Skip to content

GitLab

Commit a7f4102b authored by Quanah Gibson-Mount's avatar Quanah Gibson-Mount
Browse files

ITS#6150

parent aebb63ec
Hide whitespace changes
Inline Side-by-side
CHANGES
View file @ a7f4102b
......@@ -7,6 +7,7 @@ OpenLDAP 2.4.17 Engineering
Fixed liblutil opendir/closedir on windows (ITS#6041)
Fixed liblutil for _GNU_SOURCE (ITS#5464,ITS#5666)
Added slapd sasl auxprop support (ITS#6147)
Added slapd schema checking tool (ITS#6150)
Fixed slapd assert with closing connections (ITS#6111)
Fixed slapd cert validation (ITS#6098)
Fixed slapd errno handling (ITS#6037)
......
doc/man/man8/slapschema.8 0 → 100644
View file @ a7f4102b
.TH SLAPSCHEMA 8C "RELEASEDATE" "OpenLDAP LDVERSION"
.\" Copyright 1998-2009 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
slapschema \- SLAPD in-database schema checking utility
.SH SYNOPSIS
.B SBINDIR/slapschema
.B [\-a filter]
.B [\-b suffix]
.B [\-c]
.B [\-d level]
.B [\-f slapd.conf]
.B [\-F confdir]
.B [\-g]
.B [\-l error-file]
.B [\-n dbnum]
.B [\-o name[=value]]
.B [\-s subtree-dn]
.B [\-v]
.B
.LP
.SH DESCRIPTION
.LP
.B Slapschema
is used to check schema compliance of the contents of a
.BR slapd (8)
database.
It opens the given database determined by the database number or
suffix and checks the compliance of its contents with the corresponding
schema. Errors are written to standard output or the specified file.
Databases configured as
.B subordinate
of this one are also output, unless \fB-g\fP is specified.
.LP
Administrators may need to modify existing schema items, including
adding new required attributes to objectClasses,
removing existing required or allowed attributes from objectClasses,
entirely removing objectClasses,
or any other change that may result in making perfectly valid entries
no longer compliant with the modified schema.
The execution of the
.B slapschema tool after modifying the schema can point out
inconsistencies that would otherwise surface only as soon as
inconsistent entries need to be modified.
.LP
The entry records are checked in database order, not superior first
order. The entry records will be checked considering all
(user and operational) attributes stored in the database.
Dynamically generated attributes (such as subschemaSubentry)
will not be considered.
.SH OPTIONS
.TP
.BI \-a " filter"
Only check entries matching the asserted filter.
For example
slapschema -a \\
"(!(entryDN:dnSubtreeMatch:=ou=People,dc=example,dc=com))"
will check all but the "ou=People,dc=example,dc=com" subtree
of the "dc=example,dc=com" database.
.TP
.BI \-b " suffix"
Use the specified \fIsuffix\fR to determine which database to
check. The \-b cannot be used in conjunction
with the
.B \-n
option.
.TP
.B \-c
Enable continue (ignore errors) mode.
.TP
.BI \-d " level"
Enable debugging messages as defined by the specified
.IR level ;
see
.BR slapd (8)
for details.
.TP
.BI \-f " slapd.conf"
Specify an alternative
.BR slapd.conf (5)
file.
.TP
.BI \-F " confdir"
specify a config directory.
If both
.B -f
and
.B -F
are specified, the config file will be read and converted to
config directory format and written to the specified directory.
If neither option is specified, an attempt to read the
default config directory will be made before trying to use the default
config file. If a valid config directory exists then the
default config file is ignored.
.TP
.B \-g
disable subordinate gluing. Only the specified database will be
processed, and not its glued subordinates (if any).
.TP
.BI \-l " error-file"
Write errors to specified file instead of standard output.
.TP
.BI \-n " dbnum"
Check the \fIdbnum\fR\-th database listed in the
configuration file. The config database
.BR slapd-config (5),
is always the first database, so use
.B \-n 0
The
.B \-n
cannot be used in conjunction with the
.B \-b
option.
.TP
.BI \-o " option[=value]"
Specify an
.BR option
with a(n optional)
.BR value .
Possible generic options/values are:
.LP
.nf
syslog=<subsystems> (see `\-s' in slapd(8))
syslog-level=<level> (see `\-S' in slapd(8))
syslog-user=<user> (see `\-l' in slapd(8))
.fi
.TP
.BI \-s " subtree-dn"
Only check entries in the subtree specified by this DN.
Implies `-b subtree-dn' if no
.B \-b
nor
.B \-n
option is given.
.TP
.B \-v
Enable verbose mode.
.SH LIMITATIONS
For some backend types, your
.BR slapd (8)
should not be running (at least, not in read-write
mode) when you do this to ensure consistency of the database. It is
always safe to run
.B slapschema
with the
.BR slapd-bdb (5),
.BR slapd-hdb (5),
and
.BR slapd-null (5)
backends.
