6. Test the standalone system
This step requires the standalone LDAP server, slapd(8), with
- BDB and/or LDBM support.
+ BDB, HDB, and/or LDBM support.
% make test
#define vsprintf ber_pvt_vsprintf
#endif
+#ifdef OPENLDAP_FD_SETSIZE
+ /* assume installer desires to enlarge fd_set */
+#ifdef HAVE_BITS_TYPES_H
+#include <bits/types.h>
+#endif
+#ifdef __FD_SETSIZE
+#undef __FD_SETSIZE
+#define __FD_SETSIZE OPENLDAP_FD_SETSIZE
+#else
+#define FD_SETSIZE OPENLDAP_FD_SETSIZE
+#endif
+#endif
+
#include "ldap_cdefs.h"
#include "ldap_features.h"
OL_BERKELEY_DB_TRY(ol_cv_db_db_4_2,[-ldb-4-2])
OL_BERKELEY_DB_TRY(ol_cv_db_db_4,[-ldb-4])
OL_BERKELEY_DB_TRY(ol_cv_db_db4,[-ldb4])
+OL_BERKELEY_DB_TRY(ol_cv_db_db,[-ldb])
OL_BERKELEY_DB_TRY(ol_cv_db_db41,[-ldb41])
OL_BERKELEY_DB_TRY(ol_cv_db_db_41,[-ldb-41])
OL_BERKELEY_DB_TRY(ol_cv_db_db_4_dot_1,[-ldb-4.1])
OL_BERKELEY_DB_TRY(ol_cv_db_db_4_1,[-ldb-4-1])
-OL_BERKELEY_DB_TRY(ol_cv_db_db_4,[-ldb-4])
-OL_BERKELEY_DB_TRY(ol_cv_db_db,[-ldb])
OL_BERKELEY_DB_TRY(ol_cv_db_db3,[-ldb3])
OL_BERKELEY_DB_TRY(ol_cv_db_db_3,[-ldb-3])
OL_BERKELEY_DB_TRY(ol_cv_db_db2,[-ldb2])
LDAP_LIBLDAP_LA = $(LDAP_LIBDIR)/libldap/libldap.la
LDAP_LIBLDAP_R_LA = $(LDAP_LIBDIR)/libldap_r/libldap_r.la
-LDAP_LIBLDBM_A_no =
-LDAP_LIBLDBM_A_yes = $(LDAP_LIBDIR)/libldbm/libldbm.a
-
-LDAP_LIBLDBM_A = $(LDAP_LIBLDBM_A_@BUILD_LDBM@)
LDAP_LIBREWRITE_A = $(LDAP_LIBDIR)/librewrite/librewrite.a
LDAP_LIBLUNICODE_A = $(LDAP_LIBDIR)/liblunicode/liblunicode.a
LDAP_LIBLUTIL_A = $(LDAP_LIBDIR)/liblutil/liblutil.a
$(LDAP_LIBLDAP_LA) $(LDAP_LIBLBER_LA)
SLURPD_L = $(LDAP_LIBLUTIL_A) \
$(LDAP_LIBLDAP_R_LA) $(LDAP_LIBLBER_LA)
-SLAPD_L = $(LDAP_LIBLDBM_A) \
- $(LDAP_LIBLUNICODE_A) $(LDAP_LIBREWRITE_A) \
+SLAPD_L = $(LDAP_LIBLUNICODE_A) $(LDAP_LIBREWRITE_A) \
$(SLURPD_L)
WRAP_LIBS = @WRAP_LIBS@
MODULES_CPPFLAGS = @SLAPD_MODULES_CPPFLAGS@
MODULES_LDFLAGS = @SLAPD_MODULES_LDFLAGS@
MODULES_LIBS = @MODULES_LIBS@
-TERMCAP_LIBS = @TERMCAP_LIBS@
SLAPD_PERL_LDFLAGS = @SLAPD_PERL_LDFLAGS@
SLAPD_SQL_LDFLAGS = @SLAPD_SQL_LDFLAGS@
{
static const char *const descriptions[] = {
N_(" -c continuous operation mode (do not stop on errors)\n"),
-N_(" -C chase referrals\n"),
+N_(" -C chase referrals (anonymously)\n"),
N_(" -d level set LDAP debugging level to `level'\n"),
N_(" -D binddn bind DN\n"),
N_(" -e [!]<ctrl>[=<ctrlparam>] general controls (! indicates criticality)\n")
#endif
if ( !not ) {
- /* connect to server */
+ int rc;
+
if( ( ldaphost != NULL || ldapport ) && ( ldapuri == NULL ) ) {
- if ( verbose ) {
- fprintf( stderr, "ldap_init( %s, %d )\n",
- ldaphost != NULL ? ldaphost : "<DEFAULT>",
- ldapport );
- }
+ /* construct URL */
+ LDAPURLDesc url;
+ memset( &url, 0, sizeof(url));
- ld = ldap_init( ldaphost, ldapport );
- if( ld == NULL ) {
- char buf[20 + sizeof(": ldap_init")];
- sprintf( buf, "%.20s: ldap_init", prog );
- perror( buf );
- exit( EXIT_FAILURE );
- }
+ url.lud_scheme = "ldap";
+ url.lud_host = ldaphost;
+ url.lud_port = ldapport;
+ url.lud_scope = LDAP_SCOPE_DEFAULT;
- } else {
- int rc;
- if ( verbose ) {
- fprintf( stderr, "ldap_initialize( %s )\n",
- ldapuri != NULL ? ldapuri : "<DEFAULT>" );
- }
- rc = ldap_initialize( &ld, ldapuri );
- if( rc != LDAP_SUCCESS ) {
- fprintf( stderr,
- "Could not create LDAP session handle (%d): %s\n",
- rc, ldap_err2string(rc) );
- exit( EXIT_FAILURE );
- }
+ ldapuri = ldap_url_desc2str( &url );
+ }
+
+ if ( verbose ) {
+ fprintf( stderr, "ldap_initialize( %s )\n",
+ ldapuri != NULL ? ldapuri : "<DEFAULT>" );
+ }
+ rc = ldap_initialize( &ld, ldapuri );
+ if( rc != LDAP_SUCCESS ) {
+ fprintf( stderr,
+ "Could not create LDAP session handle (%d): %s\n",
+ rc, ldap_err2string(rc) );
+ exit( EXIT_FAILURE );
}
if( private_setup ) private_setup( ld );
#! /bin/sh
# $OpenLDAP$
-# from OpenLDAP: pkg/ldap/configure.in,v 1.478.2.8 2003/11/30 22:20:22 kurt Exp
+# from OpenLDAP: pkg/ldap/configure.in,v 1.478.2.9 2003/12/01 00:58:21 kurt Exp
# This work is part of OpenLDAP Software <http://www.openldap.org/>.
#
--with-sql-module module type static|dynamic [static]"
ac_help="$ac_help
+SLAPD Overlay Options:"
+ac_help="$ac_help
+ --with-dyngroup Dynamic Group overlay no|yes|mod [no]"
+ac_help="$ac_help
+ --with-proxycache Proxy Cache overlay no|yes|mod [no]"
+ac_help="$ac_help
+
SLURPD (Replication Daemon) Options:"
ac_help="$ac_help
--enable-slurpd enable building slurpd [auto]"
echo $ac_n "checking host system type""... $ac_c" 1>&6
-echo "configure:881: checking host system type" >&5
+echo "configure:888: checking host system type" >&5
if test "x$ac_cv_host" = "x" || (test "x$host" != "xNONE" && test "x$host" != "x$ac_cv_host_alias"); then
# Make sure we can run config.sub.
echo $ac_n "checking target system type""... $ac_c" 1>&6
-echo "configure:922: checking target system type" >&5
+echo "configure:929: checking target system type" >&5
if test "x$ac_cv_target" = "x" || (test "x$target" != "xNONE" && test "x$target" != "x$ac_cv_target_alias"); then
# Make sure we can run config.sub.
echo $ac_n "checking build system type""... $ac_c" 1>&6
-echo "configure:962: checking build system type" >&5
+echo "configure:969: checking build system type" >&5
if test "x$ac_cv_build" = "x" || (test "x$build" != "xNONE" && test "x$build" != "x$ac_cv_build_alias"); then
# Make sure we can run config.sub.
# SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff"
# ./install, which can be erroneously created by make from ./install.sh.
echo $ac_n "checking for a BSD compatible install""... $ac_c" 1>&6
-echo "configure:1039: checking for a BSD compatible install" >&5
+echo "configure:1046: checking for a BSD compatible install" >&5
if test -z "$INSTALL"; then
if eval "test \"\${ac_cv_path_install+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644'
echo $ac_n "checking whether build environment is sane""... $ac_c" 1>&6
-echo "configure:1096: checking whether build environment is sane" >&5
+echo "configure:1103: checking whether build environment is sane" >&5
# Just in case
sleep 1
echo timestamp > conftestfile
# Extract the first word of "$ac_prog", so it can be a program name with args.
set dummy $ac_prog; ac_word=$2
echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:1157: checking for $ac_word" >&5
+echo "configure:1164: checking for $ac_word" >&5
if eval "test \"\${ac_cv_prog_AWK+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
done
echo $ac_n "checking whether ${MAKE-make} sets \${MAKE}""... $ac_c" 1>&6
-echo "configure:1187: checking whether ${MAKE-make} sets \${MAKE}" >&5
+echo "configure:1194: checking whether ${MAKE-make} sets \${MAKE}" >&5
set dummy ${MAKE-make}; ac_make=`echo "$2" | sed 'y%./+-%__p_%'`
if eval "test \"\${ac_cv_prog_make_${ac_make}_set+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
missing_dir=`cd $ac_aux_dir && pwd`
echo $ac_n "checking for working aclocal""... $ac_c" 1>&6
-echo "configure:1227: checking for working aclocal" >&5
+echo "configure:1234: checking for working aclocal" >&5
# Run test in a subshell; some versions of sh will print an error if
# an executable is not found, even if stderr is redirected.
# Redirect stdin to placate older versions of autoconf. Sigh.
fi
echo $ac_n "checking for working autoconf""... $ac_c" 1>&6
-echo "configure:1240: checking for working autoconf" >&5
+echo "configure:1247: checking for working autoconf" >&5
# Run test in a subshell; some versions of sh will print an error if
# an executable is not found, even if stderr is redirected.
# Redirect stdin to placate older versions of autoconf. Sigh.
fi
echo $ac_n "checking for working automake""... $ac_c" 1>&6
-echo "configure:1253: checking for working automake" >&5
+echo "configure:1260: checking for working automake" >&5
# Run test in a subshell; some versions of sh will print an error if
# an executable is not found, even if stderr is redirected.
# Redirect stdin to placate older versions of autoconf. Sigh.
fi
echo $ac_n "checking for working autoheader""... $ac_c" 1>&6
-echo "configure:1266: checking for working autoheader" >&5
+echo "configure:1273: checking for working autoheader" >&5
# Run test in a subshell; some versions of sh will print an error if
# an executable is not found, even if stderr is redirected.
# Redirect stdin to placate older versions of autoconf. Sigh.
fi
echo $ac_n "checking for working makeinfo""... $ac_c" 1>&6
-echo "configure:1279: checking for working makeinfo" >&5
+echo "configure:1286: checking for working makeinfo" >&5
# Run test in a subshell; some versions of sh will print an error if
# an executable is not found, even if stderr is redirected.
# Redirect stdin to placate older versions of autoconf. Sigh.
# Extract the first word of "$ac_prog", so it can be a program name with args.
set dummy $ac_prog; ac_word=$2
echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:1299: checking for $ac_word" >&5
+echo "configure:1306: checking for $ac_word" >&5
if eval "test \"\${ac_cv_prog_AMTAR+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
echo $ac_n "checking configure arguments""... $ac_c" 1>&6
-echo "configure:1369: checking configure arguments" >&5
+echo "configure:1376: checking configure arguments" >&5
top_builddir=`pwd`
# end --with-sql_module
+# Check whether --with-xxslapoverlays or --without-xxslapoverlays was given.
+if test "${with_xxslapoverlays+set}" = set; then
+ withval="$with_xxslapoverlays"
+ :
+fi
+
+# OpenLDAP --with-dyngroup
+ # Check whether --with-dyngroup or --without-dyngroup was given.
+if test "${with_dyngroup+set}" = set; then
+ withval="$with_dyngroup"
+
+ ol_arg=invalid
+ for ol_val in no yes mod ; do
+ if test "$withval" = "$ol_val" ; then
+ ol_arg="$ol_val"
+ fi
+ done
+ if test "$ol_arg" = "invalid" ; then
+ { echo "configure: error: bad value $withval for --with-dyngroup" 1>&2; exit 1; }
+ fi
+ ol_with_dyngroup="$ol_arg"
+
+else
+ ol_with_dyngroup="no"
+fi
+# end --with-dyngroup
+
+# OpenLDAP --with-proxycache
+ # Check whether --with-proxycache or --without-proxycache was given.
+if test "${with_proxycache+set}" = set; then
+ withval="$with_proxycache"
+
+ ol_arg=invalid
+ for ol_val in no yes mod ; do
+ if test "$withval" = "$ol_val" ; then
+ ol_arg="$ol_val"
+ fi
+ done
+ if test "$ol_arg" = "invalid" ; then
+ { echo "configure: error: bad value $withval for --with-proxycache" 1>&2; exit 1; }
+ fi
+ ol_with_proxycache="$ol_arg"
+
+else
+ ol_with_proxycache="no"
+fi
+# end --with-proxycache
+
+
# Check whether --with-xxslurpdoptions or --without-xxslurpdoptions was given.
if test "${with_xxslurpdoptions+set}" = set; then
withval="$with_xxslurpdoptions"
if test $ol_enable_rewrite = yes ; then
echo "configure: warning: slapd disabled, ignoring --enable-rewrite argument" 1>&2
fi
+ if test $ol_with_dyngroup != no ; then
+ echo "configure: warning: slapd disabled, ignoring --with-dyngroup argument" 1>&2
+ fi
+ if test $ol_with_proxycache != no ; then
+ echo "configure: warning: slapd disabled, ignoring --with-proxycache argument" 1>&2
+ fi
# force settings to no
ol_enable_slapi=no
ol_enable_rlookups=no
ol_enable_aci=no
ol_enable_wrappers=no
- ol_enable_dynamic=no
ol_with_ldbm_api=no
ol_with_ldbm_type=no
ol_enable_rewrite=no
+ ol_with_dyngroup=no
+ ol_with_proxycache=no
+
elif test $ol_enable_ldbm = no ; then
if test $ol_with_ldbm_api != auto ; then
BUILD_LDBM=no
BUILD_META=no
BUILD_MONITOR=no
-BUILD_CACHE=no
BUILD_NULL=no
BUILD_PASSWD=no
BUILD_PERL=no
BUILD_SHELL_DYNAMIC=static
BUILD_SQL_DYNAMIC=static
+BUILD_DYNGROUP=no
+BUILD_PROXYCACHE=no
+
+SLAPD_DYNAMIC_OVERLAYS=
+
SLAPD_MODULES_LDFLAGS=
SLAPD_MODULES_CPPFLAGS=
KRB4_LIBS=
KRB5_LIBS=
SASL_LIBS=
-TERMCAP_LIBS=
TLS_LIBS=
MODULES_LIBS=
SLAPI_LIBS=
# SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff"
# ./install, which can be erroneously created by make from ./install.sh.
echo $ac_n "checking for a BSD compatible install""... $ac_c" 1>&6
-echo "configure:2853: checking for a BSD compatible install" >&5
+echo "configure:2920: checking for a BSD compatible install" >&5
if test -z "$INSTALL"; then
if eval "test \"\${ac_cv_path_install+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
# Extract the first word of "$ac_prog", so it can be a program name with args.
set dummy $ac_prog; ac_word=$2
echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:2934: checking for $ac_word" >&5
+echo "configure:3001: checking for $ac_word" >&5
if eval "test \"\${ac_cv_prog_CC+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
# Extract the first word of "$ac_prog", so it can be a program name with args.
set dummy $ac_prog; ac_word=$2
echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:2986: checking for $ac_word" >&5
+echo "configure:3053: checking for $ac_word" >&5
if eval "test \"\${ac_cv_prog_CC+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
# Extract the first word of "$ac_prog", so it can be a program name with args.
set dummy $ac_prog; ac_word=$2
echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:3028: checking for $ac_word" >&5
+echo "configure:3095: checking for $ac_word" >&5
if eval "test \"\${ac_cv_prog_AR+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
fi
echo $ac_n "checking for Cygwin environment""... $ac_c" 1>&6
-echo "configure:3078: checking for Cygwin environment" >&5
+echo "configure:3145: checking for Cygwin environment" >&5
if eval "test \"\${ac_cv_cygwin+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 3083 "configure"
+#line 3150 "configure"
#include "confdefs.h"
int main() {
return __CYGWIN__;
; return 0; }
EOF
-if { (eval echo configure:3094: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:3161: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
rm -rf conftest*
ac_cv_cygwin=yes
else
CYGWIN=
test "$ac_cv_cygwin" = yes && CYGWIN=yes
echo $ac_n "checking for mingw32 environment""... $ac_c" 1>&6
-echo "configure:3110: checking for mingw32 environment" >&5
+echo "configure:3177: checking for mingw32 environment" >&5
if eval "test \"\${ac_cv_mingw32+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 3115 "configure"
+#line 3182 "configure"
#include "confdefs.h"
int main() {
return __MINGW32__;
; return 0; }
EOF
-if { (eval echo configure:3122: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:3189: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
rm -rf conftest*
ac_cv_mingw32=yes
else
MINGW32=
test "$ac_cv_mingw32" = yes && MINGW32=yes
echo $ac_n "checking for EMX OS/2 environment""... $ac_c" 1>&6
-echo "configure:3138: checking for EMX OS/2 environment" >&5
+echo "configure:3205: checking for EMX OS/2 environment" >&5
if eval "test \"\${ac_cv_emxos2+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 3143 "configure"
+#line 3210 "configure"
#include "confdefs.h"
int main() {
return __EMX__;
; return 0; }
EOF
-if { (eval echo configure:3150: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:3217: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
rm -rf conftest*
ac_cv_emxos2=yes
else
EMXOS2=
test "$ac_cv_emxos2" = yes && EMXOS2=yes
echo $ac_n "checking how to run the C preprocessor""... $ac_c" 1>&6
-echo "configure:3166: checking how to run the C preprocessor" >&5
+echo "configure:3233: checking how to run the C preprocessor" >&5
# On Suns, sometimes $CPP names a directory.
if test -n "$CPP" && test -d "$CPP"; then
CPP=
# On the NeXT, cc -E runs the code through the compiler's parser,
# not just through cpp.
cat > conftest.$ac_ext <<EOF
-#line 3181 "configure"
+#line 3248 "configure"
#include "confdefs.h"
#include <assert.h>
Syntax Error
EOF
ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:3187: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:3254: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
if test -z "$ac_err"; then
:
rm -rf conftest*
CPP="${CC-cc} -E -traditional-cpp"
cat > conftest.$ac_ext <<EOF
-#line 3198 "configure"
+#line 3265 "configure"
#include "confdefs.h"
#include <assert.h>
Syntax Error
EOF
ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:3204: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:3271: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
if test -z "$ac_err"; then
:
rm -rf conftest*
CPP="${CC-cc} -nologo -E"
cat > conftest.$ac_ext <<EOF
-#line 3215 "configure"
+#line 3282 "configure"
#include "confdefs.h"
#include <assert.h>
Syntax Error
EOF
ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:3221: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:3288: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
if test -z "$ac_err"; then
:
# Extract the first word of "gcc", so it can be a program name with args.
set dummy gcc; ac_word=$2
echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:3271: checking for $ac_word" >&5
+echo "configure:3338: checking for $ac_word" >&5
if eval "test \"\${ac_cv_prog_CC+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
# Extract the first word of "cc", so it can be a program name with args.
set dummy cc; ac_word=$2
echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:3301: checking for $ac_word" >&5
+echo "configure:3368: checking for $ac_word" >&5
if eval "test \"\${ac_cv_prog_CC+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
# Extract the first word of "cl", so it can be a program name with args.
set dummy cl; ac_word=$2
echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:3352: checking for $ac_word" >&5
+echo "configure:3419: checking for $ac_word" >&5
if eval "test \"\${ac_cv_prog_CC+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
fi
echo $ac_n "checking whether the C compiler ($CC $CFLAGS $CPPFLAGS $LDFLAGS) works""... $ac_c" 1>&6
-echo "configure:3384: checking whether the C compiler ($CC $CFLAGS $CPPFLAGS $LDFLAGS) works" >&5
+echo "configure:3451: checking whether the C compiler ($CC $CFLAGS $CPPFLAGS $LDFLAGS) works" >&5
ac_ext=c
# CFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options.
cat > conftest.$ac_ext << EOF
-#line 3395 "configure"
+#line 3462 "configure"
#include "confdefs.h"
main(){return(0);}
EOF
-if { (eval echo configure:3400: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:3467: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
ac_cv_prog_cc_works=yes
# If we can't run a trivial program, we are probably using a cross compiler.
if (./conftest; exit) 2>/dev/null; then
{ echo "configure: error: installation or configuration problem: C compiler cannot create executables." 1>&2; exit 1; }
fi
echo $ac_n "checking whether the C compiler ($CC $CFLAGS $CPPFLAGS $LDFLAGS) is a cross-compiler""... $ac_c" 1>&6
-echo "configure:3426: checking whether the C compiler ($CC $CFLAGS $CPPFLAGS $LDFLAGS) is a cross-compiler" >&5
+echo "configure:3493: checking whether the C compiler ($CC $CFLAGS $CPPFLAGS $LDFLAGS) is a cross-compiler" >&5
echo "$ac_t""$ac_cv_prog_cc_cross" 1>&6
cross_compiling=$ac_cv_prog_cc_cross
echo $ac_n "checking whether we are using GNU C""... $ac_c" 1>&6
-echo "configure:3431: checking whether we are using GNU C" >&5
+echo "configure:3498: checking whether we are using GNU C" >&5
if eval "test \"\${ac_cv_prog_gcc+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
yes;
#endif
EOF
-if { ac_try='${CC-cc} -E conftest.c'; { (eval echo configure:3440: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then
+if { ac_try='${CC-cc} -E conftest.c'; { (eval echo configure:3507: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then
ac_cv_prog_gcc=yes
else
ac_cv_prog_gcc=no
ac_save_CFLAGS="$CFLAGS"
CFLAGS=
echo $ac_n "checking whether ${CC-cc} accepts -g""... $ac_c" 1>&6
-echo "configure:3459: checking whether ${CC-cc} accepts -g" >&5
+echo "configure:3526: checking whether ${CC-cc} accepts -g" >&5
if eval "test \"\${ac_cv_prog_cc_g+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
if test "$GCC" = yes; then
# Check if gcc -print-prog-name=ld gives a path.
echo $ac_n "checking for ld used by GCC""... $ac_c" 1>&6
-echo "configure:3502: checking for ld used by GCC" >&5
+echo "configure:3569: checking for ld used by GCC" >&5
case $host in
*-*-mingw*)
# gcc leaves a trailing carriage return which upsets mingw
esac
elif test "$with_gnu_ld" = yes; then
echo $ac_n "checking for GNU ld""... $ac_c" 1>&6
-echo "configure:3532: checking for GNU ld" >&5
+echo "configure:3599: checking for GNU ld" >&5
else
echo $ac_n "checking for non-GNU ld""... $ac_c" 1>&6
-echo "configure:3535: checking for non-GNU ld" >&5
+echo "configure:3602: checking for non-GNU ld" >&5
fi
if eval "test \"\${lt_cv_path_LD+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
fi
test -z "$LD" && { echo "configure: error: no acceptable ld found in \$PATH" 1>&2; exit 1; }
echo $ac_n "checking if the linker ($LD) is GNU ld""... $ac_c" 1>&6
-echo "configure:3570: checking if the linker ($LD) is GNU ld" >&5
+echo "configure:3637: checking if the linker ($LD) is GNU ld" >&5
if eval "test \"\${lt_cv_prog_gnu_ld+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
echo $ac_n "checking for $LD option to reload object files""... $ac_c" 1>&6
-echo "configure:3587: checking for $LD option to reload object files" >&5
+echo "configure:3654: checking for $LD option to reload object files" >&5
if eval "test \"\${lt_cv_ld_reload_flag+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
test -n "$reload_flag" && reload_flag=" $reload_flag"
echo $ac_n "checking for BSD-compatible nm""... $ac_c" 1>&6
-echo "configure:3599: checking for BSD-compatible nm" >&5
+echo "configure:3666: checking for BSD-compatible nm" >&5
if eval "test \"\${lt_cv_path_NM+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
echo "$ac_t""$NM" 1>&6
echo $ac_n "checking for a sed that does not truncate output""... $ac_c" 1>&6
-echo "configure:3637: checking for a sed that does not truncate output" >&5
+echo "configure:3704: checking for a sed that does not truncate output" >&5
if eval "test \"\${lt_cv_path_SED+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
echo "$ac_t""$SED" 1>&6
echo $ac_n "checking whether ln -s works""... $ac_c" 1>&6
-echo "configure:3721: checking whether ln -s works" >&5
+echo "configure:3788: checking whether ln -s works" >&5
if eval "test \"\${ac_cv_prog_LN_S+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
fi
echo $ac_n "checking how to recognise dependent libraries""... $ac_c" 1>&6
-echo "configure:3742: checking how to recognise dependent libraries" >&5
+echo "configure:3809: checking how to recognise dependent libraries" >&5
if eval "test \"\${lt_cv_deplibs_check_method+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
deplibs_check_method=$lt_cv_deplibs_check_method
echo $ac_n "checking for object suffix""... $ac_c" 1>&6
-echo "configure:3928: checking for object suffix" >&5
+echo "configure:3995: checking for object suffix" >&5
if eval "test \"\${ac_cv_objext+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
rm -f conftest*
echo 'int i = 1;' > conftest.$ac_ext
-if { (eval echo configure:3934: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:4001: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
for ac_file in conftest.*; do
case $ac_file in
*.c) ;;
echo $ac_n "checking for executable suffix""... $ac_c" 1>&6
-echo "configure:3955: checking for executable suffix" >&5
+echo "configure:4022: checking for executable suffix" >&5
if eval "test \"\${ac_cv_exeext+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
rm -f conftest*
echo 'int main () { return 0; }' > conftest.$ac_ext
ac_cv_exeext=
- if { (eval echo configure:3965: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; }; then
+ if { (eval echo configure:4032: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; }; then
for file in conftest.*; do
case $file in
*.c | *.C | *.o | *.obj | *.xcoff) ;;
# Check for command to grab the raw symbol name followed by C symbol from nm.
echo $ac_n "checking command to parse $NM output""... $ac_c" 1>&6
-echo "configure:3996: checking command to parse $NM output" >&5
+echo "configure:4063: checking command to parse $NM output" >&5
if eval "test \"\${lt_cv_sys_global_symbol_pipe+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
int main(){nm_test_var='a';nm_test_func();return(0);}
EOF
- if { (eval echo configure:4079: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+ if { (eval echo configure:4146: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
# Now try to grab the symbols.
nlist=conftest.nm
- if { (eval echo configure:4082: \"$NM conftest.$ac_objext \| $lt_cv_sys_global_symbol_pipe \> $nlist\") 1>&5; (eval $NM conftest.$ac_objext \| $lt_cv_sys_global_symbol_pipe \> $nlist) 2>&5; } && test -s "$nlist"; then
+ if { (eval echo configure:4149: \"$NM conftest.$ac_objext \| $lt_cv_sys_global_symbol_pipe \> $nlist\") 1>&5; (eval $NM conftest.$ac_objext \| $lt_cv_sys_global_symbol_pipe \> $nlist) 2>&5; } && test -s "$nlist"; then
# Try sorting and uniquifying the output.
if sort "$nlist" | uniq > "$nlist"T; then
mv -f "$nlist"T "$nlist"
save_CFLAGS="$CFLAGS"
LIBS="conftstm.$ac_objext"
CFLAGS="$CFLAGS$no_builtin_flag"
- if { (eval echo configure:4133: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+ if { (eval echo configure:4200: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
pipe_works=yes
fi
LIBS="$save_LIBS"
do
ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
-echo "configure:4182: checking for $ac_hdr" >&5
+echo "configure:4249: checking for $ac_hdr" >&5
if eval "test \"\${ac_cv_header_$ac_safe+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 4187 "configure"
+#line 4254 "configure"
#include "confdefs.h"
#include <$ac_hdr>
EOF
ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:4192: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:4259: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
if test -z "$ac_err"; then
rm -rf conftest*
file_magic*)
if test "$file_magic_cmd" = '$MAGIC_CMD'; then
echo $ac_n "checking for ${ac_tool_prefix}file""... $ac_c" 1>&6
-echo "configure:4228: checking for ${ac_tool_prefix}file" >&5
+echo "configure:4295: checking for ${ac_tool_prefix}file" >&5
if eval "test \"\${lt_cv_path_MAGIC_CMD+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
if test -z "$lt_cv_path_MAGIC_CMD"; then
if test -n "$ac_tool_prefix"; then
echo $ac_n "checking for file""... $ac_c" 1>&6
-echo "configure:4290: checking for file" >&5
+echo "configure:4357: checking for file" >&5
if eval "test \"\${lt_cv_path_MAGIC_CMD+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
# Extract the first word of "${ac_tool_prefix}ranlib", so it can be a program name with args.
set dummy ${ac_tool_prefix}ranlib; ac_word=$2
echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:4361: checking for $ac_word" >&5
+echo "configure:4428: checking for $ac_word" >&5
if eval "test \"\${ac_cv_prog_RANLIB+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
# Extract the first word of "ranlib", so it can be a program name with args.
set dummy ranlib; ac_word=$2
echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:4393: checking for $ac_word" >&5
+echo "configure:4460: checking for $ac_word" >&5
if eval "test \"\${ac_cv_prog_RANLIB+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
# Extract the first word of "${ac_tool_prefix}strip", so it can be a program name with args.
set dummy ${ac_tool_prefix}strip; ac_word=$2
echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:4428: checking for $ac_word" >&5
+echo "configure:4495: checking for $ac_word" >&5
if eval "test \"\${ac_cv_prog_STRIP+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
# Extract the first word of "strip", so it can be a program name with args.
set dummy strip; ac_word=$2
echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:4460: checking for $ac_word" >&5
+echo "configure:4527: checking for $ac_word" >&5
if eval "test \"\${ac_cv_prog_STRIP+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
case $host in
*-*-irix6*)
# Find out which ABI we are using.
- echo '#line 4509 "configure"' > conftest.$ac_ext
- if { (eval echo configure:4510: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+ echo '#line 4576 "configure"' > conftest.$ac_ext
+ if { (eval echo configure:4577: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
case `/usr/bin/file conftest.$ac_objext` in
*32-bit*)
LD="${LD-ld} -32"
SAVE_CFLAGS="$CFLAGS"
CFLAGS="$CFLAGS -belf"
echo $ac_n "checking whether the C compiler needs -belf""... $ac_c" 1>&6
-echo "configure:4531: checking whether the C compiler needs -belf" >&5
+echo "configure:4598: checking whether the C compiler needs -belf" >&5
if eval "test \"\${lt_cv_cc_needs_belf+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cross_compiling=$ac_cv_prog_cc_cross
cat > conftest.$ac_ext <<EOF
-#line 4544 "configure"
+#line 4611 "configure"
#include "confdefs.h"
int main() {
; return 0; }
EOF
-if { (eval echo configure:4551: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:4618: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
lt_cv_cc_needs_belf=yes
else
# Extract the first word of "${ac_tool_prefix}dlltool", so it can be a program name with args.
set dummy ${ac_tool_prefix}dlltool; ac_word=$2
echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:4581: checking for $ac_word" >&5
+echo "configure:4648: checking for $ac_word" >&5
if eval "test \"\${ac_cv_prog_DLLTOOL+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
# Extract the first word of "dlltool", so it can be a program name with args.
set dummy dlltool; ac_word=$2
echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:4613: checking for $ac_word" >&5
+echo "configure:4680: checking for $ac_word" >&5
if eval "test \"\${ac_cv_prog_DLLTOOL+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
# Extract the first word of "${ac_tool_prefix}as", so it can be a program name with args.
set dummy ${ac_tool_prefix}as; ac_word=$2
echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:4648: checking for $ac_word" >&5
+echo "configure:4715: checking for $ac_word" >&5
if eval "test \"\${ac_cv_prog_AS+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
# Extract the first word of "as", so it can be a program name with args.
set dummy as; ac_word=$2
echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:4680: checking for $ac_word" >&5
+echo "configure:4747: checking for $ac_word" >&5
if eval "test \"\${ac_cv_prog_AS+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
# Extract the first word of "${ac_tool_prefix}objdump", so it can be a program name with args.
set dummy ${ac_tool_prefix}objdump; ac_word=$2
echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:4715: checking for $ac_word" >&5
+echo "configure:4782: checking for $ac_word" >&5
if eval "test \"\${ac_cv_prog_OBJDUMP+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
# Extract the first word of "objdump", so it can be a program name with args.
set dummy objdump; ac_word=$2
echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:4747: checking for $ac_word" >&5
+echo "configure:4814: checking for $ac_word" >&5
if eval "test \"\${ac_cv_prog_OBJDUMP+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
# recent cygwin and mingw systems supply a stub DllMain which the user
# can override, but on older systems we have to supply one
echo $ac_n "checking if libtool should supply DllMain function""... $ac_c" 1>&6
-echo "configure:4783: checking if libtool should supply DllMain function" >&5
+echo "configure:4850: checking if libtool should supply DllMain function" >&5
if eval "test \"\${lt_cv_need_dllmain+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 4788 "configure"
+#line 4855 "configure"
#include "confdefs.h"
int main() {
DllMain (0, 0, 0);
; return 0; }
EOF
-if { (eval echo configure:4796: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:4863: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
lt_cv_need_dllmain=no
else
SAVE_CFLAGS="$CFLAGS"
CFLAGS="$CFLAGS -mdll"
echo $ac_n "checking how to link DLLs""... $ac_c" 1>&6
-echo "configure:4817: checking how to link DLLs" >&5
+echo "configure:4884: checking how to link DLLs" >&5
if eval "test \"\${lt_cv_cc_dll_switch+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 4822 "configure"
+#line 4889 "configure"
#include "confdefs.h"
int main() {
; return 0; }
EOF
-if { (eval echo configure:4829: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:4896: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
lt_cv_cc_dll_switch=-mdll
else
compiler="$2"
echo $ac_n "checking for objdir""... $ac_c" 1>&6
-echo "configure:4943: checking for objdir" >&5
+echo "configure:5010: checking for objdir" >&5
rm -f .libs 2>/dev/null
mkdir .libs 2>/dev/null
if test -d .libs; then
# in isolation, and that seeing it set (from the cache) indicates that
# the associated values are set (in the cache) correctly too.
echo $ac_n "checking for $compiler option to produce PIC""... $ac_c" 1>&6
-echo "configure:4970: checking for $compiler option to produce PIC" >&5
+echo "configure:5037: checking for $compiler option to produce PIC" >&5
if eval "test \"\${lt_cv_prog_cc_pic+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
# Check to make sure the pic_flag actually works.
echo $ac_n "checking if $compiler PIC flag $lt_cv_prog_cc_pic works""... $ac_c" 1>&6
-echo "configure:5118: checking if $compiler PIC flag $lt_cv_prog_cc_pic works" >&5
+echo "configure:5185: checking if $compiler PIC flag $lt_cv_prog_cc_pic works" >&5
if eval "test \"\${lt_cv_prog_cc_pic_works+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
save_CFLAGS="$CFLAGS"
CFLAGS="$CFLAGS $lt_cv_prog_cc_pic -DPIC"
cat > conftest.$ac_ext <<EOF
-#line 5125 "configure"
+#line 5192 "configure"
#include "confdefs.h"
int main() {
; return 0; }
EOF
-if { (eval echo configure:5132: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:5199: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
rm -rf conftest*
case $host_os in
hpux9* | hpux10* | hpux11*)
fi
echo $ac_n "checking if $compiler static flag $lt_cv_prog_cc_static works""... $ac_c" 1>&6
-echo "configure:5184: checking if $compiler static flag $lt_cv_prog_cc_static works" >&5
+echo "configure:5251: checking if $compiler static flag $lt_cv_prog_cc_static works" >&5
if eval "test \"\${lt_cv_prog_cc_static_works+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
save_LDFLAGS="$LDFLAGS"
LDFLAGS="$LDFLAGS $lt_cv_prog_cc_static"
cat > conftest.$ac_ext <<EOF
-#line 5192 "configure"
+#line 5259 "configure"
#include "confdefs.h"
int main() {
; return 0; }
EOF
-if { (eval echo configure:5199: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:5266: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
lt_cv_prog_cc_static_works=yes
else
# Check to see if options -o and -c are simultaneously supported by compiler
echo $ac_n "checking if $compiler supports -c -o file.$ac_objext""... $ac_c" 1>&6
-echo "configure:5226: checking if $compiler supports -c -o file.$ac_objext" >&5
+echo "configure:5293: checking if $compiler supports -c -o file.$ac_objext" >&5
if eval "test \"\${lt_cv_compiler_c_o+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
save_CFLAGS="$CFLAGS"
CFLAGS="$CFLAGS -o out/conftest2.$ac_objext"
compiler_c_o=no
-if { (eval echo configure:5245: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>out/conftest.err; } && test -s out/conftest2.$ac_objext; then
+if { (eval echo configure:5312: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>out/conftest.err; } && test -s out/conftest2.$ac_objext; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings
if test -s out/conftest.err; then
if test x"$compiler_c_o" = x"yes"; then
# Check to see if we can write to a .lo
echo $ac_n "checking if $compiler supports -c -o file.lo""... $ac_c" 1>&6
-echo "configure:5274: checking if $compiler supports -c -o file.lo" >&5
+echo "configure:5341: checking if $compiler supports -c -o file.lo" >&5
if eval "test \"\${lt_cv_compiler_o_lo+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
save_objext="$ac_objext"
ac_objext=lo
cat > conftest.$ac_ext <<EOF
-#line 5285 "configure"
+#line 5352 "configure"
#include "confdefs.h"
int main() {
int some_variable = 0;
; return 0; }
EOF
-if { (eval echo configure:5292: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:5359: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
rm -rf conftest*
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings
if test "$compiler_c_o" = no && test "$need_locks" != no; then
# do not overwrite the value of need_locks provided by the user
echo $ac_n "checking if we can lock with hard links""... $ac_c" 1>&6
-echo "configure:5323: checking if we can lock with hard links" >&5
+echo "configure:5390: checking if we can lock with hard links" >&5
hard_links=yes
$rm conftest*
ln conftest.a conftest.b 2>/dev/null && hard_links=no
if test "$GCC" = yes; then
# Check to see if options -fno-rtti -fno-exceptions are supported by compiler
echo $ac_n "checking if $compiler supports -fno-rtti -fno-exceptions""... $ac_c" 1>&6
-echo "configure:5342: checking if $compiler supports -fno-rtti -fno-exceptions" >&5
+echo "configure:5409: checking if $compiler supports -fno-rtti -fno-exceptions" >&5
echo "int some_variable = 0;" > conftest.$ac_ext
save_CFLAGS="$CFLAGS"
CFLAGS="$CFLAGS -fno-rtti -fno-exceptions -c conftest.$ac_ext"
compiler_rtti_exceptions=no
cat > conftest.$ac_ext <<EOF
-#line 5348 "configure"
+#line 5415 "configure"
#include "confdefs.h"
int main() {
int some_variable = 0;
; return 0; }
EOF
-if { (eval echo configure:5355: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:5422: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
rm -rf conftest*
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings
# See if the linker supports building shared libraries.
echo $ac_n "checking whether the linker ($LD) supports shared libraries""... $ac_c" 1>&6
-echo "configure:5382: checking whether the linker ($LD) supports shared libraries" >&5
+echo "configure:5449: checking whether the linker ($LD) supports shared libraries" >&5
allow_undefined_flag=
no_undefined_flag=
# Check hardcoding attributes.
echo $ac_n "checking how to hardcode library paths into programs""... $ac_c" 1>&6
-echo "configure:6081: checking how to hardcode library paths into programs" >&5
+echo "configure:6148: checking how to hardcode library paths into programs" >&5
hardcode_action=
if test -n "$hardcode_libdir_flag_spec" || \
test -n "$runpath_var"; then
striplib=
old_striplib=
echo $ac_n "checking whether stripping libraries is possible""... $ac_c" 1>&6
-echo "configure:6109: checking whether stripping libraries is possible" >&5
+echo "configure:6176: checking whether stripping libraries is possible" >&5
if test -n "$STRIP" && $STRIP -V 2>&1 | grep "GNU strip" >/dev/null; then
test -z "$old_striplib" && old_striplib="$STRIP --strip-debug"
test -z "$striplib" && striplib="$STRIP --strip-unneeded"
# PORTME Fill in your ld.so characteristics
echo $ac_n "checking dynamic linker characteristics""... $ac_c" 1>&6
-echo "configure:6123: checking dynamic linker characteristics" >&5
+echo "configure:6190: checking dynamic linker characteristics" >&5
library_names_spec=
libname_spec='lib$name'
soname_spec=
# Report the final consequences.
echo $ac_n "checking if libtool supports shared libraries""... $ac_c" 1>&6
-echo "configure:6534: checking if libtool supports shared libraries" >&5
+echo "configure:6601: checking if libtool supports shared libraries" >&5
echo "$ac_t""$can_build_shared" 1>&6
echo $ac_n "checking whether to build shared libraries""... $ac_c" 1>&6
-echo "configure:6538: checking whether to build shared libraries" >&5
+echo "configure:6605: checking whether to build shared libraries" >&5
test "$can_build_shared" = "no" && enable_shared=no
# On AIX, shared libraries and static libraries use the same namespace, and
echo "$ac_t""$enable_shared" 1>&6
echo $ac_n "checking whether to build static libraries""... $ac_c" 1>&6
-echo "configure:6561: checking whether to build static libraries" >&5
+echo "configure:6628: checking whether to build static libraries" >&5
# Make sure either enable_shared or enable_static is yes.
test "$enable_shared" = yes || enable_static=yes
echo "$ac_t""$enable_static" 1>&6
*)
echo $ac_n "checking for shl_load""... $ac_c" 1>&6
-echo "configure:6602: checking for shl_load" >&5
+echo "configure:6669: checking for shl_load" >&5
if eval "test \"\${ac_cv_func_shl_load+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 6607 "configure"
+#line 6674 "configure"
#include "confdefs.h"
/* System header to define __stub macros and hopefully few prototypes,
which can conflict with char shl_load(); below. */
; return 0; }
EOF
-if { (eval echo configure:6631: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:6698: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_func_shl_load=yes"
else
else
echo "$ac_t""no" 1>&6
echo $ac_n "checking for shl_load in -ldld""... $ac_c" 1>&6
-echo "configure:6649: checking for shl_load in -ldld" >&5
+echo "configure:6716: checking for shl_load in -ldld" >&5
ac_lib_var=`echo dld'_'shl_load | sed 'y%./+-:%__p__%'`
if eval "test \"\${ac_cv_lib_$ac_lib_var+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
ac_save_LIBS="$LIBS"
LIBS="-ldld $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 6657 "configure"
+#line 6724 "configure"
#include "confdefs.h"
/* Override any gcc2 internal prototype to avoid an error. */
/* We use char because int might match the return type of a gcc2
shl_load()
; return 0; }
EOF
-if { (eval echo configure:6668: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:6735: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_lib_$ac_lib_var=yes"
else
else
echo "$ac_t""no" 1>&6
echo $ac_n "checking for dlopen""... $ac_c" 1>&6
-echo "configure:6687: checking for dlopen" >&5
+echo "configure:6754: checking for dlopen" >&5
if eval "test \"\${ac_cv_func_dlopen+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 6692 "configure"
+#line 6759 "configure"
#include "confdefs.h"
/* System header to define __stub macros and hopefully few prototypes,
which can conflict with char dlopen(); below. */
; return 0; }
EOF
-if { (eval echo configure:6716: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:6783: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_func_dlopen=yes"
else
else
echo "$ac_t""no" 1>&6
echo $ac_n "checking for dlopen in -ldl""... $ac_c" 1>&6
-echo "configure:6734: checking for dlopen in -ldl" >&5
+echo "configure:6801: checking for dlopen in -ldl" >&5
ac_lib_var=`echo dl'_'dlopen | sed 'y%./+-:%__p__%'`
if eval "test \"\${ac_cv_lib_$ac_lib_var+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
ac_save_LIBS="$LIBS"
LIBS="-ldl $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 6742 "configure"
+#line 6809 "configure"
#include "confdefs.h"
/* Override any gcc2 internal prototype to avoid an error. */
/* We use char because int might match the return type of a gcc2
dlopen()
; return 0; }
EOF
-if { (eval echo configure:6753: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:6820: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_lib_$ac_lib_var=yes"
else
else
echo "$ac_t""no" 1>&6
echo $ac_n "checking for dlopen in -lsvld""... $ac_c" 1>&6
-echo "configure:6772: checking for dlopen in -lsvld" >&5
+echo "configure:6839: checking for dlopen in -lsvld" >&5
ac_lib_var=`echo svld'_'dlopen | sed 'y%./+-:%__p__%'`
if eval "test \"\${ac_cv_lib_$ac_lib_var+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
ac_save_LIBS="$LIBS"
LIBS="-lsvld $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 6780 "configure"
+#line 6847 "configure"
#include "confdefs.h"
/* Override any gcc2 internal prototype to avoid an error. */
/* We use char because int might match the return type of a gcc2
dlopen()
; return 0; }
EOF
-if { (eval echo configure:6791: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:6858: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_lib_$ac_lib_var=yes"
else
else
echo "$ac_t""no" 1>&6
echo $ac_n "checking for dld_link in -ldld""... $ac_c" 1>&6
-echo "configure:6810: checking for dld_link in -ldld" >&5
+echo "configure:6877: checking for dld_link in -ldld" >&5
ac_lib_var=`echo dld'_'dld_link | sed 'y%./+-:%__p__%'`
if eval "test \"\${ac_cv_lib_$ac_lib_var+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
ac_save_LIBS="$LIBS"
LIBS="-ldld $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 6818 "configure"
+#line 6885 "configure"
#include "confdefs.h"
/* Override any gcc2 internal prototype to avoid an error. */
/* We use char because int might match the return type of a gcc2
dld_link()
; return 0; }
EOF
-if { (eval echo configure:6829: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:6896: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_lib_$ac_lib_var=yes"
else
LIBS="$lt_cv_dlopen_libs $LIBS"
echo $ac_n "checking whether a program can dlopen itself""... $ac_c" 1>&6
-echo "configure:6885: checking whether a program can dlopen itself" >&5
+echo "configure:6952: checking whether a program can dlopen itself" >&5
if eval "test \"\${lt_cv_dlopen_self+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<EOF
-#line 6895 "configure"
+#line 6962 "configure"
#include "confdefs.h"
#if HAVE_DLFCN_H
exit (status);
}
EOF
- if { (eval echo configure:6956: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} 2>/dev/null; then
+ if { (eval echo configure:7023: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} 2>/dev/null; then
(./conftest; exit; ) 2>/dev/null
lt_status=$?
case x$lt_status in
if test "x$lt_cv_dlopen_self" = xyes; then
LDFLAGS="$LDFLAGS $link_static_flag"
echo $ac_n "checking whether a statically linked program can dlopen itself""... $ac_c" 1>&6
-echo "configure:6979: checking whether a statically linked program can dlopen itself" >&5
+echo "configure:7046: checking whether a statically linked program can dlopen itself" >&5
if eval "test \"\${lt_cv_dlopen_self_static+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<EOF
-#line 6989 "configure"
+#line 7056 "configure"
#include "confdefs.h"
#if HAVE_DLFCN_H
exit (status);
}
EOF
- if { (eval echo configure:7050: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} 2>/dev/null; then
+ if { (eval echo configure:7117: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} 2>/dev/null; then
(./conftest; exit; ) 2>/dev/null
lt_status=$?
case x$lt_status in
# systems, -lgcc has to come before -lc. If gcc already passes -lc
# to ld, don't add -lc before -lgcc.
echo $ac_n "checking whether -lc should be explicitly linked in""... $ac_c" 1>&6
-echo "configure:7099: checking whether -lc should be explicitly linked in" >&5
+echo "configure:7166: checking whether -lc should be explicitly linked in" >&5
if eval "test \"\${lt_cv_archive_cmds_need_lc+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
$rm conftest*
echo 'static int dummy;' > conftest.$ac_ext
- if { (eval echo configure:7106: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+ if { (eval echo configure:7173: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
soname=conftest
lib=conftest
libobjs=conftest.$ac_objext
libname=conftest
save_allow_undefined_flag=$allow_undefined_flag
allow_undefined_flag=
- if { (eval echo configure:7119: \"$archive_cmds 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1\") 1>&5; (eval $archive_cmds 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1) 2>&5; }
+ if { (eval echo configure:7186: \"$archive_cmds 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1\") 1>&5; (eval $archive_cmds 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1) 2>&5; }
then
lt_cv_archive_cmds_need_lc=no
else
# test for ln hardlink support
echo $ac_n "checking whether ln works""... $ac_c" 1>&6
-echo "configure:7706: checking whether ln works" >&5
+echo "configure:7773: checking whether ln works" >&5
if eval "test \"\${ol_cv_prog_LN_H+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
fi
echo $ac_n "checking whether ln -s works""... $ac_c" 1>&6
-echo "configure:7729: checking whether ln -s works" >&5
+echo "configure:7796: checking whether ln -s works" >&5
if eval "test \"\${ac_cv_prog_LN_S+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
# Extract the first word of "perl", so it can be a program name with args.
set dummy perl; ac_word=$2
echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:7755: checking for $ac_word" >&5
+echo "configure:7822: checking for $ac_word" >&5
if eval "test \"\${ac_cv_path_PERLBIN+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
else
PERL_CPPFLAGS="`$PERLBIN -MExtUtils::Embed -e ccopts`"
- PERL_LDFLAGS="`$PERLBIN -MExtUtils::Embed -e ldopts|sed -e 's/ -lc / /'`"
+ PERL_LDFLAGS="`$PERLBIN -MExtUtils::Embed -e ldopts|sed -e 's/ -lc / /' -e 's/ -lc$//'`"
if test x"$ol_with_perl_module" = "xstatic" ; then
SLAPD_PERL_LDFLAGS="$PERL_LDFLAGS"
fi
echo $ac_n "checking how to run the C preprocessor""... $ac_c" 1>&6
-echo "configure:7808: checking how to run the C preprocessor" >&5
+echo "configure:7875: checking how to run the C preprocessor" >&5
# On Suns, sometimes $CPP names a directory.
if test -n "$CPP" && test -d "$CPP"; then
CPP=
# On the NeXT, cc -E runs the code through the compiler's parser,
# not just through cpp.
cat > conftest.$ac_ext <<EOF
-#line 7823 "configure"
+#line 7890 "configure"
#include "confdefs.h"
#include <assert.h>
Syntax Error
EOF
ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:7829: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:7896: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
if test -z "$ac_err"; then
:
rm -rf conftest*
CPP="${CC-cc} -E -traditional-cpp"
cat > conftest.$ac_ext <<EOF
-#line 7840 "configure"
+#line 7907 "configure"
#include "confdefs.h"
#include <assert.h>
Syntax Error
EOF
ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:7846: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:7913: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
if test -z "$ac_err"; then
:
rm -rf conftest*
CPP="${CC-cc} -nologo -E"
cat > conftest.$ac_ext <<EOF
-#line 7857 "configure"
+#line 7924 "configure"
#include "confdefs.h"
#include <assert.h>
Syntax Error
EOF
ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:7863: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:7930: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
if test -z "$ac_err"; then
:
echo $ac_n "checking for Cygwin environment""... $ac_c" 1>&6
-echo "configure:7902: checking for Cygwin environment" >&5
+echo "configure:7969: checking for Cygwin environment" >&5
if eval "test \"\${ac_cv_cygwin+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 7907 "configure"
+#line 7974 "configure"
#include "confdefs.h"
int main() {
return __CYGWIN__;
; return 0; }
EOF
-if { (eval echo configure:7918: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:7985: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
rm -rf conftest*
ac_cv_cygwin=yes
else
CYGWIN=
test "$ac_cv_cygwin" = yes && CYGWIN=yes
echo $ac_n "checking for mingw32 environment""... $ac_c" 1>&6
-echo "configure:7934: checking for mingw32 environment" >&5
+echo "configure:8001: checking for mingw32 environment" >&5
if eval "test \"\${ac_cv_mingw32+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 7939 "configure"
+#line 8006 "configure"
#include "confdefs.h"
int main() {
return __MINGW32__;
; return 0; }
EOF
-if { (eval echo configure:7946: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:8013: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
rm -rf conftest*
ac_cv_mingw32=yes
else
echo $ac_n "checking for executable suffix""... $ac_c" 1>&6
-echo "configure:7965: checking for executable suffix" >&5
+echo "configure:8032: checking for executable suffix" >&5
if eval "test \"\${ac_cv_exeext+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
rm -f conftest*
echo 'int main () { return 0; }' > conftest.$ac_ext
ac_cv_exeext=
- if { (eval echo configure:7975: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; }; then
+ if { (eval echo configure:8042: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; }; then
for file in conftest.*; do
case $file in
*.c | *.C | *.o | *.obj | *.xcoff) ;;
ac_exeext=$EXEEXT
echo $ac_n "checking for object suffix""... $ac_c" 1>&6
-echo "configure:7996: checking for object suffix" >&5
+echo "configure:8063: checking for object suffix" >&5
if eval "test \"\${ac_cv_objext+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
rm -f conftest*
echo 'int i = 1;' > conftest.$ac_ext
-if { (eval echo configure:8002: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:8069: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
for ac_file in conftest.*; do
case $ac_file in
*.c) ;;
echo $ac_n "checking for be_app in -lbe""... $ac_c" 1>&6
-echo "configure:8026: checking for be_app in -lbe" >&5
+echo "configure:8093: checking for be_app in -lbe" >&5
ac_lib_var=`echo be'_'be_app | sed 'y%./+-:%__p__%'`
if eval "test \"\${ac_cv_lib_$ac_lib_var+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
ac_save_LIBS="$LIBS"
LIBS="-lbe -lroot -lnet $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 8034 "configure"
+#line 8101 "configure"
#include "confdefs.h"
/* Override any gcc2 internal prototype to avoid an error. */
/* We use char because int might match the return type of a gcc2
be_app()
; return 0; }
EOF
-if { (eval echo configure:8045: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:8112: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_lib_$ac_lib_var=yes"
else
echo $ac_n "checking for ${CC-cc} option to accept ANSI C""... $ac_c" 1>&6
-echo "configure:8071: checking for ${CC-cc} option to accept ANSI C" >&5
+echo "configure:8138: checking for ${CC-cc} option to accept ANSI C" >&5
if eval "test \"\${am_cv_prog_cc_stdc+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
do
CC="$ac_save_CC $ac_arg"
cat > conftest.$ac_ext <<EOF
-#line 8088 "configure"
+#line 8155 "configure"
#include "confdefs.h"
#include <stdarg.h>
#include <stdio.h>
; return 0; }
EOF
-if { (eval echo configure:8125: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:8192: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
rm -rf conftest*
am_cv_prog_cc_stdc="$ac_arg"; break
else
OL_MKDEP="${CC-cc}"
if test -z "${MKDEP_FLAGS}"; then
echo $ac_n "checking for ${OL_MKDEP} depend flag""... $ac_c" 1>&6
-echo "configure:8159: checking for ${OL_MKDEP} depend flag" >&5
+echo "configure:8226: checking for ${OL_MKDEP} depend flag" >&5
if eval "test \"\${ol_cv_mkdep+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.c <<EOF
noCode;
EOF
- if { ac_try='$OL_MKDEP $flag conftest.c'; { (eval echo configure:8169: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } \
+ if { ac_try='$OL_MKDEP $flag conftest.c'; { (eval echo configure:8236: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } \
| egrep '^conftest\.'"${ac_objext}" >/dev/null 2>&1
then
if test ! -f conftest."${ac_object}" ; then
fi
echo $ac_n "checking for afopen in -ls""... $ac_c" 1>&6
-echo "configure:8202: checking for afopen in -ls" >&5
+echo "configure:8269: checking for afopen in -ls" >&5
ac_lib_var=`echo s'_'afopen | sed 'y%./+-:%__p__%'`
if eval "test \"\${ac_cv_lib_$ac_lib_var+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
ac_save_LIBS="$LIBS"
LIBS="-ls $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 8210 "configure"
+#line 8277 "configure"
#include "confdefs.h"
/* Override any gcc2 internal prototype to avoid an error. */
/* We use char because int might match the return type of a gcc2
afopen()
; return 0; }
EOF
-if { (eval echo configure:8221: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:8288: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_lib_$ac_lib_var=yes"
else
do
ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
-echo "configure:8264: checking for $ac_hdr" >&5
+echo "configure:8331: checking for $ac_hdr" >&5
if eval "test \"\${ac_cv_header_$ac_safe+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 8269 "configure"
+#line 8336 "configure"
#include "confdefs.h"
#include <$ac_hdr>
EOF
ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:8274: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:8341: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
if test -z "$ac_err"; then
rm -rf conftest*
fi
echo $ac_n "checking for lt_dlinit in -lltdl""... $ac_c" 1>&6
-echo "configure:8306: checking for lt_dlinit in -lltdl" >&5
+echo "configure:8373: checking for lt_dlinit in -lltdl" >&5
ac_lib_var=`echo ltdl'_'lt_dlinit | sed 'y%./+-:%__p__%'`
if eval "test \"\${ac_cv_lib_$ac_lib_var+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
ac_save_LIBS="$LIBS"
LIBS="-lltdl $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 8314 "configure"
+#line 8381 "configure"
#include "confdefs.h"
/* Override any gcc2 internal prototype to avoid an error. */
/* We use char because int might match the return type of a gcc2
lt_dlinit()
; return 0; }
EOF
-if { (eval echo configure:8325: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:8392: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_lib_$ac_lib_var=yes"
else
ol_with_perl_module=static
ol_with_shell_module=static
ol_with_sql_module=static
+ if test $ol_with_dyngroup = mod ; then
+ echo "configure: warning: building static dyngroup overlay" 1>&2
+ ol_with_dyngroup = yes
+ fi
+ if test $ol_with_proxycache = mod ; then
+ echo "configure: warning: building static proxycache overlay" 1>&2
+ ol_with_proxycache = yes
+ fi
fi
# test for EBCDIC
echo $ac_n "checking for EBCDIC""... $ac_c" 1>&6
-echo "configure:8373: checking for EBCDIC" >&5
+echo "configure:8448: checking for EBCDIC" >&5
if eval "test \"\${ol_cv_cpp_ebcdic+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 8379 "configure"
+#line 8454 "configure"
#include "confdefs.h"
#if !('M' == 0xd4)
EOF
ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:8388: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:8463: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
if test -z "$ac_err"; then
rm -rf conftest*
fi
echo $ac_n "checking for ANSI C header files""... $ac_c" 1>&6
-echo "configure:8412: checking for ANSI C header files" >&5
+echo "configure:8487: checking for ANSI C header files" >&5
if eval "test \"\${ol_cv_header_stdc+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 8417 "configure"
+#line 8492 "configure"
#include "confdefs.h"
#include <stdlib.h>
#include <stdarg.h>
#include <float.h>
EOF
ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:8425: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:8500: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
if test -z "$ac_err"; then
rm -rf conftest*
if test $ol_cv_header_stdc = yes; then
# SunOS 4.x string.h does not declare mem*, contrary to ANSI.
cat > conftest.$ac_ext <<EOF
-#line 8442 "configure"
+#line 8517 "configure"
#include "confdefs.h"
#include <string.h>
EOF
if test $ol_cv_header_stdc = yes; then
# ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI.
cat > conftest.$ac_ext <<EOF
-#line 8460 "configure"
+#line 8535 "configure"
#include "confdefs.h"
#include <stdlib.h>
EOF
:
else
cat > conftest.$ac_ext <<EOF
-#line 8481 "configure"
+#line 8556 "configure"
#include "confdefs.h"
#include <ctype.h>
#ifndef HAVE_EBCDIC
exit (0); }
EOF
-if { (eval echo configure:8499: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+if { (eval echo configure:8574: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
then
:
else
do
ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
echo $ac_n "checking for $ac_hdr that defines DIR""... $ac_c" 1>&6
-echo "configure:8533: checking for $ac_hdr that defines DIR" >&5
+echo "configure:8608: checking for $ac_hdr that defines DIR" >&5
if eval "test \"\${ac_cv_header_dirent_$ac_safe+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 8538 "configure"
+#line 8613 "configure"
#include "confdefs.h"
#include <sys/types.h>
#include <$ac_hdr>
DIR *dirp = 0;
; return 0; }
EOF
-if { (eval echo configure:8546: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:8621: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
rm -rf conftest*
eval "ac_cv_header_dirent_$ac_safe=yes"
else
# Two versions of opendir et al. are in -ldir and -lx on SCO Xenix.
if test $ac_header_dirent = dirent.h; then
echo $ac_n "checking for opendir in -ldir""... $ac_c" 1>&6
-echo "configure:8571: checking for opendir in -ldir" >&5
+echo "configure:8646: checking for opendir in -ldir" >&5
ac_lib_var=`echo dir'_'opendir | sed 'y%./+-:%__p__%'`
if eval "test \"\${ac_cv_lib_$ac_lib_var+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
ac_save_LIBS="$LIBS"
LIBS="-ldir $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 8579 "configure"
+#line 8654 "configure"
#include "confdefs.h"
/* Override any gcc2 internal prototype to avoid an error. */
/* We use char because int might match the return type of a gcc2
opendir()
; return 0; }
EOF
-if { (eval echo configure:8590: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:8665: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_lib_$ac_lib_var=yes"
else
else
echo $ac_n "checking for opendir in -lx""... $ac_c" 1>&6
-echo "configure:8612: checking for opendir in -lx" >&5
+echo "configure:8687: checking for opendir in -lx" >&5
ac_lib_var=`echo x'_'opendir | sed 'y%./+-:%__p__%'`
if eval "test \"\${ac_cv_lib_$ac_lib_var+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
ac_save_LIBS="$LIBS"
LIBS="-lx $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 8620 "configure"
+#line 8695 "configure"
#include "confdefs.h"
/* Override any gcc2 internal prototype to avoid an error. */
/* We use char because int might match the return type of a gcc2
opendir()
; return 0; }
EOF
-if { (eval echo configure:8631: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:8706: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_lib_$ac_lib_var=yes"
else
fi
echo $ac_n "checking for sys/wait.h that is POSIX.1 compatible""... $ac_c" 1>&6
-echo "configure:8654: checking for sys/wait.h that is POSIX.1 compatible" >&5
+echo "configure:8729: checking for sys/wait.h that is POSIX.1 compatible" >&5
if eval "test \"\${ac_cv_header_sys_wait_h+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 8659 "configure"
+#line 8734 "configure"
#include "confdefs.h"
#include <sys/types.h>
#include <sys/wait.h>
s = WIFEXITED (s) ? WEXITSTATUS (s) : 1;
; return 0; }
EOF
-if { (eval echo configure:8675: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:8750: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
rm -rf conftest*
ac_cv_header_sys_wait_h=yes
else
fi
echo $ac_n "checking POSIX termios""... $ac_c" 1>&6
-echo "configure:8696: checking POSIX termios" >&5
+echo "configure:8771: checking POSIX termios" >&5
if eval "test \"\${am_cv_sys_posix_termios+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 8701 "configure"
+#line 8776 "configure"
#include "confdefs.h"
#include <sys/types.h>
#include <unistd.h>
tcgetattr(0, 0);
; return 0; }
EOF
-if { (eval echo configure:8711: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:8786: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
am_cv_sys_posix_termios=yes
else
echo $ac_n "checking whether use of TIOCGWINSZ requires sys/ioctl.h""... $ac_c" 1>&6
-echo "configure:8727: checking whether use of TIOCGWINSZ requires sys/ioctl.h" >&5
+echo "configure:8802: checking whether use of TIOCGWINSZ requires sys/ioctl.h" >&5
if eval "test \"\${am_cv_sys_tiocgwinsz_needs_sys_ioctl_h+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
gwinsz_in_termios_h=no
if test $am_cv_sys_posix_termios = yes; then
cat > conftest.$ac_ext <<EOF
-#line 8736 "configure"
+#line 8811 "configure"
#include "confdefs.h"
#include <sys/types.h>
# include <termios.h>
if test $gwinsz_in_termios_h = no; then
cat > conftest.$ac_ext <<EOF
-#line 8756 "configure"
+#line 8831 "configure"
#include "confdefs.h"
#include <sys/types.h>
# include <sys/ioctl.h>
arpa/inet.h \
arpa/nameser.h \
assert.h \
+ bits/types.h \
conio.h \
crypt.h \
direct.h \
do
ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
-echo "configure:8843: checking for $ac_hdr" >&5
+echo "configure:8919: checking for $ac_hdr" >&5
if eval "test \"\${ac_cv_header_$ac_safe+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 8848 "configure"
+#line 8924 "configure"
#include "confdefs.h"
#include <$ac_hdr>
EOF
ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:8853: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:8929: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
if test -z "$ac_err"; then
rm -rf conftest*
echo $ac_n "checking for dlopen""... $ac_c" 1>&6
-echo "configure:8883: checking for dlopen" >&5
+echo "configure:8959: checking for dlopen" >&5
if eval "test \"\${ac_cv_func_dlopen+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 8888 "configure"
+#line 8964 "configure"
#include "confdefs.h"
/* System header to define __stub macros and hopefully few prototypes,
which can conflict with char dlopen(); below. */
; return 0; }
EOF
-if { (eval echo configure:8912: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:8988: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_func_dlopen=yes"
else
else
echo "$ac_t""no" 1>&6
echo $ac_n "checking for dlopen in -ldl""... $ac_c" 1>&6
-echo "configure:8930: checking for dlopen in -ldl" >&5
+echo "configure:9006: checking for dlopen in -ldl" >&5
ac_lib_var=`echo dl'_'dlopen | sed 'y%./+-:%__p__%'`
if eval "test \"\${ac_cv_lib_$ac_lib_var+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
ac_save_LIBS="$LIBS"
LIBS="-ldl $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 8938 "configure"
+#line 9014 "configure"
#include "confdefs.h"
/* Override any gcc2 internal prototype to avoid an error. */
/* We use char because int might match the return type of a gcc2
dlopen()
; return 0; }
EOF
-if { (eval echo configure:8949: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:9025: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_lib_$ac_lib_var=yes"
else
echo $ac_n "checking for sigset in -lV3""... $ac_c" 1>&6
-echo "configure:8980: checking for sigset in -lV3" >&5
+echo "configure:9056: checking for sigset in -lV3" >&5
ac_lib_var=`echo V3'_'sigset | sed 'y%./+-:%__p__%'`
if eval "test \"\${ac_cv_lib_$ac_lib_var+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
ac_save_LIBS="$LIBS"
LIBS="-lV3 $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 8988 "configure"
+#line 9064 "configure"
#include "confdefs.h"
/* Override any gcc2 internal prototype to avoid an error. */
/* We use char because int might match the return type of a gcc2
sigset()
; return 0; }
EOF
-if { (eval echo configure:8999: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:9075: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_lib_$ac_lib_var=yes"
else
echo $ac_n "checking for winsock""... $ac_c" 1>&6
-echo "configure:9028: checking for winsock" >&5
+echo "configure:9104: checking for winsock" >&5
save_LIBS="$LIBS"
for curlib in ws2_32 wsock32; do
LIBS="$LIBS -l$curlib"
cat > conftest.$ac_ext <<EOF
-#line 9033 "configure"
+#line 9109 "configure"
#include "confdefs.h"
char socket@12();
; return 0; }
EOF
-if { (eval echo configure:9050: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:9126: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
have_winsock=yes
else
echo $ac_n "checking for socket""... $ac_c" 1>&6
-echo "configure:9085: checking for socket" >&5
+echo "configure:9161: checking for socket" >&5
if eval "test \"\${ac_cv_func_socket+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 9090 "configure"
+#line 9166 "configure"
#include "confdefs.h"
/* System header to define __stub macros and hopefully few prototypes,
which can conflict with char socket(); below. */
; return 0; }
EOF
-if { (eval echo configure:9114: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:9190: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_func_socket=yes"
else
echo "$ac_t""no" 1>&6
echo $ac_n "checking for main in -lsocket""... $ac_c" 1>&6
-echo "configure:9133: checking for main in -lsocket" >&5
+echo "configure:9209: checking for main in -lsocket" >&5
ac_lib_var=`echo socket'_'main | sed 'y%./+-:%__p__%'`
if eval "test \"\${ac_cv_lib_$ac_lib_var+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
ac_save_LIBS="$LIBS"
LIBS="-lsocket $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 9141 "configure"
+#line 9217 "configure"
#include "confdefs.h"
int main() {
main()
; return 0; }
EOF
-if { (eval echo configure:9148: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:9224: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_lib_$ac_lib_var=yes"
else
fi
echo $ac_n "checking for main in -lnet""... $ac_c" 1>&6
-echo "configure:9176: checking for main in -lnet" >&5
+echo "configure:9252: checking for main in -lnet" >&5
ac_lib_var=`echo net'_'main | sed 'y%./+-:%__p__%'`
if eval "test \"\${ac_cv_lib_$ac_lib_var+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
ac_save_LIBS="$LIBS"
LIBS="-lnet $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 9184 "configure"
+#line 9260 "configure"
#include "confdefs.h"
int main() {
main()
; return 0; }
EOF
-if { (eval echo configure:9191: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:9267: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_lib_$ac_lib_var=yes"
else
fi
echo $ac_n "checking for main in -lnsl_s""... $ac_c" 1>&6
-echo "configure:9219: checking for main in -lnsl_s" >&5
+echo "configure:9295: checking for main in -lnsl_s" >&5
ac_lib_var=`echo nsl_s'_'main | sed 'y%./+-:%__p__%'`
if eval "test \"\${ac_cv_lib_$ac_lib_var+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
ac_save_LIBS="$LIBS"
LIBS="-lnsl_s $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 9227 "configure"
+#line 9303 "configure"
#include "confdefs.h"
int main() {
main()
; return 0; }
EOF
-if { (eval echo configure:9234: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:9310: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_lib_$ac_lib_var=yes"
else
fi
echo $ac_n "checking for main in -lnsl""... $ac_c" 1>&6
-echo "configure:9262: checking for main in -lnsl" >&5
+echo "configure:9338: checking for main in -lnsl" >&5
ac_lib_var=`echo nsl'_'main | sed 'y%./+-:%__p__%'`
if eval "test \"\${ac_cv_lib_$ac_lib_var+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
ac_save_LIBS="$LIBS"
LIBS="-lnsl $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 9270 "configure"
+#line 9346 "configure"
#include "confdefs.h"
int main() {
main()
; return 0; }
EOF
-if { (eval echo configure:9277: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:9353: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_lib_$ac_lib_var=yes"
else
fi
echo $ac_n "checking for socket in -linet""... $ac_c" 1>&6
-echo "configure:9305: checking for socket in -linet" >&5
+echo "configure:9381: checking for socket in -linet" >&5
ac_lib_var=`echo inet'_'socket | sed 'y%./+-:%__p__%'`
if eval "test \"\${ac_cv_lib_$ac_lib_var+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
ac_save_LIBS="$LIBS"
LIBS="-linet $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 9313 "configure"
+#line 9389 "configure"
#include "confdefs.h"
/* Override any gcc2 internal prototype to avoid an error. */
/* We use char because int might match the return type of a gcc2
socket()
; return 0; }
EOF
-if { (eval echo configure:9324: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:9400: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_lib_$ac_lib_var=yes"
else
fi
echo $ac_n "checking for main in -lgen""... $ac_c" 1>&6
-echo "configure:9352: checking for main in -lgen" >&5
+echo "configure:9428: checking for main in -lgen" >&5
ac_lib_var=`echo gen'_'main | sed 'y%./+-:%__p__%'`
if eval "test \"\${ac_cv_lib_$ac_lib_var+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
ac_save_LIBS="$LIBS"
LIBS="-lgen $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 9360 "configure"
+#line 9436 "configure"
#include "confdefs.h"
int main() {
main()
; return 0; }
EOF
-if { (eval echo configure:9367: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:9443: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_lib_$ac_lib_var=yes"
else
echo $ac_n "checking for select""... $ac_c" 1>&6
-echo "configure:9399: checking for select" >&5
+echo "configure:9475: checking for select" >&5
if eval "test \"\${ac_cv_func_select+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 9404 "configure"
+#line 9480 "configure"
#include "confdefs.h"
/* System header to define __stub macros and hopefully few prototypes,
which can conflict with char select(); below. */
; return 0; }
EOF
-if { (eval echo configure:9428: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:9504: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_func_select=yes"
else
if test "${ac_cv_header_winsock_h}" != yes; then
echo $ac_n "checking types of arguments for select()""... $ac_c" 1>&6
-echo "configure:9451: checking types of arguments for select()" >&5
+echo "configure:9527: checking types of arguments for select()" >&5
if eval "test \"\${ac_cv_func_select_arg234+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
for ac_cv_func_select_arg1 in 'int' 'size_t' 'unsigned long' 'unsigned'; do
for ac_cv_func_select_arg5 in 'struct timeval *' 'const struct timeval *'; do
cat > conftest.$ac_ext <<EOF
-#line 9465 "configure"
+#line 9541 "configure"
#include "confdefs.h"
#ifdef HAVE_SYS_TYPES_H
#include <sys/types.h>
; return 0; }
EOF
-if { (eval echo configure:9484: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:9560: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
rm -rf conftest*
ac_not_found=no ; break 3
else
do
ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
-echo "configure:9529: checking for $ac_hdr" >&5
+echo "configure:9605: checking for $ac_hdr" >&5
if eval "test \"\${ac_cv_header_$ac_safe+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 9534 "configure"
+#line 9610 "configure"
#include "confdefs.h"
#include <$ac_hdr>
EOF
ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:9539: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:9615: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
if test -z "$ac_err"; then
rm -rf conftest*
fi
echo $ac_n "checking for library containing regfree""... $ac_c" 1>&6
-echo "configure:9570: checking for library containing regfree" >&5
+echo "configure:9646: checking for library containing regfree" >&5
if eval "test \"\${ac_cv_search_regfree+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
ac_func_search_save_LIBS="$LIBS"
ac_cv_search_regfree="no"
cat > conftest.$ac_ext <<EOF
-#line 9577 "configure"
+#line 9653 "configure"
#include "confdefs.h"
/* Override any gcc2 internal prototype to avoid an error. */
/* We use char because int might match the return type of a gcc2
regfree()
; return 0; }
EOF
-if { (eval echo configure:9588: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:9664: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
ac_cv_search_regfree="none required"
else
test "$ac_cv_search_regfree" = "no" && for ac_lib in regex gnuregex; do
LIBS="-l$ac_lib $ac_func_search_save_LIBS"
cat > conftest.$ac_ext <<EOF
-#line 9599 "configure"
+#line 9675 "configure"
#include "confdefs.h"
/* Override any gcc2 internal prototype to avoid an error. */
/* We use char because int might match the return type of a gcc2
regfree()
; return 0; }
EOF
-if { (eval echo configure:9610: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:9686: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
ac_cv_search_regfree="-l$ac_lib"
break
echo $ac_n "checking for compatible POSIX regex""... $ac_c" 1>&6
-echo "configure:9633: checking for compatible POSIX regex" >&5
+echo "configure:9709: checking for compatible POSIX regex" >&5
if eval "test \"\${ol_cv_c_posix_regex+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
ol_cv_c_posix_regex=cross
else
cat > conftest.$ac_ext <<EOF
-#line 9642 "configure"
+#line 9718 "configure"
#include "confdefs.h"
#include <sys/types.h>
return rc;
}
EOF
-if { (eval echo configure:9668: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+if { (eval echo configure:9744: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
then
ol_cv_c_posix_regex=yes
else
do
ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
-echo "configure:9694: checking for $ac_hdr" >&5
+echo "configure:9770: checking for $ac_hdr" >&5
if eval "test \"\${ac_cv_header_$ac_safe+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 9699 "configure"
+#line 9775 "configure"
#include "confdefs.h"
#include <$ac_hdr>
EOF
ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:9704: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:9780: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
if test -z "$ac_err"; then
rm -rf conftest*
save_LIBS="$LIBS"
echo $ac_n "checking for library containing uuid_to_str""... $ac_c" 1>&6
-echo "configure:9734: checking for library containing uuid_to_str" >&5
+echo "configure:9810: checking for library containing uuid_to_str" >&5
if eval "test \"\${ac_cv_search_uuid_to_str+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
ac_func_search_save_LIBS="$LIBS"
ac_cv_search_uuid_to_str="no"
cat > conftest.$ac_ext <<EOF
-#line 9741 "configure"
+#line 9817 "configure"
#include "confdefs.h"
/* Override any gcc2 internal prototype to avoid an error. */
/* We use char because int might match the return type of a gcc2
uuid_to_str()
; return 0; }
EOF
-if { (eval echo configure:9752: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:9828: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
ac_cv_search_uuid_to_str="none required"
else
test "$ac_cv_search_uuid_to_str" = "no" && for ac_lib in uuid; do
LIBS="-l$ac_lib $ac_func_search_save_LIBS"
cat > conftest.$ac_ext <<EOF
-#line 9763 "configure"
+#line 9839 "configure"
#include "confdefs.h"
/* Override any gcc2 internal prototype to avoid an error. */
/* We use char because int might match the return type of a gcc2
uuid_to_str()
; return 0; }
EOF
-if { (eval echo configure:9774: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:9850: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
ac_cv_search_uuid_to_str="-l$ac_lib"
break
if test $have_uuid = no ; then
echo $ac_n "checking to see if -lrpcrt4 is needed for win32 UUID support""... $ac_c" 1>&6
-echo "configure:9809: checking to see if -lrpcrt4 is needed for win32 UUID support" >&5
+echo "configure:9885: checking to see if -lrpcrt4 is needed for win32 UUID support" >&5
save_LIBS="$LIBS"
LIBS="$LIBS -lrpcrt4"
cat > conftest.$ac_ext <<EOF
-#line 9813 "configure"
+#line 9889 "configure"
#include "confdefs.h"
char UuidCreate@4();
; return 0; }
EOF
-if { (eval echo configure:9826: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:9902: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
need_rpcrt=yes
else
ol_link_dnssrv=no
echo $ac_n "checking for res_query""... $ac_c" 1>&6
-echo "configure:9845: checking for res_query" >&5
+echo "configure:9921: checking for res_query" >&5
if eval "test \"\${ac_cv_func_res_query+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 9850 "configure"
+#line 9926 "configure"
#include "confdefs.h"
/* System header to define __stub macros and hopefully few prototypes,
which can conflict with char res_query(); below. */
; return 0; }
EOF
-if { (eval echo configure:9874: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:9950: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_func_res_query=yes"
else
if test $ac_cv_func_res_query = no ; then
echo $ac_n "checking for __res_query""... $ac_c" 1>&6
-echo "configure:9895: checking for __res_query" >&5
+echo "configure:9971: checking for __res_query" >&5
if eval "test \"\${ac_cv_func___res_query+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 9900 "configure"
+#line 9976 "configure"
#include "confdefs.h"
/* System header to define __stub macros and hopefully few prototypes,
which can conflict with char __res_query(); below. */
; return 0; }
EOF
-if { (eval echo configure:9924: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:10000: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_func___res_query=yes"
else
if test $ac_cv_func_res_query = no ; then
echo $ac_n "checking for res_query in -lbind""... $ac_c" 1>&6
-echo "configure:9948: checking for res_query in -lbind" >&5
+echo "configure:10024: checking for res_query in -lbind" >&5
ac_lib_var=`echo bind'_'res_query | sed 'y%./+-:%__p__%'`
if eval "test \"\${ac_cv_lib_$ac_lib_var+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
ac_save_LIBS="$LIBS"
LIBS="-lbind $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 9956 "configure"
+#line 10032 "configure"
#include "confdefs.h"
/* Override any gcc2 internal prototype to avoid an error. */
/* We use char because int might match the return type of a gcc2
res_query()
; return 0; }
EOF
-if { (eval echo configure:9967: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:10043: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_lib_$ac_lib_var=yes"
else
if test $ac_cv_func_res_query = no ; then
echo $ac_n "checking for __res_query in -lbind""... $ac_c" 1>&6
-echo "configure:9999: checking for __res_query in -lbind" >&5
+echo "configure:10075: checking for __res_query in -lbind" >&5
ac_lib_var=`echo bind'_'__res_query | sed 'y%./+-:%__p__%'`
if eval "test \"\${ac_cv_lib_$ac_lib_var+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
ac_save_LIBS="$LIBS"
LIBS="-lbind $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 10007 "configure"
+#line 10083 "configure"
#include "confdefs.h"
/* Override any gcc2 internal prototype to avoid an error. */
/* We use char because int might match the return type of a gcc2
__res_query()
; return 0; }
EOF
-if { (eval echo configure:10018: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:10094: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_lib_$ac_lib_var=yes"
else
if test $ac_cv_func_res_query = no ; then
echo $ac_n "checking for res_query in -lresolv""... $ac_c" 1>&6
-echo "configure:10050: checking for res_query in -lresolv" >&5
+echo "configure:10126: checking for res_query in -lresolv" >&5
ac_lib_var=`echo resolv'_'res_query | sed 'y%./+-:%__p__%'`
if eval "test \"\${ac_cv_lib_$ac_lib_var+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
ac_save_LIBS="$LIBS"
LIBS="-lresolv $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 10058 "configure"
+#line 10134 "configure"
#include "confdefs.h"
/* Override any gcc2 internal prototype to avoid an error. */
/* We use char because int might match the return type of a gcc2
res_query()
; return 0; }
EOF
-if { (eval echo configure:10069: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:10145: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_lib_$ac_lib_var=yes"
else
if test $ac_cv_func_res_query = no ; then
echo $ac_n "checking for __res_query in -lresolv""... $ac_c" 1>&6
-echo "configure:10101: checking for __res_query in -lresolv" >&5
+echo "configure:10177: checking for __res_query in -lresolv" >&5
ac_lib_var=`echo resolv'_'__res_query | sed 'y%./+-:%__p__%'`
if eval "test \"\${ac_cv_lib_$ac_lib_var+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
ac_save_LIBS="$LIBS"
LIBS="-lresolv $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 10109 "configure"
+#line 10185 "configure"
#include "confdefs.h"
/* Override any gcc2 internal prototype to avoid an error. */
/* We use char because int might match the return type of a gcc2
__res_query()
; return 0; }
EOF
-if { (eval echo configure:10120: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:10196: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_lib_$ac_lib_var=yes"
else
for ac_func in getaddrinfo getnameinfo gai_strerror inet_ntop
do
echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
-echo "configure:10168: checking for $ac_func" >&5
+echo "configure:10244: checking for $ac_func" >&5
if eval "test \"\${ac_cv_func_$ac_func+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 10173 "configure"
+#line 10249 "configure"
#include "confdefs.h"
/* System header to define __stub macros and hopefully few prototypes,
which can conflict with char $ac_func(); below. */
; return 0; }
EOF
-if { (eval echo configure:10197: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:10273: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_func_$ac_func=yes"
else
fi
elif test $ol_enable_ipv6 != no ; then
echo $ac_n "checking INET6_ADDRSTRLEN""... $ac_c" 1>&6
-echo "configure:10229: checking INET6_ADDRSTRLEN" >&5
+echo "configure:10305: checking INET6_ADDRSTRLEN" >&5
if eval "test \"\${ol_cv_inet6_addrstrlen+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 10235 "configure"
+#line 10311 "configure"
#include "confdefs.h"
# include <netinet/in.h>
echo $ac_n "checking struct sockaddr_storage""... $ac_c" 1>&6
-echo "configure:10260: checking struct sockaddr_storage" >&5
+echo "configure:10336: checking struct sockaddr_storage" >&5
if eval "test \"\${ol_cv_struct_sockaddr_storage+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 10266 "configure"
+#line 10342 "configure"
#include "confdefs.h"
#include <sys/types.h>
; return 0; }
EOF
-if { (eval echo configure:10278: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:10354: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
rm -rf conftest*
ol_cv_struct_sockaddr_storage=yes
else
do
ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
-echo "configure:10309: checking for $ac_hdr" >&5
+echo "configure:10385: checking for $ac_hdr" >&5
if eval "test \"\${ac_cv_header_$ac_safe+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 10314 "configure"
+#line 10390 "configure"
#include "confdefs.h"
#include <$ac_hdr>
EOF
ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:10319: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:10395: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
if test -z "$ac_err"; then
rm -rf conftest*
do
ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
-echo "configure:10366: checking for $ac_hdr" >&5
+echo "configure:10442: checking for $ac_hdr" >&5
if eval "test \"\${ac_cv_header_$ac_safe+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 10371 "configure"
+#line 10447 "configure"
#include "confdefs.h"
#include <$ac_hdr>
EOF
ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:10376: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:10452: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
if test -z "$ac_err"; then
rm -rf conftest*
do
ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
-echo "configure:10408: checking for $ac_hdr" >&5
+echo "configure:10484: checking for $ac_hdr" >&5
if eval "test \"\${ac_cv_header_$ac_safe+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 10413 "configure"
+#line 10489 "configure"
#include "confdefs.h"
#include <$ac_hdr>
EOF
ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:10418: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:10494: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
if test -z "$ac_err"; then
rm -rf conftest*
if test $krb5_impl = mit; then
echo $ac_n "checking for main in -lk5crypto""... $ac_c" 1>&6
-echo "configure:10452: checking for main in -lk5crypto" >&5
+echo "configure:10528: checking for main in -lk5crypto" >&5
ac_lib_var=`echo k5crypto'_'main | sed 'y%./+-:%__p__%'`
if eval "test \"\${ac_cv_lib_$ac_lib_var+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
ac_save_LIBS="$LIBS"
LIBS="-lk5crypto $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 10460 "configure"
+#line 10536 "configure"
#include "confdefs.h"
int main() {
main()
; return 0; }
EOF
-if { (eval echo configure:10467: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:10543: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_lib_$ac_lib_var=yes"
else
echo $ac_n "checking for main in -lkrb5""... $ac_c" 1>&6
-echo "configure:10490: checking for main in -lkrb5" >&5
+echo "configure:10566: checking for main in -lkrb5" >&5
ac_lib_var=`echo krb5'_'main | sed 'y%./+-:%__p__%'`
if eval "test \"\${ac_cv_lib_$ac_lib_var+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
ac_save_LIBS="$LIBS"
LIBS="-lkrb5 -l$krb5crypto -lcom_err $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 10498 "configure"
+#line 10574 "configure"
#include "confdefs.h"
int main() {
main()
; return 0; }
EOF
-if { (eval echo configure:10505: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:10581: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_lib_$ac_lib_var=yes"
else
elif test $krb5_impl = heimdal; then
echo $ac_n "checking for main in -ldes""... $ac_c" 1>&6
-echo "configure:10530: checking for main in -ldes" >&5
+echo "configure:10606: checking for main in -ldes" >&5
ac_lib_var=`echo des'_'main | sed 'y%./+-:%__p__%'`
if eval "test \"\${ac_cv_lib_$ac_lib_var+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
ac_save_LIBS="$LIBS"
LIBS="-ldes $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 10538 "configure"
+#line 10614 "configure"
#include "confdefs.h"
int main() {
main()
; return 0; }
EOF
-if { (eval echo configure:10545: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:10621: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_lib_$ac_lib_var=yes"
else
echo $ac_n "checking for main in -lkrb5""... $ac_c" 1>&6
-echo "configure:10568: checking for main in -lkrb5" >&5
+echo "configure:10644: checking for main in -lkrb5" >&5
ac_lib_var=`echo krb5'_'main | sed 'y%./+-:%__p__%'`
if eval "test \"\${ac_cv_lib_$ac_lib_var+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
ac_save_LIBS="$LIBS"
LIBS="-lkrb5 -l$krb5crypto -lasn1 -lroken -lcom_err $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 10576 "configure"
+#line 10652 "configure"
#include "confdefs.h"
int main() {
main()
; return 0; }
EOF
-if { (eval echo configure:10583: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:10659: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_lib_$ac_lib_var=yes"
else
do
ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
-echo "configure:10646: checking for $ac_hdr" >&5
+echo "configure:10722: checking for $ac_hdr" >&5
if eval "test \"\${ac_cv_header_$ac_safe+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 10651 "configure"
+#line 10727 "configure"
#include "confdefs.h"
#include <$ac_hdr>
EOF
ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:10656: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:10732: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
if test -z "$ac_err"; then
rm -rf conftest*
if test $ac_cv_header_kerberosIV_krb_h = yes ; then
if test $krb5_impl = mit; then
echo $ac_n "checking for main in -lkrb4""... $ac_c" 1>&6
-echo "configure:10686: checking for main in -lkrb4" >&5
+echo "configure:10762: checking for main in -lkrb4" >&5
ac_lib_var=`echo krb4'_'main | sed 'y%./+-:%__p__%'`
if eval "test \"\${ac_cv_lib_$ac_lib_var+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
ac_save_LIBS="$LIBS"
LIBS="-lkrb4 -ldes425 -lkrb5 -l$krb5crypto -lcom_err $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 10694 "configure"
+#line 10770 "configure"
#include "confdefs.h"
int main() {
main()
; return 0; }
EOF
-if { (eval echo configure:10701: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:10777: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_lib_$ac_lib_var=yes"
else
elif test $krb5_impl = heimdal; then
echo $ac_n "checking for main in -lkrb4""... $ac_c" 1>&6
-echo "configure:10726: checking for main in -lkrb4" >&5
+echo "configure:10802: checking for main in -lkrb4" >&5
ac_lib_var=`echo krb4'_'main | sed 'y%./+-:%__p__%'`
if eval "test \"\${ac_cv_lib_$ac_lib_var+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
ac_save_LIBS="$LIBS"
LIBS="-lkrb4 -lkrb5 -l$krb5crypto -lasn1 -lroken -lcom_err $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 10734 "configure"
+#line 10810 "configure"
#include "confdefs.h"
int main() {
main()
; return 0; }
EOF
-if { (eval echo configure:10741: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:10817: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_lib_$ac_lib_var=yes"
else
echo $ac_n "checking for des_debug in Kerberos libraries""... $ac_c" 1>&6
-echo "configure:10783: checking for des_debug in Kerberos libraries" >&5
+echo "configure:10859: checking for des_debug in Kerberos libraries" >&5
if eval "test \"\${ol_cv_var_des_debug+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
save_LIBS="$LIBS"
LIBS="$KRB4_LIBS $KRB5_LIBS $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 10791 "configure"
+#line 10867 "configure"
#include "confdefs.h"
#include <kerberosIV/krb.h>
; return 0; }
EOF
-if { (eval echo configure:10804: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:10880: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
ol_cv_var_des_debug=yes
else
do
ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
-echo "configure:10843: checking for $ac_hdr" >&5
+echo "configure:10919: checking for $ac_hdr" >&5
if eval "test \"\${ac_cv_header_$ac_safe+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 10848 "configure"
+#line 10924 "configure"
#include "confdefs.h"
#include <$ac_hdr>
EOF
ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:10853: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:10929: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
if test -z "$ac_err"; then
rm -rf conftest*
if test $ac_cv_header_krb_h = yes ; then
echo $ac_n "checking for main in -lkrb""... $ac_c" 1>&6
-echo "configure:10882: checking for main in -lkrb" >&5
+echo "configure:10958: checking for main in -lkrb" >&5
ac_lib_var=`echo krb'_'main | sed 'y%./+-:%__p__%'`
if eval "test \"\${ac_cv_lib_$ac_lib_var+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
ac_save_LIBS="$LIBS"
LIBS="-lkrb -ldes $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 10890 "configure"
+#line 10966 "configure"
#include "confdefs.h"
int main() {
main()
; return 0; }
EOF
-if { (eval echo configure:10897: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:10973: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_lib_$ac_lib_var=yes"
else
do
ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
-echo "configure:10967: checking for $ac_hdr" >&5
+echo "configure:11043: checking for $ac_hdr" >&5
if eval "test \"\${ac_cv_header_$ac_safe+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 10972 "configure"
+#line 11048 "configure"
#include "confdefs.h"
#include <$ac_hdr>
EOF
ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:10977: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:11053: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
if test -z "$ac_err"; then
rm -rf conftest*
if test $ac_cv_header_openssl_ssl_h = yes \
-o $ac_cv_header_ssl_h = yes ; then
echo $ac_n "checking for SSLeay_add_ssl_algorithms in -lssl""... $ac_c" 1>&6
-echo "configure:11007: checking for SSLeay_add_ssl_algorithms in -lssl" >&5
+echo "configure:11083: checking for SSLeay_add_ssl_algorithms in -lssl" >&5
ac_lib_var=`echo ssl'_'SSLeay_add_ssl_algorithms | sed 'y%./+-:%__p__%'`
if eval "test \"\${ac_cv_lib_$ac_lib_var+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
ac_save_LIBS="$LIBS"
LIBS="-lssl -lcrypto $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 11015 "configure"
+#line 11091 "configure"
#include "confdefs.h"
/* Override any gcc2 internal prototype to avoid an error. */
/* We use char because int might match the return type of a gcc2
SSLeay_add_ssl_algorithms()
; return 0; }
EOF
-if { (eval echo configure:11026: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:11102: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_lib_$ac_lib_var=yes"
else
if test $have_ssleay = no ; then
echo $ac_n "checking for SSL_library_init in -lssl""... $ac_c" 1>&6
-echo "configure:11051: checking for SSL_library_init in -lssl" >&5
+echo "configure:11127: checking for SSL_library_init in -lssl" >&5
ac_lib_var=`echo ssl'_'SSL_library_init | sed 'y%./+-:%__p__%'`
if eval "test \"\${ac_cv_lib_$ac_lib_var+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
ac_save_LIBS="$LIBS"
LIBS="-lssl -lcrypto $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 11059 "configure"
+#line 11135 "configure"
#include "confdefs.h"
/* Override any gcc2 internal prototype to avoid an error. */
/* We use char because int might match the return type of a gcc2
SSL_library_init()
; return 0; }
EOF
-if { (eval echo configure:11070: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:11146: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_lib_$ac_lib_var=yes"
else
if test $have_ssleay = no ; then
echo $ac_n "checking for ssl3_accept in -lssl""... $ac_c" 1>&6
-echo "configure:11096: checking for ssl3_accept in -lssl" >&5
+echo "configure:11172: checking for ssl3_accept in -lssl" >&5
ac_lib_var=`echo ssl'_'ssl3_accept | sed 'y%./+-:%__p__%'`
if eval "test \"\${ac_cv_lib_$ac_lib_var+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
ac_save_LIBS="$LIBS"
LIBS="-lssl -lcrypto -lRSAglue -lrsaref $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 11104 "configure"
+#line 11180 "configure"
#include "confdefs.h"
/* Override any gcc2 internal prototype to avoid an error. */
/* We use char because int might match the return type of a gcc2
ssl3_accept()
; return 0; }
EOF
-if { (eval echo configure:11115: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:11191: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_lib_$ac_lib_var=yes"
else
echo $ac_n "checking for _beginthread""... $ac_c" 1>&6
-echo "configure:11199: checking for _beginthread" >&5
+echo "configure:11275: checking for _beginthread" >&5
if eval "test \"\${ac_cv_func__beginthread+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 11204 "configure"
+#line 11280 "configure"
#include "confdefs.h"
/* System header to define __stub macros and hopefully few prototypes,
which can conflict with char _beginthread(); below. */
; return 0; }
EOF
-if { (eval echo configure:11228: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:11304: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_func__beginthread=yes"
else
do
ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
-echo "configure:11284: checking for $ac_hdr" >&5
+echo "configure:11360: checking for $ac_hdr" >&5
if eval "test \"\${ac_cv_header_$ac_safe+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 11289 "configure"
+#line 11365 "configure"
#include "confdefs.h"
#include <$ac_hdr>
EOF
ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:11294: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:11370: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
if test -z "$ac_err"; then
rm -rf conftest*
if test $ac_cv_header_pthread_h = yes ; then
echo $ac_n "checking POSIX thread version""... $ac_c" 1>&6
-echo "configure:11323: checking POSIX thread version" >&5
+echo "configure:11399: checking POSIX thread version" >&5
if eval "test \"\${ol_cv_pthread_version+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 11329 "configure"
+#line 11405 "configure"
#include "confdefs.h"
# include <pthread.h>
; return 0; }
EOF
-if { (eval echo configure:11340: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:11416: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
rm -rf conftest*
cat > conftest.$ac_ext <<EOF
-#line 11344 "configure"
+#line 11420 "configure"
#include "confdefs.h"
#include <pthread.h>
EOF
rm -rf conftest*
cat > conftest.$ac_ext <<EOF
-#line 11364 "configure"
+#line 11440 "configure"
#include "confdefs.h"
# include <pthread.h>
rm -rf conftest*
cat > conftest.$ac_ext <<EOF
-#line 11381 "configure"
+#line 11457 "configure"
#include "confdefs.h"
#include <pthread.h>
EOF
rm -rf conftest*
cat > conftest.$ac_ext <<EOF
-#line 11393 "configure"
+#line 11469 "configure"
#include "confdefs.h"
# include <pthread.h>
echo $ac_n "checking for LinuxThreads pthread.h""... $ac_c" 1>&6
-echo "configure:11440: checking for LinuxThreads pthread.h" >&5
+echo "configure:11516: checking for LinuxThreads pthread.h" >&5
if eval "test \"\${ol_cv_header_linux_threads+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 11445 "configure"
+#line 11521 "configure"
#include "confdefs.h"
#include <pthread.h>
EOF
echo $ac_n "checking for GNU Pth pthread.h""... $ac_c" 1>&6
-echo "configure:11472: checking for GNU Pth pthread.h" >&5
+echo "configure:11548: checking for GNU Pth pthread.h" >&5
if eval "test \"\${ol_cv_header_gnu_pth_pthread_h+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 11477 "configure"
+#line 11553 "configure"
#include "confdefs.h"
#include <pthread.h>
#ifdef _POSIX_THREAD_IS_GNU_PTH
do
ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
-echo "configure:11506: checking for $ac_hdr" >&5
+echo "configure:11582: checking for $ac_hdr" >&5
if eval "test \"\${ac_cv_header_$ac_safe+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 11511 "configure"
+#line 11587 "configure"
#include "confdefs.h"
#include <$ac_hdr>
EOF
ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:11516: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:11592: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
if test -z "$ac_err"; then
rm -rf conftest*
echo $ac_n "checking for pthread_create in default libraries""... $ac_c" 1>&6
-echo "configure:11546: checking for pthread_create in default libraries" >&5
+echo "configure:11622: checking for pthread_create in default libraries" >&5
if eval "test \"\${ol_cv_pthread_create+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
if test "$cross_compiling" = yes; then
cat > conftest.$ac_ext <<EOF
-#line 11553 "configure"
+#line 11629 "configure"
#include "confdefs.h"
/* pthread test headers */
#include <pthread.h>
; return 0; }
EOF
-if { (eval echo configure:11620: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:11696: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
ol_cv_pthread_create=yes
else
rm -f conftest*
else
cat > conftest.$ac_ext <<EOF
-#line 11632 "configure"
+#line 11708 "configure"
#include "confdefs.h"
/* pthread test headers */
#include <pthread.h>
}
EOF
-if { (eval echo configure:11704: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+if { (eval echo configure:11780: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
then
ol_cv_pthread_create=yes
else
if test "$ol_link_threads" = no ; then
# try -kthread
echo $ac_n "checking for pthread link with -kthread""... $ac_c" 1>&6
-echo "configure:11729: checking for pthread link with -kthread" >&5
+echo "configure:11805: checking for pthread link with -kthread" >&5
if eval "test \"\${ol_cv_pthread_kthread+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
if test "$cross_compiling" = yes; then
cat > conftest.$ac_ext <<EOF
-#line 11740 "configure"
+#line 11816 "configure"
#include "confdefs.h"
/* pthread test headers */
#include <pthread.h>
; return 0; }
EOF
-if { (eval echo configure:11807: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:11883: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
ol_cv_pthread_kthread=yes
else
rm -f conftest*
else
cat > conftest.$ac_ext <<EOF
-#line 11819 "configure"
+#line 11895 "configure"
#include "confdefs.h"
/* pthread test headers */
#include <pthread.h>
}
EOF
-if { (eval echo configure:11891: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+if { (eval echo configure:11967: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
then
ol_cv_pthread_kthread=yes
else
if test "$ol_link_threads" = no ; then
# try -pthread
echo $ac_n "checking for pthread link with -pthread""... $ac_c" 1>&6
-echo "configure:11921: checking for pthread link with -pthread" >&5
+echo "configure:11997: checking for pthread link with -pthread" >&5
if eval "test \"\${ol_cv_pthread_pthread+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
if test "$cross_compiling" = yes; then
cat > conftest.$ac_ext <<EOF
-#line 11932 "configure"
+#line 12008 "configure"
#include "confdefs.h"
/* pthread test headers */
#include <pthread.h>
; return 0; }
EOF
-if { (eval echo configure:11999: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:12075: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
ol_cv_pthread_pthread=yes
else
rm -f conftest*
else
cat > conftest.$ac_ext <<EOF
-#line 12011 "configure"
+#line 12087 "configure"
#include "confdefs.h"
/* pthread test headers */
#include <pthread.h>
}
EOF
-if { (eval echo configure:12083: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+if { (eval echo configure:12159: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
then
ol_cv_pthread_pthread=yes
else
if test "$ol_link_threads" = no ; then
# try -pthreads
echo $ac_n "checking for pthread link with -pthreads""... $ac_c" 1>&6
-echo "configure:12113: checking for pthread link with -pthreads" >&5
+echo "configure:12189: checking for pthread link with -pthreads" >&5
if eval "test \"\${ol_cv_pthread_pthreads+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
if test "$cross_compiling" = yes; then
cat > conftest.$ac_ext <<EOF
-#line 12124 "configure"
+#line 12200 "configure"
#include "confdefs.h"
/* pthread test headers */
#include <pthread.h>
; return 0; }
EOF
-if { (eval echo configure:12191: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:12267: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
ol_cv_pthread_pthreads=yes
else
rm -f conftest*
else
cat > conftest.$ac_ext <<EOF
-#line 12203 "configure"
+#line 12279 "configure"
#include "confdefs.h"
/* pthread test headers */
#include <pthread.h>
}
EOF
-if { (eval echo configure:12275: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+if { (eval echo configure:12351: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
then
ol_cv_pthread_pthreads=yes
else
if test "$ol_link_threads" = no ; then
# try -mthreads
echo $ac_n "checking for pthread link with -mthreads""... $ac_c" 1>&6
-echo "configure:12305: checking for pthread link with -mthreads" >&5
+echo "configure:12381: checking for pthread link with -mthreads" >&5
if eval "test \"\${ol_cv_pthread_mthreads+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
if test "$cross_compiling" = yes; then
cat > conftest.$ac_ext <<EOF
-#line 12316 "configure"
+#line 12392 "configure"
#include "confdefs.h"
/* pthread test headers */
#include <pthread.h>
; return 0; }
EOF
-if { (eval echo configure:12383: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:12459: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
ol_cv_pthread_mthreads=yes
else
rm -f conftest*
else
cat > conftest.$ac_ext <<EOF
-#line 12395 "configure"
+#line 12471 "configure"
#include "confdefs.h"
/* pthread test headers */
#include <pthread.h>
}
EOF
-if { (eval echo configure:12467: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+if { (eval echo configure:12543: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
then
ol_cv_pthread_mthreads=yes
else
if test "$ol_link_threads" = no ; then
# try -thread
echo $ac_n "checking for pthread link with -thread""... $ac_c" 1>&6
-echo "configure:12497: checking for pthread link with -thread" >&5
+echo "configure:12573: checking for pthread link with -thread" >&5
if eval "test \"\${ol_cv_pthread_thread+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
if test "$cross_compiling" = yes; then
cat > conftest.$ac_ext <<EOF
-#line 12508 "configure"
+#line 12584 "configure"
#include "confdefs.h"
/* pthread test headers */
#include <pthread.h>
; return 0; }
EOF
-if { (eval echo configure:12575: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:12651: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
ol_cv_pthread_thread=yes
else
rm -f conftest*
else
cat > conftest.$ac_ext <<EOF
-#line 12587 "configure"
+#line 12663 "configure"
#include "confdefs.h"
/* pthread test headers */
#include <pthread.h>
}
EOF
-if { (eval echo configure:12659: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+if { (eval echo configure:12735: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
then
ol_cv_pthread_thread=yes
else
if test "$ol_link_threads" = no ; then
# try -lpthread -lmach -lexc -lc_r
echo $ac_n "checking for pthread link with -lpthread -lmach -lexc -lc_r""... $ac_c" 1>&6
-echo "configure:12690: checking for pthread link with -lpthread -lmach -lexc -lc_r" >&5
+echo "configure:12766: checking for pthread link with -lpthread -lmach -lexc -lc_r" >&5
if eval "test \"\${ol_cv_pthread_lpthread_lmach_lexc_lc_r+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
if test "$cross_compiling" = yes; then
cat > conftest.$ac_ext <<EOF
-#line 12701 "configure"
+#line 12777 "configure"
#include "confdefs.h"
/* pthread test headers */
#include <pthread.h>
; return 0; }
EOF
-if { (eval echo configure:12768: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:12844: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
ol_cv_pthread_lpthread_lmach_lexc_lc_r=yes
else
rm -f conftest*
else
cat > conftest.$ac_ext <<EOF
-#line 12780 "configure"
+#line 12856 "configure"
#include "confdefs.h"
/* pthread test headers */
#include <pthread.h>
}
EOF
-if { (eval echo configure:12852: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+if { (eval echo configure:12928: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
then
ol_cv_pthread_lpthread_lmach_lexc_lc_r=yes
else
if test "$ol_link_threads" = no ; then
# try -lpthread -lmach -lexc
echo $ac_n "checking for pthread link with -lpthread -lmach -lexc""... $ac_c" 1>&6
-echo "configure:12882: checking for pthread link with -lpthread -lmach -lexc" >&5
+echo "configure:12958: checking for pthread link with -lpthread -lmach -lexc" >&5
if eval "test \"\${ol_cv_pthread_lpthread_lmach_lexc+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
if test "$cross_compiling" = yes; then
cat > conftest.$ac_ext <<EOF
-#line 12893 "configure"
+#line 12969 "configure"
#include "confdefs.h"
/* pthread test headers */
#include <pthread.h>
; return 0; }
EOF
-if { (eval echo configure:12960: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:13036: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
ol_cv_pthread_lpthread_lmach_lexc=yes
else
rm -f conftest*
else
cat > conftest.$ac_ext <<EOF
-#line 12972 "configure"
+#line 13048 "configure"
#include "confdefs.h"
/* pthread test headers */
#include <pthread.h>
}
EOF
-if { (eval echo configure:13044: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+if { (eval echo configure:13120: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
then
ol_cv_pthread_lpthread_lmach_lexc=yes
else
if test "$ol_link_threads" = no ; then
# try -lpthread -Wl,-woff,85
echo $ac_n "checking for pthread link with -lpthread -Wl,-woff,85""... $ac_c" 1>&6
-echo "configure:13075: checking for pthread link with -lpthread -Wl,-woff,85" >&5
+echo "configure:13151: checking for pthread link with -lpthread -Wl,-woff,85" >&5
if eval "test \"\${ol_cv_pthread_lib_lpthread_woff+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
if test "$cross_compiling" = yes; then
cat > conftest.$ac_ext <<EOF
-#line 13086 "configure"
+#line 13162 "configure"
#include "confdefs.h"
/* pthread test headers */
#include <pthread.h>
; return 0; }
EOF
-if { (eval echo configure:13153: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:13229: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
ol_cv_pthread_lib_lpthread_woff=yes
else
rm -f conftest*
else
cat > conftest.$ac_ext <<EOF
-#line 13165 "configure"
+#line 13241 "configure"
#include "confdefs.h"
/* pthread test headers */
#include <pthread.h>
}
EOF
-if { (eval echo configure:13237: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+if { (eval echo configure:13313: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
then
ol_cv_pthread_lib_lpthread_woff=yes
else
if test "$ol_link_threads" = no ; then
# try -lpthread
echo $ac_n "checking for pthread link with -lpthread""... $ac_c" 1>&6
-echo "configure:13268: checking for pthread link with -lpthread" >&5
+echo "configure:13344: checking for pthread link with -lpthread" >&5
if eval "test \"\${ol_cv_pthread_lpthread+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
if test "$cross_compiling" = yes; then
cat > conftest.$ac_ext <<EOF
-#line 13279 "configure"
+#line 13355 "configure"
#include "confdefs.h"
/* pthread test headers */
#include <pthread.h>
; return 0; }
EOF
-if { (eval echo configure:13346: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:13422: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
ol_cv_pthread_lpthread=yes
else
rm -f conftest*
else
cat > conftest.$ac_ext <<EOF
-#line 13358 "configure"
+#line 13434 "configure"
#include "confdefs.h"
/* pthread test headers */
#include <pthread.h>
}
EOF
-if { (eval echo configure:13430: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+if { (eval echo configure:13506: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
then
ol_cv_pthread_lpthread=yes
else
if test "$ol_link_threads" = no ; then
# try -lc_r
echo $ac_n "checking for pthread link with -lc_r""... $ac_c" 1>&6
-echo "configure:13460: checking for pthread link with -lc_r" >&5
+echo "configure:13536: checking for pthread link with -lc_r" >&5
if eval "test \"\${ol_cv_pthread_lc_r+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
if test "$cross_compiling" = yes; then
cat > conftest.$ac_ext <<EOF
-#line 13471 "configure"
+#line 13547 "configure"
#include "confdefs.h"
/* pthread test headers */
#include <pthread.h>
; return 0; }
EOF
-if { (eval echo configure:13538: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:13614: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
ol_cv_pthread_lc_r=yes
else
rm -f conftest*
else
cat > conftest.$ac_ext <<EOF
-#line 13550 "configure"
+#line 13626 "configure"
#include "confdefs.h"
/* pthread test headers */
#include <pthread.h>
}
EOF
-if { (eval echo configure:13622: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+if { (eval echo configure:13698: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
then
ol_cv_pthread_lc_r=yes
else
if test "$ol_link_threads" = no ; then
# try -threads
echo $ac_n "checking for pthread link with -threads""... $ac_c" 1>&6
-echo "configure:13653: checking for pthread link with -threads" >&5
+echo "configure:13729: checking for pthread link with -threads" >&5
if eval "test \"\${ol_cv_pthread_threads+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
if test "$cross_compiling" = yes; then
cat > conftest.$ac_ext <<EOF
-#line 13664 "configure"
+#line 13740 "configure"
#include "confdefs.h"
/* pthread test headers */
#include <pthread.h>
; return 0; }
EOF
-if { (eval echo configure:13731: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:13807: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
ol_cv_pthread_threads=yes
else
rm -f conftest*
else
cat > conftest.$ac_ext <<EOF
-#line 13743 "configure"
+#line 13819 "configure"
#include "confdefs.h"
/* pthread test headers */
#include <pthread.h>
}
EOF
-if { (eval echo configure:13815: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+if { (eval echo configure:13891: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
then
ol_cv_pthread_threads=yes
else
if test "$ol_link_threads" = no ; then
# try -lpthreads -lmach -lexc -lc_r
echo $ac_n "checking for pthread link with -lpthreads -lmach -lexc -lc_r""... $ac_c" 1>&6
-echo "configure:13846: checking for pthread link with -lpthreads -lmach -lexc -lc_r" >&5
+echo "configure:13922: checking for pthread link with -lpthreads -lmach -lexc -lc_r" >&5
if eval "test \"\${ol_cv_pthread_lpthreads_lmach_lexc_lc_r+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
if test "$cross_compiling" = yes; then
cat > conftest.$ac_ext <<EOF
-#line 13857 "configure"
+#line 13933 "configure"
#include "confdefs.h"
/* pthread test headers */
#include <pthread.h>
; return 0; }
EOF
-if { (eval echo configure:13924: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:14000: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
ol_cv_pthread_lpthreads_lmach_lexc_lc_r=yes
else
rm -f conftest*
else
cat > conftest.$ac_ext <<EOF
-#line 13936 "configure"
+#line 14012 "configure"
#include "confdefs.h"
/* pthread test headers */
#include <pthread.h>
}
EOF
-if { (eval echo configure:14008: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+if { (eval echo configure:14084: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
then
ol_cv_pthread_lpthreads_lmach_lexc_lc_r=yes
else
if test "$ol_link_threads" = no ; then
# try -lpthreads -lmach -lexc
echo $ac_n "checking for pthread link with -lpthreads -lmach -lexc""... $ac_c" 1>&6
-echo "configure:14038: checking for pthread link with -lpthreads -lmach -lexc" >&5
+echo "configure:14114: checking for pthread link with -lpthreads -lmach -lexc" >&5
if eval "test \"\${ol_cv_pthread_lpthreads_lmach_lexc+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
if test "$cross_compiling" = yes; then
cat > conftest.$ac_ext <<EOF
-#line 14049 "configure"
+#line 14125 "configure"
#include "confdefs.h"
/* pthread test headers */
#include <pthread.h>
; return 0; }
EOF
-if { (eval echo configure:14116: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:14192: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
ol_cv_pthread_lpthreads_lmach_lexc=yes
else
rm -f conftest*
else
cat > conftest.$ac_ext <<EOF
-#line 14128 "configure"
+#line 14204 "configure"
#include "confdefs.h"
/* pthread test headers */
#include <pthread.h>
}
EOF
-if { (eval echo configure:14200: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+if { (eval echo configure:14276: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
then
ol_cv_pthread_lpthreads_lmach_lexc=yes
else
if test "$ol_link_threads" = no ; then
# try -lpthreads -lexc
echo $ac_n "checking for pthread link with -lpthreads -lexc""... $ac_c" 1>&6
-echo "configure:14230: checking for pthread link with -lpthreads -lexc" >&5
+echo "configure:14306: checking for pthread link with -lpthreads -lexc" >&5
if eval "test \"\${ol_cv_pthread_lpthreads_lexc+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
if test "$cross_compiling" = yes; then
cat > conftest.$ac_ext <<EOF
-#line 14241 "configure"
+#line 14317 "configure"
#include "confdefs.h"
/* pthread test headers */
#include <pthread.h>
; return 0; }
EOF
-if { (eval echo configure:14308: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:14384: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
ol_cv_pthread_lpthreads_lexc=yes
else
rm -f conftest*
else
cat > conftest.$ac_ext <<EOF
-#line 14320 "configure"
+#line 14396 "configure"
#include "confdefs.h"
/* pthread test headers */
#include <pthread.h>
}
EOF
-if { (eval echo configure:14392: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+if { (eval echo configure:14468: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
then
ol_cv_pthread_lpthreads_lexc=yes
else
if test "$ol_link_threads" = no ; then
# try -lpthreads
echo $ac_n "checking for pthread link with -lpthreads""... $ac_c" 1>&6
-echo "configure:14423: checking for pthread link with -lpthreads" >&5
+echo "configure:14499: checking for pthread link with -lpthreads" >&5
if eval "test \"\${ol_cv_pthread_lib_lpthreads+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
if test "$cross_compiling" = yes; then
cat > conftest.$ac_ext <<EOF
-#line 14434 "configure"
+#line 14510 "configure"
#include "confdefs.h"
/* pthread test headers */
#include <pthread.h>
; return 0; }
EOF
-if { (eval echo configure:14501: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:14577: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
ol_cv_pthread_lib_lpthreads=yes
else
rm -f conftest*
else
cat > conftest.$ac_ext <<EOF
-#line 14513 "configure"
+#line 14589 "configure"
#include "confdefs.h"
/* pthread test headers */
#include <pthread.h>
}
EOF
-if { (eval echo configure:14585: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+if { (eval echo configure:14661: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
then
ol_cv_pthread_lib_lpthreads=yes
else
for ac_func in sched_yield pthread_yield thr_yield
do
echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
-echo "configure:14622: checking for $ac_func" >&5
+echo "configure:14698: checking for $ac_func" >&5
if eval "test \"\${ac_cv_func_$ac_func+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 14627 "configure"
+#line 14703 "configure"
#include "confdefs.h"
/* System header to define __stub macros and hopefully few prototypes,
which can conflict with char $ac_func(); below. */
; return 0; }
EOF
-if { (eval echo configure:14651: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:14727: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_func_$ac_func=yes"
else
$ac_cv_func_pthread_yield = no -a \
$ac_cv_func_thr_yield = no ; then
echo $ac_n "checking for sched_yield in -lrt""... $ac_c" 1>&6
-echo "configure:14680: checking for sched_yield in -lrt" >&5
+echo "configure:14756: checking for sched_yield in -lrt" >&5
ac_lib_var=`echo rt'_'sched_yield | sed 'y%./+-:%__p__%'`
if eval "test \"\${ac_cv_lib_$ac_lib_var+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
ac_save_LIBS="$LIBS"
LIBS="-lrt $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 14688 "configure"
+#line 14764 "configure"
#include "confdefs.h"
/* Override any gcc2 internal prototype to avoid an error. */
/* We use char because int might match the return type of a gcc2
sched_yield()
; return 0; }
EOF
-if { (eval echo configure:14699: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:14775: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_lib_$ac_lib_var=yes"
else
for ac_func in pthread_kill pthread_rwlock_destroy
do
echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
-echo "configure:14735: checking for $ac_func" >&5
+echo "configure:14811: checking for $ac_func" >&5
if eval "test \"\${ac_cv_func_$ac_func+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 14740 "configure"
+#line 14816 "configure"
#include "confdefs.h"
/* System header to define __stub macros and hopefully few prototypes,
which can conflict with char $ac_func(); below. */
; return 0; }
EOF
-if { (eval echo configure:14764: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:14840: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_func_$ac_func=yes"
else
echo $ac_n "checking for pthread_detach with <pthread.h>""... $ac_c" 1>&6
-echo "configure:14
790: checking for pthread_detach with <pthread.h>" >&5
+echo "configure:14
866: checking for pthread_detach with <pthread.h>" >&5
if eval "test \"\${ol_cv_func_pthread_detach+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 14796 "configure"
+#line 14872 "configure"
#include "confdefs.h"
#include <pthread.h>
pthread_detach(NULL);
; return 0; }
EOF
-if { (eval echo configure:14808: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:14884: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
ol_cv_func_pthread_detach=yes
else
do
echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
-echo "configure:14840: checking for $ac_func" >&5
+echo "configure:14916: checking for $ac_func" >&5
if eval "test \"\${ac_cv_func_$ac_func+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 14845 "configure"
+#line 14921 "configure"
#include "confdefs.h"
/* System header to define __stub macros and hopefully few prototypes,
which can conflict with char $ac_func(); below. */
; return 0; }
EOF
-if { (eval echo configure:14869: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:14945: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_func_$ac_func=yes"
else
for ac_func in pthread_kill_other_threads_np
do
echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
-echo "configure:14898: checking for $ac_func" >&5
+echo "configure:14974: checking for $ac_func" >&5
if eval "test \"\${ac_cv_func_$ac_func+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 14903 "configure"
+#line 14979 "configure"
#include "confdefs.h"
/* System header to define __stub macros and hopefully few prototypes,
which can conflict with char $ac_func(); below. */
; return 0; }
EOF
-if { (eval echo configure:14927: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:15003: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_func_$ac_func=yes"
else
done
echo $ac_n "checking for LinuxThreads implementation""... $ac_c" 1>&6
-echo "configure:14952: checking for LinuxThreads implementation" >&5
+echo "configure:15028: checking for LinuxThreads implementation" >&5
if eval "test \"\${ol_cv_sys_linux_threads+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
echo $ac_n "checking for LinuxThreads consistency""... $ac_c" 1>&6
-echo "configure:14965: checking for LinuxThreads consistency" >&5
+echo "configure:15041: checking for LinuxThreads consistency" >&5
if eval "test \"\${ol_cv_linux_threads+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
fi
echo $ac_n "checking if pthread_create() works""... $ac_c" 1>&6
-echo "configure:14990: checking if pthread_create() works" >&5
+echo "configure:15066: checking if pthread_create() works" >&5
if eval "test \"\${ol_cv_pthread_create_works+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
ol_cv_pthread_create_works=yes
else
cat > conftest.$ac_ext <<EOF
-#line 14999 "configure"
+#line 15075 "configure"
#include "confdefs.h"
/* pthread test headers */
#include <pthread.h>
}
EOF
-if { (eval echo configure:15071: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+if { (eval echo configure:15147: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
then
ol_cv_pthread_create_works=yes
else
if test $ol_with_yielding_select = auto ; then
echo $ac_n "checking if select yields when using pthreads""... $ac_c" 1>&6
-echo "configure:15093: checking if select yields when using pthreads" >&5
+echo "configure:15169: checking if select yields when using pthreads" >&5
if eval "test \"\${ol_cv_pthread_select_yields+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
ol_cv_pthread_select_yields=cross
else
cat > conftest.$ac_ext <<EOF
-#line 15102 "configure"
+#line 15178 "configure"
#include "confdefs.h"
#include <sys/types.h>
exit(2);
}
EOF
-if { (eval echo configure:15179: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+if { (eval echo configure:15255: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
then
ol_cv_pthread_select_yields=no
else
do
ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
-echo "configure:15223: checking for $ac_hdr" >&5
+echo "configure:15299: checking for $ac_hdr" >&5
if eval "test \"\${ac_cv_header_$ac_safe+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 15228 "configure"
+#line 15304 "configure"
#include "confdefs.h"
#include <$ac_hdr>
EOF
ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:15233: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:15309: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
if test -z "$ac_err"; then
rm -rf conftest*
ol_with_threads=found
echo $ac_n "checking for cthread_fork""... $ac_c" 1>&6
-echo "configure:15263: checking for cthread_fork" >&5
+echo "configure:15339: checking for cthread_fork" >&5
if eval "test \"\${ac_cv_func_cthread_fork+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 15268 "configure"
+#line 15344 "configure"
#include "confdefs.h"
/* System header to define __stub macros and hopefully few prototypes,
which can conflict with char cthread_fork(); below. */
; return 0; }
EOF
-if { (eval echo configure:15292: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:15368: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_func_cthread_fork=yes"
else
if test $ol_link_threads = no ; then
echo $ac_n "checking for cthread_fork with -all_load""... $ac_c" 1>&6
-echo "configure:15314: checking for cthread_fork with -all_load" >&5
+echo "configure:15390: checking for cthread_fork with -all_load" >&5
if eval "test \"\${ol_cv_cthread_all_load+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
save_LIBS="$LIBS"
LIBS="-all_load $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 15322 "configure"
+#line 15398 "configure"
#include "confdefs.h"
#include <mach/cthreads.h>
int main() {
; return 0; }
EOF
-if { (eval echo configure:15331: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:15407: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
ol_cv_cthread_all_load=yes
else
save_LIBS="$LIBS"
LIBS="$LIBS -lthreads"
echo $ac_n "checking for cthread_fork""... $ac_c" 1>&6
-echo "configure:15361: checking for cthread_fork" >&5
+echo "configure:15437: checking for cthread_fork" >&5
if eval "test \"\${ac_cv_func_cthread_fork+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 15366 "configure"
+#line 15442 "configure"
#include "confdefs.h"
/* System header to define __stub macros and hopefully few prototypes,
which can conflict with char cthread_fork(); below. */
; return 0; }
EOF
-if { (eval echo configure:15390: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:15466: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_func_cthread_fork=yes"
else
do
ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
-echo "configure:15440: checking for $ac_hdr" >&5
+echo "configure:15516: checking for $ac_hdr" >&5
if eval "test \"\${ac_cv_header_$ac_safe+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 15445 "configure"
+#line 15521 "configure"
#include "confdefs.h"
#include <$ac_hdr>
EOF
ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:15450: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:15526: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
if test -z "$ac_err"; then
rm -rf conftest*
if test $ac_cv_header_pth_h = yes ; then
echo $ac_n "checking for pth_version in -lpth""... $ac_c" 1>&6
-echo "configure:15479: checking for pth_version in -lpth" >&5
+echo "configure:15555: checking for pth_version in -lpth" >&5
ac_lib_var=`echo pth'_'pth_version | sed 'y%./+-:%__p__%'`
if eval "test \"\${ac_cv_lib_$ac_lib_var+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
ac_save_LIBS="$LIBS"
LIBS="-lpth $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 15487 "configure"
+#line 15563 "configure"
#include "confdefs.h"
/* Override any gcc2 internal prototype to avoid an error. */
/* We use char because int might match the return type of a gcc2
pth_version()
; return 0; }
EOF
-if { (eval echo configure:15498: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:15574: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_lib_$ac_lib_var=yes"
else
do
ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
-echo "configure:15543: checking for $ac_hdr" >&5
+echo "configure:15619: checking for $ac_hdr" >&5
if eval "test \"\${ac_cv_header_$ac_safe+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 15548 "configure"
+#line 15624 "configure"
#include "confdefs.h"
#include <$ac_hdr>
EOF
ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:15553: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:15629: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
if test -z "$ac_err"; then
rm -rf conftest*
if test $ac_cv_header_thread_h = yes -a $ac_cv_header_synch_h = yes ; then
echo $ac_n "checking for thr_create in -lthread""... $ac_c" 1>&6
-echo "configure:15581: checking for thr_create in -lthread" >&5
+echo "configure:15657: checking for thr_create in -lthread" >&5
ac_lib_var=`echo thread'_'thr_create | sed 'y%./+-:%__p__%'`
if eval "test \"\${ac_cv_lib_$ac_lib_var+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
ac_save_LIBS="$LIBS"
LIBS="-lthread $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 15589 "configure"
+#line 15665 "configure"
#include "confdefs.h"
/* Override any gcc2 internal prototype to avoid an error. */
/* We use char because int might match the return type of a gcc2
thr_create()
; return 0; }
EOF
-if { (eval echo configure:15600: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:15676: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_lib_$ac_lib_var=yes"
else
do
echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
-echo "configure:15640: checking for $ac_func" >&5
+echo "configure:15716: checking for $ac_func" >&5
if eval "test \"\${ac_cv_func_$ac_func+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 15645 "configure"
+#line 15721 "configure"
#include "confdefs.h"
/* System header to define __stub macros and hopefully few prototypes,
which can conflict with char $ac_func(); below. */
; return 0; }
EOF
-if { (eval echo configure:15669: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:15745: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_func_$ac_func=yes"
else
do
ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
-echo "configure:15700: checking for $ac_hdr" >&5
+echo "configure:15776: checking for $ac_hdr" >&5
if eval "test \"\${ac_cv_header_$ac_safe+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 15705 "configure"
+#line 15781 "configure"
#include "confdefs.h"
#include <$ac_hdr>
EOF
ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:15710: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:15786: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
if test -z "$ac_err"; then
rm -rf conftest*
if test $ac_cv_header_lwp_lwp_h = yes ; then
echo $ac_n "checking for lwp_create in -llwp""... $ac_c" 1>&6
-echo "configure:15738: checking for lwp_create in -llwp" >&5
+echo "configure:15814: checking for lwp_create in -llwp" >&5
ac_lib_var=`echo lwp'_'lwp_create | sed 'y%./+-:%__p__%'`
if eval "test \"\${ac_cv_lib_$ac_lib_var+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
ac_save_LIBS="$LIBS"
LIBS="-llwp $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 15746 "configure"
+#line 15822 "configure"
#include "confdefs.h"
/* Override any gcc2 internal prototype to avoid an error. */
/* We use char because int might match the return type of a gcc2
lwp_create()
; return 0; }
EOF
-if { (eval echo configure:15757: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:15833: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_lib_$ac_lib_var=yes"
else
do
ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
-echo "configure:15810: checking for $ac_hdr" >&5
+echo "configure:15886: checking for $ac_hdr" >&5
if eval "test \"\${ac_cv_header_$ac_safe+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 15815 "configure"
+#line 15891 "configure"
#include "confdefs.h"
#include <$ac_hdr>
EOF
ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:15820: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:15896: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
if test -z "$ac_err"; then
rm -rf conftest*
for ac_func in sched_yield pthread_yield
do
echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
-echo "configure:15849: checking for $ac_func" >&5
+echo "configure:15925: checking for $ac_func" >&5
if eval "test \"\${ac_cv_func_$ac_func+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 15854 "configure"
+#line 15930 "configure"
#include "confdefs.h"
/* System header to define __stub macros and hopefully few prototypes,
which can conflict with char $ac_func(); below. */
; return 0; }
EOF
-if { (eval echo configure:15878: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:15954: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_func_$ac_func=yes"
else
echo $ac_n "checking for LinuxThreads pthread.h""... $ac_c" 1>&6
-echo "configure:15904: checking for LinuxThreads pthread.h" >&5
+echo "configure:15980: checking for LinuxThreads pthread.h" >&5
if eval "test \"\${ol_cv_header_linux_threads+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 15909 "configure"
+#line 15985 "configure"
#include "confdefs.h"
#include <pthread.h>
EOF
do
ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
-echo "configure:15939: checking for $ac_hdr" >&5
+echo "configure:16015: checking for $ac_hdr" >&5
if eval "test \"\${ac_cv_header_$ac_safe+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 15944 "configure"
+#line 16020 "configure"
#include "confdefs.h"
#include <$ac_hdr>
EOF
ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:15949: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:16025: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
if test -z "$ac_err"; then
rm -rf conftest*
do
ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
-echo "configure:15979: checking for $ac_hdr" >&5
+echo "configure:16055: checking for $ac_hdr" >&5
if eval "test \"\${ac_cv_header_$ac_safe+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 15984 "configure"
+#line 16060 "configure"
#include "confdefs.h"
#include <$ac_hdr>
EOF
ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:15989: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:16065: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
if test -z "$ac_err"; then
rm -rf conftest*
do
ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
-echo "configure:16019: checking for $ac_hdr" >&5
+echo "configure:16095: checking for $ac_hdr" >&5
if eval "test \"\${ac_cv_header_$ac_safe+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 16024 "configure"
+#line 16100 "configure"
#include "confdefs.h"
#include <$ac_hdr>
EOF
ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:16029: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:16105: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
if test -z "$ac_err"; then
rm -rf conftest*
echo $ac_n "checking for thread specific errno""... $ac_c" 1>&6
-echo "configure:16088: checking for thread specific errno" >&5
+echo "configure:16164: checking for thread specific errno" >&5
if eval "test \"\${ol_cv_errno_thread_specific+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 16094 "configure"
+#line 16170 "configure"
#include "confdefs.h"
#include <errno.h>
int main() {
errno = 0;
; return 0; }
EOF
-if { (eval echo configure:16101: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:16177: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
ol_cv_errno_thread_specific=yes
else
echo "$ac_t""$ol_cv_errno_thread_specific" 1>&6
echo $ac_n "checking for thread specific h_errno""... $ac_c" 1>&6
-echo "configure:16117: checking for thread specific h_errno" >&5
+echo "configure:16193: checking for thread specific h_errno" >&5
if eval "test \"\${ol_cv_h_errno_thread_specific+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 16123 "configure"
+#line 16199 "configure"
#include "confdefs.h"
#include <netdb.h>
int main() {
h_errno = 0;
; return 0; }
EOF
-if { (eval echo configure:16130: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:16206: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
ol_cv_h_errno_thread_specific=yes
else
do
echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
-echo "configure:16183: checking for $ac_func" >&5
+echo "configure:16259: checking for $ac_func" >&5
if eval "test \"\${ac_cv_func_$ac_func+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 16188 "configure"
+#line 16264 "configure"
#include "confdefs.h"
/* System header to define __stub macros and hopefully few prototypes,
which can conflict with char $ac_func(); below. */
; return 0; }
EOF
-if { (eval echo configure:16212: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:16288: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_func_$ac_func=yes"
else
ol_cv_func_ctime_r_nargs=0
else
echo $ac_n "checking number of arguments of ctime_r""... $ac_c" 1>&6
-echo "configure:16241: checking number of arguments of ctime_r" >&5
+echo "configure:16317: checking number of arguments of ctime_r" >&5
if eval "test \"\${ol_cv_func_ctime_r_nargs+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 16246 "configure"
+#line 16322 "configure"
#include "confdefs.h"
#include <time.h>
int main() {
time_t ti; char *buffer; ctime_r(&ti,buffer,32);
; return 0; }
EOF
-if { (eval echo configure:16253: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:16329: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
rm -rf conftest*
ol_cv_func_ctime_r_nargs3=yes
else
rm -f conftest*
cat > conftest.$ac_ext <<EOF
-#line 16265 "configure"
+#line 16341 "configure"
#include "confdefs.h"
#include <time.h>
int main() {
time_t ti; char *buffer; ctime_r(&ti,buffer);
; return 0; }
EOF
-if { (eval echo configure:16272: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:16348: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
rm -rf conftest*
ol_cv_func_ctime_r_nargs2=yes
else
if test "$ac_cv_func_gethostbyname_r" = yes ; then
echo $ac_n "checking number of arguments of gethostbyname_r""... $ac_c" 1>&6
-echo "configure:16312: checking number of arguments of gethostbyname_r" >&5
+echo "configure:16388: checking number of arguments of gethostbyname_r" >&5
if eval "test \"\${ol_cv_func_gethostbyname_r_nargs+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 16317 "configure"
+#line 16393 "configure"
#include "confdefs.h"
#include <sys/types.h>
#include <sys/socket.h>
buffer, bufsize, &h_errno);
; return 0; }
EOF
-if { (eval echo configure:16331: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:16407: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
rm -rf conftest*
ol_cv_func_gethostbyname_r_nargs5=yes
else
rm -f conftest*
cat > conftest.$ac_ext <<EOF
-#line 16343 "configure"
+#line 16419 "configure"
#include "confdefs.h"
#include <sys/types.h>
#include <sys/socket.h>
&rhent, &h_errno);
; return 0; }
EOF
-if { (eval echo configure:16358: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:16434: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
rm -rf conftest*
ol_cv_func_gethostbyname_r_nargs6=yes
else
if test "$ac_cv_func_gethostbyaddr_r" = yes ; then
echo $ac_n "checking number of arguments of gethostbyaddr_r""... $ac_c" 1>&6
-echo "configure:16399: checking number of arguments of gethostbyaddr_r" >&5
+echo "configure:16475: checking number of arguments of gethostbyaddr_r" >&5
if eval "test \"\${ol_cv_func_gethostbyaddr_r_nargs+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 16404 "configure"
+#line 16480 "configure"
#include "confdefs.h"
#include <sys/types.h>
#include <sys/socket.h>
alen, AF_INET, &hent, buffer, bufsize, &h_errno);
; return 0; }
EOF
-if { (eval echo configure:16420: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:16496: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
rm -rf conftest*
ol_cv_func_gethostbyaddr_r_nargs7=yes
else
rm -f conftest*
cat > conftest.$ac_ext <<EOF
-#line 16432 "configure"
+#line 16508 "configure"
#include "confdefs.h"
#include <sys/types.h>
#include <sys/socket.h>
&rhent, &h_errno);
; return 0; }
EOF
-if { (eval echo configure:16450: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:16526: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
rm -rf conftest*
ol_cv_func_gethostbyaddr_r_nargs8=yes
else
do
ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
-echo "configure:16500: checking for $ac_hdr" >&5
+echo "configure:16576: checking for $ac_hdr" >&5
if eval "test \"\${ac_cv_header_$ac_safe+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 16505 "configure"
+#line 16581 "configure"
#include "confdefs.h"
#include <$ac_hdr>
EOF
ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:16510: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:16586: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
if test -z "$ac_err"; then
rm -rf conftest*
if test $ac_cv_header_db_185_h = yes -o $ac_cv_header_db_h = yes; then
echo $ac_n "checking if Berkeley DB header compatibility""... $ac_c" 1>&6
-echo "configure:16538: checking if Berkeley DB header compatibility" >&5
+echo "configure:16614: checking if Berkeley DB header compatibility" >&5
if eval "test \"\${ol_cv_header_db1+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 16544 "configure"
+#line 16620 "configure"
#include "confdefs.h"
#if HAVE_DB_185_H
ol_cv_lib_db=no
if test $ol_cv_lib_db = no ; then
echo $ac_n "checking for Berkeley DB link (default)""... $ac_c" 1>&6
-echo "configure:16581: checking for Berkeley DB link (default)" >&5
+echo "configure:16657: checking for Berkeley DB link (default)" >&5
if eval "test \"\${ol_cv_db_none+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
LIBS="$ol_DB_LIB $LTHREAD_LIBS $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 16591 "configure"
+#line 16667 "configure"
#include "confdefs.h"
#ifdef HAVE_DB_185_H
; return 0; }
EOF
-if { (eval echo configure:16638: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:16714: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
ol_cv_db_none=yes
else
if test $ol_cv_lib_db = no ; then
echo $ac_n "checking for Berkeley DB link (-ldb42)""... $ac_c" 1>&6
-echo "configure:16662: checking for Berkeley DB link (-ldb42)" >&5
+echo "configure:16738: checking for Berkeley DB link (-ldb42)" >&5
if eval "test \"\${ol_cv_db_db42+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
LIBS="$ol_DB_LIB $LTHREAD_LIBS $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 16672 "configure"
+#line 16748 "configure"
#include "confdefs.h"
#ifdef HAVE_DB_185_H
; return 0; }
EOF
-if { (eval echo configure:16719: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:16795: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
ol_cv_db_db42=yes
else
if test $ol_cv_lib_db = no ; then
echo $ac_n "checking for Berkeley DB link (-ldb-42)""... $ac_c" 1>&6
-echo "configure:16743: checking for Berkeley DB link (-ldb-42)" >&5
+echo "configure:16819: checking for Berkeley DB link (-ldb-42)" >&5
if eval "test \"\${ol_cv_db_db_42+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
LIBS="$ol_DB_LIB $LTHREAD_LIBS $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 16753 "configure"
+#line 16829 "configure"
#include "confdefs.h"
#ifdef HAVE_DB_185_H
; return 0; }
EOF
-if { (eval echo configure:16800: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:16876: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
ol_cv_db_db_42=yes
else
if test $ol_cv_lib_db = no ; then
echo $ac_n "checking for Berkeley DB link (-ldb-4.2)""... $ac_c" 1>&6
-echo "configure:16824: checking for Berkeley DB link (-ldb-4.2)" >&5
+echo "configure:16900: checking for Berkeley DB link (-ldb-4.2)" >&5
if eval "test \"\${ol_cv_db_db_4_dot_2+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
LIBS="$ol_DB_LIB $LTHREAD_LIBS $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 16834 "configure"
+#line 16910 "configure"
#include "confdefs.h"
#ifdef HAVE_DB_185_H
; return 0; }
EOF
-if { (eval echo configure:16881: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:16957: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
ol_cv_db_db_4_dot_2=yes
else
if test $ol_cv_lib_db = no ; then
echo $ac_n "checking for Berkeley DB link (-ldb-4-2)""... $ac_c" 1>&6
-echo "configure:16905: checking for Berkeley DB link (-ldb-4-2)" >&5
+echo "configure:16981: checking for Berkeley DB link (-ldb-4-2)" >&5
if eval "test \"\${ol_cv_db_db_4_2+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
LIBS="$ol_DB_LIB $LTHREAD_LIBS $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 16915 "configure"
+#line 16991 "configure"
#include "confdefs.h"
#ifdef HAVE_DB_185_H
; return 0; }
EOF
-if { (eval echo configure:16962: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:17038: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
ol_cv_db_db_4_2=yes
else
if test $ol_cv_lib_db = no ; then
echo $ac_n "checking for Berkeley DB link (-ldb-4)""... $ac_c" 1>&6
-echo "configure:16986: checking for Berkeley DB link (-ldb-4)" >&5
+echo "configure:17062: checking for Berkeley DB link (-ldb-4)" >&5
if eval "test \"\${ol_cv_db_db_4+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
LIBS="$ol_DB_LIB $LTHREAD_LIBS $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 16996 "configure"
+#line 17072 "configure"
#include "confdefs.h"
#ifdef HAVE_DB_185_H
; return 0; }
EOF
-if { (eval echo configure:17043: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:17119: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
ol_cv_db_db_4=yes
else
if test $ol_cv_lib_db = no ; then
echo $ac_n "checking for Berkeley DB link (-ldb4)""... $ac_c" 1>&6
-echo "configure:17067: checking for Berkeley DB link (-ldb4)" >&5
+echo "configure:17143: checking for Berkeley DB link (-ldb4)" >&5
if eval "test \"\${ol_cv_db_db4+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
LIBS="$ol_DB_LIB $LTHREAD_LIBS $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 17077 "configure"
+#line 17153 "configure"
#include "confdefs.h"
#ifdef HAVE_DB_185_H
; return 0; }
EOF
-if { (eval echo configure:17124: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:17200: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
ol_cv_db_db4=yes
else
fi
if test $ol_cv_lib_db = no ; then
- echo $ac_n "checking for Berkeley DB link (-ldb41)""... $ac_c" 1>&6
-echo "configure:17148: checking for Berkeley DB link (-ldb41)" >&5
-if eval "test \"\${ol_cv_db_db41+set}\" = set"; then
- echo $ac_n "(cached) $ac_c" 1>&6
-else
-
- ol_DB_LIB=-ldb41
- ol_LIBS=$LIBS
- LIBS="$ol_DB_LIB $LTHREAD_LIBS $LIBS"
-
- cat > conftest.$ac_ext <<EOF
-#line 17158 "configure"
-#include "confdefs.h"
-
-#ifdef HAVE_DB_185_H
-# include <db_185.h>
-#else
-# include <db.h>
-#endif
-
-#ifndef DB_VERSION_MAJOR
-# define DB_VERSION_MAJOR 1
-#endif
-
-#ifndef NULL
-#define NULL ((void*)0)
-#endif
-
-int main() {
-
-#if DB_VERSION_MAJOR > 1
- {
- char *version;
- int major, minor, patch;
-
- version = db_version( &major, &minor, &patch );
-
- if( major != DB_VERSION_MAJOR ||
- minor < DB_VERSION_MINOR )
- {
- printf("Berkeley DB version mismatch\n"
- "\texpected: %s\n\tgot: %s\n",
- DB_VERSION_STRING, version);
- return 1;
- }
- }
-#endif
-
-#if DB_VERSION_MAJOR > 2
- db_env_create( NULL, 0 );
-#elif DB_VERSION_MAJOR > 1
- db_appexit( NULL );
-#else
- (void) dbopen( NULL, 0, 0, 0, NULL);
-#endif
-
-; return 0; }
-EOF
-if { (eval echo configure:17205: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
- rm -rf conftest*
- ol_cv_db_db41=yes
-else
- echo "configure: failed program was:" >&5
- cat conftest.$ac_ext >&5
- rm -rf conftest*
- ol_cv_db_db41=no
-fi
-rm -f conftest*
-
- LIBS="$ol_LIBS"
-
-fi
-
-echo "$ac_t""$ol_cv_db_db41" 1>&6
-
- if test $ol_cv_db_db41 = yes ; then
- ol_cv_lib_db=-ldb41
- fi
-fi
-
-if test $ol_cv_lib_db = no ; then
- echo $ac_n "checking for Berkeley DB link (-ldb-41)""... $ac_c" 1>&6
-echo "configure:17229: checking for Berkeley DB link (-ldb-41)" >&5
-if eval "test \"\${ol_cv_db_db_41+set}\" = set"; then
+ echo $ac_n "checking for Berkeley DB link (-ldb)""... $ac_c" 1>&6
+echo "configure:17224: checking for Berkeley DB link (-ldb)" >&5
+if eval "test \"\${ol_cv_db_db+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
- ol_DB_LIB=-ldb-41
+ ol_DB_LIB=-ldb
ol_LIBS=$LIBS
LIBS="$ol_DB_LIB $LTHREAD_LIBS $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 17239 "configure"
+#line 17234 "configure"
#include "confdefs.h"
#ifdef HAVE_DB_185_H
; return 0; }
EOF
-if { (eval echo configure:17286: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:17281: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
- ol_cv_db_db_41=yes
+ ol_cv_db_db=yes
else
echo "configure: failed program was:" >&5
cat conftest.$ac_ext >&5
rm -rf conftest*
- ol_cv_db_db_41=no
+ ol_cv_db_db=no
fi
rm -f conftest*
fi
-echo "$ac_t""$ol_cv_db_db_41" 1>&6
+echo "$ac_t""$ol_cv_db_db" 1>&6
- if test $ol_cv_db_db_41 = yes ; then
- ol_cv_lib_db=-ldb-41
+ if test $ol_cv_db_db = yes ; then
+ ol_cv_lib_db=-ldb
fi
fi
if test $ol_cv_lib_db = no ; then
- echo $ac_n "checking for Berkeley DB link (-ldb-4.1)""... $ac_c" 1>&6
-echo "configure:17310: checking for Berkeley DB link (-ldb-4.1)" >&5
-if eval "test \"\${ol_cv_db_db_4_dot_1+set}\" = set"; then
+ echo $ac_n "checking for Berkeley DB link (-ldb41)""... $ac_c" 1>&6
+echo "configure:17305: checking for Berkeley DB link (-ldb41)" >&5
+if eval "test \"\${ol_cv_db_db41+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
- ol_DB_LIB=-ldb-4.1
+ ol_DB_LIB=-ldb41
ol_LIBS=$LIBS
LIBS="$ol_DB_LIB $LTHREAD_LIBS $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 17320 "configure"
+#line 17315 "configure"
#include "confdefs.h"
#ifdef HAVE_DB_185_H
; return 0; }
EOF
-if { (eval echo configure:17367: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:17362: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
- ol_cv_db_db_4_dot_1=yes
+ ol_cv_db_db41=yes
else
echo "configure: failed program was:" >&5
cat conftest.$ac_ext >&5
rm -rf conftest*
- ol_cv_db_db_4_dot_1=no
+ ol_cv_db_db41=no
fi
rm -f conftest*
fi
-echo "$ac_t""$ol_cv_db_db_4_dot_1" 1>&6
+echo "$ac_t""$ol_cv_db_db41" 1>&6
- if test $ol_cv_db_db_4_dot_1 = yes ; then
- ol_cv_lib_db=-ldb-4.1
+ if test $ol_cv_db_db41 = yes ; then
+ ol_cv_lib_db=-ldb41
fi
fi
if test $ol_cv_lib_db = no ; then
- echo $ac_n "checking for Berkeley DB link (-ldb-4-1)""... $ac_c" 1>&6
-echo "configure:17391: checking for Berkeley DB link (-ldb-4-1)" >&5
-if eval "test \"\${ol_cv_db_db_4_1+set}\" = set"; then
+ echo $ac_n "checking for Berkeley DB link (-ldb-41)""... $ac_c" 1>&6
+echo "configure:17386: checking for Berkeley DB link (-ldb-41)" >&5
+if eval "test \"\${ol_cv_db_db_41+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
- ol_DB_LIB=-ldb-4-1
+ ol_DB_LIB=-ldb-41
ol_LIBS=$LIBS
LIBS="$ol_DB_LIB $LTHREAD_LIBS $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 17401 "configure"
+#line 17396 "configure"
#include "confdefs.h"
#ifdef HAVE_DB_185_H
; return 0; }
EOF
-if { (eval echo configure:17448: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:17443: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
- ol_cv_db_db_4_1=yes
+ ol_cv_db_db_41=yes
else
echo "configure: failed program was:" >&5
cat conftest.$ac_ext >&5
rm -rf conftest*
- ol_cv_db_db_4_1=no
+ ol_cv_db_db_41=no
fi
rm -f conftest*
fi
-echo "$ac_t""$ol_cv_db_db_4_1" 1>&6
+echo "$ac_t""$ol_cv_db_db_41" 1>&6
- if test $ol_cv_db_db_4_1 = yes ; then
- ol_cv_lib_db=-ldb-4-1
+ if test $ol_cv_db_db_41 = yes ; then
+ ol_cv_lib_db=-ldb-41
fi
fi
if test $ol_cv_lib_db = no ; then
- echo $ac_n "checking for Berkeley DB link (-ldb-4)""... $ac_c" 1>&6
-echo "configure:17472: checking for Berkeley DB link (-ldb-4)" >&5
-if eval "test \"\${ol_cv_db_db_4+set}\" = set"; then
+ echo $ac_n "checking for Berkeley DB link (-ldb-4.1)""... $ac_c" 1>&6
+echo "configure:17467: checking for Berkeley DB link (-ldb-4.1)" >&5
+if eval "test \"\${ol_cv_db_db_4_dot_1+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
- ol_DB_LIB=-ldb-4
+ ol_DB_LIB=-ldb-4.1
ol_LIBS=$LIBS
LIBS="$ol_DB_LIB $LTHREAD_LIBS $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 17482 "configure"
+#line 17477 "configure"
#include "confdefs.h"
#ifdef HAVE_DB_185_H
; return 0; }
EOF
-if { (eval echo configure:17529: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:17524: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
- ol_cv_db_db_4=yes
+ ol_cv_db_db_4_dot_1=yes
else
echo "configure: failed program was:" >&5
cat conftest.$ac_ext >&5
rm -rf conftest*
- ol_cv_db_db_4=no
+ ol_cv_db_db_4_dot_1=no
fi
rm -f conftest*
fi
-echo "$ac_t""$ol_cv_db_db_4" 1>&6
+echo "$ac_t""$ol_cv_db_db_4_dot_1" 1>&6
- if test $ol_cv_db_db_4 = yes ; then
- ol_cv_lib_db=-ldb-4
+ if test $ol_cv_db_db_4_dot_1 = yes ; then
+ ol_cv_lib_db=-ldb-4.1
fi
fi
if test $ol_cv_lib_db = no ; then
- echo $ac_n "checking for Berkeley DB link (-ldb)""... $ac_c" 1>&6
-echo "configure:17553: checking for Berkeley DB link (-ldb)" >&5
-if eval "test \"\${ol_cv_db_db+set}\" = set"; then
+ echo $ac_n "checking for Berkeley DB link (-ldb-4-1)""... $ac_c" 1>&6
+echo "configure:17548: checking for Berkeley DB link (-ldb-4-1)" >&5
+if eval "test \"\${ol_cv_db_db_4_1+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
- ol_DB_LIB=-ldb
+ ol_DB_LIB=-ldb-4-1
ol_LIBS=$LIBS
LIBS="$ol_DB_LIB $LTHREAD_LIBS $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 17563 "configure"
+#line 17558 "configure"
#include "confdefs.h"
#ifdef HAVE_DB_185_H
; return 0; }
EOF
-if { (eval echo configure:17610: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:17605: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
- ol_cv_db_db=yes
+ ol_cv_db_db_4_1=yes
else
echo "configure: failed program was:" >&5
cat conftest.$ac_ext >&5
rm -rf conftest*
- ol_cv_db_db=no
+ ol_cv_db_db_4_1=no
fi
rm -f conftest*
fi
-echo "$ac_t""$ol_cv_db_db" 1>&6
+echo "$ac_t""$ol_cv_db_db_4_1" 1>&6
- if test $ol_cv_db_db = yes ; then
- ol_cv_lib_db=-ldb
+ if test $ol_cv_db_db_4_1 = yes ; then
+ ol_cv_lib_db=-ldb-4-1
fi
fi
if test $ol_cv_lib_db = no ; then
echo $ac_n "checking for Berkeley DB link (-ldb3)""... $ac_c" 1>&6
-echo "configure:17634: checking for Berkeley DB link (-ldb3)" >&5
+echo "configure:17629: checking for Berkeley DB link (-ldb3)" >&5
if eval "test \"\${ol_cv_db_db3+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
LIBS="$ol_DB_LIB $LTHREAD_LIBS $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 17644 "configure"
+#line 17639 "configure"
#include "confdefs.h"
#ifdef HAVE_DB_185_H
; return 0; }
EOF
-if { (eval echo configure:17691: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:17686: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
ol_cv_db_db3=yes
else
if test $ol_cv_lib_db = no ; then
echo $ac_n "checking for Berkeley DB link (-ldb-3)""... $ac_c" 1>&6
-echo "configure:17715: checking for Berkeley DB link (-ldb-3)" >&5
+echo "configure:17710: checking for Berkeley DB link (-ldb-3)" >&5
if eval "test \"\${ol_cv_db_db_3+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
LIBS="$ol_DB_LIB $LTHREAD_LIBS $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 17725 "configure"
+#line 17720 "configure"
#include "confdefs.h"
#ifdef HAVE_DB_185_H
; return 0; }
EOF
-if { (eval echo configure:17772: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:17767: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
ol_cv_db_db_3=yes
else
if test $ol_cv_lib_db = no ; then
echo $ac_n "checking for Berkeley DB link (-ldb2)""... $ac_c" 1>&6
-echo "configure:17796: checking for Berkeley DB link (-ldb2)" >&5
+echo "configure:17791: checking for Berkeley DB link (-ldb2)" >&5
if eval "test \"\${ol_cv_db_db2+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
LIBS="$ol_DB_LIB $LTHREAD_LIBS $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 17806 "configure"
+#line 17801 "configure"
#include "confdefs.h"
#ifdef HAVE_DB_185_H
; return 0; }
EOF
-if { (eval echo configure:17853: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:17848: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
ol_cv_db_db2=yes
else
if test $ol_cv_lib_db = no ; then
echo $ac_n "checking for Berkeley DB link (-ldb-2)""... $ac_c" 1>&6
-echo "configure:17877: checking for Berkeley DB link (-ldb-2)" >&5
+echo "configure:17872: checking for Berkeley DB link (-ldb-2)" >&5
if eval "test \"\${ol_cv_db_db_2+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
LIBS="$ol_DB_LIB $LTHREAD_LIBS $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 17887 "configure"
+#line 17882 "configure"
#include "confdefs.h"
#ifdef HAVE_DB_185_H
; return 0; }
EOF
-if { (eval echo configure:17934: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:17929: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
ol_cv_db_db_2=yes
else
if test $ol_cv_lib_db = no ; then
echo $ac_n "checking for Berkeley DB link (-ldb1)""... $ac_c" 1>&6
-echo "configure:17958: checking for Berkeley DB link (-ldb1)" >&5
+echo "configure:17953: checking for Berkeley DB link (-ldb1)" >&5
if eval "test \"\${ol_cv_db_db1+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
LIBS="$ol_DB_LIB $LTHREAD_LIBS $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 17968 "configure"
+#line 17963 "configure"
#include "confdefs.h"
#ifdef HAVE_DB_185_H
; return 0; }
EOF
-if { (eval echo configure:18015: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:18010: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
ol_cv_db_db1=yes
else
if test $ol_cv_lib_db = no ; then
echo $ac_n "checking for Berkeley DB link (-ldb-1)""... $ac_c" 1>&6
-echo "configure:18039: checking for Berkeley DB link (-ldb-1)" >&5
+echo "configure:18034: checking for Berkeley DB link (-ldb-1)" >&5
if eval "test \"\${ol_cv_db_db_1+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
LIBS="$ol_DB_LIB $LTHREAD_LIBS $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 18049 "configure"
+#line 18044 "configure"
#include "confdefs.h"
#ifdef HAVE_DB_185_H
; return 0; }
EOF
-if { (eval echo configure:18096: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:18091: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
ol_cv_db_db_1=yes
else
do
ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
-echo "configure:18131: checking for $ac_hdr" >&5
+echo "configure:18126: checking for $ac_hdr" >&5
if eval "test \"\${ac_cv_header_$ac_safe+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 18136 "configure"
+#line 18131 "configure"
#include "confdefs.h"
#include <$ac_hdr>
EOF
ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:18141: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:18136: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
if test -z "$ac_err"; then
rm -rf conftest*
ol_cv_lib_db=no
if test $ol_cv_lib_db = no ; then
echo $ac_n "checking for Berkeley DB link (default)""... $ac_c" 1>&6
-echo "configure:18171: checking for Berkeley DB link (default)" >&5
+echo "configure:18166: checking for Berkeley DB link (default)" >&5
if eval "test \"\${ol_cv_db_none+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
LIBS="$ol_DB_LIB $LTHREAD_LIBS $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 18181 "configure"
+#line 18176 "configure"
#include "confdefs.h"
#ifdef HAVE_DB_185_H
; return 0; }
EOF
-if { (eval echo configure:18228: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:18223: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
ol_cv_db_none=yes
else
if test $ol_cv_lib_db = no ; then
echo $ac_n "checking for Berkeley DB link (-ldb42)""... $ac_c" 1>&6
-echo "configure:18252: checking for Berkeley DB link (-ldb42)" >&5
+echo "configure:18247: checking for Berkeley DB link (-ldb42)" >&5
if eval "test \"\${ol_cv_db_db42+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
LIBS="$ol_DB_LIB $LTHREAD_LIBS $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 18262 "configure"
+#line 18257 "configure"
#include "confdefs.h"
#ifdef HAVE_DB_185_H
; return 0; }
EOF
-if { (eval echo configure:18309: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:18304: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
ol_cv_db_db42=yes
else
if test $ol_cv_lib_db = no ; then
echo $ac_n "checking for Berkeley DB link (-ldb-42)""... $ac_c" 1>&6
-echo "configure:18333: checking for Berkeley DB link (-ldb-42)" >&5
+echo "configure:18328: checking for Berkeley DB link (-ldb-42)" >&5
if eval "test \"\${ol_cv_db_db_42+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
LIBS="$ol_DB_LIB $LTHREAD_LIBS $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 18343 "configure"
+#line 18338 "configure"
#include "confdefs.h"
#ifdef HAVE_DB_185_H
; return 0; }
EOF
-if { (eval echo configure:18390: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:18385: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
ol_cv_db_db_42=yes
else
if test $ol_cv_lib_db = no ; then
echo $ac_n "checking for Berkeley DB link (-ldb-4.2)""... $ac_c" 1>&6
-echo "configure:18414: checking for Berkeley DB link (-ldb-4.2)" >&5
+echo "configure:18409: checking for Berkeley DB link (-ldb-4.2)" >&5
if eval "test \"\${ol_cv_db_db_4_dot_2+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
LIBS="$ol_DB_LIB $LTHREAD_LIBS $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 18424 "configure"
+#line 18419 "configure"
#include "confdefs.h"
#ifdef HAVE_DB_185_H
; return 0; }
EOF
-if { (eval echo configure:18471: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:18466: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
ol_cv_db_db_4_dot_2=yes
else
if test $ol_cv_lib_db = no ; then
echo $ac_n "checking for Berkeley DB link (-ldb-4-2)""... $ac_c" 1>&6
-echo "configure:18495: checking for Berkeley DB link (-ldb-4-2)" >&5
+echo "configure:18490: checking for Berkeley DB link (-ldb-4-2)" >&5
if eval "test \"\${ol_cv_db_db_4_2+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
LIBS="$ol_DB_LIB $LTHREAD_LIBS $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 18505 "configure"
+#line 18500 "configure"
#include "confdefs.h"
#ifdef HAVE_DB_185_H
; return 0; }
EOF
-if { (eval echo configure:18552: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:18547: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
ol_cv_db_db_4_2=yes
else
if test $ol_cv_lib_db = no ; then
echo $ac_n "checking for Berkeley DB link (-ldb-4)""... $ac_c" 1>&6
-echo "configure:18576: checking for Berkeley DB link (-ldb-4)" >&5
+echo "configure:18571: checking for Berkeley DB link (-ldb-4)" >&5
if eval "test \"\${ol_cv_db_db_4+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
LIBS="$ol_DB_LIB $LTHREAD_LIBS $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 18586 "configure"
+#line 18581 "configure"
#include "confdefs.h"
#ifdef HAVE_DB_185_H
; return 0; }
EOF
-if { (eval echo configure:18633: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:18628: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
ol_cv_db_db_4=yes
else
if test $ol_cv_lib_db = no ; then
echo $ac_n "checking for Berkeley DB link (-ldb4)""... $ac_c" 1>&6
-echo "configure:18657: checking for Berkeley DB link (-ldb4)" >&5
+echo "configure:18652: checking for Berkeley DB link (-ldb4)" >&5
if eval "test \"\${ol_cv_db_db4+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
LIBS="$ol_DB_LIB $LTHREAD_LIBS $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 18667 "configure"
+#line 18662 "configure"
#include "confdefs.h"
#ifdef HAVE_DB_185_H
; return 0; }
EOF
-if { (eval echo configure:18714: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:18709: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
ol_cv_db_db4=yes
else
fi
if test $ol_cv_lib_db = no ; then
- echo $ac_n "checking for Berkeley DB link (-ldb41)""... $ac_c" 1>&6
-echo "configure:18738: checking for Berkeley DB link (-ldb41)" >&5
-if eval "test \"\${ol_cv_db_db41+set}\" = set"; then
+ echo $ac_n "checking for Berkeley DB link (-ldb)""... $ac_c" 1>&6
+echo "configure:18733: checking for Berkeley DB link (-ldb)" >&5
+if eval "test \"\${ol_cv_db_db+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
- ol_DB_LIB=-ldb41
+ ol_DB_LIB=-ldb
ol_LIBS=$LIBS
LIBS="$ol_DB_LIB $LTHREAD_LIBS $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 18748 "configure"
+#line 18743 "configure"
#include "confdefs.h"
#ifdef HAVE_DB_185_H
; return 0; }
EOF
-if { (eval echo configure:18795: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:18790: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
- ol_cv_db_db41=yes
+ ol_cv_db_db=yes
else
echo "configure: failed program was:" >&5
cat conftest.$ac_ext >&5
rm -rf conftest*
- ol_cv_db_db41=no
+ ol_cv_db_db=no
fi
rm -f conftest*
fi
-echo "$ac_t""$ol_cv_db_db41" 1>&6
+echo "$ac_t""$ol_cv_db_db" 1>&6
- if test $ol_cv_db_db41 = yes ; then
- ol_cv_lib_db=-ldb41
+ if test $ol_cv_db_db = yes ; then
+ ol_cv_lib_db=-ldb
fi
fi
if test $ol_cv_lib_db = no ; then
- echo $ac_n "checking for Berkeley DB link (-ldb-41)""... $ac_c" 1>&6
-echo "configure:18819: checking for Berkeley DB link (-ldb-41)" >&5
-if eval "test \"\${ol_cv_db_db_41+set}\" = set"; then
+ echo $ac_n "checking for Berkeley DB link (-ldb41)""... $ac_c" 1>&6
+echo "configure:18814: checking for Berkeley DB link (-ldb41)" >&5
+if eval "test \"\${ol_cv_db_db41+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
- ol_DB_LIB=-ldb-41
+ ol_DB_LIB=-ldb41
ol_LIBS=$LIBS
LIBS="$ol_DB_LIB $LTHREAD_LIBS $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 18829 "configure"
+#line 18824 "configure"
#include "confdefs.h"
#ifdef HAVE_DB_185_H
; return 0; }
EOF
-if { (eval echo configure:18876: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:18871: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
- ol_cv_db_db_41=yes
+ ol_cv_db_db41=yes
else
echo "configure: failed program was:" >&5
cat conftest.$ac_ext >&5
rm -rf conftest*
- ol_cv_db_db_41=no
+ ol_cv_db_db41=no
fi
rm -f conftest*
fi
-echo "$ac_t""$ol_cv_db_db_41" 1>&6
+echo "$ac_t""$ol_cv_db_db41" 1>&6
- if test $ol_cv_db_db_41 = yes ; then
- ol_cv_lib_db=-ldb-41
+ if test $ol_cv_db_db41 = yes ; then
+ ol_cv_lib_db=-ldb41
fi
fi
if test $ol_cv_lib_db = no ; then
- echo $ac_n "checking for Berkeley DB link (-ldb-4.1)""... $ac_c" 1>&6
-echo "configure:18900: checking for Berkeley DB link (-ldb-4.1)" >&5
-if eval "test \"\${ol_cv_db_db_4_dot_1+set}\" = set"; then
+ echo $ac_n "checking for Berkeley DB link (-ldb-41)""... $ac_c" 1>&6
+echo "configure:18895: checking for Berkeley DB link (-ldb-41)" >&5
+if eval "test \"\${ol_cv_db_db_41+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
- ol_DB_LIB=-ldb-4.1
+ ol_DB_LIB=-ldb-41
ol_LIBS=$LIBS
LIBS="$ol_DB_LIB $LTHREAD_LIBS $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 18910 "configure"
+#line 18905 "configure"
#include "confdefs.h"
#ifdef HAVE_DB_185_H
; return 0; }
EOF
-if { (eval echo configure:18957: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:18952: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
- ol_cv_db_db_4_dot_1=yes
+ ol_cv_db_db_41=yes
else
echo "configure: failed program was:" >&5
cat conftest.$ac_ext >&5
rm -rf conftest*
- ol_cv_db_db_4_dot_1=no
-fi
-rm -f conftest*
-
- LIBS="$ol_LIBS"
-
-fi
-
-echo "$ac_t""$ol_cv_db_db_4_dot_1" 1>&6
-
- if test $ol_cv_db_db_4_dot_1 = yes ; then
- ol_cv_lib_db=-ldb-4.1
- fi
-fi
-
-if test $ol_cv_lib_db = no ; then
- echo $ac_n "checking for Berkeley DB link (-ldb-4-1)""... $ac_c" 1>&6
-echo "configure:18981: checking for Berkeley DB link (-ldb-4-1)" >&5
-if eval "test \"\${ol_cv_db_db_4_1+set}\" = set"; then
- echo $ac_n "(cached) $ac_c" 1>&6
-else
-
- ol_DB_LIB=-ldb-4-1
- ol_LIBS=$LIBS
- LIBS="$ol_DB_LIB $LTHREAD_LIBS $LIBS"
-
- cat > conftest.$ac_ext <<EOF
-#line 18991 "configure"
-#include "confdefs.h"
-
-#ifdef HAVE_DB_185_H
-# include <db_185.h>
-#else
-# include <db.h>
-#endif
-
-#ifndef DB_VERSION_MAJOR
-# define DB_VERSION_MAJOR 1
-#endif
-
-#ifndef NULL
-#define NULL ((void*)0)
-#endif
-
-int main() {
-
-#if DB_VERSION_MAJOR > 1
- {
- char *version;
- int major, minor, patch;
-
- version = db_version( &major, &minor, &patch );
-
- if( major != DB_VERSION_MAJOR ||
- minor < DB_VERSION_MINOR )
- {
- printf("Berkeley DB version mismatch\n"
- "\texpected: %s\n\tgot: %s\n",
- DB_VERSION_STRING, version);
- return 1;
- }
- }
-#endif
-
-#if DB_VERSION_MAJOR > 2
- db_env_create( NULL, 0 );
-#elif DB_VERSION_MAJOR > 1
- db_appexit( NULL );
-#else
- (void) dbopen( NULL, 0, 0, 0, NULL);
-#endif
-
-; return 0; }
-EOF
-if { (eval echo configure:19038: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
- rm -rf conftest*
- ol_cv_db_db_4_1=yes
-else
- echo "configure: failed program was:" >&5
- cat conftest.$ac_ext >&5
- rm -rf conftest*
- ol_cv_db_db_4_1=no
+ ol_cv_db_db_41=no
fi
rm -f conftest*
fi
-echo "$ac_t""$ol_cv_db_db_4_1" 1>&6
+echo "$ac_t""$ol_cv_db_db_41" 1>&6
- if test $ol_cv_db_db_4_1 = yes ; then
- ol_cv_lib_db=-ldb-4-1
+ if test $ol_cv_db_db_41 = yes ; then
+ ol_cv_lib_db=-ldb-41
fi
fi
if test $ol_cv_lib_db = no ; then
- echo $ac_n "checking for Berkeley DB link (-ldb-4)""... $ac_c" 1>&6
-echo "configure:19062: checking for Berkeley DB link (-ldb-4)" >&5
-if eval "test \"\${ol_cv_db_db_4+set}\" = set"; then
+ echo $ac_n "checking for Berkeley DB link (-ldb-4.1)""... $ac_c" 1>&6
+echo "configure:18976: checking for Berkeley DB link (-ldb-4.1)" >&5
+if eval "test \"\${ol_cv_db_db_4_dot_1+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
- ol_DB_LIB=-ldb-4
+ ol_DB_LIB=-ldb-4.1
ol_LIBS=$LIBS
LIBS="$ol_DB_LIB $LTHREAD_LIBS $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 19072 "configure"
+#line 18986 "configure"
#include "confdefs.h"
#ifdef HAVE_DB_185_H
; return 0; }
EOF
-if { (eval echo configure:19119: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:19033: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
- ol_cv_db_db_4=yes
+ ol_cv_db_db_4_dot_1=yes
else
echo "configure: failed program was:" >&5
cat conftest.$ac_ext >&5
rm -rf conftest*
- ol_cv_db_db_4=no
+ ol_cv_db_db_4_dot_1=no
fi
rm -f conftest*
fi
-echo "$ac_t""$ol_cv_db_db_4" 1>&6
+echo "$ac_t""$ol_cv_db_db_4_dot_1" 1>&6
- if test $ol_cv_db_db_4 = yes ; then
- ol_cv_lib_db=-ldb-4
+ if test $ol_cv_db_db_4_dot_1 = yes ; then
+ ol_cv_lib_db=-ldb-4.1
fi
fi
if test $ol_cv_lib_db = no ; then
- echo $ac_n "checking for Berkeley DB link (-ldb)""... $ac_c" 1>&6
-echo "configure:19143: checking for Berkeley DB link (-ldb)" >&5
-if eval "test \"\${ol_cv_db_db+set}\" = set"; then
+ echo $ac_n "checking for Berkeley DB link (-ldb-4-1)""... $ac_c" 1>&6
+echo "configure:19057: checking for Berkeley DB link (-ldb-4-1)" >&5
+if eval "test \"\${ol_cv_db_db_4_1+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
- ol_DB_LIB=-ldb
+ ol_DB_LIB=-ldb-4-1
ol_LIBS=$LIBS
LIBS="$ol_DB_LIB $LTHREAD_LIBS $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 19153 "configure"
+#line 19067 "configure"
#include "confdefs.h"
#ifdef HAVE_DB_185_H
; return 0; }
EOF
-if { (eval echo configure:19200: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:19114: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
- ol_cv_db_db=yes
+ ol_cv_db_db_4_1=yes
else
echo "configure: failed program was:" >&5
cat conftest.$ac_ext >&5
rm -rf conftest*
- ol_cv_db_db=no
+ ol_cv_db_db_4_1=no
fi
rm -f conftest*
fi
-echo "$ac_t""$ol_cv_db_db" 1>&6
+echo "$ac_t""$ol_cv_db_db_4_1" 1>&6
- if test $ol_cv_db_db = yes ; then
- ol_cv_lib_db=-ldb
+ if test $ol_cv_db_db_4_1 = yes ; then
+ ol_cv_lib_db=-ldb-4-1
fi
fi
if test $ol_cv_lib_db = no ; then
echo $ac_n "checking for Berkeley DB link (-ldb3)""... $ac_c" 1>&6
-echo "configure:19224: checking for Berkeley DB link (-ldb3)" >&5
+echo "configure:19138: checking for Berkeley DB link (-ldb3)" >&5
if eval "test \"\${ol_cv_db_db3+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
LIBS="$ol_DB_LIB $LTHREAD_LIBS $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 19234 "configure"
+#line 19148 "configure"
#include "confdefs.h"
#ifdef HAVE_DB_185_H
; return 0; }
EOF
-if { (eval echo configure:19281: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:19195: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
ol_cv_db_db3=yes
else
if test $ol_cv_lib_db = no ; then
echo $ac_n "checking for Berkeley DB link (-ldb-3)""... $ac_c" 1>&6
-echo "configure:19305: checking for Berkeley DB link (-ldb-3)" >&5
+echo "configure:19219: checking for Berkeley DB link (-ldb-3)" >&5
if eval "test \"\${ol_cv_db_db_3+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
LIBS="$ol_DB_LIB $LTHREAD_LIBS $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 19315 "configure"
+#line 19229 "configure"
#include "confdefs.h"
#ifdef HAVE_DB_185_H
; return 0; }
EOF
-if { (eval echo configure:19362: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:19276: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
ol_cv_db_db_3=yes
else
if test $ol_cv_lib_db = no ; then
echo $ac_n "checking for Berkeley DB link (-ldb2)""... $ac_c" 1>&6
-echo "configure:19386: checking for Berkeley DB link (-ldb2)" >&5
+echo "configure:19300: checking for Berkeley DB link (-ldb2)" >&5
if eval "test \"\${ol_cv_db_db2+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
LIBS="$ol_DB_LIB $LTHREAD_LIBS $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 19396 "configure"
+#line 19310 "configure"
#include "confdefs.h"
#ifdef HAVE_DB_185_H
; return 0; }
EOF
-if { (eval echo configure:19443: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:19357: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
ol_cv_db_db2=yes
else
if test $ol_cv_lib_db = no ; then
echo $ac_n "checking for Berkeley DB link (-ldb-2)""... $ac_c" 1>&6
-echo "configure:19467: checking for Berkeley DB link (-ldb-2)" >&5
+echo "configure:19381: checking for Berkeley DB link (-ldb-2)" >&5
if eval "test \"\${ol_cv_db_db_2+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
LIBS="$ol_DB_LIB $LTHREAD_LIBS $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 19477 "configure"
+#line 19391 "configure"
#include "confdefs.h"
#ifdef HAVE_DB_185_H
; return 0; }
EOF
-if { (eval echo configure:19524: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:19438: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
ol_cv_db_db_2=yes
else
if test $ol_cv_lib_db = no ; then
echo $ac_n "checking for Berkeley DB link (-ldb1)""... $ac_c" 1>&6
-echo "configure:19548: checking for Berkeley DB link (-ldb1)" >&5
+echo "configure:19462: checking for Berkeley DB link (-ldb1)" >&5
if eval "test \"\${ol_cv_db_db1+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
LIBS="$ol_DB_LIB $LTHREAD_LIBS $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 19558 "configure"
+#line 19472 "configure"
#include "confdefs.h"
#ifdef HAVE_DB_185_H
; return 0; }
EOF
-if { (eval echo configure:19605: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:19519: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
ol_cv_db_db1=yes
else
if test $ol_cv_lib_db = no ; then
echo $ac_n "checking for Berkeley DB link (-ldb-1)""... $ac_c" 1>&6
-echo "configure:19629: checking for Berkeley DB link (-ldb-1)" >&5
+echo "configure:19543: checking for Berkeley DB link (-ldb-1)" >&5
if eval "test \"\${ol_cv_db_db_1+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
LIBS="$ol_DB_LIB $LTHREAD_LIBS $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 19639 "configure"
+#line 19553 "configure"
#include "confdefs.h"
#ifdef HAVE_DB_185_H
; return 0; }
EOF
-if { (eval echo configure:19686: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:19600: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
ol_cv_db_db_1=yes
else
if test "$ol_cv_lib_db" != no ; then
ol_cv_berkeley_db=yes
echo $ac_n "checking for Berkeley DB thread support""... $ac_c" 1>&6
-echo "configure:19712: checking for Berkeley DB thread support" >&5
+echo "configure:19626: checking for Berkeley DB thread support" >&5
if eval "test \"\${ol_cv_berkeley_db_thread+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
ol_cv_berkeley_db_thread=cross
else
cat > conftest.$ac_ext <<EOF
-#line 19727 "configure"
+#line 19641 "configure"
#include "confdefs.h"
#ifdef HAVE_DB_185_H
return rc;
}
EOF
-if { (eval echo configure:19794: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+if { (eval echo configure:19708: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
then
ol_cv_berkeley_db_thread=yes
else
{ echo "configure: error: BDB: BerkeleyDB not available" 1>&2; exit 1; }
elif test $ol_enable_bdb != no -a $ol_link_ldbm = berkeley ; then
echo $ac_n "checking Berkeley DB version for BDB backend""... $ac_c" 1>&6
-echo "configure:19856: checking Berkeley DB version for BDB backend" >&5
+echo "configure:19770: checking Berkeley DB version for BDB backend" >&5
if eval "test \"\${ol_cv_bdb_compat+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 19862 "configure"
+#line 19776 "configure"
#include "confdefs.h"
#include <db.h>
if test $ol_with_ldbm_api = auto -o $ol_with_ldbm_api = mdbm ; then
echo $ac_n "checking for MDBM library""... $ac_c" 1>&6
-echo "configure:19915: checking for MDBM library" >&5
+echo "configure:19829: checking for MDBM library" >&5
if eval "test \"\${ol_cv_lib_mdbm+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
ol_LIBS="$LIBS"
echo $ac_n "checking for mdbm_set_chain""... $ac_c" 1>&6
-echo "configure:19921: checking for mdbm_set_chain" >&5
+echo "configure:19835: checking for mdbm_set_chain" >&5
if eval "test \"\${ac_cv_func_mdbm_set_chain+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 19926 "configure"
+#line 19840 "configure"
#include "confdefs.h"
/* System header to define __stub macros and hopefully few prototypes,
which can conflict with char mdbm_set_chain(); below. */
; return 0; }
EOF
-if { (eval echo configure:19950: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:19864: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_func_mdbm_set_chain=yes"
else
echo "$ac_t""no" 1>&6
echo $ac_n "checking for mdbm_set_chain in -lmdbm""... $ac_c" 1>&6
-echo "configure:19969: checking for mdbm_set_chain in -lmdbm" >&5
+echo "configure:19883: checking for mdbm_set_chain in -lmdbm" >&5
ac_lib_var=`echo mdbm'_'mdbm_set_chain | sed 'y%./+-:%__p__%'`
if eval "test \"\${ac_cv_lib_$ac_lib_var+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
ac_save_LIBS="$LIBS"
LIBS="-lmdbm $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 19977 "configure"
+#line 19891 "configure"
#include "confdefs.h"
/* Override any gcc2 internal prototype to avoid an error. */
/* We use char because int might match the return type of a gcc2
mdbm_set_chain()
; return 0; }
EOF
-if { (eval echo configure:19988: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:19902: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_lib_$ac_lib_var=yes"
else
do
ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
-echo "configure:20023: checking for $ac_hdr" >&5
+echo "configure:19937: checking for $ac_hdr" >&5
if eval "test \"\${ac_cv_header_$ac_safe+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 20028 "configure"
+#line 19942 "configure"
#include "confdefs.h"
#include <$ac_hdr>
EOF
ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:20033: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:19947: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
if test -z "$ac_err"; then
rm -rf conftest*
done
echo $ac_n "checking for db""... $ac_c" 1>&6
-echo "configure:20060: checking for db" >&5
+echo "configure:19974: checking for db" >&5
if eval "test \"\${ol_cv_mdbm+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
if test $ol_with_ldbm_api = auto -o $ol_with_ldbm_api = gdbm ; then
echo $ac_n "checking for GDBM library""... $ac_c" 1>&6
-echo "configure:20093: checking for GDBM library" >&5
+echo "configure:20007: checking for GDBM library" >&5
if eval "test \"\${ol_cv_lib_gdbm+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
ol_LIBS="$LIBS"
echo $ac_n "checking for gdbm_open""... $ac_c" 1>&6
-echo "configure:20099: checking for gdbm_open" >&5
+echo "configure:20013: checking for gdbm_open" >&5
if eval "test \"\${ac_cv_func_gdbm_open+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 20104 "configure"
+#line 20018 "configure"
#include "confdefs.h"
/* System header to define __stub macros and hopefully few prototypes,
which can conflict with char gdbm_open(); below. */
; return 0; }
EOF
-if { (eval echo configure:20128: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:20042: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_func_gdbm_open=yes"
else
echo "$ac_t""no" 1>&6
echo $ac_n "checking for gdbm_open in -lgdbm""... $ac_c" 1>&6
-echo "configure:20147: checking for gdbm_open in -lgdbm" >&5
+echo "configure:20061: checking for gdbm_open in -lgdbm" >&5
ac_lib_var=`echo gdbm'_'gdbm_open | sed 'y%./+-:%__p__%'`
if eval "test \"\${ac_cv_lib_$ac_lib_var+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
ac_save_LIBS="$LIBS"
LIBS="-lgdbm $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 20155 "configure"
+#line 20069 "configure"
#include "confdefs.h"
/* Override any gcc2 internal prototype to avoid an error. */
/* We use char because int might match the return type of a gcc2
gdbm_open()
; return 0; }
EOF
-if { (eval echo configure:20166: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:20080: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_lib_$ac_lib_var=yes"
else
do
ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
-echo "configure:20201: checking for $ac_hdr" >&5
+echo "configure:20115: checking for $ac_hdr" >&5
if eval "test \"\${ac_cv_header_$ac_safe+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 20206 "configure"
+#line 20120 "configure"
#include "confdefs.h"
#include <$ac_hdr>
EOF
ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:20211: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:20125: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
if test -z "$ac_err"; then
rm -rf conftest*
done
echo $ac_n "checking for db""... $ac_c" 1>&6
-echo "configure:20238: checking for db" >&5
+echo "configure:20152: checking for db" >&5
if eval "test \"\${ol_cv_gdbm+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
if test $ol_with_ldbm_api = ndbm ; then
echo $ac_n "checking for NDBM library""... $ac_c" 1>&6
-echo "configure:20272: checking for NDBM library" >&5
+echo "configure:20186: checking for NDBM library" >&5
if eval "test \"\${ol_cv_lib_ndbm+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
ol_LIBS="$LIBS"
echo $ac_n "checking for dbm_open""... $ac_c" 1>&6
-echo "configure:20278: checking for dbm_open" >&5
+echo "configure:20192: checking for dbm_open" >&5
if eval "test \"\${ac_cv_func_dbm_open+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 20283 "configure"
+#line 20197 "configure"
#include "confdefs.h"
/* System header to define __stub macros and hopefully few prototypes,
which can conflict with char dbm_open(); below. */
; return 0; }
EOF
-if { (eval echo configure:20307: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:20221: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_func_dbm_open=yes"
else
echo "$ac_t""no" 1>&6
echo $ac_n "checking for dbm_open in -lndbm""... $ac_c" 1>&6
-echo "configure:20326: checking for dbm_open in -lndbm" >&5
+echo "configure:20240: checking for dbm_open in -lndbm" >&5
ac_lib_var=`echo ndbm'_'dbm_open | sed 'y%./+-:%__p__%'`
if eval "test \"\${ac_cv_lib_$ac_lib_var+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
ac_save_LIBS="$LIBS"
LIBS="-lndbm $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 20334 "configure"
+#line 20248 "configure"
#include "confdefs.h"
/* Override any gcc2 internal prototype to avoid an error. */
/* We use char because int might match the return type of a gcc2
dbm_open()
; return 0; }
EOF
-if { (eval echo configure:20345: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:20259: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_lib_$ac_lib_var=yes"
else
echo "$ac_t""no" 1>&6
echo $ac_n "checking for dbm_open in -ldbm""... $ac_c" 1>&6
-echo "configure:20365: checking for dbm_open in -ldbm" >&5
+echo "configure:20279: checking for dbm_open in -ldbm" >&5
ac_lib_var=`echo dbm'_'dbm_open | sed 'y%./+-:%__p__%'`
if eval "test \"\${ac_cv_lib_$ac_lib_var+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
ac_save_LIBS="$LIBS"
LIBS="-ldbm $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 20373 "configure"
+#line 20287 "configure"
#include "confdefs.h"
/* Override any gcc2 internal prototype to avoid an error. */
/* We use char because int might match the return type of a gcc2
dbm_open()
; return 0; }
EOF
-if { (eval echo configure:20384: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:20298: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_lib_$ac_lib_var=yes"
else
do
ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
-echo "configure:20421: checking for $ac_hdr" >&5
+echo "configure:20335: checking for $ac_hdr" >&5
if eval "test \"\${ac_cv_header_$ac_safe+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 20426 "configure"
+#line 20340 "configure"
#include "confdefs.h"
#include <$ac_hdr>
EOF
ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:20431: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:20345: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
if test -z "$ac_err"; then
rm -rf conftest*
done
echo $ac_n "checking for db""... $ac_c" 1>&6
-echo "configure:20458: checking for db" >&5
+echo "configure:20372: checking for db" >&5
if eval "test \"\${ol_cv_ndbm+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
do
ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
-echo "configure:20518: checking for $ac_hdr" >&5
+echo "configure:20432: checking for $ac_hdr" >&5
if eval "test \"\${ac_cv_header_$ac_safe+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 20523 "configure"
+#line 20437 "configure"
#include "confdefs.h"
#include <$ac_hdr>
EOF
ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:20528: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:20442: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
if test -z "$ac_err"; then
rm -rf conftest*
EOF
echo $ac_n "checking for TCP wrappers library""... $ac_c" 1>&6
-echo "configure:20550: checking for TCP wrappers library" >&5
+echo "configure:20464: checking for TCP wrappers library" >&5
save_LIBS="$LIBS"
LIBS="$LIBS -lwrap"
cat > conftest.$ac_ext <<EOF
-#line 20554 "configure"
+#line 20468 "configure"
#include "confdefs.h"
#include <tcpd.h>
; return 0; }
EOF
-if { (eval echo configure:20569: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:20483: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
echo "$ac_t""-lwrap" 1>&6
have_wrappers=yes
LIBS="$LIBS -lnsl"
cat > conftest.$ac_ext <<EOF
-#line 20581 "configure"
+#line 20495 "configure"
#include "confdefs.h"
#include <tcpd.h>
; return 0; }
EOF
-if { (eval echo configure:20596: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:20510: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
echo "$ac_t""-lwrap -lnsl" 1>&6
have_wrappers=yes
WRAP_LIBS="-lwrap"
elif test $ol_enable_wrappers = yes ; then
- { echo "configure: error: could not find TCP wrappers, select apppropriate options ore disable" 1>&2; exit 1; }
+ { echo "configure: error: could not find TCP wrappers, select apppropriate options or disable" 1>&2; exit 1; }
else
echo "configure: warning: could not find TCP wrappers, support disabled" 1>&2
WRAP_LIBS=""
if test $ol_enable_syslog != no ; then
echo $ac_n "checking for openlog""... $ac_c" 1>&6
-echo "configure:20636: checking for openlog" >&5
+echo "configure:20550: checking for openlog" >&5
if eval "test \"\${ac_cv_func_openlog+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 20641 "configure"
+#line 20555 "configure"
#include "confdefs.h"
/* System header to define __stub macros and hopefully few prototypes,
which can conflict with char openlog(); below. */
; return 0; }
EOF
-if { (eval echo configure:20665: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:20579: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_func_openlog=yes"
else
do
ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
-echo "configure:20697: checking for $ac_hdr" >&5
+echo "configure:20611: checking for $ac_hdr" >&5
if eval "test \"\${ac_cv_header_$ac_safe+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 20702 "configure"
+#line 20616 "configure"
#include "confdefs.h"
#include <$ac_hdr>
EOF
ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:20707: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:20621: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
if test -z "$ac_err"; then
rm -rf conftest*
echo $ac_n "checking for SQLDriverConnect in -liodbc""... $ac_c" 1>&6
-echo "configure:20737: checking for SQLDriverConnect in -liodbc" >&5
+echo "configure:20651: checking for SQLDriverConnect in -liodbc" >&5
ac_lib_var=`echo iodbc'_'SQLDriverConnect | sed 'y%./+-:%__p__%'`
if eval "test \"\${ac_cv_lib_$ac_lib_var+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
ac_save_LIBS="$LIBS"
LIBS="-liodbc $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 20745 "configure"
+#line 20659 "configure"
#include "confdefs.h"
/* Override any gcc2 internal prototype to avoid an error. */
/* We use char because int might match the return type of a gcc2
SQLDriverConnect()
; return 0; }
EOF
-if { (eval echo configure:20756: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:20670: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_lib_$ac_lib_var=yes"
else
ol_link_sql="-liodbc"
else
echo $ac_n "checking for SQLDriverConnect in -lodbc""... $ac_c" 1>&6
-echo "configure:20781: checking for SQLDriverConnect in -lodbc" >&5
+echo "configure:20695: checking for SQLDriverConnect in -lodbc" >&5
ac_lib_var=`echo odbc'_'SQLDriverConnect | sed 'y%./+-:%__p__%'`
if eval "test \"\${ac_cv_lib_$ac_lib_var+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
ac_save_LIBS="$LIBS"
LIBS="-lodbc $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 20789 "configure"
+#line 20703 "configure"
#include "confdefs.h"
/* Override any gcc2 internal prototype to avoid an error. */
/* We use char because int might match the return type of a gcc2
SQLDriverConnect()
; return 0; }
EOF
-if { (eval echo configure:20800: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:20714: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_lib_$ac_lib_var=yes"
else
fi
fi
-ol_link_termcap=no
-for ac_hdr in termcap.h ncurses.h
-do
-ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
-echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
-echo "configure:20839: checking for $ac_hdr" >&5
-if eval "test \"\${ac_cv_header_$ac_safe+set}\" = set"; then
- echo $ac_n "(cached) $ac_c" 1>&6
-else
- cat > conftest.$ac_ext <<EOF
-#line 20844 "configure"
-#include "confdefs.h"
-#include <$ac_hdr>
-EOF
-ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:20849: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
-ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
-if test -z "$ac_err"; then
- rm -rf conftest*
- eval "ac_cv_header_$ac_safe=yes"
-else
- echo "$ac_err" >&5
- echo "configure: failed program was:" >&5
- cat conftest.$ac_ext >&5
- rm -rf conftest*
- eval "ac_cv_header_$ac_safe=no"
-fi
-rm -f conftest*
-fi
-if eval "test \"`echo '$ac_cv_header_'$ac_safe`\" = yes"; then
- echo "$ac_t""yes" 1>&6
- ac_tr_hdr=HAVE_`echo $ac_hdr | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'`
- cat >> confdefs.h <<EOF
-#define $ac_tr_hdr 1
-EOF
-
-else
- echo "$ac_t""no" 1>&6
-fi
-done
-
-
-if test $ol_link_termcap = no ; then
- echo $ac_n "checking for tputs in -ltermcap""... $ac_c" 1>&6
-echo "configure:20878: checking for tputs in -ltermcap" >&5
-ac_lib_var=`echo termcap'_'tputs | sed 'y%./+-:%__p__%'`
-if eval "test \"\${ac_cv_lib_$ac_lib_var+set}\" = set"; then
- echo $ac_n "(cached) $ac_c" 1>&6
-else
- ac_save_LIBS="$LIBS"
-LIBS="-ltermcap $LIBS"
-cat > conftest.$ac_ext <<EOF
-#line 20886 "configure"
-#include "confdefs.h"
-/* Override any gcc2 internal prototype to avoid an error. */
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char tputs();
-
-int main() {
-tputs()
-; return 0; }
-EOF
-if { (eval echo configure:20897: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
- rm -rf conftest*
- eval "ac_cv_lib_$ac_lib_var=yes"
-else
- echo "configure: failed program was:" >&5
- cat conftest.$ac_ext >&5
- rm -rf conftest*
- eval "ac_cv_lib_$ac_lib_var=no"
-fi
-rm -f conftest*
-LIBS="$ac_save_LIBS"
-
-fi
-if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
- echo "$ac_t""yes" 1>&6
- have_termcap=yes
-else
- echo "$ac_t""no" 1>&6
-have_termcap=no
-fi
-
- if test $have_termcap = yes ; then
- cat >> confdefs.h <<\EOF
-#define HAVE_TERMCAP 1
-EOF
-
- ol_link_termcap=yes
- TERMCAP_LIBS=-ltermcap
- fi
-fi
-
-if test $ol_link_termcap = no ; then
- echo $ac_n "checking for initscr in -lncurses""... $ac_c" 1>&6
-echo "configure:20930: checking for initscr in -lncurses" >&5
-ac_lib_var=`echo ncurses'_'initscr | sed 'y%./+-:%__p__%'`
-if eval "test \"\${ac_cv_lib_$ac_lib_var+set}\" = set"; then
- echo $ac_n "(cached) $ac_c" 1>&6
-else
- ac_save_LIBS="$LIBS"
-LIBS="-lncurses $LIBS"
-cat > conftest.$ac_ext <<EOF
-#line 20938 "configure"
-#include "confdefs.h"
-/* Override any gcc2 internal prototype to avoid an error. */
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char initscr();
-
-int main() {
-initscr()
-; return 0; }
-EOF
-if { (eval echo configure:20949: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
- rm -rf conftest*
- eval "ac_cv_lib_$ac_lib_var=yes"
-else
- echo "configure: failed program was:" >&5
- cat conftest.$ac_ext >&5
- rm -rf conftest*
- eval "ac_cv_lib_$ac_lib_var=no"
-fi
-rm -f conftest*
-LIBS="$ac_save_LIBS"
-
-fi
-if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
- echo "$ac_t""yes" 1>&6
- have_ncurses=yes
-else
- echo "$ac_t""no" 1>&6
-have_ncurses=no
-fi
-
- if test $have_ncurses = yes ; then
- cat >> confdefs.h <<\EOF
-#define HAVE_NCURSES 1
-EOF
-
- ol_link_termcap=yes
- TERMCAP_LIBS=-lncurses
- fi
-fi
-
-if test $ol_link_termcap = no ; then
- cat >> confdefs.h <<\EOF
-#define NO_TERMCAP 1
-EOF
-
- TERMCAP_LIBS=
-fi
-
ol_link_sasl=no
ol_link_spasswd=no
if test $ol_with_cyrus_sasl != no ; then
do
ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
-echo "configure:20995: checking for $ac_hdr" >&5
+echo "configure:20755: checking for $ac_hdr" >&5
if eval "test \"\${ac_cv_header_$ac_safe+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 21000 "configure"
+#line 20760 "configure"
#include "confdefs.h"
#include <$ac_hdr>
EOF
ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:21005: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:20765: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
if test -z "$ac_err"; then
rm -rf conftest*
if test $ac_cv_header_sasl_sasl_h = yes -o $ac_cv_header_sasl_h = yes; then
echo $ac_n "checking for sasl_client_init in -lsasl2""... $ac_c" 1>&6
-echo "configure:21034: checking for sasl_client_init in -lsasl2" >&5
+echo "configure:20794: checking for sasl_client_init in -lsasl2" >&5
ac_lib_var=`echo sasl2'_'sasl_client_init | sed 'y%./+-:%__p__%'`
if eval "test \"\${ac_cv_lib_$ac_lib_var+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
ac_save_LIBS="$LIBS"
LIBS="-lsasl2 $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 21042 "configure"
+#line 20802 "configure"
#include "confdefs.h"
/* Override any gcc2 internal prototype to avoid an error. */
/* We use char because int might match the return type of a gcc2
sasl_client_init()
; return 0; }
EOF
-if { (eval echo configure:21053: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:20813: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_lib_$ac_lib_var=yes"
else
else
echo "$ac_t""no" 1>&6
echo $ac_n "checking for sasl_client_init in -lsasl""... $ac_c" 1>&6
-echo "configure:21072: checking for sasl_client_init in -lsasl" >&5
+echo "configure:20832: checking for sasl_client_init in -lsasl" >&5
ac_lib_var=`echo sasl'_'sasl_client_init | sed 'y%./+-:%__p__%'`
if eval "test \"\${ac_cv_lib_$ac_lib_var+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
ac_save_LIBS="$LIBS"
LIBS="-lsasl $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 21080 "configure"
+#line 20840 "configure"
#include "confdefs.h"
/* Override any gcc2 internal prototype to avoid an error. */
/* We use char because int might match the return type of a gcc2
sasl_client_init()
; return 0; }
EOF
-if { (eval echo configure:21091: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:20851: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_lib_$ac_lib_var=yes"
else
fi
else
echo $ac_n "checking Cyrus SASL library version""... $ac_c" 1>&6
-echo "configure:21127: checking Cyrus SASL library version" >&5
+echo "configure:20887: checking Cyrus SASL library version" >&5
if eval "test \"\${ol_cv_sasl_compat+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 21133 "configure"
+#line 20893 "configure"
#include "confdefs.h"
#ifdef HAVE_SASL_SASL_H
ac_save_LIBS="$LIBS"
LIBS="$LIBS $ol_link_sasl"
echo $ac_n "checking for sasl_version""... $ac_c" 1>&6
-echo "configure:21182: checking for sasl_version" >&5
+echo "configure:20942: checking for sasl_version" >&5
if eval "test \"\${ac_cv_func_sasl_version+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 21187 "configure"
+#line 20947 "configure"
#include "confdefs.h"
/* System header to define __stub macros and hopefully few prototypes,
which can conflict with char sasl_version(); below. */
; return 0; }
EOF
-if { (eval echo configure:21211: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:20971: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_func_sasl_version=yes"
else
ol_LIBS=$LIBS
LIBS="-lfetch -lcom_err $LIBS"
echo $ac_n "checking fetch(3) library""... $ac_c" 1>&6
-echo "configure:21270: checking fetch(3) library" >&5
+echo "configure:21030: checking fetch(3) library" >&5
if eval "test \"\${ol_cv_lib_fetch+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 21276 "configure"
+#line 21036 "configure"
#include "confdefs.h"
#include <sys/param.h>
struct url *u = fetchParseURL("file:///");
; return 0; }
EOF
-if { (eval echo configure:21286: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:21046: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
ol_cv_lib_fetch=yes
else
LIBS="$TLS_LIBS $LIBS"
echo $ac_n "checking for crypt""... $ac_c" 1>&6
-echo "configure:21323: checking for crypt" >&5
+echo "configure:21083: checking for crypt" >&5
if eval "test \"\${ac_cv_func_crypt+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 21328 "configure"
+#line 21088 "configure"
#include "confdefs.h"
/* System header to define __stub macros and hopefully few prototypes,
which can conflict with char crypt(); below. */
; return 0; }
EOF
-if { (eval echo configure:21352: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:21112: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_func_crypt=yes"
else
LIBS="$save_LIBS"
echo $ac_n "checking for crypt in -lcrypt""... $ac_c" 1>&6
-echo "configure:21372: checking for crypt in -lcrypt" >&5
+echo "configure:21132: checking for crypt in -lcrypt" >&5
ac_lib_var=`echo crypt'_'crypt | sed 'y%./+-:%__p__%'`
if eval "test \"\${ac_cv_lib_$ac_lib_var+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
ac_save_LIBS="$LIBS"
LIBS="-lcrypt $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 21380 "configure"
+#line 21140 "configure"
#include "confdefs.h"
/* Override any gcc2 internal prototype to avoid an error. */
/* We use char because int might match the return type of a gcc2
crypt()
; return 0; }
EOF
-if { (eval echo configure:21391: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:21151: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_lib_$ac_lib_var=yes"
else
if test $ol_enable_proctitle != no ; then
echo $ac_n "checking for setproctitle""... $ac_c" 1>&6
-echo "configure:21436: checking for setproctitle" >&5
+echo "configure:21196: checking for setproctitle" >&5
if eval "test \"\${ac_cv_func_setproctitle+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 21441 "configure"
+#line 21201 "configure"
#include "confdefs.h"
/* System header to define __stub macros and hopefully few prototypes,
which can conflict with char setproctitle(); below. */
; return 0; }
EOF
-if { (eval echo configure:21465: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:21225: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_func_setproctitle=yes"
else
echo "$ac_t""no" 1>&6
echo $ac_n "checking for setproctitle in -lutil""... $ac_c" 1>&6
-echo "configure:21484: checking for setproctitle in -lutil" >&5
+echo "configure:21244: checking for setproctitle in -lutil" >&5
ac_lib_var=`echo util'_'setproctitle | sed 'y%./+-:%__p__%'`
if eval "test \"\${ac_cv_lib_$ac_lib_var+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
ac_save_LIBS="$LIBS"
LIBS="-lutil $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 21492 "configure"
+#line 21252 "configure"
#include "confdefs.h"
/* Override any gcc2 internal prototype to avoid an error. */
/* We use char because int might match the return type of a gcc2
setproctitle()
; return 0; }
EOF
-if { (eval echo configure:21503: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:21263: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_lib_$ac_lib_var=yes"
else
do
ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
-echo "configure:21543: checking for $ac_hdr" >&5
+echo "configure:21303: checking for $ac_hdr" >&5
if eval "test \"\${ac_cv_header_$ac_safe+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 21548 "configure"
+#line 21308 "configure"
#include "confdefs.h"
#include <$ac_hdr>
EOF
ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:21553: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:21313: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
if test -z "$ac_err"; then
rm -rf conftest*
if test $ac_cv_header_slp_h = yes ; then
echo $ac_n "checking for SLPOpen in -lslp""... $ac_c" 1>&6
-echo "configure:21582: checking for SLPOpen in -lslp" >&5
+echo "configure:21342: checking for SLPOpen in -lslp" >&5
ac_lib_var=`echo slp'_'SLPOpen | sed 'y%./+-:%__p__%'`
if eval "test \"\${ac_cv_lib_$ac_lib_var+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
ac_save_LIBS="$LIBS"
LIBS="-lslp $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 21590 "configure"
+#line 21350 "configure"
#include "confdefs.h"
/* Override any gcc2 internal prototype to avoid an error. */
/* We use char because int might match the return type of a gcc2
SLPOpen()
; return 0; }
EOF
-if { (eval echo configure:21601: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:21361: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_lib_$ac_lib_var=yes"
else
echo $ac_n "checking long long""... $ac_c" 1>&6
-echo "configure:21637: checking long long" >&5
+echo "configure:21397: checking long long" >&5
if eval "test \"\${ol_cv_type_long_long+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 21643 "configure"
+#line 21403 "configure"
#include "confdefs.h"
int main() {
long long x;
; return 0; }
EOF
-if { (eval echo configure:21650: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:21410: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
rm -rf conftest*
ol_cv_type_long_long=yes
else
fi
echo $ac_n "checking for ANSI C header files""... $ac_c" 1>&6
-echo "configure:21671: checking for ANSI C header files" >&5
+echo "configure:21431: checking for ANSI C header files" >&5
if eval "test \"\${ac_cv_header_stdc+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 21676 "configure"
+#line 21436 "configure"
#include "confdefs.h"
#include <stdlib.h>
#include <stdarg.h>
#include <float.h>
EOF
ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:21684: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:21444: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
if test -z "$ac_err"; then
rm -rf conftest*
if test $ac_cv_header_stdc = yes; then
# SunOS 4.x string.h does not declare mem*, contrary to ANSI.
cat > conftest.$ac_ext <<EOF
-#line 21701 "configure"
+#line 21461 "configure"
#include "confdefs.h"
#include <string.h>
EOF
if test $ac_cv_header_stdc = yes; then
# ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI.
cat > conftest.$ac_ext <<EOF
-#line 21719 "configure"
+#line 21479 "configure"
#include "confdefs.h"
#include <stdlib.h>
EOF
:
else
cat > conftest.$ac_ext <<EOF
-#line 21740 "configure"
+#line 21500 "configure"
#include "confdefs.h"
#include <ctype.h>
#if ((' ' & 0x0FF) == 0x020)
exit (0); }
EOF
-if { (eval echo configure:21758: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+if { (eval echo configure:21518: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
then
:
else
fi
echo $ac_n "checking for mode_t""... $ac_c" 1>&6
-echo "configure:21782: checking for mode_t" >&5
+echo "configure:21542: checking for mode_t" >&5
if eval "test \"\${ac_cv_type_mode_t+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 21787 "configure"
+#line 21547 "configure"
#include "confdefs.h"
#include <sys/types.h>
#if STDC_HEADERS
fi
echo $ac_n "checking for off_t""... $ac_c" 1>&6
-echo "configure:21818: checking for off_t" >&5
+echo "configure:21578: checking for off_t" >&5
if eval "test \"\${ac_cv_type_off_t+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 21823 "configure"
+#line 21583 "configure"
#include "confdefs.h"
#include <sys/types.h>
#if STDC_HEADERS
fi
echo $ac_n "checking for pid_t""... $ac_c" 1>&6
-echo "configure:21854: checking for pid_t" >&5
+echo "configure:21614: checking for pid_t" >&5
if eval "test \"\${ac_cv_type_pid_t+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 21859 "configure"
+#line 21619 "configure"
#include "confdefs.h"
#include <sys/types.h>
#if STDC_HEADERS
fi
echo $ac_n "checking for ptrdiff_t""... $ac_c" 1>&6
-echo "configure:21890: checking for ptrdiff_t" >&5
+echo "configure:21650: checking for ptrdiff_t" >&5
if eval "test \"\${am_cv_type_ptrdiff_t+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 21895 "configure"
+#line 21655 "configure"
#include "confdefs.h"
#include <stddef.h>
int main() {
ptrdiff_t p
; return 0; }
EOF
-if { (eval echo configure:21902: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:21662: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
rm -rf conftest*
am_cv_type_ptrdiff_t=yes
else
fi
echo $ac_n "checking return type of signal handlers""... $ac_c" 1>&6
-echo "configure:21923: checking return type of signal handlers" >&5
+echo "configure:21683: checking return type of signal handlers" >&5
if eval "test \"\${ac_cv_type_signal+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 21928 "configure"
+#line 21688 "configure"
#include "confdefs.h"
#include <sys/types.h>
#include <signal.h>
int i;
; return 0; }
EOF
-if { (eval echo configure:21945: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:21705: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
rm -rf conftest*
ac_cv_type_signal=void
else
echo $ac_n "checking for size_t""... $ac_c" 1>&6
-echo "configure:21964: checking for size_t" >&5
+echo "configure:21724: checking for size_t" >&5
if eval "test \"\${ac_cv_type_size_t+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 21969 "configure"
+#line 21729 "configure"
#include "confdefs.h"
#include <sys/types.h>
#if STDC_HEADERS
echo $ac_n "checking for ssize_t""... $ac_c" 1>&6
-echo "configure:22001: checking for ssize_t" >&5
+echo "configure:21761: checking for ssize_t" >&5
if eval "test \"\${ac_cv_type_ssize_t+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 22006 "configure"
+#line 21766 "configure"
#include "confdefs.h"
#include <sys/types.h>
#if STDC_HEADERS
fi
echo $ac_n "checking for caddr_t""... $ac_c" 1>&6
-echo "configure:22037: checking for caddr_t" >&5
+echo "configure:21797: checking for caddr_t" >&5
if eval "test \"\${ac_cv_type_caddr_t+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 22042 "configure"
+#line 21802 "configure"
#include "confdefs.h"
#include <sys/types.h>
#if STDC_HEADERS
echo $ac_n "checking for socklen_t""... $ac_c" 1>&6
-echo "configure:22074: checking for socklen_t" >&5
+echo "configure:21834: checking for socklen_t" >&5
if eval "test \"\${ol_cv_type_socklen_t+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 22079 "configure"
+#line 21839 "configure"
#include "confdefs.h"
#ifdef HAVE_SYS_TYPES_H
socklen_t len;
; return 0; }
EOF
-if { (eval echo configure:22093: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:21853: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
rm -rf conftest*
ol_cv_type_socklen_t=yes
else
fi
echo $ac_n "checking for member st_blksize in aggregate type struct stat""... $ac_c" 1>&6
-echo "configure:22114: checking for member st_blksize in aggregate type struct stat" >&5
+echo "configure:21874: checking for member st_blksize in aggregate type struct stat" >&5
if eval "test \"\${ac_cv_c_struct_member_st_blksize+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 22119 "configure"
+#line 21879 "configure"
#include "confdefs.h"
#include <sys/types.h>
#include <sys/stat.h>
struct stat foo; foo.st_blksize;
; return 0; }
EOF
-if { (eval echo configure:22127: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:21887: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
rm -rf conftest*
ac_cv_c_struct_member_st_blksize=yes
else
fi
echo $ac_n "checking whether time.h and sys/time.h may both be included""... $ac_c" 1>&6
-echo "configure:22149: checking whether time.h and sys/time.h may both be included" >&5
+echo "configure:21909: checking whether time.h and sys/time.h may both be included" >&5
if eval "test \"\${ac_cv_header_time+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 22154 "configure"
+#line 21914 "configure"
#include "confdefs.h"
#include <sys/types.h>
#include <sys/time.h>
struct tm *tp;
; return 0; }
EOF
-if { (eval echo configure:22163: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:21923: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
rm -rf conftest*
ac_cv_header_time=yes
else
fi
echo $ac_n "checking whether struct tm is in sys/time.h or time.h""... $ac_c" 1>&6
-echo "configure:22184: checking whether struct tm is in sys/time.h or time.h" >&5
+echo "configure:21944: checking whether struct tm is in sys/time.h or time.h" >&5
if eval "test \"\${ac_cv_struct_tm+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 22189 "configure"
+#line 21949 "configure"
#include "confdefs.h"
#include <sys/types.h>
#include <time.h>
struct tm *tp; tp->tm_sec;
; return 0; }
EOF
-if { (eval echo configure:22197: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:21957: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
rm -rf conftest*
ac_cv_struct_tm=time.h
else
fi
echo $ac_n "checking for uid_t in sys/types.h""... $ac_c" 1>&6
-echo "configure:22218: checking for uid_t in sys/types.h" >&5
+echo "configure:21978: checking for uid_t in sys/types.h" >&5
if eval "test \"\${ac_cv_type_uid_t+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 22223 "configure"
+#line 21983 "configure"
#include "confdefs.h"
#include <sys/types.h>
EOF
fi
echo $ac_n "checking for sig_atomic_t""... $ac_c" 1>&6
-echo "configure:22252: checking for sig_atomic_t" >&5
+echo "configure:22012: checking for sig_atomic_t" >&5
if eval "test \"\${ol_cv_type_sig_atomic_t+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 22257 "configure"
+#line 22017 "configure"
#include "confdefs.h"
#include <signal.h>
int main() {
sig_atomic_t atomic;
; return 0; }
EOF
-if { (eval echo configure:22264: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:22024: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
rm -rf conftest*
ol_cv_type_sig_atomic_t=yes
else
# test for pw_gecos in struct passwd
echo $ac_n "checking struct passwd for pw_gecos""... $ac_c" 1>&6
-echo "configure:22288: checking struct passwd for pw_gecos" >&5
+echo "configure:22048: checking struct passwd for pw_gecos" >&5
if eval "test \"\${ol_cv_struct_passwd_pw_gecos+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 22294 "configure"
+#line 22054 "configure"
#include "confdefs.h"
#include <pwd.h>
int main() {
; return 0; }
EOF
-if { (eval echo configure:22304: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:22064: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
rm -rf conftest*
ol_cv_struct_passwd_pw_gecos=yes
else
# test for pw_passwd in struct passwd
echo $ac_n "checking struct passwd for pw_passwd""... $ac_c" 1>&6
-echo "configure:22326: checking struct passwd for pw_passwd" >&5
+echo "configure:22086: checking struct passwd for pw_passwd" >&5
if eval "test \"\${ol_cv_struct_passwd_pw_passwd+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 22332 "configure"
+#line 22092 "configure"
#include "confdefs.h"
#include <pwd.h>
int main() {
; return 0; }
EOF
-if { (eval echo configure:22342: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:22102: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
rm -rf conftest*
ol_cv_struct_passwd_pw_passwd=yes
else
echo $ac_n "checking if toupper() requires islower()""... $ac_c" 1>&6
-echo "configure:22364: checking if toupper() requires islower()" >&5
+echo "configure:22124: checking if toupper() requires islower()" >&5
if eval "test \"\${ol_cv_c_upper_lower+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
ol_cv_c_upper_lower=safe
else
cat > conftest.$ac_ext <<EOF
-#line 22373 "configure"
+#line 22133 "configure"
#include "confdefs.h"
#include <ctype.h>
exit(1);
}
EOF
-if { (eval echo configure:22385: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+if { (eval echo configure:22145: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
then
ol_cv_c_upper_lower=no
else
fi
echo $ac_n "checking for working const""... $ac_c" 1>&6
-echo "configure:22408: checking for working const" >&5
+echo "configure:22168: checking for working const" >&5
if eval "test \"\${ac_cv_c_const+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 22413 "configure"
+#line 22173 "configure"
#include "confdefs.h"
int main() {
; return 0; }
EOF
-if { (eval echo configure:22462: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:22222: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
rm -rf conftest*
ac_cv_c_const=yes
else
fi
echo $ac_n "checking if compiler understands volatile""... $ac_c" 1>&6
-echo "configure:22483: checking if compiler understands volatile" >&5
+echo "configure:22243: checking if compiler understands volatile" >&5
if eval "test \"\${ol_cv_c_volatile+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 22488 "configure"
+#line 22248 "configure"
#include "confdefs.h"
int x, y, z;
int main() {
*b = 0;
; return 0; }
EOF
-if { (eval echo configure:22497: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:22257: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
rm -rf conftest*
ol_cv_c_volatile=yes
else
else
echo $ac_n "checking whether byte ordering is bigendian""... $ac_c" 1>&6
-echo "configure:22527: checking whether byte ordering is bigendian" >&5
+echo "configure:22287: checking whether byte ordering is bigendian" >&5
if eval "test \"\${ac_cv_c_bigendian+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
ac_cv_c_bigendian=unknown
# See if sys/param.h defines the BYTE_ORDER macro.
cat > conftest.$ac_ext <<EOF
-#line 22534 "configure"
+#line 22294 "configure"
#include "confdefs.h"
#include <sys/types.h>
#include <sys/param.h>
#endif
; return 0; }
EOF
-if { (eval echo configure:22545: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:22305: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
rm -rf conftest*
# It does; now see whether it defined to BIG_ENDIAN or not.
cat > conftest.$ac_ext <<EOF
-#line 22549 "configure"
+#line 22309 "configure"
#include "confdefs.h"
#include <sys/types.h>
#include <sys/param.h>
#endif
; return 0; }
EOF
-if { (eval echo configure:22560: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:22320: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
rm -rf conftest*
ac_cv_c_bigendian=yes
else
{ echo "configure: error: can not run test program while cross compiling" 1>&2; exit 1; }
else
cat > conftest.$ac_ext <<EOF
-#line 22580 "configure"
+#line 22340 "configure"
#include "confdefs.h"
main () {
/* Are we little or big endian? From Harbison&Steele. */
exit (u.c[sizeof (long) - 1] == 1);
}
EOF
-if { (eval echo configure:22593: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+if { (eval echo configure:22353: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
then
ac_cv_c_bigendian=no
else
fi
echo $ac_n "checking size of short""... $ac_c" 1>&6
-echo "configure:22619: checking size of short" >&5
+echo "configure:22379: checking size of short" >&5
if eval "test \"\${ac_cv_sizeof_short+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
for ac_size in 4 8 1 2 16 ; do # List sizes in rough order of prevalence.
