1 /* memberof.c - back-reference for group membership */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
5 * Copyright 2005-2007 Pierangelo Masarati <ando@sys-net.it>
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted only as authorized by the OpenLDAP
12 * A copy of this license is available in the file LICENSE in the
13 * top-level directory of the distribution or, alternatively, at
14 * <http://www.OpenLDAP.org/license.html>.
17 * This work was initially developed by Pierangelo Masarati for inclusion
18 * in OpenLDAP Software, sponsored by SysNet s.r.l.
23 #ifdef SLAPD_OVER_MEMBEROF
27 #include "ac/string.h"
28 #include "ac/socket.h"
37 * GROUP a group object (an entry with GROUP_OC
39 * MEMBER a member object (an entry whose DN is
40 * listed as MEMBER_AT value of a GROUP)
41 * GROUP_OC the objectClass of the group object
42 * (default: groupOfNames)
43 * MEMBER_AT the membership attribute, DN-valued;
44 * note: nameAndOptionalUID is tolerated
45 * as soon as the optionalUID is absent
47 * MEMBER_OF reverse membership attribute
51 * - if the entry that is being added is a GROUP,
52 * the MEMBER_AT defined as values of the add operation
53 * get the MEMBER_OF value directly from the request.
55 * if configured to do so, the MEMBER objects do not exist,
56 * and no relax control is issued, either:
58 * - drop non-existing members
59 * (by default: don't muck with values)
61 * - if (configured to do so,) the referenced GROUP exists,
62 * the relax control is set and the user has
63 * "manage" privileges, allow to add MEMBER_OF values to
67 * - if the entry being modified is a GROUP_OC and the
68 * MEMBER_AT attribute is modified, the MEMBER_OF value
69 * of the (existing) MEMBER_AT entries that are affected
70 * is modified according to the request:
71 * - if a MEMBER is removed from the group,
72 * delete the corresponding MEMBER_OF
73 * - if a MEMBER is added to a group,
74 * add the corresponding MEMBER_OF
76 * We need to determine, from the database, if it is
77 * a GROUP_OC, and we need to check, from the
78 * modification list, if the MEMBER_AT attribute is being
79 * affected, and what MEMBER_AT values are affected.
81 * if configured to do so, the entries corresponding to
82 * the MEMBER_AT values do not exist, and no relax control
85 * - drop non-existing members
86 * (by default: don't muck with values)
88 * - if configured to do so, the referenced GROUP exists,
89 * (the relax control is set) and the user has
90 * "manage" privileges, allow to add MEMBER_OF values to
91 * generic entries; the change is NOT automatically reflected
92 * in the MEMBER attribute of the GROUP referenced
93 * by the value of MEMBER_OF; a separate modification,
94 * with or without relax control, needs to be performed.
97 * - if the entry being renamed is a GROUP, the MEMBER_OF
98 * value of the (existing) MEMBER objects is modified
99 * accordingly based on the newDN of the GROUP.
101 * We need to determine, from the database, if it is
102 * a GROUP; the list of MEMBER objects is obtained from
105 * Non-existing MEMBER objects are ignored, since the
106 * MEMBER_AT is not being addressed by the operation.
108 * - if the entry being renamed has the MEMBER_OF attribute,
109 * the corresponding MEMBER value must be modified in the
110 * respective group entries.
114 * - if the entry being deleted is a GROUP, the (existing)
115 * MEMBER objects are modified accordingly; a copy of the
116 * values of the MEMBER_AT is saved and, if the delete
117 * succeeds, the MEMBER_OF value of the (existing) MEMBER
118 * objects is deleted.
120 * We need to determine, from the database, if it is
123 * Non-existing MEMBER objects are ignored, since the entry
126 * - if the entry being deleted has the MEMBER_OF attribute,
127 * the corresponding value of the MEMBER_AT must be deleted
128 * from the respective GROUP entries.
131 #define SLAPD_MEMBEROF_ATTR "memberOf"
133 static AttributeDescription *ad_member;
134 static AttributeDescription *ad_memberOf;
136 static ObjectClass *oc_group;
138 static slap_overinst memberof;
140 typedef struct memberof_t {
142 struct berval mo_ndn;
144 ObjectClass *mo_oc_group;
145 AttributeDescription *mo_ad_member;
146 AttributeDescription *mo_ad_memberof;
148 struct berval mo_groupFilterstr;
149 AttributeAssertion mo_groupAVA;
150 Filter mo_groupFilter;
152 struct berval mo_memberFilterstr;
153 Filter mo_memberFilter;
156 #define MEMBEROF_NONE 0x00U
157 #define MEMBEROF_FDANGLING_DROP 0x01U
158 #define MEMBEROF_FDANGLING_ERROR 0x02U
159 #define MEMBEROF_FDANGLING_MASK (MEMBEROF_FDANGLING_DROP|MEMBEROF_FDANGLING_ERROR)
160 #define MEMBEROF_FREFINT 0x04U
161 #define MEMBEROF_FREVERSE 0x08U
163 ber_int_t mo_dangling_err;
165 #define MEMBEROF_CHK(mo,f) \
166 (((mo)->mo_flags & (f)) == (f))
167 #define MEMBEROF_DANGLING_CHECK(mo) \
168 ((mo)->mo_flags & MEMBEROF_FDANGLING_MASK)
169 #define MEMBEROF_DANGLING_DROP(mo) \
170 MEMBEROF_CHK((mo),MEMBEROF_FDANGLING_DROP)
171 #define MEMBEROF_DANGLING_ERROR(mo) \
172 MEMBEROF_CHK((mo),MEMBEROF_FDANGLING_ERROR)
173 #define MEMBEROF_REFINT(mo) \
174 MEMBEROF_CHK((mo),MEMBEROF_FREFINT)
175 #define MEMBEROF_REVERSE(mo) \
176 MEMBEROF_CHK((mo),MEMBEROF_FREVERSE)
179 typedef enum memberof_is_t {
180 MEMBEROF_IS_NONE = 0x00,
181 MEMBEROF_IS_GROUP = 0x01,
182 MEMBEROF_IS_MEMBER = 0x02,
183 MEMBEROF_IS_BOTH = (MEMBEROF_IS_GROUP|MEMBEROF_IS_MEMBER)
186 typedef struct memberof_cookie_t {
187 AttributeDescription *ad;
192 typedef struct memberof_cbinfo_t {
200 memberof_set_backend( Operation *op_target, Operation *op, slap_overinst *on )
202 BackendInfo *bi = op->o_bd->bd_info;
204 if ( bi->bi_type == memberof.on_bi.bi_type )
205 op_target->o_bd->bd_info = (BackendInfo *)on->on_info;
209 memberof_isGroupOrMember_cb( Operation *op, SlapReply *rs )
211 if ( rs->sr_type == REP_SEARCH ) {
212 memberof_cookie_t *mc;
214 mc = (memberof_cookie_t *)op->o_callback->sc_private;
222 * callback for internal search that saves the member attribute values
223 * of groups being deleted.
226 memberof_saveMember_cb( Operation *op, SlapReply *rs )
228 if ( rs->sr_type == REP_SEARCH ) {
229 memberof_cookie_t *mc;
232 mc = (memberof_cookie_t *)op->o_callback->sc_private;
235 assert( rs->sr_entry != NULL );
236 assert( rs->sr_entry->e_attrs != NULL );
238 a = attr_find( rs->sr_entry->e_attrs, mc->ad );
240 ber_bvarray_dup_x( &mc->vals, a->a_nvals, op->o_tmpmemctx );
242 assert( attr_find( a->a_next, mc->ad ) == NULL );
250 * the delete hook performs an internal search that saves the member
251 * attribute values of groups being deleted.
