diff --git a/doc/guide/admin/slapdconf2.sdf b/doc/guide/admin/slapdconf2.sdf index 0758be66d877f87f597817c2a4c42761bb37d7dd..8ee5dc09571073c95f5c48a40db09774148eef37 100644 --- a/doc/guide/admin/slapdconf2.sdf +++ b/doc/guide/admin/slapdconf2.sdf @@ -1032,8 +1032,8 @@ The general form of the olcAccess configuration is: > [set=<setspec>] > [aci=<attrname>] > <access> ::= [self]{<level>|<priv>} -> <level> ::= none | auth | compare | search | read | write -> <priv> ::= {=|+|-}{w|r|s|c|x|0}+ +> <level> ::= none | disclose | auth | compare | search | read | write | manage +> <priv> ::= {=|+|-}{m|w|r|s|c|x|d|0}+ > <control> ::= [stop | continue | break] where the <what> part selects the entries and/or attributes to which 
@@ -1166,25 +1166,25 @@ As these can easily spoofed, the domain factor should not be avoided. H3: The access to grant - The kind of <access> granted can be one of the following: - !block table; colaligns="LRL"; coltags="EX,EX,N"; align=Center; \ title="Table 5.4: Access Levels" -Level Privileges Description -none =0 no access -auth =x needed to bind -compare =cx needed to compare -search =scx needed to apply search filters -read =rscx needed to read search results -write =wrscx needed to modify/rename +Level Privileges Description +none =0 no access +disclose =d needed for information disclosure on error +auth =dx needed to authenticate (bind) +compare =cdx needed to compare +search =scdx needed to apply search filters +read =rscdx needed to read search results +write =wrscdx needed to modify/rename +manage =mwrscdx needed to manage !endblock -Each level implies all lower levels of access. So, for -example, granting someone {{EX:write}} access to an entry also -grants them {{EX:read}}, {{EX:search}}, {{EX:compare}}, and -{{EX:auth}} access. However, one may use the privileges specifier +Each level implies all lower levels of access. So, for example, +granting someone {{EX:write}} access to an entry also grants them +{{EX:read}}, {{EX:search}}, {{EX:compare}}, {{EX:auth}} and +{{EX:disclose}} access. However, one may use the privileges specifier to grant specific permissions. 
@@ -1192,15 +1192,16 @@ H3: Access Control Evaluation When evaluating whether some requester should be given access to an entry and/or attribute, slapd compares the entry and/or attribute -to the {{EX:<what>}} selectors given in the configuration. -For each entry, access controls provided in the database which holds +to the {{EX:<what>}} selectors given in the configuration. For +each entry, access controls provided in the database which holds the entry (or the first database if not held in any database) apply first, followed by the global access directives (which are held in -the {{EX:frontend}} database definition). Within this -priority, access directives are examined in the order in which they -appear in the configuration attribute. Slapd stops with the first {{EX:<what>}} -selector that matches the entry and/or attribute. The corresponding -access directive is the one slapd will use to evaluate access. +the {{EX:frontend}} database definition). Within this priority, +access directives are examined in the order in which they appear +in the configuration attribute. Slapd stops with the first +{{EX:<what>}} selector that matches the entry and/or attribute. The +corresponding access directive is the one slapd will use to evaluate +access. Next, slapd compares the entity requesting access to the {{EX:<who>}} selectors within the access directive selected above in the order diff --git a/doc/guide/admin/slapdconfig.sdf b/doc/guide/admin/slapdconfig.sdf index bd97c8bc1ea0740dcbd889bf76e124d976726a58..92c0bedd8bb99151afa31c8b3a94be0b5b0d2c50 100644 --- a/doc/guide/admin/slapdconfig.sdf +++ b/doc/guide/admin/slapdconfig.sdf 
@@ -705,8 +705,8 @@ access line is: > [set=<setspec>] > [aci=<attrname>] > <access> ::= [self]{<level>|<priv>} -> <level> ::= none | auth | compare | search | read | write -> <priv> ::= {=|+|-}{w|r|s|c|x|0}+ +> <level> ::= none | disclose | auth | compare | search | read | write | manage +> <priv> ::= {=|+|-}{m|w|r|s|c|x|d|0}+ > <control> ::= [stop | continue | break] where the <what> part selects the entries and/or attributes to which @@ -839,25 +839,25 @@ As these can easily spoofed, the domain factor should not be avoided. H3: The access to grant - The kind of <access> granted can be one of the following: - !block table; colaligns="LRL"; coltags="EX,EX,N"; align=Center; \ title="Table 5.4: Access Levels" -Level Privileges Description -none =0 no access -auth =x needed to bind -compare =cx needed to compare -search =scx needed to apply search filters -read =rscx needed to read search results -write =wrscx needed to modify/rename +Level Privileges Description +none =0 no access +disclose =d needed for information disclosure on error +auth =dx needed to authenticate (bind) +compare =cdx needed to compare +search =scdx needed to apply search filters +read =rscdx needed to read search results +write =wrscdx needed to modify/rename +manage =mwrscdx needed to manage !endblock -Each level implies all lower levels of access. So, for -example, granting someone {{EX:write}} access to an entry also -grants them {{EX:read}}, {{EX:search}}, {{EX:compare}}, and -{{EX:auth}} access. However, one may use the privileges specifier +Each level implies all lower levels of access. So, for example, +granting someone {{EX:write}} access to an entry also grants them +{{EX:read}}, {{EX:search}}, {{EX:compare}}, {{EX:auth}} and +{{EX:disclose}} access. However, one may use the privileges specifier to grant specific permissions. 
diff --git a/doc/man/man5/slapd.access.5 b/doc/man/man5/slapd.access.5 index b3d357c2f3651fd0de460b4c287930a276bd9064..cc8ac80572f639be629038886f7ff052dccf073e 100644 --- a/doc/man/man5/slapd.access.5 +++ b/doc/man/man5/slapd.access.5 @@ -665,8 +665,8 @@ field will have. Its component are defined as .LP .nf - <level> ::= none|disclose|auth|compare|search|read|write - <priv> ::= {=|+|-}{w|r|s|c|x|d|0}+ + <level> ::= none|disclose|auth|compare|search|read|write|manage + <priv> ::= {=|+|-}{m|w|r|s|c|x|d|0}+ .fi .LP The modifier @@ -699,8 +699,8 @@ The possible levels are and .BR write . Each access level implies all the preceding ones, thus -.B write -access will imply all accesses. +.B manage +grants all access including administrative access, .LP The .B none @@ -733,6 +733,8 @@ and .B - signs add/remove access privileges to the existing ones. The privileges are +.B m +for manage, .B w for write, .B r diff --git a/include/ldap_log.h b/include/ldap_log.h index f8b708005f246bef40721de3c1d706921b7745c6..33eac0f87d763ac5aeb74809fb5a0a136fe12d44 100644 --- a/include/ldap_log.h +++ b/include/ldap_log.h 
@@ -232,13 +232,13 @@ extern void eb_syslog(int pri, const char *fmt, ...); #else /* ! LDAP_DEBUG */ /* TODO: in case LDAP_DEBUG is undefined, make sure logs with appropriate * severity gets thru anyway */ -#define Log0( level, severity, fmt ) -#define Log1( level, severity, fmt, arg1 ) -#define Log2( level, severity, fmt, arg1, arg2 ) -#define Log3( level, severity, fmt, arg1, arg2, arg3 ) -#define Log4( level, severity, fmt, arg1, arg2, arg3, arg4 ) -#define Log5( level, severity, fmt, arg1, arg2, arg3, arg4, arg5 ) -#define Debug( level, fmt, arg1, arg2, arg3 ) +#define Log0( level, severity, fmt ) ((void)0) +#define Log1( level, severity, fmt, arg1 ) ((void)0) +#define Log2( level, severity, fmt, arg1, arg2 ) ((void)0) +#define Log3( level, severity, fmt, arg1, arg2, arg3 ) ((void)0) +#define Log4( level, severity, fmt, arg1, arg2, arg3, arg4 ) ((void)0) +#define Log5( level, severity, fmt, arg1, arg2, arg3, arg4, arg5 ) ((void)0) +#define Debug( level, fmt, arg1, arg2, arg3 ) ((void)0) #define LogTest(level) ( 0 ) #endif /* ! LDAP_DEBUG */ diff --git a/libraries/liblber/io.c b/libraries/liblber/io.c index befc02d9bcf28d761052e534539c136b0388b6ee..730d05d4fdf350fb05432031bf917d754b3f2060 100644 --- a/libraries/liblber/io.c +++ b/libraries/liblber/io.c @@ -247,7 +247,6 @@ ber_flush2( Sockbuf *sb, BerElement *ber, int freeit ) ber->ber_rwptr += rc; } -done:; if ( freeit & LBER_FLUSH_FREE_ON_SUCCESS ) ber_free( ber, 1 ); return 0; diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c index 62593991f6d23c03f51decbc9b84ab428cde6555..6a2621da43b4434390e0748ff2c3549aab3db9ae 100644 --- a/servers/slapd/acl.c +++ b/servers/slapd/acl.c @@ -94,7 +94,6 @@ SLAP_SET_GATHER acl_set_gather2; * - can be legally called with op->o_bd == NULL */ -#ifdef SLAP_OVERLAY_ACCESS int slap_access_always_allowed( Operation *op, 
@@ -462,281 +461,6 @@ done: return ret; } -#else /* !SLAP_OVERLAY_ACCESS */ - -int -access_allowed_mask( - Operation *op, - Entry *e, - AttributeDescription *desc, - struct berval *val, - slap_access_t access, - AccessControlState *state, - slap_mask_t *maskp ) -{ - int ret = 1; - int count; - AccessControl *a = NULL; - Backend *be; - int be_null = 0; - -#ifdef LDAP_DEBUG - char accessmaskbuf[ACCESSMASK_MAXLEN]; -#endif - slap_mask_t mask; - slap_control_t control; - slap_access_t access_level; - const char *attr; - regmatch_t matches[MAXREMATCHES]; - int st_same_attr = 0; - static AccessControlState state_init = ACL_STATE_INIT; - - assert( e != NULL ); - assert( desc != NULL ); - - access_level = ACL_LEVEL( access ); - - assert( access_level > ACL_NONE ); - if ( maskp ) ACL_INVALIDATE( *maskp ); - - attr = desc->ad_cname.bv_val; - - assert( attr != NULL ); - - if ( op ) { - if ( op->o_is_auth_check && - ( access_level == ACL_SEARCH || access_level == ACL_READ ) ) - { - access = ACL_AUTH; - - } else if ( get_manageDIT( op ) && access_level == ACL_WRITE && - desc == slap_schema.si_ad_entry ) - { - access = ACL_MANAGE; - } - } - - if ( state ) { - if ( state->as_vd_ad == desc ) { - if ( ( state->as_recorded & ACL_STATE_RECORDED_NV ) && - val == NULL ) - { - return state->as_result; - - } else if ( ( state->as_recorded & ACL_STATE_RECORDED_VD ) && - val != NULL && state->as_vd_acl == NULL ) - { - return state->as_result; - } - st_same_attr = 1; - } else { - *state = state_init; - } - - state->as_vd_ad = desc; - } - - Debug( LDAP_DEBUG_ACL, - "=> access_allowed: %s access to \"%s\" \"%s\" requested\n", - access2str( access ), e->e_dn, attr ); - - if ( op == NULL ) { - /* no-op call */ - goto done; - } - - be = op->o_bd; - if ( be == NULL ) { - be = LDAP_STAILQ_FIRST(&backendDB); - be_null = 1; -#ifdef LDAP_DEVEL - /* - * FIXME: experimental; use first backend rules - * iff there is no global_acl (ITS#3100) */ - if ( frontendDB->be_acl == NULL ) -#endif - { - op->o_bd = 
be; - } - } - assert( be != NULL ); - - /* grant database root access */ - if ( be_isroot( op ) ) { - Debug( LDAP_DEBUG_ACL, "<= root access granted\n", 0, 0, 0 ); - if ( maskp ) { - mask = ACL_LVL_MANAGE; - } - - goto done; - } - - /* - * no-user-modification operational attributes are ignored - * by ACL_WRITE checking as any found here are not provided - * by the user - * - * NOTE: but they are not ignored for ACL_MANAGE, because - * if we get here it means a non-root user is trying to - * manage data, so we need to check its privileges. - */ - if ( access_level == ACL_WRITE && is_at_no_user_mod( desc->ad_type ) - && desc != slap_schema.si_ad_entry - && desc != slap_schema.si_ad_children ) - { - Debug( LDAP_DEBUG_ACL, "NoUserMod Operational attribute:" - " %s access granted\n", - attr, 0, 0 ); - goto done; - } - - /* use backend default access if no backend acls */ - if ( be->be_acl == NULL ) { - Debug( LDAP_DEBUG_ACL, - "=> access_allowed: backend default %s " - "access %s to \"%s\"\n", - access2str( access ), - be->be_dfltaccess >= access_level ? "granted" : "denied", - op->o_dn.bv_val ? op->o_dn.bv_val : "(anonymous)" ); - ret = be->be_dfltaccess >= access_level; - - if ( maskp ) { - int i; - - mask = ACL_PRIV_LEVEL; - for ( i = ACL_NONE; i <= be->be_dfltaccess; i++ ) { - mask |= ACL_ACCESS2PRIV( i ); - } - } - - goto done; - -#ifdef notdef - /* be is always non-NULL */ - /* use global default access if no global acls */ - } else if ( be == NULL && frontendDB->be_acl == NULL ) { - Debug( LDAP_DEBUG_ACL, - "=> access_allowed: global default %s access %s to \"%s\"\n", - access2str( access ), - frontendDB->be_dfltaccess >= access_level ? 
