]> git.sur5r.net Git - openldap/blob - servers/slapd/back-meta/config.c
Merge remote-tracking branch 'origin/mdb.master'
[openldap] / servers / slapd / back-meta / config.c
1 /* $OpenLDAP$ */
2 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
3  *
4  * Copyright 1999-2014 The OpenLDAP Foundation.
5  * Portions Copyright 2001-2003 Pierangelo Masarati.
6  * Portions Copyright 1999-2003 Howard Chu.
7  * All rights reserved.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted only as authorized by the OpenLDAP
11  * Public License.
12  *
13  * A copy of this license is available in the file LICENSE in the
14  * top-level directory of the distribution or, alternatively, at
15  * <http://www.OpenLDAP.org/license.html>.
16  */
17 /* ACKNOWLEDGEMENTS:
18  * This work was initially developed by the Howard Chu for inclusion
19  * in OpenLDAP Software and subsequently enhanced by Pierangelo
20  * Masarati.
21  */
22
23 #include "portable.h"
24
25 #include <stdio.h>
26 #include <ctype.h>
27
28 #include <ac/string.h>
29 #include <ac/socket.h>
30
31 #include "slap.h"
32 #include "config.h"
33 #include "lutil.h"
34 #include "ldif.h"
35 #include "../back-ldap/back-ldap.h"
36 #include "back-meta.h"
37
38 #define SLAP_AUTH_DN    1
39
40 static ConfigDriver meta_back_cf_gen;
41 static ConfigLDAPadd meta_ldadd;
42 static ConfigCfAdd meta_cfadd;
43
44 static int ldap_back_map_config(
45         ConfigArgs *c,
46         struct ldapmap  *oc_map,
47         struct ldapmap  *at_map );
48
49 /* Three sets of enums:
50  *      1) attrs that are only valid in the base config
51  *      2) attrs that are valid in base or target
52  *      3) attrs that are only valid in a target
53  */
54
55 /* Base attrs */
56 enum {
57         LDAP_BACK_CFG_CONN_TTL = 1,
58         LDAP_BACK_CFG_DNCACHE_TTL,
59         LDAP_BACK_CFG_IDLE_TIMEOUT,
60         LDAP_BACK_CFG_ONERR,
61         LDAP_BACK_CFG_PSEUDOROOT_BIND_DEFER,
62         LDAP_BACK_CFG_SINGLECONN,
63         LDAP_BACK_CFG_USETEMP,
64         LDAP_BACK_CFG_CONNPOOLMAX,
65         LDAP_BACK_CFG_LAST_BASE
66 };
67
68 /* Base or target */
69 enum {
70         LDAP_BACK_CFG_BIND_TIMEOUT = LDAP_BACK_CFG_LAST_BASE,
71         LDAP_BACK_CFG_CANCEL,
72         LDAP_BACK_CFG_CHASE,
73         LDAP_BACK_CFG_CLIENT_PR,
74         LDAP_BACK_CFG_DEFAULT_T,
75         LDAP_BACK_CFG_NETWORK_TIMEOUT,
76         LDAP_BACK_CFG_NOREFS,
77         LDAP_BACK_CFG_NOUNDEFFILTER,
78         LDAP_BACK_CFG_NRETRIES,
79         LDAP_BACK_CFG_QUARANTINE,
80         LDAP_BACK_CFG_REBIND,
81         LDAP_BACK_CFG_TIMEOUT,
82         LDAP_BACK_CFG_VERSION,
83         LDAP_BACK_CFG_ST_REQUEST,
84         LDAP_BACK_CFG_T_F,
85         LDAP_BACK_CFG_TLS,
86         LDAP_BACK_CFG_LAST_BOTH
87 };
88
89 /* Target attrs */
90 enum {
91         LDAP_BACK_CFG_URI = LDAP_BACK_CFG_LAST_BOTH,
92         LDAP_BACK_CFG_ACL_AUTHCDN,
93         LDAP_BACK_CFG_ACL_PASSWD,
94         LDAP_BACK_CFG_IDASSERT_AUTHZFROM,
95         LDAP_BACK_CFG_IDASSERT_BIND,
96         LDAP_BACK_CFG_REWRITE,
97         LDAP_BACK_CFG_SUFFIXM,
98         LDAP_BACK_CFG_MAP,
99         LDAP_BACK_CFG_SUBTREE_EX,
100         LDAP_BACK_CFG_SUBTREE_IN,
101         LDAP_BACK_CFG_PSEUDOROOTDN,
102         LDAP_BACK_CFG_PSEUDOROOTPW,
103         LDAP_BACK_CFG_KEEPALIVE,
104         LDAP_BACK_CFG_FILTER,
105
106         LDAP_BACK_CFG_LAST
107 };
108
109 static ConfigTable metacfg[] = {
110         { "uri", "uri", 2, 0, 0,
111                 ARG_MAGIC|LDAP_BACK_CFG_URI,
112                 meta_back_cf_gen, "( OLcfgDbAt:0.14 "
113                         "NAME 'olcDbURI' "
114                         "DESC 'URI (list) for remote DSA' "
115                         "SYNTAX OMsDirectoryString "
116                         "SINGLE-VALUE )",
117                 NULL, NULL },
118         { "tls", "what", 2, 0, 0,
119                 ARG_MAGIC|LDAP_BACK_CFG_TLS,
120                 meta_back_cf_gen, "( OLcfgDbAt:3.1 "
121                         "NAME 'olcDbStartTLS' "
122                         "DESC 'StartTLS' "
123                         "SYNTAX OMsDirectoryString "
124                         "SINGLE-VALUE )",
125                 NULL, NULL },
126         { "acl-authcDN", "DN", 2, 2, 0,
127                 ARG_DN|ARG_MAGIC|LDAP_BACK_CFG_ACL_AUTHCDN,
128                 meta_back_cf_gen, "( OLcfgDbAt:3.2 "
129                         "NAME 'olcDbACLAuthcDn' "
130                         "DESC 'Remote ACL administrative identity' "
131                         "OBSOLETE "
132                         "SYNTAX OMsDN "
133                         "SINGLE-VALUE )",
134                 NULL, NULL },
135         /* deprecated, will be removed; aliases "acl-authcDN" */
136         { "binddn", "DN", 2, 2, 0,
137                 ARG_DN|ARG_MAGIC|LDAP_BACK_CFG_ACL_AUTHCDN,
138                 meta_back_cf_gen, NULL, NULL, NULL },
139         { "acl-passwd", "cred", 2, 2, 0,
140                 ARG_MAGIC|LDAP_BACK_CFG_ACL_PASSWD,
141                 meta_back_cf_gen, "( OLcfgDbAt:3.3 "
142                         "NAME 'olcDbACLPasswd' "
143                         "DESC 'Remote ACL administrative identity credentials' "
144                         "OBSOLETE "
145                         "SYNTAX OMsDirectoryString "
146                         "SINGLE-VALUE )",
147                 NULL, NULL },
148         /* deprecated, will be removed; aliases "acl-passwd" */
149         { "bindpw", "cred", 2, 2, 0,
150                 ARG_MAGIC|LDAP_BACK_CFG_ACL_PASSWD,
151                 meta_back_cf_gen, NULL, NULL, NULL },
152         { "idassert-bind", "args", 2, 0, 0,
153                 ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_BIND,
154                 meta_back_cf_gen, "( OLcfgDbAt:3.7 "
155                         "NAME 'olcDbIDAssertBind' "
156                         "DESC 'Remote Identity Assertion administrative identity auth bind configuration' "
157                         "SYNTAX OMsDirectoryString "
158                         "SINGLE-VALUE )",
159                 NULL, NULL },
160         { "idassert-authzFrom", "authzRule", 2, 2, 0,
161                 ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_AUTHZFROM,
162                 meta_back_cf_gen, "( OLcfgDbAt:3.9 "
163                         "NAME 'olcDbIDAssertAuthzFrom' "
164                         "DESC 'Remote Identity Assertion authz rules' "
165                         "EQUALITY caseIgnoreMatch "
166                         "SYNTAX OMsDirectoryString "
167                         "X-ORDERED 'VALUES' )",
168                 NULL, NULL },
169         { "rebind-as-user", "true|FALSE", 1, 2, 0,
170                 ARG_MAGIC|ARG_ON_OFF|LDAP_BACK_CFG_REBIND,
171                 meta_back_cf_gen, "( OLcfgDbAt:3.10 "
172                         "NAME 'olcDbRebindAsUser' "
173                         "DESC 'Rebind as user' "
174                         "SYNTAX OMsBoolean "
175                         "SINGLE-VALUE )",
176                 NULL, NULL },
177         { "chase-referrals", "true|FALSE", 2, 2, 0,
178                 ARG_MAGIC|ARG_ON_OFF|LDAP_BACK_CFG_CHASE,
179                 meta_back_cf_gen, "( OLcfgDbAt:3.11 "
180                         "NAME 'olcDbChaseReferrals' "
181                         "DESC 'Chase referrals' "
182                         "SYNTAX OMsBoolean "
183                         "SINGLE-VALUE )",
184                 NULL, NULL },
185         { "t-f-support", "true|FALSE|discover", 2, 2, 0,
186                 ARG_MAGIC|LDAP_BACK_CFG_T_F,
187                 meta_back_cf_gen, "( OLcfgDbAt:3.12 "
188                         "NAME 'olcDbTFSupport' "
189                         "DESC 'Absolute filters support' "
190                         "SYNTAX OMsDirectoryString "
191                         "SINGLE-VALUE )",
192                 NULL, NULL },
193         { "timeout", "timeout(list)", 2, 0, 0,
194                 ARG_MAGIC|LDAP_BACK_CFG_TIMEOUT,
195                 meta_back_cf_gen, "( OLcfgDbAt:3.14 "
196                         "NAME 'olcDbTimeout' "
197                         "DESC 'Per-operation timeouts' "
198                         "SYNTAX OMsDirectoryString "
199                         "SINGLE-VALUE )",
200                 NULL, NULL },
201         { "idle-timeout", "timeout", 2, 2, 0,
202                 ARG_MAGIC|LDAP_BACK_CFG_IDLE_TIMEOUT,
203                 meta_back_cf_gen, "( OLcfgDbAt:3.15 "
204                         "NAME 'olcDbIdleTimeout' "
205                         "DESC 'connection idle timeout' "
206                         "SYNTAX OMsDirectoryString "
207                         "SINGLE-VALUE )",
208                 NULL, NULL },
209         { "conn-ttl", "ttl", 2, 2, 0,
210                 ARG_MAGIC|LDAP_BACK_CFG_CONN_TTL,
211                 meta_back_cf_gen, "( OLcfgDbAt:3.16 "
212                         "NAME 'olcDbConnTtl' "
213                         "DESC 'connection ttl' "
214                         "SYNTAX OMsDirectoryString "
215                         "SINGLE-VALUE )",
216                 NULL, NULL },
217         { "network-timeout", "timeout", 2, 2, 0,
218                 ARG_MAGIC|LDAP_BACK_CFG_NETWORK_TIMEOUT,
219                 meta_back_cf_gen, "( OLcfgDbAt:3.17 "
220                         "NAME 'olcDbNetworkTimeout' "
221                         "DESC 'connection network timeout' "
222                         "SYNTAX OMsDirectoryString "
223                         "SINGLE-VALUE )",
224                 NULL, NULL },
225         { "protocol-version", "version", 2, 2, 0,
226                 ARG_MAGIC|ARG_INT|LDAP_BACK_CFG_VERSION,
227                 meta_back_cf_gen, "( OLcfgDbAt:3.18 "
228                         "NAME 'olcDbProtocolVersion' "
229                         "DESC 'protocol version' "
230                         "SYNTAX OMsInteger "
231                         "SINGLE-VALUE )",
232                 NULL, NULL },
233         { "single-conn", "true|FALSE", 2, 2, 0,
234                 ARG_MAGIC|ARG_ON_OFF|LDAP_BACK_CFG_SINGLECONN,
235                 meta_back_cf_gen, "( OLcfgDbAt:3.19 "
236                         "NAME 'olcDbSingleConn' "
237                         "DESC 'cache a single connection per identity' "
238                         "SYNTAX OMsBoolean "
239                         "SINGLE-VALUE )",
240                 NULL, NULL },
241         { "cancel", "ABANDON|ignore|exop", 2, 2, 0,
242                 ARG_MAGIC|LDAP_BACK_CFG_CANCEL,
243                 meta_back_cf_gen, "( OLcfgDbAt:3.20 "
244                         "NAME 'olcDbCancel' "
245                         "DESC 'abandon/ignore/exop operations when appropriate' "
246                         "SYNTAX OMsDirectoryString "
247                         "SINGLE-VALUE )",
248                 NULL, NULL },
249         { "quarantine", "retrylist", 2, 2, 0,
250                 ARG_MAGIC|LDAP_BACK_CFG_QUARANTINE,
251                 meta_back_cf_gen, "( OLcfgDbAt:3.21 "
252                         "NAME 'olcDbQuarantine' "
253                         "DESC 'Quarantine database if connection fails and retry according to rule' "
254                         "SYNTAX OMsDirectoryString "
255                         "SINGLE-VALUE )",
256                 NULL, NULL },
257         { "use-temporary-conn", "true|FALSE", 2, 2, 0,
258                 ARG_MAGIC|ARG_ON_OFF|LDAP_BACK_CFG_USETEMP,
259                 meta_back_cf_gen, "( OLcfgDbAt:3.22 "
260                         "NAME 'olcDbUseTemporaryConn' "
261                         "DESC 'Use temporary connections if the cached one is busy' "
262                         "SYNTAX OMsBoolean "
263                         "SINGLE-VALUE )",
264                 NULL, NULL },
265         { "conn-pool-max", "<n>", 2, 2, 0,
266                 ARG_MAGIC|ARG_INT|LDAP_BACK_CFG_CONNPOOLMAX,
267                 meta_back_cf_gen, "( OLcfgDbAt:3.23 "
268                         "NAME 'olcDbConnectionPoolMax' "
269                         "DESC 'Max size of privileged connections pool' "
270                         "SYNTAX OMsInteger "
271                         "SINGLE-VALUE )",
272                 NULL, NULL },
273 #ifdef SLAP_CONTROL_X_SESSION_TRACKING
274         { "session-tracking-request", "true|FALSE", 2, 2, 0,
275                 ARG_MAGIC|ARG_ON_OFF|LDAP_BACK_CFG_ST_REQUEST,
276                 meta_back_cf_gen, "( OLcfgDbAt:3.24 "
277                         "NAME 'olcDbSessionTrackingRequest' "
278                         "DESC 'Add session tracking control to proxied requests' "
279                         "SYNTAX OMsBoolean "
280                         "SINGLE-VALUE )",
281                 NULL, NULL },
282 #endif /* SLAP_CONTROL_X_SESSION_TRACKING */
283         { "norefs", "true|FALSE", 2, 2, 0,
284                 ARG_MAGIC|ARG_ON_OFF|LDAP_BACK_CFG_NOREFS,
285                 meta_back_cf_gen, "( OLcfgDbAt:3.25 "
286                         "NAME 'olcDbNoRefs' "
287                         "DESC 'Do not return search reference responses' "
288                         "SYNTAX OMsBoolean "
289                         "SINGLE-VALUE )",
290                 NULL, NULL },
291         { "noundeffilter", "true|FALSE", 2, 2, 0,
292                 ARG_MAGIC|ARG_ON_OFF|LDAP_BACK_CFG_NOUNDEFFILTER,
293                 meta_back_cf_gen, "( OLcfgDbAt:3.26 "
294                         "NAME 'olcDbNoUndefFilter' "
295                         "DESC 'Do not propagate undefined search filters' "
296                         "SYNTAX OMsBoolean "
297                         "SINGLE-VALUE )",
298                 NULL, NULL },
299
300         { "rewrite", "arglist", 2, 0, STRLENOF( "rewrite" ),
301                 ARG_MAGIC|LDAP_BACK_CFG_REWRITE,
302                 meta_back_cf_gen, "( OLcfgDbAt:3.101 "
303                         "NAME 'olcDbRewrite' "
304                         "DESC 'DN rewriting rules' "
305                         "EQUALITY caseIgnoreMatch "
306                         "SYNTAX OMsDirectoryString "
307                         "X-ORDERED 'VALUES' )",
308                 NULL, NULL },
309         { "suffixmassage", "virtual> <real", 2, 3, 0,
310                 ARG_MAGIC|LDAP_BACK_CFG_SUFFIXM,
311                 meta_back_cf_gen, NULL, NULL, NULL },
312
313         { "map", "attribute|objectClass> [*|<local>] *|<remote", 3, 4, 0,
314                 ARG_MAGIC|LDAP_BACK_CFG_MAP,
315                 meta_back_cf_gen, "( OLcfgDbAt:3.102 "
316                         "NAME 'olcDbMap' "
317                         "DESC 'Map attribute and objectclass names' "
318                         "EQUALITY caseIgnoreMatch "
319                         "SYNTAX OMsDirectoryString "
320                         "X-ORDERED 'VALUES' )",
321                 NULL, NULL },
322
323         { "subtree-exclude", "pattern", 2, 2, 0,
324                 ARG_MAGIC|LDAP_BACK_CFG_SUBTREE_EX,
325                 meta_back_cf_gen, "( OLcfgDbAt:3.103 "
326                         "NAME 'olcDbSubtreeExclude' "
327                         "DESC 'DN of subtree to exclude from target' "
328                         "EQUALITY caseIgnoreMatch "
329                         "SYNTAX OMsDirectoryString )",
330                 NULL, NULL },
331         { "subtree-include", "pattern", 2, 2, 0,
332                 ARG_MAGIC|LDAP_BACK_CFG_SUBTREE_IN,
333                 meta_back_cf_gen, "( OLcfgDbAt:3.104 "
334                         "NAME 'olcDbSubtreeInclude' "
335                         "DESC 'DN of subtree to include in target' "
336                         "EQUALITY caseIgnoreMatch "
337                         "SYNTAX OMsDirectoryString )",
338                 NULL, NULL },
339         { "default-target", "[none|<target ID>]", 1, 2, 0,
340                 ARG_MAGIC|LDAP_BACK_CFG_DEFAULT_T,
341                 meta_back_cf_gen, "( OLcfgDbAt:3.105 "
342                         "NAME 'olcDbDefaultTarget' "
343                         "DESC 'Specify the default target' "
344                         "SYNTAX OMsDirectoryString "
345                         "SINGLE-VALUE )",
346                 NULL, NULL },
347         { "dncache-ttl", "ttl", 2, 2, 0,
348                 ARG_MAGIC|LDAP_BACK_CFG_DNCACHE_TTL,
349                 meta_back_cf_gen, "( OLcfgDbAt:3.106 "
350                         "NAME 'olcDbDnCacheTtl' "
351                         "DESC 'dncache ttl' "
352                         "SYNTAX OMsDirectoryString "
353                         "SINGLE-VALUE )",
354                 NULL, NULL },
355         { "bind-timeout", "microseconds", 2, 2, 0,
356                 ARG_MAGIC|ARG_ULONG|LDAP_BACK_CFG_BIND_TIMEOUT,
357                 meta_back_cf_gen, "( OLcfgDbAt:3.107 "
358                         "NAME 'olcDbBindTimeout' "
359                         "DESC 'bind timeout' "
360                         "SYNTAX OMsDirectoryString "
361                         "SINGLE-VALUE )",
362                 NULL, NULL },
363         { "onerr", "CONTINUE|report|stop", 2, 2, 0,
364                 ARG_MAGIC|LDAP_BACK_CFG_ONERR,
365                 meta_back_cf_gen, "( OLcfgDbAt:3.108 "
366                         "NAME 'olcDbOnErr' "
367                         "DESC 'error handling' "
368                         "SYNTAX OMsDirectoryString "
369                         "SINGLE-VALUE )",
370                 NULL, NULL },
371         { "pseudoroot-bind-defer", "TRUE|false", 2, 2, 0,
372                 ARG_MAGIC|ARG_ON_OFF|LDAP_BACK_CFG_PSEUDOROOT_BIND_DEFER,
373                 meta_back_cf_gen, "( OLcfgDbAt:3.109 "
374                         "NAME 'olcDbPseudoRootBindDefer' "
375                         "DESC 'error handling' "
376                         "SYNTAX OMsBoolean "
377                         "SINGLE-VALUE )",
378                 NULL, NULL },
379         { "root-bind-defer", "TRUE|false", 2, 2, 0,
380                 ARG_MAGIC|ARG_ON_OFF|LDAP_BACK_CFG_PSEUDOROOT_BIND_DEFER,
381                 meta_back_cf_gen, NULL, NULL, NULL },
382         { "pseudorootdn", "dn", 2, 2, 0,
383                 ARG_MAGIC|ARG_DN|LDAP_BACK_CFG_PSEUDOROOTDN,
384                 meta_back_cf_gen, NULL, NULL, NULL },
385         { "pseudorootpw", "password", 2, 2, 0,
386                 ARG_MAGIC|ARG_STRING|LDAP_BACK_CFG_PSEUDOROOTDN,
387                 meta_back_cf_gen, NULL, NULL, NULL },
388         { "nretries", "NEVER|forever|<number>", 2, 2, 0,
389                 ARG_MAGIC|LDAP_BACK_CFG_NRETRIES,
390                 meta_back_cf_gen, "( OLcfgDbAt:3.110 "
391                         "NAME 'olcDbNretries' "
392                         "DESC 'retry handling' "
393                         "SYNTAX OMsDirectoryString "
394                         "SINGLE-VALUE )",
395                 NULL, NULL },
396         { "client-pr", "accept-unsolicited|disable|<size>", 2, 2, 0,
397                 ARG_MAGIC|LDAP_BACK_CFG_CLIENT_PR,
398                 meta_back_cf_gen, "( OLcfgDbAt:3.111 "
