/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
 *
 * Copyright 1999-2008 The OpenLDAP Foundation.
 * Portions Copyright 2001-2003 Pierangelo Masarati.
 * Portions Copyright 1999-2003 Howard Chu.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted only as authorized by the OpenLDAP
 * Public License.
 *
 * A copy of this license is available in the file LICENSE in the
 * top-level directory of the distribution or, alternatively, at
 * <http://www.OpenLDAP.org/license.html>.
 */
/* ACKNOWLEDGEMENTS:
 * This work was initially developed by Howard Chu for inclusion
 * in OpenLDAP Software and subsequently enhanced by Pierangelo
 * Masarati.
 */

#include "portable.h"

#include <stdio.h>

#include <ac/string.h>
#include <ac/socket.h>

#include "slap.h"
#include "lutil.h"
#include "../back-ldap/back-ldap.h"
#undef ldap_debug       /* silence a warning in ldap-int.h */
#include "../../../libraries/libldap/ldap-int.h"
#include "back-meta.h"

/*
 * Allocate a metatarget_t, fill in its default settings and hand it back
 * through *mtp.
 *
 * Returns 0 with *mtp pointing at the new target.  If the rewrite engine
 * cannot be initialized, the target is freed, *mtp stays NULL and -1 is
 * returned.
 */
static int
meta_back_new_target(
	metatarget_t	**mtp )
{
	/* rewrite contexts declared (empty) on every new target, in this order */
	char			*contexts[] = { "searchFilter", "default" };
	char			*rargv[ 3 ];
	metatarget_t		*target;
	unsigned		n;

	/* the caller sees NULL unless construction completes */
	*mtp = NULL;

	target = ch_calloc( sizeof( metatarget_t ), 1 );

	target->mt_rwmap.rwm_rw = rewrite_info_init( REWRITE_MODE_USE_DEFAULT );
	if ( target->mt_rwmap.rwm_rw == NULL ) {
		ch_free( target );
		return -1;
	}

	/*
	 * Rewriting the search filter as a string must be disabled by
	 * default; declaring the "searchFilter" context with no rules
	 * does that, and it can be re-enabled by adding rules later.
	 * The "default" context is declared empty in the same way.
	 *
	 * NOTE(review): the result of rewrite_parse() is not checked, so
	 * a failure to create either context goes unnoticed here.
	 */
	for ( n = 0; n < sizeof( contexts ) / sizeof( contexts[ 0 ] ); n++ ) {
		rargv[ 0 ] = "rewriteContext";
		rargv[ 1 ] = contexts[ n ];
		rargv[ 2 ] = NULL;
		rewrite_parse( target->mt_rwmap.rwm_rw, "<suffix massage>", 1, 2, rargv );
	}

	ldap_pvt_thread_mutex_init( &target->mt_uri_mutex );

	/* identity assertion defaults: legacy mode, no bind method, default TLS */
	target->mt_idassert_mode = LDAP_BACK_IDASSERT_LEGACY;
	target->mt_idassert_authmethod = LDAP_AUTH_NONE;
	target->mt_idassert_tls = SB_TLS_DEFAULT;

	/* by default, use proxyAuthz control on each operation */
	target->mt_idassert_flags = LDAP_BACK_AUTH_PRESCRIPTIVE;

	*mtp = target;

	return 0;
}

/*
 * Interpret a boolean keyword, ignoring case.
 *
 * Returns 1 for "true" or "yes", 0 for "false" or "no", and -1 for any
 * other string, so callers can report an unknown argument.
 */
static int
check_true_false( char *str )
{
	static const struct {
		const char	*word;
		int		value;
	} keywords[] = {
		{ "true", 1 },
		{ "yes", 1 },
		{ "false", 0 },
		{ "no", 0 }
	};
	unsigned	k;

	for ( k = 0; k < sizeof( keywords ) / sizeof( keywords[ 0 ] ); k++ ) {
		if ( strcasecmp( str, keywords[ k ].word ) == 0 ) {
			return keywords[ k ].value;
		}
	}

	/* not a recognized boolean keyword */
	return -1;
}


int
meta_back_db_config(
		BackendDB	*be,
		const char	*fname,
		int		lineno,
		int		argc,
		char		**argv
)
{
	metainfo_t	*mi = ( metainfo_t * )be->be_private;

	assert( mi != NULL );

