From f176935a586fb46ebeed6d4d79b77f8ca020ccb9 Mon Sep 17 00:00:00 2001 From: Pierangelo Masarati Date: Sat, 13 Nov 2004 14:43:30 +0000 Subject: [PATCH] remove rewrite stuff -- now delegted to rwm overlay --- servers/slapd/back-ldap/Makefile.in | 13 +- servers/slapd/back-ldap/TODO.proxy | 32 +- servers/slapd/back-ldap/add.c | 140 ++---- servers/slapd/back-ldap/back-ldap.h | 141 +----- servers/slapd/back-ldap/bind.c | 730 +++++++++++++--------------- servers/slapd/back-ldap/compare.c | 93 +--- servers/slapd/back-ldap/config.c | 494 +++---------------- servers/slapd/back-ldap/delete.c | 51 +- servers/slapd/back-ldap/extended.c | 133 +++-- servers/slapd/back-ldap/init.c | 154 +++--- servers/slapd/back-ldap/modify.c | 152 ++---- servers/slapd/back-ldap/modrdn.c | 83 +--- servers/slapd/back-ldap/search.c | 396 +++++---------- servers/slapd/back-ldap/unbind.c | 19 +- 14 files changed, 854 insertions(+), 1777 deletions(-) diff --git a/servers/slapd/back-ldap/Makefile.in b/servers/slapd/back-ldap/Makefile.in index f18c153532..cb52d04282 100644 --- a/servers/slapd/back-ldap/Makefile.in +++ b/servers/slapd/back-ldap/Makefile.in @@ -14,11 +14,9 @@ ## . SRCS = init.c config.c search.c bind.c unbind.c add.c compare.c \ - delete.c modify.c modrdn.c \ - suffixmassage.c map.c extended.c + delete.c modify.c modrdn.c extended.c OBJS = init.lo config.lo search.lo bind.lo unbind.lo add.lo compare.lo \ - delete.lo modify.lo modrdn.lo \ - suffixmassage.lo map.lo extended.lo + delete.lo modify.lo modrdn.lo extended.lo LDAP_INCDIR= ../../../include LDAP_LIBDIR= ../../../libraries @@ -29,12 +27,9 @@ BUILD_MOD = @BUILD_LDAP@ mod_DEFS = -DSLAPD_IMPORT MOD_DEFS = $(@BUILD_LDAP@_DEFS) -mod_REWRITE = $(LDAP_LIBREWRITE_A) - -REWRITE = $(@BUILD_META@_REWRITE) $(@BUILD_LDAP@_REWRITE) shared_LDAP_LIBS = $(LDAP_LIBLDAP_R_LA) $(LDAP_LIBLBER_LA) -NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) $(REWRITE) -UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) $(REWRITE) +NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) +UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) LIBBASE = back_ldap diff --git a/servers/slapd/back-ldap/TODO.proxy b/servers/slapd/back-ldap/TODO.proxy index 41ada65624..4e6109548a 100644 --- a/servers/slapd/back-ldap/TODO.proxy +++ b/servers/slapd/back-ldap/TODO.proxy @@ -13,11 +13,11 @@ and it wants to propose to the outer world as a unique URI "ldap://ldap.company.net/dc=company, dc=net" -It could do some rewriting to map everything that comes in with a base dn +It could do some rewriting to map everything that comes in with a base DN of "o=Branch 1, dc=company, dc=net" as the URI of the Branch 1, and -everything that comes in with a base dn of "o=Branch 2, dc=company, dc=net" -as the URI of Branch 2, and by rewriting all the dns back to the new, uniform -base. Everything that comes in with a base dn of "dc=company, dc=net" should +everything that comes in with a base DN of "o=Branch 2, dc=company, dc=net" +as the URI of Branch 2, and by rewriting all the DNs back to the new, uniform +base. Everything that comes in with a base DN of "dc=company, dc=net" should be handled locally and propagated to the two branch URIs if a subtree (or at least onelevel) search is required. @@ -35,7 +35,7 @@ Operations: The input of each operation may be related to: - exact dn exact parent ancestor + exact DN exact parent ancestor ------------------------------------------------------------- bind x unbind @@ -47,20 +47,20 @@ modrdn x delete x abandon -The backend must rely on a dn fetching mechanism. Each operation requires +The backend must rely on a DN fetching mechanism. Each operation requires to determine as early as possible which URI will be able to satisfy it. Apart from searches, which by definition are usually allowed to return multiple results, and apart from unbind and abandon, which do not return any result, all the remaining operations require the related entry to be unique. -A major problem isposed by the uniqueness of the dns. As far as the suffixes -are masqueraded by a common suffix, tyhe dns are no longer guaranteed to be +A major problem isposed by the uniqueness of the DNs. As far as the suffixes +are masqueraded by a common suffix, the DNs are no longer guaranteed to be unique. This backend relies on the assumption that the uniqueness of the -dns is guaranteed. +DNs is guaranteed. -Two layers of depth in dn fetching are envisaged. +Two layers of depth in DN fetching are envisaged. The first layer is provided by a backend-side cache made of previously -retrieved entries. The cache relates each rdn (i.e. the dn apart from the +retrieved entries. The cache relates each RDN (i.e. the DN apart from the common suffix) to the pool of URIs that are expected to contain a subset of its children. @@ -74,14 +74,14 @@ So write operations will require to skip the cache search and to perform the exaustive search of all the URIs unless some hint mechanism is provided to the backend (e.g. a server is read-only). -Again, the lag between the fetching of the required dn and the actual +Again, the lag between the fetching of the required DN and the actual read/write may result in a failure; however, this applies to any LDAP operation AFAIK. - bind if updates are to be strictly honored, a bind operation is performed against each URI; otherwise, it is performed against the URIs resulting from a -cache-level dn fetch. +cache-level DN fetch. - unbind nothing to say; all the open handles related to the connection are reset. @@ -90,12 +90,12 @@ nothing to say; all the open handles related to the connection are reset. if updates are to be strictly honored, a search operation is performed agaist each URI. Note that this needs be performed also when the backend suffix is used as base. In case the base is stricter, the URI pool may be restricted -by performing a cache dn fetch of the base first. +by performing a cache DN fetch of the base first. - compare -the same applies to the compare dn. +the same applies to the compare DN. - add -this operation is delicate. Unless the dn up to the top-level part excluded +this operation is delicate. Unless the DN up to the top-level part excluded can be uniquely associated to a URI, and unless its uniqueness can be trusted, no add operation should be allowed. diff --git a/servers/slapd/back-ldap/add.c b/servers/slapd/back-ldap/add.c index 638acfa6b1..3f4262a9fe 100644 --- a/servers/slapd/back-ldap/add.c +++ b/servers/slapd/back-ldap/add.c @@ -33,95 +33,60 @@ int ldap_back_add( - Operation *op, - SlapReply *rs ) + Operation *op, + SlapReply *rs ) { - struct ldapinfo *li = (struct ldapinfo *) op->o_bd->be_private; - struct ldapconn *lc; - int i, j; - Attribute *a; - LDAPMod **attrs; - struct berval mapped; - struct berval mdn = BER_BVNULL; - ber_int_t msgid; - dncookie dc; - int isupdate; - int do_retry = 1; - LDAPControl **ctrls = NULL; - int rc = LDAP_SUCCESS; - - Debug(LDAP_DEBUG_ARGS, "==> ldap_back_add: %s\n", op->o_req_dn.bv_val, 0, 0); - - lc = ldap_back_getconn(op, rs); + struct ldapconn *lc; + int i = 0, + j = 0; + Attribute *a; + LDAPMod **attrs = NULL, + *attrs2 = NULL; + ber_int_t msgid; + int isupdate; + int do_retry = 1; + LDAPControl **ctrls = NULL; + int rc = LDAP_SUCCESS; + + Debug( LDAP_DEBUG_ARGS, "==> ldap_back_add(\"%s\")\n", + op->o_req_dn.bv_val, 0, 0 ); + + lc = ldap_back_getconn( op, rs ); if ( !lc || !ldap_back_dobind( lc, op, rs ) ) { - return( -1 ); - } - - /* - * Rewrite the add dn, if needed - */ - dc.rwmap = &li->rwmap; -#ifdef ENABLE_REWRITE - dc.conn = op->o_conn; - dc.rs = rs; - dc.ctx = "addDN"; -#else - dc.tofrom = 1; - dc.normalized = 0; -#endif - if ( ldap_back_dn_massage( &dc, &op->o_req_dn, &mdn ) ) { - send_ldap_result( op, rs ); - return -1; + rc = -1; + goto cleanup; } /* Count number of attributes in entry */ for (i = 1, a = op->oq_add.rs_e->e_attrs; a; i++, a = a->a_next) - ; + /* just count attrs */ ; /* Create array of LDAPMods for ldap_add() */ - attrs = (LDAPMod **)ch_malloc(sizeof(LDAPMod *)*i); - -#ifdef ENABLE_REWRITE - dc.ctx = "addAttrDN"; -#endif + attrs = (LDAPMod **)ch_malloc( sizeof( LDAPMod * )*i + + sizeof( LDAPMod )*( i - 1 ) ); + attrs2 = ( LDAPMod * )&attrs[ i ]; isupdate = be_shadow_update( op ); - for (i=0, a=op->oq_add.rs_e->e_attrs; a; a=a->a_next) { + for ( i = 0, a = op->oq_add.rs_e->e_attrs; a; a = a->a_next ) { if ( !isupdate && a->a_desc->ad_type->sat_no_user_mod ) { continue; } - ldap_back_map(&li->rwmap.rwm_at, &a->a_desc->ad_cname, &mapped, - BACKLDAP_MAP); - if (mapped.bv_val == NULL || mapped.bv_val[0] == '\0') { - continue; - } + attrs[ i ] = &attrs2[ i ]; + attrs[ i ]->mod_op = LDAP_MOD_BVALUES; + attrs[ i ]->mod_type = a->a_desc->ad_cname.bv_val; - attrs[i] = (LDAPMod *)ch_malloc(sizeof(LDAPMod)); - if (attrs[i] == NULL) { - continue; + for ( j = 0; a->a_vals[ j ].bv_val; j++ ) + /* just count vals */ ; + attrs[i]->mod_vals.modv_bvals = + ch_malloc( ( j + 1 )*sizeof( struct berval * ) ); + for ( j = 0; a->a_vals[ j ].bv_val; j++ ) { + attrs[ i ]->mod_vals.modv_bvals[ j ] = &a->a_vals[ j ]; } - - attrs[i]->mod_op = LDAP_MOD_BVALUES; - attrs[i]->mod_type = mapped.bv_val; - - if ( a->a_desc->ad_type->sat_syntax == - slap_schema.si_syn_distinguishedName ) { - /* - * FIXME: rewrite could fail; in this case - * the operation should give up, right? - */ - (void)ldap_dnattr_rewrite( &dc, a->a_vals ); - } - - for (j=0; a->a_vals[j].bv_val; j++); - attrs[i]->mod_vals.modv_bvals = ch_malloc((j+1)*sizeof(struct berval *)); - for (j=0; a->a_vals[j].bv_val; j++) - attrs[i]->mod_vals.modv_bvals[j] = &a->a_vals[j]; - attrs[i]->mod_vals.modv_bvals[j] = NULL; + attrs[ i ]->mod_vals.modv_bvals[ j ] = NULL; i++; } - attrs[i] = NULL; + attrs[ i ] = NULL; ctrls = op->o_ctrls; #ifdef LDAP_BACK_PROXY_AUTHZ @@ -134,28 +99,31 @@ ldap_back_add( #endif /* LDAP_BACK_PROXY_AUTHZ */ retry: - rs->sr_err = ldap_add_ext(lc->ld, mdn.bv_val, attrs, - ctrls, NULL, &msgid); + rs->sr_err = ldap_add_ext( lc->lc_ld, op->o_req_dn.bv_val, attrs, + ctrls, NULL, &msgid ); rc = ldap_back_op_result( lc, op, rs, msgid, 1 ); if ( rs->sr_err == LDAP_UNAVAILABLE && do_retry ) { do_retry = 0; - if ( ldap_back_retry (lc, op, rs )) goto retry; + if ( ldap_back_retry( lc, op, rs ) ) { + goto retry; + } } -#ifdef LDAP_BACK_PROXY_AUTHZ + cleanup: - if ( ctrls && ctrls != op->o_ctrls ) { - free( ctrls[ 0 ] ); - free( ctrls ); - } +#ifdef LDAP_BACK_PROXY_AUTHZ + (void)ldap_back_proxy_authz_ctrl_free( op, &ctrls ); #endif /* LDAP_BACK_PROXY_AUTHZ */ - for (--i; i>= 0; --i) { - ch_free(attrs[i]->mod_vals.modv_bvals); - ch_free(attrs[i]); - } - ch_free(attrs); - if ( mdn.bv_val != op->o_req_dn.bv_val ) { - free( mdn.bv_val ); + + if ( attrs ) { + for ( --i; i >= 0; --i ) { + ch_free( attrs[ i ]->mod_vals.modv_bvals ); + } + ch_free( attrs ); } + + Debug( LDAP_DEBUG_ARGS, "<== ldap_back_add(\"%s\"): %d\n", + op->o_req_dn.bv_val, rc, 0 ); + return rc; } diff --git a/servers/slapd/back-ldap/back-ldap.h b/servers/slapd/back-ldap/back-ldap.h index 00f9b9a80f..60ffa0ac1c 100644 --- a/servers/slapd/back-ldap/back-ldap.h +++ b/servers/slapd/back-ldap/back-ldap.h @@ -26,11 +26,6 @@ #include "proto-ldap.h" -/* String rewrite library */ -#ifdef ENABLE_REWRITE -#include "rewrite.h" -#endif /* ENABLE_REWRITE */ - #ifdef LDAP_DEVEL #define LDAP_BACK_PROXY_AUTHZ #endif @@ -42,44 +37,13 @@ struct slap_op; struct slap_backend_db; struct ldapconn { - struct slap_conn *conn; - LDAP *ld; - struct berval cred; - struct berval bound_dn; - struct berval local_dn; - int bound; - ldap_pvt_thread_mutex_t lc_mutex; -}; - -struct ldapmap { - int drop_missing; - - Avlnode *map; - Avlnode *remap; -}; - -struct ldapmapping { - struct berval src; - struct berval dst; -}; - -struct ldaprwmap { - /* - * DN rewriting - */ -#ifdef ENABLE_REWRITE - struct rewrite_info *rwm_rw; -#else /* !ENABLE_REWRITE */ - /* some time the suffix massaging without librewrite - * will be disabled */ - BerVarray rwm_suffix_massage; -#endif /* !ENABLE_REWRITE */ - - /* - * Attribute/objectClass mapping - */ - struct ldapmap rwm_oc; - struct ldapmap rwm_at; + struct slap_conn *lc_conn; + LDAP *lc_ld; + struct berval lc_cred; + struct berval lc_bound_ndn; + struct berval lc_local_ndn; + int lc_bound; + ldap_pvt_thread_mutex_t lc_mutex; }; struct ldapauth { @@ -94,9 +58,10 @@ struct ldapauth { struct berval