Sync with HEAD

521fa916 · Kurt Zeilenga · 1fcbb2da · 521fa916 · 521fa916 · 521fa916
Commit 521fa916 authored Jan 24, 2005 by Kurt Zeilenga
--- a/configure
+++ b/configure
 #! /bin/sh
 # $OpenLDAP$
-# from OpenLDAP: pkg/ldap/configure.in,v 1.560 2004/12/04 18:48:48 hyc Exp  
+# from OpenLDAP 
  
 # This work is part of OpenLDAP Software <http://www.openldap.org/>.
 #

--- a/doc/Makefile.in
+++ b/doc/Makefile.in
 ## doc Makefile.in for OpenLDAP
 # $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
 ## Copyright 1998-2005 The OpenLDAP Foundation.
 ## All rights reserved.
 ##

--- a/doc/man/Makefile.in
+++ b/doc/man/Makefile.in
 # man Makefile.in for OpenLDAP
 # $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
 ## Copyright 1998-2005 The OpenLDAP Foundation.
 ## All rights reserved.
 ##

--- a/doc/man/man1/Makefile.in
+++ b/doc/man/man1/Makefile.in
 # man1 Makefile.in for OpenLDAP
 # $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
 ## Copyright 1998-2005 The OpenLDAP Foundation.
 ## All rights reserved.
 ##

--- a/doc/man/man3/Makefile.in
+++ b/doc/man/man3/Makefile.in
 # man3 Makefile.in for OpenLDAP
 # $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
 ## Copyright 1998-2005 The OpenLDAP Foundation.
 ## All rights reserved.
 ##

--- a/doc/man/man5/Makefile.in
+++ b/doc/man/man5/Makefile.in
 # man5 Makefile.in for OpenLDAP
 # $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
 ## Copyright 1998-2005 The OpenLDAP Foundation.
 ## All rights reserved.
 ##

--- a/doc/man/man5/slapd-ldap.5
+++ b/doc/man/man5/slapd-ldap.5
@@ -79,8 +79,8 @@ The URI list is space- or comma-separated.
 .TP
 .B acl-authcDN "<administrative DN for access control purposes>"
 DN which is used to query the target server for acl checking; it
-should have read access on the target server to attributes used on the
-proxy for acl checking.
+is supposed to have read access on the target server to attributes used
+on the proxy for acl checking.
 There is no risk of giving away such values; they are only used to
 check permissions.
 .B The acl-authcDN identity is by no means implicitly used by the proxy 
@@ -90,7 +90,10 @@ See the
 feature instead.
 .TP
 .B acl-passwd <password>
-Password used with the bind DN above.
+Password used with the
+.B 
+acl-authcDN
+above.
 .TP
 .B idassert-authcdn "<administrative DN for proxyAuthz purposes>"
 DN which is used to propagate the client's identity to the target

--- a/doc/man/man5/slapd-meta.5
+++ b/doc/man/man5/slapd-meta.5
@@ -134,17 +134,20 @@ The optional number marks target <target> as the default one, starting
 from 1.
 Target <target> must be defined.
 .TP
-.B binddn "<administrative DN for access control purposes>"
-This directive, as in the LDAP backend, allows to define the DN that is
-used to query the target server for acl checking; it should have read
-access on the target server to attributes used on the proxy for acl
-checking.
+.B acl-authcDN "<administrative DN for access control purposes>"
+DN which is used to query the target server for acl checking,
+as in the LDAP backend; it is supposed to have read access 
+on the target server to attributes used on the proxy for acl checking.
 There is no risk of giving away such values; they are only used to
 check permissions.
-.TP
-.B bindpw <password for access control purposes>
-This directive sets the password for acl checking in conjunction
-with the above mentioned "binddn" directive.
+.B The acl-authcDN identity is by no means implicitly used by the proxy 
+.B when the client connects anonymously.
+.TP
+.B acl-passwd <password>
+Password used with the
+.B 
+acl-authcDN
+above.
 .TP
 .B rebind-as-user
 If this option is given, the client's bind credentials are remembered

--- a/doc/man/man5/slapo-chain.5
+++ b/doc/man/man5/slapo-chain.5
@@ -15,11 +15,11 @@ allows automatic referral chasing.
 Any time a referral is returned (except for bind operations),
 it is chased by using an instance of the ldap backend.
 If operations are performed with an identity (i.e. after a bind),
-the referrals are chased with the 
-.B acl-authcDN 
-(if any; see
+that identity can be asserted while chasing the referrals 
+by means of the \fIidentity assertion\fP feature of back-ldap
+(see
 .BR slapd-ldap (5)
-for details), with the original identity asserted by means of the
+for details), which is essentially based on the
 .B proxyAuthz
 control (see \fIdraft-weltman-ldapv3-proxy\fP for details).

