]> git.sur5r.net Git - openldap/commitdiff
remove rewrite stuff -- now delegted to rwm overlay
authorPierangelo Masarati <ando@openldap.org>
Sat, 13 Nov 2004 14:43:30 +0000 (14:43 +0000)
committerPierangelo Masarati <ando@openldap.org>
Sat, 13 Nov 2004 14:43:30 +0000 (14:43 +0000)
14 files changed:
servers/slapd/back-ldap/Makefile.in
servers/slapd/back-ldap/TODO.proxy
servers/slapd/back-ldap/add.c
servers/slapd/back-ldap/back-ldap.h
servers/slapd/back-ldap/bind.c
servers/slapd/back-ldap/compare.c
servers/slapd/back-ldap/config.c
servers/slapd/back-ldap/delete.c
servers/slapd/back-ldap/extended.c
servers/slapd/back-ldap/init.c
servers/slapd/back-ldap/modify.c
servers/slapd/back-ldap/modrdn.c
servers/slapd/back-ldap/search.c
servers/slapd/back-ldap/unbind.c

index f18c15353295c216d7ee7a6d1705807f3ec14013..cb52d04282e0897f5aaa39d137d168d4f2f562d1 100644 (file)
 ## <http://www.OpenLDAP.org/license.html>.
 
 SRCS   = init.c config.c search.c bind.c unbind.c add.c compare.c \
-               delete.c modify.c modrdn.c \
-               suffixmassage.c map.c extended.c
+               delete.c modify.c modrdn.c extended.c
 OBJS   = init.lo config.lo search.lo bind.lo unbind.lo add.lo compare.lo \
-               delete.lo modify.lo modrdn.lo \
-               suffixmassage.lo map.lo extended.lo
+               delete.lo modify.lo modrdn.lo extended.lo
 
 LDAP_INCDIR= ../../../include       
 LDAP_LIBDIR= ../../../libraries
@@ -29,12 +27,9 @@ BUILD_MOD = @BUILD_LDAP@
 mod_DEFS = -DSLAPD_IMPORT
 MOD_DEFS = $(@BUILD_LDAP@_DEFS)
 
-mod_REWRITE = $(LDAP_LIBREWRITE_A)
-
-REWRITE = $(@BUILD_META@_REWRITE) $(@BUILD_LDAP@_REWRITE)
 shared_LDAP_LIBS = $(LDAP_LIBLDAP_R_LA) $(LDAP_LIBLBER_LA)
-NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) $(REWRITE)
-UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) $(REWRITE)
+NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
+UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
 
 LIBBASE = back_ldap
 
index 41ada65624ef4dff9659060fa078020db36a3b2f..4e6109548a01f8e41ee32d85b594487e94ac1fc9 100644 (file)
@@ -13,11 +13,11 @@ and it wants to propose to the outer world as a unique URI
 
 "ldap://ldap.company.net/dc=company, dc=net"
 
-It could do some rewriting to map everything that comes in with a base dn
+It could do some rewriting to map everything that comes in with a base DN
 of "o=Branch 1, dc=company, dc=net" as the URI of the Branch 1, and
-everything that comes in with a base dn of "o=Branch 2, dc=company, dc=net"
-as the URI of Branch 2, and by rewriting all the dns back to the new, uniform 
-base. Everything that comes in with a base dn of "dc=company, dc=net" should 
+everything that comes in with a base DN of "o=Branch 2, dc=company, dc=net"
+as the URI of Branch 2, and by rewriting all the DNs back to the new, uniform 
+base. Everything that comes in with a base DN of "dc=company, dc=net" should 
 be handled locally and propagated to the two branch URIs if a subtree 
 (or at least onelevel) search is required.
 
@@ -35,7 +35,7 @@ Operations:
 
 The input of each operation may be related to:
 
-               exact dn        exact parent    ancestor
+               exact DN        exact parent    ancestor
 -------------------------------------------------------------
 bind           x
 unbind
@@ -47,20 +47,20 @@ modrdn              x
 delete         x
 abandon
 
-The backend must rely on a dn fetching mechanism. Each operation requires
+The backend must rely on a DN fetching mechanism. Each operation requires
 to determine as early as possible which URI will be able to satisfy it.
 Apart from searches, which by definition are usually allowed to return
 multiple results, and apart from unbind and abandon, which do not return any
 result, all the remaining operations require the related entry to be unique.
 
-A major problem isposed by the uniqueness of the dns. As far as the suffixes
-are masqueraded by a common suffix, tyhe dns are no longer guaranteed to be
+A major problem isposed by the uniqueness of the DNs. As far as the suffixes
+are masqueraded by a common suffix, the DNs are no longer guaranteed to be
 unique. This backend relies on the assumption that the uniqueness of the
-dns is guaranteed.
+DNs is guaranteed.
 
-Two layers of depth in dn fetching are envisaged.
+Two layers of depth in DN fetching are envisaged.
 The first layer is provided by a backend-side cache made of previously
-retrieved entries. The cache relates each rdn (i.e. the dn apart from the
+retrieved entries. The cache relates each RDN (i.e. the DN apart from the
 common suffix) to the pool of URIs that are expected to contain a subset
 of its children.
 
@@ -74,14 +74,14 @@ So write operations will require to skip the cache search and to perform
 the exaustive search of all the URIs unless some hint mechanism is provided
 to the backend (e.g. a server is read-only).
 
-Again, the lag between the fetching of the required dn and the actual
+Again, the lag between the fetching of the required DN and the actual
 read/write may result in a failure; however, this applies to any LDAP 
 operation AFAIK.
 
 - bind
 if updates are to be strictly honored, a bind operation is performed against
 each URI; otherwise, it is performed against the URIs resulting from a
-cache-level dn fetch.
+cache-level DN fetch.
 
 - unbind
 nothing to say; all the open handles related to the connection are reset.
@@ -90,12 +90,12 @@ nothing to say; all the open handles related to the connection are reset.
 if updates are to be strictly honored, a search operation is performed agaist
 each URI. Note that this needs be performed also when the backend suffix
 is used as base. In case the base is stricter, the URI pool may be restricted 
-by performing a cache dn fetch of the base first.
+by performing a cache DN fetch of the base first.
 
 - compare
-the same applies to the compare dn.
+the same applies to the compare DN.
 
 - add
-this operation is delicate. Unless the dn up to the top-level part excluded
+this operation is delicate. Unless the DN up to the top-level part excluded
 can be uniquely associated to a URI, and unless its uniqueness can be trusted,
 no add operation should be allowed.
index 638acfa6b11a874f374214612dfc5bc6758aacbc..3f4262a9fe370b9a9d67c2306fd4ff5204e5c649 100644 (file)
 
 int
 ldap_back_add(
-    Operation  *op,
-    SlapReply  *rs )
+       Operation       *op,
+       SlapReply       *rs )
 {
-       struct ldapinfo *li = (struct ldapinfo *) op->o_bd->be_private;
-       struct ldapconn *lc;
-       int i, j;
-       Attribute *a;
-       LDAPMod **attrs;
-       struct berval mapped;
-       struct berval mdn = BER_BVNULL;
-       ber_int_t msgid;
-       dncookie dc;
-       int isupdate;
-       int do_retry = 1;
-       LDAPControl **ctrls = NULL;
-       int rc = LDAP_SUCCESS;
-
-       Debug(LDAP_DEBUG_ARGS, "==> ldap_back_add: %s\n", op->o_req_dn.bv_val, 0, 0);
-       
-       lc = ldap_back_getconn(op, rs);
+       struct ldapconn *lc;
+       int             i = 0,
+                       j = 0;
+       Attribute       *a;
+       LDAPMod         **attrs = NULL,
+                       *attrs2 = NULL;
+       ber_int_t       msgid;
+       int             isupdate;
+       int             do_retry = 1;
+       LDAPControl     **ctrls = NULL;
+       int             rc = LDAP_SUCCESS;
+
+       Debug( LDAP_DEBUG_ARGS, "==> ldap_back_add(\"%s\")\n",
+                       op->o_req_dn.bv_val, 0, 0 );
+
+       lc = ldap_back_getconn( op, rs );
        if ( !lc || !ldap_back_dobind( lc, op, rs ) ) {
-               return( -1 );
-       }
-
-       /*
-        * Rewrite the add dn, if needed
-        */
-       dc.rwmap = &li->rwmap;
-#ifdef ENABLE_REWRITE
-       dc.conn = op->o_conn;
-       dc.rs = rs;
-       dc.ctx = "addDN";
-#else
-       dc.tofrom = 1;
-       dc.normalized = 0;
-#endif
-       if ( ldap_back_dn_massage( &dc, &op->o_req_dn, &mdn ) ) {
-               send_ldap_result( op, rs );
-               return -1;
+               rc = -1;
+               goto cleanup;
        }
 
        /* Count number of attributes in entry */
        for (i = 1, a = op->oq_add.rs_e->e_attrs; a; i++, a = a->a_next)
-               ;
+               /* just count attrs */ ;
        
        /* Create array of LDAPMods for ldap_add() */
-       attrs = (LDAPMod **)ch_malloc(sizeof(LDAPMod *)*i);
-
-#ifdef ENABLE_REWRITE
-       dc.ctx = "addAttrDN";
-#endif
+       attrs = (LDAPMod **)ch_malloc( sizeof( LDAPMod * )*i 
+                       + sizeof( LDAPMod )*( i - 1 ) );
+       attrs2 = ( LDAPMod * )&attrs[ i ];
 
        isupdate = be_shadow_update( op );
-       for (i=0, a=op->oq_add.rs_e->e_attrs; a; a=a->a_next) {
+       for ( i = 0, a = op->oq_add.rs_e->e_attrs; a; a = a->a_next ) {
                if ( !isupdate && a->a_desc->ad_type->sat_no_user_mod  ) {
                        continue;
                }
 
-               ldap_back_map(&li->rwmap.rwm_at, &a->a_desc->ad_cname, &mapped,
-                               BACKLDAP_MAP);
-               if (mapped.bv_val == NULL || mapped.bv_val[0] == '\0') {
-                       continue;
-               }
+               attrs[ i ] = &attrs2[ i ];
+               attrs[ i ]->mod_op = LDAP_MOD_BVALUES;
+               attrs[ i ]->mod_type = a->a_desc->ad_cname.bv_val;
 
-               attrs[i] = (LDAPMod *)ch_malloc(sizeof(LDAPMod));
-               if (attrs[i] == NULL) {
-                       continue;
+               for ( j = 0; a->a_vals[ j ].bv_val; j++ )
+                       /* just count vals */ ;
+               attrs[i]->mod_vals.modv_bvals = 
+                       ch_malloc( ( j + 1 )*sizeof( struct berval * ) );
+               for ( j = 0; a->a_vals[ j ].bv_val; j++ ) {
+                       attrs[ i ]->mod_vals.modv_bvals[ j ] = &a->a_vals[ j ];
                }
-
-               attrs[i]->mod_op = LDAP_MOD_BVALUES;
-               attrs[i]->mod_type = mapped.bv_val;
-
-               if ( a->a_desc->ad_type->sat_syntax ==
-                       slap_schema.si_syn_distinguishedName ) {
-                       /*
-                        * FIXME: rewrite could fail; in this case
-                        * the operation should give up, right?
-                        */
-                       (void)ldap_dnattr_rewrite( &dc, a->a_vals );
-               }
-
-               for (j=0; a->a_vals[j].bv_val; j++);
-               attrs[i]->mod_vals.modv_bvals = ch_malloc((j+1)*sizeof(struct berval *));
-               for (j=0; a->a_vals[j].bv_val; j++)
-                       attrs[i]->mod_vals.modv_bvals[j] = &a->a_vals[j];
-               attrs[i]->mod_vals.modv_bvals[j] = NULL;
+               attrs[ i ]->mod_vals.modv_bvals[ j ] = NULL;
                i++;
        }
-       attrs[i] = NULL;
+       attrs[ i ] = NULL;
 
        ctrls = op->o_ctrls;
 #ifdef LDAP_BACK_PROXY_AUTHZ
@@ -134,28 +99,31 @@ ldap_back_add(
 #endif /* LDAP_BACK_PROXY_AUTHZ */
 
 retry:
-       rs->sr_err = ldap_add_ext(lc->ld, mdn.bv_val, attrs,
-                       ctrls, NULL, &msgid);
+       rs->sr_err = ldap_add_ext( lc->lc_ld, op->o_req_dn.bv_val, attrs,
+                       ctrls, NULL, &msgid );
        rc = ldap_back_op_result( lc, op, rs, msgid, 1 );
        if ( rs->sr_err == LDAP_UNAVAILABLE && do_retry ) {
                do_retry = 0;
-               if ( ldap_back_retry (lc, op, rs )) goto retry;
+               if ( ldap_back_retry( lc, op, rs ) ) {
+                       goto retry;
+               }
        }
-#ifdef LDAP_BACK_PROXY_AUTHZ
+
 cleanup:
-       if ( ctrls && ctrls != op->o_ctrls ) {
-               free( ctrls[ 0 ] );
-               free( ctrls );
-       } 
+#ifdef LDAP_BACK_PROXY_AUTHZ
+       (void)ldap_back_proxy_authz_ctrl_free( op, &ctrls );
 #endif /* LDAP_BACK_PROXY_AUTHZ */
-       for (--i; i>= 0; --i) {
-               ch_free(attrs[i]->mod_vals.modv_bvals);
-               ch_free(attrs[i]);
-       }
-       ch_free(attrs);
-       if ( mdn.bv_val != op->o_req_dn.bv_val ) {
-               free( mdn.bv_val );
+
+       if ( attrs ) {
+               for ( --i; i >= 0; --i ) {
+                       ch_free( attrs[ i ]->mod_vals.modv_bvals );
+               }
+               ch_free( attrs );
        }
+
+       Debug( LDAP_DEBUG_ARGS, "<== ldap_back_add(\"%s\"): %d\n",
+                       op->o_req_dn.bv_val, rc, 0 );
+
        return rc;
 }
 
index 00f9b9a80f24098fa2a01935c0277fe3a3697f21..60ffa0ac1cc9bcce9842079e14e6e965f86ab782 100644 (file)
 
 #include "proto-ldap.h"
 
-/* String rewrite library */
-#ifdef ENABLE_REWRITE
-#include "rewrite.h"
-#endif /* ENABLE_REWRITE */
-
 #ifdef LDAP_DEVEL
 #define LDAP_BACK_PROXY_AUTHZ
 #endif
@@ -42,44 +37,13 @@ struct slap_op;
 struct slap_backend_db;
 
 struct ldapconn {
-       struct slap_conn        *conn;
-       LDAP            *ld;
-       struct berval   cred;
-       struct berval   bound_dn;
-       struct berval   local_dn;
-       int             bound;
-       ldap_pvt_thread_mutex_t         lc_mutex;
-};
-
-struct ldapmap {
-       int drop_missing;
-
-       Avlnode *map;
-       Avlnode *remap;
-};
-
-struct ldapmapping {
-       struct berval src;
-       struct berval dst;
-};
-
-struct ldaprwmap {
-       /*
-        * DN rewriting
-        */
-#ifdef ENABLE_REWRITE
-       struct rewrite_info *rwm_rw;
-#else /* !ENABLE_REWRITE */
-       /* some time the suffix massaging without librewrite
-        * will be disabled */
-       BerVarray rwm_suffix_massage;
-#endif /* !ENABLE_REWRITE */
-
-       /*
-        * Attribute/objectClass mapping
-        */
-       struct ldapmap rwm_oc;
-       struct ldapmap rwm_at;
+       struct slap_conn        *lc_conn;
+       LDAP                    *lc_ld;
+       struct berval           lc_cred;
+       struct berval           lc_bound_ndn;
+       struct berval           lc_local_ndn;
+       int                     lc_bound;
+       ldap_pvt_thread_mutex_t lc_mutex;
 };
 
 struct ldapauth {
@@ -94,9 +58,10 @@ struct ldapauth {
        struct berval   la_sasl_mech;
        struct berval   la_sasl_realm;
        
-#define LDAP_BACK_AUTH_NONE            0x00
-#define        LDAP_BACK_AUTH_NATIVE_AUTHZ     0x01
-       int             la_flags;
+#define LDAP_BACK_AUTH_NONE            0x00U
+#define        LDAP_BACK_AUTH_NATIVE_AUTHZ     0x01U
+#define        LDAP_BACK_AUTH_OVERRIDE         0x02U
+       unsigned        la_flags;
 };
 
 struct ldapinfo {
@@ -135,35 +100,8 @@ struct ldapinfo {
        ldap_pvt_thread_mutex_t         conn_mutex;
        int savecred;
        Avlnode *conntree;
-
-#if 0
-#ifdef ENABLE_REWRITE
-       struct rewrite_info *rwinfo;
-#else /* !ENABLE_REWRITE */
-       BerVarray suffix_massage;
-#endif /* !ENABLE_REWRITE */
-
-       struct ldapmap oc_map;
-       struct ldapmap at_map;
-#endif
-
-       struct ldaprwmap rwmap;
 };
 
-/* Whatever context ldap_back_dn_massage needs... */
-typedef struct dncookie {
-       struct ldaprwmap *rwmap;
-
-#ifdef ENABLE_REWRITE
-       Connection *conn;
-       char *ctx;
-       SlapReply *rs;
-#else
-       int normalized;
-       int tofrom;
-#endif
-} dncookie;
-
 int ldap_back_freeconn( Operation *op, struct ldapconn *lc );
 struct ldapconn *ldap_back_getconn(struct slap_op *op, struct slap_rep *rs);
 int ldap_back_dobind(struct ldapconn *lc, Operation *op, SlapReply *rs);
@@ -173,62 +111,10 @@ int ldap_back_op_result(struct ldapconn *lc, Operation *op, SlapReply *rs,
        ber_int_t msgid, int sendok);
 int    back_ldap_LTX_init_module(int argc, char *argv[]);
 
-int ldap_back_dn_massage(dncookie *dc, struct berval *dn,
-       struct berval *res);
-
 extern int ldap_back_conn_cmp( const void *c1, const void *c2);
 extern int ldap_back_conn_dup( void *c1, void *c2 );
 extern void ldap_back_conn_free( void *c );
 
