slap.h

/* slap.h - stand alone ldap server include file */
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
 *
 * Copyright 1998-2009 The OpenLDAP Foundation.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted only as authorized by the OpenLDAP
 * Public License.
 *
 * A copy of this license is available in the file LICENSE in the
 * top-level directory of the distribution or, alternatively, at
 * <http://www.OpenLDAP.org/license.html>.
 */
/* Portions Copyright (c) 1995 Regents of the University of Michigan.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms are permitted
 * provided that this notice is preserved and that due credit is given
 * to the University of Michigan at Ann Arbor. The name of the University
 * may not be used to endorse or promote products derived from this
 * software without specific prior written permission. This software
 * is provided ``as is'' without express or implied warranty.
 */

#ifndef _SLAP_H_
#define _SLAP_H_

#include "ldap_defaults.h"

#include <stdio.h>
#include <ac/stdlib.h>

#include <sys/types.h>
#include <ac/syslog.h>
#include <ac/regex.h>
#include <ac/signal.h>
#include <ac/socket.h>
#include <ac/time.h>
#include <ac/param.h>

#include "avl.h"

#ifndef ldap_debug
#define ldap_debug slap_debug
#endif

#include "ldap_log.h"

#include <ldap.h>
#include <ldap_schema.h>

#include "lber_pvt.h"
#include "ldap_pvt.h"
#include "ldap_pvt_thread.h"
#include "ldap_queue.h"

LDAP_BEGIN_DECL

#ifdef LDAP_DEVEL
#define LDAP_COLLECTIVE_ATTRIBUTES
#define LDAP_COMP_MATCH
#define LDAP_SYNC_TIMESTAMP
#define SLAP_CONTROL_X_SORTEDRESULTS
#define SLAP_CONTROL_X_SESSION_TRACKING
#define SLAP_CONTROL_X_WHATFAILED
#define SLAP_CONFIG_DELETE
#endif

#define LDAP_DYNAMIC_OBJECTS
#define SLAP_CONTROL_X_TREE_DELETE LDAP_CONTROL_X_TREE_DELETE
#define SLAP_DISTPROC

#ifdef ENABLE_REWRITE
#define SLAP_AUTH_REWRITE	1 /* use librewrite for sasl-regexp */
#endif

/*
 * SLAPD Memory allocation macros
 *
 * Unlike ch_*() routines, these routines do not assert() upon
 * allocation error.  They are intended to be used instead of
 * ch_*() routines where the caller has implemented proper
 * checking for and handling of allocation errors.
 *
 * Patches to convert ch_*() calls to SLAP_*() calls welcomed.
 */
#define SLAP_MALLOC(s)      ber_memalloc((s))
#define SLAP_CALLOC(n,s)    ber_memcalloc((n),(s))
#define SLAP_REALLOC(p,s)   ber_memrealloc((p),(s))
#define SLAP_FREE(p)        ber_memfree((p))
#define SLAP_VFREE(v)       ber_memvfree((void**)(v))
#define SLAP_STRDUP(s)      ber_strdup((s))
#define SLAP_STRNDUP(s,l)   ber_strndup((s),(l))

#ifdef f_next
#undef f_next /* name conflict between sys/file.h on SCO and struct filter */
#endif

#define SERVICE_NAME  OPENLDAP_PACKAGE "-slapd"
#define SLAPD_ANONYMOUS ""

#ifdef HAVE_TCPD
# include <tcpd.h>
# define SLAP_STRING_UNKNOWN	STRING_UNKNOWN
#else /* ! TCP Wrappers */
# define SLAP_STRING_UNKNOWN	"unknown"
#endif /* ! TCP Wrappers */

/* LDAPMod.mod_op value ===> Must be kept in sync with ldap.h!
 * This is a value used internally by the backends. It is needed to allow
 * adding values that already exist without getting an error as required by
 * modrdn when the new rdn was already an attribute value itself.
 */
#define SLAP_MOD_SOFTADD	0x1000

#define MAXREMATCHES (100)

#define SLAP_MAX_WORKER_THREADS		(16)

#define SLAP_SB_MAX_INCOMING_DEFAULT ((1<<18) - 1)
#define SLAP_SB_MAX_INCOMING_AUTH ((1<<24) - 1)

#define SLAP_CONN_MAX_PENDING_DEFAULT	100
#define SLAP_CONN_MAX_PENDING_AUTH	1000

#define SLAP_TEXT_BUFLEN (256)

/* psuedo error code indicating abandoned operation */
#define SLAPD_ABANDON (-1024)

/* psuedo error code indicating disconnect */
#define SLAPD_DISCONNECT (-1025)

/* unknown config file directive */
#define SLAP_CONF_UNKNOWN (-1026)

/* We assume "C" locale, that is US-ASCII */
#define ASCII_SPACE(c)	( (c) == ' ' )
#define ASCII_LOWER(c)	( (c) >= 'a' && (c) <= 'z' )
#define ASCII_UPPER(c)	( (c) >= 'A' && (c) <= 'Z' )
#define ASCII_ALPHA(c)	( ASCII_LOWER(c) || ASCII_UPPER(c) )
#define ASCII_DIGIT(c)	( (c) >= '0' && (c) <= '9' )
#define ASCII_HEXLOWER(c)	( (c) >= 'a' && (c) <= 'f' )
#define ASCII_HEXUPPER(c)	( (c) >= 'A' && (c) <= 'F' )
#define ASCII_HEX(c)	( ASCII_DIGIT(c) || \
	ASCII_HEXLOWER(c) || ASCII_HEXUPPER(c) )
#define ASCII_ALNUM(c)	( ASCII_ALPHA(c) || ASCII_DIGIT(c) )
#define ASCII_PRINTABLE(c) ( (c) >= ' ' && (c) <= '~' )