@@ -28,36 +28,39 @@ The config directives that are specific to the
 .B chain
 overlay can be prefixed by
 .BR chain\- ,
-to avoid conflicts with directives specific to the underlying database
-or to other stacked overlays.
+to avoid potential conflicts with directives specific to the underlying 
+database or to other stacked overlays.

 .LP
 There are no chain overlay specific directives; however, directives 
-related to the instance of the ldap backend that is implicitly 
-instantiated by the overlay may assume a special meaning when used 
-in conjuction with this overlay.
+related to the \fIldap\fP database that is implicitly instantiated 
+by the overlay may assume a special meaning when used in conjuction 
+with this overlay.  They are described in
+.BR slapd-ldap (5).
 .TP
 .B overlay chain
 This directive adds the chain overlay to the current backend.
-The chain overlay may be used with any backend but is intended 
-for use with local storage backends that may return referrals.
-It is useless in conjunction with the ldap and meta backends
-because they exploit the libldap specific referral chase feature.
+The chain overlay may be used with any backend, but it is mainly 
+intended for use with local storage backends that may return referrals.
+It is useless in conjunction with the \fIldap\fP and \fImeta\fP backends
+because they already exploit the libldap specific referral chase feature.
 .TP
 .B chain-uri <ldapuri>
 This directive instructs the underlying ldap database about which
-URI to contact to follow referrals.
-If not given, the referral itself is parsed, and the protocol/host/port
+URI to contact to chase referrals.
+If not present, the referral itself is parsed, and the protocol/host/port
 portions are used to establish a connection.

 .LP
-Directives for configuring the underlying ldap database must also be given, 
-as shown here:
+Directives for configuring the underlying ldap database may also 
+be required, as shown here:
 .LP
 .RS
 .nf
-chain-acl-authcDN	cn=Auth,dc=example,dc=com
-chain-acl-passwd	secret
+chain-idassert-method	"simple"
+chain-idassert-authcDN	"cn=Auth,dc=example,dc=com"
+chain-idassert-passwd	"secret"
+chain-idassert-mode	"self"
 .fi
 .RE
 .LP

--- a/doc/man/man5/slapo-rwm.5
+++ b/doc/man/man5/slapo-rwm.5
@@ -188,15 +188,15 @@ n
 as return code if the rule matches; the flag does not alter the recursive
 behavior of the rule, so, to have it performed only once, it must be used 
 in combination with `:', e.g.
-.B `:U{16}'
-returns the value `16' after exactly one execution of the rule, if the
-pattern matches.
+.B `:U{32}'
+returns the value `32' (indicating noSuchObject) after exactly 
+one execution of the rule, if the pattern matches.
 As a consequence, its behavior is equivalent to `@', with the return
 code set to
 .BR n ;
 or, in other words, `@' is equivalent to `U{0}'.
-By convention, the freely available codes are above 16 included;
-the others are reserved.
+Positive errors are allowed, indicating the related LDAP error codes
+as specified in \fIdraft-ietf-ldapbis-protocol\fP.
 .LP
 The ordering of the flags can be significant.
 For instance: `IG{2}' means ignore errors and jump two lines ahead
@@ -400,26 +400,29 @@ rwm-rewriteEngine on
 rwm-rewriteEngine on
 # all dataflow from client to server referring to DNs
 rwm-rewriteContext default
-rwm-rewriteRule "(.*)<virtualnamingcontext>$" "$1<realnamingcontext>" ":"
+rwm-rewriteRule "(.+,)?<virtualnamingcontext>$" "$1<realnamingcontext>" ":"
 # empty filter rule
 rwm-rewriteContext searchFilter
 # all dataflow from server to client
 rwm-rewriteContext searchEntryDN
-rwm-rewriteRule "(.*)<realnamingcontext>$" "$1<virtualnamingcontext>" ":"
+rwm-rewriteRule "(.+,)?<realnamingcontext>$" "$1<virtualnamingcontext>" ":"
 rwm-rewriteContext searchAttrDN alias searchEntryDN
 rwm-rewriteContext matchedDN alias searchEntryDN
+# misc empty rules
+rwm-rewriteContext referralAttrDN
+rwm-rewriteContext referralDN

 # Everything defined here goes into the `default' context.
 # This rule changes the naming context of anything sent
 # to `dc=home,dc=net' to `dc=OpenLDAP, dc=org'

-rwm-rewriteRule "(.*)dc=home,[ ]?dc=net$"
+rwm-rewriteRule "(.+,)?dc=home,[ ]?dc=net$"
            "$1dc=OpenLDAP, dc=org"  ":"

 # since a pretty/normalized DN does not include spaces
 # after rdn separators, e.g. `,', this rule suffices:

-rwm-rewriteRule "(.*)dc=home,dc=net$"
+rwm-rewriteRule "(.+,)?dc=home,dc=net$"
            "$1dc=OpenLDAP,dc=org"  ":"

 # Start a new context (ends input of the previous one).

--- a/doc/man/man8/Makefile.in
+++ b/doc/man/man8/Makefile.in
 # man8 Makefile.in for OpenLDAP
 # $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
 ## Copyright 1998-2005 The OpenLDAP Foundation.
 ## All rights reserved.
 ##

--- a/include/ldap.h
+++ b/include/ldap.h
@@ -234,10 +234,9 @@ typedef struct ldapcontrol {
 #define LDAP_CONTROL_VLVRESPONSE    "2.16.840.1.113730.3.4.10"

 /* Password policy Controls *//* work in progress */
-#ifdef LDAP_DEVEL
+/* ITS#3458: released, but not to latest draft; disabled by default */
 #define LDAP_CONTROL_PASSWORDPOLICYREQUEST	"1.3.6.1.4.1.42.2.27.8.5.1"
 #define LDAP_CONTROL_PASSWORDPOLICYRESPONSE	"1.3.6.1.4.1.42.2.27.8.5.1"
-#endif

 /* LDAP Sync -- draft-zeilenga-ldup-sync *//* submitted for publication */
 #define LDAP_SYNC_OID			"1.3.6.1.4.1.4203.1.9.1"

--- a/include/ldif.h
+++ b/include/ldif.h
@@ -75,6 +75,9 @@ ldif_fetch_url LDAP_P((
 LDAP_LDIF_F( char * )
 ldif_getline LDAP_P(( char **next ));

+LDAP_LDIF_F( int )
+ldif_countlines LDAP_P(( LDAP_CONST char *line ));
+
 LDAP_LDIF_F( int )
 ldif_read_record LDAP_P((
 	FILE *fp,

--- a/include/rewrite.h
+++ b/include/rewrite.h
@@ -38,8 +38,7 @@
 * Rewrite internal status returns
 */
 #define REWRITE_SUCCESS			LDAP_SUCCESS
-#define REWRITE_ERR			LDAP_OPERATIONS_ERROR
-#define REWRITE_NO_SUCH_OBJECT		LDAP_NO_SUCH_OBJECT
+#define REWRITE_ERR			LDAP_OTHER

 /*
 * Rewrite modes (input values for rewrite_info_init); determine the
@@ -66,11 +65,11 @@
 * 	REWRITE_REGEXEC_UNWILLING	the server should issue an 'unwilling
 * 					to perform' error
 */
-#define REWRITE_REGEXEC_OK              0x0000
-#define REWRITE_REGEXEC_ERR             0x0001
-#define REWRITE_REGEXEC_STOP            0x0002
-#define REWRITE_REGEXEC_UNWILLING       0x0003
-#define REWRITE_REGEXEC_USER		0x0004 /* and above ... */
+#define REWRITE_REGEXEC_OK              (0)
+#define REWRITE_REGEXEC_ERR             (-1)
+#define REWRITE_REGEXEC_STOP            (-2)
+#define REWRITE_REGEXEC_UNWILLING       (-3)
+#define REWRITE_REGEXEC_USER		(1)	/* and above: LDAP errors */

 /*
 * Rewrite variable flags

--- a/libraries/libldap/open.c
+++ b/libraries/libldap/open.c
@@ -119,6 +119,9 @@ ldap_create( LDAP **ldp )
 	/* but not pointers to malloc'ed items */
 	ld->ld_options.ldo_sctrls = NULL;
 	ld->ld_options.ldo_cctrls = NULL;
+	ld->ld_options.ldo_tm_api = NULL;
+	ld->ld_options.ldo_tm_net = NULL;
+	ld->ld_options.ldo_defludp = NULL;

 #ifdef HAVE_CYRUS_SASL
 	ld->ld_options.ldo_def_sasl_mech = gopts->ldo_def_sasl_mech
@@ -131,27 +134,26 @@ ldap_create( LDAP **ldp )
 		? LDAP_STRDUP( gopts->ldo_def_sasl_authzid ) : NULL;
 #endif

-	ld->ld_options.ldo_defludp = ldap_url_duplist(gopts->ldo_defludp);
+	if ( gopts->ldo_tm_api &&
+		ldap_int_timeval_dup( &ld->ld_options.ldo_tm_api, gopts->ldo_tm_api ))
+		goto nomem;

-	if ( ld->ld_options.ldo_defludp == NULL ) {
-		LDAP_FREE( (char*)ld );
-		return LDAP_NO_MEMORY;
-	}
+	if ( gopts->ldo_tm_net &&
+		ldap_int_timeval_dup( &ld->ld_options.ldo_tm_net, gopts->ldo_tm_net ))
+		goto nomem;

-	if (( ld->ld_selectinfo = ldap_new_select_info()) == NULL ) {
-		ldap_free_urllist( ld->ld_options.ldo_defludp );
-		LDAP_FREE( (char*) ld );
-		return LDAP_NO_MEMORY;
+	if ( gopts->ldo_defludp ) {
+		ld->ld_options.ldo_defludp = ldap_url_duplist(gopts->ldo_defludp);
+
+		if ( ld->ld_options.ldo_defludp == NULL ) goto nomem;
 	}

+	if (( ld->ld_selectinfo = ldap_new_select_info()) == NULL ) goto nomem;
+
 	ld->ld_lberoptions = LBER_USE_DER;

 	ld->ld_sb = ber_sockbuf_alloc( );
-	if ( ld->ld_sb == NULL ) {
-		ldap_free_urllist( ld->ld_options.ldo_defludp );
-		LDAP_FREE( (char*) ld );
-		return LDAP_NO_MEMORY;
-	}
+	if ( ld->ld_sb == NULL ) goto nomem;

 #ifdef LDAP_R_COMPILE
 	ldap_pvt_thread_mutex_init( &ld->ld_req_mutex );
@@ -159,6 +161,20 @@ ldap_create( LDAP **ldp )
 #endif
 	*ldp = ld;
 	return LDAP_SUCCESS;
+
+nomem:
+	ldap_free_select_info( ld->ld_selectinfo );
+	ldap_free_urllist( ld->ld_options.ldo_defludp );
+	LDAP_FREE( ld->ld_options.ldo_tm_net );
+	LDAP_FREE( ld->ld_options.ldo_tm_api );
+#ifdef HAVE_CYRUS_SASL
+	LDAP_FREE( ld->ld_options.ldo_def_sasl_authzid );
+	LDAP_FREE( ld->ld_options.ldo_def_sasl_authcid );
+	LDAP_FREE( ld->ld_options.ldo_def_sasl_realm );
+	LDAP_FREE( ld->ld_options.ldo_def_sasl_mech );
+#endif
+	LDAP_FREE( (char *)ld );
+	return LDAP_NO_MEMORY;
 }

 /*

--- a/libraries/liblutil/fetch.c
+++ b/libraries/liblutil/fetch.c
 /* fetch.c - routines for fetching data at URLs */
 /* $OpenLDAP$ */
-/* $OpenLDAP$ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
 *
 * Copyright 1999-2005 The OpenLDAP Foundation.

--- a/libraries/liblutil/ldif.c
+++ b/libraries/liblutil/ldif.c
@@ -308,6 +308,21 @@ ldif_parse_line2(
 * which it updates and must be supplied on subsequent calls.
 */

+int
+ldif_countlines( LDAP_CONST char *buf )
+{
+	char *nl;
+	int ret = 0;
+
+	if ( !buf ) return ret;
+
+	for ( nl = strchr(buf, '\n'); nl; nl = strchr(nl, '\n') ) {
+		nl++;
+		if ( *nl != ' ' ) ret++;
+	}
+	return ret;
+}
+
 char *
 ldif_getline( char **next )
 {

--- a/libraries/librewrite/xmap.c
+++ b/libraries/librewrite/xmap.c
@@ -259,7 +259,7 @@ rewrite_xmap_apply(
 			ldap_pvt_thread_mutex_unlock( &xpasswd_mutex );
 #endif /* USE_REWRITE_LDAP_PVT_THREADS */

-			rc = REWRITE_NO_SUCH_OBJECT;
+			rc = LDAP_NO_SUCH_OBJECT;
 			break;
 		}


--- a/servers/Makefile.in
+++ b/servers/Makefile.in
 # servers Makefile.in for OpenLDAP
 # $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
 ## Copyright 1998-2005 The OpenLDAP Foundation.
 ## All rights reserved.
 ##

--- a/servers/slapd/add.c
+++ b/servers/slapd/add.c
@@ -220,14 +220,18 @@ fe_op_add( Operation *op, SlapReply *rs )
 		if ( !rs->sr_ref ) rs->sr_ref = default_referral;
 		if ( rs->sr_ref ) {
 			rs->sr_err = LDAP_REFERRAL;
+			op->o_bd = frontendDB;
 			send_ldap_result( op, rs );
+			op->o_bd = NULL;

 			if ( rs->sr_ref != default_referral ) {
 				ber_bvarray_free( rs->sr_ref );
 			}
 		} else {
+			op->o_bd = frontendDB;
 			send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
 				"no global superior knowledge" );
+			op->o_bd = NULL;
 		}
 		goto done;
 	}