-/* attributeType/objectClass mapping */
-int mapping_cmp (const void *, const void *);
-int mapping_dup (void *, void *);
-
-void ldap_back_map_init ( struct ldapmap *lm, struct ldapmapping ** );
-void ldap_back_map ( struct ldapmap *map, struct berval *s, struct berval *m,
-       int remap );
-#define BACKLDAP_MAP   0
-#define BACKLDAP_REMAP 1
-char *
-ldap_back_map_filter(
-               struct ldapmap *at_map,
-               struct ldapmap *oc_map,
-               struct berval *f,
-               int remap
-);
-
-int
-ldap_back_map_attrs(
-               struct ldapmap *at_map,
-               AttributeName *a,
-               int remap,
-               char ***mapped_attrs
-);
-
-extern int ldap_back_map_config(
-               struct ldapmap  *oc_map,
-               struct ldapmap  *at_map,
-               const char      *fname,
-               int             lineno,
-               int             argc,
-               char            **argv );
-
-extern int
-ldap_back_filter_map_rewrite(
-               dncookie                *dc,
-               Filter                  *f,
-               struct berval           *fstr,
-               int                     remap );
-
-/* suffix massaging by means of librewrite */
-#ifdef ENABLE_REWRITE
-extern int suffix_massage_config( struct rewrite_info *info,
-               struct berval *pvnc, struct berval *nvnc,
-               struct berval *prnc, struct berval *nrnc);
-#endif /* ENABLE_REWRITE */
-extern int ldap_dnattr_rewrite( dncookie *dc, BerVarray a_vals );
-extern int ldap_dnattr_result_rewrite( dncookie *dc, BerVarray a_vals );
-
 #ifdef LDAP_BACK_PROXY_AUTHZ
 extern int
 ldap_back_proxy_authz_ctrl(
@@ -236,6 +122,11 @@ ldap_back_proxy_authz_ctrl(
                Operation       *op,
                SlapReply       *rs,
                LDAPControl     ***pctrls );
+
+extern int
+ldap_back_proxy_authz_ctrl_free(
+               Operation       *op,
+               LDAPControl     ***pctrls );
 #endif /* LDAP_BACK_PROXY_AUTHZ */
 
 LDAP_END_DECL
index dd660a729567c46c58b27d5edf987613c5a6d251..5c1205561580a020120076c80681062885b853d3 100644 (file)
 
 static LDAP_REBIND_PROC        ldap_back_rebind;
 
+#ifdef LDAP_BACK_PROXY_AUTHZ
+static int
+ldap_back_proxy_authz_bind( struct ldapconn *lc, Operation *op, SlapReply *rs );
+#endif /* LDAP_BACK_PROXY_AUTHZ */
+
 int
-ldap_back_bind(
-    Operation          *op,
-    SlapReply          *rs )
+ldap_back_bind( Operation *op, SlapReply *rs )
 {
        struct ldapinfo *li = (struct ldapinfo *) op->o_bd->be_private;
        struct ldapconn *lc;
 
-       struct berval mdn = BER_BVNULL;
        int rc = 0;
        ber_int_t msgid;
-       dncookie dc;
 
-       lc = ldap_back_getconn(op, rs);
+       lc = ldap_back_getconn( op, rs );
        if ( !lc ) {
                return( -1 );
        }
 
-       /*
-        * Rewrite the bind dn if needed
-        */
-       dc.rwmap = &li->rwmap;
-#ifdef ENABLE_REWRITE
-       dc.conn = op->o_conn;
-       dc.rs = rs;
-       dc.ctx = "bindDN";
-#else
-       dc.tofrom = 1;
-       dc.normalized = 0;
-#endif
-       if ( ldap_back_dn_massage( &dc, &op->o_req_dn, &mdn ) ) {
-               send_ldap_result( op, rs );
-               return -1;
+       if ( !BER_BVISNULL( &lc->lc_bound_ndn ) ) {
+               ch_free( lc->lc_bound_ndn.bv_val );
+               BER_BVZERO( &lc->lc_bound_ndn );
        }
+       lc->lc_bound = 0;
 
-       if ( !BER_BVISNULL( &lc->bound_dn ) ) {
-               ch_free( lc->bound_dn.bv_val );
-               BER_BVZERO( &lc->bound_dn );
-       }
-       lc->bound = 0;
        /* method is always LDAP_AUTH_SIMPLE if we got here */
-       rs->sr_err = ldap_sasl_bind(lc->ld, mdn.bv_val, LDAP_SASL_SIMPLE,
-               &op->oq_bind.rb_cred, op->o_ctrls, NULL, &msgid);
+       rs->sr_err = ldap_sasl_bind( lc->lc_ld, op->o_req_dn.bv_val,
+                       LDAP_SASL_SIMPLE,
+                       &op->orb_cred, op->o_ctrls, NULL, &msgid );
        rc = ldap_back_op_result( lc, op, rs, msgid, 1 );
-       if (rc == LDAP_SUCCESS) {
-               lc->bound = 1;
-               if ( mdn.bv_val != op->o_req_dn.bv_val ) {
-                       lc->bound_dn = mdn;
-               } else {
-                       ber_dupbv( &lc->bound_dn, &op->o_req_dn );
+
+       if ( rc == LDAP_SUCCESS ) {
+#ifdef LDAP_BACK_PROXY_AUTHZ
+               if ( li->idassert_flags & LDAP_BACK_AUTH_OVERRIDE ) {
+                       ldap_back_proxy_authz_bind( lc, op, rs );
+                       if ( lc->lc_bound == 0 ) {
+                               rc = 1;
+                               goto done;
+                       }
                }
-               BER_BVZERO( &mdn );
+#endif /* LDAP_BACK_PROXY_AUTHZ */
+
+               lc->lc_bound = 1;
+               ber_dupbv( &lc->lc_bound_ndn, &op->o_req_ndn );
 
                if ( li->savecred ) {
-                       if ( !BER_BVISNULL( &lc->cred ) ) {
-                               memset( lc->cred.bv_val, 0, lc->cred.bv_len );
-                               ch_free( lc->cred.bv_val );
+                       if ( !BER_BVISNULL( &lc->lc_cred ) ) {
+                               memset( lc->lc_cred.bv_val, 0,
+                                               lc->lc_cred.bv_len );
+                               ch_free( lc->lc_cred.bv_val );
                        }
-                       ber_dupbv( &lc->cred, &op->oq_bind.rb_cred );
-                       ldap_set_rebind_proc( lc->ld, ldap_back_rebind, lc );
+                       ber_dupbv( &lc->lc_cred, &op->orb_cred );
+                       ldap_set_rebind_proc( lc->lc_ld, ldap_back_rebind, lc );
                }
        }
+done:;
 
        /* must re-insert if local DN changed as result of bind */
-       if ( lc->bound && !bvmatch(&op->o_req_ndn, &lc->local_dn ) ) {
-               int lerr;
+       if ( lc->lc_bound && !dn_match( &op->o_req_ndn, &lc->lc_local_ndn ) ) {
+               int     lerr;
 
                ldap_pvt_thread_mutex_lock( &li->conn_mutex );
                lc = avl_delete( &li->conntree, (caddr_t)lc,
                                ldap_back_conn_cmp );
-               if ( !BER_BVISNULL( &lc->local_dn ) )
-                       ch_free( lc->local_dn.bv_val );
-               ber_dupbv( &lc->local_dn, &op->o_req_ndn );
+               if ( !BER_BVISNULL( &lc->lc_local_ndn ) ) {
+                       ch_free( lc->lc_local_ndn.bv_val );
+               }
+               ber_dupbv( &lc->lc_local_ndn, &op->o_req_ndn );
                lerr = avl_insert( &li->conntree, (caddr_t)lc,
                        ldap_back_conn_cmp, ldap_back_conn_dup );
                ldap_pvt_thread_mutex_unlock( &li->conn_mutex );
@@ -119,10 +114,6 @@ ldap_back_bind(
                }
        }
 
-       if ( !BER_BVISNULL( &mdn ) && mdn.bv_val != op->o_req_dn.bv_val ) {
-               free( mdn.bv_val );
-       }
-
        return( rc );
 }
 
@@ -133,23 +124,22 @@ ldap_back_bind(
  * used by avl stuff
  */
 int
-ldap_back_conn_cmp(
-       const void *c1,
-       const void *c2
-       )
+ldap_back_conn_cmp( const void *c1, const void *c2 )
 {
        const struct ldapconn *lc1 = (const struct ldapconn *)c1;
        const struct ldapconn *lc2 = (const struct ldapconn *)c2;
        int rc;
-       
+
        /* If local DNs don't match, it is definitely not a match */
-       if ( ( rc = ber_bvcmp( &lc1->local_dn, &lc2->local_dn ) ) )
+       rc = ber_bvcmp( &lc1->lc_local_ndn, &lc2->lc_local_ndn );
+       if ( rc ) {
                return rc;
+       }
 
        /* For shared sessions, conn is NULL. Only explicitly
         * bound sessions will have non-NULL conn.
         */
-       return SLAP_PTRCMP(lc1->conn, lc2->conn);
+       return SLAP_PTRCMP( lc1->lc_conn, lc2->lc_conn );
 }
 
 /*
@@ -159,51 +149,56 @@ ldap_back_conn_cmp(
  * used by avl stuff
  */
 int
-ldap_back_conn_dup(
-       void *c1,
-       void *c2
-       )
+ldap_back_conn_dup( void *c1, void *c2 )
 {
        struct ldapconn *lc1 = (struct ldapconn *)c1;
        struct ldapconn *lc2 = (struct ldapconn *)c2;
 
        /* Cannot have more than one shared session with same DN */
-       if ( dn_match( &lc1->local_dn, &lc2->local_dn ) &&
-                lc1->conn == lc2->conn ) return -1;
+       if ( dn_match( &lc1->lc_local_ndn, &lc2->lc_local_ndn ) &&
+                               lc1->lc_conn == lc2->lc_conn )
+       {
+               return -1;
+       }
                
        return 0;
 }
 
 #if PRINT_CONNTREE > 0
-static void ravl_print( Avlnode *root, int depth )
+static void
+ravl_print( Avlnode *root, int depth )
 {
        int     i;
        struct ldapconn *lc;
        
-       if ( root == 0 )
+       if ( root == 0 ) {
                return;
+       }
        
        ravl_print( root->avl_right, depth+1 );
        
-       for ( i = 0; i < depth; i++ )
+       for ( i = 0; i < depth; i++ ) {
                printf( "   " );
+       }
 
        lc = root->avl_data;
        printf( "lc(%lx) local(%s) conn(%lx) %d\n",
-                       lc, lc->local_dn.bv_val, lc->conn, root->avl_bf );
+                       lc, lc->lc_local_ndn.bv_val, lc->lc_conn, root->avl_bf );
        
        ravl_print( root->avl_left, depth+1 );
 }
 
-static void myprint( Avlnode *root )
+static void
+myprint( Avlnode *root )
 {
        printf( "********\n" );
        
-       if ( root == 0 )
+       if ( root == 0 ) {
                printf( "\tNULL\n" );
 
-       else
+       } else {
                ravl_print( root, 0 );
+       }
        
        printf( "********\n" );
 }
@@ -224,7 +219,7 @@ ldap_back_freeconn( Operation *op, struct ldapconn *lc )
 }
 
 struct ldapconn *
-ldap_back_getconn(Operation *op, SlapReply *rs)
+ldap_back_getconn( Operation *op, SlapReply *rs )
 {
        struct ldapinfo *li = (struct ldapinfo *)op->o_bd->be_private;
        struct ldapconn *lc, lc_curr;
@@ -237,108 +232,75 @@ ldap_back_getconn(Operation *op, SlapReply *rs)
        if ( op->o_tag == LDAP_REQ_BIND
                || ( op->o_conn
                        && op->o_conn->c_authz_backend
-                       && op->o_bd->be_private == op->o_conn->c_authz_backend->be_private ) ) {
-               lc_curr.conn = op->o_conn;
+                       && op->o_bd->be_private == op->o_conn->c_authz_backend->be_private ) )
+       {
+               lc_curr.lc_conn = op->o_conn;
 
        } else {
-               lc_curr.conn = NULL;
+               lc_curr.lc_conn = NULL;
        }
        
        /* Internal searches are privileged and shared. So is root. */
        if ( op->o_do_not_cache || be_isroot( op ) ) {
-               lc_curr.local_dn = op->o_bd->be_rootndn;
-               lc_curr.conn = NULL;
+               lc_curr.lc_local_ndn = op->o_bd->be_rootndn;
+               lc_curr.lc_conn = NULL;
                is_priv = 1;
 
        } else {
-               lc_curr.local_dn = op->o_ndn;
+               lc_curr.lc_local_ndn = op->o_ndn;
        }
 
        ldap_pvt_thread_mutex_lock( &li->conn_mutex );
        lc = (struct ldapconn *)avl_find( li->conntree, 
-               (caddr_t)&lc_curr, ldap_back_conn_cmp );
+                       (caddr_t)&lc_curr, ldap_back_conn_cmp );
        ldap_pvt_thread_mutex_unlock( &li->conn_mutex );
 
        /* Looks like we didn't get a bind. Open a new session... */
-       if (!lc) {
+       if ( !lc ) {
                int vers = op->o_protocol;
-               rs->sr_err = ldap_initialize(&ld, li->url);
+               rs->sr_err = ldap_initialize( &ld, li->url );
                
-               if (rs->sr_err != LDAP_SUCCESS) {
+               if ( rs->sr_err != LDAP_SUCCESS ) {
                        rs->sr_err = slap_map_api2result( rs );
-                       if (rs->sr_text == NULL) {
+                       if ( rs->sr_text == NULL ) {
                                rs->sr_text = "ldap_initialize() failed";
                        }
-                       if (op->o_conn) send_ldap_result( op, rs );
+                       if ( op->o_conn ) {
+                               send_ldap_result( op, rs );
+                       }
                        rs->sr_text = NULL;
                        return( NULL );
                }
                /* Set LDAP version. This will always succeed: If the client
                 * bound with a particular version, then so can we.
                 */
-               ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION,
-                               (const void *)&vers);
+               ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION,
+                               (const void *)&vers );
                /* FIXME: configurable? */
-               ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_ON);
+               ldap_set_option( ld, LDAP_OPT_REFERRALS, LDAP_OPT_ON );
 
-               lc = (struct ldapconn *)ch_malloc(sizeof(struct ldapconn));
-               lc->conn = lc_curr.conn;
-               lc->ld = ld;
-               ber_dupbv( &lc->local_dn, &lc_curr.local_dn );
-
-#ifdef ENABLE_REWRITE
-               /*
-                * Sets a cookie for the rewrite session
-                *
-                * FIXME: the o_conn might be no longer valid,
-                * since we may have different entries
-                * for the same connection
-                */
-               ( void )rewrite_session_init( li->rwmap.rwm_rw, op->o_conn );
-#endif /* ENABLE_REWRITE */
+               lc = (struct ldapconn *)ch_malloc( sizeof( struct ldapconn ) );
+               lc->lc_conn = lc_curr.lc_conn;
+               lc->lc_ld = ld;
+               ber_dupbv( &lc->lc_local_ndn, &lc_curr.lc_local_ndn );
 
                ldap_pvt_thread_mutex_init( &lc->lc_mutex );
 
                if ( is_priv ) {
-                       ber_dupbv( &lc->cred, &li->acl_passwd );
-                       ber_dupbv( &lc->bound_dn, &li->acl_authcDN );
+                       ber_dupbv( &lc->lc_cred, &li->acl_passwd );
+                       ber_dupbv( &lc->lc_bound_ndn, &li->acl_authcDN );
 
                } else {
-                       BER_BVZERO( &lc->cred );
-                       BER_BVZERO( &lc->bound_dn );
-                       if ( op->o_conn && !BER_BVISEMPTY( &op->o_conn->c_dn )
-                                       && ( op->o_bd == op->o_conn->c_authz_backend ) ) {
-                               
-                               dncookie dc;
-                               struct berval bv;
-
-                               /*
-                                * Rewrite the bind dn if needed
-                                */
-                               dc.rwmap = &li->rwmap;
-#ifdef ENABLE_REWRITE
-                               dc.conn = op->o_conn;
-                               dc.rs = rs;
-                               dc.ctx = "bindDN";
-#else
-                               dc.tofrom = 1;
-                               dc.normalized = 0;
-#endif
-
-                               if ( ldap_back_dn_massage( &dc, &op->o_conn->c_dn, &bv ) ) {
-                                       send_ldap_result( op, rs );
-                                       return NULL;
-                               }
-
-                               if ( bv.bv_val == op->o_conn->c_dn.bv_val ) {
-                                       ber_dupbv( &lc->bound_dn, &bv );
-                               } else {
-                                       lc->bound_dn = bv;
-                               }
+                       BER_BVZERO( &lc->lc_cred );
+                       BER_BVZERO( &lc->lc_bound_ndn );
+                       if ( op->o_conn && !BER_BVISEMPTY( &op->o_ndn )
+                                       && op->o_bd == op->o_conn->c_authz_backend )
+                       {
+                               ber_dupbv( &lc->lc_bound_ndn, &op->o_ndn );
                        }
                }
 
-               lc->bound = 0;
+               lc->lc_bound = 0;
 
