ITS#7581 fix back-meta config checks

Allow base entry to be added online with targets
added later. Add SLAP_SERVER_RUNNING flag to note
that main slap_startup has already occurred.

servers/slapd/back-meta/back-meta.h

@@ -681,6 +681,11 @@ meta_back_map_free( struct ldapmap *lm );
 extern int
 meta_subtree_destroy( metasubtree_t *ms );
 
+extern int
+meta_target_finish( metainfo_t *mi, metatarget_t *mt,
+	const char *log, char *msg, size_t msize
+);
+
 extern LDAP_REBIND_PROC		meta_back_default_rebind;
 extern LDAP_URLLIST_PROC	meta_back_default_urllist;
 

servers/slapd/back-meta/config.c

@@ -1089,6 +1089,15 @@ static slap_cf_aux_table timeout_table[] = {
 	{ BER_BVNULL, 0, 0, 0, NULL }
 };
 
+static int
+meta_cf_cleanup( ConfigArgs *c )
+{
+	metainfo_t	*mi = ( metainfo_t * )c->be->be_private;
+	metatarget_t	*mt = c->ca_private;
+
+	return meta_target_finish( mi, mt, c->log, c->cr_msg, sizeof( c->cr_msg ));
+}
+
 static int
 meta_back_cf_gen( ConfigArgs *c )
 {
@@ -2061,6 +2070,7 @@ meta_back_cf_gen( ConfigArgs *c )
 			return 1;
 		}
 		c->ca_private = mt;
+		c->cleanup = meta_cf_cleanup;
 	} break;
 	case LDAP_BACK_CFG_SUBTREE_EX:
 	case LDAP_BACK_CFG_SUBTREE_IN:

servers/slapd/back-meta/init.c

@@ -113,7 +113,10 @@ meta_back_db_init(
 
 	/* set default flags */
 	mi->mi_flags =
-		META_BACK_F_DEFER_ROOTDN_BIND;
+		META_BACK_F_DEFER_ROOTDN_BIND
+		| META_BACK_F_PROXYAUTHZ_ALWAYS
+		| META_BACK_F_PROXYAUTHZ_ANON
+		| META_BACK_F_PROXYAUTHZ_NOANON;
 
 	/*
 	 * At present the default is no default target;
@@ -147,20 +150,106 @@ meta_back_db_init(
 	return 0;
 }
 
+int
+meta_target_finish(
+	metainfo_t *mi,
+	metatarget_t *mt,
+	const char *log,
+	char *msg,
+	size_t msize
+)
+{
+	slap_bindconf	sb = { BER_BVNULL };
+	struct berval mapped;
+	int rc;
+
+	ber_str2bv( mt->mt_uri, 0, 0, &sb.sb_uri );
+	sb.sb_version = mt->mt_version;
+	sb.sb_method = LDAP_AUTH_SIMPLE;
+	BER_BVSTR( &sb.sb_binddn, "" );
+
+	if ( META_BACK_TGT_T_F_DISCOVER( mt ) ) {
+		rc = slap_discover_feature( &sb,
+				slap_schema.si_ad_supportedFeatures->ad_cname.bv_val,
+				LDAP_FEATURE_ABSOLUTE_FILTERS );
+		if ( rc == LDAP_COMPARE_TRUE ) {
+			mt->mt_flags |= LDAP_BACK_F_T_F;
+		}
+	}
+
+	if ( META_BACK_TGT_CANCEL_DISCOVER( mt ) ) {
+		rc = slap_discover_feature( &sb,
+				slap_schema.si_ad_supportedExtension->ad_cname.bv_val,
+				LDAP_EXOP_CANCEL );
+		if ( rc == LDAP_COMPARE_TRUE ) {
+			mt->mt_flags |= LDAP_BACK_F_CANCEL_EXOP;
+		}
+	}
+
+	if ( !( mt->mt_idassert_flags & LDAP_BACK_AUTH_OVERRIDE )
+		|| mt->mt_idassert_authz != NULL )
+	{
+		mi->mi_flags &= ~META_BACK_F_PROXYAUTHZ_ALWAYS;
+	}
+
+	if ( ( mt->mt_idassert_flags & LDAP_BACK_AUTH_AUTHZ_ALL )
+		&& !( mt->mt_idassert_flags & LDAP_BACK_AUTH_PRESCRIPTIVE ) )
+	{
+		snprintf( msg, msize,
+			"%s: inconsistent idassert configuration "
+			"(likely authz=\"*\" used with \"non-prescriptive\" flag)",
+			log );
+		Debug( LDAP_DEBUG_ANY, "%s (target %s)\n",
+			msg, mt->mt_uri, 0 );
+		return 1;
+	}
+
+	if ( !( mt->mt_idassert_flags & LDAP_BACK_AUTH_AUTHZ_ALL ) )
+	{
+		mi->mi_flags &= ~META_BACK_F_PROXYAUTHZ_ANON;
+	}
+
+	if ( ( mt->mt_idassert_flags & LDAP_BACK_AUTH_PRESCRIPTIVE ) )
+	{
+		mi->mi_flags &= ~META_BACK_F_PROXYAUTHZ_NOANON;
+	}
+
+	BER_BVZERO( &mapped );
+	ldap_back_map( &mt->mt_rwmap.rwm_at,
+		&slap_schema.si_ad_entryDN->ad_cname, &mapped,
+		BACKLDAP_REMAP );
+	if ( BER_BVISNULL( &mapped ) || mapped.bv_val[0] == '\0' ) {
+		mt->mt_rep_flags |= REP_NO_ENTRYDN;
+	}
+
+	BER_BVZERO( &mapped );
+	ldap_back_map( &mt->mt_rwmap.rwm_at,
+		&slap_schema.si_ad_subschemaSubentry->ad_cname, &mapped,
+		BACKLDAP_REMAP );
+	if ( BER_BVISNULL( &mapped ) || mapped.bv_val[0] == '\0' ) {
+		mt->mt_rep_flags |= REP_NO_SUBSCHEMA;
+	}
+
+	return 0;
+}
+
 int
 meta_back_db_open(
 	Backend		*be,
 	ConfigReply	*cr )
 {
 	metainfo_t	*mi = (metainfo_t *)be->be_private;
+	char msg[SLAP_TEXT_BUFLEN];
 
-	int		i,
-			not_always = 0,
-			not_always_anon_proxyauthz = 0,
-			not_always_anon_non_prescriptive = 0,
-			rc;
+	int		i, rc;
 
 	if ( mi->mi_ntargets == 0 ) {
+		/* Dynamically added, nothing to check here until
+		 * some targets get added
+		 */
+		if ( slapMode & SLAP_SERVER_RUNNING )
+			return 0;
+
 		Debug( LDAP_DEBUG_ANY,
 			"meta_back_db_open: no targets defined\n",
 			0, 0, 0 );
@@ -168,92 +257,11 @@ meta_back_db_open(
 	}
 
 	for ( i = 0; i < mi->mi_ntargets; i++ ) {
-		slap_bindconf	sb = { BER_BVNULL };
 		metatarget_t	*mt = mi->mi_targets[ i ];
 
-		struct berval mapped;
-
-		ber_str2bv( mt->mt_uri, 0, 0, &sb.sb_uri );
-		sb.sb_version = mt->mt_version;
-		sb.sb_method = LDAP_AUTH_SIMPLE;
-		BER_BVSTR( &sb.sb_binddn, "" );
-
-		if ( META_BACK_TGT_T_F_DISCOVER( mt ) ) {
-			rc = slap_discover_feature( &sb,
-					slap_schema.si_ad_supportedFeatures->ad_cname.bv_val,
-					LDAP_FEATURE_ABSOLUTE_FILTERS );
-			if ( rc == LDAP_COMPARE_TRUE ) {
-				mt->mt_flags |= LDAP_BACK_F_T_F;
-			}
-		}
-
-		if ( META_BACK_TGT_CANCEL_DISCOVER( mt ) ) {
-			rc = slap_discover_feature( &sb,
-					slap_schema.si_ad_supportedExtension->ad_cname.bv_val,
-					LDAP_EXOP_CANCEL );
-			if ( rc == LDAP_COMPARE_TRUE ) {
-				mt->mt_flags |= LDAP_BACK_F_CANCEL_EXOP;
-			}
-		}
-
-		if ( not_always == 0 ) {
-			if ( !( mt->mt_idassert_flags & LDAP_BACK_AUTH_OVERRIDE )
-				|| mt->mt_idassert_authz != NULL )
-			{
-				not_always = 1;
-			}
-		}
-
-		if ( ( mt->mt_idassert_flags & LDAP_BACK_AUTH_AUTHZ_ALL )
-			&& !( mt->mt_idassert_flags & LDAP_BACK_AUTH_PRESCRIPTIVE ) )
-		{
-			Debug( LDAP_DEBUG_ANY, "meta_back_db_open(%s): "
-				"target #%d inconsistent idassert configuration "
-				"(likely authz=\"*\" used with \"non-prescriptive\" flag)\n",
-				be->be_suffix[ 0 ].bv_val, i, 0 );
+		if ( meta_target_finish( mi, mt,
+			"meta_back_db_open", msg, sizeof( msg )))
 			return 1;
-		}
-
-		if ( not_always_anon_proxyauthz == 0 ) {
-			if ( !( mt->mt_idassert_flags & LDAP_BACK_AUTH_AUTHZ_ALL ) )
-			{
-				not_always_anon_proxyauthz = 1;
-			}
-		}
-
-		if ( not_always_anon_non_prescriptive == 0 ) {
-			if ( ( mt->mt_idassert_flags & LDAP_BACK_AUTH_PRESCRIPTIVE ) )
-			{
-				not_always_anon_non_prescriptive = 1;
-			}
-		}
-
-		BER_BVZERO( &mapped );
-		ldap_back_map( &mt->mt_rwmap.rwm_at, 
-			&slap_schema.si_ad_entryDN->ad_cname, &mapped,
-			BACKLDAP_REMAP );
-		if ( BER_BVISNULL( &mapped ) || mapped.bv_val[0] == '\0' ) {
-			mt->mt_rep_flags |= REP_NO_ENTRYDN;
-		}
-
-		BER_BVZERO( &mapped );
-		ldap_back_map( &mt->mt_rwmap.rwm_at, 
-			&slap_schema.si_ad_subschemaSubentry->ad_cname, &mapped,
-			BACKLDAP_REMAP );
-		if ( BER_BVISNULL( &mapped ) || mapped.bv_val[0] == '\0' ) {
-			mt->mt_rep_flags |= REP_NO_SUBSCHEMA;
-		}
-	}
-
-	if ( not_always == 0 ) {
-		mi->mi_flags |= META_BACK_F_PROXYAUTHZ_ALWAYS;
-	}
-
-	if ( not_always_anon_proxyauthz == 0 ) {
-		mi->mi_flags |= META_BACK_F_PROXYAUTHZ_ANON;
-
-	} else if ( not_always_anon_non_prescriptive == 0 ) {
-		mi->mi_flags |= META_BACK_F_PROXYAUTHZ_NOANON;
 	}
 
 	return 0;

servers/slapd/init.c

@@ -211,12 +211,15 @@ slap_init( int mode, const char *name )
 
 int slap_startup( Backend *be )
 {
+	int rc;
 	Debug( LDAP_DEBUG_TRACE,
 		"%s startup: initiated.\n",
 		slap_name, 0, 0 );
 
-
-	return backend_startup( be );
+	rc = backend_startup( be );
+	if ( !rc && ( slapMode & SLAP_SERVER_MODE ))
+		slapMode |= SLAP_SERVER_RUNNING;
+	return rc;
 }
 
 int slap_shutdown( Backend *be )

servers/slapd/slap.h

@@ -1605,6 +1605,8 @@ LDAP_SLAPD_V (int) slapMode;
 #define SLAP_TOOL_NO_SCHEMA_CHECK	0x1000
 #define SLAP_TOOL_VALUE_CHECK	0x2000
 
+#define SLAP_SERVER_RUNNING	0x8000
+
 #define SB_TLS_DEFAULT		(-1)
 #define SB_TLS_OFF		0
 #define SB_TLS_ON		1