Commit 521fa916 authored by Kurt Zeilenga's avatar Kurt Zeilenga

Sync with HEAD

parent 1fcbb2da
#! /bin/sh
# $OpenLDAP$
# from OpenLDAP: pkg/ldap/configure.in,v 1.560 2004/12/04 18:48:48 hyc Exp
# from OpenLDAP
 
# This work is part of OpenLDAP Software <http://www.openldap.org/>.
#
......
## doc Makefile.in for OpenLDAP
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2005 The OpenLDAP Foundation.
## All rights reserved.
##
......
# man Makefile.in for OpenLDAP
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2005 The OpenLDAP Foundation.
## All rights reserved.
##
......
# man1 Makefile.in for OpenLDAP
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2005 The OpenLDAP Foundation.
## All rights reserved.
##
......
# man3 Makefile.in for OpenLDAP
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2005 The OpenLDAP Foundation.
## All rights reserved.
##
......
# man5 Makefile.in for OpenLDAP
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2005 The OpenLDAP Foundation.
## All rights reserved.
##
......
......@@ -79,8 +79,8 @@ The URI list is space- or comma-separated.
.TP
.B acl-authcDN "<administrative DN for access control purposes>"
DN which is used to query the target server for acl checking; it
should have read access on the target server to attributes used on the
proxy for acl checking.
is supposed to have read access on the target server to attributes used
on the proxy for acl checking.
There is no risk of giving away such values; they are only used to
check permissions.
.B The acl-authcDN identity is by no means implicitly used by the proxy
......@@ -90,7 +90,10 @@ See the
feature instead.
.TP
.B acl-passwd <password>
Password used with the bind DN above.
Password used with the
.B
acl-authcDN
above.
.TP
.B idassert-authcdn "<administrative DN for proxyAuthz purposes>"
DN which is used to propagate the client's identity to the target
......
......@@ -134,17 +134,20 @@ The optional number marks target <target> as the default one, starting
from 1.
Target <target> must be defined.
.TP
.B binddn "<administrative DN for access control purposes>"
This directive, as in the LDAP backend, allows to define the DN that is
used to query the target server for acl checking; it should have read
access on the target server to attributes used on the proxy for acl
checking.
.B acl-authcDN "<administrative DN for access control purposes>"
DN which is used to query the target server for acl checking,
as in the LDAP backend; it is supposed to have read access
on the target server to attributes used on the proxy for acl checking.
There is no risk of giving away such values; they are only used to
check permissions.
.TP
.B bindpw <password for access control purposes>
This directive sets the password for acl checking in conjunction
with the above mentioned "binddn" directive.
.B The acl-authcDN identity is by no means implicitly used by the proxy
.B when the client connects anonymously.
.TP
.B acl-passwd <password>
Password used with the
.B
acl-authcDN
above.
.TP
.B rebind-as-user
If this option is given, the client's bind credentials are remembered
......
......@@ -15,11 +15,11 @@ allows automatic referral chasing.
Any time a referral is returned (except for bind operations),
it is chased by using an instance of the ldap backend.
If operations are performed with an identity (i.e. after a bind),
the referrals are chased with the
.B acl-authcDN
(if any; see
that identity can be asserted while chasing the referrals
by means of the \fIidentity assertion\fP feature of back-ldap
(see
.BR slapd-ldap (5)
for details), with the original identity asserted by means of the
for details), which is essentially based on the
.B proxyAuthz
control (see \fIdraft-weltman-ldapv3-proxy\fP for details).
......@@ -28,36 +28,39 @@ The config directives that are specific to the
.B chain
overlay can be prefixed by
.BR chain\- ,
to avoid conflicts with directives specific to the underlying database
or to other stacked overlays.
to avoid potential conflicts with directives specific to the underlying
database or to other stacked overlays.
.LP
There are no chain overlay specific directives; however, directives
related to the instance of the ldap backend that is implicitly
instantiated by the overlay may assume a special meaning when used
in conjuction with this overlay.
related to the \fIldap\fP database that is implicitly instantiated
by the overlay may assume a special meaning when used in conjuction
with this overlay. They are described in
.BR slapd-ldap (5).
.TP
.B overlay chain
This directive adds the chain overlay to the current backend.
The chain overlay may be used with any backend but is intended
for use with local storage backends that may return referrals.
It is useless in conjunction with the ldap and meta backends
because they exploit the libldap specific referral chase feature.
The chain overlay may be used with any backend, but it is mainly
intended for use with local storage backends that may return referrals.
It is useless in conjunction with the \fIldap\fP and \fImeta\fP backends
because they already exploit the libldap specific referral chase feature.
.TP
.B chain-uri <ldapuri>
This directive instructs the underlying ldap database about which
URI to contact to follow referrals.
If not given, the referral itself is parsed, and the protocol/host/port
URI to contact to chase referrals.
If not present, the referral itself is parsed, and the protocol/host/port
portions are used to establish a connection.
.LP
Directives for configuring the underlying ldap database must also be given,
as shown here:
Directives for configuring the underlying ldap database may also
be required, as shown here:
.LP
.RS
.nf
chain-acl-authcDN cn=Auth,dc=example,dc=com
chain-acl-passwd secret
chain-idassert-method "simple"
chain-idassert-authcDN "cn=Auth,dc=example,dc=com"
chain-idassert-passwd "secret"
chain-idassert-mode "self"
.fi
.RE
.LP
......
......@@ -188,15 +188,15 @@ n
as return code if the rule matches; the flag does not alter the recursive
behavior of the rule, so, to have it performed only once, it must be used
in combination with `:', e.g.
.B `:U{16}'
returns the value `16' after exactly one execution of the rule, if the
pattern matches.
.B `:U{32}'
returns the value `32' (indicating noSuchObject) after exactly
one execution of the rule, if the pattern matches.
As a consequence, its behavior is equivalent to `@', with the return
code set to
.BR n ;
or, in other words, `@' is equivalent to `U{0}'.
By convention, the freely available codes are above 16 included;
the others are reserved.
Positive errors are allowed, indicating the related LDAP error codes
as specified in \fIdraft-ietf-ldapbis-protocol\fP.
.LP
The ordering of the flags can be significant.
For instance: `IG{2}' means ignore errors and jump two lines ahead
......@@ -400,26 +400,29 @@ rwm-rewriteEngine on
rwm-rewriteEngine on
# all dataflow from client to server referring to DNs
rwm-rewriteContext default
rwm-rewriteRule "(.*)<virtualnamingcontext>$" "$1<realnamingcontext>" ":"
rwm-rewriteRule "(.+,)?<virtualnamingcontext>$" "$1<realnamingcontext>" ":"
# empty filter rule
rwm-rewriteContext searchFilter
# all dataflow from server to client
rwm-rewriteContext searchEntryDN
rwm-rewriteRule "(.*)<realnamingcontext>$" "$1<virtualnamingcontext>" ":"
rwm-rewriteRule "(.+,)?<realnamingcontext>$" "$1<virtualnamingcontext>" ":"
rwm-rewriteContext searchAttrDN alias searchEntryDN
rwm-rewriteContext matchedDN alias searchEntryDN
# misc empty rules
rwm-rewriteContext referralAttrDN
rwm-rewriteContext referralDN
# Everything defined here goes into the `default' context.
# This rule changes the naming context of anything sent
# to `dc=home,dc=net' to `dc=OpenLDAP, dc=org'
rwm-rewriteRule "(.*)dc=home,[ ]?dc=net$"
rwm-rewriteRule "(.+,)?dc=home,[ ]?dc=net$"
"$1dc=OpenLDAP, dc=org" ":"
# since a pretty/normalized DN does not include spaces
# after rdn separators, e.g. `,', this rule suffices:
rwm-rewriteRule "(.*)dc=home,dc=net$"
rwm-rewriteRule "(.+,)?dc=home,dc=net$"
"$1dc=OpenLDAP,dc=org" ":"
# Start a new context (ends input of the previous one).
......
# man8 Makefile.in for OpenLDAP
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2005 The OpenLDAP Foundation.
## All rights reserved.
##
......
......@@ -234,10 +234,9 @@ typedef struct ldapcontrol {
#define LDAP_CONTROL_VLVRESPONSE "2.16.840.1.113730.3.4.10"
/* Password policy Controls *//* work in progress */
#ifdef LDAP_DEVEL
/* ITS#3458: released, but not to latest draft; disabled by default */
#define LDAP_CONTROL_PASSWORDPOLICYREQUEST "1.3.6.1.4.1.42.2.27.8.5.1"
#define LDAP_CONTROL_PASSWORDPOLICYRESPONSE "1.3.6.1.4.1.42.2.27.8.5.1"
#endif
/* LDAP Sync -- draft-zeilenga-ldup-sync *//* submitted for publication */
#define LDAP_SYNC_OID "1.3.6.1.4.1.4203.1.9.1"
......
......@@ -75,6 +75,9 @@ ldif_fetch_url LDAP_P((
LDAP_LDIF_F( char * )
ldif_getline LDAP_P(( char **next ));
LDAP_LDIF_F( int )
ldif_countlines LDAP_P(( LDAP_CONST char *line ));
LDAP_LDIF_F( int )
ldif_read_record LDAP_P((
FILE *fp,
......
......@@ -38,8 +38,7 @@
* Rewrite internal status returns
*/
#define REWRITE_SUCCESS LDAP_SUCCESS
#define REWRITE_ERR LDAP_OPERATIONS_ERROR
#define REWRITE_NO_SUCH_OBJECT LDAP_NO_SUCH_OBJECT
#define REWRITE_ERR LDAP_OTHER
/*
* Rewrite modes (input values for rewrite_info_init); determine the
......@@ -66,11 +65,11 @@
* REWRITE_REGEXEC_UNWILLING the server should issue an 'unwilling
* to perform' error
*/
#define REWRITE_REGEXEC_OK 0x0000
#define REWRITE_REGEXEC_ERR 0x0001
#define REWRITE_REGEXEC_STOP 0x0002
#define REWRITE_REGEXEC_UNWILLING 0x0003
#define REWRITE_REGEXEC_USER 0x0004 /* and above ... */
#define REWRITE_REGEXEC_OK (0)
#define REWRITE_REGEXEC_ERR (-1)
#define REWRITE_REGEXEC_STOP (-2)
#define REWRITE_REGEXEC_UNWILLING (-3)
#define REWRITE_REGEXEC_USER (1) /* and above: LDAP errors */
/*
* Rewrite variable flags
......
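Review bot: The trailing comment on `REWRITE_REGEXEC_USER` should spell out the new sign convention: the internal statuses moved from 0x0001..0x0003 to negative values, and the positive range now carries LDAP result codes unchanged (the slapo-rwm(5) change in this same commit says a `U{n}` flag yields "the related LDAP error codes"). Any caller that tested `rc >= REWRITE_REGEXEC_USER` or switched on the old positive constants now has to distinguish `rc < 0` from `rc > 0`, which this hunk cannot show. I would add above the block `/* internal statuses are < 0 so they never collide with LDAP result codes; values > 0 are LDAP result codes and are returned to the client as-is */` and shorten the trailing comment to `/* and above: LDAP result codes */`.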
......@@ -119,6 +119,9 @@ ldap_create( LDAP **ldp )
/* but not pointers to malloc'ed items */
ld->ld_options.ldo_sctrls = NULL;
ld->ld_options.ldo_cctrls = NULL;
ld->ld_options.ldo_tm_api = NULL;
ld->ld_options.ldo_tm_net = NULL;
ld->ld_options.ldo_defludp = NULL;
#ifdef HAVE_CYRUS_SASL
ld->ld_options.ldo_def_sasl_mech = gopts->ldo_def_sasl_mech
......@@ -131,27 +134,26 @@ ldap_create( LDAP **ldp )
? LDAP_STRDUP( gopts->ldo_def_sasl_authzid ) : NULL;
#endif
ld->ld_options.ldo_defludp = ldap_url_duplist(gopts->ldo_defludp);
if ( gopts->ldo_tm_api &&
ldap_int_timeval_dup( &ld->ld_options.ldo_tm_api, gopts->ldo_tm_api ))
goto nomem;
if ( ld->ld_options.ldo_defludp == NULL ) {
LDAP_FREE( (char*)ld );
return LDAP_NO_MEMORY;
}
if ( gopts->ldo_tm_net &&
ldap_int_timeval_dup( &ld->ld_options.ldo_tm_net, gopts->ldo_tm_net ))
goto nomem;
if (( ld->ld_selectinfo = ldap_new_select_info()) == NULL ) {
ldap_free_urllist( ld->ld_options.ldo_defludp );
LDAP_FREE( (char*) ld );
return LDAP_NO_MEMORY;
if ( gopts->ldo_defludp ) {
ld->ld_options.ldo_defludp = ldap_url_duplist(gopts->ldo_defludp);
if ( ld->ld_options.ldo_defludp == NULL ) goto nomem;
}
if (( ld->ld_selectinfo = ldap_new_select_info()) == NULL ) goto nomem;
ld->ld_lberoptions = LBER_USE_DER;
ld->ld_sb = ber_sockbuf_alloc( );
if ( ld->ld_sb == NULL ) {
ldap_free_urllist( ld->ld_options.ldo_defludp );
LDAP_FREE( (char*) ld );
return LDAP_NO_MEMORY;
}
if ( ld->ld_sb == NULL ) goto nomem;
#ifdef LDAP_R_COMPILE
ldap_pvt_thread_mutex_init( &ld->ld_req_mutex );
......@@ -159,6 +161,20 @@ ldap_create( LDAP **ldp )
#endif
*ldp = ld;
return LDAP_SUCCESS;
nomem:
ldap_free_select_info( ld->ld_selectinfo );
ldap_free_urllist( ld->ld_options.ldo_defludp );
LDAP_FREE( ld->ld_options.ldo_tm_net );
LDAP_FREE( ld->ld_options.ldo_tm_api );
#ifdef HAVE_CYRUS_SASL
LDAP_FREE( ld->ld_options.ldo_def_sasl_authzid );
LDAP_FREE( ld->ld_options.ldo_def_sasl_authcid );
LDAP_FREE( ld->ld_options.ldo_def_sasl_realm );
LDAP_FREE( ld->ld_options.ldo_def_sasl_mech );
#endif
LDAP_FREE( (char *)ld );
return LDAP_NO_MEMORY;
}
/*
......
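Review bot: The new `nomem:` path calls `ldap_free_select_info( ld->ld_selectinfo )` even when it is reached from the `ldo_tm_api`/`ldo_tm_net` duplication failures, which run before `ld->ld_selectinfo` is assigned; that is only safe if `ld` was zero-allocated above the hunk, which is not visible here. Adding `ld->ld_selectinfo = NULL;` next to the other pointer resets (`ldo_tm_api`, `ldo_tm_net`, `ldo_defludp`) makes the cleanup path independent of how `ld` was allocated. The `LDAP_STRDUP` calls for the SASL defaults still degrade silently to NULL on failure; now that a single cleanup path exists they could `goto nomem` as well, provided `ldap_free_urllist` and `ldap_free_select_info` tolerate NULL the way `LDAP_FREE` evidently does. ldap_create begins before the first hunk.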
/* fetch.c - routines for fetching data at URLs */
/* $OpenLDAP$ */
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 1999-2005 The OpenLDAP Foundation.
......
......@@ -308,6 +308,21 @@ ldif_parse_line2(
* which it updates and must be supplied on subsequent calls.
*/
int
ldif_countlines( LDAP_CONST char *buf )
{
char *nl;
int ret = 0;
if ( !buf ) return ret;
for ( nl = strchr(buf, '\n'); nl; nl = strchr(nl, '\n') ) {
nl++;
if ( *nl != ' ' ) ret++;
}
return ret;
}
char *
ldif_getline( char **next )
{
......
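Review bot: `ldif_countlines` is inserted between the tail of ldif_getline's block comment (`which it updates and must be supplied on subsequent calls.`) and `ldif_getline` itself, so that comment now reads as documentation for the wrong function; move the new function below `ldif_getline` or give it its own header. A comment such as `/* Count the logical LDIF lines in buf: a '\n' not followed by a continuation space ends a line; a final line without a trailing '\n' is not counted. NULL yields 0. */` states the visible behaviour, including the unterminated-last-line case callers should know about. `nl` could also be declared `LDAP_CONST char *` since nothing is written through it.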
......@@ -259,7 +259,7 @@ rewrite_xmap_apply(
ldap_pvt_thread_mutex_unlock( &xpasswd_mutex );
#endif /* USE_REWRITE_LDAP_PVT_THREADS */
rc = REWRITE_NO_SUCH_OBJECT;
rc = LDAP_NO_SUCH_OBJECT;
break;
}
......
# servers Makefile.in for OpenLDAP
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2005 The OpenLDAP Foundation.
## All rights reserved.
##
......
......@@ -220,14 +220,18 @@ fe_op_add( Operation *op, SlapReply *rs )
if ( !rs->sr_ref ) rs->sr_ref = default_referral;
if ( rs->sr_ref ) {
rs->sr_err = LDAP_REFERRAL;
op->o_bd = frontendDB;
send_ldap_result( op, rs );
op->o_bd = NULL;
if ( rs->sr_ref != default_referral ) {
ber_bvarray_free( rs->sr_ref );
}
} else {
op->o_bd = frontendDB;
send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
"no global superior knowledge" );
op->o_bd = NULL;
}
goto done;
}
......
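Review bot: The `op->o_bd = frontendDB;` / `op->o_bd = NULL;` pair is duplicated around both `send_ldap_result` and `send_ldap_error`, and the reset to NULL assumes `o_bd` was NULL on entry rather than restoring whatever it held; fe_op_add starts before this hunk, so that assumption cannot be checked here. Hoisting the assignment above `if ( rs->sr_ref )` and restoring once after the `if`/`else` removes the duplication and keeps the restore correct regardless of the earlier value: `BackendDB *bd = op->o_bd; op->o_bd = frontendDB;` before the branch and `op->o_bd = bd;` after it. Nothing between the two calls (`ber_bvarray_free`) reads `o_bd`, so the hoist does not change which backend the result is sent under.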