                /* Inserts the newly created ldapconn in the avl tree */
                ldap_pvt_thread_mutex_lock( &li->conn_mutex );
@@ -357,7 +319,7 @@ ldap_back_getconn(Operation *op, SlapReply *rs)
                /* Err could be -1 in case a duplicate ldapconn is inserted */
                if ( rs->sr_err != 0 ) {
                        ldap_back_conn_free( lc );
-                       if (op->o_conn) {
+                       if ( op->o_conn ) {
                                send_ldap_error( op, rs, LDAP_OTHER,
                                "internal server error" );
                        }
@@ -374,19 +336,18 @@ ldap_back_getconn(Operation *op, SlapReply *rs)
 /*
  * ldap_back_dobind
  *
- * Note: as the check for the value of lc->bound was already here, I removed
+ * Note: as the check for the value of lc->lc_bound was already here, I removed
  * it from all the callers, and I made the function return the flag, so
  * it can be used to simplify the check.
  */
 int
 ldap_back_dobind( struct ldapconn *lc, Operation *op, SlapReply *rs )
 {      
-       struct ldapinfo *li = (struct ldapinfo *)op->o_bd->be_private;
-       int rc;
-       ber_int_t msgid;
+       int             rc;
+       ber_int_t       msgid;
 
        ldap_pvt_thread_mutex_lock( &lc->lc_mutex );
-       if ( !lc->bound ) {
+       if ( !lc->lc_bound ) {
 #ifdef LDAP_BACK_PROXY_AUTHZ
                /*
                 * FIXME: we need to let clients use proxyAuthz
@@ -407,161 +368,25 @@ ldap_back_dobind( struct ldapconn *lc, Operation *op, SlapReply *rs )
                 * control to every operation with the dn bound 
                 * to the connection as control value.
                 */
-               if ( op->o_conn != NULL && BER_BVISNULL( &lc->bound_dn ) ) {
-                       struct berval   binddn = slap_empty_bv;
-                       struct berval   bindcred = slap_empty_bv;
-                       int             dobind = 0;
-
-                       /* bind as proxyauthzdn only if no idassert mode
-                        * is requested, or if the client's identity
-                        * is authorized */
-                       switch ( li->idassert_mode ) {
-                       case LDAP_BACK_IDASSERT_LEGACY:
-                               if ( !BER_BVISNULL( &op->o_conn->c_dn ) && !BER_BVISEMPTY( &op->o_conn->c_dn ) ) {
-                                       if ( !BER_BVISNULL( &li->idassert_authcDN ) && !BER_BVISEMPTY( &li->idassert_authcDN ) )
-                                       {
-                                               binddn = li->idassert_authcDN;
-                                               bindcred = li->idassert_passwd;
-                                               dobind = 1;
-                                       }
-                               }
-                               break;
-
-                       default:
-                               if ( li->idassert_authz ) {
-                                       struct berval   authcDN = BER_BVISNULL( &op->o_conn->c_dn ) ? slap_empty_bv : op->o_conn->c_dn;
-
-                                       rs->sr_err = slap_sasl_matches( op, li->idassert_authz,
-                                                       &authcDN, &authcDN );
-                                       if ( rs->sr_err != LDAP_SUCCESS ) {
-                                               send_ldap_result( op, rs );
-                                               lc->bound = 0;
-                                               goto done;
-                                       }
-                               }
-
-                               binddn = li->idassert_authcDN;
-                               bindcred = li->idassert_passwd;
-                               dobind = 1;
-                               break;
-                       }
-
-                       if ( dobind && li->idassert_authmethod == LDAP_AUTH_SASL ) {
-#ifdef HAVE_CYRUS_SASL
-                               void            *defaults = NULL;
-                               struct berval   authzID = BER_BVNULL;
-                               int             freeauthz = 0;
-
-                               /* if SASL supports native authz, prepare for it */
-                               if ( ( !op->o_do_not_cache || !op->o_is_auth_check ) &&
-                                               ( li->idassert_flags & LDAP_BACK_AUTH_NATIVE_AUTHZ ) )
-                               {
-                                       switch ( li->idassert_mode ) {
-                                       case LDAP_BACK_IDASSERT_OTHERID:
-                                       case LDAP_BACK_IDASSERT_OTHERDN:
-                                               authzID = li->idassert_authzID;
-                                               break;
-
-                                       case LDAP_BACK_IDASSERT_ANONYMOUS:
-                                               BER_BVSTR( &authzID, "dn:" );
-                                               break;
-
-                                       case LDAP_BACK_IDASSERT_SELF:
-                                               if ( BER_BVISNULL( &op->o_conn->c_dn ) ) {
-                                                       /* connection is not authc'd, so don't idassert */
-                                                       BER_BVSTR( &authzID, "dn:" );
-                                                       break;
-                                               }
-                                               authzID.bv_len = STRLENOF( "dn:" ) + op->o_conn->c_dn.bv_len;
-                                               authzID.bv_val = slap_sl_malloc( authzID.bv_len + 1, op->o_tmpmemctx );
-                                               AC_MEMCPY( authzID.bv_val, "dn:", STRLENOF( "dn:" ) );
-                                               AC_MEMCPY( authzID.bv_val + STRLENOF( "dn:" ),
-                                                               op->o_conn->c_dn.bv_val, op->o_conn->c_dn.bv_len + 1 );
-                                               freeauthz = 1;
-                                               break;
-
-                                       default:
-                                               break;
-                                       }
-                               }
-
-#if 0  /* will deal with this later... */
-                               if ( sasl_secprops != NULL ) {
-                                       rs->sr_err = ldap_set_option( lc->ld, LDAP_OPT_X_SASL_SECPROPS,
-                                               (void *) sasl_secprops );
-
-                                       if ( rs->sr_err != LDAP_OPT_SUCCESS ) {
-                                               send_ldap_result( op, rs );
-                                               lc->bound = 0;
-                                               goto done;
-                                               
-                                       }
-                               }
-#endif
-
-                               defaults = lutil_sasl_defaults( lc->ld,
-                                               li->idassert_sasl_mech.bv_val,
-                                               li->idassert_sasl_realm.bv_val,
-                                               li->idassert_authcID.bv_val,
-                                               li->idassert_passwd.bv_val,
-                                               authzID.bv_val );
-
-                               rs->sr_err = ldap_sasl_interactive_bind_s( lc->ld, binddn.bv_val,
-                                               li->idassert_sasl_mech.bv_val, NULL, NULL,
-                                               li->idassert_sasl_flags, lutil_sasl_interact,
-                                               defaults );
-
-                               lutil_sasl_freedefs( defaults );
-                               if ( freeauthz ) {
-                                       slap_sl_free( authzID.bv_val, op->o_tmpmemctx );
-                               }
-
-                               rs->sr_err = slap_map_api2result( rs );
-                               if ( rs->sr_err != LDAP_SUCCESS ) {
-                                       lc->bound = 0;
-                                       send_ldap_result( op, rs );
-
-                               } else {
-                                       lc->bound = 1;
-                               }
-                               goto done;
-#endif /* HAVE_CYRUS_SASL */
-                       }
-
-                       switch ( li->idassert_authmethod ) {
-                       case LDAP_AUTH_SIMPLE:
-                               rs->sr_err = ldap_sasl_bind(lc->ld,
-                                               binddn.bv_val, LDAP_SASL_SIMPLE,
-                                               &bindcred, NULL, NULL, &msgid);
-                               break;
-
-                       case LDAP_AUTH_NONE:
-                               lc->bound = 1;
-                               goto done;
-
-                       default:
-                               /* unsupported! */
-                               lc->bound = 0;
-                               rs->sr_err = LDAP_AUTH_METHOD_NOT_SUPPORTED;
-                               send_ldap_result( op, rs );
-                               goto done;
-                       }
-
-               } else
-#endif /* LDAP_BACK_PROXY_AUTHZ */
-               {
-                       rs->sr_err = ldap_sasl_bind(lc->ld, lc->bound_dn.bv_val,
-                               LDAP_SASL_SIMPLE, &lc->cred, NULL, NULL, &msgid);
+               if ( op->o_conn != NULL && BER_BVISNULL( &lc->lc_bound_ndn ) ) {
+                       (void)ldap_back_proxy_authz_bind( lc, op, rs );
+                       goto done;
                }
+#endif /* LDAP_BACK_PROXY_AUTHZ */
+
+               rs->sr_err = ldap_sasl_bind( lc->lc_ld,
+                               lc->lc_bound_ndn.bv_val,
+                               LDAP_SASL_SIMPLE, &lc->lc_cred,
+                               NULL, NULL, &msgid );
                
                rc = ldap_back_op_result( lc, op, rs, msgid, 0 );
-               if (rc == LDAP_SUCCESS) {
-                       lc->bound = 1;
+               if ( rc == LDAP_SUCCESS ) {
+                       lc->lc_bound = 1;
                }
        }
 
 done:;
-       rc = lc->bound;
+       rc = lc->lc_bound;
        ldap_pvt_thread_mutex_unlock( &lc->lc_mutex );
        return rc;
 }
@@ -578,67 +403,21 @@ ldap_back_rebind( LDAP *ld, LDAP_CONST char *url, ber_tag_t request,
 {
        struct ldapconn *lc = params;
 
-       return ldap_bind_s( ld, lc->bound_dn.bv_val, lc->cred.bv_val, LDAP_AUTH_SIMPLE );
-}
-
-#if 0 /* deprecated in favour of slap_map_api2result() */
-/* Map API errors to protocol errors... */
-int
-ldap_back_map_result( SlapReply *rs )
-{
-       switch(rs->sr_err)
-       {
-       case LDAP_SERVER_DOWN:
-               return LDAP_UNAVAILABLE;
-       case LDAP_LOCAL_ERROR:
-               return LDAP_OTHER;
-       case LDAP_ENCODING_ERROR:
-       case LDAP_DECODING_ERROR:
-               return LDAP_PROTOCOL_ERROR;
-       case LDAP_TIMEOUT:
-               return LDAP_UNAVAILABLE;
-       case LDAP_AUTH_UNKNOWN:
-               return LDAP_AUTH_METHOD_NOT_SUPPORTED;
-       case LDAP_FILTER_ERROR:
-               rs->sr_text = "Filter error";
-               return LDAP_OTHER;
-       case LDAP_USER_CANCELLED:
-               rs->sr_text = "User cancelled";
-               return LDAP_OTHER;
-       case LDAP_PARAM_ERROR:
-               return LDAP_PROTOCOL_ERROR;
-       case LDAP_NO_MEMORY:
-               return LDAP_OTHER;
-       case LDAP_CONNECT_ERROR:
-               return LDAP_UNAVAILABLE;
-       case LDAP_NOT_SUPPORTED:
-               return LDAP_UNWILLING_TO_PERFORM;
-       case LDAP_CONTROL_NOT_FOUND:
-               return LDAP_PROTOCOL_ERROR;
-       case LDAP_NO_RESULTS_RETURNED:
-               return LDAP_NO_SUCH_OBJECT;
-       case LDAP_MORE_RESULTS_TO_RETURN:
-               rs->sr_text = "More results to return";
-               return LDAP_OTHER;
-       case LDAP_CLIENT_LOOP:
-       case LDAP_REFERRAL_LIMIT_EXCEEDED:
-               return LDAP_LOOP_DETECT;
-       default:
-               if ( LDAP_API_ERROR(rs->sr_err) )
-                       return LDAP_OTHER;
-               return rs->sr_err;
-       }
+       return ldap_sasl_bind_s( ld, lc->lc_bound_ndn.bv_val,
+                       LDAP_SASL_SIMPLE, &lc->lc_cred, NULL, NULL, NULL );
 }
-#endif
 
 int
-ldap_back_op_result(struct ldapconn *lc, Operation *op, SlapReply *rs,
-       ber_int_t msgid, int sendok)
+ldap_back_op_result(
+               struct ldapconn *lc,
+               Operation       *op,
+               SlapReply       *rs,
+               ber_int_t       msgid,
+               int             sendok )
 {
-       struct ldapinfo *li = (struct ldapinfo *)op->o_bd->be_private;
-       char *match = NULL;
-       LDAPMessage *res = NULL;
-       char *text = NULL;
+       char            *match = NULL;
+       LDAPMessage     *res = NULL;
+       char            *text = NULL;
 
 #define        ERR_OK(err) ((err) == LDAP_SUCCESS || (err) == LDAP_COMPARE_FALSE || (err) == LDAP_COMPARE_TRUE)
 
@@ -650,8 +429,8 @@ ldap_back_op_result(struct ldapconn *lc, Operation *op, SlapReply *rs,
         * remote server response */
        if ( ERR_OK( rs->sr_err ) ) {
                /* if result parsing fails, note the failure reason */
-               if ( ldap_result( lc->ld, msgid, 1, NULL, &res ) == -1 ) {
-                       ldap_get_option( lc->ld, LDAP_OPT_ERROR_NUMBER,
+               if ( ldap_result( lc->lc_ld, msgid, 1, NULL, &res ) == -1 ) {
+                       ldap_get_option( lc->lc_ld, LDAP_OPT_ERROR_NUMBER,
                                        &rs->sr_err );
 
                /* otherwise get the result; if it is not
@@ -659,10 +438,12 @@ ldap_back_op_result(struct ldapconn *lc, Operation *op, SlapReply *rs,
                 * structure (this includes 
                 * LDAP_COMPARE_{TRUE|FALSE}) */
                } else {
-                       int rc = ldap_parse_result( lc->ld, res, &rs->sr_err,
+                       int rc = ldap_parse_result( lc->lc_ld, res, &rs->sr_err,
                                        &match, &text, NULL, NULL, 1 );
                        rs->sr_text = text;
-                       if ( rc != LDAP_SUCCESS ) rs->sr_err = rc;
+                       if ( rc != LDAP_SUCCESS ) {
+                               rs->sr_err = rc;
+                       }
                }
        }
 
@@ -675,25 +456,10 @@ ldap_back_op_result(struct ldapconn *lc, Operation *op, SlapReply *rs,
                /* internal ops ( op->o_conn == NULL ) 
                 * must not reply to client */
                if ( op->o_conn && !op->o_do_not_cache && match ) {
-                       struct berval dn, mdn;
-                       dncookie dc;
-
-                       dc.rwmap = &li->rwmap;
-#ifdef ENABLE_REWRITE
-                       dc.conn = op->o_conn;
-                       dc.rs = rs;
-                       dc.ctx = "matchedDN";
-#else
-                       dc.tofrom = 0;
-                       dc.normalized = 0;
-#endif
-                       ber_str2bv(match, 0, 0, &dn);
-                       ldap_back_dn_massage(&dc, &dn, &mdn);
 
                        /* record the (massaged) matched
                         * DN into the reply structure */
-                       rs->sr_matched = mdn.bv_val;
-                               
+                       rs->sr_matched = match;
                }
        }
        if ( op->o_conn && ( sendok || rs->sr_err != LDAP_SUCCESS ) ) {
@@ -722,31 +488,205 @@ ldap_back_retry( struct ldapconn *lc, Operation *op, SlapReply *rs )
        LDAP *ld;
 
        ldap_pvt_thread_mutex_lock( &lc->lc_mutex );
-       ldap_unbind( lc->ld );
-       lc->bound = 0;
-       rs->sr_err = ldap_initialize(&ld, li->url);
+       ldap_unbind_ext_s( lc->lc_ld, NULL, NULL );
+       lc->lc_bound = 0;
+       rs->sr_err = ldap_initialize( &ld, li->url );
                
-       if (rs->sr_err != LDAP_SUCCESS) {
+       if ( rs->sr_err != LDAP_SUCCESS ) {
                rs->sr_err = slap_map_api2result( rs );
-               if (rs->sr_text == NULL) {
+               if ( rs->sr_text == NULL ) {
                        rs->sr_text = "ldap_initialize() failed";
                }
-               if (op->o_conn) send_ldap_result( op, rs );
+               if ( op->o_conn ) {
+                       send_ldap_result( op, rs );
+               }
                rs->sr_text = NULL;
                return 0;
        }
        /* Set LDAP version. This will always succeed: If the client
         * bound with a particular version, then so can we.
         */
-       ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, (const void *)&vers);
+       ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, (const void *)&vers );
        /* FIXME: configurable? */
-       ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_ON);
-       lc->ld = ld;
+       ldap_set_option( ld, LDAP_OPT_REFERRALS, LDAP_OPT_ON );
+       lc->lc_ld = ld;
        ldap_pvt_thread_mutex_unlock( &lc->lc_mutex );
        return ldap_back_dobind( lc, op, rs );
 }
 
 #ifdef LDAP_BACK_PROXY_AUTHZ
+static int
+ldap_back_proxy_authz_bind( struct ldapconn *lc, Operation *op, SlapReply *rs )
+{
+       struct ldapinfo *li = (struct ldapinfo *)op->o_bd->be_private;
+       struct berval   binddn = slap_empty_bv;
+       struct berval   bindcred = slap_empty_bv;
+       int             dobind = 0;
+       int             msgid;
+       int             rc;
+
+       /*
+        * FIXME: we need to let clients use proxyAuthz
+        * otherwise we cannot do symmetric pools of servers;
+        * we have to live with the fact that a user can
+        * authorize itself as any ID that is allowed
+        * by the authzTo directive of the "proxyauthzdn".
+        */
+       /*
+        * NOTE: current Proxy Authorization specification
+        * and implementation do not allow proxy authorization
+        * control to be provided with Bind requests
+        */
+       /*
+        * if no bind took place yet, but the connection is bound
+        * and the "proxyauthzdn" is set, then bind as 
+        * "proxyauthzdn" and explicitly add the proxyAuthz 
+        * control to every operation with the dn bound 
+        * to the connection as control value.
+        */
+
+       /* bind as proxyauthzdn only if no idassert mode
+        * is requested, or if the client's identity
+        * is authorized */
+       switch ( li->idassert_mode ) {
+       case LDAP_BACK_IDASSERT_LEGACY:
+               if ( !BER_BVISNULL( &op->o_conn->c_ndn ) && !BER_BVISEMPTY( &op->o_conn->c_ndn ) ) {
+                       if ( !BER_BVISNULL( &li->idassert_authcDN ) && !BER_BVISEMPTY( &li->idassert_authcDN ) )
+                       {
+                               binddn = li->idassert_authcDN;
+                               bindcred = li->idassert_passwd;
+                               dobind = 1;
+                       }
+               }
+               break;
+
+       default:
+               if ( li->idassert_authz ) {
+                       struct berval   authcDN = BER_BVISNULL( &op->o_conn->c_ndn ) ? slap_empty_bv : op->o_conn->c_ndn;
+
+                       rs->sr_err = slap_sasl_matches( op, li->idassert_authz,
+                                       &authcDN, &authcDN );
+                       if ( rs->sr_err != LDAP_SUCCESS ) {
+                               send_ldap_result( op, rs );
+                               lc->lc_bound = 0;
+                               goto done;
+                       }
+               }
+
+               binddn = li->idassert_authcDN;
+               bindcred = li->idassert_passwd;
+               dobind = 1;
+               break;
+       }
+
+       if ( dobind && li->idassert_authmethod == LDAP_AUTH_SASL ) {
+#ifdef HAVE_CYRUS_SASL
+               void            *defaults = NULL;
+               struct berval   authzID = BER_BVNULL;
+               int             freeauthz = 0;
+
+               /* if SASL supports native authz, prepare for it */
+               if ( ( !op->o_do_not_cache || !op->o_is_auth_check ) &&
+                               ( li->idassert_flags & LDAP_BACK_AUTH_NATIVE_AUTHZ ) )
+               {
+                       switch ( li->idassert_mode ) {
+                       case LDAP_BACK_IDASSERT_OTHERID:
+                       case LDAP_BACK_IDASSERT_OTHERDN:
+                               authzID = li->idassert_authzID;
+                               break;
+
+                       case LDAP_BACK_IDASSERT_ANONYMOUS:
+                               BER_BVSTR( &authzID, "dn:" );
+                               break;
+
+                       case LDAP_BACK_IDASSERT_SELF:
+                               if ( BER_BVISNULL( &op->o_conn->c_ndn ) ) {
+                                       /* connection is not authc'd, so don't idassert */
+                                       BER_BVSTR( &authzID, "dn:" );
+                                       break;
+                               }
+                               authzID.bv_len = STRLENOF( "dn:" ) + op->o_conn->c_ndn.bv_len;
+                               authzID.bv_val = slap_sl_malloc( authzID.bv_len + 1, op->o_tmpmemctx );
+                               AC_MEMCPY( authzID.bv_val, "dn:", STRLENOF( "dn:" ) );
+                               AC_MEMCPY( authzID.bv_val + STRLENOF( "dn:" ),
+                                               op->o_conn->c_ndn.bv_val, op->o_conn->c_ndn.bv_len + 1 );
+                               freeauthz = 1;
+                               break;
+
+                       default:
+                               break;
+                       }
+               }
+
+#if 0  /* will deal with this later... */
+               if ( sasl_secprops != NULL ) {
+                       rs->sr_err = ldap_set_option( lc->lc_ld, LDAP_OPT_X_SASL_SECPROPS,
+                               (void *) sasl_secprops );
+
+                       if ( rs->sr_err != LDAP_OPT_SUCCESS ) {
+                               send_ldap_result( op, rs );
+                               lc->lc_bound = 0;
+                               goto done;
+                       }
+               }
+#endif
+
+               defaults = lutil_sasl_defaults( lc->lc_ld,
+                               li->idassert_sasl_mech.bv_val,
+                               li->idassert_sasl_realm.bv_val,
+                               li->idassert_authcID.bv_val,
+                               li->idassert_passwd.bv_val,
+                               authzID.bv_val );
+
+               rs->sr_err = ldap_sasl_interactive_bind_s( lc->lc_ld, binddn.bv_val,
+                               li->idassert_sasl_mech.bv_val, NULL, NULL,
+                               li->idassert_sasl_flags, lutil_sasl_interact,
+                               defaults );
+
+               lutil_sasl_freedefs( defaults );
+               if ( freeauthz ) {
+                       slap_sl_free( authzID.bv_val, op->o_tmpmemctx );
+               }
+
+               rs->sr_err = slap_map_api2result( rs );
+               if ( rs->sr_err != LDAP_SUCCESS ) {
+                       lc->lc_bound = 0;
+                       send_ldap_result( op, rs );
+
+               } else {
+                       lc->lc_bound = 1;
+               }
+               goto done;
+#endif /* HAVE_CYRUS_SASL */
+       }
+
+       switch ( li->idassert_authmethod ) {
+       case LDAP_AUTH_SIMPLE:
+               rs->sr_err = ldap_sasl_bind( lc->lc_ld,
+                               binddn.bv_val, LDAP_SASL_SIMPLE,
+                               &bindcred, NULL, NULL, &msgid );
+               break;
+
+       case LDAP_AUTH_NONE:
+               lc->lc_bound = 1;
+               goto done;
+
+       default:
+               /* unsupported! */
+               lc->lc_bound = 0;
+               rs->sr_err = LDAP_AUTH_METHOD_NOT_SUPPORTED;
+               send_ldap_result( op, rs );
+               goto done;
+       }
+
+       rc = ldap_back_op_result( lc, op, rs, msgid, 0 );
+       if ( rc == LDAP_SUCCESS ) {
+               lc->lc_bound = 1;
+       }
+done:;
+       return lc->lc_bound;
+}
+
 /*
  * ldap_back_proxy_authz_ctrl() prepends a proxyAuthz control
  * to existing server-side controls if required; if not,
@@ -812,11 +752,11 @@ ldap_back_proxy_authz_ctrl(
                        goto done;
                }
 