cat > conftest.$ac_ext <<EOF
-#line 22625 "configure"
+#line 22385 "configure"
#include "confdefs.h"
#include "confdefs.h"
#include <sys/types.h>
switch (0) case 0: case (sizeof (short) == $ac_size):;
; return 0; }
EOF
-if { (eval echo configure:22635: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:22395: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
rm -rf conftest*
ac_cv_sizeof_short=$ac_size
else
echo $ac_n "checking size of int""... $ac_c" 1>&6
-echo "configure:22658: checking size of int" >&5
+echo "configure:22418: checking size of int" >&5
if eval "test \"\${ac_cv_sizeof_int+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
for ac_size in 4 8 1 2 16 ; do # List sizes in rough order of prevalence.
cat > conftest.$ac_ext <<EOF
-#line 22664 "configure"
+#line 22424 "configure"
#include "confdefs.h"
#include "confdefs.h"
#include <sys/types.h>
switch (0) case 0: case (sizeof (int) == $ac_size):;
; return 0; }
EOF
-if { (eval echo configure:22674: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:22434: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
rm -rf conftest*
ac_cv_sizeof_int=$ac_size
else
echo $ac_n "checking size of long""... $ac_c" 1>&6
-echo "configure:22697: checking size of long" >&5
+echo "configure:22457: checking size of long" >&5
if eval "test \"\${ac_cv_sizeof_long+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
for ac_size in 4 8 1 2 16 ; do # List sizes in rough order of prevalence.
cat > conftest.$ac_ext <<EOF
-#line 22703 "configure"
+#line 22463 "configure"
#include "confdefs.h"
#include "confdefs.h"
#include <sys/types.h>
switch (0) case 0: case (sizeof (long) == $ac_size):;
; return 0; }
EOF
-if { (eval echo configure:22713: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:22473: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
rm -rf conftest*
ac_cv_sizeof_long=$ac_size
else
echo $ac_n "checking for 8-bit clean memcmp""... $ac_c" 1>&6
-echo "configure:22764: checking for 8-bit clean memcmp" >&5
+echo "configure:22524: checking for 8-bit clean memcmp" >&5
if eval "test \"\${ac_cv_func_memcmp_clean+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
ac_cv_func_memcmp_clean=no
else
cat > conftest.$ac_ext <<EOF
-#line 22772 "configure"
+#line 22532 "configure"
#include "confdefs.h"
main()
}
EOF
-if { (eval echo configure:22782: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+if { (eval echo configure:22542: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
then
ac_cv_func_memcmp_clean=yes
else
test $ac_cv_func_memcmp_clean = no && LIBOBJS="$LIBOBJS memcmp.${ac_objext}"
echo $ac_n "checking for strftime""... $ac_c" 1>&6
-echo "configure:22800: checking for strftime" >&5
+echo "configure:22560: checking for strftime" >&5
if eval "test \"\${ac_cv_func_strftime+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 22805 "configure"
+#line 22565 "configure"
#include "confdefs.h"
/* System header to define __stub macros and hopefully few prototypes,
which can conflict with char strftime(); below. */
; return 0; }
EOF
-if { (eval echo configure:22829: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:22589: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_func_strftime=yes"
else
echo "$ac_t""no" 1>&6
# strftime is in -lintl on SCO UNIX.
echo $ac_n "checking for strftime in -lintl""... $ac_c" 1>&6
-echo "configure:22851: checking for strftime in -lintl" >&5
+echo "configure:22611: checking for strftime in -lintl" >&5
ac_lib_var=`echo intl'_'strftime | sed 'y%./+-:%__p__%'`
if eval "test \"\${ac_cv_lib_$ac_lib_var+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
ac_save_LIBS="$LIBS"
LIBS="-lintl $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 22859 "configure"
+#line 22619 "configure"
#include "confdefs.h"
/* Override any gcc2 internal prototype to avoid an error. */
/* We use char because int might match the return type of a gcc2
strftime()
; return 0; }
EOF
-if { (eval echo configure:22870: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:22630: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_lib_$ac_lib_var=yes"
else
echo $ac_n "checking for inet_aton()""... $ac_c" 1>&6
-echo "configure:22898: checking for inet_aton()" >&5
+echo "configure:22658: checking for inet_aton()" >&5
if eval "test \"\${ol_cv_func_inet_aton+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 22903 "configure"
+#line 22663 "configure"
#include "confdefs.h"
#ifdef HAVE_SYS_TYPES_H
int rc = inet_aton( "255.255.255.255", &in );
; return 0; }
EOF
-if { (eval echo configure:22925: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:22685: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
ol_cv_func_inet_aton=yes
else
echo $ac_n "checking for _spawnlp""... $ac_c" 1>&6
-echo "configure:22947: checking for _spawnlp" >&5
+echo "configure:22707: checking for _spawnlp" >&5
if eval "test \"\${ac_cv_func__spawnlp+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 22952 "configure"
+#line 22712 "configure"
#include "confdefs.h"
/* System header to define __stub macros and hopefully few prototypes,
which can conflict with char _spawnlp(); below. */
; return 0; }
EOF
-if { (eval echo configure:22976: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:22736: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_func__spawnlp=yes"
else
echo $ac_n "checking for _snprintf""... $ac_c" 1>&6
-echo "configure:23000: checking for _snprintf" >&5
+echo "configure:22760: checking for _snprintf" >&5
if eval "test \"\${ac_cv_func__snprintf+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 23005 "configure"
+#line 22765 "configure"
#include "confdefs.h"
/* System header to define __stub macros and hopefully few prototypes,
which can conflict with char _snprintf(); below. */
; return 0; }
EOF
-if { (eval echo configure:23029: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:22789: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_func__snprintf=yes"
else
echo $ac_n "checking for _vsnprintf""... $ac_c" 1>&6
-echo "configure:23055: checking for _vsnprintf" >&5
+echo "configure:22815: checking for _vsnprintf" >&5
if eval "test \"\${ac_cv_func__vsnprintf+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 23060 "configure"
+#line 22820 "configure"
#include "confdefs.h"
/* System header to define __stub macros and hopefully few prototypes,
which can conflict with char _vsnprintf(); below. */
; return 0; }
EOF
-if { (eval echo configure:23084: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:22844: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_func__vsnprintf=yes"
else
echo $ac_n "checking for vprintf""... $ac_c" 1>&6
-echo "configure:23110: checking for vprintf" >&5
+echo "configure:22870: checking for vprintf" >&5
if eval "test \"\${ac_cv_func_vprintf+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 23115 "configure"
+#line 22875 "configure"
#include "confdefs.h"
/* System header to define __stub macros and hopefully few prototypes,
which can conflict with char vprintf(); below. */
; return 0; }
EOF
-if { (eval echo configure:23139: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:22899: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_func_vprintf=yes"
else
if test "$ac_cv_func_vprintf" != yes; then
echo $ac_n "checking for _doprnt""... $ac_c" 1>&6
-echo "configure:23163: checking for _doprnt" >&5
+echo "configure:22923: checking for _doprnt" >&5
if eval "test \"\${ac_cv_func__doprnt+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 23168 "configure"
+#line 22928 "configure"
#include "confdefs.h"
/* System header to define __stub macros and hopefully few prototypes,
which can conflict with char _doprnt(); below. */
; return 0; }
EOF
-if { (eval echo configure:23192: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:22952: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_func__doprnt=yes"
else
for ac_func in snprintf vsnprintf
do
echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
-echo "configure:23221: checking for $ac_func" >&5
+echo "configure:22981: checking for $ac_func" >&5
if eval "test \"\${ac_cv_func_$ac_func+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 23226 "configure"
+#line 22986 "configure"
#include "confdefs.h"
/* System header to define __stub macros and hopefully few prototypes,
which can conflict with char $ac_func(); below. */
; return 0; }
EOF
-if { (eval echo configure:23250: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:23010: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_func_$ac_func=yes"
else
do
echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
-echo "configure:23336: checking for $ac_func" >&5
+echo "configure:23096: checking for $ac_func" >&5
if eval "test \"\${ac_cv_func_$ac_func+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 23341 "configure"
+#line 23101 "configure"
#include "confdefs.h"
/* System header to define __stub macros and hopefully few prototypes,
which can conflict with char $ac_func(); below. */
; return 0; }
EOF
-if { (eval echo configure:23365: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:23125: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_func_$ac_func=yes"
else
for ac_func in getopt getpeereid
do
echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
-echo "configure:23393: checking for $ac_func" >&5
+echo "configure:23153: checking for $ac_func" >&5
if eval "test \"\${ac_cv_func_$ac_func+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 23398 "configure"
+#line 23158 "configure"
#include "confdefs.h"
/* System header to define __stub macros and hopefully few prototypes,
which can conflict with char $ac_func(); below. */
; return 0; }
EOF
-if { (eval echo configure:23422: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:23182: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_func_$ac_func=yes"
else
fi
if test "$ac_cv_func_getpeereid" != yes; then
echo $ac_n "checking for msg_accrights in msghdr""... $ac_c" 1>&6
-echo "configure:23454: checking for msg_accrights in msghdr" >&5
+echo "configure:23214: checking for msg_accrights in msghdr" >&5
if eval "test \"\${ol_cv_msghdr_msg_accrights+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 23459 "configure"
+#line 23219 "configure"
#include "confdefs.h"
#include <sys/socket.h>
int main() {
struct msghdr m; m.msg_accrightslen=0
; return 0; }
EOF
-if { (eval echo configure:23466: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:23226: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
rm -rf conftest*
ol_cv_msghdr_msg_accrights=yes
else
# Check Configuration
echo $ac_n "checking declaration of sys_errlist""... $ac_c" 1>&6
-echo "configure:23506: checking declaration of sys_errlist" >&5
+echo "configure:23266: checking declaration of sys_errlist" >&5
if eval "test \"\${ol_cv_dcl_sys_errlist+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 23512 "configure"
+#line 23272 "configure"
#include "confdefs.h"
#include <stdio.h>
char *c = (char *) *sys_errlist
; return 0; }
EOF
-if { (eval echo configure:23525: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:23285: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
rm -rf conftest*
ol_cv_dcl_sys_errlist=yes
ol_cv_have_sys_errlist=yes
echo $ac_n "checking existence of sys_errlist""... $ac_c" 1>&6
-echo "configure:23548: checking existence of sys_errlist" >&5
+echo "configure:23308: checking existence of sys_errlist" >&5
if eval "test \"\${ol_cv_have_sys_errlist+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 23554 "configure"
+#line 23314 "configure"
#include "confdefs.h"
#include <errno.h>
int main() {
char *c = (char *) *sys_errlist
; return 0; }
EOF
-if { (eval echo configure:23561: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:23321: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
ol_cv_have_sys_errlist=yes
else
do
ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
-echo "configure:23589: checking for $ac_hdr" >&5
+echo "configure:23349: checking for $ac_hdr" >&5
if eval "test \"\${ac_cv_header_$ac_safe+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 23594 "configure"
+#line 23354 "configure"
#include "confdefs.h"
#include <$ac_hdr>
EOF
ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:23599: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:23359: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
if test -z "$ac_err"; then
rm -rf conftest*
{ echo "configure: error: could not locate <ltdl.h>" 1>&2; exit 1; }
fi
echo $ac_n "checking for lt_dlinit in -lltdl""... $ac_c" 1>&6
-echo "configure:23630: checking for lt_dlinit in -lltdl" >&5
+echo "configure:23390: checking for lt_dlinit in -lltdl" >&5
ac_lib_var=`echo ltdl'_'lt_dlinit | sed 'y%./+-:%__p__%'`
if eval "test \"\${ac_cv_lib_$ac_lib_var+set}\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
ac_save_LIBS="$LIBS"
LIBS="-lltdl $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 23638 "configure"
+#line 23398 "configure"
#include "confdefs.h"
/* Override any gcc2 internal prototype to avoid an error. */
/* We use char because int might match the return type of a gcc2
lt_dlinit()
; return 0; }
EOF
-if { (eval echo configure:23649: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:23409: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_lib_$ac_lib_var=yes"
else
SLAPD_MODULES_LDFLAGS="-dlopen self"
fi
+cat >> confdefs.h <<\EOF
+#define SLAPD_MOD_STATIC 1
+EOF
+
+cat >> confdefs.h <<\EOF
+#define SLAPD_MOD_DYNAMIC 2
+EOF
+
+
if test "$ol_enable_bdb" != no ; then
cat >> confdefs.h <<\EOF
#define SLAPD_BDB 1
BUILD_SLAPD=yes
BUILD_META=yes
BUILD_REWRITE=yes
- if test $ol_enable_ldbm = yes -o \
- $ol_enable_bdb = yes ; then
- BUILD_CACHE=yes
- fi
if test "$ol_with_meta_module" != static ; then
cat >> confdefs.h <<\EOF
#define SLAPD_META_DYNAMIC 1
fi
fi
+if test "$ol_with_dyngroup" != no ; then
+ BUILD_DYNGROUP=$ol_with_dyngroup
+ if test "$ol_with_dyngroup" = mod ; then
+ MFLAG=SLAPD_MOD_DYNAMIC
+ SLAPD_DYNAMIC_OVERLAYS="$SLAPD_DYNAMIC_OVERLAYS dyngroup.la"
+ else
+ MFLAG=SLAPD_MOD_STATIC
+ fi
+ cat >> confdefs.h <<EOF
+#define SLAPD_OVER_DYNGROUP $MFLAG
+EOF
+
+fi
+
+if test "$ol_with_proxycache" != no ; then
+ BUILD_PROXYCACHE=$ol_with_proxycache
+ if test "$ol_with_proxycache" = mod ; then
+ MFLAG=SLAPD_MOD_DYNAMIC
+ SLAPD_DYNAMIC_OVERLAYS="$SLAPD_DYNAMIC_OVERLAYS pcache.la"
+ else
+ MFLAG=SLAPD_MOD_STATIC
+ fi
+ cat >> confdefs.h <<EOF
+#define SLAPD_OVER_PROXYCACHE $MFLAG
+EOF
+
+fi
+
if test "$ol_enable_slurpd" != no -a "$ol_link_threads" != no -a \
$BUILD_SLAPD = yes ; then
BUILD_SLURPD=yes
+
libraries/liblber/Makefile:build/top.mk:libraries/liblber/Makefile.in:build/lib.mk:build/lib-shared.mk \
libraries/libldap/Makefile:build/top.mk:libraries/libldap/Makefile.in:build/lib.mk:build/lib-shared.mk \
libraries/libldap_r/Makefile:build/top.mk:libraries/libldap_r/Makefile.in:build/lib.mk:build/lib-shared.mk \
-libraries/libldbm/Makefile:build/top.mk:libraries/libldbm/Makefile.in:build/lib.mk:build/lib-static.mk \
libraries/liblunicode/Makefile:build/top.mk:libraries/liblunicode/Makefile.in:build/lib.mk:build/lib-static.mk \
libraries/liblutil/Makefile:build/top.mk:libraries/liblutil/Makefile.in:build/lib.mk:build/lib-static.mk \
libraries/librewrite/Makefile:build/top.mk:libraries/librewrite/Makefile.in:build/lib.mk:build/lib-static.mk \
servers/slapd/back-sql/Makefile:build/top.mk:servers/slapd/back-sql/Makefile.in:build/mod.mk \
servers/slapd/shell-backends/Makefile:build/top.mk:servers/slapd/shell-backends/Makefile.in:build/srv.mk \
servers/slapd/slapi/Makefile:build/top.mk:servers/slapd/slapi/Makefile.in:build/lib.mk:build/lib-shared.mk \
+servers/slapd/overlays/Makefile:build/top.mk:servers/slapd/overlays/Makefile.in:build/lib.mk \
servers/slapd/tools/Makefile:build/top.mk:servers/slapd/tools/Makefile.in \
servers/slurpd/Makefile:build/top.mk:servers/slurpd/Makefile.in:build/srv.mk \
tests/Makefile:build/top.mk:tests/Makefile.in:build/dir.mk \
s%@BUILD_LDBM@%$BUILD_LDBM%g
s%@BUILD_META@%$BUILD_META%g
s%@BUILD_MONITOR@%$BUILD_MONITOR%g
-s%@BUILD_CACHE@%$BUILD_CACHE%g
s%@BUILD_NULL@%$BUILD_NULL%g
s%@BUILD_PASSWD@%$BUILD_PASSWD%g
s%@BUILD_PERL@%$BUILD_PERL%g
s%@BUILD_PERL_DYNAMIC@%$BUILD_PERL_DYNAMIC%g
s%@BUILD_SHELL_DYNAMIC@%$BUILD_SHELL_DYNAMIC%g
s%@BUILD_SQL_DYNAMIC@%$BUILD_SQL_DYNAMIC%g
+s%@BUILD_DYNGROUP@%$BUILD_DYNGROUP%g
+s%@BUILD_PROXYCACHE@%$BUILD_PROXYCACHE%g
s%@BUILD_SLURPD@%$BUILD_SLURPD%g
s%@LDAP_LIBS@%$LDAP_LIBS%g
s%@SLAPD_LIBS@%$SLAPD_LIBS%g
s%@SLAPD_NO_STATIC@%$SLAPD_NO_STATIC%g
s%@SLAPD_STATIC_BACKENDS@%$SLAPD_STATIC_BACKENDS%g
s%@SLAPD_DYNAMIC_BACKENDS@%$SLAPD_DYNAMIC_BACKENDS%g
+s%@SLAPD_DYNAMIC_OVERLAYS@%$SLAPD_DYNAMIC_OVERLAYS%g
s%@PERL_CPPFLAGS@%$PERL_CPPFLAGS%g
s%@SLAPD_PERL_LDFLAGS@%$SLAPD_PERL_LDFLAGS%g
s%@MOD_PERL_LDFLAGS@%$MOD_PERL_LDFLAGS%g
s%@KRB4_LIBS@%$KRB4_LIBS%g
s%@KRB5_LIBS@%$KRB5_LIBS%g
s%@SASL_LIBS@%$SASL_LIBS%g
-s%@TERMCAP_LIBS@%$TERMCAP_LIBS%g
s%@TLS_LIBS@%$TLS_LIBS%g
s%@MODULES_LIBS@%$MODULES_LIBS%g
s%@SLAPI_LIBS@%$SLAPI_LIBS%g
libraries/liblber/Makefile:build/top.mk:libraries/liblber/Makefile.in:build/lib.mk:build/lib-shared.mk \
libraries/libldap/Makefile:build/top.mk:libraries/libldap/Makefile.in:build/lib.mk:build/lib-shared.mk \
libraries/libldap_r/Makefile:build/top.mk:libraries/libldap_r/Makefile.in:build/lib.mk:build/lib-shared.mk \
-libraries/libldbm/Makefile:build/top.mk:libraries/libldbm/Makefile.in:build/lib.mk:build/lib-static.mk \
libraries/liblunicode/Makefile:build/top.mk:libraries/liblunicode/Makefile.in:build/lib.mk:build/lib-static.mk \
libraries/liblutil/Makefile:build/top.mk:libraries/liblutil/Makefile.in:build/lib.mk:build/lib-static.mk \
libraries/librewrite/Makefile:build/top.mk:libraries/librewrite/Makefile.in:build/lib.mk:build/lib-static.mk \
servers/slapd/back-sql/Makefile:build/top.mk:servers/slapd/back-sql/Makefile.in:build/mod.mk \
servers/slapd/shell-backends/Makefile:build/top.mk:servers/slapd/shell-backends/Makefile.in:build/srv.mk \
servers/slapd/slapi/Makefile:build/top.mk:servers/slapd/slapi/Makefile.in:build/lib.mk:build/lib-shared.mk \
+servers/slapd/overlays/Makefile:build/top.mk:servers/slapd/overlays/Makefile.in:build/lib.mk \
servers/slapd/tools/Makefile:build/top.mk:servers/slapd/tools/Makefile.in \
servers/slurpd/Makefile:build/top.mk:servers/slurpd/Makefile.in:build/srv.mk \
tests/Makefile:build/top.mk:tests/Makefile.in:build/dir.mk \
OL_ARG_WITH(sql_module,[ --with-sql-module module type static|dynamic], static,
[static dynamic])
+dnl ----------------------------------------------------------------
+dnl SLAPD Overlay Options
+AC_ARG_WITH(xxslapoverlays,[
+SLAPD Overlay Options:])
+OL_ARG_WITH(dyngroup,[ --with-dyngroup Dynamic Group overlay no|yes|mod], no,
+ [no yes mod])
+OL_ARG_WITH(proxycache,[ --with-proxycache Proxy Cache overlay no|yes|mod], no,
+ [no yes mod])
+
dnl ----------------------------------------------------------------
dnl SLURPD OPTIONS
AC_ARG_WITH(xxslurpdoptions,[
if test $ol_enable_rewrite = yes ; then
AC_MSG_WARN([slapd disabled, ignoring --enable-rewrite argument])
fi
+ if test $ol_with_dyngroup != no ; then
+ AC_MSG_WARN([slapd disabled, ignoring --with-dyngroup argument])
+ fi
+ if test $ol_with_proxycache != no ; then
+ AC_MSG_WARN([slapd disabled, ignoring --with-proxycache argument])
+ fi
# force settings to no
ol_enable_slapi=no
ol_enable_rlookups=no
ol_enable_aci=no
ol_enable_wrappers=no
- ol_enable_dynamic=no
ol_with_ldbm_api=no
ol_with_ldbm_type=no
ol_enable_rewrite=no
+ ol_with_dyngroup=no
+ ol_with_proxycache=no
+
elif test $ol_enable_ldbm = no ; then
dnl SLAPD without LDBM
BUILD_LDBM=no
BUILD_META=no
BUILD_MONITOR=no
-BUILD_CACHE=no
BUILD_NULL=no
BUILD_PASSWD=no
BUILD_PERL=no
BUILD_SHELL_DYNAMIC=static
BUILD_SQL_DYNAMIC=static
+BUILD_DYNGROUP=no
+BUILD_PROXYCACHE=no
+
+SLAPD_DYNAMIC_OVERLAYS=
+
SLAPD_MODULES_LDFLAGS=
SLAPD_MODULES_CPPFLAGS=
KRB4_LIBS=
KRB5_LIBS=
SASL_LIBS=
-TERMCAP_LIBS=
TLS_LIBS=
MODULES_LIBS=
SLAPI_LIBS=
else
PERL_CPPFLAGS="`$PERLBIN -MExtUtils::Embed -e ccopts`"
- PERL_LDFLAGS="`$PERLBIN -MExtUtils::Embed -e ldopts|sed -e 's/ -lc / /'`"
+ PERL_LDFLAGS="`$PERLBIN -MExtUtils::Embed -e ldopts|sed -e 's/ -lc / /' -e 's/ -lc$//'`"
if test x"$ol_with_perl_module" = "xstatic" ; then
SLAPD_PERL_LDFLAGS="$PERL_LDFLAGS"
ol_with_perl_module=static
ol_with_shell_module=static
ol_with_sql_module=static
+ if test $ol_with_dyngroup = mod ; then
+ AC_MSG_WARN([building static dyngroup overlay])
+ ol_with_dyngroup = yes
+ fi
+ if test $ol_with_proxycache = mod ; then
+ AC_MSG_WARN([building static proxycache overlay])
+ ol_with_proxycache = yes
+ fi
fi
dnl ----------------------------------------------------------------
arpa/inet.h \
arpa/nameser.h \
assert.h \
+ bits/types.h \
conio.h \
crypt.h \
direct.h \
AC_DEFINE(HAVE_TCPD,1, [define if you have -lwrap])
WRAP_LIBS="-lwrap"
elif test $ol_enable_wrappers = yes ; then
- AC_MSG_ERROR([could not find TCP wrappers, select apppropriate options ore disable])
+ AC_MSG_ERROR([could not find TCP wrappers, select apppropriate options or disable])
else
AC_MSG_WARN([could not find TCP wrappers, support disabled])
WRAP_LIBS=""
fi
fi
-dnl ----------------------------------------------------------------
-dnl ud needs termcap (should insert check here)
-ol_link_termcap=no
-AC_CHECK_HEADERS(termcap.h ncurses.h)
-
-if test $ol_link_termcap = no ; then
- AC_CHECK_LIB(termcap, tputs, [have_termcap=yes], [have_termcap=no])
- if test $have_termcap = yes ; then
- AC_DEFINE(HAVE_TERMCAP, 1, [define if you have -ltermcap])
- ol_link_termcap=yes
- TERMCAP_LIBS=-ltermcap
- fi
-fi
-
-if test $ol_link_termcap = no ; then
- AC_CHECK_LIB(ncurses, initscr, [have_ncurses=yes], [have_ncurses=no])
- if test $have_ncurses = yes ; then
- AC_DEFINE(HAVE_NCURSES, 1, [define if you have -lncurses])
- ol_link_termcap=yes
- TERMCAP_LIBS=-lncurses
- fi
-fi
-
-if test $ol_link_termcap = no ; then
- AC_DEFINE(NO_TERMCAP,1, [define if you have no termcap support])
- TERMCAP_LIBS=
-fi
-
dnl ----------------------------------------------------------------
dnl
dnl Check for Cyrus SASL
SLAPD_MODULES_LDFLAGS="-dlopen self"
fi
+AC_DEFINE(SLAPD_MOD_STATIC,1,[statically linked module])
+AC_DEFINE(SLAPD_MOD_DYNAMIC,2,[dynamically linked module])
+
if test "$ol_enable_bdb" != no ; then
AC_DEFINE(SLAPD_BDB,1,[define to support BDB backend])
BUILD_SLAPD=yes
BUILD_SLAPD=yes
BUILD_META=yes
BUILD_REWRITE=yes
- if test $ol_enable_ldbm = yes -o \
- $ol_enable_bdb = yes ; then
- BUILD_CACHE=yes
- fi
if test "$ol_with_meta_module" != static ; then
AC_DEFINE(SLAPD_META_DYNAMIC,1,
[define to support dynamic LDAP Metadirectory backend])
fi
fi
+if test "$ol_with_dyngroup" != no ; then
+ BUILD_DYNGROUP=$ol_with_dyngroup
+ if test "$ol_with_dyngroup" = mod ; then
+ MFLAG=SLAPD_MOD_DYNAMIC
+ SLAPD_DYNAMIC_OVERLAYS="$SLAPD_DYNAMIC_OVERLAYS dyngroup.la"
+ else
+ MFLAG=SLAPD_MOD_STATIC
+ fi
+ AC_DEFINE_UNQUOTED(SLAPD_OVER_DYNGROUP,$MFLAG,[define for Dynamic Group overlay])
+fi
+
+if test "$ol_with_proxycache" != no ; then
+ BUILD_PROXYCACHE=$ol_with_proxycache
+ if test "$ol_with_proxycache" = mod ; then
+ MFLAG=SLAPD_MOD_DYNAMIC
+ SLAPD_DYNAMIC_OVERLAYS="$SLAPD_DYNAMIC_OVERLAYS pcache.la"
+ else
+ MFLAG=SLAPD_MOD_STATIC
+ fi
+ AC_DEFINE_UNQUOTED(SLAPD_OVER_PROXYCACHE,$MFLAG,[define for Proxy Cache overlay])
+fi
+
if test "$ol_enable_slurpd" != no -a "$ol_link_threads" != no -a \
$BUILD_SLAPD = yes ; then
BUILD_SLURPD=yes
AC_SUBST(BUILD_LDBM)
AC_SUBST(BUILD_META)
AC_SUBST(BUILD_MONITOR)
- AC_SUBST(BUILD_CACHE)
AC_SUBST(BUILD_NULL)
AC_SUBST(BUILD_PASSWD)
AC_SUBST(BUILD_PERL)
AC_SUBST(BUILD_PERL_DYNAMIC)
AC_SUBST(BUILD_SHELL_DYNAMIC)
AC_SUBST(BUILD_SQL_DYNAMIC)
+ AC_SUBST(BUILD_DYNGROUP)
+ AC_SUBST(BUILD_PROXYCACHE)
AC_SUBST(BUILD_SLURPD)
AC_SUBST(LDAP_LIBS)
AC_SUBST(SLAPD_NO_STATIC)
AC_SUBST(SLAPD_STATIC_BACKENDS)
AC_SUBST(SLAPD_DYNAMIC_BACKENDS)
+AC_SUBST(SLAPD_DYNAMIC_OVERLAYS)
AC_SUBST(PERL_CPPFLAGS)
AC_SUBST(SLAPD_PERL_LDFLAGS)
AC_SUBST(KRB4_LIBS)
AC_SUBST(KRB5_LIBS)
AC_SUBST(SASL_LIBS)
-AC_SUBST(TERMCAP_LIBS)
AC_SUBST(TLS_LIBS)
AC_SUBST(MODULES_LIBS)
AC_SUBST(SLAPI_LIBS)
libraries/liblber/Makefile:build/top.mk:libraries/liblber/Makefile.in:build/lib.mk:build/lib-shared.mk \
libraries/libldap/Makefile:build/top.mk:libraries/libldap/Makefile.in:build/lib.mk:build/lib-shared.mk \
libraries/libldap_r/Makefile:build/top.mk:libraries/libldap_r/Makefile.in:build/lib.mk:build/lib-shared.mk \
-libraries/libldbm/Makefile:build/top.mk:libraries/libldbm/Makefile.in:build/lib.mk:build/lib-static.mk \
libraries/liblunicode/Makefile:build/top.mk:libraries/liblunicode/Makefile.in:build/lib.mk:build/lib-static.mk \
libraries/liblutil/Makefile:build/top.mk:libraries/liblutil/Makefile.in:build/lib.mk:build/lib-static.mk \
libraries/librewrite/Makefile:build/top.mk:libraries/librewrite/Makefile.in:build/lib.mk:build/lib-static.mk \
servers/slapd/back-sql/Makefile:build/top.mk:servers/slapd/back-sql/Makefile.in:build/mod.mk \
servers/slapd/shell-backends/Makefile:build/top.mk:servers/slapd/shell-backends/Makefile.in:build/srv.mk \
servers/slapd/slapi/Makefile:build/top.mk:servers/slapd/slapi/Makefile.in:build/lib.mk:build/lib-shared.mk \
+servers/slapd/overlays/Makefile:build/top.mk:servers/slapd/overlays/Makefile.in:build/lib.mk \
servers/slapd/tools/Makefile:build/top.mk:servers/slapd/tools/Makefile.in \
servers/slurpd/Makefile:build/top.mk:servers/slurpd/Makefile.in:build/srv.mk \
tests/Makefile:build/top.mk:tests/Makefile.in:build/dir.mk \
* additional notices.
*/
/* ACKNOWLEDGEMENTS:
- * This work was initially developed by John Doe (of FOO Corporation).
- * Additional significant contributors include:
- * Jane Doe of BAR, Inc. (added this and that)
+ * This work was initially developed by Jane Doe for inclusion in
+ * OpenLDAP Software. Additional significant contributors include:
+ * John Doe
*/
Implement DIT Structure Rules and Name Forms
Implement LDAP Transactions extension
Implement native support for simple SASL mechanisms (e.g. EXTERNAL and PLAIN)
-Implement LDAPprep
Redesign slapd memory allocation fault handling
Localize tools
Small projects
--------------
Add dumpasn1 logging support
-Implement SASLprep
-Redesign test suite to use configure generated run script
+Implement LDAPprep and SASLprep
Add tests to test suite
Convert utfconv.txt into man page(s).
Recode linked-list structs to use <ldap_queue.h> macros
-Internet-Drafts are working documents of the Internet Engineering
-Task Force (IETF), its areas, and its working groups. Note that
-other groups may also distribute working documents as Internet-Drafts.
+Internet-Drafts (I-Ds) are working documents of the Internet
+Engineering Task Force (IETF), its areas, its working groups, and
+individual contributors.
-Internet-Drafts are draft documents valid for a maximum of six
-months and may be updated, replaced, or obsoleted by other documents
-at any time. It is inappropriate to use Internet-Drafts as reference
-material or to cite them other than as "work in progress."
+I-Ds are only valid for a maximum of six months and may be updated,
+replaced, or obsoleted by other documents at any time. It is
+inappropriate to use I-Ds as reference material or to cite them
+other than as "work in progress."
-OpenLDAP maintains copies of drafts for which we find interesting.
-Existance here does not necessarily imply any support nor any plans
-to support for the I-D. The I-Ds found in this directory may be
-stale, expired, or otherwise out of date.
+The OpenLDAP Project maintains copies of I-D for which we find
+interesting. Existance here does not necessarily imply any support
+nor any plans to support for the I-D. The I-Ds found in this
+directory may be stale, expired, or otherwise out of date.
-Please refer to http://www.ietf.org/ for latest revisions (and
+Please go to <http://www.ietf.org/> for latest revisions (and
status).
$OpenLDAP$
-
-Internet-Draft Editor: R. Harrison
-Intended Category: Draft Standard Novell, Inc.
-Document: draft-ietf-ldapbis-authmeth-05.txt March 2003
-Obsoletes: RFC 2829, RFC 2830
+INTERNET-DRAFT Editor: R. Harrison
+draft-ietf-ldapbis-authmeth-08.txt Novell, Inc.
+Obsoletes: 2251, 2829, 2830 26 October 2003
+Intended Category: Draft Standard
LDAP: Authentication Methods
Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
+Copyright Notice
+
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
+
Abstract
- This document describes LDAPv3 (Lightweight Directory Access
- Protocol v3) authentication methods and connection level security
- mechanisms that are required of all conforming LDAPv3 server
- implementations and makes recommendations for combinations of these
- mechanisms to be used in various deployment circumstances.
+ This document describes authentication methods and connection level
+ security mechanisms of the Lightweight Directory Access Protocol
+ (LDAP).
+
+ This document details the simple Bind authentication method
+ including anonymous, unauthenticated, and plain-text password
+ methods and the SASL (Simple Authentication and Security Layer) Bind
+ authentication method including the use of DIGEST-MD5 and EXTERNAL
+ mechanisms.
- Among the mechanisms described are
-
- - various forms of authentication including anonymous
- authentication, password-based authentication, and certificate
- based authentication
- - the use of SASL mechanisms with LDAPv3
- - the use of TLS (Transport Layer Security) with LDAPv3
-
-Harrison Expires September 2003 [Page 1]
+Harrison Expires April 2004 [Page 1]
\f
- Authentication Methods for LDAPv3
+Internet-Draft LDAP Authentication Methods 7 October 2003
- - the various authentication and authorization states through
- which a connection to an LDAP server may pass and the actions
- that trigger these state changes.
-
-
-1. Conventions Used in this Document
+ This document also details establishment of TLS (Transport Layer
+ Security) using the Start TLS operation.
-1.1. Glossary of Terms
-
- The following terms are used in this document. To aid the reader,
- these terms are defined here.
-
- - "user" represents any application which is an LDAP client using
- the directory to retrieve or store information.
-
- - "LDAP association" is used to distinguish the LDAP-level
- connection from any underlying TLS-level connection that may or
- may not exist.
-
-1.2. Security Terms and Concepts
-
- In general, security terms in this document are used consistently
- with the definitions provided in [RFC2828]. In addition, several
- terms and concepts relating to security, authentication, and
- authorization are presented in Appendix B of this document. While
- the formal definition of these terms and concepts is outside the
- scope of this document, an understanding of them is prerequisite to
- understanding much of the material in this document. Readers who are
- unfamiliar with security-related concepts are encouraged to review
- Appendix B before reading the remainder of this document.
-
-1.3. Keywords
+ This document describes various authentication and authorization
+ states through which a connection to an LDAP server may pass and the
+ actions that trigger these state changes.
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in RFC 2119 [RFC2119].
+ This document also prescribes DIGEST-MD5 as LDAP's mandatory-to-
+ implement strong authentication mechanism.
-2. Introduction
+1. Introduction
- This document is an integral part of the LDAP Technical
- Specification [ROADMAP]. This document replaces RFC 2829 and
- portions of RFC 2830. Changes to RFC 2829 are summarized in Appendix
- C and changes to RFC 2830 are summarized in Appendix D.
-
- LDAPv3 is a powerful access protocol for directories. It offers
- means of searching, retrieving and manipulating directory content,
- and ways to access a rich set of security functions.
+ The Lightweight Directory Access Protocol (LDAP) [Protocol] is a
+ powerful access protocol for directories. It offers means of
+ searching, retrieving and manipulating directory content, and ways
+ to access a rich set of security functions.
It is vital that these security functions be interoperable among all
LDAP clients and servers on the Internet; therefore there has to be
a minimum subset of security functions that is common to all
- implementations that claim LDAPv3 conformance.
+ implementations that claim LDAP conformance.
Basic threats to an LDAP directory service include:
-Harrison Expires September 2003 [Page 2]
-\f
- Authentication Methods for LDAPv3
-
-
(1) Unauthorized access to directory data via data-retrieval
operations,
(7) Spoofing of directory: Tricking a client into believing that
information came from the directory when in fact it did not,
either by modifying data in transit or misdirecting the client's
- connection.
+ connection. Also, tricking a client into sending privileged
+ information to a hostile entity that appears to be the directory
+ but is not.
Threats (1), (4), (5) and (6) are due to hostile clients. Threats
(2), (3) and (7) are due to hostile agents on the path between
client and server or hostile agents posing as a server.
- The LDAP protocol suite can be protected with the following security
- mechanisms:
+ LDAP can be protected with the following security mechanisms:
+
+
+
+Harrison Expires April 2004 [Page 2]
+\f
+Internet-Draft LDAP Authentication Methods 7 October 2003
- (1) Client authentication by means of the SASL [RFC2222] mechanism
- set, possibly backed by the TLS [RFC2246] credentials exchange
+ (1) Client authentication by means of the Secure Authentication and
+ Security Layer (SASL) [SASL] mechanism set, possibly backed by
+ the Transport Layer Security (TLS) [TLS] credentials exchange
mechanism,
(2) Client authorization by means of access control based on the
requestor's authenticated identity,
- (3) Data integrity protection by means of the TLS protocol or SASL
- mechanisms that provide data integrity services,
+ (3) Data integrity protection by means of TLS or SASL mechanisms
+ with security layers that provide data integrity services,
(4) Data confidentiality protection against snooping by means of the
TLS protocol or SASL mechanisms that provide data
mechanism.
At the moment, imposition of access controls is done by means
- outside the scope of the LDAPv3 protocol.
-
-3. Rationale for LDAPv3 Security Mechanisms
-
-
-
-Harrison Expires September 2003 [Page 3]
-\f
- Authentication Methods for LDAPv3
-
+ outside the scope of LDAP.
+
It seems clear that allowing any implementation, faced with the
above requirements, to simply pick and choose among the possible
alternatives is not a strategy that is likely to lead to
interoperability. In the absence of mandates, clients will be
written that do not support any security function supported by the
- server, or worse, they will support only mechanisms like the LDAPv3
+ server, or worse, they will support only mechanisms like the LDAP
simple bind using clear text passwords that provide inadequate
security for most circumstances.
of user identities for backwards compatibility with non-LDAP-based
authentication services.
- The set of security mechanisms provided in LDAPv3 and described in
+ The set of security mechanisms provided in LDAP and described in
this document is intended to meet the security needs for a wide
range of deployment scenarios and still provide a high degree of
- interoperability among various LDAPv3 implementations and
- deployments. Appendix A contains example deployment scenarios that
- list the mechanisms that might be used to achieve a reasonable level
- of security in various circumstances.
+ interoperability among various LDAP implementations and deployments.
+ Appendix A contains example deployment scenarios that list the
+ mechanisms that might be used to achieve a reasonable level of
+ security in various circumstances.
+
+ This document is an integral part of the LDAP Technical
+ Specification [Roadmap]. This document replaces RFC 2829 and
+ portions of RFC 2830 and RFC 2251.
+
+Harrison Expires April 2004 [Page 3]
+\f
+Internet-Draft LDAP Authentication Methods 7 October 2003
+
+
+2. Conventions Used in this Document
+
+2.1. Glossary of Terms
+
+ The following terms are used in this document. To aid the reader,
+ these terms are defined here.
+
+ - "user" represents any human or application entity which is
+ accessing the directory using a directory client. A directory
+ client (or client) is also known as a directory user agent
+ (DUA).
+
+ - "connection" and "LDAP connection" both refer to the underlying
+ transport protocol connection between two protocol peers.
+
+ - "TLS connection" refers to a TLS-protected LDAP connection.
+
+ - "association" and "LDAP association" both refer to the
+ association of the LDAP connection and its current
+ authentication and authorization state.
+
+2.2. Security Terms and Concepts
+
+ In general, security terms in this document are used consistently
+ with the definitions provided in [RFC2828]. In addition, several
+ terms and concepts relating to security, authentication, and
+ authorization are presented in Appendix B of this document. While
+ the formal definition of these terms and concepts is outside the
+ scope of this document, an understanding of them is prerequisite to
+ understanding much of the material in this document. Readers who are
+ unfamiliar with security-related concepts are encouraged to review
+ Appendix B before reading the remainder of this document.
+
+2.3. Keywords
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in RFC 2119 [RFC2119].
-4. Bind Operation
+3. Bind Operation
The Bind operation defined in section 4.2 of [Protocol] allows
authentication information to be exchanged between the client and
- server.
+ server to establish a new LDAP association. The new LDAP association
+ is established upon successful completion of the authentication
+ exchange.
+
+
-4.1. Unbound Connection Treated as Anonymous ("Implied Anonymous Bind")
+3.1. Implied Anonymous Bind on LDAP Association
- Unlike LDAP version 2, the client need not send a Bind Request in
- the first PDU of the connection. The client may send any operation
- request prior to binding, and the server MUST treat it as if it had
- been performed after an anonymous bind operation. If the server
- requires that the client bind before browsing or modifying the
- directory, the server MAY reject a request other than binding,
- unbinding or an extended request with the "operationsError" result.
+ Prior to the successful completion of a Bind operation and during
+ any subsequent authentication exchange, the session has an anonymous
+
+Harrison Expires April 2004 [Page 4]
+\f
+Internet-Draft LDAP Authentication Methods 7 October 2003
+
+ LDAP association. Among other things this implies that the client
+ need not send a Bind Request in the first PDU of the connection. The
+ client may send any operation request prior to binding, and the
+ server MUST treat it as if it had been performed after an anonymous
+ bind operation. This authentication state on an LDAP association is
+ sometimes referred to as an implied anonymous bind.
+
+3.2. Simple Authentication
+ The simple authentication choice provides minimal facilities for
+ establishing an anonymous association or for establishing an LDAP
+ association based upon credentials consisting of a name (in the form
+ of an [LDAPDN] and a password.
+
+ The simple authentication choice provides two different methods
+ for establishing an anonymous association: anonymous bind and
+ unauthenticated bind (see section 6.1).
-4.2. Simple Authentication
+ The simple authentication choice provides one method for
+ establishing a non-anonymous association: simple password bind.
- The simple authentication option provides minimal authentication
- facilities, with the contents of the authentication field consisting
- only of a cleartext password. Note that the use of cleartext
- passwords is strongly discouraged over open networks when the
- underlying transport service cannot guarantee confidentiality (see
- section 8).
+3.3. SASL Authentication Profile
-4.3. SASL Authentication
+ LDAP allows authentication via any SASL mechanism [SASL]. As LDAP
+ includes native anonymous and plaintext authentication methods, the
+ "ANONYMOUS" [ANONYMOUS] and "PLAIN" [PLAIN] SASL mechanisms are
+ typically not used with LDAP.
-Harrison Expires September 2003 [Page 4]
-\f
- Authentication Methods for LDAPv3
+ Each protocol that utilizes SASL services is required to supply
+ certain information profiling the way they are exposed through the
+ protocol ([SASL] section 5). This section explains how each of these
+ profiling requirements are met by LDAP.
+
+3.3.1. SASL Service Name for LDAP
+ The SASL service name for LDAP is "ldap", which has been registered
+ with the IANA as a GSSAPI service name.
+
+3.3.2. SASL authentication initiation and protocol exchange
+
+ SASL authentication is initiated via an LDAP bind request
+ ([Protocol] section 4.2) with the following parameters:
- The sasl authentication option allows for any mechanism defined for
- use with SASL [RFC2222] not specifically prohibited by this document
- (see section 4.3.1).
+ - The version is 3.
+ - The AuthenticationChoice is sasl.
+ - The mechanism element of the SaslCredentials sequence contains
+ the value of the desired SASL mechanism.
+ - The optional credentials field of the SaslCredentials sequence
+ may be used to provide an initial client response for
+ mechanisms that are defined to have the client send data first
+ (see [SASL] sections 5 and 6.1).
+
+ In general, a SASL authentication protocol exchange consists of a
+ series of server challenges and client responses, the contents of
+
+Harrison Expires April 2004 [Page 5]
+\f
+Internet-Draft LDAP Authentication Methods 7 October 2003
+
+ which are specific to and defined by the SASL mechanism. Thus for
+ some SASL authentication mechanisms, it may be necessary for the
+ client to respond to one or more server challenges by invoking the
+ BindRequest multiple times. A challenge is indicated by the server
+ sending a BindResponse with the resultCode set to
+ saslBindInProgress. This indicates that the server requires the
+ client to send a new bind request, with the same sasl mechanism to
+ continue the authentication process.
+
+ To the encapsulating protocol, these challenges and responses are
+ opaque binary tokens of arbitrary length. LDAP servers use the
+ serverSaslCreds field, an OCTET STRING, in a bind response message
+ to transmit each challenge. LDAP clients use the credentials field,
+ an OCTET STRING, in the SaslCredentials sequence of a bind request
+ message to transmit each response. Note that unlike some Internet
+ application protocols where SASL is used, LDAP is not text-based,
+ thus no Base64 transformations are performed on these challenge and
+ response values.
Clients sending a bind request with the sasl choice selected SHOULD
NOT send a value in the name field. Servers receiving a bind request
with the sasl choice selected SHALL ignore any value in the name
field.
- The mechanism field in SaslCredentials contains the name of the
- mechanism. The credentials field contains the arbitrary data used
- for authentication, inside an OCTET STRING wrapper. Note that unlike
- some Internet application protocols where SASL is used, LDAP is not
- text-based, thus no Base64 transformations are performed on the
- credentials.
+ A client may abort a SASL bind negotiation by sending a BindRequest
+ with a different value in the mechanism field of SaslCredentials, or
+ an AuthenticationChoice other than sasl.
+
+ If the client sends a BindRequest with the sasl mechanism field as
+ an empty string, the server MUST return a BindResponse with
+ authMethodNotSupported as the resultCode. This will allow clients to
+ abort a negotiation if it wishes to try again with the same SASL
+ mechanism.
+
+ The server indicates completion of the SASL challenge-response
+ exchange by responding with a bind response in which the resultCode
+ is either success, or an error indication.
+
+ The serverSaslCreds field in the bind response can be used to
+ include an optional challenge with a success notification for
+ mechanisms which are defined to have the server send additional data
+ along with the indication of successful completion.
+
+3.3.3. Octet where negotiated security mechanisms take effect
+
+ When negotiated, SASL security layers take effect following the
+ transmission by the server and reception by the client of the final
+ BindResponse in the exchange.
+
+ Once a SASL security layer providing integrity or confidentiality
+ services takes effect, the layer remains in effect until a new layer
+ is installed (i.e. at the first octet following the final
+ BindResponse of the bind operation that caused the new layer to take
+ effect).
+
+Harrison Expires April 2004 [Page 6]
+\f
+Internet-Draft LDAP Authentication Methods 7 October 2003
+
+
+3.3.4. Determination of supported SASL mechanisms
- If any SASL-based integrity or confidentiality services are enabled,
- they take effect following the transmission by the server and
- reception by the client of the final BindResponse with a resultCode
- of success.
+ An LDAP client may determine the SASL mechanisms a server supports
+ by performing a search request on the root DSE, requesting the
+ supportedSASLMechanisms attribute. The values of this attribute, if
+ any, list the mechanisms the server supports.
- If a SASL security layer is negotiated, the client MUST discard all
+3.3.5. Rules for using SASL security layers
+
+ If a SASL security layer is negotiated, the client SHOULD discard
information about the server fetched prior to the initiation of the
- SASL negotiation. If the client is configured to support multiple
- SASL mechanisms, it SHOULD fetch the supportedSASLmechanisms list
- both before and after the SASL security layer is negotiated. This
- allows the client to detect active attacks that remove supported
- SASL mechanisms from the supportedSASLMechanisms list and allows the
- client to ensure that it is using the best mechanism supported by
- both client and server. (This requirement is a SHOULD to allow for
- environments where the supportedSASLMechanisms list is provided to
- the client through a different trusted source, e.g. as part of a
- digitally signed object.)
-
- The client can request that the server use authentication
- information from a lower layer protocol by using the SASL EXTERNAL
- mechanism (see section 5.2.2.).
-
-4.3.1. Use of ANONYMOUS and PLAIN SASL Mechanisms
-
- As LDAP includes native anonymous and plaintext authentication
- methods, the "ANONYMOUS" and "PLAIN" SASL mechanisms are not used
- with LDAP. If an authorization identity of a form different from a
- DN is requested by the client, a data confidentiality mechanism that
- protects the password in transit should be used.
-
-4.3.2. Use of EXTERNAL SASL Mechanism
-
- The "EXTERNAL" SASL mechanism can be used to request the LDAP server
- make use of security credentials exchanged by a lower layer. If a
- TLS session has not been established between the client and server
- prior to making the SASL EXTERNAL Bind request and there is no other
- external source of authentication credentials (e.g. IP-level
-
-Harrison Expires September 2003 [Page 5]
-\f
- Authentication Methods for LDAPv3
-
- security [RFC2401]), or if during the process of establishing the
- TLS session, the server did not request the client's authentication
- credentials, the SASL EXTERNAL bind MUST fail with a resultCode of
- inappropriateAuthentication. Any client authentication and
+ SASL negotiation and not obtained through secure mechanisms.
+
+ If the client is configured to support multiple SASL mechanisms, it
+ SHOULD fetch the supportedSASLmechanisms list both before and after
+ the SASL security layer is negotiated. This allows the client to
+ detect active attacks that remove supported SASL mechanisms from the
+ supportedSASLMechanisms list and allows the client to ensure that it
+ is using the best mechanism supported by both client and server. (In
+ particular, this allows for environments where the
+ supportedSASLMechanisms list is provided to the client through a
+ different trusted source, e.g. as part of a digitally signed
+ object.)
+
+ If a lower level security layer (such as TLS) is negotiated, any
+ SASL security services SHALL be layered on top of such security
+ layers regardless of the order of their negotiation.
+
+3.3.6. Use of EXTERNAL SASL Mechanism
+
+ A client can use the "EXTERNAL" SASL mechanism to request the LDAP
+ server to make use of security credentials exchanged by a lower
+ layer. If authentication credentials have not been established at a
+ lower level (such as by TLS authentication or IP-level security
+ [RFC2401]), the SASL EXTERNAL bind MUST fail with a resultCode of
+ inappropriateAuthentication. Any client authentication and
authorization state of the LDAP association is lost, so the LDAP
association is in an anonymous state after the failure (see
[Protocol] section 4.2.1).
-4.3.3. Other SASL Mechanisms
-
- Other SASL mechanisms may be used with LDAP, but their usage is not
- considered in this document.
-
-4.4. SASL Authorization Identity
-
- The authorization identity is carried as part of the SaslCredentials
- credentials field in the Bind request and response.
+3.4. SASL Authorization Identity
When the "EXTERNAL" SASL mechanism is being negotiated, if the
- credentials field is present, it contains an authorization identity
- of the authzId form described below.
+ SaslCredentials credentials field is present, it contains an
+ authorization identity. Other mechanisms define the location of the
+ authorization identity in the credentials field. In either case, the
+ authorization identity is represented in the authzId form described
+ below.
- Other mechanisms define the location of the authorization identity
- in the credentials field.
-
-4.4.1. Authorization Identity Syntax
+3.4.1. Authorization Identity Syntax
- The authorization identity is a string in the UTF-8 character set,
- corresponding to the following ABNF grammar [RFC2234]:
+ The authorization identity is a string of [UTF-8] encoded [Unicode]
+ characters corresponding to the following ABNF grammar [RFC2234]:
+
+Harrison Expires April 2004 [Page 7]
+\f
+Internet-Draft LDAP Authentication Methods 7 October 2003
+
; Specific predefined authorization (authz) id schemes are
; defined below -- new schemes may be defined in the future.
userid = utf8string ; syntax unspecified
The dnAuthzId choice allows client applications to assert
- authorization identities in the form of a distinguished name. The
- decision to allow or disallow an authentication identity to have
- access to the requested authorization identity is a matter of local
- policy ([SASL] section 4.2). For this reason there is no requirement
- that the asserted dn be that of an entry in directory.
+ authorization identities in the form of a distinguished name to be
+ matched in accordance with the distinguishedName matching rule
+ [Syntaxes]. The decision to allow or disallow an authentication
+ identity to have access to the requested authorization identity is a
+ matter of local policy ([SASL] section 4.2). For this reason there
+ is no requirement that the asserted dn be that of an entry in
+ directory.
-
-Harrison Expires September 2003 [Page 6]
-\f
- Authentication Methods for LDAPv3
-
The uAuthzId choice allows for compatibility with client
applications that wish to assert an authorization identity to a
local directory but do not have that identity in distinguished name
- form. The format of utf8string is defined as only a sequence of UTF-
- 8 encoded ISO 10646 characters, and further interpretation is
- subject to prior agreement between the client and server.
+ form. The value contained within a uAuthzId MUST be prepared using
+ SASLprep before being compared octet-wise. The format of utf8string
+ is defined as only a sequence of of [UTF-8] encoded [Unicode]
+ characters, and further interpretation is subject to prior agreement
+ between the client and server.
For example, the userid could identify a user of a specific
- directory service, or be a login name or the local-part of an RFC
- 822 email address. In general, a uAuthzId MUST NOT be assumed to be
- globally unique.
+ directory service or be a login name or the local-part of an RFC 822
+ email address. A uAuthzId SHOULD NOT be assumed to be globally
+ unique.
- Additional authorization identity schemes MAY be defined in future
+ Additional authorization identity schemes may be defined in future
versions of this document.
-4.5. SASL Service Name for LDAP
-
- For use with SASL [RFC2222], a protocol must specify a service name
- to be used with various SASL mechanisms, such as GSSAPI. For LDAP,
- the service name is "ldap", which has been registered with the IANA
- as a GSSAPI service name.
-
-4.6. SASL Integrity and Privacy Protections
-
- Any negotiated SASL integrity and privacy protections SHALL start on
- the first octet of the first LDAP PDU following successful
- completion of the SASL bind operation. If lower level security layer
- is negotiated, such as TLS, any SASL security services SHALL be
- layered on top of such security layers regardless of the order of
- their negotiation.
-
-5. Start TLS Operation
+4. Start TLS Operation
The Start Transport Layer Security (StartTLS) operation defined in
- section 4.13 of [Protocol] provides the ability to establish
- Transport Layer Security [RFC2246] on an LDAP association.
+ section 4.13 of [Protocol] provides the ability to establish [TLS]
+ on an LDAP association.
-5.1. Sequencing of the Start TLS Operation
+4.1. Sequencing of the Start TLS Operation
This section describes the overall procedures clients and servers
must follow for TLS establishment. These procedures take into
+
+Harrison Expires April 2004 [Page 8]
+\f
+Internet-Draft LDAP Authentication Methods 7 October 2003
+
consideration various aspects of the overall security of the LDAP
association including discovery of resultant security level and
assertion of the client's authorization identity.
Note that the precise effects, on a client's authorization identity,
of establishing TLS on an LDAP association are described in detail
- in section 5.5.
+ in section 4.2.
-5.1.1. Requesting to Start TLS on an LDAP Association
+4.1.1. Requesting to Start TLS on an LDAP Connection
The client MAY send the Start TLS extended request at any time after
- establishing an LDAP association, except that in the following cases
- the client MUST NOT send a Start TLS extended request:
-
-Harrison Expires September 2003 [Page 7]
-\f
- Authentication Methods for LDAPv3
-
-
- - if TLS is currently established on the connection, or
- - during a multi-stage SASL negotiation, or
- - if there are any LDAP operations outstanding on the
- connection.
+ establishing an LDAP connection, except:
+
+ - when TLS is currently established on the connection,
+ - when a multi-stage SASL negotiation is in progress on the
+ connection, or
+ - when there are one or more outstanding LDAP operations on the
+ connection.
The result of violating any of these requirements is a resultCode of
- operationsError, as described above in [Protocol] section 14.3.2.2.
+ operationsError, as described in [Protocol] section 4.13.2.2. Client
+ implementers should note that it is possible to receive a resultCode
+ of success for a Start TLS operation that is sent on a connection
+ with outstanding LDAP operations and the server has sufficient time
+ to process them prior to its receiving the Start TLS request.
+ Implementors should ensure that they do not inadvertently depend
+ upon this race condition for proper functioning of their
+ applications.
In particular, there is no requirement that the client have or have
not already performed a Bind operation before sending a Start TLS
other requests, and the server requires the client to establish a
TLS connection before performing a particular request, the server
MUST reject that request by sending a resultCode of
- confidentialityRequired or strongAuthRequired. In response, the
- client MAY send a Start TLS extended request, or it MAY choose to
- close the connection.
+ confidentialityRequired or strongAuthRequired.
-5.1.2. Starting TLS
+4.1.2. Starting TLS
The server will return an extended response with the resultCode of
success if it is willing and able to negotiate TLS. It will return
LDAP requests on the connection) MUST either begin a TLS negotiation
or close the connection. The client will send PDUs in the TLS Record
Protocol directly over the underlying transport connection to the
- server to initiate TLS negotiation [RFC2246].
+ server to initiate [TLS] negotiation.
+
-5.1.3. TLS Version Negotiation
+Harrison Expires April 2004 [Page 9]
+\f
+Internet-Draft LDAP Authentication Methods 7 October 2003
+
+4.1.3. TLS Version Negotiation
Negotiating the version of TLS or SSL to be used is a part of the
- TLS Handshake Protocol, as documented in [RFC2246]. Please refer to
- that document for details.
+ [TLS] Handshake Protocol. Please refer to that document for details.
-5.1.4. Discovery of Resultant Security Level
+4.1.4. Discovery of Resultant Security Level
After a TLS connection is established on an LDAP association, both
parties MUST individually decide whether or not to continue based on
- the privacy level achieved. Ascertaining the TLS connection's
- privacy level is implementation dependent, and accomplished by
+ the security level achieved. Ascertaining the TLS connection's
+ security level is implementation dependent and accomplished by
communicating with one's respective local TLS implementation.
If the client or server decides that the level of authentication or
- privacy is not high enough for it to continue, it SHOULD gracefully
+ security is not high enough for it to continue, it SHOULD gracefully
close the TLS connection immediately after the TLS negotiation has
- completed (see [Protocol] section 4.13.3.1 and section 5.2.3 below).
-
-Harrison Expires September 2003 [Page 8]
-\f
- Authentication Methods for LDAPv3
+ completed (see [Protocol] section 4.13.3.1 and section 4.2.3 below).
+ If the client decides to continue, it may gracefully close the TLS
+ connection and attempt to Start TLS again, it may send an unbind
+ request, or it may send any other LDAP request.
- If the client decides to continue, it MAY attempt to Start TLS
- again, it MAY send an unbind request, or it MAY send any other LDAP
- request.
-
-5.1.5. Assertion of Client's Authorization Identity
-
- The client MAY, upon receipt of a Start TLS response indicating
- success, assert that a specific authorization identity be utilized
- in determining the client's authorization status. The client
- accomplishes this via an LDAP Bind request specifying a SASL
- mechanism of "EXTERNAL" [RFC2222] (see section 5.5.1.2 below).
-
-5.1.6. Server Identity Check
+4.1.5. Server Identity Check
The client MUST check its understanding of the server's hostname
against the server's identity as presented in the server's
- Certificate message, in order to prevent man-in-the-middle attacks.
+ Certificate message in order to prevent man-in-the-middle attacks.
Matching is performed according to these rules:
- - The client MUST use the server hostname it used to open the LDAP
- connection as the value to compare against the server name as
- expressed in the server's certificate. The client MUST NOT use
- the any other derived form of name including the server's
- canonical DNS name.
+ - The client MUST use the server provided by the user (or other
+ trusted entity) as the value to compare against the server name
+ as expressed in the server's certificate. A hostname derived
+ from the user input is to be considered provided by the user
+ only if derived in a secure fashion (e.g., DNSSEC).
- If a subjectAltName extension of type dNSName is present in the
certificate, it SHOULD be used as the source of the server's
- The "*" wildcard character is allowed. If present, it applies
only to the left-most name component.
- For example, *.bar.com would match a.bar.com and b.bar.com, but it
- would not match a.x.bar.com nor would it match bar.com. If more
- than one identity of a given type is present in the certificate
- (e.g. more than one dNSName name), a match in any one of the set is
- considered acceptable.
+ For example, *.bar.com would match a.bar.com and b.bar.com, but
+ it would not match a.x.bar.com nor would it match bar.com. If
+ more than one identity of a given type is present in the
+ certificate (e.g. more than one dNSName name), a match in any
+ one of the set is considered acceptable.
If the hostname does not match the dNSName-based identity in the
certificate per the above check, user-oriented clients SHOULD either
- notify the user (clients MAY give the user the opportunity to
+ notify the user (clients may give the user the opportunity to
continue with the connection in any case) or terminate the
+
+Harrison Expires April 2004 [Page 10]
+\f
+Internet-Draft LDAP Authentication Methods 7 October 2003
+
connection and indicate that the server's identity is suspect.
Automated clients SHOULD close the connection, returning and/or
logging an error indicating that the server's identity is suspect.
Beyond the server identity checks described in this section, clients
SHOULD be prepared to do further checking to ensure that the server
is authorized to provide the service it is observed to provide. The
- client MAY need to make use of local policy information.
-
-
-Harrison Expires September 2003 [Page 9]
-\f
- Authentication Methods for LDAPv3
+ client may need to make use of local policy information in making
+ this determination.
-5.1.7. Refresh of Server Capabilities Information
+4.1.6. Refresh of Server Capabilities Information
- Upon TLS session establishment, the client MUST discard all
- information about the server fetched prior to the initiation of the
- TLS negotiation and MUST refresh any cached server capabilities
- information (e.g. from the server's root DSE; see section 3.4 of
- [Protocol]). This is necessary to protect against active-
- intermediary attacks that may have altered any server capabilities
- information retrieved prior to TLS establishment.
+ Upon TLS session establishment, the client SHOULD discard or refresh
+ all information about the server fetched prior to the initiation of
+ the TLS negotiation and not obtained through secure mechanisms. This
+ protects against active-intermediary attacks that may have altered
+ any server capabilities information retrieved prior to TLS
+ establishment.
- The server MAY advertise different capabilities after TLS
+ The server may advertise different capabilities after TLS
establishment. In particular, the value of supportedSASLMechanisms
- MAY be different after TLS has been negotiated (specifically, the
- EXTERNAL mechanism or the proposed PLAIN mechanism are likely to
- only be listed after a TLS negotiation has been performed).
+ may be different after TLS has been negotiated (specifically, the
+ EXTERNAL and [PLAIN] mechanisms are likely to be listed only after a
+ TLS negotiation has been performed).
-5.2. Effects of TLS on a Client's Authorization Identity
+4.2. Effects of TLS on a Client's Authorization Identity
This section describes the effects on a client's authorization
identity brought about by establishing TLS on an LDAP association.
Authorization identities and related concepts are described in
Appendix B.
-5.2.1. Default Effects
+4.2.1. Default Effects
Upon establishment of the TLS session onto the LDAP association, any
previously established authentication and authorization identities
MUST remain in force, including anonymous state. This holds even in
the case where the server requests client authentication via TLS --
e.g. requests the client to supply its certificate during TLS
- negotiation (see [RFC2246]).
+ negotiation.
-5.2.2. Client Assertion of Authorization Identity
+4.2.2. Client Assertion of Authorization Identity
- A client MAY either implicitly request that its LDAP authorization
- identity be derived from its authenticated TLS credentials or it MAY
- explicitly provide an authorization identity and assert that it be
- used in combination with its authenticated TLS credentials. The
- former is known as an implicit assertion, and the latter as an
- explicit assertion.
+ The client MAY, upon receipt of a Start TLS response indicating
+ success, assert that a specific authorization identity be utilized
+ in determining the client's authorization status. The client
+ accomplishes this via an LDAP Bind request specifying a SASL
+ mechanism of "EXTERNAL" [SASL]. A client may either implicitly
+ request that its LDAP authorization identity be derived from its
+
+Harrison Expires April 2004 [Page 11]
+\f
+Internet-Draft LDAP Authentication Methods 7 October 2003
+
+ authenticated TLS credentials or it may explicitly provide an
+ authorization identity and assert that it be used in combination
+ with its authenticated TLS credentials. The former is known as an
+ implicit assertion, and the latter as an explicit assertion.
-5.2.2.1. Implicit Assertion
+4.2.2.1. Implicit Assertion
An implicit authorization identity assertion is accomplished after
TLS establishment by invoking a Bind request of the SASL form using
- the "EXTERNAL" mechanism name [RFC2222] [Protocol] that SHALL NOT
+ the "EXTERNAL" mechanism name [SASL] [Protocol] that SHALL NOT
include the optional credentials octet string (found within the
SaslCredentials sequence in the Bind Request). The server will
derive the client's authorization identity from the authentication
-
-Harrison Expires September 2003 [Page 10]
-\f
- Authentication Methods for LDAPv3
-
identity supplied in the client's TLS credentials (typically a
public key certificate) according to local policy. The underlying
mechanics of how this is accomplished are implementation specific.
-5.2.2.2. Explicit Assertion
+4.2.2.2. Explicit Assertion
An explicit authorization identity assertion is accomplished after
TLS establishment by invoking a Bind request of the SASL form using
- the "EXTERNAL" mechanism name [RFC2222] [Protocol] that SHALL
- include the credentials octet string. This string MUST be
- constructed as documented in section 4.4.1.
+ the "EXTERNAL" mechanism name [SASL] [Protocol] that SHALL include
+ the credentials octet string. This string MUST be constructed as
+ documented in section 3.4.1.
-5.2.2.3. Error Conditions
+ The server MUST verify that the client's authentication identity as
+ supplied in its TLS credentials is permitted to be mapped to the
+ asserted authorization identity. The server MUST reject the Bind
+ operation with an invalidCredentials resultCode in the Bind response
+ if the client is not so authorized.
- For either form of assertion, the server MUST verify that the
- client's authentication identity as supplied in its TLS credentials
- is permitted to be mapped to the asserted authorization identity.
- The server MUST reject the Bind operation with an invalidCredentials
- resultCode in the Bind response if the client is not so authorized.
+4.2.2.3. Error Conditions
Additionally, with either form of assertion, if a TLS session has
not been established between the client and server prior to making
of authentication credentials (e.g. IP-level security [RFC2401]), or
if during the process of establishing the TLS session, the server
did not request the client's authentication credentials, the SASL
- EXTERNAL bind MUST fail with a result code of
+ EXTERNAL bind MUST fail with a resultCode of
inappropriateAuthentication.
After the above Bind operation failures, any client authentication
close_notify message, based on the Bind failure (as it MAY at any
time).
-5.2.3. TLS Connection Closure Effects
+4.2.3. TLS Connection Closure Effects
Closure of the TLS session MUST cause the LDAP association to move
to an anonymous authentication and authorization state regardless of
+
+Harrison Expires April 2004 [Page 12]
+\f
+Internet-Draft LDAP Authentication Methods 7 October 2003
+
the state established over TLS and regardless of the authentication
and authorization state prior to TLS session establishment.
-6. LDAP Association State Transition Tables
+5. LDAP Association State Transition Tables
To comprehensively diagram the various authentication and TLS states
through which an LDAP association may pass, this section provides a
states through which an LDAP association may pass during the course
of its existence and the actions that cause these changes in state.
-6.1. LDAP Association States
+5.1. LDAP Association States
-
-Harrison Expires September 2003 [Page 11]
-\f
- Authentication Methods for LDAPv3
-
The following table lists the valid LDAP association states and
provides a description of each state. The ID for each state is used
- in the state transition table in section 6.4.
+ in the state transition table in section 5.4.
ID State Description
-- --------------------------------------------------------------
- S1 no Auth ID
- no AuthZ ID
- [TLS: no Creds, OFF]
+ S1 Anonymous
+ no Authentication ID is associated with the LDAP connection
+ no Authorization ID is in force
+ No security layer is in effect.
+ No TLS credentials have been provided
+ TLS: no Creds, OFF]
S2 no Auth ID
no AuthZ ID
[TLS: no Creds, ON]
AuthZ ID= K
[TLS: Creds Auth ID "I", ON]
-6.2. Actions that Affect LDAP Association State
+5.2. Actions that Affect LDAP Association State
The following table lists the actions that can affect the state of
an LDAP association. The ID for each action is used in the state
- transition table in section 6.4.
+ transition table in section 5.4.
+
+
+Harrison Expires April 2004 [Page 13]
+\f
+Internet-Draft LDAP Authentication Methods 7 October 2003
+
ID Action
-- ------------------------------------------------
A5 Client or Server: send TLS closure alert ([Protocol] section
X)
A6 Client: Bind w/simple password or SASL mechanism (e.g. DIGEST-
- MD5 password, Kerberos, etc. -û except EXTERNAL [Auth ID "X"
-
-Harrison Expires September 2003 [Page 12]
-\f
- Authentication Methods for LDAPv3
-
+ MD5 password, Kerberos, etc., except EXTERNAL [Auth ID "X"
maps to AuthZ ID "Y"]
A7 Client Binds SASL EXTERNAL with credentials: AuthZ ID "J"
- [Explicit Assertion (section 5.2.1.2.2)]
+ [Explicit Assertion (section 4.2.1.2.2)]
A8 Client Bind SASL EXTERNAL without credentials [Implicit
- Assertion (section 5.2 .1.2.1)]
+ Assertion (section 4.2.1.2.1)]
+ A9 Client abandons a bind operation or bind operation fails
-6.3. Decisions Used in Making LDAP Association State Changes
+5.3. Decisions Used in Making LDAP Association State Changes
Certain changes in the state of an LDAP association are only allowed
if the server can affirmatively answer a question. These questions
are applied as part of the criteria for allowing or disallowing a
- state change in the state transition table in section 6.4.
+ state change in the state transition table in section 5.4.
ID Decision Question
-- --------------------------------------------------------------
D2 Can a valid AuthZ ID "K" be derived from TLS Credentials Auth
ID "I"?
-6.4. LDAP Association State Transition Table
+5.4. LDAP Association State Transition Table
The LDAP Association table below lists the valid states for an LDAP
association and the actions that could affect them. For any given
State Action State Comment
------- ------------- ----- -----------------------------------
S1 A1 S1
+
+Harrison Expires April 2004 [Page 14]
+\f
+Internet-Draft LDAP Authentication Methods 7 October 2003
+
S1 A2 S1 Error: Inappropriate authentication
S1 A3 S2
S1 A4 S3
S2 A7 ? identity could be provided by
another underlying mechanism such
as IPSec.
-
-Harrison Expires September 2003 [Page 13]
-\f
- Authentication Methods for LDAPv3
-
S2 A8 ? identity could be provided by
another underlying mechanism such
as IPSec.
S3 A8 and D2=NO S3 Error: InvalidCredentials
S3 A8 and D2=YES S8
S4 A1 S1
- S4 A2 S4 Error: Inappropriate Authentication
+ S4 A2 S1 Error: Inappropriate Authentication
S4 A3 S5
S4 A4 S6
S4 A5 S1
another underlying mechanism such
as IPSec.
S5 A1 S2
- S5 A2 S5 Error: Inappropriate Authentication
+ S5 A2 S2 Error: Inappropriate Authentication
S5 A5 S1
S5 A6 S5
S5 A7 ? identity could be provided by
another underlying mechanism such
as IPSec.
S6 A1 S3
- S6 A2 S6 Error: Inappropriate Authentication
+ S6 A2 S2 Error: Inappropriate Authentication
+
+Harrison Expires April 2004 [Page 15]
+\f
+Internet-Draft LDAP Authentication Methods 7 October 2003
+
S6 A5 S1
S6 A6 S6
S6 A7 and D1=NO S6 Error: InvalidCredentials
S6 A7 and D1=YES S7
- S6 A8 and D2=NO S6 Error: InvalidCredentials
+ S6 A8 and D2=NO S3 Error: InvalidCredentials
S6 A8 and D2=YES S8
S7 A1 S3
- S7 A2 S7 Error: Inappropriate Authentication
+ S7 A2 S2 Error: Inappropriate Authentication
S7 A5 S1
S7 A6 S6
S7 A7 S7
S7 A8 and D2=NO S3 Error: InvalidCredentials
S7 A8 and D2=YES S8
S8 A1 S3
- S8 A2 S8 Error: Inappropriate Authentication
+ S8 A2 S2 Error: Inappropriate Authentication
S8 A5 S1
S8 A6 S6
-
-Harrison Expires September 2003 [Page 14]
-\f
- Authentication Methods for LDAPv3
-
S8 A7 and D1=NO S6 Error: InvalidCredentials
S8 A7 and D1=YES S7
S8 A8 S8
+ Any A9 S1 See [Protocol] section 4.2.1.
-7. Anonymous Authentication
+6. Anonymous Authentication
Directory operations that modify entries or access protected
attributes or entries generally require client authentication.
access sensitive information in directory entries.
LDAP implementations MUST support anonymous authentication, as
- defined in section 7.1.
+ defined in section 6.1.
LDAP implementations MAY support anonymous authentication with TLS,
- as defined in section 7.2.
+ as defined in section 6.2.
While there MAY be access control restrictions to prevent access to
directory entries, an LDAP server SHOULD allow an anonymously-bound
by the lower layers or external means to grant or deny access even
to anonymously authenticated clients.
-7.1. Anonymous Authentication Procedure
+6.1. Anonymous Authentication Procedure
- An LDAPv3 client that has not successfully completed a bind
- operation on a connection is anonymously authenticated. See section
- 4.3.3.
+ Prior to successfully completing a Bind operation, the LDAP
+ association is anonymous. See section 3.1.
+
+
+
+Harrison Expires April 2004 [Page 16]
+\f
+Internet-Draft LDAP Authentication Methods 7 October 2003
- An LDAP client MAY also choose to explicitly bind anonymously. A
- client that wishes to do so MUST choose the simple authentication
- option in the Bind Request (see section 4.1) and set the password to
- be of zero length. (This is often done by LDAPv2 clients.) Typically
- the name is also of zero length.
+ An LDAP client may also explicitly establish an anonymous
+ association. A client that wishes to do so MUST choose the simple
+ authentication option in the Bind Request and set the password to be
+ of zero length. (This is often done by LDAPv2 clients.) Typically
+ the name is also of zero length. A bind request where both the name
+ and password are of zero length is said to be an anonymous bind. A
+ bind request where the name, a DN, is of non-zero length, and the
+ password is of zero length is said to be an unauthenticated bind.
+ Both variations produce an anonymous association.
-7.2. Anonymous Authentication and TLS
+6.2. Anonymous Authentication and TLS
An LDAP client MAY use the Start TLS operation (section 5) to
- negotiate the use of TLS security [RFC2246]. If the client has not
- bound beforehand, then until the client uses the EXTERNAL SASL
- mechanism to negotiate the recognition of the client's certificate,
- the client is anonymously authenticated.
+ negotiate the use of [TLS] security. If the client has not bound
+ beforehand, then until the client uses the EXTERNAL SASL mechanism
+ to negotiate the recognition of the client's certificate, the client
+ is anonymously authenticated.
- Recommendations on TLS ciphersuites are given in section 10.
+ Recommendations on TLS ciphersuites are given in section 9.
An LDAP server which requests that clients provide their certificate
during TLS negotiation MAY use a local security policy to determine
-
-
-Harrison Expires September 2003 [Page 15]
-\f
- Authentication Methods for LDAPv3
-
whether to successfully complete TLS negotiation if the client did
not present a certificate which could be validated.
-8. Password-based Authentication
+7. Password-based Authentication
This section discusses various options for performing password-based
- authentication to LDAPv3 compliant servers and the environments
+ authentication to LDAP compliant servers and the environments
suitable for their use.
-8.1. Simple Authentication
+7.1. Simple Authentication
The LDAP "simple" authentication choice is not suitable for
authentication in environments where there is no network or
transport layer confidentiality. LDAP implementations SHOULD support
authentication with the "simple" authentication choice when the
connection is protected against eavesdropping using TLS, as defined
- in section 5. LDAP implementations SHOULD NOT support authentication
+ in section 4. LDAP implementations SHOULD NOT support authentication
with the "simple" authentication choice unless the data on the
connection is protected using TLS or other data confidentiality and
data integrity protection.
-8.2. Digest Authentication
-
- LDAP servers that implement any password-based authentication method
- MUST support authentication with a password using the DIGEST-MD5
- SASL mechanism for password protection.
-
- An LDAP client MAY determine whether the server supports this
- mechanism by performing a search request on the root DSE, requesting
- the supportedSASLMechanisms attribute, and checking whether the
- string "DIGEST-MD5" is present as a value of this attribute.
-
- In the first stage of authentication, when the client is performing
- an "initial authentication" as defined in section 2.1 of [RFC2831],
- the client sends a bind request in which the version number is 3,
- the authentication choice is sasl, the sasl mechanism name is
- "DIGEST-MD5", and the credentials are absent. The client then waits
- for a response from the server to this request.
-
- The server will respond with a bind response in which the resultCode
- is saslBindInProgress, and the serverSaslCreds field is present. The
- contents of this field is a string defined by "digest-challenge" in
- section 2.1.1 of [RFC2831]. The server SHOULD include a realm
- indication and MUST indicate support for UTF-8.
-
- The client will send a bind request with a distinct message id, in
- which the version number is 3, the authentication choice is sasl,
- the sasl mechanism name is "DIGEST-MD5", and the credentials contain
- the string defined by "digest-response" in section 2.1.2 of
- [RFC2831]. The serv-type is "ldap".
-
- The server will respond with a bind response in which the resultCode
- is either success, or an error indication. If the authentication is
- successful and the server does not support subsequent
-
-Harrison Expires September 2003 [Page 16]
-\f
- Authentication Methods for LDAPv3
-
- authentication, then the credentials field is absent. If the
- authentication is successful and the server supports subsequent
- authentication, then the credentials field contains the string
- defined by "response-auth" in section 2.1.3 of [RFC2831]. Support
- for subsequent authentication is OPTIONAL in clients and servers.
+7.2. Digest Authentication
+
+ LDAP servers that implement any authentication method or mechanism
+ (other than simple anonymous bind) MUST implement the SASL
+ DIGEST-MD5 mechanism [DigestAuth].
+
+ Support for subsequent authentication is OPTIONAL in clients and
+ servers.
+
+
+
-8.3. "simple" authentication choice under TLS encryption
+Harrison Expires April 2004 [Page 17]
+\f
+Internet-Draft LDAP Authentication Methods 7 October 2003
+
+ Implementors must take care to ensure that they maintain the
+ semantics of the DIGEST-MD5 specification even when handling data
+ that has different semantics in the LDAP protocol.
+ For example, the SASL DIGEST-MD5 authentication mechanism utilizes
+ realm and username values ([DigestAuth section 2.1) which are
+ syntactically simple strings and semsantically simple realm and
+ username values. These values are not LDAP DNs, and there is no
+ requirement that they be represented or treated as such. Username
+ and realm values that look like LDAP DNs in form, e.g. "cn=bob,
+ o=Ace Industry ", are syntactically allowed, however DIGEST-MD5
+ treats them as simple strings for comparison purposes. To illustrate
+ further, the two DNs "cn=bob, o=Ace Industry" (space between RDNs)
+ and "cn=bob,o=Ace Industry" (no space between RDNs) would be
+ equivalent when being compared semantically as LDAP DNs, however
+ they are not equivalent if they were used to represent username
+ values in DIGEST-MD5 because simple octet-wise comparision semantics
+ are used by DIGEST-MD5.
+
+
+7.3. "simple" authentication choice under TLS encryption
Following the negotiation of an appropriate TLS ciphersuite
- providing connection confidentiality [RFC2246], a client MAY
- authenticate to a directory that supports the simple authentication
- choice by performing a simple bind operation.
+ providing connection confidentiality, a client MAY authenticate to a
+ directory that supports the simple authentication choice by
+ performing a simple bind operation
- The client will use the Start TLS operation [Protocol] to negotiate
- the use of TLS security [RFC2246] on the connection to the LDAP
- server. The client need not have bound to the directory beforehand.
+ Simple authentication with TLS encryption protection is performed as
+ follows:
- For this authentication procedure to be successful, the client and
- server MUST negotiate a ciphersuite which contains a bulk encryption
- algorithm of appropriate strength. Recommendations on cipher suites
- are given in section 10.
+ 1. The client will use the Start TLS operation [Protocol] to
+ negotiate the use of TLS security [TLS] on the connection to
+ the LDAP server. The client need not have bound to the
+ directory beforehand.
+
+ For the subsequent authentication procedure to be performed
+ securely, the client and server MUST negotiate a ciphersuite
+ which contains a bulk encryption algorithm of appropriate
+ strength. Recommendations on cipher suites are given in
+ section 9.
- Following the successful completion of TLS negotiation, the client
- MUST send an LDAP bind request with the version number of 3, the
- name field containing a DN, and the "simple" authentication choice,
- containing a password.
+ 2. Following the successful completion of TLS negotiation, the
+ client MUST send an LDAP bind request with the version number
+ of 3, the name field containing a DN, and the "simple"
+ authentication choice, containing a password.
-8.3.1. "simple" Authentication Choice
+7.3.1. "simple" Authentication Choice
DSAs that map the DN sent in the bind request to a directory entry
with an associated set of one or more passwords will compare the
presented password to the set of passwords associated with that
- entry. If there is a match, then the server will respond with
- resultCode success, otherwise the server will respond with
- resultCode invalidCredentials.
+ entry. If the presented password matches any member of that set,
+ then the server will respond with a success resultCode, otherwise
+ the server will respond with an invalidCredentials resultCode.
-8.4. Other authentication choices with TLS
+
+Harrison Expires April 2004 [Page 18]
+\f
+Internet-Draft LDAP Authentication Methods 7 October 2003
+
+7.4. Other authentication choices with TLS
It is also possible, following the negotiation of TLS, to perform a
SASL authentication that does not involve the exchange of plaintext
negotiate a ciphersuite that provides confidentiality if the only
service required is data integrity.
-9. Certificate-based authentication
+8. Certificate-based authentication
LDAP server implementations SHOULD support authentication via a
- client certificate in TLS, as defined in section 5.2.2.
+ client certificate in TLS, as defined in section 8.1.
-9.1. Certificate-based authentication with TLS
+8.1. Certificate-based authentication with TLS
A user who has a public/private key pair in which the public key has
been signed by a Certification Authority may use this key pair to
authenticate to the directory server if the user's certificate is
-
-Harrison Expires September 2003 [Page 17]
-\f
- Authentication Methods for LDAPv3
-
requested by the server. The user's certificate subject field SHOULD
be the name of the user's directory entry, and the Certification
Authority that issued the user's certificate must be sufficiently
configured to support certificates for which no mapping is required.
The client will use the Start TLS operation [Protocol] to negotiate
- the use of TLS security [RFC2246] on the connection to the LDAP
- server. The client need not have bound to the directory beforehand.
+ the use of TLS security [TLS] on the connection to the LDAP server.
+ The client need not have bound to the directory beforehand.
In the TLS negotiation, the server MUST request a certificate. The
client will provide its certificate to the server, and the server
In deployments that require protection of sensitive data in transit,
the client and server MUST negotiate a ciphersuite that contains a
bulk encryption algorithm of appropriate strength. Recommendations
- of cipher suites are given in section 10.
+ of cipher suites are given in section 9.
The server MUST verify that the client's certificate is valid. The
server will normally check that the certificate is issued by a known
Following the successful completion of TLS negotiation, the client
will send an LDAP bind request with the SASL "EXTERNAL" mechanism.
-10. TLS Ciphersuites
+9. TLS Ciphersuites
+
+Harrison Expires April 2004 [Page 19]
+\f
+Internet-Draft LDAP Authentication Methods 7 October 2003
+
- The following ciphersuites defined in [RFC2246] MUST NOT be used for
+ A client or server that supports TLS MUST support
+ TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA and MAY support other ciphersuites
+ offering equivalent or better protection.
+
+ Several issues should be considered when selecting TLS ciphersuites
+ that are appropriate for use in a given circumstance. These issues
+ include the following:
+
+ - The ciphersuite's ability to provide adequate confidentiality
+ protection for passwords and other data sent over the LDAP
+ connection. Client and server implementers should recognize that
+ some TLS ciphersuites provide no confidentiality protection
+ while other ciphersuites that do provide confidentiality
+ protection may be vulnerable to being cracked using brute force
+ methods, especially in light of ever-increasing CPU speeds that
+ reduce the time needed to successfully mount such attacks.
+
+ Client and server implementers SHOULD carefully consider the
+ value of the password or data being protected versus the level
+ of confidentially protection provided by the ciphersuite to
+ ensure that the level of protection afforded by the ciphersuite
+ is appropriate.
+
+ - The ciphersuite's vulnerability (or lack thereof) to man-in-the-
+ middle attacks. Ciphersuites vulnerable to man-in-the-middle
+ attacks SHOULD NOT be used to protect passwords or sensitive
+ data, unless the network configuration is such that the danger
+ of a man-in-the-middle attack is tolerable.
+
+9.1. TLS Ciphersuites Recommendations
+
+ As of the writing of this document, the following recommendations
+ regarding TLS ciphersuites are applicable. Because circumstances are
+ constantly changing, this list must not be considered exhaustive,
+ but is hoped that it will serve as a useful starting point for
+ implementers.
+
+ The following ciphersuites defined in [TLS] MUST NOT be used for
confidentiality protection of passwords or data:
TLS_NULL_WITH_NULL_NULL
TLS_RSA_WITH_NULL_MD5
TLS_RSA_WITH_NULL_SHA
- The following ciphersuites defined in [RFC2246] can be cracked
- easily (less than a day of CPU time on a standard CPU in 2000).
- These ciphersuites are NOT RECOMMENDED for use in confidentiality
- protection of passwords or data. Client and server implementers
- SHOULD carefully consider the value of the password or data being
- protected before using these ciphersuites:
+ The following ciphersuites defined in [TLS] can be cracked easily
+ (less than a day of CPU time on a standard CPU in 2000) and are NOT
+ RECOMMENDED for use in confidentiality protection of passwords or
+ data.
TLS_RSA_EXPORT_WITH_RC4_40_MD5
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
+ TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA
-Harrison Expires September 2003 [Page 18]
+Harrison Expires April 2004 [Page 20]
\f
- Authentication Methods for LDAPv3
+Internet-Draft LDAP Authentication Methods 7 October 2003
- TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA
TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA
The following ciphersuites are vulnerable to man-in-the-middle
- attacks, and SHOULD NOT be used to protect passwords or sensitive
- data, unless the network configuration is such that the danger of a
- man-in-the-middle attack is tolerable:
+ attacks:
TLS_DH_anon_EXPORT_WITH_RC4_40_MD5
TLS_DH_anon_WITH_RC4_128_MD5
TLS_DH_anon_WITH_DES_CBC_SHA
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
- A client or server that supports TLS MUST support
- TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA and MAY support other ciphersuites
- offering equivalent or better protection.
+
-11. Security Considerations
+10. Security Considerations
Security issues are discussed throughout this memo; the
(unsurprising) conclusion is that mandatory security is important
and that session confidentiality protection is required when
snooping is a problem.
- Servers are encouraged to prevent modifications by anonymous users.
+ Servers are encouraged to prevent modifications by anonymous users.
+
Servers may also wish to minimize denial of service attacks by
timing out idle connections, and returning the unwillingToPerform
- result code rather than performing computationally expensive
+ resultCode rather than performing computationally expensive
operations requested by unauthorized clients.
- Operational experience shows that clients can misuse unauthenticated
- access (simple bind with name but no password). For this reason,
- servers SHOULD by default reject authentication requests that have a
- DN with an empty password with an error of invalidCredentials.
+ The use of cleartext passwords is strongly discouraged over open
+ networks when the underlying transport service cannot guarantee
+ confidentiality.
- Access control SHOULD be applied when reading sensitive information
- or updating directory information.
+ Operational experience shows that clients can misuse unauthenticated
+ access (simple bind with name but no password). For example, a
+ client program might authenticate a user via LDAP and then grant
+ access to information not stored in the directory on the basis of
+ completing a successful bind. Some implementations will return a
+ success response to a simple bind that consists of a user name and
+ an empty password thus leaving the impression that the client has
+ successfully authenticated the identity represented by the user
+ name, when in reality, the directory server has simply performed an
+ anonymous bind. For this reason, servers SHOULD by default reject
+ authentication requests that have a DN with an empty password with
+ an error of invalidCredentials.
+
+ Access control SHOULD always be applied when reading sensitive
+ information or updating directory information.
A connection on which the client has not performed the Start TLS
operation or negotiated a suitable SASL mechanism for connection
+
+
+Harrison Expires April 2004 [Page 21]
+\f
+Internet-Draft LDAP Authentication Methods 7 October 2003
+
integrity and encryption services is subject to man-in-the-middle
attacks to view and modify information in transit.
-11.1. Start TLS Security Considerations
+10.1. Start TLS Security Considerations
The goals of using the TLS protocol with LDAP are to ensure
connection confidentiality and integrity, and to optionally provide
- for authentication. TLS expressly provides these capabilities, as
- described in [RFC2246].
-
-Harrison Expires September 2003 [Page 19]
-\f
- Authentication Methods for LDAPv3
-
+ for authentication. [TLS] expressly provides these capabilities.
All security gained via use of the Start TLS operation is gained by
the use of TLS itself. The Start TLS operation, on its own, does not
via TLS is required.
Additional security considerations relating to the EXTERNAL
- mechanism to negotiate TLS can be found in [RFC2222] and [RFC2246].
+ mechanism to negotiate TLS can be found in [SASL] and [TLS].
+11. IANA Considerations
-12. Acknowledgements
+ The following IANA considerations apply to this document:
+
+ Please update the GSSAPI service name registry to point to [Roadmap]
+ and this document.
+
+Harrison Expires April 2004 [Page 22]
+\f
+Internet-Draft LDAP Authentication Methods 7 October 2003
+
+ [To be completed]
+
+Contributors
+
This document combines information originally contained in RFC 2829
- and RFC 2830. The author acknowledges the work of Harald Tveit
+ and RFC 2830. The editor acknowledges the work of Harald Tveit
Alvestrand, Jeff Hodges, Tim Howes, Steve Kille, RL "Bob" Morgan ,
and Mark Wahl, each of whom authored one or more of these documents.
- RFC 2829 and RFC 2830 were products of the IETF LDAPEXT Working
- Group. RFC 2251 was a product of the ASID Working Group.
+Acknowledgements
+
This document is based upon input of the IETF LDAP Revision working
- group. The contributions of its members is greatly appreciated.
+ group. The contributions and suggestions made by its members in
+ shaping the contents and technical accuracy of this document is
+ greatly appreciated.
-13. Normative References
-
-Harrison Expires September 2003 [Page 20]
-\f
- Authentication Methods for LDAPv3
-
+Normative References
[RFC2119] Bradner, S., "Key Words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
- [RFC2222] Myers, J., "Simple Authentication and Security Layer
- (SASL)", draft-myers-saslrev-xx.txt, a work in progress.
-
[RFC2234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", RFC 2234, November 1997.
- [RFC2246] Dierks, T. and C. Allen. "The TLS Protocol Version 1.0",
- RFC 2246, January 1999.
-
- [RFC2831] Leach, P. and C. Newman, "Using Digest Authentication as
- a SASL Mechanism", RFC 2831, May 2000.
+ [DigestAuth] Leach, P. C. Newman, and A. Melnikov, "Using Digest
+ Authentication as a SASL Mechanism", draft-ietf-sasl-rfc2831bis-
+ xx.txt, a work in progress.
[LDAPDN] Zeilenga, Kurt D. (editor), "LDAP: String Representation of
Distinguished Names", draft-ietf-ldapbis-dn-xx.txt, a work in
progress.
+ [Model] Zeilenga, Kurt D. (editor), "LDAP: Directory Information
+ Models", draft-ietf-ldapbis-models-xx.txt, a work in progress.
+
[Protocol] Sermersheim, J., "LDAP: The Protocol", draft-ietf-
ldapbis-protocol-xx.txt, a work in progress.
- [ROADMAP] K. Zeilenga, "LDAP: Technical Specification Road Map",
+ [Roadmap] K. Zeilenga, "LDAP: Technical Specification Road Map",
draft-ietf-ldapbis-roadmap-xx.txt, a work in progress.
-
-14. Informative References
+
+ [SASL] Melnikov, A. (editor), "Simple Authentication and Security
+ Layer (SASL)", draft-ietf-sasl-rfc2222bis-xx.txt, a work in
+ progress.
+
+ [Syntaxes] Legg, S. (editor), "LDAP: Syntaxes and Matching Rules",
+ draft-ietf-ldapbis-syntaxes-xx.txt, a work in progress.
+
+ [TLS] Dierks, T. and C. Allen. "The TLS Protocol Version 1.1",
+ draft-ietf-tls-rfc2246-bis-xx.txt, a work in progress.
+
+ [UTF-8] Yergeau, F., "UTF-8, a transformation format of ISO 10646",
+ RFC 2279, January 1998.
+
+Harrison Expires April 2004 [Page 23]
+\f
+Internet-Draft LDAP Authentication Methods 7 October 2003
- [RFC2828] Shirey, R., "Internet Security Glossary", RFC 2828, May
+
+ [Unicode] International Organization for Standardization, "Universal
+ Multiple-Octet Coded Character Set (UCS) - Architecture and
+ Basic Multilingual Plane", ISO/IEC 10646-1 : 1993.
+
+Informative References
+
+ [ANONYMOUS] Zeilenga, K.,"Anonymous SASL Mechanism", draft-zeilenga-
+ sasl-anon-xx.txt, a work in progress.
+
+ [PLAIN] Zeilenga, K.,"Plain SASL Mechanism", draft-zeilenga-sasl-
+ plain-xx.txt, a work in progress.
+
+ [RFC2828] Shirey, R., "Internet Security Glossary", RFC 2828, May
2000.
[RFC2401] Kent, S. and R. Atkinson, "Security Architecture for the
Internet Protocol", RFC 2401, November 1998.
-15. Author's Address
+Author's Address
Roger Harrison
Novell, Inc.
+1 801 861 2642
roger_harrison@novell.com
-16. Full Copyright Statement
+Full Copyright Statement
- Copyright (C) The Internet Society (2000). All Rights Reserved.
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph
are included on all such copies and derivative works. However, this
-
-Harrison Expires September 2003 [Page 21]
-\f
- Authentication Methods for LDAPv3
-
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+
+Harrison Expires April 2004 [Page 24]
+\f
+Internet-Draft LDAP Authentication Methods 7 October 2003
+
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
sensitive authentication information AND data integrity for all
authentication information.
-
-Harrison Expires September 2003 [Page 22]
-\f
- Authentication Methods for LDAPv3
-
(5) A directory containing sensitive data. This scenario requires
data confidentiality protection AND secure authentication.
An access control policy is a set of rules defining the protection
of resources, generally in terms of the capabilities of persons or
other entities accessing those resources. A common expression of an
+
+Harrison Expires April 2004 [Page 25]
+\f
+Internet-Draft LDAP Authentication Methods 7 October 2003
+
access control policy is an access control list. Security objects
and mechanisms, such as those described here, enable the expression
of access control policies and their enforcement. Access control
- policies are typically expressed in terms of access control
- attributes as described below.
+ policies are typically expressed in terms of access control factors
+ as described below.
B.2. Access Control Factors
mechanism may constrain the form of authentication identities used
with it.
-Harrison Expires September 2003 [Page 23]
-\f
- Authentication Methods for LDAPv3
-
-
B.4. Authorization Identity
An authorization identity is one kind of access control factor. It
identity distinct from the authentication identity asserted by the
client's credentials. This permits agents such as proxy servers to
authenticate using their own credentials, yet request the access
- privileges of the identity for which they are proxying [RFC2222].
- Also, the form of authentication identity supplied by a service like
- TLS may not correspond to the authorization identities used to
- express a server's access control policy, requiring a server-
- specific mapping to be done. The method by which a server composes
- and validates an authorization identity from the authentication
- credentials supplied by a client is implementation-specific.
+
+Harrison Expires April 2004 [Page 26]
+\f
+Internet-Draft LDAP Authentication Methods 7 October 2003
+
+ privileges of the identity for which they are proxying [SASL]. Also,
+ the form of authentication identity supplied by a service like TLS
+ may not correspond to the authorization identities used to express a
+ server's access control policy, requiring a server-specific mapping
+ to be done. The method by which a server composes and validates an
+ authorization identity from the authentication credentials supplied
+ by a client is implementation-specific.
Appendix C. RFC 2829 Change History
C.0. General Editorial Changes
Version -00
- - Changed other instances of the term LDAP to LDAPv3 where v3 of
- the protocol is implied. Also made all references to LDAPv3 use
- the same wording.
+ - Changed other instances of the term LDAP to LDAP where v3 of the
+ protocol is implied. Also made all references to LDAP use the
+ same wording.
- Miscellaneous grammatical changes to improve readability.
Version -01
-
-Harrison Expires September 2003 [Page 24]
-\f
- Authentication Methods for LDAPv3
-
- Moved section to an appendix.
C.3. Changes to Section 3
- Changed "Distinguished Name" to "LDAP distinguished name".
C.5. Changes to Section 5
+
+Harrison Expires April 2004 [Page 27]
+\f
+Internet-Draft LDAP Authentication Methods 7 October 2003
+
Version -00
authentication unless confidentiality and data integrity
mechanisms are in force.
-
-
-Harrison Expires September 2003 [Page 25]
-\f
- Authentication Methods for LDAPv3
-
2. Moved first paragraph of section 6 (beginning with "LDAP
- implementations MUST support authentication with a passwordà ")
+ implementations MUST support authentication with a password...")
to section on Digest Authentication (Now section 6.2).
C.6.1. Changes to Section 6.1.
Version -00 Renamed section to 6.2
- Added sentence from original section 6 indicating that the
- DIGEST-MD5 SASL mechanism is required for all conforming LDAPv3
+ DIGEST-MD5 SASL mechanism is required for all conforming LDAP
implementations
C.6.2. Changes to Section 6.2
Version -00
+
+Harrison Expires April 2004 [Page 28]
+\f
+Internet-Draft LDAP Authentication Methods 7 October 2003
+
- Renamed section to 6.3
- Reworded first paragraph to remove reference to user and the
C.8. Changes to section 8.
-
-Harrison Expires September 2003 [Page 26]
-\f
- Authentication Methods for LDAPv3
-
Version -00
- Removed the first paragraph because simple authentication is
for Other Security Services) to bring material on SASL
mechanisms together into one location.
+Harrison Expires April 2004 [Page 29]
+\f
+Internet-Draft LDAP Authentication Methods 7 October 2003
+
+
C.9. Changes to section 9.
Version -00
and server implementers SHOULD" to sentence just prior the
second list of ciphersuites.
-
-
-Harrison Expires September 2003 [Page 27]
-\f
- Authentication Methods for LDAPv3
-
- Added text: "and MAY support other ciphersuites offering
equivalent or better protection," to the last paragraph of the
section.
- Inserted new section 12 that specifies when SASL protections
begin following SASL negotiation, etc. The original section 12
is renumbered to become section 13.
+
+Harrison Expires April 2004 [Page 30]
+\f
+Internet-Draft LDAP Authentication Methods 7 October 2003
+
Version -01
- All material from section 4.2 of RFC 2251 was moved into this
document.
-
-Harrison Expires September 2003 [Page 28]
-\f
- Authentication Methods for LDAPv3
-
- A new section was created for the Bind Request
- Section 4.2.1 of RFC 2251 (Sequencing Bind Request) was moved
F.1. Changes for draft-ldap-bis-authmeth-02
General
+
+Harrison Expires April 2004 [Page 31]
+\f
+Internet-Draft LDAP Authentication Methods 7 October 2003
+
- Added references to other LDAP standard documents, to sections
within the document, and fixed broken references.
- - General editorial changesùpunctuation, spelling, formatting,
+ - General editorial changes--punctuation, spelling, formatting,
etc.
Section 1.
statement and one that prohibited use of ANONYMOUS and PLAIN
SASL mechanisms.)
-
-Harrison Expires September 2003 [Page 29]
-\f
- Authentication Methods for LDAPv3
-
Section 5.3.6
- Added a.x.bar.com to wildcard matching example on hostname
- Brought security terminology in line with IETF security glossary
throughout the appendix.
+
+Harrison Expires April 2004 [Page 32]
+\f
+Internet-Draft LDAP Authentication Methods 7 October 2003
+
F.2. Changes for draft-ldap-bis-authmeth-03
General
- Generalized the language of this section to not refer to any
specific password attribute or to refer to the directory entry
as a "user" entry.
-
-Harrison Expires September 2003 [Page 30]
-\f
- Authentication Methods for LDAPv3
-
Section 11
General
+
+
+Harrison Expires April 2004 [Page 33]
+\f
+Internet-Draft LDAP Authentication Methods 7 October 2003
+
- Changed references to use [RFCnnnn] format wherever possible.
(References to works in progress still use [name] format.)
- Various edits to correct typos and bring field names, etc. in
-
Section 13
-
-Harrison Expires September 2003 [Page 31]
-\f
- Authentication Methods for LDAPv3
-
- Verified all normative references and moved informative
references to a new section 14.
several changes to correct improper usage.
Abstract
+
+
+Harrison Expires April 2004 [Page 34]
+\f
+Internet-Draft LDAP Authentication Methods 7 October 2003
+
- Updated to match current contents of documents. This was needed
due to movement of material on Bind and Start TLS operations to
[Protocol] in this revision.
Section 3.
- - Renamed section to "Rationale for LDAPv3 Security Mechanisms"
- and removed text that did not support this theme. Part of the
+ - Renamed section to "Rationale for LDAP Security Mechanisms" and
+ removed text that did not support this theme. Part of the
motivation for this change was to remove the implication of the
previous section title, "Required Security Mechanisms", and
other text found in the section that everything in the section
mechanisms not explicitly mentioned in this document.
Section 4.4.1.
-
-Harrison Expires September 2003 [Page 32]
-\f
- Authentication Methods for LDAPv3
-
- Added paragraph beginning, "The dnAuthzID choice allows client
applications..." to clarify whether DN form authorization
section.
Section 5.1.7.
+
+Harrison Expires April 2004 [Page 35]
+\f
+Internet-Draft LDAP Authentication Methods 7 October 2003
+
- Wording from section 3 paragraph beginning " If TLS is
negotiated, the client MUST discard all information..." was
- Began changes to incorporate information on deployment scenarios
removed from section 3.
+
+F.5. Changes for draft-ldap-bis-authmeth-06
+
+
+ General
+
+ - Combined Section 2 (Introduction) and Section 3 (Motivation) and
+ moved Introduction to section 1. All following sections numbers
+ were decremented by one as result.
+
+ - Edits to fix typos, I-D nits, etc.
+ - Opened several new issues in Appendix G based on feedback from
+ WG. Some of these have been resolved. Others require further
+ discussion.
+
+ Section 1
+Harrison Expires April 2004 [Page 36]
+\f
+Internet-Draft LDAP Authentication Methods 7 October 2003
-Harrison Expires September 2003 [Page 33]
+
+ - Added additional example of spoofing under threat (7).
+
+ Section 2.1
+
+ - Changed definition of "LDAP association" and added terms,
+ "connection" and "TLS connection" to bring usage in line with
+ [Protocol].
+
+ Section 4.1.6
+
+ - Clarified sentence stating that the client MUST NOT use derived
+ forms of DNS names.
+
+ Section 5.1
+
+ - Began edits to LDAP Association state table to clarify meaning
+ of various states and actions.
+
+ - Added action A9 to cover abandoned bind operation and added
+ appropriate transitions to the state transition table to
+ accommodate it.
+
+ Section 7.2
+
+ - Replaced first paragraph to clarify that the "DIGEST-MD5" SASL
+ mechanism is required to implement.
+
+ Section 9
+
+ - Rewrote the section to make the advice more applicable over the
+ long term, i.e. more "timeless." The intent of content in the
+ original section was preserved.
+
+ Section 10
+
+ - Added a clarifying example to the consideration regarding misuse
+ of unauthenticated access.
+
+F.6. Changes for draft-ldap-bis-authmeth-07
+
+
+ General
+
+ - Updated external and internal references to accommodate changes
+ in recent drafts.
+
+ - Opened several new issues in Appendix G based on feedback from
+ WG. Some of these have been resolved. Others require further
+ discussion.
+
+ Section 3
+
+
+
+Harrison Expires April 2004 [Page 37]
+\f
+Internet-Draft LDAP Authentication Methods 7 October 2003
+
+ - Rewrote much of section 3.3 to mee the SASL profile requirements
+ of draft-ietf-sasl-rfc2222bis-xx.txt section 5.
+
+ - Changed treatement of SASL ANONYMOUS and PLAIN mechanisms to
+ bring in line with WG consensus.
+
+ Section 4
+
+ - Note to implementers in section 4.1.1 based on operational
+ experience.
+
+ - Clarification on client continuing by performing a Start TLS
+ with TLS already established in section 4.1.4.
+
+ - Moved verification of mapping of client's authentication ID to
+ asserted authorization ID to apply only to explicit assertion.
+ The local policy in place for implicit assertion is adequate.
+
+ Section 7
+
+ - Removed most of section 7.2 as the information is now covered
+ adequately via the new SASL profile in section 3.3. Added note
+ to implementors regarding the treatment of username and realm
+ values in DIGEST-MD5.
+
+ - Section 7.3. Minor clarifications in wording.
+
+ - Section 7.3.1. Clarification that a match of the presented value
+ to any member of the set of stored passwords constitutes a
+ successful authentication.
+
+F.6. Changes for draft-ldap-bis-authmeth-08
+
+
+ General
+
+ - Changed usage from LDAPv3 to LDAP for usage consistency across
+ LDAP technical specification.
+ - Fixed a number of usage nits for consistency and to bring doc in
+ conformance with publication guidelines.
+
+ Abstract
+
+ - Significant cleanup and rewording of abstract based on WG
+ feedback.
+
+ Section 2.1
+
+ - New definition of user.
+
+ Section 3
+
+ - Added 1.5 sentences at end of introductory paragraph indicating
+ the effect of the Bind op on the LDAP association.
+
+Harrison Expires April 2004 [Page 38]
\f
- Authentication Methods for LDAPv3
+Internet-Draft LDAP Authentication Methods 7 October 2003
+
+ Section 3.1
+
+ - Retitled section and clarified wording
+
+ Section 3.2
+
+ - Clarified that simple authentication choice provides three types
+ of authentication: anonymous, unauthenticated, and simple
+ password.
+
+ Section 3.3.3
+
+ - New wording clarifying when negotiated security mechanisms take
+ effect.
+
+ Section 3.3.5
+
+ - Changed requirement to discard information about server fetched
+ prior to SASL negotion from MUST to SHOULD to allow for
+ information obtained through secure mechanisms.
+
+ Section 3.3.6
+
+ - Simplified wording of first paragraph based on suggestion from
+ WG.
+
+ Section 3.4
+
+ - Minor clarifications in wording.
+
+ Section 3.4.1
+
+ - Minor larifications in wording in first sentence.
+ - Explicitly called out that the DN value in the dnAuthzID form is
+ to be matched using DN matching rules.
+ - Called out that the uAuthzID MUST be prepared using SASLprep
+ rules before being compared.
+ - Clarified requirement on assuming global uniqueness by changing
+ a "generally... MUST" wording to "SHOULD".
+
+ Section 4.1.1
+
+ - Simplified wording describing conditions when Start TLS cannot
+ be sent.
+ - Simplified wording in note to implementers regarding race
+ condition with outstanding LDAP operations on connection.
+
+ Section 4.1.5
+
+ - Removed section and moved relevant text to section 4.2.2.
+
+ Section 4.1.6
+
+
+Harrison Expires April 2004 [Page 39]
+\f
+Internet-Draft LDAP Authentication Methods 7 October 2003
+
+ - Renumbered to 4.1.5.
+ - Updated server identity check rules for server's name based on
+ WG list discussion.
+
+ Section 4.1.7
+
+ - Renumbered to 4.1.6
+ - Changed requirement to discard information about server fetched
+ prior to TLS negotion from MUST to SHOULD to allow for
+ information obtained through secure mechanisms.
+
+ Section 6.1
+
+ - Clarified wording.
+ - Added definition of anonymous and unauthenticated binds.
+
+ Section 10
+
+ - Added security consideration (moved from elsewhere) discouraging
+ use of cleartext passwords on unprotected communication
+ channels.
+
+ Section 11
+
+ - Added an IANA consideration to update GSSAPI service name
+ registry to point to [Roadmap] and [Authmeth]
+
Appendix G. Issues to be Resolved
This appendix lists open questions and issues that need to be
Section 2, deployment scenario 2: What is meant by the term "secure
authentication function?"
+
+Harrison Expires April 2004 [Page 40]
+\f
+Internet-Draft LDAP Authentication Methods 7 October 2003
+
Status: resolved. Based on the idea that a "secure authentication
function" could be provided by TLS, I changed the wording to require
reference is simply too arcane to be left in place. In -03 the text
has been modified to focus on the need to either update password
information in a protected fashion outside of the protocol or to
-
-
-Harrison Expires September 2003 [Page 34]
-\f
- Authentication Methods for LDAPv3
-
update it in session well protected against snooping, and the
reference to /etc/passwd has been removed.
Section 4 paragraph 9 indicates that clients SHOULD check the
supportedSASLMechanisms list both before and after a SASL security
+
+Harrison Expires April 2004 [Page 41]
+\f
+Internet-Draft LDAP Authentication Methods 7 October 2003
+
layer is negotiated to ensure that they are using the best available
security mechanism supported mutually by the client and server. A
note at the end of the paragraph indicates that this is a SHOULD
G.9.
-
-Harrison Expires September 2003 [Page 35]
-\f
- Authentication Methods for LDAPv3
-
Section 6.3.1 states: "DSAs that map the DN sent in the bind request
to a directory entry with a userPassword attribute will... compare
[each value in the named user's entry]... with the presented
the bind request.
G.11. Meaning of LDAP Association
+
+Harrison Expires April 2004 [Page 42]
+\f
+Internet-Draft LDAP Authentication Methods 7 October 2003
+
The original RFC 2830 uses the term "LDAP association" in describing
a connection between an LDAP client and server regardless of the
defined in section 6.1."
The thing is for acl it would be nice (though not critical) to be
-
-Harrison Expires September 2003 [Page 36]
-\f
- Authentication Methods for LDAPv3
-
able to default the required authentication level for a subject to a
single "fairly secure" mechanism--if there is no such mandatory
authentication scheme then you cannot do that. (Source: Rob Byrne)
While I'm here...in 2829, I think it would be good to have some
comments or explicit reference to a place where the security
properties of the particular mandatory authentication schemes are
+
+Harrison Expires April 2004 [Page 43]
+\f
+Internet-Draft LDAP Authentication Methods 7 October 2003
+
outlined. When I say "security properties" I mean stuff like "This
scheme is vulnerable to such and such attacks, is only safe if the
key size is > 50, this hash is widely considered the best, etc...".
members indicate that additional description of each state's meaning
would be helpful.
-
-
-Harrison Expires September 2003 [Page 37]
-\f
- Authentication Methods for LDAPv3
-
G.16. Empty sasl credentials question
I spent some more time looking microscopically at ldap-auth-methods
solution! Wildcard match does not solve this problem. For these
reasons I am inclined to argue for 'SHOULD' instead of
'MUST' in paragraph...
+
+Harrison Expires April 2004 [Page 44]
+\f
+Internet-Draft LDAP Authentication Methods 7 October 2003
+
Also, The hostname check against the name in the certificate is a
very weak means of preventing man-in-the-middle attacks; the proper
afterward is a SHOULD. This gives server implementations the room to
maneuver as needed.
- G.18. Must SASL DN exist in the directory?
+G.18. Must SASL DN exist in the directory?
If the 'dn:' form of sasl creds is used, is it the intention of the
draft(ers) that this DN must exist in the directory and the client
We already know that if *no* sasl credentials are presented, the DN
or altname in the client certificate may be mapped to a DN in an
implementation-dependent fashion, or indeed to something not in the
-
-Harrison Expires September 2003 [Page 38]
-\f
- Authentication Methods for LDAPv3
-
directory at all. (Right?) (Source: ariel@columbia.edu via Jeff
Hodges)
G.20. Bind states
+
+Harrison Expires April 2004 [Page 45]
+\f
+Internet-Draft LDAP Authentication Methods 7 October 2003
+
Differences between unauthenticated and anonymous. There are four
states you can get into. One is completely undefined (this is now
explicitly called out in [Protocol]). This text needs to be moved
requests that have a DN with an empty password with an error of
invalidCredentials. (Source: Kurt Zeilenga and Chris Newman (Sun))
- Status: Resolved. Added to security considerations in û03.
+ Status: Resolved. Added to security considerations in -03.
G.22. Need to move StartTLS protocol information to [Protocol]
Status: Resolved. Removed Sections 5.1, 5.2, and 5.4 for -04 and
they are [Protocol] -11.
-Harrison Expires September 2003 [Page 39]
-\f
- Authentication Methods for LDAPv3
-
-
G.23. Split Normative and Non-normative references into separate
sections.
G.24. What is the authentication state if a Bind operation is
abandoned?
- Status: In process. (11/12/02) This text was suggested to be added
- to [Protocol] -11 to cover what happens if a bind operation is
- abandoned:
+ Status: Resolved.
+
+ (3/24/03) This following text appears in section 4.2.1 of [Protocol]
+ revision -13 to cover what happens if a bind operation is abandoned:
- "If a server receives an Abandon request for a Bind operation, the
- server SHOULD leave the connection in the anonymous state. Clients
- that abandon a Bind operation MUST rebind after abandoning the Bind
- request in order to have a known authentication state on the
- connection."
-
- (11/21/02) Jim Sermersheim prposed the following wording on the
- ldapbis mail list: "Authentication from earlier binds are
- subsequently ignored. A failed or abandoned Bind Operation has the
- effect of leaving the connection in an anonymous state. Clients MUST
- rebind after abandoning a bind operation in order to determine a
- known authentication state."
-
- Once this is resolved in [Protocol] the state table in section 6 of
- [AuthMeth] will need to be updated to reflect the consensus wording.
+ A failed or abandoned Bind Operation has the effect of leaving the
+ connection in an anonymous state. To arrive at a known
+ authentication state after abandoning a bind operation, clients may
+ unbind, rebind, or make use of the BindResponse.
+
+ (6/28/03): The state table in section 6 of [AuthMeth] has been
+ updated to reflect this wording.
G.25. Difference between checking server hostname and server's
canonical DNS name in Server Identity Check?
- Section 5.1.6: I now understand the intent of the check (prevent
+ Section 4.1.6: I now understand the intent of the check (prevent
man-in-the-middle attacks). But what is the subtle difference
between the "server hostname" and the "server's canonical DNS name"?
(Source: Tim Hahn)
+
+Harrison Expires April 2004 [Page 46]
+\f
+Internet-Draft LDAP Authentication Methods 7 October 2003
+
- Status: In Process. (11/12/02) Sent suggested wording change to this
- paragraph to the ldapbis mail list and also asked for opinion as to
- whether we should discuss the distinction between server DNS
- hostname and server canonical DNS hostname in [AuthMeth].
+ Status: Resolved.
+
+ (11/12/02) Sent suggested wording change to this paragraph to the
+ ldapbis mail list and also asked for opinion as to whether we should
+ discuss the distinction between server DNS hostname and server
+ canonical DNS hostname in [AuthMeth].
(11/21/02): RL Bob Morgan will provide wording that allows
derivations of the name that are provided securely.
-6.26. Server Identity Check using servers located via SRV records
+ (6/28/03): posted to the WG list asking Bob or any other WG member
+ who is knowledgeable about the issues involved to help me with
+ wording or other information I can use to make this change and close
+ the work item.
+
+ (10/08/03): Based on WG list feedback, I've updated this text to
+ read what I judge to be the WG consensus, "The client MUST use the
+ server provided by the user (or other trusted entity) as the value
+ to compare against the server name as expressed in the server's
+ certificate. A hostname derived from the user input is to be
+ considered provided by the user only if derived in a secure fashion
+ (e.g., DNSSEC)."
- Section 5.1.6: What should be done if the server was found using SRV
+
+G.26. Server Identity Check using servers located via SRV records
+
+ Section 4.1.6: What should be done if the server was found using SRV
records based on the "locate" draft/RFC? (Source: Tim Hahn).
Status: Resolved. Section 5 of draft-ietf-ldapext-locate-08
specifically calls out how the server identity should be performed
if the server is located using the method defined in that draft.
-
-
-Harrison Expires September 2003 [Page 40]
-\f
- Authentication Methods for LDAPv3
-
This is the right location for this information, and the coverage
appears to be adequate.
G.27 Inconsistency in effect of TLS closure on LDAP association.
- Section 5.4.1 of authmeth -03 (section 4.1 of RFC2830) states that
+ Section 4.4.1 of authmeth -03 (section 4.1 of RFC2830) states that
TLS closure alert will leave the LDAP association intact. Contrast
- this with Section 5.5.2 (section 5.2 of RFC2830) that says that the
+ this with Section 4.5.2 (section 5.2 of RFC2830) that says that the
closure of the TLS connection MUST cause the LDAP association to
move to an anonymous authentication.
- Status: in process. (11/12/02) This is actually a [Protocol] issue
+ Status: Resolved. (11/12/02) This is actually a [Protocol] issue
because these sections have now been moved to [Protocol] -11. I have
- proposed the following text for Section 5.4.1 of [AuthMeth] -03
+ proposed the following text for Section 4.4.1 of [AuthMeth] -03
(section 4.13.3.1 of [Protocol]) to resolve this apparent
discrepancy:
"Either the client or server MAY terminate the TLS connection on an
LDAP association by sending a TLS closure alert. The LDAP
connection remains open for further communication after TLS closure
+
+
+Harrison Expires April 2004 [Page 47]
+\f
+Internet-Draft LDAP Authentication Methods 7 October 2003
+
occurs although the authentication state of the LDAP connection is
- affected (see [AuthMeth] section 5.2.2).
+ affected (see [AuthMeth] section 4.2.2).
(11/21/02): resolution to this is expected in [Protocol] -12
+
+ (06/28/03): [Protocol]-15 clarifies that a TLS closure alert
+ terminates the TLS connection while leaving the LDAP connection
+ intact. The authentication state table in [AuthMeth] specifies the
+ effect on the LDAP association.
G.28 Ordering of external sources of authorization identities
states that the decision to allow or disallow the asserted identity
is based on an implementation defined policy.
-G.29 Rewrite of Section 10, TLS Ciphersuites
+G.29 Rewrite of Section 9, TLS Ciphersuites
This section contains anachronistic references and needs to be
updated/rewritten in a way that provides useful guidance for future
readers in a way that will transcend the passage of time.
+ Status: Resolved. (6/28/03): Rewrote the section to cover the
+ general issues and considerations involved in selecting TLS
+ ciphersuites.
+
G.30 Update to Appendix A, Example Deployment Scenarios
This section needs to be updated to indicate which security
mechanisms and/or combinations of security mechanisms described
elsewhere in the document can provide the types of protections
suggested in this appendix.
-
+
+G.31 Use of PLAIN SASL Mechanism
+
+ At least one LDAP server implementer has found the SASL "PLAIN"
+ mechanism useful in authenticating to legacy systems that do not
+ represent authentication identities as DNs. Section 3.3.1 appears to
+ implicitly disallow the use of the SASL "PLAIN" mechanism with LDAP.
+ Should we allow the use of this mechanism? I.e. is this "SASL"
+ "PLAIN" MUST NOT be used with LDAP, or is it simply that LDAP
+ doesn't define bindings for these mechanism. If SASL "PLAIN" is
+ allowed, the following adjustments will be needed to section 3.3.1:
+ (a) change section heading, (b) remove reference to "PLAIN" in the
+ section, (c) ensure wording of last sentence regarding non-DN
+ AuthZIDs is consistent with rest of the section.
+
+
+Harrison Expires April 2004 [Page 48]
+\f
+Internet-Draft LDAP Authentication Methods 7 October 2003
+
+ Status: Resolved.
+
+ (6/28/03): email to WG list stating issue and asking if we should
+ remove the reference to SASL "PLAIN".
+
+ For -07 draft I've generalized the SASL profile in section 3.3 to
+ allow any SASL mechanism.
+
+
+G.32 Clarification on use of SASL mechanisms
+
+ Section 3.3.1: BTW, what _are_ the "ANONYMOUS" and "PLAIN" SASL
+ mechanisms? They are not defined in RFC2222. If you refer to other
+ SASL mechanisms than those in rfc2222, Maybe you should only list
+ which mechanisms _are_used, instead of which ones are _not. (Source:
+ Hallvard Furuseth)
+
+ I (Kurt Zeilenga) note[s] as well that the ANONYMOUS/PLAIN section
+ (4.2) should
+ be deleted. ANONYMOUS and PLAIN, like in other mechanism,
+ can be used in LDAP if a) supported and b) enabled. I note
+ that they each offer capabilities not found in their simple
+ bind equivalents (and hence are used in some deployments).
+ For example, PLAIN (over TLS) is quite useful when interacting
+ with legacy authentication subsystems. (Source: Kurt Zeilenga)
+
+ Status: Resolved.
+
+ For -07 draft I've generalized the SASL profile in section 3.3 to
+ allow any SASL mechanism.
+
+
+
+G.33 Clarification on use of password protection based on AuthZID form
+
+ Section 3.3.1: "If an authorization identity of a form different
+ from a DN is requested by the client, a mechanism that protects the
+ password in transit SHOULD be used." What has that to do with DNs?
+ A mechanism that protects the password in transit should be used in
+ any case, shouldn't it?
+
+
+G.34 Clarification on use of matching rules in Server Identity Check
+
+ The text in section 4.1.6 isn't explicit on whether all rules apply
+ to both CN and dNSName values. The text should be clear as to which
+ rules apply to which values.... in particular, the wildcard
+ rules. (Source: Kurt Zeilenga)
+
+
+G.35 Requested Additions to Security Considerations
+
+ Requested to mention hostile servers which the user might have been
+ fooled to into contacting. Which mechanisms that are standardized by
+
+Harrison Expires April 2004 [Page 49]
+\f
+Internet-Draft LDAP Authentication Methods 7 October 2003
+
+ the LDAP standard do/do not disclose the user's password to the
+ server? (Or to servers doing man-in-the-middle attack? Or is that a
+ stupid question?)
+
+ Requested to mention denial of service attacks.
+
+ Requested list of methods that need/don't need the server to know
+ the user's plaintext password. (I say 'know' instead of 'store'
+ because it could still store the password encrypted, but in a way
+ which it knows how to decrypt.)
+
+ (Source: Hallvard Furuseth)
+
+G.36 Add reference to definition of DIGEST-MD5
+
+ Need a reference to the definition of DIGEST-MD5 SASL mechanism in
+ section 7.2 (Source: Hallvard Furuseth)
+
+ Status: Resolved. A reference to to the DIGEST-MD5 SASL mechanism,
+ [DigestAuth], is included in the -07 revision.
+
+G.37 Clarification on procedure for certificate-based authentication
+
+
+ 8.1. Certificate-based authentication with TLS states: "Following
+ the successful completion of TLS negotiation, the client will send
+ an LDAP bind request with the SASL "EXTERNAL" mechanism." Is this
+ immediately following, or just some time later? Should the wording,
+ "the client will send..." actually read, "the client MUST send..."?
+
+G.38 Effect of StartTLS on authentication state
+
+ Should the server drop all knowledge of connection, i.e. return to
+ anonymous state, if it gets a StartTLS request on a connection that
+ has successfully bound using the simple method?
+
+G.39 Be sure that there is a consideration in [SCHEMA] that discusses
+multiple password values in userPassword
+
+ Allowing multiple values obviously does raise a number of security
+ considerations and these need to be discussed in the document.
+
+ Certainly applications which intend to replace the userPassword with
+ new value(s) should use modify/replaceValues (or
+ modify/deleteAttribute+addAttribute). Additionally, server
+ implementations should be encouraged to provide administrative
+ controls which, if enabled, restrict userPassword to one value.
+
+G.40. Clarify need to verify mapping between authentication identity
+and resulting authorization identity on implicit assertion of AuthZID.
+
+ 4.2.2.3. Error Conditions
+
+ "For either form of assertion, the server MUST verify that the
+
+Harrison Expires April 2004 [Page 50]
+\f
+Internet-Draft LDAP Authentication Methods 7 October 2003
+
+ client's authentication identity as supplied in its TLS credentials
+ is permitted to be mapped to the asserted authorization identity."
+
+ This makes sense for the explicit assertion case, but seems to be
+ ambiguous for the implicit case.
+ IMHO, the mapping can be done as two steps:
+ a). deriving LDAP authentication identity from TLS credentials; If t
+ this steps fails, EXTERNAL mechanism returns failure.
+ b). verify that the authorization identity is allowed for the
+ derived authentication identity. This is always "noop" for the
+ implicit case.
+ I am not sure that the text is saying this.
+ (Source: Alexey Melnikov email 8/1/2003 5:30:43 PM)
+
+ Status: Resolved in -07. After reading the comments and the text of
+ the draft, I believe that this should be clarified. The local policy
+ used to map the AuthNID to the AuthZID in the implicit case is
+ sufficient and that no additional verification is useful or needed.
+ This text has been moved to apply only to the explicit assertion
+ case.
+
+G.41. Section 7.2 contains unnecessary and misleading detail.
+
+ " I am not sure why this section is required in the document.
+ DIGEST-MD5 is defined in a separate document and there should be
+ nothing magical about its usage in LDAP. If DIGEST-MD5 description
+ creates confusion for LDAP implementors, let's fix the DIGEST-MD5
+ document! Also, this section tries to redefine DIGEST-MD5 behavior,
+ which is explicitly prohibited by the SASL specification."
+ (Source: Alexey Melnikov: email 8/1/2003 5:30:43 PM)
+
+ Status: Resolved.
+
+ After reading the comments and the text of the draft plus the
+ related text in draft-ietf-sasl-rfc2831bis-02.txt plus
+ http://www.ietf.org/internet-drafts/draft-ietf-sasl-rfc2222bis-
+ 02.txt, I am inclined to agree with Alexey. In -07 I rewrote section
+ 3.3 (SASL mechanisms) to match the profiling requirements
+ rfc2831bis. I then dramatically reduced the material in section 7.2
+ to a bare minimum and let the SASL profile stand on its own.
+
+G.42. Does change for G.41 cause interoperability issue?
+
+ There is one issue with the way the authmeth draft is currently
+ written that changes the SASL DIGEST-MD5 behavior on the way the
+ server responds with the subsequent authentication information .
+ This has been documented in this fashion since RFC 2829 (section
+ 6.1) was originally published and may cause an interoperability
+ issue at this point if it changed to follow the DIGEST-MD5 spec (as
+ it was in -07 of AuthMeth). Take this issue to the list.
+
+ Status: Resolved
+
+
+
+Harrison Expires April 2004 [Page 51]
+\f
+Internet-Draft LDAP Authentication Methods 7 October 2003
+
+ (10/08/03) This item was discussed on the WG list between 5/2/03 and
+ 5/9/03. Consensus apppears to support the notion that RFC 2829 was
+ in error and that the semantics of RFC 2831 are correct and should
+ be reflected in authmeth. This is already the case as of the -07
+ draft.
+
+G.43. DIGEST-MD5 Realms recommendations for LDAP
+
+ From http://www.ietf.org/internet-drafts/draft-ietf-sasl-rfc2222bis-
+ 02.txt: A protocol profile SHOULD provide a guidance how realms are
+ to be constructed and used in the protocol and MAY further restrict
+ its syntax and protocol-specific semantics."
+
+ I don't believe that any such guidance exists within the LDAP TS.
+ The most likely place for this to reside is in the authmeth draft.
+
+ Related email from Alexey Melnikov (8/4/2003 1:08:40 PM):
+
+ "The problem I have with the document is that it references realm
+ without explaining what it is (or at least some examples of valid
+ values). For LDAP, some recommendations should be given. For
+ example:
+ 1). Use a hardcoded string as the realm (one of the implementations
+ I worked on was doing that)
+ 2). Use hostname (realm==host) or domain/cluster name (realm
+ includes multiple hosts).
+ 3). Use a node in DIT above user entry, for example for "cn=Barbara
+ Jensen, ou=Accounting, o=Ace Industry, c=US"
+ and "cn=John Doe, ou=Accounting, o=Ace Industry, c=US" realm can be
+ "ou=Accounting, o=Ace Industry, c=US"
+ (or "o=Ace Industry, c=US"); for "cn=Gern Jensen, ou=Product
+ Testing,o=Ace Industry, c=US" realm can be "ou=Product Testing,
+ o=Ace Industry, c=US".
+
+ Of course other choices are possible.
+
+ Alexey
+
+ To summarize: I'd like authmeth to define a realm name for use with
+ Digest-MD5 that corresponds to LDAP DNs known to this server.
+ Authzid is okay, but perhaps could be better put into context.
+
+
+ John McMeeking (5/12/2003)
+
+G.44. Use of DNs in usernames and realms in DIGEST-MD5
+
+ In reading the discussion on the mailing list, I reach the following
+ conclusions:
+
+ DIGEST-MD5 username and realm are simple strings. The syntax of
+ these strings allows strings that look like DNs in form, however,
+ DIGEST-MD5 treats them a simple strings for comparision purposes.
+ For example, the DNs cn=roger, o=US and cn=roger,o=us are equivalent
+
+Harrison Expires April 2004 [Page 52]
+\f
+Internet-Draft LDAP Authentication Methods 7 October 2003
+
+ when being compared semantically as DNs, however, these would be
+ considered two different username values in DIGEST-MD5 because
+ simple octet-wise semantics (rather than DN semantics) are used to
+ compare username values in DIGEST-MD5. Ditto for realm values.
+
+ Status: Resolved.
+
+ In -07 revision I added notes to implementors expressing this issue
+ in section 7.2.
+
+G.45: Open Issue: Is Simple+TLS mandatory to implement?
+
+ Going forward, it would be much better to clarify that simple
+ +TLS is to be used for DN/password credentials and DIGEST-MD5
+ (or PLAIN+TLS) be used for username/password credentials. (Kurt
+ Zeilenga, 5/12/2003)
+
+ I don't believe you can mandate simple/TLS! At the time RFC 2829 was
+ debated, a large number on the WG wanted this. They did not get
+ their way because of the complexity of the solution. It was argued
+ that a password-based method would be better. I think they believed
+ it would still be DN/password, though. (Ron Ramsay, 5/12/2003)
+
+ This was officially opened as an issue by WG co-chair Kurt Zeilenga
+ on 5/12/03. Little direct discussion has occurred since, however
+ there has been significant discussion on the use of DN values as the
+ username for DIGEST-MD5.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-Harrison Expires September 2003 [Page 41]
+Harrison Expires April 2004 [Page 53]
\f
INTERNET-DRAFT Editor: Kurt D. Zeilenga
Intended Category: Standard Track OpenLDAP Foundation
-Expires in six months 4 May 2003
+Expires in six months 27 October 2003
Obsoletes: 2253
+
LDAP: String Representation of Distinguished Names
- <draft-ietf-ldapbis-dn-10.txt>
+ <draft-ietf-ldapbis-dn-12.txt>
+
Status of Memo
revision, submitted to the RFC Editor as a Standard Track document
replacing RFC 2253. Distribution of this memo is unlimited.
Technical discussion of this document will take place on the IETF LDAP
- Revision (LDAPbis) Working Group mailing list
+ Revision (LDAPBIS) Working Group mailing list
<ietf-ldapbis@openldap.org>. Please send editorial comments directly
to the document editor <Kurt@OpenLDAP.org>.
Internet-Draft Shadow Directories can be accessed at
<http://www.ietf.org/shadow.html>.
- Copyright 2003, The Internet Society. All Rights Reserved.
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
+
+ Please see the Full Copyright section near the end of this document
+ for more information.
+
+
- Please see the Copyright section near the end of this document for
- more information.
-Abstract
- The X.500 Directory uses distinguished names (DNs) as primary keys to
- entries in the directory. This document defines the string
- representation used in the Lightweight Directory Access Protocol
- (LDAP) to transfer distinguished names. The string representation is
Zeilenga LDAP: Distinguished Names [Page 1]
\f
-INTERNET-DRAFT draft-ietf-ldapbis-dn-10.txt 4 May 2003
+INTERNET-DRAFT draft-ietf-ldapbis-dn-12.txt 27 October 2003
+Abstract
+
+ The X.500 Directory uses distinguished names (DNs) as primary keys to
+ entries in the directory. This document defines the string
+ representation used in the Lightweight Directory Access Protocol
+ (LDAP) to transfer distinguished names. The string representation is
designed to give a clean representation of commonly used distinguished
names, while being able to represent any distinguished name.
In X.500-based directory systems [X.500], including those accessed
using the Lightweight Directory Access Protocol (LDAP) [Roadmap],
- distinguished names (DNs) are used to unambiguously refer to a
- directory entry [X.501][Models].
+ distinguished names (DNs) are used to unambiguously refer to directory
+ entries [X.501][Models].
The structure of a DN [X.501] is described in terms of ASN.1 [X.680].
In the X.500 Directory Access Protocol [X.511] (and other ITU-defined
directory protocols), DNs are encoded using the Basic Encoding Rules
- (BER) [X.690]. In LDAP, DNs are represented in string form.
+ (BER) [X.690]. In LDAP, DNs are represented in the string form
+ described in this document.
It is important to have a common format to be able to unambiguously
represent a distinguished name. The primary goal of this
to have names that are human readable. It is not expected that LDAP
implementations with a human user interface would display these
strings directly to the user, but would most likely be performing
- translations (such as expressing attribute type names in one of the
- local national languages).
+ translations (such as expressing attribute type names in the local
+ national language).
This document defines the string representation of Distinguished Names
used in LDAP [Protocol][Syntaxes]. Section 2 details the RECOMMENDED
from its ASN.1 structured representation to a string, all algorithms
MUST produce strings which adhere to the requirements of Section 3.
+
+
+Zeilenga LDAP: Distinguished Names [Page 2]
+\f
+INTERNET-DRAFT draft-ietf-ldapbis-dn-12.txt 27 October 2003
+
+
This document does not define a canonical string representation for
DNs. Comparison of DNs for equality is to be performed in accordance
with the distinguishedNameMatch matching rule [Syntaxes].
This document is an integral part of the LDAP Technical Specification
[Roadmap].
-
-
-Zeilenga LDAP: Distinguished Names [Page 2]
-\f
-INTERNET-DRAFT draft-ietf-ldapbis-dn-10.txt 4 May 2003
-
-
This document obsoletes RFC 2253. Changes since RFC 2253 are
summarized in Appendix B.
This section defines the RECOMMENDED algorithm for converting a
distinguished name from an ASN.1 structured representation to an UTF-8
- [RFC2279] encoded Universal Character Set (UCS) [ISO10646] character
+ [UTF-8] encoded Universal Character Set (UCS) [ISO10646] character
string representation. Other documents may describe other algorithms
for converting a distinguished name to a string, but only strings
which conform to the grammar defined in Section 3 MUST be produced by
2.2), starting with the last element of the sequence and moving
backwards toward the first.
- The encodings of adjoining RelativeDistinguishedNames are separated by
- a comma ("," U+002C) character.
-2.2. Converting RelativeDistinguishedName
+Zeilenga LDAP: Distinguished Names [Page 3]
+\f
+INTERNET-DRAFT draft-ietf-ldapbis-dn-12.txt 27 October 2003
+ The encodings of adjoining RelativeDistinguishedNames are separated by
+ a comma ("," U+002C) character.
-Zeilenga LDAP: Distinguished Names [Page 3]
-\f
-INTERNET-DRAFT draft-ietf-ldapbis-dn-10.txt 4 May 2003
-
+2.2. Converting RelativeDistinguishedName
When converting from an ASN.1 RelativeDistinguishedName to a string,
the output consists of the string encodings of each
encoding of the AttributeValue is given in Section 2.4.
If the AttributeType is defined to have a short name and that short
- name is known to be registered [REGISTRY] as identifying the
+ name is known to be registered [REGISTRY][BCP64bis] as identifying the
AttributeType, that short name, a <descr>, is used. Otherwise the
AttributeType is encoded as the dotted-decimal encoding, a
<numericoid>, of its OBJECT IDENTIFIER. The <descr> and <numericoid>
is defined in [Models].
- Implementations are not expected dynamically update their knowledge of
- registered short names. However, implementations SHOULD provide a
+ Implementations are not expected to dynamically update their knowledge
+ of registered short names. However, implementations SHOULD provide a
mechanism to allow its knowledge of registered short names to be
updated.
desired (see Section 5.2).
Otherwise, if the AttributeValue is of a syntax which has a native
- string encoding, the value is converted first to a UTF-8 encoded UCS
- string according to its syntax specification (see for example Section
- 6 of [Syntaxes]). If that UTF-8 encoded UCS string does not have any
- of the following characters which need escaping, then that string can
- be used as the string representation of the value.
-
Zeilenga LDAP: Distinguished Names [Page 4]
\f
-INTERNET-DRAFT draft-ietf-ldapbis-dn-10.txt 4 May 2003
+INTERNET-DRAFT draft-ietf-ldapbis-dn-12.txt 27 October 2003
+
+ string encoding, the value is converted first to a UTF-8 encoded UCS
+ string according to its syntax specification (see for example Section
+ 6 of [Syntaxes]). If that UTF-8 encoded UCS string does not have any
+ of the following characters which need escaping, then that string can
+ be used as the string representation of the value.
- a space (" " U+0020) or number sign ("#" U+0023) occurring at
the beginning of the string;
3. Parsing a String back to a Distinguished Name
The string representation of Distinguished Names is restricted to
- UTF-8 [RFC2279] encoded characters from the Universal Character Set
+ UTF-8 [UTF-8] encoded characters from the Universal Character Set
(UCS) [ISO10646]. The structure of this string representation is
specified using the following Augmented BNF [RFC2234] grammar:
attributeTypeAndValue = attributeType EQUALS attributeValue
- attributeType = descr / numericoid
-
- attributeValue = string / hexstring
-
- ; The UTF-8 string shall not contain NULL, ESC, or
-
Zeilenga LDAP: Distinguished Names [Page 5]
\f
-INTERNET-DRAFT draft-ietf-ldapbis-dn-10.txt 4 May 2003
+INTERNET-DRAFT draft-ietf-ldapbis-dn-12.txt 27 October 2003
+ attributeType = descr / numericoid
+
+ attributeValue = string / hexstring
+
+ ; The UTF-8 string shall not contain NULL, ESC, or
; one of escaped, shall not start with SHARP or SPACE,
; and shall must not end with SPACE.
string = [ (leadchar / pair)
replace <ESC><special> with <special>;
replace <ESC><hexpair> with the octet indicated by the <hexpair>.
- If in <hexstring> form, a BER representation can be obtained from
- converting each <hexpair> of the <hexstring> to the octet indicated by
- the <hexpair>.
-
- One or more attribute values assertions, separated by <PLUS>, for a
Zeilenga LDAP: Distinguished Names [Page 6]
\f
-INTERNET-DRAFT draft-ietf-ldapbis-dn-10.txt 4 May 2003
+INTERNET-DRAFT draft-ietf-ldapbis-dn-12.txt 27 October 2003
+ If in <hexstring> form, a BER representation can be obtained from
+ converting each <hexpair> of the <hexstring> to the octet indicated by
+ the <hexpair>.
+
+ One or more attribute values assertions, separated by <PLUS>, for a
relative distinguished name.
Zero or more relative distinguished names, separated by <COMMA>, for a
OU=Sales+CN=J. Smith,DC=example,DC=net
This example shows the method of escaping of a comma in a common
- name:
-
- CN=John Smith\, III,DC=example,DC=net
-
- An example name in which a value contains a carriage return
Zeilenga LDAP: Distinguished Names [Page 7]
\f
-INTERNET-DRAFT draft-ietf-ldapbis-dn-10.txt 4 May 2003
+INTERNET-DRAFT draft-ietf-ldapbis-dn-12.txt 27 October 2003
+
+ name:
+
+ CN=John Smith\, III,DC=example,DC=net
+ An example name in which a value contains a carriage return
character:
CN=Before\0dAfter,DC=example,DC=net
- the common name of the object (i.e. a person's full name)
- an email or TCP/IP address
- - its physical location (country, locality, city, street address)
- - organizational attributes (such as department name or affiliation)
-
- Most countries have privacy laws regarding the publication of
- information about people.
Zeilenga LDAP: Distinguished Names [Page 8]
\f
-INTERNET-DRAFT draft-ietf-ldapbis-dn-10.txt 4 May 2003
+INTERNET-DRAFT draft-ietf-ldapbis-dn-12.txt 27 October 2003
+
+
+ - its physical location (country, locality, city, street address)
+ - organizational attributes (such as department name or affiliation)
+
+ Most countries have privacy laws regarding the publication of
+ information about people.
5.2. Use of Distinguished Names in Security Applications
8. Normative References
- [X.501] "The Directory -- Models," ITU-T Rec. X.501(1993).
+ [X.501] International Telecommunication Union -
+ Telecommunication Standardization Sector, "The Directory
- [X.680] ITU-T, "Abstract Syntax Notation One (ASN.1) -
- Specification of Basic Notation", X.680, 1994.
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14 (also RFC 2119).
- [RFC2234] Crocker, D., and P. Overell, "Augmented BNF for Syntax
+Zeilenga LDAP: Distinguished Names [Page 9]
+\f
+INTERNET-DRAFT draft-ietf-ldapbis-dn-12.txt 27 October 2003
+ -- Models," X.501(1993) (also ISO/IEC 9594-2:1994).
-Zeilenga LDAP: Distinguished Names [Page 9]
-\f
-INTERNET-DRAFT draft-ietf-ldapbis-dn-10.txt 4 May 2003
+ [X.680] International Telecommunication Union -
+ Telecommunication Standardization Sector, "Abstract
+ Syntax Notation One (ASN.1) - Specification of Basic
+ Notation", X.680(1997) (also ISO/IEC 8824-1:1998).
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14 (also RFC 2119), March 1997.
- Specifications: ABNF", RFC 2234, November 1997.
+ [RFC2234] Crocker, D. and P. Overell, "Augmented BNF for Syntax
+ Specifications: ABNF", RFC 2234, November 1997.
- [RFC2279] Yergeau, F., "UTF-8, a transformation format of ISO
- 10646", RFC 2279, January 1998.
+ [UTF-8] Yergeau, F., "UTF-8, a transformation format of ISO
+ 10646", draft-yergeau-rfc2279bis-xx.txt, a work in
+ progress.
- [Models] K. Zeilenga (editor), "LDAP: Directory Information
- Models", draft-ietf-ldapbis-models-xx.txt, a work in
- progress.
+ [Models] Zeilenga, K. (editor), "LDAP: Directory Information
+ Models", draft-ietf-ldapbis-models-xx.txt, a work in
+ progress.
- [Roadmap] K. Zeilenga, "LDAP: Technical Specification Road Map",
- draft-ietf-ldapbis-roadmap-xx.txt, a work in progress.
+ [Roadmap] Zeilenga, K. (editor), "LDAP: Technical Specification
+ Road Map", draft-ietf-ldapbis-roadmap-xx.txt, a work in
+ progress.
- [Protocol] J. Sermersheim (editor), "LDAP: The Protocol",
- draft-ietf-ldapbis-protocol-xx.txt, a work in progress.
+ [Protocol] Sermersheim, J. (editor), "LDAP: The Protocol",
+ draft-ietf-ldapbis-protocol-xx.txt, a work in progress.
- [Syntaxes] S. Legg (editor), "LDAP: Syntaxes",
- draft-ietf-ldapbis-syntaxes-xx.txt, a work in progress.
+ [Syntaxes] Legg, S. (editor), "LDAP: Syntaxes and Matching Rules",
+ draft-ietf-ldapbis-syntaxes-xx.txt, a work in progress.
- [Schema] K. Dally (editor), "LDAP: User Schema",
- draft-ietf-ldapbis-user-schema-xx.txt, a work in
- progress.
+ [Schema] Dally, K. (editor), "LDAP: User Schema",
+ draft-ietf-ldapbis-user-schema-xx.txt, a work in
+ progress.
- [ISO10646] Universal Multiple-Octet Coded Character Set (UCS) -
- Architecture and Basic Multilingual Plane, ISO/IEC
- 10646-1 : 1993.
+ [ISO10646] International Organization for Standardization,
+ "Universal Multiple-Octet Coded Character Set (UCS) -
+ Architecture and Basic Multilingual Plane", ISO/IEC
+ 10646-1 : 1993.
+ [REGISTRY] IANA, Object Identifier Descriptors Registry,
+ <http://www.iana.org/...>.
9. Informative References
- [X.500] "The Directory -- overview of concepts, models and
- services," ITU-T Rec. X.500(1993).
+ [ASCII] Coded Character Set--7-bit American Standard Code for
+ Information Interchange, ANSI X3.4-1986.
- [X.690] ITU-T, "Specification of ASN.1 encoding rules: Basic,
- Canonical, and Distinguished Encoding Rules", X.690,
- 1994.
- [RFC3383] K. Zeilenga, "IANA Considerations for LDAP", BCP 64 (also
- RFC 3383), September 2002.
- [RFC2849] G. Good, "The LDAP Data Interchange Format (LDIF) -
- Technical Specification", RFC 2849, June 2000.
+Zeilenga LDAP: Distinguished Names [Page 10]
+\f
+INTERNET-DRAFT draft-ietf-ldapbis-dn-12.txt 27 October 2003
-Appendix A. Presentation Issues
- This appendix is provided for informational purposes only, it is not a
- normative part of this specification.
+ [X.500] International Telecommunication Union -
+ Telecommunication Standardization Sector, "The Directory
+ -- Overview of concepts, models and services,"
+ X.500(1993) (also ISO/IEC 9594-1:1994).
+ [X.690] International Telecommunication Union -
+ Telecommunication Standardization Sector, "Specification
+ of ASN.1 encoding rules: Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER), and Distinguished
+ Encoding Rules (DER)", X.690(1997) (also ISO/IEC
+ 8825-1:1998).
+ [RFC2849] Good, G., "The LDAP Data Interchange Format (LDIF) -
+ Technical Specification", RFC 2849, June 2000.
+
+ [BCP64bis] Zeilenga, K., "IANA Considerations for LDAP", draft-
+ ietf-ldapbis-bcp64-xx.txt, a work in progress.
-Zeilenga LDAP: Distinguished Names [Page 10]
-\f
-INTERNET-DRAFT draft-ietf-ldapbis-dn-10.txt 4 May 2003
+Appendix A. Presentation Issues
+
+ This appendix is provided for informational purposes only, it is not a
+ normative part of this specification.
The string representation described in this document is not intended
to be presented to humans without translation. However, at times it
demonstrated in the final example of Section 4).
When a DN string is displayed in free form text, it is often necessary
+
+
+
+Zeilenga LDAP: Distinguished Names [Page 11]
+\f
+INTERNET-DRAFT draft-ietf-ldapbis-dn-12.txt 27 October 2003
+
+
to distinguish the DN string from surrounding text. While this is
often done with white space (as demonstrated in Section 4), it is
noted that DN strings may end with white space. Careful readers of
so it has been line-wrapped for readability. The extra white
space is to be removed before the DN string is used in LDAP.
-
-
-
-Zeilenga LDAP: Distinguished Names [Page 11]
-\f
-INTERNET-DRAFT draft-ietf-ldapbis-dn-10.txt 4 May 2003
-
-
It is not advised to insert white space otherwise as it may not be
obvious to the user which white space is part of the DN string and
which white space was added for readability.
The following substantive changes were made to RFC 2253:
- Removed IESG Note. The IESG Note has been addressed.
- - Clarified (in Section 1), that this document does not define a
+ - Clarified (in Section 1) that this document does not define a
+
+
+
+Zeilenga LDAP: Distinguished Names [Page 12]
+\f
+INTERNET-DRAFT draft-ietf-ldapbis-dn-12.txt 27 October 2003
+
+
canonical string representation.
+ - Revised specification (in Section 2) to allow short names of any
+ registered attribute type to appear in string representations of
+ DNs instead of being restricted to a "published table". Remove
+ "as an example" language. Added statement (in Section 3) allowing
+ recognition of additional names but require recognization of those
+ names in the published table. The table is now published in
+ Section 3.
- Replaced specification of additional requirements for LDAPv2
implementations which also support LDAPv3 (RFC 2253, Section 4)
with a statement (in Section 3) allowing recognition of
alternative string representations.
- - Clarified (in Section 2.3) that the "published" table of names
- which may be appear in DNs is the table which Section 2.3
- provides. Remove "as an example" language. Noted this table is
- not extensible. Added statement (in Section 3) allowing
- recognition of additional names. Added security considerations
- (Section 5.3) regarding the use of other names.
- Updated Section 2.3 to indicate attribute type name strings are
case insensitive.
- Updated Section 2.4 to allow hex pair escaping of all characters
- Added discussion of presentation issues (Appendix A).
- Added this appendix.
+ In addition, numerous editorial changes were made.
-Zeilenga LDAP: Distinguished Names [Page 12]
+Intellectual Property Rights
+
+ The IETF takes no position regarding the validity or scope of any
+ intellectual property or other rights that might be claimed to pertain
+ to the implementation or use of the technology described in this
+ document or the extent to which any license under such rights might or
+ might not be available; neither does it represent that it has made any
+ effort to identify any such rights. Information on the IETF's
+ procedures with respect to rights in standards-track and
+ standards-related documentation can be found in BCP-11. Copies of
+ claims of rights made available for publication and any assurances of
+ licenses to be made available, or the result of an attempt made to
+ obtain a general license or permission for the use of such proprietary
+ rights by implementors or users of this specification can be obtained
+ from the IETF Secretariat.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+
+
+
+Zeilenga LDAP: Distinguished Names [Page 13]
\f
-INTERNET-DRAFT draft-ietf-ldapbis-dn-10.txt 4 May 2003
+INTERNET-DRAFT draft-ietf-ldapbis-dn-12.txt 27 October 2003
+
+
+ rights which may cover technology that may be required to practice
+ this standard. Please address the information to the IETF Executive
+ Director.
- In addition, numerous editorial changes were made.
+Full Copyright
-Copyright 2003, The Internet Society. All Rights Reserved.
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published and
+ or assist in its implmentation may be prepared, copied, published and
distributed, in whole or in part, without restriction of any kind,
provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
copyrights defined in the Internet Standards process must be followed,
or as required to translate it into languages other than English.
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
- This document and the information contained herein is provided on an
- "AS IS" basis and THE AUTHORS, THE INTERNET SOCIETY, AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-Zeilenga LDAP: Distinguished Names [Page 13]
+
+
+
+Zeilenga LDAP: Distinguished Names [Page 14]
\f
Network Working Group M. Smith, Editor
Request for Comments: DRAFT Netscape Communications Corp.
Obsoletes: RFC 2254 T. Howes
-Expires: 28 August 2003 Opsware, Inc.
- 28 February 2003
+Expires: 25 April 2004 Opsware, Inc.
+ 25 October 2003
LDAP: String Representation of Search Filters
- <draft-ietf-ldapbis-filter-04.txt>
+ <draft-ietf-ldapbis-filter-05.txt>
Smith & Howes Intended Category: Standards Track [Page 1]
\f
-INTERNET-DRAFT LDAP: String Repres. of Search Filters 28 February 2003
+INTERNET-DRAFT LDAP: String Repres. of Search Filters 25 October 2003
3. Table of Contents
8. Security Considerations........................................7
9. Normative References...........................................7
10. Informative References.........................................8
-11. Acknowledgments................................................8
-12. Authors' Address...............................................8
-13. Full Copyright Statement.......................................9
-14. Appendix A: Changes Since RFC 2254.............................9
-14.1. Technical Changes...........................................9
-14.2. Editorial Changes...........................................10
-15. Appendix B: Changes Since Previous Document Revision...........11
-15.1. Technical Changes...........................................11
-15.2. Editorial Changes...........................................11
+11. Intellectual Property Rights...................................8
+12. Acknowledgments................................................8
+13. Authors' Address...............................................8
+14. Full Copyright Statement.......................................9
+15. Appendix A: Changes Since RFC 2254.............................9
+15.1. Technical Changes...........................................10
+15.2. Editorial Changes...........................................10
+16. Appendix B: Changes Since Previous Document Revision...........11
+16.1. Technical Changes...........................................12
+16.2. Editorial Changes...........................................12
4. Introduction
-
Smith & Howes Intended Category: Standards Track [Page 2]
\f
-INTERNET-DRAFT LDAP: String Repres. of Search Filters 28 February 2003
+INTERNET-DRAFT LDAP: String Repres. of Search Filters 25 October 2003
Filter ::= CHOICE {
LDAPString ::= OCTET STRING -- UTF-8 encoded,
-- ISO 10646 characters
- where the LDAPString above is limited to the UTF-8 encoding [RFC2279]
+ where the LDAPString above is limited to the UTF-8 encoding [UTF-8]
of the ISO 10646 character set [ISO10646]. The AttributeDescription
is a string representation of the attribute description and is
defined in [Protocol]. The AttributeValue and AssertionValue OCTET
Smith & Howes Intended Category: Standards Track [Page 3]
\f
-INTERNET-DRAFT LDAP: String Repres. of Search Filters 28 February 2003
+INTERNET-DRAFT LDAP: String Repres. of Search Filters 25 October 2003
STRING have the form defined in [Syntaxes]. The Filter is encoded
extensible = attr [dnattrs] [matchingrule] COLON EQUALS assertionvalue
/ [dnattrs] matchingrule COLON EQUALS assertionvalue
/ COLON EQUALS assertionvalue
- present = attr EQUALS ASTERIX
+ present = attr EQUALS ASTERISK
substring = attr EQUALS [initial] any [final]
initial = assertionvalue
- any = ASTERIX *(assertionvalue ASTERIX)
+ any = ASTERISK *(assertionvalue ASTERISK)
final = assertionvalue
attr = attributedescription
; The attributedescription rule is defined in
escaped = ESC HEX HEX
UTF1SUBSET = %x01-27 / %x2B-5B / %x5D-7F
; UTF1SUBSET excludes 0x00 (NUL), LPAREN,
- ; RPAREN, ASTERIX, and ESC.
+ ; RPAREN, ASTERISK, and ESC.
Smith & Howes Intended Category: Standards Track [Page 4]
\f
-INTERNET-DRAFT LDAP: String Repres. of Search Filters 28 February 2003
+INTERNET-DRAFT LDAP: String Repres. of Search Filters 25 October 2003
EXCLAMATION = %x21 ; exclamation mark ("!")
AMPERSAND = %x26 ; ampersand (or AND symbol) ("&")
- ASTERIX = %x2A ; asterix ("*")
+ ASTERISK = %x2A ; asterisk ("*")
COLON = %x3A ; colon (":")
VERTBAR = %x7C ; vertical bar (or pipe) ("|")
TILDE = %x7E ; tilde ("~")
As indicated by the valueencoding rule, implementations MUST escape
all octets greater than 0x7F that are not part of a valid UTF-8
encoding sequence when they generate a string representation of a
- search filter. Since RFC 2254 does not clearly define the term
- "string representation" (and in particular does mention that the
- string representation of an LDAP search filter is a string of UTF-8
- encoded ISO 10646-1 characters) implementations SHOULD accept as
- input strings that include invalid UTF-8 octet sequences.
+ search filter. Implementations SHOULD accept as input a string that
+ includes invalid UTF-8 octet sequences. This is necessary because RFC
+ 2254 did not clearly define the term "string representation" (and in
+ particular did not mention that the string representation of an LDAP
+ search filter is a string of UTF-8 encoded ISO 10646-1 characters).
7. Examples
Smith & Howes Intended Category: Standards Track [Page 5]
\f
-INTERNET-DRAFT LDAP: String Repres. of Search Filters 28 February 2003
+INTERNET-DRAFT LDAP: String Repres. of Search Filters 25 October 2003
(!(cn=Tim Howes))
(o:dn:=Ace Industry)
(:1.2.3:=Wilma Flintstone)
(:dn:2.4.6.8.10:=Dino)
- (:=Fred Flintstone)
The first example shows use of the matching rule "1.2.3.4.5".
The fifth example is a filter that should be applied to any attribute
supporting the matching rule given (since the attr has been omitted).
- The sixth example is also a filter that should be applied to any
- attribute supporting the matching rule given. Attributes supporting
- the matching rule contained in the DN should also be considered.
-
- The seventh and final example is a filter that should be applied to
- any attribute (since both the attr and matching rule have been
- omitted).
+ The sixth and final example is also a filter that should be applied
+ to any attribute supporting the matching rule given. Attributes
+ supporting the matching rule contained in the DN should also be
+ considered.
The following examples illustrate the use of the escaping mechanism.
(sn=Lu\c4\8di\c4\87)
(1.3.6.1.4.1.1466.0=\04\02\48\69)
+ The first example shows the use of the escaping mechanism to
+ represent parenthesis characters. The second shows how to represent a
+ "*" in an assertion value, preventing it from being interpreted as a
+
Smith & Howes Intended Category: Standards Track [Page 6]
\f
-INTERNET-DRAFT LDAP: String Repres. of Search Filters 28 February 2003
+INTERNET-DRAFT LDAP: String Repres. of Search Filters 25 October 2003
- The first example shows the use of the escaping mechanism to
- represent parenthesis characters. The second shows how to represent a
- "*" in an assertion value, preventing it from being interpreted as a
substring indicator. The third illustrates the escaping of the
backslash character.
[RFC2119] S. Bradner, "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14 (also RFC 2119), March 1997.
+ [RFC2234] Crocker, D., Overell, P., "Augmented BNF for Syntax
+ Specifications: ABNF", RFC 2234, November 1997.
+
Smith & Howes Intended Category: Standards Track [Page 7]
\f
-INTERNET-DRAFT LDAP: String Repres. of Search Filters 28 February 2003
-
-
- [RFC2234] Crocker, D., Overell, P., "Augmented BNF for Syntax
- Specifications: ABNF", RFC 2234, November 1997.
+INTERNET-DRAFT LDAP: String Repres. of Search Filters 25 October 2003
- [RFC2279] Yergeau, F., "UTF-8, a transformation format of ISO 10646",
- RFC 2279, January 1998.
[Roadmap] Zeilenga, K. (editor), "LDAP: Technical Specification Road
Map", draft-ietf-ldapbis-roadmap-xx.txt, a work in progress.
[Syntaxes] Dally, K. (editor), "LDAP: Syntaxes", draft-ietf-ldapbis-
syntaxes-xx.txt, a work in progress.
+ [UTF-8] Yergeau, F., "UTF-8, a transformation format of ISO 10646",
+ draft-yergeau-rfc2279bis-xx.txt, a work in progress.
10. Informative References
None.
-
-11. Acknowledgments
+11. Intellectual Property Rights
+
+ The IETF takes no position regarding the validity or scope of any
+ intellectual property or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; neither does it represent that it
+ has made any effort to identify any such rights. Information on the
+ IETF's procedures with respect to rights in standards-track and
+ standards-related documentation can be found in BCP-11. Copies of
+ claims of rights made available for publication and any assurances of
+ licenses to be made available, or the result of an attempt made to
+ obtain a general license or permission for the use of such
+ proprietary rights by implementors or users of this specification can
+ be obtained from the IETF Secretariat.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights which may cover technology that may be required to practice
+ this standard. Please address the information to the IETF Executive
+ Director.
+
+12. Acknowledgments
This document replaces RFC 2254 by Tim Howes. Changes included in
this revised specification are based upon discussions among the
acknowledged.
-12. Authors' Address
+13. Authors' Address
Mark Smith, Editor
+
+
+
+Smith & Howes Intended Category: Standards Track [Page 8]
+\f
+INTERNET-DRAFT LDAP: String Repres. of Search Filters 25 October 2003
+
+
Netscape Communications Corp.
360 W. Caribbean Drive
Sunnyvale, CA 94089
USA
+1 650 937-3477
- mcs@netscape.com
+ MarkCSmithWork@aol.com
Tim Howes
Opsware, Inc.
+1 408 744-7509
howes@opsware.com
+14. Full Copyright Statement
-
-
-
-
-Smith & Howes Intended Category: Standards Track [Page 8]
-\f
-INTERNET-DRAFT LDAP: String Repres. of Search Filters 28 February 2003
-
-
-13. Full Copyright Statement
-
- Copyright (C) The Internet Society (2003). All Rights Reserved.
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-14. Appendix A: Changes Since RFC 2254
+15. Appendix A: Changes Since RFC 2254
+
+
+
+
+
+
+Smith & Howes Intended Category: Standards Track [Page 9]
+\f
+INTERNET-DRAFT LDAP: String Repres. of Search Filters 25 October 2003
+
-14.1. Technical Changes
+15.1. Technical Changes
The following technical changes were made to the contents of the
"String Search Filter Definition" section:
precisely reference productions from the [Models] and [Protocol]
documents.
-
-
-Smith & Howes Intended Category: Standards Track [Page 9]
-\f
-INTERNET-DRAFT LDAP: String Repres. of Search Filters 28 February 2003
-
-
Introduced the "valueencoding" and associated "normal" and "escaped"
rules to reduce the dependence on descriptive text. The "normal"
production restricts filter strings to valid UTF-8 sequences.
of a clear definition of "string representation."
-14.2. Editorial Changes
+15.2. Editorial Changes
Changed document title to include "LDAP:" prefix.
Header and "Authors' Addresses" sections: added Mark Smith as the
document editor and updated affiliation and contact information.
- "Table of Contents" section: added.
+ "Table of Contents" and "Intellectual Property Rights" sections:
+ added.
- Copyright: updated the year.
+ Copyright: updated per latest IETF guidelines.
"Abstract" section: separated from introductory material.
"Introduction" section: new section; separated from the Abstract.
Updated second paragraph to indicate that RFC 2254 is replaced by
+
+
+
+Smith & Howes Intended Category: Standards Track [Page 10]
+\f
+INTERNET-DRAFT LDAP: String Repres. of Search Filters 25 October 2003
+
+
this document (instead of RFC 1960). Added reference to the [Roadmap]
document.
escaped is replaced by a backslash and two hex digits, which
represent a single octet.
- "Examples" section: added five additional examples: (seeAlso=),
- (cn:=Betty Rubble), (:1.2.3:=Wilma Flintstone), (:=Fred Flintstone),
- and (1.3.6.1.4.1.1466.0=\04\02\48\69). Replaced one occurrence of "a
+ "Examples" section: added four additional examples: (seeAlso=),
+ (cn:=Betty Rubble), (:1.2.3:=Wilma Flintstone), and
+ (1.3.6.1.4.1.1466.0=\04\02\48\69). Replaced one occurrence of "a
value" with "an assertion value".
"Security Considerations" section: added references to [Protocol] and
-
-
-
-Smith & Howes Intended Category: Standards Track [Page 10]
-\f
-INTERNET-DRAFT LDAP: String Repres. of Search Filters 28 February 2003
-
-
[AuthMeth].
"Normative References" section: renamed from "References" per new RFC
guidelines. Changed from [1] style to [Protocol] style throughout the
document. Added entries for [ISO10646], [RFC2119], [AuthMeth],
- [Models], and [Roadmap] and updated UTF-8 reference to RFC 2279.
- Replaced RFC 822 reference with a reference to RFC 2234.
+ [Models], and [Roadmap] and updated the UTF-8 reference. Replaced
+ RFC 822 reference with a reference to RFC 2234.
"Informative References" section: added for clarity.
added.
-15. Appendix B: Changes Since Previous Document Revision
+16. Appendix B: Changes Since Previous Document Revision
- This appendix lists all changes relative to the last published
- revision, draft-ietf-ldapbis-filter-03.txt. Note that when
+ This appendix lists all changes relative to the previously published
+ revision, draft-ietf-ldapbis-filter-04.txt. Note that when
appropriate these changes are also included in Appendix A, but are
also included here for the benefit of the people who have already
- reviewed draft-ietf-ldapbis-filter-03.txt. This section will be
+ reviewed draft-ietf-ldapbis-filter-04.txt. This section will be
removed before this document is published as an RFC.
-15.1. Technical Changes
-
- "String Search Filter Definition" section: Added statement that the
- string representation is a string of UTF-8 encoded ISO 10646-1
- characters and statement about expected behavior in light of RFC
- 2254's lack of a clear definition of "string representation."
-
- "String Search Filter Definition" section: Revised all of the ABNF to
- use common productions from [Models]. Revised the "normal"
- production to restrict filter strings to valid UTF-8 sequences.
-
-
-15.2. Editorial Changes
-
- "Status of this Memo" section: updated boilerplate to match current
- I-D guidelines.
-
- "Examples" section: removed ;binary from an example.
- "LDAP Search Filter Definition " section: updated section references
Smith & Howes Intended Category: Standards Track [Page 11]
\f
-INTERNET-DRAFT LDAP: String Repres. of Search Filters 28 February 2003
-
-
- to match current LDAPBis drafts. Made minor changes to the ASN.1 so
- it exactly matches that used in the Protocol document (added
- comments).
-
- "Normative References" section: added references to [ISO10646],
- [RFC2119] and [Models].
-
- "Informative References" section: added for clarity.
-
- Updated copyright year to 2003.
-
-
-This Internet Draft expires on 28 August 2003.
-
-
+INTERNET-DRAFT LDAP: String Repres. of Search Filters 25 October 2003
+16.1. Technical Changes
+ "Examples" section: Removed the (:=Fred Flintstone) example which is
+ not allowed by the protocol.
+16.2. Editorial Changes
+ "String Search Filter Definition" section: Revised the last two
+ sentences in this section to improve clarity (the updated text now
+ begins with the text "Implementations SHOULD accept as input a string
+ that includes...."
+ Replaced all occurrences of "asterix" with the correctly spelled
+ "asterisk."
+ "Normative References" section: changed UTF-8 reference to point to
+ the UTF-8 Internet Draft.
+ "Intellectual Property Rights" section: added.
+ Author's Addresses section: New email address for Mark Smith.
+ "Full Copyright Statement" section: updated text to match latest IETF
+ guidelines.
+This Internet Draft expires on 25 April 2004.
INTERNET-DRAFT Editor: Kurt D. Zeilenga
Intended Category: Standard Track OpenLDAP Foundation
-Expires in six months 1 March 2003
+Expires in six months 27 October 2003
Obsoletes: RFC 2251, RFC 2252, RFC 2256
LDAP: Directory Information Models
- <draft-ietf-ldapbis-models-07.txt>
+ <draft-ietf-ldapbis-models-09.txt>
Internet-Draft Shadow Directories can be accessed at
<http://www.ietf.org/shadow.html>.
- Copyright 2003, The Internet Society. All Rights Reserved. Please
- see the Copyright section near the end of this document for more
- information.
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
+
+ Please see the Full Copyright section near the end of this document
+ for more information.
Abstract
-
Zeilenga LDAP Models [Page 1]
\f
-INTERNET-DRAFT draft-ietf-ldapbis-models-07 1 March 2003
+INTERNET-DRAFT draft-ietf-ldapbis-models-09 27 October 2003
Table of Contents
Table of Contents 2
1. Introduction 3
1.1. Relationship to Other LDAP Specifications
- 1.2. Relationship to ITU Specifications
- 1.3. Conventions 4
+ 1.2. Relationship to X.501 4
+ 1.3. Conventions
1.4. Common ABNF Productions
2. Model of Directory User Information 6
- 2.1. The Directory Information Tree
- 2.2. Naming of Entries 7
+ 2.1. The Directory Information Tree 7
+ 2.2. Naming of Entries
2.3. Structure of an Entry 8
- 2.4. Object Classes
+ 2.4. Object Classes 9
2.5. Attribute Descriptions 11
2.6. Alias Entries 15
- 3. Directory Administrative and Operational Information 16
+ 3. Directory Administrative and Operational Information 17
3.1. Subtrees
- 3.2. Subentries 17
- 3.3. The 'objectClass' attribute
- 3.4. Operational attributes 18
- 4. Directory Schema 20
- 4.1. Schema Definitions 21
- 4.2. Subschema Subentries 30
+ 3.2. Subentries
+ 3.3. The 'objectClass' attribute 18
+ 3.4. Operational attributes
+ 4. Directory Schema 21
+ 4.1. Schema Definitions 22
+ 4.2. Subschema Subentries 31
4.3. 'extensibleObject' 34
- 4.4. Subschema Discovery
+ 4.4. Subschema Discovery 35
5. DSA (Server) Informational Model
- 5.1. Server-specific Data Requirements 35
- 6. Other Considerations 38
+ 5.1. Server-specific Data Requirements 36
+ 6. Other Considerations 39
6.1. Preservation of User Information
6.2. Short Names
- 6.3. Cache and Shadowing 39
- 7. Implementation Guidelines 40
+ 6.3. Cache and Shadowing 40
+ 7. Implementation Guidelines
7.1. Server Guidelines
- 7.2. Client Guidelines
- 8. Security Considerations 41
+ 7.2. Client Guidelines 41
+ 8. Security Considerations
9. IANA Considerations
10. Acknowledgments 42
11. Author's Address
- 12. References
+ 12. References 43
12.1. Normative References
- 12.2. Informative References 43
+ 12.2. Informative References 44
Appendix A. Changes
A.1 Changes to RFC 2251 44
A.2 Changes to RFC 2252 46
- A.3 Changes to RFC 2256 47
- Copyright
+ A.3 Changes to RFC 2256 48
+ Intellectual Property Rights
Zeilenga LDAP Models [Page 2]
\f
-INTERNET-DRAFT draft-ietf-ldapbis-models-07 1 March 2003
+INTERNET-DRAFT draft-ietf-ldapbis-models-09 27 October 2003
+
+
+ Full Copyright 49
1. Introduction
This document obsoletes RFC 2251 sections 3.2 and 3.4, as well as
portions of sections 4 and 6. Appendix A.1 summaries changes to these
- sections. The remainder of RFC 2251 is obsoleted by the [Protocol],
- [AuthMeth], and [Roadmap] documents.
-
Zeilenga LDAP Models [Page 3]
\f
-INTERNET-DRAFT draft-ietf-ldapbis-models-07 1 March 2003
+INTERNET-DRAFT draft-ietf-ldapbis-models-09 27 October 2003
+ sections. The remainder of RFC 2251 is obsoleted by the [Protocol],
+ [AuthMeth], and [Roadmap] documents.
+
This document obsoletes RFC 2252 sections 4, 5 and 7. Appendix A.2
summaries changes to these sections. The remainder of RFC 2252 is
- obsoleted by [Syntaxes] and [Schema].
+ obsoleted by [Syntaxes].
This document obsoletes RFC 2256 sections 5.1, 5.2, 7.1 and 7.2.
Appendix A.3 summarizes changes to these sections. The remainder of
1.2. Relationship to X.501
This document includes material, with and without adaptation, from the
- [X.501]. Due to the adaptation, the material included in this
- document takes precedence.
+ [X.501]. The material in this document takes precedence over that in
+ [X.501].
1.3. Conventions
DIGIT = %x30 / LDIGIT ; "0"-"9"
LDIGIT = %x31-39 ; "1"-"9"
- HEX = DIGIT / %x41-46 / %x61-66 ; 0-9 / A-F / a-f
-
- SP = 1*SPACE ; one or more " "
Zeilenga LDAP Models [Page 4]
\f
-INTERNET-DRAFT draft-ietf-ldapbis-models-07 1 March 2003
+INTERNET-DRAFT draft-ietf-ldapbis-models-09 27 October 2003
+
+ HEX = DIGIT / %x41-46 / %x61-66 ; 0-9 / A-F / a-f
+ SP = 1*SPACE ; one or more " "
WSP = 0*SPACE ; zero or more " "
NULL = %x00 ; null (0)
; Any UTF-8 character
UTF8 = UTF1 / UTFMB
- UTFMB = UTF2 / UTF3 / UTF4 / UTF5 / UTF6
+ UTFMB = UTF2 / UTF3 / UTF4
UTF0 = %x80-BF
UTF1 = %x00-7F
- UTF2 = %xC0-DF 1(UTF0)
- UTF3 = %xE0-EF 2(UTF0)
- UTF4 = %xF0-F7 3(UTF0)
- UTF5 = %xF8-FB 4(UTF0)
- UTF6 = %xFC-FD 5(UTF0)
+ UTF2 = %xC2-DF UTF0
+ UTF3 = %xE0 %xA0-BF UTF0 / %xE1-EC 2(UTF0) /
+ %xED %x80-9F UTF0 / %xEE-EF 2(UTF0)
+ UTF4 = %xF0 %x90-BF 2(UTF0) / %xF1-F3 3(UTF0) /
+ %xF4 %x80-8F 2(UTF0)
; Any octet
OCTET = %x00-FF
- Object identifiers are represented in LDAP using a dot-decimal format
- conforming to the ABNF:
+ Object identifiers (OIDs) [X.680] are represented in LDAP using a dot-
+ decimal format conforming to the ABNF:
numericoid = number *( DOT number )
Short names, also known as descriptors, are used as more readable
aliases for object identifiers. Short names are case insensitive and
- conform to the ABNF:
-
- descr = keystring
Zeilenga LDAP Models [Page 5]
\f
-INTERNET-DRAFT draft-ietf-ldapbis-models-07 1 March 2003
+INTERNET-DRAFT draft-ietf-ldapbis-models-09 27 October 2003
+
+ conform to the ABNF:
+
+ descr = keystring
Where either an object identifier or a short name may be specified,
the following production is used:
provides alternative naming. A subentry holds administrative and/or
operational information.
- The set of entries representing the DIB are organized hierarchically
- in a tree structure known as the Directory Information Tree (DIT).
-
-
Zeilenga LDAP Models [Page 6]
\f
-INTERNET-DRAFT draft-ietf-ldapbis-models-07 1 March 2003
+INTERNET-DRAFT draft-ietf-ldapbis-models-09 27 October 2003
+
+ The set of entries representing the DIB are organized hierarchically
+ in a tree structure known as the Directory Information Tree (DIT).
Section 2.1 describes the Directory Information Tree
Section 2.2 discusses naming of entries.
immediate subordinates of the entry's immediate superior (i.e., all
siblings).
- The following are example string representations of RDNs [LDAPDN]:
-
-
Zeilenga LDAP Models [Page 7]
\f
-INTERNET-DRAFT draft-ietf-ldapbis-models-07 1 March 2003
+INTERNET-DRAFT draft-ietf-ldapbis-models-09 27 October 2003
+ The following are example string representations of RDNs [LDAPDN]:
UID=12345
OU=Engineering
CN=Kurt Zeilenga+L=Redwood Shores
-
Zeilenga LDAP Models [Page 8]
\f
-INTERNET-DRAFT draft-ietf-ldapbis-models-07 1 March 2003
+INTERNET-DRAFT draft-ietf-ldapbis-models-09 27 October 2003
Two values are considered equivalent if they would match according to
Zeilenga LDAP Models [Page 9]
\f
-INTERNET-DRAFT draft-ietf-ldapbis-models-07 1 March 2003
+INTERNET-DRAFT draft-ietf-ldapbis-models-09 27 October 2003
allowed to be present in entries belonging to the class. As an entry
Zeilenga LDAP Models [Page 10]
\f
-INTERNET-DRAFT draft-ietf-ldapbis-models-07 1 March 2003
+INTERNET-DRAFT draft-ietf-ldapbis-models-09 27 October 2003
Structural object classes are related to associated entries:
Zeilenga LDAP Models [Page 11]
\f
-INTERNET-DRAFT draft-ietf-ldapbis-models-07 1 March 2003
+INTERNET-DRAFT draft-ietf-ldapbis-models-09 27 October 2003
2.5.1) and a set of zero or more attribute options (see Section
Zeilenga LDAP Models [Page 12]
\f
-INTERNET-DRAFT draft-ietf-ldapbis-models-07 1 March 2003
+INTERNET-DRAFT draft-ietf-ldapbis-models-09 27 October 2003
syntax of its supertype. An attribute type cannot be a subtype of an
Not all options can be associated with attributes held in the
directory. Tagging options can be.
- Not all options can be use in conjunction with all attribute types.
+ Not all options can be used in conjunction with all attribute types.
In such cases, the attribute description is to be treated as
unrecognized.
conforming to the <option> production defined in Section 2.5 of this
document.
- Procedures for registering options are detailed in BCP 64 [RFC3383].
+ Procedures for registering options are detailed in BCP 64 [BCP64bis].
2.5.2.1. Tagging Options
Zeilenga LDAP Models [Page 13]
\f
-INTERNET-DRAFT draft-ietf-ldapbis-models-07 1 March 2003
+INTERNET-DRAFT draft-ietf-ldapbis-models-09 27 October 2003
An attribute description with N tagging options is considered a direct
Zeilenga LDAP Models [Page 14]
\f
-INTERNET-DRAFT draft-ietf-ldapbis-models-07 1 March 2003
+INTERNET-DRAFT draft-ietf-ldapbis-models-09 27 October 2003
precisely one attribute description. The description is indicated
Zeilenga LDAP Models [Page 15]
\f
-INTERNET-DRAFT draft-ietf-ldapbis-models-07 1 March 2003
+INTERNET-DRAFT draft-ietf-ldapbis-models-09 27 October 2003
NOTE - The name within the 'aliasedObjectName' is said to be
Zeilenga LDAP Models [Page 16]
\f
-INTERNET-DRAFT draft-ietf-ldapbis-models-07 1 March 2003
+INTERNET-DRAFT draft-ietf-ldapbis-models-09 27 October 2003
( 2.5.4.1 NAME 'aliasedObjectName'
Zeilenga LDAP Models [Page 17]
\f
-INTERNET-DRAFT draft-ietf-ldapbis-models-07 1 March 2003
+INTERNET-DRAFT draft-ietf-ldapbis-models-09 27 October 2003
subentry (e.g., 'subschema' for subschema subentries) to mimic the
all superclasses of the named classes SHALL be implicitly added as
well if not already present. That is, if the auxiliary class 'x-a' is
a subclass of the class 'x-b', adding 'x-a' to 'objectClass' causes
- 'x-b' to added (if is not already present).
+ 'x-b' to be implicitly added (if is not already present).
Servers SHALL restrict modifications of this attribute to prevent a
superclasses of remaining 'objectClass' values from being deleted.
Zeilenga LDAP Models [Page 18]
\f
-INTERNET-DRAFT draft-ietf-ldapbis-models-07 1 March 2003
+INTERNET-DRAFT draft-ietf-ldapbis-models-09 27 October 2003
A directory operational attribute is used to represent operational
and/or administrative information in the Directory Information Model.
This includes operational attributes maintained by the server (e.g.
- 'createTimeStamp') as well as operational attributes which hold values
+ 'createTimestamp') as well as operational attributes which hold values
administrated by the user (e.g. 'ditContentRules').
A DSA-shared operational attribute is used to represent information of
Zeilenga LDAP Models [Page 19]
\f
-INTERNET-DRAFT draft-ietf-ldapbis-models-07 1 March 2003
+INTERNET-DRAFT draft-ietf-ldapbis-models-09 27 October 2003
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
Zeilenga LDAP Models [Page 20]
\f
-INTERNET-DRAFT draft-ietf-ldapbis-models-07 1 March 2003
+INTERNET-DRAFT draft-ietf-ldapbis-models-09 27 October 2003
( 2.5.18.2 NAME 'modifyTimestamp'
Zeilenga LDAP Models [Page 21]
\f
-INTERNET-DRAFT draft-ietf-ldapbis-models-07 1 March 2003
+INTERNET-DRAFT draft-ietf-ldapbis-models-09 27 October 2003
structural object classes of the entries;
Zeilenga LDAP Models [Page 22]
\f
-INTERNET-DRAFT draft-ietf-ldapbis-models-07 1 March 2003
+INTERNET-DRAFT draft-ietf-ldapbis-models-09 27 October 2003
qdstring = SQUOTE dstring SQUOTE
Zeilenga LDAP Models [Page 23]
\f
-INTERNET-DRAFT draft-ietf-ldapbis-models-07 1 March 2003
+INTERNET-DRAFT draft-ietf-ldapbis-models-09 27 October 2003
kind = "ABSTRACT" / "STRUCTURAL" / "AUXILIARY"
[ SP "NAME" SP qdescrs ] ; short names (descriptors)
[ SP "DESC" SP qdstring ] ; description
[ SP "OBSOLETE" ] ; not active
- [ SP "SUP" SP oid ] ; subtype
+ [ SP "SUP" SP oid ] ; supertype
[ SP "EQUALITY" SP oid ] ; equality matching rule
[ SP "ORDERING" SP oid ] ; ordering matching rule
[ SP "SUBSTR" SP oid ] ; substrings matching rule
Zeilenga LDAP Models [Page 24]
\f
-INTERNET-DRAFT draft-ietf-ldapbis-models-07 1 March 2003
+INTERNET-DRAFT draft-ietf-ldapbis-models-09 27 October 2003
EQUALITY, ORDERING, SUBSTRING provide the oid of the equality,
Zeilenga LDAP Models [Page 25]
\f
-INTERNET-DRAFT draft-ietf-ldapbis-models-07 1 March 2003
+INTERNET-DRAFT draft-ietf-ldapbis-models-09 27 October 2003
Attribute Type Description. This bound is not part of the syntax name
Zeilenga LDAP Models [Page 26]
\f
-INTERNET-DRAFT draft-ietf-ldapbis-models-07 1 March 2003
+INTERNET-DRAFT draft-ietf-ldapbis-models-09 27 October 2003
MatchingRuleUseDescription = LPAREN WSP
terms of ASN.1 [X.680] and, optionally, have an octet string encoding
known as the LDAP-specific encoding. Commonly, the LDAP-specific
encoding is constrained to string of Universal Character Set (UCS)
- [ISO10646] characters in UTF-8 [RFC2279] form.
+ [ISO10646] characters in UTF-8 [UTF-8] form.
Each LDAP syntax is identified by an object identifier (OID).
Zeilenga LDAP Models [Page 27]
\f
-INTERNET-DRAFT draft-ietf-ldapbis-models-07 1 March 2003
+INTERNET-DRAFT draft-ietf-ldapbis-models-09 27 October 2003
For DIT entries of a particular structural object class, a DIT content
Zeilenga LDAP Models [Page 28]
\f
-INTERNET-DRAFT draft-ietf-ldapbis-models-07 1 March 2003
+INTERNET-DRAFT draft-ietf-ldapbis-models-09 27 October 2003
<numericoid> is the object identifier of the structural object class
Zeilenga LDAP Models [Page 29]
\f
-INTERNET-DRAFT draft-ietf-ldapbis-models-07 1 March 2003
+INTERNET-DRAFT draft-ietf-ldapbis-models-09 27 October 2003
where:
Zeilenga LDAP Models [Page 30]
\f
-INTERNET-DRAFT draft-ietf-ldapbis-models-07 1 March 2003
+INTERNET-DRAFT draft-ietf-ldapbis-models-09 27 October 2003
<numericoid> is object identifier which identifies this name form;
Zeilenga LDAP Models [Page 31]
\f
-INTERNET-DRAFT draft-ietf-ldapbis-models-07 1 March 2003
+INTERNET-DRAFT draft-ietf-ldapbis-models-09 27 October 2003
Subschema is held in (sub)entries belonging to the subschema auxiliary
Zeilenga LDAP Models [Page 32]
\f
-INTERNET-DRAFT draft-ietf-ldapbis-models-07 1 March 2003
+INTERNET-DRAFT draft-ietf-ldapbis-models-09 27 October 2003
4.2.3. 'matchingRules'
Zeilenga LDAP Models [Page 33]
\f
-INTERNET-DRAFT draft-ietf-ldapbis-models-07 1 March 2003
+INTERNET-DRAFT draft-ietf-ldapbis-models-09 27 October 2003
SYNTAX 1.3.6.1.4.1.1466.115.121.1.16
Zeilenga LDAP Models [Page 34]
\f
-INTERNET-DRAFT draft-ietf-ldapbis-models-07 1 March 2003
+INTERNET-DRAFT draft-ietf-ldapbis-models-09 27 October 2003
Note that not all servers will implement this object class, and those
Zeilenga LDAP Models [Page 35]
\f
-INTERNET-DRAFT draft-ietf-ldapbis-models-07 1 March 2003
+INTERNET-DRAFT draft-ietf-ldapbis-models-09 27 October 2003
5.1. Server-specific Data Requirements
- supportedLDAPVersion: LDAP versions supported; and
- - supportedSASLMechanisms: recognized SASL mechnanisms.
+ - supportedSASLMechanisms: recognized Simple Authentication and
+ Security Layers (SASL) [SASL] mechanisms.
The values of these attributes provided may depend on session specific
and other factors. For example, a server supporting the SASL EXTERNAL
Section 4.4.
-5.1.1. 'altServer'
Zeilenga LDAP Models [Page 36]
\f
-INTERNET-DRAFT draft-ietf-ldapbis-models-07 1 March 2003
+INTERNET-DRAFT draft-ietf-ldapbis-models-09 27 October 2003
+5.1.1. 'altServer'
+
The 'altServer' attribute lists URLs referring to alternative servers
which may be contacted when this server becomes unavailable. If the
server does not know of any other servers which could be used this
Object identifiers identifying response controls need not be listed.
Procedures for registering object identifiers used to discovery of
- protocol mechanisms are detailed in BCP 64 [RFC3383].
-
- ( 1.3.6.1.4.1.1466.101.120.13 NAME 'supportedControl'
+ protocol mechanisms are detailed in BCP 64 [BCP64bis].
Zeilenga LDAP Models [Page 37]
\f
-INTERNET-DRAFT draft-ietf-ldapbis-models-07 1 March 2003
+INTERNET-DRAFT draft-ietf-ldapbis-models-09 27 October 2003
+ ( 1.3.6.1.4.1.1466.101.120.13 NAME 'supportedControl'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.38
USAGE dSAOperation )
extended operation need not be listed.
Procedures for registering object identifiers used to discovery of
- protocol mechanisms are detailed in BCP 64 [RFC3383].
+ protocol mechanisms are detailed in BCP 64 [BCP64bis].
( 1.3.6.1.4.1.1466.101.120.7 NAME 'supportedExtension'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.38
5.1.6. 'supportedSASLMechanisms'
The 'supportedSASLMechanisms' attribute lists the SASL mechanisms
- [RFC2222] which the server recognizes. The contents of this attribute
Zeilenga LDAP Models [Page 38]
\f
-INTERNET-DRAFT draft-ietf-ldapbis-models-07 1 March 2003
+INTERNET-DRAFT draft-ietf-ldapbis-models-09 27 October 2003
+ [RFC2222] which the server recognizes. The contents of this attribute
may depend on the current session state. If the server does not
support any SASL mechanisms this attribute will not be present.
Implementations MUST be prepared that the same short name might be
used in a subschema to refer to the different kinds of schema
- elements. That is, there might be an object class 'x-fubar' and an
Zeilenga LDAP Models [Page 39]
\f
-INTERNET-DRAFT draft-ietf-ldapbis-models-07 1 March 2003
+INTERNET-DRAFT draft-ietf-ldapbis-models-09 27 October 2003
+ elements. That is, there might be an object class 'x-fubar' and an
attribute type 'x-fubar' in a subschema.
Implementations MUST be prepared that the same short name might be
in different subschemas.
Procedures for registering short names (descriptors) are detailed in
- BCP 64 [RFC3383bis].
-
- [[The remainder of this subsection will be included a subsequent
- revision of RFC 3383.]]
-
- To avoid interoperability problems, the following additional
- considerations are stated:
-
- Descriptors used to identify various schema elements SHOULD be
- registered unless in private-use name space (e.g., they begin with
- "x-"). Descriptors defined in RFCs MUST be registered.
-
- While the protocol allows the same descriptor to refer to
- different object identifiers in certain cases and the registry
- supports multiple registrations of the same descriptor (each
- indicating a different kind of schema element and different object
- identifier), multiple registrations of the same descriptor are to
- be avoided. All such registration requests require Expert Review.
+ BCP 64 [BCP64bis].
6.3. Cache and Shadowing
the names of attribute types and object classes defined in Section 3
and 4, respectively, of [Schema].
-
-
-
-Zeilenga LDAP Models [Page 40]
-\f
-INTERNET-DRAFT draft-ietf-ldapbis-models-07 1 March 2003
-
-
Servers MUST ensure that entries conform to user and system schema
rules or other data model constraints.
Servers MAY implement additional schema elements. Servers SHOULD
provide definitions of all schema elements they support in subschema
+
+
+
+Zeilenga LDAP Models [Page 40]
+\f
+INTERNET-DRAFT draft-ietf-ldapbis-models-09 27 October 2003
+
+
(sub)entries.
9. IANA Considerations
-
-
-
-Zeilenga LDAP Models [Page 41]
-\f
-INTERNET-DRAFT draft-ietf-ldapbis-models-07 1 March 2003
-
-
It is requested that the Internet Assigned Numbers Authority (IANA)
update the LDAP descriptors registry as indicated the following
template:
The following descriptors (short names) should be updated to refer
to RFC XXXX.
+
+
+Zeilenga LDAP Models [Page 41]
+\f
+INTERNET-DRAFT draft-ietf-ldapbis-models-09 27 October 2003
+
+
NAME Type OID
------------------------ ---- -----------------
alias O 2.5.6.1
10. Acknowledgments
-
-
-Zeilenga LDAP Models [Page 42]
-\f
-INTERNET-DRAFT draft-ietf-ldapbis-models-07 1 March 2003
-
-
This document is based in part on RFC 2251 by M. Wahl, T. Howes, and
S. Kille; RFC 2252 by M. Wahl, A. Coulbeck, T. Howes, S. Kille; and
RFC 2556 by M. Wahl, all products of the IETF Access, Searching and
International Telephone Union (ITU). Additional text was borrowed
from RFC 2253 by Mark Wahl, Tim Howes, and Steve Kille.
- This document is a product of the IETF LDAPBIS Working Group.
+ This document is a product of the IETF LDAP Revison (LDAPBIS) Working
+ Group.
11. Author's Address
E-mail: <kurt@openldap.org>
+
+Zeilenga LDAP Models [Page 42]
+\f
+INTERNET-DRAFT draft-ietf-ldapbis-models-09 27 October 2003
+
+
12. References
12.1. Normative References
- [RFC2279] Yergeau, F., "UTF-8, a transformation format of ISO 10646",
- RFC 2279, January 1998.
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14 (also RFC 2119), March 1997.
- [RFC2119] S. Bradner, "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14 (also RFC 2119), March 1997.
+ [RFC2234] Crocker, D. and P. Overell, "Augmented BNF for Syntax
+ Specifications: ABNF", RFC 2234, November 1997.
- [RFC2234] Crocker, D., and P. Overell, "Augmented BNF for Syntax
- Specifications: ABNF", RFC 2234, November 1997.
+ [BCP64bis] Zeilenga, K., "IANA Considerations for LDAP", draft-
+ ietf-ldapbis-bcp64-xx.txt, a work in progress.
- [RFC3383] K. Zeilenga, "IANA Considerations for LDAP", BCP 64 (also
- RFC 3383), September 2002.
+ [Roadmap] Zeilenga, K. (editor), "LDAP: Technical Specification
+ Road Map", draft-ietf-ldapbis-roadmap-xx.txt, a work in
+ progress.
- [Roadmap] K. Zeilenga (editor), "LDAP: Technical Specification Road
- Map", draft-ietf-ldapbis-roadmap-xx.txt, a work in
- progress.
+ [Protocol] Sermersheim, J. (editor), "LDAP: The Protocol",
+ draft-ietf-ldapbis-protocol-xx.txt, a work in progress.
- [Protocol] J. Sermersheim (editor), "LDAP: The Protocol",
- draft-ietf-ldapbis-protocol-xx.txt, a work in progress.
+ [AuthMeth] Harrison, R. (editor), "LDAP: Authentication Methods and
+ Connection Level Security Mechanisms",
+ draft-ietf-ldapbis-authmeth-xx.txt, a work in progress.
- [AuthMeth] R. Harrison (editor), "LDAP: Authentication Methods and
- Connection Level Security Mechanisms",
- draft-ietf-ldapbis-authmeth-xx.txt, a work in progress.
+ [LDAPDN] Zeilenga, K. (editor), "LDAP: String Representation of
+ Distinguished Names", draft-ietf-ldapbis-dn-xx.txt, a
+ work in progress.
- [LDAPDN] K. Zeilenga (editor), "LDAP: String Representation of
- Distinguished Names", draft-ietf-ldapbis-dn-xx.txt, a work
- in progress.
+ [Filters] Smith, M. (editor), LDAPbis WG, "LDAP: String
+ Representation of Search Filters",
+ draft-ietf-ldapbis-filter-xx.txt, a work in progress.
+ [LDAPURL] Smith, M. (editor), "LDAP: Uniform Resource Locator",
+ draft-ietf-ldapbis-url-xx.txt, a work in progress.
+ [SASL] Melnikov, A. (Editor), "Simple Authentication and
+ Security Layer (SASL)",
+ draft-ietf-sasl-rfc2222bis-xx.txt, a work in progress.
+ [Syntaxes] Legg, S. (editor), "LDAP: Syntaxes and Matching Rules",
+ draft-ietf-ldapbis-syntaxes-xx.txt, a work in progress.
-Zeilenga LDAP Models [Page 43]
-\f
-INTERNET-DRAFT draft-ietf-ldapbis-models-07 1 March 2003
+ [Schema] Dally, K. (editor), "LDAP: User Schema",
+ draft-ietf-ldapbis-user-schema-xx.txt, a work in
+ progress.
+
+ [UTF-8] Yergeau, F., "UTF-8, a transformation format of ISO
+ 10646", draft-yergeau-rfc2279bis-xx.txt, a work in
- [Filters] M. Smith (editor), LDAPbis WG, "LDAP: String Representation
- of Search Filters", draft-ietf-ldapbis-filter-xx.txt, a
- work in progress.
- [LDAPURL] M. Smith (editor), "LDAP: Uniform Resource Locator",
- draft-ietf-ldapbis-url-xx.txt, a work in progress.
+Zeilenga LDAP Models [Page 43]
+\f
+INTERNET-DRAFT draft-ietf-ldapbis-models-09 27 October 2003
+
- [Syntaxes] S. Legg (editor), "LDAP: Syntaxes",
- draft-ietf-ldapbis-syntaxes-xx.txt, a work in progress.
+ progress.
- [Schema] K. Dally (editor), "LDAP: User Schema",
- draft-ietf-ldapbis-user-schema-xx.txt, a work in progress.
+ [ISO10646] International Organization for Standardization,
+ "Universal Multiple-Octet Coded Character Set (UCS) -
+ Architecture and Basic Multilingual Plane", ISO/IEC
+ 10646-1 : 1993.
- [ISO10646] Universal Multiple-Octet Coded Character Set (UCS) -
- Architecture and Basic Multilingual Plane, ISO/IEC 10646-1
- : 1993.
+ [ASCII] Coded Character Set--7-bit American Standard Code for
+ Information Interchange, ANSI X3.4-1986.
- [X.500] ITU-T Rec. X.500, "The Directory: Overview of Concepts,
- Models and Service", 1993.
+ [X.500] International Telecommunication Union -
+ Telecommunication Standardization Sector, "The Directory
+ -- Overview of concepts, models and services,"
+ X.500(1993) (also ISO/IEC 9594-1:1994).
- [X.501] ITU-T Rec. X.501, "The Directory: Models", 1993.
+ [X.501] International Telecommunication Union -
+ Telecommunication Standardization Sector, "The Directory
+ -- Models," X.501(1993) (also ISO/IEC 9594-2:1994).
- [X.680] ITU-T Rec. X.680, "Abstract Syntax Notation One (ASN.1) -
- Specification of Basic Notation", 1994.
+ [X.680] International Telecommunication Union -
+ Telecommunication Standardization Sector, "Abstract
+ Syntax Notation One (ASN.1) - Specification of Basic
+ Notation", X.680(1997) (also ISO/IEC 8824-1:1998).
12.2. Informative References
+
Zeilenga LDAP Models [Page 44]
\f
-INTERNET-DRAFT draft-ietf-ldapbis-models-07 1 March 2003
+INTERNET-DRAFT draft-ietf-ldapbis-models-09 27 October 2003
A.1.1 Section 3.2 of RFC 2251
Changes:
- Clarify that attributes of the root DSE are subject to "other
- restrictions" in addition to acccess controls.
+ restrictions" in addition to access controls.
- Clarify that only recognized extended requests need to be enumerated
'supportedExtension'.
Zeilenga LDAP Models [Page 45]
\f
-INTERNET-DRAFT draft-ietf-ldapbis-models-07 1 March 2003
+INTERNET-DRAFT draft-ietf-ldapbis-models-09 27 October 2003
- Remove inconsistent text regarding handling of the
Zeilenga LDAP Models [Page 46]
\f
-INTERNET-DRAFT draft-ietf-ldapbis-models-07 1 March 2003
+INTERNET-DRAFT draft-ietf-ldapbis-models-09 27 October 2003
specification "descr is the syntactic representation of an object
Zeilenga LDAP Models [Page 47]
\f
-INTERNET-DRAFT draft-ietf-ldapbis-models-07 1 March 2003
+INTERNET-DRAFT draft-ietf-ldapbis-models-09 27 October 2003
interacts with precluded attributes.
document.
-Copyright 2003, The Internet Society. All Rights Reserved.
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published and
- distributed, in whole or in part, without restriction of any kind,
- provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be followed,
- or as required to translate it into languages other than English.
+Intellectual Property Rights
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
+ The IETF takes no position regarding the validity or scope of any
+ intellectual property or other rights that might be claimed to pertain
+ to the implementation or use of the technology described in this
+ document or the extent to which any license under such rights might or
+ might not be available; neither does it represent that it has made any
+ effort to identify any such rights. Information on the IETF's
+ procedures with respect to rights in standards-track and
+ standards-related documentation can be found in BCP-11. Copies of
+ claims of rights made available for publication and any assurances of
+ licenses to be made available, or the result of an attempt made to
+ obtain a general license or permission for the use of such proprietary
+ rights by implementors or users of this specification can be obtained
+ from the IETF Secretariat.
- This document and the information contained herein is provided on an
- "AS IS" basis and THE AUTHORS, THE INTERNET SOCIETY, AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights which may cover technology that may be required to practice
+ this standard. Please address the information to the IETF Executive
+ Director.
Zeilenga LDAP Models [Page 48]
\f
-INTERNET-DRAFT draft-ietf-ldapbis-models-07 1 March 2003
-
-
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-
-
-
-
-
-
-
-
+INTERNET-DRAFT draft-ietf-ldapbis-models-09 27 October 2003
+Full Copyright
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implmentation may be prepared, copied, published and
+ distributed, in whole or in part, without restriction of any kind,
+ provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be followed,
+ or as required to translate it into languages other than English.