399                         "NAME 'olcDbClientPr' "
400                         "DESC 'PagedResults handling' "
401                         "SYNTAX OMsDirectoryString "
402                         "SINGLE-VALUE )",
403                 NULL, NULL },
404
405         { "", "", 0, 0, 0, ARG_IGNORED,
406                 NULL, "( OLcfgDbAt:3.100 NAME 'olcMetaSub' "
407                         "DESC 'Placeholder to name a Target entry' "
408                         "EQUALITY caseIgnoreMatch "
409                         "SYNTAX OMsDirectoryString "
410                         "SINGLE-VALUE X-ORDERED 'SIBLINGS' )", NULL, NULL },
411
412         { "keepalive", "keepalive", 2, 2, 0,
413                 ARG_MAGIC|LDAP_BACK_CFG_KEEPALIVE,
414                 meta_back_cf_gen, "( OLcfgDbAt:3.29 "
415                         "NAME 'olcDbKeepalive' "
416                         "DESC 'TCP keepalive' "
417                         "SYNTAX OMsDirectoryString "
418                         "SINGLE-VALUE )",
419                 NULL, NULL },
420
421         { "filter", "pattern", 2, 2, 0,
422                 ARG_MAGIC|LDAP_BACK_CFG_FILTER,
423                 meta_back_cf_gen, "( OLcfgDbAt:3.112 "
424                         "NAME 'olcDbFilter' "
425                         "DESC 'Filter regex pattern to include in target' "
426                         "EQUALITY caseExactMatch "
427                         "SYNTAX OMsDirectoryString )",
428                 NULL, NULL },
429
430         { NULL, NULL, 0, 0, 0, ARG_IGNORED,
431                 NULL, NULL, NULL, NULL }
432 };
433
434 #ifdef SLAP_CONTROL_X_SESSION_TRACKING
435 #define ST_ATTR "$ olcDbSessionTrackingRequest "
436 #else
437 #define ST_ATTR ""
438 #endif /* SLAP_CONTROL_X_SESSION_TRACKING */
439
440 #define COMMON_ATTRS    \
441                         "$ olcDbBindTimeout " \
442                         "$ olcDbCancel " \
443                         "$ olcDbChaseReferrals " \
444                         "$ olcDbClientPr " \
445                         "$ olcDbDefaultTarget " \
446                         "$ olcDbNetworkTimeout " \
447                         "$ olcDbNoRefs " \
448                         "$ olcDbNoUndefFilter " \
449                         "$ olcDbNretries " \
450                         "$ olcDbProtocolVersion " \
451                         "$ olcDbQuarantine " \
452                         "$ olcDbRebindAsUser " \
453                         ST_ATTR \
454                         "$ olcDbStartTLS " \
455                         "$ olcDbTFSupport "
456
457 static ConfigOCs metaocs[] = {
458         { "( OLcfgDbOc:3.2 "
459                 "NAME 'olcMetaConfig' "
460                 "DESC 'Meta backend configuration' "
461                 "SUP olcDatabaseConfig "
462                 "MAY ( olcDbConnTtl "
463                         "$ olcDbDnCacheTtl "
464                         "$ olcDbIdleTimeout "
465                         "$ olcDbOnErr "
466                         "$ olcDbPseudoRootBindDefer "
467                         "$ olcDbSingleConn "
468                         "$ olcDbUseTemporaryConn "
469                         "$ olcDbConnectionPoolMax "
470
471                         /* defaults, may be overridden per-target */
472                         COMMON_ATTRS
473                 ") )",
474                         Cft_Database, metacfg, NULL, meta_cfadd },
475         { "( OLcfgDbOc:3.3 "
476                 "NAME 'olcMetaTargetConfig' "
477                 "DESC 'Meta target configuration' "
478                 "SUP olcConfig STRUCTURAL "
479                 "MUST ( olcMetaSub $ olcDbURI ) "
480                 "MAY ( olcDbACLAuthcDn "
481                         "$ olcDbACLPasswd "
482                         "$ olcDbIDAssertAuthzFrom "
483                         "$ olcDbIDAssertBind "
484                         "$ olcDbMap "
485                         "$ olcDbRewrite "
486                         "$ olcDbSubtreeExclude "
487                         "$ olcDbSubtreeInclude "
488                         "$ olcDbTimeout "
489                         "$ olcDbKeepalive "
490                         "$ olcDbFilter "
491
492                         /* defaults may be inherited */
493                         COMMON_ATTRS
494                 ") )",
495                         Cft_Misc, metacfg, meta_ldadd },
496         { NULL, 0, NULL }
497 };
498
499 static int
500 meta_ldadd( CfEntryInfo *p, Entry *e, ConfigArgs *c )
501 {
502         if ( p->ce_type != Cft_Database || !p->ce_be ||
503                 p->ce_be->be_cf_ocs != metaocs )
504                 return LDAP_CONSTRAINT_VIOLATION;
505
506         c->be = p->ce_be;
507         return LDAP_SUCCESS;
508 }
509
510 static int
511 meta_cfadd( Operation *op, SlapReply *rs, Entry *p, ConfigArgs *c )
512 {
513         metainfo_t      *mi = ( metainfo_t * )c->be->be_private;
514         struct berval bv;
515         int i;
516
517         bv.bv_val = c->cr_msg;
518         for ( i=0; i<mi->mi_ntargets; i++ ) {
519                 bv.bv_len = snprintf( c->cr_msg, sizeof(c->cr_msg),
520                         "olcMetaSub=" SLAP_X_ORDERED_FMT "uri", i );
521                 c->ca_private = mi->mi_targets[i];
522                 c->valx = i;
523                 config_build_entry( op, rs, p->e_private, c,
524                         &bv, &metaocs[1], NULL );
525         }
526
527         return LDAP_SUCCESS;
528 }
529
530 static int
531 meta_rwi_init( struct rewrite_info **rwm_rw )
532 {
533         char                    *rargv[ 3 ];
534
535         *rwm_rw = rewrite_info_init( REWRITE_MODE_USE_DEFAULT );
536         if ( *rwm_rw == NULL ) {
537                 return -1;
538         }
539         /*
540          * the filter rewrite as a string must be disabled
541          * by default; it can be re-enabled by adding rules;
542          * this creates an empty rewriteContext
543          */
544         rargv[ 0 ] = "rewriteContext";
545         rargv[ 1 ] = "searchFilter";
546         rargv[ 2 ] = NULL;
547         rewrite_parse( *rwm_rw, "<suffix massage>", 1, 2, rargv );
548
549         rargv[ 0 ] = "rewriteContext";
550         rargv[ 1 ] = "default";
551         rargv[ 2 ] = NULL;
552         rewrite_parse( *rwm_rw, "<suffix massage>", 1, 2, rargv );
553
554         return 0;
555 }
556
557 static int
558 meta_back_new_target(
559         metatarget_t    **mtp )
560 {
561         metatarget_t            *mt;
562
563         *mtp = NULL;
564
565         mt = ch_calloc( sizeof( metatarget_t ), 1 );
566
567         if ( meta_rwi_init( &mt->mt_rwmap.rwm_rw )) {
568                 ch_free( mt );
569                 return -1;
570         }
571
572         ldap_pvt_thread_mutex_init( &mt->mt_uri_mutex );
573
574         mt->mt_idassert_mode = LDAP_BACK_IDASSERT_LEGACY;
575         mt->mt_idassert_authmethod = LDAP_AUTH_NONE;
576         mt->mt_idassert_tls = SB_TLS_DEFAULT;
577
578         /* by default, use proxyAuthz control on each operation */
579         mt->mt_idassert_flags = LDAP_BACK_AUTH_PRESCRIPTIVE;
580
581         *mtp = mt;
582
583         return 0;
584 }
585
586 /* Validation for suffixmassage_config */
587 static int
588 meta_suffixm_config(
589         ConfigArgs *c,
590         int argc,
591         char **argv,
592         metatarget_t *mt
593 )
594 {
595         BackendDB       *tmp_bd;
596         struct berval   dn, nvnc, pvnc, nrnc, prnc;
597         int j, rc;
598
599         /*
600          * syntax:
601          *
602          *      suffixmassage <suffix> <massaged suffix>
603          *
604          * the <suffix> field must be defined as a valid suffix
605          * (or suffixAlias?) for the current database;
606          * the <massaged suffix> shouldn't have already been
607          * defined as a valid suffix or suffixAlias for the
608          * current server
609          */
610
611         ber_str2bv( argv[ 1 ], 0, 0, &dn );
612         if ( dnPrettyNormal( NULL, &dn, &pvnc, &nvnc, NULL ) != LDAP_SUCCESS ) {
613                 snprintf( c->cr_msg, sizeof( c->cr_msg ),
614                         "suffix \"%s\" is invalid",
615                         argv[1] );
616                 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
617                 return 1;
618         }
619
620         for ( j = 0; !BER_BVISNULL( &c->be->be_nsuffix[ j ] ); j++ ) {
621                 if ( dnIsSuffix( &nvnc, &c->be->be_nsuffix[ 0 ] ) ) {
622                         break;
623                 }
624         }
625
626         if ( BER_BVISNULL( &c->be->be_nsuffix[ j ] ) ) {
627                 snprintf( c->cr_msg, sizeof( c->cr_msg ),
628                         "suffix \"%s\" must be within the database naming context",
629                         argv[1] );
630                 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
631                 free( pvnc.bv_val );
632                 free( nvnc.bv_val );
633                 return 1;
634         }
635
636         ber_str2bv( argv[ 2 ], 0, 0, &dn );
637         if ( dnPrettyNormal( NULL, &dn, &prnc, &nrnc, NULL ) != LDAP_SUCCESS ) {
638                 snprintf( c->cr_msg, sizeof( c->cr_msg ),
639                         "massaged suffix \"%s\" is invalid",
640                         argv[2] );
641                 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
642                 free( pvnc.bv_val );
643                 free( nvnc.bv_val );
644                 return 1;
645         }
646
647         tmp_bd = select_backend( &nrnc, 0 );
648         if ( tmp_bd != NULL && tmp_bd->be_private == c->be->be_private ) {
649                 Debug( LDAP_DEBUG_ANY,
650         "%s: warning: <massaged suffix> \"%s\" resolves to this database, in "
651         "\"suffixMassage <suffix> <massaged suffix>\"\n",
652                         c->log, prnc.bv_val, 0 );
653         }
654
655         /*
656          * The suffix massaging is emulated by means of the
657          * rewrite capabilities
658          */
659         rc = suffix_massage_config( mt->mt_rwmap.rwm_rw,
660                         &pvnc, &nvnc, &prnc, &nrnc );
661
662         free( pvnc.bv_val );
663         free( nvnc.bv_val );
664         free( prnc.bv_val );
665         free( nrnc.bv_val );
666
667         return rc;
668 }
669
670 static int
671 slap_bv_x_ordered_unparse( BerVarray in, BerVarray *out )
672 {
673         int             i;
674         BerVarray       bva = NULL;
675         char            ibuf[32], *ptr;
676         struct berval   idx;
677
678         assert( in != NULL );
679
680         for ( i = 0; !BER_BVISNULL( &in[i] ); i++ )
681                 /* count'em */ ;
682
683         if ( i == 0 ) {
684                 return 1;
685         }
686
687         idx.bv_val = ibuf;
688
689         bva = ch_malloc( ( i + 1 ) * sizeof(struct berval) );
690         BER_BVZERO( &bva[ 0 ] );
691
692         for ( i = 0; !BER_BVISNULL( &in[i] ); i++ ) {
693                 idx.bv_len = snprintf( idx.bv_val, sizeof( ibuf ), SLAP_X_ORDERED_FMT, i );
694                 if ( idx.bv_len >= sizeof( ibuf ) ) {
695                         ber_bvarray_free( bva );
696                         return 1;
697                 }
698
699                 bva[i].bv_len = idx.bv_len + in[i].bv_len;
700                 bva[i].bv_val = ch_malloc( bva[i].bv_len + 1 );
701                 ptr = lutil_strcopy( bva[i].bv_val, ibuf );
702                 ptr = lutil_strcopy( ptr, in[i].bv_val );
703                 *ptr = '\0';
704                 BER_BVZERO( &bva[ i + 1 ] );
705         }
706
707         *out = bva;
708         return 0;
709 }
710
711 int
712 meta_subtree_free( metasubtree_t *ms )
713 {
714         switch ( ms->ms_type ) {
715         case META_ST_SUBTREE:
716         case META_ST_SUBORDINATE:
717                 ber_memfree( ms->ms_dn.bv_val );
718                 break;
719
720         case META_ST_REGEX:
721                 regfree( &ms->ms_regex );
722                 ber_memfree( ms->ms_regex_pattern.bv_val );
723                 break;
724
725         default:
726                 return -1;
727         }
728
729         ch_free( ms );
730         return 0;
731 }
732
733 int
734 meta_subtree_destroy( metasubtree_t *ms )
735 {
736         if ( ms->ms_next ) {
737                 meta_subtree_destroy( ms->ms_next );
738         }
739
740         return meta_subtree_free( ms );
741 }
742
743 static void
744 meta_filter_free( metafilter_t *mf )
745 {
746         regfree( &mf->mf_regex );
747         ber_memfree( mf->mf_regex_pattern.bv_val );
748         ch_free( mf );
749 }
750
751 void
752 meta_filter_destroy( metafilter_t *mf )
753 {
754         if ( mf->mf_next )
755                 meta_filter_destroy( mf->mf_next );
756         meta_filter_free( mf );
757 }
758
759 static struct berval st_styles[] = {
760         BER_BVC("subtree"),
761         BER_BVC("children"),
762         BER_BVC("regex")
763 };
764
765 static int
766 meta_subtree_unparse(
767         ConfigArgs *c,
768         metatarget_t *mt )
769 {
770         metasubtree_t   *ms;
771         struct berval bv, *style;
772
773         if ( !mt->mt_subtree )
774                 return 1;
775
776         /* can only be one of exclude or include */
777         if (( c->type == LDAP_BACK_CFG_SUBTREE_EX ) ^ mt->mt_subtree_exclude )
778                 return 1;
779
780         bv.bv_val = c->cr_msg;
781         for ( ms=mt->mt_subtree; ms; ms=ms->ms_next ) {
782                 if (ms->ms_type == META_ST_SUBTREE)
783                         style = &st_styles[0];
784                 else if ( ms->ms_type == META_ST_SUBORDINATE )
785                         style = &st_styles[1];
786                 else if ( ms->ms_type == META_ST_REGEX )
787                         style = &st_styles[2];
788                 else {
789                         assert(0);
790                         continue;
791                 }
792                 bv.bv_len = snprintf( c->cr_msg, sizeof(c->cr_msg),
793                         "dn.%s:%s", style->bv_val, ms->ms_dn.bv_val );
794                 value_add_one( &c->rvalue_vals, &bv );
795         }
796         return 0;
797 }
798
799 static int
800 meta_subtree_config(
801         metatarget_t *mt,
802         ConfigArgs *c )
803 {
804         meta_st_t       type = META_ST_SUBTREE;
805         char            *pattern;
806         struct berval   ndn = BER_BVNULL;
807         metasubtree_t   *ms = NULL;
808
809         if ( c->type == LDAP_BACK_CFG_SUBTREE_EX ) {
810                 if ( mt->mt_subtree && !mt->mt_subtree_exclude ) {
811                         snprintf( c->cr_msg, sizeof(c->cr_msg),
812                                 "\"subtree-exclude\" incompatible with previous \"subtree-include\" directives" );
813                         return 1;
814                 }
815
816                 mt->mt_subtree_exclude = 1;
817
818         } else {
819                 if ( mt->mt_subtree && mt->mt_subtree_exclude ) {
820                         snprintf( c->cr_msg, sizeof(c->cr_msg),
821                                 "\"subtree-include\" incompatible with previous \"subtree-exclude\" directives" );
822                         return 1;
823                 }
824         }
825
826         pattern = c->argv[1];
827         if ( strncasecmp( pattern, "dn", STRLENOF( "dn" ) ) == 0 ) {
828                 char *style;
829
830                 pattern = &pattern[STRLENOF( "dn")];
831
832                 if ( pattern[0] == '.' ) {
833                         style = &pattern[1];
834
835                         if ( strncasecmp( style, "subtree", STRLENOF( "subtree" ) ) == 0 ) {
836                                 type = META_ST_SUBTREE;
837                                 pattern = &style[STRLENOF( "subtree" )];
838
839                         } else if ( strncasecmp( style, "children", STRLENOF( "children" ) ) == 0 ) {
840                                 type = META_ST_SUBORDINATE;
841                                 pattern = &style[STRLENOF( "children" )];
842
843                         } else if ( strncasecmp( style, "sub", STRLENOF( "sub" ) ) == 0 ) {
844                                 type = META_ST_SUBTREE;
845                                 pattern = &style[STRLENOF( "sub" )];
846
847                         } else if ( strncasecmp( style, "regex", STRLENOF( "regex" ) ) == 0 ) {
848                                 type = META_ST_REGEX;
849                                 pattern = &style[STRLENOF( "regex" )];
850
851                         } else {
852                                 snprintf( c->cr_msg, sizeof(c->cr_msg), "unknown style in \"dn.<style>\"" );
853                                 return 1;
854                         }
855                 }
856
857                 if ( pattern[0] != ':' ) {
858                         snprintf( c->cr_msg, sizeof(c->cr_msg), "missing colon after \"dn.<style>\"" );
859                         return 1;
860                 }
861                 pattern++;
862         }
863
864         switch ( type ) {
865         case META_ST_SUBTREE:
866         case META_ST_SUBORDINATE: {
867                 struct berval dn;
868
869                 ber_str2bv( pattern, 0, 0, &dn );
870                 if ( dnNormalize( 0, NULL, NULL, &dn, &ndn, NULL )
871                         != LDAP_SUCCESS )
872                 {
873                         snprintf( c->cr_msg, sizeof(c->cr_msg), "DN=\"%s\" is invalid", pattern );
874                         return 1;
875                 }
876
877                 if ( !dnIsSuffix( &ndn, &mt->mt_nsuffix ) ) {
878                         snprintf( c->cr_msg, sizeof(c->cr_msg),
879                                 "DN=\"%s\" is not a subtree of target \"%s\"",
880                                 pattern, mt->mt_nsuffix.bv_val );
881                         ber_memfree( ndn.bv_val );
882                         return( 1 );
883                 }
884                 } break;
885
886         default:
887                 /* silence warnings */
888                 break;
889         }
890
891         ms = ch_calloc( sizeof( metasubtree_t ), 1 );
892         ms->ms_type = type;
893
894         switch ( ms->ms_type ) {
895         case META_ST_SUBTREE:
896         case META_ST_SUBORDINATE:
897                 ms->ms_dn = ndn;
898                 break;
899
900         case META_ST_REGEX: {
901                 int rc;
902
903                 rc = regcomp( &ms->ms_regex, pattern, REG_EXTENDED|REG_ICASE );
904                 if ( rc != 0 ) {
905                         char regerr[ SLAP_TEXT_BUFLEN ];
906
907                         regerror( rc, &ms->ms_regex, regerr, sizeof(regerr) );
908
909                         snprintf( c->cr_msg, sizeof( c->cr_msg ),
910                                 "regular expression \"%s\" bad because of %s",