- "granted" : "denied", op->o_dn.bv_val ); - ret = frontendDB->be_dfltaccess >= access_level; - - if ( maskp ) { - int i; - - mask = ACL_PRIV_LEVEL; - for ( i = ACL_NONE; i <= global_default_access; i++ ) { - mask |= ACL_ACCESS2PRIV( i ); - } - } - - goto done; -#endif - } - - ret = 0; - control = ACL_BREAK; - - if ( st_same_attr ) { - assert( state->as_vd_acl != NULL ); - - a = state->as_vd_acl; - count = state->as_vd_acl_count; - if ( !ACL_IS_INVALID( state->as_vd_acl_mask ) ) { - mask = state->as_vd_acl_mask; - AC_MEMCPY( matches, state->as_vd_acl_matches, sizeof(matches) ); - goto vd_access; - } - - } else { - if ( state ) state->as_vi_acl = NULL; - a = NULL; - ACL_INIT(mask); - count = 0; - memset( matches, '\0', sizeof(matches) ); - } - - while ( ( a = slap_acl_get( a, &count, op, e, desc, val, - MAXREMATCHES, matches, state ) ) != NULL ) - { - int i; - - for ( i = 0; i < MAXREMATCHES && matches[i].rm_so > 0; i++ ) { - Debug( LDAP_DEBUG_ACL, "=> match[%d]: %d %d ", i, - (int)matches[i].rm_so, (int)matches[i].rm_eo ); - if ( matches[i].rm_so <= matches[0].rm_eo ) { - int n; - for ( n = matches[i].rm_so; n < matches[i].rm_eo; n++ ) { - Debug( LDAP_DEBUG_ACL, "%c", e->e_ndn[n], 0, 0 ); - } - } - Debug( LDAP_DEBUG_ARGS, "\n", 0, 0, 0 ); - } - - if ( state ) { - if ( state->as_vi_acl == a && - ( state->as_recorded & ACL_STATE_RECORDED_NV ) ) - { - Debug( LDAP_DEBUG_ACL, - "access_allowed: result from state (%s)\n", - attr, 0, 0 ); - ret = state->as_result; - goto done; - } else { - Debug( LDAP_DEBUG_ACL, - "access_allowed: no res from state (%s)\n", - attr, 0, 0 ); - } - } - -vd_access: - control = slap_acl_mask( a, &mask, op, - e, desc, val, MAXREMATCHES, matches, count, state ); - - if ( control != ACL_BREAK ) { - break; - } - - memset( matches, '\0', sizeof(matches) ); - } - - if ( ACL_IS_INVALID( mask ) ) { - Debug( LDAP_DEBUG_ACL, - "=> access_allowed: \"%s\" (%s) invalid!\n", - e->e_dn, attr, 0 ); - ACL_INIT(mask); - - } else if ( control == ACL_BREAK ) { - 
Debug( LDAP_DEBUG_ACL, - "=> access_allowed: no more rules\n", 0, 0, 0 ); - - goto done; - } - - Debug( LDAP_DEBUG_ACL, - "=> access_allowed: %s access %s by %s\n", - access2str( access ), - ACL_GRANT(mask, access) ? "granted" : "denied", - accessmask2str( mask, accessmaskbuf, 1 ) ); - - ret = ACL_GRANT(mask, access); - -done: - if ( state != NULL ) { - /* If not value-dependent, save ACL in case of more attrs */ - if ( !( state->as_recorded & ACL_STATE_RECORDED_VD ) ) { - state->as_vi_acl = a; - state->as_result = ret; - } - state->as_recorded |= ACL_STATE_RECORDED; - } - if ( be_null ) op->o_bd = NULL; - if ( maskp ) *maskp = mask; - return ret; -} - -#endif /* !SLAP_OVERLAY_ACCESS */ /* * slap_acl_get - return the acl applicable to entry e, attribute diff --git a/servers/slapd/aclparse.c b/servers/slapd/aclparse.c index f44a786b5e0b3aaf12d63b5d3cbd7376d58a7208..0b018c1094143a80bcdfa6300034358f7b11ee82 100644 --- a/servers/slapd/aclparse.c +++ b/servers/slapd/aclparse.c @@ -2453,11 +2453,6 @@ str2access( const char *str ) return ACL_NONE; } else if ( strcasecmp( str, "disclose" ) == 0 ) { -#ifndef SLAP_ACL_HONOR_DISCLOSE - Debug( LDAP_DEBUG_ACL, "str2access: warning, " - "\"disclose\" privilege disabled.\n", - 0, 0, 0 ); -#endif /* SLAP_ACL_HONOR_DISCLOSE */ return ACL_DISCLOSE; } else if ( strcasecmp( str, "auth" ) == 0 ) { diff --git a/servers/slapd/back-bdb/compare.c b/servers/slapd/back-bdb/compare.c index bf8b5146158a18423eebd9253e3b599e52c3d714..3e88beff28caed6e7055657a640ff3516c0a17bd 100644 --- a/servers/slapd/back-bdb/compare.c +++ b/servers/slapd/back-bdb/compare.c 
@@ -66,16 +66,13 @@ dn2entry_retry: e = ei->bei_e; if ( rs->sr_err == DB_NOTFOUND ) { if ( e != NULL ) { -#ifdef SLAP_ACL_HONOR_DISCLOSE /* return referral only if "disclose" is granted on the object */ if ( ! access_allowed( op, e, slap_schema.si_ad_entry, NULL, ACL_DISCLOSE, NULL ) ) { rs->sr_err = LDAP_NO_SUCH_OBJECT; - } else -#endif /* SLAP_ACL_HONOR_DISCLOSE */ - { + } else { rs->sr_matched = ch_strdup( e->e_dn ); rs->sr_ref = is_entry_referral( e ) ? get_entry_referrals( op, e ) @@ -103,15 +100,12 @@ dn2entry_retry: } if (!manageDSAit && is_entry_referral( e ) ) { -#ifdef SLAP_ACL_HONOR_DISCLOSE /* return referral only if "disclose" is granted on the object */ if ( !access_allowed( op, e, slap_schema.si_ad_entry, NULL, ACL_DISCLOSE, NULL ) ) { rs->sr_err = LDAP_NO_SUCH_OBJECT; - } else -#endif /* SLAP_ACL_HONOR_DISCLOSE */ - { + } else { /* entry is a referral, don't allow compare */ rs->sr_ref = get_entry_referrals( op, e ); rs->sr_err = LDAP_REFERRAL; @@ -131,14 +125,11 @@ dn2entry_retry: if ( get_assert( op ) && ( test_filter( op, e, get_assertion( op )) != LDAP_COMPARE_TRUE )) { -#ifdef SLAP_ACL_HONOR_DISCLOSE if ( !access_allowed( op, e, slap_schema.si_ad_entry, NULL, ACL_DISCLOSE, NULL ) ) { rs->sr_err = LDAP_NO_SUCH_OBJECT; - } else -#endif /* SLAP_ACL_HONOR_DISCLOSE */ - { + } else { rs->sr_err = LDAP_ASSERTION_FAILED; } goto return_results; @@ -147,16 +138,13 @@ dn2entry_retry: if ( !access_allowed( op, e, op->oq_compare.rs_ava->aa_desc, &op->oq_compare.rs_ava->aa_value, ACL_COMPARE, NULL ) ) { -#ifdef SLAP_ACL_HONOR_DISCLOSE /* return error only if "disclose" * is granted on the object */ if ( !access_allowed( op, e, slap_schema.si_ad_entry, NULL, ACL_DISCLOSE, NULL ) ) { rs->sr_err = LDAP_NO_SUCH_OBJECT; - } else -#endif /* SLAP_ACL_HONOR_DISCLOSE */ - { + } else { rs->sr_err = LDAP_INSUFFICIENT_ACCESS; } goto return_results; 
diff --git a/servers/slapd/back-bdb/search.c b/servers/slapd/back-bdb/search.c index 59f81ff9207b5035d1d8cdebfd2edad00309a651..519b65dd6b786d0db3971b9ae36a71d3db838f8e 100644 --- a/servers/slapd/back-bdb/search.c +++ b/servers/slapd/back-bdb/search.c @@ -319,9 +319,7 @@ bdb_search( Operation *op, SlapReply *rs ) Entry *matched = NULL; EntryInfo *ei, ei_root = {0}; struct berval realbase = BER_BVNULL; -#ifdef SLAP_ACL_HONOR_DISCLOSE slap_mask_t mask; -#endif int manageDSAit; int tentries = 0; ID lastid = NOID; @@ -424,7 +422,6 @@ dn2entry_retry: if ( matched != NULL ) { BerVarray erefs = NULL; -#ifdef SLAP_ACL_HONOR_DISCLOSE /* return referral only if "disclose" * is granted on the object */ if ( ! access_allowed( op, matched, @@ -433,9 +430,7 @@ dn2entry_retry: { rs->sr_err = LDAP_NO_SUCH_OBJECT; - } else -#endif /* SLAP_ACL_HONOR_DISCLOSE */ - { + } else { ber_dupbv( &matched_dn, &matched->e_name ); erefs = is_entry_referral( matched ) @@ -483,7 +478,6 @@ dn2entry_retry: return rs->sr_err; } -#ifdef SLAP_ACL_HONOR_DISCLOSE /* NOTE: __NEW__ "search" access is required * on searchBase object */ if ( ! access_allowed_mask( op, e, slap_schema.si_ad_entry, @@ -504,7 +498,6 @@ dn2entry_retry: send_ldap_result( op, rs ); return rs->sr_err; } -#endif /* SLAP_ACL_HONOR_DISCLOSE */ if ( !manageDSAit && e != &e_root && is_entry_referral( e ) ) { /* entry is a referral, don't allow add */ diff --git a/servers/slapd/back-dnssrv/init.c b/servers/slapd/back-dnssrv/init.c index fc4063492cee1ad7fc02686aa54c7d8897c2d68b..4b834cb7e81c8777beb3d0a17eec5aeec10341e8 100644 --- a/servers/slapd/back-dnssrv/init.c +++ b/servers/slapd/back-dnssrv/init.c @@ -67,9 +67,7 @@ dnssrv_back_initialize( bi->bi_connection_init = 0; bi->bi_connection_destroy = 0; -#ifdef SLAP_OVERLAY_ACCESS bi->bi_access_allowed = slap_access_always_allowed; -#endif /* SLAP_OVERLAY_ACCESS */ return 0; } 
diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c index 2399c85a6d80f086e329497d8fdd0702247d0f93..131219683fc0db4b607ae0b9be4d11e7ad485cdb 100644 --- a/servers/slapd/back-ldap/bind.c +++ b/servers/slapd/back-ldap/bind.c @@ -306,7 +306,6 @@ ldap_back_freeconn( Operation *op, ldapconn_t *lc, int dolock ) ldap_pvt_thread_mutex_lock( &li->li_conninfo.lai_mutex ); } - assert( lc->lc_refcnt >= 0 ); tmplc = avl_delete( &li->li_conninfo.lai_tree, (caddr_t)lc, ldap_back_conndnlc_cmp ); assert( LDAP_BACK_CONN_TAINTED( lc ) || tmplc == lc ); @@ -355,13 +354,15 @@ ldap_back_start_tls( } if ( protocol < LDAP_VERSION3 ) { - protocol = LDAP_VERSION3; - /* Set LDAP version */ - ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, - (const void *)&protocol ); + /* we should rather bail out... */ + rc = LDAP_UNWILLING_TO_PERFORM; + *text = "invalid protocol version"; + } + + if ( rc == LDAP_SUCCESS ) { + rc = ldap_start_tls( ld, NULL, NULL, &msgid ); } - rc = ldap_start_tls( ld, NULL, NULL, &msgid ); if ( rc == LDAP_SUCCESS ) { LDAPMessage *res = NULL; struct timeval tv; @@ -469,7 +470,7 @@ static int ldap_back_prepare_conn( ldapconn_t **lcp, Operation *op, SlapReply *rs, ldap_back_send_t sendok ) { ldapinfo_t *li = (ldapinfo_t *)op->o_bd->be_private; - int vers = op->o_protocol; + int version; LDAP *ld = NULL; #ifdef HAVE_TLS int is_tls = op->o_conn->c_is_tls; 
@@ -485,11 +486,17 @@ ldap_back_prepare_conn( ldapconn_t **lcp, Operation *op, SlapReply *rs, ldap_bac /* Set LDAP version. This will always succeed: If the client * bound with a particular version, then so can we. */ - if ( vers == 0 ) { + if ( li->li_version != 0 ) { + version = li->li_version; + + } else if ( op->o_protocol != 0 ) { + version = op->o_protocol; + + } else { /* assume it's an internal op; set to LDAPv3 */ - vers = LDAP_VERSION3; + version = LDAP_VERSION3; } - ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, (const void *)&vers ); + ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, (const void *)&version ); /* automatically chase referrals ("chase-referrals [{yes|no}]" statement) */ ldap_set_option( ld, LDAP_OPT_REFERRALS, @@ -1205,6 +1212,21 @@ ldap_back_proxy_authz_bind( ldapconn_t *lc, Operation *op, SlapReply *rs, ldap_b int msgid; int rc; + /* don't proxyAuthz if protocol is not LDAPv3 */ + switch ( li->li_version ) { + case LDAP_VERSION3: + break; + + case 0: + if ( op->o_protocol == 0 || op->o_protocol == LDAP_VERSION3 ) { + break; + } + /* fall thru */ + + default: + goto done; + } + if ( !BER_BVISNULL( &op->o_conn->c_ndn ) ) { ndn = op->o_conn->c_ndn; @@ -1460,6 +1482,21 @@ ldap_back_proxy_authz_ctrl( rs->sr_err = LDAP_SUCCESS; + /* don't proxyAuthz if protocol is not LDAPv3 */ + switch ( li->li_version ) { + case LDAP_VERSION3: + break; + + case 0: + if ( op->o_protocol == 0 || op->o_protocol == LDAP_VERSION3 ) { + break; + } + /* fall thru */ + + default: + goto done; + } + /* FIXME: SASL/EXTERNAL over ldapi:// doesn't honor the authcID, * but if it is not set this test fails. We need a different * means to detect if idassert is enabled */ @@ -1676,6 +1713,7 @@ free_ber:; if ( rs->sr_err != LDAP_SUCCESS ) { op->o_tmpfree( ctrls, op->o_tmpmemctx ); ctrls = NULL; + goto done; } } else if ( li->li_idassert_flags & LDAP_BACK_AUTH_OBSOLETE_PROXY_AUTHZ ) { 
@@ -1688,6 +1726,7 @@ free_ber:; if ( strncasecmp( authzID.bv_val, "dn:", STRLENOF( "dn:" ) ) != 0 ) { op->o_tmpfree( ctrls[ 0 ]->ldctl_value.bv_val, op->o_tmpmemctx ); op->o_tmpfree( ctrls, op->o_tmpmemctx ); + ctrls = NULL; rs->sr_err = LDAP_PROTOCOL_ERROR; goto done; } diff --git a/servers/slapd/back-ldap/config.c b/servers/slapd/back-ldap/config.c index 2bae1a085e46226d2a4275d2a463a93f99b43cd9..ddf4e77ae086eb317106653bdf3c03f3b6f137a5 100644 --- a/servers/slapd/back-ldap/config.c +++ b/servers/slapd/back-ldap/config.c @@ -63,6 +63,7 @@ enum { LDAP_BACK_CFG_IDLE_TIMEOUT, LDAP_BACK_CFG_CONN_TTL, LDAP_BACK_CFG_NETWORK_TIMEOUT, + LDAP_BACK_CFG_VERSION, LDAP_BACK_CFG_REWRITE, LDAP_BACK_CFG_LAST @@ -241,6 +242,14 @@ static ConfigTable ldapcfg[] = { "SYNTAX OMsDirectoryString " "SINGLE-VALUE )", NULL, NULL }, + { "protocol-version", "version", 2, 0, 0, + ARG_MAGIC|ARG_INT|LDAP_BACK_CFG_VERSION, + ldap_back_cf_gen, "( OLcfgDbAt:3.18 " + "NAME 'olcDbProtocolVersion' " + "DESC 'protocol version' " + "SYNTAX OMsInteger " + "SINGLE-VALUE )", + NULL, NULL }, { "suffixmassage", "[virtual]> <real", 2, 3, 0, ARG_STRING|ARG_MAGIC|LDAP_BACK_CFG_REWRITE, ldap_back_cf_gen, NULL, NULL, NULL }, @@ -612,6 +621,14 @@ ldap_back_cf_gen( ConfigArgs *c ) value_add_one( &c->rvalue_vals, &bv ); } break; + case LDAP_BACK_CFG_VERSION: + if ( li->li_version == 0 ) { + return 1; + } + + c->value_int = li->li_version; + break; + default: /* FIXME: we need to handle all... */ assert( 0 ); @@ -701,6 +718,10 @@ ldap_back_cf_gen( ConfigArgs *c ) li->li_network_timeout = 0; break; + case LDAP_BACK_CFG_VERSION: + li->li_version = 0; + break; + default: /* FIXME: we need to handle all... */ assert( 0 ); @@ -1059,7 +1080,6 @@ done_url:; case LDAP_BACK_CFG_IDASSERT_AUTHZFROM: { struct berval bv; -#ifdef SLAP_AUTHZ_SYNTAX struct berval in; int rc; 
@@ -1072,9 +1092,6 @@ done_url:; Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 ); return 1; } -#else /* !SLAP_AUTHZ_SYNTAX */ - ber_str2bv( c->argv[ 1 ], 0, 1, &bv ); -#endif /* !SLAP_AUTHZ_SYNTAX */ ber_bvarray_add( &li->li_idassert_authz, &bv ); } break; @@ -1133,7 +1150,7 @@ done_url:; } else if ( strncasecmp( c->argv[ i ], "flags=", STRLENOF( "flags=" ) ) == 0 ) { char *argvi = c->argv[ i ] + STRLENOF( "flags=" ); char **flags = ldap_str2charray( argvi, "," ); - int j; + int j, err = 0; if ( flags == NULL ) { snprintf( c->msg, sizeof( c->msg ), @@ -1145,6 +1162,7 @@ done_url:; } for ( j = 0; flags[ j ] != NULL; j++ ) { + if ( strcasecmp( flags[ j ], "override" ) == 0 ) { li->li_idassert_flags |= LDAP_BACK_AUTH_OVERRIDE; @@ -1161,9 +1179,12 @@ done_url:; "in \"idassert-mode <args>\" " "incompatible with previously issued \"obsolete-encoding-workaround\" flag.\n", c->fname, c->lineno, 0 ); - return 1; + err = 1; + break; + + } else { + li->li_idassert_flags |= LDAP_BACK_AUTH_OBSOLETE_PROXY_AUTHZ; } - li->li_idassert_flags |= LDAP_BACK_AUTH_OBSOLETE_PROXY_AUTHZ; } else if ( strcasecmp( flags[ j ], "obsolete-encoding-workaround" ) == 0 ) { if ( li->li_idassert_flags & LDAP_BACK_AUTH_OBSOLETE_PROXY_AUTHZ ) { @@ -1172,9 +1193,12 @@ done_url:; "in \"idassert-mode <args>\" " "incompatible with previously issued \"obsolete-proxy-authz\" flag.\n", c->fname, c->lineno, 0 ); - return 1; + err = 1; + break; + + } else { + li->li_idassert_flags |= LDAP_BACK_AUTH_OBSOLETE_ENCODING_WORKAROUND; } - li->li_idassert_flags |= LDAP_BACK_AUTH_OBSOLETE_ENCODING_WORKAROUND; } else { snprintf( c->msg, sizeof( c->msg ), @@ -1182,12 +1206,15 @@ done_url:; "unknown flag \"%s\"", flags[ j ] ); Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 ); - ldap_charray_free( flags ); - return 1; + err = 1; + break; } } ldap_charray_free( flags ); + if ( err ) { + return 1; + } } else if ( bindconf_parse( c->argv[ i ], &li->li_idassert ) ) { return 1; 
@@ -1295,6 +1322,19 @@ done_url:; li->li_network_timeout = (time_t)t; } break; + case LDAP_BACK_CFG_VERSION: + switch ( c->value_int ) { + case 0: + case LDAP_VERSION2: + case LDAP_VERSION3: + li->li_version = c->value_int; + break; + + default: + return 1; + } + break; + case LDAP_BACK_CFG_REWRITE: snprintf( c->msg, sizeof( c->msg ), "rewrite/remap capabilities have been moved " diff --git a/servers/slapd/back-ldap/modrdn.c b/servers/slapd/back-ldap/modrdn.c index 1ea94a0ba8e445d4b593d6f118df97ef7b0e3cb6..eb5690ce6c1b9b0d040144d48f501c2b33713c74 100644 --- a/servers/slapd/back-ldap/modrdn.c +++ b/servers/slapd/back-ldap/modrdn.c @@ -51,9 +51,25 @@ ldap_back_modrdn( } if ( op->orr_newSup ) { - int version = LDAP_VERSION3; + /* needs LDAPv3 */ + switch ( li->li_version ) { + case LDAP_VERSION3: + break; + + case 0: + if ( op->o_protocol == 0 || op->o_protocol == LDAP_VERSION3 ) { + break; + } + /* fall thru */ + + default: + /* op->o_protocol cannot be anything but LDAPv3, + * otherwise wouldn't be here */ + rs->sr_err = LDAP_UNWILLING_TO_PERFORM; + send_ldap_result( op, rs ); + goto cleanup; + } - ldap_set_option( lc->lc_ld, LDAP_OPT_PROTOCOL_VERSION, &version ); newSup = op->orr_newSup->bv_val; } diff --git a/servers/slapd/back-ldif/ldif.c b/servers/slapd/back-ldif/ldif.c index 5c662962bd38349e10476fa4ad7a0b2dfa5b9916..dc1d88757ec6d7812a7663b3b4118c81ec09f076 100644 --- a/servers/slapd/back-ldif/ldif.c +++ b/servers/slapd/back-ldif/ldif.c 
