Sync with HEAD

configure.in

@@ -242,7 +242,7 @@ OL_ARG_ENABLE(sql,[    --enable-sql	  enable sql backend no|yes|mod],
 
 dnl ----------------------------------------------------------------
 dnl SLAPD Overlay Options
-Overlays="denyop dyngroup dynlist glue lastmod ppolicy proxycache \
+Overlays="accesslog denyop dyngroup dynlist glue lastmod ppolicy proxycache \
 	refint rwm syncprov translucent unique"
 
 AC_ARG_WITH(xxslapoverlays,[
@@ -250,6 +250,8 @@ SLAPD Overlay Options:])
 
 OL_ARG_ENABLE(overlays,[    --enable-overlays	  enable all available overlays no|yes|mod],
 	no, [no yes mod])dnl
+OL_ARG_ENABLE(accesslog,[    --enable-accesslog  	  In-Directory Access Logging overlay no|yes|mod],
+	no, [no yes mod])
 OL_ARG_ENABLE(denyop,[    --enable-denyop  	  Deny Operation overlay no|yes|mod],
 	no, [no yes mod])
 OL_ARG_ENABLE(dyngroup,[    --enable-dyngroup	  Dynamic Group overlay no|yes|mod],
@@ -522,7 +524,7 @@ BUILD_RELAY=no
 BUILD_SHELL=no
 BUILD_SQL=no
 
-BUILD_CHAIN=no
+BUILD_ACCESSLOG=no
 BUILD_DENYOP=no
 BUILD_DYNGROUP=no
 BUILD_DYNLIST=no
@@ -2767,6 +2769,18 @@ if test "$ol_link_sql" != no ; then
 	AC_DEFINE_UNQUOTED(SLAPD_SQL,$MFLAG,[define to support SQL backend])
 fi
 
+if test "$ol_enable_accesslog" != no ; then
+	BUILD_ACCESSLOG=$ol_enable_accesslog
+	if test "$ol_enable_accesslog" = mod ; then
+		MFLAG=SLAPD_MOD_DYNAMIC
+		SLAPD_DYNAMIC_OVERLAYS="$SLAPD_DYNAMIC_OVERLAYS accesslog.la"
+	else
+		MFLAG=SLAPD_MOD_STATIC
+		SLAPD_STATIC_OVERLAYS="$SLAPD_STATIC_OVERLAYS accesslog.o"
+	fi
+	AC_DEFINE_UNQUOTED(SLAPD_OVER_ACCESSLOG,$MFLAG,[define for In-Directory Access Logging overlay])
+fi
+
 if test "$ol_enable_denyop" != no ; then
 	BUILD_DENYOP=$ol_enable_denyop
 	if test "$ol_enable_denyop" = mod ; then
@@ -2968,7 +2982,7 @@ dnl backends
   AC_SUBST(BUILD_SHELL)
   AC_SUBST(BUILD_SQL)
 dnl overlays
-  AC_SUBST(BUILD_CHAIN)
+  AC_SUBST(BUILD_ACCESSLOG)
   AC_SUBST(BUILD_DENYOP)
   AC_SUBST(BUILD_DYNGROUP)
   AC_SUBST(BUILD_DYNLIST)

