From: Kurt Zeilenga Date: Tue, 20 Dec 2005 20:08:12 +0000 (+0000) Subject: ITS#4115 fixes for back-meta/ldap X-Git-Tag: OPENLDAP_REL_ENG_2_3_14~43 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=49692915c42d3a75af30176e0f494f63583dde74;p=openldap ITS#4115 fixes for back-meta/ldap --- diff --git a/CHANGES b/CHANGES index 0370c083d5..57118aeef7 100644 --- a/CHANGES +++ b/CHANGES @@ -11,6 +11,7 @@ OpenLDAP 2.3.14 Engineering Fixed slapd-bdb/hdb cn=config olcDbIndex modify/replace (ITS#4262) Fixed slapd-bdb/hdb lockup issue (ITS#4184) Fixed slapo-rwm static DN free bug (ITS#4248) + Fixed slapd-ldap/meta (ITS#4115) Updated slapo-dynlist (ITS#3756,4224) Build environment Updated test033-glue-syncrepl (ITS#4264) diff --git a/servers/slapd/back-ldap/back-ldap.h b/servers/slapd/back-ldap/back-ldap.h index 8ec1a372bc..33e90f141c 100644 --- a/servers/slapd/back-ldap/back-ldap.h +++ b/servers/slapd/back-ldap/back-ldap.h @@ -79,6 +79,7 @@ typedef struct ldapconn_t { unsigned lc_refcnt; unsigned lc_flags; + time_t lc_time; } ldapconn_t; /* @@ -183,6 +184,8 @@ typedef struct ldapinfo_t { ldap_avl_info_t li_conninfo; + time_t li_network_timeout; + time_t li_idle_timeout; time_t li_timeout[ LDAP_BACK_OP_LAST ]; } ldapinfo_t; diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c index 6d7899e44d..ac5cef995d 100644 --- a/servers/slapd/back-ldap/bind.c +++ b/servers/slapd/back-ldap/bind.c @@ -301,7 +301,7 @@ ldap_back_start_tls( retry:; rc = ldap_result( ld, msgid, LDAP_MSG_ALL, &tv, &res ); if ( rc < 0 ) { - rc = LDAP_OTHER; + rc = LDAP_UNAVAILABLE; } else if ( rc == 0 ) { if ( retries != LDAP_BACK_RETRY_NEVER ) { @@ -312,7 +312,7 @@ retry:; LDAP_BACK_TV_SET( &tv ); goto retry; } - rc = LDAP_OTHER; + rc = LDAP_UNAVAILABLE; } else if ( rc == LDAP_RES_EXTENDED ) { struct berval *data = NULL; @@ -336,7 +336,7 @@ retry:; rc = ldap_install_tls( ld ); } else if ( rc == LDAP_REFERRAL ) { - rc = LDAP_OTHER; + rc = LDAP_UNWILLING_TO_PERFORM; *text = "unwilling to chase referral returned by Start TLS exop"; } @@ -415,6 +415,10 @@ ldap_back_prepare_conn( ldapconn_t **lcp, Operation *op, SlapReply *rs, ldap_bac /* Set LDAP version. This will always succeed: If the client * bound with a particular version, then so can we. */ + if ( vers == 0 ) { + /* assume it's an internal op; set to LDAPv3 */ + vers = LDAP_VERSION3; + } ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, (const void *)&vers ); /* automatically chase referrals ("[dont-]chase-referrals" statement) */ @@ -581,9 +585,22 @@ ldap_back_getconn( Operation *op, SlapReply *rs, ldap_back_send_t sendok ) } } else { - Debug( LDAP_DEBUG_TRACE, - "=>ldap_back_getconn: conn %p fetched (refcnt=%u)\n", - (void *)lc, refcnt, 0 ); + if ( li->li_idle_timeout != 0 && op->o_time > lc->lc_time + li->li_idle_timeout ) { + /* in case of failure, it frees/taints lc and sets it to NULL */ + if ( ldap_back_retry( &lc, op, rs, sendok ) ) { + lc = NULL; + } + } + + if ( lc ) { + Debug( LDAP_DEBUG_TRACE, + "=>ldap_back_getconn: conn %p fetched (refcnt=%u)\n", + (void *)lc, refcnt, 0 ); + } + } + + if ( li->li_idle_timeout && lc ) { + lc->lc_time = op->o_time; } done:; @@ -838,7 +855,7 @@ ldap_back_op_result( retry:; /* if result parsing fails, note the failure reason */ - rc = ldap_result( lc->lc_ld, msgid, 1, &tv, &res ); + rc = ldap_result( lc->lc_ld, msgid, LDAP_MSG_ALL, &tv, &res ); switch ( rc ) { case 0: if ( timeout ) { @@ -925,6 +942,9 @@ ldap_back_retry( ldapconn_t **lcp, Operation *op, SlapReply *rs, ldap_back_send_ int rc = 0; ldapinfo_t *li = (ldapinfo_t *)op->o_bd->be_private; + assert( lcp != NULL ); + assert( *lcp != NULL ); + ldap_pvt_thread_mutex_lock( &li->li_conninfo.lai_mutex ); if ( (*lcp)->lc_refcnt == 1 ) { @@ -940,7 +960,11 @@ ldap_back_retry( ldapconn_t **lcp, Operation *op, SlapReply *rs, ldap_back_send_ /* lc here must be the regular lc, reset and ready for init */ rc = ldap_back_prepare_conn( lcp, op, rs, sendok ); - if ( rc == LDAP_SUCCESS ) { + if ( rc != LDAP_SUCCESS ) { + rc = 0; + *lcp = NULL; + + } else { rc = ldap_back_dobind_int( *lcp, op, rs, sendok, 0, 0 ); if ( rc == 0 ) { *lcp = NULL; @@ -959,10 +983,18 @@ ldap_back_proxy_authz_bind( ldapconn_t *lc, Operation *op, SlapReply *rs ) ldapinfo_t *li = (ldapinfo_t *)op->o_bd->be_private; struct berval binddn = slap_empty_bv; struct berval bindcred = slap_empty_bv; + struct berval ndn; int dobind = 0; int msgid; int rc; + if ( !BER_BVISNULL( &op->o_conn->c_ndn ) ) { + ndn = op->o_conn->c_ndn; + + } else { + ndn = op->o_ndn; + } + /* * FIXME: we need to let clients use proxyAuthz * otherwise we cannot do symmetric pools of servers; @@ -988,7 +1020,7 @@ ldap_back_proxy_authz_bind( ldapconn_t *lc, Operation *op, SlapReply *rs ) * is authorized */ switch ( li->li_idassert_mode ) { case LDAP_BACK_IDASSERT_LEGACY: - if ( !BER_BVISNULL( &op->o_conn->c_ndn ) && !BER_BVISEMPTY( &op->o_conn->c_ndn ) ) { + if ( !BER_BVISNULL( &ndn ) && !BER_BVISEMPTY( &ndn ) ) { if ( !BER_BVISNULL( &li->li_idassert_authcDN ) && !BER_BVISEMPTY( &li->li_idassert_authcDN ) ) { binddn = li->li_idassert_authcDN; @@ -1003,11 +1035,11 @@ ldap_back_proxy_authz_bind( ldapconn_t *lc, Operation *op, SlapReply *rs ) if ( li->li_idassert_authz && !be_isroot( op ) ) { struct berval authcDN; - if ( BER_BVISNULL( &op->o_conn->c_ndn ) ) { + if ( BER_BVISNULL( &ndn ) ) { authcDN = slap_empty_bv; } else { - authcDN = op->o_conn->c_ndn; + authcDN = ndn; } rs->sr_err = slap_sasl_matches( op, li->li_idassert_authz, &authcDN, &authcDN ); @@ -1054,16 +1086,16 @@ ldap_back_proxy_authz_bind( ldapconn_t *lc, Operation *op, SlapReply *rs ) break; case LDAP_BACK_IDASSERT_SELF: - if ( BER_BVISNULL( &op->o_conn->c_ndn ) ) { + if ( BER_BVISNULL( &ndn ) ) { /* connection is not authc'd, so don't idassert */ BER_BVSTR( &authzID, "dn:" ); break; } - authzID.bv_len = STRLENOF( "dn:" ) + op->o_conn->c_ndn.bv_len; + authzID.bv_len = STRLENOF( "dn:" ) + ndn.bv_len; authzID.bv_val = slap_sl_malloc( authzID.bv_len + 1, op->o_tmpmemctx ); AC_MEMCPY( authzID.bv_val, "dn:", STRLENOF( "dn:" ) ); AC_MEMCPY( authzID.bv_val + STRLENOF( "dn:" ), - op->o_conn->c_ndn.bv_val, op->o_conn->c_ndn.bv_len + 1 ); + ndn.bv_val, ndn.bv_len + 1 ); freeauthz = 1; break; @@ -1178,7 +1210,8 @@ ldap_back_proxy_authz_ctrl( LDAPControl **ctrls = NULL; int i = 0, mode; - struct berval assertedID; + struct berval assertedID, + ndn; *pctrls = NULL; @@ -1197,6 +1230,13 @@ ldap_back_proxy_authz_ctrl( goto done; } + if ( !BER_BVISNULL( &op->o_conn->c_ndn ) ) { + ndn = op->o_conn->c_ndn; + + } else { + ndn = op->o_ndn; + } + if ( li->li_idassert_mode == LDAP_BACK_IDASSERT_LEGACY ) { if ( op->o_proxy_authz ) { /* @@ -1220,7 +1260,7 @@ ldap_back_proxy_authz_ctrl( goto done; } - if ( BER_BVISNULL( &op->o_conn->c_ndn ) ) { + if ( BER_BVISNULL( &ndn ) ) { goto done; } @@ -1230,13 +1270,13 @@ ldap_back_proxy_authz_ctrl( } else if ( li->li_idassert_authmethod == LDAP_AUTH_SASL ) { if ( ( li->li_idassert_flags & LDAP_BACK_AUTH_NATIVE_AUTHZ ) - /* && ( !BER_BVISNULL( &op->o_conn->c_ndn ) + /* && ( !BER_BVISNULL( &ndn ) || LDAP_BACK_CONN_ISBOUND( lc ) ) */ ) { /* already asserted in SASL via native authz */ /* NOTE: the test on lc->lc_bound is used to trap * native authorization of anonymous users, - * since in that case op->o_conn->c_ndn is NULL */ + * since in that case ndn is NULL */ goto done; } @@ -1244,17 +1284,17 @@ ldap_back_proxy_authz_ctrl( int rc; struct berval authcDN; - if ( BER_BVISNULL( &op->o_conn->c_ndn ) ) { + if ( BER_BVISNULL( &ndn ) ) { authcDN = slap_empty_bv; } else { - authcDN = op->o_conn->c_ndn; + authcDN = ndn; } rc = slap_sasl_matches( op, li->li_idassert_authz, &authcDN, & authcDN ); if ( rc != LDAP_SUCCESS ) { if ( li->li_idassert_flags & LDAP_BACK_AUTH_PRESCRIPTIVE ) { - /* op->o_conn->c_ndn is not authorized + /* ndn is not authorized * to use idassert */ return rc; } @@ -1296,10 +1336,10 @@ ldap_back_proxy_authz_ctrl( case LDAP_BACK_IDASSERT_SELF: /* original behavior: * assert the client's identity */ - if ( BER_BVISNULL( &op->o_conn->c_ndn ) ) { + if ( BER_BVISNULL( &ndn ) ) { assertedID = slap_empty_bv; } else { - assertedID = op->o_conn->c_ndn; + assertedID = ndn; } break; diff --git a/servers/slapd/back-ldap/chain.c b/servers/slapd/back-ldap/chain.c index f42beab8d5..2f1aa7d1d4 100644 --- a/servers/slapd/back-ldap/chain.c +++ b/servers/slapd/back-ldap/chain.c @@ -78,7 +78,7 @@ typedef struct ldap_chain_t { * the tree? Should be all configurable. */ - /* "common" configuration info (all occurring before an "uri") */ + /* "common" configuration info (anything occurring before an "uri") */ ldapinfo_t *lc_common_li; /* current configuration info */ @@ -875,9 +875,9 @@ static ConfigTable chaincfg[] = { "DESC 'Chaining behavior control parameters (draft-sermersheim-ldap-chaining)' " "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL }, #endif /* LDAP_CONTROL_X_CHAINING_BEHAVIOR */ - { "chain-cache-uris", "TRUE/FALSE", + { "chain-cache-uri", "TRUE/FALSE", 2, 2, 0, ARG_MAGIC|ARG_ON_OFF|CH_CACHE_URI, chain_cf_gen, - "( OLcfgOvAt:3.2 NAME 'olcCacheURIs' " + "( OLcfgOvAt:3.2 NAME 'olcCacheURI' " "DESC 'Enables caching of URIs not present in configuration' " "SYNTAX OMsBoolean SINGLE-VALUE )", NULL, NULL }, { NULL, NULL, 0, 0, 0, ARG_IGNORED } @@ -892,7 +892,7 @@ static ConfigOCs chainocs[] = { #ifdef LDAP_CONTROL_X_CHAINING_BEHAVIOR "olcChainingBehavior $ " #endif /* LDAP_CONTROL_X_CHAINING_BEHAVIOR */ - "olcCacheURIs " + "olcCacheURI " ") )", Cft_Overlay, chaincfg, NULL, chain_cfadd }, { "( OLcfgOvOc:3.2 " @@ -1316,11 +1316,44 @@ ldap_chain_db_config( BackendInfo *bd_info = be->bd_info; void *be_private = be->be_private; ConfigOCs *be_cf_ocs = be->be_cf_ocs; - int is_uri = 0; + static char *allowed_argv[] = { + /* special: put URI here, so in the meanwhile + * it detects whether a new URI is being provided */ + "uri", + "nretries", + "timeout", + /* flags */ + "tls", + /* FIXME: maybe rebind-as-user should be allowed + * only within known URIs... */ + "rebind-as-user", + "chase-referrals", + "t-f-support", + "proxy-whoami", + NULL + }; + int which_argv = -1; argv[ 0 ] += STRLENOF( "chain-" ); - if ( strcasecmp( argv[ 0 ], "uri" ) == 0 ) { + for ( which_argv = 0; allowed_argv[ which_argv ]; which_argv++ ) { + if ( strcasecmp( argv[ 0 ], allowed_argv[ which_argv ] ) == 0 ) { + break; + } + } + + if ( allowed_argv[ which_argv ] == NULL ) { + which_argv = -1; + + if ( lc->lc_cfg_li == lc->lc_common_li ) { + Debug( LDAP_DEBUG_ANY, "%s: line %d: " + "\"%s\" only allowed within a URI directive.