254 memberof_isGroupOrMember( Operation *op, memberof_cbinfo_t *mci )
256 slap_overinst *on = mci->on;
257 memberof_t *mo = (memberof_t *)on->on_bi.bi_private;
260 slap_callback cb = { 0 };
261 BackendInfo *bi = op->o_bd->bd_info;
262 AttributeName an[ 2 ];
264 memberof_is_t iswhat = MEMBEROF_IS_NONE;
265 memberof_cookie_t mc;
267 assert( mci->what != MEMBEROF_IS_NONE );
270 if ( op->o_tag == LDAP_REQ_DELETE ) {
271 cb.sc_response = memberof_saveMember_cb;
274 cb.sc_response = memberof_isGroupOrMember_cb;
277 op2.o_tag = LDAP_REQ_SEARCH;
278 op2.o_callback = &cb;
279 op2.o_dn = op->o_bd->be_rootdn;
280 op2.o_ndn = op->o_bd->be_rootndn;
282 op2.ors_scope = LDAP_SCOPE_BASE;
283 op2.ors_deref = LDAP_DEREF_NEVER;
284 BER_BVZERO( &an[ 1 ].an_name );
286 op2.ors_attrsonly = 0;
287 op2.ors_limit = NULL;
289 op2.ors_tlimit = SLAP_NO_LIMIT;
291 if ( mci->what & MEMBEROF_IS_GROUP ) {
292 SlapReply rs2 = { REP_RESULT };
294 mc.ad = mo->mo_ad_member;
297 an[ 0 ].an_desc = mo->mo_ad_member;
298 an[ 0 ].an_name = an[ 0 ].an_desc->ad_cname;
299 op2.ors_filterstr = mo->mo_groupFilterstr;
300 op2.ors_filter = &mo->mo_groupFilter;
301 op2.o_do_not_cache = 1; /* internal search, don't log */
303 memberof_set_backend( &op2, op, on );
304 (void)op->o_bd->be_search( &op2, &rs2 );
305 op2.o_bd->bd_info = bi;
308 iswhat |= MEMBEROF_IS_GROUP;
309 if ( mc.vals ) mci->member = mc.vals;
314 if ( mci->what & MEMBEROF_IS_MEMBER ) {
315 SlapReply rs2 = { REP_RESULT };
317 mc.ad = mo->mo_ad_memberof;
320 an[ 0 ].an_desc = mo->mo_ad_memberof;
321 an[ 0 ].an_name = an[ 0 ].an_desc->ad_cname;
322 op2.ors_filterstr = mo->mo_memberFilterstr;
323 op2.ors_filter = &mo->mo_memberFilter;
324 op2.o_do_not_cache = 1; /* internal search, don't log */
326 memberof_set_backend( &op2, op, on );
327 (void)op->o_bd->be_search( &op2, &rs2 );
328 op2.o_bd->bd_info = bi;
331 iswhat |= MEMBEROF_IS_MEMBER;
332 if ( mc.vals ) mci->memberof = mc.vals;
343 * response callback that adds memberof values when a group is modified.
346 memberof_value_modify(
349 AttributeDescription *ad,
350 struct berval *old_dn,
351 struct berval *old_ndn,
352 struct berval *new_dn,
353 struct berval *new_ndn )
355 memberof_cbinfo_t *mci = op->o_callback->sc_private;
356 slap_overinst *on = mci->on;
357 memberof_t *mo = (memberof_t *)on->on_bi.bi_private;
360 unsigned long opid = op->o_opid;
361 SlapReply rs2 = { REP_RESULT };
362 slap_callback cb = { NULL, slap_null_cb, NULL, NULL };
363 Modifications mod[ 2 ] = { { { 0 } } }, *ml;
364 struct berval values[ 4 ], nvalues[ 4 ];
367 op2.o_tag = LDAP_REQ_MODIFY;
370 op2.o_req_ndn = *ndn;
372 op2.o_callback = &cb;
373 op2.o_dn = op->o_bd->be_rootdn;
374 op2.o_ndn = op->o_bd->be_rootndn;
375 op2.orm_modlist = NULL;
377 /* Internal ops, never replicate these */
378 op2.o_opid = 0; /* shared with op, saved above */
379 op2.orm_no_opattrs = 1;
380 op2.o_dont_replicate = 1;
382 if ( !BER_BVISNULL( &mo->mo_ndn ) ) {
385 ml->sml_values = &values[ 0 ];
386 ml->sml_values[ 0 ] = mo->mo_dn;
387 BER_BVZERO( &ml->sml_values[ 1 ] );
388 ml->sml_nvalues = &nvalues[ 0 ];
389 ml->sml_nvalues[ 0 ] = mo->mo_ndn;
390 BER_BVZERO( &ml->sml_nvalues[ 1 ] );
391 ml->sml_desc = slap_schema.si_ad_modifiersName;
392 ml->sml_type = ml->sml_desc->ad_cname;
393 ml->sml_op = LDAP_MOD_REPLACE;
394 ml->sml_flags = SLAP_MOD_INTERNAL;
395 ml->sml_next = op2.orm_modlist;
396 op2.orm_modlist = ml;
403 ml->sml_values = &values[ 2 ];
404 BER_BVZERO( &ml->sml_values[ 1 ] );
405 ml->sml_nvalues = &nvalues[ 2 ];
406 BER_BVZERO( &ml->sml_nvalues[ 1 ] );
408 ml->sml_type = ml->sml_desc->ad_cname;
409 ml->sml_flags = SLAP_MOD_INTERNAL;
410 ml->sml_next = op2.orm_modlist;
411 op2.orm_modlist = ml;
413 if ( new_ndn != NULL ) {
414 BackendInfo *bi = op2.o_bd->bd_info;
417 assert( !BER_BVISNULL( new_dn ) );
418 assert( !BER_BVISNULL( new_ndn ) );
421 ml->sml_op = LDAP_MOD_ADD;
423 ml->sml_values[ 0 ] = *new_dn;
424 ml->sml_nvalues[ 0 ] = *new_ndn;
426 oex.oe_key = (void *)&memberof;
427 LDAP_SLIST_INSERT_HEAD(&op2.o_extra, &oex, oe_next);
428 memberof_set_backend( &op2, op, on );
429 (void)op->o_bd->be_modify( &op2, &rs2 );
430 op2.o_bd->bd_info = bi;
431 LDAP_SLIST_REMOVE(&op2.o_extra, &oex, OpExtra, oe_next);
432 if ( rs2.sr_err != LDAP_SUCCESS ) {
433 char buf[ SLAP_TEXT_BUFLEN ];
434 snprintf( buf, sizeof( buf ),
435 "memberof_value_modify DN=\"%s\" add %s=\"%s\" failed err=%d",
436 op2.o_req_dn.bv_val, ad->ad_cname.bv_val, new_dn->bv_val, rs2.sr_err );
437 Debug( LDAP_DEBUG_ANY, "%s: %s\n",
438 op->o_log_prefix, buf, 0 );
441 assert( op2.orm_modlist == &mod[ mcnt ] );
442 assert( mcnt == 0 || op2.orm_modlist->sml_next == &mod[ 0 ] );
443 ml = op2.orm_modlist->sml_next;
445 assert( ml == &mod[ 0 ] );
449 slap_mods_free( ml, 1 );
452 mod[ 0 ].sml_next = NULL;
455 if ( old_ndn != NULL ) {
456 BackendInfo *bi = op2.o_bd->bd_info;
459 assert( !BER_BVISNULL( old_dn ) );
460 assert( !BER_BVISNULL( old_ndn ) );
463 ml->sml_op = LDAP_MOD_DELETE;
465 ml->sml_values[ 0 ] = *old_dn;
466 ml->sml_nvalues[ 0 ] = *old_ndn;
468 oex.oe_key = (void *)&memberof;
469 LDAP_SLIST_INSERT_HEAD(&op2.o_extra, &oex, oe_next);
470 memberof_set_backend( &op2, op, on );
471 (void)op->o_bd->be_modify( &op2, &rs2 );
472 op2.o_bd->bd_info = bi;
473 LDAP_SLIST_REMOVE(&op2.o_extra, &oex, OpExtra, oe_next);
474 if ( rs2.sr_err != LDAP_SUCCESS ) {
475 char buf[ SLAP_TEXT_BUFLEN ];
476 snprintf( buf, sizeof( buf ),
477 "memberof_value_modify DN=\"%s\" delete %s=\"%s\" failed err=%d",
478 op2.o_req_dn.bv_val, ad->ad_cname.bv_val, old_dn->bv_val, rs2.sr_err );
479 Debug( LDAP_DEBUG_ANY, "%s: %s\n",
480 op->o_log_prefix, buf, 0 );
483 assert( op2.orm_modlist == &mod[ mcnt ] );
484 ml = op2.orm_modlist->sml_next;
486 assert( ml == &mod[ 0 ] );
490 slap_mods_free( ml, 1 );
493 /* restore original opid */
496 /* FIXME: if old_group_ndn doesn't exist, both delete __and__
497 * add will fail; better split in two operations, although
498 * not optimal in terms of performance. At least it would
499 * move towards self-repairing capabilities. */
