/* $OpenLDAP$ */ /* This work is part of OpenLDAP Software . * * Copyright 1999-2006 The OpenLDAP Foundation. * Portions Copyright 2001-2003 Pierangelo Masarati. * Portions Copyright 1999-2003 Howard Chu. * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted only as authorized by the OpenLDAP * Public License. * * A copy of this license is available in the file LICENSE in the * top-level directory of the distribution or, alternatively, at * . */ /* ACKNOWLEDGEMENTS: * This work was initially developed by the Howard Chu for inclusion * in OpenLDAP Software and subsequently enhanced by Pierangelo * Masarati. */ #include "portable.h" #include #include #include #include #include "slap.h" #include "../back-ldap/back-ldap.h" #include "back-meta.h" #undef ldap_debug /* silence a warning in ldap-int.h */ #include "ldap_log.h" #include "../../../libraries/libldap/ldap-int.h" /* IGNORE means that target does not (no longer) participate * in the search; * NOTREADY means the search on that target has not been initialized yet */ #define META_MSGID_IGNORE (-1) #define META_MSGID_NEED_BIND (-2) static int meta_send_entry( Operation *op, SlapReply *rs, metaconn_t *mc, int i, LDAPMessage *e ); typedef enum meta_search_candidate_t { META_SEARCH_ERR = -1, META_SEARCH_NOT_CANDIDATE, META_SEARCH_CANDIDATE, META_SEARCH_BINDING, META_SEARCH_NEED_BIND } meta_search_candidate_t; /* * meta_search_dobind_init() * * initiates bind for a candidate target of a search. */ static meta_search_candidate_t meta_search_dobind_init( Operation *op, SlapReply *rs, metaconn_t **mcp, int candidate, SlapReply *candidates ) { metaconn_t *mc = *mcp; metainfo_t *mi = ( metainfo_t * )op->o_bd->be_private; metatarget_t *mt = mi->mi_targets[ candidate ]; metasingleconn_t *msc = &mc->mc_conns[ candidate ]; struct berval binddn = msc->msc_bound_ndn, cred = msc->msc_cred; int method; int rc; meta_search_candidate_t retcode; Debug( LDAP_DEBUG_TRACE, "%s >>> meta_search_dobind_init[%d]\n", op->o_log_prefix, candidate, 0 ); /* * all the targets are already bound as pseudoroot */ if ( mc->mc_authz_target == META_BOUND_ALL ) { return META_SEARCH_CANDIDATE; } ldap_pvt_thread_mutex_lock( &mi->mi_conninfo.lai_mutex ); if ( LDAP_BACK_CONN_ISBOUND( msc ) || LDAP_BACK_CONN_ISANON( msc ) ) { ldap_pvt_thread_mutex_unlock( &mi->mi_conninfo.lai_mutex ); return META_SEARCH_CANDIDATE; } if ( LDAP_BACK_CONN_BINDING( msc ) ) { ldap_pvt_thread_mutex_unlock( &mi->mi_conninfo.lai_mutex ); candidates[ candidate ].sr_msgid = META_MSGID_NEED_BIND; return META_SEARCH_NEED_BIND; } LDAP_BACK_CONN_BINDING_SET( msc ); ldap_pvt_thread_mutex_unlock( &mi->mi_conninfo.lai_mutex ); /* NOTE: this obsoletes pseudorootdn */ if ( op->o_conn != NULL && !op->o_do_not_cache && ( BER_BVISNULL( &msc->msc_bound_ndn ) || BER_BVISEMPTY( &msc->msc_bound_ndn ) || ( mt->mt_idassert_flags & LDAP_BACK_AUTH_OVERRIDE ) ) ) { rc = meta_back_proxy_authz_cred( mc, candidate, op, rs, LDAP_BACK_DONTSEND, &binddn, &cred, &method ); if ( rc != LDAP_SUCCESS ) { goto down; } /* NOTE: we copy things here, even if bind didn't succeed yet, * because the connection is not shared until bind is over */ if ( !BER_BVISNULL( &binddn ) ) { ber_bvreplace( &msc->msc_bound_ndn, &binddn ); if ( LDAP_BACK_SAVECRED( mi ) && !BER_BVISNULL( &cred ) ) { ber_dupbv( &msc->msc_cred, &cred ); } } if ( LDAP_BACK_CONN_ISBOUND( msc ) ) { /* idassert ws configured with SASL bind */ ldap_pvt_thread_mutex_lock( &mi->mi_conninfo.lai_mutex ); LDAP_BACK_CONN_BINDING_CLEAR( msc ); ldap_pvt_thread_mutex_unlock( &mi->mi_conninfo.lai_mutex ); return META_SEARCH_CANDIDATE; } /* paranoid */ switch ( method ) { case LDAP_AUTH_NONE: case LDAP_AUTH_SIMPLE: /* do a simple bind with binddn, cred */ break; default: assert( 0 ); break; } } assert( msc->msc_ld != NULL ); rc = ldap_sasl_bind( msc->msc_ld, binddn.bv_val, LDAP_SASL_SIMPLE, &cred, NULL, NULL, &candidates[ candidate ].sr_msgid ); switch ( rc ) { case LDAP_SUCCESS: META_BINDING_SET( &candidates[ candidate ] ); return META_SEARCH_BINDING; down:; case LDAP_SERVER_DOWN: if ( meta_back_retry( op, rs, mcp, candidate, LDAP_BACK_DONTSEND ) ) { return META_SEARCH_CANDIDATE; } if ( *mcp == NULL ) { retcode = META_SEARCH_ERR; rs->sr_err = LDAP_UNAVAILABLE; break; } /* fall thru */ default: rs->sr_err = rc; rc = slap_map_api2result( rs ); ldap_pvt_thread_mutex_lock( &mi->mi_conninfo.lai_mutex ); LDAP_BACK_CONN_BINDING_CLEAR( msc ); if ( META_BACK_ONERR_STOP( mi ) ) { LDAP_BACK_CONN_TAINTED_SET( mc ); meta_back_release_conn( op, mc ); *mcp = NULL; retcode = META_SEARCH_ERR; } else { candidates[ candidate ].sr_msgid = META_MSGID_IGNORE; retcode = META_SEARCH_NOT_CANDIDATE; } ldap_pvt_thread_mutex_unlock( &mi->mi_conninfo.lai_mutex ); break; } return retcode; } static meta_search_candidate_t meta_search_dobind_result( Operation *op, SlapReply *rs, metaconn_t **mcp, int candidate, SlapReply *candidates, LDAPMessage *res ) { metainfo_t *mi = ( metainfo_t * )op->o_bd->be_private; metaconn_t *mc = *mcp; metasingleconn_t *msc = &mc->mc_conns[ candidate ]; meta_search_candidate_t retcode = META_SEARCH_NOT_CANDIDATE; int rc; assert( msc->msc_ld != NULL ); /* FIXME: matched? referrals? response controls? */ rc = ldap_parse_result( msc->msc_ld, res, &candidates[ candidate ].sr_err, NULL, NULL, NULL, NULL, 1 ); if ( rc != LDAP_SUCCESS ) { candidates[ candidate ].sr_err = rc; } rc = slap_map_api2result( &candidates[ candidate ] ); ldap_pvt_thread_mutex_lock( &mi->mi_conninfo.lai_mutex ); LDAP_BACK_CONN_BINDING_CLEAR( msc ); if ( rc != LDAP_SUCCESS ) { if ( META_BACK_ONERR_STOP( mi ) ) { LDAP_BACK_CONN_TAINTED_SET( mc ); meta_back_release_conn( op, mc ); *mcp = NULL; retcode = META_SEARCH_ERR; } } else { if ( be_isroot( op ) ) { LDAP_BACK_CONN_ISBOUND_SET( msc ); } else { LDAP_BACK_CONN_ISANON_SET( msc ); } retcode = META_SEARCH_CANDIDATE; } ldap_pvt_thread_mutex_unlock( &mi->mi_conninfo.lai_mutex ); META_BINDING_CLEAR( &candidates[ candidate ] ); return retcode; } static meta_search_candidate_t meta_back_search_start( Operation *op, SlapReply *rs, dncookie *dc, metaconn_t **mcp, int candidate, SlapReply *candidates ) { metainfo_t *mi = ( metainfo_t * )op->o_bd->be_private; metatarget_t *mt = mi->mi_targets[ candidate ]; metasingleconn_t *msc = &(*mcp)->mc_conns[ candidate ]; struct berval realbase = op->o_req_dn; int realscope = op->ors_scope; struct berval mbase = BER_BVNULL; struct berval mfilter = BER_BVNULL; char **mapped_attrs = NULL; int rc; meta_search_candidate_t retcode; struct timeval tv, *tvp = NULL; int nretries = 1; LDAPControl **ctrls = NULL; /* this should not happen; just in case... */ if ( msc->msc_ld == NULL ) { Debug( LDAP_DEBUG_ANY, "%s: meta_back_search_start candidate=%d ld=NULL%s.\n", op->o_log_prefix, candidate, META_BACK_ONERR_STOP( mi ) ? "" : " (ignored)" ); if ( META_BACK_ONERR_STOP( mi ) ) { return META_SEARCH_ERR; } return META_SEARCH_NOT_CANDIDATE; } Debug( LDAP_DEBUG_TRACE, "%s >>> meta_back_search_start[%d]\n", op->o_log_prefix, candidate, 0 ); /* * modifies the base according to the scope, if required */ if ( mt->mt_nsuffix.bv_len > op->o_req_ndn.bv_len ) { switch ( op->ors_scope ) { case LDAP_SCOPE_SUBTREE: /* * make the target suffix the new base * FIXME: this is very forgiving, because * "illegal" searchBases may be turned * into the suffix of the target; however, * the requested searchBase already passed * thru the candidate analyzer... */ if ( dnIsSuffix( &mt->mt_nsuffix, &op->o_req_ndn ) ) { realbase = mt->mt_nsuffix; if ( mt->mt_scope == LDAP_SCOPE_SUBORDINATE ) { realscope = LDAP_SCOPE_SUBORDINATE; } } else { /* * this target is no longer candidate */ return META_SEARCH_NOT_CANDIDATE; } break; case LDAP_SCOPE_SUBORDINATE: case LDAP_SCOPE_ONELEVEL: { struct berval rdn = mt->mt_nsuffix; rdn.bv_len -= op->o_req_ndn.bv_len + STRLENOF( "," ); if ( dnIsOneLevelRDN( &rdn ) && dnIsSuffix( &mt->mt_nsuffix, &op->o_req_ndn ) ) { /* * if there is exactly one level, * make the target suffix the new * base, and make scope "base" */ realbase = mt->mt_nsuffix; if ( op->ors_scope == LDAP_SCOPE_SUBORDINATE ) { if ( mt->mt_scope == LDAP_SCOPE_SUBORDINATE ) { realscope = LDAP_SCOPE_SUBORDINATE; } else { realscope = LDAP_SCOPE_SUBTREE; } } else { realscope = LDAP_SCOPE_BASE; } break; } /* else continue with the next case */ } case LDAP_SCOPE_BASE: /* * this target is no longer candidate */ return META_SEARCH_NOT_CANDIDATE; } } /* initiate dobind */ retcode = meta_search_dobind_init( op, rs, mcp, candidate, candidates ); Debug( LDAP_DEBUG_TRACE, "%s <<< meta_search_dobind_init[%d]=%d\n", op->o_log_prefix, candidate, retcode ); if ( retcode != META_SEARCH_CANDIDATE ) { return retcode; } /* * Rewrite the search base, if required */ dc->target = mt; dc->ctx = "searchBase"; switch ( ldap_back_dn_massage( dc, &realbase, &mbase ) ) { default: break; case REWRITE_REGEXEC_UNWILLING: rs->sr_err = LDAP_UNWILLING_TO_PERFORM; rs->sr_text = "Operation not allowed"; send_ldap_result( op, rs ); return META_SEARCH_ERR; case REWRITE_REGEXEC_ERR: /* * this target is no longer candidate */ return META_SEARCH_NOT_CANDIDATE; } /* * Maps filter */ rc = ldap_back_filter_map_rewrite( dc, op->ors_filter, &mfilter, BACKLDAP_MAP ); switch ( rc ) { case LDAP_SUCCESS: break; case LDAP_COMPARE_FALSE: default: /* * this target is no longer candidate */ retcode = META_SEARCH_NOT_CANDIDATE; goto done; } /* * Maps required attributes */ rc = ldap_back_map_attrs( &mt->mt_rwmap.rwm_at, op->ors_attrs, BACKLDAP_MAP, &mapped_attrs ); if ( rc != LDAP_SUCCESS ) { /* * this target is no longer candidate */ retcode = META_SEARCH_NOT_CANDIDATE; goto done; } /* should we check return values? */ if ( op->ors_deref != -1 ) { assert( msc->msc_ld != NULL ); (void)ldap_set_option( msc->msc_ld, LDAP_OPT_DEREF, ( void * )&op->ors_deref ); } if ( op->ors_tlimit != SLAP_NO_LIMIT ) { tv.tv_sec = op->ors_tlimit > 0 ? op->ors_tlimit : 1; tv.tv_usec = 0; tvp = &tv; } ctrls = op->o_ctrls; if ( ldap_back_proxy_authz_ctrl( &msc->msc_bound_ndn, mt->mt_version, &mt->mt_idassert, op, rs, &ctrls ) != LDAP_SUCCESS ) { candidates[ candidate ].sr_msgid = META_MSGID_IGNORE; retcode = META_SEARCH_NOT_CANDIDATE; goto done; } /* * Starts the search */ retry:; assert( msc->msc_ld != NULL ); rc = ldap_search_ext( msc->msc_ld, mbase.bv_val, realscope, mfilter.bv_val, mapped_attrs, op->ors_attrsonly, ctrls, NULL, tvp, op->ors_slimit, &candidates[ candidate ].sr_msgid ); switch ( rc ) { case LDAP_SUCCESS: retcode = META_SEARCH_CANDIDATE; break; case LDAP_SERVER_DOWN: if ( nretries && meta_back_retry( op, rs, mcp, candidate, LDAP_BACK_DONTSEND ) ) { nretries = 0; goto retry; } if ( *mcp == NULL ) { retcode = META_SEARCH_ERR; break; } /* fall thru */ default: candidates[ candidate ].sr_msgid = META_MSGID_IGNORE; retcode = META_SEARCH_NOT_CANDIDATE; } done:; (void)ldap_back_proxy_authz_ctrl_free( op, &ctrls ); if ( mapped_attrs ) { free( mapped_attrs ); } if ( mfilter.bv_val != op->ors_filterstr.bv_val ) { free( mfilter.bv_val ); } if ( mbase.bv_val != realbase.bv_val ) { free( mbase.bv_val ); } return retcode; } int meta_back_search( Operation *op, SlapReply *rs ) { metainfo_t *mi = ( metainfo_t * )op->o_bd->be_private; metaconn_t *mc; struct timeval tv = { 0, 0 }; time_t stoptime = (time_t)-1; LDAPMessage *res = NULL, *e; int rc = 0, sres = LDAP_SUCCESS; char *matched = NULL; int last = 0, ncandidates = 0, initial_candidates = 0, candidate_match = 0; long i; dncookie dc; int is_ok = 0; void *savepriv; SlapReply *candidates = meta_back_candidates_get( op ); /* * controls are set in ldap_back_dobind() * * FIXME: in case of values return filter, we might want * to map attrs and maybe rewrite value */ mc = meta_back_getconn( op, rs, NULL, LDAP_BACK_SENDERR ); if ( !mc ) { return rs->sr_err; } dc.conn = op->o_conn; dc.rs = rs; /* * Inits searches */ for ( i = 0; i < mi->mi_ntargets; i++ ) { candidates[ i ].sr_msgid = META_MSGID_IGNORE; if ( !META_IS_CANDIDATE( &candidates[ i ] ) ) { continue; } candidates[ i ].sr_matched = NULL; candidates[ i ].sr_text = NULL; candidates[ i ].sr_ref = NULL; candidates[ i ].sr_ctrls = NULL; } for ( i = 0; i < mi->mi_ntargets; i++ ) { if ( !META_IS_CANDIDATE( &candidates[ i ] ) || candidates[ i ].sr_err != LDAP_SUCCESS ) { continue; } switch ( meta_back_search_start( op, rs, &dc, &mc, i, candidates ) ) { case META_SEARCH_NOT_CANDIDATE: break; case META_SEARCH_CANDIDATE: case META_SEARCH_BINDING: case META_SEARCH_NEED_BIND: candidates[ i ].sr_type = REP_INTERMEDIATE; ++ncandidates; break; case META_SEARCH_ERR: savepriv = op->o_private; op->o_private = (void *)i; send_ldap_result( op, rs ); op->o_private = savepriv; rc = -1; goto finish; } } initial_candidates = ncandidates; #if 0 { char cnd[BUFSIZ]; int i; for ( i = 0; i < mi->mi_ntargets; i++ ) { if ( META_IS_CANDIDATE( &candidates[ i ] ) ) { cnd[ i ] = '*'; } else { cnd[ i ] = ' '; } } cnd[ i ] = '\0'; Debug( LDAP_DEBUG_ANY, "%s meta_back_search: ncandidates=%d " "cnd=\"%s\"\n", op->o_log_prefix, ncandidates, cnd ); } #endif if ( initial_candidates == 0 ) { /* NOTE: here we are not sending any