\n.", + fname, lineno, argv[ 0 ] ); + return 1; + } + } + + if ( which_argv == 0 ) { rc = ldap_chain_db_init_one( be ); if ( rc != 0 ) { Debug( LDAP_DEBUG_ANY, "%s: line %d: " @@ -1329,7 +1362,6 @@ ldap_chain_db_config( return 1; } lc->lc_cfg_li = be->be_private; - is_uri = 1; } /* TODO: add checks on what other slapd-ldap(5) args @@ -1350,7 +1382,7 @@ ldap_chain_db_config( be->be_private = be_private; be->bd_info = bd_info; - if ( is_uri ) { + if ( which_argv == 0 ) { private_destroy:; if ( rc != 0 ) { BackendDB db = *be; diff --git a/servers/slapd/back-ldap/config.c b/servers/slapd/back-ldap/config.c index b3ef34d0e8..4a22a48b80 100644 --- a/servers/slapd/back-ldap/config.c +++ b/servers/slapd/back-ldap/config.c @@ -60,6 +60,7 @@ enum { LDAP_BACK_CFG_T_F, LDAP_BACK_CFG_WHOAMI, LDAP_BACK_CFG_TIMEOUT, + LDAP_BACK_CFG_IDLE_TIMEOUT, LDAP_BACK_CFG_REWRITE, LDAP_BACK_CFG_LAST @@ -214,6 +215,14 @@ static ConfigTable ldapcfg[] = { "SYNTAX OMsDirectoryString " "SINGLE-VALUE )", NULL, NULL }, + { "idle-timeout", "timeout", 2, 0, 0, + ARG_MAGIC|LDAP_BACK_CFG_IDLE_TIMEOUT, + ldap_back_cf_gen, "( OLcfgDbAt:3.15 " + "NAME 'olcDbIdleTimeout' " + "DESC 'connection idle timeout' " + "SYNTAX OMsDirectoryString " + "SINGLE-VALUE )", + NULL, NULL }, { "suffixmassage", "[virtual]> li_flags & LDAP_BACK_F_TLS_MASK ), &bv ); - if ( BER_BVISNULL( &bv ) ) { - /* there's something wrong... */ - assert( 0 ); - rc = 1; - - } else { - value_add_one( &c->rvalue_vals, &bv ); - } + assert( !BER_BVISNULL( &bv ) ); + value_add_one( &c->rvalue_vals, &bv ); break; case LDAP_BACK_CFG_ACL_AUTHCDN: @@ -330,6 +334,10 @@ ldap_back_cf_gen( ConfigArgs *c ) case LDAP_BACK_CFG_ACL_BIND: { int i; + if ( li->li_acl_authmethod == LDAP_AUTH_NONE ) { + return 1; + } + bindconf_unparse( &li->li_acl, &bv ); for ( i = 0; isspace( bv.bv_val[ i ] ); i++ ) @@ -373,6 +381,10 @@ ldap_back_cf_gen( ConfigArgs *c ) struct berval bc = BER_BVNULL; char *ptr; + if ( li->li_idassert_authmethod == LDAP_AUTH_NONE ) { + return 1; + } + if ( li->li_idassert_authmethod != LDAP_AUTH_NONE ) { ber_len_t len; @@ -506,22 +518,46 @@ ldap_back_cf_gen( ConfigArgs *c ) case LDAP_BACK_CFG_TIMEOUT: BER_BVZERO( &bv ); + for ( i = 0; i < LDAP_BACK_OP_LAST; i++ ) { + if ( li->li_timeout[ i ] != 0 ) { + break; + } + } + + if ( i == LDAP_BACK_OP_LAST ) { + return 1; + } + slap_cf_aux_table_unparse( li->li_timeout, &bv, timeout_table ); - if ( !BER_BVISNULL( &bv ) ) { - for ( i = 0; isspace( bv.bv_val[ i ] ); i++ ) - /* count spaces */ ; + if ( BER_BVISNULL( &bv ) ) { + return 1; + } - if ( i ) { - bv.bv_len -= i; - AC_MEMCPY( bv.bv_val, &bv.bv_val[ i ], - bv.bv_len + 1 ); - } + for ( i = 0; isspace( bv.bv_val[ i ] ); i++ ) + /* count spaces */ ; - ber_bvarray_add( &c->rvalue_vals, &bv ); + if ( i ) { + bv.bv_len -= i; + AC_MEMCPY( bv.bv_val, &bv.bv_val[ i ], + bv.bv_len + 1 ); } + + ber_bvarray_add( &c->rvalue_vals, &bv ); break; + case LDAP_BACK_CFG_IDLE_TIMEOUT: { + char buf[ SLAP_TEXT_BUFLEN ]; + + if ( li->li_idle_timeout == 0 ) { + return 1; + } + + lutil_unparse_time( buf, sizeof( buf ), li->li_idle_timeout ); + ber_str2bv( buf, 0, 0, &bv ); + value_add_one( &c->rvalue_vals, &bv ); + } break; + default: /* FIXME: we need to handle all... */ assert( 0 ); @@ -599,6 +635,10 @@ ldap_back_cf_gen( ConfigArgs *c ) } break; + case LDAP_BACK_CFG_IDLE_TIMEOUT: + li->li_idle_timeout = 0; + break; + default: /* FIXME: we need to handle all... */ assert( 0 ); @@ -614,14 +654,6 @@ ldap_back_cf_gen( ConfigArgs *c ) char **urllist = NULL; int urlrc = LDAP_URL_SUCCESS, i; - if ( c->argc != 2 ) { - fprintf( stderr, "%s: line %d: " - "missing uri " - "in \"uri \" line\n", - c->fname, c->lineno ); - return 1; - } - if ( li->li_uri != NULL ) { ch_free( li->li_uri ); li->li_uri = NULL; @@ -671,10 +703,11 @@ ldap_back_cf_gen( ConfigArgs *c ) why = "unknown reason"; break; } - fprintf( stderr, "%s: line %d: " + snprintf( c->msg, sizeof( c->msg), "unable to parse uri \"%s\" " - "in \"uri \" line: %s\n", - c->fname, c->lineno, c->value_string, why ); + "in \"uri \" line: %s", + c->value_string, why ); + Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 ); urlrc = 1; goto done_url; } @@ -690,12 +723,13 @@ ldap_back_cf_gen( ConfigArgs *c ) || tmpludp->lud_filter != NULL || tmpludp->lud_exts != NULL ) { - fprintf( stderr, "%s: line %d: " + snprintf( c->msg, sizeof( c->msg ), "warning, only protocol, " "host and port allowed " "in \"uri \" statement " - "for uri #%d of \"%s\"\n", - c->fname, c->lineno, i, c->value_string ); + "for uri #%d of \"%s\"", + i, c->value_string ); + Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 ); } } @@ -724,11 +758,12 @@ ldap_back_cf_gen( ConfigArgs *c ) urllist[ i ] = ldap_url_desc2str( &tmplud ); if ( urllist[ i ] == NULL ) { - fprintf( stderr, "%s: line %d: " + snprintf( c->msg, sizeof( c->msg), "unable to rebuild uri " "in \"uri \" statement " - "for \"%s\"\n", - c->fname, c->lineno, c->argv[ 1 ] ); + "for \"%s\"", + c->argv[ 1 ] ); + Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 ); urlrc = 1; goto done_url; } @@ -777,10 +812,11 @@ done_url:; break; default: - fprintf( stderr, "%s: line %d: " + snprintf( c->msg, sizeof( c->msg), "\"acl-authcDN \" incompatible " - "with auth method %d.", - c->fname, c->lineno, li->li_acl_authmethod ); + "with auth method %d", + li->li_acl_authmethod ); + Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 ); return 1; } if ( !BER_BVISNULL( &li->li_acl_authcDN ) ) { @@ -802,10 +838,11 @@ done_url:; break; default: - fprintf( stderr, "%s: line %d: " + snprintf( c->msg, sizeof( c->msg ), "\"acl-passwd \" incompatible " - "with auth method %d.", - c->fname, c->lineno, li->li_acl_authmethod ); + "with auth method %d", + li->li_acl_authmethod ); + Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 ); return 1; } if ( !BER_BVISNULL( &li->li_acl_passwd ) ) { @@ -897,10 +934,11 @@ done_url:; break; default: - fprintf( stderr, "%s: line %d: " + snprintf( c->msg, sizeof( c->msg ), "\"idassert-authcDN \" incompatible " - "with auth method %d.", - c->fname, c->lineno, li->li_idassert_authmethod ); + "with auth method %d", + li->li_idassert_authmethod ); + Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 ); return 1; } if ( !BER_BVISNULL( &li->li_idassert_authcDN ) ) { @@ -922,10 +960,11 @@ done_url:; break; default: - fprintf( stderr, "%s: line %d: " + snprintf( c->msg, sizeof( c->msg ), "\"idassert-passwd \" incompatible " - "with auth method %d.", - c->fname, c->lineno, li->li_idassert_authmethod ); + "with auth method %d", + li->li_idassert_authmethod ); + Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 ); return 1; } if ( !BER_BVISNULL( &li->li_idassert_passwd ) ) { @@ -943,10 +982,10 @@ done_url:; ber_str2bv( c->argv[ 1 ], 0, 0, &in ); rc = authzNormalize( 0, NULL, NULL, &in, &bv, NULL ); if ( rc != LDAP_SUCCESS ) { - fprintf( stderr, "%s: %d: " + snprintf( c->msg, sizeof( c->msg ), "\"idassert-authzFrom \": " - "invalid syntax.\n", - c->fname, c->lineno ); + "invalid syntax" ); + Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 ); return 1; } #else /* !SLAP_AUTHZ_SYNTAX */ @@ -957,10 +996,10 @@ done_url:; case LDAP_BACK_CFG_IDASSERT_METHOD: /* no longer supported */ - fprintf( stderr, "%s: %d: " + snprintf( c->msg, sizeof( c->msg ), "\"idassert-method \": " - "no longer supported; use \"idassert-bind\".\n", - c->fname, c->lineno ); + "no longer supported; use \"idassert-bind\"" ); + Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 ); return 1; case LDAP_BACK_CFG_IDASSERT_BIND: @@ -971,10 +1010,11 @@ done_url:; j = verb_to_mask( argvi, idassert_mode ); if ( BER_BVISNULL( &idassert_mode[ j ].word ) ) { - fprintf( stderr, "%s: %d: " + snprintf( c->msg, sizeof( c->msg ), "\"idassert-bind \": " - "unknown mode \"%s\".\n", - c->fname, c->lineno, argvi ); + "unknown mode \"%s\"", + argvi ); + Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 ); return 1; } @@ -985,11 +1025,11 @@ done_url:; if ( strcasecmp( argvi, "native" ) == 0 ) { if ( li->li_idassert_authmethod != LDAP_AUTH_SASL ) { - fprintf( stderr, "%s: %d: " + snprintf( c->msg, sizeof( c->msg ), "\"idassert-bind \": " "authz=\"native\" incompatible " - "with auth method.\n", - c->fname, c->lineno ); + "with auth method" ); + Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 ); return 1; } li->li_idassert_flags |= LDAP_BACK_AUTH_NATIVE_AUTHZ; @@ -998,10 +1038,11 @@ done_url:; li->li_idassert_flags &= ~LDAP_BACK_AUTH_NATIVE_AUTHZ; } else { - fprintf( stderr, "%s: %d: " + snprintf( c->msg, sizeof( c->msg ), "\"idassert-bind \": " - "unknown authz \"%s\".\n", - c->fname, c->lineno, argvi ); + "unknown authz \"%s\"", + argvi ); + Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 ); return 1; } @@ -1011,10 +1052,11 @@ done_url:; int j; if ( flags == NULL ) { - fprintf( stderr, "%s: %d: " + snprintf( c->msg, sizeof( c->msg ), "\"idassert-bind \": " - "unable to parse flags \"%s\".\n", - c->fname, c->lineno, argvi ); + "unable to parse flags \"%s\"", + argvi ); + Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 ); return 1; } @@ -1029,10 +1071,11 @@ done_url:; li->li_idassert_flags &= ( ~LDAP_BACK_AUTH_PRESCRIPTIVE ); } else { - fprintf( stderr, "%s: %d: " + snprintf( c->msg, sizeof( c->msg ), "\"idassert-bind \": " - "unknown flag \"%s\".\n", + "unknown flag \"%s\"", c->fname, c->lineno, flags[ j ] ); + Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 ); return 1; } } @@ -1084,10 +1127,6 @@ done_url:; break; case LDAP_BACK_CFG_TIMEOUT: - if ( c->argc < 2 ) { - return 1; - } - for ( i = 1; i < c->argc; i++ ) { if ( isdigit( c->argv[ i ][ 0 ] ) ) { int j; @@ -1110,13 +1149,26 @@ done_url:; } break; + case LDAP_BACK_CFG_IDLE_TIMEOUT: { + unsigned long t; + + if ( lutil_parse_time( c->argv[ 1 ], &t ) != 0 ) { + snprintf( c->msg, sizeof( c->msg), + "unable to parse idle timeout \"%s\"", + c->argv[ 1 ] ); + Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 ); + return 1; + } + li->li_idle_timeout = (time_t)t; + } break; + case LDAP_BACK_CFG_REWRITE: - fprintf( stderr, "%s: line %d: " + snprintf( c->msg, sizeof( c->msg ), "rewrite/remap capabilities have been moved " "to the \"rwm\" overlay; see slapo-rwm(5) " "for details (hint: add \"overlay rwm\" " - "and prefix all directives with \"rwm-\").\n", - c->fname, c->lineno ); + "and prefix all directives with \"rwm-\")" ); + Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 ); return 1; default: @@ -1196,49 +1248,57 @@ ldap_back_exop_whoami( if( rs->sr_err != LDAP_SUCCESS ) return rs->sr_err; /* if auth'd by back-ldap and request is proxied, forward it */ - if ( op->o_conn->c_authz_backend && !strcmp(op->o_conn->c_authz_backend->be_type, "ldap" ) && !dn_match(&op->o_ndn, &op->o_conn->c_ndn)) { + if ( op->o_conn->c_authz_backend + && !strcmp( op->o_conn->c_authz_backend->be_type, "ldap" ) + && !dn_match( &op->o_ndn, &op->o_conn->c_ndn ) ) + { ldapconn_t *lc; - LDAPControl c, *ctrls[2] = {NULL, NULL}; LDAPMessage *res; Operation op2 = *op; ber_int_t msgid; int doretry = 1; + char *ptr; ctrls[0] = &c; op2.o_ndn = op->o_conn->c_ndn; lc = ldap_back_getconn(&op2, rs, LDAP_BACK_SENDERR); - if (!lc || !ldap_back_dobind( lc, op, rs, LDAP_BACK_SENDERR )) { + if ( !lc || !ldap_back_dobind( lc, op, rs, LDAP_BACK_SENDERR ) ) { return -1; } c.ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ; c.ldctl_iscritical = 1; - c.ldctl_value.bv_val = ch_malloc(op->o_ndn.bv_len+4); + c.ldctl_value.bv_val = op->o_tmpalloc( + op->o_ndn.bv_len + STRLENOF( "dn:" ) + 1, + op->o_tmpmemctx ); c.ldctl_value.bv_len = op->o_ndn.bv_len + 3; - strcpy(c.ldctl_value.bv_val, "dn:"); - strcpy(c.ldctl_value.bv_val+3, op->o_ndn.bv_val); + ptr = c.ldctl_value.bv_val; + ptr = lutil_strcopy( ptr, "dn:" ); + ptr = lutil_strncopy( ptr, op->o_ndn.bv_val, op->o_ndn.bv_len ); + ptr[ 0 ] = '\0'; retry: - rs->sr_err = ldap_whoami(lc->lc_ld, ctrls, NULL, &msgid); - if (rs->sr_err == LDAP_SUCCESS) { - if (ldap_result(lc->lc_ld, msgid, 1, NULL, &res) == -1) { - ldap_get_option(lc->lc_ld, LDAP_OPT_ERROR_NUMBER, - &rs->sr_err); + rs->sr_err = ldap_whoami( lc->lc_ld, ctrls, NULL, &msgid ); + if ( rs->sr_err == LDAP_SUCCESS ) { + if ( ldap_result( lc->lc_ld, msgid, LDAP_MSG_ALL, NULL, &res ) == -1 ) { + ldap_get_option( lc->lc_ld, LDAP_OPT_ERROR_NUMBER, + &rs->sr_err ); if ( rs->sr_err == LDAP_SERVER_DOWN && doretry ) { doretry = 0; - if ( ldap_back_retry( &lc, op, rs, LDAP_BACK_SENDERR ) ) + if ( ldap_back_retry( &lc, op, rs, LDAP_BACK_SENDERR ) ) { goto retry; + } } - ldap_back_freeconn( op, lc, 1 ); - lc = NULL; } else { - rs->sr_err = ldap_parse_whoami(lc->lc_ld, res, &bv); + /* NOTE: are we sure "bv" will be malloc'ed + * with the appropriate memory? */ + rs->sr_err = ldap_parse_whoami( lc->lc_ld, res, &bv ); ldap_msgfree(res); } } - ch_free(c.ldctl_value.bv_val); - if (rs->sr_err != LDAP_SUCCESS) { + op->o_tmpfree( c.ldctl_value.bv_val, op->o_tmpmemctx ); + if ( rs->sr_err != LDAP_SUCCESS ) { rs->sr_err = slap_map_api2result( rs ); } @@ -1247,15 +1307,16 @@ retry: } } else { - /* else just do the same as before */ - bv = (struct berval *) ch_malloc( sizeof(struct berval) ); + /* else just do the same as before */ + bv = (struct berval *) ch_malloc( sizeof( struct berval ) ); if ( !BER_BVISEMPTY( &op->o_dn ) ) { - bv->bv_len = op->o_dn.bv_len + STRLENOF("dn:"); + bv->bv_len = op->o_dn.bv_len + STRLENOF( "dn:" ); bv->bv_val = ch_malloc( bv->bv_len + 1 ); - AC_MEMCPY( bv->bv_val, "dn:", STRLENOF("dn:") ); - AC_MEMCPY( &bv->bv_val[STRLENOF("dn:")], op->o_dn.bv_val, + AC_MEMCPY( bv->bv_val, "dn:", STRLENOF( "dn:" ) ); + AC_MEMCPY( &bv->bv_val[ STRLENOF( "dn:" ) ], op->o_dn.bv_val, op->o_dn.bv_len ); - bv->bv_val[bv->bv_len] = '\0'; + bv->bv_val[ bv->bv_len ] = '\0'; + } else { bv->bv_len = 0; bv->bv_val = NULL; diff --git a/servers/slapd/back-ldap/extended.c b/servers/slapd/back-ldap/extended.c index dae58547f0..5c631ba4a1 100644 --- a/servers/slapd/back-ldap/extended.c +++ b/servers/slapd/back-ldap/extended.c @@ -122,7 +122,7 @@ retry: op->o_ctrls, NULL, &msgid ); if ( rc == LDAP_SUCCESS ) { - if ( ldap_result( lc->lc_ld, msgid, 1, NULL, &res ) == -1 ) { + if ( ldap_result( lc->lc_ld, msgid, LDAP_MSG_ALL, NULL, &res ) == -1 ) { ldap_get_option( lc->lc_ld, LDAP_OPT_ERROR_NUMBER, &rc ); ldap_back_freeconn( op, lc, 0 ); lc = NULL; diff --git a/servers/slapd/back-ldap/search.c b/servers/slapd/back-ldap/search.c index 1a30eb6960..166e360d71 100644 --- a/servers/slapd/back-ldap/search.c +++ b/servers/slapd/back-ldap/search.c @@ -258,7 +258,7 @@ retry: * but this is necessary for version matching, and for ACL processing. */ - for ( rc = 0; rc != -1; rc = ldap_result( lc->lc_ld, msgid, 0, &tv, &res ) ) + for ( rc = 0; rc != -1; rc = ldap_result( lc->lc_ld, msgid, LDAP_MSG_ONE, &tv, &res ) ) { /* check for abandon */ if ( op->o_abandon ) { @@ -299,11 +299,11 @@ retry: rc = rs->sr_err = send_search_entry( op, rs ); if ( !BER_BVISNULL( &ent.e_name ) ) { assert( ent.e_name.bv_val != bdn.bv_val ); - free( ent.e_name.bv_val ); + op->o_tmpfree( ent.e_name.bv_val, op->o_tmpmemctx ); BER_BVZERO( &ent.e_name ); } if ( !BER_BVISNULL( &ent.e_nname ) ) { - free( ent.e_nname.bv_val ); + op->o_tmpfree( ent.e_nname.bv_val, op->o_tmpmemctx ); BER_BVZERO( &ent.e_nname ); } entry_clean( &ent ); diff --git a/servers/slapd/back-meta/add.c b/servers/slapd/back-meta/add.c index 84dc2b7f1c..c6c349ab15 100644 --- a/servers/slapd/back-meta/add.c +++ b/servers/slapd/back-meta/add.c @@ -186,7 +186,7 @@ retry:; rs->sr_err = LDAP_OTHER; rc = ldap_result( mc->mc_conns[ candidate ].msc_ld, - msgid, LDAP_MSG_ONE, tvp, &res ); + msgid, LDAP_MSG_ALL, tvp, &res ); switch ( rc ) { case -1: send_ldap_result( op, rs ); diff --git a/servers/slapd/back-meta/back-meta.h b/servers/slapd/back-meta/back-meta.h index 8ac932bb99..a6fbdfa925 100644 --- a/servers/slapd/back-meta/back-meta.h +++ b/servers/slapd/back-meta/back-meta.h @@ -82,9 +82,6 @@ typedef struct dncookie { #endif } dncookie; -/* TODO: allow to define it on a per-target basis */ -#define META_BIND_TIMEOUT 10000 - int ldap_back_dn_massage(dncookie *dc, struct berval *dn, struct berval *res); @@ -177,6 +174,8 @@ typedef struct metasingleconn_t { #define META_ANONYMOUS 2 #endif + time_t msc_time; + struct metainfo_t *msc_info; } metasingleconn_t; @@ -228,6 +227,10 @@ typedef struct metatarget_t { unsigned mt_flags; int mt_version; + time_t mt_network_timeout; + time_t mt_idle_timeout; + struct timeval mt_bind_timeout; +#define META_BIND_TIMEOUT 10000 time_t mt_timeout[ LDAP_BACK_OP_LAST ]; } metatarget_t; @@ -248,7 +251,6 @@ typedef struct metacandidates_t { typedef struct metainfo_t { int mi_ntargets; int mi_defaulttarget; - int mi_network_timeout; #define META_DEFAULT_TARGET_NONE (-1) int mi_nretries; @@ -271,6 +273,9 @@ typedef struct metainfo_t { #define META_BACK_DEFER_ROOTDN_BIND(mi) ( (mi)->mi_flags & META_BACK_F_DEFER_ROOTDN_BIND ) int mi_version; + time_t mi_network_timeout; + time_t mi_idle_timeout; + struct timeval mi_bind_timeout; time_t mi_timeout[ LDAP_BACK_OP_LAST ]; } metainfo_t; @@ -313,9 +318,8 @@ meta_back_init_one_conn( SlapReply *rs, metatarget_t *mt, metaconn_t *mc, - metasingleconn_t *msc, + int candidate, int ispriv, - int isauthz, ldap_back_send_t sendok ); extern int diff --git a/servers/slapd/back-meta/bind.c b/servers/slapd/back-meta/bind.c index ccd2a6c275..f2c2035fb0 100644 --- a/servers/slapd/back-meta/bind.c +++ b/servers/slapd/back-meta/bind.c @@ -147,7 +147,7 @@ meta_back_bind( Operation *op, SlapReply *rs ) */ Debug( LDAP_DEBUG_ANY, "### %s meta_back_bind: more than one" - " candidate is trying to bind...