	/* URI of server to query */
	if ( strcasecmp( argv[ 0 ], "uri" ) == 0 ) {
		int 		i = mi->mi_ntargets;
		LDAPURLDesc 	*ludp;
		struct berval	dn;
		int		rc;
		int		c;

		metatarget_t	*mt;

		char		**uris = NULL;
		
		if ( argc == 1 ) {
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: missing URI "
	"in \"uri <protocol>://<server>[:port]/<naming context>\" line\n",
				fname, lineno, 0 );
			return 1;
		}

		if ( be->be_nsuffix == NULL ) {
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: the suffix must be defined before any target.\n",
				fname, lineno, 0 );
			return 1;
		}
		
		++mi->mi_ntargets;

		mi->mi_targets = ( metatarget_t ** )ch_realloc( mi->mi_targets, 
			sizeof( metatarget_t * ) * mi->mi_ntargets );
		if ( mi->mi_targets == NULL ) {
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: out of memory while storing server name"
	" in \"uri <protocol>://<server>[:port]/<naming context>\" line\n",
				fname, lineno, 0 );
			return 1;
		}

		if ( meta_back_new_target( &mi->mi_targets[ i ] ) != 0 ) {
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: unable to init server"
	" in \"uri <protocol>://<server>[:port]/<naming context>\" line\n",
				fname, lineno, 0 );
			return 1;
		}

		mt = mi->mi_targets[ i ];

		mt->mt_rebind_f = mi->mi_rebind_f;
		mt->mt_urllist_f = mi->mi_urllist_f;
		mt->mt_urllist_p = mt;

		mt->mt_nretries = mi->mi_nretries;
		mt->mt_quarantine = mi->mi_quarantine;
		if ( META_BACK_QUARANTINE( mi ) ) {
			ldap_pvt_thread_mutex_init( &mt->mt_quarantine_mutex );
		}
		mt->mt_flags = mi->mi_flags;
		mt->mt_version = mi->mi_version;
		mt->mt_network_timeout = mi->mi_network_timeout;
		mt->mt_bind_timeout = mi->mi_bind_timeout;
		for ( c = 0; c < SLAP_OP_LAST; c++ ) {
			mt->mt_timeout[ c ] = mi->mi_timeout[ c ];
		}

		for ( c = 1; c < argc; c++ ) {
			char	**tmpuris = ldap_str2charray( argv[ c ], "\t" );

			if ( tmpuris == NULL ) {
				Debug( LDAP_DEBUG_ANY,
	"%s: line %d: unable to parse URIs #%d"
	" in \"uri <protocol>://<server>[:port]/<naming context>\" line\n",
				fname, lineno, c - 1 );
				return 1;
			}

			if ( c == 0 ) {
				uris = tmpuris;

			} else {
				ldap_charray_merge( &uris, tmpuris );
				ldap_charray_free( tmpuris );
			}
		}

		for ( c = 0; uris[ c ] != NULL; c++ ) {
			char *tmpuri = NULL;

			/*
			 * uri MUST be legal!
			 */
			if ( ldap_url_parselist_ext( &ludp, uris[ c ], "\t",
					LDAP_PVT_URL_PARSE_NONE ) != LDAP_SUCCESS
				|| ludp->lud_next != NULL )
			{
				Debug( LDAP_DEBUG_ANY,
		"%s: line %d: unable to parse URI #%d"
		" in \"uri <protocol>://<server>[:port]/<naming context>\" line\n",
					fname, lineno, c );
				ldap_charray_free( uris );
				return 1;
			}

			if ( c == 0 ) {

				/*
				 * uri MUST have the <dn> part!
				 */
				if ( ludp->lud_dn == NULL ) {
					Debug( LDAP_DEBUG_ANY,
			"%s: line %d: missing <naming context> "
			" in \"uri <protocol>://<server>[:port]/<naming context>\" line\n",
						fname, lineno, 0 );
					ldap_free_urllist( ludp );
					ldap_charray_free( uris );
					return 1;
				}

				/*
				 * copies and stores uri and suffix
				 */
				ber_str2bv( ludp->lud_dn, 0, 0, &dn );
				rc = dnPrettyNormal( NULL, &dn, &mt->mt_psuffix,
					&mt->mt_nsuffix, NULL );
				if ( rc != LDAP_SUCCESS ) {
					Debug( LDAP_DEBUG_ANY, "%s: line %d: "
						"target \"%s\" DN is invalid\n",
						fname, lineno, argv[ 1 ] );
					ldap_free_urllist( ludp );
					ldap_charray_free( uris );
					return( 1 );
				}

				ludp->lud_dn[ 0 ] = '\0';

				switch ( ludp->lud_scope ) {
				case LDAP_SCOPE_DEFAULT:
					mt->mt_scope = LDAP_SCOPE_SUBTREE;
					break;

				case LDAP_SCOPE_SUBTREE:
				case LDAP_SCOPE_SUBORDINATE:
					mt->mt_scope = ludp->lud_scope;
					break;

				default:
					Debug( LDAP_DEBUG_ANY, "%s: line %d: "
						"invalid scope for target \"%s\"\n",
						fname, lineno, argv[ 1 ] );
					ldap_free_urllist( ludp );
					ldap_charray_free( uris );
					return( 1 );
				}