la_sasl_mech; struct berval la_sasl_realm; -#define LDAP_BACK_AUTH_NONE 0x00 -#define LDAP_BACK_AUTH_NATIVE_AUTHZ 0x01 - int la_flags; +#define LDAP_BACK_AUTH_NONE 0x00U +#define LDAP_BACK_AUTH_NATIVE_AUTHZ 0x01U +#define LDAP_BACK_AUTH_OVERRIDE 0x02U + unsigned la_flags; }; struct ldapinfo { @@ -135,35 +100,8 @@ struct ldapinfo { ldap_pvt_thread_mutex_t conn_mutex; int savecred; Avlnode *conntree; - -#if 0 -#ifdef ENABLE_REWRITE - struct rewrite_info *rwinfo; -#else /* !ENABLE_REWRITE */ - BerVarray suffix_massage; -#endif /* !ENABLE_REWRITE */ - - struct ldapmap oc_map; - struct ldapmap at_map; -#endif - - struct ldaprwmap rwmap; }; -/* Whatever context ldap_back_dn_massage needs... */ -typedef struct dncookie { - struct ldaprwmap *rwmap; - -#ifdef ENABLE_REWRITE - Connection *conn; - char *ctx; - SlapReply *rs; -#else - int normalized; - int tofrom; -#endif -} dncookie; - int ldap_back_freeconn( Operation *op, struct ldapconn *lc ); struct ldapconn *ldap_back_getconn(struct slap_op *op, struct slap_rep *rs); int ldap_back_dobind(struct ldapconn *lc, Operation *op, SlapReply *rs); @@ -173,62 +111,10 @@ int ldap_back_op_result(struct ldapconn *lc, Operation *op, SlapReply *rs, ber_int_t msgid, int sendok); int back_ldap_LTX_init_module(int argc, char *argv[]); -int ldap_back_dn_massage(dncookie *dc, struct berval *dn, - struct berval *res); - extern int ldap_back_conn_cmp( const void *c1, const void *c2); extern int ldap_back_conn_dup( void *c1, void *c2 ); extern void ldap_back_conn_free( void *c ); -/* attributeType/objectClass mapping */ -int mapping_cmp (const void *, const void *); -int mapping_dup (void *, void *); - -void ldap_back_map_init ( struct ldapmap *lm, struct ldapmapping ** ); -void ldap_back_map ( struct ldapmap *map, struct berval *s, struct berval *m, - int remap ); -#define BACKLDAP_MAP 0 -#define BACKLDAP_REMAP 1 -char * -ldap_back_map_filter( - struct ldapmap *at_map, - struct ldapmap *oc_map, - struct berval *f, - int remap -); - -int -ldap_back_map_attrs( - struct ldapmap *at_map, - AttributeName *a, - int remap, - char ***mapped_attrs -); - -extern int ldap_back_map_config( - struct ldapmap *oc_map, - struct ldapmap *at_map, - const char *fname, - int lineno, - int argc, - char **argv ); - -extern int -ldap_back_filter_map_rewrite( - dncookie *dc, - Filter *f, - struct berval *fstr, - int remap ); - -/* suffix massaging by means of librewrite */ -#ifdef ENABLE_REWRITE -extern int suffix_massage_config( struct rewrite_info *info, - struct berval *pvnc, struct berval *nvnc, - struct berval *prnc, struct berval *nrnc); -#endif /* ENABLE_REWRITE */ -extern int ldap_dnattr_rewrite( dncookie *dc, BerVarray a_vals ); -extern int ldap_dnattr_result_rewrite( dncookie *dc, BerVarray a_vals ); - #ifdef LDAP_BACK_PROXY_AUTHZ extern int ldap_back_proxy_authz_ctrl( @@ -236,6 +122,11 @@ ldap_back_proxy_authz_ctrl( Operation *op, SlapReply *rs, LDAPControl ***pctrls ); + +extern int +ldap_back_proxy_authz_ctrl_free( + Operation *op, + LDAPControl ***pctrls ); #endif /* LDAP_BACK_PROXY_AUTHZ */ LDAP_END_DECL diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c index dd660a7295..5c12055615 100644 --- a/servers/slapd/back-ldap/bind.c +++ b/servers/slapd/back-ldap/bind.c @@ -38,79 +38,74 @@ static LDAP_REBIND_PROC ldap_back_rebind; +#ifdef LDAP_BACK_PROXY_AUTHZ +static int +ldap_back_proxy_authz_bind( struct ldapconn *lc, Operation *op, SlapReply *rs ); +#endif /* LDAP_BACK_PROXY_AUTHZ */ + int -ldap_back_bind( - Operation *op, - SlapReply *rs ) +ldap_back_bind( Operation *op, SlapReply *rs ) { struct ldapinfo *li = (struct ldapinfo *) op->o_bd->be_private; struct ldapconn *lc; - struct berval mdn = BER_BVNULL; int rc = 0; ber_int_t msgid; - dncookie dc; - lc = ldap_back_getconn(op, rs); + lc = ldap_back_getconn( op, rs ); if ( !lc ) { return( -1 ); } - /* - * Rewrite the bind dn if needed - */ - dc.rwmap = &li->rwmap; -#ifdef ENABLE_REWRITE - dc.conn = op->o_conn; - dc.rs = rs; - dc.ctx = "bindDN"; -#else - dc.tofrom = 1; - dc.normalized = 0; -#endif - if ( ldap_back_dn_massage( &dc, &op->o_req_dn, &mdn ) ) { - send_ldap_result( op, rs ); - return -1; + if ( !BER_BVISNULL( &lc->lc_bound_ndn ) ) { + ch_free( lc->lc_bound_ndn.bv_val ); + BER_BVZERO( &lc->lc_bound_ndn ); } + lc->lc_bound = 0; - if ( !BER_BVISNULL( &lc->bound_dn ) ) { - ch_free( lc->bound_dn.bv_val ); - BER_BVZERO( &lc->bound_dn ); - } - lc->bound = 0; /* method is always LDAP_AUTH_SIMPLE if we got here */ - rs->sr_err = ldap_sasl_bind(lc->ld, mdn.bv_val, LDAP_SASL_SIMPLE, - &op->oq_bind.rb_cred, op->o_ctrls, NULL, &msgid); + rs->sr_err = ldap_sasl_bind( lc->lc_ld, op->o_req_dn.bv_val, + LDAP_SASL_SIMPLE, + &op->orb_cred, op->o_ctrls, NULL, &msgid ); rc = ldap_back_op_result( lc, op, rs, msgid, 1 ); - if (rc == LDAP_SUCCESS) { - lc->bound = 1; - if ( mdn.bv_val != op->o_req_dn.bv_val ) { - lc->bound_dn = mdn; - } else { - ber_dupbv( &lc->bound_dn, &op->o_req_dn ); + + if ( rc == LDAP_SUCCESS ) { +#ifdef LDAP_BACK_PROXY_AUTHZ + if ( li->idassert_flags & LDAP_BACK_AUTH_OVERRIDE ) { + ldap_back_proxy_authz_bind( lc, op, rs ); + if ( lc->lc_bound == 0 ) { + rc = 1; + goto done; + } } - BER_BVZERO( &mdn ); +#endif /* LDAP_BACK_PROXY_AUTHZ */ + + lc->lc_bound = 1; + ber_dupbv( &lc->lc_bound_ndn, &op->o_req_ndn ); if ( li->savecred ) { - if ( !BER_BVISNULL( &lc->cred ) ) { - memset( lc->cred.bv_val, 0, lc->cred.bv_len ); - ch_free( lc->cred.bv_val ); + if ( !BER_BVISNULL( &lc->lc_cred ) ) { + memset( lc->lc_cred.bv_val, 0, + lc->lc_cred.bv_len ); + ch_free( lc->lc_cred.bv_val ); } - ber_dupbv( &lc->cred, &op->oq_bind.rb_cred ); - ldap_set_rebind_proc( lc->ld, ldap_back_rebind, lc ); + ber_dupbv( &lc->lc_cred, &op->orb_cred ); + ldap_set_rebind_proc( lc->lc_ld, ldap_back_rebind, lc ); } } +done:; /* must re-insert if local DN changed as result of bind */ - if ( lc->bound && !bvmatch(&op->o_req_ndn, &lc->local_dn ) ) { - int lerr; + if ( lc->lc_bound && !dn_match( &op->o_req_ndn, &lc->lc_local_ndn ) ) { + int lerr; ldap_pvt_thread_mutex_lock( &li->conn_mutex ); lc = avl_delete( &li->conntree, (caddr_t)lc, ldap_back_conn_cmp ); - if ( !BER_BVISNULL( &lc->local_dn ) ) - ch_free( lc->local_dn.bv_val ); - ber_dupbv( &lc->local_dn, &op->o_req_ndn ); + if ( !BER_BVISNULL( &lc->lc_local_ndn ) ) { + ch_free( lc->lc_local_ndn.bv_val ); + } + ber_dupbv( &lc->lc_local_ndn, &op->o_req_ndn ); lerr = avl_insert( &li->conntree, (caddr_t)lc, ldap_back_conn_cmp, ldap_back_conn_dup ); ldap_pvt_thread_mutex_unlock( &li->conn_mutex ); @@ -119,10 +114,6 @@ ldap_back_bind( } } - if ( !BER_BVISNULL( &mdn ) && mdn.bv_val != op->o_req_dn.bv_val ) { - free( mdn.bv_val ); - } - return( rc ); } @@ -133,23 +124,22 @@ ldap_back_bind( * used by avl stuff */ int -ldap_back_conn_cmp( - const void *c1, - const void *c2 - ) +ldap_back_conn_cmp( const void *c1, const void *c2 ) { const struct ldapconn *lc1 = (const struct ldapconn *)c1; const struct ldapconn *lc2 = (const struct ldapconn *)c2; int rc; - + /* If local DNs don't match, it is definitely not a match */ - if ( ( rc = ber_bvcmp( &lc1->local_dn, &lc2->local_dn ) ) ) + rc = ber_bvcmp( &lc1->lc_local_ndn, &lc2->lc_local_ndn ); + if ( rc ) { return rc; + } /* For shared sessions, conn is NULL. Only explicitly * bound sessions will have non-NULL conn. */ - return SLAP_PTRCMP(lc1->conn, lc2->conn); + return SLAP_PTRCMP( lc1->lc_conn, lc2->lc_conn ); } /* @@ -159,51 +149,56 @@ ldap_back_conn_cmp( * used by avl stuff */ int -ldap_back_conn_dup( - void *c1, - void *c2 - ) +ldap_back_conn_dup( void *c1, void *c2 ) { struct ldapconn *lc1 = (struct ldapconn *)c1; struct ldapconn *lc2 = (struct ldapconn *)c2; /* Cannot have more than one shared session with same DN */ - if ( dn_match( &lc1->local_dn, &lc2->local_dn ) && - lc1->conn == lc2->conn ) return -1; + if ( dn_match( &lc1->lc_local_ndn, &lc2->lc_local_ndn ) && + lc1->lc_conn == lc2->lc_conn ) + { + return -1; + } return 0; } #if PRINT_CONNTREE > 0 -static void ravl_print( Avlnode *root, int depth ) +static void +ravl_print( Avlnode *root, int depth ) { int i; struct ldapconn *lc; - if ( root == 0 ) + if ( root == 0 ) { return; + } ravl_print( root->avl_right, depth+1 ); - for ( i = 0; i < depth; i++ ) + for ( i = 0; i < depth; i++ ) { printf( " " ); + } lc = root->avl_data; printf( "lc(%lx) local(%s) conn(%lx) %d\n", - lc, lc->local_dn.bv_val, lc->conn, root->avl_bf ); + lc, lc->lc_local_ndn.bv_val, lc->lc_conn, root->avl_bf ); ravl_print( root->avl_left, depth+1 ); } -static void myprint( Avlnode *root ) +static void +myprint( Avlnode *root ) { printf( "********\n" ); - if ( root == 0 ) + if ( root == 0 ) { printf( "\tNULL\n" ); - else + } else { ravl_print( root, 0 ); + } printf( "********\n" ); } @@ -224,7 +219,7 @@ ldap_back_freeconn( Operation *op, struct ldapconn *lc ) } struct ldapconn * -ldap_back_getconn(Operation *op, SlapReply *rs) +ldap_back_getconn( Operation *op, SlapReply *rs ) { struct ldapinfo *li = (struct ldapinfo *)op->o_bd->be_private; struct ldapconn *lc, lc_curr; @@ -237,108 +232,75 @@ ldap_back_getconn(Operation *op, SlapReply *rs) if ( op->o_tag == LDAP_REQ_BIND || ( op->o_conn && op->o_conn->c_authz_backend - && op->o_bd->be_private == op->o_conn->c_authz_backend->be_private ) ) { - lc_curr.conn = op->o_conn; + && op->o_bd->be_private == op->o_conn->c_authz_backend->be_private ) ) + { + lc_curr.lc_conn = op->o_conn; } else { - lc_curr.conn = NULL; + lc_curr.lc_conn = NULL; } /* Internal searches are privileged and shared. So is root. */ if ( op->o_do_not_cache || be_isroot( op ) ) { - lc_curr.local_dn = op->o_bd->be_rootndn; - lc_curr.conn = NULL; + lc_curr.lc_local_ndn = op->o_bd->be_rootndn; + lc_curr.lc_conn = NULL; is_priv = 1; } else { - lc_curr.local_dn = op->o_ndn; + lc_curr.lc_local_ndn = op->o_ndn; } ldap_pvt_thread_mutex_lock( &li->conn_mutex ); lc = (struct ldapconn *)avl_find( li->conntree, - (caddr_t)&lc_curr, ldap_back_conn_cmp ); + (caddr_t)&lc_curr, ldap_back_conn_cmp ); ldap_pvt_thread_mutex_unlock( &li->conn_mutex ); /* Looks like we didn't get a bind. Open a new session... */ - if (!lc) { + if ( !lc ) { int vers = op->o_protocol; - rs->sr_err = ldap_initialize(&ld, li->url); + rs->sr_err = ldap_initialize( &ld, li->url ); - if (rs->sr_err != LDAP_SUCCESS) { + if ( rs->sr_err != LDAP_SUCCESS ) { rs->sr_err = slap_map_api2result( rs ); - if (rs->sr_text == NULL) { + if ( rs->sr_text == NULL ) { rs->sr_text = "ldap_initialize() failed"; } - if (op->o_conn) send_ldap_result( op, rs ); + if ( op->o_conn ) { + send_ldap_result( op, rs ); + } rs->sr_text = NULL; return( NULL ); } /* Set LDAP version. This will always succeed: If the client * bound with a particular version, then so can we. */ - ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, - (const void *)&vers); + ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, + (const void *)&vers ); /* FIXME: configurable? */ - ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_ON); + ldap_set_option( ld, LDAP_OPT_REFERRALS, LDAP_OPT_ON ); - lc = (struct ldapconn *)ch_malloc(sizeof(struct ldapconn)); - lc->conn = lc_curr.conn; - lc->ld = ld; - ber_dupbv( &lc->local_dn, &lc_curr.local_dn ); - -#ifdef ENABLE_REWRITE - /* - * Sets a cookie for the rewrite session - * - * FIXME: the o_conn might be no longer valid, - * since we may have different entries - * for the same connection - */ - ( void )rewrite_session_init( li->rwmap.rwm_rw, op->o_conn ); -#endif /* ENABLE_REWRITE */ + lc = (struct ldapconn *)ch_malloc( sizeof( struct ldapconn ) ); + lc->lc_conn = lc_curr.lc_conn; + lc->lc_ld = ld; + ber_dupbv( &lc->lc_local_ndn, &lc_curr.lc_local_ndn ); ldap_pvt_thread_mutex_init( &lc->lc_mutex ); if ( is_priv ) { - ber_dupbv( &lc->cred, &li->acl_passwd ); - ber_dupbv( &lc->bound_dn, &li->acl_authcDN ); + ber_dupbv( &lc->lc_cred, &li->acl_passwd ); + ber_dupbv( &lc->lc_bound_ndn, &li->acl_authcDN ); } else { - BER_BVZERO( &lc->cred ); - BER_BVZERO( &lc->bound_dn ); - if ( op->o_conn && !BER_BVISEMPTY( &op->o_conn->c_dn ) - && ( op->o_bd == op->o_conn->c_authz_backend ) ) { - - dncookie dc; - struct berval bv; - - /* - * Rewrite the bind dn if needed - */ - dc.rwmap = &li->rwmap; -#ifdef ENABLE_REWRITE - dc.conn = op->o_conn; - dc.rs = rs; - dc.ctx = "bindDN"; -#else - dc.tofrom = 1; - dc.normalized = 0; -#endif - - if ( ldap_back_dn_massage( &dc, &op->o_conn->c_dn, &bv ) ) { - send_ldap_result( op, rs ); - return NULL; - } - - if ( bv.bv_val == op->o_conn->c_dn.bv_val ) { - ber_dupbv( &lc->bound_dn, &bv ); - } else { - lc->bound_dn = bv; - } + BER_BVZERO( &lc->lc_cred ); + BER_BVZERO( &lc->lc_bound_ndn ); + if ( op->o_conn && !BER_BVISEMPTY( &op->o_ndn ) + && op->o_bd == op->o_conn->c_authz_backend ) + { + ber_dupbv( &lc->lc_bound_ndn, &op->o_ndn ); } } - lc->bound = 0; + lc->lc_bound = 0; /* Inserts the newly created ldapconn in the avl tree */ ldap_pvt_thread_mutex_lock( &li->conn_mutex ); @@ -357,7 +319,7 @@ ldap_back_getconn(Operation *op, SlapReply *rs) /* Err could be -1 in case a duplicate ldapconn is inserted */ if ( rs->sr_err != 0 ) { ldap_back_conn_free( lc ); - if (op->o_conn) { + if ( op->o_conn ) { send_ldap_error( op, rs, LDAP_OTHER, "internal server error" ); } @@ -374,19 +336,18 @@ ldap_back_getconn(Operation *op, SlapReply *rs) /* * ldap_back_dobind * - * Note: as the check for the value of lc->bound was already here, I removed + * Note: as the check for the value of lc->lc_bound was already here, I removed * it from all the callers, and I made the function return the flag, so * it can be used to simplify the check. */ int ldap_back_dobind( struct ldapconn *lc, Operation *op, SlapReply *rs ) { - struct ldapinfo *li = (struct ldapinfo *)op->o_bd->be_private; - int rc; - ber_int_t msgid; + int rc; + ber_int_t msgid; ldap_pvt_thread_mutex_lock( &lc->lc_mutex ); - if ( !lc->bound ) { + if ( !lc->lc_bound ) { #ifdef LDAP_BACK_PROXY_AUTHZ /* * FIXME: we need to let clients use proxyAuthz @@ -407,161 +368,25 @@ ldap_back_dobind( struct ldapconn *lc, Operation *op, SlapReply *rs ) * control to every operation with the dn bound * to the connection as control value. */ - if ( op->o_conn != NULL && BER_BVISNULL( &lc->bound_dn ) ) { - struct berval binddn = slap_empty_bv; - struct berval bindcred = slap_empty_bv; - int dobind = 0; - - /* bind as proxyauthzdn only if no idassert mode - * is requested, or if the client's identity - * is authorized */ - switch ( li->idassert_mode ) { - case LDAP_BACK_IDASSERT_LEGACY: - if ( !BER_BVISNULL( &op->o_conn->c_dn ) && !BER_BVISEMPTY( &op->o_conn->c_dn ) ) { - if ( !BER_BVISNULL( &li->idassert_authcDN ) && !BER_BVISEMPTY( &li->idassert_authcDN ) ) - { - binddn = li->idassert_authcDN; - bindcred = li->idassert_passwd; - dobind = 1; - } - } - break; - - default: - if ( li->idassert_authz ) { - struct berval authcDN = BER_BVISNULL( &op->o_conn->c_dn ) ? slap_empty_bv : op->o_conn->c_dn; - - rs->sr_err = slap_sasl_matches( op, li->idassert_authz, - &authcDN, &authcDN ); - if ( rs->sr_err != LDAP_SUCCESS ) { - send_ldap_result( op, rs ); - lc->bound = 0; - goto done; - } - } - - binddn = li->idassert_authcDN; - bindcred = li->idassert_passwd; - dobind = 1; - break; - } - - if ( dobind && li->idassert_authmethod == LDAP_AUTH_SASL ) { -#ifdef HAVE_CYRUS_SASL - void *defaults = NULL; - struct berval authzID = BER_BVNULL; - int freeauthz = 0; - - /* if SASL supports native authz, prepare for it */ - if ( ( !op->o_do_not_cache || !op->o_is_auth_check ) && - ( li->idassert_flags & LDAP_BACK_AUTH_NATIVE_AUTHZ ) ) - { - switch ( li->idassert_mode ) { - case LDAP_BACK_IDASSERT_OTHERID: - case LDAP_BACK_IDASSERT_OTHERDN: - authzID = li->idassert_authzID; - break; - - case LDAP_BACK_IDASSERT_ANONYMOUS: - BER_BVSTR( &authzID, "dn:" ); - break; - - case LDAP_BACK_IDASSERT_SELF: - if ( BER_BVISNULL( &op->o_conn->c_dn ) ) { - /* connection is not authc'd, so don't idassert */ - BER_BVSTR( &authzID, "dn:" ); - break; - } - authzID.bv_len = STRLENOF( "dn:" ) + op->o_conn->c_dn.bv_len; - authzID.bv_val = slap_sl_malloc( authzID.bv_len + 1, op->o_tmpmemctx ); - AC_MEMCPY( authzID.bv_val, "dn:", STRLENOF( "dn:" ) ); - AC_MEMCPY( authzID.bv_val + STRLENOF( "dn:" ), - op->o_conn->c_dn.bv_val, op->o_conn->c_dn.bv_len + 1 ); - freeauthz = 1; - break; - - default: - break; - } - } - -#if 0 /* will deal with this later... */ - if ( sasl_secprops != NULL ) { - rs->sr_err = ldap_set_option( lc->ld, LDAP_OPT_X_SASL_SECPROPS, - (void *) sasl_secprops ); - - if ( rs->sr_err != LDAP_OPT_SUCCESS ) { - send_ldap_result( op, rs ); - lc->bound = 0; - goto done; - - } - } -#endif - - defaults = lutil_sasl_defaults( lc->ld, - li->idassert_sasl_mech.bv_val, - li->idassert_sasl_realm.bv_val, - li->idassert_authcID.bv_val, - li->idassert_passwd.bv_val, - authzID.bv_val ); - - rs->sr_err = ldap_sasl_interactive_bind_s( lc->ld, binddn.bv_val, - li->idassert_sasl_mech.bv_val, NULL, NULL, - li->idassert_sasl_flags, lutil_sasl_interact, - defaults ); - - lutil_sasl_freedefs( defaults ); - if ( freeauthz ) { - slap_sl_free( authzID.bv_val, op->o_tmpmemctx ); - } - - rs->sr_err = slap_map_api2result( rs ); - if ( rs->sr_err != LDAP_SUCCESS ) { - lc->bound = 0; - send_ldap_result( op, rs ); - - } else { - lc->bound = 1; - } - goto done; -#endif /* HAVE_CYRUS_SASL */ - } - - switch ( li->idassert_authmethod ) { - case LDAP_AUTH_SIMPLE: - rs->sr_err = ldap_sasl_bind(lc->ld, - binddn.bv_val, LDAP_SASL_SIMPLE, - &bindcred, NULL, NULL, &msgid); - break; - - case LDAP_AUTH_NONE: - lc->bound = 1; - goto done; - - default: - /* unsupported! */ - lc->bound = 0; - rs->sr_err = LDAP_AUTH_METHOD_NOT_SUPPORTED; - send_ldap_result( op, rs ); - goto done; - } - - } else -#endif /* LDAP_BACK_PROXY_AUTHZ */ - { - rs->sr_err = ldap_sasl_bind(lc->ld, lc->bound_dn.bv_val, - LDAP_SASL_SIMPLE, &lc->cred, NULL, NULL, &msgid); + if ( op->o_conn != NULL && BER_BVISNULL( &lc->lc_bound_ndn ) ) { + (void)ldap_back_proxy_authz_bind( lc, op, rs ); + goto done; } +#endif /* LDAP_BACK_PROXY_AUTHZ */ + + rs->sr_err = ldap_sasl_bind( lc->lc_ld, + lc->lc_bound_ndn.bv_val, + LDAP_SASL_SIMPLE, &lc->lc_cred, + NULL, NULL, &msgid ); rc = ldap_back_op_result( lc, op, rs, msgid, 0 ); - if (rc == LDAP_SUCCESS) { - lc->bound = 1; + if ( rc == LDAP_SUCCESS ) { + lc->lc_bound = 1; } } done:; - rc = lc->bound; + rc = lc->lc_bound; ldap_pvt_thread_mutex_unlock( &lc->lc_mutex ); return rc; } @@ -578,67 +403,21 @@ ldap_back_rebind( LDAP *ld, LDAP_CONST char *url, ber_tag_t request, { struct ldapconn *lc = params; - return ldap_bind_s( ld, lc->bound_dn.bv_val, lc->cred.bv_val, LDAP_AUTH_SIMPLE ); -} - -#if 0 /* deprecated in favour of slap_map_api2result() */ -/* Map API errors to protocol errors... */ -int -ldap_back_map_result( SlapReply *rs ) -{ - switch(rs->sr_err) - { - case LDAP_SERVER_DOWN: - return LDAP_UNAVAILABLE; - case LDAP_LOCAL_ERROR: - return LDAP_OTHER; - case LDAP_ENCODING_ERROR: - case LDAP_DECODING_ERROR: - return LDAP_PROTOCOL_ERROR; - case LDAP_TIMEOUT: - return LDAP_UNAVAILABLE; - case LDAP_AUTH_UNKNOWN: - return LDAP_AUTH_METHOD_NOT_SUPPORTED; - case LDAP_FILTER_ERROR: - rs->sr_text = "Filter error"; - return LDAP_OTHER; - case LDAP_USER_CANCELLED: - rs->sr_text = "User cancelled"; - return LDAP_OTHER; - case LDAP_PARAM_ERROR: - return LDAP_PROTOCOL_ERROR; - case LDAP_NO_MEMORY: - return LDAP_OTHER; - case LDAP_CONNECT_ERROR: - return LDAP_UNAVAILABLE; - case LDAP_NOT_SUPPORTED: - return LDAP_UNWILLING_TO_PERFORM; - case LDAP_CONTROL_NOT_FOUND: - return LDAP_PROTOCOL_ERROR; - case LDAP_NO_RESULTS_RETURNED: - return LDAP_NO_SUCH_OBJECT; - case LDAP_MORE_RESULTS_TO_RETURN: - rs->sr_text = "More results to return"; - return LDAP_OTHER; - case LDAP_CLIENT_LOOP: - case LDAP_REFERRAL_LIMIT_EXCEEDED: - return LDAP_LOOP_DETECT; - default: - if ( LDAP_API_ERROR(rs->sr_err) ) - return LDAP_OTHER; - return rs->sr_err; - } + return ldap_sasl_bind_s( ld, lc->lc_bound_ndn.bv_val, + LDAP_SASL_SIMPLE, &lc->lc_cred, NULL, NULL, NULL ); } -#endif int -ldap_back_op_result(struct ldapconn *lc, Operation *op, SlapReply *rs, - ber_int_t msgid, int sendok) +ldap_back_op_result( + struct ldapconn *lc, + Operation *op, + SlapReply *rs, + ber_int_t msgid, + int sendok ) { - struct ldapinfo *li = (struct ldapinfo *)op->o_bd->be_private; - char *match = NULL; - LDAPMessage *res = NULL; - char *text = NULL; + char *match = NULL; + LDAPMessage *res = NULL; + char *text = NULL; #define ERR_OK(err) ((err) == LDAP_SUCCESS || (err) == LDAP_COMPARE_FALSE || (err) == LDAP_COMPARE_TRUE) @@ -650,8 +429,8 @@ ldap_back_op_result(struct ldapconn *lc, Operation *op, SlapReply *rs, * remote server response */ if ( ERR_OK( rs->sr_err ) ) { /* if result parsing fails, note the failure reason */ - if ( ldap_result( lc->ld, msgid, 1, NULL, &res ) == -1 ) { - ldap_get_option( lc->ld, LDAP_OPT_ERROR_NUMBER, + if ( ldap_result( lc->lc_ld, msgid, 1, NULL, &res ) == -1 ) { + ldap_get_option( lc->lc_ld, LDAP_OPT_ERROR_NUMBER, &rs->sr_err ); /* otherwise get the result; if it is not @@ -659,10 +438,12 @@ ldap_back_op_result(struct ldapconn *lc, Operation *op, SlapReply *rs, * structure (this includes * LDAP_COMPARE_{TRUE|FALSE}) */ } else { - int rc = ldap_parse_result( lc->ld, res, &rs->sr_err, + int rc = ldap_parse_result( lc->lc_ld, res, &rs->sr_err, &match, &text, NULL, NULL, 1 ); rs->sr_text = text; - if ( rc != LDAP_SUCCESS ) rs->sr_err = rc; + if ( rc != LDAP_SUCCESS ) { + rs->sr_err = rc; + } } } @@ -675,25 +456,10 @@ ldap_back_op_result(struct ldapconn *lc, Operation *op, SlapReply *rs, /* internal ops ( op->o_conn == NULL ) * must not reply to client */ if ( op->o_conn && !op->o_do_not_cache && match ) { - struct berval dn, mdn; - dncookie dc; - - dc.rwmap = &li->rwmap; -#ifdef ENABLE_REWRITE - dc.conn = op->o_conn; - dc.rs = rs; - dc.ctx = "matchedDN"; -#else - dc.tofrom = 0; - dc.normalized = 0; -#endif - ber_str2bv(match, 0, 0, &dn); - ldap_back_dn_massage(&dc, &dn, &mdn); /* record the (massaged) matched * DN into the reply structure */ - rs->sr_matched = mdn.bv_val; - + rs->sr_matched = match; } } if ( op->o_conn && ( sendok || rs->sr_err != LDAP_SUCCESS ) ) { @@ -722,31 +488,205 @@ ldap_back_retry( struct ldapconn *lc, Operation *op, SlapReply *rs ) LDAP *ld; ldap_pvt_thread_mutex_lock( &lc->lc_mutex ); - ldap_unbind( lc->ld ); - lc->bound = 0; - rs->sr_err = ldap_initialize(&ld, li->url); + ldap_unbind_ext_s( lc->lc_ld, NULL, NULL ); + lc->lc_bound = 0; + rs->sr_err = ldap_initialize( &ld, li->url ); - if (rs->sr_err != LDAP_SUCCESS) { + if ( rs->sr_err != LDAP_SUCCESS ) { rs->sr_err = slap_map_api2result( rs ); - if (rs->sr_text == NULL) { + if ( rs->sr_text == NULL ) { rs->sr_text = "ldap_initialize() failed"; } - if (op->o_conn) send_ldap_result( op, rs ); + if ( op->o_conn ) { + send_ldap_result( op, rs ); + } rs->sr_text = NULL; return 0; } /* Set LDAP version. This will always succeed: If the client * bound with a particular version, then so can we. */ - ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, (const void *)&vers); + ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, (const void *)&vers ); /* FIXME: configurable? */ - ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_ON); - lc->ld = ld; + ldap_set_option( ld, LDAP_OPT_REFERRALS, LDAP_OPT_ON ); + lc->lc_ld = ld; ldap_pvt_thread_mutex_unlock( &lc->lc_mutex ); return ldap_back_dobind( lc, op, rs ); } #ifdef LDAP_BACK_PROXY_AUTHZ +static int +ldap_back_proxy_authz_bind( struct ldapconn *lc, Operation *op, SlapReply *rs ) +{ + struct ldapinfo *li = (struct ldapinfo *)op->o_bd->be_private; + struct berval binddn = slap_empty_bv; + struct berval bindcred = slap_empty_bv; + int dobind = 0; + int msgid; + int rc; + + /* + * FIXME: we need to let clients use proxyAuthz + * otherwise we cannot do symmetric pools of servers; + * we have to live with the fact that a user can + * authorize itself as any ID that is allowed + * by the authzTo directive of the "proxyauthzdn". + */ + /* + * NOTE: current Proxy Authorization specification + * and implementation do not allow proxy authorization + * control to be provided with Bind requests + */ + /* + * if no bind took place yet, but the connection is bound + * and the "proxyauthzdn" is set, then bind as + * "proxyauthzdn" and explicitly add the proxyAuthz + * control to every operation with the dn bound + * to the connection as control value. + */ + + /* bind as proxyauthzdn only if no idassert mode + * is requested, or if the client's identity + * is authorized */ + switch ( li->idassert_mode ) { + case LDAP_BACK_IDASSERT_LEGACY: + if ( !BER_BVISNULL( &op->o_conn->c_ndn ) && !BER_BVISEMPTY( &op->o_conn->c_ndn ) ) { + if ( !BER_BVISNULL( &li->idassert_authcDN ) && !BER_BVISEMPTY( &li->idassert_authcDN ) ) + { + binddn = li->idassert_authcDN; + bindcred = li->idassert_passwd; + dobind = 1; + } + } + break; + + default: + if ( li->idassert_authz ) { + struct berval authcDN = BER_BVISNULL( &op->o_conn->c_ndn ) ? slap_empty_bv : op->o_conn->c_ndn; + + rs->sr_err = slap_sasl_matches( op, li->idassert_authz, + &authcDN, &authcDN ); + if ( rs->sr_err != LDAP_SUCCESS ) { + send_ldap_result( op, rs ); + lc->lc_bound = 0; + goto done; + } + } + + binddn = li->idassert_authcDN; + bindcred = li->idassert_passwd; + dobind = 1; + break; + } + + if ( dobind && li->idassert_authmethod == LDAP_AUTH_SASL ) { +#ifdef HAVE_CYRUS_SASL + void *defaults = NULL; + struct berval authzID = BER_BVNULL; + int freeauthz = 0; + + /* if SASL supports native authz, prepare for it */ + if ( ( !op->o_do_not_cache || !op->o_is_auth_check ) && + ( li->idassert_flags & LDAP_BACK_AUTH_NATIVE_AUTHZ ) ) + { + switch ( li->idassert_mode ) { + case LDAP_BACK_IDASSERT_OTHERID: + case LDAP_BACK_IDASSERT_OTHERDN: + authzID = li->idassert_authzID; + break; + + case LDAP_BACK_IDASSERT_ANONYMOUS: + BER_BVSTR( &authzID, "dn:" ); + break; + + case LDAP_BACK_IDASSERT_SELF: + if ( BER_BVISNULL( &op->o_conn->c_ndn ) ) { + /* connection is not authc'd, so don't idassert */ + BER_BVSTR( &authzID, "dn:" ); + break; + } + authzID.bv_len = STRLENOF( "dn:" ) + op->o_conn->c_ndn.bv_len; + authzID.bv_val = slap_sl_malloc( authzID.bv_len + 1, op->o_tmpmemctx ); + AC_MEMCPY( authzID.bv_val, "dn:", STRLENOF( "dn:" ) ); + AC_MEMCPY( authzID.bv_val + STRLENOF( "dn:" ), + op->o_conn->c_ndn.bv_val, op->o_conn->c_ndn.bv_len + 1 ); + freeauthz = 1; + break; + + default: + break; + } + } + +#if 0 /* will deal with this later... */ + if ( sasl_secprops != NULL ) { + rs->sr_err = ldap_set_option( lc->lc_ld, LDAP_OPT_X_SASL_SECPROPS, + (void *) sasl_secprops ); + + if ( rs->sr_err != LDAP_OPT_SUCCESS ) { + send_ldap_result( op, rs ); + lc->lc_bound = 0; + goto done; + } + } +#endif + + defaults = lutil_sasl_defaults( lc->lc_ld, + li->idassert_sasl_mech.bv_val, + li->idassert_sasl_realm.bv_val, + li->idassert_authcID.bv_val, + li->idassert_passwd.bv_val, + authzID.bv_val ); + + rs->sr_err = ldap_sasl_interactive_bind_s( lc->lc_ld, binddn.bv_val, + li->idassert_sasl_mech.bv_val, NULL, NULL, + li->idassert_sasl_flags, lutil_sasl_interact, + defaults ); + + lutil_sasl_freedefs( defaults ); + if ( freeauthz ) { + slap_sl_free( authzID.bv_val, op->o_tmpmemctx ); + } + + rs->sr_err = slap_map_api2result( rs ); + if ( rs->sr_err != LDAP_SUCCESS ) { + lc->lc_bound = 0; + send_ldap_result( op, rs ); + + } else { + lc->lc_bound = 1; + } + goto done; +#endif /* HAVE_CYRUS_SASL */ + } + + switch ( li->idassert_authmethod ) { + case LDAP_AUTH_SIMPLE: + rs->sr_err = ldap_sasl_bind( lc->lc_ld, + binddn.bv_val, LDAP_SASL_SIMPLE, + &bindcred, NULL, NULL, &msgid ); + break; + + case LDAP_AUTH_NONE: + lc->lc_bound = 1; + goto done; + + default: + /* unsupported! */ + lc->lc_bound = 0; + rs->sr_err = LDAP_AUTH_METHOD_NOT_SUPPORTED; + send_ldap_result( op, rs ); + goto done; + } + + rc = ldap_back_op_result( lc, op, rs, msgid, 0 ); + if ( rc == LDAP_SUCCESS ) { + lc->lc_bound = 1; + } +done:; + return lc->lc_bound; +} + /* * ldap_back_proxy_authz_ctrl() prepends a proxyAuthz control * to existing server-side controls if required; if not, @@ -812,11 +752,11 @@ ldap_back_proxy_authz_ctrl( goto done; } - if ( !BER_BVISNULL( &lc->bound_dn ) ) { + if ( !BER_BVISNULL( &lc->lc_bound_ndn ) ) { goto done; } - if ( BER_BVISNULL( &op->o_conn->c_dn ) ) { + if ( BER_BVISNULL( &op->o_conn->c_ndn ) ) { goto done; } @@ -826,24 +766,24 @@ ldap_back_proxy_authz_ctrl( } else if ( li->idassert_authmethod == LDAP_AUTH_SASL ) { if ( ( li->idassert_flags & LDAP_BACK_AUTH_NATIVE_AUTHZ ) - /* && ( !BER_BVISNULL( &op->o_conn->c_dn ) || lc->bound ) */ ) + /* && ( !BER_BVISNULL( &op->o_conn->c_ndn ) || lc->lc_bound ) */ ) { /* already asserted in SASL via native authz */ - /* NOTE: the test on lc->bound is used to trap + /* NOTE: the test on lc->lc_bound is used to trap * native authorization of anonymous users, - * since in that case op->o_conn->c_dn is NULL */ + * since in that case op->o_conn->c_ndn is NULL */ goto done; } } else if ( li->idassert_authz ) { int rc; - struct berval authcDN = BER_BVISNULL( &op->o_conn->c_dn ) ? slap_empty_bv : op->o_conn->c_dn; + struct berval authcDN = BER_BVISNULL( &op->o_conn->c_ndn ) ? slap_empty_bv : op->o_conn->c_ndn; rc = slap_sasl_matches( op, li->idassert_authz, &authcDN, & authcDN ); if ( rc != LDAP_SUCCESS ) { - /* op->o_conn->c_dn is not authorized + /* op->o_conn->c_ndn is not authorized * to use idassert */ return rc; } @@ -883,7 +823,7 @@ ldap_back_proxy_authz_ctrl( case LDAP_BACK_IDASSERT_SELF: /* original behavior: * assert the client's identity */ - assertedID = BER_BVISNULL( &op->o_conn->c_dn ) ? slap_empty_bv : op->o_conn->c_dn; + assertedID = BER_BVISNULL( &op->o_conn->c_ndn ) ? slap_empty_bv : op->o_conn->c_ndn; break; case LDAP_BACK_IDASSERT_ANONYMOUS: @@ -909,6 +849,11 @@ ldap_back_proxy_authz_ctrl( assertedID = slap_empty_bv; } + if ( op->o_ctrls ) { + for ( i = 0; op->o_ctrls[ i ]; i++ ) + /* just count ctrls */ ; + } + ctrls = ch_malloc( sizeof( LDAPControl * ) * (i + 2) ); ctrls[ 0 ] = ch_malloc( sizeof( LDAPControl ) ); @@ -948,4 +893,25 @@ done:; return rs->sr_err; } + +int +ldap_back_proxy_authz_ctrl_free( Operation *op, LDAPControl ***pctrls ) +{ + LDAPControl **ctrls = *pctrls; + + if ( ctrls && ctrls != op->o_ctrls ) { + assert( ctrls[ 0 ] ); + + if ( !BER_BVISNULL( &ctrls[ 0 ]->ldctl_value ) ) { + free( ctrls[ 0 ]->ldctl_value.bv_val ); + } + + free( ctrls[ 0 ] ); + free( ctrls ); + } + + *pctrls = NULL; + + return 0; +} #endif /* LDAP_BACK_PROXY_AUTHZ */ diff --git a/servers/slapd/back-ldap/compare.c b/servers/slapd/back-ldap/compare.c index 635a2868d6..0670a51911 100644 --- a/servers/slapd/back-ldap/compare.c +++ b/servers/slapd/back-ldap/compare.c @@ -33,70 +33,19 @@ int ldap_back_compare( - Operation *op, - SlapReply *rs ) + Operation *op, + SlapReply *rs ) { - struct ldapinfo *li = (struct ldapinfo *) op->o_bd->be_private; - struct ldapconn *lc; - struct berval mapped_at = BER_BVNULL, mapped_val = BER_BVNULL; - struct berval mdn = BER_BVNULL; - ber_int_t msgid; - int freeval = 0; - int do_retry = 1; - dncookie dc; - LDAPControl **ctrls = NULL; - int rc = LDAP_SUCCESS; + struct ldapconn *lc; + ber_int_t msgid; + int do_retry = 1; + LDAPControl **ctrls = NULL; + int rc = LDAP_SUCCESS; - lc = ldap_back_getconn(op, rs); + lc = ldap_back_getconn( op, rs ); if (!lc || !ldap_back_dobind( lc, op, rs ) ) { - return( -1 ); - } - - /* - * Rewrite the compare dn, if needed - */ - dc.rwmap = &li->rwmap; -#ifdef ENABLE_REWRITE - dc.conn = op->o_conn; - dc.rs = rs; - dc.ctx = "compareDN"; -#else - dc.tofrom = 1; - dc.normalized = 0; -#endif - if ( ldap_back_dn_massage( &dc, &op->o_req_ndn, &mdn ) ) { - send_ldap_result( op, rs ); - return -1; - } - - if ( op->orc_ava->aa_desc == slap_schema.si_ad_objectClass - || op->orc_ava->aa_desc == slap_schema.si_ad_structuralObjectClass ) { - ldap_back_map(&li->rwmap.rwm_oc, &op->orc_ava->aa_value, - &mapped_val, BACKLDAP_MAP); - if (mapped_val.bv_val == NULL || mapped_val.bv_val[0] == '\0') { - return( -1 ); - } - mapped_at = op->orc_ava->aa_desc->ad_cname; - } else { - ldap_back_map(&li->rwmap.rwm_at, - &op->orc_ava->aa_desc->ad_cname, &mapped_at, - BACKLDAP_MAP); - if (mapped_at.bv_val == NULL || mapped_at.bv_val[0] == '\0') { - return( -1 ); - } - if (op->orc_ava->aa_desc->ad_type->sat_syntax == slap_schema.si_syn_distinguishedName ) { -#ifdef ENABLE_REWRITE - dc.ctx = "compareAttrDN"; -#endif - ldap_back_dn_massage( &dc, &op->orc_ava->aa_value, &mapped_val ); - if (mapped_val.bv_val == NULL || mapped_val.bv_val[0] == '\0') { - mapped_val = op->orc_ava->aa_value; - } else if (mapped_val.bv_val != op->orc_ava->aa_value.bv_val) { - freeval = 1; - } - } else { - mapped_val = op->orc_ava->aa_value; - } + rc = -1; + goto cleanup; } ctrls = op->o_ctrls; @@ -110,28 +59,22 @@ ldap_back_compare( #endif /* LDAP_BACK_PROXY_AUTHZ */ retry: - rs->sr_err = ldap_compare_ext( lc->ld, mdn.bv_val, - mapped_at.bv_val, &mapped_val, + rs->sr_err = ldap_compare_ext( lc->lc_ld, op->o_req_ndn.bv_val, + op->orc_ava->aa_desc->ad_cname.bv_val, + &op->orc_ava->aa_value, ctrls, NULL, &msgid ); rc = ldap_back_op_result( lc, op, rs, msgid, 1 ); if ( rs->sr_err == LDAP_UNAVAILABLE && do_retry ) { do_retry = 0; - if ( ldap_back_retry (lc, op, rs )) goto retry; + if ( ldap_back_retry(lc, op, rs ) ) { + goto retry; + } } -#ifdef LDAP_BACK_PROXY_AUTHZ cleanup: - if ( ctrls && ctrls != op->o_ctrls ) { - free( ctrls[ 0 ] ); - free( ctrls ); - } +#ifdef LDAP_BACK_PROXY_AUTHZ + (void)ldap_back_proxy_authz_ctrl_free( op, &ctrls ); #endif /* LDAP_BACK_PROXY_AUTHZ */ - if ( mdn.bv_val != op->o_req_ndn.bv_val ) { - free( mdn.bv_val ); - } - if ( freeval ) { - free( mapped_val.bv_val ); - } return rc; } diff --git a/servers/slapd/back-ldap/config.c b/servers/slapd/back-ldap/config.c index 91de42d173..848464b7ac 100644 --- a/servers/slapd/back-ldap/config.c +++ b/servers/slapd/back-ldap/config.c @@ -43,36 +43,40 @@ parse_idassert( BackendDB *be, const char *fname, int lineno, int ldap_back_db_config( - BackendDB *be, - const char *fname, - int lineno, - int argc, - char **argv -) + BackendDB *be, + const char *fname, + int lineno, + int argc, + char **argv ) { struct ldapinfo *li = (struct ldapinfo *) be->be_private; if ( li == NULL ) { fprintf( stderr, "%s: line %d: ldap backend info is null!\n", - fname, lineno ); - return( 1 ); + fname, lineno ); + return 1; } /* server address to query (depricated, use "uri" directive) */ if ( strcasecmp( argv[0], "server" ) == 0 ) { ber_len_t l; - if (argc != 2) { + fprintf( stderr, + "%s: line %d: \"server
\" directive is deprecated\n", + fname, lineno ); + + if ( argc != 2 ) { fprintf( stderr, "%s: line %d: missing address in \"server
\" line\n", - fname, lineno ); - return( 1 ); + fname, lineno ); + return 1; + } + if ( li->url != NULL ) { + ch_free( li->url ); } - if (li->url != NULL) - ch_free(li->url); l = strlen( argv[1] ) + STRLENOF( "ldap:///") + 1; li->url = ch_calloc( l, sizeof( char ) ); - if (li->url == NULL) { + if ( li->url == NULL ) { fprintf( stderr, "%s: line %d: malloc failed\n" ); return 1; } @@ -81,15 +85,15 @@ ldap_back_db_config( /* URI of server to query (preferred over "server" directive) */ } else if ( strcasecmp( argv[0], "uri" ) == 0 ) { - LDAPURLDesc tmplud, *tmpludp; + LDAPURLDesc *tmpludp; int urlrc; - if (argc != 2) { + if ( argc != 2 ) { fprintf( stderr, "%s: line %d: " - "missing uri " - "in \"uri \" line\n", - fname, lineno ); - return( 1 ); + "missing uri " + "in \"uri \" line\n", + fname, lineno ); + return 1; } if ( li->url != NULL ) { ch_free( li->url ); @@ -142,29 +146,31 @@ ldap_back_db_config( break; } fprintf( stderr, "%s: line %d: " - "unable to parse uri \"%s\" " - "in \"uri \" line: %s\n", - fname, lineno, argv[ 1 ], why ); + "unable to parse uri \"%s\" " + "in \"uri \" line: %s\n", + fname, lineno, argv[ 1 ], why ); return 1; } for ( tmpludp = li->lud; tmpludp; tmpludp = tmpludp->lud_next ) { - if ( ( tmpludp->lud_dn != NULL && tmpludp->lud_dn[0] != '\0' ) + if ( ( tmpludp->lud_dn != NULL + && tmpludp->lud_dn[0] != '\0' ) || tmpludp->lud_attrs != NULL || tmpludp->lud_filter != NULL || tmpludp->lud_exts != NULL ) { fprintf( stderr, "%s: line %d: " - "warning, only protocol, " - "host and port allowed " - "in \"uri \" statement " - "for \"%s\"\n", - fname, lineno, argv[1] ); + "warning, only protocol, " + "host and port allowed " + "in \"uri \" statement " + "for \"%s\"\n", + fname, lineno, argv[1] ); } } #if 0 for ( tmpludp = li->lud; tmpludp; tmpludp = tmpludp->lud_next ) { + LDAPURLDesc tmplud; char *tmpurl; ber_len_t oldlen = 0, len; @@ -206,10 +212,10 @@ ldap_back_db_config( /* name to use for ldap_back_group */ } else if ( strcasecmp( argv[0], "acl-authcdn" ) == 0 || strcasecmp( argv[0], "binddn" ) == 0 ) { - if (argc != 2) { + if ( argc != 2 ) { fprintf( stderr, "%s: line %d: missing name in \"%s \" line\n", - fname, lineno, argv[0] ); + fname, lineno, argv[0] ); return( 1 ); } ber_str2bv( argv[1], 0, 1, &li->acl_authcDN ); @@ -217,10 +223,10 @@ ldap_back_db_config( /* password to use for ldap_back_group */ } else if ( strcasecmp( argv[0], "acl-passwd" ) == 0 || strcasecmp( argv[0], "bindpw" ) == 0 ) { - if (argc != 2) { + if ( argc != 2 ) { fprintf( stderr, "%s: line %d: missing password in \"%s \" line\n", - fname, lineno, argv[0] ); + fname, lineno, argv[0] ); return( 1 ); } ber_str2bv( argv[1], 0, 1, &li->acl_passwd ); @@ -234,304 +240,37 @@ ldap_back_db_config( /* save bind creds for referral rebinds? */ } else if ( strcasecmp( argv[0], "rebind-as-user" ) == 0 ) { - if (argc != 1) { + if ( argc != 1 ) { fprintf( stderr, "%s: line %d: rebind-as-user takes no arguments\n", - fname, lineno ); + fname, lineno ); return( 1 ); } li->savecred = 1; /* intercept exop_who_am_i? */ } else if ( strcasecmp( argv[0], "proxy-whoami" ) == 0 ) { - if (argc != 1) { + if ( argc != 1 ) { fprintf( stderr, "%s: line %d: proxy-whoami takes no arguments\n", - fname, lineno ); + fname, lineno ); return( 1 ); } load_extop( (struct berval *)&slap_EXOP_WHOAMI, - 0, ldap_back_exop_whoami ); + 0, ldap_back_exop_whoami ); - /* dn massaging */ - } else if ( strcasecmp( argv[0], "suffixmassage" ) == 0 ) { - BackendDB *tmp_be; - struct berval bvnc, nvnc, pvnc, brnc, nrnc, prnc; -#ifdef ENABLE_REWRITE - int rc; -#endif /* ENABLE_REWRITE */ - - /* - * syntax: - * - * suffixmassage - * - * the field must be defined as a valid suffix - * (or suffixAlias?) for the current database; - * the shouldn't have already been - * defined as a valid suffix or suffixAlias for the - * current server - */ - if ( argc != 3 ) { - fprintf( stderr, "%s: line %d: syntax is" - " \"suffixMassage " - " \"\n", - fname, lineno ); - return( 1 ); - } - - ber_str2bv( argv[1], 0, 0, &bvnc ); - if ( dnPrettyNormal( NULL, &bvnc, &pvnc, &nvnc, NULL ) != LDAP_SUCCESS ) { - fprintf( stderr, "%s: line %d: suffix DN %s is invalid\n", - fname, lineno, bvnc.bv_val ); - return( 1 ); - } - tmp_be = select_backend( &nvnc, 0, 0 ); - if ( tmp_be != NULL && tmp_be != be ) { - fprintf( stderr, "%s: line %d: suffix already in use" - " by another backend in" - " \"suffixMassage " - " \"\n", - fname, lineno ); - free( nvnc.bv_val ); - free( pvnc.bv_val ); - return( 1 ); - } - - ber_str2bv( argv[2], 0, 0, &brnc ); - if ( dnPrettyNormal( NULL, &brnc, &prnc, &nrnc, NULL ) != LDAP_SUCCESS ) { - fprintf( stderr, "%s: line %d: suffix DN %s is invalid\n", - fname, lineno, brnc.bv_val ); - free( nvnc.bv_val ); - free( pvnc.bv_val ); - return( 1 ); - } - -#if 0 - tmp_be = select_backend( &nrnc, 0, 0 ); - if ( tmp_be != NULL ) { - fprintf( stderr, "%s: line %d: massaged suffix" - " already in use by another backend in" - " \"suffixMassage " - " \"\n", - fname, lineno ); - free( nvnc.bv_val ); - free( pvnc.bv_val ); - free( nrnc.bv_val ); - free( prnc.bv_val ); - return( 1 ); - } -#endif - -#ifdef ENABLE_REWRITE - /* - * The suffix massaging is emulated by means of the - * rewrite capabilities - * FIXME: no extra rewrite capabilities should be added - * to the database - */ - rc = suffix_massage_config( li->rwmap.rwm_rw, - &pvnc, &nvnc, &prnc, &nrnc ); - free( nvnc.bv_val ); - free( pvnc.bv_val ); - free( nrnc.bv_val ); - free( prnc.bv_val ); - - return( rc ); - -#else /* !ENABLE_REWRITE */ - ber_bvarray_add( &li->rwmap.rwm_suffix_massage, &pvnc ); - ber_bvarray_add( &li->rwmap.rwm_suffix_massage, &nvnc ); - - ber_bvarray_add( &li->rwmap.rwm_suffix_massage, &prnc ); - ber_bvarray_add( &li->rwmap.rwm_suffix_massage, &nrnc ); -#endif /* !ENABLE_REWRITE */ - - /* rewrite stuff ... */ - } else if ( strncasecmp( argv[0], "rewrite", 7 ) == 0 ) { -#ifdef ENABLE_REWRITE - return rewrite_parse( li->rwmap.rwm_rw, - fname, lineno, argc, argv ); - -#else /* !ENABLE_REWRITE */ - fprintf( stderr, "%s: line %d: rewrite capabilities " - "are not enabled\n", fname, lineno ); -#endif /* !ENABLE_REWRITE */ - - /* objectclass/attribute mapping */ - } else if ( strcasecmp( argv[0], "map" ) == 0 ) { - return ldap_back_map_config( &li->rwmap.rwm_oc, - &li->rwmap.rwm_at, - fname, lineno, argc, argv ); - /* anything else */ } else { return SLAP_CONF_UNKNOWN; } - return 0; -} - -int -ldap_back_map_config( - struct ldapmap *oc_map, - struct ldapmap *at_map, - const char *fname, - int lineno, - int argc, - char **argv ) -{ - struct ldapmap *map; - struct ldapmapping *mapping; - char *src, *dst; - int is_oc = 0; - - if ( argc < 3 || argc > 4 ) { - fprintf( stderr, - "%s: line %d: syntax is \"map {objectclass | attribute} [ | *] { | *}\"\n", - fname, lineno ); - return 1; - } - - if ( strcasecmp( argv[1], "objectclass" ) == 0 ) { - map = oc_map; - is_oc = 1; - - } else if ( strcasecmp( argv[1], "attribute" ) == 0 ) { - map = at_map; - - } else { - fprintf( stderr, "%s: line %d: syntax is " - "\"map {objectclass | attribute} [ | *] " - "{ | *}\"\n", - fname, lineno ); - return 1; - } - - if ( strcmp( argv[2], "*" ) == 0 ) { - if ( argc < 4 || strcmp( argv[3], "*" ) == 0 ) { - map->drop_missing = ( argc < 4 ); - return 0; - } - src = dst = argv[3]; - - } else if ( argc < 4 ) { - src = ""; - dst = argv[2]; - - } else { - src = argv[2]; - dst = ( strcmp( argv[3], "*" ) == 0 ? src : argv[3] ); - } - - if ( ( map == at_map ) - && ( strcasecmp( src, "objectclass" ) == 0 - || strcasecmp( dst, "objectclass" ) == 0 ) ) - { - fprintf( stderr, - "%s: line %d: objectclass attribute cannot be mapped\n", - fname, lineno ); - } - - mapping = (struct ldapmapping *)ch_calloc( 2, - sizeof(struct ldapmapping) ); - if ( mapping == NULL ) { - fprintf( stderr, - "%s: line %d: out of memory\n", - fname, lineno ); - return 1; - } - ber_str2bv( src, 0, 1, &mapping->src ); - ber_str2bv( dst, 0, 1, &mapping->dst ); - mapping[1].src = mapping->dst; - mapping[1].dst = mapping->src; - - /* - * schema check - */ - if ( is_oc ) { - if ( src[0] != '\0' ) { - if ( oc_bvfind( &mapping->src ) == NULL ) { - fprintf( stderr, - "%s: line %d: warning, source objectClass '%s' " - "should be defined in schema\n", - fname, lineno, src ); - - /* - * FIXME: this should become an err - */ - goto error_return; - } - } - - if ( oc_bvfind( &mapping->dst ) == NULL ) { - fprintf( stderr, - "%s: line %d: warning, destination objectClass '%s' " - "is not defined in schema\n", - fname, lineno, dst ); - } - } else { - int rc; - const char *text = NULL; - AttributeDescription *ad = NULL; - - if ( src[0] != '\0' ) { - rc = slap_bv2ad( &mapping->src, &ad, &text ); - if ( rc != LDAP_SUCCESS ) { - fprintf( stderr, - "%s: line %d: warning, source attributeType '%s' " - "should be defined in schema\n", - fname, lineno, src ); - - /* - * FIXME: this should become an err - */ - goto error_return; - } - - ad = NULL; - } - - rc = slap_bv2ad( &mapping->dst, &ad, &text ); - if ( rc != LDAP_SUCCESS ) { - fprintf( stderr, - "%s: line %d: warning, destination attributeType '%s' " - "is not defined in schema\n", - fname, lineno, dst ); - } - } - - if ( (src[0] != '\0' && avl_find( map->map, (caddr_t)mapping, mapping_cmp ) != NULL) - || avl_find( map->remap, (caddr_t)&mapping[1], mapping_cmp ) != NULL) - { - fprintf( stderr, - "%s: line %d: duplicate mapping found (ignored)\n", - fname, lineno ); - goto error_return; - } - - if ( src[0] != '\0' ) { - avl_insert( &map->map, (caddr_t)mapping, - mapping_cmp, mapping_dup ); - } - avl_insert( &map->remap, (caddr_t)&mapping[1], - mapping_cmp, mapping_dup ); return 0; - -error_return:; - if ( mapping ) { - ch_free( mapping->src.bv_val ); - ch_free( mapping->dst.bv_val ); - ch_free( mapping ); - } - - return 1; } static int ldap_back_exop_whoami( - Operation *op, - SlapReply *rs ) + Operation *op, + SlapReply *rs ) { struct berval *bv = NULL; @@ -569,10 +308,10 @@ ldap_back_exop_whoami( strcpy(c.ldctl_value.bv_val+3, op->o_ndn.bv_val); retry: - rs->sr_err = ldap_whoami(lc->ld, ctrls, NULL, &msgid); + rs->sr_err = ldap_whoami(lc->lc_ld, ctrls, NULL, &msgid); if (rs->sr_err == LDAP_SUCCESS) { - if (ldap_result(lc->ld, msgid, 1, NULL, &res) == -1) { - ldap_get_option(lc->ld, LDAP_OPT_ERROR_NUMBER, + if (ldap_result(lc->lc_ld, msgid, 1, NULL, &res) == -1) { + ldap_get_option(lc->lc_ld, LDAP_OPT_ERROR_NUMBER, &rs->sr_err); if ( rs->sr_err == LDAP_SERVER_DOWN && do_retry ) { do_retry = 0; @@ -583,7 +322,7 @@ retry: lc = NULL; } else { - rs->sr_err = ldap_parse_whoami(lc->ld, res, &bv); + rs->sr_err = ldap_parse_whoami(lc->lc_ld, res, &bv); ldap_msgfree(res); } } @@ -594,7 +333,7 @@ retry: } else { /* else just do the same as before */ bv = (struct berval *) ch_malloc( sizeof(struct berval) ); - if( op->o_dn.bv_len ) { + if ( !BER_BVISEMPTY( &op->o_dn ) ) { bv->bv_len = op->o_dn.bv_len + sizeof("dn:") - 1; bv->bv_val = ch_malloc( bv->bv_len + 1 ); AC_MEMCPY( bv->bv_val, "dn:", sizeof("dn:") - 1 ); @@ -612,119 +351,6 @@ retry: } -#ifdef ENABLE_REWRITE -static char * -suffix_massage_regexize( const char *s ) -{ - char *res, *ptr; - const char *p, *r; - int i; - - for ( i = 0, p = s; - ( r = strchr( p, ',' ) ) != NULL; - p = r + 1, i++ ) - ; - - res = ch_calloc( sizeof( char ), strlen( s ) + 4 + 4*i + 1 ); - - ptr = lutil_strcopy( res, "(.*)" ); - for ( i = 0, p = s; - ( r = strchr( p, ',' ) ) != NULL; - p = r + 1 , i++ ) { - ptr = lutil_strncopy( ptr, p, r - p + 1 ); - ptr = lutil_strcopy( ptr, "[ ]?" ); - - if ( r[ 1 ] == ' ' ) { - r++; - } - } - lutil_strcopy( ptr, p ); - - return res; -} - -static char * -suffix_massage_patternize( const char *s ) -{ - ber_len_t len; - char *res; - - len = strlen( s ); - - res = ch_calloc( sizeof( char ), len + sizeof( "%1" ) ); - if ( res == NULL ) { - return NULL; - } - - strcpy( res, "%1" ); - strcpy( res + sizeof( "%1" ) - 1, s ); - - return res; -} - -int -suffix_massage_config( - struct rewrite_info *info, - struct berval *pvnc, - struct berval *nvnc, - struct berval *prnc, - struct berval *nrnc -) -{ - char *rargv[ 5 ]; - int line = 0; - - rargv[ 0 ] = "rewriteEngine"; - rargv[ 1 ] = "on"; - rargv[ 2 ] = NULL; - rewrite_parse( info, "", ++line, 2, rargv ); - - rargv[ 0 ] = "rewriteContext"; - rargv[ 1 ] = "default"; - rargv[ 2 ] = NULL; - rewrite_parse( info, "", ++line, 2, rargv ); - - rargv[ 0 ] = "rewriteRule"; - rargv[ 1 ] = suffix_massage_regexize( pvnc->bv_val ); - rargv[ 2 ] = suffix_massage_patternize( prnc->bv_val ); - rargv[ 3 ] = ":"; - rargv[ 4 ] = NULL; - rewrite_parse( info, "", ++line, 4, rargv ); - ch_free( rargv[ 1 ] ); - ch_free( rargv[ 2 ] ); - - rargv[ 0 ] = "rewriteContext"; - rargv[ 1 ] = "searchResult"; - rargv[ 2 ] = NULL; - rewrite_parse( info, "", ++line, 2, rargv ); - - rargv[ 0 ] = "rewriteRule"; - rargv[ 1 ] = suffix_massage_regexize( prnc->bv_val ); - rargv[ 2 ] = suffix_massage_patternize( pvnc->bv_val ); - rargv[ 3 ] = ":"; - rargv[ 4 ] = NULL; - rewrite_parse( info, "", ++line, 4, rargv ); - ch_free( rargv[ 1 ] ); - ch_free( rargv[ 2 ] ); - - rargv[ 0 ] = "rewriteContext"; - rargv[ 1 ] = "matchedDN"; - rargv[ 2 ] = "alias"; - rargv[ 3 ] = "searchResult"; - rargv[ 4 ] = NULL; - rewrite_parse( info, "", ++line, 4, rargv ); - - rargv[ 0 ] = "rewriteContext"; - rargv[ 1 ] = "searchAttrDN"; - rargv[ 2 ] = "alias"; - rargv[ 3 ] = "searchResult"; - rargv[ 4 ] = NULL; - rewrite_parse( info, "", ++line, 4, rargv ); - - return 0; -} -#endif /* ENABLE_REWRITE */ - #ifdef LDAP_BACK_PROXY_AUTHZ static int parse_idassert( @@ -739,9 +365,9 @@ parse_idassert( /* identity assertion mode */ if ( strcasecmp( argv[0], "idassert-mode" ) == 0 ) { - if ( argc != 2 ) { + if ( argc < 2 ) { Debug( LDAP_DEBUG_ANY, - "%s: line %d: illegal args number %d in \"idassert-mode \" line.\n", + "%s: line %d: illegal args number %d in \"idassert-mode [ [...]]\" line.\n", fname, lineno, argc ); return 1; } @@ -802,6 +428,20 @@ parse_idassert( } } + for ( argc -= 2, argv += 2; argc--; argv++ ) { + if ( strcasecmp( argv[0], "override" ) == 0 ) { + li->idassert_flags |= LDAP_BACK_AUTH_OVERRIDE; + + } else { + Debug( LDAP_DEBUG_ANY, + "%s: line %d: unknown flag \"%s\" " + "in \"idassert-mode " + "[]\" line.