\n", + " candidate selected...\n", op->o_log_prefix, 0, 0 ); } @@ -186,10 +186,8 @@ meta_back_bind( Operation *op, SlapReply *rs ) lerr = meta_back_single_bind( &op2, rs, mc, i, massage ); if ( lerr != LDAP_SUCCESS ) { - rs->sr_err = lerr; + rc = rs->sr_err = lerr; candidates[ i ].sr_tag = META_NOT_CANDIDATE; - - rc = rs->sr_err; break; } } @@ -336,6 +334,7 @@ rebind:; struct timeval tv; int rc; int nretries = mt->mt_nretries; + char buf[ SLAP_TEXT_BUFLEN ]; LDAP_BACK_TV_SET( &tv ); @@ -343,15 +342,15 @@ rebind:; * handle response!!! */ retry:; - tv.tv_sec = 0; - tv.tv_usec = META_BIND_TIMEOUT; - switch ( ldap_result( msc->msc_ld, msgid, 0, &tv, &res ) ) { + tv = mt->mt_bind_timeout; + switch ( ldap_result( msc->msc_ld, msgid, LDAP_MSG_ALL, &tv, &res ) ) { case 0: - Debug( LDAP_DEBUG_ANY, - "%s meta_back_single_bind: " + snprintf( buf, sizeof( buf ), "ldap_result=0 nretries=%d%s\n", - op->o_log_prefix, nretries, - rebinding ? " rebinding" : "" ); + nretries, rebinding ? " rebinding" : "" ); + Debug( LDAP_DEBUG_ANY, + "%s meta_back_single_bind[%d]: %s.\n", + op->o_log_prefix, candidate, buf ); if ( nretries != META_RETRY_NEVER ) { ldap_pvt_thread_yield(); @@ -383,10 +382,12 @@ retry:; ldap_abandon_ext( msc->msc_ld, msgid, NULL, NULL ); } + snprintf( buf, sizeof( buf ), + "err=%d nretries=%d", + rs->sr_err, nretries ); Debug( LDAP_DEBUG_ANY, - "### %s meta_back_single_bind: " - "err=%d nretries=%d\n", - op->o_log_prefix, rs->sr_err, nretries ); + "### %s meta_back_single_bind[%d]: %s.\n", + op->o_log_prefix, candidate, buf ); rc = slap_map_api2result( rs ); if ( rs->sr_err == LDAP_UNAVAILABLE && nretries != META_RETRY_NEVER ) { @@ -489,6 +490,7 @@ rebind:; if ( rc == LDAP_SUCCESS ) { LDAPMessage *res; struct timeval tv; + char buf[ SLAP_TEXT_BUFLEN ]; LDAP_BACK_TV_SET( &tv ); @@ -496,15 +498,15 @@ rebind:; * handle response!!! */ retry:; - tv.tv_sec = 0; - tv.tv_usec = META_BIND_TIMEOUT; - switch ( ldap_result( msc->msc_ld, msgid, 0, &tv, &res ) ) { + tv = mt->mt_bind_timeout; + switch ( ldap_result( msc->msc_ld, msgid, LDAP_MSG_ALL, &tv, &res ) ) { case 0: + snprintf( buf, sizeof( buf ), + "ldap_result=0 nretries=%d%s", + nretries, rebinding ? " rebinding" : "" ); Debug( LDAP_DEBUG_ANY, - "%s meta_back_single_dobind: " - "ldap_result=0 nretries=%d%s\n", - op->o_log_prefix, nretries, - rebinding ? " rebinding" : "" ); + "%s meta_back_single_dobind[%d]: %s.\n", + op->o_log_prefix, candidate, buf ); if ( nretries != META_RETRY_NEVER ) { ldap_pvt_thread_yield(); @@ -537,10 +539,12 @@ retry:; ldap_abandon_ext( msc->msc_ld, msgid, NULL, NULL ); } + snprintf( buf, sizeof( buf ), + "err=%d nretries=%d", + rs->sr_err, nretries ); Debug( LDAP_DEBUG_ANY, - "### %s meta_back_single_dobind: " - "err=%d nretries=%d\n", - op->o_log_prefix, rs->sr_err, nretries ); + "### %s meta_back_single_dobind[%d]: %s.\n", + op->o_log_prefix, candidate, buf ); rc = slap_map_api2result( rs ); if ( rc == LDAP_UNAVAILABLE && nretries != META_RETRY_NEVER ) { @@ -560,9 +564,8 @@ retry:; /* mc here must be the regular mc, * reset and ready for init */ rc = meta_back_init_one_conn( op, rs, - mt, mc, msc, + mt, mc, candidate, LDAP_BACK_CONN_ISPRIV( mc ), - candidate == mc->mc_authz_target, LDAP_BACK_DONTSEND ); } else { diff --git a/servers/slapd/back-meta/compare.c b/servers/slapd/back-meta/compare.c index 65fdde05f0..b0d716c6fc 100644 --- a/servers/slapd/back-meta/compare.c +++ b/servers/slapd/back-meta/compare.c @@ -185,7 +185,7 @@ meta_back_compare( Operation *op, SlapReply *rs ) } lrc = ldap_result( msc->msc_ld, msgid[ i ], - 0, &tv, &res ); + LDAP_MSG_ALL, &tv, &res ); if ( lrc == 0 ) { assert( res == NULL ); diff --git a/servers/slapd/back-meta/config.c b/servers/slapd/back-meta/config.c index 3516b82e35..811154523b 100644 --- a/servers/slapd/back-meta/config.c +++ b/servers/slapd/back-meta/config.c @@ -35,7 +35,7 @@ #include "back-meta.h" static int -new_target( +meta_back_new_target( metatarget_t *mt ) { struct ldapmapping *mapping; @@ -146,7 +146,7 @@ meta_back_db_config( return 1; } - if ( new_target( &mi->mi_targets[ i ] ) != 0 ) { + if ( meta_back_new_target( &mi->mi_targets[ i ] ) != 0 ) { Debug( LDAP_DEBUG_ANY, "%s: line %d: unable to init server" " in \"uri ://[:port]/\" line\n", @@ -157,7 +157,9 @@ meta_back_db_config( mi->mi_targets[ i ].mt_nretries = mi->mi_nretries; mi->mi_targets[ i ].mt_flags = mi->mi_flags; mi->mi_targets[ i ].mt_version = mi->mi_version; - + mi->mi_targets[ i ].mt_network_timeout = mi->mi_network_timeout; + mi->mi_targets[ i ].mt_idle_timeout = mi->mi_idle_timeout; + mi->mi_targets[ i ].mt_bind_timeout = mi->mi_bind_timeout; for ( c = 0; c < LDAP_BACK_OP_LAST; c++ ) { mi->mi_targets[ i ].mt_timeout[ c ] = mi->mi_timeout[ c ]; } @@ -344,7 +346,11 @@ meta_back_db_config( /* network timeout when connecting to ldap servers */ } else if ( strcasecmp( argv[ 0 ], "network-timeout" ) == 0 ) { + int i = mi->mi_ntargets - 1; unsigned long t; + time_t *tp = mi->mi_ntargets ? + &mi->mi_targets[ mi->mi_ntargets - 1 ].mt_network_timeout + : &mi->mi_network_timeout; if ( argc != 2 ) { Debug( LDAP_DEBUG_ANY, @@ -361,7 +367,74 @@ meta_back_db_config( } - mi->mi_network_timeout = (int)t; + *tp = (time_t)t; + + /* idle timeout when connecting to ldap servers */ + } else if ( strcasecmp( argv[ 0 ], "idle-timeout" ) == 0 ) { + int i = mi->mi_ntargets - 1; + unsigned long t; + time_t *tp = mi->mi_ntargets ? + &mi->mi_targets[ mi->mi_ntargets - 1 ].mt_idle_timeout + : &mi->mi_idle_timeout; + + switch ( argc ) { + case 1: + Debug( LDAP_DEBUG_ANY, + "%s: line %d: missing timeout value in \"idle-timeout \" line\n", + fname, lineno, 0 ); + return 1; + case 2: + break; + default: + Debug( LDAP_DEBUG_ANY, + "%s: line %d: extra cruft after timeout value in \"idle-timeout \" line\n", + fname, lineno, 0 ); + return 1; + } + + if ( lutil_parse_time( argv[ 1 ], &t ) ) { + Debug( LDAP_DEBUG_ANY, + "%s: line %d: unable to parse timeout \"%s\" in \"idle-timeout \" line\n", + fname, lineno, argv[ 1 ] ); + return 1; + + } + + *tp = (time_t)t; + + /* bind timeout when connecting to ldap servers */ + } else if ( strcasecmp( argv[ 0 ], "bind-timeout" ) == 0 ) { + int i = mi->mi_ntargets - 1; + unsigned long t; + struct timeval *tp = mi->mi_ntargets ? + &mi->mi_targets[ mi->mi_ntargets - 1 ].mt_bind_timeout + : &mi->mi_bind_timeout; + + switch ( argc ) { + case 1: + Debug( LDAP_DEBUG_ANY, + "%s: line %d: missing timeout value in \"bind-timeout \" line\n", + fname, lineno, 0 ); + return 1; + case 2: + break; + default: + Debug( LDAP_DEBUG_ANY, + "%s: line %d: extra cruft after timeout value in \"bind-timeout \" line\n", + fname, lineno, 0 ); + return 1; + } + + if ( lutil_atoul( &t, argv[ 1 ] ) != 0 ) { + Debug( LDAP_DEBUG_ANY, + "%s: line %d: unable to parse timeout \"%s\" in \"bind-timeout \" line\n", + fname, lineno, argv[ 1 ] ); + return 1; + + } + + tp->tv_sec = t/1000000; + tp->tv_usec = t%1000000; /* name to use for meta_back_group */ } else if ( strcasecmp( argv[ 0 ], "acl-authcDN" ) == 0 diff --git a/servers/slapd/back-meta/conn.c b/servers/slapd/back-meta/conn.c index 772771abf9..a37f8f4816 100644 --- a/servers/slapd/back-meta/conn.c +++ b/servers/slapd/back-meta/conn.c @@ -206,20 +206,34 @@ meta_back_init_one_conn( SlapReply *rs, metatarget_t *mt, metaconn_t *mc, - metasingleconn_t *msc, + int candidate, int ispriv, - int isauthz, ldap_back_send_t sendok ) { - metainfo_t *mi = ( metainfo_t * )op->o_bd->be_private; - int vers; - dncookie dc; + metainfo_t *mi = ( metainfo_t * )op->o_bd->be_private; + metasingleconn_t *msc = &mc->mc_conns[ candidate ]; + int vers; + dncookie dc; + int isauthz = ( candidate == mc->mc_authz_target ); /* * Already init'ed */ if ( msc->msc_ld != NULL ) { - return rs->sr_err = LDAP_SUCCESS; + if ( mt->mt_idle_timeout == 0 ) { + return rs->sr_err = LDAP_SUCCESS; + } + + if ( op->o_time > msc->msc_time + mt->mt_idle_timeout ) { + Debug( LDAP_DEBUG_TRACE, + "%s meta_back_init_one_conn[%d]: idle timeout.\n", + op->o_log_prefix, candidate, 0 ); + if ( meta_back_retry( op, rs, mc, candidate, sendok ) ) { + return rs->sr_err; + } + } + + msc->msc_time = op->o_time; } /* @@ -344,11 +358,11 @@ retry:; /* * Set the network timeout if set */ - if ( mi->mi_network_timeout != 0 ) { + if ( mt->mt_network_timeout != 0 ) { struct timeval network_timeout; network_timeout.tv_usec = 0; - network_timeout.tv_sec = mi->mi_network_timeout; + network_timeout.tv_sec = mt->mt_network_timeout; ldap_set_option( msc->msc_ld, LDAP_OPT_NETWORK_TIMEOUT, (void *)&network_timeout ); @@ -414,6 +428,10 @@ error_return:; */ ( void )rewrite_session_init( mt->mt_rwmap.rwm_rw, op->o_conn ); + if ( mt->mt_idle_timeout ) { + msc->msc_time = op->o_time; + } + } else { rs->sr_err = slap_map_api2result( rs ); if ( sendok & LDAP_BACK_SENDERR ) { @@ -449,17 +467,22 @@ retry_lock:; assert( mc->mc_refcnt > 0 ); if ( mc->mc_refcnt == 1 ) { + char buf[ SLAP_TEXT_BUFLEN ]; + while ( ldap_pvt_thread_mutex_trylock( &mc->mc_mutex ) ) { ldap_pvt_thread_mutex_unlock( &mi->mi_conninfo.lai_mutex ); ldap_pvt_thread_yield(); goto retry_lock; } - Debug( LDAP_DEBUG_ANY, - "%s meta_back_retry: retrying URI=\"%s\" DN=\"%s\"\n", - op->o_log_prefix, mt->mt_uri, + snprintf( buf, sizeof( buf ), + "retrying URI=\"%s\" DN=\"%s\"", + mt->mt_uri, BER_BVISNULL( &msc->msc_bound_ndn ) ? "" : msc->msc_bound_ndn.bv_val ); + Debug( LDAP_DEBUG_ANY, + "%s meta_back_retry[%d]: %s.