.SH EXAMPLES
To check the schema compliance of your SLAPD database after modifications
to the schema, and put any error in a file called
.BR errors.ldif ,
give the command:
.LP
.nf
.ft tt
SBINDIR/slapcat -l errors.ldif
.ft
.fi
.SH "SEE ALSO"
.BR ldap (3),
.BR ldif (5),
.BR slapd (8)
.LP
"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
.SH ACKNOWLEDGEMENTS
.so ../Project
servers/slapd/Makefile.in
View file @ a7f4102b
......@@ -13,7 +13,7 @@
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.
SLAPTOOLS=slapadd slapcat slapdn slapindex slappasswd slaptest slapauth slapacl
SLAPTOOLS=slapadd slapcat slapdn slapindex slappasswd slaptest slapauth slapacl slapschema
PROGRAMS=slapd $(SLAPTOOLS)
XPROGRAMS=sslapd libbackends.a .backend liboverlays.a
XSRCS=version.c
......@@ -38,7 +38,7 @@ SRCS = main.c globals.c bconfig.c config.c daemon.c \
backglue.c backover.c ctxcsn.c ldapsync.c frontend.c \
slapadd.c slapcat.c slapcommon.c slapdn.c slapindex.c \
slappasswd.c slaptest.c slapauth.c slapacl.c component.c \
aci.c alock.c txn.c \
aci.c alock.c txn.c slapschema.c \
$(@PLAT@_SRCS)
OBJS = main.o globals.o bconfig.o config.o daemon.o \
......@@ -56,7 +56,7 @@ OBJS = main.o globals.o bconfig.o config.o daemon.o \
backglue.o backover.o ctxcsn.o ldapsync.o frontend.o \
slapadd.o slapcat.o slapcommon.o slapdn.o slapindex.o \
slappasswd.o slaptest.o slapauth.o slapacl.o component.o \
aci.o alock.o txn.o \
aci.o alock.o txn.o slapschema.o \
$(@PLAT@_OBJS)
LDAP_INCDIR= ../../include -I$(srcdir) -I$(srcdir)/slapi -I.
......
servers/slapd/main.c
View file @ a7f4102b
......@@ -65,7 +65,7 @@ static struct sockaddr_in bind_addr;
typedef int (MainFunc) LDAP_P(( int argc, char *argv[] ));
extern MainFunc slapadd, slapcat, slapdn, slapindex, slappasswd,
slaptest, slapauth, slapacl;
slaptest, slapauth, slapacl, slapschema;
static struct {
char *name;
......@@ -76,6 +76,7 @@ static struct {
{"slapdn", slapdn},
{"slapindex", slapindex},
{"slappasswd", slappasswd},
{"slapschema", slapschema},
{"slaptest", slaptest},
{"slapauth", slapauth},
{"slapacl", slapacl},
......
servers/slapd/slapcommon.c
View file @ a7f4102b
......@@ -94,6 +94,11 @@ usage( int tool, const char *progname )
case SLAPTEST:
options = " [-u]\n";
break;
case SLAPSCHEMA:
options = " [-c]\n\t[-g] [-n databasenumber | -b suffix]"
" [-l errorfile] [-a filter] [-s subtree]\n";
break;
}
if ( options != NULL ) {
......@@ -222,6 +227,7 @@ slap_tool_init(
int mode = SLAP_TOOL_MODE;
int truncatemode = 0;
int use_glue = 1;
int writer;
#ifdef LDAP_DEBUG
/* tools default to "none", so that at least LDAP_DEBUG_ANY
......@@ -255,6 +261,11 @@ slap_tool_init(
mode |= SLAP_TOOL_READMAIN | SLAP_TOOL_READONLY;
break;
case SLAPSCHEMA:
options = "a:b:cd:f:F:gl:n:o:s:v";
mode |= SLAP_TOOL_READMAIN | SLAP_TOOL_READONLY;
break;
case SLAPTEST:
options = "d:f:F:o:Quv";
mode |= SLAP_TOOL_READMAIN | SLAP_TOOL_READONLY;
......@@ -396,7 +407,7 @@ slap_tool_init(
case 's': /* dump subtree */
if ( tool == SLAPADD )
mode |= SLAP_TOOL_NO_SCHEMA_CHECK;
else if ( tool == SLAPCAT )
else if ( tool == SLAPCAT || tool == SLAPSCHEMA )
subtree = ch_strdup( optarg );
break;
......@@ -453,9 +464,21 @@ slap_tool_init(
}
#endif /* LDAP_DEBUG && LDAP_SYSLOG */
switch ( tool ) {
case SLAPCAT:
case SLAPSCHEMA:
writer = 1;
break;
default:
writer = 0;
break;
}
switch ( tool ) {
case SLAPADD:
case SLAPCAT:
case SLAPSCHEMA:
if ( ( argc != optind ) || (dbnum >= 0 && base.bv_val != NULL ) ) {
usage( tool, progname );
}
......@@ -502,10 +525,10 @@ slap_tool_init(
}
if ( ldiffile == NULL ) {
dummy.fp = tool == SLAPCAT ? stdout : stdin;
dummy.fp = writer ? stdout : stdin;
ldiffp = &dummy;
} else if ((ldiffp = ldif_open( ldiffile, tool == SLAPCAT ? "w" : "r" ))
} else if ((ldiffp = ldif_open( ldiffile, writer ? "w" : "r" ))
== NULL )
{
perror( ldiffile );
......@@ -554,6 +577,7 @@ slap_tool_init(
case SLAPADD:
case SLAPCAT:
case SLAPINDEX:
case SLAPSCHEMA:
if ( !nbackends ) {
fprintf( stderr, "No databases found "
"in config file\n" );
......