-               if ( !BER_BVISNULL( &lc->bound_dn ) ) {
+               if ( !BER_BVISNULL( &lc->lc_bound_ndn ) ) {
                        goto done;
                }
 
-               if ( BER_BVISNULL( &op->o_conn->c_dn ) ) {
+               if ( BER_BVISNULL( &op->o_conn->c_ndn ) ) {
                        goto done;
                }
 
@@ -826,24 +766,24 @@ ldap_back_proxy_authz_ctrl(
 
        } else if ( li->idassert_authmethod == LDAP_AUTH_SASL ) {
                if ( ( li->idassert_flags & LDAP_BACK_AUTH_NATIVE_AUTHZ )
-                               /* && ( !BER_BVISNULL( &op->o_conn->c_dn ) || lc->bound ) */ )
+                               /* && ( !BER_BVISNULL( &op->o_conn->c_ndn ) || lc->lc_bound ) */ )
                {
                        /* already asserted in SASL via native authz */
-                       /* NOTE: the test on lc->bound is used to trap
+                       /* NOTE: the test on lc->lc_bound is used to trap
                         * native authorization of anonymous users,
-                        * since in that case op->o_conn->c_dn is NULL */
+                        * since in that case op->o_conn->c_ndn is NULL */
                        goto done;
                }
 
        } else if ( li->idassert_authz ) {
                int             rc;
-               struct berval   authcDN = BER_BVISNULL( &op->o_conn->c_dn ) ? slap_empty_bv : op->o_conn->c_dn;
+               struct berval   authcDN = BER_BVISNULL( &op->o_conn->c_ndn ) ? slap_empty_bv : op->o_conn->c_ndn;
 
 
                rc = slap_sasl_matches( op, li->idassert_authz,
                                &authcDN, & authcDN );
                if ( rc != LDAP_SUCCESS ) {
-                       /* op->o_conn->c_dn is not authorized
+                       /* op->o_conn->c_ndn is not authorized
                         * to use idassert */
                        return rc;
                }
@@ -883,7 +823,7 @@ ldap_back_proxy_authz_ctrl(
        case LDAP_BACK_IDASSERT_SELF:
                /* original behavior:
                 * assert the client's identity */
-               assertedID = BER_BVISNULL( &op->o_conn->c_dn ) ? slap_empty_bv : op->o_conn->c_dn;
+               assertedID = BER_BVISNULL( &op->o_conn->c_ndn ) ? slap_empty_bv : op->o_conn->c_ndn;
                break;
 
        case LDAP_BACK_IDASSERT_ANONYMOUS:
@@ -909,6 +849,11 @@ ldap_back_proxy_authz_ctrl(
                assertedID = slap_empty_bv;
        }
 
+       if ( op->o_ctrls ) {
+               for ( i = 0; op->o_ctrls[ i ]; i++ )
+                       /* just count ctrls */ ;
+       }
+
        ctrls = ch_malloc( sizeof( LDAPControl * ) * (i + 2) );
        ctrls[ 0 ] = ch_malloc( sizeof( LDAPControl ) );
        
@@ -948,4 +893,25 @@ done:;
        
        return rs->sr_err;
 }
+
+int
+ldap_back_proxy_authz_ctrl_free( Operation *op, LDAPControl ***pctrls )
+{
+       LDAPControl     **ctrls = *pctrls;
+
+       if ( ctrls && ctrls != op->o_ctrls ) {
+               assert( ctrls[ 0 ] );
+
+               if ( !BER_BVISNULL( &ctrls[ 0 ]->ldctl_value ) ) {
+                       free( ctrls[ 0 ]->ldctl_value.bv_val );
+               }
+
+               free( ctrls[ 0 ] );
+               free( ctrls );
+       } 
+
+       *pctrls = NULL;
+
+       return 0;
+}
 #endif /* LDAP_BACK_PROXY_AUTHZ */
index 635a2868d661f538d5f3be89d56a4ecc30fcd1b2..0670a51911b84f45ae9c73fe85da571b83a47753 100644 (file)
 
 int
 ldap_back_compare(
-    Operation  *op,
-    SlapReply  *rs )
+               Operation       *op,
+               SlapReply       *rs )
 {
-       struct ldapinfo *li = (struct ldapinfo *) op->o_bd->be_private;
-       struct ldapconn *lc;
-       struct berval mapped_at = BER_BVNULL, mapped_val = BER_BVNULL;
-       struct berval mdn = BER_BVNULL;
-       ber_int_t msgid;
-       int freeval = 0;
-       int do_retry = 1;
-       dncookie dc;
-       LDAPControl **ctrls = NULL;
-       int rc = LDAP_SUCCESS;
+       struct ldapconn *lc;
+       ber_int_t       msgid;
+       int             do_retry = 1;
+       LDAPControl     **ctrls = NULL;
+       int             rc = LDAP_SUCCESS;
 
-       lc = ldap_back_getconn(op, rs);
+       lc = ldap_back_getconn( op, rs );
        if (!lc || !ldap_back_dobind( lc, op, rs ) ) {
-               return( -1 );
-       }
-
-       /*
-        * Rewrite the compare dn, if needed
-        */
-       dc.rwmap = &li->rwmap;
-#ifdef ENABLE_REWRITE
-       dc.conn = op->o_conn;
-       dc.rs = rs;
-       dc.ctx = "compareDN";
-#else
-       dc.tofrom = 1;
-       dc.normalized = 0;
-#endif
-       if ( ldap_back_dn_massage( &dc, &op->o_req_ndn, &mdn ) ) {
-               send_ldap_result( op, rs );
-               return -1;
-       }
-
-       if ( op->orc_ava->aa_desc == slap_schema.si_ad_objectClass
-               || op->orc_ava->aa_desc == slap_schema.si_ad_structuralObjectClass ) {
-               ldap_back_map(&li->rwmap.rwm_oc, &op->orc_ava->aa_value,
-                               &mapped_val, BACKLDAP_MAP);
-               if (mapped_val.bv_val == NULL || mapped_val.bv_val[0] == '\0') {
-                       return( -1 );
-               }
-               mapped_at = op->orc_ava->aa_desc->ad_cname;
-       } else {
-               ldap_back_map(&li->rwmap.rwm_at,
-                               &op->orc_ava->aa_desc->ad_cname, &mapped_at, 
-                               BACKLDAP_MAP);
-               if (mapped_at.bv_val == NULL || mapped_at.bv_val[0] == '\0') {
-                       return( -1 );
-               }
-               if (op->orc_ava->aa_desc->ad_type->sat_syntax == slap_schema.si_syn_distinguishedName ) {
-#ifdef ENABLE_REWRITE
-                       dc.ctx = "compareAttrDN";
-#endif
-                       ldap_back_dn_massage( &dc, &op->orc_ava->aa_value, &mapped_val );
-                       if (mapped_val.bv_val == NULL || mapped_val.bv_val[0] == '\0') {
-                               mapped_val = op->orc_ava->aa_value;
-                       } else if (mapped_val.bv_val != op->orc_ava->aa_value.bv_val) {
-                               freeval = 1;
-                       }
-               } else {
-                       mapped_val = op->orc_ava->aa_value;
-               }
+               rc = -1;
+               goto cleanup;
        }
 
        ctrls = op->o_ctrls;
@@ -110,28 +59,22 @@ ldap_back_compare(
 #endif /* LDAP_BACK_PROXY_AUTHZ */
 
 retry:
-       rs->sr_err = ldap_compare_ext( lc->ld, mdn.bv_val,
-                       mapped_at.bv_val, &mapped_val, 
+       rs->sr_err = ldap_compare_ext( lc->lc_ld, op->o_req_ndn.bv_val,
+                       op->orc_ava->aa_desc->ad_cname.bv_val,
+                       &op->orc_ava->aa_value, 
                        ctrls, NULL, &msgid );
        rc = ldap_back_op_result( lc, op, rs, msgid, 1 );
        if ( rs->sr_err == LDAP_UNAVAILABLE && do_retry ) {
                do_retry = 0;
-               if ( ldap_back_retry (lc, op, rs )) goto retry;
+               if ( ldap_back_retry(lc, op, rs ) ) {
+                       goto retry;
+               }
        }
 
-#ifdef LDAP_BACK_PROXY_AUTHZ
 cleanup:
-       if ( ctrls && ctrls != op->o_ctrls ) {
-               free( ctrls[ 0 ] );
-               free( ctrls );
-       }
+#ifdef LDAP_BACK_PROXY_AUTHZ
+       (void)ldap_back_proxy_authz_ctrl_free( op, &ctrls );
 #endif /* LDAP_BACK_PROXY_AUTHZ */
        
-       if ( mdn.bv_val != op->o_req_ndn.bv_val ) {
-               free( mdn.bv_val );
-       }
-       if ( freeval ) {
-               free( mapped_val.bv_val );
-       }
        return rc;
 }
index 91de42d173784dfaa4dc34093a54e5b21a5f3c42..848464b7acc5a09a1249bb207ec03e98b2a9648b 100644 (file)
@@ -43,36 +43,40 @@ parse_idassert( BackendDB *be, const char *fname, int lineno,
 
 int
 ldap_back_db_config(
-    BackendDB  *be,
-    const char *fname,
-    int                lineno,
-    int                argc,
-    char       **argv
-)
+               BackendDB       *be,
+               const char      *fname,
+               int             lineno,
+               int             argc,
+               char            **argv )
 {
        struct ldapinfo *li = (struct ldapinfo *) be->be_private;
 
        if ( li == NULL ) {
                fprintf( stderr, "%s: line %d: ldap backend info is null!\n",
-                   fname, lineno );
-               return( 1 );
+                               fname, lineno );
+               return 1;
        }
 
        /* server address to query (depricated, use "uri" directive) */
        if ( strcasecmp( argv[0], "server" ) == 0 ) {
                ber_len_t       l;
 
-               if (argc != 2) {
+               fprintf( stderr,
+       "%s: line %d: \"server <address>\" directive is deprecated\n",
+                                       fname, lineno );
+
+               if ( argc != 2 ) {
                        fprintf( stderr,
        "%s: line %d: missing address in \"server <address>\" line\n",
-                           fname, lineno );
-                       return( 1 );
+                                       fname, lineno );
+                       return 1;
+               }
+               if ( li->url != NULL ) {
+                       ch_free( li->url );
                }
-               if (li->url != NULL)
-                       ch_free(li->url);
                l = strlen( argv[1] ) + STRLENOF( "ldap:///") + 1;
                li->url = ch_calloc( l, sizeof( char ) );
-               if (li->url == NULL) {
+               if ( li->url == NULL ) {
                        fprintf( stderr, "%s: line %d: malloc failed\n" );
                        return 1;
                }
@@ -81,15 +85,15 @@ ldap_back_db_config(
 
        /* URI of server to query (preferred over "server" directive) */
        } else if ( strcasecmp( argv[0], "uri" ) == 0 ) {
-               LDAPURLDesc     tmplud, *tmpludp;
+               LDAPURLDesc     *tmpludp;
                int             urlrc;
 
-               if (argc != 2) {
+               if ( argc != 2 ) {
                        fprintf( stderr, "%s: line %d: "
-                               "missing uri "
-                               "in \"uri <uri>\" line\n",
-                               fname, lineno );
-                       return( 1 );
+                                       "missing uri "
+                                       "in \"uri <uri>\" line\n",
+                                       fname, lineno );
+                       return 1;
                }
                if ( li->url != NULL ) {
                        ch_free( li->url );
@@ -142,29 +146,31 @@ ldap_back_db_config(
                                break;
                        }
                        fprintf( stderr, "%s: line %d: "
-                               "unable to parse uri \"%s\" "
-                               "in \"uri <uri>\" line: %s\n",
-                               fname, lineno, argv[ 1 ], why );
+                                       "unable to parse uri \"%s\" "
+                                       "in \"uri <uri>\" line: %s\n",
+                                       fname, lineno, argv[ 1 ], why );
                        return 1;
                }
 
                for ( tmpludp = li->lud; tmpludp; tmpludp = tmpludp->lud_next ) {
-                       if ( ( tmpludp->lud_dn != NULL && tmpludp->lud_dn[0] != '\0' )
+                       if ( ( tmpludp->lud_dn != NULL
+                                               && tmpludp->lud_dn[0] != '\0' )
                                        || tmpludp->lud_attrs != NULL
                                        || tmpludp->lud_filter != NULL
                                        || tmpludp->lud_exts != NULL )
                        {
                                fprintf( stderr, "%s: line %d: "
-                                       "warning, only protocol, "
-                                       "host and port allowed "
-                                       "in \"uri <uri>\" statement "
-                                       "for \"%s\"\n",
-                                       fname, lineno, argv[1] );
+                                               "warning, only protocol, "
+                                               "host and port allowed "
+                                               "in \"uri <uri>\" statement "
+                                               "for \"%s\"\n",
+                                               fname, lineno, argv[1] );
                        }
                }
 
 #if 0
                for ( tmpludp = li->lud; tmpludp; tmpludp = tmpludp->lud_next ) {
+                       LDAPURLDesc     tmplud;
                        char            *tmpurl;
                        ber_len_t       oldlen = 0, len;
 
@@ -206,10 +212,10 @@ ldap_back_db_config(
        /* name to use for ldap_back_group */
        } else if ( strcasecmp( argv[0], "acl-authcdn" ) == 0
                        || strcasecmp( argv[0], "binddn" ) == 0 ) {
-               if (argc != 2) {
+               if ( argc != 2 ) {
                        fprintf( stderr,
        "%s: line %d: missing name in \"%s <name>\" line\n",
-                           fname, lineno, argv[0] );
+                                       fname, lineno, argv[0] );
                        return( 1 );
                }
                ber_str2bv( argv[1], 0, 1, &li->acl_authcDN );
@@ -217,10 +223,10 @@ ldap_back_db_config(
        /* password to use for ldap_back_group */
        } else if ( strcasecmp( argv[0], "acl-passwd" ) == 0
                        || strcasecmp( argv[0], "bindpw" ) == 0 ) {
-               if (argc != 2) {
+               if ( argc != 2 ) {
                        fprintf( stderr,
        "%s: line %d: missing password in \"%s <password>\" line\n",
-                           fname, lineno, argv[0] );
+                                       fname, lineno, argv[0] );
                        return( 1 );
                }
                ber_str2bv( argv[1], 0, 1, &li->acl_passwd );
@@ -234,304 +240,37 @@ ldap_back_db_config(
 
        /* save bind creds for referral rebinds? */
        } else if ( strcasecmp( argv[0], "rebind-as-user" ) == 0 ) {
-               if (argc != 1) {
+               if ( argc != 1 ) {
                        fprintf( stderr,
        "%s: line %d: rebind-as-user takes no arguments\n",
-                           fname, lineno );
+                                       fname, lineno );
                        return( 1 );
                }
                li->savecred = 1;
        
        /* intercept exop_who_am_i? */
        } else if ( strcasecmp( argv[0], "proxy-whoami" ) == 0 ) {
-               if (argc != 1) {
+               if ( argc != 1 ) {
                        fprintf( stderr,
        "%s: line %d: proxy-whoami takes no arguments\n",
-                           fname, lineno );
+                                       fname, lineno );
                        return( 1 );
                }
                load_extop( (struct berval *)&slap_EXOP_WHOAMI,
-                       0, ldap_back_exop_whoami );
+                               0, ldap_back_exop_whoami );
        