911                                 pattern, regerr );
912                         ch_free( ms );
913                         return 1;
914                 }
915                 ber_str2bv( pattern, 0, 1, &ms->ms_regex_pattern );
916                 } break;
917         }
918
919         if ( mt->mt_subtree == NULL ) {
920                  mt->mt_subtree = ms;
921
922         } else {
923                 metasubtree_t **msp;
924
925                 for ( msp = &mt->mt_subtree; *msp; ) {
926                         switch ( ms->ms_type ) {
927                         case META_ST_SUBTREE:
928                                 switch ( (*msp)->ms_type ) {
929                                 case META_ST_SUBTREE:
930                                         if ( dnIsSuffix( &(*msp)->ms_dn, &ms->ms_dn ) ) {
931                                                 metasubtree_t *tmp = *msp;
932                                                 Debug( LDAP_DEBUG_CONFIG,
933                                                         "%s: previous rule \"dn.subtree:%s\" is contained in rule \"dn.subtree:%s\" (replaced)\n",
934                                                         c->log, pattern, (*msp)->ms_dn.bv_val );
935                                                 *msp = (*msp)->ms_next;
936                                                 tmp->ms_next = NULL;
937                                                 meta_subtree_destroy( tmp );
938                                                 continue;
939
940                                         } else if ( dnIsSuffix( &ms->ms_dn, &(*msp)->ms_dn ) ) {
941                                                 Debug( LDAP_DEBUG_CONFIG,
942                                                         "%s: previous rule \"dn.subtree:%s\" contains rule \"dn.subtree:%s\" (ignored)\n",
943                                                         c->log, (*msp)->ms_dn.bv_val, pattern );
944                                                 meta_subtree_destroy( ms );
945                                                 ms = NULL;
946                                                 return( 0 );
947                                         }
948                                         break;
949
950                                 case META_ST_SUBORDINATE:
951                                         if ( dnIsSuffix( &(*msp)->ms_dn, &ms->ms_dn ) ) {
952                                                 metasubtree_t *tmp = *msp;
953                                                 Debug( LDAP_DEBUG_CONFIG,
954                                                         "%s: previous rule \"dn.children:%s\" is contained in rule \"dn.subtree:%s\" (replaced)\n",
955                                                         c->log, pattern, (*msp)->ms_dn.bv_val );
956                                                 *msp = (*msp)->ms_next;
957                                                 tmp->ms_next = NULL;
958                                                 meta_subtree_destroy( tmp );
959                                                 continue;
960
961                                         } else if ( dnIsSuffix( &ms->ms_dn, &(*msp)->ms_dn ) && ms->ms_dn.bv_len > (*msp)->ms_dn.bv_len ) {
962                                                 Debug( LDAP_DEBUG_CONFIG,
963                                                         "%s: previous rule \"dn.children:%s\" contains rule \"dn.subtree:%s\" (ignored)\n",
964                                                         c->log, (*msp)->ms_dn.bv_val, pattern );
965                                                 meta_subtree_destroy( ms );
966                                                 ms = NULL;
967                                                 return( 0 );
968                                         }
969                                         break;
970
971                                 case META_ST_REGEX:
972                                         if ( regexec( &(*msp)->ms_regex, ms->ms_dn.bv_val, 0, NULL, 0 ) == 0 ) {
973                                                 Debug( LDAP_DEBUG_CONFIG,
974                                                         "%s: previous rule \"dn.regex:%s\" may contain rule \"dn.subtree:%s\"\n",
975                                                         c->log, (*msp)->ms_regex_pattern.bv_val, ms->ms_dn.bv_val );
976                                         }
977                                         break;
978                                 }
979                                 break;
980
981                         case META_ST_SUBORDINATE:
982                                 switch ( (*msp)->ms_type ) {
983                                 case META_ST_SUBTREE:
984                                         if ( dnIsSuffix( &(*msp)->ms_dn, &ms->ms_dn ) ) {
985                                                 metasubtree_t *tmp = *msp;
986                                                 Debug( LDAP_DEBUG_CONFIG,
987                                                         "%s: previous rule \"dn.children:%s\" is contained in rule \"dn.subtree:%s\" (replaced)\n",
988                                                         c->log, pattern, (*msp)->ms_dn.bv_val );
989                                                 *msp = (*msp)->ms_next;
990                                                 tmp->ms_next = NULL;
991                                                 meta_subtree_destroy( tmp );
992                                                 continue;
993
994                                         } else if ( dnIsSuffix( &ms->ms_dn, &(*msp)->ms_dn ) && ms->ms_dn.bv_len > (*msp)->ms_dn.bv_len ) {
995                                                 Debug( LDAP_DEBUG_CONFIG,
996                                                         "%s: previous rule \"dn.children:%s\" contains rule \"dn.subtree:%s\" (ignored)\n",
997                                                         c->log, (*msp)->ms_dn.bv_val, pattern );
998                                                 meta_subtree_destroy( ms );
999                                                 ms = NULL;
1000                                                 return( 0 );
1001                                         }
1002                                         break;
1003
1004                                 case META_ST_SUBORDINATE:
1005                                         if ( dnIsSuffix( &(*msp)->ms_dn, &ms->ms_dn ) ) {
1006                                                 metasubtree_t *tmp = *msp;
1007                                                 Debug( LDAP_DEBUG_CONFIG,
1008                                                         "%s: previous rule \"dn.children:%s\" is contained in rule \"dn.children:%s\" (replaced)\n",
1009                                                         c->log, pattern, (*msp)->ms_dn.bv_val );
1010                                                 *msp = (*msp)->ms_next;
1011                                                 tmp->ms_next = NULL;
1012                                                 meta_subtree_destroy( tmp );
1013                                                 continue;
1014
1015                                         } else if ( dnIsSuffix( &ms->ms_dn, &(*msp)->ms_dn ) ) {
1016                                                 Debug( LDAP_DEBUG_CONFIG,
1017                                                         "%s: previous rule \"dn.children:%s\" contains rule \"dn.children:%s\" (ignored)\n",
1018                                                         c->log, (*msp)->ms_dn.bv_val, pattern );
1019                                                 meta_subtree_destroy( ms );
1020                                                 ms = NULL;
1021                                                 return( 0 );
1022                                         }
1023                                         break;
1024
1025                                 case META_ST_REGEX:
1026                                         if ( regexec( &(*msp)->ms_regex, ms->ms_dn.bv_val, 0, NULL, 0 ) == 0 ) {
1027                                                 Debug( LDAP_DEBUG_CONFIG,
1028                                                         "%s: previous rule \"dn.regex:%s\" may contain rule \"dn.subtree:%s\"\n",
1029                                                         c->log, (*msp)->ms_regex_pattern.bv_val, ms->ms_dn.bv_val );
1030                                         }
1031                                         break;
1032                                 }
1033                                 break;
1034
1035                         case META_ST_REGEX:
1036                                 switch ( (*msp)->ms_type ) {
1037                                 case META_ST_SUBTREE:
1038                                 case META_ST_SUBORDINATE:
1039                                         if ( regexec( &ms->ms_regex, (*msp)->ms_dn.bv_val, 0, NULL, 0 ) == 0 ) {
1040                                                 Debug( LDAP_DEBUG_CONFIG,
1041                                                         "%s: previous rule \"dn.subtree:%s\" may be contained in rule \"dn.regex:%s\"\n",
1042                                                         c->log, (*msp)->ms_dn.bv_val, ms->ms_regex_pattern.bv_val );
1043                                         }
1044                                         break;
1045
1046                                 case META_ST_REGEX:
1047                                         /* no check possible */
1048                                         break;
1049                                 }
1050                                 break;
1051                         }
1052
1053                         msp = &(*msp)->ms_next;
1054                 }
1055
1056                 *msp = ms;
1057         }
1058
1059         return 0;
1060 }
1061
1062 static slap_verbmasks idassert_mode[] = {
1063         { BER_BVC("self"),              LDAP_BACK_IDASSERT_SELF },
1064         { BER_BVC("anonymous"),         LDAP_BACK_IDASSERT_ANONYMOUS },
1065         { BER_BVC("none"),              LDAP_BACK_IDASSERT_NOASSERT },
1066         { BER_BVC("legacy"),            LDAP_BACK_IDASSERT_LEGACY },
1067         { BER_BVNULL,                   0 }
1068 };
1069
1070 static slap_verbmasks tls_mode[] = {
1071         { BER_BVC( "propagate" ),       LDAP_BACK_F_TLS_PROPAGATE_MASK },
1072         { BER_BVC( "try-propagate" ),   LDAP_BACK_F_PROPAGATE_TLS },
1073         { BER_BVC( "start" ),           LDAP_BACK_F_TLS_USE_MASK },
1074         { BER_BVC( "try-start" ),       LDAP_BACK_F_USE_TLS },
1075         { BER_BVC( "ldaps" ),           LDAP_BACK_F_TLS_LDAPS },
1076         { BER_BVC( "none" ),            LDAP_BACK_F_NONE },
1077         { BER_BVNULL,                   0 }
1078 };
1079
1080 static slap_verbmasks t_f_mode[] = {
1081         { BER_BVC( "yes" ),             LDAP_BACK_F_T_F },
1082         { BER_BVC( "discover" ),        LDAP_BACK_F_T_F_DISCOVER },
1083         { BER_BVC( "no" ),              LDAP_BACK_F_NONE },
1084         { BER_BVNULL,                   0 }
1085 };
1086
1087 static slap_verbmasks cancel_mode[] = {
1088         { BER_BVC( "ignore" ),          LDAP_BACK_F_CANCEL_IGNORE },
1089         { BER_BVC( "exop" ),            LDAP_BACK_F_CANCEL_EXOP },
1090         { BER_BVC( "exop-discover" ),   LDAP_BACK_F_CANCEL_EXOP_DISCOVER },
1091         { BER_BVC( "abandon" ),         LDAP_BACK_F_CANCEL_ABANDON },
1092         { BER_BVNULL,                   0 }
1093 };
1094
1095 static slap_verbmasks onerr_mode[] = {
1096         { BER_BVC( "stop" ),            META_BACK_F_ONERR_STOP },
1097         { BER_BVC( "report" ),  META_BACK_F_ONERR_REPORT },
1098         { BER_BVC( "continue" ),                LDAP_BACK_F_NONE },
1099         { BER_BVNULL,                   0 }
1100 };
1101
1102 /* see enum in slap.h */
1103 static slap_cf_aux_table timeout_table[] = {
1104         { BER_BVC("bind="),     SLAP_OP_BIND * sizeof( time_t ),        'u', 0, NULL },
1105         /* unbind makes no sense */
1106         { BER_BVC("add="),      SLAP_OP_ADD * sizeof( time_t ),         'u', 0, NULL },
1107         { BER_BVC("delete="),   SLAP_OP_DELETE * sizeof( time_t ),      'u', 0, NULL },
1108         { BER_BVC("modrdn="),   SLAP_OP_MODRDN * sizeof( time_t ),      'u', 0, NULL },
1109         { BER_BVC("modify="),   SLAP_OP_MODIFY * sizeof( time_t ),      'u', 0, NULL },
1110         { BER_BVC("compare="),  SLAP_OP_COMPARE * sizeof( time_t ),     'u', 0, NULL },
1111         { BER_BVC("search="),   SLAP_OP_SEARCH * sizeof( time_t ),      'u', 0, NULL },
1112         /* abandon makes little sense */
1113 #if 0   /* not implemented yet */
1114         { BER_BVC("extended="), SLAP_OP_EXTENDED * sizeof( time_t ),    'u', 0, NULL },
1115 #endif
1116         { BER_BVNULL, 0, 0, 0, NULL }
1117 };
1118
1119 static int
1120 meta_cf_cleanup( ConfigArgs *c )
1121 {
1122         metainfo_t      *mi = ( metainfo_t * )c->be->be_private;
1123         metatarget_t    *mt = c->ca_private;
1124
1125         return meta_target_finish( mi, mt, c->log, c->cr_msg, sizeof( c->cr_msg ));
1126 }
1127
1128 static int
1129 meta_back_cf_gen( ConfigArgs *c )
1130 {
1131         metainfo_t      *mi = ( metainfo_t * )c->be->be_private;
1132         metatarget_t    *mt;
1133         metacommon_t    *mc;
1134
1135         int i, rc = 0;
1136
1137         assert( mi != NULL );
1138
1139         if ( c->op == SLAP_CONFIG_EMIT || c->op == LDAP_MOD_DELETE ) {
1140                 if ( !mi )
1141                         return 1;
1142
1143                 if ( c->table == Cft_Database ) {
1144                         mt = NULL;
1145                         mc = &mi->mi_mc;
1146                 } else {
1147                         mt = c->ca_private;
1148                         mc = &mt->mt_mc;
1149                 }
1150         }
1151
1152         if ( c->op == SLAP_CONFIG_EMIT ) {
1153                 struct berval bv = BER_BVNULL;
1154
1155                 switch( c->type ) {
1156                 /* Base attrs */
1157                 case LDAP_BACK_CFG_CONN_TTL:
1158                         if ( mi->mi_conn_ttl == 0 ) {
1159                                 return 1;
1160                         } else {
1161                                 char    buf[ SLAP_TEXT_BUFLEN ];
1162
1163                                 lutil_unparse_time( buf, sizeof( buf ), mi->mi_conn_ttl );
1164                                 ber_str2bv( buf, 0, 0, &bv );
1165                                 value_add_one( &c->rvalue_vals, &bv );
1166                         }
1167                         break;
1168
1169                 case LDAP_BACK_CFG_DNCACHE_TTL:
1170                         if ( mi->mi_cache.ttl == META_DNCACHE_DISABLED ) {
1171                                 return 1;
1172                         } else if ( mi->mi_cache.ttl == META_DNCACHE_FOREVER ) {
1173                                 BER_BVSTR( &bv, "forever" );
1174                         } else {
1175                                 char    buf[ SLAP_TEXT_BUFLEN ];
1176
1177                                 lutil_unparse_time( buf, sizeof( buf ), mi->mi_cache.ttl );
1178                                 ber_str2bv( buf, 0, 0, &bv );
1179                         }
1180                         value_add_one( &c->rvalue_vals, &bv );
1181                         break;
1182
1183                 case LDAP_BACK_CFG_IDLE_TIMEOUT:
1184                         if ( mi->mi_idle_timeout == 0 ) {
1185                                 return 1;
1186                         } else {
1187                                 char    buf[ SLAP_TEXT_BUFLEN ];
1188
1189                                 lutil_unparse_time( buf, sizeof( buf ), mi->mi_idle_timeout );
1190                                 ber_str2bv( buf, 0, 0, &bv );
1191                                 value_add_one( &c->rvalue_vals, &bv );
1192                         }
1193                         break;
1194
1195                 case LDAP_BACK_CFG_ONERR:
1196                         enum_to_verb( onerr_mode, mi->mi_flags & META_BACK_F_ONERR_MASK, &bv );
1197                         if ( BER_BVISNULL( &bv )) {
1198                                 rc = 1;
1199                         } else {
1200                                 value_add_one( &c->rvalue_vals, &bv );
1201                         }
1202                         break;
1203
1204                 case LDAP_BACK_CFG_PSEUDOROOT_BIND_DEFER:
1205                         c->value_int = META_BACK_DEFER_ROOTDN_BIND( mi );
1206                         break;
1207
1208                 case LDAP_BACK_CFG_SINGLECONN:
1209                         c->value_int = LDAP_BACK_SINGLECONN( mi );
1210                         break;
1211
1212                 case LDAP_BACK_CFG_USETEMP:
1213                         c->value_int = LDAP_BACK_USE_TEMPORARIES( mi );
1214                         break;
1215
1216                 case LDAP_BACK_CFG_CONNPOOLMAX:
1217                         c->value_int = mi->mi_conn_priv_max;
1218                         break;
1219
1220                 /* common attrs */
1221                 case LDAP_BACK_CFG_BIND_TIMEOUT:
1222                         if ( mc->mc_bind_timeout.tv_sec == 0 &&
1223                                 mc->mc_bind_timeout.tv_usec == 0 ) {
1224                                 return 1;
1225                         } else {
1226                                 c->value_ulong = mc->mc_bind_timeout.tv_sec * 1000000UL +
1227                                         mc->mc_bind_timeout.tv_usec;
1228                         }
1229                         break;
1230
1231                 case LDAP_BACK_CFG_CANCEL: {
1232                         slap_mask_t     mask = LDAP_BACK_F_CANCEL_MASK2;
1233
1234                         if ( mt && META_BACK_TGT_CANCEL_DISCOVER( mt ) ) {
1235                                 mask &= ~LDAP_BACK_F_CANCEL_EXOP;
1236                         }
1237                         enum_to_verb( cancel_mode, (mc->mc_flags & mask), &bv );
1238                         if ( BER_BVISNULL( &bv ) ) {
1239                                 /* there's something wrong... */
1240                                 assert( 0 );
1241                                 rc = 1;
1242
1243                         } else {
1244                                 value_add_one( &c->rvalue_vals, &bv );
1245                         }
1246                         } break;
1247
1248                 case LDAP_BACK_CFG_CHASE:
1249                         c->value_int = META_BACK_CMN_CHASE_REFERRALS(mc);
1250                         break;
1251
1252 #ifdef SLAPD_META_CLIENT_PR
1253                 case LDAP_BACK_CFG_CLIENT_PR:
1254                         if ( mc->mc_ps == META_CLIENT_PR_DISABLE ) {
1255                                 return 1;
