git.sur5r.net Git - openldap/blob - servers/slapd/back-ldap/config.c

   1 /* config.c - ldap backend configuration file routine */
   2 /* $OpenLDAP$ */
   3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
   4  *
   5  * Copyright 2003-2018 The OpenLDAP Foundation.
   6  * Portions Copyright 1999-2003 Howard Chu.
   7  * Portions Copyright 2000-2003 Pierangelo Masarati.
   8  * All rights reserved.
   9  *
  10  * Redistribution and use in source and binary forms, with or without
  11  * modification, are permitted only as authorized by the OpenLDAP
  12  * Public License.
  13  *
  14  * A copy of this license is available in the file LICENSE in the
  15  * top-level directory of the distribution or, alternatively, at
  16  * <http://www.OpenLDAP.org/license.html>.
  17  */
  18 /* ACKNOWLEDGEMENTS:
  19  * This work was initially developed by the Howard Chu for inclusion
  20  * in OpenLDAP Software and subsequently enhanced by Pierangelo
  21  * Masarati.
  22  */
  23
  24 #include "portable.h"
  25
  26 #include <stdio.h>
  27
  28 #include <ac/string.h>
  29 #include <ac/ctype.h>
  30 #include <ac/socket.h>
  31
  32 #include "slap.h"
  33 #include "config.h"
  34 #include "back-ldap.h"
  35 #include "lutil.h"
  36 #include "ldif.h"
  37
  38 static SLAP_EXTOP_MAIN_FN ldap_back_exop_whoami;
  39
  40 static ConfigDriver ldap_back_cf_gen;
  41 static ConfigDriver ldap_pbind_cf_gen;
  42
  43 enum {
  44         LDAP_BACK_CFG_URI = 1,
  45         LDAP_BACK_CFG_TLS,
  46         LDAP_BACK_CFG_ACL_AUTHCDN,
  47         LDAP_BACK_CFG_ACL_PASSWD,
  48         LDAP_BACK_CFG_ACL_METHOD,
  49         LDAP_BACK_CFG_ACL_BIND,
  50         LDAP_BACK_CFG_IDASSERT_MODE,
  51         LDAP_BACK_CFG_IDASSERT_AUTHCDN,
  52         LDAP_BACK_CFG_IDASSERT_PASSWD,
  53         LDAP_BACK_CFG_IDASSERT_AUTHZFROM,
  54         LDAP_BACK_CFG_IDASSERT_PASSTHRU,
  55         LDAP_BACK_CFG_IDASSERT_METHOD,
  56         LDAP_BACK_CFG_IDASSERT_BIND,
  57         LDAP_BACK_CFG_REBIND,
  58         LDAP_BACK_CFG_CHASE,
  59         LDAP_BACK_CFG_T_F,
  60         LDAP_BACK_CFG_WHOAMI,
  61         LDAP_BACK_CFG_TIMEOUT,
  62         LDAP_BACK_CFG_IDLE_TIMEOUT,
  63         LDAP_BACK_CFG_CONN_TTL,
  64         LDAP_BACK_CFG_NETWORK_TIMEOUT,
  65         LDAP_BACK_CFG_VERSION,
  66         LDAP_BACK_CFG_SINGLECONN,
  67         LDAP_BACK_CFG_USETEMP,
  68         LDAP_BACK_CFG_CONNPOOLMAX,
  69         LDAP_BACK_CFG_CANCEL,
  70         LDAP_BACK_CFG_QUARANTINE,
  71         LDAP_BACK_CFG_ST_REQUEST,
  72         LDAP_BACK_CFG_NOREFS,
  73         LDAP_BACK_CFG_NOUNDEFFILTER,
  74         LDAP_BACK_CFG_ONERR,
  75
  76         LDAP_BACK_CFG_REWRITE,
  77         LDAP_BACK_CFG_KEEPALIVE,
  78
  79         LDAP_BACK_CFG_OMIT_UNKNOWN_SCHEMA,
  80
  81         LDAP_BACK_CFG_LAST
  82 };
  83
  84 static ConfigTable ldapcfg[] = {
  85         { "uri", "uri", 2, 2, 0,
  86                 ARG_MAGIC|LDAP_BACK_CFG_URI,
  87                 ldap_back_cf_gen, "( OLcfgDbAt:0.14 "
  88                         "NAME 'olcDbURI' "
  89                         "DESC 'URI (list) for remote DSA' "
  90                         "SYNTAX OMsDirectoryString "
  91                         "SINGLE-VALUE )",
  92                 NULL, NULL },
  93         { "tls", "what", 2, 0, 0,
  94                 ARG_MAGIC|LDAP_BACK_CFG_TLS,
  95                 ldap_back_cf_gen, "( OLcfgDbAt:3.1 "
  96                         "NAME 'olcDbStartTLS' "
  97                         "DESC 'StartTLS' "
  98                         "SYNTAX OMsDirectoryString "
  99                         "SINGLE-VALUE )",
 100                 NULL, NULL },
 101         { "acl-authcDN", "DN", 2, 2, 0,
 102                 ARG_DN|ARG_MAGIC|LDAP_BACK_CFG_ACL_AUTHCDN,
 103                 ldap_back_cf_gen, "( OLcfgDbAt:3.2 "
 104                         "NAME 'olcDbACLAuthcDn' "
 105                         "DESC 'Remote ACL administrative identity' "
 106                         "OBSOLETE "
 107                         "SYNTAX OMsDN "
 108                         "SINGLE-VALUE )",
 109                 NULL, NULL },
 110         /* deprecated, will be removed; aliases "acl-authcDN" */
 111         { "binddn", "DN", 2, 2, 0,
 112                 ARG_DN|ARG_MAGIC|LDAP_BACK_CFG_ACL_AUTHCDN,
 113                 ldap_back_cf_gen, NULL, NULL, NULL },
 114         { "acl-passwd", "cred", 2, 2, 0,
 115                 ARG_MAGIC|LDAP_BACK_CFG_ACL_PASSWD,
 116                 ldap_back_cf_gen, "( OLcfgDbAt:3.3 "
 117                         "NAME 'olcDbACLPasswd' "
 118                         "DESC 'Remote ACL administrative identity credentials' "
 119                         "OBSOLETE "
 120                         "SYNTAX OMsDirectoryString "
 121                         "SINGLE-VALUE )",
 122                 NULL, NULL },
 123         /* deprecated, will be removed; aliases "acl-passwd" */
 124         { "bindpw", "cred", 2, 2, 0,
 125                 ARG_MAGIC|LDAP_BACK_CFG_ACL_PASSWD,
 126                 ldap_back_cf_gen, NULL, NULL, NULL },
 127         /* deprecated, will be removed; aliases "acl-bind" */
 128         { "acl-method", "args", 2, 0, 0,
 129                 ARG_MAGIC|LDAP_BACK_CFG_ACL_METHOD,
 130                 ldap_back_cf_gen, NULL, NULL, NULL },
 131         { "acl-bind", "args", 2, 0, 0,
 132                 ARG_MAGIC|LDAP_BACK_CFG_ACL_BIND,
 133                 ldap_back_cf_gen, "( OLcfgDbAt:3.4 "
 134                         "NAME 'olcDbACLBind' "
 135                         "DESC 'Remote ACL administrative identity auth bind configuration' "
 136                         "SYNTAX OMsDirectoryString "
 137                         "SINGLE-VALUE )",
 138                 NULL, NULL },
 139         { "idassert-authcDN", "DN", 2, 2, 0,
 140                 ARG_DN|ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_AUTHCDN,
 141                 ldap_back_cf_gen, "( OLcfgDbAt:3.5 "
 142                         "NAME 'olcDbIDAssertAuthcDn' "
 143                         "DESC 'Remote Identity Assertion administrative identity' "
 144                         "OBSOLETE "
 145                         "SYNTAX OMsDN "
 146                         "SINGLE-VALUE )",
 147                 NULL, NULL },
 148         /* deprecated, will be removed; partially aliases "idassert-authcDN" */
 149         { "proxyauthzdn", "DN", 2, 2, 0,
 150                 ARG_DN|ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_AUTHCDN,
 151                 ldap_back_cf_gen, NULL, NULL, NULL },
 152         { "idassert-passwd", "cred", 2, 2, 0,
 153                 ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_PASSWD,
 154                 ldap_back_cf_gen, "( OLcfgDbAt:3.6 "
 155                         "NAME 'olcDbIDAssertPasswd' "
 156                         "DESC 'Remote Identity Assertion administrative identity credentials' "
 157                         "OBSOLETE "
 158                         "SYNTAX OMsDirectoryString "
 159                         "SINGLE-VALUE )",
 160                 NULL, NULL },
 161         /* deprecated, will be removed; partially aliases "idassert-passwd" */
 162         { "proxyauthzpw", "cred", 2, 2, 0,
 163                 ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_PASSWD,
 164                 ldap_back_cf_gen, NULL, NULL, NULL },
 165         { "idassert-bind", "args", 2, 0, 0,
 166                 ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_BIND,
 167                 ldap_back_cf_gen, "( OLcfgDbAt:3.7 "
 168                         "NAME 'olcDbIDAssertBind' "
 169                         "DESC 'Remote Identity Assertion administrative identity auth bind configuration' "
 170                         "SYNTAX OMsDirectoryString "
 171                         "SINGLE-VALUE )",
 172                 NULL, NULL },
 173         { "idassert-method", "args", 2, 0, 0,
 174                 ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_METHOD,
 175                 ldap_back_cf_gen, NULL, NULL, NULL },
 176         { "idassert-mode", "mode>|u:<user>|[dn:]<DN", 2, 0, 0,
 177                 ARG_STRING|ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_MODE,
 178                 ldap_back_cf_gen, "( OLcfgDbAt:3.8 "
 179                         "NAME 'olcDbIDAssertMode' "
 180                         "DESC 'Remote Identity Assertion mode' "
 181                         "OBSOLETE "
 182                         "SYNTAX OMsDirectoryString "
 183                         "SINGLE-VALUE)",
 184                 NULL, NULL },
 185         { "idassert-authzFrom", "authzRule", 2, 2, 0,
 186                 ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_AUTHZFROM,
 187                 ldap_back_cf_gen, "( OLcfgDbAt:3.9 "
 188                         "NAME 'olcDbIDAssertAuthzFrom' "
 189                         "DESC 'Remote Identity Assertion authz rules' "
 190                         "EQUALITY caseIgnoreMatch "
 191                         "SYNTAX OMsDirectoryString "
 192                         "X-ORDERED 'VALUES' )",
 193                 NULL, NULL },
 194         { "rebind-as-user", "true|FALSE", 1, 2, 0,
 195                 ARG_MAGIC|ARG_ON_OFF|LDAP_BACK_CFG_REBIND,
 196                 ldap_back_cf_gen, "( OLcfgDbAt:3.10 "
 197                         "NAME 'olcDbRebindAsUser' "
 198                         "DESC 'Rebind as user' "
 199                         "SYNTAX OMsBoolean "
 200                         "SINGLE-VALUE )",
 201                 NULL, NULL },
 202         { "chase-referrals", "true|FALSE", 2, 2, 0,
 203                 ARG_MAGIC|ARG_ON_OFF|LDAP_BACK_CFG_CHASE,
 204                 ldap_back_cf_gen, "( OLcfgDbAt:3.11 "
 205                         "NAME 'olcDbChaseReferrals' "
 206                         "DESC 'Chase referrals' "
 207                         "SYNTAX OMsBoolean "
 208                         "SINGLE-VALUE )",
 209                 NULL, NULL },
 210         { "t-f-support", "true|FALSE|discover", 2, 2, 0,
 211                 ARG_MAGIC|LDAP_BACK_CFG_T_F,
 212                 ldap_back_cf_gen, "( OLcfgDbAt:3.12 "
 213                         "NAME 'olcDbTFSupport' "
 214                         "DESC 'Absolute filters support' "
 215                         "SYNTAX OMsDirectoryString "
 216                         "SINGLE-VALUE )",
 217                 NULL, NULL },
 218         { "proxy-whoami", "true|FALSE", 1, 2, 0,
 219                 ARG_MAGIC|ARG_ON_OFF|LDAP_BACK_CFG_WHOAMI,
 220                 ldap_back_cf_gen, "( OLcfgDbAt:3.13 "
 221                         "NAME 'olcDbProxyWhoAmI' "
 222                         "DESC 'Proxy whoAmI exop' "
 223                         "SYNTAX OMsBoolean "
 224                         "SINGLE-VALUE )",
 225                 NULL, NULL },
 226         { "timeout", "timeout(list)", 2, 0, 0,
 227                 ARG_MAGIC|LDAP_BACK_CFG_TIMEOUT,
 228                 ldap_back_cf_gen, "( OLcfgDbAt:3.14 "
 229                         "NAME 'olcDbTimeout' "
 230                         "DESC 'Per-operation timeouts' "
 231                         "SYNTAX OMsDirectoryString "
 232                         "SINGLE-VALUE )",
 233                 NULL, NULL },
 234         { "idle-timeout", "timeout", 2, 2, 0,
 235                 ARG_MAGIC|LDAP_BACK_CFG_IDLE_TIMEOUT,
 236                 ldap_back_cf_gen, "( OLcfgDbAt:3.15 "
 237                         "NAME 'olcDbIdleTimeout' "
 238                         "DESC 'connection idle timeout' "
 239                         "SYNTAX OMsDirectoryString "
 240                         "SINGLE-VALUE )",
 241                 NULL, NULL },
 242         { "conn-ttl", "ttl", 2, 2, 0,
 243                 ARG_MAGIC|LDAP_BACK_CFG_CONN_TTL,
 244                 ldap_back_cf_gen, "( OLcfgDbAt:3.16 "
 245                         "NAME 'olcDbConnTtl' "
 246                         "DESC 'connection ttl' "
 247                         "SYNTAX OMsDirectoryString "
 248                         "SINGLE-VALUE )",
 249                 NULL, NULL },
 250         { "network-timeout", "timeout", 2, 2, 0,
 251                 ARG_MAGIC|LDAP_BACK_CFG_NETWORK_TIMEOUT,
 252                 ldap_back_cf_gen, "( OLcfgDbAt:3.17 "
 253                         "NAME 'olcDbNetworkTimeout' "
 254                         "DESC 'connection network timeout' "
 255                         "SYNTAX OMsDirectoryString "
 256                         "SINGLE-VALUE )",
 257                 NULL, NULL },
 258         { "protocol-version", "version", 2, 2, 0,
 259                 ARG_MAGIC|ARG_INT|LDAP_BACK_CFG_VERSION,
 260                 ldap_back_cf_gen, "( OLcfgDbAt:3.18 "
 261                         "NAME 'olcDbProtocolVersion' "
 262                         "DESC 'protocol version' "
 263                         "SYNTAX OMsInteger "
 264                         "SINGLE-VALUE )",
 265                 NULL, NULL },
 266         { "single-conn", "true|FALSE", 2, 2, 0,
 267                 ARG_MAGIC|ARG_ON_OFF|LDAP_BACK_CFG_SINGLECONN,
 268                 ldap_back_cf_gen, "( OLcfgDbAt:3.19 "
 269                         "NAME 'olcDbSingleConn' "
 270                         "DESC 'cache a single connection per identity' "
 271                         "SYNTAX OMsBoolean "
 272                         "SINGLE-VALUE )",
 273                 NULL, NULL },
 274         { "cancel", "ABANDON|ignore|exop", 2, 2, 0,
 275                 ARG_MAGIC|LDAP_BACK_CFG_CANCEL,
 276                 ldap_back_cf_gen, "( OLcfgDbAt:3.20 "
 277                         "NAME 'olcDbCancel' "
 278                         "DESC 'abandon/ignore/exop operations when appropriate' "
 279                         "SYNTAX OMsDirectoryString "
 280                         "SINGLE-VALUE )",
 281                 NULL, NULL },
 282         { "quarantine", "retrylist", 2, 2, 0,
 283                 ARG_MAGIC|LDAP_BACK_CFG_QUARANTINE,
 284                 ldap_back_cf_gen, "( OLcfgDbAt:3.21 "
 285                         "NAME 'olcDbQuarantine' "
 286                         "DESC 'Quarantine database if connection fails and retry according to rule' "
 287                         "SYNTAX OMsDirectoryString "
 288                         "SINGLE-VALUE )",
 289                 NULL, NULL },
 290         { "use-temporary-conn", "true|FALSE", 2, 2, 0,
 291                 ARG_MAGIC|ARG_ON_OFF|LDAP_BACK_CFG_USETEMP,
 292                 ldap_back_cf_gen, "( OLcfgDbAt:3.22 "
 293                         "NAME 'olcDbUseTemporaryConn' "