			} else {
				/* check all, to apply the scope check on the first one */
				if ( ludp->lud_dn != NULL && ludp->lud_dn[ 0 ] != '\0' ) {
					Debug( LDAP_DEBUG_ANY, "%s: line %d: "
						"multiple URIs must have "
						"no DN part\n",
						fname, lineno, 0 );
					ldap_free_urllist( ludp );
					ldap_charray_free( uris );
					return( 1 );

				}
			}

			tmpuri = ldap_url_list2urls( ludp );
			ldap_free_urllist( ludp );
			if ( tmpuri == NULL ) {
				Debug( LDAP_DEBUG_ANY, "%s: line %d: no memory?\n",
					fname, lineno, 0 );
				ldap_charray_free( uris );
				return( 1 );
			}
			ldap_memfree( uris[ c ] );
			uris[ c ] = tmpuri;
		}

		mt->mt_uri = ldap_charray2str( uris, " " );
		ldap_charray_free( uris );
		if ( mt->mt_uri == NULL) {
			Debug( LDAP_DEBUG_ANY, "%s: line %d: no memory?\n",
				fname, lineno, 0 );
			return( 1 );
		}
		
		/*
		 * uri MUST be a branch of suffix!
		 */
		for ( c = 0; !BER_BVISNULL( &be->be_nsuffix[ c ] ); c++ ) {
			if ( dnIsSuffix( &mt->mt_nsuffix, &be->be_nsuffix[ c ] ) ) {
				break;
			}
		}

		if ( BER_BVISNULL( &be->be_nsuffix[ c ] ) ) {
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: <naming context> of URI must be within the naming context of this database.\n",
				fname, lineno, 0 );
			return 1;
		}

	/* subtree-exclude */
	} else if ( strcasecmp( argv[ 0 ], "subtree-exclude" ) == 0 ) {
		int 		i = mi->mi_ntargets - 1;
		struct berval	dn, ndn;

		if ( i < 0 ) {
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: need \"uri\" directive first\n",
				fname, lineno, 0 );
			return 1;
		}
		
		switch ( argc ) {
		case 1:
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: missing DN in \"subtree-exclude <DN>\" line\n",
			    fname, lineno, 0 );
			return 1;

		case 2:
			break;

		default:
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: too many args in \"subtree-exclude <DN>\" line\n",
			    fname, lineno, 0 );
			return 1;
		}

		ber_str2bv( argv[ 1 ], 0, 0, &dn );
		if ( dnNormalize( 0, NULL, NULL, &dn, &ndn, NULL )
			!= LDAP_SUCCESS )
		{
			Debug( LDAP_DEBUG_ANY, "%s: line %d: "
					"subtree-exclude DN=\"%s\" is invalid\n",
					fname, lineno, argv[ 1 ] );
			return( 1 );
		}

		if ( !dnIsSuffix( &ndn, &mi->mi_targets[ i ]->mt_nsuffix ) ) {
			Debug( LDAP_DEBUG_ANY, "%s: line %d: "
					"subtree-exclude DN=\"%s\" "
					"must be subtree of target\n",
					fname, lineno, argv[ 1 ] );
			ber_memfree( ndn.bv_val );
			return( 1 );
		}

		if ( mi->mi_targets[ i ]->mt_subtree_exclude != NULL ) {
			int		j;

			for ( j = 0; !BER_BVISNULL( &mi->mi_targets[ i ]->mt_subtree_exclude[ j ] ); j++ )
			{
				if ( dnIsSuffix( &mi->mi_targets[ i ]->mt_subtree_exclude[ j ], &ndn ) ) {
					Debug( LDAP_DEBUG_ANY, "%s: line %d: "
							"subtree-exclude DN=\"%s\" "
							"is suffix of another subtree-exclude\n",
							fname, lineno, argv[ 1 ] );
					/* reject, because it might be superior
					 * to more than one subtree-exclude */
					ber_memfree( ndn.bv_val );
					return( 1 );

				} else if ( dnIsSuffix( &ndn, &mi->mi_targets[ i ]->mt_subtree_exclude[ j ] ) ) {
					Debug( LDAP_DEBUG_ANY, "%s: line %d: "
							"another subtree-exclude is suffix of "
							"subtree-exclude DN=\"%s\"\n",
							fname, lineno, argv[ 1 ] );
					ber_memfree( ndn.bv_val );
					return( 0 );
				}
			}
		}

		ber_bvarray_add( &mi->mi_targets[ i ]->mt_subtree_exclude, &ndn );