1256                         } else if ( mc->mc_ps == META_CLIENT_PR_ACCEPT_UNSOLICITED ) {
1257                                 BER_BVSTR( &bv, "accept-unsolicited" );
1258                         } else {
1259                                 bv.bv_len = snprintf( c->cr_msg, sizeof(c->cr_msg), "%d", mc->mc_ps );
1260                                 bv.bv_val = c->cr_msg;
1261                         }
1262                         value_add_one( &c->rvalue_vals, &bv );
1263                         break;
1264 #endif /* SLAPD_META_CLIENT_PR */
1265
1266                 case LDAP_BACK_CFG_DEFAULT_T:
1267                         if ( mt || mi->mi_defaulttarget == META_DEFAULT_TARGET_NONE )
1268                                 return 1;
1269                         bv.bv_len = snprintf( c->cr_msg, sizeof(c->cr_msg), "%d", mi->mi_defaulttarget );
1270                         bv.bv_val = c->cr_msg;
1271                         value_add_one( &c->rvalue_vals, &bv );
1272                         break;
1273
1274                 case LDAP_BACK_CFG_NETWORK_TIMEOUT:
1275                         if ( mc->mc_network_timeout == 0 ) {
1276                                 return 1;
1277                         }
1278                         bv.bv_len = snprintf( c->cr_msg, sizeof(c->cr_msg), "%ld",
1279                                 mc->mc_network_timeout );
1280                         bv.bv_val = c->cr_msg;
1281                         value_add_one( &c->rvalue_vals, &bv );
1282                         break;
1283
1284                 case LDAP_BACK_CFG_NOREFS:
1285                         c->value_int = META_BACK_CMN_NOREFS(mc);
1286                         break;
1287
1288                 case LDAP_BACK_CFG_NOUNDEFFILTER:
1289                         c->value_int = META_BACK_CMN_NOUNDEFFILTER(mc);
1290                         break;
1291
1292                 case LDAP_BACK_CFG_NRETRIES:
1293                         if ( mc->mc_nretries == META_RETRY_FOREVER ) {
1294                                 BER_BVSTR( &bv, "forever" );
1295                         } else if ( mc->mc_nretries == META_RETRY_NEVER ) {
1296                                 BER_BVSTR( &bv, "never" );
1297                         } else {
1298                                 bv.bv_len = snprintf( c->cr_msg, sizeof(c->cr_msg), "%d",
1299                                         mc->mc_nretries );
1300                                 bv.bv_val = c->cr_msg;
1301                         }
1302                         value_add_one( &c->rvalue_vals, &bv );
1303                         break;
1304
1305                 case LDAP_BACK_CFG_QUARANTINE:
1306                         if ( !META_BACK_CMN_QUARANTINE( mc )) {
1307                                 rc = 1;
1308                                 break;
1309                         }
1310                         rc = mi->mi_ldap_extra->retry_info_unparse( &mc->mc_quarantine, &bv );
1311                         if ( rc == 0 ) {
1312                                 ber_bvarray_add( &c->rvalue_vals, &bv );
1313                         }
1314                         break;
1315
1316                 case LDAP_BACK_CFG_REBIND:
1317                         c->value_int = META_BACK_CMN_SAVECRED(mc);
1318                         break;
1319
1320                 case LDAP_BACK_CFG_TIMEOUT:
1321                         for ( i = 0; i < SLAP_OP_LAST; i++ ) {
1322                                 if ( mc->mc_timeout[ i ] != 0 ) {
1323                                         break;
1324                                 }
1325                         }
1326
1327                         if ( i == SLAP_OP_LAST ) {
1328                                 return 1;
1329                         }
1330
1331                         BER_BVZERO( &bv );
1332                         slap_cf_aux_table_unparse( mc->mc_timeout, &bv, timeout_table );
1333
1334                         if ( BER_BVISNULL( &bv ) ) {
1335                                 return 1;
1336                         }
1337
1338                         for ( i = 0; isspace( (unsigned char) bv.bv_val[ i ] ); i++ )
1339                                 /* count spaces */ ;
1340
1341                         if ( i ) {
1342                                 bv.bv_len -= i;
1343                                 AC_MEMCPY( bv.bv_val, &bv.bv_val[ i ],
1344                                         bv.bv_len + 1 );
1345                         }
1346
1347                         ber_bvarray_add( &c->rvalue_vals, &bv );
1348                         break;
1349
1350                 case LDAP_BACK_CFG_VERSION:
1351                         if ( mc->mc_version == 0 )
1352                                 return 1;
1353                         c->value_int = mc->mc_version;
1354                         break;
1355
1356 #ifdef SLAP_CONTROL_X_SESSION_TRACKING
1357                 case LDAP_BACK_CFG_ST_REQUEST:
1358                         c->value_int = META_BACK_CMN_ST_REQUEST( mc );
1359                         break;
1360 #endif /* SLAP_CONTROL_X_SESSION_TRACKING */
1361
1362                 case LDAP_BACK_CFG_T_F:
1363                         enum_to_verb( t_f_mode, (mc->mc_flags & LDAP_BACK_F_T_F_MASK2), &bv );
1364                         if ( BER_BVISNULL( &bv ) ) {
1365                                 /* there's something wrong... */
1366                                 assert( 0 );
1367                                 rc = 1;
1368
1369                         } else {
1370                                 value_add_one( &c->rvalue_vals, &bv );
1371                         }
1372                         break;
1373
1374                 case LDAP_BACK_CFG_TLS: {
1375                         struct berval bc = BER_BVNULL, bv2;
1376
1377                         if (( mc->mc_flags & LDAP_BACK_F_TLS_MASK ) == LDAP_BACK_F_NONE ) {
1378                                 rc = 1;
1379                                 break;
1380                         }
1381                         enum_to_verb( tls_mode, ( mc->mc_flags & LDAP_BACK_F_TLS_MASK ), &bv );
1382                         assert( !BER_BVISNULL( &bv ) );
1383
1384                         if ( mt ) {
1385                                 bindconf_tls_unparse( &mt->mt_tls, &bc );
1386                         }
1387
1388                         if ( !BER_BVISEMPTY( &bc )) {
1389                                 bv2.bv_len = bv.bv_len + bc.bv_len + 1;
1390                                 bv2.bv_val = ch_malloc( bv2.bv_len + 1 );
1391                                 strcpy( bv2.bv_val, bv.bv_val );
1392                                 bv2.bv_val[bv.bv_len] = ' ';
1393                                 strcpy( &bv2.bv_val[bv.bv_len + 1], bc.bv_val );
1394                                 ber_memfree( bc.bv_val );
1395                                 ber_bvarray_add( &c->rvalue_vals, &bv2 );
1396                         } else {
1397                                 value_add_one( &c->rvalue_vals, &bv );
1398                         }
1399                         } break;
1400
1401                 /* target attrs */
1402                 case LDAP_BACK_CFG_URI: {
1403                         char *p2, *p1 = strchr( mt->mt_uri, ' ' );
1404                         bv.bv_len = strlen( mt->mt_uri ) + 3 + mt->mt_psuffix.bv_len;
1405                         bv.bv_val = ch_malloc( bv.bv_len + 1 );
1406                         p2 = bv.bv_val;
1407                         *p2++ = '"';
1408                         if ( p1 ) {
1409                                 p2 = lutil_strncopy( p2, mt->mt_uri, p1 - mt->mt_uri );
1410                         } else {
1411                                 p2 = lutil_strcopy( p2, mt->mt_uri );
1412                         }
1413                         *p2++ = '/';
1414                         p2 = lutil_strcopy( p2, mt->mt_psuffix.bv_val );
1415                         *p2++ = '"';
1416                         if ( p1 ) {
1417                                 strcpy( p2, p1 );
1418                         }
1419                         ber_bvarray_add( &c->rvalue_vals, &bv );
1420                         } break;
1421
1422                 case LDAP_BACK_CFG_ACL_AUTHCDN:
1423                 case LDAP_BACK_CFG_ACL_PASSWD:
1424                         /* FIXME no point here, there is no code implementing
1425                          * their features. Was this supposed to implement
1426                          * acl-bind like back-ldap?
1427                          */
1428                         rc = 1;
1429                         break;
1430
1431                 case LDAP_BACK_CFG_IDASSERT_AUTHZFROM: {
1432                         BerVarray       *bvp;
1433                         int             i;
1434                         struct berval   bv = BER_BVNULL;
1435                         char            buf[SLAP_TEXT_BUFLEN];
1436
1437                         bvp = &mt->mt_idassert_authz;
1438                         if ( *bvp == NULL ) {
1439                                 if ( mt->mt_idassert_flags & LDAP_BACK_AUTH_AUTHZ_ALL )
1440                                 {
1441                                         BER_BVSTR( &bv, "*" );
1442                                         value_add_one( &c->rvalue_vals, &bv );
1443
1444                                 } else {
1445                                         rc = 1;
1446                                 }
1447                                 break;
1448                         }
1449
1450                         for ( i = 0; !BER_BVISNULL( &((*bvp)[ i ]) ); i++ ) {
1451                                 char *ptr;
1452                                 int len = snprintf( buf, sizeof( buf ), SLAP_X_ORDERED_FMT, i );
1453                                 bv.bv_len = ((*bvp)[ i ]).bv_len + len;
1454                                 bv.bv_val = ber_memrealloc( bv.bv_val, bv.bv_len + 1 );
1455                                 ptr = bv.bv_val;
1456                                 ptr = lutil_strcopy( ptr, buf );
1457                                 ptr = lutil_strncopy( ptr, ((*bvp)[ i ]).bv_val, ((*bvp)[ i ]).bv_len );
1458                                 value_add_one( &c->rvalue_vals, &bv );
1459                         }
1460                         if ( bv.bv_val ) {
1461                                 ber_memfree( bv.bv_val );
1462                         }
1463                         break;
1464                 }
1465
1466                 case LDAP_BACK_CFG_IDASSERT_BIND: {
1467                         int             i;
1468                         struct berval   bc = BER_BVNULL;
1469                         char            *ptr;
1470
1471                         if ( mt->mt_idassert_authmethod == LDAP_AUTH_NONE ) {
1472                                 return 1;
1473                         } else {
1474                                 ber_len_t       len;
1475
1476                                 switch ( mt->mt_idassert_mode ) {
1477                                 case LDAP_BACK_IDASSERT_OTHERID:
1478                                 case LDAP_BACK_IDASSERT_OTHERDN:
1479                                         break;
1480
1481                                 default: {
1482                                         struct berval   mode = BER_BVNULL;
1483
1484                                         enum_to_verb( idassert_mode, mt->mt_idassert_mode, &mode );
1485                                         if ( BER_BVISNULL( &mode ) ) {
1486                                                 /* there's something wrong... */
1487                                                 assert( 0 );
1488                                                 rc = 1;
1489
1490                                         } else {
1491                                                 bv.bv_len = STRLENOF( "mode=" ) + mode.bv_len;
1492                                                 bv.bv_val = ch_malloc( bv.bv_len + 1 );
1493
1494                                                 ptr = lutil_strcopy( bv.bv_val, "mode=" );
1495                                                 ptr = lutil_strcopy( ptr, mode.bv_val );
1496                                         }
1497                                         break;
1498                                 }
1499                                 }
1500
1501                                 if ( mt->mt_idassert_flags & LDAP_BACK_AUTH_NATIVE_AUTHZ ) {
1502                                         len = bv.bv_len + STRLENOF( "authz=native" );
1503
1504                                         if ( !BER_BVISEMPTY( &bv ) ) {
1505                                                 len += STRLENOF( " " );
1506                                         }
1507
1508                                         bv.bv_val = ch_realloc( bv.bv_val, len + 1 );
1509
1510                                         ptr = &bv.bv_val[ bv.bv_len ];
1511
1512                                         if ( !BER_BVISEMPTY( &bv ) ) {
1513                                                 ptr = lutil_strcopy( ptr, " " );
1514                                         }
1515
1516                                         (void)lutil_strcopy( ptr, "authz=native" );
1517                                 }
1518
1519                                 len = bv.bv_len + STRLENOF( "flags=non-prescriptive,override,obsolete-encoding-workaround,proxy-authz-non-critical,dn-authzid" );
1520                                 /* flags */
1521                                 if ( !BER_BVISEMPTY( &bv ) ) {
1522                                         len += STRLENOF( " " );
1523                                 }
1524
1525                                 bv.bv_val = ch_realloc( bv.bv_val, len + 1 );
1526
1527                                 ptr = &bv.bv_val[ bv.bv_len ];
1528
1529                                 if ( !BER_BVISEMPTY( &bv ) ) {
1530                                         ptr = lutil_strcopy( ptr, " " );
1531                                 }
1532
1533                                 ptr = lutil_strcopy( ptr, "flags=" );
1534
1535                                 if ( mt->mt_idassert_flags & LDAP_BACK_AUTH_PRESCRIPTIVE ) {
1536                                         ptr = lutil_strcopy( ptr, "prescriptive" );
1537                                 } else {
1538                                         ptr = lutil_strcopy( ptr, "non-prescriptive" );
1539                                 }
1540
1541                                 if ( mt->mt_idassert_flags & LDAP_BACK_AUTH_OVERRIDE ) {
1542                                         ptr = lutil_strcopy( ptr, ",override" );
1543                                 }
1544
1545                                 if ( mt->mt_idassert_flags & LDAP_BACK_AUTH_OBSOLETE_PROXY_AUTHZ ) {
1546                                         ptr = lutil_strcopy( ptr, ",obsolete-proxy-authz" );
1547
1548                                 } else if ( mt->mt_idassert_flags & LDAP_BACK_AUTH_OBSOLETE_ENCODING_WORKAROUND ) {
1549                                         ptr = lutil_strcopy( ptr, ",obsolete-encoding-workaround" );
1550                                 }
1551
1552                                 if ( mt->mt_idassert_flags & LDAP_BACK_AUTH_PROXYAUTHZ_CRITICAL ) {
1553                                         ptr = lutil_strcopy( ptr, ",proxy-authz-critical" );
1554
1555                                 } else {
1556                                         ptr = lutil_strcopy( ptr, ",proxy-authz-non-critical" );
1557                                 }
1558
1559 #ifdef SLAP_AUTH_DN
1560                                 switch ( mt->mt_idassert_flags & LDAP_BACK_AUTH_DN_MASK ) {
1561                                 case LDAP_BACK_AUTH_DN_AUTHZID:
1562                                         ptr = lutil_strcopy( ptr, ",dn-authzid" );
1563                                         break;
1564
1565                                 case LDAP_BACK_AUTH_DN_WHOAMI:
1566                                         ptr = lutil_strcopy( ptr, ",dn-whoami" );
1567                                         break;
1568
1569                                 default:
1570 #if 0 /* implicit */
1571                                         ptr = lutil_strcopy( ptr, ",dn-none" );
1572 #endif
1573                                         break;
1574                                 }
1575 #endif
1576
1577                                 bv.bv_len = ( ptr - bv.bv_val );
1578                                 /* end-of-flags */
1579                         }
1580
1581                         bindconf_unparse( &mt->mt_idassert.si_bc, &bc );
1582
1583                         if ( !BER_BVISNULL( &bv ) ) {
1584                                 ber_len_t       len = bv.bv_len + bc.bv_len;
1585
1586                                 bv.bv_val = ch_realloc( bv.bv_val, len + 1 );
1587
1588                                 assert( bc.bv_val[ 0 ] == ' ' );
1589
1590                                 ptr = lutil_strcopy( &bv.bv_val[ bv.bv_len ], bc.bv_val );
1591                                 free( bc.bv_val );
1592                                 bv.bv_len = ptr - bv.bv_val;
1593
1594                         } else {
1595                                 for ( i = 0; isspace( (unsigned char) bc.bv_val[ i ] ); i++ )
1596                                         /* count spaces */ ;
1597
1598                                 if ( i ) {
1599                                         bc.bv_len -= i;
1600                                         AC_MEMCPY( bc.bv_val, &bc.bv_val[ i ], bc.bv_len + 1 );
1601                                 }
1602
1603                                 bv = bc;
1604                         }
1605
1606                         ber_bvarray_add( &c->rvalue_vals, &bv );
1607
1608                         break;
1609                 }
1610
1611                 case LDAP_BACK_CFG_SUFFIXM:     /* unused */
1612                 case LDAP_BACK_CFG_REWRITE:
1613                         if ( mt->mt_rwmap.rwm_bva_rewrite == NULL ) {
1614                                 rc = 1;
1615                         } else {
1616                                 rc = slap_bv_x_ordered_unparse( mt->mt_rwmap.rwm_bva_rewrite, &c->rvalue_vals );
1617                         }
1618                         break;
1619
1620                 case LDAP_BACK_CFG_MAP:
1621                         if ( mt->mt_rwmap.rwm_bva_map == NULL ) {
1622                                 rc = 1;
1623                         } else {
1624                                 rc = slap_bv_x_ordered_unparse( mt->mt_rwmap.rwm_bva_map, &c->rvalue_vals );
1625                         }
1626                         break;
1627
1628                 case LDAP_BACK_CFG_SUBTREE_EX:
1629                 case LDAP_BACK_CFG_SUBTREE_IN:
1630                         rc = meta_subtree_unparse( c, mt );
