From bdad40c696b78d3ef75c3191bbc219a90ef2a84a Mon Sep 17 00:00:00 2001
From: Kurt Zeilenga
Date: Thu, 30 May 2002 05:23:37 +0000
Subject: [PATCH] Disallow addition of system schema via config files.
---
 servers/slapd/config.c | 1 -
 servers/slapd/oc.c | 32 +++++++++++++++++++-------
 servers/slapd/proto-slap.h | 1 +
 servers/slapd/schema_prep.c | 25 +++++++++++---------
 servers/slapd/schemaparse.c | 3 ++-
 servers/slapd/slap.h | 46 +++++++++++++++++++------------------
 6 files changed, 65 insertions(+), 43 deletions(-)
diff --git a/servers/slapd/config.c b/servers/slapd/config.c
index 23a4599f06..e5dcdbe1c7 100644
--- a/servers/slapd/config.c
+++ b/servers/slapd/config.c
@@ -1651,7 +1651,6 @@ read_config( const char *fname )
 "%s: line %d: old objectclass format not supported.\n",
 fname, lineno, 0 );
 #endif
- }
 /* specify an attribute type */
diff --git a/servers/slapd/oc.c b/servers/slapd/oc.c
index 4e0adde93a..ca7a0d45aa 100644
--- a/servers/slapd/oc.c
+++ b/servers/slapd/oc.c
@@ -163,6 +163,7 @@ static int
 oc_create_required(
 ObjectClass *soc,
 char **attrs,
+ int *op,
 const char **err )
 {
 char **attrs1;
@@ -178,6 +179,9 @@ oc_create_required(
 *err = *attrs1;
 return SLAP_SCHERR_ATTR_NOT_FOUND;
 }
+
+ if( is_at_operational( sat )) (*op)++;
+
 if ( at_find_in_list(sat, soc->soc_required) < 0) {
 if ( at_append_to_list(sat, &soc->soc_required) ) {
 *err = *attrs1;
@@ -201,6 +205,7 @@ static int
 oc_create_allowed(
 ObjectClass *soc,
 char **attrs,
+ int *op,
 const char **err )
 {
 char **attrs1;
@@ -214,6 +219,9 @@ oc_create_allowed(
 *err = *attrs1;
 return SLAP_SCHERR_ATTR_NOT_FOUND;
 }
+
+ if( is_at_operational( sat )) (*op)++;
+
 if ( at_find_in_list(sat, soc->soc_required) < 0 &&
 at_find_in_list(sat, soc->soc_allowed) < 0 ) {
 if ( at_append_to_list(sat, &soc->soc_allowed) ) {
@@ -231,6 +239,7 @@ static int
 oc_add_sups(
 ObjectClass *soc,
 char **sups,
+ int *op,
 const char **err )
 {
 int code;
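Review bot: The new `int *op` out-parameter of oc_create_required is undocumented, and the same holds for oc_create_allowed (hunk @@ -201) and oc_add_sups (hunk @@ -231). The two `(*op)++` sites (hunks @@ -178 and @@ -214) bump a counter that the caller in oc_add only tests for non-zero, so the name alone says little about the contract. A one-line comment at each of the three signatures would settle it: `/* op: incremented once per operational attribute or class encountered; oc_add rejects user-supplied classes when it is non-zero */`. All three function bodies continue outside their hunks.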
@@ -274,16 +283,19 @@ oc_add_sups(
 return SLAP_SCHERR_CLASS_BAD_USAGE;
 }
- if ( add_sups )
+ if( soc->soc_flags & SLAP_OC_OPERATIONAL ) (*op)++;
+
+ if ( add_sups ) {
 soc->soc_sups[nsups] = soc1;
+ }
- code = oc_add_sups( soc, soc1->soc_sup_oids, err );
+ code = oc_add_sups( soc, soc1->soc_sup_oids, op, err );
 if ( code ) return code;
- code = oc_create_required( soc, soc1->soc_at_oids_must, err );
+ code = oc_create_required( soc, soc1->soc_at_oids_must, op, err );
 if ( code ) return code;
- code = oc_create_allowed( soc, soc1->soc_at_oids_may, err );
+ code = oc_create_allowed( soc, soc1->soc_at_oids_may, op, err );
 if ( code ) return code;
 nsups++;
@@ -382,11 +394,13 @@ oc_insert(
 int
 oc_add(
 LDAPObjectClass *oc,
+ int user,
 const char **err )
 {
 ObjectClass *soc;
 int code;
+ int op = 0;
 if ( oc->oc_names != NULL ) {
 int i;
@@ -419,19 +433,21 @@ oc_add(
 {
 /* structural object classes implicitly inherit from 'top' */
 static char *top_oids[] = { SLAPD_TOP_OID, NULL };
- code = oc_add_sups( soc, top_oids, err );
+ code = oc_add_sups( soc, top_oids, &op, err );
 } else {
- code = oc_add_sups( soc, soc->soc_sup_oids, err );
+ code = oc_add_sups( soc, soc->soc_sup_oids, &op, err );
 }
 if ( code != 0 ) return code;
- code = oc_create_required( soc, soc->soc_at_oids_must, err );
+ code = oc_create_required( soc, soc->soc_at_oids_must, &op, err );
 if ( code != 0 ) return code;
- code = oc_create_allowed( soc, soc->soc_at_oids_may, err );
+ code = oc_create_allowed( soc, soc->soc_at_oids_may, &op, err );
 if ( code != 0 ) return code;
+ if( user && op ) return SLAP_SCHERR_CLASS_OPERATIONAL;
+
 code = oc_insert(soc,err);
 return code;
 }
diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h
index 7b2a65a980..ec841a6df9 100644
--- a/servers/slapd/proto-slap.h
+++ b/servers/slapd/proto-slap.h
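Review bot: The operational test added in oc_add_sups reads `soc->soc_flags`, the flags of the class being defined, while the superior this iteration resolved is `soc1` — the object stored into `soc->soc_sups[nsups]` two lines below and recursed into through `soc1->soc_sup_oids`. Because `soc` is passed through unchanged on every recursive call, the check never looks at a superior at all, so a config-file class naming `subentry` or `alias` as its SUP would not trip the new rejection in oc_add; presumably `if( soc1->soc_flags & SLAP_OC_OPERATIONAL ) (*op)++;` was intended. Whether `soc->soc_flags` can even carry SLAP_OC_OPERATIONAL at this point depends on where slap_schema_load applies the map flags, which is outside this hunk. oc_add_sups begins before the hunk.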
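Review bot: The new early return `if( user && op ) return SLAP_SCHERR_CLASS_OPERATIONAL;` in oc_add leaves `*err` untouched, unlike the other error returns in this function, whose callees store the offending name first. parse_oc (schemaparse.c hunk @@ -118) prints `err` whenever `code` is non-zero, so unless it initialises `err` before the call — its declaration is outside that hunk — the message is built from an indeterminate pointer. Suggest `if( user && op ) { *err = oc->oc_oid; return SLAP_SCHERR_CLASS_OPERATIONAL; }`. If `soc` is heap-allocated between the two oc_add hunks, it and the lists the helpers appended to it are not released on this path either, but that matches the existing `code != 0` returns and is not something this commit changes.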
@@ -626,6 +626,7 @@ LDAP_SLAPD_F (void) mra_free LDAP_P((
 /* oc.c */
 LDAP_SLAPD_F (int) oc_add LDAP_P((
 LDAPObjectClass *oc,
+ int user,
 const char **err));
 LDAP_SLAPD_F (void) oc_destroy LDAP_P(( void ));
diff --git a/servers/slapd/schema_prep.c b/servers/slapd/schema_prep.c
index 6d85cc83bc..73c36a7170 100644
--- a/servers/slapd/schema_prep.c
+++ b/servers/slapd/schema_prep.c
@@ -162,28 +162,29 @@ static struct slap_schema_oc_map {
 "NAME 'extensibleObject' "
 "DESC 'RFC2252: extensible object' "
 "SUP top AUXILIARY )",
- 0, 0, offsetof(struct slap_internal_schema, si_oc_extensibleObject) },
+ 0, SLAP_OC_OPERATIONAL,
+ offsetof(struct slap_internal_schema, si_oc_extensibleObject) },
 { "alias", "( 2.5.6.1 NAME 'alias' "
 "DESC 'RFC2256: an alias' "
 "SUP top STRUCTURAL "
 "MUST aliasedObjectName )",
- aliasObjectClass, SLAP_OC_ALIAS,
+ aliasObjectClass, SLAP_OC_ALIAS|SLAP_OC_OPERATIONAL,
 offsetof(struct slap_internal_schema, si_oc_alias) },
 { "referral", "( 2.16.840.1.113730.3.2.6 NAME 'referral' "
 "DESC 'namedref: named subordinate referral' "
 "SUP top STRUCTURAL MUST ref )",
- referralObjectClass, SLAP_OC_REFERRAL,
+ referralObjectClass, SLAP_OC_REFERRAL|SLAP_OC_OPERATIONAL,
 offsetof(struct slap_internal_schema, si_oc_referral) },
 { "LDAProotDSE", "( 1.3.6.1.4.1.4203.1.4.1 "
 "NAME ( 'OpenLDAProotDSE' 'LDAProotDSE' ) "
 "DESC 'OpenLDAP Root DSE object' "
 "SUP top STRUCTURAL MAY cn )",
- rootDseObjectClass, 0,
+ rootDseObjectClass, SLAP_OC_OPERATIONAL,
 offsetof(struct slap_internal_schema, si_oc_rootdse) },
 { "subentry", "( 2.5.20.0 NAME 'subentry' "
 "SUP top STRUCTURAL "
 "MUST ( cn $ subtreeSpecification ) )",
- subentryObjectClass, SLAP_OC_SUBENTRY,
+ subentryObjectClass, SLAP_OC_SUBENTRY|SLAP_OC_OPERATIONAL,
 offsetof(struct slap_internal_schema, si_oc_subentry) },
 { "subschema", "( 2.5.20.1 NAME 'subschema' "
 "DESC 'RFC2252: controlling subschema (sub)entry' "
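Review bot: The oc_add prototype gains `int user` with no indication of what a caller should pass; the two call sites in this commit pass the literals 0 (schema_prep.c) and 1 (schemaparse.c), which a reader of the header cannot interpret. A comment on the declaration would fix that: `/* user: non-zero when the class comes from a config file; such classes are refused if they reference operational schema */`. Given how the flag is used, a named constant for the two values would read better than a bare int, though that is a matter of style.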
@@ -191,17 +192,19 @@ static struct slap_schema_oc_map {
 "MAY ( dITStructureRules $ nameForms $ ditContentRules $ "
 "objectClasses $ attributeTypes $ matchingRules $ "
 "matchingRuleUse ) )",
- subentryObjectClass, 0,
+ subentryObjectClass, SLAP_OC_OPERATIONAL,
 offsetof(struct slap_internal_schema, si_oc_subschema) },
 { "monitor", "( 1.3.6.1.4.1.4203.666.3.2 NAME 'monitor' "
 "DESC 'OpenLDAP system monitoring' "
 "STRUCTURAL "
 "MUST cn )",
- 0, 0, offsetof(struct slap_internal_schema, si_oc_monitor) },
+ 0, SLAP_OC_OPERATIONAL,
+ offsetof(struct slap_internal_schema, si_oc_monitor) },
 { "collectiveAttributeSubentry", "( 2.5.20.2 "
 "NAME 'collectiveAttributeSubentry' "
 "AUXILIARY )",
- subentryObjectClass, SLAP_OC_COLLECTIVEATTRIBUTESUBENTRY|SLAP_OC_HIDE,
+ subentryObjectClass,
+ SLAP_OC_COLLECTIVEATTRIBUTESUBENTRY|SLAP_OC_OPERATIONAL|SLAP_OC_HIDE,
 offsetof(struct slap_internal_schema, si_oc_collectiveAttributeSubentry) },
 { "dynamicObject", "( 1.3.6.1.4.1.1466.101.119.2 "
 "NAME 'dynamicObject' "
@@ -307,14 +310,14 @@ static struct slap_schema_ad_map {
 "EQUALITY octetStringMatch "
 "SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{64} "
 "SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )",
- NULL, 0, NULL, NULL, NULL,
+ NULL, SLAP_AT_HIDE, NULL, NULL, NULL,
 offsetof(struct slap_internal_schema, si_ad_entryUUID) },
 { "entryCSN", "( 1.3.6.1.4.1.4203.666.1.7 NAME 'entryCSN' "
 "DESC 'LCUP/LDUP: change sequence number' "
 "EQUALITY octetStringMatch "
 "SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{64} "
 "SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )",
- NULL, 0, NULL, NULL, NULL,
+ NULL, SLAP_AT_HIDE, NULL, NULL, NULL,
 offsetof(struct slap_internal_schema, si_ad_entryCSN) },
 /* root DSE attributes */
@@ -715,7 +718,7 @@ slap_schema_load( void )
 return LDAP_OTHER;
 }
- code = oc_add(oc,&err);
+ code = oc_add(oc,0,&err);
 if ( code ) {
 fprintf( stderr, "slap_schema_load: "
 "%s: %s: \"%s\"\n",
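Review bot: The `SLAP_AT_HIDE` added to the entryUUID and entryCSN map entries in hunk @@ -307 is not covered by the commit title, which speaks only of refusing system schema from config files; hiding two attribute types is a separate, user-visible change (presumably in what the server advertises) and deserves its own sentence in the message or its own commit. If it does belong here, a one-line comment on the two entries stating why they are hidden would keep the next reader from reverting it as accidental. The object-class flag changes in this hunk and in @@ -162 are consistent with the title and need no more than that.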
diff --git a/servers/slapd/schemaparse.c b/servers/slapd/schemaparse.c
index 171bd3473e..bc9dbd7dd9 100644
--- a/servers/slapd/schemaparse.c
+++ b/servers/slapd/schemaparse.c
@@ -26,6 +26,7 @@ static char *const err2text[SLAP_SCHERR_LAST+1] = {
 "Out of memory",
 "ObjectClass not found",
 "ObjectClass inappropriate SUPerior",
+ "ObjectClass operational",
 "AttributeType not found",
 "AttributeType inappropriate USAGE",
 "Duplicate objectClass",
@@ -118,7 +119,7 @@ parse_oc(
 return 1;
 }
- code = oc_add(oc,&err);
+ code = oc_add(oc,1,&err);
 if ( code ) {
 fprintf( stderr, "%s: line %d: %s: \"%s\"\n",
 fname, lineno, scherr2str(code), err);
diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h
index 9f7a91ffd7..a8efb056e8 100644
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
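Review bot: `err2text` is indexed by the SLAP_SCHERR_* value, so the inserted `"ObjectClass operational"` string only lines up because slap.h renumbers every code after SLAP_SCHERR_CLASS_BAD_USAGE in the same commit; nothing in this file ties the two together, and the explicit size `SLAP_SCHERR_LAST+1` rejects a surplus entry but not a missing or misplaced one. A comment on the table, `/* order must match the SLAP_SCHERR_* values in slap.h */`, would at least warn the next person who adds a code. The message is also terser than its neighbours; `"ObjectClass is operational"` reads more like the others.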
@@ -221,20 +221,21 @@ typedef struct slap_ssf_set {
 #define SLAP_SCHERR_OUTOFMEM 1
 #define SLAP_SCHERR_CLASS_NOT_FOUND 2
 #define SLAP_SCHERR_CLASS_BAD_USAGE 3
-#define SLAP_SCHERR_ATTR_NOT_FOUND 4
-#define SLAP_SCHERR_ATTR_BAD_USAGE 5
-#define SLAP_SCHERR_DUP_CLASS 6
-#define SLAP_SCHERR_DUP_ATTR 7
-#define SLAP_SCHERR_DUP_SYNTAX 8
-#define SLAP_SCHERR_DUP_RULE 9
-#define SLAP_SCHERR_NO_NAME 10
-#define SLAP_SCHERR_ATTR_INCOMPLETE 11
-#define SLAP_SCHERR_MR_NOT_FOUND 12
-#define SLAP_SCHERR_SYN_NOT_FOUND 13
-#define SLAP_SCHERR_MR_INCOMPLETE 14
-#define SLAP_SCHERR_NOT_SUPPORTED 15
-#define SLAP_SCHERR_BAD_DESCR 16
-#define SLAP_SCHERR_OIDM 17
+#define SLAP_SCHERR_CLASS_OPERATIONAL 4
+#define SLAP_SCHERR_ATTR_NOT_FOUND 5
+#define SLAP_SCHERR_ATTR_BAD_USAGE 6
+#define SLAP_SCHERR_DUP_CLASS 7
+#define SLAP_SCHERR_DUP_ATTR 8
+#define SLAP_SCHERR_DUP_SYNTAX 9
+#define SLAP_SCHERR_DUP_RULE 10
+#define SLAP_SCHERR_NO_NAME 11
+#define SLAP_SCHERR_ATTR_INCOMPLETE 12
+#define SLAP_SCHERR_MR_NOT_FOUND 13
+#define SLAP_SCHERR_SYN_NOT_FOUND 14
+#define SLAP_SCHERR_MR_INCOMPLETE 15
+#define SLAP_SCHERR_NOT_SUPPORTED 16
+#define SLAP_SCHERR_BAD_DESCR 17
+#define SLAP_SCHERR_OIDM 18
 #define SLAP_SCHERR_LAST SLAP_SCHERR_OIDM
 typedef union slap_sockaddr {
@@ -492,14 +493,15 @@ typedef struct slap_object_class {
 struct slap_object_class *soc_next;
 } ObjectClass;
-#define SLAP_OC_ALIAS 0x01
-#define SLAP_OC_REFERRAL 0x02
-#define SLAP_OC_SUBENTRY 0x04
-#define SLAP_OC_DYNAMICOBJECT 0x08
-#define SLAP_OC_COLLECTIVEATTRIBUTESUBENTRY 0x10
-#define SLAP_OC__MASK 0x1F
-#define SLAP_OC__END 0x20
-#define SLAP_OC_HIDE 0x80
+#define SLAP_OC_ALIAS 0x0001
+#define SLAP_OC_REFERRAL 0x0002
+#define SLAP_OC_SUBENTRY 0x0004
+#define SLAP_OC_DYNAMICOBJECT 0x0008
+#define SLAP_OC_COLLECTIVEATTRIBUTESUBENTRY 0x0010
+#define SLAP_OC__MASK 0x001F
+#define SLAP_OC__END 0x0020
+#define SLAP_OC_OPERATIONAL 0x4000
+#define SLAP_OC_HIDE 0x8000
 #ifdef LDAP_EXTENDED_SCHEMA
 /*
-- 
2.39.5
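Review bot: `SLAP_OC_OPERATIONAL` is introduced in hunk @@ -492 without a comment, and its placement at 0x4000 beside SLAP_OC_HIDE, outside the SLAP_OC__MASK group, suggests a "system" property distinct from the class kinds, which is worth stating: `#define SLAP_OC_OPERATIONAL 0x4000 /* system-defined; not addable via config (oc_add user != 0) */`. Moving SLAP_OC_HIDE from 0x80 to 0x8000 changes the value of an existing flag; that is harmless only if no `soc_flags` value is stored or compared outside this header and the field holding it is at least 16 bits wide, neither of which the hunk shows. The SLAP_SCHERR_* renumbering in @@ -221 likewise shifts every value above 3 and has to stay in lockstep with the positional `err2text` table in schemaparse.c.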