doc/man/man5/slapo-accesslog.5

@@ -0,0 +1,385 @@
+.TH SLAPO-ACCESSLOG 5 "RELEASEDATE" "OpenLDAP LDVERSION"
+.\" Copyright 2005 The OpenLDAP Foundation All Rights Reserved.
+.\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
+.\" $OpenLDAP$
+.SH NAME
+slapo-accesslog \- Access Logging overlay
+.SH SYNOPSIS
+ETCDIR/slapd.conf
+.SH DESCRIPTION
+The Access Logging overlay can be used to record all accesses to a given
+backend database on another database. This allows all of the activity on
+a given database to be reviewed using arbitrary LDAP queries, instead of
+just logging to local flat text files. Configuration options are available
+for selecting a subset of operation types to log, and to automatically
+prune older log records from the logging database. Log records are stored
+with a custom schema to assure their readability whether viewed as LDIF
+or in raw form.
+.SH CONFIGURATION
+These
+.B slapd.conf
+options apply to the Access Logging overlay.
+They should appear after the
+.B overlay
+directive and before any subsequent
+.B database
+directive.
+.TP
+.B logdb <suffix>
+Specify the suffix of a database to be used for storing the log records.
+The specified database must have already been configured in a prior section
+of the config file. The suffix entry of the database must also already
+exist. The log entries will be generated as the immediate children of the
+suffix entry.
+.TP
+.B logops <operations>
+Specify which types of operations to log. The valid operation types are
+abandon, add, bind, compare, delete, extended, modify, modrdn, search,
+and unbind. Aliases for common sets of operations are also available:
+.RS
+.TP
+.B writes
+add, delete, modify, modrdn
+.TP
+.B reads
+compare, search
+.TP
+.B session
+abandon, bind, unbind
+.TP
+.B all
+all operations
+.RE
+.TP
+.B logpurge <age> <interval>
+Specify the maximum age for log entries to be retained in the database,
+and how often to scan the database for old entries. Both the
+.B age
+and
+.B interval
+are specified as a time span in days, hours, minutes, and seconds. The
+time format is [dd+]hh:mm[:ss] i.e., the days and seconds components are
+optional but hours and minutes are required. Each numeric field must be
+exactly two digits. For example
+.RS
+.RS
+.PD 0
+.TP
+logpurge 02+00:00 01+00:00
+.RE
+.PD
+would specify that the log database should be scanned every day for old
+entries, and entries older than two days should be deleted. When using a
+log database that supports ordered indexing on generalizedTime attributes,
+specifying an eq index on the
+.B reqStart
+attribute will greatly benefit the performance of the purge operation.
+
+.SH EXAMPLES
+.LP
+.nf
+	database bdb
+	suffix cn=log
+	\...
+	index reqStart eq
+
+	database bdb
+	suffix dc=example,dc=com
+	\...
+	overlay accesslog
+	logdb cn=log
+	logops writes reads
+.fi
+
+.SH OBJECT CLASSES
+The
+.B accesslog
+overlay defines a number of object classes for use in the logs. There is
+a basic
+.B auditObject
+class from which two additional classes,
+.B auditReadObject
+and
+.B auditWriteObject
+are derived. Object classes for each type of LDAP operation are further
+derived from these classes. This object class hierarchy is designed to
+allow flexible yet efficient searches of the log based on either a specific
+operation type's class, or on more general classifications. The definition
+of the
+.B auditObject
+class is as follows:
+.LP
+.RS 4
+(  1.3.6.1.4.1.4203.666.11.5.2.1
+    NAME 'auditObject'
+    DESC 'OpenLDAP request auditing'
+    SUP top STRUCTURAL
+    MUST ( reqStart $ reqType $ reqSession )
+    MAY ( reqDN $ reqAuthzID $ reqControls $ reqRespControls $
+        reqEnd $ reqResult $ reqMessage ) )
+.RE
+.P
+Note that all of the OIDs used in the logging schema currently reside
+under the OpenLDAP Experimental branch. It is anticipated that thay
+will migrate to a Standard branch in the future.
+
+An overview of the attributes follows:
+.B reqStart
+and
+.B reqEnd
+provide the start and end time of the operation, respectively. They use
+generalizedTime syntax. The
+.B reqStart
+attribute is also used as the RDN for each log entry.
+
+The
+.B reqType
+attribute is a simple string containing the type of operation
+being logged, e.g.
+.BR add ,
+.BR delete ,
+.BR search ,
+etc. For extended operations, the type also includes the OID of the
+extended operation, e.g.
+.B extended(1.2.3.4.1)
+
+The
+.B reqSession
+attribute is an implementation-specific identifier that is common to
+all the operations associated with the same LDAP session. Currently this
+is slapd's internal connection ID, stored in decimal.
+
+The
+.B reqDN
+attribute is the distinguishedName of the target of the operation. E.g., for
+a Bind request, this is the Bind DN. For an Add request, this is the DN
+of the entry being added. For a Search request, this is the base DN of
+the search.
+
+The
+.B reqAuthzID
+attribute is the distinguishedName of the user that performed the operation.
+This will usually be the same name as was established at the start of a
+session by a Bind request (if any) but may be altered in various
+circumstances.