503 memberof_cleanup( Operation *op, SlapReply *rs )
505 slap_callback *sc = op->o_callback;
506 memberof_cbinfo_t *mci = sc->sc_private;
508 op->o_callback = sc->sc_next;
510 ber_bvarray_free_x( mci->memberof, op->o_tmpmemctx );
512 ber_bvarray_free_x( mci->member, op->o_tmpmemctx );
513 op->o_tmpfree( sc, op->o_tmpmemctx );
517 static int memberof_res_add( Operation *op, SlapReply *rs );
518 static int memberof_res_delete( Operation *op, SlapReply *rs );
519 static int memberof_res_modify( Operation *op, SlapReply *rs );
520 static int memberof_res_modrdn( Operation *op, SlapReply *rs );
523 memberof_op_add( Operation *op, SlapReply *rs )
525 slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
526 memberof_t *mo = (memberof_t *)on->on_bi.bi_private;
528 Attribute **ap, **map = NULL;
529 int rc = SLAP_CB_CONTINUE;
531 struct berval save_dn, save_ndn;
533 memberof_cbinfo_t *mci;
536 LDAP_SLIST_FOREACH( oex, &op->o_extra, oe_next ) {
537 if ( oex->oe_key == (void *)&memberof )
538 return SLAP_CB_CONTINUE;
541 if ( op->ora_e->e_attrs == NULL ) {
542 /* FIXME: global overlay; need to deal with */
543 Debug( LDAP_DEBUG_ANY, "%s: memberof_op_add(\"%s\"): "
544 "consistency checks not implemented when overlay "
545 "is instantiated as global.\n",
546 op->o_log_prefix, op->o_req_dn.bv_val, 0 );
547 return SLAP_CB_CONTINUE;
550 if ( MEMBEROF_REVERSE( mo ) ) {
551 for ( ap = &op->ora_e->e_attrs; *ap; ap = &(*ap)->a_next ) {
554 if ( a->a_desc == mo->mo_ad_memberof ) {
562 save_ndn = op->o_ndn;
564 if ( MEMBEROF_DANGLING_CHECK( mo )
566 && is_entry_objectclass_or_sub( op->ora_e, mo->mo_oc_group ) )
568 op->o_dn = op->o_bd->be_rootdn;
569 op->o_ndn = op->o_bd->be_rootndn;
570 op->o_bd->bd_info = (BackendInfo *)on->on_info;
572 for ( ap = &op->ora_e->e_attrs; *ap; ) {
575 if ( !is_ad_subtype( a->a_desc, mo->mo_ad_member ) ) {
580 assert( a->a_nvals != NULL );
582 for ( i = 0; !BER_BVISNULL( &a->a_nvals[ i ] ); i++ ) {
585 /* ITS#6670 Ignore member pointing to this entry */
586 if ( dn_match( &a->a_nvals[i], &save_ndn ))
589 rc = be_entry_get_rw( op, &a->a_nvals[ i ],
591 if ( rc == LDAP_SUCCESS ) {
592 be_entry_release_r( op, e );
596 if ( MEMBEROF_DANGLING_ERROR( mo ) ) {
597 rc = rs->sr_err = mo->mo_dangling_err;
598 rs->sr_text = "adding non-existing object "
600 send_ldap_result( op, rs );
604 if ( MEMBEROF_DANGLING_DROP( mo ) ) {
607 Debug( LDAP_DEBUG_ANY, "%s: memberof_op_add(\"%s\"): "
608 "member=\"%s\" does not exist (stripping...)\n",
609 op->o_log_prefix, op->ora_e->e_name.bv_val,
610 a->a_vals[ i ].bv_val );
612 for ( j = i + 1; !BER_BVISNULL( &a->a_nvals[ j ] ); j++ );
613 ber_memfree( a->a_vals[ i ].bv_val );
614 BER_BVZERO( &a->a_vals[ i ] );
615 if ( a->a_nvals != a->a_vals ) {
616 ber_memfree( a->a_nvals[ i ].bv_val );
617 BER_BVZERO( &a->a_nvals[ i ] );
624 AC_MEMCPY( &a->a_vals[ i ], &a->a_vals[ i + 1 ],
625 sizeof( struct berval ) * ( j - i ) );
626 if ( a->a_nvals != a->a_vals ) {
627 AC_MEMCPY( &a->a_nvals[ i ], &a->a_nvals[ i + 1 ],
628 sizeof( struct berval ) * ( j - i ) );
634 /* If all values have been removed,
635 * remove the attribute itself. */
636 if ( BER_BVISNULL( &a->a_nvals[ 0 ] ) ) {
645 op->o_ndn = save_ndn;
646 op->o_bd->bd_info = (BackendInfo *)on;
651 AccessControlState acl_state = ACL_STATE_INIT;
653 for ( i = 0; !BER_BVISNULL( &a->a_nvals[ i ] ); i++ ) {
656 op->o_bd->bd_info = (BackendInfo *)on->on_info;
657 /* access is checked with the original identity */
658 rc = access_allowed( op, op->ora_e, mo->mo_ad_memberof,
659 &a->a_nvals[ i ], ACL_WADD,
662 rc = rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
664 send_ldap_result( op, rs );
667 /* ITS#6670 Ignore member pointing to this entry */
668 if ( dn_match( &a->a_nvals[i], &save_ndn ))
671 rc = be_entry_get_rw( op, &a->a_nvals[ i ],
673 op->o_bd->bd_info = (BackendInfo *)on;
674 if ( rc != LDAP_SUCCESS ) {
675 if ( get_relax( op ) ) {
679 if ( MEMBEROF_DANGLING_ERROR( mo ) ) {
680 rc = rs->sr_err = mo->mo_dangling_err;
681 rs->sr_text = "adding non-existing object "
683 send_ldap_result( op, rs );
687 if ( MEMBEROF_DANGLING_DROP( mo ) ) {
690 Debug( LDAP_DEBUG_ANY, "%s: memberof_op_add(\"%s\"): "
691 "memberof=\"%s\" does not exist (stripping...)\n",
692 op->o_log_prefix, op->ora_e->e_name.bv_val,
693 a->a_nvals[ i ].bv_val );
695 for ( j = i + 1; !BER_BVISNULL( &a->a_nvals[ j ] ); j++ );
696 ber_memfree( a->a_vals[ i ].bv_val );
697 BER_BVZERO( &a->a_vals[ i ] );
698 if ( a->a_nvals != a->a_vals ) {
699 ber_memfree( a->a_nvals[ i ].bv_val );
700 BER_BVZERO( &a->a_nvals[ i ] );
706 AC_MEMCPY( &a->a_vals[ i ], &a->a_vals[ i + 1 ],
707 sizeof( struct berval ) * ( j - i ) );
708 if ( a->a_nvals != a->a_vals ) {
709 AC_MEMCPY( &a->a_nvals[ i ], &a->a_nvals[ i + 1 ],
710 sizeof( struct berval ) * ( j - i ) );
718 /* access is checked with the original identity */
719 op->o_bd->bd_info = (BackendInfo *)on->on_info;
720 rc = access_allowed( op, e, mo->mo_ad_member,
721 &op->o_req_ndn, ACL_WADD, NULL );
722 be_entry_release_r( op, e );
723 op->o_bd->bd_info = (BackendInfo *)on;
726 rc = rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
727 rs->sr_text = "insufficient access to object referenced by memberof";
728 send_ldap_result( op, rs );
733 if ( BER_BVISNULL( &a->a_nvals[ 0 ] ) ) {
739 rc = SLAP_CB_CONTINUE;
741 sc = op->o_tmpalloc( sizeof(slap_callback)+sizeof(*mci), op->o_tmpmemctx );
742 sc->sc_private = sc+1;
743 sc->sc_response = memberof_res_add;
744 sc->sc_cleanup = memberof_cleanup;
745 sc->sc_writewait = 0;
746 mci = sc->sc_private;
749 mci->memberof = NULL;
750 sc->sc_next = op->o_callback;
755 op->o_ndn = save_ndn;
756 op->o_bd->bd_info = (BackendInfo *)on;
762 memberof_op_delete( Operation *op, SlapReply *rs )
764 slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
765 memberof_t *mo = (memberof_t *)on->on_bi.bi_private;
768 memberof_cbinfo_t *mci;
771 LDAP_SLIST_FOREACH( oex, &op->o_extra, oe_next ) {
772 if ( oex->oe_key == (void *)&memberof )
773 return SLAP_CB_CONTINUE;
