diff --git a/doc/man/man5/slapd-meta.5 b/doc/man/man5/slapd-meta.5
index 4f37eef4a5..a7e3228df6 100644
--- a/doc/man/man5/slapd-meta.5
+++ b/doc/man/man5/slapd-meta.5
@@ -513,20 +513,22 @@ client -> server:
 .LP
 .RS
 .nf
-(default) if defined and no specific context
- is available
-bindDN bind
-searchBase search
-searchFilter search
-compareDN compare
-compareAttrDN compare AVA
-addDN add
-addAttrDN add AVA
-modifyDN modify
-modifyAttrDN modify AVA
-modrDN modrdn
-newSuperiorDN modrdn
-deleteDN delete
+(default) if defined and no specific context
+ is available
+bindDN bind
+searchBase search
+searchFilter search
+searchFilterAttrDN search
+compareDN compare
+compareAttrDN compare AVA
+addDN add
+addAttrDN add AVA
+modifyDN modify
+modifyAttrDN modify AVA
+modrDN modrdn
+newSuperiorDN modrdn
+deleteDN delete
+exopPasswdDN passwd exop DN if proxy
 .fi
 .RE
 .LP
@@ -534,11 +536,11 @@ server -> client:
 .LP
 .RS
 .nf
-searchResult search (only if defined; no default;
- acts on DN and DN-syntax attributes
- of search results)
-searchAttrDN search AVA
-matchedDN all ops (only if applicable)
+searchResult search (only if defined; no default;
+ acts on DN and DN-syntax attributes
+ of search results)
+searchAttrDN search AVA
+matchedDN all ops (only if applicable)
 .fi
 .RE
 .LP
@@ -627,10 +629,10 @@ rewriteRule ".*" "%{>addBlanks(%0)}" ":"
 .\"
 .\" # Finally, in a bind, if one uses a `uid=username' DN,
 .\" # it is rewritten in `cn=name surname' if possible.
-.\" rewriteContext bindDn
+.\" rewriteContext bindDN
 .\" rewriteRule ".*" "%{>addBlanks(%{>uid2Gecos(%0)})}" ":"
 .\"
-# Rewrite the search base according to `default' rules.
+# Rewrite the search base according to `default' rules.
 rewriteContext searchBase alias default
 # Search results with OpenLDAP DN are rewritten back with
@@ -652,7 +654,7 @@ rewriteMap ldap attr2dn "ldap://host/dc=my,dc=org?dn?sub"
 # to real naming contexts, we also need to rewrite
 # regular DNs, because the definition of a bindDn
 # rewrite context overrides the default definition.
-rewriteContext bindDn
+rewriteContext bindDN
 rewriteRule "^mail=[^,]+@[^,]+$" "%{attr2dn(%0)}" ":@I"
 # This is a rather sophisticated example. It massages a
@@ -661,7 +663,7 @@ rewriteRule "^mail=[^,]+@[^,]+$" "%{attr2dn(%0)}" ":@I"
 # track of the bind DN of the incoming request, which is
 # stored in a variable called `binddn' with session scope,
 # and left in place to allow regular binding:
-rewriteContext bindDn
+rewriteContext bindDN
 rewriteRule ".+" "%{&&binddn(%0)}%0" ":"
 # A search filter containing `uid=' is rewritten only
diff --git a/servers/slapd/back-ldap/add.c b/servers/slapd/back-ldap/add.c
index adf8063818..a6d3d1fa3a 100644
--- a/servers/slapd/back-ldap/add.c
+++ b/servers/slapd/back-ldap/add.c
@@ -69,7 +69,7 @@ ldap_back_add(
 #ifdef ENABLE_REWRITE
 dc.conn = op->o_conn;
 dc.rs = rs;
- dc.ctx = "addDn";
+ dc.ctx = "addDN";
 #else
 dc.tofrom = 1;
 dc.normalized = 0;
@@ -87,7 +87,7 @@ ldap_back_add(
 attrs = (LDAPMod **)ch_malloc(sizeof(LDAPMod *)*i);
 #ifdef ENABLE_REWRITE
- dc.ctx = "addDnAttr";
+ dc.ctx = "addAttrDN";
 #endif
 isupdate = be_isupdate( op->o_bd, &op->o_ndn );
diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c
index cfecc0362f..29bc8b24ab 100644
--- a/servers/slapd/back-ldap/bind.c
+++ b/servers/slapd/back-ldap/bind.c
@@ -62,7 +62,7 @@ ldap_back_bind(
 #ifdef ENABLE_REWRITE
 dc.conn = op->o_conn;
 dc.rs = rs;
- dc.ctx = "bindDn";
+ dc.ctx = "bindDN";
 #else
 dc.tofrom = 1;
 dc.normalized = 0;
@@ -303,7 +303,7 @@ ldap_back_getconn(Operation *op, SlapReply *rs)
 #ifdef ENABLE_REWRITE
 dc.conn = op->o_conn;
 dc.rs = rs;
- dc.ctx = "bindDn";
+ dc.ctx = "bindDN";
 #else
 dc.tofrom = 1;
 dc.normalized = 0;
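Review bot: In both bind.c hunks the rewrite context name handed to rewrite_session changes from `bindDn` to `bindDN`, and nothing in the commit keeps the old spelling recognised, so an existing slapd.conf carrying `rewriteContext bindDn` (the spelling the shipped slapd-meta.5 used until this change) is no longer consulted when the proxy rewrites the bind DN. As far as these hunks show, nothing reports the stale name, so rules that narrow which backend DN a client may bind as would simply stop applying rather than fail at startup; the same applies to the other `*Dn` → `*DN` renames in this commit and to `modifyPwd` → `exopPasswdDN` in extended.c. I would have the config parser at least warn on the old spellings and call the rename out in the man page and release notes, and add a comment above the assignment such as `/* context names are case-sensitive; this was "bindDn" before the rename */`. ldap_back_bind and ldap_back_getconn both continue outside the hunk.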
@@ -532,7 +532,7 @@ ldap_back_op_result(struct ldapconn *lc, Operation *op, SlapReply *rs,
 #ifdef ENABLE_REWRITE
 dc.conn = op->o_conn;
 dc.rs = rs;
- dc.ctx = "matchedDn";
+ dc.ctx = "matchedDN";
 #else
 dc.tofrom = 0;
 dc.normalized = 0;
diff --git a/servers/slapd/back-ldap/compare.c b/servers/slapd/back-ldap/compare.c
index 3bed65a348..8af11742f5 100644
--- a/servers/slapd/back-ldap/compare.c
+++ b/servers/slapd/back-ldap/compare.c
@@ -60,7 +60,7 @@ ldap_back_compare(
 #ifdef ENABLE_REWRITE
 dc.conn = op->o_conn;
 dc.rs = rs;
- dc.ctx = "compareDn";
+ dc.ctx = "compareDN";
 #else
 dc.tofrom = 1;
 dc.normalized = 0;
diff --git a/servers/slapd/back-ldap/config.c b/servers/slapd/back-ldap/config.c
index ab35c0cb5d..5baef7722d 100644
--- a/servers/slapd/back-ldap/config.c
+++ b/servers/slapd/back-ldap/config.c
@@ -586,96 +586,9 @@ suffix_massage_config(
 ch_free( rargv[ 1 ] );
 ch_free( rargv[ 2 ] );
-#if 0
- /*
- * FIXME: this is no longer required since now we map filters
- * based on the parsed filter structure, so we can deal directly
- * with attribute types and values. The rewriteContext
- * "searchFilter" now refers to the value of attrbutes
- * with DN syntax.
- */
-
- /*
- * the filter should be rewritten as
- *
- * rewriteRule
- * "(.*)member=([^)]+),o=Foo Bar,[ ]?c=US(.*)"
- * "%1member=%2,dc=example,dc=com%3"
- *
- * where "o=Foo Bar, c=US" is the virtual naming context,
- * and "dc=example, dc=com" is the real naming context
- */
- rargv[ 0 ] = "rewriteContext";
- rargv[ 1 ] = "searchFilter";
- rargv[ 2 ] = NULL;
- rewrite_parse( info, "", ++line, 2, rargv );
-
-#if 1 /* rewrite filters */
- {
- /*
- * Note: this is far more optimistic than desirable:
- * for any AVA value ending with the virtual naming
- * context the terminal part will be replaced by the
- * real naming context; a better solution would be to
- * walk the filter looking for DN-valued attributes,
- * and only rewrite those that require rewriting
- */
- char vbuf_[BUFSIZ], *vbuf = vbuf_,
- rbuf_[BUFSIZ], *rbuf = rbuf_;
- int len;
-
- len = snprintf( vbuf, sizeof( vbuf_ ),
- "(.*)%s\\)(.*)", nvnc->bv_val );
- if ( len == -1 ) {
- /*
- * traditional behavior: snprintf returns -1
- * if buffer is insufficient
- */
- return -1;
-
- } else if ( len >= (int)sizeof( vbuf_ ) ) {
- /*
- * C99: snprintf returns the required size
- */
- vbuf = ch_malloc( len + 1 );
- len = snprintf( vbuf, len,
- "(.*)%s\\)(.*)", nvnc->bv_val );
- assert( len > 0 );
- }
-
- len = snprintf( rbuf, sizeof( rbuf_ ), "%%1%s)%%2",
- nrnc->bv_val );
- if ( len == -1 ) {
- return -1;
-
- } else if ( len >= (int)sizeof( rbuf_ ) ) {
- rbuf = ch_malloc( len + 1 );
- len = snprintf( rbuf, sizeof( rbuf_ ), "%%1%s)%%2",
- nrnc->bv_val );
- assert( len > 0 );
- }
-
- rargv[ 0 ] = "rewriteRule";
- rargv[ 1 ] = vbuf;
- rargv[ 2 ] = rbuf;
rargv[ 3 ] = ":";
- rargv[ 4 ] = NULL;
- rewrite_parse( info, "", ++line, 4, rargv );
-
- if ( vbuf != vbuf_ ) {
- ch_free( vbuf );
- }
-
- if ( rbuf != rbuf_ ) {
- ch_free( rbuf );
- }
- }
-#endif /* rewrite filters */
-#endif
-
 #if 0 /* "matched" is not normalized */
 rargv[ 0 ] = "rewriteContext";
- rargv[ 1 ] = "matchedDn";
+ rargv[ 1 ] = "matchedDN";
 rargv[ 2 ] = "alias";
 rargv[ 3 ] = "searchResult";
 rargv[ 4 ] = NULL;
diff --git a/servers/slapd/back-ldap/delete.c b/servers/slapd/back-ldap/delete.c
index 0027f57384..91a7b53f2c 100644
--- a/servers/slapd/back-ldap/delete.c
+++ b/servers/slapd/back-ldap/delete.c
@@ -60,7 +60,7 @@ ldap_back_delete(
 #ifdef ENABLE_REWRITE
 dc.conn = op->o_conn;
 dc.rs = rs;
- dc.ctx = "deleteDn";
+ dc.ctx = "deleteDN";
 #else
 dc.tofrom = 1;
 dc.normalized = 0;
diff --git a/servers/slapd/back-ldap/extended.c b/servers/slapd/back-ldap/extended.c
index 0223a0cebb..4403fbaaf5 100644
--- a/servers/slapd/back-ldap/extended.c
+++ b/servers/slapd/back-ldap/extended.c
@@ -117,12 +117,12 @@ ldap_back_exop_passwd(
 op->o_req_dn.bv_val, isproxy ? " (proxy)" : "", 0 );
 #endif
- if (isproxy) {
+ if ( isproxy ) {
 dc.rwmap = &li->rwmap;
 #ifdef ENABLE_REWRITE
 dc.conn = op->o_conn;
 dc.rs = rs;
- dc.ctx = "modifyPwd";
+ dc.ctx = "exopPasswdDN";
 #else
 dc.tofrom = 1;
 dc.normalized = 0;
diff --git a/servers/slapd/back-ldap/init.c b/servers/slapd/back-ldap/init.c
index a36c77cfe6..2cbf10a998 100644
--- a/servers/slapd/back-ldap/init.c
+++ b/servers/slapd/back-ldap/init.c
@@ -118,6 +118,21 @@ ldap_back_db_init(
 ch_free( li );
 return -1;
 }
+
+ {
+ char *rargv[3];
+
+ /*
+ * the filter rewrite as a string must be disabled
+ * by default; it can be re-enabled by adding rules;
+ * this creates an empty rewriteContext
+ */
+ rargv[ 0 ] = "rewriteContext";
+ rargv[ 1 ] = "searchFilter";
+ rargv[ 2 ] = NULL;
+ rewrite_parse( li->rwmap.rwm_rw, "",
+ 1, 2, rargv );
+ }
 #endif /* ENABLE_REWRITE */
 ldap_pvt_thread_mutex_init( &li->conn_mutex );
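Review bot: The new block in ldap_back_db_init discards the return value of `rewrite_parse( li->rwmap.rwm_rw, "", 1, 2, rargv )`, while the lines just above it treat a failed rewrite setup as fatal (`ch_free( li ); return -1;`). If creating the empty `searchFilter` context fails, the backend still comes up without the context the comment says must exist to keep string-level filter rewriting disabled, and what rewrite_session then does with a missing context is not visible from this hunk. I would check the result the same way as the code above, `if ( rewrite_parse( li->rwmap.rwm_rw, "", 1, 2, rargv ) != 0 ) { ch_free( li ); return -1; }` (using whatever failure value librewrite actually returns), and also confirm that an administrator's own `rewriteContext searchFilter` line still parses now that the context is pre-created, since the comment only says rules may be added. The hard-coded line number 1 will also mislabel any parse diagnostic, so a short comment such as `/* synthetic line number: this context is not from slapd.conf */` would help whoever sees it.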
diff --git a/servers/slapd/back-ldap/map.c b/servers/slapd/back-ldap/map.c
index 3f38ce6b4b..1d91a21bba 100644
--- a/servers/slapd/back-ldap/map.c
+++ b/servers/slapd/back-ldap/map.c
@@ -180,7 +180,7 @@ map_attr_value(
 dncookie fdc = *dc;
 #ifdef ENABLE_REWRITE
- fdc.ctx = "searchFilter";
+ fdc.ctx = "searchFilterAttrDN";
 #endif
 switch ( ldap_back_dn_massage( &fdc, value, &vtmp ) ) {
@@ -214,8 +214,8 @@ map_attr_value(
 return LDAP_SUCCESS;
 }
-int
-ldap_back_filter_map_rewrite(
+static int
+ldap_int_back_filter_map_rewrite(
 dncookie *dc,
 Filter *f,
 struct berval *fstr,
@@ -390,7 +390,7 @@ ldap_back_filter_map_rewrite(
 for ( p = f->f_list; p != NULL; p = p->f_next ) {
 len = fstr->bv_len;
- rc = ldap_back_filter_map_rewrite( dc, p, &vtmp, remap );
+ rc = ldap_int_back_filter_map_rewrite( dc, p, &vtmp, remap );
 if ( rc != LDAP_SUCCESS ) {
 return rc;
 }
@@ -458,6 +458,73 @@ ldap_back_filter_map_rewrite(
 return LDAP_SUCCESS;
 }
+int
+ldap_back_filter_map_rewrite(
+ dncookie *dc,
+ Filter *f,
+ struct berval *fstr,
+ int remap )
+{
+ int rc;
+ dncookie fdc;
+ struct berval ftmp;
+
+ rc = ldap_int_back_filter_map_rewrite( dc, f, fstr, remap );
+
+#ifdef ENABLE_REWRITE
+ if ( rc != LDAP_SUCCESS ) {
+ return rc;
+ }
+
+ fdc = *dc;
+ ftmp = *fstr;
+
+ fdc.ctx = "searchFilter";
+
+ switch ( rewrite_session( fdc.rwmap->rwm_rw, fdc.ctx,
+ ( ftmp.bv_len ? ftmp.bv_val : "" ),
+ fdc.conn, &fstr->bv_val )) {
+ case REWRITE_REGEXEC_OK:
+ if ( fstr->bv_val != NULL ) {
+ fstr->bv_len = strlen( fstr->bv_val );
+ free( ftmp.bv_val );
+ } else {
+ *fstr = ftmp;
+ }
+
+#ifdef NEW_LOGGING
+ LDAP_LOG( BACK_LDAP, DETAIL1,
+ "[rw] %s: \"%s\" -> \"%s\"\n",
+ dc->ctx, ftmp.bv_val, fstr->bv_val );
+#else /* !NEW_LOGGING */
+ Debug( LDAP_DEBUG_ARGS,
+ "[rw] %s: \"%s\" -> \"%s\"\n",
+ dc->ctx, ftmp.bv_val, fstr->bv_val );
+#endif /* !NEW_LOGGING */
+ rc = LDAP_SUCCESS;
+ break;
+
+ case REWRITE_REGEXEC_UNWILLING:
+ if ( fdc.rs ) {
+ fdc.rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
+ fdc.rs->sr_text = "Operation not allowed";
+ }
+ rc = LDAP_UNWILLING_TO_PERFORM;
+ break;
+
+ case REWRITE_REGEXEC_ERR:
+ if ( fdc.rs ) {
+ fdc.rs->sr_err = LDAP_OTHER;
+ fdc.rs->sr_text = "Rewrite error";
+ }
+ rc = LDAP_OTHER;
+ break;
+ }
+
+#endif /* ENABLE_REWRITE */
+ return rc;
+}
+
 /*
 * I don't like this much, but we need two different
 * functions because different heap managers may be
diff --git a/servers/slapd/back-ldap/modify.c b/servers/slapd/back-ldap/modify.c
index 541e41047d..6da70a1536 100644
--- a/servers/slapd/back-ldap/modify.c
+++ b/servers/slapd/back-ldap/modify.c
@@ -63,7 +63,7 @@ ldap_back_modify(
 #ifdef ENABLE_REWRITE
 dc.conn = op->o_conn;
 dc.rs = rs;
- dc.ctx = "modifyDn";
+ dc.ctx = "modifyDN";
 #else
 dc.tofrom = 1;
 dc.normalized = 0;
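Review bot: In the REWRITE_REGEXEC_OK branch of the new ldap_back_filter_map_rewrite, `free( ftmp.bv_val )` runs before the LDAP_LOG/Debug call that prints `ftmp.bv_val`, so whenever the rewrite produced a new string the debug line reads freed memory. The UNWILLING and ERR branches have the opposite problem: the string that ldap_int_back_filter_map_rewrite allocated into *fstr is neither freed nor returned in a defined state (what rewrite_session leaves in `&fstr->bv_val` on those paths is not visible here), and with no `default:` any other rewrite_session code falls out of the switch with rc still LDAP_SUCCESS. The log line also reports `dc->ctx` instead of `fdc.ctx`, so the entry is attributed to the caller's context rather than to searchFilter. I would move the free after the logging, release the mapped filter on every failure path and add a default; the function is complete within the hunk.
```c
	case REWRITE_REGEXEC_OK:
		if ( fstr->bv_val != NULL ) {
			fstr->bv_len = strlen( fstr->bv_val );
		} else {
			*fstr = ftmp;
		}

		/* … unchanged: LDAP_LOG / Debug of "[rw] %s: ..." — use fdc.ctx, not dc->ctx … */

		/* release the pre-rewrite string only after it has been logged */
		if ( fstr->bv_val != ftmp.bv_val ) {
			free( ftmp.bv_val );
		}
		rc = LDAP_SUCCESS;
		break;

	/* … unchanged: REWRITE_REGEXEC_UNWILLING and REWRITE_REGEXEC_ERR cases … */

	default:
		/* never hand an unknown librewrite code back as an LDAP result */
		if ( fdc.rs ) {
			fdc.rs->sr_err = LDAP_OTHER;
			fdc.rs->sr_text = "Rewrite error";
		}
		rc = LDAP_OTHER;
		break;
	}

	if ( rc != LDAP_SUCCESS ) {
		/* the mapped filter is unusable: free it rather than leak it
		 * or hand the caller a dangling pointer */
		free( ftmp.bv_val );
		fstr->bv_val = NULL;
		fstr->bv_len = 0;
	}
```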
diff --git a/servers/slapd/back-ldap/modrdn.c b/servers/slapd/back-ldap/modrdn.c
index 13ab0ba7b0..a479131c86 100644
--- a/servers/slapd/back-ldap/modrdn.c
+++ b/servers/slapd/back-ldap/modrdn.c
@@ -68,7 +68,7 @@ ldap_back_modrdn(
 * Rewrite the new superior, if defined and required
 */
 #ifdef ENABLE_REWRITE
- dc.ctx = "newSuperiorDn";
+ dc.ctx = "newSuperiorDN";
 #endif
 if ( ldap_back_dn_massage( &dc, op->orr_newSup, &mnewSuperior ) ) {
@@ -81,7 +81,7 @@ ldap_back_modrdn(
 * Rewrite the modrdn dn, if required
 */
 #ifdef ENABLE_REWRITE
- dc.ctx = "modrDn";
+ dc.ctx = "modrDN";
 #endif
 if ( ldap_back_dn_massage( &dc, &op->o_req_ndn, &mdn ) ) {
 send_ldap_result( op, rs );
diff --git a/servers/slapd/back-ldap/search.c b/servers/slapd/back-ldap/search.c
index d3b45d6532..986e4c5c70 100644
--- a/servers/slapd/back-ldap/search.c
+++ b/servers/slapd/back-ldap/search.c
@@ -275,7 +275,7 @@ fail:;
 struct berval mdn;
 #ifdef ENABLE_REWRITE
- dc.ctx = "matchedDn";
+ dc.ctx = "matchedDN";
 #else
 dc.tofrom = 0;
 dc.normalized = 0;
diff --git a/servers/slapd/back-ldap/suffixmassage.c b/servers/slapd/back-ldap/suffixmassage.c
index 2cee684451..2ad3bafdf8 100644
--- a/servers/slapd/back-ldap/suffixmassage.c
+++ b/servers/slapd/back-ldap/suffixmassage.c
@@ -42,8 +42,11 @@ ldap_back_dn_massage(
 {
 int rc = 0;
- switch (rewrite_session( dc->rwmap->rwm_rw, dc->ctx, (dn->bv_len ? dn->bv_val : ""), dc->conn,
- &res->bv_val )) {
+ rc = rewrite_session( dc->rwmap->rwm_rw, dc->ctx,
+ ( dn->bv_len ? dn->bv_val : "" ), dc->conn,
+ &res->bv_val );
+
+ switch ( rc ) {
 case REWRITE_REGEXEC_OK:
 if ( res->bv_val != NULL ) {
 res->bv_len = strlen( res->bv_val );
@@ -52,10 +55,12 @@ ldap_back_dn_massage(
 }
 #ifdef NEW_LOGGING
 LDAP_LOG( BACK_LDAP, DETAIL1,
- "[rw] %s: \"%s\" -> \"%s\"\n", dc->ctx, dn->bv_val, res->bv_val );
+ "[rw] %s: \"%s\" -> \"%s\"\n",
+ dc->ctx, dn->bv_val, res->bv_val );
 #else /* !NEW_LOGGING */
 Debug( LDAP_DEBUG_ARGS,
- "[rw] %s: \"%s\" -> \"%s\"\n", dc->ctx, dn->bv_val, res->bv_val );
+ "[rw] %s: \"%s\" -> \"%s\"\n",
+ dc->ctx, dn->bv_val, res->bv_val );
 #endif /* !NEW_LOGGING */
 rc = LDAP_SUCCESS;
 break;
diff --git a/servers/slapd/back-meta/add.c b/servers/slapd/back-meta/add.c
index fa959ce8b2..a65a380812 100644
--- a/servers/slapd/back-meta/add.c
+++ b/servers/slapd/back-meta/add.c
@@ -73,7 +73,7 @@ meta_back_add( Operation *op, SlapReply *rs )
 dc.rwmap = &li->targets[ candidate ]->rwmap;
 dc.conn = op->o_conn;
 dc.rs = rs;
- dc.ctx = "addDn";
+ dc.ctx = "addDN";
 if ( ldap_back_dn_massage( &dc, &op->o_req_dn, &mdn ) ) {
 send_ldap_result( op, rs );
diff --git a/servers/slapd/back-meta/bind.c b/servers/slapd/back-meta/bind.c
index 3eb5f0db6c..25430df987 100644
--- a/servers/slapd/back-meta/bind.c
+++ b/servers/slapd/back-meta/bind.c
@@ -203,7 +203,7 @@ meta_back_do_single_bind(
 dc.rwmap = &li->targets[ candidate ]->rwmap;
 dc.conn = op->o_conn;
 dc.rs = rs;
- dc.ctx = "bindDn";
+ dc.ctx = "bindDN";
 if ( ldap_back_dn_massage( &dc, &op->o_req_dn, &mdn ) ) {
 send_ldap_result( op, rs );
diff --git a/servers/slapd/back-meta/compare.c b/servers/slapd/back-meta/compare.c
index 3e0d8fd5d5..4f0d06548f 100644
--- a/servers/slapd/back-meta/compare.c
+++ b/servers/slapd/back-meta/compare.c
@@ -67,7 +67,7 @@ meta_back_compare( Operation *op, SlapReply *rs )
 */
 dc.conn = op->o_conn;
 dc.rs = rs;
- dc.ctx = "compareDn";
+ dc.ctx = "compareDN";
 for ( i = 0, lsc = lc->conns; !META_LAST(lsc); ++i, ++lsc ) {
 struct berval mdn = { 0, NULL };
@@ -254,7 +254,7 @@ finish:;
 matched.bv_val = match;
 matched.bv_len = strlen( match );
- dc.ctx = "matchedDn";
+ dc.ctx = "matchedDN";
 ldap_back_dn_massage( &dc, &matched, &mmatch );
 }
diff --git a/servers/slapd/back-meta/conn.c b/servers/slapd/back-meta/conn.c
index 8af403d2ab..0d3a4839ea 100644
--- a/servers/slapd/back-meta/conn.c
+++ b/servers/slapd/back-meta/conn.c
@@ -243,7 +243,7 @@ init_one_conn(
 dc.rwmap = <->rwmap;
 dc.conn = op->o_conn;
 dc.rs = rs;
- dc.ctx = "bindDn";
+ dc.ctx = "bindDN";
 /*
 * Rewrite the bind dn if needed
diff --git a/servers/slapd/back-meta/data/setup.sh b/servers/slapd/back-meta/data/setup.sh
index 178644a55c..1bb507cfc3 100644
--- a/servers/slapd/back-meta/data/setup.sh
+++ b/servers/slapd/back-meta/data/setup.sh
@@ -46,7 +46,7 @@ $SRCDIR/servers/slapd/slapd -f $CONF -h "ldap://:$PORT/" -d $DEBUG
 echo "Waiting 2 secs for everything to shut down ..."
 sleep 2
-#exit
+exit
 rm -rf $METADBDIR
 rm -f schema ucdata $CONF $LDAPCONF
diff --git a/servers/slapd/back-meta/delete.c b/servers/slapd/back-meta/delete.c
index dd28e40279..c3c8ea8f5f 100644
--- a/servers/slapd/back-meta/delete.c
+++ b/servers/slapd/back-meta/delete.c
@@ -60,7 +60,7 @@ meta_back_delete( Operation *op, SlapReply *rs )
 dc.rwmap = &li->targets[ candidate ]->rwmap;
 dc.conn = op->o_conn;
 dc.rs = rs;
- dc.ctx = "deleteDn";
+ dc.ctx = "deleteDN";
 if ( ldap_back_dn_massage( &dc, &op->o_req_dn, &mdn ) ) {
 send_ldap_result( op, rs );
diff --git a/servers/slapd/back-meta/modify.c b/servers/slapd/back-meta/modify.c
index d00c0f5e17..c44a1f214c 100644
--- a/servers/slapd/back-meta/modify.c
+++ b/servers/slapd/back-meta/modify.c
@@ -65,7 +65,7 @@ meta_back_modify( Operation *op, SlapReply *rs )
 dc.rwmap = &li->targets[ candidate ]->rwmap;
 dc.conn = op->o_conn;
 dc.rs = rs;
- dc.ctx = "modifyDn";
+ dc.ctx = "modifyDN";
 if ( ldap_back_dn_massage( &dc, &op->o_req_dn, &mdn ) ) {
 rc = -1;
diff --git a/servers/slapd/back-meta/search.c b/servers/slapd/back-meta/search.c
index d6c2798dc5..ecb5fcdafb 100644
--- a/servers/slapd/back-meta/search.c
+++ b/servers/slapd/back-meta/search.c
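Review bot: Un-commenting `exit` in setup.sh makes the two cleanup lines after it, `rm -rf $METADBDIR` and `rm -f schema ucdata $CONF $LDAPCONF`, unreachable, so every run now leaves the generated test database and configuration files behind; this reads like a local debugging change committed by accident. If keeping the artefacts for inspection is intended, gate it on a variable and say so, e.g. `test -n "$KEEPFILES" && exit 0` preceded by `# set KEEPFILES to skip cleanup and inspect the generated config`; otherwise restore `#exit`. I cannot see what $CONF and $LDAPCONF contain, but proxy test configs commonly embed bind credentials, which is a further reason not to leave them on disk by default.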
@@ -495,7 +495,7 @@ new_candidate:;
 */
 if ( candidate_match == initial_candidates && match.bv_val != NULL && *match.bv_val ) {
- dc.ctx = "matchedDn";
+ dc.ctx = "matchedDN";
 dc.rwmap = &li->targets[ last ]->rwmap;
 if ( ldap_back_dn_massage( &dc, &match, &mmatch ) ) {