+
+The
+.BR reqControls and
+.B reqRespControls
+attributes carry any controls sent by the client on the request and returned
+by the server in the response, respectively. The attribute values are just
+uninterpreted octet strings.
+
+The
+.B reqResult
+attribute is the numeric LDAP result code of the operation, indicating
+either success or a particular LDAP error code. An error code may be
+accompanied by a text error message which will be recorded in the
+.B reqMessage
+attribute.
+
+Operation-specific classes are defined with additional attributes to carry
+all of the relevant parameters associated with the operation:
+
+.LP
+.RS 4
+(  1.3.6.1.4.1.4203.666.11.5.2.4
+    NAME 'auditAbandon'
+    DESC 'Abandon operation'
+    SUP auditObject STRUCTURAL
+    MUST reqId )
+.RE
+.P
+For the
+.B Abandon
+operation the
+.B reqId
+attribute contains the message ID of the request that was abandoned.
+
+.LP
+.RS 4
+(  1.3.6.1.4.1.4203.666.11.5.2.5
+    NAME 'auditAdd'
+    DESC 'Add operation'
+    SUP auditWriteObject STRUCTURAL
+    MUST reqMod )
+.RE
+.P
+The
+.B Add
+class inherits from the
+.B auditWriteObject
+class. The Add and Modify classes are essentially the same. The
+.B reqMod
+attribute carries all of the attributes of the original entry being added.
+(Or in the case of a Modify operation, all of the modifications being
+performed.) The values are formatted as
+.RS
+.RS
+.PD 0
+.TP
+attribute:<+|-|=|#> [ value]
+.RE
+.PD
+Where '+' indicates an Add of a value, '-' for Delete, '=' for Replace,
+and '#' for Increment. In an Add operation, all of the reqMod values will
+have the '+' designator.
+.RE
+.P
+
+.LP
+.RS 4
+(  1.3.6.1.4.1.4203.666.11.5.2.6
+    NAME 'auditBind'
+    DESC 'Bind operation'
+    SUP auditObject STRUCTURAL
+    MUST reqMethod )
+.RE
+.P
+The
+.B Bind
+class just adds the
+.B reqMethod
+attribute which contains the Bind Method used in the Bind. This will be
+the string
+.B SIMPLE
+for LDAP Simple Binds or
+.B SASL(<mech>)
+for SASL Binds.
+Note that unless configured as a global overlay, only Simple Binds using
+DNs that reside in the current database will be logged.
+
+.LP
+.RS 4
+(  1.3.6.1.4.1.4203.666.11.5.2.7
+    NAME 'auditCompare'
+    DESC 'Compare operation'
+    SUP auditObject STRUCTURAL
+    MUST reqAssertion )
+.RE
+.P
+For the
+.B Compare
+operation the
+.B reqAssertion
+attribute carries the Attribute Value Assertion used in the compare request.
+
+.LP
+.RS 4
+(  1.3.6.1.4.1.4203.666.11.5.2.8
+    NAME 'auditModify'
+    DESC 'Modify operation'
+    SUP auditWriteObject STRUCTURAL
+    MUST reqMod )
+.RE
+.P
+The
+.B Modify
+operation has already been described.
+
+.LP
+.RS 4
+(  1.3.6.1.4.1.4203.666.11.5.2.9
+    NAME 'auditModRDN'
+    DESC 'ModRDN operation'
+    SUP auditWriteObject STRUCTURAL
+    MUST ( reqNewRDN $ reqDeleteOldRDN )
+    MAY reqNewSuperior )
+.RE
+.P
+The
+.B ModRDN
+class uses the
+.B reqNewRDN
+attribute to carry the new RDN of the request.
+The
+.B reqDeleteOldRDN
+attribute is a Boolean value showing
+.B TRUE
+if the old RDN was deleted from the entry, or
+.B FALSE
+if the old RDN was preserved.
+The
+.B reqNewSuperior
+attribute carries the DN of the new parent entry if the request specified
+the new parent.
+
+.LP
+.RS 4
+(  1.3.6.1.4.1.4203.666.11.5.2.10
+    NAME 'auditSearch'
+    DESC 'Search operation'
+    SUP auditReadObject STRUCTURAL
+    MUST ( reqScope $ reqAttrsOnly )
+    MAY ( reqFilter $ reqAttr $ reqEntries $ reqSizeLimit $
+          reqTimeLimit ) )
+.RE
+.P
+For the
+.B Search
+class the
+.B reqScope
+attribute contains the scope of the original search request, i.e.
+.BR base ,
+.BR onelevel ,
+.BR subtree ,
+or
+.BR subordinate .
+The
+.B reqAttrsOnly
+attribute is a Boolean value showing
+.B TRUE 
+if only attribute names were requested, or
+.B FALSE
+if attributes and their values were requested.
+The
+.B reqFilter
+attribute carries the filter used in the search request.
+The
+.B reqAttr
+attribute lists the requested attributes if specific attributes were
+requested.
+The
+.B reqEntries
+attribute is the integer count of how many entries were returned by
+this search request.
+The
+.B reqSizeLimit
+and
+.B reqTimeLimit
+attributes indicate what limits were requested on the search operation.
+
+.LP
+.RS 4
+(  1.3.6.1.4.1.4203.666.11.5.2.11
+    NAME 'auditExtended'
+    DESC 'Extended operation'
+    SUP auditObject STRUCTURAL
+    MAY reqData )
+.RE
+.P
+The
+.B Extended
+class represents an LDAP Extended Operation. As noted above, the actual OID of
+the operation is included in the
+.B reqType
+attribute of the parent class. If any optional data was provided with the
+request, it will be contained in the
+.B reqData
+attribute as an uninterpreted octet string.
+
+.SH NOTES
+The Access Log implemented by this overlay may be used for a variety of
+other tasks, e.g. as a ChangeLog for a replication mechanism, as well
+as for security/audit logging purposes.
+
+.SH FILES
+.TP
+ETCDIR/slapd.conf
+default slapd configuration file
+.SH SEE ALSO
+.BR slapd.conf (5).
+
+.SH ACKNOWLEDGEMENTS
+.P
+This module was written in 2005 by Howard Chu of Symas Corporation.