1631                         break;
1632
1633                 case LDAP_BACK_CFG_FILTER:
1634                         if ( mt->mt_filter == NULL ) {
1635                                 rc = 1;
1636                         } else {
1637                                 metafilter_t *mf;
1638                                 for ( mf = mt->mt_filter; mf; mf = mf->mf_next )
1639                                         value_add_one( &c->rvalue_vals, &mf->mf_regex_pattern );
1640                         }
1641                         break;
1642
1643                 /* replaced by idassert */
1644                 case LDAP_BACK_CFG_PSEUDOROOTDN:
1645                 case LDAP_BACK_CFG_PSEUDOROOTPW:
1646                         rc = 1;
1647                         break;
1648
1649                 case LDAP_BACK_CFG_KEEPALIVE: {
1650                                 struct berval bv;
1651                                 char buf[AC_LINE_MAX];
1652                                 bv.bv_len = AC_LINE_MAX;
1653                                 bv.bv_val = &buf[0];
1654                                 slap_keepalive_parse(&bv, &mt->mt_tls.sb_keepalive, 0, 0, 1);
1655                                 value_add_one( &c->rvalue_vals, &bv );
1656                                 break;
1657                         }
1658
1659                 default:
1660                         rc = 1;
1661                 }
1662                 return rc;
1663         } else if ( c->op == LDAP_MOD_DELETE ) {
1664                 switch( c->type ) {
1665                 /* Base attrs */
1666                 case LDAP_BACK_CFG_CONN_TTL:
1667                         mi->mi_conn_ttl = 0;
1668                         break;
1669
1670                 case LDAP_BACK_CFG_DNCACHE_TTL:
1671                         mi->mi_cache.ttl = META_DNCACHE_DISABLED;
1672                         break;
1673
1674                 case LDAP_BACK_CFG_IDLE_TIMEOUT:
1675                         mi->mi_idle_timeout = 0;
1676                         break;
1677
1678                 case LDAP_BACK_CFG_ONERR:
1679                         mi->mi_flags &= ~META_BACK_F_ONERR_MASK;
1680                         break;
1681
1682                 case LDAP_BACK_CFG_PSEUDOROOT_BIND_DEFER:
1683                         mi->mi_flags &= ~META_BACK_F_DEFER_ROOTDN_BIND;
1684                         break;
1685
1686                 case LDAP_BACK_CFG_SINGLECONN:
1687                         mi->mi_flags &= ~LDAP_BACK_F_SINGLECONN;
1688                         break;
1689
1690                 case LDAP_BACK_CFG_USETEMP:
1691                         mi->mi_flags &= ~LDAP_BACK_F_USE_TEMPORARIES;
1692                         break;
1693
1694                 case LDAP_BACK_CFG_CONNPOOLMAX:
1695                         mi->mi_conn_priv_max = LDAP_BACK_CONN_PRIV_MIN;
1696                         break;
1697
1698                 /* common attrs */
1699                 case LDAP_BACK_CFG_BIND_TIMEOUT:
1700                         mc->mc_bind_timeout.tv_sec = 0;
1701                         mc->mc_bind_timeout.tv_usec = 0;
1702                         break;
1703
1704                 case LDAP_BACK_CFG_CANCEL:
1705                         mc->mc_flags &= ~LDAP_BACK_F_CANCEL_MASK2;
1706                         break;
1707
1708                 case LDAP_BACK_CFG_CHASE:
1709                         mc->mc_flags &= ~LDAP_BACK_F_CHASE_REFERRALS;
1710                         break;
1711
1712 #ifdef SLAPD_META_CLIENT_PR
1713                 case LDAP_BACK_CFG_CLIENT_PR:
1714                         mc->mc_ps = META_CLIENT_PR_DISABLE;
1715                         break;
1716 #endif /* SLAPD_META_CLIENT_PR */
1717
1718                 case LDAP_BACK_CFG_DEFAULT_T:
1719                         mi->mi_defaulttarget = META_DEFAULT_TARGET_NONE;
1720                         break;
1721
1722                 case LDAP_BACK_CFG_NETWORK_TIMEOUT:
1723                         mc->mc_network_timeout = 0;
1724                         break;
1725
1726                 case LDAP_BACK_CFG_NOREFS:
1727                         mc->mc_flags &= ~LDAP_BACK_F_NOREFS;
1728                         break;
1729
1730                 case LDAP_BACK_CFG_NOUNDEFFILTER:
1731                         mc->mc_flags &= ~LDAP_BACK_F_NOUNDEFFILTER;
1732                         break;
1733
1734                 case LDAP_BACK_CFG_NRETRIES:
1735                         mc->mc_nretries = META_RETRY_DEFAULT;
1736                         break;
1737
1738                 case LDAP_BACK_CFG_QUARANTINE:
1739                         if ( META_BACK_CMN_QUARANTINE( mc )) {
1740                                 mi->mi_ldap_extra->retry_info_destroy( &mc->mc_quarantine );
1741                                 mc->mc_flags &= ~LDAP_BACK_F_QUARANTINE;
1742                                 if ( mc == &mt->mt_mc ) {
1743                                         ldap_pvt_thread_mutex_destroy( &mt->mt_quarantine_mutex );
1744                                         mt->mt_isquarantined = 0;
1745                                 }
1746                         }
1747                         break;
1748
1749                 case LDAP_BACK_CFG_REBIND:
1750                         mc->mc_flags &= ~LDAP_BACK_F_SAVECRED;
1751                         break;
1752
1753                 case LDAP_BACK_CFG_TIMEOUT:
1754                         for ( i = 0; i < SLAP_OP_LAST; i++ ) {
1755                                 mc->mc_timeout[ i ] = 0;
1756                         }
1757                         break;
1758
1759                 case LDAP_BACK_CFG_VERSION:
1760                         mc->mc_version = 0;
1761                         break;
1762
1763 #ifdef SLAP_CONTROL_X_SESSION_TRACKING
1764                 case LDAP_BACK_CFG_ST_REQUEST:
1765                         mc->mc_flags &= ~LDAP_BACK_F_ST_REQUEST;
1766                         break;
1767 #endif /* SLAP_CONTROL_X_SESSION_TRACKING */
1768
1769                 case LDAP_BACK_CFG_T_F:
1770                         mc->mc_flags &= ~LDAP_BACK_F_T_F_MASK2;
1771                         break;
1772
1773                 case LDAP_BACK_CFG_TLS:
1774                         mc->mc_flags &= ~LDAP_BACK_F_TLS_MASK;
1775                         if ( mt )
1776                                 bindconf_free( &mt->mt_tls );
1777                         break;
1778
1779                 /* target attrs */
1780                 case LDAP_BACK_CFG_URI:
1781                         if ( mt->mt_uri ) {
1782                                 ch_free( mt->mt_uri );
1783                                 mt->mt_uri = NULL;
1784                         }
1785                         /* FIXME: should have a way to close all cached
1786                          * connections associated with this target.
1787                          */
1788                         break;
1789
1790                 case LDAP_BACK_CFG_IDASSERT_AUTHZFROM: {
1791                         BerVarray *bvp;
1792
1793                         bvp = &mt->mt_idassert_authz; break;
1794                         if ( c->valx < 0 ) {
1795                                 if ( *bvp != NULL ) {
1796                                         ber_bvarray_free( *bvp );
1797                                         *bvp = NULL;
1798                                 }
1799
1800                         } else {
1801                                 if ( *bvp == NULL ) {
1802                                         rc = 1;
1803                                         break;
1804                                 }
1805
1806                                 for ( i = 0; !BER_BVISNULL( &((*bvp)[ i ]) ); i++ )
1807                                         ;
1808
1809                                 if ( i >= c->valx ) {
1810                                         rc = 1;
1811                                         break;
1812                                 }
1813                                 ber_memfree( ((*bvp)[ c->valx ]).bv_val );
1814                                 for ( i = c->valx; !BER_BVISNULL( &((*bvp)[ i + 1 ]) ); i++ ) {
1815                                         (*bvp)[ i ] = (*bvp)[ i + 1 ];
1816                                 }
1817                                 BER_BVZERO( &((*bvp)[ i ]) );
1818                         }
1819                         } break;
1820
1821                 case LDAP_BACK_CFG_IDASSERT_BIND:
1822                         bindconf_free( &mt->mt_idassert.si_bc );
1823                         memset( &mt->mt_idassert, 0, sizeof( slap_idassert_t ) );
1824                         break;
1825
1826                 case LDAP_BACK_CFG_SUFFIXM:     /* unused */
1827                 case LDAP_BACK_CFG_REWRITE:
1828                         if ( mt->mt_rwmap.rwm_bva_rewrite ) {
1829                                 ber_bvarray_free( mt->mt_rwmap.rwm_bva_rewrite );
1830                                 mt->mt_rwmap.rwm_bva_rewrite = NULL;
1831                         }
1832                         if ( mt->mt_rwmap.rwm_rw )
1833                                 rewrite_info_delete( &mt->mt_rwmap.rwm_rw );
1834                         break;
1835
1836                 case LDAP_BACK_CFG_MAP:
1837                         if ( mt->mt_rwmap.rwm_bva_map ) {
1838                                 ber_bvarray_free( mt->mt_rwmap.rwm_bva_map );
1839                                 mt->mt_rwmap.rwm_bva_map = NULL;
1840                         }
1841                         meta_back_map_free( &mt->mt_rwmap.rwm_oc );
1842                         meta_back_map_free( &mt->mt_rwmap.rwm_at );
1843                         mt->mt_rwmap.rwm_oc.drop_missing = 0;
1844                         mt->mt_rwmap.rwm_at.drop_missing = 0;
1845                         break;
1846
1847                 case LDAP_BACK_CFG_SUBTREE_EX:
1848                 case LDAP_BACK_CFG_SUBTREE_IN:
1849                         /* can only be one of exclude or include */
1850                         if (( c->type == LDAP_BACK_CFG_SUBTREE_EX ) ^ mt->mt_subtree_exclude ) {
1851                                 rc = 1;
1852                                 break;
1853                         }
1854                         if ( c->valx < 0 ) {
1855                                 meta_subtree_destroy( mt->mt_subtree );
1856                                 mt->mt_subtree = NULL;
1857                         } else {
1858                                 metasubtree_t *ms, **mprev;
1859                                 for (i=0, mprev = &mt->mt_subtree, ms = *mprev; ms; ms = *mprev) {
1860                                         if ( i == c->valx ) {
1861                                                 *mprev = ms->ms_next;
1862                                                 meta_subtree_free( ms );
1863                                                 break;
1864                                         }
1865                                         i++;
1866                                         mprev = &ms->ms_next;
1867                                 }
1868                                 if ( i != c->valx )
1869                                         rc = 1;
1870                         }
1871                         break;
1872
1873                 case LDAP_BACK_CFG_FILTER:
1874                         if ( c->valx < 0 ) {
1875                                 meta_filter_destroy( mt->mt_filter );
1876                                 mt->mt_filter = NULL;
1877                         } else {
1878                                 metafilter_t *mf, **mprev;
1879                                 for (i=0, mprev = &mt->mt_filter, mf = *mprev; mf; mf = *mprev) {
1880                                         if ( i == c->valx ) {
1881                                                 *mprev = mf->mf_next;
1882                                                 meta_filter_free( mf );
1883                                                 break;
1884                                         }
1885                                         i++;
1886                                         mprev = &mf->mf_next;
1887                                 }
1888                                 if ( i != c->valx )
1889                                         rc = 1;
1890                         }
1891                         break;
1892
1893                 case LDAP_BACK_CFG_KEEPALIVE:
1894                         mt->mt_tls.sb_keepalive.sk_idle = 0;
1895                         mt->mt_tls.sb_keepalive.sk_probes = 0;
1896                         mt->mt_tls.sb_keepalive.sk_interval = 0;
1897                         break;
1898
1899                 default:
1900                         rc = 1;
1901                         break;
1902                 }
1903
1904                 return rc;
1905         }
1906
1907         if ( c->op == SLAP_CONFIG_ADD ) {
1908                 if ( c->type >= LDAP_BACK_CFG_LAST_BASE ) {
1909                         /* exclude CFG_URI from this check */
1910                         if ( c->type > LDAP_BACK_CFG_LAST_BOTH ) {
1911                                 if ( !mi->mi_ntargets ) {
1912                                         snprintf( c->cr_msg, sizeof( c->cr_msg ),
1913                                                 "need \"uri\" directive first" );
1914                                         Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
1915                                         return 1;
1916                                 }
1917                         }
1918                         if ( mi->mi_ntargets ) {
1919                                 mt = mi->mi_targets[ mi->mi_ntargets-1 ];
1920                                 mc = &mt->mt_mc;
1921                         } else {
1922                                 mt = NULL;
1923                                 mc = &mi->mi_mc;
1924                         }
1925                 }
1926         } else {
1927                 if ( c->table == Cft_Database ) {
1928                         mt = NULL;
1929                         mc = &mi->mi_mc;
1930                 } else {
1931                         mt = c->ca_private;
1932                         if ( mt )
1933                                 mc = &mt->mt_mc;
1934                         else
1935                                 mc = NULL;
1936                 }
1937         }
1938
1939         switch( c->type ) {
1940         case LDAP_BACK_CFG_URI: {
1941                 LDAPURLDesc     *ludp;
1942                 struct berval   dn;
1943                 int             j;
1944
1945                 char            **uris = NULL;
1946
1947                 if ( c->be->be_nsuffix == NULL ) {
1948                         snprintf( c->cr_msg, sizeof( c->cr_msg ),
1949                                 "the suffix must be defined before any target" );
1950                         Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
1951                         return 1;
1952                 }
1953
1954                 i = mi->mi_ntargets++;
1955
1956                 mi->mi_targets = ( metatarget_t ** )ch_realloc( mi->mi_targets,
1957                         sizeof( metatarget_t * ) * mi->mi_ntargets );
1958                 if ( mi->mi_targets == NULL ) {
1959                         snprintf( c->cr_msg, sizeof( c->cr_msg ),
1960                                 "out of memory while storing server name"
1961                                 " in \"%s <protocol>://<server>[:port]/<naming context>\"",
1962                                 c->argv[0] );
1963                         Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
1964                         return 1;
1965                 }
1966
1967                 if ( meta_back_new_target( &mi->mi_targets[ i ] ) != 0 ) {
1968                         snprintf( c->cr_msg, sizeof( c->cr_msg ),
1969                                 "unable to init server"
1970                                 " in \"%s <protocol>://<server>[:port]/<naming context>\"",
1971                                 c->argv[0] );
1972                         Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
1973                         return 1;
1974                 }
1975
1976                 mt = mi->mi_targets[ i ];
1977
1978                 mt->mt_rebind_f = mi->mi_rebind_f;
1979                 mt->mt_urllist_f = mi->mi_urllist_f;
1980                 mt->mt_urllist_p = mt;
1981
1982                 if ( META_BACK_QUARANTINE( mi ) ) {
1983                         ldap_pvt_thread_mutex_init( &mt->mt_quarantine_mutex );
1984                 }
1985                 mt->mt_mc = mi->mi_mc;
1986
1987                 for ( j = 1; j < c->argc; j++ ) {
1988                         char    **tmpuris = ldap_str2charray( c->argv[ j ], "\t" );
1989
1990                         if ( tmpuris == NULL ) {
1991                                 snprintf( c->cr_msg, sizeof( c->cr_msg ),
1992                                         "unable to parse URIs #%d"
1993                                         " in \"%s <protocol>://<server>[:port]/<naming context>\"",
1994                                         j-1, c->argv[0] );
1995                                 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
1996                                 return 1;
1997                         }
1998
1999                         if ( j == 1 ) {
2000                                 uris = tmpuris;
2001
2002                         } else {
2003                                 ldap_charray_merge( &uris, tmpuris );
2004                                 ldap_charray_free( tmpuris );
2005                         }
2006                 }
2007
2008                 for ( j = 0; uris[ j ] != NULL; j++ ) {
2009                         char *tmpuri = NULL;
2010
2011                         /*
2012                          * uri MUST be legal!
2013                          */
2014                         if ( ldap_url_parselist_ext( &ludp, uris[ j ], "\t",
2015                                         LDAP_PVT_URL_PARSE_NONE ) != LDAP_SUCCESS
2016                                 || ludp->lud_next != NULL )
2017                         {
2018                                 snprintf( c->cr_msg, sizeof( c->cr_msg ),
2019                                         "unable to parse URI #%d"
2020                                         " in \"%s <protocol>://<server>[:port]/<naming context>\"",
2021                                         j-1, c->argv[0] );
2022                                 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2023                                 ldap_charray_free( uris );
2024                                 return 1;
2025                         }
2026
2027                         if ( j == 0 ) {
2028
2029                                 /*
2030                                  * uri MUST have the <dn> part!