	/* default target directive */
	} else if ( strcasecmp( argv[ 0 ], "default-target" ) == 0 ) {
		int 		i = mi->mi_ntargets - 1;
		
		if ( argc == 1 ) {
 			if ( i < 0 ) {
				Debug( LDAP_DEBUG_ANY,
	"%s: line %d: \"default-target\" alone need be"
       	" inside a \"uri\" directive\n",
					fname, lineno, 0 );
				return 1;
			}
			mi->mi_defaulttarget = i;

		} else {
			if ( strcasecmp( argv[ 1 ], "none" ) == 0 ) {
				if ( i >= 0 ) {
					Debug( LDAP_DEBUG_ANY,
	"%s: line %d: \"default-target none\""
       	" should go before uri definitions\n",
						fname, lineno, 0 );
				}
				mi->mi_defaulttarget = META_DEFAULT_TARGET_NONE;

			} else {
				
				if ( lutil_atoi( &mi->mi_defaulttarget, argv[ 1 ] ) != 0
					|| mi->mi_defaulttarget < 0
					|| mi->mi_defaulttarget >= i - 1 )
				{
					Debug( LDAP_DEBUG_ANY,
	"%s: line %d: illegal target number %d\n",
						fname, lineno, mi->mi_defaulttarget );
					return 1;
				}
			}
		}
		
	/* ttl of dn cache */
	} else if ( strcasecmp( argv[ 0 ], "dncache-ttl" ) == 0 ) {
		if ( argc != 2 ) {
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: missing ttl in \"dncache-ttl <ttl>\" line\n",
				fname, lineno, 0 );
			return 1;
		}
		
		if ( strcasecmp( argv[ 1 ], "forever" ) == 0 ) {
			mi->mi_cache.ttl = META_DNCACHE_FOREVER;

		} else if ( strcasecmp( argv[ 1 ], "disabled" ) == 0 ) {
			mi->mi_cache.ttl = META_DNCACHE_DISABLED;

		} else {
			unsigned long	t;

			if ( lutil_parse_time( argv[ 1 ], &t ) != 0 ) {
				Debug( LDAP_DEBUG_ANY,
	"%s: line %d: unable to parse ttl \"%s\" in \"dncache-ttl <ttl>\" line\n",
					fname, lineno, argv[ 1 ] );
				return 1;
			}
			mi->mi_cache.ttl = (time_t)t;
		}

	/* network timeout when connecting to ldap servers */
	} else if ( strcasecmp( argv[ 0 ], "network-timeout" ) == 0 ) {
		unsigned long	t;
		time_t		*tp = mi->mi_ntargets ?
				&mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_network_timeout
				: &mi->mi_network_timeout;

		if ( argc != 2 ) {
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: missing network timeout in \"network-timeout <seconds>\" line\n",
				fname, lineno, 0 );
			return 1;
		}

		if ( lutil_parse_time( argv[ 1 ], &t ) ) {
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: unable to parse timeout \"%s\" in \"network-timeout <seconds>\" line\n",
				fname, lineno, argv[ 1 ] );
			return 1;

		}

		*tp = (time_t)t;

	/* idle timeout when connecting to ldap servers */
	} else if ( strcasecmp( argv[ 0 ], "idle-timeout" ) == 0 ) {
		unsigned long	t;

		switch ( argc ) {
		case 1:
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: missing timeout value in \"idle-timeout <seconds>\" line\n",
				fname, lineno, 0 );
			return 1;
		case 2:
			break;
		default:
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: extra cruft after timeout value in \"idle-timeout <seconds>\" line\n",
				fname, lineno, 0 );
			return 1;
		}

		if ( lutil_parse_time( argv[ 1 ], &t ) ) {
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: unable to parse timeout \"%s\" in \"idle-timeout <seconds>\" line\n",
				fname, lineno, argv[ 1 ] );
			return 1;

		}

		mi->mi_idle_timeout = (time_t)t;

	/* conn ttl */
	} else if ( strcasecmp( argv[ 0 ], "conn-ttl" ) == 0 ) {
		unsigned long	t;

		switch ( argc ) {
		case 1:
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: missing ttl value in \"conn-ttl <seconds>\" line\n",
				fname, lineno, 0 );
			return 1;
		case 2:
			break;
		default:
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: extra cruft after ttl value in \"conn-ttl <seconds>\" line\n",
				fname, lineno, 0 );
			return 1;
		}

		if ( lutil_parse_time( argv[ 1 ], &t ) ) {
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: unable to parse ttl \"%s\" in \"conn-ttl <seconds>\" line\n",
				fname, lineno, argv[ 1 ] );
			return 1;