doc/man/man8/slapd.8

@@ -135,7 +135,8 @@ config directory format and written to the specified directory.
 If neither option is specified, slapd will attempt to read the
 default config directory before trying to use the default
 config file. If a valid config directory exists then the
-default config file is ignored.
+default config file is ignored. All of the slap tools that
+use the config options observe this same behavior.
 .TP
 .BI \-h " URLlist"
 .B slapd

doc/man/man8/slaptest.8

@@ -35,6 +35,18 @@ file.
 .TP
 .BI \-F " confdir"
 specify a config directory.
+If both
+.B -f
+and
+.B -F
+are specified, the config file will be read and converted to
+config directory format and written to the specified directory.
+If neither option is specified, slaptest will attempt to read the
+default config directory before trying to use the default
+config file. If a valid config directory exists then the
+default config file is ignored. If dryrun mode is also specified,
+no conversion will occur. All of the slap tools that
+use the config options observe this same behavior.
 .TP
 .B \-u
 enable dryrun mode (i.e. don't fail if databases cannot be opened,

include/portable.h.in

@@ -1034,6 +1034,9 @@
 /* define to support SQL backend */
 #undef SLAPD_SQL
 
+/* define for In-Directory Access Logging overlay */
+#undef SLAPD_OVER_ACCESSLOG
+
 /* define for Dynamic Group overlay */
 #undef SLAPD_OVER_DENYOP
 

servers/slapd/attr.c

@@ -40,6 +40,23 @@
 
 #include "slap.h"
 