@@ -82,17 +82,23 @@ static ConfigOCs ldifocs[] = { }; static void -dn2path(struct berval * dn, struct berval * rootdn, struct berval * base_path, +dn2path(struct berval * dn, struct berval * suffixdn, struct berval * base_path, struct berval *res) { char *ptr, *sep, *end; + assert( dn != NULL ); + assert( !BER_BVISNULL( dn ) ); + assert( suffixdn != NULL ); + assert( !BER_BVISNULL( suffixdn ) ); + assert( dnIsSuffix( dn, suffixdn ) ); + res->bv_len = dn->bv_len + base_path->bv_len + 1 + STRLENOF( LDIF ); res->bv_val = ch_malloc( res->bv_len + 1 ); ptr = lutil_strcopy( res->bv_val, base_path->bv_val ); *ptr++ = LDAP_DIRSEP[0]; - ptr = lutil_strcopy( ptr, rootdn->bv_val ); - end = dn->bv_val + dn->bv_len - rootdn->bv_len - 1; + ptr = lutil_strcopy( ptr, suffixdn->bv_val ); + end = dn->bv_val + dn->bv_len - suffixdn->bv_len - 1; while ( end > dn->bv_val ) { for (sep = end-1; sep >=dn->bv_val && !DN_SEPARATOR( *sep ); sep--); *ptr++ = LDAP_DIRSEP[0]; @@ -926,15 +932,15 @@ static int ldif_back_delete(Operation *op, SlapReply *rs) { static int move_entry(Entry * entry, struct berval * ndn, - struct berval * newndn, struct berval * rootdn, + struct berval * newndn, struct berval * suffixdn, struct berval * base_path) { int res; int exists_res; struct berval path; struct berval newpath; - dn2path(ndn, rootdn, base_path, &path); - dn2path(newndn, rootdn, base_path, &newpath); + dn2path(ndn, suffixdn, base_path, &path); + dn2path(newndn, suffixdn, base_path, &newpath); if((entry == NULL || path.bv_val == NULL) || newpath.bv_val == NULL) { /* some object doesn't exist */ 
@@ -1045,13 +1051,24 @@ int ldif_back_entry_get( Entry **ent ) { struct ldif_info *ni = (struct ldif_info *) op->o_bd->be_private; + struct berval op_dn = op->o_req_dn, op_ndn = op->o_req_ndn; - ldap_pvt_thread_mutex_lock( &ni->li_mutex ); + assert( ndn != NULL ); + assert( !BER_BVISNULL( ndn ) ); + ldap_pvt_thread_mutex_lock( &ni->li_mutex ); + op->o_req_dn = *ndn; + op->o_req_ndn = *ndn; *ent = (Entry *) get_entry( op, &ni->li_base_path ); - + op->o_req_dn = op_dn; + op->o_req_ndn = op_ndn; ldap_pvt_thread_mutex_unlock( &ni->li_mutex ); + if ( *ent && oc && !is_entry_objectclass_or_sub( *ent, oc ) ) { + entry_free( *ent ); + *ent = NULL; + } + return ( *ent == NULL ? 1 : 0 ); } @@ -1249,9 +1266,7 @@ ldif_back_initialize( bi->bi_entry_get_rw = ldif_back_entry_get; #if 0 /* NOTE: uncomment to completely disable access control */ -#ifdef SLAP_OVERLAY_ACCESS bi->bi_access_allowed = slap_access_always_allowed; -#endif /* SLAP_OVERLAY_ACCESS */ #endif bi->bi_tool_entry_open = ldif_tool_entry_open; diff --git a/servers/slapd/back-meta/bind.c b/servers/slapd/back-meta/bind.c index 6a915f9efa03040a8f95896930bcfbafbca94d3e..1993e4aeb148c271017667f487315b5df6be25d8 100644 --- a/servers/slapd/back-meta/bind.c +++ b/servers/slapd/back-meta/bind.c @@ -668,7 +668,6 @@ meta_back_dobind( metatarget_t *mt = &mi->mi_targets[ i ]; metasingleconn_t *msc = &mc->mc_conns[ i ]; int rc, do_retry = 1; - char *rootdn = NULL; /* * Not a candidate @@ -735,7 +734,7 @@ retry:; snprintf( buf, sizeof( buf ), "meta_back_dobind[%d]: (%s) err=%d (%s).", - i, rootdn ? rootdn : "anonymous", + i, isroot ? op->o_bd->be_rootdn.bv_val : "anonymous", rc, ldap_err2string( rc ) ); Debug( LDAP_DEBUG_ANY, "%s %s\n", 
@@ -762,11 +761,11 @@ retry:; "%s meta_back_dobind[%d]: " "(%s)\n", op->o_log_prefix, i, - rootdn ? rootdn : "anonymous" ); + isroot ? op->o_bd->be_rootdn.bv_val : "anonymous" ); ldap_pvt_thread_mutex_lock( &mi->mi_conninfo.lai_mutex ); LDAP_BACK_CONN_BINDING_CLEAR( msc ); - if ( rootdn ) { + if ( isroot ) { LDAP_BACK_CONN_ISBOUND_SET( msc ); } else { LDAP_BACK_CONN_ISANON_SET( msc ); diff --git a/servers/slapd/back-meta/config.c b/servers/slapd/back-meta/config.c index 4e5997a64c6d5474f6d7fa3ca47e2f22c1f91408..822a352a4ce2ee6d5b3ea686de9417e5a01b6eae 100644 --- a/servers/slapd/back-meta/config.c +++ b/servers/slapd/back-meta/config.c @@ -1050,6 +1050,38 @@ meta_back_db_config( mi->mi_targets[ i ].mt_nretries = nretries; } + } else if ( strcasecmp( argv[ 0 ], "protocol-version" ) == 0 ) { + int *version = mi->mi_ntargets ? + &mi->mi_targets[ mi->mi_ntargets - 1 ].mt_version + : &mi->mi_version; + + if ( argc != 2 ) { + Debug( LDAP_DEBUG_ANY, + "%s: line %d: need value in \"protocol-version <version>\"\n", + fname, lineno, 0 ); + return 1; + } + + if ( lutil_atoi( version, argv[ 1 ] ) != 0 ) { + Debug( LDAP_DEBUG_ANY, + "%s: line %d: unable to parse version \"%s\" in \"protocol-version <version>\"\n", + fname, lineno, argv[ 1 ] ); + return 1; + } + + switch ( *version ) { + case 0: + case LDAP_VERSION2: + case LDAP_VERSION3: + break; + + default: + Debug( LDAP_DEBUG_ANY, + "%s: line %d: unsupported version \"%s\" in \"protocol-version <version>\"\n", + fname, lineno, argv[ 1 ] ); + return 1; + } + /* anything else */ } else { return SLAP_CONF_UNKNOWN; diff --git a/servers/slapd/back-meta/conn.c b/servers/slapd/back-meta/conn.c index 36d85be07f056e587ac96ff2805ff04328ecd8f2..5a9930229119ada01a0717c963b90111d97947dd 100644 --- a/servers/slapd/back-meta/conn.c +++ b/servers/slapd/back-meta/conn.c 
@@ -260,7 +260,7 @@ meta_back_init_one_conn( { metainfo_t *mi = ( metainfo_t * )op->o_bd->be_private; metasingleconn_t *msc = &mc->mc_conns[ candidate ]; - int vers; + int version; dncookie dc; int isauthz = ( candidate == mc->mc_authz_target ); @@ -285,8 +285,16 @@ meta_back_init_one_conn( * Set LDAP version. This will always succeed: If the client * bound with a particular version, then so can we. */ - vers = op->o_conn->c_protocol; - ldap_set_option( msc->msc_ld, LDAP_OPT_PROTOCOL_VERSION, &vers ); + if ( mt->mt_version != 0 ) { + version = mt->mt_version; + + } else if ( op->o_conn->c_protocol != 0 ) { + version = op->o_conn->c_protocol; + + } else { + version = LDAP_VERSION3; + } + ldap_set_option( msc->msc_ld, LDAP_OPT_PROTOCOL_VERSION, &version ); /* automatically chase referrals ("chase-referrals [{yes|no}]" statement) */ ldap_set_option( msc->msc_ld, LDAP_OPT_REFERRALS, diff --git a/servers/slapd/back-meta/map.c b/servers/slapd/back-meta/map.c index b12abce6cd39be32a7bbfc2ac0c803f6ff3f0ae7..912bd1671ded37bcf0150c5d4aa7436559be663e 100644 --- a/servers/slapd/back-meta/map.c +++ b/servers/slapd/back-meta/map.c @@ -297,6 +297,9 @@ ldap_back_int_filter_map_rewrite( ber_bvnone = BER_BVC( "(?=none)" ); ber_len_t len; + assert( fstr != NULL ); + BER_BVZERO( fstr ); + if ( f == NULL ) { ber_dupbv( fstr, &ber_bvnone ); return LDAP_OTHER; diff --git a/servers/slapd/back-meta/modrdn.c b/servers/slapd/back-meta/modrdn.c index a490553b64762317e15abd0d0a816eb3b936d4d2..a0f54f7b0883fc04f65fee940a58e5884791a2bb 100644 --- a/servers/slapd/back-meta/modrdn.c +++ b/servers/slapd/back-meta/modrdn.c @@ -55,7 +55,6 @@ meta_back_modrdn( Operation *op, SlapReply *rs ) dc.rs = rs; if ( op->orr_newSup ) { - int version = LDAP_VERSION3; /* * NOTE: the newParent, if defined, must be on the 