 294                         "DESC 'Use temporary connections if the cached one is busy' "
 295                         "SYNTAX OMsBoolean "
 296                         "SINGLE-VALUE )",
 297                 NULL, NULL },
 298         { "conn-pool-max", "<n>", 2, 2, 0,
 299                 ARG_MAGIC|ARG_INT|LDAP_BACK_CFG_CONNPOOLMAX,
 300                 ldap_back_cf_gen, "( OLcfgDbAt:3.23 "
 301                         "NAME 'olcDbConnectionPoolMax' "
 302                         "DESC 'Max size of privileged connections pool' "
 303                         "SYNTAX OMsInteger "
 304                         "SINGLE-VALUE )",
 305                 NULL, NULL },
 306 #ifdef SLAP_CONTROL_X_SESSION_TRACKING
 307         { "session-tracking-request", "true|FALSE", 2, 2, 0,
 308                 ARG_MAGIC|ARG_ON_OFF|LDAP_BACK_CFG_ST_REQUEST,
 309                 ldap_back_cf_gen, "( OLcfgDbAt:3.24 "
 310                         "NAME 'olcDbSessionTrackingRequest' "
 311                         "DESC 'Add session tracking control to proxied requests' "
 312                         "SYNTAX OMsBoolean "
 313                         "SINGLE-VALUE )",
 314                 NULL, NULL },
 315 #endif /* SLAP_CONTROL_X_SESSION_TRACKING */
 316         { "norefs", "true|FALSE", 2, 2, 0,
 317                 ARG_MAGIC|ARG_ON_OFF|LDAP_BACK_CFG_NOREFS,
 318                 ldap_back_cf_gen, "( OLcfgDbAt:3.25 "
 319                         "NAME 'olcDbNoRefs' "
 320                         "DESC 'Do not return search reference responses' "
 321                         "SYNTAX OMsBoolean "
 322                         "SINGLE-VALUE )",
 323                 NULL, NULL },
 324         { "noundeffilter", "true|FALSE", 2, 2, 0,
 325                 ARG_MAGIC|ARG_ON_OFF|LDAP_BACK_CFG_NOUNDEFFILTER,
 326                 ldap_back_cf_gen, "( OLcfgDbAt:3.26 "
 327                         "NAME 'olcDbNoUndefFilter' "
 328                         "DESC 'Do not propagate undefined search filters' "
 329                         "SYNTAX OMsBoolean "
 330                         "SINGLE-VALUE )",
 331                 NULL, NULL },
 332         { "onerr", "CONTINUE|report|stop", 2, 2, 0,
 333                 ARG_MAGIC|LDAP_BACK_CFG_ONERR,
 334                 ldap_back_cf_gen, "( OLcfgDbAt:3.108 "
 335                         "NAME 'olcDbOnErr' "
 336                         "DESC 'error handling' "
 337                         "SYNTAX OMsDirectoryString "
 338                         "SINGLE-VALUE )",
 339                 NULL, NULL },
 340         { "idassert-passThru", "authzRule", 2, 2, 0,
 341                 ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_PASSTHRU,
 342                 ldap_back_cf_gen, "( OLcfgDbAt:3.27 "
 343                         "NAME 'olcDbIDAssertPassThru' "
 344                         "DESC 'Remote Identity Assertion passthru rules' "
 345                         "EQUALITY caseIgnoreMatch "
 346                         "SYNTAX OMsDirectoryString "
 347                         "X-ORDERED 'VALUES' )",
 348                 NULL, NULL },
 349
 350         { "suffixmassage", "[virtual]> <real", 2, 3, 0,
 351                 ARG_STRING|ARG_MAGIC|LDAP_BACK_CFG_REWRITE,
 352                 ldap_back_cf_gen, NULL, NULL, NULL },
 353         { "map", "attribute|objectClass> [*|<local>] *|<remote", 3, 4, 0,
 354                 ARG_STRING|ARG_MAGIC|LDAP_BACK_CFG_REWRITE,
 355                 ldap_back_cf_gen, NULL, NULL, NULL },
 356         { "rewrite", "<arglist>", 2, 4, STRLENOF( "rewrite" ),
 357                 ARG_STRING|ARG_MAGIC|LDAP_BACK_CFG_REWRITE,
 358                 ldap_back_cf_gen, NULL, NULL, NULL },
 359         { "omit-unknown-schema", "true|FALSE", 2, 2, 0,
 360                 ARG_MAGIC|ARG_ON_OFF|LDAP_BACK_CFG_OMIT_UNKNOWN_SCHEMA,
 361                 ldap_back_cf_gen, "( OLcfgDbAt:3.28 "
 362                         "NAME 'olcDbRemoveUnknownSchema' "
 363                         "DESC 'Omit unknown schema when returning search results' "
 364                         "SYNTAX OMsBoolean "
 365                         "SINGLE-VALUE )",
 366                 NULL, NULL },
 367         { "keepalive", "keepalive", 2, 2, 0,
 368                 ARG_MAGIC|LDAP_BACK_CFG_KEEPALIVE,
 369                 ldap_back_cf_gen, "( OLcfgDbAt:3.29 "
 370                         "NAME 'olcDbKeepalive' "
 371                         "DESC 'TCP keepalive' "
 372                         "SYNTAX OMsDirectoryString "
 373                         "SINGLE-VALUE )",
 374                 NULL, NULL },
 375         { NULL, NULL, 0, 0, 0, ARG_IGNORED,
 376                 NULL, NULL, NULL, NULL }
 377 };
 378
 379 static ConfigOCs ldapocs[] = {
 380         { "( OLcfgDbOc:3.1 "
 381                 "NAME 'olcLDAPConfig' "
 382                 "DESC 'LDAP backend configuration' "
 383                 "SUP olcDatabaseConfig "
 384                 "MAY ( olcDbURI "
 385                         "$ olcDbStartTLS "
 386                         "$ olcDbACLAuthcDn "
 387                         "$ olcDbACLPasswd "
 388                         "$ olcDbACLBind "
 389                         "$ olcDbIDAssertAuthcDn "
 390                         "$ olcDbIDAssertPasswd "
 391                         "$ olcDbIDAssertBind "
 392                         "$ olcDbIDAssertMode "
 393                         "$ olcDbIDAssertAuthzFrom "
 394                         "$ olcDbIDAssertPassThru "
 395                         "$ olcDbRebindAsUser "
 396                         "$ olcDbChaseReferrals "
 397                         "$ olcDbTFSupport "
 398                         "$ olcDbProxyWhoAmI "
 399                         "$ olcDbTimeout "
 400                         "$ olcDbIdleTimeout "
 401                         "$ olcDbConnTtl "
 402                         "$ olcDbNetworkTimeout "
 403                         "$ olcDbProtocolVersion "
 404                         "$ olcDbSingleConn "
 405                         "$ olcDbCancel "
 406                         "$ olcDbQuarantine "
 407                         "$ olcDbUseTemporaryConn "
 408                         "$ olcDbConnectionPoolMax "
 409 #ifdef SLAP_CONTROL_X_SESSION_TRACKING
 410                         "$ olcDbSessionTrackingRequest "
 411 #endif /* SLAP_CONTROL_X_SESSION_TRACKING */
 412                         "$ olcDbNoRefs "
 413                         "$ olcDbNoUndefFilter "
 414                         "$ olcDbOnErr "
 415                         "$ olcDbKeepalive "
 416                 ") )",
 417                         Cft_Database, ldapcfg},
 418         { NULL, 0, NULL }
 419 };
 420
 421 static ConfigTable pbindcfg[] = {
 422         { "uri", "uri", 2, 2, 0,
 423                 ARG_MAGIC|LDAP_BACK_CFG_URI,
 424                 ldap_pbind_cf_gen, "( OLcfgDbAt:0.14 "
 425                         "NAME 'olcDbURI' "
 426                         "DESC 'URI (list) for remote DSA' "
 427                         "SYNTAX OMsDirectoryString "
 428                         "SINGLE-VALUE )",
 429                 NULL, NULL },
 430         { "tls", "what", 2, 0, 0,
 431                 ARG_MAGIC|LDAP_BACK_CFG_TLS,
 432                 ldap_pbind_cf_gen, "( OLcfgDbAt:3.1 "
 433                         "NAME 'olcDbStartTLS' "
 434                         "DESC 'StartTLS' "
 435                         "SYNTAX OMsDirectoryString "
 436                         "SINGLE-VALUE )",
 437                 NULL, NULL },
 438         { "network-timeout", "timeout", 2, 2, 0,
 439                 ARG_MAGIC|LDAP_BACK_CFG_NETWORK_TIMEOUT,
 440                 ldap_pbind_cf_gen, "( OLcfgDbAt:3.17 "
 441                         "NAME 'olcDbNetworkTimeout' "
 442                         "DESC 'connection network timeout' "
 443                         "SYNTAX OMsDirectoryString "
 444                         "SINGLE-VALUE )",
 445                 NULL, NULL },
 446         { "quarantine", "retrylist", 2, 2, 0,
 447                 ARG_MAGIC|LDAP_BACK_CFG_QUARANTINE,
 448                 ldap_pbind_cf_gen, "( OLcfgDbAt:3.21 "
 449                         "NAME 'olcDbQuarantine' "
 450                         "DESC 'Quarantine database if connection fails and retry according to rule' "
 451                         "SYNTAX OMsDirectoryString "
 452                         "SINGLE-VALUE )",
 453                 NULL, NULL },
 454         { NULL, NULL, 0, 0, 0, ARG_IGNORED,
 455                 NULL, NULL, NULL, NULL }
 456 };
 457
 458 static ConfigOCs pbindocs[] = {
 459         { "( OLcfgOvOc:3.3 "
 460                 "NAME 'olcPBindConfig' "
 461                 "DESC 'Proxy Bind configuration' "
 462                 "SUP olcOverlayConfig "
 463                 "MUST olcDbURI "
 464                 "MAY ( olcDbStartTLS "
 465                         "$ olcDbNetworkTimeout "
 466                         "$ olcDbQuarantine "
 467                 ") )",
 468                         Cft_Overlay, pbindcfg},
 469         { NULL, 0, NULL }
 470 };
 471
 472 static slap_verbmasks idassert_mode[] = {
 473         { BER_BVC("self"),              LDAP_BACK_IDASSERT_SELF },
 474         { BER_BVC("anonymous"),         LDAP_BACK_IDASSERT_ANONYMOUS },
 475         { BER_BVC("none"),              LDAP_BACK_IDASSERT_NOASSERT },
 476         { BER_BVC("legacy"),            LDAP_BACK_IDASSERT_LEGACY },
 477         { BER_BVNULL,                   0 }
 478 };
 479
 480 static slap_verbmasks tls_mode[] = {
 481         { BER_BVC( "propagate" ),       LDAP_BACK_F_TLS_PROPAGATE_MASK },
 482         { BER_BVC( "try-propagate" ),   LDAP_BACK_F_PROPAGATE_TLS },
 483         { BER_BVC( "start" ),           LDAP_BACK_F_TLS_USE_MASK },
 484         { BER_BVC( "try-start" ),       LDAP_BACK_F_USE_TLS },
 485         { BER_BVC( "ldaps" ),           LDAP_BACK_F_TLS_LDAPS },
 486         { BER_BVC( "none" ),            LDAP_BACK_F_NONE },
 487         { BER_BVNULL,                   0 }
 488 };
 489
 490 static slap_verbmasks t_f_mode[] = {
 491         { BER_BVC( "yes" ),             LDAP_BACK_F_T_F },
 492         { BER_BVC( "discover" ),        LDAP_BACK_F_T_F_DISCOVER },
 493         { BER_BVC( "no" ),              LDAP_BACK_F_NONE },
 494         { BER_BVNULL,                   0 }
 495 };
 496
 497 static slap_verbmasks cancel_mode[] = {
 498         { BER_BVC( "ignore" ),          LDAP_BACK_F_CANCEL_IGNORE },
 499         { BER_BVC( "exop" ),            LDAP_BACK_F_CANCEL_EXOP },
 500         { BER_BVC( "exop-discover" ),   LDAP_BACK_F_CANCEL_EXOP_DISCOVER },
 501         { BER_BVC( "abandon" ),         LDAP_BACK_F_CANCEL_ABANDON },
 502         { BER_BVNULL,                   0 }
 503 };
 504
 505 static slap_verbmasks onerr_mode[] = {
 506         { BER_BVC( "stop" ),            LDAP_BACK_F_ONERR_STOP },
 507         { BER_BVC( "report" ),          LDAP_BACK_F_ONERR_STOP }, /* same behavior */
 508         { BER_BVC( "continue" ),        LDAP_BACK_F_NONE },
 509         { BER_BVNULL,                   0 }
 510 };
 511
 512 /* see enum in slap.h */
 513 static slap_cf_aux_table timeout_table[] = {
 514         { BER_BVC("bind="),     SLAP_OP_BIND * sizeof( time_t ),        'u', 0, NULL },
 515         /* unbind makes no sense */
 516         { BER_BVC("add="),      SLAP_OP_ADD * sizeof( time_t ),         'u', 0, NULL },
 517         { BER_BVC("delete="),   SLAP_OP_DELETE * sizeof( time_t ),      'u', 0, NULL },
 518         { BER_BVC("modrdn="),   SLAP_OP_MODRDN * sizeof( time_t ),      'u', 0, NULL },
 519         { BER_BVC("modify="),   SLAP_OP_MODIFY * sizeof( time_t ),      'u', 0, NULL },
 520         { BER_BVC("compare="),  SLAP_OP_COMPARE * sizeof( time_t ),     'u', 0, NULL },
 521         { BER_BVC("search="),   SLAP_OP_SEARCH * sizeof( time_t ),      'u', 0, NULL },
 522         /* abandon makes little sense */
 523 #if 0   /* not implemented yet */
 524         { BER_BVC("extended="), SLAP_OP_EXTENDED * sizeof( time_t ),    'u', 0, NULL },
 525 #endif
 526         { BER_BVNULL, 0, 0, 0, NULL }
 527 };
 528
 529 int
 530 slap_retry_info_parse(
 531         char                    *in,
 532         slap_retry_info_t       *ri,
 533         char                    *buf,
 534         ber_len_t               buflen )
 535 {
 536         char                    **retrylist = NULL;
 537         int                     rc = 0;
 538         int                     i;
 539
 540         slap_str2clist( &retrylist, in, " ;" );
 541         if ( retrylist == NULL ) {
 542                 return 1;
 543         }
 544
 545         for ( i = 0; retrylist[ i ] != NULL; i++ )
 546                 /* count */ ;
 547
 548         ri->ri_interval = ch_calloc( sizeof( time_t ), i + 1 );
 549         ri->ri_num = ch_calloc( sizeof( int ), i + 1 );
 550
 551         for ( i = 0; retrylist[ i ] != NULL; i++ ) {
 552                 unsigned long   t;
 553                 char            *sep = strchr( retrylist[ i ], ',' );
 554
 555                 if ( sep == NULL ) {
 556                         snprintf( buf, buflen,
 557                                 "missing comma in retry pattern #%d \"%s\"",
 558                                 i, retrylist[ i ] );
 559                         rc = 1;
 560                         goto done;
 561                 }
 562
 563                 *sep++ = '\0';
 564
 565                 if ( lutil_parse_time( retrylist[ i ], &t ) ) {
 566                         snprintf( buf, buflen,
 567                                 "unable to parse interval #%d \"%s\"",
 568                                 i, retrylist[ i ] );
 569                         rc = 1;
 570                         goto done;
 571                 }
 572                 ri->ri_interval[ i ] = (time_t)t;
 573
 574                 if ( strcmp( sep, "+" ) == 0 ) {
 575                         if ( retrylist[ i + 1 ] != NULL ) {
 576                                 snprintf( buf, buflen,
 577                                         "extra cruft after retry pattern "
 578                                         "#%d \"%s,+\" with \"forever\" mark",
 579                                         i, retrylist[ i ] );
 580                                 rc = 1;
 581                                 goto done;
 582                         }
 583                         ri->ri_num[ i ] = SLAP_RETRYNUM_FOREVER;
 584
 585                 } else if ( lutil_atoi( &ri->ri_num[ i ], sep ) ) {
 586                         snprintf( buf, buflen,
 587                                 "unable to parse retry num #%d \"%s\"",