-
Internet-Draft Editor: J. Sermersheim
Intended Category: Standard Track Novell, Inc
-Document: draft-ietf-ldapbis-protocol-13.txt Mar 2003
-Obsoletes: RFC 2251
+Document: draft-ietf-ldapbis-protocol-19.txt Dec 2003
+Obsoletes: RFC 2251, 2830
LDAP: The Protocol
Abstract
This document describes the protocol elements, along with their
- semantics and encodings, for the Lightweight Directory Access
- Protocol (LDAP). LDAP provides access to distributed directory
- services that act in accordance with X.500 data and service models.
- These protocol elements are based on those described in the X.500
- Directory Access Protocol (DAP).
+ semantics and encodings, of the Lightweight Directory Access Protocol
+ (LDAP). LDAP provides access to distributed directory services that
+ act in accordance with X.500 data and service models. These protocol
+ elements are based on those described in the X.500 Directory Access
+ Protocol (DAP).
Table of Contents
- 1. Introduction.....................................................2
- 2. Conventions......................................................3
- 3. Protocol Model...................................................3
- 4. Elements of Protocol.............................................3
- 4.1. Common Elements................................................4
- 4.1.1. Message Envelope.............................................4
- 4.1.2. String Types.................................................6
- 4.1.3. Distinguished Name and Relative Distinguished Name...........6
+ 1. Introduction....................................................2
+ 1.1. Relationship to Obsolete Specifications.......................3
+ 2. Conventions.....................................................3
+ 3. Protocol Model..................................................3
+ 4. Elements of Protocol............................................4
+ 4.1. Common Elements...............................................4
+ 4.1.1. Message Envelope............................................4
+ 4.1.2. String Types................................................6
-Sermersheim Internet-Draft - Expires Sep 2003 Page 1 \f
+Sermersheim Internet-Draft - Expires Jun 2004 Page 1 \f
Lightweight Directory Access Protocol Version 3
- 4.1.4. Attribute Descriptions.......................................6
- 4.1.5. Attribute Value..............................................7
- 4.1.6. Attribute Value Assertion....................................7
- 4.1.7. Attribute....................................................7
- 4.1.8. Matching Rule Identifier.....................................8
- 4.1.9. Result Message...............................................8
- 4.1.10. Referral...................................................10
- 4.1.11. Controls...................................................11
- 4.2. Bind Operation................................................12
- 4.3. Unbind Operation..............................................14
- 4.4. Unsolicited Notification......................................15
- 4.5. Search Operation..............................................16
- 4.6. Modify Operation..............................................23
- 4.7. Add Operation.................................................24
- 4.8. Delete Operation..............................................25
- 4.9. Modify DN Operation...........................................26
- 4.10. Compare Operation............................................27
- 4.11. Abandon Operation............................................28
- 4.12. Extended Operation...........................................28
- 4.13. Start TLS Operation..........................................29
- 5. Protocol Element Encodings and Transfer.........................31
- 5.1. Protocol Encoding.............................................31
- 5.2. Transfer Protocols............................................31
- 6. Implementation Guidelines.......................................32
- 6.1. Server Implementations........................................32
- 6.2. Client Implementations........................................32
- 7. Security Considerations.........................................32
- 8. Acknowledgements................................................33
- 9. Normative References............................................33
- 10. Editor's Address...............................................34
- Appendix A - LDAP Result Codes.....................................35
- A.1 Non-Error Result Codes.........................................35
- A.2 Error Result Codes.............................................35
- A.3 Classes and Precedence of Error Result Codes...................35
- Appendix C - Change History........................................46
- C.1 Changes made to RFC 2251:......................................46
- C.2 Changes made to draft-ietf-ldapbis-protocol-00.txt:............46
- C.3 Changes made to draft-ietf-ldapbis-protocol-01.txt:............47
- C.4 Changes made to draft-ietf-ldapbis-protocol-02.txt:............47
- C.5 Changes made to draft-ietf-ldapbis-protocol-03.txt:............49
- C.6 Changes made to draft-ietf-ldapbis-protocol-04.txt:............51
- C.7 Changes made to draft-ietf-ldapbis-protocol-05.txt:............51
- C.8 Changes made to draft-ietf-ldapbis-protocol-06.txt:............52
- C.9 Changes made to draft-ietf-ldapbis-protocol-07.txt:............55
- C.10 Changes made to draft-ietf-ldapbis-protocol-08.txt:...........55
- C.11 Changes made to draft-ietf-ldapbis-protocol-09.txt:...........55
- C.12 Changes made to draft-ietf-ldapbis-protocol-10.txt:...........55
- C.13 Changes made to draft-ietf-ldapbis-protocol-11.txt:...........56
- C.14 Changes made to draft-ietf-ldapbis-protocol-12.txt:...........56
- Appendix D - Outstanding Work Items................................56
+ 4.1.3. Distinguished Name and Relative Distinguished Name..........6
+ 4.1.4. Attribute Descriptions......................................7
+ 4.1.5. Attribute Value.............................................7
+ 4.1.6. Attribute Value Assertion...................................7
+ 4.1.7. Attribute and PartialAttribute..............................8
+ 4.1.8. Matching Rule Identifier....................................8
+ 4.1.9. Result Message..............................................8
+ 4.1.10. Referral..................................................10
+ 4.1.11. Controls..................................................11
+ 4.2. Bind Operation...............................................12
+ 4.3. Unbind Operation.............................................15
+ 4.4. Unsolicited Notification.....................................16
+ 4.5. Search Operation.............................................17
+ 4.6. Modify Operation.............................................25
+ 4.7. Add Operation................................................26
+ 4.8. Delete Operation.............................................27
+ 4.9. Modify DN Operation..........................................28
+ 4.10. Compare Operation...........................................29
+ 4.11. Abandon Operation...........................................30
+ 4.12. Extended Operation..........................................30
+ 4.13. StartTLS Operation..........................................31
+ 5. Protocol Element Encodings and Transfer........................33
+ 5.1. Protocol Encoding............................................34
+ 5.2. Transfer Protocols...........................................34
+ 6. Security Considerations........................................34
+ 7. Acknowledgements...............................................36
+ 8. Normative References...........................................36
+ 9. Informative References.........................................37
+ 10. IANA Considerations...........................................37
+ 11. Editor's Address..............................................38
+ Appendix A - LDAP Result Codes....................................39
+ A.1 Non-Error Result Codes........................................39
+ A.2 Result Codes..................................................39
+ Appendix B - Complete ASN.1 Definition............................43
+ Appendix C - Changes..............................................48
+ C.1 Changes made to made to RFC 2251:.............................48
+ C.2 Changes made to made to RFC 2830:.............................53
1. Introduction
-
-Sermersheim Internet-Draft - Expires Sep 2003 Page 2 \f
- Lightweight Directory Access Protocol Version 3
-
The Directory is "a collection of open systems cooperating to provide
- directory services" [X.500]. A Directory user, which may be a human
+ directory services" [X.500]. A directory user, which may be a human
or other entity, accesses the Directory through a client (or
Directory User Agent (DUA)). The client, on behalf of the directory
user, interacts with one or more servers (or Directory System Agents
(DSA)). Clients interact with servers using a directory access
protocol.
- This document details the protocol elements of Lightweight Directory
- Access Protocol, along with their semantics. Following the
- description of protocol elements, it describes the way in which the
- protocol is encoded and transferred.
+ This document details the protocol elements of the Lightweight
+ Directory Access Protocol (LDAP), along with their semantics.
+ Following the description of protocol elements, it describes the way
+ in which the protocol elements are encoded and transferred.
+
+
+Sermersheim Internet-Draft - Expires Jun 2004 Page 2 \f
+ Lightweight Directory Access Protocol Version 3
+
+
+1.1. Relationship to Obsolete Specifications
This document is an integral part of the LDAP Technical Specification
- [Roadmap].
+ [Roadmap] which obsoletes the previously defined LDAP technical
+ specification, RFC 3377, in its entirety.
+
+ This document obsoletes all of RFC 2251 except the following:
+ Sections 3.2, 3.4, 4.1.3 (last paragraph), 4.1.4, 4.1.5, 4.1.5.1,
+ 4.1.9 (last paragraph), 5.1, 6.1, and 6.2 (last paragraph) are
+ obsoleted by [Models].
+ Section 3.3 is obsoleted by [Roadmap].
+ Sections 4.2.1 (portions), and 4.2.2 are obsoleted by [AuthMeth].
- This document replaces RFC 2251. Appendix C holds a detailed log of
- changes to RFC 2251. Prior to Working Group Last Call, this appendix
- will be distilled to a summary of changes to RFC 2251.
+ Appendix C.1 summarizes substantive changes to the remaining
+ sections.
+
+ This document also obsoletes RFC 2830, Sections 2 and 4 in entirety.
+ The remainder of RFC 2830 is obsoleted by [AuthMeth]. Appendix C.2
+ summarizes substantive changes to the remaining sections.
2. Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", and "MAY" in this document are
- to be interpreted as described in [RFC2119].
+ to be interpreted as described in [Keyword].
+
+ The terms "connection" and "LDAP connection" both refer to the
+ underlying transport protocol connection between two protocol peers.
+
+ The term "TLS connection" refers to a TLS-protected LDAP connection.
+
+ The terms "association" and "LDAP association" both refer to the
+ association of the LDAP connection and its current authentication and
+ authorization state.
3. Protocol Model
performing protocol operations against servers. In this model, a
client transmits a protocol request describing the operation to be
performed to a server. The server is then responsible for performing
- the necessary operation(s) in the directory. Upon completion of the
- operation(s), the server returns a response containing any results or
- errors to the requesting client.
+ the necessary operation(s) in the Directory. Upon completion of the
+ operation(s), the server returns a response containing an appropriate
+ result code to the requesting client.
- Note that although servers are required to return responses whenever
- such responses are defined in the protocol, there is no requirement
- for synchronous behavior on the part of either clients or servers.
+ Although servers are required to return responses whenever such
+ responses are defined in the protocol, there is no requirement for
+ synchronous behavior on the part of either clients or servers.
Requests and responses for multiple operations may be exchanged
between a client and server in any order, provided the client
eventually receives a response for every request that requires one.
+
+Sermersheim Internet-Draft - Expires Jun 2004 Page 3 \f
+ Lightweight Directory Access Protocol Version 3
+
- Note that the core protocol operations defined in this document can
- be mapped to a subset of the X.500(1997) directory abstract service.
- However there is not a one-to-one mapping between LDAP protocol
- operations and DAP operations. Server implementations acting as a
- gateway to X.500 directories may need to make multiple DAP requests.
+ The core protocol operations defined in this document can be mapped
+ to a subset of the X.500 (1993) Directory Abstract Service. However
+ there is not a one-to-one mapping between LDAP protocol operations
+ and X.500 Directory Access Protocol (DAP) operations. Server
+ implementations acting as a gateway to X.500 directories may need to
+ make multiple DAP requests to service a single LDAP request.
4. Elements of Protocol
-
-Sermersheim Internet-Draft - Expires Sep 2003 Page 3 \f
- Lightweight Directory Access Protocol Version 3
-
- The LDAP protocol is described using Abstract Syntax Notation 1
- (ASN.1) [X.680], and is transferred using a subset of ASN.1 Basic
- Encoding Rules [X.690]. Section 5.1 specifies how the protocol is
+ The LDAP protocol is described using Abstract Syntax Notation One
+ ([ASN.1]), and is transferred using a subset of ASN.1 Basic Encoding
+ Rules ([BER]). Section 5.1 specifies how the protocol elements are
encoded and transferred.
In order to support future Standards Track extensions to this
protocol, extensibility is implied where it is allowed (per ASN.1).
In addition, ellipses (...) have been supplied in ASN.1 types that
are explicitly extensible as discussed in [LDAPIANA]. Because of the
- implied extensibility, clients and servers MUST ignore trailing
- SEQUENCE elements whose tags they do not recognize.
+ implied extensibility, clients and servers MUST (unless otherwise
+ specified) ignore trailing SEQUENCE components whose tags they do not
+ recognize.
Changes to the LDAP protocol other than through the extension
mechanisms described here require a different version number. A
client indicates the version it is using as part of the bind request,
- described in section 4.2. If a client has not sent a bind, the server
+ described in Section 4.2. If a client has not sent a bind, the server
MUST assume the client is using version 3 or later.
Clients may determine the protocol versions a server supports by
- reading the supportedLDAPVersion attribute from the root DSE
- [Models]. Servers which implement version 3 or later MUST provide
- this attribute.
+ reading the supportedLDAPVersion attribute from the root DSE (DSA-
+ Specific Entry) [Models].
4.1. Common Elements
- This section describes the LDAPMessage envelope PDU (Protocol Data
- Unit) format, as well as data type definitions, which are used in the
+ This section describes the LDAPMessage envelope Protocol Data Unit
+ (PDU) format, as well as data type definitions, which are used in the
protocol operations.
as follows:
LDAPMessage ::= SEQUENCE {
- messageID MessageID,
- protocolOp CHOICE {
- bindRequest BindRequest,
- bindResponse BindResponse,
- unbindRequest UnbindRequest,
- searchRequest SearchRequest,
- searchResEntry SearchResultEntry,
- searchResDone SearchResultDone,
- searchResRef SearchResultReference,
- modifyRequest ModifyRequest,
- modifyResponse ModifyResponse,
- addRequest AddRequest,
- addResponse AddResponse,
- delRequest DelRequest,
- delResponse DelResponse,
- modDNRequest ModifyDNRequest,
+ messageID MessageID,
+ protocolOp CHOICE {
+ bindRequest BindRequest,
+ bindResponse BindResponse,
+ unbindRequest UnbindRequest,
-Sermersheim Internet-Draft - Expires Sep 2003 Page 4 \f
+Sermersheim Internet-Draft - Expires Jun 2004 Page 4 \f
Lightweight Directory Access Protocol Version 3
- modDNResponse ModifyDNResponse,
- compareRequest CompareRequest,
- compareResponse CompareResponse,
- abandonRequest AbandonRequest,
- extendedReq ExtendedRequest,
- extendedResp ExtendedResponse,
- ... },
- controls [0] Controls OPTIONAL }
+ searchRequest SearchRequest,
+ searchResEntry SearchResultEntry,
+ searchResDone SearchResultDone,
+ searchResRef SearchResultReference,
+ modifyRequest ModifyRequest,
+ modifyResponse ModifyResponse,
+ addRequest AddRequest,
+ addResponse AddResponse,
+ delRequest DelRequest,
+ delResponse DelResponse,
+ modDNRequest ModifyDNRequest,
+ modDNResponse ModifyDNResponse,
+ compareRequest CompareRequest,
+ compareResponse CompareResponse,
+ abandonRequest AbandonRequest,
+ extendedReq ExtendedRequest,
+ extendedResp ExtendedResponse,
+ ... },
+ controls [0] Controls OPTIONAL }
MessageID ::= INTEGER (0 .. maxInt)
SEQUENCE tag cannot be recognized, the messageID cannot be parsed,
the tag of the protocolOp is not recognized as a request, or the
encoding structures or lengths of data fields are found to be
- incorrect, then the server MAY return the Notice of Disconnection
- described in section 4.4.1, with resultCode protocolError, and MUST
- immediately close the connection.
+ incorrect, then the server SHOULD return the Notice of Disconnection
+ described in Section 4.4.1, with the resultCode set to protocolError,
+ and MUST immediately close the connection.
In other cases where the client or server cannot parse a PDU, it
SHOULD abruptly close the connection where further communication
implementations MUST return an appropriate response to the request,
with the resultCode set to protocolError.
- The ASN.1 type Controls is defined in section 4.1.11.
+ The ASN.1 type Controls is defined in Section 4.1.11.
4.1.1.1. Message ID
messageID value of the corresponding request LDAPMessage.
The message ID of a request MUST have a non-zero value different from
- the values of any other requests outstanding in the LDAP session of
- which this message is a part. The zero value is reserved for the
+ the values of any other requests outstanding in the LDAP association
+ of which this message is a part. The zero value is reserved for the
unsolicited notification message.
+
+Sermersheim Internet-Draft - Expires Jun 2004 Page 5 \f
+ Lightweight Directory Access Protocol Version 3
+
Typical clients increment a counter for each request.
A client MUST NOT send a request with the same message ID as an
- earlier request on the same connection unless it can be determined
- that the server is no longer servicing the earlier request. Otherwise
- the behavior is undefined. For operations that do not return
- responses (unbind, abandon, and abandoned operations), the client
- SHOULD assume the operation is in progress until a subsequent bind
- request completes.
+ earlier request on the same LDAP association unless it can be
+ determined that the server is no longer servicing the earlier
+ request. Otherwise the behavior is undefined. For operations that do
+ not return responses (unbind, abandon, and abandoned operations), the
+ client SHOULD assume the operation is in progress until a subsequent
+ bind request completes.
-
-Sermersheim Internet-Draft - Expires Sep 2003 Page 5 \f
- Lightweight Directory Access Protocol Version 3
-
4.1.2. String Types
The LDAPString is a notational convenience to indicate that, although
- strings of LDAPString type encode as OCTET STRING types, the
- [ISO10646] character set (a superset of Unicode) is used, encoded
- following the UTF-8 algorithm [RFC2279]. Note that in the UTF-8
- algorithm characters which are the same as ASCII (0x0000 through
- 0x007F) are represented as that same ASCII character in a single
- byte. The other byte values are used to form a variable-length
- encoding of an arbitrary character.
+ strings of LDAPString type encode as ASN.1 OCTET STRING types, the
+ [ISO10646] character set (a superset of [Unicode]) is used, encoded
+ following the [UTF-8] algorithm. Note that Unicode characters U+0000
+ through U+007F are the same as ASCII 0 through 127, respectively, and
+ have the same single octet UTF-8 encoding. Other Unicode characters
+ have a multiple octet UTF-8 encoding.
LDAPString ::= OCTET STRING -- UTF-8 encoded,
- -- ISO 10646 characters
+ -- [ISO10646] characters
The LDAPOID is a notational convenience to indicate that the
permitted value of this string is a (UTF-8 encoded) dotted-decimal
representation of an OBJECT IDENTIFIER. Although an LDAPOID is
encoded as an OCTET STRING, values are limited to the definition of
- numericoid given in Section 1.3 of [Models].
+ <numericoid> given in Section 1.3 of [Models].
- LDAPOID ::= OCTET STRING -- Constrained to numericoid [Models]
+ LDAPOID ::= OCTET STRING -- Constrained to <numericoid> [Models]
For example,
4.1.3. Distinguished Name and Relative Distinguished Name
- An LDAPDN and a RelativeLDAPDN are respectively defined to be the
- representation of a distinguished-name and a relative-distinguished-
- name after encoding according to the specification in [LDAPDN].
+ An LDAPDN is defined to be the representation of a Distinguished Name
+ (DN) after encoding according to the specification in [LDAPDN].
+
+ LDAPDN ::= LDAPString
+ -- Constrained to <distinguishedName> [LDAPDN]
- LDAPDN ::= LDAPString
- -- Constrained to distinguishedName [LDAPDN]
+ A RelativeLDAPDN is defined to be the representation of a Relative
+ Distinguished Name (RDN) after encoding according to the
+ specification in [LDAPDN].
- RelativeLDAPDN ::= LDAPString
- -- Constrained to name-component [LDAPDN]
+ RelativeLDAPDN ::= LDAPString
+ -- Constrained to <name-component> [LDAPDN]
+
+Sermersheim Internet-Draft - Expires Jun 2004 Page 6 \f
+ Lightweight Directory Access Protocol Version 3
+
4.1.4. Attribute Descriptions
The definition and encoding rules for attribute descriptions are
is an attribute type and zero or more options.
AttributeDescription ::= LDAPString
- -- Constrained to attributedescription
- -- [Models]
+ -- Constrained to <attributedescription>
+ -- [Models]
- An AttributeDescriptionList describes a list of 0 or more attribute
- descriptions. (A list of zero elements has special significance in
- the Search request.)
-
-Sermersheim Internet-Draft - Expires Sep 2003 Page 6 \f
- Lightweight Directory Access Protocol Version 3
-
-
- AttributeDescriptionList ::= SEQUENCE OF
- AttributeDescription
-
4.1.5. Attribute Value
A field of type AttributeValue is an OCTET STRING containing an
- encoded attribute value data type. The value is encoded according to
- its LDAP-specific encoding definition. The LDAP-specific encoding
- definitions for different syntaxes and attribute types may be found
- in other documents, and in particular [Syntaxes].
+ encoded attribute value. The attribute value is encoded according to
+ the LDAP-specific encoding definition of its corresponding syntax.
+ The LDAP-specific encoding definitions for different syntaxes and
+ attribute types may be found in other documents and in particular
+ [Syntaxes].
AttributeValue ::= OCTET STRING
photographs).
Attributes may be defined which have arbitrary and non-printable
- syntax. Implementations MUST NOT display nor attempt to decode as
- ASN.1, a value if its syntax is not known. The implementation may
- attempt to discover the subschema of the source entry, and retrieve
- the values of attributeTypes from it.
+ syntax. Implementations MUST NOT display nor attempt to decode a
+ value if its syntax is not known. The implementation may attempt to
+ discover the subschema of the source entry, and retrieve the
+ descriptions of attributeTypes from it [Models].
Clients MUST NOT send attribute values in a request that are not
valid according to the syntax defined for the attributes.
4.1.6. Attribute Value Assertion
The AttributeValueAssertion type definition is similar to the one in
- the X.500 directory standards. It contains an attribute description
+ the X.500 Directory standards. It contains an attribute description
and a matching rule assertion value suitable for that type.
AttributeValueAssertion ::= SEQUENCE {
- attributeDesc AttributeDescription,
- assertionValue AssertionValue }
+ attributeDesc AttributeDescription,
+ assertionValue AssertionValue }
AssertionValue ::= OCTET STRING
matching rule for an attribute is used when performing a Compare
operation. Often this is the same syntax used for values of the
attribute type, but in some cases the assertion syntax differs from
+
+
+Sermersheim Internet-Draft - Expires Jun 2004 Page 7 \f
+ Lightweight Directory Access Protocol Version 3
+
the value syntax. See objectIdentiferFirstComponentMatch in
[Syntaxes] for an example.
-4.1.7. Attribute
+4.1.7. Attribute and PartialAttribute
- An attribute consists of an attribute description and one or more
- values of that attribute description. (Though attributes MUST have at
-
-Sermersheim Internet-Draft - Expires Sep 2003 Page 7 \f
- Lightweight Directory Access Protocol Version 3
-
- least one value when stored, due to access control restrictions the
- set may be empty when transferred from the server to the client. This
- is described in section 4.5.2, concerning the PartialAttributeList
- type.)
+ Attributes and partial attributes consist of an attribute description
+ and values of that attribute description. A PartialAttribute allows
+ zero values, while Attribute requires at least one value.
- Attribute ::= SEQUENCE {
- type AttributeDescription,
- vals SET OF AttributeValue }
+ PartialAttribute ::= SEQUENCE {
+ type AttributeDescription,
+ vals SET OF value AttributeValue }
- Each attribute value is distinct in the set (no duplicates). The set
- of attribute values is unordered. Implementations MUST NOT reply upon
- any apparent ordering being repeatable.
+ Attribute ::= PartialAttribute(WITH COMPONENTS {
+ ...,
+ vals (SIZE(1..MAX))})
+ Each attribute value is distinct in the set (no duplicates). The set
+ of attribute values is unordered. Implementations MUST NOT rely upon
+ the ordering being repeatable.
4.1.8. Matching Rule Identifier
Matching rules are defined in 4.1.3 of [Models]. A matching rule is
identified in the LDAP protocol by the printable representation of
- either its numericoid, or one of its short name descriptors, e.g.
- "caseIgnoreIA5Match" or "1.3.6.1.4.1.453.33.33".
+ either its <numericoid>, or one of its short name descriptors
+ [Models], e.g. "caseIgnoreIA5Match" or "1.3.6.1.4.1.453.33.33".
MatchingRuleId ::= LDAPString
-
- Servers which support matching rules for use in the extensibleMatch
- search filter MUST list the matching rules they implement in
- subschema entries, using the matchingRules attributes. The server
- SHOULD also list there, using the matchingRuleUse attribute, the
- attribute types with which each matching rule can be used. More
- information is given in section 4.5 of [Syntaxes].
-
+
4.1.9. Result Message
of a protocol operation request.
LDAPResult ::= SEQUENCE {
- resultCode ENUMERATED {
- success (0),
- operationsError (1),
- protocolError (2),
- timeLimitExceeded (3),
- sizeLimitExceeded (4),
- compareFalse (5),
- compareTrue (6),
- authMethodNotSupported (7),
- strongAuthRequired (8),
- -- 9 reserved --
- referral (10),
- adminLimitExceeded (11),
- unavailableCriticalExtension (12),
+ resultCode ENUMERATED {
+ success (0),
+ operationsError (1),
+ protocolError (2),
+ timeLimitExceeded (3),
+ sizeLimitExceeded (4),
+ compareFalse (5),
+ compareTrue (6),
+ authMethodNotSupported (7),
+ strongAuthRequired (8),
+ -- 9 reserved --
+ referral (10),
+ adminLimitExceeded (11),
-Sermersheim Internet-Draft - Expires Sep 2003 Page 8 \f
+Sermersheim Internet-Draft - Expires Jun 2004 Page 8 \f
Lightweight Directory Access Protocol Version 3
- confidentialityRequired (13),
- saslBindInProgress (14),
- noSuchAttribute (16),
- undefinedAttributeType (17),
- inappropriateMatching (18),
- constraintViolation (19),
- attributeOrValueExists (20),
- invalidAttributeSyntax (21),
- -- 22-31 unused --
- noSuchObject (32),
- aliasProblem (33),
- invalidDNSyntax (34),
- -- 35 reserved for undefined isLeaf --
- aliasDereferencingProblem (36),
- -- 37-47 unused --
- inappropriateAuthentication (48),
- invalidCredentials (49),
- insufficientAccessRights (50),
- busy (51),
- unavailable (52),
- unwillingToPerform (53),
- loopDetect (54),
- -- 55-63 unused --
- namingViolation (64),
- objectClassViolation (65),
- notAllowedOnNonLeaf (66),
- notAllowedOnRDN (67),
- entryAlreadyExists (68),
- objectClassModsProhibited (69),
- -- 70 reserved for CLDAP --
- affectsMultipleDSAs (71),
- -- 72-79 unused --
- other (80),
- ... },
- -- 81-90 reserved for APIs --
- matchedDN LDAPDN,
- diagnosticMessage LDAPString,
- referral [3] Referral OPTIONAL }
-
- The result codes enumeration is extensible as defined in Section 3.5
- of [LDAPIANA]. The meanings of the result codes are given in Appendix
- A.
+ unavailableCriticalExtension (12),
+ confidentialityRequired (13),
+ saslBindInProgress (14),
+ noSuchAttribute (16),
+ undefinedAttributeType (17),
+ inappropriateMatching (18),
+ constraintViolation (19),
+ attributeOrValueExists (20),
+ invalidAttributeSyntax (21),
+ -- 22-31 unused --
+ noSuchObject (32),
+ aliasProblem (33),
+ invalidDNSyntax (34),
+ -- 35 reserved for undefined isLeaf --
+ aliasDereferencingProblem (36),
+ -- 37-47 unused --
+ inappropriateAuthentication (48),
+ invalidCredentials (49),
+ insufficientAccessRights (50),
+ busy (51),
+ unavailable (52),
+ unwillingToPerform (53),
+ loopDetect (54),
+ -- 55-63 unused --
+ namingViolation (64),
+ objectClassViolation (65),
+ notAllowedOnNonLeaf (66),
+ notAllowedOnRDN (67),
+ entryAlreadyExists (68),
+ objectClassModsProhibited (69),
+ -- 70 reserved for CLDAP --
+ affectsMultipleDSAs (71),
+ -- 72-79 unused --
+ other (80),
+ ... },
+ -- 81-90 reserved for APIs --
+ matchedDN LDAPDN,
+ diagnosticMessage LDAPString,
+ referral [3] Referral OPTIONAL }
+
+ The resultCode enumeration is extensible as defined in Section 3.5 of
+ [LDAPIANA]. The meanings of the result codes are given in Appendix A.
+ If a server detects multiple errors for an operation, only one result
+ code is returned. The server should return the result code that best
+ indicates the nature of the error encountered.
The diagnosticMessage field of this construct may, at the server's
option, be used to return a string containing a textual, human-
avoided) diagnostic message. As this diagnostic message is not
standardized, implementations MUST NOT rely on the values returned.
If the server chooses not to return a textual diagnostic, the
- diagnosticMessage field of the LDAPResult type MUST contain a zero
- length string.
+ diagnosticMessage field MUST be empty.
- For certain result codes (typically, but not restricted to
- noSuchObject, aliasProblem, invalidDNSyntax and
-Sermersheim Internet-Draft - Expires Sep 2003 Page 9 \f
+Sermersheim Internet-Draft - Expires Jun 2004 Page 9 \f
Lightweight Directory Access Protocol Version 3
+ For certain result codes (typically, but not restricted to
+ noSuchObject, aliasProblem, invalidDNSyntax and
aliasDereferencingProblem), the matchedDN field is set to the name of
- the lowest entry (object or alias) in the directory that was matched.
+ the lowest entry (object or alias) in the Directory that was matched.
If no aliases were dereferenced while attempting to locate the entry,
this will be a truncated form of the name provided, or if aliases
- were dereferenced, of the resulting name, as defined in section 12.5
- of [X.511]. The matchedDN field contains a zero length string with
- all other result codes.
+ were dereferenced, of the resulting name, as defined in Section 12.5
+ of [X.511]. Otherwise the matchedDN field is empty.
4.1.10. Referral
The referral result code indicates that the contacted server does not
hold the target entry of the request. The referral field is present
- in an LDAPResult if the LDAPResult.resultCode field value is
- referral, and absent with all other result codes. It contains one or
- more references to one or more servers or services that may be
- accessed via LDAP or other protocols. Referrals can be returned in
- response to any operation request (except unbind and abandon which do
- not have responses). At least one URL MUST be present in the
- Referral.
+ in an LDAPResult if the resultCode field value is referral, and
+ absent with all other result codes. It contains one or more
+ references to one or more servers or services that may be accessed
+ via LDAP or other protocols. Referrals can be returned in response to
+ any operation request (except unbind and abandon which do not have
+ responses). At least one URI MUST be present in the Referral.
During a search operation, after the baseObject is located, and
entries are being evaluated, the referral is not returned. Instead,
- continuation references, described in section 4.5.3, are returned
+ continuation references, described in Section 4.5.3, are returned
when the search scope spans multiple naming contexts, and several
different servers would need to be contacted to complete the
operation.
- Referral ::= SEQUENCE OF LDAPURL -- one or more
+ Referral ::= SEQUENCE SIZE (1..MAX) OF uri URI
- LDAPURL ::= LDAPString -- limited to characters permitted in
- -- URLs
+ URI ::= LDAPString -- limited to characters permitted in
+ -- URIs
If the client wishes to progress the operation, it MUST follow the
- referral by contacting one of the servers. If multiple URLs are
- present, the client assumes that any URL may be used to progress the
+ referral by contacting one of the services. If multiple URIs are
+ present, the client assumes that any URI may be used to progress the
operation.
- URLs for servers implementing the LDAP protocol are written according
- to [LDAPURL]. If an alias was dereferenced, the <dn> part of the URL
- MUST be present, with the new target object name. If the <dn> part is
- present, the client MUST use this name in its next request to
- progress the operation, and if it is not present the client will use
- the same name as in the original request. Some servers (e.g.
- participating in distributed indexing) may provide a different filter
- in a referral for a search operation. If the filter part of the URL
- is present in an LDAPURL, the client MUST use this filter in its next
- request to progress this search, and if it is not present the client
- MUST use the same filter as it used for that search. Other aspects of
- the new request may be the same or different as the request which
- generated the referral.
+ Clients that follow referrals MUST ensure that they do not loop
+ between servers. They MUST NOT repeatedly contact the same server for
+ the same request with the same target entry name, scope and filter.
+ Some clients use a counter that is incremented each time referral
+ handling occurs for an operation, and these kinds of clients MUST be
+ able to handle at least ten nested referrals between the root and a
+ leaf entry.
-
+ A URI for a server implementing LDAP and accessible via [TCP]/[IP]
+ (v4 or v6) is written as an LDAP URL according to [LDAPURL].
+
+ When an LDAP URL is used, the following instructions are followed:
+ - If an alias was dereferenced, the <dn> part of the URL MUST be
+ present, with the new target object name. Note that UTF-8
+ characters appearing in a DN or search filter may not be legal
-Sermersheim Internet-Draft - Expires Sep 2003 Page 10 \f
+Sermersheim Internet-Draft - Expires Jun 2004 Page 10 \f
Lightweight Directory Access Protocol Version 3
- Note that UTF-8 characters appearing in a DN or search filter may not
- be legal for URLs (e.g. spaces) and MUST be escaped using the %
- method in [RFC2396].
-
- Other kinds of URLs may be returned, so long as the operation could
- be performed using that protocol.
+ for URLs (e.g. spaces) and MUST be escaped using the % method in
+ [URI].
+ - It is RECOMMENDED that the <dn> part be present to avoid
+ ambiguity.
+ - If the <dn> part is present, the client MUST use this name in
+ its next request to progress the operation, and if it is not
+ present the client will use the same name as in the original
+ request.
+ - Some servers (e.g. participating in distributed indexing) may
+ provide a different filter in a URL of a referral for a search
+ operation.
+ - If the <filter> part of the LDAP URL is present, the client MUST
+ use this filter in its next request to progress this search, and
+ if it is not present the client MUST use the same filter as it
+ used for that search.
+ - For search, it is RECOMMENDED that the <scope> part be present
+ to avoid ambiguity.
+ - If the <scope> part is missing, the scope of the original search
+ is used by the client to progress the operation.
+ - Other aspects of the new request may be the same as or different
+ from the request which generated the referral.
+
+ Other kinds of URIs may be returned. The syntax and semantics of such
+ URIs is left to future specifications. Clients ignore URIs that they
+ do not support.
4.1.11. Controls
message. A control only alters the semantics of the message it is
attached to.
- Controls ::= SEQUENCE OF Control
+ Controls ::= SEQUENCE OF control Control
Control ::= SEQUENCE {
- controlType LDAPOID,
- criticality BOOLEAN DEFAULT FALSE,
- controlValue OCTET STRING OPTIONAL }
+ controlType LDAPOID,
+ criticality BOOLEAN DEFAULT FALSE,
+ controlValue OCTET STRING OPTIONAL }
- The controlType field MUST be a UTF-8 encoded dotted-decimal
+ The controlType field is the UTF-8 encoded dotted-decimal
representation of an OBJECT IDENTIFIER which uniquely identifies the
- control. This prevents conflicts between control names.
+ control, or the request control and its paired response control. This
+ prevents conflicts between control names.
The criticality field is either TRUE or FALSE and only applies to
request messages that have a corresponding response message. For all
other messages (such as abandonRequest, unbindRequest and all
- response messages), the criticality field is treated as FALSE.
+ response messages), the criticality field SHOULD be FALSE.
If the server recognizes the control type and it is appropriate for
the operation, the server will make use of the control when
performing the operation.
+
+Sermersheim Internet-Draft - Expires Jun 2004 Page 11 \f
+ Lightweight Directory Access Protocol Version 3
+
If the server does not recognize the control type or it is not
appropriate for the operation, and the criticality field is TRUE, the
- server MUST NOT perform the operation, and MUST instead return the
- resultCode unavailableCriticalExtension.
+ server MUST NOT perform the operation, and for operations that have a
+ response, MUST set the resultCode to unavailableCriticalExtension.
If the control is unrecognized or inappropriate but the criticality
field is FALSE, the server MUST ignore the control.
The controlValue contains any information associated with the
- control, and its format is defined for the control. Implementations
- MUST be prepared to handle arbitrary contents of the controlValue
- octet string, including zero bytes. It is absent only if there is no
- value information which is associated with a control of its type.
+ control. Its format is defined by the specification of the control.
+ Implementations MUST be prepared to handle arbitrary contents of the
+ controlValue octet string, including zero bytes. It is absent only if
+ there is no value information which is associated with a control of
+ its type. controlValues that are defined in terms of ASN.1 and BER
+ encoded according to Section 5.1, also follow the extensibility rules
+ in Section 4.
+
+ Servers list the controlType of all request controls they recognize
+ in the supportedControl attribute [Models] in the root DSE.
+
+ Controls SHOULD NOT be combined unless the semantics of the
+ combination has been specified. The semantics of control
+ combinations, if specified, are generally found in the control
+ specification most recently published. In the absence of combination
+ semantics, the behavior of the operation is undefined.
+ Additionally, unless order-dependent semantics are given in a
+ specification, the order of a combination of controls in the SEQUENCE
+ is ignored.
This document does not specify any controls. Controls may be
specified in other documents. The specification of a control consists
- the OBJECT IDENTIFIER assigned to the control,
-
-Sermersheim Internet-Draft - Expires Sep 2003 Page 11 \f
- Lightweight Directory Access Protocol Version 3
-
- - whether the control is always noncritical, always critical, or
- critical at the client's option,
+ - whether the control is always non critical, always critical, or
+ optionally critical,
- - the format of the controlValue contents of the control,
+ - whether there is information associated with the control, and if
+ so, the format of the controlValue contents,
- - the semantics of the control,
+ - the semantics of the control, and
- - and optionally, semantics regarding the combination of the control
+ - optionally, semantics regarding the combination of the control
with other controls.
- Servers list the controlType of all request controls they recognize
- in the supportedControl attribute [Models] in the root DSE.
-
- Controls should not be combined unless the semantics of the
- combination has been specified. The semantics of control
- combinations, if specified, are generally found in the control
- specification most recently published. In the absence of combination
- semantics, the behavior of the operation is undefined.
- Additionally, the order of a combination of controls in the SEQUENCE
- is ignored unless the control specification(s) describe(s)
- combination semantics.
-
4.2. Bind Operation
The function of the Bind Operation is to allow authentication
- information to be exchanged between the client and server. Prior to
- the first BindRequest, the implied identity is anonymous. Refer to
- [AuthMeth] for the authentication-related semantics of this
- operation.
+ information to be exchanged between the client and server. The Bind
+ operation should be thought of as the "authenticate" operation.
+ Authentication and security-related semantics of this operation are
+ given in [AuthMeth].
+
+Sermersheim Internet-Draft - Expires Jun 2004 Page 12 \f
+ Lightweight Directory Access Protocol Version 3
+
The Bind Request is defined as follows:
BindRequest ::= [APPLICATION 0] SEQUENCE {
- version INTEGER (1 .. 127),
- name LDAPDN,
- authentication AuthenticationChoice }
+ version INTEGER (1 .. 127),
+ name LDAPDN,
+ authentication AuthenticationChoice }
AuthenticationChoice ::= CHOICE {
- simple [0] OCTET STRING,
- -- 1 and 2 reserved
- sasl [3] SaslCredentials,
- ... }
+ simple [0] OCTET STRING,
+ -- 1 and 2 reserved
+ sasl [3] SaslCredentials,
+ ... }
SaslCredentials ::= SEQUENCE {
- mechanism LDAPString,
- credentials OCTET STRING OPTIONAL }
+ mechanism LDAPString,
+ credentials OCTET STRING OPTIONAL }
Parameters of the Bind Request are:
- version: A version number indicating the version of the protocol
- to be used in this protocol session. This document describes
+ to be used in this protocol association. This document describes
version 3 of the LDAP protocol. Note that there is no version
- negotiation, and the client just sets this parameter to the
-
-Sermersheim Internet-Draft - Expires Sep 2003 Page 12 \f
- Lightweight Directory Access Protocol Version 3
-
- version it desires. If the server does not support the specified
- version, it responds with protocolError in the resultCode field of
- the BindResponse.
+ negotiation. The client sets this parameter to the version it
+ desires. If the server does not support the specified version, it
+ MUST respond with protocolError in the resultCode field of the
+ BindResponse.
- - name: The name of the directory object that the client wishes to
+ - name: The name of the Directory object that the client wishes to
bind as. This field may take on a null value (a zero length
- string) for the purposes of anonymous binds ([AuthMeth] section 7)
- or when using SASL authentication ([AuthMeth] section 4.3). Server
- behavior is undefined when the name is a null value, simple
- authentication is used, and a password is specified. The server
- SHOULD NOT perform any alias dereferencing in determining the
- object to bind as.
+ string) for the purposes of anonymous binds ([AuthMeth] Section 7)
+ or when using Simple Authentication and Security Layer [SASL]
+ authentication ([AuthMeth] Section 4.3). Server behavior is
+ undefined when the name is a null value, simple authentication is
+ used, and a password is specified. The server SHALL NOT perform
+ alias dereferencing in determining the object to bind as.
- authentication: information used to authenticate the name, if any,
provided in the Bind Request. This type is extensible as defined
in Section 3.6 of [LDAPIANA]. Servers that do not support a choice
supplied by a client will return authMethodNotSupported in the
- result code of the BindResponse.
+ resultCode field of the BindResponse.
+ The simple form of an AuthenticationChoice specifies a simple
+ password to be used for authentication.
+ Textual passwords (consisting of a character sequence with a known
+ character set and encoding) SHALL be transferred as [UTF-8]
+ encoded [Unicode]. The determination of whether a password is
+ textual is a local client matter.
+ Prior to transfer, clients SHOULD prepare text passwords by
+ applying the [SASLprep] profile of the [Stringprep] algorithm.
+ Passwords consisting of other data (such as random octets) MUST
+ NOT be altered.
+
+
+Sermersheim Internet-Draft - Expires Jun 2004 Page 13 \f
+ Lightweight Directory Access Protocol Version 3
+
Authorization is the use of this authentication information when
performing operations. Authorization MAY be affected by factors
- outside of the LDAP Bind Request, such as lower layer security
- services.
+ outside of the LDAP Bind Request, such as those provided by lower
+ layer security services.
4.2.1. Processing of the Bind Request
- Upon receipt of a BindRequest, the server MUST ensure there are no
- outstanding operations in progress on the connection (This simplifies
- server implementation). The server then proceeds to authenticate the
- client in either a single-step, or multi-step bind process. Each step
- requires the server to return a BindResponse to indicate the status
- of authentication.
+ Before processing a BindResponse, all outstanding operations MUST
+ either complete or be abandoned. The server may either wait for the
+ outstanding operations to complete, or abandon them. The server then
+ proceeds to authenticate the client in either a single-step, or
+ multi-step bind process. Each step requires the server to return a
+ BindResponse to indicate the status of authentication.
If the client did not bind before sending a request and receives an
- operationsError, it may then send a Bind Request. If this also fails
- or the client chooses not to bind on the existing connection, it may
- close the connection, reopen it and begin again by first sending a
- PDU with a Bind Request. This will aid in interoperating with servers
- implementing other versions of LDAP.
-
- Clients MAY send multiple Bind Requests on a connection to change
- their credentials. Authentication from earlier binds is subsequently
- ignored. A failed or abandoned Bind Operation has the effect of
- leaving the connection in an anonymous state. To arrive at a known
- authentication state after abandoning a bind operation, clients may
- unbind, rebind, or make use of the BindResponse. If a SASL transfer
- encryption or integrity mechanism has been negotiated, and that
- mechanism does not support the changing of credentials from one
- identity to another, then the client MUST instead establish a new
- connection.
+ operationsError to that request, it may then send a Bind Request. If
+ this also fails or the client chooses not to bind on the existing
+ connection, it may close the connection, reopen it and begin again by
+ first sending a PDU with a Bind Request. This will aid in
+ interoperating with servers implementing other versions of LDAP.
+ Clients may send multiple Bind Requests on a connection to change the
+ authentication and/or security associations or to complete a multi-
+ stage bind process. Authentication from earlier binds is subsequently
+ ignored.
+
For some SASL authentication mechanisms, it may be necessary for the
client to invoke the BindRequest multiple times. This is indicated by
-
-Sermersheim Internet-Draft - Expires Sep 2003 Page 13 \f
- Lightweight Directory Access Protocol Version 3
-
the server sending a BindResponse with the resultCode set to
saslBindInProgress. This indicates that the server requires the
client to send a new bind request, with the same sasl mechanism, to
abort a negotiation if it wishes to try again with the same SASL
mechanism.
+ A failed Bind Operation has the effect of leaving the connection in
+ an anonymous state. An abandoned Bind operation also has the effect
+ of leaving the connection in an anonymous state when (and if) the
+ server processes the abandonment of the bind. Client implementers
+ should note that the client has no way of being sure when (or if) an
+ abandon request succeeds, therefore, to arrive at a known
+ authentication state after abandoning a bind operation, clients may
+
+Sermersheim Internet-Draft - Expires Jun 2004 Page 14 \f
+ Lightweight Directory Access Protocol Version 3
+
+ either unbind (which results in the underlying connection being
+ closed) or by issuing a bind request and then examining the
+ BindResponse returned by the server.
4.2.2. Bind Response
status of the client's request for authentication.
A successful bind operation is indicated by a BindResponse with a
- resultCode set to success (0). Otherwise, an appropriate resultCode
- is set in the BindResponse. For bind, the protocolError (2)
- resultCode may be used to indicate that the version number supplied
- by the client is unsupported.
-
- If the server does not support the client's requested protocol
- version, it MUST set the resultCode to protocolError.
-
+ resultCode set to success. Otherwise, an appropriate result code is
+ set in the BindResponse. For bind, the protocolError result code may
+ be used to indicate that the version number supplied by the client is
+ unsupported.
+
If the client receives a BindResponse response where the resultCode
- was protocolError, it MUST close the connection as the server will be
- unwilling to accept further operations. (This is for compatibility
- with earlier versions of LDAP, in which the bind was always the first
- operation, and there was no negotiation.)
+ field is protocolError, it MUST close the connection as the server
+ will be unwilling to accept further operations. (This is for
+ compatibility with earlier versions of LDAP, in which the bind was
+ always the first operation, and there was no negotiation.)
The serverSaslCreds are used as part of a SASL-defined bind mechanism
to allow the client to authenticate the server to which it is
communicating, or to perform "challenge-response" authentication. If
the client bound with the simple choice, or the SASL mechanism does
not require the server to return information to the client, then this
- field is not to be included in the result.
+ field SHALL NOT be included in the BindResponse.
4.3. Unbind Operation
-
-Sermersheim Internet-Draft - Expires Sep 2003 Page 14 \f
- Lightweight Directory Access Protocol Version 3
-
- The function of the Unbind Operation is to terminate a protocol
- session. The Unbind Operation is defined as follows:
+ The function of the Unbind Operation is to terminate an LDAP
+ association and connection. The Unbind operation is not the
+ antithesis of the Bind operation as the name implies. The naming of
+ these operations is historical. The Unbind operation should be
+ thought of as the "quit" operation.
+
+ The Unbind Operation is defined as follows:
UnbindRequest ::= [APPLICATION 2] NULL
- The Unbind Operation has no response defined. Upon transmission of an
- UnbindRequest, a protocol client MUST assume that the protocol
- session is terminated. Upon receipt of an UnbindRequest, a protocol
- server MUST assume that the requesting client has terminated the
- session and that all outstanding requests may be discarded, and MUST
- close the connection.
+ The Unbind Operation has no response defined. Upon transmission of
+ the UnbindRequest, each protocol peer is to consider the LDAP
+ association terminated, MUST cease transmission of messages to the
+ other peer, and MUST close the connection. Any outstanding operations
+ on the server are, when possible, abandoned, and when not possible,
+ completed without transmission of the response.
+
+Sermersheim Internet-Draft - Expires Jun 2004 Page 15 \f
+ Lightweight Directory Access Protocol Version 3
+
4.4. Unsolicited Notification
any response to be returned from the client.
The unsolicited notification is structured as an LDAPMessage in which
- the messageID is 0 and protocolOp is of the extendedResp form. The
- responseName field of the ExtendedResponse is present. The LDAPOID
- value MUST be unique for this notification, and not be used in any
- other situation.
+ the messageID is zero and protocolOp is of the extendedResp form. The
+ responseName field of the ExtendedResponse always contains an LDAPOID
+ which is unique for this notification.
One unsolicited notification (Notice of Disconnection) is defined in
- this document.
+ this document. The specification of an unsolicited notification
+ consists of:
+
+ - the OBJECT IDENTIFIER assigned to the notification (to be
+ specified in the responseName,
+
+ - the format of the contents (if any) of the responseValue,
+
+ - the circumstances which will cause the notification to be
+ returned, and
+
+ - the semantics of the operation.
4.4.1. Notice of Disconnection
the server is about to close the connection due to an error
condition. Note that this notification is NOT a response to an unbind
requested by the client: the server MUST follow the procedures of
- section 4.3. This notification is intended to assist clients in
+ Section 4.3. This notification is intended to assist clients in
distinguishing between an error condition and a transient network
failure. As with a connection close due to network failure, the
client MUST NOT assume that any outstanding requests which modified
- the directory have succeeded or failed.
+ the Directory have succeeded or failed.
The responseName is 1.3.6.1.4.1.1466.20036, the response field is
absent, and the resultCode is used to indicate the reason for the
disconnection.
- The following resultCode values are to be used in this notification:
+ The following result codes have these meanings when used in this
+ notification:
- protocolError: The server has received data from the client in
which the LDAPMessage structure could not be parsed.
+ - strongAuthRequired: The server has detected that an established
+ security association between the client and server has
-Sermersheim Internet-Draft - Expires Sep 2003 Page 15 \f
+Sermersheim Internet-Draft - Expires Jun 2004 Page 16 \f
Lightweight Directory Access Protocol Version 3
- - strongAuthRequired: The server has detected that an established
- underlying security association protecting communication between
- the client and server has unexpectedly failed or been compromised.
+ unexpectedly failed or been compromised, or that the server now
+ requires the client to authenticate using a strong(er) mechanism.
- unavailable: This server will stop accepting new connections and
operations on all existing connections, and be unavailable for an
extended period of time. The client may make use of an alternative
server.
- After sending this notice, the server MUST close the connection.
- After receiving this notice, the client MUST NOT transmit any further
- on the connection, and may abruptly close the connection.
+ Upon transmission of the UnbindRequest, each protocol peer is to
+ consider the LDAP association terminated, MUST cease transmission of
+ messages to the other peer, and MUST close the connection.
4.5. Search Operation
- The Search Operation allows a client to request that a search be
- performed on its behalf by a server. This can be used to read
- attributes from a single entry, from entries immediately below a
- particular entry, or a whole subtree of entries.
+ The Search Operation is used to request a server to return, subject
+ to access controls and other restrictions, a set of entries matching
+ a complex search criterion. This can be used to read attributes from
+ a single entry, from entries immediately subordinate to a particular
+ entry, or a whole subtree of entries.
4.5.1. Search Request
The Search Request is defined as follows:
SearchRequest ::= [APPLICATION 3] SEQUENCE {
- baseObject LDAPDN,
- scope ENUMERATED {
- baseObject (0),
- singleLevel (1),
- wholeSubtree (2) },
- derefAliases ENUMERATED {
- neverDerefAliases (0),
- derefInSearching (1),
- derefFindingBaseObj (2),
- derefAlways (3) },
- sizeLimit INTEGER (0 .. maxInt),
- timeLimit INTEGER (0 .. maxInt),
- typesOnly BOOLEAN,
- filter Filter,
- attributes AttributeDescriptionList }
+ baseObject LDAPDN,
+ scope ENUMERATED {
+ baseObject (0),
+ singleLevel (1),
+ wholeSubtree (2) },
+ derefAliases ENUMERATED {
+ neverDerefAliases (0),
+ derefInSearching (1),
+ derefFindingBaseObj (2),
+ derefAlways (3) },
+ sizeLimit INTEGER (0 .. maxInt),
+ timeLimit INTEGER (0 .. maxInt),
+ typesOnly BOOLEAN,
+ filter Filter,
+ attributes AttributeSelection }
+
+ AttributeSelection ::= SEQUENCE OF selection LDAPString
+ -- constrained to <attributeSelection> below
Filter ::= CHOICE {
- and [0] SET SIZE (1..MAX) OF Filter,
- or [1] SET SIZE (1..MAX) OF Filter,
- not [2] Filter,
- equalityMatch [3] AttributeValueAssertion,
- substrings [4] SubstringFilter,
- greaterOrEqual [5] AttributeValueAssertion,
- lessOrEqual [6] AttributeValueAssertion,
- present [7] AttributeDescription,
- approxMatch [8] AttributeValueAssertion,
- extensibleMatch [9] MatchingRuleAssertion }
+ and [0] SET SIZE (1..MAX) OF filter Filter,
+ or [1] SET SIZE (1..MAX) OF filter Filter,
+ not [2] Filter,
+ equalityMatch [3] AttributeValueAssertion,
+ substrings [4] SubstringFilter,
+ greaterOrEqual [5] AttributeValueAssertion,
+ lessOrEqual [6] AttributeValueAssertion,
-Sermersheim Internet-Draft - Expires Sep 2003 Page 16 \f
+Sermersheim Internet-Draft - Expires Jun 2004 Page 17 \f
Lightweight Directory Access Protocol Version 3
+ present [7] AttributeDescription,
+ approxMatch [8] AttributeValueAssertion,
+ extensibleMatch [9] MatchingRuleAssertion }
SubstringFilter ::= SEQUENCE {
- type AttributeDescription,
- -- at least one must be present,
- -- initial and final can occur at most once
- substrings SEQUENCE OF CHOICE {
- initial [0] AssertionValue,
- any [1] AssertionValue,
- final [2] AssertionValue } }
+ type AttributeDescription,
+ -- at least one must be present,
+ -- initial and final can occur at most once
+ substrings SEQUENCE SIZE (1..MAX) OF substring CHOICE {
+ initial [0] AssertionValue,
+ any [1] AssertionValue,
+ final [2] AssertionValue } }
MatchingRuleAssertion ::= SEQUENCE {
- matchingRule [1] MatchingRuleId OPTIONAL,
- type [2] AttributeDescription OPTIONAL,
- matchValue [3] AssertionValue,
- dnAttributes [4] BOOLEAN DEFAULT FALSE }
+ matchingRule [1] MatchingRuleId OPTIONAL,
+ type [2] AttributeDescription OPTIONAL,
+ matchValue [3] AssertionValue,
+ dnAttributes [4] BOOLEAN DEFAULT FALSE }
Parameters of the Search Request are:
- - baseObject: An LDAPDN that is the base object entry relative to
- which the search is to be performed.
+ - baseObject: The name of the base object entry relative to which
+ the search is to be performed.
+
+ - scope: Specifies the scope of the search to be performed. The
+ semantics (as described in [X.511]) of the possible values of this
+ field are:
+
+ baseObject: The scope is constrained to the entry named by
+ baseObject.
+
+ oneLevel: The scope is constrained to the immediate
+ subordinates of the entry named by baseObject.
+
+ wholeSubtree: the scope is constrained to the entry named
+ by the baseObject, and all its subordinates.
- - scope: An indicator of the scope of the search to be performed.
- The semantics of the possible values of this field are identical
- to the semantics of the scope field in the X.511 Search Operation.
- derefAliases: An indicator as to how alias objects (as defined in
- X.501) are to be handled in searching. The semantics of the
+ [X.501]) are to be handled in searching. The semantics of the
possible values of this field are:
- neverDerefAliases: do not dereference aliases in searching
- or in locating the base object of the search;
-
- derefInSearching: dereference aliases in subordinates of
- the base object in searching, but not in locating the base
- object of the search;
-
- derefFindingBaseObj: dereference aliases in locating the
+ neverDerefAliases: Do not dereference aliases in searching
+ or in locating the base object of the search.
+
+ derefInSearching: While searching, dereference any alias
+ object subordinate to the base object which is also in the
+ search scope. The filter is applied to the dereferenced
+ object(s). If the search scope is wholeSubtree, the search
+ continues in the subtree of any dereferenced object.
+ Aliases in that subtree are also dereferenced. Servers
+ SHOULD detect looping in this process to prevent denial of
+ service attacks and duplicate entries.
+
+
+Sermersheim Internet-Draft - Expires Jun 2004 Page 18 \f
+ Lightweight Directory Access Protocol Version 3
+
+ derefFindingBaseObj: Dereference aliases in locating the
base object of the search, but not when searching
- subordinates of the base object;
+ subordinates of the base object.
- derefAlways: dereference aliases both in searching and in
+ derefAlways: Dereference aliases both in searching and in
locating the base object of the search.
- sizeLimit: A size limit that restricts the maximum number of
- entries to be returned as a result of the search. A value of 0 in
- this field indicates that no client-requested size limit
+ entries to be returned as a result of the search. A value of zero
+ in this field indicates that no client-requested size limit
restrictions are in effect for the search. Servers may enforce a
maximum number of entries to return.
- timeLimit: A time limit that restricts the maximum time (in
- seconds) allowed for a search. A value of 0 in this field
+ seconds) allowed for a search. A value of zero in this field
indicates that no client-requested time limit restrictions are in
- effect for the search.
+ effect for the search. Servers may enforce a maximum time limit
+ for the search.
-
-Sermersheim Internet-Draft - Expires Sep 2003 Page 17 \f
- Lightweight Directory Access Protocol Version 3
-
- - typesOnly: An indicator as to whether search results will contain
- both attribute descriptions and values, or just attribute
+ - typesOnly: An indicator as to whether search results are to
+ contain both attribute descriptions and values, or just attribute
descriptions. Setting this field to TRUE causes only attribute
descriptions (no values) to be returned. Setting this field to
FALSE causes both attribute descriptions and values to be
if the tag was explicit.)
A server MUST evaluate filters according to the three-valued logic
- of X.511 (1993) section 7.8.1. In summary, a filter is evaluated
+ of X.511 (1993) Section 7.8.1. In summary, a filter is evaluated
to either "TRUE", "FALSE" or "Undefined". If the filter evaluates
to TRUE for a particular entry, then the attributes of that entry
are returned as part of the search result (subject to any
is TRUE, and Undefined if it is Undefined.
The present match evaluates to TRUE where there is an attribute or
+
+Sermersheim Internet-Draft - Expires Jun 2004 Page 19 \f
+ Lightweight Directory Access Protocol Version 3
+
subtype of the specified attribute description present in an
entry, and FALSE otherwise (including a presence test with an
unrecognized attribute description.)
The matching rule for equalityMatch filter items is defined by the
EQUALITY matching rule for the attribute type.
- The matching rule and assertion syntax for AssertionValues in a
- substrings filter item is defined by the SUBSTR matching rule for
- the attribute type.
+ The matching rule for AssertionValues in a substrings filter item
+ is defined by the SUBSTR matching rule for the attribute type.
+ Note that the AssertionValue in a substrings filter item MUST
+ conform to the assertion syntax of the EQUALITY matching rule for
+ the attribute type rather than the assertion syntax of the SUBSTR
+ matching rule for the attribute type. The entire SubstringFilter
+ is converted into an assertion value of the substrings matching
+ rule prior to applying the rule.
The matching rule for greaterOrEqual and lessOrEqual filter items
is defined by the ORDERING matching rule for the attribute type.
- The matching rule for approxMatch filter items is implementation-
- defined. If approximate matching is not supported by the server,
- the filter item should be treated as an equalityMatch.
+ The approxMatch evaluates to TRUE when there is a value of the
+ attribute or subtype for which some locally-defined approximate
+ matching algorithm (e.g. spelling variations, phonetic match,
+ etc.) returns TRUE. If an item matches for equality, it also
+ satisfies an approximate match. If approximate matching is not
+ supported, this filter item should be treated as an equalityMatch.
+
+ An extensibleMatch is evaluated as follows:
+
- The extensibleMatch is new in this version of LDAP. If the
+ If the matchingRule field is absent, the type field MUST be
+ present, and an equality match is performed for that type.
+
+
+ If the type field is absent and the matchingRule is present, the
+ matchValue is compared against all attributes in an entry which
+ support that matchingRule. The matchingRule determines the
+ syntax for the assertion value. The filter item evaluates to
+ TRUE if it matches with at least one attribute in the entry,
+ FALSE if it does not match any attribute in the entry, and
+ Undefined if the matchingRule is not recognized or the
+ assertionValue is invalid.
+
+
+ If the type field is present and the matchingRule is present,
+ the matchValue is compared against entry attributes of the
+ specified type. In this case, the matchingRule MUST be one
+ suitable for use with the specified type (see [Syntaxes]),
+ otherwise the filter item is undefined.
+
+
+ If the dnAttributes field is set to TRUE, the match is
+ additionally applied against all the AttributeValueAssertions in
+ an entry's distinguished name, and evaluates to TRUE if there is
+ at least one attribute in the distinguished name for which the
+ filter item evaluates to TRUE. The dnAttributes field is present
+ to alleviate the need for multiple versions of generic matching
+ rules (such as word matching), where one applies to entries and
+
-Sermersheim Internet-Draft - Expires Sep 2003 Page 18 \f
+Sermersheim Internet-Draft - Expires Jun 2004 Page 20 \f
Lightweight Directory Access Protocol Version 3
- matchingRule field is absent, the type field MUST be present, and
- the equality match is performed for that type. If the type field
- is absent and matchingRule is present, the matchValue is compared
- against all attributes in an entry which support that
- matchingRule, and the matchingRule determines the syntax for the
- assertion value (the filter item evaluates to TRUE if it matches
- with at least one attribute in the entry, FALSE if it does not
- match any attribute in the entry, and Undefined if the
- matchingRule is not recognized or the assertionValue cannot be
- parsed.) If the type field is present and matchingRule is present,
- the matchingRule MUST be one permitted for use with that type,
- otherwise the filter item is undefined. If the dnAttributes field
- is set to TRUE, the match is applied against all the
- AttributeValueAssertions in an entry's distinguished name as well,
- and also evaluates to TRUE if there is at least one attribute in
- the distinguished name for which the filter item evaluates to
- TRUE. (Editors note: The dnAttributes field is present so that
- there does not need to be multiple versions of generic matching
- rules such as for word matching, one to apply to entries and
- another to apply to entries and dn attributes as well).
-
+ another applies to entries and dn attributes as well.
+
A filter item evaluates to Undefined when the server would not be
able to determine whether the assertion value matches an entry. If
an attribute description in an equalityMatch, substrings,
greaterOrEqual, lessOrEqual, approxMatch or extensibleMatch filter
is not recognized by the server, a matching rule id in the
extensibleMatch is not recognized by the server, the assertion
- value cannot be parsed, or the type of filtering requested is not
+ value is invalid, or the type of filtering requested is not
implemented, then the filter is Undefined. Thus for example if a
server did not recognize the attribute type shoeSize, a filter of
(shoeSize=*) would evaluate to FALSE, and the filters
Undefined.
Servers MUST NOT return errors if attribute descriptions or
- matching rule ids are not recognized, or assertion values cannot
- be parsed. More details of filter processing are given in section
- 7.8 of [X.511].
+ matching rule ids are not recognized, assertion values are
+ invalid, or the assertion syntax is not supported. More details of
+ filter processing are given in Section 7.8 of [X.511].
- attributes: A list of the attributes to be returned from each
- entry which matches the search filter. There are two special
- values which may be used: an empty list with no attributes, and
- the attribute description string "*". Both of these signify that
- all user attributes are to be returned. (The "*" allows the client
- to request all user attributes in addition to any specified
- operational attributes).
-
- Attributes MUST be named at most once in the list, and are
+ entry which matches the search filter. LDAPString values of this
+ field are constrained to the following Augmented Backus-Naur Form
+ [(ABNF)]:
+
+ attributeSelection = noattrs /
+ *( attributedescription / specialattr )
+
+ noattrs = %x31 %x2E %x31 ; "1.1"
+
+ specialattr = ASTERISK
+
+ ASTERISK = %x2A ; asterisk ("*")
+
+ <attributedescription> is defined in Section 2.5 of [Models].
+
+ There are two special values which may be used: an empty list with
+ no attributes, and the attribute description string "*". Both of
+ these signify that all user attributes are to be returned. (The
+ "*" allows the client to request all user attributes in addition
+ to any specified operational attributes). Client implementors
+ should note that even if all user attributes are requested, some
+ attributes and or attribute values of the entry may not be
+ included in search results due to access controls or other
+ restrictions. Furthermore, servers will not return operational
+ attributes, such as objectClasses or attributeTypes, unless they
+ are listed by name. Operational attributes are described in
+ [Models].
+
+ Attributes MUST NOT be named more than once in the list, and are
returned at most once in an entry. If there are attribute
descriptions in the list which are not recognized, they are
ignored by the server.
- If the client does not want any attributes returned, it can
- specify a list containing only the attribute with OID "1.1". This
-Sermersheim Internet-Draft - Expires Sep 2003 Page 19 \f
+Sermersheim Internet-Draft - Expires Jun 2004 Page 21 \f
Lightweight Directory Access Protocol Version 3
- OID was chosen arbitrarily and does not correspond to any
+ If the client does not want any attributes returned, it can
+ specify a list containing only the attribute with OID "1.1". This
+ OID was chosen because it does not (and can not) correspond to any
attribute in use.
-
- Client implementors should note that even if all user attributes
- are requested, some attributes of the entry may not be included in
- search results due to access controls or other restrictions.
- Furthermore, servers will not return operational attributes, such
- as objectClasses or attributeTypes, unless they are listed by
- name, since there may be extremely large number of values for
- certain operational attributes. (A list of operational attributes
- for use in LDAP is given in [Syntaxes].)
Note that an X.500 "list"-like operation can be emulated by the
client requesting a one-level LDAP search operation with a filter
4.5.2. Search Result
- The results of the search attempted by the server upon receipt of a
- Search Request are returned in Search Responses, which are LDAP
- messages containing either SearchResultEntry, SearchResultReference,
- or SearchResultDone data types.
+ The results of the search operation are returned as zero or more
+ searchResultEntry messages, zero or more SearchResultReference
+ messages, followed by a single searchResultDone message.
SearchResultEntry ::= [APPLICATION 4] SEQUENCE {
- objectName LDAPDN,
- attributes PartialAttributeList }
+ objectName LDAPDN,
+ attributes PartialAttributeList }
- PartialAttributeList ::= SEQUENCE OF SEQUENCE {
- type AttributeDescription,
- vals SET OF AttributeValue }
- -- implementors should note that the PartialAttributeList may
- -- have zero elements (if none of the attributes of that entry
- -- were requested, or could be returned), and that the vals set
- -- may also have zero elements (if types only was requested, or
- -- all values were excluded from the result.)
+ PartialAttributeList ::= SEQUENCE OF
+ partialAttribute PartialAttribute
+ -- Note that the PartialAttributeList may hold zero elements.
+ -- This may happen when none of the attributes of an entry
+ -- were requested, or could be returned.
+ -- Note also that the partialAttribute vals set may hold zero
+ -- elements. This may happen when typesOnly is requested, access
+ -- controls prevent the return of values, or other reasons.
- SearchResultReference ::= [APPLICATION 19] SEQUENCE OF LDAPURL
- -- at least one LDAPURL element must be present
+ SearchResultReference ::= [APPLICATION 19] SEQUENCE
+ SIZE (1..MAX) OF uri URI
SearchResultDone ::= [APPLICATION 5] LDAPResult
- Upon receipt of a Search Request, a server will perform the necessary
- search of the DIT.
-
- If the LDAP session is operating over a connection-oriented transport
- such as TCP, the server will return to the client a sequence of
- responses in separate LDAP messages. There may be zero or more
- responses containing SearchResultEntry, one for each entry found
-
-Sermersheim Internet-Draft - Expires Sep 2003 Page 20 \f
- Lightweight Directory Access Protocol Version 3
-
- during the search. There may also be zero or more responses
- containing SearchResultReference, one for each area not explored by
- this server during the search. The SearchResultEntry and
- SearchResultReference PDUs may come in any order. Following all the
- SearchResultReference responses and all SearchResultEntry responses
- to be returned by the server, the server will return a response
- containing the SearchResultDone, which contains an indication of
- success, or detailing any errors that have occurred.
+ Each SearchResultEntry represents an entry found during the search.
+ Each SearchResultReference represents an area not yet explored during
+ the search. The SearchResultEntry and SearchResultReference PDUs may
+ come in any order. Following all the SearchResultReference and
+ SearchResultEntry responses, the server returns a SearchResultDone
+ response, which contains an indication of success, or detailing any
+ errors that have occurred.
Each entry returned in a SearchResultEntry will contain all
appropriate attributes as specified in the attributes field of the
Some attributes may be constructed by the server and appear in a
SearchResultEntry attribute list, although they are not stored
+
+Sermersheim Internet-Draft - Expires Jun 2004 Page 22 \f
+ Lightweight Directory Access Protocol Version 3
+
attributes of an entry. Clients SHOULD NOT assume that all attributes
can be modified, even if permitted by access control.
- If the server's schema defines a textual name for an attribute type,
- it MUST use a textual name for attributes of that attribute type by
- specifying one of the textual names as the value of the attribute
- type. Otherwise, the server uses the object identifier for the
- attribute type by specifying the object identifier, in ldapOID form,
- as the value of attribute type.
+ If the server's schema defines short names [Models] for an attribute
+ type then the server SHOULD use one of those names in attribute
+ descriptions for that attribute type (in preference to using the
+ <numericoid> [Models] format of the attribute type's object
+ identifier). The server SHOULD NOT use the short name if that name is
+ known by the server to be ambiguous, or otherwise likely to cause
+ interoperability problems.
4.5.3. Continuation References in the Search Result
If the server was able to locate the entry referred to by the
baseObject but was unable to search all the entries in the scope at
- and under the baseObject, the server may return one or more
+ and subordinate to the baseObject, the server may return one or more
SearchResultReference entries, each containing a reference to another
set of servers for continuing the operation. A server MUST NOT return
any SearchResultReference if it has not located the baseObject and
thus has not searched any entries; in this case it would return a
- SearchResultDone containing a referral resultCode.
+ SearchResultDone containing a referral result code.
If a server holds a copy or partial copy of the subordinate naming
context, it may use the search filter to determine whether or not to
return a SearchResultReference response. Otherwise
SearchResultReference responses are always returned when in scope.
- The SearchResultReference is of the same data type as the Referral.
- URLs for servers implementing the LDAP protocol are written according
- to [LDAPURL]. The <dn> part MUST be present in the URL, with the new
- target object name. The client MUST use this name in its next
- request. Some servers (e.g. part of a distributed index exchange
- system) may provide a different filter in the URLs of the
- SearchResultReference. If the filter part of the URL is present in an
- LDAP URL, the client MUST use the new filter in its next request to
- progress the search, and if the filter part is absent the client will
- use again the same filter. If the originating search scope was
- singleLevel, the scope part of the URL will be baseObject. Other
-
-Sermersheim Internet-Draft - Expires Sep 2003 Page 21 \f
- Lightweight Directory Access Protocol Version 3
-
- aspects of the new search request may be the same or different as the
- search which generated the continuation references.
- Other kinds of URLs may be returned so long as the operation could be
- performed using that protocol.
+ The SearchResultReference is of the same data type as the Referral.
- The name of an unexplored subtree in a SearchResultReference need not
- be subordinate to the base object.
+ A URI for a server implementing LDAP and accessible via [TCP]/[IP]
+ (v4 or v6) is written as an LDAP URL according to [LDAPURL].
- In order to complete the search, the client MUST issue a new search
+ In order to complete the search, the client issues a new search
operation for each SearchResultReference that is returned. Note that
- the abandon operation described in section 4.11 applies only to a
- particular operation sent on a connection between a client and
- server, and if the client has multiple outstanding search operations,
- it MUST abandon each operation individually.
-
+ the abandon operation described in Section 4.11 applies only to a
+ particular operation sent on an association between a client and
+ server. The client must abandon subsequent search operations it
+ wishes to individually.
+
+ Clients that follow search continuation references MUST ensure that
+ they do not loop between servers. They MUST NOT repeatedly contact
+ the same server for the same request with the same target entry name,
+ scope and filter. Some clients use a counter that is incremented each
+ time search result reference handling occurs for an operation, and
+ these kinds of clients MUST be able to handle at least ten nested
+ search result references between the root and a leaf entry.
+
+ When an LDAP URL is used, the following instructions are followed:
+ - The <dn> part of the URL MUST be present, with the new target
+ object name. The client MUST use this name when following the
+ referral. Note that UTF-8 characters appearing in a DN or search
+ filter may not be legal for URLs (e.g. spaces) and MUST be
+ escaped using the % method in [URI].
+
+Sermersheim Internet-Draft - Expires Jun 2004 Page 23 \f
+ Lightweight Directory Access Protocol Version 3
+
+ - It is RECOMMENDED that the <dn> part be present to avoid
+ ambiguity.
+ - Some servers (e.g. participating in distributed indexing) may
+ provide a different filter in a URL of a SearchResultReference.
+ - If the <filter> part of the URL is present, the client MUST use
+ this filter in its next request to progress this search, and if
+ it is not present the client MUST use the same filter as it used
+ for that search.
+ - If the originating search scope was singleLevel, the <scope>
+ part of the URL will be "base".
+ - it is RECOMMENDED that the <scope> part be present to avoid
+ ambiguity.
+ - If the <scope> part is missing, the scope of the original search
+ is used by the client to progress the operation.
+ - Other aspects of the new search request may be the same as or
+ different from the search request which generated the
+ SearchResultReference.
+ - The name of an unexplored subtree in a SearchResultReference
+ need not be subordinate to the base object.
+
+ Other kinds of URIs may be returned. The syntax and semantics of such
+ URIs is left to future specifications. Clients ignore URIs that they
+ do not support.
+
4.5.3.1. Example
SearchResultEntry for DC=Example,DC=NET
SearchResultEntry for CN=Manager,DC=Example,DC=NET
SearchResultReference {
- ldap://hostb/OU=People,DC=Example,DC=NET
- ldap://hostc/OU=People,DC=Example,DC=NET
- }
+ ldap://hostb/OU=People,DC=Example,DC=NET??sub
+ ldap://hostc/OU=People,DC=Example,DC=NET??sub }
SearchResultReference {
- ldap://hostd/OU=Roles,DC=Example,DC=NET
- }
+ ldap://hostd/OU=Roles,DC=Example,DC=NET??sub }
SearchResultDone (success)
Client implementors should note that when following a
SearchResultEntry for OU=People,DC=Example,DC=NET
SearchResultReference {
- ldap://hoste/OU=Managers,OU=People,DC=Example,DC=NET
- }
- SearchResultReference {
- ldap://hostf/OU=Consultants,OU=People,DC=Example,DC=NET
- }
- SearchResultDone (success)
-
-
+ ldap://hoste/OU=Managers,OU=People,DC=Example,DC=NET??sub }
-Sermersheim Internet-Draft - Expires Sep 2003 Page 22 \f
+Sermersheim Internet-Draft - Expires Jun 2004 Page 24 \f
Lightweight Directory Access Protocol Version 3
+ SearchResultReference {
+ ldap://hostf/OU=Consultants,OU=People,DC=Example,DC=NET??sub }
+ SearchResultDone (success)
+
If the contacted server does not hold the base object for the search,
then it will return a referral to the client. For example, if the
client requests a subtree search of "DC=Example,DC=ORG" to hosta, the
server may return only a SearchResultDone containing a referral.
SearchResultDone (referral) {
- ldap://hostg/DC=Example,DC=ORG??sub
- }
+ ldap://hostg/DC=Example,DC=ORG??sub }
4.6. Modify Operation
Request is defined as follows:
ModifyRequest ::= [APPLICATION 6] SEQUENCE {
- object LDAPDN,
- modification SEQUENCE OF SEQUENCE {
- operation ENUMERATED {
- add (0),
- delete (1),
- replace (2) },
- modification AttributeTypeAndValues } }
-
- AttributeTypeAndValues ::= SEQUENCE {
- type AttributeDescription,
- vals SET OF AttributeValue }
-
+ object LDAPDN,
+ changes SEQUENCE OF change SEQUENCE {
+ operation ENUMERATED {
+ add (0),
+ delete (1),
+ replace (2) },
+ modification PartialAttribute } }
+
Parameters of the Modify Request are:
- - object: The object to be modified. The value of this field
- contains the DN of the entry to be modified. The server will not
- perform any alias dereferencing in determining the object to be
- modified.
+ - object: The name of the object to be modified. The value of this
+ field contains the DN of the entry to be modified. The server
+ SHALL NOT perform any alias dereferencing in determining the
+ object to be modified.
- - modification: A list of modifications to be performed on the
- entry. The entire list of entry modifications MUST be performed in
- the order they are listed, as a single atomic operation. While
- individual modifications may violate the directory schema, the
+ - changes: A list of modifications to be performed on the entry. The
+ entire list of modifications MUST be performed in the order they
+ are listed, as a single atomic operation. While individual
+ modifications may violate certain aspects of the directory schema
+ (such as the object class definition and DIT content rule), the
resulting entry after the entire list of modifications is
performed MUST conform to the requirements of the directory
- schema. The values that may be taken on by the 'operation' field
- in each modification construct have the following semantics
- respectively:
+ schema.
- add: add values listed to the given attribute, creating the
- attribute if necessary;
+ - operation: Used to specify the type of modification being
+ performed. Each operation type acts on the following
+ modification. The values of this field have the following
+ semantics respectively:
- delete: delete values listed from the given attribute,
- removing the entire attribute if no values are listed, or
- if all current values of the attribute are listed for
- deletion;
+ add: add values listed to the modification attribute,
+ creating the attribute if necessary;
+ delete: delete values listed from the modification
+ attribute, removing the entire attribute if no values are
-Sermersheim Internet-Draft - Expires Sep 2003 Page 23 \f
+Sermersheim Internet-Draft - Expires Jun 2004 Page 25 \f
Lightweight Directory Access Protocol Version 3
- replace: replace all existing values of the given attribute
- with the new values listed, creating the attribute if it
- did not already exist. A replace with no value will delete
- the entire attribute if it exists, and is ignored if the
- attribute does not exist.
+ listed, or if all current values of the attribute are
+ listed for deletion;
- The result of the modification attempted by the server upon receipt
- of a Modify Request is returned in a Modify Response, defined as
- follows:
+ replace: replace all existing values of the modification
+ attribute with the new values listed, creating the
+ attribute if it did not already exist. A replace with no
+ value will delete the entire attribute if it exists, and is
+ ignored if the attribute does not exist.
- ModifyResponse ::= [APPLICATION 7] LDAPResult
+ - modification: A PartialAttribute (which may have an empty SET of
+ vals) used to hold the attribute type or attribute type and
+ values being modified.
+
+ Upon receipt of a Modify Request, the server attempts to perform the
+ necessary modifications to the DIT and returns the result in a Modify
+ Response, defined as follows:
- Upon receipt of a Modify Request, a server will perform the necessary
- modifications to the DIT.
+ ModifyResponse ::= [APPLICATION 7] LDAPResult
The server will return to the client a single Modify Response
indicating either the successful completion of the DIT modification,
the DIT have been performed if the Modify Response received indicates
any sort of error, and that all requested modifications have been
performed if the Modify Response indicates successful completion of
- the Modify Operation. If the connection fails, whether the
- modification occurred or not is indeterminate.
+ the Modify Operation. If the association changes or the connection
+ fails, whether the modification occurred or not is indeterminate.
The Modify Operation cannot be used to remove from an entry any of
- its distinguished values, those values which form the entry's
+ its distinguished values, i.e. those values which form the entry's
relative distinguished name. An attempt to do so will result in the
- server returning the error notAllowedOnRDN. The Modify DN Operation
- described in section 4.9 is used to rename an entry.
+ server returning the notAllowedOnRDN result code. The Modify DN
+ Operation described in Section 4.9 is used to rename an entry.
Note that due to the simplifications made in LDAP, there is not a
- direct mapping of the modifications in an LDAP ModifyRequest onto the
- EntryModifications of a DAP ModifyEntry operation, and different
- implementations of LDAP-DAP gateways may use different means of
- representing the change. If successful, the final effect of the
- operations on the entry MUST be identical.
+ direct mapping of the changes in an LDAP ModifyRequest onto the
+ changes of a DAP ModifyEntry operation, and different implementations
+ of LDAP-DAP gateways may use different means of representing the
+ change. If successful, the final effect of the operations on the
+ entry MUST be identical.
4.7. Add Operation
The Add Operation allows a client to request the addition of an entry
- into the directory. The Add Request is defined as follows:
+ into the Directory. The Add Request is defined as follows:
AddRequest ::= [APPLICATION 8] SEQUENCE {
- entry LDAPDN,
- attributes AttributeList }
-
- AttributeList ::= SEQUENCE OF SEQUENCE {
- type AttributeDescription,
- vals SET OF AttributeValue }
+ entry LDAPDN,
+ attributes AttributeList }
- Parameters of the Add Request are:
+ AttributeList ::= SEQUENCE OF attribute Attribute
-Sermersheim Internet-Draft - Expires Sep 2003 Page 24 \f
+Sermersheim Internet-Draft - Expires Jun 2004 Page 26 \f
Lightweight Directory Access Protocol Version 3
- - entry: the Distinguished Name of the entry to be added. Note that
- the server will not dereference any aliases in locating the entry
- to be added.
+ Parameters of the Add Request are:
+
+ - entry: the name of the entry to be added. Note that the server
+ SHALL NOT dereference any aliases in locating the entry to be
+ added.
- attributes: the list of attributes that make up the content of the
entry being added. Clients MUST include distinguished values
since the server maintains these automatically.
The entry named in the entry field of the AddRequest MUST NOT exist
- for the AddRequest to succeed. The parent of the object and alias
- entries to be added MUST exist. For example, if the client attempted
- to add "CN=JS,DC=Example,DC=NET", the "DC=Example,DC=NET" entry did
- not exist, and the "DC=NET" entry did exist, then the server would
- return the error noSuchObject with the matchedDN field containing
- "DC=NET". If the parent entry exists but is not in a naming context
- held by the server, the server SHOULD return a referral to the server
- holding the parent entry.
+ for the AddRequest to succeed. The immediate superior (parent) of an
+ object or alias entry to be added MUST exist. For example, if the
+ client attempted to add "CN=JS,DC=Example,DC=NET", the
+ "DC=Example,DC=NET" entry did not exist, and the "DC=NET" entry did
+ exist, then the server would return the noSuchObject result code with
+ the matchedDN field containing "DC=NET". If the parent entry exists
+ but is not in a naming context held by the server, the server SHOULD
+ return a referral to the server holding the parent entry.
Server implementations SHOULD NOT restrict where entries can be
- located in the directory unless DIT structure rules are in place.
- Some servers MAY allow the administrator to restrict the classes of
- entries which can be added to the directory.
+ located in the Directory unless DIT structure rules are in place.
+ Some servers allow the administrator to restrict the classes of
+ entries which can be added to the Directory.
Upon receipt of an Add Request, a server will attempt to add the
requested entry. The result of the add attempt will be returned to
AddResponse ::= [APPLICATION 9] LDAPResult
A response of success indicates that the new entry is present in the
- directory.
+ Directory.
4.8. Delete Operation
The Delete Operation allows a client to request the removal of an
- entry from the directory. The Delete Request is defined as follows:
+ entry from the Directory. The Delete Request is defined as follows:
DelRequest ::= [APPLICATION 10] LDAPDN
- The Delete Request consists of the Distinguished Name of the entry to
- be deleted. Note that the server will not dereference aliases while
- resolving the name of the target entry to be removed, and that only
- leaf entries (those with no subordinate entries) can be deleted with
- this operation.
+ The Delete Request consists of the name of the entry to be deleted.
+ The server SHALL NOT dereference aliases while resolving the name of
+ the target entry to be removed.
+
+ Only leaf entries (those with no subordinate entries) can be deleted
+ with this operation.
- The result of the delete attempted by the server upon receipt of a
- Delete Request is returned in the Delete Response, defined as
- follows:
-Sermersheim Internet-Draft - Expires Sep 2003 Page 25 \f
+Sermersheim Internet-Draft - Expires Jun 2004 Page 27 \f
Lightweight Directory Access Protocol Version 3
+ Upon receipt of a Delete Request, a server will attempt to perform
+ the entry removal requested and return the result in the Delete
+ Response defined as follows:
DelResponse ::= [APPLICATION 11] LDAPResult
- Upon receipt of a Delete Request, a server will attempt to perform
- the entry removal requested. The result of the delete attempt will be
- returned to the client in the Delete Response.
-
4.9. Modify DN Operation
- The Modify DN Operation allows a client to change the leftmost (least
- significant) component of the name of an entry in the directory,
- and/or to move a subtree of entries to a new location in the
- directory. The Modify DN Request is defined as follows:
+ The Modify DN Operation allows a client to change the Relative
+ Distinguished Name (RDN) of an entry in the Directory, and/or to move
+ a subtree of entries to a new location in the Directory. The Modify
+ DN Request is defined as follows:
ModifyDNRequest ::= [APPLICATION 12] SEQUENCE {
- entry LDAPDN,
- newrdn RelativeLDAPDN,
- deleteoldrdn BOOLEAN,
- newSuperior [0] LDAPDN OPTIONAL }
+ entry LDAPDN,
+ newrdn RelativeLDAPDN,
+ deleteoldrdn BOOLEAN,
+ newSuperior [0] LDAPDN OPTIONAL }
Parameters of the Modify DN Request are:
- - entry: the Distinguished Name of the entry to be changed. This
- entry may or may not have subordinate entries. Note that the
- server will not dereference any aliases in locating the entry to
- be changed.
+ - entry: the name of the entry to be changed. This entry may or may
+ not have subordinate entries. Note that the server SHALL NOT
+ dereference any aliases in locating the entry to be changed.
- - newrdn: the RDN that will form the leftmost component of the new
- name of the entry.
+ - newrdn: the new RDN of the entry.
- deleteoldrdn: a boolean parameter that controls whether the old
RDN attribute values are to be retained as attributes of the
entry, or deleted from the entry.
- - newSuperior: if present, this is the Distinguished Name of an
- existing object entry which becomes the immediate superior of the
+ - newSuperior: if present, this is the name of an existing object
+ entry which becomes the immediate superior (parent) of the
existing entry.
- The result of the name change attempted by the server upon receipt of
- a Modify DN Request is returned in the Modify DN Response, defined as
- follows:
+ Upon receipt of a ModifyDNRequest, a server will attempt to perform
+ the name change and return the result in the Modify DN Response,
+ defined as follows:
ModifyDNResponse ::= [APPLICATION 13] LDAPResult
- Upon receipt of a ModifyDNRequest, a server will attempt to perform
- the name change. The result of the name change attempt will be
- returned to the client in the Modify DN Response.
-
For example, if the entry named in the "entry" parameter was "cn=John
Smith,c=US", the newrdn parameter was "cn=John Cougar Smith", and the
newSuperior parameter was absent, then this operation would attempt
to rename the entry to be "cn=John Cougar Smith,c=US". If there was
-
+ already an entry with that name, the operation would fail with the
+ entryAlreadyExists result code.
+
+ The object named in newSuperior MUST exist. For example, if the
+ client attempted to add "CN=JS,DC=Example,DC=NET", the
+ "DC=Example,DC=NET" entry did not exist, and the "DC=NET" entry did
+ exist, then the server would return the noSuchObject result code with
+ the matchedDN field containing "DC=NET".
-Sermersheim Internet-Draft - Expires Sep 2003 Page 26 \f
+Sermersheim Internet-Draft - Expires Jun 2004 Page 28 \f
Lightweight Directory Access Protocol Version 3
- already an entry with that name, the operation would fail with error
- code entryAlreadyExists.
-
+
If the deleteoldrdn parameter is TRUE, the values forming the old RDN
are deleted from the entry. If the deleteoldrdn parameter is FALSE,
the values forming the old RDN will be retained as non-distinguished
- attribute values of the entry. The server may not perform the
- operation and return an error code if the setting of the deleteoldrdn
+ attribute values of the entry. The server MUST fail the operation and
+ return an error in the result code if the setting of the deleteoldrdn
parameter would cause a schema inconsistency in the entry.
Note that X.500 restricts the ModifyDN operation to only affect
entries that are contained within a single server. If the LDAP server
is mapped onto DAP, then this restriction will apply, and the
- resultCode affectsMultipleDSAs will be returned if this error
- occurred. In general clients MUST NOT expect to be able to perform
- arbitrary movements of entries and subtrees between servers.
+ affectsMultipleDSAs result code will be returned if this error
+ occurred. In general, clients MUST NOT expect to be able to perform
+ arbitrary movements of entries and subtrees between servers or
+ between naming contexts.
4.10. Compare Operation
The Compare Operation allows a client to compare an assertion
- provided with an entry in the directory. The Compare Request is
+ provided with an entry in the Directory. The Compare Request is
defined as follows:
CompareRequest ::= [APPLICATION 14] SEQUENCE {
- entry LDAPDN,
- ava AttributeValueAssertion }
+ entry LDAPDN,
+ ava AttributeValueAssertion }
Parameters of the Compare Request are:
- - entry: the name of the entry to be compared with. Note that the
- server SHOULD NOT dereference any aliases in locating the entry to
- be compared with.
+ - entry: the name of the entry to be compared. Note that the server
+ SHALL NOT dereference any aliases in locating the entry to be
+ compared.
- ava: the assertion with which an attribute in the entry is to be
compared.
- The result of the compare attempted by the server upon receipt of a
- Compare Request is returned in the Compare Response, defined as
- follows:
+ Upon receipt of a Compare Request, a server will attempt to perform
+ the requested comparison using the EQUALITY matching rule for the
+ attribute type and return the result in the Compare Response, defined
+ as follows:
CompareResponse ::= [APPLICATION 15] LDAPResult
- Upon receipt of a Compare Request, a server will attempt to perform
- the requested comparison using the EQUALITY matching rule for the
- attribute type. The result of the comparison will be returned to the
- client in the Compare Response. Note that errors and the result of
- comparison are all returned in the same construct.
+ In the event that the attribute or subtype is not present in the
+ entry, the resultCode field is set to noSuchAttribute. If the
+ attribute is unknown, the resultCode is set to
+ undefinedAttributeType. Note that errors and the result of comparison
+ are all returned in the same construct.
Note that some directory systems may establish access controls which
permit the values of certain attributes (such as userPassword) to be
-Sermersheim Internet-Draft - Expires Sep 2003 Page 27 \f
+Sermersheim Internet-Draft - Expires Jun 2004 Page 29 \f
Lightweight Directory Access Protocol Version 3
4.11. Abandon Operation
AbandonRequest ::= [APPLICATION 16] MessageID
The MessageID MUST be that of an operation which was requested
- earlier in this connection. The abandon request itself has its own
- message id. This is distinct from the id of the earlier operation
+ earlier in this LDAP association. The abandon request itself has its
+ own message id. This is distinct from the id of the earlier operation
being abandoned.
- There is no response defined in the Abandon Operation. Upon
- transmission of an Abandon Operation, the server MAY abandon the
- operation identified by the Message ID in the Abandon Request.
- Operation responses are not sent for successfully abandoned
- operations. Clients can determine that an operation has been
- abandoned by performing a subsequent bind operation.
+ There is no response defined in the Abandon operation. Upon receipt
+ of an AbandonRequest, the server MAY abandon the operation identified
+ by the MessageID. Operation responses are not sent for successfully
+ abandoned operations, thus the application of the Abandon operation
+ is limited to uses where the client does not require an indication of
+ its outcome.
Abandon and Unbind operations cannot be abandoned. The ability to
abandon other (particularly update) operations is at the discretion
4.12. Extended Operation
- An extension mechanism has been added in this version of LDAP, in
- order to allow additional operations to be defined for services not
- available elsewhere in this protocol, for instance digitally signed
- operations and results.
+ The extended operation allows additional operations to be defined for
+ services not already available in the protocol. For example, to add
+ operations to install transport layer security (see Section 4.13).
The extended operation allows clients to make requests and receive
responses with predefined syntaxes and semantics. These may be
- defined in RFCs or be private to particular implementations. Each
- request MUST have a unique OBJECT IDENTIFIER assigned to it.
+ defined in RFCs or be private to particular implementations.
+
+ Each extended operation consists of an extended request and an
+ extended response.
- ExtendedRequest ::= [APPLICATION 23] SEQUENCE {
-Sermersheim Internet-Draft - Expires Sep 2003 Page 28 \f
+Sermersheim Internet-Draft - Expires Jun 2004 Page 30 \f
Lightweight Directory Access Protocol Version 3
- requestName [0] LDAPOID,
- requestValue [1] OCTET STRING OPTIONAL }
+ ExtendedRequest ::= [APPLICATION 23] SEQUENCE {
+ requestName [0] LDAPOID,
+ requestValue [1] OCTET STRING OPTIONAL }
- The requestName is a dotted-decimal representation of the OBJECT
- IDENTIFIER corresponding to the request. The requestValue is
+ The requestName is a dotted-decimal representation of the unique
+ OBJECT IDENTIFIER corresponding to the request. The requestValue is
information in a form defined by that request, encapsulated inside an
OCTET STRING.
ExtendedResponse.
ExtendedResponse ::= [APPLICATION 24] SEQUENCE {
- COMPONENTS OF LDAPResult,
- responseName [10] LDAPOID OPTIONAL,
- response [11] OCTET STRING OPTIONAL }
+ COMPONENTS OF LDAPResult,
+ responseName [10] LDAPOID OPTIONAL,
+ responseValue [11] OCTET STRING OPTIONAL }
+
+ The responseName is typically not required to be present as the
+ syntax and semantics of the response (including the format of the
+ responseValue) is implicitly known and associated with the request by
+ the messageID.
+
+ If the requestName is not recognized by the server, the server MUST
+ NOT provide a responseName nor a responseValue and MUST return a
+ resultCode of protocolError.
+
+ The requestValue and responseValue fields contain any information
+ associated with the operation. The format of these fields is defined
+ by the specification of the extended operation. Implementations MUST
+ be prepared to handle arbitrary contents of these fields, including
+ zero bytes. Values that are defined in terms of ASN.1 and BER encoded
+ according to Section 5.1, also follow the extensibility rules in
+ Section 4.
+
+ It is RECOMMENDED that servers list the requestName of extended
+ operations they support in the supportedExtension attribute [Models]
+ of the root DSE.
+
+ Extended operations may be specified in other documents. The
+ specification of an extended operation consists of:
+
+ - the OBJECT IDENTIFIER assigned to the requestName (and possibly
+ responseName),
- If the server does not recognize the request name, it MUST return
- only the response fields from LDAPResult, containing the
- protocolError result code.
+ - the format of the contents of the requestValue and responseValue
+ (if any),
-4.13. Start TLS Operation
+ - the semantics of the operation,
+
+4.13. StartTLS Operation
+
+
+
+
+Sermersheim Internet-Draft - Expires Jun 2004 Page 31 \f
+ Lightweight Directory Access Protocol Version 3
+
The Start Transport Layer Security (StartTLS) operation provides the
- ability to establish Transport Layer Security [RFC2246] on an LDAP
- connection.
+ ability to establish Transport Layer Security ([TLS]) on an LDAP
+ connection. The StartTLS operation is defined using the extended
+ operation mechanism described in Section 4.12.
-4.13.1. Start TLS Request
+4.13.1. StartTLS Request
- A client requests TLS establishment by transmitting a Start TLS
- request PDU to the server. The Start TLS request is defined in terms
+ A client requests TLS establishment by transmitting a StartTLS
+ request PDU to the server. The StartTLS request is defined in terms
of an ExtendedRequest. The requestName is "1.3.6.1.4.1.1466.20037",
- and the requestValue field is absent.
+ and the requestValue field is always absent.
The client MUST NOT send any PDUs on this connection following this
- request until it receives a Start TLS extended response.
+ request until it receives a StartTLS extended response.
-4.13.2. Start TLS Response
+4.13.2. StartTLS Response
- When a Start TLS request is made, servers supporting the operation
- MUST return a Start TLS response PDU to the requestor. The Start TLS
+ When a StartTLS request is made, servers supporting the operation
+ MUST return a StartTLS response PDU to the requestor. The StartTLS
response responseName is also "1.3.6.1.4.1.1466.20037", and the
response field is absent.
The server MUST set the resultCode field to either success or one of
- the other values outlined in section 4.13.2.2.
+ the other values outlined in Section 4.13.2.2.
4.13.2.1. "Success" Response
- If the Start TLS Response contains a resultCode of success, this
+ If the StartTLS Response contains a result code of success, this
indicates that the server is willing and able to negotiate TLS. Refer
- to section 5.3 of [AuthMeth] for details.
+ to Section 5.3 of [AuthMeth] for details.
4.13.2.2. Response other than "success"
-
-Sermersheim Internet-Draft - Expires Sep 2003 Page 29 \f
- Lightweight Directory Access Protocol Version 3
-
- If the ExtendedResponse contains a resultCode other than success,
+ If the ExtendedResponse contains a result code other than success,
this indicates that the server is unwilling or unable to negotiate
- TLS.
-
- If the Start TLS extended request was not successful, the resultCode
- will be one of:
-
- operationsError (operations sequencing incorrect; e.g. TLS already
- established)
+ TLS. The following result codes have these meanings for this
+ operation:
- protocolError (TLS not supported or incorrect PDU structure)
+ - operationsError: operations sequencing incorrect; e.g. TLS is
+ already established.
- referral (this server doesn't do TLS, try this one)
+ - protocolError: TLS is not supported or incorrect PDU structure.
- unavailable (e.g. some major problem with TLS, or server is
- shutting down)
+ - unavailable: Some major problem with TLS, or the server is
+ shutting down.
The server MUST return operationsError if the client violates any of
- the Start TLS extended operation sequencing requirements described in
- section 5.3 of [AuthMeth].
+ the StartTLS extended operation sequencing requirements described in
+ Section 5.3 of [AuthMeth].
If the server does not support TLS (whether by design or by current
- configuration), it MUST set the resultCode to protocolError, or to
- referral. The server MUST include an actual referral value in the
- LDAP Result if it returns a resultCode of referral. The client's
- current session is unaffected if the server does not support TLS. The
- client MAY proceed with any LDAP operation, or it MAY close the
- connection.
+ configuration), it MUST set the resultCode field to protocolError.
+ The client's current association is unaffected if the server does not
+
+Sermersheim Internet-Draft - Expires Jun 2004 Page 32 \f
+ Lightweight Directory Access Protocol Version 3
+
+ support TLS. The client may proceed with any LDAP operation, or it
+ may close the connection.
The server MUST return unavailable if it supports TLS but cannot
establish a TLS connection for some reason, e.g. the certificate
server not responding, it cannot contact its TLS implementation, or
- if the server is in process of shutting down. The client MAY retry
- the StartTLS operation, or it MAY proceed with any other LDAP
- operation, or it MAY close the connection.
+ if the server is in process of shutting down. The client may retry
+ the StartTLS operation, or it may proceed with any other LDAP
+ operation, or it may close the LDAP connection.
4.13.3. Closing a TLS Connection
- Two forms of TLS connection closure--graceful and abrupt--are
+ Two forms of TLS connection closure -- graceful and abrupt -- are
supported.
4.13.3.1. Graceful Closure
Either the client or server MAY terminate the TLS connection and
- leave the LDAP session intact by sending a TLS closure alert.
+ leave the LDAP connection intact by sending and receiving a TLS
+ closure alert.
- Before sending a TLS closure alert, the client MUST either wait for
- any outstanding LDAP operations to complete, or explicitly abandon
- them.
+ The initiating protocol peer sends the TLS closure alert. If it
+ wishes to leave the LDAP connection intact, it then MUST cease to
+ send further PDUs and MUST ignore any received PDUs until it receives
+ a TLS closure alert from the other peer.
- After the initiator of a close has sent a TLS closure alert, it MUST
- discard any TLS messages until it has received a TLS closure alert
-
-Sermersheim Internet-Draft - Expires Sep 2003 Page 30 \f
- Lightweight Directory Access Protocol Version 3
-
- from the other party. It will cease to send TLS Record Protocol
- PDUs, and following the receipt of the alert, MAY send and receive
- LDAP PDUs.
+ Once the initiating protocol peer receives a TLS closure alert from
+ the other peer it MAY send and receive LDAP PDUs.
- The other party, if it receives a TLS closure alert, MUST immediately
- transmit a TLS closure alert. It will subsequently cease to send TLS
- Record Protocol PDUs, and MAY send and receive LDAP PDUs.
+ When a protocol peer receives the initial TLS closure alert, it may
+ choose to allow the underlying LDAP connection intact. In this case,
+ it MUST immediately transmit a TLS closure alert. Following this, it
+ MAY send and receive LDAP PDUs.
+
+ Protocol peers MAY drop the underlying LDAP connection after sending
+ or receiving a TLS closure alert.
+
+ After the TLS connection has been closed, the server MUST NOT send
+ responses to any request message received before the TLS closure.
+ Thus, clients wishing to receive responses to messages sent while the
+ TLS connection is intact MUST wait for those message responses before
+ sending the TLS closure alert.
4.13.3.2. Abrupt Closure
Either the client or server MAY abruptly close the TLS connection by
dropping the underlying transfer protocol connection. In this
circumstance, a server MAY send the client a Notice of Disconnection
- before dropping the underlying connection.
+ before dropping the underlying LDAP connection.
5. Protocol Element Encodings and Transfer
- One underlying service is defined here. Clients and servers SHOULD
- implement the mapping of LDAP over TCP described in 5.2.1.
+
+Sermersheim Internet-Draft - Expires Jun 2004 Page 33 \f
+ Lightweight Directory Access Protocol Version 3
+
+ One underlying service, LDAP over TCP, is defined here. This service
+ is generally applicable to applications providing or consuming X.500-
+ based directory services on the Internet.
+ Implementations of LDAP over TCP MUST implement the mapping as
+ described in Section 5.2.1
+
5.1. Protocol Encoding
- The protocol elements of LDAP are encoded for exchange using the
- Basic Encoding Rules (BER) [X.690] of ASN.1 [X.680]. However, due to
- the high overhead involved in using certain elements of the BER, the
- following additional restrictions are placed on BER-encodings of LDAP
- protocol elements:
+ The protocol elements of LDAP SHALL be encoded for exchange using the
+ Basic Encoding Rules [BER] of [ASN.1] with the following
+ restrictions:
- (1) Only the definite form of length encoding will be used.
+ (1) Only the definite form of length encoding is used.
- (2) OCTET STRING values will be encoded in the primitive form only.
+ (2) OCTET STRING values are encoded in the primitive form only.
- (3) If the value of a BOOLEAN type is true, the encoding MUST have
- its contents octets set to hex "FF".
+ (3) If the value of a BOOLEAN type is true, the encoding of the
+ value octet is set to hex "FF".
- (4) If a value of a type is its default value, it MUST be absent.
- Only some BOOLEAN and INTEGER types have default values in this
+ (4) If a value of a type is its default value, it is absent. Only
+ some BOOLEAN and INTEGER types have default values in this
protocol definition.
+ These restrictions are meant to ease the overhead of encoding and
+ decoding certain elements in BER.
+
These restrictions do not apply to ASN.1 types encapsulated inside of
OCTET STRING values, such as attribute values, unless otherwise
- noted.
+ stated.
5.2. Transfer Protocols
stream.
-
-Sermersheim Internet-Draft - Expires Sep 2003 Page 31 \f
- Lightweight Directory Access Protocol Version 3
-
5.2.1. Transmission Control Protocol (TCP)
- The encoded LDAPMessage PDUs are mapped directly onto the TCP
- bytestream using the BER-based encoding described in section 5.1. It
+ The encoded LDAPMessage PDUs are mapped directly onto the [TCP]
+ bytestream using the BER-based encoding described in Section 5.1. It
is recommended that server implementations running over the TCP
provide a protocol listener on the assigned port, 389. Servers may
instead provide a listener on a different port number. Clients MUST
support contacting servers on any valid TCP port.
-6. Implementation Guidelines
-
-
-6.1. Server Implementations
-
- The server MUST be capable of recognizing all the mandatory attribute
- type names and implement the syntaxes specified in [Syntaxes].
- Servers MAY also recognize additional attribute type names.
-
+6. Security Considerations
-6.2. Client Implementations
-
- Clients that follow referrals or search continuation references MUST
- ensure that they do not loop between servers. They MUST NOT
- repeatedly contact the same server for the same request with the same
- target entry name, scope and filter. Some clients use a counter that
- is incremented each time referral handling occurs for an operation,
- and these kinds of clients MUST be able to handle a DIT with at least
- ten layers of naming contexts between the root and a leaf entry.
-
- In the absence of prior agreements with servers, clients SHOULD NOT
- assume that servers support any particular schemas beyond those
- referenced in section 6.1. Different schemas can have different
- attribute types with the same names. The client can retrieve the
- subschema entries referenced by the subschemaSubentry attribute in
- the entries held by the server.
-
-
-7. Security Considerations
-
- When used with a connection-oriented transport, this version of the
- protocol provides facilities for simple authentication using a
- cleartext password, as well as any SASL mechanism [RFC2222]. SASL
- allows for integrity and privacy services to be negotiated.
+ This version of the protocol provides facilities for simple
+ authentication using a cleartext password, as well as any [SASL]
+
+Sermersheim Internet-Draft - Expires Jun 2004 Page 34 \f
+ Lightweight Directory Access Protocol Version 3
+
+ mechanism. SASL allows for integrity and privacy services to be
+ negotiated.
It is also permitted that the server can return its credentials to
the client, if it chooses to do so.
underlying transport service cannot guarantee confidentiality and may
result in disclosure of the password to unauthorized parties.
- When used with SASL, it should be noted that the name field of the
- BindRequest is not protected against modification. Thus if the
-
-Sermersheim Internet-Draft - Expires Sep 2003 Page 32 \f
- Lightweight Directory Access Protocol Version 3
-
- distinguished name of the client (an LDAPDN) is agreed through the
- negotiation of the credentials, it takes precedence over any value in
- the unprotected name field.
+ Servers are encouraged to prevent directory modifications by clients
+ that have authenticated anonymously [AuthMeth].
+
+ Requirements of authentication methods, SASL mechanisms, and TLS are
+ described in [AuthMeth].
+
+ It should be noted that SASL authentication exchanges do not provide
+ data confidentiality nor integrity protection for the version or name
+ fields of the bind request nor the resultCode, diagnosticMessage, or
+ referral fields of the bind response nor of any information contained
+ in controls attached to bind request or responses. Thus information
+ contained in these fields SHOULD NOT be relied on unless otherwise
+ protected (such as by establishing protections at the transport
+ layer).
+
+ Server implementors should plan for the possibility of an identity
+ associated with an LDAP connection being deleted, renamed, or
+ modified, and take appropriate actions to prevent insecure side
+ effects. Likewise, server implementors should plan for the
+ possibility of an associated identity's credentials becoming invalid,
+ or an identities privileges being changed. The way in which these
+ issues are addressed are application
+ and/or implementation specific.
Implementations which cache attributes and entries obtained via LDAP
MUST ensure that access controls are maintained if that information
such referrals into the data stream in an attempt to redirect a
client to a rogue server. Protocol clients are advised to be aware of
this, and possibly reject referrals when confidentiality measures are
- in place. Protocol clients are advised to ignore referrals from the
- Start TLS operation.
+ not in place. Protocol clients are advised to reject referrals from
+ the StartTLS operation.
+
+ Protocol peers MUST be prepared to handle invalid and arbitrary
+ length protocol encodings. A number of LDAP security advisories are
+ available through [CERT].
+
+Sermersheim Internet-Draft - Expires Jun 2004 Page 35 \f
+ Lightweight Directory Access Protocol Version 3
+
-8. Acknowledgements
+7. Acknowledgements
- This document is an update to RFC 2251, by Mark Wahl, Tim Howes, and
- Steve Kille. Their work along with the input of individuals of the
- IETF LDAPEXT, LDUP, LDAPBIS, and other Working Groups is gratefully
+ This document updates RFC 2251 by Mark Wahl, Tim Howes, and Steve
+ Kille. It also updates RFC 2830 by Jeff Hodges, RL "Bob" Morgan, and
+ Mark Wahl. Their work along with the input of individuals of the IETF
+ ASID, LDAPEXT, LDUP, LDAPBIS, and other Working Groups is gratefully
acknowledged.
-9. Normative References
-
- [X.500] ITU-T Rec. X.500, "The Directory: Overview of Concepts,
- Models and Service", 1993.
-
- [Roadmap] K. Zeilenga (editor), "LDAP: Technical Specification Road
- Map", draft-ietf-ldapbis-roadmap-xx.txt (a work in
- progress).
+8. Normative References
+
+ [ABNF] Crocker, D. and P. Overell, "Augmented BNF for Syntax
+ Specifications: ABNF", RFC 2234, November 1997.
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", RFC 2119, March 1997.
-
- [X.680] ITU-T Recommendation X.680 (1997) | ISO/IEC 8824-1:1998
- Information Technology - Abstract Syntax Notation One
- (ASN.1): Specification of basic notation
+ [ASN.1] ITU-T Recommendation X.680 (07/2002) | ISO/IEC 8824-1:2002
+ "Information Technology - Abstract Syntax Notation One
+ (ASN.1): Specification of basic notation"
- [X.690] ITU-T Rec. X.690, "Specification of ASN.1 encoding rules:
- Basic, Canonical, and Distinguished Encoding Rules", 1994.
+ [AuthMeth] Harrison, R., "LDAP: Authentication Methods and Connection
+ Level Security Mechanisms ", draft-ietf-ldapbis-authmeth-
+ xx.txt, (a work in progress).
- [LDAPIANA] K. Zeilenga, "IANA Considerations for LDAP", draft-ietf-
- ldapbis-xx.txt (a work in progress).
+ [BER] ITU-T Rec. X.690 (07/2002) | ISO/IEC 8825-1:2002,
+ "Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER), Canonical
+ Encoding Rules (CER) and Distinguished Encoding Rules
+ (DER)", 2002.
+
+ [IP] Postel, J., "Internet Protocol", STD5 and RFC 791,
+ September 1981
[ISO10646] Universal Multiple-Octet Coded Character Set (UCS) -
Architecture and Basic Multilingual Plane, ISO/IEC 10646-1
: 1993.
+
+ [Keyword] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", RFC 2119, March 1997.
+
+ [LDAPDN] Zeilenga, K., "LDAP: String Representation of
+ Distinguished Names", draft-ietf-ldapbis-dn-xx.txt, (a
+ work in progress).
+
+ [LDAPIANA] Zeilenga, K., "IANA Considerations for LDAP", draft-ietf-
+ ldapbis-bcp64-xx.txt, (a work in progress).
+
+ [LDAPURL] Smith, M., "LDAP: Uniform Resource Locator", draft-ietf-
+ ldapbis-url-xx.txt, (a work in progress).
+
+ [Models] Zeilenga, K., "LDAP: Directory Information Models", draft-
+ ietf-ldapbis-models-xx.txt (a work in progress).
+
+ [Roadmap] Zeilenga, K., "LDAP: Technical Specification Road Map",
+ draft-ietf-ldapbis-roadmap-xx.txt (a work in progress).
-Sermersheim Internet-Draft - Expires Sep 2003 Page 33 \f
+Sermersheim Internet-Draft - Expires Jun 2004 Page 36 \f
Lightweight Directory Access Protocol Version 3
- [RFC2279] Yergeau, F., "UTF-8, a transformation format of Unicode
- and ISO 10646", RFC 2279, January 1998.
+ [SASL] Melnikov, A., "Simple Authentication and Security Layer",
+ draft-ietf-sasl-rfc2222bis-xx.txt (a work in progress).
- [Models] K. Zeilenga, "LDAP: The Models", draft-ietf-ldapbis-
- models-xx.txt (a work in progress).
+ [SASLPrep] Zeilenga, K., "Stringprep profile for user names and
+ passwords", draft-ietf-sasl-saslprep-xx.txt, (a work in
+ progress).
- [LDAPDN] K. Zeilenga (editor), "LDAP: String Representation of
- Distinguished Names", draft-ietf-ldapbis-dn-xx.txt, (a
- work in progress).
+ [StringPrep] Hoffman P. and M. Blanchet, "Preparation of
+ Internationalized Strings ('stringprep')", draft-hoffman-
+ rfc3454bis-xx.txt, a work in progress.
+
+ [Syntaxes] Legg, S., and K. Dally, "LDAP: Syntaxes and Matching
+ Rules", draft-ietf-ldapbis-syntaxes-xx.txt, (a work in
+ progress).
+
+ [TCP] Postel, J., "Transmission Control Protocol", STD7 and RFC
+ 793, September 1981
- [Syntaxes] K. Dally (editor), "LDAP: Syntaxes", draft-ietf-ldapbis-
- syntaxes-xx.txt, (a work in progress).
+ [TLS] Dierks, T. and C. Allen. "The TLS Protocol Version 1.1",
+ draft-ietf-tls-rfc2246-bis-xx.txt, a work in progress.
+ [Unicode] The Unicode Consortium, "The Unicode Standard, Version
+ 3.2.0" is defined by "The Unicode Standard, Version 3.0"
+ (Reading, MA, Addison-Wesley, 2000. ISBN 0-201-61633-5),
+ as amended by the "Unicode Standard Annex #27: Unicode
+ 3.1" (http://www.unicode.org/reports/tr27/) and by the
+ "Unicode Standard Annex #28: Unicode 3.2"
+ (http://www.unicode.org/reports/tr28/).
+
+ [URI] Berners-Lee, T., Fielding, R., and L. Masinter Uniform
+ Resource Identifiers (URI): Generic Syntax", RFC 2396,
+ August 1998.
+
+ [UTF-8] Yergeau, F., "UTF-8, a transformation format of Unicode
+ and ISO 10646", STD63 and RFC3629.
+
+ [X.500] ITU-T Rec. X.500, "The Directory: Overview of Concepts,
+ Models and Service", 1993.
+
[X.501] ITU-T Rec. X.501, "The Directory: Models", 1993.
[X.511] ITU-T Rec. X.511, "The Directory: Abstract Service
Definition", 1993.
- [RFC2396] Berners-Lee, T., Fielding, R., and L. Masinter Uniform
- Resource Identifiers (URI): Generic Syntax", RFC 2396,
- August 1998.
- [AuthMeth] R. Harrison (editor), "LDAP: Authentication Methods",
- draft-ietf-ldapbis-authmeth-xx.txt, (a work in progress).
+9. Informative References
- [RFC2222] Meyers, J., "Simple Authentication and Security Layer",
- RFC 2222, October 1997.
+ [CERT] the CERT(R) Center, (http://www.cert.org)
+10. IANA Considerations
+
+
+
+
+Sermersheim Internet-Draft - Expires Jun 2004 Page 37 \f
+ Lightweight Directory Access Protocol Version 3
+
+ It is requested that the Internet Assigned Numbers Authority (IANA)
+ update the occurrence of "RFC XXXX" in Appendix B with this RFC
+ number at publication.
-10. Editor's Address
+11. Editor's Address
Jim Sermersheim
Novell, Inc.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-Sermersheim Internet-Draft - Expires Sep 2003 Page 34 \f
+Sermersheim Internet-Draft - Expires Jun 2004 Page 38 \f
Lightweight Directory Access Protocol Version 3
Appendix A - LDAP Result Codes
LDAP result codes and provides a brief, general description of each
LDAP result code enumerated in Section 4.1.10.
- Additional result codes MAY be defined for use with extensions.
- Client implementations SHALL treat any result code which they do not
- recognize as an unknown error condition.
+ Additional result codes MAY be defined for use with extensions
+ [LDAPIANA]. Client implementations SHALL treat any result code which
+ they do not recognize as an unknown error condition.
A.1 Non-Error Result Codes
+
These result codes (called "non-error" result codes) do not indicate
an error condition:
- success(0),
- compareTrue(6),
- compareFalse(7),
- referral(10), and
- saslBindInProgress(14).
-
- The success(0), compareTrue(6), and compare(7) result codes indicate
- successful completion (and, hence, are called to as "successful"
+ success (0),
+ compareTrue (6),
+ compareFalse (7),
+ referral (10), and
+ saslBindInProgress (14).
+
+ The success, compareTrue, and compare result codes indicate
+ successful completion (and, hence, are referred to as "successful"
result codes).
- The referral(10) and saslBindInProgress(14) indicate the client is
- required to take additional action to complete the operation
+ The referral and saslBindInProgress result codes indicate the client
+ is required to take additional action to complete the operation
-A.2 Error Result Codes
-
-A.3 Classes and Precedence of Error Result Codes
-
- Result codes that indicate error conditions (and, hence, are called
- "error" result codes) fall into 6 classes. The following list
- specifies the precedence of error classes to be used when more than
- one error is detected [X511]:
- 1) Name Errors (codes 32 - 34, 36)
- - a problem related to a name (DN or RDN),
- 2) Update Errors (codes 64 - 69, 71)
- - a problem related to an update operation,
- 3) Attribute Errors (codes 16 - 21)
- - a problem related to a supplied attribute,
- 4) Security Errors (codes 8, 13, 48 - 50)
- - a security related problem,
- 5) Service Problem (codes 3, 4, 7, 11, 12, 51 - 54, 80)
- - a problem related to the provision of the service, and
- 6) Protocol Problem (codes 1, 2)
- - a problem related to protocol structure or semantics.
-
- If the server detects multiple errors simultaneously, the server
- SHOULD report the error with the highest precedence.
+A.2 Result Codes
Existing LDAP result codes are described as follows:
success (0)
-
-Sermersheim Internet-Draft - Expires Sep 2003 Page 35 \f
- Lightweight Directory Access Protocol Version 3
-
-
- Indicates successful completion of an operation.
-
- This result code is normally not returned by the compare
- operation, see compareFalse (5) and compareTrue (6). It is
- possible that a future extension mechanism would allow this
- to be returned by a compare operation.
-
+ Indicates the successful completion of an operation. Note:
+ this code is not used with the compare operation. See
+ compareTrue (5) and compareFalse (6).
operationsError (1)
-
Indicates that the operation is not properly sequenced with
relation to other operations (of same or different type).
For example, this code is returned if the client attempts to
- Start TLS [RFC2246] while there are other operations
+ StartTLS [RFC2246] while there are other operations
outstanding or if TLS was already established.
-
-
protocolError (2)
-
Indicates the server received data which has incorrect
structure.
- For bind operation only, the code may be resulted to indicate
- the server does not support the requested protocol version.
+ For bind operation only, this code is also used to indicate
+ that the server does not support the requested protocol
+ version.
-
timeLimitExceeded (3)
-
+
+Sermersheim Internet-Draft - Expires Jun 2004 Page 39 \f
+ Lightweight Directory Access Protocol Version 3
+
Indicates that the time limit specified by the client was
exceeded before the operation could be completed.
-
-
+
sizeLimitExceeded (4)
-
Indicates that the size limit specified by the client was
exceeded before the operation could be completed.
-
compareFalse (5)
-
- Indicates that the operation successfully completes and the
- assertion has evaluated to FALSE.
-
- This result code is normally only returned by the compare
- operation.
-
+ Indicates that the compare operation has successfully
+ completed and the assertion has evaluated to FALSE.
compareTrue (6)
-
- Indicates that the operation successfully completes and the
- assertion has evaluated to TRUE.
-
-Sermersheim Internet-Draft - Expires Sep 2003 Page 36 \f
- Lightweight Directory Access Protocol Version 3
-
-
- This result code is normally only returned by the compare
- operation.
-
+ Indicates that the compare operation has successfully
+ completed and the assertion has evaluated to TRUE.
authMethodNotSupported (7)
-
Indicates that the authentication method or mechanism is not
supported.
-
strongAuthRequired (8)
-
- Except when returned in a Notice of Disconnect (see section
- 4.4.1), this indicates that the server requires the client to
- authentication using a strong(er) mechanism.
-
+ Indicates that the server has detected that an established
+ security association between the client and server has
+ unexpectedly failed or been compromised, or that the server
+ now requires the client to authenticate using a strong(er)
+ mechanism.
referral (10)
-
Indicates that a referral needs to be chased to complete the
- operation (see section 4.1.11).
-
+ operation (see Section 4.1.11).
adminLimitExceeded (11)
-
Indicates that an administrative limit has been exceeded.
-
unavailableCriticalExtension (12)
-
- Indicates that server cannot perform a critical extension
- (see section 4.1.12).
-
+ Indicates that the server is unable or unwilling to perform a
+ critical extension (see Section 4.1.12).
confidentialityRequired (13)
-
Indicates that data confidentiality protections are required.
-
saslBindInProgress (14)
-
Indicates the server requires the client to send a new bind
request, with the same SASL mechanism, to continue the
- authentication process (see section 4.2).
-
+ authentication process (see Section 4.2).
noSuchAttribute (16)
-
Indicates that the named entry does not contain the specified
attribute or attribute value.
-
undefinedAttributeType (17)
+ Indicates that a request field contains an unrecognized
+ attribute description.
+
+ inappropriateMatching (18)
-Sermersheim Internet-Draft - Expires Sep 2003 Page 37 \f
+Sermersheim Internet-Draft - Expires Jun 2004 Page 40 \f
Lightweight Directory Access Protocol Version 3
-
- Indicates that a request field contains an undefined
- attribute type.
-
-
- inappropriateMatching (18)
-
- Indicates that a request cannot be completed due to an
- inappropriate matching.
-
+ Indicates that an attempt was made, e.g. in a filter, to use
+ a matching rule not defined for the attribute type concerned.
constraintViolation (19)
-
Indicates that the client supplied an attribute value which
- does not conform to constraints placed upon it by the data
- model.
-
- For example, this code is returned when the multiple values
- are supplied to an attribute which has a SINGLE-VALUE
- constraint.
+ does not conform to the constraints placed upon it by the
+ data model.
+ For example, this code is returned when multiple values are
+ supplied to an attribute which has a SINGLE-VALUE constraint.
attributeOrValueExists (20)
-
Indicates that the client supplied an attribute or value to
- be added to an entry already exists.
-
+ be added to an entry, but the attribute or value already
+ exists.
invalidAttributeSyntax (21)
-
Indicates that a purported attribute value does not conform
to the syntax of the attribute.
-
noSuchObject (32)
-
Indicates that the object does not exist in the DIT.
-
aliasProblem (33)
-
- Indicates that an alias problem has occurred. Typically an
- alias has been dereferenced which names no object.
-
+ Indicates that an alias problem has occurred. For example,
+ the code may used to indicate an alias has been dereferenced
+ which names no object.
invalidDNSyntax (34)
-
- Indicates that a LDAPDN or RelativeLDAPDN field (e.g. search
+ Indicates that an LDAPDN or RelativeLDAPDN field (e.g. search
base, target entry, ModifyDN newrdn, etc.) of a request does
not conform to the required syntax or contains attribute
values which do not conform to the syntax of the attribute's
type.
-
-
-Sermersheim Internet-Draft - Expires Sep 2003 Page 38 \f
- Lightweight Directory Access Protocol Version 3
-
aliasDereferencingProblem (36)
-
Indicates that a problem occurred while dereferencing an
alias. Typically an alias was encountered in a situation
where it was not allowed or where access was denied.
-
inappropriateAuthentication (48)
-
Indicates the server requires the client which had attempted
to bind anonymously or without supplying credentials to
- provide some form of credentials,
-
+ provide some form of credentials.
invalidCredentials (49)
-
- Indicates the supplied password or SASL credentials are
- invalid.
-
+ Indicates that the provided credentials (e.g. the user's name
+ and password) are invalid.
insufficientAccessRights (50)
-
Indicates that the client does not have sufficient access
rights to perform the operation.
-
busy (51)
-
- Indicates that the server is busy.
-
+
+Sermersheim Internet-Draft - Expires Jun 2004 Page 41 \f
+ Lightweight Directory Access Protocol Version 3
+
+ Indicates that the server is too busy to service the
+ operation.
unavailable (52)
-
Indicates that the server is shutting down or a subsystem
necessary to complete the operation is offline.
-
unwillingToPerform (53)
-
Indicates that the server is unwilling to perform the
operation.
-
loopDetect (54)
-
Indicates that the server has detected an internal loop.
-
namingViolation (64)
-
- Indicates that the entry name violates naming restrictions.
+ Indicates that the entry's name violates naming restrictions.
objectClassViolation (65)
-
-
-Sermersheim Internet-Draft - Expires Sep 2003 Page 39 \f
- Lightweight Directory Access Protocol Version 3
-
Indicates that the entry violates object class restrictions.
-
notAllowedOnNonLeaf (66)
-
- Indicates that operation is inappropriately acting upon a
+ Indicates that the operation is inappropriately acting upon a
non-leaf entry.
-
notAllowedOnRDN (67)
-
Indicates that the operation is inappropriately attempting to
remove a value which forms the entry's relative distinguished
name.
-
entryAlreadyExists (68)
-
- Indicates that the request cannot be added fulfilled as the
- entry already exists.
-
+ Indicates that the request cannot be fulfilled (added, moved,
+ or renamed) as the target entry already exists.
objectClassModsProhibited (69)
+ Indicates that an attempt to modify the object class(es) of
+ an entry's objectClass attribute is prohibited.
- Indicates that the attempt to modify the object class(es) of
- an entry objectClass attribute is prohibited.
-
- For example, this code is returned when a when a client
- attempts to modify the structural object class of an entry.
-
+ For example, this code is returned when a client attempts to
+ modify the structural object class of an entry.
affectsMultipleDSAs (71)
-
Indicates that the operation cannot be completed as it
affects multiple servers (DSAs).
-
other (80)
-
Indicates the server has encountered an internal error.
-
-
-
-
-
-
-Sermersheim Internet-Draft - Expires Sep 2003 Page 40 \f
+Sermersheim Internet-Draft - Expires Jun 2004 Page 42 \f
Lightweight Directory Access Protocol Version 3
- Appendix B - Complete ASN.1 Definition
+Appendix B - Complete ASN.1 Definition
This appendix is normative.
- Lightweight-Directory-Access-Protocol-V3 DEFINITIONS
+ Lightweight-Directory-Access-Protocol-V3
+ -- Copyright (C) The Internet Society (2003). This version of
+ -- this ASN.1 module is part of RFC XXXX; see the RFC itself
+ -- for full legal notices.
+ DEFINITIONS
IMPLICIT TAGS
EXTENSIBILITY IMPLIED ::=
BEGIN
LDAPMessage ::= SEQUENCE {
- messageID MessageID,
- protocolOp CHOICE {
- bindRequest BindRequest,
- bindResponse BindResponse,
- unbindRequest UnbindRequest,
- searchRequest SearchRequest,
- searchResEntry SearchResultEntry,
- searchResDone SearchResultDone,
- searchResRef SearchResultReference,
- modifyRequest ModifyRequest,
- modifyResponse ModifyResponse,
- addRequest AddRequest,
- addResponse AddResponse,
- delRequest DelRequest,
- delResponse DelResponse,
- modDNRequest ModifyDNRequest,
- modDNResponse ModifyDNResponse,
- compareRequest CompareRequest,
- compareResponse CompareResponse,
- abandonRequest AbandonRequest,
- extendedReq ExtendedRequest,
- extendedResp ExtendedResponse,
- ... },
- controls [0] Controls OPTIONAL }
+ messageID MessageID,
+ protocolOp CHOICE {
+ bindRequest BindRequest,
+ bindResponse BindResponse,
+ unbindRequest UnbindRequest,
+ searchRequest SearchRequest,
+ searchResEntry SearchResultEntry,
+ searchResDone SearchResultDone,
+ searchResRef SearchResultReference,
+ modifyRequest ModifyRequest,
+ modifyResponse ModifyResponse,
+ addRequest AddRequest,
+ addResponse AddResponse,
+ delRequest DelRequest,
+ delResponse DelResponse,
+ modDNRequest ModifyDNRequest,
+ modDNResponse ModifyDNResponse,
+ compareRequest CompareRequest,
+ compareResponse CompareResponse,
+ abandonRequest AbandonRequest,
+ extendedReq ExtendedRequest,
+ extendedResp ExtendedResponse,
+ ... },
+ controls [0] Controls OPTIONAL }
MessageID ::= INTEGER (0 .. maxInt)
LDAPString ::= OCTET STRING -- UTF-8 encoded,
-- [ISO10646] characters
- LDAPOID ::= OCTET STRING -- Constrained to numericoid [Models]
+ LDAPOID ::= OCTET STRING -- Constrained to <numericoid> [Models]
LDAPDN ::= LDAPString
RelativeLDAPDN ::= LDAPString
AttributeDescription ::= LDAPString
- -- Constrained to attributedescription
- -- [Models]
-
- AttributeDescriptionList ::= SEQUENCE OF
-Sermersheim Internet-Draft - Expires Sep 2003 Page 41 \f
+Sermersheim Internet-Draft - Expires Jun 2004 Page 43 \f
Lightweight Directory Access Protocol Version 3
- AttributeDescription
+ -- Constrained to <attributedescription>
+ -- [Models]
AttributeValue ::= OCTET STRING
AttributeValueAssertion ::= SEQUENCE {
- attributeDesc AttributeDescription,
- assertionValue AssertionValue }
+ attributeDesc AttributeDescription,
+ assertionValue AssertionValue }
AssertionValue ::= OCTET STRING
- Attribute ::= SEQUENCE {
- type AttributeDescription,
- vals SET OF AttributeValue }
+ PartialAttribute ::= SEQUENCE {
+ type AttributeDescription,
+ vals SET OF value AttributeValue }
+
+ Attribute ::= PartialAttribute(WITH COMPONENTS {
+ ...,
+ vals (SIZE(1..MAX))})
MatchingRuleId ::= LDAPString
LDAPResult ::= SEQUENCE {
- resultCode ENUMERATED {
- success (0),
- operationsError (1),
- protocolError (2),
- timeLimitExceeded (3),
- sizeLimitExceeded (4),
- compareFalse (5),
- compareTrue (6),
- authMethodNotSupported (7),
- strongAuthRequired (8),
- -- 9 reserved --
- referral (10),
- adminLimitExceeded (11),
- unavailableCriticalExtension (12),
- confidentialityRequired (13),
- saslBindInProgress (14),
- noSuchAttribute (16),
- undefinedAttributeType (17),
- inappropriateMatching (18),
- constraintViolation (19),
- attributeOrValueExists (20),
- invalidAttributeSyntax (21),
- -- 22-31 unused --
- noSuchObject (32),
- aliasProblem (33),
- invalidDNSyntax (34),
- -- 35 reserved for undefined isLeaf --
- aliasDereferencingProblem (36),
- -- 37-47 unused --
- inappropriateAuthentication (48),
- invalidCredentials (49),
- insufficientAccessRights (50),
- busy (51),
- unavailable (52),
- unwillingToPerform (53),
- loopDetect (54),
- -- 55-63 unused --
+ resultCode ENUMERATED {
+ success (0),
+ operationsError (1),
+ protocolError (2),
+ timeLimitExceeded (3),
+ sizeLimitExceeded (4),
+ compareFalse (5),
+ compareTrue (6),
+ authMethodNotSupported (7),
+ strongAuthRequired (8),
+ -- 9 reserved --
+ referral (10),
+ adminLimitExceeded (11),
+ unavailableCriticalExtension (12),
+ confidentialityRequired (13),
+ saslBindInProgress (14),
+ noSuchAttribute (16),
+ undefinedAttributeType (17),
+ inappropriateMatching (18),
+ constraintViolation (19),
+ attributeOrValueExists (20),
+ invalidAttributeSyntax (21),
+ -- 22-31 unused --
+ noSuchObject (32),
+ aliasProblem (33),
+ invalidDNSyntax (34),
+ -- 35 reserved for undefined isLeaf --
+ aliasDereferencingProblem (36),
+ -- 37-47 unused --
+ inappropriateAuthentication (48),
+ invalidCredentials (49),
+ insufficientAccessRights (50),
-Sermersheim Internet-Draft - Expires Sep 2003 Page 42 \f
+Sermersheim Internet-Draft - Expires Jun 2004 Page 44 \f
Lightweight Directory Access Protocol Version 3
- namingViolation (64),
- objectClassViolation (65),
- notAllowedOnNonLeaf (66),
- notAllowedOnRDN (67),
- entryAlreadyExists (68),
- objectClassModsProhibited (69),
- -- 70 reserved for CLDAP --
- affectsMultipleDSAs (71),
- -- 72-79 unused --
- other (80),
- ... },
- -- 81-90 reserved for APIs --
- matchedDN LDAPDN,
- diagnosticMessage LDAPString,
- referral [3] Referral OPTIONAL }
-
- Referral ::= SEQUENCE OF LDAPURL
-
- LDAPURL ::= LDAPString -- limited to characters permitted in
- -- URLs
-
- Controls ::= SEQUENCE OF Control
+ busy (51),
+ unavailable (52),
+ unwillingToPerform (53),
+ loopDetect (54),
+ -- 55-63 unused --
+ namingViolation (64),
+ objectClassViolation (65),
+ notAllowedOnNonLeaf (66),
+ notAllowedOnRDN (67),
+ entryAlreadyExists (68),
+ objectClassModsProhibited (69),
+ -- 70 reserved for CLDAP --
+ affectsMultipleDSAs (71),
+ -- 72-79 unused --
+ other (80),
+ ... },
+ -- 81-90 reserved for APIs --
+ matchedDN LDAPDN,
+ diagnosticMessage LDAPString,
+ referral [3] Referral OPTIONAL }
+
+ Referral ::= SEQUENCE SIZE (1..MAX) OF uri URI
+
+ URI ::= LDAPString -- limited to characters permitted in
+ -- URIs
+
+ Controls ::= SEQUENCE OF control Control
Control ::= SEQUENCE {
- controlType LDAPOID,
- criticality BOOLEAN DEFAULT FALSE,
- controlValue OCTET STRING OPTIONAL }
+ controlType LDAPOID,
+ criticality BOOLEAN DEFAULT FALSE,
+ controlValue OCTET STRING OPTIONAL }
BindRequest ::= [APPLICATION 0] SEQUENCE {
- version INTEGER (1 .. 127),
- name LDAPDN,
- authentication AuthenticationChoice }
+ version INTEGER (1 .. 127),
+ name LDAPDN,
+ authentication AuthenticationChoice }
AuthenticationChoice ::= CHOICE {
- simple [0] OCTET STRING,
- -- 1 and 2 reserved
- sasl [3] SaslCredentials,
- ... }
+ simple [0] OCTET STRING,
+ -- 1 and 2 reserved
+ sasl [3] SaslCredentials,
+ ... }
SaslCredentials ::= SEQUENCE {
- mechanism LDAPString,
- credentials OCTET STRING OPTIONAL }
+ mechanism LDAPString,
+ credentials OCTET STRING OPTIONAL }
BindResponse ::= [APPLICATION 1] SEQUENCE {
COMPONENTS OF LDAPResult,
UnbindRequest ::= [APPLICATION 2] NULL
- SearchRequest ::= [APPLICATION 3] SEQUENCE {
- baseObject LDAPDN,
- scope ENUMERATED {
- baseObject (0),
- singleLevel (1),
-Sermersheim Internet-Draft - Expires Sep 2003 Page 43 \f
+Sermersheim Internet-Draft - Expires Jun 2004 Page 45 \f
Lightweight Directory Access Protocol Version 3
- wholeSubtree (2) },
- derefAliases ENUMERATED {
- neverDerefAliases (0),
- derefInSearching (1),
- derefFindingBaseObj (2),
- derefAlways (3) },
- sizeLimit INTEGER (0 .. maxInt),
- timeLimit INTEGER (0 .. maxInt),
- typesOnly BOOLEAN,
- filter Filter,
- attributes AttributeDescriptionList }
+ SearchRequest ::= [APPLICATION 3] SEQUENCE {
+ baseObject LDAPDN,
+ scope ENUMERATED {
+ baseObject (0),
+ singleLevel (1),
+ wholeSubtree (2) },
+ derefAliases ENUMERATED {
+ neverDerefAliases (0),
+ derefInSearching (1),
+ derefFindingBaseObj (2),
+ derefAlways (3) },
+ sizeLimit INTEGER (0 .. maxInt),
+ timeLimit INTEGER (0 .. maxInt),
+ typesOnly BOOLEAN,
+ filter Filter,
+ attributes AttributeSelection }
+
+ AttributeSelection ::= SEQUENCE OF selection LDAPString
Filter ::= CHOICE {
- and [0] SET SIZE (1..MAX) OF Filter,
- or [1] SET SIZE (1..MAX) OF Filter,
- not [2] Filter,
- equalityMatch [3] AttributeValueAssertion,
- substrings [4] SubstringFilter,
- greaterOrEqual [5] AttributeValueAssertion,
- lessOrEqual [6] AttributeValueAssertion,
- present [7] AttributeDescription,
- approxMatch [8] AttributeValueAssertion,
- extensibleMatch [9] MatchingRuleAssertion }
+ and [0] SET SIZE (1..MAX) OF filter Filter,
+ or [1] SET SIZE (1..MAX) OF filter Filter,
+ not [2] Filter,
+ equalityMatch [3] AttributeValueAssertion,
+ substrings [4] SubstringFilter,
+ greaterOrEqual [5] AttributeValueAssertion,
+ lessOrEqual [6] AttributeValueAssertion,
+ present [7] AttributeDescription,
+ approxMatch [8] AttributeValueAssertion,
+ extensibleMatch [9] MatchingRuleAssertion }
SubstringFilter ::= SEQUENCE {
- type AttributeDescription,
- -- at least one must be present,
- -- initial and final can occur at most once
- substrings SEQUENCE OF CHOICE {
- initial [0] AssertionValue,
- any [1] AssertionValue,
- final [2] AssertionValue } }
+ type AttributeDescription,
+ -- at least one must be present,
+ -- initial and final can occur at most once
+ substrings SEQUENCE SIZE (1..MAX) OF substring CHOICE {
+ initial [0] AssertionValue,
+ any [1] AssertionValue,
+ final [2] AssertionValue } }
MatchingRuleAssertion ::= SEQUENCE {
- matchingRule [1] MatchingRuleId OPTIONAL,
- type [2] AttributeDescription OPTIONAL,
- matchValue [3] AssertionValue,
- dnAttributes [4] BOOLEAN DEFAULT FALSE }
+ matchingRule [1] MatchingRuleId OPTIONAL,
+ type [2] AttributeDescription OPTIONAL,
+ matchValue [3] AssertionValue,
+ dnAttributes [4] BOOLEAN DEFAULT FALSE }
SearchResultEntry ::= [APPLICATION 4] SEQUENCE {
- objectName LDAPDN,
- attributes PartialAttributeList }
+ objectName LDAPDN,
+ attributes PartialAttributeList }
- PartialAttributeList ::= SEQUENCE OF SEQUENCE {
- type AttributeDescription,
- vals SET OF AttributeValue }
+ PartialAttributeList ::= SEQUENCE OF
+ partialAttribute PartialAttribute
- SearchResultReference ::= [APPLICATION 19] SEQUENCE OF LDAPURL
-
- SearchResultDone ::= [APPLICATION 5] LDAPResult
-
- ModifyRequest ::= [APPLICATION 6] SEQUENCE {
- object LDAPDN,
- modification SEQUENCE OF SEQUENCE {
+ SearchResultReference ::= [APPLICATION 19] SEQUENCE
-Sermersheim Internet-Draft - Expires Sep 2003 Page 44 \f
+Sermersheim Internet-Draft - Expires Jun 2004 Page 46 \f
Lightweight Directory Access Protocol Version 3
- operation ENUMERATED {
- add (0),
- delete (1),
- replace (2) },
- modification AttributeTypeAndValues } }
+ SIZE (1..MAX) OF uri URI
- AttributeTypeAndValues ::= SEQUENCE {
- type AttributeDescription,
- vals SET OF AttributeValue }
+ SearchResultDone ::= [APPLICATION 5] LDAPResult
+
+ ModifyRequest ::= [APPLICATION 6] SEQUENCE {
+ object LDAPDN,
+ changes SEQUENCE OF change SEQUENCE {
+ operation ENUMERATED {
+ add (0),
+ delete (1),
+ replace (2) },
+ modification PartialAttribute } }
ModifyResponse ::= [APPLICATION 7] LDAPResult
AddRequest ::= [APPLICATION 8] SEQUENCE {
- entry LDAPDN,
- attributes AttributeList }
+ entry LDAPDN,
+ attributes AttributeList }
- AttributeList ::= SEQUENCE OF SEQUENCE {
- type AttributeDescription,
- vals SET OF AttributeValue }
+ AttributeList ::= SEQUENCE OF attribute Attribute
AddResponse ::= [APPLICATION 9] LDAPResult
DelResponse ::= [APPLICATION 11] LDAPResult
ModifyDNRequest ::= [APPLICATION 12] SEQUENCE {
- entry LDAPDN,
- newrdn RelativeLDAPDN,
- deleteoldrdn BOOLEAN,
- newSuperior [0] LDAPDN OPTIONAL }
+ entry LDAPDN,
+ newrdn RelativeLDAPDN,
+ deleteoldrdn BOOLEAN,
+ newSuperior [0] LDAPDN OPTIONAL }
ModifyDNResponse ::= [APPLICATION 13] LDAPResult
CompareRequest ::= [APPLICATION 14] SEQUENCE {
- entry LDAPDN,
- ava AttributeValueAssertion }
+ entry LDAPDN,
+ ava AttributeValueAssertion }
CompareResponse ::= [APPLICATION 15] LDAPResult
AbandonRequest ::= [APPLICATION 16] MessageID
ExtendedRequest ::= [APPLICATION 23] SEQUENCE {
- requestName [0] LDAPOID,
- requestValue [1] OCTET STRING OPTIONAL }
+ requestName [0] LDAPOID,
+ requestValue [1] OCTET STRING OPTIONAL }
ExtendedResponse ::= [APPLICATION 24] SEQUENCE {
- COMPONENTS OF LDAPResult,
- responseName [10] LDAPOID OPTIONAL,
- response [11] OCTET STRING OPTIONAL }
+ COMPONENTS OF LDAPResult,
+ responseName [10] LDAPOID OPTIONAL,
+ responseValue [11] OCTET STRING OPTIONAL }
END
-
-Sermersheim Internet-Draft - Expires Sep 2003 Page 45 \f
+Sermersheim Internet-Draft - Expires Jun 2004 Page 47 \f
Lightweight Directory Access Protocol Version 3
-Appendix C - Change History
- <Note to RFC editor: This section is to be removed prior to RFC
- publication>
-
-C.1 Changes made to RFC 2251:
+Appendix C - Changes
-C.1.1 Editorial
-
- - Bibliography References: Changed all bibliography references to
- use a long name form for readability.
- - Changed occurrences of "unsupportedCriticalExtension"
- "unavailableCriticalExtension"
- - Fixed a small number of misspellings (mostly dropped letters).
-
-C.1.2 Section 1
-
- - Removed IESG note.
-
-C.1.3 Section 9
+ This appendix is non-normative.
- - Added references to RFCs 1823, 2234, 2829 and 2830.
+ This appendix summarizes substantive changes made to RFC 2251 and RFC
+ 2830.
-
-C.2 Changes made to draft-ietf-ldapbis-protocol-00.txt:
-C.2.1 Section 4.1.6
+C.1 Changes made to made to RFC 2251:
- - In the first paragraph, clarified what the contents of an
- AttributeValue are. There was confusion regarding whether or not
- an AttributeValue that is BER encoded (due to the "binary" option)
- is to be wrapped in an extra OCTET STRING.
- - To the first paragraph, added wording that doesn't restrict other
- transfer encoding specifiers from being used. The previous wording
- only allowed for the string encoding and the ;binary encoding.
- - To the first paragraph, added a statement restricting multiple
- options that specify transfer encoding from being present. This
- was never specified in the previous version and was seen as a
- potential interoperability problem.
- - Added a third paragraph stating that the ;binary option is
- currently the only option defined that specifies the transfer
- encoding. This is for completeness.
+ This section summarizes the substantive changes made to Sections 1,
+ 2, 3.1, and 4 through the remainder of RFC 2251. Readers should
+ consult [Models] and [AuthMeth] for summaries of changes to other
+ sections.
-C.2.2 Section 4.1.7
- - Generalized the second paragraph to read "If an option specifying
- the transfer encoding is present in attributeDesc, the
- AssertionValue is encoded as specified by the option...".
- Previously, only the ;binary option was mentioned.
+C.1.1 Section 1
-C.2.3 Sections 4.2, 4.9, 4.10
+ - Removed IESG note. Post publication of RFC 2251, mandatory LDAP
+ authentication mechanisms have been standardized which are
+ sufficient to remove this note. See [AuthMeth] for authentication
+ mechanisms.
- - Added alias dereferencing specifications. In the case of modDN,
- followed precedent set on other update operations (... alias is
- not dereferenced...) In the case of bind and compare stated that
-
-Sermersheim Internet-Draft - Expires Sep 2003 Page 46 \f
- Lightweight Directory Access Protocol Version 3
-
- servers SHOULD NOT dereference aliases. Specifications were added
- because they were missing from the previous version and caused
- interoperability problems. Concessions were made for bind and
- compare (neither should have ever allowed alias dereferencing) by
- using SHOULD NOT language, due to the behavior of some existing
- implementations.
-C.2.4 Sections 4.5 and Appendix A
+C.1.2 Section 3.1 and others
+
+ - Removed notes giving history between LDAP v1, v2 and v3. Instead,
+ added sufficient language so that this document can stand on its
+ own.
- - Changed SubstringFilter.substrings.initial, any, and all from
- LDAPString to AssertionValue. This was causing an incompatibility
- with X.500 and confusion among other TS RFCs.
+C.1.3 Section 4
-C.3 Changes made to draft-ietf-ldapbis-protocol-01.txt:
+ - Clarified where the extensibility features of ASN.1 apply to the
+ protocol. This change also affected various ASN.1 types.
+ - Removed the requirement that servers which implement version 3 or
+ later MUST provide the supportedLDAPVersion attribute. This
+ statement provided no interoperability advantages.
-C.3.1 Section 3.4
-
- - Reworded text surrounding subschemaSubentry to reflect that it is
- a single-valued attribute that holds the schema for the root DSE.
- Also noted that if the server masters entries that use differing
- schema, each entry's subschemaSubentry attribute must be
- interrogated. This may change as further fine-tuning is done to
- the data model.
-
-C.3.2 Section 4.1.12
-
- - Specified that the criticality field is only used for requests and
- not for unbind or abandon. Noted that it is ignored for all other
- operations.
-
-C.3.3 Section 4.2
-
- - Noted that Server behavior is undefined when the name is a null
- value, simple authentication is used, and a password is specified.
-
-C.3.4 Section 4.2.(various)
-
- - Changed "unauthenticated" to "anonymous" and "DN" and "LDAPDN" to
- "name"
-
-C.3.5 Section 4.2.2
-
- - Changed "there is no authentication or encryption being performed
- by a lower layer" to "the underlying transport service cannot
- guarantee confidentiality"
-
-C.3.6 Section 4.5.2
-
- - Removed all mention of ExtendedResponse due to lack of
- implementation.
-
-C.4 Changes made to draft-ietf-ldapbis-protocol-02.txt:
-
-Sermersheim Internet-Draft - Expires Sep 2003 Page 47 \f
- Lightweight Directory Access Protocol Version 3
-
-C.4.1 Section 4
-
- - Removed "typically" from "and is typically transferred" in the
- first paragraph. We know of no (and can conceive of no) case where
- this isn't true.
- - Added "Section 5.1 specifies how the LDAP protocol is encoded." To
- the first paragraph. Added this cross reference for readability.
- - Changed "version 3 " to "version 3 or later" in the second
- paragraph. This was added to clarify the original intent.
- - Changed "protocol version" to "protocol versions" in the third
- paragraph. This attribute is multi-valued with the intent of
- holding all supported versions, not just one.
-
-C.4.2 Section 4.1.8
-
- - Changed "when transferred in protocol" to "when transferred from
- the server to the client" in the first paragraph. This is to
- clarify that this behavior only happens when attributes are being
- sent from the server.
-
-C.4.3 Section 4.1.10
-
- - Changed "servers will return responses containing fields of type
- LDAPResult" to "servers will return responses of LDAPResult or
- responses containing the components of LDAPResponse". This
- statement was incorrect and at odds with the ASN.1. The fix here
- reflects the original intent.
- - Dropped '--new' from result codes ASN.1. This simplification in
- comments just reduces unneeded verbiage.
-
-C.4.4 Section 4.1.11
-
- - Changed "It contains a reference to another server (or set of
- servers)" to "It contains one or more references to one or more
- servers or services" in the first paragraph. This reflects the
- original intent and clarifies that the URL may point to non-LDAP
- services.
-
-C.4.5 Section 4.1.12
-
- - Changed "The server MUST be prepared" to "Implementations MUST be
- prepared" in the eighth paragraph to reflect that both client and
- server implementations must be able to handle this (as both parse
- controls).
-
-C.4.6 Section 4.4
-
- - Changed "One unsolicited notification is defined" to "One
- unsolicited notification (Notice of Disconnection) is defined" in
- the third paragraph. For clarity and readability.
+C.1.4 Section 4.1.1
-C.4.7 Section 4.5.1
-
+ - There was a mandatory requirement for the server to return a
+ Notice of Disconnection and drop the connection when a PDU is
+ malformed in a certain way. This has been clarified such that the
+ server SHOULD return the Notice of Disconnection, and MUST drop
+ the connection.
+
+
+C.1.5 Section 4.1.1.1
+
+ - Clarified that the messageID of requests MUST be non-zero.
+
-Sermersheim Internet-Draft - Expires Sep 2003 Page 48 \f
+Sermersheim Internet-Draft - Expires Jun 2004 Page 48 \f
Lightweight Directory Access Protocol Version 3
- - Changed "checking for the existence of the objectClass attribute"
- to "checking for the presence of the objectClass attribute" in the
- last paragraph. This was done as a measure of consistency (we use
- the terms present and presence rather than exists and existence in
- search filters).
+ - Clarified when it is and isn't appropriate to return an already
+ used message id. RFC 2251 accidentally imposed synchronous server
+ behavior in its wording of this.
-C.4.8 Section 4.5.3
-
- - Changed "outstanding search operations to different servers," to
- "outstanding search operations" in the fifth paragraph as they may
- be to the same server. This is a point of clarification.
-C.4.9 Section 4.6
-
- - Changed "clients MUST NOT attempt to delete" to "clients MUST NOT
- attempt to add or delete" in the second to last paragraph.
- - Change "using the "delete" form" to "using the "add" or "delete"
- form" in the second to last paragraph.
+C.1.6 Section 4.1.2
-C.4.10 Section 4.7
-
- - Changed "Clients MUST NOT supply the createTimestamp or
- creatorsName attributes, since these will be generated
- automatically by the server." to "Clients MUST NOT supply NO-USER-
- MODIFICATION attributes such as createTimestamp or creatorsName
- attributes, since these are provided by the server." in the
- definition of the attributes field. This tightens the language to
- reflect the original intent and to not leave a hole in which one
- could interpret the two attributes mentioned as the only non-
- writable attributes.
+ - Stated that LDAPOID is constrained to <numericoid> from [Models].
-C.4.11 Section 4.11
-
- - Changed "has been" to "will be" in the fourth paragraph. This
- clarifies that the server will (not has) abandon the operation.
-
-C.5 Changes made to draft-ietf-ldapbis-protocol-03.txt:
-
-C.5.1 Section 3.2.1
-
- - Changed "An attribute is a type with one or more associated
- values. The attribute type is identified by a short descriptive
- name and an OID (object identifier). The attribute type governs
- whether there can be more than one value of an attribute of that
- type in an entry, the syntax to which the values must conform, the
- kinds of matching which can be performed on values of that
- attribute, and other functions." to " An attribute is a
- description (a type and zero or more options) with one or more
- associated values. The attribute type governs whether the
- attribute can have multiple values, the syntax and matching rules
- used to construct and compare values of that attribute, and other
- functions. Options indicate modes of transfer and other
-
-
-Sermersheim Internet-Draft - Expires Sep 2003 Page 49 \f
- Lightweight Directory Access Protocol Version 3
-
- functions.". This points out that an attribute consists of both
- the type and options.
-
-C.5.2 Section 4
-
- - Changed "Section 5.1 specifies the encoding rules for the LDAP
- protocol" to "Section 5.1 specifies how the protocol is encoded
- and transferred."
-
-C.5.3 Section 4.1.2
-
- - Added ABNF for the textual representation of LDAPOID. Previously,
- there was no formal BNF for this construct.
-
-C.5.4 Section 4.1.4
-
- - Changed "This identifier may be written as decimal digits with
- components separated by periods, e.g. "2.5.4.10"" to "may be
- written as defined by ldapOID in section 4.1.2" in the second
- paragraph. This was done because we now have a formal BNF
- definition of an oid.
-
-C.5.5 Section 4.1.5
-
- - Changed the BNF for AttributeDescription to ABNF. This was done
- for readability and consistency (no functional changes involved).
- - Changed "Options present in an AttributeDescription are never
- mutually exclusive." to "Options MAY be mutually exclusive. An
- AttributeDescription with mutually exclusive options is treated as
- an undefined attribute type." for clarity. It is generally
- understood that this is the original intent, but the wording could
- be easily misinterpreted.
- - Changed "Any option could be associated with any AttributeType,
- although not all combinations may be supported by a server." to
- "Though any option or set of options could be associated with any
- AttributeType, the server support for certain combinations may be
- restricted by attribute type, syntaxes, or other factors.". This
- is to clarify the meaning of 'combination' (it applies both to
- combination of attribute type and options, and combination of
- options). It also gives examples of *why* they might be
- unsupported.
-
-C.5.6 Section 4.1.11
-
- - Changed the wording regarding 'equally capable' referrals to "If
- multiple URLs are present, the client assumes that any URL may be
- used to progress the operation.". The previous language implied
- that the server MUST enforce rules that it was practically
- incapable of. The new language highlights the original intent--
- that is, that any of the referrals may be used to progress the
- operation, there is no inherent 'weighting' mechanism.
-
-C.5.7 Section 4.5.1 and Appendix A
-
+C.1.7 Section 4.1.5.1
+
+ - Removed the Binary Option from the specification. There are
+ numerous interoperability problems associated with this method of
+ alternate attribute type encoding. Work to specify a suitable
+ replacement is ongoing.
+
+
+C.1.8 Section 4.1.6
+
+ - Removed references to the "binary" encoding as it has been removed
+ from the specification.
+
+
+C.1.9 Section 4.1.7
+
+ - Removed references to the "binary" encoding as it has been removed
+ from the specification.
+
+
+C.1.10 Section 4.1.8
+
+ - Combined the definitions of PartialAttribute and Attribute here,
+ and defined Attribute in terms of PartialAttribute.
+
+
+C.1.11 Section 4.1.10
+
+ - Renamed "errorMessage" to "diagnosticMessage" as it is allowed to
+ be sent for non-error results.
+ - Moved some language into Appendix A, and refer the reader there.
+ - Allowed matchedDN to be present for other result codes than those
+ listed in RFC 2251.
+
+
+C.1.12 Section 4.1.11
+
+ - Defined referrals in terms of URIs rather than URLs.
+ - Removed the requirement that all referral URIs MUST be equally
+ capable of progressing the operation. The statement was ambiguous
+ and provided no instructions on how to carry it out.
+ - Added the requirement that clients MUST NOT loop between servers.
+ - Clarified the instructions for using LDAPURLs in referrals, and in
+ doing so added a recommendation that the scope part be present.
-Sermersheim Internet-Draft - Expires Sep 2003 Page 50 \f
+Sermersheim Internet-Draft - Expires Jun 2004 Page 49 \f
Lightweight Directory Access Protocol Version 3
- - Added the comment "-- initial and final can occur at most once",
- to clarify this restriction.
-
-C.5.8 Section 5.1
-
- - Changed heading from "Mapping Onto BER-based Transport Services"
- to "Protocol Encoding".
-
-C.5.9 Section 5.2.1
-
- - Changed "The LDAPMessage PDUs" to "The encoded LDAPMessage PDUs"
- to point out that the PDUs are encoded before being streamed to
- TCP.
-
-C.6 Changes made to draft-ietf-ldapbis-protocol-04.txt:
-
-C.6.1 Section 4.5.1 and Appendix A
- - Changed the ASN.1 for the and and or choices of Filter to have a
- lower range of 1. This was an omission in the original ASN.1
-
-C.6.2 Various
-
- - Fixed various typo's
-C.7 Changes made to draft-ietf-ldapbis-protocol-05.txt:
-
-C.7.1 Section 3.2.1
+C.1.13 Section 4.1.12
- - Added "(as defined in Section 12.4.1 of [X.501])" to the fifth
- paragraph when talking about "operational attributes". This is
- because the term "operational attributes" is never defined.
- Alternately, we could drag a definition into the spec, for now,
- I'm just pointing to the reference in X.501.
-
-C.7.2 Section 4.1.5
-
- - Changed "And is also case insensitive" to "The entire
- AttributeDescription is case insensitive". This is to clarify
- whether we're talking about the entire attribute description, or
- just the options.
-
- - Expounded on the definition of attribute description options. This
- doc now specifies a difference between transfer and tagging
- options and describes the semantics of each, and how and when
- subtyping rules apply. Now allow options to be transmitted in any
- order but disallow any ordering semantics to be implied. These
- changes are the result of ongoing input from an engineering team
- designed to deal with ambiguity issues surrounding attribute
- options.
-
-C.7.3 Sections 4.1.5.1 and 4.1.6
-
-
+ - Specified how control values defined in terms of ASN.1 are to be
+ encoded.
+ - Added language regarding combinations of controls on a message.
+ - Changed "The server MUST be prepared" to "Implementations MUST be
+ prepared" in the eighth paragraph to reflect that both client and
+ server implementations must be able to handle this (as both parse
+ controls).
+
+
+C.1.14 Section 4.2
+
+ - Mandated that servers return protocolError when the version is not
+ supported.
+ - Clarified behavior when the simple authentication is used, the
+ name is empty and the password is non-empty.
+ - Required servers to not dereference aliases for bind. This was
+ added for consistency with other operations and to help ensure
+ data consistency
+ - Required that textual passwords be transferred as UTF-8 encoded
+ Unicode, and added recommendations on string preparation. This was
+ to help ensure interoperability of passwords being sent from
+ different clients.
+
+
+C.1.15 Section 4.2.1
+
+ - This section was largely reorganized for readability and language
+ was added to clarify the authentication state of failed and
+ abandoned bind operations.
+ - Removed: "If a SASL transfer encryption or integrity mechanism has
+ been negotiated, that mechanism does not support the changing of
+ credentials from one identity to another, then the client MUST
+ instead establish a new connection."
+ Each SASL negotiation is, generally, independent of other SASL
+ negotiations. If there were dependencies between multiple
+ negotiations of a particular mechanism, the mechanism technical
+ specification should detail how applications are to deal with
+ them. LDAP should not require any special handling. And if an LDAP
+ client had used such a mechanism, it would have the option of
+ using another mechanism.
+ - Dropped MUST imperative in paragraph 3 to align with [Keywords].
+
+
+C.1.16 Section 4.2.3
+
+ - Moved most error-related text to Appendix A, and added text
+ regarding certain errors used in conjunction with the bind
+ operation.
+ - Prohibited the server from specifying serverSaslCreds when not
+ appropriate.
-Sermersheim Internet-Draft - Expires Sep 2003 Page 51 \f
+Sermersheim Internet-Draft - Expires Jun 2004 Page 50 \f
Lightweight Directory Access Protocol Version 3
- - Refer to non "binary" transfer encodings as "native encoding"
- rather than "string" encoding to clarify and avoid confusion.
-C.8 Changes made to draft-ietf-ldapbis-protocol-06.txt:
-C.8.1 Title
-
- - Changed to "LDAP: The Protocol" to be consisted with other working
- group documents
-
-C.8.2 Abstract
-
- - Moved above TOC to conform to new guidelines
-
- - Reworded to make consistent with other WG documents.
-
- - Moved 2119 conventions to "Conventions" section
-
-C.8.3 Introduction
-
- - Created to conform to new guidelines
-
-C.8.4 Models
+C.1.17 Section 4.3
+
+ - Required both peers to cease transmission and close the connection
+ for the unbind operation.
- - Removed section. There is only one model in this document
- (Protocol Model)
-C.8.5 Protocol Model
+C.1.18 Section 4.4
+
+ - Added instructions for future specifications of Unsolicited
+ Notifications.
- - Removed antiquated paragraph: "In keeping with the goal of easing
- the costs associated with use of the directory, it is an objective
- of this protocol to minimize the complexity of clients so as to
- facilitate widespread deployment of applications capable of using
- the directory."
- - Removed antiquated paragraph concerning LDAP v1 and v2 and
- referrals.
+C.1.19 Section 4.5.1
+
+ - SearchRequest attributes is now defined as an AttributeSelection
+ type rather than AttributeDescriptionList.
+ - The Filter choices 'and' and 'or', and the SubstringFilter
+ substrings types are now defined with a lower bound of 1.
+ - The SubstringFilter substrings 'initial, 'any', and 'final' types
+ are now AssertionValue rather than LDAPString.
+ - Clarified the semantics of the derefAliases choices.
+ - Added instructions for equalityMatch, substrings, greaterOrEqual,
+ lessOrEqual, and approxMatch.
-C.8.6 Data Model
- - Removed Section 3.2 and subsections. These have been moved to
- [Models]
+C.1.20 Section 4.5.2
+
+ - Recommended that servers not use attribute short names when it
+ knows they are ambiguous or may cause interoperability problems.
+ - Removed all mention of ExtendedResponse due to lack of
+ implementation.
-C.8.7 Relationship to X.500
- - Removed section. It has been moved to [Roadmap]
+C.1.21 Section 4.5.3
+
+ - Made changes similar to those made to Section 4.1.11.
-C.8.8 Server Specific Data Requirements
- - Removed section. It has been moved to [Models]
+C.1.22 Section 4.5.3.1
+
+ - Fixed examples to adhere to changes made to Section 4.5.3.
-C.8.9 Elements of Protocol
+C.1.23 Section 4.6
+
+ - Removed restriction that required an equality match filter in
+ order to perform value delete modifications. It is sufficiently
+ documented that in absence of an equality matching rule, octet
+ equality is used.
+ - Replaced AttributeTypeAndValues with Attribute as they are
+ equivalent.
-Sermersheim Internet-Draft - Expires Sep 2003 Page 52 \f
- Lightweight Directory Access Protocol Version 3
-
- - Added "Section 5.1 specifies how the protocol is encoded and
- transferred." to the end of the first paragraph for reference.
-
- - Reworded notes about extensibility, and now talk about implied
- extensibility and the use of ellipses in the ASN.1
-
- - Removed references to LDAPv2 in third and fourth paragraphs.
-
-C.8.10 Message ID
-
- - Reworded second paragraph to "The message ID of a request MUST
- have a non-zero value different from the values of any other
- requests outstanding in the LDAP session of which this message is
- a part. The zero value is reserved for the unsolicited
- notification message." (Added notes about non-zero and the zero
- value).
-
-C.8.11 String Types
-
- - Removed ABNF for LDAPOID and added "Although an LDAPOID is encoded
- as an OCTET STRING, values are limited to the definition of
- numericoid given in Section 1.3 of [Models]."
-
-C.8.12 Distinguished Name and Relative Distinguished Name
-
- - Removed ABNF and referred to [Models] and [LDAPDN] where this is
- defined.
-
-C.8.13 Attribute Type
-
- - Removed sections. It's now in the [Models] doc.
-
-C.8.14 Attribute Description
-
- - Removed ABNF and aligned section with [Models]
-
- - Moved AttributeDescriptionList here.
-
-C.8.15 Transfer Options
-
- - Added section and consumed much of old options language (while
- aligning with [Models]
-
-C.8.16 Binary Transfer Option
-
- - Clarified intent regarding exactly what is to be BER encoded.
-
- - Clarified that clients must not expect ;binary when not asking for
- it (;binary, as opposed to ber encoded data).
-
-
-C.8.17 Attribute
-
- - Use the term "attribute description" in lieu of "type"
-
-Sermersheim Internet-Draft - Expires Sep 2003 Page 53 \f
+Sermersheim Internet-Draft - Expires Jun 2004 Page 51 \f
Lightweight Directory Access Protocol Version 3
+ - Clarified what type of modification changes might temporarily
+ violate schema.
- - Clarified the fact that clients cannot rely on any apparent
- ordering of attribute values.
-
-C.8.18 LDAPResult
-
- - To resultCode, added ellipses "..." to the enumeration to indicate
- extensibility. and added a note, pointing to [LDAPIANA]
-
- - Removed error groupings ad refer to Appendix A.
-
-C.8.19 Bind Operation
-
- - Added "Prior to the BindRequest, the implied identity is
- anonymous. Refer to [AuthMeth] for the authentication-related
- semantics of this operation." to the first paragraph.
-
- - Added ellipses "..." to AuthenticationChoice and added a note
- "This type is extensible as defined in Section 3.6 of [LDAPIANA].
- Servers that do not support a choice supplied by a client will
- return authMethodNotSupported in the result code of the
- BindResponse."
-
- - Simplified text regarding how the server handles unknown versions.
- Removed references to LDAPv2
-
-C.8.20 Sequencing of the Bind Request
-
- - Aligned with [AuthMeth] In particular, paragraphs 4 and 6 were
- removed, while a portion of 4 was retained (see C.8.9)
-
-C.8.21 Authentication and other Security Service
-
- - Section was removed. Now in [AuthMeth]
-
-C.8.22 Continuation References in the Search Result
-
- - Added "If the originating search scope was singleLevel, the scope
- part of the URL will be baseObject."
-
-C.8.23 Security Considerations
-
- - Removed reference to LDAPv2
-C.8.24 Result Codes
-
- - Added as normative appendix A
-
-C.8.25 ASN.1
-
- - Added EXTENSIBILITY IMPLIED
-
- - Added a number of comments holding referenced to [Models] and
- [ISO10646].
-
-Sermersheim Internet-Draft - Expires Sep 2003 Page 54 \f
- Lightweight Directory Access Protocol Version 3
-
-
- - Removed AttributeType. It is not used.
-
-
-C.9 Changes made to draft-ietf-ldapbis-protocol-07.txt:
-
- - Removed all mention of transfer encodings and the binary attribute
- option
-
- - Further alignment with [Models].
-
- - Added extensibility ellipsis to protocol op choice
-
- - In 4.1.1, clarified when connections may be dropped due to
- malformed PDUs
-
- - Specified which matching rules and syntaxes are used for various
- filter items
+C.1.24 Section 4.9
-C.10 Changes made to draft-ietf-ldapbis-protocol-08.txt:
-
-C.10.1 Section 4.1.1.1:
-
- - Clarified when it is and isn't appropriate to return an already
- used message id.
-
-C.10.2 Section 4.1.11:
-
- - Clarified that a control only applies to the message it's attached
- to.
-
- - Explained that the criticality field is only applicable to certain
- request messages.
-
- - Added language regarding the combination of controls.
+ - Required servers to not dereference aliases for modify DN. This
+ was added for consistency with other operations and to help ensure
+ data consistency.
+ - Allow modify DN to fail when moving between naming contexts.
-C.10.3 Section 4.11:
-
- - Explained that Abandon and Unbind cannot be abandoned, and
- illustrated how to determine whether an operation has been
- abandoned.
+C.1.25 Section 4.10
-C.11 Changes made to draft-ietf-ldapbis-protocol-09.txt:
+ - Clarified the semantics of Compare when the attribute is not
+ present and when it is unknown.
+ - Required servers to not dereference aliases for compare. This was
+ added for consistency with other operations and to help ensure
+ data consistency.
- - Fixed formatting
+C.1.26 Section 4.11
-C.12 Changes made to draft-ietf-ldapbis-protocol-10.txt:
-
-C.12.1 Section 4.1.4:
+ - Explained that since abandon returns no response, clients hould
+ not use it if they need to know the outcome.
+ - Specified that Abandon and Unbind cannot be abandoned.
- - Removed second paragraph as this language exists in MODELS
-
-Sermersheim Internet-Draft - Expires Sep 2003 Page 55 \f
- Lightweight Directory Access Protocol Version 3
-
-C.12.2 Section 4.2.1:
-
- - Replaced fourth paragraph. It was accidentally removed in an
- earlier edit.
+C.1.27 Section 4.12
-C.12.2 Section 4.13:
-
- - Added section describing the StartTLS operation (moved from
- authmeth)
+ - Specified how values of extended operations defined in terms of
+ ASN.1 are to be encoded.
+ - Added instructions on what extended operation specifications
+ consist of.
+ - Added a recommendation that servers advertise supported extended
+ operations.
-C.13 Changes made to draft-ietf-ldapbis-protocol-11.txt:
-
-C.13.1 Section 4.1.9
- - Changed "errorMessage" to "diagnosticMessage". Simply to indicate
- that the field may be non-empty even if a non-error resultCode is
- present.
+C.1.28 Section 5.2
-C.13.2 Section 4.2:
-
- - Reconciled language in "name" definition with [AuthMeth]
-
-C.13.3 Section 4.2.1
-
- - Renamed to "Processing of the Bind Request", and moved some text
- from 4.2 into this section.
-
- - Rearranged paragraphs to flow better.
-
- - Specified that (as well as failed) an abandoned bind operation
- will leave the connection in an anonymous state.
-
-C.13.4 Section 4.5.3
-
- - Generalized the second paragraph which cited indexing and
- searchreferralreferences.
+ - Moved referral-specific instructions into referral-related
+ sections.
-C.14 Changes made to draft-ietf-ldapbis-protocol-12.txt:
-
- - Reworked bind errors.
- - General clarifications and edits
-
-Appendix D - Outstanding Work Items
-D.0 General
- - Integrate notational consistency agreements WG will discuss
- notation consistency. Once agreement happens, reconcile draft.
-
- - Reconcile problems with [Models]. Section 3.2 was wholly removed.
- There were some protocol semantics in that section that need to be
- brought back. Specifically, there was the notion of the server
- implicitly adding objectclass superclasses when a value is added.
-
-D.1 Make result code usage consistent.
+C.1.29 Section 7
+
+ - Reworded notes regarding SASL not protecting certain aspects of
+ the LDAP bind PDU.
+ - Noted that Servers are encouraged to prevent directory
+ modifications by clients that have authenticated anonymously
+ [AuthMeth].
+ - Added a note regarding the scenario where an identity is changed
+ (deleted, privileges or credentials modified, etc.).
+
-Sermersheim Internet-Draft - Expires Sep 2003 Page 56 \f
+Sermersheim Internet-Draft - Expires Jun 2004 Page 52 \f
Lightweight Directory Access Protocol Version 3
+ - Warned against following referrals that may have been injected in
+ the data stream.
+ - Added a note regarding malformed and long encodings.
- - While there is a result code appendix, ensure it speaks of result
- codes in a general sense, and only highlight specific result codes
- in the context of an operation when that operation ties more
- specific meanings to that result code.
-
-
-D.2 Verify references.
-
- - Many referenced documents have changed. Ensure references and
- section numbers are correct.
-
-D.3 Usage of Naming Context
- - Make sure occurrences of "namingcontext" and "naming context" are
- consistent with [Models]. Use in section 6.2 should be reworked.
- It's layers of indirection that matter, not number of contexts.
- (That is, referrals can be returned for a number of reasons (cross
- reference, superior, subordinate, busy, not master, etc.)
-
- Other uses are fine.
+C.1.30 Appendix A
-D.4 Review 2119 usage
-
-
-D.5 Reconcile with I-D Nits
-
+ - Added "EXTESIBILITY IMPLIED" to ASN.1 definition.
+ - Removed AttributeType. It is not used.
-D.23 Section 4.5.3
-
- - A server MUST NOT return any SearchResultReference if it has not
- located the baseObject and thus has not searched any entries; in
- this case it would return a SearchResultDone containing a referral
- resultCode.
-
- - Add "Similarly, a server MUST NOT return a SearchResultReference
- when the scope of the search is baseObject. If a client receives
- such a SearchResultReference it MUST interpret is as a protocol
- error and MUST NOT follow it." to the first paragraph.
- The technical specification doesn't have to describe how a
- protocol peer should react when its partner violates an absolute.
- OR return noSuchObject.
+C.2 Changes made to made to RFC 2830:
- - Add "If the scope part of the LDAP URL is present, the client MUST
- use the new scope in its next request to progress the search. If
- the scope part is absent the client MUST use subtree scope to
- complete subtree searches and base scope to complete one level
- searches." to the third paragraph.
+ This section summarizes the substantive changes made to Sections of
+ RFC 2830. Readers should consult [AuthMeth] for summaries of changes
+ to other sections.
-D.25 Section 4.6
-
-
-Sermersheim Internet-Draft - Expires Sep 2003 Page 57 \f
- Lightweight Directory Access Protocol Version 3
-
- - Resolve the meaning of "and is ignored if the attribute does not
- exist". See "modify: "non-existent attribute"" on the list. Not
- sure if there's really an issue here. Will look at archive
-
-D.27 Section 4.10
-
- - Specify what happens when the attr is missing vs. attr isn't in
- schema. Also what happens if there's no equality matching rule.
- noSuchAttribute, undefinedAttributeType, inappropriateMatching
-
-D.30 Section 5.1
-
- - Add "control and extended operation values" to last paragraph. See
- "LBER (BER Restrictions)" on list.
-
-D.32 Section 6.1
-
- - Add "that are used by those attributes" to the first paragraph.
- - Add "Servers which support update operations MUST, and other
- servers SHOULD, support strong authentication mechanisms described
- in [RFC2829]." as a second paragraph. Likely should just say
- Requirements of authentication methods, SASL mechanisms, and TLS
- are described in [AUTHMETH]." (also apply to next two below)
- - Add "Servers which provide access to sensitive information MUST,
- and other servers SHOULD support privacy protections such as those
- described in [RFC2829] and [RFC2830]." as a third paragraph.
+C.2.1 Section 2.3
+
+ - Removed wording indicating that referrals can be returned from
+ StartTLS
-D.33 Section 7
- - Add "Servers which support update operations MUST, and other
- servers SHOULD, support strong authentication mechanisms described
- in [RFC2829]." as a fourth paragraph.
- - Add "In order to automatically follow referrals, clients may need
- to hold authentication secrets. This poses significant privacy and
- security concerns and SHOULD be avoided." as a sixth paragraph.
- There are concerns with "automatic" chasing regardless of which,
- if any, authentication method/mechanism is used.
+C.2.1 Section 4.13.3.1
- - Add notes regarding DoS attack found by CERT advisories.
+ - Reworded most of this section and added the requirement that after
+ the TLS connection has been closed, the server MUST NOT send
+ responses to any request message received before the TLS closure.
-D.34 Appendix C
- - C.9. Explain why we removed ;binary, and what clients can do to
- get around potential problems (likely refer to an I-D)
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-Sermersheim Internet-Draft - Expires Sep 2003 Page 58 \f
+Sermersheim Internet-Draft - Expires Jun 2004 Page 53 \f
Lightweight Directory Access Protocol Version 3
- Full Copyright Statement
+Intellectual Property Rights
+
+ The IETF takes no position regarding the validity or scope of any
+ intellectual property or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; neither does it represent that it
+ has made any effort to identify any such rights. Information on the
+ IETF's procedures with respect to rights in standards-track and
+ standards-related documentation can be found in BCP-11. Copies of
+ claims of rights made available for publication and any assurances of
+ licenses to be made available, or the result of an attempt made to
+ obtain a general license or permission for the use of such
+ proprietary rights by implementors or users of this specification can
+ be obtained from the IETF Secretariat.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights which may cover technology that may be required to practice
+ this standard. Please address the information to the IETF Executive
+ Director.
+
+
+Full Copyright Statement
- Copyright (C) The Internet Society (2002). All Rights Reserved.
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Sermersheim Internet-Draft - Expires Sep 2003 Page 59 \f
\ No newline at end of file
+Sermersheim Internet-Draft - Expires Jun 2004 Page 54 \f
+
INTERNET-DRAFT Editor: Kurt D. Zeilenga
Intended Category: Standard Track OpenLDAP Foundation
-Expires in six months 1 March 2003
+Expires in six months 30 June 2003
Obsoletes: RFC 2251-2256, 2829-2830, 3377
LDAP: Technical Specification Road Map
- <draft-ietf-ldapbis-roadmap-02.txt>
+ <draft-ietf-ldapbis-roadmap-03.txt>
Status of this Memo
Internet-Draft Shadow Directories can be accessed at
<http://www.ietf.org/shadow.html>.
- Copyright 2003, The Internet Society. All Rights Reserved.
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
- Please see the Copyright section near the end of this document for
- more information.
+ Please see the Full Copyright section near the end of this document
+ for more information.
Abstract
Zeilenga LDAP: TS Road Map [Page 1]
\f
-INTERNET-DRAFT draft-ietf-ldapbis-roadmap-02 1 March 2003
+INTERNET-DRAFT draft-ietf-ldapbis-roadmap-03 30 June 2003
Conventions
LDAP: String Representation of Distinguished Names [LDAPDN],
LDAP: String Representation of Search Filters [Filters],
LDAP: Uniform Resource Locator [LDAPURL],
- LDAP: Syntaxes [Syntaxes], and
+ LDAP: Syntaxes and Matching Rules [Syntaxes],
+ LDAP: Internationalized String Preparation [LDAPprep], and
LDAP: User Schema [Schema].
The terms "LDAP" and "LDAPv3" are commonly used to informally refer to
this document but may be defined in some future document(s).
IANA (Internet Assigned Numbers Authority) considerations for LDAP
- described in BCP 64 [RFC3383] apply fully to this revision of the LDAP
- technical specification.
+ described in BCP 64 [BCP64bis] apply fully to this revision of the
+ LDAP technical specification.
2. Relationship to X.500
This technical specification defines LDAP in terms of [X.500] as an
X.500 access mechanism. An LDAP server MUST act in accordance with
- X.500(1993) series of International Telephone Union (ITU)
- Recommendations when providing the service. However, it is not
- required that an LDAP server make use of any X.500 protocols in
- providing this service, e.g. LDAP can be mapped onto any other
- directory system so long as the X.500 data and service models
+ X.500(1993) series of International Telecommunication Union - Telecom
+ Standardization (ITU-T) Recommendations when providing the service.
+ However, it is not required that an LDAP server make use of any X.500
+ protocols in providing this service, e.g. LDAP can be mapped onto any
+ other directory system so long as the X.500 data and service models
[X.501][X.511] as used in LDAP is not violated in the LDAP interface.
-
Zeilenga LDAP: TS Road Map [Page 2]
\f
-INTERNET-DRAFT draft-ietf-ldapbis-roadmap-02 1 March 2003
+INTERNET-DRAFT draft-ietf-ldapbis-roadmap-03 30 June 2003
This technical specification explicitly incorporates portions of
[Models] replaces portions of RFC 2251, RFC 2252 and RFC 2256.
[Protocol] replaces the majority RFC 2251 and portions of RFC 2252.
[AuthMeth] replaces RFC 2829, RFC 2830, and portions of RFC 2251.
- [Syntax] replaces the majority of RFC 2252 and portions of RFC 2256.
+ [Syntaxes] replaces the majority of RFC 2252 and portions of RFC 2256.
[Schema] replaces the majority of RFC 2256. [LDAPDN] replaces RFC
2253. [Filters] replaces RFC 2254. [LDAPURL] replaces RFC 2255.
+ [LDAPprep] is new to this revision of the LDAP technical
+ specification.
+
Each document of this specification contains appendices summarizing
changes to all sections of the specifications they replace. Appendix
A.1 of this document details changes made to RFC 3377. Appendix A.2
E-mail: <kurt@openldap.org>
-7. References
-
-
Zeilenga LDAP: TS Road Map [Page 3]
\f
-INTERNET-DRAFT draft-ietf-ldapbis-roadmap-02 1 March 2003
+INTERNET-DRAFT draft-ietf-ldapbis-roadmap-03 30 June 2003
+
+7. References
7.1. Normative References
- [RFC2119] S. Bradner, "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14 (also RFC 2119), March 1997.
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14 (also RFC 2119), March 1997.
- [RFC3383] K. Zeilenga, "IANA Considerations for LDAP", BCP 64 (also
- RFC 3383), September 2002.
+ [BCP64bis] Zeilenga, K., "IANA Considerations for LDAP", draft-
+ ietf-ldapbis-bcp64-xx.txt, a work in progress.
- [Models] K. Zeilenga (editor), "LDAP: Directory Information Models",
- draft-ietf-ldapbis-models-xx.txt, a work in progress.
+ [Models] Zeilenga, K. (editor), "LDAP: Directory Information
+ Models", draft-ietf-ldapbis-models-xx.txt, a work in
+ progress.
- [Protocol] J. Sermersheim (editor), "LDAP: The Protocol",
- draft-ietf-ldapbis-protocol-xx.txt, a work in progress.
+ [Protocol] Sermersheim, J. (editor), "LDAP: The Protocol",
+ draft-ietf-ldapbis-protocol-xx.txt, a work in progress.
- [AuthMeth] R. Harrison (editor), "LDAP: Authentication Methods and
- Connection Level Security Mechanisms",
- draft-ietf-ldapbis-authmeth-xx.txt, a work in progress.
+ [AuthMeth] Harrison, R. (editor), "LDAP: Authentication Methods and
+ Connection Level Security Mechanisms",
+ draft-ietf-ldapbis-authmeth-xx.txt, a work in progress.
- [LDAPDN] K. Zeilenga (editor), "LDAP: String Representation of
- Distinguished Names", draft-ietf-ldapbis-dn-xx.txt, a work
- in progress.
+ [LDAPDN] Zeilenga, K. (editor), "LDAP: String Representation of
+ Distinguished Names", draft-ietf-ldapbis-dn-xx.txt, a
+ work in progress.
- [Filters] M. Smith (editor), LDAPbis WG, "LDAP: String Representation
- of Search Filters", draft-ietf-ldapbis-filter-xx.txt, a
- work in progress.
+ [Filters] Smith, M. (editor), LDAPbis WG, "LDAP: String
+ Representation of Search Filters",
+ draft-ietf-ldapbis-filter-xx.txt, a work in progress.
- [LDAPURL] M. Smith (editor), "LDAP: Uniform Resource Locator",
- draft-ietf-ldapbis-url-xx.txt, a work in progress.
+ [LDAPURL] Smith, M. (editor), "LDAP: Uniform Resource Locator",
+ draft-ietf-ldapbis-url-xx.txt, a work in progress.
- [Syntaxes] S. Legg (editor), "LDAP: Syntaxes",
- draft-ietf-ldapbis-syntaxes-xx.txt, a work in progress.
+ [Syntaxes] Legg, S. (editor), "LDAP: Syntaxes and Matching Rules",
+ draft-ietf-ldapbis-syntaxes-xx.txt, a work in progress.
- [Schema] K. Dally (editor), "LDAP: User Schema",
- draft-ietf-ldapbis-user-schema-xx.txt, a work in progress.
+ [LDAPprep] Zeilenga, K., "LDAP: Internationalized String
+ Preparation", draft-ietf-ldapbis-strpro-xx.txt, a work
+ in progress.
- [X.500] ITU-T Rec. X.500, "The Directory: Overview of Concepts,
- Models and Service", 1993.
+ [Schema] Dally, K. (editor), "LDAP: User Schema",
+ draft-ietf-ldapbis-user-schema-xx.txt, a work in
+ progress.
- [X.501] ITU-T Rec. X.501, "The Directory: Models", 1993.
+ [X.500] International Telecommunication Union -
+ Telecommunication Standardization Sector, "The Directory
+ -- Overview of concepts, models and services,"
+ X.500(1993) (also ISO/IEC 9594-1:1994).
- [X.511] ITU-T Rec. X.511, "The Directory: Abstract Service
- Definition", 1993.
-7.2. Informative References
- None.
+Zeilenga LDAP: TS Road Map [Page 4]
+\f
+INTERNET-DRAFT draft-ietf-ldapbis-roadmap-03 30 June 2003
+ [X.501] International Telecommunication Union -
+ Telecommunication Standardization Sector, "The Directory
+ -- Models," X.501(1993) (also ISO/IEC 9594-2:1994).
+ [X.511] International Telecommunication Union -
+ Telecommunication Standardization Sector, "The
+ Directory: Abstract Service Definition", X.511(1993).
-Zeilenga LDAP: TS Road Map [Page 4]
-\f
-INTERNET-DRAFT draft-ietf-ldapbis-roadmap-02 1 March 2003
+
+7.2. Informative References
+
+ None.
Appendix A. Changes to Previous Documents
- This appendix outlines changes this document makes relative
- to the documents it replaces (in whole or in part).
+ This appendix outlines changes this document makes relative to the
+ documents it replaces (in whole or in part).
Appendix A.1. Changes to RFC 3377
- This document is nearly a complete rewrite of RFC 3377 as
- much of the material of RFC 3377 is no longer applicable.
- These changes include defining the terms "LDAP" and
- "LDAPv3" to refer to this revision of the technical
- specification.
+ This document is nearly a complete rewrite of RFC 3377 as much of the
+ material of RFC 3377 is no longer applicable. The changes include
+ redefining the terms "LDAP" and "LDAPv3" to refer to this revision of
+ the technical specification.
Appendix A.2. Changes to Section 3.3 of RFC 2251
- The section was modified slightly (the word "document" was
- replaced with "technical specification") to clarify that it
- applies to the entire LDAP technical specification.
+ The section was modified slightly (the word "document" was replaced
+ with "technical specification") to clarify that it applies to the
+ entire LDAP technical specification.
+
-Copyright 2003, The Internet Society. All Rights Reserved.
+Intellectual Property Rights
+
+ The IETF takes no position regarding the validity or scope of any
+ intellectual property or other rights that might be claimed to pertain
+ to the implementation or use of the technology described in this
+ document or the extent to which any license under such rights might or
+ might not be available; neither does it represent that it has made any
+ effort to identify any such rights. Information on the IETF's
+ procedures with respect to rights in standards-track and
+ standards-related documentation can be found in BCP-11. Copies of
+ claims of rights made available for publication and any assurances of
+ licenses to be made available, or the result of an attempt made to
+
+
+
+Zeilenga LDAP: TS Road Map [Page 5]
+\f
+INTERNET-DRAFT draft-ietf-ldapbis-roadmap-03 30 June 2003
+
+
+ obtain a general license or permission for the use of such proprietary
+ rights by implementors or users of this specification can be obtained
+ from the IETF Secretariat.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights which may cover technology that may be required to practice
+ this standard. Please address the information to the IETF Executive
+ Director.
+
+
+
+Full Copyright
+
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published and
+ or assist in its implmentation may be prepared, copied, published and
distributed, in whole or in part, without restriction of any kind,
provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
copyrights defined in the Internet Standards process must be followed,
or as required to translate it into languages other than English.
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
- This document and the information contained herein is provided on an
- "AS IS" basis and THE AUTHORS, THE INTERNET SOCIETY, AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-Zeilenga LDAP: TS Road Map [Page 5]
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Zeilenga LDAP: TS Road Map [Page 6]
\f
Internet-Draft Kurt D. Zeilenga
Intended Category: Standard Track OpenLDAP Foundation
-Expires in six months 26 May 2003
+Expires in six months 27 October 2003
LDAP: Internationalized String Preparation
- <draft-ietf-ldapbis-strprep-00.txt>
+ <draft-ietf-ldapbis-strprep-02.txt>
Status of this Memo
Abstract
The previous Lightweight Directory Access Protocol (LDAP) technical
- specifications did not precisely define how string matching is to be
- performed. This lead to a number of usability and interoperability
- problems. This document defines string preparation algorithms for
- matching rules defined for use in LDAP.
+ specifications did not precisely define how character string matching
+ is to be performed. This lead to a number of usability and
+ interoperability problems. This document defines string preparation
+ algorithms for character-based matching rules defined for use in LDAP.
Zeilenga LDAPprep [Page 1]
\f
-Internet-Draft draft-ietf-ldapbis-strprep-00 26 May 2003
+Internet-Draft draft-ietf-ldapbis-strprep-02 27 October 2003
Conventions
Zeilenga LDAPprep [Page 2]
\f
-Internet-Draft draft-ietf-ldapbis-strprep-00 26 May 2003
+Internet-Draft draft-ietf-ldapbis-strprep-02 27 October 2003
The caseIgnoreMatch matching rule [X.520], for example, is simply
(Zs) property as a space, and another implementation may view any
character with the whitespace (WS) category as a space.
- The lack of precise specification for string matching has led to
- significant interoperability problems. When used in certificate chain
- validation, security vulnerabilities can arise. To address these
- problems, this document defines precise algorithms for preparing
- strings for matching.
+ The lack of precise specification for character string matching has
+ led to significant interoperability problems. When used in
+ certificate chain validation, security vulnerabilities can arise. To
+ address these problems, this document defines precise algorithms for
+ preparing character strings for matching.
1.3. Relationship to "stringprep"
- The string preparation algorithms described in this document are based
- upon the "stringprep" approach [RFC3454]. In "stringprep", presented
- and stored values are first prepared for comparison and so that a
- character-by-character comparison yields the "correct" result.
+ The character string preparation algorithms described in this document
+ are based upon the "stringprep" approach [StringPrep]. In
+ "stringprep", presented and stored values are first prepared for
+ comparison and so that a character-by-character comparison yields the
+ "correct" result.
- The approach used here is a refinement of the "stringprep" [RFC3454]
- approach. Each algorithm involves two additional preparation steps.
+ The approach used here is a refinement of the "stringprep"
+ [StringPrep] approach. Each algorithm involves two additional
+ preparation steps.
a) prior to applying the Unicode string preparation steps outlined in
"stringprep", the string is transcoded to Unicode;
"stringprep", characters insignificant to the matching rules are
removed.
- Hence, preparation of strings for X.500 matching involves the
- following steps:
+ Hence, preparation of character strings for X.500 matching involves
+ the following steps:
1) Transcode
2) Map
3) Normalize
4) Prohibit
5) Check Bidi (Bidirectional)
- 6) Insignificant Character Removal
-
Zeilenga LDAPprep [Page 3]
\f
-Internet-Draft draft-ietf-ldapbis-strprep-00 26 May 2003
+Internet-Draft draft-ietf-ldapbis-strprep-02 27 October 2003
+ 6) Insignificant Character Removal
+
These steps are described in Section 2.
[Roadmap] which obsoletes the previously defined LDAP technical
specification [RFC3377] in its entirety.
- This document details new LDAP internationalized string preparation
- algorithms used by [Syntaxes] and possible other technical
+ This document details new LDAP internationalized character string
+ preparation algorithms used by [Syntaxes] and possible other technical
specifications defining LDAP syntaxes and/or matching rules.
LDAP is defined [Roadmap] in X.500 terms as an X.500 access mechanism.
As such, there is a strong desire for alignment between LDAP and X.500
- syntax and semantics. The string preparation algorithms described in
- this document are based upon "Internationalized String Matching Rules
- for X.500" [XMATCH] proposal to ITU/ISO Joint Study Group 2.
+ syntax and semantics. The character string preparation algorithms
+ described in this document are based upon "Internationalized String
+ Matching Rules for X.500" [XMATCH] proposal to ITU/ISO Joint Study
+ Group 2.
2. String Preparation
The following six-step process SHALL be applied to each presented and
- attribute value in preparation for string match rule evaluation.
+ attribute value in preparation for character string matching rule
+ evaluation.
1) Transcode
2) Map
5) Check bidi
6) Insignificant Character Removal
- Failure in any step is be cause the assertion to be Undefined.
+ Failure in any step causes the assertion to evaluate to Undefined.
+
+ This process is intended to act upon non-empty character strings. If
+ the string to prepare is empty, this process is not applied and the
+ assertion is evaluated to Undefined.
The character repertoire of this process is Unicode 3.2 [Unicode].
+
+
+
+Zeilenga LDAPprep [Page 4]
+\f
+Internet-Draft draft-ietf-ldapbis-strprep-02 27 October 2003
+
+
2.1. Transcode
Each non-Unicode string value is transcoded to Unicode.
PrintableString [X.680] value are transcoded directly to Unicode.
-
-
-Zeilenga LDAPprep [Page 4]
-\f
-Internet-Draft draft-ietf-ldapbis-strprep-00 26 May 2003
-
-
UniversalString, UTF8String, and bmpString [X.680] values need not be
transcoded as they are Unicode-based strings (in the case of
bmpString, a subset of Unicode).
- If the implementation is unable or unwilling to perform the
- transcoding as described above, or the transcoding fails, this step
- fails and the assertion is evaluated to Undefined.
-
- The transcoded string is the output string.
+ The output is the transcoded string.
2.2. Map
Zp) are mapped to SPACE (U+0020).
For case ignore, numeric, and stored prefix string matching rules,
- characters are case folded per B.2 of [RFC3454].
+ characters are case folded per B.2 of [StringPrep].
+
+ The output is the mapped string.
2.3. Normalize
The input string is be normalized to Unicode Form KC (compatibility
- composed) as described in [UAX15].
+ composed) as described in [UAX15]. The output is the normalized
+ string.
-2.4. Prohibit
- All Unassigned, Private Use, and non-character code points are
- prohibited. Surrogate codes (U+D800-DFFFF) are prohibited.
- The REPLACEMENT CHARACTER (U+FFFD) code point is prohibited.
- The first code point of a string is prohibited from being a combining
+Zeilenga LDAPprep [Page 5]
+\f
+Internet-Draft draft-ietf-ldapbis-strprep-02 27 October 2003
+2.4. Prohibit
-Zeilenga LDAPprep [Page 5]
-\f
-Internet-Draft draft-ietf-ldapbis-strprep-00 26 May 2003
+ All Unassigned code points are prohibited. Unassigned code points are
+ listed in Table A.1 of [StringPrep].
+ Private Use (U+E000-F8FF, F0000-FFFFD, 100000-10FFFD) code points are
+ prohibited.
- character.
+ All non-character code points (U+FDD0-FDEF, FFFE-FFFF, 1FFFE-1FFFF,
+ 2FFFE-2FFFF, 3FFFE-3FFFF, 4FFFE-4FFFF, 5FFFE-5FFFF, 6FFFE-6FFFF,
+ 7FFFE-7FFFF, 8FFFE-8FFFF, 9FFFE-9FFFF, AFFFE-AFFFF, BFFFE-BFFFF,
+ CFFFE-CFFFF, DFFFE-DFFFF, EFFFE-EFFFF, FFFFE-FFFFF, 10FFFE-10FFFF) are
+ prohibited.
- Empty strings are prohibited.
+ Surrogate codes (U+D800-DFFFF) are prohibited.
- The step fails and the assertion is evaluated to Undefined if the
- input string contains any prohibited code point. The output string is
- the input string.
+ The REPLACEMENT CHARACTER (U+FFFD) code point is prohibited.
+
+ The first code point of a string is prohibited from being a combining
+ character.
+
+ The step fails if the input string contains any prohibited code point.
+ The output is the input string.
2.5. Check bidi
- There are no bidirectional restrictions. The output string is the
- input string.
+ There are no bidirectional restrictions. The output is the input
+ string.
2.5. Insignificant Character Removal
removed. The characters to be removed differ from matching rule to
matching rule.
- Section 2.6.1 applies to case ignore and exact string matching.
- Section 2.6.2 applies to numericString matching.
- Section 2.6.3 applies to telephoneNumber matching
+ Section 2.5.1 applies to case ignore and exact string matching.
+ Section 2.5.2 applies to numericString matching.
+ Section 2.5.3 applies to telephoneNumber matching
-2.6.1. Insignificant Space Removal
+2.5.1. Insignificant Space Removal
For the purposes of this section, a space is defined to be the SPACE
(U+0020) code point followed by no combining marks.
NOTE - The previous steps ensure that the string cannot contain any
+
+
+
+Zeilenga LDAPprep [Page 6]
+\f
+Internet-Draft draft-ietf-ldapbis-strprep-02 27 October 2003
+
+
code points in the separator class, other than SPACE (U+0020).
- The following spaces are regarded as not significant and are to be
- removed:
+ If the input string consists entirely of spaces or is empty, the
+ output is a string consisting of exactly one space (e.g. " ").
+
+ Otherwise, the following spaces are removed:
- leading spaces (i.e. those preceding the first character that is
not a space);
- trailing spaces (i.e. those following the last character that is
- multiple consecutive spaces (these are taken as equivalent to a
single space character).
- A string consisting entirely of spaces is equivalent to a string
- containing exactly one space.
-
For example, removal of spaces from the Form KC string:
"<SPACE><SPACE>foo<SPACE><SPACE>bar<SPACE><SPACE>"
-
-
-
-Zeilenga LDAPprep [Page 6]
-\f
-Internet-Draft draft-ietf-ldapbis-strprep-00 26 May 2003
-
-
would result in the output string:
"foo<SPACE>bar"
and the Form KC string:
"<SPACE>".
-2.6.2. numericString Insignificant Character Removal
+2.5.2. numericString Insignificant Character Removal
For the purposes of this section, a space is defined to be the SPACE
(U+0020) code point followed by no combining marks.
- All spaces are regarded as not significant and are to be removed.
+ All spaces are regarded as not significant. If the input string
+ consists entirely of spaces or is empty, the output is a string
+ consisting of exactly one space (e.g. " "). Otherwise, all spaces are
+ to be removed.
For example, removal of spaces from the Form KC string:
- "<SPACE><SPACE>123<SPACE><SPACE>456<SPACE><SPACE>" would result in
- the output string:
+ "<SPACE><SPACE>123<SPACE><SPACE>456<SPACE><SPACE>"
+ would result in the output string:
"123456"
and the Form KC string:
"<SPACE><SPACE><SPACE>"
- would result in an empty output string.
+ would result in the output string:
+ "<SPACE>".
-2.6.3. telephoneNumber Insignificant Character Removal
+2.5.3. telephoneNumber Insignificant Character Removal
For the purposes of this section, a hyphen is defined to be
HYPHEN-MINUS (U+002D), ARMENIAN HYPHEN (U+058A), HYPHEN (U+2010),
NON-BREAKING HYPHEN (U+2011), MINUS SIGN (U+2212), SMALL HYPHEN-MINUS
+
+
+
+Zeilenga LDAPprep [Page 7]
+\f
+Internet-Draft draft-ietf-ldapbis-strprep-02 27 October 2003
+
+
(U+FE63), or FULLWIDTH HYPHEN-MINUS (U+FF0D) code point followed by no
combining marks and a space is defined to be the SPACE (U+0020) code
point followed by no combining marks.
- All hyphens and spaces are regarded as not significant and are to be
+ All hyphens and spaces are considered insignificant. If the string
+ contains only spaces and hyphens or is empty, then the output is a
+ string consisting of one space. Otherwise, all hyphens and spaces are
removed.
+ For example, removal of hyphens and spaces from the Form KC string:
+ "<SPACE><HYPHEN>123<SPACE><SPACE>456<SPACE><HYPHEN>"
+ would result in the output string:
+ "123456"
+ and the Form KC string:
+ "<HYPHEN><HYPHEN><HYPHEN>"
+ would result in the output string:
+ "<SPACE>".
+
3. Security Considerations
- "Preparation for International Strings ('stringprep')" [RFC3454]
+ "Preparation for International Strings ('stringprep')" [StringPrep]
security considerations generally apply to the algorithms described
here.
Appendix A and B of this document were authored by Howard Chu
<hyc@symas.com> of Symas Corporation (based upon information provided
-
-
-
-Zeilenga LDAPprep [Page 7]
-\f
-Internet-Draft draft-ietf-ldapbis-strprep-00 26 May 2003
-
-
in RFC 1345).
The approach used in this document is based upon design principles and
algorithms described in "Preparation of Internationalized Strings
- ('stringprep')" [RFC3454] by Paul Hoffman and Marc Blanchet. Some
+ ('stringprep')" [StringPrep] by Paul Hoffman and Marc Blanchet. Some
additional guidance was drawn from Unicode Technical Standards,
Technical Reports, and Notes.
+ This document is a product of the IETF LDAP Revision (LDAPBIS) Working
+ Group.
+
6. Author's Address
Kurt Zeilenga
+
+
+
+Zeilenga LDAPprep [Page 8]
+\f
+Internet-Draft draft-ietf-ldapbis-strprep-02 27 October 2003
+
+
E-mail: <kurt@openldap.org>
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14 (also RFC 2119), March 1997.
- [RFC3454] Hoffman, P. and M. Blanchet, "Preparation of
- Internationalized Strings ('stringprep')", RFC 3454,
- December 2002.
-
[Roadmap] Zeilenga, K. (editor), "LDAP: Technical Specification
Road Map", draft-ietf-ldapbis-roadmap-xx.txt, a work in
progress.
+ [StringPrep] Hoffman P. and M. Blanchet, "Preparation of
+ Internationalized Strings ('stringprep')",
+ draft-hoffman-rfc3454bis-xx.txt, a work in progress.
+
[Syntaxes] Legg, S. (editor), "LDAP: Syntaxes and Matching Rules",
draft-ietf-ldapbis-syntaxes-xx.txt, a work in progress.
"Unicode Standard Annex #28: Unicode 3.2"
(http://www.unicode.org/reports/tr28/).
-
-
-Zeilenga LDAPprep [Page 8]
-\f
-Internet-Draft draft-ietf-ldapbis-strprep-00 26 May 2003
-
-
[UAX15] Davis, M. and M. Duerst, "Unicode Standard Annex #15:
Unicode Normalization Forms, Version 3.2.0".
<http://www.unicode.org/unicode/reports/tr15/tr15-22.html>,
Character Sets for the International Teletex Service",
T.61, 1988.
+
+
+
+Zeilenga LDAPprep [Page 9]
+\f
+Internet-Draft draft-ietf-ldapbis-strprep-02 27 October 2003
+
+
7.2. Informative References
[X.500] International Telecommunication Union -
2000.
[XMATCH] Zeilenga, K., "Internationalized String Matching Rules
- for X.500", draft-zeilenga-ldapbis-strmatch-xx.txt a
+ for X.500", draft-zeilenga-ldapbis-strmatch-xx.txt, a
work in progress.
[RFC1345] Simonsen, K., "Character Mnemonics & Character Sets",
Appendix A. Teletex (T.61) to Unicode
-
-
-
-Zeilenga LDAPprep [Page 9]
-\f
-Internet-Draft draft-ietf-ldapbis-strprep-00 26 May 2003
-
-
This appendix defines an algorithm for transcoding [T.61] characters
to [Unicode] characters for use in string preparation for LDAP
- matching rules. This appendix is a normative.
+ matching rules. This appendix is normative.
The transcoding algorithm is derived from the T.61-8bit definition
provided in [RFC1345]. With a few exceptions, the T.61 character
The codes from x80 to x9f are also equivalent to the corresponding
Unicode code points. This is specified for completeness only, as
+
+
+
+Zeilenga LDAPprep [Page 10]
+\f
+Internet-Draft draft-ietf-ldapbis-strprep-02 27 October 2003
+
+
these codes are control characters, and will be mapped to nothing in
the LDAP String Preparation Mapping step.
Undefined matching result. For diagnostic purposes, this algorithm
does not fail for undefined input codes. Instead, undefined codes in
the input are mapped to the Unicode REPLACEMENT CHARACTER (U+FFFD).
- As the LDAP String Preparation Probhibit step disallows the
- REPLACEMENT CHARACTER from appearing in its output, this transcoding
- yields the desired effect.
+ As the LDAP String Preparation Prohibit step disallows the REPLACEMENT
+ CHARACTER from appearing in its output, this transcoding yields the
+ desired effect.
Note: RFC 1345 listed the non-spacing accent codepoints as residing in
the range starting at (U+E000). In the current Unicode
e8| 0141 | 00d8 | 0152 | 00ba | 00de | 0166 | 014a | 0149 |
f0| 0138 | 00e6 | 0111 | 00f0 | 0127 | 0131 | 0133 | 0140 |
f8| 0142 | 00f8 | 0153 | 00df | 00fe | 0167 | 014b | ?? |
-
-
-
-Zeilenga LDAPprep [Page 10]
-\f
-Internet-Draft draft-ietf-ldapbis-strprep-00 26 May 2003
-
-
--+------+------+------+------+------+------+------+------+
Table A.1: Mapping of 8-bit T.61 codes to Unicode
Appendix B. Additional Teletex (T.61) to Unicode Tables
+
+
+Zeilenga LDAPprep [Page 11]
+\f
+Internet-Draft draft-ietf-ldapbis-strprep-02 27 October 2003
+
+
All of the accented characters in T.61 have a corresponding code point
in Unicode. For the sake of completeness, the combined character
codes are presented in the following tables. This is informational
only; for matching purposes it is sufficient to map the non-spacing
accent and exchange the order of the character pair as specified in
- Appendix A.
+ Appendix A. This appendix is informative.
B.1. Combinations with SPACE
40| ?? | 00c0 | ?? | ?? | ?? | 00c8 | ?? | ?? |
48| ?? | 00cc | ?? | ?? | ?? | ?? | 01f8 | 00d2 |
50| ?? | ?? | ?? | ?? | ?? | 00d9 | ?? | 1e80 |
-
-
-
-Zeilenga LDAPprep [Page 11]
-\f
-Internet-Draft draft-ietf-ldapbis-strprep-00 26 May 2003
-
-
58| ?? | 1ef2 | ?? | ?? | ?? | ?? | ?? | ?? |
60| ?? | 00e0 | ?? | ?? | ?? | 00e8 | ?? | ?? |
68| ?? | 00ec | ?? | ?? | ?? | ?? | 01f9 | 00f2 |
C, L, N, R, S, and Z. Unicode also defines G, K, M, P, and W. All of
these combinations are present in Table B.3.
+
+
+
+Zeilenga LDAPprep [Page 12]
+\f
+Internet-Draft draft-ietf-ldapbis-strprep-02 27 October 2003
+
+
| 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 |
--+------+------+------+------+------+------+------+------+
40| ?? | 00c1 | ?? | 0106 | ?? | 00c9 | ?? | 01f4 |
Table B.4: Mapping of T.61 Circumflex Accent Combinations
-
-
-Zeilenga LDAPprep [Page 12]
-\f
-Internet-Draft draft-ietf-ldapbis-strprep-00 26 May 2003
-
-
B.5. Combinations for xc4: (Tilde)
T.61 has predefined characters for combinations with A, I, O, U, and
58| ?? | 1ef8 | ?? | ?? | ?? | ?? | ?? | ?? |
60| ?? | 00e3 | ?? | ?? | ?? | 1ebd | ?? | ?? |
68| ?? | 0129 | ?? | ?? | ?? | ?? | 00f1 | 00f5 |
+
+
+
+Zeilenga LDAPprep [Page 13]
+\f
+Internet-Draft draft-ietf-ldapbis-strprep-02 27 October 2003
+
+
70| ?? | ?? | ?? | ?? | ?? | 0169 | 1e7d | ?? |
78| ?? | 1ef9 | ?? | ?? | ?? | ?? | ?? | ?? |
--+------+------+------+------+------+------+------+------+
Unicode also defines E, I, and O. All of these combinations are
present in Table B.7.
