From 82d7e9d8ab221a99bb91fecd1cf802b221b80210 Mon Sep 17 00:00:00 2001 From: Howard Chu Date: Thu, 23 May 2013 10:17:15 -0700 Subject: [PATCH] ITS#7581 fix back-meta config checks Allow base entry to be added online with targets added later. Add SLAP_SERVER_RUNNING flag to note that main slap_startup has already occurred. --- servers/slapd/back-meta/back-meta.h | 5 + servers/slapd/back-meta/config.c | 10 ++ servers/slapd/back-meta/init.c | 186 +++++++++++++++------------- servers/slapd/init.c | 7 +- servers/slapd/slap.h | 2 + 5 files changed, 119 insertions(+), 91 deletions(-) diff --git a/servers/slapd/back-meta/back-meta.h b/servers/slapd/back-meta/back-meta.h index d116c2e95f..90104d82f5 100644 --- a/servers/slapd/back-meta/back-meta.h +++ b/servers/slapd/back-meta/back-meta.h @@ -681,6 +681,11 @@ meta_back_map_free( struct ldapmap *lm ); extern int meta_subtree_destroy( metasubtree_t *ms ); +extern int +meta_target_finish( metainfo_t *mi, metatarget_t *mt, + const char *log, char *msg, size_t msize +); + extern LDAP_REBIND_PROC meta_back_default_rebind; extern LDAP_URLLIST_PROC meta_back_default_urllist; diff --git a/servers/slapd/back-meta/config.c b/servers/slapd/back-meta/config.c index 06027a5adb..81e6c355ea 100644 --- a/servers/slapd/back-meta/config.c +++ b/servers/slapd/back-meta/config.c @@ -1089,6 +1089,15 @@ static slap_cf_aux_table timeout_table[] = { { BER_BVNULL, 0, 0, 0, NULL } }; +static int +meta_cf_cleanup( ConfigArgs *c ) +{ + metainfo_t *mi = ( metainfo_t * )c->be->be_private; + metatarget_t *mt = c->ca_private; + + return meta_target_finish( mi, mt, c->log, c->cr_msg, sizeof( c->cr_msg )); +} + static int meta_back_cf_gen( ConfigArgs *c ) { @@ -2061,6 +2070,7 @@ meta_back_cf_gen( ConfigArgs *c ) return 1; } c->ca_private = mt; + c->cleanup = meta_cf_cleanup; } break; case LDAP_BACK_CFG_SUBTREE_EX: case LDAP_BACK_CFG_SUBTREE_IN: diff --git a/servers/slapd/back-meta/init.c b/servers/slapd/back-meta/init.c index 3038b8191e..b6daaf1740 100644 
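Review bot: `c->cleanup = meta_cf_cleanup;` is installed only in the branch that creates a target, so the idassert consistency check inside meta_target_finish (authz="*" together with the non-prescriptive flag) appears to run only when a target is first added. The cases of meta_back_cf_gen that change idassert settings are outside this hunk, so this is inferred: if they do not set the hook as well, an online modify of an existing target can reach the combination that startup rejects, and the proxyauthz bits in mi_flags stay as they were computed for the old settings. Consider setting the same cleanup in those cases, or stating the limit above meta_cf_cleanup, e.g. `/* runs once per newly added target; later idassert changes are not re-validated here */`.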
--- a/servers/slapd/back-meta/init.c +++ b/servers/slapd/back-meta/init.c @@ -113,7 +113,10 @@ meta_back_db_init( /* set default flags */ mi->mi_flags = - META_BACK_F_DEFER_ROOTDN_BIND; + META_BACK_F_DEFER_ROOTDN_BIND + | META_BACK_F_PROXYAUTHZ_ALWAYS + | META_BACK_F_PROXYAUTHZ_ANON + | META_BACK_F_PROXYAUTHZ_NOANON; /* * At present the default is no default target; 
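Review bot: The three PROXYAUTHZ bits now start set in meta_back_db_init and are only ever cleared, one target at a time, by meta_target_finish, so a database opened with no targets keeps ALWAYS, ANON and NOANON all set at once. The removed computation in meta_back_db_open set NOANON only in the `else if` of ANON, so that combination could not occur before; whether the readers of mi_flags handle it is not visible in this patch and should be checked. A bit cleared for a target is also never restored if that target is later rejected or removed. A comment here would make the invariant explicit, e.g. `/* PROXYAUTHZ_* start set; meta_target_finish() clears them per target and nothing sets them again */`. meta_back_db_init continues outside the hunk.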
@@ -147,20 +150,106 @@ meta_back_db_init( return 0; } +int +meta_target_finish( + metainfo_t *mi, + metatarget_t *mt, + const char *log, + char *msg, + size_t msize +) +{ + slap_bindconf sb = { BER_BVNULL }; + struct berval mapped; + int rc; + + ber_str2bv( mt->mt_uri, 0, 0, &sb.sb_uri ); + sb.sb_version = mt->mt_version; + sb.sb_method = LDAP_AUTH_SIMPLE; + BER_BVSTR( &sb.sb_binddn, "" ); + + if ( META_BACK_TGT_T_F_DISCOVER( mt ) ) { + rc = slap_discover_feature( &sb, + slap_schema.si_ad_supportedFeatures->ad_cname.bv_val, + LDAP_FEATURE_ABSOLUTE_FILTERS ); + if ( rc == LDAP_COMPARE_TRUE ) { + mt->mt_flags |= LDAP_BACK_F_T_F; + } + } + + if ( META_BACK_TGT_CANCEL_DISCOVER( mt ) ) { + rc = slap_discover_feature( &sb, + slap_schema.si_ad_supportedExtension->ad_cname.bv_val, + LDAP_EXOP_CANCEL ); + if ( rc == LDAP_COMPARE_TRUE ) { + mt->mt_flags |= LDAP_BACK_F_CANCEL_EXOP; + } + } + + if ( !( mt->mt_idassert_flags & LDAP_BACK_AUTH_OVERRIDE ) + || mt->mt_idassert_authz != NULL ) + { + mi->mi_flags &= ~META_BACK_F_PROXYAUTHZ_ALWAYS; + } + + if ( ( mt->mt_idassert_flags & LDAP_BACK_AUTH_AUTHZ_ALL ) + && !( mt->mt_idassert_flags & LDAP_BACK_AUTH_PRESCRIPTIVE ) ) + { + snprintf( msg, msize, + "%s: inconsistent idassert configuration " + "(likely authz=\"*\" used with \"non-prescriptive\" flag)", + log ); + Debug( LDAP_DEBUG_ANY, "%s (target %s)\n", + msg, mt->mt_uri, 0 ); + return 1; + } + + if ( !( mt->mt_idassert_flags & LDAP_BACK_AUTH_AUTHZ_ALL ) ) + { + mi->mi_flags &= ~META_BACK_F_PROXYAUTHZ_ANON; + } + + if ( ( mt->mt_idassert_flags & LDAP_BACK_AUTH_PRESCRIPTIVE ) ) + { + mi->mi_flags &= ~META_BACK_F_PROXYAUTHZ_NOANON; + } + + BER_BVZERO( &mapped ); + ldap_back_map( &mt->mt_rwmap.rwm_at, + &slap_schema.si_ad_entryDN->ad_cname, &mapped, + BACKLDAP_REMAP ); + if ( BER_BVISNULL( &mapped ) || mapped.bv_val[0] == '\0' ) { + mt->mt_rep_flags |= REP_NO_ENTRYDN; + } + + BER_BVZERO( &mapped ); + ldap_back_map( &mt->mt_rwmap.rwm_at, + 
&slap_schema.si_ad_subschemaSubentry->ad_cname, &mapped, + BACKLDAP_REMAP ); + if ( BER_BVISNULL( &mapped ) || mapped.bv_val[0] == '\0' ) { + mt->mt_rep_flags |= REP_NO_SUBSCHEMA; + } + + return 0; +} + int meta_back_db_open( Backend *be, ConfigReply *cr ) { metainfo_t *mi = (metainfo_t *)be->be_private; + char msg[SLAP_TEXT_BUFLEN]; - int i, - not_always = 0, - not_always_anon_proxyauthz = 0, - not_always_anon_non_prescriptive = 0, - rc; + int i, rc; if ( mi->mi_ntargets == 0 ) { + /* Dynamically added, nothing to check here until + * some targets get added + */ + if ( slapMode & SLAP_SERVER_RUNNING ) + return 0; + Debug( LDAP_DEBUG_ANY, "meta_back_db_open: no targets defined\n", 0, 0, 0 ); 
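Review bot: In meta_target_finish the inconsistent-idassert test returns 1 only after the two slap_discover_feature calls and after `mi->mi_flags &= ~META_BACK_F_PROXYAUTHZ_ALWAYS;` have run, so a target that is rejected has already triggered any configured feature discovery against mt_uri and may have changed the database-wide flag. Now that this code runs from the online config cleanup as well as from startup, moving the `LDAP_BACK_AUTH_AUTHZ_ALL` / `LDAP_BACK_AUTH_PRESCRIPTIVE` check to the top of the function, before any write to mi or mt, keeps a refused target free of side effects. The new extern function also has no header comment; one stating that it returns 0 on success and 1 with msg filled on an inconsistent configuration, and that it only clears bits in mi->mi_flags, would help callers. The added `if ( slapMode & SLAP_SERVER_RUNNING ) return 0;` in meta_back_db_open would read more safely with braces; that function continues outside the hunk.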
@@ -168,92 +257,11 @@ meta_back_db_open( } for ( i = 0; i < mi->mi_ntargets; i++ ) { - slap_bindconf sb = { BER_BVNULL }; metatarget_t *mt = mi->mi_targets[ i ]; - struct berval mapped; - - ber_str2bv( mt->mt_uri, 0, 0, &sb.sb_uri ); - sb.sb_version = mt->mt_version; - sb.sb_method = LDAP_AUTH_SIMPLE; - BER_BVSTR( &sb.sb_binddn, "" ); - - if ( META_BACK_TGT_T_F_DISCOVER( mt ) ) { - rc = slap_discover_feature( &sb, - slap_schema.si_ad_supportedFeatures->ad_cname.bv_val, - LDAP_FEATURE_ABSOLUTE_FILTERS ); - if ( rc == LDAP_COMPARE_TRUE ) { - mt->mt_flags |= LDAP_BACK_F_T_F; - } - } - - if ( META_BACK_TGT_CANCEL_DISCOVER( mt ) ) { - rc = slap_discover_feature( &sb, - slap_schema.si_ad_supportedExtension->ad_cname.bv_val, - LDAP_EXOP_CANCEL ); - if ( rc == LDAP_COMPARE_TRUE ) { - mt->mt_flags |= LDAP_BACK_F_CANCEL_EXOP; - } - } - - if ( not_always == 0 ) { - if ( !( mt->mt_idassert_flags & LDAP_BACK_AUTH_OVERRIDE ) - || mt->mt_idassert_authz != NULL ) - { - not_always = 1; - } - } - - if ( ( mt->mt_idassert_flags & LDAP_BACK_AUTH_AUTHZ_ALL ) - && !( mt->mt_idassert_flags & LDAP_BACK_AUTH_PRESCRIPTIVE ) ) - { - Debug( LDAP_DEBUG_ANY, "meta_back_db_open(%s): " - "target #%d inconsistent idassert configuration " - "(likely authz=\"*\" used with \"non-prescriptive\" flag)\n", - be->be_suffix[ 0 ].bv_val, i, 0 ); + if ( meta_target_finish( mi, mt, + "meta_back_db_open", msg, sizeof( msg ))) return 1; - } - - if ( not_always_anon_proxyauthz == 0 ) { - if ( !( mt->mt_idassert_flags & LDAP_BACK_AUTH_AUTHZ_ALL ) ) - { - not_always_anon_proxyauthz = 1; - } - } - - if ( not_always_anon_non_prescriptive == 0 ) { - if ( ( mt->mt_idassert_flags & LDAP_BACK_AUTH_PRESCRIPTIVE ) ) - { - not_always_anon_non_prescriptive = 1; - } - } - - BER_BVZERO( &mapped ); - ldap_back_map( &mt->mt_rwmap.rwm_at, - &slap_schema.si_ad_entryDN->ad_cname, &mapped, - BACKLDAP_REMAP ); - if ( BER_BVISNULL( &mapped ) || mapped.bv_val[0] == '\0' ) { - mt->mt_rep_flags |= REP_NO_ENTRYDN; - } - - BER_BVZERO( 
&mapped ); - ldap_back_map( &mt->mt_rwmap.rwm_at, - &slap_schema.si_ad_subschemaSubentry->ad_cname, &mapped, - BACKLDAP_REMAP ); - if ( BER_BVISNULL( &mapped ) || mapped.bv_val[0] == '\0' ) { - mt->mt_rep_flags |= REP_NO_SUBSCHEMA; - } - } - - if ( not_always == 0 ) { - mi->mi_flags |= META_BACK_F_PROXYAUTHZ_ALWAYS; - } - - if ( not_always_anon_proxyauthz == 0 ) { - mi->mi_flags |= META_BACK_F_PROXYAUTHZ_ANON; - - } else if ( not_always_anon_non_prescriptive == 0 ) { - mi->mi_flags |= META_BACK_F_PROXYAUTHZ_NOANON; } return 0; diff --git a/servers/slapd/init.c b/servers/slapd/init.c index 4d2f463605..f134903f35 100644 --- a/servers/slapd/init.c +++ b/servers/slapd/init.c @@ -211,12 +211,15 @@ slap_init( int mode, const char *name ) int slap_startup( Backend *be ) { + int rc; Debug( LDAP_DEBUG_TRACE, "%s startup: initiated.\n", slap_name, 0, 0 ); - - return backend_startup( be ); + rc = backend_startup( be ); + if ( !rc && ( slapMode & SLAP_SERVER_MODE )) + slapMode |= SLAP_SERVER_RUNNING; + return rc; } int slap_shutdown( Backend *be ) diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h index 717d07f005..294ac3dc1e 100644 --- a/servers/slapd/slap.h +++ b/servers/slapd/slap.h @@ -1605,6 +1605,8 @@ LDAP_SLAPD_V (int) slapMode; #define SLAP_TOOL_NO_SCHEMA_CHECK 0x1000 #define SLAP_TOOL_VALUE_CHECK 0x2000 +#define SLAP_SERVER_RUNNING 0x8000 + #define SB_TLS_DEFAULT (-1) #define SB_TLS_OFF 0 #define SB_TLS_ON 1 -- 2.39.5
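Review bot: The message that meta_target_finish writes into the local `msg` buffer is discarded when meta_back_db_open returns 1, although a `ConfigReply *cr` is passed in. The log line from meta_target_finish still names the target URI, but the database suffix and target index that the removed Debug call printed are gone, which makes the failing database harder to identify when several meta databases are configured. Consider passing a log prefix that includes `be->be_suffix[ 0 ].bv_val`, and bracing the new `if ( meta_target_finish( ... )) return 1;`. `rc` also looks unused in the visible part of the function after this change; the lines between the two hunks are not shown.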
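Review bot: SLAP_SERVER_RUNNING is set in slap_startup after the first successful backend_startup and nothing in this patch clears it; slap_shutdown's body is outside the hunk, so whether the bit is reset there cannot be confirmed. Since meta_back_db_open now skips its "no targets defined" check whenever the bit is set, it is worth documenting what it means next to the define in slap.h, e.g. `/* set by slap_startup() once backend_startup() has succeeded in server mode */`. The new `if ( !rc && ( slapMode & SLAP_SERVER_MODE ))` would also be clearer with braces around its one-line body.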