		}

		mi->mi_conn_ttl = (time_t)t;

	/* bind timeout when connecting to ldap servers */
	} else if ( strcasecmp( argv[ 0 ], "bind-timeout" ) == 0 ) {
		unsigned long	t;
		struct timeval	*tp = mi->mi_ntargets ?
				&mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_bind_timeout
				: &mi->mi_bind_timeout;

		switch ( argc ) {
		case 1:
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: missing timeout value in \"bind-timeout <microseconds>\" line\n",
				fname, lineno, 0 );
			return 1;
		case 2:
			break;
		default:
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: extra cruft after timeout value in \"bind-timeout <microseconds>\" line\n",
				fname, lineno, 0 );
			return 1;
		}

		if ( lutil_atoul( &t, argv[ 1 ] ) != 0 ) {
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: unable to parse timeout \"%s\" in \"bind-timeout <microseconds>\" line\n",
				fname, lineno, argv[ 1 ] );
			return 1;

		}

		tp->tv_sec = t/1000000;
		tp->tv_usec = t%1000000;

	/* name to use for meta_back_group */
	} else if ( strcasecmp( argv[ 0 ], "acl-authcDN" ) == 0
			|| strcasecmp( argv[ 0 ], "binddn" ) == 0 )
	{
		int 		i = mi->mi_ntargets - 1;
		struct berval	dn;

		if ( i < 0 ) {
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: need \"uri\" directive first\n",
				fname, lineno, 0 );
			return 1;
		}
		
		if ( argc != 2 ) {
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: missing name in \"binddn <name>\" line\n",
				fname, lineno, 0 );
			return 1;
		}

		if ( strcasecmp( argv[ 0 ], "binddn" ) == 0 ) {
			Debug( LDAP_DEBUG_ANY, "%s: line %d: "
				"\"binddn\" statement is deprecated; "
				"use \"acl-authcDN\" instead\n",
				fname, lineno, 0 );
			/* FIXME: some day we'll need to throw an error */
		}

		ber_str2bv( argv[ 1 ], 0, 0, &dn );
		if ( dnNormalize( 0, NULL, NULL, &dn, &mi->mi_targets[ i ]->mt_binddn,
			NULL ) != LDAP_SUCCESS )
		{
			Debug( LDAP_DEBUG_ANY, "%s: line %d: "
					"bind DN '%s' is invalid\n",
					fname, lineno, argv[ 1 ] );
			return( 1 );
		}

	/* password to use for meta_back_group */
	} else if ( strcasecmp( argv[ 0 ], "acl-passwd" ) == 0
			|| strcasecmp( argv[ 0 ], "bindpw" ) == 0 )
	{
		int 		i = mi->mi_ntargets - 1;

		if ( i < 0 ) {
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: need \"uri\" directive first\n",
				fname, lineno, 0 );
			return 1;
		}
		
		if ( argc != 2 ) {
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: missing password in \"bindpw <password>\" line\n",
			    fname, lineno, 0 );
			return 1;
		}

		if ( strcasecmp( argv[ 0 ], "bindpw" ) == 0 ) {
			Debug( LDAP_DEBUG_ANY, "%s: line %d: "
				"\"bindpw\" statement is deprecated; "
				"use \"acl-passwd\" instead\n",
				fname, lineno, 0 );
			/* FIXME: some day we'll need to throw an error */
		}

		ber_str2bv( argv[ 1 ], 0L, 1, &mi->mi_targets[ i ]->mt_bindpw );
		
	/* save bind creds for referral rebinds? */
	} else if ( strcasecmp( argv[ 0 ], "rebind-as-user" ) == 0 ) {
		if ( argc > 2 ) {
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: \"rebind-as-user {NO|yes}\" takes 1 argument.\n",
			    fname, lineno, 0 );
			return( 1 );
		}

		if ( argc == 1 ) {
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: deprecated use of \"rebind-as-user {FALSE|true}\" with no arguments.\n",
			    fname, lineno, 0 );
			mi->mi_flags |= LDAP_BACK_F_SAVECRED;

		} else {
			switch ( check_true_false( argv[ 1 ] ) ) {
			case 0:
				mi->mi_flags &= ~LDAP_BACK_F_SAVECRED;
				break;

			case 1:
				mi->mi_flags |= LDAP_BACK_F_SAVECRED;
				break;

			default:
				Debug( LDAP_DEBUG_ANY,
	"%s: line %d: \"rebind-as-user {FALSE|true}\" unknown argument \"%s\".\n",
				    fname, lineno, argv[ 1 ] );
				return 1;
			}
		}