matchedDN; * this is intended, because if the back-meta * is serving this search request, but no valid * candidate could be looked up, it means that * there is a hole in the mapping of the targets * and thus no knowledge of any remote superior * is available */ Debug( LDAP_DEBUG_ANY, "%s meta_back_search: " "base=\"%s\" scope=%d: " "no candidate could be selected\n", op->o_log_prefix, op->o_req_dn.bv_val, op->ors_scope ); /* FIXME: we're sending the first error we encounter; * maybe we should pick the worst... */ rc = LDAP_NO_SUCH_OBJECT; for ( i = 0; i < mi->mi_ntargets; i++ ) { if ( META_IS_CANDIDATE( &candidates[ i ] ) && candidates[ i ].sr_err != LDAP_SUCCESS ) { rc = candidates[ i ].sr_err; break; } } send_ldap_error( op, rs, rc, NULL ); goto finish; } /* We pull apart the ber result, stuff it into a slapd entry, and * let send_search_entry stuff it back into ber format. Slow & ugly, * but this is necessary for version matching, and for ACL processing. */ if ( op->ors_tlimit != SLAP_NO_LIMIT ) { stoptime = op->o_time + op->ors_tlimit; } /* * In case there are no candidates, no cycle takes place... * * FIXME: we might use a queue, to better balance the load * among the candidates */ for ( rc = 0; ncandidates > 0; ) { int gotit = 0, doabandon = 0; /* check time limit */ if ( op->ors_tlimit != SLAP_NO_LIMIT && slap_get_time() > stoptime ) { doabandon = 1; rc = rs->sr_err = LDAP_TIMELIMIT_EXCEEDED; savepriv = op->o_private; op->o_private = (void *)i; send_ldap_result( op, rs ); op->o_private = savepriv; goto finish; } for ( i = 0; i < mi->mi_ntargets; i++ ) { metasingleconn_t *msc = &mc->mc_conns[ i ]; if ( candidates[ i ].sr_msgid == META_MSGID_IGNORE ) { continue; } if ( candidates[ i ].sr_msgid == META_MSGID_NEED_BIND ) { /* initiate dobind */ switch ( meta_search_dobind_init( op, rs, &mc, i, candidates ) ) { case META_SEARCH_BINDING: case META_SEARCH_NEED_BIND: break; case META_SEARCH_NOT_CANDIDATE: /* * When no candidates are left, * the outer cycle finishes */ candidates[ i ].sr_msgid = META_MSGID_IGNORE; --ncandidates; break; case META_SEARCH_ERR: if ( META_BACK_ONERR_STOP( mi ) ) { savepriv = op->o_private; op->o_private = (void *)i; send_ldap_result( op, rs ); op->o_private = savepriv; goto finish; } break; case META_SEARCH_CANDIDATE: switch ( meta_back_search_start( op, rs, &dc, &mc, i, candidates ) ) { case META_SEARCH_CANDIDATE: goto get_result; /* means that failed but onerr == continue */ case META_SEARCH_NOT_CANDIDATE: case META_SEARCH_ERR: candidates[ i ].sr_msgid = META_MSGID_IGNORE; --ncandidates; if ( META_BACK_ONERR_STOP( mi ) ) { savepriv = op->o_private; op->o_private = (void *)i; send_ldap_result( op, rs ); op->o_private = savepriv; goto finish; } break; default: /* impossible */ assert( 0 ); break; } break; default: /* impossible */ assert( 0 ); break; } continue; } /* check for abandon */ if ( op->o_abandon ) { break; } /* * FIXME: handle time limit as well? * Note that target servers are likely * to handle it, so at some time we'll * get a LDAP_TIMELIMIT_EXCEEDED from * one of them ... */ get_result:; rc = ldap_result( msc->msc_ld, candidates[ i ].sr_msgid, LDAP_MSG_ONE, &tv, &res ); if ( rc == 0 ) { /* FIXME: res should not need to be freed */ assert( res == NULL ); continue; } else if ( rc == -1 ) { really_bad:; /* something REALLY bad happened! */ if ( candidates[ i ].sr_type == REP_INTERMEDIATE ) { candidates[ i ].sr_type = REP_RESULT; if ( meta_back_retry( op, rs, &mc, i, LDAP_BACK_DONTSEND ) ) { switch ( meta_back_search_start( op, rs, &dc, &mc, i, candidates ) ) { case META_SEARCH_CANDIDATE: goto get_result; /* means that failed but onerr == continue */ case META_SEARCH_NOT_CANDIDATE: candidates[ i ].sr_msgid = META_MSGID_IGNORE; --ncandidates; if ( META_BACK_ONERR_STOP( mi ) ) { savepriv = op->o_private; op->o_private = (void *)i; send_ldap_result( op, rs ); op->o_private = savepriv; goto finish; } break; case META_SEARCH_BINDING: case META_SEARCH_NEED_BIND: assert( 0 ); default: rc = rs->sr_err = LDAP_OTHER; goto finish; } } if ( META_BACK_ONERR_STOP( mi ) ) { savepriv = op->o_private; op->o_private = (void *)i; send_ldap_result( op, rs ); op->o_private = savepriv; goto finish; } } /* * When no candidates are left, * the outer cycle finishes */ candidates[ i ].sr_msgid = META_MSGID_IGNORE; --ncandidates; rs->sr_err = candidates[ i ].sr_err; } else