-       /* dn massaging */
-       } else if ( strcasecmp( argv[0], "suffixmassage" ) == 0 ) {
-               BackendDB *tmp_be;
-               struct berval bvnc, nvnc, pvnc, brnc, nrnc, prnc;
-#ifdef ENABLE_REWRITE
-               int rc;
-#endif /* ENABLE_REWRITE */
-               
-               /*
-                * syntax:
-                * 
-                *      suffixmassage <suffix> <massaged suffix>
-                *
-                * the <suffix> field must be defined as a valid suffix
-                * (or suffixAlias?) for the current database;
-                * the <massaged suffix> shouldn't have already been
-                * defined as a valid suffix or suffixAlias for the 
-                * current server
-                */
-               if ( argc != 3 ) {
-                       fprintf( stderr, "%s: line %d: syntax is"
-                                      " \"suffixMassage <suffix>"
-                                      " <massaged suffix>\"\n",
-                               fname, lineno );
-                       return( 1 );
-               }
-               
-               ber_str2bv( argv[1], 0, 0, &bvnc );
-               if ( dnPrettyNormal( NULL, &bvnc, &pvnc, &nvnc, NULL ) != LDAP_SUCCESS ) {
-                       fprintf( stderr, "%s: line %d: suffix DN %s is invalid\n",
-                               fname, lineno, bvnc.bv_val );
-                       return( 1 );
-               }
-               tmp_be = select_backend( &nvnc, 0, 0 );
-               if ( tmp_be != NULL && tmp_be != be ) {
-                       fprintf( stderr, "%s: line %d: suffix already in use"
-                                      " by another backend in"
-                                      " \"suffixMassage <suffix>"
-                                      " <massaged suffix>\"\n",
-                               fname, lineno );
-                       free( nvnc.bv_val );
-                       free( pvnc.bv_val );
-                       return( 1 );
-               }
-
-               ber_str2bv( argv[2], 0, 0, &brnc );
-               if ( dnPrettyNormal( NULL, &brnc, &prnc, &nrnc, NULL ) != LDAP_SUCCESS ) {
-                       fprintf( stderr, "%s: line %d: suffix DN %s is invalid\n",
-                               fname, lineno, brnc.bv_val );
-                       free( nvnc.bv_val );
-                       free( pvnc.bv_val );
-                       return( 1 );
-               }
-
-#if 0
-               tmp_be = select_backend( &nrnc, 0, 0 );
-               if ( tmp_be != NULL ) {
-                       fprintf( stderr, "%s: line %d: massaged suffix"
-                                      " already in use by another backend in" 
-                                      " \"suffixMassage <suffix>"
-                                      " <massaged suffix>\"\n",
-                                fname, lineno );
-                       free( nvnc.bv_val );
-                       free( pvnc.bv_val );
-                       free( nrnc.bv_val );
-                       free( prnc.bv_val );
-                        return( 1 );
-               }
-#endif
-
-#ifdef ENABLE_REWRITE
-               /*
-                * The suffix massaging is emulated by means of the
-                * rewrite capabilities
-                * FIXME: no extra rewrite capabilities should be added
-                * to the database
-                */
-               rc = suffix_massage_config( li->rwmap.rwm_rw,
-                               &pvnc, &nvnc, &prnc, &nrnc );
-               free( nvnc.bv_val );
-               free( pvnc.bv_val );
-               free( nrnc.bv_val );
-               free( prnc.bv_val );
-
-               return( rc );
-
-#else /* !ENABLE_REWRITE */
-               ber_bvarray_add( &li->rwmap.rwm_suffix_massage, &pvnc );
-               ber_bvarray_add( &li->rwmap.rwm_suffix_massage, &nvnc );
-               
-               ber_bvarray_add( &li->rwmap.rwm_suffix_massage, &prnc );
-               ber_bvarray_add( &li->rwmap.rwm_suffix_massage, &nrnc );
-#endif /* !ENABLE_REWRITE */
-
-       /* rewrite stuff ... */
-       } else if ( strncasecmp( argv[0], "rewrite", 7 ) == 0 ) {
-#ifdef ENABLE_REWRITE
-               return rewrite_parse( li->rwmap.rwm_rw,
-                               fname, lineno, argc, argv );
-
-#else /* !ENABLE_REWRITE */
-               fprintf( stderr, "%s: line %d: rewrite capabilities "
-                               "are not enabled\n", fname, lineno );
-#endif /* !ENABLE_REWRITE */
-               
-       /* objectclass/attribute mapping */
-       } else if ( strcasecmp( argv[0], "map" ) == 0 ) {
-               return ldap_back_map_config( &li->rwmap.rwm_oc,
-                               &li->rwmap.rwm_at,
-                               fname, lineno, argc, argv );
-
        /* anything else */
        } else {
                return SLAP_CONF_UNKNOWN;
        }
-       return 0;
-}
-
-int
-ldap_back_map_config(
-               struct ldapmap  *oc_map,
-               struct ldapmap  *at_map,
-               const char      *fname,
-               int             lineno,
-               int             argc,
-               char            **argv )
-{
-       struct ldapmap          *map;
-       struct ldapmapping      *mapping;
-       char                    *src, *dst;
-       int                     is_oc = 0;
-
-       if ( argc < 3 || argc > 4 ) {
-               fprintf( stderr,
-       "%s: line %d: syntax is \"map {objectclass | attribute} [<local> | *] {<foreign> | *}\"\n",
-                       fname, lineno );
-               return 1;
-       }
-
-       if ( strcasecmp( argv[1], "objectclass" ) == 0 ) {
-               map = oc_map;
-               is_oc = 1;
-
-       } else if ( strcasecmp( argv[1], "attribute" ) == 0 ) {
-               map = at_map;
-
-       } else {
-               fprintf( stderr, "%s: line %d: syntax is "
-                       "\"map {objectclass | attribute} [<local> | *] "
-                       "{<foreign> | *}\"\n",
-                       fname, lineno );
-               return 1;
-       }
-
-       if ( strcmp( argv[2], "*" ) == 0 ) {
-               if ( argc < 4 || strcmp( argv[3], "*" ) == 0 ) {
-                       map->drop_missing = ( argc < 4 );
-                       return 0;
-               }
-               src = dst = argv[3];
-
-       } else if ( argc < 4 ) {
-               src = "";
-               dst = argv[2];
-
-       } else {
-               src = argv[2];
-               dst = ( strcmp( argv[3], "*" ) == 0 ? src : argv[3] );
-       }
-
-       if ( ( map == at_map )
-                       && ( strcasecmp( src, "objectclass" ) == 0
-                       || strcasecmp( dst, "objectclass" ) == 0 ) )
-       {
-               fprintf( stderr,
-                       "%s: line %d: objectclass attribute cannot be mapped\n",
-                       fname, lineno );
-       }
-
-       mapping = (struct ldapmapping *)ch_calloc( 2,
-               sizeof(struct ldapmapping) );
-       if ( mapping == NULL ) {
-               fprintf( stderr,
-                       "%s: line %d: out of memory\n",
-                       fname, lineno );
-               return 1;
-       }
-       ber_str2bv( src, 0, 1, &mapping->src );
-       ber_str2bv( dst, 0, 1, &mapping->dst );
-       mapping[1].src = mapping->dst;
-       mapping[1].dst = mapping->src;
-
-       /*
-        * schema check
-        */
-       if ( is_oc ) {
-               if ( src[0] != '\0' ) {
-                       if ( oc_bvfind( &mapping->src ) == NULL ) {
-                               fprintf( stderr,
-       "%s: line %d: warning, source objectClass '%s' "
-       "should be defined in schema\n",
-                                       fname, lineno, src );
-
-                               /*
-                                * FIXME: this should become an err
-                                */
-                               goto error_return;
-                       }
-               }
-
-               if ( oc_bvfind( &mapping->dst ) == NULL ) {
-                       fprintf( stderr,
-       "%s: line %d: warning, destination objectClass '%s' "
-       "is not defined in schema\n",
-                               fname, lineno, dst );
-               }
-       } else {
-               int                     rc;
-               const char              *text = NULL;
-               AttributeDescription    *ad = NULL;
-
-               if ( src[0] != '\0' ) {
-                       rc = slap_bv2ad( &mapping->src, &ad, &text );
-                       if ( rc != LDAP_SUCCESS ) {
-                               fprintf( stderr,
-       "%s: line %d: warning, source attributeType '%s' "
-       "should be defined in schema\n",
-                                       fname, lineno, src );
-
-                               /*
-                                * FIXME: this should become an err
-                                */
-                               goto error_return;
-                       }
-
-                       ad = NULL;
-               }
-
-               rc = slap_bv2ad( &mapping->dst, &ad, &text );
-               if ( rc != LDAP_SUCCESS ) {
-                       fprintf( stderr,
-       "%s: line %d: warning, destination attributeType '%s' "
-       "is not defined in schema\n",
-                               fname, lineno, dst );
-               }
-       }
-
-       if ( (src[0] != '\0' && avl_find( map->map, (caddr_t)mapping, mapping_cmp ) != NULL)
-                       || avl_find( map->remap, (caddr_t)&mapping[1], mapping_cmp ) != NULL)
-       {
-               fprintf( stderr,
-                       "%s: line %d: duplicate mapping found (ignored)\n",
-                       fname, lineno );
-               goto error_return;
-       }
-
-       if ( src[0] != '\0' ) {
-               avl_insert( &map->map, (caddr_t)mapping,
-                                       mapping_cmp, mapping_dup );
-       }
-       avl_insert( &map->remap, (caddr_t)&mapping[1],
-                               mapping_cmp, mapping_dup );
 
        return 0;
-
-error_return:;
-       if ( mapping ) {
-               ch_free( mapping->src.bv_val );
-               ch_free( mapping->dst.bv_val );
-               ch_free( mapping );
-       }
-
-       return 1;
 }
 
 static int
 ldap_back_exop_whoami(
-       Operation *op,
-       SlapReply *rs )
+               Operation       *op,
+               SlapReply       *rs )
 {
        struct berval *bv = NULL;
 
@@ -569,10 +308,10 @@ ldap_back_exop_whoami(
                strcpy(c.ldctl_value.bv_val+3, op->o_ndn.bv_val);
 
 retry:
-               rs->sr_err = ldap_whoami(lc->ld, ctrls, NULL, &msgid);
+               rs->sr_err = ldap_whoami(lc->lc_ld, ctrls, NULL, &msgid);
                if (rs->sr_err == LDAP_SUCCESS) {
-                       if (ldap_result(lc->ld, msgid, 1, NULL, &res) == -1) {
-                               ldap_get_option(lc->ld, LDAP_OPT_ERROR_NUMBER,
+                       if (ldap_result(lc->lc_ld, msgid, 1, NULL, &res) == -1) {
+                               ldap_get_option(lc->lc_ld, LDAP_OPT_ERROR_NUMBER,
                                        &rs->sr_err);
                                if ( rs->sr_err == LDAP_SERVER_DOWN && do_retry ) {
                                        do_retry = 0;
@@ -583,7 +322,7 @@ retry:
                                lc = NULL;
 
                        } else {
-                               rs->sr_err = ldap_parse_whoami(lc->ld, res, &bv);
+                               rs->sr_err = ldap_parse_whoami(lc->lc_ld, res, &bv);
                                ldap_msgfree(res);
                        }
                }
@@ -594,7 +333,7 @@ retry:
        } else {
        /* else just do the same as before */
                bv = (struct berval *) ch_malloc( sizeof(struct berval) );
-               if( op->o_dn.bv_len ) {
+               if ( !BER_BVISEMPTY( &op->o_dn ) ) {
                        bv->bv_len = op->o_dn.bv_len + sizeof("dn:") - 1;
                        bv->bv_val = ch_malloc( bv->bv_len + 1 );
                        AC_MEMCPY( bv->bv_val, "dn:", sizeof("dn:") - 1 );
@@ -612,119 +351,6 @@ retry:
 }
 
 
-#ifdef ENABLE_REWRITE
-static char *
-suffix_massage_regexize( const char *s )
-{
-       char *res, *ptr;
-       const char *p, *r;
-       int i;
-
-       for ( i = 0, p = s; 
-                       ( r = strchr( p, ',' ) ) != NULL; 
-                       p = r + 1, i++ )
-               ;
-
-       res = ch_calloc( sizeof( char ), strlen( s ) + 4 + 4*i + 1 );
-
-       ptr = lutil_strcopy( res, "(.*)" );
-       for ( i = 0, p = s;
-                       ( r = strchr( p, ',' ) ) != NULL;
-                       p = r + 1 , i++ ) {
-               ptr = lutil_strncopy( ptr, p, r - p + 1 );
-               ptr = lutil_strcopy( ptr, "[ ]?" );
-
-               if ( r[ 1 ] == ' ' ) {
-                       r++;
-               }
-       }
-       lutil_strcopy( ptr, p );
-
-       return res;
-}
-
-static char *
-suffix_massage_patternize( const char *s )
-{
-       ber_len_t       len;
-       char            *res;
-
-       len = strlen( s );
-
-       res = ch_calloc( sizeof( char ), len + sizeof( "%1" ) );
-       if ( res == NULL ) {
-               return NULL;
-       }
-
-       strcpy( res, "%1" );
-       strcpy( res + sizeof( "%1" ) - 1, s );
-
-       return res;
-}
-
-int
-suffix_massage_config( 
-               struct rewrite_info *info,
-               struct berval *pvnc,
-               struct berval *nvnc,
-               struct berval *prnc,
-               struct berval *nrnc
-)
-{
-       char *rargv[ 5 ];
-       int line = 0;
-
-       rargv[ 0 ] = "rewriteEngine";
-       rargv[ 1 ] = "on";
-       rargv[ 2 ] = NULL;
-       rewrite_parse( info, "<suffix massage>", ++line, 2, rargv );
-
-       rargv[ 0 ] = "rewriteContext";
-       rargv[ 1 ] = "default";
-       rargv[ 2 ] = NULL;
-       rewrite_parse( info, "<suffix massage>", ++line, 2, rargv );
-
-       rargv[ 0 ] = "rewriteRule";
-       rargv[ 1 ] = suffix_massage_regexize( pvnc->bv_val );
-       rargv[ 2 ] = suffix_massage_patternize( prnc->bv_val );
-       rargv[ 3 ] = ":";
-       rargv[ 4 ] = NULL;
-       rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
-       ch_free( rargv[ 1 ] );
-       ch_free( rargv[ 2 ] );
-       
-       rargv[ 0 ] = "rewriteContext";
-       rargv[ 1 ] = "searchResult";
-       rargv[ 2 ] = NULL;
-       rewrite_parse( info, "<suffix massage>", ++line, 2, rargv );
-       
-       rargv[ 0 ] = "rewriteRule";
-       rargv[ 1 ] = suffix_massage_regexize( prnc->bv_val );
-       rargv[ 2 ] = suffix_massage_patternize( pvnc->bv_val );
-       rargv[ 3 ] = ":";
-       rargv[ 4 ] = NULL;
-       rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
-       ch_free( rargv[ 1 ] );
-       ch_free( rargv[ 2 ] );
-
-       rargv[ 0 ] = "rewriteContext";
-       rargv[ 1 ] = "matchedDN";
-       rargv[ 2 ] = "alias";
-       rargv[ 3 ] = "searchResult";
-       rargv[ 4 ] = NULL;
-       rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
-
-       rargv[ 0 ] = "rewriteContext";
-       rargv[ 1 ] = "searchAttrDN";
-       rargv[ 2 ] = "alias";
-       rargv[ 3 ] = "searchResult";
-       rargv[ 4 ] = NULL;
-       rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
-
-       return 0;
-}
-#endif /* ENABLE_REWRITE */
-
 #ifdef LDAP_BACK_PROXY_AUTHZ
 static int
 parse_idassert(
@@ -739,9 +365,9 @@ parse_idassert(
 
        /* identity assertion mode */
        if ( strcasecmp( argv[0], "idassert-mode" ) == 0 ) {
-               if ( argc != 2 ) {
+               if ( argc < 2 ) {
                        Debug( LDAP_DEBUG_ANY,
-                               "%s: line %d: illegal args number %d in \"idassert-mode <args>\" line.\n",
+                               "%s: line %d: illegal args number %d in \"idassert-mode <args> [<flag> [...]]\" line.\n",
                                fname, lineno, argc );
                        return 1;
                }
@@ -802,6 +428,20 @@ parse_idassert(
                        }
                }
 
+               for ( argc -= 2, argv += 2; argc--; argv++ ) {
+                       if ( strcasecmp( argv[0], "override" ) == 0 ) {
+                               li->idassert_flags |= LDAP_BACK_AUTH_OVERRIDE;
+
+                       } else {
+                               Debug( LDAP_DEBUG_ANY,
+                                       "%s: line %d: unknown flag \"%s\" "
+                                       "in \"idassert-mode <args> "
+                                       "[<flags>]\" line.\n",
+                                       fname, lineno, argv[0] );
+                               return 1;
+                       }
+               }
+
        /* name to use for proxyAuthz propagation */
        } else if ( strcasecmp( argv[0], "idassert-authcdn" ) == 0
                        || strcasecmp( argv[0], "proxyauthzdn" ) == 0 )
index 9efc3fe9322ea2fd1953fa284f4a0048550586f2..b05872c9a64744d15449bdcbd0779acc706b3b57 100644 (file)
 
 int
 ldap_back_delete(
-    Operation  *op,
-    SlapReply  *rs )
+               Operation       *op,
+               SlapReply       *rs )
 {
-       struct ldapinfo *li = (struct ldapinfo *) op->o_bd->be_private;
-       struct ldapconn *lc;
-       ber_int_t msgid;
-       dncookie dc;
-       LDAPControl **ctrls = NULL;
-       int do_retry = 1;
-       int rc = LDAP_SUCCESS;
-
-       struct berval mdn = BER_BVNULL;
+       struct ldapconn *lc;
+       ber_int_t       msgid;
+       LDAPControl     **ctrls = NULL;
+       int             do_retry = 1;
+       int             rc = LDAP_SUCCESS;
 
        lc = ldap_back_getconn( op, rs );
        
        if ( !lc || !ldap_back_dobind( lc, op, rs ) ) {
-               return( -1 );
-       }
-
-       /*
-        * Rewrite the request dn, if needed
-        */
-       dc.rwmap = &li->rwmap;
-#ifdef ENABLE_REWRITE
-       dc.conn = op->o_conn;
-       dc.rs = rs;
-       dc.ctx = "deleteDN";
-#else
-       dc.tofrom = 1;
-       dc.normalized = 0;
-#endif
-       if ( ldap_back_dn_massage( &dc, &op->o_req_ndn, &mdn ) ) {
-               send_ldap_result( op, rs );
-               return -1;
+               rc = -1;
+               goto cleanup;
        }
 
 #ifdef LDAP_BACK_PROXY_AUTHZ
@@ -80,7 +60,7 @@ ldap_back_delete(
 #endif /* LDAP_BACK_PROXY_AUTHZ */
 
 retry:
-       rs->sr_err = ldap_delete_ext( lc->ld, mdn.bv_val,
+       rs->sr_err = ldap_delete_ext( lc->lc_ld, op->o_req_ndn.bv_val,
                        ctrls, NULL, &msgid );
        rc = ldap_back_op_result( lc, op, rs, msgid, 1 );
        if ( rs->sr_err == LDAP_SERVER_DOWN && do_retry ) {
@@ -88,17 +68,10 @@ retry:
                if ( ldap_back_retry (lc, op, rs )) goto retry;
        }
 
-#ifdef LDAP_BACK_PROXY_AUTHZ
 cleanup:
-       if ( ctrls && ctrls != op->o_ctrls ) {
-               free( ctrls[ 0 ] );
-               free( ctrls );
-       }
+#ifdef LDAP_BACK_PROXY_AUTHZ
+       (void)ldap_back_proxy_authz_ctrl_free( op, &ctrls );
 #endif /* LDAP_BACK_PROXY_AUTHZ */
 