@@ -76,11 +75,25 @@ meta_back_modrdn( Operation *op, SlapReply *rs ) * feature from back-ldap */ - /* newSuperior needs LDAPv3; if we got here, we can safely - * enforce it */ - ldap_set_option( mc->mc_conns[ candidate ].msc_ld, - LDAP_OPT_PROTOCOL_VERSION, &version ); + /* needs LDAPv3 */ + switch ( mi->mi_targets[ candidate ].mt_version ) { + case LDAP_VERSION3: + break; + + case 0: + if ( op->o_protocol == 0 || op->o_protocol == LDAP_VERSION3 ) { + break; + } + /* fall thru */ + default: + /* op->o_protocol cannot be anything but LDAPv3, + * otherwise wouldn't be here */ + rs->sr_err = LDAP_UNWILLING_TO_PERFORM; + maperr = 0; + goto cleanup; + } + /* * Rewrite the new superior, if defined and required */ diff --git a/servers/slapd/back-monitor/compare.c b/servers/slapd/back-monitor/compare.c index 954317b568a0656e2a88784f2e0df6a60ccff6d3..244c8bb69a85523a61e2cbdfb9847e57500ac5e1 100644 --- a/servers/slapd/back-monitor/compare.c +++ b/servers/slapd/back-monitor/compare.c @@ -39,15 +39,12 @@ monitor_back_compare( struct slap_op *op, struct slap_rep *rs) if ( e == NULL ) { rs->sr_err = LDAP_NO_SUCH_OBJECT; if ( matched ) { -#ifdef SLAP_ACL_HONOR_DISCLOSE if ( !access_allowed_mask( op, matched, slap_schema.si_ad_entry, NULL, ACL_DISCLOSE, NULL, NULL ) ) { /* do nothing */ ; - } else -#endif /* SLAP_ACL_HONOR_DISCLOSE */ - { + } else { rs->sr_matched = matched->e_dn; } } @@ -97,13 +94,11 @@ return_results:; break; default: -#ifdef SLAP_ACL_HONOR_DISCLOSE if ( !access_allowed_mask( op, e, slap_schema.si_ad_entry, NULL, ACL_DISCLOSE, NULL, NULL ) ) { rs->sr_err = LDAP_NO_SUCH_OBJECT; } -#endif /* SLAP_ACL_HONOR_DISCLOSE */ break; } diff --git a/servers/slapd/back-monitor/modify.c b/servers/slapd/back-monitor/modify.c index 3602bf548173580c1d7034d62ecfb98e00989932..448bad1950bcbbff7d813bec6bee356d9b57e61f 100644 --- a/servers/slapd/back-monitor/modify.c +++ b/servers/slapd/back-monitor/modify.c 
@@ -45,15 +45,12 @@ monitor_back_modify( Operation *op, SlapReply *rs ) if ( e == NULL ) { rs->sr_err = LDAP_NO_SUCH_OBJECT; if ( matched ) { -#ifdef SLAP_ACL_HONOR_DISCLOSE if ( !access_allowed_mask( op, matched, slap_schema.si_ad_entry, NULL, ACL_DISCLOSE, NULL, NULL ) ) { /* do nothing */ ; - } else -#endif /* SLAP_ACL_HONOR_DISCLOSE */ - { + } else { rs->sr_matched = matched->e_dn; } } @@ -75,7 +72,6 @@ monitor_back_modify( Operation *op, SlapReply *rs ) rc = monitor_entry_modify( op, rs, e ); } -#ifdef SLAP_ACL_HONOR_DISCLOSE if ( rc != LDAP_SUCCESS ) { if ( !access_allowed_mask( op, e, slap_schema.si_ad_entry, NULL, ACL_DISCLOSE, NULL, NULL ) ) @@ -83,7 +79,6 @@ monitor_back_modify( Operation *op, SlapReply *rs ) rc = LDAP_NO_SUCH_OBJECT; } } -#endif /* SLAP_ACL_HONOR_DISCLOSE */ rs->sr_err = rc; send_ldap_result( op, rs ); diff --git a/servers/slapd/back-monitor/search.c b/servers/slapd/back-monitor/search.c index e71afa20b0567be706392d2deeaebeea3cfe0484..3f30f489b5a5239e8017deb26f8a47d759ed1b9c 100644 --- a/servers/slapd/back-monitor/search.c +++ b/servers/slapd/back-monitor/search.c @@ -175,15 +175,12 @@ monitor_back_search( Operation *op, SlapReply *rs ) if ( e == NULL ) { rs->sr_err = LDAP_NO_SUCH_OBJECT; if ( matched ) { -#ifdef SLAP_ACL_HONOR_DISCLOSE if ( !access_allowed_mask( op, matched, slap_schema.si_ad_entry, NULL, ACL_DISCLOSE, NULL, NULL ) ) { /* do nothing */ ; - } else -#endif /* SLAP_ACL_HONOR_DISCLOSE */ - { + } else { rs->sr_matched = matched->e_dn; } } @@ -204,12 +201,9 @@ monitor_back_search( Operation *op, SlapReply *rs ) { monitor_cache_release( mi, e ); -#ifdef SLAP_ACL_HONOR_DISCLOSE if ( !ACL_GRANT( mask, ACL_DISCLOSE ) ) { rs->sr_err = LDAP_NO_SUCH_OBJECT; - } else -#endif /* SLAP_ACL_HONOR_DISCLOSE */ - { + } else { rs->sr_err = LDAP_INSUFFICIENT_ACCESS; } diff --git a/servers/slapd/back-sql/add.c b/servers/slapd/back-sql/add.c index a850858bf550667cd931b9d6d6a9de96ef7b8c74..078df583a1728668eaee3de434789e9d52086921 100644 
--- a/servers/slapd/back-sql/add.c +++ b/servers/slapd/back-sql/add.c @@ -1478,7 +1478,6 @@ done:; * in deleting that row. */ -#ifdef SLAP_ACL_HONOR_DISCLOSE if ( e != NULL ) { int disclose = 1; @@ -1503,7 +1502,6 @@ done:; } } } -#endif /* SLAP_ACL_HONOR_DISCLOSE */ send_ldap_result( op, rs ); slap_graduate_commit_csn( op ); diff --git a/servers/slapd/back-sql/compare.c b/servers/slapd/back-sql/compare.c index 768bab8f0afb61a94dfb8604e831a07719baaf0d..47b2914e3ea341f055e5e43a8c8c91ee88cf85d9 100644 --- a/servers/slapd/back-sql/compare.c +++ b/servers/slapd/back-sql/compare.c @@ -150,7 +150,6 @@ return_results:; break; default: -#ifdef SLAP_ACL_HONOR_DISCLOSE if ( !BER_BVISNULL( &e.e_nname ) && ! access_allowed( op, &e, slap_schema.si_ad_entry, NULL, @@ -159,7 +158,6 @@ return_results:; rs->sr_err = LDAP_NO_SUCH_OBJECT; rs->sr_text = NULL; } -#endif /* SLAP_ACL_HONOR_DISCLOSE */ break; } diff --git a/servers/slapd/back-sql/delete.c b/servers/slapd/back-sql/delete.c index bd2ee37c7d81c929bec9217718c56aa9a04db782..a6656a89844014fcd3221e2b21f3ff0d736dcaac 100644 --- a/servers/slapd/back-sql/delete.c +++ b/servers/slapd/back-sql/delete.c @@ -448,7 +448,6 @@ backsql_delete( Operation *op, SlapReply *rs ) } done:; -#ifdef SLAP_ACL_HONOR_DISCLOSE if ( e != NULL ) { if ( !access_allowed( op, e, slap_schema.si_ad_entry, NULL, ACL_DISCLOSE, NULL ) ) @@ -462,7 +461,6 @@ done:; } } } -#endif /* SLAP_ACL_HONOR_DISCLOSE */ send_ldap_result( op, rs ); diff --git a/servers/slapd/back-sql/modify.c b/servers/slapd/back-sql/modify.c index c6c84b0c02a54568f1c1b2a2ed104e109949f90a..a3a93d983790d8751e76f84eac61a3048fa88dc7 100644 --- a/servers/slapd/back-sql/modify.c +++ b/servers/slapd/back-sql/modify.c @@ -174,7 +174,6 @@ do_transact:; SQLTransact( SQL_NULL_HENV, dbh, CompletionType ); done:; -#ifdef SLAP_ACL_HONOR_DISCLOSE if ( e != NULL ) { if ( !access_allowed( op, e, slap_schema.si_ad_entry, NULL, ACL_DISCLOSE, NULL ) ) 
@@ -188,7 +187,6 @@ done:; } } } -#endif /* SLAP_ACL_HONOR_DISCLOSE */ send_ldap_result( op, rs ); slap_graduate_commit_csn( op ); diff --git a/servers/slapd/back-sql/modrdn.c b/servers/slapd/back-sql/modrdn.c index 756f99798cf472a2b7dd3c2bde891746d0a19613..1c81cead296a9a68023a045965eb1983988313ed 100644 --- a/servers/slapd/back-sql/modrdn.c +++ b/servers/slapd/back-sql/modrdn.c @@ -464,7 +464,6 @@ backsql_modrdn( Operation *op, SlapReply *rs ) } done:; -#ifdef SLAP_ACL_HONOR_DISCLOSE if ( e != NULL ) { if ( !access_allowed( op, e, slap_schema.si_ad_entry, NULL, ACL_DISCLOSE, NULL ) ) @@ -478,7 +477,6 @@ done:; } } } -#endif /* SLAP_ACL_HONOR_DISCLOSE */ /* * Commit only if all operations succeed diff --git a/servers/slapd/back-sql/search.c b/servers/slapd/back-sql/search.c index 787380a08902bcaa1830d4c1314977fef38ef023..c1ea9952f50bf8243805aebeda74817a9570ffc2 100644 --- a/servers/slapd/back-sql/search.c +++ b/servers/slapd/back-sql/search.c @@ -1968,7 +1968,6 @@ backsql_search( Operation *op, SlapReply *rs ) /* fall thru */ default: -#ifdef SLAP_ACL_HONOR_DISCLOSE if ( !BER_BVISNULL( &base_entry.e_nname ) && !access_allowed( op, &base_entry, slap_schema.si_ad_entry, NULL, @@ -1982,7 +1981,6 @@ backsql_search( Operation *op, SlapReply *rs ) rs->sr_matched = NULL; rs->sr_text = NULL; } -#endif /* SLAP_ACL_HONOR_DISCLOSE */ send_ldap_result( op, rs ); @@ -1997,7 +1995,6 @@ backsql_search( Operation *op, SlapReply *rs ) goto done; } -#ifdef SLAP_ACL_HONOR_DISCLOSE /* NOTE: __NEW__ "search" access is required * on searchBase object */ { @@ -2028,7 +2025,6 @@ backsql_search( Operation *op, SlapReply *rs ) goto done; } } -#endif /* SLAP_ACL_HONOR_DISCLOSE */ bsi.bsi_e = NULL; diff --git a/servers/slapd/backend.c b/servers/slapd/backend.c index e4df383b0c941e4a57e35ff4b43138706b6244ba..f054e506779869b28d4dff99642f0e24174e7102 100644 --- a/servers/slapd/backend.c +++ b/servers/slapd/backend.c 