-
-
-
-Zeilenga LDAPprep [Page 13]
-\f
-Internet-Draft draft-ietf-ldapbis-strprep-00 26 May 2003
-
-
| 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 |
--+------+------+------+------+------+------+------+------+
40| ?? | 0102 | ?? | ?? | ?? | 0114 | ?? | 011e |
Table B.7: Mapping of T.61 Breve Accent Combinations
+
+
+
+Zeilenga LDAPprep [Page 14]
+\f
+Internet-Draft draft-ietf-ldapbis-strprep-02 27 October 2003
+
+
B.8. Combinations for xc7: (Dot Above)
T.61 has predefined characters for C, E, G, I, and Z. Unicode also
58| 1e8c | 0178 | ?? | ?? | ?? | ?? | ?? | ?? |
60| ?? | 00e4 | ?? | ?? | ?? | 00eb | ?? | ?? |
68| 1e27 | 00ef | ?? | ?? | ?? | ?? | ?? | 00f6 |
-
-
-
-Zeilenga LDAPprep [Page 14]
-\f
-Internet-Draft draft-ietf-ldapbis-strprep-00 26 May 2003
-
-
70| ?? | ?? | ?? | ?? | 1e97 | 00fc | ?? | 1e85 |
78| 1e8d | 00ff | ?? | ?? | ?? | ?? | ?? | ?? |
--+------+------+------+------+------+------+------+------+
| 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 |
--+------+------+------+------+------+------+------+------+
40| ?? | 00c5 | ?? | ?? | ?? | ?? | ?? | ?? |
+
+
+
+Zeilenga LDAPprep [Page 15]
+\f
+Internet-Draft draft-ietf-ldapbis-strprep-02 27 October 2003
+
+
48| ?? | ?? | ?? | ?? | ?? | ?? | ?? | ?? |
50| ?? | ?? | ?? | ?? | ?? | 016e | ?? | ?? |
58| ?? | ?? | ?? | ?? | ?? | ?? | ?? | ?? |
B.12. Combinations for xcd: (Double Acute Accent)
T.61 has predefined characters for O, and U. These combinations are
-
-
-
-Zeilenga LDAPprep [Page 15]
-\f
-Internet-Draft draft-ietf-ldapbis-strprep-00 26 May 2003
-
-
present in Table B.12.
| 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 |
B.13. Combinations for xce: (Ogonek)
+
+
+
+Zeilenga LDAPprep [Page 16]
+\f
+Internet-Draft draft-ietf-ldapbis-strprep-02 27 October 2003
+
+
T.61 has predefined characters for A, E, I, and U. Unicode also
defines the combination for O. All of these combinations are present
in Table B.13.
68| 021f | 01d0 | 01f0 | 01e9 | 013e | ?? | 0148 | 01d2 |
70| ?? | ?? | 0159 | 0161 | 0165 | 01d4 | ?? | ?? |
78| ?? | ?? | 017e | ?? | ?? | ?? | ?? | ?? |
-
-
-
-Zeilenga LDAPprep [Page 16]
-\f
-Internet-Draft draft-ietf-ldapbis-strprep-00 26 May 2003
-
-
--+------+------+------+------+------+------+------+------+
Table B.14: Mapping of T.61 Caron Accent Combinations
-
Intellectual Property Rights
The IETF takes no position regarding the validity or scope of any
might not be available; neither does it represent that it has made any
effort to identify any such rights. Information on the IETF's
procedures with respect to rights in standards-track and
+
+
+
+Zeilenga LDAPprep [Page 17]
+\f
+Internet-Draft draft-ietf-ldapbis-strprep-02 27 October 2003
+
+
standards-related documentation can be found in BCP-11. Copies of
claims of rights made available for publication and any assurances of
licenses to be made available, or the result of an attempt made to
-Zeilenga LDAPprep [Page 17]
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Zeilenga LDAPprep [Page 18]
\f
INTERNET-DRAFT S. Legg, Editor
-draft-ietf-ldapbis-syntaxes-05.txt Adacel Technologies
-Intended Category: Standard Track K. Dally
+draft-ietf-ldapbis-syntaxes-07.txt Adacel Technologies
+Intended Category: Standards Track K. Dally
Obsoletes: RFC 2252, RFC 2256 The MITRE Corp.
- 27 February 2003
+ 27 October 2003
LDAP: Syntaxes and Matching Rules
send editorial comments directly to the editor
<steven.legg@adacel.com.au>.
- This Internet-Draft expires on 27 August 2003.
+ This Internet-Draft expires on 27 April 2004.
Abstract
-Legg & Dally Expires 27 August 2003 [Page 1]
+Legg & Dally Expires 27 April 2004 [Page 1]
\f
-INTERNET-DRAFT LDAP: Syntaxes and Matching Rules February 27, 2003
+INTERNET-DRAFT LDAP: Syntaxes and Matching Rules October 27, 2003
protocol, has a defined syntax which constrains the structure and
-Legg & Dally Expires 27 August 2003 [Page 2]
+Legg & Dally Expires 27 April 2004 [Page 2]
\f
-INTERNET-DRAFT LDAP: Syntaxes and Matching Rules February 27, 2003
-
-
-1. Table of Contents
-
- 1. Table of Contents ............................................. 3
- 2. Introduction .................................................. 4
- 3. Conventions ................................................... 5
- 4. Syntaxes ...................................................... 5
- 4.1 General Considerations .................................... 5
- 4.2 Common Definitions ........................................ 6
- 4.3 Syntax Definitions ........................................ 7
- 4.3.1 Attribute Type Description ........................... 7
- 4.3.2 Bit String ........................................... 7
- 4.3.3 Boolean .............................................. 8
- 4.3.4 Country String ....................................... 8
- 4.3.5 Delivery Method ...................................... 9
- 4.3.6 Directory String ..................................... 9
- 4.3.7 DIT Content Rule Description ......................... 10
- 4.3.8 DIT Structure Rule Description ....................... 11
- 4.3.9 DN ................................................... 11
- 4.3.10 Enhanced Guide ...................................... 12
- 4.3.11 Facsimile Telephone Number .......................... 13
- 4.3.12 Fax ................................................. 13
- 4.3.13 Generalized Time .................................... 14
- 4.3.14 Guide ............................................... 15
- 4.3.15 IA5 String .......................................... 15
- 4.3.16 Integer ............................................. 16
- 4.3.17 JPEG ................................................ 16
- 4.3.18 LDAP Syntax Description ............................. 16
- 4.3.19 Matching Rule Description ........................... 17
- 4.3.20 Matching Rule Use Description ....................... 17
- 4.3.21 Name and Optional UID ............................... 18
- 4.3.22 Name Form Description ............................... 18
- 4.3.23 Numeric String ...................................... 19
- 4.3.24 Object Class Description ............................ 19
- 4.3.25 Octet String ........................................ 20
- 4.3.26 OID ................................................. 20
- 4.3.27 Other Mailbox ....................................... 21
- 4.3.28 Postal Address ...................................... 21
- 4.3.29 Printable String .................................... 22
- 4.3.30 Substring Assertion ................................. 23
- 4.3.31 Telephone Number .................................... 23
- 4.3.32 Teletex Terminal Identifier ......................... 24
- 4.3.33 Telex Number ........................................ 25
- 4.3.34 UTC Time ............................................ 25
- 5. Matching Rules ................................................ 26
- 5.1 General Considerations .................................... 26
- 5.2 Matching Rule Definitions ................................. 28
- 5.2.1 bitStringMatch ....................................... 28
- 5.2.2 caseExactIA5Match .................................... 28
-
-
-
-Legg & Dally Expires 27 August 2003 [Page 3]
+INTERNET-DRAFT LDAP: Syntaxes and Matching Rules October 27, 2003
+
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
+ 2. Conventions. . . . . . . . . . . . . . . . . . . . . . . . . . 5
+ 3. Syntaxes . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
+ 3.1. General Considerations . . . . . . . . . . . . . . . . . 6
+ 3.2. Common Definitions . . . . . . . . . . . . . . . . . . . 6
+ 3.3. Syntax Definitions . . . . . . . . . . . . . . . . . . . 7
+ 3.3.1. Attribute Type Description . . . . . . . . . . . 7
+ 3.3.2. Bit String . . . . . . . . . . . . . . . . . . . 7
+ 3.3.3. Boolean. . . . . . . . . . . . . . . . . . . . . 8
+ 3.3.4. Country String . . . . . . . . . . . . . . . . . 8
+ 3.3.5. Delivery Method. . . . . . . . . . . . . . . . . 9
+ 3.3.6. Directory String . . . . . . . . . . . . . . . . 9
+ 3.3.7. DIT Content Rule Description . . . . . . . . . . 10
+ 3.3.8. DIT Structure Rule Description . . . . . . . . . 11
+ 3.3.9. DN . . . . . . . . . . . . . . . . . . . . . . . 11
+ 3.3.10. Enhanced Guide . . . . . . . . . . . . . . . . . 12
+ 3.3.11. Facsimile Telephone Number . . . . . . . . . . . 13
+ 3.3.12. Fax. . . . . . . . . . . . . . . . . . . . . . . 13
+ 3.3.13. Generalized Time . . . . . . . . . . . . . . . . 14
+ 3.3.14. Guide. . . . . . . . . . . . . . . . . . . . . . 15
+ 3.3.15. IA5 String . . . . . . . . . . . . . . . . . . . 15
+ 3.3.16. Integer. . . . . . . . . . . . . . . . . . . . . 15
+ 3.3.17. JPEG . . . . . . . . . . . . . . . . . . . . . . 16
+ 3.3.18. LDAP Syntax Description. . . . . . . . . . . . . 16
+ 3.3.19. Matching Rule Description. . . . . . . . . . . . 17
+ 3.3.20. Matching Rule Use Description. . . . . . . . . . 17
+ 3.3.21. Name and Optional UID. . . . . . . . . . . . . . 18
+ 3.3.22. Name Form Description. . . . . . . . . . . . . . 18
+ 3.3.23. Numeric String . . . . . . . . . . . . . . . . . 19
+ 3.3.24. Object Class Description . . . . . . . . . . . . 19
+ 3.3.25. Octet String . . . . . . . . . . . . . . . . . . 19
+ 3.3.26. OID. . . . . . . . . . . . . . . . . . . . . . . 20
+ 3.3.27. Other Mailbox. . . . . . . . . . . . . . . . . . 20
+ 3.3.28. Postal Address . . . . . . . . . . . . . . . . . 21
+ 3.3.29. Printable String . . . . . . . . . . . . . . . . 22
+ 3.3.30. Substring Assertion. . . . . . . . . . . . . . . 22
+ 3.3.31. Telephone Number . . . . . . . . . . . . . . . . 23
+ 3.3.32. Teletex Terminal Identifier. . . . . . . . . . . 24
+ 3.3.33. Telex Number . . . . . . . . . . . . . . . . . . 24
+ 3.3.34. UTC Time . . . . . . . . . . . . . . . . . . . . 25
+ 4. Matching Rules . . . . . . . . . . . . . . . . . . . . . . . . 25
+ 4.1. General Considerations . . . . . . . . . . . . . . . . . 26
+ 4.2. Matching Rule Definitions. . . . . . . . . . . . . . . . 27
+ 4.2.1. bitStringMatch . . . . . . . . . . . . . . . . . 27
+ 4.2.2. caseExactIA5Match. . . . . . . . . . . . . . . . 28
+ 4.2.3. caseIgnoreIA5Match . . . . . . . . . . . . . . . 28
+
+
+
+Legg & Dally Expires 27 April 2004 [Page 3]
\f
-INTERNET-DRAFT LDAP: Syntaxes and Matching Rules February 27, 2003
-
-
- 5.2.3 caseIgnoreIA5Match ................................... 29
- 5.2.4 caseIgnoreIA5SubstringsMatch ......................... 29
- 5.2.5 caseIgnoreListMatch .................................. 29
- 5.2.6 caseIgnoreListSubstringsMatch ........................ 30
- 5.2.7 caseIgnoreMatch ...................................... 31
- 5.2.8 caseIgnoreOrderingMatch .............................. 31
- 5.2.9 caseIgnoreSubstringsMatch ............................ 32
- 5.2.10 distinguishedNameMatch .............................. 32
- 5.2.11 generalizedTimeMatch ................................ 33
- 5.2.12 generalizedTimeOrderingMatch ........................ 33
- 5.2.13 integerFirstComponentMatch .......................... 34
- 5.2.14 integerMatch ........................................ 34
- 5.2.15 numericStringMatch .................................. 34
- 5.2.16 numericStringSubstringsMatch ........................ 35
- 5.2.17 objectIdentifierFirstComponentMatch ................. 35
- 5.2.18 objectIdentifierMatch ............................... 36
- 5.2.19 octetStringMatch .................................... 36
- 5.2.20 telephoneNumberMatch ................................ 37
- 5.2.21 telephoneNumberSubstringsMatch ...................... 37
- 5.2.22 uniqueMemberMatch ................................... 38
- 6. Security Considerations ....................................... 38
- 7. Acknowledgements .............................................. 39
- 8. IANA Considerations ........................................... 39
- 9. Normative References .......................................... 40
- 10. Informative References ....................................... 42
- 11. Authors' Addresses ........................................... 42
- 12. Copyright Notice ............................................. 43
- Appendix A. Summary of Syntax Object Identifiers ................. 43
- Appendix B. Changes from RFC 2252 & RFC 2256 ..................... 44
-
-
-2. Introduction
+INTERNET-DRAFT LDAP: Syntaxes and Matching Rules October 27, 2003
+
+
+ 4.2.4. caseIgnoreIA5SubstringsMatch . . . . . . . . . . 29
+ 4.2.5. caseIgnoreListMatch. . . . . . . . . . . . . . . 29
+ 4.2.6. caseIgnoreListSubstringsMatch. . . . . . . . . . 30
+ 4.2.7. caseIgnoreMatch. . . . . . . . . . . . . . . . . 31
+ 4.2.8. caseIgnoreOrderingMatch. . . . . . . . . . . . . 31
+ 4.2.9. caseIgnoreSubstringsMatch. . . . . . . . . . . . 32
+ 4.2.10. distinguishedNameMatch . . . . . . . . . . . . . 32
+ 4.2.11. generalizedTimeMatch . . . . . . . . . . . . . . 33
+ 4.2.12. generalizedTimeOrderingMatch . . . . . . . . . . 33
+ 4.2.13. integerFirstComponentMatch . . . . . . . . . . . 34
+ 4.2.14. integerMatch . . . . . . . . . . . . . . . . . . 34
+ 4.2.15. numericStringMatch . . . . . . . . . . . . . . . 35
+ 4.2.16. numericStringSubstringsMatch . . . . . . . . . . 35
+ 4.2.17. objectIdentifierFirstComponentMatch. . . . . . . 36
+ 4.2.18. objectIdentifierMatch. . . . . . . . . . . . . . 36
+ 4.2.19. octetStringMatch . . . . . . . . . . . . . . . . 37
+ 4.2.20. telephoneNumberMatch . . . . . . . . . . . . . . 37
+ 4.2.21. telephoneNumberSubstringsMatch . . . . . . . . . 38
+ 4.2.22. uniqueMemberMatch. . . . . . . . . . . . . . . . 38
+ 5. Security Considerations. . . . . . . . . . . . . . . . . . . . 39
+ 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 39
+ 7. IANA Considerations. . . . . . . . . . . . . . . . . . . . . . 39
+ 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 41
+ 8.1. Normative References . . . . . . . . . . . . . . . . . . 41
+ 8.2. Informative References . . . . . . . . . . . . . . . . . 42
+ 9. Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 43
+ 10. Intellectual Property Notice . . . . . . . . . . . . . . . . . 44
+ Appendix A. Summary of Syntax Object Identifiers . . . . . . . . . 44
+ Appendix B. Changes from RFC 2252 & RFC 2256 . . . . . . . . . . . 45
+ Full Copyright Statement . . . . . . . . . . . . . . . . . . . . . 47
+
+1. Introduction
Each attribute stored in a Lightweight Directory Access Protocol
(LDAP) directory [ROADMAP], and whose values may be transfered in the
- LDAP protocol [PROT], has a defined syntax (i.e. data type) which
+ LDAP protocol [PROT], has a defined syntax (i.e., data type) which
constrains the structure and format of its values. The comparison
semantics for values of a syntax are not part of the syntax
definition but are instead provided through separately defined
Readers are advised to familiarize themselves with the Directory
Information Models [MODELS] before reading the rest of this document.
- Section 4 provides definitions for the base set of LDAP syntaxes.
- Section 5 provides definitions for the base set of matching rules for
+ Section 3 provides definitions for the base set of LDAP syntaxes.
+ Section 4 provides definitions for the base set of matching rules for
-Legg & Dally Expires 27 August 2003 [Page 4]
+Legg & Dally Expires 27 April 2004 [Page 4]
\f
-INTERNET-DRAFT LDAP: Syntaxes and Matching Rules February 27, 2003
+INTERNET-DRAFT LDAP: Syntaxes and Matching Rules October 27, 2003
LDAP.
Sections 4, 5 and 7 of RFC 2252 [RFC2252] are obsoleted by [MODELS].
The remainder of RFC 2252 is obsoleted by this document. Sections 6
- and 8 of RFC 2256 are obsoleted by this document. The changes from
- RFC 2252 and RFC 2256 [RFC2256] are described in Appendix B of this
- document.
+ and 8 of RFC 2256 [RFC2256] are obsoleted by this document. The
+ remainder of RFC 2256 is obsoleted by [SCHEMA] and [MODELS].
+ A number of schema elements which were included in the previous
+ revision of the LDAP technical specification are not included in this
+ revision of LDAP. Public Key Infrastructure schema elements are now
+ specified in [LDAP-PKI]. Unless reintroduced in future technical
+ specifications, the remainder are to be considered Historic.
-3. Conventions
+ The changes from RFC 2252 and RFC 2256 are described in Appendix B of
+ this document.
+
+2. Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in RFC 2119 [KEYWORD].
+ document are to be interpreted as described in BCP 14, RFC 2119
+ [KEYWORD].
Syntax definitions are written according to the <SyntaxDescription>
ABNF [ABNF] rule specified in [MODELS], and matching rule definitions
specified in [MODELS], except that the syntax and matching rule
definitions provided in this document are line-wrapped for
readability. When such definitions are transfered as attribute
- values in the LDAP protocol (e.g. as values of the ldapSyntaxes and
+ values in the LDAP protocol (e.g., as values of the ldapSyntaxes and
matchingRules attributes [MODELS] respectively) then those values
would not contain line breaks.
-
-4. Syntaxes
+3. Syntaxes
Syntax definitions constrain the structure of attribute values stored
in an LDAP directory, and determine the representation of attribute
Syntaxes that are required for directory operation, or that are in
common use, are specified in this section. Servers SHOULD recognize
- all the syntaxes listed in this document, but are NOT REQUIRED to
+ all the syntaxes listed in this document, but are not required to
otherwise support them, and MAY recognise or support other syntaxes.
However, the definition of additional arbitrary syntaxes is
- discouraged since it will hinder interoperability. Client and server
- implementations typically do not have the ability to dynamically
- recognize new syntaxes.
-
-4.1 General Considerations
+Legg & Dally Expires 27 April 2004 [Page 5]
+\f
+INTERNET-DRAFT LDAP: Syntaxes and Matching Rules October 27, 2003
-Legg & Dally Expires 27 August 2003 [Page 5]
-\f
-INTERNET-DRAFT LDAP: Syntaxes and Matching Rules February 27, 2003
+ discouraged since it will hinder interoperability. Client and server
+ implementations typically do not have the ability to dynamically
+ recognize new syntaxes.
+3.1. General Considerations
The description of each syntax specifies how attribute or assertion
values conforming to the syntax are to be represented when transfered
in the LDAP protocol [PROT]. This representation is referred to as
the LDAP-specific encoding to distinguish it from other methods of
- encoding attribute values (e.g. the BER encoding [BER] used by X.500
- [X.500] directories).
+ encoding attribute values (e.g., the Basic Encoding Rules (BER)
+ encoding [BER] used by X.500 [X.500] directories).
The LDAP-specific encoding of a given attribute syntax always
produces octet-aligned values. To the greatest extent possible,
that can be displayed with little or no translation by clients
implementing LDAP. However, clients MUST NOT assume that the
LDAP-specific encoding of a value of an unrecognized syntax is a
- human-readable character string. There are a few cases (e.g. the
+ human-readable character string. There are a few cases (e.g., the
JPEG syntax) when it is not reasonable to produce a human-readable
representation.
the attribute to be up to 64 characters long, although it may allow
longer character strings. Note that a single character of the
Directory String syntax can be encoded in more than one octet since
- UTF-8 [UTF-8] is a variable-length encoding. Therefore a 64
- character string may be more than 64 octets in length.
-
+ UTF-8 [UTF8] is a variable-length encoding. Therefore a 64 character
+ string may be more than 64 octets in length.
-4.2 Common Definitions
+3.2. Common Definitions
The following ABNF rules are used in a number of the syntax
- definitions in Section 4.3.
-
- PrintableCharacter = ALPHA / DIGIT / SQUOTE / LPAREN / RPAREN /
- PLUS / COMMA / HYPHEN / DOT / EQUALS /
- SLASH / COLON / QUESTION / SPACE
- PrintableString = 1*PrintableCharacter
+ definitions in Section 3.3.
-Legg & Dally Expires 27 August 2003 [Page 6]
+Legg & Dally Expires 27 April 2004 [Page 6]
\f
-INTERNET-DRAFT LDAP: Syntaxes and Matching Rules February 27, 2003
+INTERNET-DRAFT LDAP: Syntaxes and Matching Rules October 27, 2003
+ PrintableCharacter = ALPHA / DIGIT / SQUOTE / LPAREN / RPAREN /
+ PLUS / COMMA / HYPHEN / DOT / EQUALS /
+ SLASH / COLON / QUESTION / SPACE
+ PrintableString = 1*PrintableCharacter
IA5String = *(%x00-7F)
HEX-DIGIT = DIGIT / "A" / "B" / "C" / "D" / "E" / "F"
; N.B. allows upper and lower case
<COMMA>, <HYPHEN>, <DOT>, <EQUALS> and <SPACE> rules are defined in
[MODELS].
+3.3. Syntax Definitions
-4.3 Syntax Definitions
-
-4.3.1 Attribute Type Description
+3.3.1. Attribute Type Description
A value of the Attribute Type Description syntax is the definition of
an attribute type. The LDAP-specific encoding of a value of this
This syntax corresponds to the AttributeTypeDescription ASN.1 type
from [X.501].
-
-4.3.2 Bit String
+3.3.2. Bit String
A value of the Bit String syntax is a sequence of binary digits. The
LDAP-specific encoding of a value of this syntax is defined by the
following ABNF:
BitString = SQUOTE *binary-digit SQUOTE "B"
- binary-digit = "0" / "1"
-
-Legg & Dally Expires 27 August 2003 [Page 7]
+Legg & Dally Expires 27 April 2004 [Page 7]
\f
-INTERNET-DRAFT LDAP: Syntaxes and Matching Rules February 27, 2003
+INTERNET-DRAFT LDAP: Syntaxes and Matching Rules October 27, 2003
+
+ binary-digit = "0" / "1"
The <SQUOTE> rule is defined in [MODELS].
This syntax corresponds to the BIT STRING ASN.1 type from [ASN.1].
-
-4.3.3 Boolean
+3.3.3. Boolean
A value of the Boolean syntax is one of the Boolean values, true or
false. The LDAP-specific encoding of a value of this syntax is
This syntax corresponds to the BOOLEAN ASN.1 type from [ASN.1].
-
-4.3.4 Country String
+3.3.4. Country String
A value of the Country String syntax is one of the two-character
codes from ISO 3166 [ISO3166] for representing a country. The
CountryString = 2(PrintableCharacter)
- The <PrintableCharacter> rule is defined in Section 4.2.
+ The <PrintableCharacter> rule is defined in Section 3.2.
Examples:
US
-Legg & Dally Expires 27 August 2003 [Page 8]
+Legg & Dally Expires 27 April 2004 [Page 8]
\f
-INTERNET-DRAFT LDAP: Syntaxes and Matching Rules February 27, 2003
-
+INTERNET-DRAFT LDAP: Syntaxes and Matching Rules October 27, 2003
- PrintableString (SIZE (2)) -- IS 3166 codes only
+ PrintableString (SIZE (2)) -- ISO 3166 codes only
-4.3.5 Delivery Method
+3.3.5. Delivery Method
A value of the Delivery Method syntax is a sequence of items that
indicate, in preference order, the service(s) by which an entity is
videotex-delivery (8),
telephone-delivery (9) }
-
-4.3.6 Directory String
+3.3.6. Directory String
A value of the Directory String syntax is a string of one or more
arbitrary characters from the Universal Character Set (UCS) [UCS]. A
zero length character string is not permitted. The LDAP-specific
- encoding of a value of this syntax is the UTF-8 encoding [UTF-8] of
+ encoding of a value of this syntax is the UTF-8 encoding [UTF8] of
the character string. Such encodings conform to the following ABNF:
DirectoryString = 1*UTF8
+ The <UTF8> rule is defined in [MODELS].
+
-Legg & Dally Expires 27 August 2003 [Page 9]
+Legg & Dally Expires 27 April 2004 [Page 9]
\f
-INTERNET-DRAFT LDAP: Syntaxes and Matching Rules February 27, 2003
-
+INTERNET-DRAFT LDAP: Syntaxes and Matching Rules October 27, 2003
- The <UTF8> rule is defined in [MODELS].
Example:
This is a value of Directory String containing #!%#@.
and code points not presently assigned to any character.
Attribute type definitions using the Directory String syntax should
- not restrict the format of Directory String values, e.g. by requiring
- that the character string conforms to specific patterns described by
- ABNF. A new syntax should be defined in such cases.
+ not restrict the format of Directory String values, e.g., by
+ requiring that the character string conforms to specific patterns
+ described by ABNF. A new syntax should be defined in such cases.
The LDAP definition for the Directory String syntax is:
LDAP-specific encoding the characters must be converted from the
character encoding of the chosen alternative into the UTF-8 encoding.
-
-4.3.7 DIT Content Rule Description
+3.3.7. DIT Content Rule Description
A value of the DIT Content Rule Description syntax is the definition
- of a DIT content rule. The LDAP-specific encoding of a value of this
- syntax is defined by the <DITContentRuleDescription> rule in
- [MODELS].
+ of a DIT (Directory Information Tree) content rule. The
+ LDAP-specific encoding of a value of this syntax is defined by the
+ <DITContentRuleDescription> rule in [MODELS].
Example:
( 2.5.6.4 DESC 'content rule for organization'
NOT ( x121Address $ telexNumber ) )
+ Note: a line break has been added for readability - it is not part of
+ the value.
+
-Legg & Dally Expires 27 August 2003 [Page 10]
+Legg & Dally Expires 27 April 2004 [Page 10]
\f
-INTERNET-DRAFT LDAP: Syntaxes and Matching Rules February 27, 2003
-
+INTERNET-DRAFT LDAP: Syntaxes and Matching Rules October 27, 2003
- Note: a line break has been added for readability - it is not part of
- the value.
The LDAP definition for the DIT Content Rule Description syntax is:
This syntax corresponds to the DITContentRuleDescription ASN.1 type
from [X.501].
-
-4.3.8 DIT Structure Rule Description
+3.3.8. DIT Structure Rule Description
A value of the DIT Structure Rule Description syntax is the
definition of a DIT structure rule. The LDAP-specific encoding of a
This syntax corresponds to the DITStructureRuleDescription ASN.1 type
from [X.501].
+3.3.9. DN
-4.3.9 DN
-
- A value of the DN syntax is the (purported) distinguished name of an
- entry [MODELS]. The LDAP-specific encoding of a value of this syntax
- is defined by the <distinguishedName> rule in [LDAPDN].
+ A value of the DN syntax is the (purported) distinguished name (DN)
+ of an entry [MODELS]. The LDAP-specific encoding of a value of this
+ syntax is defined by the <distinguishedName> rule in [LDAPDN].
Examples (from [LDAPDN]):
UID=jsmith,DC=example,DC=net
( 1.3.6.1.4.1.1466.115.121.1.12 DESC 'DN' )
+ The DN syntax corresponds to the DistinguishedName ASN.1 type from
+ [X.501]. Note that a BER encoded distinguished name (as used by
+ X.500) re-encoded into the LDAP-specific encoding is not necessarily
+ reversible to the original BER encoding since the chosen string type
+
-Legg & Dally Expires 27 August 2003 [Page 11]
+Legg & Dally Expires 27 April 2004 [Page 11]
\f
-INTERNET-DRAFT LDAP: Syntaxes and Matching Rules February 27, 2003
+INTERNET-DRAFT LDAP: Syntaxes and Matching Rules October 27, 2003
- The DN syntax corresponds to the DistinguishedName ASN.1 type from
- [X.501]. Note that a BER encoded distinguished name (as used by
- X.500) re-encoded into the LDAP-specific encoding is not necessarily
- reversible to the original BER encoding since the chosen string type
in any DirectoryString components of the distinguished name is not
indicated in the LDAP-specific encoding of the distinguished name
- (see Section 4.3.6).
-
+ (see Section 3.3.6).
-4.3.10 Enhanced Guide
+3.3.10. Enhanced Guide
A value of the Enhanced Guide syntax suggests criteria, which consist
of combinations of attribute types and filter operators, to be used
Example:
+ person#(sn$EQ)#oneLevel
+
+ The Enhanced Guide syntax corresponds to the EnhancedGuide ASN.1 type
+ from [X.520]. The EnhancedGuide type references the Criteria ASN.1
+ type, also from [X.520]. The <true> rule above represents an empty
-Legg & Dally Expires 27 August 2003 [Page 12]
+Legg & Dally Expires 27 April 2004 [Page 12]
\f
-INTERNET-DRAFT LDAP: Syntaxes and Matching Rules February 27, 2003
-
+INTERNET-DRAFT LDAP: Syntaxes and Matching Rules October 27, 2003
- person#(sn$EQ)#oneLevel
- The Enhanced Guide syntax corresponds to the EnhancedGuide ASN.1 type
- from [X.520]. The EnhancedGuide type references the Criteria ASN.1
- type, also from [X.520]. The <true> rule above represents an empty
"and" expression in a value of the Criteria type. The <false> rule
above represents an empty "or" expression in a value of the Criteria
type.
-
-4.3.11 Facsimile Telephone Number
+3.3.11. Facsimile Telephone Number
A value of the Facsimile Telephone Number syntax is a subscriber
number of a facsimile device on the public switched telephone
The <telephone-number> is a string of printable characters that
complies with the internationally agreed format for representing
international telephone numbers [E.123]. The <PrintableString> rule
- is defined in Section 4.2. The <DOLLAR> rule is defined in [MODELS].
+ is defined in Section 3.2. The <DOLLAR> rule is defined in [MODELS].
The LDAP definition for the Facsimile Telephone Number syntax is:
The Facsimile Telephone Number syntax corresponds to the
FacsimileTelephoneNumber ASN.1 type from [X.520].
-
-4.3.12 Fax
+3.3.12. Fax
A value of the Fax syntax is an image which is produced using the
Group 3 facsimile process [FAX] to duplicate an object, such as a
The LDAP definition for the Fax syntax is:
-
-
-Legg & Dally Expires 27 August 2003 [Page 13]
-\f
-INTERNET-DRAFT LDAP: Syntaxes and Matching Rules February 27, 2003
-
-
( 1.3.6.1.4.1.1466.115.121.1.23 DESC 'Fax' )
The ASN.1 type corresponding to the Fax syntax is defined as follows,
assuming EXPLICIT TAGS:
Fax ::= CHOICE {
+
+
+
+Legg & Dally Expires 27 April 2004 [Page 13]
+\f
+INTERNET-DRAFT LDAP: Syntaxes and Matching Rules October 27, 2003
+
+
g3-facsimile [3] G3FacsimileBodyPart
}
The G3FacsimileBodyPart ASN.1 type is defined in [X.420].
-
-4.3.13 Generalized Time
+3.3.13. Generalized Time
A value of the Generalized Time syntax is a character string
representing a date and time. The LDAP-specific encoding of a value
/ ( %x33 %x30-31 ) ; "30" to "31"
hour = ( %x30-31 %x30-39 ) / ( %x32 %x30-33 ) ; "00" to "23"
minute = %x30-35 %x30-39 ; "00" to "59"
- second = %x30-35 %x30-39 ; "00" to "59"
+ second = ( %x30-35 %x30-39 ) ; "00" to "59"
+ / ( %x36 %x30 ) ; "60" (a leap second)
GeneralizedTime = century year month day hour
[ minute [ second ] ] [ fraction ]
the local time. The "Z" form of <g-time-zone> SHOULD be used in
preference to <g-differential>.
-
-
-Legg & Dally Expires 27 August 2003 [Page 14]
-\f
-INTERNET-DRAFT LDAP: Syntaxes and Matching Rules February 27, 2003
-
-
Examples:
199412161032Z
199412160532-0500
Both example values represent the same coordinated universal time:
- 40:32 am, December 16, 1994.
+
+
+
+Legg & Dally Expires 27 April 2004 [Page 14]
+\f
+INTERNET-DRAFT LDAP: Syntaxes and Matching Rules October 27, 2003
+
+
+ 10:32 AM, December 16, 1994.
The LDAP definition for the Generalized Time syntax is:
[ASN.1], with the constraint that local time without a differential
SHALL NOT be used.
-
-4.3.14 Guide
+3.3.14. Guide
A value of the Guide syntax suggests criteria, which consist of
combinations of attribute types and filter operators, to be used in
Guide = [ object-class SHARP ] criteria
The <object-class> and <criteria> rules are defined in Section
- 4.3.10. The <SHARP> rule is defined in [MODELS].
+ 3.3.10. The <SHARP> rule is defined in [MODELS].
The LDAP definition for the Guide syntax is:
The Guide syntax corresponds to the Guide ASN.1 type from [X.520].
-
-4.3.15 IA5 String
+3.3.15. IA5 String
A value of the IA5 String syntax is a string of zero, one or more
characters from International Alphabet 5 (IA5) [T.50], the
international version of the ASCII character set. The LDAP-specific
encoding of a value of this syntax is the unconverted string of
- characters, which conforms to the <IA5String> rule in Section 4.2.
+ characters, which conforms to the <IA5String> rule in Section 3.2.
The LDAP definition for the IA5 String syntax is:
+ ( 1.3.6.1.4.1.1466.115.121.1.26 DESC 'IA5 String' )
+ This syntax corresponds to the IA5String ASN.1 type from [ASN.1].
-Legg & Dally Expires 27 August 2003 [Page 15]
-\f
-INTERNET-DRAFT LDAP: Syntaxes and Matching Rules February 27, 2003
+3.3.16. Integer
- ( 1.3.6.1.4.1.1466.115.121.1.26 DESC 'IA5 String' )
- This syntax corresponds to the IA5String ASN.1 type from [ASN.1].
+Legg & Dally Expires 27 April 2004 [Page 15]
+\f
+INTERNET-DRAFT LDAP: Syntaxes and Matching Rules October 27, 2003
-4.3.16 Integer
A value of the Integer syntax is a whole number of unlimited
magnitude. The LDAP-specific encoding of a value of this syntax is
character string "1321"). The encoding is defined by the following
ABNF:
- Integer = [ HYPHEN ] number
+ Integer = ( HYPHEN LDIGIT *DIGIT ) / number
- The <HYPHEN> and <number> rules are defined in [MODELS].
+ The <HYPHEN>, <LDIGIT>, <DIGIT> and <number> rules are defined in
+ [MODELS].
The LDAP definition for the Integer syntax is:
This syntax corresponds to the INTEGER ASN.1 type from [ASN.1].
-
-4.3.17 JPEG
+3.3.17. JPEG
A value of the JPEG syntax is an image in the JPEG File Interchange
Format (JFIF), as described in [JPEG]. The LDAP-specific encoding of
{ -- contents octets are an image in the --
-- JPEG File Interchange Format -- })
-
-4.3.18 LDAP Syntax Description
+3.3.18. LDAP Syntax Description
A value of the LDAP Syntax Description syntax is the description of
an LDAP syntax. The LDAP-specific encoding of a value of this syntax
is defined by the <SyntaxDescription> rule in [MODELS].
-
-
-Legg & Dally Expires 27 August 2003 [Page 16]
-\f
-INTERNET-DRAFT LDAP: Syntaxes and Matching Rules February 27, 2003
-
-
The LDAP definition for the LDAP Syntax Description syntax is:
( 1.3.6.1.4.1.1466.115.121.1.54 DESC 'LDAP Syntax Description' )
The above LDAP definition for the LDAP Syntax Description syntax is
itself a legal value of the LDAP Syntax Description syntax.
+
+
+
+Legg & Dally Expires 27 April 2004 [Page 16]
+\f
+INTERNET-DRAFT LDAP: Syntaxes and Matching Rules October 27, 2003
+
+
The ASN.1 type corresponding to the LDAP Syntax Description syntax is
defined as follows, assuming EXPLICIT TAGS:
The value of ub-schema (an integer) is implementation defined. A
non-normative definition appears in [X.520].
-
-4.3.19 Matching Rule Description
+3.3.19. Matching Rule Description
A value of the Matching Rule Description syntax is the definition of
a matching rule. The LDAP-specific encoding of a value of this
This syntax corresponds to the MatchingRuleDescription ASN.1 type
from [X.501].
-
-4.3.20 Matching Rule Use Description
+3.3.20. Matching Rule Use Description
A value of the Matching Rule Use Description syntax indicates the
attribute types to which a matching rule may be applied in an
a value of this syntax is defined by the <MatchingRuleUseDescription>
rule in [MODELS].
-
-
-Legg & Dally Expires 27 August 2003 [Page 17]
-\f
-INTERNET-DRAFT LDAP: Syntaxes and Matching Rules February 27, 2003
-
-
Example:
( 2.5.13.16 APPLIES ( givenName $ surname ) )
( 1.3.6.1.4.1.1466.115.121.1.31
DESC 'Matching Rule Use Description' )
+
+
+
+Legg & Dally Expires 27 April 2004 [Page 17]
+\f
+INTERNET-DRAFT LDAP: Syntaxes and Matching Rules October 27, 2003
+
+
This syntax corresponds to the MatchingRuleUseDescription ASN.1 type
from [X.501].
-
-4.3.21 Name and Optional UID
+3.3.21. Name and Optional UID
A value of the Name and Optional UID syntax is the distinguished name
[MODELS] of an entity optionally accompanied by a unique identifier
NameAndOptionalUID = distinguishedName [ SHARP BitString ]
- The <BitString> rule is defined in Section 4.3.2. The
+ The <BitString> rule is defined in Section 3.3.2. The
<distinguishedName> rule is defined in [LDAPDN]. The <SHARP> rule is
defined in [MODELS].
This syntax corresponds to the NameAndOptionalUID ASN.1 type from
[X.520].
-
-4.3.22 Name Form Description
+3.3.22. Name Form Description
A value of the Name Form Description syntax is the definition of a
name form, which regulates how entries may be named. The
-
-
-
-Legg & Dally Expires 27 August 2003 [Page 18]
-\f
-INTERNET-DRAFT LDAP: Syntaxes and Matching Rules February 27, 2003
-
-
LDAP-specific encoding of a value of this syntax is defined by the
<NameFormDescription> rule in [MODELS].
( 1.3.6.1.4.1.1466.115.121.1.35 DESC 'Name Form Description' )
+
+
+
+Legg & Dally Expires 27 April 2004 [Page 18]
+\f
+INTERNET-DRAFT LDAP: Syntaxes and Matching Rules October 27, 2003
+
+
This syntax corresponds to the NameFormDescription ASN.1 type from
[X.501].
-
-4.3.23 Numeric String
+3.3.23. Numeric String
A value of the Numeric String syntax is a sequence of one or more
numerals and spaces. The LDAP-specific encoding of a value of this
This syntax corresponds to the NumericString ASN.1 type from [ASN.1].
-
-4.3.24 Object Class Description
+3.3.24. Object Class Description
A value of the Object Class Description syntax is the definition of
an object class. The LDAP-specific encoding of a value of this
Note: a line break has been added for readability - it is not part of
the syntax.
-
-
-
-Legg & Dally Expires 27 August 2003 [Page 19]
-\f
-INTERNET-DRAFT LDAP: Syntaxes and Matching Rules February 27, 2003
-
-
The LDAP definition for the Object Class Description syntax is:
( 1.3.6.1.4.1.1466.115.121.1.37 DESC 'Object Class Description' )
This syntax corresponds to the ObjectClassDescription ASN.1 type from
[X.501].
-
-4.3.25 Octet String
+3.3.25. Octet String
A value of the Octet String syntax is a sequence of zero, one or more
arbitrary octets. The LDAP-specific encoding of a value of this
syntax is the unconverted sequence of octets, which conforms to the
+
+
+
+Legg & Dally Expires 27 April 2004 [Page 19]
+\f
+INTERNET-DRAFT LDAP: Syntaxes and Matching Rules October 27, 2003
+
+
following ABNF:
OctetString = *OCTET
This syntax corresponds to the OCTET STRING ASN.1 type from [ASN.1].
-
-4.3.26 OID
+3.3.26. OID
A value of the OID syntax is an object identifier; a sequence of two
or more non-negative integers that uniquely identify some object or
This syntax corresponds to the OBJECT IDENTIFIER ASN.1 type from
[ASN.1].
-
-
-
-Legg & Dally Expires 27 August 2003 [Page 20]
-\f
-INTERNET-DRAFT LDAP: Syntaxes and Matching Rules February 27, 2003
-
-
-4.3.27 Other Mailbox
+3.3.27. Other Mailbox
A value of the Other Mailbox syntax identifies an electronic mailbox,
in a particular named mail system. The LDAP-specific encoding of a
The <mailbox-type> rule represents the type of mail system in which
the mailbox resides, for example "MCIMail", and <mailbox> is the
actual mailbox in the mail system described by <mailbox-type>. The
- <PrintableString> and <IA5String> rules are defined in Section 4.2.
+ <PrintableString> and <IA5String> rules are defined in Section 3.2.
+
+
+
+Legg & Dally Expires 27 April 2004 [Page 20]
+\f
+INTERNET-DRAFT LDAP: Syntaxes and Matching Rules October 27, 2003
+
+
The <DOLLAR> rule is defined in [MODELS].
The LDAP definition for the Other Mailbox syntax is:
mailbox IA5String
}
-
-4.3.28 Postal Address
+3.3.28. Postal Address
A value of the Postal Address syntax is a sequence of strings of one
or more arbitrary UCS characters, which form an address in a physical
/ %x5D-7F
/ UTFMB
- Each character string (i.e. <line>) of a postal address value is
-
-
-
-Legg & Dally Expires 27 August 2003 [Page 21]
-\f
-INTERNET-DRAFT LDAP: Syntaxes and Matching Rules February 27, 2003
-
-
- encoded as a UTF-8 [UTF-8] string except that "\" and "$" characters,
+ Each character string (i.e., <line>) of a postal address value is
+ encoded as a UTF-8 [UTF8] string except that "\" and "$" characters,
if they occur in the string, are escaped by a "\" character followed
by the two hexadecimal digit code for the character. The <HEX-DIGIT>
- rule is defined in Section 4.2. The <DOLLAR> and <UTFMB> rules are
+ rule is defined in Section 3.2. The <DOLLAR> and <UTFMB> rules are
defined in [MODELS].
Many servers limit the postal address to no more than six lines of no
The LDAP definition for the Postal Address syntax is:
+
+
+
+Legg & Dally Expires 27 April 2004 [Page 21]
+\f
+INTERNET-DRAFT LDAP: Syntaxes and Matching Rules October 27, 2003
+
+
( 1.3.6.1.4.1.1466.115.121.1.41 DESC 'Postal Address' )
This syntax corresponds to the PostalAddress ASN.1 type from [X.520],
- i.e.
+ i.e.,
PostalAddress ::= SEQUENCE SIZE(1..ub-postal-line) OF
DirectoryString { ub-postal-string }
The values of ub-postal-line and ub-postal-string (both integers) are
implementation defined. Non-normative definitions appear in [X.520].
+3.3.29. Printable String
-4.3.29 Printable String
-
- A value of the Printable String syntax is a string of latin
- alphabetic, numeric, and (limited) punctuation characters as
- specified by the <PrintableCharacter> rule in Section 4.2.
+ A value of the Printable String syntax is a string of one or more
+ latin alphabetic, numeric, and selected punctuation characters as
+ specified by the <PrintableCharacter> rule in Section 3.2.
The LDAP-specific encoding of a value of this syntax is the
unconverted string of characters, which conforms to the
- <PrintableString> rule in Section 4.2.
+ <PrintableString> rule in Section 3.2.
Example:
This is a PrintableString.
This syntax corresponds to the PrintableString ASN.1 type from
[ASN.1].
-
-
-
-
-Legg & Dally Expires 27 August 2003 [Page 22]
-\f
-INTERNET-DRAFT LDAP: Syntaxes and Matching Rules February 27, 2003
-
-
-4.3.30 Substring Assertion
+3.3.30. Substring Assertion
A value of the Substring Assertion syntax is a sequence of zero, one
or more character substrings used as an argument for substring
- extensible matching of character string attribute values, i.e. as the
- matchValue of a MatchingRuleAssertion [PROT]. Each substring is a
- string of one or more arbitrary characters from the Universal
+ extensible matching of character string attribute values, i.e., as
+ the matchValue of a MatchingRuleAssertion [PROT]. Each substring is
+ a string of one or more arbitrary characters from the Universal
Character Set (UCS) [UCS]. A zero length substring is not permitted.
The LDAP-specific encoding of a value of this syntax is defined by
initial = substring
any = ASTERISK *(substring ASTERISK)
final = substring
+
+
+
+Legg & Dally Expires 27 April 2004 [Page 22]
+\f
+INTERNET-DRAFT LDAP: Syntaxes and Matching Rules October 27, 2003
+
+
ASTERISK = %x2A ; asterisk ("*")
substring = 1*substring-character
/ UTFMB
Each <substring> of a Substring Assertion value is encoded as a UTF-8
- [UTF-8] string, except that "\" and "*" characters, if they occur in
+ [UTF8] string, except that "\" and "*" characters, if they occur in
the substring, are escaped by a "\" character followed by the two
hexadecimal digit code for the character.
This syntax corresponds to the SubstringAssertion ASN.1 type from
[X.520].
-
-4.3.31 Telephone Number
+3.3.31. Telephone Number
A value of the Telephone Number syntax is a string of printable
characters that complies with the internationally agreed format for
-
-
-
-Legg & Dally Expires 27 August 2003 [Page 23]
-\f
-INTERNET-DRAFT LDAP: Syntaxes and Matching Rules February 27, 2003
-
-
representing international telephone numbers [E.123].
The LDAP-specific encoding of a value of this syntax is the
unconverted string of characters, which conforms to the
- <PrintableString> rule in Section 4.2.
+ <PrintableString> rule in Section 3.2.
Example: +1 512 315 0280
PrintableString (SIZE(1..ub-telephone-number))
The value of ub-telephone-number (an integer) is implementation
- defined. A non-normative definition appears in [X.520].
-4.3.32 Teletex Terminal Identifier
+
+Legg & Dally Expires 27 April 2004 [Page 23]
+\f
+INTERNET-DRAFT LDAP: Syntaxes and Matching Rules October 27, 2003
+
+
+ defined. A non-normative definition appears in [X.520].
+
+3.3.32. Teletex Terminal Identifier
A value of this syntax specifies the identifier and (optionally)
parameters of a teletex terminal.
/ (%x5C "5C") ; escaped "\"
/ %x5D-FF
- The <PrintableString> and <COLON> rules are defined in Section 4.2.
+ The <PrintableString> and <COLON> rules are defined in Section 3.2.
The <DOLLAR> rule is defined in [MODELS].
The LDAP definition for the Teletex Terminal Identifier syntax is:
( 1.3.6.1.4.1.1466.115.121.1.51
DESC 'Teletex Terminal Identifier' )
-
-
-Legg & Dally Expires 27 August 2003 [Page 24]
-\f
-INTERNET-DRAFT LDAP: Syntaxes and Matching Rules February 27, 2003
-
-
This syntax corresponds to the TeletexTerminalIdentifier ASN.1 type
from [X.520].
-
-4.3.33 Telex Number
+3.3.33. Telex Number
A value of the Telex Number syntax specifies the telex number,
country code and answerback code of a telex terminal.
country-code = PrintableString
answerback = PrintableString
- The <PrintableString> rule is defined in Section 4.2. The <DOLLAR>
+ The <PrintableString> rule is defined in Section 3.2. The <DOLLAR>
+
+
+
+Legg & Dally Expires 27 April 2004 [Page 24]
+\f
+INTERNET-DRAFT LDAP: Syntaxes and Matching Rules October 27, 2003
+
+
rule is defined in [MODELS].
The LDAP definition for the Telex Number syntax is:
This syntax corresponds to the TelexNumber ASN.1 type from [X.520].
-
-4.3.34 UTC Time
+3.3.34. UTC Time
A value of the UTC Time syntax is a character string representing a
date and time to a precision of one minute or one second. The year
u-differential = ( MINUS / PLUS ) hour minute
The <year>, <month>, <day>, <hour>, <minute>, <second> and <MINUS>
- rules are defined in Section
4.3.13. The <PLUS> rule is defined in
+ rules are defined in Section
3.3.13. The <PLUS> rule is defined in
[MODELS].
The time value represents coordinated universal time if the "Z" form
of <u-time-zone> is used, otherwise the value represents a local
-
-
-
-Legg & Dally Expires 27 August 2003 [Page 25]
-\f
-INTERNET-DRAFT LDAP: Syntaxes and Matching Rules February 27, 2003
-
-
time. In the latter case, if <u-differential> is provided then
coordinated universal time can be calculated by subtracting the
differential from the local time. The <u-time-zone> SHOULD be
The UTC Time syntax corresponds to the UTCTime ASN.1 type from
[ASN.1].
-
-5. Matching Rules
+4. Matching Rules
Matching rules are used by directory implementations to compare
attribute values against assertion values when performing Search and
+
+
+
+Legg & Dally Expires 27 April 2004 [Page 25]
+\f
+INTERNET-DRAFT LDAP: Syntaxes and Matching Rules October 27, 2003
+
+
Compare operations [PROT]. They are also used when comparing a
purported distinguished name [MODELS] with the name of an entry.
When modifying entries, matching rules are used to identify values to
Matching rules that are required for directory operation, or that are
in common use, are specified in this section.
-5.1 General Considerations
+4.1. General Considerations
A matching rule is applied to attribute values through an
AttributeValueAssertion or MatchingRuleAssertion [PROT]. The
may be applied. Note that the AssertionValue in a SubstringFilter
[PROT] MUST conform to the assertion syntax of the equality matching
rule for the attribute type rather than the assertion syntax of the
-
-
-
-Legg & Dally Expires 27 August 2003 [Page 26]
-\f
-INTERNET-DRAFT LDAP: Syntaxes and Matching Rules February 27, 2003
-
-
substrings matching rule for the attribute type. The entire
SubstringFilter is converted into an assertion value of the
substrings matching rule prior to applying the rule.
corresponding ASN.1 type of a candidate attribute syntax must
satisfy. These conditions are also satisfied if the corresponding
ASN.1 type is a tagged or constrained derivative of the ASN.1 type
- explicitly mentioned in the rule description (i.e. ASN.1 tags and
+ explicitly mentioned in the rule description (i.e., ASN.1 tags and
constraints are ignored in checking applicability), or an alternative
reference notation for the explicitly mentioned type. Each rule
description lists as examples of applicable attribute syntaxes, the
The description of each matching rule indicates whether the rule is
suitable for use as the equality matching rule (EQUALITY), ordering
matching rule (ORDERING) or substrings matching rule (SUBSTR) in an
+
+
+
+Legg & Dally Expires 27 April 2004 [Page 26]
+\f
+INTERNET-DRAFT LDAP: Syntaxes and Matching Rules October 27, 2003
+
+
attribute type definition [MODELS].
Each matching rule is uniquely identified with an object identifier.
If a change is desirable then a new matching rule with a different
object identifier should be defined instead.
- Servers SHOULD implement all the matching rules in Section 5.2.
+ Servers SHOULD implement all the matching rules in Section 4.2.
Servers MAY implement additional matching rules.
Servers which implement the extensibleMatch filter SHOULD allow the
- matching rules listed in Section 5.2 to be used in the
+ matching rules listed in Section 4.2 to be used in the
extensibleMatch filter and SHOULD allow matching rules to be used
with all attribute types known to the server, where the assertion
syntax of the matching rule is the same as the value syntax of the
(in an extensibleMatch filter) of selected matching rules to
nominated attribute types.
+4.2. Matching Rule Definitions
+ When evaluating the numericStringMatch, numericStringSubstringsMatch,
+ caseExactIA5Match, caseIgnoreIA5Match, caseIgnoreIA5SubstringsMatch,
+ caseIgnoreListMatch, caseIgnoreListSubstringsMatch, caseIgnoreMatch,
+ caseIgnoreOrderingMatch, caseIgnoreSubstringsMatch,
+ telephoneNumberMatch and telephoneNumberSubstringsMatch matching
+ rules the assertion value and attribute value are prepared according
+ to the string preparation algorithms [PREP] for LDAP before being
+ compared. The Transcode, Normalize, Prohibit and Check bidi steps
+ are the same for each of the matching rules. However, the Map and
+ Insignificant Character Removal steps depends on the specific rule,
+ as detailed in the description of these matching rules in the
+ sections that follow.
-Legg & Dally Expires 27 August 2003 [Page 27]
-\f
-INTERNET-DRAFT LDAP: Syntaxes and Matching Rules February 27, 2003
+4.2.1. bitStringMatch
+ The bitStringMatch rule compares an assertion value of the Bit String
+ syntax to an attribute value of a syntax (e.g., the Bit String
+ syntax) whose corresponding ASN.1 type is BIT STRING.
-5.2 Matching Rule Definitions
-
- When evaluating the caseExactIA5Match, caseIgnoreIA5Match,
- caseIgnoreIA5SubstringsMatch, caseIgnoreListMatch,
- caseIgnoreListSubstringsMatch, caseIgnoreMatch,
- caseIgnoreOrderingMatch and caseIgnoreSubstringsMatch matching rules
- multiple adjoining whitespace characters are treated the same as an
- individual space, and leading and trailing whitespace is ignored.
-5.2.1 bitStringMatch
+Legg & Dally Expires 27 April 2004 [Page 27]
+\f
+INTERNET-DRAFT LDAP: Syntaxes and Matching Rules October 27, 2003
- The bitStringMatch rule compares an assertion value of the Bit String
- syntax to an attribute value of a syntax (e.g. the Bit String syntax)
- whose corresponding ASN.1 type is BIT STRING.
If the corresponding ASN.1 type of the attribute syntax does not have
a named bit list (which is the case for the Bit String syntax) then
The bitStringMatch rule is an equality matching rule.
-
-5.2.2 caseExactIA5Match
+4.2.2. caseExactIA5Match
The caseExactIA5Match rule compares an assertion value of the IA5
String syntax to an attribute value of a syntax (e.g the IA5 String
syntax) whose corresponding ASN.1 type is IA5String.
- The rule evaluates to TRUE if and only if the attribute value and the
- assertion value have the same number of characters and corresponding
- characters are the same. Letter case is significant in the
- comparison.
+ The rule evaluates to TRUE if and only if the prepared attribute
+ value character string and the prepared assertion value character
+ string have the same number of characters and corresponding
+ characters have the same code point.
+
+ In preparing the attribute value and assertion value for comparison,
+ characters are not case folded in the Map preparation step, and only
+ Insignificant Space Removal is applied in the Insignificant Character
+ Removal step.
The LDAP definition for the caseExactIA5Match rule is:
( 1.3.6.1.4.1.1466.109.114.1 NAME 'caseExactIA5Match'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+ The caseExactIA5Match rule is an equality matching rule.
+4.2.3. caseIgnoreIA5Match
-Legg & Dally Expires 27 August 2003 [Page 28]
-\f
-INTERNET-DRAFT LDAP: Syntaxes and Matching Rules February 27, 2003
+ The caseIgnoreIA5Match rule compares an assertion value of the IA5
+ String syntax to an attribute value of a syntax (e.g the IA5 String
+ syntax) whose corresponding ASN.1 type is IA5String.
+ The rule evaluates to TRUE if and only if the prepared attribute
+ value character string and the prepared assertion value character
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
- The caseExactIA5Match rule is an equality matching rule.
+Legg & Dally Expires 27 April 2004 [Page 28]
+\f
+INTERNET-DRAFT LDAP: Syntaxes and Matching Rules October 27, 2003
-5.2.3 caseIgnoreIA5Match
- The caseIgnoreIA5Match rule compares an assertion value of the IA5
- String syntax to an attribute value of a syntax (e.g the IA5 String
- syntax) whose corresponding ASN.1 type is IA5String.
+ string have the same number of characters and corresponding
+ characters have the same code point.
- The rule evaluates to TRUE if and only if the attribute value and the
- assertion value have the same number of characters and corresponding
- characters are the same, ignoring the case of letters.
+ In preparing the attribute value and assertion value for comparison,
+ characters are case folded in the Map preparation step, and only
+ Insignificant Space Removal is applied in the Insignificant Character
+ Removal step.
The LDAP definition for the caseIgnoreIA5Match rule is:
The caseIgnoreIA5Match rule is an equality matching rule.
-
-5.2.4 caseIgnoreIA5SubstringsMatch
+4.2.4. caseIgnoreIA5SubstringsMatch
The caseIgnoreIA5SubstringsMatch rule compares an assertion value of
the Substring Assertion syntax to an attribute value of a syntax (e.g
the IA5 String syntax) whose corresponding ASN.1 type is IA5String.
- The rule evaluates to TRUE if and only if the substrings of the
- assertion value match disjoint portions of the attribute value in the
- order of the substrings in the assertion value, and an <initial>
- substring, if present, matches the beginning of the attribute value,
- and a <final> substring, if present, matches the end of the attribute
- value. A substring matches a portion of the attribute value if
- corresponding characters are the same, ignoring the case of letters.
+ The rule evaluates to TRUE if and only if the prepared substrings of
+ the assertion value match disjoint portions of the prepared attribute
+ value character string in the order of the substrings in the
+ assertion value, and an <initial> substring, if present, matches the
+ beginning of the prepared attribute value character string, and a
+ <final> substring, if present, matches the end of the prepared
+ attribute value character string. A prepared substring matches a
+ portion of the prepared attribute value character string if
+ corresponding characters have the same code point.
+
+ In preparing the attribute value and assertion value substrings for
+ comparison, characters are case folded in the Map preparation step,
+ and only Insignificant Space Removal is applied in the Insignificant
+ Character Removal step.
( 1.3.6.1.4.1.1466.109.114.3 NAME 'caseIgnoreIA5SubstringsMatch'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.58 )
The caseIgnoreIA5SubstringsMatch rule is a substrings matching rule.
-
-5.2.5 caseIgnoreListMatch
+4.2.5. caseIgnoreListMatch
The caseIgnoreListMatch rule compares an assertion value that is a
- sequence of strings to an attribute value of a syntax (e.g. the
+ sequence of strings to an attribute value of a syntax (e.g., the
Postal Address syntax) whose corresponding ASN.1 type is a SEQUENCE
+ OF the DirectoryString ASN.1 type.
-Legg & Dally Expires 27 August 2003 [Page 29]
-\f
-INTERNET-DRAFT LDAP: Syntaxes and Matching Rules February 27, 2003
+Legg & Dally Expires 27 April 2004 [Page 29]
+\f
+INTERNET-DRAFT LDAP: Syntaxes and Matching Rules October 27, 2003
- OF the DirectoryString ASN.1 type.
The rule evaluates to TRUE if and only if the attribute value and the
assertion value have the same number of strings and corresponding
SEQUENCE OF DirectoryString {ub-match}
- i.e. different from the corresponding type for the Postal Address
+ i.e., different from the corresponding type for the Postal Address
syntax. The choice of the Postal Address syntax for the assertion
syntax of the caseIgnoreListMatch in LDAP should not be seen as
limiting the matching rule to only apply to attributes with the
The caseIgnoreListMatch rule is an equality matching rule.
-
-5.2.6 caseIgnoreListSubstringsMatch
+4.2.6. caseIgnoreListSubstringsMatch
The caseIgnoreListSubstringsMatch rule compares an assertion value of
the Substring Assertion syntax to an attribute value of a syntax
- (e.g. the Postal Address syntax) whose corresponding ASN.1 type is a
+ (e.g., the Postal Address syntax) whose corresponding ASN.1 type is a
SEQUENCE OF the DirectoryString ASN.1 type.
The rule evaluates to TRUE if and only if the assertion value
The LDAP definition for the caseIgnoreListSubstringsMatch rule is:
( 2.5.13.12 NAME 'caseIgnoreListSubstringsMatch'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.58 )
+ The caseIgnoreListSubstringsMatch rule is a substrings matching rule.
-Legg & Dally Expires 27 August 2003 [Page 30]
-\f
-INTERNET-DRAFT LDAP: Syntaxes and Matching Rules February 27, 2003
-
-
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.58 )
- The caseIgnoreListSubstringsMatch rule is a substrings matching rule.
+Legg & Dally Expires 27 April 2004 [Page 30]
+\f
+INTERNET-DRAFT LDAP: Syntaxes and Matching Rules October 27, 2003
-5.2.7 caseIgnoreMatch
+4.2.7. caseIgnoreMatch
The caseIgnoreMatch rule compares an assertion value of the Directory
- String syntax to an attribute value of a syntax (e.g. the Directory
+ String syntax to an attribute value of a syntax (e.g., the Directory
String, Printable String, Country String or Telephone Number syntax)
whose corresponding ASN.1 type is DirectoryString or one of the
- alternative string types of DirectoryString, e.g. PrintableString
+ alternative string types of DirectoryString, e.g., PrintableString
(the other alternatives do not correspond to any syntax defined in
this document).
- The rule evaluates to TRUE if and only if the attribute value and the
- assertion value have the same number of characters and corresponding
- characters are the same, ignoring the case of letters.
+ The rule evaluates to TRUE if and only if the prepared attribute
+ value character string and the prepared assertion value character
+ string have the same number of characters and corresponding
+ characters have the same code point.
+
+ In preparing the attribute value and assertion value for comparison,
+ characters are case folded in the Map preparation step, and only
+ Insignificant Space Removal is applied in the Insignificant Character
+ Removal step.
The LDAP definition for the caseIgnoreMatch rule is:
The caseIgnoreMatch rule is an equality matching rule.
-
-5.2.8 caseIgnoreOrderingMatch
+4.2.8. caseIgnoreOrderingMatch
The caseIgnoreOrderingMatch rule compares an assertion value of the
- Directory String syntax to an attribute value of a syntax (e.g. the
+ Directory String syntax to an attribute value of a syntax (e.g., the
Directory String, Printable String, Country String or Telephone
Number syntax) whose corresponding ASN.1 type is DirectoryString or
one of its alternative string types.
- The rule evaluates to TRUE if, and only if, in the normal collation
- order for the attribute syntax after lower-case letters in both the
- attribute and assertion values have been replaced by their upper-case
- equivalents, the attribute value appears earlier than the assertion
- value, i.e. the attribute value is "less than" the assertion value.
+ The rule evaluates to TRUE if, and only if, in the code point
+ collation order, the prepared attribute value character string
+ appears earlier than the prepared assertion value character string,
+ i.e., the attribute value is "less than" the assertion value.
- The collation order for values of the DirectoryString syntax is
- implementation-defined. [Editor's note: this will be specified by a
- stringprep profile before final publication.]
+ In preparing the attribute value and assertion value for comparison,
+ characters are case folded in the Map preparation step, and only
+ Insignificant Space Removal is applied in the Insignificant Character
+ Removal step.
The LDAP definition for the caseIgnoreOrderingMatch rule is:
-Legg & Dally Expires 27 August 2003 [Page 31]
+Legg & Dally Expires 27 April 2004 [Page 31]
\f
-INTERNET-DRAFT LDAP: Syntaxes and Matching Rules February 27, 2003
+INTERNET-DRAFT LDAP: Syntaxes and Matching Rules October 27, 2003
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
The caseIgnoreOrderingMatch rule is an ordering matching rule.
-
-5.2.9 caseIgnoreSubstringsMatch
+4.2.9. caseIgnoreSubstringsMatch
The caseIgnoreSubstringsMatch rule compares an assertion value of the
- Substring Assertion syntax to an attribute value of a syntax (e.g.
+ Substring Assertion syntax to an attribute value of a syntax (e.g.,
the Directory String, Printable String, Country String or Telephone
Number syntax) whose corresponding ASN.1 type is DirectoryString or
one of its alternative string types.
- The rule evaluates to TRUE if and only if the substrings of the
- assertion value match disjoint portions of the attribute value in the
- order of the substrings in the assertion value, and an <initial>
- substring, if present, matches the beginning of the attribute value,
- and a <final> substring, if present, matches the end of the attribute
- value. A substring matches a portion of the attribute value if
- corresponding characters are the same, ignoring the case of letters.
+ The rule evaluates to TRUE if and only if the prepared substrings of
+ the assertion value match disjoint portions of the prepared attribute
+ value character string in the order of the substrings in the
+ assertion value, and an <initial> substring, if present, matches the
+ beginning of the prepared attribute value character string, and a
+ <final> substring, if present, matches the end of the prepared
+ attribute value character string. A prepared substring matches a
+ portion of the prepared attribute value character string if
+ corresponding characters have the same code point.
+
+ In preparing the attribute value and assertion value substrings for
+ comparison, characters are case folded in the Map preparation step,
+ and only Insignificant Space Removal is applied in the Insignificant
+ Character Removal step.
The LDAP definition for the caseIgnoreSubstringsMatch rule is:
The caseIgnoreSubstringsMatch rule is a substrings matching rule.
-
-5.2.10 distinguishedNameMatch
+4.2.10. distinguishedNameMatch
The distinguishedNameMatch rule compares an assertion value of the DN
- syntax to an attribute value of a syntax (e.g. the DN syntax) whose
+ syntax to an attribute value of a syntax (e.g., the DN syntax) whose
corresponding ASN.1 type is DistinguishedName.
The rule evaluates to TRUE if and only if the attribute value and the
- assertion value have the same number of RDNs and corresponding RDNs
- (by position) are the same. An RDN of the assertion value is the
- same as an RDN of the attribute value if and only if they have the
- same number of attribute value assertions (AVAs) and each AVA of the
- first RDN is the same as the AVA of the second RDN with the same
- attribute type. The order of the AVAs is not significant. Also note
- that a particular attribute type may appear in at most one AVA in an
- RDN. Two AVAs with the same attribute type are the same if their
- values are equal according to the equality matching rule of the
- attribute type. If one or more of the AVA comparisons evaluate to
- Undefined and the remaining AVA comparisons return TRUE then the
- distinguishedNameMatch rule evaluates to Undefined.
-
-
-
-Legg & Dally Expires 27 August 2003 [Page 32]
+ assertion value have the same number of relative distinguished names
+ and corresponding relative distinguished names (by position) are the
+ same. A relative distinguished name (RDN) of the assertion value is
+ the same as an RDN of the attribute value if and only if they have
+ the same number of attribute value assertions and each attribute
+ value assertion (AVA) of the first RDN is the same as the AVA of the
+ second RDN with the same attribute type. The order of the AVAs is
+
+
+
+Legg & Dally Expires 27 April 2004 [Page 32]
\f
-INTERNET-DRAFT LDAP: Syntaxes and Matching Rules February 27, 2003
+INTERNET-DRAFT LDAP: Syntaxes and Matching Rules October 27, 2003
+ not significant. Also note that a particular attribute type may
+ appear in at most one AVA in an RDN. Two AVAs with the same
+ attribute type are the same if their values are equal according to
+ the equality matching rule of the attribute type. If one or more of
+ the AVA comparisons evaluate to Undefined and the remaining AVA
+ comparisons return TRUE then the distinguishedNameMatch rule
+ evaluates to Undefined.
+
The LDAP definition for the distinguishedNameMatch rule is:
( 2.5.13.1 NAME 'distinguishedNameMatch'
The distinguishedNameMatch rule is an equality matching rule.
-
-5.2.11 generalizedTimeMatch
+4.2.11. generalizedTimeMatch
The generalizedTimeMatch rule compares an assertion value of the
Generalized Time syntax to an attribute value of a syntax (e.g the
The generalizedTimeMatch rule is an equality matching rule.
+4.2.12. generalizedTimeOrderingMatch
-5.2.12 generalizedTimeOrderingMatch
-
- The generalizedTimeMatch rule compares the time ordering of an
- assertion value of the Generalized Time syntax to an attribute value
- of a syntax (e.g the Generalized Time syntax) whose corresponding
- ASN.1 type is GeneralizedTime.
+ The generalizedTimeOrderingMatch rule compares the time ordering of
+ an assertion value of the Generalized Time syntax to an attribute
+ value of a syntax (e.g the Generalized Time syntax) whose
+ corresponding ASN.1 type is GeneralizedTime.
The rule evaluates to TRUE if and only if the attribute value
represents a universal coordinated time which is earlier than the
The LDAP definition for the generalizedTimeOrderingMatch rule is:
- ( 2.5.13.28 NAME 'generalizedTimeOrderingMatch'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
-
- The generalizedTimeOrderingMatch rule is an ordering matching rule.
+Legg & Dally Expires 27 April 2004 [Page 33]
+\f
+INTERNET-DRAFT LDAP: Syntaxes and Matching Rules October 27, 2003
-Legg & Dally Expires 27 August 2003 [Page 33]
-\f
-INTERNET-DRAFT LDAP: Syntaxes and Matching Rules February 27, 2003
+ ( 2.5.13.28 NAME 'generalizedTimeOrderingMatch'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
+ The generalizedTimeOrderingMatch rule is an ordering matching rule.
-5.2.13 integerFirstComponentMatch
+4.2.13. integerFirstComponentMatch
The integerFirstComponentMatch rule compares an assertion value of
the Integer syntax to an attribute value of a syntax (e.g the DIT
from an attribute value by taking the first component of that
attribute value.
-
-5.2.14 integerMatch
+4.2.14. integerMatch
The integerMatch rule compares an assertion value of the Integer
syntax to an attribute value of a syntax (e.g the Integer syntax)
The integerMatch rule is an equality matching rule.
-5.2.15 numericStringMatch
-
-
-
-Legg & Dally Expires 27 August 2003 [Page 34]
+Legg & Dally Expires 27 April 2004 [Page 34]
\f
-INTERNET-DRAFT LDAP: Syntaxes and Matching Rules February 27, 2003
+INTERNET-DRAFT LDAP: Syntaxes and Matching Rules October 27, 2003
+4.2.15. numericStringMatch
+
The numericStringMatch rule compares an assertion value of the
Numeric String syntax to an attribute value of a syntax (e.g the
Numeric String syntax) whose corresponding ASN.1 type is
NumericString.
- The rule evaluates to TRUE if and only if the attribute value and the
- assertion value are the same string of numerals, ignoring any space
- characters.
+ The rule evaluates to TRUE if and only if the prepared attribute
+ value character string and the prepared assertion value character
+ string have the same number of characters and corresponding
+ characters have the same code point.
+
+ In preparing the attribute value and assertion value for comparison,
+ characters are not case folded in the Map preparation step, and only
+ numericString Insignificant Character Removal is applied in the
+ Insignificant Character Removal step.
The LDAP definition for the numericStringMatch matching rule is:
The numericStringMatch rule is an equality matching rule.
-
-5.2.16 numericStringSubstringsMatch
+4.2.16. numericStringSubstringsMatch
The numericStringSubstringsMatch rule compares an assertion value of
the Substring Assertion syntax to an attribute value of a syntax (e.g
the Numeric String syntax) whose corresponding ASN.1 type is
NumericString.
- The rule evaluates to TRUE if and only if the substrings of the
- assertion value match disjoint portions of the attribute value in the
- order of the substrings in the assertion value, and an <initial>
- substring, if present, matches the beginning of the attribute value,
- and a <final> substring, if present, matches the end of the attribute
- value. A substring matches a portion of the attribute value if
- corresponding characters are the same, ignoring any space characters.
+ The rule evaluates to TRUE if and only if the prepared substrings of
+ the assertion value match disjoint portions of the prepared attribute
+ value character string in the order of the substrings in the
+ assertion value, and an <initial> substring, if present, matches the
+ beginning of the prepared attribute value character string, and a
+ <final> substring, if present, matches the end of the prepared
+ attribute value character string. A prepared substring matches a
+ portion of the prepared attribute value character string if
+ corresponding characters have the same code point.
+
+ In preparing the attribute value and assertion value for comparison,
+ characters are not case folded in the Map preparation step, and only
+ numericString Insignificant Character Removal is applied in the
+ Insignificant Character Removal step.
+
+ The LDAP definition for the numericStringSubstringsMatch matching
+ rule is:
+
+
+
+Legg & Dally Expires 27 April 2004 [Page 35]
+\f
+INTERNET-DRAFT LDAP: Syntaxes and Matching Rules October 27, 2003
+
( 2.5.13.10 NAME 'numericStringSubstringsMatch'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.58 )
The numericStringSubstringsMatch rule is a substrings matching rule.
-
-5.2.17 objectIdentifierFirstComponentMatch
+4.2.17. objectIdentifierFirstComponentMatch
The objectIdentifierFirstComponentMatch rule compares an assertion
value of the OID syntax to an attribute value of a syntax (e.g the
syntax) whose corresponding ASN.1 type is a SEQUENCE with a mandatory
first component of the OBJECT IDENTIFIER ASN.1 type.
-
-
-
-Legg & Dally Expires 27 August 2003 [Page 35]
-\f
-INTERNET-DRAFT LDAP: Syntaxes and Matching Rules February 27, 2003
-
-
Note that the assertion syntax of this matching rule differs from the
attribute syntax of attributes for which this is the equality
matching rule.
value can be derived from an attribute value by taking the first
component of that attribute value.
-
-5.2.18 objectIdentifierMatch
+4.2.18. objectIdentifierMatch
The objectIdentifierMatch rule compares an assertion value of the OID
syntax to an attribute value of a syntax (e.g the OID syntax) whose
<numericoid> form of <oid> or implicitly in the <descr> form (see
[MODELS]).
+
+
+
+Legg & Dally Expires 27 April 2004 [Page 36]
+\f
+INTERNET-DRAFT LDAP: Syntaxes and Matching Rules October 27, 2003
+
+
If an LDAP client supplies an assertion value in the <descr> form,
and the chosen descriptor is not recognized by the server, then the
objectIdentifierMatch rule evaluates to Undefined.
The objectIdentifierMatch rule is an equality matching rule.
-
-5.2.19 octetStringMatch
-
-
-
-
-Legg & Dally Expires 27 August 2003 [Page 36]
-\f
-INTERNET-DRAFT LDAP: Syntaxes and Matching Rules February 27, 2003
-
+4.2.19. octetStringMatch
The octetStringMatch rule compares an assertion value of the Octet
String syntax to an attribute value of a syntax (e.g the Octet String
The octetStringMatch rule is an equality matching rule.
-
-5.2.20 telephoneNumberMatch
+4.2.20. telephoneNumberMatch
The telephoneNumberMatch rule compares an assertion value of the
Telephone Number syntax to an attribute value of a syntax (e.g the
Telephone Number syntax) whose corresponding ASN.1 type is a
PrintableString representing a telephone number.
- The rule evaluates to TRUE if and only if the attribute value and the
- assertion value have the same number of characters and corresponding
- characters are the same, ignoring the case of letters, and ignoring
- space and `-' characters.
+ The rule evaluates to TRUE if and only if the prepared attribute
+ value character string and the prepared assertion value character
+ string have the same number of characters and corresponding
+ characters have the same code point.
+
+ In preparing the attribute value and assertion value for comparison,
+ characters are case folded in the Map preparation step, and only
+ telephoneNumber Insignificant Character Removal is applied in the
+ Insignificant Character Removal step.
The LDAP definition for the telephoneNumberMatch matching rule is:
+
+
+
+Legg & Dally Expires 27 April 2004 [Page 37]
+\f
+INTERNET-DRAFT LDAP: Syntaxes and Matching Rules October 27, 2003
+
+
( 2.5.13.20 NAME 'telephoneNumberMatch'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 )
The telephoneNumberMatch rule is an equality matching rule.
-
-5.2.21 telephoneNumberSubstringsMatch
+4.2.21. telephoneNumberSubstringsMatch
The telephoneNumberSubstringsMatch rule compares an assertion value
of the Substring Assertion syntax to an attribute value of a syntax
(e.g the Telephone Number syntax) whose corresponding ASN.1 type is a
PrintableString representing a telephone number.
- The rule evaluates to TRUE if and only if the substrings of the
- assertion value match disjoint portions of the attribute value in the
- order of the substrings in the assertion value, and an <initial>
- substring, if present, matches the beginning of the attribute value,
-
-
-
-Legg & Dally Expires 27 August 2003 [Page 37]
-\f
-INTERNET-DRAFT LDAP: Syntaxes and Matching Rules February 27, 2003
-
-
- and a <final> substring, if present, matches the end of the attribute
- value. A substring matches a portion of the attribute value if
- corresponding characters are the same, ignoring the case of letters,
- and ignoring space and `-' characters.
+ The rule evaluates to TRUE if and only if the prepared substrings of
+ the assertion value match disjoint portions of the prepared attribute
+ value character string in the order of the substrings in the
+ assertion value, and an <initial> substring, if present, matches the
+ beginning of the prepared attribute value character string, and a
+ <final> substring, if present, matches the end of the prepared
+ attribute value character string. A prepared substring matches a
+ portion of the prepared attribute value character string if
+ corresponding characters have the same code point.
+
+ In preparing the attribute value and assertion value substrings for
+ comparison, characters are case folded in the Map preparation step,
+ and only telephoneNumber Insignificant Character Removal is applied
+ in the Insignificant Character Removal step.
The LDAP definition for the telephoneNumberSubstringsMatch matching
rule is:
The telephoneNumberSubstringsMatch rule is a substrings matching
rule.
-
-5.2.22 uniqueMemberMatch
+4.2.22. uniqueMemberMatch
The uniqueMemberMatch rule compares an assertion value of the Name
And Optional UID syntax to an attribute value of a syntax (e.g the
absent from the attribute value or matches the <BitString> component
of the assertion value according to the bitStringMatch rule.
+
+
+Legg & Dally Expires 27 April 2004 [Page 38]
+\f
+INTERNET-DRAFT LDAP: Syntaxes and Matching Rules October 27, 2003
+
+
The LDAP definition for the uniqueMemberMatch matching rule is:
( 2.5.13.23 NAME 'uniqueMemberMatch'
The uniqueMemberMatch rule is an equality matching rule.
-
-6. Security Considerations
+5. Security Considerations
In general, the LDAP-specific encodings for syntaxes defined in this
document do not define canonical encodings. That is, a
transformation from an LDAP-specific encoding into some other
- encoding (e.g. BER) and back into the LDAP-specific encoding will not
- necessarily reproduce exactly the original octets of the
+ encoding (e.g., BER) and back into the LDAP-specific encoding will
+ not necessarily reproduce exactly the original octets of the
LDAP-specific encoding. Therefore an LDAP-specific encoding should
not be used where a canonical encoding is required.
Furthermore, the LDAP-specific encodings do not necessarily enable an
alternative encoding of values of the Directory String and DN
-
-
-
-Legg & Dally Expires 27 August 2003 [Page 38]
-\f
-INTERNET-DRAFT LDAP: Syntaxes and Matching Rules February 27, 2003
-
-
- syntaxes to be reconstructed, e.g. a transformation from DER to
- LDAP-specific encoding and back to DER may not reproduce the original
+ syntaxes to be reconstructed, e.g., a transformation from a
+ Distinguished Encoding Rules (DER) [BER] encoding to an LDAP-specific
+ encoding and back to a DER encoding may not reproduce the original
DER encoding. Therefore LDAP-specific encodings should not be used
- where reversibility to DER is needed, e.g. for the verification of
+ where reversibility to DER is needed, e.g., for the verification of
digital signatures. Instead, DER or a DER-reversible encoding should
be used.
matching rule comparisons are done on the underlying abstract value,
regardless of the particular encoding used.
-
-7. Acknowledgements
+6. Acknowledgements
This document is an revision of RFC 2252 by M. Wahl, A. Coulbeck, T.
Howes, and S. Kille. RFC 2252 was a product of the IETF ASID Working
The authors wish to thank J. Sermersheim and K. Zeilenga for their
significant contribution to this revision.
-
-8. IANA Considerations
+7. IANA Considerations
The Internet Assigned Numbers Authority (IANA) is requested to update
- the LDAP descriptors registry as indicated by the following
+ the LDAP descriptors registry [BCP64] as indicated by the following
templates:
+
+
+
+Legg & Dally Expires 27 April 2004 [Page 39]
+\f
+INTERNET-DRAFT LDAP: Syntaxes and Matching Rules October 27, 2003
+
+
Subject: Request for LDAP Descriptor Registration Update
Descriptor (short name): see comment
Object Identifier: see comment
bitStringMatch M 2.5.13.16
caseExactIA5Match M 1.3.6.1.4.1.1466.109.114.1
caseIgnoreIA5Match M 1.3.6.1.4.1.1466.109.114.2
-
-
-
-Legg & Dally Expires 27 August 2003 [Page 39]
-\f
-INTERNET-DRAFT LDAP: Syntaxes and Matching Rules February 27, 2003
-
-
caseIgnoreListMatch M 2.5.13.11
caseIgnoreMatch M 2.5.13.2
caseIgnoreOrderingMatch M 2.5.13.3
uniqueMemberMatch M 2.5.13.23
The descriptor for the object identifier 2.5.13.0 was incorrectly
- registered as objectIdentifiersMatch (extraneous `s') in RFC 3383.
+ registered as objectIdentifiersMatch (extraneous `s') in BCP 64.
It should be changed to the following with a reference to RFC
XXXX.
Subject: Request for LDAP Descriptor Registration
Descriptor (short name): caseIgnoreIA5SubstringsMatch
Object Identifier: 1.3.6.1.4.1.1466.109.114.3
+
+
+
+Legg & Dally Expires 27 April 2004 [Page 40]
+\f
+INTERNET-DRAFT LDAP: Syntaxes and Matching Rules October 27, 2003
+
+
Person & email address to contact for further information:
Steven Legg <steven.legg@adacel.com.au>
Usage: other (M)
Specification: RFC XXXX
Author/Change Controller: IESG
+8. References
-9. Normative References
-
-
-
-Legg & Dally Expires 27 August 2003 [Page 40]
-\f
-INTERNET-DRAFT LDAP: Syntaxes and Matching Rules February 27, 2003
-
+8.1. Normative References
[KEYWORD] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[ABNF] Crocker, D. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", RFC 2234, November 1997.
- [UTF-8] Yergeau, F., "UTF-8, a transformation format of ISO
- 10646", RFC 2279, January 1998.
+ [UTF8] Yergeau, F., "UTF-8, a transformation format of ISO
+ 10646", draft-yergeau-rfc2279bis-xx.txt, a work in
+ progress, June 2003.
- [RFC3383] Zeilenga, K., "IANA Considerations for LDAP", BCP 64, RFC
- 3383, September 2002.
+ [BCP64] Zeilenga, K., "Internet Assigned Numbers Authority (IANA)
+ Considerations for the Lightweight Directory Access
+ Protocol (LDAP)", BCP 64, RFC 3383, September 2002.
[LDAPDN] Zeilenga, K., "LDAP: String Representation of
Distinguished Names", draft-ietf-ldapbis-dn-xx.txt, a work
- in progress, August 2002.
+ in progress, June 2003.
[PROT] Sermersheim, J., "LDAP: The Protocol", draft-ietf-ldapbis-
- protocol-xx.txt, a work in progress, December 2002.
+ protocol-xx.txt, a work in progress, September 2003.
[E.123] Notation for national and international telephone numbers,
ITU-T Recommendation E.123, 1988.
document transmission - Terminal Equipment and Protocols
for Telematic Services, ITU-T Recommendation T.4, 1993
+
+
+
+Legg & Dally Expires 27 April 2004 [Page 41]
+\f
+INTERNET-DRAFT LDAP: Syntaxes and Matching Rules October 27, 2003
+
+
[T.50] International Reference Alphabet (IRA) (Formerly
International Alphabet No. 5 or IA5) Information
Technology - 7-Bit Coded Character Set for Information
Information Technology - Open Systems Interconnection -
The Directory: Selected attribute types
- [ASN.1] ITU-T Recommendation X.680 (1997) | ISO/IEC 8824-1:1998
- Information Technology - Abstract Syntax Notation One
+ [ASN.1] ITU-T Recommendation X.680 (07/02) | ISO/IEC 8824-1:2002,
+ Information technology - Abstract Syntax Notation One
(ASN.1): Specification of basic notation
[ISO3166] ISO 3166, "Codes for the representation of names of
-
-
-
-Legg & Dally Expires 27 August 2003 [Page 41]
-\f
-INTERNET-DRAFT LDAP: Syntaxes and Matching Rules February 27, 2003
-
-
countries".
[UCS] Universal Multiple-Octet Coded Character Set (UCS) -
Hamilton, C-Cube Microsystems, Milpitas, CA, September 1,
1992.
+ [ROADMAP] Zeilenga, K., "LDAP: Technical Specification Road Map",
+ draft-ietf-ldapbis-roadmap-xx.txt, a work in progress,
+ June 2003.
+
+ [MODELS] Zeilenga, K., "LDAP: Directory Information Models", draft-
+ ietf-ldapbis-models-xx.txt, a work in progress, June 2003.
+
+ [PREP] Zeilenga, K., "LDAP: Internationalized String
+ Preparation", draft-ietf-ldapbis-strprep-xx.txt, a work in
+ progress, June 2003.
-10. Informative References
+8.2. Informative References
[RFC2252] Wahl, M., Coulbeck, A., Howes, T. and S. Kille,
"Lightweight Directory Access Protocol (v3): Attribute
Syntax Definitions", RFC 2252, December 1997.
+
+
+Legg & Dally Expires 27 April 2004 [Page 42]
+\f
+INTERNET-DRAFT LDAP: Syntaxes and Matching Rules October 27, 2003
+
+
[RFC2256] Wahl, M., "A Summary of the X.500(96) User Schema for use
with LDAPv3", RFC 2256, December 1997.
Protocol (v3): Technical Specification", RFC 3377,
September 2002.
+ [SCHEMA] Dally, K., "LDAP: Schema for User Applications", draft-
+ ietf-ldapbis-user-schema-xx.txt, a work in progress, June
+ 2003.
+
+ [LDAP-PKI] Chadwick, D. W. and S. Legg, "LDAP Schema and Syntaxes for
+ PKIs", draft-ietf-pkix-ldap-pki-schema-xx.txt, a work in
+ progress, July 2002.
+
[X.500] ITU-T Recommendation X.500 (1993) | ISO/IEC 9594-1:1994,
Information Technology - Open Systems Interconnection -
The Directory: Overview of concepts, models and services
- [BER] ITU-T Recommendation X.690 (1997) | ISO/IEC 8825-1:1998
- Information Technology - ASN.1 encoding rules:
+ [BER] ITU-T Recommendation X.690 (07/02) | ISO/IEC 8825-1:2002,
+ Information technology - ASN.1 encoding rules:
Specification of Basic Encoding Rules (BER), Canonical
Encoding Rules (CER) and Distinguished Encoding Rules
(DER)
-
-11. Authors' Addresses
+9. Authors' Addresses
Steven Legg
Adacel Technologies Ltd.
- 405-409 Ferntree Gully Road
- Mount Waverley, Victoria 3149
+ 250 Bay Street
+ Brighton, Victoria 3186
AUSTRALIA
- Phone: +61 3 9451 2107
- Fax: +61 3 9541 2121
+ Phone: +61 3 8530 7710
+ Fax: +61 3 8530 7888
Email: steven.legg@adacel.com.au
-
-
-
-Legg & Dally Expires 27 August 2003 [Page 42]
-\f
-INTERNET-DRAFT LDAP: Syntaxes and Matching Rules February 27, 2003
-
-
Kathy Dally
The MITRE Corp.
7515 Colshire Dr., ms-W650
Email: kdally@mitre.org
-12. Copyright Notice
-
- Copyright (C) The Internet Society (2003). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+Legg & Dally Expires 27 April 2004 [Page 43]
+\f
+INTERNET-DRAFT LDAP: Syntaxes and Matching Rules October 27, 2003
+
+
+10. Intellectual Property Notice
+
+ The IETF takes no position regarding the validity or scope of any
+ intellectual property or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; neither does it represent that it
+ has made any effort to identify any such rights. Information on the
+ IETF's procedures with respect to rights in standards-track and
+ standards-related documentation can be found in BCP-11. Copies of
+ claims of rights made available for publication and any assurances of
+ licenses to be made available, or the result of an attempt made to
+ obtain a general license or permission for the use of such
+ proprietary rights by implementors or users of this specification can
+ be obtained from the IETF Secretariat.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights which may cover technology that may be required to practice
+ this standard. Please address the information to the IETF Executive
+ Director.
Appendix A. Summary of Syntax Object Identifiers
Syntax OBJECT IDENTIFIER
==============================================================
Attribute Type Description 1.3.6.1.4.1.1466.115.121.1.3
-
-
-
-Legg & Dally Expires 27 August 2003 [Page 43]
-\f
-INTERNET-DRAFT LDAP: Syntaxes and Matching Rules February 27, 2003
-
-
Bit String 1.3.6.1.4.1.1466.115.121.1.6
Boolean 1.3.6.1.4.1.1466.115.121.1.7
Country String 1.3.6.1.4.1.1466.115.121.1.11
JPEG 1.3.6.1.4.1.1466.115.121.1.28
LDAP Syntax Description 1.3.6.1.4.1.1466.115.121.1.54
Matching Rule Description 1.3.6.1.4.1.1466.115.121.1.30
+
+
+
+Legg & Dally Expires 27 April 2004 [Page 44]
+\f
+INTERNET-DRAFT LDAP: Syntaxes and Matching Rules October 27, 2003
+
+
Matching Rule Use Description 1.3.6.1.4.1.1466.115.121.1.31
Name And Optional UID 1.3.6.1.4.1.1466.115.121.1.34
Name Form Description 1.3.6.1.4.1.1466.115.121.1.35
Telex Number 1.3.6.1.4.1.1466.115.121.1.52
UTC Time 1.3.6.1.4.1.1466.115.121.1.53
-
Appendix B. Changes from RFC 2252 & RFC 2256
This annex lists the significant differences between this
and revised. Changes to the parts of these sections moved to
[MODELS] are detailed in [MODELS].
-
-
-Legg & Dally Expires 27 August 2003 [Page 44]
-\f
-INTERNET-DRAFT LDAP: Syntaxes and Matching Rules February 27, 2003
-
-
3. BNF descriptions of syntax formats have been replaced by ABNF
[ABNF] specifications.
4. The ambiguous statement in RFC 2252, Section 4.3 regarding the
use of a backslash quoting mechanism to escape separator symbols
- has been removed. The escaping mechanism is now explicitly
+ has been removed. The escaping mechanism is now explicitly
represented in the ABNF for the syntaxes where this provision
applies.
7. The set of characters allowed in a <PrintableString> (formerly
<printablestring>) has been corrected to align with the
+
+
+
+Legg & Dally Expires 27 April 2004 [Page 45]
+\f
+INTERNET-DRAFT LDAP: Syntaxes and Matching Rules October 27, 2003
+
+
PrintableString ASN.1 type in [ASN.1]. Specifically, the double
quote character has been removed and the single quote character
and equals sign have been added.
transfer encoding.
13. All discussion of transfer options, including the ";binary"
- option, has been removed. All imperatives regarding binary
+ option, has been removed. All imperatives regarding binary
transfer of values have been removed.
14. The Delivery Method, Enhanced Guide, Guide, Octet String, Teletex
been incorporated.
15. The <criteria> rule for the Enhanced Guide and Guide syntaxes has
-
-
-
-Legg & Dally Expires 27 August 2003 [Page 45]
-\f
-INTERNET-DRAFT LDAP: Syntaxes and Matching Rules February 27, 2003
-
-
been extended to accommodate empty "and" and "or" expressions.
16. An encoding for the <ttx-value> rule in the Teletex Terminal
20. The Presentation Address syntax has been removed since its
specification (in RFC 1278) is not at draft standard maturity.
+
+
+Legg & Dally Expires 27 April 2004 [Page 46]
+\f
+INTERNET-DRAFT LDAP: Syntaxes and Matching Rules October 27, 2003
+
+
21. The ACI Item, Access Point, Audio, Data Quality, DSA Quality, DSE
Type, LDAP Schema Description, Master And Shadow Access Points,
Modify Rights, Protocol Information, Subtree Specification,
24. The caseIgnoreIA5SubstringsMatch matching rule from RFC 2798 has
been added.
- 25. The caseIgnoreIA5SubstringsMatch, caseIgnoreListSubstringsMatch,
- caseIgnoreOrderingMatch and caseIgnoreSubstringsMatch matching
- rules have been added to the list of matching rules for which the
- provisions for handling leading, trailing and multiple adjoining
- whitespace characters apply. This is consistent with the
- definitions of these matching rules in X.500. The
- telephoneNumberMatch rule has been removed from the list since it
- completely ignores all space characters.
+ 25. The caseIgnoreListSubstringsMatch, caseIgnoreOrderingMatch and
+ caseIgnoreSubstringsMatch matching rules have been added to the
+ list of matching rules for which the provisions for handling
+ leading, trailing and multiple adjoining whitespace characters
+ apply (now through string preparation). This is consistent with
+ the definitions of these matching rules in X.500. The
+ caseIgnoreIA5SubstringsMatch rule has also been added to the
+ list.
26. The specification of the octetStringMatch matching rule from RFC
2256 has been added to this document.
-
-
-Legg & Dally Expires 27 August 2003 [Page 46]
-\f
-INTERNET-DRAFT LDAP: Syntaxes and Matching Rules February 27, 2003
-
-
27. The presentationAddressMatch matching rule has been removed as it
depends on an assertion syntax (Presentation Address) that is not
at draft standard maturity.
30. The specification of the caseIgnoreListSubstringsMatch matching
rule from RFC 2798 & X.520 has been added to this document.
+ 31. String preparation algorithms have been applied to the character
+ string matching rules.
+Full Copyright Statement
+Legg & Dally Expires 27 April 2004 [Page 47]
+\f
+INTERNET-DRAFT LDAP: Syntaxes and Matching Rules October 27, 2003
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assignees.
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Legg & Dally Expires 27 August 2003 [Page 47]
+Legg & Dally Expires 27 April 2004 [Page 48]
\f
Network Working Group Mark Smith, Editor
Request for Comments: DRAFT Netscape Communications Corp.
Obsoletes: RFC 2255 Tim Howes
-Expires: 28 August 2003 Opsware, Inc.
+Expires: 25 April 2004 Opsware, Inc.
- 28 February 2003
+ 25 October 2003
LDAP: Uniform Resource Locator
- <draft-ietf-ldapbis-url-03.txt>
+ <draft-ietf-ldapbis-url-04.txt>
Smith & Howes Intended Category: Standards Track [Page 1]
\f
-INTERNET-DRAFT LDAP: Uniform Resource Locator 28 February 2003
+INTERNET-DRAFT LDAP: Uniform Resource Locator 25 October 2003
3. Table of Contents
3. Table of Contents..............................................2
4. Introduction...................................................2
5. URL Definition.................................................2
+5.1. Escaping Using the Method.................................4
6. Defaults for Fields of the LDAP URL............................5
-7. Examples.......................................................5
-8. Security Considerations........................................7
-9. Acknowledgements...............................................8
-10. Normative References...........................................9
-11. Informative References.........................................9
-12. Authors' Address...............................................9
-13. Full Copyright Statement.......................................10
-14. Appendix A: Changes Since RFC 2255.............................10
-14.1. Technical Changes...........................................10
-14.2. Editorial Changes...........................................11
-15. Appendix B: Changes Since Previous Document Revision...........13
-15.1. Technical Changes...........................................13
-15.2. Editorial Changes...........................................13
+7. Examples.......................................................6
+8. Security Considerations........................................8
+9. Normative References...........................................8
+10. Informative References.........................................9
+11. Intellectual Property Rights...................................9
+12. Acknowledgements...............................................10
+13. Authors' Address...............................................10
+14. Full Copyright Statement.......................................11
+15. Appendix A: Changes Since RFC 2255.............................11
+15.1. Technical Changes...........................................11
+15.2. Editorial Changes...........................................12
+16. Appendix B: Changes Since Previous Document Revision...........13
+16.1. Technical Changes...........................................14
+16.2. Editorial Changes...........................................14
4. Introduction
5. URL Definition
An LDAP URL begins with the protocol prefix "ldap" and is defined by
- the following grammar, following the ABNF notation defined in
- [RFC2234].
Smith & Howes Intended Category: Standards Track [Page 2]
\f
-INTERNET-DRAFT LDAP: Uniform Resource Locator 28 February 2003
+INTERNET-DRAFT LDAP: Uniform Resource Locator 25 October 2003
+ the following grammar, following the ABNF notation defined in
+ [RFC2234].
+
ldapurl = scheme COLON SLASH SLASH [hostport] [SLASH dn
[QUESTION [attributes] [QUESTION [scope]
[QUESTION [filter] [QUESTION extensions]]]]]
scheme = "ldap"
hostport = <hostport from Section 3.2.2 of [RFC2396]>
- ; as updated by [RFC2732] to allow IPv6 literal addresses
+ ; as updated by [RFC2732] to allow IPv6 literal addresses
dn = <distinguishedName from Section 3 of [LDAPDN]>
+ ; see the "Escaping Using the % Method" section below.
attributes = attrdesc *(COMMA attrdesc)
attrdesc = <AttributeDescription from Section 4.1.4 of [Protocol]>
- / ASTERIX
+ / ASTERISK
+ ; see the "Escaping Using the % Method" section below.
scope = "base" / "one" / "sub"
filter = <filter from Section 4 of [Filters]>
+ ; see the "Escaping Using the % Method" section below.
extensions = extension *(COMMA extension)
extension = [EXCLAMATION] extype [EQUALS exvalue]
extype = oid / oiddescr
exvalue = <LDAPString from section 4.1.2 of [Protocol]>
+ ; see the "Escaping Using the % Method" section below.
oid = <LDAPOID from section 4.1.2 of [Protocol]>
- oiddescr = <name from section 3.3 of [LDAPIANA]>
+ oiddescr = <name from section 3.3 of [RFC3383]>
EXCLAMATION = %x21 ; exclamation mark ("!")
- ASTERIX = %x2A ; asterix ("*")
+ ASTERISK = %x2A ; asterisk ("*")
COLON = %x3A ; colon (":")
QUESTION = %x3F ; question mark ("?")
SLASH = %x5C; forward slash ("/")
The scope construct is used to specify the scope of the search to
perform in the given LDAP server. The allowable scopes are "base"
- for a base object search, "one" for a one-level search, or "sub" for
- a subtree search.
-
- The filter is used to specify the search filter to apply to entries
- within the specified scope during the search. It has the format
- specified in [Filters].
-
Smith & Howes Intended Category: Standards Track [Page 3]
\f
-INTERNET-DRAFT LDAP: Uniform Resource Locator 28 February 2003
+INTERNET-DRAFT LDAP: Uniform Resource Locator 25 October 2003
+ for a base object search, "one" for a one-level search, or "sub" for
+ a subtree search.
+
+ The filter is used to specify the search filter to apply to entries
+ within the specified scope during the search. It has the format
+ specified in [Filters].
+
The extensions construct provides the LDAP URL with an extensibility
mechanism, allowing the capabilities of the URL to be extended in the
future. Extensions are a simple comma-separated list of type=value
The extension type (extype) MAY be specified using the oid form
(e.g., 1.2.3.4) or the oiddesc form (e.g., myLDAPURLExtension). Use
of the oiddesc form SHOULD be restricted to registered object
- identifier descriptive names. See [LDAPIANA] for registration
- details and usage guidelines for descriptive names.
+ identifier descriptive names. See [RFC3383] for registration details
+ and usage guidelines for descriptive names.
No LDAP URL extensions are defined in this document. Other documents
or a future version of this document MAY define one or more
extensions.
+5.1. Escaping Using the % Method
+
A generated LDAP URL MUST consist only of the restricted set of
characters included in the uric production that is defined in section
2 of [RFC2396]. Implementations SHOULD accept other valid UTF-8
- strings as input. An octet MUST be escaped using the % method
- described in section 2.4 of [RFC2396] in any of these situations:
+ strings [UTF-8] as input. An octet MUST be escaped using the %
+ method described in section 2.4 of [RFC2396] in any of these
+
+
+
+Smith & Howes Intended Category: Standards Track [Page 4]
+\f
+INTERNET-DRAFT LDAP: Uniform Resource Locator 25 October 2003
+
+
+ situations:
The octet is not in the reserved set defined in section 2.2 of
[RFC2396] or in the unreserved set defined in section 2.3 of
It is a comma character ',' that occurs inside an extension value.
-
-
-Smith & Howes Intended Category: Standards Track [Page 4]
-\f
-INTERNET-DRAFT LDAP: Uniform Resource Locator 28 February 2003
-
-
6. Defaults for Fields of the LDAP URL
Some fields of the LDAP URL are optional, as described above. In the
If extensions is omitted, no extensions are assumed.
+
+
+
+
+
+Smith & Howes Intended Category: Standards Track [Page 5]
+\f
+INTERNET-DRAFT LDAP: Uniform Resource Locator 25 October 2003
+
+
7. Examples
The following are some example LDAP URLs using the format defined
ldap://ldap1.example.net/o=University%20of%20Michigan,c=US
-
-
-Smith & Howes Intended Category: Standards Track [Page 5]
-\f
-INTERNET-DRAFT LDAP: Uniform Resource Locator 28 February 2003
-
-
Both of these URLs correspond to a base object search of the
"o=University of Michigan,c=US" entry using a filter of
"(objectclass=*)", requesting all attributes.
the LDAP entry named "o=Question?,c=US" is given below, illustrating
the use of the escaping mechanism on the reserved character '?'.
- ldap://ldap2.example.com/o=Question%3f,c=US?mail
- The next example illustrates the interaction between the LDAP string
- representation of filters quoting mechanism and URL quoting
- mechanisms.
- ldap://ldap3.example.com/o=Babsco,c=US???(int=%5c00%5c00%5c00%5c04)
- The filter in this example uses the LDAP escaping mechanism of \ to
- encode three zero or null bytes in the value. In LDAP, the filter
- would be written as (int=\00\00\00\04). Because the \ character must
- be escaped in a URL, the \'s are escaped as %5c in the URL encoding.
-
- The next example illustrates the interaction between the LDAP string
+Smith & Howes Intended Category: Standards Track [Page 6]
+\f
+INTERNET-DRAFT LDAP: Uniform Resource Locator 25 October 2003
+ ldap://ldap2.example.com/o=Question%3f,c=US?mail
-Smith & Howes Intended Category: Standards Track [Page 6]
-\f
-INTERNET-DRAFT LDAP: Uniform Resource Locator 28 February 2003
+ The next example illustrates the interaction between the LDAP string
+ representation of filters quoting mechanism and URL quoting
+ mechanisms.
+ ldap://ldap3.example.com/o=Babsco,c=US???(four-octet=%5c00%5c00%5c00%5c04)
+ IP The filter in this example uses the LDAP escaping mechanism of \
+ to encode three zero or null bytes in the value. In LDAP, the filter
+ would be written as (four-octet=\00\00\00\04). Because the \
+ character must be escaped in a URL, the \'s are escaped as %5c in the
+ URL encoding.
+ The next example illustrates the interaction between the LDAP string
representation of DNs quoting mechanism and URL quoting mechanisms.
ldap://ldap.example.com/o=An%20Example%5c2c%20Inc.,c=US
the e-bindname extension.
+
+
+
+Smith & Howes Intended Category: Standards Track [Page 7]
+\f
+INTERNET-DRAFT LDAP: Uniform Resource Locator 25 October 2003
+
+
8. Security Considerations
General URL security considerations discussed in [RFC2396] are
with this policy. If a client chooses to reuse an existing
connection when resolving one or more LDAP URL, it MUST ensure that
the connection is compatible with the URL and that no security
-
-
-
-Smith & Howes Intended Category: Standards Track [Page 7]
-\f
-INTERNET-DRAFT LDAP: Uniform Resource Locator 28 February 2003
-
-
policies are violated.
Sending authentication information, no matter the mechanism, may
search, etc. The security implications of resolving an LDAP URL are
the same as those of resolving an LDAP search query.
-9. Acknowledgements
-
- The LDAP URL format was originally defined at the University of
- Michigan. This material is based upon work supported by the National
- Science Foundation under Grant No. NCR-9416667. The support of both
- the University of Michigan and the National Science Foundation is
- gratefully acknowledged.
+9. Normative References
- This document is an update to RFC 2255 by Tim Howes and Mark Smith.
- Changes included in this revised specification are based upon
- discussions among the authors, discussions within the LDAP (v3)
- Revision Working Group (ldapbis), and discussions within other IETF
- Working Groups. The contributions of individuals in these working
- groups is gratefully acknowledged. Several people in particular have
- made valuable comments on this document; RL "Bob" Morgan, Mark Wahl,
- Kurt Zeilenga, Jim Sermersheim, and Hallvard Furuseth deserve special
- thanks for their contributions.
+ [LDAPDN] Zeilenga, K. (editor), "LDAP: String Representation of
Smith & Howes Intended Category: Standards Track [Page 8]
\f
-INTERNET-DRAFT LDAP: Uniform Resource Locator 28 February 2003
+INTERNET-DRAFT LDAP: Uniform Resource Locator 25 October 2003
-10. Normative References
-
- [LDAPDN] Zeilenga, K. (editor), "LDAP: String Representation of
Distinguished Names", draft-ietf-ldapbis-dn-xx.txt, a work in
progress.
- [LDAPIANA] Zeilenga, K., "IANA Considerations for LDAP", draft-ietf-
- ldapbis-iana-xx.txt, a work in progress.
-
[Filters] Smith, M. and Howes, T., "LDAP: String Representation of
Search Filters", draft-ietf-ldapbis-filter-xx.txt, a work in
- progress. [RFC2119] Bradner, S., "Key Words for use in RFCs to
- Indicate Requirement Levels," RFC 2119, BCP 14, March 1997.
+ progress.
+
+ [RFC2119] Bradner, S., "Key Words for use in RFCs to Indicate
+ Requirement Levels," RFC 2119, BCP 14, March 1997.
[Protocol] Sermersheim, J. (editor), "LDAP: The Protocol", draft-
ietf-ldapbis-protocol-xx.txt, a work in progress.
[RFC2234] Crocker, D., Overell, P., "Augmented BNF for Syntax
Specifications: ABNF", RFC 2234, November 1997.
- [RFC2279] Yergeau, F., "UTF-8, a transformation format of ISO 10646",
- RFC 2279, January 1998.
-
[RFC2396] Berners-Lee, T., Fielding, R., and Masinter, L., "Uniform
Resource Identifiers (URI): Generic Syntax", RFC 2396, August 1998.
[RFC2732] Hinden, R., Carpenter, B., Masinter, L., "Format for
Literal IPv6 Addresses in URL's", RFC 2732, December 1999.
+ [RFC3383] Zeilenga, K., "Internet Assigned Numbers Authority (IANA)
+ Considerations for the Lightweight Directory Access Protocol
+ (LDAP)", RFC 3383, September 2002.
+
[AuthMeth] Harrison, R. (editor), "LDAP: Authentication Methods",
draft-ietf-ldapbis-authmeth-xx.txt, a work in progress. a work in
progress.
[Roadmap] K. Zeilenga (editor), "LDAP: Technical Specification Road
Map", draft-ietf-ldapbis-roadmap-xx.txt, a work in progress.
-11. Informative References
+ [UTF-8] Yergeau, F., "UTF-8, a transformation format of ISO 10646",
+ draft-yergeau-rfc2279bis-xx.txt, a work in progress.
+
+10. Informative References
None.
-12. Authors' Address
+11. Intellectual Property Rights
- Mark Smith, Editor
- Netscape Communications Corp.
- 360 W. Caribbean Drive
- Sunnyvale, CA 94089
- USA
- +1 650 937-3477
+ The IETF takes no position regarding the validity or scope of any
+ intellectual property or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; neither does it represent that it
+ has made any effort to identify any such rights. Information on the
Smith & Howes Intended Category: Standards Track [Page 9]
\f
-INTERNET-DRAFT LDAP: Uniform Resource Locator 28 February 2003
+INTERNET-DRAFT LDAP: Uniform Resource Locator 25 October 2003
+
+
+ IETF's procedures with respect to rights in standards-track and
+ standards-related documentation can be found in BCP-11. Copies of
+ claims of rights made available for publication and any assurances of
+ licenses to be made available, or the result of an attempt made to
+ obtain a general license or permission for the use of such
+ proprietary rights by implementors or users of this specification can
+ be obtained from the IETF Secretariat.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights which may cover technology that may be required to practice
+ this standard. Please address the information to the IETF Executive
+ Director.
+
+12. Acknowledgements
+
+ The LDAP URL format was originally defined at the University of
+ Michigan. This material is based upon work supported by the National
+ Science Foundation under Grant No. NCR-9416667. The support of both
+ the University of Michigan and the National Science Foundation is
+ gratefully acknowledged.
+
+ This document is an update to RFC 2255 by Tim Howes and Mark Smith.
+ Changes included in this revised specification are based upon
+ discussions among the authors, discussions within the LDAP (v3)
+ Revision Working Group (ldapbis), and discussions within other IETF
+ Working Groups. The contributions of individuals in these working
+ groups is gratefully acknowledged. Several people in particular have
+ made valuable comments on this document; RL "Bob" Morgan, Mark Wahl,
+ Kurt Zeilenga, Jim Sermersheim, and Hallvard Furuseth deserve special
+ thanks for their contributions.
+13. Authors' Address
- mcs@netscape.com
+ Mark Smith, Editor
+ Netscape Communications Corp.
+ 360 W. Caribbean Drive
+ Sunnyvale, CA 94089
+ USA
+ +1 650 937-3477
+ MarkCSmithWork@aol.com
Tim Howes
Opsware, Inc.
Sunnyvale, CA 94085
USA
+1 408 744-7509
+
+
+
+Smith & Howes Intended Category: Standards Track [Page 10]
+\f
+INTERNET-DRAFT LDAP: Uniform Resource Locator 25 October 2003
+
+
howes@opsware.com
-13. Full Copyright Statement
+14. Full Copyright Statement
Copyright (C) The Internet Society (2003). All Rights Reserved.
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+15. Appendix A: Changes Since RFC 2255
-14. Appendix A: Changes Since RFC 2255
-
-14.1. Technical Changes
+15.1. Technical Changes
The following technical changes were made to the contents of the "URL
Definition" section:
Revised all of the ABNF to use common productions from [Models].
-
-
-
-Smith & Howes Intended Category: Standards Track [Page 10]
-\f
-INTERNET-DRAFT LDAP: Uniform Resource Locator 28 February 2003
-
-
Added note and references to [RFC2732] to allow literal IPv6
addresses inside the hostport portion of the URL.
- Added missing ASTERIX as an alternative for the attrdesc part of the
+ Added missing ASTERISK as an alternative for the attrdesc part of the
URL. It is believed that existing implementations of RFC 2255
already support this.
Added angle brackets around free-form prose in the "dn", "hostport",
"attrdesc", "filter", and "exvalue" rules.
+
+
+Smith & Howes Intended Category: Standards Track [Page 11]
+\f
+INTERNET-DRAFT LDAP: Uniform Resource Locator 25 October 2003
+
+
Changed the ABNF for ldapurl to group the dn component with the
preceding slash.
Changed the extype rule to be an LDAPOID from [Protocol] or an OID
- description from [LDAPIANA].
+ description from [RFC3383].
- Changed the text about extension types so it references [LDAPIANA].
+ Changed the text about extension types so it references [RFC3383].
Reordered rules to more closely follow the order the elements appear
in the URL.
"Bindname Extension": removed due to lack of known implementations.
-14.2. Editorial Changes
+15.2. Editorial Changes
Changed document title to include "LDAP:" prefix.
"URL Definition" section: removed second copy of ldapurl grammar and
following two paragraphs (editorial error in RFC 2255). Fixed line
-
-
-
-Smith & Howes Intended Category: Standards Track [Page 11]
-\f
-INTERNET-DRAFT LDAP: Uniform Resource Locator 28 February 2003
-
-
break within '!' sequence. Reworded last paragraph to clarify which
characters must be URL escaped. Added text to indicate that LDAP
URLs are used for references and referrals. Added text that refers
"URL Processing" section: clarified that connections MAY be reused
only if the open connection is compatible with the URL. Added text
+
+
+
+Smith & Howes Intended Category: Standards Track [Page 12]
+\f
+INTERNET-DRAFT LDAP: Uniform Resource Locator 25 October 2003
+
+
to indicate that use of security services is encouraged and that they
SHOULD be used when updates are involved. Removed "dn" from
discussion of authentication methods. Added note that the client MAY
example.net hostnames. Added missing '?' to the LDAP URL example
whose filter contains three null bytes. Removed space after one
comma within a DN. Revised the bindname example to use e-bindname.
- Added an example that demonstrates the interaction between DN
- escaping and URL escaping. Added some examples to show URL
- equivalence with respect to the dn portion of the URL.
+ Changed the name of an attribute used in one example from "int" to
+ "four-octet" to avoid potential confusion. Added an example that
+ demonstrates the interaction between DN escaping and URL escaping.
+ Added some examples to show URL equivalence with respect to the dn
+ portion of the URL.
"Security Considerations" section: Added a note about connection
reuse. Added a note about using strong authentication methods for
"Normative References" section: renamed from "References" per new RFC
guidelines. Changed from [1] style to [Protocol] style throughout the
- document. Added references to RFCs 2234 and 2829. Updated RFC 1738
- references to the appropriate sections within RFC 2396. Updated the
- references to refer to LDAPBis WG documents. Removed the reference to
- the LDAP Attribute Syntaxes document and added references to the LDAP
- IANA and Roadmap documents.
+ document. Added references to RFCs 2234, 2829, and 3383. Updated
+ RFC 1738 references to the appropriate sections within RFC 2396.
+ Updated the references to refer to LDAPBis WG documents. Removed the
+ reference to the LDAP Attribute Syntaxes document and added a
+ reference to the Roadmap document.
"Informative References" section: added for clarity.
Copyright: updated the year.
+16. Appendix B: Changes Since Previous Document Revision
+ This appendix lists all changes relative to the previously published
+ revision, draft-ietf-ldapbis-url-03.txt. Note that when appropriate
+ these changes are also included in Appendix A, but are also included
+ here for the benefit of the people who have already reviewed draft-
+ ietf-ldapbis-url-03.txt. This section will be removed before this
+ document is published as an RFC.
-Smith & Howes Intended Category: Standards Track [Page 12]
+
+Smith & Howes Intended Category: Standards Track [Page 13]
\f
-INTERNET-DRAFT LDAP: Uniform Resource Locator 28 February 2003
+INTERNET-DRAFT LDAP: Uniform Resource Locator 25 October 2003
-15. Appendix B: Changes Since Previous Document Revision
+16.1. Technical Changes
- This appendix lists all changes relative to the last published
- revision, draft-ietf-ldapbis-url-02.txt. Note that when appropriate
- these changes are also included in Appendix A, but are also included
- here for the benefit of the people who have already reviewed draft-
- ietf-ldapbis-url-02.txt. This section will be removed before this
- document is published as an RFC.
+ None.
-15.1. Technical Changes
+16.2. Editorial Changes
- "URL Definition" section: revised all of the ABNF to use common
- productions from [Models] and added note and references to [RFC2732]
- to allow literal IPv6 addresses inside the hostport portion of the
- URL.
+ "URL Definition" section: added comments in the ABNF to point the
+ reader to the "Escaping Using the % Method" section, which was
+ changed into a section of its own to highlight the importance of
+ escaping the URL components correctly.
+ "Examples" section: changed the name of an attribute used in one
+ example from "int" to "four-octet" to avoid potential confusion.
-15.2. Editorial Changes
+ Replaced all occurrences of "asterix" with the correctly spelled
+ "asterisk."
- "Status of this Memo" section: updated boilerplate to match current
- I-D guidelines.
+ "Normative References" section: changed UTF-8 reference to point to
+ the UTF-8 Internet Draft; replace [LDAPIANA] Internet Draft reference
+ with a reference to RFC 3383.
- "URL Definition" section: replaced misleading phrase "MAY define
- other extensions" with "MAY define one or more extensions" (this
- document no longer defines any extensions). Rewrote the last
- paragraph of this section to more clearly describe the escaping rules
- and to reference [RFC2396] accurately.
+ "Intellectual Property Rights" section: added.
- "Examples" section: added an example that demonstrates the
- interaction between DN escaping and URL escaping and clarified the
- text that introduces the LDAP filter escaping interaction example.
+ Author's Addresses section: New email address for Mark Smith.
- "Acknowledgements" section: added Hallvard Furuseth.
+ "Full Copyright Statement" section: updated text to match latest IETF
+ guidelines.
- "Normative References" section: added a reference to [RFC2732].
- "Informative References" section: added for clarity.
+This Internet Draft expires on 25 April 2004.
- Copyright: updated the year to 2003.
- "Authors' Address" section: updated Tim's contact information.
- Appendix A: added an older editorial change that was accidently
- overlooked (Changed document title to include "LDAP:" prefix).
-This Internet Draft expires on 28 August 2003.
-Smith & Howes Intended Category: Standards Track [Page 13]
+
+
+
+
+
+
+
+
+
+
+
+
+Smith & Howes Intended Category: Standards Track [Page 14]
\f
INTERNET-DRAFT K. Dally, Editor
Intended Category: Standard Track The MITRE Corp.
-Expires: October 2003 April 2003
-Updates: RFC 2247
+Expires: December 2003 June 2003
+Updates: RFC 2247, RFC 2798
Obsoletes: RFC 2256
- LDAP: User Schema
- <draft-ietf-ldapbis-user-schema-05>
+ LDAP: Schema for User Applications
+ <draft-ietf-ldapbis-user-schema-06>
Status of this Memo
Abstract
- This document is a integral part of the LDAP technical specification
- [ROADMAP]. It provides an overview of attribute types and object
- classes intended for use by LDAP directory clients for many
- directory services, such as, White Pages. Originally specified the
- ISO/IEC 9594 and X.500 documents, these objects are widely used as a
+ This document is a integral part of the Lightweight Directory Access
+ Protocol (LDAP) technical specification [ROADMAP]. It provides a
+ technical specification of attribute types and object classes
+ intended for use by LDAP directory clients for many directory
+ services, such as, White Pages. These objects are widely used as a
basis for the schema in many LDAP directories. This document does
not cover attributes used for the administration of directory
servers, nor does it include directory objects defined for specific
uses in other documents.
-Dally Expires October 2003 [Page 1]
-INTERNET-DRAFT draft-ietf-ldapbis-user-schema-05 April 2003
+Dally Expires December 2003 [Page 1]
+INTERNET-DRAFT draft-ietf-ldapbis-user-schema-06 June 2003
- Table of Contents
+ Table of Contents
Status of this Memo 1
2.3 cn 6
2.4 dc 6
2.5 description 6
- 2.6 destinationIndicator 6
+ 2.6 destinationIndicator 7
2.7 distinguishedName 7
2.8 dnQualifier 7
- 2.9 enhancedSearchGuide 7
- 2.10 facsimileTelephoneNumber 7
+ 2.9 enhancedSearchGuide 8
+ 2.10 facsimileTelephoneNumber 8
2.11 generationQualifier 8
2.12 givenName 8
- 2.13 houseIdentifier 8
- 2.14 initials 8
- 2.15 internationalISDNNumber 8
+ 2.13 houseIdentifier 9
+ 2.14 initials 9
+ 2.15 internationalISDNNumber 9
2.16 l 9
- 2.17 member 9
- 2.18 name 9
- 2.19 o 9
- 2.20 ou 9
- 2.21 owner 10
- 2.22 physicalDeliveryOfficeName 10
- 2.23 postalAddress 10
- 2.24 postalCode 10
- 2.25 postOfficeBox 10
- 2.26 preferredDeliveryMethod 11
- 2.27 registeredAddress 11
- 2.28 roleOccupant 11
- 2.29 searchGuide 11
- 2.30 seeAlso 12
- 2.31 serialNumber 12
- 2.32 sn 12
- 2.33 st 12
- 2.34 street 12
- 2.35 telephoneNumber 12
+ 2.17 member 10
+ 2.18 name 10
+ 2.19 o 10
+ 2.20 ou 10
+ 2.21 owner 11
+ 2.22 physicalDeliveryOfficeName 11
+ 2.23 postalAddress 11
+ 2.24 postalCode 11
+ 2.25 postOfficeBox 12
+ 2.26 preferredDeliveryMethod 12
+ 2.27 registeredAddress 12
+ 2.28 roleOccupant 13
+ 2.29 searchGuide 13
+ 2.30 seeAlso 13
+ 2.31 serialNumber 13
+ 2.32 sn 14
+ 2.33 st 14
+ 2.34 street 14
+ 2.35 telephoneNumber 14
-Dally Expires October 2003 [Page 2]
-INTERNET-DRAFT draft-ietf-ldapbis-user-schema-05 April 2003
+Dally Expires December 2003 [Page 2]
+INTERNET-DRAFT draft-ietf-ldapbis-user-schema-06 June 2003
- 2.36 teletexTerminalIdentifier 13
- 2.37 telexNumber 13
- 2.38 title 13
- 2.39 uniqueMember 13
- 2.40 userPassword 14
- 2.41 x121Address 14
- 2.42 x500UniqueIdentifier 14
+ 2.36 teletexTerminalIdentifier 14
+ 2.37 telexNumber 15
+ 2.38 title 15
+ 2.39 uid 15
+ 2.40 uniqueMember 15
+ 2.41 userPassword 16
+ 2.42 x121Address 16
+ 2.43 x500UniqueIdentifier 16
-3. Object Classes 15
- 3.1 applicationProcess 15
- 3.2 country 15
- 3.3 device 15
- 3.4 domain 15
- 3.5 groupOfNames 16
- 3.6 groupOfUniqueNames 16
- 3.7 locality 17
- 3.8 organization 17
- 3.9 organizationalPerson 17
- 3.10 organizationalRole 18
- 3.11 organizationalUnit 18
- 3.12 person 18
- 3.13 residentialPerson 19
+3. Object Classes 17
+ 3.1 applicationProcess 17
+ 3.2 country 17
+ 3.3 device 17
+ 3.4 groupOfNames 18
+ 3.5 groupOfUniqueNames 18
+ 3.6 locality 18
+ 3.7 organization 19
+ 3.8 organizationalPerson 19
+ 3.9 organizationalRole 19
+ 3.10 organizationalUnit 20
+ 3.11 person 20
+ 3.12 residentialPerson 20
-4. IANA Considerations 19
+4. IANA Considerations 21
-5. Security Considerations 19
+5. Security Considerations 22
-6. Acknowledgements 19
+6. Acknowledgements 23
-7. References 20
- 7.1 Normative 20
- 7.2 Informative 20
+7. References 23
+ 7.1 Normative 23
+ 7.2 Informative 24
-8. Author's Address 21
+8. Author's Address 25
-9. Full Copyright Statement 21
+9. Full Copyright Statement 25
-Dally Expires October 2003 [Page 3]
-INTERNET-DRAFT draft-ietf-ldapbis-user-schema-05 April 2002
+Dally Expires December 2003 [Page 3]
+INTERNET-DRAFT draft-ietf-ldapbis-user-schema-06 June 2002
1. Introduction
This document provides an overview of attribute types and object
- classes intended for use by LDAP directory clients for many
- directory services, such as, White Pages. Originally specified in
- the ISO/IEC 9594 and X.500 documents, these objects are widely used
- as a basis for the schema in many LDAP directories. This document
- does not cover attributes used for the administration of directory
- servers, nor does it include directory objects defined for specific
- uses in other documents.
+ classes intended for use by Lightweight Directory Access Protocol
+ directory clients for many directory services, such as, White Pages.
+ Originally specified in the X.500 [X.500] documents, these objects
+ are widely used as a basis for the schema in many LDAP
+ directories. This document does not cover attributes used for the
+ administration of directory servers, nor does it include directory
+ objects defined for specific uses in other documents.
1.1 Situation
This document is a integral part of the LDAP technical specification
[ROADMAP] which obsoletes the previously defined LDAP technical
specification [RFC3377] in its entirety. In terms of RFC 2256,
- Sections 6 and 8 of RFC 2256 are obsoleted by [Syntaxes].
- Sections 5.1, 5.2, 7.1 and 7.2 of RFC 2256 are obsoleted by [Models].
- The remainder of RFC 2256 is obsoleted by this document. Sections
- 3.4 and 4.4 of this document supercede the technical specifications
- for the 'dc' attribute type and 'domain' object class found in
- RFC 2247. The remainder of RFC 2247 remains in force.
+ Sections 6 and 8 of RFC 2256 are obsoleted by [Syntaxes]. Sections
+ 5.1, 5.2, 7.1 and 7.2 of RFC 2256 are obsoleted by [Models]. The
+ remainder of RFC 2256 is obsoleted by this document. Section 3.4 of
+ this document supercedes the technical specification for the 'dc'
+ attribute type found in RFC 2247.[editor's note: Substitute
+ replacement RFC at time of publication.] The remainder of RFC 2247
+ remains in force.
+
+ This document updates RFC 2798 by replacing the informative
+ description of the 'uid' attribute type, with the definitive
+ description provided in Section 2.39 of this document.
A number of schema elements which were included in the previous
revision of the LDAP Technical Specification are not included in this
-
-
-
-
-
-Dally Expires October 2003 [Page 4]
-INTERNET-DRAFT draft-ietf-ldapbis-user-schema-05 April 2003
+Dally Expires December 2003 [Page 4]
+INTERNET-DRAFT draft-ietf-ldapbis-user-schema-06 June 2003
1.4 Source
The schema definitions in this document are based on those found in
- the X.500-series [X.520] and [X.521] and RFC 2247 [RFC2247],
- specifically:
+ the X.500-series [X.520] and [X.521], RFC 2798 [RFC2798] and
+ RFC 2247 [RFC2247], specifically:
+
+ Sections Source
+ ============ ==================
+ 2.1 - 2.3 X.520 [X.520]
+ 2.4 RFC 2247 [RFC2247]
+ 2.5 - 2.38 X.520 [X.520]
+ 2.39 RFC 2798 [2798]
+ 2.40 - 2.43 X.520 [X.520]
+ 3.1 - 3.12 X.521 [X.521]
- Sections Source
- ============ ==================
- 2.1 - 2.3 X.520 [X.520]
- 2.4 RFC 2247 [RFC2247]
- 2.5 - 2.42 X.520 [X.520]
- 3.1 - 3.3 X.521 [X.521]
- 3.4 RFC 2247 [RFC2247]
- 3.5 - 3.13 X.521 [X.521]
+ However, the descriptions in this document SHALL be considered
+ definitive for use in LDAP.
-2. Attribute Types
+2. Attribute Types
The Attribute Types contained in this section hold user information.
There is no requirement that servers implement the following
- Attribute Types:
+ attribute types:
- searchGuide
- teletexTerminalIdentifier
+ searchGuide
+ teletexTerminalIdentifier
In fact, their use is greatly discouraged.
An LDAP server implementation SHOULD recognize the rest of the
- Attribute Types described in this section.
+ attribute types described in this section.
2.1 businessCategory
- This Attribute Type describes the kind of business performed by
- an organization.
+ The businessCategory attribute type describes the kinds of business
+ performed by an organization (e.g., "banking", "transportation").
+ Each kind is one value of this multi-valued attribute.
( 2.5.4.15 NAME 'businessCategory'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
- The SYNTAX oid indicates the Directory String syntax.
+ 1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String
+ syntax [Syntaxes].
2.2 c
- This is the X.520 [X.520] countryName Attribute Type, which contains
- a two-letter ISO 3166 [ISO3166]country code.
-
- ( 2.5.4.6 NAME 'c'
- SUP name
- SINGLE-VALUE )
+ The c (countryName) attribute type contains a two-letter ISO 3166
+ [ISO3166] country code (e.g., "DE"). (Source: X.520)
+Dally Expires December 2003 [Page 5]
+INTERNET-DRAFT draft-ietf-ldapbis-user-schema-06 June 2003
-Dally Expires October 2003 [Page 5]
-INTERNET-DRAFT draft-ietf-ldapbis-user-schema-05 April 2003
+ ( 2.5.4.6 NAME 'c'
+ SUP name
+ SINGLE-VALUE )
2.3 cn
- This is the X.520 [X.520] commonName Attribute Type, which contains
- a name of an object. If the object corresponds to a person, it is
- typically the person's full name.
+ The cn (commonName) attribute type contains names of an object
+ (e.g., "Martin K Smith", "Marty Smith", "printer12"). Each name is
+ one value of this multi-valued attribute. If the object corresponds
+ to a person, it is typically the person's full name.
+ (Source: X.520)
( 2.5.4.3 NAME 'cn'
SUP name )
2.4 dc
- The dc (short for domainComponent) attribute type is defined as
- follows:
+ The dc (short for domainComponent) attribute type is a string
+ holding one component, a <label> [RFC1034}, of a DNS domain name
+ (e.g., "example" or "com", but not "example.com"). The encoding of
+ IA5String for use in LDAP is simply the characters of the string
+ itself. The equality matching rule is case insensitive, as is
+ today's DNS.
( 0.9.2342.19200300.100.1.25 NAME 'dc'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE )
- The value of this attribute is a string holding one component of a
- DNS domain name. The encoding of IA5String for use in LDAP is simply
- the characters of the string itself. The equality matching rule is
- case insensitive, as is today's DNS.
+ 1.3.6.1.4.1.1466.115.121.1.26 refers to the IA5 String
+ syntax [Syntaxes].
+
+ It is noted that the directory will not ensure that values of this
+ attribute conform to the label production [RFC1034]. It is the
+ application responsibility to ensure domains it stores in this
+ attribute are appropriately represented.
+
+ It is also noted that applications supporting Internationalized
+ Domain Names SHALL use the ToASCII method [RFC3490] to produce
+ <label> components of the <domain> production.
2.5 description
- This Attribute Type contains a human-readable description of
- the object.
+ The description attribute type contains human-readable descriptive
+ phrases about the object (e.g., "a color printer", "Maintenance is
+ done every Monday, at 1pm."). Each description is one value of this
+ multi-valued attribute.
( 2.5.4.13 NAME 'description'
EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )
-
- The SYNTAX oid indicates the Directory String syntax.
-2.6 destinationIndicator
-
- This attribute is used for the telegram service.
-
- ( 2.5.4.27 NAME 'destinationIndicator'
- EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{128} )
- The SYNTAX oid indicates the Printable String syntax.
+Dally Expires December 2003 [Page 6]
+INTERNET-DRAFT draft-ietf-ldapbis-user-schema-06 June 2003
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+ 1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String
+ syntax [Syntaxes].
+2.6 destinationIndicator
+ The destinationIndicator attribute type contains country and city
+ strings, associated with the object (the addressee), needed to
+ provide the Public Telegram Service. Each string is one value of
+ this multi-valued attribute. The strings are composed in accordance
+ with CCITT Recommendations F.1 [F.1] and F.31 [F.31].
-Dally Expires October 2003 [Page 6]
-INTERNET-DRAFT draft-ietf-ldapbis-user-schema-05 April 2003
+ ( 2.5.4.27 NAME 'destinationIndicator'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )
+ 1.3.6.1.4.1.1466.115.121.1.44 refers to the Printable String
+ syntax [Syntaxes].
2.7 distinguishedName
- This Attribute Type is not used as the name of the object itself,
- but it is instead a base type from which attributes with DN syntax
- inherit.
+ The distinguishedName attribute type is the attribute supertype from
+ which attribute types with DN syntax inherit, instead of containing
+ values which name the object itself. The attribute type is
+ multi-valued.
It is unlikely that values of this type itself will occur in an
entry. LDAP server implementations which do not support attribute
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
- The SYNTAX oid indicates the DN syntax.
+ 1.3.6.1.4.1.1466.115.121.1.12 refers to the DN syntax [Syntaxes].
2.8 dnQualifier
- The dnQualifier Attribute Type specifies disambiguating information
- to add to the relative distinguished name of an entry. It is
- intended for use when merging data from multiple sources in order to
- prevent conflicts between entries which would otherwise have the same
- name. It is recommended that the value of the dnQualifier attribute
- be the same for all entries from a particular source.
+ The dnQualifier attribute type contains disambiguating information
+ strings to add to the relative distinguished name of an entry. The
+ information is intended for use when merging data from multiple
+ sources in order to prevent conflicts between entries which would
+ otherwise have the same name. Each string is one value of this
+ multi-valued attribute. It is recommended that a value of the
+ dnQualifier attribute be the same for all entries from a
+ particular source.
+
+
+
+Dally Expires December 2003 [Page 7]
+INTERNET-DRAFT draft-ietf-ldapbis-user-schema-06 June 2003
+
( 2.5.4.46 NAME 'dnQualifier'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )
- The SYNTAX oid indicates the Printable String syntax.
+ 1.3.6.1.4.1.1466.115.121.1.44 refers to the Printable String
+ syntax [Syntaxes].
2.9 enhancedSearchGuide
- This attribute is for use by X.500 clients in constructing search
- filters.
+ The enhancedSearchGuide attribute type contains sets of information
+ for use by directory clients in constructing search filters. Each
+ set is one value of this multi-valued attribute.
( 2.5.4.47 NAME 'enhancedSearchGuide'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.21 )
- The SYNTAX oid indicates the Enhanced Guide syntax.
+ 1.3.6.1.4.1.1466.115.121.1.21 refers to the Enhanced Guide
+ syntax [Syntaxes].
2.10 facsimileTelephoneNumber
- A value of this Attribute Type is a telephone number for a facsimile
- terminal (and, optionally, its parameters).
+ The facsimileTelephoneNumber attribute type contains telephone
+ numbers (and, optionally, the parameters) for facsimile terrminals.
+ Each telephone number is one value of this multi-valued attribute.
( 2.5.4.23 NAME 'facsimileTelephoneNumber'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.22 )
-
-
-Dally Expires October 2003 [Page 7]
-INTERNET-DRAFT draft-ietf-ldapbis-user-schema-05 April 2003
-
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.22 )
- The SYNTAX oid indicates the Facsimile Telephone Number syntax.
+ 1.3.6.1.4.1.1466.115.121.1.22 refers to the Facsimile Telephone
+ Number syntax [Syntaxes].
2.11 generationQualifier
- The generationQualifier Attribute Type contains the part of a
- person's name which typically is the suffix, as in "IIIrd".
+ The generationQualifier attribute type contains name strings that
+ are the part of a person's name which typically is the suffix, as in
+ "IIIrd" or "3rd". Each string is one value of this multi-valued
+ attribute.
( 2.5.4.44 NAME 'generationQualifier'
SUP name )
2.12 givenName
- The givenName Attribute Type is used to hold the part of a person's
- name which is not their surname nor middle name.
+ The givenName attribute type contains name strings that are the part
+ of a person's name which is not their surname. Each string is one
+ value of this multi-valued attribute.
( 2.5.4.42 NAME 'givenName'
SUP name )
+
+
+Dally Expires December 2003 [Page 8]
+INTERNET-DRAFT draft-ietf-ldapbis-user-schema-06 June 2003
+
+
2.13 houseIdentifier
- This Attribute Type is used to identify a building within a location.
+ The houseIdentifier attribute type contains identifiers for a
+ building within a location. Each identifier is one value of this
+ multi-valued attribute.
( 2.5.4.51 NAME 'houseIdentifier'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
- The SYNTAX oid indicates the Directory String syntax.
+ 1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String
+ syntax [Syntaxes].
2.14 initials
- The initials Attribute Type contains the initials of some or all of
- an individuals names, except the surname(s).
+ The initials attribute type contains strings of initials of some or
+ all of an individual's names, except the surname(s)
+ (e.g., "K. A.", "K"). Each string is one value of this multi-valued
+ attribute.
- ( 2.5.4.43 NAME 'initials'
+ ( 2.5.4.43 NAME 'initials'
SUP name )
2.15 internationalISDNNumber
- A value of this Attribute Type is an ISDN address, as defined in
- ITU Recommendation E.164 [E.164].
+ The internationalISDNNumber attribute type contains ISDN addresses,
+ as defined in ITU Recommendation E.164 [E.164]. Each address is one
+ value of this multi-valued attribute.
( 2.5.4.25 NAME 'internationalISDNNumber'
EQUALITY numericStringMatch
SUBSTR numericStringSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{16} ) i
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 )
+
+ 1.3.6.1.4.1.1466.115.121.1.36 refers to the Numeric String
+ syntax [Syntaxes].
- The SYNTAX oid indicates the Numeric String syntax.
+2.16 l
+ The l (localityName) attribute type contains names of a locality or
+ place, such as a city, county or other geographic region (e.g.,
+ "Geneva"). Each name is one value of this multi-valued attribute.
+ (Source: X.520)
+ ( 2.5.4.7 NAME 'l'
+ SUP name )
-Dally Expires October 2003 [Page 8]
-INTERNET-DRAFT draft-ietf-ldapbis-user-schema-05 April 2003
-2.16 l
- This is the X.520 [X.520] localityName Attribute Type, which
- contains the name of a locality or place, such as a city, county or
- other geographic region.
+Dally Expires December 2003 [Page 9]
+INTERNET-DRAFT draft-ietf-ldapbis-user-schema-06 June 2003
- ( 2.5.4.7 NAME 'l'
- SUP name )
2.17 member
- A value of this Attribute Type is the Distinguished Name of an
- object that is on a list or in a group.
+ The member attribute type contains the Distinguished Names of
+ objects that are on a list or in a group. Each name is one value of
+ this multi-valued attribute.
( 2.5.4.31 NAME 'member'
SUP distinguishedName )
2.18 name
- The name Attribute Type is the attribute supertype from which string
- Attribute Types typically used for naming may be formed. It is
- unlikely that values of this type itself will occur in an entry.
- LDAP server implementations which do not support attribute subtyping
- need not recognize this attribute in requests. Client
+ The name attribute type is the attribute supertype from which
+ attributes with the name syntax inherit. Such attributes are
+ typically used for naming. The attribute type is multi-valued.
+
+ It is unlikely that values of this type itself will occur in an
+ entry. LDAP server implementations which do not support attribute
+ subtyping need not recognize this attribute in requests. Client
implementations MUST NOT assume that LDAP servers are capable of
performing attribute subtyping.
( 2.5.4.41 NAME 'name'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
- The SYNTAX oid indicates the Directory String syntax.
+ 1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String
+ syntax [Syntaxes].
2.19 o
- This is the X.520 [X.520] organizationName Attribute Type, which
- contains the name of an organization.
+ The o (organizationName) attribute type contains the names of an
+ organization (e.g., "IETF", "Internet Engineering Task Force").
+ Each name is one value of this multi-valued attribute.
+ (Source: X.520)
( 2.5.4.10 NAME 'o'
SUP name )
2.20 ou
- This is the X.520 [X.520] organizationalUnitName Attribute Type,
- which contains the name of an organizational unit.
+ The ou (organizationalUnitName) attribute type contains the names of
+ an organizational unit (e.g., "Application Area", "LDAPbis WG").
+ Each name is one value of this multi-valued attribute.
+ (Source: X.520)
- ( 2.5.4.11 NAME 'ou'
+ ( 2.5.4.11 NAME 'ou'
SUP name )
-Dally Expires October 2003 [Page 9]
-INTERNET-DRAFT draft-ietf-ldapbis-user-schema-05 April 2003
+
+Dally Expires December 2003 [Page 10]
+INTERNET-DRAFT draft-ietf-ldapbis-user-schema-06 June 2003
2.21 owner
- A value of this Attribute Type is the Distinguished Name of an
- object that has an ownership responsibility for the object that
- is owned.
+ The owner attribute type contains the Distinguished Names of objects
+ that have an ownership responsibility for the object that is owned.
+ (e.g., The list object, "cn=All Employees, ou=Mailing List,
+ o=Widget, Inc.", is owned by the role object, "cn=ou=Human Resources
+ Director, ou=employee, o=Widget, Inc.") Each name is one value of
+ this multi-valued attribute.
- ( 2.5.4.32 NAME 'owner'
+ ( 2.5.4.32 NAME 'owner'
SUP distinguishedName )
2.22 physicalDeliveryOfficeName
- This attribute contains the name that a Postal Service uses to
- identify a post office.
+ The physicalDeliveryOfficeName attribute type contains names that a
+ Postal Service uses to identify a post office (e.g., "Bremerhaven,
+ Main", "Bremerhaven, Bonnstrasse").
( 2.5.4.19 NAME 'physicalDeliveryOfficeName'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
- The SYNTAX oid indicates the Directory String syntax.
+ 1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String
+ syntax [Syntaxes].
2.23 postalAddress
- This attribute contains an address used by a Postal Service to
- perform services for the object.
+ The postalAddress attribute type contains addresses used by a Postal
+ Service to perform services for the object (e.g., "15 Main St.,
+ Ottawa, Canada"). Each address is one value of this multi-valued
+ attribute.
( 2.5.4.16 NAME 'postalAddress'
EQUALITY caseIgnoreListMatch
SUBSTR caseIgnoreListSubstringsMatch
- SYNTAX 1.5.6.1.4.1.1466.115.121.1.41 )
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )
- The SYNTAX oid indicates the Postal Address syntax.
+ 1.3.6.1.4.1.1466.115.121.1.41 refers to the Postal Address
+ syntax [Syntaxes].
2.24 postalCode
- This attribute contains a code used by a Postal Service to identify
- a postal service zone, such as the southern quadrant of a city.
+ The postalCode attribute type contains codes used by a Postal
+ Service to identify a postal service zones, such as the southern
+ quadrant of a city (e.g., "22180"). Each code is one value of this
+ multi-valued attribute.
( 2.5.4.17 NAME 'postalCode'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.5.6.1.4.1.1466.115.121.1.15{40} )
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
- The SYNTAX oid indicates the Directory String syntax.
-2.25 postOfficeBox
-
- This attribute contains the number that a Postal Service uses when a
- customer arranges to receive mail at a box on premises of the Postal
- Service.
+Dally Expires December 2003 [Page 11]
+INTERNET-DRAFT draft-ietf-ldapbis-user-schema-06 June 2003
+ 1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String
+ syntax [Syntaxes].
+2.25 postOfficeBox
-Dally Expires October 2003 [Page 10]
-INTERNET-DRAFT draft-ietf-ldapbis-user-schema-05 April 2003
+ The postOfficeBox attribute type contains numbers that a Postal
+ Service uses when a customer arranges to receive mail at a box on
+ premises of the Postal Service (e.g., "Box 45"). Each number is one
+ value of this multi-valued attribute.
( 2.5.4.18 NAME 'postOfficeBox'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.5.6.1.4.1.1466.115.121.1.15{40} )
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
- The SYNTAX oid indicates the Directory String syntax.
+ 1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String
+ syntax [Syntaxes].
2.26 preferredDeliveryMethod
- This attribute contains an indication of the preferred method of
- getting a message to the object.
+ The preferredDeliveryMethod attribute type contains an indication of
+ the preferred method of getting a message to the object. For example,
+ if mhs-delivery is preferred over telephone-delivery, which is
+ preferred over all other methods, the value of the value would
+ be {1, 9}.
( 2.5.4.28 NAME 'preferredDeliveryMethod'
- SYNTAX 1.5.6.1.4.1.1466.115.121.1.14
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.14
SINGLE-VALUE )
- The SYNTAX oid indicates the Delivery Method syntax.
+ 1.3.6.1.4.1.1466.115.121.1.14 refers to the Delivery Method
+ syntax [Syntaxes].
2.27 registeredAddress
- This attribute holds a postal address suitable for reception of
- telegrams or expedited documents, where it is necessary to have the
- recipient accept delivery.
+ The registeredAddress attribute type contains postal addresses
+ suitable for reception of telegrams or expedited documents, where it
+ is necessary to have the recipient accept delivery (e.g.,
+ "Receptionist, Widget Inc., 15 Main St., Ottawa, Canada"). Each
+ address is one value of this multi-valued attribute.
( 2.5.4.26 NAME 'registeredAddress'
SUP postalAddress
SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )
- The SYNTAX oid indicates the Postal Address syntax.
+ 1.3.6.1.4.1.1466.115.121.1.41 refers to the Postal Address
+ syntax [Syntaxes].
-2.28 roleOccupant
- A value of this Attribute Type is the Distinguished Name of an
- object (normally a person) that fulfills the responsibilities of a
- role object.
- ( 2.5.4.33 NAME 'roleOccupant'
- SUP distinguishedName )
-2.29 searchGuide
- This Attribute Type is for use by clients in constructing search
- filters. It is superseded by enhancedSearchGuide, described above
- in section 2.9.
- ( 2.5.4.14 NAME 'searchGuide'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.25 ) ; Guide
+Dally Expires December 2003 [Page 12]
+INTERNET-DRAFT draft-ietf-ldapbis-user-schema-06 June 2003
-The SYNTAX oid indicates the Guide syntax.
+2.28 roleOccupant
+ The roleOccupant attribute type contains the Distinguished Names of
+ objects(normally people) that fulfill the responsibilities of a role
+ object. For example, the role object, "cn=Human Resources Director,
+ ou=Position, o=Widget, Inc.", is fulfilled by two people whose
+ object names are "cn=Mary Smith, ou=employee, o=Widget, Inc." and
+ "cn=James Brown, ou=employee, o=Widget, Inc." Each name is one
+ value of this multi-valued attribute.
+ ( 2.5.4.33 NAME 'roleOccupant'
+ SUP distinguishedName )
+
+2.29 searchGuide
+ The searchGuide attribute type contains sets of information for use
+ by clients in constructing search filters. It is superseded by
+ enhancedSearchGuide, described above in section 2.9.
-Dally Expires October 2003 [Page 11]
-INTERNET-DRAFT draft-ietf-ldapbis-user-schema-05 April 2003
+ ( 2.5.4.14 NAME 'searchGuide'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.25 )
+ 1.3.6.1.4.1.1466.115.121.1.25 refers to the Guide syntax [Syntaxes].
2.30 seeAlso
- A value of this Attribute Type is the Distinguished Name of an
- object that is related to the subject object.
+ The seeAlso attribute type contains Distinguished Names of objects
+ that are related to the subject object. For example, the person
+ object, "cn=James Brown, ou=employee, o=Widget Inc." is related to
+ the role objects, "cn=Football Team Captain, ou=sponsored
+ activities, o=Widget Inc." and "cn=Chess Team, ou=sponsored
+ activities, o=Widget Inc.". Each name is one value of this
+ multi-valued attribute.
- ( 2.5.4.34 NAME 'seeAlso'
+ ( 2.5.4.34 NAME 'seeAlso'
SUP distinguishedName )
2.31 serialNumber
- This attribute contains the serial number of a device.
+ The serialNumber attribute type contains the serial numbers of
+ devices (e.g., "WI-3005". Each number is one value of this
+ multi-valued attribute.
- ( 2.5.4.5 NAME 'serialNumber'
+ ( 2.5.4.5 NAME 'serialNumber'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{64} )
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )
+
+ 1.3.6.1.4.1.1466.115.121.1.44 refers to the Printable String
+ syntax [Syntaxes].
+
+
+
+
+Dally Expires December 2003 [Page 13]
+INTERNET-DRAFT draft-ietf-ldapbis-user-schema-06 June 2003
- The SYNTAX oid indicates the Printable String syntax.
2.32 sn
- This is the X.520 [X.520] surname Attribute Type, which contains the
- family name of a person.
+ The sn (surname)attribute type contains name strings for the family
+ names of a person (e.g., "Smith"). Each string is one value of this
+ multi-valued attribute. (Source: X.520)
( 2.5.4.4 NAME 'sn'
SUP name )
2.33 st
- This is the X.520 [X.520] stateOrProvinceName attribute, which
- contains the full name of a state or province.
+ The st (stateOrProvinceName) attribute type contains the full names
+ of states or provinces, (e.g. "California"). Each name is one value
+ of this multi-valued attribute.
( 2.5.4.8 NAME 'st'
SUP name )
2.34 street
- This is the X.520 [X.520] streetAddress attribute, which contains the
- physical address of the object to which the entry corresponds, such
- as an address for package delivery.
+ The street (streetAddress) attribute type contains physical
+ addresses of the object to which the entry corresponds, such as an
+ address for package delivery. Each address is one value of this
+ multi-valued attribute.
( 2.5.4.9 NAME 'street'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
- The SYNTAX oid indicates the Directory String syntax.
+ 1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String
+ syntax [Syntaxes].
2.35 telephoneNumber
- A value of this Attribute Type is a telephone number complying with
- ITU Recommendation E.123 [E.123].
-
-
-Dally Expires October 2003 [Page 12]
-INTERNET-DRAFT draft-ietf-ldapbis-user-schema-05 April 2003
-
+ The telephoneNumber attribute type contains telephone numbers
+ complying with ITU Recommendation E.123 [E.123]
+ (e.g., 1 234 567 8901) Each number is one value of this
+ multi-valued attribute.
( 2.5.4.20 NAME 'telephoneNumber'
- EQUALITY telephoneNumberMatch
- SUBSTR telephoneNumberSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.50{32} )
+ EQUALITY telephoneNumberMatch
+ SUBSTR telephoneNumberSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 )
- The SYNTAX oid indicates the Telephone Number syntax.
+ 1.3.6.1.4.1.1466.115.121.1.50 refers to the Telephone Number
+ syntax [Syntaxes].
2.36 teletexTerminalIdentifier
The withdrawal of Rec. F.200 has resulted in the withdrawal of this
attribute.
- ( 2.5.4.22 NAME 'teletexTerminalIdentifier'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.51 )
- The SYNTAX oid indicates the Teletex Terminal Identifier syntax.
+Dally Expires December 2003 [Page 14]
+INTERNET-DRAFT draft-ietf-ldapbis-user-schema-06 June 2003
+
+
+ ( 2.5.4.22 NAME 'teletexTerminalIdentifier'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.51 )
2.37 telexNumber
- A value of this Attribute Type is a telex number, country code, and
- answerback code of a telex terminal.
+ The telexNumber attribute type contains sets of strings which are a
+ telex number, country code, and answerback code of a telex
+ terminal. Each set is one value of this multi-valued attribute.
( 2.5.4.21 NAME 'telexNumber'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.52 )
- The SYNTAX oid indicates the Telex Number syntax.
+ 1.3.6.1.4.1.1466.115.121.1.52 refers to the Telex Number
+ syntax [Syntaxes].
2.38 title
This attribute contains the title, such as "Vice President", of a
- person in their organizational context. The "personalTitle"
- attribute would be used for a person's title independent of their
- job function.
+ person in their organizational context.
( 2.5.4.12 NAME 'title'
SUP name )
-2.39 uniqueMember
+2.39 uid
- A value of this Attribute Type is the Distinguished Name of an
- object that is on a list or in a group, where the Relative
- Distinguished Name of the object includes a value that distinguishs
- between objects when a distinguished name has been reused.
+ The uid attribute type contains computer system login names
+ associated with the object. (Source: RFC 1274,
+ RFC 2798). Each name is one value of this multi-valued attribute.
+
+ ( 0.9.2342.19200300.100.1.1
+ NAME 'uid'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
+ 1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String
+ syntax [Syntaxes].
+
+2.40 uniqueMember
+
+ The uniqueMember attribute type contains the Distinguished Names of
+ an object that is on a list or in a group, where the Relative
+ Distinguished Names of the object include a value that distinguishs
+ between objects when a distinguished name has been reused. For
+ example, if "ou=1st Battalion, o=Defense, c=US" is a battalion that
+ was disbanded, establishing a new battalion with the "same" name
+ would have a uid value added, resulting in
+ "ou=1st Battalion#'010101', o=Defense, c=US".
( 2.5.4.50 NAME 'uniqueMember'
EQUALITY uniqueMemberMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.34 )
-The SYNTAX oid indicates the Name and Optional UID syntax.
-
-
+Dally Expires December 2003 [Page 15]
+INTERNET-DRAFT draft-ietf-ldapbis-user-schema-06 June 2003
-Dally Expires October 2003 [Page 13]
-INTERNET-DRAFT draft-ietf-ldapbis-user-schema-05 April 2003
+ 1.3.6.1.4.1.1466.115.121.1.34 refers to the Name and Optional UID
+ syntax [Syntaxes].
+2.41 userPassword
-2.40 userPassword
+ The userPassword attribute type contains character strings that are
+ known only to the user and the system to which the user has access.
+ Each string is one value of this multi-valued attribute.
- A value of this Attribute Type is a character string that is known
- only to the user and the system to which the user has access.
+ The application SHOULD prepare textual strings used as passwords by
+ transcoding them to Unicode, applying SASLprep [SASLprep], and
+ encoding as UTF-8.
( 2.5.4.35 NAME 'userPassword'
EQUALITY octetStringMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
- The SYNTAX oid indicates the Octet String syntax.
+ 1.3.6.1.4.1.1466.115.121.1.40 refers to the Octet String
+ syntax [Syntaxes].
Passwords are stored using an Octet String syntax and are not
encrypted. Transfer of cleartext passwords is strongly discouraged
confidentiality and may result in disclosure of the password to
unauthorized parties.
-2.41 x121Address
+ An example of a need for multiple values in the userPassword
+ attribute is an environment where every month the user was expected
+ to use a different password generated by some automated system.
+ During transitional periods, like say the last and first day of the
+ periods, it may be necessary to allow two passwords for the two
+ consecutive periods to be valid in the system.
- A value of this Attribute Type is a data network address as defined
- by ITU Recommendation X.121 [X.121].
+2.42 x121Address
+
+ The x121Address attribute type contains data network addresses
+ (e.g., 36111222333444555) as defined by ITU Recommendation X.121
+ [X.121]. Each address is one value of this multi-valued attribute.
( 2.5.4.24 NAME 'x121Address'
EQUALITY numericStringMatch
SUBSTR numericStringSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{15} )
-
- The SYNTAX oid indicates the Numeric String syntax.
-
-2.42 x500UniqueIdentifier
-
- The x500UniqueIdentifier Attribute Type is used to distinguish
- between objects when a distinguished name has been reused. In X.520
- [X.520], this Attribute Type is called uniqueIdentifier. This is a
- different Attribute Type from both the "uid" and "uniqueIdentifier"
- Attribute Types.
-
- ( 2.5.4.45 NAME 'x500UniqueIdentifier'
- EQUALITY bitStringMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.6 )
-
- The SYNTAX oid indicates the Bit String syntax.
-
-
-
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 )
+ 1.3.6.1.4.1.1466.115.121.1.36 refers to the Numeric String
+ syntax [Syntaxes].
+2.43 x500UniqueIdentifier
+ The x500UniqueIdentifier attribute type contains binary strings that
+ are used to distinguish between objects when a distinguished name
+ has been reused. Each string is one value of this multi-valued
+Dally Expires December 2003 [Page 16]
+INTERNET-DRAFT draft-ietf-ldapbis-user-schema-06 June 2003
+ attribute. In X.520 [X.520], this attribute type is called
+ uniqueIdentifier. This is a different attribute type from both the
+ "uid" and "uniqueIdentifier" attribute types.
+ ( 2.5.4.45 NAME 'x500UniqueIdentifier'
+ EQUALITY bitStringMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.6 )
-Dally Expires October 2003 [Page 14]
-INTERNET-DRAFT draft-ietf-ldapbis-user-schema-05 April 2003
+ 1.3.6.1.4.1.1466.115.121.1.6 refers to the Bit String
+ syntax [Syntaxes].
3. Object Classes
LDAP servers SHOULD recognize all the Object Classes listed here as
- values of the objectClass attribute.
+ values of the objectClass attribute (see [Models]).
3.1 applicationProcess
- The applicationProcess Object Class definition is the basis of an
+ The applicationProcess object class definition is the basis of an
entry which represents an application executing in a computer system.
( 2.5.6.11 NAME 'applicationProcess'
3.2 country
- The country Object Class definition is the basis of an entry which
+ The country object class definition is the basis of an entry which
represents a country.
( 2.5.6.2 NAME 'country'
3.3 device
- The device Object Class is the basis of an entry which represents
- an appliance or computer or network element.
+ The device object class is the basis of an entry which represents an
+ appliance or computer or network element.
( 2.5.6.14 NAME 'device'
SUP top
STRUCTURAL
MUST cn
+
+
+Dally Expires December 2003 [Page 17]
+INTERNET-DRAFT draft-ietf-ldapbis-user-schema-06 June 2003
+
+
MAY ( serialNumber $
seeAlso $
owner $
l $
description ) )
-3.4 domain
+3.4 groupOfNames
- The domain Object Class is the basis of an entry which represents a
- portion of a network, as organized by DNS.
-
-
-Dally Expires October 2003 [Page 15]
-INTERNET-DRAFT draft-ietf-ldapbis-user-schema-05 April 2003
-
-
- ( 0.9.2342.19200300.100.4.13 NAME 'domain'
- SUP top
- STRUCTURAL
- MUST dc
- MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
- x121Address $ registeredAddress $ destinationIndicator $
- preferredDeliveryMethod $ telexNumber $
- teletexTerminalIdentifier $ telephoneNumber $
- internationaliSDNNumber $ facsimileTelephoneNumber $ street $
- postOfficeBox $ postalCode $ postalAddress $
- physicalDeliveryOfficeName $ st $ l $ description $ o $
- associatedName ) )
-
- An example entry would be:
-
- dn: dc=tcp,dc=critical-angle,dc=com
- objectClass: top
- objectClass: domain
- dc: tcp
- description: a placeholder entry used with SRV records
-
-3.5 groupOfNames
-
- The groupOfNames Object Class is the basis of an entry which
+ The groupOfNames object class is the basis of an entry which
represents a set of named objects including information related to
the purpose or maintenance of the set.
SUP top
STRUCTURAL
MUST ( member $
- cn )
+ cn )
MAY ( businessCategory $
seeAlso $
owner $
o $
description ) )
-3.6 groupOfUniqueNames
+3.5 groupOfUniqueNames
- The groupOfUniqueNames Object Class is the same as the groupOfNames
+ The groupOfUniqueNames object class is the same as the groupOfNames
object class except that the object names are not repeated or
reassigned within a set scope.
SUP top
STRUCTURAL
MUST ( uniqueMember $
- cn )
+ cn )
MAY ( businessCategory $
seeAlso $
-
-
-Dally Expires October 2003 [Page 16]
-INTERNET-DRAFT draft-ietf-ldapbis-user-schema-05 April 2003
-
-
owner $
ou $
o $
description ) )
-3.7 locality
+3.6 locality
- The locality Object Class is the basis of an entry which
- represents a place in the physical world.
+ The locality object class is the basis of an entry which represents
+ a place in the physical world.
( 2.5.6.3 NAME 'locality'
SUP top
STRUCTURAL
+
+
+Dally Expires December 2003 [Page 18]
+INTERNET-DRAFT draft-ietf-ldapbis-user-schema-06 June 2003
+
+
MAY ( street $
seeAlso $
searchGuide $
l $
description ) )
-3.8 organization
+3.7 organization
- The organization Object Class is the basis of an entry which
+ The organization object class is the basis of an entry which
represents a structured group of people.
( 2.5.6.4 NAME 'organization'
postalAddress $ physicalDeliveryOfficeName $ st $
l $ description ) )
-3.9 organizationalPerson
+3.8 organizationalPerson
- The organizationalPerson Object Class is the basis of an entry which
+ The organizationalPerson object class is the basis of an entry which
represents a person in relation to an organization.
( 2.5.6.7 NAME 'organizationalPerson'
street $ postOfficeBox $ postalCode $ postalAddress $
physicalDeliveryOfficeName $ ou $ st $ l ) )
+3.9 organizationalRole
-Dally Expires October 2003 [Page 17]
-INTERNET-DRAFT draft-ietf-ldapbis-user-schema-05 April 2003
-
-
-3.10 organizationalRole
-
- The organizationalRole Object Class is the basis of an entry which
+ The organizationalRole object class is the basis of an entry which
represents a job or function or position in an organization.
( 2.5.6.8 NAME 'organizationalRole'
MAY ( x121Address $ registeredAddress $ destinationIndicator $
preferredDeliveryMethod $ telexNumber $
teletexTerminalIdentifier $ telephoneNumber $
+
+
+Dally Expires December 2003 [Page 19]
+INTERNET-DRAFT draft-ietf-ldapbis-user-schema-06 June 2003
+
+
internationaliSDNNumber $ facsimileTelephoneNumber $
seeAlso $ roleOccupant $ preferredDeliveryMethod $
street $ postOfficeBox $ postalCode $ postalAddress $
physicalDeliveryOfficeName $ ou $ st $ l $ description ) )
-3.11 organizationalUnit
+3.10 organizationalUnit
- The organizationalUnit Object Class is the basis of an entry which
+ The organizationalUnit object class is the basis of an entry which
represents a piece of an organization.
( 2.5.6.5 NAME 'organizationalUnit'
telephoneNumber $ teletexTerminalIdentifier $ telexNumber $
userPassword $ x121Address ) )
-3.12 person
+3.11 person
- The person Object Class is the basis of an entry which represents a
+ The person object class is the basis of an entry which represents a
human being.
( 2.5.6.6 NAME 'person'
SUP top
STRUCTURAL
MUST ( sn $
- cn )
+ cn )
MAY ( userPassword $
telephoneNumber $
seeAlso $
description ) )
+3.12 residentialPerson
-
-
-
-
-Dally Expires October 2003 [Page 18]
-INTERNET-DRAFT draft-ietf-ldapbis-user-schema-05 April 2003
-
-
-3.13 residentialPerson
-
- The residentialPerson Object Class is the basis of an entry which
+ The residentialPerson object class is the basis of an entry which
includes a person's residence in the representation of the person.
( 2.5.6.10 NAME 'residentialPerson'
STRUCTURAL
MUST l
MAY ( businessCategory $ x121Address $ registeredAddress $
- destinationIndicator $ preferredDeliveryMethod $
- telexNumber $ teletexTerminalIdentifier $ telephoneNumber $
- internationaliSDNNumber $ facsimileTelephoneNumber $
- preferredDeliveryMethod $ street $ postOfficeBox $
- postalCode $ postalAddress $ physicalDeliveryOfficeName $
- st $ l ) )
+ destinationIndicator $ preferredDeliveryMethod $
+ telexNumber $ teletexTerminalIdentifier $ telephoneNumber $
+ internationaliSDNNumber $ facsimileTelephoneNumber $
+ preferredDeliveryMethod $ street $ postOfficeBox $
+
+
+
+Dally Expires December 2003 [Page 20]
+INTERNET-DRAFT draft-ietf-ldapbis-user-schema-06 June 2003
+
+
+ postalCode $ postalAddress $ physicalDeliveryOfficeName $
+ st $ l ) )
4. IANA Considerations
- It is requested that the Internet Assigned Numbers Authority (IANA)
- update the LDAP descriptors registry as indicated in the following
+ It is requested that the Internet Assigned Numbers Authority (IANA)
+ update the LDAP descriptors registry as indicated in the following
template:
Subject: Request for LDAP Descriptor Registration Update
Descriptor (short name): see comment
Object Identifier: see comment
Person & email address to contact for further information:
- Kathy Dally <kdally@mitre.org>
- Usage: (A = Attribute Type, O = Object Class) see comment
- Specification: RFC XXXX
+ Kathy Dally <kdally@mitre.org>
+ Usage: (A = attribute type, O = Object Class) see comment
+ Specification: RFC XXXX [editor's note: The RFC number will be
+ the one assigned to this document.
Author/Change Controller: IESG
-
-
-Dally Expires October 2003 [Page 19]
-INTERNET-DRAFT draft-ietf-ldapbis-user-schema-05 April 2003
-
-
- Comments:
- The following descriptors (short names) should be updated to
- refer to RFC XXXX.
-
- NAME Type OID
- ------------------------ ---- ----------------------------
- applicationProcess O 2.5.6.11
- businessCategory A 2.5.4.15
- c A 2.5.4.6
- cn A 2.5.4.3
- country O 2.5.6.2
- dc A 0.9.2342.19200300.100.1.25
- description A 2.5.4.13
- destinationIndicator A 2.5.4.27
- device O 2.5.6.14
- distinguishedName A 2.5.4.49
- dnQualifier A 2.5.4.46
- domain O 0.9.2342.19200300.100.4.13
- enhancedSearchGuide A 2.5.4.47
- facsimileTelephoneNumber A 2.5.4.23
- generationQualifier A 2.5.4.44
- givenName A 2.5.4.42
- groupOfNames O 2.5.6.9
- groupOfUniqueNames O 2.5.6.17
- houseIdentifier A 2.5.4.51
- initials A 2.5.4.43
- internationalISDNNumber A 2.5.4.25
- l A 2.5.4.7
- locality O 2.5.6.3
- member A 2.5.4.31
- name A 2.5.4.41
- o A 2.5.4.10
- organization O 2.5.6.4
- organizationalPerson O 2.5.6.7
- organizationalRole O 2.5.6.8
- organizationalUnit O 2.5.6.5
- ou A 2.5.4.11
- owner A 2.5.4.32
- person O 2.5.6.6
- physicalDeliveryOfficeName A 2.5.4.19
- postalAddress A 2.5.4.16
- postalCode A 2.5.4.17
- postOfficeBox A 2.5.4.18
- preferredDeliveryMethod A 2.5.4.28
- registeredAddress A 2.5.4.26
- residentialPerson O 2.5.6.10
- roleOccupant A 2.5.4.33
- searchGuide A 2.5.4.14
- seeAlso A 2.5.4.34
- serialNumber A 2.5.4.5
- sn A 2.5.4.4
-
-
-Dally Expires October 2003 [Page 20]
-INTERNET-DRAFT draft-ietf-ldapbis-user-schema-05 April 2003
-
-
- st A 2.5.4.8
- street A 2.5.4.9
- telephoneNumber A 2.5.4.20
- teletexTerminalIdentifier A 2.5.4.22
- telexNumber A 2.5.4.21
- title A 2.5.4.12
- uniqueMember A 2.5.4.50
- userPassword A 2.5.4.35
- x121Address A 2.5.4.24
- x500UniqueIdentifier A 2.5.4.45
+ Comments
+ In the LDAP descriptors registry, the following descriptors (short
+ names) should be updated to refer to RFC XXXX [editor's note: This
+ document].
+
+ NAME Type OID
+ ------------------------ ---- ----------------------------
+ applicationProcess O 2.5.6.11
+ businessCategory A 2.5.4.15
+ c A 2.5.4.6
+ cn A 2.5.4.3
+ country O 2.5.6.2
+ dc A 0.9.2342.19200300.100.1.25
+ description A 2.5.4.13
+ destinationIndicator A 2.5.4.27
+ device O 2.5.6.14
+ distinguishedName A 2.5.4.49
+ dnQualifier A 2.5.4.46
+ enhancedSearchGuide A 2.5.4.47
+ facsimileTelephoneNumber A 2.5.4.23
+ generationQualifier A 2.5.4.44
+ givenName A 2.5.4.42
+ groupOfNames O 2.5.6.9
+ groupOfUniqueNames O 2.5.6.17
+ houseIdentifier A 2.5.4.51
+ initials A 2.5.4.43
+ internationalISDNNumber A 2.5.4.25
+ l A 2.5.4.7
+ locality O 2.5.6.3
+ member A 2.5.4.31
+ name A 2.5.4.41
+ o A 2.5.4.10
+
+
+Dally Expires December 2003 [Page 21]
+INTERNET-DRAFT draft-ietf-ldapbis-user-schema-06 June 2003
+
+
+ organization O 2.5.6.4
+ organizationalPerson O 2.5.6.7
+ organizationalRole O 2.5.6.8
+ organizationalUnit O 2.5.6.5
+ ou A 2.5.4.11
+ owner A 2.5.4.32
+ person O 2.5.6.6
+ physicalDeliveryOfficeName A 2.5.4.19
+ postalAddress A 2.5.4.16
+ postalCode A 2.5.4.17
+ postOfficeBox A 2.5.4.18
+ preferredDeliveryMethod A 2.5.4.28
+ registeredAddress A 2.5.4.26
+ residentialPerson O 2.5.6.10
+ roleOccupant A 2.5.4.33
+ searchGuide A 2.5.4.14
+ seeAlso A 2.5.4.34
+ serialNumber A 2.5.4.5
+ sn A 2.5.4.4
+ st A 2.5.4.8
+ street A 2.5.4.9
+ telephoneNumber A 2.5.4.20
+ teletexTerminalIdentifier A 2.5.4.22
+ telexNumber A 2.5.4.21
+ title A 2.5.4.12
+ uid A 0.9.2342.19200300.100.1.1
+ uniqueMember A 2.5.4.50
+ userPassword A 2.5.4.35
+ x121Address A 2.5.4.24
+ x500UniqueIdentifier A 2.5.4.45
5. Security Considerations
underlying transport service cannot guarantee confidentiality and may
result in disclosure of the password to unauthorized parties.
- It is required that strong authentication be performed in order to
- modify directory entries using LDAP.
+ Multiple attribute values for the userPassword needs to be used with
+ care. Especially reset/deletion of a password by an admin without
+ knowing the old user password gets tricky or impossible if multiple
+ values for different applications are present.
+
+ Certainly, applications which intend to replace the userPassword
+ value(s) with new value(s) should use modify/replaceValues (or
+ modify/deleteAttribute+addAttribute). Additionally, server
+
+
+
+Dally Expires December 2003 [Page 22]
+INTERNET-DRAFT draft-ietf-ldapbis-user-schema-06 June 2003
+
+
+ implementations are encouraged to provide administrative controls
+ which, if enabled, restrict the userPassword attributer to one value.
+
+ Note that when used for authentication purposes [AuthMeth], the user
+ need only prove knowledge of one of the values, not all of
+ the values.
6. Acknowledgements
The definitions, on which this document is based, have been developed
by committees for telecommunications and international standards.
- No new attribute definitions have been added.
This document is an update of RFC 2256 by Mark Wahl. RFC 2256 was a
product of the IETF ASID Working Group.
+ The dc attribute type definition in this document supercedes the
+ specification in RFC 2247 by S. Kille, M. Wahl, A. Grimstad,
+ R. Huber, and S. Sataluri.
+
+ The uid attribute type definition in this document supercedes the
+ specification of the userid in RFC 1274 by P. Barker and S. Kille
+ and of the uid in RFC 2798 by M. Smith.
+
This document is based upon input of the IETF LDAPBIS working group.
The author wishes to thank S. Legg and K. Zeilenga for their
significant contribution to this update.
[E.164] The international public telecommunication numbering plan,
ITU-T Recommendation E.164, 1997
-
-
-Dally Expires October 2003 [Page 21]
-INTERNET-DRAFT draft-ietf-ldapbis-user-schema-05 April 2003
-
-
[ISO3166] ISO 3166, "Codes for the representation of names of
countries".
- [LDAP-PKI] Chadwick, D. W., Legg S., "LDAP Schema and Syntaxes for
- PKIs", draft-ietf-pkix-ldap-pki-schema-xx (a work in
- progress)
-
[Models] K. Zeilenga, "LDAP: The Models", draft-ietf-ldapbis-
models-xx (a work in progress)
+ [RFC1034] P. Mockapetris, " DOMAIN NAMES - CONCEPTS AND
+ FACILITIES", RFC 1034, November 1987
+
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", RFC 2119, March 1997
- [RFC3377] Hodges, J., Morgan, R., "Lightweight Directory Access
- Protocol (v3): Technical Specification", RFC 3377,
- September 2002
+
+
+
+Dally Expires December 2003 [Page 23]
+INTERNET-DRAFT draft-ietf-ldapbis-user-schema-06 June 2003
+
+
+ [RFC3490] Faltstrom P., Hoffman P., Costello A. "Internationalizing
+ Domain Names in Applications (IDNA)", RFC 3490, March 2003
...[ROADMAP] Zeilenga, K., "LDAP: Technical Specification Road Map",
draft-ietf-ldapbis-roadmap-xx (a work in progress)
- [Syntaxes] S. Legg (editor), "LDAP: Syntaxes",
- draft-ietf-ldapbis-syntaxes-xx (a work in progress)
+ [Syntaxes] S. Legg (editor), "LDAP: Syntaxes", draft-ietf-ldapbis-
+ syntaxes-xx (a work in progress)
[X.121] International numbering plan for public data networks,
ITU-T Recommendation X.121, 1996
7.2 Informative
- [RFC2247] Kille, S., Wahl, M., Grimstad, A., Huber, R., and
- Sataluri, S., "Using Domains in LDAP/X.500 Distinguished Names",
- RFC 2247, January 1998
-
-
+ [AUTHMETH] Harrison R., "LDAP: Authentication Methods and
+ Connection Level Security Mechanisms", draft-ietf-
+ ldapbis-authmeth-xx (a work in progress)
+ [F.1] Operational Provisions For The International Public Telegram
+ Service Transmission System, CCITT Recommmendation F.1, 1992
+ [F.31] Telegram Retransmission System, CCITT Recommendation
+ F.31, 1988
+ [LDAP-PKI] Chadwick, D. W., Legg S., "LDAP Schema and Syntaxes for
+ PKIs", draft-ietf-pkix-ldap-pki-schema-xx (a work in
+ progress)
+ [RFC2247] Kille, S., Wahl, M., Grimstad, A., Huber, R., and
+ Sataluri, S., "Using Domains in LDAP/X.500 Distinguished
+ Names", RFC 2247, January 1998
+ [RFC3377] Hodges, J., Morgan, R., "Lightweight Directory Access
+ Protocol (v3): Technical Specification", RFC 3377,
+ September 2002
+ [SASLprep] Zeilenga K., "SASLprep: Stringprep profile for user
+ names and passwords", draft-ietf-sasl-saslprep-xx (a
+ work in progress)
+ [X.500] The Directory, ITU-T Recommendations X.501-X.525, 1993
-Dally Expires October 2003 [Page 22]
-INTERNET-DRAFT draft-ietf-ldapbis-user-schema-05 April 2003
+Dally Expires December 2003 [Page 24]
+INTERNET-DRAFT draft-ietf-ldapbis-user-schema-06 June 2003
8. Author's Address
Kathy Dally
The MITRE Corp.
- 1575 Colshire Dr., H300
+ 7515 Colshire Dr., H300
McLean VA 22102
USA
-Dally Expires October 2003 [Page 23]
-INTERNET-DRAFT draft-ietf-ldapbis-user-schema-05 April 2003
+
+Dally Expires December 2003 [Page 25]
+INTERNET-DRAFT draft-ietf-ldapbis-user-schema-06 June 2003
Appendix A Changes RFC 2256
This appendix lists the changes that have been made from RFC 2256 to
this I-D.
- 1. Revised the Status of this Memo.
+ 1. Replaced the document title.
2. Removed the IESG Note.
3. Dependencies on RFC 1274 have been eliminated.
- 4. Added a Security Considerations section, requiring strong
- authentication in order to modify directory entries.
+ 4. Added a Security Considerations section.
5. Deleted the conformance requirement for subschema object
classes in favor of a statement in [Syntaxes].
- 6. Added a Table of Contents.
-
- 7. Added explanations to many attributes.
+ 6. Added explanations to many attribute types and to each object
+ class.
- 8. Removed Section 4, Syntaxes, and Section 6, Matching Rules,
+ 7. Removed Section 4, Syntaxes, and Section 6, Matching Rules,
(moved to [Syntaxes]).
- 9. Reordered Section 3, Attributes, and Section 4, Object
- Classes, alphabetically.
-
- 10. Added an explanation for each object class.
-
- 11. Removed the certificate-related Attribute Types:
+ 8. Removed the certificate-related attribute types:
authorityRevocationList,
cACertificate,
certificateRevocationList,
strongAuthenticationUser, and
userSecurityInformation
- Noted that they are covered in PKIX WG documents.
+ LDAP PKI is now discussed in [LDAP-PKI].
+
+ 9. Removed the dmdName, knowledgeInformation,
+ presentationAddress, protocolInformation, and
+ supportedApplicationContext attribute types and the dmd,
+ applicationEntity, and dSA object classes.
+
+ 10. Deleted the aliasedObjectName and objectClass attribute
+ type definitions. Deleted the alias and top object class
+ definitions. They are included in [Models].
+
+ 11. Added the 'dc' attribute type from RFC 2247.
+
+
+
+
+Dally Expires December 2003 [Page 26]
+INTERNET-DRAFT draft-ietf-ldapbis-user-schema-06 June 2003
+
+
+ 12. Added an IANA Considerations section.
+
+ 13. Numerous edititorial changes.
+
+
+
+
- 12. Removed the dmdName Attribute Type and dmd Object Class
- because they are not in the version of X.500 which
- is referenced.
-Dally Expires October 2003 [Page 24]
-INTERNET-DRAFT draft-ietf-ldapbis-user-schema-05 April 2003
-......13. Deleted the 'aliasedObjectName' and 'objectClass' attribute
- type definitions. They are included in [Models].
- 14. Deleted the 'alias' and 'top' object class definitions. They
- are included in [Models].
- 15. Replaced the document title.
- 16. Added the 'dc' attribute and the 'domain' object class from
- RFC 2247.
- 17. Deleted the 'knowledgeInformation', 'presentationAddress',
- 'protocolInformation', and 'supportedApplicationContext'
- attributes.
- 18. Deleted the 'applicationEntity' and 'dSA' object classes.
- 19. Added an IANA Considerations section.
-Dally Expires October 2003 [Page 25]
+Dally Expires December 2003 [Page 27]
+++ /dev/null
-
-
-Internet Draft R. Megginson, Editor
-Document: <draft-ietf-ldup-lcup-03.txt> M. Smith
-Category: Proposed Standard Netscape
- Communications Corp.
- O. Natkovich
- Yahoo
- J. Parham
- Microsoft Corporation
- June 2002
-
-
- LDAP Client Update Protocol
-
-
-Status of this Memo
-
- This document is an Internet-Draft and is in full conformance with
- all provisions of Section 10 of RFC2026 [1].
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet-
- Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six
- months and may be updated, replaced, or obsoleted by other documents
- at any time. It is inappropriate to use Internet- Drafts as
- reference material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-
- Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
-1. Abstract
-
- This document defines the LDAP Client Update Protocol (LCUP). The
- protocol is intended to allow an LDAP client to synchronize with the
- content of a directory information tree (DIT) stored by an LDAP
- server and to be notified about the changes to that content.
-
-
-2. Conventions used in this document
-
- In the protocol flow definition, the notation C->S and S->C
- specifies the direction of the data flow from the client to the
- server and from the server to the client respectively.
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in
- this document are to be interpreted as described in RFC-2119
- [KEYWORDS].
-
-
-3. Overview
-
-\f
-
-
- The LCUP protocol is intended to allow LDAP clients to synchronize
- with the content stored by LDAP servers.
-
- The problem areas addressed by the protocol include:
-
- - mobile clients that maintain a local read-only copy of the
- directory data. While off-line, the client uses the local copy of
- the data. When the client connects to the network, it
- synchronizes with the current directory content and can be
- optionally notified about the changes that occur while it is on-
- line. For example, a mail client can maintain a local copy of the
- corporate address book that it synchronizes with the master copy
- whenever the client gets connected to the corporate network.
-
- - applications intending to synchronize heterogeneous data stores.
- A meta directory application, for instance, would periodically
- retrieve a list of modified entries from the directory, construct
- the changes and apply them to a foreign data store.
-
- - clients that need to take certain actions when a directory entry
- is modified. For instance, an electronic mail repository may want
- to perform a "create mailbox" task when a new person entry is
- added to an LDAP directory and a "delete mailbox" task when a
- person entry is removed.
-
- The problem areas not being considered:
-
- - directory server to directory server synchronization. The IETF is
- developing a LDAP replication protocol, called [LDUP], which is
- specifically designed to address this problem area.
-
- There are currently several protocols in use for LDAP client server
- synchronization. While each protocol addresses the needs of a
- particular group of clients (e.g., on-line clients or off-line
- clients) none satisfies the requirements of all clients in the
- target group. For instance, a mobile client that was off-line and
- wants to become up to date with the server and stay up to date while
- connected can't be easily supported by any of the existing
- protocols.
-
- Several features of the protocol distinguish it from LDUP
- replication. LCUP is designed such that the server does not need to
- maintain state information on behalf of the client. The clients are
- responsible for storing the information about how up to date they
- are with respect to the server's content. LCUP design avoids the
- need for LCUP-specific update agreements to be made between client
- and server prior to LCUP use. The client decides when and from where
- to retrieve the changes. LCUP design requires clients to initiate
- the update session and "pull" the changes from server.
-
- LCUP operations are subject to administrative and access
- control policies enforced by the server.
-
-
-
-Megginson, et. al. Proposed Standard - Expires: December 2002 2
-\f
-
-
- A part of the DIT which is enabled for LCUP is referred to as an
- LCUP Context. A server may support one or more LCUP Contexts.
-
-4. Protocol Specification
-
- This section describes the protocol elements and the protocol flow.
-
-4.1 Universally Unique Identifiers
-
- Distinguished names can change, so are therefore unreliable
- as identifiers. The server SHOULD assign a Universally Unique
- Identifier (or UUID for short) to each entry as it is created. This
- identifier will be stored as an operational attribute of the entry,
- named `entryUUID'. The entryUUID attribute is single valued. A
- consistent algorithm for generating such universally unique
- identifiers may be standardized at some point in the future.
- The definition of the entryUUID attribute type, written using the
- BNF form of AttributeDescription described in RFC 2252 [RFC2252] is:
-
- ( OID-To-Be-Specified
- NAME `entryUUID'
- DESC `universally unique entry identifier'
- EQUALITY caseIgnoreMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
- SINGLE-VALUE
- NO-USER-MODIFICATION
- USAGE directoryOperation )
-
-4.2 LCUP Cookie Value
-
- The LCUP protocol uses a cookie to hold the state of the client's
- data with respect to the server's data. The LCUP Cookie is a value
- of the following ASN.1 type:
-
- LCUPCookie ::= SEQUENCE {
- scheme LDAPOID,
- value OCTET STRING OPTIONAL
- }
-
- scheme - this is the OID which identifies the format of the value.
- The scheme OID, like all object identifiers, MUST be unique for a
- given cookie scheme. The cookie value may be opaque or it may be
- exposed to LCUP clients. For cookie schemes that expose their
- value, the preferred form of documentation is an RFC. It is
- expected that there will be one or more standards track cookie
- schemes where the value format is exposed and described in detail.
-
- value - this is the actual data describing the state of the
- client's data. This value may be opaque, or its value may have
- some well-known format, depending on the scheme. The cookie value
- MUST be included except when a client has no stored state; i.e.,
- when the client is requesting a full synchronization. When the
- server sends back a cookie, the cookie value MUST be present.
-
-
-Megginson, et. al. Proposed Standard - Expires: December 2002 3
-\f
-
-
- Further uses of the LCUP Cookie value are described below.
-
-4.3 Additional LDAP Result Codes defined by LCUP
-
- The LDAP result code names and numbers defined in the following
- table are to be replaced with IANA assigned result code names and
- numbers per draft-ietf-ldapbis-iana-xx.txt.
-
- lcupResourcesExhausted (TBD) the server is running out of
- resources
- lcupSecurityViolation (TBD) the client is suspected of malicious
- actions
- lcupInvalidCookie (TBD) invalid cookie was supplied by the
- client - both/either the scheme
- and/or the value part was invalid
- lcupUnsupportedScheme (TBD) The scheme part of the cookie is a
- valid OID but is not supported by
- this server
- lcupClientDisconnect (TBD) client requested search termination
- using the LDAP Cancel extended
- operation request [CANCEL]
- lcupReloadRequired (TBD) indicates that client data needs to
- be reinitialized. This reason is
- returned if the server does not
- contain sufficient information to
- synchronize the client or if the
- server's data was reloaded since the
- last synchronization session
-
- The uses of these codes are described below.
-
-4.4 Client Update Control Value
-
- A client initiates a synchronization session with a server by
- attaching a clientUpdate control to an LDAP searchRequest message.
- The client SHOULD specify entryUUID in the attributes list in the
- searchRequest message. The search specification determines the part
- of the directory information tree (DIT) the client wishes to
- synchronize with, the set of attributes it is interested in and the
- amount of data the client is willing to receive. The clientUpdate
- control contains the client's synchronization specification. The
- controlType field for the clientUpdate control is
- ClientUpdateControlOID (to be assigned). The controlValue is an
- OCTET STRING, whose contents are the bytes of the BER encoding of
- the following:
-
-
-
-
-
-
-
-
-
-
-Megginson, et. al. Proposed Standard - Expires: December 2002 4
-\f
-
-
- ClientUpdateControlValue ::= SEQUENCE {
- updateType ENUMERATED {
- synchronizeOnly (0),
- synchronizeAndPersist (1),
- persistOnly (2) },
- sendCookieInterval INTEGER OPTIONAL,
- cookie LCUPCookie OPTIONAL
- }
-
- updateType - specifies the type of update requested by the client
-
- synchronizeOnly - the server sends all the data needed to
- synchronize the client with the server, then closes the
- connection
-
- synchronizeAndPersist - the server sends all the data needed to
- synchronize the client with the server, then leaves open the
- connection, sending to the client any new added, modified, or
- deleted entries that satisfy the search criteria.
-
- persistOnly - the server does not synchronize the data with the
- client but leaves open the connection and sends over any new
- added, modified, or deleted entries that satisfy the search
- criteria.
-
- sendCookieInterval û (optional) the server SHOULD send the cookie
- back in the entryUpdate control value for every
- sendCookieInterval number of SearchResultEntry PDUs returned to
- the client. For example, if the value is 5, the server SHOULD
- send the cookie back in the entryUpdate control value for every 5
- search results returned to the client. If this value is absent,
- zero or less than zero, the server chooses the interval.
-
- cookie - a value that represents the current state of the client's
- data. If a cookie is provided, the server MUST use the enclosed
- scheme throughout the duration of the LCUP session or until an
- LCUP context boundary is crossed, since a new cookie may be
- required in that case. If the value or scheme part of the cookie
- is invalid, the server MUST return immediately with a
- SearchResultDone message with the resultCode set to the value of
- lcupInvalidCookie. If the scheme part of the cookie is a valid
- OID, but is not supported, the server MUST return immediately
- with a SearchResultDone message with the resultCode set to the
- value of lcupUnsupportedScheme.
-
- If the cookie is omitted, the server MAY use any scheme it
- supports.
-
-4.5 Entry Update Control Value
-
- In response to the client's synchronization request, the server
- returns one or more SearchResultEntry PDU that fits the client's
- specification. Each SearchResultEntry PDU also contains an
- entryUpdateControl that describes the LCUP state of the returned
-
-Megginson, et. al. Proposed Standard - Expires: December 2002 5
-\f
-
-
- entry. To represent a deleted entry, the server attaches an
- entryUpdate control to the corresponding SearchResultEntry. The
- SearchResultEntry corresponding to a deleted entry MUST contain a
- valid DN and SHOULD contain a valid UUID but, to reduce the amount
- of data sent to the client, it SHOULD not contain any other
- attributes.
-
- Furthermore, the server may elect to periodically return to the
- client the cookie that represents the state of the client's data.
- This information is useful in case the client crashes or gets
- disconnected. The client MAY specify how often to receive the cookie
- by the use of the sendCookieInterval in the clientUpdate control
- value (see above). If the client does not specify a value, the
- server will determine the interval.
-
- The controlType field for the entryUpdate control is
- EntryUpdateControlOID (to be assigned). The controlValue is an
- OCTET STRING, whose contents are the bytes of the BER encoding of
- the following:
-
- EntryUpdateControlValue ::= SEQUENCE {
- stateUpdate BOOLEAN,
- entryDeleted BOOLEAN,
- cookie LCUPCookie OPTIONAL
-
- }
-
- stateUpdate - if set to TRUE, indicates that the entry to which the
- control is attached contains no changes and it is sent only to
- communicate to the client the new cookie. In this case, the
- entryDeleted field MUST be ignored and the cookie field MUST
- contain the updated cookie. This feature allows updating the
- client's cookie when there are no changes that effect the
- client's data store. Note that the control MUST be attached to a
- valid SearchResultEntry, which should contain a valid LDAPDN in
- the objectName field, and MAY contain an entryUUID attribute, but
- SHOULD NOT contain any other attributes. The server MAY send the
- entry named by the baseObject from the client's search request.
-
- entryDeleted - if set to TRUE, indicates that the entry to which
- the control is attached was deleted. The server MAY also set
- this to TRUE if the entry has left the client's search result
- set. As far as the client is concerned, a deleted entry is no
- different than an entry that has left the result set.
-
- cookie - the LCUP cookie value that represents the current state of
- the client's data.
-
-4.6 Client Update Done Control Value
-
- When the server has finished processing the client's request, it
- attaches a clientUpdateDone control to the SearchResultDone message
- and sends it to the client. However, if the SearchResultDone message
- contains a resultCode that is not success or lcupClientDisconnect,
-
-Megginson, et. al. Proposed Standard - Expires: December 2002 6
-\f
-
-
- the clientUpdateDone control MAY be omitted. The controlType field
- for the clientUpdateDone control is ClientUpdateDoneControlOID (to
- be assigned). The controlValue is an OCTET STRING, whose contents
- are the bytes of the BER encoding of the following:
-
- ClientUpdateDoneControlValue ::= SEQUENCE {
- cookie LCUPCookie OPTIONAL
- }
-
- cookie - the LCUP cookie value that represents the current state of
- the client's data. Although this value is OPTIONAL, it MUST be set
- in the ClientUpdateDoneControlValue if the SearchResultDone
- resultCode is success or lcupClientDisconnect. This provides a
- good "checksum" of what the server thinks the state of the client
- is. If some error occurred, either an LDAP search error (e.g.
- insufficientAccessRights) or an LCUP error (e.g.
- lcupUnsupportedScheme), the cookie MAY be omitted.
-
- If server resources become tight, the server can terminate one or
- more search operations by sending a SearchResultDone message to the
- client(s) with a resultCode of lcupResourcesExhausted. Unless the
- client sets the updateType field to persistOnly, the server attaches
- a clientUpdateDone control that contains the cookie that corresponds
- to the current state of the client's data. A server set policy is
- used to decide which searches to terminate. This can also be used as
- a security mechanism to disconnect clients that are suspected of
- malicious actions, but if the server can infer that the client is
- malicious, the server should return lcupSecurityViolation instead.
-
-4.7 Client Initiated Termination
-
- If the client needs to terminate the synchronization process and it
- wishes to obtain the cookie that represents the current state of its
- data, it issues an LDAP Cancel operation [CANCEL]. The server
- responds immediately with a LDAP Cancel response [CANCEL]. The
- server MAY send any pending SearchResultEntry PDUs if the server
- cannot easily abort or remove those search results from its outgoing
- queue. The server SHOULD send as few of these remaining
- SearchResultEntry PDUs as possible. Finally, the server sends the
- message SearchResultDone with the clientUpdateDone control attached.
-
- If the client is not interested in the state information, it can
- simply abandon the search operation or disconnect from the server.
-
-4.8 Protocol Flow
-
- The client server interaction can proceed in three different ways
- depending on the client's requirements. Protocol flows beginning
- with an asterisk (*) are optional or conditional.
-
- If the client's intent is not to synchronize data but to trigger
- actions in response to directory modifications, the protocol
- proceeds as follows:
-
-
-Megginson, et. al. Proposed Standard - Expires: December 2002 7
-\f
-
-
- C->S Sends a search operation with a clientUpdate control attached.
- The search specification determines the part of the DIT the
- client wishes to synchronize with and the set of attributes it
- is interested in. The updateType field of the control value
- should be set to persistOnly.
- *S->C If there is an error (invalid search scope, invalid cookie)
- the server returns the appropriate error codes and terminates
- the request (SearchResultDone message with optional
- clientUpdateDone control)
- S->C Sends change notification to the client for each change to the
- data within the client's search specification. Each
- SearchResultEntry may have an entryUpdate control attached.
- *S->C If the server starts to run out of resources or the client is
- suspected of malicious actions, the server SHOULD terminate
- the search operation by sending to the client a
- SearchResultDone message with optional clientUpdateDone
- control attached. The resultCode in the SearchResultDone
- mesasge SHOULD be set to lcupResourcesExhausted or
- lcupSecurityViolation depending on the reason for termination.
- *C->S If the client receives lcupResourcesExhausted error from the
- server, it MUST wait for a while before attempting another
- synchronization session with the server. It is RECOMMENDED
- that clients use an exponential backoff strategy.
- C->S The client terminates the search. The client can do this by
- abandoning the search operation, disconnecting from the
- server, or by sending an LDAP Cancel operation.
- *S->C If the server receives the LDAP Cancel op, it will immediately
- send back the LDAP Cancel response
- *S->C If the server sent the LDAP Cancel response, the server MAY
- send any pending SearchResultEntry PDUs in its outgoing queue
- *S->C If the server sent the LDAP Cancel response, after the server
- sends the response and any pending SearchResultEntry PDUs, the
- server sends the SearchResultDone message with the
- clientUpdateDone control attached. The resultCode in the
- SearchResultDone message will be either lcupClientDisconnect
- or some LDAP error code (not success).
- S->C Stops sending changes to the client and closes the connection.
-
- If the client's intent is to synchronize with the server and then
- disconnect, the protocol proceeds as follows:
-
- C->S Sends a search operation with the clientUpdate control
- attached. The search specification determines the part of the
- DIT the client wishes to synchronize with, the set of
- attributes it is interested in and the amount of data the
- client is willing to receive. If this is the initial
- synchronization session, the client either does not provide a
- cookie or provides a cookie with no value; otherwise, the
- cookie field of the control is set to the cookie received from
- the server at the end of the last synchronization session. If
- the scheme field of the cookie was provided, the server MUST
- use that scheme throughout the duration of the LCUP session or
- until an LCUP boundary is crossed, since the server will
- usually require a different cookie in that case anyway. (Note
-
-Megginson, et. al. Proposed Standard - Expires: December 2002 8
-\f
-
-
- that the client can synchronize with different servers during
- different synchronization sessions.) The updateType field of
- the control value is set to synchronizeOnly.
- *S->C If there is an error (invalid search scope, invalid cookie)
- the server returns the appropriate error codes and terminates
- the request (SearchResultDone message with optional
- clientUpdateDone control)
- *S->C If no cookie is specified in the clientUpdate control, or if
- the value field of the cookie is empty, the server sends all
- data that matches the client's search specification followed
- by the SearchResultDone message with a clientUpdateDone
- control attached. The control contains the cookie that
- corresponds to the current state of the client's data. If
- synchronization was successful, the resultCode in the
- SearchResultDone message should be success.
- *S->C If an invalid cookie is specified, the server sends the
- SearchResultDone message with the resultCode set to
- lcupInvalidCookie.
- *S->C If a valid cookie is specified and the data that matches the
- search specification has been reloaded or the server does not
- contain enough state information to synchronize the client,
- the server sends a SearchResultDone message with the
- resultCode set to lcupReloadRequired.
- *S->C If the cookie is valid and the client is up to date, the
- server sends a success response to the client.
- S->C If the cookie is valid and there is data to be sent, the
- server sends the modified entries to the client. Each
- SearchResultEntry contains the attributes requested by the
- client in the search specification regardless of whether they
- were modified. An entryUpdate control with the entryDeleted
- field set to TRUE MUST be attached to every deleted entry. The
- server may also periodically attach an entryUpdate control to
- the entries sent to the client to indicate the current state
- of the client's data. In that case, the cookie field of the
- control represents the state of the client's data including
- the entry to which the control is attached. Once all the
- changes are sent successfully, the server sends a
- SearchResultDone with the clientUpdateDone control attached.
- The control contains the cookie that represents the current
- state of the client's data. The resultCode in the
- SearchResultDone message is set to success. If the resultCode
- is not success, the server may OPTIONALLY attach the
- clientUpdateDone control to the SearchResultDone message.
- The client stores the cookie received from the server until
- the next synchronization session.
- *C->S If the resultCode in the SearchResultDone message is set
- lcupReloadRequired, the client clears its data store and
- repeats the synchronization process by sending the search
- operation with clientUpdate control that contains no cookie,
- or that contains a cookie with no value field.
-
- If the client's intent is to be synchronized with the server and
- stay notified about data modifications, the protocol proceeds as
- follows:
-
-Megginson, et. al. Proposed Standard - Expires: December 2002 9
-\f
-
-
-
- C->S The client behaves exactly as in the previous case except it
- sets the updateType field in the control value to
- synchronizeAndPersist.
- S->C The server behaves exactly as in the previous case except the
- connection is kept open after the initial set of changes is
- sent to the client. A SearchResultDone message is not sent to
- the client; instead, the server keeps sending changes to the
- client.
- *S->C If the server starts to run out of resources or the client is
- suspected of malicious actions, the server SHOULD terminate
- the search operation by sending to the client a
- SearchResultDone message with the resultCode set to
- lcupResourcesExhausted or lcupSecurityViolation depending on
- the reason for termination.
- *C->S If the client receives lcupResourcesExhausted error from the
- server, it MUST wait for a while before attempting another
- synchronization session with the server. We recommend
- exponential backoff strategy.
- C->S Sends an LDAP Cancel operation to the server to terminate the
- synchronization session.
- S->C Responds with an LDAP Cancel response, followed optionally by
- SearchResultEntry PDUs, followed by a SearchResultDone with
- the clientUpdateDone control optionally attached. If the
- control is present, it contains the cookie that represents the
- current state of the client's data. The value of the
- resultCode in the SearchResultDone message will be either
- lcupClientDisconnect or some other LDAPResult resultCode (not
- success). The control may not be present if some error
- occurred.
-
-4.9 Size and Time Limits
-
- The search request size or the time limits can only be imposed for
- non-persistent operations, those that set the updateType field of
- the ClientUpdateControlValue to synchronizeOnly (for the entire
- operation) or synchronizeAndPersist (for the initial synchronization
- phase only). All other operations MUST set both limits to 0. The
- server SHOULD ignore the limits set for persistent operations.
-
-4.10 Changes vs. Operations
-
- A server that supports UUIDs SHOULD communicate a modifyDN
- operation by sending the client the current form of the entry (with
- its new DN) along with an entryUUID attribute. A server that does
- not support UUIDs SHOULD communicate a modifyDN operation by sending
- the client a deletion for the previous DN followed by an entry for
- the new DN. Note that for servers that do not support UUIDs, no
- guarantees are made about the correctness of the client state in the
- presence of modifyDN operations.
-
- Communicating modifyDN operations by sending a delete of the old DN
- followed by an entry with the new DN makes it impossible for an LCUP
- client to distinguish between a modifyDN operation, which is one
-
-Megginson, et. al. Proposed Standard - Expires: December 2002 10
-\f
-
-
- atomic operation, and an delete operation followed by an add of a
- new entry. The loss of information about atomicity may cause
- problems for some LCUP clients. For example, when an entry is
- renamed, a client that manages resources such as a person's mailbox
- might delete the mailbox and everything in it instead of merely
- changing the name associated with the mailbox.
-
- Also note that regardless of how a modifyDN operation is
- communicated to the client, if the client state shows that the
- object that underwent the modifyDN operation was the root of a
- subtree, the client MUST infer that the DNs of all objects in the
- subtree have changed such that they reflect the new DN of the
- subtree root.
-
-4.11 Operations on the Same Connection
-
- It is permissible for the client to issue other LDAP operations on
- the connection used by the protocol. Since each LDAP
- request/response carries a message id there will be no ambiguity
- about which PDU belongs to which operation. By sharing the
- connection among multiple operations, the server will be able to
- conserve its resources.
-
-4.12 Interactions with Other LDAP Search and Response Controls
-
- LCUP defines neither restrictions nor guarantees about the ability
- to use the LDAP client update control defined in this document in
- conjunction with other LDAP controls, except for the following: A
- server MAY ignore non-critical controls supplied with the LCUP
- control. A server MAY ignore the LCUP control if it is non-critical
- and it is supplied with other critical controls. If a server
- receives a critical LCUP control with another critical control, and
- the server does not support both controls at the same time, the
- server SHOULD return unavailableCriticalExtension.
-
-5. Additional Features
-
- There are several features present in other protocols or considered
- useful by clients that are currently not included in the protocol
- primarily because they are difficult to implement on the server.
- These features are briefly discussed in this section. This section
- is intended to open a discussion on the merits of including and
- approaches to implementing these features.
-
-5.1 Triggered Search Change Type
-
- This feature is present in the Triggered Search specification. A
- flag is attached to each entry returned to the client indicating the
- reason why this entry is returned. The possible reasons from the
- draft are
- "- notChange: the entry existed in the directory and matched the
- search at the time the operation is being performed,
- - enteredSet: the entry entered the result,
- - leftSet: the entry left the result,
-
-Megginson, et. al. Proposed Standard - Expires: December 2002 11
-\f
-
-
- - modified: the entry was part of the result set, was modified or
- renamed, and still is in the result set."
-
- The leftSet feature is particularly useful because it indicates to
- the client that an entry is no longer within the client's search
- specification and the client can remove the associated data from its
- data store. Ironically, this feature is the hardest to implement on
- the server because the server does not keep track of the client's
- state and has no easy way of telling which entries moved out of
- scope between synchronization sessions with the client.
-
- A compromise could be reached by only providing this feature for the
- operations that occur while the client is connected to the server.
- This is easier to accomplish because the decision about the change
- type can be made based only on the change without need for any
- historical information. This, however, would add complexity to the
- protocol.
-
-5.2 Persistent Search Change Type
-
- This feature is present in the Persistent Search specification.
- Persistent search has the notion of changeTypes. The client
- specifies which type of updates will cause entries to be returned,
- and optionally whether the server tags each returned entry with the
- type of change that caused that entry to be returned.
-
- For LCUP, the intention is full synchronization, not partial. Each
- entry returned by an LCUP search will have some change associated
- with it that may concern the client. The client may have to have a
- local index of entries by DN or UUID to determine if the entry has
- been added or just modified. It is easy for clients to determine if
- the entry has been deleted because the entryDeleted value of the
- entryUpdateControl will be TRUE.
-
-5.3 Sending Changes
-
- Some earlier synchronization protocols sent the client(s) only the
- modified attributes of the entry rather than the entire entry. While
- this approach can significantly reduce the amount of data returned
- to the client, it has several disadvantages. First, unless a
- separate mechanism (like the change type described above) is used to
- notify the client about entries moving into the search scope,
- sending only the changes can result in the client having an
- incomplete version of the data. Let's consider an example. An
- attribute of an entry is modified. As a result of the change, the
- entry enters the scope of the client's search. If only the changes
- are sent, the client would never see the initial data of the entry.
- Second, this feature is hard to implement since the server might not
- contain sufficient information to construct the changes based solely
- on the server's state and the client's cookie. On the other hand,
- this feature can be easily implemented by the client assuming that
- the client has the previous version of the data and can perform
- value by value comparisons.
-
-
-Megginson, et. al. Proposed Standard - Expires: December 2002 12
-\f
-
-
-5.4 Data Size Limits
-
- Some earlier synchronization protocols allowed clients to control
- the amount of data sent to them in the search response. This feature
- was intended to allow clients with limited resources to process
- synchronization data in batches. However, an LDAP search operation
- already provides the means for the client to specify the size limit
- by setting the sizeLimit field in the SearchRequest to the maximum
- number of entries the client is willing to receive. While the
- granularity is not the same, the assumption is that regular LDAP
- clients that can deal with the limitations of the LDAP protocol will
- implement LCUP.
-
-5.5 Data Ordering
-
- Some earlier synchronization protocols allowed a client to specify
- that parent entries should be sent before the children for add
- operations and children entries sent before their parents during
- delete operations. This ordering helps clients to maintain a
- hierarchical view of the data in their data store. While possibly
- useful, this feature is relatively hard to implement and is
- expensive to perform.
-
-6. Client Side Considerations
-
- Clients SHOULD always specify entryUUID in the SearchRequest
- attribute list.
-
- The cookie received from the server after a synchronization session
- can only be used with the same or more restrictive search
- specification than the search that generated the cookie. The server
- will reject the search operation with a cookie that does not satisfy
- this condition. This is because the client can end up with an
- incomplete data store otherwise. A more restrictive search
- specification is the one that generates a subset of the data
- produced by the original search specification.
-
- Because an LCUP client specifies the area of the tree with which it
- wishes to synchronize through the standard LDAP search
- specification, the client can be returned noSuchObject error if the
- root of the synchronization area was renamed between the
- synchronization sessions or during a synchronization session. If
- this condition occurs, the client can attempt to locate the root by
- using the root's UUID saved in client's local data store. It then
- can repeat the synchronization request using the new search base. In
- general, a client can detect that an entry was renamed and apply the
- changes received to the right entry by using the UUID rather than DN
- based addressing.
-
- Each active persistent operation requires that an open TCP
- connection be maintained between an LDAP client and an LDAP server
- that might not otherwise be kept open. Therefore, client
- implementors are encouraged to avoid using persistent operations for
- non-essential tasks and to close idle LDAP connections as soon as
-
-Megginson, et. al. Proposed Standard - Expires: December 2002 13
-\f
-
-
- practical. The server may close connections if server resources
- become tight.
-
- The client MAY receive a continuation reference
- (SearchResultReference [RFC2251 SECTION 4.5.3]) if the search
- request spans multiple parts of the DIT, some of which may require a
- different LCUP cookie, some of which may not even be managed by
- LCUP. The client SHOULD maintain a cache of the LDAP URLs returned
- in the continuation references and the cookies associated with them.
- The client is responsible for performing another LCUP search to
- follow the references, and SHOULD use the cookie corresponding to
- the LDAP URL for that reference (if it has a cookie).
-
- The client may receive a referral (Referral [RFC2251 SECTION
- 4.1.11]) when the search base is a subordinate reference, and this
- will end the operation.
-
- For alias dereferencing, the server will behave as if the client had
- requested neverDerefAliases or derefFindingBaseObj as the
- derefAliases field in the search request [RFC2251, Section 4.5.1].
- If the client specifies a value other than neverDerefAliases or
- derefFindingBaseObj, the server will return protocolError to the
- client.
-
- Changes to data (e.g., that might affect the LCUP client's filter or
- scope) or meta-data (e.g., that might affect the client's read
- access) may affect the presence of entries in the search set.
- Servers MAY notify LCUP clients of changes to the search set that
- result from such changes, but an LCUP client MUST NOT assume that
- such notification will occur. Therefore, in the case where a client
- is maintaining a cache of entries using LCUP, the data held by the
- client may be a superset or a subset of the entries that would be
- returned by a new search request. For example, if access control
- meta information is changed to deny access to particular entries in
- the search result set, and the access control information is outside
- of the search scope (e.g., in a parent entry), the client may have
- entries stored locally which are no longer part of its desired
- search set. Similarly, if entries are added to the search result
- set due to changes in meta-data, the client's cache of entries may
- not include these entries.