servers/slapd/slapcommon.h
View file @ a7f4102b
......@@ -26,6 +26,7 @@ enum slaptool {
SLAPDN, /* DN check w/ syntax tool */
SLAPINDEX, /* database index tool */
SLAPPASSWD, /* password generation tool */
SLAPSCHEMA, /* schema checking tool */
SLAPTEST, /* slapd.conf test tool */
SLAPAUTH, /* test authz-regexp and authc/authz stuff */
SLAPACL, /* test acl */
......
servers/slapd/slapschema.c 0 → 100644
View file @ a7f4102b
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 1998-2009 The OpenLDAP Foundation.
* Portions Copyright 1998-2003 Kurt D. Zeilenga.
* Portions Copyright 2003 IBM Corporation.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted only as authorized by the OpenLDAP
* Public License.
*
* A copy of this license is available in file LICENSE in the
* top-level directory of the distribution or, alternatively, at
* <http://www.OpenLDAP.org/license.html>.
*/
/* ACKNOWLEDGEMENTS:
* This work was initially developed by Pierangelo Masarati for inclusion
* in OpenLDAP Software. Code portions borrowed from slapcat.c;
* contributors are Kurt Zeilenga and Jong Hyuk Choi
*/
#include "portable.h"
#include <stdio.h>
#include "ac/stdlib.h"
#include "ac/ctype.h"
#include "ac/socket.h"
#include "ac/string.h"
#include "slapcommon.h"
#include "ldif.h"
static volatile sig_atomic_t gotsig;
static RETSIGTYPE
slapcat_sig( int sig )
{
gotsig=1;
}
int
slapschema( int argc, char **argv )
{
ID id;
int rc = EXIT_SUCCESS;
const char *progname = "slapschema";
Connection conn = { 0 };
OperationBuffer opbuf;
Operation *op = NULL;
slap_tool_init( progname, SLAPCAT, argc, argv );
#ifdef SIGPIPE
(void) SIGNAL( SIGPIPE, slapcat_sig );
#endif
#ifdef SIGHUP
(void) SIGNAL( SIGHUP, slapcat_sig );
#endif
(void) SIGNAL( SIGINT, slapcat_sig );
(void) SIGNAL( SIGTERM, slapcat_sig );
if( !be->be_entry_open ||
!be->be_entry_close ||
!be->be_entry_first ||
!be->be_entry_next ||
!be->be_entry_get )
{
fprintf( stderr, "%s: database doesn't support necessary operations.\n",
progname );
exit( EXIT_FAILURE );
}
if( be->be_entry_open( be, 0 ) != 0 ) {
fprintf( stderr, "%s: could not open database.\n",
progname );
exit( EXIT_FAILURE );
}
connection_fake_init( &conn, &opbuf, &conn );
op = &opbuf.ob_op;
op->o_tmpmemctx = NULL;
op->o_bd = be;
for ( id = be->be_entry_first( be );
id != NOID;
id = be->be_entry_next( be ) )
{
Entry* e;
char textbuf[SLAP_TEXT_BUFLEN];
size_t textlen = sizeof(textbuf);
const char *text = NULL;
if ( gotsig )
break;
e = be->be_entry_get( be, id );
if ( e == NULL ) {
printf("# no data for entry id=%08lx\n\n", (long) id );
rc = EXIT_FAILURE;
if( continuemode ) continue;
break;
}
if( sub_ndn.bv_len && !dnIsSuffix( &e->e_nname, &sub_ndn ) ) {
be_entry_release_r( op, e );
continue;
}
if( filter != NULL ) {
int rc = test_filter( NULL, e, filter );
if( rc != LDAP_COMPARE_TRUE ) {
be_entry_release_r( op, e );
continue;
}
}
if( verbose ) {
printf( "# id=%08lx\n", (long) id );
}
rc = entry_schema_check( op, e, NULL, 0, 0, NULL,
&text, textbuf, textlen );
if ( rc != LDAP_SUCCESS ) {
fprintf( ldiffp->fp, "# (%d) %s%s%s\n",
rc, ldap_err2string( rc ),
text ? ": " : "",
text ? text : "" );
fprintf( ldiffp->fp, "dn: %s\n\n", e->e_name.bv_val );
}
be_entry_release_r( op, e );
}
be->be_entry_close( be );
if ( slap_tool_destroy() )
rc = EXIT_FAILURE;
return rc;
}
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment