mirror of
https://git.openldap.org/openldap/openldap.git
synced 2025-01-12 10:54:48 +08:00
322 lines
9.0 KiB
C
322 lines
9.0 KiB
C
/*
|
|
* Copyright (c) 1998 Will Ballantyne, ITSD, Government of BC
|
|
* All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms are permitted
|
|
* provided that this notice is preserved and that due credit is given
|
|
* to ITSD, Government of BC. The name of ITSD
|
|
* may not be used to endorse or promote products derived from this
|
|
* software without specific prior written permission. This software
|
|
* is provided ``as is'' without express or implied warranty.
|
|
*/
|
|
|
|
#include "portable.h"
|
|
|
|
#include <stdio.h>
|
|
#include <ac/string.h>
|
|
#include <ac/socket.h>
|
|
#include "slap.h"
|
|
#include "back-bdb2.h"
|
|
#include "proto-back-bdb2.h"
|
|
|
|
/*
|
|
* given an alias object, dereference it to its end point.
|
|
* Entry returned has reader lock or is NULL. Starting entry is not released.
|
|
*/
|
|
Entry *bdb2i_derefAlias_r ( BackendDB *be,
|
|
Connection *conn,
|
|
Operation *op,
|
|
Entry *e)
|
|
{
|
|
/* to free cache entries */
|
|
struct ldbminfo *li = (struct ldbminfo *) be->be_private;
|
|
Attribute *a;
|
|
int depth;
|
|
char *matched;
|
|
Entry *origDN = e;
|
|
|
|
if (!e) return NULL; /* be sure we have a starting entry */
|
|
|
|
Debug( LDAP_DEBUG_TRACE, "<= checking for alias for dn %s\n", e->e_dn, 0, 0 );
|
|
|
|
/*
|
|
* try to deref fully, up to a maximum depth. If the max depth exceeded
|
|
* then send an error
|
|
*/
|
|
for ( depth = 0;
|
|
( ( a = attr_find( e->e_attrs, "aliasedobjectname" ) ) != NULL) &&
|
|
( depth < be->be_maxDerefDepth );
|
|
++depth)
|
|
{
|
|
|
|
/*
|
|
* make sure there is a defined aliasedobjectname.
|
|
* can only have one value so just use first value (0) in the attr list.
|
|
*/
|
|
if (a->a_vals[0] && a->a_vals[0]->bv_val) {
|
|
char *newDN, *oldDN;
|
|
|
|
Debug( LDAP_DEBUG_TRACE, "<= %s is an alias for %s\n",
|
|
e->e_dn, a->a_vals[0]->bv_val, 0 );
|
|
newDN = ch_strdup (a->a_vals[0]->bv_val);
|
|
oldDN = ch_strdup (e->e_ndn);
|
|
|
|
/*
|
|
* release past lock if not original
|
|
*/
|
|
if ( (depth > 0) && e ) {
|
|
bdb2i_cache_return_entry_r(&li->li_cache, e);
|
|
}
|
|
|
|
/* make sure new and old DN are not same to avoid loops */
|
|
dn_normalize_case (newDN);
|
|
if ( strcmp (newDN, oldDN) == 0 ) {
|
|
|
|
Debug( LDAP_DEBUG_TRACE,
|
|
"<= %s alias is same as current %s\n",
|
|
oldDN, newDN, 0 );
|
|
send_ldap_result( conn, op, LDAP_ALIAS_DEREF_PROBLEM, "",
|
|
"Circular alias" );
|
|
free (newDN);
|
|
free (oldDN);
|
|
break;
|
|
}
|
|
|
|
/* make sure new and original are not same to avoid deadlocks */
|
|
if ( strcmp (newDN, origDN->e_ndn) == 0 ) {
|
|
Debug( LDAP_DEBUG_TRACE,
|
|
"<= %s alias is same as original %s\n",
|
|
oldDN, origDN->e_ndn, 0 );
|
|
send_ldap_result( conn, op, LDAP_ALIAS_DEREF_PROBLEM, "",
|
|
"Circular alias" );
|
|
free (newDN);
|
|
free (oldDN);
|
|
break;
|
|
}
|
|
|
|
/*
|
|
* ok, so what happens if there is an alias in the DN of a dereferenced
|
|
* alias object?