-
- Some clients may wish to perform an initial synchronization in order
- to prime a cache or establish a baseline set of entries, then look
- for changes after that. The recommended way to do this is to first
- issue an LCUP search with the updateType field of the clientUpdate
- control value set to synchronizeOnly, then after that search
- successfully completes, immediately issue an LCUP search with the
- updateType field of the clientUpdate control value set to
- synchronizeAndPersist.
-
- Some clients may have unreliable connections, for example, a
- wireless device or a WAN connection. These clients may want to
- insure that the cookie is returned often in the entryUpdate control
- value, so that if they have to reconnect, they do not have to
-
-Megginson, et. al. Proposed Standard - Expires: December 2002 14
-\f
-
-
- process many redundant entries. These clients should set the
- sendCookieInterval in the clientUpdate control value to a low
- number, perhaps even 1. Also, some clients may have a limited
- bandwidth connection, and may not want to receive the cookie very
- often, or even at all (however, the cookie is always sent back in
- the clientUpdateDone control value upon successful completion).
- These clients should set the sendCookieInterval in the clientUpdate
- control value to a high number.
-
-7. Server Implementation Considerations
-
- Servers SHOULD support UUIDs. Otherwise, it will be very difficult
- to support modifyDN operations. Adding support for UUIDs should be
- seen as a necessary component of LCUP.
-
- By design, the protocol supports multiple cookie schemes. This is
- to allow different implementations the flexibility of storing any
- information applicable to their environment. A reasonable
- implementation for an LDUP compliant server would be to use the
- Replica Update Vector (RUV). For each master, RUV contains the
- largest CSN seen from this master. In addition, the RUV implemented
- by some directory servers (not yet in LDUP) contains replica
- generation - an opaque string that identifies the replica's data
- store. The replica generation value changes whenever the replica's
- data is reloaded. Replica generation is intended to signal the
- replication/synchronization peers that the replica's data was
- reloaded and that all other replicas need to be reinitialized. RUV
- satisfies the three most important properties of the cookie: (1) it
- uniquely identifies the state of client's data, (2) it can be used
- to synchronize with multiple servers, and (3) it can be used to
- detect that the server's data was reloaded.
-
- A server may support one or more LCUP cookie schemes. It is
- expected that schemes will be published along with their OIDs as
- RFCs. If a client initiates an LCUP session with a particular
- scheme, the server MUST use that same scheme throughout the LCUP
- session, or until an LCUP context boundary is crossed, in which case
- the server will usually require a different cookie anyway.
-
- In addition, the cookie must contain enough information to allow the
- server to determine whether the cookie can be safely used with the
- search specification it is attached to. As discussed earlier in the
- document, the cookie can only be used with the search specification
- that is equally or more restrictive than the one for which the
- cookie was generated.
-
- An implementation must make sure that it can correctly update the
- client's cookie when there is a size limit imposed on the search
- results by either the client's request or by the server's
- configuration. If RUV is used as the cookie, entries last modified
- by a particular master must be sent to the client in the order of
- their last modified CSN. This ordering guarantees that the RUV can
- be updated after each entry is sent.
-
-
-Megginson, et. al. Proposed Standard - Expires: December 2002 15
-\f
-
-
- The server's DIT may be partitioned into different sections which
- may have different cookies associated with them. For example, some
- servers may use some sort of replication mechanism to support LCUP.
- If so, the DIT may be partitioned into multiple replicas. A client
- may send an LCUP search request that spans multiple replicas. Some
- parts of the DIT spanned by the search request scope may be managed
- by LCUP and some may not. A part of the DIT which is enabled for
- LCUP is referred to as an LCUP Context. The server SHOULD send a
- SearchResultReference [RFC2251, SECTION 4.5.3] when the LCUP Context
- for a returned entry changes. The server SHOULD return all entries
- for a particular LCUP Context before returning a reference to other
- LCUP Contexts or non-LCUP enabled parts of the DIT, in order to
- minimize the processing burden on the clients. The LDAP URL(s)
- returned MUST contain the DN(s) of the base of another section of
- the DIT (however the server implementation has partitioned the DIT).
- The client will then issue another LCUP search using the LDAP URL
- returned. Each section of the DIT MAY require a different cookie
- value, so the client SHOULD maintain a cache, mapping the different
- LDAP URL values to different cookies. If the cookie changes, the
- scheme may change as well, but the cookie scheme MUST be the same
- within a given LCUP Context.
-
- An implementation SHOULD notify the client about all entries deleted
- from the search set since the client's last session, but an LCUP
- client MUST NOT assume that such notification will occur. For
- example, the server might not notify the client of the deletion of
- an object if the object left the search set following the client's
- last synchronization and prior to the object's deletion. An LDUP
- compliant implementation can achieve this through the use of entry
- tombstones. The implementation should avoid aggressive tombstone
- purging since lack of tombstones would cause client's data to be
- reloaded. We suggest that only the tombstone content be removed
- during the regular trimming cycle while tombstones themselves are
- discarded much less frequently.
-
- The specification makes no guarantees about how soon a server should
- send notification of a changed entry to the client when the
- connection between the client and the server is kept open. This is
- intentional as any specific maximum delay would be impossible to
- meet in a distributed directory service implementation. Server
- implementors are encouraged to minimize the delay before sending
- notifications to ensure that clients' needs for timeliness of change
- notification are met.
-
- Implementors of servers that support the mechanism described in this
- document should ensure that their implementation scales well as the
- number of active persistent operations and the number of changes
- made in the directory increases. Server implementors are also
- encouraged to support a large number of client connections if they
- need to support large numbers of persistent operations.
-
-8. Synchronizing Heterogeneous Data Stores
-
-
-
-Megginson, et. al. Proposed Standard - Expires: December 2002 16
-\f
-
-
- Clients, like a meta directory join engine, synchronizing multiple
- writable data stores will only work correctly if each piece of
- information is single mastered (for instance, only by an LDUP
- compliant directory). This is because different systems have
- different notions of time and different update resolution
- procedures. As a result, a change applied on one system can be
- discarded by the other, thus preventing the data stores from
- converging.
-
-9. Security Considerations
-
- In some situations, it may be important to prevent general exposure
- of information about changes that occur in an LDAP server.
- Therefore, servers that implement the mechanism described in this
- document SHOULD provide a means to enforce access control on the
- entries returned and MAY also provide specific access control
- mechanisms to control the use of the controls and extended
- operations defined in this document.
-
- As with normal LDAP search requests, a malicious client can initiate
- a large number of persistent search requests in an attempt to
- consume all available server resources and deny service to
- legitimate clients. The protocol provides the means to stop
- malicious clients by disconnecting them from the server. The servers
- that implement the mechanism SHOULD provide the means to detect the
- malicious clients. In addition, the servers SHOULD provide the means
- to limit the number of resources that can be consumed by a single
- client.
-
- Access control on the data can be modified in such a way that the
- data is no longer visible to the client. The specification does not
- specify how the server should handle this condition. Moreover, data
- consistency is not guaranteed if access control is changed from a
- more restrictive to a less restrictive one. This is because access
- control can be considered as an additional filter on the search
- specification and the protocol does not support going from a more to
- a less restrictive search specification. See Client Side
- Considerations Section for more detailed explanation of the problem.
-
-10. Normative References
-
- [KEYWORDS] S. Bradner, "Keywords for use in RFCs to Indicate
- Requirement Levels", RFC 2119, March 1997.
-
- [RFC2251] M. Wahl, T. Howes, S. Kille "Lightweight Directory
- Access Protocol", RFC 2251, December 1997.
-
- [RFC2252] M. Wahl, A. Coulbeck, T. Howes, S. Kille, "Lightweight
- Directory Access Protocol (v3): Attribute Syntax
- Definitions", RFC 2252, December 1997.
-
- [CANCEL] K. Zeilenga, "LDAP Cancel Extended Operation",
- draft-zeilenga-ldap-cancel-xx.txt, a work in progress.
-
-
-Megginson, et. al. Proposed Standard - Expires: December 2002 17
-\f
-
-
-11. Acknowledgements
-
- The LCUP protocol is based in part on the Persistent Search Change
- Notification Mechanism defined by Mark Smith, Gordon Good, Tim
- Howes, and Rob Weltman, the LDAPv3 Triggered Search Control defined
- by Mark Wahl, and the LDAP Control for Directory Synchronization
- defined by Michael Armijo.
-
-12. Author's Addresses
-
- Rich Megginson
- Netscape Communications Corp.
- 901 San Antonio Rd.
- Palo Alto, CA 94303-4900
- Mail Stop SCA17 - 201
- Phone: +1 505 797-7762
- Email: richm@netscape.com
-
- Olga Natkovich
- Yahoo, Inc.
- 701 First Ave.
- Sunnyvale, CA 94089
- Phone: +1 408 349-6153
- Email: olgan@yahoo-inc.com
-
- Mark Smith
- Netscape Communications Corp.
- 901 San Antonio Rd.
- Palo Alto, CA 94303-4900
- Mail Stop SCA17 - 201
- Phone: +1 650 937-3477
- Email: mcs@netscape.com
-
- Jeff Parham
- Microsoft Corporation
- One Microsoft Way
- Redmond, WA 98052-6399
- Phone: +1 425 882-8080
- Email: jeffparh@microsoft.com
-
-13. Full Copyright Statement
- "Copyright (C) The Internet Society (date). All Rights Reserved.
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph
- are included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
-
-Megginson, et. al. Proposed Standard - Expires: December 2002 18
-\f
-
-
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-14. Appendix A - Summary of Changes
-
- Changes new to version 03:
-
- Emphasized the use of UUIDs throughout the document. Implementers
- are strongly encouraged to use UUIDs as a necessary component of
- the protocol.
-
- Removed the LCUP Cancel extended operation in favor of the new
- LDAP Cancel operation [CANCEL].
-
- Got rid of the lcupSuccess result code. All result codes will be
- added to the IANA LDAP result code registry as part of the LDAP
- standard. Also removed the result code and text from the client
- update done control value.
-
- Changed any and all wording suggesting an LCUP Context is related
- to a naming context. New text says an LCUP Context is a part of
- the DIT that supports LCUP, and that a server may have one or more
- LCUP Contexts.
-
- Removed Old Section 4.2: lcupCookieScheme
- We decided that LCUP did not need a discovery mechanism. The
- controls and extended operations will be published in the root DSE
- as per the LDAP standards.
-
- Changed references to "Unique Identifier" to either "Universally
- Unique Identifier" or "UUID".
-
- Added this text to section 6 "Client Side Considerations":
- "- The client may receive a referral (Referral [RFC2251 SECTION
- 4.1.11]) when the search base is a subordinate reference, and
- this will end the operation."
-
- Added a note to section 6 "Client Side Considerations" about how
- to establish a baseline set of entries or entry cache.
-
- Added the field sendCookieInterval to the clientUpdate control
- value.
-
- Added a note to section 6 "Client Side Considerations" explaining
- possible uses of the sendCookieInterval.
-
-Megginson, et. al. Proposed Standard - Expires: December 2002 19
-\f
-
-
-
- Changes new to version 02:
-
- Section 4.2: The lcupCookieScheme operational attribute MUST be
- present in the root DSE, and MAY be present in entries. Each
- value of the attribute in the root DSE will be a list of OIDs of
- cookie schemes followed by the DN of the LCUP context which
- supports the schemes. The attribute value in the DIT entries will
- be the list of OIDs followed by the DN of the LCUP context.
-
- section 4.5 - the entry uuid is now MAY instead of MUST - if
- implementers do not wish to identify entries by a unique ID other
- than DN (which may not be unique), then so be it. For returned
- SearchResultEntry PDUs other than deleted entries, the client MAY
- request that the Unique Identifier attribute be returned by
- specifying it in the attribute list to be returned by the search
- request.
-
- section 4.5 - added "or the base DN of the client's search
- request." to the phrase. "The server MAY send the entry at the
- root of the client's tree, or the base DN of the client's search
- request." I think this clarifies which entry the client may
- search for.
-
- section 4.6 - the clientUpdateDone control is now optional for
- error conditions. Also, the cookie value of the control is now
- optional for lcup error conditions (e.g. not lcupSuccess or
- lcupClientDisconnect).
-
- Added section 4.12 - Interactions with Other LDAP Search and
- Response Controls
-
- Added blurb about alias dereferencing back to section 6:
- "For alias dereferencing, the server will behave as if the client
- had requested neverDerefAliases or derefFindingBaseObj as the
- derefAliases field in the search request [RFC2251, Section 4.5.1].
- If the client specifies a value other than neverDerefAliases or
- derefFindingBaseObj, the server will return protocolError to the
- client."
-
- Changed this in section 6:
- Because an LCUP client specifies the area of the tree with which
- it wishes to synchronize through the standard LDAP search
- specification, the client can be returned noSuchObject error if
- the root of the synchronization area was renamed between the
- synchronization sessions "or during a synchronization session"
-
- Changes new to version 01:
-
- The opaque cookie has been split into two parts - a scheme which
- is an OID, and a value. The value may or may not have a format
- known to the client, depending on the specified scheme. Section
- 4.2 describes the new cookie format and defines the LCUP Cookie
- Value.
-
-Megginson, et. al. Proposed Standard - Expires: December 2002 20
-\f
-
-
-
- Added new section 4.3 - the lcupCookieScheme operational
- attribute.
-
- Changes new to version 00:
-
- Added the definition for Unique Identifier (basically copied from
- the LDUP model doc http://search.ietf.org/internet-drafts/draft-
- ietf-ldup-model-06.txt. I needed to add the definition here
- because LCUP needs a Unique Identifier but should not be dependent
- on LDUP.
-
- Removed all normative references to LDUP. I've left the
- implementation suggestions that refer to LDUP, but LCUP should not
- be dependent on LDUP.
-
- Cleaned up the protocol flows.
-
- Removed this text from section 4.8: "Clients MUST NOT issue
- multiple synchronization requests on the same connection. This is
- because the protocol includes an extended operation and it would
- be impossible to decide which synchronization session it belongs
- to." - This is no longer true, since the extended operation now
- includes the message ID of the search request.
-
- "Client Side Consideration" section - the client will never
- receive a referral or continuation reference
-
- Added section 12. Acknowledgements
-
- Removed normative references to documents not depended on.
-
- Removed explicit references to software vendors.
-
- Section 4.1 - Changed ClientUpdateControlValue to remove the
- keepConnection and changesOnly fields and replace them with
- updateType which is an ENUMERATED with three values:
- synchronizeOnly, synchronizeAndPersist, and persistOnly.
-
- Section 4.2 - The EntryUpdateControlValue fields stateUpdate and
- entryDeleted no longer have DEFAULT values, they must be specified
- - this eliminates any potential ambiguity.
-
- Added this text to the description of the entryDeleted field
- (section 4.2): "The server SHOULD also set this to TRUE if the
- entry has left the clients search result set. As far as the client
- is concerned, a deleted entry is no different than an entry which
- has left the result set."
- Section 4.2 - Added an explanation of the concept and requirement
- for the Unique Identifier.
-
- Section 4.4 - Added to the extended operation a request value
- containing the message id of the operation to stop.
-
-
-Megginson, et. al. Proposed Standard - Expires: December 2002 21
-\f
-
-
- Updated contact information for Olga.
-
- Removed Michael Armijo and added Jeff Parham as an author.
-
- Changes new to previous version:
-
- "Authors" section - added Rich Megginson as the new editor.
-
- "Client Side Consideration" section - added a note and a question
- concerning referral and continuation reference handling.
-
- "Client Update Control Value" section (4.1) - clarified the meaning
- of keepConnection and added a table summarizing the effects of
- different values of keepConnection and changesOnly.
-
- "Stop Client Update Request and Response" - added section 4.4
- describing this extended operation.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Megginson, et. al. Proposed Standard - Expires: December 2002 22
-\f
\ No newline at end of file
INTERNET-DRAFT Kurt D. Zeilenga
Intended Category: Informational OpenLDAP Foundation
-Expires in six months 20 December 2002
+Expires in six months 26 October 2003
LDAP: Requesting Attributes by Object Class
- <draft-zeilenga-ldap-adlist-04.txt>
+ <draft-zeilenga-ldap-adlist-06.txt>
Status of this Memo
This document is intended to be, after appropriate review and
revision, submitted to the RFC Editor as an Informational document.
Distribution of this memo is unlimited. Technical discussion of this
- document will take place on the IETF LDAP Extensions Working Group
- mailing list <ldapext@ietf.org>. Please send editorial comments
- directly to the author <Kurt@OpenLDAP.org>.
+ document will take place on the IETF LDAP Extensions mailing list
+ <ldapext@ietf.org>. Please send editorial comments directly to the
+ author <Kurt@OpenLDAP.org>.
Internet-Drafts are working documents of the Internet Engineering Task
Force (IETF), its areas, and its working groups. Note that other
Internet-Draft Shadow Directories can be accessed at
<http://www.ietf.org/shadow.html>.
- Copyright 2002, The Internet Society. All Rights Reserved.
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
- Please see the Copyright section near the end of this document for
- more information.
+ Please see the Full Copyright section near the end of this document
+ for more information.
Abstract
Zeilenga Requesting Attributes by Object Class [Page 1]
\f
-INTERNET-DRAFT draft-zeilenga-ldap-adlist-04 20 December 2002
+INTERNET-DRAFT draft-zeilenga-ldap-adlist-06 26 October 2003
1. Overview
[RFC2256].
This extension is intended to be used where the user is in direct
- control of the parameters of the LDAP search operation.
+ control of the parameters of the LDAP search operation, such as when
+ entering a LDAP URL [RFC2255] into a web browser.
+
+
+2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in BCP 14 [RFC2119].
+ DSA stands for Directory System Agent (or server).
+ DSE stands for DSA-specific Entry.
+
-2. Return of all Attributes of an Object Class
+3. Return of all Attributes of an Object Class
This extension allows object class identifiers is to be provided in
the attributes field of the LDAP SearchRequest [RFC2251]. For each
unrecognized attribute description.
This extension redefines the attributes field of the SearchRequest to
+
+
+
+Zeilenga Requesting Attributes by Object Class [Page 2]
+\f
+INTERNET-DRAFT draft-zeilenga-ldap-adlist-06 26 October 2003
+
+
be a DescriptionList described by the following ASN.1 [X.680] data
type:
The Description is string conforming to the ABNF [RFC2234]:
-
-
-Zeilenga Requesting Attributes by Object Class [Page 2]
-\f
-INTERNET-DRAFT draft-zeilenga-ldap-adlist-04 20 December 2002
-
-
Description = AttributeDescription | ObjectClassDescription.
ObjectClassDescription = "+" ObjectClass *( ";" options )
zero options in the attributes field of a SearchRequest. Other uses
may be defined in future specifications.
- Servers supporting this feature SHOULD publish the Object Identifier
- 1.3.6.1.4.1.4203.1.11.2 as a value of the 'supportedFeatures'
- [FEATURES] attribute in the root DSE.
+ Servers supporting this feature SHOULD publish the object identifier
+ (OID) 1.3.6.1.4.1.4203.1.11.2 as a value of the 'supportedFeatures'
+ [FEATURES] attribute in the root DSE. Clients supporting this feature
+ SHOULD NOT use the feature unless they have knowledge the server
+ supports it.
3. Security Considerations
4. IANA Considerations
- This OID 1.3.6.1.4.1.4203.1.11.2 to identify the LDAP "OC AD List?
- feature. This OID was assigned [ASSIGN] by OpenLDAP Foundation, under
- its IANA-assigned private enterprise allocation [PRIVATE], for use in
- this specification.
+ The OID 1.3.6.1.4.1.4203.1.11.2 is used to identify the LDAP "OC AD
+ List" feature. This OID was assigned [ASSIGN] by OpenLDAP Foundation,
+ under its IANA-assigned private enterprise allocation [PRIVATE], for
+ use in this specification.
- Registration of this protocol mechansism is requested per BCP 64
+ Registration of this protocol mechanism is requested per BCP 64
[RFC3383].
- Subject: Request for LDAP Protocol Mechansism Registration
+
+
+Zeilenga Requesting Attributes by Object Class [Page 3]
+\f
+INTERNET-DRAFT draft-zeilenga-ldap-adlist-06 26 October 2003
+
+
+ Subject: Request for LDAP Protocol Mechanism Registration
Object Identifier: 1.3.6.1.4.1.4203.1.5.2
Description: OC AD Lists
Person & email address to contact for further information:
Kurt Zeilenga <kurt@openldap.org>
Usage: Feature
- Specification: RFCxxxx
+ Specification: RFC XXXX
Author/Change Controller: Kurt Zeilenga <kurt@openldap.org>
Comments: none
-
-Zeilenga Requesting Attributes by Object Class [Page 3]
-\f
-INTERNET-DRAFT draft-zeilenga-ldap-adlist-04 20 December 2002
-
-
5. Author's Address
Kurt D. Zeilenga
6. Normative References
- [RFC2119] S. Bradner, "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14 (also RFC 2119), March 1997.
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14 (also RFC 2119), March 1997.
- [RFC2234] D. Crocker, P. Overell, "Augmented BNF for Syntax
- Specifications: ABNF", RFC 2234, November 1997.
+ [RFC2234] Crocker, D. and P. Overell, "Augmented BNF for Syntax
+ Specifications: ABNF", RFC 2234, November 1997.
- [RFC2251] M. Wahl, T. Howes, S. Kille, "Lightweight Directory Access
- Protocol (v3)", RFC 2251, December 1997.
+ [RFC2251] Wahl, M., T. Howes and S. Kille, "Lightweight Directory
+ Access Protocol (v3)", RFC 2251, December 1997.
- [RFC2252] M. Wahl, A. Coulbeck, T. Howes, S. Kille, "Lightweight
- Directory Access Protocol (v3): Attribute Syntax
- Definitions", RFC 2252, December 1997.
+ [RFC2252] Wahl, M., A. Coulbeck, T. Howes, and S. Kille,
+ "Lightweight Directory Access Protocol (v3): Attribute
+ Syntax Definitions", RFC 2252, December 1997.
- [RFC3377] J. Hodges, R. Morgan, "Lightweight Directory Access
- Protocol (v3): Technical Specification", RFC 3377,
- September 2002.
+ [RFC3377] Hodges, J. and R. Morgan, "Lightweight Directory Access
+ Protocol (v3): Technical Specification", RFC 3377,
+ September 2002.
- [FEATURES] K. Zeilenga, "Feature Discovery in LDAP",
- draft-zeilenga-ldap-features-xx.txt (a work in progress).
+ [FEATURES] Zeilenga, K., "Feature Discovery in LDAP",
+ draft-zeilenga-ldap-features-xx.txt, a work in progress.
- [X.680] ITU-T, "Abstract Syntax Notation One (ASN.1) -
- Specification of Basic Notation", X.680, 1994.
+ [X.680] International Telecommunication Union -
+ Telecommunication Standardization Sector, "Abstract
+ Syntax Notation One (ASN.1) - Specification of Basic
+ Notation", X.680(1997) (also ISO/IEC 8824-1:1998).
7. Informative References
- [RFC2256] M. Wahl, "A Summary of the X.500(96) User Schema for use
- with LDAPv3", RFC 2256, December 1997.
- [RFC3383] K. Zeilenga, "IANA Considerations for LDAP", RFC 3383,
- September 2002.
- [ASSIGN] OpenLDAP Foundation, "OpenLDAP OID Delegations",
- http://www.openldap.org/foundation/oid-delegate.txt.
- [PRIVATE] IANA, "Private Enterprise Numbers",
- http://www.iana.org/assignments/enterprise-numbers.
+Zeilenga Requesting Attributes by Object Class [Page 4]
+\f
+INTERNET-DRAFT draft-zeilenga-ldap-adlist-06 26 October 2003
+ [RFC2255] Howes, T. and M. Smith, "The LDAP URL Format", RFC 2255,
+ December, 1997.
+ [RFC2256] Wahl, M., "A Summary of the X.500(96) User Schema for
+ use with LDAPv3", RFC 2256, December 1997.
+
+ [RFC3383] Zeilenga, K., "IANA Considerations for LDAP", BCP 64
+ (also RFC 3383), September 2002.
+
+ [ASSIGN] OpenLDAP Foundation, "OpenLDAP OID Delegations",
+ http://www.openldap.org/foundation/oid-delegate.txt.
+
+ [PRIVATE] IANA, "Private Enterprise Numbers",
+ http://www.iana.org/assignments/enterprise-numbers.
-Zeilenga Requesting Attributes by Object Class [Page 4]
-\f
-INTERNET-DRAFT draft-zeilenga-ldap-adlist-04 20 December 2002
+Full Copyright
-Copyright 2002, The Internet Society. All Rights Reserved.
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published and
+ or assist in its implmentation may be prepared, copied, published and
distributed, in whole or in part, without restriction of any kind,
provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
copyrights defined in the Internet Standards process must be followed,
or as required to translate it into languages other than English.
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE AUTHORS, THE INTERNET SOCIETY, AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-
-
-
-
-
-
-
-
INTERNET-DRAFT Kurt D. Zeilenga
Intended Category: Standard Track OpenLDAP Foundation
-Expires in six months 11 May 2003
+Expires in six months 25 October 2003
The LDAP Assertion Control
- <draft-zeilenga-ldap-assert-00.txt>
+ <draft-zeilenga-ldap-assert-01.txt>
Status of this Memo
revision, submitted to the IESG for consideration as a Standard Track
document. Distribution of this memo is unlimited. Technical
discussion of this document will take place on the IETF LDAP
- Extensions Working Group mailing list <ldapext@ietf.org>. Please send
- editorial comments directly to the author <Kurt@OpenLDAP.org>.
+ Extensions mailing list <ldapext@ietf.org>. Please send editorial
+ comments directly to the author <Kurt@OpenLDAP.org>.
Internet-Drafts are working documents of the Internet Engineering Task
Force (IETF), its areas, and its working groups. Note that other
This document defines the Lightweight Directory Access Protocol (LDAP)
Assertion Control which allows a client to specify that a directory
- operation should only be processed if the assertion when applied to
- the target entry of the operation. It can be used to construct "test
- and set" and "test and clear" operations.
+ operation should only be processed if an assertion applied to the
+ target entry of the operation is true. It can be used to construct
+ "test and set" and "test and clear" and other conditional operations.
Zeilenga LDAP Assertion Control [Page 1]
\f
-INTERNET-DRAFT draft-zeilenga-ldap-assert-00 11 May 2003
+INTERNET-DRAFT draft-zeilenga-ldap-assert-01 25 October 2003
1. Overview
This document defines the Lightweight Directory Access Protocol (LDAP)
[RFC3377] assertion control. The assertion control allows the client
- to specify a condition which allows the operation to be processed
- normally only when true. Otherwise the operation fails.
+ to specify a condition which must be true for the operation to be
+ processed normally. Otherwise the operation fails.
The control can be used with the Modify operation [RFC2251] to perform
- atomic "test and set" and "test and clear" operations as the the
- asserted condition is evaluated as an integral part the operation.
- The control may be attached to other update operations to support
- conditional add, delete, and renaming of objects.
+ atomic "test and set" and "test and clear" operations as the asserted
+ condition is evaluated as an integral part the operation. The control
+ may be attached to other update operations to support conditional add,
+ delete, and renaming of objects.
The control may also be used with the search operation. Here the
assertion is applied to the base object of the search before searching
2. Terminology
- Protocol elements are described using ASN.1 [X.680]. The term
- "BER-encoded" means the element is to be encoded using the Basic
- Encoding Rules [X.690] under the restrictions detailed in Section 5.1
- of [RFC2251].
+ Protocol elements are described using ASN.1 [X.680] with implicit
+ tags. The term "BER-encoded" means the element is to be encoded using
+ the Basic Encoding Rules [X.690] under the restrictions detailed in
+ Section 5.1 of [RFC2251].
- DN stands for Distinguished Name.
- DSA stands for Directory System Agent (i.e., a directory server).
+ DSA stands for Directory System Agent (or server).
DSE stands for DSA-specific Entry.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
[RFC2251, Section 4.5.1]. The criticality may be TRUE or FALSE.
There is no corresponding response control.
- Servers implementing this technical specification SHOULD publish
- IANA-ASSIGNED-OID as a value of the 'supportedControl' attribute
- [RFC2252] in their root DSE.
-
+ The control is appropriate for both LDAP interrogation and update
+ operations [RFC2251] including Add, Compare, Delete, Modify, ModifyDN
+ (rename), and Search. It is inappropriate for Abandon, Bind nor
+ Unbind operations. It is also inappropriate for the Start TLS
+ [RFC2830] operation.
Zeilenga LDAP Assertion Control [Page 2]
\f
-INTERNET-DRAFT draft-zeilenga-ldap-assert-00 11 May 2003
+INTERNET-DRAFT draft-zeilenga-ldap-assert-01 25 October 2003
- The control is appropriate for both LDAP interrogation and update
- operations [RFC2251] including Add, Compare, Delete, Modify, ModifyDN
- (rename), and Search. It is not appropriate for Abandon, Bind nor
- Unbind operations. Nor is it appropriate for the Start TLS [RFC2830]
- operation.
-
When the control is attached to an LDAP request, the processing of the
request is conditional on the evaluation of the Filter as applied
against the target of the operation. If the Filter evaluates to TRUE,
then the request is processed normally. If the Filter evaluates to
- FALSE, then assertionFailed (IANA-ASSIGNED-CODE) resultCode is
- returned and no further processing is performed.
+ FALSE or Undefined, then assertionFailed (IANA-ASSIGNED-CODE)
+ resultCode is returned and no further processing is performed.
For Add, Compare, and ModifyDN the target is indicated by the entry
field in the request. For Modify, the target is indicated by the
type. For the Compare operation and all update operations, the
evaluation of the assertion MUST be performed as an integral part of
the operation. That is, the evaluation of the assertion and the
- normal processing SHALL be done as one atomic action.
+ normal processing of the operation SHALL be done as one atomic action.
For search operation, the target is indicated by the baseObject field
and the evaluation is done after "finding" but before "searching"
[RFC2251]. Hence, if the evaluation fails, no entries or
continuations references are returned.
+ Servers implementing this technical specification SHOULD publish the
+ object identifier IANA-ASSIGNED-OID as a value of the
+ 'supportedControl' attribute [RFC2252] in their root DSE. A server
+ MAY choose to advertise this extension only when the client is
+ authorized to use it.
+
Other documents may specify how this control applies to other LDAP
- operations. In doing so, they must how the target entry is
+ operations. In doing so, they must state how the target entry is
determined.
-3. Security Considerations
+4. Security Considerations
- The filter may, like other values of the request, contain sensitive
- information. When so, this information should be appropriately
- protected.
+ The filter may, like other components of the request, contain
+ sensitive information. When so, this information should be
+ appropriately protected.
As with any general assertion mechanism, the mechanism can be used to
determine directory content. Hence, the mechanism SHOULD be subject
Zeilenga LDAP Assertion Control [Page 3]
\f
-INTERNET-DRAFT draft-zeilenga-ldap-assert-00 11 May 2003
+INTERNET-DRAFT draft-zeilenga-ldap-assert-01 25 October 2003
-4. IANA Considerations
+5. IANA Considerations
-4.1. Object Identifier
+5.1. Object Identifier
- It is requested that IANA register upon Standards Action an LDAP
- Object Identifier [RFC3383] to identify the LDAP Assertion Control
- defined in this document.
+ It is requested that IANA assign upon Standards Action an LDAP Object
+ Identifier [RFC3383] to identify the LDAP Assertion Control defined in
+ this document.
Subject: Request for LDAP Object Identifier Registration
Person & email address to contact for further information:
Comments:
Identifies the LDAP Assertion Control
-4.2 LDAP Protocol Mechanism
+5.2 LDAP Protocol Mechanism
Registration of this protocol mechanism [RFC3383] is requested.
Comments: none
-4.3 LDAP Result Code
+5.3 LDAP Result Code
Assignment of an LDAP Result Code [RFC3383] called 'assertionFailed'
is requested.
Comments: none
-5. Acknowledgments
+6. Acknowledgments
The assertion control concept is attributed to Morteza Ansari.
Zeilenga LDAP Assertion Control [Page 4]
\f
-INTERNET-DRAFT draft-zeilenga-ldap-assert-00 11 May 2003
+INTERNET-DRAFT draft-zeilenga-ldap-assert-01 25 October 2003
-6. Author's Address
+7. Author's Address
Kurt D. Zeilenga
OpenLDAP Foundation
<Kurt@OpenLDAP.org>
-7. Normative References
+8. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14 (also RFC 2119), March 1997.
September 2002.
-8. Informative References
+9. Informative References
[RFC3383] Zeilenga, K., "IANA Considerations for LDAP", BCP 64
(also RFC 3383), September 2002.
Zeilenga LDAP Assertion Control [Page 5]
\f
-INTERNET-DRAFT draft-zeilenga-ldap-assert-00 11 May 2003
+INTERNET-DRAFT draft-zeilenga-ldap-assert-01 25 October 2003
copyrights, patents or patent applications, or other proprietary
INTERNET-DRAFT Kurt D. Zeilenga
Intended Category: Standard Track OpenLDAP Foundation
-Expires in six months 17 May 2002
+Expires in six months 1 November 2002
LDAP "Who am I?" Operation
- <draft-zeilenga-ldap-authzid-06.txt>
+ <draft-zeilenga-ldap-authzid-08.txt>
Status of this Memo
revision, submitted to the RFC Editor as a Standard Track document.
Distribution of this memo is unlimited. Technical discussion of this
document will take place on the IETF LDAP Extension Working Group
- mailing list <ietf-ldapext@netscape.com>. Please send editorial
- comments directly to the author <Kurt@OpenLDAP.org>.
+ mailing list <ldapext@ietf.org>. Please send editorial comments
+ directly to the author <Kurt@OpenLDAP.org>.
Internet-Drafts are working documents of the Internet Engineering Task
Force (IETF), its areas, and its working groups. Note that other
Zeilenga LDAP "Who am I?" [Page 1]
\f
-INTERNET-DRAFT draft-zeilenga-ldap-authzid-06 17 May 2002
+INTERNET-DRAFT draft-zeilenga-ldap-authzid-08 1 November 2002
Conventions
1. Background and Intent of Use
This specification describes a Lightweight Directory Access Protocol
- (LDAP) [RFC2251] extended operation which clients can use to obtain
- the primary authorization identity in its primary form which the
- server has associated with the user or application entity.
-
- Servers often associate multiple authorization identities with the
- client and each authorization identity may be represented by multiple
- authzId [RFC2829] strings. This operation requests and returns the
- authzId the server considers to be primary. In the specification, the
- term "the authorization identity" and "the authzid" are to generally
- read as "the primary authorization identity" and the "the primary
- authzid", respectively.
+ (LDAP) [RFC3377] operation which clients can use to obtain the primary
+ authorization identity in its primary form which the server has
+ associated with the user or application entity. The operation is
+ called the "Who am I?" operation.
This specification is intended to replace the existing [AUTHCTL]
mechanism which uses Bind request and response controls to request and
return the authorization identity. Bind controls are not protected by
the security layers established by the Bind operation which they are
transferred as part of. While it is possible to establish security
- layers prior to the Bind operation, it is often desirable to only use
- security layers established by the Bind operation. An extended
- operation sent after a Bind operation is protected by the security
- layers established by the Bind operation.
+ layers using Start TLS [RFC2830] prior to the Bind operation, it is
+ often desirable to use security layers established by the Bind
+ operation. An extended operation sent after a Bind operation is
+ protected by the security layers established by the Bind operation.
There are other cases where it is desirable to request the
authorization identity which the server associated with the client
Control. The "Who am I?" operation can also be used prior to the Bind
operation.
- The LDAP "Who am I?" operation is named after the UNIX whoami(1)
- command. The whoami(1) command displays the effective user id.
+ Servers often associate multiple authorization identities with the
+ client and each authorization identity may be represented by multiple
+ authzId [RFC2829] strings. This operation requests and returns the
+ authzId the server considers to be primary. In the specification, the
+ term "the authorization identity" and "the authzId" are generally to
+ be read as "the primary authorization identity" and the "the primary
+ authzId", respectively.
2. The "Who am I?" Operation
The "Who am I?" operation is defined as an LDAP Extended Operation
+ [RFC2251, Section 4.12] identified by the whoamiOID Object Identifier
+ (OID). This section details the syntax of the operation's whoami
Zeilenga LDAP "Who am I?" [Page 2]
\f
-INTERNET-DRAFT draft-zeilenga-ldap-authzid-06 17 May 2002
+INTERNET-DRAFT draft-zeilenga-ldap-authzid-08 1 November 2002
- [RFC2251, Section 4.12] identified by the whoamiOID Object Identifier
- (OID). This section details the syntax of the operation's whoami
request and response messages.
- whoamiOID ::= "1.3.6.1.4.1.4203.1.11.3"
+ whoamiOID ::= "1.3.6.1.4.1.4203.1.11.3"
2.1. The whoami Request
example, a whoami request could be encoded as the sequence of octets
(in hex):
+ 30 1e 02 01 02 77 19 80 17 31 2e 33 2e 36 2e 31
+ 2e 34 2e 31 2e 34 32 30 33 2e 31 2e 31 31 2e 33
+
2.2. The whoami Response
The whoami response is an ExtendedResponse where the responseName
- field is absent and, if present, the response field is empty or an
+ field is absent and the response field, if present, is empty or an
authzId [RFC2829]. For example, a whoami response returning the
- authzid "u:kurt@OPENLDAP.ORG" (in response to the example request)
+ authzId "u:kurt@OPENLDAP.ORG" (in response to the example request)
would be encoded as the sequence of octets (in hex):
+ 30 21 02 01 02 78 1c 0a 01 00 04 00 04 00 8b 13
+ 75 3a 6b 75 72 74 40 4f 50 45 4e 4c 44 41 50 2e
+ 4f 52 47
3. Operational Semantics
- The function of the "Who am I?" operation is to request that the
- server returns the authorization identity it currently associates with
- the client. The client requests this authorization identity by
- issuing a whoami Request. The server responds to this request with a
- whoami Response.
+ The "Who am I?" operation provides a mechanism, a whoami Request, for
+ the client to request that the server returns the authorization
+ identity it currently associates with the client and provides a
+ mechanism, a whoami Response, for the server to respond to that
+ request.
If the server is willing and able to provide the authorization
identity it associates with the client, the server SHALL return a
whoami Response with a success resultCode. If the server is treating
- the client as an anonymous entity, the response field is empty.
- Otherwise the server is to provide the authzId [RFC2829] representing
- the authorization identity it currently associates with the client in
- the response field.
+ the client as an anonymous entity, the response field is present but
+ empty. Otherwise the server provides the authzId [RFC2829]
+ representing the authorization identity it currently associates with
+ the client in the response field.
If the server is unwilling or unable to provide the authorization
identity it associates with the client, the server SHALL return a
whoami Response with an appropriate non-success resultCode (such as
- operationsError, protocolError, confidentialityRequired,
- insufficientAccessRights, busy, unavailable, unwillingToPerform, or
- other) and an absent response field.
-
Zeilenga LDAP "Who am I?" [Page 3]
\f
-INTERNET-DRAFT draft-zeilenga-ldap-authzid-06 17 May 2002
+INTERNET-DRAFT draft-zeilenga-ldap-authzid-08 1 November 2002
+ operationsError, protocolError, confidentialityRequired,
+ insufficientAccessRights, busy, unavailable, unwillingToPerform, or
+ other) and an absent response field.
+
As described in [RFC2251] and [RFC2829], an LDAP session has an
"anonymous" association until the client has been successfully
authenticated using the Bind operation. Clients MUST NOT invoke the
4. Extending the "Who am I?" operation with controls
Future specifications may extend the "Who am I?" operation using the
- control mechanism. When extended by controls, the "Who am I?"
- operation requests and returns the authorization identity the server
- associates with the client in a particular context indicated by the
- controls.
+ control mechanism [RFC2251]. When extended by controls, the "Who am
+ I?" operation requests and returns the authorization identity the
+ server associates with the client in a particular context indicated by
+ the controls.
4.1. Proxied Authorization Control
it associates with the assumed identity.
When a Proxied Authorization Control is be attached to the "Who Am I?"
- operation, the operation requests the return of the authzid the server
+ operation, the operation requests the return of the authzId the server
associates with the identity asserted in the Proxied Authorization
Control. The TBD result code is used to indicate that the server does
not allow the client to assume the asserted identity. [[Note to RFC
Identities associated with users may be sensitive information. When
so, security layers [RFC2829][RFC2830] should be established to
- protect this information. This mechanism is specifically designed to
- allow security layers established by a Bind operation to protect the
- integrity and/or confidentiality of the authorization identity.
-
Zeilenga LDAP "Who am I?" [Page 4]
\f
-INTERNET-DRAFT draft-zeilenga-ldap-authzid-06 17 May 2002
+INTERNET-DRAFT draft-zeilenga-ldap-authzid-08 1 November 2002
+ protect this information. This mechanism is specifically designed to
+ allow security layers established by a Bind operation to protect the
+ integrity and/or confidentiality of the authorization identity.
+
Servers may place access control or other restrictions upon the use of
this operation.
- As with any other extended operations, general LDAP considerations
- apply. These are detailed in [RFC2251], [RFC2829], and [RFC2830].
+ As with any other extended operations, general LDAP security
+ considerations [RFC3377] apply.
6. IANA Considerations
- No IANA assignments are requested.
+ This OID 1.3.6.1.4.1.4203.1.11.3 to identify the LDAP "Who Am I?
+ extended operation. This OID was assigned [ASSIGN] by OpenLDAP
+ Foundation, under its IANA-assigned private enterprise allocation
+ [PRIVATE], for use in this specification.
+
+ Registration of this protocol mechansism is requested [RFC3383].
+
+ Subject: Request for LDAP Protocol Mechansism Registration
+
+ Object Identifier: 1.3.6.1.4.1.4203.1.11.3
+
+ Description: Who am I?
+
+ Person & email address to contact for further information:
+ Kurt Zeilenga <kurt@openldap.org>
+
+ Usage: Extended Operation
+
+ Specification: RFCxxxx
+
+ Author/Change Controller: IESG
- This document uses the OID 1.3.6.1.4.1.4203.1.11.3 to identify the
- LDAP "Who Am I? extended operation. This OID was assigned [ASSIGN] by
- OpenLDAP Foundation under its IANA assigned private enterprise
- allocation [PRIVATE] for use in this specification.
+ Comments: none
7. Acknowledgment
"Authentication Response Control" [AUTHCTL] by Rob Weltman, Mark Smith
and Mark Wahl.
+ The LDAP "Who am I?" operation takes it name from the UNIX whoami(1)
+ command. The whoami(1) command displays the effective user id.
+
+
+
+
+
+Zeilenga LDAP "Who am I?" [Page 5]
+\f
+INTERNET-DRAFT draft-zeilenga-ldap-authzid-08 1 November 2002
+
8. Author's Address
Access Protocol (v3): Extension for Transport Layer
Security", RFC 2830, May 2000.
+ [RFC3377] J. Hodges, R. Morgan, "Lightweight Directory Access
+ Protocol (v3): Technical Specification", RFC 3377,
+ September 2002.
+
[PROXYCTL] R. Weltman, "LDAP Proxied Authentication Control", draft-
weltman-ldapv3-proxy-xx.txt (a work in progress).
-
-Zeilenga LDAP "Who am I?" [Page 5]
-\f
-INTERNET-DRAFT draft-zeilenga-ldap-authzid-06 17 May 2002
-
-
10. Informative References
+ [RFC3383] K. Zeilenga, "IANA Considerations for LDAP", BCP 64 (also
+ RFC 3383), September 2002.
+
[ASSIGN] OpenLDAP Foundation, "OpenLDAP OID Delegations",
http://www.openldap.org/foundation/oid-delegate.txt.
Copyright 2002, The Internet Society. All Rights Reserved.
+
+
+
+Zeilenga LDAP "Who am I?" [Page 6]
+\f
+INTERNET-DRAFT draft-zeilenga-ldap-authzid-08 1 November 2002
+
+
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published and
-Zeilenga LDAP "Who am I?" [Page 6]
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Zeilenga LDAP "Who am I?" [Page 7]
\f
INTERNET-DRAFT Kurt D. Zeilenga
Intended Category: Standard Track OpenLDAP Foundation
-Expires in six months 3 May 2003
+Expires in six months 25 October 2003
- LDAP Cancel Extended Operation
- <draft-zeilenga-ldap-cancel-08.txt>
+ LDAP Cancel Operation
+ <draft-zeilenga-ldap-cancel-10.txt>
1. Status of this Memo
This document is intended to be, after appropriate review and
revision, submitted to the RFC Editor as a Standard Track document.
Distribution of this memo is unlimited. Technical discussion of this
- document will take place on the IETF LDAP Extension Working Group
- mailing list <ldapext@ietf.org>. Please send editorial comments
- directly to the author <Kurt@OpenLDAP.org>.
+ document will take place on the IETF LDAP Extensions mailing list
+ <ldapext@ietf.org>. Please send editorial comments directly to the
+ author <Kurt@OpenLDAP.org>.
Internet-Drafts are working documents of the Internet Engineering Task
Force (IETF), its areas, and its working groups. Note that other
Internet-Draft Shadow Directories can be accessed at
<http://www.ietf.org/shadow.html>.
- Copyright 2003, The Internet Society. All Rights Reserved.
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
- Please see the Copyright section near the end of this document for
- more information.
+ Please see the Full Copyright section near the end of this document
+ for more information.
Abstract
Zeilenga LDAP Cancel [Page 1]
\f
-INTERNET-DRAFT draft-zeilenga-ldap-cancel-08 3 May 2003
+INTERNET-DRAFT draft-zeilenga-ldap-cancel-10 25 Octeboer 2003
-Conventions
+Terminology
+
+ Protocol elements are described using ASN.1 [X.680] with implicit
+ tags. The term "BER-encoded" means the element is to be encoded using
+ the Basic Encoding Rules [X.690] under the restrictions detailed in
+ Section 5.1 of [RFC2251].
+
+ DSA stands for Directory System Agent (or server).
+ DSE stands for DSA-specific Entry.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in BCP 14 [RFC2119].
- Protocol elements are described using ASN.1 [X.680]. The term
- "BER-encoded" means the element is to be encoded using the Basic
- Encoding Rules [X.690] under the restrictions detailed in Section 5.1
- of [RFC2251].
-
1. Background and Intent of Use
X.511 Directory Access Protocol (DAP) [X.511] provides an Abandon
operation which does have a response and also requires the abandoned
- operation to return a response indicating it was canceled. The Cancel
- operation is modeled after the DAP Abandon operation.
+ operation to return a response indicating it was canceled. The LDAP
+ Cancel operation is modeled after the DAP Abandon operation.
- The Cancel operation SHOULD be used instead of the LDAP Abandon
+ The LDAP Cancel operation SHOULD be used instead of the LDAP Abandon
operation when the client needs an indication of the outcome. This
operation may be used to cancel both interrogation and update
operations.
2.1. Cancel Request
- The Cancel request is an ExtendedRequest with the requestName field
- containing the IANA-0IGNED-OID and a requestValue field which contains
-
Zeilenga LDAP Cancel [Page 2]
\f
-INTERNET-DRAFT draft-zeilenga-ldap-cancel-08 3 May 2003
+INTERNET-DRAFT draft-zeilenga-ldap-cancel-10 25 Octeboer 2003
- a BER-encoded cancelRequestValue value. The cancelID field contains
- the message id associated with the operation to be canceled.
+ The Cancel request is an ExtendedRequest with the requestName field
+ containing the IANA-ASSIGNED-OID and a requestValue field which
+ contains a BER-encoded cancelRequestValue value. The cancelID field
+ contains the message id associated with the operation to be canceled.
2.2. Cancel Response
cancel an outstanding operation issued within the same session.
The client requests the cancelation of an outstanding operation by
- issuing a Cancel Response with a cancelID with the message id
- identifying the outstanding operation. The Cancel Request itself has
- a distinct message id. Clients SHOULD NOT request cancelation of an
- operation multiple times.
+ issuing a Cancel Response with a cancelID set to the message id of the
+ outstanding operation. The Cancel Request itself has a distinct
+ message id. Clients SHOULD NOT request cancelation of an operation
+ multiple times.
If the server is willing and able to cancel the outstanding operation
identified by the cancelId, the server SHALL return a Cancel Response
knowledge of the operation requested to be canceled.
The cannotCancel resultCode is returned if the identified operation
- does not support cancelation or the cancel operation could not be
- performed. The following classes of operations are not cancelable:
Zeilenga LDAP Cancel [Page 3]
\f
-INTERNET-DRAFT draft-zeilenga-ldap-cancel-08 3 May 2003
+INTERNET-DRAFT draft-zeilenga-ldap-cancel-10 25 Octeboer 2003
+ does not support cancelation or the cancel operation could not be
+ performed. The following classes of operations are not cancelable:
+
- operations which have no response,
- - operations which associate or disassociate authentication and/or
+ - operations which create, alter, or destroy authentication and/or
authorization associations,
- - operations which establish or tear-down security services, and
+ - operations which establish, alter, or tear-down security services,
+ and
- operations which abandon or cancel other operations.
The tooLate resultCode is returned to indicate that it is too late to
cancel the outstanding operation. For example, the server may return
tooLate for a request to cancel an outstanding modify operation which
- as already commited updates to the underlying datastore.
+ as already committed updates to the underlying data store.
Servers SHOULD indicate their support for this extended operation by
- providing IANA-ASSIGNED-OID as a value of the supportedExtension
+ providing IANA-ASSIGNED-OID as a value of the 'supportedExtension'
attribute type in their root DSE. A server MAY choose to advertise
- this extension only when the client is authorized to use this
- operation.
+ this extension only when the client is authorized to use it.
4. Security Considerations
- This operation is intended to allow a user to cancel operations they
- previously issued. No user should be allowed to cancel an operation
- issued by another user.
+ This operation is intended to allow user to cancel operations they
+ previously issued during the current LDAP association. In certain
+ cases, such as when the Proxy Authorization Control is in use,
+ different outstanding operations may be processed under different LDAP
+ associations. Servers MUST NOT allow a user to cancel an operation
+ belonging to another user.
Some operations should not be cancelable for security reasons. This
specification disallows cancelation of Bind operation and Start TLS
Registration of the following values [RFC3383] is requested.
-5.1. Object Identifier
-
- It is requested that IANA register upon Standards Action an LDAP
- Object Identifier to identify the LDAP Cancel Extended Operation as
- defined in this document.
-
Zeilenga LDAP Cancel [Page 4]
\f
-INTERNET-DRAFT draft-zeilenga-ldap-cancel-08 3 May 2003
+INTERNET-DRAFT draft-zeilenga-ldap-cancel-10 25 Octeboer 2003
+
+5.1. Object Identifier
- The following registration template is suggested:
+ It is requested that IANA register upon Standards Action an LDAP
+ Object Identifier to identify the LDAP Cancel Operation as defined in
+ this document.
Subject: Request for LDAP Object Identifier Registration
Person & email address to contact for further information:
Kurt Zeilenga <kurt@OpenLDAP.org>
- Specification: RFCXXXX
+ Specification: RFC XXXX
Author/Change Controller: IESG
Comments:
- Identifies the LDAP Cancel Extended Operation
+ Identifies the LDAP Cancel Operation
5.2. LDAP Protocol Mechanism
It is requested that IANA register upon Standards Action the LDAP
Protocol Mechanism described in this document.
- Subject: Request for LDAP Protocol Mechansism Registration
+ Subject: Request for LDAP Protocol Mechanism Registration
Object Identifier: IANA-ASSIGNED-OID
- Description: LDAP Cancel Extended Operation
+ Description: LDAP Cancel Operation
Person & email address to contact for further information:
Kurt Zeilenga <kurt@openldap.org>
Usage: Extended Operation
- Specification: RFCXXXX
+ Specification: RFC XXXX
Author/Change Controller: IESG
Comments: none
in 2
Result Code Name: noSuchOperation
Result Code Name: tooLate
Result Code Name: cannotCancel
- Specification: RFCXXXX
+ Specification: RFC XXXX
Author/Change Controller: IESG
Comments: request four consecutive result codes be assigned
-6. Acknowledgment
-
- The LDAP Cancel operation is modeled after the X.511 DAP Abandon
-
Zeilenga LDAP Cancel [Page 5]
\f
-INTERNET-DRAFT draft-zeilenga-ldap-cancel-08 3 May 2003
+INTERNET-DRAFT draft-zeilenga-ldap-cancel-10 25 Octeboer 2003
+
+6. Acknowledgment
+ The LDAP Cancel operation is modeled after the X.511 DAP Abandon
operation.
7. Normative References
- [RFC2119] S. Bradner, "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14 (also RFC 2119), March 1997.
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14 (also RFC 2119), March 1997.
- [RFC2251] M. Wahl, T. Howes, S. Kille, "Lightweight Directory Access
- Protocol (v3)", RFC 2251, December 1997.
+ [RFC2251] Wahl, M., T. Howes and S. Kille, "Lightweight Directory
+ Access Protocol (v3)", RFC 2251, December 1997.
- [RFC2830] J. Hodges, R. Morgan, and M. Wahl, "Lightweight Directory
- Access Protocol (v3): Extension for Transport Layer
- Security", RFC 2830, May 2000.
+ [RFC2830] Hodges, J., R. Morgan, and M. Wahl, "Lightweight
+ Directory Access Protocol (v3): Extension for Transport
+ Layer Security", RFC 2830, May 2000.
- [RFC3377] J. Hodges, R. Morgan, "Lightweight Directory Access Protocol
- (v3): Technical Specification", RFC 3377, September 2002.
+ [RFC3377] Hodges, J. and R. Morgan, "Lightweight Directory Access
+ Protocol (v3): Technical Specification", RFC 3377,
+ September 2002.
- [X.680] ITU-T, "Abstract Syntax Notation One (ASN.1) - Specification
- of Basic Notation", X.680, 1994.
+ [X.680] International Telecommunication Union -
+ Telecommunication Standardization Sector, "Abstract
+ Syntax Notation One (ASN.1) - Specification of Basic
+ Notation", X.680(1997) (also ISO/IEC 8824-1:1998).
- [X.690] ITU-T, "Specification of ASN.1 encoding rules: Basic,
- Canonical, and Distinguished Encoding Rules", X.690, 1994.
+ [X.690] International Telecommunication Union -
+ Telecommunication Standardization Sector, "Specification
+ of ASN.1 encoding rules: Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER), and Distinguished
+ Encoding Rules (DER)", X.690(1997) (also ISO/IEC
+ 8825-1:1998).
8. Informative References
- [RFC3383] K. Zeilenga, "IANA Considerations for LDAP", RFC 3383,
- September 2002.
+ [RFC3383] Zeilenga, K., "IANA Considerations for LDAP", BCP 64
+ (also RFC 3383), September 2002.
- [X.511] ITU-T, "The Directory: Abstract Service Definition", X.511,
- 1993.
+ [X.511] International Telecommunication Union -
+ Telecommunication Standardization Sector, "The
+ Directory: Abstract Service Definition", X.511(1993).
9. Author's Address
Kurt D. Zeilenga
- OpenLDAP Foundation
- <Kurt@OpenLDAP.org>
-
-
-Copyright 2003, The Internet Society. All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published and
- distributed, in whole or in part, without restriction of any kind,
- provided that the above copyright notice and this paragraph are
Zeilenga LDAP Cancel [Page 6]
\f
-INTERNET-DRAFT draft-zeilenga-ldap-cancel-08 3 May 2003
-
-
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be followed,
- or as required to translate it into languages other than English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE AUTHORS, THE INTERNET SOCIETY, AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+INTERNET-DRAFT draft-zeilenga-ldap-cancel-10 25 Octeboer 2003
+ OpenLDAP Foundation
+ <Kurt@OpenLDAP.org>
+Intellectual Property Rights
+ The IETF takes no position regarding the validity or scope of any
+ intellectual property or other rights that might be claimed to pertain
+ to the implementation or use of the technology described in this
+ document or the extent to which any license under such rights might or
+ might not be available; neither does it represent that it has made any
+ effort to identify any such rights. Information on the IETF's
+ procedures with respect to rights in standards-track and
+ standards-related documentation can be found in BCP-11. Copies of
+ claims of rights made available for publication and any assurances of
+ licenses to be made available, or the result of an attempt made to
+ obtain a general license or permission for the use of such proprietary
+ rights by implementors or users of this specification can be obtained
+ from the IETF Secretariat.
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights which may cover technology that may be required to practice
+ this standard. Please address the information to the IETF Executive
+ Director.
+Full Copyright
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implmentation may be prepared, copied, published and
+ distributed, in whole or in part, without restriction of any kind,
+ provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be followed,
+ or as required to translate it into languages other than English.
INTERNET-DRAFT Editor: Kurt D. Zeilenga
Intended Category: Standard Track OpenLDAP Foundation
-Expires in six months 1 March 2002
+Expires in six months 9 December 2002
Obsoletes: RFC 2596
Language Tags and Ranges in LDAP
- draft-zeilenga-ldap-rfc2596-01.txt
+ draft-zeilenga-ldap-rfc2596-04.txt
Status of Memo
revision, submitted to the RFC Editor as a Standard Track document.
Distribution of this memo is unlimited. Technical discussion of this
document will take place on the IETF LDAP Extensions Working Group
- (LDAPext) mailing list <ietf-ldapext@netscape.com>. Please send
- editorial comments directly to the document editor
- <Kurt@OpenLDAP.org>.
+ (LDAPext) mailing list <ldapext@ietf.org>. Please send editorial
+ comments directly to the document editor <Kurt@OpenLDAP.org>.
Internet-Drafts are working documents of the Internet Engineering Task
Force (IETF), its areas, and its working groups. Note that other
+
Zeilenga Language Tags and Ranges in LDAP [Page 1]
\f
-INTERNET-DRAFT draft-zeilenga-ldap-rfc2596-01.txt 1 March 2002
+INTERNET-DRAFT draft-zeilenga-ldap-rfc2596-04.txt 9 December 2002
Conventions
1. Background and Intended Use
- The Lightweight Directory Access Protocol (LDAP) [Roadmap] provides a
+ The Lightweight Directory Access Protocol (LDAP) [RFC3377] provides a
means for clients to interrogate and modify information stored in a
distributed directory system. The information in the directory is
maintained as attributes of entries. Most of these attributes have
This document describes how language tags and ranges [RFC3066] are
carried in LDAP and are to be interpreted by LDAP implementations.
- All implementations MUST be prepared to accept language tags and
- ranges in the LDAP protocol.
+ All LDAP implementations MUST be prepared to accept language tags and
+ ranges.
This document replaces RFC 2596. Appendix A summaries changes made
since RFC 2596.
Appendix B discusses differences from X.500(1997) "contexts"
mechanism.
- Appendix A and B are provided for information purposes and are not a
- normative part of this specification.
+ Appendix A and B are provided for informational purposes only.
The remainder of this section provides a summary of Language Tags,
Language Ranges, and Attribute Descriptions.
1.1. Language Tags
Section 2 of BCP 47 [RFC3066] describes the language tag format which
- is used in LDAP. Briefly, it is a string of ASCII alphabetic
- characters and hyphens. Examples include "fr", "en-US" and "ja-JP".
- Language tags are case insensitive. For example, the language tag
- "en-us" is the same as "EN-US".
+ is used in LDAP. Briefly, it is a string of ASCII letters and
+ hyphens. Examples include "fr", "en-US" and "ja-JP". Language tags
+ are case insensitive. That is, the language tag "en-us" is the same
+ as "EN-US".
Section 2 of this document details use of language tags in LDAP.
1.2. Language Ranges
+ Section 2.5 of BCP 47 [RFC3066] describes the language ranges.
Zeilenga Language Tags and Ranges in LDAP [Page 2]
\f
-INTERNET-DRAFT draft-zeilenga-ldap-rfc2596-01.txt 1 March 2002
+INTERNET-DRAFT draft-zeilenga-ldap-rfc2596-04.txt 9 December 2002
- Section 2.5 of BCP 47 [RFC3066] describes the language ranges.
Language ranges are used to specify sets of language tags.
- A language range matches a language tag if it exactly equals the tag,
- or if it exactly equals a prefix of the tag such that the first
- character following the prefix is "-". The special tag "*" matches
- all tags.
+ A language range matches a language tag if it is exactly equal to the
+ tag, or if it is exactly equal to a prefix of the tag such that the
+ first character following the prefix is "-". That is, the language
+ range "de" matches the language tags "de" and "de-CH" but not "den".
+ The special language range "*" matches all language tags.
- Due to restrictions upon option naming in LDAP, this document uses a
- different language range syntax. However, the semantics of language
- ranges in LDAP is consistent with BCP 47.
+ Due to attribute description option naming restrictions in LDAP, this
+ document defines a different language range syntax. However, the
+ semantics of language ranges in LDAP is consistent with BCP 47.
Section 3 of this document details use of language ranges in LDAP.
1.3. Attribute Descriptions
- This section provides an overview of attributes in LDAP. LDAP
- attributes are defined in [Models].
+ This section provides an overview of attribute descriptions in LDAP.
+ LDAP attributes and attribute descriptions are defined in [RFC2251].
An attribute consists of a type, a set of zero or more associated
tagging options, and a set of one or more values. The type and the
options are combined into the AttributeDescription.
AttributeDescriptions can also contain options which are not part of
- the attribute, but indicate some other function such as the transfer
- encoding.
+ the attribute, but indicate some other function (such as range
+ assertion or transfer encoding).
- An attribute with one or more tagging options is a direct subtype of
- each attribute of the same with all but one of the tagging options.
- If the attribute's type is a direct subtype of some other type, then
- the attribute is also a direct subtype of the attribute whose
- description consists of the the supertype and all of the tagging
- options. That is, CN;x-bar;x-foo is a direct subtype of CN;x-bar,
- CN;x-foo, and name;x-bar;x-foo. Note that CN is a subtype of name.
-
- If the attribute description contains an unrecognized option, the
- attribute description is treated as an unrecognized attribute type.
-
- As language tags are intended to stored with the attribute, they are
- to treated as tagging options as described in Section 2. Language
- range are used only to match against language ranges and are not
- stored with the attribute. They are not treated tagging options (nor
- as transfer options), but as described in Section 3.
+ An AttributeDescription with one or more tagging options is a direct
+ subtype of each AttributeDescription of the same type with all but one
+ of the tagging options. If the AttributeDescription's type is a
+ direct subtype of some other type, then the AttributeDescription is
+ also a direct subtype of the AttributeDescription which consists of
+ the supertype and all of the tagging options. That is,
+ "CN;x-bar;x-foo" is a direct subtype of "CN;x-bar", "CN;x-foo", and
+ "name;x-bar;x-foo". Note that "CN" is a subtype of "name".
2. Use of Language Tags in LDAP
This section describes how LDAP implementations MUST interpret
-
-
-
-Zeilenga Language Tags and Ranges in LDAP [Page 3]
-\f
-INTERNET-DRAFT draft-zeilenga-ldap-rfc2596-01.txt 1 March 2002
-
-
language tags in performing operations.
Servers which support storing attributes with language tag options in
the Directory Information Tree (DIT) SHOULD allow any attribute type
it recognizes that has the Directory String, IA5 String, or other
- textual string syntax to have language tag options associated with it.
- Servers MAY allow language options to be associated with other
+ textual string syntaxes to have language tag options associated with
+ it. Servers MAY allow language options to be associated with other
attributes types.
+
+
+Zeilenga Language Tags and Ranges in LDAP [Page 3]
+\f
+INTERNET-DRAFT draft-zeilenga-ldap-rfc2596-04.txt 9 December 2002
+
+
Clients SHOULD NOT assume servers are capable of storing attributes
with language tags in the directory.
2.1. Language Tag Options
A language tag option associates a natural language with values of an
- attribute. An attribute description MAY contain multiple language tag
- options. An entry MAY contain multiple attributes with same attribute
+ attribute. An attribute description may contain multiple language tag
+ options. An entry may contain multiple attributes with same attribute
type but different combinations of language tag (and other) options.
A language tag option conforms to the following ABNF [RFC2234]:
DIGIT = %x30-39 ; 0-9
- A language tag option is a tagging option [Models]. A language tag
- option has no effect on the syntax of the attribute's values nor their
- transfer encoding.
-
-
-
-
-Zeilenga Language Tags and Ranges in LDAP [Page 4]
-\f
-INTERNET-DRAFT draft-zeilenga-ldap-rfc2596-01.txt 1 March 2002
-
+ A language tag option is a tagging option. A language tag option has
+ no effect on the syntax of the attribute's values nor their transfer
+ encoding.
Examples of valid AttributeDescription:
description;x-foobar
CN
+
+
+
+Zeilenga Language Tags and Ranges in LDAP [Page 4]
+\f
+INTERNET-DRAFT draft-zeilenga-ldap-rfc2596-04.txt 9 December 2002
+
+
Notes: The last two have no language tag options. The x-foobar option
is fictious and used for example purposes.
type or its subtypes and contains each of the presented (and possibly
other) options is to be matched.
- Thus for example a filter of an equality match of type
+ Thus, for example, a filter of an equality match of type
"name;lang-en-US" and assertion value "Billy Ray", against the
- following directory entry
+ following directory entry:
dn: SN=Ray,DC=example,DC=com
- objectclass: top DOES NOT MATCH (wrong type)
objectclass: person DOES NOT MATCH (wrong type)
+ objectclass: extensibleObject DOES NOT MATCH (wrong type)
name;lang-en-US: Billy Ray MATCHES
name;lang-en-US: Billy Bob DOES NOT MATCH (wrong value)
CN;lang-en-US: Billy Ray MATCHES
SN: Ray DOES NOT MATCH (no lang-,
wrong value)
- (Note that "CN" and "SN" are subtypes of "name".)
+ Note that "CN" and "SN" are subtypes of "name".
It is noted that providing a language tag option in a search filter
AttributeDescription will filter out desirable values where the tag
If the server does not support storing attributes with language tag
options in the DIT, then any assertion which includes a language tag
-
-
-
-Zeilenga Language Tags and Ranges in LDAP [Page 5]
-\f
-INTERNET-DRAFT draft-zeilenga-ldap-rfc2596-01.txt 1 March 2002
-
-
option will not match as such it is an unrecognized attribute type.
No error would be returned because of this; a presence assertion would
evaluate to FALSE and all other assertions to Undefined.
attribute type and the assertion value need match the value in the
directory.
- Thus for example a filter of an equality match of type "name" and
- assertion value "Billy Ray", against the following directory entry
+ Thus, for example, a filter of an equality match of type "name" and
+
+
+
+Zeilenga Language Tags and Ranges in LDAP [Page 5]
+\f
+INTERNET-DRAFT draft-zeilenga-ldap-rfc2596-04.txt 9 December 2002
- dn: SN=Ray,DC=example,DC=net
- objectclass: top DOES NOT MATCH (wrong type)
+
+ assertion value "Billy Ray", against the following directory entry:
+
+ dn: SN=Ray,DC=example,DC=com
objectclass: person DOES NOT MATCH (wrong type)
+ objectclass: extensibleObject DOES NOT MATCH (wrong type)
name;lang-en-US: Billy Ray MATCHES
name;lang-en-US: Billy Bob DOES NOT MATCH (wrong value)
CN;lang-en-US;x-foobar: Billy Ray MATCHES
2.3. Requested Attributes in Search
- Clients can provide language tag options in AttributeDescription in
- the requested attribute list in a search request.
+ Clients can provide language tag options in each AttributeDescription
+ in the requested attribute list in a search request.
If language tag options are provided in an attribute description, then
only attributes in a directory entry whose attribute descriptions have
- the same attribute type or its subtype and the provided language tags
- options are to be returned. Thus if a client requests just the
- attribute "name;lang-en", the server would return "name;lang-en" and
+ the same attribute type or its subtype and contains each of the
+ presented (and possibly other) language tag options are to be
+ returned. Thus if a client requests just the attribute
+ "name;lang-en", the server would return "name;lang-en" and
"CN;lang-en;lang-ja" but not "SN" nor "name;lang-fr".
Clients can provide in the attribute list multiple
- AttributeDescription which have the same base attribute type but
- different options. For example a client could provide both
+ AttributeDescriptions which have the same base attribute type but
+ different options. For example, a client could provide both
"name;lang-en" and "name;lang-fr", and this would permit an attribute
with either language tag option to be returned. Note there would be
no need to provide both "name" and "name;lang-en" since all subtypes
include language tag options are to be ignored, just as if they were
unknown attribute types.
-
-
-Zeilenga Language Tags and Ranges in LDAP [Page 6]
-\f
-INTERNET-DRAFT draft-zeilenga-ldap-rfc2596-01.txt 1 March 2002
-
-
If a request is made specifying all attributes or an attribute is
requested without providing a language tag option, then all attribute
values regardless of their language tag option are returned.
For example, if the client requests a "description" attribute, and a
matching entry contains the following attributes:
+
+
+
+Zeilenga Language Tags and Ranges in LDAP [Page 6]
+\f
+INTERNET-DRAFT draft-zeilenga-ldap-rfc2596-04.txt 9 December 2002
+
+
objectclass: top
objectclass: organization
O: Software GmbH
- description: software
+ description: software products
description;lang-en: software products
description;lang-de: Softwareprodukte
- postalAddress: Berlin 8001 Germany
- postalAddress;lang-de: Berlin 8001 Deutschland
The server would return:
- description: software
+ description: software products
description;lang-en: software products
description;lang-de: Softwareprodukte
a compare request AttributeValueAssertion. This is to be treated by
servers the same as the use of language tag options in a search filter
with an equality match, as described in Section 2.2. If there is no
- attribute in the entry with the same subtype and language tag options,
- the noSuchAttributeType error will be returned.
+ attribute in the entry with the same attribute type or its subtype and
+ and contains each of the presented (or possibly other) language tag
+ options, the noSuchAttributeType error will be returned.
- Thus for example a compare request of type "name" and assertion value
- "Johann", against an entry containing the following attributes:
+ Thus, for example, a compare request of type "name" and assertion
+ value "Johann", against an entry containing the following attributes:
objectclass: top
objectclass: person
would fail with the noSuchAttributeType error.
If the server does not support storing attributes with language tag
-
-
-
-Zeilenga Language Tags and Ranges in LDAP [Page 7]
-\f
-INTERNET-DRAFT draft-zeilenga-ldap-rfc2596-01.txt 1 March 2002
-
-
options in the DIT, then any comparison which includes a language tag
option will always fail to locate an attribute, and
noSuchAttributeType will be returned.
2.5. Add Operation
Clients can provide language options in AttributeDescription in
+
+
+
+Zeilenga Language Tags and Ranges in LDAP [Page 7]
+\f
+INTERNET-DRAFT draft-zeilenga-ldap-rfc2596-04.txt 9 December 2002
+
+
attributes of a new entry to be created.
A client can provide multiple attributes with the same attribute type
and value, so long as each attribute has a different set of language
tag options.
- For example, the following is a legal request.
+ For example, the following is a valid request:
dn: CN=John Smith,DC=example,DC=com
- objectclass: top
- objectclass: person
objectclass: residentialPerson
- name: John Smith
CN: John Smith
CN;lang-en: John Smith
SN: Smith
- SN;lang-en;lang-en-US: Smith
+ SN;lang-en: Smith
streetAddress: 1 University Street
- streetAddress;lang-en: 1 University Street
+ streetAddress;lang-en-US: 1 University Street
streetAddress;lang-fr: 1 rue Universite
houseIdentifier;lang-fr: 9e etage
"delete", then if the stored values to be deleted have language tag
options, then those language tag options MUST be provided in the
modify operation, and if the stored values to be deleted do not have
-
-
-
-Zeilenga Language Tags and Ranges in LDAP [Page 8]
-\f
-INTERNET-DRAFT draft-zeilenga-ldap-rfc2596-01.txt 1 March 2002
-
-
any language tag option, then no language tag option is to be
provided.
3. Use of Language Ranges in LDAP
+
+
+
+Zeilenga Language Tags and Ranges in LDAP [Page 8]
+\f
+INTERNET-DRAFT draft-zeilenga-ldap-rfc2596-04.txt 9 December 2002
+
+
Since the publication of RFC 2596, it has become apparent that there
is a need to provide a mechanism for a client to request attributes
based upon set of language tag options whose tags all begin with the
language-range-option = "lang-" [ Language-Tag "-" ]
where the Language-Tag production is as defined in BCP 47 [RFC3066].
- This production and those it imports from [RFC2234] are provided here
- for convenience:
-
- Language-Tag = Primary-subtag *( "-" Subtag )
-
- Primary-subtag = 1*8ALPHA
-
- Subtag = 1*8(ALPHA / DIGIT)
-
- ALPHA = %x41-5A / %x61-7A ; A-Z / a-z
-
- DIGIT = %x30-39 ; 0-9
+ This production and those it imports from [RFC2234] are provided in
+ Section 2.1 for convenience.
- A language range option matches a language tag option if language
+ A language range option matches a language tag option if the language
range option less the trailing "-" matches exactly the language tag or
if the language range option (including the trailing "-") matches a
prefix of the language tag option. Note that the language range
Examples of valid AttributeDescription containing language range
options:
-
-
-Zeilenga Language Tags and Ranges in LDAP [Page 9]
-\f
-INTERNET-DRAFT draft-zeilenga-ldap-rfc2596-01.txt 1 March 2002
-
-
givenName;lang-en-
CN;lang-
+ SN;lang-de-;lang-gem-
O;lang-x-;x-foobar
A language range option is not a tagging option. Attributes cannot be
the syntax of the attribute values.
Servers SHOULD support assertion of language ranges for any attribute
- which they allow to stored with language tags.
+ type which they allow to be stored with language tags.
3.1. Search Filter
If a language range option is present in an AttributeDescription in an
+
+
+
+Zeilenga Language Tags and Ranges in LDAP [Page 9]
+\f
+INTERNET-DRAFT draft-zeilenga-ldap-rfc2596-04.txt 9 December 2002
+
+
assertion, then for each entry within scope, the values of each
attribute whose AttributeDescription consists of the same attribute
type or its subtypes and contains a language tag option matching the
language range option are to be returned.
- Thus for example a filter of an equality match of type "name;lang-en-"
- and assertion value "Billy Ray", against the following directory entry
+ Thus, for example, a filter of an equality match of type
+ "name;lang-en-" and assertion value "Billy Ray", against the following
+ directory entry:
dn: SN=Ray,DC=example,DC=com
- objectclass: top DOES NOT MATCH (wrong type)
objectclass: person DOES NOT MATCH (wrong type)
+ objectclass: extensibleObject DOES NOT MATCH (wrong type)
name;lang-en-US: Billy Ray MATCHES
name;lang-en-US: Billy Bob DOES NOT MATCH (wrong value)
CN;lang-en-US: Billy Ray MATCHES
SN: Ray DOES NOT MATCH (no lang-,
wrong value)
- (Note that "CN" and "SN" are subtypes of "name".)
+ Note that "CN" and "SN" are subtypes of "name".
If the server does not support storing attributes with language tag
options in the DIT, then any assertion which includes a language range
evaluate to FALSE and all other assertions to Undefined.
-
-Zeilenga Language Tags and Ranges in LDAP [Page 10]
-\f
-INTERNET-DRAFT draft-zeilenga-ldap-rfc2596-01.txt 1 March 2002
-
-
3.2. Requested Attributes in Search
- Clients can provide language range options in AttributeDescription in
- the requested attribute list in a search request.
+ Clients can provide language range options in each
+ AttributeDescription in the requested attribute list in a search
+ request.
If a language range option is provided in an attribute description,
then only attributes in a directory entry whose attribute descriptions
nor "name;lang-fr".
Clients can provide in the attribute list multiple
- AttributeDescription which have the same base attribute type but
+ AttributeDescriptions which have the same base attribute type but
+
+
+
+Zeilenga Language Tags and Ranges in LDAP [Page 10]
+\f
+INTERNET-DRAFT draft-zeilenga-ldap-rfc2596-04.txt 9 December 2002
+
+
different options. For example a client could provide both
"name;lang-en-" and "name;lang-fr-", and this would permit an
attribute whose type was name or subtype of name and with a language
is no attribute in the entry with the same subtype and a matching
language tag option, the noSuchAttributeType error will be returned.
- Thus for example a compare request of type "name;lang-" and assertion
- value "Johann", against the entry with the following attributes:
+ Thus, for example, a compare request of type "name;lang-" and
+ assertion value "Johann", against the entry with the following
+ attributes:
objectclass: top
objectclass: person
range option "lang-" matches any language tag option.)
However, if the client issued a compare request of type "name;lang-de"
-
-
-
-Zeilenga Language Tags and Ranges in LDAP [Page 11]
-\f
-INTERNET-DRAFT draft-zeilenga-ldap-rfc2596-01.txt 1 March 2002
-
-
and assertion value "Sibelius" against the above entry, the request
would fail with the noSuchAttributeType error.
4. Discovering Language Option Support
A server SHOULD indicate that it supports storing attributes with
- language tag options in the DIT by publishing OID.TDB as a value of
- the supportedFeatures [FEATURES] attribute in the root DSE.
+ language tag options in the DIT by publishing 1.3.6.1.4.1.4203.1.5.4
+ as a value of the "supportedFeatures" [FEATURES] attribute in the root
+
+
+
+Zeilenga Language Tags and Ranges in LDAP [Page 11]
+\f
+INTERNET-DRAFT draft-zeilenga-ldap-rfc2596-04.txt 9 December 2002
+
+
+ DSE.
A server SHOULD indicate that it supports language range matching of
attributes with language tag options stored in the DIT by publishing
- OID.TDB as a value of the supportedFeatures [FEATURES] attribute in
- the root DSE.
+ 1.3.6.1.4.1.4203.1.5.5 as a value of the "supportedFeatures"
+ [FEATURES] attribute in the root DSE.
A server MAY restrict use of language tag options to a subset of the
attribute types it recognizes. This document does not define a
fulfill the user's language needed. These options are not known to
raise specific security considerations. However, the reader should
consider general directory security issues detailed in the LDAP
- technical specification [Roadmap].
+ technical specification [RFC3377].
-6. Acknowledgments
+6. IANA Considerations
- This document is a revision of RFC 2596 by Mark Wahl and Tim Howes.
- RFC 2596 was a product of the IETF ASID and LDAPEXT working groups.
+ The OIDs 1.3.6.1.4.1.4203.1.5.4 and 1.3.6.1.4.1.4203.1.5.5 identify
+ the features described above. These OIDs were assigned [ASSIGN] by
+ OpenLDAP Foundation, under its IANA-assigned private enterprise
+ allocation [PRIVATE], for use in this specification.
- This document borrows from a number of IETF documents including BCP
- 47.
+ Registration of these protocol mechanisms [RFC3383] is requested.
+ Subject: Request for LDAP Protocol Mechanism Registration
-7. Normative References
+ Object Identifier: 1.3.6.1.4.1.4203.1.5.4
+ Description: Language Tag Options
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Object Identifier: 1.3.6.1.4.1.4203.1.5.5
+ Description: Language Range Options
+
+ Person & email address to contact for further information:
+ Kurt Zeilenga <kurt@openldap.org>
+
+ Usage: Feature
+
+ Specification: RFCxxxx
+
+ Author/Change Controller: IESG
Zeilenga Language Tags and Ranges in LDAP [Page 12]
\f
-INTERNET-DRAFT draft-zeilenga-ldap-rfc2596-01.txt 1 March 2002
+INTERNET-DRAFT draft-zeilenga-ldap-rfc2596-04.txt 9 December 2002
+
+
+ Comments: none
+7. Acknowledgments
+
+ This document is a revision of RFC 2596 by Mark Wahl and Tim Howes.
+ RFC 2596 was a product of the IETF ASID and LDAPEXT working groups.
+ This document also borrows from a number of IETF documents including
+ BCP 47 by H. Alvestrand.
+
+
+8. Normative References
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14 (also RFC 2119), March 1997.
- [RFC2234] D. Crocker, P. Overell, "Augmented BNF for Syntax
+ [RFC2234] D. Crocker, P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", RFC 2234, November 1997.
+ [RFC2251] M. Wahl, T. Howes, S. Kille, "Lightweight Directory Access
+ Protocol (v3)", RFC 2251, December 1997.
+
[RFC3066] Alvestrand, H., "Tags for the Identification of Languages",
BCP 47 (also RFC 3066), January 2001.
- [Roadmap] K. Zeilenga (editor), "LDAP: Technical Specification Road
- Map", draft-ietf-ldapbis-roadmap-xx.txt, a work in
- progress.
-
- [Models] K. Zeilenga (editor), "LDAP: Directory Information Models",
- draft-ietf-ldapbis-models-xx.txt, a work in progress.
+ [RFC3377] J. Hodges, R. Morgan, "Lightweight Directory Access
+ Protocol (v3): Technical Specification", RFC 3377,
+ September 2002.
[FEATURES] K. Zeilenga, "Feature Discovery in LDAP",
draft-zeilenga-ldap-features-xx.txt (a work in progress).
-8. Informative References
+9. Informative References
+
+ [X.501] ITU, "The Directory: Models", ITU-T Recommendation X.501,
+ 1997.
+
+ [RFC3383] K. Zeilenga, "IANA Considerations for LDAP", BCP 64 (also
+ RFC 3383), September 2002.
+
+ [ASSIGN] OpenLDAP Foundation, "OpenLDAP OID Delegations",
+ http://www.openldap.org/foundation/oid-delegate.txt.
+
+ [PRIVATE] IANA, "Private Enterprise Numbers",
+ http://www.iana.org/assignments/enterprise-numbers.
+
+
+
- [X.501] "The Directory: Models", ITU-T Recommendation X.501, 1997.
+
+Zeilenga Language Tags and Ranges in LDAP [Page 13]
+\f
+INTERNET-DRAFT draft-zeilenga-ldap-rfc2596-04.txt 9 December 2002
Appendix A. Differences from RFC 2596
matches a value in the directory without a language code.
b) LDAP references BCP 47 [RFC3066], which allows for IANA
registration of new tags as well as unregistered tags.
- c) LDAP supports language ranges.
+ c) LDAP supports language ranges (new in this revision).
d) LDAP does not allow language tags (and ranges) in distinguished
names.
e) X.500 describes subschema administration procedures to allow
language codes to be associated with particular attributes types.
-
-Zeilenga Language Tags and Ranges in LDAP [Page 13]
-\f
-INTERNET-DRAFT draft-zeilenga-ldap-rfc2596-01.txt 1 March 2002
-
-
Copyright 2002, The Internet Society. All Rights Reserved.
This document and translations of it may be copied and furnished to
"AS IS" basis and THE AUTHORS, THE INTERNET SOCIETY, AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+
+
+
+Zeilenga Language Tags and Ranges in LDAP [Page 14]
+\f
+INTERNET-DRAFT draft-zeilenga-ldap-rfc2596-04.txt 9 December 2002
+
+
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-Zeilenga Language Tags and Ranges in LDAP [Page 14]
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Zeilenga Language Tags and Ranges in LDAP [Page 15]
\f
INTERNET-DRAFT Kurt D. Zeilenga
Intended Category: Standard Track OpenLDAP Foundation
-Expires in six months 3 May 2003
+Expires in six months 25 October 2003
LDAP Absolute True and False Filters
- <draft-zeilenga-ldap-t-f-05.txt>
+ <draft-zeilenga-ldap-t-f-07.txt>
Status of this Memo
This document is intended to be, after appropriate review and
revision, submitted to the RFC Editor as a Standard Track document.
Distribution of this memo is unlimited. Technical discussion of this
- document will take place on the IETF LDAP Extensions Working Group
- mailing list <ldapext@ietf.org>. Please send editorial comments
- directly to the author <Kurt@OpenLDAP.org>.
+ document will take place on the IETF LDAP Extensions mailing list
+ <ldapext@ietf.org>. Please send editorial comments directly to the
+ author <Kurt@OpenLDAP.org>.
Internet-Drafts are working documents of the Internet Engineering Task
Force (IETF), its areas, and its working groups. Note that other
Internet-Draft Shadow Directories can be accessed at
<http://www.ietf.org/shadow.html>.
- Copyright 2003, The Internet Society. All Rights Reserved.
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
- Please see the Copyright section near the end of this document for
- more information.
+ Please see the Full Copyright section near the end of this document
+ for more information.
Abstract
Zeilenga LDAP True & False Filters [Page 1]
\f
-INTERNET-DRAFT draft-zeilenga-ldap-t-f-05.txt 3 May 2003
+INTERNET-DRAFT draft-zeilenga-ldap-t-f-07.txt 25 October 2003
-1. Background and Intended Use
+1. Background
The X.500 Directory Access Protocol (DAP) [X.511] supports absolute
True and False assertions. An 'and' filter with zero elements always
specific Entries (DSEs) which do not necessarily have 'objectClass'
attributes. That is, where "(objectClass=*)" may evaluate to False.
- While LDAPv2 [RFC1777] placed no restriction on the number of elements
- in 'and' and 'or' filter sets, the LDAPv2 string representation
- [RFC1960] could not represent empty 'and' and 'or' filter sets. Due
- to this, absolute True or False filters were (unfortunately)
- eliminated from LDAPv3 [RFC3377].
+ While LDAPv2 [RFC1777][RFC3494] placed no restriction on the number of
+ elements in 'and' and 'or' filter sets, the LDAPv2 string
+ representation [RFC1960] could not represent empty 'and' and 'or'
+ filter sets. Due to this, absolute True or False filters were
+ (unfortunately) eliminated from LDAPv3 [RFC3377].
This documents extends LDAPv3 to support absolute True and False
matches by allowing empty 'and' and 'or' in Search filters [RFC2251]
and extends the filter string representation [RFC2254] to allow empty
filter lists.
+ This feature is intended to allow a more direct mapping between DAP
+ and LDAP (as needed to implement DAP-to-LDAP gateways).
+
+
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in BCP 14 [RFC2119].
False. This filter is represented by the string "(|)".
Servers supporting this feature SHOULD publish the Object Identifier
- 1.3.6.1.4.1.4203.1.5.3 as a value of the supportedFeatures [FEATURES]
- attribute in the root DSE.
+ (OID) 1.3.6.1.4.1.4203.1.5.3 as a value of the 'supportedFeatures'
+ [FEATURES] attribute in the root DSE.
Clients supporting this feature SHOULD NOT use the feature unless they
have knowledge the server supports it.
-3. Security Considerations
-
- The (re)introduction of absolute True and False filters is not
- believed to raise any new security considerations.
Zeilenga LDAP True & False Filters [Page 2]
\f
-INTERNET-DRAFT draft-zeilenga-ldap-t-f-05.txt 3 May 2003
+INTERNET-DRAFT draft-zeilenga-ldap-t-f-07.txt 25 October 2003
+3. Security Considerations
+
+ The (re)introduction of absolute True and False filters is not
+ believed to raise any new security considerations.
+
Implementors of this (or any) LDAPv3 extension should be familiar with
general LDAPv3 security considerations [RFC3377].
Person & email address to contact for further information:
Kurt Zeilenga <kurt@openldap.org>
Usage: Feature
- Specification: RFCxxxx
+ Specification: RFC XXXX
Author/Change Controller: IESG
Comments: none
6. Normative References
- [RFC2119] S. Bradner, "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14 (also RFC 2119), March 1997.
-
- [RFC2251] M. Wahl, T. Howes, S. Kille, "Lightweight Directory Access
- Protocol (v3)", RFC 2251, December 1997.
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14 (also RFC 2119), March 1997.
- [RFC2254] T. Howes, "A String Representation of LDAP Search Filters",
- RFC 2254, December 1997.
+ [RFC2251] Wahl, M., T. Howes and S. Kille, "Lightweight Directory
+ Access Protocol (v3)", RFC 2251, December 1997.
- [RFC3377] J. Hodges, R. Morgan, "Lightweight Directory Access
- Protocol (v3): Technical Specification", RFC 3377,
- September 2002.
+ [RFC2254] Howes, T., "A String Representation of LDAP Search
+ Filters", RFC 2254, December 1997.
- [FEATURES] K. Zeilenga, "Feature Discovery in LDAP",
- draft-zeilenga-ldap-features-xx.txt (a work in progress).
+ [RFC3377] Hodges, J. and R. Morgan, "Lightweight Directory Access
Zeilenga LDAP True & False Filters [Page 3]
\f
-INTERNET-DRAFT draft-zeilenga-ldap-t-f-05.txt 3 May 2003
+INTERNET-DRAFT draft-zeilenga-ldap-t-f-07.txt 25 October 2003
+
+
+ Protocol (v3): Technical Specification", RFC 3377,
+ September 2002.
+
+ [FEATURES] Zeilenga, K., "Feature Discovery in LDAP",
+ draft-zeilenga-ldap-features-xx.txt, a work in progress.
7. Informative References
- [RFC1777] Yeong, W., Howes, T., and S. Kille, "Lightweight Directory
- Access Protocol", RFC 1777, March 1995.
+ [RFC1777] Yeong, W., Howes, T., and S. Kille, "Lightweight
+ Directory Access Protocol", RFC 1777, March 1995.
+
+ [RFC1960] Howes, T., "A String Representation of LDAP Search
+ Filters", RFC 1960, June 1996.
+
+ [RFC3383] Zeilenga, K., "IANA Considerations for LDAP", BCP 64
+ (also RFC 3383), September 2002.
+
+ [RFC3494] Zeilenga, K., "Lightweight Directory Access Protocol
+ version 2 (LDAPv2) to Historic Status", RFC 3494, March
+ 2003.
+
+ [X.500] International Telecommunication Union -
+ Telecommunication Standardization Sector, "The Directory
+ -- Overview of concepts, models and services,"
+ X.500(1993) (also ISO/IEC 9594-1:1994).
+
+ [X.501] International Telecommunication Union -
+ Telecommunication Standardization Sector, "The Directory
+ -- Models," X.501(1993) (also ISO/IEC 9594-2:1994).
+
+ [ASSIGN] OpenLDAP Foundation, "OpenLDAP OID Delegations",
+ http://www.openldap.org/foundation/oid-delegate.txt.
+
+ [PRIVATE] IANA, "Private Enterprise Numbers",
+ http://www.iana.org/assignments/enterprise-numbers.
+
- [RFC1960] T. Howes, "A String Representation of LDAP Search Filters",
- RFC 1960, June 1996.
- [RFC3383] K. Zeilenga, "IANA Considerations for LDAP", BCP 64 (also
- RFC 3383), September 2002.
+Intellectual Property Rights
- [X.500] ITU-T Rec. X.500, "The Directory: Overview of Concepts,
- Models and Service", 1993.
+ The IETF takes no position regarding the validity or scope of any
+ intellectual property or other rights that might be claimed to pertain
+ to the implementation or use of the technology described in this
+ document or the extent to which any license under such rights might or
+ might not be available; neither does it represent that it has made any
+ effort to identify any such rights. Information on the IETF's
+ procedures with respect to rights in standards-track and
- [X.511] ITU-T Rec. X.511, "The Directory: Abstract Service
- Definition", 1993.
- [ASSIGN] OpenLDAP Foundation, "OpenLDAP OID Delegations",
- http://www.openldap.org/foundation/oid-delegate.txt.
- [PRIVATE] IANA, "Private Enterprise Numbers",
- http://www.iana.org/assignments/enterprise-numbers.
+Zeilenga LDAP True & False Filters [Page 4]
+\f
+INTERNET-DRAFT draft-zeilenga-ldap-t-f-07.txt 25 October 2003
+
+
+ standards-related documentation can be found in BCP-11. Copies of
+ claims of rights made available for publication and any assurances of
+ licenses to be made available, or the result of an attempt made to
+ obtain a general license or permission for the use of such proprietary
+ rights by implementors or users of this specification can be obtained
+ from the IETF Secretariat.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights which may cover technology that may be required to practice
+ this standard. Please address the information to the IETF Executive
+ Director.
+
-Copyright 2003, The Internet Society. All Rights Reserved.
+Full Copyright
+
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published and
+ or assist in its implmentation may be prepared, copied, published and
distributed, in whole or in part, without restriction of any kind,
provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
copyrights defined in the Internet Standards process must be followed,
or as required to translate it into languages other than English.
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
- This document and the information contained herein is provided on an
- "AS IS" basis and THE AUTHORS, THE INTERNET SOCIETY, AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-Zeilenga LDAP True & False Filters [Page 4]
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Zeilenga LDAP True & False Filters [Page 5]
\f
+++ /dev/null
-
-
-
-
-
-
-INTERNET-DRAFT Editor: Kurt D. Zeilenga
-Intended Category: Standard Track OpenLDAP Foundation
-Expires in six months 17 May 2002
-Obsoletes: RFC 1274
-Updates: RFC 2798
-
-
- LDAPv3: A Collection of User Schema
- <draft-zeilenga-ldap-user-schema-06.txt>
-
-
-Status of this Memo
-
- This document is an Internet-Draft and is in full conformance with all
- provisions of Section 10 of RFC2026.
-
- This document is intended to be, after appropriate review and
- revision, submitted to the RFC Editor as a Standard Track document.
- Distribution of this memo is unlimited. Technical discussion of this
- document will take place on the IETF Directory Interest mailing list
- <directory@apps.ietf.org>. Please send editorial comments directly to
- the author <Kurt@OpenLDAP.org>.
-
- Internet-Drafts are working documents of the Internet Engineering Task
- Force (IETF), its areas, and its working groups. Note that other
- groups may also distribute working documents as Internet-Drafts.
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as ``work in progress.''
-
- The list of current Internet-Drafts can be accessed at
- <http://www.ietf.org/ietf/1id-abstracts.txt>. The list of
- Internet-Draft Shadow Directories can be accessed at
- <http://www.ietf.org/shadow.html>.
-
- Copyright 2002, The Internet Society. All Rights Reserved.
-
- Please see the Copyright section near the end of this document for
- more information.
-
-
-Abstract
-
- This document provides a collection of user schema elements for use
- with LDAP (Lightweight Directory Access Protocol) from both ITU-T
- Recommendations for the X.500 Directory and COSINE and Internet X.500
- pilot projects.
-
-
-
-Zeilenga draft-zeilenga-ldap-user-schema-06 [Page 1]
-\f
-INTERNET-DRAFT LDAPv3: A Collection of User Schema 17 May 2002
-
-
-Conventions
-
- Schema definitions are provided using LDAPv3 description formats
- [RFC2252]. Definitions provided here are formatted (line wrapped) for
- readability.
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in BCP 14 [RFC2119].
-
-
-Table of Contents (to be expanded by editor)
-
- Status of this Memo 1
- Abstract
- Conventions 2
- Table of Contents
- 1. Background and Intended Use 3
- 2. Matching Rules
- 2.1. booleanMatch 4
- 2.2. caseExactMatch
- 2.3. caseExactOrderingMatch
- 2.4. caseExactSubstringsMatch
- 2.5. caseIgnoreListSubstringsMatch
- 2.6. directoryStringFirstComponentMatch 5
- 2.7. integerOrderingMatch
- 2.8. keywordMatch
- 2.9. numericStringOrderingMatch 6
- 2.10. octetStringOrderingMatch
- 2.11. storedPrefixMatch
- 2.12. wordMatch 7
- 3. Attribute Types
- 3.1. associatedDomain
- 3.2. associatedName
- 3.3. buildingName
- 3.3. co 8
- 3.5. documentAuthor
- 3.6. documentIdentifier
- 3.7. documentLocation
- 3.8. documentPublisher 9
- 3.9. documentTitle
- 3.10. documentVersion
- 3.11. drink
- 3.12. homePhone 10
- 3.13. homePostalAddress
- 3.14. host
- 3.16. info
- 3.17. mail 11
-
-
-
-Zeilenga draft-zeilenga-ldap-user-schema-06 [Page 2]
-\f
-INTERNET-DRAFT LDAPv3: A Collection of User Schema 17 May 2002
-
-
- 3.18. manager
- 3.19. mobile
- 3.20. organizationalStatus
- 3.21. otherMailbox 12
- 3.22. pager
- 3.23. personalTitle
- 3.24. roomNumber 13
- 3.25. secretary
- 3.26. uid
- 3.27. uniqueIdentifier
- 3.28. userClass 14
- 4. Object Classes
- 4.1. account
- 4.2. document 15
- 4.3. documentSeries
- 4.4. domainRelatedObject
- 4.5. friendlyCountry
- 4.6. rFC822LocalPart 16
- 4.7. room
- 4.8. simpleSecurityObject
- 5. Security Considerations 17
- 6. IANA Considerations
- 7. Acknowledgments 19
- 8. Author's Address
- 9. Normative References
- 10. Informative References
- Full Copyright 20
-
-
-1. Background and Intended Use
-
- This document provides descriptions [RFC2252] of user schema for use
- with LDAP [LDAPTS] collected from numerous sources.
-
- This document includes a summary of select schema introduced for the
- COSINE and Internet X.500 pilot projects [RFC1274]. This document
- obsoletes RFC 1274.
-
- This document includes a summary of X.500 user schema [X.520] not
- previously specified for use with LDAP. Some of these items were
- described in the inetOrgPerson [RFC2798] schema. This document
- supersedes these descriptions, replacing sections 9.1.3 and 9.3.3 of
- RFC 2798.
-
-
-2. Matching Rules
-
- This section introduces LDAP matching rules based upon descriptions of
-
-
-
-Zeilenga draft-zeilenga-ldap-user-schema-06 [Page 3]
-\f
-INTERNET-DRAFT LDAPv3: A Collection of User Schema 17 May 2002
-
-
- their X.500 counterparts.
-
-
-2.1. booleanMatch
-
- BooleanMatch compares for equality a asserted Boolean value with an
- attribute value of BOOLEAN syntax. The rule returns TRUE if and only
- if the values are the same, i.e. both are TRUE or both are FALSE.
- (Source: X.520)
-
- ( 2.5.13.13 NAME 'booleanMatch'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )
-
-
-2.2. caseExactMatch
-
- CaseExactMatch compares for equality the asserted value with an
- attribute value of DirectoryString syntax. The rule is identical to
- the caseIgnoreMatch [RFC2252] rule except that case is not ignored.
- (Source: X.520)
-
- ( 2.5.13.5 NAME 'caseExactMatch'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-
-
-2.3. caseExactOrderingMatch
-
- CaseExactOrderingMatch compares the collation order of the asserted
- string with an attribute value of DirectoryString syntax. The rule is
- identical to the caseIgnoreOrderingMatch [RFC2252] rule except that
- letters are not folded. (Source: X.520)
-
- ( 2.5.13.6 NAME 'caseExactOrderingMatch'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-
-
-2.4. caseExactSubstringsMatch
-
- CaseExactSubstringsMatch determines whether the asserted value(s) are
- substrings of an attribute value of DirectoryString syntax. The rule
- is identical to the caseIgnoreSubstringsMatch [RFC2252] rule except
- that case is not ignored. (Source: X.520)
-
- ( 2.5.13.7 NAME 'caseExactSubstringsMatch'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.58 )
-
-
-2.5. caseIgnoreListSubstringsMatch
-
-
-
-Zeilenga draft-zeilenga-ldap-user-schema-06 [Page 4]
-\f
-INTERNET-DRAFT LDAPv3: A Collection of User Schema 17 May 2002
-
-
- CaseIgnoreListSubstringMatch compares the asserted substring with an
- attribute value which is a sequence of DirectoryStrings, but where the
- case (upper or lower) is not significant for comparison purposes. The
- asserted value matches a stored value if and only if the asserted
- value matches the string formed by concatenating the strings of the
- stored value. This matching is done according to the
- caseIgnoreSubstringsMatch [RFC2252] rule; however, none of the
- initial, any, or final values of the asserted value are considered to
- match a substring of the concatenated string which spans more than one
- of the strings of the stored value. (Source: X.520)
-
- ( 2.5.13.12 NAME 'caseIgnoreListSubstringsMatch'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.58 )
-
-
-2.6. directoryStringFirstComponentMatch
-
- DirectoryStringFirstComponentMatch compares for equality the asserted
- DirectoryString value with an attribute value of type SEQUENCE whose
- first component is mandatory and of type DirectoryString. The rule
- returns TRUE if and only if the attribute value has a first component
- whose value matches the asserted DirectoryString using the rules of
- caseIgnoreMatch [RFC2252]. A value of the assertion syntax is derived
- from a value of the attribute syntax by using the value of the first
- component of the SEQUENCE. (Source: X.520)
-
- ( 2.5.13.31 NAME 'directoryStringFirstComponentMatch'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-
-
-2.7. integerOrderingMatch
-
- The integerOrderingMatch rule compares the ordering of the asserted
- integer with an attribute value of Integer syntax. The rule returns
- True if the attribute value is less than the asserted value. (Source:
- X.520)
-
- ( 2.5.13.15 NAME 'integerOrderingMatch'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
-
-
-2.8. keywordMatch
-
- The keywordMatch rule compares the asserted string with keywords in an
- attribute value of DirectoryString syntax. The rule returns TRUE if
- and only if the asserted value matches any keyword in the attribute
- value. The identification of keywords in an attribute value and of
- the exactness of match are both implementation specific. (Source:
-
-
-
-Zeilenga draft-zeilenga-ldap-user-schema-06 [Page 5]
-\f
-INTERNET-DRAFT LDAPv3: A Collection of User Schema 17 May 2002
-
-
- X.520)
-
- ( 2.5.13.32 NAME 'keywordMatch'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-
-
-2.9. numericStringOrderingMatch
-
- NumericStringOrderingMatch compares the collation order of the
- asserted string with an attribute value of NumericString syntax. The
- rule is identical to the caseIgnoreOrderingMatch [RFC2252] rule except
- that all space characters are skipped during comparison (case is
- irrelevant as characters are numeric). (Source: X.520)
-
- ( 2.5.13.9 NAME 'numericStringOrderingMatch'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 )
-
-
-2.10. octetStringOrderingMatch
-
- OctetStringOrderingMatch compares the collation order of the asserted
- octet string with an attribute value of OCTET STRING syntax. The rule
- compares octet strings from first octet to last octet, and from the
- most significant bit to the least significant bit within the octet.
- The first occurrence of a different bit determines the ordering of the
- strings. A zero bit precedes a one bit. If the strings are identical
- but contain different numbers of octets, the shorter string precedes
- the longer string. (Source: X.520)
-
- ( 2.5.13.18 NAME 'octetStringOrderingMatch'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
-
-
-2.11. storedPrefixMatch
-
- StoredPrefixMatch determines whether an attribute value, whose syntax
- is DirectoryString, is a prefix (i.e. initial substring) of the
- asserted value, without regard to the case (upper or lower) of the
- strings. The rule returns TRUE if and only if the attribute value is
- an initial substring of the asserted value with corresponding
- characters identical except possibly with regard to case. (Source:
- X.520)
-
- ( 2.5.13.41 NAME 'storedPrefixMatch'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-
- Note: This rule can be used, for example, to compare values in the
- Directory which are telephone area codes with a purported value
-
-
-
-Zeilenga draft-zeilenga-ldap-user-schema-06 [Page 6]
-\f
-INTERNET-DRAFT LDAPv3: A Collection of User Schema 17 May 2002
-
-
- which is a telephone number.
-
-
-2.12. wordMatch
-
- The wordMatch rule compares the asserted string with words in an
- attribute value of DirectoryString syntax. The rule returns TRUE if
- and only if the asserted word matches any word in the attribute value.
- Individual word matching is as for the caseIgnoreMatch [RFC2252]
- matching rule. The precise definition of a "word" is implementation
- specific. (Source: X.520)
-
- ( 2.5.13.32 NAME 'wordMatch'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-
-
-3. Attribute Types
-
- This section details attribute types for use in LDAP.
-
-
-3.1. associatedDomain
-
- The associatedDomain attribute type specifies a DNS domain [RFC1034]
- which is associated with an object. For example, the entry in the DIT
- with a distinguished name "DC=example,DC=com" might have an associated
- domain of "example.com". (Source: RFC 1274)
-
- ( 0.9.2342.19200300.100.1.37 NAME 'associatedDomain'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-
-3.2. associatedName
-
- The associatedName attribute type specifies an entry in the
- organizational DIT associated with a DNS domain [RFC1034]. (Source:
- RFC 1274)
-
- ( 0.9.2342.19200300.100.1.38 NAME 'associatedName'
- EQUALITY distinguishedNameMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
-
-
-3.3. buildingName
-
- The buildingName attribute type specifies the name of the building
-
-
-
-Zeilenga draft-zeilenga-ldap-user-schema-06 [Page 7]
-\f
-INTERNET-DRAFT LDAPv3: A Collection of User Schema 17 May 2002
-
-
- where an organization or organizational unit is based. (Source: RFC
- 1274)
-
- ( 0.9.2342.19200300.100.1.48 NAME 'buildingName'
- EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
-
-
-3.3. co
-
- The co (Friendly Country Name) attribute type specifies names of
- countries in human readable format. It is commonly used in
- conjunction with the c (Country Name) [RFC2256] attribute type (which
- restricted to one of the two-letter codes defined in [ISO3166]).
- (Source: RFC 1274)
-
- ( 0.9.2342.19200300.100.1.43
- NAME ( 'co' 'friendlyCountryName' )
- EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-
-
-3.5. documentAuthor
-
- The documentAuthor attribute type specifies the distinguished name of
- the author of a document. (Source: RFC 1274)
-
- ( 0.9.2342.19200300.100.1.14 NAME 'documentAuthor'
- EQUALITY distinguishedNameMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
-
-
-3.6. documentIdentifier
-
- The documentIdentifier attribute type specifies a unique identifier
- for a document. (Source: RFC 1274)
-
- ( 0.9.2342.19200300.100.1.11 NAME 'documentIdentifier'
- EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
-
-
-3.7. documentLocation
-
- The documentLocation attribute type specifies the location of the
-
-
-
-Zeilenga draft-zeilenga-ldap-user-schema-06 [Page 8]
-\f
-INTERNET-DRAFT LDAPv3: A Collection of User Schema 17 May 2002
-
-
- document original. (Source: RFC 1274)
-
- ( 0.9.2342.19200300.100.1.15 NAME 'documentLocation'
- EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
-
-
-3.8. documentPublisher
-
- The documentPublisher attribute is the person and/or organization that
- published a document. (Source: RFC 1274)
-
- ( 0.9.2342.19200300.100.1.56 NAME 'documentPublisher'
- EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-
-
-3.9. documentTitle
-
- The documentTitle attribute type specifies the title of a document.
- (Source: RFC 1274)
-
- ( 0.9.2342.19200300.100.1.12 NAME 'documentTitle'
- EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
-
-
-3.10. documentVersion
-
- The documentVersion attribute type specifies the version number of a
- document. (Source: RFC 1274)
-
- ( 0.9.2342.19200300.100.1.13 NAME 'documentVersion'
- EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
-
-
-3.11. drink
-
- The drink (Favourite Drink) attribute type specifies the favorite
- drink of an object (or person). (Source: RFC 1274)
-
- ( 0.9.2342.19200300.100.1.5 NAME ( 'drink' 'favouriteDrink' )
- EQUALITY caseIgnoreMatch
-
-
-
-Zeilenga draft-zeilenga-ldap-user-schema-06 [Page 9]
-\f
-INTERNET-DRAFT LDAPv3: A Collection of User Schema 17 May 2002
-
-
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
-
-
-3.12. homePhone
-
- The homePhone (Home Telephone Number) attribute type specifies a home
- telephone number (e.g., "+44 71 123 4567") associated with a person.
- (Source: RFC 1274)
-
- ( 0.9.2342.19200300.100.1.20
- NAME ( 'homePhone' 'homeTelephoneNumber' )
- EQUALITY telephoneNumberMatch
- SUBSTR telephoneNumberSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 )
-
-
-3.13. homePostalAddress
-
- The homePostalAddress attribute type specifies a home postal address
- for an object. This SHOULD be limited to up to 6 lines of 30
- characters each. (Source: RFC 1274)
-
- ( 0.9.2342.19200300.100.1.39
- NAME 'homePostalAddress'
- EQUALITY caseIgnoreListMatch
- SUBSTR caseIgnoreListSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )
-
-
-3.14. host
-
- The host attribute type specifies a host computer. (Source: RFC 1274)
-
- ( 0.9.2342.19200300.100.1.9
- NAME 'host'
- EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
-
-
-3.16. info
-
- The info (Information) attribute type specifies any general
- information pertinent to an object. It is RECOMMENDED that specific
- usage of this attribute type is avoided, and that specific
- requirements are met by other (possibly additional) attribute types.
- Note that the description attribute type [RFC2256] is available for
-
-
-
-Zeilenga draft-zeilenga-ldap-user-schema-06 [Page 10]
-\f
-INTERNET-DRAFT LDAPv3: A Collection of User Schema 17 May 2002
-
-
- specifying descriptive information pertinent to an object. (Source:
- RFC 1274)
-
- ( 0.9.2342.19200300.100.1.4
- NAME 'info'
- EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{2048} )
-
-
-3.17. mail
-
- The mail (rfc822mailbox) attribute type holds an the electronic mail
- address in [RFC822] form (e.g.: user@example.com). Note that this
- attribute SHOULD NOT be used to hold non-Internet addresses. (Source:
- RFC 1274)
-
-
- ( 0.9.2342.19200300.100.1.3
- NAME ( 'mail' 'rfc822Mailbox' )
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
-
-
-3.18. manager
-
- The Manager attribute type specifies the manager of an object
- represented by an entry. (Source: RFC 1274)
-
- ( 0.9.2342.19200300.100.1.10
- NAME 'manager'
- EQUALITY distinguishedNameMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
-
-
-3.19. mobile
-
- The mobile (Mobile Telephone Number) attribute type specifies a mobile
- telephone number (e.g., "+44 71 123 4567") associated with a person.
- (Source: RFC 1274)
-
- ( 0.9.2342.19200300.100.1.41
- NAME ( 'mobile' 'mobileTelephoneNumber' )
- EQUALITY telephoneNumberMatch
- SUBSTR telephoneNumberSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 )
-
-
-
-
-Zeilenga draft-zeilenga-ldap-user-schema-06 [Page 11]
-\f
-INTERNET-DRAFT LDAPv3: A Collection of User Schema 17 May 2002
-
-
-3.20. organizationalStatus
-
- The organizationalStatus attribute type specifies a category by which
- a person is often referred to in an organization. Examples of usage
- in academia might include undergraduate student, researcher, lecturer,
- etc.
-
- A Directory administrator SHOULD consider carefully the distinctions
- between this and the title and userClass attributes. (Source: RFC
- 1274)
-
- ( 0.9.2342.19200300.100.1.45
- NAME 'organizationalStatus'
- EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
-
-
-3.21. otherMailbox
-
- The otherMailbox attribute type specifies values for electronic
- mailbox types other than X.400 and RFC822. (Source: RFC 1274)
-
- ( 0.9.2342.19200300.100.1.22
- NAME 'otherMailbox'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.39 )
-
-
-3.22. pager
-
- The pager (Pager Telephone Number) attribute type specifies a pager
- telephone number (e.g., "+44 71 123 4567") for an object. (Source:
- RFC 1274)
-
- ( 0.9.2342.19200300.100.1.42
- NAME ( 'pager' 'pagerTelephoneNumber' )
- EQUALITY telephoneNumberMatch
- SUBSTR telephoneNumberSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 )
-
-
-3.23. personalTitle
-
- The personalTitle attribute type specifies a personal title for a
- person. Examples of personal titles are "Frau", "Dr", "Herr", and
- "Prof". (Source: RFC 1274)
-
- ( 0.9.2342.19200300.100.1.40
-
-
-
-Zeilenga draft-zeilenga-ldap-user-schema-06 [Page 12]
-\f
-INTERNET-DRAFT LDAPv3: A Collection of User Schema 17 May 2002
-
-
- NAME 'personalTitle'
- EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
-
-
-3.24. roomNumber
-
- The roomNumber attribute type specifies the room number of an object.
- Note that the cn (commonName) attribute type SHOULD be used for naming
- room objects. (Source: RFC 1274)
-
- ( 0.9.2342.19200300.100.1.6
- NAME 'roomNumber'
- EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
-
-
-3.25. secretary
-
- The secretary attribute type specifies the secretary of a person. The
- attribute value for Secretary is a distinguished name. (Source: RFC
- 1274)
-
- ( 0.9.2342.19200300.100.1.21
- NAME 'secretary'
- EQUALITY distinguishedNameMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
-
-
-3.26. uid
-
- The uid (userid) attribute type specifies a computer system login
- name. (Source: RFC 1274)
-
- ( 0.9.2342.19200300.100.1.1
- NAME ( 'uid' 'userid' )
- EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
-
-
-3.27. uniqueIdentifier
-
- The Unique Identifier attribute type specifies a "unique identifier"
- for an object represented in the Directory. The domain within which
- the identifier is unique, and the exact semantics of the identifier,
-
-
-
-Zeilenga draft-zeilenga-ldap-user-schema-06 [Page 13]
-\f
-INTERNET-DRAFT LDAPv3: A Collection of User Schema 17 May 2002
-
-
- are for local definition. For a person, this might be an institution-
- wide payroll number. For an organizational unit, it might be a
- department code. An attribute value for uniqueIdentifier is a
- directoryString. (Source: RFC 1274)
-
- ( 0.9.2342.19200300.100.1.44 NAME 'uniqueIdentifier'
- EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
-
- Note: X.520 describes an attribute also called 'uniqueIdentifier'
- (2.5.4.45) which is called 'x500UniqueIdentifier' in LDAP
- [RFC2256]. The attribute detailed here ought not be confused
- with x500UniqueIdentifier.
-
-
-3.28. userClass
-
- The userClass attribute type specifies a category of computer user.
- The semantics placed on this attribute are for local interpretation.
- Examples of current usage od this attribute in academia are
- undergraduate student, researcher, lecturer, etc. Note that the
- organizationalStatus attribute type is now often be preferred as it
- makes no distinction between computer users and others. (Source: RFC
- 1274)
-
- ( 0.9.2342.19200300.100.1.8 NAME 'userClass'
- EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
-
-
-4. Object Classes
-
- This section details object classes for use in LDAP.
-
-
-4.1. account
-
- The account object class is used to define entries representing
- computer accounts. The uid (userid) attribute SHOULD be used for
- naming entries of this object class. (Source: RFC 1274)
-
- ( 0.9.2342.19200300.100.4.5
- NAME 'account'
- SUP top STRUCTURAL
- MUST uid
- MAY ( description $ seeAlso $ l $ o $ ou $ host ) )
-
-
-
-Zeilenga draft-zeilenga-ldap-user-schema-06 [Page 14]
-\f
-INTERNET-DRAFT LDAPv3: A Collection of User Schema 17 May 2002
-
-
-4.2. document
-
- The document object class is used to define entries which represent
- documents. (Source: RFC 1274)
-
- ( 0.9.2342.19200300.100.4.6
- NAME 'document'
- SUP top STRUCTURAL
- MUST documentIdentifier
- MAY ( cn $ description $ seeAlso $ l $ o $ ou $
- documentTitle $ documentVersion $ documentAuthor $
- documentLocation $ documentPublisher ) )
-
-
-4.3. documentSeries
-
- The documentSeries object class is used to define an entry which
- represents a series of documents (e.g., The Request For Comments
- memos). (Source: RFC 1274)
-
- ( 0.9.2342.19200300.100.4.9
- NAME 'documentSeries'
- SUP top STRUCTURAL
- MUST cn
- MAY ( description $ l $ o $ ou $ seeAlso $
- telephonenumber ) )
-
-
-4.4. domainRelatedObject
-
- The domainRelatedObject object class is used to define entries which
- represent DNS domains which are "equivalent" to an X.500 domain: e.g.,
- an organization or organizational unit. (Source: RFC 1274)
-
- ( 0.9.2342.19200300.100.4.17
- NAME 'domainRelatedObject'
- SUP top AUXILIARY
- MUST associatedDomain )
-
-
-4.5. friendlyCountry
-
- The friendlyCountry object class is used to define country entries in
- the DIT. The object class is used to allow friendlier naming of
- countries than that allowed by the object class country [RFC2256].
- (Source: RFC 1274)
-
- ( 0.9.2342.19200300.100.4.18
-
-
-
-Zeilenga draft-zeilenga-ldap-user-schema-06 [Page 15]
-\f
-INTERNET-DRAFT LDAPv3: A Collection of User Schema 17 May 2002
-
-
- NAME 'friendlyCountry'
- SUP country STRUCTURAL
- MUST co )
-
-
-4.6. rFC822LocalPart
-
- The rFC822LocalPart object class is used to define entries which
- represent the local part of [RFC822] mail addresses. This treats this
- part of an RFC 822 address as a domain [RFC2247]. (Source: RFC 1274)
-
- ( 0.9.2342.19200300.100.4.14
- NAME 'rFC822localPart'
- SUP domain STRUCTURAL
- MAY ( cn $ description $ destinationIndicator $
- facsimileTelephoneNumber $ internationaliSDNNumber $
- physicalDeliveryOfficeName $ postalAddress $
- postalCode $ postOfficeBox $ preferredDeliveryMethod $
- registeredAddress $ seeAlso $ sn $ street $
- telephoneNumber $ teletexTerminalIdentifier $
- telexNumber $ x121Address ) )
-
-
-4.7. room
-
- The room object class is used to define entries representing rooms.
- The cn (commonName) attribute SHOULD be used for naming entries of
- this object class. (Source: RFC 1274)
-
- ( 0.9.2342.19200300.100.4.7 NAME 'room'
- SUP top STRUCTURAL
- MUST cn
- MAY ( roomNumber $ description $
- seeAlso $ telephoneNumber ) )
-
-
-4.8. simpleSecurityObject
-
- The simpleSecurityObject object class is used to require an entry to
- have a userPassword attribute when the entry's structural object class
- does not require (or allow) the userPassword attribute. (Source: RFC
- 1274)
-
-
- ( 0.9.2342.19200300.100.4.19 NAME 'simpleSecurityObject'
- SUP top AUXILIARY
- MUST userPassword )
-
-
-
-
-Zeilenga draft-zeilenga-ldap-user-schema-06 [Page 16]
-\f
-INTERNET-DRAFT LDAPv3: A Collection of User Schema 17 May 2002
-
-
- Note: Security considerations related to the use of simple
- authentication mechanisms in LDAP are discussed in RFC 2829
- [RFC2829].
-
-
-5. Security Considerations
-
- General LDAP security considerations [LDAPTS] is applicable to the use
- of this schema. Additional considerations are noted above where
- appropriate.
-
-
-6. IANA Considerations
-
- It is requested that IANA update the LDAP descriptors registry as
- indicated the following template:
-
- Subject: Request for LDAP Descriptor Registration Update
- Descriptor (short name): see comment
- Object Identifier: see comment
- Person & email address to contact for further information:
- Kurt Zeilenga <kurt@OpenLDAP.org>
- Usage: see comment
- Specification: RFCXXXX
- Author/Change Controller: IESG
- Comments:
-
- The following descriptors should be added:
-
- NAME Type OID
- ------------------------ ---- ---------
- booleanMatch M 2.5.13.13
- caseExactMatch M 2.5.13.5
- caseExactOrderingMatch M 2.5.13.6
- caseExactSubstringsMatch M 2.5.13.7
- caseIgnoreListSubstringsMatch M 2.5.13.12
- directoryStringFirstComponentMatch M 2.5.13.31
- integerOrderingMatch M 2.5.13.15
- keywordMatch M 2.5.13.32
- numericStringOrderingMatch M 2.5.13.9
- octetStringOrderingMatch M 2.5.13.18
- storedPrefixMatch M 2.5.13.41
- wordMatch M 2.5.13.32
-
- The following descriptors should be updated to refer to RFC XXXX.
-
- NAME Type OID
- ------------------------ ---- --------------------------
-
-
-
-Zeilenga draft-zeilenga-ldap-user-schema-06 [Page 17]
-\f
-INTERNET-DRAFT LDAPv3: A Collection of User Schema 17 May 2002
-
-
- account O 0.9.2342.19200300.100.4.5
- associatedDomain A 0.9.2342.19200300.100.1.37
- associatedName A 0.9.2342.19200300.100.1.38
- buildingName A 0.9.2342.19200300.100.1.48
- co A 0.9.2342.19200300.100.1.43
- document O 0.9.2342.19200300.100.4.6
- documentAuthor A 0.9.2342.19200300.100.1.14
- documentIdentifier A 0.9.2342.19200300.100.1.11
- documentLocation A 0.9.2342.19200300.100.1.15
- documentPublisher A 0.9.2342.19200300.100.1.56
- documentSeries O 0.9.2342.19200300.100.4.8
- documentTitle A 0.9.2342.19200300.100.1.12
- documentVersion A 0.9.2342.19200300.100.1.13
- domainRelatedObject O 0.9.2342.19200300.100.4.17
- drink A 0.9.2342.19200300.100.1.5
- favouriteDrink A 0.9.2342.19200300.100.1.5
- friendlyCountry O 0.9.2342.19200300.100.4.18
- friendlyCountryName A 0.9.2342.19200300.100.1.43
- homePhone A 0.9.2342.19200300.100.1.20
- homePostalAddress A 0.9.2342.19200300.100.1.39
- homeTelephone A 0.9.2342.19200300.100.1.20
- host A 0.9.2342.19200300.100.1.9
- info A 0.9.2342.19200300.100.1.4
- mail A 0.9.2342.19200300.100.1.3
- manager A 0.9.2342.19200300.100.1.10
- mobile A 0.9.2342.19200300.100.1.41
- mobileTelephoneNumber A 0.9.2342.19200300.100.1.41
- organizationalStatus A 0.9.2342.19200300.100.1.45
- otherMailbox A 0.9.2342.19200300.100.1.22
- pager A 0.9.2342.19200300.100.1.42
- pagerTelephoneNumber A 0.9.2342.19200300.100.1.42
- personalTitle A 0.9.2342.19200300.100.1.40
- RFC822LocalPart O 0.9.2342.19200300.100.4.14
- RFC822Mailbox A 0.9.2342.19200300.100.1.3
- room O 0.9.2342.19200300.100.4.7
- roomNumber A 0.9.2342.19200300.100.1.6
- secretary A 0.9.2342.19200300.100.1.21
- simpleSecurityObject O 0.9.2342.19200300.100.4.19
- singleLevelQuality A 0.9.2342.19200300.100.1.50
- uid A 0.9.2342.19200300.100.1.1
- uniqueIdentifier A 0.9.2342.19200300.100.1.44
- userClass A 0.9.2342.19200300.100.1.8
- userId A 0.9.2342.19200300.100.1.1
-
- where Type A is Attribute, Type O is ObjectClass, and Type M
- is Matching Rule.
-
-
-
-
-
-Zeilenga draft-zeilenga-ldap-user-schema-06 [Page 18]
-\f
-INTERNET-DRAFT LDAPv3: A Collection of User Schema 17 May 2002
-
-
- This document make no OID assignments, it only associates LDAP schema
- descriptions with existing elements of X.500 schema.
-
-
-7. Acknowledgments
-
- This document borrows from a number of IETF documents including RFC
- 1274 by Paul Barker and Steve Kille. This document also borrows from
- a number of ITU documents including X.520.
-
-
-8. Author's Address
-
- Kurt D. Zeilenga
- OpenLDAP Foundation
- <Kurt@OpenLDAP.org>
-
-
-9. Normative References
-
- [RFC822] D. Crocker, "Standard for the format of ARPA Internet text
- messages", STD 11 (also RFC 822), August 1982.
-
- [RFC1034] P.V. Mockapetris, "Domain names - concepts and facilities",
- STD 13 (also RFC 1034), November 1987.
-
- [RFC2119] S. Bradner, "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14 (also RFC 2119), March 1997.
-
- [RFC2247] S. Kille, M. Wahl, A. Grimstad, R. Huber, S. Sataluri,
- "Using Domains in LDAP/X.500 Distinguished Names", January
- 1998.
-
- [RFC2252] M. Wahl, A. Coulbeck, T. Howes, S. Kille, "Lightweight
- Directory Access Protocol (v3): Attribute Syntax
- Definitions", RFC 2252, December 1997.
-
- [RFC2256] M. Wahl, "A Summary of the X.500(96) User Schema for use
- with LDAPv3", RFC 2256, December 1997.
-
- [RFC2829] M. Wahl, H. Alvestrand, J. Hodges, R. Morgan,
- "Authentication Methods for LDAP", RFC 2829, May 2000.
-
- [LDAPTS] J. Hodges, R. Morgan, "Lightweight Directory Access Protocol
- (v3): Technical Specification", draft-ietf-ldapbis-
- ldapv3-ts-00.txt.
-
-
-
-
-
-Zeilenga draft-zeilenga-ldap-user-schema-06 [Page 19]
-\f
-INTERNET-DRAFT LDAPv3: A Collection of User Schema 17 May 2002
-
-
-10. Informative References
-
- [ISO3166] International Standards Organization, "Codes for the
- representation of names of countries", ISO 3166.
-
- [RFC1274] P. Barker, S. Kille, "The COSINE and Internet X.500 Schema",
- November 1991.
-
- [RFC2798] M. Smith, "The LDAP inetOrgPerson Object Class", RFC 2798,
- April 2000.
-
- [X.520] International Telephone Union, "The Directory: Selected
- Attribute Types", X.520, 1997.
-
-
-Full Copyright
-
- Copyright 2002, The Internet Society. All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published and
- distributed, in whole or in part, without restriction of any kind,
- provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be followed,
- or as required to translate it into languages other than English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE AUTHORS, THE INTERNET SOCIETY, AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-
-
-
-
-
-
-
-
-Zeilenga draft-zeilenga-ldap-user-schema-06 [Page 20]
-\f
INTERNET-DRAFT Kurt D. Zeilenga
Intended Category: Standard Track OpenLDAP Foundation
-Expires in six months 11 May 2003
+Expires in six months 25 October 2003
The LDAP entryUUID operational attribute
- <draft-zeilenga-ldap-uuid-00.txt>
+ <draft-zeilenga-ldap-uuid-02.txt>
Status of this Memo
This document is intended to be, after appropriate review and
revision, submitted to the RFC Editor as an Standard Track document.
Distribution of this memo is unlimited. Technical discussion of this
- document will take place on the IETF LDAP Extension Working Group
- mailing list <ldapext@ietf.org>. Please send editorial comments
- directly to the author <Kurt@OpenLDAP.org>.
+ document will take place on the IETF LDAP Extensions mailing list
+ <ldapext@ietf.org>. Please send editorial comments directly to the
+ author <Kurt@OpenLDAP.org>.
Internet-Drafts are working documents of the Internet Engineering Task
Force (IETF), its areas, and its working groups. Note that other
-Zeilenga draft-zeilenga-ldap-uuid-00 [Page 1]
+Zeilenga draft-zeilenga-ldap-uuid-02 [Page 1]
\f
-INTERNET-DRAFT LDAP entryUUID 11 May 2003
+INTERNET-DRAFT LDAP entryUUID 25 October 2003
1. Background and Intended Use
DN which previously identified another (now renamed or deleted)
object.
- This document describes the 'entryUUID' operational attribute holds
- the Universally Unique Identifier (UUID) [ISO11578] assigned to the
- object by the server. Clients may use this attribute to distinguish
- objects identified by a distinguished name or to locate an object
- after renaming.
+ This document describes the 'entryUUID' operational attribute which
+ holds the Universally Unique Identifier (UUID) [ISO11578] assigned to
+ the object by the server. Clients may use this attribute to
+ distinguish objects identified by a distinguished name or to locate an
+ object after renaming.
This document defines the UUID syntax, the 'uuidMatch' and
'uuidOrderingMatch' matching rules, the 'entryUUID' attribute type.
2.1 UUID Syntax
- A Universally Unique Identifier (UUID) [ISO11578] is a 16-octet value
- which identifies object. The ASN.1 [X.690] type UUID is defined to
- represent UUIDs.
+ A Universally Unique Identifier (UUID) [ISO11578] is a 16-octet
+ (128-bit) value which identifies an object. The ASN.1 [X.690] type
+ UUID is defined to represent UUIDs.
- UUID ::= OCTET STRING{16} -- constrained to an UUID [ISO 11578]
+ UUID ::= OCTET STRING (SIZE(16))
+ -- constrained to an UUID [ISO 11578]
- In LDAP, values of the UUID are encoded using the string
- representation described in [ISO11578]. For example,
- 597ae2f6-16a6-1027-98f4-d28b5365dc14.
+ In LDAP, values of the UUID type are encoded using the [ASCII]
+ character string representation described in [ISO11578]. For example,
+ "597ae2f6-16a6-1027-98f4-d28b5365dc14".
- ( IANA-ASSIGNED-OID.1 DESC 'UUID' )
+ The following is a LDAP syntax description [RFC2252] suitable for
+ publication in the subschema.
+ ( IANA-ASSIGNED-OID.1 DESC 'UUID' )
-2.2 'uuidMatch' Matching Rule
- The 'uuidMatch' matching rule compares an asserted UUID with a stored
- UUID for equality. Its semantics are same as octetStringMatch
-Zeilenga draft-zeilenga-ldap-uuid-00 [Page 2]
+Zeilenga draft-zeilenga-ldap-uuid-02 [Page 2]
\f
-INTERNET-DRAFT LDAP entryUUID 11 May 2003
+INTERNET-DRAFT LDAP entryUUID 25 October 2003
- [X.520][RFC2252].
+2.2 'uuidMatch' Matching Rule
+
+ The 'uuidMatch' matching rule compares an asserted UUID with a stored
+ UUID for equality. Its semantics are same as the octetStringMatch
+ [X.520][RFC2252] matching rule. The rule differs from
+ octetStringMatch in that the assertion value is encoded using the UUID
+ string representation instead of the normal OCTET STRING string
+ representation.
+
+ The following is a LDAP matching rule description [RFC2252] suitable
+ for publication in the subschema.
( IANA-ASSIGNED-OID.2 NAME 'uuidMatch'
SYNTAX IANA-ASSIGNED-OID.1 )
2.3 'uuidOrderingMatch' Matching Rule
The 'uuidOrderingMatch' matching rule compares an asserted UUID
- with a stored UUID for ordering. Its semantics are the same as
- octetStringOrderingMatch [X.520][RFC2252].
+ with a stored UUID for ordering. Its semantics are the same as the
+ octetStringOrderingMatch [X.520][RFC2252] matching rule. The rule
+ differs from octetStringOrderingMatch in that the assertion value
+ is encoded using the UUID string representation instead of the
+ normal OCTET STRING string representation.
+
+ The following is a LDAP matching rule description [RFC2252] suitable
+ for publication in the subschema.
( IANA-ASSIGNED-OID.3 NAME 'uuidMatch'
SYNTAX IANA-ASSIGNED-OID.1 )
+ It is noted that not all UUID variants have a defined ordering and,
+ even where so, servers are not obligated to assign UUIDs in any
+ particular order. This matching rule is provided for completeness.
+
2.4. 'entryUUID' attribute
The 'entryUUID' operational attribute provides the Universally Unique
Identifier (UUID) [ISO11578] assigned to the entry.
+ The following is a LDAP attribute type description [RFC2252] suitable
+ for publication in the subschema.
+
( IANA-ASSIGNED-OID.4 NAME 'entryUUID'
DESC 'UUID of the entry'
EQUALITY uuidMatch
ORDERING uuidOrderingMatch
+
+
+
+Zeilenga draft-zeilenga-ldap-uuid-02 [Page 3]
+\f
+INTERNET-DRAFT LDAP entryUUID 25 October 2003
+
+
SYNTAX IANA-ASSIGNED-OID.1
SINGLE-VALUE
NO-USER-MODIFICATION
4.1. Object Identifier Registration
It is requested that IANA register upon Standards Action an LDAP
-
-
-
-Zeilenga draft-zeilenga-ldap-uuid-00 [Page 3]
-\f
-INTERNET-DRAFT LDAP entryUUID 11 May 2003
-
-
Object Identifier for use in this technical specification.
Subject: Request for LDAP OID Registration
Author/Change Controller: IESG
+
+
+Zeilenga draft-zeilenga-ldap-uuid-02 [Page 4]
+\f
+INTERNET-DRAFT LDAP entryUUID 25 October 2003
+
+
4.3. Registration of the uuidOrderingMatch descriptor
It is requested that IANA register upon Standards Action the LDAP
Subject: Request for LDAP Descriptor Registration
Descriptor (short name): entryUUID
-
-
-
-Zeilenga draft-zeilenga-ldap-uuid-00 [Page 4]
-\f
-INTERNET-DRAFT LDAP entryUUID 11 May 2003
-
-
Object Identifier: IANA-ASSIGNED-OID.4
Person & email address to contact for further information:
Kurt Zeilenga <kurt@OpenLDAP.org>
5. Acknowledgments
This document is based upon discussions in the LDAP Update and
- Duplication Protocols (LDUP) WG.
+ Duplication Protocols (LDUP) WG. Members of the concluded LDAP
+ Extensions (LDAPEXT) Working Group provided review.
6. Author's Address
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14 (also RFC 2119), March 1997.
+
+
+Zeilenga draft-zeilenga-ldap-uuid-02 [Page 5]
+\f
+INTERNET-DRAFT LDAP entryUUID 25 October 2003
+
+
[RFC2252] Wahl, M., A. Coulbeck, T. Howes, and S. Kille,
"Lightweight Directory Access Protocol (v3): Attribute
Syntax Definitions", RFC 2252, December 1997.
"Information technology - Open Systems Interconnection -
Remote Procedure Call", ISO/IEC 11578:1996.
+ [ASCII] Coded Character Set--7-bit American Standard Code for
+ Information Interchange, ANSI X3.4-1986.
+
[X.501] International Telecommunication Union -
Telecommunication Standardization Sector, "The Directory
-- Models," X.501(1993) (also ISO/IEC 9594-2:1994).
ISO/IEC 9594-6:1994).
[X.680] International Telecommunication Union -
-
-
-
-Zeilenga draft-zeilenga-ldap-uuid-00 [Page 5]
-\f
-INTERNET-DRAFT LDAP entryUUID 11 May 2003
-
-
Telecommunication Standardization Sector, "Abstract
Syntax Notation One (ASN.1) - Specification of Basic
Notation", X.680(1997) (also ISO/IEC 8824-1:1998).
[RFC3383] Zeilenga, K., "IANA Considerations for LDAP", BCP 64
(also RFC 3383), September 2002.
- [UUIDinfo] The Open Group, "Universally Unique Identifier" section
- of "CDE 1.1: Remote Procedure Calls",
- <http://www.opengroup.org/onlinepubs/9629399/apdxa.htm>,
- April 1997.
+ [UUIDinfo] The Open Group, "Universally Unique Identifier" appendix
+ of the CAE Specification "DCE 1.1: Remote Procedure
+ Calls", Document Number C706,
+ <http://www.opengroup.org/products/publications/catalog/c706.htm>
+ (appendix available at:
+ <http://www.opengroup.org/onlinepubs/9629399/apdxa.htm>),
+ August 1997.
Intellectual Property Rights
The IETF takes no position regarding the validity or scope of any
+
+
+
+Zeilenga draft-zeilenga-ldap-uuid-02 [Page 6]
+\f
+INTERNET-DRAFT LDAP entryUUID 25 October 2003
+
+
intellectual property or other rights that might be claimed to pertain
to the implementation or use of the technology described in this
document or the extent to which any license under such rights might or
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implmentation may be prepared, copied, published and
-
-
-
-Zeilenga draft-zeilenga-ldap-uuid-00 [Page 6]
-\f
-INTERNET-DRAFT LDAP entryUUID 11 May 2003
-
-
distributed, in whole or in part, without restriction of any kind,
provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Zeilenga draft-zeilenga-ldap-uuid-00 [Page 7]
+Zeilenga draft-zeilenga-ldap-uuid-02 [Page 7]
\f
+++ /dev/null
-
-
-
-
-
-
-INTERNET-DRAFT Kurt D. Zeilenga
- OpenLDAP Foundation
-Expires in six months 1 October 2002
-
-
-
- LDAP (Alternative) Virtual List View Operation
- <draft-zeilenga-ldapext-vlv-00.txt>
-
-
-
-1. Status of this Memo
-
- This document is an Internet-Draft and is in full conformance with all
- provisions of Section 10 of RFC2026.
-
- This document is offered to IETF LDAPEXT WG as an alternative to
- draft-ietf-ldapext-ldapv3-vlv-xx.txt.
-
- This document is intended to be, after appropriate review and
- revision, submitted to the RFC Editor as a Standard Track document.
- Distribution of this memo is unlimited. Technical discussion of this
- document will take place on the IETF LDAPEXT Working Group mailing
- list <ldapext@ietf.org>. Please send editorial comments directly to
- the author <Kurt@OpenLDAP.org>.
-
- Internet-Drafts are working documents of the Internet Engineering Task
- Force (IETF), its areas, and its working groups. Note that other
- groups may also distribute working documents as Internet-Drafts.
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as ``work in progress.''
-
- The list of current Internet-Drafts can be accessed at
- <http://www.ietf.org/ietf/1id-abstracts.txt>. The list of
- Internet-Draft Shadow Directories can be accessed at
- <http://www.ietf.org/shadow.html>.
-
- Copyright 2002, The Internet Society. All Rights Reserved.
-
- Please see the Copyright section near the end of this document for
- more information.
-
-
-
-
-
-
-
-
-Zeilenga LDAP Virtual List View [Page 1]
-\f
-INTERNET-DRAFT draft-zeilenga-ldapext-vlv-00 1 October 2002
-
-
-Abstract
-
- This document describes an LDAP (Lightweight Directory Access
- Protocol) Virtual List View (VLV) operation. The operation allows the
- client to obtain portion (the view) of an ordered set (the list) of
- entries visible through a virtual window. The client can reissue the
- operation with different criteria to obtain a different view of the
- list. Clients may use this operation to page, scroll, or browse
- directory content.
-
- The VLV operation is defined as a set of LDAP controls which extend
- the Search operation. The VLV controls may be used in conjunction
- with a number of other search controls, such as the Server Side
- Sorting of Search Results (RFC 2891) control.
-
-
-1. Overview
-
- A "virtual list" is a graphical user interface (GUI) technique
- employed where a list containing a large number of entries need to be
- displayed. A window containing a small number of list entries are
- visible. This window can be relocated such that another set of list
- entries are visible. The set of entries visible through the window is
- the view.
-
- The Lightweight Directory Access Protocol (LDAP) [RFC3377] Virtual
- List View (VLV) operation allows a client to obtain the set of entries
- of an ordered list visible through a window from a server. The set of
- entries are selected based on search criteria. In absence of a
- control specifying a particular order, the order is determined by the
- server. The position and size of the window is determined by
- parameters of the VLV request control.
-
- The VLV operation is defined as an extended Search operation. The VLV
- operation is state-less.
-
- Appendix A. discusses how a client can use VLV operations to provide a
- GUI to page, scroll, and browse directory content.
-
-
-1.1. Relationship to other LDAP extensions
-
- The VLV operation may be used with
-
- - Duplicate Entry Control [DUPENT],
- - ManageDsaIT Control [RFC3296],
- - Matched Values Control [MATCHED],
- - Server-Side Sorting Control [RFC2891], and
-
-
-
-Zeilenga LDAP Virtual List View [Page 2]
-\f
-INTERNET-DRAFT draft-zeilenga-ldapext-vlv-00 1 October 2002
-
-
- - Subentries Control [SUBENTRY].
-
- as described in Section 5. The VLV operation may be used with other
- LDAP extensions as detailed in other documents.
-
- This document provides a standardized mechanism for scrolling, paging,
- and browsing DIT content. It is intended to replace Scrolling View
- Browsing [SVB] and the the Simple Paged Results Manipulation [RFC2696]
- control extensions.
-
-
-1.2. Comparison to Scrolling View Browsing
-
- This document was originally offered as an alternative to the
- Scrolling View Browsing (SVB) [SVB] approach. While both SVB and VLV
- are upon a Virtual View List metaphor, they differ in many ways. This
- section highlights a few of the differences.
-
- SVB was designed to work in static environments. Small DIT changes
- between related SVB operations can yield astonishing results. For
- example, an SVB operation intended to page the view down, may jump
- over entries or an SVB operation intended to scroll a view up can
- actually return entries which are below the current view. This is
- because SVB relies on the ordinal position of entries in the list to
- be stable.
-
- VLV addresses this problem by selecting the target entry which the
- view is centered about by DN. An VLV intended to page down the view,
- selects the next page based upon the position of a particular entry.
- Likewise for scrolling. Even where the target entry is modified (and
- hence now appears next to other entries in the list), the client can,
- by requesting overlapping entries, determine whether the returned view
- is adjacent to the previous view or not. Based upon intended result,
- the client can choose to display this view to the user or request
- another view centered about other entries in the previous view.
-
- SVB provides a mechanism allowing selection of the target entry by its
- offset from the head of the list, but not the tail of the list. VLV
- provides selection by offsets from the head or the tail.
-
- SVB provides a "type down" selection mechanism limited to the list
- primary sort key. VLV provides a "type down" selection mechanism
- which allows selection by all of the sort keys.
-
- SVB requires that entries be sorted using the Server-Side Sorting
- Control [RFC2891]. VLV only requires that the list be ordered by a
- deterministic algorithm. VLV allows, but does not require, a
- particular ordering algorithm to be requested.
-
-
-
-Zeilenga LDAP Virtual List View [Page 3]
-\f
-INTERNET-DRAFT draft-zeilenga-ldapext-vlv-00 1 October 2002
-
-
-1.3. Terminology and Conventions
-
- The term "list" (of entries) refers to an ordered set of entries by a
- deterministic algorithm. The list may contain both returnable and
- non-returnable entries.
-
- The term "returnable entry" refers to an entry which the server is
- willing and able to return. A "non-returnable entry" refers to an
- entry which the server is unwilling or unable to return.
-
- The term "target" refers to the entry used to position the window.
-
- The term "view" refers to the portion of a list of entries visible
- through a window.
-
- The term "window" refers to the criteria for selecting the portion of
- the list to be viewed.
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in BCP 14 [RFC2119].
-
-
-2. Protocol Elements
-
- Protocol elements are described using ASN.1 [X.680]. The term
- "BER-encoded" means the element is to be encoded using the Basic
- Encoding Rules [X.690] per Section 5.1 of [RFC2251].
-
-
-2.1. VLV Request Control
-
- The VLV Request Control is an LDAPControl [RFC2251] whose controlType
- is the "IANA-ASSIGNED-OID.1", criticality is True or False (the
- DEFAULT), and the controlValue, an OCTET STRING, contains a
- BER-encoded value of the vlvRequestValue data type:
-
- target ::= SEQUENCE {
- tSelect CHOICE {
- tName [0] LDAPDN,
- tFraction [1] SEQUENCE {
- tNumerator INTEGER,
- -- constrained to (0..tDenominator))
- tDenominator INTEGER (1..maxint)
- },
- tOffset [2] INTEGER (0..maxint),
- tTypeDown [3] SEQUENCE OF AssertionValue
- -- contains at least one AssertionValue
-
-
-
-Zeilenga LDAP Virtual List View [Page 4]
-\f
-INTERNET-DRAFT draft-zeilenga-ldapext-vlv-00 1 October 2002
-
-
- ...
- },
- tReverse BOOLEAN DEFAULT False
- -- for tTypeDown, tReverse is constrained to False
- }
-
- window ::= SEQUENCE {
- wOffset INTEGER,
- wCount INTEGER (0..maxInt)
- wReverse BOOLEAN DEFAULT False
- }
-
- vlvRequestValue ::= SEQUENCE {
- COMPONENTS OF target
- COMPONENTS OF window
- }
-
- The VLV Request Control is applicable to the SearchRequest message.
-
-
-2.2. VLV Target Response Control
-
- The VLV Target Response Control is an LDAPControl [RFC2251] whose
- controlType is the "IANA-ASSIGNED-OID.2", criticality is False (the
- DEFAULT), and the controlValue is absent.
-
- The VLV Target Response Control is applicable to the SearchResultEntry
- message.
-
-
-2.3. VLV Done Response Control
-
- The VLV Done Response Control is an LDAPControl [RFC2251] whose
- controlType is the "IANA-ASSIGNED-OID.3", criticality is False (the
- DEFAULT), and the controlValue is absent.
-
- The VLV Done Response Control is applicable to the SearchResultDone
- message.
-
-
-2.4. VLV Result Codes
-
- Implementations of this specification SHALL recognize the following
- additional resultCode [RFC2251] values:
-
- vlvTargetInvalid (IANA-ASSIGNED-1)
- vlvTargetNotFound (IANA-ASSIGNED-2)
- vlvWindowInvalid (IANA-ASSIGNED-3)
-
-
-
-Zeilenga LDAP Virtual List View [Page 5]
-\f
-INTERNET-DRAFT draft-zeilenga-ldapext-vlv-00 1 October 2002
-
-
-3. The VLV Operation
-
- The VLV operation is defined as an extension to the Search operation.
- The operation is initiated by the client sending a VLV request
- message, a SearchRequest which includes a VLV Request Control. In
- response to this request, the server returns zero or more
- SearchResultEntry messages, one of which may include the VLV Target
- Control. The operation is completed by the server returning a VLV
- done response message, a SearchResultDone message which includes VLV
- Response Done Control.
-
- No searchResultReference messages are returned in response to a VLV
- Request. Continuation references are discussed further in Section
- 4.1.
-
- In the VLV request message, fields of searchRequest structure specify
- the list of entries. The searchRequest fields have the same semantics
- as defined in Section 4.5.1 of [RFC2251]. The fields of the VLV
- Request Control specify the desired target as well as the window.
-
-
-3.1. Target Selection
-
- The target may be select from the list by multiple means.
-
-
-3.1.1. Target Selection by DN
-
- The target tName choice allows selection of the target by
- distinguished name (DN). If the provided LDAPDN is not a valid string
- representation [RFC2253] of a DN, vlvTargetInvalid is returned. If
- the entry named cannot be found, is not in the list, or is not
- returnable, vlvTargetNotFound is returned.
-
- When the request is accompanied by a Duplicate Entry control [DUPENT],
- tReverse=False indicates that first duplicate of the entry in the list
- is the target and tReverse=True indicates that last duplicate of the
- entry in the list is the target. If a Duplicate Entry control was not
- provided, tReverse is ignored.
-
-
-3.1.2. Target Selection by Offset
-
- The target tOffset choice selects the target based on ordinal position
- in the list. When tReverse is False (DEFAULT), a tOffset value of N
- selects the first returnable entry whose ordinal position is greater
- than N. When tReverse is True, a tOffset value of N selects the last
- returnable entry in a list of size M whose ordinal position is less
-
-
-
-Zeilenga LDAP Virtual List View [Page 6]
-\f
-INTERNET-DRAFT draft-zeilenga-ldapext-vlv-00 1 October 2002
-
-
- than or equal to the value M-N. For example, in a list of 100
- entries:
-
- <tOffset=0,tReverse=False> selects the first returnable entry;
-
- <tOffset=0,tReverse=True> selects the first returnable entry;
-
- <tOffset=10,tReverse=True> selects the first returnable entry
- whose ordinal position is greater than 10;
-
- <tOffset=5,tReverse=True> selects the last returnable entry whose
- ordinal position is less than or equal to 95 (100-5).
-
- If the value of tOffset is greater than or equal to the size of the
- list, vlvTargetInvalid is returned. If no entry meets the criteria,
- vlvTargetNotFound is returned.
-
-
-3.1.2. Target Selection by Fraction
-
- The target tFraction choice selects the target based on proportional
- position of entries on the list. The target is the first returnable
- entry whose ordinal position is closest to quantity 0.5 plus product
- of the size of the list, less one, and the quotient of the value
- tNumerator divided by the value of tDenominator. That is, the target
- is the returnable entry of whose ordinal position in a list of N
- entries is closest to
-
- (0.5 + (N - 1) * (tNumerator / tDenominator))).
-
- Where the two closest returnable entries are equally close, the entry
- which appears later in the list is targeted.
-
- For a list of any size:
-
- <tNumerator=0,tDenominator=1> selects the first returnable entry;
- and
- <tNumerator=1,tDenominator=1> selects the last returnable entry;
-
- For a list of size 100:
- <tNumerator=1,tDenominator=2> selects the returnable entry closest
- to 51 (e.g., the returnable entry closest to the middle);
- <tNumerator=2,tDenominator=3> selects the returnable entry closest
- to 65.49.
-
- For a list of size 101:
- <tNumerator=1,tDenominator=2> selects the returnable entry closest
- to 50.5 (e.g., the returnable entry closest to the middle);
-
-
-
-Zeilenga LDAP Virtual List View [Page 7]
-\f
-INTERNET-DRAFT draft-zeilenga-ldapext-vlv-00 1 October 2002
-
-
- <tNumerator=2,tDenominator=3> selects the returnable entry closest
- to 67.2.
-
- If the list is empty or contains no returnable entries,
- vlvTargetNotFound is returned. If tReverse is True, protocolError is
- returned.
-
-
-3.1.3. Target Selection by Type Down
-
- The target tTypeDown choice selects the target whose based upon "type
- down" criteria.
-
- The first tTypeDown AssertionValue is associated with the first sort
- key. The second AssertionValue is associated with the second key.
- And so on.
-
- If there are more AssertionValues than keys, protocolError is
- returned. If there are more keys than AssertionValues, only the keys
- which have associated AssertionValues are used.
-
- If tReverse is True, protocolError is returned.
-
- To select the target, the set of returnable entries whose least
- attribute value for the first key is equal to the first AssertionValue
- is determined. If the set contains one entry, that entry is the
- target. If this set is empty, the first returnable greater than the
- AssertionValue is the target. If none, vlvTargetNotFound is returned.
- If the set contains multiple entries, additional key and
- AssertionValue pairs are used in turn as detailed in the next
- paragraph. If there are no additional pairs, the target is the first
- entry in the set.
-
- Using the next key and AssertionValue, a subset of the set (from the
- preceding step) whose least attribute value for the key is equal to
- the AssertionValue is determined. If the set contains one entry, that
- entry is the target. If this subset is empty, first entry in the set
- greater than the AssertionValue is the target. If none, the first
- returnable entry entry greater than the first AssertionValue is the
- target. In none, vlvTargetNotFound is returned. If the set contains
- multiple entries, then this step is repeated with the next key and
- AssertionValue pair. If there are no additional pairs, the target is
- the first entry in the subset.
-
- For example, consider a list sorted by list sorted first by 'sn', then
- by 'givenName', and then by 'initials' and a target criteria of
- <tTypeDown={"James", "J"}>. First, the set of returnable entries
- whose least value of 'sn' is "James" is determined. Second, assuming
-
-
-
-Zeilenga LDAP Virtual List View [Page 8]
-\f
-INTERNET-DRAFT draft-zeilenga-ldapext-vlv-00 1 October 2002
-
-
- the set is non-empty, the subset of this set whose least value of
- 'givenName' is "J" is determined. If the subset is non-empty, the
- first entry of the subset is the target (as there are no further key /
- AssertionValue pairs). If this subset is empty then, the target is
- the first entry in the set which has a 'givenName' greater than "J".
- If none, then the target is the first entry in the list which contains
- a 'sn' value greater than 'James'.
-
-
-3.2. View Selection and Return
-
- If wCount is 0, the view is empty and no entries are returned.
- Otherwise, the window is positioned relative to the target entry to
- determine the view.
-
- The positioning index is the value of wOffset plus the ordinal
- position of the target entry. If this index is less than 1, the first
- entry of the list is first entry of the view. If the index is greater
- than the size of the list, the last entry in the list is the first
- entry in the view. Otherwise, the entry whose ordinal position in the
- list is equal to this index is the first entry of the view.
-
- If the entry at the positioning index is returnable, it is returned
- first and wCount is reduced by one.
-
- If wReverse=False, the next wCount returnable entries from the
- position index towards the tail of the list are in the view and are
- returned in increase ordinal order.
-
- If wReverse=True, the next wCount returnable entries from the position
- index towards the head of the list are in the view and are returned in
- decreasing ordinal order.
-
- If the target entry is within view, it is returned with a Virtual
- Target Response control.
-
-
-3.3. Done Response Message
-
- The VLV Done Response message is returned on completion of the VLV
- operation.
-
-
-4. Other considerations
-
-4.1. Continuation References
-
- As indicated above, no searchResultReference messages are returned in
-
-
-
-Zeilenga LDAP Virtual List View [Page 9]
-\f
-INTERNET-DRAFT draft-zeilenga-ldapext-vlv-00 1 October 2002
-
-
- response to a VLV Request.
-
- Where the content contains references to other servers, the server MAY
- obtain entries from these others in order to fulfill the VLV request.
- Otherwise, the server SHALL ignore these references.
-
-
-4.2. Changes to content between VLV operations
-
- While individual entries tend to change infrequently, changes to a
- list of entries is likely change frequently. For example, if the
- average entry changes once per (8 hour) work day, a list of 28,800
- entries will change approximately once per second during the work day.
-
- The client SHOULD NOT assume the directory content is static.
-
-
-4.3. Changes to content during a VLV operation
-
- Server implementations which allows directory content to change (due
- to other operations) during processing of the VLV operation, need to
- take special care to ensure the operation behaves in a consistent
- manner.
-
- During the processing of the VLV operation, an entry is modified in a
- manner which changes in a manner which affects it position in the
- list. If only the old position is in the view, the server MUST either
- return the old entry in the old position or not return the entry. If
- only the new position is in the view, the server MUST either return
- new entry in the new position or not return the entry. If both
- positions are in the view, the server MUST either return the old entry
- in the old position, the new entry in the new position, or not return
- the entry.
-
- If the target entry is modified, then the server MUST select all
- returned entries based upon the old position of the target entry or
- select all returned entries based upon the new entry.
-
-
-5. Interaction with Other Controls
-
- The VLV operation may be used with
-
- - Duplicate Entry Control [DUPENT],
- - ManageDsaIT Control [RFC3296],
- - Matched Values Control [MATCHED],
- - Server-Side Sorting Control [RFC2891], and
- - Subentries Control [SUBENTRY].
-
-
-
-Zeilenga LDAP Virtual List View [Page 10]
-\f
-INTERNET-DRAFT draft-zeilenga-ldapext-vlv-00 1 October 2002
-
-
- as described below. The VLV operation may be used with other LDAP
- extensions as detailed in other documents.
-
-
-5.1. Server-Side Sorting Control
-
- VLV operations provide a view into an ordered list. When the Server-
- Side Sorting Control (SSS) [RFC2891] indicates the particular sorting
- algorithm to be used to determining the order of entries in the list.
- Where the sorting algorithm allows for two or more entries to be
- presented in any order, the server MUST choose the order which these
- entries appear in the list by a deterministic algorithm.
-
- That is, if the Sort Control indicates the list is to sorted by their
- CN values and two or more entries have the same CN value, the server
- is not free to return the entries in randomly selected order.
-
-
-5.2. Duplicate Entry Control
-
- It is often desirable to include an entry which has multiple values
- for the sort key(s) in the list multiple times, once for each value of
- a sort key. For example, when constructing a list of entries by
- ordered by common name (CN), it is often desirable for the entry to
- appear in the list under each CN value. The Duplicate Entry Control
- provides a mechanism by which the "client requests that the server
- return separate entries for each value held in the specified
- attribute(s)" [DUPENT].
-
- When used with the VLV Operation, the Duplicate Entry Control
- logically applies to entries before list ordering. That is, each
- duplicate entry is ordered independently in respect to other entries
- (duplicates or not) in the list.
-
- A particular ordering algorithm may be specified by use of a sorting
- control.
-
-
-5.3. Matched Values Control
-
- The Matched Values control is "used to return a subset of attribute
- values from an entry, specifically, only those values that match a
- "values return" filter" [MATCHED].
-
- When used with the VLV Operation, the Matched Values control logically
- applies to entries before list ordering. That is, entries are to
- ordered based only upon a subset of attribute values selected by the
- Matched Values control. Other values are eliminated.
-
-
-
-Zeilenga LDAP Virtual List View [Page 11]
-\f
-INTERNET-DRAFT draft-zeilenga-ldapext-vlv-00 1 October 2002
-
-
- Matched Values control SHOULD precede other controls are specified
- which affect the number and ordering entries in the list.
-
-
-5.4. ManageDsaIT control
-
- As when used with other operations, the ManageDsaIT control [RFC3296]
- causes referral and other special objects to be treated as normal
- objects with respect to the VLV Operation and other controls. That
- is, the referral and other special objects appear in the list if they
- were normal objects.
-
-
-5.5. Subentries control
-
- The Subentries control is used with the search operation "to control
- the visibility of entries and subentries which are within scope"
- [SUBENTRY]. When used with the VLV Operation, the subentries control
- and other factors (search scope, filter, etc.) is used to determining
- whether an entry or subentry in the list is returnable or not.
-
-
-6. Security Considerations
-
- Significant resources (CPU, memory, etc.) may be required at the
- server to process a VLV Operation, especially where the VLV Operation
- has been extended by Server-Side Sorting, Duplicate Entry, and other
- controls. Servers SHOULD provide administrative controls to limit the
- rate and/or kinds of VLV operations which can be submitted by
- authorized users.
-
- A single VLV operation does not directly disclose the size of the
- list. However, by issuing multiple VLV operations, an authorized
- client can determine the size of the list.
-
-
-7. IANA Considerations
-
- Registration of the following values is requested [RFC3383].
-
-
-7.1. Object Identifiers
-
- It is requested that IANA register upon Standards Action an LDAP
- Object Identifier in identifying the protocol elements defined in this
- technical specification. The following registration template is
- suggested:
-
-
-
-
-Zeilenga LDAP Virtual List View [Page 12]
-\f
-INTERNET-DRAFT draft-zeilenga-ldapext-vlv-00 1 October 2002
-
-
- Subject: Request for LDAP OID Registration
- Person & email address to contact for further information:
- Kurt Zeilenga <kurt@OpenLDAP.org>
- Specification: RFCXXXX
- Author/Change Controller: IESG
- Comments:
- Three delegations will be made under the assigned OID:
-
- IANA-ASSIGNED-OID.1 VLV Request Control
- IANA-ASSIGNED-OID.2 VLV Target Response Control
- IANA-ASSIGNED-OID.3 VLV Done Response Control
-
-
-7.2. LDAP Protocol Mechanism
-
- It is requested that IANA register upon Standards Action the LDAP
- protocol mechanism described in this document. The following
- registration template is suggested:
-
- Subject: Request for LDAP Protocol Mechanism Registration
- Object Identifier: IANA-ASSIGNED-OID.1
- Description: VLV Request Control
- Person & email address to contact for further information:
- Kurt Zeilenga <kurt@openldap.org>
- Usage: Control
- Specification: RFCxxxx
- Author/Change Controller: IESG
- Comments: none
- in 2
-
-
-7.3. LDAP Result Codes
-
- It is requested that IANA register upon Standards Action the LDAP
- result codes:
-
- vlvTargetInvalid (IANA-ASSIGNED-1)
- vlvTargetNotFound (IANA-ASSIGNED-2)
- vlvWindowInvalid (IANA-ASSIGNED-3)
-
- The following registration template is suggested:
-
- Subject: LDAP Result Code Registration
- Person & email address to contact for further information:
- Kurt Zeilenga <kurt@OpenLDAP.org>
- Result Code Name: vlvTargetInvalid
- Result Code Name: vlvTargetNotFound
- Result Code Name: vlvWindowInvalid
-
-
-
-Zeilenga LDAP Virtual List View [Page 13]
-\f
-INTERNET-DRAFT draft-zeilenga-ldapext-vlv-00 1 October 2002
-
-
- Specification: RFCXXXX
- Author/Change Controller: IESG
- Comments: request consecutive result codes be assigned
-
-
-8. Normative References
-
- [RFC2119] S. Bradner, "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14 (also RFC 2119), March 1997.
-
- [RFC2251] M. Wahl, T. Howes, S. Kille, "Lightweight Directory Access
- Protocol (v3)", RFC 2251, December 1997.
-
- [RFC2253] M. Wahl, S. Kille, T. Howes, "Lightweight Directory Access
- Protocol (v3): UTF-8 String Representation of Distinguished
- Names", RFC 2253, December 1997.
-
- [RFC2830] J. Hodges, R. Morgan, and M. Wahl, "Lightweight Directory
- Access Protocol (v3): Extension for Transport Layer
- Security", RFC 2830, May 2000.
-
- [RFC2891] T. Howes, M. Wahl, A. Anantha, "LDAP Control Extension for
- Server Side Sorting of Search Results", RFC 2891, August
- 2000
-
- [RFC3296] K. Zeilenga, "Named Subordinate References in Lightweight
- Directory Access Protocol (LDAP) Directories", RFC 3296,
- July 2002.
-
- [RFC3377] J. Hodges, R. Morgan, "Lightweight Directory Access Protocol
- (v3): Technical Specification", RFC 3377, September 2002.
-
- [DUPENT] J. Sermersheim. "LDAP Control for a Duplicate Entry
- Representation of Search Results",
- draft-ietf-ldapext-ldapv3-dupent-xx.txt (a work in
- progress).
-
- [MATCHED] D. Chadwick, "Returning Matched Values with LDAPv3",
- draft-ietf-ldapext-matchedval-xx.txt (a work in progress).
-
- [X.680] ITU-T, "Abstract Syntax Notation One (ASN.1) - Specification
- of Basic Notation", X.680, 1994.
-
- [X.690] ITU-T, "Specification of ASN.1 encoding rules: Basic,
- Canonical, and Distinguished Encoding Rules", X.690, 1994.
-
-
-9. Informative References
-
-
-
-Zeilenga LDAP Virtual List View [Page 14]
-\f
-INTERNET-DRAFT draft-zeilenga-ldapext-vlv-00 1 October 2002
-
-
- [RFC3383] K. Zeilenga, "IANA Considerations for LDAP", BCP 64 (also
- RFC 3383), September 2002.
-
- [SVB] D. Bozeman, J. Sermersheim, A. Kashi, "LDAP Extensions for
- Scrolling View Browsing of Search Results", draft-ietf-
- ldapext-ldapv3-vlv-08.txt (a work in progress).
-
-
-10. Acknowledgment
-
- This work benefited from prior work in this area, especially the
- paging and scrolling work done in IETF ASID and LDAPEXT working
- groups.
-
- This borrows significantly (both concepts and text) from the "LDAP
- Extensions for Scrolling View Browsing of Search Results" [SVB]
- Internet-Draft written by Dave Boreham, Jim Sermersheim, and Asaf
- Kashi.
-
-
-11. Author's Address
-
- Kurt D. Zeilenga
- OpenLDAP Foundation
- <Kurt@OpenLDAP.org>
-
-Appendix A. Using the VLV Operation
-
- This informative appendix discusses how the VLV operation can be used
- to page, scroll, and browse directory content.
-
- For the purposes of this discussion, let's assume we want to implement
- an address book application which allows the user to page, scroll, and
- browse address information held in an LDAP-accessible directory system
- using inetOrgPerson [RFC2798] schema.
-
- Say this application has a widget which is capable of displaying 10
- rows of information. In each row, we'll display the values of
- 'displayName' and 'mail' attributes of an entry.
-
- Aside from the usual search parameters (baseObject, scope, filter), we
- likely also want to sort the entries. So, initially, we'll provide a
- sort control which requests values be sorted by displayName.
-
-A.1. Widget Initialization
-
- There are multiple VLV operations which might be used to initialize
- the widget. To initialize the widget with the first 10 entries of the
-
-
-
-Zeilenga LDAP Virtual List View [Page 15]
-\f
-INTERNET-DRAFT draft-zeilenga-ldapext-vlv-00 1 October 2002
-
-
- list, the VLV request <tOffset=0, tReverse=False, wOffset=0,
- wCount=10, wReverse=False> can be used. To initialize the widget with
- the middle 10 entries, the VLV request <tNumerator=1, tDenominator=2,
- tReverse=False, wOffset=-5, wCount=10, wReverse=False> can be used.
- To initialize the widget to the last 10 entries, the VLV request
- <tNumerator=1, tDenominator=1, tReverse=False, wOffset=-9, wCount=10,
- wReverse=False> can be used.
-
- However, as the last 10 entries of in the list may not be returnable,
- it may be more appropriate to request <tNumerator=1, tDenominator=1,
- tReverse=False, wOffset=0, wCount=10, wReverse=True> instead. Note
- that since wReverse is selected, the last entry is returned first.
-
- The widget can also be initialized to the entries surrounding a known
- DN by sending the request <tName="cn=kdz,dc=example,dc=com",
- tReverse=False, wOffset=-5, wCount=10, wReverse=False>.
-
- The widget can also be initialized based upon "typedown" criteria.
- Typedown is discussed in A.4.
-
-
-A.2. Slider navigation
-
- Most list widgets allow based upon proportional positioning of a
- slider. Our widget reports the slider's position as the percentage
- the area above the slider position to the total slider area. When it
- is repositioned, the application can request <tNumerator=percent,
- tDenominator=100, tReverse=False, wOffset=-5, wCount=10,
- wReverse=False> when percent is less than or equal to 50 and
- <tNumerator=percent, tDenominator=100, tReverse=False, wOffset=5,
- wCount=10, wReverse=True> when percent is less than or equal to 50.
- Because the list may contain non-returnable entries, we reverse the
- window as we approach the tail of the list. When wReverse is True,
- the last entry is returned first.
-
-
-A.3. Page navigation
-
- Most list widgets provide page up/down controls.
-
- When page down is selected, the application can request <tName=last,
- tReverse=False, wOffset=0, wCount=10, wReverse=False> where last is
- the name of the entry presently at the bottom of the current widget
- view. The server will then return a new view in forward order. When
- inserted into the widget, the target will appear at the top of the
- current widget view.
-
- When page up is selected, the application can request <tName=first,
-
-
-
-Zeilenga LDAP Virtual List View [Page 16]
-\f
-INTERNET-DRAFT draft-zeilenga-ldapext-vlv-00 1 October 2002
-
-
- tReverse=False, wOffset=0, wCount=10, wReverse=Reverse> where first is
- the name of the entry presently at the top of the current view. The
- server will then return a new view in reverse order with the named
- entry returned first. When inserted into the widget, the target will
- appear at the bottom the current widget view.
-
- If the page up/down VLV operation returns vlvTargetNotFound, the
- application can reissue the page up/down VLV operation with the name
- of the entry nearest the top/bottom of the present widget view.
-
- It is noted that when named entry is modified prior to issuing of the
- VLV operation in a manner which affects its position in the list, the
- view will follow the named entry.
-
-
-A.4. Type down navigation
-
- Type down navigation can be used to navigate the list.
-
- The list is sorted by 'displayName'. When the user types in a partial
- or complete value, the application can use this value to present the
- 10 values at are below the value.
-
- So, for example, the user inputs "K", the application can request
- <tTypeDown="K", tReverse=False, wOffset=0, wCount=10, wReverse>.
- Desiring further typedown, the user inputs "Kurt" and the application
- requests <tTypeDown="Kurt", tReverse=False, wOffset=0, wCount=10,
- wReverse>. Etc.
-
-
-Copyright 2002, The Internet Society. All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published and
- distributed, in whole or in part, without restriction of any kind,
- provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be followed,
- or as required to translate it into languages other than English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
-
-
-
-Zeilenga LDAP Virtual List View [Page 17]
-\f
-INTERNET-DRAFT draft-zeilenga-ldapext-vlv-00 1 October 2002
-
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE AUTHORS, THE INTERNET SOCIETY, AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Zeilenga LDAP Virtual List View [Page 18]
-\f
used.
.LP
Arguments that should be replaced by actual text are shown in
-brackets <>. The structure of the access control directives is
+brackets <>.
+.SH THE ACCESS DIRECTIVE
+The structure of the access control directives is
.TP
.B access to <what> "[ by <who> <access> [ <control> ] ]+"
Grant access (specified by
.BR <what> )
by one or more requestors (specified by
.BR <who> ).
-.LP
+.SH THE <WHAT> FIELD
The field
.BR <what>
specifies the entity the access control directive applies to.
The dn, filter, and attrs statements are additive; they can be used in sequence
to select entities the access rule applies to based on naming context,
value and attribute type simultaneously.
-.LP
+.SH THE <WHO> FIELD
The field
.B <who>
indicates whom the access rules apply to.
and
.BR sasl_ssf=<n>
set the required Security Strength Factor (ssf) required to grant access.
-.LP
+.SH THE <ACCESS> FIELD
The field
.B <access> ::= [self]{<level>|<priv>}
determines the access level or the specific access privileges the
.LP
which grants everybody search and compare privileges, and adds read
privileges to authenticated clients.
+.SH OPERATION REQUIREMENTS
+Operations require different privileges on different portions of entries.
+The following summary applies to primary database backends such as
+the LDBM, BDB, and HDB backends. Requirements for other backends may
+(and often do) differ.
+.LP
+The
+.B add
+operation requires
+.B write (=w)
+privileges on the pseudo-attribute
+.B entry
+of the entry being added, and
+.B write (=w)
+privileges on the pseudo-attribute
+.B children
+of the entry's parent.
+.LP
+The
+.B bind
+operation, when credentials are stored in the directory, requires
+.B auth (=x)
+privileges on the attribute the credentials are stored in (usually
+.BR userPassword ).
+.LP
+The
+.B compare
+operation requires
+.B compare (=c)
+privileges on the attribute that is being compared.
+.LP
+The
+.B delete
+operation requires
+.B write (=w)
+privileges on the pseudo-attribute
+.B entry
+of the entry being deleted, and
+.B write (=w)
+privileges on the
+.B children
+pseudo-attribute of the entry's parent.
+.LP
+The
+.B modify
+operation requires
+.B write (=w)
+privileges on the attibutes being modified.
+.LP
+The
+.B modrdn
+operation requires
+.B write (=w)
+privileges on the pseudo-attribute
+.B entry
+of the entry whose relative DN is being modified,
+.B write (=w)
+privileges on the pseudo-attribute
+.B children
+of the old and new entry's parents, and
+.B write (=w)
+privileges on the attributes that are present in the new relative DN.
+.B Write (=w)
+privileges are also required on the attributes that are present
+in the old relative DN if
+.B deleteoldrdn
+is set to 1.
+.LP
+The
+.B search
+operation, for each entry, requires
+.B search (=s)
+privileges on the attributes that are defined in the filter.
+Then, the resulting entries are tested for
+.B read (=r)
+privileges on the pseudo-attribute
+.B entry
+(for read access to the entry itself)
+and for
+.B read (=r)
+access on each value of each attribute that is requested.
+Also, for each
+.B referral
+object used in generating continuation references, the operation requires
+.B read (=r)
+access on the pseudo-attribute
+.B entry
+(for read access to the referral object itself),
+as well as
+.B read (=r)
+access to the attribute holding the referral information
+(generally the
+.B ref
+attribute).
.SH CAVEATS
It is strongly recommended to explicitly use the most appropriate
DN
as the option with the range name sans the trailing `-'.
That is, `x-foo-bar-' matches `x-foo-bar' and `x-foo-bar-baz'.
-RFC2251 reserves options beginning with `x-' for private experiments.
-Other options should be registered with IANA, see RFC3383 section 3.4.
+RFC 2251 reserves options beginning with `x-' for private experiments.
+Other options should be registered with IANA, see RFC 3383 section 3.4.
OpenLDAP also has the `binary' option built in, but this is a transfer
option, not a tagging option.
.HP
.B password-hash <hash>
This option sets the hash to be used in generation of user
passwords, stored in userPassword, during processing of
-LDAP Password Modify Extended Operations (RFC 3052).
+LDAP Password Modify Extended Operations (RFC 3062).
The <hash> must be one of
.BR {SSHA} ,
.BR {SHA} ,
parameter specifies the DN in the consumer site
which is allowed to make changes to the replica.
The DN should have read/write access to the replica database.
+Generally, this DN
+.I should not
+be the same as the
+.BR rootdn .
A
.B bindmethod
of
It specifies the DN permitted to update (subject to access controls)
the replica (typically, this is the DN
.BR slurpd (8)
-binds to update the replica).
+binds to update the replica). Generally, this DN
+.I should not
+be the same as the
+.BR rootdn .
.TP
.B updateref <url>
Specify the referral to pass back when
struct berval *src ));
LBER_F( struct berval * )
-ber_str2bv LDAP_P((
+ber_mem2bv LDAP_P((
LDAP_CONST char *, ber_len_t len, int dup, struct berval *bv));
LBER_F( struct berval * )
-ber_mem2bv LDAP_P((
+ber_str2bv LDAP_P((
LDAP_CONST char *, ber_len_t len, int dup, struct berval *bv));
-#define ber_bvstr(a) ber_str2bv(a, 0, 0, NULL)
-#define ber_bvstrdup(a) ber_str2bv(a, 0, 1, NULL)
+#define ber_bvstr(a) ((ber_str2bv)((a), 0, 0, NULL))
+#define ber_bvstrdup(a) ((ber_str2bv)((a), 0, 1, NULL))
LBER_F( char * )
ber_strdup LDAP_P((
/* #define LDAP_API_OPERATION_SESSION_SAFE 1 */
#endif
+
#define LDAP_PORT 389 /* ldap:/// default LDAP port */
#define LDAPS_PORT 636 /* ldaps:/// default LDAP over TLS port */
#define LDAP_CONTROL_SYNC_DONE "1.3.6.1.4.1.4203.666.5.8"
#define LDAP_SYNC_INFO "1.3.6.1.4.1.4203.666.10.2"
-#define LDAP_SYNC_REFRESH_PRESENTS 0
-#define LDAP_SYNC_REFRESH_DELETES 1
+#define LDAP_SYNC_NONE 0x00
+#define LDAP_SYNC_REFRESH_ONLY 0x01
+#define LDAP_SYNC_RESERVED 0x02
+#define LDAP_SYNC_REFRESH_AND_PERSIST 0x03
+
+#define LDAP_SYNC_REFRESH_PRESENTS 0
+#define LDAP_SYNC_REFRESH_DELETES 1
#define LDAP_TAG_SYNC_NEW_COOKIE ((ber_tag_t) 0x80U)
#define LDAP_TAG_SYNC_REFRESH_DELETE ((ber_tag_t) 0xa1U)
#define LDAP_TAG_SYNC_REFRESH_PRESENT ((ber_tag_t) 0xa2U)
#define LDAP_TAG_SYNC_ID_SET ((ber_tag_t) 0xa3U)
-#define LDAP_TAG_SYNC_COOKIE ((ber_tag_t) 0x04U)
-#define LDAP_TAG_REFRESHDELETES ((ber_tag_t) 0x01U)
-#define LDAP_TAG_REFRESHDONE ((ber_tag_t) 0x01U)
-#define LDAP_TAG_RELOAD_HINT ((ber_tag_t) 0x01U)
+#define LDAP_TAG_SYNC_COOKIE ((ber_tag_t) 0x04U)
+#define LDAP_TAG_REFRESHDELETES ((ber_tag_t) 0x01U)
+#define LDAP_TAG_REFRESHDONE ((ber_tag_t) 0x01U)
+#define LDAP_TAG_RELOAD_HINT ((ber_tag_t) 0x01U)
-#define LDAP_SYNC_PRESENT 0
-#define LDAP_SYNC_ADD 1
-#define LDAP_SYNC_MODIFY 2
-#define LDAP_SYNC_DELETE 3
+#define LDAP_SYNC_PRESENT 0
+#define LDAP_SYNC_ADD 1
+#define LDAP_SYNC_MODIFY 2
+#define LDAP_SYNC_DELETE 3
#define LDAP_CONTROL_SORTREQUEST "1.2.840.113556.1.4.473"
#define LDAP_CONTROL_SORTRESPONSE "1.2.840.113556.1.4.474"
#define LDAP_OTHER 0x50
-#define LDAP_API_ERROR(n) LDAP_RANGE((n),0x51,0x61) /* 81-97 */
-#define LDAP_API_RESULT(n) (((n) == LDAP_SUCCESS) || \
- LDAP_RANGE((n),0x51,0x61)) /* 0,81-97 */
-
-/* reserved for APIs */
-#define LDAP_SERVER_DOWN 0x51
-#define LDAP_LOCAL_ERROR 0x52
-#define LDAP_ENCODING_ERROR 0x53
-#define LDAP_DECODING_ERROR 0x54
-#define LDAP_TIMEOUT 0x55
-#define LDAP_AUTH_UNKNOWN 0x56
-#define LDAP_FILTER_ERROR 0x57
-#define LDAP_USER_CANCELLED 0x58
-#define LDAP_PARAM_ERROR 0x59
-#define LDAP_NO_MEMORY 0x5a
-
-/* used but not reserved for APIs */
-#define LDAP_CONNECT_ERROR 0x5b /* draft-ietf-ldap-c-api-xx */
-#define LDAP_NOT_SUPPORTED 0x5c /* draft-ietf-ldap-c-api-xx */
-#define LDAP_CONTROL_NOT_FOUND 0x5d /* draft-ietf-ldap-c-api-xx */
-#define LDAP_NO_RESULTS_RETURNED 0x5e /* draft-ietf-ldap-c-api-xx */
-#define LDAP_MORE_RESULTS_TO_RETURN 0x5f /* draft-ietf-ldap-c-api-xx */
-#define LDAP_CLIENT_LOOP 0x60 /* draft-ietf-ldap-c-api-xx */
-#define LDAP_REFERRAL_LIMIT_EXCEEDED 0x61 /* draft-ietf-ldap-c-api-xx */
-
-#define LDAP_SYNC_RESOURCES_EXHAUSTED 0x100
-#define LDAP_SYNC_SECURITY_VIOLATION 0x101
-#define LDAP_SYNC_INVALID_COOKIE 0x102
-#define LDAP_SYNC_UNSUPPORTED_SCHEME 0x103
-#define LDAP_SYNC_CLIENT_DISCONNECT 0x104
-#define LDAP_SYNC_RELOAD_REQUIRED 0x105
-
-#define LDAP_ASSERTION_FAILED 0x10f
-
-#ifdef LDAP_EXOP_X_CANCEL
+/* Expermental result codes */
+#define LDAP_X_ERROR(n) LDAP_RANGE((n),0x1000,0x3FFF) /* experimental */
+#define LDAP_PVT_ERROR(n) LDAP_RANGE((n),0x4000,0xFFFF) /* private use */
+
+#define LDAP_SYNC_RESOURCES_EXHAUSTED 0x4100
+#define LDAP_SYNC_SECURITY_VIOLATION 0x4101
+#define LDAP_SYNC_INVALID_COOKIE 0x4102
+#define LDAP_SYNC_UNSUPPORTED_SCHEME 0x4103
+#define LDAP_SYNC_CLIENT_DISCONNECT 0x4104
+#define LDAP_SYNC_RELOAD_REQUIRED 0x4105
+
+#define LDAP_ASSERTION_FAILED 0x410f
+
/* resultCode for Cancel Response */
-#define LDAP_CANCELLED 0x110
-#define LDAP_NO_SUCH_OPERATION 0x111
-#define LDAP_TOO_LATE 0x112
-#define LDAP_CANNOT_CANCEL 0x113
-#endif
+#define LDAP_CANCELLED 0x4110
+#define LDAP_NO_SUCH_OPERATION 0x4111
+#define LDAP_TOO_LATE 0x4112
+#define LDAP_CANNOT_CANCEL 0x4113
+
+/* API Error Codes
+ *
+ * Based on draft-ietf-ldap-c-api-xx
+ * but with new (negative) codes
+ */
+#define LDAP_API_ERROR(n) ((n)<0)
+#define LDAP_API_RESULT(n) ((n)<=0)
+
+#define LDAP_SERVER_DOWN (-1)
+#define LDAP_LOCAL_ERROR (-2)
+#define LDAP_ENCODING_ERROR (-3)
+#define LDAP_DECODING_ERROR (-4)
+#define LDAP_TIMEOUT (-5)
+#define LDAP_AUTH_UNKNOWN (-6)
+#define LDAP_FILTER_ERROR (-7)
+#define LDAP_USER_CANCELLED (-8)
+#define LDAP_PARAM_ERROR (-9)
+#define LDAP_NO_MEMORY (-10)
+#define LDAP_CONNECT_ERROR (-11)
+#define LDAP_NOT_SUPPORTED (-12)
+#define LDAP_CONTROL_NOT_FOUND (-13)
+#define LDAP_NO_RESULTS_RETURNED (-14)
+#define LDAP_MORE_RESULTS_TO_RETURN (-15)
+#define LDAP_CLIENT_LOOP (-16)
+#define LDAP_REFERRAL_LIMIT_EXCEEDED (-17)
-/* LDAP SYNC request type */
-#define LDAP_SYNC_NONE 0x00
-#define LDAP_SYNC_REFRESH_ONLY 0x01
-#define LDAP_SYNC_REFRESH_AND_PERSIST 0x03
/*
* This structure represents both ldap messages and ldap responses.
LDAPControl **serverctrls,
LDAPControl **clientctrls ));
+#ifdef LDAP_DEPRECATED
LDAP_F( int )
ldap_abandon LDAP_P(( /* deprecated */
LDAP *ld,
int msgid ));
+#endif
/*
LDAPControl **serverctrls,
LDAPControl **clientctrls ));
+#ifdef LDAP_DEPRECATED
LDAP_F( int )
ldap_add LDAP_P(( /* deprecated */
LDAP *ld,
LDAP *ld,
LDAP_CONST char *dn,
LDAPMod **attrs ));
+#endif
/*
struct berval **servercredp,
int freeit ));
+#ifdef LDAP_DEPRECATED
/*
* in bind.c:
* (deprecated)
* in sbind.c:
*/
LDAP_F( int )
-ldap_simple_bind LDAP_P((
+ldap_simple_bind LDAP_P(( /* deprecated */
LDAP *ld,
LDAP_CONST char *who,
LDAP_CONST char *passwd ));
LDAP_F( int )
-ldap_simple_bind_s LDAP_P((
+ldap_simple_bind_s LDAP_P(( /* deprecated */
LDAP *ld,
LDAP_CONST char *who,
LDAP_CONST char *passwd ));
ldap_kerberos_bind2_s LDAP_P(( /* deprecated */
LDAP *ld,
LDAP_CONST char *who ));
+#endif
/*
LDAPControl **serverctrls,
LDAPControl **clientctrls ));
+#ifdef LDAP_DEPRECATED
LDAP_F( int )
ldap_compare LDAP_P(( /* deprecated */
LDAP *ld,
LDAP_CONST char *dn,
LDAP_CONST char *attr,
LDAP_CONST char *value ));
+#endif
/*
LDAPControl **serverctrls,
LDAPControl **clientctrls ));
+#ifdef LDAP_DEPRECATED
LDAP_F( int )
ldap_delete LDAP_P(( /* deprecated */
LDAP *ld,
ldap_delete_s LDAP_P(( /* deprecated */
LDAP *ld,
LDAP_CONST char *dn ));
+#endif
/*
ldap_err2string LDAP_P((
int err ));
+#ifdef LDAP_DEPRECATED
LDAP_F( int )
ldap_result2error LDAP_P(( /* deprecated */
LDAP *ld,
ldap_perror LDAP_P(( /* deprecated */
LDAP *ld,
LDAP_CONST char *s ));
+#endif
/*
LDAPControl **serverctrls,
LDAPControl **clientctrls ));
+#ifdef LDAP_DEPRECATED
LDAP_F( int )
ldap_modify LDAP_P(( /* deprecated */
LDAP *ld,
LDAP *ld,
LDAP_CONST char *dn,
LDAPMod **mods ));
+#endif
/*
LDAPControl **sctrls,
LDAPControl **cctrls ));
+#ifdef LDAP_DEPRECATED
LDAP_F( int )
ldap_rename2 LDAP_P(( /* deprecated */
LDAP *ld,
LDAP_CONST char *dn,
LDAP_CONST char *newrdn,
int deleteoldrdn));
+#endif
/*
* in open.c:
*/
+#ifdef LDAP_DEPRECATED
LDAP_F( LDAP * )
-ldap_init LDAP_P((
+ldap_init LDAP_P(( /* deprecated */
LDAP_CONST char *host,
int port ));
ldap_open LDAP_P(( /* deprecated */
LDAP_CONST char *host,
int port ));
+#endif
LDAP_F( int )
ldap_create LDAP_P((
ldap_value_free_len LDAP_P((
struct berval **vals ));
+#ifdef LDAP_DEPRECATED
LDAP_F( char ** )
ldap_get_values LDAP_P(( /* deprecated */
LDAP *ld,
LDAP_F( void )
ldap_value_free LDAP_P(( /* deprecated */
char **vals ));
+#endif
/*
* in result.c:
int sizelimit,
LDAPMessage **res ));
+#ifdef LDAP_DEPRECATED
LDAP_F( int )
ldap_search LDAP_P(( /* deprecated */
LDAP *ld,
int attrsonly,
struct timeval *timeout,
LDAPMessage **res ));
+#endif
/*
* in unbind.c
*/
LDAP_F( int )
-ldap_unbind LDAP_P(( /* deprecated */
- LDAP *ld ));
-
-LDAP_F( int )
-ldap_unbind_s LDAP_P(( /* deprecated */
- LDAP *ld ));
-
-LDAP_F( int )
ldap_unbind_ext LDAP_P((
LDAP *ld,
LDAPControl **serverctrls,
LDAPControl **serverctrls,
LDAPControl **clientctrls));
+#ifdef LDAP_DEPRECATED
+LDAP_F( int )
+ldap_unbind LDAP_P(( /* deprecated */
+ LDAP *ld ));
+
+LDAP_F( int )
+ldap_unbind_s LDAP_P(( /* deprecated */
+ LDAP *ld ));
+#endif
+
/*
* in filter.c
*/
int freemods ));
+#ifdef LDAP_DEPRECATED
/*
- * in sort.c
- * (deprecated)
+ * in sort.c (deprecated)
*/
typedef int (LDAP_SORT_AD_CMP_PROC) LDAP_P(( /* deprecated */
LDAP_CONST char *left,
ldap_sort_strcasecmp LDAP_P((
LDAP_CONST void *a,
LDAP_CONST void *b ));
-
+#endif
/*
* in url.c
ldap_free_urldesc LDAP_P((
LDAPURLDesc *ludp ));
+
/*
- * in sortctrl.c
- */
-/*
- * structure for a sort-key
+ * LDAP Server Side Sort
+ * in sortctrl.c
*/
+#define LDAP_API_FEATURE_SERVER_SIDE_SORT 1000
+
+/* structure for a sort-key */
typedef struct ldapsortkey {
char * attributeType;
char * orderingRule;
/*
- * in vlvctrl.c
+ * LDAP Virtual List View
+ * in vlvctrl.c
*/
+#define LDAP_API_FEATURE_VIRTUAL_LIST_VIEW 1000
-/*
- * structure for virtual list.
- */
+/* structure for virtual list */
typedef struct ldapvlvinfo {
int ldvlv_version;
unsigned long ldvlv_before_count;
unsigned long ldvlv_after_count;
unsigned long ldvlv_offset;
unsigned long ldvlv_count;
- struct berval *ldvlv_attrvalue;
- struct berval *ldvlv_context;
- void *ldvlv_extradata;
+ struct berval * ldvlv_attrvalue;
+ struct berval * ldvlv_context;
+ void * ldvlv_extradata;
} LDAPVLVInfo;
LDAP_F( int )
int *errcodep ));
/*
- * LDAP Who Am I? (whoami.c)
+ * LDAP Who Am I?
+ * in whoami.c
*/
LDAP_F( int )
LDAPControl **cctrls ));
/*
- * in passwd.c
+ * LDAP Password Modify
+ * in passwd.c
*/
LDAP_F( int )
LDAPControl **sctrls,
LDAPControl **cctrls ));
+
LDAP_END_DECL
#endif /* _LDAP_H */
/* LDAP v2 Referrals */
#undef LDAP_API_FEATURE_X_OPENLDAP_V2_REFERRALS
-/* LDAP Server Side Sort. */
-#define LDAP_API_FEATURE_SERVER_SIDE_SORT 1000
-
-/* LDAP Virtual List View. */
-#define LDAP_API_FEATURE_VIRTUAL_LIST_VIEW 1000
-
#endif /* LDAP_FEATURES */
#include <lber.h> /* get ber_slen_t */
+#include <ac/bytes.h>
#include "../libraries/liblunicode/ucdata/ucdata.h"
LDAP_BEGIN_DECL
+++ /dev/null
-/* $OpenLDAP$ */
-/* ldbm.h - ldap dbm compatibility routine header file */
-/* $OpenLDAP$ */
-/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
- *
- * Copyright 1998-2003 The OpenLDAP Foundation.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted only as authorized by the OpenLDAP
- * Public License.
- *
- * A copy of this license is available in file LICENSE in the
- * top-level directory of the distribution or, alternatively, at
- * <http://www.OpenLDAP.org/license.html>.
- */
-
-#ifndef _LDBM_H_
-#define _LDBM_H_
-
-#include <ldap_cdefs.h>
-#include <ac/string.h>
-
-/* dummy DB_ENV for non Berkeley DB */
-#if !defined( LDBM_USE_DBBTREE ) && !defined( LDBM_USE_DBHASH )
-# define DB_ENV void
-#endif
-
-#if defined( LDBM_USE_DBBTREE ) || defined( LDBM_USE_DBHASH )
-
-/*****************************************************************
- * *
- * use berkeley db btree or hash package *
- * *
- *****************************************************************/
-#include <sys/types.h>
-#include <limits.h>
-#include <fcntl.h>
-
-#ifdef HAVE_DB_185_H
-# include <db_185.h>
-#else
-# ifdef HAVE_DB1_DB_H
-# include <db1/db.h>
-# else
-# include <db.h>
-# endif
-#endif
-
-#ifndef DB_VERSION_MAJOR
-# define DB_VERSION_MAJOR 1
-#endif
-#ifndef DB_VERSION_MINOR
-# define DB_VERSION_MINOR 85
-#endif
-
-#if DB_VERSION_MAJOR >= 2
-# define R_NOOVERWRITE DB_NOOVERWRITE
-# ifndef DEFAULT_DB_PAGE_SIZE
-# define DEFAULT_DB_PAGE_SIZE 4096
-# endif
-#else
-# define DB_ENV void
-#endif
-
-
-LDAP_BEGIN_DECL
-
-typedef DBT Datum;
-#define dsize size
-#define dptr data
-
-typedef DB *LDBM;
-
-
-/* for ldbm_open */
-#if DB_VERSION_MAJOR >= 2
-typedef DBC LDBMCursor;
-
-# define LDBM_READER DB_RDONLY
-# define LDBM_WRITER 0x00000 /* hopefully */
-# if defined( HAVE_BERKELEY_DB_THREAD )
-# define LDBM_WRCREAT (DB_NOMMAP|DB_CREATE|DB_THREAD)
-# define LDBM_NEWDB (DB_TRUNCATE|DB_CREATE|DB_THREAD)
-# else
-# define LDBM_WRCREAT (DB_NOMMAP|DB_CREATE)
-# define LDBM_NEWDB (DB_TRUNCATE|DB_CREATE)
-# endif
-
-#else
-typedef void LDBMCursor;
-# define LDBM_READER O_RDONLY
-# define LDBM_WRITER O_RDWR
-# define LDBM_WRCREAT (O_RDWR|O_CREAT)
-# define LDBM_NEWDB (O_RDWR|O_TRUNC|O_CREAT)
-#endif
-
-LDAP_END_DECL
-
-/* for ldbm_open */
-#define LDBM_NOSYNC 0
-#define LDBM_SYNC 0
-#define LDBM_LOCKING 0
-#define LDBM_NOLOCKING 0
-
-/* for ldbm_insert */
-#define LDBM_INSERT R_NOOVERWRITE
-#define LDBM_REPLACE 0
-
-#ifdef LDBM_USE_DBBTREE
-# define LDBM_ORDERED 1
-# define LDBM_SUFFIX ".dbb"
-# define DB_TYPE DB_BTREE
-#else
-# define LDBM_SUFFIX ".dbh"
-# define DB_TYPE DB_HASH
-#endif
-
-#elif defined( HAVE_GDBM )
-
-/*****************************************************************
- * *
- * use gdbm if possible *
- * *
- *****************************************************************/
-
-#include <gdbm.h>
-
-LDAP_BEGIN_DECL
-
-typedef datum Datum;
-typedef Datum LDBMCursor;
-typedef GDBM_FILE LDBM;
-
-LDAP_END_DECL
-
-/* for ldbm_open */
-#define LDBM_READER GDBM_READER
-#define LDBM_WRITER GDBM_WRITER
-#define LDBM_WRCREAT GDBM_WRCREAT
-#define LDBM_NEWDB GDBM_NEWDB
-
-#ifdef GDBM_FAST
-#define LDBM_NOSYNC GDBM_FAST
-#else
-#define LDBM_NOSYNC 0
-#endif
-
-#ifdef GDBM_SYNC
-#define LDBM_SYNC GDBM_SYNC
-#else
-#define LDBM_SYNC 0
-#endif
-
-#define LDBM_LOCKING 0
-#ifdef GDBM_NOLOCK
-#define LDBM_NOLOCKING GDBM_NOLOCK
-#else
-#define LDBM_NOLOCKING 0
-#endif
-
-#define LDBM_SUFFIX ".gdbm"
-
-/* for ldbm_insert */
-#define LDBM_INSERT GDBM_INSERT
-#define LDBM_REPLACE GDBM_REPLACE
-
-#elif defined( HAVE_MDBM )
-
-/*****************************************************************
- * *
- * use mdbm if possible *
- * *
- *****************************************************************/
-
-#include <mdbm.h>
-
-LDAP_BEGIN_DECL
-
-typedef datum Datum;
-typedef int LDBMCursor;
-typedef MDBM *LDBM;
-
-LDAP_END_DECL
-
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <fcntl.h>
-
-/* for ldbm_open */
-#define LDBM_READER O_RDONLY
-#define LDBM_WRITER O_RDWR
-#define LDBM_WRCREAT (O_RDWR|O_CREAT)
-#define LDBM_NEWDB (O_RDWR|O_TRUNC|O_CREAT)
-
-#define LDBM_SYNC 0
-#define LDBM_NOSYNC 0
-#define LDBM_LOCKING 0
-#define LDBM_NOLOCKING 0
-
-#define LDBM_SUFFIX ".mdbm"
-
-/* for ldbm_insert */
-#define LDBM_INSERT MDBM_INSERT
-#define LDBM_REPLACE MDBM_REPLACE
-
-#elif defined( HAVE_NDBM )
-
-/*****************************************************************
- * *
- * if none of the above use ndbm, the standard unix thing *
- * *
- *****************************************************************/
-
-#include <ndbm.h>
-
-#ifdef HAVE_FCNTL_H
-#include <fcntl.h>
-#endif
-
-LDAP_BEGIN_DECL
-
-typedef datum Datum;
-typedef int LDBMCursor;
-typedef DBM *LDBM;
-
-LDAP_END_DECL
-
-/* for ldbm_open */
-#define LDBM_READER O_RDONLY
-#define LDBM_WRITER O_WRONLY
-#define LDBM_WRCREAT (O_RDWR|O_CREAT)
-#define LDBM_NEWDB (O_RDWR|O_TRUNC|O_CREAT)
-
-#define LDBM_NOSYNC 0
-#define LDBM_SYNC 0
-#define LDBM_NOLOCK 0
-#define LDBM_SYNC 0
-
-#define LDBM_SUFFIX ".ndbm"
-
-/* for ldbm_insert */
-#define LDBM_INSERT DBM_INSERT
-#define LDBM_REPLACE DBM_REPLACE
-
-#endif
-
-LDAP_BEGIN_DECL
-
-LDAP_LDBM_F (int) ldbm_initialize( const char * );
-LDAP_LDBM_F (int) ldbm_shutdown( void );
-
-LDAP_LDBM_F (DB_ENV*) ldbm_initialize_env(const char *, int dbcachesize, int *envdirok);
-LDAP_LDBM_F (void) ldbm_shutdown_env(DB_ENV *);
-
-LDAP_LDBM_F (int) ldbm_errno( LDBM ldbm );
-LDAP_LDBM_F (LDBM) ldbm_open( DB_ENV *env, char *name, int rw, int mode, int dbcachesize );
-LDAP_LDBM_F (void) ldbm_close( LDBM ldbm );
-LDAP_LDBM_F (void) ldbm_sync( LDBM ldbm );
-LDAP_LDBM_F (void) ldbm_datum_free( LDBM ldbm, Datum data );
-LDAP_LDBM_F (Datum) ldbm_datum_dup( LDBM ldbm, Datum data );
-LDAP_LDBM_F (Datum) ldbm_fetch( LDBM ldbm, Datum key );
-LDAP_LDBM_F (int) ldbm_store( LDBM ldbm, Datum key, Datum data, int flags );
-LDAP_LDBM_F (int) ldbm_delete( LDBM ldbm, Datum key );
-
-LDAP_LDBM_F (Datum) ldbm_firstkey( LDBM ldbm, LDBMCursor **cursor );
-LDAP_LDBM_F (Datum) ldbm_nextkey( LDBM ldbm, Datum key, LDBMCursor *cursor );
-
-/* initialization of Datum structures */
-#if defined( HAVE_BERKELEY_DB ) && (DB_VERSION_MAJOR >= 2)
- LDAP_LDBM_F (void *) ldbm_malloc( size_t size );
-# define ldbm_datum_init(d) ((void)memset(&(d), '\0', sizeof(Datum)))
-#else
-# define ldbm_datum_init(d) ((void)0)
-#endif /* HAVE_BERKELEY_DB */
-
-LDAP_END_DECL
-
-#endif /* _ldbm_h_ */
/* Avoid floating point math through extra padding */
#define LUTIL_BASE64_ENCODE_LEN(n) (((n)+2)/3 * 4)
-#define LUTIL_BASE64_DECODE_LEN(n) (((n)+3)/4 * 3)
+#define LUTIL_BASE64_DECODE_LEN(n) ((n)/4*3)
/* ISC Base64 Routines */
/* base64.c */
/* Define if you have the <assert.h> header file. */
#undef HAVE_ASSERT_H
+/* Define if you have the <bits/types.h> header file. */
+#undef HAVE_BITS_TYPES_H
+
/* Define if you have the <conio.h> header file. */
#undef HAVE_CONIO_H
/* Define if you have the <memory.h> header file. */
#undef HAVE_MEMORY_H
-/* Define if you have the <ncurses.h> header file. */
-#undef HAVE_NCURSES_H
-
/* Define if you have the <ndbm.h> header file. */
#undef HAVE_NDBM_H
/* Define if you have the <tcpd.h> header file. */
#undef HAVE_TCPD_H
-/* Define if you have the <termcap.h> header file. */
-#undef HAVE_TERMCAP_H
-
/* Define if you have the <termios.h> header file. */
#undef HAVE_TERMIOS_H
/* define if you have -lwrap */
#undef HAVE_TCPD
-/* define if you have -ltermcap */
-#undef HAVE_TERMCAP
-
-/* define if you have -lncurses */
-#undef HAVE_NCURSES
-
-/* define if you have no termcap support */
-#undef NO_TERMCAP
-
/* define if you have Cyrus SASL */
#undef HAVE_CYRUS_SASL
/* define to support modules */
#undef SLAPD_MODULES
+/* statically linked module */
+#undef SLAPD_MOD_STATIC
+
+/* dynamically linked module */
+#undef SLAPD_MOD_DYNAMIC
+
/* define to support BDB backend */
#undef SLAPD_BDB
/* define to support dynamic SQL backend */
#undef SLAPD_SQL_DYNAMIC
+/* define for Dynamic Group overlay */
+#undef SLAPD_OVER_DYNGROUP
+
+/* define for Proxy Cache overlay */
+#undef SLAPD_OVER_PROXYCACHE
+
/* define to enable rewriting in back-ldap and back-meta */
#undef ENABLE_REWRITE
#define vsprintf ber_pvt_vsprintf
#endif
+#ifdef OPENLDAP_FD_SETSIZE
+ /* assume installer desires to enlarge fd_set */
+#ifdef HAVE_BITS_TYPES_H
+#include <bits/types.h>
+#endif
+#ifdef __FD_SETSIZE
+#undef __FD_SETSIZE
+#define __FD_SETSIZE OPENLDAP_FD_SETSIZE
+#else
+#define FD_SETSIZE OPENLDAP_FD_SETSIZE
+#endif
+#endif
+
#include "ldap_cdefs.h"
#include "ldap_features.h"
liblber \
liblunicode \
libldap libldap_r \
- libldbm \
librewrite
#include "lber.h"
#include "ldap_pvt.h"
-struct DEBUGLEVEL
-{
- char *subsystem;
- int level;
-};
-
int ldap_loglevels[LDAP_SUBSYS_NUM];
static FILE *log_file = NULL;
}
#endif
-static char *lutil_levels[] = {
+static char *debug_levels[] = {
"emergency", "alert", "critical",
"error", "warning", "notice",
"information", "entry", "args",
"results", "detail1", "detail2",
NULL };
-static char *lutil_subsys[LDAP_SUBSYS_NUM] = {
- "global","operation", "transport",
- "connection", "filter", "ber",
- "config", "acl", "cache", "index",
- "ldif", "tools", "slapd", "slurpd",
- "backend", "back_bdb", "back_ldbm",
- "back_ldap", "back_meta", "back_mon" };
+static char *debug_subsys[LDAP_SUBSYS_NUM] = {
+ "GLOBAL", "OPERATION", "TRANSPORT",
+ "CONNECTION", "FILTER", "BER",
+ "CONFIG", "ACL", "CACHE", "INDEX",
+ "LDIF", "TOOLS", "SLAPD", "SLURPD",
+ "BACKEND", "BACK_BDB", "BACK_LDBM",
+ "BACK_LDAP", "BACK_META", "BACK_MON" };
int lutil_mnem2subsys( const char *subsys )
{
int i;
for( i = 0; i < LDAP_SUBSYS_NUM; i++ ) {
- if ( !strcasecmp( subsys, lutil_subsys[i] ) ) {
+ if ( !strcasecmp( subsys, debug_subsys[i] ) ) {
return i;
}
}
void lutil_set_all_backends( int level )
{
int i;
-
for( i = 0; i < LDAP_SUBSYS_NUM; i++ ) {
- if ( !strncasecmp( "back_", lutil_subsys[i], strlen("back_") ) ) {
+ if ( !strncasecmp( "BACK_", debug_subsys[i], sizeof("BACK_")-1 ) ) {
ldap_loglevels[i] = level;
}
}
int lutil_mnem2level( const char *level )
{
int i;
- for( i = 0; lutil_levels[i] != NULL; i++ ) {
- if ( !strcasecmp( level, lutil_levels[i] ) ) {
+ for( i = 0; debug_levels[i] != NULL; i++ ) {
+ if ( !strcasecmp( level, debug_levels[i] ) ) {
return i;
}
}
{
int subsys_num;
- if ( !strcasecmp( subsys, "backend" ) ) {
+ if ( !strcasecmp( subsys, "BACKEND" ) ) {
lutil_set_all_backends( level );
return level;
struct tm *today;
#endif
size_t i;
- char * t_subsys;
char * tmp;
- t_subsys = strdup(subsys);
-
- for(tmp = t_subsys, i = 0; i < strlen(t_subsys); i++, tmp++) {
- *tmp = TOUPPER( (unsigned char) *tmp );
- }
-
#ifdef LDAP_SYSLOG
/* we're configured to use syslog */
if( use_syslog ) {
* format the output data.
*/
- fprintf(file, "\n%s:: ", t_subsys );
+ fprintf(file, "\n%s:: ", subsys );
vfprintf( file, fmt, vl );
fflush( file );
}
va_list vl;
va_start( vl, fmt );
ber_get_option( NULL, LBER_OPT_LOG_PRINT_FILE, &outfile );
- lutil_log_int( outfile, lutil_subsys[subsys], level, fmt, vl );
+ lutil_log_int( outfile, debug_subsys[subsys], level, fmt, vl );
va_end( vl );
}
global_level = atoi( optarg );
ldap_loglevels[0] = global_level;
/*
- * if a negative number was used, make the global level the
- * maximum sane level.
- */
+ * if a negative number was used, make the global level the
+ * maximum sane level.
+ */
if ( global_level < 0 ) {
global_level = 65535;
ldap_loglevels[0] = 65535;
ber_set_option( NULL, LBER_OPT_LOG_PRINT_FILE, log_file );
}
#endif
- va_start( vl, fmt );
+ va_start( vl, fmt );
vsnprintf( buffer, sizeof(buffer), fmt, vl );
buffer[sizeof(buffer)-1] = '\0';
-
if( log_file != NULL ) {
fputs( buffer, log_file );
fflush( log_file );
}
-
fputs( buffer, stderr );
va_end( vl );
}
return ld->ld_errno;
}
+ if ( ldap_int_sasl_init() ) {
+ ld->ld_errno = LDAP_LOCAL_ERROR;
+ return ld->ld_errno;
+ }
+
#if SASL_VERSION_MAJOR >= 2
rc = sasl_client_new( "ldap", host, NULL, NULL,
NULL, 0, &ctx );
{LDAP_CANNOT_CANCEL, N_("Cannot Cancel")},
#endif
- {-1, NULL}
+ {0, NULL}
};
static struct ldaperror *ldap_errlist = ldap_builtin_errlist;
}
openldap_ldap_init_w_env(gopts, NULL);
-
- ldap_int_sasl_init();
}
* Note: Deallocate structure when the process exits
*/
# define LDAP_INT_GLOBAL_OPT() ldap_int_global_opt()
- struct ldapoptions *ldap_int_global_opt(void);
+ struct ldapoptions *ldap_int_global_opt(void);
#else
# define LDAP_INT_GLOBAL_OPT() (&ldap_int_global_options)
#endif
#endif /* LDAP_DEBUG */
+#define LDAP_DEPRECATED 1
#include "ldap.h"
#include "ldap_pvt.h"
int (*cmp) (LDAP_CONST char *, LDAP_CONST char *)
)
{
- int i, count;
+ int i, count = 0;
struct entrything *et;
- LDAPMessage *e, *last;
+ LDAPMessage *e, *ehead = NULL, *etail = NULL;
+ LDAPMessage *ohead = NULL, *otail = NULL;
LDAPMessage **ep;
assert( ld != NULL );
- count = ldap_count_entries( ld, *chain );
-
- if ( count < 0 ) {
- return -1;
+ /* Separate entries from non-entries */
+ for ( e = *chain; e; e=e->lm_chain ) {
+ if ( e->lm_msgtype == LDAP_RES_SEARCH_ENTRY ) {
+ count++;
+ if ( !ehead ) ehead = e;
+ if ( etail ) etail->lm_chain = e;
+ etail = e;
+ } else {
+ if ( !ohead ) ohead = e;
+ if ( otail ) otail->lm_chain = e;
+ otail = e;
+ }
+ }
- } else if ( count < 2 ) {
+ if ( count < 2 ) {
/* zero or one entries -- already sorted! */
+ if ( ehead ) {
+ etail->lm_chain = ohead;
+ *chain = ehead;
+ } else {
+ *chain = ohead;
+ }
return 0;
}
return( -1 );
}
- e = *chain;
+ e = ehead;
for ( i = 0; i < count; i++ ) {
et[i].et_cmp_fn = cmp;
et[i].et_msg = e;
e = e->lm_chain;
}
- last = e;
qsort( et, count, sizeof(struct entrything), et_cmp );
LDAP_VFREE( et[i].et_vals );
}
- *ep = last;
+ *ep = ohead;
+
LDAP_FREE( (char *) et );
return( 0 );
+++ /dev/null
-# Makefile for -lldbm
-# $OpenLDAP$
-## This work is part of OpenLDAP Software <http://www.openldap.org/>.