 588                                 i, sep );
 589                         rc = 1;
 590                         goto done;
 591                 }
 592         }
 593
 594         ri->ri_num[ i ] = SLAP_RETRYNUM_TAIL;
 595
 596         ri->ri_idx = 0;
 597         ri->ri_count = 0;
 598         ri->ri_last = (time_t)(-1);
 599
 600 done:;
 601         ldap_charray_free( retrylist );
 602
 603         if ( rc ) {
 604                 slap_retry_info_destroy( ri );
 605         }
 606
 607         return rc;
 608 }
 609
 610 int
 611 slap_retry_info_unparse(
 612         slap_retry_info_t       *ri,
 613         struct berval           *bvout )
 614 {
 615         char            buf[ BUFSIZ * 2 ],
 616                         *ptr = buf;
 617         int             i, len, restlen = (int) sizeof( buf );
 618         struct berval   bv;
 619
 620         assert( ri != NULL );
 621         assert( bvout != NULL );
 622
 623         BER_BVZERO( bvout );
 624
 625         for ( i = 0; ri->ri_num[ i ] != SLAP_RETRYNUM_TAIL; i++ ) {
 626                 if ( i > 0 ) {
 627                         if ( --restlen <= 0 ) {
 628                                 return 1;
 629                         }
 630                         *ptr++ = ';';
 631                 }
 632
 633                 if ( lutil_unparse_time( ptr, restlen, ri->ri_interval[i] ) < 0 ) {
 634                         return 1;
 635                 }
 636                 len = (int) strlen( ptr );
 637                 if ( (restlen -= len + 1) <= 0 ) {
 638                         return 1;
 639                 }
 640                 ptr += len;
 641                 *ptr++ = ',';
 642
 643                 if ( ri->ri_num[i] == SLAP_RETRYNUM_FOREVER ) {
 644                         if ( --restlen <= 0 ) {
 645                                 return 1;
 646                         }
 647                         *ptr++ = '+';
 648
 649                 } else {
 650                         len = snprintf( ptr, restlen, "%d", ri->ri_num[i] );
 651                         if ( (restlen -= len) <= 0 || len < 0 ) {
 652                                 return 1;
 653                         }
 654                         ptr += len;
 655                 }
 656         }
 657
 658         bv.bv_val = buf;
 659         bv.bv_len = ptr - buf;
 660         ber_dupbv( bvout, &bv );
 661
 662         return 0;
 663 }
 664
 665 void
 666 slap_retry_info_destroy(
 667         slap_retry_info_t       *ri )
 668 {
 669         assert( ri != NULL );
 670
 671         assert( ri->ri_interval != NULL );
 672         ch_free( ri->ri_interval );
 673         ri->ri_interval = NULL;
 674
 675         assert( ri->ri_num != NULL );
 676         ch_free( ri->ri_num );
 677         ri->ri_num = NULL;
 678 }
 679
 680 int
 681 slap_idassert_authzfrom_parse( ConfigArgs *c, slap_idassert_t *si )
 682 {
 683         struct berval   bv;
 684         struct berval   in;
 685         int             rc;
 686
 687         if ( strcmp( c->argv[ 1 ], "*" ) == 0
 688                 || strcmp( c->argv[ 1 ], "dn:*" ) == 0
 689                 || strcasecmp( c->argv[ 1 ], "dn.regex:.*" ) == 0 )
 690         {
 691                 if ( si->si_authz != NULL ) {
 692                         snprintf( c->cr_msg, sizeof( c->cr_msg ),
 693                                 "\"idassert-authzFrom <authz>\": "
 694                                 "\"%s\" conflicts with existing authz rules",
 695                                 c->argv[ 1 ] );
 696                         Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
 697                         return 1;
 698                 }
 699
 700                 si->si_flags |= LDAP_BACK_AUTH_AUTHZ_ALL;
 701
 702                 return 0;
 703
 704         } else if ( ( si->si_flags & LDAP_BACK_AUTH_AUTHZ_ALL ) ) {
 705                 snprintf( c->cr_msg, sizeof( c->cr_msg ),
 706                         "\"idassert-authzFrom <authz>\": "
 707                         "\"<authz>\" conflicts with \"*\"" );
 708                 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
 709                 return 1;
 710         }
 711
 712         ber_str2bv( c->argv[ 1 ], 0, 0, &in );
 713         rc = authzNormalize( 0, NULL, NULL, &in, &bv, NULL );
 714         if ( rc != LDAP_SUCCESS ) {
 715                 snprintf( c->cr_msg, sizeof( c->cr_msg ),
 716                         "\"idassert-authzFrom <authz>\": "
 717                         "invalid syntax" );
 718                 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
 719                 return 1;
 720         }
 721
 722         if ( c->valx == -1 ) {
 723                 ber_bvarray_add( &si->si_authz, &bv );
 724
 725         } else {
 726                 int i = 0;
 727                 if ( si->si_authz != NULL ) {
 728                         for ( ; !BER_BVISNULL( &si->si_authz[ i ] ); i++ )
 729                                 ;
 730                 }
 731
 732                 if ( i <= c->valx ) {
 733                         ber_bvarray_add( &si->si_authz, &bv );
 734
 735                 } else {
 736                         BerVarray tmp = ber_memrealloc( si->si_authz,
 737                                 sizeof( struct berval )*( i + 2 ) );
 738                         if ( tmp == NULL ) {
 739                                 return -1;
 740                         }
 741                         si->si_authz = tmp;
 742                         for ( ; i > c->valx; i-- ) {
 743                                 si->si_authz[ i ] = si->si_authz[ i - 1 ];
 744                         }
 745                         si->si_authz[ c->valx ] = bv;
 746                 }
 747         }
 748
 749         return 0;
 750 }
 751
 752 static int
 753 slap_idassert_passthru_parse( ConfigArgs *c, slap_idassert_t *si )
 754 {
 755         struct berval   bv;
 756         struct berval   in;
 757         int             rc;
 758
 759         ber_str2bv( c->argv[ 1 ], 0, 0, &in );
 760         rc = authzNormalize( 0, NULL, NULL, &in, &bv, NULL );
 761         if ( rc != LDAP_SUCCESS ) {
 762                 snprintf( c->cr_msg, sizeof( c->cr_msg ),
 763                         "\"idassert-passThru <authz>\": "
 764                         "invalid syntax" );
 765                 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
 766                 return 1;
 767         }
 768
 769         if ( c->valx == -1 ) {
 770                 ber_bvarray_add( &si->si_passthru, &bv );
 771
 772         } else {
 773                 int i = 0;
 774                 if ( si->si_passthru != NULL ) {
 775                         for ( ; !BER_BVISNULL( &si->si_passthru[ i ] ); i++ )
 776                                 ;
 777                 }
 778
 779                 if ( i <= c->valx ) {
 780                         ber_bvarray_add( &si->si_passthru, &bv );
 781
 782                 } else {
 783                         BerVarray tmp = ber_memrealloc( si->si_passthru,
 784                                 sizeof( struct berval )*( i + 2 ) );
 785                         if ( tmp == NULL ) {
 786                                 return -1;
 787                         }
 788                         si->si_passthru = tmp;
 789                         for ( ; i > c->valx; i-- ) {
 790                                 si->si_passthru[ i ] = si->si_passthru[ i - 1 ];
 791                         }
 792                         si->si_passthru[ c->valx ] = bv;
 793                 }
 794         }
 795
 796         return 0;
 797 }
 798
 799 int
 800 slap_idassert_parse( ConfigArgs *c, slap_idassert_t *si )
 801 {
 802         int             i;
 803
 804         for ( i = 1; i < c->argc; i++ ) {
 805                 if ( strncasecmp( c->argv[ i ], "mode=", STRLENOF( "mode=" ) ) == 0 ) {
 806                         char    *argvi = c->argv[ i ] + STRLENOF( "mode=" );
 807                         int     j;
 808
 809                         j = verb_to_mask( argvi, idassert_mode );
 810                         if ( BER_BVISNULL( &idassert_mode[ j ].word ) ) {
 811                                 snprintf( c->cr_msg, sizeof( c->cr_msg ),
 812                                         "\"idassert-bind <args>\": "
 813                                         "unknown mode \"%s\"",
 814                                         argvi );
 815                                 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
 816                                 return 1;
 817                         }
 818
 819                         si->si_mode = idassert_mode[ j ].mask;
 820
 821                 } else if ( strncasecmp( c->argv[ i ], "authz=", STRLENOF( "authz=" ) ) == 0 ) {
 822                         char    *argvi = c->argv[ i ] + STRLENOF( "authz=" );
 823
 824                         if ( strcasecmp( argvi, "native" ) == 0 ) {
 825                                 if ( si->si_bc.sb_method != LDAP_AUTH_SASL ) {
 826                                         snprintf( c->cr_msg, sizeof( c->cr_msg ),
 827                                                 "\"idassert-bind <args>\": "
 828                                                 "authz=\"native\" incompatible "
 829                                                 "with auth method" );
 830                                         Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
 831                                         return 1;
 832                                 }
 833                                 si->si_flags |= LDAP_BACK_AUTH_NATIVE_AUTHZ;
 834
 835                         } else if ( strcasecmp( argvi, "proxyAuthz" ) == 0 ) {
 836                                 si->si_flags &= ~LDAP_BACK_AUTH_NATIVE_AUTHZ;
 837
 838                         } else {
 839                                 snprintf( c->cr_msg, sizeof( c->cr_msg ),
 840                                         "\"idassert-bind <args>\": "
 841                                         "unknown authz \"%s\"",
 842                                         argvi );
 843                                 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
 844                                 return 1;
 845                         }
 846
 847                 } else if ( strncasecmp( c->argv[ i ], "flags=", STRLENOF( "flags=" ) ) == 0 ) {
 848                         char    *argvi = c->argv[ i ] + STRLENOF( "flags=" );
 849                         char    **flags = ldap_str2charray( argvi, "," );
 850                         int     j, err = 0;
 851
 852                         if ( flags == NULL ) {
 853                                 snprintf( c->cr_msg, sizeof( c->cr_msg ),
 854                                         "\"idassert-bind <args>\": "
 855                                         "unable to parse flags \"%s\"",
 856                                         argvi );
 857                                 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
 858                                 return 1;
 859                         }
 860
 861                         for ( j = 0; flags[ j ] != NULL; j++ ) {
 862
 863                                 if ( strcasecmp( flags[ j ], "override" ) == 0 ) {
 864                                         si->si_flags |= LDAP_BACK_AUTH_OVERRIDE;
 865
 866                                 } else if ( strcasecmp( flags[ j ], "prescriptive" ) == 0 ) {
 867                                         si->si_flags |= LDAP_BACK_AUTH_PRESCRIPTIVE;
 868
 869                                 } else if ( strcasecmp( flags[ j ], "non-prescriptive" ) == 0 ) {
 870                                         si->si_flags &= ( ~LDAP_BACK_AUTH_PRESCRIPTIVE );
 871
 872                                 } else if ( strcasecmp( flags[ j ], "obsolete-proxy-authz" ) == 0 ) {
 873                                         if ( si->si_flags & LDAP_BACK_AUTH_OBSOLETE_ENCODING_WORKAROUND ) {
 874                                                 Debug( LDAP_DEBUG_ANY,
 875                                                                 "%s: \"obsolete-proxy-authz\" flag "
 876                                                                 "in \"idassert-mode <args>\" "
 877                                                                 "incompatible with previously issued \"obsolete-encoding-workaround\" flag.\n",
 878                                                                 c->log, 0, 0 );
 879                                                 err = 1;
 880                                                 break;
 881
 882                                         } else {
 883                                                 si->si_flags |= LDAP_BACK_AUTH_OBSOLETE_PROXY_AUTHZ;
 884                                         }
 885
 886                                 } else if ( strcasecmp( flags[ j ], "obsolete-encoding-workaround" ) == 0 ) {
 887                                         if ( si->si_flags & LDAP_BACK_AUTH_OBSOLETE_PROXY_AUTHZ ) {
 888                                                 Debug( LDAP_DEBUG_ANY,
 889                                                                 "%s: \"obsolete-encoding-workaround\" flag "
 890                                                         "in \"idassert-mode <args>\" "
 891                                                         "incompatible with previously issued \"obsolete-proxy-authz\" flag.\n",
 892                                                         c->log, 0, 0 );
 893                                                 err = 1;
 894                                                 break;
 895
 896                                         } else {
 897                                                 si->si_flags |= LDAP_BACK_AUTH_OBSOLETE_ENCODING_WORKAROUND;
 898                                         }
 899
 900                                 } else if ( strcasecmp( flags[ j ], "proxy-authz-critical" ) == 0 ) {
 901                                         si->si_flags |= LDAP_BACK_AUTH_PROXYAUTHZ_CRITICAL;
 902
 903                                 } else if ( strcasecmp( flags[ j ], "proxy-authz-non-critical" ) == 0 ) {
 904                                         si->si_flags &= ~LDAP_BACK_AUTH_PROXYAUTHZ_CRITICAL;
 905
 906                                 } else {
 907                                         snprintf( c->cr_msg, sizeof( c->cr_msg ),
 908                                                 "\"idassert-bind <args>\": "