776 sc = op->o_tmpalloc( sizeof(slap_callback)+sizeof(*mci), op->o_tmpmemctx );
777 sc->sc_private = sc+1;
778 sc->sc_response = memberof_res_delete;
779 sc->sc_cleanup = memberof_cleanup;
780 sc->sc_writewait = 0;
781 mci = sc->sc_private;
784 mci->memberof = NULL;
785 mci->what = MEMBEROF_IS_GROUP;
786 if ( MEMBEROF_REFINT( mo ) ) {
787 mci->what = MEMBEROF_IS_BOTH;
790 memberof_isGroupOrMember( op, mci );
792 sc->sc_next = op->o_callback;
795 return SLAP_CB_CONTINUE;
799 memberof_op_modify( Operation *op, SlapReply *rs )
801 slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
802 memberof_t *mo = (memberof_t *)on->on_bi.bi_private;
804 Modifications **mlp, **mmlp = NULL;
805 int rc = SLAP_CB_CONTINUE, save_member = 0;
806 struct berval save_dn, save_ndn;
808 memberof_cbinfo_t *mci, mcis;
811 LDAP_SLIST_FOREACH( oex, &op->o_extra, oe_next ) {
812 if ( oex->oe_key == (void *)&memberof )
813 return SLAP_CB_CONTINUE;
816 if ( MEMBEROF_REVERSE( mo ) ) {
817 for ( mlp = &op->orm_modlist; *mlp; mlp = &(*mlp)->sml_next ) {
818 Modifications *ml = *mlp;
820 if ( ml->sml_desc == mo->mo_ad_memberof ) {
828 save_ndn = op->o_ndn;
830 mcis.what = MEMBEROF_IS_GROUP;
832 if ( memberof_isGroupOrMember( op, &mcis ) == LDAP_SUCCESS
833 && ( mcis.what & MEMBEROF_IS_GROUP ) )
837 for ( ml = op->orm_modlist; ml; ml = ml->sml_next ) {
838 if ( ml->sml_desc == mo->mo_ad_member ) {
839 switch ( ml->sml_op ) {
840 case LDAP_MOD_DELETE:
841 case LDAP_MOD_REPLACE:
842 case SLAP_MOD_SOFTDEL: /* ITS#7487: can be used by syncrepl (in mirror mode?) */
850 if ( MEMBEROF_DANGLING_CHECK( mo )
851 && !get_relax( op ) )
853 op->o_dn = op->o_bd->be_rootdn;
854 op->o_ndn = op->o_bd->be_rootndn;
855 op->o_bd->bd_info = (BackendInfo *)on->on_info;
857 assert( op->orm_modlist != NULL );
859 for ( mlp = &op->orm_modlist; *mlp; ) {
860 Modifications *ml = *mlp;
863 if ( !is_ad_subtype( ml->sml_desc, mo->mo_ad_member ) ) {
868 switch ( ml->sml_op ) {
869 case LDAP_MOD_DELETE:
870 case SLAP_MOD_SOFTDEL: /* ITS#7487: can be used by syncrepl (in mirror mode?) */
871 /* we don't care about cancellations: if the value
872 * exists, fine; if it doesn't, we let the underlying
873 * database fail as appropriate; */
877 case LDAP_MOD_REPLACE:
878 /* Handle this just like a delete (see above) */
879 if ( !ml->sml_values ) {
885 case SLAP_MOD_SOFTADD: /* ITS#7487 */
886 case SLAP_MOD_ADD_IF_NOT_PRESENT: /* ITS#7487 */
887 /* NOTE: right now, the attributeType we use
888 * for member must have a normalized value */
889 assert( ml->sml_nvalues != NULL );
891 for ( i = 0; !BER_BVISNULL( &ml->sml_nvalues[ i ] ); i++ ) {
894 /* ITS#6670 Ignore member pointing to this entry */
895 if ( dn_match( &ml->sml_nvalues[i], &save_ndn ))
898 if ( be_entry_get_rw( op, &ml->sml_nvalues[ i ],
899 NULL, NULL, 0, &e ) == LDAP_SUCCESS )
901 be_entry_release_r( op, e );
905 if ( MEMBEROF_DANGLING_ERROR( mo ) ) {
906 rc = rs->sr_err = mo->mo_dangling_err;
907 rs->sr_text = "adding non-existing object "
909 send_ldap_result( op, rs );
913 if ( MEMBEROF_DANGLING_DROP( mo ) ) {
916 Debug( LDAP_DEBUG_ANY, "%s: memberof_op_modify(\"%s\"): "
917 "member=\"%s\" does not exist (stripping...)\n",
918 op->o_log_prefix, op->o_req_dn.bv_val,
919 ml->sml_nvalues[ i ].bv_val );
921 for ( j = i + 1; !BER_BVISNULL( &ml->sml_nvalues[ j ] ); j++ );
922 ber_memfree( ml->sml_values[ i ].bv_val );
923 BER_BVZERO( &ml->sml_values[ i ] );
924 ber_memfree( ml->sml_nvalues[ i ].bv_val );
925 BER_BVZERO( &ml->sml_nvalues[ i ] );
931 AC_MEMCPY( &ml->sml_values[ i ], &ml->sml_values[ i + 1 ],
932 sizeof( struct berval ) * ( j - i ) );
933 AC_MEMCPY( &ml->sml_nvalues[ i ], &ml->sml_nvalues[ i + 1 ],
934 sizeof( struct berval ) * ( j - i ) );
939 if ( BER_BVISNULL( &ml->sml_nvalues[ 0 ] ) ) {
941 slap_mod_free( &ml->sml_mod, 0 );
957 if ( mmlp != NULL ) {
958 Modifications *ml = *mmlp;
962 op->o_bd->bd_info = (BackendInfo *)on->on_info;
963 rc = be_entry_get_rw( op, &op->o_req_ndn,
964 NULL, NULL, 0, &target );
965 op->o_bd->bd_info = (BackendInfo *)on;
966 if ( rc != LDAP_SUCCESS ) {
967 rc = rs->sr_err = LDAP_NO_SUCH_OBJECT;
968 send_ldap_result( op, rs );
972 switch ( ml->sml_op ) {
973 case LDAP_MOD_DELETE:
974 case SLAP_MOD_SOFTDEL: /* ITS#7487: can be used by syncrepl (in mirror mode?) */
975 if ( ml->sml_nvalues != NULL ) {
976 AccessControlState acl_state = ACL_STATE_INIT;
978 for ( i = 0; !BER_BVISNULL( &ml->sml_nvalues[ i ] ); i++ ) {
981 op->o_bd->bd_info = (BackendInfo *)on->on_info;
982 /* access is checked with the original identity */
983 rc = access_allowed( op, target,
985 &ml->sml_nvalues[ i ],
989 rc = rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
991 send_ldap_result( op, rs );
995 rc = be_entry_get_rw( op, &ml->sml_nvalues[ i ],
997 op->o_bd->bd_info = (BackendInfo *)on;
998 if ( rc != LDAP_SUCCESS ) {
999 if ( get_relax( op ) ) {
1003 if ( MEMBEROF_DANGLING_ERROR( mo ) ) {
1004 rc = rs->sr_err = mo->mo_dangling_err;
1005 rs->sr_text = "deleting non-existing object "
1007 send_ldap_result( op, rs );
1011 if ( MEMBEROF_DANGLING_DROP( mo ) ) {
1014 Debug( LDAP_DEBUG_ANY, "%s: memberof_op_modify(\"%s\"): "
1015 "memberof=\"%s\" does not exist (stripping...)\n",
1016 op->o_log_prefix, op->o_req_ndn.bv_val,
1017 ml->sml_nvalues[ i ].bv_val );
1019 for ( j = i + 1; !BER_BVISNULL( &ml->sml_nvalues[ j ] ); j++ );
1020 ber_memfree( ml->sml_values[ i ].bv_val );
1021 BER_BVZERO( &ml->sml_values[ i ] );
1022 if ( ml->sml_nvalues != ml->sml_values ) {
1023 ber_memfree( ml->sml_nvalues[ i ].bv_val );
1024 BER_BVZERO( &ml->sml_nvalues[ i ] );
1031 AC_MEMCPY( &ml->sml_values[ i ], &ml->sml_values[ i + 1 ],
1032 sizeof( struct berval ) * ( j - i ) );
1033 if ( ml->sml_nvalues != ml->sml_values ) {
1034 AC_MEMCPY( &ml->sml_nvalues[ i ], &ml->sml_nvalues[ i + 1 ],
1035 sizeof( struct berval ) * ( j - i ) );
1043 /* access is checked with the original identity */
1044 op->o_bd->bd_info = (BackendInfo *)on->on_info;
1045 rc = access_allowed( op, e, mo->mo_ad_member,