\n", + op->o_log_prefix, candidate, buf ); meta_clear_one_candidate( msc ); LDAP_BACK_CONN_ISBOUND_CLEAR( msc ); @@ -467,9 +490,8 @@ retry_lock:; ( void )rewrite_session_delete( mt->mt_rwmap.rwm_rw, op->o_conn ); /* mc here must be the regular mc, reset and ready for init */ - rc = meta_back_init_one_conn( op, rs, mt, mc, msc, - LDAP_BACK_CONN_ISPRIV( mc ), - candidate == mc->mc_authz_target, sendok ); + rc = meta_back_init_one_conn( op, rs, mt, mc, candidate, + LDAP_BACK_CONN_ISPRIV( mc ), sendok ); if ( rc == LDAP_SUCCESS ) { rc = meta_back_single_dobind( op, rs, mc, candidate, @@ -804,16 +826,14 @@ meta_back_getconn( for ( i = 0; i < mi->mi_ntargets; i++ ) { metatarget_t *mt = &mi->mi_targets[ i ]; - metasingleconn_t *msc = &mc->mc_conns[ i ]; /* * The target is activated; if needed, it is * also init'd */ candidates[ i ].sr_err = meta_back_init_one_conn( op, - rs, mt, mc, msc, - LDAP_BACK_CONN_ISPRIV( &mc_curr ), - i == mc->mc_authz_target, sendok ); + rs, mt, mc, i, + LDAP_BACK_CONN_ISPRIV( &mc_curr ), sendok ); if ( candidates[ i ].sr_err == LDAP_SUCCESS ) { candidates[ i ].sr_tag = META_CANDIDATE; ncandidates++; @@ -920,7 +940,7 @@ meta_back_getconn( } Debug( LDAP_DEBUG_TRACE, - "==>meta_back_getconn: got target %d for ndn=\"%s\" from cache\n", + "==>meta_back_getconn: got target=%d for ndn=\"%s\" from cache\n", i, op->o_req_ndn.bv_val, 0 ); if ( mc == NULL ) { @@ -957,9 +977,8 @@ meta_back_getconn( * also init'd. In case of error, meta_back_init_one_conn * sends the appropriate result. */ - err = meta_back_init_one_conn( op, rs, mt, mc, msc, - LDAP_BACK_CONN_ISPRIV( &mc_curr ), - i == mc->mc_authz_target, sendok ); + err = meta_back_init_one_conn( op, rs, mt, mc, i, + LDAP_BACK_CONN_ISPRIV( &mc_curr ), sendok ); if ( err != LDAP_SUCCESS ) { /* * FIXME: in case one target cannot @@ -1014,16 +1033,15 @@ meta_back_getconn( * also init'd */ int lerr = meta_back_init_one_conn( op, rs, - mt, mc, msc, + mt, mc, i, LDAP_BACK_CONN_ISPRIV( &mc_curr ), - i == mc->mc_authz_target, sendok ); if ( lerr == LDAP_SUCCESS ) { candidates[ i ].sr_tag = META_CANDIDATE; candidates[ i ].sr_err = LDAP_SUCCESS; ncandidates++; - Debug( LDAP_DEBUG_TRACE, "%s: meta_back_init_one_conn(%d)\n", + Debug( LDAP_DEBUG_TRACE, "%s: meta_back_getconn[%d]\n", op->o_log_prefix, i, 0 ); } else { @@ -1040,7 +1058,7 @@ meta_back_getconn( candidates[ i ].sr_err = lerr; err = lerr; - Debug( LDAP_DEBUG_ANY, "%s: meta_back_init_one_conn(%d) failed: %d\n", + Debug( LDAP_DEBUG_ANY, "%s: meta_back_getconn[%d] failed: %d\n", op->o_log_prefix, i, lerr ); continue; diff --git a/servers/slapd/back-meta/delete.c b/servers/slapd/back-meta/delete.c index 42f77bf966..b810a99b6f 100644 --- a/servers/slapd/back-meta/delete.c +++ b/servers/slapd/back-meta/delete.c @@ -84,7 +84,7 @@ retry:; rs->sr_err = LDAP_OTHER; rc = ldap_result( mc->mc_conns[ candidate ].msc_ld, - msgid, LDAP_MSG_ONE, tvp, &res ); + msgid, LDAP_MSG_ALL, tvp, &res ); switch ( rc ) { case -1: rs->sr_err = LDAP_OTHER; diff --git a/servers/slapd/back-meta/init.c b/servers/slapd/back-meta/init.c index 627a26c27b..181fec29c4 100644 --- a/servers/slapd/back-meta/init.c +++ b/servers/slapd/back-meta/init.c @@ -87,6 +87,8 @@ meta_back_db_init( * this may change */ mi->mi_defaulttarget = META_DEFAULT_TARGET_NONE; + mi->mi_bind_timeout.tv_sec = 0; + mi->mi_bind_timeout.tv_usec = META_BIND_TIMEOUT; ldap_pvt_thread_mutex_init( &mi->mi_conninfo.lai_mutex ); ldap_pvt_thread_mutex_init( &mi->mi_cache.mutex ); diff --git a/servers/slapd/back-meta/modify.c b/servers/slapd/back-meta/modify.c index 9701257022..30e48326b6 100644 --- a/servers/slapd/back-meta/modify.c +++ b/servers/slapd/back-meta/modify.c @@ -194,7 +194,7 @@ retry:; rs->sr_err = LDAP_OTHER; rc = ldap_result( mc->mc_conns[ candidate ].msc_ld, - msgid, LDAP_MSG_ONE, tvp, &res ); + msgid, LDAP_MSG_ALL, tvp, &res ); switch ( rc ) { case -1: rc = -1; diff --git a/servers/slapd/back-meta/modrdn.c b/servers/slapd/back-meta/modrdn.c index 1c943b95d3..83efbb176c 100644 --- a/servers/slapd/back-meta/modrdn.c +++ b/servers/slapd/back-meta/modrdn.c @@ -125,7 +125,7 @@ retry:; rs->sr_err = LDAP_OTHER; rc = ldap_result( mc->mc_conns[ candidate ].msc_ld, - msgid, LDAP_MSG_ONE, tvp, &res ); + msgid, LDAP_MSG_ALL, tvp, &res ); switch ( rc ) { case -1: break; diff --git a/servers/slapd/back-meta/search.c b/servers/slapd/back-meta/search.c index 08f61b904d..a3d55ca3b7 100644 --- a/servers/slapd/back-meta/search.c +++ b/servers/slapd/back-meta/search.c @@ -389,7 +389,7 @@ meta_back_search( Operation *op, SlapReply *rs ) */ get_result:; rc = ldap_result( msc->msc_ld, candidates[ i ].sr_msgid, - 0, &tv, &res ); + LDAP_MSG_ONE, &tv, &res ); if ( rc == 0 ) { /* FIXME: res should not need to be freed */ @@ -453,7 +453,7 @@ really_bad:; ldap_msgfree( res ); res = NULL; - switch ( rc ) { + switch ( rs->sr_err ) { case LDAP_SIZELIMIT_EXCEEDED: savepriv = op->o_private; op->o_private = (void *)i; @@ -566,13 +566,22 @@ really_bad:; candidates[ i ].sr_type = REP_RESULT; } + /* NOTE: ignores response controls + * (and intermediate response controls + * as well, except for those with search + * references); this may not be correct, + * but if they're not ignored then + * back-meta would need to merge them + * consistently (think of pagedResults...) + */ if ( ldap_parse_result( msc->msc_ld, res, &candidates[ i ].sr_err, (char **)&candidates[ i ].sr_matched, NULL /* (char **)&candidates[ i ].sr_text */ , &references, - &candidates[ i ].sr_ctrls, 1 ) != LDAP_SUCCESS ) + NULL /* &candidates[ i ].sr_ctrls (unused) */ , + 1 ) != LDAP_SUCCESS ) { res = NULL; ldap_get_option( msc->msc_ld, diff --git a/servers/slapd/back-meta/unbind.c b/servers/slapd/back-meta/unbind.c index ed98015e57..c9aea2de99 100644 --- a/servers/slapd/back-meta/unbind.c +++ b/servers/slapd/back-meta/unbind.c @@ -44,8 +44,9 @@ meta_back_conn_destroy( Debug( LDAP_DEBUG_TRACE, - "=>meta_back_conn_destroy: fetching conn %ld\n", - conn->c_connid, 0, 0 ); + "=>meta_back_conn_destroy: fetching conn=%ld DN=\"%s\"\n", + conn->c_connid, + BER_BVISNULL( &conn->c_ndn ) ? "" : conn->c_ndn.bv_val, 0 ); mc_curr.mc_conn = conn; mc_curr.mc_local_ndn = conn->c_ndn;