 909                                                 "unknown flag \"%s\"",
 910                                                 flags[ j ] );
 911                                         Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
 912                                         err = 1;
 913                                         break;
 914                                 }
 915                         }
 916
 917                         ldap_charray_free( flags );
 918                         if ( err ) {
 919                                 return 1;
 920                         }
 921
 922                 } else if ( bindconf_parse( c->argv[ i ], &si->si_bc ) ) {
 923                         snprintf( c->cr_msg, sizeof( c->cr_msg ),
 924                                 "\"idassert-bind <args>\": "
 925                                 "unable to parse field \"%s\"",
 926                                 c->argv[ i ] );
 927                         Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
 928                         return 1;
 929                 }
 930         }
 931
 932         if ( si->si_bc.sb_method == LDAP_AUTH_SIMPLE ) {
 933                 if ( BER_BVISNULL( &si->si_bc.sb_binddn )
 934                         || BER_BVISNULL( &si->si_bc.sb_cred ) )
 935                 {
 936                         snprintf( c->cr_msg, sizeof( c->cr_msg ),
 937                                 "\"idassert-bind <args>\": "
 938                                 "SIMPLE needs \"binddn\" and \"credentials\"" );
 939                         Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
 940                         return 1;
 941                 }
 942         }
 943
 944         bindconf_tls_defaults( &si->si_bc );
 945
 946         return 0;
 947 }
 948
 949 /* NOTE: temporary, until back-meta is ported to back-config */
 950 int
 951 slap_idassert_passthru_parse_cf( const char *fname, int lineno, const char *arg, slap_idassert_t *si )
 952 {
 953         ConfigArgs      c = { 0 };
 954         char            *argv[ 3 ];
 955
 956         snprintf( c.log, sizeof( c.log ), "%s: line %d", fname, lineno );
 957         c.argc = 2;
 958         c.argv = argv;
 959         argv[ 0 ] = "idassert-passThru";
 960         argv[ 1 ] = (char *)arg;
 961         argv[ 2 ] = NULL;
 962
 963         return slap_idassert_passthru_parse( &c, si );
 964 }
 965
 966 static int
 967 ldap_back_cf_gen( ConfigArgs *c )
 968 {
 969         ldapinfo_t      *li = ( ldapinfo_t * )c->be->be_private;
 970         int             rc = 0;
 971         int             i;
 972
 973         if ( c->op == SLAP_CONFIG_EMIT ) {
 974                 struct berval   bv = BER_BVNULL;
 975
 976                 if ( li == NULL ) {
 977                         return 1;
 978                 }
 979
 980                 switch( c->type ) {
 981                 case LDAP_BACK_CFG_URI:
 982                         if ( li->li_uri != NULL ) {
 983                                 struct berval   bv, bv2;
 984
 985                                 ber_str2bv( li->li_uri, 0, 0, &bv );
 986                                 bv2.bv_len = bv.bv_len + STRLENOF( "\"\"" );
 987                                 bv2.bv_val = ch_malloc( bv2.bv_len + 1 );
 988                                 snprintf( bv2.bv_val, bv2.bv_len + 1,
 989                                         "\"%s\"", bv.bv_val );
 990                                 ber_bvarray_add( &c->rvalue_vals, &bv2 );
 991
 992                         } else {
 993                                 rc = 1;
 994                         }
 995                         break;
 996
 997                 case LDAP_BACK_CFG_TLS: {
 998                         struct berval bc = BER_BVNULL, bv2;
 999                         enum_to_verb( tls_mode, ( li->li_flags & LDAP_BACK_F_TLS_MASK ), &bv );
1000                         assert( !BER_BVISNULL( &bv ) );
1001                         bindconf_tls_unparse( &li->li_tls, &bc );
1002
1003                         if ( !BER_BVISEMPTY( &bc )) {
1004                                 bv2.bv_len = bv.bv_len + bc.bv_len + 1;
1005                                 bv2.bv_val = ch_malloc( bv2.bv_len + 1 );
1006                                 strcpy( bv2.bv_val, bv.bv_val );
1007                                 bv2.bv_val[bv.bv_len] = ' ';
1008                                 strcpy( &bv2.bv_val[bv.bv_len + 1], bc.bv_val );
1009                                 ber_bvarray_add( &c->rvalue_vals, &bv2 );
1010
1011                         } else {
1012                                 value_add_one( &c->rvalue_vals, &bv );
1013                         }
1014                         ber_memfree( bc.bv_val );
1015                         }
1016                         break;
1017
1018                 case LDAP_BACK_CFG_ACL_AUTHCDN:
1019                 case LDAP_BACK_CFG_ACL_PASSWD:
1020                 case LDAP_BACK_CFG_ACL_METHOD:
1021                         /* handled by LDAP_BACK_CFG_ACL_BIND */
1022                         rc = 1;
1023                         break;
1024
1025                 case LDAP_BACK_CFG_ACL_BIND: {
1026                         int     i;
1027
1028                         if ( li->li_acl_authmethod == LDAP_AUTH_NONE ) {
1029                                 return 1;
1030                         }
1031
1032                         bindconf_unparse( &li->li_acl, &bv );
1033
1034                         for ( i = 0; isspace( (unsigned char) bv.bv_val[ i ] ); i++ )
1035                                 /* count spaces */ ;
1036
1037                         if ( i ) {
1038                                 bv.bv_len -= i;
1039                                 AC_MEMCPY( bv.bv_val, &bv.bv_val[ i ],
1040                                         bv.bv_len + 1 );
1041                         }
1042
1043                         ber_bvarray_add( &c->rvalue_vals, &bv );
1044                         break;
1045                 }
1046
1047                 case LDAP_BACK_CFG_IDASSERT_MODE:
1048                 case LDAP_BACK_CFG_IDASSERT_AUTHCDN:
1049                 case LDAP_BACK_CFG_IDASSERT_PASSWD:
1050                 case LDAP_BACK_CFG_IDASSERT_METHOD:
1051                         /* handled by LDAP_BACK_CFG_IDASSERT_BIND */
1052                         rc = 1;
1053                         break;
1054
1055                 case LDAP_BACK_CFG_IDASSERT_AUTHZFROM:
1056                 case LDAP_BACK_CFG_IDASSERT_PASSTHRU: {
1057                         BerVarray       *bvp;
1058                         int             i;
1059                         struct berval   bv = BER_BVNULL;
1060                         char            buf[SLAP_TEXT_BUFLEN];
1061
1062                         switch ( c->type ) {
1063                         case LDAP_BACK_CFG_IDASSERT_AUTHZFROM: bvp = &li->li_idassert_authz; break;
1064                         case LDAP_BACK_CFG_IDASSERT_PASSTHRU: bvp = &li->li_idassert_passthru; break;
1065                         default: assert( 0 ); break;
1066                         }
1067
1068                         if ( *bvp == NULL ) {
1069                                 if ( bvp == &li->li_idassert_authz
1070                                         && ( li->li_idassert_flags & LDAP_BACK_AUTH_AUTHZ_ALL ) )
1071                                 {
1072                                         BER_BVSTR( &bv, "*" );
1073                                         value_add_one( &c->rvalue_vals, &bv );
1074
1075                                 } else {
1076                                         rc = 1;
1077                                 }
1078                                 break;
1079                         }
1080
1081                         for ( i = 0; !BER_BVISNULL( &((*bvp)[ i ]) ); i++ ) {
1082                                 char *ptr;
1083                                 int len = snprintf( buf, sizeof( buf ), SLAP_X_ORDERED_FMT, i );
1084                                 bv.bv_len = ((*bvp)[ i ]).bv_len + len;
1085                                 bv.bv_val = ber_memrealloc( bv.bv_val, bv.bv_len + 1 );
1086                                 ptr = bv.bv_val;
1087                                 ptr = lutil_strcopy( ptr, buf );
1088                                 ptr = lutil_strncopy( ptr, ((*bvp)[ i ]).bv_val, ((*bvp)[ i ]).bv_len );
1089                                 value_add_one( &c->rvalue_vals, &bv );
1090                         }
1091                         if ( bv.bv_val ) {
1092                                 ber_memfree( bv.bv_val );
1093                         }
1094                         break;
1095                 }
1096
1097                 case LDAP_BACK_CFG_IDASSERT_BIND: {
1098                         int             i;
1099                         struct berval   bc = BER_BVNULL;
1100                         char            *ptr;
1101
1102                         if ( li->li_idassert_authmethod == LDAP_AUTH_NONE ) {
1103                                 return 1;
1104                         }
1105
1106                         if ( li->li_idassert_authmethod != LDAP_AUTH_NONE ) {
1107                                 ber_len_t       len;
1108
1109                                 switch ( li->li_idassert_mode ) {
1110                                 case LDAP_BACK_IDASSERT_OTHERID:
1111                                 case LDAP_BACK_IDASSERT_OTHERDN:
1112                                         break;
1113
1114                                 default: {
1115                                         struct berval   mode = BER_BVNULL;
1116
1117                                         enum_to_verb( idassert_mode, li->li_idassert_mode, &mode );
1118                                         if ( BER_BVISNULL( &mode ) ) {
1119                                                 /* there's something wrong... */
1120                                                 assert( 0 );
1121                                                 rc = 1;
1122
1123                                         } else {
1124                                                 bv.bv_len = STRLENOF( "mode=" ) + mode.bv_len;
1125                                                 bv.bv_val = ch_malloc( bv.bv_len + 1 );
1126
1127                                                 ptr = lutil_strcopy( bv.bv_val, "mode=" );
1128                                                 ptr = lutil_strcopy( ptr, mode.bv_val );
1129                                         }
1130                                         break;
1131                                 }
1132                                 }
1133
1134                                 if ( li->li_idassert_flags & LDAP_BACK_AUTH_NATIVE_AUTHZ ) {
1135                                         len = bv.bv_len + STRLENOF( "authz=native" );
1136
1137                                         if ( !BER_BVISEMPTY( &bv ) ) {
1138                                                 len += STRLENOF( " " );
1139                                         }
1140
1141                                         bv.bv_val = ch_realloc( bv.bv_val, len + 1 );
1142
1143                                         ptr = &bv.bv_val[ bv.bv_len ];
1144
1145                                         if ( !BER_BVISEMPTY( &bv ) ) {
1146                                                 ptr = lutil_strcopy( ptr, " " );
1147                                         }
1148
1149                                         (void)lutil_strcopy( ptr, "authz=native" );
1150                                 }
1151
1152                                 len = bv.bv_len + STRLENOF( "flags=non-prescriptive,override,obsolete-encoding-workaround,proxy-authz-non-critical" );
1153                                 /* flags */
1154                                 if ( !BER_BVISEMPTY( &bv ) ) {
1155                                         len += STRLENOF( " " );
1156                                 }
1157
1158                                 bv.bv_val = ch_realloc( bv.bv_val, len + 1 );
1159
1160                                 ptr = &bv.bv_val[ bv.bv_len ];
1161
1162                                 if ( !BER_BVISEMPTY( &bv ) ) {
1163                                         ptr = lutil_strcopy( ptr, " " );
1164                                 }
1165
1166                                 ptr = lutil_strcopy( ptr, "flags=" );
1167
1168                                 if ( li->li_idassert_flags & LDAP_BACK_AUTH_PRESCRIPTIVE ) {
1169                                         ptr = lutil_strcopy( ptr, "prescriptive" );
1170                                 } else {
1171                                         ptr = lutil_strcopy( ptr, "non-prescriptive" );
1172                                 }
1173
1174                                 if ( li->li_idassert_flags & LDAP_BACK_AUTH_OVERRIDE ) {
1175                                         ptr = lutil_strcopy( ptr, ",override" );
1176                                 }
1177
1178                                 if ( li->li_idassert_flags & LDAP_BACK_AUTH_OBSOLETE_PROXY_AUTHZ ) {
1179                                         ptr = lutil_strcopy( ptr, ",obsolete-proxy-authz" );
1180
1181                                 } else if ( li->li_idassert_flags & LDAP_BACK_AUTH_OBSOLETE_ENCODING_WORKAROUND ) {
1182                                         ptr = lutil_strcopy( ptr, ",obsolete-encoding-workaround" );
1183                                 }
1184
1185                                 if ( li->li_idassert_flags & LDAP_BACK_AUTH_PROXYAUTHZ_CRITICAL ) {
1186                                         ptr = lutil_strcopy( ptr, ",proxy-authz-critical" );
1187
1188                                 } else {
1189                                         ptr = lutil_strcopy( ptr, ",proxy-authz-non-critical" );
1190                                 }
1191
1192                                 bv.bv_len = ( ptr - bv.bv_val );
1193                                 /* end-of-flags */
1194                         }
1195
1196                         bindconf_unparse( &li->li_idassert.si_bc, &bc );
1197
1198                         if ( !BER_BVISNULL( &bv ) ) {
1199                                 ber_len_t       len = bv.bv_len + bc.bv_len;
1200
1201                                 bv.bv_val = ch_realloc( bv.bv_val, len + 1 );
1202
1203                                 assert( bc.bv_val[ 0 ] == ' ' );
1204
1205                                 ptr = lutil_strcopy( &bv.bv_val[ bv.bv_len ], bc.bv_val );
1206                                 free( bc.bv_val );