#define SLAP_NIBBLE(c) ((c)&0x0f)
#define SLAP_ESCAPE_CHAR ('\\')
#define SLAP_ESCAPE_LO(c) ( "0123456789ABCDEF"[SLAP_NIBBLE(c)] )
#define SLAP_ESCAPE_HI(c) ( SLAP_ESCAPE_LO((c)>>4) )

#define FILTER_ESCAPE(c) ( (c) == '*' || (c) == '\\' \
	|| (c) == '(' || (c) == ')' || !ASCII_PRINTABLE(c) )

#define DN_ESCAPE(c)	((c) == SLAP_ESCAPE_CHAR)
/* NOTE: for consistency, this macro must only operate
 * on normalized/pretty DN, such that ';' is never used
 * as RDN separator, and all occurrences of ';' must be escaped */
#define DN_SEPARATOR(c)	((c) == ',')
#define RDN_ATTRTYPEANDVALUE_SEPARATOR(c) ((c) == '+') /* RFC 4514 */
#define RDN_SEPARATOR(c) (DN_SEPARATOR(c) || RDN_ATTRTYPEANDVALUE_SEPARATOR(c))
#define RDN_NEEDSESCAPE(c)	((c) == '\\' || (c) == '"')

#define DESC_LEADCHAR(c)	( ASCII_ALPHA(c) )
#define DESC_CHAR(c)	( ASCII_ALNUM(c) || (c) == '-' )
#define OID_LEADCHAR(c)	( ASCII_DIGIT(c) )
#define OID_SEPARATOR(c)	( (c) == '.' )
#define OID_CHAR(c)	( OID_LEADCHAR(c) || OID_SEPARATOR(c) )

#define ATTR_LEADCHAR(c)	( DESC_LEADCHAR(c) || OID_LEADCHAR(c) )
#define ATTR_CHAR(c)	( DESC_CHAR((c)) || OID_SEPARATOR(c) )

#define AD_LEADCHAR(c)	( ATTR_LEADCHAR(c) )
#define AD_CHAR(c)		( ATTR_CHAR(c) || (c) == ';' )

#define SLAP_NUMERIC(c) ( ASCII_DIGIT(c) || ASCII_SPACE(c) )

#define SLAP_PRINTABLE(c)	( ASCII_ALNUM(c) || (c) == '\'' || \
	(c) == '(' || (c) == ')' || (c) == '+' || (c) == ',' || \
	(c) == '-' || (c) == '.' || (c) == '/' || (c) == ':' || \
	(c) == '?' || (c) == ' ' || (c) == '=' )
#define SLAP_PRINTABLES(c)	( SLAP_PRINTABLE(c) || (c) == '$' )

/* must match in schema_init.c */
#define SLAPD_DN_SYNTAX			"1.3.6.1.4.1.1466.115.121.1.12"
#define SLAPD_NAMEUID_SYNTAX	"1.3.6.1.4.1.1466.115.121.1.34"
#define SLAPD_INTEGER_SYNTAX	"1.3.6.1.4.1.1466.115.121.1.27"
#define SLAPD_GROUP_ATTR		"member"
#define SLAPD_GROUP_CLASS		"groupOfNames"
#define SLAPD_ROLE_ATTR			"roleOccupant"
#define SLAPD_ROLE_CLASS		"organizationalRole"

#define SLAPD_TOP_OID			"2.5.6.0"

LDAP_SLAPD_V (int) slap_debug;

typedef unsigned long slap_mask_t;

/* Security Strength Factor */
typedef unsigned slap_ssf_t;

typedef struct slap_ssf_set {
	slap_ssf_t sss_ssf;
	slap_ssf_t sss_transport;
	slap_ssf_t sss_tls;
	slap_ssf_t sss_sasl;
	slap_ssf_t sss_update_ssf;
	slap_ssf_t sss_update_transport;
	slap_ssf_t sss_update_tls;
	slap_ssf_t sss_update_sasl;
	slap_ssf_t sss_simple_bind;
} slap_ssf_set_t;

/* Flags for telling slap_sasl_getdn() what type of identity is being passed */
#define SLAP_GETDN_AUTHCID 2
#define SLAP_GETDN_AUTHZID 4

/*
 * Index types
 */
#define SLAP_INDEX_TYPE           0x00FFUL
#define SLAP_INDEX_UNDEFINED      0x0001UL
#define SLAP_INDEX_PRESENT        0x0002UL
#define SLAP_INDEX_EQUALITY       0x0004UL
#define SLAP_INDEX_APPROX         0x0008UL
#define SLAP_INDEX_SUBSTR         0x0010UL
#define SLAP_INDEX_EXTENDED		  0x0020UL

#define SLAP_INDEX_DEFAULT        SLAP_INDEX_EQUALITY

#define IS_SLAP_INDEX(mask, type)	(((mask) & (type)) == (type))

#define SLAP_INDEX_SUBSTR_TYPE    0x0F00UL

#define SLAP_INDEX_SUBSTR_INITIAL ( SLAP_INDEX_SUBSTR | 0x0100UL ) 
#define SLAP_INDEX_SUBSTR_ANY     ( SLAP_INDEX_SUBSTR | 0x0200UL )
#define SLAP_INDEX_SUBSTR_FINAL   ( SLAP_INDEX_SUBSTR | 0x0400UL )
#define SLAP_INDEX_SUBSTR_DEFAULT \
	( SLAP_INDEX_SUBSTR \
	| SLAP_INDEX_SUBSTR_INITIAL \
	| SLAP_INDEX_SUBSTR_ANY \
	| SLAP_INDEX_SUBSTR_FINAL )

