From 297c7933b1a53e11bea131afde8665ff177c4647 Mon Sep 17 00:00:00 2001
From: Pierangelo Masarati <ando@openldap.org>
Date: Sat, 25 Jun 2005 15:13:44 +0000
Subject: [PATCH] add "onerr" flag

---
 doc/man/man5/slapd-meta.5           | 50 ++++++++++++++++++++++++++--
 servers/slapd/back-meta/back-meta.h | 14 +++-----
 servers/slapd/back-meta/config.c    | 51 ++++++++++++++++++++++++++---
 servers/slapd/back-meta/search.c    | 32 +++++++++++-------
 4 files changed, 119 insertions(+), 28 deletions(-)

diff --git a/doc/man/man5/slapd-meta.5 b/doc/man/man5/slapd-meta.5
index 3670ca7352..83b0817e38 100644
--- a/doc/man/man5/slapd-meta.5
+++ b/doc/man/man5/slapd-meta.5
@@ -76,6 +76,7 @@ All the configuration directives that are not specific to targets
 should be defined first for clarity, including those that are common
 to all backends.
 They are:
+
 .TP
 .B default-target none
 This directive forces the backend to reject all those operations
@@ -87,6 +88,7 @@ matches an attempt is made to perform the operation on any candidate
 target, with the constraint that at most one must succeed.
 This directive can also be used when processing targets to mark a
 specific target as default.
+
 .TP
 .B dncache-ttl {forever|disabled|<ttl>}
 This directive sets the time-to-live of the DN cache.
@@ -94,6 +96,7 @@ This caches the target that holds a given DN to speed up target
 selection in case multiple targets would result from an uncached
 search; forever means cache never expires; disabled means no DN
 caching; otherwise a valid ( > 0 ) ttl in seconds is required.
+
 .TP
 .B nretries {forever|never|<nretries>}
 This directive defines how many times a bind should be retried
@@ -104,6 +107,7 @@ the global value can be overridden by redefinitions inside each target
 specification.
 .SH TARGET SPECIFICATION
 Target specification starts with a "uri" directive:
+
 .TP
 .B uri <protocol>://[<host>[:<port>]]/<naming context>
 The "server" directive that was allowed in the LDAP backend (although
@@ -135,6 +139,7 @@ URL-encoded <namimg context>s), and the additional URIs must have
 no <naming context> part.  This causes the underlying library
 to contact the first server of the list that responds.
 .RE
+
 .TP
 .B default-target [<target>]
 The "default-target" directive can also be used during target specification.
@@ -142,6 +147,7 @@ With no arguments it marks the current target as the default.
 The optional number marks target <target> as the default one, starting
 from 1.
 Target <target> must be defined.
+
 .TP
 .B acl-authcDN "<administrative DN for access control purposes>"
 DN which is used to query the target server for acl checking,
@@ -151,33 +157,72 @@ There is no risk of giving away such values; they are only used to
 check permissions.
 .B The acl-authcDN identity is by no means implicitly used by the proxy 
 .B when the client connects anonymously.
+
 .TP
 .B acl-passwd <password>
 Password used with the
 .B 
 acl-authcDN
 above.
+
 .TP
-.B rebind-as-user
+.B rebind-as-user {NO|yes}
 If this option is given, the client's bind credentials are remembered
 for rebinds when chasing referrals.
+
+.TP
+.B chase-referrals {YES|no}
+enable/disable automatic referral chasing, which is delegated to the
+underlying libldap, with rebinding eventually performed if the
+\fBrebind-as-user\fP directive is used.  The default is to chase referrals.
+
+.TP
+.B tls {[try-]start|[try-]propagate}
+execute the start TLS extended operation when the connection is initialized;
+only works if the URI directive protocol scheme is not \fBldaps://\fP.
+\fBpropagate\fP issues the Start TLS exop only if the original
+connection did.
+The \fBtry-\fP prefix instructs the proxy to continue operations
+if start TLS failed; its use is highly deprecated.
+
+.TP
+.B t-f-support {NO|yes|discover}
+enable if the remote server supports absolute filters
+(see \fIdraft-zeilenga-ldap-t-f\fP for details).
+If set to
+.BR discover ,
+support is detected by reading the remote server's rootDSE.
+
+.TP
+.B onerr {CONTINUE|stop}
+This directive allows to select the behavior in case an error is returned
+by one targe during a search. 
+The default, \fBcontinue\fP, consists in continuing the operation, 
+trying to return as much data as possible.
+If this statement is set to \fBstop\fP, the search is terminated as soon 
+as an error is returned by one target, and the error is immediately 
+propagated to the client.
+
 .TP
 .B pseudorootdn "<substitute DN in case of rootdn bind>"
 This directive, if present, sets the DN that will be substituted to
 the bind DN if a bind with the backend's "rootdn" succeeds.
 The true "rootdn" of the target server ought not be used; an arbitrary
 administrative DN should used instead.
+
 .TP
 .B pseudorootpw "<substitute password in case of rootdn bind>"
 This directive sets the credential that will be used in case a bind
 with the backend's "rootdn" succeeds, and the bind is propagated to
 the target using the "pseudorootdn" DN.
-.LP
+
 Note: cleartext credentials must be supplied here; as a consequence,
 using the pseudorootdn/pseudorootpw directives is inherently unsafe.
+
 .TP
 .B rewrite* ...
 The rewrite options are described in the "REWRITING" section.
+
 .TP
 .B suffixmassage "<virtual naming context>" "<real naming context>"
 All the directives starting with "rewrite" refer to the rewrite engine
@@ -196,6 +241,7 @@ on (case insensitive) DNs instead of normalized DNs,
 so "dc=foo, dc=com" would not match "dc=foo,dc=com".
 .LP
 See the "REWRITING" section.
+
 .TP
 .B map "{attribute|objectclass} [<local name>|*] {<foreign name>|*}"
 This maps object classes and attributes as in the LDAP backend.
diff --git a/servers/slapd/back-meta/back-meta.h b/servers/slapd/back-meta/back-meta.h
index 882a38d747..ccc91fbefb 100644
--- a/servers/slapd/back-meta/back-meta.h
+++ b/servers/slapd/back-meta/back-meta.h
@@ -243,16 +243,10 @@ typedef struct metainfo_t {
 	Avlnode			*mi_conntree;
 
