From 439c0c796ded2be4d3236b981eb20eb2992402df Mon Sep 17 00:00:00 2001 From: Kurt Zeilenga Date: Sun, 28 May 2000 16:36:34 +0000 Subject: [PATCH] SLAPD_SCHEMA_NOT_COMPAT: Mostly work modify --- servers/slapd/acl.c | 127 ++++++++++++++++------------- servers/slapd/aclparse.c | 62 ++++++++++++++ servers/slapd/back-ldbm/compare.c | 2 +- servers/slapd/back-ldbm/external.h | 7 +- servers/slapd/back-ldbm/group.c | 37 +++++---- servers/slapd/back-ldbm/modify.c | 55 ++++++++----- servers/slapd/back-ldbm/modrdn.c | 63 +++++++++----- servers/slapd/backend.c | 7 +- servers/slapd/modify.c | 4 +- servers/slapd/oc.c | 23 ++++++ servers/slapd/proto-slap.h | 30 +++++-- servers/slapd/schema_check.c | 12 ++- servers/slapd/schema_prep.c | 2 - servers/slapd/slap.h | 9 +- servers/slapd/slapd.conf | 2 + servers/slapd/value.c | 14 +++- 16 files changed, 306 insertions(+), 150 deletions(-) diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c index d44f218676..d693500da1 100644 --- a/servers/slapd/acl.c +++ b/servers/slapd/acl.c @@ -448,38 +448,34 @@ acl_mask( bv.bv_val = op->o_ndn; bv.bv_len = strlen( bv.bv_val ); - /* see if asker is listed in dnattr */ - if ( (at = attr_find( e->e_attrs, b->a_dn_at )) != NULL + /* see if asker is listed in dnattr */ #ifdef SLAPD_SCHEMA_NOT_COMPAT - /* not yet implemented */ -#else - && value_find( at->a_vals, &bv, at->a_syntax, 3 ) == 0 -#endif - ) + for( at = attrs_find( e->e_attrs, b->a_dn_at ); + at == NULL; + at = attrs_find( e->e_attrs->a_next, b->a_dn_at ) ) { - if ( b->a_dn_self && - (val == NULL -#ifdef SLAPD_SCHEMA_NOT_COMPAT - /* not yet implemented */ + if( value_find( b->a_dn_at, at->a_vals, &bv ) == 0 ) { + } + } + #else - || value_cmp( &bv, val, at->a_syntax, 2 ) -#endif - ) ) + /* see if asker is listed in dnattr */ + if ( (at = attr_find( e->e_attrs, b->a_dn_at )) != NULL && + value_find( at->a_vals, &bv, at->a_syntax, 3 ) == 0 ) + { + if ( b->a_dn_self && (val == NULL + || value_cmp( &bv, val, at->a_syntax, 2 ) ) ) { continue; } /* asker not listed in dnattr - check for self access */ } else if ( ! b->a_dn_self || val == NULL -#ifdef SLAPD_SCHEMA_NOT_COMPAT - /* not yet implemented */ -#else - || value_cmp( &bv, val, at->a_syntax, 2 ) != 0 -#endif - ) + || value_cmp( &bv, val, at->a_syntax, 2 ) != 0 ) { continue; } +#endif } if ( b->a_group_pat != NULL && op->o_ndn != NULL ) { @@ -695,10 +691,15 @@ acl_check_modlist( * by the user */ #ifdef SLAPD_SCHEMA_NOT_COMPAT - /* not yet implemented */ + if ( is_at_no_user_mod( mlist->sml_desc->ad_type ) ) { + Debug( LDAP_DEBUG_ACL, "acl: no-user-mod %s:" + " modify access granted\n", + mlist->sml_desc->ad_cname->bv_val, 0, 0 ); + continue; + } #else if ( oc_check_op_no_usermod_attr( mlist->sml_type ) ) { - Debug( LDAP_DEBUG_ACL, "NoUserMod Operational attribute:" + Debug( LDAP_DEBUG_ACL, "acl: no-user-mod %s:" " modify access granted\n", mlist->sml_type, 0, 0 ); continue; @@ -984,10 +985,12 @@ aci_group_member ( char *grpoc; char *grpat; #ifdef SLAPD_SCHEMA_NOT_COMPAT - AttributeDescription *grpad = NULL; + ObjectClass *grp_oc = NULL; + AttributeDescription *grp_ad = NULL; char *text; #else - char *grpad; + char *grp_oc; + char *grp_ad; #endif int rc; @@ -1014,28 +1017,28 @@ aci_group_member ( } #ifdef SLAPD_SCHEMA_NOT_COMPAT - rc = slap_str2ad( grpat, &grpad, &text ); + rc = slap_str2ad( grpat, &grp_ad, &text ); if( rc != LDAP_SUCCESS ) { rc = 0; goto done; } #else - grpad = grpat; + grp_ad = grpat; #endif rc = 0; grpdn = (char *)ch_malloc(1024); - if (grpoc != NULL && grpad != NULL && grpdn != NULL) { + if (grp_oc != NULL && grp_ad != NULL && grpdn != NULL) { string_expand(grpdn, 1024, subjdn, e->e_ndn, matches); if ( dn_normalize(grpdn) != NULL ) { - rc = (backend_group(be, e, grpdn, op->o_ndn, grpoc, grpad) == 0); + rc = (backend_group(be, e, grpdn, op->o_ndn, grp_oc, grp_ad) == 0); } } -done: #ifdef SLAPD_SCHEMA_NOT_COMPAT - if( grpad != NULL ) ad_free( grpad, 1 ); +done: + if( grp_ad != NULL ) ad_free( grp_ad, 1 ); #endif ch_free(grpdn); ch_free(grpat); @@ -1130,41 +1133,51 @@ aci_mask( return(1); } else if (aci_strbvcmp( "dnattr", &bv ) == 0) { - Attribute *at; char *dnattr = aci_bvstrdup(&sdn); #ifdef SLAPD_SCHEMA_NOT_COMPAT - AttributeDescription *dnad = NULL; - char *text; - rc = slap_str2ad( dnattr, &dnad, &text ); + Attribute *at; + AttributeDescription *ad = NULL; + const char *text; + + rc = slap_str2ad( dnattr, &ad, &text ); ch_free( dnattr ); - if ( rc == LDAP_SUCCESS ) { -#else - char *dnad = dnattr; -#endif - at = attr_find( e->e_attrs, dnad ); -#ifdef SLAPD_SCHEMA_NOT_COMAT - ad_free( dnad, 1 ); -#else - ch_free( dnad ); -#endif - if (at != NULL) { - bv.bv_val = op->o_ndn; - bv.bv_len = strlen( bv.bv_val ); + if( rc != LDAP_SUCCESS ) { + return 0; + } -#ifdef SLAPD_SCHEMA_NOT_COMPAT - /* not yet implemented */ -#else - if (value_find( at->a_vals, &bv, at->a_syntax, 3 ) == 0 ) - return(1); -#endif + rc = 0; + + bv.bv_val = op->o_ndn; + bv.bv_len = strlen( bv.bv_val ); + + for(at = attrs_find( e->e_attrs, ad ); + at != NULL; + at = attrs_find( at->a_next, ad ) ) + { + if (value_find( ad, at->a_vals, &bv) == 0 ) { + rc = 1; + break; } -#ifdef SLAPD_SCHEMA_NOT_COMPAT - } else { - ad_free( dnad, 1 ); -#endif } + ad_free( ad, 1 ); + return rc; + +#else + Attribute *at; + at = attr_find( e->e_attrs, dnattr ); + ch_free( dnattr ); + + if (at != NULL) { + bv.bv_val = op->o_ndn; + bv.bv_len = strlen( bv.bv_val ); + + if (value_find( at->a_vals, &bv, at->a_syntax, 3 ) == 0 ) + return(1); + } +#endif + } else if (aci_strbvcmp( "group", &bv ) == 0) { if (aci_group_member(&sdn, "groupOfNames", "member", be, e, op, matches)) return(1); diff --git a/servers/slapd/aclparse.c b/servers/slapd/aclparse.c index 946e0e1396..bcd648cfaf 100644 --- a/servers/slapd/aclparse.c +++ b/servers/slapd/aclparse.c @@ -384,12 +384,49 @@ parse_acl( b->a_group_pat = ch_strdup( right ); if (value && *value) { +#ifdef SLAPD_SCHEMA_NOT_COMPAT + b->a_group_oc = oc_find( value ); +#else b->a_group_oc = ch_strdup(value); +#endif + if( b->a_group_oc == NULL ) { + fprintf( stderr, + "%s: line %d: group objectclass \"%s\" unknown\n", + fname, lineno, value ); + acl_usage(); + } + +#ifdef SLAPD_SCHEMA_NOT_COMPAT + if( is_object_subclass( b->a_group_oc, + slap_schema.si_oc_referral ) ) + { + fprintf( stderr, + "%s: line %d: group objectclass \"%s\" is subclass of referral\n", + fname, lineno, value ); + acl_usage(); + } + + if( is_object_subclass( b->a_group_oc, + slap_schema.si_oc_alias ) ) + { + fprintf( stderr, + "%s: line %d: group objectclass \"%s\" is subclass of alias\n", + fname, lineno, value ); + acl_usage(); + } +#endif + *--value = '/'; + } else { +#ifdef SLAPD_SCHEMA_NOT_COMPAT + b->a_group_oc = slap_schema.si_oc_groupOfNames; +#else b->a_group_oc = ch_strdup("groupOfNames"); +#endif } + if (name && *name) { #ifdef SLAPD_SCHEMA_NOT_COMPAT rc = slap_str2ad( right, &b->a_group_at, &text ); @@ -430,6 +467,31 @@ parse_acl( fname, lineno ); acl_usage(); } + + + { + int rc; + struct berval val; + struct berval *vals[2]; + + val.bv_val = b->a_group_oc->soc_oid; + val.bv_len = strlen(val.bv_val); + vals[0] = &val; + vals[1] = NULL; + + + rc = oc_check_allowed( b->a_group_at->ad_type, vals ); + + if( rc != 0 ) { + fprintf( stderr, + "%s: line %d: group: \"%s\" not allowed by \"%s\"\n", + fname, lineno, + b->a_group_at->ad_type, + b->a_group_oc->soc_oid ); + acl_usage(); + } + } + #endif /* SLAPD_SCHEMA_NOT_COMPAT */ continue; } diff --git a/servers/slapd/back-ldbm/compare.c b/servers/slapd/back-ldbm/compare.c index cd087aa82f..56a7bd4978 100644 --- a/servers/slapd/back-ldbm/compare.c +++ b/servers/slapd/back-ldbm/compare.c @@ -107,7 +107,7 @@ ldbm_back_compare( rc = LDAP_COMPARE_FALSE; #ifdef SLAPD_SCHEMA_NOT_COMPAT - /* not yet implemented */ + if ( value_find( ava->aa_desc, a->a_vals, ava->aa_value ) == 0 ) #else if ( value_find( a->a_vals, &ava->ava_value, a->a_syntax, 1 ) == 0 ) #endif diff --git a/servers/slapd/back-ldbm/external.h b/servers/slapd/back-ldbm/external.h index 65c9fd790f..c0c9ab901b 100644 --- a/servers/slapd/back-ldbm/external.h +++ b/servers/slapd/back-ldbm/external.h @@ -83,14 +83,15 @@ extern int ldbm_back_abandon LDAP_P(( BackendDB *bd, #ifdef SLAPD_SCHEMA_NOT_COMPAT extern int ldbm_back_group LDAP_P(( BackendDB *bd, Entry *target, - const char* gr_ndn, const char* op_ndn, - const char* objectclassValue, + const char* gr_ndn, + const char* op_ndn, + ObjectClass* group_oc, AttributeDescription* group_at)); #else extern int ldbm_back_group LDAP_P(( BackendDB *bd, Entry *target, const char* gr_ndn, const char* op_ndn, - const char* objectclassValue, + const char* group_oc, const char* group_at)); #endif diff --git a/servers/slapd/back-ldbm/group.c b/servers/slapd/back-ldbm/group.c index 5c1973a7db..c929987191 100644 --- a/servers/slapd/back-ldbm/group.c +++ b/servers/slapd/back-ldbm/group.c @@ -27,10 +27,11 @@ ldbm_back_group( Entry *target, const char *gr_ndn, const char *op_ndn, - const char *objectclassValue, #ifdef SLAPD_SCHEMA_NOT_COMPAT + ObjectClass *group_oc, AttributeDescription *group_at #else + const char *group_oc, const char *group_at #endif ) @@ -41,12 +42,20 @@ ldbm_back_group( Attribute *attr; #ifdef SLAPD_SCHEMA_NOT_COMPAT - AttributeDescription *objectClass = slap_schema.si_ad_objectClass; - const char *groupattrName = group_at->ad_cname->bv_val; + AttributeDescription *ad_objectClass = slap_schema.si_ad_objectClass; + const char *group_oc_name = NULL; + const char *group_at_name = group_at->ad_cname->bv_val; + + if( group_oc->soc_names && group_oc->soc_names[0] ) { + group_oc_name = group_oc->soc_names[0]; + } else { + group_oc_name = group_oc->soc_oid; + } #else struct berval bv; - const char *objectClass = "objectclass"; - const char *groupattrName = group_at; + const char *ad_objectClass = "objectclass"; + const char *group_oc_name = group_oc; + const char *group_at_name = group_at; #endif