-       if ( mdn.bv_val != op->o_req_ndn.bv_val ) {
-               free( mdn.bv_val );
-       }
-
        return rc;
 }
index 5008de7acc2e33ec2fb7bdcb848227ca41cf0090..879c0ce7ca0cda8696dd01bbf65f4d56f213690d 100644 (file)
@@ -31,7 +31,7 @@
 BI_op_extended ldap_back_exop_passwd;
 
 static struct exop {
-       struct berval *oid;
+       struct berval   *oid;
        BI_op_extended  *extended;
 } exop_table[] = {
        { (struct berval *)&slap_EXOP_MODIFY_PASSWD, ldap_back_exop_passwd },
@@ -40,36 +40,39 @@ static struct exop {
 
 int
 ldap_back_extended(
-       Operation               *op,
-       SlapReply               *rs )
+               Operation       *op,
+               SlapReply       *rs )
 {
-       int i;
+       int     i;
 
-       for( i=0; exop_table[i].extended != NULL; i++ ) {
-               if( ber_bvcmp( exop_table[i].oid, &op->oq_extended.rs_reqoid ) == 0 ) {
+       for ( i = 0; exop_table[i].extended != NULL; i++ ) {
+               if ( bvmatch( exop_table[i].oid, &op->oq_extended.rs_reqoid ) )
+               {
 #ifdef LDAP_BACK_PROXY_AUTHZ 
-                       struct ldapconn *lc;
-                       LDAPControl **oldctrls = NULL;
-                       int rc;
+                       struct ldapconn *lc;
+                       LDAPControl     **oldctrls = NULL;
+                       int             rc;
 
                        /* FIXME: this needs to be called here, so it is
                         * called twice; maybe we could avoid the 
                         * ldap_back_dobind() call inside each extended()
                         * call ... */
-                       lc = ldap_back_getconn(op, rs);
-                       if (!lc || !ldap_back_dobind(lc, op, rs) ) {
+                       lc = ldap_back_getconn( op, rs );
+                       if ( !lc || !ldap_back_dobind( lc, op, rs ) ) {
                                return -1;
                        }
 
                        oldctrls = op->o_ctrls;
-                       if ( ldap_back_proxy_authz_ctrl( lc, op, rs, &op->o_ctrls ) ) {
+                       if ( ldap_back_proxy_authz_ctrl( lc, op, rs,
+                                               &op->o_ctrls ) )
+                       {
                                op->o_ctrls = oldctrls;
                                send_ldap_result( op, rs );
                                rs->sr_text = NULL;
                                return rs->sr_err;
                        }
 
-                       rc = (exop_table[i].extended)( op, rs );
+                       rc = ( *exop_table[i].extended )( op, rs );
 
                        if ( op->o_ctrls && op->o_ctrls != oldctrls ) {
                                free( op->o_ctrls[ 0 ] );
@@ -79,7 +82,7 @@ ldap_back_extended(
 
                        return rc;
 #else /* ! LDAP_BACK_PROXY_AUTHZ */
-                       return (exop_table[i].extended)( op, rs );
+                       return ( *exop_table[i].extended )( op, rs );
 #endif /* ! LDAP_BACK_PROXY_AUTHZ */
                }
        }
@@ -90,94 +93,86 @@ ldap_back_extended(
 
 int
 ldap_back_exop_passwd(
-       Operation               *op,
-       SlapReply               *rs )
+               Operation       *op,
+               SlapReply       *rs )
 {
-       struct ldapinfo *li = (struct ldapinfo *) op->o_bd->be_private;
-       struct ldapconn *lc;
-       req_pwdexop_s *qpw = &op->oq_pwdexop;
-       struct berval mdn = BER_BVNULL, newpw;
-       LDAPMessage *res;
-       ber_int_t msgid;
-       int rc, isproxy;
-       int do_retry = 1;
-       dncookie dc;
-
-       lc = ldap_back_getconn(op, rs);
-       if (!lc || !ldap_back_dobind(lc, op, rs) ) {
+       struct ldapconn *lc;
+       req_pwdexop_s   *qpw = &op->oq_pwdexop;
+       LDAPMessage     *res;
+       ber_int_t       msgid;
+       int             rc, isproxy;
+       int             do_retry = 1;
+
+       lc = ldap_back_getconn( op, rs );
+       if ( !lc || !ldap_back_dobind( lc, op, rs ) ) {
                return -1;
        }
 
        isproxy = ber_bvcmp( &op->o_req_ndn, &op->o_ndn );
 
-       Debug( LDAP_DEBUG_TRACE, "ldap_back_exop_passwd: \"%s\"%s\n",
+       Debug( LDAP_DEBUG_ARGS, "==> ldap_back_exop_passwd(\"%s\")%s\n",
                op->o_req_dn.bv_val, isproxy ? " (proxy)" : "", 0 );
 
-       if ( isproxy ) {
-               dc.rwmap = &li->rwmap;
-#ifdef ENABLE_REWRITE
-               dc.conn = op->o_conn;
-               dc.rs = rs;
-               dc.ctx = "exopPasswdDN";
-#else
-               dc.tofrom = 1;
-               dc.normalized = 0;
-#endif
-               if ( ldap_back_dn_massage( &dc, &op->o_req_dn, &mdn ) ) {
-                       send_ldap_result( op, rs );
-                       return -1;
-               }
-       }
-
 retry:
-       rc = ldap_passwd(lc->ld, isproxy ? &mdn : NULL,
+       rc = ldap_passwd( lc->lc_ld, isproxy ? &op->o_req_dn : NULL,
                qpw->rs_old.bv_val ? &qpw->rs_old : NULL,
                qpw->rs_new.bv_val ? &qpw->rs_new : NULL,
-               op->o_ctrls, NULL, &msgid);
+               op->o_ctrls, NULL, &msgid );
 
-       if (rc == LDAP_SUCCESS) {
-               if (ldap_result(lc->ld, msgid, 1, NULL, &res) == -1) {
-                       ldap_get_option(lc->ld, LDAP_OPT_ERROR_NUMBER, &rc);
+       if ( rc == LDAP_SUCCESS ) {
+               if ( ldap_result( lc->lc_ld, msgid, 1, NULL, &res ) == -1 ) {
+                       ldap_get_option( lc->lc_ld, LDAP_OPT_ERROR_NUMBER, &rc );
                        ldap_back_freeconn( op, lc );
                        lc = NULL;
 
                } else {
-                       /* sigh. parse twice, because parse_passwd doesn't give
-                        * us the err / match / msg info.
+                       /* sigh. parse twice, because parse_passwd
+                        * doesn't give us the err / match / msg info.
                         */
-                       rc = ldap_parse_result(lc->ld, res, &rs->sr_err, (char **)&rs->sr_matched, (char **)&rs->sr_text,
-                               NULL, NULL, 0);
-                       if (rc == LDAP_SUCCESS) {
-                               if (rs->sr_err == LDAP_SUCCESS) {
-                                       rc = ldap_parse_passwd(lc->ld, res, &newpw);
-                                       if (rc == LDAP_SUCCESS && newpw.bv_val) {
+                       rc = ldap_parse_result( lc->lc_ld, res, &rs->sr_err,
+                                       (char **)&rs->sr_matched,
+                                       (char **)&rs->sr_text,
+                                       NULL, NULL, 0 );
+                       if ( rc == LDAP_SUCCESS ) {
+                               if ( rs->sr_err == LDAP_SUCCESS ) {
+                                       struct berval   newpw;
+                                       
+                                       rc = ldap_parse_passwd( lc->lc_ld, res,
+                                                       &newpw);
+                                       if ( rc == LDAP_SUCCESS &&
+                                                       !BER_BVISNULL( &newpw ) )
+                                       {
                                                rs->sr_type = REP_EXTENDED;
-                                               rs->sr_rspdata = slap_passwd_return(&newpw);
-                                               free(newpw.bv_val);
+                                               rs->sr_rspdata = slap_passwd_return( &newpw );
+                                               free( newpw.bv_val );
                                        }
+
                                } else {
                                        rc = rs->sr_err;
                                }
                        }
-                       ldap_msgfree(res);
+                       ldap_msgfree( res );
                }
        }
-       if (rc != LDAP_SUCCESS) {
+       if ( rc != LDAP_SUCCESS ) {
                rs->sr_err = slap_map_api2result( rs );
                if ( rs->sr_err == LDAP_UNAVAILABLE && do_retry ) {
                        do_retry = 0;
-                       if ( ldap_back_retry (lc, op, rs )) goto retry;
+                       if ( ldap_back_retry(lc, op, rs ) ) {
+                               goto retry;
+                       }
+               }
+               send_ldap_result( op, rs );
+               if ( rs->sr_matched ) {
+                       free( (char *)rs->sr_matched );
+               }
+               if ( rs->sr_text ) {
+                       free( (char *)rs->sr_text );
                }
-               send_ldap_result(op, rs);
-               if (rs->sr_matched) free((char *)rs->sr_matched);
-               if (rs->sr_text) free((char *)rs->sr_text);
                rs->sr_matched = NULL;
                rs->sr_text = NULL;
                rc = -1;
        }
-       if (mdn.bv_val != op->o_req_dn.bv_val) {
-               free(mdn.bv_val);
-       }
 
        return rc;
 }
index bbf35ef531e3bd1fbab427a69786eb18796e189b..26db3c83b7c2e3387470adbfefa23b64dd6d04a7 100644 (file)
 #include "external.h"
 
 #if SLAPD_LDAP == SLAPD_MOD_DYNAMIC
+int
+init_module( int argc, char *argv[] )
+{
+       BackendInfo     bi;
 
-int init_module(int argc, char *argv[]) {
-    BackendInfo bi;
-
-    memset( &bi, '\0', sizeof(bi) );
-    bi.bi_type = "ldap";
-    bi.bi_init = ldap_back_initialize;
+       memset( &bi, '\0', sizeof( bi ) );
+       bi.bi_type = "ldap";
+       bi.bi_init = ldap_back_initialize;
 
-    backend_add(&bi);
-    return 0;
+       backend_add( &bi );
+    
+       return 0;
 }
 
 #endif /* SLAPD_LDAP */
 
 int
-ldap_back_open(
-       BackendInfo *bi
-)
+ldap_back_open( BackendInfo    *bi )
 {
        bi->bi_controls = slap_known_controls;
        return 0;
 }
 
 int
-ldap_back_initialize(
-    BackendInfo        *bi
-)
+ldap_back_initialize( BackendInfo *bi )
 {
        bi->bi_open = ldap_back_open;
        bi->bi_config = 0;
@@ -94,14 +92,11 @@ ldap_back_initialize(
 }
 
 int
-ldap_back_db_init(
-    Backend    *be
-)
+ldap_back_db_init( Backend *be )
 {
        struct ldapinfo *li;
-       struct ldapmapping *mapping;
 
-       li = (struct ldapinfo *) ch_calloc( 1, sizeof(struct ldapinfo) );
+       li = (struct ldapinfo *)ch_calloc( 1, sizeof( struct ldapinfo ) );
        if ( li == NULL ) {
                return -1;
        }
@@ -130,42 +125,10 @@ ldap_back_db_init(
        li->idassert_flags = LDAP_BACK_AUTH_NONE;
 #endif /* LDAP_BACK_PROXY_AUTHZ */
 
-#ifdef ENABLE_REWRITE
-       li->rwmap.rwm_rw = rewrite_info_init( REWRITE_MODE_USE_DEFAULT );
-       if ( li->rwmap.rwm_rw == NULL ) {
-               ch_free( li );
-               return -1;
-       }
-
-       {
-               char    *rargv[3];
-
-               /*
-                * the filter rewrite as a string must be disabled
-                * by default; it can be re-enabled by adding rules;
-                * this creates an empty rewriteContext
-                */
-               rargv[ 0 ] = "rewriteContext";
-               rargv[ 1 ] = "searchFilter";
-               rargv[ 2 ] = NULL;
-               rewrite_parse( li->rwmap.rwm_rw, "<suffix massage>", 
-                               1, 2, rargv );
-
-               rargv[ 0 ] = "rewriteContext";
-               rargv[ 1 ] = "default";
-               rargv[ 2 ] = NULL;
-               rewrite_parse( li->rwmap.rwm_rw, "<suffix massage>", 
-                               1, 2, rargv );
-       }
-#endif /* ENABLE_REWRITE */
-
        ldap_pvt_thread_mutex_init( &li->conn_mutex );
 
-       ldap_back_map_init( &li->rwmap.rwm_oc, &mapping );
-       ldap_back_map_init( &li->rwmap.rwm_at, &mapping );
-
        be->be_private = li;
-       SLAP_DBFLAGS(be) |= SLAP_DBFLAG_NOLASTMOD;
+       SLAP_DBFLAGS( be ) |= SLAP_DBFLAG_NOLASTMOD;
 
        return 0;
 }
@@ -176,7 +139,7 @@ ldap_back_db_open( BackendDB *be )
        struct ldapinfo *li = (struct ldapinfo *)be->be_private;
 
        Debug( LDAP_DEBUG_TRACE,
-               "ldap_back_db_open: URI=%s\n",  li->url, 0, 0 );
+               "ldap_back_db_open: URI=%s\n", li->url, 0, 0 );
 
 #ifdef LDAP_BACK_PROXY_AUTHZ
        /* by default, use proxyAuthz control on each operation */
@@ -193,39 +156,55 @@ ldap_back_db_open( BackendDB *be )
        }
 #endif /* LDAP_BACK_PROXY_AUTHZ */
 
+#ifdef SLAPD_MONITOR
+       {
+               struct berval   filter,
+                               base = BER_BVC( "cn=Databases,cn=Monitor" );
+               const char      *text;
+               struct berval   vals[ 2 ];
+               Attribute       a = { 0 };
+
+               filter.bv_len = STRLENOF( "(&(namingContexts=)(monitoredInfo=ldap))" )
+                       + be->be_nsuffix[ 0 ].bv_len;
+               filter.bv_val = ch_malloc( filter.bv_len + 1 );
+               snprintf( filter.bv_val, filter.bv_len + 1,
+                               "(&(namingContexts=%s)(monitoredInfo=ldap))",
+                               be->be_nsuffix[ 0 ].bv_val );
+
+               a.a_desc = slap_schema.si_ad_labeledURI;
+               ber_str2bv( li->url, 0, 0, &vals[ 0 ] );
+               BER_BVZERO( &vals[ 1 ] );
+               a.a_vals = vals;
+               a.a_nvals = vals;
+               if ( monitor_back_register_entry_attrs( NULL, &a, NULL, &base, LDAP_SCOPE_SUBTREE, &filter ) ) {
+                       /* error */
+               }
+       }
+#endif /* SLAPD_MONITOR */
+
        return 0;
 }
 
 void
-ldap_back_conn_free( 
-       void *v_lc
-)
+ldap_back_conn_free( void *v_lc )
 {
-       struct ldapconn *lc = v_lc;
-       ldap_unbind( lc->ld );
-       if ( lc->bound_dn.bv_val ) {
-               ch_free( lc->bound_dn.bv_val );
+       struct ldapconn *lc = v_lc;
+       
+       ldap_unbind_ext_s( lc->lc_ld, NULL, NULL );
+       if ( !BER_BVISNULL( &lc->lc_bound_ndn ) ) {
+               ch_free( lc->lc_bound_ndn.bv_val );
        }
-       if ( lc->cred.bv_val ) {
-               memset( lc->cred.bv_val, 0, lc->cred.bv_len );
-               ch_free( lc->cred.bv_val );
+       if ( !BER_BVISNULL( &lc->lc_cred ) ) {
+               memset( lc->lc_cred.bv_val, 0, lc->lc_cred.bv_len );
+               ch_free( lc->lc_cred.bv_val );
        }
-       if ( lc->local_dn.bv_val ) {
-               ch_free( lc->local_dn.bv_val );
+       if ( !BER_BVISNULL( &lc->lc_local_ndn ) ) {
+               ch_free( lc->lc_local_ndn.bv_val );
        }
        ldap_pvt_thread_mutex_destroy( &lc->lc_mutex );
        ch_free( lc );
 }
 
-static void
-mapping_free( void *v_mapping )
-{
-       struct ldapmapping *mapping = v_mapping;
-       ch_free( mapping->src.bv_val );
-       ch_free( mapping->dst.bv_val );
-       ch_free( mapping );
-}
-
 int
 ldap_back_db_destroy(
     Backend    *be
@@ -233,13 +212,13 @@ ldap_back_db_destroy(
 {
        struct ldapinfo *li;
 
-       if (be->be_private) {
-               li = (struct ldapinfo *)be->be_private;
+       if ( be->be_private ) {
+               li = ( struct ldapinfo * )be->be_private;
 
                ldap_pvt_thread_mutex_lock( &li->conn_mutex );
 
-               if (li->url) {
-                       ch_free(li->url);
+               if ( li->url ) {
+                       ch_free( li->url );
                        li->url = NULL;
                }
                if ( li->lud ) {
@@ -280,28 +259,15 @@ ldap_back_db_destroy(
                        BER_BVZERO( &li->idassert_sasl_realm );
                }
 #endif /* LDAP_BACK_PROXY_AUTHZ */
-                if (li->conntree) {
+                if ( li->conntree ) {
                        avl_free( li->conntree, ldap_back_conn_free );
                }
-#ifdef ENABLE_REWRITE
-               if (li->rwmap.rwm_rw) {
-                       rewrite_info_delete( &li->rwmap.rwm_rw );
-               }
-#else /* !ENABLE_REWRITE */
-               if (li->rwmap.rwm_suffix_massage) {
-                       ber_bvarray_free( li->rwmap.rwm_suffix_massage );
-               }
-#endif /* !ENABLE_REWRITE */
-
-               avl_free( li->rwmap.rwm_oc.remap, NULL );
-               avl_free( li->rwmap.rwm_oc.map, mapping_free );
-               avl_free( li->rwmap.rwm_at.remap, NULL );
-               avl_free( li->rwmap.rwm_at.map, mapping_free );
-               
+
                ldap_pvt_thread_mutex_unlock( &li->conn_mutex );
                ldap_pvt_thread_mutex_destroy( &li->conn_mutex );
        }
 
        ch_free( be->be_private );
+
        return 0;
 }
index 891cc7038ace2de3d6159d4ef42cf13bed2237a2..bdfbdc7d1bfcfe90e28f53bb636695e3252b28f6 100644 (file)
 
 int
 ldap_back_modify(
-    Operation  *op,
-    SlapReply  *rs )
+               Operation       *op,
+               SlapReply       *rs )
 {
-       struct ldapinfo *li = (struct ldapinfo *) op->o_bd->be_private;
-       struct ldapconn *lc;
-       LDAPMod **modv = NULL;
-       LDAPMod *mods;
-       Modifications *ml;
-       int i, j, rc;
-       struct berval mapped;
-       struct berval mdn = BER_BVNULL;
-       ber_int_t msgid;
-       dncookie dc;
-       int isupdate;
-       int do_retry = 1;
-       LDAPControl **ctrls = NULL;
-
-       lc = ldap_back_getconn(op, rs);
+       struct ldapconn *lc;
+       LDAPMod         **modv = NULL,
+                       *mods = NULL;
+       Modifications   *ml;
+       int             i, j, rc;
+       ber_int_t       msgid;
+       int             isupdate;
+       int             do_retry = 1;
+       LDAPControl     **ctrls = NULL;
+
+       lc = ldap_back_getconn( op, rs );
        if ( !lc || !ldap_back_dobind( lc, op, rs ) ) {
-               return( -1 );
-       }
-
-       /*
-        * Rewrite the modify dn, if needed
-        */
-       dc.rwmap = &li->rwmap;
-#ifdef ENABLE_REWRITE
-       dc.conn = op->o_conn;
-       dc.rs = rs;
-       dc.ctx = "modifyDN";
-#else
-       dc.tofrom = 1;
-       dc.normalized = 0;
-#endif
-       if ( ldap_back_dn_massage( &dc, &op->o_req_ndn, &mdn ) ) {
-               send_ldap_result( op, rs );
                return -1;
        }
 