 	unsigned		flags;
-#if 0
-/* defined in <back-ldap/back-ldap.h> */
-#define LDAP_BACK_F_NONE		0x00U
-#define LDAP_BACK_F_SAVECRED		0x01U
-#define LDAP_BACK_F_USE_TLS		0x02U
-#define LDAP_BACK_F_PROPAGATE_TLS	0x04U
-#define LDAP_BACK_F_TLS_CRITICAL	0x08U
-#define LDAP_BACK_F_TLS_MASK		(LDAP_BACK_F_USE_TLS|LDAP_BACK_F_PROPAGATE_TLS|LDAP_BACK_F_TLS_CRITICAL)
-#define LDAP_BACK_F_CHASE_REFERRALS	0x10U
-#endif
+/* uses flags as defined in <back-ldap/back-ldap.h> */
+#define	META_BACK_F_ONERR_STOP	0x00010000U
+#define	META_BACK_ONERR_STOP(mi)	( (mi)->flags & META_BACK_F_ONERR_STOP )
+#define	META_BACK_ONERR_CONTINUE(mi)	( !META_BACK_ONERR_CONTINUE( (mi) ) )
 
 	int			mi_version;
 } metainfo_t;
diff --git a/servers/slapd/back-meta/config.c b/servers/slapd/back-meta/config.c
index 8457cf8510..62fcd5f071 100644
--- a/servers/slapd/back-meta/config.c
+++ b/servers/slapd/back-meta/config.c
@@ -351,14 +351,33 @@ meta_back_db_config(
 		
 	/* save bind creds for referral rebinds? */
 	} else if ( strcasecmp( argv[ 0 ], "rebind-as-user" ) == 0 ) {
-		if (argc != 1) {
+		if ( argc > 2 ) {
 			fprintf( stderr,
-	"%s: line %d: rebind-as-user takes no arguments\n",
+	"%s: line %d: \"rebind-as-user {NO|yes}\" takes 1 argument.\n",
 			    fname, lineno );
 			return( 1 );
 		}
 
-		mi->flags |= LDAP_BACK_F_SAVECRED;
+		if ( argc == 1 ) {
+			fprintf( stderr,
+	"%s: line %d: deprecated use of \"rebind-as-user {NO|yes}\" with no arguments.\n",
+			    fname, lineno );
+			mi->flags |= LDAP_BACK_F_SAVECRED;
+
+		} else {
+			if ( strcasecmp( argv[ 1 ], "no" ) == 0 ) {
+				mi->flags &= ~LDAP_BACK_F_SAVECRED;
+
+			} else if ( strcasecmp( argv[ 1 ], "yes" ) == 0 ) {
+				mi->flags |= LDAP_BACK_F_SAVECRED;
+
+			} else {
+				fprintf( stderr,
+	"%s: line %d: \"rebind-as-user {NO|yes}\" unknown argument \"%s\".\n",
+				    fname, lineno, argv[ 1 ] );
+				return 1;
+			}
+		}
 
 	} else if ( strcasecmp( argv[ 0 ], "chase-referrals" ) == 0 ) {
 		unsigned	*flagsp = mi->mi_ntargets ?
@@ -381,7 +400,7 @@ meta_back_db_config(
 
 		} else {
 			fprintf( stderr,
-		"%s: line %d: \"chase-referrals {yes|no}\": unknown argument \"%s\".\n",
+		"%s: line %d: \"chase-referrals {YES|no}\": unknown argument \"%s\".\n",
 					fname, lineno, argv[ 1 ] );
 			return( 1 );
 		}
@@ -430,7 +449,7 @@ meta_back_db_config(
 
 		if ( argc != 2 ) {
 			fprintf( stderr,
-		"%s: line %d: \"t-f-support {no|yes|discover}\" needs 1 argument.\n",
+		"%s: line %d: \"t-f-support {NO|yes|discover}\" needs 1 argument.\n",
 					fname, lineno );
 			return( 1 );
 		}
@@ -451,6 +470,28 @@ meta_back_db_config(
 			return 1;
 		}
 
+	/* onerr? */
+	} else if ( strcasecmp( argv[ 0 ], "onerr" ) == 0 ) {
+		if ( argc != 2 ) {
+			fprintf( stderr,
+	"%s: line %d: \"onerr {CONTINUE|stop}\" takes 1 argument\n",
+			    fname, lineno );
+			return( 1 );
+		}
+
+		if ( strcasecmp( argv[ 1 ], "continue" ) == 0 ) {
+			mi->flags &= ~META_BACK_F_ONERR_STOP;
+
+		} else if ( strcasecmp( argv[ 1 ], "stop" ) == 0 ) {
+			mi->flags |= META_BACK_F_ONERR_STOP;
+
+		} else {
+			fprintf( stderr,
+	"%s: line %d: \"onerr {CONTINUE|stop}\": invalid arg \"%s\".\n",
+				fname, lineno, argv[ 1 ] );
+			return 1;
+		}
+
 	/* name to use as pseudo-root dn */
 	} else if ( strcasecmp( argv[ 0 ], "pseudorootdn" ) == 0 ) {
 		int 		i = mi->mi_ntargets - 1;
diff --git a/servers/slapd/back-meta/search.c b/servers/slapd/back-meta/search.c
index 039e085bdb..7379141d08 100644
--- a/servers/slapd/back-meta/search.c
+++ b/servers/slapd/back-meta/search.c
@@ -360,8 +360,6 @@ meta_back_search( Operation *op, SlapReply *rs )
 					0, &tv, &res );
 
 			if ( rc == 0 ) {
-				/* timeout exceeded */
-
 				/* FIXME: res should not need to be freed */
 				assert( res == NULL );
 
@@ -515,7 +513,7 @@ really_bad:;
 							(char **)&candidates[ i ].sr_matched,
 							NULL /* (char **)&candidates[ i ].sr_text */ ,
 							&references,
-							&candidates[ i ].sr_ctrls, 1 ) )
+							&candidates[ i ].sr_ctrls, 1 ) != LDAP_SUCCESS )
 				{
 					res = NULL;
 					ldap_get_option( msc->msc_ld,
@@ -524,6 +522,7 @@ really_bad:;
 					sres = slap_map_api2result( rs );
 					goto really_bad;
 				}
+
 				rs->sr_err = candidates[ i ].sr_err;
 				sres = slap_map_api2result( rs );
 				res = NULL;
@@ -597,6 +596,15 @@ really_bad:;
 
 				rs->sr_err = candidates[ i ].sr_err;
 				sres = slap_map_api2result( rs );
+
+				snprintf( buf, sizeof( buf ),
+					"%s meta_back_search[%d] "
+					"match=\"%s\" err=%d\n",
+					op->o_log_prefix, i,
+					candidates[ i ].sr_matched ? candidates[ i ].sr_matched : "",
+					candidates[ i ].sr_err );
+				Debug( LDAP_DEBUG_ANY, "%s", buf, 0, 0 );
+
 				switch ( sres ) {
 				case LDAP_NO_SUCH_OBJECT:
 					/* is_ok is touched any time a valid
@@ -614,15 +622,17 @@ really_bad:;
 				case LDAP_REFERRAL:
 					is_ok++;
 					break;
-				}
 
-				snprintf( buf, sizeof( buf ),
-					"%s meta_back_search[%d] "
-					"match=\"%s\" err=%d\n",
-					op->o_log_prefix, i,
-					candidates[ i ].sr_matched ? candidates[ i ].sr_matched : "",
-					candidates[ i ].sr_err );
-				Debug( LDAP_DEBUG_ANY, "%s", buf, 0, 0 );
+				default:
+					if ( META_BACK_ONERR_STOP( mi ) ) {
+						savepriv = op->o_private;
+						op->o_private = (void *)i;
+						send_ldap_result( op, rs );
+						op->o_private = savepriv;
+						goto finish;
+					}
+					break;
+				}
 
 				last = i;
 				rc = 0;
-- 
2.39.5