Debug( LDAP_DEBUG_ARGS, @@ -56,8 +65,8 @@ ldbm_back_group( "=> ldbm_back_group: op dn: \"%s\"\n", op_ndn, 0, 0 ); Debug( LDAP_DEBUG_ARGS, - "=> ldbm_back_group: objectClass: \"%s\" attrName: \"%s\"\n", - objectclassValue, groupattrName, 0 ); + "=> ldbm_back_group: oc: \"%s\" at: \"%s\"\n", + group_oc_name, group_at_name, 0 ); Debug( LDAP_DEBUG_ARGS, "=> ldbm_back_group: tr dn: \"%s\"\n", @@ -91,7 +100,7 @@ ldbm_back_group( rc = 1; - if ((attr = attr_find(e->e_attrs, objectClass)) == NULL) { + if ((attr = attr_find(e->e_attrs, ad_objectClass)) == NULL) { Debug( LDAP_DEBUG_ACL, "<= ldbm_back_group: failed to find objectClass\n", 0, 0, 0 ); goto return_results; @@ -120,26 +129,26 @@ ldbm_back_group( goto return_results; } - bv.bv_val = (char *) objectclassValue; + bv.bv_val = (char *) group_oc_name; bv.bv_len = strlen( bv.bv_val ); if (value_find(attr->a_vals, &bv, attr->a_syntax, 1) != 0) { Debug( LDAP_DEBUG_ACL, "<= ldbm_back_group: failed to find %s in objectClass\n", - objectclassValue, 0, 0 ); + group_oc_name, 0, 0 ); goto return_results; } if ((attr = attr_find(e->e_attrs, group_at)) == NULL) { Debug( LDAP_DEBUG_ACL, "<= ldbm_back_group: failed to find %s\n", - groupattrName, 0, 0 ); + group_at_name, 0, 0 ); goto return_results; } Debug( LDAP_DEBUG_ACL, "<= ldbm_back_group: found objectClass %s and %s\n", - objectclassValue, groupattrName, 0 ); + group_oc_name, group_at_name, 0 ); bv.bv_val = (char *) op_ndn; bv.bv_len = strlen( op_ndn ); @@ -148,14 +157,14 @@ ldbm_back_group( { Debug( LDAP_DEBUG_ACL, "<= ldbm_back_group: \"%s\" not in \"%s\": %s\n", - op_ndn, gr_ndn, groupattrName ); + op_ndn, gr_ndn, group_at_name ); goto return_results; } #endif Debug( LDAP_DEBUG_ACL, "<= ldbm_back_group: \"%s\" is in \"%s\": %s\n", - op_ndn, gr_ndn, groupattrName ); + op_ndn, gr_ndn, group_at_name ); rc = 0; diff --git a/servers/slapd/back-ldbm/modify.c b/servers/slapd/back-ldbm/modify.c index 6c2ac4cd2f..892507489d 100644 --- a/servers/slapd/back-ldbm/modify.c +++ b/servers/slapd/back-ldbm/modify.c @@ -123,13 +123,13 @@ int ldbm_modify_internal( switch ( mod->sm_op ) { case LDAP_MOD_REPLACE: { /* Need to remove all values from indexes */ +#ifdef SLAPD_SCHEMA_NOT_COMPAT + /* not yet implemented */ +#else Attribute *a = save_attrs ? attr_find( save_attrs, mod->sm_desc ) : NULL; -#ifdef SLAPD_SCHEMA_NOT_COMPAT - /* not yet implemented */ -#else if( a != NULL ) { (void) index_change_values( be, mod->mod_type, @@ -177,13 +177,13 @@ int ldbm_modify_internal( case LDAP_MOD_DELETE: { /* Need to add all remaining values */ +#ifdef SLAPD_SCHEMA_NOT_COMPAT + /* not yet implemented */ +#else Attribute *a = e->e_attrs ? attr_find( e->e_attrs, mod->sm_desc ) : NULL; -#ifdef SLAPD_SCHEMA_NOT_COMPAT - /* not yet implemented */ -#else if( a != NULL ) { (void) index_change_values( be, mod->mod_type, @@ -313,14 +313,14 @@ add_values( if ( a != NULL ) { for ( i = 0; mod->sm_bvalues[i] != NULL; i++ ) { #ifdef SLAPD_SCHEMA_NOT_COMPAT - /* not yet implemented */ + if ( value_find( desc, a->a_vals, mod->sm_bvalues[i] ) == 0 ) #else if ( value_find( a->a_vals, mod->sm_bvalues[i], a->a_syntax, 3 ) == 0 ) +#endif { return( LDAP_TYPE_OR_VALUE_EXISTS ); } -#endif } } @@ -339,33 +339,45 @@ delete_values( char *dn ) { -#ifdef SLAPD_SCHEMA_NOT_COMPAT - /* not yet implemented */ -#else int i, j, k, found; Attribute *a; +#ifdef SLAPD_SCHEMA_NOT_COMPAT + char *desc = mod->sm_desc->ad_cname->bv_val; +#else + char *desc = mod->mod_type; +#endif /* delete the entire attribute */ - if ( mod->mod_bvalues == NULL ) { + if ( mod->sm_bvalues == NULL ) { Debug( LDAP_DEBUG_ARGS, "removing entire attribute %s\n", - mod->mod_type, 0, 0 ); - return( attr_delete( &e->e_attrs, mod->mod_type ) ? + desc, 0, 0 ); + return( attr_delete( &e->e_attrs, mod->sm_desc ) ? LDAP_NO_SUCH_ATTRIBUTE : LDAP_SUCCESS ); } /* delete specific values - find the attribute first */ - if ( (a = attr_find( e->e_attrs, mod->mod_type )) == NULL ) { + if ( (a = attr_find( e->e_attrs, mod->sm_desc )) == NULL ) { Debug( LDAP_DEBUG_ARGS, "could not find attribute %s\n", - mod->mod_type, 0, 0 ); + desc, 0, 0 ); return( LDAP_NO_SUCH_ATTRIBUTE ); } /* find each value to delete */ - for ( i = 0; mod->mod_bvalues[i] != NULL; i++ ) { + for ( i = 0; mod->sm_bvalues[i] != NULL; i++ ) { found = 0; for ( j = 0; a->a_vals[j] != NULL; j++ ) { +#ifdef SLAPD_SCHEMA_NOT_COMPAT + int match; + const char *text; + int rc = value_match( &match, mod->sm_desc, NULL, + mod->sm_bvalues[i], a->a_vals[j], &text ); + + if( rc == LDAP_SUCCESS && match == 0 ) +#else if ( value_cmp( mod->mod_bvalues[i], a->a_vals[j], - a->a_syntax, 3 ) != 0 ) { + a->a_syntax, 3 ) != 0 ) +#endif + { continue; } found = 1; @@ -381,8 +393,8 @@ delete_values( if ( a->a_vals[0] == NULL) { Debug( LDAP_DEBUG_ARGS, "removing entire attribute %s\n", - mod->mod_type, 0, 0 ); - if ( attr_delete( &e->e_attrs, mod->mod_type ) ) { + desc, 0, 0 ); + if ( attr_delete( &e->e_attrs, mod->sm_desc ) ) { return LDAP_NO_SUCH_ATTRIBUTE; } } @@ -394,11 +406,10 @@ delete_values( if ( ! found ) { Debug( LDAP_DEBUG_ARGS, "could not find value for attr %s\n", - mod->mod_type, 0, 0 ); + desc, 0, 0 ); return LDAP_NO_SUCH_ATTRIBUTE; } } -#endif return( LDAP_SUCCESS ); } diff --git a/servers/slapd/back-ldbm/modrdn.c b/servers/slapd/back-ldbm/modrdn.c index 839a396157..83474d7787 100644 --- a/servers/slapd/back-ldbm/modrdn.c +++ b/servers/slapd/back-ldbm/modrdn.c @@ -320,34 +320,28 @@ ldbm_back_modrdn( /* Retrieve the old rdn from the entry's dn */ if ( (old_rdn = dn_rdn( be, dn )) == NULL ) { - Debug( LDAP_DEBUG_TRACE, "ldbm_back_modrdn: can't figure out old_rdn from dn\n", 0, 0, 0 ); send_ldap_result( conn, op, LDAP_OTHER, NULL, "could not parse old DN", NULL, NULL ); goto return_results; - } if ( (old_rdn_type = rdn_attr_type( old_rdn )) == NULL ) { - Debug( LDAP_DEBUG_TRACE, "ldbm_back_modrdn: can't figure out the old_rdn type\n", 0, 0, 0 ); send_ldap_result( conn, op, LDAP_OTHER, NULL, "count parse RDN from old DN", NULL, NULL ); goto return_results; - } if ( strcasecmp( old_rdn_type, new_rdn_type ) != 0 ) { - /* Not a big deal but we may say something */ Debug( LDAP_DEBUG_TRACE, "ldbm_back_modrdn: old_rdn_type=%s, new_rdn_type=%s!