1207                                 bv.bv_len = ptr - bv.bv_val;
1208
1209                         } else {
1210                                 for ( i = 0; isspace( (unsigned char) bc.bv_val[ i ] ); i++ )
1211                                         /* count spaces */ ;
1212
1213                                 if ( i ) {
1214                                         bc.bv_len -= i;
1215                                         AC_MEMCPY( bc.bv_val, &bc.bv_val[ i ], bc.bv_len + 1 );
1216                                 }
1217
1218                                 bv = bc;
1219                         }
1220
1221                         ber_bvarray_add( &c->rvalue_vals, &bv );
1222
1223                         break;
1224                 }
1225
1226                 case LDAP_BACK_CFG_REBIND:
1227                         c->value_int = LDAP_BACK_SAVECRED( li );
1228                         break;
1229
1230                 case LDAP_BACK_CFG_CHASE:
1231                         c->value_int = LDAP_BACK_CHASE_REFERRALS( li );
1232                         break;
1233
1234                 case LDAP_BACK_CFG_T_F:
1235                         enum_to_verb( t_f_mode, (li->li_flags & LDAP_BACK_F_T_F_MASK2), &bv );
1236                         if ( BER_BVISNULL( &bv ) ) {
1237                                 /* there's something wrong... */
1238                                 assert( 0 );
1239                                 rc = 1;
1240
1241                         } else {
1242                                 value_add_one( &c->rvalue_vals, &bv );
1243                         }
1244                         break;
1245
1246                 case LDAP_BACK_CFG_WHOAMI:
1247                         c->value_int = LDAP_BACK_PROXY_WHOAMI( li );
1248                         break;
1249
1250                 case LDAP_BACK_CFG_TIMEOUT:
1251                         BER_BVZERO( &bv );
1252
1253                         for ( i = 0; i < SLAP_OP_LAST; i++ ) {
1254                                 if ( li->li_timeout[ i ] != 0 ) {
1255                                         break;
1256                                 }
1257                         }
1258
1259                         if ( i == SLAP_OP_LAST ) {
1260                                 return 1;
1261                         }
1262
1263                         slap_cf_aux_table_unparse( li->li_timeout, &bv, timeout_table );
1264
1265                         if ( BER_BVISNULL( &bv ) ) {
1266                                 return 1;
1267                         }
1268
1269                         for ( i = 0; isspace( (unsigned char) bv.bv_val[ i ] ); i++ )
1270                                 /* count spaces */ ;
1271
1272                         if ( i ) {
1273                                 bv.bv_len -= i;
1274                                 AC_MEMCPY( bv.bv_val, &bv.bv_val[ i ],
1275                                         bv.bv_len + 1 );
1276                         }
1277
1278                         ber_bvarray_add( &c->rvalue_vals, &bv );
1279                         break;
1280
1281                 case LDAP_BACK_CFG_IDLE_TIMEOUT: {
1282                         char    buf[ SLAP_TEXT_BUFLEN ];
1283
1284                         if ( li->li_idle_timeout == 0 ) {
1285                                 return 1;
1286                         }
1287
1288                         lutil_unparse_time( buf, sizeof( buf ), li->li_idle_timeout );
1289                         ber_str2bv( buf, 0, 0, &bv );
1290                         value_add_one( &c->rvalue_vals, &bv );
1291                         } break;
1292
1293                 case LDAP_BACK_CFG_CONN_TTL: {
1294                         char    buf[ SLAP_TEXT_BUFLEN ];
1295
1296                         if ( li->li_conn_ttl == 0 ) {
1297                                 return 1;
1298                         }
1299
1300                         lutil_unparse_time( buf, sizeof( buf ), li->li_conn_ttl );
1301                         ber_str2bv( buf, 0, 0, &bv );
1302                         value_add_one( &c->rvalue_vals, &bv );
1303                         } break;
1304
1305                 case LDAP_BACK_CFG_NETWORK_TIMEOUT: {
1306                         char    buf[ SLAP_TEXT_BUFLEN ];
1307
1308                         if ( li->li_network_timeout == 0 ) {
1309                                 return 1;
1310                         }
1311
1312                         snprintf( buf, sizeof( buf ), "%ld",
1313                                 (long)li->li_network_timeout );
1314                         ber_str2bv( buf, 0, 0, &bv );
1315                         value_add_one( &c->rvalue_vals, &bv );
1316                         } break;
1317
1318                 case LDAP_BACK_CFG_VERSION:
1319                         if ( li->li_version == 0 ) {
1320                                 return 1;
1321                         }
1322
1323                         c->value_int = li->li_version;
1324                         break;
1325
1326                 case LDAP_BACK_CFG_SINGLECONN:
1327                         c->value_int = LDAP_BACK_SINGLECONN( li );
1328                         break;
1329
1330                 case LDAP_BACK_CFG_USETEMP:
1331                         c->value_int = LDAP_BACK_USE_TEMPORARIES( li );
1332                         break;
1333
1334                 case LDAP_BACK_CFG_CONNPOOLMAX:
1335                         c->value_int = li->li_conn_priv_max;
1336                         break;
1337
1338                 case LDAP_BACK_CFG_CANCEL: {
1339                         slap_mask_t     mask = LDAP_BACK_F_CANCEL_MASK2;
1340
1341                         if ( LDAP_BACK_CANCEL_DISCOVER( li ) ) {
1342                                 mask &= ~LDAP_BACK_F_CANCEL_EXOP;
1343                         }
1344                         enum_to_verb( cancel_mode, (li->li_flags & mask), &bv );
1345                         if ( BER_BVISNULL( &bv ) ) {
1346                                 /* there's something wrong... */
1347                                 assert( 0 );
1348                                 rc = 1;
1349
1350                         } else {
1351                                 value_add_one( &c->rvalue_vals, &bv );
1352                         }
1353                         } break;
1354
1355                 case LDAP_BACK_CFG_QUARANTINE:
1356                         if ( !LDAP_BACK_QUARANTINE( li ) ) {
1357                                 rc = 1;
1358                                 break;
1359                         }
1360
1361                         rc = slap_retry_info_unparse( &li->li_quarantine, &bv );
1362                         if ( rc == 0 ) {
1363                                 ber_bvarray_add( &c->rvalue_vals, &bv );
1364                         }
1365                         break;
1366
1367 #ifdef SLAP_CONTROL_X_SESSION_TRACKING
1368                 case LDAP_BACK_CFG_ST_REQUEST:
1369                         c->value_int = LDAP_BACK_ST_REQUEST( li );
1370                         break;
1371 #endif /* SLAP_CONTROL_X_SESSION_TRACKING */
1372
1373                 case LDAP_BACK_CFG_NOREFS:
1374                         c->value_int = LDAP_BACK_NOREFS( li );
1375                         break;
1376
1377                 case LDAP_BACK_CFG_NOUNDEFFILTER:
1378                         c->value_int = LDAP_BACK_NOUNDEFFILTER( li );
1379                         break;
1380
1381                 case LDAP_BACK_CFG_OMIT_UNKNOWN_SCHEMA:
1382                         c->value_int = LDAP_BACK_OMIT_UNKNOWN_SCHEMA( li );
1383                         break;
1384
1385                 case LDAP_BACK_CFG_ONERR:
1386                         enum_to_verb( onerr_mode, li->li_flags & LDAP_BACK_F_ONERR_STOP, &bv );
1387                         if ( BER_BVISNULL( &bv )) {
1388                                 rc = 1;
1389                         } else {
1390                                 value_add_one( &c->rvalue_vals, &bv );
1391                         }
1392                         break;
1393
1394                 case LDAP_BACK_CFG_KEEPALIVE: {
1395                         struct berval bv;
1396                         char buf[AC_LINE_MAX];
1397                         bv.bv_len = AC_LINE_MAX;
1398                         bv.bv_val = &buf[0];
1399                         slap_keepalive_parse(&bv, &li->li_tls.sb_keepalive, 0, 0, 1);
1400                         value_add_one( &c->rvalue_vals, &bv );
1401                         break;
1402                         }
1403
1404                 default:
1405                         /* FIXME: we need to handle all... */
1406                         assert( 0 );
1407                         break;
1408                 }
1409                 return rc;
1410
1411         } else if ( c->op == LDAP_MOD_DELETE ) {
1412                 switch( c->type ) {
1413                 case LDAP_BACK_CFG_URI:
1414                         if ( li->li_uri != NULL ) {
1415                                 ch_free( li->li_uri );
1416                                 li->li_uri = NULL;
1417
1418                                 assert( li->li_bvuri != NULL );
1419                                 ber_bvarray_free( li->li_bvuri );
1420                                 li->li_bvuri = NULL;
1421                         }
1422
1423                         /* better cleanup the cached connections... */
1424                         /* NOTE: don't worry about locking: if we got here,
1425                          * other threads are suspended. */
1426                         if ( li->li_conninfo.lai_tree != NULL ) {
1427                                 avl_free( li->li_conninfo.lai_tree, ldap_back_conn_free );
1428                                 li->li_conninfo.lai_tree = NULL;
1429                         }
1430
1431                         break;
1432
1433                 case LDAP_BACK_CFG_TLS:
1434                         rc = 1;
1435                         break;
1436
1437                 case LDAP_BACK_CFG_ACL_AUTHCDN:
1438                 case LDAP_BACK_CFG_ACL_PASSWD:
1439                 case LDAP_BACK_CFG_ACL_METHOD:
1440                         /* handled by LDAP_BACK_CFG_ACL_BIND */
1441                         rc = 1;
1442                         break;
1443
1444                 case LDAP_BACK_CFG_ACL_BIND:
1445                         bindconf_free( &li->li_acl );
1446                         break;
1447
1448                 case LDAP_BACK_CFG_IDASSERT_MODE:
1449                 case LDAP_BACK_CFG_IDASSERT_AUTHCDN:
1450                 case LDAP_BACK_CFG_IDASSERT_PASSWD:
1451                 case LDAP_BACK_CFG_IDASSERT_METHOD:
1452                         /* handled by LDAP_BACK_CFG_IDASSERT_BIND */
1453                         rc = 1;
1454                         break;
1455
1456                 case LDAP_BACK_CFG_IDASSERT_AUTHZFROM:
1457                 case LDAP_BACK_CFG_IDASSERT_PASSTHRU: {
1458                         BerVarray *bvp;
1459
1460                         switch ( c->type ) {
1461                         case LDAP_BACK_CFG_IDASSERT_AUTHZFROM: bvp = &li->li_idassert_authz; break;
1462                         case LDAP_BACK_CFG_IDASSERT_PASSTHRU: bvp = &li->li_idassert_passthru; break;
1463                         default: assert( 0 ); break;
1464                         }
1465
1466                         if ( c->valx < 0 ) {
1467                                 if ( *bvp != NULL ) {
1468                                         ber_bvarray_free( *bvp );
1469                                         *bvp = NULL;
1470                                 }
1471
1472                         } else {
1473                                 int i;
1474
1475                                 if ( *bvp == NULL ) {
1476                                         rc = 1;
1477                                         break;
1478                                 }
1479
1480                                 for ( i = 0; !BER_BVISNULL( &((*bvp)[ i ]) ); i++ )
1481                                         ;
1482
1483                                 if ( i >= c->valx ) {
1484                                         rc = 1;
1485                                         break;
1486                                 }
1487                                 ber_memfree( ((*bvp)[ c->valx ]).bv_val );
1488                                 for ( i = c->valx; !BER_BVISNULL( &((*bvp)[ i + 1 ]) ); i++ ) {
1489                                         (*bvp)[ i ] = (*bvp)[ i + 1 ];
1490                                 }
1491                                 BER_BVZERO( &((*bvp)[ i ]) );
1492                         }
1493                         } break;
1494
1495                 case LDAP_BACK_CFG_IDASSERT_BIND:
1496                         bindconf_free( &li->li_idassert.si_bc );
1497                         memset( &li->li_idassert, 0, sizeof( slap_idassert_t ) );
1498                         break;
1499
1500                 case LDAP_BACK_CFG_REBIND:
1501                 case LDAP_BACK_CFG_CHASE:
1502                 case LDAP_BACK_CFG_T_F:
1503                 case LDAP_BACK_CFG_WHOAMI:
1504                 case LDAP_BACK_CFG_CANCEL:
1505                         rc = 1;
1506                         break;
1507
1508                 case LDAP_BACK_CFG_TIMEOUT:
1509                         for ( i = 0; i < SLAP_OP_LAST; i++ ) {
1510                                 li->li_timeout[ i ] = 0;
1511                         }
1512                         break;
1513
1514                 case LDAP_BACK_CFG_IDLE_TIMEOUT:
1515                         li->li_idle_timeout = 0;
1516                         break;
1517
1518                 case LDAP_BACK_CFG_CONN_TTL:
1519                         li->li_conn_ttl = 0;
1520                         break;
1521
1522                 case LDAP_BACK_CFG_NETWORK_TIMEOUT:
1523                         li->li_network_timeout = 0;
1524                         break;
1525
1526                 case LDAP_BACK_CFG_VERSION:
1527                         li->li_version = 0;
1528                         break;
1529
1530                 case LDAP_BACK_CFG_SINGLECONN:
1531                         li->li_flags &= ~LDAP_BACK_F_SINGLECONN;
1532                         break;
1533
1534                 case LDAP_BACK_CFG_USETEMP:
1535                         li->li_flags &= ~LDAP_BACK_F_USE_TEMPORARIES;
1536                         break;
1537
1538                 case LDAP_BACK_CFG_CONNPOOLMAX:
1539                         li->li_conn_priv_max = LDAP_BACK_CONN_PRIV_MIN;
