers.bv_val = op_ndn;
+ bvMembers.bv_len = strlen( op_ndn );
if (value_find(objectClass->a_vals, &bvObjectClass, SYNTAX_CIS, 1) != 0) {
Debug( LDAP_DEBUG_TRACE,
objectclassValue, 0, 0 );
}
else if (value_find(member->a_vals, &bvMembers, SYNTAX_CIS, 1) != 0) {
- Debug( LDAP_DEBUG_ACL, "<= ldbm_back_group: %s not in %s: %s\n",
- edn, bdn, groupattrName );
+ Debug( LDAP_DEBUG_ACL,
+ "<= ldbm_back_group: \"%s\" not in \"%s\": %s\n",
+ op_ndn, gr_ndn, groupattrName );
}
else {
- Debug( LDAP_DEBUG_ACL, "<= ldbm_back_group: %s is in %s: %s\n",
- edn, bdn, groupattrName );
+ Debug( LDAP_DEBUG_ACL,
+ "<= ldbm_back_group: \"%s\" is in \"%s\": %s\n",
+ op_ndn, gr_ndn, groupattrName );
rc = 0;
}
}
/* free entry and reader lock */
cache_return_entry_r( &li->li_cache, e );
}
- Debug( LDAP_DEBUG_ARGS, "ldbm_back_group: rc: %d\n", rc, 0, 0 );
- return(rc);
+
+ Debug( LDAP_DEBUG_ARGS, "ldbm_back_group: rc: %d\n", rc, 0, 0 );
+ return(rc);
}
#endif /* SLAPD_ACLGROUPS */
switch ( mod->mod_op & ~LDAP_MOD_BVALUES ) {
case LDAP_MOD_ADD:
- err = add_values( e, mod, op->o_dn );
+ err = add_values( e, mod, op->o_ndn );
break;
case LDAP_MOD_DELETE:
- err = delete_values( e, mod, op->o_dn );
+ err = delete_values( e, mod, op->o_ndn );
break;
case LDAP_MOD_REPLACE:
- err = replace_values( e, mod, op->o_dn );
+ err = replace_values( e, mod, op->o_ndn );
break;
}
#ifdef SLAPD_CHILD_MODIFICATION_WITH_ENTRY_ACL
/* check parent for "children" acl */
- if ( ! access_allowed( be, conn, op, e, "entry", NULL,
- op->o_dn, ACL_WRITE ) )
+ if ( ! access_allowed( be, conn, op, e,
+ "entry", NULL, ACL_WRITE ) )
{
Debug( LDAP_DEBUG_TRACE, "no access to entry\n", 0,
0, 0 );
#ifndef SLAPD_CHILD_MODIFICATION_WITH_ENTRY_ACL
/* check parent for "children" acl */
- if ( ! access_allowed( be, conn, op, p, "children", NULL,
- op->o_dn, ACL_WRITE ) )
+ if ( ! access_allowed( be, conn, op, p,
+ "children", NULL, ACL_WRITE ) )
{
Debug( LDAP_DEBUG_TRACE, "no access to parent\n", 0,
0, 0 );
}
} else {
/* no parent, modrdn entry directly under root */
- if( ! be_isroot( be, op->o_dn ) ) {
+ if( ! be_isroot( be, op->o_ndn ) ) {
Debug( LDAP_DEBUG_TRACE, "no parent & not root\n",
0, 0, 0);
send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
Debug(LDAP_DEBUG_ARGS, "=> ldbm_back_search\n", 0, 0, 0);
- if ( tlimit == 0 && be_isroot( be, op->o_dn ) ) {
+ if ( tlimit == 0 && be_isroot( be, op->o_ndn ) ) {
tlimit = -1; /* allow root to set no limit */
} else {
tlimit = (tlimit > be->be_timelimit || tlimit < 1) ?
be->be_timelimit : tlimit;
stoptime = op->o_time + tlimit;
}
- if ( slimit == 0 && be_isroot( be, op->o_dn ) ) {
+ if ( slimit == 0 && be_isroot( be, op->o_ndn ) ) {
slimit = -1; /* allow root to set no limit */
} else {
slimit = (slimit > be->be_sizelimit || slimit < 1) ?
realBase = ch_strdup(base);
}
- (void) dn_normalize (realBase);
+ (void) dn_normalize_case( realBase );
Debug( LDAP_DEBUG_TRACE, "using base \"%s\"\n",
realBase, 0, 0 );
* this for subtree searches, and don't check the filter explicitly
* here since it's only a candidate anyway.
*/
- if ( e->e_dn != NULL &&
- strncasecmp( e->e_dn, "ref=", 4 ) == 0 &&
- (ref = attr_find( e->e_attrs, "ref" )) != NULL &&
- scope == LDAP_SCOPE_SUBTREE )
+ if ( scope == LDAP_SCOPE_SUBTREE &&
+ e->e_ndn != NULL &&
+ strncmp( e->e_ndn, "REF=", 4 ) == 0 &&
+ (ref = attr_find( e->e_attrs, "ref" )) != NULL )
{
int i, len;
scopeok = 1;
if ( scope == LDAP_SCOPE_ONELEVEL ) {
if ( (dn = dn_parent( be, e->e_dn )) != NULL ) {
- (void) dn_normalize( dn );
- scopeok = (dn == realBase) ? 1 : (! strcasecmp( dn, realBase ));
+ (void) dn_normalize_case( dn );
+ scopeok = (dn == realBase)
+ ? 1
+ : (strcmp( dn, realBase ) ? 0 : 1 );
free( dn );
} else {
scopeok = (realBase == NULL || *realBase == '\0');
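Review bot: The rewritten scopeok assignment spells a boolean as a three-way conditional, `(dn == realBase) ? 1 : (strcmp( dn, realBase ) ? 0 : 1 )`; the equivalent `scopeok = (dn == realBase) || strcmp( dn, realBase ) == 0;` yields the same 0/1 result and is easier to read. The enclosing search loop starts and ends outside this hunk.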
Operation *op,
char *dn,
int method,
- struct berval *cred
+ struct berval *cred,
+ char** edn
)
{
int return_code;
PerlBackend *perl_back = (PerlBackend *) be->be_private;
+ *edn = NULL;
+
pthread_mutex_lock( &perl_interpreter_mutex );
{
Operation *op,
char *dn,
int method,
- struct berval *cred
+ struct berval *cred,
+ char **edn
)
{
struct shellinfo *si = (struct shellinfo *) be->be_private;
FILE *rfp, *wfp;
int rc;
+ *edn = NULL;
+
if ( si->si_bind == NULL ) {
send_ldap_result( conn, op, LDAP_UNWILLING_TO_PERFORM, NULL,
"bind not implemented" );
}
int
-be_isroot( Backend *be, char *dn )
+be_isroot( Backend *be, char *ndn )
{
int rc;
- char *ndn;
- if ( dn == NULL || be->be_rootdn == NULL ) {
+ if ( ndn == NULL || be->be_root_ndn == NULL ) {
return( 0 );
}
- ndn = dn_normalize_case( ch_strdup( dn ) );
- rc = strcmp( be->be_rootdn, ndn ) ? 0 : 1;
+ rc = strcmp( be->be_root_ndn, ndn ) ? 0 : 1;
- free(ndn);
return(rc);
}
+char *
+be_root_dn( Backend *be )
+{
+ int rc;
+
+ if ( be->be_root_dn == NULL ) {
+ return( "" );
+ }
+
+ return be->be_root_dn;
+}
+
int
-be_isroot_pw( Backend *be, char *dn, struct berval *cred )
+be_isroot_pw( Backend *be, char *ndn, struct berval *cred )
{
int result;
- if ( ! be_isroot( be, dn ) ) {
+ if ( ! be_isroot( be, ndn ) ) {
return( 0 );
}
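Review bot: The new be_root_dn declares `int rc;` but never uses it, which -Wall will flag; drop the declaration. A short comment on the function would also help, since it deliberately returns the empty string literal rather than NULL when no rootdn is configured, e.g. `/* return the configured (unnormalized) rootdn, or "" if none; the result is not owned by the caller */` — the callers in this commit pass it straight to ch_strdup.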
pthread_mutex_lock( &crypt_mutex );
#endif
- result = lutil_passwd( cred->bv_val, be->be_rootpw );
+ result = lutil_passwd( cred->bv_val, be->be_root_pw );
#ifdef SLAPD_CRYPT
pthread_mutex_unlock( &crypt_mutex );
int
be_group(
Backend *be,
- Entry *e,
- char *bdn,
- char *edn,
+ Entry *target,
+ char *gr_ndn,
+ char *op_ndn,
char *objectclassValue,
char *groupattrName
)
{
- if (be->be_group)
- return(be->be_group(be, e, bdn, edn,
- objectclassValue, groupattrName));
- else
- return(1);
+ if (be->be_group)
+ return( be->be_group(be, target, gr_ndn, op_ndn,
+ objectclassValue, groupattrName) );
+ else
+ return(1);
}
#endif
{
BerElement *ber = op->o_ber;
int version, method, len;
+ char *cdn, *ndn;
unsigned long rc;
- char *dn;
struct berval cred;
Backend *be;
if ( ber_peek_tag( &tber, &tlen ) == LBER_SEQUENCE ) {
Debug( LDAP_DEBUG_ANY, "version 3.0 detected\n", 0, 0, 0 );
conn->c_version = 30;
- rc = ber_scanf(ber, "{{iato}}", &version, &dn, &method, &cred);
+ rc = ber_scanf(ber, "{{iato}}", &version, &cdn, &method, &cred);
} else {
- rc = ber_scanf( ber, "{iato}", &version, &dn, &method, &cred );
+ rc = ber_scanf( ber, "{iato}", &version, &cdn, &method, &cred );
}
}
#else
- rc = ber_scanf( ber, "{iato}", &version, &dn, &method, &cred );
+ rc = ber_scanf( ber, "{iato}", &version, &cdn, &method, &cred );
#endif
+
if ( rc == LBER_ERROR ) {
Debug( LDAP_DEBUG_ANY, "ber_scanf failed\n", 0, 0, 0 );
send_ldap_result( conn, op, LDAP_PROTOCOL_ERROR, NULL,
}
}
#endif /* compat30 */
- dn_normalize( dn );
+
+ Debug( LDAP_DEBUG_TRACE, "do_bind: version %d dn (%s) method %d\n",
+ version, cdn, method );
+
+ ndn = dn_normalize_case( ch_strdup( cdn ) );
Statslog( LDAP_DEBUG_STATS, "conn=%d op=%d BIND dn=\"%s\" method=%d\n",
- conn->c_connid, op->o_opid, dn, method, 0 );
+ conn->c_connid, op->o_opid, ndn, method, 0 );
if ( version != LDAP_VERSION2 ) {
- if ( dn != NULL ) {
- free( dn );
+ if ( cdn != NULL ) {
+ free( cdn );
+ }
+ if ( ndn != NULL ) {
+ free( ndn );
}
if ( cred.bv_val != NULL ) {
free( cred.bv_val );
return;
}
- Debug( LDAP_DEBUG_TRACE, "do_bind: version %d dn (%s) method %d\n",
- version, dn, method );
-
/* accept null binds */
- if ( dn == NULL || *dn == '\0' ) {
- if ( dn != NULL ) {
- free( dn );
+ if ( ndn == NULL || *ndn == '\0' ) {
+ if ( cdn != NULL ) {
+ free( cdn );
+ }
+ if ( ndn != NULL ) {
+ free( ndn );
}
if ( cred.bv_val != NULL ) {
free( cred.bv_val );
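Review bot: `ndn = dn_normalize_case( ch_strdup( cdn ) );` is reached before the later `cdn != NULL` checks in this hunk, so those checks imply cdn may be NULL, and if ch_strdup does not tolerate a NULL argument this is a NULL dereference on a malformed bind. Either drop the cdn NULL guards if ber_scanf's "a" conversion always yields a string, or compute `ndn = ( cdn != NULL ) ? dn_normalize_case( ch_strdup( cdn ) ) : NULL;`. The Statslog line now records the normalized uppercase DN rather than the form the client sent; if the stats log is used to correlate with client-side logs, consider logging cdn there instead. do_bind's body continues outside this hunk.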
* if we don't hold it.
*/
- if ( (be = select_backend( dn )) == NULL ) {
- free( dn );
+ if ( (be = select_backend( ndn )) == NULL ) {
+ free( cdn );
+ free( ndn );
if ( cred.bv_val != NULL ) {
free( cred.bv_val );
}
return;
}
- /* alias suffix */
- dn = suffixAlias ( dn, op, be );
-
if ( be->be_bind != NULL ) {
- if ( (*be->be_bind)( be, conn, op, dn, method, &cred ) == 0 ) {
+ /* alias suffix */
+ char *edn;
+
+ ndn = suffixAlias( ndn, op, be );
+ dn_normalize_case( ndn );
+
+ if ( (*be->be_bind)( be, conn, op, ndn, method, &cred, &edn ) == 0 ) {
pthread_mutex_lock( &conn->c_dnmutex );
- if ( conn->c_dn != NULL ) {
+
+ if ( conn->c_cdn != NULL ) {
+ free( conn->c_cdn );
+ }
+
+ conn->c_cdn = cdn;
+ cdn = NULL;
+
+ if ( conn->c_cdn != NULL ) {
free( conn->c_dn );
}
- conn->c_dn = ch_strdup( dn );
+
+ if(edn != NULL) {
+ conn->c_dn = edn;
+ } else {
+ conn->c_dn = ndn;
+ ndn = NULL;
+ }
+
+ Debug( LDAP_DEBUG_TRACE, "do_bind: bound \"%s\" to \"%s\"\n",
+ conn->c_cdn, conn->c_dn, method );
+
pthread_mutex_unlock( &conn->c_dnmutex );
/* send this here to avoid a race condition */
send_ldap_result( conn, op, LDAP_SUCCESS, NULL, NULL );
+
+ } else if (edn != NULL) {
+ free( edn );
}
+
} else {
send_ldap_result( conn, op, LDAP_UNWILLING_TO_PERFORM, NULL,
"Function not implemented" );
}
- free( dn );
+ if( cdn != NULL ) {
+ free( cdn );
+ }
+ if( ndn != NULL ) {
+ free( ndn );
+ }
if ( cred.bv_val != NULL ) {
free( cred.bv_val );
}
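Review bot: The guard `if ( conn->c_cdn != NULL ) { free( conn->c_dn ); }` tests the wrong field — it checks the c_cdn assigned two lines earlier and then frees c_dn, so the condition no longer says what it means; since free(NULL) is a no-op the guard can simply be `free( conn->c_dn );` (or test `conn->c_dn`). `char *edn;` is declared uninitialized and only the backends touched by this commit set `*edn = NULL` on entry, so the later `else if (edn != NULL) free( edn );` reads an indeterminate value for any bind implementation that does not; declare it `char *edn = NULL;`. Both points are in the be_bind branch of do_bind, whose body continues past the end of this hunk.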
Operation *op
)
{
- char *dn;
+ char *ndn;
Ava ava;
int rc;
Backend *be;
* }
*/
- if ( ber_scanf( op->o_ber, "{a{ao}}", &dn, &ava.ava_type,
+ if ( ber_scanf( op->o_ber, "{a{ao}}", &ndn, &ava.ava_type,
&ava.ava_value ) == LBER_ERROR ) {
Debug( LDAP_DEBUG_ANY, "ber_scanf failed\n", 0, 0, 0 );
send_ldap_result( conn, op, LDAP_PROTOCOL_ERROR, NULL, "" );
return;
}
value_normalize( ava.ava_value.bv_val, attr_syntax( ava.ava_type ) );
- dn_normalize( dn );
Debug( LDAP_DEBUG_ARGS, "do_compare: dn (%s) attr (%s) value (%s)\n",
- dn, ava.ava_type, ava.ava_value.bv_val );
+ ndn, ava.ava_type, ava.ava_value.bv_val );
+
+ ndn = dn_normalize( ndn );
Statslog( LDAP_DEBUG_STATS, "conn=%d op=%d CMP dn=\"%s\" attr=\"%s\"\n",
- conn->c_connid, op->o_opid, dn, ava.ava_type, 0 );
+ conn->c_connid, op->o_opid, ndn, ava.ava_type, 0 );
/*
* We could be serving multiple database backends. Select the
* appropriate one, or send a referral to our "referral server"
* if we don't hold it.
*/
- if ( (be = select_backend( dn )) == NULL ) {
- free( dn );
+ if ( (be = select_backend( ndn )) == NULL ) {
+ free( ndn );
ava_free( &ava, 0 );
send_ldap_result( conn, op, LDAP_PARTIAL_RESULTS, NULL,
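Review bot: do_compare calls `ndn = dn_normalize( ndn );` before Statslog and select_backend, whereas the do_delete, do_modify and do_modrdn hunks in this commit call `dn_normalize_case( ndn )` at that point; with only dn_normalize the value passed to select_backend here is not the uppercase form the rest of the commit standardizes on, and the variable's name promises otherwise. Use `(void) dn_normalize_case( ndn );` here as in the other operations (the second normalization after suffixAlias can stay). do_compare's body continues outside this hunk.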
return;
}
+ /* alias suffix if approp */
+ ndn = suffixAlias( ndn, op, be );
+ dn_normalize_case( ndn );
+
if ( be->be_compare != NULL ) {
- (*be->be_compare)( be, conn, op, dn, &ava );
+ (*be->be_compare)( be, conn, op, ndn, &ava );
} else {
send_ldap_result( conn, op, LDAP_UNWILLING_TO_PERFORM, NULL,
"Function not implemented" );
}
- free( dn );
+ free( ndn );
ava_free( &ava, 0 );
}
"%s: line %d: rootdn line must appear inside a database definition (ignored)\n",
fname, lineno, 0 );
} else {
- be->be_rootdn = dn_normalize_case( ch_strdup( cargv[1] ) );
+ be->be_root_dn = ch_strdup( cargv[1] );
+ be->be_root_ndn = dn_normalize_case( ch_strdup( cargv[1] ) );
}
/* set super-secret magic database password */
"%s: line %d: rootpw line must appear inside a database definition (ignored)\n",
fname, lineno, 0 );
} else {
- be->be_rootpw = ch_strdup( cargv[1] );
+ be->be_root_pw = ch_strdup( cargv[1] );
}
/* make this database read-only */
"%s: line %d: updatedn line must appear inside a database definition (ignored)\n",
fname, lineno, 0 );
} else {
- be->be_updatedn = ch_strdup( cargv[1] );
- (void) dn_normalize( be->be_updatedn );
+ be->be_update_ndn = ch_strdup( cargv[1] );
+ (void) dn_normalize_case( be->be_update_ndn );
}
/* replication log file to which changes are appended */
for ( i = 0; i < dtblsize; i++ ) {
c[i].c_dn = NULL;
+ c[i].c_cdn = NULL;
c[i].c_addr = NULL;
c[i].c_domain = NULL;
c[i].c_ops = NULL;
free( c[ns].c_dn );
c[ns].c_dn = NULL;
}
+ if ( c[ns].c_cdn != NULL ) {
+ free( c[ns].c_cdn );
+ c[ns].c_cdn = NULL;
+ }
pthread_mutex_unlock( &c[ns].c_dnmutex );
c[ns].c_starttime = currenttime;
c[ns].c_opsinitiated = 0;
Operation *op
)
{
- char *dn, *odn;
+ char *ndn;
Backend *be;
Debug( LDAP_DEBUG_TRACE, "do_delete\n", 0, 0, 0 );
* DelRequest := DistinguishedName
*/
- if ( ber_scanf( op->o_ber, "a", &dn ) == LBER_ERROR ) {
+ if ( ber_scanf( op->o_ber, "a", &ndn ) == LBER_ERROR ) {
Debug( LDAP_DEBUG_ANY, "ber_scanf failed\n", 0, 0, 0 );
send_ldap_result( conn, op, LDAP_PROTOCOL_ERROR, NULL, "" );
return;
}
- odn = ch_strdup( dn );
- dn_normalize( dn );
- Debug( LDAP_DEBUG_ARGS, "do_delete: dn (%s)\n", dn, 0, 0 );
+ Debug( LDAP_DEBUG_ARGS, "do_delete: dn (%s)\n", ndn, 0, 0 );
- Debug( LDAP_DEBUG_STATS, "DEL dn=\"%s\"\n", dn, 0, 0 );
+ dn_normalize_case( ndn );
+
+ Debug( LDAP_DEBUG_STATS, "DEL dn=\"%s\"\n", ndn, 0, 0 );
/*
* We could be serving multiple database backends. Select the
* appropriate one, or send a referral to our "referral server"
* if we don't hold it.
*/
- if ( (be = select_backend( dn )) == NULL ) {
- free( dn );
- free( odn );
+ if ( (be = select_backend( ndn )) == NULL ) {
+ free( ndn );
send_ldap_result( conn, op, LDAP_PARTIAL_RESULTS, NULL,
default_referral );
return;
}
- /* alias suffix if approp */
- dn = suffixAlias ( dn, op, be );
+ /* alias suffix if approp */
+ ndn = suffixAlias( ndn, op, be );
+ dn_normalize_case( ndn );
/*
* do the delete if 1 && (2 || 3)
* 1) there is a delete function implemented in this backend;
* 2) this backend is master for what it holds;
- * 3) it's a replica and the dn supplied is the updatedn.
+ * 3) it's a replica and the dn supplied is the update_ndn.
*/
if ( be->be_delete != NULL ) {
/* do the update here */
- if ( be->be_updatedn == NULL || strcasecmp( be->be_updatedn,
- op->o_dn ) == 0 ) {
- if ( (*be->be_delete)( be, conn, op, dn ) == 0 ) {
- replog( be, LDAP_REQ_DELETE, odn, NULL, 0 );
+ if ( be->be_update_ndn == NULL ||
+ strcmp( be->be_update_ndn, op->o_ndn ) == 0 )
+ {
+ if ( (*be->be_delete)( be, conn, op, ndn ) == 0 ) {
+ replog( be, LDAP_REQ_DELETE, ndn, NULL, 0 );
}
} else {
send_ldap_result( conn, op, LDAP_PARTIAL_RESULTS, NULL,
"Function not implemented" );
}
- free( dn );
- free( odn );
+ free( ndn );
}
int i, rc;
Attribute *a;
- if ( be != NULL && ! access_allowed( be, conn, op, e, ava->ava_type,
- &ava->ava_value, op->o_dn, ACL_SEARCH ) ) {
+ if ( be != NULL && ! access_allowed( be, conn, op, e,
+ ava->ava_type, &ava->ava_value, ACL_SEARCH ) )
+ {
return( -2 );
}
char *type
)
{
- if ( be != NULL && ! access_allowed( be, conn, op, e, type, NULL,
- op->o_dn, ACL_SEARCH ) ) {
+ if ( be != NULL && ! access_allowed( be, conn, op, e,
+ type, NULL, ACL_SEARCH ) )
+ {
return( -2 );
}
int i, rc, match;
Attribute *a;
- if ( be != NULL && ! access_allowed( be, conn, op, e, ava->ava_type,
- NULL, op->o_dn, ACL_SEARCH ) ) {
+ if ( be != NULL && ! access_allowed( be, conn, op, e,
+ ava->ava_type, NULL, ACL_SEARCH ) )
+ {
return( -2 );
}
Debug( LDAP_DEBUG_FILTER, "begin test_substring_filter\n", 0, 0, 0 );
- if ( be != NULL && ! access_allowed( be, conn, op, e, f->f_sub_type,
- NULL, op->o_dn, ACL_SEARCH ) ) {
+ if ( be != NULL && ! access_allowed( be, conn, op, e,
+ f->f_sub_type, NULL, ACL_SEARCH ) )
+ {
return( -2 );
}
struct hostent *hp;
c.c_dn = NULL;
+ c.c_cdn = NULL;
c.c_ops = NULL;
c.c_sb.sb_sd = 0;
c.c_sb.sb_options = 0;
Operation *op
)
{
- char *dn, *odn;
+ char *ndn;
char *last;
unsigned long tag, len;
LDAPModList *modlist, *tmp;
* }
*/
- if ( ber_scanf( op->o_ber, "{a" /*}*/, &dn ) == LBER_ERROR ) {
+ if ( ber_scanf( op->o_ber, "{a" /*}*/, &ndn ) == LBER_ERROR ) {
Debug( LDAP_DEBUG_ANY, "ber_scanf failed\n", 0, 0, 0 );
send_ldap_result( conn, op, LDAP_PROTOCOL_ERROR, NULL, "" );
return;
}
- odn = ch_strdup( dn );
- dn_normalize( dn );
- Debug( LDAP_DEBUG_ARGS, "do_modify: dn (%s)\n", dn, 0, 0 );
+ Debug( LDAP_DEBUG_ARGS, "do_modify: dn (%s)\n", ndn, 0, 0 );
+
+ (void) dn_normalize_case( ndn );
/* collect modifications & save for later */
modlist = NULL;
{
send_ldap_result( conn, op, LDAP_PROTOCOL_ERROR, NULL,
"decoding error" );
- free( dn );
- free( odn );
+ free( ndn );
free( *modtail );
*modtail = NULL;
modlist_free( modlist );
{
send_ldap_result( conn, op, LDAP_PROTOCOL_ERROR, NULL,
"unrecognized modify operation" );
- free( dn );
- free( odn );
+ free( ndn );
modlist_free( modlist );
return;
}
{
send_ldap_result( conn, op, LDAP_PROTOCOL_ERROR, NULL,
"no values given" );
- free( dn );
- free( odn );
+ free( ndn );
modlist_free( modlist );
return;
}
#endif
Statslog( LDAP_DEBUG_STATS, "conn=%d op=%d MOD dn=\"%s\"\n",
- conn->c_connid, op->o_opid, dn, 0, 0 );
+ conn->c_connid, op->o_opid, ndn, 0, 0 );
/*
* We could be serving multiple database backends. Select the
* appropriate one, or send a referral to our "referral server"
* if we don't hold it.
*/
- if ( (be = select_backend( dn )) == NULL ) {
- free( dn );
- free( odn );
+ if ( (be = select_backend( ndn )) == NULL ) {
+ free( ndn );
modlist_free( modlist );
send_ldap_result( conn, op, LDAP_PARTIAL_RESULTS, NULL,
default_referral );
return;
}
- /* alias suffix if approp */
- dn = suffixAlias ( dn, op, be );
+ /* alias suffix if approp */
+ ndn = suffixAlias ( ndn, op, be );
+ (void) dn_normalize_case( ndn );
/*
* do the modify if 1 && (2 || 3)
* 1) there is a modify function implemented in this backend;
* 2) this backend is master for what it holds;
- * 3) it's a replica and the dn supplied is the updatedn.
+ * 3) it's a replica and the dn supplied is the update_ndn.
*/
if ( be->be_modify != NULL ) {
/* do the update here */
- if ( be->be_updatedn == NULL ||
- strcasecmp( be->be_updatedn, op->o_dn ) == 0 ) {
-
+ if ( be->be_update_ndn == NULL ||
+ strcmp( be->be_update_ndn, op->o_ndn ) == 0 )
+ {
if ( (be->be_lastmod == ON || ( be->be_lastmod == UNDEFINED &&
- global_lastmod == ON ) ) && be->be_updatedn == NULL ) {
+ global_lastmod == ON ) ) && be->be_update_ndn == NULL ) {
add_lastmods( op, &modlist );
}
- if ( (*be->be_modify)( be, conn, op, odn, modlist ) == 0 ) {
- replog( be, LDAP_REQ_MODIFY, dn, modlist, 0 );
+ if ( (*be->be_modify)( be, conn, op, ndn, modlist ) == 0 ) {
+ replog( be, LDAP_REQ_MODIFY, ndn, modlist, 0 );
}
/* send a referral */
"Function not implemented" );
}
- free( dn );
- free( odn );
+ free( ndn );
modlist_free( modlist );
}
Operation *op
)
{
- char *dn, *odn, *newrdn;
+ char *ndn, *newrdn;
int deloldrdn;
Backend *be;
* }
*/
- if ( ber_scanf( op->o_ber, "{aab}", &dn, &newrdn, &deloldrdn )
+ if ( ber_scanf( op->o_ber, "{aab}", &ndn, &newrdn, &deloldrdn )
== LBER_ERROR ) {
Debug( LDAP_DEBUG_ANY, "ber_scanf failed\n", 0, 0, 0 );
send_ldap_result( conn, op, LDAP_PROTOCOL_ERROR, NULL, "" );
return;
}
- odn = ch_strdup( dn );
- dn_normalize( dn );
Debug( LDAP_DEBUG_ARGS,
- "do_modrdn: dn (%s) newrdn (%s) deloldrdn (%d)\n", dn, newrdn,
+ "do_modrdn: dn (%s) newrdn (%s) deloldrdn (%d)\n", ndn, newrdn,
deloldrdn );
+ dn_normalize_case( ndn );
+
Statslog( LDAP_DEBUG_STATS, "conn=%d op=%d MODRDN dn=\"%s\"\n",
- conn->c_connid, op->o_opid, dn, 0, 0 );
+ conn->c_connid, op->o_opid, ndn, 0, 0 );
/*
* We could be serving multiple database backends. Select the
* if we don't hold it.
*/
- if ( (be = select_backend( dn )) == NULL ) {
- free( dn );
- free( odn );
+ if ( (be = select_backend( ndn )) == NULL ) {
+ free( ndn );
free( newrdn );
send_ldap_result( conn, op, LDAP_PARTIAL_RESULTS, NULL,
default_referral );
return;
}
+ /* alias suffix if approp */
+ ndn = suffixAlias( ndn, op, be );
+ dn_normalize_case( ndn );
+
/*
* do the add if 1 && (2 || 3)
* 1) there is an add function implemented in this backend;
* 2) this backend is master for what it holds;
- * 3) it's a replica and the dn supplied is the updatedn.
+ * 3) it's a replica and the dn supplied is the update_ndn.
*/
if ( be->be_modrdn != NULL ) {
/* do the update here */
- if ( be->be_updatedn == NULL || strcasecmp( be->be_updatedn,
- op->o_dn ) == 0 ) {
- if ( (*be->be_modrdn)( be, conn, op, dn, newrdn,
+ if ( be->be_update_ndn == NULL ||
+ strcmp( be->be_update_ndn, op->o_ndn ) == 0 )
+ {
+ if ( (*be->be_modrdn)( be, conn, op, ndn, newrdn,
deloldrdn ) == 0 ) {
- replog( be, LDAP_REQ_MODRDN, odn, newrdn,
+ replog( be, LDAP_REQ_MODRDN, ndn, newrdn,
deloldrdn );
}
} else {
"Function not implemented" );
}
- free( dn );
- free( odn );
+ free( ndn );
free( newrdn );
}
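Review bot: The replica check `strcmp( be->be_update_ndn, op->o_ndn ) == 0` is now an exact, case-sensitive comparison, so it is only correct if `be_update_ndn` has itself been passed through dn_normalize_case() when slapd.conf is parsed; that code is not in this diff, and if it was missed a legitimate updatedn would silently stop matching (the modify hunk above has the same dependency at its `be_update_ndn == NULL || strcmp(...)` test). Separately, replog() now receives the normalized `ndn` rather than the client-supplied form it got before, so the replication log will carry uppercased, space-stripped DNs; harmless for LDAP matching, but a visible change in log content that the commit message should mention. The two `dn_normalize_case( ndn );` results in this hunk are discarded without the `(void)` cast the modify hunk uses; `(void) dn_normalize_case( ndn );` keeps the style consistent. do_modrdn's declaration is in the preceding hunk and the body between the hunks is not shown.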
pthread_mutex_lock( &c[i].c_dnmutex );
sprintf( buf, "%d : %s : %d : %d : %s : %s%s", i,
buf2, c[i].c_opsinitiated, c[i].c_opscompleted,
- c[i].c_dn ? c[i].c_dn : "NULLDN",
+ c[i].c_cdn ? c[i].c_cdn : "NULLDN",
c[i].c_gettingber ? "r" : "",
c[i].c_writewaiter ? "w" : "" );
pthread_mutex_unlock( &c[i].c_dnmutex );
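Review bot: The new `c_cdn` argument is the raw DN string supplied by the client, and it is formatted into `buf` with an unbounded `sprintf`, so this write is only safe if `buf` is sized for the longest DN a client can send; the declaration of `buf` is outside this hunk, so that cannot be confirmed here. If `buf` is a fixed-size array, `snprintf( buf, sizeof buf, "%d : %s : %d : %d : %s : %s%s", i,` bounds the write with a one-line change; if it is a pointer, pass its capacity explicitly. Reading `c_cdn` inside the `c_dnmutex` lock matches how `c_dn` was read before, which is right if that mutex guards both DN fields as slap.h later in this diff suggests.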
if ( op->o_dn != NULL ) {
free( op->o_dn );
}
+ if ( op->o_ndn != NULL ) {
+ free( op->o_ndn );
+ }
/* pthread_mutex_destroy( &op->o_abandonmutex ); */
free( (char *) op );
}
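Review bot: The NULL guard around the added `free( op->o_ndn )` is redundant, since `free(NULL)` is a no-op in C; the three new lines can be just `free( op->o_ndn );`. The same applies to the pre-existing `o_dn` guard the new code mirrors, so this is a style point only, and the `(char *)` cast on the final `free` is likewise unnecessary in C.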
(*tmp)->o_msgid = msgid;
(*tmp)->o_tag = tag;
(*tmp)->o_abandon = 0;
+
(*tmp)->o_dn = ch_strdup( dn != NULL ? dn : "" );
+ (*tmp)->o_ndn = dn_normalize_case( ch_strdup( (*tmp)->o_dn ) );
+
pthread_mutex_lock( ¤ttime_mutex );
(*tmp)->o_time = currenttime;
pthread_mutex_unlock( ¤ttime_mutex );
* acl.c
*/
-int access_allowed LDAP_P(( Backend *be, Connection *conn, Operation *op, Entry *e,
- char *attr, struct berval *val, char *dn, int access ));
+int access_allowed LDAP_P(( Backend *be, Connection *conn,
+ Operation *op, Entry *e,
+ char *attr, struct berval *val, int access ));
+
+struct acl * acl_get_applicable LDAP_P(( Backend *be,
+ Operation *op, Entry *e,
+ char *attr, int nmatches, regmatch_t *matches ));
-struct acl * acl_get_applicable LDAP_P(( Backend *be, Operation *op, Entry *e,
- char *attr, char *edn, int nmatches, regmatch_t *matches ));
int acl_access_allowed LDAP_P(( struct acl *a, Backend *be, Connection *conn, Entry *e,
struct berval *val, Operation *op, int access, char *edn,
regmatch_t *matches ));
Backend * new_backend LDAP_P(( char *type ));
Backend * select_backend LDAP_P(( char * dn ));
int be_issuffix LDAP_P(( Backend *be, char *suffix ));
-int be_isroot LDAP_P(( Backend *be, char *dn ));
-int be_isroot_pw LDAP_P(( Backend *be, char *dn, struct berval *cred ));
+int be_isroot LDAP_P(( Backend *be, char *ndn ));
+int be_isroot_pw LDAP_P(( Backend *be, char *ndn, struct berval *cred ));
+char* be_root_dn LDAP_P(( Backend *be ));
void be_close LDAP_P(( void ));
/*
extern struct objclass *global_oc;
extern time_t currenttime;
-extern int be_group LDAP_P((Backend *be, Entry *e,
- char *bdn, char *edn, char *objectclassValue, char *groupattrName));
+extern int be_group LDAP_P((Backend *be, Entry *target,
+ char *gr_ndn, char *op_ndn,
+ char *objectclassValue, char *groupattrName));
extern void init LDAP_P((void));
extern void be_unbind LDAP_P((Connection *conn, Operation *op));
extern void config_info LDAP_P((Connection *conn, Operation *op));
#endif
#ifdef SLAPD_LDBM
-extern int ldbm_back_bind LDAP_P((Backend *be, Connection *c, Operation *o, char *dn, int method, struct berval *cred ));
+extern int ldbm_back_bind LDAP_P((Backend *be,
+ Connection *c, Operation *o,
+ char *dn, int method, struct berval *cred, char** edn ));
extern void ldbm_back_unbind LDAP_P((Backend *be, Connection *c, Operation *o ));
extern int ldbm_back_search LDAP_P((Backend *be, Connection *c, Operation *o, char *base, int scope, int deref, int slimit, int tlimit, Filter *f, char *filterstr, char **attrs, int attrsonly));
extern int ldbm_back_compare LDAP_P((Backend *be, Connection *c, Operation *o, char *dn, Ava *ava));
extern void ldbm_back_init LDAP_P((Backend *be));
extern void ldbm_back_close LDAP_P((Backend *be));
extern int ldbm_back_group LDAP_P((Backend *be, Entry *target,
- char *bdn, char *edn, char *objectclassValue, char *groupattrName ));
+ char *gr_ndn, char *op_ndn,
+ char *objectclassValue, char *groupattrName ));
#endif
#ifdef SLAPD_PASSWD
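Review bot: The new `char** edn` out-parameter on ldbm_back_bind has no stated contract: whether the backend always sets it, whether it may alias `dn` or is freshly allocated, and who frees it are all left to the reader (the shell_back_bind and perl_back_bind prototypes in the next two hunks and the `be_bind` member in slap.h later in this diff share the gap). The commit message says it returns the DN actually bound, including the rootdn; please write that down where the callback type is declared, e.g. `/* edn: out, DN actually bound (may differ from dn, e.g. rootdn); allocation/ownership: TODO document */` on `be_bind`. Until then a caller cannot tell whether it must free `*edn`, which is exactly the kind of ambiguity that turns into a leak or a double free.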
#endif
#ifdef SLAPD_SHELL
-extern int shell_back_bind LDAP_P((Backend *be, Connection *c, Operation *o, char *dn, int method, struct berval *cred ));
+extern int shell_back_bind LDAP_P((Backend *be,
+ Connection *c, Operation *o,
+ char *dn, int method, struct berval *cred, char** edn ));
extern void shell_back_unbind LDAP_P((Backend *be, Connection *c, Operation *o ));
extern int shell_back_search LDAP_P((Backend *be, Connection *c, Operation *o, char *base, int scope, int deref, int slimit, int tlimit, Filter *f, char *filterstr, char **attrs, int attrsonly));
extern int shell_back_compare LDAP_P((Backend *be, Connection *c, Operation *o, char *dn, Ava *ava));
#endif
#ifdef SLAPD_PERL
-extern int perl_back_bind LDAP_P(( Backend *be, Connection *conn, Operation *op, char *dn, int method, struct berval *crede ));
+extern int perl_back_bind LDAP_P(( Backend *be,
+ Connection *conn, Operation *op,
+ char *dn, int method, struct berval *cred, char** edn ));
extern void perl_back_unbind LDAP_P(( Backend *be, Connection *conn, Operation *op ));
extern int perl_back_search LDAP_P(( Backend *be, Connection *conn, Operation *op, char *base, int scope, int deref, int sizelimit, int timelimit, Filter *filter, char *filterstr, char **attrs, int attrsonly ));
extern int perl_back_compare LDAP_P((Backend *be, Connection *conn, Operation *op, char *dn, Ava *ava ));
Debug( LDAP_DEBUG_TRACE, "=> send_search_entry (%s)\n", e->e_dn, 0, 0 );
- if ( ! access_allowed( be, conn, op, e, "entry", NULL, op->o_dn,
- ACL_READ ) ) {
+ if ( ! access_allowed( be, conn, op, e,
+ "entry", NULL, ACL_READ ) )
+ {
Debug( LDAP_DEBUG_ACL, "acl: access to entry not allowed\n",
0, 0, 0 );
return( 1 );
}
- edn = dn_normalize_case( ch_strdup( e->e_dn ) );
+ edn = e->e_ndn;
#ifdef LDAP_COMPAT30
if ( (ber = ber_alloc_t( conn->c_version == 30 ? 0 : LBER_USE_DER ))
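Review bot: With `edn = e->e_ndn;` the local now aliases memory owned by the entry, and its only remaining use is being passed to acl_access_allowed() in the following hunk next to `e` itself, so that function's separate `edn` parameter has become redundant; dropping it, as this commit already does for access_allowed() and acl_get_applicable(), would remove the duplication and the possibility of a caller passing a DN that does not belong to `e`. If the parameter stays, a short comment above the assignment, `/* edn aliases e->e_ndn; owned by the entry, do not free */`, would stop the two `free(edn)` calls this hunk removes from being reintroduced. send_search_entry continues past the end of this hunk.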
a->a_type, 0, 0 );
acl = NULL;
} else {
- acl = acl_get_applicable( be, op, e, a->a_type, edn,
+ acl = acl_get_applicable( be, op, e, a->a_type,
MAXREMATCHES, matches );
}
- if ( ! acl_access_allowed( acl, be, conn, e, NULL, op, ACL_READ,
- edn, matches ) )
+ if ( ! acl_access_allowed( acl, be, conn, e,
+ NULL, op, ACL_READ, edn, matches ) )
{
continue;
}
}
}
- free(edn);
-
#ifdef LDAP_COMPAT30
if ( conn->c_version == 30 ) {
rc = ber_printf( ber, "}}}}" );
return( rc );
error_return:;
- free(edn);
return( 1 );
}
"Unknown search scope" );
goto return_results;
}
- (void) dn_normalize( base );
+
+ (void) dn_normalize_case( base );
Debug( LDAP_DEBUG_ARGS, "SRCH \"%s\" %d %d", base, scope, deref );
Debug( LDAP_DEBUG_ARGS, " %d %d %d\n", sizelimit, timelimit,
#if defined( SLAPD_MONITOR_DN ) || defined( SLAPD_CONFIG_DN ) || defined( SLAPD_SCHEMA_DN )
if ( scope == LDAP_SCOPE_BASE ) {
#if defined( SLAPD_MONITOR_DN )
- if ( strcasecmp( base, SLAPD_MONITOR_DN ) == 0 ) {
+ if ( strcmp( base, SLAPD_MONITOR_DN ) == 0 ) {
monitor_info( conn, op );
goto return_results;
}
#endif
#if defined( SLAPD_CONFIG_DN )
- if ( strcasecmp( base, SLAPD_CONFIG_DN ) == 0 ) {
+ if ( strcmp( base, SLAPD_CONFIG_DN ) == 0 ) {
config_info( conn, op );
goto return_results;
}
#endif
#if defined( SLAPD_SCHEMA_DN )
- if ( strcasecmp( base, SLAPD_SCHEMA_DN ) == 0 ) {
+ if ( strcmp( base, SLAPD_SCHEMA_DN ) == 0 ) {
schema_info( conn, op );
goto return_results;
}
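Review bot: Switching these comparisons from strcasecmp to strcmp makes the match exact, so it now depends on two things this hunk does not show: `base` having gone through dn_normalize_case() (the earlier hunk at `(void) dn_normalize_case( base );`) and SLAPD_MONITOR_DN, SLAPD_CONFIG_DN and SLAPD_SCHEMA_DN being spelled in exactly that normalized, uppercase form. A one-line comment at the top of the block, `/* base is normalized by dn_normalize_case(); the SLAPD_*_DN macros must be spelled in that same form */`, records the coupling so that whoever next edits either side keeps them in step; a mismatch would not fail loudly but would quietly route the request to the backend instead of the special entry. This block sits inside do_search, whose body extends beyond the hunk.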
/* translate the base if it matches an aliased base part */
base = suffixAlias ( base, op, be );
+ (void) dn_normalize_case( base );
/* actually do the search and send the result(s) */
if ( be->be_search != NULL ) {
struct backend {
char **be_suffix; /* the DN suffixes of data in this backend */
char **be_suffixAlias; /* the DN suffix aliases of data in this backend */
- char *be_rootdn; /* the magic "root" dn for this db */
- char *be_rootpw; /* the magic "root" password for this db */
+ char *be_root_dn; /* the magic "root" dn for this db */
+ char *be_root_ndn; /* the magic "root" normalized dn for this db */
+ char *be_root_pw; /* the magic "root" password for this db */
int be_readonly; /* 1 => db is in "read only" mode */
int be_maxDerefDepth; /* limit for depth of an alias deref */
int be_sizelimit; /* size limit for this backend */
int be_dfltaccess; /* access given if no acl matches */
char **be_replica; /* replicas of this backend (in master) */
char *be_replogfile; /* replication log file (in master) */
- char *be_updatedn; /* allowed to make changes (in replicas) */
+ char *be_update_ndn; /* allowed to make changes (in replicas) */
int be_lastmod; /* keep track of lastmodified{by,time} */
char *be_type; /* type of database */
/* backend routines */
int (*be_bind) LDAP_P((Backend *be,
struct slap_conn *c, struct slap_op *o,
- char *dn, int method, struct berval *cred ));
+ char *dn, int method, struct berval *cred, char** edn ));
void (*be_unbind) LDAP_P((Backend *be,
struct slap_conn *c, struct slap_op *o ));
int (*be_search) LDAP_P((Backend *be,
unsigned long o_tag; /* tag of the request */
time_t o_time; /* time op was initiated */
char *o_dn; /* dn bound when op was initiated */
+ char *o_ndn; /* normalized dn bound when op was initiated */
char *o_suffix; /* suffix if aliased */
char *o_suffixAliased; /* pending suffix translation */
int o_authtype; /* auth method used to bind dn */
typedef struct slap_conn {
Sockbuf c_sb; /* ber connection stuff */
- char *c_dn; /* current DN bound to this conn */
+ char *c_cdn; /* DN provided by the client */
+ char *c_dn; /* DN bound to this conn */
pthread_mutex_t c_dnmutex; /* mutex for c_dn field */
int c_authtype; /* auth method used to bind c_dn */
#ifdef LDAP_COMPAT
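Review bot: The comment on `c_dnmutex` still reads `/* mutex for c_dn field */` although the connection now carries two DN fields and monitor.c, earlier in this diff, reads `c_cdn` under that same mutex; update it to `/* mutex for the c_cdn and c_dn fields */`. The two new field comments should also say which one authorization decisions use: the commit message describes `c_dn` as the DN actually bound (including the rootdn) and `c_cdn` as the form the client sent, so `/* DN provided by the client (display/logging only) */` and `/* DN actually bound to this conn; use this for access decisions */` would keep a future reader from checking access against the client-supplied string. The `c_authtype` comment refers to binding `c_dn`, which is consistent with that split.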
joinable: FALSE
multilinedescription: Everyone in the sample data
objectclass: rfc822mailgroup
-modifiersname: cn=Manager,o=University of Michigan,c=US
+modifiersname: cn=Manager, o=University of Michigan, c=US
dn: cn=Alumni Assoc Staff,ou=Groups,o=University of Michigan,c=US
member: cn=Manager, o=University of Michigan, c=US
lastmodifiedtime: 960404035839Z
lastmodifiedby: cn=Barbara Jensen, ou=Information Technology Division, ou=Peop
le, o=University of Michigan, c=US
-modifiersname: cn=Manager,o=University of Michigan,c=US
+modifiersname: cn=Manager, o=University of Michigan, c=US
homephone: +1 313 555 2333
pager: +1 313 555 3233
facsimiletelephonenumber: +1 313 555 2274
pager: +1 313 555 4474
facsimiletelephonenumber: +1 313 555 2177
telephonenumber: +1 313 555 0355
-modifiersname: cn=Manager,o=University of Michigan,c=US
+modifiersname: cn=Manager, o=University of Michigan, c=US
multilinedescription: The replaced multiLineDescription $ Blah Woof.
drink: Iced Tea
drink: Mad Dog 20/20
facsimiletelephonenumber: +1 313 555 3223
telephonenumber: +1 313 555 3664
mail: dots@mail.alumni.umich.edu
-modifiersname: cn=Manager,o=University of Michigan,c=US
+modifiersname: cn=Manager, o=University of Michigan, c=US
homephone: +1 313 555 0454
dn: cn=Gern Jensen, ou=Information Technology Division, ou=People, o=Universit
telephonenumber: +1 313 555 8343
mail: gjensen@mailgw.umich.edu
homephone: +1 313 555 8844
-creatorsname: cn=Manager,o=University of Michigan,c=US
+creatorsname: cn=Manager, o=University of Michigan, c=US
dn: ou=Groups, o=University of Michigan, c=US
objectclass: top
member: cn=James A Jones 1, ou=Alumni Association, ou=People, o=University of
Michigan, c=US
labeledurl: http://www.itd.umich.edu ITD Home Page
-modifiersname: cn=Manager,o=University of Michigan,c=US
+modifiersname: cn=Manager, o=University of Michigan, c=US
dn: cn=James A Jones 1, ou=Alumni Association, ou=People, o=University of Mich
igan, c=US
mail: jaj@mail.alumni.umich.edu
facsimiletelephonenumber: +1 313 555 4332
telephonenumber: +1 313 555 0895
-modifiersname: cn=Manager,o=University of Michigan,c=US
+modifiersname: cn=Manager, o=University of Michigan, c=US
drink: Orange Juice
dn: cn=Jane Doe, ou=Alumni Association, ou=People, o=University of Michigan, c
drink: diet coke
multilinedescription: Enthusiastic
mail: jdoe@woof.net
-modifiersname: cn=Manager,o=University of Michigan,c=US
+modifiersname: cn=Manager, o=University of Michigan, c=US
homephone: +1 313 555 5445
pager: +1 313 555 1220
facsimiletelephonenumber: +1 313 555 2311
homepostaladdress: 1000 Maple #44 $ Ann Arbor, MI 48103
title: Telemarketer, UM Alumni Association
mail: jen@mail.alumni.umich.edu
-modifiersname: cn=Manager,o=University of Michigan,c=US
+modifiersname: cn=Manager, o=University of Michigan, c=US
homephone: +1 313 555 2333
pager: +1 313 555 6442
facsimiletelephonenumber: +1 313 555 2756
title: System Administrator, Information Technology Division
multilinedescription: overworked!
mail: johnd@mailgw.umich.edu
-modifiersname: cn=Manager,o=University of Michigan,c=US
+modifiersname: cn=Manager, o=University of Michigan, c=US
homephone: +1 313 555 3774
pager: +1 313 555 6573
facsimiletelephonenumber: +1 313 555 4544
drink: Gasoline
title: Director, UM Alumni Association
mail: melliot@mail.alumni.umich.edu
-modifiersname: cn=Manager,o=University of Michigan,c=US
+modifiersname: cn=Manager, o=University of Michigan, c=US
pager: +1 313 555 7671
facsimiletelephonenumber: +1 313 555 7762
telephonenumber: +1 313 555 4177
nobatchupdates: TRUE
onvacation: FALSE
mail: uham@mail.alumni.umich.edu
-modifiersname: cn=Manager,o=University of Michigan,c=US
+modifiersname: cn=Manager, o=University of Michigan, c=US
homephone: +1 313 555 8421
pager: +1 313 555 2844
facsimiletelephonenumber: +1 313 555 9700
lastmodifiedby: cn=Barbara Jensen, ou=Information Technology Division, ou=Peop
le, o=University of Michigan, c=US
modifytimestamp: 960404171405Z
-modifiersname: cn=Manager,o=University of Michigan,c=US
+modifiersname: cn=Manager, o=University of Michigan, c=US
homephone: +1 313 555 2333
pager: +1 313 555 3233
facsimiletelephonenumber: +1 313 555 2274
postaladdress: Info Tech Division $ 535 W. William St. $ Ann Arbor, MI 48103
mail: bjorn@mailgw.umich.edu
modifytimestamp: 960404171424Z
-modifiersname: cn=Manager,o=University of Michigan,c=US
+modifiersname: cn=Manager, o=University of Michigan, c=US
homephone: +1 313 555 5444
pager: +1 313 555 4474
facsimiletelephonenumber: +1 313 555 2177
member: cn=John Doe, ou=Information Technology Division, ou=People, o=Universi
ty of Michigan, c=US
modifytimestamp: 960404171730Z
-modifiersname: cn=Manager,o=University of Michigan,c=US
+modifiersname: cn=Manager, o=University of Michigan, c=US
labeledurl: http://www.itd.umich.edu ITD Home Page
dn: cn=James A Jones 1, ou=Alumni Association, ou=People, o=University of Mich
pager: +1 313 555 3923
mail: jaj@mail.alumni.umich.edu
modifytimestamp: 960404171231Z
-modifiersname: cn=Manager,o=University of Michigan,c=US
+modifiersname: cn=Manager, o=University of Michigan, c=US
facsimiletelephonenumber: +1 313 555 4332
telephonenumber: +1 313 555 0895
dn: cn=All Staff,ou=Groups,o=University of Michigan,c=US
niversity of Michigan, c=US
member: cn=John Doe, ou=Information Technology Division, ou=People, o=Universi
ty of Michigan, c=US
-modifiersname: cn=Manager,o=University of Michigan,c=US
+modifiersname: cn=Manager, o=University of Michigan, c=US
labeledurl: http://www.itd.umich.edu ITD Home Page
dn: ou=People, o=University of Michigan, c=US
lastmodifiedby: cn=Barbara Jensen, ou=Information Technology Division, ou=Peop
le, o=University of Michigan, c=US
modifytimestamp: 960404171405Z
-modifiersname: cn=Manager,o=University of Michigan,c=US
+modifiersname: cn=Manager, o=University of Michigan, c=US
homephone: +1 313 555 2333
pager: +1 313 555 3233
facsimiletelephonenumber: +1 313 555 2274
postaladdress: Info Tech Division $ 535 W. William St. $ Ann Arbor, MI 48103
mail: bjorn@mailgw.umich.edu
modifytimestamp: 960404171424Z
-modifiersname: cn=Manager,o=University of Michigan,c=US
+modifiersname: cn=Manager, o=University of Michigan, c=US
homephone: +1 313 555 5444
pager: +1 313 555 4474
facsimiletelephonenumber: +1 313 555 2177
telephonenumber: +1 313 555 3664
mail: dots@mail.alumni.umich.edu
modifytimestamp: 960404171218Z
-modifiersname: cn=Manager,o=University of Michigan,c=US
+modifiersname: cn=Manager, o=University of Michigan, c=US
homephone: +1 313 555 0454
dn: cn=ITD Staff,ou=Groups,o=University of Michigan,c=US
member: cn=John Doe, ou=Information Technology Division, ou=People, o=Universi
ty of Michigan, c=US
modifytimestamp: 960404171730Z
-modifiersname: cn=Manager,o=University of Michigan,c=US
+modifiersname: cn=Manager, o=University of Michigan, c=US
labeledurl: http://www.itd.umich.edu ITD Home Page
dn: cn=James A Jones 1, ou=Alumni Association, ou=People, o=University of Mich
pager: +1 313 555 3923
mail: jaj@mail.alumni.umich.edu
modifytimestamp: 960404171231Z
-modifiersname: cn=Manager,o=University of Michigan,c=US
+modifiersname: cn=Manager, o=University of Michigan, c=US
facsimiletelephonenumber: +1 313 555 4332
telephonenumber: +1 313 555 0895
mail: jjones@mailgw.umich.edu
postaladdress: Info Tech Division $ 535 W William $ Ann Arbor, MI 48103
modifytimestamp: 960404171442Z
-modifiersname: cn=Manager,o=University of Michigan,c=US
+modifiersname: cn=Manager, o=University of Michigan, c=US
pager: +1 313 555 2833
facsimiletelephonenumber: +1 313 555 8688
telephonenumber: +1 313 555 7334
multilinedescription: Enthusiastic
mail: jdoe@woof.net
modifytimestamp: 960404171249Z
-modifiersname: cn=Manager,o=University of Michigan,c=US
+modifiersname: cn=Manager, o=University of Michigan, c=US
homephone: +1 313 555 5445
pager: +1 313 555 1220
facsimiletelephonenumber: +1 313 555 2311
title: Telemarketer, UM Alumni Association
mail: jen@mail.alumni.umich.edu
modifytimestamp: 960404171309Z
-modifiersname: cn=Manager,o=University of Michigan,c=US
+modifiersname: cn=Manager, o=University of Michigan, c=US
homephone: +1 313 555 2333
pager: +1 313 555 6442
facsimiletelephonenumber: +1 313 555 2756
multilinedescription: overworked!
mail: johnd@mailgw.umich.edu
modifytimestamp: 960404171509Z
-modifiersname: cn=Manager,o=University of Michigan,c=US
+modifiersname: cn=Manager, o=University of Michigan, c=US
homephone: +1 313 555 3774
pager: +1 313 555 6573
facsimiletelephonenumber: +1 313 555 4544
title: Director, UM Alumni Association
mail: melliot@mail.alumni.umich.edu
modifytimestamp: 960404171327Z
-modifiersname: cn=Manager,o=University of Michigan,c=US
+modifiersname: cn=Manager, o=University of Michigan, c=US
pager: +1 313 555 7671
facsimiletelephonenumber: +1 313 555 7762
telephonenumber: +1 313 555 4177
onvacation: FALSE
mail: uham@mail.alumni.umich.edu
modifytimestamp: 960404171346Z
-modifiersname: cn=Manager,o=University of Michigan,c=US
+modifiersname: cn=Manager, o=University of Michigan, c=US
homephone: +1 313 555 8421
pager: +1 313 555 2844
facsimiletelephonenumber: +1 313 555 9700
lastmodifiedby: cn=Barbara Jensen, ou=Information Technology Division, ou=Peop
le, o=University of Michigan, c=US
modifytimestamp: 960404171405Z
-modifiersname: cn=Manager,o=University of Michigan,c=US
+modifiersname: cn=Manager, o=University of Michigan, c=US
homephone: +1 313 555 2333
pager: +1 313 555 3233
facsimiletelephonenumber: +1 313 555 2274
postaladdress: Info Tech Division $ 535 W. William St. $ Ann Arbor, MI 48103
mail: bjorn@mailgw.umich.edu
modifytimestamp: 960404171424Z
-modifiersname: cn=Manager,o=University of Michigan,c=US
+modifiersname: cn=Manager, o=University of Michigan, c=US
homephone: +1 313 555 5444
pager: +1 313 555 4474
facsimiletelephonenumber: +1 313 555 2177
telephonenumber: +1 313 555 3664
mail: dots@mail.alumni.umich.edu
modifytimestamp: 960404171218Z
-modifiersname: cn=Manager,o=University of Michigan,c=US
+modifiersname: cn=Manager, o=University of Michigan, c=US
homephone: +1 313 555 0454
dn: ou=Groups, o=University of Michigan, c=US
member: cn=John Doe, ou=Information Technology Division, ou=People, o=Universi
ty of Michigan, c=US
modifytimestamp: 960404171730Z
-modifiersname: cn=Manager,o=University of Michigan,c=US
+modifiersname: cn=Manager, o=University of Michigan, c=US
labeledurl: http://www.itd.umich.edu ITD Home Page
dn: cn=James A Jones 1, ou=Alumni Association, ou=People, o=University of Mich
pager: +1 313 555 3923
mail: jaj@mail.alumni.umich.edu
modifytimestamp: 960404171231Z
-modifiersname: cn=Manager,o=University of Michigan,c=US
+modifiersname: cn=Manager, o=University of Michigan, c=US
facsimiletelephonenumber: +1 313 555 4332
telephonenumber: +1 313 555 0895
mail: jjones@mailgw.umich.edu
postaladdress: Info Tech Division $ 535 W William $ Ann Arbor, MI 48103
modifytimestamp: 960404171442Z
-modifiersname: cn=Manager,o=University of Michigan,c=US
+modifiersname: cn=Manager, o=University of Michigan, c=US
pager: +1 313 555 2833
facsimiletelephonenumber: +1 313 555 8688
telephonenumber: +1 313 555 7334
multilinedescription: Enthusiastic
mail: jdoe@woof.net
modifytimestamp: 960404171249Z
-modifiersname: cn=Manager,o=University of Michigan,c=US
+modifiersname: cn=Manager, o=University of Michigan, c=US
homephone: +1 313 555 5445
pager: +1 313 555 1220
facsimiletelephonenumber: +1 313 555 2311
title: Telemarketer, UM Alumni Association
mail: jen@mail.alumni.umich.edu
modifytimestamp: 960404171309Z
-modifiersname: cn=Manager,o=University of Michigan,c=US
+modifiersname: cn=Manager, o=University of Michigan, c=US
homephone: +1 313 555 2333
pager: +1 313 555 6442
facsimiletelephonenumber: +1 313 555 2756
multilinedescription: overworked!
mail: johnd@mailgw.umich.edu
modifytimestamp: 960404171509Z
-modifiersname: cn=Manager,o=University of Michigan,c=US
+modifiersname: cn=Manager, o=University of Michigan, c=US
homephone: +1 313 555 3774
pager: +1 313 555 6573
facsimiletelephonenumber: +1 313 555 4544
title: Director, UM Alumni Association
mail: melliot@mail.alumni.umich.edu
modifytimestamp: 960404171327Z
-modifiersname: cn=Manager,o=University of Michigan,c=US
+modifiersname: cn=Manager, o=University of Michigan, c=US
pager: +1 313 555 7671
facsimiletelephonenumber: +1 313 555 7762
telephonenumber: +1 313 555 4177
onvacation: FALSE
mail: uham@mail.alumni.umich.edu
modifytimestamp: 960404171346Z
-modifiersname: cn=Manager,o=University of Michigan,c=US
+modifiersname: cn=Manager, o=University of Michigan, c=US
homephone: +1 313 555 8421
pager: +1 313 555 2844
facsimiletelephonenumber: +1 313 555 9700