\n", + fname, lineno, argv[0] ); + return 1; + } + } + /* name to use for proxyAuthz propagation */ } else if ( strcasecmp( argv[0], "idassert-authcdn" ) == 0 || strcasecmp( argv[0], "proxyauthzdn" ) == 0 ) diff --git a/servers/slapd/back-ldap/delete.c b/servers/slapd/back-ldap/delete.c index 9efc3fe932..b05872c9a6 100644 --- a/servers/slapd/back-ldap/delete.c +++ b/servers/slapd/back-ldap/delete.c @@ -33,40 +33,20 @@ int ldap_back_delete( - Operation *op, - SlapReply *rs ) + Operation *op, + SlapReply *rs ) { - struct ldapinfo *li = (struct ldapinfo *) op->o_bd->be_private; - struct ldapconn *lc; - ber_int_t msgid; - dncookie dc; - LDAPControl **ctrls = NULL; - int do_retry = 1; - int rc = LDAP_SUCCESS; - - struct berval mdn = BER_BVNULL; + struct ldapconn *lc; + ber_int_t msgid; + LDAPControl **ctrls = NULL; + int do_retry = 1; + int rc = LDAP_SUCCESS; lc = ldap_back_getconn( op, rs ); if ( !lc || !ldap_back_dobind( lc, op, rs ) ) { - return( -1 ); - } - - /* - * Rewrite the request dn, if needed - */ - dc.rwmap = &li->rwmap; -#ifdef ENABLE_REWRITE - dc.conn = op->o_conn; - dc.rs = rs; - dc.ctx = "deleteDN"; -#else - dc.tofrom = 1; - dc.normalized = 0; -#endif - if ( ldap_back_dn_massage( &dc, &op->o_req_ndn, &mdn ) ) { - send_ldap_result( op, rs ); - return -1; + rc = -1; + goto cleanup; } #ifdef LDAP_BACK_PROXY_AUTHZ @@ -80,7 +60,7 @@ ldap_back_delete( #endif /* LDAP_BACK_PROXY_AUTHZ */ retry: - rs->sr_err = ldap_delete_ext( lc->ld, mdn.bv_val, + rs->sr_err = ldap_delete_ext( lc->lc_ld, op->o_req_ndn.bv_val, ctrls, NULL, &msgid ); rc = ldap_back_op_result( lc, op, rs, msgid, 1 ); if ( rs->sr_err == LDAP_SERVER_DOWN && do_retry ) { @@ -88,17 +68,10 @@ retry: if ( ldap_back_retry (lc, op, rs )) goto retry; } -#ifdef LDAP_BACK_PROXY_AUTHZ cleanup: - if ( ctrls && ctrls != op->o_ctrls ) { - free( ctrls[ 0 ] ); - free( ctrls ); - } +#ifdef LDAP_BACK_PROXY_AUTHZ + (void)ldap_back_proxy_authz_ctrl_free( op, &ctrls ); #endif /* LDAP_BACK_PROXY_AUTHZ */ - if ( mdn.bv_val != op->o_req_ndn.bv_val ) { - free( mdn.bv_val ); - } - return rc; } diff --git a/servers/slapd/back-ldap/extended.c b/servers/slapd/back-ldap/extended.c index 5008de7acc..879c0ce7ca 100644 --- a/servers/slapd/back-ldap/extended.c +++ b/servers/slapd/back-ldap/extended.c @@ -31,7 +31,7 @@ BI_op_extended ldap_back_exop_passwd; static struct exop { - struct berval *oid; + struct berval *oid; BI_op_extended *extended; } exop_table[] = { { (struct berval *)&slap_EXOP_MODIFY_PASSWD, ldap_back_exop_passwd }, @@ -40,36 +40,39 @@ static struct exop { int ldap_back_extended( - Operation *op, - SlapReply *rs ) + Operation *op, + SlapReply *rs ) { - int i; + int i; - for( i=0; exop_table[i].extended != NULL; i++ ) { - if( ber_bvcmp( exop_table[i].oid, &op->oq_extended.rs_reqoid ) == 0 ) { + for ( i = 0; exop_table[i].extended != NULL; i++ ) { + if ( bvmatch( exop_table[i].oid, &op->oq_extended.rs_reqoid ) ) + { #ifdef LDAP_BACK_PROXY_AUTHZ - struct ldapconn *lc; - LDAPControl **oldctrls = NULL; - int rc; + struct ldapconn *lc; + LDAPControl **oldctrls = NULL; + int rc; /* FIXME: this needs to be called here, so it is * called twice; maybe we could avoid the * ldap_back_dobind() call inside each extended() * call ... */ - lc = ldap_back_getconn(op, rs); - if (!lc || !ldap_back_dobind(lc, op, rs) ) { + lc = ldap_back_getconn( op, rs ); + if ( !lc || !ldap_back_dobind( lc, op, rs ) ) { return -1; } oldctrls = op->o_ctrls; - if ( ldap_back_proxy_authz_ctrl( lc, op, rs, &op->o_ctrls ) ) { + if ( ldap_back_proxy_authz_ctrl( lc, op, rs, + &op->o_ctrls ) ) + { op->o_ctrls = oldctrls; send_ldap_result( op, rs ); rs->sr_text = NULL; return rs->sr_err; } - rc = (exop_table[i].extended)( op, rs ); + rc = ( *exop_table[i].extended )( op, rs ); if ( op->o_ctrls && op->o_ctrls != oldctrls ) { free( op->o_ctrls[ 0 ] ); @@ -79,7 +82,7 @@ ldap_back_extended( return rc; #else /* ! LDAP_BACK_PROXY_AUTHZ */ - return (exop_table[i].extended)( op, rs ); + return ( *exop_table[i].extended )( op, rs ); #endif /* ! LDAP_BACK_PROXY_AUTHZ */ } } @@ -90,94 +93,86 @@ ldap_back_extended( int ldap_back_exop_passwd( - Operation *op, - SlapReply *rs ) + Operation *op, + SlapReply *rs ) { - struct ldapinfo *li = (struct ldapinfo *) op->o_bd->be_private; - struct ldapconn *lc; - req_pwdexop_s *qpw = &op->oq_pwdexop; - struct berval mdn = BER_BVNULL, newpw; - LDAPMessage *res; - ber_int_t msgid; - int rc, isproxy; - int do_retry = 1; - dncookie dc; - - lc = ldap_back_getconn(op, rs); - if (!lc || !ldap_back_dobind(lc, op, rs) ) { + struct ldapconn *lc; + req_pwdexop_s *qpw = &op->oq_pwdexop; + LDAPMessage *res; + ber_int_t msgid; + int rc, isproxy; + int do_retry = 1; + + lc = ldap_back_getconn( op, rs ); + if ( !lc || !ldap_back_dobind( lc, op, rs ) ) { return -1; } isproxy = ber_bvcmp( &op->o_req_ndn, &op->o_ndn ); - Debug( LDAP_DEBUG_TRACE, "ldap_back_exop_passwd: \"%s\"%s\n", + Debug( LDAP_DEBUG_ARGS, "==> ldap_back_exop_passwd(\"%s\")%s\n", op->o_req_dn.bv_val, isproxy ? " (proxy)" : "", 0 ); - if ( isproxy ) { - dc.rwmap = &li->rwmap; -#ifdef ENABLE_REWRITE - dc.conn = op->o_conn; - dc.rs = rs; - dc.ctx = "exopPasswdDN"; -#else - dc.tofrom = 1; - dc.normalized = 0; -#endif - if ( ldap_back_dn_massage( &dc, &op->o_req_dn, &mdn ) ) { - send_ldap_result( op, rs ); - return -1; - } - } - retry: - rc = ldap_passwd(lc->ld, isproxy ? &mdn : NULL, + rc = ldap_passwd( lc->lc_ld, isproxy ? &op->o_req_dn : NULL, qpw->rs_old.bv_val ? &qpw->rs_old : NULL, qpw->rs_new.bv_val ? &qpw->rs_new : NULL, - op->o_ctrls, NULL, &msgid); + op->o_ctrls, NULL, &msgid ); - if (rc == LDAP_SUCCESS) { - if (ldap_result(lc->ld, msgid, 1, NULL, &res) == -1) { - ldap_get_option(lc->ld, LDAP_OPT_ERROR_NUMBER, &rc); + if ( rc == LDAP_SUCCESS ) { + if ( ldap_result( lc->lc_ld, msgid, 1, NULL, &res ) == -1 ) { + ldap_get_option( lc->lc_ld, LDAP_OPT_ERROR_NUMBER, &rc ); ldap_back_freeconn( op, lc ); lc = NULL; } else { - /* sigh. parse twice, because parse_passwd doesn't give - * us the err / match / msg info. + /* sigh. parse twice, because parse_passwd + * doesn't give us the err / match / msg info. */ - rc = ldap_parse_result(lc->ld, res, &rs->sr_err, (char **)&rs->sr_matched, (char **)&rs->sr_text, - NULL, NULL, 0); - if (rc == LDAP_SUCCESS) { - if (rs->sr_err == LDAP_SUCCESS) { - rc = ldap_parse_passwd(lc->ld, res, &newpw); - if (rc == LDAP_SUCCESS && newpw.bv_val) { + rc = ldap_parse_result( lc->lc_ld, res, &rs->sr_err, + (char **)&rs->sr_matched, + (char **)&rs->sr_text, + NULL, NULL, 0 ); + if ( rc == LDAP_SUCCESS ) { + if ( rs->sr_err == LDAP_SUCCESS ) { + struct berval newpw; + + rc = ldap_parse_passwd( lc->lc_ld, res, + &newpw); + if ( rc == LDAP_SUCCESS && + !BER_BVISNULL( &newpw ) ) + { rs->sr_type = REP_EXTENDED; - rs->sr_rspdata = slap_passwd_return(&newpw); - free(newpw.bv_val); + rs->sr_rspdata = slap_passwd_return( &newpw ); + free( newpw.bv_val ); } + } else { rc = rs->sr_err; } } - ldap_msgfree(res); + ldap_msgfree( res ); } } - if (rc != LDAP_SUCCESS) { + if ( rc != LDAP_SUCCESS ) { rs->sr_err = slap_map_api2result( rs ); if ( rs->sr_err == LDAP_UNAVAILABLE && do_retry ) { do_retry = 0; - if ( ldap_back_retry (lc, op, rs )) goto retry; + if ( ldap_back_retry(lc, op, rs ) ) { + goto retry; + } + } + send_ldap_result( op, rs ); + if ( rs->sr_matched ) { + free( (char *)rs->sr_matched ); + } + if ( rs->sr_text ) { + free( (char *)rs->sr_text ); } - send_ldap_result(op, rs); - if (rs->sr_matched) free((char *)rs->sr_matched); - if (rs->sr_text) free((char *)rs->sr_text); rs->sr_matched = NULL; rs->sr_text = NULL; rc = -1; } - if (mdn.bv_val != op->o_req_dn.bv_val) { - free(mdn.bv_val); - } return rc; } diff --git a/servers/slapd/back-ldap/init.c b/servers/slapd/back-ldap/init.c index bbf35ef531..26db3c83b7 100644 --- a/servers/slapd/back-ldap/init.c +++ b/servers/slapd/back-ldap/init.c @@ -33,33 +33,31 @@ #include "external.h" #if SLAPD_LDAP == SLAPD_MOD_DYNAMIC +int +init_module( int argc, char *argv[] ) +{ + BackendInfo bi; -int init_module(int argc, char *argv[]) { - BackendInfo bi; - - memset( &bi, '\0', sizeof(bi) ); - bi.bi_type = "ldap"; - bi.bi_init = ldap_back_initialize; + memset( &bi, '\0', sizeof( bi ) ); + bi.bi_type = "ldap"; + bi.bi_init = ldap_back_initialize; - backend_add(&bi); - return 0; + backend_add( &bi ); + + return 0; } #endif /* SLAPD_LDAP */ int -ldap_back_open( - BackendInfo *bi -) +ldap_back_open( BackendInfo *bi ) { bi->bi_controls = slap_known_controls; return 0; } int -ldap_back_initialize( - BackendInfo *bi -) +ldap_back_initialize( BackendInfo *bi ) { bi->bi_open = ldap_back_open; bi->bi_config = 0; @@ -94,14 +92,11 @@ ldap_back_initialize( } int -ldap_back_db_init( - Backend *be -) +ldap_back_db_init( Backend *be ) { struct ldapinfo *li; - struct ldapmapping *mapping; - li = (struct ldapinfo *) ch_calloc( 1, sizeof(struct ldapinfo) ); + li = (struct ldapinfo *)ch_calloc( 1, sizeof( struct ldapinfo ) ); if ( li == NULL ) { return -1; } @@ -130,42 +125,10 @@ ldap_back_db_init( li->idassert_flags = LDAP_BACK_AUTH_NONE; #endif /* LDAP_BACK_PROXY_AUTHZ */ -#ifdef ENABLE_REWRITE - li->rwmap.rwm_rw = rewrite_info_init( REWRITE_MODE_USE_DEFAULT ); - if ( li->rwmap.rwm_rw == NULL ) { - ch_free( li ); - return -1; - } - - { - char *rargv[3]; - - /* - * the filter rewrite as a string must be disabled - * by default; it can be re-enabled by adding rules; - * this creates an empty rewriteContext - */ - rargv[ 0 ] = "rewriteContext"; - rargv[ 1 ] = "searchFilter"; - rargv[ 2 ] = NULL; - rewrite_parse( li->rwmap.rwm_rw, "", - 1, 2, rargv ); - - rargv[ 0 ] = "rewriteContext"; - rargv[ 1 ] = "default"; - rargv[ 2 ] = NULL; - rewrite_parse( li->rwmap.rwm_rw, "", - 1, 2, rargv ); - } -#endif /* ENABLE_REWRITE */ - ldap_pvt_thread_mutex_init( &li->conn_mutex ); - ldap_back_map_init( &li->rwmap.rwm_oc, &mapping ); - ldap_back_map_init( &li->rwmap.rwm_at, &mapping ); - be->be_private = li; - SLAP_DBFLAGS(be) |= SLAP_DBFLAG_NOLASTMOD; + SLAP_DBFLAGS( be ) |= SLAP_DBFLAG_NOLASTMOD; return 0; } @@ -176,7 +139,7 @@ ldap_back_db_open( BackendDB *be ) struct ldapinfo *li = (struct ldapinfo *)be->be_private; Debug( LDAP_DEBUG_TRACE, - "ldap_back_db_open: URI=%s\n", li->url, 0, 0 ); + "ldap_back_db_open: URI=%s\n", li->url, 0, 0 ); #ifdef LDAP_BACK_PROXY_AUTHZ /* by default, use proxyAuthz control on each operation */ @@ -193,39 +156,55 @@ ldap_back_db_open( BackendDB *be ) } #endif /* LDAP_BACK_PROXY_AUTHZ */ +#ifdef SLAPD_MONITOR + { + struct berval filter, + base = BER_BVC( "cn=Databases,cn=Monitor" ); + const char *text; + struct berval vals[ 2 ]; + Attribute a = { 0 }; + + filter.bv_len = STRLENOF( "(&(namingContexts=)(monitoredInfo=ldap))" ) + + be->be_nsuffix[ 0 ].bv_len; + filter.bv_val = ch_malloc( filter.bv_len + 1 ); + snprintf( filter.bv_val, filter.bv_len + 1, + "(&(namingContexts=%s)(monitoredInfo=ldap))", + be->be_nsuffix[ 0 ].bv_val ); + + a.a_desc = slap_schema.si_ad_labeledURI; + ber_str2bv( li->url, 0, 0, &vals[ 0 ] ); + BER_BVZERO( &vals[ 1 ] ); + a.a_vals = vals; + a.a_nvals = vals; + if ( monitor_back_register_entry_attrs( NULL, &a, NULL, &base, LDAP_SCOPE_SUBTREE, &filter ) ) { + /* error */ + } + } +#endif /* SLAPD_MONITOR */ + return 0; } void -ldap_back_conn_free( - void *v_lc -) +ldap_back_conn_free( void *v_lc ) { - struct ldapconn *lc = v_lc; - ldap_unbind( lc->ld ); - if ( lc->bound_dn.bv_val ) { - ch_free( lc->bound_dn.bv_val ); + struct ldapconn *lc = v_lc; + + ldap_unbind_ext_s( lc->lc_ld, NULL, NULL ); + if ( !BER_BVISNULL( &lc->lc_bound_ndn ) ) { + ch_free( lc->lc_bound_ndn.bv_val ); } - if ( lc->cred.bv_val ) { - memset( lc->cred.bv_val, 0, lc->cred.bv_len ); - ch_free( lc->cred.bv_val ); + if ( !BER_BVISNULL( &lc->lc_cred ) ) { + memset( lc->lc_cred.bv_val, 0, lc->lc_cred.bv_len ); + ch_free( lc->lc_cred.bv_val ); } - if ( lc->local_dn.bv_val ) { - ch_free( lc->local_dn.bv_val ); + if ( !BER_BVISNULL( &lc->lc_local_ndn ) ) { + ch_free( lc->lc_local_ndn.bv_val ); } ldap_pvt_thread_mutex_destroy( &lc->lc_mutex ); ch_free( lc ); } -static void -mapping_free( void *v_mapping ) -{ - struct ldapmapping *mapping = v_mapping; - ch_free( mapping->src.bv_val ); - ch_free( mapping->dst.bv_val ); - ch_free( mapping ); -} - int ldap_back_db_destroy( Backend *be @@ -233,13 +212,13 @@ ldap_back_db_destroy( { struct ldapinfo *li; - if (be->be_private) { - li = (struct ldapinfo *)be->be_private; + if ( be->be_private ) { + li = ( struct ldapinfo * )be->be_private; ldap_pvt_thread_mutex_lock( &li->conn_mutex ); - if (li->url) { - ch_free(li->url); + if ( li->url ) { + ch_free( li->url ); li->url = NULL; } if ( li->lud ) { @@ -280,28 +259,15 @@ ldap_back_db_destroy( BER_BVZERO( &li->idassert_sasl_realm ); } #endif /* LDAP_BACK_PROXY_AUTHZ */ - if (li->conntree) { + if ( li->conntree ) { avl_free( li->conntree, ldap_back_conn_free ); } -#ifdef ENABLE_REWRITE - if (li->rwmap.rwm_rw) { - rewrite_info_delete( &li->rwmap.rwm_rw ); - } -#else /* !ENABLE_REWRITE */ - if (li->rwmap.rwm_suffix_massage) { - ber_bvarray_free( li->rwmap.rwm_suffix_massage ); - } -#endif /* !ENABLE_REWRITE */ - - avl_free( li->rwmap.rwm_oc.remap, NULL ); - avl_free( li->rwmap.rwm_oc.map, mapping_free ); - avl_free( li->rwmap.rwm_at.remap, NULL ); - avl_free( li->rwmap.rwm_at.map, mapping_free ); - + ldap_pvt_thread_mutex_unlock( &li->conn_mutex ); ldap_pvt_thread_mutex_destroy( &li->conn_mutex ); } ch_free( be->be_private ); + return 0; } diff --git a/servers/slapd/back-ldap/modify.c b/servers/slapd/back-ldap/modify.c index 891cc7038a..bdfbdc7d1b 100644 --- a/servers/slapd/back-ldap/modify.c +++ b/servers/slapd/back-ldap/modify.c @@ -33,130 +33,67 @@ int ldap_back_modify( - Operation *op, - SlapReply *rs ) + Operation *op, + SlapReply *rs ) { - struct ldapinfo *li = (struct ldapinfo *) op->o_bd->be_private; - struct ldapconn *lc; - LDAPMod **modv = NULL; - LDAPMod *mods; - Modifications *ml; - int i, j, rc; - struct berval mapped; - struct berval mdn = BER_BVNULL; - ber_int_t msgid; - dncookie dc; - int isupdate; - int do_retry = 1; - LDAPControl **ctrls = NULL; - - lc = ldap_back_getconn(op, rs); + struct ldapconn *lc; + LDAPMod **modv = NULL, + *mods = NULL; + Modifications *ml; + int i, j, rc; + ber_int_t msgid; + int isupdate; + int do_retry = 1; + LDAPControl **ctrls = NULL; + + lc = ldap_back_getconn( op, rs ); if ( !lc || !ldap_back_dobind( lc, op, rs ) ) { - return( -1 ); - } - - /* - * Rewrite the modify dn, if needed - */ - dc.rwmap = &li->rwmap; -#ifdef ENABLE_REWRITE - dc.conn = op->o_conn; - dc.rs = rs; - dc.ctx = "modifyDN"; -#else - dc.tofrom = 1; - dc.normalized = 0; -#endif - if ( ldap_back_dn_massage( &dc, &op->o_req_ndn, &mdn ) ) { - send_ldap_result( op, rs ); return -1; } - for (i=0, ml=op->oq_modify.rs_modlist; ml; i++,ml=ml->sml_next) - ; + for ( i = 0, ml = op->oq_modify.rs_modlist; ml; i++, ml = ml->sml_next ) + /* just count mods */ ; - mods = (LDAPMod *)ch_malloc(i*sizeof(LDAPMod)); - if (mods == NULL) { - rc = LDAP_NO_MEMORY; - goto cleanup; - } - modv = (LDAPMod **)ch_malloc((i+1)*sizeof(LDAPMod *)); - if (modv == NULL) { + modv = (LDAPMod **)ch_malloc( ( i + 1 )*sizeof( LDAPMod * ) + + i*sizeof( LDAPMod ) ); + if ( modv == NULL ) { rc = LDAP_NO_MEMORY; goto cleanup; } - -#ifdef ENABLE_REWRITE - dc.ctx = "modifyAttrDN"; -#endif + mods = (LDAPMod *)&modv[ i + 1 ]; isupdate = be_shadow_update( op ); - for (i=0, ml=op->oq_modify.rs_modlist; ml; ml=ml->sml_next) { - int is_oc = 0; - + for ( i = 0, ml = op->oq_modify.rs_modlist; ml; ml = ml->sml_next ) { if ( !isupdate && ml->sml_desc->ad_type->sat_no_user_mod ) { continue; } - if ( ml->sml_desc == slap_schema.si_ad_objectClass - || ml->sml_desc == slap_schema.si_ad_structuralObjectClass ) { - is_oc = 1; - mapped = ml->sml_desc->ad_cname; + modv[ i ] = &mods[ i ]; + mods[ i ].mod_op = ( ml->sml_op | LDAP_MOD_BVALUES ); + mods[ i ].mod_type = ml->sml_desc->ad_cname.bv_val; - } else { - ldap_back_map(&li->rwmap.rwm_at, - &ml->sml_desc->ad_cname, - &mapped, BACKLDAP_MAP); - if (mapped.bv_val == NULL || mapped.bv_val[0] == '\0') { + if ( ml->sml_values != NULL ) { + if ( ml->sml_values == NULL ) { continue; } - } - - modv[i] = &mods[i]; - mods[i].mod_op = ml->sml_op | LDAP_MOD_BVALUES; - mods[i].mod_type = mapped.bv_val; - if ( ml->sml_values != NULL ) { - if ( is_oc ) { - for (j = 0; ml->sml_values[j].bv_val; j++); - mods[i].mod_bvalues = (struct berval **)ch_malloc((j+1) * - sizeof(struct berval *)); - for (j = 0; ml->sml_values[j].bv_val; j++) { - ldap_back_map(&li->rwmap.rwm_oc, - &ml->sml_values[j], - &mapped, BACKLDAP_MAP); - if (mapped.bv_val == NULL || mapped.bv_val[0] == '\0') { - continue; - } - mods[i].mod_bvalues[j] = &mapped; - } - mods[i].mod_bvalues[j] = NULL; - - } else { - if ( ml->sml_desc->ad_type->sat_syntax == - slap_schema.si_syn_distinguishedName ) { - ldap_dnattr_rewrite( &dc, ml->sml_values ); - } - - if ( ml->sml_values == NULL ) { - continue; - } - - for (j = 0; ml->sml_values[j].bv_val; j++); - mods[i].mod_bvalues = (struct berval **)ch_malloc((j+1) * - sizeof(struct berval *)); - for (j = 0; ml->sml_values[j].bv_val; j++) - mods[i].mod_bvalues[j] = &ml->sml_values[j]; - mods[i].mod_bvalues[j] = NULL; + for ( j = 0; !BER_BVISNULL( &ml->sml_values[ j ] ); j++ ) + /* just count mods */ ; + mods[ i ].mod_bvalues = + (struct berval **)ch_malloc( ( j + 1 )*sizeof( struct berval * ) ); + for ( j = 0; !BER_BVISNULL( &ml->sml_values[ j ] ); j++ ) + { + mods[ i ].mod_bvalues[ j ] = &ml->sml_values[ j ]; } + mods[ i ].mod_bvalues[ j ] = NULL; } else { - mods[i].mod_bvalues = NULL; + mods[ i ].mod_bvalues = NULL; } i++; } - modv[i] = 0; + modv[ i ] = 0; ctrls = op->o_ctrls; #ifdef LDAP_BACK_PROXY_AUTHZ @@ -169,29 +106,24 @@ ldap_back_modify( #endif /* LDAP_BACK_PROXY_AUTHZ */ retry: - rs->sr_err = ldap_modify_ext( lc->ld, mdn.bv_val, modv, + rs->sr_err = ldap_modify_ext( lc->lc_ld, op->o_req_ndn.bv_val, modv, ctrls, NULL, &msgid ); rc = ldap_back_op_result( lc, op, rs, msgid, 1 ); if ( rs->sr_err == LDAP_UNAVAILABLE && do_retry ) { do_retry = 0; - if ( ldap_back_retry (lc, op, rs )) goto retry; + if ( ldap_back_retry(lc, op, rs ) ) { + goto retry; + } } cleanup:; #ifdef LDAP_BACK_PROXY_AUTHZ - if ( ctrls && ctrls != op->o_ctrls ) { - free( ctrls[ 0 ] ); - free( ctrls ); - } + (void)ldap_back_proxy_authz_ctrl_free( op, &ctrls ); #endif /* LDAP_BACK_PROXY_AUTHZ */ - if ( mdn.bv_val != op->o_req_ndn.bv_val ) { - free( mdn.bv_val ); - } - for (i=0; modv[i]; i++) { - ch_free(modv[i]->mod_bvalues); + for ( i = 0; modv[ i ]; i++ ) { + ch_free( modv[ i ]->mod_bvalues ); } - ch_free( mods ); ch_free( modv ); return rc; diff --git a/servers/slapd/back-ldap/modrdn.c b/servers/slapd/back-ldap/modrdn.c index 604325a542..35a8125b7b 100644 --- a/servers/slapd/back-ldap/modrdn.c +++ b/servers/slapd/back-ldap/modrdn.c @@ -33,58 +33,26 @@ int ldap_back_modrdn( - Operation *op, - SlapReply *rs ) + Operation *op, + SlapReply *rs ) { - struct ldapinfo *li = (struct ldapinfo *) op->o_bd->be_private; struct ldapconn *lc; - ber_int_t msgid; - dncookie dc; - LDAPControl **ctrls = NULL; - int do_retry = 1; - int rc = LDAP_SUCCESS; - - struct berval mdn = BER_BVNULL, mnewSuperior = BER_BVNULL; + ber_int_t msgid; + LDAPControl **ctrls = NULL; + int do_retry = 1; + int rc = LDAP_SUCCESS; + char *newSup = NULL; lc = ldap_back_getconn( op, rs ); - if ( !lc || !ldap_back_dobind(lc, op, rs) ) { + if ( !lc || !ldap_back_dobind( lc, op, rs ) ) { return( -1 ); } - dc.rwmap = &li->rwmap; -#ifdef ENABLE_REWRITE - dc.conn = op->o_conn; - dc.rs = rs; -#else - dc.tofrom = 1; - dc.normalized = 0; -#endif - if (op->orr_newSup) { - int version = LDAP_VERSION3; - ldap_set_option( lc->ld, LDAP_OPT_PROTOCOL_VERSION, &version); + if ( op->orr_newSup ) { + int version = LDAP_VERSION3; - /* - * Rewrite the new superior, if defined and required - */ -#ifdef ENABLE_REWRITE - dc.ctx = "newSuperiorDN"; -#endif - if ( ldap_back_dn_massage( &dc, op->orr_newSup, - &mnewSuperior ) ) { - send_ldap_result( op, rs ); - return -1; - } - } - - /* - * Rewrite the modrdn dn, if required - */ -#ifdef ENABLE_REWRITE - dc.ctx = "modrDN"; -#endif - if ( ldap_back_dn_massage( &dc, &op->o_req_ndn, &mdn ) ) { - send_ldap_result( op, rs ); - return -1; + ldap_set_option( lc->lc_ld, LDAP_OPT_PROTOCOL_VERSION, &version ); + newSup = op->orr_newSup->bv_val; } ctrls = op->o_ctrls; @@ -98,33 +66,22 @@ ldap_back_modrdn( #endif /* LDAP_BACK_PROXY_AUTHZ */ retry: - rs->sr_err = ldap_rename( lc->ld, mdn.bv_val, - op->orr_newrdn.bv_val, mnewSuperior.bv_val, - op->orr_deleteoldrdn, - ctrls, - NULL, &msgid ); + rs->sr_err = ldap_rename( lc->lc_ld, op->o_req_ndn.bv_val, + op->orr_newrdn.bv_val, newSup, + op->orr_deleteoldrdn, ctrls, NULL, &msgid ); rc = ldap_back_op_result( lc, op, rs, msgid, 1 ); if ( rs->sr_err == LDAP_SERVER_DOWN && do_retry ) { do_retry = 0; - if ( ldap_back_retry (lc, op, rs )) goto retry; + if ( ldap_back_retry( lc, op, rs ) ) { + goto retry; + } } -#ifdef LDAP_BACK_PROXY_AUTHZ cleanup: - if ( ctrls && ctrls != op->o_ctrls ) { - free( ctrls[ 0 ] ); - free( ctrls ); - } +#ifdef LDAP_BACK_PROXY_AUTHZ + (void)ldap_back_proxy_authz_ctrl_free( op, &ctrls ); #endif /* LDAP_BACK_PROXY_AUTHZ */ - if ( mdn.bv_val != op->o_req_ndn.bv_val ) { - free( mdn.bv_val ); - } - if ( mnewSuperior.bv_val != NULL - && mnewSuperior.bv_val != op->oq_modrdn.rs_newSup->bv_val ) { - free( mnewSuperior.bv_val ); - } - return rc; } diff --git a/servers/slapd/back-ldap/search.c b/servers/slapd/back-ldap/search.c index b071217c0d..408fb61a2d 100644 --- a/servers/slapd/back-ldap/search.c +++ b/servers/slapd/back-ldap/search.c @@ -43,27 +43,26 @@ ldap_build_entry( Operation *op, LDAPMessage *e, Entry *ent, int ldap_back_search( - Operation *op, - SlapReply *rs ) + Operation *op, + SlapReply *rs ) { - struct ldapinfo *li = (struct ldapinfo *) op->o_bd->be_private; struct ldapconn *lc; struct timeval tv; - LDAPMessage *res, *e; - int rc = 0, msgid; - struct berval match = BER_BVNULL; - char **mapped_attrs = NULL; - struct berval mbase; - struct berval mfilter = BER_BVNULL; - int dontfreetext = 0; - int freeconn = 0; - int do_retry = 1; - dncookie dc; - LDAPControl **ctrls = NULL; - - lc = ldap_back_getconn(op, rs); + LDAPMessage *res, + *e; + int rc = 0, + msgid; + struct berval match = BER_BVNULL; + int i; + char **attrs = NULL; + int dontfreetext = 0; + int freeconn = 0; + int do_retry = 1; + LDAPControl **ctrls = NULL; + + lc = ldap_back_getconn( op, rs ); if ( !lc ) { - return( -1 ); + return -1; } /* @@ -71,12 +70,13 @@ ldap_back_search( * to map attrs and maybe rewrite value */ if ( !ldap_back_dobind( lc, op, rs ) ) { - return( -1 ); + return -1; } /* should we check return values? */ if ( op->ors_deref != -1 ) { - ldap_set_option( lc->ld, LDAP_OPT_DEREF, (void *)&op->ors_deref ); + ldap_set_option( lc->lc_ld, LDAP_OPT_DEREF, + (void *)&op->ors_deref ); } if ( op->ors_tlimit != SLAP_NO_LIMIT ) { @@ -87,50 +87,21 @@ ldap_back_search( tv.tv_sec = 0; } - /* - * Rewrite the search base, if required - */ - dc.rwmap = &li->rwmap; -#ifdef ENABLE_REWRITE - dc.conn = op->o_conn; - dc.rs = rs; - dc.ctx = "searchBase"; -#else - dc.tofrom = 1; - dc.normalized = 0; -#endif - if ( ldap_back_dn_massage( &dc, &op->o_req_ndn, &mbase ) ) { - send_ldap_result( op, rs ); - return -1; - } - - rc = ldap_back_filter_map_rewrite( &dc, op->ors_filter, - &mfilter, BACKLDAP_MAP ); - - switch ( rc ) { - case LDAP_SUCCESS: - break; + if ( op->ors_attrs ) { + for ( i = 0; !BER_BVISNULL( &op->ors_attrs[i].an_name ); i++ ) + /* just count attrs */ ; - case LDAP_COMPARE_FALSE: - rs->sr_err = LDAP_SUCCESS; - rs->sr_text = NULL; - rc = 0; - goto finish; - - default: - rs->sr_err = LDAP_OTHER; - rs->sr_text = "Rewrite error"; - dontfreetext = 1; - rc = -1; - goto finish; - } - - rs->sr_err = ldap_back_map_attrs( &li->rwmap.rwm_at, - op->ors_attrs, - BACKLDAP_MAP, &mapped_attrs ); - if ( rs->sr_err != LDAP_SUCCESS ) { - rc = -1; - goto finish; + attrs = ch_malloc( ( i + 1 )*sizeof( char * ) ); + if ( attrs == NULL ) { + rs->sr_err = LDAP_NO_MEMORY; + rc = -1; + goto finish; + } + + for ( i = 0; !BER_BVISNULL( &op->ors_attrs[i].an_name ); i++ ) { + attrs[ i ] = op->ors_attrs[i].an_name.bv_val; + } + attrs[ i ] = NULL; } ctrls = op->o_ctrls; @@ -143,12 +114,11 @@ ldap_back_search( #endif /* LDAP_BACK_PROXY_AUTHZ */ retry: - rs->sr_err = ldap_search_ext( lc->ld, mbase.bv_val, - op->ors_scope, mfilter.bv_val, - mapped_attrs, op->ors_attrsonly, - ctrls, NULL, - tv.tv_sec ? &tv : NULL, op->ors_slimit, - &msgid ); + rs->sr_err = ldap_search_ext( lc->lc_ld, op->o_req_ndn.bv_val, + op->ors_scope, op->ors_filterstr.bv_val, + attrs, op->ors_attrsonly, ctrls, NULL, + tv.tv_sec ? &tv : NULL, + op->ors_slimit, &msgid ); if ( rs->sr_err != LDAP_SUCCESS ) { fail:; @@ -165,11 +135,11 @@ fail:; * but this is necessary for version matching, and for ACL processing. */ - for ( rc = 0; rc != -1; rc = ldap_result( lc->ld, msgid, 0, &tv, &res ) ) + for ( rc = 0; rc != -1; rc = ldap_result( lc->lc_ld, msgid, 0, &tv, &res ) ) { /* check for abandon */ if ( op->o_abandon ) { - ldap_abandon( lc->ld, msgid ); + ldap_abandon_ext( lc->lc_ld, msgid, NULL, NULL ); rc = 0; goto finish; } @@ -180,12 +150,13 @@ fail:; ldap_pvt_thread_yield(); } else if ( rc == LDAP_RES_SEARCH_ENTRY ) { - Entry ent = {0}; - struct berval bdn; - int abort = 0; + Entry ent = {0}; + struct berval bdn; + int abort = 0; + do_retry = 0; - e = ldap_first_entry( lc->ld, res ); + e = ldap_first_entry( lc->lc_ld, res ); rc = ldap_build_entry( op, e, &ent, &bdn, LDAP_BUILD_ENTRY_PRIVATE ); if ( rc == LDAP_SUCCESS ) { @@ -194,31 +165,33 @@ fail:; rs->sr_operational_attrs = NULL; rs->sr_flags = 0; abort = send_search_entry( op, rs ); - while (ent.e_attrs) { - Attribute *a; - BerVarray v; + while ( ent.e_attrs ) { + Attribute *a; + BerVarray v; a = ent.e_attrs; ent.e_attrs = a->a_next; v = a->a_vals; if ( a->a_vals != &slap_dummy_bv ) { - ber_bvarray_free(a->a_vals); + ber_bvarray_free( a->a_vals ); } if ( a->a_nvals != v ) { - ber_bvarray_free(a->a_nvals); + ber_bvarray_free( a->a_nvals ); } - ch_free(a); + ch_free( a ); } - if ( ent.e_dn && ( ent.e_dn != bdn.bv_val ) ) + if ( ent.e_dn && ( ent.e_dn != bdn.bv_val ) ) { free( ent.e_dn ); - if ( ent.e_ndn ) + } + if ( ent.e_ndn ) { free( ent.e_ndn ); + } } ldap_msgfree( res ); if ( abort ) { - ldap_abandon( lc->ld, msgid ); + ldap_abandon_ext( lc->lc_ld, msgid, NULL, NULL ); goto finish; } @@ -227,7 +200,7 @@ fail:; int cnt; do_retry = 0; - rc = ldap_parse_reference( lc->ld, res, + rc = ldap_parse_reference( lc->lc_ld, res, &references, &rs->sr_ctrls, 1 ); if ( rc != LDAP_SUCCESS ) { @@ -263,7 +236,7 @@ fail:; } } else { - rc = ldap_parse_result( lc->ld, res, &rs->sr_err, + rc = ldap_parse_result( lc->lc_ld, res, &rs->sr_err, &match.bv_val, (char **)&rs->sr_text, NULL, &rs->sr_ctrls, 1 ); if (rc != LDAP_SUCCESS ) { @@ -278,8 +251,9 @@ fail:; if ( rc == -1 ) { if ( do_retry ) { do_retry = 0; - if ( ldap_back_retry( lc, op, rs )) + if ( ldap_back_retry( lc, op, rs ) ) { goto retry; + } } /* FIXME: invalidate the connection? */ rs->sr_err = LDAP_SERVER_DOWN; @@ -290,18 +264,8 @@ fail:; /* * Rewrite the matched portion of the search base, if required */ - if ( match.bv_val && *match.bv_val ) { - struct berval mdn; - -#ifdef ENABLE_REWRITE - dc.ctx = "matchedDN"; -#else - dc.tofrom = 0; - dc.normalized = 0; -#endif - match.bv_len = strlen( match.bv_val ); - ldap_back_dn_massage( &dc, &match, &mdn ); - rs->sr_matched = mdn.bv_val; + if ( !BER_BVISNULL( &match ) && !BER_BVISEMPTY( &match ) ) { + rs->sr_matched = match.bv_val; } if ( rs->sr_v2ref ) { rs->sr_err = LDAP_REFERRAL; @@ -311,10 +275,7 @@ finish:; send_ldap_result( op, rs ); #ifdef LDAP_BACK_PROXY_AUTHZ - if ( ctrls && ctrls != op->o_ctrls ) { - free( ctrls[ 0 ] ); - free( ctrls ); - } + (void)ldap_back_proxy_authz_ctrl_free( op, &ctrls ); #endif /* LDAP_BACK_PROXY_AUTHZ */ if ( rs->sr_ctrls ) { @@ -323,9 +284,6 @@ finish:; } if ( match.bv_val ) { - if ( rs->sr_matched != match.bv_val ) { - free( (char *)rs->sr_matched ); - } rs->sr_matched = NULL; LDAP_FREE( match.bv_val ); } @@ -335,62 +293,36 @@ finish:; } rs->sr_text = NULL; } - if ( mapped_attrs ) { - ch_free( mapped_attrs ); - } - if ( mfilter.bv_val != op->ors_filterstr.bv_val ) { - ch_free( mfilter.bv_val ); + if ( attrs ) { + ch_free( attrs ); } - if ( mbase.bv_val != op->o_req_ndn.bv_val ) { - free( mbase.bv_val ); - } - + return rc; } static int ldap_build_entry( - Operation *op, - LDAPMessage *e, - Entry *ent, - struct berval *bdn, - int flags -) + Operation *op, + LDAPMessage *e, + Entry *ent, + struct berval *bdn, + int flags ) { - struct ldapinfo *li = (struct ldapinfo *) op->o_bd->be_private; - struct berval a, mapped; - BerElement ber = *e->lm_ber; - Attribute *attr, **attrp; - struct berval *bv; - const char *text; - int last; - int private = flags & LDAP_BUILD_ENTRY_PRIVATE; - dncookie dc; + struct berval a; + BerElement ber = *e->lm_ber; + Attribute *attr, **attrp; + const char *text; + int last; + int private = flags & LDAP_BUILD_ENTRY_PRIVATE; /* safe assumptions ... */ assert( ent ); - ent->e_bv.bv_val = NULL; + BER_BVZERO( &ent->e_bv ); if ( ber_scanf( &ber, "{m{", bdn ) == LBER_ERROR ) { return LDAP_DECODING_ERROR; } - /* - * Rewrite the dn of the result, if needed - */ - dc.rwmap = &li->rwmap; -#ifdef ENABLE_REWRITE - dc.conn = op->o_conn; - dc.rs = NULL; - dc.ctx = "searchResult"; -#else - dc.tofrom = 0; - dc.normalized = 0; -#endif - if ( ldap_back_dn_massage( &dc, bdn, &ent->e_name ) ) { - return LDAP_OTHER; - } - /* * Note: this may fail if the target host(s) schema differs * from the one known to the meta, and a DN with unknown @@ -401,7 +333,7 @@ ldap_build_entry( /* Note: if the distinguished values or the naming attributes * change, should we massage them as well? */ - if ( dnNormalize( 0, NULL, NULL, &ent->e_name, &ent->e_nname, + if ( dnPrettyNormal( NULL, bdn, &ent->e_name, &ent->e_nname, op->o_tmpmemctx ) != LDAP_SUCCESS ) { return LDAP_INVALID_DN_SYNTAX; @@ -409,29 +341,27 @@ ldap_build_entry( attrp = &ent->e_attrs; -#ifdef ENABLE_REWRITE - dc.ctx = "searchAttrDN"; -#endif while ( ber_scanf( &ber, "{m", &a ) != LBER_ERROR ) { int i; slap_syntax_validate_func *validate; slap_syntax_transform_func *pretty; - ldap_back_map( &li->rwmap.rwm_at, &a, &mapped, BACKLDAP_REMAP ); - if ( BER_BVISNULL( &mapped ) || BER_BVISEMPTY( &mapped ) ) - continue; attr = (Attribute *)ch_malloc( sizeof( Attribute ) ); - if ( attr == NULL ) + if ( attr == NULL ) { continue; + } attr->a_flags = 0; attr->a_next = 0; attr->a_desc = NULL; - if ( slap_bv2ad( &mapped, &attr->a_desc, &text ) != LDAP_SUCCESS ) { - if ( slap_bv2undef_ad( &mapped, &attr->a_desc, &text ) + if ( slap_bv2ad( &a, &attr->a_desc, &text ) + != LDAP_SUCCESS ) + { + if ( slap_bv2undef_ad( &a, &attr->a_desc, &text ) != LDAP_SUCCESS ) { Debug( LDAP_DEBUG_ANY, - "slap_bv2undef_ad(%s): %s\n", mapped.bv_val, text, 0 ); + "slap_bv2undef_ad(%s): %s\n", + a.bv_val, text, 0 ); ch_free( attr ); continue; } @@ -449,7 +379,7 @@ ldap_build_entry( */ ( void )ber_scanf( &ber, "x" /* [W] */ ); - ch_free(attr); + ch_free( attr ); continue; } @@ -461,60 +391,17 @@ ldap_build_entry( * values result filter */ if ( private ) { - attr->a_vals = &slap_dummy_bv; + attr->a_vals = (struct berval *)&slap_dummy_bv; + } else { attr->a_vals = ch_malloc( sizeof( struct berval ) ); - BER_BVZERO( &attr->a_vals[0] ); + BER_BVZERO( &attr->a_vals[ 0 ] ); } last = 0; } else { - for ( last = 0; !BER_BVISNULL( &attr->a_vals[last] ); last++ ); - } - - if ( last == 0 ) { - /* empty */ - } else if ( attr->a_desc == slap_schema.si_ad_objectClass - || attr->a_desc == slap_schema.si_ad_structuralObjectClass ) - { - for ( bv = attr->a_vals; !BER_BVISNULL( bv ); bv++ ) { - ldap_back_map( &li->rwmap.rwm_oc, bv, &mapped, - BACKLDAP_REMAP ); - if ( BER_BVISNULL( &mapped ) || BER_BVISEMPTY( &mapped ) ) { - LBER_FREE( bv->bv_val ); - BER_BVZERO( bv ); - if (--last < 0) - break; - *bv = attr->a_vals[last]; - BER_BVZERO( &attr->a_vals[last] ); - bv--; - - } else if ( mapped.bv_val != bv->bv_val ) { - /* - * FIXME: after LBER_FREEing - * the value is replaced by - * ch_alloc'ed memory - */ - LBER_FREE( bv->bv_val ); - ber_dupbv( bv, &mapped ); - } - } - - /* - * It is necessary to try to rewrite attributes with - * dn syntax because they might be used in ACLs as - * members of groups; since ACLs are applied to the - * rewritten stuff, no dn-based subject clause could - * be used at the ldap backend side (see - * http://www.OpenLDAP.org/faq/data/cache/452.html) - * The problem can be overcome by moving the dn-based - * ACLs to the target directory server, and letting - * everything pass thru the ldap backend. - */ - } else if ( attr->a_desc->ad_type->sat_syntax == - slap_schema.si_syn_distinguishedName ) - { - ldap_dnattr_result_rewrite( &dc, attr->a_vals ); + for ( last = 0; !BER_BVISNULL( &attr->a_vals[ last ] ); last++ ) + /* just count vals */ ; } validate = attr->a_desc->ad_type->sat_syntax->ssyn_validate; @@ -585,10 +472,6 @@ ldap_build_entry( next_attr:; } - /* make sure it's free'able */ - if ( !private && ent->e_name.bv_val == bdn->bv_val ) { - ber_dupbv( &ent->e_name, bdn ); - } return LDAP_SUCCESS; } @@ -596,33 +479,33 @@ next_attr:; */ int ldap_back_entry_get( - Operation *op, - struct berval *ndn, - ObjectClass *oc, - AttributeDescription *at, - int rw, - Entry **ent + Operation *op, + struct berval *ndn, + ObjectClass *oc, + AttributeDescription *at, + int rw, + Entry **ent ) { - struct ldapinfo *li = (struct ldapinfo *) op->o_bd->be_private; struct ldapconn *lc; - int rc = 1, is_oc; - struct berval mapped = BER_BVNULL, bdn, mdn; - LDAPMessage *result = NULL, *e = NULL; - char *gattr[3]; - char *filter = NULL; - Connection *oconn; - SlapReply rs; - dncookie dc; - int do_retry = 1; + int rc = 1, + is_oc; + struct berval bdn; + LDAPMessage *result = NULL, + *e = NULL; + char *gattr[3]; + char *filter = NULL; + Connection *oconn; + SlapReply rs; + int do_retry = 1; /* Tell getconn this is a privileged op */ is_oc = op->o_do_not_cache; op->o_do_not_cache = 1; - lc = ldap_back_getconn(op, &rs); + lc = ldap_back_getconn( op, &rs ); oconn = op->o_conn; op->o_conn = NULL; - if ( !lc || !ldap_back_dobind(lc, op, &rs) ) { + if ( !lc || !ldap_back_dobind( lc, op, &rs ) ) { op->o_do_not_cache = is_oc; op->o_conn = oconn; return 1; @@ -630,66 +513,45 @@ ldap_back_entry_get( op->o_do_not_cache = is_oc; op->o_conn = oconn; - /* - * Rewrite the search base, if required - */ - dc.rwmap = &li->rwmap; -#ifdef ENABLE_REWRITE - dc.conn = op->o_conn; - dc.rs = &rs; - dc.ctx = "searchBase"; -#else - dc.tofrom = 1; - dc.normalized = 1; -#endif - if ( ldap_back_dn_massage( &dc, ndn, &mdn ) ) { - return 1; - } - if ( at ) { - ldap_back_map(&li->rwmap.rwm_at, &at->ad_cname, &mapped, BACKLDAP_MAP); - if ( BER_BVISNULL( &mapped ) || BER_BVISEMPTY( &mapped ) ) { - rc = 1; - goto cleanup; - } - is_oc = ( strcasecmp( "objectclass", mapped.bv_val ) == 0 ); + is_oc = ( strcasecmp( "objectclass", at->ad_cname.bv_val ) == 0 ); if ( oc && !is_oc ) { gattr[0] = "objectclass"; - gattr[1] = mapped.bv_val; + gattr[1] = at->ad_cname.bv_val; gattr[2] = NULL; } else { - gattr[0] = mapped.bv_val; + gattr[0] = at->ad_cname.bv_val; gattr[1] = NULL; } } - if (oc) { - char *ptr; - ldap_back_map(&li->rwmap.rwm_oc, &oc->soc_cname, &mapped, - BACKLDAP_MAP); - filter = ch_malloc( STRLENOF( "(objectclass=)" ) + mapped.bv_len + 1 ); + if ( oc ) { + char *ptr; + + filter = ch_malloc( STRLENOF( "(objectclass=)" ) + + oc->soc_cname.bv_len + 1 ); ptr = lutil_strcopy( filter, "(objectclass=" ); - ptr = lutil_strcopy( ptr, mapped.bv_val ); + ptr = lutil_strcopy( ptr, oc->soc_cname.bv_val ); *ptr++ = ')'; *ptr++ = '\0'; } retry: - rc = ldap_search_ext_s( lc->ld, mdn.bv_val, LDAP_SCOPE_BASE, filter, + rc = ldap_search_ext_s( lc->lc_ld, ndn->bv_val, LDAP_SCOPE_BASE, filter, gattr, 0, NULL, NULL, LDAP_NO_LIMIT, - LDAP_NO_LIMIT, &result); - if ( rc != LDAP_SUCCESS ) - { + LDAP_NO_LIMIT, &result ); + if ( rc != LDAP_SUCCESS ) { if ( rc == LDAP_SERVER_DOWN && do_retry ) { do_retry = 0; - if ( ldap_back_retry( lc, op, &rs )) - goto retry; + if ( ldap_back_retry( lc, op, &rs ) ) { + goto retry; + } } goto cleanup; } - e = ldap_first_entry( lc->ld, result ); + e = ldap_first_entry( lc->lc_ld, result ); if ( e == NULL ) { goto cleanup; } @@ -712,10 +574,6 @@ cleanup: ch_free( filter ); } - if ( mdn.bv_val != ndn->bv_val ) { - ch_free( mdn.bv_val ); - } - return rc; } diff --git a/servers/slapd/back-ldap/unbind.c b/servers/slapd/back-ldap/unbind.c index 8217ce6ef6..dbed6f577b 100644 --- a/servers/slapd/back-ldap/unbind.c +++ b/servers/slapd/back-ldap/unbind.c @@ -33,8 +33,8 @@ int ldap_back_conn_destroy( - Backend *be, - Connection *conn + Backend *be, + Connection *conn ) { struct ldapinfo *li = (struct ldapinfo *) be->be_private; @@ -44,24 +44,17 @@ ldap_back_conn_destroy( "=>ldap_back_conn_destroy: fetching conn %ld\n", conn->c_connid, 0, 0 ); - lc_curr.conn = conn; - lc_curr.local_dn = conn->c_ndn; + lc_curr.lc_conn = conn; + lc_curr.lc_local_ndn = conn->c_ndn; ldap_pvt_thread_mutex_lock( &li->conn_mutex ); lc = avl_delete( &li->conntree, (caddr_t)&lc_curr, ldap_back_conn_cmp ); ldap_pvt_thread_mutex_unlock( &li->conn_mutex ); -#ifdef ENABLE_REWRITE - /* - * Cleanup rewrite session - */ - rewrite_session_delete( li->rwmap.rwm_rw, conn ); -#endif /* ENABLE_REWRITE */ - - if (lc) { + if ( lc ) { Debug( LDAP_DEBUG_TRACE, "=>ldap_back_conn_destroy: destroying conn %ld\n", - lc->conn->c_connid, 0, 0 ); + lc->lc_conn->c_connid, 0, 0 ); /* * Needs a test because the handler may be corrupted, -- 2.39.5