/* defaults for initial/final substring indices */
#define SLAP_INDEX_SUBSTR_IF_MINLEN_DEFAULT	2
#define SLAP_INDEX_SUBSTR_IF_MAXLEN_DEFAULT	4

/* defaults for any substring indices */
#define SLAP_INDEX_SUBSTR_ANY_LEN_DEFAULT		4
#define SLAP_INDEX_SUBSTR_ANY_STEP_DEFAULT		2

/* default for ordered integer index keys */
#define SLAP_INDEX_INTLEN_DEFAULT	4

#define SLAP_INDEX_FLAGS         0xF000UL
#define SLAP_INDEX_NOSUBTYPES    0x1000UL /* don't use index w/ subtypes */
#define SLAP_INDEX_NOTAGS        0x2000UL /* don't use index w/ tags */

/*
 * there is a single index for each attribute.  these prefixes ensure
 * that there is no collision among keys.
 */
#define SLAP_INDEX_EQUALITY_PREFIX	'=' 	/* prefix for equality keys     */
#define SLAP_INDEX_APPROX_PREFIX	'~'		/* prefix for approx keys       */
#define SLAP_INDEX_SUBSTR_PREFIX	'*'		/* prefix for substring keys    */
#define SLAP_INDEX_SUBSTR_INITIAL_PREFIX '^'
#define SLAP_INDEX_SUBSTR_FINAL_PREFIX '$'
#define SLAP_INDEX_CONT_PREFIX		'.'		/* prefix for continuation keys */

#define SLAP_SYNTAX_MATCHINGRULES_OID	 "1.3.6.1.4.1.1466.115.121.1.30"
#define SLAP_SYNTAX_ATTRIBUTETYPES_OID	 "1.3.6.1.4.1.1466.115.121.1.3"
#define SLAP_SYNTAX_OBJECTCLASSES_OID	 "1.3.6.1.4.1.1466.115.121.1.37"
#define SLAP_SYNTAX_MATCHINGRULEUSES_OID "1.3.6.1.4.1.1466.115.121.1.31"
#define SLAP_SYNTAX_CONTENTRULE_OID	 "1.3.6.1.4.1.1466.115.121.1.16"

/*
 * represents schema information for a database
 */
enum {
	SLAP_SCHERR_OUTOFMEM = 1,
	SLAP_SCHERR_CLASS_NOT_FOUND,
	SLAP_SCHERR_CLASS_BAD_USAGE,
	SLAP_SCHERR_CLASS_BAD_SUP,
	SLAP_SCHERR_CLASS_DUP,
	SLAP_SCHERR_CLASS_INCONSISTENT,
	SLAP_SCHERR_ATTR_NOT_FOUND,
	SLAP_SCHERR_ATTR_BAD_MR,
	SLAP_SCHERR_ATTR_BAD_USAGE,
	SLAP_SCHERR_ATTR_BAD_SUP,
	SLAP_SCHERR_ATTR_INCOMPLETE,
	SLAP_SCHERR_ATTR_DUP,
	SLAP_SCHERR_ATTR_INCONSISTENT,
	SLAP_SCHERR_MR_NOT_FOUND,
	SLAP_SCHERR_MR_INCOMPLETE,
	SLAP_SCHERR_MR_DUP,
	SLAP_SCHERR_SYN_NOT_FOUND,
	SLAP_SCHERR_SYN_DUP,
	SLAP_SCHERR_SYN_SUP_NOT_FOUND,
	SLAP_SCHERR_SYN_SUBST_NOT_SPECIFIED,
	SLAP_SCHERR_SYN_SUBST_NOT_FOUND,
	SLAP_SCHERR_NO_NAME,
	SLAP_SCHERR_NOT_SUPPORTED,
	SLAP_SCHERR_BAD_DESCR,
	SLAP_SCHERR_OIDM,
	SLAP_SCHERR_CR_DUP,
	SLAP_SCHERR_CR_BAD_STRUCT,
	SLAP_SCHERR_CR_BAD_AUX,
	SLAP_SCHERR_CR_BAD_AT,

	SLAP_SCHERR_LAST
};

/* forward declarations */
typedef struct Syntax Syntax;
typedef struct MatchingRule MatchingRule;
typedef struct MatchingRuleUse MatchingRuleUse;
typedef struct MatchingRuleAssertion MatchingRuleAssertion;
typedef struct OidMacro OidMacro;
typedef struct ObjectClass ObjectClass;
typedef struct AttributeType AttributeType;
typedef struct AttributeDescription AttributeDescription;
typedef struct AttributeName AttributeName;
typedef struct ContentRule ContentRule;

typedef struct AttributeAssertion AttributeAssertion;
typedef struct SubstringsAssertion SubstringsAssertion;
typedef struct Filter Filter;
typedef struct ValuesReturnFilter ValuesReturnFilter;
typedef struct Attribute Attribute;
#ifdef LDAP_COMP_MATCH
typedef struct ComponentData ComponentData;
typedef struct ComponentFilter ComponentFilter;
#endif

typedef struct Entry Entry;
typedef struct Modification Modification;
typedef struct Modifications Modifications;
typedef struct LDAPModList LDAPModList;

typedef struct BackendInfo BackendInfo;		/* per backend type */
typedef struct BackendDB BackendDB;		/* per backend database */

typedef struct Connection Connection;
typedef struct Operation Operation;
typedef struct SlapReply SlapReply;
/* end of forward declarations */

typedef union Sockaddr {
	struct sockaddr sa_addr;
	struct sockaddr_in sa_in_addr;
#ifdef LDAP_PF_INET6
	struct sockaddr_storage sa_storage;
	struct sockaddr_in6 sa_in6_addr;
#endif
#ifdef LDAP_PF_LOCAL
	struct sockaddr_un sa_un_addr;
#endif
} Sockaddr;

