2 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
4 * Copyright 1999-2015 The OpenLDAP Foundation.
5 * Portions Copyright 2001-2003 Pierangelo Masarati.
6 * Portions Copyright 1999-2003 Howard Chu.
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted only as authorized by the OpenLDAP
13 * A copy of this license is available in the file LICENSE in the
14 * top-level directory of the distribution or, alternatively, at
15 * <http://www.OpenLDAP.org/license.html>.
18 * This work was initially developed by the Howard Chu for inclusion
19 * in OpenLDAP Software and subsequently enhanced by Pierangelo
28 #include <ac/string.h>
29 #include <ac/socket.h>
35 #include "../back-ldap/back-ldap.h"
36 #include "back-meta.h"
38 #define SLAP_AUTH_DN 1
40 static ConfigDriver meta_back_cf_gen;
41 static ConfigLDAPadd meta_ldadd;
42 static ConfigCfAdd meta_cfadd;
44 static int ldap_back_map_config(
46 struct ldapmap *oc_map,
47 struct ldapmap *at_map );
49 /* Three sets of enums:
50 * 1) attrs that are only valid in the base config
51 * 2) attrs that are valid in base or target
52 * 3) attrs that are only valid in a target
57 LDAP_BACK_CFG_CONN_TTL = 1,
58 LDAP_BACK_CFG_DNCACHE_TTL,
59 LDAP_BACK_CFG_IDLE_TIMEOUT,
61 LDAP_BACK_CFG_PSEUDOROOT_BIND_DEFER,
62 LDAP_BACK_CFG_SINGLECONN,
63 LDAP_BACK_CFG_USETEMP,
64 LDAP_BACK_CFG_CONNPOOLMAX,
65 LDAP_BACK_CFG_LAST_BASE
70 LDAP_BACK_CFG_BIND_TIMEOUT = LDAP_BACK_CFG_LAST_BASE,
73 LDAP_BACK_CFG_CLIENT_PR,
74 LDAP_BACK_CFG_DEFAULT_T,
75 LDAP_BACK_CFG_NETWORK_TIMEOUT,
77 LDAP_BACK_CFG_NOUNDEFFILTER,
78 LDAP_BACK_CFG_NRETRIES,
79 LDAP_BACK_CFG_QUARANTINE,
81 LDAP_BACK_CFG_TIMEOUT,
82 LDAP_BACK_CFG_VERSION,
83 LDAP_BACK_CFG_ST_REQUEST,
86 LDAP_BACK_CFG_LAST_BOTH
91 LDAP_BACK_CFG_URI = LDAP_BACK_CFG_LAST_BOTH,
92 LDAP_BACK_CFG_ACL_AUTHCDN,
93 LDAP_BACK_CFG_ACL_PASSWD,
94 LDAP_BACK_CFG_IDASSERT_AUTHZFROM,
95 LDAP_BACK_CFG_IDASSERT_BIND,
96 LDAP_BACK_CFG_REWRITE,
97 LDAP_BACK_CFG_SUFFIXM,
99 LDAP_BACK_CFG_SUBTREE_EX,
100 LDAP_BACK_CFG_SUBTREE_IN,
101 LDAP_BACK_CFG_PSEUDOROOTDN,
102 LDAP_BACK_CFG_PSEUDOROOTPW,
103 LDAP_BACK_CFG_KEEPALIVE,
104 LDAP_BACK_CFG_FILTER,
109 static ConfigTable metacfg[] = {
110 { "uri", "uri", 2, 0, 0,
111 ARG_MAGIC|LDAP_BACK_CFG_URI,
112 meta_back_cf_gen, "( OLcfgDbAt:0.14 "
114 "DESC 'URI (list) for remote DSA' "
115 "SYNTAX OMsDirectoryString "
118 { "tls", "what", 2, 0, 0,
119 ARG_MAGIC|LDAP_BACK_CFG_TLS,
120 meta_back_cf_gen, "( OLcfgDbAt:3.1 "
121 "NAME 'olcDbStartTLS' "
123 "SYNTAX OMsDirectoryString "
126 { "acl-authcDN", "DN", 2, 2, 0,
127 ARG_DN|ARG_MAGIC|LDAP_BACK_CFG_ACL_AUTHCDN,
128 meta_back_cf_gen, "( OLcfgDbAt:3.2 "
129 "NAME 'olcDbACLAuthcDn' "
130 "DESC 'Remote ACL administrative identity' "
135 /* deprecated, will be removed; aliases "acl-authcDN" */
136 { "binddn", "DN", 2, 2, 0,
137 ARG_DN|ARG_MAGIC|LDAP_BACK_CFG_ACL_AUTHCDN,
138 meta_back_cf_gen, NULL, NULL, NULL },
139 { "acl-passwd", "cred", 2, 2, 0,
140 ARG_MAGIC|LDAP_BACK_CFG_ACL_PASSWD,
141 meta_back_cf_gen, "( OLcfgDbAt:3.3 "
142 "NAME 'olcDbACLPasswd' "
143 "DESC 'Remote ACL administrative identity credentials' "
145 "SYNTAX OMsDirectoryString "
148 /* deprecated, will be removed; aliases "acl-passwd" */
149 { "bindpw", "cred", 2, 2, 0,
150 ARG_MAGIC|LDAP_BACK_CFG_ACL_PASSWD,
151 meta_back_cf_gen, NULL, NULL, NULL },
152 { "idassert-bind", "args", 2, 0, 0,
153 ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_BIND,
154 meta_back_cf_gen, "( OLcfgDbAt:3.7 "
155 "NAME 'olcDbIDAssertBind' "
156 "DESC 'Remote Identity Assertion administrative identity auth bind configuration' "
157 "SYNTAX OMsDirectoryString "
160 { "idassert-authzFrom", "authzRule", 2, 2, 0,
161 ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_AUTHZFROM,
162 meta_back_cf_gen, "( OLcfgDbAt:3.9 "
163 "NAME 'olcDbIDAssertAuthzFrom' "
164 "DESC 'Remote Identity Assertion authz rules' "
165 "EQUALITY caseIgnoreMatch "
166 "SYNTAX OMsDirectoryString "
167 "X-ORDERED 'VALUES' )",
169 { "rebind-as-user", "true|FALSE", 1, 2, 0,
170 ARG_MAGIC|ARG_ON_OFF|LDAP_BACK_CFG_REBIND,
171 meta_back_cf_gen, "( OLcfgDbAt:3.10 "
172 "NAME 'olcDbRebindAsUser' "
173 "DESC 'Rebind as user' "
177 { "chase-referrals", "true|FALSE", 2, 2, 0,
178 ARG_MAGIC|ARG_ON_OFF|LDAP_BACK_CFG_CHASE,
179 meta_back_cf_gen, "( OLcfgDbAt:3.11 "
180 "NAME 'olcDbChaseReferrals' "
181 "DESC 'Chase referrals' "
185 { "t-f-support", "true|FALSE|discover", 2, 2, 0,
186 ARG_MAGIC|LDAP_BACK_CFG_T_F,
187 meta_back_cf_gen, "( OLcfgDbAt:3.12 "
188 "NAME 'olcDbTFSupport' "
189 "DESC 'Absolute filters support' "
190 "SYNTAX OMsDirectoryString "
193 { "timeout", "timeout(list)", 2, 0, 0,
194 ARG_MAGIC|LDAP_BACK_CFG_TIMEOUT,
195 meta_back_cf_gen, "( OLcfgDbAt:3.14 "
196 "NAME 'olcDbTimeout' "
197 "DESC 'Per-operation timeouts' "
198 "SYNTAX OMsDirectoryString "
201 { "idle-timeout", "timeout", 2, 2, 0,
202 ARG_MAGIC|LDAP_BACK_CFG_IDLE_TIMEOUT,
203 meta_back_cf_gen, "( OLcfgDbAt:3.15 "
204 "NAME 'olcDbIdleTimeout' "
205 "DESC 'connection idle timeout' "
206 "SYNTAX OMsDirectoryString "
209 { "conn-ttl", "ttl", 2, 2, 0,
210 ARG_MAGIC|LDAP_BACK_CFG_CONN_TTL,
211 meta_back_cf_gen, "( OLcfgDbAt:3.16 "
212 "NAME 'olcDbConnTtl' "
213 "DESC 'connection ttl' "
214 "SYNTAX OMsDirectoryString "
217 { "network-timeout", "timeout", 2, 2, 0,
218 ARG_MAGIC|LDAP_BACK_CFG_NETWORK_TIMEOUT,
219 meta_back_cf_gen, "( OLcfgDbAt:3.17 "
220 "NAME 'olcDbNetworkTimeout' "
221 "DESC 'connection network timeout' "
222 "SYNTAX OMsDirectoryString "
225 { "protocol-version", "version", 2, 2, 0,
226 ARG_MAGIC|ARG_INT|LDAP_BACK_CFG_VERSION,
227 meta_back_cf_gen, "( OLcfgDbAt:3.18 "
228 "NAME 'olcDbProtocolVersion' "
229 "DESC 'protocol version' "
233 { "single-conn", "true|FALSE", 2, 2, 0,
234 ARG_MAGIC|ARG_ON_OFF|LDAP_BACK_CFG_SINGLECONN,
235 meta_back_cf_gen, "( OLcfgDbAt:3.19 "
236 "NAME 'olcDbSingleConn' "
237 "DESC 'cache a single connection per identity' "
241 { "cancel", "ABANDON|ignore|exop", 2, 2, 0,
242 ARG_MAGIC|LDAP_BACK_CFG_CANCEL,
243 meta_back_cf_gen, "( OLcfgDbAt:3.20 "
244 "NAME 'olcDbCancel' "
245 "DESC 'abandon/ignore/exop operations when appropriate' "
246 "SYNTAX OMsDirectoryString "
249 { "quarantine", "retrylist", 2, 2, 0,
250 ARG_MAGIC|LDAP_BACK_CFG_QUARANTINE,
251 meta_back_cf_gen, "( OLcfgDbAt:3.21 "
252 "NAME 'olcDbQuarantine' "
253 "DESC 'Quarantine database if connection fails and retry according to rule' "
254 "SYNTAX OMsDirectoryString "
257 { "use-temporary-conn", "true|FALSE", 2, 2, 0,
258 ARG_MAGIC|ARG_ON_OFF|LDAP_BACK_CFG_USETEMP,
259 meta_back_cf_gen, "( OLcfgDbAt:3.22 "
260 "NAME 'olcDbUseTemporaryConn' "
261 "DESC 'Use temporary connections if the cached one is busy' "
265 { "conn-pool-max", "<n>", 2, 2, 0,
266 ARG_MAGIC|ARG_INT|LDAP_BACK_CFG_CONNPOOLMAX,
267 meta_back_cf_gen, "( OLcfgDbAt:3.23 "
268 "NAME 'olcDbConnectionPoolMax' "
269 "DESC 'Max size of privileged connections pool' "
273 #ifdef SLAP_CONTROL_X_SESSION_TRACKING
274 { "session-tracking-request", "true|FALSE", 2, 2, 0,
275 ARG_MAGIC|ARG_ON_OFF|LDAP_BACK_CFG_ST_REQUEST,
276 meta_back_cf_gen, "( OLcfgDbAt:3.24 "
277 "NAME 'olcDbSessionTrackingRequest' "
278 "DESC 'Add session tracking control to proxied requests' "
282 #endif /* SLAP_CONTROL_X_SESSION_TRACKING */
283 { "norefs", "true|FALSE", 2, 2, 0,
284 ARG_MAGIC|ARG_ON_OFF|LDAP_BACK_CFG_NOREFS,
285 meta_back_cf_gen, "( OLcfgDbAt:3.25 "
286 "NAME 'olcDbNoRefs' "
287 "DESC 'Do not return search reference responses' "
291 { "noundeffilter", "true|FALSE", 2, 2, 0,
292 ARG_MAGIC|ARG_ON_OFF|LDAP_BACK_CFG_NOUNDEFFILTER,
293 meta_back_cf_gen, "( OLcfgDbAt:3.26 "
294 "NAME 'olcDbNoUndefFilter' "
295 "DESC 'Do not propagate undefined search filters' "
300 { "rewrite", "arglist", 2, 0, STRLENOF( "rewrite" ),
301 ARG_MAGIC|LDAP_BACK_CFG_REWRITE,
302 meta_back_cf_gen, "( OLcfgDbAt:3.101 "
303 "NAME 'olcDbRewrite' "
304 "DESC 'DN rewriting rules' "
305 "EQUALITY caseIgnoreMatch "
306 "SYNTAX OMsDirectoryString "
307 "X-ORDERED 'VALUES' )",
309 { "suffixmassage", "virtual> <real", 2, 3, 0,
310 ARG_MAGIC|LDAP_BACK_CFG_SUFFIXM,
311 meta_back_cf_gen, NULL, NULL, NULL },
313 { "map", "attribute|objectClass> [*|<local>] *|<remote", 3, 4, 0,
314 ARG_MAGIC|LDAP_BACK_CFG_MAP,
315 meta_back_cf_gen, "( OLcfgDbAt:3.102 "
317 "DESC 'Map attribute and objectclass names' "
318 "EQUALITY caseIgnoreMatch "
319 "SYNTAX OMsDirectoryString "
320 "X-ORDERED 'VALUES' )",
323 { "subtree-exclude", "pattern", 2, 2, 0,
324 ARG_MAGIC|LDAP_BACK_CFG_SUBTREE_EX,
325 meta_back_cf_gen, "( OLcfgDbAt:3.103 "
326 "NAME 'olcDbSubtreeExclude' "
327 "DESC 'DN of subtree to exclude from target' "
328 "EQUALITY caseIgnoreMatch "
329 "SYNTAX OMsDirectoryString )",
331 { "subtree-include", "pattern", 2, 2, 0,
332 ARG_MAGIC|LDAP_BACK_CFG_SUBTREE_IN,
333 meta_back_cf_gen, "( OLcfgDbAt:3.104 "
334 "NAME 'olcDbSubtreeInclude' "
335 "DESC 'DN of subtree to include in target' "
336 "EQUALITY caseIgnoreMatch "
337 "SYNTAX OMsDirectoryString )",
339 { "default-target", "[none|<target ID>]", 1, 2, 0,
340 ARG_MAGIC|LDAP_BACK_CFG_DEFAULT_T,
341 meta_back_cf_gen, "( OLcfgDbAt:3.105 "
342 "NAME 'olcDbDefaultTarget' "
343 "DESC 'Specify the default target' "
344 "SYNTAX OMsDirectoryString "
347 { "dncache-ttl", "ttl", 2, 2, 0,
348 ARG_MAGIC|LDAP_BACK_CFG_DNCACHE_TTL,
349 meta_back_cf_gen, "( OLcfgDbAt:3.106 "
350 "NAME 'olcDbDnCacheTtl' "
351 "DESC 'dncache ttl' "
352 "SYNTAX OMsDirectoryString "
355 { "bind-timeout", "microseconds", 2, 2, 0,
356 ARG_MAGIC|ARG_ULONG|LDAP_BACK_CFG_BIND_TIMEOUT,
357 meta_back_cf_gen, "( OLcfgDbAt:3.107 "
358 "NAME 'olcDbBindTimeout' "
359 "DESC 'bind timeout' "
360 "SYNTAX OMsDirectoryString "
363 { "onerr", "CONTINUE|report|stop", 2, 2, 0,
364 ARG_MAGIC|LDAP_BACK_CFG_ONERR,
365 meta_back_cf_gen, "( OLcfgDbAt:3.108 "
367 "DESC 'error handling' "
368 "SYNTAX OMsDirectoryString "
371 { "pseudoroot-bind-defer", "TRUE|false", 2, 2, 0,
372 ARG_MAGIC|ARG_ON_OFF|LDAP_BACK_CFG_PSEUDOROOT_BIND_DEFER,
373 meta_back_cf_gen, "( OLcfgDbAt:3.109 "
374 "NAME 'olcDbPseudoRootBindDefer' "
375 "DESC 'error handling' "
379 { "root-bind-defer", "TRUE|false", 2, 2, 0,
380 ARG_MAGIC|ARG_ON_OFF|LDAP_BACK_CFG_PSEUDOROOT_BIND_DEFER,
381 meta_back_cf_gen, NULL, NULL, NULL },
382 { "pseudorootdn", "dn", 2, 2, 0,
383 ARG_MAGIC|ARG_DN|LDAP_BACK_CFG_PSEUDOROOTDN,
384 meta_back_cf_gen, NULL, NULL, NULL },
385 { "pseudorootpw", "password", 2, 2, 0,
386 ARG_MAGIC|ARG_STRING|LDAP_BACK_CFG_PSEUDOROOTDN,
387 meta_back_cf_gen, NULL, NULL, NULL },
388 { "nretries", "NEVER|forever|<number>", 2, 2, 0,
389 ARG_MAGIC|LDAP_BACK_CFG_NRETRIES,
390 meta_back_cf_gen, "( OLcfgDbAt:3.110 "
391 "NAME 'olcDbNretries' "
392 "DESC 'retry handling' "
393 "SYNTAX OMsDirectoryString "
396 { "client-pr", "accept-unsolicited|disable|<size>", 2, 2, 0,
397 ARG_MAGIC|LDAP_BACK_CFG_CLIENT_PR,
398 meta_back_cf_gen, "( OLcfgDbAt:3.111 "
399 "NAME 'olcDbClientPr' "
400 "DESC 'PagedResults handling' "
401 "SYNTAX OMsDirectoryString "
405 { "", "", 0, 0, 0, ARG_IGNORED,
406 NULL, "( OLcfgDbAt:3.100 NAME 'olcMetaSub' "
407 "DESC 'Placeholder to name a Target entry' "
408 "EQUALITY caseIgnoreMatch "
409 "SYNTAX OMsDirectoryString "
410 "SINGLE-VALUE X-ORDERED 'SIBLINGS' )", NULL, NULL },
412 { "keepalive", "keepalive", 2, 2, 0,
413 ARG_MAGIC|LDAP_BACK_CFG_KEEPALIVE,
414 meta_back_cf_gen, "( OLcfgDbAt:3.29 "
415 "NAME 'olcDbKeepalive' "
416 "DESC 'TCP keepalive' "
417 "SYNTAX OMsDirectoryString "
421 { "filter", "pattern", 2, 2, 0,
422 ARG_MAGIC|LDAP_BACK_CFG_FILTER,
423 meta_back_cf_gen, "( OLcfgDbAt:3.112 "
424 "NAME 'olcDbFilter' "
425 "DESC 'Filter regex pattern to include in target' "
426 "EQUALITY caseExactMatch "
427 "SYNTAX OMsDirectoryString )",
430 { NULL, NULL, 0, 0, 0, ARG_IGNORED,
431 NULL, NULL, NULL, NULL }
434 #ifdef SLAP_CONTROL_X_SESSION_TRACKING
435 #define ST_ATTR "$ olcDbSessionTrackingRequest "
438 #endif /* SLAP_CONTROL_X_SESSION_TRACKING */
440 #define COMMON_ATTRS \
441 "$ olcDbBindTimeout " \
443 "$ olcDbChaseReferrals " \
445 "$ olcDbDefaultTarget " \
446 "$ olcDbNetworkTimeout " \
448 "$ olcDbNoUndefFilter " \
450 "$ olcDbProtocolVersion " \
451 "$ olcDbQuarantine " \
452 "$ olcDbRebindAsUser " \
457 static ConfigOCs metaocs[] = {
459 "NAME 'olcMetaConfig' "
460 "DESC 'Meta backend configuration' "
461 "SUP olcDatabaseConfig "
462 "MAY ( olcDbConnTtl "
464 "$ olcDbIdleTimeout "
466 "$ olcDbPseudoRootBindDefer "
468 "$ olcDbUseTemporaryConn "
469 "$ olcDbConnectionPoolMax "
471 /* defaults, may be overridden per-target */
474 Cft_Database, metacfg, NULL, meta_cfadd },
476 "NAME 'olcMetaTargetConfig' "
477 "DESC 'Meta target configuration' "
478 "SUP olcConfig STRUCTURAL "
479 "MUST ( olcMetaSub $ olcDbURI ) "
480 "MAY ( olcDbACLAuthcDn "
482 "$ olcDbIDAssertAuthzFrom "
483 "$ olcDbIDAssertBind "
486 "$ olcDbSubtreeExclude "
487 "$ olcDbSubtreeInclude "
492 /* defaults may be inherited */
495 Cft_Misc, metacfg, meta_ldadd },
500 meta_ldadd( CfEntryInfo *p, Entry *e, ConfigArgs *c )
502 if ( p->ce_type != Cft_Database || !p->ce_be ||
503 p->ce_be->be_cf_ocs != metaocs )
504 return LDAP_CONSTRAINT_VIOLATION;
511 meta_cfadd( Operation *op, SlapReply *rs, Entry *p, ConfigArgs *c )
513 metainfo_t *mi = ( metainfo_t * )c->be->be_private;
517 bv.bv_val = c->cr_msg;
518 for ( i=0; i<mi->mi_ntargets; i++ ) {
519 bv.bv_len = snprintf( c->cr_msg, sizeof(c->cr_msg),
520 "olcMetaSub=" SLAP_X_ORDERED_FMT "uri", i );
521 c->ca_private = mi->mi_targets[i];
523 config_build_entry( op, rs, p->e_private, c,
524 &bv, &metaocs[1], NULL );
531 meta_rwi_init( struct rewrite_info **rwm_rw )
535 *rwm_rw = rewrite_info_init( REWRITE_MODE_USE_DEFAULT );
536 if ( *rwm_rw == NULL ) {
540 * the filter rewrite as a string must be disabled
541 * by default; it can be re-enabled by adding rules;
542 * this creates an empty rewriteContext
544 rargv[ 0 ] = "rewriteContext";
545 rargv[ 1 ] = "searchFilter";
547 rewrite_parse( *rwm_rw, "<suffix massage>", 1, 2, rargv );
549 rargv[ 0 ] = "rewriteContext";
550 rargv[ 1 ] = "default";
552 rewrite_parse( *rwm_rw, "<suffix massage>", 1, 2, rargv );
558 meta_back_new_target(
565 mt = ch_calloc( sizeof( metatarget_t ), 1 );
567 if ( meta_rwi_init( &mt->mt_rwmap.rwm_rw )) {
572 ldap_pvt_thread_mutex_init( &mt->mt_uri_mutex );
574 mt->mt_idassert_mode = LDAP_BACK_IDASSERT_LEGACY;
575 mt->mt_idassert_authmethod = LDAP_AUTH_NONE;
576 mt->mt_idassert_tls = SB_TLS_DEFAULT;
578 /* by default, use proxyAuthz control on each operation */
579 mt->mt_idassert_flags = LDAP_BACK_AUTH_PRESCRIPTIVE;
586 /* Validation for suffixmassage_config */
596 struct berval dn, nvnc, pvnc, nrnc, prnc;
602 * suffixmassage <suffix> <massaged suffix>
604 * the <suffix> field must be defined as a valid suffix
605 * (or suffixAlias?) for the current database;
606 * the <massaged suffix> shouldn't have already been
607 * defined as a valid suffix or suffixAlias for the
611 ber_str2bv( argv[ 1 ], 0, 0, &dn );
612 if ( dnPrettyNormal( NULL, &dn, &pvnc, &nvnc, NULL ) != LDAP_SUCCESS ) {
613 snprintf( c->cr_msg, sizeof( c->cr_msg ),
614 "suffix \"%s\" is invalid",
616 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
620 for ( j = 0; !BER_BVISNULL( &c->be->be_nsuffix[ j ] ); j++ ) {
621 if ( dnIsSuffix( &nvnc, &c->be->be_nsuffix[ 0 ] ) ) {
626 if ( BER_BVISNULL( &c->be->be_nsuffix[ j ] ) ) {
627 snprintf( c->cr_msg, sizeof( c->cr_msg ),
628 "suffix \"%s\" must be within the database naming context",
630 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
636 ber_str2bv( argv[ 2 ], 0, 0, &dn );
637 if ( dnPrettyNormal( NULL, &dn, &prnc, &nrnc, NULL ) != LDAP_SUCCESS ) {
638 snprintf( c->cr_msg, sizeof( c->cr_msg ),
639 "massaged suffix \"%s\" is invalid",
641 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
647 tmp_bd = select_backend( &nrnc, 0 );
648 if ( tmp_bd != NULL && tmp_bd->be_private == c->be->be_private ) {
649 Debug( LDAP_DEBUG_ANY,
650 "%s: warning: <massaged suffix> \"%s\" resolves to this database, in "
651 "\"suffixMassage <suffix> <massaged suffix>\"\n",
652 c->log, prnc.bv_val, 0 );
656 * The suffix massaging is emulated by means of the
657 * rewrite capabilities
659 rc = suffix_massage_config( mt->mt_rwmap.rwm_rw,
660 &pvnc, &nvnc, &prnc, &nrnc );
671 slap_bv_x_ordered_unparse( BerVarray in, BerVarray *out )
674 BerVarray bva = NULL;
678 assert( in != NULL );
680 for ( i = 0; !BER_BVISNULL( &in[i] ); i++ )
689 bva = ch_malloc( ( i + 1 ) * sizeof(struct berval) );
690 BER_BVZERO( &bva[ 0 ] );
692 for ( i = 0; !BER_BVISNULL( &in[i] ); i++ ) {
693 idx.bv_len = snprintf( idx.bv_val, sizeof( ibuf ), SLAP_X_ORDERED_FMT, i );
694 if ( idx.bv_len >= sizeof( ibuf ) ) {
695 ber_bvarray_free( bva );
699 bva[i].bv_len = idx.bv_len + in[i].bv_len;
700 bva[i].bv_val = ch_malloc( bva[i].bv_len + 1 );
701 ptr = lutil_strcopy( bva[i].bv_val, ibuf );
702 ptr = lutil_strcopy( ptr, in[i].bv_val );
704 BER_BVZERO( &bva[ i + 1 ] );
712 meta_subtree_free( metasubtree_t *ms )
714 switch ( ms->ms_type ) {
715 case META_ST_SUBTREE:
716 case META_ST_SUBORDINATE:
717 ber_memfree( ms->ms_dn.bv_val );
721 regfree( &ms->ms_regex );
722 ber_memfree( ms->ms_regex_pattern.bv_val );
734 meta_subtree_destroy( metasubtree_t *ms )
737 meta_subtree_destroy( ms->ms_next );
740 return meta_subtree_free( ms );
744 meta_filter_free( metafilter_t *mf )
746 regfree( &mf->mf_regex );
747 ber_memfree( mf->mf_regex_pattern.bv_val );
752 meta_filter_destroy( metafilter_t *mf )
755 meta_filter_destroy( mf->mf_next );
756 meta_filter_free( mf );
759 static struct berval st_styles[] = {
766 meta_subtree_unparse(
771 struct berval bv, *style;
773 if ( !mt->mt_subtree )
776 /* can only be one of exclude or include */
777 if (( c->type == LDAP_BACK_CFG_SUBTREE_EX ) ^ mt->mt_subtree_exclude )
780 bv.bv_val = c->cr_msg;
781 for ( ms=mt->mt_subtree; ms; ms=ms->ms_next ) {
782 if (ms->ms_type == META_ST_SUBTREE)
783 style = &st_styles[0];
784 else if ( ms->ms_type == META_ST_SUBORDINATE )
785 style = &st_styles[1];