1540                         break;
1541
1542                 case LDAP_BACK_CFG_QUARANTINE:
1543                         if ( !LDAP_BACK_QUARANTINE( li ) ) {
1544                                 break;
1545                         }
1546
1547                         slap_retry_info_destroy( &li->li_quarantine );
1548                         ldap_pvt_thread_mutex_destroy( &li->li_quarantine_mutex );
1549                         li->li_isquarantined = 0;
1550                         li->li_flags &= ~LDAP_BACK_F_QUARANTINE;
1551                         break;
1552
1553 #ifdef SLAP_CONTROL_X_SESSION_TRACKING
1554                 case LDAP_BACK_CFG_ST_REQUEST:
1555                         li->li_flags &= ~LDAP_BACK_F_ST_REQUEST;
1556                         break;
1557 #endif /* SLAP_CONTROL_X_SESSION_TRACKING */
1558
1559                 case LDAP_BACK_CFG_NOREFS:
1560                         li->li_flags &= ~LDAP_BACK_F_NOREFS;
1561                         break;
1562
1563                 case LDAP_BACK_CFG_NOUNDEFFILTER:
1564                         li->li_flags &= ~LDAP_BACK_F_NOUNDEFFILTER;
1565                         break;
1566
1567                 case LDAP_BACK_CFG_OMIT_UNKNOWN_SCHEMA:
1568                         li->li_flags &= ~LDAP_BACK_F_OMIT_UNKNOWN_SCHEMA;
1569                         break;
1570
1571                 case LDAP_BACK_CFG_ONERR:
1572                         li->li_flags &= ~LDAP_BACK_F_ONERR_STOP;
1573                         break;
1574
1575                 case LDAP_BACK_CFG_KEEPALIVE:
1576                         li->li_tls.sb_keepalive.sk_idle = 0;
1577                         li->li_tls.sb_keepalive.sk_probes = 0;
1578                         li->li_tls.sb_keepalive.sk_interval = 0;
1579                         break;
1580
1581                 default:
1582                         /* FIXME: we need to handle all... */
1583                         assert( 0 );
1584                         break;
1585                 }
1586                 return rc;
1587
1588         }
1589
1590         switch( c->type ) {
1591         case LDAP_BACK_CFG_URI: {
1592                 LDAPURLDesc     *tmpludp, *lud;
1593                 char            **urllist = NULL;
1594                 int             urlrc = LDAP_URL_SUCCESS, i;
1595
1596                 if ( li->li_uri != NULL ) {
1597                         ch_free( li->li_uri );
1598                         li->li_uri = NULL;
1599
1600                         assert( li->li_bvuri != NULL );
1601                         ber_bvarray_free( li->li_bvuri );
1602                         li->li_bvuri = NULL;
1603                 }
1604
1605                 /* PARANOID: DN and more are not required nor allowed */
1606                 urlrc = ldap_url_parselist_ext( &lud, c->argv[ 1 ], ", \t", LDAP_PVT_URL_PARSE_NONE );
1607                 if ( urlrc != LDAP_URL_SUCCESS ) {
1608                         char    *why;
1609
1610                         switch ( urlrc ) {
1611                         case LDAP_URL_ERR_MEM:
1612                                 why = "no memory";
1613                                 break;
1614                         case LDAP_URL_ERR_PARAM:
1615                                 why = "parameter is bad";
1616                                 break;
1617                         case LDAP_URL_ERR_BADSCHEME:
1618                                 why = "URL doesn't begin with \"[c]ldap[si]://\"";
1619                                 break;
1620                         case LDAP_URL_ERR_BADENCLOSURE:
1621                                 why = "URL is missing trailing \">\"";
1622                                 break;
1623                         case LDAP_URL_ERR_BADURL:
1624                                 why = "URL is bad";
1625                                 break;
1626                         case LDAP_URL_ERR_BADHOST:
1627                                 why = "host/port is bad";
1628                                 break;
1629                         case LDAP_URL_ERR_BADATTRS:
1630                                 why = "bad (or missing) attributes";
1631                                 break;
1632                         case LDAP_URL_ERR_BADSCOPE:
1633                                 why = "scope string is invalid (or missing)";
1634                                 break;
1635                         case LDAP_URL_ERR_BADFILTER:
1636                                 why = "bad or missing filter";
1637                                 break;
1638                         case LDAP_URL_ERR_BADEXTS:
1639                                 why = "bad or missing extensions";
1640                                 break;
1641                         default:
1642                                 why = "unknown reason";
1643                                 break;
1644                         }
1645                         snprintf( c->cr_msg, sizeof( c->cr_msg),
1646                                         "unable to parse uri \"%s\" "
1647                                         "in \"uri <uri>\" line: %s",
1648                                         c->value_string, why );
1649                         Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
1650                         urlrc = 1;
1651                         goto done_url;
1652                 }
1653
1654                 for ( i = 0, tmpludp = lud;
1655                                 tmpludp;
1656                                 i++, tmpludp = tmpludp->lud_next )
1657                 {
1658                         if ( ( tmpludp->lud_dn != NULL
1659                                                 && tmpludp->lud_dn[0] != '\0' )
1660                                         || tmpludp->lud_attrs != NULL
1661                                         /* || tmpludp->lud_scope != LDAP_SCOPE_DEFAULT */
1662                                         || tmpludp->lud_filter != NULL
1663                                         || tmpludp->lud_exts != NULL )
1664                         {
1665                                 snprintf( c->cr_msg, sizeof( c->cr_msg ),
1666                                                 "warning, only protocol, "
1667                                                 "host and port allowed "
1668                                                 "in \"uri <uri>\" statement "
1669                                                 "for uri #%d of \"%s\"",
1670                                                 i, c->argv[ 1 ] );
1671                                 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
1672                         }
1673                 }
1674
1675                 for ( i = 0, tmpludp = lud;
1676                                 tmpludp;
1677                                 i++, tmpludp = tmpludp->lud_next )
1678                         /* just count */
1679                         ;
1680                 urllist = ch_calloc( sizeof( char * ), i + 1 );
1681
1682                 for ( i = 0, tmpludp = lud;
1683                                 tmpludp;
1684                                 i++, tmpludp = tmpludp->lud_next )
1685                 {
1686                         LDAPURLDesc     tmplud;
1687
1688                         tmplud = *tmpludp;
1689                         tmplud.lud_dn = "";
1690                         tmplud.lud_attrs = NULL;
1691                         tmplud.lud_filter = NULL;
1692                         if ( !ldap_is_ldapi_url( tmplud.lud_scheme ) ) {
1693                                 tmplud.lud_exts = NULL;
1694                                 tmplud.lud_crit_exts = 0;
1695                         }
1696
1697                         urllist[ i ]  = ldap_url_desc2str( &tmplud );
1698
1699                         if ( urllist[ i ] == NULL ) {
1700                                 snprintf( c->cr_msg, sizeof( c->cr_msg),
1701                                         "unable to rebuild uri "
1702                                         "in \"uri <uri>\" statement "
1703                                         "for \"%s\"",
1704                                         c->argv[ 1 ] );
1705                                 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
1706                                 urlrc = 1;
1707                                 goto done_url;
1708                         }
1709                 }
1710
1711                 li->li_uri = ldap_charray2str( urllist, " " );
1712                 for ( i = 0; urllist[ i ] != NULL; i++ ) {
1713                         struct berval   bv;
1714
1715                         ber_str2bv( urllist[ i ], 0, 0, &bv );
1716                         ber_bvarray_add( &li->li_bvuri, &bv );
1717                         urllist[ i ] = NULL;
1718                 }
1719                 ldap_memfree( urllist );
1720                 urllist = NULL;
1721
1722 done_url:;
1723                 if ( urllist ) {
1724                         ldap_charray_free( urllist );
1725                 }
1726                 if ( lud ) {
1727                         ldap_free_urllist( lud );
1728                 }
1729                 if ( urlrc != LDAP_URL_SUCCESS ) {
1730                         return 1;
1731                 }
1732                 break;
1733         }
1734
1735         case LDAP_BACK_CFG_TLS:
1736                 i = verb_to_mask( c->argv[1], tls_mode );
1737                 if ( BER_BVISNULL( &tls_mode[i].word ) ) {
1738                         return 1;
1739                 }
1740                 li->li_flags &= ~LDAP_BACK_F_TLS_MASK;
1741                 li->li_flags |= tls_mode[i].mask;
1742                 if ( c->argc > 2 ) {
1743                         for ( i=2; i<c->argc; i++ ) {
1744                                 if ( bindconf_tls_parse( c->argv[i], &li->li_tls ))
1745                                         return 1;
1746                         }
1747                         bindconf_tls_defaults( &li->li_tls );
1748                 }
1749                 break;
1750
1751         case LDAP_BACK_CFG_ACL_AUTHCDN:
1752                 switch ( li->li_acl_authmethod ) {
1753                 case LDAP_AUTH_NONE:
1754                         li->li_acl_authmethod = LDAP_AUTH_SIMPLE;
1755                         break;
1756
1757                 case LDAP_AUTH_SIMPLE:
1758                         break;
1759
1760                 default:
1761                         snprintf( c->cr_msg, sizeof( c->cr_msg),
1762                                 "\"acl-authcDN <DN>\" incompatible "
1763                                 "with auth method %d",
1764                                 li->li_acl_authmethod );
1765                         Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
1766                         return 1;
1767                 }
1768                 if ( !BER_BVISNULL( &li->li_acl_authcDN ) ) {
1769                         free( li->li_acl_authcDN.bv_val );
1770                 }
1771                 ber_memfree_x( c->value_dn.bv_val, NULL );
1772                 li->li_acl_authcDN = c->value_ndn;
1773                 BER_BVZERO( &c->value_dn );
1774                 BER_BVZERO( &c->value_ndn );
1775                 break;
1776
1777         case LDAP_BACK_CFG_ACL_PASSWD:
1778                 switch ( li->li_acl_authmethod ) {
1779                 case LDAP_AUTH_NONE:
1780                         li->li_acl_authmethod = LDAP_AUTH_SIMPLE;
1781                         break;
1782
1783                 case LDAP_AUTH_SIMPLE:
1784                         break;
1785
1786                 default:
1787                         snprintf( c->cr_msg, sizeof( c->cr_msg ),
1788                                 "\"acl-passwd <cred>\" incompatible "
1789                                 "with auth method %d",
1790                                 li->li_acl_authmethod );
1791                         Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
1792                         return 1;
1793                 }
1794                 if ( !BER_BVISNULL( &li->li_acl_passwd ) ) {
1795                         free( li->li_acl_passwd.bv_val );
1796                 }
1797                 ber_str2bv( c->argv[ 1 ], 0, 1, &li->li_acl_passwd );
1798                 break;
1799
1800         case LDAP_BACK_CFG_ACL_METHOD:
1801         case LDAP_BACK_CFG_ACL_BIND:
1802                 for ( i = 1; i < c->argc; i++ ) {
1803                         if ( bindconf_parse( c->argv[ i ], &li->li_acl ) ) {
1804                                 return 1;
1805                         }
1806                 }
1807                 bindconf_tls_defaults( &li->li_acl );
1808                 break;
1809
1810         case LDAP_BACK_CFG_IDASSERT_MODE:
1811                 i = verb_to_mask( c->argv[1], idassert_mode );
1812                 if ( BER_BVISNULL( &idassert_mode[i].word ) ) {
1813                         if ( strncasecmp( c->argv[1], "u:", STRLENOF( "u:" ) ) == 0 ) {
1814                                 li->li_idassert_mode = LDAP_BACK_IDASSERT_OTHERID;
1815                                 ber_str2bv( c->argv[1], 0, 1, &li->li_idassert_authzID );
1816                                 li->li_idassert_authzID.bv_val[ 0 ] = 'u';
1817
1818                         } else {
1819                                 struct berval   id, ndn;
1820
1821                                 ber_str2bv( c->argv[1], 0, 0, &id );
1822
1823                                 if ( strncasecmp( c->argv[1], "dn:", STRLENOF( "dn:" ) ) == 0 ) {
1824                                         id.bv_val += STRLENOF( "dn:" );
1825                                         id.bv_len -= STRLENOF( "dn:" );
1826                                 }
1827
1828                                 rc = dnNormalize( 0, NULL, NULL, &id, &ndn, NULL );
1829                                 if ( rc != LDAP_SUCCESS ) {
1830                                         Debug( LDAP_DEBUG_ANY,
1831                                                 "%s: line %d: idassert ID \"%s\" is not a valid DN\n",
1832                                                 c->fname, c->lineno, c->argv[1] );
1833                                         return 1;
1834                                 }
1835
1836                                 li->li_idassert_authzID.bv_len = STRLENOF( "dn:" ) + ndn.bv_len;
1837                                 li->li_idassert_authzID.bv_val = ch_malloc( li->li_idassert_authzID.bv_len + 1 );
1838                                 AC_MEMCPY( li->li_idassert_authzID.bv_val, "dn:", STRLENOF( "dn:" ) );