-##
-## Copyright 1998-2003 The OpenLDAP Foundation.
-## All rights reserved.
-##
-## Redistribution and use in source and binary forms, with or without
-## modification, are permitted only as authorized by the OpenLDAP
-## Public License.
-##
-## A copy of this license is available in the file LICENSE in the
-## top-level directory of the distribution or, alternatively, at
-## <http://www.OpenLDAP.org/license.html>.
-
-LIBRARY = libldbm.a
-SRCS = ldbm.c
-OBJS = ldbm.o
-
-LDAP_INCDIR= ../../include
-LDAP_LIBDIR= ../../libraries
-
-XLIBS = $(LIBRARY)
-XXLIBS = $(LDBM_LIBS)
-
+++ /dev/null
-/* ldbm.c - ldap dbm compatibility routines */
-/* $OpenLDAP$ */
-/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
- *
- * Copyright 1998-2003 The OpenLDAP Foundation.
- * Portions Copyright 1998-2003 Kurt D. Zeilenga.
- * Portions Copyright 1998-2001 Net Boolean Incorporated.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted only as authorized by the OpenLDAP
- * Public License.
- *
- * A copy of this license is available in the file LICENSE in the
- * top-level directory of the distribution or, alternatively, at
- * <http://www.OpenLDAP.org/license.html>.
- */
-/* ACKNOWLEDGEMENTS:
- * This work was originally developed by the University of Michigan
- * (as part of U-MICH LDAP). Additional significant contributors
- * include:
- * Gary Williams
- * Howard Chu
- * Juan Gomez
- * Kurt D. Zeilenga
- * Kurt Spanier
- * Mark Whitehouse
- * Randy Kundee
- */
-
-#include "portable.h"
-
-#ifdef SLAPD_LDBM
-
-#include <stdio.h>
-
-#include <ac/stdlib.h>
-#include <ac/string.h>
-#include <ac/errno.h>
-
-#include "ldbm.h"
-#include "ldap_pvt_thread.h"
-
-void
-ldbm_datum_free( LDBM ldbm, Datum data )
-{
- if ( data.dptr ) {
- free( data.dptr );
- memset( &data, '\0', sizeof( Datum ));
- data.dptr = NULL;
- }
-}
-
-Datum
-ldbm_datum_dup( LDBM ldbm, Datum data )
-{
- Datum dup;
-
- ldbm_datum_init( dup );
-
- if ( data.dsize == 0 ) {
- dup.dsize = 0;
- dup.dptr = NULL;
-
- return( dup );
- }
- dup.dsize = data.dsize;
-
- if ( (dup.dptr = (char *) malloc( data.dsize )) != NULL ) {
- AC_MEMCPY( dup.dptr, data.dptr, data.dsize );
- }
-
- return( dup );
-}
-
-static int ldbm_initialized = 0;
-
-#if defined( USE_BERKELEY_CDB )
- /* not currently supported */
-#define LDBM_RWLOCK_INIT ((void) 0)
-#define LDBM_RWLOCK_DESTROY ((void) 0)
-#define LDBM_WLOCK ((void) 0)
-#define LDBM_WUNLOCK ((void) 0)
-#define LDBM_RLOCK ((void) 0)
-#define LDBM_RUNLOCK ((void) 0)
-
-#elif defined( HAVE_BERKELEY_DB_THREAD )
-static ldap_pvt_thread_rdwr_t ldbm_big_rdwr;
-#define LDBM_RWLOCK_INIT (ldap_pvt_thread_rdwr_init( &ldbm_big_rdwr ))
-#define LDBM_RWLOCK_DESTROY (ldap_pvt_thread_rdwr_destroy( &ldbm_big_rdwr ))
-#define LDBM_WLOCK (ldap_pvt_thread_rdwr_wlock(&ldbm_big_rdwr))
-#define LDBM_WUNLOCK (ldap_pvt_thread_rdwr_wunlock(&ldbm_big_rdwr))
-#define LDBM_RLOCK (ldap_pvt_thread_rdwr_rlock(&ldbm_big_rdwr))
-#define LDBM_RUNLOCK (ldap_pvt_thread_rdwr_runlock(&ldbm_big_rdwr))
-
-#else
-static ldap_pvt_thread_mutex_t ldbm_big_mutex;
-#define LDBM_RWLOCK_INIT (ldap_pvt_thread_mutex_init( &ldbm_big_mutex ))
-#define LDBM_RWLOCK_DESTROY (ldap_pvt_thread_mutex_destroy( &ldbm_big_mutex ))
-#define LDBM_WLOCK (ldap_pvt_thread_mutex_lock(&ldbm_big_mutex))
-#define LDBM_WUNLOCK (ldap_pvt_thread_mutex_unlock(&ldbm_big_mutex))
-#define LDBM_RLOCK LDBM_WLOCK
-#define LDBM_RUNLOCK LDBM_WUNLOCK
-#endif
-
-#if !defined( HAVE_BERKELEY_DB ) || (DB_VERSION_MAJOR < 3)
- /* a dbEnv for BERKELEYv2 */
-DB_ENV *ldbm_Env = NULL; /* real or fake, depending on db and version */
-#endif
-
-/* Let's make the version comparisons a little easier... */
-#undef DB_VERSION_X
-#ifdef HAVE_BERKELEY_DB
-#define DB_VERSION_X ((DB_VERSION_MAJOR<<16)|(DB_VERSION_MINOR<<8)|DB_VERSION_PATCH)
-#endif
-
-/*******************************************************************
- * *
- * Create some special functions to initialize Berkeley DB for *
- * versions greater than 2. *
- * *
- *******************************************************************/
-#if defined( HAVE_BERKELEY_DB ) && (DB_VERSION_MAJOR >= 2)
-
-void *
-ldbm_malloc( size_t size )
-{
- /* likely should use ber_mem* routines */
- return( calloc( 1, size ) );
-}
-
-#ifdef LDAP_SYSLOG
-#include <ac/syslog.h>
-#endif
-
-static void
-ldbm_db_errcall( const char *prefix, char *message )
-{
-#ifdef LDAP_SYSLOG
- syslog( LOG_INFO, "ldbm: %s %s", prefix, message );
-#endif
-}
-
-int ldbm_initialize( const char* home )
-{
-#if DB_VERSION_MAJOR < 3
- int err;
- u_int32_t envFlags;
-#endif
-
- if(ldbm_initialized++) return 1;
-
- {
- char *version;
- int major, minor, patch;
- version = db_version( &major, &minor, &patch );
-
- if( major != DB_VERSION_MAJOR ||
- minor < DB_VERSION_MINOR )
- {
-#ifdef LDAP_SYSLOG
- syslog( LOG_INFO,
- "ldbm_initialize(): version mismatch\nexpected: %s\ngot: %s\n",
- DB_VERSION_STRING, version );
-#endif
- return 1;
- }
- }
-
-#if DB_VERSION_MAJOR < 3
- ldbm_Env = calloc( 1, sizeof( DB_ENV ));
-
- if( ldbm_Env == NULL ) return 1;
-
- ldbm_Env->db_errcall = ldbm_db_errcall;
- ldbm_Env->db_errpfx = "==>";
-
- envFlags = DB_CREATE | DB_USE_ENVIRON;
-
- /* add optional flags */
-#ifdef DB_PRIVATE
- envFlags |= DB_PRIVATE;
-#endif
-#ifdef HAVE_BERKELEY_DB_THREAD
- envFlags |= DB_THREAD;
-#endif
-
- err = db_appinit( home, NULL, ldbm_Env, envFlags );
-
- if ( err ) {
-#ifdef LDAP_SYSLOG
- syslog( LOG_INFO, "ldbm_initialize(): "
- "FATAL error (%d) in db_appinit()\n", err );
-#endif
- return( 1 );
- }
-#endif
-
- LDBM_RWLOCK_INIT;
-
- return 0;
-}
-
-int ldbm_shutdown( void )
-{
- if( !ldbm_initialized ) return 1;
-
-#if DB_VERSION_MAJOR < 3
- db_appexit( ldbm_Env );
-#endif
-
- LDBM_RWLOCK_DESTROY;
- return 0;
-}
-
-#else /* some DB other than Berkeley V2 or greater */
-
-int ldbm_initialize( const char * home )
-{
- if(ldbm_initialized++) return 1;
-
- LDBM_RWLOCK_INIT;
-
- return 0;
-}
-
-int ldbm_shutdown( void )
-{
- if( !ldbm_initialized ) return 1;
-
- LDBM_RWLOCK_DESTROY;
-
- return 0;
-}
-
-#endif /* HAVE_BERKELEY_DB */
-
-#if defined( HAVE_BERKELEY_DB ) && (DB_VERSION_MAJOR >= 3)
-
-DB_ENV *ldbm_initialize_env(const char *home, int dbcachesize, int *envdirok)
-{
- DB_ENV *env = NULL;
- int err;
- u_int32_t envFlags;
-#ifdef HAVE_EBCDIC
- char n2[2048];
-#endif
-
- err = db_env_create( &env, 0 );
-
- if ( err ) {
-#ifdef LDAP_SYSLOG
- syslog( LOG_INFO, "ldbm_initialize_env(): "
- "FATAL error in db_env_create() : %s (%d)\n",
- db_strerror( err ), err );
-#endif
- return NULL;
- }
-
-#if DB_VERSION_X >= 0x030300
- /* This interface appeared in 3.3 */
- env->set_alloc( env, ldbm_malloc, NULL, NULL );
-#endif
-
- env->set_errcall( env, ldbm_db_errcall );
- env->set_errpfx( env, "==>" );
- if (dbcachesize) {
- env->set_cachesize( env, 0, dbcachesize, 0 );
- }
-
- envFlags = DB_CREATE | DB_INIT_MPOOL | DB_USE_ENVIRON;
-#ifdef DB_PRIVATE
- envFlags |= DB_PRIVATE;
-#endif
-#ifdef DB_MPOOL_PRIVATE
- envFlags |= DB_MPOOL_PRIVATE;
-#endif
-#ifdef HAVE_BERKELEY_DB_THREAD
- envFlags |= DB_THREAD;
-#endif
-
-#ifdef HAVE_EBCDIC
- strncpy(n2, home, sizeof(n2)-1);
- n2[sizeof(n2)-1] = '\0';
- __atoe(n2);
- home = n2;
-#endif
-#if DB_VERSION_X >= 0x030100
- err = env->open( env, home, envFlags, 0 );
-#else
- /* 3.0.x requires an extra argument */
- err = env->open( env, home, NULL, envFlags, 0 );
-#endif
-
- if ( err != 0 ) {
-#ifdef LDAP_SYSLOG
- syslog( LOG_INFO, "ldbm_initialize_env(): "
- "FATAL error in dbEnv->open() : %s (%d)\n",
- db_strerror( err ), err );
-#endif
- env->close( env, 0 );
- return NULL;
- }
-
- *envdirok = 1;
- return env;
-}
-
-void ldbm_shutdown_env(DB_ENV *env)
-{
- env->close( env, 0 );
-}
-
-#else
-
-DB_ENV *ldbm_initialize_env(const char *home, int dbcachesize, int *envdirok)
-{
- return ldbm_Env;
-}
-
-void ldbm_shutdown_env(DB_ENV *env)
-{
-}
-
-#endif
-
-#if defined( LDBM_USE_DBHASH ) || defined( LDBM_USE_DBBTREE )
-
-/*****************************************************************
- * *
- * use berkeley db hash or btree package *
- * *
- *****************************************************************/
-
-LDBM
-ldbm_open( DB_ENV *env, char *name, int rw, int mode, int dbcachesize )
-{
- LDBM ret = NULL;
-#ifdef HAVE_EBCDIC
- char n2[2048];
-#endif
-
-#if DB_VERSION_MAJOR >= 3
- int err;
-
- LDBM_WLOCK;
-
- err = db_create( &ret, env, 0 );
- if ( err != 0 ) {
- (void)ret->close(ret, 0);
- LDBM_WUNLOCK;
-
- return NULL;
- }
-
-#if DB_VERSION_X < 0x030300
- ret->set_malloc( ret, ldbm_malloc );
-#endif
-
- ret->set_pagesize( ret, DEFAULT_DB_PAGE_SIZE );
-
- /* likely should use ber_mem* routines */
-
-#ifdef HAVE_EBCDIC
- strncpy(n2, name, sizeof(n2)-1);
- n2[sizeof(n2)-1] = '\0';
- __atoe(n2);
- name = n2;
-#endif
-#if DB_VERSION_X >= 0x040111
- err = ret->open( ret, NULL, name, NULL, DB_TYPE, rw, mode);
-#else
- err = ret->open( ret, name, NULL, DB_TYPE, rw, mode);
-#endif
-
- if ( err != 0 ) {
- int tmp = errno;
- (void)ret->close(ret, 0);
- errno = tmp;
-
- LDBM_WUNLOCK;
- return NULL;
- }
-
- LDBM_WUNLOCK;
-
-#elif DB_VERSION_MAJOR >= 2
- DB_INFO dbinfo;
-
- memset( &dbinfo, '\0', sizeof( dbinfo ));
-
-#if DB_VERSION_MAJOR == 2 && DB_VERSION_MINOR == 4
- /*
- * BerkeleyDB 2.4 do not allow db_cachesize
- * to be specified if an DB_ENV is.
- */
-#else
- /* set db_cachesize of MPOOL is NOT being used. */
- if (( ldbm_Env == NULL ) || ( ldbm_Env->mp_info == NULL )) {
- dbinfo.db_cachesize = dbcachesize;
- }
-#endif
-
- dbinfo.db_pagesize = DEFAULT_DB_PAGE_SIZE;
- dbinfo.db_malloc = ldbm_malloc;
-
- LDBM_WLOCK;
- (void) db_open( name, DB_TYPE, rw, mode, ldbm_Env, &dbinfo, &ret );
- LDBM_WUNLOCK;
-
-#else
- void *info;
- BTREEINFO binfo;
- HASHINFO hinfo;
-
- if ( DB_TYPE == DB_HASH ) {
- memset( (char *) &hinfo, '\0', sizeof(hinfo) );
- hinfo.cachesize = dbcachesize;
- info = &hinfo;
- } else if ( DB_TYPE == DB_BTREE ) {
- memset( (char *) &binfo, '\0', sizeof(binfo) );
- binfo.cachesize = dbcachesize;
- info = &binfo;
- } else {
- info = NULL;
- }
-
- LDBM_WLOCK;
- ret = dbopen( name, rw, mode, DB_TYPE, info );
- LDBM_WUNLOCK;
-#endif
-
- return ret;
-}
-
-void
-ldbm_close( LDBM ldbm )
-{
- LDBM_WLOCK;
-#if DB_VERSION_MAJOR >= 2
- ldbm->close( ldbm, 0 );
-#else
- ldbm->close( ldbm );
-#endif
- LDBM_WUNLOCK;
-}
-
-void
-ldbm_sync( LDBM ldbm )
-{
- LDBM_WLOCK;
- (*ldbm->sync)( ldbm, 0 );
- LDBM_WUNLOCK;
-}
-
-Datum
-ldbm_fetch( LDBM ldbm, Datum key )
-{
- Datum data;
- int rc;
-
- LDBM_RLOCK;
-
-#if DB_VERSION_MAJOR >= 2
- ldbm_datum_init( data );
-
- data.flags = DB_DBT_MALLOC;
-
- if ( (rc = ldbm->get( ldbm, NULL, &key, &data, 0 )) != 0 ) {
- ldbm_datum_free( ldbm, data );
- data.dptr = NULL;
- data.dsize = 0;
- }
-#else
- if ( (rc = ldbm->get( ldbm, &key, &data, 0 )) == 0 ) {
- /* Berkeley DB 1.85 don't malloc the data for us */
- /* duplicate it for to ensure reentrancy */
- data = ldbm_datum_dup( ldbm, data );
- } else {
- data.dptr = NULL;
- data.dsize = 0;
- }
-#endif
-
- LDBM_RUNLOCK;
-
- return( data );
-}
-
-int
-ldbm_store( LDBM ldbm, Datum key, Datum data, int flags )
-{
- int rc;
-
- LDBM_WLOCK;
-
-#if DB_VERSION_MAJOR >= 2
- rc = ldbm->put( ldbm, NULL, &key, &data, flags & ~LDBM_SYNC );
- rc = (-1) * rc;
-#else
- rc = ldbm->put( ldbm, &key, &data, flags & ~LDBM_SYNC );
-#endif
-
- if ( flags & LDBM_SYNC )
- ldbm->sync( ldbm, 0 );
-
- LDBM_WUNLOCK;
-
- return( rc );
-}
-
-int
-ldbm_delete( LDBM ldbm, Datum key )
-{
- int rc;
-
- LDBM_WLOCK;
-
-#if DB_VERSION_MAJOR >= 2
- rc = ldbm->del( ldbm, NULL, &key, 0 );
- rc = (-1) * rc;
-#else
- rc = ldbm->del( ldbm, &key, 0 );
-#endif
- ldbm->sync( ldbm, 0 );
-
- LDBM_WUNLOCK;
-
- return( rc );
-}
-
-Datum
-ldbm_firstkey( LDBM ldbm, LDBMCursor **dbch )
-{
- Datum key, data;
- int rc;
-
-#if DB_VERSION_MAJOR >= 2
- LDBMCursor *dbci;
-
- ldbm_datum_init( key );
- ldbm_datum_init( data );
-
- key.flags = data.flags = DB_DBT_MALLOC;
-
- LDBM_RLOCK;
-
- /* acquire a cursor for the DB */
-# if DB_VERSION_X >= 0x020600
- rc = ldbm->cursor( ldbm, NULL, &dbci, 0 );
-# else
- rc = ldbm->cursor( ldbm, NULL, &dbci );
-# endif
-
- if( rc ) {
- key.dptr = NULL;
- } else {
- *dbch = dbci;
- if ( dbci->c_get( dbci, &key, &data, DB_NEXT ) == 0 ) {
- ldbm_datum_free( ldbm, data );
- } else {
- key.dptr = NULL;
- key.dsize = 0;
- }
- }
-
- LDBM_RUNLOCK;
-
-#else
- LDBM_RLOCK;
-
- rc = ldbm->seq( ldbm, &key, &data, R_FIRST );
-
- if ( rc == 0 ) {
- key = ldbm_datum_dup( ldbm, key );
- } else {
- key.dptr = NULL;
- key.dsize = 0;
- }
-
- LDBM_RUNLOCK;
-#endif
-
- return( key );
-}
-
-Datum
-ldbm_nextkey( LDBM ldbm, Datum key, LDBMCursor *dbcp )
-{
- int rc;
- Datum data;
-
- LDBM_RLOCK;
-
-#if DB_VERSION_MAJOR >= 2
- ldbm_datum_init( data );
-
- ldbm_datum_free( ldbm, key );
- key.flags = data.flags = DB_DBT_MALLOC;
-
- rc = dbcp->c_get( dbcp, &key, &data, DB_NEXT );
- if ( rc == 0 ) {
- ldbm_datum_free( ldbm, data );
- } else
-#else
- rc = ldbm->seq( ldbm, &key, &data, R_NEXT );
-
- if ( rc == 0 ) {
- key = ldbm_datum_dup( ldbm, key );
- } else
-#endif
- {
- key.dptr = NULL;
- key.dsize = 0;
- }
-
- LDBM_RUNLOCK;
- return( key );
-}
-
-int
-ldbm_errno( LDBM ldbm )
-{
- return( errno );
-}
-
-/******************************************************************
- * *
- * END Berkeley section *
- * *
- ******************************************************************/
-
-#elif defined( HAVE_GDBM )
-
-#ifdef HAVE_ST_BLKSIZE
-#include <sys/stat.h>
-#endif
-
-/*****************************************************************
- * *
- * use gdbm *
- * *
- *****************************************************************/
-
-LDBM
-ldbm_open( DB_ENV *env, char *name, int rw, int mode, int dbcachesize )
-{
- LDBM db;
-#ifdef HAVE_ST_BLKSIZE
- struct stat st;
-#endif
-#ifdef HAVE_EBCDIC
- char n2[2048];
-
- strncpy(n2, name, sizeof(n2)-1);
- n2[sizeof(n2)-1] = '\0';
- __atoe(n2);
- name = n2;
-#endif
-
- LDBM_WLOCK;
-
- if ( (db = gdbm_open( name, 0, rw | GDBM_FAST, mode, 0 )) == NULL ) {
- LDBM_WUNLOCK;
- return( NULL );
- }
-
-#ifdef HAVE_ST_BLKSIZE
- if ( dbcachesize > 0 && stat( name, &st ) == 0 ) {
- dbcachesize /= st.st_blksize;
- if( dbcachesize == 0 ) dbcachesize = 1;
- gdbm_setopt( db, GDBM_CACHESIZE, &dbcachesize, sizeof(int) );
- }
-#else
- if ( dbcachesize > 0 ) {
- dbcachesize /= 4096;
- if( dbcachesize == 0 ) dbcachesize = 1;
- gdbm_setopt( db, GDBM_CACHESIZE, &dbcachesize, sizeof(int) );
- }
-#endif
-
- LDBM_WUNLOCK;
-
- return( db );
-}
-
-void
-ldbm_close( LDBM ldbm )
-{
- LDBM_WLOCK;
- gdbm_close( ldbm );
- LDBM_WUNLOCK;
-}
-
-void
-ldbm_sync( LDBM ldbm )
-{
- LDBM_WLOCK;
- gdbm_sync( ldbm );
- LDBM_WUNLOCK;
-}
-
-Datum
-ldbm_fetch( LDBM ldbm, Datum key )
-{
- Datum d;
-
- LDBM_RLOCK;
- d = gdbm_fetch( ldbm, key );
- LDBM_RUNLOCK;
-
- return d;
-}
-
-int
-ldbm_store( LDBM ldbm, Datum key, Datum data, int flags )
-{
- int rc;
-
- LDBM_WLOCK;
- rc = gdbm_store( ldbm, key, data, flags & ~LDBM_SYNC );
- if ( flags & LDBM_SYNC )
- gdbm_sync( ldbm );
- LDBM_WUNLOCK;
-
- return( rc );
-}
-
-int
-ldbm_delete( LDBM ldbm, Datum key )
-{
- int rc;
-
- LDBM_WLOCK;
- rc = gdbm_delete( ldbm, key );
- gdbm_sync( ldbm );
- LDBM_WUNLOCK;
-
- return( rc );
-}
-
-Datum
-ldbm_firstkey( LDBM ldbm, LDBMCursor **dbcp )
-{
- Datum d;
-
- LDBM_RLOCK;
- d = gdbm_firstkey( ldbm );
- LDBM_RUNLOCK;
-
- if ( d.dptr != NULL ) {
- *dbcp = (Datum *) malloc( sizeof( Datum ) );
- **dbcp = ldbm_datum_dup( ldbm, d );
- }
-
- return d;
-}
-
-Datum
-ldbm_nextkey( LDBM ldbm, Datum key, LDBMCursor *dbcp )
-{
- Datum d;
-
- LDBM_RLOCK;
- d = gdbm_nextkey( ldbm, *dbcp );
- LDBM_RUNLOCK;
-
- ldbm_datum_free( ldbm, *dbcp );
-
- if ( d.dptr != NULL ) {
- *dbcp = ldbm_datum_dup( ldbm, d );
- } else {
- free( dbcp );
- }
-
- return d;
-}
-
-int
-ldbm_errno( LDBM ldbm )
-{
- int err;
-
- LDBM_WLOCK;
- err = gdbm_errno;
- LDBM_WUNLOCK;
-
- return( err );
-}
-
-#elif HAVE_MDBM
-
-/* MMAPED DBM HASHING DATABASE */
-
-#include <ac/string.h>
-
-/* #define MDBM_DEBUG */
-
-#ifdef MDBM_DEBUG
-#include <stdio.h>
-#endif
-
-#define NO_NULL_KEY
-/* #define MDBM_CHAIN */
-
-#ifdef MDBM_CHAIN
-
-/* Use chaining */
-
-#define mdbm_store mdbm_chain_store
-#define mdbm_fetch mdbm_chain_fetch
-#define mdbm_delete mdbm_chain_delete
-#define mdbm_first mdbm_chain_first
-#define mdbm_next mdbm_chain_next
-
-#endif
-
-#define MDBM_PG_SZ (4*1024)
-
-/*****************************************************************
- * *
- * use mdbm *
- * *
- *****************************************************************/
-
-LDBM
-ldbm_open( DB_ENV *env, char *name, int rw, int mode, int dbcachesize )
-{
- LDBM db;
-
-#ifdef MDBM_DEBUG
- fprintf( stdout,
- "==>(mdbm)ldbm_open(name=%s,rw=%x,mode=%x,cachesize=%d)\n",
- name ? name : "NULL", rw, mode, dbcachesize );
- fflush( stdout );
-#endif
-
- LDBM_WLOCK; /* We need locking here, this is the only non-thread
- * safe function we have. */
-
- if ( (db = mdbm_open( name, rw, mode, MDBM_PG_SZ )) == NULL ) {
- LDBM_WUNLOCK;
-#ifdef MDBM_DEBUG
- fprintf( stdout, "<==(mdbm)ldbm_open(db=NULL)\n" );
- fflush( stdout );
-#endif
- return( NULL );
- }
-
-#ifdef MDBM_CHAIN
- (void)mdbm_set_chain(db);
-#endif
-
- LDBM_WUNLOCK;
-
-#ifdef MDBM_DEBUG
- fprintf( stdout, "<==(mdbm)ldbm_open(db=%p)\n", db );
- fflush( stdout );
-#endif
-
- return( db );
-}
-
-void
-ldbm_close( LDBM ldbm )
-{
- /* Open and close are not reentrant so we need to use locks here */
-
-#ifdef MDBM_DEBUG
- fprintf( stdout,
- "==>(mdbm)ldbm_close(db=%p)\n", ldbm );
- fflush( stdout );
-#endif
-
- LDBM_WLOCK;
- mdbm_close( ldbm );
- LDBM_WUNLOCK;
-
-#ifdef MDBM_DEBUG
- fprintf( stdout, "<==(mdbm)ldbm_close()\n" );
- fflush( stdout );
-#endif
-}
-
-void
-ldbm_sync( LDBM ldbm )
-{
- /* XXX: Not sure if this is re-entrant need to check code, if so
- * you can leave LOCKS out.
- */
-
- LDBM_WLOCK;
- mdbm_sync( ldbm );
- LDBM_WUNLOCK;
-}
-
-#define MAX_MDBM_RETRY 5
-
-Datum
-ldbm_fetch( LDBM ldbm, Datum key )
-{
- Datum d;
- kvpair k;
- int retry = 0;
-
- /* This hack is needed because MDBM does not take keys
- * which begin with NULL when working in the chaining
- * mode.
- */
-
-#ifdef NO_NULL_KEY
- k.key.dsize = key.dsize + 1;
- k.key.dptr = malloc(k.key.dsize);
- *(k.key.dptr) = 'l';
- AC_MEMCPY( (void *)(k.key.dptr + 1), key.dptr, key.dsize );
-#else
- k.key = key;
-#endif
-
- k.val.dptr = NULL;
- k.val.dsize = 0;
-
- /* LDBM_RLOCK; */
- do {
- d = mdbm_fetch( ldbm, k );
-
- if ( d.dsize > 0 ) {
- if ( k.val.dptr != NULL ) {
- free( k.val.dptr );
- }
-
- if ( (k.val.dptr = malloc( d.dsize )) != NULL ) {
- k.val.dsize = d.dsize;
- d = mdbm_fetch( ldbm, k );
-
- } else {
- d.dsize = 0;
- break;
- }
- }/* if ( d.dsize > 0 ) */
- } while ((d.dsize > k.val.dsize) && (++retry < MAX_MDBM_RETRY));
- /* LDBM_RUNLOCK; */
-
-#ifdef NO_NULL_KEY
- free(k.key.dptr);
-#endif
-
- return d;
-}
-
-int
-ldbm_store( LDBM ldbm, Datum key, Datum data, int flags )
-{
- int rc;
- Datum int_key; /* Internal key */
-
-#ifdef MDBM_DEBUG
- fprintf( stdout,
- "==>(mdbm)ldbm_store(db=%p, key(dptr=%p,sz=%d), data(dptr=%p,sz=%d), flags=%x)\n",
- ldbm, key.dptr, key.dsize, data.dptr, data.dsize, flags );
- fflush( stdout );
-#endif
-
- /* LDBM_WLOCK; */
-
-#ifdef NO_NULL_KEY
- int_key.dsize = key.dsize + 1;
- int_key.dptr = malloc( int_key.dsize );
- *(int_key.dptr) = 'l'; /* Must not be NULL !*/
- AC_MEMCPY( (void *)(int_key.dptr + 1), key.dptr, key.dsize );
-#else
- int_key = key;
-#endif
-
- rc = mdbm_store( ldbm, int_key, data, flags );
- if ( flags & LDBM_SYNC ) {
- mdbm_sync( ldbm );
- }
-
- /* LDBM_WUNLOCK; */
-
-#ifdef MDBM_DEBUG
- fprintf( stdout, "<==(mdbm)ldbm_store(rc=%d)\n", rc );
- fflush( stdout );
-#endif
-
-#ifdef NO_NULL_KEY
- free(int_key.dptr);
-#endif
-
- return( rc );
-}
-
-int
-ldbm_delete( LDBM ldbm, Datum key )
-{
- int rc;
- Datum int_key;
-
- /* LDBM_WLOCK; */
-
-#ifdef NO_NULL_KEY
- int_key.dsize = key.dsize + 1;
- int_key.dptr = malloc(int_key.dsize);
- *(int_key.dptr) = 'l';
- AC_MEMCPY( (void *)(int_key.dptr + 1), key.dptr, key.dsize );
-#else
- int_key = key;
-#endif
-
- rc = mdbm_delete( ldbm, int_key );
-
- /* LDBM_WUNLOCK; */
-#ifdef NO_NULL_KEY
- free(int_key.dptr);
-#endif
-
- return( rc );
-}
-
-static Datum
-ldbm_get_next( LDBM ldbm, kvpair (*fptr)(MDBM *, kvpair) )
-{
- kvpair out;
- kvpair in;
- Datum ret;
- size_t sz = MDBM_PAGE_SIZE(ldbm);
-#ifdef NO_NULL_KEY
- int delta = 1;
-#else
- int delta = 0;
-#endif
-
- /* LDBM_RLOCK; */
-
- in.key.dsize = sz; /* Assume first key in one pg */
- in.key.dptr = malloc(sz);
-
- in.val.dptr = NULL; /* Don't need data just key */
- in.val.dsize = 0;
-
- ret.dptr = NULL;
- ret.dsize = NULL;
-
- out = fptr( ldbm, in );
-
- if (out.key.dsize > 0) {
- ret.dsize = out.key.dsize - delta;
-
- if ((ret.dptr = (char *)malloc(ret.dsize)) == NULL) {
- ret.dsize = 0;
- ret.dptr = NULL;
-
- } else {
- AC_MEMCPY(ret.dptr, (void *)(out.key.dptr + delta),
- ret.dsize );
- }
- }
-
- /* LDBM_RUNLOCK; */
-
- free(in.key.dptr);
- return ret;
-}
-
-Datum
-ldbm_firstkey( LDBM ldbm, LDBMCursor **dbcp )
-{
- return ldbm_get_next( ldbm, mdbm_first );
-}
-
-Datum
-ldbm_nextkey( LDBM ldbm, Datum key, LDBMCursor *dbcp )
-{
- /* XXX:
- * don't know if this will affect the LDAP server operation
- * but mdbm cannot take and input key.
- */
-
- return ldbm_get_next( ldbm, mdbm_next );
-}
-
-int
-ldbm_errno( LDBM ldbm )
-{
- /* XXX: best we can do with current mdbm interface */
- return( errno );
-}
-
-#elif defined( HAVE_NDBM )
-
-/*****************************************************************
- * *
- * if no gdbm or mdbm, fall back to using ndbm, the standard unix thing *
- * *
- *****************************************************************/
-
-/* ARGSUSED */
-LDBM
-ldbm_open( DB_ENV *env, char *name, int rw, int mode, int dbcachesize )
-{
- LDBM ldbm;
-
- LDBM_WLOCK;
- ldbm = dbm_open( name, rw, mode );
- LDBM_WUNLOCK;
-
- return( ldbm );
-}
-
-void
-ldbm_close( LDBM ldbm )
-{
- LDBM_WLOCK;
- dbm_close( ldbm );
- LDBM_WUNLOCK;
-}
-
-/* ARGSUSED */
-void
-ldbm_sync( LDBM ldbm )
-{
- return;
-}
-
-Datum
-ldbm_fetch( LDBM ldbm, Datum key )
-{
- Datum d;
-
- LDBM_RLOCK;
- d = ldbm_datum_dup( ldbm, dbm_fetch( ldbm, key ) );
- LDBM_RUNLOCK;
-
- return d;
-}
-
-int
-ldbm_store( LDBM ldbm, Datum key, Datum data, int flags )
-{
- int rc;
-
- LDBM_WLOCK;
- rc = dbm_store( ldbm, key, data, flags );
- LDBM_WUNLOCK;
-
- return rc;
-}
-
-int
-ldbm_delete( LDBM ldbm, Datum key )
-{
- int rc;
-
- LDBM_WLOCK;
- rc = dbm_delete( ldbm, key );
- LDBM_WUNLOCK;
-
- return rc;
-}
-
-Datum
-ldbm_firstkey( LDBM ldbm, LDBMCursor **dbcp )
-{
- Datum d;
-
- LDBM_RLOCK;
- d = dbm_firstkey( ldbm );
- LDBM_RUNLOCK;
-
- return d;
-}
-
-Datum
-ldbm_nextkey( LDBM ldbm, Datum key, LDBMCursor *dbcp )
-{
- Datum d;
-
- LDBM_RLOCK;
- d = dbm_nextkey( ldbm );
- LDBM_RUNLOCK;
-
- return d;
-}
-
-int
-ldbm_errno( LDBM ldbm )
-{
- int err;
-
- LDBM_WLOCK;
- err = dbm_error( ldbm );
- LDBM_WUNLOCK;
-
- return err;
-}
-
-#endif /* ndbm */
-#endif /* ldbm */
+++ /dev/null
-# Microsoft Developer Studio Project File - Name="libldbm" - Package Owner=<4>
-# Microsoft Developer Studio Generated Build File, Format Version 5.00
-# ** DO NOT EDIT **
-
-# TARGTYPE "Win32 (x86) Static Library" 0x0104
-
-CFG=libldbm - Win32 Single Debug
-!MESSAGE This is not a valid makefile. To build this project using NMAKE,
-!MESSAGE use the Export Makefile command and run
-!MESSAGE
-!MESSAGE NMAKE /f "libldbm.mak".
-!MESSAGE
-!MESSAGE You can specify a configuration when running NMAKE
-!MESSAGE by defining the macro CFG on the command line. For example:
-!MESSAGE
-!MESSAGE NMAKE /f "libldbm.mak" CFG="libldbm - Win32 Single Debug"
-!MESSAGE
-!MESSAGE Possible choices for configuration are:
-!MESSAGE
-!MESSAGE "libldbm - Win32 Release" (based on "Win32 (x86) Static Library")
-!MESSAGE "libldbm - Win32 Debug" (based on "Win32 (x86) Static Library")
-!MESSAGE "libldbm - Win32 Single Debug" (based on "Win32 (x86) Static Library")
-!MESSAGE "libldbm - Win32 Single Release" (based on\
- "Win32 (x86) Static Library")
-!MESSAGE
-
-# Begin Project
-# PROP Scc_ProjName ""
-# PROP Scc_LocalPath ""
-CPP=cl.exe
-
-!IF "$(CFG)" == "libldbm - Win32 Release"
-
-# PROP BASE Use_MFC 0
-# PROP BASE Use_Debug_Libraries 0
-# PROP BASE Output_Dir "Release"
-# PROP BASE Intermediate_Dir "Release"
-# PROP BASE Target_Dir ""
-# PROP Use_MFC 0
-# PROP Use_Debug_Libraries 0
-# PROP Output_Dir "..\..\Release"
-# PROP Intermediate_Dir "..\..\Release\libldbm"
-# PROP Target_Dir ""
-RSC=rc.exe
-# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /YX /FD /c
-# ADD CPP /nologo /MT /W3 /GX /O2 /I "..\..\include" /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /YX /FD /c
-BSC32=bscmake.exe
-# ADD BASE BSC32 /nologo
-# ADD BSC32 /nologo
-LIB32=link.exe -lib
-# ADD BASE LIB32 /nologo
-# ADD LIB32 /nologo /out:"..\..\Release\oldbm32.lib"
-
-!ELSEIF "$(CFG)" == "libldbm - Win32 Debug"
-
-# PROP BASE Use_MFC 0
-# PROP BASE Use_Debug_Libraries 1
-# PROP BASE Output_Dir "Debug"
-# PROP BASE Intermediate_Dir "Debug"
-# PROP BASE Target_Dir ""
-# PROP Use_MFC 0
-# PROP Use_Debug_Libraries 1
-# PROP Output_Dir "..\..\Debug"
-# PROP Intermediate_Dir "..\..\Debug\libldbm"
-# PROP Target_Dir ""
-RSC=rc.exe
-# ADD BASE CPP /nologo /W3 /GX /Z7 /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /YX /FD /c
-# ADD CPP /nologo /MTd /W3 /GX /Z7 /Od /I "..\..\include" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /FR /YX /FD /c
-BSC32=bscmake.exe
-# ADD BASE BSC32 /nologo
-# ADD BSC32 /nologo
-LIB32=link.exe -lib
-# ADD BASE LIB32 /nologo
-# ADD LIB32 /nologo /out:"..\..\Debug\oldbm32.lib"
-
-!ELSEIF "$(CFG)" == "libldbm - Win32 Single Debug"
-
-# PROP BASE Use_MFC 0
-# PROP BASE Use_Debug_Libraries 1
-# PROP BASE Output_Dir "libldbm_"
-# PROP BASE Intermediate_Dir "libldbm_"
-# PROP BASE Target_Dir ""
-# PROP Use_MFC 0
-# PROP Use_Debug_Libraries 1
-# PROP Output_Dir "..\..\SDebug"
-# PROP Intermediate_Dir "..\..\SDebug\libldbm"
-# PROP Target_Dir ""
-RSC=rc.exe
-# ADD BASE CPP /nologo /MTd /W3 /GX /Z7 /Od /I "..\..\include" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /YX /FD /c
-# ADD CPP /nologo /W3 /GX /Z7 /Od /I "..\..\include" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /FR /YX /FD /c
-BSC32=bscmake.exe
-# ADD BASE BSC32 /nologo
-# ADD BSC32 /nologo
-LIB32=link.exe -lib
-# ADD BASE LIB32 /nologo /out:"..\Debug\oldbm32.lib"
-# ADD LIB32 /nologo /out:"..\..\SDebug\oldbm32.lib"
-
-!ELSEIF "$(CFG)" == "libldbm - Win32 Single Release"
-
-# PROP BASE Use_MFC 0
-# PROP BASE Use_Debug_Libraries 0
-# PROP BASE Output_Dir "libldbm0"
-# PROP BASE Intermediate_Dir "libldbm0"
-# PROP BASE Target_Dir ""
-# PROP Use_MFC 0
-# PROP Use_Debug_Libraries 0
-# PROP Output_Dir "..\..\SRelease"
-# PROP Intermediate_Dir "..\..\SRelease\libldbm"
-# PROP Target_Dir ""
-RSC=rc.exe
-# ADD BASE CPP /nologo /MT /W3 /GX /O2 /I "..\..\include" /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /YX /FD /c
-# ADD CPP /nologo /W3 /GX /O2 /I "..\..\include" /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /YX /FD /c
-BSC32=bscmake.exe
-# ADD BASE BSC32 /nologo
-# ADD BSC32 /nologo
-LIB32=link.exe -lib
-# ADD BASE LIB32 /nologo /out:"..\Release\oldbm32.lib"
-# ADD LIB32 /nologo /out:"..\..\SRelease\oldbm32.lib"
-
-!ENDIF
-
-# Begin Target
-
-# Name "libldbm - Win32 Release"
-# Name "libldbm - Win32 Debug"
-# Name "libldbm - Win32 Single Debug"
-# Name "libldbm - Win32 Single Release"
-# Begin Source File
-
-SOURCE=.\ldbm.c
-# End Source File
-# Begin Source File
-
-SOURCE=..\..\include\ldbm.h
-# End Source File
-# End Target
-# End Project
/*
* A simple array of 32-bit masks for lookup.
*/
-static unsigned long masks32[32] = {
+static ac_uint4 masks32[32] = {
0x00000001UL, 0x00000002UL, 0x00000004UL, 0x00000008UL,
0x00000010UL, 0x00000020UL, 0x00000040UL, 0x00000080UL,
0x00000100UL, 0x00000200UL, 0x00000400UL, 0x00000800UL,
*
**************************************************************************/
-static unsigned long _ucprop_size;
-static unsigned short *_ucprop_offsets;
-static unsigned long *_ucprop_ranges;
+static ac_uint4 _ucprop_size;
+static ac_uint2 *_ucprop_offsets;
+static ac_uint4 *_ucprop_ranges;
/*
* Return -1 on error, 0 if okay
_ucprop_load(char *paths, int reload)
{
FILE *in;
- unsigned long size, i;
+ ac_uint4 size, i;
_ucheader_t hdr;
if (_ucprop_size > 0) {
/*
* Allocate all the storage needed for the lookup table.
*/
- _ucprop_offsets = (unsigned short *) malloc(hdr.size.bytes);
+ _ucprop_offsets = (ac_uint2 *) malloc(hdr.size.bytes);
/*
* Calculate the offset into the storage for the ranges. The offsets
* the header count field. This means the offset to the ranges must be
* calculated after aligning the count to a 4-byte boundary.
*/
- if ((size = ((hdr.cnt + 1) * sizeof(unsigned short))) & 3)
+ if ((size = ((hdr.cnt + 1) * sizeof(ac_uint2))) & 3)
size += 4 - (size & 3);
size >>= 1;
- _ucprop_ranges = (unsigned long *) (_ucprop_offsets + size);
+ _ucprop_ranges = (ac_uint4 *) (_ucprop_offsets + size);
/*
* Load the offset array.
*/
- fread((char *) _ucprop_offsets, sizeof(unsigned short), size, in);
+ fread((char *) _ucprop_offsets, sizeof(ac_uint2), size, in);
/*
* Do an endian swap if necessary. Don't forget there is an extra node on
* Load the ranges. The number of elements is in the last array position
* of the offsets.
*/
- fread((char *) _ucprop_ranges, sizeof(unsigned long),
+ fread((char *) _ucprop_ranges, sizeof(ac_uint4),
_ucprop_offsets[_ucprop_size], in);
fclose(in);
}
static int
-_ucprop_lookup(unsigned long code, unsigned long n)
+_ucprop_lookup(ac_uint4 code, ac_uint4 n)
{
long l, r, m;
}
int
-ucisprop(unsigned long code, unsigned long mask1, unsigned long mask2)
+ucisprop(ac_uint4 code, ac_uint4 mask1, ac_uint4 mask2)
{
- unsigned long i;
+ ac_uint4 i;
if (mask1 == 0 && mask2 == 0)
return 0;
*
**************************************************************************/
-static unsigned long _uccase_size;
-static unsigned short _uccase_len[2];
-static unsigned long *_uccase_map;
+static ac_uint4 _uccase_size;
+static ac_uint2 _uccase_len[2];
+static ac_uint4 *_uccase_map;
/*
* Return -1 on error, 0 if okay
_uccase_load(char *paths, int reload)
{
FILE *in;
- unsigned long i;
+ ac_uint4 i;
_ucheader_t hdr;
if (_uccase_size > 0) {
_uccase_len[0] = hdr.size.len[0] * 3;
_uccase_len[1] = hdr.size.len[1] * 3;
- _uccase_map = (unsigned long *)
- malloc(_uccase_size * sizeof(unsigned long));
+ _uccase_map = (ac_uint4 *)
+ malloc(_uccase_size * sizeof(ac_uint4));
/*
* Load the case mapping table.
*/
- fread((char *) _uccase_map, sizeof(unsigned long), _uccase_size, in);
+ fread((char *) _uccase_map, sizeof(ac_uint4), _uccase_size, in);
/*
* Do an endian swap if necessary.
_uccase_size = 0;
}
-static unsigned long
-_uccase_lookup(unsigned long code, long l, long r, int field)
+static ac_uint4
+_uccase_lookup(ac_uint4 code, long l, long r, int field)
{
long m;
return code;
}
-unsigned long
-uctoupper(unsigned long code)
+ac_uint4
+uctoupper(ac_uint4 code)
{
int field;
long l, r;
return _uccase_lookup(code, l, r, field);
}
-unsigned long
-uctolower(unsigned long code)
+ac_uint4
+uctolower(ac_uint4 code)
{
int field;
long l, r;
return _uccase_lookup(code, l, r, field);
}
-unsigned long
-uctotitle(unsigned long code)
+ac_uint4
+uctotitle(ac_uint4 code)
{
int field;
long l, r;
*
**************************************************************************/
-static unsigned long _uccomp_size;
-static unsigned long *_uccomp_data;
+static ac_uint4 _uccomp_size;
+static ac_uint4 *_uccomp_data;
/*
* Return -1 on error, 0 if okay
_uccomp_load(char *paths, int reload)
{
FILE *in;
- unsigned long size, i;
+ ac_uint4 size, i;
_ucheader_t hdr;
if (_uccomp_size > 0) {
}
_uccomp_size = hdr.cnt;
- _uccomp_data = (unsigned long *) malloc(hdr.size.bytes);
+ _uccomp_data = (ac_uint4 *) malloc(hdr.size.bytes);
/*
* Read the composition data in.
*/
- size = hdr.size.bytes / sizeof(unsigned long);
- fread((char *) _uccomp_data, sizeof(unsigned long), size, in);
+ size = hdr.size.bytes / sizeof(ac_uint4);
+ fread((char *) _uccomp_data, sizeof(ac_uint4), size, in);
/*
* Do an endian swap if necessary.
}
int
-uccomp(unsigned long node1, unsigned long node2, unsigned long *comp)
+uccomp(ac_uint4 node1, ac_uint4 node2, ac_uint4 *comp)
{
int l, r, m;
}
int
-uccomp_hangul(unsigned long *str, int len)
+uccomp_hangul(ac_uint4 *str, int len)
{
const int SBase = 0xAC00, LBase = 0x1100,
VBase = 0x1161, TBase = 0x11A7,
SCount = LCount * NCount; /* 11172 */
int i, rlen;
- unsigned long ch, last, lindex, sindex;
+ ac_uint4 ch, last, lindex, sindex;
last = str[0];
rlen = 1;
/* check if two current characters are L and V */
lindex = last - LBase;
- if (lindex < (unsigned long) LCount) {
- unsigned long vindex = ch - VBase;
- if (vindex < (unsigned long) VCount) {
+ if (lindex < (ac_uint4) LCount) {
+ ac_uint4 vindex = ch - VBase;
+ if (vindex < (ac_uint4) VCount) {
/* make syllable of form LV */
last = SBase + (lindex * VCount + vindex) * TCount;
str[rlen-1] = last; /* reset last */
/* check if two current characters are LV and T */
sindex = last - SBase;
- if (sindex < (unsigned long) SCount
+ if (sindex < (ac_uint4) SCount
&& (sindex % TCount) == 0)
{
- unsigned long tindex = ch - TBase;
- if (tindex <= (unsigned long) TCount) {
+ ac_uint4 tindex = ch - TBase;
+ if (tindex <= (ac_uint4) TCount) {
/* make syllable of form LVT */
last += tindex;
str[rlen-1] = last; /* reset last */
}
int
-uccanoncomp(unsigned long *str, int len)
+uccanoncomp(ac_uint4 *str, int len)
{
int i, stpos, copos;
- unsigned long cl, prevcl, st, ch, co;
+ ac_uint4 cl, prevcl, st, ch, co;
st = str[0];
stpos = 0;
*
**************************************************************************/
-static unsigned long _ucdcmp_size;
-static unsigned long *_ucdcmp_nodes;
-static unsigned long *_ucdcmp_decomp;
+static ac_uint4 _ucdcmp_size;
+static ac_uint4 *_ucdcmp_nodes;
+static ac_uint4 *_ucdcmp_decomp;
-static unsigned long _uckdcmp_size;
-static unsigned long *_uckdcmp_nodes;
-static unsigned long *_uckdcmp_decomp;
+static ac_uint4 _uckdcmp_size;
+static ac_uint4 *_uckdcmp_nodes;
+static ac_uint4 *_uckdcmp_decomp;
/*
* Return -1 on error, 0 if okay
_ucdcmp_load(char *paths, int reload)
{
FILE *in;
- unsigned long size, i;
+ ac_uint4 size, i;
_ucheader_t hdr;
if (_ucdcmp_size > 0) {
}
_ucdcmp_size = hdr.cnt << 1;
- _ucdcmp_nodes = (unsigned long *) malloc(hdr.size.bytes);
+ _ucdcmp_nodes = (ac_uint4 *) malloc(hdr.size.bytes);
_ucdcmp_decomp = _ucdcmp_nodes + (_ucdcmp_size + 1);
/*
* Read the decomposition data in.
*/
- size = hdr.size.bytes / sizeof(unsigned long);
- fread((char *) _ucdcmp_nodes, sizeof(unsigned long), size, in);
+ size = hdr.size.bytes / sizeof(ac_uint4);
+ fread((char *) _ucdcmp_nodes, sizeof(ac_uint4), size, in);
/*
* Do an endian swap if necessary.
_uckdcmp_load(char *paths, int reload)
{
FILE *in;
- unsigned long size, i;
+ ac_uint4 size, i;
_ucheader_t hdr;
if (_uckdcmp_size > 0) {
}
_uckdcmp_size = hdr.cnt << 1;
- _uckdcmp_nodes = (unsigned long *) malloc(hdr.size.bytes);
+ _uckdcmp_nodes = (ac_uint4 *) malloc(hdr.size.bytes);
_uckdcmp_decomp = _uckdcmp_nodes + (_uckdcmp_size + 1);
/*
* Read the decomposition data in.
*/
- size = hdr.size.bytes / sizeof(unsigned long);
- fread((char *) _uckdcmp_nodes, sizeof(unsigned long), size, in);
+ size = hdr.size.bytes / sizeof(ac_uint4);
+ fread((char *) _uckdcmp_nodes, sizeof(ac_uint4), size, in);
/*
* Do an endian swap if necessary.
}
int
-ucdecomp(unsigned long code, unsigned long *num, unsigned long **decomp)
+ucdecomp(ac_uint4 code, ac_uint4 *num, ac_uint4 **decomp)
{
long l, r, m;
}
int
-uckdecomp(unsigned long code, unsigned long *num, unsigned long **decomp)
+uckdecomp(ac_uint4 code, ac_uint4 *num, ac_uint4 **decomp)
{
long l, r, m;
}
int
-ucdecomp_hangul(unsigned long code, unsigned long *num, unsigned long decomp[])
+ucdecomp_hangul(ac_uint4 code, ac_uint4 *num, ac_uint4 decomp[])
{
if (!ucishangul(code))
return 0;
code -= 0xac00;
- decomp[0] = 0x1100 + (unsigned long) (code / 588);
- decomp[1] = 0x1161 + (unsigned long) ((code % 588) / 28);
- decomp[2] = 0x11a7 + (unsigned long) (code % 28);
+ decomp[0] = 0x1100 + (ac_uint4) (code / 588);
+ decomp[1] = 0x1161 + (ac_uint4) ((code % 588) / 28);
+ decomp[2] = 0x11a7 + (ac_uint4) (code % 28);
*num = (decomp[2] != 0x11a7) ? 3 : 2;
return 1;
/* mode == 0 for canonical, mode == 1 for compatibility */
static int
-uccanoncompatdecomp(const unsigned long *in, int inlen,
- unsigned long **out, int *outlen, short mode, void *ctx)
+uccanoncompatdecomp(const ac_uint4 *in, int inlen,
+ ac_uint4 **out, int *outlen, short mode, void *ctx)
{
int l, size;
unsigned i, j, k;
- unsigned long num, class, *decomp, hangdecomp[3];
+ ac_uint4 num, class, *decomp, hangdecomp[3];
size = inlen * 2;
- *out = (unsigned long *) ber_memalloc_x(size * sizeof(**out), ctx);
+ *out = (ac_uint4 *) ber_memalloc_x(size * sizeof(**out), ctx);
if (*out == NULL)
return *outlen = -1;
if (mode ? uckdecomp(in[j], &num, &decomp) : ucdecomp(in[j], &num, &decomp)) {
if ( size - i < num) {
size = inlen + i - j + num - 1;
- *out = (unsigned long *) ber_memrealloc_x(*out, size * sizeof(**out), ctx );
+ *out = (ac_uint4 *) ber_memrealloc_x(*out, size * sizeof(**out), ctx );
if (*out == NULL)
return *outlen = -1;
}
} else if (ucdecomp_hangul(in[j], &num, hangdecomp)) {
if (size - i < num) {
size = inlen + i - j + num - 1;
- *out = (unsigned long *) ber_memrealloc_x(*out, size * sizeof(**out), ctx);
+ *out = (ac_uint4 *) ber_memrealloc_x(*out, size * sizeof(**out), ctx);
if (*out == NULL)
return *outlen = -1;
}
} else {
if (size - i < 1) {
size = inlen + i - j;
- *out = (unsigned long *) ber_memrealloc_x(*out, size * sizeof(**out), ctx);
+ *out = (ac_uint4 *) ber_memrealloc_x(*out, size * sizeof(**out), ctx);
if (*out == NULL)
return *outlen = -1;
}
}
int
-uccanondecomp(const unsigned long *in, int inlen,
- unsigned long **out, int *outlen, void *ctx)
+uccanondecomp(const ac_uint4 *in, int inlen,
+ ac_uint4 **out, int *outlen, void *ctx)
{
return uccanoncompatdecomp(in, inlen, out, outlen, 0, ctx);
}
int
-uccompatdecomp(const unsigned long *in, int inlen,
- unsigned long **out, int *outlen, void *ctx)
+uccompatdecomp(const ac_uint4 *in, int inlen,
+ ac_uint4 **out, int *outlen, void *ctx)
{
return uccanoncompatdecomp(in, inlen, out, outlen, 1, ctx);
}
*
**************************************************************************/
-static unsigned long _uccmcl_size;
-static unsigned long *_uccmcl_nodes;
+static ac_uint4 _uccmcl_size;
+static ac_uint4 *_uccmcl_nodes;
/*
* Return -1 on error, 0 if okay
_uccmcl_load(char *paths, int reload)
{
FILE *in;
- unsigned long i;
+ ac_uint4 i;
_ucheader_t hdr;
if (_uccmcl_size > 0) {
}
_uccmcl_size = hdr.cnt * 3;
- _uccmcl_nodes = (unsigned long *) malloc(hdr.size.bytes);
+ _uccmcl_nodes = (ac_uint4 *) malloc(hdr.size.bytes);
/*
* Read the combining classes in.
*/
- fread((char *) _uccmcl_nodes, sizeof(unsigned long), _uccmcl_size, in);
+ fread((char *) _uccmcl_nodes, sizeof(ac_uint4), _uccmcl_size, in);
/*
* Do an endian swap if necessary.
_uccmcl_size = 0;
}
-unsigned long
-uccombining_class(unsigned long code)
+ac_uint4
+uccombining_class(ac_uint4 code)
{
long l, r, m;
*
**************************************************************************/
-static unsigned long *_ucnum_nodes;
-static unsigned long _ucnum_size;
+static ac_uint4 *_ucnum_nodes;
+static ac_uint4 _ucnum_size;
static short *_ucnum_vals;
/*
_ucnumb_load(char *paths, int reload)
{
FILE *in;
- unsigned long size, i;
+ ac_uint4 size, i;
_ucheader_t hdr;
if (_ucnum_size > 0) {
}
_ucnum_size = hdr.cnt;
- _ucnum_nodes = (unsigned long *) malloc(hdr.size.bytes);
+ _ucnum_nodes = (ac_uint4 *) malloc(hdr.size.bytes);
_ucnum_vals = (short *) (_ucnum_nodes + _ucnum_size);
/*
* Determine the number of values that have to be adjusted.
*/
size = (hdr.size.bytes -
- (_ucnum_size * (sizeof(unsigned long) << 1))) /
+ (_ucnum_size * (sizeof(ac_uint4) << 1))) /
sizeof(short);
for (i = 0; i < size; i++)
}
int
-ucnumber_lookup(unsigned long code, struct ucnumber *num)
+ucnumber_lookup(ac_uint4 code, struct ucnumber *num)
{
long l, r, m;
short *vp;
}
int
-ucdigit_lookup(unsigned long code, int *digit)
+ucdigit_lookup(ac_uint4 code, int *digit)
{
long l, r, m;
short *vp;
}
struct ucnumber
-ucgetnumber(unsigned long code)
+ucgetnumber(ac_uint4 code)
{
struct ucnumber num;
}
int
-ucgetdigit(unsigned long code)
+ucgetdigit(ac_uint4 code)
{
int dig;
main(void)
{
int dig;
- unsigned long i, lo, *dec;
+ ac_uint4 i, lo, *dec;
struct ucnumber num;
ucdata_setup(".");
* call this function with some set of masks.
*/
LDAP_LUNICODE_F (int)
-ucisprop LDAP_P((unsigned long code, unsigned long mask1,
- unsigned long mask2));
+ucisprop LDAP_P((ac_uint4 code, ac_uint4 mask1, ac_uint4 mask2));
#define ucisalpha(cc) ucisprop(cc, UC_LU|UC_LL|UC_LM|UC_LO|UC_LT, 0)
#define ucisdigit(cc) ucisprop(cc, UC_ND, 0)
*
**************************************************************************/
-LDAP_LUNICODE_F (unsigned long) uctoupper LDAP_P((unsigned long code));
-LDAP_LUNICODE_F (unsigned long) uctolower LDAP_P((unsigned long code));
-LDAP_LUNICODE_F (unsigned long) uctotitle LDAP_P((unsigned long code));
+LDAP_LUNICODE_F (ac_uint4) uctoupper LDAP_P((ac_uint4 code));
+LDAP_LUNICODE_F (ac_uint4) uctolower LDAP_P((ac_uint4 code));
+LDAP_LUNICODE_F (ac_uint4) uctotitle LDAP_P((ac_uint4 code));
/**************************************************************************
*
* If it returns 0, there is no composition. Any other value indicates a
* composition was returned in comp.
*/
-LDAP_LUNICODE_F (int) uccomp LDAP_P((unsigned long node1, unsigned long node2,
- unsigned long *comp));
+LDAP_LUNICODE_F (int) uccomp LDAP_P((ac_uint4 node1, ac_uint4 node2,
+ ac_uint4 *comp));
/*
* Does Hangul composition on the string str with length len, and returns
* the length of the composed string.
*/
-LDAP_LUNICODE_F (int) uccomp_hangul LDAP_P((unsigned long *str, int len));
+LDAP_LUNICODE_F (int) uccomp_hangul LDAP_P((ac_uint4 *str, int len));
/*
* Does canonical composition on the string str with length len, and returns
* the length of the composed string.
*/
-LDAP_LUNICODE_F (int) uccanoncomp LDAP_P((unsigned long *str, int len));
+LDAP_LUNICODE_F (int) uccanoncomp LDAP_P((ac_uint4 *str, int len));
/**************************************************************************
*
* returned.
*/
LDAP_LUNICODE_F (int)
-ucdecomp LDAP_P((unsigned long code, unsigned long *num,
- unsigned long **decomp));
+ucdecomp LDAP_P((ac_uint4 code, ac_uint4 *num,
+ ac_uint4 **decomp));
/*
* Equivalent to ucdecomp() except that it includes compatibility
* decompositions.
*/
LDAP_LUNICODE_F (int)
-uckdecomp LDAP_P((unsigned long code, unsigned long *num,
- unsigned long **decomp));
+uckdecomp LDAP_P((ac_uint4 code, ac_uint4 *num,
+ ac_uint4 **decomp));
/*
* If the code is a Hangul syllable, this routine decomposes it into the array
* passed. The array size should be at least 3.
*/
LDAP_LUNICODE_F (int)
-ucdecomp_hangul LDAP_P((unsigned long code, unsigned long *num,
- unsigned long decomp[]));
+ucdecomp_hangul LDAP_P((ac_uint4 code, ac_uint4 *num,
+ ac_uint4 decomp[]));
/*
* This routine does canonical decomposition of the string in of length
* of the decomposed string if okay, and -1 on error.
*/
LDAP_LUNICODE_F (int)
-uccanondecomp LDAP_P((const unsigned long *in, int inlen,
- unsigned long **out, int *outlen, void *ctx));
+uccanondecomp LDAP_P((const ac_uint4 *in, int inlen,
+ ac_uint4 **out, int *outlen, void *ctx));
/*
* Equivalent to uccanondecomp() except that it includes compatibility
* decompositions.
*/
LDAP_LUNICODE_F (int)
-uccompatdecomp LDAP_P((const unsigned long *in, int inlen,
- unsigned long **out, int *outlen, void *ctx));
+uccompatdecomp LDAP_P((const ac_uint4 *in, int inlen,
+ ac_uint4 **out, int *outlen, void *ctx));
/**************************************************************************
*
* This will return the combining class for a character to be used with the
* Canonical Ordering algorithm.
*/
-LDAP_LUNICODE_F (unsigned long) uccombining_class LDAP_P((unsigned long code));
+LDAP_LUNICODE_F (ac_uint4) uccombining_class LDAP_P((ac_uint4 code));
/**************************************************************************
*
};
LDAP_LUNICODE_F (int)
-ucnumber_lookup LDAP_P((unsigned long code, struct ucnumber *num));
+ucnumber_lookup LDAP_P((ac_uint4 code, struct ucnumber *num));
LDAP_LUNICODE_F (int)
-ucdigit_lookup LDAP_P((unsigned long code, int *digit));
+ucdigit_lookup LDAP_P((ac_uint4 code, int *digit));
/*
* For compatibility with John Cowan's "uctype" package.
*/
-LDAP_LUNICODE_F (struct ucnumber) ucgetnumber LDAP_P((unsigned long code));
-LDAP_LUNICODE_F (int) ucgetdigit LDAP_P((unsigned long code));
+LDAP_LUNICODE_F (struct ucnumber) ucgetnumber LDAP_P((ac_uint4 code));
+LDAP_LUNICODE_F (int) ucgetdigit LDAP_P((ac_uint4 code));
/**************************************************************************
*
* A header written to the output file with the byte-order-mark and the number
* of property nodes.
*/
-static unsigned short hdr[2] = {0xfeff, 0};
+static ac_uint2 hdr[2] = {0xfeff, 0};
#define NUMPROPS 50
#define NEEDPROPS (NUMPROPS + (4 - (NUMPROPS & 3)))
};
typedef struct {
- unsigned long *ranges;
- unsigned short used;
- unsigned short size;
+ ac_uint4 *ranges;
+ ac_uint2 used;
+ ac_uint2 size;
} _ranges_t;
static _ranges_t proptbl[NUMPROPS];
/*
* Make sure this array is sized to be on a 4-byte boundary at compile time.
*/
-static unsigned short propcnt[NEEDPROPS];
+static ac_uint2 propcnt[NEEDPROPS];
/*
* Array used to collect a decomposition before adding it to the decomposition
* table.
*/
-static unsigned long dectmp[64];
-static unsigned long dectmp_size;
+static ac_uint4 dectmp[64];
+static ac_uint4 dectmp_size;
typedef struct {
- unsigned long code;
- unsigned short size;
- unsigned short used;
- unsigned long *decomp;
+ ac_uint4 code;
+ ac_uint2 size;
+ ac_uint2 used;
+ ac_uint4 *decomp;
} _decomp_t;
/*
* compatibility mappings.
*/
static _decomp_t *decomps;
-static unsigned long decomps_used;
-static unsigned long decomps_size;
+static ac_uint4 decomps_used;
+static ac_uint4 decomps_size;
static _decomp_t *kdecomps;
-static unsigned long kdecomps_used;
-static unsigned long kdecomps_size;
+static ac_uint4 kdecomps_used;
+static ac_uint4 kdecomps_size;
/*
* Composition exclusion table stuff.
*/
#define COMPEX_SET(c) (compexs[(c) >> 5] |= (1 << ((c) & 31)))
#define COMPEX_TEST(c) (compexs[(c) >> 5] & (1 << ((c) & 31)))
-static unsigned long compexs[2048];
+static ac_uint4 compexs[2048];
/*
* Struct for holding a composition pair, and array of composition pairs
*/
typedef struct {
- unsigned long comp;
- unsigned long count;
- unsigned long code1;
- unsigned long code2;
+ ac_uint4 comp;
+ ac_uint4 count;
+ ac_uint4 code1;
+ ac_uint4 code2;
} _comp_t;
static _comp_t *comps;
-static unsigned long comps_used;
+static ac_uint4 comps_used;
/*
* Types and lists for handling lists of case mappings.
*/
typedef struct {
- unsigned long key;
- unsigned long other1;
- unsigned long other2;
+ ac_uint4 key;
+ ac_uint4 other1;
+ ac_uint4 other2;
} _case_t;
static _case_t *upper;
static _case_t *lower;
static _case_t *title;
-static unsigned long upper_used;
-static unsigned long upper_size;
-static unsigned long lower_used;
-static unsigned long lower_size;
-static unsigned long title_used;
-static unsigned long title_size;
+static ac_uint4 upper_used;
+static ac_uint4 upper_size;
+static ac_uint4 lower_used;
+static ac_uint4 lower_size;
+static ac_uint4 title_used;
+static ac_uint4 title_size;
/*
* Array used to collect case mappings before adding them to a list.
*/
-static unsigned long cases[3];
+static ac_uint4 cases[3];
/*
* An array to hold ranges for combining classes.
*/
-static unsigned long *ccl;
-static unsigned long ccl_used;
-static unsigned long ccl_size;
+static ac_uint4 *ccl;
+static ac_uint4 ccl_used;
+static ac_uint4 ccl_size;
/*
* Structures for handling numbers.
*/
typedef struct {
- unsigned long code;
- unsigned long idx;
+ ac_uint4 code;
+ ac_uint4 idx;
} _codeidx_t;
typedef struct {
* Arrays to hold the mapping of codes to numbers.
*/
static _codeidx_t *ncodes;
-static unsigned long ncodes_used;
-static unsigned long ncodes_size;
+static ac_uint4 ncodes_used;
+static ac_uint4 ncodes_size;
static _num_t *nums;
-static unsigned long nums_used;
-static unsigned long nums_size;
+static ac_uint4 nums_used;
+static ac_uint4 nums_size;
/*
* Array for holding numbers.
*/
static _num_t *nums;
-static unsigned long nums_used;
-static unsigned long nums_size;
+static ac_uint4 nums_used;
+static ac_uint4 nums_size;
static void
-add_range(unsigned long start, unsigned long end, char *p1, char *p2)
+add_range(ac_uint4 start, ac_uint4 end, char *p1, char *p2)
{
int i, j, k, len;
_ranges_t *rlp;
*/
if (rlp->used == rlp->size) {
if (rlp->size == 0)
- rlp->ranges = (unsigned long *)
- malloc(sizeof(unsigned long) << 3);
+ rlp->ranges = (ac_uint4 *)
+ malloc(sizeof(ac_uint4) << 3);
else
- rlp->ranges = (unsigned long *)
+ rlp->ranges = (ac_uint4 *)
realloc((char *) rlp->ranges,
- sizeof(unsigned long) * (rlp->size + 8));
+ sizeof(ac_uint4) * (rlp->size + 8));
rlp->size += 8;
}
}
static void
-ordered_range_insert(unsigned long c, char *name, int len)
+ordered_range_insert(ac_uint4 c, char *name, int len)
{
int i, j;
- unsigned long s, e;
+ ac_uint4 s, e;
_ranges_t *rlp;
if (len == 0)
*/
if (rlp->used == rlp->size) {
if (rlp->size == 0)
- rlp->ranges = (unsigned long *)
- malloc(sizeof(unsigned long) << 3);
+ rlp->ranges = (ac_uint4 *)
+ malloc(sizeof(ac_uint4) << 3);
else
- rlp->ranges = (unsigned long *)
+ rlp->ranges = (ac_uint4 *)
realloc((char *) rlp->ranges,
- sizeof(unsigned long) * (rlp->size + 8));
+ sizeof(ac_uint4) * (rlp->size + 8));
rlp->size += 8;
}
}
static void
-add_decomp(unsigned long code, short compat)
+add_decomp(ac_uint4 code, short compat)
{
- unsigned long i, j, size;
+ ac_uint4 i, j, size;
_decomp_t **pdecomps;
- unsigned long *pdecomps_used;
- unsigned long *pdecomps_size;
+ ac_uint4 *pdecomps_used;
+ ac_uint4 *pdecomps_size;
if (compat) {
pdecomps = &kdecomps;
size = dectmp_size + (4 - (dectmp_size & 3));
if ((*pdecomps)[i].size < size) {
if ((*pdecomps)[i].size == 0)
- (*pdecomps)[i].decomp = (unsigned long *)
- malloc(sizeof(unsigned long) * size);
+ (*pdecomps)[i].decomp = (ac_uint4 *)
+ malloc(sizeof(ac_uint4) * size);
else
- (*pdecomps)[i].decomp = (unsigned long *)
+ (*pdecomps)[i].decomp = (ac_uint4 *)
realloc((char *) (*pdecomps)[i].decomp,
- sizeof(unsigned long) * size);
+ sizeof(ac_uint4) * size);
(*pdecomps)[i].size = size;
}
(*pdecomps)[i].code = code;
(*pdecomps)[i].used = dectmp_size;
(void) AC_MEMCPY((char *) (*pdecomps)[i].decomp, (char *) dectmp,
- sizeof(unsigned long) * dectmp_size);
+ sizeof(ac_uint4) * dectmp_size);
/*
* NOTICE: This needs changing later so it is more general than simply
}
static void
-add_title(unsigned long code)
+add_title(ac_uint4 code)
{
- unsigned long i, j;
+ ac_uint4 i, j;
/*
* Always map the code to itself.
}
static void
-add_upper(unsigned long code)
+add_upper(ac_uint4 code)
{
- unsigned long i, j;
+ ac_uint4 i, j;
/*
* Always map the code to itself.
}
static void
-add_lower(unsigned long code)
+add_lower(ac_uint4 code)
{
- unsigned long i, j;
+ ac_uint4 i, j;
/*
* Always map the code to itself.
}
static void
-ordered_ccl_insert(unsigned long c, unsigned long ccl_code)
+ordered_ccl_insert(ac_uint4 c, ac_uint4 ccl_code)
{
- unsigned long i, j;
+ ac_uint4 i, j;
if (ccl_used == ccl_size) {
if (ccl_size == 0)
- ccl = (unsigned long *) malloc(sizeof(unsigned long) * 24);
+ ccl = (ac_uint4 *) malloc(sizeof(ac_uint4) * 24);
else
- ccl = (unsigned long *)
- realloc((char *) ccl, sizeof(unsigned long) * (ccl_size + 24));
+ ccl = (ac_uint4 *)
+ realloc((char *) ccl, sizeof(ac_uint4) * (ccl_size + 24));
ccl_size += 24;
}
* Adds a number if it does not already exist and returns an index value
* multiplied by 2.
*/
-static unsigned long
+static ac_uint4
make_number(short num, short denom)
{
- unsigned long n;
+ ac_uint4 n;
/*
* Determine if the number already exists.
}
static void
-add_number(unsigned long code, short num, short denom)
+add_number(ac_uint4 code, short num, short denom)
{
- unsigned long i, j;
+ ac_uint4 i, j;
/*
* Insert the code in order.
static void
read_cdata(FILE *in)
{
- unsigned long i, lineno, skip, code, ccl_code;
+ ac_uint4 i, lineno, skip, code, ccl_code;
short wnum, neg, number[2], compat;
char line[512], *s, *e;
}
static _decomp_t *
-find_decomp(unsigned long code, short compat)
+find_decomp(ac_uint4 code, short compat)
{
long l, r, m;
_decomp_t *decs;
static void
decomp_it(_decomp_t *d, short compat)
{
- unsigned long i;
+ ac_uint4 i;
_decomp_t *dp;
for (i = 0; i < d->used; i++) {
static void
expand_decomp(void)
{
- unsigned long i;
+ ac_uint4 i;
for (i = 0; i < decomps_used; i++) {
dectmp_size = 0;
static void
read_compexdata(FILE *in)
{
- unsigned short i, code;
+ ac_uint2 i, code;
char line[512], *s;
- (void) memset((char *) compexs, 0, sizeof(unsigned long) << 11);
+ (void) memset((char *) compexs, 0, sizeof(ac_uint4) << 11);
while (fgets(line, sizeof(line), in)) {
if( (s=strchr(line, '\n')) ) *s = '\0';
static void
create_comps(void)
{
- unsigned long i, cu;
+ ac_uint4 i, cu;
comps = (_comp_t *) malloc(comps_used * sizeof(_comp_t));
{
FILE *out;
ac_uint4 bytes;
- unsigned long i, idx, nprops;
- unsigned short casecnt[2];
+ ac_uint4 i, idx, nprops;
+ ac_uint2 casecnt[2];
char path[BUFSIZ];
/*****************************************************************
* Calculate the byte count needed and pad the property counts array to a
* 4-byte boundary.
*/
- if ((bytes = sizeof(unsigned short) * (NUMPROPS + 1)) & 3)
+ if ((bytes = sizeof(ac_uint2) * (NUMPROPS + 1)) & 3)
bytes += 4 - (bytes & 3);
- nprops = bytes / sizeof(unsigned short);
- bytes += sizeof(unsigned long) * idx;
+ nprops = bytes / sizeof(ac_uint2);
+ bytes += sizeof(ac_uint4) * idx;
/*
* Write the header.
/*
* Write the byte count.
*/
- fwrite((char *) &bytes, sizeof(unsigned long), 1, out);
+ fwrite((char *) &bytes, sizeof(ac_uint4), 1, out);
/*
* Write the property list counts.
*/
- fwrite((char *) propcnt, sizeof(unsigned short), nprops, out);
+ fwrite((char *) propcnt, sizeof(ac_uint2), nprops, out);
/*
* Write the property lists.
*/
for (i = 0; i < NUMPROPS; i++) {
if (proptbl[i].used > 0)
- fwrite((char *) proptbl[i].ranges, sizeof(unsigned long),
+ fwrite((char *) proptbl[i].ranges, sizeof(ac_uint4),
proptbl[i].used, out);
}
/*
* Write the header.
*/
- fwrite((char *) hdr, sizeof(unsigned short), 2, out);
+ fwrite((char *) hdr, sizeof(ac_uint2), 2, out);
/*
* Write the upper and lower case table sizes.
*/
- fwrite((char *) casecnt, sizeof(unsigned short), 2, out);
+ fwrite((char *) casecnt, sizeof(ac_uint2), 2, out);
if (upper_used > 0)
/*
/*
* Write the header.
*/
- hdr[1] = (unsigned short) comps_used * 4;
- fwrite((char *) hdr, sizeof(unsigned short), 2, out);
+ hdr[1] = (ac_uint2) comps_used * 4;
+ fwrite((char *) hdr, sizeof(ac_uint2), 2, out);
/*
* Write out the byte count to maintain header size.
*/
bytes = comps_used * sizeof(_comp_t);
- fwrite((char *) &bytes, sizeof(unsigned long), 1, out);
+ fwrite((char *) &bytes, sizeof(ac_uint4), 1, out);
/*
* Now, if comps exist, write them out.
/*
* Write the header.
*/
- fwrite((char *) hdr, sizeof(unsigned short), 2, out);
+ fwrite((char *) hdr, sizeof(ac_uint2), 2, out);
/*
* Write a temporary byte count which will be calculated as the
* decompositions are written out.
*/
bytes = 0;
- fwrite((char *) &bytes, sizeof(unsigned long), 1, out);
+ fwrite((char *) &bytes, sizeof(ac_uint4), 1, out);
if (decomps_used) {
/*
* Write the list of decomp nodes.
*/
for (i = idx = 0; i < decomps_used; i++) {
- fwrite((char *) &decomps[i].code, sizeof(unsigned long), 1, out);
- fwrite((char *) &idx, sizeof(unsigned long), 1, out);
+ fwrite((char *) &decomps[i].code, sizeof(ac_uint4), 1, out);
+ fwrite((char *) &idx, sizeof(ac_uint4), 1, out);
idx += decomps[i].used;
}
/*
* Write the sentinel index as the last decomp node.
*/
- fwrite((char *) &idx, sizeof(unsigned long), 1, out);
+ fwrite((char *) &idx, sizeof(ac_uint4), 1, out);
/*
* Write the decompositions themselves.
*/
for (i = 0; i < decomps_used; i++)
- fwrite((char *) decomps[i].decomp, sizeof(unsigned long),
+ fwrite((char *) decomps[i].decomp, sizeof(ac_uint4),
decomps[i].used, out);
/*
* Seek back to the beginning and write the byte count.
*/
- bytes = (sizeof(unsigned long) * idx) +
- (sizeof(unsigned long) * ((hdr[1] << 1) + 1));
- fseek(out, sizeof(unsigned short) << 1, 0L);
- fwrite((char *) &bytes, sizeof(unsigned long), 1, out);
+ bytes = (sizeof(ac_uint4) * idx) +
+ (sizeof(ac_uint4) * ((hdr[1] << 1) + 1));
+ fseek(out, sizeof(ac_uint2) << 1, 0L);
+ fwrite((char *) &bytes, sizeof(ac_uint4), 1, out);
fclose(out);
}
/*
* Write the header.
*/
- fwrite((char *) hdr, sizeof(unsigned short), 2, out);
+ fwrite((char *) hdr, sizeof(ac_uint2), 2, out);
/*
* Write a temporary byte count which will be calculated as the
* decompositions are written out.
*/
bytes = 0;
- fwrite((char *) &bytes, sizeof(unsigned long), 1, out);
+ fwrite((char *) &bytes, sizeof(ac_uint4), 1, out);
if (kdecomps_used) {
/*
* Write the list of kdecomp nodes.
*/
for (i = idx = 0; i < kdecomps_used; i++) {
- fwrite((char *) &kdecomps[i].code, sizeof(unsigned long), 1, out);
- fwrite((char *) &idx, sizeof(unsigned long), 1, out);
+ fwrite((char *) &kdecomps[i].code, sizeof(ac_uint4), 1, out);
+ fwrite((char *) &idx, sizeof(ac_uint4), 1, out);
idx += kdecomps[i].used;
}
/*
* Write the sentinel index as the last decomp node.
*/
- fwrite((char *) &idx, sizeof(unsigned long), 1, out);
+ fwrite((char *) &idx, sizeof(ac_uint4), 1, out);
/*
* Write the decompositions themselves.
*/
for (i = 0; i < kdecomps_used; i++)
- fwrite((char *) kdecomps[i].decomp, sizeof(unsigned long),
+ fwrite((char *) kdecomps[i].decomp, sizeof(ac_uint4),
kdecomps[i].used, out);
/*
* Seek back to the beginning and write the byte count.
*/
- bytes = (sizeof(unsigned long) * idx) +
- (sizeof(unsigned long) * ((hdr[1] << 1) + 1));
- fseek(out, sizeof(unsigned short) << 1, 0L);
- fwrite((char *) &bytes, sizeof(unsigned long), 1, out);
+ bytes = (sizeof(ac_uint4) * idx) +
+ (sizeof(ac_uint4) * ((hdr[1] << 1) + 1));
+ fseek(out, sizeof(ac_uint2) << 1, 0L);
+ fwrite((char *) &bytes, sizeof(ac_uint4), 1, out);
fclose(out);
}
/*
* Write the header.
*/
- fwrite((char *) hdr, sizeof(unsigned short), 2, out);
+ fwrite((char *) hdr, sizeof(ac_uint2), 2, out);
/*
* Write out the byte count to maintain header size.
*/
- bytes = ccl_used * sizeof(unsigned long);
- fwrite((char *) &bytes, sizeof(unsigned long), 1, out);
+ bytes = ccl_used * sizeof(ac_uint4);
+ fwrite((char *) &bytes, sizeof(ac_uint4), 1, out);
if (ccl_used > 0)
/*
* Write the combining class ranges out.
*/
- fwrite((char *) ccl, sizeof(unsigned long), ccl_used, out);
+ fwrite((char *) ccl, sizeof(ac_uint4), ccl_used, out);
fclose(out);
* The count part of the header will be the total number of codes that
* have numbers.
*/
- hdr[1] = (unsigned short) (ncodes_used << 1);
+ hdr[1] = (ac_uint2) (ncodes_used << 1);
bytes = (ncodes_used * sizeof(_codeidx_t)) + (nums_used * sizeof(_num_t));
/*
* Write the header.
*/
- fwrite((char *) hdr, sizeof(unsigned short), 2, out);
+ fwrite((char *) hdr, sizeof(ac_uint2), 2, out);
/*
* Write out the byte count to maintain header size.
*/
- fwrite((char *) &bytes, sizeof(unsigned long), 1, out);
+ fwrite((char *) &bytes, sizeof(ac_uint4), 1, out);
/*
* Now, if number mappings exist, write them out.
#include "portable.h"
+#include <ac/bytes.h>
#include <ac/ctype.h>
#include <ac/string.h>
#include <ac/stdlib.h>
{
int i, j, len, clen, outpos, ucsoutlen, outsize, last;
char *out, *outtmp, *s;
- unsigned long *ucs, *p, *ucsout;
+ ac_uint4 *ucs, *p, *ucsout;
static unsigned char mask[] = {
0, 0x7f, 0x1f, 0x0f, 0x07, 0x03, 0x01 };
{
int i, l1, l2, len, ulen, res = 0;
char *s1, *s2, *done;
- unsigned long *ucs, *ucsout1, *ucsout2;
+ ac_uint4 *ucs, *ucsout1, *ucsout2;
unsigned casefold = flags & LDAP_UTF8_CASEFOLD;
unsigned norm1 = flags & LDAP_UTF8_ARG1NFC;
/*
* XXYYZ: we convert to ucs4 even though -llunicode
- * expects ucs2 in an unsigned long
+ * expects ucs2 in an ac_uint4
*/
/* convert and normalize 1st string */
*/
/* $Id: urestubs.c,v 1.2 1999/09/21 15:47:44 mleisher Exp $" */
+#include "portable.h"
+#include <ac/bytes.h>
+
#include "ure.h"
#ifdef _MSC_VER
time_t t;
unsigned int op;
struct tm *ltm;
+#ifdef HAVE_GMTIME_R
+ struct tm ltm_buf;
+#endif
int n;
time( &t );
}
op = ++csnop;
+#ifdef HAVE_GMTIME_R
+ ltm = gmtime_r( &t, <m_buf );
+#else
ltm = gmtime( &t );
+#endif
n = snprintf( buf, len,
"%4d%02d%02d%02d%02d%02dZ#%06x#%02x#%06x",
ltm->tm_year + 1900, ltm->tm_mon + 1, ltm->tm_mday, ltm->tm_hour,
/* $OpenLDAP$ */
-/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 1998-2003 The OpenLDAP Foundation.
/* password check routines */
+#define SALT_SIZE 4
+
static LUTIL_PASSWD_CHK_FUNC chk_md5;
static LUTIL_PASSWD_CHK_FUNC chk_smd5;
static LUTIL_PASSWD_HASH_FUNC hash_smd5;
unsigned char *orig_pass = NULL;
/* safety check */
- if (LUTIL_BASE64_DECODE_LEN(passwd->bv_len) <= sizeof(SHA1digest)) {
+ if (LUTIL_BASE64_DECODE_LEN(passwd->bv_len) <
+ sizeof(SHA1digest)+SALT_SIZE) {
return -1;
}
rc = lutil_b64_pton(passwd->bv_val, orig_pass, passwd->bv_len);
- if (rc < 0 || (unsigned)rc <= sizeof(SHA1digest)) {
+ if (rc < (int)(sizeof(SHA1digest)+SALT_SIZE)) {
ber_memfree(orig_pass);
return -1;
}
int rc;
unsigned char *orig_pass = NULL;
+ /* safety check */
+ if (LUTIL_BASE64_DECODE_LEN(passwd->bv_len) < sizeof(SHA1digest)) {
+ return -1;
+ }
+
/* base64 un-encode password */
orig_pass = (unsigned char *) ber_memalloc( (size_t) (
LUTIL_BASE64_DECODE_LEN(passwd->bv_len) + 1) );
unsigned char *orig_pass = NULL;
/* safety check */
- if (LUTIL_BASE64_DECODE_LEN(passwd->bv_len) <= sizeof(MD5digest)) {
+ if (LUTIL_BASE64_DECODE_LEN(passwd->bv_len) <
+ sizeof(MD5digest)+SALT_SIZE) {
return -1;
}
rc = lutil_b64_pton(passwd->bv_val, orig_pass, passwd->bv_len);
- if (rc < 0 || (unsigned)rc <= sizeof(MD5digest)) {
+ if (rc < (int)(sizeof(MD5digest)+SALT_SIZE)) {
ber_memfree(orig_pass);
return -1;
}
int rc;
unsigned char *orig_pass = NULL;
+ /* safety check */
+ if (LUTIL_BASE64_DECODE_LEN(passwd->bv_len) < sizeof(MD5digest)) {
+ return -1;
+ }
+
/* base64 un-encode password */
orig_pass = (unsigned char *) ber_memalloc( (size_t) (
LUTIL_BASE64_DECODE_LEN(passwd->bv_len) + 1) );
{
lutil_SHA1_CTX SHA1context;
unsigned char SHA1digest[LUTIL_SHA1_BYTES];
- char saltdata[4];
+ char saltdata[SALT_SIZE];
struct berval digest;
struct berval salt;
{
lutil_MD5_CTX MD5context;
unsigned char MD5digest[LUTIL_MD5_BYTES];
- char saltdata[4];
+ char saltdata[SALT_SIZE];
struct berval digest;
struct berval salt;
-/******************************************************************************
+/* $OpenLDAP$ */
+/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright (C) 2000 Pierangelo Masarati, <ando@sys-net.it>
+ * Copyright 2000-2003 The OpenLDAP Foundation.
* All rights reserved.
*
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
*
- * 1. The author is not responsible for the consequences of use of this
- * software, no matter how awful, even if they arise from flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- *
- * 4. This notice may not be removed or altered.
- *
- ******************************************************************************/
+ * A copy of this license is available in the file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * <http://www.OpenLDAP.org/license.html>.
+ */
+/* ACKNOWLEDGEMENT:
+ * This work was initially developed by Pierangelo Masarati for
+ * inclusion in OpenLDAP Software.
+ */
#include <portable.h>
-/******************************************************************************
+/* $OpenLDAP$ */
+/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright (C) 2000 Pierangelo Masarati, <ando@sys-net.it>
+ * Copyright 2000-2003 The OpenLDAP Foundation.
* All rights reserved.
*
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
*
- * 1. The author is not responsible for the consequences of use of this
- * software, no matter how awful, even if they arise from flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- *
- * 4. This notice may not be removed or altered.
- *
- ******************************************************************************/
+ * A copy of this license is available in the file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * <http://www.OpenLDAP.org/license.html>.
+ */
+/* ACKNOWLEDGEMENT:
+ * This work was initially developed by Pierangelo Masarati for
+ * inclusion in OpenLDAP Software.
+ */
#include <portable.h>
-/******************************************************************************
+/* $OpenLDAP$ */
+/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright (C) 2000 Pierangelo Masarati, <ando@sys-net.it>
+ * Copyright 2000-2003 The OpenLDAP Foundation.
* All rights reserved.
*
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
*
- * 1. The author is not responsible for the consequences of use of this
- * software, no matter how awful, even if they arise from flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- *
- * 4. This notice may not be removed or altered.
- *
- ******************************************************************************/
+ * A copy of this license is available in the file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * <http://www.OpenLDAP.org/license.html>.
+ */
+/* ACKNOWLEDGEMENT:
+ * This work was initially developed by Pierangelo Masarati for
+ * inclusion in OpenLDAP Software.
+ */
#include <portable.h>
-/******************************************************************************
+/* $OpenLDAP$ */
+/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright (C) 2000 Pierangelo Masarati, <ando@sys-net.it>
+ * Copyright 2000-2003 The OpenLDAP Foundation.
* All rights reserved.
*
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
*
- * 1. The author is not responsible for the consequences of use of this
- * software, no matter how awful, even if they arise from flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- *
- * 4. This notice may not be removed or altered.
- *
- ******************************************************************************/
+ * A copy of this license is available in the file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * <http://www.OpenLDAP.org/license.html>.
+ */
+/* ACKNOWLEDGEMENT:
+ * This work was initially developed by Pierangelo Masarati for
+ * inclusion in OpenLDAP Software.
+ */
#include <portable.h>
+#define LDAP_DEPRECATED 1
#include "rewrite-int.h"
#include "rewrite-map.h"
-/******************************************************************************
+/* $OpenLDAP$ */
+/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright (C) 2000 Pierangelo Masarati, <ando@sys-net.it>
+ * Copyright 2000-2003 The OpenLDAP Foundation.
* All rights reserved.
*
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
*
- * 1. The author is not responsible for the consequences of use of this
- * software, no matter how awful, even if they arise from flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- *
- * 4. This notice may not be removed or altered.
- *
- ******************************************************************************/
+ * A copy of this license is available in the file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * <http://www.OpenLDAP.org/license.html>.
+ */
+/* ACKNOWLEDGEMENT:
+ * This work was initially developed by Pierangelo Masarati for
+ * inclusion in OpenLDAP Software.
+ */
#include <portable.h>
-/******************************************************************************
+/* $OpenLDAP$ */
+/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright (C) 2000 Pierangelo Masarati, <ando@sys-net.it>
+ * Copyright 2000-2003 The OpenLDAP Foundation.
* All rights reserved.
*
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
*
- * 1. The author is not responsible for the consequences of use of this
- * software, no matter how awful, even if they arise from flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- *
- * 4. This notice may not be removed or altered.
- *
- ******************************************************************************/
+ * A copy of this license is available in the file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * <http://www.OpenLDAP.org/license.html>.
+ */
+/* ACKNOWLEDGEMENT:
+ * This work was initially developed by Pierangelo Masarati for
+ * inclusion in OpenLDAP Software.
+ */
#include <portable.h>
-/******************************************************************************
+/* $OpenLDAP$ */
+/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright (C) 2000 Pierangelo Masarati, <ando@sys-net.it>
+ * Copyright 2000-2003 The OpenLDAP Foundation.
* All rights reserved.
*
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
*
- * 1. The author is not responsible for the consequences of use of this
- * software, no matter how awful, even if they arise from flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- *
- * 4. This notice may not be removed or altered.
- *
- ******************************************************************************/
+ * A copy of this license is available in the file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * <http://www.OpenLDAP.org/license.html>.
+ */
+/* ACKNOWLEDGEMENT:
+ * This work was initially developed by Pierangelo Masarati for
+ * inclusion in OpenLDAP Software.
+ */
#include <portable.h>
-/******************************************************************************
+/* $OpenLDAP$ */
+/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright (C) 2000 Pierangelo Masarati, <ando@sys-net.it>
+ * Copyright 2000-2003 The OpenLDAP Foundation.
* All rights reserved.
*
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
*
- * 1. The author is not responsible for the consequences of use of this
- * software, no matter how awful, even if they arise from flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- *
- * 4. This notice may not be removed or altered.
- *
- ******************************************************************************/
+ * A copy of this license is available in the file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * <http://www.OpenLDAP.org/license.html>.
+ */
+/* ACKNOWLEDGEMENT:
+ * This work was initially developed by Pierangelo Masarati for
+ * inclusion in OpenLDAP Software.
+ */
#ifndef REWRITE_INT_H
#define REWRITE_INT_H
-/******************************************************************************
+/* $OpenLDAP$ */
+/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright (C) 2000 Pierangelo Masarati, <ando@sys-net.it>
+ * Copyright 2000-2003 The OpenLDAP Foundation.
* All rights reserved.
*
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
*
- * 1. The author is not responsible for the consequences of use of this
- * software, no matter how awful, even if they arise from flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- *
- * 4. This notice may not be removed or altered.
- *
- ******************************************************************************/
+ * A copy of this license is available in the file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * <http://www.OpenLDAP.org/license.html>.
+ */
+/* ACKNOWLEDGEMENT:
+ * This work was initially developed by Pierangelo Masarati for
+ * inclusion in OpenLDAP Software.
+ */
#ifndef MAP_H
#define MAP_H
-/******************************************************************************
+/* $OpenLDAP$ */
+/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright (C) 2000 Pierangelo Masarati, <ando@sys-net.it>
+ * Copyright 2000-2003 The OpenLDAP Foundation.
* All rights reserved.
*
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
*
- * 1. The author is not responsible for the consequences of use of this
- * software, no matter how awful, even if they arise from flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- *
- * 4. This notice may not be removed or altered.
- *
- ******************************************************************************/
+ * A copy of this license is available in the file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * <http://www.OpenLDAP.org/license.html>.
+ */
+/* ACKNOWLEDGEMENT:
+ * This work was initially developed by Pierangelo Masarati for
+ * inclusion in OpenLDAP Software.
+ */
#include <portable.h>
-/******************************************************************************
+/* $OpenLDAP$ */
+/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright (C) 2000 Pierangelo Masarati, <ando@sys-net.it>
+ * Copyright 2000-2003 The OpenLDAP Foundation.
* All rights reserved.
*
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
*
- * 1. The author is not responsible for the consequences of use of this
- * software, no matter how awful, even if they arise from flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- *
- * 4. This notice may not be removed or altered.
- *
- ******************************************************************************/
+ * A copy of this license is available in the file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * <http://www.OpenLDAP.org/license.html>.
+ */
+/* ACKNOWLEDGEMENT:
+ * This work was initially developed by Pierangelo Masarati for
+ * inclusion in OpenLDAP Software.
+ */
#include <portable.h>
-/******************************************************************************
+/* $OpenLDAP$ */
+/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright (C) 2000 Pierangelo Masarati, <ando@sys-net.it>
+ * Copyright 2000-2003 The OpenLDAP Foundation.
* All rights reserved.
*
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
*
- * 1. The author is not responsible for the consequences of use of this
- * software, no matter how awful, even if they arise from flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- *
- * 4. This notice may not be removed or altered.
- *
- ******************************************************************************/
+ * A copy of this license is available in the file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * <http://www.OpenLDAP.org/license.html>.
+ */
+/* ACKNOWLEDGEMENT:
+ * This work was initially developed by Pierangelo Masarati for
+ * inclusion in OpenLDAP Software.
+ */
#include <portable.h>
-/******************************************************************************
+/* $OpenLDAP$ */
+/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright (C) 2000 Pierangelo Masarati, <ando@sys-net.it>
+ * Copyright 2000-2003 The OpenLDAP Foundation.
* All rights reserved.
*
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
*
- * 1. The author is not responsible for the consequences of use of this
- * software, no matter how awful, even if they arise from flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- *
- * 4. This notice may not be removed or altered.
- *
- ******************************************************************************/
+ * A copy of this license is available in the file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * <http://www.OpenLDAP.org/license.html>.
+ */
+/* ACKNOWLEDGEMENT:
+ * This work was initially developed by Pierangelo Masarati for
+ * inclusion in OpenLDAP Software.
+ */
#include <portable.h>
-/******************************************************************************
+/* $OpenLDAP$ */
+/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright (C) 2000 Pierangelo Masarati, <ando@sys-net.it>
+ * Copyright 2000-2003 The OpenLDAP Foundation.
* All rights reserved.
*
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
*
- * 1. The author is not responsible for the consequences of use of this
- * software, no matter how awful, even if they arise from flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- *
- * 4. This notice may not be removed or altered.
- *
- ******************************************************************************/
+ * A copy of this license is available in the file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * <http://www.OpenLDAP.org/license.html>.
+ */
+/* ACKNOWLEDGEMENT:
+ * This work was initially developed by Pierangelo Masarati for
+ * inclusion in OpenLDAP Software.
+ */
#include <portable.h>
-/******************************************************************************
+/* $OpenLDAP$ */
+/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright (C) 2000 Pierangelo Masarati, <ando@sys-net.it>
+ * Copyright 2000-2003 The OpenLDAP Foundation.
* All rights reserved.
*
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
*
- * 1. The author is not responsible for the consequences of use of this
- * software, no matter how awful, even if they arise from flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- *
- * 4. This notice may not be removed or altered.
- *
- ******************************************************************************/
+ * A copy of this license is available in the file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * <http://www.OpenLDAP.org/license.html>.
+ */
+/* ACKNOWLEDGEMENT:
+ * This work was initially developed by Pierangelo Masarati for
+ * inclusion in OpenLDAP Software.
+ */
#include <portable.h>
#include <pwd.h>
#endif
+#define LDAP_DEPRECATED 1
#include "rewrite-int.h"
#include "rewrite-map.h"
## <http://www.OpenLDAP.org/license.html>.
PROGRAMS=slapd
-XPROGRAMS=sslapd libbackends.a .backend
+XPROGRAMS=sslapd libbackends.a .backend liboverlays.a
XSRCS=version.c
+SUBDIRS=back-* shell-backends slapi overlays tools
+
NT_SRCS = nt_svc.c
NT_OBJS = nt_svc.o ../../libraries/liblutil/slapdmsg.res
LDAP_LIBDIR= ../../libraries
SLAP_DIR=
-SLAPD_STATIC_DEPENDS=@SLAPD_NO_STATIC@ libbackends.a
+SLAPD_STATIC_DEPENDS=@SLAPD_NO_STATIC@ libbackends.a liboverlays.a
SLAPD_STATIC_BACKENDS=@SLAPD_STATIC_BACKENDS@
SLAPD_DYNAMIC_BACKENDS=@SLAPD_DYNAMIC_BACKENDS@
fi
@ls -l libbackends.a; echo ""
+liboverlays.a: FORCE
+ @cd overlays; $(MAKE) $(MFLAGS) all
+
version.c: Makefile
@-$(RM) $@
$(MKVERSION) -s -n Versionstr slapd > $@
version.o: version.c $(OBJS) $(SLAPD_LIBDEPEND)
depend-local-srv: FORCE
- @for i in back-* shell-backends slapi tools; do \
+ @for i in $(SUBDIRS); do \
if test -d $$i -a -f $$i/Makefile ; then \
echo; echo " cd $$i; $(MAKE) $(MFLAGS) depend"; \
( cd $$i; $(MAKE) $(MFLAGS) depend ); \
rm -f *.exp *.def *.base *.a *.objs symdummy.c
clean-local-srv: FORCE
- @for i in back-* shell-backends slapi tools; do \
+ @for i in $(SUBDIRS); do \
if test -d $$i -a -f $$i/Makefile ; then \
echo; echo " cd $$i; $(MAKE) $(MFLAGS) clean"; \
( cd $$i; $(MAKE) $(MFLAGS) clean ); \
rm -f *.tmp all-cffiles
veryclean-local-srv: FORCE
- @for i in back-* shell-backends slapi tools; do \
+ @for i in $(SUBDIRS); do \
if test -d $$i -a -f $$i/Makefile ; then \
echo; echo " cd $$i; $(MAKE) $(MFLAGS) clean"; \
( cd $$i; $(MAKE) $(MFLAGS) veryclean ); \
-$(MKDIR) $(DESTDIR)$(localstatedir)
$(LTINSTALL) $(INSTALLFLAGS) -s -m 755 \
slapd$(EXEEXT) $(DESTDIR)$(libexecdir)
- @for i in back-* shell-backends slapi tools; do \
+ @for i in $(SUBDIRS); do \
if test -d $$i -a -f $$i/Makefile ; then \
echo; echo " cd $$i; $(MAKE) $(MFLAGS) install"; \
( cd $$i; $(MAKE) $(MFLAGS) install ); \
slap_entry2mods(
Entry *e,
Modifications **mods,
- const char **text
-)
+ const char **text,
+ char *textbuf, size_t textlen )
{
Modifications *modhead = NULL;
Modifications *mod;
Modifications **modtail = &modhead;
Attribute *a_new;
AttributeDescription *a_new_desc;
- int i, count, rc;
+ int i, count;
a_new = e->e_attrs;
a_new_desc = a_new->a_desc;
mod = (Modifications *) malloc( sizeof( Modifications ));
- if ( a_new_desc != slap_schema.si_ad_queryid )
- mod->sml_op = LDAP_MOD_REPLACE;
- else
- mod->sml_op = LDAP_MOD_ADD;
+ mod->sml_op = LDAP_MOD_REPLACE;
- ber_dupbv( &mod->sml_type, &a_new_desc->ad_cname );
+ mod->sml_type = a_new_desc->ad_cname;
for ( count = 0; a_new->a_vals[count].bv_val; count++ );
* entire operation.
*/
#ifdef NEW_LOGGING
- LDAP_LOG( OPERATION, INFO, "do_add: add preoperation plugin failed\n",
- 0, 0, 0);
+ LDAP_LOG( OPERATION, INFO,
+ "do_add: add preoperation plugin failed\n",
+ 0, 0, 0);
#else
- Debug(LDAP_DEBUG_TRACE, "do_add: add preoperation plugin failed.\n",
- 0, 0, 0);
- if ( ( slapi_pblock_get( op->o_pb, SLAPI_RESULT_CODE, (void *)&rc ) != 0 ) ||
- rc == LDAP_SUCCESS ) {
+ Debug(LDAP_DEBUG_TRACE,
+ "do_add: add preoperation plugin failed.\n",
+ 0, 0, 0);
+#endif
+
+ if (( slapi_pblock_get( op->o_pb, SLAPI_RESULT_CODE,
+ (void *)&rc ) != 0 ) || rc == LDAP_SUCCESS )
+ {
rc = LDAP_OTHER;
}
-#endif
} else {
rc = LDAP_SUCCESS;
}
rc = doPluginFNs( op->o_bd, SLAPI_PLUGIN_POST_ADD_FN, op->o_pb );
if ( rc < 0 ) {
#ifdef NEW_LOGGING
- LDAP_LOG( OPERATION, INFO, "do_add: add postoperation plugin failed\n",
- 0, 0, 0);
+ LDAP_LOG( OPERATION, INFO,
+ "do_add: add postoperation plugin failed\n",
+ 0, 0, 0);
#else
- Debug(LDAP_DEBUG_TRACE, "do_add: add postoperation plugin failed.\n",
- 0, 0, 0);
+ Debug(LDAP_DEBUG_TRACE,
+ "do_add: add postoperation plugin failed\n",
+ 0, 0, 0);
#endif
}
}
rc = slap_bv2ad( &type, &aa->aa_desc, text );
if( rc != LDAP_SUCCESS ) {
+#ifdef NEW_LOGGING
+ LDAP_LOG( FILTER, ERR,
+ "get_ava: unknown attributeType %s\n", type.bv_val, 0, 0 );
+#else
+ Debug( LDAP_DEBUG_FILTER,
+ "get_ava: unknown attributeType %s\n", type.bv_val, 0, 0 );
+#endif
op->o_tmpfree( aa, op->o_tmpmemctx );
return rc;
}
usage, &value, &aa->aa_value, text, op->o_tmpmemctx );
if( rc != LDAP_SUCCESS ) {
+#ifdef NEW_LOGGING
+ LDAP_LOG( FILTER, ERR,
+ "get_ava: illegal value for attributeType %s\n", type.bv_val, 0, 0 );
+#else
+ Debug( LDAP_DEBUG_FILTER,
+ "get_ava: illegal value for attributeType %s\n", type.bv_val, 0, 0 );
+#endif
op->o_tmpfree( aa, op->o_tmpmemctx );
return rc;
}
SRCS = init.c tools.c config.c \
add.c bind.c compare.c delete.c modify.c modrdn.c search.c \
- extended.c passwd.c referral.c operational.c \
+ extended.c referral.c operational.c \
attr.c index.c key.c dbcache.c filterindex.c \
dn2entry.c dn2id.c error.c id2entry.c idl.c \
nextid.c cache.c trans.c ctxcsn.c
OBJS = init.lo tools.lo config.lo \
add.lo bind.lo compare.lo delete.lo modify.lo modrdn.lo search.lo \
- extended.lo passwd.lo referral.lo operational.lo \
+ extended.lo referral.lo operational.lo \
attr.lo index.lo key.lo dbcache.lo filterindex.lo \
dn2entry.lo dn2id.lo error.lo id2entry.lo idl.lo \
nextid.lo cache.lo trans.lo ctxcsn.lo
}
}
+ if ( rs->sr_err == LDAP_SUCCESS && !noop && !op->o_no_psearch ) {
+ ldap_pvt_thread_rdwr_rlock( &bdb->bi_pslist_rwlock );
+ LDAP_LIST_FOREACH ( ps_list, &bdb->bi_psearch_list, o_ps_link ) {
+ bdb_psearch( op, rs, ps_list, op->oq_add.rs_e, LDAP_PSEARCH_BY_ADD );
+ }
+ ldap_pvt_thread_rdwr_runlock( &bdb->bi_pslist_rwlock );
+ }
+
if(( rs->sr_err=TXN_COMMIT( ltid, 0 )) != 0 ) {
rs->sr_text = "txn_commit failed";
} else {
return_results:
send_ldap_result( op, rs );
- if ( rs->sr_err == LDAP_SUCCESS && !noop && !op->o_no_psearch ) {
- LDAP_LIST_FOREACH ( ps_list, &bdb->bi_psearch_list, o_ps_link ) {
- bdb_psearch( op, rs, ps_list, op->oq_add.rs_e, LDAP_PSEARCH_BY_ADD );
- }
- }
-
if( rs->sr_err == LDAP_SUCCESS && bdb->bi_txn_cp ) {
ldap_pvt_thread_yield();
TXN_CHECKPOINT( bdb->bi_dbenv,
ID bi_lastid;
ldap_pvt_thread_mutex_t bi_lastid_mutex;
LDAP_LIST_HEAD(pl, slap_op) bi_psearch_list;
- ldap_pvt_thread_mutex_t bi_pslist_mutex;
+ ldap_pvt_thread_rdwr_t bi_pslist_rwlock;
LDAP_LIST_HEAD(se, slap_session_entry) bi_session_list;
#ifdef SLAP_IDL_CACHE
int bi_idl_cache_max_size;
/* anything else */
} else {
- fprintf( stderr, "%s: line %d: "
- "unknown directive \"%s\" in bdb database definition (ignored)\n",
- fname, lineno, argv[0] );
+ return SLAP_CONF_UNKNOWN;
}
return 0;
}
}
+ if ( rs->sr_err == LDAP_SUCCESS && !noop && !op->o_no_psearch ) {
+ ldap_pvt_thread_rdwr_rlock( &bdb->bi_pslist_rwlock );
+ LDAP_LIST_FOREACH( ps_list, &bdb->bi_psearch_list, o_ps_link ) {
+ bdb_psearch( op, rs, ps_list, e, LDAP_PSEARCH_BY_DELETE );
+ }
+ ldap_pvt_thread_rdwr_runlock( &bdb->bi_pslist_rwlock );
+ }
+
rs->sr_err = TXN_COMMIT( ltid, 0 );
}
ltid = NULL;
return_results:
send_ldap_result( op, rs );
- if ( rs->sr_err == LDAP_SUCCESS && !noop && !op->o_no_psearch ) {
- LDAP_LIST_FOREACH( ps_list, &bdb->bi_psearch_list, o_ps_link ) {
- bdb_psearch( op, rs, ps_list, e, LDAP_PSEARCH_BY_DELETE );
- }
- }
-
if(rs->sr_err == LDAP_SUCCESS && bdb->bi_txn_cp ) {
ldap_pvt_thread_yield();
TXN_CHECKPOINT( bdb->bi_dbenv,
struct berval *oid;
BI_op_extended *extended;
} exop_table[] = {
- { (struct berval *)&slap_EXOP_MODIFY_PASSWD, bdb_exop_passwd },
{ NULL, NULL }
};
const char *text;
DB *db;
struct berval *keys;
- void *mark;
assert( mask );
return LDAP_OTHER;
}
-#if 0 /* No longer needed, our frees are in order so nothing accumulates */
- mark = sl_mark(op->o_tmpmemctx);
-#endif
-
if( IS_SLAP_INDEX( mask, SLAP_INDEX_PRESENT ) ) {
rc = bdb_key_change( op->o_bd, db, txn, &presence_key, id, opid );
if( rc ) {
}
done:
-#if 0
- sl_release( mark, op->o_tmpmemctx );
-#endif
return rc;
}
ldap_pvt_thread_mutex_init( &bdb->bi_database_mutex );
ldap_pvt_thread_mutex_init( &bdb->bi_lastid_mutex );
+ ldap_pvt_thread_rdwr_init ( &bdb->bi_pslist_rwlock );
ldap_pvt_thread_mutex_init( &bdb->bi_cache.lru_mutex );
ldap_pvt_thread_mutex_init( &bdb->bi_cache.c_dntree.bei_kids_mutex );
ldap_pvt_thread_rdwr_init ( &bdb->bi_cache.c_rwlock );
path,
/* bdbi_databases[i].name, */ NULL,
bdbi_databases[i].type,
- bdbi_databases[i].flags | flags | DB_AUTO_COMMIT,
+ bdbi_databases[i].flags | flags,
bdb->bi_dbenv_mode );
#else
rc = DB_OPEN( db->bdi_db,
bdbi_databases[i].file,
/* bdbi_databases[i].name, */ NULL,
bdbi_databases[i].type,
- bdbi_databases[i].flags | flags | DB_AUTO_COMMIT,
+ bdbi_databases[i].flags | flags,
bdb->bi_dbenv_mode );
#endif
ldap_pvt_thread_rdwr_destroy ( &bdb->bi_cache.c_rwlock );
ldap_pvt_thread_mutex_destroy( &bdb->bi_cache.lru_mutex );
ldap_pvt_thread_mutex_destroy( &bdb->bi_cache.c_dntree.bei_kids_mutex );
+ ldap_pvt_thread_rdwr_destroy ( &bdb->bi_pslist_rwlock );
ldap_pvt_thread_mutex_destroy( &bdb->bi_lastid_mutex );
ldap_pvt_thread_mutex_destroy( &bdb->bi_database_mutex );
#ifdef SLAP_IDL_CACHE
LDAP_CONTROL_ASSERT,
LDAP_CONTROL_MANAGEDSAIT,
LDAP_CONTROL_NOOP,
-#ifdef LDAP_CONTROL_PAGEDRESULTS
LDAP_CONTROL_PAGEDRESULTS,
-#endif
#ifdef LDAP_CONTROL_SUBENTRIES
LDAP_CONTROL_SUBENTRIES,
#endif
}
if ( rs->sr_err == LDAP_SUCCESS && !op->o_noop && !op->o_no_psearch ) {
+ ldap_pvt_thread_rdwr_rlock( &bdb->bi_pslist_rwlock );
LDAP_LIST_FOREACH ( ps_list, &bdb->bi_psearch_list, o_ps_link ) {
bdb_psearch(op, rs, ps_list, e, LDAP_PSEARCH_BY_PREMODIFY );
}
+ ldap_pvt_thread_rdwr_runlock( &bdb->bi_pslist_rwlock );
}
if( op->o_preread ) {
}
}
+ if ( rs->sr_err == LDAP_SUCCESS && !op->o_noop ) {
+ /* Loop through in-scope entries for each psearch spec */
+ ldap_pvt_thread_rdwr_rlock( &bdb->bi_pslist_rwlock );
+ LDAP_LIST_FOREACH ( ps_list, &bdb->bi_psearch_list, o_ps_link ) {
+ bdb_psearch( op, rs, ps_list, e, LDAP_PSEARCH_BY_MODIFY );
+ }
+ ldap_pvt_thread_rdwr_runlock( &bdb->bi_pslist_rwlock );
+ pm_list = LDAP_LIST_FIRST(&op->o_pm_list);
+ while ( pm_list != NULL ) {
+ bdb_psearch(op, rs, pm_list->ps_op,
+ e, LDAP_PSEARCH_BY_SCOPEOUT);
+ LDAP_LIST_REMOVE ( pm_list, ps_link );
+ pm_prev = pm_list;
+ pm_list = LDAP_LIST_NEXT ( pm_list, ps_link );
+ ch_free( pm_prev );
+ }
+ }
+
rs->sr_err = TXN_COMMIT( ltid, 0 );
}
ltid = NULL;
return_results:
send_ldap_result( op, rs );
- if ( rs->sr_err == LDAP_SUCCESS && !op->o_noop ) {
- /* Loop through in-scope entries for each psearch spec */
- LDAP_LIST_FOREACH ( ps_list, &bdb->bi_psearch_list, o_ps_link ) {
- bdb_psearch( op, rs, ps_list, e, LDAP_PSEARCH_BY_MODIFY );
- }
- pm_list = LDAP_LIST_FIRST(&op->o_pm_list);
- while ( pm_list != NULL ) {
- bdb_psearch(op, rs, pm_list->ps_op,
- e, LDAP_PSEARCH_BY_SCOPEOUT);
- LDAP_LIST_REMOVE ( pm_list, ps_link );
- pm_prev = pm_list;
- pm_list = LDAP_LIST_NEXT ( pm_list, ps_link );
- ch_free( pm_prev );
- }
- }
-
if( rs->sr_err == LDAP_SUCCESS && bdb->bi_txn_cp ) {
ldap_pvt_thread_yield();
TXN_CHECKPOINT( bdb->bi_dbenv,
}
if ( rs->sr_err == LDAP_SUCCESS && !op->o_noop && !op->o_no_psearch ) {
+ ldap_pvt_thread_rdwr_rlock( &bdb->bi_pslist_rwlock );
LDAP_LIST_FOREACH ( ps_list, &bdb->bi_psearch_list, o_ps_link ) {
bdb_psearch( op, rs, ps_list, e, LDAP_PSEARCH_BY_PREMODIFY );
}
+ ldap_pvt_thread_rdwr_runlock( &bdb->bi_pslist_rwlock );
}
/* modify entry */
}
}
+ if ( rs->sr_err == LDAP_SUCCESS && !op->o_noop ) {
+ /* Loop through in-scope entries for each psearch spec */
+ ldap_pvt_thread_rdwr_rlock( &bdb->bi_pslist_rwlock );
+ LDAP_LIST_FOREACH ( ps_list, &bdb->bi_psearch_list, o_ps_link ) {
+ bdb_psearch( op, rs, ps_list, e, LDAP_PSEARCH_BY_MODIFY );
+ }
+ ldap_pvt_thread_rdwr_runlock( &bdb->bi_pslist_rwlock );
+ pm_list = LDAP_LIST_FIRST(&op->o_pm_list);
+ while ( pm_list != NULL ) {
+ bdb_psearch(op, rs, pm_list->ps_op,
+ e, LDAP_PSEARCH_BY_SCOPEOUT);
+ pm_prev = pm_list;
+ LDAP_LIST_REMOVE ( pm_list, ps_link );
+ pm_list = LDAP_LIST_NEXT ( pm_list, ps_link );
+ ch_free( pm_prev );
+ }
+ }
+
if(( rs->sr_err=TXN_COMMIT( ltid, 0 )) != 0 ) {
rs->sr_text = "txn_commit failed";
} else {
return_results:
send_ldap_result( op, rs );
- if ( rs->sr_err == LDAP_SUCCESS && !op->o_noop ) {
- /* Loop through in-scope entries for each psearch spec */
- LDAP_LIST_FOREACH ( ps_list, &bdb->bi_psearch_list, o_ps_link ) {
- bdb_psearch( op, rs, ps_list, e, LDAP_PSEARCH_BY_MODIFY );
- }
- pm_list = LDAP_LIST_FIRST(&op->o_pm_list);
- while ( pm_list != NULL ) {
- bdb_psearch(op, rs, pm_list->ps_op,
- e, LDAP_PSEARCH_BY_SCOPEOUT);
- pm_prev = pm_list;
- LDAP_LIST_REMOVE ( pm_list, ps_link );
- pm_list = LDAP_LIST_NEXT ( pm_list, ps_link );
- ch_free( pm_prev );
- }
- }
-
if( rs->sr_err == LDAP_SUCCESS && bdb->bi_txn_cp ) {
ldap_pvt_thread_yield();
TXN_CHECKPOINT( bdb->bi_dbenv,
+++ /dev/null
-/* passwd.c - bdb backend password routines */
-/* $OpenLDAP$ */
-/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
- *
- * Copyright 2000-2003 The OpenLDAP Foundation.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted only as authorized by the OpenLDAP
- * Public License.
- *
- * A copy of this license is available in the file LICENSE in the
- * top-level directory of the distribution or, alternatively, at
- * <http://www.OpenLDAP.org/license.html>.
- */
-
-#include "portable.h"
-
-#include <stdio.h>
-#include <ac/string.h>
-
-#include "back-bdb.h"
-#include "external.h"
-#include "lber_pvt.h"
-
-int
-bdb_exop_passwd( Operation *op, SlapReply *rs )
-{
- struct bdb_info *bdb = (struct bdb_info *) op->o_bd->be_private;
- int rc;
- Entry *e = NULL;
- EntryInfo *ei;
- struct berval hash = { 0, NULL };
- DB_TXN *ltid = NULL, *lt2;
- struct bdb_op_info opinfo;
- char textbuf[SLAP_TEXT_BUFLEN];
- size_t textlen = sizeof textbuf;
-
- struct berval id = { 0, NULL };
- struct berval new = { 0, NULL };
-
- struct berval dn = { 0, NULL };
- struct berval ndn = { 0, NULL };
-
- u_int32_t locker = 0;
- DB_LOCK lock;
-
- int num_retries = 0;
-
- assert( ber_bvcmp( &slap_EXOP_MODIFY_PASSWD, &op->oq_extended.rs_reqoid ) == 0 );
-
- rc = slap_passwd_parse( op->oq_extended.rs_reqdata,
- &id, NULL, &new, &rs->sr_text );
-
-#ifdef NEW_LOGGING
- LDAP_LOG ( ACL, ENTRY,
- "==>bdb_exop_passwd: \"%s\"\n", id.bv_val ? id.bv_val : "", 0, 0 );
-#else
- Debug( LDAP_DEBUG_ARGS, "==> bdb_exop_passwd: \"%s\"\n",
- id.bv_val ? id.bv_val : "", 0, 0 );
-#endif
-
- if( rc != LDAP_SUCCESS ) {
- goto done;
- }
-
- if( new.bv_len == 0 ) {
- slap_passwd_generate(&new);
-
- if( new.bv_len == 0 ) {
- rs->sr_text = "password generation failed.";
- rc = LDAP_OTHER;
- goto done;
- }
-
- rs->sr_rspdata = slap_passwd_return( &new );
- }
-
- slap_passwd_hash( &new, &hash, &rs->sr_text );
-
- if( hash.bv_len == 0 ) {
- if( !rs->sr_text ) rs->sr_text = "password hash failed";
- rc = LDAP_OTHER;
- goto done;
- }
-
- if( id.bv_len ) {
- dn = id;
- } else {
- dn = op->o_dn;
- }
-
-#ifdef NEW_LOGGING
- LDAP_LOG ( ACL, DETAIL1, "bdb_exop_passwd: \"%s\"%s\"\n",
- dn.bv_val, id.bv_len ? " (proxy)" : "", 0 );
-#else
- Debug( LDAP_DEBUG_TRACE, "bdb_exop_passwd: \"%s\"%s\n",
- dn.bv_val, id.bv_len ? " (proxy)" : "", 0 );
-#endif
-
- if( dn.bv_len == 0 ) {
- rs->sr_text = "No password is associated with the Root DSE";
- rc = LDAP_UNWILLING_TO_PERFORM;
- goto done;
- }
-
- rc = dnNormalize( 0, NULL, NULL, &dn, &ndn, op->o_tmpmemctx );
- if( rc != LDAP_SUCCESS ) {
- rs->sr_text = "Invalid DN";
- goto done;
- }
-
- if( 0 ) {
-retry: /* transaction retry */
- if ( e != NULL ) {
- bdb_unlocked_cache_return_entry_w(&bdb->bi_cache, e);
- }
-#ifdef NEW_LOGGING
- LDAP_LOG ( ACL, DETAIL1, "bdb_exop_passwd: retrying...\n", 0, 0, 0 );
-#else
- Debug( LDAP_DEBUG_TRACE, "bdb_exop_passwd: retrying...\n", 0, 0, 0 );
-#endif
- rc = TXN_ABORT( ltid );
- ltid = NULL;
- op->o_private = NULL;
- op->o_do_not_cache = opinfo.boi_acl_cache;
- if( rc != 0 ) {
- rc = LDAP_OTHER;
- rs->sr_text = "internal error";
- goto done;
- }
- ldap_pvt_thread_yield();
- bdb_trans_backoff( ++num_retries );
- }
-
- /* begin transaction */
- rc = TXN_BEGIN( bdb->bi_dbenv, NULL, <id,
- bdb->bi_db_opflags );
- rs->sr_text = NULL;
- if( rc != 0 ) {
-#ifdef NEW_LOGGING
- LDAP_LOG ( ACL, ERR,
- "bdb_exop_passwd: txn_begin failed: %s (%d)\n",
- db_strerror(rc), rc, 0 );
-#else
- Debug( LDAP_DEBUG_TRACE,
- "bdb_exop_passwd: txn_begin failed: %s (%d)\n",
- db_strerror(rc), rc, 0 );
-#endif
- rc = LDAP_OTHER;
- rs->sr_text = "internal error";
- goto done;
- }
-
- locker = TXN_ID ( ltid );
-
- opinfo.boi_bdb = op->o_bd;
- opinfo.boi_txn = ltid;
- opinfo.boi_locker = locker;
- opinfo.boi_err = 0;
- opinfo.boi_acl_cache = op->o_do_not_cache;
- op->o_private = &opinfo;
-
- /* get entry */
- rc = bdb_dn2entry( op, ltid, &ndn, &ei, 0 , locker, &lock );
-
- switch(rc) {
- case DB_LOCK_DEADLOCK:
- case DB_LOCK_NOTGRANTED:
- goto retry;
- case DB_NOTFOUND:
- case 0:
- break;
- case LDAP_BUSY:
- rs->sr_text = "ldap server busy";
- goto done;
- default:
- rc = LDAP_OTHER;
- rs->sr_text = "internal error";
- goto done;
- }
-
- if ( ei ) e = ei->bei_e;
-
- if ( e == NULL || is_entry_glue( e )) {
- /* FIXME: dn2entry() should return non-glue entry */
- rs->sr_text = "could not locate authorization entry";
- rc = LDAP_NO_SUCH_OBJECT;
- goto done;
- }
-
-#ifdef BDB_SUBENTRIES
- if( is_entry_subentry( e ) ) {
- /* entry is a subentry, don't allow operation */
- rs->sr_text = "authorization entry is subentry";
- rc = LDAP_OTHER;
- goto done;
- }
-#endif
-
-#ifdef BDB_ALIASES
- if( is_entry_alias( e ) ) {
- /* entry is an alias, don't allow operation */
- rs->sr_text = "authorization entry is alias";
- rc = LDAP_ALIAS_PROBLEM;
- goto done;
- }
-#endif
-
- if( is_entry_referral( e ) ) {
- /* entry is an referral, don't allow operation */
- rs->sr_text = "authorization entry is referral";
- rc = LDAP_OTHER;
- goto done;
- }
-
- /* nested transaction */
- rc = TXN_BEGIN( bdb->bi_dbenv, ltid, <2,
- bdb->bi_db_opflags );
- rs->sr_text = NULL;
- if( rc != 0 ) {
-#ifdef NEW_LOGGING
- LDAP_LOG ( OPERATION, ERR,
- "bdb_exop_passwd: txn_begin(2) failed: %s (%d)\n",
- db_strerror(rs->sr_err), rs->sr_err, 0 );
-#else
- Debug( LDAP_DEBUG_TRACE,
- "bdb_exop_passwd: txn_begin(2) failed: %s (%d)\n",
- db_strerror(rs->sr_err), rs->sr_err, 0 );
-#endif
- rc = LDAP_OTHER;
- rs->sr_text = "internal error";
- goto done;
- }
-
- {
- Modifications ml;
- struct berval vals[2];
- Entry dummy, *save;
-
- save = e;
- dummy = *e;
- e = &dummy;
-
- vals[0] = hash;
- vals[1].bv_val = NULL;
-
- ml.sml_desc = slap_schema.si_ad_userPassword;
- ml.sml_values = vals;
- ml.sml_nvalues = NULL;
- ml.sml_op = LDAP_MOD_REPLACE;
- ml.sml_next = NULL;
-
- rc = bdb_modify_internal( op, lt2,
- &ml, e, &rs->sr_text, textbuf, textlen );
-
- if ( (rc == LDAP_INSUFFICIENT_ACCESS) && opinfo.boi_err ) {
- rc = opinfo.boi_err;
- }
- switch(rc) {
- case DB_LOCK_DEADLOCK:
- case DB_LOCK_NOTGRANTED:
- rs->sr_text = NULL;
- goto retry;
- case 0:
- rs->sr_text = NULL;
- break;
- default:
- rc = LDAP_OTHER;
- rs->sr_text = "entry modify failed";
- goto done;
- }
-
- /* change the entry itself */
- rc = bdb_id2entry_update( op->o_bd, lt2, e );
- if( rc != 0 ) {
- switch(rc) {
- case DB_LOCK_DEADLOCK:
- case DB_LOCK_NOTGRANTED:
- goto retry;
- }
- rs->sr_text = "entry update failed";
- rc = LDAP_OTHER;
- }
- if ( TXN_COMMIT( lt2, 0 ) != 0 ) {
- rc = LDAP_OTHER;
- rs->sr_text = "txn_commit(2) failed";
- }
-
- if( rc == 0 ) {
- if( op->o_noop ) {
- rc = TXN_ABORT( ltid );
- } else {
- bdb_cache_modify( save, e->e_attrs,
- bdb->bi_dbenv, locker, &lock );
- rc = TXN_COMMIT( ltid, 0 );
- }
- ltid = NULL;
- }
- op->o_private = NULL;
-
- if( rc == LDAP_SUCCESS ) {
- op->o_req_dn = e->e_name;
- op->o_req_ndn = e->e_nname;
- op->oq_modify.rs_modlist = &ml;
- replog( op );
- op->oq_extended.rs_reqoid = slap_EXOP_MODIFY_PASSWD;
- }
- }
-
-done:
- if( e != NULL ) {
- bdb_unlocked_cache_return_entry_w( &bdb->bi_cache, e );
- }
-
- if( hash.bv_val != NULL ) {
- free( hash.bv_val );
- }
-
- if( ndn.bv_val != NULL ) {
- op->o_tmpfree( ndn.bv_val, op->o_tmpmemctx );
- }
-
- if( ltid != NULL ) {
- TXN_ABORT( ltid );
- op->o_private = NULL;
- }
-
- return rc;
-}
char *textbuf,
size_t textlen );
-/*
- * passwd.c
- */
-#define bdb_exop_passwd BDB_SYMBOL(exop_passwd)
-
-BI_op_extended bdb_exop_passwd;
-
/*
* cache.c
/* psearch needs to be registered before refresh begins */
/* psearch and refresh transmission is serialized in send_ldap_ber() */
if ( !IS_PSEARCH && sop->o_sync_mode & SLAP_SYNC_PERSIST ) {
- ldap_pvt_thread_mutex_lock( &bdb->bi_pslist_mutex );
+ ldap_pvt_thread_rdwr_wlock( &bdb->bi_pslist_rwlock );
LDAP_LIST_INSERT_HEAD( &bdb->bi_psearch_list, sop, o_ps_link );
- ldap_pvt_thread_mutex_unlock( &bdb->bi_pslist_mutex );
+ ldap_pvt_thread_rdwr_wunlock( &bdb->bi_pslist_rwlock );
} else if ( !IS_PSEARCH && sop->o_sync_mode & SLAP_SYNC_REFRESH_AND_PERSIST
&& sop->o_sync_slog_size >= 0 ) {
- ldap_pvt_thread_mutex_lock( &bdb->bi_pslist_mutex );
+ ldap_pvt_thread_rdwr_wlock( &bdb->bi_pslist_rwlock );
LDAP_LIST_FOREACH( ps_list, &bdb->bi_psearch_list, o_ps_link ) {
if ( ps_list->o_sync_slog_size >= 0 ) {
if ( ps_list->o_sync_state.sid == sop->o_sync_state.sid ) {
} else {
sop->o_sync_state.sid = -1;
}
- ldap_pvt_thread_mutex_unlock( &bdb->bi_pslist_mutex );
+ ldap_pvt_thread_rdwr_wunlock( &bdb->bi_pslist_rwlock );
}
null_attr.an_desc = NULL;
}
e = NULL;
- rs->sr_err = bdb_get_commit_csn( sop, rs, &search_context_csn, locker, &ctxcsn_lock );
+ if ( !IS_PSEARCH ) {
+ rs->sr_err = bdb_get_commit_csn( sop, rs, &search_context_csn, locker, &ctxcsn_lock );
- if ( rs->sr_err != LDAP_SUCCESS ) {
- send_ldap_error( sop, rs, rs->sr_err, "error in csn management in search" );
- goto done;
- }
+ if ( rs->sr_err != LDAP_SUCCESS ) {
+ send_ldap_error( sop, rs, rs->sr_err, "error in csn management in search" );
+ goto done;
+ }
- if ( sop->o_sync_mode != SLAP_SYNC_NONE && sop->o_sync_state.ctxcsn &&
- sop->o_sync_state.ctxcsn->bv_val &&
- ber_bvcmp( &sop->o_sync_state.ctxcsn[0], search_context_csn ) == 0 )
- {
- bdb_cache_entry_db_unlock( bdb->bi_dbenv, &ctxcsn_lock );
- goto nochange;
+ if ( sop->o_sync_mode != SLAP_SYNC_NONE && sop->o_sync_state.ctxcsn &&
+ sop->o_sync_state.ctxcsn->bv_val &&
+ ber_bvcmp( &sop->o_sync_state.ctxcsn[0], search_context_csn ) == 0 )
+ {
+ bdb_cache_entry_db_unlock( bdb->bi_dbenv, &ctxcsn_lock );
+ goto nochange;
+ }
+ } else {
+ search_context_csn = ber_dupbv( NULL, &op->o_sync_csn );
}
/* select candidates */
rs->sr_err = search_candidates( op, sop, rs, &base, locker, candidates, scopes );
}
- if ( sop->o_sync_mode != SLAP_SYNC_NONE ) {
- bdb_cache_entry_db_unlock( bdb->bi_dbenv, &ctxcsn_lock );
+ if ( !IS_PSEARCH ) {
+ if ( sop->o_sync_mode != SLAP_SYNC_NONE ) {
+ bdb_cache_entry_db_unlock( bdb->bi_dbenv, &ctxcsn_lock );
+ }
}
/* start cursor at beginning of candidates.
tentries = BDB_IDL_N(candidates);
}
-#ifdef LDAP_CONTROL_PAGEDRESULTS
if ( get_pagedresults(sop) ) {
if ( sop->o_pagedresults_state.ps_cookie == 0 ) {
id = 0;
}
goto loop_begin;
}
-#endif
if ( (sop->o_sync_mode & SLAP_SYNC_REFRESH) || IS_PSEARCH )
{
goto done;
}
-#ifdef LDAP_CONTROL_PAGEDRESULTS
if ( get_pagedresults(sop) ) {
if ( rs->sr_nentries >= sop->o_pagedresults_size ) {
send_pagerequest_response( sop, rs,
}
lastid = id;
}
-#endif
if (e) {
/* safe default */
} else {
if ( !no_sync_state_change ) {
int slog_found = 0;
- ldap_pvt_thread_mutex_lock( &bdb->bi_pslist_mutex );
+ ldap_pvt_thread_rdwr_rlock( &bdb->bi_pslist_rwlock );
LDAP_LIST_FOREACH( ps_list, &bdb->bi_psearch_list, o_ps_link ) {
if ( ps_list->o_sync_slog_size > 0 ) {
if ( ps_list->o_sync_state.sid == sop->o_sync_state.sid ) {
rs->sr_ctrls = NULL;
slap_send_session_log( op, ps_list, rs );
}
- ldap_pvt_thread_mutex_unlock( &bdb->bi_pslist_mutex );
+ ldap_pvt_thread_rdwr_runlock( &bdb->bi_pslist_rwlock );
}
rs->sr_err = LDAP_SUCCESS;
rs->sr_rspoid = LDAP_SYNC_INFO;
} else {
if ( !no_sync_state_change ) {
int slog_found = 0;
- ldap_pvt_thread_mutex_lock( &bdb->bi_pslist_mutex );
+ ldap_pvt_thread_rdwr_rlock( &bdb->bi_pslist_rwlock );
LDAP_LIST_FOREACH( ps_list, &bdb->bi_psearch_list,
o_ps_link ) {
if ( ps_list->o_sync_slog_size > 0 ) {
if ( slog_found ) {
slap_send_session_log( op, ps_list, rs );
}
- ldap_pvt_thread_mutex_unlock( &bdb->bi_pslist_mutex );
+ ldap_pvt_thread_rdwr_runlock( &bdb->bi_pslist_rwlock );
}
slap_build_sync_done_ctrl( sop, rs, ctrls,
num_ctrls++, 1, &cookie, LDAP_SYNC_REFRESH_DELETES );
{
int rc = 0;
+ assert( f );
+
if( cur > *max ) *max = cur;
switch(f->f_choice) {
return rc;
}
-#ifdef LDAP_CONTROL_PAGEDRESULTS
static void
send_pagerequest_response(
Operation *op,
done:
(void) ber_free_buf( ber );
}
-#endif
/* no configuration options (yet) */
{
- fprintf( stderr,
- "%s: line %d: unknown directive \"%s\""
- " in DNSSRV database definition (ignored)\n",
- fname, lineno, argv[0] );
+ return SLAP_CONF_UNKNOWN;
}
return 0;
}
XXSRCS = init.c tools.c config.c \
add.c bind.c compare.c delete.c modify.c modrdn.c search.c \
- extended.c passwd.c referral.c operational.c \
+ extended.c referral.c operational.c \
attr.c index.c key.c dbcache.c filterindex.c trans.c \
dn2entry.c dn2id.c error.c id2entry.c idl.c nextid.c cache.c ctxcsn.c
SRCS = $(XXSRCS)
OBJS = init.lo tools.lo config.lo \
add.lo bind.lo compare.lo delete.lo modify.lo modrdn.lo search.lo \
- extended.lo passwd.lo referral.lo operational.lo \
+ extended.lo referral.lo operational.lo \
attr.lo index.lo key.lo dbcache.lo filterindex.lo trans.lo \
dn2entry.lo dn2id.lo error.lo id2entry.lo idl.lo nextid.lo cache.lo ctxcsn.lo
+++ /dev/null
-Copyright 2000, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
-
-The backend back-ldap has been modified as follows:
-
-* The LDAP handlers have been put under an avl tree, in an attempt
- to improve the access to connections in heavy loaded environments
- (many clients connecting simultaneously for long times, e.g.
- authenticators that make successive searches and binds without
- renewing the handler).
- This required to change the lcs member of struct ldapinfo into
- an (Avlnode *) member called conntree.
- The member next in the ldapconn struct has been eliminated because
- it is no longer needed.
-
-* The ldap_back_dobind function has been forced to return the value
- of the bound flag instead of void; there is no longer need to test
- for the flag outside the function as a test was already in.
- Now the function can be called as
-
- if ( !ldap_back_dobind( lc, op ) ) {
- /* handle error */
- }
-
-* The suffix of the operations can be "massaged", i.e. changed to
- a different suffix to implement what has been termed a
- "virtual naming context": an incoming request with a certain
- base or related to a certain dn is turned into a request to a different
- server with the base or the dn changed in its terminal part (the naming
- context). The resulting entries, if any, have the real naming context
- changed back into the virtual naming context.
-
- This required to add a suffixMassage configuration line of the form
-
- suffix "virtual naming context"
- suffixMassage "virtual naming context" "real naming context"
-
- (the name of the configuration parameter will be changed to something
- more appropriate as will result from a debate in the -devel mailing
- list).
- The "virtual naming context" must appear in a suffix configuration line
- so the server can select the appropriate backend; then the suffixMassage
- configuration line maps the "virtual" and the "real" naming contexts
- back and forth.
- This allows one to map multiple real naming contexts as branches
- of a single naming context, provided these reside on the same server:
-
- suffix "ou=Branch 1, o=My Org, c=IT"
- suffixMassage "ou=Branch 1, o=My Org, c=IT" "o=Org 1, c=IT"
- suffix "ou=Branch 2, o=My Org, c=IT"
- suffixMassage "ou=Branch 2, o=My Org, c=IT" "dc=host, dc=net"
- suffix "o=My Org, c=IT"
- suffixMassage "o=My Org, c=IT" "dc=host, dc=it"
-
- Note that the "same server" limitation can be overcome by using
- multiple back-ldap databases, each pointing to the appropriate
- server.
-
- Another choice, which would not allow multiple naming contexts
- being served by the same database, is to use the "dn" part of the
- "uri" configuration parameter, e.g.:
-
- suffix "virtual naming context"
- uri "ldap://ldap.my.org:port/real naming context"
-
- This has not been implemented yet.
-
- A possible future enhancement will allow the ldap backend to handle
- multiple servers within a single naming context.
-
- Two functions, ldap_back_dn_massage and ldap_back_dn_restore, have
- been added. The former changes the bind dn or the search base,
- in case its terminal portion matches the "virtual naming context"
- of a suffixMassage entry, to the corresponding "real naming context"
- suffixed value.
- The latter turns the entry's dn back to the "virtual naming context"
- suffixed form if the real dn terminal portion matches any "real naming
- context" part of a suffixMassage configuration line.
- The deferred bind required to add the bound_dn member to the ldapconn
- struct.
- As of the time of this writing, all the backend operations that
- require writing (add, delete, modify, modrdn) have been added the
- massaging capability; it can be safely turned off by turning on
- the readonly mode at the backend level. The massaging is performed
- only on the dn of the entry that is modified, and in the modrdn
- operation it affects both the old and the newSuperior dn.
-
-* Cleanup/minor bug fixes/software enhancements:
-
- - the suffix member (unused) has been eliminated (commented out)
- from the ldapinfo struct.
-
- - bind.c:ldap_back_op_result: a check of the value of "match" and
- "msg" variables is added before freeing them (got a NULL "match"
- when the server the backend points to was restarted).
-
- - search.c:ldap_send_entry: the member a_desc in the (Attribute *)
- "attr" must be set to NULL before calling slap_str2ad, otherwise
- an assertion fails (ITS #919).
-
- - search.c:ldap_send_entry: the entry's ent.e_dn and ent.e_ndn members
- need be freed before returning because they were allocated inside
- the routine.
-
- - modify.c:ldap_back_modify: the Modifications member sml_op needs be
- ORed with LDAP_MOD_BVALUES to force the ldap_modify_s routine
- handle the modifications as bervals:
-
- mods[i].mod_op = ml->sml_op | LDAP_MOD_BVALUES;
-
-* Notes:
- - there a possible memory leak in the backend, because the memory
- occupation of the slapd processes steadily grows when it is
- repeatedly accessed.
-
- - when writing (add/modify) lastmod must be set to OFF otherwise
- the lastmod attributes will be added to the entry mods and the
- target server will complain about
-
- ldap_modify: Constraint violation
- ldap_modify: additional info: no user modification allowed
-
+++ /dev/null
-Copyright 1999-2003 The OpenLDAP Foundation.
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted only as authorized by the OpenLDAP
-Public License.
-
-A copy of this license is available in the file LICENSE in the
-top-level directory of the distribution or, alternatively, at
-<http://www.OpenLDAP.org/license.html>.
-
----
-This is an "altered version".
----
-
-Portions Copyright 1999, Howard Chu, All rights reserved.
-<hyc@highlandsun.com>
-
-Permission is granted to anyone to use this software for any purpose
-on any computer system, and to alter it and redistribute it, subject
-to the following restrictions:
-
-1. The author is not responsible for the consequences of use of this
- software, no matter how awful, even if they arise from flaws in it.
-
-2. The origin of this software must not be misrepresented, either by
- explicit claim or by omission. Since few users ever read sources,
- credits should appear in the documentation.
-
-3. Altered versions must be plainly marked as such, and must not be
- misrepresented as being the original software. Since few users
- ever read sources, credits should appear in the documentation.
-
-4. This notice may not be removed or altered.
-
----
-
-Portions Copyright 2000, Pierangelo Masarati, All rights reserved.
-<ando@sys-net.it>
-
-This software is being modified by Pierangelo Masarati.
-The previously reported conditions apply to the modified code as well.
-Changes in the original code are highlighted where required.
-Credits for the original code go to the author, Howard Chu.
-
mod_DEFS = -DSLAPD_IMPORT
MOD_DEFS = $(@BUILD_LDAP@_DEFS)
+mod_REWRITE = $(LDAP_LIBREWRITE_A)
+
+REWRITE = $(@BUILD_META@_REWRITE) $(@BUILD_LDAP@_REWRITE)
shared_LDAP_LIBS = $(LDAP_LIBLDAP_R_LA) $(LDAP_LIBLBER_LA)
-NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
-UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
+NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) $(REWRITE)
+UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) $(REWRITE)
LIBBASE = back_ldap
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 1999-2003 The OpenLDAP Foundation.
+ * Portions Copyright 2000-2003 Pierangelo Masarati.
+ * Portions Copyright 1999-2003 Howard Chu.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* in OpenLDAP Software and subsequently enhanced by Pierangelo
* Masarati.
*/
-/* This is an altered version */
-/*
- * Copyright 1999, Howard Chu, All rights reserved. <hyc@highlandsun.com>
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author is not responsible for the consequences of use of this
- * software, no matter how awful, even if they arise from flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- *
- * 4. This notice may not be removed or altered.
- *
- *
- *
- * Copyright 2000, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
- *
- * This software is being modified by Pierangelo Masarati.
- * The previously reported conditions apply to the modified code as well.
- * Changes in the original code are highlighted where required.
- * Credits for the original code go to the author, Howard Chu.
- */
#include "portable.h"
struct berval mdn = { 0, NULL };
ber_int_t msgid;
dncookie dc;
+#ifdef LDAP_BACK_PROXY_AUTHZ
+ LDAPControl **ctrls = NULL;
+ int rc = LDAP_SUCCESS;
+#endif /* LDAP_BACK_PROXY_AUTHZ */
#ifdef NEW_LOGGING
LDAP_LOG( BACK_LDAP, ENTRY, "ldap_back_add: %s\n", op->o_req_dn.bv_val, 0, 0 );
}
attrs[i] = NULL;
+#ifdef LDAP_BACK_PROXY_AUTHZ
+ rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls );
+ if ( rc != LDAP_SUCCESS ) {
+ goto cleanup;
+ }
+#endif /* LDAP_BACK_PROXY_AUTHZ */
+
rs->sr_err = ldap_add_ext(lc->ld, mdn.bv_val, attrs,
- op->o_ctrls, NULL, &msgid);
+#ifdef LDAP_BACK_PROXY_AUTHZ
+ ctrls,
+#else /* ! LDAP_BACK_PROXY_AUTHZ */
+ op->o_ctrls,
+#endif /* ! LDAP_BACK_PROXY_AUTHZ */
+ NULL, &msgid);
+
+#ifdef LDAP_BACK_PROXY_AUTHZ
+cleanup:
+ if ( ctrls && ctrls != op->o_ctrls ) {
+ free( ctrls[ 0 ] );
+ free( ctrls );
+ }
+#endif /* LDAP_BACK_PROXY_AUTHZ */
+
for (--i; i>= 0; --i) {
ch_free(attrs[i]->mod_vals.modv_bvals);
ch_free(attrs[i]);
if ( mdn.bv_val != op->o_req_dn.bv_val ) {
free( mdn.bv_val );
}
-
+#ifdef LDAP_BACK_PROXY_AUTHZ
+ if ( rc != LDAP_SUCCESS ) {
+ send_ldap_result( op, rs );
+ return -1;
+ }
+#endif /* LDAP_BACK_PROXY_AUTHZ */
return ldap_back_op_result( lc, op, rs, msgid, 1 ) != LDAP_SUCCESS;
}
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 1999-2003 The OpenLDAP Foundation.
+ * Portions Copyright 2000-2003 Pierangelo Masarati.
+ * Portions Copyright 1999-2003 Howard Chu.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* in OpenLDAP Software and subsequently enhanced by Pierangelo
* Masarati.
*/
-/* This is an altered version */
-/*
- * Copyright 1999, Howard Chu, All rights reserved. <hyc@highlandsun.com>
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author is not responsible for the consequences of use of this
- * software, no matter how awful, even if they arise from flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- *
- * 4. This notice may not be removed or altered.
- *
- *
- *
- * Copyright 2000, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
- *
- * This software is being modified by Pierangelo Masarati.
- * The previously reported conditions apply to the modified code as well.
- * Changes in the original code are highlighted where required.
- * Credits for the original code go to the author, Howard Chu.
- */
#ifndef SLAPD_LDAP_H
#define SLAPD_LDAP_H
char *url;
struct berval binddn;
struct berval bindpw;
+#ifdef LDAP_BACK_PROXY_AUTHZ
+ struct berval proxyauthzdn;
+ struct berval proxyauthzpw;
+#endif /* LDAP_BACK_PROXY_AUTHZ */
ldap_pvt_thread_mutex_t conn_mutex;
int savecred;
Avlnode *conntree;
extern int ldap_chain_setup();
+#ifdef LDAP_BACK_PROXY_AUTHZ
+extern int
+ldap_back_proxy_authz_ctrl(
+ struct ldapconn *lc,
+ Operation *op,
+ SlapReply *rs,
+ LDAPControl ***pctrls );
+#endif /* LDAP_BACK_PROXY_AUTHZ */
+
LDAP_END_DECL
#endif /* SLAPD_LDAP_H */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 1999-2003 The OpenLDAP Foundation.
+ * Portions Copyright 2000-2003 Pierangelo Masarati.
+ * Portions Copyright 1999-2003 Howard Chu.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* in OpenLDAP Software and subsequently enhanced by Pierangelo
* Masarati.
*/
-/* This is an altered version */
-/*
- * Copyright 1999, Howard Chu, All rights reserved. <hyc@highlandsun.com>
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author is not responsible for the consequences of use of this
- * software, no matter how awful, even if they arise from flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- *
- * 4. This notice may not be removed or altered.
- *
- *
- *
- * Copyright 2000, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
- *
- * This software is being modified by Pierangelo Masarati.
- * The previously reported conditions apply to the modified code as well.
- * Changes in the original code are highlighted where required.
- * Credits for the original code go to the author, Howard Chu.
- */
#include "portable.h"
int
ldap_back_dobind( struct ldapconn *lc, Operation *op, SlapReply *rs )
{
+ struct ldapinfo *li = (struct ldapinfo *)op->o_bd->be_private;
int rc;
ber_int_t msgid;
ldap_pvt_thread_mutex_lock( &lc->lc_mutex );
if ( !lc->bound ) {
- rs->sr_err = ldap_sasl_bind(lc->ld, lc->bound_dn.bv_val,
- LDAP_SASL_SIMPLE, &lc->cred, NULL, NULL, &msgid);
+#ifdef LDAP_BACK_PROXY_AUTHZ
+ int gotit = 0;
+#if 0
+ /*
+ * FIXME: we need to let clients use proxyAuthz
+ * otherwise we cannot do symmetric pools of servers;
+ * we have to live with the fact that a user can
+ * authorize itself as any ID that is allowed
+ * by the saslAuthzTo directive of the "proxyauthzdn".
+ */
+ /*
+ * NOTE: current Proxy Authorization specification
+ * and implementation do not allow proxy authorization
+ * control to be provided with Bind requests
+ */
+ gotit = op->o_proxy_authz;
+#endif
+
+ /*
+ * if no bind took place yet, but the connection is bound
+ * and the "proxyauthzdn" is set, then bind as
+ * "proxyauthzdn" and explicitly add the proxyAuthz
+ * control to every operation with the dn bound
+ * to the connection as control value.
+ */
+ if ( ( lc->bound_dn.bv_val == NULL || lc->bound_dn.bv_len == 0 )
+ && ( op->o_conn && op->o_conn->c_dn.bv_val != NULL && op->o_conn->c_dn.bv_len != 0 )
+ && ( li->proxyauthzdn.bv_val != NULL && li->proxyauthzdn.bv_len != 0 )
+ && ! gotit ) {
+ rs->sr_err = ldap_sasl_bind(lc->ld, li->proxyauthzdn.bv_val,
+ LDAP_SASL_SIMPLE, &li->proxyauthzpw, NULL, NULL, &msgid);
+
+ } else
+#endif /* LDAP_BACK_PROXY_AUTHZ */
+ {
+ rs->sr_err = ldap_sasl_bind(lc->ld, lc->bound_dn.bv_val,
+ LDAP_SASL_SIMPLE, &lc->cred, NULL, NULL, &msgid);
+ }
+
rc = ldap_back_op_result( lc, op, rs, msgid, 0 );
if (rc == LDAP_SUCCESS) {
lc->bound = 1;
return( (rs->sr_err == LDAP_SUCCESS) ? 0 : -1 );
}
+#ifdef LDAP_BACK_PROXY_AUTHZ
+/*
+ * ldap_back_proxy_authz_ctrl() prepends a proxyAuthz control
+ * to existing server-side controls if required; if not,
+ * the existing server-side controls are placed in *pctrls.
+ * The caller, after using the controls in client API
+ * operations, if ( *pctrls != op->o_ctrls ), should
+ * free( (*pctrls)[ 0 ] ) and free( *pctrls ).
+ * The function returns success if the control could
+ * be added if required, or if it did nothing; in the future,
+ * it might return some error if it failed.
+ *
+ * if no bind took place yet, but the connection is bound
+ * and the "proxyauthzdn" is set, then bind as "proxyauthzdn"
+ * and explicitly add proxyAuthz the control to every operation
+ * with the dn bound to the connection as control value.
+ *
+ * If no server-side controls are defined for the operation,
+ * simply add the proxyAuthz control; otherwise, if the
+ * proxyAuthz control is not already set, add it as
+ * the first one (FIXME: is controls order significant
+ * for security?).
+ */
+int
+ldap_back_proxy_authz_ctrl(
+ struct ldapconn *lc,
+ Operation *op,
+ SlapReply *rs,
+ LDAPControl ***pctrls )
+{
+ struct ldapinfo *li = (struct ldapinfo *) op->o_bd->be_private;
+ LDAPControl **ctrls = NULL;
+
+ *pctrls = NULL;
+
+ if ( ( lc->bound_dn.bv_val == NULL || lc->bound_dn.bv_len == 0 )
+ && ( op->o_conn && op->o_conn->c_dn.bv_val != NULL && op->o_conn->c_dn.bv_len != 0 )
+ && ( li->proxyauthzdn.bv_val != NULL && li->proxyauthzdn.bv_len != 0 ) ) {
+ int i = 0;
+
+ if ( !op->o_proxy_authz ) {
+ ctrls = ch_malloc( sizeof( LDAPControl * ) * (i + 2) );
+ ctrls[ 0 ] = ch_malloc( sizeof( LDAPControl ) );
+
+ ctrls[ 0 ]->ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ;
+ ctrls[ 0 ]->ldctl_iscritical = 1;
+ ctrls[ 0 ]->ldctl_value.bv_len = op->o_conn->c_dn.bv_len + 3;
+ ctrls[ 0 ]->ldctl_value.bv_val = ch_malloc( ctrls[ 0 ]->ldctl_value.bv_len + 1 );
+ AC_MEMCPY( ctrls[ 0 ]->ldctl_value.bv_val, "dn:", sizeof( "dn:" ) - 1 );
+ AC_MEMCPY( ctrls[ 0 ]->ldctl_value.bv_val + sizeof( "dn:") - 1,
+ op->o_conn->c_dn.bv_val, op->o_conn->c_dn.bv_len + 1 );
+
+ if ( op->o_ctrls ) {
+ for ( i = 0; op->o_ctrls[ i ]; i++ ) {
+ ctrls[ i + 1 ] = op->o_ctrls[ i ];
+ }
+ }
+ ctrls[ i + 1 ] = NULL;
+
+ } else {
+ /*
+ * FIXME: we do not want to perform proxyAuthz
+ * on behalf of the client, because this would
+ * be performed with "proxyauthzdn" privileges.
+ *
+ * This might actually be too strict, since
+ * the "proxyauthzdn" saslAuthzTo, and each entry's
+ * saslAuthzFrom attributes may be crafted
+ * to avoid unwanted proxyAuthz to take place.
+ */
+#if 0
+ rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
+ rs->sr_text = "proxyAuthz not allowed within namingContext";
+#endif
+ }
+ }
+
+ if ( ctrls == NULL ) {
+ ctrls = op->o_ctrls;
+ }
+
+ *pctrls = ctrls;
+
+ return rs->sr_err;
+}
+#endif /* LDAP_BACK_PROXY_AUTHZ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 2003 The OpenLDAP Foundation.
+ * Portions Copyright 2003 Howard Chu.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* This work was initially developed by the Howard Chu for inclusion
* in OpenLDAP Software.
*/
-/* This is an altered version */
-/*
- * Copyright 2003, Howard Chu, All rights reserved. <hyc@highlandsun.com>
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author is not responsible for the consequences of use of this
- * software, no matter how awful, even if they arise from flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- *
- * 4. This notice may not be removed or altered.
- */
#include "portable.h"
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 2003 The OpenLDAP Foundation.
+ * Portions Copyright 1999-2003 Howard Chu.
+ * Portions Copyright 2000-2003 Pierangelo Masarati.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* in OpenLDAP Software and subsequently enhanced by Pierangelo
* Masarati.
*/
-/* This is an altered version */
-/*
- * Copyright 1999, Howard Chu, All rights reserved. <hyc@highlandsun.com>
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author is not responsible for the consequences of use of this
- * software, no matter how awful, even if they arise from flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- *
- * 4. This notice may not be removed or altered.
- *
- *
- *
- * Copyright 2000, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
- *
- * This software is being modified by Pierangelo Masarati.
- * The previously reported conditions apply to the modified code as well.
- * Changes in the original code are highlighted where required.
- * Credits for the original code go to the author, Howard Chu.
- */
#include "portable.h"
{
struct ldapinfo *li = (struct ldapinfo *) op->o_bd->be_private;
struct ldapconn *lc;
- struct berval mapped_at, mapped_val;
+ struct berval mapped_at = { 0, NULL }, mapped_val = { 0, NULL };
struct berval mdn = { 0, NULL };
ber_int_t msgid;
int freeval = 0;
dncookie dc;
+#ifdef LDAP_BACK_PROXY_AUTHZ
+ LDAPControl **ctrls = NULL;
+ int rc = LDAP_SUCCESS;
+#endif /* LDAP_BACK_PROXY_AUTHZ */
lc = ldap_back_getconn(op, rs);
if (!lc || !ldap_back_dobind( lc, op, rs ) ) {
} else if (mapped_val.bv_val != op->orc_ava->aa_value.bv_val) {
freeval = 1;
}
+ } else {
+ mapped_val = op->orc_ava->aa_value;
}
}
- rs->sr_err = ldap_compare_ext( lc->ld, mdn.bv_val, mapped_at.bv_val,
- &mapped_val, op->o_ctrls, NULL, &msgid );
+#ifdef LDAP_BACK_PROXY_AUTHZ
+ rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls );
+ if ( rc != LDAP_SUCCESS ) {
+ goto cleanup;
+ }
+#endif /* LDAP_BACK_PROXY_AUTHZ */
+
+ rs->sr_err = ldap_compare_ext( lc->ld, mdn.bv_val,
+ mapped_at.bv_val, &mapped_val,
+#ifdef LDAP_BACK_PROXY_AUTHZ
+ ctrls,
+#else /* ! LDAP_BACK_PROXY_AUTHZ */
+ op->o_ctrls,
+#endif /* ! LDAP_BACK_PROXY_AUTHZ */
+ NULL, &msgid );
+#ifdef LDAP_BACK_PROXY_AUTHZ
+cleanup:
+ if ( ctrls && ctrls != op->o_ctrls ) {
+ free( ctrls[ 0 ] );
+ free( ctrls );
+ }
+#endif /* LDAP_BACK_PROXY_AUTHZ */
+
if ( mdn.bv_val != op->o_req_dn.bv_val ) {
free( mdn.bv_val );
}
if ( freeval ) {
free( mapped_val.bv_val );
}
-
+
+#ifdef LDAP_BACK_PROXY_AUTHZ
+ if ( rc != LDAP_SUCCESS ) {
+ send_ldap_result( op, rs );
+ return -1;
+ }
+#endif /* LDAP_BACK_PROXY_AUTHZ */
return( ldap_back_op_result( lc, op, rs, msgid, 1 ) );
}
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 2003 The OpenLDAP Foundation.
+ * Portions Copyright 1999-2003 Howard Chu.
+ * Portions Copyright 2000-2003 Pierangelo Masarati.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* in OpenLDAP Software and subsequently enhanced by Pierangelo
* Masarati.
*/
-/* This is an altered version */
-/*
- * Copyright 1999, Howard Chu, All rights reserved. <hyc@highlandsun.com>
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author is not responsible for the consequences of use of this
- * software, no matter how awful, even if they arise from flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- *
- * 4. This notice may not be removed or altered.
- *
- *
- *
- * Copyright 2000, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
- *
- * This software is being modified by Pierangelo Masarati.
- * The previously reported conditions apply to the modified code as well.
- * Changes in the original code are highlighted where required.
- * Credits for the original code go to the author, Howard Chu.
- */
#include "portable.h"
return( 1 );
}
ber_str2bv( argv[1], 0, 1, &li->bindpw );
-
+
+#ifdef LDAP_BACK_PROXY_AUTHZ
+ /* name to use for proxyAuthz propagation */
+ } else if ( strcasecmp( argv[0], "proxyauthzdn" ) == 0 ) {
+ if (argc != 2) {
+ fprintf( stderr,
+ "%s: line %d: missing name in \"proxyauthzdn <name>\" line\n",
+ fname, lineno );
+ return( 1 );
+ }
+ ber_str2bv( argv[1], 0, 1, &li->proxyauthzdn );
+
+ /* password to use for proxyAuthz propagation */
+ } else if ( strcasecmp( argv[0], "proxyauthzpw" ) == 0 ) {
+ if (argc != 2) {
+ fprintf( stderr,
+ "%s: line %d: missing password in \"proxyauthzpw <password>\" line\n",
+ fname, lineno );
+ return( 1 );
+ }
+ ber_str2bv( argv[1], 0, 1, &li->proxyauthzpw );
+#endif /* LDAP_BACK_PROXY_AUTHZ */
+
/* save bind creds for referral rebinds? */
} else if ( strcasecmp( argv[0], "rebind-as-user" ) == 0 ) {
if (argc != 1) {
/* anything else */
} else {
- fprintf( stderr, "%s: line %d: unknown directive \"%s\" "
- "in ldap database definition (ignored)\n",
- fname, lineno, argv[0] );
+ return SLAP_CONF_UNKNOWN;
}
return 0;
}
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 2003 The OpenLDAP Foundation.
+ * Portions Copyright 1999-2003 Howard Chu.
+ * Portions Copyright 2000-2003 Pierangelo Masarati.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* in OpenLDAP Software and subsequently enhanced by Pierangelo
* Masarati.
*/
-/* This is an altered version */
-/*
- * Copyright 1999, Howard Chu, All rights reserved. <hyc@highlandsun.com>
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author is not responsible for the consequences of use of this
- * software, no matter how awful, even if they arise from flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- *
- * 4. This notice may not be removed or altered.
- *
- *
- *
- * Copyright 2000, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
- *
- * This software is being modified by Pierangelo Masarati.
- * The previously reported conditions apply to the modified code as well.
- * Changes in the original code are highlighted where required.
- * Credits for the original code go to the author, Howard Chu.
- */
#include "portable.h"
struct ldapconn *lc;
ber_int_t msgid;
dncookie dc;
+#ifdef LDAP_BACK_PROXY_AUTHZ
+ LDAPControl **ctrls = NULL;
+ int rc = LDAP_SUCCESS;
+#endif /* LDAP_BACK_PROXY_AUTHZ */
struct berval mdn = { 0, NULL };
send_ldap_result( op, rs );
return -1;
}
-
- rs->sr_err = ldap_delete_ext( lc->ld, mdn.bv_val, op->o_ctrls,
+
+#ifdef LDAP_BACK_PROXY_AUTHZ
+ rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls );
+ if ( rc != LDAP_SUCCESS ) {
+ goto cleanup;
+ }
+#endif /* LDAP_BACK_PROXY_AUTHZ */
+
+ rs->sr_err = ldap_delete_ext( lc->ld, mdn.bv_val,
+#ifdef LDAP_BACK_PROXY_AUTHZ
+ ctrls,
+#else /* ! LDAP_BACK_PROXY_AUTHZ */
+ op->o_ctrls,
+#endif /* ! LDAP_BACK_PROXY_AUTHZ */
NULL, &msgid );
+#ifdef LDAP_BACK_PROXY_AUTHZ
+cleanup:
+ if ( ctrls && ctrls != op->o_ctrls ) {
+ free( ctrls[ 0 ] );
+ free( ctrls );
+ }
+#endif /* LDAP_BACK_PROXY_AUTHZ */
+
if ( mdn.bv_val != op->o_req_dn.bv_val ) {
free( mdn.bv_val );
}
-
+
+#ifdef LDAP_BACK_PROXY_AUTHZ
+ if ( rc != LDAP_SUCCESS ) {
+ send_ldap_result( op, rs );
+ return -1;
+ }
+#endif /* LDAP_BACK_PROXY_AUTHZ */
+
return( ldap_back_op_result( lc, op, rs, msgid, 1 ) );
}
* in OpenLDAP Software and subsequently enhanced by Pierangelo
* Masarati.
*/
-/* This is an altered version */
#include "portable.h"
for( i=0; exop_table[i].extended != NULL; i++ ) {
if( ber_bvcmp( exop_table[i].oid, &op->oq_extended.rs_reqoid ) == 0 ) {
+#ifdef LDAP_BACK_PROXY_AUTHZ
+ struct ldapconn *lc;
+ LDAPControl **oldctrls = NULL;
+ int rc;
+
+ /* FIXME: this needs to be called here, so it is
+ * called twice; maybe we could avoid the
+ * ldap_back_dobind() call inside each extended()
+ * call ... */
+ lc = ldap_back_getconn(op, rs);
+ if (!lc || !ldap_back_dobind(lc, op, rs) ) {
+ return -1;
+ }
+
+ oldctrls = op->o_ctrls;
+ if ( ldap_back_proxy_authz_ctrl( lc, op, rs, &op->o_ctrls ) ) {
+ op->o_ctrls = oldctrls;
+ send_ldap_result( op, rs );
+ rs->sr_text = NULL;
+ return rs->sr_err;
+ }
+
+ rc = (exop_table[i].extended)( op, rs );
+
+ if ( op->o_ctrls && op->o_ctrls != oldctrls ) {
+ free( op->o_ctrls[ 0 ] );
+ free( op->o_ctrls );
+ }
+ op->o_ctrls = oldctrls;
+
+ return rc;
+#else /* ! LDAP_BACK_PROXY_AUTHZ */
return (exop_table[i].extended)( op, rs );
+#endif /* ! LDAP_BACK_PROXY_AUTHZ */
}
}
* in OpenLDAP Software and subsequently enhanced by Pierangelo
* Masarati.
*/
-/* This is an altered version */
#ifndef _LDAP_EXTERNAL_H
#define _LDAP_EXTERNAL_H
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 2003 The OpenLDAP Foundation.
+ * Portions Copyright 1999-2003 Howard Chu.
+ * Portions Copyright 2000-2003 Pierangelo Masarati.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* in OpenLDAP Software and subsequently enhanced by Pierangelo
* Masarati.
*/
-/* This is an altered version */
-/*
- * Copyright 1999, Howard Chu, All rights reserved. <hyc@highlandsun.com>
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author is not responsible for the consequences of use of this
- * software, no matter how awful, even if they arise from flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- *
- * 4. This notice may not be removed or altered.
- *
- *
- *
- * Copyright 2000, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
- *
- * This software is being modified by Pierangelo Masarati.
- * The previously reported conditions apply to the modified code as well.
- * Changes in the original code are highlighted where required.
- * Credits for the original code go to the author, Howard Chu.
- */
#include "portable.h"
li->bindpw.bv_val = NULL;
li->bindpw.bv_len = 0;
+#ifdef LDAP_BACK_PROXY_AUTHZ
+ li->proxyauthzdn.bv_val = NULL;
+ li->proxyauthzdn.bv_len = 0;
+ li->proxyauthzpw.bv_val = NULL;
+ li->proxyauthzpw.bv_len = 0;
+#endif /* LDAP_BACK_PROXY_AUTHZ */
+
#ifdef ENABLE_REWRITE
li->rwmap.rwm_rw = rewrite_info_init( REWRITE_MODE_USE_DEFAULT );
if ( li->rwmap.rwm_rw == NULL ) {
ch_free(li->bindpw.bv_val);
li->bindpw.bv_val = NULL;
}
+#ifdef LDAP_BACK_PROXY_AUTHZ
+ if (li->proxyauthzdn.bv_val) {
+ ch_free(li->proxyauthzdn.bv_val);
+ li->proxyauthzdn.bv_val = NULL;
+ }
+ if (li->proxyauthzpw.bv_val) {
+ ch_free(li->proxyauthzpw.bv_val);
+ li->proxyauthzpw.bv_val = NULL;
+ }
+#endif /* LDAP_BACK_PROXY_AUTHZ */
if (li->conntree) {
avl_free( li->conntree, ldap_back_conn_free );
}
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 1998-2003 The OpenLDAP Foundation.
+ * Portions Copyright 1999-2003 Howard Chu.
+ * Portions Copyright 2000-2003 Pierangelo Masarati.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* in OpenLDAP Software and subsequently enhanced by Pierangelo
* Masarati.
*/
-/* This is an altered version */
-/*
- * Copyright 1999, Howard Chu, All rights reserved. <hyc@highlandsun.com>
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author is not responsible for the consequences of use of this
- * software, no matter how awful, even if they arise from flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- *
- * 4. This notice may not be removed or altered.
- *
- *
- *
- * Copyright 2000, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
- *
- * This software is being modified by Pierangelo Masarati.
- * The previously reported conditions apply to the modified code as well.
- * Changes in the original code are highlighted where required.
- * Credits for the original code go to the author, Howard Chu.
- */
#include "portable.h"
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright 2003 The OpenLDAP Foundation.
+ * Copyright 1999-2003 The OpenLDAP Foundation.
+ * Portions Copyright 1999-2003 Howard Chu.
+ * Portions Copyright 2000-2003 Pierangelo Masarati.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* in OpenLDAP Software and subsequently enhanced by Pierangelo
* Masarati.
*/
-/* This is an altered version */
-/*
- * Copyright 1999, Howard Chu, All rights reserved. <hyc@highlandsun.com>
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author is not responsible for the consequences of use of this
- * software, no matter how awful, even if they arise from flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- *
- * 4. This notice may not be removed or altered.
- *
- *
- *
- * Copyright 2000, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
- *
- * This software is being modified by Pierangelo Masarati.
- * The previously reported conditions apply to the modified code as well.
- * Changes in the original code are highlighted where required.
- * Credits for the original code go to the author, Howard Chu.
- */
#include "portable.h"
struct berval mdn = { 0, NULL };
ber_int_t msgid;
dncookie dc;
+#ifdef LDAP_BACK_PROXY_AUTHZ
+ LDAPControl **ctrls = NULL;
+#endif /* LDAP_BACK_PROXY_AUTHZ */
lc = ldap_back_getconn(op, rs);
if ( !lc || !ldap_back_dobind( lc, op, rs ) ) {
}
modv[i] = 0;
+#ifdef LDAP_BACK_PROXY_AUTHZ
+ rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls );
+ if ( rc != LDAP_SUCCESS ) {
+ goto cleanup;
+ }
+#endif /* LDAP_BACK_PROXY_AUTHZ */
+
rs->sr_err = ldap_modify_ext( lc->ld, mdn.bv_val, modv,
- op->o_ctrls, NULL, &msgid );
+#ifdef LDAP_BACK_PROXY_AUTHZ
+ ctrls,
+#else /* ! LDAP_BACK_PROXY_AUTHZ */
+ op->o_ctrls,
+#endif /* ! LDAP_BACK_PROXY_AUTHZ */
+ NULL, &msgid );
cleanup:;
+#ifdef LDAP_BACK_PROXY_AUTHZ
+ if ( ctrls && ctrls != op->o_ctrls ) {
+ free( ctrls[ 0 ] );
+ free( ctrls );
+ }
+#endif /* LDAP_BACK_PROXY_AUTHZ */
+
if ( mdn.bv_val != op->o_req_dn.bv_val ) {
free( mdn.bv_val );
}
ch_free( mods );
ch_free( modv );
+#ifdef LDAP_BACK_PROXY_AUTHZ
+ if ( rc != LDAP_SUCCESS ) {
+ send_ldap_result( op, rs );
+ return -1;
+ }
+#endif /* LDAP_BACK_PROXY_AUTHZ */
+
return ldap_back_op_result( lc, op, rs, msgid, 1 );
}
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright 2003 The OpenLDAP Foundation.
+ * Copyright 1999-2003 The OpenLDAP Foundation.
+ * Portions Copyright 1999-2003 Howard Chu.
+ * Portions Copyright 2000-2003 Pierangelo Masarati.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* in OpenLDAP Software and subsequently enhanced by Pierangelo
* Masarati.
*/
-/* This is an altered version */
-/*
- * Copyright 1999, Howard Chu, All rights reserved. <hyc@highlandsun.com>
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author is not responsible for the consequences of use of this
- * software, no matter how awful, even if they arise from flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- *
- * 4. This notice may not be removed or altered.
- *
- *
- *
- * Copyright 2000, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
- *
- * This software is being modified by Pierangelo Masarati.
- * The previously reported conditions apply to the modified code as well.
- * Changes in the original code are highlighted where required.
- * Credits for the original code go to the author, Howard Chu.
- */
#include "portable.h"
struct ldapconn *lc;
ber_int_t msgid;
dncookie dc;
+#ifdef LDAP_BACK_PROXY_AUTHZ
+ LDAPControl **ctrls = NULL;
+ int rc = LDAP_SUCCESS;
+#endif /* LDAP_BACK_PROXY_AUTHZ */
struct berval mdn = { 0, NULL }, mnewSuperior = { 0, NULL };
return -1;
}
+#ifdef LDAP_BACK_PROXY_AUTHZ
+ rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls );
+ if ( rc != LDAP_SUCCESS ) {
+ goto cleanup;
+ }
+#endif /* LDAP_BACK_PROXY_AUTHZ */
+
rs->sr_err = ldap_rename( lc->ld, mdn.bv_val,
op->orr_newrdn.bv_val, mnewSuperior.bv_val,
- op->orr_deleteoldrdn, op->o_ctrls,
+ op->orr_deleteoldrdn,
+#ifdef LDAP_BACK_PROXY_AUTHZ
+ ctrls,
+#else /* ! LDAP_BACK_PROXY_AUTHZ */
+ op->o_ctrls,
+#endif /* ! LDAP_BACK_PROXY_AUTHZ */
NULL, &msgid );
+#ifdef LDAP_BACK_PROXY_AUTHZ
+cleanup:
+ if ( ctrls && ctrls != op->o_ctrls ) {
+ free( ctrls[ 0 ] );
+ free( ctrls );
+ }
+#endif /* LDAP_BACK_PROXY_AUTHZ */
+
if ( mdn.bv_val != op->o_req_dn.bv_val ) {
free( mdn.bv_val );
}
&& mnewSuperior.bv_val != op->oq_modrdn.rs_newSup->bv_val ) {
free( mnewSuperior.bv_val );
}
-
+
+#ifdef LDAP_BACK_PROXY_AUTHZ
+ if ( rc != LDAP_SUCCESS ) {
+ send_ldap_result( op, rs );
+ return -1;
+ }
+#endif /* LDAP_BACK_PROXY_AUTHZ */
+
return( ldap_back_op_result( lc, op, rs, msgid, 1 ) );
}
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright 2003 The OpenLDAP Foundation.
+ * Copyright 1999-2003 The OpenLDAP Foundation.
+ * Portions Copyright 1999-2003 Howard Chu.
+ * Portions Copyright 2000-2003 Pierangelo Masarati.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* in OpenLDAP Software and subsequently enhanced by Pierangelo
* Masarati.
*/
-/* This is an altered version */
-/*
- * Copyright 1999, Howard Chu, All rights reserved. <hyc@highlandsun.com>
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author is not responsible for the consequences of use of this
- * software, no matter how awful, even if they arise from flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- *
- * 4. This notice may not be removed or altered.
- *
- *
- *
- * Copyright 2000, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
- *
- * This software is being modified by Pierangelo Masarati.
- * The previously reported conditions apply to the modified code as well.
- * Changes in the original code are highlighted where required.
- * Credits for the original code go to the author, Howard Chu.
- */
#include "portable.h"
struct berval mfilter = { 0, NULL };
struct slap_limits_set *limit = NULL;
int isroot = 0;
+ int dontfreetext = 0;
dncookie dc;
+#ifdef LDAP_BACK_PROXY_AUTHZ
+ LDAPControl **ctrls = NULL;
+#endif /* LDAP_BACK_PROXY_AUTHZ */
lc = ldap_back_getconn(op, rs);
if ( !lc ) {
if ( rc ) {
rs->sr_err = LDAP_OTHER;
rs->sr_text = "Rewrite error";
+ dontfreetext = 1;
rc = -1;
goto finish;
}
goto finish;
}
-#if 0
- if ( mapped_attrs == NULL && op->oq_search.rs_attrs) {
- int count;
-
- /* this can happen only if ch_calloc() fails
- * in ldap_back_map_attrs() */
- for (count=0; op->oq_search.rs_attrs[count].an_name.bv_val; count++);
- mapped_attrs = ch_malloc( (count+1) * sizeof(char *));
- for (count=0; op->oq_search.rs_attrs[count].an_name.bv_val; count++) {
- mapped_attrs[count] = op->oq_search.rs_attrs[count].an_name.bv_val;
- }
- mapped_attrs[count] = NULL;
+#ifdef LDAP_BACK_PROXY_AUTHZ
+ rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls );
+ if ( rc != LDAP_SUCCESS ) {
+ dontfreetext = 1;
+ goto finish;
}
-#endif
-
+#endif /* LDAP_BACK_PROXY_AUTHZ */
+
rs->sr_err = ldap_search_ext(lc->ld, mbase.bv_val,
op->oq_search.rs_scope, mfilter.bv_val,
mapped_attrs, op->oq_search.rs_attrsonly,
- op->o_ctrls, NULL,
+#ifdef LDAP_BACK_PROXY_AUTHZ
+ ctrls,
+#else /* ! LDAP_BACK_PROXY_AUTHZ */
+ op->o_ctrls,
+#endif /* ! LDAP_BACK_PROXY_AUTHZ */
+ NULL,
tv.tv_sec ? &tv : NULL, op->oq_search.rs_slimit,
- &msgid);
+ &msgid );
+
if ( rs->sr_err != LDAP_SUCCESS ) {
fail:;
rc = ldap_back_op_result(lc, op, rs, msgid, 0);
ldap_pvt_thread_yield();
} else if (rc == LDAP_RES_SEARCH_ENTRY) {
- Entry ent;
+ Entry ent = {0};
struct berval bdn;
e = ldap_first_entry(lc->ld,res);
if ( ldap_build_entry(op, e, &ent, &bdn,
finish:;
send_ldap_result( op, rs );
+#ifdef LDAP_BACK_PROXY_AUTHZ
+ if ( ctrls && ctrls != op->o_ctrls ) {
+ free( ctrls[ 0 ] );
+ free( ctrls );
+ }
+#endif /* LDAP_BACK_PROXY_AUTHZ */
+
if ( match.bv_val ) {
if ( rs->sr_matched != match.bv_val ) {
free( (char *)rs->sr_matched );
LDAP_FREE( match.bv_val );
}
if ( rs->sr_text ) {
- LDAP_FREE( (char *)rs->sr_text );
+ if ( !dontfreetext ) {
+ LDAP_FREE( (char *)rs->sr_text );
+ }
rs->sr_text = NULL;
}
if ( mapped_attrs ) {
return LDAP_INVALID_DN_SYNTAX;
}
- ent->e_id = 0;
- ent->e_attrs = 0;
- ent->e_private = 0;
attrp = &ent->e_attrs;
#ifdef ENABLE_REWRITE
} else if ( attr->a_desc->ad_type->sat_syntax ==
slap_schema.si_syn_distinguishedName ) {
ldap_dnattr_result_rewrite( &dc, attr->a_vals );
-
}
if ( normalize && last && attr->a_desc->ad_type->sat_equality &&
attr->a_desc->ad_type->sat_syntax,
attr->a_desc->ad_type->sat_equality,
&attr->a_vals[i], &attr->a_nvals[i],
- op->o_tmpmemctx );
+ NULL /* op->o_tmpmemctx */ );
}
attr->a_nvals[i].bv_val = NULL;
attr->a_nvals[i].bv_len = 0;
*attrp = attr;
attrp = &attr->a_next;
}
+
/* make sure it's free'able */
if (!private && ent->e_name.bv_val == bdn->bv_val)
ber_dupbv( &ent->e_name, bdn );
*ptr++ = ')';
*ptr++ = '\0';
}
-
+
if (ldap_search_ext_s(lc->ld, mdn.bv_val, LDAP_SCOPE_BASE, filter,
gattr, 0, NULL, NULL, LDAP_NO_LIMIT,
LDAP_NO_LIMIT, &result) != LDAP_SUCCESS)
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright 2003 The OpenLDAP Foundation.
+ * Copyright 1999-2003 The OpenLDAP Foundation.
+ * Portions Copyright 1999-2003 Howard Chu.
+ * Portions Copyright 2000-2003 Pierangelo Masarati.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* in OpenLDAP Software and subsequently enhanced by Pierangelo
* Masarati.
*/
-/* This is an altered version */
-/*
- * Copyright 1999, Howard Chu, All rights reserved. <hyc@highlandsun.com>
- * Copyright 2000, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
- *
- * Module back-ldap, originally developed by Howard Chu
- *
- * has been modified by Pierangelo Masarati. The original copyright
- * notice has been maintained.
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author is not responsible for the consequences of use of this
- * software, no matter how awful, even if they arise from flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- *
- * 4. This notice may not be removed or altered.
- */
#include "portable.h"
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright 2003 The OpenLDAP Foundation.
+ * Copyright 1999-2003 The OpenLDAP Foundation.
+ * Portions Copyright 1999-2003 Howard Chu.
+ * Portions Copyright 2000-2003 Pierangelo Masarati.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* in OpenLDAP Software and subsequently enhanced by Pierangelo
* Masarati.
*/
-/* This is an altered version */
-/*
- * Copyright 1999, Howard Chu, All rights reserved. <hyc@highlandsun.com>
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author is not responsible for the consequences of use of this
- * software, no matter how awful, even if they arise from flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- *
- * 4. This notice may not be removed or altered.
- *
- *
- *
- * Copyright 2000, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
- *
- * This software is being modified by Pierangelo Masarati.
- * The previously reported conditions apply to the modified code as well.
- * Changes in the original code are highlighted where required.
- * Credits for the original code go to the author, Howard Chu.
- */
#include "portable.h"
id2entry.c index.c id2children.c nextid.c \
compare.c modify.c modrdn.c delete.c init.c \
config.c bind.c attr.c filterindex.c close.c \
- alias.c tools.c key.c extended.c passwd.c \
- referral.c operational.c
+ alias.c tools.c key.c extended.c \
+ referral.c operational.c ldbm.c
OBJS = idl.lo add.lo search.lo cache.lo dbcache.lo dn2id.lo entry.lo \
id2entry.lo index.lo id2children.lo nextid.lo \
compare.lo modify.lo modrdn.lo delete.lo init.lo \
config.lo bind.lo attr.lo filterindex.lo close.lo \
- alias.lo tools.lo key.lo extended.lo passwd.lo \
- referral.lo operational.lo $(@BUILD_LDBM@_OBJS)
+ alias.lo tools.lo key.lo extended.lo \
+ referral.lo operational.lo ldbm.lo
LDAP_INCDIR= ../../../include
LDAP_LIBDIR= ../../../libraries
BUILD_MOD = @BUILD_LDBM@
BUILD_MOD_DYNAMIC = @BUILD_LDBM_DYNAMIC@
-mod_SRCS = ldbm.c
-mod_OBJS = ldbm.lo
-
mod_DEFS = -DSLAPD_IMPORT
MOD_DEFS = $(@BUILD_LDBM@_DEFS)
shared_LDAP_LIBS = $(LDAP_LIBLDAP_R_LA) $(LDAP_LIBLBER_LA)
-NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) $(LDBM_LIBS)
-UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) $(LDBM_LIBS)
+NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
+UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
LIBBASE = back_ldbm
../.backend: lib$(LIBBASE).a
@touch $@
-ldbm.c : $(srcdir)/../../../libraries/libldbm/ldbm.c
- $(RM) $@; $(LN_S) $(srcdir)/../../../libraries/libldbm/ldbm.c $@
-
depend-common: $(XXSRCS)
/* anything else */
} else {
- fprintf( stderr,
-"%s: line %d: unknown directive \"%s\" in ldbm database definition (ignored)\n",
- fname, lineno, argv[0] );
+ return SLAP_CONF_UNKNOWN;
}
return 0;
struct berval *oid;
BI_op_extended *extended;
} exop_table[] = {
- { (struct berval *)&slap_EXOP_MODIFY_PASSWD, ldbm_back_exop_passwd },
{ NULL, NULL }
};
{
int rc, i;
const char *text;
- DBCache *db;
+ DBCache *db;
AttributeDescription *ad = NULL;
struct berval *keys;
- void *mark;
assert( mask );
return LDAP_OTHER;
}
- mark = sl_mark( op->o_tmpmemctx );
-
if( IS_SLAP_INDEX( mask, SLAP_INDEX_PRESENT ) ) {
key_change( op->o_bd, db, atname, id, opid );
}
ldbm_cache_close( op->o_bd, db );
- sl_release( mark, op->o_tmpmemctx );
-
return LDAP_SUCCESS;
}
--- /dev/null
+/* ldbm.c - ldap dbm compatibility routines */
+/* $OpenLDAP$ */
+/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
+ *
+ * Copyright 1998-2003 The OpenLDAP Foundation.
+ * Portions Copyright 1998-2003 Kurt D. Zeilenga.
+ * Portions Copyright 1998-2001 Net Boolean Incorporated.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
+ *
+ * A copy of this license is available in the file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * <http://www.OpenLDAP.org/license.html>.
+ */
+/* ACKNOWLEDGEMENTS:
+ * This work was originally developed by the University of Michigan
+ * (as part of U-MICH LDAP). Additional significant contributors
+ * include:
+ * Gary Williams
+ * Howard Chu
+ * Juan Gomez
+ * Kurt D. Zeilenga
+ * Kurt Spanier
+ * Mark Whitehouse
+ * Randy Kundee
+ */
+
+#include "portable.h"
+
+#ifdef SLAPD_LDBM
+
+#include <stdio.h>
+
+#include <ac/stdlib.h>
+#include <ac/string.h>
+#include <ac/errno.h>
+
+#include "ldbm.h"
+#include "ldap_pvt_thread.h"
+
+void
+ldbm_datum_free( LDBM ldbm, Datum data )
+{
+ if ( data.dptr ) {
+ free( data.dptr );
+ memset( &data, '\0', sizeof( Datum ));
+ data.dptr = NULL;
+ }
+}
+
+Datum
+ldbm_datum_dup( LDBM ldbm, Datum data )
+{
+ Datum dup;
+
+ ldbm_datum_init( dup );
+
+ if ( data.dsize == 0 ) {
+ dup.dsize = 0;
+ dup.dptr = NULL;
+
+ return( dup );
+ }
+ dup.dsize = data.dsize;
+
+ if ( (dup.dptr = (char *) malloc( data.dsize )) != NULL ) {
+ AC_MEMCPY( dup.dptr, data.dptr, data.dsize );
+ }
+
+ return( dup );
+}
+
+static int ldbm_initialized = 0;
+
+#if defined( USE_BERKELEY_CDB )
+ /* not currently supported */
+#define LDBM_RWLOCK_INIT ((void) 0)
+#define LDBM_RWLOCK_DESTROY ((void) 0)
+#define LDBM_WLOCK ((void) 0)
+#define LDBM_WUNLOCK ((void) 0)
+#define LDBM_RLOCK ((void) 0)
+#define LDBM_RUNLOCK ((void) 0)
+
+#elif defined( HAVE_BERKELEY_DB_THREAD )
+static ldap_pvt_thread_rdwr_t ldbm_big_rdwr;
+#define LDBM_RWLOCK_INIT (ldap_pvt_thread_rdwr_init( &ldbm_big_rdwr ))
+#define LDBM_RWLOCK_DESTROY (ldap_pvt_thread_rdwr_destroy( &ldbm_big_rdwr ))
+#define LDBM_WLOCK (ldap_pvt_thread_rdwr_wlock(&ldbm_big_rdwr))
+#define LDBM_WUNLOCK (ldap_pvt_thread_rdwr_wunlock(&ldbm_big_rdwr))
+#define LDBM_RLOCK (ldap_pvt_thread_rdwr_rlock(&ldbm_big_rdwr))
+#define LDBM_RUNLOCK (ldap_pvt_thread_rdwr_runlock(&ldbm_big_rdwr))
+
+#else
+static ldap_pvt_thread_mutex_t ldbm_big_mutex;
+#define LDBM_RWLOCK_INIT (ldap_pvt_thread_mutex_init( &ldbm_big_mutex ))
+#define LDBM_RWLOCK_DESTROY (ldap_pvt_thread_mutex_destroy( &ldbm_big_mutex ))
+#define LDBM_WLOCK (ldap_pvt_thread_mutex_lock(&ldbm_big_mutex))
+#define LDBM_WUNLOCK (ldap_pvt_thread_mutex_unlock(&ldbm_big_mutex))
+#define LDBM_RLOCK LDBM_WLOCK
+#define LDBM_RUNLOCK LDBM_WUNLOCK
+#endif
+
+#if !defined( HAVE_BERKELEY_DB ) || (DB_VERSION_MAJOR < 3)
+ /* a dbEnv for BERKELEYv2 */
+DB_ENV *ldbm_Env = NULL; /* real or fake, depending on db and version */
+#endif
+
+/* Let's make the version comparisons a little easier... */
+#undef DB_VERSION_X
+#ifdef HAVE_BERKELEY_DB
+#define DB_VERSION_X ((DB_VERSION_MAJOR<<16)|(DB_VERSION_MINOR<<8)|DB_VERSION_PATCH)
+#endif
+
+/*******************************************************************
+ * *
+ * Create some special functions to initialize Berkeley DB for *
+ * versions greater than 2. *
+ * *
+ *******************************************************************/
+#if defined( HAVE_BERKELEY_DB ) && (DB_VERSION_MAJOR >= 2)
+
+void *
+ldbm_malloc( size_t size )
+{
+ /* likely should use ber_mem* routines */
+ return( calloc( 1, size ) );
+}
+
+#ifdef LDAP_SYSLOG
+#include <ac/syslog.h>
+#endif
+
+static void
+ldbm_db_errcall( const char *prefix, char *message )
+{
+#ifdef LDAP_SYSLOG
+ syslog( LOG_INFO, "ldbm: %s %s", prefix, message );
+#endif
+}
+
+int ldbm_initialize( const char* home )
+{
+#if DB_VERSION_MAJOR < 3
+ int err;
+ u_int32_t envFlags;
+#endif
+
+ if(ldbm_initialized++) return 1;
+
+ {
+ char *version;
+ int major, minor, patch;
+ version = db_version( &major, &minor, &patch );
+
+ if( major != DB_VERSION_MAJOR ||
+ minor < DB_VERSION_MINOR )
+ {
+#ifdef LDAP_SYSLOG
+ syslog( LOG_INFO,
+ "ldbm_initialize(): version mismatch\nexpected: %s\ngot: %s\n",
+ DB_VERSION_STRING, version );
+#endif
+ return 1;
+ }
+ }
+
+#if DB_VERSION_MAJOR < 3
+ ldbm_Env = calloc( 1, sizeof( DB_ENV ));
+
+ if( ldbm_Env == NULL ) return 1;
+
+ ldbm_Env->db_errcall = ldbm_db_errcall;
+ ldbm_Env->db_errpfx = "==>";
+
+ envFlags = DB_CREATE | DB_USE_ENVIRON;
+
+ /* add optional flags */
+#ifdef DB_PRIVATE
+ envFlags |= DB_PRIVATE;
+#endif
+#ifdef HAVE_BERKELEY_DB_THREAD
+ envFlags |= DB_THREAD;
+#endif
+
+ err = db_appinit( home, NULL, ldbm_Env, envFlags );
+
+ if ( err ) {
+#ifdef LDAP_SYSLOG
+ syslog( LOG_INFO, "ldbm_initialize(): "
+ "FATAL error (%d) in db_appinit()\n", err );
+#endif
+ return( 1 );
+ }
+#endif
+
+ LDBM_RWLOCK_INIT;
+
+ return 0;
+}
+
+int ldbm_shutdown( void )
+{
+ if( !ldbm_initialized ) return 1;
+
+#if DB_VERSION_MAJOR < 3
+ db_appexit( ldbm_Env );
+#endif
+
+ LDBM_RWLOCK_DESTROY;
+ return 0;
+}
+
+#else /* some DB other than Berkeley V2 or greater */
+
+int ldbm_initialize( const char * home )
+{
+ if(ldbm_initialized++) return 1;
+
+ LDBM_RWLOCK_INIT;
+
+ return 0;
+}
+
+int ldbm_shutdown( void )
+{
+ if( !ldbm_initialized ) return 1;
+
+ LDBM_RWLOCK_DESTROY;
+
+ return 0;
+}
+
+#endif /* HAVE_BERKELEY_DB */
+
+#if defined( HAVE_BERKELEY_DB ) && (DB_VERSION_MAJOR >= 3)
+
+DB_ENV *ldbm_initialize_env(const char *home, int dbcachesize, int *envdirok)
+{
+ DB_ENV *env = NULL;
+ int err;
+ u_int32_t envFlags;
+#ifdef HAVE_EBCDIC
+ char n2[2048];
+#endif
+
+ err = db_env_create( &env, 0 );
+
+ if ( err ) {
+#ifdef LDAP_SYSLOG
+ syslog( LOG_INFO, "ldbm_initialize_env(): "
+ "FATAL error in db_env_create() : %s (%d)\n",
+ db_strerror( err ), err );
+#endif
+ return NULL;
+ }
+
+#if DB_VERSION_X >= 0x030300
+ /* This interface appeared in 3.3 */
+ env->set_alloc( env, ldbm_malloc, NULL, NULL );
+#endif
+
+ env->set_errcall( env, ldbm_db_errcall );
+ env->set_errpfx( env, "==>" );
+ if (dbcachesize) {
+ env->set_cachesize( env, 0, dbcachesize, 0 );
+ }
+
+ envFlags = DB_CREATE | DB_INIT_MPOOL | DB_USE_ENVIRON;
+#ifdef DB_PRIVATE
+ envFlags |= DB_PRIVATE;
+#endif
+#ifdef DB_MPOOL_PRIVATE
+ envFlags |= DB_MPOOL_PRIVATE;
+#endif
+#ifdef HAVE_BERKELEY_DB_THREAD
+ envFlags |= DB_THREAD;
+#endif
+
+#ifdef HAVE_EBCDIC
+ strncpy(n2, home, sizeof(n2)-1);
+ n2[sizeof(n2)-1] = '\0';
+ __atoe(n2);
+ home = n2;
+#endif
+#if DB_VERSION_X >= 0x030100
+ err = env->open( env, home, envFlags, 0 );
+#else
+ /* 3.0.x requires an extra argument */
+ err = env->open( env, home, NULL, envFlags, 0 );
+#endif
+
+ if ( err != 0 ) {
+#ifdef LDAP_SYSLOG
+ syslog( LOG_INFO, "ldbm_initialize_env(): "
+ "FATAL error in dbEnv->open() : %s (%d)\n",
+ db_strerror( err ), err );
+#endif
+ env->close( env, 0 );
+ return NULL;
+ }
+
+ *envdirok = 1;
+ return env;
+}
+
+void ldbm_shutdown_env(DB_ENV *env)
+{
+ env->close( env, 0 );
+}
+
+#else
+
+DB_ENV *ldbm_initialize_env(const char *home, int dbcachesize, int *envdirok)
+{
+ return ldbm_Env;
+}
+
+void ldbm_shutdown_env(DB_ENV *env)
+{
+}
+
+#endif
+
+#if defined( LDBM_USE_DBHASH ) || defined( LDBM_USE_DBBTREE )
+
+/*****************************************************************
+ * *
+ * use berkeley db hash or btree package *
+ * *
+ *****************************************************************/
+
+LDBM
+ldbm_open( DB_ENV *env, char *name, int rw, int mode, int dbcachesize )
+{
+ LDBM ret = NULL;
+#ifdef HAVE_EBCDIC
+ char n2[2048];
+#endif
+
+#if DB_VERSION_MAJOR >= 3
+ int err;
+
+ LDBM_WLOCK;
+
+ err = db_create( &ret, env, 0 );
+ if ( err != 0 ) {
+ (void)ret->close(ret, 0);
+ LDBM_WUNLOCK;
+
+ return NULL;
+ }
+
+#if DB_VERSION_X < 0x030300
+ ret->set_malloc( ret, ldbm_malloc );
+#endif
+
+ ret->set_pagesize( ret, DEFAULT_DB_PAGE_SIZE );
+
+ /* likely should use ber_mem* routines */
+
+#ifdef HAVE_EBCDIC
+ strncpy(n2, name, sizeof(n2)-1);
+ n2[sizeof(n2)-1] = '\0';
+ __atoe(n2);
+ name = n2;
+#endif
+#if DB_VERSION_X >= 0x040111
+ err = ret->open( ret, NULL, name, NULL, DB_TYPE, rw, mode);
+#else
+ err = ret->open( ret, name, NULL, DB_TYPE, rw, mode);
+#endif
+
+ if ( err != 0 ) {
+ int tmp = errno;
+ (void)ret->close(ret, 0);
+ errno = tmp;
+
+ LDBM_WUNLOCK;
+ return NULL;
+ }
+
+ LDBM_WUNLOCK;
+
+#elif DB_VERSION_MAJOR >= 2
+ DB_INFO dbinfo;
+
+ memset( &dbinfo, '\0', sizeof( dbinfo ));
+
+#if DB_VERSION_MAJOR == 2 && DB_VERSION_MINOR == 4
+ /*
+ * BerkeleyDB 2.4 do not allow db_cachesize
+ * to be specified if an DB_ENV is.
+ */
+#else
+ /* set db_cachesize of MPOOL is NOT being used. */
+ if (( ldbm_Env == NULL ) || ( ldbm_Env->mp_info == NULL )) {
+ dbinfo.db_cachesize = dbcachesize;
+ }
+#endif
+
+ dbinfo.db_pagesize = DEFAULT_DB_PAGE_SIZE;
+ dbinfo.db_malloc = ldbm_malloc;
+
+ LDBM_WLOCK;
+ (void) db_open( name, DB_TYPE, rw, mode, ldbm_Env, &dbinfo, &ret );
+ LDBM_WUNLOCK;
+
+#else
+ void *info;
+ BTREEINFO binfo;
+ HASHINFO hinfo;
+
+ if ( DB_TYPE == DB_HASH ) {
+ memset( (char *) &hinfo, '\0', sizeof(hinfo) );
+ hinfo.cachesize = dbcachesize;
+ info = &hinfo;
+ } else if ( DB_TYPE == DB_BTREE ) {
+ memset( (char *) &binfo, '\0', sizeof(binfo) );
+ binfo.cachesize = dbcachesize;
+ info = &binfo;
+ } else {
+ info = NULL;
+ }
+
+ LDBM_WLOCK;
+ ret = dbopen( name, rw, mode, DB_TYPE, info );
+ LDBM_WUNLOCK;
+#endif
+
+ return ret;
+}
+
+void
+ldbm_close( LDBM ldbm )
+{
+ LDBM_WLOCK;
+#if DB_VERSION_MAJOR >= 2
+ ldbm->close( ldbm, 0 );
+#else
+ ldbm->close( ldbm );
+#endif
+ LDBM_WUNLOCK;
+}
+
+void
+ldbm_sync( LDBM ldbm )
+{
+ LDBM_WLOCK;
+ (*ldbm->sync)( ldbm, 0 );
+ LDBM_WUNLOCK;
+}
+
+Datum
+ldbm_fetch( LDBM ldbm, Datum key )
+{
+ Datum data;
+ int rc;
+
+ LDBM_RLOCK;
+
+#if DB_VERSION_MAJOR >= 2
+ ldbm_datum_init( data );
+
+ data.flags = DB_DBT_MALLOC;
+
+ if ( (rc = ldbm->get( ldbm, NULL, &key, &data, 0 )) != 0 ) {
+ ldbm_datum_free( ldbm, data );
+ data.dptr = NULL;
+ data.dsize = 0;
+ }
+#else
+ if ( (rc = ldbm->get( ldbm, &key, &data, 0 )) == 0 ) {
+ /* Berkeley DB 1.85 don't malloc the data for us */
+ /* duplicate it for to ensure reentrancy */
+ data = ldbm_datum_dup( ldbm, data );
+ } else {
+ data.dptr = NULL;
+ data.dsize = 0;
+ }
+#endif
+
+ LDBM_RUNLOCK;
+
+ return( data );
+}
+
+int
+ldbm_store( LDBM ldbm, Datum key, Datum data, int flags )
+{
+ int rc;
+
+ LDBM_WLOCK;
+
+#if DB_VERSION_MAJOR >= 2
+ rc = ldbm->put( ldbm, NULL, &key, &data, flags & ~LDBM_SYNC );
+ rc = (-1) * rc;
+#else
+ rc = ldbm->put( ldbm, &key, &data, flags & ~LDBM_SYNC );
+#endif
+
+ if ( flags & LDBM_SYNC )
+ ldbm->sync( ldbm, 0 );
+
+ LDBM_WUNLOCK;
+
+ return( rc );
+}
+
+int
+ldbm_delete( LDBM ldbm, Datum key )
+{
+ int rc;
+
+ LDBM_WLOCK;
+
+#if DB_VERSION_MAJOR >= 2
+ rc = ldbm->del( ldbm, NULL, &key, 0 );
+ rc = (-1) * rc;
+#else
+ rc = ldbm->del( ldbm, &key, 0 );
+#endif
+ ldbm->sync( ldbm, 0 );
+
+ LDBM_WUNLOCK;
+
+ return( rc );
+}
+
+Datum
+ldbm_firstkey( LDBM ldbm, LDBMCursor **dbch )
+{
+ Datum key, data;
+ int rc;
+
+#if DB_VERSION_MAJOR >= 2
+ LDBMCursor *dbci;
+
+ ldbm_datum_init( key );
+ ldbm_datum_init( data );
+
+ key.flags = data.flags = DB_DBT_MALLOC;
+
+ LDBM_RLOCK;
+
+ /* acquire a cursor for the DB */
+# if DB_VERSION_X >= 0x020600
+ rc = ldbm->cursor( ldbm, NULL, &dbci, 0 );
+# else
+ rc = ldbm->cursor( ldbm, NULL, &dbci );
+# endif
+
+ if( rc ) {
+ key.dptr = NULL;
+ } else {
+ *dbch = dbci;
+ if ( dbci->c_get( dbci, &key, &data, DB_NEXT ) == 0 ) {
+ ldbm_datum_free( ldbm, data );
+ } else {
+ key.dptr = NULL;
+ key.dsize = 0;
+ }
+ }
+
+ LDBM_RUNLOCK;
+
+#else
+ LDBM_RLOCK;
+
+ rc = ldbm->seq( ldbm, &key, &data, R_FIRST );
+
+ if ( rc == 0 ) {
+ key = ldbm_datum_dup( ldbm, key );
+ } else {
+ key.dptr = NULL;
+ key.dsize = 0;
+ }
+
+ LDBM_RUNLOCK;
+#endif
+
+ return( key );
+}
+
+Datum
+ldbm_nextkey( LDBM ldbm, Datum key, LDBMCursor *dbcp )
+{
+ int rc;
+ Datum data;
+
+ LDBM_RLOCK;
+
+#if DB_VERSION_MAJOR >= 2
+ ldbm_datum_init( data );
+
+ ldbm_datum_free( ldbm, key );
+ key.flags = data.flags = DB_DBT_MALLOC;
+
+ rc = dbcp->c_get( dbcp, &key, &data, DB_NEXT );
+ if ( rc == 0 ) {
+ ldbm_datum_free( ldbm, data );
+ } else
+#else
+ rc = ldbm->seq( ldbm, &key, &data, R_NEXT );
+
+ if ( rc == 0 ) {
+ key = ldbm_datum_dup( ldbm, key );
+ } else
+#endif
+ {
+ key.dptr = NULL;
+ key.dsize = 0;
+ }
+
+ LDBM_RUNLOCK;
+ return( key );
+}
+
+int
+ldbm_errno( LDBM ldbm )
+{
+ return( errno );
+}
+
+/******************************************************************
+ * *
+ * END Berkeley section *
+ * *
+ ******************************************************************/
+
+#elif defined( HAVE_GDBM )
+
+#ifdef HAVE_ST_BLKSIZE
+#include <sys/stat.h>
+#endif
+
+/*****************************************************************
+ * *
+ * use gdbm *
+ * *
+ *****************************************************************/
+
+LDBM
+ldbm_open( DB_ENV *env, char *name, int rw, int mode, int dbcachesize )
+{
+ LDBM db;
+#ifdef HAVE_ST_BLKSIZE
+ struct stat st;
+#endif
+#ifdef HAVE_EBCDIC
+ char n2[2048];
+
+ strncpy(n2, name, sizeof(n2)-1);
+ n2[sizeof(n2)-1] = '\0';
+ __atoe(n2);
+ name = n2;
+#endif
+
+ LDBM_WLOCK;
+
+ if ( (db = gdbm_open( name, 0, rw | GDBM_FAST, mode, 0 )) == NULL ) {
+ LDBM_WUNLOCK;
+ return( NULL );
+ }
+
+#ifdef HAVE_ST_BLKSIZE
+ if ( dbcachesize > 0 && stat( name, &st ) == 0 ) {
+ dbcachesize /= st.st_blksize;
+ if( dbcachesize == 0 ) dbcachesize = 1;
+ gdbm_setopt( db, GDBM_CACHESIZE, &dbcachesize, sizeof(int) );
+ }
+#else
+ if ( dbcachesize > 0 ) {
+ dbcachesize /= 4096;
+ if( dbcachesize == 0 ) dbcachesize = 1;
+ gdbm_setopt( db, GDBM_CACHESIZE, &dbcachesize, sizeof(int) );
+ }
+#endif
+
+ LDBM_WUNLOCK;
+
+ return( db );
+}
+
+void
+ldbm_close( LDBM ldbm )
+{
+ LDBM_WLOCK;
+ gdbm_close( ldbm );
+ LDBM_WUNLOCK;
+}
+
+void
+ldbm_sync( LDBM ldbm )
+{
+ LDBM_WLOCK;
+ gdbm_sync( ldbm );
+ LDBM_WUNLOCK;
+}
+
+Datum
+ldbm_fetch( LDBM ldbm, Datum key )
+{
+ Datum d;
+
+ LDBM_RLOCK;
+ d = gdbm_fetch( ldbm, key );
+ LDBM_RUNLOCK;
+
+ return d;
+}
+
+int
+ldbm_store( LDBM ldbm, Datum key, Datum data, int flags )
+{
+ int rc;
+
+ LDBM_WLOCK;
+ rc = gdbm_store( ldbm, key, data, flags & ~LDBM_SYNC );
+ if ( flags & LDBM_SYNC )
+ gdbm_sync( ldbm );
+ LDBM_WUNLOCK;
+
+ return( rc );
+}
+
+int
+ldbm_delete( LDBM ldbm, Datum key )
+{
+ int rc;
+
+ LDBM_WLOCK;
+ rc = gdbm_delete( ldbm, key );
+ gdbm_sync( ldbm );
+ LDBM_WUNLOCK;
+
+ return( rc );
+}
+
+Datum
+ldbm_firstkey( LDBM ldbm, LDBMCursor **dbcp )
+{
+ Datum d;
+
+ LDBM_RLOCK;
+ d = gdbm_firstkey( ldbm );
+ LDBM_RUNLOCK;
+
+ if ( d.dptr != NULL ) {
+ *dbcp = (Datum *) malloc( sizeof( Datum ) );
+ **dbcp = ldbm_datum_dup( ldbm, d );
+ }
+
+ return d;
+}
+
+Datum
+ldbm_nextkey( LDBM ldbm, Datum key, LDBMCursor *dbcp )
+{
+ Datum d;
+
+ LDBM_RLOCK;
+ d = gdbm_nextkey( ldbm, *dbcp );
+ LDBM_RUNLOCK;
+
+ ldbm_datum_free( ldbm, *dbcp );
+
+ if ( d.dptr != NULL ) {
+ *dbcp = ldbm_datum_dup( ldbm, d );
+ } else {
+ free( dbcp );
+ }
+
+ return d;
+}
+
+int
+ldbm_errno( LDBM ldbm )
+{
+ int err;
+
+ LDBM_WLOCK;
+ err = gdbm_errno;
+ LDBM_WUNLOCK;
+
+ return( err );
+}
+
+#elif HAVE_MDBM
+
+/* MMAPED DBM HASHING DATABASE */
+
+#include <ac/string.h>
+
+/* #define MDBM_DEBUG */
+
+#ifdef MDBM_DEBUG
+#include <stdio.h>
+#endif
+
+#define NO_NULL_KEY
+/* #define MDBM_CHAIN */
+
+#ifdef MDBM_CHAIN
+
+/* Use chaining */
+
+#define mdbm_store mdbm_chain_store
+#define mdbm_fetch mdbm_chain_fetch
+#define mdbm_delete mdbm_chain_delete
+#define mdbm_first mdbm_chain_first
+#define mdbm_next mdbm_chain_next
+
+#endif
+
+#define MDBM_PG_SZ (4*1024)
+
+/*****************************************************************
+ * *
+ * use mdbm *
+ * *
+ *****************************************************************/
+
+LDBM
+ldbm_open( DB_ENV *env, char *name, int rw, int mode, int dbcachesize )
+{
+ LDBM db;
+
+#ifdef MDBM_DEBUG
+ fprintf( stdout,
+ "==>(mdbm)ldbm_open(name=%s,rw=%x,mode=%x,cachesize=%d)\n",
+ name ? name : "NULL", rw, mode, dbcachesize );
+ fflush( stdout );
+#endif
+
+ LDBM_WLOCK; /* We need locking here, this is the only non-thread
+ * safe function we have. */
+
+ if ( (db = mdbm_open( name, rw, mode, MDBM_PG_SZ )) == NULL ) {
+ LDBM_WUNLOCK;
+#ifdef MDBM_DEBUG
+ fprintf( stdout, "<==(mdbm)ldbm_open(db=NULL)\n" );
+ fflush( stdout );
+#endif
+ return( NULL );
+ }
+
+#ifdef MDBM_CHAIN
+ (void)mdbm_set_chain(db);
+#endif
+
+ LDBM_WUNLOCK;
+
+#ifdef MDBM_DEBUG
+ fprintf( stdout, "<==(mdbm)ldbm_open(db=%p)\n", db );
+ fflush( stdout );
+#endif
+
+ return( db );
+}
+
+void
+ldbm_close( LDBM ldbm )
+{
+ /* Open and close are not reentrant so we need to use locks here */
+
+#ifdef MDBM_DEBUG
+ fprintf( stdout,
+ "==>(mdbm)ldbm_close(db=%p)\n", ldbm );
+ fflush( stdout );
+#endif
+
+ LDBM_WLOCK;
+ mdbm_close( ldbm );
+ LDBM_WUNLOCK;
+
+#ifdef MDBM_DEBUG
+ fprintf( stdout, "<==(mdbm)ldbm_close()\n" );
+ fflush( stdout );
+#endif
+}
+
+void
+ldbm_sync( LDBM ldbm )
+{
+ /* XXX: Not sure if this is re-entrant need to check code, if so
+ * you can leave LOCKS out.