@@ -1420,13 +1420,8 @@ backend_group( be_orig = op->o_bd; op->o_bd = frontendDB; -#ifdef SLAP_OVERLAY_ACCESS rc = frontendDB->be_group( op, target, gr_ndn, op_ndn, group_oc, group_at ); -#else /* ! SLAP_OVERLAY_ACCESS */ - rc = fe_acl_group( op, target, gr_ndn, - op_ndn, group_oc, group_at ); -#endif /* ! SLAP_OVERLAY_ACCESS */ op->o_bd = be_orig; return rc; @@ -1573,13 +1568,8 @@ backend_attribute( be_orig = op->o_bd; op->o_bd = frontendDB; -#ifdef SLAP_OVERLAY_ACCESS rc = frontendDB->be_attribute( op, target, edn, entry_at, vals, access ); -#else /* !SLAP_OVERLAY_ACCESS */ - rc = fe_acl_attribute( op, target, edn, - entry_at, vals, access ); -#endif /* !SLAP_OVERLAY_ACCESS */ op->o_bd = be_orig; return rc; diff --git a/servers/slapd/backover.c b/servers/slapd/backover.c index 33b31d540084a8628c5dbcc8f3c480cac38a1b8b..3128840ce9f541c2f470526ae947ab698f1d2327 100644 --- a/servers/slapd/backover.c +++ b/servers/slapd/backover.c @@ -239,7 +239,6 @@ over_back_response ( Operation *op, SlapReply *rs ) return rc; } -#ifdef SLAP_OVERLAY_ACCESS static int over_access_allowed( Operation *op, @@ -450,7 +449,6 @@ over_acl_attribute( return rc; } -#endif /* SLAP_OVERLAY_ACCESS */ /* * default return code in case of missing backend function @@ -1018,12 +1016,10 @@ overlay_config( BackendDB *be, const char *ov ) bi->bi_chk_referrals = over_aux_chk_referrals; bi->bi_chk_controls = over_aux_chk_controls; -#ifdef SLAP_OVERLAY_ACCESS /* these have specific arglists */ bi->bi_access_allowed = over_access_allowed; bi->bi_acl_group = over_acl_group; bi->bi_acl_attribute = over_acl_attribute; -#endif /* SLAP_OVERLAY_ACCESS */ bi->bi_connection_init = over_connection_init; bi->bi_connection_destroy = over_connection_destroy; diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c index bcbed43cb455c57d53938bb331d6b944943dd8f8..8cf659b1ca6d62e4d80bbd5925571b1a5cec16c0 100644 --- a/servers/slapd/bconfig.c +++ b/servers/slapd/bconfig.c 
@@ -4928,9 +4928,7 @@ config_back_initialize( BackendInfo *bi ) bi->bi_chk_referrals = 0; -#ifdef SLAP_OVERLAY_ACCESS bi->bi_access_allowed = slap_access_always_allowed; -#endif /* SLAP_OVERLAY_ACCESS */ bi->bi_connection_init = 0; bi->bi_connection_destroy = 0; diff --git a/servers/slapd/compare.c b/servers/slapd/compare.c index bbe9774e1dd6f2526cf1c5afbdab10ab06059bfb..55dca8040574af004bda49dc380f1cea6ba38043 100644 --- a/servers/slapd/compare.c +++ b/servers/slapd/compare.c @@ -284,7 +284,6 @@ fe_op_compare( Operation *op, SlapReply *rs ) } } else { -#ifdef SLAP_ACL_HONOR_DISCLOSE /* return error only if "disclose" * is granted on the object */ if ( backend_access( op, NULL, &op->o_req_ndn, @@ -293,7 +292,6 @@ fe_op_compare( Operation *op, SlapReply *rs ) { rs->sr_err = LDAP_NO_SUCH_OBJECT; } -#endif /* SLAP_ACL_HONOR_DISCLOSE */ } send_ldap_result( op, rs ); @@ -328,7 +326,6 @@ fe_op_compare( Operation *op, SlapReply *rs ) ava.aa_desc, &vals, ACL_COMPARE ); switch ( rs->sr_err ) { default: -#ifdef SLAP_ACL_HONOR_DISCLOSE /* return error only if "disclose" * is granted on the object */ if ( backend_access( op, NULL, &op->o_req_ndn, @@ -338,7 +335,6 @@ fe_op_compare( Operation *op, SlapReply *rs ) { rs->sr_err = LDAP_NO_SUCH_OBJECT; } -#endif /* SLAP_ACL_HONOR_DISCLOSE */ break; case LDAP_SUCCESS: @@ -416,7 +412,6 @@ static int compare_entry( } done: -#ifdef LDAP_ACL_HONOR_DISCLOSE if( rc != LDAP_COMPARE_TRUE && rc != LDAP_COMPARE_FALSE ) { if ( ! access_allowed( op, e, slap_schema.si_ad_entry, NULL, ACL_DISCLOSE, NULL ) ) @@ -424,7 +419,6 @@ done: rc = LDAP_NO_SUCH_OBJECT; } } -#endif return rc; } diff --git a/servers/slapd/config.c b/servers/slapd/config.c index 2322f3a3413ac6b630e57cefcbc6bf65b89ae88b..34ebb1d25cd4df9f5d2a1b2f604439814aeca354 100644 --- a/servers/slapd/config.c +++ b/servers/slapd/config.c @@ -1296,6 +1296,7 @@ void bindconf_free( slap_bindconf *bc ) { #endif } +#ifdef HAVE_TLS static struct { const char *key; size_t offset; 
@@ -1362,6 +1363,7 @@ int bindconf_tls_set( slap_bindconf *bc, LDAP *ld ) return res; } +#endif /* -------------------------------------- */ diff --git a/servers/slapd/entry.c b/servers/slapd/entry.c index c389f6b0a21f3151679e738a66694ebc2e078585..93c27985b3cf116155dfdac3c73c83ea02f1bfb9 100644 --- a/servers/slapd/entry.c +++ b/servers/slapd/entry.c @@ -269,23 +269,14 @@ str2entry2( char *s, int checkvals ) ad->ad_type->sat_syntax->ssyn_pretty; if ( pretty ) { -#ifdef SLAP_ORDERED_PRETTYNORM rc = ordered_value_pretty( ad, &vals[i], &pval, NULL ); -#else /* ! SLAP_ORDERED_PRETTYNORM */ - rc = pretty( ad->ad_type->sat_syntax, - &vals[i], &pval, NULL ); -#endif /* ! SLAP_ORDERED_PRETTYNORM */ } else if ( validate ) { /* * validate value per syntax */ -#ifdef SLAP_ORDERED_PRETTYNORM rc = ordered_value_validate( ad, &vals[i], LDAP_MOD_ADD ); -#else /* ! SLAP_ORDERED_PRETTYNORM */ - rc = validate( ad->ad_type->sat_syntax, &vals[i] ); -#endif /* ! SLAP_ORDERED_PRETTYNORM */ } else { Debug( LDAP_DEBUG_ANY, @@ -315,19 +306,11 @@ str2entry2( char *s, int checkvals ) if ( ad->ad_type->sat_equality && ad->ad_type->sat_equality->smr_normalize ) { -#ifdef SLAP_ORDERED_PRETTYNORM rc = ordered_value_normalize( SLAP_MR_VALUE_OF_ATTRIBUTE_SYNTAX, ad, ad->ad_type->sat_equality, &vals[i], &nvals[i], NULL ); -#else /* ! SLAP_ORDERED_PRETTYNORM */ - rc = ad->ad_type->sat_equality->smr_normalize( - SLAP_MR_VALUE_OF_ATTRIBUTE_SYNTAX, - ad->ad_type->sat_syntax, - ad->ad_type->sat_equality, - &vals[i], &nvals[i], NULL ); -#endif /* ! SLAP_ORDERED_PRETTYNORM */ if ( rc ) { Debug( LDAP_DEBUG_ANY, diff --git a/servers/slapd/frontend.c b/servers/slapd/frontend.c index a7796565bfd3ae623ff290215508c7c13eaa8d06..dd27a9d5cf1be4b3410b1fe1047cf383c658eec9 100644 --- a/servers/slapd/frontend.c +++ b/servers/slapd/frontend.c 
@@ -119,11 +119,9 @@ frontend_init( void ) frontendDB->bd_info->bi_entry_get_rw = fe_entry_get_rw; frontendDB->bd_info->bi_entry_release_rw = fe_entry_release_rw; #endif -#ifdef SLAP_OVERLAY_ACCESS frontendDB->bd_info->bi_access_allowed = fe_access_allowed; frontendDB->bd_info->bi_acl_group = fe_acl_group; frontendDB->bd_info->bi_acl_attribute = fe_acl_attribute; -#endif /* SLAP_OVERLAY_ACCESS */ #if 0 /* FIXME: is this too early? */ diff --git a/servers/slapd/main.c b/servers/slapd/main.c index 79a83434dbd7fcf38d585daca08b7489771b3159..76f30adf45729f19e83df3deaafcd10881dc1dc2 100644 --- a/servers/slapd/main.c +++ b/servers/slapd/main.c @@ -963,8 +963,10 @@ stop: /* Setting it to itself decreases refcount, allowing it to be freed * when the LD is freed. */ - ldap_pvt_tls_set_option( slap_tls_ld, LDAP_OPT_X_TLS_CTX, slap_tls_ctx ); - ldap_ld_free( slap_tls_ld, 0, NULL, NULL ); + if ( slap_tls_ld ) { + ldap_pvt_tls_set_option( slap_tls_ld, LDAP_OPT_X_TLS_CTX, slap_tls_ctx ); + ldap_unbind( slap_tls_ld ); + } ldap_pvt_tls_destroy(); #endif diff --git a/servers/slapd/modify.c b/servers/slapd/modify.c index 9770919784b8283a008b4a3c9cce0c8c9eef0b14..dc2af62473d507d6a2f33ccd6a7a2398b88e98d7 100644 --- a/servers/slapd/modify.c +++ b/servers/slapd/modify.c @@ -656,21 +656,11 @@ int slap_mods_check( struct berval pval; if ( pretty ) { -#ifdef SLAP_ORDERED_PRETTYNORM rc = ordered_value_pretty( ad, &ml->sml_values[nvals], &pval, ctx ); -#else /* ! SLAP_ORDERED_PRETTYNORM */ - rc = pretty( ad->ad_type->sat_syntax, - &ml->sml_values[nvals], &pval, ctx ); -#endif /* ! SLAP_ORDERED_PRETTYNORM */ } else { -#ifdef SLAP_ORDERED_PRETTYNORM rc = ordered_value_validate( ad, &ml->sml_values[nvals], ml->sml_op ); -#else /* ! SLAP_ORDERED_PRETTYNORM */ - rc = validate( ad->ad_type->sat_syntax, - &ml->sml_values[nvals] ); -#endif /* ! SLAP_ORDERED_PRETTYNORM */ } if( rc != 0 ) { 
@@ -716,19 +706,11 @@ int slap_mods_check( (nvals+1)*sizeof(struct berval), ctx ); for ( nvals = 0; !BER_BVISNULL( &ml->sml_values[nvals] ); nvals++ ) { -#ifdef SLAP_ORDERED_PRETTYNORM rc = ordered_value_normalize( SLAP_MR_VALUE_OF_ATTRIBUTE_SYNTAX, ad, ad->ad_type->sat_equality, &ml->sml_values[nvals], &ml->sml_nvalues[nvals], ctx ); -#else /* ! SLAP_ORDERED_PRETTYNORM */ - rc = ad->ad_type->sat_equality->smr_normalize( - SLAP_MR_VALUE_OF_ATTRIBUTE_SYNTAX, - ad->ad_type->sat_syntax, - ad->ad_type->sat_equality, - &ml->sml_values[nvals], &ml->sml_nvalues[nvals], ctx ); -#endif /* ! SLAP_ORDERED_PRETTYNORM */ if ( rc ) { Debug( LDAP_DEBUG_ANY, "<= str2entry NULL (ssyn_normalize %d)\n", diff --git a/servers/slapd/overlays/dds.c b/servers/slapd/overlays/dds.c index b701e9e61124fc1eb98ac8f9bf0f55b8faef85f1..137712b8ca0a9fa452727c976aeab72eda573074 100644 --- a/servers/slapd/overlays/dds.c +++ b/servers/slapd/overlays/dds.c @@ -357,7 +357,6 @@ dds_op_add( Operation *op, SlapReply *rs ) slap_schema.si_oc_dynamicObject, NULL, 0, &e ); if ( rc == LDAP_SUCCESS && e != NULL ) { if ( !is_dynamicObject ) { -#ifdef SLAP_ACL_HONOR_DISCLOSE /* return referral only if "disclose" * is granted on the object */ if ( ! access_allowed( op, e, @@ -367,9 +366,7 @@ dds_op_add( Operation *op, SlapReply *rs ) rc = rs->sr_err = LDAP_NO_SUCH_OBJECT; send_ldap_result( op, rs ); - } else -#endif /* SLAP_ACL_HONOR_DISCLOSE */ - { + } else { rc = rs->sr_err = LDAP_CONSTRAINT_VIOLATION; send_ldap_error( op, rs, rc, "no static subordinate entries allowed for dynamicObject" ); } 