	} else if ( strcasecmp( argv[ 0 ], "chase-referrals" ) == 0 ) {
		unsigned	*flagsp = mi->mi_ntargets ?
				&mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_flags
				: &mi->mi_flags;

		if ( argc != 2 ) {
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: \"chase-referrals {TRUE|false}\" needs 1 argument.\n",
				fname, lineno, 0 );
			return( 1 );
		}

		/* this is the default; we add it because the default might change... */
		switch ( check_true_false( argv[ 1 ] ) ) {
		case 1:
			*flagsp |= LDAP_BACK_F_CHASE_REFERRALS;
			break;

		case 0:
			*flagsp &= ~LDAP_BACK_F_CHASE_REFERRALS;
			break;

		default:
			Debug( LDAP_DEBUG_ANY,
		"%s: line %d: \"chase-referrals {TRUE|false}\": unknown argument \"%s\".\n",
				fname, lineno, argv[ 1 ] );
			return( 1 );
		}
	
	} else if ( strcasecmp( argv[ 0 ], "tls" ) == 0 ) {
		unsigned	*flagsp = mi->mi_ntargets ?
				&mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_flags
				: &mi->mi_flags;

		if ( argc != 2 ) {
			Debug( LDAP_DEBUG_ANY,
		"%s: line %d: \"tls <what>\" needs 1 argument.\n",
				fname, lineno, 0 );
			return( 1 );
		}

		/* start */
		if ( strcasecmp( argv[ 1 ], "start" ) == 0 ) {
			*flagsp |= ( LDAP_BACK_F_USE_TLS | LDAP_BACK_F_TLS_CRITICAL );
	
		/* try start tls */
		} else if ( strcasecmp( argv[ 1 ], "try-start" ) == 0 ) {
			*flagsp &= ~LDAP_BACK_F_TLS_CRITICAL;
			*flagsp |= LDAP_BACK_F_USE_TLS;
	
		/* propagate start tls */
		} else if ( strcasecmp( argv[ 1 ], "propagate" ) == 0 ) {
			*flagsp |= ( LDAP_BACK_F_PROPAGATE_TLS | LDAP_BACK_F_TLS_CRITICAL );
		
		/* try start tls */
		} else if ( strcasecmp( argv[ 1 ], "try-propagate" ) == 0 ) {
			*flagsp &= ~LDAP_BACK_F_TLS_CRITICAL;
			*flagsp |= LDAP_BACK_F_PROPAGATE_TLS;

		} else {
			Debug( LDAP_DEBUG_ANY,
		"%s: line %d: \"tls <what>\": unknown argument \"%s\".\n",
				fname, lineno, argv[ 1 ] );
			return( 1 );
		}

	} else if ( strcasecmp( argv[ 0 ], "t-f-support" ) == 0 ) {
		unsigned	*flagsp = mi->mi_ntargets ?
				&mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_flags
				: &mi->mi_flags;

		if ( argc != 2 ) {
			Debug( LDAP_DEBUG_ANY,
		"%s: line %d: \"t-f-support {FALSE|true|discover}\" needs 1 argument.\n",
				fname, lineno, 0 );
			return( 1 );
		}

		switch ( check_true_false( argv[ 1 ] ) ) {
		case 0:
			*flagsp &= ~LDAP_BACK_F_T_F_MASK2;
			break;

		case 1:
			*flagsp |= LDAP_BACK_F_T_F;
			break;

		default:
			if ( strcasecmp( argv[ 1 ], "discover" ) == 0 ) {
				*flagsp |= LDAP_BACK_F_T_F_DISCOVER;

			} else {
				Debug( LDAP_DEBUG_ANY,
	"%s: line %d: unknown value \"%s\" for \"t-f-support {no|yes|discover}\".\n",
					fname, lineno, argv[ 1 ] );
				return 1;
			}
			break;
		}

	/* onerr? */
	} else if ( strcasecmp( argv[ 0 ], "onerr" ) == 0 ) {
		if ( argc != 2 ) {
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: \"onerr {CONTINUE|report|stop}\" takes 1 argument\n",
				fname, lineno, 0 );
			return( 1 );
		}

		if ( strcasecmp( argv[ 1 ], "continue" ) == 0 ) {
			mi->mi_flags &= ~META_BACK_F_ONERR_MASK;

		} else if ( strcasecmp( argv[ 1 ], "stop" ) == 0 ) {
			mi->mi_flags |= META_BACK_F_ONERR_STOP;

		} else if ( strcasecmp( argv[ 1 ], "report" ) == 0 ) {
			mi->mi_flags |= META_BACK_F_ONERR_REPORT;