2031                                  */
2032                                 if ( ludp->lud_dn == NULL ) {
2033                                         snprintf( c->cr_msg, sizeof( c->cr_msg ),
2034                                                 "missing <naming context> "
2035                                                 " in \"%s <protocol>://<server>[:port]/<naming context>\"",
2036                                                 c->argv[0] );
2037                                         Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2038                                         ldap_free_urllist( ludp );
2039                                         ldap_charray_free( uris );
2040                                         return 1;
2041                                 }
2042
2043                                 /*
2044                                  * copies and stores uri and suffix
2045                                  */
2046                                 ber_str2bv( ludp->lud_dn, 0, 0, &dn );
2047                                 rc = dnPrettyNormal( NULL, &dn, &mt->mt_psuffix,
2048                                         &mt->mt_nsuffix, NULL );
2049                                 if ( rc != LDAP_SUCCESS ) {
2050                                         snprintf( c->cr_msg, sizeof( c->cr_msg ),
2051                                                 "target DN is invalid \"%s\"",
2052                                                 c->argv[1] );
2053                                         Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2054                                         ldap_free_urllist( ludp );
2055                                         ldap_charray_free( uris );
2056                                         return( 1 );
2057                                 }
2058
2059                                 ludp->lud_dn[ 0 ] = '\0';
2060
2061                                 switch ( ludp->lud_scope ) {
2062                                 case LDAP_SCOPE_DEFAULT:
2063                                         mt->mt_scope = LDAP_SCOPE_SUBTREE;
2064                                         break;
2065
2066                                 case LDAP_SCOPE_SUBTREE:
2067                                 case LDAP_SCOPE_SUBORDINATE:
2068                                         mt->mt_scope = ludp->lud_scope;
2069                                         break;
2070
2071                                 default:
2072                                         snprintf( c->cr_msg, sizeof( c->cr_msg ),
2073                                                 "invalid scope for target \"%s\"",
2074                                                 c->argv[1] );
2075                                         Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2076                                         ldap_free_urllist( ludp );
2077                                         ldap_charray_free( uris );
2078                                         return( 1 );
2079                                 }
2080
2081                         } else {
2082                                 /* check all, to apply the scope check on the first one */
2083                                 if ( ludp->lud_dn != NULL && ludp->lud_dn[ 0 ] != '\0' ) {
2084                                         snprintf( c->cr_msg, sizeof( c->cr_msg ),
2085                                                 "multiple URIs must have no DN part" );
2086                                         Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2087                                         ldap_free_urllist( ludp );
2088                                         ldap_charray_free( uris );
2089                                         return( 1 );
2090
2091                                 }
2092                         }
2093
2094                         tmpuri = ldap_url_list2urls( ludp );
2095                         ldap_free_urllist( ludp );
2096                         if ( tmpuri == NULL ) {
2097                                 snprintf( c->cr_msg, sizeof( c->cr_msg ), "no memory?" );
2098                                 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2099                                 ldap_charray_free( uris );
2100                                 return( 1 );
2101                         }
2102                         ldap_memfree( uris[ j ] );
2103                         uris[ j ] = tmpuri;
2104                 }
2105
2106                 mt->mt_uri = ldap_charray2str( uris, " " );
2107                 ldap_charray_free( uris );
2108                 if ( mt->mt_uri == NULL) {
2109                         snprintf( c->cr_msg, sizeof( c->cr_msg ), "no memory?" );
2110                         Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2111                         return( 1 );
2112                 }
2113
2114                 /*
2115                  * uri MUST be a branch of suffix!
2116                  */
2117                 for ( j = 0; !BER_BVISNULL( &c->be->be_nsuffix[ j ] ); j++ ) {
2118                         if ( dnIsSuffix( &mt->mt_nsuffix, &c->be->be_nsuffix[ j ] ) ) {
2119                                 break;
2120                         }
2121                 }
2122
2123                 if ( BER_BVISNULL( &c->be->be_nsuffix[ j ] ) ) {
2124                         snprintf( c->cr_msg, sizeof( c->cr_msg ),
2125                                 "<naming context> of URI must be within the naming context of this database." );
2126                         Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2127                         return 1;
2128                 }
2129                 c->ca_private = mt;
2130                 c->cleanup = meta_cf_cleanup;
2131         } break;
2132         case LDAP_BACK_CFG_SUBTREE_EX:
2133         case LDAP_BACK_CFG_SUBTREE_IN:
2134         /* subtree-exclude */
2135                 if ( meta_subtree_config( mt, c )) {
2136                         Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2137                         return 1;
2138                 }
2139                 break;
2140
2141         case LDAP_BACK_CFG_FILTER: {
2142                 metafilter_t *mf, **m2;
2143                 mf = ch_malloc( sizeof( metafilter_t ));
2144                 rc = regcomp( &mf->mf_regex, c->argv[1], REG_EXTENDED );
2145                 if ( rc ) {
2146                         char regerr[ SLAP_TEXT_BUFLEN ];
2147                         regerror( rc, &mf->mf_regex, regerr, sizeof(regerr) );
2148                         snprintf( c->cr_msg, sizeof( c->cr_msg ),
2149                                 "regular expression \"%s\" bad because of %s",
2150                                 c->argv[1], regerr );
2151                         ch_free( mf );
2152                         return 1;
2153                 }
2154                 ber_str2bv( c->argv[1], 0, 1, &mf->mf_regex_pattern );
2155                 for ( m2 = &mt->mt_filter; *m2; m2 = &(*m2)->mf_next )
2156                         ;
2157                 *m2 = mf;
2158         } break;
2159
2160         case LDAP_BACK_CFG_DEFAULT_T:
2161         /* default target directive */
2162                 i = mi->mi_ntargets - 1;
2163
2164                 if ( c->argc == 1 ) {
2165                         if ( i < 0 ) {
2166                                 snprintf( c->cr_msg, sizeof( c->cr_msg ),
2167                                         "\"%s\" alone must be inside a \"uri\" directive",
2168                                         c->argv[0] );
2169                                 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2170                                 return 1;
2171                         }
2172                         mi->mi_defaulttarget = i;
2173
2174                 } else {
2175                         if ( strcasecmp( c->argv[ 1 ], "none" ) == 0 ) {
2176                                 if ( i >= 0 ) {
2177                                         snprintf( c->cr_msg, sizeof( c->cr_msg ),
2178                                                 "\"%s none\" should go before uri definitions",
2179                                                 c->argv[0] );
2180                                         Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2181                                 }
2182                                 mi->mi_defaulttarget = META_DEFAULT_TARGET_NONE;
2183
2184                         } else {
2185
2186                                 if ( lutil_atoi( &mi->mi_defaulttarget, c->argv[ 1 ] ) != 0
2187                                         || mi->mi_defaulttarget < 0
2188                                         || mi->mi_defaulttarget >= i - 1 )
2189                                 {
2190                                         snprintf( c->cr_msg, sizeof( c->cr_msg ),
2191                                                 "illegal target number %d",
2192                                                 mi->mi_defaulttarget );
2193                                         Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2194                                         return 1;
2195                                 }
2196                         }
2197                 }
2198                 break;
2199
2200         case LDAP_BACK_CFG_DNCACHE_TTL:
2201         /* ttl of dn cache */
2202                 if ( strcasecmp( c->argv[ 1 ], "forever" ) == 0 ) {
2203                         mi->mi_cache.ttl = META_DNCACHE_FOREVER;
2204
2205                 } else if ( strcasecmp( c->argv[ 1 ], "disabled" ) == 0 ) {
2206                         mi->mi_cache.ttl = META_DNCACHE_DISABLED;
2207
2208                 } else {
2209                         unsigned long   t;
2210
2211                         if ( lutil_parse_time( c->argv[ 1 ], &t ) != 0 ) {
2212                                 snprintf( c->cr_msg, sizeof( c->cr_msg ),
2213                                         "unable to parse dncache ttl \"%s\"",
2214                                         c->argv[ 1 ] );
2215                                 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2216                                 return 1;
2217                         }
2218                         mi->mi_cache.ttl = (time_t)t;
2219                 }
2220                 break;
2221
2222         case LDAP_BACK_CFG_NETWORK_TIMEOUT: {
2223         /* network timeout when connecting to ldap servers */
2224                 unsigned long t;
2225
2226                 if ( lutil_parse_time( c->argv[ 1 ], &t ) ) {
2227                         snprintf( c->cr_msg, sizeof( c->cr_msg ),
2228                                 "unable to parse network timeout \"%s\"",
2229                                 c->argv[ 1 ] );
2230                         Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2231                         return 1;
2232                 }
2233                 mc->mc_network_timeout = (time_t)t;
2234                 } break;
2235
2236         case LDAP_BACK_CFG_IDLE_TIMEOUT: {
2237         /* idle timeout when connecting to ldap servers */
2238                 unsigned long   t;
2239
2240                 if ( lutil_parse_time( c->argv[ 1 ], &t ) ) {
2241                         snprintf( c->cr_msg, sizeof( c->cr_msg ),
2242                                 "unable to parse idle timeout \"%s\"",
2243                                 c->argv[ 1 ] );
2244                         Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2245                         return 1;
2246
2247                 }
2248                 mi->mi_idle_timeout = (time_t)t;
2249                 } break;
2250
2251         case LDAP_BACK_CFG_CONN_TTL: {
2252         /* conn ttl */
2253                 unsigned long   t;
2254
2255                 if ( lutil_parse_time( c->argv[ 1 ], &t ) ) {
2256                         snprintf( c->cr_msg, sizeof( c->cr_msg ),
2257                                 "unable to parse conn ttl \"%s\"",
2258                                 c->argv[ 1 ] );
2259                         Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2260                         return 1;
2261
2262                 }
2263                 mi->mi_conn_ttl = (time_t)t;
2264                 } break;
2265
2266         case LDAP_BACK_CFG_BIND_TIMEOUT:
2267         /* bind timeout when connecting to ldap servers */
2268                 mc->mc_bind_timeout.tv_sec = c->value_ulong/1000000;
2269                 mc->mc_bind_timeout.tv_usec = c->value_ulong%1000000;
2270                 break;
2271
2272         case LDAP_BACK_CFG_ACL_AUTHCDN:
2273         /* name to use for meta_back_group */
2274                 if ( strcasecmp( c->argv[ 0 ], "binddn" ) == 0 ) {
2275                         Debug( LDAP_DEBUG_ANY, "%s: "
2276                                 "\"binddn\" statement is deprecated; "
2277                                 "use \"acl-authcDN\" instead\n",
2278                                 c->log, 0, 0 );
2279                         /* FIXME: some day we'll need to throw an error */
2280                 }
2281
2282                 ber_memfree_x( c->value_dn.bv_val, NULL );
2283                 mt->mt_binddn = c->value_ndn;
2284                 BER_BVZERO( &c->value_dn );
2285                 BER_BVZERO( &c->value_ndn );
2286                 break;
2287
2288         case LDAP_BACK_CFG_ACL_PASSWD:
2289         /* password to use for meta_back_group */
2290                 if ( strcasecmp( c->argv[ 0 ], "bindpw" ) == 0 ) {
2291                         Debug( LDAP_DEBUG_ANY, "%s "
2292                                 "\"bindpw\" statement is deprecated; "
2293                                 "use \"acl-passwd\" instead\n",
2294                                 c->log, 0, 0 );
2295                         /* FIXME: some day we'll need to throw an error */
2296                 }
2297
2298                 ber_str2bv( c->argv[ 1 ], 0L, 1, &mt->mt_bindpw );
2299                 break;
2300
2301         case LDAP_BACK_CFG_REBIND:
2302         /* save bind creds for referral rebinds? */
2303                 if ( c->argc == 1 || c->value_int ) {
2304                         mc->mc_flags |= LDAP_BACK_F_SAVECRED;
2305                 } else {
2306                         mc->mc_flags &= ~LDAP_BACK_F_SAVECRED;
2307                 }
2308                 break;
2309
2310         case LDAP_BACK_CFG_CHASE:
2311                 if ( c->argc == 1 || c->value_int ) {
2312                         mc->mc_flags |= LDAP_BACK_F_CHASE_REFERRALS;
2313                 } else {
2314                         mc->mc_flags &= ~LDAP_BACK_F_CHASE_REFERRALS;
2315                 }
2316                 break;
2317
2318         case LDAP_BACK_CFG_TLS:
2319                 i = verb_to_mask( c->argv[1], tls_mode );
2320                 if ( BER_BVISNULL( &tls_mode[i].word ) ) {
2321                         snprintf( c->cr_msg, sizeof( c->cr_msg ),
2322                                 "%s unknown argument \"%s\"",
2323                                 c->argv[0], c->argv[1] );
2324                         Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2325                         return 1;
2326                 }
2327                 mc->mc_flags &= ~LDAP_BACK_F_TLS_MASK;
2328                 mc->mc_flags |= tls_mode[i].mask;
2329
2330                 if ( c->argc > 2 ) {
2331                         if ( c->op == SLAP_CONFIG_ADD && mi->mi_ntargets == 0 ) {
2332                                 snprintf( c->cr_msg, sizeof( c->cr_msg ),
2333                                         "need \"uri\" directive first" );
2334                                 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2335                                 return 1;
2336                         }
2337
2338                         for ( i = 2; i < c->argc; i++ ) {
2339                                 if ( bindconf_tls_parse( c->argv[i], &mt->mt_tls ))
2340                                         return 1;
2341                         }
2342                         bindconf_tls_defaults( &mt->mt_tls );
2343                 }
2344                 break;
2345
2346         case LDAP_BACK_CFG_T_F:
2347                 i = verb_to_mask( c->argv[1], t_f_mode );
2348                 if ( BER_BVISNULL( &t_f_mode[i].word ) ) {
2349                         snprintf( c->cr_msg, sizeof( c->cr_msg ),
2350                                 "%s unknown argument \"%s\"",
2351                                 c->argv[0], c->argv[1] );
2352                         Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2353                         return 1;
2354                 }
2355                 mc->mc_flags &= ~LDAP_BACK_F_T_F_MASK2;
2356                 mc->mc_flags |= t_f_mode[i].mask;
2357                 break;
2358
2359         case LDAP_BACK_CFG_ONERR:
2360         /* onerr? */
2361                 i = verb_to_mask( c->argv[1], onerr_mode );
2362                 if ( BER_BVISNULL( &onerr_mode[i].word ) ) {
2363                         snprintf( c->cr_msg, sizeof( c->cr_msg ),
2364                                 "%s unknown argument \"%s\"",
2365                                 c->argv[0], c->argv[1] );
2366                         Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2367                         return 1;
2368                 }
2369                 mi->mi_flags &= ~META_BACK_F_ONERR_MASK;
2370                 mi->mi_flags |= onerr_mode[i].mask;
2371                 break;
2372
2373         case LDAP_BACK_CFG_PSEUDOROOT_BIND_DEFER:
2374         /* bind-defer? */
2375                 if ( c->argc == 1 || c->value_int ) {
2376                         mi->mi_flags |= META_BACK_F_DEFER_ROOTDN_BIND;
2377                 } else {
2378                         mi->mi_flags &= ~META_BACK_F_DEFER_ROOTDN_BIND;
2379                 }
2380                 break;
2381
2382         case LDAP_BACK_CFG_SINGLECONN:
2383         /* single-conn? */
2384                 if ( mi->mi_ntargets > 0 ) {
2385                         snprintf( c->cr_msg, sizeof( c->cr_msg ),
2386                                 "\"%s\" must appear before target definitions",
2387                                 c->argv[0] );
2388                         Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2389                         return( 1 );
2390                 }
2391                 if ( c->value_int ) {
2392                         mi->mi_flags |= LDAP_BACK_F_SINGLECONN;
2393                 } else {
2394                         mi->mi_flags &= ~LDAP_BACK_F_SINGLECONN;
2395                 }
2396                 break;
2397
2398         case LDAP_BACK_CFG_USETEMP:
2399         /* use-temporaries? */
2400                 if ( mi->mi_ntargets > 0 ) {
2401                         snprintf( c->cr_msg, sizeof( c->cr_msg ),
2402                                 "\"%s\" must appear before target definitions",
2403                                 c->argv[0] );
2404                         Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2405                         return( 1 );
2406                 }
2407                 if ( c->value_int ) {
2408                         mi->mi_flags |= LDAP_BACK_F_USE_TEMPORARIES;
2409                 } else {
2410                         mi->mi_flags &= ~LDAP_BACK_F_USE_TEMPORARIES;
2411                 }
2412                 break;
2413
2414         case LDAP_BACK_CFG_CONNPOOLMAX:
2415         /* privileged connections pool max size ? */
2416                 if ( mi->mi_ntargets > 0 ) {
2417                         snprintf( c->cr_msg, sizeof( c->cr_msg ),
2418                                 "\"%s\" must appear before target definitions",
2419                                 c->argv[0] );
2420                         Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2421                         return( 1 );
2422                 }
2423
2424                 if ( c->value_int < LDAP_BACK_CONN_PRIV_MIN
2425                         || c->value_int > LDAP_BACK_CONN_PRIV_MAX )
2426                 {
2427                         snprintf( c->cr_msg, sizeof( c->cr_msg ),
2428                                 "invalid max size " "of privileged "
2429                                 "connections pool \"%s\" "
2430                                 "in \"conn-pool-max <n> "
2431                                 "(must be between %d and %d)\"",
2432                                 c->argv[ 1 ],
2433                                 LDAP_BACK_CONN_PRIV_MIN,
2434                                 LDAP_BACK_CONN_PRIV_MAX );
2435                         Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2436                         return 1;
2437                 }
2438                 mi->mi_conn_priv_max = c->value_int;
2439                 break;
2440
2441         case LDAP_BACK_CFG_CANCEL:
2442                 i = verb_to_mask( c->argv[1], cancel_mode );
2443                 if ( BER_BVISNULL( &cancel_mode[i].word ) ) {
2444                         snprintf( c->cr_msg, sizeof( c->cr_msg ),
2445                                 "%s unknown argument \"%s\"",
2446                                 c->argv[0], c->argv[1] );
2447                         Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2448                         return 1;
2449                 }
2450                 mc->mc_flags &= ~LDAP_BACK_F_CANCEL_MASK2;
2451                 mc->mc_flags |= t_f_mode[i].mask;
2452                 break;
2453
2454         case LDAP_BACK_CFG_TIMEOUT:
2455                 for ( i = 1; i < c->argc; i++ ) {
2456                         if ( isdigit( (unsigned char) c->argv[ i ][ 0 ] ) ) {
2457                                 int             j;
2458                                 unsigned        u;
2459
2460                                 if ( lutil_atoux( &u, c->argv[ i ], 0 ) != 0 ) {
2461                                         snprintf( c->cr_msg, sizeof( c->cr_msg),
2462                                                 "unable to parse timeout \"%s\"",
2463                                                 c->argv[ i ] );
2464                                         Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2465                                         return 1;
2466                                 }
2467
2468                                 for ( j = 0; j < SLAP_OP_LAST; j++ ) {
2469                                         mc->mc_timeout[ j ] = u;
2470                                 }
2471
2472                                 continue;
2473                         }
2474
2475                         if ( slap_cf_aux_table_parse( c->argv[ i ], mc->mc_timeout, timeout_table, "slapd-meta timeout" ) ) {
2476                                 snprintf( c->cr_msg, sizeof( c->cr_msg),
2477                                         "unable to parse timeout \"%s\"",
2478                                         c->argv[ i ] );
2479                                 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2480                                 return 1;
2481                         }
2482                 }
2483                 break;
2484
2485         case LDAP_BACK_CFG_PSEUDOROOTDN:
2486         /* name to use as pseudo-root dn */
2487                 /*
2488                  * exact replacement:
2489                  *
2490
2491 idassert-bind   bindmethod=simple
2492                 binddn=<pseudorootdn>
2493                 credentials=<pseudorootpw>
2494                 mode=none
2495                 flags=non-prescriptive
2496 idassert-authzFrom      "dn:<rootdn>"
2497
2498                  * so that only when authc'd as <rootdn> the proxying occurs
2499                  * rebinding as the <pseudorootdn> without proxyAuthz.