|
|
*/
|
|
if ( (e = bdb2i_dn2entry_r( be, newDN, &matched )) == NULL ) {
|
|
|
|
/* could not deref return error */
|
|
Debug( LDAP_DEBUG_TRACE,
|
|
"<= %s is a dangling alias to %s\n",
|
|
oldDN, newDN, 0 );
|
|
send_ldap_result( conn, op, LDAP_ALIAS_DEREF_PROBLEM, "",
|
|
"Dangling Alias" );
|
|
|
|
if(matched != NULL) free(matched);
|
|
free (newDN);
|
|
free (oldDN);
|
|
break;
|
|
}
|
|
|
|
free (newDN);
|
|
free (oldDN);
|
|
}
|
|
else {
|
|
/*
|
|
* there was an aliasedobjectname defined but no data.
|
|
* this can't happen, right?
|
|
*/
|
|
Debug( LDAP_DEBUG_TRACE,
|
|
"<= %s has no data in aliasedobjectname attribute\n",
|
|
(e && e->e_dn) ? e->e_dn : "(null)", 0, 0 );
|
|
send_ldap_result( conn, op, LDAP_ALIAS_PROBLEM, "",
|
|
"Alias missing aliasedobjectname" );
|
|
break;
|
|
}
|
|
}
|
|
|
|
/*
|
|
* warn if we pulled out due to exceeding the maximum deref depth
|
|
*/
|
|
if ( depth >= be->be_maxDerefDepth ) {
|
|
Debug( LDAP_DEBUG_TRACE,
|
|
"<= deref(\"%s\") exceeded maximum deref depth (%d) at \"%s\"\n",
|
|
origDN->e_dn ? origDN->e_dn : "(null)",
|
|
be->be_maxDerefDepth,
|
|
(e && e->e_ndn) ? e->e_ndn : "(null)");
|
|
send_ldap_result( conn, op, LDAP_ALIAS_DEREF_PROBLEM, "",
|
|
"Maximum alias dereference depth exceeded" );
|
|
}
|
|
|
|
return e;
|
|
}
|
|
|
|
/*
|
|
* given a DN fully deref it and return the real DN or original DN if it fails
|
|
* This involves finding the last matched part then reconstructing forward
|
|
* e.g.
|
|
* ou=MyOU,o=MyAliasedOrg,c=MyCountry where o=MyAliasedOrg is an alias for o=MyOrg
|
|
* loop starts with newDN = ou=MyOU,o=MyAliasedOrg,c=MyCountry
|
|
* dn2entry_r on newDN gives null entry and o=MyAliasedOrg,c=MyCountry matched
|
|
* dn2entry_r on matched gives o=MyAliasedOrg,c=MyCountry entry
|
|
* remainder is ou=MyOU
|
|
* dereferencing o=MyAliasedOrg,c=MyCountry yields entry o=MyOrg,c=MyCountry
|
|
* release lock on o=MyAliasedOrg,c=MyCountry entry
|
|
* reconstructed dn is ou=MyOU,o=MyOrg,c=MyCountry
|
|
* release lock on o=MyOrg,c=MyCountry entry
|
|
*/
|
|
char *bdb2i_derefDN ( BackendDB *be,
|
|
Connection *conn,
|
|
Operation *op,
|
|
char *dn
|
|
)
|
|
{
|
|
struct ldbminfo *li = (struct ldbminfo *) be->be_private;
|
|
char *matched = 0;
|
|
char *newDN = NULL;
|
|
int depth, i;
|
|
Entry *eMatched;
|
|
Entry *eDeref;
|
|
Entry *eNew;
|
|
|
|
if (!dn) return NULL;
|
|
|
|
Debug( LDAP_DEBUG_TRACE,
|
|
"<= dereferencing dn: \"%s\"\n",
|
|
dn, 0, 0 );
|
|
|
|
newDN = ch_strdup ( dn );
|
|
|
|
/* while we don't have a matched dn, deref the DN */
|
|
for ( depth = 0;
|
|
( (eMatched = bdb2i_dn2entry_r( be, newDN, &matched )) == NULL) &&
|
|
(depth < be->be_maxDerefDepth);
|
|
++depth ) {
|
|
|
|
if ((matched != NULL) && *matched) {
|
|
char *submatch;
|
|
|
|
/*
|
|
* make sure there actually is an entry for the matched part
|
|
*/
|
|
if ( (eMatched = bdb2i_dn2entry_r( be, matched, &submatch )) != NULL) {
|
|
char *remainder; /* part before the aliased part */
|
|
int rlen = strlen(newDN) - strlen(matched);
|
|
|
|
Debug( LDAP_DEBUG_TRACE, "<= matched %s\n", matched, 0, 0 );
|
|
|
|
remainder = ch_malloc (rlen + 1);
|
|
strncpy ( remainder, newDN, rlen );
|
|
remainder[rlen] = '\0';
|
|
|
|