#ifdef LDAP_PF_INET6
extern int slap_inet4or6;
#endif

struct OidMacro {
	struct berval som_oid;
	BerVarray som_names;
	BerVarray som_subs;
#define	SLAP_OM_HARDCODE	0x10000U	/* This is hardcoded schema */
	int som_flags;
	LDAP_STAILQ_ENTRY(OidMacro) som_next;
};

typedef int slap_syntax_validate_func LDAP_P((
	Syntax *syntax,
	struct berval * in));

typedef int slap_syntax_transform_func LDAP_P((
	Syntax *syntax,
	struct berval * in,
	struct berval * out,
	void *memctx));

#ifdef LDAP_COMP_MATCH
typedef void* slap_component_transform_func LDAP_P((
	struct berval * in ));
struct ComponentDesc;
#endif

struct Syntax {
	LDAPSyntax			ssyn_syn;
#define ssyn_oid		ssyn_syn.syn_oid
#define ssyn_desc		ssyn_syn.syn_desc
#define ssyn_extensions	ssyn_syn.syn_extensions
	/*
	 * Note: the former
	ber_len_t	ssyn_oidlen;
	 * has been replaced by a struct berval that uses the value
	 * provided by ssyn_syn.syn_oid; a macro that expands to
	 * the bv_len field of the berval is provided for backward
	 * compatibility.  CAUTION: NEVER FREE THE BERVAL
	 */
	struct berval	ssyn_bvoid;
#define	ssyn_oidlen	ssyn_bvoid.bv_len

	unsigned int ssyn_flags;

#define SLAP_SYNTAX_NONE	0x0000U
#define SLAP_SYNTAX_BLOB	0x0001U /* syntax treated as blob (audio) */
#define SLAP_SYNTAX_BINARY	0x0002U /* binary transfer required (certificate) */
#define SLAP_SYNTAX_BER		0x0004U /* stored in BER encoding (certificate) */
#ifdef LDAP_DEVEL
#define SLAP_SYNTAX_HIDE	0x0000U /* publish everything */
#else
#define SLAP_SYNTAX_HIDE	0x8000U /* hide (do not publish) */
#endif
#define	SLAP_SYNTAX_HARDCODE	0x10000U	/* This is hardcoded schema */

	Syntax				**ssyn_sups;

	slap_syntax_validate_func	*ssyn_validate;
	slap_syntax_transform_func	*ssyn_pretty;

#ifdef SLAPD_BINARY_CONVERSION
	/* convert to and from binary */
	slap_syntax_transform_func	*ssyn_ber2str;
	slap_syntax_transform_func	*ssyn_str2ber;
#endif
#ifdef LDAP_COMP_MATCH
	slap_component_transform_func *ssyn_attr2comp;
	struct ComponentDesc* ssync_comp_syntax;
#endif

	LDAP_STAILQ_ENTRY(Syntax)	ssyn_next;
};

#define slap_syntax_is_flag(s,flag) ((int)((s)->ssyn_flags & (flag)) ? 1 : 0)
#define slap_syntax_is_blob(s)		slap_syntax_is_flag((s),SLAP_SYNTAX_BLOB)
#define slap_syntax_is_binary(s)	slap_syntax_is_flag((s),SLAP_SYNTAX_BINARY)
#define slap_syntax_is_ber(s)		slap_syntax_is_flag((s),SLAP_SYNTAX_BER)
#define slap_syntax_is_hidden(s)	slap_syntax_is_flag((s),SLAP_SYNTAX_HIDE)

typedef struct slap_syntax_defs_rec {
	char *sd_desc;
	int sd_flags;
	char **sd_sups;
	slap_syntax_validate_func *sd_validate;
	slap_syntax_transform_func *sd_pretty;
#ifdef SLAPD_BINARY_CONVERSION
	slap_syntax_transform_func *sd_ber2str;
	slap_syntax_transform_func *sd_str2ber;
#endif
} slap_syntax_defs_rec;

/* X -> Y Converter */
typedef int slap_mr_convert_func LDAP_P((
	struct berval * in,
	struct berval * out,
	void *memctx ));

/* Normalizer */
typedef int slap_mr_normalize_func LDAP_P((
	slap_mask_t use,
	Syntax *syntax, /* NULL if in is asserted value */
	MatchingRule *mr,
	struct berval *in,
	struct berval *out,
	void *memctx ));

/* Match (compare) function */
typedef int slap_mr_match_func LDAP_P((
	int *match,
	slap_mask_t use,
	Syntax *syntax,	/* syntax of stored value */
	MatchingRule *mr,
	struct berval *value,
	void *assertValue ));

/* Index generation function */
typedef int slap_mr_indexer_func LDAP_P((
	slap_mask_t use,
	slap_mask_t mask,
	Syntax *syntax,	/* syntax of stored value */
	MatchingRule *mr,
	struct berval *prefix,
	BerVarray values,
	BerVarray *keys,
	void *memctx ));

/* Filter index function */
typedef int slap_mr_filter_func LDAP_P((
	slap_mask_t use,
	slap_mask_t mask,
	Syntax *syntax,	/* syntax of stored value */
	MatchingRule *mr,
	struct berval *prefix,
	void *assertValue,
	BerVarray *keys,
	void *memctx ));

struct MatchingRule {
	LDAPMatchingRule		smr_mrule;
	MatchingRuleUse			*smr_mru;
	/* RFC 4512 string representation */
	struct berval			smr_str;
	/*
	 * Note: the former
	 *			ber_len_t	smr_oidlen;
	 * has been replaced by a struct berval that uses the value
	 * provided by smr_mrule.mr_oid; a macro that expands to
	 * the bv_len field of the berval is provided for backward
	 * compatibility.  CAUTION: NEVER FREE THE BERVAL
	 */
	struct berval			smr_bvoid;
#define	smr_oidlen			smr_bvoid.bv_len

	slap_mask_t			smr_usage;

#ifdef LDAP_DEVEL
#define SLAP_MR_HIDE			0x0000U
#else
#define SLAP_MR_HIDE			0x8000U
#endif

#define SLAP_MR_MUTATION_NORMALIZER	0x4000U

#define SLAP_MR_TYPE_MASK		0x0F00U
#define SLAP_MR_SUBTYPE_MASK		0x00F0U
#define SLAP_MR_USAGE			0x000FU

#define SLAP_MR_NONE			0x0000U
#define SLAP_MR_EQUALITY		0x0100U
#define SLAP_MR_ORDERING		0x0200U
#define SLAP_MR_SUBSTR			0x0400U
#define SLAP_MR_EXT			0x0800U /* implicitly extensible */
#define	SLAP_MR_ORDERED_INDEX		0x1000U
#ifdef LDAP_COMP_MATCH
#define SLAP_MR_COMPONENT		0x2000U
#endif

#define SLAP_MR_EQUALITY_APPROX	( SLAP_MR_EQUALITY | 0x0010U )

#define SLAP_MR_SUBSTR_INITIAL	( SLAP_MR_SUBSTR | 0x0010U )
#define SLAP_MR_SUBSTR_ANY	( SLAP_MR_SUBSTR | 0x0020U )
#define SLAP_MR_SUBSTR_FINAL	( SLAP_MR_SUBSTR | 0x0040U )


/*
 * The asserted value, depending on the particular usage,
 * is expected to conform to either the assertion syntax
 * or the attribute syntax.   In some cases, the syntax of
 * the value is known.  If so, these flags indicate which
 * syntax the value is expected to conform to.  If not,
 * neither of these flags is set (until the syntax of the
 * provided value is determined).  If the value is of the
 * attribute syntax, the flag is changed once a value of
 * the assertion syntax is derived from the provided value.
 */
#define SLAP_MR_VALUE_OF_ASSERTION_SYNTAX	0x0001U
#define SLAP_MR_VALUE_OF_ATTRIBUTE_SYNTAX	0x0002U
#define SLAP_MR_VALUE_OF_SYNTAX			(SLAP_MR_VALUE_OF_ASSERTION_SYNTAX|SLAP_MR_VALUE_OF_ATTRIBUTE_SYNTAX)
#define SLAP_MR_DENORMALIZE			(SLAP_MR_MUTATION_NORMALIZER)

#define SLAP_MR_IS_VALUE_OF_ATTRIBUTE_SYNTAX( usage ) \
	((usage) & SLAP_MR_VALUE_OF_ATTRIBUTE_SYNTAX )
#define SLAP_MR_IS_VALUE_OF_ASSERTION_SYNTAX( usage ) \
	((usage) & SLAP_MR_VALUE_OF_ASSERTION_SYNTAX )
#ifdef LDAP_DEBUG
#define SLAP_MR_IS_VALUE_OF_SYNTAX( usage ) \
	((usage) & SLAP_MR_VALUE_OF_SYNTAX)
#else
#define SLAP_MR_IS_VALUE_OF_SYNTAX( usage )	(1)
#endif
#define SLAP_MR_IS_DENORMALIZE( usage ) \
	((usage) & SLAP_MR_DENORMALIZE )

/* either or both the asserted value or attribute value
 * may be provided in normalized form
 */
#define SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH		0x0004U
#define SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH	0x0008U

#define SLAP_IS_MR_ASSERTION_SYNTAX_MATCH( usage ) \
	(!((usage) & SLAP_MR_ATTRIBUTE_SYNTAX_MATCH))
#define SLAP_IS_MR_ATTRIBUTE_SYNTAX_MATCH( usage ) \
	((usage) & SLAP_MR_ATTRIBUTE_SYNTAX_MATCH)

#define SLAP_IS_MR_ATTRIBUTE_SYNTAX_CONVERTED_MATCH( usage ) \
	(((usage) & SLAP_MR_ATTRIBUTE_SYNTAX_CONVERTED_MATCH) \
		== SLAP_MR_ATTRIBUTE_SYNTAX_CONVERTED_MATCH)
#define SLAP_IS_MR_ATTRIBUTE_SYNTAX_NONCONVERTED_MATCH( usage ) \
	(((usage) & SLAP_MR_ATTRIBUTE_SYNTAX_CONVERTED_MATCH) \
		== SLAP_MR_ATTRIBUTE_SYNTAX_MATCH)

#define SLAP_IS_MR_ASSERTED_VALUE_NORMALIZED_MATCH( usage ) \
	((usage) & SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH )
#define SLAP_IS_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH( usage ) \
	((usage) & SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH )

	Syntax			*smr_syntax;
	slap_mr_convert_func	*smr_convert;
	slap_mr_normalize_func	*smr_normalize;
	slap_mr_match_func	*smr_match;
	slap_mr_indexer_func	*smr_indexer;
	slap_mr_filter_func	*smr_filter;

	/*
	 * null terminated array of syntaxes compatible with this syntax
	 * note: when MS_EXT is set, this MUST NOT contain the assertion
	 * syntax of the rule.  When MS_EXT is not set, it MAY.
	 */
	Syntax			**smr_compat_syntaxes;

	/*
	 * For equality rules, refers to an associated approximate rule.
	 * For non-equality rules, refers to an associated equality rule.
	 */
	MatchingRule	*smr_associated;

#define SLAP_MR_ASSOCIATED(mr,amr)	\
	(((mr) == (amr)) || ((mr)->smr_associated == (amr)))

	LDAP_SLIST_ENTRY(MatchingRule)	smr_next;

#define smr_oid				smr_mrule.mr_oid
#define smr_names			smr_mrule.mr_names
#define smr_desc			smr_mrule.mr_desc
#define smr_obsolete		smr_mrule.mr_obsolete
#define smr_syntax_oid		smr_mrule.mr_syntax_oid
#define smr_extensions		smr_mrule.mr_extensions
};

struct MatchingRuleUse {
	LDAPMatchingRuleUse		smru_mruleuse;
	MatchingRule			*smru_mr;
	/* RFC 4512 string representation */
	struct berval			smru_str;

	LDAP_SLIST_ENTRY(MatchingRuleUse) smru_next;

#define smru_oid			smru_mruleuse.mru_oid
#define smru_names			smru_mruleuse.mru_names
#define smru_desc			smru_mruleuse.mru_desc
#define smru_obsolete			smru_mruleuse.mru_obsolete
#define smru_applies_oids		smru_mruleuse.mru_applies_oids

#define smru_usage			smru_mr->smr_usage
} /* MatchingRuleUse */ ;

typedef struct slap_mrule_defs_rec {
	char *						mrd_desc;
	slap_mask_t					mrd_usage;
	char **						mrd_compat_syntaxes;
	slap_mr_convert_func *		mrd_convert;
	slap_mr_normalize_func *	mrd_normalize;
	slap_mr_match_func *		mrd_match;
	slap_mr_indexer_func *		mrd_indexer;
	slap_mr_filter_func *		mrd_filter;

	/* For equality rule, this may refer to an associated approximate rule */
	/* For non-equality rule, this may refer to an associated equality rule */
	char *						mrd_associated;
} slap_mrule_defs_rec;

typedef int (AttributeTypeSchemaCheckFN)(
	BackendDB *be,
	Entry *e,
	Attribute *attr,
	const char** text,
	char *textbuf, size_t textlen );

struct AttributeType {
	LDAPAttributeType		sat_atype;
	struct berval			sat_cname;
	AttributeType			*sat_sup;
	AttributeType			**sat_subtypes;
	MatchingRule			*sat_equality;
	MatchingRule			*sat_approx;
	MatchingRule			*sat_ordering;
	MatchingRule			*sat_substr;
	Syntax				*sat_syntax;

	AttributeTypeSchemaCheckFN	*sat_check;
	char				*sat_oidmacro;	/* attribute OID */
	char				*sat_soidmacro;	/* syntax OID */

#define SLAP_AT_NONE			0x0000U
#define SLAP_AT_ABSTRACT		0x0100U /* cannot be instantiated */
#define SLAP_AT_FINAL			0x0200U /* cannot be subtyped */
#ifdef LDAP_DEVEL
#define SLAP_AT_HIDE			0x0000U /* publish everything */
#else
#define SLAP_AT_HIDE			0x8000U /* hide attribute */
#endif
#define	SLAP_AT_DYNAMIC			0x0400U	/* dynamically generated */

#define SLAP_AT_MANAGEABLE		0x0800U	/* no-user-mod can be by-passed */

/* Note: ORDERED values have an ordering specifically set by the
 * user, denoted by the {x} ordering prefix on the values.
 *
 * SORTED values are simply sorted by memcmp. SORTED values can
 * be efficiently located by binary search. ORDERED values have no
 * such advantage. An attribute cannot have both properties.
 */
#define	SLAP_AT_ORDERED_VAL		0x0001U /* values are ordered */
#define	SLAP_AT_ORDERED_SIB		0x0002U /* siblings are ordered */
#define	SLAP_AT_ORDERED			0x0003U /* value has order index */

#define	SLAP_AT_SORTED_VAL		0x0010U	/* values should be sorted */

#define	SLAP_AT_HARDCODE		0x10000U	/* hardcoded schema */
#define	SLAP_AT_DELETED			0x20000U

	slap_mask_t			sat_flags;

	LDAP_STAILQ_ENTRY(AttributeType) sat_next;

#define sat_oid				sat_atype.at_oid
#define sat_names			sat_atype.at_names
#define sat_desc			sat_atype.at_desc
#define sat_obsolete			sat_atype.at_obsolete
#define sat_sup_oid			sat_atype.at_sup_oid
#define sat_equality_oid		sat_atype.at_equality_oid
#define sat_ordering_oid		sat_atype.at_ordering_oid
#define sat_substr_oid			sat_atype.at_substr_oid
#define sat_syntax_oid			sat_atype.at_syntax_oid
#define sat_single_value		sat_atype.at_single_value
#define sat_collective			sat_atype.at_collective
#define sat_no_user_mod			sat_atype.at_no_user_mod
#define sat_usage			sat_atype.at_usage
#define sat_extensions			sat_atype.at_extensions