@@ -580,15 +577,12 @@ dds_op_modify( Operation *op, SlapReply *rs ) if ( BER_BVISEMPTY( &bv_entryTtl ) || !bvmatch( &bv_entryTtl, &mod->sml_values[ 0 ] ) ) { -#ifdef SLAP_ACL_HONOR_DISCLOSE rs->sr_err = backend_attribute( op, NULL, &op->o_req_ndn, slap_schema.si_ad_entry, NULL, ACL_DISCLOSE ); if ( rs->sr_err == LDAP_INSUFFICIENT_ACCESS ) { rs->sr_err = LDAP_NO_SUCH_OBJECT; - } else -#endif /* SLAP_ACL_HONOR_DISCLOSE */ - { + } else { rs->sr_err = LDAP_NO_SUCH_ATTRIBUTE; } goto done; @@ -609,15 +603,12 @@ dds_op_modify( Operation *op, SlapReply *rs ) assert( BER_BVISNULL( &mod->sml_values[ 1 ] ) ); if ( !BER_BVISEMPTY( &bv_entryTtl ) ) { -#ifdef SLAP_ACL_HONOR_DISCLOSE rs->sr_err = backend_attribute( op, NULL, &op->o_req_ndn, slap_schema.si_ad_entry, NULL, ACL_DISCLOSE ); if ( rs->sr_err == LDAP_INSUFFICIENT_ACCESS ) { rs->sr_err = LDAP_NO_SUCH_OBJECT; - } else -#endif /* SLAP_ACL_HONOR_DISCLOSE */ - { + } else { rs->sr_text = "attribute 'entryTtl' cannot have multiple values"; rs->sr_err = LDAP_CONSTRAINT_VIOLATION; } @@ -649,15 +640,12 @@ dds_op_modify( Operation *op, SlapReply *rs ) case LDAP_MOD_INCREMENT: if ( BER_BVISEMPTY( &bv_entryTtl ) ) { -#ifdef SLAP_ACL_HONOR_DISCLOSE rs->sr_err = backend_attribute( op, NULL, &op->o_req_ndn, slap_schema.si_ad_entry, NULL, ACL_DISCLOSE ); if ( rs->sr_err == LDAP_INSUFFICIENT_ACCESS ) { rs->sr_err = LDAP_NO_SUCH_OBJECT; - } else -#endif /* SLAP_ACL_HONOR_DISCLOSE */ - { + } else { rs->sr_err = LDAP_NO_SUCH_ATTRIBUTE; rs->sr_text = "modify/increment: entryTtl: no such attribute"; } @@ -678,7 +666,6 @@ dds_op_modify( Operation *op, SlapReply *rs ) } if ( rs->sr_err != LDAP_SUCCESS ) { -#ifdef SLAP_ACL_HONOR_DISCLOSE rc = backend_attribute( op, NULL, &op->o_req_ndn, slap_schema.si_ad_entry, NULL, ACL_DISCLOSE ); if ( rc == LDAP_INSUFFICIENT_ACCESS ) { @@ -686,7 +673,6 @@ dds_op_modify( Operation *op, SlapReply *rs ) rs->sr_err = LDAP_NO_SUCH_OBJECT; } -#endif /* SLAP_ACL_HONOR_DISCLOSE */ goto done; } 
@@ -761,7 +747,6 @@ done:; rs->sr_err = LDAP_OBJECT_CLASS_VIOLATION; } -#ifdef SLAP_ACL_HONOR_DISCLOSE if ( rc != LDAP_SUCCESS ) { rc = backend_attribute( op, NULL, &op->o_req_ndn, slap_schema.si_ad_entry, NULL, ACL_DISCLOSE ); @@ -770,7 +755,6 @@ done:; rs->sr_err = LDAP_NO_SUCH_OBJECT; } } -#endif /* SLAP_ACL_HONOR_DISCLOSE */ } } @@ -850,7 +834,6 @@ dds_op_rename( Operation *op, SlapReply *rs ) slap_schema.si_oc_dynamicObject, NULL, 0, &e ); if ( rc == LDAP_SUCCESS && e != NULL ) { if ( !is_dynamicObject ) { -#ifdef SLAP_ACL_HONOR_DISCLOSE /* return referral only if "disclose" * is granted on the object */ if ( ! access_allowed( op, e, @@ -860,9 +843,7 @@ dds_op_rename( Operation *op, SlapReply *rs ) rs->sr_err = LDAP_NO_SUCH_OBJECT; send_ldap_result( op, rs ); - } else -#endif /* SLAP_ACL_HONOR_DISCLOSE */ - { + } else { send_ldap_error( op, rs, LDAP_CONSTRAINT_VIOLATION, "static entry cannot have dynamicObject as newSuperior" ); } @@ -1072,7 +1053,6 @@ dds_op_extended( Operation *op, SlapReply *rs ) rs->sr_err = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &e ); if ( rs->sr_err == LDAP_SUCCESS && e != NULL ) { -#ifdef SLAP_ACL_HONOR_DISCLOSE /* return referral only if "disclose" * is granted on the object */ if ( ! access_allowed( op, e, @@ -1081,9 +1061,7 @@ dds_op_extended( Operation *op, SlapReply *rs ) { rs->sr_err = LDAP_NO_SUCH_OBJECT; - } else -#endif /* SLAP_ACL_HONOR_DISCLOSE */ - { + } else { rs->sr_err = LDAP_OBJECT_CLASS_VIOLATION; rs->sr_text = "refresh operation only applies to dynamic objects"; } @@ -1976,7 +1954,7 @@ init_module( int argc, char *argv[] ) do_not_load_schema = no; } else { - Log( LDAP_DEBUG_ANY, LDAP_LEVEL_ERR, + Log2( LDAP_DEBUG_ANY, LDAP_LEVEL_ERR, "DDS unknown module arg[#%d]=\"%s\".\n", i, argv[ i ] ); return 1; diff --git a/servers/slapd/overlays/rwm.c b/servers/slapd/overlays/rwm.c index 5626eb3c710d0f5b0ec6501b1ec19976c62706a8..95cc42225d6d739402b72b297ac03e1f61fc5635 100644 --- a/servers/slapd/overlays/rwm.c 
+++ b/servers/slapd/overlays/rwm.c @@ -26,6 +26,9 @@ #include "slap.h" #include "rwm.h" +static int +rwm_db_destroy( BackendDB *be ); + static int rwm_op_dn_massage( Operation *op, SlapReply *rs, void *cookie ) { @@ -1150,12 +1153,11 @@ rwm_chk_referrals( Operation *op, SlapReply *rs ) static int rwm_rw_config( - BackendDB *be, - const char *fname, - int lineno, - int argc, - char **argv -) + BackendDB *be, + const char *fname, + int lineno, + int argc, + char **argv ) { #ifdef ENABLE_REWRITE slap_overinst *on = (slap_overinst *) be->bd_info; @@ -1175,12 +1177,11 @@ rwm_rw_config( static int rwm_suffixmassage_config( - BackendDB *be, - const char *fname, - int lineno, - int argc, - char **argv -) + BackendDB *be, + const char *fname, + int lineno, + int argc, + char **argv ) { slap_overinst *on = (slap_overinst *) be->bd_info; struct ldaprwmap *rwmap = @@ -1269,12 +1270,11 @@ rwm_suffixmassage_config( static int rwm_m_config( - BackendDB *be, - const char *fname, - int lineno, - int argc, - char **argv -) + BackendDB *be, + const char *fname, + int lineno, + int argc, + char **argv ) { slap_overinst *on = (slap_overinst *) be->bd_info; struct ldaprwmap *rwmap = @@ -1352,12 +1352,11 @@ rwm_response( Operation *op, SlapReply *rs ) static int rwm_db_config( - BackendDB *be, - const char *fname, - int lineno, - int argc, - char **argv -) + BackendDB *be, + const char *fname, + int lineno, + int argc, + char **argv ) { slap_overinst *on = (slap_overinst *) be->bd_info; struct ldaprwmap *rwmap = @@ -1425,8 +1424,7 @@ rwm_db_config( static int rwm_db_init( - BackendDB *be -) + BackendDB *be ) { slap_overinst *on = (slap_overinst *) be->bd_info; struct ldapmapping *mapping = NULL; 
@@ -1434,14 +1432,15 @@ rwm_db_init( #ifdef ENABLE_REWRITE char *rargv[ 3 ]; #endif /* ENABLE_REWRITE */ + int rc = 0; rwmap = (struct ldaprwmap *)ch_calloc( 1, sizeof( struct ldaprwmap ) ); #ifdef ENABLE_REWRITE rwmap->rwm_rw = rewrite_info_init( REWRITE_MODE_USE_DEFAULT ); if ( rwmap->rwm_rw == NULL ) { - ch_free( rwmap ); - return -1; + rc = -1; + goto error_return; } /* this rewriteContext by default must be null; @@ -1460,18 +1459,23 @@ rwm_db_init( if ( rwm_map_init( &rwmap->rwm_oc, &mapping ) != LDAP_SUCCESS || rwm_map_init( &rwmap->rwm_at, &mapping ) != LDAP_SUCCESS ) { - return 1; + rc = 1; + goto error_return; } +error_return:; on->on_bi.bi_private = (void *)rwmap; - return 0; + if ( rc ) { + (void)rwm_db_destroy( be ); + } + + return rc; } static int rwm_db_destroy( - BackendDB *be -) + BackendDB *be ) { slap_overinst *on = (slap_overinst *) be->bd_info; int rc = 0; @@ -1503,8 +1507,11 @@ rwm_db_destroy( static slap_overinst rwm = { { NULL } }; +#if SLAPD_OVER_RWM == SLAPD_MOD_DYNAMIC +static +#endif /* SLAPD_OVER_RWM == SLAPD_MOD_DYNAMIC */ int -rwm_initialize(void) +rwm_initialize( void ) { memset( &rwm, 0, sizeof( slap_overinst ) ); diff --git a/servers/slapd/overlays/rwmmap.c b/servers/slapd/overlays/rwmmap.c index 13a261dcc2396c463ae8fb40de1d7c9a0b8df657..dce3a95f73087fdd218f13695ac00cf23b289758 100644 --- a/servers/slapd/overlays/rwmmap.c +++ b/servers/slapd/overlays/rwmmap.c @@ -84,6 +84,7 @@ rwm_map_init( struct ldapmap *lm, struct ldapmapping **m ) /* FIXME: I don't think this is needed any more... */ rc = slap_str2ad( "objectClass", &mapping[0].m_src_ad, &text ); if ( rc != LDAP_SUCCESS ) { + ch_free( mapping ); return rc; } @@ -112,6 +113,10 @@ rwm_mapping( struct ldapmap *map, struct berval *s, struct ldapmapping **m, int Avlnode *tree; struct ldapmapping fmapping; + if ( map == NULL ) { + return 0; + } + assert( m != NULL ); if ( remap == RWM_REMAP ) { 