+ */
+
+ LDBM_WLOCK;
+ mdbm_sync( ldbm );
+ LDBM_WUNLOCK;
+}
+
+#define MAX_MDBM_RETRY 5
+
+Datum
+ldbm_fetch( LDBM ldbm, Datum key )
+{
+ Datum d;
+ kvpair k;
+ int retry = 0;
+
+ /* This hack is needed because MDBM does not take keys
+ * which begin with NULL when working in the chaining
+ * mode.
+ */
+
+#ifdef NO_NULL_KEY
+ k.key.dsize = key.dsize + 1;
+ k.key.dptr = malloc(k.key.dsize);
+ *(k.key.dptr) = 'l';
+ AC_MEMCPY( (void *)(k.key.dptr + 1), key.dptr, key.dsize );
+#else
+ k.key = key;
+#endif
+
+ k.val.dptr = NULL;
+ k.val.dsize = 0;
+
+ /* LDBM_RLOCK; */
+ do {
+ d = mdbm_fetch( ldbm, k );
+
+ if ( d.dsize > 0 ) {
+ if ( k.val.dptr != NULL ) {
+ free( k.val.dptr );
+ }
+
+ if ( (k.val.dptr = malloc( d.dsize )) != NULL ) {
+ k.val.dsize = d.dsize;
+ d = mdbm_fetch( ldbm, k );
+
+ } else {
+ d.dsize = 0;
+ break;
+ }
+ }/* if ( d.dsize > 0 ) */
+ } while ((d.dsize > k.val.dsize) && (++retry < MAX_MDBM_RETRY));
+ /* LDBM_RUNLOCK; */
+
+#ifdef NO_NULL_KEY
+ free(k.key.dptr);
+#endif
+
+ return d;
+}
+
+int
+ldbm_store( LDBM ldbm, Datum key, Datum data, int flags )
+{
+ int rc;
+ Datum int_key; /* Internal key */
+
+#ifdef MDBM_DEBUG
+ fprintf( stdout,
+ "==>(mdbm)ldbm_store(db=%p, key(dptr=%p,sz=%d), data(dptr=%p,sz=%d), flags=%x)\n",
+ ldbm, key.dptr, key.dsize, data.dptr, data.dsize, flags );
+ fflush( stdout );
+#endif
+
+ /* LDBM_WLOCK; */
+
+#ifdef NO_NULL_KEY
+ int_key.dsize = key.dsize + 1;
+ int_key.dptr = malloc( int_key.dsize );
+ *(int_key.dptr) = 'l'; /* Must not be NULL !*/
+ AC_MEMCPY( (void *)(int_key.dptr + 1), key.dptr, key.dsize );
+#else
+ int_key = key;
+#endif
+
+ rc = mdbm_store( ldbm, int_key, data, flags );
+ if ( flags & LDBM_SYNC ) {
+ mdbm_sync( ldbm );
+ }
+
+ /* LDBM_WUNLOCK; */
+
+#ifdef MDBM_DEBUG
+ fprintf( stdout, "<==(mdbm)ldbm_store(rc=%d)\n", rc );
+ fflush( stdout );
+#endif
+
+#ifdef NO_NULL_KEY
+ free(int_key.dptr);
+#endif
+
+ return( rc );
+}
+
+int
+ldbm_delete( LDBM ldbm, Datum key )
+{
+ int rc;
+ Datum int_key;
+
+ /* LDBM_WLOCK; */
+
+#ifdef NO_NULL_KEY
+ int_key.dsize = key.dsize + 1;
+ int_key.dptr = malloc(int_key.dsize);
+ *(int_key.dptr) = 'l';
+ AC_MEMCPY( (void *)(int_key.dptr + 1), key.dptr, key.dsize );
+#else
+ int_key = key;
+#endif
+
+ rc = mdbm_delete( ldbm, int_key );
+
+ /* LDBM_WUNLOCK; */
+#ifdef NO_NULL_KEY
+ free(int_key.dptr);
+#endif
+
+ return( rc );
+}
+
+static Datum
+ldbm_get_next( LDBM ldbm, kvpair (*fptr)(MDBM *, kvpair) )
+{
+ kvpair out;
+ kvpair in;
+ Datum ret;
+ size_t sz = MDBM_PAGE_SIZE(ldbm);
+#ifdef NO_NULL_KEY
+ int delta = 1;
+#else
+ int delta = 0;
+#endif
+
+ /* LDBM_RLOCK; */
+
+ in.key.dsize = sz; /* Assume first key in one pg */
+ in.key.dptr = malloc(sz);
+
+ in.val.dptr = NULL; /* Don't need data just key */
+ in.val.dsize = 0;
+
+ ret.dptr = NULL;
+ ret.dsize = NULL;
+
+ out = fptr( ldbm, in );
+
+ if (out.key.dsize > 0) {
+ ret.dsize = out.key.dsize - delta;
+
+ if ((ret.dptr = (char *)malloc(ret.dsize)) == NULL) {
+ ret.dsize = 0;
+ ret.dptr = NULL;
+
+ } else {
+ AC_MEMCPY(ret.dptr, (void *)(out.key.dptr + delta),
+ ret.dsize );
+ }
+ }
+
+ /* LDBM_RUNLOCK; */
+
+ free(in.key.dptr);
+ return ret;
+}
+
+Datum
+ldbm_firstkey( LDBM ldbm, LDBMCursor **dbcp )
+{
+ return ldbm_get_next( ldbm, mdbm_first );
+}
+
+Datum
+ldbm_nextkey( LDBM ldbm, Datum key, LDBMCursor *dbcp )
+{
+ /* XXX:
+ * don't know if this will affect the LDAP server operation
+ * but mdbm cannot take and input key.
+ */
+
+ return ldbm_get_next( ldbm, mdbm_next );
+}
+
+int
+ldbm_errno( LDBM ldbm )
+{
+ /* XXX: best we can do with current mdbm interface */
+ return( errno );
+}
+
+#elif defined( HAVE_NDBM )
+
+/*****************************************************************
+ * *
+ * if no gdbm or mdbm, fall back to using ndbm, the standard unix thing *
+ * *
+ *****************************************************************/
+
+/* ARGSUSED */
+LDBM
+ldbm_open( DB_ENV *env, char *name, int rw, int mode, int dbcachesize )
+{
+ LDBM ldbm;
+
+ LDBM_WLOCK;
+ ldbm = dbm_open( name, rw, mode );
+ LDBM_WUNLOCK;
+
+ return( ldbm );
+}
+
+void
+ldbm_close( LDBM ldbm )
+{
+ LDBM_WLOCK;
+ dbm_close( ldbm );
+ LDBM_WUNLOCK;
+}
+
+/* ARGSUSED */
+void
+ldbm_sync( LDBM ldbm )
+{
+ return;
+}
+
+Datum
+ldbm_fetch( LDBM ldbm, Datum key )
+{
+ Datum d;
+
+ LDBM_RLOCK;
+ d = ldbm_datum_dup( ldbm, dbm_fetch( ldbm, key ) );
+ LDBM_RUNLOCK;
+
+ return d;
+}
+
+int
+ldbm_store( LDBM ldbm, Datum key, Datum data, int flags )
+{
+ int rc;
+
+ LDBM_WLOCK;
+ rc = dbm_store( ldbm, key, data, flags );
+ LDBM_WUNLOCK;
+
+ return rc;
+}
+
+int
+ldbm_delete( LDBM ldbm, Datum key )
+{
+ int rc;
+
+ LDBM_WLOCK;
+ rc = dbm_delete( ldbm, key );
+ LDBM_WUNLOCK;
+
+ return rc;
+}
+
+Datum
+ldbm_firstkey( LDBM ldbm, LDBMCursor **dbcp )
+{
+ Datum d;
+
+ LDBM_RLOCK;
+ d = dbm_firstkey( ldbm );
+ LDBM_RUNLOCK;
+
+ return d;
+}
+
+Datum
+ldbm_nextkey( LDBM ldbm, Datum key, LDBMCursor *dbcp )
+{
+ Datum d;
+
+ LDBM_RLOCK;
+ d = dbm_nextkey( ldbm );
+ LDBM_RUNLOCK;
+
+ return d;
+}
+
+int
+ldbm_errno( LDBM ldbm )
+{
+ int err;
+
+ LDBM_WLOCK;
+ err = dbm_error( ldbm );
+ LDBM_WUNLOCK;
+
+ return err;
+}
+
+#endif /* ndbm */
+#endif /* ldbm */
--- /dev/null
+/* ldbm.h - ldap dbm compatibility routine header file */
+/* $OpenLDAP$ */
+/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
+ *
+ * Copyright 1998-2003 The OpenLDAP Foundation.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
+ *
+ * A copy of this license is available in file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * <http://www.OpenLDAP.org/license.html>.
+ */
+
+#ifndef _LDBM_H_
+#define _LDBM_H_
+
+#include <ldap_cdefs.h>
+#include <ac/string.h>
+
+/* dummy DB_ENV for non Berkeley DB */
+#if !defined( LDBM_USE_DBBTREE ) && !defined( LDBM_USE_DBHASH )
+# define DB_ENV void
+#endif
+
+#if defined( LDBM_USE_DBBTREE ) || defined( LDBM_USE_DBHASH )
+
+/*****************************************************************
+ * *
+ * use berkeley db btree or hash package *
+ * *
+ *****************************************************************/
+#include <sys/types.h>
+#include <limits.h>
+#include <fcntl.h>
+
+#ifdef HAVE_DB_185_H
+# include <db_185.h>
+#else
+# ifdef HAVE_DB1_DB_H
+# include <db1/db.h>
+# else
+# include <db.h>
+# endif
+#endif
+
+#ifndef DB_VERSION_MAJOR
+# define DB_VERSION_MAJOR 1
+#endif
+#ifndef DB_VERSION_MINOR
+# define DB_VERSION_MINOR 85
+#endif
+
+#if DB_VERSION_MAJOR >= 2
+# define R_NOOVERWRITE DB_NOOVERWRITE
+# ifndef DEFAULT_DB_PAGE_SIZE
+# define DEFAULT_DB_PAGE_SIZE 4096
+# endif
+#else
+# define DB_ENV void
+#endif
+
+
+LDAP_BEGIN_DECL
+
+typedef DBT Datum;
+#define dsize size
+#define dptr data
+
+typedef DB *LDBM;
+
+
+/* for ldbm_open */
+#if DB_VERSION_MAJOR >= 2
+typedef DBC LDBMCursor;
+
+# define LDBM_READER DB_RDONLY
+# define LDBM_WRITER 0x00000 /* hopefully */
+# if defined( HAVE_BERKELEY_DB_THREAD )
+# define LDBM_WRCREAT (DB_NOMMAP|DB_CREATE|DB_THREAD)
+# define LDBM_NEWDB (DB_TRUNCATE|DB_CREATE|DB_THREAD)
+# else
+# define LDBM_WRCREAT (DB_NOMMAP|DB_CREATE)
+# define LDBM_NEWDB (DB_TRUNCATE|DB_CREATE)
+# endif
+
+#else
+typedef void LDBMCursor;
+# define LDBM_READER O_RDONLY
+# define LDBM_WRITER O_RDWR
+# define LDBM_WRCREAT (O_RDWR|O_CREAT)
+# define LDBM_NEWDB (O_RDWR|O_TRUNC|O_CREAT)
+#endif
+
+LDAP_END_DECL
+
+/* for ldbm_open */
+#define LDBM_NOSYNC 0
+#define LDBM_SYNC 0
+#define LDBM_LOCKING 0
+#define LDBM_NOLOCKING 0
+
+/* for ldbm_insert */
+#define LDBM_INSERT R_NOOVERWRITE
+#define LDBM_REPLACE 0
+
+#ifdef LDBM_USE_DBBTREE
+# define LDBM_ORDERED 1
+# define LDBM_SUFFIX ".dbb"
+# define DB_TYPE DB_BTREE
+#else
+# define LDBM_SUFFIX ".dbh"
+# define DB_TYPE DB_HASH
+#endif
+
+#elif defined( HAVE_GDBM )
+
+/*****************************************************************
+ * *
+ * use gdbm if possible *
+ * *
+ *****************************************************************/
+
+#include <gdbm.h>
+
+LDAP_BEGIN_DECL
+
+typedef datum Datum;
+typedef Datum LDBMCursor;
+typedef GDBM_FILE LDBM;
+
+LDAP_END_DECL
+
+/* for ldbm_open */
+#define LDBM_READER GDBM_READER
+#define LDBM_WRITER GDBM_WRITER
+#define LDBM_WRCREAT GDBM_WRCREAT
+#define LDBM_NEWDB GDBM_NEWDB
+
+#ifdef GDBM_FAST
+#define LDBM_NOSYNC GDBM_FAST
+#else
+#define LDBM_NOSYNC 0
+#endif
+
+#ifdef GDBM_SYNC
+#define LDBM_SYNC GDBM_SYNC
+#else
+#define LDBM_SYNC 0
+#endif
+
+#define LDBM_LOCKING 0
+#ifdef GDBM_NOLOCK
+#define LDBM_NOLOCKING GDBM_NOLOCK
+#else
+#define LDBM_NOLOCKING 0
+#endif
+
+#define LDBM_SUFFIX ".gdbm"
+
+/* for ldbm_insert */
+#define LDBM_INSERT GDBM_INSERT
+#define LDBM_REPLACE GDBM_REPLACE
+
+#elif defined( HAVE_MDBM )
+
+/*****************************************************************
+ * *
+ * use mdbm if possible *
+ * *
+ *****************************************************************/
+
+#include <mdbm.h>
+
+LDAP_BEGIN_DECL
+
+typedef datum Datum;
+typedef int LDBMCursor;
+typedef MDBM *LDBM;
+
+LDAP_END_DECL
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+
+/* for ldbm_open */
+#define LDBM_READER O_RDONLY
+#define LDBM_WRITER O_RDWR
+#define LDBM_WRCREAT (O_RDWR|O_CREAT)
+#define LDBM_NEWDB (O_RDWR|O_TRUNC|O_CREAT)
+
+#define LDBM_SYNC 0
+#define LDBM_NOSYNC 0
+#define LDBM_LOCKING 0
+#define LDBM_NOLOCKING 0
+
+#define LDBM_SUFFIX ".mdbm"
+
+/* for ldbm_insert */
+#define LDBM_INSERT MDBM_INSERT
+#define LDBM_REPLACE MDBM_REPLACE
+
+#elif defined( HAVE_NDBM )
+
+/*****************************************************************
+ * *
+ * if none of the above use ndbm, the standard unix thing *
+ * *
+ *****************************************************************/
+
+#include <ndbm.h>
+
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+
+LDAP_BEGIN_DECL
+
+typedef datum Datum;
+typedef int LDBMCursor;
+typedef DBM *LDBM;
+
+LDAP_END_DECL
+
+/* for ldbm_open */
+#define LDBM_READER O_RDONLY
+#define LDBM_WRITER O_WRONLY
+#define LDBM_WRCREAT (O_RDWR|O_CREAT)
+#define LDBM_NEWDB (O_RDWR|O_TRUNC|O_CREAT)
+
+#define LDBM_NOSYNC 0
+#define LDBM_SYNC 0
+#define LDBM_NOLOCK 0
+#define LDBM_SYNC 0
+
+#define LDBM_SUFFIX ".ndbm"
+
+/* for ldbm_insert */
+#define LDBM_INSERT DBM_INSERT
+#define LDBM_REPLACE DBM_REPLACE
+
+#endif
+
+LDAP_BEGIN_DECL
+
+LDAP_LDBM_F (int) ldbm_initialize( const char * );
+LDAP_LDBM_F (int) ldbm_shutdown( void );
+
+LDAP_LDBM_F (DB_ENV*) ldbm_initialize_env(const char *, int dbcachesize, int *envdirok);
+LDAP_LDBM_F (void) ldbm_shutdown_env(DB_ENV *);
+
+LDAP_LDBM_F (int) ldbm_errno( LDBM ldbm );
+LDAP_LDBM_F (LDBM) ldbm_open( DB_ENV *env, char *name, int rw, int mode, int dbcachesize );
+LDAP_LDBM_F (void) ldbm_close( LDBM ldbm );
+LDAP_LDBM_F (void) ldbm_sync( LDBM ldbm );
+LDAP_LDBM_F (void) ldbm_datum_free( LDBM ldbm, Datum data );
+LDAP_LDBM_F (Datum) ldbm_datum_dup( LDBM ldbm, Datum data );
+LDAP_LDBM_F (Datum) ldbm_fetch( LDBM ldbm, Datum key );
+LDAP_LDBM_F (int) ldbm_store( LDBM ldbm, Datum key, Datum data, int flags );
+LDAP_LDBM_F (int) ldbm_delete( LDBM ldbm, Datum key );
+
+LDAP_LDBM_F (Datum) ldbm_firstkey( LDBM ldbm, LDBMCursor **cursor );
+LDAP_LDBM_F (Datum) ldbm_nextkey( LDBM ldbm, Datum key, LDBMCursor *cursor );
+
+/* initialization of Datum structures */
+#if defined( HAVE_BERKELEY_DB ) && (DB_VERSION_MAJOR >= 2)
+ LDAP_LDBM_F (void *) ldbm_malloc( size_t size );
+# define ldbm_datum_init(d) ((void)memset(&(d), '\0', sizeof(Datum)))
+#else
+# define ldbm_datum_init(d) ((void)0)
+#endif /* HAVE_BERKELEY_DB */
+
+LDAP_END_DECL
+
+#endif /* _ldbm_h_ */
struct ldbminfo *li = (struct ldbminfo *) op->o_bd->be_private;
struct berval p_dn, p_ndn;
struct berval new_dn = { 0, NULL}, new_ndn = { 0, NULL };
+ struct berval old_ndn = { 0, NULL };
Entry *e, *p = NULL;
Entry *matched;
/* LDAP v2 supporting correct attribute handling. */
LDAPRDN new_rdn = NULL;
LDAPRDN old_rdn = NULL;
int isroot = -1;
-#define CAN_ROLLBACK -1
-#define MUST_DESTROY 1
- int rc = CAN_ROLLBACK;
int rc_id = 0;
ID id = NOID;
const char *text = NULL;
"type(s)/values(s) of newrdn\n",
0, 0, 0 );
#endif
+ send_ldap_error( op, rs, LDAP_INVALID_DN_SYNTAX,
+ "unknown type(s) used in RDN" );
goto return_results;
}
"the old_rdn type(s)/value(s)\n",
0, 0, 0 );
#endif
+ send_ldap_error( op, rs, LDAP_OTHER,
+ "cannot parse RDN from old DN" );
goto return_results;
}
}
#endif
if ( slap_modrdn2mods( op, rs, e, old_rdn, new_rdn, &mod ) != LDAP_SUCCESS ) {
+ send_ldap_result( op, rs );
goto return_results;
}
-
/* check for abandon */
if ( op->o_abandon ) {
goto return_results;
}
- /* delete old one */
- if ( dn2id_delete( op->o_bd, &e->e_nname, e->e_id ) != 0 ) {
- send_ldap_error( op, rs, LDAP_OTHER,
- "DN index delete fail" );
- goto return_results;
- }
-
(void) cache_delete_entry( &li->li_cache, e );
- rc = MUST_DESTROY;
-
- /* XXX: there is no going back! */
free( e->e_dn );
- free( e->e_ndn );
+ old_ndn = e->e_nname;
e->e_name = new_dn;
e->e_nname = new_ndn;
new_dn.bv_val = NULL;
* They are used by cache.
*/
- /* add new one */
- if ( dn2id_add( op->o_bd, &e->e_nname, e->e_id ) != 0 ) {
- send_ldap_error( op, rs, LDAP_OTHER,
- "DN index add failed" );
- goto return_results;
- }
-
/* modify memory copy of entry */
- rc_id = ldbm_modify_internal( op, &mod[0], e,
+ rs->sr_err = ldbm_modify_internal( op, &mod[0], e,
&rs->sr_text, textbuf, textlen );
- switch ( rc_id ) {
+ switch ( rs->sr_err ) {
case LDAP_SUCCESS:
break;
- case SLAPD_ABANDON:
- /* too late ... */
- rs->sr_err = rc_id;
- send_ldap_result( op, rs );
- goto return_results;
-
default:
- /* here we may try to delete the newly added dn */
- if ( dn2id_delete( op->o_bd, &e->e_nname, e->e_id ) != 0 ) {
- /* we already are in trouble ... */
- ;
- }
+ send_ldap_result( op, rs );
+ /* FALLTHRU */
+ case SLAPD_ABANDON:
goto return_results;
}
- (void) cache_update_entry( &li->li_cache, e );
+ /* add new one */
+ if ( dn2id_add( op->o_bd, &e->e_nname, e->e_id ) != 0 ) {
+ send_ldap_error( op, rs, LDAP_OTHER,
+ "DN index add failed" );
+ goto return_results;
+ }
+ /* delete old one */
+ if ( dn2id_delete( op->o_bd, &old_ndn, e->e_id ) != 0 ) {
+ /* undo add of new one */
+ dn2id_delete( op->o_bd, &e->e_nname, e->e_id );
+ send_ldap_error( op, rs, LDAP_OTHER,
+ "DN index delete fail" );
+ goto return_results;
+ }
/* id2entry index */
if ( id2entry_add( op->o_bd, e ) != 0 ) {
+ /* Try to undo */
+ dn2id_delete( op->o_bd, &e->e_nname, e->e_id );
+ dn2id_add( op->o_bd, &old_ndn, e->e_id );
send_ldap_error( op, rs, LDAP_OTHER,
"entry update failed" );
goto return_results;
}
+ (void) cache_update_entry( &li->li_cache, e );
+
rs->sr_err = LDAP_SUCCESS;
rs->sr_text = NULL;
send_ldap_result( op, rs );
- rc = 0;
cache_entry_commit( e );
return_results:
if( new_dn.bv_val != NULL ) free( new_dn.bv_val );
if( new_ndn.bv_val != NULL ) free( new_ndn.bv_val );
+ if( old_ndn.bv_val != NULL ) free( old_ndn.bv_val );
/* LDAP v2 supporting correct attribute handling. */
if ( new_rdn != NULL ) {
/* free entry and writer lock */
cache_return_entry_w( &li->li_cache, e );
- if ( rc == MUST_DESTROY ) {
- /* if rc == MUST_DESTROY the entry is uncached
- * and its private data is destroyed;
- * the entry must be freed */
- entry_free( e );
- }
ldap_pvt_thread_rdwr_wunlock(&li->li_giant_rwlock);
rs->sr_text = NULL;
- return( rc );
+ return( rs->sr_err );
}
+++ /dev/null
-/* passwd.c - ldbm backend password routines */
-/* $OpenLDAP$ */
-/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
- *
- * Copyright 1998-2003 The OpenLDAP Foundation.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted only as authorized by the OpenLDAP
- * Public License.
- *
- * A copy of this license is available in the file LICENSE in the
- * top-level directory of the distribution or, alternatively, at
- * <http://www.OpenLDAP.org/license.html>.
- */
-
-#include "portable.h"
-
-#include <stdio.h>
-
-#include <ac/socket.h>
-#include <ac/string.h>
-
-#include "slap.h"
-#include "back-ldbm.h"
-#include "proto-back-ldbm.h"
-#include "lber_pvt.h"
-
-int
-ldbm_back_exop_passwd(
- Operation *op,
- SlapReply *rs )
-{
- struct ldbminfo *li = (struct ldbminfo *) op->o_bd->be_private;
- int rc;
- Entry *e = NULL;
- struct berval hash = { 0, NULL };
-
- struct berval id = { 0, NULL };
- struct berval new = { 0, NULL };
-
- struct berval dn = { 0, NULL };
- struct berval ndn = { 0, NULL };
-
- assert( ber_bvcmp( &slap_EXOP_MODIFY_PASSWD, &op->oq_extended.rs_reqoid ) == 0 );
-
- rc = slap_passwd_parse( op->oq_extended.rs_reqdata,
- &id, NULL, &new, &rs->sr_text );
-
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_LDBM, ENTRY,
- "ldbm_back_exop_passwd: \"%s\"\n", id.bv_val ? id.bv_val : "", 0,0 );
-#else
- Debug( LDAP_DEBUG_ARGS, "==> ldbm_back_exop_passwd: \"%s\"\n",
- id.bv_val ? id.bv_val : "", 0, 0 );
-#endif
-
- if( rc != LDAP_SUCCESS ) {
- goto done;
- }
-
- if( new.bv_len == 0 ) {
- slap_passwd_generate(&new);
-
- if( new.bv_len == 0 ) {
- rs->sr_text = "password generation failed.";
- rc = LDAP_OTHER;
- goto done;
- }
-
- rs->sr_rspdata = slap_passwd_return( &new );
- }
-
- slap_passwd_hash( &new, &hash, &rs->sr_text );
-
- if( hash.bv_len == 0 ) {
- if( !rs->sr_text ) rs->sr_text = "password hash failed";
- rc = LDAP_OTHER;
- goto done;
- }
-
- if( id.bv_len ) {
- dn = id;
- } else {
- dn = op->o_dn;
- }
-
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_LDBM, DETAIL1,
- "ldbm_back_exop_passwd: \"%s\"%s\n",
- dn.bv_val, id.bv_len ? " (proxy)" : "", 0 );
-#else
- Debug( LDAP_DEBUG_TRACE, "passwd: \"%s\"%s\n",
- dn.bv_val, id.bv_len ? " (proxy)" : "", 0 );
-#endif
-
- if( dn.bv_len == 0 ) {
- rs->sr_text = "No password is associated with the Root DSE";
- rc = LDAP_UNWILLING_TO_PERFORM;
- goto done;
- }
-
- rc = dnNormalize( 0, NULL, NULL, &dn, &ndn, op->o_tmpmemctx );
- if( rc != LDAP_SUCCESS ) {
- rs->sr_text = "Invalid DN";
- goto done;
- }
-
- /* grab giant lock for writing */
- ldap_pvt_thread_rdwr_wlock(&li->li_giant_rwlock);
-
- e = dn2entry_w( op->o_bd, &ndn, NULL );
-
- if ( e == NULL || is_entry_glue( e )) {
- /* FIXME : dn2entry() should return non-glue entry */
- ldap_pvt_thread_rdwr_wunlock(&li->li_giant_rwlock);
- rs->sr_text = "could not locate authorization entry";
- rc = LDAP_NO_SUCH_OBJECT;
- goto done;
- }
-
-#ifdef LDBM_SUBENTRIES
- if( is_entry_subentry( e ) ) {
- /* entry is a subentry, don't allow operation */
- rs->sr_text = "authorization entry is subentry";
- rc = LDAP_OTHER;
- goto done;
- }
-#endif
-
- if( is_entry_alias( e ) ) {
- /* entry is an alias, don't allow operation */
- rs->sr_text = "authorization entry is alias";
- rc = LDAP_ALIAS_PROBLEM;
- goto done;
- }
-
- rc = LDAP_OTHER;
-
- if( is_entry_referral( e ) ) {
- /* entry is an referral, don't allow operation */
- rs->sr_text = "authorization entry is referral";
- goto done;
- }
-
- {
- Modifications ml;
- struct berval vals[2];
- char textbuf[SLAP_TEXT_BUFLEN]; /* non-returnable */
-
- vals[0] = hash;
- vals[1].bv_val = NULL;
-
- ml.sml_desc = slap_schema.si_ad_userPassword;
- ml.sml_values = vals;
- ml.sml_nvalues = vals;
- ml.sml_op = LDAP_MOD_REPLACE;
- ml.sml_next = NULL;
-
- rc = ldbm_modify_internal( op,
- &ml, e, &rs->sr_text, textbuf,
- sizeof( textbuf ) );
-
- /* FIXME: ldbm_modify_internal may set *text = textbuf,
- * which is BAD */
- if ( rs->sr_text == textbuf ) {
- rs->sr_text = NULL;
- }
-
- if( rc ) {
- /* cannot return textbuf */
- rs->sr_text = "entry modify failed";
- goto done;
- }
-
- /* change the entry itself */
- if( id2entry_add( op->o_bd, e ) != 0 ) {
- rs->sr_text = "entry update failed";
- rc = LDAP_OTHER;
- }
-
- if( rc == LDAP_SUCCESS ) {
- replog( op );
- }
- }
-
-done:
- if( e != NULL ) {
- cache_return_entry_w( &li->li_cache, e );
- ldap_pvt_thread_rdwr_wunlock(&li->li_giant_rwlock);
- }
-
- if( hash.bv_val != NULL ) {
- free( hash.bv_val );
- }
-
- if( ndn.bv_val != NULL ) {
- op->o_tmpfree( ndn.bv_val, op->o_tmpmemctx );
- }
-
- return rc;
-}
struct berval *k,
ID_BLOCK **idout ));
-/*
- * passwd.c
- */
-extern BI_op_extended ldbm_back_exop_passwd;
-
/*
* modify.c
* These prototypes are placed here because they are used by modify and
+++ /dev/null
-Copyright 2001, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
-
-* Mon Apr 30 2001 Pierangelo Masarati <ando@sys-net.it>
-- split back-meta from back-ldap
-- inplement init, config, bind, search, unbind
-
-* Tue May 01 2001 Pierangelo Masarati <ando@sys-net.it>
-- refined search propagation based on scope; in case of base shorter
- than candidate target suffix:
- "sub" propagates to all candidate targets,
- "one" propagates to candidate targets only if base is
- no more than one level shorter than suffix; in such
- case scope is changed into "base"
- "base" does not propagate (no such object error)
-
-* Tue May 01 2001 Pierangelo Masarati <ando@sys-net.it>
-- added checks in config.c
-- fixed leaks in search.c
-
-* Fri May 04 2001 Pierangelo Masarati <ando@sys-net.it>
-- added dn cache
-- added test
-
-* Sat May 05 2001 Pierangelo Masarati <ando@sys-net.it>
-- added missing functions
-- fixed flaw in group/attribute funcs (affects also back-ldap)
- now meta_back_group works fine (group ACLS); nothing to say
- about meta_back_attribute: unable to trigger it!
-- attributes with dn syntax are rewritten back in search results
- (otherwise "dnattr"-style ACLs don't work). Now attrs with
- dn syntax need be rewritten forth in add/modify ...
-
-* Sun May 06 2001 Pierangelo Masarati <ando@sys-net.it>
-- attributes with dn syntax are rewritten during add/modify operations
- (otherwise "dnattr"-style ACLs don't work).
-- same back/forth rewriting has been applied to back-ldap;
- actually, the add/modify rewriting function has been implemented
- in bacl-ldap (ldap_dnattr_rewrite) and recycled in back-meta
-- fixed bug in invocation of meta_back_dobind in delete.c
-- code for deletion of "lastmod" attrs has been commented;
- explicit "lastmod off" has been recommended in FAQ.
-- fixed a missing return in suffix_massage_config
-
-* Sun May 06 2001 Pierangelo Masarati <ando@sys-net.it>
-- fixed flaw in group.c both in back-ldap and back-meta: the group ndn
- was not rewritten.
-
-* Tue May 08 2001 Pierangelo Masarati <ando@sys-net.it>
-- removed the limitation on target naming contexts; now they can be the same
-- added support for default target; it may be disabled or set to one of
- the targets, resulting in that target being selected any time there's
- a non-unique target selection (the target is missing or multiple targets
- are selected for a add/modify/delete/compare/... operation).
- TODO: should be more flexible, e.g. let the administrator decide
- whether the default target may be used or not.
-- fixed a subtle bind/cache bug.
-- added helpers to clear target connections when they're no longer candidate.
-
-* Wed May 09 2001 Pierangelo Masarati <ando@sys-net.it>
-- reworked connection stuff in a separate file
-- reworked meta_back_getconn to handle singe/multiple target selection
- correctly and atomicly
-- checked attribute mapping stuff
-
-* Fri May 11 2001 Pierangelo Masarati <ando@sys-net.it>
-- reworked compare to spawn the request on candidate targets
-
+++ /dev/null
-Copyright 1999-2003 The OpenLDAP Foundation.
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted only as authorized by the OpenLDAP
-Public License.
-
-A copy of this license is available in the file LICENSE in the
-top-level directory of the distribution or, alternatively, at
-<http://www.OpenLDAP.org/license.html>.
-
----
-This is an altered version.
----
-
-Copyright 2001, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
-
-This work has been developed to fulfill the requirements
-of SysNet s.n.c. <http:www.sys-net.it> and it has been donated
-to the OpenLDAP Foundation in the hope that it may be useful
-to the Open Source community, but WITHOUT ANY WARRANTY.
-
-Permission is granted to anyone to use this software for any purpose
-on any computer system, and to alter it and redistribute it, subject
-to the following restrictions:
-
-1. The author and SysNet s.n.c. are not responsible for the consequences
- of use of this software, no matter how awful, even if they arise from
- flaws in it.
-
-2. The origin of this software must not be misrepresented, either by
- explicit claim or by omission. Since few users ever read sources,
- credits should appear in the documentation.
-
-3. Altered versions must be plainly marked as such, and must not be
- misrepresented as being the original software. Since few users
- ever read sources, credits should appear in the documentation.
- SysNet s.n.c. cannot be responsible for the consequences of the
- alterations.
-
-4. This notice may not be removed or altered.
-
-This software is based on the backend back-ldap, implemented by
-Howard Chu <hyc@highlandsun.com>, and modified by Mark Valence
-<kurash@sassafras.com>, Pierangelo Masarati <ando@sys-net.it> and
-other contributors. The contribution of the original software to
-the present implementation is acknowledged in this copyright
-statement.
-
-A special acknowledgement goes to Howard for the overall architecture
-(and for borrowing large pieces of code), and to Mark, who implemented
-from scratch the attribute/objectclass mapping.
-
-The original copyright statement follows.
-
-Copyright 1999, Howard Chu, All rights reserved. <hyc@highlandsun.com>
-
-Permission is granted to anyone to use this software for any purpose
-on any computer system, and to alter it and redistribute it, subject
-to the following restrictions:
-
-1. The author is not responsible for the consequences of use of this
- software, no matter how awful, even if they arise from flaws in it.
-
-2. The origin of this software must not be misrepresented, either by
- explicit claim or by omission. Since few users ever read sources,
- credits should appear in the documentation.
-
-3. Altered versions must be plainly marked as such, and must not be
- misrepresented as being the original software. Since few users
- ever read sources, credits should appear in the documentation.
-
-4. This notice may not be removed or altered.
-
-
+++ /dev/null
-The Meta Backend is described in the slapd-meta(5) manual page.
## <http://www.OpenLDAP.org/license.html>.
SRCS = init.c config.c search.c bind.c unbind.c add.c compare.c \
- cache-query.c cache-search.c cache-config.c cache-merge.c \
- cache-template.c cache-substring.c cache-remove.c \
delete.c modify.c modrdn.c \
conn.c candidates.c dncache.c
OBJS = init.lo config.lo search.lo bind.lo unbind.lo add.lo compare.lo \
- cache-query.lo cache-search.lo cache-config.lo cache-merge.lo \
- cache-template.lo cache-substring.lo cache-remove.lo \
delete.lo modify.lo modrdn.lo \
conn.lo candidates.lo dncache.lo
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 1999-2003 The OpenLDAP Foundation.
+ * Portions Copyright 2001-2003 Pierangelo Masarati.
+ * Portions Copyright 1999-2003 Howard Chu.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* in OpenLDAP Software and subsequently enhanced by Pierangelo
* Masarati.
*/
-/* This is an altered version */
-/* Copyright 2001, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
- *
- * This work has been developed to fulfill the requirements
- * of SysNet s.n.c. <http:www.sys-net.it> and it has been donated
- * to the OpenLDAP Foundation in the hope that it may be useful
- * to the Open Source community, but WITHOUT ANY WARRANTY.
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author and SysNet s.n.c. are not responsible for the consequences
- * of use of this software, no matter how awful, even if they arise from
- * flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- * SysNet s.n.c. cannot be responsible for the consequences of the
- * alterations.
- *
- * 4. This notice may not be removed or altered.
- *
- *
- * This software is based on the backend back-ldap, implemented
- * by Howard Chu <hyc@highlandsun.com>, and modified by Mark Valence
- * <kurash@sassafras.com>, Pierangelo Masarati <ando@sys-net.it> and other
- * contributors. The contribution of the original software to the present
- * implementation is acknowledged in this copyright statement.
- *
- * A special acknowledgement goes to Howard for the overall architecture
- * (and for borrowing large pieces of code), and to Mark, who implemented
- * from scratch the attribute/objectclass mapping.
- *
- * The original copyright statement follows.
- *
- * Copyright 1999, Howard Chu, All rights reserved. <hyc@highlandsun.com>
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author is not responsible for the consequences of use of this
- * software, no matter how awful, even if they arise from flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the
- * documentation.
- *
- * 4. This notice may not be removed or altered.
- *
- */
#include "portable.h"
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 1999-2003 The OpenLDAP Foundation.
+ * Portions Copyright 2001-2003 Pierangelo Masarati.
+ * Portions Copyright 1999-2003 Howard Chu.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* in OpenLDAP Software and subsequently enhanced by Pierangelo
* Masarati.
*/
-/* This is an altered version */
-/*
- * Copyright 2001, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
- *
- * This work has been developed to fulfill the requirements
- * of SysNet s.n.c. <http:www.sys-net.it> and it has been donated
- * to the OpenLDAP Foundation in the hope that it may be useful
- * to the Open Source community, but WITHOUT ANY WARRANTY.
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author and SysNet s.n.c. are not responsible for the consequences
- * of use of this software, no matter how awful, even if they arise from
- * flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- * SysNet s.n.c. cannot be responsible for the consequences of the
- * alterations.
- *
- * 4. This notice may not be removed or altered.
- *
- *
- * This software is based on the backend back-ldap, implemented
- * by Howard Chu <hyc@highlandsun.com>, and modified by Mark Valence
- * <kurash@sassafras.com>, Pierangelo Masarati <ando@sys-net.it> and other
- * contributors. The contribution of the original software to the present
- * implementation is acknowledged in this copyright statement.
- *
- * A special acknowledgement goes to Howard for the overall architecture
- * (and for borrowing large pieces of code), and to Mark, who implemented
- * from scratch the attribute/objectclass mapping.
- *
- * The original copyright statement follows.
- *
- * Copyright 1999, Howard Chu, All rights reserved. <hyc@highlandsun.com>
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author is not responsible for the consequences of use of this
- * software, no matter how awful, even if they arise from flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the
- * documentation.
- *
- * 4. This notice may not be removed or altered.
- *
- */
#include "portable.h"
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 1999-2003 The OpenLDAP Foundation.
+ * Portions Copyright 2001-2003 Pierangelo Masarati.
+ * Portions Copyright 1999-2003 Howard Chu.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* in OpenLDAP Software and subsequently enhanced by Pierangelo
* Masarati.
*/
-/* This is an altered version */
-/*
- * Copyright 1999, Howard Chu, All rights reserved. <hyc@highlandsun.com>
- *
- * Copyright 2001, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
- *
- * This work has been developed to fulfill the requirements
- * of SysNet s.n.c. <http:www.sys-net.it> and it has been donated
- * to the OpenLDAP Foundation in the hope that it may be useful
- * to the Open Source community, but WITHOUT ANY WARRANTY.
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author and SysNet s.n.c. are not responsible for the consequences
- * of use of this software, no matter how awful, even if they arise from
- * flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- * SysNet s.n.c. cannot be responsible for the consequences of the
- * alterations.
- *
- * 4. This notice may not be removed or altered.
- *
- *
- * This software is based on the backend back-ldap, implemented
- * by Howard Chu <hyc@highlandsun.com>, and modified by Mark Valence
- * <kurash@sassafras.com>, Pierangelo Masarati <ando@sys-net.it> and other
- * contributors. The contribution of the original software to the present
- * implementation is acknowledged in this copyright statement.
- *
- * A special acknowledgement goes to Howard for the overall architecture
- * (and for borrowing large pieces of code), and to Mark, who implemented
- * from scratch the attribute/objectclass mapping.
- *
- * The original copyright statement follows.
- *
- * Copyright 1999, Howard Chu, All rights reserved. <hyc@highlandsun.com>
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author is not responsible for the consequences of use of this
- * software, no matter how awful, even if they arise from flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the
- * documentation.
- *
- * 4. This notice may not be removed or altered.
- *
- */
#ifndef SLAPD_LDAP_H
#error "include servers/slapd/back-ldap/back-ldap.h before this file!"
/* String rewrite library */
#include "rewrite.h"
-#include "cache.h"
LDAP_BEGIN_DECL
struct slap_conn;
struct metatarget **targets;
struct rewrite_info *rwinfo;
- cache_manager *cm;
Backend *glue_be;
struct metadncache cache;
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 1999-2003 The OpenLDAP Foundation.
+ * Portions Copyright 2001-2003 Pierangelo Masarati.
+ * Portions Copyright 1999-2003 Howard Chu.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* in OpenLDAP Software and subsequently enhanced by Pierangelo
* Masarati.
*/
-/* This is an altered version */
-/*
- * Copyright 2001, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
- *
- * This work has been developed to fulfill the requirements
- * of SysNet s.n.c. <http:www.sys-net.it> and it has been donated
- * to the OpenLDAP Foundation in the hope that it may be useful
- * to the Open Source community, but WITHOUT ANY WARRANTY.
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author and SysNet s.n.c. are not responsible for the consequences
- * of use of this software, no matter how awful, even if they arise from
- * flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- * SysNet s.n.c. cannot be responsible for the consequences of the
- * alterations.
- *
- * 4. This notice may not be removed or altered.
- *
- *
- * This software is based on the backend back-ldap, implemented
- * by Howard Chu <hyc@highlandsun.com>, and modified by Mark Valence
- * <kurash@sassafras.com>, Pierangelo Masarati <ando@sys-net.it> and other
- * contributors. The contribution of the original software to the present
- * implementation is acknowledged in this copyright statement.
- *
- * A special acknowledgement goes to Howard for the overall architecture
- * (and for borrowing large pieces of code), and to Mark, who implemented
- * from scratch the attribute/objectclass mapping.
- *
- * The original copyright statement follows.
- *
- * Copyright 1999, Howard Chu, All rights reserved. <hyc@highlandsun.com>
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author is not responsible for the consequences of use of this
- * software, no matter how awful, even if they arise from flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the
- * documentation.
- *
- * 4. This notice may not be removed or altered.
- *
- */
#include "portable.h"
+++ /dev/null
-/* $OpenLDAP$ */
-/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
- *
- * Copyright 1999-2003 The OpenLDAP Foundation.
- * Portions Copyright 2003 IBM Corporation.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted only as authorized by the OpenLDAP
- * Public License.
- *
- * A copy of this license is available in the file LICENSE in the
- * top-level directory of the distribution or, alternatively, at
- * <http://www.OpenLDAP.org/license.html>.
- */
-/* ACKNOWLEDGEMENTS:
- * This work was initially developed by the Apurva Kumar for inclusion
- * in OpenLDAP Software.
- */
-
-#include "portable.h"
-
-#include <stdio.h>
-
-#include <ac/string.h>
-#include <ac/socket.h>
-
-#include "slap.h"
-#include "../back-ldap/back-ldap.h"
-#include "back-meta.h"
-
-#define MAX_ATTR_SETS 500
-static void find_supersets( struct attr_set* attr_sets, int numsets );
-static int compare_sets( struct attr_set* setA, int, int );
-
-int
-meta_back_cache_config(
- BackendDB *be,
- const char *fname,
- int lineno,
- int argc,
- char **argv
-)
-{
- struct metainfo *li = ( struct metainfo * )be->be_private;
-
- cache_manager* cm = li->cm;
- query_manager* qm = cm->qm;
- QueryTemplate* temp;
- AttributeName* attr_name;
- AttributeName* attrs;
- AttributeName* attrarray;
- const char* text=NULL;
-
- int index, i;
- int num;
-
- if ( li == NULL ) {
- fprintf( stderr, "%s: line %d: meta backend info is null!\n",
- fname, lineno );
- return 1;
- }
-
- if ( strcasecmp( argv[0], "cacheparams" ) == 0 ) {
- struct berval cache_suffix;
-
- if ( argc < 6 ) {
- fprintf( stderr, "%s: line %d: missing arguments in \"cacheparams"
- " <thresh_lo> <thresh_hi> <numattrsets> <entry limit> "
- "<cycle_time>\" \n", fname, lineno );
- return( 1 );
- }
-
- cm->caching = 1;
- cm->thresh_lo = atoi( argv[1] );
- cm->thresh_hi = atoi( argv[2] );
- if ( cm->thresh_hi <= cm->thresh_lo ) {
- fprintf( stderr, "%s: line %d: <thresh_lo> must be < <thresh_hi> "
- "in \"cacheparams <thresh_lo> <thresh_hi> <numattrsets> "
- "<entry limit> <cycle_time>\" \n", fname, lineno );
- return( 1 );
- }
-
- cm->numattrsets = atoi( argv[3] );
- if ( cm->numattrsets > MAX_ATTR_SETS ) {
- fprintf( stderr, "%s: line %d: <numattrsets> must be <= %d in "
- "\"cacheparams <thresh_lo> <thresh_hi> <numattrsets> "
- "<entry limit> <cycle_time>\" \n",
- fname, lineno, MAX_ATTR_SETS );
- return( 1 );
- }
-
- cm->num_entries_limit = atoi( argv[4] );
- cm->cc_period = atoi( argv[5] );
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL1,
- "Total # of attribute sets to be cached = %d\n",
- cm->numattrsets, 0, 0 );
-#else
- Debug( LDAP_DEBUG_ANY,
- "Total # of attribute sets to be cached = %d\n",
- cm->numattrsets, 0, 0 );
-#endif
- qm->attr_sets = ( struct attr_set * )malloc( cm->numattrsets *
- sizeof( struct attr_set ));
- for ( i = 0; i < cm->numattrsets; i++ ) {
- qm->attr_sets[i].attrs = NULL;
- }
- rewrite_session( li->rwinfo, "cacheBase", be->be_nsuffix[0].bv_val,
- 0, &cache_suffix.bv_val );
- if ( cache_suffix.bv_val != NULL ) {
- cache_suffix.bv_len = strlen( cache_suffix.bv_val );
- } else {
- cache_suffix = be->be_nsuffix[0];
- }
- li->glue_be = select_backend( &cache_suffix, 0, 1 );
- li->glue_be->be_flags |= SLAP_BFLAG_NO_SCHEMA_CHECK;
- if ( cache_suffix.bv_val != be->be_nsuffix[0].bv_val ) {
- ch_free( cache_suffix.bv_val );
- }
-
- } else if ( strcasecmp( argv[0], "attrset" ) == 0 ) {
- if ( argc < 3 ) {
- fprintf( stderr, "%s: line %d: missing arguments in \"attr-set "
- "<index> <attributes>\" line\n", fname, lineno );
- return( 1 );
- }
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL1, "Attribute Set # %d\n",
- atoi( argv[1] ), 0, 0 );
-#else
- Debug( LDAP_DEBUG_ANY, "Attribute Set # %d\n",
- atoi( argv[1] ), 0, 0 );
-#endif
- if (atoi(argv[1]) >= cm->numattrsets) {
- fprintf( stderr, "%s; line %d index out of bounds \n",
- fname, lineno );
- return 1;
- }
- index = atoi( argv[1] );
- if ( argv[2] && ( strcmp( argv[2], "*" ) != 0 )) {
- for ( i = 2; argv[i] != NULL; i++ ) {
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL1, "\t %s\n",
- argv[i], 0, 0 );
-#else
- Debug( LDAP_DEBUG_ANY, "\t %s\n",
- argv[i], 0, 0 );
-#endif
- attrs = qm->attr_sets[index].attrs;
- qm->attr_sets[index].attrs = (AttributeName*)realloc(
- attrs, i * sizeof( AttributeName ));
- attr_name = qm->attr_sets[index].attrs + ( i - 2 );
- ber_str2bv( argv[i], strlen(argv[i]), 1,
- &attr_name->an_name);
- attr_name->an_desc = NULL;
- slap_bv2ad( &attr_name->an_name,
- &attr_name->an_desc, &text );
- attr_name++;
- attr_name->an_name.bv_val = NULL;
- attr_name->an_name.bv_len = 0;
- }
- qm->attr_sets[index].count = i - 2;
- }
- } else if ( strcasecmp( argv[0], "addtemplate" ) == 0 ) {
- if ( argc != 4 ) {
- fprintf( stderr, "%s: line %d: missing argument(s) in "
- "\"addtemplate <filter> <proj attr set> <TTL>\" line\n",
- fname, lineno );
- return( 1 );
- }
- if (( i = atoi( argv[2] )) >= cm->numattrsets ) {
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL1,
- "%s: line %d, template index invalid\n",
- fname, lineno, 0 );
-#else
- Debug( LDAP_DEBUG_ANY,
- "%s: line %d, template index invalid\n",
- fname, lineno, 0 );
-#endif
- return 1;
- }
- num = cm->numtemplates;
- if ( num == 0 )
- find_supersets( qm->attr_sets, cm->numattrsets );
- qm->templates = ( QueryTemplate* )realloc( qm->templates,
- ( num + 2 ) * sizeof( QueryTemplate ));
- temp = qm->templates + num;
- ldap_pvt_thread_rdwr_init( &temp->t_rwlock );
- temp->query = temp->query_last = NULL;
- temp->ttl = atoi( argv[3] );
- temp->no_of_queries = 0;
- if ( argv[1] == NULL ) {
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL1,
- "Templates string not specified "
- "for template %d\n", num, 0, 0 );
-#else
- Debug( LDAP_DEBUG_ANY,
- "Templates string not specified "
- "for template %d\n", num, 0, 0 );
-#endif
- return 1;
- }
- temp->querystr = ch_strdup( argv[1] );
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL1, "Template:\n", 0, 0, 0 );
-#else
- Debug( LDAP_DEBUG_ANY, "Template:\n", 0, 0, 0 );
-#endif
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL1, " query template: %s\n",
- temp->querystr, 0, 0 );
-#else
- Debug( LDAP_DEBUG_ANY, " query template: %s\n",
- temp->querystr, 0, 0 );
-#endif
- temp->attr_set_index = i;
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL1, " attributes: \n", 0, 0, 0 );
-#else
- Debug( LDAP_DEBUG_ANY, " attributes: \n", 0, 0, 0 );
-#endif
- if ( ( attrarray = qm->attr_sets[i].attrs ) != NULL ) {
- for ( i=0; attrarray[i].an_name.bv_val; i++ )
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL1, "\t%s\n",
- attrarray[i].an_name.bv_val, 0, 0 );
-#else
- Debug( LDAP_DEBUG_ANY, "\t%s\n",
- attrarray[i].an_name.bv_val, 0, 0 );
-#endif
- }
- temp++;
- temp->querystr = NULL;
- cm->numtemplates++;
- }
- /* anything else */
- else {
- fprintf( stderr, "%s: line %d: unknown directive \"%s\" in meta "
- "database definition (ignored)\n",
- fname, lineno, argv[0] );
- }
- return 0;
-}
-
-void
-find_supersets ( struct attr_set* attr_sets, int numsets )
-{
- int num[MAX_ATTR_SETS];
- int i, j, res;
- int* id_array;
- for ( i = 0; i < MAX_ATTR_SETS; i++ )
- num[i] = 0;
-
- for ( i = 0; i < numsets; i++ ) {
- attr_sets[i].ID_array = (int*) malloc( sizeof( int ) );
- attr_sets[i].ID_array[0] = -1;
- }
-
- for ( i = 0; i < numsets; i++ ) {
- for ( j=i+1; j < numsets; j++ ) {
- res = compare_sets( attr_sets, i, j );
- switch ( res ) {
- case 0:
- break;
- case 3:
- case 1:
- id_array = attr_sets[i].ID_array;
- attr_sets[i].ID_array = (int *) realloc( id_array,
- ( num[i] + 2 ) * sizeof( int ));
- attr_sets[i].ID_array[num[i]] = j;
- attr_sets[i].ID_array[num[i]+1] = -1;
- num[i]++;
- if (res == 1)
- break;
- case 2:
- id_array = attr_sets[j].ID_array;
- attr_sets[j].ID_array = (int *) realloc( id_array,
- ( num[j] + 2 ) * sizeof( int ));
- attr_sets[j].ID_array[num[j]] = i;
- attr_sets[j].ID_array[num[j]+1] = -1;
- num[j]++;
- break;
- }
- }
- }
-}
-
-/*
- * compares two sets of attributes (indices i and j)
- * returns 0: if neither set is contained in the other set
- * 1: if set i is contained in set j
- * 2: if set j is contained in set i
- * 3: the sets are equivalent
- */
-
-int
-compare_sets(struct attr_set* set, int i, int j)
-{
- int k,l,numI,numJ;
- int common=0;
- int result=0;
-
- if (( set[i].attrs == NULL ) && ( set[j].attrs == NULL ))
- return 3;
-
- if ( set[i].attrs == NULL )
- return 2;
-
- if ( set[j].attrs == NULL )
- return 1;
-
- numI = set[i].count;
- numJ = set[j].count;
-
- for ( l=0; l < numI; l++ ) {
- for ( k = 0; k < numJ; k++ ) {
- if ( strcmp( set[i].attrs[l].an_name.bv_val,
- set[j].attrs[k].an_name.bv_val ) == 0 )
- common++;
- }
- }
-
- if ( common == numI )
- result = 1;
-
- if ( common == numJ )
- result += 2;
-
- return result;
-}
+++ /dev/null
-/* $OpenLDAP$ */
-/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
- *
- * Copyright 1999-2003 The OpenLDAP Foundation.
- * Portions Copyright 2003 IBM Corporation.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted only as authorized by the OpenLDAP
- * Public License.
- *
- * A copy of this license is available in the file LICENSE in the
- * top-level directory of the distribution or, alternatively, at
- * <http://www.OpenLDAP.org/license.html>.
- */
-/* ACKNOWLEDGEMENTS:
- * This work was initially developed by the Apurva Kumar for inclusion
- * in OpenLDAP Software.
- */
-
-#include "portable.h"
-
-#include <stdio.h>
-
-#include <ac/socket.h>
-#include <ac/string.h>
-#include <ac/time.h>
-
-#include "slap.h"
-#include "ldif.h"
-#include "../back-ldap/back-ldap.h"
-#include "back-meta.h"
-#include "ldap_pvt.h"
-#undef ldap_debug /* silence a warning in ldap-int.h */
-#include "ldap_log.h"
-#include "../../../libraries/libldap/ldap-int.h"
-#include <sys/time.h>
-
-static struct berval bv_queryid_any = BER_BVC( "(queryid=*)" );
-
-static Attribute*
-add_attribute(AttributeDescription *ad,
- Entry* e,
- BerVarray value_array
-);
-
-static int
-null_response (
- Operation *op,
- SlapReply *rs
-);
-
-static int
-normalize_values( Attribute* attr );
-
-struct entry_info {
- int size_init;
- int size_final;
- int added;
- Entry* entry;
- struct berval* uuid;
- struct timeval tv; /* time */
- enum type_of_result err;
- Backend* glue_be;
-};
-
-
-int
-get_entry_size(
- Entry* e,
- int size_init,
- struct exception* result )
-{
- Attribute *a;
- struct berval bv;
- int i;
- int tmplen;
- int size=0;
-
- if ( result )
- result->type = SUCCESS;
-
- if ( e->e_dn != NULL ) {
- tmplen = strlen( e->e_dn );
- size = LDIF_SIZE_NEEDED( 2, tmplen );
- }
-
- for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
- for ( i = 0; a->a_vals[i].bv_val != NULL; i++ ) {
- bv = a->a_vals[i];
- tmplen = a->a_desc->ad_cname.bv_len;
- size += LDIF_SIZE_NEEDED( tmplen, bv.bv_len);
- }
- }
- if ((size < size_init) && result) {
- result->type = SIZE_ERR;
- }
- return size;
-}
-
-int
-merge_entry(
- Operation *op,
- SlapReply *rs,
- struct berval* query_uuid,
- struct exception* result )
-{
- struct entry_info info;
- int rc;
- Modifications* modlist = NULL;
- const char* text = NULL;
- BerVarray value_array;
- Attribute *uuid_attr, *attr;
- Entry *e;
-
- SlapReply sreply = {REP_RESULT};
-
- Operation op_tmp = *op;
- slap_callback cb;
-
- sreply.sr_entry = NULL;
- sreply.sr_nentries = 0;
-
- e = ( Entry * ) ch_calloc( 1, sizeof( Entry ));
-
- dnPrettyNormal(0, &rs->sr_entry->e_name, &op_tmp.o_req_dn, &op_tmp.o_req_ndn, op->o_tmpmemctx);
- ber_dupbv( &e->e_name, &op_tmp.o_req_dn );
- ber_dupbv( &e->e_nname, &op_tmp.o_req_ndn );
- sl_free( op_tmp.o_req_ndn.bv_val, op->o_tmpmemctx );
- sl_free( op_tmp.o_req_dn.bv_val, op->o_tmpmemctx );
- op_tmp.o_req_dn = e->e_name;
- op_tmp.o_req_ndn = e->e_nname;
-
- e->e_private = NULL;
- e->e_attrs = NULL;
- e->e_bv.bv_val = NULL;
-
- /* add queryid attribute */
- value_array = (struct berval *)malloc(2 * sizeof( struct berval) );
- ber_dupbv(value_array, query_uuid);
- value_array[1].bv_val = NULL;
- value_array[1].bv_len = 0;
-
- uuid_attr = add_attribute(slap_schema.si_ad_queryid, e, value_array);
-
- /* append the attribute list from the fetched entry */
- uuid_attr->a_next = rs->sr_entry->e_attrs;
- rs->sr_entry->e_attrs = NULL;
-
- for ( attr = e->e_attrs; attr; attr = attr->a_next ) {
- if ( normalize_values( attr ) ) {
- info.err = MERGE_ERR;
- result->rc = info.err;
- return 0;
- }
- }
-
- info.entry = e;
- info.uuid = query_uuid;
- info.size_init = get_entry_size( rs->sr_entry, 0, 0 );
- info.size_final = 0;
- info.added = 0;
- info.glue_be = op->o_bd;
- info.err = SUCCESS;
- cb.sc_private = &info;
- cb.sc_response = null_response;
-
- op_tmp.o_tag = LDAP_REQ_ADD;
- op_tmp.o_protocol = LDAP_VERSION3;
- op_tmp.o_callback = &cb;
- op_tmp.o_time = slap_get_time();
- op_tmp.o_do_not_cache = 1;
-
- op_tmp.ora_e = e;
- rc = op->o_bd->be_add( &op_tmp, &sreply );
-
- if ( rc != LDAP_SUCCESS ) {
- if ( rc == LDAP_ALREADY_EXISTS ) {
- slap_entry2mods( e, &modlist, &text );
- op_tmp.o_tag = LDAP_REQ_MODIFY;
- op_tmp.orm_modlist = modlist;
- op_tmp.o_req_dn = e->e_name;
- op_tmp.o_req_ndn = e->e_nname;
- rc = op->o_bd->be_modify( &op_tmp, &sreply );
- result->rc = info.added;
- } else if ( rc == LDAP_REFERRAL ||
- rc == LDAP_NO_SUCH_OBJECT ) {
- syncrepl_add_glue( &op_tmp, e );
- result->rc = info.added;
- } else {
- result->rc = 0;
- }
- if ( modlist != NULL ) slap_mods_free( modlist );
- } else {
- info.size_init = 0;
- result->rc = info.added;
- be_entry_release_w( &op_tmp, e );
- }
-
- if ( result->rc )
- info.size_final = get_entry_size( e, info.size_init, result );
- else
- info.size_final = info.size_init;
-
- return ( info.size_final - info.size_init );
-}
-
-static Attribute*
-add_attribute(AttributeDescription *ad,
- Entry* e,
- BerVarray value_array)
-{
- Attribute* new_attr, *last_attr;
- const char* text;
-
- if (e->e_attrs == NULL)
- last_attr = NULL;
- else
- for (last_attr = e->e_attrs; last_attr->a_next;
- last_attr = last_attr->a_next)
- ;
-
- new_attr = (Attribute*)malloc(sizeof(Attribute));
- if (last_attr)
- last_attr->a_next = new_attr;
- else
- e->e_attrs = new_attr;
-
- new_attr->a_next = NULL;
- new_attr->a_desc = NULL;
- new_attr->a_vals = value_array;
- new_attr->a_desc = ad;
-
- return new_attr;
-}
-
-static int
-null_response (
- Operation *op,
- SlapReply *rs )
-{
- return 0;
-}
-
-static int
-normalize_values( Attribute* attr )
-{
- int nvals, rc, i;
-
- if (attr->a_vals == NULL) {
- attr->a_nvals = NULL;
- return 0;
- }
-
- for ( nvals = 0; attr->a_vals[nvals].bv_val; nvals++ )
- ;
-
- attr->a_nvals = (struct berval*)ch_malloc((nvals+1)*sizeof(struct berval));
-
- if ( attr->a_desc->ad_type->sat_equality &&
- attr->a_desc->ad_type->sat_equality->smr_normalize )
- {
- for ( i = 0; i < nvals; i++ ) {
- rc = attr->a_desc->ad_type->sat_equality->smr_normalize(
- SLAP_MR_VALUE_OF_ATTRIBUTE_SYNTAX,
- attr->a_desc->ad_type->sat_syntax,
- attr->a_desc->ad_type->sat_equality,
- &attr->a_vals[i], &attr->a_nvals[i], NULL );
- if ( rc ) {
-#ifdef NEW_LOGGING
- LDAP_LOG( OPERATION, DETAIL1,
- "Error in normalizing attribute %s value %d (%d)\n",
- attr->a_desc->ad_cname.bv_val, i, rc );
-#else
- Debug( LDAP_DEBUG_ANY,
- "Error in normalizing attribute %s value %d (%d)\n",
- attr->a_desc->ad_cname.bv_val, i, rc );
-#endif
- return rc;
- }
- }
- } else {
- for ( i = 0; i < nvals; i++ ) {
- ber_dupbv( &attr->a_nvals[i], &attr->a_vals[i] );
- }
- }
-
- attr->a_nvals[i].bv_val = NULL;
- attr->a_nvals[i].bv_len = 0;
-
- return LDAP_SUCCESS;
-}
+++ /dev/null
-/* $OpenLDAP$ */
-/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
- *
- * Copyright 1999-2003 The OpenLDAP Foundation.
- * Portions Copyright 2003 IBM Corporation.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted only as authorized by the OpenLDAP
- * Public License.
- *
- * A copy of this license is available in the file LICENSE in the
- * top-level directory of the distribution or, alternatively, at
- * <http://www.OpenLDAP.org/license.html>.
- */
-/* ACKNOWLEDGEMENTS:
- * This work was initially developed by the Apurva Kumar for inclusion
- * in OpenLDAP Software.
- */
-
-#include "portable.h"
-
-#include <stdio.h>
-
-#include <ac/string.h>
-
-#include "slap.h"
-#include "../back-ldap/back-ldap.h"
-#include "back-meta.h"
-
-static void add_query_on_top (query_manager*, CachedQuery*);
-static int base_scope_compare(struct berval* dn_stored,
- struct berval* dn_incoming, int scope_stored,
- int scope_incoming);
-
-/* check whether query is contained in any of
- * the cached queries in template template_index
- */
-int
-query_containment(query_manager* qm,
- Query* query,
- int template_index)
-{
- QueryTemplate* templa= qm->templates;
- CachedQuery* qc;
- Query* q;
- Query* prev_q;
- Filter* inputf = query->filter;
- struct berval* base = &(query->base);
- int scope = query->scope;
- int i,res=0;
- Filter* fs;
- Filter* fi;
- int ret, rc;
- const char* text;
-
- MatchingRule* mrule = NULL;
- if (inputf != NULL) {
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL1, "Lock QC index = %d\n",
- template_index, 0, 0 );
-#else
- Debug( LDAP_DEBUG_ANY, "Lock QC index = %d\n",
- template_index, 0, 0 );
-#endif
- ldap_pvt_thread_rdwr_rlock(&(templa[template_index].t_rwlock));
- for(qc=templa[template_index].query; qc != NULL; qc= qc->next) {
- q = (Query*)qc;
- if(base_scope_compare(&(q->base), base, q->scope, scope)) {
- fi = inputf;
- fs = q->filter;
- do {
- res=0;
- switch (fs->f_choice) {
- case LDAP_FILTER_EQUALITY:
- if (fi->f_choice == LDAP_FILTER_EQUALITY)
- mrule = fs->f_ava->aa_desc->ad_type->sat_equality;
- else
- ret = 1;
- break;
- case LDAP_FILTER_GE:
- case LDAP_FILTER_LE:
- mrule = fs->f_ava->aa_desc->ad_type->sat_ordering;
- break;
- default:
- mrule = NULL;
- }
- if (mrule) {
- rc = value_match(&ret, fs->f_ava->aa_desc, mrule,
- SLAP_MR_VALUE_OF_ASSERTION_SYNTAX,
- &(fi->f_ava->aa_value),
- &(fs->f_ava->aa_value), &text);
- if (rc != LDAP_SUCCESS) {
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL1,
- "Unlock: Exiting QC index=%d\n",
- template_index, 0, 0 );
-#else
- Debug( LDAP_DEBUG_ANY,
- "Unlock: Exiting QC index=%d\n",
- template_index, 0, 0 );
-#endif
- ldap_pvt_thread_rdwr_runlock(&(templa[template_index].t_rwlock));
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL1,
- "query_containment: Required "
- "matching rule not defined for "
- "a filter attribute",
- 0, 0, 0 );
-#else
- Debug( LDAP_DEBUG_ANY,
- "query_containment: Required "
- "matching rule not defined for "
- "a filter attribute",
- 0, 0, 0 );
-#endif
- return 0;
- }
- }
- switch (fs->f_choice) {
- case LDAP_FILTER_OR:
- case LDAP_FILTER_AND:
- fs = fs->f_and;
- fi = fi->f_and;
- res=1;
- break;
- case LDAP_FILTER_SUBSTRINGS:
- /* check if the equality query can be
- * answered with cached substring query */
- if ((fi->f_choice == LDAP_FILTER_EQUALITY)
- && substr_containment_equality(
- fs, fi))
- res=1;
- /* check if the substring query can be
- * answered with cached substring query */
- if ((fi->f_choice ==LDAP_FILTER_SUBSTRINGS
- ) && substr_containment_substr(
- fs, fi))
- res= 1;
- fs=fs->f_next;
- fi=fi->f_next;
- break;
- case LDAP_FILTER_PRESENT:
- res=1;
- fs=fs->f_next;
- fi=fi->f_next;
- break;
- case LDAP_FILTER_EQUALITY:
- if (ret == 0)
- res = 1;
- fs=fs->f_next;
- fi=fi->f_next;
- break;
- case LDAP_FILTER_GE:
- if (ret >= 0)
- res = 1;
- fs=fs->f_next;
- fi=fi->f_next;
- break;
- case LDAP_FILTER_LE:
- if (ret <= 0)
- res = 1;
- fs=fs->f_next;
- fi=fi->f_next;
- break;
- case LDAP_FILTER_NOT:
- res=0;
- break;
- default:
- break;
- }
- } while((res) && (fi != NULL) && (fs != NULL));
-
- if(res) {
- ldap_pvt_thread_mutex_lock(&qm->lru_mutex);
- if (qm->lru_top != qc) {
- remove_query(qm, qc);
- add_query_on_top(qm, qc);
- }
- ldap_pvt_thread_mutex_unlock(&qm->lru_mutex);
- return 1;
- }
- }
- }
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL1,
- "Not answerable: Unlock QC index=%d\n",
- template_index, 0, 0 );
-#else
- Debug( LDAP_DEBUG_ANY,
- "Not answerable: Unlock QC index=%d\n",
- template_index, 0, 0 );
-#endif
- ldap_pvt_thread_rdwr_runlock(&(templa[template_index].t_rwlock));
- }
- return 0;
-}
-
-/* remove_query from LRU list */
-
-void
-remove_query (query_manager* qm, CachedQuery* qc)
-{
- CachedQuery* up;
- CachedQuery* down;
-
- if (!qc)
- return;
-
- up = qc->lru_up;
- down = qc->lru_down;
-
- if (!up)
- qm->lru_top = down;
-
- if (!down)
- qm->lru_bottom = up;
-
- if (down)
- down->lru_up = up;
-
- if (up)
- up->lru_down = down;
-
- qc->lru_up = qc->lru_down = NULL;
-}
-
-/* add query on top of LRU list */
-void
-add_query_on_top (query_manager* qm, CachedQuery* qc)
-{
- CachedQuery* top = qm->lru_top;
- Query* q = (Query*)qc;
-
- qm->lru_top = qc;
-
- if (top)
- top->lru_up = qc;
- else
- qm->lru_bottom = qc;
-
- qc->lru_down = top;
- qc->lru_up = NULL;
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL1, "Base of added query = %s\n",
- q->base.bv_val, 0, 0 );
-#else
- Debug( LDAP_DEBUG_ANY, "Base of added query = %s\n",
- q->base.bv_val, 0, 0 );
-#endif
-}
-
-void
-free_query (CachedQuery* qc)
-{
- Query* q = (Query*)qc;
- free(qc->q_uuid);
- filter_free(q->filter);
- free (q->base.bv_val);
-
- free(q->attrs);
- free(qc);
-}
-
-/* compare base and scope of incoming and cached queries */
-int base_scope_compare(
- struct berval* dn_stored,
- struct berval* dn_incoming,
- int scope_stored,
- int scope_incoming )
-{
- struct berval ndn_incoming = { 0L, NULL };
- struct berval pdn_incoming = { 0L, NULL };
- struct berval ndn_stored = { 0L, NULL };
-
- int i;
-
- if (scope_stored < scope_incoming)
- return 0;
-
- dnNormalize(0, NULL, NULL, dn_incoming, &ndn_incoming, NULL);
- dnNormalize(0, NULL, NULL, dn_stored, &ndn_stored, NULL);
-
- i = dnIsSuffix(&ndn_incoming, &ndn_stored);
-
- if ( i == 0 )
- return 0;
-
- switch(scope_stored) {
- case LDAP_SCOPE_BASE:
- if (strlen(ndn_incoming.bv_val) == strlen(ndn_stored.bv_val))
- return 1;
- else
- return 0;
- break;
- case LDAP_SCOPE_ONELEVEL:
- switch(scope_incoming){
- case LDAP_SCOPE_BASE:
- dnParent(&ndn_incoming, &pdn_incoming);
- if(strcmp(pdn_incoming.bv_val, ndn_stored.bv_val) == 0)
- return 1;
- else
- return 0;
- break;
- case LDAP_SCOPE_ONELEVEL:
- if (ndn_incoming.bv_len == ndn_stored.bv_len)
- return 1;
- else
- return 0;
- break;
- default:
- return 0;
- break;
- }
- case LDAP_SCOPE_SUBTREE:
- return 1;
- break;
- default:
- return 0;
- break;
- }
-}
-
-/* Add query to query cache */
-void add_query(
- query_manager* qm,
- Query* query,
- int template_index,
- char* uuid,
- struct exception* result)
-{
- CachedQuery* new_cached_query = (CachedQuery*) malloc(sizeof(CachedQuery));
- QueryTemplate* templ = (qm->templates)+template_index;
- Query* new_query;
- new_cached_query->template_id = template_index;
- new_cached_query->q_uuid = uuid;
- new_cached_query->lru_up = NULL;
- new_cached_query->lru_down = NULL;
- new_cached_query->expiry_time = slap_get_time() + templ->ttl;
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL1, "Added query expires at %ld\n",
- (long) new_cached_query->expiry_time, 0, 0 );
-#else
- Debug( LDAP_DEBUG_ANY, "Added query expires at %ld\n",
- (long) new_cached_query->expiry_time, 0, 0 );
-#endif
- new_query = (Query*)new_cached_query;
-
- new_query->base.bv_val = ch_strdup(query->base.bv_val);
- new_query->base.bv_len = query->base.bv_len;
- new_query->scope = query->scope;
- new_query->filter = query->filter;
- new_query->attrs = query->attrs;
-
- /* Adding a query */
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL1, "Lock AQ index = %d\n",
- template_index, 0, 0 );
-#else
- Debug( LDAP_DEBUG_ANY, "Lock AQ index = %d\n",
- template_index, 0, 0 );
-#endif
- ldap_pvt_thread_rdwr_wlock(&templ->t_rwlock);
- if (templ->query == NULL)
- templ->query_last = new_cached_query;
- else
- templ->query->prev = new_cached_query;
- new_cached_query->next = templ->query;
- new_cached_query->prev = NULL;
- templ->query = new_cached_query;
- templ->no_of_queries++;
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL1, "TEMPLATE %d QUERIES++ %d\n",
- template_index, templ->no_of_queries, 0 );
-#else
- Debug( LDAP_DEBUG_ANY, "TEMPLATE %d QUERIES++ %d\n",
- template_index, templ->no_of_queries, 0 );
-#endif
-
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL1, "Unlock AQ index = %d \n",
- template_index, 0, 0 );
-#else
- Debug( LDAP_DEBUG_ANY, "Unlock AQ index = %d \n",
- template_index, 0, 0 );
-#endif
- ldap_pvt_thread_rdwr_wunlock(&templ->t_rwlock);
-
- /* Adding on top of LRU list */
- ldap_pvt_thread_mutex_lock(&qm->lru_mutex);
- add_query_on_top(qm, new_cached_query);
- ldap_pvt_thread_mutex_unlock(&qm->lru_mutex);
-
-}
-
-/* remove bottom query of LRU list from the query cache */
-char* cache_replacement(query_manager* qm)
-{
- char* result = (char*)(malloc(40));
- CachedQuery* bottom;
- QueryTemplate* templ;
- CachedQuery* query_curr;
- int temp_id;
-
- ldap_pvt_thread_mutex_lock(&qm->lru_mutex);
- bottom = qm->lru_bottom;
-
- if (!bottom) {
-#ifdef NEW_LOGGING
- LDAP_LOG ( BACK_META, DETAIL1,
- "Cache replacement invoked without "
- "any query in LRU list\n", 0, 0, 0 );
-#else
- Debug ( LDAP_DEBUG_ANY,
- "Cache replacement invoked without "
- "any query in LRU list\n", 0, 0, 0 );
-#endif
- return 0;
- }
-
- temp_id = bottom->template_id;
- remove_query(qm, bottom);
- ldap_pvt_thread_mutex_unlock(&qm->lru_mutex);
-
- strcpy(result, bottom->q_uuid);
-
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL1, "Lock CR index = %d\n", temp_id, 0, 0 );
-#else
- Debug( LDAP_DEBUG_ANY, "Lock CR index = %d\n", temp_id, 0, 0 );
-#endif
- ldap_pvt_thread_rdwr_wlock(&(qm->templates[temp_id].t_rwlock));
- remove_from_template(bottom, (qm->templates+temp_id));
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL1, "TEMPLATE %d QUERIES-- %d\n",
- temp_id, qm->templates[temp_id].no_of_queries, 0 );
-#else
- Debug( LDAP_DEBUG_ANY, "TEMPLATE %d QUERIES-- %d\n",
- temp_id, qm->templates[temp_id].no_of_queries, 0 );
-#endif
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL1, "Unlock CR index = %d\n", temp_id, 0, 0 );
-#else
- Debug( LDAP_DEBUG_ANY, "Unlock CR index = %d\n", temp_id, 0, 0 );
-#endif
- ldap_pvt_thread_rdwr_wunlock(&(qm->templates[temp_id].t_rwlock));
- free_query(bottom);
- return result;
-}
-
-void
-remove_from_template (CachedQuery* qc, QueryTemplate* template)
-{
- if (!qc->prev && !qc->next) {
- template->query_last = template->query = NULL;
- } else if (qc->prev == NULL) {
- qc->next->prev = NULL;
- template->query = qc->next;
- } else if (qc->next == NULL) {
- qc->prev->next = NULL;
- template->query_last = qc->prev;
- } else {
- qc->next->prev = qc->prev;
- qc->prev->next = qc->next;
- }
-
- template->no_of_queries--;
-}
+++ /dev/null
-/* $OpenLDAP$ */
-/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
- *
- * Copyright 1999-2003 The OpenLDAP Foundation.
- * Portions Copyright 2003 IBM Corporation.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted only as authorized by the OpenLDAP
- * Public License.
- *
- * A copy of this license is available in the file LICENSE in the
- * top-level directory of the distribution or, alternatively, at
- * <http://www.OpenLDAP.org/license.html>.
- */
-/* ACKNOWLEDGEMENTS:
- * This work was initially developed by the Apurva Kumar for inclusion
- * in OpenLDAP Software.
- */
-
-#include "portable.h"
-
-#include <stdio.h>
-
-#include <ac/socket.h>
-#include <ac/string.h>
-#include <ac/time.h>
-
-#include "slap.h"
-#include "ldif.h"
-#include "../back-ldap/back-ldap.h"
-#include "back-meta.h"
-#include "ldap_pvt.h"
-#undef ldap_debug /* silence a warning in ldap-int.h */
-#include "ldap_log.h"
-#include "../../../libraries/libldap/ldap-int.h"
-#include <sys/time.h>
-
-static int
-remove_func (
- Operation *op,
- SlapReply *rs
-);
-
-struct query_info {
- int freed;
- int deleted;
- struct berval* uuid;
- struct timeval tv;
- enum type_of_result err;
-};
-
-int
-remove_query_data (
- Operation *op,
- SlapReply *rs,
- struct berval* query_uuid,
- struct exception* result)
-{
- struct query_info info;
- char filter_str[64];
- Operation op_tmp = *op;
- Filter *filter;
- long timediff;
- SlapReply sreply = {REP_RESULT};
- slap_callback cb = { remove_func, NULL };
-
- sreply.sr_entry = NULL;
- sreply.sr_nentries = 0;
- snprintf(filter_str, sizeof(filter_str), "(queryid=%s)",
- query_uuid->bv_val);
- filter = str2filter(filter_str);
- info.uuid = query_uuid;
- info.freed = 0;
- info.deleted = 0;
- info.err = SUCCESS;
- cb.sc_private = &info;
-
- op_tmp.o_tag = LDAP_REQ_SEARCH;
- op_tmp.o_protocol = LDAP_VERSION3;
- op_tmp.o_callback = &cb;
- op_tmp.o_time = slap_get_time();
- op_tmp.o_do_not_cache = 1;
-
- op_tmp.o_req_dn = op->o_bd->be_suffix[0];
- op_tmp.o_req_ndn = op->o_bd->be_nsuffix[0];
- op_tmp.ors_scope = LDAP_SCOPE_SUBTREE;
- op_tmp.ors_deref = LDAP_DEREF_NEVER;
- op_tmp.ors_slimit = 0;
- op_tmp.ors_tlimit = 0;
- op_tmp.ors_filter = filter;
- op_tmp.ors_filterstr.bv_val = filter_str;
- op_tmp.ors_filterstr.bv_len = strlen(filter_str);
- op_tmp.ors_attrs = NULL;
- op_tmp.ors_attrsonly = 0;
-
- op->o_bd->be_search( &op_tmp, &sreply );
-
- result->type = info.err;
- result->rc = info.deleted;
-
- return info.freed;
-}
-
-static int
-remove_func (
- Operation *op,
- SlapReply *rs
-)
-{
- struct query_info *info = op->o_callback->sc_private;
- int count = 0;
- int size;
- long timediff;
- Modifications *mod;
-
- Attribute *attr;
- Operation op_tmp = *op;
-
- SlapReply sreply = {REP_RESULT};
-
- if (rs->sr_type == REP_RESULT)
- return 0;
-
- size = get_entry_size(rs->sr_entry, 0, NULL);
-
- for (attr = rs->sr_entry->e_attrs; attr!= NULL; attr = attr->a_next) {
- if (attr->a_desc == slap_schema.si_ad_queryid) {
- for (count=0; attr->a_vals[count].bv_val; count++)
- ;
- break;
- }
- }
-
- if (count == 0) {
- info->err = REMOVE_ERR;
- return 0;
- }
- if (count == 1) {
- info->freed += size;
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL1,
- "DELETING ENTRY SIZE=%d TEMPLATE=%s\n",
- size, attr->a_vals[0].bv_val, 0 );
-#else
- Debug( LDAP_DEBUG_ANY, "DELETING ENTRY SIZE=%d TEMPLATE=%s\n",
- size, attr->a_vals[0].bv_val, 0 );
-#endif
-
- op_tmp.o_req_dn = rs->sr_entry->e_name;
- op_tmp.o_req_ndn = rs->sr_entry->e_nname;
-
- if (op->o_bd->be_delete(&op_tmp, rs)) {
- info->err = REMOVE_ERR;
- } else {
- info->deleted++;
- }
- return 0;
- }
-
- mod = (Modifications*)malloc(sizeof(Modifications));
- mod->sml_op = LDAP_MOD_DELETE;
- mod->sml_type.bv_len = sizeof("queryid");
- mod->sml_type.bv_val = "queryid";
- mod->sml_desc = slap_schema.si_ad_queryid;
- mod->sml_bvalues = (struct berval*) malloc( 2 * sizeof( struct berval) );
- ber_dupbv(mod->sml_bvalues, info->uuid);
- mod->sml_bvalues[1].bv_val = NULL;
- mod->sml_bvalues[1].bv_len = 0;
- mod->sml_next = NULL;
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL1,
- "REMOVING TEMP ATTR : TEMPLATE=%s\n",
- attr->a_vals[0].bv_val, 0, 0 );
-#else
- Debug( LDAP_DEBUG_ANY, "REMOVING TEMP ATTR : TEMPLATE=%s\n",
- attr->a_vals[0].bv_val, 0, 0 );
-#endif
-
- op_tmp.o_req_dn = rs->sr_entry->e_name;
- op_tmp.o_req_ndn = rs->sr_entry->e_nname;
- op_tmp.orm_modlist = mod;
-
- if (op->o_bd->be_modify( &op_tmp, &sreply )) {
- info->err = REMOVE_ERR;
- }
-
- info->freed += LDIF_SIZE_NEEDED(9, (strlen(info->uuid->bv_val)));
-
- return 0;
-}
+++ /dev/null
-/* $OpenLDAP$ */
-/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
- *
- * Copyright 1999-2003 The OpenLDAP Foundation.
- * Portions Copyright 2003 IBM Corporation.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted only as authorized by the OpenLDAP
- * Public License.
- *
- * A copy of this license is available in the file LICENSE in the
- * top-level directory of the distribution or, alternatively, at
- * <http://www.OpenLDAP.org/license.html>.
- */
-/* ACKNOWLEDGEMENTS:
- * This work was initially developed by the Howard Chu for inclusion
- * in OpenLDAP Software and subsequently enhanced by Pierangelo
- * Masarati and Apurva Kumar.
- */
-/* This is an altered version */
-/*
- * This software is based on the backends back-ldap and back-meta, implemented
- * by Howard Chu <hyc@highlandsun.com>, Mark Valence
- * <kurash@sassafras.com>, Pierangelo Masarati <ando@sys-net.it> and other
- * contributors.
- *
- * The original copyright statements follow.
- * Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved.
- * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
- *
- * Copyright 2001, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
- *
- * This work has been developed to fulfill the requirements
- * of SysNet s.n.c. <http:www.sys-net.it> and it has been donated
- * to the OpenLDAP Foundation in the hope that it may be useful
- * to the Open Source community, but WITHOUT ANY WARRANTY.
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author and SysNet s.n.c. are not responsible for the consequences
- * of use of this software, no matter how awful, even if they arise from
- * flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- * SysNet s.n.c. cannot be responsible for the consequences of the
- * alterations.
- *
- * 4. This notice may not be removed or altered.
- *
- *
- * This software is based on the backend back-ldap, implemented
- * by Howard Chu <hyc@highlandsun.com>, and modified by Mark Valence
- * <kurash@sassafras.com>, Pierangelo Masarati <ando@sys-net.it> and other
- * contributors. The contribution of the original software to the present
- * implementation is acknowledged in this copyright statement.
- *
- * A special acknowledgement goes to Howard for the overall architecture
- * (and for borrowing large pieces of code), and to Mark, who implemented
- * from scratch the attribute/objectclass mapping.
- *
- * The original copyright statement follows.
- *
- * Copyright 1999, Howard Chu, All rights reserved. <hyc@highlandsun.com>
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author is not responsible for the consequences of use of this
- * software, no matter how awful, even if they arise from flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the
- * documentation.
- *
- * 4. This notice may not be removed or altered.
- *
- */
-#include "portable.h"
-
-#include <stdio.h>
-
-#include <ac/socket.h>
-#include <ac/string.h>
-#include <ac/time.h>
-
-#include "ldap_pvt.h"
-#include "lutil.h"
-#include "slap.h"
-#include "../back-ldap/back-ldap.h"
-#include "back-meta.h"
-#undef ldap_debug /* silence a warning in ldap-int.h */
-#include "ldap_log.h"
-#include "../../../libraries/libldap/ldap-int.h"
-
-static Entry*
-meta_create_entry(
- Backend *be,
- struct metaconn *lc,
- int target,
- LDAPMessage *e,
- struct exception* result
-);
-
-static int
-is_one_level_rdn(
- const char *rdn,
- int from
-);
-
-static struct metaconn*
-metaConnect(
- Operation *op,
- SlapReply *rs,
- int op_type,
- struct berval *nbase,
- struct exception *result
-);
-
-static void
-add_filter_attrs(
- AttributeName** newattrs,
- AttributeName* attrs,
- AttributeName* filter_attrs
-);
-
-static int
-handleLdapResult(
- struct metaconn* lc,
- Operation* op,
- SlapReply *rs,
- int* msgid, Backend* be,
- AttributeName* attrs,
- int attrsonly,
- int candidates,
- int cacheable,
- Entry*** entry_array,
- int curr_limit,
- int slimit,
- struct exception* result
-);
-
-static Entry*
-get_result_entry(
- Backend* be,
- struct metaconn* lc,
- struct metasingleconn* lsc,
- int* msgid,
- int i,
- struct timeval* tv,
- struct exception* result
-);
-
-static void
-rewriteSession(
- struct rewrite_info* info,
- const char* rewriteContext,
- const char* string,
- const void* cookie,
- char** base,
- struct exception* result
-);
-
-static int
-get_attr_set(
- AttributeName* attrs,
- query_manager* qm,
- int num
-);
-
-static int
-attrscmp(
- AttributeName* attrs_in,
- AttributeName* attrs
-);
-
-static char*
-cache_entries(
- Operation *op,
- SlapReply *rs,
- Entry** entry_array,
- cache_manager* cm,
- struct exception* result
-);
-
-static int
-is_temp_answerable(
- int attr_set,
- struct berval* tempstr,
- query_manager* qm,
- int template_id
-);
-
-static void*
-consistency_check(
- void *op
-);
-
-static int
-cache_back_sentry(
- Operation* op,
- SlapReply *rs
-);
-
-
-int
-meta_back_cache_search(
- Operation *op,
- SlapReply *rs )
- /*
- Backend *be,
- Connection *conn,
- Operation *op,
- struct berval *base,
- struct berval *nbase,
- int scope,
- int deref,
- int slimit,
- int tlimit,
- Filter *filt,
- struct berval *filterstr,
- AttributeName *attributes,
- int attrsonly
-) */
-{
- struct metainfo *li = ( struct metainfo * )op->o_bd->be_private;
- struct metaconn *lc;
- struct metasingleconn *lsc;
- cache_manager* cm = li->cm;
- query_manager* qm = cm->qm;
-
- Operation *oper;
-
- time_t curr_time;
-
- int count, rc = 0, *msgid = NULL;
- char *mbase = NULL;
- char *cbase = NULL;
- char *uuid;
-
- int i = -1, last = 0, candidates = 0, op_type;
-
- struct berval mfilter;
- struct berval cachebase = { 0L, NULL };
- struct berval ncachebase = { 0L, NULL };
- struct berval cache_suffix;
- struct berval tempstr = { 0L, NULL };
-
- AttributeName *filter_attrs = NULL;
- AttributeName *new_attrs = NULL;
- AttributeName *attrs = NULL;
-
- Entry *e;
- Entry **entry_array = NULL;
-
- Query query;
-
- int attr_set = -1;
- int template_id = -1;
- int answerable = 0;
- int cacheable = 0;
- int num_entries = 0;
- int curr_limit;
- int fattr_cnt=0;
- int oc_attr_absent = 1;
-
- struct exception result[1];
-
- Filter* filter = str2filter(op->ors_filterstr.bv_val);
- slap_callback cb = {cache_back_sentry, NULL};
-
- cb.sc_private = op->o_bd;
-
- if (op->ors_attrs) {
- for ( count=0; op->ors_attrs[ count ].an_name.bv_val; count++ ) {
- if ( op->ors_attrs[count].an_desc == slap_schema.si_ad_objectClass )
- oc_attr_absent = 0;
- }
- attrs = (AttributeName*)malloc( ( count + 1 + oc_attr_absent )
- *sizeof(AttributeName));
- for ( count=0; op->ors_attrs[ count ].an_name.bv_val; count++ ) {
- ber_dupbv(&attrs[ count ].an_name,
- &op->ors_attrs[ count ].an_name);
- attrs[count].an_desc = op->ors_attrs[count].an_desc;
- }
- attrs[ count ].an_name.bv_val = NULL;
- attrs[ count ].an_name.bv_len = 0;
- }
-
- result->type = SUCCESS;
- result->rc = 0;
- ldap_pvt_thread_mutex_lock(&cm->cache_mutex);
- cm->threads++;
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL1, "Threads++ = %d\n", cm->threads, 0, 0 );
-#else /* !NEW_LOGGING */
- Debug( LDAP_DEBUG_ANY, "Threads++ = %d\n", cm->threads, 0, 0 );
-#endif /* !NEW_LOGGING */
- ldap_pvt_thread_mutex_unlock(&cm->cache_mutex);
-
- ldap_pvt_thread_mutex_lock(&cm->cc_mutex);
- if (!cm->cc_thread_started) {
- oper = (Operation*)malloc(sizeof(Operation));
- *oper = *op;
- cm->cc_thread_started = 1;
- ldap_pvt_thread_create(&(cm->cc_thread), 1, consistency_check, (void*)oper);
- }
- ldap_pvt_thread_mutex_unlock(&cm->cc_mutex);
-
- filter2template(filter, &tempstr, &filter_attrs, &fattr_cnt, result);
- if (result->type != SUCCESS)
- goto Catch;
-
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL1, "query template of incoming query = %s\n",
- tempstr.bv_val, 0, 0 );
-#else /* !NEW_LOGGING */
- Debug( LDAP_DEBUG_ANY, "query template of incoming query = %s\n",
- tempstr.bv_val, 0, 0 );
-#endif /* !NEW_LOGGING */
- curr_limit = cm->num_entries_limit ;
-
- /* find attr set */
- attr_set = get_attr_set(attrs, qm, cm->numattrsets);
-
- query.filter = filter;
- query.attrs = attrs;
- query.base = op->o_req_dn;
- query.scope = op->ors_scope;
-
- /* check for query containment */
- if (attr_set > -1) {
- for (i=0; i<cm->numtemplates; i++) {
- /* find if template i can potentially answer tempstr */
- if (!is_temp_answerable(attr_set, &tempstr, qm, i))
- continue;
- if (attr_set == qm->templates[i].attr_set_index) {
- cacheable = 1;
- template_id = i;
- }
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL2,
- "Entering QC, querystr = %s\n",
- op->ors_filterstr.bv_val, 0, 0 );
-#else /* !NEW_LOGGING */
- Debug( LDAP_DEBUG_NONE, "Entering QC, querystr = %s\n",
- op->ors_filterstr.bv_val, 0, 0 );
-#endif /* !NEW_LOGGING */
- answerable = (*(qm->qcfunc))(qm, &query, i);
-
- if (answerable)
- break;
- }
- }
-
- if ( attrs && oc_attr_absent ) {
- for ( count = 0; attrs[count].an_name.bv_val; count++) ;
- attrs[ count ].an_name.bv_val = "objectClass";
- attrs[ count ].an_name.bv_len = strlen( "objectClass" );
- attrs[ count ].an_desc = slap_schema.si_ad_objectClass;
- attrs[ count + 1 ].an_name.bv_val = NULL;
- attrs[ count + 1 ].an_name.bv_len = 0;
- }
-
- if (answerable) {
- Operation op_tmp;
-
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL1, "QUERY ANSWERABLE\n", 0, 0, 0 );
-#else /* !NEW_LOGGING */
- Debug( LDAP_DEBUG_ANY, "QUERY ANSWERABLE\n", 0, 0, 0 );
-#endif /* !NEW_LOGGING */
- rewriteSession(li->rwinfo, "cacheBase", op->o_req_dn.bv_val,
- op->o_conn, &cbase, result);
- if (result->type != SUCCESS) {
- ldap_pvt_thread_rdwr_runlock(&qm->templates[i].t_rwlock);
- goto Catch;
- }
- if ( cbase == NULL ) {
- cachebase = op->o_req_dn;
- } else {
- cachebase.bv_val = cbase;
- cachebase.bv_len = strlen(cbase);
- }
- dnNormalize(0, NULL, NULL, &cachebase, &ncachebase,
- op->o_tmpmemctx);
-
- /* FIXME: safe default? */
- op_tmp = *op;
-
- op_tmp.o_bd = li->glue_be;
- op_tmp.o_req_dn = cachebase;
- op_tmp.o_req_ndn = ncachebase;
-
- op_tmp.o_callback = &cb;
-
- li->glue_be->be_search(&op_tmp, rs);
- free( ncachebase.bv_val );
- if ( cachebase.bv_val != op->o_req_dn.bv_val ) {
- /* free only if rewritten */
- free( cachebase.bv_val );
- }
-
- ldap_pvt_thread_rdwr_runlock(&qm->templates[i].t_rwlock);
- } else {
- Operation op_tmp;
- op_tmp = *op;
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL1, "QUERY NOT ANSWERABLE\n",
- 0, 0, 0 );
-#else /* !NEW_LOGGING */
- Debug( LDAP_DEBUG_ANY, "QUERY NOT ANSWERABLE\n", 0, 0, 0 );
-#endif /* !NEW_LOGGING */
-
- if ( op->ors_scope == LDAP_SCOPE_BASE ) {
- op_type = META_OP_REQUIRE_SINGLE;
- } else {
- op_type = META_OP_ALLOW_MULTIPLE;
- }
-
- lc = metaConnect(&op_tmp, rs, op_type,
- &op->o_req_ndn, result);
-
- if (result->type != SUCCESS)
- goto Catch;
-
- ldap_pvt_thread_mutex_lock(&cm->cache_mutex);
- if (cm->num_cached_queries >= cm->max_queries) {
- cacheable = 0;
- }
- ldap_pvt_thread_mutex_unlock(&cm->cache_mutex);
-
- if (cacheable) {
- add_filter_attrs(&new_attrs, attrs, filter_attrs);
- } else {
- new_attrs = attrs;
- }
-
- free(filter_attrs);
-
- /*
- * Array of message id of each target
- */
- msgid = ch_calloc( sizeof( int ), li->ntargets );
- if ( msgid == NULL ) {
- result->type = CONN_ERR;
- goto Catch;
- }
-
- /*
- if (slimit > 0 && (slimit <= cm->num_entries_limit))
- slimit = cm->num_entries_limit;
- */
-
- /*
- * Inits searches
- */
-
- for ( i = 0, lsc = lc->conns; !META_LAST(lsc); ++i, ++lsc ) {
- char *realbase = ( char * )op->o_req_dn.bv_val;
- int realscope = op->ors_scope;
- ber_len_t suffixlen;
- char *mapped_filter, **mapped_attrs;
-
- /* FIXME: Check for more than one targets */
- if ( meta_back_is_candidate(
- &li->targets[i]->suffix,
- &op->o_req_ndn ))
- lsc->candidate = META_CANDIDATE;
-
- if ( lsc->candidate != META_CANDIDATE )
- continue;
-
- if ( op->ors_deref != -1 ) {
- ldap_set_option( lsc->ld, LDAP_OPT_DEREF,
- ( void * )&op->ors_deref);
- }
- if ( op->ors_tlimit != -1 ) {
- ldap_set_option( lsc->ld, LDAP_OPT_TIMELIMIT,
- ( void * )&op->ors_tlimit);
- }
- if ( op->ors_slimit != -1 ) {
- ldap_set_option( lsc->ld, LDAP_OPT_SIZELIMIT,
- ( void * )&op->ors_slimit);
- }
-
- /*
- * modifies the base according to the scope, if required
- */
- suffixlen = li->targets[ i ]->suffix.bv_len;
- if ( suffixlen > op->o_req_ndn.bv_len ) {
- switch ( op->ors_scope ) {
- case LDAP_SCOPE_SUBTREE:
- /*
- * make the target suffix the new base
- * FIXME: this is very forgiving,
- * because illegal bases may be turned
- * into the suffix of the target.
- */
- if ( dnIsSuffix(
- &li->targets[ i ]->suffix,
- &op->o_req_ndn ) ) {
- realbase =
- li->targets[i]->suffix.bv_val;
- } else {
- /*
- * this target is no longer
- * candidate
- */
- lsc->candidate =
- META_NOT_CANDIDATE;
- continue;
- }
- break;
-
- case LDAP_SCOPE_ONELEVEL:
- if ( is_one_level_rdn(
- li->targets[ i ]->suffix.bv_val,
- suffixlen - op->o_req_ndn.bv_len - 1 )
- && dnIsSuffix(
- &li->targets[ i ]->suffix,
- &op->o_req_ndn ) ) {
- /*
- * if there is exactly one
- * level, make the target suffix
- * the new base, and make scope
- * "base"
- */
- realbase =
- li->targets[i]->suffix.bv_val;
- realscope = LDAP_SCOPE_BASE;
- break;
- } /* else continue with the next case */
-
- case LDAP_SCOPE_BASE:
- /*
- * this target is no longer candidate
- */
- lsc->candidate = META_NOT_CANDIDATE;
- continue;
- }
- }
-
- /*
- * Rewrite the search base, if required
- */
-
- rewriteSession(li->targets[i]->rwmap.rwm_rw,
- "searchBase",
- realbase, op->o_conn, &mbase, result);
-
- if (result->type != SUCCESS)
- goto Catch;
-
- if ( mbase == NULL ) {
- mbase = realbase;
- }
-
- /*
- * Rewrite the search filter, if required
- */
- rewriteSession( li->targets[i]->rwmap.rwm_rw,
- "searchFilter",
- op->ors_filterstr.bv_val, op->o_conn,
- &mfilter.bv_val, result);
- if (result->type != SUCCESS)
- goto Catch;
-
- if ( mfilter.bv_val != NULL && mfilter.bv_val[ 0 ]
- != '\0') {
- mfilter.bv_len = strlen( mfilter.bv_val );
- } else {
- if ( mfilter.bv_val != NULL ) {
- free( mfilter.bv_val );
- }
- mfilter = op->ors_filterstr;
- }
-
-#if 0
- /*
- * Maps attributes in filter
- */
- mapped_filter = ldap_back_map_filter(
- &li->targets[i]->rwmap.rwm_at,
- &li->targets[i]->rwmap.rwm_oc,
- &mfilter, 0 );
- if ( mapped_filter == NULL ) {
- mapped_filter = ( char * )mfilter.bv_val;
- } else {
- if ( mfilter.bv_val != op->ors_filterstr.bv_val ) {
- free( mfilter.bv_val );
- }
- }
- mfilter.bv_val = NULL;
- mfilter.bv_len = 0;
-#else
- mapped_filter = (char *) mfilter.bv_val;
-#endif
-
- /*
- * Maps required attributes
- */
- if ( ldap_back_map_attrs(
- &li->targets[ i ]->rwmap.rwm_at,
- new_attrs, 0, &mapped_attrs ) ) {
- goto Catch;
- }
-
- /*
- * Starts the search
- */
- msgid[ i ] = ldap_search( lsc->ld, mbase, realscope,
- mapped_filter, mapped_attrs,
- op->ors_attrsonly );
-
- if ( msgid[ i ] == -1 ) {
- result->type = CONN_ERR;
- goto Catch;
- /*
- lsc->candidate = META_NOT_CANDIDATE;
- continue;
- */
- }
-
- if ( mapped_attrs ) {
- free( mapped_attrs );
- mapped_attrs = NULL;
- }
-
- if ( mapped_filter != op->ors_filterstr.bv_val ) {
- free( mapped_filter );
- mapped_filter = NULL;
- }
-
- if ( mbase != realbase ) {
- free( mbase );
- mbase = NULL;
- }
-
- ++candidates;
- }
-
- num_entries = handleLdapResult(lc, &op_tmp, rs, msgid,
- op->o_bd, attrs,
- op->ors_attrsonly, candidates,
- cacheable, &entry_array,
- curr_limit, op->ors_slimit, result);
-
- if (result->type != SUCCESS)
- goto Catch;
- if (cacheable && (num_entries <= curr_limit)) {
-
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL1,
- "QUERY CACHEABLE\n", 0, 0, 0 );
-#else /* !NEW_LOGGING */
- Debug( LDAP_DEBUG_ANY, "QUERY CACHEABLE\n", 0, 0, 0 );
-#endif /* !NEW_LOGGING */
- op_tmp.o_bd = li->glue_be;
- uuid = cache_entries(&op_tmp, rs, entry_array, cm, result);
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL1,
- "Added query %s UUID %s ENTRIES %d\n",
- op->ors_filterstr.bv_val,
- uuid, num_entries );
-#else /* !NEW_LOGGING */
- Debug( LDAP_DEBUG_ANY,
- "Added query %s UUID %s ENTRIES %d\n",
- op->ors_filterstr.bv_val,
- uuid, num_entries );
-#endif /* !NEW_LOGGING */
-
- if (result->type != SUCCESS)
- goto Catch;
- (*(qm->addfunc))(qm, &query, template_id, uuid, result);
- if (result->type != SUCCESS)
- goto Catch;
- filter = 0;
- attrs = 0;
-
- /* FIXME : launch do_syncrepl() threads around here
- *
- * entryUUID and entryCSN need also to be requested by :
- */
- /*
- msgid[ i ] = ldap_search( lsc->ld, mbase, realscope,
- mapped_filter, mapped_attrs, op->ors_attrsonly );
- */
- /* Also, mbase, realscope, mapped_filter, mapped_attrs need
- * be managed as arrays. Each element needs to be retained by this point.
- */
-
- } else {
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL1,
- "QUERY NOT CACHEABLE no\n",
- 0, 0, 0);
-#else /* !NEW_LOGGING */
- Debug( LDAP_DEBUG_ANY, "QUERY NOT CACHEABLE no\n",
- 0, 0, 0);
-#endif /* !NEW_LOGGING */
- }
- }
-
-Catch:;
- switch (result->type) {
- case SUCCESS:
- rc = 0;
- break;
-
- case FILTER_ERR:
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL1,
- "Invalid template error\n", 0, 0, 0 );
-#else /* !NEW_LOGGING */
- Debug( LDAP_DEBUG_ANY, "Invalid template error\n",
- 0, 0, 0 );
-#endif /* !NEW_LOGGING */
- break;
-
- case CONN_ERR:
- rc = -1;
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL1,
- "Could not connect to a remote server\n",
- 0, 0, 0 );
-#else /* !NEW_LOGGING */
- Debug( LDAP_DEBUG_ANY,
- "Could not connect to a remote server\n",
- 0, 0, 0 );
-#endif /* !NEW_LOGGING */
- send_ldap_error(op, rs, LDAP_OTHER,
- "Connection error" );
- break;
-
- case RESULT_ERR:
- rc = -1;
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL1,
- "Error in handling ldap_result\n", 0, 0, 0 );
-#else /* !NEW_LOGGING */
- Debug( LDAP_DEBUG_ANY,
- "Error in handling ldap_result\n", 0, 0, 0 );
-#endif /* !NEW_LOGGING */
- break;
-
- case REWRITING_ERR:
- rc = -1;
- if (result->rc == REWRITE_REGEXEC_UNWILLING) {
- send_ldap_error( op, rs,
- LDAP_UNWILLING_TO_PERFORM,
- "Unwilling to perform" );
- } else {
- send_ldap_error( op, rs, LDAP_OTHER,
- "Rewrite error" );
- }
- break;
-
- case MERGE_ERR:
- rc = -1;
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL1,
- "Error in merging entry \n", 0, 0, 0 );
-#else /* !NEW_LOGGING */
- Debug( LDAP_DEBUG_ANY,
- "Error in merging entry \n", 0, 0, 0 );
-#endif /* !NEW_LOGGING */
- break;
-
- case REMOVE_ERR:
- rc = -1;
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL1,
- "Error in removing query \n",
- 0, 0, 0 );
-#else /* !NEW_LOGGING */
- Debug( LDAP_DEBUG_ANY, "Error in removing query \n",
- 0, 0, 0 );
-#endif /* !NEW_LOGGING */
- break;
-
- default:
- /* assert(0); */
- break;
- }
-
-
- if ( msgid ) {
- ch_free( msgid );
- }
- if (entry_array) {
- for (i=0; (e = entry_array[i]); i++) {
- entry_free(e);
- }
- free(entry_array);
- }
- if (filter)
- filter_free(filter);
-
- if (new_attrs) {
- if (new_attrs != attrs)
- free(new_attrs);
- }
-
- if (attrs)
- free(attrs);
-
- if (tempstr.bv_val ) {
- free(tempstr.bv_val);
- }
- ldap_pvt_thread_mutex_lock(&cm->cache_mutex);
- cm->threads--;
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL1, "Threads-- = %d\n", cm->threads, 0, 0 );
-#else /* !NEW_LOGGING */
- Debug( LDAP_DEBUG_ANY, "Threads-- = %d\n", cm->threads, 0, 0 );
-#endif /* !NEW_LOGGING */
- ldap_pvt_thread_mutex_unlock(&cm->cache_mutex);
- return rc;
-}
-
-
-static Entry*
-meta_create_entry (
- Backend *be,
- struct metaconn *lc,
- int target,
- LDAPMessage *e,
- struct exception* result
-)
-{
- struct metainfo *li = ( struct metainfo * )be->be_private;
- struct berval a, mapped;
- Entry* ent;
- BerElement ber = *e->lm_ber;
- Attribute *attr, *soc_attr, **attrp;
- struct berval dummy = { 0, NULL };
- struct berval *bv, bdn;
- const char *text = NULL;
- char* ename = NULL;
- struct berval sc = { 0, NULL };
- char textbuf[SLAP_TEXT_BUFLEN];
- size_t textlen = sizeof(textbuf);
-
- if ( ber_scanf( &ber, "{m{", &bdn ) == LBER_ERROR ) {
- result->type = CREATE_ENTRY_ERR;
- return NULL;
- }
- ent = (Entry*)malloc(sizeof(Entry));
-
- /*
- * Rewrite the dn of the result, if needed
- */
- rewriteSession( li->targets[ target ]->rwmap.rwm_rw, "searchResult",
- bdn.bv_val, lc->conn, &ent->e_name.bv_val, result );
-
- if (result->type != SUCCESS) {
- return NULL;
- }
- if ( ent->e_name.bv_val == NULL ) {
- ber_dupbv(&(ent->e_name), &bdn);
- } else {
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL1,
- "[rw] searchResult[%d]: \"%s\" -> \"%s\"\n",
- target, bdn.bv_val, ent->e_name.bv_val );
-#else /* !NEW_LOGGING */
- Debug( LDAP_DEBUG_ARGS, "rw> searchResult[%d]: \"%s\""
- " -> \"%s\"\n",
- target, bdn.bv_val, ent->e_name.bv_val );
-#endif /* !NEW_LOGGING */
- ent->e_name.bv_len = strlen( ent->e_name.bv_val );
- }
-
- /*
- * Note: this may fail if the target host(s) schema differs
- * from the one known to the meta, and a DN with unknown
- * attributes is returned.
- *
- * FIXME: should we log anything, or delegate to dnNormalize?
- */
- dnNormalize( 0, NULL, NULL, &ent->e_name, &ent->e_nname, NULL );
-
- /*
- if ( dnNormalize( 0, NULL, NULL, &ent->e_name, &ent->e_nname )
- != LDAP_SUCCESS )
- {
- return LDAP_INVALID_DN_SYNTAX;
- }
- */
-
- /*
- * cache dn
- */
- if ( li->cache.ttl != META_DNCACHE_DISABLED ) {
- meta_dncache_update_entry( &li->cache, &ent->e_nname, target );
- }
-
- ent->e_id = 0;
- ent->e_attrs = 0;
- ent->e_private = 0;
- ent->e_bv.bv_val = 0;
-
- attrp = &ent->e_attrs;
-
- while ( ber_scanf( &ber, "{m", &a ) != LBER_ERROR ) {
- ldap_back_map( &li->targets[ target ]->rwmap.rwm_at,
- &a, &mapped, 1 );
- if ( mapped.bv_val == NULL ) {
- continue;
- }
- attr = ( Attribute * )ch_malloc( sizeof( Attribute ) );
- if ( attr == NULL ) {
- continue;
- }
- attr->a_flags = 0;
- attr->a_next = 0;
- attr->a_desc = NULL;
- attr->a_nvals = NULL;
- if ( slap_bv2ad( &mapped, &attr->a_desc, &text ) != LDAP_SUCCESS) {
- if ( slap_bv2undef_ad( &mapped, &attr->a_desc, &text )
- != LDAP_SUCCESS) {
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL1,
- "slap_bv2undef_ad(%s): %s\n",
- mapped.bv_val, text, 0 );
-#else /* !NEW_LOGGING */
- Debug( LDAP_DEBUG_ANY,
- "slap_bv2undef_ad(%s): "
- "%s\n%s", mapped.bv_val, text, "" );
-#endif /* !NEW_LOGGING */
- ch_free( attr );
- continue;
- }
- }
-
- /* no subschemaSubentry */
- if ( attr->a_desc == slap_schema.si_ad_subschemaSubentry ) {
- ch_free(attr);
- continue;
- }
-
- if ( ber_scanf( &ber, "[W]", &attr->a_vals ) == LBER_ERROR
- || attr->a_vals == NULL ) {
- attr->a_vals = &dummy;
-#if 0
- } else if ( attr->a_desc == slap_schema.si_ad_objectClass ||
- attr->a_desc ==
- slap_schema.si_ad_structuralObjectClass) {
-#else
- } else if ( attr->a_desc == slap_schema.si_ad_objectClass ) {
-#endif
- int i, last;
- for ( last = 0; attr->a_vals[ last ].bv_val; ++last )
- ;
- for ( i = 0, bv = attr->a_vals; bv->bv_val; bv++,i++ ) {
- ldap_back_map( &li->targets[ target]->rwmap.rwm_oc,
- bv, &mapped, 1 );
- if ( mapped.bv_val == NULL ) {
- free( bv->bv_val );
- bv->bv_val = NULL;
- if ( --last < 0 ) {
- break;
- }
- *bv = attr->a_vals[ last ];
- attr->a_vals[ last ].bv_val = NULL;
- i--;
- } else if ( mapped.bv_val != bv->bv_val ) {
- free( bv->bv_val );
- ber_dupbv( bv, &mapped );
- }
- }
-
- structural_class( attr->a_vals, &sc, NULL, &text, textbuf, textlen );
- soc_attr = (Attribute*) ch_malloc( sizeof( Attribute ));
- soc_attr->a_desc = slap_schema.si_ad_structuralObjectClass;
- soc_attr->a_vals = (BerVarray) ch_malloc( 2* sizeof( BerValue ));
- ber_dupbv( &soc_attr->a_vals[0], &sc );
- soc_attr->a_vals[1].bv_len = 0;
- soc_attr->a_vals[1].bv_val = NULL;
- soc_attr->a_nvals = (BerVarray) ch_malloc( 2* sizeof( BerValue ));
- ber_dupbv( &soc_attr->a_nvals[0], &sc );
- soc_attr->a_nvals[1].bv_len = 0;
- soc_attr->a_nvals[1].bv_val = NULL;
-
- *attrp = soc_attr;
- attrp = &soc_attr->a_next;
-
- /*
- * It is necessary to try to rewrite attributes with
- * dn syntax because they might be used in ACLs as
- * members of groups; since ACLs are applied to the
- * rewritten stuff, no dn-based subecj clause could
- * be used at the ldap backend side (see
- * http://www.OpenLDAP.org/faq/data/cache/452.html)
- * The problem can be overcome by moving the dn-based
- * ACLs to the target directory server, and letting
- * everything pass thru the ldap backend.
- */
- } else if ( strcmp( attr->a_desc->ad_type->sat_syntax->ssyn_oid,
- SLAPD_DN_SYNTAX ) == 0 ) {
- int i;
- for ( i = 0, bv = attr->a_vals; bv->bv_val; bv++,i++ ) {
- char *newval;
- rewriteSession(li->targets[ target ]->rwmap.rwm_rw,
- "searchResult", bv->bv_val,
- lc->conn, &newval, result);
- if (result->type != SUCCESS) {
- /* FIXME : Handle error */
- result->type = SUCCESS;
- } else {
- /* left as is */
- if ( newval == NULL ) {
- break;
- }
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL1,
- "[rw] searchResult on "
- "attr=%s: \"%s\" -> \"%s\"\n",
- attr->a_desc->ad_type->
- sat_cname.bv_val,
- bv->bv_val, newval );
-#else /* !NEW_LOGGING */
- Debug( LDAP_DEBUG_ARGS,
- "rw> searchResult on attr=%s:"
- " \"%s\" -> \"%s\"\n",
- attr->a_desc->ad_type->
- sat_cname.bv_val,
- bv->bv_val, newval );
-#endif /* !NEW_LOGGING */
- free( bv->bv_val );
- bv->bv_val = newval;
- bv->bv_len = strlen( newval );
- }
- }
- }
- *attrp = attr;
- attrp = &attr->a_next;
- }
-
- return ent;
-}
-
-static int
-is_one_level_rdn(
- const char *rdn,
- int from
-)
-{
- for ( ; from--; ) {
- if ( DN_SEPARATOR( rdn[ from ] ) ) {
- return 0;
- }
- }
- return 1;
-}
-
-static struct metaconn*
-metaConnect(
- Operation* op,
- SlapReply *rs,
- int op_type,
- struct berval *nbase,
- struct exception *result)
-{
- struct metaconn *lc;
-
- result->type = SUCCESS;
- lc = meta_back_getconn( op, rs, op_type, nbase, NULL );
- if (!lc) {
- result->type = CONN_ERR;
- return 0;
- }
- return lc;
-}
-
-static void
-add_filter_attrs(
- AttributeName** new_attrs,
- AttributeName* attrs,
- AttributeName* filter_attrs )
-{
- struct berval all_user = { sizeof(LDAP_ALL_USER_ATTRIBUTES) -1,
- LDAP_ALL_USER_ATTRIBUTES };
-
- struct berval all_op = { sizeof(LDAP_ALL_OPERATIONAL_ATTRIBUTES) -1,
- LDAP_ALL_OPERATIONAL_ATTRIBUTES};
-
- int alluser = 0;
- int allop = 0;
- int i;
- int count;
-
- /* duplicate attrs */
- if (attrs == NULL) {
- count = 1;
- } else {
- for (count=0; attrs[count].an_name.bv_val; count++)
- ;
- }
- *new_attrs = (AttributeName*)(malloc((count+1)*sizeof(AttributeName)));
- if (attrs == NULL) {
- (*new_attrs)[0].an_name.bv_val = "*";
- (*new_attrs)[0].an_name.bv_len = 1;
- (*new_attrs)[1].an_name.bv_val = NULL;
- (*new_attrs)[1].an_name.bv_len = 0;
- alluser = 1;
- allop = 0;
- } else {
- for (i=0; i<count; i++) {
- (*new_attrs)[i].an_name = attrs[i].an_name;
- (*new_attrs)[i].an_desc = attrs[i].an_desc;
- }
- (*new_attrs)[count].an_name.bv_val = NULL;
- (*new_attrs)[count].an_name.bv_len = 0;
- alluser = an_find(*new_attrs, &all_user);
- allop = an_find(*new_attrs, &all_op);
- }
-
- for ( i=0; filter_attrs[i].an_name.bv_val; i++ ) {
- if ( an_find(*new_attrs, &filter_attrs[i].an_name ))
- continue;
- if ( is_at_operational(filter_attrs[i].an_desc->ad_type) ) {
- if (allop)
- continue;
- } else if (alluser)
- continue;
- *new_attrs = (AttributeName*)(realloc(*new_attrs,
- (count+2)*sizeof(AttributeName)));
- (*new_attrs)[count].an_name.bv_val =
- filter_attrs[i].an_name.bv_val;
- (*new_attrs)[count].an_name.bv_len =
- filter_attrs[i].an_name.bv_len;
- (*new_attrs)[count].an_desc = filter_attrs[i].an_desc;
- (*new_attrs)[count+1].an_name.bv_val = NULL;
- (*new_attrs)[count+1].an_name.bv_len = 0;
- count++;
- }
-}
-
-static int
-handleLdapResult(
- struct metaconn* lc,
- Operation* op,
- SlapReply *rs,
- int* msgid, Backend* be,
- AttributeName* attrs,
- int attrsonly,
- int candidates,
- int cacheable,
- Entry*** entry_array,
- int curr_limit,
- int slimit,
- struct exception* result)
-{
- Entry *entry;
- char *match = NULL, *err = NULL, *cache_ename = NULL;
- int sres;
- int mres = LDAP_SUCCESS;
- int num_entries = 0, count, i, rc;
- struct timeval tv = {0, 0};
- struct metasingleconn* lsc;
- struct metainfo *li = ( struct metainfo * )be->be_private;
- result->rc = 0;
- result->type = SUCCESS;
-
- for ( count = 0, rc = 0; candidates > 0; ) {
- int ab, gotit = 0;
-
- /* check for abandon */
- ab = op->o_abandon;
-
- for ( i = 0, lsc = lc->conns; !META_LAST(lsc); lsc++, i++ ) {
- if ( lsc->candidate != META_CANDIDATE ) {
- continue;
- }
-
- if ( ab ) {
- ldap_abandon( lsc->ld, msgid[ i ] );
- result->type = ABANDON_ERR;
- break;
- }
-
- if ( slimit > 0 && num_entries == slimit ) {
- result->type = SLIMIT_ERR;
- break;
- }
-
- if ((entry = get_result_entry(be, lc, lsc,
- msgid, i, &tv, result))) {
- rs->sr_entry = entry;
- rs->sr_attrs = op->ors_attrs;
- send_search_entry( op, rs );
- rs->sr_entry = NULL;
- rs->sr_attrs = NULL;
- if ((cacheable) &&
- (num_entries < curr_limit)) {
- rewriteSession( li->rwinfo,
- "cacheResult",
- entry->e_name.bv_val,
- lc->conn,
- &cache_ename, result );
- free(entry->e_name.bv_val);
- if (result->type != SUCCESS) {
- return 0;
- }
- ber_str2bv(cache_ename,
- strlen(cache_ename),
- 0, &entry->e_name);
- ber_dupbv(&entry->e_nname,
- &entry->e_name);
- *entry_array = (Entry**)realloc(
- *entry_array,
- (( num_entries+2 ) *
- sizeof( Entry* )));
- (*entry_array)[num_entries] = entry;
- (*entry_array)[num_entries+1] = NULL;
- }
- num_entries++;
- gotit = 1;
- } else if (result->type == REWRITING_ERR) {
- return 0;
- } else if (result->type == TIMEOUT_ERR) {
- result->type = SUCCESS;
- continue;
- } else if (result->type == CREATE_ENTRY_ERR) {
- break;
- } else if (result->rc == -1) {
- break;
- } else {
- rs->sr_err = result->rc;
- sres = ldap_back_map_result(rs);
- if (mres == LDAP_SUCCESS &&
- sres != LDAP_SUCCESS) {
- mres = sres;
- ldap_get_option(lsc->ld,
- LDAP_OPT_ERROR_STRING, &err);
- ldap_get_option(lsc->ld,
- LDAP_OPT_MATCHED_DN, &match);
- }
- lsc->candidate = META_NOT_CANDIDATE;
- candidates--;
- result->type = SUCCESS;
- }
- }
- switch (result->type) {
- case RESULT_ERR:
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL1,
- "ldap_result error, rc = -1\n",
- 0, 0, 0 );
-#else /* !NEW_LOGGING */
- Debug( LDAP_DEBUG_ANY, "ldap_result error, rc = -1\n",
- 0, 0, 0 );
-#endif /* !NEW_LOGGING */
- rs->sr_err = LDAP_OTHER;
- send_ldap_result( op, rs );
- return 0;
-
- case CREATE_ENTRY_ERR:
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL1,
- "Error in parsing result \n",
- 0, 0, 0 );
-#else /* !NEW_LOGGING */
- Debug( LDAP_DEBUG_ANY, "Error in parsing result \n",
- 0, 0, 0 );
-#endif /* !NEW_LOGGING */
- rs->sr_err = LDAP_OTHER;
- send_ldap_result( op, rs );
- result->type = RESULT_ERR;
- return 0;
-
- case SLIMIT_ERR:
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL1, "Size limit exceeded \n",
- 0, 0, 0 );
-#else /* !NEW_LOGGING */
- Debug( LDAP_DEBUG_ANY, "Size limit exceeded \n",
- 0, 0, 0 );
-#endif /* !NEW_LOGGING */
- rs->sr_err = LDAP_SIZELIMIT_EXCEEDED;
- send_ldap_result( op, rs );
- result->type = RESULT_ERR;
- return 0;
-
- case ABANDON_ERR:
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL1,
- "search operation abandoned \n",
- 0, 0, 0 );
-#else /* !NEW_LOGGING */
- Debug( LDAP_DEBUG_ANY, "search operation abandoned \n",
- 0, 0, 0 );
-#endif /* !NEW_LOGGING */
- result->type = RESULT_ERR;
- return 0;
-
- default:
- /* assert( 0 ); */
- break;
- }
- if ( gotit == 0 ) {
- tv.tv_sec = 0;
- tv.tv_usec = 100000;
- ldap_pvt_thread_yield();
- } else {
- tv.tv_sec = 0;
- tv.tv_usec = 0;
- }
- }
-
- rs->sr_err = mres;
- rs->sr_text = err;
- rs->sr_matched = match;
-
- send_ldap_result( op, rs );
-
- rs->sr_text = NULL;
- rs->sr_matched = NULL;
-
- if (err)
- free(err);
-
- if (match)
- free(match);
-
- result->type = (mres == LDAP_SUCCESS) ? SUCCESS : RESULT_ERR;
- return num_entries;
-}
-
-static Entry*
-get_result_entry(
- Backend* be,
- struct metaconn* lc,
- struct metasingleconn* lsc,
- int* msgid,
- int i,
- struct timeval* tv,
- struct exception* result)
-{
- Entry* entry;
- LDAPMessage *res, *e;
- int rc;
- int sres = LDAP_SUCCESS;
-
- rc = ldap_result( lsc->ld, msgid[ i ],
- 0, tv, &res );
-
- if ( rc == 0 ) {
- result->type = TIMEOUT_ERR;
- return NULL;
- } else if ( rc == -1 ) {
- result->rc = -1;
- result->type = RESULT_ERR;
- return NULL;
- } else if ( rc == LDAP_RES_SEARCH_ENTRY ) {
- e = ldap_first_entry( lsc->ld, res );
- entry = meta_create_entry(be, lc, i, e, result);
- if (!entry) {
- return NULL;
- }
- ldap_msgfree( res );
- result->type = SUCCESS;
- return entry;
- } else {
- sres = ldap_result2error( lsc->ld,
- res, 1 );
- result->rc = sres;
- result->type = RESULT_ERR;
- return NULL;
- }
-}
-
-static void
-rewriteSession(
- struct rewrite_info* info,
- const char* rewriteContext,
- const char* string,
- const void* cookie,
- char** base,
- struct exception* result)
-{
- int rc = rewrite_session(info, rewriteContext, string, cookie, base);
- if (rc != REWRITE_REGEXEC_OK) {
- result->rc = rc;
- result->type = REWRITING_ERR;
-
- if (strcmp(rewriteContext, "searchBase") == 0)
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL1,
- "Problem in rewriting search base\n", 0, 0, 0 );
-#else /* !NEW_LOGGING */
- Debug( LDAP_DEBUG_ANY,
- "Problem in rewriting search base\n", 0, 0, 0 );
-#endif /* !NEW_LOGGING */
- if (strcmp(rewriteContext, "searchFilter") == 0)
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL1,
- "Problem in rewriting search filter\n",
- 0, 0, 0 );
-#else /* !NEW_LOGGING */
- Debug( LDAP_DEBUG_ANY,
- "Problem in rewriting search filter\n",
- 0, 0, 0 );
-#endif /* !NEW_LOGGING */
- if (strcmp(rewriteContext, "searchResult") == 0)
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL1,
- "Problem in rewriting DN, or DN syntax "
- "attributes of search result\n", 0, 0, 0 );
-#else /* !NEW_LOGGING */
- Debug( LDAP_DEBUG_ANY,
- "Problem in rewriting DN, or DN syntax "
- "attributes of search result\n", 0, 0, 0 );
-#endif /* !NEW_LOGGING */
- if (strcmp(rewriteContext, "cacheBase") == 0)
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL1,
- "Problem in rewriting search base with "
- "cache base\n", 0, 0, 0 );
-#else /* !NEW_LOGGING */
- Debug( LDAP_DEBUG_ANY,
- "Problem in rewriting search base with "
- "cache base\n", 0, 0, 0 );
-#endif /* !NEW_LOGGING */
- if (strcmp(rewriteContext, "cacheResult") == 0)
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL1,
- "Problem in rewriting DN for cached entries\n",
- 0, 0, 0 );
-#else /* !NEW_LOGGING */
- Debug( LDAP_DEBUG_ANY,
- "Problem in rewriting DN for cached entries\n",
- 0, 0, 0 );
-#endif /* !NEW_LOGGING */
- if (strcmp(rewriteContext, "cacheReturn") == 0)
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL1,
- "Problem in rewriting DN for answerable "
- "entries\n", 0, 0, 0 );
-#else /* !NEW_LOGGING */
- Debug( LDAP_DEBUG_ANY,
- "Problem in rewriting DN for answerable "
- "entries\n", 0, 0, 0 );
-#endif /* !NEW_LOGGING */
- } else {
- result->type = SUCCESS;
- }
-}
-
-static int
-get_attr_set(
- AttributeName* attrs,
- query_manager* qm,
- int num )
-{
- int i;
- for (i=0; i<num; i++) {
- if (attrscmp(attrs, qm->attr_sets[i].attrs))
- return i;
- }
- return -1;
-}
-
-static int
-attrscmp(
- AttributeName* attrs_in,
- AttributeName* attrs)
-{
- int i, count1, count2;
- if ( attrs_in == NULL ) {
- return (attrs ? 0 : 1);
- }
- if ( attrs == NULL )
- return 0;
-
- for ( count1=0;
- attrs_in && attrs_in[count1].an_name.bv_val != NULL;
- count1++ )
- ;
- for ( count2=0;
- attrs && attrs[count2].an_name.bv_val != NULL;
- count2++)
- ;
- if ( count1 != count2 )
- return 0;
-
- for ( i=0; i<count1; i++ ) {
- if ( !an_find(attrs, &attrs_in[i].an_name ))
- return 0;
- }
- return 1;
-}
-
-static char*
-cache_entries(
- Operation *op,
- SlapReply *rs,
- Entry** entry_array,
- cache_manager* cm,
- struct exception* result)
-{
- int i;
- int return_val;
- int cache_size;
- Entry *e;
- struct berval query_uuid;
- struct berval crp_uuid;
- char uuidbuf[ LDAP_LUTIL_UUIDSTR_BUFSIZE ], *crpid;
- char crpuuid[40];
- query_manager *qm = cm->qm;
-
- result->type = SUCCESS;
- query_uuid.bv_len = lutil_uuidstr(uuidbuf, sizeof(uuidbuf));
- query_uuid.bv_val = ch_strdup(uuidbuf);
-
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL1, "UUID for query being added = %s\n",
- uuidbuf, 0, 0 );
-#else /* !NEW_LOGGING */
- Debug( LDAP_DEBUG_ANY, "UUID for query being added = %s\n",
- uuidbuf, 0, 0 );
-#endif /* !NEW_LOGGING */
-
- for ( i=0; ( entry_array && (e=entry_array[i]) ); i++ ) {
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL2, "LOCKING REMOVE MUTEX\n",
- 0, 0, 0 );
-#else /* !NEW_LOGGING */
- Debug( LDAP_DEBUG_NONE, "LOCKING REMOVE MUTEX\n", 0, 0, 0 );
-#endif /* !NEW_LOGGING */
- ldap_pvt_thread_mutex_lock(&cm->remove_mutex);
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL2, "LOCKED REMOVE MUTEX\n", 0, 0, 0);
-#else /* !NEW_LOGGING */
- Debug( LDAP_DEBUG_NONE, "LOCKED REMOVE MUTEX\n", 0, 0, 0);
-#endif /* !NEW_LOGGING */
- if ( cm->cache_size > (cm->thresh_hi) ) {
- while(cm->cache_size > (cm->thresh_lo)) {
- crpid = cache_replacement(qm);
- if (crpid == NULL) {
- result->type = REMOVE_ERR;
- } else {
- strcpy(crpuuid, crpid);
- crp_uuid.bv_val = crpuuid;
- crp_uuid.bv_len = strlen(crpuuid);
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL1,
- "Removing query UUID %s\n",
- crpuuid, 0, 0 );
-#else /* !NEW_LOGGING */
- Debug( LDAP_DEBUG_ANY,
- "Removing query UUID %s\n",
- crpuuid, 0, 0 );
-#endif /* !NEW_LOGGING */
- return_val = remove_query_data(op, rs,
- &crp_uuid, result);
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL1,
- "QUERY REMOVED, SIZE=%d\n",
- return_val, 0, 0);
-#else /* !NEW_LOGGING */
- Debug( LDAP_DEBUG_ANY,
- "QUERY REMOVED, SIZE=%d\n",
- return_val, 0, 0);
-#endif /* !NEW_LOGGING */
- ldap_pvt_thread_mutex_lock(
- &cm->cache_mutex );
- cm->total_entries -= result->rc;
- cm->num_cached_queries--;
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL1,
- "STORED QUERIES = %lu\n",
- cm->num_cached_queries, 0, 0 );
-#else /* !NEW_LOGGING */
- Debug( LDAP_DEBUG_ANY,
- "STORED QUERIES = %lu\n",
- cm->num_cached_queries, 0, 0 );
-#endif /* !NEW_LOGGING */
- ldap_pvt_thread_mutex_unlock(
- &cm->cache_mutex );
- cm->cache_size = (return_val >
- cm->cache_size) ?
- 0 : (cm->cache_size-return_val);
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL1,
- "QUERY REMOVED, CACHE SIZE="
- "%lu bytes %d entries\n",
- cm->cache_size,
- cm->total_entries, 0 );
-#else /* !NEW_LOGGING */
- Debug( LDAP_DEBUG_ANY,
- "QUERY REMOVED, CACHE SIZE="
- "%lu bytes %d entries\n",
- cm->cache_size,
- cm->total_entries, 0 );
-#endif /* !NEW_LOGGING */
- }
- }
- }
-
- rs->sr_entry = e;
- return_val = merge_entry(op, rs, &query_uuid, result);
- rs->sr_entry = NULL;
- cm->cache_size += return_val;
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL1,
- "ENTRY ADDED/MERGED, CACHE SIZE=%lu bytes\n",
- cm->cache_size, 0, 0 );
-#else /* !NEW_LOGGING */
- Debug( LDAP_DEBUG_ANY,
- "ENTRY ADDED/MERGED, CACHE SIZE=%lu bytes\n",
- cm->cache_size, 0, 0 );
-#endif /* !NEW_LOGGING */
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL2, "UNLOCKING REMOVE MUTEX\n",
- 0, 0, 0 );
-#else /* !NEW_LOGGING */
- Debug( LDAP_DEBUG_NONE, "UNLOCKING REMOVE MUTEX\n", 0, 0, 0 );
-#endif /* !NEW_LOGGING */
- ldap_pvt_thread_mutex_unlock(&cm->remove_mutex);
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL2, "UNLOCKED REMOVE MUTEX\n",
- 0, 0, 0 );
-#else /* !NEW_LOGGING */
- Debug( LDAP_DEBUG_NONE, "UNLOCKED REMOVE MUTEX\n", 0, 0, 0 );
-#endif /* !NEW_LOGGING */
- if (result->type != SUCCESS)
- return 0;
- ldap_pvt_thread_mutex_lock(&cm->cache_mutex);
- cm->total_entries += result->rc;
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL1,
- "ENTRY ADDED/MERGED, SIZE=%d, CACHED ENTRIES=%d\n",
- return_val, cm->total_entries, 0 );
-#else /* !NEW_LOGGING */
- Debug( LDAP_DEBUG_ANY,
- "ENTRY ADDED/MERGED, SIZE=%d, CACHED ENTRIES=%d\n",
- return_val, cm->total_entries, 0 );
-#endif /* !NEW_LOGGING */
- ldap_pvt_thread_mutex_unlock(&cm->cache_mutex);
- }
- ldap_pvt_thread_mutex_lock(&cm->cache_mutex);
- cm->num_cached_queries++;
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL1, "STORED QUERIES = %lu\n",
- cm->num_cached_queries, 0, 0 );
-#else /* !NEW_LOGGING */
- Debug( LDAP_DEBUG_ANY, "STORED QUERIES = %lu\n",
- cm->num_cached_queries, 0, 0 );
-#endif /* !NEW_LOGGING */
- ldap_pvt_thread_mutex_unlock(&cm->cache_mutex);
-
- return query_uuid.bv_val;
-}
-
-static int
-is_temp_answerable(
- int attr_set,
- struct berval* tempstr,
- query_manager* qm,
- int template_id )
-{
- int i;
- int* id_array;
- char* str;
- int result = 0;
- i = qm->templates[template_id].attr_set_index;
- str = qm->templates[template_id].querystr;
-
- if (attr_set == i) {
- result = 1;
- } else {
- id_array = qm->attr_sets[attr_set].ID_array;
-
- while (*id_array != -1) {
- if (*id_array == i)
- result = 1;
- id_array++;
- }
- }
- if (!result)
- return 0;
- if (strcasecmp(str, tempstr->bv_val) == 0)
- return 1;
- return 0;
-}
-
-static void*
-consistency_check(void* operation)
-{
- Operation* op = (Operation*)operation;
-
- SlapReply rs = {REP_RESULT};
-
- struct metainfo *li = ( struct metainfo * )op->o_bd->be_private;
- cache_manager* cm = li->cm;
- query_manager* qm = cm->qm;
- CachedQuery* query, *query_prev;
- time_t curr_time;
- struct berval uuid;
- struct exception result;
- int i, return_val;
- QueryTemplate* templ;
-
-
- op->o_bd = li->glue_be;
-
- for(;;) {
- ldap_pvt_thread_sleep(cm->cc_period);
- for (i=0; qm->templates[i].querystr; i++) {
- templ = qm->templates + i;
- query = templ->query_last;
- curr_time = slap_get_time();
- ldap_pvt_thread_mutex_lock(&cm->remove_mutex);
- while (query && (query->expiry_time < curr_time)) {
- ldap_pvt_thread_mutex_lock(&qm->lru_mutex);
- remove_query(qm, query);
- ldap_pvt_thread_mutex_unlock(&qm->lru_mutex);
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL1, "Lock CR index = %d\n",
- i, 0, 0 );
-#else /* !NEW_LOGGING */
- Debug( LDAP_DEBUG_ANY, "Lock CR index = %d\n",
- i, 0, 0 );
-#endif /* !NEW_LOGGING */
- ldap_pvt_thread_rdwr_wlock(&templ->t_rwlock);
- remove_from_template(query, templ);
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL1,
- "TEMPLATE %d QUERIES-- %d\n",
- i, templ->no_of_queries, 0 );
-#else /* !NEW_LOGGING */
- Debug( LDAP_DEBUG_ANY, "TEMPLATE %d QUERIES-- %d\n",
- i, templ->no_of_queries, 0 );
-#endif /* !NEW_LOGGING */
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL1, "Unlock CR index = %d\n",
- i, 0, 0 );
-#else /* !NEW_LOGGING */
- Debug( LDAP_DEBUG_ANY, "Unlock CR index = %d\n",
- i, 0, 0 );
-#endif /* !NEW_LOGGING */
- ldap_pvt_thread_rdwr_wunlock(&templ->t_rwlock);
- uuid.bv_val = query->q_uuid;
- uuid.bv_len = strlen(query->q_uuid);
- return_val = remove_query_data(op, &rs, &uuid, &result);
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL1,
- "STALE QUERY REMOVED, SIZE=%d\n",
- return_val, 0, 0 );
-#else /* !NEW_LOGGING */
- Debug( LDAP_DEBUG_ANY, "STALE QUERY REMOVED, SIZE=%d\n",
- return_val, 0, 0 );
-#endif /* !NEW_LOGGING */
- ldap_pvt_thread_mutex_lock(&cm->cache_mutex);
- cm->total_entries -= result.rc;
- cm->num_cached_queries--;
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL1, "STORED QUERIES = %lu\n",
- cm->num_cached_queries, 0, 0 );
-#else /* !NEW_LOGGING */
- Debug( LDAP_DEBUG_ANY, "STORED QUERIES = %lu\n",
- cm->num_cached_queries, 0, 0 );
-#endif /* !NEW_LOGGING */
- ldap_pvt_thread_mutex_unlock(&cm->cache_mutex);
- cm->cache_size = (return_val > cm->cache_size) ?
- 0: (cm->cache_size-return_val);
-#ifdef NEW_LOGGING
- LDAP_LOG( BACK_META, DETAIL1,
- "STALE QUERY REMOVED, CACHE SIZE=%lu bytes %d "
- "entries\n", cm->cache_size,
- cm->total_entries, 0 );
-#else /* !NEW_LOGGING */
- Debug( LDAP_DEBUG_ANY,
- "STALE QUERY REMOVED, CACHE SIZE=%lu bytes %d "
- "entries\n", cm->cache_size,
- cm->total_entries, 0 );
-#endif /* !NEW_LOGGING */
- query_prev = query;
- query = query->prev;
- free_query(query_prev);
- }
- ldap_pvt_thread_mutex_unlock(&cm->remove_mutex);
- }
- }
-}
-
-static int
-cache_back_sentry(
- Operation* op,
- SlapReply *rs )
-{
- slap_callback *cb = op->o_callback;
- /*struct metainfo *li = ( struct metainfo * )op->o_bd->be_private;*/
- Backend* be = (Backend*)(cb->sc_private);
- struct metainfo *li = ( struct metainfo * )be->be_private;
-
- char *ename = NULL;
- struct exception result;
- struct berval dn;
- struct berval ndn;
-
- if (rs->sr_type == REP_SEARCH) {
- dn = rs->sr_entry->e_name;
- ndn = rs->sr_entry->e_nname;
-
- rewriteSession( li->rwinfo, "cacheReturn",
- rs->sr_entry->e_name.bv_val, op->o_conn,
- &ename, &result );
- ber_str2bv(ename, strlen(ename), 0, &rs->sr_entry->e_name);
- /* FIXME: should we normalize this? */
- ber_dupbv(&rs->sr_entry->e_nname, &rs->sr_entry->e_name);
-
- op->o_callback = NULL;
-
- send_search_entry( op, rs );
-
- rs->sr_entry->e_name = dn;
- rs->sr_entry->e_nname = ndn;
-
- op->o_callback = cb;
- return LDAP_SUCCESS;
-
- } else if (rs->sr_type == REP_RESULT) {
- op->o_callback = NULL;
- send_ldap_result( op, rs );
- return LDAP_SUCCESS;
- }
-
- return LDAP_SUCCESS;
-}
+++ /dev/null
-/* $OpenLDAP$ */
-/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
- *
- * Copyright 1999-2003 The OpenLDAP Foundation.
- * Portions Copyright 2003 IBM Corporation.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted only as authorized by the OpenLDAP
- * Public License.
- *
- * A copy of this license is available in the file LICENSE in the
- * top-level directory of the distribution or, alternatively, at
- * <http://www.OpenLDAP.org/license.html>.
- */
-/* ACKNOWLEDGEMENTS:
- * This work was initially developed by the Apurva Kumar for inclusion
- * in OpenLDAP Software.
- */
-
-#include "portable.h"
-
-#include <stdio.h>
-
-#include <ac/socket.h>
-#include <ac/string.h>
-#include <ac/time.h>
-
-#include "slap.h"
-#include "../back-ldap/back-ldap.h"
-#include "back-meta.h"
-#include "ldap_pvt.h"
-#undef ldap_debug /* silence a warning in ldap-int.h */
-#include "ldap_log.h"
-#include "../../../libraries/libldap/ldap-int.h"
-
-#include "slap.h"
-#include "back-meta.h"
-
-static char* invert_string(char* string);
-static struct berval* merge_init_final(struct berval*, struct berval*, struct berval*);
-static int strings_containment(struct berval* stored, struct berval* incoming);
-
-/* find and remove string2 from string1
- * from start if position = 1,
- * from end if position = 3,
- * from anywhere if position = 2
- */
-
-int
-find_and_remove(struct berval* ber1, struct berval* ber2, int position)
-{
- char* temp;
- int len;
- int ret=0;
-
- char* arg1, *arg2;
- char* string1=ber1->bv_val;
- char* string2=ber2->bv_val;
-
- if (string2 == NULL)
- return 1;
- if (string1 == NULL)
- return 0;
-
- if (position == 3) {
- arg1 = invert_string(string1);
- arg2 = invert_string(string2);
- } else {
- arg1 = string1;
- arg2 = string2;
- }
-
- temp = strstr(arg1, arg2);
- len = strlen(arg2);
-
- if (!temp)
- return 0;
-
- switch (position) {
- case 1:
- if (temp == arg1) {
- string1 += len;
- ret = 1;
- } else {
- ret = 0;
- }
- break;
- case 2:
- string1 = temp+len;
- ret = 1;
- break;
- case 3:
- temp = strstr(arg1, arg2);
- len = strlen(arg2);
- if (temp == arg1) {
- /*arg1 += len;*/
- string1 = invert_string(arg1+len);
- free(arg1);
- free(arg2);
- ret = 1;
- } else {
- free(arg1);
- free(arg2);
- ret = 0;
- }
- break;
- }
- temp = (char*) malloc( strlen( string1 ) + 1 );
- strcpy( temp, string1 );
- free( ber1->bv_val );
- ber1->bv_val = temp;
- return ret;
-}
-
-char*
-invert_string( char* string )
-{
- int len = strlen(string);
- int i;
-
- char* inverted = (char*)(malloc(len+1));
-
- for (i=0; i<len; i++)
- inverted[i] = string[len-i-1];
-
- inverted[len] ='\0';
-
- return inverted;
-}
-
-struct berval*
-merge_init_final(struct berval* init, struct berval* any, struct berval* final)
-{
- struct berval* merged, *temp;
- int i, any_count, count;
-
- for (any_count=0; any && any[any_count].bv_val; any_count++)
- ;
-
- count = any_count;
-
- if (init->bv_val)
- count++;
- if (final->bv_val)
- count++;
-
- merged = (struct berval*)(malloc((count+1)*sizeof(struct berval)));
- temp = merged;
-
- if (init->bv_val) {
- ber_dupbv(temp, init);
- temp++;
- }
-
- for (i=0; i<any_count; i++) {
- ber_dupbv(temp, any);
- any++;
- temp++;
- }
-
- if (final->bv_val){
- ber_dupbv(temp, final);
- temp++;
- }
- temp->bv_val = NULL;
- temp->bv_len = 0;
- return merged;
-}
-
-int
-strings_containment(struct berval* stored, struct berval* incoming)
-{
- struct berval* element;
- int k=0;
- int j, rc = 0;
-
- for ( element=stored; element->bv_val != NULL; element++ ) {
- for (j = k; incoming[j].bv_val != NULL; j++) {
- if (find_and_remove(&(incoming[j]), element, 2)) {
- k = j;
- rc = 1;
- break;
- }
- rc = 0;
- }
- if ( rc ) {
- continue;
- } else {
- return 0;
- }
- }
- return 1;
-}
-
-int
-substr_containment_substr(Filter* stored, Filter* incoming)
-{
- int i;
- int k=0;
- int rc;
- int any_count = 0;
-
- struct berval* init_incoming = (struct berval*)(malloc(sizeof(struct berval)));
- struct berval* final_incoming = (struct berval*)(malloc(sizeof(struct berval)));
- struct berval* any_incoming = NULL;
- struct berval* remaining_incoming;
- struct berval* any_element;
-
- if ((!(incoming->f_sub_initial.bv_val) && (stored->f_sub_initial.bv_val))
- || (!(incoming->f_sub_final.bv_val) && (stored->f_sub_final.bv_val)))
- return 0;
-
-
- ber_dupbv(init_incoming, &(incoming->f_sub_initial));
- ber_dupbv(final_incoming, &(incoming->f_sub_final));
-
- if (incoming->f_sub_any) {
- for ( any_count=0; incoming->f_sub_any[any_count].bv_val != NULL;
- any_count++ )
- ;
-
- any_incoming = (struct berval*)malloc((any_count+1) *
- sizeof(struct berval));
-
- for (i=0; i<any_count; i++) {
- ber_dupbv(&(any_incoming[i]), &(incoming->f_sub_any[i]));
- }
- any_incoming[any_count].bv_val = NULL;
- any_incoming[any_count].bv_len = 0;
- }
-
- if (find_and_remove(init_incoming,
- &(stored->f_sub_initial), 1) && find_and_remove(final_incoming,
- &(stored->f_sub_final), 3))
- {
- if (stored->f_sub_any == NULL) {
- rc = 1;
- goto final;
- }
- remaining_incoming = merge_init_final(init_incoming,
- any_incoming, final_incoming);
- rc = strings_containment(stored->f_sub_any, remaining_incoming);
- goto final;
- }
- rc = 0;
-final:
- /*
- ber_bvfree(init_incoming);
- ber_bvfree(final_incoming);
- if (any_incoming) {
- for (i=0; i < any_count; i++)
- free(any_incoming[i].bv_val);
- free(any_incoming);
- }
- */
-
- return rc;
-}
-
-int
-substr_containment_equality(Filter* stored, Filter* incoming)
-{
-
- struct berval* incoming_val = (struct berval*)(malloc(2*sizeof(struct berval)));
- int rc;
-
- ber_dupbv(incoming_val, &(incoming->f_av_value));
- incoming_val[1].bv_val = NULL;
- incoming_val[1].bv_len = 0;
-
- if (find_and_remove(incoming_val,
- &(stored->f_sub_initial), 1) && find_and_remove(incoming_val,
- &(stored->f_sub_final), 3)) {
- if (stored->f_sub_any == NULL){
- rc = 1;
- goto final;
- }
- rc = strings_containment(stored->f_sub_any, incoming_val);
- goto final;
- }
- rc=0;
-final:
- /*
- if(incoming_val[0].bv_val)
- free(incoming_val[0].bv_val);
- free(incoming_val);
- */
- return rc;
-}
+++ /dev/null
-/* $OpenLDAP$ */
-/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
- *
- * Copyright 1999-2003 The OpenLDAP Foundation.
- * Portions Copyright 2003 IBM Corporation.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted only as authorized by the OpenLDAP
- * Public License.
- *
- * A copy of this license is available in the file LICENSE in the
- * top-level directory of the distribution or, alternatively, at
- * <http://www.OpenLDAP.org/license.html>.
- */
-/* ACKNOWLEDGEMENTS:
- * This work was initially developed by the Apurva Kumar for inclusion
- * in OpenLDAP Software based, in part, on existing OpenLDAP Software.
- */
-
-#include "portable.h"
-
-#include <stdio.h>
-
-#include <ac/socket.h>
-#include <ac/string.h>
-#include <ac/time.h>
-
-#include "slap.h"
-#include "../back-ldap/back-ldap.h"
-#include "back-meta.h"
-#undef ldap_debug /* silence a warning in ldap-int.h */
-#include "../../../libraries/libldap/ldap-int.h"
-
-void
-filter2template(
- Filter *f,
- struct berval *fstr,
- AttributeName** filter_attrs,
- int* filter_cnt,
- struct exception* result )
-{
- int i;
- Filter *p;
- struct berval tmp;
- ber_len_t len;
- const char* text;
-
- /*
- * FIXME: should we use an assert here?
- */
- if ( f == NULL ) {
- ber_str2bv( "No filter!", sizeof("No filter!")-1, 1, fstr );
- result->type = FILTER_ERR;
- return;
- }
-
- switch ( f->f_choice ) {
- case LDAP_FILTER_EQUALITY:
- fstr->bv_len = f->f_av_desc->ad_cname.bv_len +
- ( sizeof("(=)") - 1 );
- fstr->bv_val = ch_malloc( fstr->bv_len + 1 );
-
- snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s=)",
- f->f_av_desc->ad_cname.bv_val );
-
- *filter_attrs = (AttributeName *)ch_realloc(*filter_attrs,
- (*filter_cnt + 2)*sizeof(AttributeName));
-
-#if 0 /* ? */
- ber_dupbv(&(*filter_attrs)[*filter_cnt].an_name,
- &f->f_av_desc->ad_cname);
-#endif
-
- (*filter_attrs)[*filter_cnt].an_name = f->f_av_desc->ad_cname;
- (*filter_attrs)[*filter_cnt].an_desc = NULL;
- slap_bv2ad(&f->f_av_desc->ad_cname,
- &(*filter_attrs)[*filter_cnt].an_desc, &text);
- (*filter_attrs)[*filter_cnt+1].an_name.bv_val = NULL;
- (*filter_attrs)[*filter_cnt+1].an_name.bv_len = 0;
- (*filter_cnt)++;
- break;
- case LDAP_FILTER_GE:
- fstr->bv_len = f->f_av_desc->ad_cname.bv_len +
- + ( sizeof("(>=)") - 1 );
- fstr->bv_val = ch_malloc( fstr->bv_len + 1 );
-
- snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s>=)",
- f->f_av_desc->ad_cname.bv_val);
-
- *filter_attrs = (AttributeName *)ch_realloc(*filter_attrs,
- (*filter_cnt + 2)*sizeof(AttributeName));
-#if 0 /* ? */
- ber_dupbv(&(*filter_attrs)[filter_cnt].an_name,
- &f->f_av_desc->ad_cname);
-#endif
-
- (*filter_attrs)[*filter_cnt].an_name = f->f_av_desc->ad_cname;
- (*filter_attrs)[*filter_cnt].an_desc = NULL;
- slap_bv2ad(&f->f_av_desc->ad_cname,
- &(*filter_attrs)[*filter_cnt].an_desc, &text);
- (*filter_attrs)[*filter_cnt+1].an_name.bv_val = NULL;
- (*filter_attrs)[*filter_cnt+1].an_name.bv_len = 0;
- (*filter_cnt)++;
-
- break;
-
- case LDAP_FILTER_LE:
- fstr->bv_len = f->f_av_desc->ad_cname.bv_len +
- + ( sizeof("(<=)") - 1 );
- fstr->bv_val = ch_malloc( fstr->bv_len + 1 );
-
- snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s<=)",
- f->f_av_desc->ad_cname.bv_val);
-
- *filter_attrs = (AttributeName *)ch_realloc(*filter_attrs,
- (*filter_cnt + 2)*sizeof(AttributeName));
-#if 0 /* ? */
- ber_dupbv(&(*filter_attrs)[filter_cnt].an_name,
- &f->f_av_desc->ad_cname);
-#endif
-
- (*filter_attrs)[*filter_cnt].an_name = f->f_av_desc->ad_cname;
- (*filter_attrs)[*filter_cnt].an_desc = NULL;
- slap_bv2ad(&f->f_av_desc->ad_cname,
- &(*filter_attrs)[*filter_cnt].an_desc, &text);
- (*filter_attrs)[*filter_cnt+1].an_name.bv_val = NULL;
- (*filter_attrs)[*filter_cnt+1].an_name.bv_len = 0;
- (*filter_cnt++);
-
- break;
-
- case LDAP_FILTER_APPROX:
- fstr->bv_len = f->f_av_desc->ad_cname.bv_len +
- + ( sizeof("(~=)") - 1 );
- fstr->bv_val = ch_malloc( fstr->bv_len + 1 );
-
- snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s~=)",
- f->f_av_desc->ad_cname.bv_val);
-
- *filter_attrs = (AttributeName *)ch_realloc(*filter_attrs,
- (*filter_cnt + 2)*sizeof(AttributeName));
-
-#if 0 /* ? */
- ber_dupbv(&(*filter_attrs)[filter_cnt].an_name,
- &f->f_av_desc->ad_cname);
-#endif
-
- (*filter_attrs)[*filter_cnt].an_name = f->f_av_desc->ad_cname;
- (*filter_attrs)[*filter_cnt].an_desc = NULL;
- slap_bv2ad(&f->f_av_desc->ad_cname,
- &(*filter_attrs)[*filter_cnt].an_desc, &text);
- (*filter_attrs)[*filter_cnt+1].an_name.bv_val = NULL;
- (*filter_attrs)[*filter_cnt+1].an_name.bv_len = 0;
- (*filter_cnt)++;
-
- break;
-
- case LDAP_FILTER_SUBSTRINGS:
- fstr->bv_len = f->f_sub_desc->ad_cname.bv_len +
- ( sizeof("(=)") - 1 );
- fstr->bv_val = ch_malloc( fstr->bv_len + 1 );
-
- snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s=)",
- f->f_sub_desc->ad_cname.bv_val );
-
- *filter_attrs = (AttributeName *)ch_realloc(*filter_attrs,
- (*filter_cnt + 2)*sizeof(AttributeName));
-
-#if 0 /* ? */
- ber_dupbv(&(*filter_attrs)[filter_cnt].an_name,
- &f->f_av_desc->ad_cname);
-#endif
-
- (*filter_attrs)[*filter_cnt].an_name = f->f_av_desc->ad_cname;
- (*filter_attrs)[*filter_cnt].an_desc = NULL;
- slap_bv2ad(&f->f_av_desc->ad_cname,
- &(*filter_attrs)[*filter_cnt].an_desc, &text);
- (*filter_attrs)[*filter_cnt+1].an_name.bv_val = NULL;
- (*filter_attrs)[*filter_cnt+1].an_name.bv_len = 0;
- (*filter_cnt)++;
-
- break;
-
- case LDAP_FILTER_PRESENT:
- fstr->bv_len = f->f_desc->ad_cname.bv_len +
- ( sizeof("(=*)") - 1 );
- fstr->bv_val = ch_malloc( fstr->bv_len + 1 );
-
- snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s=*)",
- f->f_desc->ad_cname.bv_val );
-
- *filter_attrs = (AttributeName *)ch_realloc(*filter_attrs,
- (*filter_cnt+2)*sizeof(AttributeName));
-
-#if 0 /* ? */
- ber_dupbv(&(*filter_attrs)[filter_cnt].an_name,
- &f->f_av_desc->ad_cname);
-#endif
-
- (*filter_attrs)[*filter_cnt].an_name = f->f_desc->ad_cname;
- (*filter_attrs)[*filter_cnt].an_desc = NULL;
- slap_bv2ad(&f->f_desc->ad_cname,
- &(*filter_attrs)[*filter_cnt].an_desc, &text);
- (*filter_attrs)[*filter_cnt+1].an_name.bv_val = NULL;
- (*filter_attrs)[*filter_cnt+1].an_name.bv_len = 0;
- (*filter_cnt)++;
-
- break;
-
- case LDAP_FILTER_AND:
- case LDAP_FILTER_OR:
- case LDAP_FILTER_NOT:
- fstr->bv_len = sizeof("(%)") - 1;
- fstr->bv_val = ch_malloc( fstr->bv_len + 128 );
-
- snprintf( fstr->bv_val, fstr->bv_len + 1, "(%c)",
- f->f_choice == LDAP_FILTER_AND ? '&' :
- f->f_choice == LDAP_FILTER_OR ? '|' : '!' );
-
- for ( p = f->f_list; p != NULL; p = p->f_next ) {
- len = fstr->bv_len;
-
- filter2template( p, &tmp, filter_attrs, filter_cnt,
- result);
- if (result->type != SUCCESS) {
- return;
- }
-
- fstr->bv_len += tmp.bv_len;
- fstr->bv_val = ch_realloc( fstr->bv_val,
- fstr->bv_len + 1 );
-
- snprintf( &fstr->bv_val[len-1], tmp.bv_len + 2,
- /*"("*/ "%s)", tmp.bv_val );
-
- ch_free( tmp.bv_val );
- }
-
- break;
-
- default:
- ber_str2bv( "(?=unknown)", sizeof("(?=unknown)")-1, 1, fstr );
- result->type = FILTER_ERR;
- return;
- }
-}
+++ /dev/null
-/* $OpenLDAP$ */
-/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
- *
- * Copyright 1999-2003 The OpenLDAP Foundation.
- * Portions Copyright 2003 IBM Corporation.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted only as authorized by the OpenLDAP
- * Public License.
- *
- * A copy of this license is available in the file LICENSE in the
- * top-level directory of the distribution or, alternatively, at
- * <http://www.OpenLDAP.org/license.html>.
- */
-/* ACKNOWLEDGEMENTS:
- * This work was initially developed by the Apurva Kumar for inclusion
- * in OpenLDAP Software.
- */
-
-#ifndef META_CACHE_H
-#define META_CACHE_H
-#include "slap.h"
-
-/* cache specific errors */
-enum type_of_result {
- SUCCESS,
- CONN_ERR,
- RESULT_ERR,
- FILTER_ERR,
- REWRITING_ERR,
- MERGE_ERR,
- REMOVE_ERR,
- SLIMIT_ERR,
- ABANDON_ERR,
- CREATE_ENTRY_ERR,
- TIMEOUT_ERR,
- SIZE_ERR,
- GET_SIZE_ERR
-};
-
-
-struct exception {
- enum type_of_result type;
- int rc;
-};
-
-/* query cache structs */
-/* query */
-
-typedef struct Query_s {
- Filter* filter; /* Search Filter */
- AttributeName* attrs; /* Projected attributes */
- struct berval base; /* Search Base */
- int scope; /* Search scope */
-} Query;
-
-/* struct representing a cached query */
-typedef struct cached_query_s {
- Query query; /* LDAP query */
- char* q_uuid; /* query identifier */
- int template_id; /* template of the query */
- time_t expiry_time; /* time till the query is considered valid */
- struct cached_query_s *next; /* next query in the template */
- struct cached_query_s *prev; /* previous query in the template */
- struct cached_query_s *lru_up; /* previous query in the LRU list */
- struct cached_query_s *lru_down; /* next query in the LRU list */
-} CachedQuery;
-
-/* struct representing a query template
- * e.g. template string = &(cn=)(mail=)
- */
-typedef struct query_template_s {
- char* querystr; /* Filter string corresponding to the QT */
- char* base; /* Search base */
- int attr_set_index; /* determines the projected attributes */
-
- CachedQuery* query; /* most recent query cached for the template */
- CachedQuery* query_last; /* oldest query cached for the template */
-
- int no_of_queries; /* Total number of queries in the template */
- long ttl; /* TTL for the queries of this template */
- ldap_pvt_thread_rdwr_t t_rwlock; /* Rd/wr lock for accessing queries in the template */
-} QueryTemplate;
-
-/*
- * Represents a set of projected attributes and any
- * supersets among all specified sets of attributes.
- */
-
-struct attr_set {
- AttributeName* attrs; /* specifies the set */
- int count; /* number of attributes */
- int* ID_array; /* array of indices of supersets of 'attrs' */
-};
-
-struct query_manager_s;
-
-/* prototypes for functions for 1) query containment
- * 2) query addition, 3) cache replacement
- */
-typedef int (*QCfunc)(struct query_manager_s*, Query*, int );
-typedef void (*AddQueryfunc)(struct query_manager_s*, Query*, int, char*, struct exception* );
-typedef char* (*CRfunc)(struct query_manager_s* );
-
-/* LDAP query cache */
-typedef struct query_manager_s {
- struct attr_set* attr_sets; /* possible sets of projected attributes */
- QueryTemplate* templates; /* cacheable templates */
-
- CachedQuery* lru_top; /* top and bottom of LRU list */
- CachedQuery* lru_bottom;
-
- ldap_pvt_thread_mutex_t lru_mutex; /* mutex for accessing LRU list */
-
- /* Query cache methods */
- QCfunc qcfunc; /* Query containment*/
- CRfunc crfunc; /* cache replacement */
- AddQueryfunc addfunc; /* add query */
-} query_manager;
-
-/* LDAP query cache manager */
-typedef struct cache_manager_s {
- unsigned long cache_size; /* current cache size (bytes) */
- unsigned long thresh_hi; /* cache capacity (bytes) */
- unsigned long thresh_lo; /* lower threshold for cache replacement */
- unsigned long num_cached_queries; /* total number of cached queries */
- unsigned long max_queries; /* upper bound on # of cached queries */
- int caching;
-
- int numattrsets; /* number of attribute sets */
- int numtemplates; /* number of cacheable templates */
- int total_entries; /* total number of entries cached */
- int num_entries_limit; /* max # of entries in a cacheable query */
- int threads; /* number of threads currently in meta_back_search */
-
- int cc_period; /* interval between successive consistency checks (sec) */
- int cc_thread_started;
- ldap_pvt_thread_t cc_thread;
-
- ldap_pvt_thread_mutex_t cache_mutex;
- ldap_pvt_thread_mutex_t remove_mutex;
- ldap_pvt_thread_mutex_t cc_mutex;
-
- query_manager* qm; /* query cache managed by the cache manager */
-} cache_manager;
-
-/* search-cache.c */
-int
-meta_back_cache_search(
- Operation *op,
- SlapReply *rs
-);
-
-/* config-cache.c */
-int
-meta_back_cache_config(
- BackendDB *be,
- const char *fname,
- int lineno,
- int argc,
- char **argv
-);
-
-/* query-cache.c */
-int query_containment(query_manager*, Query*, int);
-void add_query(query_manager*, Query*, int, char*, struct exception*);
-char* cache_replacement(query_manager*);
-void remove_from_template (CachedQuery*, QueryTemplate*);
-void remove_query (query_manager*, CachedQuery*);
-void free_query (CachedQuery*);
-
-/* substring.c */
-int substr_containment_substr(Filter*, Filter*);
-int substr_containment_equality(Filter*, Filter*);
-
-/* template.c */
-void
-filter2template( Filter *f,
- struct berval *fstr,
- AttributeName** filter_attrs,
- int* filter_cnt,
- struct exception* result
-);
-
-/* merge.c */
-
-int
-merge_entry (
- Operation *op,
- SlapReply *rs,
- struct berval *query_uuid,
- struct exception *result
-);
-
-int
-get_entry_size(Entry* e,
- int size_init,
- struct exception* result
-);
-
-/* remove.c */
-int
-remove_query_data (
- Operation* conn,
- SlapReply *rs,
- struct berval* query_uuid,
- struct exception* result
-);
-#endif
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 1999-2003 The OpenLDAP Foundation.
+ * Portions Copyright 2001-2003 Pierangelo Masarati.
+ * Portions Copyright 1999-2003 Howard Chu.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* in OpenLDAP Software and subsequently enhanced by Pierangelo
* Masarati.
*/
-/* This is an altered version */
-/*
- * Copyright 2001, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
- *
- * This work has been developed to fulfill the requirements
- * of SysNet s.n.c. <http:www.sys-net.it> and it has been donated
- * to the OpenLDAP Foundation in the hope that it may be useful
- * to the Open Source community, but WITHOUT ANY WARRANTY.
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author and SysNet s.n.c. are not responsible for the consequences
- * of use of this software, no matter how awful, even if they arise from
- * flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- * SysNet s.n.c. cannot be responsible for the consequences of the
- * alterations.
- *
- * 4. This notice may not be removed or altered.
- *
- *
- * This software is based on the backend back-ldap, implemented
- * by Howard Chu <hyc@highlandsun.com>, and modified by Mark Valence
- * <kurash@sassafras.com>, Pierangelo Masarati <ando@sys-net.it> and other
- * contributors. The contribution of the original software to the present
- * implementation is acknowledged in this copyright statement.
- *
- * A special acknowledgement goes to Howard for the overall architecture
- * (and for borrowing large pieces of code), and to Mark, who implemented
- * from scratch the attribute/objectclass mapping.
- *
- * The original copyright statement follows.
- *
- * Copyright 1999, Howard Chu, All rights reserved. <hyc@highlandsun.com>
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author is not responsible for the consequences of use of this
- * software, no matter how awful, even if they arise from flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the
- * documentation.
- *
- * 4. This notice may not be removed or altered.
- *
- */
#include "portable.h"
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 1999-2003 The OpenLDAP Foundation.
+ * Portions Copyright 2001-2003 Pierangelo Masarati.
+ * Portions Copyright 1999-2003 Howard Chu.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* in OpenLDAP Software and subsequently enhanced by Pierangelo
* Masarati.
*/
-/* This is an altered version */
-/*
- * Copyright 2001, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
- *
- * This work has been developed to fulfill the requirements
- * of SysNet s.n.c. <http:www.sys-net.it> and it has been donated
- * to the OpenLDAP Foundation in the hope that it may be useful
- * to the Open Source community, but WITHOUT ANY WARRANTY.
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author and SysNet s.n.c. are not responsible for the consequences
- * of use of this software, no matter how awful, even if they arise from
- * flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- * SysNet s.n.c. cannot be responsible for the consequences of the
- * alterations.
- *
- * 4. This notice may not be removed or altered.
- *
- *
- * This software is based on the backend back-ldap, implemented
- * by Howard Chu <hyc@highlandsun.com>, and modified by Mark Valence
- * <kurash@sassafras.com>, Pierangelo Masarati <ando@sys-net.it> and other
- * contributors. The contribution of the original software to the present
- * implementation is acknowledged in this copyright statement.
- *
- * A special acknowledgement goes to Howard for the overall architecture
- * (and for borrowing large pieces of code), and to Mark, who implemented
- * from scratch the attribute/objectclass mapping.
- *
- * The original copyright statement follows.
- *
- * Copyright 1999, Howard Chu, All rights reserved. <hyc@highlandsun.com>
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author is not responsible for the consequences of use of this
- * software, no matter how awful, even if they arise from flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the
- * documentation.
- *
- * 4. This notice may not be removed or altered.
- *
- */
#include "portable.h"
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 1999-2003 The OpenLDAP Foundation.
+ * Portions Copyright 2001-2003 Pierangelo Masarati.
+ * Portions Copyright 1999-2003 Howard Chu.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* in OpenLDAP Software and subsequently enhanced by Pierangelo
* Masarati.
*/
-/* This is an altered version */
-/*
- * Copyright 2001, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
- *
- * This work has been developed to fulfill the requirements
- * of SysNet s.n.c. <http:www.sys-net.it> and it has been donated
- * to the OpenLDAP Foundation in the hope that it may be useful
- * to the Open Source community, but WITHOUT ANY WARRANTY.
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author and SysNet s.n.c. are not responsible for the consequences
- * of use of this software, no matter how awful, even if they arise from
- * flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- * SysNet s.n.c. cannot be responsible for the consequences of the
- * alterations.
- *
- * 4. This notice may not be removed or altered.
- *
- *
- * This software is based on the backend back-ldap, implemented
- * by Howard Chu <hyc@highlandsun.com>, and modified by Mark Valence
- * <kurash@sassafras.com>, Pierangelo Masarati <ando@sys-net.it> and other
- * contributors. The contribution of the original software to the present
- * implementation is acknowledged in this copyright statement.
- *
- * A special acknowledgement goes to Howard for the overall architecture
- * (and for borrowing large pieces of code), and to Mark, who implemented
- * from scratch the attribute/objectclass mapping.
- *
- * The original copyright statement follows.
- *
- * Copyright 1999, Howard Chu, All rights reserved. <hyc@highlandsun.com>
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author is not responsible for the consequences of use of this
- * software, no matter how awful, even if they arise from flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the
- * documentation.
- *
- * 4. This notice may not be removed or altered.
- *
- */
#include "portable.h"
fname, lineno, argc, argv );
/* anything else */
} else {
- if ( meta_back_cache_config( be, fname, lineno, argc, argv ) == 0 ) {
- return 0;
- }
-
- fprintf( stderr,
- "%s: line %d: unknown directive \"%s\" in meta database definition"
- " (ignored)\n",
- fname, lineno, argv[0] );
+ return SLAP_CONF_UNKNOWN;
}
return 0;
}
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 1999-2003 The OpenLDAP Foundation.
+ * Portions Copyright 2001-2003 Pierangelo Masarati.
+ * Portions Copyright 1999-2003 Howard Chu.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* in OpenLDAP Software and subsequently enhanced by Pierangelo
* Masarati.
*/
-/* This is an altered version */
-/*
- * Copyright 2001, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
- *
- * This work has been developed to fulfill the requirements
- * of SysNet s.n.c. <http:www.sys-net.it> and it has been donated
- * to the OpenLDAP Foundation in the hope that it may be useful
- * to the Open Source community, but WITHOUT ANY WARRANTY.
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author and SysNet s.n.c. are not responsible for the consequences
- * of use of this software, no matter how awful, even if they arise from
- * flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- * SysNet s.n.c. cannot be responsible for the consequences of the
- * alterations.
- *
- * 4. This notice may not be removed or altered.
- *
- *
- * This software is based on the backend back-ldap, implemented
- * by Howard Chu <hyc@highlandsun.com>, and modified by Mark Valence
- * <kurash@sassafras.com>, Pierangelo Masarati <ando@sys-net.it> and other
- * contributors. The contribution of the original software to the present
- * implementation is acknowledged in this copyright statement.
- *
- * A special acknowledgement goes to Howard for the overall architecture
- * (and for borrowing large pieces of code), and to Mark, who implemented
- * from scratch the attribute/objectclass mapping.
- *
- * The original copyright statement follows.
- *
- * Copyright 1999, Howard Chu, All rights reserved. <hyc@highlandsun.com>
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author is not responsible for the consequences of use of this
- * software, no matter how awful, even if they arise from flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the
- * documentation.
- *
- * 4. This notice may not be removed or altered.
- *
- */
#include "portable.h"
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 1999-2003 The OpenLDAP Foundation.
+ * Portions Copyright 2001-2003 Pierangelo Masarati.
+ * Portions Copyright 1999-2003 Howard Chu.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* in OpenLDAP Software and subsequently enhanced by Pierangelo
* Masarati.
*/
-/* This is an altered version */
-/*
- * Copyright 2001, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
- *
- * This work has been developed to fulfill the requirements
- * of SysNet s.n.c. <http:www.sys-net.it> and it has been donated
- * to the OpenLDAP Foundation in the hope that it may be useful
- * to the Open Source community, but WITHOUT ANY WARRANTY.
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author and SysNet s.n.c. are not responsible for the consequences
- * of use of this software, no matter how awful, even if they arise from
- * flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- * SysNet s.n.c. cannot be responsible for the consequences of the
- * alterations.
- *
- * 4. This notice may not be removed or altered.
- *
- *
- * This software is based on the backend back-ldap, implemented
- * by Howard Chu <hyc@highlandsun.com>, and modified by Mark Valence
- * <kurash@sassafras.com>, Pierangelo Masarati <ando@sys-net.it> and other
- * contributors. The contribution of the original software to the present
- * implementation is acknowledged in this copyright statement.
- *
- * A special acknowledgement goes to Howard for the overall architecture
- * (and for borrowing large pieces of code), and to Mark, who implemented
- * from scratch the attribute/objectclass mapping.
- *
- * The original copyright statement follows.
- *
- * Copyright 1999, Howard Chu, All rights reserved. <hyc@highlandsun.com>
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author is not responsible for the consequences of use of this
- * software, no matter how awful, even if they arise from flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the
- * documentation.
- *
- * 4. This notice may not be removed or altered.
- *
- */
#include "portable.h"
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 1999-2003 The OpenLDAP Foundation.
+ * Portions Copyright 2001-2003 Pierangelo Masarati.
+ * Portions Copyright 1999-2003 Howard Chu.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* in OpenLDAP Software and subsequently enhanced by Pierangelo
* Masarati.
*/
-/* This is an altered version */
-/*
- * Copyright 2001, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
- *
- * This work has been developed to fulfill the requirements
- * of SysNet s.n.c. <http:www.sys-net.it> and it has been donated
- * to the OpenLDAP Foundation in the hope that it may be useful
- * to the Open Source community, but WITHOUT ANY WARRANTY.
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author and SysNet s.n.c. are not responsible for the consequences
- * of use of this software, no matter how awful, even if they arise from
- * flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- * SysNet s.n.c. cannot be responsible for the consequences of the
- * alterations.
- *
- * 4. This notice may not be removed or altered.
- *
- *
- * This software is based on the backend back-ldap, implemented
- * by Howard Chu <hyc@highlandsun.com>, and modified by Mark Valence
- * <kurash@sassafras.com>, Pierangelo Masarati <ando@sys-net.it> and other
- * contributors. The contribution of the original software to the present
- * implementation is acknowledged in this copyright statement.
- *
- * A special acknowledgement goes to Howard for the overall architecture
- * (and for borrowing large pieces of code), and to Mark, who implemented
- * from scratch the attribute/objectclass mapping.
- *
- * The original copyright statement follows.
- *
- * Copyright 1999, Howard Chu, All rights reserved. <hyc@highlandsun.com>
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author is not responsible for the consequences of use of this
- * software, no matter how awful, even if they arise from flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the
- * documentation.
- *
- * 4. This notice may not be removed or altered.
- *
- */
#include "portable.h"
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 1999-2003 The OpenLDAP Foundation.
+ * Portions Copyright 2001-2003 Pierangelo Masarati.
+ * Portions Copyright 1999-2003 Howard Chu.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* in OpenLDAP Software and subsequently enhanced by Pierangelo
* Masarati.
*/
-/* This is an altered version */
-/*
- * Copyright 2001, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
- *
- * This work has been developed to fulfill the requirements
- * of SysNet s.n.c. <http:www.sys-net.it> and it has been donated
- * to the OpenLDAP Foundation in the hope that it may be useful
- * to the Open Source community, but WITHOUT ANY WARRANTY.
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author and SysNet s.n.c. are not responsible for the consequences
- * of use of this software, no matter how awful, even if they arise from
- * flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- * SysNet s.n.c. cannot be responsible for the consequences of the
- * alterations.
- *
- * 4. This notice may not be removed or altered.
- *
- *
- * This software is based on the backend back-ldap, implemented
- * by Howard Chu <hyc@highlandsun.com>, and modified by Mark Valence
- * <kurash@sassafras.com>, Pierangelo Masarati <ando@sys-net.it> and other
- * contributors. The contribution of the original software to the present
- * implementation is acknowledged in this copyright statement.
- *
- * A special acknowledgement goes to Howard for the overall architecture
- * (and for borrowing large pieces of code), and to Mark, who implemented
- * from scratch the attribute/objectclass mapping.
- *
- * The original copyright statement follows.
- *
- * Copyright 1999, Howard Chu, All rights reserved. <hyc@highlandsun.com>
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author is not responsible for the consequences of use of this
- * software, no matter how awful, even if they arise from flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the
- * documentation.
- *
- * 4. This notice may not be removed or altered.
- *
- */
#ifndef META_EXTERNAL_H
#define META_EXTERNAL_H
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 1999-2003 The OpenLDAP Foundation.
+ * Portions Copyright 2001-2003 Pierangelo Masarati.
+ * Portions Copyright 1999-2003 Howard Chu.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* in OpenLDAP Software and subsequently enhanced by Pierangelo
* Masarati.
*/
-/* This is an altered version */
-/*
- * Copyright 2001, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
- *
- * This work has been developed to fulfill the requirements
- * of SysNet s.n.c. <http:www.sys-net.it> and it has been donated
- * to the OpenLDAP Foundation in the hope that it may be useful
- * to the Open Source community, but WITHOUT ANY WARRANTY.
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author and SysNet s.n.c. are not responsible for the consequences
- * of use of this software, no matter how awful, even if they arise from
- * flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- * SysNet s.n.c. cannot be responsible for the consequences of the
- * alterations.
- *
- * 4. This notice may not be removed or altered.
- *
- *
- * This software is based on the backend back-ldap, implemented
- * by Howard Chu <hyc@highlandsun.com>, and modified by Mark Valence
- * <kurash@sassafras.com>, Pierangelo Masarati <ando@sys-net.it> and other
- * contributors. The contribution of the original software to the present
- * implementation is acknowledged in this copyright statement.
- *
- * A special acknowledgement goes to Howard for the overall architecture
- * (and for borrowing large pieces of code), and to Mark, who implemented
- * from scratch the attribute/objectclass mapping.
- *
- * The original copyright statement follows.
- *
- * Copyright 1999, Howard Chu, All rights reserved. <hyc@highlandsun.com>
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author is not responsible for the consequences of use of this
- * software, no matter how awful, even if they arise from flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the
- * documentation.
- *
- * 4. This notice may not be removed or altered.
- *
- */
#include "portable.h"
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 1999-2003 The OpenLDAP Foundation.
+ * Portions Copyright 2001-2003 Pierangelo Masarati.
+ * Portions Copyright 1999-2003 Howard Chu.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* top-level directory of the distribution or, alternatively, at
* <http://www.OpenLDAP.org/license.html>.
*/
-/* ACKNOWLEDGEMENTS:
- * This work was initially developed by the Howard Chu for inclusion
- * in OpenLDAP Software and subsequently enhanced by Pierangelo
- * Masarati.
- */
-/* This is an altered version */
-/*
- * Copyright 2001, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
- *
- * This work has been developed to fulfill the requirements
- * of SysNet s.n.c. <http:www.sys-net.it> and it has been donated
- * to the OpenLDAP Foundation in the hope that it may be useful
- * to the Open Source community, but WITHOUT ANY WARRANTY.
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author and SysNet s.n.c. are not responsible for the consequences
- * of use of this software, no matter how awful, even if they arise from
- * flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- * SysNet s.n.c. cannot be responsible for the consequences of the
- * alterations.
- *
- * 4. This notice may not be removed or altered.
- *
- *
- * This software is based on the backend back-ldap, implemented
- * by Howard Chu <hyc@highlandsun.com>, and modified by Mark Valence
- * <kurash@sassafras.com>, Pierangelo Masarati <ando@sys-net.it> and other
- * contributors. The contribution of the original software to the present
- * implementation is acknowledged in this copyright statement.
- *
- * A special acknowledgement goes to Howard for the overall architecture
- * (and for borrowing large pieces of code), and to Mark, who implemented
- * from scratch the attribute/objectclass mapping.
- *
- * The original copyright statement follows.
- *
- * Copyright 1999, Howard Chu, All rights reserved. <hyc@highlandsun.com>
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author is not responsible for the consequences of use of this
- * software, no matter how awful, even if they arise from flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the
- * documentation.
- *
- * 4. This notice may not be removed or altered.
- *
- */
#include "portable.h"
struct metainfo *li;
struct rewrite_info *rwinfo;
- cache_manager *cm;
- query_manager *qm;
rwinfo = rewrite_info_init( REWRITE_MODE_USE_DEFAULT );
if ( rwinfo == NULL ) {
return -1;
}
-
- cm = (cache_manager *)ch_malloc(sizeof(cache_manager));
- if ( cm == NULL ) {
- rewrite_info_delete( &rwinfo );
- return -1;
- }
-
- qm = (query_manager*)ch_malloc(sizeof(query_manager));
- if ( qm == NULL ) {
- rewrite_info_delete( &rwinfo );
- ch_free( cm );
- return -1;
- }
-
- cm->caching = 0;
- cm->qm = qm;
- cm->numattrsets = 0;
- cm->numtemplates = 0;
- cm->num_entries_limit = 5;
- cm->cache_size = 0;
- cm->thresh_hi = 500000;
- cm->thresh_lo = 700000;
- cm->num_cached_queries = 0;
- cm->total_entries = 0;
- cm->max_queries = 10000;
- cm->threads = 0;
- cm->cc_thread_started = 0;
- cm->cc_period = 1000;
-
- qm->attr_sets = NULL;
- qm->templates = NULL;
- qm->lru_top = NULL;
- qm->lru_bottom = NULL;
-
- qm->qcfunc = query_containment;
- qm->crfunc = cache_replacement;
- qm->addfunc = add_query;
- ldap_pvt_thread_mutex_init(&qm->lru_mutex);
-
- ldap_pvt_thread_mutex_init(&cm->cache_mutex);
- ldap_pvt_thread_mutex_init(&cm->remove_mutex);
- ldap_pvt_thread_mutex_init( &cm->cc_mutex );
li = ch_calloc( 1, sizeof( struct metainfo ) );
if ( li == NULL ) {
+ rewrite_info_delete( &rwinfo );
return -1;
}
-
+
/*
* At present the default is no default target;
* this may change
*/
li->defaulttarget = META_DEFAULT_TARGET_NONE;
- li->cm = cm;
li->rwinfo = rwinfo;
- /* FIXME: what about qm ? */
ldap_pvt_thread_mutex_init( &li->conn_mutex );
ldap_pvt_thread_mutex_init( &li->cache.mutex );
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 1999-2003 The OpenLDAP Foundation.
+ * Portions Copyright 2001-2003 Pierangelo Masarati.
+ * Portions Copyright 1999-2003 Howard Chu.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* in OpenLDAP Software and subsequently enhanced by Pierangelo
* Masarati.
*/
-/* This is an altered version */
-/*
- * Copyright 2001, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
- *
- * This work has been developed to fulfill the requirements
- * of SysNet s.n.c. <http:www.sys-net.it> and it has been donated
- * to the OpenLDAP Foundation in the hope that it may be useful
- * to the Open Source community, but WITHOUT ANY WARRANTY.
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author and SysNet s.n.c. are not responsible for the consequences
- * of use of this software, no matter how awful, even if they arise from
- * flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- * SysNet s.n.c. cannot be responsible for the consequences of the
- * alterations.
- *
- * 4. This notice may not be removed or altered.
- *
- *
- * This software is based on the backend back-ldap, implemented
- * by Howard Chu <hyc@highlandsun.com>, and modified by Mark Valence
- * <kurash@sassafras.com>, Pierangelo Masarati <ando@sys-net.it> and other
- * contributors. The contribution of the original software to the present
- * implementation is acknowledged in this copyright statement.
- *
- * A special acknowledgement goes to Howard for the overall architecture
- * (and for borrowing large pieces of code), and to Mark, who implemented
- * from scratch the attribute/objectclass mapping.
- *
- * The original copyright statement follows.
- *
- * Copyright 1999, Howard Chu, All rights reserved. <hyc@highlandsun.com>
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author is not responsible for the consequences of use of this
- * software, no matter how awful, even if they arise from flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the
- * documentation.
- *
- * 4. This notice may not be removed or altered.
- *
- */
#include "portable.h"
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 1999-2003 The OpenLDAP Foundation.
+ * Portions Copyright 2001-2003 Pierangelo Masarati.
+ * Portions Copyright 1999-2003 Howard Chu.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* in OpenLDAP Software and subsequently enhanced by Pierangelo
* Masarati.
*/
-/* This is an altered version */
-/*
- * Copyright 2001, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
- *
- * This work has been developed to fulfill the requirements
- * of SysNet s.n.c. <http:www.sys-net.it> and it has been donated
- * to the OpenLDAP Foundation in the hope that it may be useful
- * to the Open Source community, but WITHOUT ANY WARRANTY.
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author and SysNet s.n.c. are not responsible for the consequences
- * of use of this software, no matter how awful, even if they arise from
- * flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- * SysNet s.n.c. cannot be responsible for the consequences of the
- * alterations.
- *
- * 4. This notice may not be removed or altered.
- *
- *
- * This software is based on the backend back-ldap, implemented
- * by Howard Chu <hyc@highlandsun.com>, and modified by Mark Valence
- * <kurash@sassafras.com>, Pierangelo Masarati <ando@sys-net.it> and other
- * contributors. The contribution of the original software to the present
- * implementation is acknowledged in this copyright statement.
- *
- * A special acknowledgement goes to Howard for the overall architecture
- * (and for borrowing large pieces of code), and to Mark, who implemented
- * from scratch the attribute/objectclass mapping.
- *
- * The original copyright statement follows.
- *
- * Copyright 1999, Howard Chu, All rights reserved. <hyc@highlandsun.com>
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author is not responsible for the consequences of use of this
- * software, no matter how awful, even if they arise from flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the
- * documentation.
- *
- * 4. This notice may not be removed or altered.
- *
- */
#include "portable.h"
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 1999-2003 The OpenLDAP Foundation.
+ * Portions Copyright 2001-2003 Pierangelo Masarati.
+ * Portions Copyright 1999-2003 Howard Chu.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* in OpenLDAP Software and subsequently enhanced by Pierangelo
* Masarati.
*/
-/* This is an altered version */
-/*
- * Copyright 2001, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
- *
- * This work has been developed to fulfill the requirements
- * of SysNet s.n.c. <http:www.sys-net.it> and it has been donated
- * to the OpenLDAP Foundation in the hope that it may be useful
- * to the Open Source community, but WITHOUT ANY WARRANTY.
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author and SysNet s.n.c. are not responsible for the consequences
- * of use of this software, no matter how awful, even if they arise from
- * flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- * SysNet s.n.c. cannot be responsible for the consequences of the
- * alterations.
- *
- * 4. This notice may not be removed or altered.
- *
- *
- * This software is based on the backend back-ldap, implemented
- * by Howard Chu <hyc@highlandsun.com>, and modified by Mark Valence
- * <kurash@sassafras.com>, Pierangelo Masarati <ando@sys-net.it> and other
- * contributors. The contribution of the original software to the present
- * implementation is acknowledged in this copyright statement.
- *
- * A special acknowledgement goes to Howard for the overall architecture
- * (and for borrowing large pieces of code), and to Mark, who implemented
- * from scratch the attribute/objectclass mapping.
- *
- * The original copyright statement follows.
- *
- * Copyright 1999, Howard Chu, All rights reserved. <hyc@highlandsun.com>
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author is not responsible for the consequences of use of this
- * software, no matter how awful, even if they arise from flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the
- * documentation.
- *
- * 4. This notice may not be removed or altered.
- *
- */
#include "portable.h"
int isroot = 0;
dncookie dc;
- cache_manager* cm = li->cm;
-
- if (cm->caching) {
- return meta_back_cache_search(op, rs);
- }
-
/*
* controls are set in ldap_back_dobind()
*
{
struct metainfo *li = ( struct metainfo * )op->o_bd->be_private;
struct berval a, mapped;
- Entry ent;
+ Entry ent = {0};
BerElement ber = *e->lm_ber;
Attribute *attr, **attrp;
struct berval dummy = { 0, NULL };
&ent.e_nname, target );
}
- ent.e_id = 0;
- ent.e_attrs = 0;
- ent.e_private = 0;
attrp = &ent.e_attrs;
dc.ctx = "searchAttrDN";
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 1999-2003 The OpenLDAP Foundation.
+ * Portions Copyright 2001-2003 Pierangelo Masarati.
+ * Portions Copyright 1999-2003 Howard Chu.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* in OpenLDAP Software and subsequently enhanced by Pierangelo
* Masarati.
*/
-/* This is an altered version */
-/*
- * Copyright 2001, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
- *
- * This work has been developed to fulfill the requirements
- * of SysNet s.n.c. <http:www.sys-net.it> and it has been donated
- * to the OpenLDAP Foundation in the hope that it may be useful
- * to the Open Source community, but WITHOUT ANY WARRANTY.
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author and SysNet s.n.c. are not responsible for the consequences
- * of use of this software, no matter how awful, even if they arise from
- * flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- * SysNet s.n.c. cannot be responsible for the consequences of the
- * alterations.
- *
- * 4. This notice may not be removed or altered.
- *
- *
- * This software is based on the backend back-ldap, implemented
- * by Howard Chu <hyc@highlandsun.com>, and modified by Mark Valence
- * <kurash@sassafras.com>, Pierangelo Masarati <ando@sys-net.it> and other
- * contributors. The contribution of the original software to the present
- * implementation is acknowledged in this copyright statement.
- *
- * A special acknowledgement goes to Howard for the overall architecture
- * (and for borrowing large pieces of code), and to Mark, who implemented
- * from scratch the attribute/objectclass mapping.
- *
- * The original copyright statement follows.
- *
- * Copyright 1999, Howard Chu, All rights reserved. <hyc@highlandsun.com>
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author is not responsible for the consequences of use of this
- * software, no matter how awful, even if they arise from flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the
- * documentation.
- *
- * 4. This notice may not be removed or altered.
- *
- */
#include "portable.h"
+++ /dev/null
-This work is part of OpenLDAP Software <http://www.openldap.org/>.
-
-Copyright 1998-2003 The OpenLDAP Foundation.
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted only as authorized by the OpenLDAP
-Public License.
-
-A copy of this license is available in file LICENSE in the
-top-level directory of the distribution or, alternatively, at
-<http://www.OpenLDAP.org/license.html>.
-
-ACKNOWLEDGEMENTS:
-This work was initially developed by Pierangelo Masarati for inclusion
-in OpenLDAP Software.
-
---- This is an altered version ---
-
-Copyright 2001, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
-
-This work has beed deveolped for the OpenLDAP Foundation
-in the hope that it may be useful to the Open Source community,
-but WITHOUT ANY WARRANTY.
-
-Permission is granted to anyone to use this software for any purpose
-on any computer system, and to alter it and redistribute it, subject
-to the following restrictions:
-
-1. The author and SysNet s.n.c. are not responsible for the consequences
- of use of this software, no matter how awful, even if they arise from
- flaws in it.
-
-2. The origin of this software must not be misrepresented, either by
- explicit claim or by omission. Since few users ever read sources,
- credits should appear in the documentation.
-
-3. Altered versions must be plainly marked as such, and must not be
- misrepresented as being the original software. Since few users
- ever read sources, credits should appear in the documentation.
- SysNet s.n.c. cannot be responsible for the consequences of the
- alterations.
-
-4. This notice may not be removed or altered.
-
LIBBASE = back_monitor
-XINCPATH = -I.. -I$(srcdir)/.. -I../slapi
+XINCPATH = -I.. -I$(srcdir)/.. -I$(srcdir)/../slapi
XDEFS = $(MODULES_CPPFLAGS)
all-local-lib: ../.backend
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright 1998-2003 The OpenLDAP Foundation.
+ * Copyright 2001-2003 The OpenLDAP Foundation.
+ * Portions Copyright 2001-2003 Pierangelo Masarati.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* This work was initially developed by Pierangelo Masarati for inclusion
* in OpenLDAP Software.
*/
-/* This is an altered version */
-/*
- * Copyright 2001, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
- *
- * This work has beed deveolped for the OpenLDAP Foundation
- * in the hope that it may be useful to the Open Source community,
- * but WITHOUT ANY WARRANTY.
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author and SysNet s.n.c. are not responsible for the consequences
- * of use of this software, no matter how awful, even if they arise from
- * flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- * SysNet s.n.c. cannot be responsible for the consequences of the
- * alterations.
- *
- * 4. This notice may not be removed or altered.
- */
#ifndef _BACK_MONITOR_H_
#define _BACK_MONITOR_H_
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright 1998-2003 The OpenLDAP Foundation.
+ * Copyright 2001-2003 The OpenLDAP Foundation.
+ * Portions Copyright 2001-2003 Pierangelo Masarati.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* This work was initially developed by Pierangelo Masarati for inclusion
* in OpenLDAP Software.
*/
-/* This is an altered version */
-/*
- * Copyright 2001, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
- *
- * This work has beed deveolped for the OpenLDAP Foundation
- * in the hope that it may be useful to the Open Source community,
- * but WITHOUT ANY WARRANTY.
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author and SysNet s.n.c. are not responsible for the consequences
- * of use of this software, no matter how awful, even if they arise from
- * flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- * SysNet s.n.c. cannot be responsible for the consequences of the
- * alterations.
- *
- * 4. This notice may not be removed or altered.
- */
#include "portable.h"
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright 1998-2003 The OpenLDAP Foundation.
+ * Copyright 2001-2003 The OpenLDAP Foundation.
+ * Portions Copyright 2001-2003 Pierangelo Masarati.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* This work was initially developed by Pierangelo Masarati for inclusion
* in OpenLDAP Software.
*/
-/* This is an altered version */
-/*
- * Copyright 2001, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
- *
- * This work has beed deveolped for the OpenLDAP Foundation
- * in the hope that it may be useful to the Open Source community,
- * but WITHOUT ANY WARRANTY.
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author and SysNet s.n.c. are not responsible for the consequences
- * of use of this software, no matter how awful, even if they arise from
- * flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- * SysNet s.n.c. cannot be responsible for the consequences of the
- * alterations.
- *
- * 4. This notice may not be removed or altered.
- */
#include "portable.h"
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright 1998-2003 The OpenLDAP Foundation.
+ * Copyright 2001-2003 The OpenLDAP Foundation.
+ * Portions Copyright 2001-2003 Pierangelo Masarati.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* This work was initially developed by Pierangelo Masarati for inclusion
* in OpenLDAP Software.
*/
-/* This is an altered version */
-/*
- * Copyright 2001, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
- *
- * This work has beed deveolped for the OpenLDAP Foundation
- * in the hope that it may be useful to the Open Source community,
- * but WITHOUT ANY WARRANTY.
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author and SysNet s.n.c. are not responsible for the consequences
- * of use of this software, no matter how awful, even if they arise from
- * flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- * SysNet s.n.c. cannot be responsible for the consequences of the
- * alterations.
- *
- * 4. This notice may not be removed or altered.
- */
#include "portable.h"
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright 1998-2003 The OpenLDAP Foundation.
+ * Copyright 2001-2003 The OpenLDAP Foundation.
+ * Portions Copyright 2001-2003 Pierangelo Masarati.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* This work was initially developed by Pierangelo Masarati for inclusion
* in OpenLDAP Software.
*/
-/* This is an altered version */
-/*
- * Copyright 2001, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
- *
- * This work has beed deveolped for the OpenLDAP Foundation
- * in the hope that it may be useful to the Open Source community,
- * but WITHOUT ANY WARRANTY.
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author and SysNet s.n.c. are not responsible for the consequences
- * of use of this software, no matter how awful, even if they arise from
- * flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- * SysNet s.n.c. cannot be responsible for the consequences of the
- * alterations.
- *
- * 4. This notice may not be removed or altered.
- */
#include "portable.h"
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright 1998-2003 The OpenLDAP Foundation.
+ * Copyright 2001-2003 The OpenLDAP Foundation.
+ * Portions Copyright 2001-2003 Pierangelo Masarati.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* This work was initially developed by Pierangelo Masarati for inclusion
* in OpenLDAP Software.
*/
-/* This is an altered version */
-/*
- * Copyright 2001, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
- *
- * This work has beed deveolped for the OpenLDAP Foundation
- * in the hope that it may be useful to the Open Source community,
- * but WITHOUT ANY WARRANTY.
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author and SysNet s.n.c. are not responsible for the consequences
- * of use of this software, no matter how awful, even if they arise from
- * flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- * SysNet s.n.c. cannot be responsible for the consequences of the
- * alterations.
- *
- * 4. This notice may not be removed or altered.
- */
#include "portable.h"
char ctmbuf[ LDAP_LUTIL_GENTIME_BUFSIZE ];
struct tm *mtm;
char mtmbuf[ LDAP_LUTIL_GENTIME_BUFSIZE ];
+#ifdef HAVE_GMTIME_R
+ struct tm tm_buf;
+#endif /* HAVE_GMTIME_R */
assert( c != NULL );
assert( ep != NULL );
+#ifndef HAVE_GMTIME_R
ldap_pvt_thread_mutex_lock( &gmtime_mutex );
+#endif
#ifdef HACK_LOCAL_TIME
+# ifdef HAVE_LOCALTIME_R
+ ctm = localtime_r( &c->c_starttime, &tm_buf );
+ lutil_localtime( ctmbuf, sizeof( ctmbuf ), ctm, -timezone );
+ mtm = localtime_r( &c->c_activitytime, &tm_buf );
+ lutil_localtime( mtmbuf, sizeof( mtmbuf ), mtm, -timezone );
+# else
ctm = localtime( &c->c_starttime );
lutil_localtime( ctmbuf, sizeof( ctmbuf ), ctm, -timezone );
mtm = localtime( &c->c_activitytime );
lutil_localtime( mtmbuf, sizeof( mtmbuf ), mtm, -timezone );
+# endif /* HAVE_LOCALTIME_R */
#else /* !HACK_LOCAL_TIME */
+# ifdef HAVE_GMTIME_R
+ ctm = gmtime_r( &c->c_starttime, &tm_buf );
+ lutil_gentime( ctmbuf, sizeof( ctmbuf ), ctm );
+ mtm = gmtime_r( &c->c_activitytime, &tm_buf );
+ lutil_gentime( mtmbuf, sizeof( mtmbuf ), mtm );
+# else
ctm = gmtime( &c->c_starttime );
lutil_gentime( ctmbuf, sizeof( ctmbuf ), ctm );
mtm = gmtime( &c->c_activitytime );
lutil_gentime( mtmbuf, sizeof( mtmbuf ), mtm );
+# endif /* HAVE_GMTIME_R */
#endif /* !HACK_LOCAL_TIME */
+#ifndef HAVE_GMTIME_R
ldap_pvt_thread_mutex_unlock( &gmtime_mutex );
+#endif
snprintf( buf, sizeof( buf ),
"dn: cn=" CONN_CN_PREFIX " %ld,%s\n"
return( -1 );
}
+#ifndef HAVE_GMTIME_R
ldap_pvt_thread_mutex_lock( &gmtime_mutex );
-
+#endif
+
+#ifdef HAVE_GMTIME_R
+ ltm = gmtime_r( &c->c_starttime, &tm_buf );
+#else
ltm = gmtime( &c->c_starttime );
+#endif
lutil_gentime( buf2, sizeof( buf2 ), ltm );
-
+
+#ifdef HAVE_GMTIME_R
+ ltm = gmtime_r( &c->c_activitytime, &tm_buf );
+#else
ltm = gmtime( &c->c_activitytime );
+#endif
lutil_gentime( buf3, sizeof( buf3 ), ltm );
-
+
+#ifndef HAVE_GMTIME_R
ldap_pvt_thread_mutex_unlock( &gmtime_mutex );
+#endif /* HAVE_GMTIME_R */
/* monitored info */
sprintf( buf,
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright 1998-2003 The OpenLDAP Foundation.
+ * Copyright 2001-2003 The OpenLDAP Foundation.
+ * Portions Copyright 2001-2003 Pierangelo Masarati.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* This work was initially developed by Pierangelo Masarati for inclusion
* in OpenLDAP Software.
*/
-/* This is an altered version */
-/*
- * Copyright 2001, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
- *
- * This work has beed deveolped for the OpenLDAP Foundation
- * in the hope that it may be useful to the Open Source community,
- * but WITHOUT ANY WARRANTY.
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author and SysNet s.n.c. are not responsible for the consequences
- * of use of this software, no matter how awful, even if they arise from
- * flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- * SysNet s.n.c. cannot be responsible for the consequences of the
- * alterations.
- *
- * 4. This notice may not be removed or altered.
- */
#include "portable.h"
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright 1998-2003 The OpenLDAP Foundation.
+ * Copyright 2001-2003 The OpenLDAP Foundation.
+ * Portions Copyright 2001-2003 Pierangelo Masarati.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* This work was initially developed by Pierangelo Masarati for inclusion
* in OpenLDAP Software.
*/
-/* This is an altered version */
-/*
- * Copyright 2001, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
- *
- * This work has beed deveolped for the OpenLDAP Foundation
- * in the hope that it may be useful to the Open Source community,
- * but WITHOUT ANY WARRANTY.
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author and SysNet s.n.c. are not responsible for the consequences
- * of use of this software, no matter how awful, even if they arise from
- * flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- * SysNet s.n.c. cannot be responsible for the consequences of the
- * alterations.
- *
- * 4. This notice may not be removed or altered.
- */
#include "portable.h"
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright 1998-2003 The OpenLDAP Foundation.
+ * Copyright 2001-2003 The OpenLDAP Foundation.
+ * Portions Copyright 2001-2003 Pierangelo Masarati.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* This work was initially developed by Pierangelo Masarati for inclusion
* in OpenLDAP Software.
*/
-/* This is an altered version */
-/*
- * Copyright 2001, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
- *
- * This work has beed deveolped for the OpenLDAP Foundation
- * in the hope that it may be useful to the Open Source community,
- * but WITHOUT ANY WARRANTY.
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author and SysNet s.n.c. are not responsible for the consequences
- * of use of this software, no matter how awful, even if they arise from
- * flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- * SysNet s.n.c. cannot be responsible for the consequences of the
- * alterations.
- *
- * 4. This notice may not be removed or altered.
- */
#ifndef _MONITOR_EXTERNAL_H
#define _MONITOR_EXTERNAL_H
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright 1998-2003 The OpenLDAP Foundation.
+ * Copyright 2001-2003 The OpenLDAP Foundation.
+ * Portions Copyright 2001-2003 Pierangelo Masarati.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* This work was initially developed by Pierangelo Masarati for inclusion
* in OpenLDAP Software.
*/
-/* This is an altered version */
-/*
- * Copyright 2001, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
- *
- * This work has beed deveolped for the OpenLDAP Foundation
- * in the hope that it may be useful to the Open Source community,
- * but WITHOUT ANY WARRANTY.
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author and SysNet s.n.c. are not responsible for the consequences
- * of use of this software, no matter how awful, even if they arise from
- * flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- * SysNet s.n.c. cannot be responsible for the consequences of the
- * alterations.
- *
- * 4. This notice may not be removed or altered.
- */
#include "portable.h"
};
struct tm *tms;
+#ifdef HAVE_GMTIME_R
+ struct tm tm_buf;
+#endif
static char tmbuf[ LDAP_LUTIL_GENTIME_BUFSIZE ];
/*
* Start
*/
+#ifndef HAVE_GMTIME_R
ldap_pvt_thread_mutex_lock( &gmtime_mutex );
+#endif
#ifdef HACK_LOCAL_TIME
+# ifdef HAVE_LOCALTIME_R
+ tms = localtime_r( &starttime, &tm_buf );
+# else
tms = localtime( &starttime );
+# endif /* HAVE_LOCALTIME_R */
lutil_localtime( tmbuf, sizeof(tmbuf), tms, -timezone );
#else /* !HACK_LOCAL_TIME */
+# ifdef HAVE_GMTIME_R
+ tms = gmtime_r( &starttime, &tm_buf );
+# else
tms = gmtime( &starttime );
+# endif /* HAVE_GMTIME_R */
lutil_gentime( tmbuf, sizeof(tmbuf), tms );
#endif /* !HACK_LOCAL_TIME */
+#ifndef HAVE_GMTIME_R
ldap_pvt_thread_mutex_unlock( &gmtime_mutex );
+#endif
mi->mi_startTime.bv_val = tmbuf;
mi->mi_startTime.bv_len = strlen( tmbuf );
/*
* eventually, will hold backend specific configuration parameters
*/
- return 0;
+ return SLAP_CONF_UNKNOWN;
}
int
ber_str2bv( argv[ 1 ], 0, 1, &mi->mi_l );
} else {
-#ifdef NEW_LOGGING
- LDAP_LOG( CONFIG, INFO,
- "line %d of file '%s' will be ignored\n",
- lineno, fname, 0 );
-#else
- Debug( LDAP_DEBUG_CONFIG,
- "line %d of file '%s' will be ignored\n",
- lineno, fname, 0 );
-#endif
+ return SLAP_CONF_UNKNOWN;
}
return( 0 );
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright 1998-2003 The OpenLDAP Foundation.
+ * Copyright 2001-2003 The OpenLDAP Foundation.
+ * Portions Copyright 2001-2003 Pierangelo Masarati.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* This work was initially developed by Pierangelo Masarati for inclusion
* in OpenLDAP Software.
*/
-/* This is an altered version */
-/*
- * Copyright 2001, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
- *
- * This work has beed deveolped for the OpenLDAP Foundation
- * in the hope that it may be useful to the Open Source community,
- * but WITHOUT ANY WARRANTY.
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author and SysNet s.n.c. are not responsible for the consequences
- * of use of this software, no matter how awful, even if they arise from
- * flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- * SysNet s.n.c. cannot be responsible for the consequences of the
- * alterations.
- *
- * 4. This notice may not be removed or altered.
- */
#include "portable.h"
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright 1998-2003 The OpenLDAP Foundation.
+ * Copyright 2001-2003 The OpenLDAP Foundation.