	AttributeDescription		*sat_ad;
	ldap_pvt_thread_mutex_t		sat_ad_mutex;
};

#define is_at_operational(at)	((at)->sat_usage)
#define is_at_single_value(at)	((at)->sat_single_value)
#define is_at_collective(at)	((at)->sat_collective)
#define is_at_obsolete(at)		((at)->sat_obsolete)
#define is_at_no_user_mod(at)	((at)->sat_no_user_mod)

typedef int (ObjectClassSchemaCheckFN)(
	BackendDB *be,
	Entry *e,
	ObjectClass *oc,
	const char** text,
	char *textbuf, size_t textlen );

struct ObjectClass {
	LDAPObjectClass			soc_oclass;
	struct berval			soc_cname;
	ObjectClass			**soc_sups;
	AttributeType			**soc_required;
	AttributeType			**soc_allowed;
	ObjectClassSchemaCheckFN	*soc_check;
	char				*soc_oidmacro;
	slap_mask_t			soc_flags;
#define soc_oid				soc_oclass.oc_oid
#define soc_names			soc_oclass.oc_names
#define soc_desc			soc_oclass.oc_desc
#define soc_obsolete			soc_oclass.oc_obsolete
#define soc_sup_oids			soc_oclass.oc_sup_oids
#define soc_kind			soc_oclass.oc_kind
#define soc_at_oids_must		soc_oclass.oc_at_oids_must
#define soc_at_oids_may			soc_oclass.oc_at_oids_may
#define soc_extensions			soc_oclass.oc_extensions

	LDAP_STAILQ_ENTRY(ObjectClass)	soc_next;
};

#define	SLAP_OCF_SET_FLAGS	0x1
#define	SLAP_OCF_CHECK_SUP	0x2
#define	SLAP_OCF_MASK		(SLAP_OCF_SET_FLAGS|SLAP_OCF_CHECK_SUP)

#define	SLAP_OC_ALIAS		0x0001
#define	SLAP_OC_REFERRAL	0x0002
#define	SLAP_OC_SUBENTRY	0x0004
#define	SLAP_OC_DYNAMICOBJECT	0x0008
#define	SLAP_OC_COLLECTIVEATTRIBUTESUBENTRY	0x0010
#define SLAP_OC_GLUE		0x0020
#define SLAP_OC_SYNCPROVIDERSUBENTRY		0x0040
#define SLAP_OC_SYNCCONSUMERSUBENTRY		0x0080
#define	SLAP_OC__MASK		0x00FF
#define	SLAP_OC__END		0x0100
#define SLAP_OC_OPERATIONAL	0x4000
#ifdef LDAP_DEVEL
#define SLAP_OC_HIDE		0x0000
#else
#define SLAP_OC_HIDE		0x8000
#endif
#define	SLAP_OC_HARDCODE	0x10000U	/* This is hardcoded schema */
#define	SLAP_OC_DELETED		0x20000U

/*
 * DIT content rule
 */
struct ContentRule {
	LDAPContentRule		scr_crule;
	ObjectClass		*scr_sclass;
	ObjectClass		**scr_auxiliaries;	/* optional */
	AttributeType		**scr_required;		/* optional */
	AttributeType		**scr_allowed;		/* optional */
	AttributeType		**scr_precluded;	/* optional */
#define scr_oid			scr_crule.cr_oid
#define scr_names		scr_crule.cr_names
#define scr_desc		scr_crule.cr_desc
#define scr_obsolete		scr_crule.cr_obsolete
#define scr_oc_oids_aux		scr_crule.cr_oc_oids_aux
#define scr_at_oids_must	scr_crule.cr_at_oids_must
#define scr_at_oids_may		scr_crule.cr_at_oids_may
#define scr_at_oids_not		scr_crule.cr_at_oids_not

	char			*scr_oidmacro;
#define	SLAP_CR_HARDCODE	0x10000U
	int			scr_flags;

	LDAP_STAILQ_ENTRY( ContentRule ) scr_next;
};

/* Represents a recognized attribute description ( type + options ). */
struct AttributeDescription {
	AttributeDescription	*ad_next;
	AttributeType		*ad_type;	/* attribute type, must be specified */
	struct berval		ad_cname;	/* canonical name, must be specified */
	struct berval		ad_tags;	/* empty if no tagging options */
	unsigned ad_flags;
#define SLAP_DESC_NONE		0x00U
#define SLAP_DESC_BINARY	0x01U
#define SLAP_DESC_TAG_RANGE	0x80U
#define SLAP_DESC_TEMPORARY	0x1000U
};

/* flags to slap_*2undef_ad to register undefined (0, the default)
 * or proxied (SLAP_AD_PROXIED) AttributeDescriptions; the additional
 * SLAP_AD_NOINSERT is to lookup without insert */
#define SLAP_AD_UNDEF		0x00U
#define SLAP_AD_PROXIED		0x01U
#define	SLAP_AD_NOINSERT	0x02U

struct AttributeName {
	struct berval		an_name;
	AttributeDescription	*an_desc;
	int			an_oc_exclude;
	ObjectClass		*an_oc;
};

#define slap_ad_is_tagged(ad)			( (ad)->ad_tags.bv_len != 0 )
#define slap_ad_is_tag_range(ad)	\
	( ((ad)->ad_flags & SLAP_DESC_TAG_RANGE) ? 1 : 0 )
#define slap_ad_is_binary(ad)		\
	( ((ad)->ad_flags & SLAP_DESC_BINARY) ? 1 : 0 )

