allow proxies to filter out search references (ITS#5593)

Pierangelo Masarati 2008-07-07 21:25:59 +00:00
parent f94cd4b518
commit c6f12694fc
8 changed files with 92 additions and 0 deletions


@ -384,6 +384,13 @@ returns in case of no activity.
The value is in seconds, and it can be specified as for
.BR idle-timeout .
.TP
.B norefs <NO|yes>
If
.BR yes ,
do not return search reference responses.
By default, they are returned unless request is LDAPv2.
.TP
.B protocol\-version {0,2,3}
This directive indicates what protocol version must be used to contact


@ -127,6 +127,15 @@ If the value is set to \fBreport\fP, the search is continuated to the end
but, in case at least one target returned an error code, the first
non-success error code is returned.
.TP
.B norefs <NO|yes>
If
.BR yes ,
do not return search reference responses.
By default, they are returned unless request is LDAPv2.
If set before any target specification, it affects all targets, unless
overridden by any per-target directive.
.TP
.B protocol\-version {0,2,3}
This directive indicates what protocol version must be used to contact


@ -315,6 +315,8 @@ typedef struct ldapinfo_t {
#define LDAP_BACK_F_ST_RESPONSE (0x00040000U)
#endif /* SLAP_CONTROL_X_SESSION_TRACKING */
#define LDAP_BACK_F_NOREFS (0x00080000U)
#define LDAP_BACK_ISSET_F(ff,f) ( ( (ff) & (f) ) == (f) )
#define LDAP_BACK_ISMASK_F(ff,m,f) ( ( (ff) & (m) ) == (f) )
@ -353,6 +355,8 @@ typedef struct ldapinfo_t {
#define LDAP_BACK_ST_RESPONSE(li) LDAP_BACK_ISSET( (li), LDAP_BACK_F_ST_RESPONSE)
#endif /* SLAP_CONTROL_X_SESSION_TRACKING */
#define LDAP_BACK_NOREFS(li) LDAP_BACK_ISSET( (li), LDAP_BACK_F_NOREFS)
int li_version;
/* cached connections;


@ -70,6 +70,8 @@ enum {
LDAP_BACK_CFG_CANCEL,
LDAP_BACK_CFG_QUARANTINE,
LDAP_BACK_CFG_ST_REQUEST,
LDAP_BACK_CFG_NOREFS,
LDAP_BACK_CFG_REWRITE,
LDAP_BACK_CFG_LAST
@ -306,6 +308,14 @@ static ConfigTable ldapcfg[] = {
"SINGLE-VALUE )",
NULL, NULL },
#endif /* SLAP_CONTROL_X_SESSION_TRACKING */
{ "norefs", "true|FALSE", 2, 2, 0,
ARG_MAGIC|ARG_ON_OFF|LDAP_BACK_CFG_NOREFS,
ldap_back_cf_gen, "( OLcfgDbAt:3.25 "
"NAME 'olcDbNorefs' "
"DESC 'Do not return search reference responses' "
"SYNTAX OMsBoolean "
"SINGLE-VALUE )",
NULL, NULL },
{ "suffixmassage", "[virtual]> <real", 2, 3, 0,
ARG_STRING|ARG_MAGIC|LDAP_BACK_CFG_REWRITE,
ldap_back_cf_gen, NULL, NULL, NULL },
@ -345,6 +355,10 @@ static ConfigOCs ldapocs[] = {
"$ olcDbQuarantine "
"$ olcDbUseTemporaryConn "
"$ olcDbConnectionPoolMax "
#ifdef SLAP_CONTROL_X_SESSION_TRACKING
"$ olcDbSessionTrackingRequest "
#endif /* SLAP_CONTROL_X_SESSION_TRACKING */
"$ olcDbNorefs "
") )",
Cft_Database, ldapcfg},
{ NULL, 0, NULL }
@ -1134,6 +1148,10 @@ ldap_back_cf_gen( ConfigArgs *c )
break;
#endif /* SLAP_CONTROL_X_SESSION_TRACKING */
case LDAP_BACK_CFG_NOREFS:
c->value_int = LDAP_BACK_NOREFS( li );
break;
default:
/* FIXME: we need to handle all... */
assert( 0 );
@ -1256,6 +1274,10 @@ ldap_back_cf_gen( ConfigArgs *c )
break;
#endif /* SLAP_CONTROL_X_SESSION_TRACKING */
case LDAP_BACK_CFG_NOREFS:
li->li_flags &= ~LDAP_BACK_F_NOREFS;
break;
default:
/* FIXME: we need to handle all... */
assert( 0 );
@ -1900,6 +1922,15 @@ done_url:;
break;
#endif /* SLAP_CONTROL_X_SESSION_TRACKING */
case LDAP_BACK_CFG_NOREFS:
if ( c->value_int ) {
li->li_flags |= LDAP_BACK_F_NOREFS;
} else {
li->li_flags &= ~LDAP_BACK_F_NOREFS;
}
break;
case LDAP_BACK_CFG_REWRITE:
snprintf( c->cr_msg, sizeof( c->cr_msg ),
"rewrite/remap capabilities have been moved "
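Review bot: The `ldapocs` hunk adds `"$ olcDbSessionTrackingRequest "` under `#ifdef SLAP_CONTROL_X_SESSION_TRACKING` alongside `"$ olcDbNorefs "`, a change the commit message (norefs, ITS#5593) does not mention. It looks like a separate fix for an attribute missing from the object class, so it should go in its own commit or at least be named in the log. The three `LDAP_BACK_CFG_NOREFS` cases in `ldap_back_cf_gen` are consistent with each other. The emit case could carry a comment like `/* emit as 0/1 for the OMsBoolean olcDbNorefs */`, since it relies on `LDAP_BACK_ISSET` yielding a boolean, which is defined outside these hunks.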


@ -363,6 +363,11 @@ retry:
}
} else if ( rc == LDAP_RES_SEARCH_REFERENCE ) {
if ( LDAP_BACK_NOREFS( li ) ) {
ldap_msgfree( res );
continue;
}
do_retry = 0;
rc = ldap_parse_reference( lc->lc_ld, res,
&references, &rs->sr_ctrls, 1 );
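Review bot: In the new `LDAP_BACK_NOREFS( li )` branch, `res` still holds the freed pointer after `ldap_msgfree( res )` when `continue` runs. The loop header and the abandon/cleanup paths are outside this hunk, so it is not visible whether `res` is always reassigned before anything frees it again. If it is not, a remote server that sends search references could trigger a double free in the proxy. Adding `res = NULL;` between the free and the `continue` makes the branch safe regardless. Note also that `continue` skips `do_retry = 0;`, which looks intentional since nothing was sent to the client, but a comment saying so would help.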


@ -315,6 +315,8 @@ typedef struct metatarget_t {
#define META_BACK_TGT_ST_RESPONSE(mt) META_BACK_TGT_ISSET( (mt), LDAP_BACK_F_ST_RESPONSE )
#endif /* SLAP_CONTROL_X_SESSION_TRACKING */
#define META_BACK_TGT_NOREFS(mt) META_BACK_TGT_ISSET( (mt), LDAP_BACK_F_NOREFS )
int mt_version;
time_t mt_network_timeout;
struct timeval mt_bind_timeout;


@ -1453,6 +1453,36 @@ idassert-authzFrom "dn:<rootdn>"
return 1;
}
/* do not return search references */
} else if ( strcasecmp( argv[ 0 ], "norefs" ) == 0 ) {
unsigned *flagsp = mi->mi_ntargets ?
&mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_flags
: &mi->mi_flags;
if ( argc != 2 ) {
Debug( LDAP_DEBUG_ANY,
"%s: line %d: \"norefs {TRUE|false}\" needs 1 argument.\n",
fname, lineno, 0 );
return( 1 );
}
/* this is the default; we add it because the default might change... */
switch ( check_true_false( argv[ 1 ] ) ) {
case 1:
*flagsp |= LDAP_BACK_F_NOREFS;
break;
case 0:
*flagsp &= ~LDAP_BACK_F_NOREFS;
break;
default:
Debug( LDAP_DEBUG_ANY,
"%s: line %d: \"norefs {TRUE|false}\": unknown argument \"%s\".\n",
fname, lineno, argv[ 1 ] );
return( 1 );
}
/* anything else */
} else {
return SLAP_CONF_UNKNOWN;
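Review bot: The comment above the `switch` in the new `norefs` branch, `/* this is the default; we add it because the default might change... */`, does not fit this directive and looks copied from a neighbouring option. The man page in this commit documents `norefs <NO|yes>`, so the default is off. Both `Debug` messages print `norefs {TRUE|false}`, which by the capitalisation convention used elsewhere (`"true|FALSE"` in the back-ldap table) advertises the wrong default. I would change the usage text to `\"norefs {true|FALSE}\"` in both messages and replace the comment with `/* default is off: search references are returned */`. The choice of `flagsp` (last target versus `mi->mi_flags`) also deserves a one-line comment. Whether targets defined later inherit `mi_flags` depends on code outside this hunk.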


@ -1155,6 +1155,10 @@ really_bad:;
char **references = NULL;
int cnt;
if ( META_BACK_TGT_NOREFS( mi->mi_targets[ i ] ) ) {
continue;
}
if ( candidates[ i ].sr_type == REP_INTERMEDIATE ) {
/* don't retry any more... */
candidates[ i ].sr_type = REP_RESULT;
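Review bot: The new `META_BACK_TGT_NOREFS` check does a bare `continue` without releasing the received message, whereas the equivalent back-ldap change in this commit calls `ldap_msgfree( res )` first. If the message in this branch is normally released by the `ldap_parse_reference` call further down (not visible in this hunk), every filtered reference would leak it. A remote target could then grow the proxy's memory by sending many references. Please confirm who owns the message at this point and, if it is this branch, free it before the `continue`. A comment such as `/* norefs: drop the reference without touching sr_type */` would also make it explicit that skipping the `REP_INTERMEDIATE` update below is intended.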