-       for (i=0, ml=op->oq_modify.rs_modlist; ml; i++,ml=ml->sml_next)
-               ;
+       for ( i = 0, ml = op->oq_modify.rs_modlist; ml; i++, ml = ml->sml_next )
+               /* just count mods */ ;
 
-       mods = (LDAPMod *)ch_malloc(i*sizeof(LDAPMod));
-       if (mods == NULL) {
-               rc = LDAP_NO_MEMORY;
-               goto cleanup;
-       }
-       modv = (LDAPMod **)ch_malloc((i+1)*sizeof(LDAPMod *));
-       if (modv == NULL) {
+       modv = (LDAPMod **)ch_malloc( ( i + 1 )*sizeof( LDAPMod * )
+                       + i*sizeof( LDAPMod ) );
+       if ( modv == NULL ) {
                rc = LDAP_NO_MEMORY;
                goto cleanup;
        }
-
-#ifdef ENABLE_REWRITE
-       dc.ctx = "modifyAttrDN";
-#endif
+       mods = (LDAPMod *)&modv[ i + 1 ];
 
        isupdate = be_shadow_update( op );
-       for (i=0, ml=op->oq_modify.rs_modlist; ml; ml=ml->sml_next) {
-               int     is_oc = 0;
-
+       for ( i = 0, ml = op->oq_modify.rs_modlist; ml; ml = ml->sml_next ) {
                if ( !isupdate && ml->sml_desc->ad_type->sat_no_user_mod  ) {
                        continue;
                }
 
-               if ( ml->sml_desc == slap_schema.si_ad_objectClass 
-                               || ml->sml_desc == slap_schema.si_ad_structuralObjectClass ) {
-                       is_oc = 1;
-                       mapped = ml->sml_desc->ad_cname;
+               modv[ i ] = &mods[ i ];
+               mods[ i ].mod_op = ( ml->sml_op | LDAP_MOD_BVALUES );
+               mods[ i ].mod_type = ml->sml_desc->ad_cname.bv_val;
 
-               } else {
-                       ldap_back_map(&li->rwmap.rwm_at,
-                                       &ml->sml_desc->ad_cname,
-                                       &mapped, BACKLDAP_MAP);
-                       if (mapped.bv_val == NULL || mapped.bv_val[0] == '\0') {
+               if ( ml->sml_values != NULL ) {
+                       if ( ml->sml_values == NULL ) { 
                                continue;
                        }
-               }
-
-               modv[i] = &mods[i];
-               mods[i].mod_op = ml->sml_op | LDAP_MOD_BVALUES;
-               mods[i].mod_type = mapped.bv_val;
 
-               if ( ml->sml_values != NULL ) {
-                       if ( is_oc ) {
-                               for (j = 0; ml->sml_values[j].bv_val; j++);
-                               mods[i].mod_bvalues = (struct berval **)ch_malloc((j+1) *
-                                       sizeof(struct berval *));
-                               for (j = 0; ml->sml_values[j].bv_val; j++) {
-                                       ldap_back_map(&li->rwmap.rwm_oc,
-                                                       &ml->sml_values[j],
-                                                       &mapped, BACKLDAP_MAP);
-                                       if (mapped.bv_val == NULL || mapped.bv_val[0] == '\0') {
-                                               continue;
-                                       }
-                                       mods[i].mod_bvalues[j] = &mapped;
-                               }
-                               mods[i].mod_bvalues[j] = NULL;
-
-                       } else {
-                               if ( ml->sml_desc->ad_type->sat_syntax ==
-                                       slap_schema.si_syn_distinguishedName ) {
-                                       ldap_dnattr_rewrite( &dc, ml->sml_values );
-                               }
-
-                               if ( ml->sml_values == NULL ) { 
-                                       continue;
-                               }
-
-                               for (j = 0; ml->sml_values[j].bv_val; j++);
-                               mods[i].mod_bvalues = (struct berval **)ch_malloc((j+1) *
-                                       sizeof(struct berval *));
-                               for (j = 0; ml->sml_values[j].bv_val; j++)
-                                       mods[i].mod_bvalues[j] = &ml->sml_values[j];
-                               mods[i].mod_bvalues[j] = NULL;
+                       for ( j = 0; !BER_BVISNULL( &ml->sml_values[ j ] ); j++ )
+                               /* just count mods */ ;
+                       mods[ i ].mod_bvalues =
+                               (struct berval **)ch_malloc( ( j + 1 )*sizeof( struct berval * ) );
+                       for ( j = 0; !BER_BVISNULL( &ml->sml_values[ j ] ); j++ )
+                       {
+                               mods[ i ].mod_bvalues[ j ] = &ml->sml_values[ j ];
                        }
+                       mods[ i ].mod_bvalues[ j ] = NULL;
 
                } else {
-                       mods[i].mod_bvalues = NULL;
+                       mods[ i ].mod_bvalues = NULL;
                }
 
                i++;
        }
-       modv[i] = 0;
+       modv[ i ] = 0;
 
        ctrls = op->o_ctrls;
 #ifdef LDAP_BACK_PROXY_AUTHZ
@@ -169,29 +106,24 @@ ldap_back_modify(
 #endif /* LDAP_BACK_PROXY_AUTHZ */
 
 retry:
-       rs->sr_err = ldap_modify_ext( lc->ld, mdn.bv_val, modv,
+       rs->sr_err = ldap_modify_ext( lc->lc_ld, op->o_req_ndn.bv_val, modv,
                        ctrls, NULL, &msgid );
        rc = ldap_back_op_result( lc, op, rs, msgid, 1 );
        if ( rs->sr_err == LDAP_UNAVAILABLE && do_retry ) {
                do_retry = 0;
-               if ( ldap_back_retry (lc, op, rs )) goto retry;
+               if ( ldap_back_retry(lc, op, rs ) ) {
+                       goto retry;
+               }
        }
 
 cleanup:;
 #ifdef LDAP_BACK_PROXY_AUTHZ
-       if ( ctrls && ctrls != op->o_ctrls ) {
-               free( ctrls[ 0 ] );
-               free( ctrls );
-       }
+       (void)ldap_back_proxy_authz_ctrl_free( op, &ctrls );
 #endif /* LDAP_BACK_PROXY_AUTHZ */
 
-       if ( mdn.bv_val != op->o_req_ndn.bv_val ) {
-               free( mdn.bv_val );
-       }
-       for (i=0; modv[i]; i++) {
-               ch_free(modv[i]->mod_bvalues);
+       for ( i = 0; modv[ i ]; i++ ) {
+               ch_free( modv[ i ]->mod_bvalues );
        }
-       ch_free( mods );
        ch_free( modv );
 
        return rc;
index 604325a54212244f3bd6bc98723ce6810cc17084..35a8125b7b6d33d1fce8a253ee09e6ec0efe8825 100644 (file)
 
 int
 ldap_back_modrdn(
-    Operation  *op,
-    SlapReply  *rs )
+               Operation       *op,
+               SlapReply       *rs )
 {
-       struct ldapinfo *li = (struct ldapinfo *) op->o_bd->be_private;
        struct ldapconn *lc;
-       ber_int_t msgid;
-       dncookie dc;
-       LDAPControl **ctrls = NULL;
-       int do_retry = 1;
-       int rc = LDAP_SUCCESS;
-
-       struct berval mdn = BER_BVNULL, mnewSuperior = BER_BVNULL;
+       ber_int_t       msgid;
+       LDAPControl     **ctrls = NULL;
+       int             do_retry = 1;
+       int             rc = LDAP_SUCCESS;
+       char            *newSup = NULL;
 
        lc = ldap_back_getconn( op, rs );
-       if ( !lc || !ldap_back_dobind(lc, op, rs) ) {
+       if ( !lc || !ldap_back_dobind( lc, op, rs ) ) {
                return( -1 );
        }
 
-       dc.rwmap = &li->rwmap;
-#ifdef ENABLE_REWRITE
-       dc.conn = op->o_conn;
-       dc.rs = rs;
-#else
-       dc.tofrom = 1;
-       dc.normalized = 0;
-#endif
-       if (op->orr_newSup) {
-               int version = LDAP_VERSION3;
-               ldap_set_option( lc->ld, LDAP_OPT_PROTOCOL_VERSION, &version);
+       if ( op->orr_newSup ) {
+               int     version = LDAP_VERSION3;
                
-               /*
-                * Rewrite the new superior, if defined and required
-                */
-#ifdef ENABLE_REWRITE
-               dc.ctx = "newSuperiorDN";
-#endif
-               if ( ldap_back_dn_massage( &dc, op->orr_newSup,
-                       &mnewSuperior ) ) {
-                       send_ldap_result( op, rs );
-                       return -1;
-               }
-       }
-
-       /*
-        * Rewrite the modrdn dn, if required
-        */
-#ifdef ENABLE_REWRITE
-       dc.ctx = "modrDN";
-#endif
-       if ( ldap_back_dn_massage( &dc, &op->o_req_ndn, &mdn ) ) {
-               send_ldap_result( op, rs );
-               return -1;
+               ldap_set_option( lc->lc_ld, LDAP_OPT_PROTOCOL_VERSION, &version );
+               newSup = op->orr_newSup->bv_val;
        }
 
        ctrls = op->o_ctrls;
@@ -98,33 +66,22 @@ ldap_back_modrdn(
 #endif /* LDAP_BACK_PROXY_AUTHZ */
 
 retry:
-       rs->sr_err = ldap_rename( lc->ld, mdn.bv_val,
-                       op->orr_newrdn.bv_val, mnewSuperior.bv_val,
-                       op->orr_deleteoldrdn,
-                       ctrls,
-                       NULL, &msgid );
+       rs->sr_err = ldap_rename( lc->lc_ld, op->o_req_ndn.bv_val,
+                       op->orr_newrdn.bv_val, newSup,
+                       op->orr_deleteoldrdn, ctrls, NULL, &msgid );
        rc = ldap_back_op_result( lc, op, rs, msgid, 1 );
        if ( rs->sr_err == LDAP_SERVER_DOWN && do_retry ) {
                do_retry = 0;
-               if ( ldap_back_retry (lc, op, rs )) goto retry;
+               if ( ldap_back_retry( lc, op, rs ) ) {
+                       goto retry;
+               }
        }
 
-#ifdef LDAP_BACK_PROXY_AUTHZ
 cleanup:
-       if ( ctrls && ctrls != op->o_ctrls ) {
-               free( ctrls[ 0 ] );
-               free( ctrls );
-       }
+#ifdef LDAP_BACK_PROXY_AUTHZ
+       (void)ldap_back_proxy_authz_ctrl_free( op, &ctrls );
 #endif /* LDAP_BACK_PROXY_AUTHZ */
 
-       if ( mdn.bv_val != op->o_req_ndn.bv_val ) {
-               free( mdn.bv_val );
-       }
-       if ( mnewSuperior.bv_val != NULL
-               && mnewSuperior.bv_val != op->oq_modrdn.rs_newSup->bv_val ) {
-               free( mnewSuperior.bv_val );
-       }
-
        return rc;
 }
 
index b071217c0d1f4749cfb3e9d1eb2465ad5451786f..408fb61a2d68a539b731f39616dc7a91efdcb88c 100644 (file)
@@ -43,27 +43,26 @@ ldap_build_entry( Operation *op, LDAPMessage *e, Entry *ent,
 
 int
 ldap_back_search(
-    Operation  *op,
-    SlapReply *rs )
+               Operation       *op,
+               SlapReply       *rs )
 {
-       struct ldapinfo *li = (struct ldapinfo *) op->o_bd->be_private;
        struct ldapconn *lc;
        struct timeval  tv;
-       LDAPMessage             *res, *e;
-       int     rc = 0, msgid; 
-       struct berval match = BER_BVNULL;
-       char **mapped_attrs = NULL;
-       struct berval mbase;
-       struct berval mfilter = BER_BVNULL;
-       int dontfreetext = 0;
-       int freeconn = 0;
-       int do_retry = 1;
-       dncookie dc;
-       LDAPControl **ctrls = NULL;
-
-       lc = ldap_back_getconn(op, rs);
+       LDAPMessage     *res,
+                       *e;
+       int             rc = 0,
+                       msgid; 
+       struct berval   match = BER_BVNULL;
+       int             i;
+       char            **attrs = NULL;
+       int             dontfreetext = 0;
+       int             freeconn = 0;
+       int             do_retry = 1;
+       LDAPControl     **ctrls = NULL;
+
+       lc = ldap_back_getconn( op, rs );
        if ( !lc ) {
-               return( -1 );
+               return -1;
        }
 
        /*
@@ -71,12 +70,13 @@ ldap_back_search(
         * to map attrs and maybe rewrite value
         */
        if ( !ldap_back_dobind( lc, op, rs ) ) {
-               return( -1 );
+               return -1;
        }
 
        /* should we check return values? */
        if ( op->ors_deref != -1 ) {
-               ldap_set_option( lc->ld, LDAP_OPT_DEREF, (void *)&op->ors_deref );
+               ldap_set_option( lc->lc_ld, LDAP_OPT_DEREF,
+                               (void *)&op->ors_deref );
        }
 
        if ( op->ors_tlimit != SLAP_NO_LIMIT ) {
@@ -87,50 +87,21 @@ ldap_back_search(
                tv.tv_sec = 0;
        }
 
-       /*
-        * Rewrite the search base, if required
-        */
-       dc.rwmap = &li->rwmap;
-#ifdef ENABLE_REWRITE
-       dc.conn = op->o_conn;
-       dc.rs = rs;
-       dc.ctx = "searchBase";
-#else
-       dc.tofrom = 1;
-       dc.normalized = 0;
-#endif
-       if ( ldap_back_dn_massage( &dc, &op->o_req_ndn, &mbase ) ) {
-               send_ldap_result( op, rs );
-               return -1;
-       }
-
-       rc = ldap_back_filter_map_rewrite( &dc, op->ors_filter,
-                       &mfilter, BACKLDAP_MAP );
-
-       switch ( rc ) {
-       case LDAP_SUCCESS:
-               break;
+       if ( op->ors_attrs ) {
+               for ( i = 0; !BER_BVISNULL( &op->ors_attrs[i].an_name ); i++ )
+                       /* just count attrs */ ;
 
-       case LDAP_COMPARE_FALSE:
-               rs->sr_err = LDAP_SUCCESS;
-               rs->sr_text = NULL;
-               rc = 0;
-               goto finish;
-
-       default:
-               rs->sr_err = LDAP_OTHER;
-               rs->sr_text = "Rewrite error";
-               dontfreetext = 1;
-               rc = -1;
-               goto finish;
-       }
-
-       rs->sr_err = ldap_back_map_attrs( &li->rwmap.rwm_at,
-                       op->ors_attrs,
-                       BACKLDAP_MAP, &mapped_attrs );
-       if ( rs->sr_err != LDAP_SUCCESS ) {
-               rc = -1;
-               goto finish;
+               attrs = ch_malloc( ( i + 1 )*sizeof( char * ) );
+               if ( attrs == NULL ) {
+                       rs->sr_err = LDAP_NO_MEMORY;
+                       rc = -1;
+                       goto finish;
+               }
+       
+               for ( i = 0; !BER_BVISNULL( &op->ors_attrs[i].an_name ); i++ ) {
+                       attrs[ i ] = op->ors_attrs[i].an_name.bv_val;
+               }
+               attrs[ i ] = NULL;
        }
 
        ctrls = op->o_ctrls;
@@ -143,12 +114,11 @@ ldap_back_search(
 #endif /* LDAP_BACK_PROXY_AUTHZ */
        
 retry:
-       rs->sr_err = ldap_search_ext( lc->ld, mbase.bv_val,
-                       op->ors_scope, mfilter.bv_val,
-                       mapped_attrs, op->ors_attrsonly,
-                       ctrls, NULL,
-                       tv.tv_sec ? &tv : NULL, op->ors_slimit,
-                       &msgid );
+       rs->sr_err = ldap_search_ext( lc->lc_ld, op->o_req_ndn.bv_val,
+                       op->ors_scope, op->ors_filterstr.bv_val,
+                       attrs, op->ors_attrsonly, ctrls, NULL,
+                       tv.tv_sec ? &tv : NULL,
+                       op->ors_slimit, &msgid );
 
        if ( rs->sr_err != LDAP_SUCCESS ) {
 fail:;
@@ -165,11 +135,11 @@ fail:;
         * but this is necessary for version matching, and for ACL processing.
         */
 
-       for ( rc = 0; rc != -1; rc = ldap_result( lc->ld, msgid, 0, &tv, &res ) )
+       for ( rc = 0; rc != -1; rc = ldap_result( lc->lc_ld, msgid, 0, &tv, &res ) )
        {
                /* check for abandon */
                if ( op->o_abandon ) {
-                       ldap_abandon( lc->ld, msgid );
+                       ldap_abandon_ext( lc->lc_ld, msgid, NULL, NULL );
                        rc = 0;
                        goto finish;
                }
@@ -180,12 +150,13 @@ fail:;
                        ldap_pvt_thread_yield();
 
                } else if ( rc == LDAP_RES_SEARCH_ENTRY ) {
-                       Entry ent = {0};
-                       struct berval bdn;
-                       int abort = 0;
+                       Entry           ent = {0};
+                       struct berval   bdn;
+                       int             abort = 0;
+
                        do_retry = 0;
 
-                       e = ldap_first_entry( lc->ld, res );
+                       e = ldap_first_entry( lc->lc_ld, res );
                        rc = ldap_build_entry( op, e, &ent, &bdn,
                                        LDAP_BUILD_ENTRY_PRIVATE );
                       if ( rc == LDAP_SUCCESS ) {
@@ -194,31 +165,33 @@ fail:;
                                rs->sr_operational_attrs = NULL;
                                rs->sr_flags = 0;
                                abort = send_search_entry( op, rs );
-                               while (ent.e_attrs) {
-                                       Attribute *a;
-                                       BerVarray v;
+                               while ( ent.e_attrs ) {
+                                       Attribute       *a;
+                                       BerVarray       v;
 