		} else {
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: \"onerr {CONTINUE|report|stop}\": invalid arg \"%s\".\n",
				fname, lineno, argv[ 1 ] );
			return 1;
		}

	/* bind-defer? */
	} else if ( strcasecmp( argv[ 0 ], "pseudoroot-bind-defer" ) == 0
		|| strcasecmp( argv[ 0 ], "root-bind-defer" ) == 0 )
	{
		if ( argc != 2 ) {
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: \"[pseudo]root-bind-defer {TRUE|false}\" takes 1 argument\n",
				fname, lineno, 0 );
			return( 1 );
		}

		switch ( check_true_false( argv[ 1 ] ) ) {
		case 0:
			mi->mi_flags &= ~META_BACK_F_DEFER_ROOTDN_BIND;
			break;

		case 1:
			mi->mi_flags |= META_BACK_F_DEFER_ROOTDN_BIND;
			break;

		default:
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: \"[pseudo]root-bind-defer {TRUE|false}\": invalid arg \"%s\".\n",
				fname, lineno, argv[ 1 ] );
			return 1;
		}

	/* single-conn? */
	} else if ( strcasecmp( argv[ 0 ], "single-conn" ) == 0 ) {
		if ( argc != 2 ) {
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: \"single-conn {FALSE|true}\" takes 1 argument\n",
				fname, lineno, 0 );
			return( 1 );
		}

		if ( mi->mi_ntargets > 0 ) {
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: \"single-conn\" must appear before target definitions\n",
				fname, lineno, 0 );
			return( 1 );
		}

		switch ( check_true_false( argv[ 1 ] ) ) {
		case 0:
			mi->mi_flags &= ~LDAP_BACK_F_SINGLECONN;
			break;

		case 1:
			mi->mi_flags |= LDAP_BACK_F_SINGLECONN;
			break;

		default:
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: \"single-conn {FALSE|true}\": invalid arg \"%s\".\n",
				fname, lineno, argv[ 1 ] );
			return 1;
		}

	/* use-temporaries? */
	} else if ( strcasecmp( argv[ 0 ], "use-temporary-conn" ) == 0 ) {
		if ( argc != 2 ) {
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: \"use-temporary-conn {FALSE|true}\" takes 1 argument\n",
				fname, lineno, 0 );
			return( 1 );
		}

		if ( mi->mi_ntargets > 0 ) {
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: \"use-temporary-conn\" must appear before target definitions\n",
				fname, lineno, 0 );
			return( 1 );
		}

		switch ( check_true_false( argv[ 1 ] ) ) {
		case 0:
			mi->mi_flags &= ~LDAP_BACK_F_USE_TEMPORARIES;
			break;

		case 1:
			mi->mi_flags |= LDAP_BACK_F_USE_TEMPORARIES;
			break;

		default:
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: \"use-temporary-conn {FALSE|true}\": invalid arg \"%s\".\n",
				fname, lineno, argv[ 1 ] );
			return 1;
		}

	/* privileged connections pool max size ? */
	} else if ( strcasecmp( argv[ 0 ], "conn-pool-max" ) == 0 ) {
		if ( argc != 2 ) {
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: \"conn-pool-max <n>\" takes 1 argument\n",
				fname, lineno, 0 );
			return( 1 );
		}

		if ( mi->mi_ntargets > 0 ) {
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: \"conn-pool-max\" must appear before target definitions\n",
				fname, lineno, 0 );
			return( 1 );
		}

		if ( lutil_atoi( &mi->mi_conn_priv_max, argv[1] )
			|| mi->mi_conn_priv_max < LDAP_BACK_CONN_PRIV_MIN
			|| mi->mi_conn_priv_max > LDAP_BACK_CONN_PRIV_MAX )
		{
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: \"conn-pool-max <n>\": invalid arg \"%s\".\n",
				fname, lineno, argv[ 1 ] );
			return 1;
		}

	} else if ( strcasecmp( argv[ 0 ], "cancel" ) == 0 ) {
		unsigned 	flag = 0;
		unsigned	*flagsp = mi->mi_ntargets ?
				&mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_flags
				: &mi->mi_flags;

		if ( argc != 2 ) {
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: \"cancel {abandon|ignore|exop}\" takes 1 argument\n",
				fname, lineno, 0 );
			return( 1 );
		}

		if ( strcasecmp( argv[ 1 ], "abandon" ) == 0 ) {
			flag = LDAP_BACK_F_CANCEL_ABANDON;

		} else if ( strcasecmp( argv[ 1 ], "ignore" ) == 0 ) {
			flag = LDAP_BACK_F_CANCEL_IGNORE;

		} else if ( strcasecmp( argv[ 1 ], "exop" ) == 0 ) {
			flag = LDAP_BACK_F_CANCEL_EXOP;