/*
 * pointers to schema elements used internally
 */
struct slap_internal_schema {
	/* objectClass */
	ObjectClass *si_oc_top;
	ObjectClass *si_oc_extensibleObject;
	ObjectClass *si_oc_alias;
	ObjectClass *si_oc_referral;
	ObjectClass *si_oc_rootdse;
	ObjectClass *si_oc_subentry;
	ObjectClass *si_oc_subschema;
	ObjectClass *si_oc_collectiveAttributeSubentry;
	ObjectClass *si_oc_dynamicObject;

	ObjectClass *si_oc_glue;
	ObjectClass *si_oc_syncConsumerSubentry;
	ObjectClass *si_oc_syncProviderSubentry;

	/* objectClass attribute descriptions */
	AttributeDescription *si_ad_objectClass;

	/* operational attribute descriptions */
	AttributeDescription *si_ad_structuralObjectClass;
	AttributeDescription *si_ad_creatorsName;
	AttributeDescription *si_ad_createTimestamp;
	AttributeDescription *si_ad_modifiersName;
	AttributeDescription *si_ad_modifyTimestamp;
	AttributeDescription *si_ad_hasSubordinates;
	AttributeDescription *si_ad_subschemaSubentry;
	AttributeDescription *si_ad_collectiveSubentries;
	AttributeDescription *si_ad_collectiveExclusions;
	AttributeDescription *si_ad_entryDN;
	AttributeDescription *si_ad_entryUUID;
	AttributeDescription *si_ad_entryCSN;
	AttributeDescription *si_ad_namingCSN;

	AttributeDescription *si_ad_dseType;
	AttributeDescription *si_ad_syncreplCookie;
	AttributeDescription *si_ad_syncTimestamp;
	AttributeDescription *si_ad_contextCSN;

	/* root DSE attribute descriptions */
	AttributeDescription *si_ad_altServer;
	AttributeDescription *si_ad_namingContexts;
	AttributeDescription *si_ad_supportedControl;
	AttributeDescription *si_ad_supportedExtension;
	AttributeDescription *si_ad_supportedLDAPVersion;
	AttributeDescription *si_ad_supportedSASLMechanisms;
	AttributeDescription *si_ad_supportedFeatures;
	AttributeDescription *si_ad_monitorContext;
	AttributeDescription *si_ad_vendorName;
	AttributeDescription *si_ad_vendorVersion;
	AttributeDescription *si_ad_configContext;

	/* subentry attribute descriptions */
	AttributeDescription *si_ad_administrativeRole;
	AttributeDescription *si_ad_subtreeSpecification;

	/* subschema subentry attribute descriptions */
	AttributeDescription *si_ad_attributeTypes;
	AttributeDescription *si_ad_ditContentRules;
	AttributeDescription *si_ad_ditStructureRules;
	AttributeDescription *si_ad_ldapSyntaxes;
	AttributeDescription *si_ad_matchingRules;
	AttributeDescription *si_ad_matchingRuleUse;
	AttributeDescription *si_ad_nameForms;
	AttributeDescription *si_ad_objectClasses;

	/* Aliases & Referrals */
	AttributeDescription *si_ad_aliasedObjectName;
	AttributeDescription *si_ad_ref;

	/* Access Control Internals */
	AttributeDescription *si_ad_entry;
	AttributeDescription *si_ad_children;
	AttributeDescription *si_ad_saslAuthzTo;
	AttributeDescription *si_ad_saslAuthzFrom;

	/* dynamic entries */
	AttributeDescription *si_ad_entryTtl;
	AttributeDescription *si_ad_dynamicSubtrees;

	/* Other attributes descriptions */
	AttributeDescription *si_ad_distinguishedName;
	AttributeDescription *si_ad_name;
	AttributeDescription *si_ad_cn;
	AttributeDescription *si_ad_uid;
	AttributeDescription *si_ad_uidNumber;
	AttributeDescription *si_ad_gidNumber;
	AttributeDescription *si_ad_userPassword;
	AttributeDescription *si_ad_labeledURI;
#ifdef SLAPD_AUTHPASSWD
	AttributeDescription *si_ad_authPassword;
	AttributeDescription *si_ad_authPasswordSchemes;
#endif
	AttributeDescription *si_ad_description;
	AttributeDescription *si_ad_seeAlso;

	/* Undefined Attribute Type */
	AttributeType	*si_at_undefined;

	/* "Proxied" Attribute Type */
	AttributeType	*si_at_proxied;

	/* Matching Rules */
	MatchingRule	*si_mr_distinguishedNameMatch;
	MatchingRule	*si_mr_dnSubtreeMatch;
	MatchingRule	*si_mr_dnOneLevelMatch;
	MatchingRule	*si_mr_dnSubordinateMatch;
	MatchingRule	*si_mr_dnSuperiorMatch;
	MatchingRule    *si_mr_caseExactMatch;
	MatchingRule    *si_mr_caseExactSubstringsMatch;
	MatchingRule    *si_mr_caseExactIA5Match;
	MatchingRule	*si_mr_integerMatch;
	MatchingRule    *si_mr_integerFirstComponentMatch;
	MatchingRule    *si_mr_objectIdentifierFirstComponentMatch;
	MatchingRule    *si_mr_caseIgnoreMatch;
	MatchingRule    *si_mr_caseIgnoreListMatch;