+ * Portions Copyright 2001-2003 Pierangelo Masarati.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* This work was initially developed by Pierangelo Masarati for inclusion
* in OpenLDAP Software.
*/
-/* This is an altered version */
-/*
- * Copyright 2001, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
- *
- * This work has beed deveolped for the OpenLDAP Foundation
- * in the hope that it may be useful to the Open Source community,
- * but WITHOUT ANY WARRANTY.
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author and SysNet s.n.c. are not responsible for the consequences
- * of use of this software, no matter how awful, even if they arise from
- * flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- * SysNet s.n.c. cannot be responsible for the consequences of the
- * alterations.
- *
- * 4. This notice may not be removed or altered.
- */
#include "portable.h"
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright 1998-2003 The OpenLDAP Foundation.
+ * Copyright 2001-2003 The OpenLDAP Foundation.
+ * Portions Copyright 2001-2003 Pierangelo Masarati.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* This work was initially developed by Pierangelo Masarati for inclusion
* in OpenLDAP Software.
*/
-/* This is an altered version */
-/*
- * Copyright 2001, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
- *
- * This work has beed deveolped for the OpenLDAP Foundation
- * in the hope that it may be useful to the Open Source community,
- * but WITHOUT ANY WARRANTY.
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author and SysNet s.n.c. are not responsible for the consequences
- * of use of this software, no matter how awful, even if they arise from
- * flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- * SysNet s.n.c. cannot be responsible for the consequences of the
- * alterations.
- *
- * 4. This notice may not be removed or altered.
- */
#include "portable.h"
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright 1998-2003 The OpenLDAP Foundation.
+ * Copyright 2001-2003 The OpenLDAP Foundation.
+ * Portions Copyright 2001-2003 Pierangelo Masarati.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* This work was initially developed by Pierangelo Masarati for inclusion
* in OpenLDAP Software.
*/
-/* This is an altered version */
-/*
- * Copyright 2001, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
- *
- * This work has beed deveolped for the OpenLDAP Foundation
- * in the hope that it may be useful to the Open Source community,
- * but WITHOUT ANY WARRANTY.
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author and SysNet s.n.c. are not responsible for the consequences
- * of use of this software, no matter how awful, even if they arise from
- * flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- * SysNet s.n.c. cannot be responsible for the consequences of the
- * alterations.
- *
- * 4. This notice may not be removed or altered.
- */
#include "portable.h"
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright 1998-2003 The OpenLDAP Foundation.
+ * Copyright 2001-2003 The OpenLDAP Foundation.
+ * Portions Copyright 2001-2003 Pierangelo Masarati.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright 1998-2003 The OpenLDAP Foundation.
+ * Copyright 2001-2003 The OpenLDAP Foundation.
+ * Portions Copyright 2001-2003 Pierangelo Masarati.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* This work was initially developed by Pierangelo Masarati for inclusion
* in OpenLDAP Software.
*/
-/* This is an altered version */
-/*
- * Copyright 2001, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
- *
- * This work has beed deveolped for the OpenLDAP Foundation
- * in the hope that it may be useful to the Open Source community,
- * but WITHOUT ANY WARRANTY.
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author and SysNet s.n.c. are not responsible for the consequences
- * of use of this software, no matter how awful, even if they arise from
- * flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- * SysNet s.n.c. cannot be responsible for the consequences of the
- * alterations.
- *
- * 4. This notice may not be removed or altered.
- */
#ifndef _PROTO_BACK_MONITOR
#define _PROTO_BACK_MONITOR
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright 1998-2003 The OpenLDAP Foundation.
+ * Copyright 2001-2003 The OpenLDAP Foundation.
+ * Portions Copyright 2001-2003 Pierangelo Masarati.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* This work was initially developed by Pierangelo Masarati for inclusion
* in OpenLDAP Software.
*/
-/* This is an altered version */
-/*
- * Copyright 2001, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
- *
- * This work has beed deveolped for the OpenLDAP Foundation
- * in the hope that it may be useful to the Open Source community,
- * but WITHOUT ANY WARRANTY.
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author and SysNet s.n.c. are not responsible for the consequences
- * of use of this software, no matter how awful, even if they arise from
- * flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- * SysNet s.n.c. cannot be responsible for the consequences of the
- * alterations.
- *
- * 4. This notice may not be removed or altered.
- */
#include "portable.h"
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright 1998-2003 The OpenLDAP Foundation.
+ * Copyright 2001-2003 The OpenLDAP Foundation.
+ * Portions Copyright 2001-2003 Pierangelo Masarati.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* This work was initially developed by Pierangelo Masarati for inclusion
* in OpenLDAP Software.
*/
-/* This is an altered version */
-/*
- * Copyright 2001, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
- *
- * This work has beed deveolped for the OpenLDAP Foundation
- * in the hope that it may be useful to the Open Source community,
- * but WITHOUT ANY WARRANTY.
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author and SysNet s.n.c. are not responsible for the consequences
- * of use of this software, no matter how awful, even if they arise from
- * flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- * SysNet s.n.c. cannot be responsible for the consequences of the
- * alterations.
- *
- * 4. This notice may not be removed or altered.
- */
#include "portable.h"
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright 1998-2003 The OpenLDAP Foundation.
+ * Copyright 2001-2003 The OpenLDAP Foundation.
+ * Portions Copyright 2001-2003 Pierangelo Masarati.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* This work was initially developed by Pierangelo Masarati for inclusion
* in OpenLDAP Software.
*/
-/* This is an altered version */
-/*
- * Copyright 2001, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
- *
- * This work has beed deveolped for the OpenLDAP Foundation
- * in the hope that it may be useful to the Open Source community,
- * but WITHOUT ANY WARRANTY.
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author and SysNet s.n.c. are not responsible for the consequences
- * of use of this software, no matter how awful, even if they arise from
- * flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- * SysNet s.n.c. cannot be responsible for the consequences of the
- * alterations.
- *
- * 4. This notice may not be removed or altered.
- */
#include "portable.h"
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright 1998-2003 The OpenLDAP Foundation.
+ * Copyright 2001-2003 The OpenLDAP Foundation.
+ * Portions Copyright 2001-2003 Pierangelo Masarati.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* This work was initially developed by Pierangelo Masarati for inclusion
* in OpenLDAP Software.
*/
-/* This is an altered version */
-/*
- * Copyright 2001, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
- *
- * This work has beed deveolped for the OpenLDAP Foundation
- * in the hope that it may be useful to the Open Source community,
- * but WITHOUT ANY WARRANTY.
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author and SysNet s.n.c. are not responsible for the consequences
- * of use of this software, no matter how awful, even if they arise from
- * flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- * SysNet s.n.c. cannot be responsible for the consequences of the
- * alterations.
- *
- * 4. This notice may not be removed or altered.
- */
#include "portable.h"
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright 1998-2003 The OpenLDAP Foundation.
+ * Copyright 2001-2003 The OpenLDAP Foundation.
+ * Portions Copyright 2001-2003 Pierangelo Masarati.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* This work was initially developed by Pierangelo Masarati for inclusion
* in OpenLDAP Software.
*/
-/* This is an altered version */
-/*
- * Copyright 2001, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
- *
- * This work has beed deveolped for the OpenLDAP Foundation
- * in the hope that it may be useful to the Open Source community,
- * but WITHOUT ANY WARRANTY.
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author and SysNet s.n.c. are not responsible for the consequences
- * of use of this software, no matter how awful, even if they arise from
- * flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- * SysNet s.n.c. cannot be responsible for the consequences of the
- * alterations.
- *
- * 4. This notice may not be removed or altered.
- */
#include "portable.h"
if ( strncmp( e->e_nname.bv_val, "cn=current",
sizeof("cn=current") - 1 ) == 0 ) {
struct tm *tm;
+#ifdef HAVE_GMTIME_R
+ struct tm tm_buf;
+#endif
char tmbuf[ LDAP_LUTIL_GENTIME_BUFSIZE ];
Attribute *a;
ber_len_t len;
currtime = slap_get_time();
+#ifndef HAVE_GMTIME_R
ldap_pvt_thread_mutex_lock( &gmtime_mutex );
+#endif
#ifdef HACK_LOCAL_TIME
+# ifdef HAVE_LOCALTIME_R
+ tm = localtime_r( &currtime, &tm_buf );
+# else
tm = localtime( &currtime );
+# endif /* HAVE_LOCALTIME_R */
lutil_localtime( tmbuf, sizeof( tmbuf ), tm, -timezone );
#else /* !HACK_LOCAL_TIME */
+# ifdef HAVE_GMTIME_R
+ tm = gmtime_r( &currtime, &tm_buf );
+# else
tm = gmtime( &currtime );
+# endif /* HAVE_GMTIME_R */
lutil_gentime( tmbuf, sizeof( tmbuf ), tm );
#endif /* !HACK_LOCAL_TIME */
+#ifndef HAVE_GMTIME_R
ldap_pvt_thread_mutex_unlock( &gmtime_mutex );
+#endif
len = strlen( tmbuf );
/* anything else */
} else {
- fprintf( stderr,
-"%s: line %d: unknown directive \"%s\" in null database definition (ignored)\n",
- fname, lineno, argv[0] );
+ return SLAP_CONF_UNKNOWN;
}
return 0;
/* anything else */
} else {
- fprintf( stderr,
-"%s: line %d: unknown directive \"%s\" in passwd database definition (ignored)\n",
- fname, lineno, argv[0] );
+ return SLAP_CONF_UNKNOWN;
}
return( 0 );
-
Differences from 2.0 Perl API:
- Perl 5.6 is supported
# This is a sample Perl module for the OpenLDAP server slapd.
-#
# $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 1998-2003 The OpenLDAP Foundation.
+## Portions Copyright 1999 John C. Quillan.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
#
# Usage: Add something this to slapd.conf:
#
/* $OpenLDAP$ */
-/*
- * Copyright 1999-2003 The OpenLDAP Foundation, All Rights Reserved.
- * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
- */
-/*
- * Copyright 1999, John C. Quillan, All rights reserved.
- * Portions Copyright 2002, myinternet Limited. All rights reserved.
+/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
+ *
+ * Copyright 1999-2003 The OpenLDAP Foundation.
+ * Portions Copyright 1999 John C. Quillan.
+ * Portions Copyright 2002 myinternet Limited.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
*
- * Redistribution and use in source and binary forms are permitted only
- * as authorized by the OpenLDAP Public License. A copy of this
- * license is available at http://www.OpenLDAP.org/license.html or
- * in file LICENSE in the top-level directory of the distribution.
+ * A copy of this license is available in file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * <http://www.OpenLDAP.org/license.html>.
*/
#include <EXTERN.h>
-/*
- * Copyright 1999-2003 The OpenLDAP Foundation, All Rights Reserved.
- * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
+/* $OpenLDAP$ */
+/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
+ *
+ * Copyright 1999-2003 The OpenLDAP Foundation.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
+ *
+ * A copy of this license is available in file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * <http://www.OpenLDAP.org/license.html>.
*/
/* This file is probably obsolete. If it is not, */
/* $OpenLDAP$ */
-/*
- * Copyright 1999-2003 The OpenLDAP Foundation, All Rights Reserved.
- * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
- */
-/*
- * Copyright 1999, John C. Quillan, All rights reserved.
- * Portions Copyright 2002, myinternet Limited. All rights reserved.
+/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
+ *
+ * Copyright 1999-2003 The OpenLDAP Foundation.
+ * Portions Copyright 1999 John C. Quillan.
+ * Portions Copyright 2002 myinternet Limited.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
*
- * Redistribution and use in source and binary forms are permitted only
- * as authorized by the OpenLDAP Public License. A copy of this
- * license is available at http://www.OpenLDAP.org/license.html or
- * in file LICENSE in the top-level directory of the distribution.
+ * A copy of this license is available in file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * <http://www.OpenLDAP.org/license.html>.
*/
#include <EXTERN.h>
/* $OpenLDAP$ */
-/*
- * Copyright 1999-2003 The OpenLDAP Foundation, All Rights Reserved.
- * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
- */
-/*
- * Copyright 1999, John C. Quillan, All rights reserved.
- * Portions Copyright 2002, myinternet Limited. All rights reserved.
+/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
+ *
+ * Copyright 1999-2003 The OpenLDAP Foundation.
+ * Portions Copyright 1999 John C. Quillan.
+ * Portions Copyright 2002 myinternet Limited.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
*
- * Redistribution and use in source and binary forms are permitted only
- * as authorized by the OpenLDAP Public License. A copy of this
- * license is available at http://www.OpenLDAP.org/license.html or
- * in file LICENSE in the top-level directory of the distribution.
+ * A copy of this license is available in file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * <http://www.OpenLDAP.org/license.html>.
*/
#include <EXTERN.h>
/* $OpenLDAP$ */
-/*
- * Copyright 1999-2003 The OpenLDAP Foundation, All Rights Reserved.
- * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
- */
-/*
- * Copyright 1999, John C. Quillan, All rights reserved.
- * Portions Copyright 2002, myinternet Limited. All rights reserved.
+/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
+ *
+ * Copyright 1999-2003 The OpenLDAP Foundation.
+ * Portions Copyright 1999 John C. Quillan.
+ * Portions Copyright 2002 myinternet Limited.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
*
- * Redistribution and use in source and binary forms are permitted only
- * as authorized by the OpenLDAP Public License. A copy of this
- * license is available at http://www.OpenLDAP.org/license.html or
- * in file LICENSE in the top-level directory of the distribution.
+ * A copy of this license is available in file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * <http://www.OpenLDAP.org/license.html>.
*/
#include <EXTERN.h>
/* $OpenLDAP$ */
-/*
- * Copyright 1999-2003 The OpenLDAP Foundation, All Rights Reserved.
- * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
- */
-/*
- * Copyright 1999, John C. Quillan, All rights reserved.
- * Portions Copyright 2002, myinternet Limited. All rights reserved.
+/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
+ *
+ * Copyright 1999-2003 The OpenLDAP Foundation.
+ * Portions Copyright 1999 John C. Quillan.
+ * Portions Copyright 2002 myinternet Limited.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
*
- * Redistribution and use in source and binary forms are permitted only
- * as authorized by the OpenLDAP Public License. A copy of this
- * license is available at http://www.OpenLDAP.org/license.html or
- * in file LICENSE in the top-level directory of the distribution.
+ * A copy of this license is available in file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * <http://www.OpenLDAP.org/license.html>.
*/
#include <EXTERN.h>
} else if ( strcasecmp( argv[0], "filterSearchResults" ) == 0 ) {
perl_back->pb_filter_search_results = 1;
} else {
+ return_code = SLAP_CONF_UNKNOWN;
/*
* Pass it to Perl module if defined
*/
}
- /* if the module rejected it then we should reject it */
- if ( return_code != 0 ) {
- fprintf( stderr,
- "Unknown perl backend config: %s\n", argv[0]);
- exit( EXIT_FAILURE );
- }
+ return return_code;
}
return 0;
/* $OpenLDAP$ */
-/*
- * Copyright 1999-2003 The OpenLDAP Foundation, All Rights Reserved.
- * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
- */
-/*
- * Copyright 1999, John C. Quillan, All rights reserved.
- * Portions Copyright 2002, myinternet Limited. All rights reserved.
+/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
+ *
+ * Copyright 1999-2003 The OpenLDAP Foundation.
+ * Portions Copyright 1999 John C. Quillan.
+ * Portions Copyright 2002 myinternet Limited.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
*
- * Redistribution and use in source and binary forms are permitted only
- * as authorized by the OpenLDAP Public License. A copy of this
- * license is available at http://www.OpenLDAP.org/license.html or
- * in file LICENSE in the top-level directory of the distribution.
+ * A copy of this license is available in file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * <http://www.OpenLDAP.org/license.html>.
*/
#include <EXTERN.h>
/* $OpenLDAP$ */
-/*
- * Copyright 1999-2003 The OpenLDAP Foundation, All Rights Reserved.
- * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
+/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
+ *
+ * Copyright 1999-2003 The OpenLDAP Foundation.
+ * Portions Copyright 1999 John C. Quillan.
+ * Portions Copyright 2002 myinternet Limited.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
+ *
+ * A copy of this license is available in file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * <http://www.OpenLDAP.org/license.html>.
*/
+
#ifndef _PERL_EXTERNAL_H
#define _PERL_EXTERNAL_H
/* $OpenLDAP$ */
-/*
- * Copyright 1999-2003 The OpenLDAP Foundation, All Rights Reserved.
- * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
- */
-/*
- * Copyright 1999, John C. Quillan, All rights reserved.
- * Portions Copyright 2002, myinternet Limited. All rights reserved.
+/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
+ *
+ * Copyright 1999-2003 The OpenLDAP Foundation.
+ * Portions Copyright 1999 John C. Quillan.
+ * Portions Copyright 2002 myinternet Limited.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
*
- * Redistribution and use in source and binary forms are permitted only
- * as authorized by the OpenLDAP Public License. A copy of this
- * license is available at http://www.OpenLDAP.org/license.html or
- * in file LICENSE in the top-level directory of the distribution.
+ * A copy of this license is available in file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * <http://www.OpenLDAP.org/license.html>.
*/
#include <EXTERN.h>
/* $OpenLDAP$ */
-/*
- * Copyright 1999-2003 The OpenLDAP Foundation, All Rights Reserved.
- * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
- */
-/*
- * Copyright 1999, John C. Quillan, All rights reserved.
- * Portions Copyright 2002, myinternet Limited. All rights reserved.
+/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
+ *
+ * Copyright 1999-2003 The OpenLDAP Foundation.
+ * Portions Copyright 1999 John C. Quillan.
+ * Portions Copyright 2002 myinternet Limited.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
*
- * Redistribution and use in source and binary forms are permitted only
- * as authorized by the OpenLDAP Public License. A copy of this
- * license is available at http://www.OpenLDAP.org/license.html or
- * in file LICENSE in the top-level directory of the distribution.
+ * A copy of this license is available in file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * <http://www.OpenLDAP.org/license.html>.
*/
#include <EXTERN.h>
/* $OpenLDAP$ */
-/*
- * Copyright 1999-2003 The OpenLDAP Foundation, All Rights Reserved.
- * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
- */
-/*
- * Copyright 1999, John C. Quillan, All rights reserved.
- * Portions Copyright 2002, myinternet Limited. All rights reserved.
- *
- * Redistribution and use in source and binary forms are permitted only
- * as authorized by the OpenLDAP Public License. A copy of this
- * license is available at http://www.OpenLDAP.org/license.html or
- * in file LICENSE in the top-level directory of the distribution.
- */
-
-/*
- * LDAP v3 newSuperior support.
+/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright 1999, Juan C. Gomez, All rights reserved.
- * This software is not subject to any license of Silicon Graphics
- * Inc. or Purdue University.
+ * Copyright 1999-2003 The OpenLDAP Foundation.
+ * Portions Copyright 1999 John C. Quillan.
+ * Portions Copyright 2002 myinternet Limited.
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms are permitted
- * without restriction or fee of any kind as long as this notice
- * is preserved.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
*
+ * A copy of this license is available in file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * <http://www.OpenLDAP.org/license.html>.
*/
#include <EXTERN.h>
/* $OpenLDAP$ */
-/*
- * Copyright 1999-2003 The OpenLDAP Foundation, All Rights Reserved.
- * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
+/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
+ *
+ * Copyright 1999-2003 The OpenLDAP Foundation.
+ * Portions Copyright 1999 John C. Quillan.
+ * Portions Copyright 2002 myinternet Limited.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
+ *
+ * A copy of this license is available in file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * <http://www.OpenLDAP.org/license.html>.
*/
+
#ifndef PERL_BACK_H
#define PERL_BACK_H 1
/* $OpenLDAP$ */
-/*
- * Copyright 1999-2003 The OpenLDAP Foundation, All Rights Reserved.
- * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
- */
-/*
- * Copyright 1999, John C. Quillan, All rights reserved.
- * Portions Copyright 2002, myinternet Limited. All rights reserved.
+/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
+ *
+ * Copyright 1999-2003 The OpenLDAP Foundation.
+ * Portions Copyright 1999 John C. Quillan.
+ * Portions Copyright 2002 myinternet Limited.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
*
- * Redistribution and use in source and binary forms are permitted only
- * as authorized by the OpenLDAP Public License. A copy of this
- * license is available at http://www.OpenLDAP.org/license.html or
- * in file LICENSE in the top-level directory of the distribution.
+ * A copy of this license is available in file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * <http://www.OpenLDAP.org/license.html>.
*/
#include <EXTERN.h>
/* anything else */
} else {
- fprintf( stderr,
-"%s: line %d: unknown directive \"%s\" in shell database definition (ignored)\n",
- fname, lineno, argv[0] );
+ return SLAP_CONF_UNKNOWN;
}
return 0;
-/*
- * Copyright 1999, Dmitry Kovalev <mit@openldap.org>, All rights reserved.
+/* $OpenLDAP$ */
+/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Redistribution and use in source and binary forms are permitted only
- * as authorized by the OpenLDAP Public License. A copy of this
- * license is available at http://www.OpenLDAP.org/license.html or
- * in file LICENSE in the top-level directory of the distribution.
- */
-/*
- * Copyright 2002, Pierangelo Masarati <ando@OpenLDAP.org>.
- * All rights reserved.
+ * Copyright 1999-2003 The OpenLDAP Foundation.
+ * Portions Copyright 1999 Dmitry Kovalev.
+ * Portions Copyright 2002 Pierangelo Mararati.
+ * All rights reserved.
*
- * This is a modified version of back-sql; the same conditions
- * of the above reported Copyright statement, and sigificantly
- * the OpenLDAP Public License apply. Credits go to Dmitry
- * Kovalev for the initial development of the backend.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
*
- * This copyright statement cannot be altered.
+ * A copy of this license is available in the file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * <http://www.OpenLDAP.org/license.html>.
*/
+/* ACKNOWLEDGEMENTS:
+ * This work was initially developed by Dmitry Kovalev for inclusion
+ * by OpenLDAP Software. Additional significant contributors include
+ * Pierangelo Mararati
+ */
+
/*
- * The following changes have been addressed:
+ * The following changes have been addressed:
*
* Enhancements:
* - re-styled code for better readability
-/*
- * Copyright 1999, Dmitry Kovalev <mit@openldap.org>, All rights reserved.
+/* $OpenLDAP$ */
+/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Redistribution and use in source and binary forms are permitted only
- * as authorized by the OpenLDAP Public License. A copy of this
- * license is available at http://www.OpenLDAP.org/license.html or
- * in file LICENSE in the top-level directory of the distribution.
+ * Copyright 1999-2003 The OpenLDAP Foundation.
+ * Portions Copyright 1999 Dmitry Kovalev.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
+ *
+ * A copy of this license is available in the file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * <http://www.OpenLDAP.org/license.html>.
+ */
+/* ACKNOWLEDGEMENTS:
+ * This work was initially developed by Dmitry Kovalev for inclusion
+ * by OpenLDAP Software.
*/
#include "portable.h"
-/*
- * Copyright 1999, Dmitry Kovalev <mit@openldap.org>, All rights reserved.
+/* $OpenLDAP$ */
+/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Redistribution and use in source and binary forms are permitted only
- * as authorized by the OpenLDAP Public License. A copy of this
- * license is available at http://www.OpenLDAP.org/license.html or
- * in file LICENSE in the top-level directory of the distribution.
+ * Copyright 1999-2003 The OpenLDAP Foundation.
+ * Portions Copyright 1999 Dmitry Kovalev.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
+ *
+ * A copy of this license is available in the file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * <http://www.OpenLDAP.org/license.html>.
+ */
+/* ACKNOWLEDGEMENTS:
+ * This work was initially developed by Dmitry Kovalev for inclusion
+ * by OpenLDAP Software.
*/
#include "portable.h"
BACKSQL_FAIL_IF_NO_MAPPING( si ) ? "yes" : "no", 0, 0 );
} else {
- Debug( LDAP_DEBUG_TRACE, "<==backsql_db_config (%s line %d): "
- "unknown directive \"%s\" (ignored)\n",
- fname, lineno, argv[ 0 ] );
+ return SLAP_CONF_UNKNOWN;
}
return 0;
-/*
- * Copyright 1999, Dmitry Kovalev <mit@openldap.org>, All rights reserved.
+/* $OpenLDAP$ */
+/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Redistribution and use in source and binary forms are permitted only
- * as authorized by the OpenLDAP Public License. A copy of this
- * license is available at http://www.OpenLDAP.org/license.html or
- * in file LICENSE in the top-level directory of the distribution.
+ * Copyright 1999-2003 The OpenLDAP Foundation.
+ * Portions Copyright 1999 Dmitry Kovalev.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
+ *
+ * A copy of this license is available in the file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * <http://www.OpenLDAP.org/license.html>.
+ */
+/* ACKNOWLEDGEMENTS:
+ * This work was initially developed by Dmitry Kovalev for inclusion
+ * by OpenLDAP Software.
*/
#include "portable.h"
-#ifndef __BACKSQL_ENTRYID_H__
-#define __BACKSQL_ENTRYID_H__
-
-/*
- * Copyright 1999, Dmitry Kovalev <mit@openldap.org>, All rights reserved.
+/* $OpenLDAP$ */
+/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
+ *
+ * Copyright 1999-2003 The OpenLDAP Foundation.
+ * Portions Copyright 1999 Dmitry Kovalev.
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms are permitted only
- * as authorized by the OpenLDAP Public License. A copy of this
- * license is available at http://www.OpenLDAP.org/license.html or
- * in file LICENSE in the top-level directory of the distribution.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
+ *
+ * A copy of this license is available in the file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * <http://www.OpenLDAP.org/license.html>.
+ */
+/* ACKNOWLEDGEMENTS:
+ * This work was initially developed by Dmitry Kovalev for inclusion
+ * by OpenLDAP Software.
*/
+#ifndef __BACKSQL_ENTRYID_H__
+#define __BACKSQL_ENTRYID_H__
typedef struct backsql_entryID {
unsigned long id;
/* $OpenLDAP$ */
-#ifndef _SQL_EXTERNAL_H
-#define _SQL_EXTERNAL_H
-
-/*
- * Copyright 1999, Dmitry Kovalev <mit@openldap.org>, All rights reserved.
+/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
+ *
+ * Copyright 1999-2003 The OpenLDAP Foundation.
+ * Portions Copyright 1999 Dmitry Kovalev.
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms are permitted only
- * as authorized by the OpenLDAP Public License. A copy of this
- * license is available at http://www.OpenLDAP.org/license.html or
- * in file LICENSE in the top-level directory of the distribution.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
+ *
+ * A copy of this license is available in the file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * <http://www.OpenLDAP.org/license.html>.
+ */
+/* ACKNOWLEDGEMENTS:
+ * This work was initially developed by Dmitry Kovalev for inclusion
+ * by OpenLDAP Software.
*/
+#ifndef _SQL_EXTERNAL_H
+#define _SQL_EXTERNAL_H
LDAP_BEGIN_DECL
-/*
- * Copyright 1999, Dmitry Kovalev <mit@openldap.org>, All rights reserved.
+/* $OpenLDAP$ */
+/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Redistribution and use in source and binary forms are permitted only
- * as authorized by the OpenLDAP Public License. A copy of this
- * license is available at http://www.OpenLDAP.org/license.html or
- * in file LICENSE in the top-level directory of the distribution.
+ * Copyright 1999-2003 The OpenLDAP Foundation.
+ * Portions Copyright 1999 Dmitry Kovalev.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
+ *
+ * A copy of this license is available in the file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * <http://www.OpenLDAP.org/license.html>.
+ */
+/* ACKNOWLEDGEMENTS:
+ * This work was initially developed by Dmitry Kovalev for inclusion
+ * by OpenLDAP Software.
*/
#include "portable.h"
-/*
- * Copyright 1999, Dmitry Kovalev <mit@openldap.org>, All rights reserved.
+/* $OpenLDAP$ */
+/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
+ *
+ * Copyright 1999-2003 The OpenLDAP Foundation.
+ * Portions Copyright 1999 Dmitry Kovalev.
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms are permitted only
- * as authorized by the OpenLDAP Public License. A copy of this
- * license is available at http://www.OpenLDAP.org/license.html or
- * in file LICENSE in the top-level directory of the distribution.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
+ *
+ * A copy of this license is available in the file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * <http://www.OpenLDAP.org/license.html>.
+ */
+/* ACKNOWLEDGEMENTS:
+ * This work was initially developed by Dmitry Kovalev for inclusion
+ * by OpenLDAP Software.
*/
#include "portable.h"
-/*
- * Copyright 1999, Dmitry Kovalev <mit@openldap.org>, All rights reserved.
+/* $OpenLDAP$ */
+/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
+ *
+ * Copyright 1999-2003 The OpenLDAP Foundation.
+ * Portions Copyright 1999 Dmitry Kovalev.
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms are permitted only
- * as authorized by the OpenLDAP Public License. A copy of this
- * license is available at http://www.OpenLDAP.org/license.html or
- * in file LICENSE in the top-level directory of the distribution.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
+ *
+ * A copy of this license is available in the file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * <http://www.OpenLDAP.org/license.html>.
+ */
+/* ACKNOWLEDGEMENTS:
+ * This work was initially developed by Dmitry Kovalev for inclusion
+ * by OpenLDAP Software.
*/
#include "portable.h"
-/*
- * Copyright 1999, Dmitry Kovalev <mit@openldap.org>, All rights reserved.
+/* $OpenLDAP$ */
+/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
+ *
+ * Copyright 1999-2003 The OpenLDAP Foundation.
+ * Portions Copyright 1999 Dmitry Kovalev.
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms are permitted only
- * as authorized by the OpenLDAP Public License. A copy of this
- * license is available at http://www.OpenLDAP.org/license.html or
- * in file LICENSE in the top-level directory of the distribution.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
+ *
+ * A copy of this license is available in the file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * <http://www.OpenLDAP.org/license.html>.
+ */
+/* ACKNOWLEDGEMENTS:
+ * This work was initially developed by Dmitry Kovalev for inclusion
+ * by OpenLDAP Software.
*/
#include "portable.h"
-#ifndef __BACKSQL_SCHEMA_MAP_H__
-#define __BACKSQL_SCHEMA_MAP_H__
-
-/*
- * Copyright 1999, Dmitry Kovalev <mit@openldap.org>, All rights reserved.
+/* $OpenLDAP$ */
+/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
+ *
+ * Copyright 1999-2003 The OpenLDAP Foundation.
+ * Portions Copyright 1999 Dmitry Kovalev.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
*
- * Redistribution and use in source and binary forms are permitted only
- * as authorized by the OpenLDAP Public License. A copy of this
- * license is available at http://www.OpenLDAP.org/license.html or
- * in file LICENSE in the top-level directory of the distribution.
+ * A copy of this license is available in the file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * <http://www.OpenLDAP.org/license.html>.
*/
+/* ACKNOWLEDGEMENTS:
+ * This work was initially developed by Dmitry Kovalev for inclusion
+ * by OpenLDAP Software.
+ */
+
+#ifndef __BACKSQL_SCHEMA_MAP_H__
+#define __BACKSQL_SCHEMA_MAP_H__
typedef struct {
/*
-/*
- * Copyright 1999, Dmitry Kovalev <mit@openldap.org>, All rights reserved.
+/* $OpenLDAP$ */
+/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Redistribution and use in source and binary forms are permitted only
- * as authorized by the OpenLDAP Public License. A copy of this
- * license is available at http://www.OpenLDAP.org/license.html or
- * in file LICENSE in the top-level directory of the distribution.
+ * Copyright 1999-2003 The OpenLDAP Foundation.
+ * Portions Copyright 1999 Dmitry Kovalev.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
+ *
+ * A copy of this license is available in the file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * <http://www.OpenLDAP.org/license.html>.
+ */
+/* ACKNOWLEDGEMENTS:
+ * This work was initially developed by Dmitry Kovalev for inclusion
+ * by OpenLDAP Software.
*/
#include "portable.h"
-#ifndef __BACKSQL_SQL_TYPES_H__
-#define __BACKSQL_SQL_TYPES_H__
-
-/*
- * Copyright 1999, Dmitry Kovalev <mit@openldap.org>, All rights reserved.
+/* $OpenLDAP$ */
+/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
+ *
+ * Copyright 1999-2003 The OpenLDAP Foundation.
+ * Portions Copyright 1999 Dmitry Kovalev.
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms are permitted only
- * as authorized by the OpenLDAP Public License. A copy of this
- * license is available at http://www.OpenLDAP.org/license.html or
- * in file LICENSE in the top-level directory of the distribution.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
+ *
+ * A copy of this license is available in the file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * <http://www.OpenLDAP.org/license.html>.
+ */
+/* ACKNOWLEDGEMENTS:
+ * This work was initially developed by Dmitry Kovalev for inclusion
+ * by OpenLDAP Software.
*/
+#ifndef __BACKSQL_SQL_TYPES_H__
+#define __BACKSQL_SQL_TYPES_H__
#include <sql.h>
#include <sqlext.h>
-/*
- * Copyright 1999, Dmitry Kovalev <mit@openldap.org>, All rights reserved.
+/* $OpenLDAP$ */
+/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
+ *
+ * Copyright 1999-2003 The OpenLDAP Foundation.
+ * Portions Copyright 1999 Dmitry Kovalev.
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms are permitted only
- * as authorized by the OpenLDAP Public License. A copy of this
- * license is available at http://www.OpenLDAP.org/license.html or
- * in file LICENSE in the top-level directory of the distribution.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
+ *
+ * A copy of this license is available in the file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * <http://www.OpenLDAP.org/license.html>.
+ */
+/* ACKNOWLEDGEMENTS:
+ * This work was initially developed by Dmitry Kovalev for inclusion
+ * by OpenLDAP Software.
*/
#include "portable.h"
-#ifndef __BACKSQL_SQL_WRAP_H__
-#define __BACKSQL_SQL_WRAP_H__
-
-/*
- * Copyright 1999, Dmitry Kovalev <mit@openldap.org>, All rights reserved.
+/* $OpenLDAP$ */
+/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
+ *
+ * Copyright 1999-2003 The OpenLDAP Foundation.
+ * Portions Copyright 1999 Dmitry Kovalev.
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms are permitted only
- * as authorized by the OpenLDAP Public License. A copy of this
- * license is available at http://www.OpenLDAP.org/license.html or
- * in file LICENSE in the top-level directory of the distribution.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
+ *
+ * A copy of this license is available in the file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * <http://www.OpenLDAP.org/license.html>.
+ */
+/* ACKNOWLEDGEMENTS:
+ * This work was initially developed by Dmitry Kovalev for inclusion
+ * by OpenLDAP Software.
*/
+#ifndef __BACKSQL_SQL_WRAP_H__
+#define __BACKSQL_SQL_WRAP_H__
#include "back-sql.h"
#include "sql-types.h"
-/*
- * Copyright 1999, Dmitry Kovalev <mit@openldap.org>, All rights reserved.
+/* $OpenLDAP$ */
+/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
+ *
+ * Copyright 1999-2003 The OpenLDAP Foundation.
+ * Portions Copyright 1999 Dmitry Kovalev.
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms are permitted only
- * as authorized by the OpenLDAP Public License. A copy of this
- * license is available at http://www.OpenLDAP.org/license.html or
- * in file LICENSE in the top-level directory of the distribution.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
+ *
+ * A copy of this license is available in the file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * <http://www.OpenLDAP.org/license.html>.
+ */
+/* ACKNOWLEDGEMENTS:
+ * This work was initially developed by Dmitry Kovalev for inclusion
+ * by OpenLDAP Software.
*/
#include "portable.h"
-#ifndef __BACKSQL_UTIL_H__
-#define __BACKSQL_UTIL_H__
-
-/*
- * Copyright 1999, Dmitry Kovalev <mit@openldap.org>, All rights reserved.
+/* $OpenLDAP$ */
+/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
+ *
+ * Copyright 1999-2003 The OpenLDAP Foundation.
+ * Portions Copyright 1999 Dmitry Kovalev.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
*
- * Redistribution and use in source and binary forms are permitted only
- * as authorized by the OpenLDAP Public License. A copy of this
- * license is available at http://www.OpenLDAP.org/license.html or
- * in file LICENSE in the top-level directory of the distribution.
+ * A copy of this license is available in the file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * <http://www.OpenLDAP.org/license.html>.
*/
+/* ACKNOWLEDGEMENTS:
+ * This work was initially developed by Dmitry Kovalev for inclusion
+ * by OpenLDAP Software.
+ */
+
+#ifndef __BACKSQL_UTIL_H__
+#define __BACKSQL_UTIL_H__
#include "entry-id.h"
/* open each backend database */
for( i = 0; i < nBackendDB; i++ ) {
-#ifndef SLAPD_MULTIMASTER
- if ( backendDB[i].be_update_ndn.bv_val && (
- !backendDB[i].be_update_refs &&
- LDAP_STAILQ_EMPTY( &backendDB[i].be_syncinfo ) &&
- !default_referral ) )
- {
-#ifdef NEW_LOGGING
- LDAP_LOG( BACKEND, CRIT,
- "backend_startup: slave \"%s\" updateref missing\n",
- backendDB[i].be_suffix[0].bv_val, 0, 0 );
-
-#else
- Debug( LDAP_DEBUG_ANY,
- "backend_startup: slave \"%s\" updateref missing\n",
- backendDB[i].be_suffix[0].bv_val, 0, 0 );
-#endif
- return -1;
- }
-#endif
-
/* append global access controls */
acl_append( &backendDB[i].be_acl, global_acl );
if( requires & SLAP_REQUIRE_STRONG ) {
/* should check mechanism */
if( ( op->o_transport_ssf < ssf->sss_transport
- && op->o_authmech.bv_len == 0 ) || op->o_dn.bv_len == 0 )
+ && op->o_authtype == LDAP_AUTH_SIMPLE ) || op->o_dn.bv_len == 0 )
{
rs->sr_text = "strong authentication required";
rs->sr_err = LDAP_STRONG_AUTH_REQUIRED;
}
if( requires & SLAP_REQUIRE_SASL ) {
- if( op->o_authmech.bv_len == 0 || op->o_dn.bv_len == 0 ) {
+ if( op->o_authtype != LDAP_AUTH_SASL || op->o_dn.bv_len == 0 ) {
rs->sr_text = "SASL authentication required";
rs->sr_err = LDAP_STRONG_AUTH_REQUIRED;
return rs->sr_err;
char *matched;
int nrefs;
BerVarray refs;
- slap_callback *prevcb;
} glue_state;
static int
glue_back_response ( Operation *op, SlapReply *rs )
{
glue_state *gs = op->o_callback->sc_private;
- slap_callback *tmp = op->o_callback;
switch(rs->sr_type) {
case REP_SEARCH:
case REP_SEARCHREF:
- op->o_callback = gs->prevcb;
- if (op->o_callback && op->o_callback->sc_response) {
- rs->sr_err = op->o_callback->sc_response( op, rs );
- } else rs->sr_err = SLAP_CB_CONTINUE;
- op->o_callback = tmp;
- return rs->sr_err;
+ return SLAP_CB_CONTINUE;
default:
if (rs->sr_err == LDAP_SUCCESS || gs->err != LDAP_SUCCESS)
glueinfo *gi = (glueinfo *) b0->bd_info;
int i;
long stoptime = 0;
- glue_state gs = {0, 0, NULL, 0, NULL, NULL};
- slap_callback cb = { glue_back_response, NULL };
+ glue_state gs = {0, 0, NULL, 0, NULL};
+ slap_callback cb = { NULL, glue_back_response, NULL, NULL };
int scope0, slimit0, tlimit0;
struct berval dn, ndn;
cb.sc_private = &gs;
- gs.prevcb = op->o_callback;
+ cb.sc_next = op->o_callback;
if (op->ors_tlimit) {
stoptime = slap_get_time () + op->ors_tlimit;
break;
}
- op->o_callback = gs.prevcb;
+ op->o_callback = cb.sc_next;
rs->sr_err = gs.err;
rs->sr_matched = gs.matched;
rs->sr_ref = gs.refs;
if ( oi->oi_bd.bd_info->bi_db_config ) {
rc = oi->oi_bd.bd_info->bi_db_config( &oi->oi_bd, fname, lineno,
argc, argv );
- if ( rc ) return rc;
+ if ( rc != SLAP_CONF_UNKNOWN ) return rc;
}
bd = *be;
if (on->on_bi.bi_db_config) {
rc = on->on_bi.bi_db_config( &bd, fname, lineno,
argc, argv );
- if ( rc ) break;
+ if ( rc != SLAP_CONF_UNKNOWN ) break;
}
}
return rc;
slap_overinst *on = oi->oi_list;
int rc = SLAP_CB_CONTINUE;
BackendDB *be = op->o_bd, db = *op->o_bd;
- slap_callback *sc = op->o_callback->sc_private;
- slap_callback *s0 = op->o_callback;
op->o_bd = &db;
- op->o_callback = sc;
for (; on; on=on->on_next ) {
if ( on->on_response ) {
db.bd_info = (BackendInfo *)on;
if ( rc != SLAP_CB_CONTINUE ) break;
}
}
- if ( sc && (rc == SLAP_CB_CONTINUE) ) {
- rc = sc->sc_response( op, rs );
- }
op->o_bd = be;
- op->o_callback = s0;
return rc;
}
slap_overinst *on = oi->oi_list;
BI_op_bind **func;
BackendDB *be = op->o_bd, db = *op->o_bd;
- slap_callback cb = {over_back_response, NULL};
+ slap_callback cb = {NULL, over_back_response, NULL, NULL};
int rc = SLAP_CB_CONTINUE;
op->o_bd = &db;
- cb.sc_private = op->o_callback;
+ cb.sc_next = op->o_callback;
op->o_callback = &cb;
for (; on; on=on->on_next ) {
if ( rc == SLAP_CB_CONTINUE ) {
rc = LDAP_UNWILLING_TO_PERFORM;
}
- op->o_callback = cb.sc_private;
+ op->o_callback = cb.sc_next;
return rc;
}
}
if ( method == LDAP_AUTH_SIMPLE ) {
+ ber_str2bv( "SIMPLE", sizeof("SIMPLE")-1, 0, &mech );
/* accept "anonymous" binds */
if ( op->orb_cred.bv_len == 0 || op->o_req_ndn.bv_len == 0 ) {
rs->sr_err = LDAP_SUCCESS;
#endif
goto cleanup;
}
+ ber_str2bv( "KRBV4", sizeof("KRBV4")-1, 0, &mech );
#endif
} else {
}
/* log authorization identity */
Statslog( LDAP_DEBUG_STATS,
- "conn=%lu op=%lu BIND dn=\"%s\" mech=simple (SLAPI) ssf=0\n",
+ "conn=%lu op=%lu BIND dn=\"%s\" mech=%s (SLAPI) ssf=0\n",
op->o_connid, op->o_opid,
op->o_conn->c_dn.bv_val ? op->o_conn->c_dn.bv_val : "<empty>",
- 0, 0 );
+ mech.bv_val, 0 );
ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex );
}
goto cleanup;
/* log authorization identity */
Statslog( LDAP_DEBUG_STATS,
- "conn=%lu op=%lu BIND dn=\"%s\" mech=simple ssf=0\n",
+ "conn=%lu op=%lu BIND dn=\"%s\" mech=%s ssf=0\n",
op->o_connid, op->o_opid,
- op->o_conn->c_dn.bv_val, 0, 0 );
+ op->o_conn->c_dn.bv_val, mech.bv_val, 0 );
#ifdef NEW_LOGGING
LDAP_LOG( OPERATION, DETAIL1,
#endif /* defined( LDAP_SLAPI ) */
cleanup:
+ if ( rs->sr_err == LDAP_SUCCESS ) {
+ if ( method != LDAP_AUTH_SASL ) {
+ ber_dupbv( &op->o_conn->c_authmech, &mech );
+ }
+ op->o_conn->c_authtype = method;
+ }
op->o_conn->c_sasl_bindop = NULL;
/* pass anything else to the current backend info/db config routine */
} else {
if ( bi != NULL ) {
- if ( bi->bi_config == 0 ) {
+ if ( bi->bi_config ) {
+ rc = (*bi->bi_config)( bi, fname, lineno, cargc, cargv );
+
+ switch ( rc ) {
+ case 0:
+ break;
+
+ case SLAP_CONF_UNKNOWN:
#ifdef NEW_LOGGING
- LDAP_LOG( CONFIG, INFO,
- "%s: line %d: unknown directive \"%s\" inside "
- "backend info definition (ignored).\n",
- fname, lineno, cargv[0] );
+ LDAP_LOG( CONFIG, INFO,
+ "%s: line %d: unknown directive \"%s\" inside "
+ "backend info definition (ignored).\n",
+ fname, lineno, cargv[0] );
#else
- Debug( LDAP_DEBUG_ANY,
+ Debug( LDAP_DEBUG_ANY,
"%s: line %d: unknown directive \"%s\" inside backend info definition (ignored)\n",
- fname, lineno, cargv[0] );
+ fname, lineno, cargv[0] );
#endif
+ break;
- } else {
- if ( (*bi->bi_config)( bi, fname, lineno, cargc, cargv )
- != 0 )
- {
- return( 1 );
+ default:
+ return 1;
}
}
+
} else if ( be != NULL ) {
- if ( be->be_config == 0 ) {
+ if ( be->be_config ) {
+ rc = (*be->be_config)( be, fname, lineno, cargc, cargv );
+
+ switch ( rc ) {
+ case 0:
+ break;
+
+ case SLAP_CONF_UNKNOWN:
#ifdef NEW_LOGGING
- LDAP_LOG( CONFIG, INFO,
- "%s: line %d: uknown directive \"%s\" inside "
- "backend database definition (ignored).\n",
- fname, lineno, cargv[0] );
+ LDAP_LOG( CONFIG, INFO,
+ "%s: line %d: unknown directive \"%s\" inside "
+ "backend database definition (ignored).\n",
+ fname, lineno, cargv[0] );
#else
- Debug( LDAP_DEBUG_ANY,
+ Debug( LDAP_DEBUG_ANY,
"%s: line %d: unknown directive \"%s\" inside backend database definition (ignored)\n",
- fname, lineno, cargv[0] );
+ fname, lineno, cargv[0] );
#endif
+ break;
- } else {
- if ( (*be->be_config)( be, fname, lineno, cargc, cargv )
- != 0 )
- {
- return( 1 );
+ default:
+ return 1;
}
}
+
} else {
#ifdef NEW_LOGGING
LDAP_LOG( CONFIG, INFO,
/* We can use Thread-Local storage for most mallocs. We can
* also use TL for ber parsing, but not on Add or Modify.
*/
-#define SLAB_SIZE 1048576
#if 0
memsiz = ber_len( op->o_ber ) * 64;
- if ( SLAB_SIZE > memsiz ) memsiz = SLAB_SIZE;
+ if ( SLMALLOC_SLAB_SIZE > memsiz ) memsiz = SLMALLOC_SLAB_SIZE;
#endif
- memsiz = SLAB_SIZE;
+ memsiz = SLMALLOC_SLAB_SIZE;
memctx = sl_mem_create( memsiz, ctx );
op->o_tmpmemctx = memctx;
#define CONNECTION_INPUT_LOOP 1
/* #define DATA_READY_LOOP 1 */
- do
- {
+ do {
/* How do we do this without getting into a busy loop ? */
rc = connection_input( c );
}
#ifdef DATA_READY_LOOP
- while( !rc && ber_sockbuf_ctrl( c->c_sb, LBER_SB_OPT_DATA_READY, NULL ) );
+ while( !rc && ber_sockbuf_ctrl( c->c_sb, LBER_SB_OPT_DATA_READY, NULL ));
#elif CONNECTION_INPUT_LOOP
while(!rc);
#else
op->o_preread_attrs = NULL;
op->o_postread_attrs = NULL;
op->o_vrFilter = NULL;
-
-#ifdef LDAP_CONTROL_PAGEDRESULTS
op->o_pagedresults_state = conn->c_pagedresults_state;
-#endif
op->o_res_ber = NULL;
{ LDAP_CONTROL_VALUESRETURNFILTER,
SLAP_CTRL_SEARCH, NULL,
parseValuesReturnFilter, LDAP_SLIST_ENTRY_INITIALIZER(next) },
-#ifdef LDAP_CONTROL_PAGEDRESULTS
{ LDAP_CONTROL_PAGEDRESULTS,
SLAP_CTRL_SEARCH, NULL,
parsePagedResults, LDAP_SLIST_ENTRY_INITIALIZER(next) },
-#endif
#ifdef LDAP_CONTROL_X_DOMAIN_SCOPE
{ LDAP_CONTROL_X_DOMAIN_SCOPE,
SLAP_CTRL_FRONTEND|SLAP_CTRL_SEARCH, NULL,
SlapReply *rs,
LDAPControl *ctrl )
{
- int rc;
- struct berval dn = { 0, NULL };
+ int rc;
+ struct berval dn = { 0, NULL };
if ( op->o_proxy_authz != SLAP_NO_CONTROL ) {
rs->sr_text = "proxy authorization control specified multiple times";
return LDAP_SUCCESS;
}
- rc = slap_sasl_getdn( op->o_conn, op,
- ctrl->ldctl_value.bv_val, ctrl->ldctl_value.bv_len,
- NULL, &dn, SLAP_GETDN_AUTHZID );
+ /* FIXME: how can we get the realm? */
+ {
+ int rc;
+ char buf[ SLAP_LDAPDN_MAXLEN ];
+ struct berval id = { ctrl->ldctl_value.bv_len, (char *)buf },
+ user = { 0, NULL },
+ realm = { 0, NULL },
+ mech = { 0, NULL };
+
+ strncpy( buf, ctrl->ldctl_value.bv_val, sizeof( buf ) );
+
+ rc = slap_parse_user( &id, &user, &realm, &mech );
+ if ( rc == LDAP_SUCCESS ) {
+ struct berval authz = BER_BVC( "AUTHZ" );
+
+ if ( mech.bv_len && !bvmatch( &mech, &authz) ) {
+ rs->sr_text = "mech not allowed in authzId";
+ return LDAP_PROXY_AUTHZ_FAILURE;
+ }
+ } else {
+ user = ctrl->ldctl_value;
+ }
+
+ rc = slap_sasl_getdn( op->o_conn, op,
+ user.bv_val, user.bv_len,
+ realm.bv_val, &dn, SLAP_GETDN_AUTHZID );
- if( rc != LDAP_SUCCESS || !dn.bv_len ) {
- if ( dn.bv_val ) {
- ch_free( dn.bv_val );
+ if( rc != LDAP_SUCCESS || !dn.bv_len ) {
+ if ( dn.bv_val ) {
+ ch_free( dn.bv_val );
+ }
+ rs->sr_text = "authzId mapping failed";
+ return LDAP_PROXY_AUTHZ_FAILURE;
}
- rs->sr_text = "authzId mapping failed";
- return LDAP_PROXY_AUTHZ_FAILURE;
}
#ifdef NEW_LOGGING
return LDAP_SUCCESS;
}
-#ifdef LDAP_CONTROL_PAGEDRESULTS
static int parsePagedResults (
Operation *op,
SlapReply *rs,
return LDAP_SUCCESS;
}
-#endif
static int parseAssert (
Operation *op,
void
slap_get_commit_csn( Operation *op, struct berval *csn )
{
- struct slap_csn_entry *csne = NULL, *committed_csne = NULL;
+ struct slap_csn_entry *csne, *committed_csne = NULL;
int i = 0;
csn->bv_val = NULL;
ldap_pvt_thread_mutex_lock( &op->o_bd->be_pcl_mutex );
LDAP_TAILQ_FOREACH( csne, &op->o_bd->be_pending_csn_list, csn_link ) {
- if ( csne->opid == op->o_opid && csne->connid == op->o_connid ) break;
- }
-
- if ( csne ) {
- csne->state = SLAP_CSN_COMMIT;
+ if ( csne->opid == op->o_opid && csne->connid == op->o_connid ) {
+ csne->state = SLAP_CSN_COMMIT;
+ break;
+ }
}
LDAP_TAILQ_FOREACH( csne, &op->o_bd->be_pending_csn_list, csn_link ) {
if ( csne->state == SLAP_CSN_PENDING ) break;
}
- ldap_pvt_thread_mutex_unlock( &op->o_bd->be_pcl_mutex );
-
if ( committed_csne ) {
ber_dupbv( csn, committed_csne->csn );
}
+
+ ldap_pvt_thread_mutex_unlock( &op->o_bd->be_pcl_mutex );
+
}
void
slap_rewind_commit_csn( Operation *op )
{
- struct slap_csn_entry *csne = NULL;
+ struct slap_csn_entry *csne;
ldap_pvt_thread_mutex_lock( &op->o_bd->be_pcl_mutex );
LDAP_TAILQ_FOREACH( csne, &op->o_bd->be_pending_csn_list, csn_link ) {
- if ( csne->opid == op->o_opid && csne->connid == op->o_connid ) break;
+ if ( csne->opid == op->o_opid && csne->connid == op->o_connid ) {
+ csne->state = SLAP_CSN_PENDING;
+ break;
+ }
}
- if ( csne ) {
- csne->state = SLAP_CSN_PENDING;
- }
-
ldap_pvt_thread_mutex_unlock( &op->o_bd->be_pcl_mutex );
}
void
slap_graduate_commit_csn( Operation *op )
{
- struct slap_csn_entry *csne = NULL;
+ struct slap_csn_entry *csne;
if ( op == NULL )
return;
ldap_pvt_thread_mutex_lock( &op->o_bd->be_pcl_mutex );
LDAP_TAILQ_FOREACH( csne, &op->o_bd->be_pending_csn_list, csn_link ) {
- if ( csne->opid == op->o_opid && csne->connid == op->o_connid ) break;
- }
-
- if ( csne ) {
- LDAP_TAILQ_REMOVE( &op->o_bd->be_pending_csn_list, csne, csn_link );
- ch_free( csne->csn->bv_val );
- ch_free( csne->csn );
- ch_free( csne );
+ if ( csne->opid == op->o_opid && csne->connid == op->o_connid ) {
+ LDAP_TAILQ_REMOVE( &op->o_bd->be_pending_csn_list, csne, csn_link );
+ ch_free( csne->csn->bv_val );
+ ch_free( csne->csn );
+ ch_free( csne );
+ break;
+ }
}
ldap_pvt_thread_mutex_unlock( &op->o_bd->be_pcl_mutex );
return e;
}
-static int
-slap_contextcsn_callback(
- Operation* op,
- SlapReply* rs
-)
-{
- if ( rs->sr_type != REP_SEARCH ) {
- *((int*)op->o_callback->sc_private) = 0;
- } else {
- *((int*)op->o_callback->sc_private) = 1;
- }
- return LDAP_SUCCESS;
-}
-
int
slap_get_csn(
Operation *op,
BerVarray bptr;
i = entry_getlen(&ptr);
+ if (!i) {
+#ifdef NEW_LOGGING
+ LDAP_LOG( OPERATION, INFO,
+ "entry_decode: entry length was zero\n", 0, 0, 0);
+#else
+ Debug( LDAP_DEBUG_ANY,
+ "entry_decode: entry length was zero\n", 0, 0, 0);
+#endif
+ return LDAP_OTHER;
+ }
x = ch_calloc(1, i);
i = entry_getlen(&ptr);
x->e_name.bv_val = (char *) ptr;
if ( rs->sr_err == LDAP_REFERRAL && rs->sr_ref == NULL ) {
rs->sr_ref = referral_rewrite( default_referral,
NULL, NULL, LDAP_SCOPE_DEFAULT );
+ if ( !rs->sr_ref ) rs->sr_ref = default_referral;
+ if ( !rs->sr_ref ) {
+ rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
+ rs->sr_text = "referral missing";
+ }
}
send_ldap_extended( op, rs );
- ber_bvarray_free( rs->sr_ref );
+ if ( rs->sr_ref != default_referral ) {
+ ber_bvarray_free( rs->sr_ref );
+ rs->sr_ref = NULL;
+ }
}
if ( rs->sr_rspoid != NULL ) {
*/
ldap_pvt_thread_pool_t connection_pool;
int connection_pool_max = SLAP_MAX_WORKER_THREADS;
+#ifndef HAVE_GMTIME_R
ldap_pvt_thread_mutex_t gmtime_mutex;
+#endif
#if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
ldap_pvt_thread_mutex_t passwd_mutex;
#endif
}
#endif
+#ifndef HAVE_GMTIME_R
ldap_pvt_thread_mutex_init( &gmtime_mutex );
+#endif
#if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
ldap_pvt_thread_mutex_init( &passwd_mutex );
#endif
#endif /* LOG_LOCAL4 */
static int check_config = 0;
+static int version = 0;
static void
usage( char *name )
"\t-t\t\tCheck configuration file and exit\n"
#if defined(HAVE_SETUID) && defined(HAVE_SETGID)
"\t-u user\t\tUser (id or name) to run as\n"
+ "\t-V\t\tprint version info (-VV only)\n"
#endif
);
}
#endif
while ( (i = getopt( argc, argv,
- "c:d:f:h:s:n:t"
+ "c:d:f:h:s:n:t:V"
#if LDAP_PF_INET6
"46"
#endif
case 't':
check_config++;
break;
+ case 'V':
+ version++;
+ break;
default:
usage( argv[0] );
ldif_debug = slap_debug;
#endif
-#ifdef NEW_LOGGING
- LDAP_LOG( SLAPD, INFO, "%s", Versionstr, 0, 0 );
-#else
- Debug( LDAP_DEBUG_TRACE, "%s", Versionstr, 0, 0 );
-#endif
+ if ( version ) {
+ fprintf( stderr, "%s\n", Versionstr );
+ if ( version > 1 ) goto stop;
+ }
if( serverName == NULL ) {
if ( (serverName = strrchr( argv[0], *LDAP_DIRSEP )) == NULL ) {
openlog( serverName, OPENLOG_OPTIONS );
#endif
+#ifdef NEW_LOGGING
+ LDAP_LOG( SLAPD, INFO, "%s", Versionstr, 0, 0 );
+#else
+ Debug( LDAP_DEBUG_ANY, "%s", Versionstr, 0, 0 );
+#endif
+
if( !check_config && slapd_daemon_init( urls ) != 0 ) {
rc = 1;
SERVICE_EXIT( ERROR_SERVICE_SPECIFIC_ERROR, 16 );
}
#endif /* LDAP_SLAPI */
+ if ( overlay_init() ) {
+ goto destroy;
+ }
+
if ( read_config( configfile, 0 ) != 0 ) {
rc = 1;
SERVICE_EXIT( ERROR_SERVICE_SPECIFIC_ERROR, 19 );
if ( SLAP_LASTMOD( op->o_bd )) {
struct tm *ltm;
+#ifdef HAVE_GMTIME_R
+ struct tm ltm_buf;
+#endif
time_t now = slap_get_time();
+#ifdef HAVE_GMTIME_R
+ ltm = gmtime_r( &now, <m_buf );
+#else
ldap_pvt_thread_mutex_lock( &gmtime_mutex );
ltm = gmtime( &now );
+#endif /* HAVE_GMTIME_R */
lutil_gentime( timebuf, sizeof(timebuf), ltm );
slap_get_csn( op, csnbuf, sizeof(csnbuf), &csn, 1 );
+#ifndef HAVE_GMTIME_R
ldap_pvt_thread_mutex_unlock( &gmtime_mutex );
+#endif
timestamp.bv_val = timebuf;
timestamp.bv_len = strlen(timebuf);
--- /dev/null
+# Makefile.in for overlays
+# $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 2003 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+
+SRCS = overlays.c dyngroup.c pcache.c
+OBJS = overlays.lo dyngroup.lo pcache.lo
+
+LDAP_INCDIR= ../../../include
+LDAP_LIBDIR= ../../../libraries
+
+MOD_DEFS = -DSLAPD_IMPORT
+
+shared_LDAP_LIBS = $(LDAP_LIBLDAP_R_LA) $(LDAP_LIBLBER_LA)
+NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
+UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
+
+LIBRARY = ../liboverlays.a
+PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@
+
+XINCPATH = -I.. -I$(srcdir)/..
+XDEFS = $(MODULES_CPPFLAGS)
+
+dyngroup.la : dyngroup.lo $(@PLAT@_LINK_LIBS)
+ $(LTLINK_MOD) -module -o $@ dyngroup.lo version.lo $(LINK_LIBS)
+
+pcache.la : pcache.lo $(@PLAT@_LINK_LIBS)
+ $(LTLINK_MOD) -module -o $@ pcache.lo version.lo $(LINK_LIBS)
+
+install-local: $(PROGRAMS)
+ @-$(MKDIR) $(DESTDIR)$(moduledir)
+ @for i in $? ; do \
+ $(LTINSTALL) $(INSTALLFLAGS) -m 755 $$i $(DESTDIR)$(moduledir);\
+ done
+
+MKDEPFLAG = -l
+
+.SUFFIXES: .c .o .lo
+
+.c.lo:
+ $(LTCOMPILE_LIB) $<
+
+$(LIBRARY): version.lo
+ $(LTLINK_LIB) -o $@ $(OBJS) version.lo
+
+++ /dev/null
-# $OpenLDAP$
-
-This directory is still a work in progress. As such, no explicit makefile
-is provided.
-
-The overlays are meant to be built as dynamically loaded modules.
-To build a particular overlay, use commands of this form:
-
- libtool --mode=compile cc -I../../../include -I.. -c dyngroup.c
- libtool --mode=link cc -rpath /module/executable/path \
- -module -o dyngroup.la dyngroup.lo
-
-To use the dyngroup overlay on a backend, set slapd.conf as follows:
-
- moduleload /module/executable/path/dyngroup.la
-
- database bdb
- ... (BDB configuration)
- overlay dyngroup
- attrpair member memberurl
-
-Replace "/module/executable/path" with the full pathname of the directory
-where the module will be installed.
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 2003 The OpenLDAP Foundation.
+ * Copyright 2003 by Howard Chu.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* top-level directory of the distribution or, alternatively, at
* <http://www.OpenLDAP.org/license.html>.
*/
-/* This is an altered version */
-/*
- * Copyright 2003, Howard Chu, All rights reserved. <hyc@symas.com>
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author is not responsible for the consequences of use of this
- * software, no matter how awful, even if they arise from flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- *
- * 4. This notice may not be removed or altered.
- */
/* ACKNOWLEDGEMENTS:
* This work was initially developed by Howard Chu for inclusion in
* OpenLDAP Software.
#include "portable.h"
+#ifdef SLAPD_OVER_DYNGROUP
+
#include <stdio.h>
#include <ac/string.h>
a2->ap_mem = ap.ap_mem;
a2->ap_uri = ap.ap_uri;
on->on_bi.bi_private = a2;
+ } else {
+ return SLAP_CONF_UNKNOWN;
}
return 0;
}
* initialized and registered by some other function inside slapd.
*/
-int init_module(int argc, char *argv[]) {
+int dyngroup_init() {
dyngroup.on_bi.bi_type = "dyngroup";
dyngroup.on_bi.bi_db_config = dyngroup_config;
dyngroup.on_bi.bi_db_close = dyngroup_close;
return overlay_register( &dyngroup );
}
+
+#if SLAPD_OVER_DYNGROUP == SLAPD_MOD_DYNAMIC
+int init_module(int argc, char *argv[]) {
+ return dyngroup_init();
+}
+#endif
+
+#endif /* defined(SLAPD_OVER_DYNGROUP) */
--- /dev/null
+/* overlays.c - Static overlay framework */
+/* $OpenLDAP$ */
+/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
+ *
+ * Copyright 2003 The OpenLDAP Foundation.
+ * Copyright 2003 by Howard Chu.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
+ *
+ * A copy of this license is available in the file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * <http://www.OpenLDAP.org/license.html>.
+ */
+/* ACKNOWLEDGEMENTS:
+ * This work was initially developed by Howard Chu for inclusion in
+ * OpenLDAP Software.
+ */
+
+#include "portable.h"
+
+#include "slap.h"
+
+
+#if SLAPD_OVER_DYNGROUP == SLAPD_MOD_STATIC
+extern int dyngroup_init();
+#endif
+#if SLAPD_OVER_PROXYCACHE == SLAPD_MOD_STATIC
+extern int pcache_init();
+#endif
+#if SLAPD_OVER_RWM == SLAPD_MOD_STATIC
+extern int rwm_init();
+#endif
+
+static struct {
+ char *name;
+ int (*func)();
+} funcs[] = {
+#if SLAPD_OVER_DYNGROUP == SLAPD_MOD_STATIC
+ { "Dynamic Group", dyngroup_init },
+#endif
+#if SLAPD_OVER_PROXYCACHE == SLAPD_MOD_STATIC
+ { "Proxy Cache", pcache_init },
+#endif
+#if SLAPD_OVER_RWM == SLAPD_MOD_STATIC
+ { "Rewrite/Remap", rwm_init },
+#endif
+ { NULL, NULL }
+};
+
+int
+overlay_init(void)
+{
+ int i, rc = 0;
+
+ for ( i=0; funcs[i].name; i++ ) {
+ rc = funcs[i].func();
+ if ( rc ) {
+#ifdef NEW_LOGGING
+ LDAP_LOG( BACKEND, ERR,
+ "%s overlay setup failed, err %d\n", funcs[i].name, rc, 0 );
+#else
+ Debug( LDAP_DEBUG_ANY,
+ "%s overlay setup failed, err %d\n", funcs[i].name, rc, 0 );
+#endif
+ break;
+ }
+ }
+ return rc;
+}
--- /dev/null
+/* $OpenLDAP$ */
+/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
+ *
+ * Copyright 2003 The OpenLDAP Foundation.
+ * Portions Copyright 2003 IBM Corporation.
+ * Portions Copyright 2003 Symas Corporation.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
+ *
+ * A copy of this license is available in the file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * <http://www.OpenLDAP.org/license.html>.
+ */
+/* ACKNOWLEDGEMENTS:
+ * This work was initially developed by Apurva Kumar for inclusion
+ * in OpenLDAP Software and subsequently rewritten by Howard Chu.
+ */
+
+#include "portable.h"
+
+#ifdef SLAPD_OVER_PROXYCACHE
+
+#include <stdio.h>
+
+#include <ac/string.h>
+#include <ac/time.h>
+
+#include "slap.h"
+#include "ldap_pvt.h"
+#include "lutil.h"
+#include "ldap_rq.h"
+
+/* query cache structs */
+/* query */
+
+typedef struct Query_s {
+ Filter* filter; /* Search Filter */
+ AttributeName* attrs; /* Projected attributes */
+ struct berval base; /* Search Base */
+ int scope; /* Search scope */
+} Query;
+
+/* struct representing a cached query */
+typedef struct cached_query_s {
+ Query query; /* LDAP query */
+ struct berval q_uuid; /* query identifier */
+ int template_id; /* template of the query */
+ time_t expiry_time; /* time till the query is considered valid */
+ struct cached_query_s *next; /* next query in the template */
+ struct cached_query_s *prev; /* previous query in the template */
+ struct cached_query_s *lru_up; /* previous query in the LRU list */
+ struct cached_query_s *lru_down; /* next query in the LRU list */
+} CachedQuery;
+
+/* struct representing a query template
+ * e.g. template string = &(cn=)(mail=)
+ */
+typedef struct query_template_s {
+ struct berval querystr; /* Filter string corresponding to the QT */
+ int attr_set_index; /* determines the projected attributes */
+
+ CachedQuery* query; /* most recent query cached for the template */
+ CachedQuery* query_last; /* oldest query cached for the template */
+
+ int no_of_queries; /* Total number of queries in the template */
+ long ttl; /* TTL for the queries of this template */
+ ldap_pvt_thread_rdwr_t t_rwlock; /* Rd/wr lock for accessing queries in the template */
+} QueryTemplate;
+
+/*
+ * Represents a set of projected attributes and any
+ * supersets among all specified sets of attributes.
+ */
+
+struct attr_set {
+ AttributeName* attrs; /* specifies the set */
+ int count; /* number of attributes */
+ int* ID_array; /* array of indices of supersets of 'attrs' */
+};
+
+struct query_manager_s;
+
+/* prototypes for functions for 1) query containment
+ * 2) query addition, 3) cache replacement
+ */
+typedef int (QCfunc)(struct query_manager_s*, Query*, int );
+typedef void (AddQueryfunc)(struct query_manager_s*, Query*, int, struct berval*);
+typedef void (CRfunc)(struct query_manager_s*, struct berval * );
+
+/* LDAP query cache */
+typedef struct query_manager_s {
+ struct attr_set* attr_sets; /* possible sets of projected attributes */
+ QueryTemplate* templates; /* cacheable templates */
+
+ CachedQuery* lru_top; /* top and bottom of LRU list */
+ CachedQuery* lru_bottom;
+
+ ldap_pvt_thread_mutex_t lru_mutex; /* mutex for accessing LRU list */
+
+ /* Query cache methods */
+ QCfunc *qcfunc; /* Query containment*/
+ CRfunc *crfunc; /* cache replacement */
+ AddQueryfunc *addfunc; /* add query */
+} query_manager;
+
+/* LDAP query cache manager */
+typedef struct cache_manager_s {
+ BackendInfo *bi; /* underlying database info */
+ void *be_private; /* for the underlying database */
+ unsigned long num_cached_queries; /* total number of cached queries */
+ unsigned long max_queries; /* upper bound on # of cached queries */
+ int numattrsets; /* number of attribute sets */
+ int numtemplates; /* number of cacheable templates */
+ int cur_entries; /* current number of entries cached */
+ int max_entries; /* max number of entries cached */
+ int num_entries_limit; /* max # of entries in a cacheable query */
+
+ int cc_period; /* interval between successive consistency checks (sec) */
+ int cc_paused;
+ void *cc_arg;
+
+ ldap_pvt_thread_mutex_t cache_mutex;
+ ldap_pvt_thread_mutex_t remove_mutex;
+
+ query_manager* qm; /* query cache managed by the cache manager */
+} cache_manager;
+
+static AttributeDescription *ad_queryid;
+static char *queryid_schema = "( 1.3.6.1.4.1.4203.666.1.12 NAME 'queryid' "
+ "DESC 'list of queries the entry belongs to' "
+ "EQUALITY octetStringMatch "
+ "SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{64} "
+ "NO-USER-MODIFICATION USAGE directoryOperation )";
+
+/* Return 1 for an added entry, else 0 */
+static int
+merge_entry(
+ Operation *op,
+ Entry *e,
+ struct berval* query_uuid )
+{
+ int rc;
+ Modifications* modlist = NULL;
+ const char* text = NULL;
+ Attribute *attr;
+ char textbuf[SLAP_TEXT_BUFLEN];
+ size_t textlen = sizeof(textbuf);
+
+ SlapReply sreply = {REP_RESULT};
+
+ slap_callback cb = { NULL, slap_null_cb, NULL, NULL };
+
+ attr = e->e_attrs;
+ e->e_attrs = NULL;
+
+ /* add queryid attribute */
+ attr_merge_one( e, ad_queryid, query_uuid, NULL );
+
+ /* append the attribute list from the fetched entry */
+ e->e_attrs->a_next = attr;
+
+ op->o_tag = LDAP_REQ_ADD;
+ op->o_protocol = LDAP_VERSION3;
+ op->o_callback = &cb;
+ op->o_time = slap_get_time();
+ op->o_do_not_cache = 1;
+
+ op->ora_e = e;
+ op->o_req_dn = e->e_name;
+ op->o_req_ndn = e->e_nname;
+ rc = op->o_bd->be_add( op, &sreply );
+
+ if ( rc != LDAP_SUCCESS ) {
+ if ( rc == LDAP_ALREADY_EXISTS ) {
+ slap_entry2mods( e, &modlist, &text, textbuf, textlen );
+ modlist->sml_op = LDAP_MOD_ADD;
+ op->o_tag = LDAP_REQ_MODIFY;
+ op->orm_modlist = modlist;
+ op->o_bd->be_modify( op, &sreply );
+ slap_mods_free( modlist );
+ } else if ( rc == LDAP_REFERRAL ||
+ rc == LDAP_NO_SUCH_OBJECT ) {
+ syncrepl_add_glue( op, e );
+ e = NULL;
+ rc = 1;
+ }
+ if ( e ) {
+ entry_free( e );
+ rc = 0;
+ }
+ } else {
+ be_entry_release_w( op, e );
+ rc = 1;
+ }
+
+ return rc;
+}
+
+/* compare base and scope of incoming and cached queries */
+static int base_scope_compare(
+ struct berval* ndn_stored,
+ struct berval* ndn_incoming,
+ int scope_stored,
+ int scope_incoming )
+{
+ struct berval pdn_incoming = { 0, NULL };
+
+ if (scope_stored < scope_incoming)
+ return 0;
+
+ if ( !dnIsSuffix(ndn_incoming, ndn_stored))
+ return 0;
+
+ switch(scope_stored) {
+ case LDAP_SCOPE_BASE:
+ return (ndn_incoming->bv_len == ndn_stored->bv_len);
+
+ case LDAP_SCOPE_ONELEVEL:
+ switch(scope_incoming){
+ case LDAP_SCOPE_BASE:
+ dnParent(ndn_incoming, &pdn_incoming);
+ return (pdn_incoming.bv_len == ndn_stored->bv_len);
+
+ case LDAP_SCOPE_ONELEVEL:
+ return (ndn_incoming->bv_len == ndn_stored->bv_len);
+
+ default:
+ return 0;
+ }
+ case LDAP_SCOPE_SUBTREE:
+ return 1;
+ break;
+ default:
+ return 0;
+ break;
+ }
+}
+
+/* add query on top of LRU list */
+static void
+add_query_on_top (query_manager* qm, CachedQuery* qc)
+{
+ CachedQuery* top = qm->lru_top;
+ Query* q = (Query*)qc;
+
+ qm->lru_top = qc;
+
+ if (top)
+ top->lru_up = qc;
+ else
+ qm->lru_bottom = qc;
+
+ qc->lru_down = top;
+ qc->lru_up = NULL;
+#ifdef NEW_LOGGING
+ LDAP_LOG( BACK_META, DETAIL1, "Base of added query = %s\n",
+ q->base.bv_val, 0, 0 );
+#else
+ Debug( LDAP_DEBUG_ANY, "Base of added query = %s\n",
+ q->base.bv_val, 0, 0 );
+#endif
+}
+
+/* remove_query from LRU list */
+
+static void
+remove_query (query_manager* qm, CachedQuery* qc)
+{
+ CachedQuery* up;
+ CachedQuery* down;
+
+ if (!qc)
+ return;
+
+ up = qc->lru_up;
+ down = qc->lru_down;
+
+ if (!up)
+ qm->lru_top = down;
+
+ if (!down)
+ qm->lru_bottom = up;
+
+ if (down)
+ down->lru_up = up;
+
+ if (up)
+ up->lru_down = down;
+
+ qc->lru_up = qc->lru_down = NULL;
+}
+
+static void
+invert_string( struct berval *bv )
+{
+ int i;
+ char c;
+
+ for (i=0; i<bv->bv_len/2; i++) {
+ c = bv->bv_val[i];
+ bv->bv_val[i] = bv->bv_val[bv->bv_len-i-1];
+ bv->bv_val[bv->bv_len-i-1] = c;
+ }
+}
+
+/* find and remove string2 from string1
+ * from start if position = 1,
+ * from end if position = 3,
+ * from anywhere if position = 2
+ */
+
+static int
+find_and_remove(struct berval* ber1, struct berval* ber2, int position)
+{
+ char* temp;
+ int len;
+ int ret=0;
+
+ char* arg1, *arg2;
+ char* string1=ber1->bv_val;
+ char* string2=ber2->bv_val;
+
+ if (string2 == NULL)
+ return 1;
+ if (string1 == NULL)
+ return 0;
+
+ if (position == 3) {
+ invert_string(ber1);
+ invert_string(ber2);
+ }
+
+ arg1 = string1;
+ arg2 = string2;
+
+ temp = strstr(arg1, arg2);
+
+ len = ber2->bv_len;
+
+ if ( temp && (position == 2 || temp == arg1) ) {
+ string1 = temp+len;
+ strcpy( arg1, string1 );
+ ber1->bv_len -= len;
+ ret = 1;
+ }
+ if ( position == 3 ) {
+ invert_string(ber1);
+ invert_string(ber2);
+ }
+ return ret;
+}
+
+
+static struct berval*
+merge_init_final(struct berval* init, struct berval* any, struct berval* final)
+{
+ struct berval* merged, *temp;
+ int i, any_count, count;
+
+ for (any_count=0; any && any[any_count].bv_val; any_count++)
+ ;
+
+ count = any_count;
+
+ if (init->bv_val)
+ count++;
+ if (final->bv_val)
+ count++;
+
+ merged = (struct berval*)(ch_malloc((count+1)*sizeof(struct berval)));
+ temp = merged;
+
+ if (init->bv_val) {
+ *temp++ = *init;
+ }
+
+ for (i=0; i<any_count; i++) {
+ *temp++ = *any++;
+ }
+
+ if (final->bv_val){
+ *temp++ = *final;
+ }
+ temp->bv_val = NULL;
+ temp->bv_len = 0;
+ return merged;
+}
+
+static int
+strings_containment(struct berval* stored, struct berval* incoming)
+{
+ struct berval* element;
+ int k=0;
+ int j, rc = 0;
+
+ for ( element=stored; element->bv_val != NULL; element++ ) {
+ for (j = k; incoming[j].bv_val != NULL; j++) {
+ if (find_and_remove(&(incoming[j]), element, 2)) {
+ k = j;
+ rc = 1;
+ break;
+ }
+ rc = 0;
+ }
+ if ( rc ) {
+ continue;
+ } else {
+ return 0;
+ }
+ }
+ return 1;
+}
+
+static int
+substr_containment_substr(Filter* stored, Filter* incoming)
+{
+ int i;
+ int rc = 0;
+ int any_count = 0;
+
+ struct berval init_incoming;
+ struct berval final_incoming;
+ struct berval *any_incoming = NULL;
+ struct berval *remaining_incoming = NULL;
+
+ if ((!(incoming->f_sub_initial.bv_val) && (stored->f_sub_initial.bv_val))
+ || (!(incoming->f_sub_final.bv_val) && (stored->f_sub_final.bv_val)))
+ return 0;
+
+
+ ber_dupbv(&init_incoming, &(incoming->f_sub_initial));
+ ber_dupbv(&final_incoming, &(incoming->f_sub_final));
+
+ if (incoming->f_sub_any) {
+ for ( any_count=0; incoming->f_sub_any[any_count].bv_val != NULL;
+ any_count++ )
+ ;
+
+ any_incoming = (struct berval*)ch_malloc((any_count+1) *
+ sizeof(struct berval));
+
+ for (i=0; i<any_count; i++) {
+ ber_dupbv(&(any_incoming[i]), &(incoming->f_sub_any[i]));
+ }
+ any_incoming[any_count].bv_val = NULL;
+ any_incoming[any_count].bv_len = 0;
+ }
+
+ if (find_and_remove(&init_incoming,
+ &(stored->f_sub_initial), 1) && find_and_remove(&final_incoming,
+ &(stored->f_sub_final), 3))
+ {
+ if (stored->f_sub_any == NULL) {
+ rc = 1;
+ goto final;
+ }
+ remaining_incoming = merge_init_final(&init_incoming,
+ any_incoming, &final_incoming);
+ rc = strings_containment(stored->f_sub_any, remaining_incoming);
+ }
+final:
+ free(init_incoming.bv_val);
+ free(final_incoming.bv_val);
+ if (any_incoming) ber_bvarray_free( any_incoming );
+ free(remaining_incoming);
+
+ return rc;
+}
+
+static int
+substr_containment_equality(Filter* stored, Filter* incoming)
+{
+ struct berval incoming_val[2];
+ int rc = 0;
+
+ ber_dupbv(incoming_val, &(incoming->f_av_value));
+ incoming_val[1].bv_val = NULL;
+ incoming_val[1].bv_len = 0;
+
+ if (find_and_remove(incoming_val,
+ &(stored->f_sub_initial), 1) && find_and_remove(incoming_val,
+ &(stored->f_sub_final), 3)) {
+ if (stored->f_sub_any == NULL){
+ rc = 1;
+ goto final;
+ }
+ rc = strings_containment(stored->f_sub_any, incoming_val);
+ }
+final:
+ free(incoming_val[0].bv_val);
+ return rc;
+}
+
+/* check whether query is contained in any of
+ * the cached queries in template template_index
+ */
+static int
+query_containment(query_manager *qm,
+ Query *query,
+ int template_index)
+{
+ QueryTemplate* templa= qm->templates;
+ CachedQuery* qc;
+ Query* q;
+ Filter* inputf = query->filter;
+ struct berval* base = &(query->base);
+ int scope = query->scope;
+ int res=0;
+ Filter* fs;
+ Filter* fi;
+ int ret, rc;
+ const char* text;
+
+ MatchingRule* mrule = NULL;
+ if (inputf != NULL) {
+#ifdef NEW_LOGGING
+ LDAP_LOG( BACK_META, DETAIL1, "Lock QC index = %d\n",
+ template_index, 0, 0 );
+#else
+ Debug( LDAP_DEBUG_ANY, "Lock QC index = %d\n",
+ template_index, 0, 0 );
+#endif
+ ldap_pvt_thread_rdwr_rlock(&(templa[template_index].t_rwlock));
+ for(qc=templa[template_index].query; qc != NULL; qc= qc->next) {
+ q = (Query*)qc;
+ if(base_scope_compare(&(q->base), base, q->scope, scope)) {
+ fi = inputf;
+ fs = q->filter;
+ do {
+ res=0;
+ switch (fs->f_choice) {
+ case LDAP_FILTER_EQUALITY:
+ if (fi->f_choice == LDAP_FILTER_EQUALITY)
+ mrule = fs->f_ava->aa_desc->ad_type->sat_equality;
+ else
+ ret = 1;
+ break;
+ case LDAP_FILTER_GE:
+ case LDAP_FILTER_LE:
+ mrule = fs->f_ava->aa_desc->ad_type->sat_ordering;
+ break;
+ default:
+ mrule = NULL;
+ }
+ if (mrule) {
+ rc = value_match(&ret, fs->f_ava->aa_desc, mrule,
+ SLAP_MR_VALUE_OF_ASSERTION_SYNTAX,
+ &(fi->f_ava->aa_value),
+ &(fs->f_ava->aa_value), &text);
+ if (rc != LDAP_SUCCESS) {
+ ldap_pvt_thread_rdwr_runlock(&(templa[template_index].t_rwlock));
+#ifdef NEW_LOGGING
+ LDAP_LOG( BACK_META, DETAIL1,
+ "Unlock: Exiting QC index=%d\n",
+ template_index, 0, 0 );
+#else
+ Debug( LDAP_DEBUG_ANY,
+ "Unlock: Exiting QC index=%d\n",
+ template_index, 0, 0 );
+#endif
+ return 0;
+ }
+ }
+ switch (fs->f_choice) {
+ case LDAP_FILTER_OR:
+ case LDAP_FILTER_AND:
+ fs = fs->f_and;
+ fi = fi->f_and;
+ res=1;
+ break;
+ case LDAP_FILTER_SUBSTRINGS:
+ /* check if the equality query can be
+ * answered with cached substring query */
+ if ((fi->f_choice == LDAP_FILTER_EQUALITY)
+ && substr_containment_equality(
+ fs, fi))
+ res=1;
+ /* check if the substring query can be
+ * answered with cached substring query */
+ if ((fi->f_choice ==LDAP_FILTER_SUBSTRINGS
+ ) && substr_containment_substr(
+ fs, fi))
+ res= 1;
+ fs=fs->f_next;
+ fi=fi->f_next;
+ break;
+ case LDAP_FILTER_PRESENT:
+ res=1;
+ fs=fs->f_next;
+ fi=fi->f_next;
+ break;
+ case LDAP_FILTER_EQUALITY:
+ if (ret == 0)
+ res = 1;
+ fs=fs->f_next;
+ fi=fi->f_next;
+ break;
+ case LDAP_FILTER_GE:
+ if (ret >= 0)
+ res = 1;
+ fs=fs->f_next;
+ fi=fi->f_next;
+ break;
+ case LDAP_FILTER_LE:
+ if (ret <= 0)
+ res = 1;
+ fs=fs->f_next;
+ fi=fi->f_next;
+ break;
+ case LDAP_FILTER_NOT:
+ res=0;
+ break;
+ default:
+ break;
+ }
+ } while((res) && (fi != NULL) && (fs != NULL));
+
+ if(res) {
+ ldap_pvt_thread_mutex_lock(&qm->lru_mutex);
+ if (qm->lru_top != qc) {
+ remove_query(qm, qc);
+ add_query_on_top(qm, qc);
+ }
+ ldap_pvt_thread_mutex_unlock(&qm->lru_mutex);
+ return 1;
+ }
+ }
+ }
+#ifdef NEW_LOGGING
+ LDAP_LOG( BACK_META, DETAIL1,
+ "Not answerable: Unlock QC index=%d\n",
+ template_index, 0, 0 );
+#else
+ Debug( LDAP_DEBUG_ANY,
+ "Not answerable: Unlock QC index=%d\n",
+ template_index, 0, 0 );
+#endif
+ ldap_pvt_thread_rdwr_runlock(&(templa[template_index].t_rwlock));
+ }
+ return 0;
+}
+
+static void
+free_query (CachedQuery* qc)
+{
+ Query* q = (Query*)qc;
+ int i;
+
+ free(qc->q_uuid.bv_val);
+ filter_free(q->filter);
+ free (q->base.bv_val);
+ for (i=0; q->attrs[i].an_name.bv_val; i++) {
+ free(q->attrs[i].an_name.bv_val);
+ }
+ free(q->attrs);
+ free(qc);
+}
+
+
+/* Add query to query cache */
+static void add_query(
+ query_manager* qm,
+ Query* query,
+ int template_index,
+ struct berval* uuid)
+{
+ CachedQuery* new_cached_query = (CachedQuery*) ch_malloc(sizeof(CachedQuery));
+ QueryTemplate* templ = (qm->templates)+template_index;
+ Query* new_query;
+ new_cached_query->template_id = template_index;
+ new_cached_query->q_uuid = *uuid;
+ new_cached_query->lru_up = NULL;
+ new_cached_query->lru_down = NULL;
+ new_cached_query->expiry_time = slap_get_time() + templ->ttl;
+#ifdef NEW_LOGGING
+ LDAP_LOG( BACK_META, DETAIL1, "Added query expires at %ld\n",
+ (long) new_cached_query->expiry_time, 0, 0 );
+#else
+ Debug( LDAP_DEBUG_ANY, "Added query expires at %ld\n",
+ (long) new_cached_query->expiry_time, 0, 0 );
+#endif
+ new_query = (Query*)new_cached_query;
+
+ ber_dupbv(&new_query->base, &query->base);
+ new_query->scope = query->scope;
+ new_query->filter = query->filter;
+ new_query->attrs = query->attrs;
+
+ /* Adding a query */
+#ifdef NEW_LOGGING
+ LDAP_LOG( BACK_META, DETAIL1, "Lock AQ index = %d\n",
+ template_index, 0, 0 );
+#else
+ Debug( LDAP_DEBUG_ANY, "Lock AQ index = %d\n",
+ template_index, 0, 0 );
+#endif
+ ldap_pvt_thread_rdwr_wlock(&templ->t_rwlock);
+ if (templ->query == NULL)
+ templ->query_last = new_cached_query;
+ else
+ templ->query->prev = new_cached_query;
+ new_cached_query->next = templ->query;
+ new_cached_query->prev = NULL;
+ templ->query = new_cached_query;
+ templ->no_of_queries++;
+#ifdef NEW_LOGGING
+ LDAP_LOG( BACK_META, DETAIL1, "TEMPLATE %d QUERIES++ %d\n",
+ template_index, templ->no_of_queries, 0 );
+#else
+ Debug( LDAP_DEBUG_ANY, "TEMPLATE %d QUERIES++ %d\n",
+ template_index, templ->no_of_queries, 0 );
+#endif
+
+#ifdef NEW_LOGGING
+ LDAP_LOG( BACK_META, DETAIL1, "Unlock AQ index = %d \n",
+ template_index, 0, 0 );
+#else
+ Debug( LDAP_DEBUG_ANY, "Unlock AQ index = %d \n",
+ template_index, 0, 0 );
+#endif
+ ldap_pvt_thread_rdwr_wunlock(&templ->t_rwlock);
+
+ /* Adding on top of LRU list */
+ ldap_pvt_thread_mutex_lock(&qm->lru_mutex);
+ add_query_on_top(qm, new_cached_query);
+ ldap_pvt_thread_mutex_unlock(&qm->lru_mutex);
+}
+
+static void
+remove_from_template (CachedQuery* qc, QueryTemplate* template)
+{
+ if (!qc->prev && !qc->next) {
+ template->query_last = template->query = NULL;
+ } else if (qc->prev == NULL) {
+ qc->next->prev = NULL;
+ template->query = qc->next;
+ } else if (qc->next == NULL) {
+ qc->prev->next = NULL;
+ template->query_last = qc->prev;
+ } else {
+ qc->next->prev = qc->prev;
+ qc->prev->next = qc->next;
+ }
+
+ template->no_of_queries--;
+}
+
+/* remove bottom query of LRU list from the query cache */
+static void cache_replacement(query_manager* qm, struct berval *result)
+{
+ CachedQuery* bottom;
+ int temp_id;
+
+ ldap_pvt_thread_mutex_lock(&qm->lru_mutex);
+ bottom = qm->lru_bottom;
+
+ result->bv_val = NULL;
+ result->bv_len = 0;
+
+ if (!bottom) {
+#ifdef NEW_LOGGING
+ LDAP_LOG ( BACK_META, DETAIL1,
+ "Cache replacement invoked without "
+ "any query in LRU list\n", 0, 0, 0 );
+#else
+ Debug ( LDAP_DEBUG_ANY,
+ "Cache replacement invoked without "
+ "any query in LRU list\n", 0, 0, 0 );
+#endif
+ return;
+ }
+
+ temp_id = bottom->template_id;
+ remove_query(qm, bottom);
+ ldap_pvt_thread_mutex_unlock(&qm->lru_mutex);
+
+ *result = bottom->q_uuid;
+ bottom->q_uuid.bv_val = NULL;
+
+#ifdef NEW_LOGGING
+ LDAP_LOG( BACK_META, DETAIL1, "Lock CR index = %d\n", temp_id, 0, 0 );
+#else
+ Debug( LDAP_DEBUG_ANY, "Lock CR index = %d\n", temp_id, 0, 0 );
+#endif
+ ldap_pvt_thread_rdwr_wlock(&(qm->templates[temp_id].t_rwlock));
+ remove_from_template(bottom, (qm->templates+temp_id));
+#ifdef NEW_LOGGING
+ LDAP_LOG( BACK_META, DETAIL1, "TEMPLATE %d QUERIES-- %d\n",
+ temp_id, qm->templates[temp_id].no_of_queries, 0 );
+#else
+ Debug( LDAP_DEBUG_ANY, "TEMPLATE %d QUERIES-- %d\n",
+ temp_id, qm->templates[temp_id].no_of_queries, 0 );
+#endif
+#ifdef NEW_LOGGING
+ LDAP_LOG( BACK_META, DETAIL1, "Unlock CR index = %d\n", temp_id, 0, 0 );
+#else
+ Debug( LDAP_DEBUG_ANY, "Unlock CR index = %d\n", temp_id, 0, 0 );
+#endif
+ ldap_pvt_thread_rdwr_wunlock(&(qm->templates[temp_id].t_rwlock));
+ free_query(bottom);
+}
+
+struct query_info {
+ struct berval* uuid;
+ int deleted;
+};
+
+static int
+remove_func (
+ Operation *op,
+ SlapReply *rs
+)
+{
+ struct query_info *info = op->o_callback->sc_private;
+ int count = 0;
+ Modifications mod;
+ struct berval vals[2];
+
+ Attribute *attr;
+ Operation op_tmp = *op;
+
+ SlapReply sreply = {REP_RESULT};
+
+ if (rs->sr_type == REP_RESULT)
+ return 0;
+
+ for (attr = rs->sr_entry->e_attrs; attr!= NULL; attr = attr->a_next) {
+ if (attr->a_desc == ad_queryid) {
+ for (count=0; attr->a_vals[count].bv_val; count++)
+ ;
+ break;
+ }
+ }
+
+ if (count == 0) {
+ return 0;
+ }
+ if (count == 1) {
+#ifdef NEW_LOGGING
+ LDAP_LOG( BACK_META, DETAIL1,
+ "DELETING ENTRY TEMPLATE=%s\n",
+ attr->a_vals[0].bv_val, 0, 0 );
+#else
+ Debug( LDAP_DEBUG_ANY, "DELETING ENTRY TEMPLATE=%s\n",
+ attr->a_vals[0].bv_val, 0, 0 );
+#endif
+
+ op_tmp.o_req_dn = rs->sr_entry->e_name;
+ op_tmp.o_req_ndn = rs->sr_entry->e_nname;
+
+ if (op->o_bd->be_delete(&op_tmp, rs) == LDAP_SUCCESS) {
+ info->deleted++;
+ }
+ return 0;
+ }
+
+ vals[0] = *info->uuid;
+ vals[1].bv_val = NULL;
+ vals[1].bv_len = 0;
+ mod.sml_op = LDAP_MOD_DELETE;
+ mod.sml_desc = ad_queryid;
+ mod.sml_type = ad_queryid->ad_cname;
+ mod.sml_bvalues = vals;
+ mod.sml_next = NULL;
+#ifdef NEW_LOGGING
+ LDAP_LOG( BACK_META, DETAIL1,
+ "REMOVING TEMP ATTR : TEMPLATE=%s\n",
+ attr->a_vals[0].bv_val, 0, 0 );
+#else
+ Debug( LDAP_DEBUG_ANY, "REMOVING TEMP ATTR : TEMPLATE=%s\n",
+ attr->a_vals[0].bv_val, 0, 0 );
+#endif
+
+ op_tmp.o_req_dn = rs->sr_entry->e_name;
+ op_tmp.o_req_ndn = rs->sr_entry->e_nname;
+ op_tmp.orm_modlist = &mod;
+
+ op->o_bd->be_modify( &op_tmp, &sreply );
+
+ return 0;
+}
+
+static int
+remove_query_data (
+ Operation *op,
+ SlapReply *rs,
+ struct berval* query_uuid)
+{
+ struct query_info info;
+ char filter_str[64];
+ Filter filter = {LDAP_FILTER_EQUALITY};
+ SlapReply sreply = {REP_RESULT};
+ slap_callback cb = { NULL, remove_func, NULL, NULL };
+
+ sreply.sr_entry = NULL;
+ sreply.sr_nentries = 0;
+ op->ors_filterstr.bv_len = snprintf(filter_str, sizeof(filter_str),
+ "(%s=%s)", ad_queryid->ad_cname.bv_val, query_uuid->bv_val);
+ filter.f_av_desc = ad_queryid;
+ filter.f_av_value = *query_uuid;
+ info.uuid = query_uuid;
+ info.deleted = 0;
+ cb.sc_private = &info;
+
+ op->o_tag = LDAP_REQ_SEARCH;
+ op->o_protocol = LDAP_VERSION3;
+ op->o_callback = &cb;
+ op->o_time = slap_get_time();
+ op->o_do_not_cache = 1;
+
+ op->o_req_dn = op->o_bd->be_suffix[0];
+ op->o_req_ndn = op->o_bd->be_nsuffix[0];
+ op->ors_scope = LDAP_SCOPE_SUBTREE;
+ op->ors_deref = LDAP_DEREF_NEVER;
+ op->ors_slimit = 0;
+ op->ors_tlimit = 0;
+ op->ors_filter = &filter;
+ op->ors_filterstr.bv_val = filter_str;
+ op->ors_filterstr.bv_len = strlen(filter_str);
+ op->ors_attrs = NULL;
+ op->ors_attrsonly = 0;
+
+ op->o_bd->be_search( op, &sreply );
+
+ return info.deleted;
+}
+
+static int
+get_attr_set(
+ AttributeName* attrs,
+ query_manager* qm,
+ int num
+);
+
+static int
+attrscmp(
+ AttributeName* attrs_in,
+ AttributeName* attrs
+);
+
+static int
+is_temp_answerable(
+ int attr_set,
+ struct berval* tempstr,
+ query_manager* qm,
+ int template_id )
+{
+ QueryTemplate *qt = qm->templates + template_id;
+
+ if (attr_set != qt->attr_set_index) {
+ int* id_array = qm->attr_sets[attr_set].ID_array;
+
+ while (*id_array != -1) {
+ if (*id_array == qt->attr_set_index)
+ break;
+ id_array++;
+ }
+ if (*id_array == -1)
+ return 0;
+ }
+ return (qt->querystr.bv_len == tempstr->bv_len &&
+ strcasecmp(qt->querystr.bv_val, tempstr->bv_val) == 0);
+}
+
+static int
+filter2template(
+ Filter *f,
+ struct berval *fstr,
+ AttributeName** filter_attrs,
+ int* filter_cnt )
+{
+ AttributeDescription *ad;
+
+ switch ( f->f_choice ) {
+ case LDAP_FILTER_EQUALITY:
+ ad = f->f_av_desc;
+ sprintf( fstr->bv_val+fstr->bv_len, "(%s=)", ad->ad_cname.bv_val );
+ fstr->bv_len += ad->ad_cname.bv_len + ( sizeof("(=)") - 1 );
+ break;
+
+ case LDAP_FILTER_GE:
+ ad = f->f_av_desc;
+ sprintf( fstr->bv_val+fstr->bv_len, "(%s>=)", ad->ad_cname.bv_val);
+ fstr->bv_len += ad->ad_cname.bv_len + ( sizeof("(>=)") - 1 );
+ break;
+
+ case LDAP_FILTER_LE:
+ ad = f->f_av_desc;
+ sprintf( fstr->bv_val+fstr->bv_len, "(%s<=)", ad->ad_cname.bv_val);
+ fstr->bv_len += ad->ad_cname.bv_len + ( sizeof("(<=)") - 1 );
+ break;
+
+ case LDAP_FILTER_APPROX:
+ ad = f->f_av_desc;
+ sprintf( fstr->bv_val+fstr->bv_len, "(%s~=)", ad->ad_cname.bv_val);
+ fstr->bv_len += ad->ad_cname.bv_len + ( sizeof("(~=)") - 1 );
+ break;
+
+ case LDAP_FILTER_SUBSTRINGS:
+ ad = f->f_sub_desc;
+ sprintf( fstr->bv_val+fstr->bv_len, "(%s=)", ad->ad_cname.bv_val );
+ fstr->bv_len += ad->ad_cname.bv_len + ( sizeof("(=)") - 1 );
+ break;
+
+ case LDAP_FILTER_PRESENT:
+ ad = f->f_desc;
+ sprintf( fstr->bv_val+fstr->bv_len, "(%s=*)", ad->ad_cname.bv_val );
+ fstr->bv_len += ad->ad_cname.bv_len + ( sizeof("(=*)") - 1 );
+ break;
+
+ case LDAP_FILTER_AND:
+ case LDAP_FILTER_OR:
+ case LDAP_FILTER_NOT: {
+ int rc = 0;
+ sprintf( fstr->bv_val+fstr->bv_len, "(%c",
+ f->f_choice == LDAP_FILTER_AND ? '&' :
+ f->f_choice == LDAP_FILTER_OR ? '|' : '!' );
+ fstr->bv_len += sizeof("(%") - 1;
+
+ for ( f = f->f_list; f != NULL; f = f->f_next ) {
+ rc = filter2template( f, fstr, filter_attrs, filter_cnt );
+ if ( rc ) break;
+ }
+ sprintf( fstr->bv_val+fstr->bv_len, ")" );
+ fstr->bv_len += sizeof(")") - 1;
+
+ return rc;
+ }
+
+ default:
+ strcpy( fstr->bv_val, "(?=?)" );
+ fstr->bv_len += sizeof("(?=?)")-1;
+ return -1;
+ }
+
+ *filter_attrs = (AttributeName *)ch_realloc(*filter_attrs,
+ (*filter_cnt + 2)*sizeof(AttributeName));
+
+ (*filter_attrs)[*filter_cnt].an_desc = ad;
+ (*filter_attrs)[*filter_cnt].an_name = ad->ad_cname;
+ (*filter_attrs)[*filter_cnt+1].an_name.bv_val = NULL;
+ (*filter_attrs)[*filter_cnt+1].an_name.bv_len = 0;
+ (*filter_cnt)++;
+ return 0;
+}
+
+struct search_info {
+ slap_overinst *on;
+ Query query;
+ int template_id;
+ int max;
+ int over;
+ int count;
+ Entry *head, *tail;
+};
+
+static int
+cache_entries(
+ Operation *op,
+ SlapReply *rs,
+ struct berval *query_uuid)
+{
+ struct search_info *si = op->o_callback->sc_private;
+ slap_overinst *on = si->on;
+ cache_manager *cm = on->on_bi.bi_private;
+ query_manager* qm = cm->qm;
+ int i;
+ int return_val;
+ Entry *e;
+ struct berval crp_uuid;
+ char uuidbuf[ LDAP_LUTIL_UUIDSTR_BUFSIZE ];
+ Operation op_tmp = *op;
+ BackendDB db = *op->o_bd;
+
+ query_uuid->bv_len = lutil_uuidstr(uuidbuf, sizeof(uuidbuf));
+ ber_str2bv(uuidbuf, query_uuid->bv_len, 1, query_uuid);
+
+ op_tmp.o_bd = &db;
+ op_tmp.o_dn = db.be_rootdn;
+ op_tmp.o_ndn = db.be_rootndn;
+ db.bd_info = cm->bi;
+ db.be_private =cm->be_private;
+ db.be_flags |= SLAP_BFLAG_NO_SCHEMA_CHECK;
+
+#ifdef NEW_LOGGING
+ LDAP_LOG( BACK_META, DETAIL1, "UUID for query being added = %s\n",
+ uuidbuf, 0, 0 );
+#else /* !NEW_LOGGING */
+ Debug( LDAP_DEBUG_ANY, "UUID for query being added = %s\n",
+ uuidbuf, 0, 0 );
+#endif /* !NEW_LOGGING */
+
+ for ( e=si->head; e; e=si->head ) {
+ si->head = e->e_private;
+ e->e_private = NULL;
+#ifdef NEW_LOGGING
+ LDAP_LOG( BACK_META, DETAIL2, "LOCKING REMOVE MUTEX\n",
+ 0, 0, 0 );
+#else /* !NEW_LOGGING */
+ Debug( LDAP_DEBUG_NONE, "LOCKING REMOVE MUTEX\n", 0, 0, 0 );
+#endif /* !NEW_LOGGING */
+ ldap_pvt_thread_mutex_lock(&cm->remove_mutex);
+#ifdef NEW_LOGGING
+ LDAP_LOG( BACK_META, DETAIL2, "LOCKED REMOVE MUTEX\n", 0, 0, 0);
+#else /* !NEW_LOGGING */
+ Debug( LDAP_DEBUG_NONE, "LOCKED REMOVE MUTEX\n", 0, 0, 0);
+#endif /* !NEW_LOGGING */
+ while ( cm->cur_entries > (cm->max_entries) ) {
+ qm->crfunc(qm, &crp_uuid);
+ if (crp_uuid.bv_val) {
+#ifdef NEW_LOGGING
+ LDAP_LOG( BACK_META, DETAIL1,
+ "Removing query UUID %s\n",
+ crp_uuid.bv_val, 0, 0 );
+#else /* !NEW_LOGGING */
+ Debug( LDAP_DEBUG_ANY,
+ "Removing query UUID %s\n",
+ crp_uuid.bv_val, 0, 0 );
+#endif /* !NEW_LOGGING */
+ return_val = remove_query_data(&op_tmp, rs, &crp_uuid);
+#ifdef NEW_LOGGING
+ LDAP_LOG( BACK_META, DETAIL1,
+ "QUERY REMOVED, SIZE=%d\n",
+ return_val, 0, 0);
+#else /* !NEW_LOGGING */
+ Debug( LDAP_DEBUG_ANY,
+ "QUERY REMOVED, SIZE=%d\n",
+ return_val, 0, 0);
+#endif /* !NEW_LOGGING */
+ ldap_pvt_thread_mutex_lock(
+ &cm->cache_mutex );
+ cm->cur_entries -= return_val;
+ cm->num_cached_queries--;
+#ifdef NEW_LOGGING
+ LDAP_LOG( BACK_META, DETAIL1,
+ "STORED QUERIES = %lu\n",
+ cm->num_cached_queries, 0, 0 );
+#else /* !NEW_LOGGING */
+ Debug( LDAP_DEBUG_ANY,
+ "STORED QUERIES = %lu\n",
+ cm->num_cached_queries, 0, 0 );
+#endif /* !NEW_LOGGING */
+ ldap_pvt_thread_mutex_unlock(
+ &cm->cache_mutex );
+#ifdef NEW_LOGGING
+ LDAP_LOG( BACK_META, DETAIL1,
+ "QUERY REMOVED, CACHE ="
+ "%d entries\n",
+ cm->cur_entries, 0, 0 );
+#else /* !NEW_LOGGING */
+ Debug( LDAP_DEBUG_ANY,
+ "QUERY REMOVED, CACHE ="
+ "%d entries\n",
+ cm->cur_entries, 0, 0 );
+#endif /* !NEW_LOGGING */
+ }
+ }
+
+ return_val = merge_entry(&op_tmp, e, query_uuid);
+ ldap_pvt_thread_mutex_unlock(&cm->remove_mutex);
+ ldap_pvt_thread_mutex_lock(&cm->cache_mutex);
+ cm->cur_entries += return_val;
+#ifdef NEW_LOGGING
+ LDAP_LOG( BACK_META, DETAIL1,
+ "ENTRY ADDED/MERGED, CACHED ENTRIES=%d\n",
+ cm->cur_entries, 0, 0 );
+#else /* !NEW_LOGGING */
+ Debug( LDAP_DEBUG_ANY,
+ "ENTRY ADDED/MERGED, CACHED ENTRIES=%d\n",
+ cm->cur_entries, 0, 0 );
+#endif /* !NEW_LOGGING */
+ return_val = 0;
+ ldap_pvt_thread_mutex_unlock(&cm->cache_mutex);
+ }
+ ldap_pvt_thread_mutex_lock(&cm->cache_mutex);
+ cm->num_cached_queries++;
+#ifdef NEW_LOGGING
+ LDAP_LOG( BACK_META, DETAIL1, "STORED QUERIES = %lu\n",
+ cm->num_cached_queries, 0, 0 );
+#else /* !NEW_LOGGING */
+ Debug( LDAP_DEBUG_ANY, "STORED QUERIES = %lu\n",
+ cm->num_cached_queries, 0, 0 );
+#endif /* !NEW_LOGGING */
+ ldap_pvt_thread_mutex_unlock(&cm->cache_mutex);
+
+ return return_val;
+}
+
+static int
+proxy_cache_response(
+ Operation *op,
+ SlapReply *rs )
+{
+ struct search_info *si = op->o_callback->sc_private;
+ slap_overinst *on = si->on;
+ cache_manager *cm = on->on_bi.bi_private;
+ query_manager* qm = cm->qm;
+ struct berval uuid;
+
+ if ( rs->sr_type == REP_SEARCH ) {
+ Entry *e;
+ /* If we haven't exceeded the limit for this query,
+ * build a chain of answers to store. If we hit the
+ * limit, empty the chain and ignore the rest.
+ */
+ if ( !si->over ) {
+ if ( si->count < si->max ) {
+ si->count++;
+ e = entry_dup( rs->sr_entry );
+ if ( !si->head ) si->head = e;
+ if ( si->tail ) si->tail->e_private = e;
+ si->tail = e;
+ } else {
+ si->over = 1;
+ si->count = 0;
+ for (;si->head; si->head=e) {
+ e = si->head->e_private;
+ si->head->e_private = NULL;
+ entry_free(si->head);
+ }
+ si->tail = NULL;
+ }
+ }
+ } else if ( rs->sr_type == REP_RESULT && !si->over ) {
+ if ( cache_entries( op, rs, &uuid ) == 0) {
+ qm->addfunc(qm, &si->query, si->template_id, &uuid);
+ /* If the consistency checker suspended itself,
+ * wake it back up
+ */
+ if ( cm->cc_paused ) {
+ ldap_pvt_thread_mutex_lock( &syncrepl_rq.rq_mutex );
+ if ( cm->cc_paused ) {
+ cm->cc_paused = 0;
+ ldap_pvt_runqueue_resched( &syncrepl_rq, cm->cc_arg, 0 );
+ }
+ ldap_pvt_thread_mutex_unlock( &syncrepl_rq.rq_mutex );
+ }
+ }
+ }
+ return SLAP_CB_CONTINUE;
+}
+
+static void
+add_filter_attrs(
+ Operation *op,
+ AttributeName** new_attrs,
+ AttributeName* attrs,
+ AttributeName* filter_attrs )
+{
+ int alluser = 0;
+ int allop = 0;
+ int i;
+ int count;
+
+ /* duplicate attrs */
+ if (attrs == NULL) {
+ count = 1;
+ } else {
+ for (count=0; attrs[count].an_name.bv_val; count++)
+ ;
+ }
+ *new_attrs = (AttributeName*)(op->o_tmpalloc((count+1)*
+ sizeof(AttributeName), op->o_tmpmemctx));
+ if (attrs == NULL) {
+ (*new_attrs)[0].an_name.bv_val = "*";
+ (*new_attrs)[0].an_name.bv_len = 1;
+ (*new_attrs)[1].an_name.bv_val = NULL;
+ (*new_attrs)[1].an_name.bv_len = 0;
+ alluser = 1;
+ allop = 0;
+ } else {
+ for (i=0; i<count; i++) {
+ (*new_attrs)[i].an_name = attrs[i].an_name;
+ (*new_attrs)[i].an_desc = attrs[i].an_desc;
+ }
+ (*new_attrs)[count].an_name.bv_val = NULL;
+ (*new_attrs)[count].an_name.bv_len = 0;
+ alluser = an_find(*new_attrs, &AllUser);
+ allop = an_find(*new_attrs, &AllOper);
+ }
+
+ for ( i=0; filter_attrs[i].an_name.bv_val; i++ ) {
+ if ( an_find(*new_attrs, &filter_attrs[i].an_name ))
+ continue;
+ if ( is_at_operational(filter_attrs[i].an_desc->ad_type) ) {
+ if (allop)
+ continue;
+ } else if (alluser)
+ continue;
+ *new_attrs = (AttributeName*)(op->o_tmprealloc(*new_attrs,
+ (count+2)*sizeof(AttributeName), op->o_tmpmemctx));
+ (*new_attrs)[count].an_name = filter_attrs[i].an_name;
+ (*new_attrs)[count].an_desc = filter_attrs[i].an_desc;
+ count++;
+ (*new_attrs)[count].an_name.bv_val = NULL;
+ (*new_attrs)[count].an_name.bv_len = 0;
+ }
+}
+
+static int
+proxy_cache_search(
+ Operation *op,
+ SlapReply *rs )
+{
+ slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
+ cache_manager *cm = on->on_bi.bi_private;
+ query_manager* qm = cm->qm;
+
+ int count;
+
+ int i = -1;
+
+ AttributeName *filter_attrs = NULL;
+ AttributeName *new_attrs = NULL;
+
+ Query query;
+
+ int attr_set = -1;
+ int template_id = -1;
+ int answerable = 0;
+ int cacheable = 0;
+ int fattr_cnt=0;
+ int oc_attr_absent = 1;
+
+ struct berval tempstr;
+
+ tempstr.bv_val = op->o_tmpalloc( op->ors_filterstr.bv_len+1, op->o_tmpmemctx );
+ tempstr.bv_len = 0;
+ if (filter2template(op->ors_filter, &tempstr, &filter_attrs, &fattr_cnt)) {
+ op->o_tmpfree( tempstr.bv_val, op->o_tmpmemctx );
+ return SLAP_CB_CONTINUE;
+ }
+
+#ifdef NEW_LOGGING
+ LDAP_LOG( BACK_META, DETAIL1, "query template of incoming query = %s\n",
+ tempstr.bv_val, 0, 0 );
+#else /* !NEW_LOGGING */
+ Debug( LDAP_DEBUG_ANY, "query template of incoming query = %s\n",
+ tempstr.bv_val, 0, 0 );
+#endif /* !NEW_LOGGING */
+
+ /* find attr set */
+ attr_set = get_attr_set(op->ors_attrs, qm, cm->numattrsets);
+
+ query.filter = op->ors_filter;
+ query.attrs = op->ors_attrs;
+ query.base = op->o_req_ndn;
+ query.scope = op->ors_scope;
+
+ /* check for query containment */
+ if (attr_set > -1) {
+ for (i=0; i<cm->numtemplates; i++) {
+ /* find if template i can potentially answer tempstr */
+ if (!is_temp_answerable(attr_set, &tempstr, qm, i))
+ continue;
+ if (attr_set == qm->templates[i].attr_set_index) {
+ cacheable = 1;
+ template_id = i;
+ }
+#ifdef NEW_LOGGING
+ LDAP_LOG( BACK_META, DETAIL2,
+ "Entering QC, querystr = %s\n",
+ op->ors_filterstr.bv_val, 0, 0 );
+#else /* !NEW_LOGGING */
+ Debug( LDAP_DEBUG_NONE, "Entering QC, querystr = %s\n",
+ op->ors_filterstr.bv_val, 0, 0 );
+#endif /* !NEW_LOGGING */
+ answerable = (*(qm->qcfunc))(qm, &query, i);
+
+ if (answerable)
+ break;
+ }
+ }
+ op->o_tmpfree( tempstr.bv_val, op->o_tmpmemctx );
+
+ if (answerable) {
+ BackendDB db, *be;
+#ifdef NEW_LOGGING
+ LDAP_LOG( BACK_META, DETAIL1, "QUERY ANSWERABLE\n", 0, 0, 0 );
+#else /* !NEW_LOGGING */
+ Debug( LDAP_DEBUG_ANY, "QUERY ANSWERABLE\n", 0, 0, 0 );
+#endif /* !NEW_LOGGING */
+ free(filter_attrs);
+ ldap_pvt_thread_rdwr_runlock(&qm->templates[i].t_rwlock);
+ db = *op->o_bd;
+ db.bd_info = cm->bi;
+ db.be_private = cm->be_private;
+ be = op->o_bd;
+ op->o_bd = &db;
+ i = cm->bi->bi_op_search( op, rs );
+ op->o_bd = be;
+ return i;
+ }
+
+#ifdef NEW_LOGGING
+ LDAP_LOG( BACK_META, DETAIL1, "QUERY NOT ANSWERABLE\n",
+ 0, 0, 0 );
+#else /* !NEW_LOGGING */
+ Debug( LDAP_DEBUG_ANY, "QUERY NOT ANSWERABLE\n", 0, 0, 0 );
+#endif /* !NEW_LOGGING */
+
+ ldap_pvt_thread_mutex_lock(&cm->cache_mutex);
+ if (cm->num_cached_queries >= cm->max_queries) {
+ cacheable = 0;
+ }
+ ldap_pvt_thread_mutex_unlock(&cm->cache_mutex);
+
+ if (cacheable) {
+ slap_callback *cb;
+ struct search_info *si;
+#ifdef NEW_LOGGING
+ LDAP_LOG( BACK_META, DETAIL1,
+ "QUERY CACHEABLE\n", 0, 0, 0 );
+#else /* !NEW_LOGGING */
+ Debug( LDAP_DEBUG_ANY, "QUERY CACHEABLE\n", 0, 0, 0 );
+#endif /* !NEW_LOGGING */
+ query.filter = str2filter(op->ors_filterstr.bv_val);
+ if (op->ors_attrs) {
+ for ( count=0; op->ors_attrs[ count ].an_name.bv_val; count++ ) {
+ if ( op->ors_attrs[count].an_desc == slap_schema.si_ad_objectClass )
+ oc_attr_absent = 0;
+ }
+ query.attrs = (AttributeName*)ch_malloc( ( count + 1 + oc_attr_absent )
+ *sizeof(AttributeName));
+ for ( count=0; op->ors_attrs[ count ].an_name.bv_val; count++ ) {
+ ber_dupbv( &query.attrs[count].an_name, &op->ors_attrs[count].an_name );
+ query.attrs[count].an_desc = op->ors_attrs[count].an_desc;
+ }
+ if ( oc_attr_absent ) {
+ query.attrs[ count ].an_desc = slap_schema.si_ad_objectClass;
+ ber_dupbv( &query.attrs[count].an_name,
+ &slap_schema.si_ad_objectClass->ad_cname );
+ count++;
+ }
+ query.attrs[ count ].an_name.bv_val = NULL;
+ query.attrs[ count ].an_name.bv_len = 0;
+ }
+ op->o_tmpfree(op->ors_attrs, op->o_tmpmemctx);
+ add_filter_attrs(op, &op->ors_attrs, query.attrs, filter_attrs);
+ cb = op->o_tmpalloc( sizeof(*cb) + sizeof(*si), op->o_tmpmemctx);
+ cb->sc_next = op->o_callback;
+ cb->sc_response = proxy_cache_response;
+ cb->sc_cleanup = NULL;
+ cb->sc_private = (cb+1);
+ si = cb->sc_private;
+ si->on = on;
+ si->query = query;
+ si->template_id = template_id;
+ si->max = cm->num_entries_limit ;
+ si->over = 0;
+ si->count = 0;
+ si->head = NULL;
+ si->tail = NULL;
+ op->o_callback = cb;
+ } else {
+#ifdef NEW_LOGGING
+ LDAP_LOG( BACK_META, DETAIL1,
+ "QUERY NOT CACHEABLE\n",
+ 0, 0, 0);
+#else /* !NEW_LOGGING */
+ Debug( LDAP_DEBUG_ANY, "QUERY NOT CACHEABLE\n",
+ 0, 0, 0);
+#endif /* !NEW_LOGGING */
+ }
+
+ free(filter_attrs);
+
+ return SLAP_CB_CONTINUE;
+}
+
+static int
+attrscmp(
+ AttributeName* attrs_in,
+ AttributeName* attrs)
+{
+ int i, count1, count2;
+ if ( attrs_in == NULL ) {
+ return (attrs ? 0 : 1);
+ }
+ if ( attrs == NULL )
+ return 0;
+
+ for ( count1=0;
+ attrs_in && attrs_in[count1].an_name.bv_val != NULL;
+ count1++ )
+ ;
+ for ( count2=0;
+ attrs && attrs[count2].an_name.bv_val != NULL;
+ count2++)
+ ;
+ if ( count1 != count2 )
+ return 0;
+
+ for ( i=0; i<count1; i++ ) {
+ if ( !an_find(attrs, &attrs_in[i].an_name ))
+ return 0;
+ }
+ return 1;
+}
+
+static int
+get_attr_set(
+ AttributeName* attrs,
+ query_manager* qm,
+ int num )
+{
+ int i;
+ for (i=0; i<num; i++) {
+ if (attrscmp(attrs, qm->attr_sets[i].attrs))
+ return i;
+ }
+ return -1;
+}
+
+static void*
+consistency_check(
+ void *ctx,
+ void *arg )
+{
+ struct re_s *rtask = arg;
+ slap_overinst *on = rtask->arg;
+ cache_manager *cm = on->on_bi.bi_private;
+ query_manager *qm = cm->qm;
+ Operation op = {0};
+ BackendDB be = on->on_info->oi_bd;
+
+ SlapReply rs = {REP_RESULT};
+ CachedQuery* query, *query_prev;
+ int i, return_val, pause = 1;
+ QueryTemplate* templ;
+
+ op.o_bd = &be;
+ op.o_dn = be.be_rootdn;
+ op.o_ndn = be.be_rootndn;
+ op.o_threadctx = ctx;
+
+ op.o_tmpmemctx = sl_mem_create( SLMALLOC_SLAB_SIZE, ctx );
+ op.o_tmpmfuncs = &sl_mfuncs;
+
+ be.bd_info = cm->bi;
+ be.be_private = cm->be_private;
+
+ cm->cc_arg = arg;
+
+ for (i=0; qm->templates[i].querystr.bv_val; i++) {
+ templ = qm->templates + i;
+ query = templ->query_last;
+ if ( query ) pause = 0;
+ op.o_time = slap_get_time();
+ ldap_pvt_thread_mutex_lock(&cm->remove_mutex);
+ while (query && (query->expiry_time < op.o_time)) {
+ ldap_pvt_thread_mutex_lock(&qm->lru_mutex);
+ remove_query(qm, query);
+ ldap_pvt_thread_mutex_unlock(&qm->lru_mutex);
+#ifdef NEW_LOGGING
+ LDAP_LOG( BACK_META, DETAIL1, "Lock CR index = %d\n",
+ i, 0, 0 );
+#else /* !NEW_LOGGING */
+ Debug( LDAP_DEBUG_ANY, "Lock CR index = %d\n",
+ i, 0, 0 );
+#endif /* !NEW_LOGGING */
+ ldap_pvt_thread_rdwr_wlock(&templ->t_rwlock);
+ remove_from_template(query, templ);
+#ifdef NEW_LOGGING
+ LDAP_LOG( BACK_META, DETAIL1,
+ "TEMPLATE %d QUERIES-- %d\n",
+ i, templ->no_of_queries, 0 );
+#else /* !NEW_LOGGING */
+ Debug( LDAP_DEBUG_ANY, "TEMPLATE %d QUERIES-- %d\n",
+ i, templ->no_of_queries, 0 );
+#endif /* !NEW_LOGGING */
+#ifdef NEW_LOGGING
+ LDAP_LOG( BACK_META, DETAIL1, "Unlock CR index = %d\n",
+ i, 0, 0 );
+#else /* !NEW_LOGGING */
+ Debug( LDAP_DEBUG_ANY, "Unlock CR index = %d\n",
+ i, 0, 0 );
+#endif /* !NEW_LOGGING */
+ ldap_pvt_thread_rdwr_wunlock(&templ->t_rwlock);
+ return_val = remove_query_data(&op, &rs, &query->q_uuid);
+#ifdef NEW_LOGGING
+ LDAP_LOG( BACK_META, DETAIL1,
+ "STALE QUERY REMOVED, SIZE=%d\n",
+ return_val, 0, 0 );
+#else /* !NEW_LOGGING */
+ Debug( LDAP_DEBUG_ANY, "STALE QUERY REMOVED, SIZE=%d\n",
+ return_val, 0, 0 );
+#endif /* !NEW_LOGGING */
+ ldap_pvt_thread_mutex_lock(&cm->cache_mutex);
+ cm->cur_entries -= return_val;
+ cm->num_cached_queries--;
+#ifdef NEW_LOGGING
+ LDAP_LOG( BACK_META, DETAIL1, "STORED QUERIES = %lu\n",
+ cm->num_cached_queries, 0, 0 );
+#else /* !NEW_LOGGING */
+ Debug( LDAP_DEBUG_ANY, "STORED QUERIES = %lu\n",
+ cm->num_cached_queries, 0, 0 );
+#endif /* !NEW_LOGGING */
+ ldap_pvt_thread_mutex_unlock(&cm->cache_mutex);
+#ifdef NEW_LOGGING
+ LDAP_LOG( BACK_META, DETAIL1,
+ "STALE QUERY REMOVED, CACHE ="
+ "%d entries\n",
+ cm->cur_entries, 0, 0 );
+#else /* !NEW_LOGGING */
+ Debug( LDAP_DEBUG_ANY,
+ "STALE QUERY REMOVED, CACHE ="
+ "%d entries\n",
+ cm->cur_entries, 0, 0 );
+#endif /* !NEW_LOGGING */
+ query_prev = query;
+ query = query->prev;
+ free_query(query_prev);
+ }
+ ldap_pvt_thread_mutex_unlock(&cm->remove_mutex);
+ }
+ /* If there were no queries, defer processing for a while */
+ if ( pause ) {
+ ldap_pvt_thread_mutex_lock( &syncrepl_rq.rq_mutex );
+ cm->cc_paused = 1;
+ if ( ldap_pvt_runqueue_isrunning( &syncrepl_rq, rtask )) {
+ ldap_pvt_runqueue_stoptask( &syncrepl_rq, rtask );
+ }
+ ldap_pvt_runqueue_resched( &syncrepl_rq, rtask, 1 );
+ ldap_pvt_thread_mutex_unlock( &syncrepl_rq.rq_mutex );
+ }
+ return NULL;
+}
+
+
+#define MAX_ATTR_SETS 500
+static void find_supersets( struct attr_set* attr_sets, int numsets );
+static int compare_sets( struct attr_set* setA, int, int );
+
+static int
+proxy_cache_config(
+ BackendDB *be,
+ const char *fname,
+ int lineno,
+ int argc,
+ char **argv
+)
+{
+ slap_overinst *on = (slap_overinst *)be->bd_info;
+ cache_manager* cm = on->on_bi.bi_private;
+ query_manager* qm = cm->qm;
+ QueryTemplate* temp;
+ AttributeName* attr_name;
+ AttributeName* attrarray;
+ const char* text=NULL;
+ void *private = be->be_private;
+
+ int index, i;
+ int num;
+
+ if ( strcasecmp( argv[0], "proxycache" ) == 0 ) {
+ if ( argc < 6 ) {
+ fprintf( stderr, "%s: line %d: missing arguments in \"proxycache"
+ " <backend> <max_entries> <numattrsets> <entry limit> "
+ "<cycle_time>\"\n", fname, lineno );
+ return( 1 );
+ }
+
+ cm->bi = backend_info( argv[1] );
+ if ( !cm->bi ) {
+ fprintf( stderr, "%s: line %d: backend %s unknown\n",
+ fname, lineno, argv[1] );
+ return( 1 );
+ }
+ be->be_private = NULL;
+ i = cm->bi->bi_db_init( be );
+ cm->be_private = be->be_private;
+ be->be_private = private;
+ if ( i ) return( 1 );
+
+ cm->max_entries = atoi( argv[2] );
+
+ cm->numattrsets = atoi( argv[3] );
+ if ( cm->numattrsets > MAX_ATTR_SETS ) {
+ fprintf( stderr, "%s: line %d: numattrsets must be <= %d\n",
+ fname, lineno, MAX_ATTR_SETS );
+ return( 1 );
+ }
+
+ cm->num_entries_limit = atoi( argv[4] );
+ cm->cc_period = atoi( argv[5] );
+#ifdef NEW_LOGGING
+ LDAP_LOG( BACK_META, DETAIL1,
+ "Total # of attribute sets to be cached = %d\n",
+ cm->numattrsets, 0, 0 );
+#else
+ Debug( LDAP_DEBUG_ANY,
+ "Total # of attribute sets to be cached = %d\n",
+ cm->numattrsets, 0, 0 );
+#endif
+ qm->attr_sets = ( struct attr_set * )ch_malloc( cm->numattrsets *
+ sizeof( struct attr_set ));
+ for ( i = 0; i < cm->numattrsets; i++ ) {
+ qm->attr_sets[i].attrs = NULL;
+ }
+
+ } else if ( strcasecmp( argv[0], "proxyattrset" ) == 0 ) {
+ if ( argc < 3 ) {
+ fprintf( stderr, "%s: line %d: missing arguments in \"proxyattrset "
+ "<index> <attributes>\"\n", fname, lineno );
+ return( 1 );
+ }
+#ifdef NEW_LOGGING
+ LDAP_LOG( BACK_META, DETAIL1, "Attribute Set # %d\n",
+ atoi( argv[1] ), 0, 0 );
+#else
+ Debug( LDAP_DEBUG_ANY, "Attribute Set # %d\n",
+ atoi( argv[1] ), 0, 0 );
+#endif
+ if (atoi(argv[1]) >= cm->numattrsets) {
+ fprintf( stderr, "%s; line %d index out of bounds \n",
+ fname, lineno );
+ return 1;
+ }
+ index = atoi( argv[1] );
+ if ( argv[2] && strcmp( argv[2], "*" ) ) {
+ qm->attr_sets[index].count = argc - 2;
+ qm->attr_sets[index].attrs = (AttributeName*)ch_malloc(
+ (argc-1) * sizeof( AttributeName ));
+ attr_name = qm->attr_sets[index].attrs;
+ for ( i = 2; i < argc; i++ ) {
+#ifdef NEW_LOGGING
+ LDAP_LOG( BACK_META, DETAIL1, "\t %s\n",
+ argv[i], 0, 0 );
+#else
+ Debug( LDAP_DEBUG_ANY, "\t %s\n",
+ argv[i], 0, 0 );
+#endif
+ ber_str2bv( argv[i], 0, 1,
+ &attr_name->an_name);
+ attr_name->an_desc = NULL;
+ slap_bv2ad( &attr_name->an_name,
+ &attr_name->an_desc, &text );
+ attr_name++;
+ attr_name->an_name.bv_val = NULL;
+ attr_name->an_name.bv_len = 0;
+ }
+ }
+ } else if ( strcasecmp( argv[0], "proxytemplate" ) == 0 ) {
+ if ( argc != 4 ) {
+ fprintf( stderr, "%s: line %d: missing argument(s) in "
+ "\"proxytemplate <filter> <proj attr set> <TTL>\" line\n",
+ fname, lineno );
+ return( 1 );
+ }
+ if (( i = atoi( argv[2] )) >= cm->numattrsets ) {
+#ifdef NEW_LOGGING
+ LDAP_LOG( BACK_META, DETAIL1,
+ "%s: line %d, template index invalid\n",
+ fname, lineno, 0 );
+#else
+ Debug( LDAP_DEBUG_ANY,
+ "%s: line %d, template index invalid\n",
+ fname, lineno, 0 );
+#endif
+ return 1;
+ }
+ num = cm->numtemplates;
+ if ( num == 0 )
+ find_supersets( qm->attr_sets, cm->numattrsets );
+ qm->templates = ( QueryTemplate* )ch_realloc( qm->templates,
+ ( num + 2 ) * sizeof( QueryTemplate ));
+ temp = qm->templates + num;
+ ldap_pvt_thread_rdwr_init( &temp->t_rwlock );
+ temp->query = temp->query_last = NULL;
+ temp->ttl = atoi( argv[3] );
+ temp->no_of_queries = 0;
+ if ( argv[1] == NULL ) {
+#ifdef NEW_LOGGING
+ LDAP_LOG( BACK_META, DETAIL1,
+ "Templates string not specified "
+ "for template %d\n", num, 0, 0 );
+#else
+ Debug( LDAP_DEBUG_ANY,
+ "Templates string not specified "
+ "for template %d\n", num, 0, 0 );
+#endif
+ return 1;
+ }
+ ber_str2bv( argv[1], 0, 1, &temp->querystr );
+#ifdef NEW_LOGGING
+ LDAP_LOG( BACK_META, DETAIL1, "Template:\n", 0, 0, 0 );
+#else
+ Debug( LDAP_DEBUG_ANY, "Template:\n", 0, 0, 0 );
+#endif
+#ifdef NEW_LOGGING
+ LDAP_LOG( BACK_META, DETAIL1, " query template: %s\n",
+ temp->querystr.bv_val, 0, 0 );
+#else
+ Debug( LDAP_DEBUG_ANY, " query template: %s\n",
+ temp->querystr.bv_val, 0, 0 );
+#endif
+ temp->attr_set_index = i;
+#ifdef NEW_LOGGING
+ LDAP_LOG( BACK_META, DETAIL1, " attributes: \n", 0, 0, 0 );
+#else
+ Debug( LDAP_DEBUG_ANY, " attributes: \n", 0, 0, 0 );
+#endif
+ if ( ( attrarray = qm->attr_sets[i].attrs ) != NULL ) {
+ for ( i=0; attrarray[i].an_name.bv_val; i++ )
+#ifdef NEW_LOGGING
+ LDAP_LOG( BACK_META, DETAIL1, "\t%s\n",
+ attrarray[i].an_name.bv_val, 0, 0 );
+#else
+ Debug( LDAP_DEBUG_ANY, "\t%s\n",
+ attrarray[i].an_name.bv_val, 0, 0 );
+#endif
+ }
+ temp++;
+ temp->querystr.bv_val = NULL;
+ cm->numtemplates++;
+ }
+ /* anything else */
+ else {
+ be->be_private = cm->be_private;
+ i = cm->bi->bi_db_config( be, fname, lineno, argc, argv );
+ be->be_private = private;
+ return i;
+ }
+ return 0;
+}
+
+static int
+proxy_cache_init(
+ BackendDB *be
+)
+{
+ slap_overinst *on = (slap_overinst *)be->bd_info;
+ cache_manager *cm;
+ query_manager *qm;
+
+ cm = (cache_manager *)ch_malloc(sizeof(cache_manager));
+ on->on_bi.bi_private = cm;
+
+ qm = (query_manager*)ch_malloc(sizeof(query_manager));
+
+ cm->qm = qm;
+ cm->numattrsets = 0;
+ cm->numtemplates = 0;
+ cm->num_entries_limit = 5;
+ cm->num_cached_queries = 0;
+ cm->max_entries = 0;
+ cm->cur_entries = 0;
+ cm->max_queries = 10000;
+ cm->cc_period = 1000;
+ cm->cc_paused = 0;
+
+ qm->attr_sets = NULL;
+ qm->templates = NULL;
+ qm->lru_top = NULL;
+ qm->lru_bottom = NULL;
+
+ qm->qcfunc = query_containment;
+ qm->crfunc = cache_replacement;
+ qm->addfunc = add_query;
+ ldap_pvt_thread_mutex_init(&qm->lru_mutex);
+
+ ldap_pvt_thread_mutex_init(&cm->cache_mutex);
+ ldap_pvt_thread_mutex_init(&cm->remove_mutex);
+ return 0;
+}
+
+static int
+proxy_cache_open(
+ BackendDB *be
+)
+{
+ slap_overinst *on = (slap_overinst *)be->bd_info;
+ cache_manager *cm = on->on_bi.bi_private;
+ void *private = be->be_private;
+ int rc = 0;
+
+ if ( cm->be_private && cm->bi->bi_db_open ) {
+ be->be_private = cm->be_private;
+ rc = cm->bi->bi_db_open( be );
+ be->be_private = private;
+ }
+
+ ldap_pvt_thread_mutex_lock( &syncrepl_rq.rq_mutex );
+ ldap_pvt_runqueue_insert( &syncrepl_rq, cm->cc_period,
+ consistency_check, on );
+ ldap_pvt_thread_mutex_unlock( &syncrepl_rq.rq_mutex );
+
+ return rc;
+}
+
+static int
+proxy_cache_close(
+ BackendDB *be
+)
+{
+ slap_overinst *on = (slap_overinst *)be->bd_info;
+ cache_manager *cm = on->on_bi.bi_private;
+ query_manager *qm = cm->qm;
+ void *private = be->be_private;
+ int i, j, rc = 0;
+
+ if ( cm->be_private && cm->bi->bi_db_close ) {
+ be->be_private = cm->be_private;
+ rc = cm->bi->bi_db_close( be );
+ be->be_private = private;
+ }
+ for ( i=0; i<cm->numtemplates; i++ ) {
+ CachedQuery *qc, *qn;
+ for ( qc = qm->templates[i].query; qc; qc = qn ) {
+ qn = qc->next;
+ free_query( qc );
+ }
+ free( qm->templates[i].querystr.bv_val );
+ ldap_pvt_thread_rdwr_destroy( &qm->templates[i].t_rwlock );
+ }
+ free( qm->templates );
+ qm->templates = NULL;
+
+ for ( i=0; i<cm->numattrsets; i++ ) {
+ free( qm->attr_sets[i].ID_array );
+ for ( j=0; j<qm->attr_sets[i].count; j++ ) {
+ free( qm->attr_sets[i].attrs[j].an_name.bv_val );
+ }
+ free( qm->attr_sets[i].attrs );
+ }
+ free( qm->attr_sets );
+ qm->attr_sets = NULL;
+
+ return rc;
+}
+
+static int
+proxy_cache_destroy(
+ BackendDB *be
+)
+{
+ slap_overinst *on = (slap_overinst *)be->bd_info;
+ cache_manager *cm = on->on_bi.bi_private;
+ query_manager *qm = cm->qm;
+ void *private = be->be_private;
+ int rc = 0;
+
+ if ( cm->be_private && cm->bi->bi_db_destroy ) {
+ be->be_private = cm->be_private;
+ rc = cm->bi->bi_db_destroy( be );
+ be->be_private = private;
+ }
+ ldap_pvt_thread_mutex_destroy(&qm->lru_mutex);
+ ldap_pvt_thread_mutex_destroy(&cm->cache_mutex);
+ ldap_pvt_thread_mutex_destroy(&cm->remove_mutex);
+ free( qm );
+ free( cm );
+ return rc;
+}
+
+static void
+find_supersets ( struct attr_set* attr_sets, int numsets )
+{
+ int num[MAX_ATTR_SETS];
+ int i, j, res;
+ int* id_array;
+ for ( i = 0; i < MAX_ATTR_SETS; i++ )
+ num[i] = 0;
+
+ for ( i = 0; i < numsets; i++ ) {
+ attr_sets[i].ID_array = (int*) ch_malloc( sizeof( int ) );
+ attr_sets[i].ID_array[0] = -1;
+ }
+
+ for ( i = 0; i < numsets; i++ ) {
+ for ( j=i+1; j < numsets; j++ ) {
+ res = compare_sets( attr_sets, i, j );
+ switch ( res ) {
+ case 0:
+ break;
+ case 3:
+ case 1:
+ id_array = attr_sets[i].ID_array;
+ attr_sets[i].ID_array = (int *) ch_realloc( id_array,
+ ( num[i] + 2 ) * sizeof( int ));
+ attr_sets[i].ID_array[num[i]] = j;
+ attr_sets[i].ID_array[num[i]+1] = -1;
+ num[i]++;
+ if (res == 1)
+ break;
+ case 2:
+ id_array = attr_sets[j].ID_array;
+ attr_sets[j].ID_array = (int *) ch_realloc( id_array,
+ ( num[j] + 2 ) * sizeof( int ));
+ attr_sets[j].ID_array[num[j]] = i;
+ attr_sets[j].ID_array[num[j]+1] = -1;
+ num[j]++;
+ break;
+ }
+ }
+ }
+}
+
+/*
+ * compares two sets of attributes (indices i and j)
+ * returns 0: if neither set is contained in the other set
+ * 1: if set i is contained in set j
+ * 2: if set j is contained in set i
+ * 3: the sets are equivalent
+ */
+
+static int
+compare_sets(struct attr_set* set, int i, int j)
+{
+ int k,l,numI,numJ;
+ int common=0;
+ int result=0;
+
+ if (( set[i].attrs == NULL ) && ( set[j].attrs == NULL ))
+ return 3;
+
+ if ( set[i].attrs == NULL )
+ return 2;
+
+ if ( set[j].attrs == NULL )
+ return 1;
+
+ numI = set[i].count;
+ numJ = set[j].count;
+
+ for ( l=0; l < numI; l++ ) {
+ for ( k = 0; k < numJ; k++ ) {
+ if ( strcmp( set[i].attrs[l].an_name.bv_val,
+ set[j].attrs[k].an_name.bv_val ) == 0 )
+ common++;
+ }
+ }
+
+ if ( common == numI )
+ result = 1;
+
+ if ( common == numJ )
+ result += 2;
+
+ return result;
+}
+
+static slap_overinst proxy_cache;
+
+int pcache_init()
+{
+ LDAPAttributeType *at;
+ int code;
+ const char *err;
+
+ at = ldap_str2attributetype( queryid_schema, &code, &err,
+ LDAP_SCHEMA_ALLOW_ALL );
+ if ( !at ) {
+ fprintf( stderr, "AttributeType Load failed %s %s\n",
+ ldap_scherr2str(code), err );
+ return code;
+ }
+ code = at_add( at, &err );
+ if ( !code ) {
+ slap_str2ad( at->at_names[0], &ad_queryid, &err );
+ }
+ ldap_memfree( at );
+ if ( code ) {
+ fprintf( stderr, "AttributeType Load failed %s %s\n",
+ scherr2str(code), err );
+ return code;
+ }
+
+ proxy_cache.on_bi.bi_type = "proxycache";
+ proxy_cache.on_bi.bi_db_init = proxy_cache_init;
+ proxy_cache.on_bi.bi_db_config = proxy_cache_config;
+ proxy_cache.on_bi.bi_db_open = proxy_cache_open;
+ proxy_cache.on_bi.bi_db_close = proxy_cache_close;
+ proxy_cache.on_bi.bi_db_destroy = proxy_cache_destroy;
+ proxy_cache.on_bi.bi_op_search = proxy_cache_search;
+
+ return overlay_register( &proxy_cache );
+}
+
+#if SLAPD_OVER_PROXYCACHE == SLAPD_MOD_DYNAMIC
+int init_module(int argc, char *argv[]) {
+ return pcache_init();
+}
+#endif
+
+#endif /* defined(SLAPD_OVER_PROXYCACHE) */
Operation *op,
SlapReply *rs )
{
+ struct berval id = {0, NULL}, old = {0, NULL}, new = {0, NULL},
+ dn, ndn, hash, vals[2], tmpbv, *rsp = NULL;
+ Modifications ml, **modtail;
+ Operation op2;
+ slap_callback cb = { NULL, slap_null_cb, NULL, NULL };
+
assert( ber_bvcmp( &slap_EXOP_MODIFY_PASSWD, &op->ore_reqoid ) == 0 );
if( op->o_dn.bv_len == 0 ) {
return LDAP_STRONG_AUTH_REQUIRED;
}
- ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex );
- op->o_bd = op->o_conn->c_authz_backend;
- ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex );
-
- if( op->o_bd && !op->o_bd->be_extended ) {
- rs->sr_text = "operation not supported for current user";
- return LDAP_UNWILLING_TO_PERFORM;
+ if( op->oq_extended.rs_reqdata ) {
+ ber_dupbv_x( &tmpbv, op->oq_extended.rs_reqdata, op->o_tmpmemctx );
}
+ rs->sr_err = slap_passwd_parse(
+ op->oq_extended.rs_reqdata ? &tmpbv : NULL,
+ &id, &old, &new, &rs->sr_text );
- if (backend_check_restrictions( op, rs,
- (struct berval *)&slap_EXOP_MODIFY_PASSWD ) != LDAP_SUCCESS) {
+ if ( rs->sr_err != LDAP_SUCCESS ) {
return rs->sr_err;
}
+ if ( id.bv_len ) {
+ dn = id;
+ /* ndn is in tmpmem, so we don't need to free it */
+ rs->sr_err = dnNormalize( 0, NULL, NULL, &dn, &ndn, op->o_tmpmemctx );
+ if ( rs->sr_err != LDAP_SUCCESS ) {
+ rs->sr_text = "Invalid DN";
+ return rs->sr_err;
+ }
+ op->o_bd = select_backend( &ndn, 0, 0 );
+ } else {
+ dn = op->o_dn;
+ ndn = op->o_ndn;
+ ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex );
+ op->o_bd = op->o_conn->c_authz_backend;
+ ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex );
+ }
+
if( op->o_bd == NULL ) {
#ifdef HAVE_CYRUS_SASL
- rs->sr_err = slap_sasl_setpass( op, rs );
+ return slap_sasl_setpass( op, rs );
#else
rs->sr_text = "no authz backend";
- rs->sr_err = LDAP_OTHER;
+ return LDAP_OTHER;
#endif
+ }
+
+ if ( ndn.bv_len == 0 ) {
+ rs->sr_text = "no password is associated with the Root DSE";
+ return LDAP_UNWILLING_TO_PERFORM;
+ }
+
+ if (backend_check_restrictions( op, rs,
+ (struct berval *)&slap_EXOP_MODIFY_PASSWD ) != LDAP_SUCCESS) {
+ return rs->sr_err;
+ }
+
#ifndef SLAPD_MULTIMASTER
/* This does not apply to multi-master case */
- } else if( op->o_bd->be_update_ndn.bv_len ) {
+ if( op->o_bd->be_update_ndn.bv_len ) {
/* we SHOULD return a referral in this case */
BerVarray defref = NULL;
if ( !LDAP_STAILQ_EMPTY( &op->o_bd->be_syncinfo )) {
NULL, NULL, LDAP_SCOPE_DEFAULT );
}
rs->sr_ref = defref;
- rs->sr_err = LDAP_REFERRAL;
+ return LDAP_REFERRAL;
+ }
#endif /* !SLAPD_MULTIMASTER */
- } else {
+ /* Give the backend a chance to handle this itself */
+ if ( op->o_bd->be_extended ) {
rs->sr_err = op->o_bd->be_extended( op, rs );
+ if ( rs->sr_err != LDAP_UNWILLING_TO_PERFORM ) {
+ return rs->sr_err;
+ }
+ }
+
+ /* The backend didn't handle it, so try it here */
+ if( op->o_bd && !op->o_bd->be_modify ) {
+ rs->sr_text = "operation not supported for current user";
+ return LDAP_UNWILLING_TO_PERFORM;
}
+ if ( new.bv_len == 0 ) {
+ slap_passwd_generate( &new );
+ rsp = slap_passwd_return( &new );
+ }
+ if ( new.bv_len == 0 ) {
+ rs->sr_text = "password generation failed";
+ return LDAP_OTHER;
+ }
+ slap_passwd_hash( &new, &hash, &rs->sr_text );
+ if ( rsp ) {
+ free( new.bv_val );
+ }
+ if ( hash.bv_len == 0 ) {
+ if ( !rs->sr_text ) {
+ rs->sr_text = "password hash failed";
+ }
+ return LDAP_OTHER;
+ }
+ vals[0] = hash;
+ vals[1].bv_val = NULL;
+ ml.sml_desc = slap_schema.si_ad_userPassword;
+ ml.sml_values = vals;
+ ml.sml_nvalues = NULL;
+ ml.sml_op = LDAP_MOD_REPLACE;
+ ml.sml_next = NULL;
+
+ op2 = *op;
+ op2.o_tag = LDAP_REQ_MODIFY;
+ op2.o_callback = &cb;
+ op2.o_req_dn = dn;
+ op2.o_req_ndn = ndn;
+ op2.orm_modlist = &ml;
+
+ modtail = &ml.sml_next;
+ rs->sr_err = slap_mods_opattrs( &op2, &ml, modtail, &rs->sr_text,
+ NULL, 0 );
+
+ if ( rs->sr_err == LDAP_SUCCESS ) {
+ rs->sr_err = op2.o_bd->be_modify( &op2, rs );
+ }
+ if ( rs->sr_err == LDAP_SUCCESS ) {
+ replog( &op2 );
+ rs->sr_rspdata = rsp;
+ } else if ( rsp ) {
+ ber_bvfree( rsp );
+ }
+ slap_mods_free( ml.sml_next );
+ free( hash.bv_val );
+
return rs->sr_err;
}
{
int rc = LDAP_SUCCESS;
ber_tag_t tag;
- ber_len_t len;
+ ber_len_t len = -1;
BerElementBuffer berbuf;
BerElement *ber = (BerElement *)&berbuf;
tag = ber_scanf( ber, "{" /*}*/ );
- if( tag != LBER_ERROR ) {
- tag = ber_peek_tag( ber, &len );
+ if( tag == LBER_ERROR ) {
+#ifdef NEW_LOGGING
+ LDAP_LOG( OPERATION, ERR,
+ "slap_passwd_parse: decoding error\n", 0, 0, 0 );
+#else
+ Debug( LDAP_DEBUG_TRACE,
+ "slap_passwd_parse: decoding error\n", 0, 0, 0 );
+#endif
+ rc = LDAP_PROTOCOL_ERROR;
+ goto done;
}
+ tag = ber_peek_tag( ber, &len );
if( tag == LDAP_TAG_EXOP_MODIFY_PASSWD_ID ) {
if( id == NULL ) {
#ifdef NEW_LOGGING
int repl_user, int dup, const char **text, char *textbuf, size_t textlen ));
LDAP_SLAPD_F (int) slap_entry2mods LDAP_P(( Entry *e,
- Modifications **mods, const char **text ));
+ Modifications **mods, const char **text,
+ char *textbuf, size_t textlen ));
/*
* at.c
LDAP_SLAPD_F (Attribute *) slap_operational_subschemaSubentry( Backend *be );
LDAP_SLAPD_F (Attribute *) slap_operational_hasSubordinate( int has );
+/*
+ * overlays.c
+ */
+LDAP_SLAPD_F (int) overlay_init( void );
+
/*
* passwd.c
*/
LDAP_SLAPD_F (void) slap_send_search_result LDAP_P(( Operation *op, SlapReply *rs ));
LDAP_SLAPD_F (int) slap_send_search_reference LDAP_P(( Operation *op, SlapReply *rs ));
LDAP_SLAPD_F (int) slap_send_search_entry LDAP_P(( Operation *op, SlapReply *rs ));
+LDAP_SLAPD_F (int) slap_null_cb LDAP_P(( Operation *op, SlapReply *rs ));
LDAP_SLAPD_V( const struct berval ) slap_pre_read_bv;
LDAP_SLAPD_V( const struct berval ) slap_post_read_bv;
/*
* saslauthz.c
*/
+LDAP_SLAPD_F (int) slap_parse_user LDAP_P((
+ struct berval *id, struct berval *user,
+ struct berval *realm, struct berval *mech ));
LDAP_SLAPD_F (void) slap_sasl2dn LDAP_P((
Operation *op,
struct berval *saslname,
LDAP_SLAPD_F (void *) sl_mem_create LDAP_P(( ber_len_t size, void *ctx ));
LDAP_SLAPD_F (void) sl_mem_detach LDAP_P(( void *ctx, void *memctx ));
LDAP_SLAPD_F (void) sl_mem_destroy LDAP_P(( void *key, void *data ));
-LDAP_SLAPD_F (void *) sl_mark LDAP_P(( void *ctx ));
-LDAP_SLAPD_F (void) sl_release LDAP_P(( void *, void *ctx ));
LDAP_SLAPD_F (void *) sl_context LDAP_P(( void *ptr ));
/*
#if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
LDAP_SLAPD_V (ldap_pvt_thread_mutex_t) passwd_mutex;
#endif
+#ifndef HAVE_GMTIME_R
LDAP_SLAPD_V (ldap_pvt_thread_mutex_t) gmtime_mutex;
+#endif
LDAP_SLAPD_V (AccessControl *) global_acl;
#include "slapi.h"
#endif
+int slap_null_cb( Operation *op, SlapReply *rs )
+{
+ return 0;
+}
+
static char *v2ref( BerVarray ref, const char *text )
{
size_t len = 0, i = 0;
int rc;
long bytes;
- if (op->o_callback && op->o_callback->sc_response) {
- rc = op->o_callback->sc_response( op, rs );
- if ( rc != SLAP_CB_CONTINUE ) return;
+ if (op->o_callback) {
+ slap_callback *sc = op->o_callback;
+ for ( ; op->o_callback; ) {
+ if ( op->o_callback->sc_response ) {
+ rc = op->o_callback->sc_response( op, rs );
+ if ( rc != SLAP_CB_CONTINUE ) break;
+ }
+ op->o_callback = op->o_callback->sc_next;
+ }
+ op->o_callback = sc;
+ if ( rc != SLAP_CB_CONTINUE ) goto cleanup;
}
#ifdef LDAP_CONNECTIONLESS
if (!op->o_conn || op->o_conn->c_is_udp == 0)
#endif
ber_free_buf( ber );
- return;
+ goto cleanup;
}
/* send BER */
0, 0, 0 );
#endif
- return;
+ goto cleanup;
}
#ifdef LDAP_SLAPI
num_bytes_sent += bytes;
num_pdu_sent++;
ldap_pvt_thread_mutex_unlock( &num_sent_mutex );
+
+cleanup:;
+ if ( rs->sr_matched && rs->sr_flags & REP_MATCHED_MUSTBEFREED ) {
+ free( (char *)rs->sr_matched );
+ rs->sr_matched = NULL;
+ }
+
+ if (op->o_callback) {
+ slap_callback *sc = op->o_callback;
+ for ( ; op->o_callback; op->o_callback = op->o_callback->sc_next ) {
+ if ( op->o_callback->sc_cleanup ) {
+ op->o_callback->sc_cleanup( op, rs );
+ }
+ }
+ op->o_callback = sc;
+ }
+
return;
}
computed_attr_context ctx;
AttributeName *anp;
#endif
- void *mark = NULL;
-
AttributeDescription *ad_entry = slap_schema.si_ad_entry;
/* a_flags: array of flags telling if the i-th element will be
char **e_flags = NULL;
rs->sr_type = REP_SEARCH;
- if (op->o_callback && op->o_callback->sc_response) {
- rc = op->o_callback->sc_response( op, rs );
- if ( rc != SLAP_CB_CONTINUE ) return rc;
+ if (op->o_callback) {
+ slap_callback *sc = op->o_callback;
+ for ( ; op->o_callback; ) {
+ if ( op->o_callback->sc_response ) {
+ rc = op->o_callback->sc_response( op, rs );
+ if ( rc != SLAP_CB_CONTINUE ) break;
+ }
+ op->o_callback = op->o_callback->sc_next;
+ }
+ op->o_callback = sc;
+ if ( rc != SLAP_CB_CONTINUE ) goto error_return;
}
#ifdef NEW_LOGGING
op->ors_attrsonly ? " (attrsOnly)" : "", 0 );
#endif
- mark = sl_mark( op->o_tmpmemctx );
-
if ( !access_allowed( op, rs->sr_entry, ad_entry, NULL, ACL_READ, NULL )) {
#ifdef NEW_LOGGING
LDAP_LOG( ACL, INFO,
0, 0, 0 );
#endif
- sl_release( mark, op->o_tmpmemctx );
- return( 1 );
+ rc = 1;
+ goto error_return;
}
edn = rs->sr_entry->e_nname.bv_val;
if ( op->o_res_ber == NULL ) ber_free_buf( ber );
send_ldap_error( op, rs, LDAP_OTHER, "encode entry end error" );
- sl_release( mark, op->o_tmpmemctx );
- return( 1 );
+ rc = 1;
+ goto error_return;
}
if ( op->o_res_ber == NULL ) {
0, 0, 0 );
#endif
- sl_release( mark, op->o_tmpmemctx );
- return -1;
+ rc = -1;
+ goto error_return;
}
rs->sr_nentries++;
rc = 0;
error_return:;
- sl_release( mark, op->o_tmpmemctx );
+ /* FIXME: I think rs->sr_type should be explicitly set to
+ * REP_SEARCH here. That's what it was when we entered this
+ * function. send_ldap_error may have changed it, but we
+ * should set it back so that the cleanup functions know
+ * what they're doing.
+ */
+ if ( op->o_tag == LDAP_REQ_SEARCH && rs->sr_type == REP_SEARCH
+ && rs->sr_entry
+ && (rs->sr_flags & REP_ENTRY_MUSTBEFREED) )
+ {
+ entry_free( rs->sr_entry );
+ rs->sr_entry = NULL;
+ rs->sr_flags &= ~REP_ENTRY_MUSTBEFREED;
+ }
+
if ( e_flags ) sl_free( e_flags, op->o_tmpmemctx );
+
+ if (op->o_callback) {
+ slap_callback *sc = op->o_callback;
+ for ( ; op->o_callback; op->o_callback = op->o_callback->sc_next ) {
+ if ( op->o_callback->sc_cleanup ) {
+ op->o_callback->sc_cleanup( op, rs );
+ }
+ }
+ op->o_callback = sc;
+ }
return( rc );
}
BerElement *ber = (BerElement *) &berbuf;
int rc = 0;
int bytes;
- void *mark;
AttributeDescription *ad_ref = slap_schema.si_ad_ref;
AttributeDescription *ad_entry = slap_schema.si_ad_entry;
rs->sr_type = REP_SEARCHREF;
- if (op->o_callback && op->o_callback->sc_response) {
- rc = op->o_callback->sc_response( op, rs );
- if ( rc != SLAP_CB_CONTINUE ) return rc;
+ if (op->o_callback) {
+ slap_callback *sc = op->o_callback;
+ for ( ; op->o_callback; ) {
+ if ( op->o_callback->sc_response ) {
+ rc = op->o_callback->sc_response( op, rs );
+ if ( rc != SLAP_CB_CONTINUE ) break;
+ }
+ op->o_callback = op->o_callback->sc_next;
+ }
+ op->o_callback = sc;
+ if ( rc != SLAP_CB_CONTINUE ) goto rel;
}
- mark = sl_mark( op->o_tmpmemctx );
-
#ifdef NEW_LOGGING
LDAP_LOG( OPERATION, ENTRY,
"send_search_reference: conn %lu dn=\"%s\"\n",
}
if( op->o_protocol < LDAP_VERSION3 ) {
+ rc = 0;
/* save the references for the result */
if( rs->sr_ref[0].bv_val != NULL ) {
if( value_add( &rs->sr_v2ref, rs->sr_ref ) )
- return LDAP_OTHER;
+ rc = LDAP_OTHER;
}
- rc = 0;
goto rel;
}
#endif
rel:
- sl_release( mark, op->o_tmpmemctx );
+ if (op->o_callback) {
+ slap_callback *sc = op->o_callback;
+ for ( ; op->o_callback; op->o_callback = op->o_callback->sc_next ) {
+ if ( op->o_callback->sc_cleanup ) {
+ op->o_callback->sc_cleanup( op, rs );
+ }
+ }
+ op->o_callback = sc;
+ }
return rc;
}
sasl_server_params_t *sparams;
} lookup_info;
-static slap_response sasl_ap_lookup, sasl_ap_store, sasl_cb_checkpass;
+static slap_response sasl_ap_lookup, sasl_cb_checkpass;
static int
sasl_ap_lookup( Operation *op, SlapReply *rs )
unsigned ulen)
{
Operation op = {0};
- int rc, i, doit=0;
+ int i, doit = 0;
Connection *conn = NULL;
lookup_info sl;
}
if (doit) {
- slap_callback cb = { sasl_ap_lookup, NULL };
+ slap_callback cb = { NULL, sasl_ap_lookup, NULL, NULL };
cb.sc_private = &sl;
}
#if SASL_VERSION_FULL >= 0x020110
-static int
-sasl_ap_store( Operation *op, SlapReply *rs )
-{
- return 0;
-}
-
static int
slap_auxprop_store(
void *glob_context,
Connection *conn = NULL;
const struct propval *pr;
Modifications *modlist = NULL, **modtail = &modlist, *mod;
- slap_callback cb = { sasl_ap_store, NULL };
+ slap_callback cb = { NULL, slap_null_cb, NULL, NULL };
char textbuf[SLAP_TEXT_BUFLEN];
const char *text;
size_t textlen = sizeof(textbuf);
op.o_bd = select_backend( &op.o_req_ndn, 0, 1 );
if ( op.o_bd && op.o_bd->be_search ) {
- slap_callback cb = { sasl_cb_checkpass, NULL };
+ slap_callback cb = { NULL, sasl_cb_checkpass, NULL, NULL };
SlapReply rs = {REP_RESULT};
ci.cred.bv_val = (char *)pass;
int slap_sasl_getdn( Connection *conn, Operation *op, char *id, int len,
char *user_realm, struct berval *dn, int flags )
{
- char *c1;
int rc, is_dn = SET_NONE, do_norm = 1;
- struct berval dn2;
+ struct berval dn2, *mech;
+
+ assert( conn );
#ifdef NEW_LOGGING
LDAP_LOG( TRANSPORT, ENTRY,
"slap_sasl_getdn: conn %d id=%s [len=%d]\n",
- conn ? conn->c_connid : -1, id ? (*id ? id : "<empty>") : "NULL", len );
+ conn->c_connid, id ? (*id ? id : "<empty>") : "NULL", len );
#else
Debug( LDAP_DEBUG_ARGS, "slap_sasl_getdn: id=%s [len=%d]\n",
id ? ( *id ? id : "<empty>" ) : "NULL", len, 0 );
len = 0;
}
+ if ( conn->c_sasl_bind_mech.bv_len ) {
+ mech = &conn->c_sasl_bind_mech;
+ } else {
+ mech = &conn->c_authmech;
+ }
+
/* An authcID needs to be converted to authzID form. Set the
* values directly into *dn; they will be normalized later. (and
* normalizing always makes a new copy.) An ID from a TLS certificate
* is already normalized, so copy it and skip normalization.
*/
if( flags & SLAP_GETDN_AUTHCID ) {
- if( conn->c_sasl_bind_mech.bv_len == ext_bv.bv_len &&
- strcasecmp( ext_bv.bv_val, conn->c_sasl_bind_mech.bv_val ) == 0 )
+ if( mech->bv_len == ext_bv.bv_len &&
+ strcasecmp( ext_bv.bv_val, mech->bv_val ) == 0 )
{
/* EXTERNAL DNs are already normalized */
do_norm = 0;
/* Username strings */
if( is_dn == SET_U ) {
- char *p, *realm;
+ char *p;
+ struct berval realm = { 0, NULL }, c1 = *dn;
+
len = dn->bv_len + sizeof("uid=")-1 + sizeof(",cn=auth")-1;
+#if 0
/* username may have embedded realm name */
- if( ( realm = strchr( dn->bv_val, '@') ) ) {
- *realm++ = '\0';
- len += sizeof(",cn=")-2;
- } else if( user_realm && *user_realm ) {
- len += strlen( user_realm ) + sizeof(",cn=")-1;
+ /* FIXME:
+ * userids can legally have embedded '@' chars;
+ * the relm should be set by those mechanisms
+ * that support it by means of the user_realm
+ * variable
+ */
+ if( ( realm.bv_val = strrchr( dn->bv_val, '@') ) ) {
+ char *r = realm.bv_val;
+
+ realm.bv_val++;
+ realm.bv_len = dn->bv_len - ( realm.bv_val - dn->bv_val );
+ len += sizeof( ",cn=" ) - 2;
+ c1.bv_len -= realm.bv_len + 1;
+
+ if ( strchr( dn->bv_val, '@') == r ) {
+ /* FIXME: ambiguity, is it the realm
+ * or something else? */
+ }
+
+ } else
+#endif
+ if( user_realm && *user_realm ) {
+ realm.bv_val = user_realm;
+ realm.bv_len = strlen( user_realm );
+ len += realm.bv_len + sizeof(",cn=") - 1;
}
- if( conn->c_sasl_bind_mech.bv_len ) {
- len += conn->c_sasl_bind_mech.bv_len + sizeof(",cn=")-1;
+ if( mech->bv_len ) {
+ len += mech->bv_len + sizeof(",cn=")-1;
}
/* Build the new dn */
- c1 = dn->bv_val;
dn->bv_val = sl_malloc( len+1, op->o_tmpmemctx );
if( dn->bv_val == NULL ) {
#ifdef NEW_LOGGING
return LDAP_OTHER;
}
p = lutil_strcopy( dn->bv_val, "uid=" );
- p = lutil_strncopy( p, c1, dn->bv_len );
+ p = lutil_strncopy( p, c1.bv_val, c1.bv_len );
- if( realm ) {
- int rlen = dn->bv_len - ( realm - c1 );
- p = lutil_strcopy( p, ",cn=" );
- p = lutil_strncopy( p, realm, rlen );
- realm[-1] = '@';
- } else if( user_realm && *user_realm ) {
+ if( realm.bv_len ) {
p = lutil_strcopy( p, ",cn=" );
- p = lutil_strcopy( p, user_realm );
+ p = lutil_strncopy( p, realm.bv_val, realm.bv_len );
}
- if( conn->c_sasl_bind_mech.bv_len ) {
+ if( mech->bv_len ) {
p = lutil_strcopy( p, ",cn=" );
- p = lutil_strcopy( p, conn->c_sasl_bind_mech.bv_val );
+ p = lutil_strcopy( p, mech->bv_val );
}
p = lutil_strcopy( p, ",cn=auth" );
dn->bv_len = p - dn->bv_val;
LDAP_LOG( TRANSPORT, ENTRY,
"slap_sasl_getdn: u:id converted to %s.\n", dn->bv_val, 0, 0 );
#else
- Debug( LDAP_DEBUG_TRACE, "getdn: u:id converted to %s\n", dn->bv_val,0,0 );
+ Debug( LDAP_DEBUG_TRACE, "slap_sasl_getdn: u:id converted to %s\n", dn->bv_val,0,0 );
#endif
} else {
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 1998-2003 The OpenLDAP Foundation.
+ * Portions Copyright 2000 Mark Adamson, Carnegie Mellon.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* top-level directory of the distribution or, alternatively, at
* <http://www.OpenLDAP.org/license.html>.
*/
-/* Portions Copyright (c) 2000, Mark Adamson, Carnegie Mellon.
- * All rights reserved.
- * This software is not subject to any license of Carnegie Mellon University.
- *
- * Redistribution and use in source and binary forms are permitted without
- * restriction or fee of any kind as long as this notice is preserved.
- *
- * The name "Carnegie Mellon" must not be used to endorse or promote
- * products derived from this software without prior written permission.
- */
#include "portable.h"
#define SASLREGEX_REPLACE 10
+#define LDAP_X_SCOPE_EXACT ((ber_int_t) 0x0010)
+#define LDAP_X_SCOPE_REGEX ((ber_int_t) 0x0020)
+#define LDAP_X_SCOPE_CHILDREN ((ber_int_t) 0x0030)
+#define LDAP_X_SCOPE_SUBTREE ((ber_int_t) 0x0040)
+
+/*
+ * IDs in DNauthzid form can now have a type specifier, that
+ * influences how they are used in related operations.
+ *
+ * syntax: dn[.{exact|regex}]:<val>
+ *
+ * dn.exact: the value must pass normalization and is used
+ * in exact DN match.
+ * dn.regex: the value is treated as a regular expression
+ * in matching DN values in saslAuthz{To|From}
+ * attributes.
+ * dn: for backwards compatibility reasons, the value
+ * is treated as a regular expression, and thus
+ * it is not normalized nor validated; it is used
+ * in exact or regex comparisons based on the
+ * context.
+ *
+ * IDs in DNauthzid form can now have a type specifier, that
+ * influences how they are used in related operations.
+ *
+ * syntax: u[.mech[/realm]]:<val>
+ *
+ * where mech is a SIMPLE, AUTHZ, or a SASL mechanism name
+ * and realm is mechanism specific realm (separate to those
+ * which are representable as part of the principal).
+ */
+
typedef struct sasl_regexp {
- char *sr_match; /* regexp match pattern */
- char *sr_replace; /* regexp replace pattern */
- regex_t sr_workspace; /* workspace for regexp engine */
- int sr_offset[SASLREGEX_REPLACE+2]; /* offsets of $1,$2... in *replace */
+ char *sr_match; /* regexp match pattern */
+ char *sr_replace; /* regexp replace pattern */
+ regex_t sr_workspace; /* workspace for regexp engine */
+ int sr_offset[SASLREGEX_REPLACE+2]; /* offsets of $1,$2... in *replace */
} SaslRegexp_t;
static int nSaslRegexp = 0;
return rc;
}
+int slap_parse_user( struct berval *id, struct berval *user,
+ struct berval *realm, struct berval *mech )
+{
+ char u;
+
+ assert( id );
+ assert( id->bv_val );
+ assert( user );
+ assert( realm );
+ assert( mech );
+
+ u = id->bv_val[ 0 ];
+
+ if ( u != 'u' && u != 'U' ) {
+ /* called with something other than u: */
+ return LDAP_PROTOCOL_ERROR;
+ }
+
+ /* uauthzid form:
+ * u[.mech[/realm]]:user
+ */
+
+ user->bv_val = strchr( id->bv_val, ':' );
+ if ( user->bv_val == NULL ) {
+ return LDAP_PROTOCOL_ERROR;
+ }
+ user->bv_val[ 0 ] = '\0';
+ user->bv_val++;
+ user->bv_len = id->bv_len - ( user->bv_val - id->bv_val );
+
+ mech->bv_val = strchr( id->bv_val, '.' );
+ if ( mech->bv_val != NULL ) {
+ mech->bv_val[ 0 ] = '\0';
+ mech->bv_val++;
+
+ realm->bv_val = strchr( mech->bv_val, '/' );
+
+ if ( realm->bv_val ) {
+ realm->bv_val[ 0 ] = '\0';
+ realm->bv_val++;
+ mech->bv_len = realm->bv_val - mech->bv_val - 1;
+ realm->bv_len = user->bv_val - realm->bv_val - 1;
+ } else {
+ mech->bv_len = user->bv_val - mech->bv_val - 1;
+ }
+
+ } else {
+ realm->bv_val = NULL;
+ }
+
+ if ( id->bv_val[ 1 ] != '\0' ) {
+ return LDAP_PROTOCOL_ERROR;
+ }
+
+ if ( mech->bv_val != NULL ) {
+ assert( mech->bv_val == id->bv_val + 2 );
+
+ AC_MEMCPY( mech->bv_val - 2, mech->bv_val, mech->bv_len + 1 );
+ mech->bv_val -= 2;
+ }
+
+ if ( realm->bv_val ) {
+ assert( realm->bv_val >= id->bv_val + 2 );
+
+ AC_MEMCPY( realm->bv_val - 2, realm->bv_val, realm->bv_len + 1 );
+ realm->bv_val -= 2;
+ }
+
+ /* leave "u:" before user */
+ user->bv_val -= 2;
+ user->bv_len += 2;
+ user->bv_val[ 0 ] = u;
+ user->bv_val[ 1 ] = ':';
+
+ return LDAP_SUCCESS;
+}
+
static int slap_parseURI( Operation *op, struct berval *uri,
struct berval *base, struct berval *nbase,
int *scope, Filter **filter, struct berval *fstr )
"slap_parseURI: parsing %s\n", uri->bv_val, 0, 0 );
#endif
- /* If it does not look like a URI, assume it is a DN */
- if( !strncasecmp( uri->bv_val, "dn:", sizeof("dn:")-1 ) ) {
- bv.bv_val = uri->bv_val + sizeof("dn:")-1;
+ rc = LDAP_PROTOCOL_ERROR;
+ if ( !strncasecmp( uri->bv_val, "dn", sizeof( "dn" ) - 1 ) ) {
+ bv.bv_val = uri->bv_val + sizeof( "dn" ) - 1;
+
+ if ( bv.bv_val[ 0 ] == '.' ) {
+ bv.bv_val++;
+
+ if ( !strncasecmp( bv.bv_val, "exact:", sizeof( "exact:" ) - 1 ) ) {
+ bv.bv_val += sizeof( "exact" ) - 1;
+ *scope = LDAP_X_SCOPE_EXACT;
+
+ } else if ( !strncasecmp( bv.bv_val, "regex:", sizeof( "regex:" ) - 1 ) ) {
+ bv.bv_val += sizeof( "regex" ) - 1;
+ *scope = LDAP_X_SCOPE_REGEX;
+
+ } else if ( !strncasecmp( bv.bv_val, "children:", sizeof( "chldren:" ) - 1 ) ) {
+ bv.bv_val += sizeof( "children" ) - 1;
+ *scope = LDAP_X_SCOPE_CHILDREN;
+
+ } else if ( !strncasecmp( bv.bv_val, "subtree:", sizeof( "subtree:" ) - 1 ) ) {
+ bv.bv_val += sizeof( "subtree" ) - 1;
+ *scope = LDAP_X_SCOPE_SUBTREE;
+
+ } else {
+ return LDAP_PROTOCOL_ERROR;
+ }
+ }
+
+ if ( bv.bv_val[ 0 ] != ':' ) {
+ return LDAP_PROTOCOL_ERROR;
+ }
+ bv.bv_val++;
+
bv.bv_val += strspn( bv.bv_val, " " );
+ /* jump here in case no type specification was present
+ * and uir was not an URI... HEADS-UP: assuming EXACT */
+is_dn: bv.bv_len = uri->bv_len - (bv.bv_val - uri->bv_val);
+
+ switch ( *scope ) {
+ case LDAP_X_SCOPE_EXACT:
+ case LDAP_X_SCOPE_CHILDREN:
+ case LDAP_X_SCOPE_SUBTREE:
+ rc = dnNormalize( 0, NULL, NULL, &bv, nbase, op->o_tmpmemctx );
+ if( rc != LDAP_SUCCESS ) {
+ *scope = -1;
+ }
+ break;
-is_dn: bv.bv_len = uri->bv_len - (bv.bv_val - uri->bv_val);
+ case LDAP_X_SCOPE_REGEX:
+ ber_dupbv_x( nbase, &bv, op->o_tmpmemctx );
+ rc = LDAP_SUCCESS;
+ break;
- rc = dnNormalize( 0, NULL, NULL, &bv, nbase, op->o_tmpmemctx );
- if( rc == LDAP_SUCCESS ) {
- *scope = LDAP_SCOPE_BASE;
+ default:
+ *scope = -1;
+ break;
}
- return( rc );
- }
+ return rc;
+
+ } else if ( ( uri->bv_val[ 0 ] == 'u' || uri->bv_val[ 0 ] == 'U' )
+ && ( uri->bv_val[ 1 ] == ':'
+ || uri->bv_val[ 1 ] == '/'
+ || uri->bv_val[ 1 ] == '.' ) )
+ {
+ Connection c = *op->o_conn;
+ char buf[ SLAP_LDAPDN_MAXLEN ];
+ struct berval id = { uri->bv_len, (char *)buf },
+ user = { 0, NULL },
+ realm = { 0, NULL },
+ mech = { 0, NULL };
+
+ if ( sizeof( buf ) <= uri->bv_len ) {
+ return LDAP_INVALID_SYNTAX;
+ }
+
+ strncpy( buf, uri->bv_val, sizeof( buf ) );
+
+ rc = slap_parse_user( &id, &user, &realm, &mech );
+ if ( rc != LDAP_SUCCESS ) {
+ return rc;
+ }
+
+ if ( mech.bv_val ) {
+ c.c_sasl_bind_mech = mech;
+ } else {
+ c.c_sasl_bind_mech.bv_val = "AUTHZ";
+ c.c_sasl_bind_mech.bv_len = sizeof( "AUTHZ" ) - 1;
+ }
+
+ rc = slap_sasl_getdn( &c, op, user.bv_val, user.bv_len,
+ realm.bv_val, nbase, SLAP_GETDN_AUTHZID );
+
+ if ( rc == LDAP_SUCCESS ) {
+ *scope = LDAP_X_SCOPE_EXACT;
+ }
+
+ return rc;
+ }
+
rc = ldap_url_parse( uri->bv_val, &ludp );
if ( rc == LDAP_URL_ERR_BADSCHEME ) {
+ /* last chance: assume it's a(n exact) DN ... */
bv.bv_val = uri->bv_val;
+ *scope = LDAP_X_SCOPE_EXACT;
goto is_dn;
}
{
/* host part must be empty */
/* attrs and extensions parts must be empty */
- rc = LDAP_PROTOCOL_ERROR;
+ rc = LDAP_PROTOCOL_ERROR;
goto done;
}
} else {
/* Don't free these, return them to caller */
ludp->lud_filter = NULL;
- ludp->lud_dn= NULL;
+ ludp->lud_dn = NULL;
}
ldap_free_urldesc( ludp );
#ifdef NEW_LOGGING
LDAP_LOG( TRANSPORT, DETAIL1,
- "slap_sasl2dn: search DN returned more than 1 entry\n", 0, 0, 0 );
+ "slap_sc_sasl2dn: search DN returned more than 1 entry\n", 0, 0, 0 );
#else
Debug( LDAP_DEBUG_TRACE,
- "slap_sasl2dn: search DN returned more than 1 entry\n", 0,0,0 );
+ "slap_sc_sasl2dn: search DN returned more than 1 entry\n", 0, 0, 0 );
#endif
return -1;
}
int rc;
regex_t reg;
smatch_info sm;
- slap_callback cb = { sasl_sc_smatch, NULL };
+ slap_callback cb = { NULL, sasl_sc_smatch, NULL, NULL };
Operation op = {0};
SlapReply rs = {REP_RESULT};
if( rc != LDAP_SUCCESS ) goto CONCLUDED;
/* Massive shortcut: search scope == base */
- if( op.oq_search.rs_scope == LDAP_SCOPE_BASE ) {
+ switch ( op.oq_search.rs_scope ) {
+ case LDAP_SCOPE_BASE:
+ case LDAP_X_SCOPE_EXACT:
+exact_match:
+ if ( dn_match( &op.o_req_ndn, assertDN ) ) {
+ rc = LDAP_SUCCESS;
+ } else {
+ rc = LDAP_INAPPROPRIATE_AUTH;
+ }
+ goto CONCLUDED;
+
+ case LDAP_X_SCOPE_CHILDREN:
+ case LDAP_X_SCOPE_SUBTREE:
+ {
+ int d = assertDN->bv_len - op.o_req_ndn.bv_len;
+
+ rc = LDAP_INAPPROPRIATE_AUTH;
+
+ if ( d == 0 && op.oq_search.rs_scope == LDAP_X_SCOPE_SUBTREE ) {
+ goto exact_match;
+
+ } else if ( d > 0 ) {
+ struct berval bv = { op.o_req_ndn.bv_len, assertDN->bv_val + d };
+
+ if ( bv.bv_val[ -1 ] == ',' && dn_match( &op.o_req_ndn, &bv ) ) {
+ rc = LDAP_SUCCESS;
+ }
+ }
+ goto CONCLUDED;
+ }
+
+ case LDAP_X_SCOPE_REGEX:
rc = regcomp(®, op.o_req_ndn.bv_val,
REG_EXTENDED|REG_ICASE|REG_NOSUB);
if ( rc == 0 ) {
rc = LDAP_INAPPROPRIATE_AUTH;
}
goto CONCLUDED;
+
+ default:
+ break;
}
/* Must run an internal search. */
+ if ( op.oq_search.rs_filter == NULL ) {
+ rc = LDAP_FILTER_ERROR;
+ goto CONCLUDED;
+ }
#ifdef NEW_LOGGING
LDAP_LOG( TRANSPORT, DETAIL1,
struct berval *saslname, struct berval *sasldn )
{
int rc;
- slap_callback cb = { sasl_sc_sasl2dn, NULL };
+ slap_callback cb = { NULL, sasl_sc_sasl2dn, NULL, NULL };
Operation op = {0};
SlapReply rs = {REP_RESULT};
struct berval regout = { 0, NULL };
op.o_bd = select_backend( &op.o_req_ndn, 0, 1 );
/* Massive shortcut: search scope == base */
- if( op.oq_search.rs_scope == LDAP_SCOPE_BASE ) {
+ switch ( op.oq_search.rs_scope ) {
+ case LDAP_SCOPE_BASE:
+ case LDAP_X_SCOPE_EXACT:
*sasldn = op.o_req_ndn;
op.o_req_ndn.bv_len = 0;
op.o_req_ndn.bv_val = NULL;
+ /* intentionally continue to next case */
+
+ case LDAP_X_SCOPE_REGEX:
+ case LDAP_X_SCOPE_SUBTREE:
+ case LDAP_X_SCOPE_CHILDREN:
+ /* correctly parsed, but illegal */
goto FINISHED;
+
+ case LDAP_SCOPE_ONELEVEL:
+ case LDAP_SCOPE_SUBTREE:
+ /* do a search */
+ break;
+
+ default:
+ /* catch unhandled cases (there shouldn't be) */
+ assert( 0 );
}
#ifdef NEW_LOGGING
{
struct tm *ltm;
+#ifdef HAVE_GMTIME_R
+ struct tm ltm_buf;
+#endif
char timebuf[ LDAP_LUTIL_GENTIME_BUFSIZE ];
/*
* AND modified at server startup time ...
*/
+#ifdef HAVE_GMTIME_R
+ ltm = gmtime_r( &starttime, <m_buf );
+#else
ldap_pvt_thread_mutex_lock( &gmtime_mutex );
ltm = gmtime( &starttime );
+#endif /* HAVE_GMTIME_R */
lutil_gentime( timebuf, sizeof(timebuf), ltm );
+#ifndef HAVE_GMTIME_R
ldap_pvt_thread_mutex_unlock( &gmtime_mutex );
+#endif
vals[0].bv_val = timebuf;
vals[0].bv_len = strlen( timebuf );
NULL, NULL, NULL, NULL, NULL,
offsetof(struct slap_internal_schema, si_ad_superiorUUID) },
- /* LDAP cache specific operational attribute */
- { "queryid", "( 1.3.6.1.4.1.4203.666.1.12 NAME 'queryid' "
- "DESC 'list of queries the entry belongs to' "
- "EQUALITY octetStringMatch "
- "SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{64} "
- "NO-USER-MODIFICATION USAGE directoryOperation )",
- NULL, SLAP_AT_HIDE,
- NULL, NULL,
- NULL, NULL, NULL, NULL, NULL,
- offsetof(struct slap_internal_schema, si_ad_queryid) },
-
{ "syncreplCookie", "( 1.3.6.1.4.1.4203.666.1.23 "
"NAME 'syncreplCookie' "
"DESC 'syncrepl Cookie for shadow copy' "
}
}
-void
-sl_release( void *ptr, void *ctx )
-{
- struct slab_heap *sh = ctx;
-
- if ( sh && ptr >= sh->h_base && ptr <= sh->h_end ) {
- sh->h_last = ptr;
- }
-}
-
-void *
-sl_mark( void *ctx )
-{
- struct slab_heap *sh = ctx;
- void *ret = NULL;
-
- if (sh) ret = sh->h_last;
-
- return ret;
-}
-
void *
sl_context( void *ptr )
{
#define SLAP_TEXT_BUFLEN (256)
/* psuedo error code indicating abandoned operation */
-#define SLAPD_ABANDON (-1)
+#define SLAPD_ABANDON (-1024)
/* psuedo error code indicating disconnect */
-#define SLAPD_DISCONNECT (-2)
+#define SLAPD_DISCONNECT (-1025)
+/* unknown config file directive */
+#define SLAP_CONF_UNKNOWN (-1026)
/* We assume "C" locale, that is US-ASCII */
#define ASCII_SPACE(c) ( (c) == ' ' )
AttributeDescription *si_ad_namingCSN;
AttributeDescription *si_ad_superiorUUID;
- /* LDAP cache specific operational attribute */
- AttributeDescription *si_ad_queryid;
-
AttributeDescription *si_ad_dseType;
AttributeDescription *si_ad_syncreplCookie;
AttributeDescription *si_ad_contextCSN;
rep_extended_s sru_extended;
rep_search_s sru_search;
} sr_un;
+ slap_mask_t sr_flags;
+#define REP_ENTRY_MODIFIABLE 0x00000001
+#define REP_ENTRY_MUSTBEFREED 0x00000002
+#define REP_MATCHED_MUSTBEFREED 0x00000010
} SlapReply;
/* short hands for response members */
typedef int (slap_response)( struct slap_op *, struct slap_rep * );
typedef struct slap_callback {
+ struct slap_callback *sc_next;
slap_response *sc_response;
+ slap_response *sc_cleanup;
void *sc_private;
} slap_callback;
AttributeName *o_preread_attrs;
AttributeName *o_postread_attrs;
-#ifdef LDAP_CONTROL_PAGEDRESULTS
char o_pagedresults;
#define get_pagedresults(op) ((int)(op)->o_pagedresults)
ber_int_t o_pagedresults_size;
PagedResultsState o_pagedresults_state;
-#else
-#define get_pagedresults(op) (0)
-#endif
char o_sync;
char o_sync_mode;
-#define SLAP_SYNC_NONE (0x0)
-#define SLAP_SYNC_REFRESH (0x1)
-#define SLAP_SYNC_PERSIST (0x2)
-#define SLAP_SYNC_REFRESH_AND_PERSIST (0x3)
+#define SLAP_SYNC_NONE LDAP_SYNC_NONE
+#define SLAP_SYNC_REFRESH LDAP_SYNC_REFRESH_ONLY
+#define SLAP_SYNC_PERSIST LDAP_SYNC_RESERVED
+#define SLAP_SYNC_REFRESH_AND_PERSIST LDAP_SYNC_REFRESH_AND_PERSIST
struct sync_cookie o_sync_state;
int o_sync_rhint;
struct berval o_sync_cid;
SlapReply *rs,
LDAPControl *ctrl ));
+#define SLMALLOC_SLAB_SIZE (1024*1024)
+
LDAP_END_DECL
#include "proto-slap.h"
#define SLAPI_ENTRY_POST_OP 53
#define SLAPI_RESCONTROLS 55
+/* This is the spelling in the SunOne 5.2 docs */
+#define SLAPI_RES_CONTROLS SLAPI_RESCONTROLS
#define SLAPI_ADD_RESCONTROL 56
#define SLAPI_ADD_TARGET SLAPI_TARGET_DN
{
#if defined(LDAP_SLAPI)
int i, freeit;
+ int addcon = 0;
if ( isValidParam( pb, param ) == INVALID_PARAM ) {
return PBLOCK_ERROR;
return PBLOCK_ERROR;
}
+ if ( param == SLAPI_ADD_RESCONTROL ) {
+ addcon = 1;
+ param = SLAPI_RES_CONTROLS;
+ }
+
switch ( param ) {
case SLAPI_CONN_DN:
case SLAPI_CONN_AUTHMETHOD:
pb->curParams[i] = param;
pb->numParams++;
}
- if ( freeit ) ch_free( pb->curVals[i] );
- pb->curVals[i] = val;
+ if ( addcon ) {
+ LDAPControl **ctrls = pb->curVals[i];
+ int j;
+
+ for (j=0; ctrls[j]; j++);
+ ctrls = ch_realloc( ctrls, (j+2)*sizeof(LDAPControl *) );
+ ctrls[j] = val;
+ ctrls[j+1] = NULL;
+ pb->curVals[i] = ctrls;
+ } else {
+ if ( freeit ) ch_free( pb->curVals[i] );
+ pb->curVals[i] = val;
+ }
unLock( pb );
return LDAP_SUCCESS;
int rc, err, i;
ber_len_t len;
- slap_callback cb;
-
int rc_efree;
struct berval *psub;
Debug( LDAP_DEBUG_TRACE, "=>do_syncrep2\n", 0, 0, 0 );
#endif
- op->o_callback = &cb;
-
psub = &si->si_be->be_nsuffix[0];
slap_dup_sync_cookie( &syncCookie_req, &si->si_syncCookie );
conn.c_peer_name = slap_empty_bv;
/* set memory context */
-#define SLAB_SIZE 1048576
- op.o_tmpmemctx = sl_mem_create( SLAB_SIZE, ctx );
+ op.o_tmpmemctx = sl_mem_create( SLMALLOC_SLAB_SIZE, ctx );
op.o_tmpmfuncs = &sl_mfuncs;
op.o_dn = si->si_updatedn;
)
{
Backend *be = op->o_bd;
- slap_callback cb;
+ slap_callback cb = { NULL };
struct berval *syncuuid_bv = NULL;
struct berval syncUUID_strrep = { 0, NULL };
)
{
Backend* be = op->o_bd;
- slap_callback cb;
+ slap_callback cb = { NULL };
SlapReply rs = {REP_RESULT};
struct nonpresent_entry *np_list, *np_prev;
)
{
Backend *be = op->o_bd;
- slap_callback cb;
+ slap_callback cb = { NULL };
Attribute *a;
int rc;
int suffrdns;
struct berval slap_syncrepl_dn_bv = BER_BVNULL;
struct berval slap_syncrepl_cn_bv = BER_BVNULL;
- slap_callback cb;
+ slap_callback cb = { NULL };
SlapReply rs = {REP_RESULT};
slap_sync_cookie_free( &si->si_syncCookie, 0 );
assert(0);
}
+int
+slap_null_cb(
+ Operation *op, SlapReply *rs
+)
+{
+ assert(0);
+}
+
void
slap_send_ldap_extended(
Operation *op, SlapReply *rs
return -1;
}
-int slap_entry2mods( Entry *e, Modifications **mods, const char **text )
+int slap_entry2mods( Entry *e, Modifications **mods, const char **text,
+ char *textbuf, size_t textlen )
{
return -1;
}
volatile sig_atomic_t slapd_abrupt_shutdown;
int slap_mods_check( Modifications *ml, int update, const char **text,
- char *textbuf, size_t textlen, void *ctx )
+ char *textbuf, size_t textlen, void *ctx )
{
return -1;
}
int slap_mods2entry( Modifications *mods, Entry **e, int repl_user,
- int dup, const char **text, char *textbuf, size_t textlen )
+ int dup, const char **text, char *textbuf, size_t textlen )
{
return -1;
}
int slap_mods_opattrs( Operation *op, Modifications *mods,
- Modifications **modtail, const char **text,
- char *textbuf, size_t textlen )
+ Modifications **modtail, const char **text,
+ char *textbuf, size_t textlen )
{
return -1;
}
+int slap_parse_user( struct berval *id, struct berval *user,
+ struct berval *realm, struct berval *mech )
+{
+ return -1;
+}
Entry* e = be->be_entry_get( be, id );
op.o_bd = be;
+ if ( e == NULL ) {
+ printf("# no data for entry id=%08lx\n\n", (long) id );
+ rc = EXIT_FAILURE;
+ if( continuemode ) continue;
+ break;
+ }
+
if( sub_ndn.bv_len && !dnIsSuffix( &e->e_nname, &sub_ndn ) ) {
be_entry_release_r( &op, e );
continue;
printf( "# id=%08lx\n", (long) id );
}
- if ( e == NULL ) {
- printf("# no data for entry id=%08lx\n\n", (long) id );
- rc = EXIT_FAILURE;
- if( continuemode ) continue;
- break;
- }
-
data = entry2str( e, &len );
be_entry_release_r( &op, e );
mal_leaktrace(1);
#endif
- slap_startup( be );
+ if ( slap_startup( be ) ) {
+ fprintf( stderr, "slap_startup failed\n" );
+ exit( EXIT_FAILURE );
+ }
}
void slap_tool_destroy( void )
version.c: Makefile
@-$(RM) $@
- $(MKVERSION) slurpd > $@
+ $(MKVERSION) -s -n Versionstr slurpd > $@
version.o: version.c $(OBJS) $(SLURPD_L)
g->myname = strdup( g->myname + 1 );
}
- while ( (i = getopt( argc, argv, "d:f:n:or:t:" )) != EOF ) {
+ while ( (i = getopt( argc, argv, "d:f:n:or:t:V" )) != EOF ) {
switch ( i ) {
case 'd': /* set debug level and 'do not detach' flag */
g->no_detach = 1;
snprintf(g->slurpd_rdir, sz,
"%s" LDAP_DIRSEP "replica", optarg);
} break;
+ case 'V':
+ (g->version)++;
+ break;
default:
usage( g->myname );
return( -1 );
g->myname = NULL;
g->serverName = NULL;
g->srpos = 0L;
+ g->version = 0;
if ( St_init( &(g->st)) < 0 ) {
fprintf( stderr, "Cannot initialize status data\n" );
exit( EXIT_FAILURE );
/* Default name of kerberos srvtab file */
char *default_srvtab;
#endif /* LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND */
+ /* Non-zero if we shall print the version */
+ int version;
} Globals;
#include <ac/time.h>
#include <ac/unistd.h>
+#define LDAP_DEPRECATED 1
#include <ldap.h>
#include "lutil_ldap.h"
#include "slurp.h"
#define MAIN_RETURN(x) return(x)
#endif
+#ifndef HAVE_MKVERSION
+const char Versionstr[] =
+ OPENLDAP_PACKAGE " " OPENLDAP_VERSION " Standalone LDAP Replicator (slurpd)";
+#endif
+
#ifdef HAVE_NT_SERVICE_MANAGER
void WINAPI ServiceMain( DWORD argc, LPTSTR *argv )
#else
goto stop;
}
+ if ( sglob->version ) {
+ fprintf(stderr, "%s\n", Versionstr);
+ if (sglob->version > 1 ) {
+ rc = 1;
+ goto stop;
+ }
+ }
+
+#ifdef NEW_LOGGING
+ LDAP_LOG( SLURPD, INFO, "%s\n", Versionstr, 0, 0 );
+#else
+ Debug ( LDAP_DEBUG_ANY, "%s\n", Versionstr, 0, 0 );
+#endif
+
/*
* Read slapd config file and initialize Re (per-replica) structs.
*/
void start_lwp_scheduler LDAP_P(( void ));
#endif
+/*main.c */
+extern const char Versionstr[];
+
#endif /* _PROTO_SLURP */
# requesting: 1.1
#
+# University of Michigan, US
+dn: o=University of Michigan,c=US
+
# search reference
ref: ldap://hostA/o=abc,c=us??base
ref: ldap://hostB/o=ABC,c=US??base
# search reference
ref: ldap://hostC/o=xyz,c=us??base
-# University of Michigan, US
-dn: o=University of Michigan,c=US
-
# search result
search: 2
result: 0 Success
# requesting: 1.1
#
-# search reference
-ref: ldap://hostA/o=abc,c=us??sub
-ref: ldap://hostB/o=ABC,c=US??sub
+# Manager, University of Michigan, US
+dn: cn=Manager,o=University of Michigan,c=US
-# search reference
-ref: ldap://hostC/o=xyz,c=us??sub
+# University of Michigan, US
+dn: o=University of Michigan,c=US
# US
dn: c=US
-# University of Michigan, US
-dn: o=University of Michigan,c=US
+# search reference
+ref: ldap://hostA/o=abc,c=us??sub
+ref: ldap://hostB/o=ABC,c=US??sub
-# Manager, University of Michigan, US
-dn: cn=Manager,o=University of Michigan,c=US
+# search reference
+ref: ldap://hostC/o=xyz,c=us??sub
# search result
search: 2
access to dn.base="" attr=objectClass by users read
access to * by * read
-modulepath ../servers/slapd/back-@BACKEND@/
-@MODULELOAD@
+#mod#modulepath ../servers/slapd/back-@BACKEND@/
+#mod#moduleload back_@BACKEND@.la
#######################################################################
# ldbm database definitions
pidfile ./testrun/slapd.1.pid
argsfile ./testrun/slapd.1.args
-modulepath ../servers/slapd/back-@BACKEND@/
-@MODULELOAD@
+#mod#modulepath ../servers/slapd/back-@BACKEND@/
+#mod#moduleload back_@BACKEND@.la
#######################################################################
# database definitions
sasl-secprops noanonymous
#sasl-secprops none
-modulepath ../servers/slapd/back-@BACKEND@/
-@MODULELOAD@
+#mod#modulepath ../servers/slapd/back-@BACKEND@/
+#mod#moduleload back_@BACKEND@.la
#######################################################################
# ldbm database definitions
pidfile ./testrun/slapd.1.pid
argsfile ./testrun/slapd.1.args
-modulepath ../servers/slapd/back-@BACKEND@/
-@MODULELOAD@
+#mod#modulepath ../servers/slapd/back-@BACKEND@/
+#mod#moduleload back_@BACKEND@.la
#######################################################################
# ldbm database definitions
pidfile ./testrun/slapd.1.pid
argsfile ./testrun/slapd.1.args
-modulepath ../servers/slapd/back-@BACKEND@/
-@MODULELOAD@
+#mod#modulepath ../servers/slapd/back-@BACKEND@/
+#mod#moduleload back_@BACKEND@.la
#######################################################################
# ldbm database definitions
pidfile ./test-db/slapd.pid
argsfile ./test-db/slapd.args
-modulepath ../servers/slapd/back-@BACKEND@/
-@MODULELOAD@
+#mod#modulepath ../servers/slapd/back-@BACKEND@/
+#mod#moduleload back_@BACKEND@.la
#######################################################################
# ldbm database definitions
pidfile ./test-db/slapd.pid
argsfile ./test-db/slapd.args
-modulepath ../servers/slapd/back-@BACKEND@/
-@MODULELOAD@
+#mod#modulepath ../servers/slapd/back-@BACKEND@/
+#mod#moduleload back_@BACKEND@.la
#######################################################################
# ldbm database definitions
pidfile ./testrun/slapd.2.pid
argsfile ./testrun/slapd.2.args
-access to * by write
-
-modulepath ../servers/slapd/back-@BACKEND@/
-@MODULELOAD@
+#mod#modulepath ../servers/slapd/back-@BACKEND@/
+#mod#moduleload back_@BACKEND@.la
+#ldapmod#moduleload ../servers/slapd/back-ldap/back_ldap.la
+#pcachemod#moduleload ../servers/slapd/overlays/pcache.la
#######################################################################
# database definitions
#######################################################################
-database @BACKEND@
-
-suffix "o=University of Michigan,c=US,cn=cache"
+database ldap
+suffix "o=University of Michigan,c=US"
+rootdn "o=University of Michigan,c=US"
+uri ldap://127.0.0.1:9011/o=University%20of%20Michigan%2cc=US
+
+overlay proxycache
+proxycache @BACKEND@ 100 2 @ENTRY_LIMIT@ @CACHETTL@
+proxyattrset 0 sn cn title uid
+proxyattrset 1 mail postaladdress telephonenumber cn uid
+proxytemplate (|(cn=)(sn=)) 0 @CACHETTL@
+proxytemplate (sn=) 0 @CACHETTL@
+proxytemplate (uid=) 1 @CACHETTL@
+proxytemplate (mail=) 0 @CACHETTL@
+
cachesize 20
directory ./testrun/db.2.a
index objectClass eq
index cn,sn,uid,mail pres,eq,sub
-
-database meta
-rewriteEngine on
-rewriteContext cacheResult
-rewriteRule "(.*)o=University of Michigan,c=US" "%1o=University of Michigan,c=US,cn=cache" ":"
-rewriteContext cacheBase
-rewriteRule "(.*)o=University of Michigan,c=US" "%1o=university of michigan,c=us,cn=cache" ":"
-rewriteContext cacheReturn
-rewriteRule "(.*)o=University of Michigan,c=US,cn=cache" "%1o=University of Michigan,c=US" ":"
-
-
-suffix "o=University of Michigan,c=US"
-uri ldap://127.0.0.1:9011/o=University%20of%20Michigan,c=US
-cacheparams 10000 15000 2 @ENTRY_LIMIT@ @CACHETTL@
-
-attrset 0 sn cn title uid
-attrset 1 mail postaladdress telephonenumber cn uid
-addtemplate (|(cn=)(sn=)) 0 @CACHETTL@
-addtemplate (sn=) 0 @CACHETTL@
-addtemplate (uid=) 1 @CACHETTL@
-addtemplate (mail=) 0 @CACHETTL@
-
-
# password-hash {md5}
-modulepath ../servers/slapd/back-@BACKEND@/
-@MODULELOAD@
+#mod#modulepath ../servers/slapd/back-@BACKEND@/
+#mod#moduleload back_@BACKEND@.la
#######################################################################
# ldbm database definitions
pidfile ./testrun/slapd.2.pid
argsfile ./testrun/slapd.2.args
-modulepath ../servers/slapd/back-@BACKEND@/
-@MODULELOAD@
+#mod#modulepath ../servers/slapd/back-@BACKEND@/
+#mod#moduleload back_@BACKEND@.la
#######################################################################
# ldbm database definitions
pidfile ./testrun/slapd.pid
argsfile ./testrun/slapd.args
-modulepath ../servers/slapd/back-@BACKEND@/
-@MODULELOAD@
+#mod#modulepath ../servers/slapd/back-@BACKEND@/
+#mod#moduleload back_@BACKEND@.la
#######################################################################
# ldbm database definitions
pidfile ./testrun/slapd.1.pid
argsfile ./testrun/slapd.1.args
-modulepath ../servers/slapd/back-@BACKEND@/
-@MODULELOAD@
+#mod#modulepath ../servers/slapd/back-@BACKEND@/
+#mod#moduleload back_@BACKEND@.la
#######################################################################
# ldbm database definitions
pidfile ./testrun/slapd.2.pid
argsfile ./testrun/slapd.2.args
-modulepath ../servers/slapd/back-@BACKEND@/
-@MODULELOAD@
+#mod#modulepath ../servers/slapd/back-@BACKEND@/
+#mod#moduleload back_@BACKEND@.la
#######################################################################
# ldbm database definitions
#
rootdse ./testdata/rootdse.ldif
-modulepath ../servers/slapd/back-@BACKEND@/
-@MODULELOAD@
+#mod#modulepath ../servers/slapd/back-@BACKEND@/
+#mod#moduleload back_@BACKEND@.la
#######################################################################
# ldbm database definitions
pidfile ./testrun/slapd.1.pid
argsfile ./testrun/slapd.1.args
-modulepath ../servers/slapd/back-@BACKEND@/
-@MODULELOAD@
+#mod#modulepath ../servers/slapd/back-@BACKEND@/
+#mod#moduleload back_@BACKEND@.la
#######################################################################
# master database definitions
pidfile ./testrun/slapd.4.pid
argsfile ./testrun/slapd.4.args
-modulepath ../servers/slapd/back-@BACKEND@/
-@MODULELOAD@
+#mod#modulepath ../servers/slapd/back-@BACKEND@/
+#mod#moduleload back_@BACKEND@.la
#######################################################################
# consumer database definitions
pidfile ./testrun/slapd.5.pid
argsfile ./testrun/slapd.5.args
-modulepath ../servers/slapd/back-@BACKEND@/
-@MODULELOAD@
+#mod#modulepath ../servers/slapd/back-@BACKEND@/
+#mod#moduleload back_@BACKEND@.la
#######################################################################
# consumer database definitions
pidfile ./testrun/slapd.6.pid
argsfile ./testrun/slapd.6.args
-modulepath ../servers/slapd/back-@BACKEND@/
-@MODULELOAD@
+#mod#modulepath ../servers/slapd/back-@BACKEND@/
+#mod#moduleload back_@BACKEND@.la
#######################################################################
# consumer database definitions
pidfile ./testrun/slapd.2.pid
argsfile ./testrun/slapd.2.args
-modulepath ../servers/slapd/back-@BACKEND@/
-@MODULELOAD@
+#mod#modulepath ../servers/slapd/back-@BACKEND@/
+#mod#moduleload back_@BACKEND@.la
#######################################################################
# consumer database definitions
pidfile ./testrun/slapd.3.pid
argsfile ./testrun/slapd.3.args
-modulepath ../servers/slapd/back-@BACKEND@/
-@MODULELOAD@
+#mod#modulepath ../servers/slapd/back-@BACKEND@/
+#mod#moduleload back_@BACKEND@.la
#######################################################################
# consumer database definitions
pidfile ./testrun/slapd.1.pid
argsfile ./testrun/slapd.1.args
-modulepath ../servers/slapd/back-@BACKEND@/
-@MODULELOAD@
-
+#mod#modulepath ../servers/slapd/back-@BACKEND@/
+#mod#moduleload back_@BACKEND@.la
#######################################################################
# database definitions
pidfile ./testrun/slapd.2.pid
argsfile ./testrun/slapd.2.args
-modulepath ../servers/slapd/back-@BACKEND@/
-@MODULELOAD@
-
+#mod#modulepath ../servers/slapd/back-@BACKEND@/
+#mod#moduleload back_@BACKEND@.la
#######################################################################
# database definitions
#include <ac/unistd.h>
#include <ac/wait.h>
+#define LDAP_DEPRECATED 1
#include <ldap.h>
#define LOOPS 100
#include <ac/unistd.h>
#include <ac/wait.h>
+#define LDAP_DEPRECATED 1
#include <ldap.h>
#define LOOPS 100
#include <ac/unistd.h>
#include <ac/wait.h>
+#define LDAP_DEPRECATED 1
#include <ldap.h>
#define LOOPS 100
#include <ac/unistd.h>
#include <ac/wait.h>
-
+#define LDAP_DEPRECATED 1
#include <ldap.h>
#define LOOPS 100
export SRCDIR TOPSRCDIR LN_S
-AC_BDB=@BUILD_BDB@
-AC_HDB=@BUILD_HDB@
-AC_LDBM=@BUILD_LDBM@
+AC_bdb=@BUILD_BDB@
+AC_hdb=@BUILD_HDB@
+AC_ldbm=@BUILD_LDBM@
+AC_ldap=ldap@BUILD_LDAP@
+AC_pcache=pcache@BUILD_PROXYCACHE@
AC_MONITOR=@BUILD_MONITOR@
-AC_CACHE=@BUILD_CACHE@
AC_WITH_TLS=@WITH_TLS@
-export AC_MONITOR AC_CACHE AC_WITH_TLS
+export AC_MONITOR AC_WITH_TLS AC_ldap AC_pcache
if test ! -x ../servers/slapd/slapd ; then
echo "Could not locate slapd(8)"
exit 1
fi
-if test $AC_BDB = yes ; then
+if test $AC_bdb != no ; then
BACKEND=bdb
-elif test $AC_LDBM = yes ; then
+elif test $AC_ldbm != no ; then
BACKEND=ldbm
-elif test $AC_HDB = yes ; then
- BACKEND=hdbm
+elif test $AC_hdb != no ; then
+ BACKEND=hdb
else
echo "Not configured with a suitable database backend"
exit 1
esac
done
-export BACKEND WAIT KILLSERVERS PRESERVE USERDATA
+BACKENDTYPE=`eval 'echo $AC_'$BACKEND`
+export BACKEND BACKENDTYPE WAIT KILLSERVERS PRESERVE USERDATA
if test $# = 0 ; then
echo "$USAGE"; exit 1
else
MON=nomonitor
fi
-if [ x"$BACKENDTYPE" = x"mod" ]; then
- MODULELOAD="moduleload back_${BACKEND}.la"
-fi
sed -e "s/@BACKEND@/${BACKEND}/" \
- -e "s/@MODULELOAD@/${MODULELOAD}/" \
-e "s/^#${BACKEND}#//" \
+ -e "s/^#${BACKENDTYPE}#//" \
+ -e "s/^#${AC_ldap}#//" \
+ -e "s/^#${AC_pcache}#//" \
-e "s/^#${MON}#//" \
-e "s/@CACHETTL@/${CACHETTL}/" \
-e "s/@ENTRY_LIMIT@/${CACHE_ENTRY_LIMIT}/"
## <http://www.OpenLDAP.org/license.html>.
MONITORDB=${AC_MONITOR-no}
-PROXYCACHE=${AC_CACHE-no}
+PROXYCACHE=${AC_pcache-pcacheno}
WITHTLS=${AC_WITHTLS-yes}
DATADIR=./testdata
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.
-if test "$BACKEND" != "bdb" -a "$BACKEND" != "hdb" -o ; then
+if test "$BACKEND" != "bdb" -a "$BACKEND" != "hdb" ; then
echo "Test does not support $BACKEND"
exit 0
fi
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.
-if test "$BACKEND" != "bdb" -a "$BACKEND" != "hdb" -o ; then
+if test "$BACKEND" != "bdb" -a "$BACKEND" != "hdb" ; then
echo "Test does not support $BACKEND"
exit 0
fi
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.
-if test "$BACKEND" != "bdb" -a "$BACKEND" != "hdb" -o ; then
+if test "$BACKEND" != "bdb" -a "$BACKEND" != "hdb" ; then
echo "Test does not support $BACKEND"
exit 0
fi
. $SRCDIR/scripts/defines.sh
-if test $PROXYCACHE = no; then
- echo "Proxy caching requires back-meta AND (back-ldbm OR back-bdb)"
+if test $PROXYCACHE = pcacheno; then
+ echo "Proxy cache overlay not available, test skipped"
exit 0
fi
projects / openldap / commitdiff