\n", old_rdn_type, new_rdn_type, 0 ); - } Debug( LDAP_DEBUG_TRACE, "ldbm_back_modrdn: DN_X500\n", @@ -363,13 +357,28 @@ ldbm_back_modrdn( add_bv.bv_len = strlen(new_rdn_val); #ifdef SLAPD_SCHEMA_NOT_COMPAT - /* not yet implemented */ + { + int rc; + const char *text; + + mod[0].sml_desc = NULL; + rc = slap_str2ad( new_rdn_type, &mod[0].sml_desc, &text ); + + if( rc != LDAP_SUCCESS ) { + Debug( LDAP_DEBUG_TRACE, + "ldbm_back_modrdn: %s: %s (new)\n", + text, new_rdn_type, 0 ); + send_ldap_result( conn, op, rc, + NULL, text, NULL, NULL ); + goto return_results; + } + } #else - mod[0].ml_type = new_rdn_type; - mod[0].ml_bvalues = add_bvals; - mod[0].ml_op = SLAP_MOD_SOFTADD; - mod[0].ml_next = NULL; + mod[0].sml_type = new_rdn_type; #endif + mod[0].sml_bvalues = add_bvals; + mod[0].sml_op = SLAP_MOD_SOFTADD; + mod[0].sml_next = NULL; /* Remove old rdn value if required */ @@ -383,7 +392,7 @@ ldbm_back_modrdn( "ldbm_back_modrdn: can't figure out old_rdn_val from old_rdn\n", 0, 0, 0 ); send_ldap_result( conn, op, LDAP_OTHER, - NULL, "cound not parse value from old RDN", NULL, NULL ); + NULL, "could not parse value from old RDN", NULL, NULL ); goto return_results; } @@ -396,17 +405,29 @@ ldbm_back_modrdn( del_bv.bv_len = strlen(old_rdn_val); #ifdef SLAPD_SCHEMA_NOT_COMPAT - /* not yet implemented */ + { + int rc; + const char *text; + + mod[1].sml_desc = NULL; + rc = slap_str2ad( old_rdn_type, &mod[0].sml_desc, &text ); + + if( rc != LDAP_SUCCESS ) { + Debug( LDAP_DEBUG_TRACE, + "ldbm_back_modrdn: %s: %s (old)\n", + text, old_rdn_type, 0 ); + send_ldap_result( conn, op, rc, + NULL, text, NULL, NULL ); + goto return_results; + } + } #else - /* No need to normalize old_rdn_type, delete_values() - * does that for us - */ - mod[0].ml_next = &mod[1]; - mod[1].ml_type = old_rdn_type; - mod[1].ml_bvalues = del_bvals; - mod[1].ml_op = LDAP_MOD_DELETE; - mod[1].ml_next = NULL; + mod[1].sml_type = old_rdn_type; #endif + mod[0].sml_next = &mod[1]; + mod[1].sml_bvalues = del_bvals; + mod[1].sml_op = LDAP_MOD_DELETE; + mod[1].sml_next = NULL; Debug( LDAP_DEBUG_TRACE, "ldbm_back_modrdn: removing old_rdn_val=%s\n", diff --git a/servers/slapd/backend.c b/servers/slapd/backend.c index 1baf074841..e9f4c0e4de 100644 --- a/servers/slapd/backend.c +++ b/servers/slapd/backend.c @@ -635,19 +635,20 @@ backend_group( Entry *target, const char *gr_ndn, const char *op_ndn, - const char *objectclassValue, #ifdef SLAPD_SCHEMA_NOT_COMPAT + ObjectClass *group_oc, AttributeDescription *group_at #else + const char *group_oc, const char *group_at #endif ) { if (be->be_group) return( be->be_group(be, target, gr_ndn, op_ndn, - objectclassValue, group_at) ); + group_oc, group_at) ); else - return(1); + return LDAP_UNWILLING_TO_PERFORM; } #ifdef SLAPD_SCHEMA_DN diff --git a/servers/slapd/modify.c b/servers/slapd/modify.c index 394956569d..58e5ba7daa 100644 --- a/servers/slapd/modify.c +++ b/servers/slapd/modify.c @@ -453,7 +453,7 @@ int slap_mods_opattrs( mod = (Modifications *) ch_calloc( 1, sizeof( Modifications ) ); mod->sml_op = mop; - mod->sml_desc = slap_schema.si_ad_modifiersName; + mod->sml_desc = ad_dup( slap_schema.si_ad_modifiersName ); mod->sml_bvalues = (struct berval **) malloc( 2 * sizeof( struct berval * ) ); mod->sml_bvalues[0] = ber_bvdup( &name ); mod->sml_bvalues[1] = NULL; @@ -462,7 +462,7 @@ int slap_mods_opattrs( mod = (Modifications *) ch_calloc( 1, sizeof( Modifications ) ); mod->sml_op = mop; - mod->sml_desc = slap_schema.si_ad_modifyTimestamp; + mod->sml_desc = ad_dup( slap_schema.si_ad_modifyTimestamp ); mod->sml_bvalues = (struct berval **) malloc( 2 * sizeof( struct berval * ) ); mod->sml_bvalues[0] = ber_bvdup( ×tamp ); mod->sml_bvalues[1] = NULL; diff --git a/servers/slapd/oc.c b/servers/slapd/oc.c index 6fa5dcfa0a..1361706687 100644 --- a/servers/slapd/oc.c +++ b/servers/slapd/oc.c @@ -16,6 +16,29 @@ #include "slap.h" #include "ldap_pvt.h" +int is_object_subclass( + ObjectClass *sub, + ObjectClass *sup ) +{ + int i; + + if( sup == sub ) { + return 1; + } + + if( sup->soc_sups == NULL ) { + return 0; + } + + for( i=0; sup->soc_sups[i] != NULL; i++ ) { + if( is_object_subclass( sup->soc_sups[i], sup ) ) { + return 1; + } + } + + return 0; +} + int is_entry_objectclass( Entry* e, #ifdef SLAPD_SCHEMA_NOT_COMPAT diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h index f6f6c76fa6..c1b268ed22 100644 --- a/servers/slapd/proto-slap.h +++ b/servers/slapd/proto-slap.h @@ -197,16 +197,16 @@ LIBSLAPD_F (int) backend_group LDAP_P((Backend *be, Entry *target, const char *gr_ndn, const char *op_ndn, - const char *objectclassValue, - AttributeDescription *groupAttrType + ObjectClass *group_oc, + AttributeDescription *group_at )); #else LIBSLAPD_F (int) backend_group LDAP_P((Backend *be, Entry *target, const char *gr_ndn, const char *op_ndn, - const char *objectclassValue, - const char *groupattrName + const char *group_oc, + const char *group_at )); #endif @@ -568,8 +568,17 @@ LIBSLAPD_F (int) oc_check_op_attr LDAP_P(( const char *type )); LIBSLAPD_F (int) oc_check_op_usermod_attr LDAP_P(( const char *type )); LIBSLAPD_F (int) oc_check_op_no_usermod_attr LDAP_P(( const char *type )); #endif -LIBSLAPD_F (ObjectClass *) oc_find LDAP_P((const char *ocname)); -LIBSLAPD_F (int) oc_add LDAP_P((LDAP_OBJECT_CLASS *oc, const char **err)); +LIBSLAPD_F (ObjectClass *) oc_find LDAP_P(( + const char *ocname)); + +LIBSLAPD_F (int) oc_add LDAP_P(( + LDAP_OBJECT_CLASS *oc, + const char **err)); + +LIBSLAPD_F (int) is_object_subclass LDAP_P(( + ObjectClass *sub, + ObjectClass *sup )); + LIBSLAPD_F (Syntax *) syn_find LDAP_P((const char *synname)); LIBSLAPD_F (Syntax *) syn_find_desc LDAP_P((const char *syndesc, int *slen)); @@ -637,6 +646,11 @@ LIBSLAPD_F (int) is_entry_objectclass LDAP_P(( /* * schema_check.c */ +#ifdef SLAPD_SCHEMA_NOT_COMPAT +int oc_check_allowed( + AttributeType *type, + struct berval **oclist ); +#endif LIBSLAPD_F (int) entry_schema_check LDAP_P(( Entry *e, Attribute *attrs, const char** text )); @@ -707,10 +721,8 @@ LIBSLAPD_F (int) value_match LDAP_P(( const char ** text )); LIBSLAPD_F (int) value_find LDAP_P(( AttributeDescription *ad, - MatchingRule *mr, struct berval **values, - struct berval *value, - const char ** text )); + struct berval *value )); #else LIBSLAPD_F (int) value_add_fast LDAP_P(( struct berval ***vals, struct berval **addvals, int nvals, int naddvals, int *maxvals )); LIBSLAPD_F (void) value_normalize LDAP_P(( char *s, int syntax )); diff --git a/servers/slapd/schema_check.c b/servers/slapd/schema_check.c index 5ada57b7bc..4f76da0e36 100644 --- a/servers/slapd/schema_check.c +++ b/servers/slapd/schema_check.c @@ -16,11 +16,7 @@ #include "slap.h" #include "ldap_pvt.h" -#ifdef SLAPD_SCHEMA_NOT_COMPAT -static int oc_check_allowed( - AttributeType *type, - struct berval **oclist ); -#else +#ifndef SLAPD_SCHEMA_NOT_COMPAT static int oc_check_allowed(char *type, struct berval **oclist); #endif static char * oc_check_required(Entry *e, struct berval *ocname); @@ -181,8 +177,10 @@ oc_check_required( Entry *e, struct berval *ocname ) return( NULL ); } -static int -oc_check_allowed( +#ifndef SLAPD_SCHEMA_NOT_COMPAT +static +#endif +int oc_check_allowed( #ifdef SLAPD_SCHEMA_NOT_COMPAT AttributeType *at, #else diff --git a/servers/slapd/schema_prep.c b/servers/slapd/schema_prep.c index 051c98d583..c40a086e18 100644 --- a/servers/slapd/schema_prep.c +++ b/servers/slapd/schema_prep.c @@ -47,9 +47,7 @@ struct slap_schema_oc_map { { "LDAProotDSE", offsetof(struct slap_internal_schema, si_oc_rootdse) }, { "LDAPsubentry", offsetof(struct slap_internal_schema, si_oc_subentry) }, { "subschema", offsetof(struct slap_internal_schema, si_oc_subschema) }, -#ifdef SLAPD_ACI_ENABLED { "groupOfNames", offsetof(struct slap_internal_schema, si_oc_groupOfNames) }, -#endif { NULL, 0 } }; diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h index a88d38448a..70f60ecef0 100644 --- a/servers/slapd/slap.h +++ b/servers/slapd/slap.h @@ -336,9 +336,7 @@ struct slap_internal_schema { ObjectClass *si_oc_subentry; ObjectClass *si_oc_subschema; ObjectClass *si_oc_rootdse; -#ifdef SLAPD_ACI_ENABLED ObjectClass *si_oc_groupOfNames; -#endif /* objectClass attribute */ AttributeDescription *si_ad_objectClass; @@ -734,10 +732,11 @@ typedef struct slap_access { /* ACL Groups */ char *a_group_pat; - char *a_group_oc; #ifdef SLAPD_SCHEMA_NOT_COMPAT + ObjectClass *a_group_oc; AttributeDescription *a_group_at; #else + char *a_group_oc; char *a_group_at; #endif @@ -989,12 +988,12 @@ struct slap_backend_info { #ifdef SLAPD_SCHEMA_NOT_COMPAT int (*bi_acl_group) LDAP_P((Backend *bd, Entry *e, const char *bdn, const char *edn, - const char *objectclassValue, + ObjectClass *group_oc, AttributeDescription *group_at )); #else int (*bi_acl_group) LDAP_P((Backend *bd, Entry *e, const char *bdn, const char *edn, - const char *objectclassValue, + const char *group_oc, const char *group_at )); #endif diff --git a/servers/slapd/slapd.conf b/servers/slapd/slapd.conf index ea9b076b41..a2cc809599 100644 --- a/servers/slapd/slapd.conf +++ b/servers/slapd/slapd.conf @@ -39,4 +39,6 @@ rootdn "cn=Manager, dc=my-domain, dc=com" # cleartext passwords, especially for the rootdn, should # be avoid. See slapd.conf(5) for details. rootpw secret +# this directory MUST exist and be writable by the slapd/tools +# process before running slapd and/or tools. directory %LOCALSTATEDIR%/openldap-ldbm diff --git a/servers/slapd/value.c b/servers/slapd/value.c index 05af2ff085..3cc7ba54a3 100644 --- a/servers/slapd/value.c +++ b/servers/slapd/value.c @@ -274,10 +274,8 @@ value_cmp( #ifdef SLAPD_SCHEMA_NOT_COMPAT int value_find( AttributeDescription *ad, - MatchingRule *mr, struct berval **vals, - struct berval *val, - const char ** text ) + struct berval *val ) #else int value_find( @@ -288,12 +286,20 @@ value_find( #endif { int i; +#ifdef SLAPD_SCHEMA_NOT_COMPAT + MatchingRule *mr = ad->ad_type->sat_equality; + + if( mr == NULL ) { + return LDAP_INAPPROPRIATE_MATCHING; + } +#endif for ( i = 0; vals[i] != NULL; i++ ) { #ifdef SLAPD_SCHEMA_NOT_COMPAT int rc; int match; - rc = value_match( &match, ad, mr, vals[i], val, text ); + const char *text; + rc = value_match( &match, ad, mr, vals[i], val, &text ); if( rc == LDAP_SUCCESS && match == 0 ) #else -- 2.39.5