786 else if ( ms->ms_type == META_ST_REGEX )
787 style = &st_styles[2];
792 bv.bv_len = snprintf( c->cr_msg, sizeof(c->cr_msg),
793 "dn.%s:%s", style->bv_val, ms->ms_dn.bv_val );
794 value_add_one( &c->rvalue_vals, &bv );
804 meta_st_t type = META_ST_SUBTREE;
806 struct berval ndn = BER_BVNULL;
807 metasubtree_t *ms = NULL;
809 if ( c->type == LDAP_BACK_CFG_SUBTREE_EX ) {
810 if ( mt->mt_subtree && !mt->mt_subtree_exclude ) {
811 snprintf( c->cr_msg, sizeof(c->cr_msg),
812 "\"subtree-exclude\" incompatible with previous \"subtree-include\" directives" );
816 mt->mt_subtree_exclude = 1;
819 if ( mt->mt_subtree && mt->mt_subtree_exclude ) {
820 snprintf( c->cr_msg, sizeof(c->cr_msg),
821 "\"subtree-include\" incompatible with previous \"subtree-exclude\" directives" );
826 pattern = c->argv[1];
827 if ( strncasecmp( pattern, "dn", STRLENOF( "dn" ) ) == 0 ) {
830 pattern = &pattern[STRLENOF( "dn")];
832 if ( pattern[0] == '.' ) {
835 if ( strncasecmp( style, "subtree", STRLENOF( "subtree" ) ) == 0 ) {
836 type = META_ST_SUBTREE;
837 pattern = &style[STRLENOF( "subtree" )];
839 } else if ( strncasecmp( style, "children", STRLENOF( "children" ) ) == 0 ) {
840 type = META_ST_SUBORDINATE;
841 pattern = &style[STRLENOF( "children" )];
843 } else if ( strncasecmp( style, "sub", STRLENOF( "sub" ) ) == 0 ) {
844 type = META_ST_SUBTREE;
845 pattern = &style[STRLENOF( "sub" )];
847 } else if ( strncasecmp( style, "regex", STRLENOF( "regex" ) ) == 0 ) {
848 type = META_ST_REGEX;
849 pattern = &style[STRLENOF( "regex" )];
852 snprintf( c->cr_msg, sizeof(c->cr_msg), "unknown style in \"dn.<style>\"" );
857 if ( pattern[0] != ':' ) {
858 snprintf( c->cr_msg, sizeof(c->cr_msg), "missing colon after \"dn.<style>\"" );
865 case META_ST_SUBTREE:
866 case META_ST_SUBORDINATE: {
869 ber_str2bv( pattern, 0, 0, &dn );
870 if ( dnNormalize( 0, NULL, NULL, &dn, &ndn, NULL )
873 snprintf( c->cr_msg, sizeof(c->cr_msg), "DN=\"%s\" is invalid", pattern );
877 if ( !dnIsSuffix( &ndn, &mt->mt_nsuffix ) ) {
878 snprintf( c->cr_msg, sizeof(c->cr_msg),
879 "DN=\"%s\" is not a subtree of target \"%s\"",
880 pattern, mt->mt_nsuffix.bv_val );
881 ber_memfree( ndn.bv_val );
887 /* silence warnings */
891 ms = ch_calloc( sizeof( metasubtree_t ), 1 );
894 switch ( ms->ms_type ) {
895 case META_ST_SUBTREE:
896 case META_ST_SUBORDINATE:
900 case META_ST_REGEX: {
903 rc = regcomp( &ms->ms_regex, pattern, REG_EXTENDED|REG_ICASE );
905 char regerr[ SLAP_TEXT_BUFLEN ];
907 regerror( rc, &ms->ms_regex, regerr, sizeof(regerr) );
909 snprintf( c->cr_msg, sizeof( c->cr_msg ),
910 "regular expression \"%s\" bad because of %s",
915 ber_str2bv( pattern, 0, 1, &ms->ms_regex_pattern );
919 if ( mt->mt_subtree == NULL ) {
925 for ( msp = &mt->mt_subtree; *msp; ) {
926 switch ( ms->ms_type ) {
927 case META_ST_SUBTREE:
928 switch ( (*msp)->ms_type ) {
929 case META_ST_SUBTREE:
930 if ( dnIsSuffix( &(*msp)->ms_dn, &ms->ms_dn ) ) {
931 metasubtree_t *tmp = *msp;
932 Debug( LDAP_DEBUG_CONFIG,
933 "%s: previous rule \"dn.subtree:%s\" is contained in rule \"dn.subtree:%s\" (replaced)\n",
934 c->log, pattern, (*msp)->ms_dn.bv_val );
935 *msp = (*msp)->ms_next;
937 meta_subtree_destroy( tmp );
940 } else if ( dnIsSuffix( &ms->ms_dn, &(*msp)->ms_dn ) ) {
941 Debug( LDAP_DEBUG_CONFIG,
942 "%s: previous rule \"dn.subtree:%s\" contains rule \"dn.subtree:%s\" (ignored)\n",
943 c->log, (*msp)->ms_dn.bv_val, pattern );
944 meta_subtree_destroy( ms );
950 case META_ST_SUBORDINATE:
951 if ( dnIsSuffix( &(*msp)->ms_dn, &ms->ms_dn ) ) {
952 metasubtree_t *tmp = *msp;
953 Debug( LDAP_DEBUG_CONFIG,
954 "%s: previous rule \"dn.children:%s\" is contained in rule \"dn.subtree:%s\" (replaced)\n",
955 c->log, pattern, (*msp)->ms_dn.bv_val );
956 *msp = (*msp)->ms_next;
958 meta_subtree_destroy( tmp );
961 } else if ( dnIsSuffix( &ms->ms_dn, &(*msp)->ms_dn ) && ms->ms_dn.bv_len > (*msp)->ms_dn.bv_len ) {
962 Debug( LDAP_DEBUG_CONFIG,
963 "%s: previous rule \"dn.children:%s\" contains rule \"dn.subtree:%s\" (ignored)\n",
964 c->log, (*msp)->ms_dn.bv_val, pattern );
965 meta_subtree_destroy( ms );
972 if ( regexec( &(*msp)->ms_regex, ms->ms_dn.bv_val, 0, NULL, 0 ) == 0 ) {
973 Debug( LDAP_DEBUG_CONFIG,
974 "%s: previous rule \"dn.regex:%s\" may contain rule \"dn.subtree:%s\"\n",
975 c->log, (*msp)->ms_regex_pattern.bv_val, ms->ms_dn.bv_val );
981 case META_ST_SUBORDINATE:
982 switch ( (*msp)->ms_type ) {
983 case META_ST_SUBTREE:
984 if ( dnIsSuffix( &(*msp)->ms_dn, &ms->ms_dn ) ) {
985 metasubtree_t *tmp = *msp;
986 Debug( LDAP_DEBUG_CONFIG,
987 "%s: previous rule \"dn.children:%s\" is contained in rule \"dn.subtree:%s\" (replaced)\n",
988 c->log, pattern, (*msp)->ms_dn.bv_val );
989 *msp = (*msp)->ms_next;
991 meta_subtree_destroy( tmp );
994 } else if ( dnIsSuffix( &ms->ms_dn, &(*msp)->ms_dn ) && ms->ms_dn.bv_len > (*msp)->ms_dn.bv_len ) {
995 Debug( LDAP_DEBUG_CONFIG,
996 "%s: previous rule \"dn.children:%s\" contains rule \"dn.subtree:%s\" (ignored)\n",
997 c->log, (*msp)->ms_dn.bv_val, pattern );
998 meta_subtree_destroy( ms );
1004 case META_ST_SUBORDINATE:
1005 if ( dnIsSuffix( &(*msp)->ms_dn, &ms->ms_dn ) ) {
1006 metasubtree_t *tmp = *msp;
1007 Debug( LDAP_DEBUG_CONFIG,
1008 "%s: previous rule \"dn.children:%s\" is contained in rule \"dn.children:%s\" (replaced)\n",
1009 c->log, pattern, (*msp)->ms_dn.bv_val );
1010 *msp = (*msp)->ms_next;
1011 tmp->ms_next = NULL;
1012 meta_subtree_destroy( tmp );
1015 } else if ( dnIsSuffix( &ms->ms_dn, &(*msp)->ms_dn ) ) {
1016 Debug( LDAP_DEBUG_CONFIG,
1017 "%s: previous rule \"dn.children:%s\" contains rule \"dn.children:%s\" (ignored)\n",
1018 c->log, (*msp)->ms_dn.bv_val, pattern );
1019 meta_subtree_destroy( ms );
1026 if ( regexec( &(*msp)->ms_regex, ms->ms_dn.bv_val, 0, NULL, 0 ) == 0 ) {
1027 Debug( LDAP_DEBUG_CONFIG,
1028 "%s: previous rule \"dn.regex:%s\" may contain rule \"dn.subtree:%s\"\n",
1029 c->log, (*msp)->ms_regex_pattern.bv_val, ms->ms_dn.bv_val );
1036 switch ( (*msp)->ms_type ) {
1037 case META_ST_SUBTREE:
1038 case META_ST_SUBORDINATE:
1039 if ( regexec( &ms->ms_regex, (*msp)->ms_dn.bv_val, 0, NULL, 0 ) == 0 ) {
1040 Debug( LDAP_DEBUG_CONFIG,
1041 "%s: previous rule \"dn.subtree:%s\" may be contained in rule \"dn.regex:%s\"\n",
1042 c->log, (*msp)->ms_dn.bv_val, ms->ms_regex_pattern.bv_val );
1047 /* no check possible */
1053 msp = &(*msp)->ms_next;
1062 static slap_verbmasks idassert_mode[] = {
1063 { BER_BVC("self"), LDAP_BACK_IDASSERT_SELF },
1064 { BER_BVC("anonymous"), LDAP_BACK_IDASSERT_ANONYMOUS },
1065 { BER_BVC("none"), LDAP_BACK_IDASSERT_NOASSERT },
1066 { BER_BVC("legacy"), LDAP_BACK_IDASSERT_LEGACY },
1070 static slap_verbmasks tls_mode[] = {
1071 { BER_BVC( "propagate" ), LDAP_BACK_F_TLS_PROPAGATE_MASK },
1072 { BER_BVC( "try-propagate" ), LDAP_BACK_F_PROPAGATE_TLS },
1073 { BER_BVC( "start" ), LDAP_BACK_F_TLS_USE_MASK },
1074 { BER_BVC( "try-start" ), LDAP_BACK_F_USE_TLS },
1075 { BER_BVC( "ldaps" ), LDAP_BACK_F_TLS_LDAPS },
1076 { BER_BVC( "none" ), LDAP_BACK_F_NONE },
1080 static slap_verbmasks t_f_mode[] = {
1081 { BER_BVC( "yes" ), LDAP_BACK_F_T_F },
1082 { BER_BVC( "discover" ), LDAP_BACK_F_T_F_DISCOVER },
1083 { BER_BVC( "no" ), LDAP_BACK_F_NONE },
1087 static slap_verbmasks cancel_mode[] = {
1088 { BER_BVC( "ignore" ), LDAP_BACK_F_CANCEL_IGNORE },
1089 { BER_BVC( "exop" ), LDAP_BACK_F_CANCEL_EXOP },
1090 { BER_BVC( "exop-discover" ), LDAP_BACK_F_CANCEL_EXOP_DISCOVER },
1091 { BER_BVC( "abandon" ), LDAP_BACK_F_CANCEL_ABANDON },
1095 static slap_verbmasks onerr_mode[] = {
1096 { BER_BVC( "stop" ), META_BACK_F_ONERR_STOP },
1097 { BER_BVC( "report" ), META_BACK_F_ONERR_REPORT },
1098 { BER_BVC( "continue" ), LDAP_BACK_F_NONE },
1102 /* see enum in slap.h */
1103 static slap_cf_aux_table timeout_table[] = {
1104 { BER_BVC("bind="), SLAP_OP_BIND * sizeof( time_t ), 'u', 0, NULL },
1105 /* unbind makes no sense */
1106 { BER_BVC("add="), SLAP_OP_ADD * sizeof( time_t ), 'u', 0, NULL },
1107 { BER_BVC("delete="), SLAP_OP_DELETE * sizeof( time_t ), 'u', 0, NULL },
1108 { BER_BVC("modrdn="), SLAP_OP_MODRDN * sizeof( time_t ), 'u', 0, NULL },
1109 { BER_BVC("modify="), SLAP_OP_MODIFY * sizeof( time_t ), 'u', 0, NULL },
1110 { BER_BVC("compare="), SLAP_OP_COMPARE * sizeof( time_t ), 'u', 0, NULL },
1111 { BER_BVC("search="), SLAP_OP_SEARCH * sizeof( time_t ), 'u', 0, NULL },
1112 /* abandon makes little sense */
1113 #if 0 /* not implemented yet */
1114 { BER_BVC("extended="), SLAP_OP_EXTENDED * sizeof( time_t ), 'u', 0, NULL },
1116 { BER_BVNULL, 0, 0, 0, NULL }
1120 meta_cf_cleanup( ConfigArgs *c )
1122 metainfo_t *mi = ( metainfo_t * )c->be->be_private;
1123 metatarget_t *mt = c->ca_private;
1125 return meta_target_finish( mi, mt, c->log, c->cr_msg, sizeof( c->cr_msg ));
1129 meta_back_cf_gen( ConfigArgs *c )
1131 metainfo_t *mi = ( metainfo_t * )c->be->be_private;
1137 assert( mi != NULL );
1139 if ( c->op == SLAP_CONFIG_EMIT || c->op == LDAP_MOD_DELETE ) {
1143 if ( c->table == Cft_Database ) {