1839                                 AC_MEMCPY( &li->li_idassert_authzID.bv_val[ STRLENOF( "dn:" ) ], ndn.bv_val, ndn.bv_len + 1 );
1840                                 ch_free( ndn.bv_val );
1841
1842                                 li->li_idassert_mode = LDAP_BACK_IDASSERT_OTHERDN;
1843                         }
1844
1845                 } else {
1846                         li->li_idassert_mode = idassert_mode[i].mask;
1847                 }
1848
1849                 if ( c->argc > 2 ) {
1850                         int     i;
1851
1852                         for ( i = 2; i < c->argc; i++ ) {
1853                                 if ( strcasecmp( c->argv[ i ], "override" ) == 0 ) {
1854                                         li->li_idassert_flags |= LDAP_BACK_AUTH_OVERRIDE;
1855
1856                                 } else if ( strcasecmp( c->argv[ i ], "prescriptive" ) == 0 ) {
1857                                         li->li_idassert_flags |= LDAP_BACK_AUTH_PRESCRIPTIVE;
1858
1859                                 } else if ( strcasecmp( c->argv[ i ], "non-prescriptive" ) == 0 ) {
1860                                         li->li_idassert_flags &= ( ~LDAP_BACK_AUTH_PRESCRIPTIVE );
1861
1862                                 } else if ( strcasecmp( c->argv[ i ], "obsolete-proxy-authz" ) == 0 ) {
1863                                         if ( li->li_idassert_flags & LDAP_BACK_AUTH_OBSOLETE_ENCODING_WORKAROUND ) {
1864                                                 Debug( LDAP_DEBUG_ANY,
1865                                                         "%s: line %d: \"obsolete-proxy-authz\" flag "
1866                                                         "in \"idassert-mode <args>\" "
1867                                                         "incompatible with previously issued \"obsolete-encoding-workaround\" flag.\n",
1868                                                         c->fname, c->lineno, 0 );
1869                                                 return 1;
1870                                         }
1871                                         li->li_idassert_flags |= LDAP_BACK_AUTH_OBSOLETE_PROXY_AUTHZ;
1872
1873                                 } else if ( strcasecmp( c->argv[ i ], "obsolete-encoding-workaround" ) == 0 ) {
1874                                         if ( li->li_idassert_flags & LDAP_BACK_AUTH_OBSOLETE_PROXY_AUTHZ ) {
1875                                                 Debug( LDAP_DEBUG_ANY,
1876                                                         "%s: line %d: \"obsolete-encoding-workaround\" flag "
1877                                                         "in \"idassert-mode <args>\" "
1878                                                         "incompatible with previously issued \"obsolete-proxy-authz\" flag.\n",
1879                                                         c->fname, c->lineno, 0 );
1880                                                 return 1;
1881                                         }
1882                                         li->li_idassert_flags |= LDAP_BACK_AUTH_OBSOLETE_ENCODING_WORKAROUND;
1883
1884                                 } else {
1885                                         Debug( LDAP_DEBUG_ANY,
1886                                                 "%s: line %d: unknown flag #%d "
1887                                                 "in \"idassert-mode <args> "
1888                                                 "[<flags>]\" line.\n",
1889                                                 c->fname, c->lineno, i - 2 );
1890                                         return 1;
1891                                 }
1892                         }
1893                 }
1894                 break;
1895
1896         case LDAP_BACK_CFG_IDASSERT_AUTHCDN:
1897                 switch ( li->li_idassert_authmethod ) {
1898                 case LDAP_AUTH_NONE:
1899                         li->li_idassert_authmethod = LDAP_AUTH_SIMPLE;
1900                         break;
1901
1902                 case LDAP_AUTH_SIMPLE:
1903                         break;
1904
1905                 default:
1906                         snprintf( c->cr_msg, sizeof( c->cr_msg ),
1907                                 "\"idassert-authcDN <DN>\" incompatible "
1908                                 "with auth method %d",
1909                                 li->li_idassert_authmethod );
1910                         Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
1911                         return 1;
1912                 }
1913                 if ( !BER_BVISNULL( &li->li_idassert_authcDN ) ) {
1914                         free( li->li_idassert_authcDN.bv_val );
1915                 }
1916                 ber_memfree_x( c->value_dn.bv_val, NULL );
1917                 li->li_idassert_authcDN = c->value_ndn;
1918                 BER_BVZERO( &c->value_dn );
1919                 BER_BVZERO( &c->value_ndn );
1920                 break;
1921
1922         case LDAP_BACK_CFG_IDASSERT_PASSWD:
1923                 switch ( li->li_idassert_authmethod ) {
1924                 case LDAP_AUTH_NONE:
1925                         li->li_idassert_authmethod = LDAP_AUTH_SIMPLE;
1926                         break;
1927
1928                 case LDAP_AUTH_SIMPLE:
1929                         break;
1930
1931                 default:
1932                         snprintf( c->cr_msg, sizeof( c->cr_msg ),
1933                                 "\"idassert-passwd <cred>\" incompatible "
1934                                 "with auth method %d",
1935                                 li->li_idassert_authmethod );
1936                         Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
1937                         return 1;
1938                 }
1939                 if ( !BER_BVISNULL( &li->li_idassert_passwd ) ) {
1940                         free( li->li_idassert_passwd.bv_val );
1941                 }
1942                 ber_str2bv( c->argv[ 1 ], 0, 1, &li->li_idassert_passwd );
1943                 break;
1944
1945         case LDAP_BACK_CFG_IDASSERT_AUTHZFROM:
1946                 rc = slap_idassert_authzfrom_parse( c, &li->li_idassert );
1947                 break;
1948
1949         case LDAP_BACK_CFG_IDASSERT_PASSTHRU:
1950                 rc = slap_idassert_passthru_parse( c, &li->li_idassert );
1951                 break;
1952
1953         case LDAP_BACK_CFG_IDASSERT_METHOD:
1954                 /* no longer supported */
1955                 snprintf( c->cr_msg, sizeof( c->cr_msg ),
1956                         "\"idassert-method <args>\": "
1957                         "no longer supported; use \"idassert-bind\"" );
1958                 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
1959                 return 1;
1960
1961         case LDAP_BACK_CFG_IDASSERT_BIND:
1962                 rc = slap_idassert_parse( c, &li->li_idassert );
1963                 break;
1964
1965         case LDAP_BACK_CFG_REBIND:
1966                 if ( c->argc == 1 || c->value_int ) {
1967                         li->li_flags |= LDAP_BACK_F_SAVECRED;
1968
1969                 } else {
1970                         li->li_flags &= ~LDAP_BACK_F_SAVECRED;
1971                 }
1972                 break;
1973
1974         case LDAP_BACK_CFG_CHASE:
1975                 if ( c->argc == 1 || c->value_int ) {
1976                         li->li_flags |= LDAP_BACK_F_CHASE_REFERRALS;
1977
1978                 } else {
1979                         li->li_flags &= ~LDAP_BACK_F_CHASE_REFERRALS;
1980                 }
1981                 break;
1982
1983         case LDAP_BACK_CFG_T_F: {
1984                 slap_mask_t             mask;
1985
1986                 i = verb_to_mask( c->argv[1], t_f_mode );
1987                 if ( BER_BVISNULL( &t_f_mode[i].word ) ) {
1988                         return 1;
1989                 }
1990
1991                 mask = t_f_mode[i].mask;
1992
1993                 if ( LDAP_BACK_ISOPEN( li )
1994                         && mask == LDAP_BACK_F_T_F_DISCOVER
1995                         && !LDAP_BACK_T_F( li ) )
1996                 {
1997                         slap_bindconf   sb = { BER_BVNULL };
1998                         int             rc;
1999
2000                         if ( li->li_uri == NULL ) {
2001                                 snprintf( c->cr_msg, sizeof( c->cr_msg ),
2002                                         "need URI to discover absolute filters support "
2003                                         "in \"t-f-support discover\"" );
2004                                 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2005                                 return 1;
2006                         }
2007
2008                         ber_str2bv( li->li_uri, 0, 0, &sb.sb_uri );
2009                         sb.sb_version = li->li_version;
2010                         sb.sb_method = LDAP_AUTH_SIMPLE;
2011                         BER_BVSTR( &sb.sb_binddn, "" );
2012
2013                         rc = slap_discover_feature( &sb,
2014                                         slap_schema.si_ad_supportedFeatures->ad_cname.bv_val,
2015                                         LDAP_FEATURE_ABSOLUTE_FILTERS );
2016                         if ( rc == LDAP_COMPARE_TRUE ) {
2017                                 mask |= LDAP_BACK_F_T_F;
2018                         }
2019                 }
2020
2021                 li->li_flags &= ~LDAP_BACK_F_T_F_MASK2;
2022                 li->li_flags |= mask;
2023                 } break;
2024
2025         case LDAP_BACK_CFG_WHOAMI:
2026                 if ( c->argc == 1 || c->value_int ) {
2027                         li->li_flags |= LDAP_BACK_F_PROXY_WHOAMI;
2028                         load_extop( (struct berval *)&slap_EXOP_WHOAMI,
2029                                         0, ldap_back_exop_whoami );
2030
2031                 } else {
2032                         li->li_flags &= ~LDAP_BACK_F_PROXY_WHOAMI;
2033                 }
2034                 break;
2035
2036         case LDAP_BACK_CFG_TIMEOUT:
2037                 for ( i = 1; i < c->argc; i++ ) {
2038                         if ( isdigit( (unsigned char) c->argv[ i ][ 0 ] ) ) {
2039                                 int             j;
2040                                 unsigned        u;
2041
2042                                 if ( lutil_atoux( &u, c->argv[ i ], 0 ) != 0 ) {
2043                                         snprintf( c->cr_msg, sizeof( c->cr_msg),
2044                                                 "unable to parse timeout \"%s\"",
2045                                                 c->argv[ i ] );
2046                                         Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2047                                         return 1;
2048                                 }
2049
2050                                 for ( j = 0; j < SLAP_OP_LAST; j++ ) {
2051                                         li->li_timeout[ j ] = u;
2052                                 }
2053
2054                                 continue;
2055                         }
2056
2057                         if ( slap_cf_aux_table_parse( c->argv[ i ], li->li_timeout, timeout_table, "slapd-ldap timeout" ) ) {
2058                                 snprintf( c->cr_msg, sizeof( c->cr_msg),
2059                                         "unable to parse timeout \"%s\"",
2060                                         c->argv[ i ] );
2061                                 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2062                                 return 1;
2063                         }
2064                 }
2065                 break;
2066
2067         case LDAP_BACK_CFG_IDLE_TIMEOUT: {
2068                 unsigned long   t;
2069
2070                 if ( lutil_parse_time( c->argv[ 1 ], &t ) != 0 ) {
2071                         snprintf( c->cr_msg, sizeof( c->cr_msg),
2072                                 "unable to parse idle timeout \"%s\"",
2073                                 c->argv[ 1 ] );
2074                         Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2075                         return 1;
2076                 }
2077                 li->li_idle_timeout = (time_t)t;
2078                 } break;
2079
2080         case LDAP_BACK_CFG_CONN_TTL: {
2081                 unsigned long   t;
2082
2083                 if ( lutil_parse_time( c->argv[ 1 ], &t ) != 0 ) {
2084                         snprintf( c->cr_msg, sizeof( c->cr_msg),
2085                                 "unable to parse conn ttl\"%s\"",
2086                                 c->argv[ 1 ] );
2087                         Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2088                         return 1;
2089                 }
2090                 li->li_conn_ttl = (time_t)t;
2091                 } break;
2092
2093         case LDAP_BACK_CFG_NETWORK_TIMEOUT: {
2094                 unsigned long   t;
2095
2096                 if ( lutil_parse_time( c->argv[ 1 ], &t ) != 0 ) {
2097                         snprintf( c->cr_msg, sizeof( c->cr_msg),
2098                                 "unable to parse network timeout \"%s\"",
2099                                 c->argv[ 1 ] );
2100                         Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2101                         return 1;
2102                 }
2103                 li->li_network_timeout = (time_t)t;
2104                 } break;
2105
2106         case LDAP_BACK_CFG_VERSION:
2107                 if ( c->value_int != 0 && ( c->value_int < LDAP_VERSION_MIN || c->value_int > LDAP_VERSION_MAX ) ) {
2108                         snprintf( c->cr_msg, sizeof( c->cr_msg ),
2109                                 "unsupported version \"%s\" "
2110                                 "in \"protocol-version <version>\"",
2111                                 c->argv[ 1 ] );
2112                         Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2113                         return 1;
2114                 }
2115
2116                 li->li_version = c->value_int;
2117                 break;
2118
2119         case LDAP_BACK_CFG_SINGLECONN:
2120                 if ( c->value_int ) {
2121                         li->li_flags |= LDAP_BACK_F_SINGLECONN;
2122
2123                 } else {
2124                         li->li_flags &= ~LDAP_BACK_F_SINGLECONN;
2125                 }
2126                 break;
2127
2128         case LDAP_BACK_CFG_USETEMP:
2129                 if ( c->value_int ) {
2130                         li->li_flags |= LDAP_BACK_F_USE_TEMPORARIES;
2131
2132                 } else {
2133                         li->li_flags &= ~LDAP_BACK_F_USE_TEMPORARIES;
2134                 }
2135                 break;
2136
2137         case LDAP_BACK_CFG_CONNPOOLMAX:
2138                 if ( c->value_int < LDAP_BACK_CONN_PRIV_MIN
2139                         || c->value_int > LDAP_BACK_CONN_PRIV_MAX )
2140                 {
2141                         snprintf( c->cr_msg, sizeof( c->cr_msg ),
2142                                 "invalid max size " "of privileged "
2143                                 "connections pool \"%s\" "
2144                                 "in \"conn-pool-max <n> "
2145                                 "(must be between %d and %d)\"",
2146                                 c->argv[ 1 ],
2147                                 LDAP_BACK_CONN_PRIV_MIN,
2148                                 LDAP_BACK_CONN_PRIV_MAX );
2149                         Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2150                         return 1;
2151                 }
2152                 li->li_conn_priv_max = c->value_int;
2153                 break;
2154
2155         case LDAP_BACK_CFG_CANCEL: {
2156                 slap_mask_t             mask;
2157
2158                 i = verb_to_mask( c->argv[1], cancel_mode );
2159                 if ( BER_BVISNULL( &cancel_mode[i].word ) ) {
2160                         return 1;
2161                 }
2162
2163                 mask = cancel_mode[i].mask;
2164
2165                 if ( LDAP_BACK_ISOPEN( li )
2166                         && mask == LDAP_BACK_F_CANCEL_EXOP_DISCOVER
2167                         && !LDAP_BACK_CANCEL( li ) )
2168                 {
2169                         slap_bindconf   sb = { BER_BVNULL };
2170                         int             rc;
2171
2172                         if ( li->li_uri == NULL ) {
2173                                 snprintf( c->cr_msg, sizeof( c->cr_msg ),
2174                                         "need URI to discover \"cancel\" support "
2175                                         "in \"cancel exop-discover\"" );
2176                                 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2177                                 return 1;
2178                         }
2179
2180                         ber_str2bv( li->li_uri, 0, 0, &sb.sb_uri );
2181                         sb.sb_version = li->li_version;
2182                         sb.sb_method = LDAP_AUTH_SIMPLE;
2183                         BER_BVSTR( &sb.sb_binddn, "" );
2184
2185                         rc = slap_discover_feature( &sb,
2186                                         slap_schema.si_ad_supportedExtension->ad_cname.bv_val,
2187                                         LDAP_EXOP_CANCEL );
2188                         if ( rc == LDAP_COMPARE_TRUE ) {
2189                                 mask |= LDAP_BACK_F_CANCEL_EXOP;
2190                         }
2191                 }
2192
2193                 li->li_flags &= ~LDAP_BACK_F_CANCEL_MASK2;
2194                 li->li_flags |= mask;
2195                 } break;
2196
2197         case LDAP_BACK_CFG_QUARANTINE:
2198                 if ( LDAP_BACK_QUARANTINE( li ) ) {
2199                         snprintf( c->cr_msg, sizeof( c->cr_msg ),
2200                                 "quarantine already defined" );
2201                         Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2202                         return 1;
2203                 }
2204                 rc = slap_retry_info_parse( c->argv[1], &li->li_quarantine,
2205                         c->cr_msg, sizeof( c->cr_msg ) );
2206                 if ( rc ) {
2207                         Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2208
2209                 } else {
2210                         ldap_pvt_thread_mutex_init( &li->li_quarantine_mutex );
2211                         /* give it a chance to retry if the pattern gets reset
2212                          * via back-config */
2213                         li->li_isquarantined = 0;
2214                         li->li_flags |= LDAP_BACK_F_QUARANTINE;
2215                 }
2216                 break;
2217
2218 #ifdef SLAP_CONTROL_X_SESSION_TRACKING
2219         case LDAP_BACK_CFG_ST_REQUEST:
2220                 if ( c->value_int ) {
2221                         li->li_flags |= LDAP_BACK_F_ST_REQUEST;
2222
2223                 } else {
2224                         li->li_flags &= ~LDAP_BACK_F_ST_REQUEST;
2225                 }
2226                 break;
2227 #endif /* SLAP_CONTROL_X_SESSION_TRACKING */
2228
2229         case LDAP_BACK_CFG_NOREFS:
2230                 if ( c->value_int ) {
2231                         li->li_flags |= LDAP_BACK_F_NOREFS;
2232
2233                 } else {
2234                         li->li_flags &= ~LDAP_BACK_F_NOREFS;
2235                 }
2236                 break;
2237
2238         case LDAP_BACK_CFG_NOUNDEFFILTER:
2239                 if ( c->value_int ) {
2240                         li->li_flags |= LDAP_BACK_F_NOUNDEFFILTER;
2241
2242                 } else {
2243                         li->li_flags &= ~LDAP_BACK_F_NOUNDEFFILTER;
2244                 }
2245                 break;
2246
2247         case LDAP_BACK_CFG_ONERR:
2248         /* onerr? */
2249                 i = verb_to_mask( c->argv[1], onerr_mode );
2250                 if ( BER_BVISNULL( &onerr_mode[i].word ) ) {
2251                         snprintf( c->cr_msg, sizeof( c->cr_msg ),
2252                                 "%s unknown argument \"%s\"",
2253                                 c->argv[0], c->argv[1] );
2254                         Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2255                         return 1;
2256                 }
2257                 li->li_flags &= ~LDAP_BACK_F_ONERR_STOP;
2258                 li->li_flags |= onerr_mode[i].mask;
2259                 break;
2260
2261         case LDAP_BACK_CFG_REWRITE:
2262                 snprintf( c->cr_msg, sizeof( c->cr_msg ),
2263                         "rewrite/remap capabilities have been moved "
2264                         "to the \"rwm\" overlay; see slapo-rwm(5) "
2265                         "for details (hint: add \"overlay rwm\" "
2266                         "and prefix all directives with \"rwm-\")" );
2267                 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2268                 return 1;
2269
2270         case LDAP_BACK_CFG_OMIT_UNKNOWN_SCHEMA:
2271                 if ( c->value_int ) {
2272                         li->li_flags |= LDAP_BACK_F_OMIT_UNKNOWN_SCHEMA;
2273
2274                 } else {
2275                         li->li_flags &= ~LDAP_BACK_F_OMIT_UNKNOWN_SCHEMA;
2276                 }
2277                 break;
2278
2279         case LDAP_BACK_CFG_KEEPALIVE:
2280                 slap_keepalive_parse( ber_bvstrdup(c->argv[1]),
2281                                  &li->li_tls.sb_keepalive, 0, 0, 0);
2282                 break;
2283
2284         default:
2285                 /* FIXME: try to catch inconsistencies */
2286                 assert( 0 );
2287                 break;
2288         }
2289
2290         return rc;
2291 }
2292
2293 int
2294 ldap_back_init_cf( BackendInfo *bi )
2295 {
2296         int                     rc;
2297         AttributeDescription    *ad = NULL;
2298         const char              *text;
2299
2300         /* Make sure we don't exceed the bits reserved for userland */
2301         config_check_userland( LDAP_BACK_CFG_LAST );
2302
2303         bi->bi_cf_ocs = ldapocs;
2304
2305         rc = config_register_schema( ldapcfg, ldapocs );
2306         if ( rc ) {
2307                 return rc;
2308         }
2309
2310         /* setup olcDbAclPasswd and olcDbIDAssertPasswd
2311          * to be base64-encoded when written in LDIF form;
2312          * basically, we don't care if it fails */
2313         rc = slap_str2ad( "olcDbACLPasswd", &ad, &text );
2314         if ( rc ) {
2315                 Debug( LDAP_DEBUG_ANY, "config_back_initialize: "
2316                         "warning, unable to get \"olcDbACLPasswd\" "
2317                         "attribute description: %d: %s\n",
2318                         rc, text, 0 );
2319         } else {
2320                 (void)ldif_must_b64_encode_register( ad->ad_cname.bv_val,
2321                         ad->ad_type->sat_oid );
2322         }
2323
2324         ad = NULL;
2325         rc = slap_str2ad( "olcDbIDAssertPasswd", &ad, &text );
2326         if ( rc ) {
2327                 Debug( LDAP_DEBUG_ANY, "config_back_initialize: "
2328                         "warning, unable to get \"olcDbIDAssertPasswd\" "
2329                         "attribute description: %d: %s\n",
2330                         rc, text, 0 );
2331         } else {
2332                 (void)ldif_must_b64_encode_register( ad->ad_cname.bv_val,
2333                         ad->ad_type->sat_oid );
2334         }
2335
2336         return 0;
2337 }
2338
2339 static int
2340 ldap_pbind_cf_gen( ConfigArgs *c )
2341 {
2342         slap_overinst   *on = (slap_overinst *)c->bi;
2343         void    *private = c->be->be_private;
2344         int             rc;
2345
2346         c->be->be_private = on->on_bi.bi_private;
2347         rc = ldap_back_cf_gen( c );
2348         c->be->be_private = private;
2349         return rc;
2350 }
2351
2352 int
2353 ldap_pbind_init_cf( BackendInfo *bi )
2354 {
2355         bi->bi_cf_ocs = pbindocs;
2356
2357         return config_register_schema( pbindcfg, pbindocs );
2358 }
2359
2360 static int
2361 ldap_back_exop_whoami(
2362                 Operation       *op,
2363                 SlapReply       *rs )
2364 {
2365         struct berval *bv = NULL;
2366
2367         if ( op->oq_extended.rs_reqdata != NULL ) {
2368                 /* no request data should be provided */
2369                 rs->sr_text = "no request data expected";
2370                 return rs->sr_err = LDAP_PROTOCOL_ERROR;
2371         }
2372
2373         Statslog( LDAP_DEBUG_STATS, "%s WHOAMI\n",
2374             op->o_log_prefix, 0, 0, 0, 0 );
2375
2376         rs->sr_err = backend_check_restrictions( op, rs,
2377                         (struct berval *)&slap_EXOP_WHOAMI );
2378         if( rs->sr_err != LDAP_SUCCESS ) return rs->sr_err;
2379
2380         /* if auth'd by back-ldap and request is proxied, forward it */
2381         if ( op->o_conn->c_authz_backend
2382                 && !strcmp( op->o_conn->c_authz_backend->be_type, "ldap" )
2383                 && !dn_match( &op->o_ndn, &op->o_conn->c_ndn ) )
2384         {
2385                 ldapconn_t      *lc = NULL;
2386                 LDAPControl c, *ctrls[2] = {NULL, NULL};
2387                 LDAPMessage *res;
2388                 Operation op2 = *op;
2389                 ber_int_t msgid;
2390                 int doretry = 1;
2391                 char *ptr;
2392
2393                 ctrls[0] = &c;
2394                 op2.o_ndn = op->o_conn->c_ndn;
2395                 if ( !ldap_back_dobind( &lc, &op2, rs, LDAP_BACK_SENDERR ) ) {
2396                         return -1;
2397                 }
2398                 c.ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ;
2399                 c.ldctl_iscritical = 1;
2400                 c.ldctl_value.bv_val = op->o_tmpalloc(
2401                         op->o_ndn.bv_len + STRLENOF( "dn:" ) + 1,
2402                         op->o_tmpmemctx );
2403                 c.ldctl_value.bv_len = op->o_ndn.bv_len + 3;
2404                 ptr = c.ldctl_value.bv_val;
2405                 ptr = lutil_strcopy( ptr, "dn:" );
2406                 ptr = lutil_strncopy( ptr, op->o_ndn.bv_val, op->o_ndn.bv_len );
2407                 ptr[ 0 ] = '\0';
2408
2409 retry:
2410                 rs->sr_err = ldap_whoami( lc->lc_ld, ctrls, NULL, &msgid );
2411                 if ( rs->sr_err == LDAP_SUCCESS ) {
2412                         /* by now, make sure no timeout is used (ITS#6282) */
2413                         struct timeval tv = { -1, 0 };
2414                         if ( ldap_result( lc->lc_ld, msgid, LDAP_MSG_ALL, &tv, &res ) == -1 ) {
2415                                 ldap_get_option( lc->lc_ld, LDAP_OPT_ERROR_NUMBER,
2416                                         &rs->sr_err );
2417                                 if ( rs->sr_err == LDAP_SERVER_DOWN && doretry ) {
2418                                         doretry = 0;
2419                                         if ( ldap_back_retry( &lc, op, rs, LDAP_BACK_SENDERR ) ) {
2420                                                 goto retry;
2421                                         }
2422                                 }
2423
2424                         } else {
2425                                 /* NOTE: are we sure "bv" will be malloc'ed
2426                                  * with the appropriate memory? */
2427                                 rs->sr_err = ldap_parse_whoami( lc->lc_ld, res, &bv );
2428                                 ldap_msgfree(res);
2429                         }
2430                 }
2431                 op->o_tmpfree( c.ldctl_value.bv_val, op->o_tmpmemctx );
2432                 if ( rs->sr_err != LDAP_SUCCESS ) {
2433                         rs->sr_err = slap_map_api2result( rs );
2434                 }
2435
2436                 if ( lc != NULL ) {
2437                         ldap_back_release_conn( (ldapinfo_t *)op2.o_bd->be_private, lc );
2438                 }
2439
2440         } else {
2441                 /* else just do the same as before */
2442                 bv = (struct berval *) ch_malloc( sizeof( struct berval ) );
2443                 if ( !BER_BVISEMPTY( &op->o_dn ) ) {
2444                         bv->bv_len = op->o_dn.bv_len + STRLENOF( "dn:" );
2445                         bv->bv_val = ch_malloc( bv->bv_len + 1 );
2446                         AC_MEMCPY( bv->bv_val, "dn:", STRLENOF( "dn:" ) );
2447                         AC_MEMCPY( &bv->bv_val[ STRLENOF( "dn:" ) ], op->o_dn.bv_val,
2448                                 op->o_dn.bv_len );
2449                         bv->bv_val[ bv->bv_len ] = '\0';
2450
2451                 } else {
2452                         bv->bv_len = 0;
2453                         bv->bv_val = NULL;
2454                 }
2455         }
2456
2457         rs->sr_rspdata = bv;
2458         return rs->sr_err;
2459 }
2460
2461