if ( rc == LDAP_RES_SEARCH_ENTRY ) { if ( candidates[ i ].sr_type == REP_INTERMEDIATE ) { /* don't retry any more... */ candidates[ i ].sr_type = REP_RESULT; } is_ok++; e = ldap_first_entry( msc->msc_ld, res ); savepriv = op->o_private; op->o_private = (void *)i; rs->sr_err = meta_send_entry( op, rs, mc, i, e ); ldap_msgfree( res ); res = NULL; switch ( rs->sr_err ) { case LDAP_SIZELIMIT_EXCEEDED: savepriv = op->o_private; op->o_private = (void *)i; send_ldap_result( op, rs ); op->o_private = savepriv; rs->sr_err = LDAP_SUCCESS; goto finish; case LDAP_UNAVAILABLE: rs->sr_err = LDAP_OTHER; goto finish; } op->o_private = savepriv; /* don't wait any longer... */ gotit = 1; tv.tv_sec = 0; tv.tv_usec = 0; #if 0 /* * If scope is BASE, we need to jump out * as soon as one entry is found; if * the target pool is properly crafted, * this should correspond to the sole * entry that has the base DN */ /* FIXME: this defeats the purpose of * doing a search with scope == base and * sizelimit = 1 to determine if a * candidate is actually unique */ if ( op->ors_scope == LDAP_SCOPE_BASE && rs->sr_nentries > 0 ) { doabandon = 1; ncandidates = 0; sres = LDAP_SUCCESS; break; } #endif } else if ( rc == LDAP_RES_SEARCH_REFERENCE ) { char **references = NULL; int cnt; if ( candidates[ i ].sr_type == REP_INTERMEDIATE ) { /* don't retry any more... */ candidates[ i ].sr_type = REP_RESULT; } is_ok++; rc = ldap_parse_reference( msc->msc_ld, res, &references, &rs->sr_ctrls, 1 ); res = NULL; if ( rc != LDAP_SUCCESS ) { continue; } if ( references == NULL ) { continue; } #ifdef ENABLE_REWRITE dc.ctx = "referralDN"; #else /* ! ENABLE_REWRITE */ dc.tofrom = 0; dc.normalized = 0; #endif /* ! ENABLE_REWRITE */ /* FIXME: merge all and return at the end */ for ( cnt = 0; references[ cnt ]; cnt++ ) ; rs->sr_ref = ch_calloc( sizeof( struct berval ), cnt + 1 ); for ( cnt = 0; references[ cnt ]; cnt++ ) { ber_str2bv( references[ cnt ], 0, 1, &rs->sr_ref[ cnt ] ); } BER_BVZERO( &rs->sr_ref[ cnt ] ); ( void )ldap_back_referral_result_rewrite( &dc, rs->sr_ref ); if ( rs->sr_ref != NULL && !BER_BVISNULL( &rs->sr_ref[ 0 ] ) ) { /* ignore return value by now */ savepriv = op->o_private; op->o_private = (void *)i; ( void )send_search_reference( op, rs ); op->o_private = savepriv; ber_bvarray_free( rs->sr_ref ); rs->sr_ref = NULL; } /* cleanup */ if ( references ) { ber_memvfree( (void **)references ); } if ( rs->sr_ctrls ) { ldap_controls_free( rs->sr_ctrls ); rs->sr_ctrls = NULL; } } else if ( rc == LDAP_RES_SEARCH_RESULT ) { char buf[ SLAP_TEXT_BUFLEN ]; char **references = NULL; if ( candidates[ i ].sr_type == REP_INTERMEDIATE ) { /* don't retry any more... */ candidates[ i ].sr_type = REP_RESULT; } /* NOTE: ignores response controls * (and intermediate response controls * as well, except for those with search * references); this may not be correct, * but if they're not ignored then * back-meta would need to merge them * consistently (think of pagedResults...) */ /* FIXME: response controls? */ rs->sr_err = ldap_parse_result( msc->msc_ld, res, &candidates[ i ].sr_err, (char **)&candidates[ i ].sr_matched, NULL /* (char **)&candidates[ i ].sr_text */ , &references, NULL /* &candidates[ i ].sr_ctrls (unused) */ , 1 ); res = NULL; if ( rs->sr_err != LDAP_SUCCESS ) { ldap_get_option( msc->msc_ld, LDAP_OPT_ERROR_NUMBER, &rs->sr_err ); sres = slap_map_api2result( rs ); candidates[ i ].sr_type = REP_RESULT; goto really_bad; } /* massage matchedDN if need be */ if ( candidates[ i ].sr_matched != NULL ) { struct berval match, mmatch; ber_str2bv( candidates[ i ].sr_matched, 0, 0, &match ); candidates[ i ].sr_matched = NULL; dc.ctx = "matchedDN"; dc.target = mi->mi_targets[ i ]; if ( !ldap_back_dn_massage( &dc, &match, &mmatch ) ) { if ( mmatch.bv_val == match.bv_val ) { candidates[ i ].sr_matched = ch_strdup( mmatch.bv_val ); } else { candidates[ i ].sr_matched = mmatch.bv_val; } candidate_match++; } ldap_memfree( match.bv_val ); } /* add references to array */ if ( references ) { BerVarray sr_ref; int cnt; for ( cnt = 0; references[ cnt ]; cnt++ ) ; sr_ref = ch_calloc( sizeof( struct berval ), cnt + 1 ); for ( cnt = 0; references[ cnt ]; cnt++ ) { ber_str2bv( references[ cnt ], 0, 1, &sr_ref[ cnt ] ); } BER_BVZERO( &sr_ref[ cnt ] ); ( void )ldap_back_referral_result_rewrite( &dc, sr_ref ); /* cleanup */ ber_memvfree( (void **)references ); if ( rs->sr_v2ref == NULL ) { rs->sr_v2ref = sr_ref; } else { for ( cnt = 0; !BER_BVISNULL( &sr_ref[ cnt ] ); cnt++ ) { ber_bvarray_add( &rs->sr_v2ref, &sr_ref[ cnt ] ); } ber_memfree( sr_ref ); } } rs->sr_err = candidates[ i ].sr_err; sres = slap_map_api2result( rs ); if ( LogTest( LDAP_DEBUG_TRACE | LDAP_DEBUG_ANY ) ) { snprintf( buf, sizeof( buf ), "%s meta_back_search[%ld] " "match=\"%s\" err=%ld", op->o_log_prefix, i, candidates[ i ].sr_matched ? candidates[ i ].sr_matched : "", (long) candidates[ i ].sr_err ); if ( candidates[ i ].sr_err == LDAP_SUCCESS ) { Debug( LDAP_DEBUG_TRACE, "%s.