1048 be_entry_release_r( op, e );
1049 op->o_bd->bd_info = (BackendInfo *)on;
1052 rc = rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
1053 rs->sr_text = "insufficient access to object referenced by memberof";
1054 send_ldap_result( op, rs );
1059 if ( BER_BVISNULL( &ml->sml_nvalues[ 0 ] ) ) {
1060 *mmlp = ml->sml_next;
1061 slap_mod_free( &ml->sml_mod, 0 );
1069 case LDAP_MOD_REPLACE:
1071 op->o_bd->bd_info = (BackendInfo *)on->on_info;
1072 /* access is checked with the original identity */
1073 rc = access_allowed( op, target,
1077 op->o_bd->bd_info = (BackendInfo *)on;
1079 rc = rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
1081 send_ldap_result( op, rs );
1085 if ( ml->sml_op == LDAP_MOD_DELETE || ml->sml_op == SLAP_MOD_SOFTDEL || !ml->sml_values ) {
1091 case SLAP_MOD_SOFTADD: /* ITS#7487 */
1092 case SLAP_MOD_ADD_IF_NOT_PRESENT: /* ITS#7487 */
1094 AccessControlState acl_state = ACL_STATE_INIT;
1096 for ( i = 0; !BER_BVISNULL( &ml->sml_nvalues[ i ] ); i++ ) {
1099 op->o_bd->bd_info = (BackendInfo *)on->on_info;
1100 /* access is checked with the original identity */
1101 rc = access_allowed( op, target,
1103 &ml->sml_nvalues[ i ],
1107 rc = rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
1109 send_ldap_result( op, rs );
1113 /* ITS#6670 Ignore member pointing to this entry */
1114 if ( dn_match( &ml->sml_nvalues[i], &save_ndn ))
1117 rc = be_entry_get_rw( op, &ml->sml_nvalues[ i ],
1118 NULL, NULL, 0, &e );
1119 op->o_bd->bd_info = (BackendInfo *)on;
1120 if ( rc != LDAP_SUCCESS ) {
1121 if ( MEMBEROF_DANGLING_ERROR( mo ) ) {
1122 rc = rs->sr_err = mo->mo_dangling_err;
1123 rs->sr_text = "adding non-existing object "
1125 send_ldap_result( op, rs );
1129 if ( MEMBEROF_DANGLING_DROP( mo ) ) {
1132 Debug( LDAP_DEBUG_ANY, "%s: memberof_op_modify(\"%s\"): "
1133 "memberof=\"%s\" does not exist (stripping...)\n",
1134 op->o_log_prefix, op->o_req_ndn.bv_val,
1135 ml->sml_nvalues[ i ].bv_val );
1137 for ( j = i + 1; !BER_BVISNULL( &ml->sml_nvalues[ j ] ); j++ );
1138 ber_memfree( ml->sml_values[ i ].bv_val );
1139 BER_BVZERO( &ml->sml_values[ i ] );
1140 if ( ml->sml_nvalues != ml->sml_values ) {
1141 ber_memfree( ml->sml_nvalues[ i ].bv_val );
1142 BER_BVZERO( &ml->sml_nvalues[ i ] );
1149 AC_MEMCPY( &ml->sml_values[ i ], &ml->sml_values[ i + 1 ],
1150 sizeof( struct berval ) * ( j - i ) );
1151 if ( ml->sml_nvalues != ml->sml_values ) {
1152 AC_MEMCPY( &ml->sml_nvalues[ i ], &ml->sml_nvalues[ i + 1 ],
1153 sizeof( struct berval ) * ( j - i ) );
1161 /* access is checked with the original identity */
1162 op->o_bd->bd_info = (BackendInfo *)on->on_info;
1163 rc = access_allowed( op, e, mo->mo_ad_member,
1166 be_entry_release_r( op, e );
1167 op->o_bd->bd_info = (BackendInfo *)on;
1170 rc = rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
1171 rs->sr_text = "insufficient access to object referenced by memberof";
1172 send_ldap_result( op, rs );
1177 if ( BER_BVISNULL( &ml->sml_nvalues[ 0 ] ) ) {
1178 *mmlp = ml->sml_next;
1179 slap_mod_free( &ml->sml_mod, 0 );
1190 op->o_bd->bd_info = (BackendInfo *)on->on_info;
1191 be_entry_release_r( op, target );
1192 op->o_bd->bd_info = (BackendInfo *)on;
1195 sc = op->o_tmpalloc( sizeof(slap_callback)+sizeof(*mci), op->o_tmpmemctx );
1196 sc->sc_private = sc+1;
1197 sc->sc_response = memberof_res_modify;
1198 sc->sc_cleanup = memberof_cleanup;
1199 sc->sc_writewait = 0;
1200 mci = sc->sc_private;
1203 mci->memberof = NULL;
1204 mci->what = mcis.what;
1206 if ( save_member ) {
1207 op->o_dn = op->o_bd->be_rootdn;
1208 op->o_ndn = op->o_bd->be_rootndn;
1209 op->o_bd->bd_info = (BackendInfo *)on->on_info;
1210 rc = backend_attribute( op, NULL, &op->o_req_ndn,
1211 mo->mo_ad_member, &mci->member, ACL_READ );
1212 op->o_bd->bd_info = (BackendInfo *)on;
1215 sc->sc_next = op->o_callback;
1216 op->o_callback = sc;
1218 rc = SLAP_CB_CONTINUE;
1222 op->o_ndn = save_ndn;
1223 op->o_bd->bd_info = (BackendInfo *)on;
1229 memberof_op_modrdn( Operation *op, SlapReply *rs )
1231 slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
1233 memberof_cbinfo_t *mci;
1236 LDAP_SLIST_FOREACH( oex, &op->o_extra, oe_next ) {
1237 if ( oex->oe_key == (void *)&memberof )
1238 return SLAP_CB_CONTINUE;
1241 sc = op->o_tmpalloc( sizeof(slap_callback)+sizeof(*mci), op->o_tmpmemctx );
1242 sc->sc_private = sc+1;
1243 sc->sc_response = memberof_res_modrdn;
1244 sc->sc_cleanup = memberof_cleanup;
1245 sc->sc_writewait = 0;
1246 mci = sc->sc_private;
1249 mci->memberof = NULL;
1251 sc->sc_next = op->o_callback;
1252 op->o_callback = sc;
1254 return SLAP_CB_CONTINUE;
1258 * response callback that adds memberof values when a group is added.
1261 memberof_res_add( Operation *op, SlapReply *rs )
1263 memberof_cbinfo_t *mci = op->o_callback->sc_private;
1264 slap_overinst *on = mci->on;
1265 memberof_t *mo = (memberof_t *)on->on_bi.bi_private;
1269 if ( rs->sr_err != LDAP_SUCCESS ) {
1270 return SLAP_CB_CONTINUE;
1273 if ( MEMBEROF_REVERSE( mo ) ) {
1276 ma = attr_find( op->ora_e->e_attrs, mo->mo_ad_memberof );
1278 /* relax is required to allow to add
1279 * a non-existing member */
1280 op->o_relax = SLAP_CONTROL_CRITICAL;
1282 for ( i = 0; !BER_BVISNULL( &ma->a_nvals[ i ] ); i++ ) {
1284 /* ITS#6670 Ignore member pointing to this entry */
1285 if ( dn_match( &ma->a_nvals[i], &op->o_req_ndn ))
1288 /* the modification is attempted
1289 * with the original identity */
1290 memberof_value_modify( op,
1291 &ma->a_nvals[ i ], mo->mo_ad_member,
1292 NULL, NULL, &op->o_req_dn, &op->o_req_ndn );
1297 if ( is_entry_objectclass_or_sub( op->ora_e, mo->mo_oc_group ) ) {
1300 for ( a = attrs_find( op->ora_e->e_attrs, mo->mo_ad_member );
1302 a = attrs_find( a->a_next, mo->mo_ad_member ) )
1304 for ( i = 0; !BER_BVISNULL( &a->a_nvals[ i ] ); i++ ) {
1305 /* ITS#6670 Ignore member pointing to this entry */
1306 if ( dn_match( &a->a_nvals[i], &op->o_req_ndn ))
1309 memberof_value_modify( op,
1319 return SLAP_CB_CONTINUE;
1323 * response callback that deletes memberof values when a group is deleted.