2500                  */
2501
2502                 Debug( LDAP_DEBUG_ANY,
2503                         "%s: \"pseudorootdn\", \"pseudorootpw\" are no longer supported; "
2504                         "use \"idassert-bind\" and \"idassert-authzFrom\" instead.\n",
2505                         c->log, 0, 0 );
2506
2507                 {
2508                         char    binddn[ SLAP_TEXT_BUFLEN ];
2509                         char    *cargv[] = {
2510                                 "idassert-bind",
2511                                 "bindmethod=simple",
2512                                 NULL,
2513                                 "mode=none",
2514                                 "flags=non-prescriptive",
2515                                 NULL
2516                         };
2517                         char **oargv;
2518                         int oargc;
2519                         int     cargc = 5;
2520                         int     rc;
2521
2522
2523                         if ( BER_BVISNULL( &c->be->be_rootndn ) ) {
2524                                 Debug( LDAP_DEBUG_ANY, "%s: \"pseudorootpw\": \"rootdn\" must be defined first.\n",
2525                                         c->log, 0, 0 );
2526                                 return 1;
2527                         }
2528
2529                         if ( sizeof( binddn ) <= (unsigned) snprintf( binddn,
2530                                         sizeof( binddn ), "binddn=%s", c->argv[ 1 ] ))
2531                         {
2532                                 Debug( LDAP_DEBUG_ANY, "%s: \"pseudorootdn\" too long.\n",
2533                                         c->log, 0, 0 );
2534                                 return 1;
2535                         }
2536                         cargv[ 2 ] = binddn;
2537
2538                         oargv = c->argv;
2539                         oargc = c->argc;
2540                         c->argv = cargv;
2541                         c->argc = cargc;
2542                         rc = mi->mi_ldap_extra->idassert_parse( c, &mt->mt_idassert );
2543                         c->argv = oargv;
2544                         c->argc = oargc;
2545                         if ( rc == 0 ) {
2546                                 struct berval   bv;
2547
2548                                 if ( mt->mt_idassert_authz != NULL ) {
2549                                         Debug( LDAP_DEBUG_ANY, "%s: \"idassert-authzFrom\" already defined (discarded).\n",
2550                                                 c->log, 0, 0 );
2551                                         ber_bvarray_free( mt->mt_idassert_authz );
2552                                         mt->mt_idassert_authz = NULL;
2553                                 }
2554
2555                                 assert( !BER_BVISNULL( &mt->mt_idassert_authcDN ) );
2556
2557                                 bv.bv_len = STRLENOF( "dn:" ) + c->be->be_rootndn.bv_len;
2558                                 bv.bv_val = ber_memalloc( bv.bv_len + 1 );
2559                                 AC_MEMCPY( bv.bv_val, "dn:", STRLENOF( "dn:" ) );
2560                                 AC_MEMCPY( &bv.bv_val[ STRLENOF( "dn:" ) ], c->be->be_rootndn.bv_val, c->be->be_rootndn.bv_len + 1 );
2561
2562                                 ber_bvarray_add( &mt->mt_idassert_authz, &bv );
2563                         }
2564
2565                         return rc;
2566                 }
2567                 break;
2568
2569         case LDAP_BACK_CFG_PSEUDOROOTPW:
2570         /* password to use as pseudo-root */
2571                 Debug( LDAP_DEBUG_ANY,
2572                         "%s: \"pseudorootdn\", \"pseudorootpw\" are no longer supported; "
2573                         "use \"idassert-bind\" and \"idassert-authzFrom\" instead.\n",
2574                         c->log, 0, 0 );
2575
2576                 if ( BER_BVISNULL( &mt->mt_idassert_authcDN ) ) {
2577                         Debug( LDAP_DEBUG_ANY, "%s: \"pseudorootpw\": \"pseudorootdn\" must be defined first.\n",
2578                                 c->log, 0, 0 );
2579                         return 1;
2580                 }
2581
2582                 if ( !BER_BVISNULL( &mt->mt_idassert_passwd ) ) {
2583                         memset( mt->mt_idassert_passwd.bv_val, 0,
2584                                 mt->mt_idassert_passwd.bv_len );
2585                         ber_memfree( mt->mt_idassert_passwd.bv_val );
2586                 }
2587                 ber_str2bv( c->argv[ 1 ], 0, 1, &mt->mt_idassert_passwd );
2588                 break;
2589
2590         case LDAP_BACK_CFG_IDASSERT_BIND:
2591         /* idassert-bind */
2592                 rc = mi->mi_ldap_extra->idassert_parse( c, &mt->mt_idassert );
2593                 break;
2594
2595         case LDAP_BACK_CFG_IDASSERT_AUTHZFROM:
2596         /* idassert-authzFrom */
2597                 rc = mi->mi_ldap_extra->idassert_authzfrom_parse( c, &mt->mt_idassert );
2598                 break;
2599
2600         case LDAP_BACK_CFG_QUARANTINE:
2601         /* quarantine */
2602                 if ( META_BACK_CMN_QUARANTINE( mc ) )
2603                 {
2604                         snprintf( c->cr_msg, sizeof( c->cr_msg ),
2605                                 "quarantine already defined" );
2606                         Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2607                         return 1;
2608                 }
2609
2610                 if ( mt ) {
2611                         mc->mc_quarantine.ri_interval = NULL;
2612                         mc->mc_quarantine.ri_num = NULL;
2613                         if ( !META_BACK_QUARANTINE( mi ) ) {
2614                                 ldap_pvt_thread_mutex_init( &mt->mt_quarantine_mutex );
2615                         }
2616                 }
2617
2618                 if ( mi->mi_ldap_extra->retry_info_parse( c->argv[ 1 ], &mc->mc_quarantine, c->cr_msg, sizeof( c->cr_msg ) ) ) {
2619                         Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2620                         return 1;
2621                 }
2622
2623                 mc->mc_flags |= LDAP_BACK_F_QUARANTINE;
2624                 break;
2625
2626 #ifdef SLAP_CONTROL_X_SESSION_TRACKING
2627         case LDAP_BACK_CFG_ST_REQUEST:
2628         /* session tracking request */
2629                 if ( c->value_int ) {
2630                         mc->mc_flags |= LDAP_BACK_F_ST_REQUEST;
2631                 } else {
2632                         mc->mc_flags &= ~LDAP_BACK_F_ST_REQUEST;
2633                 }
2634                 break;
2635 #endif /* SLAP_CONTROL_X_SESSION_TRACKING */
2636
2637         case LDAP_BACK_CFG_SUFFIXM:     /* FALLTHRU */
2638         case LDAP_BACK_CFG_REWRITE: {
2639         /* rewrite stuff ... */
2640                 ConfigArgs ca = { 0 };
2641                 char *line, **argv;
2642                 struct rewrite_info *rwi;
2643                 int cnt = 0, argc, ix = c->valx;
2644
2645                 if ( mt->mt_rwmap.rwm_bva_rewrite ) {
2646                         for ( ; !BER_BVISNULL( &mt->mt_rwmap.rwm_bva_rewrite[ cnt ] ); cnt++ )
2647                                 /* count */ ;
2648                 }
2649
2650                 if ( ix >= cnt || ix < 0 ) {
2651                         ix = cnt;
2652                 } else {
2653                         rwi = mt->mt_rwmap.rwm_rw;
2654
2655                         mt->mt_rwmap.rwm_rw = NULL;
2656                         rc = meta_rwi_init( &mt->mt_rwmap.rwm_rw );
2657
2658                         /* re-parse all rewrite rules, up to the one
2659                          * that needs to be added */
2660                         ca.fname = c->fname;
2661                         ca.lineno = c->lineno;
2662                         for ( i = 0; i < ix; i++ ) {
2663                                 ca.line = mt->mt_rwmap.rwm_bva_rewrite[ i ].bv_val;
2664                                 ca.argc = 0;
2665                                 config_fp_parse_line( &ca );
2666
2667                                 if ( !strcasecmp( ca.argv[0], "suffixmassage" )) {
2668                                         rc = meta_suffixm_config( &ca, ca.argc, ca.argv, mt );
2669                                 } else {
2670                                         rc = rewrite_parse( mt->mt_rwmap.rwm_rw,
2671                                                 c->fname, c->lineno, ca.argc, ca.argv );
2672                                 }
2673                                 assert( rc == 0 );
2674                                 ch_free( ca.argv );
2675                                 ch_free( ca.tline );
2676                         }
2677                 }
2678                 argc = c->argc;
2679                 argv = c->argv;
2680                 if ( c->op != SLAP_CONFIG_ADD ) {
2681                         argc--;
2682                         argv++;
2683                 }
2684                 /* add the new rule */
2685                 if ( !strcasecmp( argv[0], "suffixmassage" )) {
2686                         rc = meta_suffixm_config( c, argc, argv, mt );
2687                 } else {
2688                         rc = rewrite_parse( mt->mt_rwmap.rwm_rw,
2689                                                 c->fname, c->lineno, argc, argv );
2690                 }
2691                 if ( rc ) {
2692                         if ( ix < cnt ) {
2693                                 rewrite_info_delete( &mt->mt_rwmap.rwm_rw );
2694                                 mt->mt_rwmap.rwm_rw = rwi;
2695                         }
2696                         return 1;
2697                 }
2698                 if ( ix < cnt ) {
2699                         for ( ; i < cnt; i++ ) {
2700                                 ca.line = mt->mt_rwmap.rwm_bva_rewrite[ i ].bv_val;
2701                                 ca.argc = 0;
2702                                 config_fp_parse_line( &ca );
2703
2704                                 if ( !strcasecmp( ca.argv[0], "suffixmassage" )) {
2705                                         rc = meta_suffixm_config( &ca, ca.argc, ca.argv, mt );
2706                                 } else {
2707                                         rc = rewrite_parse( mt->mt_rwmap.rwm_rw,
2708                                                 c->fname, c->lineno, ca.argc, argv );
2709                                 }
2710                                 assert( rc == 0 );
2711                                 ch_free( ca.argv );
2712                                 ch_free( ca.tline );
2713                         }
2714                 }
2715
2716                 /* save the rule info */
2717                 line = ldap_charray2str( argv, "\" \"" );
2718                 if ( line != NULL ) {
2719                         struct berval bv;
2720                         int len = strlen( argv[ 0 ] );
2721
2722                         ber_str2bv( line, 0, 0, &bv );
2723                         AC_MEMCPY( &bv.bv_val[ len ], &bv.bv_val[ len + 1 ],
2724                                 bv.bv_len - ( len + 1 ));
2725                         bv.bv_val[ bv.bv_len - 1] = '"';
2726                         ber_bvarray_add( &mt->mt_rwmap.rwm_bva_rewrite, &bv );
2727                         /* move it to the right slot */
2728                         if ( ix < cnt ) {
2729                                 for ( i=cnt; i>ix; i-- )
2730                                         mt->mt_rwmap.rwm_bva_rewrite[i+1] = mt->mt_rwmap.rwm_bva_rewrite[i];
2731                                 mt->mt_rwmap.rwm_bva_rewrite[i] = bv;
2732
2733                                 /* destroy old rules */
2734                                 rewrite_info_delete( &rwi );
2735                         }
2736                 }
2737                 } break;
2738
2739         case LDAP_BACK_CFG_MAP: {
2740         /* objectclass/attribute mapping */
2741                 ConfigArgs ca = { 0 };
2742                 char *argv[5];
2743                 struct ldapmap rwm_oc;
2744                 struct ldapmap rwm_at;
2745                 int cnt = 0, ix = c->valx;
2746
2747                 if ( mt->mt_rwmap.rwm_bva_map ) {
2748                         for ( ; !BER_BVISNULL( &mt->mt_rwmap.rwm_bva_map[ cnt ] ); cnt++ )
2749                                 /* count */ ;
2750                 }
2751
2752                 if ( ix >= cnt || ix < 0 ) {
2753                         ix = cnt;
2754                 } else {
2755                         rwm_oc = mt->mt_rwmap.rwm_oc;
2756                         rwm_at = mt->mt_rwmap.rwm_at;
2757
2758                         memset( &mt->mt_rwmap.rwm_oc, 0, sizeof( mt->mt_rwmap.rwm_oc ) );
2759                         memset( &mt->mt_rwmap.rwm_at, 0, sizeof( mt->mt_rwmap.rwm_at ) );
2760
2761                         /* re-parse all mappings, up to the one
2762                          * that needs to be added */
2763                         argv[0] = c->argv[0];
2764                         ca.fname = c->fname;
2765                         ca.lineno = c->lineno;
2766                         for ( i = 0; i < ix; i++ ) {
2767                                 ca.line = mt->mt_rwmap.rwm_bva_map[ i ].bv_val;
2768                                 ca.argc = 0;
2769                                 config_fp_parse_line( &ca );
2770
2771                                 argv[1] = ca.argv[0];
2772                                 argv[2] = ca.argv[1];
2773                                 argv[3] = ca.argv[2];
2774                                 argv[4] = ca.argv[3];
2775                                 ch_free( ca.argv );
2776                                 ca.argv = argv;
2777                                 ca.argc++;
2778                                 rc = ldap_back_map_config( &ca, &mt->mt_rwmap.rwm_oc,
2779                                         &mt->mt_rwmap.rwm_at );
2780
2781                                 ch_free( ca.tline );
2782                                 ca.tline = NULL;
2783                                 ca.argv = NULL;
2784
2785                                 /* in case of failure, restore
2786                                  * the existing mapping */
2787                                 if ( rc ) {
2788                                         goto map_fail;
2789                                 }
2790                         }
2791                 }
2792                 /* add the new mapping */
2793                 rc = ldap_back_map_config( c, &mt->mt_rwmap.rwm_oc,
2794                                         &mt->mt_rwmap.rwm_at );
2795                 if ( rc ) {
2796                         goto map_fail;
2797                 }
2798
2799                 if ( ix < cnt ) {
2800                         for ( ; i<cnt ; cnt++ ) {
2801                                 ca.line = mt->mt_rwmap.rwm_bva_map[ i ].bv_val;
2802                                 ca.argc = 0;
2803                                 config_fp_parse_line( &ca );
2804
2805                                 argv[1] = ca.argv[0];
2806                                 argv[2] = ca.argv[1];
2807                                 argv[3] = ca.argv[2];
2808                                 argv[4] = ca.argv[3];
2809
2810                                 ch_free( ca.argv );
2811                                 ca.argv = argv;
2812                                 ca.argc++;
2813                                 rc = ldap_back_map_config( &ca, &mt->mt_rwmap.rwm_oc,
2814                                         &mt->mt_rwmap.rwm_at );
2815
2816                                 ch_free( ca.tline );
2817                                 ca.tline = NULL;
2818                                 ca.argv = NULL;
2819
2820                                 /* in case of failure, restore
2821                                  * the existing mapping */
2822                                 if ( rc ) {
2823                                         goto map_fail;
2824                                 }
2825                         }
2826                 }
2827
2828                 /* save the map info */
2829                 argv[0] = ldap_charray2str( &c->argv[ 1 ], " " );
2830                 if ( argv[0] != NULL ) {
2831                         struct berval bv;
2832                         ber_str2bv( argv[0], 0, 0, &bv );
2833                         ber_bvarray_add( &mt->mt_rwmap.rwm_bva_map, &bv );
2834                         /* move it to the right slot */
2835                         if ( ix < cnt ) {
2836                                 for ( i=cnt; i>ix; i-- )
2837                                         mt->mt_rwmap.rwm_bva_map[i+1] = mt->mt_rwmap.rwm_bva_map[i];
2838                                 mt->mt_rwmap.rwm_bva_map[i] = bv;
2839
2840                                 /* destroy old mapping */
2841                                 meta_back_map_free( &rwm_oc );
2842                                 meta_back_map_free( &rwm_at );
2843                         }
2844                 }
2845                 break;
2846
2847 map_fail:;
2848                 if ( ix < cnt ) {
2849                         meta_back_map_free( &mt->mt_rwmap.rwm_oc );
2850                         meta_back_map_free( &mt->mt_rwmap.rwm_at );
2851                         mt->mt_rwmap.rwm_oc = rwm_oc;
2852                         mt->mt_rwmap.rwm_at = rwm_at;
2853                 }
2854                 } break;
2855
2856         case LDAP_BACK_CFG_NRETRIES: {
2857                 int             nretries = META_RETRY_UNDEFINED;
2858
2859                 if ( strcasecmp( c->argv[ 1 ], "forever" ) == 0 ) {
2860                         nretries = META_RETRY_FOREVER;
2861
2862                 } else if ( strcasecmp( c->argv[ 1 ], "never" ) == 0 ) {
2863                         nretries = META_RETRY_NEVER;
2864
2865                 } else {
2866                         if ( lutil_atoi( &nretries, c->argv[ 1 ] ) != 0 ) {
2867                                 snprintf( c->cr_msg, sizeof( c->cr_msg ),
2868                                         "unable to parse nretries {never|forever|<retries>}: \"%s\"",
2869                                         c->argv[ 1 ] );
2870                                 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2871                                 return 1;