Debug( LDAP_DEBUG_TRACE, "<= remainder %s\n", remainder, 0, 0 );
|
|
|
|
if ((eNew = bdb2i_derefAlias_r( be, conn, op, eMatched )) == NULL) {
|
|
free (matched);
|
|
matched = NULL;
|
|
free (newDN);
|
|
newDN = NULL;
|
|
free (remainder);
|
|
remainder = NULL;
|
|
|
|
bdb2i_cache_return_entry_r(&li->li_cache, eMatched);
|
|
eMatched = NULL;
|
|
break; /* no associated entry, dont deref */
|
|
}
|
|
else {
|
|
|
|
Debug( LDAP_DEBUG_TRACE, "<= l&g we have %s vs %s \n", matched, eNew->e_dn, 0 );
|
|
|
|
i = strcasecmp (matched, eNew->e_dn);
|
|
/* free reader lock */
|
|
bdb2i_cache_return_entry_r(&li->li_cache, eNew);
|
|
|
|
free (matched);
|
|
matched = NULL;
|
|
|
|
if (! i) {
|
|
/* newDN same as old so not an alias, no need to go further */
|
|
free (newDN);
|
|
newDN = NULL;
|
|
free (remainder);
|
|
|
|
bdb2i_cache_return_entry_r(&li->li_cache, eMatched);
|
|
eMatched = NULL;
|
|
break;
|
|
}
|
|
|
|
/*
|
|
* we have dereferenced the aliased part so put
|
|
* the new dn together
|
|
*/
|
|
free (newDN);
|
|
newDN = ch_malloc (strlen(eMatched->e_dn) + rlen + 1);
|
|
strcpy (newDN, remainder);
|
|
strcat (newDN, eMatched->e_dn);
|
|
Debug( LDAP_DEBUG_TRACE, "<= expanded to %s\n", newDN, 0, 0 );
|
|
|
|
free (remainder);
|
|
}
|
|
/* free reader lock */
|
|
bdb2i_cache_return_entry_r(&li->li_cache, eMatched);
|
|
}
|
|
else {
|
|
if(submatch != NULL) free(submatch);
|
|
break; /* there was no entry for the matched part */
|
|
}
|
|
}
|
|
else {
|
|
break; /* there was no matched part */
|
|
}
|
|
}
|
|
|
|
/* release lock if a match terminated the loop, there should be no
|
|
* outstanding locks at this point
|
|
*/
|
|
if(eMatched != NULL) {
|
|
/* free reader lock */
|
|
bdb2i_cache_return_entry_r(&li->li_cache, eMatched);
|
|
}
|
|
|
|
/*
|
|
* the final part of the DN might be an alias so try to dereference it.
|
|
* e.g. if we had started with dn = o=MyAliasedOrg,c=MyCountry the dn would match
|
|
* and the above loop complete but we would still be left with an aliased DN.
|
|
*/
|
|
if (newDN != NULL) {
|
|
if ( (eNew = bdb2i_dn2entry_r( be, newDN, &matched )) != NULL) {
|
|
if ((eDeref = bdb2i_derefAlias_r( be, conn, op, eNew )) != NULL) {
|
|
free (newDN);
|
|
newDN = ch_strdup (eDeref->e_dn);
|
|
/* free reader lock */
|
|
bdb2i_cache_return_entry_r(&li->li_cache, eDeref);
|
|
}
|
|
/* free reader lock */
|
|
bdb2i_cache_return_entry_r(&li->li_cache, eNew);
|
|
}
|
|
}
|
|
if (matched != NULL) free(matched);
|
|
|
|
/*
|
|
* warn if we exceeded the max depth as the resulting DN may not be dereferenced
|
|
*/
|
|
if (depth >= be->be_maxDerefDepth) {
|
|
if (newDN) {
|
|
Debug( LDAP_DEBUG_TRACE,
|
|
"<= max deref depth exceeded in derefDN for \"%s\", result \"%s\"\n",
|
|
dn, newDN, 0 );
|
|
free (newDN);
|
|
newDN = NULL;
|
|
} else {
|
|
Debug( LDAP_DEBUG_TRACE,
|
|
"<= max deref depth exceeded in derefDN for \"%s\", result NULL\n",
|
|
dn, 0, 0 );
|
|
}
|
|
send_ldap_result( conn, op, LDAP_ALIAS_DEREF_PROBLEM, "",
|
|
"Maximum alias dereference depth exceeded for base" );
|
|
}
|
|
|
|
if (newDN == NULL) {
|
|
newDN = ch_strdup ( dn );
|
|
}
|
|
|
|
Debug( LDAP_DEBUG_TRACE, "<= returning deref DN of \"%s\"\n", newDN, 0, 0 );
|
|
|
|
return newDN;
|
|
}
|