+Attribute *
+attr_alloc( AttributeDescription *ad )
+{
+	Attribute *a = ch_malloc( sizeof(Attribute) );
+
+	a->a_desc = ad;
+	a->a_next = NULL;
+	a->a_flags = 0;
+	a->a_vals = NULL;
+	a->a_nvals = NULL;
+#ifdef LDAP_COMP_MATCH
+	a->a_comp_data = NULL;
+#endif
+
+	return a;
+}
+
 void
 attr_free( Attribute *a )
 {
@@ -91,7 +108,7 @@ attr_dup( Attribute *a )
 
 	if ( a == NULL) return NULL;
 
-	tmp = ch_malloc( sizeof(Attribute) );
+	tmp = attr_alloc( a->a_desc );
 
 	if ( a->a_vals != NULL ) {
 		int i;
@@ -128,14 +145,6 @@ attr_dup( Attribute *a )
 		tmp->a_vals = NULL;
 		tmp->a_nvals = NULL;
 	}
-
-	tmp->a_desc = a->a_desc;
-	tmp->a_next = NULL;
-	tmp->a_flags = 0;
-#ifdef LDAP_COMP_MATCH
-	tmp->a_comp_data = NULL;
-#endif
-
 	return tmp;
 }
 
@@ -159,7 +168,6 @@ attrs_dup( Attribute *a )
 }
 
 
-
 /*
  * attr_merge - merge the given type and value with the list of
  * attributes in attrs.
@@ -189,15 +197,7 @@ attr_merge(
 	}
 
 	if ( *a == NULL ) {
-		*a = (Attribute *) ch_malloc( sizeof(Attribute) );
-		(*a)->a_desc = desc;
-		(*a)->a_vals = NULL;
-		(*a)->a_nvals = NULL;
-		(*a)->a_next = NULL;
-		(*a)->a_flags = 0;
-#ifdef LDAP_COMP_MATCH
-		(*a)->a_comp_data = NULL;
-#endif
+		*a = attr_alloc( desc );
 	} else {
 		/*
 		 * FIXME: if the attribute already exists, the presence
@@ -280,15 +280,7 @@ attr_merge_one(
 	}
 
 	if ( *a == NULL ) {
-		*a = (Attribute *) ch_malloc( sizeof(Attribute) );
-		(*a)->a_desc = desc;
-		(*a)->a_vals = NULL;
-		(*a)->a_nvals = NULL;
-		(*a)->a_next = NULL;
-		(*a)->a_flags = 0;
-#ifdef LDAP_COMP_MATCH
-		(*a)->a_comp_data = NULL;
-#endif
+		*a = attr_alloc( desc );
 	}
 
 	rc = value_add_one( &(*a)->a_vals, val );

servers/slapd/bconfig.c

@@ -1834,6 +1834,7 @@ config_loglevel(ConfigArgs *c) {
 	int i;
 	char *next;
 	slap_verbmasks loglevel_ops[] = {
+		{ BER_BVC("Any"),	-1 },
 		{ BER_BVC("Trace"),	LDAP_DEBUG_TRACE },
 		{ BER_BVC("Packets"),	LDAP_DEBUG_PACKETS },
 		{ BER_BVC("Args"),	LDAP_DEBUG_ARGS },
@@ -1849,7 +1850,6 @@ config_loglevel(ConfigArgs *c) {
 		{ BER_BVC("Cache"),	LDAP_DEBUG_CACHE },
 		{ BER_BVC("Index"),	LDAP_DEBUG_INDEX },
 		{ BER_BVC("Sync"),	LDAP_DEBUG_SYNC },
-		{ BER_BVC("Any"),	-1 },
 		{ BER_BVNULL,	0 }
 	};
 

servers/slapd/config.c

@@ -719,6 +719,9 @@ verbs_to_mask(int argc, char *argv[], slap_verbmasks *v, slap_mask_t *m) {
 	return(0);
 }
 