\n", buf, 0, 0 ); } else { Debug( LDAP_DEBUG_ANY, "%s (%s).\n", buf, ldap_err2string( candidates[ i ].sr_err ), 0 ); } } switch ( sres ) { case LDAP_NO_SUCH_OBJECT: /* is_ok is touched any time a valid * (even intermediate) result is * returned; as a consequence, if * a candidate returns noSuchObject * it is ignored and the candidate * is simply demoted. */ if ( is_ok ) { sres = LDAP_SUCCESS; } break; case LDAP_SUCCESS: case LDAP_REFERRAL: is_ok++; break; case LDAP_SIZELIMIT_EXCEEDED: /* if a target returned sizelimitExceeded * and the entry count is equal to the * proxy's limit, the target would have * returned more, and the error must be * propagated to the client; otherwise, * the target enforced a limit lower * than what requested by the proxy; * ignore it */ if ( rs->sr_nentries == op->ors_slimit || META_BACK_ONERR_STOP( mi ) ) { savepriv = op->o_private; op->o_private = (void *)i; send_ldap_result( op, rs ); op->o_private = savepriv; goto finish; } break; default: if ( META_BACK_ONERR_STOP( mi ) ) { savepriv = op->o_private; op->o_private = (void *)i; send_ldap_result( op, rs ); op->o_private = savepriv; goto finish; } break; } last = i; rc = 0; /* * When no candidates are left, * the outer cycle finishes */ candidates[ i ].sr_msgid = META_MSGID_IGNORE; --ncandidates; } else if ( rc == LDAP_RES_BIND ) { meta_search_candidate_t retcode; retcode = meta_search_dobind_result( op, rs, &mc, i, candidates, res ); if ( retcode == META_SEARCH_CANDIDATE ) { retcode = meta_back_search_start( op, rs, &dc, &mc, i, candidates ); } switch ( retcode ) { case META_SEARCH_CANDIDATE: goto get_result; /* means that failed but onerr == continue */ case META_SEARCH_NOT_CANDIDATE: case META_SEARCH_ERR: candidates[ i ].sr_msgid = META_MSGID_IGNORE; --ncandidates; if ( META_BACK_ONERR_STOP( mi ) ) { savepriv = op->o_private; op->o_private = (void *)i; send_ldap_result( op, rs ); op->o_private = savepriv; goto finish; } break; default: assert( 0 ); break; } } else { assert( 0 ); goto really_bad; } } /* check for abandon */ if ( op->o_abandon || doabandon ) { for ( i = 0; i < mi->mi_ntargets; i++ ) { if ( candidates[ i ].sr_msgid != META_MSGID_IGNORE ) { (void)meta_back_cancel( mc, op, rs, candidates[ i ].sr_msgid, i, LDAP_BACK_DONTSEND ); candidates[ i ].sr_msgid = META_MSGID_IGNORE; } } if ( op->o_abandon ) { rc = SLAPD_ABANDON; goto finish; } } /* if no entry was found during this loop, * set a minimal timeout */ if ( gotit == 0 ) { /* make the entire wait last * LDAP_BACK_RESULT_UTIMEOUT at worst */ tv.tv_sec = 0; tv.tv_usec = LDAP_BACK_RESULT_UTIMEOUT/initial_candidates; ldap_pvt_thread_yield(); } } if ( rc == -1 ) { /* * FIXME: need a better strategy to handle errors */ if ( mc ) { rc = meta_back_op_result( mc, op, rs, META_TARGET_NONE, -1, stoptime != -1 ? (stoptime - slap_get_time()) : 0, LDAP_BACK_SENDERR ); } else { rc = rs->sr_err; } goto finish; } /* * Rewrite the matched portion of the search base, if required * * FIXME: only the last one gets caught! */ savepriv = op->o_private; op->o_private = (void *)(long)mi->mi_ntargets; if ( candidate_match > 0 ) { struct berval pmatched = BER_BVNULL; /* we use the first one */ for ( i = 0; i < mi->mi_ntargets; i++ ) { if ( META_IS_CANDIDATE( &candidates[ i ] ) && candidates[ i ].sr_matched != NULL ) { struct berval bv, pbv; int rc; /* if we got success, and this target * returned noSuchObject, and its suffix * is a superior of the searchBase, * ignore the matchedDN */ if ( sres == LDAP_SUCCESS && candidates[ i ].sr_err == LDAP_NO_SUCH_OBJECT && op->o_req_ndn.bv_len > mi->mi_targets[ i ]->mt_nsuffix.bv_len ) { free( (char *)candidates[ i ].sr_matched ); candidates[ i ].sr_matched = NULL; continue; } ber_str2bv( candidates[ i ].sr_matched, 