1326 memberof_res_delete( Operation *op, SlapReply *rs )
1328 memberof_cbinfo_t *mci = op->o_callback->sc_private;
1329 slap_overinst *on = mci->on;
1330 memberof_t *mo = (memberof_t *)on->on_bi.bi_private;
1335 if ( rs->sr_err != LDAP_SUCCESS ) {
1336 return SLAP_CB_CONTINUE;
1340 if ( vals != NULL ) {
1341 for ( i = 0; !BER_BVISNULL( &vals[ i ] ); i++ ) {
1342 memberof_value_modify( op,
1343 &vals[ i ], mo->mo_ad_memberof,
1344 &op->o_req_dn, &op->o_req_ndn,
1349 if ( MEMBEROF_REFINT( mo ) ) {
1350 vals = mci->memberof;
1351 if ( vals != NULL ) {
1352 for ( i = 0; !BER_BVISNULL( &vals[ i ] ); i++ ) {
1353 memberof_value_modify( op,
1354 &vals[ i ], mo->mo_ad_member,
1355 &op->o_req_dn, &op->o_req_ndn,
1361 return SLAP_CB_CONTINUE;
1365 * response callback that adds/deletes memberof values when a group
1369 memberof_res_modify( Operation *op, SlapReply *rs )
1371 memberof_cbinfo_t *mci = op->o_callback->sc_private;
1372 slap_overinst *on = mci->on;
1373 memberof_t *mo = (memberof_t *)on->on_bi.bi_private;
1376 Modifications *ml, *mml = NULL;
1379 if ( rs->sr_err != LDAP_SUCCESS ) {
1380 return SLAP_CB_CONTINUE;
1383 if ( MEMBEROF_REVERSE( mo ) ) {
1384 for ( ml = op->orm_modlist; ml; ml = ml->sml_next ) {
1385 if ( ml->sml_desc == mo->mo_ad_memberof ) {
1392 if ( mml != NULL ) {
1393 BerVarray vals = mml->sml_nvalues;
1395 switch ( mml->sml_op ) {
1396 case LDAP_MOD_DELETE:
1397 case SLAP_MOD_SOFTDEL: /* ITS#7487: can be used by syncrepl (in mirror mode?) */
1398 if ( vals != NULL ) {
1399 for ( i = 0; !BER_BVISNULL( &vals[ i ] ); i++ ) {
1400 memberof_value_modify( op,
1401 &vals[ i ], mo->mo_ad_member,
1402 &op->o_req_dn, &op->o_req_ndn,
1409 case LDAP_MOD_REPLACE:
1410 /* delete all ... */
1411 op->o_bd->bd_info = (BackendInfo *)on->on_info;
1412 rc = backend_attribute( op, NULL, &op->o_req_ndn,
1413 mo->mo_ad_memberof, &vals, ACL_READ );
1414 op->o_bd->bd_info = (BackendInfo *)on;
1415 if ( rc == LDAP_SUCCESS ) {
1416 for ( i = 0; !BER_BVISNULL( &vals[ i ] ); i++ ) {
1417 memberof_value_modify( op,
1418 &vals[ i ], mo->mo_ad_member,
1419 &op->o_req_dn, &op->o_req_ndn,
1422 ber_bvarray_free_x( vals, op->o_tmpmemctx );
1425 if ( ml->sml_op == LDAP_MOD_DELETE || !mml->sml_values ) {
1431 case SLAP_MOD_SOFTADD: /* ITS#7487 */
1432 case SLAP_MOD_ADD_IF_NOT_PRESENT: /* ITS#7487 */
1433 assert( vals != NULL );
1435 for ( i = 0; !BER_BVISNULL( &vals[ i ] ); i++ ) {
1436 memberof_value_modify( op,
1437 &vals[ i ], mo->mo_ad_member,
1439 &op->o_req_dn, &op->o_req_ndn );
1448 if ( mci->what & MEMBEROF_IS_GROUP )
1450 for ( ml = op->orm_modlist; ml; ml = ml->sml_next ) {
1451 if ( ml->sml_desc != mo->mo_ad_member ) {
1455 switch ( ml->sml_op ) {
1456 case LDAP_MOD_DELETE:
1457 case SLAP_MOD_SOFTDEL: /* ITS#7487: can be used by syncrepl (in mirror mode?) */
1458 vals = ml->sml_nvalues;
1459 if ( vals != NULL ) {
1460 for ( i = 0; !BER_BVISNULL( &vals[ i ] ); i++ ) {
1461 memberof_value_modify( op,
1462 &vals[ i ], mo->mo_ad_memberof,
1463 &op->o_req_dn, &op->o_req_ndn,
1470 case LDAP_MOD_REPLACE:
1473 /* delete all ... */
1474 if ( vals != NULL ) {
1475 for ( i = 0; !BER_BVISNULL( &vals[ i ] ); i++ ) {
1476 memberof_value_modify( op,
1477 &vals[ i ], mo->mo_ad_memberof,
1478 &op->o_req_dn, &op->o_req_ndn,
1483 if ( ml->sml_op == LDAP_MOD_DELETE || ml->sml_op == SLAP_MOD_SOFTDEL || !ml->sml_values ) {
1489 case SLAP_MOD_SOFTADD: /* ITS#7487 */
1490 case SLAP_MOD_ADD_IF_NOT_PRESENT : /* ITS#7487 */
1491 assert( ml->sml_nvalues != NULL );
1492 vals = ml->sml_nvalues;
1493 for ( i = 0; !BER_BVISNULL( &vals[ i ] ); i++ ) {
1494 memberof_value_modify( op,
1495 &vals[ i ], mo->mo_ad_memberof,
1497 &op->o_req_dn, &op->o_req_ndn );
1507 return SLAP_CB_CONTINUE;
1511 * response callback that adds/deletes member values when a group member
1515 memberof_res_modrdn( Operation *op, SlapReply *rs )
1517 memberof_cbinfo_t *mci = op->o_callback->sc_private;
1518 slap_overinst *on = mci->on;
1519 memberof_t *mo = (memberof_t *)on->on_bi.bi_private;
1521 struct berval newPDN, newDN = BER_BVNULL, newPNDN, newNDN;
1525 struct berval save_dn, save_ndn;
1527 if ( rs->sr_err != LDAP_SUCCESS ) {
1528 return SLAP_CB_CONTINUE;
1531 mci->what = MEMBEROF_IS_GROUP;
1532 if ( MEMBEROF_REFINT( mo ) ) {
1533 mci->what |= MEMBEROF_IS_MEMBER;
1536 if ( op->orr_nnewSup ) {
1537 newPNDN = *op->orr_nnewSup;
1540 dnParent( &op->o_req_ndn, &newPNDN );
1543 build_new_dn( &newNDN, &newPNDN, &op->orr_nnewrdn, op->o_tmpmemctx );
1545 save_dn = op->o_req_dn;
1546 save_ndn = op->o_req_ndn;
1548 op->o_req_dn = newNDN;
1549 op->o_req_ndn = newNDN;
1550 rc = memberof_isGroupOrMember( op, mci );
1551 op->o_req_dn = save_dn;
1552 op->o_req_ndn = save_ndn;
1554 if ( rc != LDAP_SUCCESS || mci->what == MEMBEROF_IS_NONE ) {
1558 if ( op->orr_newSup ) {
1559 newPDN = *op->orr_newSup;
1562 dnParent( &op->o_req_dn, &newPDN );
1565 build_new_dn( &newDN, &newPDN, &op->orr_newrdn, op->o_tmpmemctx );
1567 if ( mci->what & MEMBEROF_IS_GROUP ) {
1568 op->o_bd->bd_info = (BackendInfo *)on->on_info;
1569 rc = backend_attribute( op, NULL, &newNDN,
1570 mo->mo_ad_member, &vals, ACL_READ );
1571 op->o_bd->bd_info = (BackendInfo *)on;
1573 if ( rc == LDAP_SUCCESS ) {
1574 for ( i = 0; !BER_BVISNULL( &vals[ i ] ); i++ ) {
1575 memberof_value_modify( op,
1576 &vals[ i ], mo->mo_ad_memberof,
1577 &op->o_req_dn, &op->o_req_ndn,
1580 ber_bvarray_free_x( vals, op->o_tmpmemctx );
1584 if ( MEMBEROF_REFINT( mo ) && ( mci->what & MEMBEROF_IS_MEMBER ) ) {
1585 op->o_bd->bd_info = (BackendInfo *)on->on_info;
1586 rc = backend_attribute( op, NULL, &newNDN,
1587 mo->mo_ad_memberof, &vals, ACL_READ );
1588 op->o_bd->bd_info = (BackendInfo *)on;
1590 if ( rc == LDAP_SUCCESS ) {
1591 for ( i = 0; !BER_BVISNULL( &vals[ i ] ); i++ ) {
1592 memberof_value_modify( op,
1593 &vals[ i ], mo->mo_ad_member,
1594 &op->o_req_dn, &op->o_req_ndn,
1597 ber_bvarray_free_x( vals, op->o_tmpmemctx );
1602 if ( !BER_BVISNULL( &newDN ) ) {
1603 op->o_tmpfree( newDN.bv_val, op->o_tmpmemctx );
1605 op->o_tmpfree( newNDN.bv_val, op->o_tmpmemctx );
1607 return SLAP_CB_CONTINUE;