                                        a = ent.e_attrs;
                                        ent.e_attrs = a->a_next;
 
                                        v = a->a_vals;
                                        if ( a->a_vals != &slap_dummy_bv ) {
-                                               ber_bvarray_free(a->a_vals);
+                                               ber_bvarray_free( a->a_vals );
                                        }
                                        if ( a->a_nvals != v ) {
-                                               ber_bvarray_free(a->a_nvals);
+                                               ber_bvarray_free( a->a_nvals );
                                        }
-                                       ch_free(a);
+                                       ch_free( a );
                                }
                                
-                               if ( ent.e_dn && ( ent.e_dn != bdn.bv_val ) )
+                               if ( ent.e_dn && ( ent.e_dn != bdn.bv_val ) ) {
                                        free( ent.e_dn );
-                               if ( ent.e_ndn )
+                               }
+                               if ( ent.e_ndn ) {
                                        free( ent.e_ndn );
+                               }
                        }
                        ldap_msgfree( res );
                        if ( abort ) {
-                               ldap_abandon( lc->ld, msgid );
+                               ldap_abandon_ext( lc->lc_ld, msgid, NULL, NULL );
                                goto finish;
                        }
 
@@ -227,7 +200,7 @@ fail:;
                        int             cnt;
 
                        do_retry = 0;
-                       rc = ldap_parse_reference( lc->ld, res,
+                       rc = ldap_parse_reference( lc->lc_ld, res,
                                        &references, &rs->sr_ctrls, 1 );
 
                        if ( rc != LDAP_SUCCESS ) {
@@ -263,7 +236,7 @@ fail:;
                        }
 
                } else {
-                       rc = ldap_parse_result( lc->ld, res, &rs->sr_err,
+                       rc = ldap_parse_result( lc->lc_ld, res, &rs->sr_err,
                                        &match.bv_val, (char **)&rs->sr_text,
                                        NULL, &rs->sr_ctrls, 1 );
                        if (rc != LDAP_SUCCESS ) {
@@ -278,8 +251,9 @@ fail:;
        if ( rc == -1 ) {
                if ( do_retry ) {
                        do_retry = 0;
-                       if ( ldap_back_retry( lc, op, rs ))
+                       if ( ldap_back_retry( lc, op, rs ) ) {
                                goto retry;
+                       }
                }
                /* FIXME: invalidate the connection? */
                rs->sr_err = LDAP_SERVER_DOWN;
@@ -290,18 +264,8 @@ fail:;
        /*
         * Rewrite the matched portion of the search base, if required
         */
-       if ( match.bv_val && *match.bv_val ) {
-               struct berval mdn;
-
-#ifdef ENABLE_REWRITE
-               dc.ctx = "matchedDN";
-#else
-               dc.tofrom = 0;
-               dc.normalized = 0;
-#endif
-               match.bv_len = strlen( match.bv_val );
-               ldap_back_dn_massage( &dc, &match, &mdn );
-               rs->sr_matched = mdn.bv_val;
+       if ( !BER_BVISNULL( &match ) && !BER_BVISEMPTY( &match ) ) {
+               rs->sr_matched = match.bv_val;
        }
        if ( rs->sr_v2ref ) {
                rs->sr_err = LDAP_REFERRAL;
@@ -311,10 +275,7 @@ finish:;
        send_ldap_result( op, rs );
 
 #ifdef LDAP_BACK_PROXY_AUTHZ
-       if ( ctrls && ctrls != op->o_ctrls ) {
-               free( ctrls[ 0 ] );
-               free( ctrls );
-       }
+       (void)ldap_back_proxy_authz_ctrl_free( op, &ctrls );
 #endif /* LDAP_BACK_PROXY_AUTHZ */
 
        if ( rs->sr_ctrls ) {
@@ -323,9 +284,6 @@ finish:;
        }
 
        if ( match.bv_val ) {
-               if ( rs->sr_matched != match.bv_val ) {
-                       free( (char *)rs->sr_matched );
-               }
                rs->sr_matched = NULL;
                LDAP_FREE( match.bv_val );
        }
@@ -335,62 +293,36 @@ finish:;
                }
                rs->sr_text = NULL;
        }
-       if ( mapped_attrs ) {
-               ch_free( mapped_attrs );
-       }
-       if ( mfilter.bv_val != op->ors_filterstr.bv_val ) {
-               ch_free( mfilter.bv_val );
+       if ( attrs ) {
+               ch_free( attrs );
        }
-       if ( mbase.bv_val != op->o_req_ndn.bv_val ) {
-               free( mbase.bv_val );
-       }
-       
+
        return rc;
 }
 
 static int
 ldap_build_entry(
-       Operation *op,
-       LDAPMessage *e,
-       Entry *ent,
-       struct berval *bdn,
-       int flags
-)
+               Operation       *op,
+               LDAPMessage     *e,
+               Entry           *ent,
+               struct berval   *bdn,
+               int             flags )
 {
-       struct ldapinfo *li = (struct ldapinfo *) op->o_bd->be_private;
-       struct berval a, mapped;
-       BerElement ber = *e->lm_ber;
-       Attribute *attr, **attrp;
-       struct berval *bv;
-       const char *text;
-       int last;
-       int private = flags & LDAP_BUILD_ENTRY_PRIVATE;
-       dncookie dc;
+       struct berval   a;
+       BerElement      ber = *e->lm_ber;
+       Attribute       *attr, **attrp;
+       const char      *text;
+       int             last;
+       int             private = flags & LDAP_BUILD_ENTRY_PRIVATE;
 
        /* safe assumptions ... */
        assert( ent );
-       ent->e_bv.bv_val = NULL;
+       BER_BVZERO( &ent->e_bv );
 
        if ( ber_scanf( &ber, "{m{", bdn ) == LBER_ERROR ) {
                return LDAP_DECODING_ERROR;
        }
 
-       /*
-        * Rewrite the dn of the result, if needed
-        */
-       dc.rwmap = &li->rwmap;
-#ifdef ENABLE_REWRITE
-       dc.conn = op->o_conn;
-       dc.rs = NULL;
-       dc.ctx = "searchResult";
-#else
-       dc.tofrom = 0;
-       dc.normalized = 0;
-#endif
-       if ( ldap_back_dn_massage( &dc, bdn, &ent->e_name ) ) {
-               return LDAP_OTHER;
-       }
-
        /*
         * Note: this may fail if the target host(s) schema differs
         * from the one known to the meta, and a DN with unknown
@@ -401,7 +333,7 @@ ldap_build_entry(
        /* Note: if the distinguished values or the naming attributes
         * change, should we massage them as well?
         */
-       if ( dnNormalize( 0, NULL, NULL, &ent->e_name, &ent->e_nname,
+       if ( dnPrettyNormal( NULL, bdn, &ent->e_name, &ent->e_nname,
                op->o_tmpmemctx ) != LDAP_SUCCESS )
        {
                return LDAP_INVALID_DN_SYNTAX;
@@ -409,29 +341,27 @@ ldap_build_entry(
 
        attrp = &ent->e_attrs;
 
-#ifdef ENABLE_REWRITE
-       dc.ctx = "searchAttrDN";
-#endif
        while ( ber_scanf( &ber, "{m", &a ) != LBER_ERROR ) {
                int                             i;
                slap_syntax_validate_func       *validate;
                slap_syntax_transform_func      *pretty;
 
-               ldap_back_map( &li->rwmap.rwm_at, &a, &mapped, BACKLDAP_REMAP );
-               if ( BER_BVISNULL( &mapped ) || BER_BVISEMPTY( &mapped ) )
-                       continue;
                attr = (Attribute *)ch_malloc( sizeof( Attribute ) );
-               if ( attr == NULL )
+               if ( attr == NULL ) {
                        continue;
+               }
                attr->a_flags = 0;
                attr->a_next = 0;
                attr->a_desc = NULL;
-               if ( slap_bv2ad( &mapped, &attr->a_desc, &text ) != LDAP_SUCCESS ) {
-                       if ( slap_bv2undef_ad( &mapped, &attr->a_desc, &text ) 
+               if ( slap_bv2ad( &a, &attr->a_desc, &text ) 
+                               != LDAP_SUCCESS )
+               {
+                       if ( slap_bv2undef_ad( &a, &attr->a_desc, &text ) 
                                        != LDAP_SUCCESS )
                        {
                                Debug( LDAP_DEBUG_ANY, 
-                                       "slap_bv2undef_ad(%s):  %s\n", mapped.bv_val, text, 0 );
+                                       "slap_bv2undef_ad(%s):  %s\n",
+                                       a.bv_val, text, 0 );
                                ch_free( attr );
                                continue;
                        }
@@ -449,7 +379,7 @@ ldap_build_entry(
                         */
                        ( void )ber_scanf( &ber, "x" /* [W] */ );
 
-                       ch_free(attr);
+                       ch_free( attr );
                        continue;
                }
                
@@ -461,60 +391,17 @@ ldap_build_entry(
                         * values result filter
                         */
                        if ( private ) {
-                               attr->a_vals = &slap_dummy_bv;
+                               attr->a_vals = (struct berval *)&slap_dummy_bv;
+                               
                        } else {
                                attr->a_vals = ch_malloc( sizeof( struct berval ) );
-                               BER_BVZERO( &attr->a_vals[0] );
+                               BER_BVZERO( &attr->a_vals[ 0 ] );
                        }
                        last = 0;
 
                } else {
-                       for ( last = 0; !BER_BVISNULL( &attr->a_vals[last] ); last++ );
-               }
-
-               if ( last == 0 ) {
-                       /* empty */
-               } else if ( attr->a_desc == slap_schema.si_ad_objectClass
-                               || attr->a_desc == slap_schema.si_ad_structuralObjectClass )
-               {
-                       for ( bv = attr->a_vals; !BER_BVISNULL( bv ); bv++ ) {
-                               ldap_back_map( &li->rwmap.rwm_oc, bv, &mapped,
-                                               BACKLDAP_REMAP );
-                               if ( BER_BVISNULL( &mapped ) || BER_BVISEMPTY( &mapped ) ) {
-                                       LBER_FREE( bv->bv_val );
-                                       BER_BVZERO( bv );
-                                       if (--last < 0)
-                                               break;
-                                       *bv = attr->a_vals[last];
-                                       BER_BVZERO( &attr->a_vals[last] );
-                                       bv--;
-
-                               } else if ( mapped.bv_val != bv->bv_val ) {
-                                       /*
-                                        * FIXME: after LBER_FREEing
-                                        * the value is replaced by
-                                        * ch_alloc'ed memory
-                                        */
-                                       LBER_FREE( bv->bv_val );
-                                       ber_dupbv( bv, &mapped );
-                               }
-                       }
-
-               /*
-                * It is necessary to try to rewrite attributes with
-                * dn syntax because they might be used in ACLs as
-                * members of groups; since ACLs are applied to the
-                * rewritten stuff, no dn-based subject clause could
-                * be used at the ldap backend side (see
-                * http://www.OpenLDAP.org/faq/data/cache/452.html)
-                * The problem can be overcome by moving the dn-based
-                * ACLs to the target directory server, and letting
-                * everything pass thru the ldap backend.
-                */
-               } else if ( attr->a_desc->ad_type->sat_syntax ==
-                               slap_schema.si_syn_distinguishedName )
-               {
-                       ldap_dnattr_result_rewrite( &dc, attr->a_vals );
+                       for ( last = 0; !BER_BVISNULL( &attr->a_vals[ last ] ); last++ )
+                               /* just count vals */ ;
                }
 
                validate = attr->a_desc->ad_type->sat_syntax->ssyn_validate;
@@ -585,10 +472,6 @@ ldap_build_entry(
 next_attr:;
        }
 
-       /* make sure it's free'able */
-       if ( !private && ent->e_name.bv_val == bdn->bv_val ) {
-               ber_dupbv( &ent->e_name, bdn );
-       }
        return LDAP_SUCCESS;
 }
 
@@ -596,33 +479,33 @@ next_attr:;
  */
 int
 ldap_back_entry_get(
-       Operation *op,
-       struct berval   *ndn,
-       ObjectClass *oc,
-       AttributeDescription *at,
-       int rw,
-       Entry **ent
+               Operation               *op,
+               struct berval           *ndn,
+               ObjectClass             *oc,
+               AttributeDescription    *at,
+               int                     rw,
+               Entry                   **ent
 )
 {
-       struct ldapinfo *li = (struct ldapinfo *) op->o_bd->be_private;    
        struct ldapconn *lc;
-       int rc = 1, is_oc;
-       struct berval mapped = BER_BVNULL, bdn, mdn;
-       LDAPMessage     *result = NULL, *e = NULL;
-       char *gattr[3];
-       char *filter = NULL;
-       Connection *oconn;
-       SlapReply rs;
-       dncookie dc;
-       int do_retry = 1;
+       int             rc = 1,
+                       is_oc;
+       struct berval   bdn;
+       LDAPMessage     *result = NULL,
+                       *e = NULL;
+       char            *gattr[3];
+       char            *filter = NULL;
+       Connection      *oconn;
+       SlapReply       rs;
+       int             do_retry = 1;
 
        /* Tell getconn this is a privileged op */
        is_oc = op->o_do_not_cache;
        op->o_do_not_cache = 1;
-       lc = ldap_back_getconn(op, &rs);
+       lc = ldap_back_getconn( op, &rs );
        oconn = op->o_conn;
        op->o_conn = NULL;
-       if ( !lc || !ldap_back_dobind(lc, op, &rs) ) {
+       if ( !lc || !ldap_back_dobind( lc, op, &rs ) ) {
                op->o_do_not_cache = is_oc;
                op->o_conn = oconn;
                return 1;
@@ -630,66 +513,45 @@ ldap_back_entry_get(
        op->o_do_not_cache = is_oc;
        op->o_conn = oconn;
 
-       /*
-        * Rewrite the search base, if required
-        */
-       dc.rwmap = &li->rwmap;
-#ifdef ENABLE_REWRITE
-       dc.conn = op->o_conn;
-       dc.rs = &rs;
-       dc.ctx = "searchBase";
-#else
-       dc.tofrom = 1;
-       dc.normalized = 1;
-#endif
-       if ( ldap_back_dn_massage( &dc, ndn, &mdn ) ) {
-               return 1;
-       }
-
        if ( at ) {
-               ldap_back_map(&li->rwmap.rwm_at, &at->ad_cname, &mapped, BACKLDAP_MAP);
-               if ( BER_BVISNULL( &mapped ) || BER_BVISEMPTY( &mapped ) ) {
-                       rc = 1;
-                       goto cleanup;
-               }
-               is_oc = ( strcasecmp( "objectclass", mapped.bv_val ) == 0 );
+               is_oc = ( strcasecmp( "objectclass", at->ad_cname.bv_val ) == 0 );
                if ( oc && !is_oc ) {
                        gattr[0] = "objectclass";
-                       gattr[1] = mapped.bv_val;
+                       gattr[1] = at->ad_cname.bv_val;
                        gattr[2] = NULL;
 
                } else {
-                       gattr[0] = mapped.bv_val;
+                       gattr[0] = at->ad_cname.bv_val;
                        gattr[1] = NULL;
                }
        }
 
-       if (oc) {
-               char *ptr;
-               ldap_back_map(&li->rwmap.rwm_oc, &oc->soc_cname, &mapped,
-                                               BACKLDAP_MAP);
-               filter = ch_malloc( STRLENOF( "(objectclass=)" ) + mapped.bv_len + 1 );
+       if ( oc ) {
+               char    *ptr;
+
+               filter = ch_malloc( STRLENOF( "(objectclass=)" ) 
+                               + oc->soc_cname.bv_len + 1 );
                ptr = lutil_strcopy( filter, "(objectclass=" );
-               ptr = lutil_strcopy( ptr, mapped.bv_val );
+               ptr = lutil_strcopy( ptr, oc->soc_cname.bv_val );
                *ptr++ = ')';
                *ptr++ = '\0';
        }
 
 retry:
-       rc = ldap_search_ext_s( lc->ld, mdn.bv_val, LDAP_SCOPE_BASE, filter,
+       rc = ldap_search_ext_s( lc->lc_ld, ndn->bv_val, LDAP_SCOPE_BASE, filter,
                                gattr, 0, NULL, NULL, LDAP_NO_LIMIT,
-                               LDAP_NO_LIMIT, &result);
-       if ( rc != LDAP_SUCCESS )
-       {
+                               LDAP_NO_LIMIT, &result );
+       if ( rc != LDAP_SUCCESS ) {
                if ( rc == LDAP_SERVER_DOWN && do_retry ) {
                        do_retry = 0;
-                               if ( ldap_back_retry( lc, op, &rs ))
-                                       goto retry;
+                       if ( ldap_back_retry( lc, op, &rs ) ) {
+                               goto retry;
+                       }
                }
                goto cleanup;
        }
 
-       e = ldap_first_entry( lc->ld, result );
+       e = ldap_first_entry( lc->lc_ld, result );
        if ( e == NULL ) {
                goto cleanup;
        }
@@ -712,10 +574,6 @@ cleanup:
                ch_free( filter );
        }
 
-       if ( mdn.bv_val != ndn->bv_val ) {
-               ch_free( mdn.bv_val );
-       }
-
        return rc;
 }
 
index 8217ce6ef66908ecb6ccf4ff5722ff06fe9d368b..dbed6f577b65410b1bb173477adbd69f8c14d2fc 100644 (file)
@@ -33,8 +33,8 @@
 
 int
 ldap_back_conn_destroy(
-    Backend            *be,
-    Connection         *conn
+               Backend         *be,
+               Connection      *conn
 )
 {
        struct ldapinfo *li = (struct ldapinfo *) be->be_private;
@@ -44,24 +44,17 @@ ldap_back_conn_destroy(
                "=>ldap_back_conn_destroy: fetching conn %ld\n",
                conn->c_connid, 0, 0 );
 
-       lc_curr.conn = conn;
-       lc_curr.local_dn = conn->c_ndn;
+       lc_curr.lc_conn = conn;
+       lc_curr.lc_local_ndn = conn->c_ndn;
        
        ldap_pvt_thread_mutex_lock( &li->conn_mutex );
        lc = avl_delete( &li->conntree, (caddr_t)&lc_curr, ldap_back_conn_cmp );
        ldap_pvt_thread_mutex_unlock( &li->conn_mutex );
 
-#ifdef ENABLE_REWRITE
-       /*
-        * Cleanup rewrite session
-        */
-       rewrite_session_delete( li->rwmap.rwm_rw, conn );
-#endif /* ENABLE_REWRITE */
-
-       if (lc) {
+       if ( lc ) {
                Debug( LDAP_DEBUG_TRACE,
                        "=>ldap_back_conn_destroy: destroying conn %ld\n",
-                       lc->conn->c_connid, 0, 0 );
+                       lc->lc_conn->c_connid, 0, 0 );
 
                /*
                 * Needs a test because the handler may be corrupted,