0, 0, &bv ); rc = dnPretty( NULL, &bv, &pbv, op->o_tmpmemctx ); if ( rc == LDAP_SUCCESS ) { /* NOTE: if they all are superiors * of the baseDN, the shorter is also * superior of the longer... */ if ( pbv.bv_len > pmatched.bv_len ) { if ( !BER_BVISNULL( &pmatched ) ) { op->o_tmpfree( pmatched.bv_val, op->o_tmpmemctx ); } pmatched = pbv; op->o_private = (void *)i; } else { op->o_tmpfree( pbv.bv_val, op->o_tmpmemctx ); } } if ( candidates[ i ].sr_matched != NULL ) { free( (char *)candidates[ i ].sr_matched ); candidates[ i ].sr_matched = NULL; } } } if ( !BER_BVISNULL( &pmatched ) ) { matched = pmatched.bv_val; } } else if ( sres == LDAP_NO_SUCH_OBJECT ) { matched = op->o_bd->be_suffix[ 0 ].bv_val; } #if 0 { char buf[BUFSIZ]; char cnd[BUFSIZ]; int i; for ( i = 0; i < mi->mi_ntargets; i++ ) { if ( META_IS_CANDIDATE( &candidates[ i ] ) ) { cnd[ i ] = '*'; } else { cnd[ i ] = ' '; } } cnd[ i ] = '\0'; snprintf( buf, sizeof( buf ), "%s meta_back_search: is_scope=%d is_ok=%d cnd=\"%s\"\n", op->o_log_prefix, initial_candidates, is_ok, cnd ); Debug( LDAP_DEBUG_ANY, "%s", buf, 0, 0 ); } #endif /* * In case we returned at least one entry, we return LDAP_SUCCESS * otherwise, the latter error code we got * * FIXME: we should handle error codes and return the more * important/reasonable */ if ( sres == LDAP_SUCCESS && rs->sr_v2ref ) { sres = LDAP_REFERRAL; } rs->sr_err = sres; rs->sr_matched = matched; rs->sr_ref = ( sres == LDAP_REFERRAL ? rs->sr_v2ref : NULL ); send_ldap_result( op, rs ); op->o_private = savepriv; rs->sr_matched = NULL; rs->sr_ref = NULL; finish:; if ( matched && matched != op->o_bd->be_suffix[ 0 ].bv_val ) { op->o_tmpfree( matched, op->o_tmpmemctx ); } if ( rs->sr_v2ref ) { ber_bvarray_free( rs->sr_v2ref ); } for ( i = 0; i < mi->mi_ntargets; i++ ) { if ( !META_IS_CANDIDATE( &candidates[ i ] ) ) { continue; } if ( mc && META_IS_BINDING( &candidates[ i ] ) ) { ldap_pvt_thread_mutex_lock( &mi->mi_conninfo.lai_mutex ); if ( LDAP_BACK_CONN_BINDING( &mc->mc_conns[ i ] ) ) { LDAP_BACK_CONN_BINDING_CLEAR( &mc->mc_conns[ i ] ); } ldap_pvt_thread_mutex_unlock( &mi->mi_conninfo.lai_mutex ); META_BINDING_CLEAR( &candidates[ i ] ); } if ( candidates[ i ].sr_matched ) { free( (char *)candidates[ i ].sr_matched ); candidates[ i ].sr_matched = NULL; } if ( candidates[ i ].sr_text ) { ldap_memfree( (char *)candidates[ i ].sr_text ); candidates[ i ].sr_text = NULL; } if ( candidates[ i ].sr_ref ) { ber_bvarray_free( candidates[ i ].sr_ref ); candidates[ i ].sr_ref = NULL; } if ( candidates[ i ].sr_ctrls ) { ldap_controls_free( candidates[ i ].sr_ctrls ); candidates[ i ].sr_ctrls = NULL; } if ( META_BACK_TGT_QUARANTINE( mi->mi_targets[ i ] ) ) { meta_back_quarantine( op, &candidates[ i ], i ); } } if ( mc ) { meta_back_release_conn( op, mc ); } return rs->sr_err; } static int meta_send_entry( Operation *op, SlapReply *rs, metaconn_t *mc, int target, LDAPMessage *e ) { metainfo_t *mi = ( metainfo_t * )op->o_bd->be_private; struct berval a, mapped; Entry ent = { 0 }; BerElement ber = *e->lm_ber; Attribute *attr, **attrp; struct berval bdn, dn = BER_BVNULL; const char *text; dncookie dc; int rc; if ( ber_scanf( &ber, "{m{", &bdn ) == LBER_ERROR ) { return LDAP_DECODING_ERROR; } /* * Rewrite the dn of the result, if needed */ dc.target = mi->mi_targets[ target ]; dc.conn = op->o_conn; dc.rs = rs; dc.ctx = "searchResult"; rs->sr_err = ldap_back_dn_massage( &dc, &bdn, &dn ); if ( rs->sr_err != LDAP_SUCCESS) { return rs->sr_err; } /* * Note: this may fail if the target host(s) schema differs * from the one known to the meta, and a DN with unknown * attributes is returned. * * FIXME: should we log anything, or delegate to dnNormalize? */ rc = dnPrettyNormal( NULL, &dn, &ent.e_name, &ent.e_nname, op->o_tmpmemctx ); if ( dn.bv_val != bdn.bv_val ) { free( dn.bv_val ); } BER_BVZERO( &dn ); if ( rc != LDAP_SUCCESS ) { return LDAP_INVALID_DN_SYNTAX; } /* * cache dn */ if ( mi->mi_cache.ttl != META_DNCACHE_DISABLED ) { ( void )meta_dncache_update_entry( &mi->mi_cache, &ent.e_nname, target ); } attrp = &ent.e_attrs; dc.ctx = "searchAttrDN"; while ( ber_scanf( &ber, "{m", &a ) != LBER_ERROR ) { int last = 0; slap_syntax_validate_func *validate; slap_syntax_transform_func *pretty; ldap_back_map( &mi->mi_targets[ target ]->mt_rwmap.rwm_at, &a, &mapped, BACKLDAP_REMAP ); if ( BER_BVISNULL( &mapped ) || mapped.bv_val[0] == '\0' ) { ( void )ber_scanf( &ber, "x" /* [W] */ ); continue; } attr = ( Attribute * )ch_calloc( 1, sizeof( Attribute ) ); if ( attr == NULL ) { continue; } if ( slap_bv2ad( &mapped, &attr->a_desc, &text ) != LDAP_SUCCESS) { if ( slap_bv2undef_ad( &mapped, &attr->a_desc, &text, SLAP_AD_PROXIED ) != LDAP_SUCCESS ) { char buf[ SLAP_TEXT_BUFLEN ]; snprintf( buf, sizeof( buf ), "%s meta_send_entry(\"%s\"): " "slap_bv2undef_ad(%s): %s\n", op->o_log_prefix, ent.e_name.bv_val, mapped.bv_val, text ); Debug( LDAP_DEBUG_ANY, "%s", buf, 0, 0 ); ch_free( attr ); continue; } } /* no subschemaSubentry */ if ( attr->a_desc == slap_schema.si_ad_subschemaSubentry || attr->a_desc == slap_schema.si_ad_entryDN ) { /* * We eat target's subschemaSubentry because * a search for this value is likely not * to resolve to the appropriate backend; * later, the local subschemaSubentry is * added. * * We also eat entryDN because the frontend * will reattach it without checking if already * present... */ ( void )ber_scanf( &ber, "x" /* [W] */ ); ch_free(attr); continue; } if ( ber_scanf( &ber, "[W]", &attr->a_vals ) == LBER_ERROR || attr->a_vals == NULL ) { attr->a_vals = (struct berval *)&slap_dummy_bv; } else { for ( last = 0; !BER_BVISNULL( &attr->a_vals[ last ] ); ++last ) ; } validate = attr->a_desc->ad_type->sat_syntax->ssyn_validate; pretty = attr->a_desc->ad_type->sat_syntax->ssyn_pretty; if ( !validate && !pretty ) { attr_free( attr ); goto next_attr; } if ( attr->a_desc == slap_schema.si_ad_objectClass || attr->a_desc == slap_schema.si_ad_structuralObjectClass ) { struct berval *bv; for ( bv = attr->a_vals; !BER_BVISNULL( bv ); bv++ ) { ldap_back_map( &mi->mi_targets[ target ]->mt_rwmap.rwm_oc, bv, &mapped, BACKLDAP_REMAP ); if ( BER_BVISNULL( &mapped ) || mapped.bv_val[0] == '\0') { free( bv->bv_val ); BER_BVZERO( bv ); if ( --last < 0 ) { break; } *bv = attr->a_vals[ last ]; BER_BVZERO( &attr->a_vals[ last ] ); bv--; } else if ( mapped.bv_val != bv->bv_val ) { free( bv->bv_val ); ber_dupbv( bv, &mapped ); } } /* * It is necessary to try to rewrite attributes with * dn syntax because they might be used in ACLs as * members of groups; since ACLs are applied to the * rewritten stuff, no dn-based subecj clause could * be used at the ldap backend side (see * http://www.OpenLDAP.org/faq/data/cache/452.html) * The problem can be overcome by moving the dn-based * ACLs to the target directory server, and letting * everything pass thru the ldap backend. */ } else { int i; if ( attr->a_desc->ad_type->sat_syntax == slap_schema.si_syn_distinguishedName ) { ldap_dnattr_result_rewrite( &dc, attr->a_vals ); } else if ( attr->a_desc == slap_schema.si_ad_ref ) { ldap_back_referral_result_rewrite( &dc, attr->a_vals ); } for ( i = 0; i < last; i++ ) { struct berval pval; int rc; if ( pretty ) { rc = pretty( attr->a_desc->ad_type->sat_syntax, &attr->a_vals[i], &pval, NULL ); } else { rc = validate( attr->a_desc->ad_type->sat_syntax, &attr->a_vals[i] ); } if ( rc ) { LBER_FREE( attr->a_vals[i].bv_val ); if ( --last == i ) { BER_BVZERO( &attr->a_vals[ i ] ); break; } attr->a_vals[i] = attr->a_vals[last]; BER_BVZERO( &attr->a_vals[last] ); i--; continue; } if ( pretty ) { LBER_FREE( attr->a_vals[i].bv_val ); attr->a_vals[i] = pval; } } if ( last == 0 && attr->a_vals != &slap_dummy_bv ) { attr_free( attr ); goto next_attr; } } if ( last && attr->a_desc->ad_type->sat_equality && attr->a_desc->ad_type->sat_equality->smr_normalize ) { int i; attr->a_nvals = ch_malloc( ( last + 1 ) * sizeof( struct berval ) ); for ( i = 0; ia_desc->ad_type->sat_equality->smr_normalize( SLAP_MR_VALUE_OF_ATTRIBUTE_SYNTAX, attr->a_desc->ad_type->sat_syntax, attr->a_desc->ad_type->sat_equality, &attr->a_vals[i], &attr->a_nvals[i], NULL ); } BER_BVZERO( &attr->a_nvals[i] ); } else { attr->a_nvals = attr->a_vals; } *attrp = attr; attrp = &attr->a_next; next_attr:; } rs->sr_entry = &ent; rs->sr_attrs = op->ors_attrs; rs->sr_flags = 0; rs->sr_err = LDAP_SUCCESS; rc = send_search_entry( op, rs ); switch ( rc ) { case LDAP_UNAVAILABLE: rc = LDAP_OTHER; break; } rs->sr_entry = NULL; rs->sr_attrs = NULL; if ( !BER_BVISNULL( &ent.e_name ) ) { free( ent.e_name.bv_val ); BER_BVZERO( &ent.e_name ); } if ( !BER_BVISNULL( &ent.e_nname ) ) { free( ent.e_nname.bv_val ); BER_BVZERO( &ent.e_nname ); } entry_clean( &ent ); return rc; }