1616 slap_overinst *on = (slap_overinst *)be->bd_info;
1618 const char *text = NULL;
1621 mo = (memberof_t *)ch_calloc( 1, sizeof( memberof_t ) );
1624 mo->mo_dangling_err = LDAP_CONSTRAINT_VIOLATION;
1626 if ( !ad_memberOf ) {
1627 rc = slap_str2ad( SLAPD_MEMBEROF_ATTR, &ad_memberOf, &text );
1628 if ( rc != LDAP_SUCCESS ) {
1629 Debug( LDAP_DEBUG_ANY, "memberof_db_init: "
1630 "unable to find attribute=\"%s\": %s (%d)\n",
1631 SLAPD_MEMBEROF_ATTR, text, rc );
1637 rc = slap_str2ad( SLAPD_GROUP_ATTR, &ad_member, &text );
1638 if ( rc != LDAP_SUCCESS ) {
1639 Debug( LDAP_DEBUG_ANY, "memberof_db_init: "
1640 "unable to find attribute=\"%s\": %s (%d)\n",
1641 SLAPD_GROUP_ATTR, text, rc );
1647 oc_group = oc_find( SLAPD_GROUP_CLASS );
1648 if ( oc_group == NULL ) {
1649 Debug( LDAP_DEBUG_ANY,
1650 "memberof_db_init: "
1651 "unable to find objectClass=\"%s\"\n",
1652 SLAPD_GROUP_CLASS, 0, 0 );
1657 on->on_bi.bi_private = (void *)mo;
1678 static ConfigDriver mo_cf_gen;
1680 #define OID "1.3.6.1.4.1.7136.2.666.4"
1681 #define OIDAT OID ".1.1"
1682 #define OIDCFGAT OID ".1.2"
1683 #define OIDOC OID ".2.1"
1684 #define OIDCFGOC OID ".2.2"
1687 static ConfigTable mo_cfg[] = {
1688 { "memberof-dn", "modifiersName",
1689 2, 2, 0, ARG_MAGIC|ARG_DN|MO_DN, mo_cf_gen,
1690 "( OLcfgOvAt:18.0 NAME 'olcMemberOfDN' "
1691 "DESC 'DN to be used as modifiersName' "
1692 "SYNTAX OMsDN SINGLE-VALUE )",
1695 { "memberof-dangling", "ignore|drop|error",
1696 2, 2, 0, ARG_MAGIC|MO_DANGLING, mo_cf_gen,
1697 "( OLcfgOvAt:18.1 NAME 'olcMemberOfDangling' "
1698 "DESC 'Behavior with respect to dangling members, "
1699 "constrained to ignore, drop, error' "
1700 "SYNTAX OMsDirectoryString SINGLE-VALUE )",
1703 { "memberof-refint", "true|FALSE",
1704 2, 2, 0, ARG_MAGIC|ARG_ON_OFF|MO_REFINT, mo_cf_gen,
1705 "( OLcfgOvAt:18.2 NAME 'olcMemberOfRefInt' "
1706 "DESC 'Take care of referential integrity' "
1707 "SYNTAX OMsBoolean SINGLE-VALUE )",
1710 { "memberof-group-oc", "objectClass",
1711 2, 2, 0, ARG_MAGIC|MO_GROUP_OC, mo_cf_gen,
1712 "( OLcfgOvAt:18.3 NAME 'olcMemberOfGroupOC' "
1713 "DESC 'Group objectClass' "
1714 "SYNTAX OMsDirectoryString SINGLE-VALUE )",
1717 { "memberof-member-ad", "member attribute",
1718 2, 2, 0, ARG_MAGIC|ARG_ATDESC|MO_MEMBER_AD, mo_cf_gen,
1719 "( OLcfgOvAt:18.4 NAME 'olcMemberOfMemberAD' "
1720 "DESC 'member attribute' "
1721 "SYNTAX OMsDirectoryString SINGLE-VALUE )",
1724 { "memberof-memberof-ad", "memberOf attribute",
1725 2, 2, 0, ARG_MAGIC|ARG_ATDESC|MO_MEMBER_OF_AD, mo_cf_gen,
1726 "( OLcfgOvAt:18.5 NAME 'olcMemberOfMemberOfAD' "
1727 "DESC 'memberOf attribute' "
1728 "SYNTAX OMsDirectoryString SINGLE-VALUE )",
1732 { "memberof-reverse", "true|FALSE",
1733 2, 2, 0, ARG_MAGIC|ARG_ON_OFF|MO_REVERSE, mo_cf_gen,
1734 "( OLcfgOvAt:18.6 NAME 'olcMemberOfReverse' "
1735 "DESC 'Take care of referential integrity "
1736 "also when directly modifying memberOf' "
1737 "SYNTAX OMsBoolean SINGLE-VALUE )",
1741 { "memberof-dangling-error", "error code",
1742 2, 2, 0, ARG_MAGIC|MO_DANGLING_ERROR, mo_cf_gen,
1743 "( OLcfgOvAt:18.7 NAME 'olcMemberOfDanglingError' "
1744 "DESC 'Error code returned in case of dangling back reference' "
1745 "SYNTAX OMsDirectoryString SINGLE-VALUE )",
1748 { NULL, NULL, 0, 0, 0, ARG_IGNORED }
1751 static ConfigOCs mo_ocs[] = {
1752 { "( OLcfgOvOc:18.1 "
1753 "NAME 'olcMemberOf' "
1754 "DESC 'Member-of configuration' "
1755 "SUP olcOverlayConfig "
1758 "$ olcMemberOfDangling "
1759 "$ olcMemberOfDanglingError"
1760 "$ olcMemberOfRefInt "
1761 "$ olcMemberOfGroupOC "
1762 "$ olcMemberOfMemberAD "
1763 "$ olcMemberOfMemberOfAD "
1765 "$ olcMemberOfReverse "
1769 Cft_Overlay, mo_cfg, NULL, NULL },
1773 static slap_verbmasks dangling_mode[] = {
1774 { BER_BVC( "ignore" ), MEMBEROF_NONE },
1775 { BER_BVC( "drop" ), MEMBEROF_FDANGLING_DROP },
1776 { BER_BVC( "error" ), MEMBEROF_FDANGLING_ERROR },
1781 memberof_make_group_filter( memberof_t *mo )
1785 if ( !BER_BVISNULL( &mo->mo_groupFilterstr ) ) {
1786 ch_free( mo->mo_groupFilterstr.bv_val );
1789 mo->mo_groupFilter.f_choice = LDAP_FILTER_EQUALITY;
1790 mo->mo_groupFilter.f_ava = &mo->mo_groupAVA;
1792 mo->mo_groupFilter.f_av_desc = slap_schema.si_ad_objectClass;
1793 mo->mo_groupFilter.f_av_value = mo->mo_oc_group->soc_cname;
1795 mo->mo_groupFilterstr.bv_len = STRLENOF( "(=)" )
1796 + slap_schema.si_ad_objectClass->ad_cname.bv_len
1797 + mo->mo_oc_group->soc_cname.bv_len;
1798 ptr = mo->mo_groupFilterstr.bv_val = ch_malloc( mo->mo_groupFilterstr.bv_len + 1 );
1800 ptr = lutil_strcopy( ptr, slap_schema.si_ad_objectClass->ad_cname.bv_val );
1802 ptr = lutil_strcopy( ptr, mo->mo_oc_group->soc_cname.bv_val );
1810 memberof_make_member_filter( memberof_t *mo )
1814 if ( !BER_BVISNULL( &mo->mo_memberFilterstr ) ) {
1815 ch_free( mo->mo_memberFilterstr.bv_val );
1818 mo->mo_memberFilter.f_choice = LDAP_FILTER_PRESENT;
1819 mo->mo_memberFilter.f_desc = mo->mo_ad_memberof;
1821 mo->mo_memberFilterstr.bv_len = STRLENOF( "(=*)" )
1822 + mo->mo_ad_memberof->ad_cname.bv_len;
1823 ptr = mo->mo_memberFilterstr.bv_val = ch_malloc( mo->mo_memberFilterstr.bv_len + 1 );
1825 ptr = lutil_strcopy( ptr, mo->mo_ad_memberof->ad_cname.bv_val );
1826 ptr = lutil_strcopy( ptr, "=*)" );
1832 mo_cf_gen( ConfigArgs *c )
1834 slap_overinst *on = (slap_overinst *)c->bi;
1835 memberof_t *mo = (memberof_t *)on->on_bi.bi_private;
1839 if ( c->op == SLAP_CONFIG_EMIT ) {
1840 struct berval bv = BER_BVNULL;
1844 if ( mo->mo_dn.bv_val != NULL) {
1845 value_add_one( &c->rvalue_vals, &mo->mo_dn );
1846 value_add_one( &c->rvalue_nvals, &mo->mo_ndn );
1851 enum_to_verb( dangling_mode, (mo->mo_flags & MEMBEROF_FDANGLING_MASK), &bv );
1852 if ( BER_BVISNULL( &bv ) ) {
1853 /* there's something wrong... */
1858 value_add_one( &c->rvalue_vals, &bv );
1862 case MO_DANGLING_ERROR:
1863 if ( mo->mo_flags & MEMBEROF_FDANGLING_ERROR ) {
1864 char buf[ SLAP_TEXT_BUFLEN ];
1865 enum_to_verb( slap_ldap_response_code, mo->mo_dangling_err, &bv );
1866 if ( BER_BVISNULL( &bv ) ) {
1867 bv.bv_len = snprintf( buf, sizeof( buf ), "0x%x", mo->mo_dangling_err );
1868 if ( bv.bv_len < sizeof( buf ) ) {
