From: Pierangelo Masarati Date: Sat, 25 Jun 2005 15:13:44 +0000 (+0000) Subject: add "onerr" flag X-Git-Tag: OPENLDAP_AC_BP~500 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=297c7933b1a53e11bea131afde8665ff177c4647;p=openldap add "onerr" flag --- diff --git a/doc/man/man5/slapd-meta.5 b/doc/man/man5/slapd-meta.5 index 3670ca7352..83b0817e38 100644 --- a/doc/man/man5/slapd-meta.5 +++ b/doc/man/man5/slapd-meta.5 @@ -76,6 +76,7 @@ All the configuration directives that are not specific to targets should be defined first for clarity, including those that are common to all backends. They are: + .TP .B default-target none This directive forces the backend to reject all those operations @@ -87,6 +88,7 @@ matches an attempt is made to perform the operation on any candidate target, with the constraint that at most one must succeed. This directive can also be used when processing targets to mark a specific target as default. + .TP .B dncache-ttl {forever|disabled|} This directive sets the time-to-live of the DN cache. @@ -94,6 +96,7 @@ This caches the target that holds a given DN to speed up target selection in case multiple targets would result from an uncached search; forever means cache never expires; disabled means no DN caching; otherwise a valid ( > 0 ) ttl in seconds is required. + .TP .B nretries {forever|never|} This directive defines how many times a bind should be retried @@ -104,6 +107,7 @@ the global value can be overridden by redefinitions inside each target specification. .SH TARGET SPECIFICATION Target specification starts with a "uri" directive: + .TP .B uri ://[[:]]/ The "server" directive that was allowed in the LDAP backend (although @@ -135,6 +139,7 @@ URL-encoded s), and the additional URIs must have no part. This causes the underlying library to contact the first server of the list that responds. .RE + .TP .B default-target [] The "default-target" directive can also be used during target specification. @@ -142,6 +147,7 @@ With no arguments it marks the current target as the default. The optional number marks target as the default one, starting from 1. Target must be defined. + .TP .B acl-authcDN "" DN which is used to query the target server for acl checking, @@ -151,33 +157,72 @@ There is no risk of giving away such values; they are only used to check permissions. .B The acl-authcDN identity is by no means implicitly used by the proxy .B when the client connects anonymously. + .TP .B acl-passwd Password used with the .B acl-authcDN above. + .TP -.B rebind-as-user +.B rebind-as-user {NO|yes} If this option is given, the client's bind credentials are remembered for rebinds when chasing referrals. + +.TP +.B chase-referrals {YES|no} +enable/disable automatic referral chasing, which is delegated to the +underlying libldap, with rebinding eventually performed if the +\fBrebind-as-user\fP directive is used. The default is to chase referrals. + +.TP +.B tls {[try-]start|[try-]propagate} +execute the start TLS extended operation when the connection is initialized; +only works if the URI directive protocol scheme is not \fBldaps://\fP. +\fBpropagate\fP issues the Start TLS exop only if the original +connection did. +The \fBtry-\fP prefix instructs the proxy to continue operations +if start TLS failed; its use is highly deprecated. + +.TP +.B t-f-support {NO|yes|discover} +enable if the remote server supports absolute filters +(see \fIdraft-zeilenga-ldap-t-f\fP for details). +If set to +.BR discover , +support is detected by reading the remote server's rootDSE. + +.TP +.B onerr {CONTINUE|stop} +This directive allows to select the behavior in case an error is returned +by one targe during a search. +The default, \fBcontinue\fP, consists in continuing the operation, +trying to return as much data as possible. +If this statement is set to \fBstop\fP, the search is terminated as soon +as an error is returned by one target, and the error is immediately +propagated to the client. + .TP .B pseudorootdn "" This directive, if present, sets the DN that will be substituted to the bind DN if a bind with the backend's "rootdn" succeeds. The true "rootdn" of the target server ought not be used; an arbitrary administrative DN should used instead. + .TP .B pseudorootpw "" This directive sets the credential that will be used in case a bind with the backend's "rootdn" succeeds, and the bind is propagated to the target using the "pseudorootdn" DN. -.LP + Note: cleartext credentials must be supplied here; as a consequence, using the pseudorootdn/pseudorootpw directives is inherently unsafe. + .TP .B rewrite* ... The rewrite options are described in the "REWRITING" section. + .TP .B suffixmassage "" "" All the directives starting with "rewrite" refer to the rewrite engine @@ -196,6 +241,7 @@ on (case insensitive) DNs instead of normalized DNs, so "dc=foo, dc=com" would not match "dc=foo,dc=com". .LP See the "REWRITING" section. + .TP .B map "{attribute|objectclass} [|*] {|*}" This maps object classes and attributes as in the LDAP backend. diff --git a/servers/slapd/back-meta/back-meta.h b/servers/slapd/back-meta/back-meta.h index 882a38d747..ccc91fbefb 100644 --- a/servers/slapd/back-meta/back-meta.h +++ b/servers/slapd/back-meta/back-meta.h @@ -243,16 +243,10 @@ typedef struct metainfo_t { Avlnode *mi_conntree; unsigned flags; -#if 0 -/* defined in */ -#define LDAP_BACK_F_NONE 0x00U -#define LDAP_BACK_F_SAVECRED 0x01U -#define LDAP_BACK_F_USE_TLS 0x02U -#define LDAP_BACK_F_PROPAGATE_TLS 0x04U -#define LDAP_BACK_F_TLS_CRITICAL 0x08U -#define LDAP_BACK_F_TLS_MASK (LDAP_BACK_F_USE_TLS|LDAP_BACK_F_PROPAGATE_TLS|LDAP_BACK_F_TLS_CRITICAL) -#define LDAP_BACK_F_CHASE_REFERRALS 0x10U -#endif +/* uses flags as defined in */ +#define META_BACK_F_ONERR_STOP 0x00010000U +#define META_BACK_ONERR_STOP(mi) ( (mi)->flags & META_BACK_F_ONERR_STOP ) +#define META_BACK_ONERR_CONTINUE(mi) ( !META_BACK_ONERR_CONTINUE( (mi) ) ) int mi_version; } metainfo_t; diff --git a/servers/slapd/back-meta/config.c b/servers/slapd/back-meta/config.c index 8457cf8510..62fcd5f071 100644 --- a/servers/slapd/back-meta/config.c +++ b/servers/slapd/back-meta/config.c @@ -351,14 +351,33 @@ meta_back_db_config( /* save bind creds for referral rebinds? */ } else if ( strcasecmp( argv[ 0 ], "rebind-as-user" ) == 0 ) { - if (argc != 1) { + if ( argc > 2 ) { fprintf( stderr, - "%s: line %d: rebind-as-user takes no arguments\n", + "%s: line %d: \"rebind-as-user {NO|yes}\" takes 1 argument.\n", fname, lineno ); return( 1 ); } - mi->flags |= LDAP_BACK_F_SAVECRED; + if ( argc == 1 ) { + fprintf( stderr, + "%s: line %d: deprecated use of \"rebind-as-user {NO|yes}\" with no arguments.