mirror of
https://git.openldap.org/openldap/openldap.git
synced 2025-01-12 10:54:48 +08:00
122 lines
5.1 KiB
Plaintext
122 lines
5.1 KiB
Plaintext
|
Copyright 2000, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
|
||
|
|
||
|
The backend back-ldap has been modified as follows:
|
||
|
|
||
|
* The LDAP handlers have been put under an avl tree, in an attempt
|
||
|
to improve the access to connections in heavy loaded environments
|
||
|
(many clients connecting simultaneously for long times, e.g.
|
||
|
authenticators that make successive searches and binds without
|
||
|
renewing the handler).
|
||
|
This required to change the lcs member of struct ldapinfo into
|
||
|
an (Avlnode *) member called conntree.
|
||
|
The member next in the ldapconn struct has been eliminated because
|
||
|
it is no longer needed.
|
||
|
|
||
|
* The ldap_back_dobind function has been forced to return the value
|
||
|
of the bound flag instead of void; there is no longer need to test
|
||
|
for the flag outside the function as a test was already in.
|
||
|
Now the function can be called as
|
||
|
|
||
|
if ( !ldap_back_dobind( lc, op ) ) {
|
||
|
/* handle error */
|
||
|
}
|
||
|
|
||
|
* The suffix of the operations can be "massaged", i.e. changed to
|
||
|
a different suffix to implement what has been termed a
|
||
|
"virtual naming context": an incoming request with a certain
|
||
|
base or related to a certain dn is turned into a request to a different
|
||
|
server with the base or the dn changed in its terminal part (the naming
|
||
|
context). The resulting entries, if any, have the real naming context
|
||
|
changed back into the virtual naming context.
|
||
|
|
||
|
This required to add a suffixMassage configuration line of the form
|
||
|
|
||
|
suffix "virtual naming context"
|
||
|
suffixMassage "virtual naming context" "real naming context"
|
||
|
|
||
|
(the name of the configuration parameter will be changed to something
|
||
|
more appropriate as will result from a debate in the -devel mailing
|
||
|
list).
|
||
|
The "virtual naming context" must appear in a suffix configuration line
|
||
|
so the server can select the appropriate backend; then the suffixMassage
|
||
|
configuration line maps the "virtual" and the "real" naming contexts
|
||
|
back and forth.
|
||
|
This allows one to map multiple real naming contexts as branches
|
||
|
of a single naming context, provided these reside on the same server:
|
||
|
|
||
|
suffix "ou=Branch 1, o=My Org, c=IT"
|
||
|
suffixMassage "ou=Branch 1, o=My Org, c=IT" "o=Org 1, c=IT"
|
||
|
suffix "ou=Branch 2, o=My Org, c=IT"
|
||
|
suffixMassage "ou=Branch 2, o=My Org, c=IT" "dc=host, dc=net"
|
||
|
suffix "o=My Org, c=IT"
|
||
|
suffixMassage "o=My Org, c=IT" "dc=host, dc=it"
|
||
|
|
||
|
Note that the "same server" limitation can be overcome by using
|
||
|
multiple back-ldap databases, each pointing to the appropriate
|
||
|
server.
|
||
|
|
||
|
Another choice, which would not allow multiple naming contexts
|
||
|
being served by the same database, is to use the "dn" part of the
|
||
|
"uri" configuration parameter, e.g.:
|
||
|
|
||
|
suffix "virtual naming context"
|
||
|
uri "ldap://ldap.my.org:port/real naming context"
|
||
|
|
||
|
This has not been implemented yet.
|
||
|
|
||
|
A possible future enhancement will allow the ldap backend to handle
|
||
|
multiple servers within a single naming context.
|
||
|
|
||
|
Two functions, ldap_back_dn_massage and ldap_back_dn_restore, have
|
||
|
been added. The former changes the bind dn or the search base,
|
||
|
in case its terminal portion matches the "virtual naming context"
|
||
|
of a suffixMassage entry, to the corresponding "real naming context"
|
||
|
suffixed value.
|
||
|
The latter turns the entry's dn back to the "virtual naming context"
|
||
|
suffixed form if the real dn terminal portion matches any "real naming
|
||
|
context" part of a suffixMassage configuration line.
|
||
|
The deferred bind required to add the bound_dn member to the ldapconn
|
||
|
struct.
|
||
|
As of the time of this writing, all the backend operations that
|
||
|
require writing (add, delete, modify, modrdn) have been added the
|
||
|
massaging capability; it can be safely turned off by turning on
|
||
|
the readonly mode at the backend level. The massaging is performed
|
||
|
only on the dn of the entry that is modified, and in the modrdn
|
||
|
operation it affects both the old and the newSuperior dn.
|
||
|
|
||
|
* Cleanup/minor bug fixes/software enhancements:
|
||
|
|
||
|
- the suffix member (unused) has been eliminated (commented out)
|
||
|
from the ldapinfo struct.
|
||
|
|
||
|
- bind.c:ldap_back_op_result: a check of the value of "match" and
|
||
|
"msg" variables is added before freeing them (got a NULL "match"
|
||
|
when the server the backend points to was restarted).
|
||
|
|
||
|
- search.c:ldap_send_entry: the member a_desc in the (Attribute *)
|
||
|
"attr" must be set to NULL before calling slap_str2ad, otherwise
|
||
|
an assertion fails (ITS #919).
|
||
|
|
||
|
- search.c:ldap_send_entry: the entry's ent.e_dn and ent.e_ndn members
|
||
|
need be freed before returning because they were allocated inside
|
||
|
the routine.
|
||
|
|
||
|
- modify.c:ldap_back_modify: the Modifications member sml_op needs be
|
||
|
ORed with LDAP_MOD_BVALUES to force the ldap_modify_s routine
|
||
|
handle the modifications as bervals:
|
||
|
|
||
|
mods[i].mod_op = ml->sml_op | LDAP_MOD_BVALUES;
|
||
|
|
||
|
* Notes:
|
||
|
- there a possible memory leak in the backend, because the memory
|
||
|
occupation of the slapd processes steadily grows when it is
|
||
|
repeatedly accessed.
|
||
|
|
||
|
- when writing (add/modify) lastmod must be set to OFF otherwise
|
||
|
the lastmod attributes will be added to the entry mods and the
|
||
|
target server will complain about
|
||
|
|
||
|
ldap_modify: Constraint violation
|
||
|
ldap_modify: additional info: no user modification allowed
|
||
|
|