1875 value_add_one( &c->rvalue_vals, &bv );
1882 c->value_int = MEMBEROF_REFINT( mo );
1887 c->value_int = MEMBEROF_REVERSE( mo );
1892 if ( mo->mo_oc_group != NULL ){
1893 value_add_one( &c->rvalue_vals, &mo->mo_oc_group->soc_cname );
1898 if ( mo->mo_ad_member != NULL ){
1899 value_add_one( &c->rvalue_vals, &mo->mo_ad_member->ad_cname );
1903 case MO_MEMBER_OF_AD:
1904 if ( mo->mo_ad_memberof != NULL ){
1905 value_add_one( &c->rvalue_vals, &mo->mo_ad_memberof->ad_cname );
1916 } else if ( c->op == LDAP_MOD_DELETE ) {
1919 if ( !BER_BVISNULL( &mo->mo_dn ) ) {
1920 ber_memfree( mo->mo_dn.bv_val );
1921 ber_memfree( mo->mo_ndn.bv_val );
1922 BER_BVZERO( &mo->mo_dn );
1923 BER_BVZERO( &mo->mo_ndn );
1928 mo->mo_flags &= ~MEMBEROF_FDANGLING_MASK;
1931 case MO_DANGLING_ERROR:
1932 mo->mo_dangling_err = LDAP_CONSTRAINT_VIOLATION;
1936 mo->mo_flags &= ~MEMBEROF_FREFINT;
1941 mo->mo_flags &= ~MEMBEROF_FREVERSE;
1946 mo->mo_oc_group = oc_group;
1947 memberof_make_group_filter( mo );
1951 mo->mo_ad_member = ad_member;
1954 case MO_MEMBER_OF_AD:
1955 mo->mo_ad_memberof = ad_memberOf;
1956 memberof_make_member_filter( mo );
1967 if ( !BER_BVISNULL( &mo->mo_dn ) ) {
1968 ber_memfree( mo->mo_dn.bv_val );
1969 ber_memfree( mo->mo_ndn.bv_val );
1971 mo->mo_dn = c->value_dn;
1972 mo->mo_ndn = c->value_ndn;
1976 i = verb_to_mask( c->argv[ 1 ], dangling_mode );
1977 if ( BER_BVISNULL( &dangling_mode[ i ].word ) ) {
1981 mo->mo_flags &= ~MEMBEROF_FDANGLING_MASK;
1982 mo->mo_flags |= dangling_mode[ i ].mask;
1985 case MO_DANGLING_ERROR:
1986 i = verb_to_mask( c->argv[ 1 ], slap_ldap_response_code );
1987 if ( !BER_BVISNULL( &slap_ldap_response_code[ i ].word ) ) {
1988 mo->mo_dangling_err = slap_ldap_response_code[ i ].mask;
1989 } else if ( lutil_atoix( &mo->mo_dangling_err, c->argv[ 1 ], 0 ) ) {
1995 if ( c->value_int ) {
1996 mo->mo_flags |= MEMBEROF_FREFINT;
1999 mo->mo_flags &= ~MEMBEROF_FREFINT;
2005 if ( c->value_int ) {
2006 mo->mo_flags |= MEMBEROF_FREVERSE;
2009 mo->mo_flags &= ~MEMBEROF_FREVERSE;
2015 ObjectClass *oc = NULL;
2017 oc = oc_find( c->argv[ 1 ] );
2019 snprintf( c->cr_msg, sizeof( c->cr_msg ),
2020 "unable to find group objectClass=\"%s\"",
2022 Debug( LDAP_DEBUG_CONFIG, "%s: %s.\n",
2023 c->log, c->cr_msg, 0 );
2027 mo->mo_oc_group = oc;
2028 memberof_make_group_filter( mo );
2031 case MO_MEMBER_AD: {
2032 AttributeDescription *ad = c->value_ad;
2034 if ( !is_at_syntax( ad->ad_type, SLAPD_DN_SYNTAX ) /* e.g. "member" */
2035 && !is_at_syntax( ad->ad_type, SLAPD_NAMEUID_SYNTAX ) ) /* e.g. "uniqueMember" */
2037 snprintf( c->cr_msg, sizeof( c->cr_msg ),
2038 "member attribute=\"%s\" must either "
2039 "have DN (%s) or nameUID (%s) syntax",
2040 c->argv[ 1 ], SLAPD_DN_SYNTAX, SLAPD_NAMEUID_SYNTAX );
2041 Debug( LDAP_DEBUG_CONFIG, "%s: %s.\n",
2042 c->log, c->cr_msg, 0 );
2046 mo->mo_ad_member = ad;
2049 case MO_MEMBER_OF_AD: {
2050 AttributeDescription *ad = c->value_ad;
2052 if ( !is_at_syntax( ad->ad_type, SLAPD_DN_SYNTAX ) /* e.g. "member" */
2053 && !is_at_syntax( ad->ad_type, SLAPD_NAMEUID_SYNTAX ) ) /* e.g. "uniqueMember" */
2055 snprintf( c->cr_msg, sizeof( c->cr_msg ),
2056 "memberof attribute=\"%s\" must either "
2057 "have DN (%s) or nameUID (%s) syntax",
2058 c->argv[ 1 ], SLAPD_DN_SYNTAX, SLAPD_NAMEUID_SYNTAX );
2059 Debug( LDAP_DEBUG_CONFIG, "%s: %s.\n",
2060 c->log, c->cr_msg, 0 );
2064 mo->mo_ad_memberof = ad;
2065 memberof_make_member_filter( mo );
2082 slap_overinst *on = (slap_overinst *)be->bd_info;
2083 memberof_t *mo = (memberof_t *)on->on_bi.bi_private;
2087 if ( !mo->mo_ad_memberof ) {
2088 mo->mo_ad_memberof = ad_memberOf;
2091 if ( ! mo->mo_ad_member ) {
2092 mo->mo_ad_member = ad_member;
2095 if ( ! mo->mo_oc_group ) {
2096 mo->mo_oc_group = oc_group;
2099 if ( BER_BVISNULL( &mo->mo_dn ) && !BER_BVISNULL( &be->be_rootdn ) ) {
2100 ber_dupbv( &mo->mo_dn, &be->be_rootdn );
2101 ber_dupbv( &mo->mo_ndn, &be->be_rootndn );
2104 if ( BER_BVISNULL( &mo->mo_groupFilterstr ) ) {
2105 memberof_make_group_filter( mo );
2108 if ( BER_BVISNULL( &mo->mo_memberFilterstr ) ) {
2109 memberof_make_member_filter( mo );
2116 memberof_db_destroy(
2120 slap_overinst *on = (slap_overinst *)be->bd_info;
2121 memberof_t *mo = (memberof_t *)on->on_bi.bi_private;
2124 if ( !BER_BVISNULL( &mo->mo_dn ) ) {
2125 ber_memfree( mo->mo_dn.bv_val );
2126 ber_memfree( mo->mo_ndn.bv_val );
2129 if ( !BER_BVISNULL( &mo->mo_groupFilterstr ) ) {
2130 ber_memfree( mo->mo_groupFilterstr.bv_val );
2133 if ( !BER_BVISNULL( &mo->mo_memberFilterstr ) ) {
2134 ber_memfree( mo->mo_memberFilterstr.bv_val );
2145 AttributeDescription **adp;
2147 { "( 1.2.840.113556.1.2.102 "
2149 "DESC 'Group that the entry belongs to' "
2150 "SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' "
2151 "EQUALITY distinguishedNameMatch " /* added */
2152 "USAGE dSAOperation " /* added; questioned */
2153 /* "NO-USER-MODIFICATION " */ /* add? */
2154 "X-ORIGIN 'iPlanet Delegated Administrator' )",
2159 #if SLAPD_OVER_MEMBEROF == SLAPD_MOD_DYNAMIC
2161 #endif /* SLAPD_OVER_MEMBEROF == SLAPD_MOD_DYNAMIC */
2163 memberof_initialize( void )
2167 for ( i = 0; as[ i ].desc != NULL; i++ ) {
2168 code = register_at( as[ i ].desc, as[ i ].adp, 0 );
2170 Debug( LDAP_DEBUG_ANY,
2171 "memberof_initialize: register_at #%d failed\n",
2177 memberof.on_bi.bi_type = "memberof";
2179 memberof.on_bi.bi_db_init = memberof_db_init;
2180 memberof.on_bi.bi_db_open = memberof_db_open;
2181 memberof.on_bi.bi_db_destroy = memberof_db_destroy;
2183 memberof.on_bi.bi_op_add = memberof_op_add;
2184 memberof.on_bi.bi_op_delete = memberof_op_delete;
2185 memberof.on_bi.bi_op_modify = memberof_op_modify;
2186 memberof.on_bi.bi_op_modrdn = memberof_op_modrdn;
2188 memberof.on_bi.bi_cf_ocs = mo_ocs;
2190 code = config_register_schema( mo_cfg, mo_ocs );
2191 if ( code ) return code;
2193 return overlay_register( &memberof );
2196 #if SLAPD_OVER_MEMBEROF == SLAPD_MOD_DYNAMIC
2198 init_module( int argc, char *argv[] )
2200 return memberof_initialize();
2202 #endif /* SLAPD_OVER_MEMBEROF == SLAPD_MOD_DYNAMIC */
2204 #endif /* SLAPD_OVER_MEMBEROF */