1152 if ( c->op == SLAP_CONFIG_EMIT ) {
1153 struct berval bv = BER_BVNULL;
1157 case LDAP_BACK_CFG_CONN_TTL:
1158 if ( mi->mi_conn_ttl == 0 ) {
1161 char buf[ SLAP_TEXT_BUFLEN ];
1163 lutil_unparse_time( buf, sizeof( buf ), mi->mi_conn_ttl );
1164 ber_str2bv( buf, 0, 0, &bv );
1165 value_add_one( &c->rvalue_vals, &bv );
1169 case LDAP_BACK_CFG_DNCACHE_TTL:
1170 if ( mi->mi_cache.ttl == META_DNCACHE_DISABLED ) {
1172 } else if ( mi->mi_cache.ttl == META_DNCACHE_FOREVER ) {
1173 BER_BVSTR( &bv, "forever" );
1175 char buf[ SLAP_TEXT_BUFLEN ];
1177 lutil_unparse_time( buf, sizeof( buf ), mi->mi_cache.ttl );
1178 ber_str2bv( buf, 0, 0, &bv );
1180 value_add_one( &c->rvalue_vals, &bv );
1183 case LDAP_BACK_CFG_IDLE_TIMEOUT:
1184 if ( mi->mi_idle_timeout == 0 ) {
1187 char buf[ SLAP_TEXT_BUFLEN ];
1189 lutil_unparse_time( buf, sizeof( buf ), mi->mi_idle_timeout );
1190 ber_str2bv( buf, 0, 0, &bv );
1191 value_add_one( &c->rvalue_vals, &bv );
1195 case LDAP_BACK_CFG_ONERR:
1196 enum_to_verb( onerr_mode, mi->mi_flags & META_BACK_F_ONERR_MASK, &bv );
1197 if ( BER_BVISNULL( &bv )) {
1200 value_add_one( &c->rvalue_vals, &bv );
1204 case LDAP_BACK_CFG_PSEUDOROOT_BIND_DEFER:
1205 c->value_int = META_BACK_DEFER_ROOTDN_BIND( mi );
1208 case LDAP_BACK_CFG_SINGLECONN:
1209 c->value_int = LDAP_BACK_SINGLECONN( mi );
1212 case LDAP_BACK_CFG_USETEMP:
1213 c->value_int = LDAP_BACK_USE_TEMPORARIES( mi );
1216 case LDAP_BACK_CFG_CONNPOOLMAX:
1217 c->value_int = mi->mi_conn_priv_max;
1221 case LDAP_BACK_CFG_BIND_TIMEOUT:
1222 if ( mc->mc_bind_timeout.tv_sec == 0 &&
1223 mc->mc_bind_timeout.tv_usec == 0 ) {
1226 c->value_ulong = mc->mc_bind_timeout.tv_sec * 1000000UL +
1227 mc->mc_bind_timeout.tv_usec;
1231 case LDAP_BACK_CFG_CANCEL: {
1232 slap_mask_t mask = LDAP_BACK_F_CANCEL_MASK2;
1234 if ( mt && META_BACK_TGT_CANCEL_DISCOVER( mt ) ) {
1235 mask &= ~LDAP_BACK_F_CANCEL_EXOP;
1237 enum_to_verb( cancel_mode, (mc->mc_flags & mask), &bv );
1238 if ( BER_BVISNULL( &bv ) ) {
1239 /* there's something wrong... */
1244 value_add_one( &c->rvalue_vals, &bv );
1248 case LDAP_BACK_CFG_CHASE:
1249 c->value_int = META_BACK_CMN_CHASE_REFERRALS(mc);
1252 #ifdef SLAPD_META_CLIENT_PR
1253 case LDAP_BACK_CFG_CLIENT_PR:
1254 if ( mc->mc_ps == META_CLIENT_PR_DISABLE ) {
1256 } else if ( mc->mc_ps == META_CLIENT_PR_ACCEPT_UNSOLICITED ) {
1257 BER_BVSTR( &bv, "accept-unsolicited" );
1259 bv.bv_len = snprintf( c->cr_msg, sizeof(c->cr_msg), "%d", mc->mc_ps );
1260 bv.bv_val = c->cr_msg;
1262 value_add_one( &c->rvalue_vals, &bv );
1264 #endif /* SLAPD_META_CLIENT_PR */
1266 case LDAP_BACK_CFG_DEFAULT_T:
1267 if ( mt || mi->mi_defaulttarget == META_DEFAULT_TARGET_NONE )
1269 bv.bv_len = snprintf( c->cr_msg, sizeof(c->cr_msg), "%d", mi->mi_defaulttarget );
1270 bv.bv_val = c->cr_msg;
1271 value_add_one( &c->rvalue_vals, &bv );
1274 case LDAP_BACK_CFG_NETWORK_TIMEOUT:
1275 if ( mc->mc_network_timeout == 0 ) {
1278 bv.bv_len = snprintf( c->cr_msg, sizeof(c->cr_msg), "%ld",
1279 mc->mc_network_timeout );
1280 bv.bv_val = c->cr_msg;
1281 value_add_one( &c->rvalue_vals, &bv );
1284 case LDAP_BACK_CFG_NOREFS:
1285 c->value_int = META_BACK_CMN_NOREFS(mc);
1288 case LDAP_BACK_CFG_NOUNDEFFILTER:
1289 c->value_int = META_BACK_CMN_NOUNDEFFILTER(mc);
1292 case LDAP_BACK_CFG_NRETRIES:
1293 if ( mc->mc_nretries == META_RETRY_FOREVER ) {
1294 BER_BVSTR( &bv, "forever" );
1295 } else if ( mc->mc_nretries == META_RETRY_NEVER ) {
1296 BER_BVSTR( &bv, "never" );
1298 bv.bv_len = snprintf( c->cr_msg, sizeof(c->cr_msg), "%d",
1300 bv.bv_val = c->cr_msg;
1302 value_add_one( &c->rvalue_vals, &bv );
1305 case LDAP_BACK_CFG_QUARANTINE:
1306 if ( !META_BACK_CMN_QUARANTINE( mc )) {
1310 rc = mi->mi_ldap_extra->retry_info_unparse( &mc->mc_quarantine, &bv );
1312 ber_bvarray_add( &c->rvalue_vals, &bv );
1316 case LDAP_BACK_CFG_REBIND:
1317 c->value_int = META_BACK_CMN_SAVECRED(mc);
1320 case LDAP_BACK_CFG_TIMEOUT:
1321 for ( i = 0; i < SLAP_OP_LAST; i++ ) {
1322 if ( mc->mc_timeout[ i ] != 0 ) {
1327 if ( i == SLAP_OP_LAST ) {
1332 slap_cf_aux_table_unparse( mc->mc_timeout, &bv, timeout_table );
1334 if ( BER_BVISNULL( &bv ) ) {
1338 for ( i = 0; isspace( (unsigned char) bv.bv_val[ i ] ); i++ )
1339 /* count spaces */ ;
1343 AC_MEMCPY( bv.bv_val, &bv.bv_val[ i ],
1347 ber_bvarray_add( &c->rvalue_vals, &bv );
1350 case LDAP_BACK_CFG_VERSION:
1351 if ( mc->mc_version == 0 )
1353 c->value_int = mc->mc_version;
1356 #ifdef SLAP_CONTROL_X_SESSION_TRACKING
1357 case LDAP_BACK_CFG_ST_REQUEST:
1358 c->value_int = META_BACK_CMN_ST_REQUEST( mc );
1360 #endif /* SLAP_CONTROL_X_SESSION_TRACKING */
1362 case LDAP_BACK_CFG_T_F:
1363 enum_to_verb( t_f_mode, (mc->mc_flags & LDAP_BACK_F_T_F_MASK2), &bv );
1364 if ( BER_BVISNULL( &bv ) ) {
1365 /* there's something wrong... */
1370 value_add_one( &c->rvalue_vals, &bv );
1374 case LDAP_BACK_CFG_TLS: {
1375 struct berval bc = BER_BVNULL, bv2;
1377 if (( mc->mc_flags & LDAP_BACK_F_TLS_MASK ) == LDAP_BACK_F_NONE ) {
1381 enum_to_verb( tls_mode, ( mc->mc_flags & LDAP_BACK_F_TLS_MASK ), &bv );
1382 assert( !BER_BVISNULL( &bv ) );
1385 bindconf_tls_unparse( &mt->mt_tls, &bc );
1388 if ( !BER_BVISEMPTY( &bc )) {
1389 bv2.bv_len = bv.bv_len + bc.bv_len + 1;
1390 bv2.bv_val = ch_malloc( bv2.bv_len + 1 );
1391 strcpy( bv2.bv_val, bv.bv_val );
1392 bv2.bv_val[bv.bv_len] = ' ';
1393 strcpy( &bv2.bv_val[bv.bv_len + 1], bc.bv_val );
1394 ber_memfree( bc.bv_val );
1395 ber_bvarray_add( &c->rvalue_vals, &bv2 );
1397 value_add_one( &c->rvalue_vals, &bv );
1402 case LDAP_BACK_CFG_URI: {
1403 char *p2, *p1 = strchr( mt->mt_uri, ' ' );
1404 bv.bv_len = strlen( mt->mt_uri ) + 3 + mt->mt_psuffix.bv_len;
1405 bv.bv_val = ch_malloc( bv.bv_len + 1 );
1409 p2 = lutil_strncopy( p2, mt->mt_uri, p1 - mt->mt_uri );
1411 p2 = lutil_strcopy( p2, mt->mt_uri );
1414 p2 = lutil_strcopy( p2, mt->mt_psuffix.bv_val );
1419 ber_bvarray_add( &c->rvalue_vals, &bv );
1422 case LDAP_BACK_CFG_ACL_AUTHCDN:
1423 case LDAP_BACK_CFG_ACL_PASSWD:
1424 /* FIXME no point here, there is no code implementing
1425 * their features. Was this supposed to implement
1426 * acl-bind like back-ldap?
1431 case LDAP_BACK_CFG_IDASSERT_AUTHZFROM: {
1434 struct berval bv = BER_BVNULL;
1435 char buf[SLAP_TEXT_BUFLEN];
1437 bvp = &mt->mt_idassert_authz;
1438 if ( *bvp == NULL ) {
1439 if ( mt->mt_idassert_flags & LDAP_BACK_AUTH_AUTHZ_ALL )
1441 BER_BVSTR( &bv, "*" );
1442 value_add_one( &c->rvalue_vals, &bv );
1450 for ( i = 0; !BER_BVISNULL( &((*bvp)[ i ]) ); i++ ) {
1452 int len = snprintf( buf, sizeof( buf ), SLAP_X_ORDERED_FMT, i );
1453 bv.bv_len = ((*bvp)[ i ]).bv_len + len;
1454 bv.bv_val = ber_memrealloc( bv.bv_val, bv.bv_len + 1 );
1456 ptr = lutil_strcopy( ptr, buf );
1457 ptr = lutil_strncopy( ptr, ((*bvp)[ i ]).bv_val, ((*bvp)[ i ]).bv_len );
1458 value_add_one( &c->rvalue_vals, &bv );
1461 ber_memfree( bv.bv_val );
1466 case LDAP_BACK_CFG_IDASSERT_BIND: {
1468 struct berval bc = BER_BVNULL;
1471 if ( mt->mt_idassert_authmethod == LDAP_AUTH_NONE ) {
1476 switch ( mt->mt_idassert_mode ) {
1477 case LDAP_BACK_IDASSERT_OTHERID:
1478 case LDAP_BACK_IDASSERT_OTHERDN:
1482 struct berval mode = BER_BVNULL;
1484 enum_to_verb( idassert_mode, mt->mt_idassert_mode, &mode );
1485 if ( BER_BVISNULL( &mode ) ) {
1486 /* there's something wrong... */
1491 bv.bv_len = STRLENOF( "mode=" ) + mode.bv_len;
1492 bv.bv_val = ch_malloc( bv.bv_len + 1 );
1494 ptr = lutil_strcopy( bv.bv_val, "mode=" );
1495 ptr = lutil_strcopy( ptr, mode.bv_val );
1501 if ( mt->mt_idassert_flags & LDAP_BACK_AUTH_NATIVE_AUTHZ ) {
1502 len = bv.bv_len + STRLENOF( "authz=native" );
1504 if ( !BER_BVISEMPTY( &bv ) ) {
1505 len += STRLENOF( " " );
1508 bv.bv_val = ch_realloc( bv.bv_val, len + 1 );
1510 ptr = &bv.bv_val[ bv.bv_len ];
1512 if ( !BER_BVISEMPTY( &bv ) ) {
1513 ptr = lutil_strcopy( ptr, " " );
1516 (void)lutil_strcopy( ptr, "authz=native" );
1519 len = bv.bv_len + STRLENOF( "flags=non-prescriptive,override,obsolete-encoding-workaround,proxy-authz-non-critical,dn-authzid" );
1521 if ( !BER_BVISEMPTY( &bv ) ) {
1522 len += STRLENOF( " " );
1525 bv.bv_val = ch_realloc( bv.bv_val, len + 1 );
1527 ptr = &bv.bv_val[ bv.bv_len ];
1529 if ( !BER_BVISEMPTY( &bv ) ) {
1530 ptr = lutil_strcopy( ptr, " " );
1533 ptr = lutil_strcopy( ptr, "flags=" );
1535 if ( mt->mt_idassert_flags & LDAP_BACK_AUTH_PRESCRIPTIVE ) {
1536 ptr = lutil_strcopy( ptr, "prescriptive" );
1538 ptr = lutil_strcopy( ptr, "non-prescriptive" );
1541 if ( mt->mt_idassert_flags & LDAP_BACK_AUTH_OVERRIDE ) {
1542 ptr = lutil_strcopy( ptr, ",override" );
1545 if ( mt->mt_idassert_flags & LDAP_BACK_AUTH_OBSOLETE_PROXY_AUTHZ ) {
1546 ptr = lutil_strcopy( ptr, ",obsolete-proxy-authz" );
1548 } else if ( mt->mt_idassert_flags & LDAP_BACK_AUTH_OBSOLETE_ENCODING_WORKAROUND ) {
1549 ptr = lutil_strcopy( ptr, ",obsolete-encoding-workaround" );
1552 if ( mt->mt_idassert_flags & LDAP_BACK_AUTH_PROXYAUTHZ_CRITICAL ) {
1553 ptr = lutil_strcopy( ptr, ",proxy-authz-critical" );