+/* Mask keywords that represent multiple bits should occur before single
+ * bit keywords in the verbmasks array.
+ */
 int
 mask_to_verbs(slap_verbmasks *v, slap_mask_t m, BerVarray *bva) {
 	int i;
@@ -728,6 +731,8 @@ mask_to_verbs(slap_verbmasks *v, slap_mask_t m, BerVarray *bva) {
 		if (!v[i].mask) continue;
 		if (( m & v[i].mask ) == v[i].mask ) {
 			value_add_one( bva, &v[i].word );
+			m ^= v[i].mask;
+			if ( !m ) break;
 		}
 	}
 	return 0;

servers/slapd/operation.c

@@ -39,6 +39,8 @@
 
 static ldap_pvt_thread_mutex_t	slap_op_mutex;
 static LDAP_STAILQ_HEAD(s_o, slap_op)	slap_free_ops;
+static time_t last_time;
+static int last_incr;
 
 void slap_op_init(void)
 {
@@ -142,6 +144,12 @@ slap_op_alloc(
 	op->o_tag = tag;
 
 	op->o_time = slap_get_time();
+	if ( op->o_time == last_time ) {
+		op->o_tincr = ++last_incr;
+	} else {
+		last_time = op->o_time;
+		last_incr = 0;	/* o_tincr is alredy zero */
+	}
 	op->o_opid = id;
 	op->o_res_ber = NULL;
 

servers/slapd/overlays/Makefile.in

@@ -14,6 +14,7 @@
 ## <http://www.OpenLDAP.org/license.html>.
 
 SRCS = overlays.c \
+	accesslog.c \
 	denyop.c \
 	dyngroup.c \
 	dynlist.c \
@@ -49,6 +50,9 @@ static:	$(LIBRARY)
 
 dynamic: $(PROGRAMS)
 
+accesslog.la : accesslog.lo
+	$(LTLINK_MOD) -module -o $@ accesslog.lo version.lo $(LINK_LIBS)
+
 denyop.la : denyop.lo
 	$(LTLINK_MOD) -module -o $@ denyop.lo version.lo $(LINK_LIBS)
 

servers/slapd/proto-slap.h

@@ -207,6 +207,7 @@ LDAP_SLAPD_F (Attribute *) attr_dup LDAP_P(( Attribute *a ));
 #define attr_mergeit( e, d, v ) attr_merge( e, d, v, NULL /* FIXME */ )
 #define attr_mergeit_one( e, d, v ) attr_merge_one( e, d, v, NULL /* FIXME */ )
 
+LDAP_SLAPD_F (Attribute *) attr_alloc LDAP_P(( AttributeDescription *ad ));
 LDAP_SLAPD_F (int) attr_merge LDAP_P(( Entry *e,
 	AttributeDescription *desc,
 	BerVarray vals,

servers/slapd/slap.h

@@ -2291,6 +2291,7 @@ typedef struct slap_op {
 
 	ber_tag_t	o_tag;		/* tag of the request */
 	time_t		o_time;		/* time op was initiated */
+	int			o_tincr;	/* counter for multiple ops with same o_time */
 
 	BackendDB	*o_bd;	/* backend DB processing this op */
 	struct berval	o_req_dn;	/* DN of target of request */

servers/slapd/slapcommon.c

@@ -580,7 +580,8 @@ startup:;
 	mal_leaktrace(1);
 #endif
 
-	if ( !dryrun && be && slap_startup( be ) ) {
+	/* slapdn doesn't specify a backend to startup */
+	if ( !dryrun && tool != SLAPDN && slap_startup( be ) ) {
 		switch ( tool ) {
 		case SLAPTEST:
 			fprintf( stderr, "slap_startup failed "