\n", + fname, lineno ); + mi->flags |= LDAP_BACK_F_SAVECRED; + + } else { + if ( strcasecmp( argv[ 1 ], "no" ) == 0 ) { + mi->flags &= ~LDAP_BACK_F_SAVECRED; + + } else if ( strcasecmp( argv[ 1 ], "yes" ) == 0 ) { + mi->flags |= LDAP_BACK_F_SAVECRED; + + } else { + fprintf( stderr, + "%s: line %d: \"rebind-as-user {NO|yes}\" unknown argument \"%s\".\n", + fname, lineno, argv[ 1 ] ); + return 1; + } + } } else if ( strcasecmp( argv[ 0 ], "chase-referrals" ) == 0 ) { unsigned *flagsp = mi->mi_ntargets ? @@ -381,7 +400,7 @@ meta_back_db_config( } else { fprintf( stderr, - "%s: line %d: \"chase-referrals {yes|no}\": unknown argument \"%s\".\n", + "%s: line %d: \"chase-referrals {YES|no}\": unknown argument \"%s\".\n", fname, lineno, argv[ 1 ] ); return( 1 ); } @@ -430,7 +449,7 @@ meta_back_db_config( if ( argc != 2 ) { fprintf( stderr, - "%s: line %d: \"t-f-support {no|yes|discover}\" needs 1 argument.\n", + "%s: line %d: \"t-f-support {NO|yes|discover}\" needs 1 argument.\n", fname, lineno ); return( 1 ); } @@ -451,6 +470,28 @@ meta_back_db_config( return 1; } + /* onerr? */ + } else if ( strcasecmp( argv[ 0 ], "onerr" ) == 0 ) { + if ( argc != 2 ) { + fprintf( stderr, + "%s: line %d: \"onerr {CONTINUE|stop}\" takes 1 argument\n", + fname, lineno ); + return( 1 ); + } + + if ( strcasecmp( argv[ 1 ], "continue" ) == 0 ) { + mi->flags &= ~META_BACK_F_ONERR_STOP; + + } else if ( strcasecmp( argv[ 1 ], "stop" ) == 0 ) { + mi->flags |= META_BACK_F_ONERR_STOP; + + } else { + fprintf( stderr, + "%s: line %d: \"onerr {CONTINUE|stop}\": invalid arg \"%s\".\n", + fname, lineno, argv[ 1 ] ); + return 1; + } + /* name to use as pseudo-root dn */ } else if ( strcasecmp( argv[ 0 ], "pseudorootdn" ) == 0 ) { int i = mi->mi_ntargets - 1; diff --git a/servers/slapd/back-meta/search.c b/servers/slapd/back-meta/search.c index 039e085bdb..7379141d08 100644 --- a/servers/slapd/back-meta/search.c +++ b/servers/slapd/back-meta/search.c @@ -360,8 +360,6 @@ meta_back_search( Operation *op, SlapReply *rs ) 0, &tv, &res ); if ( rc == 0 ) { - /* timeout exceeded */ - /* FIXME: res should not need to be freed */ assert( res == NULL ); @@ -515,7 +513,7 @@ really_bad:; (char **)&candidates[ i ].sr_matched, NULL /* (char **)&candidates[ i ].sr_text */ , &references, - &candidates[ i ].sr_ctrls, 1 ) ) + &candidates[ i ].sr_ctrls, 1 ) != LDAP_SUCCESS ) { res = NULL; ldap_get_option( msc->msc_ld, @@ -524,6 +522,7 @@ really_bad:; sres = slap_map_api2result( rs ); goto really_bad; } + rs->sr_err = candidates[ i ].sr_err; sres = slap_map_api2result( rs ); res = NULL; @@ -597,6 +596,15 @@ really_bad:; rs->sr_err = candidates[ i ].sr_err; sres = slap_map_api2result( rs ); + + snprintf( buf, sizeof( buf ), + "%s meta_back_search[%d] " + "match=\"%s\" err=%d\n", + op->o_log_prefix, i, + candidates[ i ].sr_matched ? candidates[ i ].sr_matched : "", + candidates[ i ].sr_err ); + Debug( LDAP_DEBUG_ANY, "%s", buf, 0, 0 ); + switch ( sres ) { case LDAP_NO_SUCH_OBJECT: /* is_ok is touched any time a valid @@ -614,15 +622,17 @@ really_bad:; case LDAP_REFERRAL: is_ok++; break; - } - snprintf( buf, sizeof( buf ), - "%s meta_back_search[%d] " - "match=\"%s\" err=%d\n", - op->o_log_prefix, i, - candidates[ i ].sr_matched ? candidates[ i ].sr_matched : "", - candidates[ i ].sr_err ); - Debug( LDAP_DEBUG_ANY, "%s", buf, 0, 0 ); + default: + if ( META_BACK_ONERR_STOP( mi ) ) { + savepriv = op->o_private; + op->o_private = (void *)i; + send_ldap_result( op, rs ); + op->o_private = savepriv; + goto finish; + } + break; + } last = i; rc = 0;