		} else if ( strcasecmp( argv[ 1 ], "exop-discover" ) == 0 ) {
			flag = LDAP_BACK_F_CANCEL_EXOP_DISCOVER;

		} else {
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: \"cancel {abandon|ignore|exop[-discover]}\": unknown mode \"%s\" \n",
				fname, lineno, argv[ 1 ] );
			return( 1 );
		}

		*flagsp &= ~LDAP_BACK_F_CANCEL_MASK2;
		*flagsp |= flag;

	} else if ( strcasecmp( argv[ 0 ], "timeout" ) == 0 ) {
		char	*sep;
		time_t	*tv = mi->mi_ntargets ?
				mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_timeout
				: mi->mi_timeout;
		int	c;

		if ( argc < 2 ) {
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: \"timeout [{add|bind|delete|modify|modrdn}=]<val> [...]\" takes at least 1 argument\n",
				fname, lineno, 0 );
			return( 1 );
		}

		for ( c = 1; c < argc; c++ ) {
			time_t		*t = NULL;
			unsigned long	val;

			sep = strchr( argv[ c ], '=' );
			if ( sep != NULL ) {
				size_t	len = sep - argv[ c ];

				if ( strncasecmp( argv[ c ], "bind", len ) == 0 ) {
					t = &tv[ SLAP_OP_BIND ];
				/* unbind makes little sense */
				} else if ( strncasecmp( argv[ c ], "add", len ) == 0 ) {
					t = &tv[ SLAP_OP_ADD ];
				} else if ( strncasecmp( argv[ c ], "delete", len ) == 0 ) {
					t = &tv[ SLAP_OP_DELETE ];
				} else if ( strncasecmp( argv[ c ], "modrdn", len ) == 0 ) {
					t = &tv[ SLAP_OP_MODRDN ];
				} else if ( strncasecmp( argv[ c ], "modify", len ) == 0 ) {
					t = &tv[ SLAP_OP_MODIFY ];
				} else if ( strncasecmp( argv[ c ], "compare", len ) == 0 ) {
					t = &tv[ SLAP_OP_COMPARE ];
				} else if ( strncasecmp( argv[ c ], "search", len ) == 0 ) {
					t = &tv[ SLAP_OP_SEARCH ];
				/* abandon makes little sense */
#if 0				/* not implemented yet */
				} else if ( strncasecmp( argv[ c ], "extended", len ) == 0 ) {
					t = &tv[ SLAP_OP_EXTENDED ];
#endif
				} else {
					char	buf[ SLAP_TEXT_BUFLEN ];
					snprintf( buf, sizeof( buf ),
						"unknown/unhandled operation \"%s\" for timeout #%d",
						argv[ c ], c - 1 );
					Debug( LDAP_DEBUG_ANY,
						"%s: line %d: %s.\n",
						fname, lineno, buf );
					return 1;
				}
				sep++;
	
			} else {
				sep = argv[ c ];
			}
	
			if ( lutil_parse_time( sep, &val ) != 0 ) {
				Debug( LDAP_DEBUG_ANY,
		"%s: line %d: unable to parse value \"%s\" for timeout.\n",
					fname, lineno, sep );
				return 1;
			}
		
			if ( t ) {
				*t = (time_t)val;
	
			} else {
				int	i;
	
				for ( i = 0; i < SLAP_OP_LAST; i++ ) {
					tv[ i ] = (time_t)val;
				}
			}
		}
	
	/* name to use as pseudo-root dn */
	} else if ( strcasecmp( argv[ 0 ], "pseudorootdn" ) == 0 ) {
		int 		i = mi->mi_ntargets - 1;

		if ( i < 0 ) {
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: need \"uri\" directive first\n",
				fname, lineno, 0 );
			return 1;
		}
		
		if ( argc != 2 ) {
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: missing name in \"pseudorootdn <name>\" line\n",
				fname, lineno, 0 );
			return 1;
		}

		/*
		 * exact replacement:
		 *

idassert-bind	bindmethod=simple
		binddn=<pseudorootdn>
		credentials=<pseudorootpw>
		mode=none
		flags=non-prescriptive
idassert-authzFrom	"dn:<rootdn>"

		 * so that only when authc'd as <rootdn> the proxying occurs
		 * rebinding as the <pseudorootdn> without proxyAuthz.
		 */

		Debug( LDAP_DEBUG_ANY,
			"%s: line %d: \"pseudorootdn\", \"pseudorootpw\" are no longer supported; "
			"use \"idassert-bind\" and \"idassert-authzFrom\" instead.\n",
			fname, lineno, 0 );

		{