1556 ptr = lutil_strcopy( ptr, ",proxy-authz-non-critical" );
1560 switch ( mt->mt_idassert_flags & LDAP_BACK_AUTH_DN_MASK ) {
1561 case LDAP_BACK_AUTH_DN_AUTHZID:
1562 ptr = lutil_strcopy( ptr, ",dn-authzid" );
1565 case LDAP_BACK_AUTH_DN_WHOAMI:
1566 ptr = lutil_strcopy( ptr, ",dn-whoami" );
1570 #if 0 /* implicit */
1571 ptr = lutil_strcopy( ptr, ",dn-none" );
1577 bv.bv_len = ( ptr - bv.bv_val );
1581 bindconf_unparse( &mt->mt_idassert.si_bc, &bc );
1583 if ( !BER_BVISNULL( &bv ) ) {
1584 ber_len_t len = bv.bv_len + bc.bv_len;
1586 bv.bv_val = ch_realloc( bv.bv_val, len + 1 );
1588 assert( bc.bv_val[ 0 ] == ' ' );
1590 ptr = lutil_strcopy( &bv.bv_val[ bv.bv_len ], bc.bv_val );
1592 bv.bv_len = ptr - bv.bv_val;
1595 for ( i = 0; isspace( (unsigned char) bc.bv_val[ i ] ); i++ )
1596 /* count spaces */ ;
1600 AC_MEMCPY( bc.bv_val, &bc.bv_val[ i ], bc.bv_len + 1 );
1606 ber_bvarray_add( &c->rvalue_vals, &bv );
1611 case LDAP_BACK_CFG_SUFFIXM: /* unused */
1612 case LDAP_BACK_CFG_REWRITE:
1613 if ( mt->mt_rwmap.rwm_bva_rewrite == NULL ) {
1616 rc = slap_bv_x_ordered_unparse( mt->mt_rwmap.rwm_bva_rewrite, &c->rvalue_vals );
1620 case LDAP_BACK_CFG_MAP:
1621 if ( mt->mt_rwmap.rwm_bva_map == NULL ) {
1624 rc = slap_bv_x_ordered_unparse( mt->mt_rwmap.rwm_bva_map, &c->rvalue_vals );
1628 case LDAP_BACK_CFG_SUBTREE_EX:
1629 case LDAP_BACK_CFG_SUBTREE_IN:
1630 rc = meta_subtree_unparse( c, mt );
1633 case LDAP_BACK_CFG_FILTER:
1634 if ( mt->mt_filter == NULL ) {
1638 for ( mf = mt->mt_filter; mf; mf = mf->mf_next )
1639 value_add_one( &c->rvalue_vals, &mf->mf_regex_pattern );
1643 /* replaced by idassert */
1644 case LDAP_BACK_CFG_PSEUDOROOTDN:
1645 case LDAP_BACK_CFG_PSEUDOROOTPW:
1649 case LDAP_BACK_CFG_KEEPALIVE: {
1651 char buf[AC_LINE_MAX];
1652 bv.bv_len = AC_LINE_MAX;
1653 bv.bv_val = &buf[0];
1654 slap_keepalive_parse(&bv, &mt->mt_tls.sb_keepalive, 0, 0, 1);
1655 value_add_one( &c->rvalue_vals, &bv );
1663 } else if ( c->op == LDAP_MOD_DELETE ) {
1666 case LDAP_BACK_CFG_CONN_TTL:
1667 mi->mi_conn_ttl = 0;
1670 case LDAP_BACK_CFG_DNCACHE_TTL:
1671 mi->mi_cache.ttl = META_DNCACHE_DISABLED;
1674 case LDAP_BACK_CFG_IDLE_TIMEOUT:
1675 mi->mi_idle_timeout = 0;
1678 case LDAP_BACK_CFG_ONERR:
1679 mi->mi_flags &= ~META_BACK_F_ONERR_MASK;
1682 case LDAP_BACK_CFG_PSEUDOROOT_BIND_DEFER:
1683 mi->mi_flags &= ~META_BACK_F_DEFER_ROOTDN_BIND;
1686 case LDAP_BACK_CFG_SINGLECONN:
1687 mi->mi_flags &= ~LDAP_BACK_F_SINGLECONN;
1690 case LDAP_BACK_CFG_USETEMP:
1691 mi->mi_flags &= ~LDAP_BACK_F_USE_TEMPORARIES;
1694 case LDAP_BACK_CFG_CONNPOOLMAX:
1695 mi->mi_conn_priv_max = LDAP_BACK_CONN_PRIV_MIN;
1699 case LDAP_BACK_CFG_BIND_TIMEOUT:
1700 mc->mc_bind_timeout.tv_sec = 0;
1701 mc->mc_bind_timeout.tv_usec = 0;
1704 case LDAP_BACK_CFG_CANCEL:
1705 mc->mc_flags &= ~LDAP_BACK_F_CANCEL_MASK2;
1708 case LDAP_BACK_CFG_CHASE:
1709 mc->mc_flags &= ~LDAP_BACK_F_CHASE_REFERRALS;
1712 #ifdef SLAPD_META_CLIENT_PR
1713 case LDAP_BACK_CFG_CLIENT_PR:
1714 mc->mc_ps = META_CLIENT_PR_DISABLE;
1716 #endif /* SLAPD_META_CLIENT_PR */
1718 case LDAP_BACK_CFG_DEFAULT_T:
1719 mi->mi_defaulttarget = META_DEFAULT_TARGET_NONE;
1722 case LDAP_BACK_CFG_NETWORK_TIMEOUT:
1723 mc->mc_network_timeout = 0;
1726 case LDAP_BACK_CFG_NOREFS:
1727 mc->mc_flags &= ~LDAP_BACK_F_NOREFS;
1730 case LDAP_BACK_CFG_NOUNDEFFILTER:
1731 mc->mc_flags &= ~LDAP_BACK_F_NOUNDEFFILTER;
1734 case LDAP_BACK_CFG_NRETRIES:
1735 mc->mc_nretries = META_RETRY_DEFAULT;
1738 case LDAP_BACK_CFG_QUARANTINE:
1739 if ( META_BACK_CMN_QUARANTINE( mc )) {
1740 mi->mi_ldap_extra->retry_info_destroy( &mc->mc_quarantine );
1741 mc->mc_flags &= ~LDAP_BACK_F_QUARANTINE;
1742 if ( mc == &mt->mt_mc ) {
1743 ldap_pvt_thread_mutex_destroy( &mt->mt_quarantine_mutex );
1744 mt->mt_isquarantined = 0;
1749 case LDAP_BACK_CFG_REBIND:
1750 mc->mc_flags &= ~LDAP_BACK_F_SAVECRED;
1753 case LDAP_BACK_CFG_TIMEOUT:
1754 for ( i = 0; i < SLAP_OP_LAST; i++ ) {
1755 mc->mc_timeout[ i ] = 0;
1759 case LDAP_BACK_CFG_VERSION:
1763 #ifdef SLAP_CONTROL_X_SESSION_TRACKING
1764 case LDAP_BACK_CFG_ST_REQUEST:
1765 mc->mc_flags &= ~LDAP_BACK_F_ST_REQUEST;
1767 #endif /* SLAP_CONTROL_X_SESSION_TRACKING */
1769 case LDAP_BACK_CFG_T_F:
1770 mc->mc_flags &= ~LDAP_BACK_F_T_F_MASK2;
1773 case LDAP_BACK_CFG_TLS:
1774 mc->mc_flags &= ~LDAP_BACK_F_TLS_MASK;
1776 bindconf_free( &mt->mt_tls );
1780 case LDAP_BACK_CFG_URI:
1782 ch_free( mt->mt_uri );
1785 /* FIXME: should have a way to close all cached
1786 * connections associated with this target.
1790 case LDAP_BACK_CFG_IDASSERT_AUTHZFROM: {
1793 bvp = &mt->mt_idassert_authz;
1794 if ( c->valx < 0 ) {
1795 if ( *bvp != NULL ) {
1796 ber_bvarray_free( *bvp );
1801 if ( *bvp == NULL ) {
1806 for ( i = 0; !BER_BVISNULL( &((*bvp)[ i ]) ); i++ )
1809 if ( i >= c->valx ) {
1813 ber_memfree( ((*bvp)[ c->valx ]).bv_val );
1814 for ( i = c->valx; !BER_BVISNULL( &((*bvp)[ i + 1 ]) ); i++ ) {
1815 (*bvp)[ i ] = (*bvp)[ i + 1 ];
1817 BER_BVZERO( &((*bvp)[ i ]) );
1821 case LDAP_BACK_CFG_IDASSERT_BIND:
1822 bindconf_free( &mt->mt_idassert.si_bc );
1823 memset( &mt->mt_idassert, 0, sizeof( slap_idassert_t ) );
1826 case LDAP_BACK_CFG_SUFFIXM: /* unused */
1827 case LDAP_BACK_CFG_REWRITE:
1828 if ( mt->mt_rwmap.rwm_bva_rewrite ) {
1829 ber_bvarray_free( mt->mt_rwmap.rwm_bva_rewrite );
1830 mt->mt_rwmap.rwm_bva_rewrite = NULL;
1832 if ( mt->mt_rwmap.rwm_rw )
1833 rewrite_info_delete( &mt->mt_rwmap.rwm_rw );
1836 case LDAP_BACK_CFG_MAP:
1837 if ( mt->mt_rwmap.rwm_bva_map ) {
1838 ber_bvarray_free( mt->mt_rwmap.rwm_bva_map );
1839 mt->mt_rwmap.rwm_bva_map = NULL;
1841 meta_back_map_free( &mt->mt_rwmap.rwm_oc );
1842 meta_back_map_free( &mt->mt_rwmap.rwm_at );
1843 mt->mt_rwmap.rwm_oc.drop_missing = 0;
1844 mt->mt_rwmap.rwm_at.drop_missing = 0;
1847 case LDAP_BACK_CFG_SUBTREE_EX:
1848 case LDAP_BACK_CFG_SUBTREE_IN:
1849 /* can only be one of exclude or include */
1850 if (( c->type == LDAP_BACK_CFG_SUBTREE_EX ) ^ mt->mt_subtree_exclude ) {
1854 if ( c->valx < 0 ) {
1855 meta_subtree_destroy( mt->mt_subtree );
1856 mt->mt_subtree = NULL;
1858 metasubtree_t *ms, **mprev;
1859 for (i=0, mprev = &mt->mt_subtree, ms = *mprev; ms; ms = *mprev) {
1860 if ( i == c->valx ) {
1861 *mprev = ms->ms_next;
1862 meta_subtree_free( ms );
1866 mprev = &ms->ms_next;
1873 case LDAP_BACK_CFG_FILTER:
1874 if ( c->valx < 0 ) {
1875 meta_filter_destroy( mt->mt_filter );
1876 mt->mt_filter = NULL;
1878 metafilter_t *mf, **mprev;
1879 for (i=0, mprev = &mt->mt_filter, mf = *mprev; mf; mf = *mprev) {
1880 if ( i == c->valx ) {
1881 *mprev = mf->mf_next;
1882 meta_filter_free( mf );
1886 mprev = &mf->mf_next;
1893 case LDAP_BACK_CFG_KEEPALIVE:
1894 mt->mt_tls.sb_keepalive.sk_idle = 0;
1895 mt->mt_tls.sb_keepalive.sk_probes = 0;
1896 mt->mt_tls.sb_keepalive.sk_interval = 0;
1907 if ( c->op == SLAP_CONFIG_ADD ) {
1908 if ( c->type >= LDAP_BACK_CFG_LAST_BASE ) {
1909 /* exclude CFG_URI from this check */
1910 if ( c->type > LDAP_BACK_CFG_LAST_BOTH ) {
1911 if ( !mi->mi_ntargets ) {
1912 snprintf( c->cr_msg, sizeof( c->cr_msg ),
1913 "need \"uri\" directive first" );
1914 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
1918 if ( mi->mi_ntargets ) {
1919 mt = mi->mi_targets[ mi->mi_ntargets-1 ];
1927 if ( c->table == Cft_Database ) {
1940 case LDAP_BACK_CFG_URI: {
1947 if ( c->be->be_nsuffix == NULL ) {
1948 snprintf( c->cr_msg, sizeof( c->cr_msg ),
1949 "the suffix must be defined before any target" );
1950 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
1954 i = mi->mi_ntargets++;
1956 mi->mi_targets = ( metatarget_t ** )ch_realloc( mi->mi_targets,
1957 sizeof( metatarget_t * ) * mi->mi_ntargets );
1958 if ( mi->mi_targets == NULL ) {
1959 snprintf( c->cr_msg, sizeof( c->cr_msg ),
1960 "out of memory while storing server name"
1961 " in \"%s <protocol>://<server>[:port]/<naming context>\"",
1963 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
1967 if ( meta_back_new_target( &mi->mi_targets[ i ] ) != 0 ) {
1968 snprintf( c->cr_msg, sizeof( c->cr_msg ),
1969 "unable to init server"
1970 " in \"%s <protocol>://<server>[:port]/<naming context>\"",
1972 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
1976 mt = mi->mi_targets[ i ];
1978 mt->mt_rebind_f = mi->mi_rebind_f;
1979 mt->mt_urllist_f = mi->mi_urllist_f;
1980 mt->mt_urllist_p = mt;
1982 if ( META_BACK_QUARANTINE( mi ) ) {
1983 ldap_pvt_thread_mutex_init( &mt->mt_quarantine_mutex );
1985 mt->mt_mc = mi->mi_mc;
1987 for ( j = 1; j < c->argc; j++ ) {
1988 char **tmpuris = ldap_str2charray( c->argv[ j ], "\t" );
1990 if ( tmpuris == NULL ) {
1991 snprintf( c->cr_msg, sizeof( c->cr_msg ),
1992 "unable to parse URIs #%d"
1993 " in \"%s <protocol>://<server>[:port]/<naming context>\"",
1995 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2003 ldap_charray_merge( &uris, tmpuris );
2004 ldap_charray_free( tmpuris );
2008 for ( j = 0; uris[ j ] != NULL; j++ ) {
2009 char *tmpuri = NULL;
2012 * uri MUST be legal!
2014 if ( ldap_url_parselist_ext( &ludp, uris[ j ], "\t",
2015 LDAP_PVT_URL_PARSE_NONE ) != LDAP_SUCCESS
2016 || ludp->lud_next != NULL )
2018 snprintf( c->cr_msg, sizeof( c->cr_msg ),
2019 "unable to parse URI #%d"
2020 " in \"%s <protocol>://<server>[:port]/<naming context>\"",
2022 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2023 ldap_charray_free( uris );
2030 * uri MUST have the <dn> part!
2032 if ( ludp->lud_dn == NULL ) {
2033 snprintf( c->cr_msg, sizeof( c->cr_msg ),
2034 "missing <naming context> "
2035 " in \"%s <protocol>://<server>[:port]/<naming context>\"",
2037 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2038 ldap_free_urllist( ludp );
2039 ldap_charray_free( uris );
2044 * copies and stores uri and suffix
2046 ber_str2bv( ludp->lud_dn, 0, 0, &dn );
2047 rc = dnPrettyNormal( NULL, &dn, &mt->mt_psuffix,
2048 &mt->mt_nsuffix, NULL );
2049 if ( rc != LDAP_SUCCESS ) {
2050 snprintf( c->cr_msg, sizeof( c->cr_msg ),
2051 "target DN is invalid \"%s\"",
2053 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2054 ldap_free_urllist( ludp );
2055 ldap_charray_free( uris );
2059 ludp->lud_dn[ 0 ] = '\0';
2061 switch ( ludp->lud_scope ) {
2062 case LDAP_SCOPE_DEFAULT:
2063 mt->mt_scope = LDAP_SCOPE_SUBTREE;
2066 case LDAP_SCOPE_SUBTREE:
2067 case LDAP_SCOPE_SUBORDINATE:
2068 mt->mt_scope = ludp->lud_scope;
2072 snprintf( c->cr_msg, sizeof( c->cr_msg ),
2073 "invalid scope for target \"%s\"",
2075 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2076 ldap_free_urllist( ludp );
2077 ldap_charray_free( uris );
2082 /* check all, to apply the scope check on the first one */
2083 if ( ludp->lud_dn != NULL && ludp->lud_dn[ 0 ] != '\0' ) {
2084 snprintf( c->cr_msg, sizeof( c->cr_msg ),
2085 "multiple URIs must have no DN part" );
2086 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2087 ldap_free_urllist( ludp );
2088 ldap_charray_free( uris );
2094 tmpuri = ldap_url_list2urls( ludp );
2095 ldap_free_urllist( ludp );
2096 if ( tmpuri == NULL ) {
2097 snprintf( c->cr_msg, sizeof( c->cr_msg ), "no memory?" );
2098 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2099 ldap_charray_free( uris );
2102 ldap_memfree( uris[ j ] );
2106 mt->mt_uri = ldap_charray2str( uris, " " );
2107 ldap_charray_free( uris );
2108 if ( mt->mt_uri == NULL) {
2109 snprintf( c->cr_msg, sizeof( c->cr_msg ), "no memory?" );
2110 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2115 * uri MUST be a branch of suffix!
2117 for ( j = 0; !BER_BVISNULL( &c->be->be_nsuffix[ j ] ); j++ ) {
2118 if ( dnIsSuffix( &mt->mt_nsuffix, &c->be->be_nsuffix[ j ] ) ) {
2123 if ( BER_BVISNULL( &c->be->be_nsuffix[ j ] ) ) {
2124 snprintf( c->cr_msg, sizeof( c->cr_msg ),
2125 "<naming context> of URI must be within the naming context of this database." );
2126 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2130 c->cleanup = meta_cf_cleanup;
2132 case LDAP_BACK_CFG_SUBTREE_EX:
2133 case LDAP_BACK_CFG_SUBTREE_IN:
2134 /* subtree-exclude */
2135 if ( meta_subtree_config( mt, c )) {
2136 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2141 case LDAP_BACK_CFG_FILTER: {
2142 metafilter_t *mf, **m2;
2143 mf = ch_malloc( sizeof( metafilter_t ));
2144 rc = regcomp( &mf->mf_regex, c->argv[1], REG_EXTENDED );
2146 char regerr[ SLAP_TEXT_BUFLEN ];
2147 regerror( rc, &mf->mf_regex, regerr, sizeof(regerr) );
2148 snprintf( c->cr_msg, sizeof( c->cr_msg ),
2149 "regular expression \"%s\" bad because of %s",
2150 c->argv[1], regerr );
2154 ber_str2bv( c->argv[1], 0, 1, &mf->mf_regex_pattern );
2155 for ( m2 = &mt->mt_filter; *m2; m2 = &(*m2)->mf_next )
2160 case LDAP_BACK_CFG_DEFAULT_T:
2161 /* default target directive */
2162 i = mi->mi_ntargets - 1;
2164 if ( c->argc == 1 ) {
2166 snprintf( c->cr_msg, sizeof( c->cr_msg ),
2167 "\"%s\" alone must be inside a \"uri\" directive",
2169 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2172 mi->mi_defaulttarget = i;
2175 if ( strcasecmp( c->argv[ 1 ], "none" ) == 0 ) {
2177 snprintf( c->cr_msg, sizeof( c->cr_msg ),
2178 "\"%s none\" should go before uri definitions",
2180 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2182 mi->mi_defaulttarget = META_DEFAULT_TARGET_NONE;
2186 if ( lutil_atoi( &mi->mi_defaulttarget, c->argv[ 1 ] ) != 0
2187 || mi->mi_defaulttarget < 0
2188 || mi->mi_defaulttarget >= i - 1 )
2190 snprintf( c->cr_msg, sizeof( c->cr_msg ),
2191 "illegal target number %d",
2192 mi->mi_defaulttarget );
2193 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2200 case LDAP_BACK_CFG_DNCACHE_TTL:
2201 /* ttl of dn cache */
2202 if ( strcasecmp( c->argv[ 1 ], "forever" ) == 0 ) {
2203 mi->mi_cache.ttl = META_DNCACHE_FOREVER;
2205 } else if ( strcasecmp( c->argv[ 1 ], "disabled" ) == 0 ) {
2206 mi->mi_cache.ttl = META_DNCACHE_DISABLED;
2211 if ( lutil_parse_time( c->argv[ 1 ], &t ) != 0 ) {
2212 snprintf( c->cr_msg, sizeof( c->cr_msg ),
2213 "unable to parse dncache ttl \"%s\"",
2215 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2218 mi->mi_cache.ttl = (time_t)t;
2222 case LDAP_BACK_CFG_NETWORK_TIMEOUT: {
2223 /* network timeout when connecting to ldap servers */
2226 if ( lutil_parse_time( c->argv[ 1 ], &t ) ) {
2227 snprintf( c->cr_msg, sizeof( c->cr_msg ),
2228 "unable to parse network timeout \"%s\"",
2230 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2233 mc->mc_network_timeout = (time_t)t;
2236 case LDAP_BACK_CFG_IDLE_TIMEOUT: {
2237 /* idle timeout when connecting to ldap servers */
2240 if ( lutil_parse_time( c->argv[ 1 ], &t ) ) {
2241 snprintf( c->cr_msg, sizeof( c->cr_msg ),
2242 "unable to parse idle timeout \"%s\"",
2244 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2248 mi->mi_idle_timeout = (time_t)t;
2251 case LDAP_BACK_CFG_CONN_TTL: {
2255 if ( lutil_parse_time( c->argv[ 1 ], &t ) ) {
2256 snprintf( c->cr_msg, sizeof( c->cr_msg ),
2257 "unable to parse conn ttl \"%s\"",
2259 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2263 mi->mi_conn_ttl = (time_t)t;
2266 case LDAP_BACK_CFG_BIND_TIMEOUT:
2267 /* bind timeout when connecting to ldap servers */
2268 mc->mc_bind_timeout.tv_sec = c->value_ulong/1000000;
2269 mc->mc_bind_timeout.tv_usec = c->value_ulong%1000000;
2272 case LDAP_BACK_CFG_ACL_AUTHCDN:
2273 /* name to use for meta_back_group */
2274 if ( strcasecmp( c->argv[ 0 ], "binddn" ) == 0 ) {
2275 Debug( LDAP_DEBUG_ANY, "%s: "
2276 "\"binddn\" statement is deprecated; "
2277 "use \"acl-authcDN\" instead\n",
2279 /* FIXME: some day we'll need to throw an error */
2282 ber_memfree_x( c->value_dn.bv_val, NULL );
2283 mt->mt_binddn = c->value_ndn;
2284 BER_BVZERO( &c->value_dn );
2285 BER_BVZERO( &c->value_ndn );
2288 case LDAP_BACK_CFG_ACL_PASSWD:
2289 /* password to use for meta_back_group */
2290 if ( strcasecmp( c->argv[ 0 ], "bindpw" ) == 0 ) {
2291 Debug( LDAP_DEBUG_ANY, "%s "
2292 "\"bindpw\" statement is deprecated; "
2293 "use \"acl-passwd\" instead\n",
2295 /* FIXME: some day we'll need to throw an error */
2298 ber_str2bv( c->argv[ 1 ], 0L, 1, &mt->mt_bindpw );
2301 case LDAP_BACK_CFG_REBIND:
2302 /* save bind creds for referral rebinds? */
2303 if ( c->argc == 1 || c->value_int ) {
2304 mc->mc_flags |= LDAP_BACK_F_SAVECRED;
2306 mc->mc_flags &= ~LDAP_BACK_F_SAVECRED;
2310 case LDAP_BACK_CFG_CHASE:
2311 if ( c->argc == 1 || c->value_int ) {
2312 mc->mc_flags |= LDAP_BACK_F_CHASE_REFERRALS;
2314 mc->mc_flags &= ~LDAP_BACK_F_CHASE_REFERRALS;
2318 case LDAP_BACK_CFG_TLS:
2319 i = verb_to_mask( c->argv[1], tls_mode );
2320 if ( BER_BVISNULL( &tls_mode[i].word ) ) {
2321 snprintf( c->cr_msg, sizeof( c->cr_msg ),
2322 "%s unknown argument \"%s\"",
2323 c->argv[0], c->argv[1] );
2324 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2327 mc->mc_flags &= ~LDAP_BACK_F_TLS_MASK;
2328 mc->mc_flags |= tls_mode[i].mask;
2330 if ( c->argc > 2 ) {
2331 if ( c->op == SLAP_CONFIG_ADD && mi->mi_ntargets == 0 ) {
2332 snprintf( c->cr_msg, sizeof( c->cr_msg ),
2333 "need \"uri\" directive first" );
2334 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2338 for ( i = 2; i < c->argc; i++ ) {
2339 if ( bindconf_tls_parse( c->argv[i], &mt->mt_tls ))
2342 bindconf_tls_defaults( &mt->mt_tls );
2346 case LDAP_BACK_CFG_T_F:
2347 i = verb_to_mask( c->argv[1], t_f_mode );
2348 if ( BER_BVISNULL( &t_f_mode[i].word ) ) {
2349 snprintf( c->cr_msg, sizeof( c->cr_msg ),
2350 "%s unknown argument \"%s\"",
2351 c->argv[0], c->argv[1] );
2352 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2355 mc->mc_flags &= ~LDAP_BACK_F_T_F_MASK2;
2356 mc->mc_flags |= t_f_mode[i].mask;
2359 case LDAP_BACK_CFG_ONERR:
2361 i = verb_to_mask( c->argv[1], onerr_mode );
2362 if ( BER_BVISNULL( &onerr_mode[i].word ) ) {
2363 snprintf( c->cr_msg, sizeof( c->cr_msg ),
2364 "%s unknown argument \"%s\"",
2365 c->argv[0], c->argv[1] );
2366 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2369 mi->mi_flags &= ~META_BACK_F_ONERR_MASK;
2370 mi->mi_flags |= onerr_mode[i].mask;
2373 case LDAP_BACK_CFG_PSEUDOROOT_BIND_DEFER:
2375 if ( c->argc == 1 || c->value_int ) {
2376 mi->mi_flags |= META_BACK_F_DEFER_ROOTDN_BIND;
2378 mi->mi_flags &= ~META_BACK_F_DEFER_ROOTDN_BIND;
2382 case LDAP_BACK_CFG_SINGLECONN:
2384 if ( mi->mi_ntargets > 0 ) {
2385 snprintf( c->cr_msg, sizeof( c->cr_msg ),
2386 "\"%s\" must appear before target definitions",
2388 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2391 if ( c->value_int ) {
2392 mi->mi_flags |= LDAP_BACK_F_SINGLECONN;
2394 mi->mi_flags &= ~LDAP_BACK_F_SINGLECONN;
2398 case LDAP_BACK_CFG_USETEMP:
2399 /* use-temporaries? */
2400 if ( mi->mi_ntargets > 0 ) {
2401 snprintf( c->cr_msg, sizeof( c->cr_msg ),
2402 "\"%s\" must appear before target definitions",
2404 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2407 if ( c->value_int ) {
2408 mi->mi_flags |= LDAP_BACK_F_USE_TEMPORARIES;
2410 mi->mi_flags &= ~LDAP_BACK_F_USE_TEMPORARIES;
2414 case LDAP_BACK_CFG_CONNPOOLMAX:
2415 /* privileged connections pool max size ? */
2416 if ( mi->mi_ntargets > 0 ) {
2417 snprintf( c->cr_msg, sizeof( c->cr_msg ),
2418 "\"%s\" must appear before target definitions",
2420 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2424 if ( c->value_int < LDAP_BACK_CONN_PRIV_MIN
2425 || c->value_int > LDAP_BACK_CONN_PRIV_MAX )
2427 snprintf( c->cr_msg, sizeof( c->cr_msg ),
2428 "invalid max size " "of privileged "
2429 "connections pool \"%s\" "
2430 "in \"conn-pool-max <n> "
2431 "(must be between %d and %d)\"",
2433 LDAP_BACK_CONN_PRIV_MIN,
2434 LDAP_BACK_CONN_PRIV_MAX );
2435 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2438 mi->mi_conn_priv_max = c->value_int;
2441 case LDAP_BACK_CFG_CANCEL:
2442 i = verb_to_mask( c->argv[1], cancel_mode );
2443 if ( BER_BVISNULL( &cancel_mode[i].word ) ) {
2444 snprintf( c->cr_msg, sizeof( c->cr_msg ),
2445 "%s unknown argument \"%s\"",
2446 c->argv[0], c->argv[1] );
2447 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2450 mc->mc_flags &= ~LDAP_BACK_F_CANCEL_MASK2;
2451 mc->mc_flags |= cancel_mode[i].mask;
2454 case LDAP_BACK_CFG_TIMEOUT:
2455 for ( i = 1; i < c->argc; i++ ) {
2456 if ( isdigit( (unsigned char) c->argv[ i ][ 0 ] ) ) {
2460 if ( lutil_atoux( &u, c->argv[ i ], 0 ) != 0 ) {
2461 snprintf( c->cr_msg, sizeof( c->cr_msg),
2462 "unable to parse timeout \"%s\"",
2464 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2468 for ( j = 0; j < SLAP_OP_LAST; j++ ) {
2469 mc->mc_timeout[ j ] = u;
2475 if ( slap_cf_aux_table_parse( c->argv[ i ], mc->mc_timeout, timeout_table, "slapd-meta timeout" ) ) {
2476 snprintf( c->cr_msg, sizeof( c->cr_msg),
2477 "unable to parse timeout \"%s\"",
2479 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2485 case LDAP_BACK_CFG_PSEUDOROOTDN:
2486 /* name to use as pseudo-root dn */
2488 * exact replacement:
2491 idassert-bind bindmethod=simple
2492 binddn=<pseudorootdn>
2493 credentials=<pseudorootpw>
2495 flags=non-prescriptive
2496 idassert-authzFrom "dn:<rootdn>"
2498 * so that only when authc'd as <rootdn> the proxying occurs
2499 * rebinding as the <pseudorootdn> without proxyAuthz.
2502 Debug( LDAP_DEBUG_ANY,
2503 "%s: \"pseudorootdn\", \"pseudorootpw\" are no longer supported; "
2504 "use \"idassert-bind\" and \"idassert-authzFrom\" instead.\n",
2508 char binddn[ SLAP_TEXT_BUFLEN ];
2511 "bindmethod=simple",
2514 "flags=non-prescriptive",
2523 if ( BER_BVISNULL( &c->be->be_rootndn ) ) {
2524 Debug( LDAP_DEBUG_ANY, "%s: \"pseudorootpw\": \"rootdn\" must be defined first.\n",
2529 if ( sizeof( binddn ) <= (unsigned) snprintf( binddn,
2530 sizeof( binddn ), "binddn=%s", c->argv[ 1 ] ))
2532 Debug( LDAP_DEBUG_ANY, "%s: \"pseudorootdn\" too long.\n",
2536 cargv[ 2 ] = binddn;
2542 rc = mi->mi_ldap_extra->idassert_parse( c, &mt->mt_idassert );
2548 if ( mt->mt_idassert_authz != NULL ) {
2549 Debug( LDAP_DEBUG_ANY, "%s: \"idassert-authzFrom\" already defined (discarded).\n",
2551 ber_bvarray_free( mt->mt_idassert_authz );
2552 mt->mt_idassert_authz = NULL;
2555 assert( !BER_BVISNULL( &mt->mt_idassert_authcDN ) );
2557 bv.bv_len = STRLENOF( "dn:" ) + c->be->be_rootndn.bv_len;
2558 bv.bv_val = ber_memalloc( bv.bv_len + 1 );
2559 AC_MEMCPY( bv.bv_val, "dn:", STRLENOF( "dn:" ) );
2560 AC_MEMCPY( &bv.bv_val[ STRLENOF( "dn:" ) ], c->be->be_rootndn.bv_val, c->be->be_rootndn.bv_len + 1 );
2562 ber_bvarray_add( &mt->mt_idassert_authz, &bv );
2569 case LDAP_BACK_CFG_PSEUDOROOTPW:
2570 /* password to use as pseudo-root */
2571 Debug( LDAP_DEBUG_ANY,
2572 "%s: \"pseudorootdn\", \"pseudorootpw\" are no longer supported; "
2573 "use \"idassert-bind\" and \"idassert-authzFrom\" instead.\n",
2576 if ( BER_BVISNULL( &mt->mt_idassert_authcDN ) ) {
2577 Debug( LDAP_DEBUG_ANY, "%s: \"pseudorootpw\": \"pseudorootdn\" must be defined first.\n",
2582 if ( !BER_BVISNULL( &mt->mt_idassert_passwd ) ) {
2583 memset( mt->mt_idassert_passwd.bv_val, 0,
2584 mt->mt_idassert_passwd.bv_len );
2585 ber_memfree( mt->mt_idassert_passwd.bv_val );
2587 ber_str2bv( c->argv[ 1 ], 0, 1, &mt->mt_idassert_passwd );
2590 case LDAP_BACK_CFG_IDASSERT_BIND:
2592 rc = mi->mi_ldap_extra->idassert_parse( c, &mt->mt_idassert );
2595 case LDAP_BACK_CFG_IDASSERT_AUTHZFROM:
2596 /* idassert-authzFrom */
2597 rc = mi->mi_ldap_extra->idassert_authzfrom_parse( c, &mt->mt_idassert );
2600 case LDAP_BACK_CFG_QUARANTINE:
2602 if ( META_BACK_CMN_QUARANTINE( mc ) )
2604 snprintf( c->cr_msg, sizeof( c->cr_msg ),
2605 "quarantine already defined" );
2606 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2611 mc->mc_quarantine.ri_interval = NULL;
2612 mc->mc_quarantine.ri_num = NULL;
2613 if ( !META_BACK_QUARANTINE( mi ) ) {
2614 ldap_pvt_thread_mutex_init( &mt->mt_quarantine_mutex );
2618 if ( mi->mi_ldap_extra->retry_info_parse( c->argv[ 1 ], &mc->mc_quarantine, c->cr_msg, sizeof( c->cr_msg ) ) ) {
2619 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2623 mc->mc_flags |= LDAP_BACK_F_QUARANTINE;
2626 #ifdef SLAP_CONTROL_X_SESSION_TRACKING
2627 case LDAP_BACK_CFG_ST_REQUEST:
2628 /* session tracking request */
2629 if ( c->value_int ) {
2630 mc->mc_flags |= LDAP_BACK_F_ST_REQUEST;
2632 mc->mc_flags &= ~LDAP_BACK_F_ST_REQUEST;
2635 #endif /* SLAP_CONTROL_X_SESSION_TRACKING */
2637 case LDAP_BACK_CFG_SUFFIXM: /* FALLTHRU */
2638 case LDAP_BACK_CFG_REWRITE: {
2639 /* rewrite stuff ... */
2640 ConfigArgs ca = { 0 };
2642 struct rewrite_info *rwi;
2643 int cnt = 0, argc, ix = c->valx;
2645 if ( mt->mt_rwmap.rwm_bva_rewrite ) {
2646 for ( ; !BER_BVISNULL( &mt->mt_rwmap.rwm_bva_rewrite[ cnt ] ); cnt++ )
2650 if ( ix >= cnt || ix < 0 ) {
2653 rwi = mt->mt_rwmap.rwm_rw;
2655 mt->mt_rwmap.rwm_rw = NULL;
2656 rc = meta_rwi_init( &mt->mt_rwmap.rwm_rw );
2658 /* re-parse all rewrite rules, up to the one
2659 * that needs to be added */
2661 ca.fname = c->fname;
2662 ca.lineno = c->lineno;
2663 for ( i = 0; i < ix; i++ ) {
2664 ca.line = mt->mt_rwmap.rwm_bva_rewrite[ i ].bv_val;
2666 config_fp_parse_line( &ca );
2668 if ( !strcasecmp( ca.argv[0], "suffixmassage" )) {
2669 rc = meta_suffixm_config( &ca, ca.argc, ca.argv, mt );
2671 rc = rewrite_parse( mt->mt_rwmap.rwm_rw,
2672 c->fname, c->lineno, ca.argc, ca.argv );
2676 ch_free( ca.tline );
2681 if ( c->op != SLAP_CONFIG_ADD ) {
2685 /* add the new rule */
2686 if ( !strcasecmp( argv[0], "suffixmassage" )) {
2687 rc = meta_suffixm_config( c, argc, argv, mt );
2689 rc = rewrite_parse( mt->mt_rwmap.rwm_rw,
2690 c->fname, c->lineno, argc, argv );
2694 rewrite_info_delete( &mt->mt_rwmap.rwm_rw );
2695 mt->mt_rwmap.rwm_rw = rwi;
2700 for ( ; i < cnt; i++ ) {
2701 ca.line = mt->mt_rwmap.rwm_bva_rewrite[ i ].bv_val;
2703 config_fp_parse_line( &ca );
2705 if ( !strcasecmp( ca.argv[0], "suffixmassage" )) {
2706 rc = meta_suffixm_config( &ca, ca.argc, ca.argv, mt );
2708 rc = rewrite_parse( mt->mt_rwmap.rwm_rw,
2709 c->fname, c->lineno, ca.argc, argv );
2713 ch_free( ca.tline );
2717 /* save the rule info */
2718 line = ldap_charray2str( argv, "\" \"" );
2719 if ( line != NULL ) {
2721 int len = strlen( argv[ 0 ] );
2723 ber_str2bv( line, 0, 0, &bv );
2724 AC_MEMCPY( &bv.bv_val[ len ], &bv.bv_val[ len + 1 ],
2725 bv.bv_len - ( len + 1 ));
2726 bv.bv_val[ bv.bv_len - 1] = '"';
2727 ber_bvarray_add( &mt->mt_rwmap.rwm_bva_rewrite, &bv );
2728 /* move it to the right slot */
2730 for ( i=cnt; i>ix; i-- )
2731 mt->mt_rwmap.rwm_bva_rewrite[i+1] = mt->mt_rwmap.rwm_bva_rewrite[i];
2732 mt->mt_rwmap.rwm_bva_rewrite[i] = bv;
2734 /* destroy old rules */
2735 rewrite_info_delete( &rwi );
2740 case LDAP_BACK_CFG_MAP: {
2741 /* objectclass/attribute mapping */
2742 ConfigArgs ca = { 0 };
2744 struct ldapmap rwm_oc;
2745 struct ldapmap rwm_at;
2746 int cnt = 0, ix = c->valx;
2748 if ( mt->mt_rwmap.rwm_bva_map ) {
2749 for ( ; !BER_BVISNULL( &mt->mt_rwmap.rwm_bva_map[ cnt ] ); cnt++ )
2753 if ( ix >= cnt || ix < 0 ) {
2756 rwm_oc = mt->mt_rwmap.rwm_oc;
2757 rwm_at = mt->mt_rwmap.rwm_at;
2759 memset( &mt->mt_rwmap.rwm_oc, 0, sizeof( mt->mt_rwmap.rwm_oc ) );
2760 memset( &mt->mt_rwmap.rwm_at, 0, sizeof( mt->mt_rwmap.rwm_at ) );
2762 /* re-parse all mappings, up to the one
2763 * that needs to be added */
2764 argv[0] = c->argv[0];
2765 ca.fname = c->fname;
2766 ca.lineno = c->lineno;
2767 for ( i = 0; i < ix; i++ ) {
2768 ca.line = mt->mt_rwmap.rwm_bva_map[ i ].bv_val;
2770 config_fp_parse_line( &ca );
2772 argv[1] = ca.argv[0];
2773 argv[2] = ca.argv[1];
2774 argv[3] = ca.argv[2];
2775 argv[4] = ca.argv[3];
2779 rc = ldap_back_map_config( &ca, &mt->mt_rwmap.rwm_oc,
2780 &mt->mt_rwmap.rwm_at );
2782 ch_free( ca.tline );
2786 /* in case of failure, restore
2787 * the existing mapping */
2793 /* add the new mapping */
2794 rc = ldap_back_map_config( c, &mt->mt_rwmap.rwm_oc,
2795 &mt->mt_rwmap.rwm_at );
2801 for ( ; i<cnt ; cnt++ ) {
2802 ca.line = mt->mt_rwmap.rwm_bva_map[ i ].bv_val;
2804 config_fp_parse_line( &ca );
2806 argv[1] = ca.argv[0];
2807 argv[2] = ca.argv[1];
2808 argv[3] = ca.argv[2];
2809 argv[4] = ca.argv[3];
2814 rc = ldap_back_map_config( &ca, &mt->mt_rwmap.rwm_oc,
2815 &mt->mt_rwmap.rwm_at );
2817 ch_free( ca.tline );
2821 /* in case of failure, restore
2822 * the existing mapping */
2829 /* save the map info */
2830 argv[0] = ldap_charray2str( &c->argv[ 1 ], " " );
2831 if ( argv[0] != NULL ) {
2833 ber_str2bv( argv[0], 0, 0, &bv );
2834 ber_bvarray_add( &mt->mt_rwmap.rwm_bva_map, &bv );
2835 /* move it to the right slot */
2837 for ( i=cnt; i>ix; i-- )
2838 mt->mt_rwmap.rwm_bva_map[i+1] = mt->mt_rwmap.rwm_bva_map[i];
2839 mt->mt_rwmap.rwm_bva_map[i] = bv;
2841 /* destroy old mapping */
2842 meta_back_map_free( &rwm_oc );
2843 meta_back_map_free( &rwm_at );
2850 meta_back_map_free( &mt->mt_rwmap.rwm_oc );
2851 meta_back_map_free( &mt->mt_rwmap.rwm_at );
2852 mt->mt_rwmap.rwm_oc = rwm_oc;
2853 mt->mt_rwmap.rwm_at = rwm_at;
2857 case LDAP_BACK_CFG_NRETRIES: {
2858 int nretries = META_RETRY_UNDEFINED;
2860 if ( strcasecmp( c->argv[ 1 ], "forever" ) == 0 ) {
2861 nretries = META_RETRY_FOREVER;
2863 } else if ( strcasecmp( c->argv[ 1 ], "never" ) == 0 ) {
2864 nretries = META_RETRY_NEVER;
2867 if ( lutil_atoi( &nretries, c->argv[ 1 ] ) != 0 ) {
2868 snprintf( c->cr_msg, sizeof( c->cr_msg ),
2869 "unable to parse nretries {never|forever|<retries>}: \"%s\"",
2871 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2876 mc->mc_nretries = nretries;
2879 case LDAP_BACK_CFG_VERSION:
2880 if ( c->value_int != 0 && ( c->value_int < LDAP_VERSION_MIN || c->value_int > LDAP_VERSION_MAX ) ) {
2881 snprintf( c->cr_msg, sizeof( c->cr_msg ),
2882 "unsupported protocol version \"%s\"",
2884 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2887 mc->mc_version = c->value_int;
2890 case LDAP_BACK_CFG_NOREFS:
2891 /* do not return search references */
2892 if ( c->value_int ) {
2893 mc->mc_flags |= LDAP_BACK_F_NOREFS;
2895 mc->mc_flags &= ~LDAP_BACK_F_NOREFS;
2899 case LDAP_BACK_CFG_NOUNDEFFILTER:
2900 /* do not propagate undefined search filters */
2901 if ( c->value_int ) {
2902 mc->mc_flags |= LDAP_BACK_F_NOUNDEFFILTER;
2904 mc->mc_flags &= ~LDAP_BACK_F_NOUNDEFFILTER;
2908 #ifdef SLAPD_META_CLIENT_PR
2909 case LDAP_BACK_CFG_CLIENT_PR:
2910 if ( strcasecmp( c->argv[ 1 ], "accept-unsolicited" ) == 0 ) {
2911 mc->mc_ps = META_CLIENT_PR_ACCEPT_UNSOLICITED;
2913 } else if ( strcasecmp( c->argv[ 1 ], "disable" ) == 0 ) {
2914 mc->mc_ps = META_CLIENT_PR_DISABLE;
2916 } else if ( lutil_atoi( &mc->mc_ps, c->argv[ 1 ] ) || mc->mc_ps < -1 ) {
2917 snprintf( c->cr_msg, sizeof( c->cr_msg ),
2918 "unable to parse client-pr {accept-unsolicited|disable|<size>}: \"%s\"",
2920 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2924 #endif /* SLAPD_META_CLIENT_PR */
2926 case LDAP_BACK_CFG_KEEPALIVE:
2927 slap_keepalive_parse( ber_bvstrdup(c->argv[1]),
2928 &mt->mt_tls.sb_keepalive, 0, 0, 0);
2933 return SLAP_CONF_UNKNOWN;
2940 meta_back_init_cf( BackendInfo *bi )
2943 AttributeDescription *ad = NULL;
2946 /* Make sure we don't exceed the bits reserved for userland */
2947 config_check_userland( LDAP_BACK_CFG_LAST );
2949 bi->bi_cf_ocs = metaocs;
2951 rc = config_register_schema( metacfg, metaocs );
2956 /* setup olcDbAclPasswd and olcDbIDAssertPasswd
2957 * to be base64-encoded when written in LDIF form;
2958 * basically, we don't care if it fails */
2959 rc = slap_str2ad( "olcDbACLPasswd", &ad, &text );
2961 Debug( LDAP_DEBUG_ANY, "config_back_initialize: "
2962 "warning, unable to get \"olcDbACLPasswd\" "
2963 "attribute description: %d: %s\n",
2966 (void)ldif_must_b64_encode_register( ad->ad_cname.bv_val,
2967 ad->ad_type->sat_oid );
2971 rc = slap_str2ad( "olcDbIDAssertPasswd", &ad, &text );
2973 Debug( LDAP_DEBUG_ANY, "config_back_initialize: "
2974 "warning, unable to get \"olcDbIDAssertPasswd\" "
2975 "attribute description: %d: %s\n",
2978 (void)ldif_must_b64_encode_register( ad->ad_cname.bv_val,
2979 ad->ad_type->sat_oid );
2986 ldap_back_map_config(
2988 struct ldapmap *oc_map,
2989 struct ldapmap *at_map )
2991 struct ldapmap *map;
2992 struct ldapmapping *mapping;
2996 if ( strcasecmp( c->argv[ 1 ], "objectclass" ) == 0 ) {
3000 } else if ( strcasecmp( c->argv[ 1 ], "attribute" ) == 0 ) {
3004 snprintf( c->cr_msg, sizeof(c->cr_msg),
3005 "%s unknown argument \"%s\"",
3006 c->argv[0], c->argv[1] );
3007 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
3011 if ( !is_oc && map->map == NULL ) {
3012 /* only init if required */
3013 ldap_back_map_init( map, &mapping );
3016 if ( strcmp( c->argv[ 2 ], "*" ) == 0 ) {
3017 if ( c->argc < 4 || strcmp( c->argv[ 3 ], "*" ) == 0 ) {
3018 map->drop_missing = ( c->argc < 4 );
3019 goto success_return;
3021 src = dst = c->argv[ 3 ];
3023 } else if ( c->argc < 4 ) {
3029 dst = ( strcmp( c->argv[ 3 ], "*" ) == 0 ? src : c->argv[ 3 ] );
3032 if ( ( map == at_map )
3033 && ( strcasecmp( src, "objectclass" ) == 0
3034 || strcasecmp( dst, "objectclass" ) == 0 ) )
3036 snprintf( c->cr_msg, sizeof(c->cr_msg),
3037 "objectclass attribute cannot be mapped" );
3038 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
3042 mapping = (struct ldapmapping *)ch_calloc( 2,
3043 sizeof(struct ldapmapping) );
3044 if ( mapping == NULL ) {
3045 snprintf( c->cr_msg, sizeof(c->cr_msg),
3047 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
3050 ber_str2bv( src, 0, 1, &mapping[ 0 ].src );
3051 ber_str2bv( dst, 0, 1, &mapping[ 0 ].dst );
3052 mapping[ 1 ].src = mapping[ 0 ].dst;
3053 mapping[ 1 ].dst = mapping[ 0 ].src;
3059 if ( src[ 0 ] != '\0' ) {
3060 if ( oc_bvfind( &mapping[ 0 ].src ) == NULL ) {
3061 Debug( LDAP_DEBUG_ANY,
3062 "warning, source objectClass '%s' should be defined in schema\n",
3066 * FIXME: this should become an err
3072 if ( oc_bvfind( &mapping[ 0 ].dst ) == NULL ) {
3073 Debug( LDAP_DEBUG_ANY,
3074 "warning, destination objectClass '%s' is not defined in schema\n",
3079 const char *text = NULL;
3080 AttributeDescription *ad = NULL;
3082 if ( src[ 0 ] != '\0' ) {
3083 rc = slap_bv2ad( &mapping[ 0 ].src, &ad, &text );
3084 if ( rc != LDAP_SUCCESS ) {
3085 Debug( LDAP_DEBUG_ANY,
3086 "warning, source attributeType '%s' should be defined in schema\n",
3090 * FIXME: this should become an err
3093 * we create a fake "proxied" ad
3097 rc = slap_bv2undef_ad( &mapping[ 0 ].src,
3098 &ad, &text, SLAP_AD_PROXIED );
3099 if ( rc != LDAP_SUCCESS ) {
3100 snprintf( c->cr_msg, sizeof( c->cr_msg ),
3101 "source attributeType \"%s\": %d (%s)",
3102 src, rc, text ? text : "" );
3103 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
3111 rc = slap_bv2ad( &mapping[ 0 ].dst, &ad, &text );
3112 if ( rc != LDAP_SUCCESS ) {
3113 Debug( LDAP_DEBUG_ANY,
3114 "warning, destination attributeType '%s' is not defined in schema\n",
3118 * we create a fake "proxied" ad
3122 rc = slap_bv2undef_ad( &mapping[ 0 ].dst,
3123 &ad, &text, SLAP_AD_PROXIED );
3124 if ( rc != LDAP_SUCCESS ) {
3125 snprintf( c->cr_msg, sizeof( c->cr_msg ),
3126 "destination attributeType \"%s\": %d (%s)\n",
3127 dst, rc, text ? text : "" );
3128 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
3134 if ( (src[ 0 ] != '\0' && avl_find( map->map, (caddr_t)&mapping[ 0 ], mapping_cmp ) != NULL)
3135 || avl_find( map->remap, (caddr_t)&mapping[ 1 ], mapping_cmp ) != NULL)
3137 snprintf( c->cr_msg, sizeof( c->cr_msg ),
3138 "duplicate mapping found." );
3139 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
3143 if ( src[ 0 ] != '\0' ) {
3144 avl_insert( &map->map, (caddr_t)&mapping[ 0 ],
3145 mapping_cmp, mapping_dup );
3147 avl_insert( &map->remap, (caddr_t)&mapping[ 1 ],
3148 mapping_cmp, mapping_dup );
3155 ch_free( mapping[ 0 ].src.bv_val );
3156 ch_free( mapping[ 0 ].dst.bv_val );
3164 #ifdef ENABLE_REWRITE
3166 suffix_massage_regexize( const char *s )
3172 if ( s[ 0 ] == '\0' ) {
3173 return ch_strdup( "^(.+)$" );
3177 ( r = strchr( p, ',' ) ) != NULL;
3181 res = ch_calloc( sizeof( char ),
3183 + STRLENOF( "((.+),)?" )
3184 + STRLENOF( "[ ]?" ) * i
3185 + STRLENOF( "$" ) + 1 );
3187 ptr = lutil_strcopy( res, "((.+),)?" );
3189 ( r = strchr( p, ',' ) ) != NULL;
3191 ptr = lutil_strncopy( ptr, p, r - p + 1 );
3192 ptr = lutil_strcopy( ptr, "[ ]?" );
3194 if ( r[ 1 ] == ' ' ) {
3198 ptr = lutil_strcopy( ptr, p );
3207 suffix_massage_patternize( const char *s, const char *p )
3214 if ( s[ 0 ] == '\0' ) {
3218 res = ch_calloc( sizeof( char ), len + STRLENOF( "%1" ) + 1 );
3219 if ( res == NULL ) {
3223 ptr = lutil_strcopy( res, ( p[ 0 ] == '\0' ? "%2" : "%1" ) );
3224 if ( s[ 0 ] == '\0' ) {
3228 lutil_strcopy( ptr, p );
3234 suffix_massage_config(
3235 struct rewrite_info *info,
3236 struct berval *pvnc,
3237 struct berval *nvnc,
3238 struct berval *prnc,
3245 rargv[ 0 ] = "rewriteEngine";
3248 rewrite_parse( info, "<suffix massage>", ++line, 2, rargv );
3250 rargv[ 0 ] = "rewriteContext";
3251 rargv[ 1 ] = "default";
3253 rewrite_parse( info, "<suffix massage>", ++line, 2, rargv );
3255 rargv[ 0 ] = "rewriteRule";
3256 rargv[ 1 ] = suffix_massage_regexize( pvnc->bv_val );
3257 rargv[ 2 ] = suffix_massage_patternize( pvnc->bv_val, prnc->bv_val );
3260 rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
3261 ch_free( rargv[ 1 ] );
3262 ch_free( rargv[ 2 ] );
3264 if ( BER_BVISEMPTY( pvnc ) ) {
3265 rargv[ 0 ] = "rewriteRule";
3267 rargv[ 2 ] = prnc->bv_val;
3270 rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
3273 rargv[ 0 ] = "rewriteContext";
3274 rargv[ 1 ] = "searchEntryDN";
3276 rewrite_parse( info, "<suffix massage>", ++line, 2, rargv );
3278 rargv[ 0 ] = "rewriteRule";
3279 rargv[ 1 ] = suffix_massage_regexize( prnc->bv_val );
3280 rargv[ 2 ] = suffix_massage_patternize( prnc->bv_val, pvnc->bv_val );
3283 rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
3284 ch_free( rargv[ 1 ] );
3285 ch_free( rargv[ 2 ] );
3287 if ( BER_BVISEMPTY( prnc ) ) {
3288 rargv[ 0 ] = "rewriteRule";
3290 rargv[ 2 ] = pvnc->bv_val;
3293 rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
3296 /* backward compatibility */
3297 rargv[ 0 ] = "rewriteContext";
3298 rargv[ 1 ] = "searchResult";
3299 rargv[ 2 ] = "alias";
3300 rargv[ 3 ] = "searchEntryDN";
3302 rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
3304 rargv[ 0 ] = "rewriteContext";
3305 rargv[ 1 ] = "matchedDN";
3306 rargv[ 2 ] = "alias";
3307 rargv[ 3 ] = "searchEntryDN";
3309 rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
3311 rargv[ 0 ] = "rewriteContext";
3312 rargv[ 1 ] = "searchAttrDN";
3313 rargv[ 2 ] = "alias";
3314 rargv[ 3 ] = "searchEntryDN";
3316 rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
3318 /* NOTE: this corresponds to #undef'ining RWM_REFERRAL_REWRITE;
3319 * see servers/slapd/overlays/rwm.h for details */
3320 rargv[ 0 ] = "rewriteContext";
3321 rargv[ 1 ] = "referralAttrDN";
3323 rewrite_parse( info, "<suffix massage>", ++line, 2, rargv );
3325 rargv[ 0 ] = "rewriteContext";
3326 rargv[ 1 ] = "referralDN";
3328 rewrite_parse( info, "<suffix massage>", ++line, 2, rargv );
3332 #endif /* ENABLE_REWRITE */
projects / openldap / blob