2872                         }
2873                 }
2874
2875                 mc->mc_nretries = nretries;
2876                 } break;
2877
2878         case LDAP_BACK_CFG_VERSION:
2879                 if ( c->value_int != 0 && ( c->value_int < LDAP_VERSION_MIN || c->value_int > LDAP_VERSION_MAX ) ) {
2880                         snprintf( c->cr_msg, sizeof( c->cr_msg ),
2881                                 "unsupported protocol version \"%s\"",
2882                                 c->argv[ 1 ] );
2883                         Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2884                         return 1;
2885                 }
2886                 mc->mc_version = c->value_int;
2887                 break;
2888
2889         case LDAP_BACK_CFG_NOREFS:
2890         /* do not return search references */
2891                 if ( c->value_int ) {
2892                         mc->mc_flags |= LDAP_BACK_F_NOREFS;
2893                 } else {
2894                         mc->mc_flags &= ~LDAP_BACK_F_NOREFS;
2895                 }
2896                 break;
2897
2898         case LDAP_BACK_CFG_NOUNDEFFILTER:
2899         /* do not propagate undefined search filters */
2900                 if ( c->value_int ) {
2901                         mc->mc_flags |= LDAP_BACK_F_NOUNDEFFILTER;
2902                 } else {
2903                         mc->mc_flags &= ~LDAP_BACK_F_NOUNDEFFILTER;
2904                 }
2905                 break;
2906
2907 #ifdef SLAPD_META_CLIENT_PR
2908         case LDAP_BACK_CFG_CLIENT_PR:
2909                 if ( strcasecmp( c->argv[ 1 ], "accept-unsolicited" ) == 0 ) {
2910                         mc->mc_ps = META_CLIENT_PR_ACCEPT_UNSOLICITED;
2911
2912                 } else if ( strcasecmp( c->argv[ 1 ], "disable" ) == 0 ) {
2913                         mc->mc_ps = META_CLIENT_PR_DISABLE;
2914
2915                 } else if ( lutil_atoi( &mc->mc_ps, c->argv[ 1 ] ) || mc->mc_ps < -1 ) {
2916                         snprintf( c->cr_msg, sizeof( c->cr_msg ),
2917                                 "unable to parse client-pr {accept-unsolicited|disable|<size>}: \"%s\"",
2918                                 c->argv[ 1 ] );
2919                         Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
2920                         return( 1 );
2921                 }
2922                 break;
2923 #endif /* SLAPD_META_CLIENT_PR */
2924
2925         case LDAP_BACK_CFG_KEEPALIVE:
2926                 slap_keepalive_parse( ber_bvstrdup(c->argv[1]),
2927                                  &mt->mt_tls.sb_keepalive, 0, 0, 0);
2928                 break;
2929
2930         /* anything else */
2931         default:
2932                 return SLAP_CONF_UNKNOWN;
2933         }
2934
2935         return rc;
2936 }
2937
2938 int
2939 meta_back_init_cf( BackendInfo *bi )
2940 {
2941         int                     rc;
2942         AttributeDescription    *ad = NULL;
2943         const char              *text;
2944
2945         /* Make sure we don't exceed the bits reserved for userland */
2946         config_check_userland( LDAP_BACK_CFG_LAST );
2947
2948         bi->bi_cf_ocs = metaocs;
2949
2950         rc = config_register_schema( metacfg, metaocs );
2951         if ( rc ) {
2952                 return rc;
2953         }
2954
2955         /* setup olcDbAclPasswd and olcDbIDAssertPasswd
2956          * to be base64-encoded when written in LDIF form;
2957          * basically, we don't care if it fails */
2958         rc = slap_str2ad( "olcDbACLPasswd", &ad, &text );
2959         if ( rc ) {
2960                 Debug( LDAP_DEBUG_ANY, "config_back_initialize: "
2961                         "warning, unable to get \"olcDbACLPasswd\" "
2962                         "attribute description: %d: %s\n",
2963                         rc, text, 0 );
2964         } else {
2965                 (void)ldif_must_b64_encode_register( ad->ad_cname.bv_val,
2966                         ad->ad_type->sat_oid );
2967         }
2968
2969         ad = NULL;
2970         rc = slap_str2ad( "olcDbIDAssertPasswd", &ad, &text );
2971         if ( rc ) {
2972                 Debug( LDAP_DEBUG_ANY, "config_back_initialize: "
2973                         "warning, unable to get \"olcDbIDAssertPasswd\" "
2974                         "attribute description: %d: %s\n",
2975                         rc, text, 0 );
2976         } else {
2977                 (void)ldif_must_b64_encode_register( ad->ad_cname.bv_val,
2978                         ad->ad_type->sat_oid );
2979         }
2980
2981         return 0;
2982 }
2983
2984 static int
2985 ldap_back_map_config(
2986                 ConfigArgs *c,
2987                 struct ldapmap  *oc_map,
2988                 struct ldapmap  *at_map )
2989 {
2990         struct ldapmap          *map;
2991         struct ldapmapping      *mapping;
2992         char                    *src, *dst;
2993         int                     is_oc = 0;
2994
2995         if ( strcasecmp( c->argv[ 1 ], "objectclass" ) == 0 ) {
2996                 map = oc_map;
2997                 is_oc = 1;
2998
2999         } else if ( strcasecmp( c->argv[ 1 ], "attribute" ) == 0 ) {
3000                 map = at_map;
3001
3002         } else {
3003                 snprintf( c->cr_msg, sizeof(c->cr_msg),
3004                         "%s unknown argument \"%s\"",
3005                         c->argv[0], c->argv[1] );
3006                 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
3007                 return 1;
3008         }
3009
3010         if ( !is_oc && map->map == NULL ) {
3011                 /* only init if required */
3012                 ldap_back_map_init( map, &mapping );
3013         }
3014
3015         if ( strcmp( c->argv[ 2 ], "*" ) == 0 ) {
3016                 if ( c->argc < 4 || strcmp( c->argv[ 3 ], "*" ) == 0 ) {
3017                         map->drop_missing = ( c->argc < 4 );
3018                         goto success_return;
3019                 }
3020                 src = dst = c->argv[ 3 ];
3021
3022         } else if ( c->argc < 4 ) {
3023                 src = "";
3024                 dst = c->argv[ 2 ];
3025
3026         } else {
3027                 src = c->argv[ 2 ];
3028                 dst = ( strcmp( c->argv[ 3 ], "*" ) == 0 ? src : c->argv[ 3 ] );
3029         }
3030
3031         if ( ( map == at_map )
3032                 && ( strcasecmp( src, "objectclass" ) == 0
3033                         || strcasecmp( dst, "objectclass" ) == 0 ) )
3034         {
3035                 snprintf( c->cr_msg, sizeof(c->cr_msg),
3036                         "objectclass attribute cannot be mapped" );
3037                 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
3038                 return 1;
3039         }
3040
3041         mapping = (struct ldapmapping *)ch_calloc( 2,
3042                 sizeof(struct ldapmapping) );
3043         if ( mapping == NULL ) {
3044                 snprintf( c->cr_msg, sizeof(c->cr_msg),
3045                         "out of memory" );
3046                 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
3047                 return 1;
3048         }
3049         ber_str2bv( src, 0, 1, &mapping[ 0 ].src );
3050         ber_str2bv( dst, 0, 1, &mapping[ 0 ].dst );
3051         mapping[ 1 ].src = mapping[ 0 ].dst;
3052         mapping[ 1 ].dst = mapping[ 0 ].src;
3053
3054         /*
3055          * schema check
3056          */
3057         if ( is_oc ) {
3058                 if ( src[ 0 ] != '\0' ) {
3059                         if ( oc_bvfind( &mapping[ 0 ].src ) == NULL ) {
3060                                 Debug( LDAP_DEBUG_ANY,
3061         "warning, source objectClass '%s' should be defined in schema\n",
3062                                         c->log, src, 0 );
3063
3064                                 /*
3065                                  * FIXME: this should become an err
3066                                  */
3067                                 goto error_return;
3068                         }
3069                 }
3070
3071                 if ( oc_bvfind( &mapping[ 0 ].dst ) == NULL ) {
3072                         Debug( LDAP_DEBUG_ANY,
3073         "warning, destination objectClass '%s' is not defined in schema\n",
3074                                 c->log, dst, 0 );
3075                 }
3076         } else {
3077                 int                     rc;
3078                 const char              *text = NULL;
3079                 AttributeDescription    *ad = NULL;
3080
3081                 if ( src[ 0 ] != '\0' ) {
3082                         rc = slap_bv2ad( &mapping[ 0 ].src, &ad, &text );
3083                         if ( rc != LDAP_SUCCESS ) {
3084                                 Debug( LDAP_DEBUG_ANY,
3085         "warning, source attributeType '%s' should be defined in schema\n",
3086                                         c->log, src, 0 );
3087
3088                                 /*
3089                                  * FIXME: this should become an err
3090                                  */
3091                                 /*
3092                                  * we create a fake "proxied" ad
3093                                  * and add it here.
3094                                  */
3095
3096                                 rc = slap_bv2undef_ad( &mapping[ 0 ].src,
3097                                                 &ad, &text, SLAP_AD_PROXIED );
3098                                 if ( rc != LDAP_SUCCESS ) {
3099                                         snprintf( c->cr_msg, sizeof( c->cr_msg ),
3100                                                 "source attributeType \"%s\": %d (%s)",
3101                                                 src, rc, text ? text : "" );
3102                                         Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
3103                                         goto error_return;
3104                                 }
3105                         }
3106
3107                         ad = NULL;
3108                 }
3109
3110                 rc = slap_bv2ad( &mapping[ 0 ].dst, &ad, &text );
3111                 if ( rc != LDAP_SUCCESS ) {
3112                         Debug( LDAP_DEBUG_ANY,
3113         "warning, destination attributeType '%s' is not defined in schema\n",
3114                                 c->log, dst, 0 );
3115
3116                         /*
3117                          * we create a fake "proxied" ad
3118                          * and add it here.
3119                          */
3120
3121                         rc = slap_bv2undef_ad( &mapping[ 0 ].dst,
3122                                         &ad, &text, SLAP_AD_PROXIED );
3123                         if ( rc != LDAP_SUCCESS ) {
3124                                 snprintf( c->cr_msg, sizeof( c->cr_msg ),
3125                                         "destination attributeType \"%s\": %d (%s)\n",
3126                                         dst, rc, text ? text : "" );
3127                                 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
3128                                 return 1;
3129                         }
3130                 }
3131         }
3132
3133         if ( (src[ 0 ] != '\0' && avl_find( map->map, (caddr_t)&mapping[ 0 ], mapping_cmp ) != NULL)
3134                         || avl_find( map->remap, (caddr_t)&mapping[ 1 ], mapping_cmp ) != NULL)
3135         {
3136                 snprintf( c->cr_msg, sizeof( c->cr_msg ),
3137                         "duplicate mapping found." );
3138                 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
3139                 goto error_return;
3140         }
3141
3142         if ( src[ 0 ] != '\0' ) {
3143                 avl_insert( &map->map, (caddr_t)&mapping[ 0 ],
3144                                         mapping_cmp, mapping_dup );
3145         }
3146         avl_insert( &map->remap, (caddr_t)&mapping[ 1 ],
3147                                 mapping_cmp, mapping_dup );
3148
3149 success_return:;
3150         return 0;
3151
3152 error_return:;
3153         if ( mapping ) {
3154                 ch_free( mapping[ 0 ].src.bv_val );
3155                 ch_free( mapping[ 0 ].dst.bv_val );
3156                 ch_free( mapping );
3157         }
3158
3159         return 1;
3160 }
3161
3162
3163 #ifdef ENABLE_REWRITE
3164 static char *
3165 suffix_massage_regexize( const char *s )
3166 {
3167         char *res, *ptr;
3168         const char *p, *r;
3169         int i;
3170
3171         if ( s[ 0 ] == '\0' ) {
3172                 return ch_strdup( "^(.+)$" );
3173         }
3174
3175         for ( i = 0, p = s;
3176                         ( r = strchr( p, ',' ) ) != NULL;
3177                         p = r + 1, i++ )
3178                 ;
3179
3180         res = ch_calloc( sizeof( char ),
3181                         strlen( s )
3182                         + STRLENOF( "((.+),)?" )
3183                         + STRLENOF( "[ ]?" ) * i
3184                         + STRLENOF( "$" ) + 1 );
3185
3186         ptr = lutil_strcopy( res, "((.+),)?" );
3187         for ( i = 0, p = s;
3188                         ( r = strchr( p, ',' ) ) != NULL;
3189                         p = r + 1 , i++ ) {
3190                 ptr = lutil_strncopy( ptr, p, r - p + 1 );
3191                 ptr = lutil_strcopy( ptr, "[ ]?" );
3192
3193                 if ( r[ 1 ] == ' ' ) {
3194                         r++;
3195                 }
3196         }
3197         ptr = lutil_strcopy( ptr, p );
3198         ptr[ 0 ] = '$';
3199         ptr++;
3200         ptr[ 0 ] = '\0';
3201
3202         return res;
3203 }
3204
3205 static char *
3206 suffix_massage_patternize( const char *s, const char *p )
3207 {
3208         ber_len_t       len;
3209         char            *res, *ptr;
3210
3211         len = strlen( p );
3212
3213         if ( s[ 0 ] == '\0' ) {
3214                 len++;
3215         }
3216
3217         res = ch_calloc( sizeof( char ), len + STRLENOF( "%1" ) + 1 );
3218         if ( res == NULL ) {
3219                 return NULL;
3220         }
3221
3222         ptr = lutil_strcopy( res, ( p[ 0 ] == '\0' ? "%2" : "%1" ) );
3223         if ( s[ 0 ] == '\0' ) {
3224                 ptr[ 0 ] = ',';
3225                 ptr++;
3226         }
3227         lutil_strcopy( ptr, p );
3228
3229         return res;
3230 }
3231
3232 int
3233 suffix_massage_config(
3234                 struct rewrite_info *info,
3235                 struct berval *pvnc,
3236                 struct berval *nvnc,
3237                 struct berval *prnc,
3238                 struct berval *nrnc
3239 )
3240 {
3241         char *rargv[ 5 ];
3242         int line = 0;
3243
3244         rargv[ 0 ] = "rewriteEngine";
3245         rargv[ 1 ] = "on";
3246         rargv[ 2 ] = NULL;
3247         rewrite_parse( info, "<suffix massage>", ++line, 2, rargv );
3248
3249         rargv[ 0 ] = "rewriteContext";
3250         rargv[ 1 ] = "default";
3251         rargv[ 2 ] = NULL;
3252         rewrite_parse( info, "<suffix massage>", ++line, 2, rargv );
3253
3254         rargv[ 0 ] = "rewriteRule";
3255         rargv[ 1 ] = suffix_massage_regexize( pvnc->bv_val );
3256         rargv[ 2 ] = suffix_massage_patternize( pvnc->bv_val, prnc->bv_val );
3257         rargv[ 3 ] = ":";
3258         rargv[ 4 ] = NULL;
3259         rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
3260         ch_free( rargv[ 1 ] );
3261         ch_free( rargv[ 2 ] );
3262
3263         if ( BER_BVISEMPTY( pvnc ) ) {
3264                 rargv[ 0 ] = "rewriteRule";
3265                 rargv[ 1 ] = "^$";
3266                 rargv[ 2 ] = prnc->bv_val;
3267                 rargv[ 3 ] = ":";
3268                 rargv[ 4 ] = NULL;
3269                 rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
3270         }
3271
3272         rargv[ 0 ] = "rewriteContext";
3273         rargv[ 1 ] = "searchEntryDN";
3274         rargv[ 2 ] = NULL;
3275         rewrite_parse( info, "<suffix massage>", ++line, 2, rargv );
3276
3277         rargv[ 0 ] = "rewriteRule";
3278         rargv[ 1 ] = suffix_massage_regexize( prnc->bv_val );
3279         rargv[ 2 ] = suffix_massage_patternize( prnc->bv_val, pvnc->bv_val );
3280         rargv[ 3 ] = ":";
3281         rargv[ 4 ] = NULL;
3282         rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
3283         ch_free( rargv[ 1 ] );
3284         ch_free( rargv[ 2 ] );
3285
3286         if ( BER_BVISEMPTY( prnc ) ) {
3287                 rargv[ 0 ] = "rewriteRule";
3288                 rargv[ 1 ] = "^$";
3289                 rargv[ 2 ] = pvnc->bv_val;
3290                 rargv[ 3 ] = ":";
3291                 rargv[ 4 ] = NULL;
3292                 rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
3293         }
3294
3295         /* backward compatibility */
3296         rargv[ 0 ] = "rewriteContext";
3297         rargv[ 1 ] = "searchResult";
3298         rargv[ 2 ] = "alias";
3299         rargv[ 3 ] = "searchEntryDN";
3300         rargv[ 4 ] = NULL;
3301         rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
3302
3303         rargv[ 0 ] = "rewriteContext";
3304         rargv[ 1 ] = "matchedDN";
3305         rargv[ 2 ] = "alias";
3306         rargv[ 3 ] = "searchEntryDN";
3307         rargv[ 4 ] = NULL;
3308         rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
3309
3310         rargv[ 0 ] = "rewriteContext";
3311         rargv[ 1 ] = "searchAttrDN";
3312         rargv[ 2 ] = "alias";
3313         rargv[ 3 ] = "searchEntryDN";
3314         rargv[ 4 ] = NULL;
3315         rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
3316
3317         /* NOTE: this corresponds to #undef'ining RWM_REFERRAL_REWRITE;
3318          * see servers/slapd/overlays/rwm.h for details */
3319         rargv[ 0 ] = "rewriteContext";
3320         rargv[ 1 ] = "referralAttrDN";
3321         rargv[ 2 ] = NULL;
3322         rewrite_parse( info, "<suffix massage>", ++line, 2, rargv );
3323
3324         rargv[ 0 ] = "rewriteContext";
3325         rargv[ 1 ] = "referralDN";
3326         rargv[ 2 ] = NULL;
3327         rewrite_parse( info, "<suffix massage>", ++line, 2, rargv );
3328
3329         return 0;
3330 }
3331 #endif /* ENABLE_REWRITE */
3332