@@ -156,12 +161,11 @@ rwm_map( struct ldapmap *map, struct berval *s, struct berval *bv, int remap ) */ int rwm_map_attrnames( - struct ldapmap *at_map, - struct ldapmap *oc_map, - AttributeName *an, - AttributeName **anp, - int remap -) + struct ldapmap *at_map, + struct ldapmap *oc_map, + AttributeName *an, + AttributeName **anp, + int remap ) { int i, j; @@ -246,7 +250,6 @@ rwm_map_attrnames( at_drop_missing = rwm_mapping( at_map, &an[i].an_name, &m, remap ); if ( at_drop_missing || !m ) { - oc_drop_missing = rwm_mapping( oc_map, &an[i].an_name, &m, remap ); /* if both at_map and oc_map required to drop missing, @@ -301,6 +304,7 @@ rwm_map_attrnames( if ( j == 0 && i != 0 ) { memset( &(*anp)[0], 0, sizeof( AttributeName ) ); BER_BVSTR( &(*anp)[0].an_name, LDAP_NO_ATTRS ); + j = 1; } memset( &(*anp)[j], 0, sizeof( AttributeName ) ); @@ -309,11 +313,10 @@ rwm_map_attrnames( int rwm_map_attrs( - struct ldapmap *at_map, - AttributeName *an, - int remap, - char ***mapped_attrs -) + struct ldapmap *at_map, + AttributeName *an, + int remap, + char ***mapped_attrs ) { int i, j; char **na; @@ -323,9 +326,8 @@ rwm_map_attrs( return LDAP_SUCCESS; } - for ( i = 0; !BER_BVISNULL( &an[ i ].an_name ); i++ ) { - /* */ - } + for ( i = 0; !BER_BVISNULL( &an[ i ].an_name ); i++ ) + /* count'em */ ; na = (char **)ch_calloc( i + 1, sizeof( char * ) ); if ( na == NULL ) { @@ -361,12 +363,12 @@ rwm_map_attrs( static int map_attr_value( - dncookie *dc, - AttributeDescription **adp, - struct berval *mapped_attr, - struct berval *value, - struct berval *mapped_value, - int remap ) + dncookie *dc, + AttributeDescription **adp, + struct berval *mapped_attr, + struct berval *value, + struct berval *mapped_value, + int remap ) { struct berval vtmp = BER_BVNULL; int freeval = 0; 
@@ -442,10 +444,10 @@ map_attr_value( static int rwm_int_filter_map_rewrite( - Operation *op, - dncookie *dc, - Filter *f, - struct berval *fstr ) + Operation *op, + dncookie *dc, + Filter *f, + struct berval *fstr ) { int i; Filter *p; @@ -468,6 +470,9 @@ rwm_int_filter_map_rewrite( ber_bvnone = BER_BVC( "(?=none)" ); ber_len_t len; + assert( fstr != NULL ); + BER_BVZERO( fstr ); + if ( f == NULL ) { ber_dupbv( fstr, &ber_bvnone ); return LDAP_OTHER; @@ -720,10 +725,10 @@ computed:; int rwm_filter_map_rewrite( - Operation *op, - dncookie *dc, - Filter *f, - struct berval *fstr ) + Operation *op, + dncookie *dc, + Filter *f, + struct berval *fstr ) { int rc; dncookie fdc; @@ -1077,8 +1082,7 @@ rwm_dnattr_rewrite( int rwm_referral_result_rewrite( dncookie *dc, - BerVarray a_vals -) + BerVarray a_vals ) { int i, last; @@ -1156,8 +1160,7 @@ rwm_referral_result_rewrite( int rwm_dnattr_result_rewrite( dncookie *dc, - BerVarray a_vals -) + BerVarray a_vals ) { int i, last; diff --git a/servers/slapd/overlays/translucent.c b/servers/slapd/overlays/translucent.c index 3770e8f38e8e5abc2ab14d262f492972060e5769..43d7f45cbfe337dcd5b24b438e6b17aaf07b9335 100644 --- a/servers/slapd/overlays/translucent.c +++ b/servers/slapd/overlays/translucent.c @@ -208,7 +208,8 @@ static int translucent_delete(Operation *op, SlapReply *rs) { static int translucent_tag_cb( Operation *op, SlapReply *rs ) { - op->o_tag = (ber_tag_t)op->o_callback->sc_private; + op->o_tag = LDAP_REQ_MODIFY; + op->orm_modlist = op->o_callback->sc_private; rs->sr_tag = slap_req2res( op->o_tag ); return SLAP_CB_CONTINUE; @@ -400,7 +401,7 @@ release: glue_parent(&nop); cb.sc_response = translucent_tag_cb; - cb.sc_private = (void *)LDAP_REQ_MODIFY; + cb.sc_private = op->orm_modlist; cb.sc_next = nop.o_callback; nop.o_callback = &cb; rc = on->on_info->oi_orig->bi_op_add(&nop, &nrs); 
diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h index 2ce5974c9a3bff2a12cee002e85147e08932167d..3697dad902fabe5554ff441b9523dcdc5abc7936 100644 --- a/servers/slapd/proto-slap.h +++ b/servers/slapd/proto-slap.h @@ -50,7 +50,6 @@ LDAP_SLAPD_F (int) access_allowed_mask LDAP_P(( AccessControlState *state, slap_mask_t *mask )); #define access_allowed(op,e,desc,val,access,state) access_allowed_mask(op,e,desc,val,access,state,NULL) -#ifdef SLAP_OVERLAY_ACCESS LDAP_SLAPD_F (int) slap_access_allowed LDAP_P(( Operation *op, Entry *e, @@ -67,7 +66,6 @@ LDAP_SLAPD_F (int) slap_access_always_allowed LDAP_P(( slap_access_t access, AccessControlState *state, slap_mask_t *maskp )); -#endif /* SLAP_OVERLAY_ACCESS */ LDAP_SLAPD_F (int) acl_check_modlist LDAP_P(( Operation *op, Entry *e, Modifications *ml )); @@ -418,6 +416,7 @@ LDAP_SLAPD_F (int) overlay_op_walk LDAP_P(( * bconfig.c */ LDAP_SLAPD_F (int) slap_loglevel_register LDAP_P (( slap_mask_t m, struct berval *s )); +LDAP_SLAPD_F (int) slap_loglevel_get LDAP_P(( struct berval *s, int *l )); LDAP_SLAPD_F (int) str2loglevel LDAP_P(( const char *s, int *l )); LDAP_SLAPD_F (int) loglevel2bvarray LDAP_P(( int l, BerVarray *bva )); LDAP_SLAPD_F (const char *) loglevel2str LDAP_P(( int l )); @@ -1440,7 +1439,6 @@ LDAP_SLAPD_F (int) slap_sasl_rewrite_config LDAP_P(( int argc, char **argv )); #endif /* SLAP_AUTH_REWRITE */ -#ifdef SLAP_AUTHZ_SYNTAX LDAP_SLAPD_F (int) authzValidate LDAP_P(( Syntax *syn, struct berval *in )); #if 0 @@ -1464,7 +1462,6 @@ LDAP_SLAPD_F (int) authzNormalize LDAP_P(( struct berval *val, struct berval *normalized, void *ctx )); -#endif /* SLAP_AUTHZ_SYNTAX */ /* * schema.c diff --git a/servers/slapd/root_dse.c b/servers/slapd/root_dse.c index ac523a65a5ab383eb187f0d7107fbba91b57c5d5..356cbc78a68182b7c59ac41ae7c6bc2bcf4ca2fd 100644 --- a/servers/slapd/root_dse.c +++ b/servers/slapd/root_dse.c 
@@ -477,7 +477,8 @@ slap_discover_feature( return rc; } - rc = ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &version ); + rc = ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, + (const void *)&version ); if ( rc != LDAP_SUCCESS ) { goto done; } diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c index c309d110fb638b6a0b91537d42bd8113d8c6678d..9b8a07f825719f7405f31bc1714949f185c492e2 100644 --- a/servers/slapd/saslauthz.c +++ b/servers/slapd/saslauthz.c @@ -202,7 +202,6 @@ int slap_parse_user( struct berval *id, struct berval *user, return LDAP_SUCCESS; } -#ifdef SLAP_AUTHZ_SYNTAX int authzValidate( Syntax *syntax, @@ -919,7 +918,6 @@ authzPretty( return rc; } -#endif /* SLAP_AUTHZ_SYNTAX */ static int slap_parseURI( @@ -936,9 +934,7 @@ slap_parseURI( int rc; LDAPURLDesc *ludp; -#ifdef SLAP_ORDERED_PRETTYNORM struct berval idx; -#endif /* SLAP_ORDERED_PRETTYNORM */ assert( uri != NULL && !BER_BVISNULL( uri ) ); BER_BVZERO( base ); @@ -952,7 +948,6 @@ slap_parseURI( rc = LDAP_PROTOCOL_ERROR; -#ifdef SLAP_ORDERED_PRETTYNORM idx = *uri; if ( idx.bv_val[ 0 ] == '{' ) { char *ptr; @@ -965,7 +960,6 @@ slap_parseURI( idx.bv_val = ptr; uri = &idx; } -#endif /* SLAP_ORDERED_PRETTYNORM */ /* * dn[.<dnstyle>]:<dnpattern> @@ -1677,13 +1671,7 @@ slap_sasl_match( Operation *opx, struct berval *rule, /* NOTE: don't normalize rule if authz syntax is enabled */ rc = slap_parseURI( opx, rule, &base, &op.o_req_ndn, - &op.ors_scope, &op.ors_filter, &op.ors_filterstr, -#ifdef SLAP_AUTHZ_SYNTAX - 0 -#else /* ! SLAP_AUTHZ_SYNTAX */ - 1 -#endif /* ! SLAP_AUTHZ_SYNTAX */ - ); + &op.ors_scope, &op.ors_filter, &op.ors_filterstr, 0 ); if( rc != LDAP_SUCCESS ) goto CONCLUDED; diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c index 854a49b5c1fd1c8ea086b817b80913e06a7e823a..fe237767a4ec85d2adb273a7b599d26ca296eafa 100644 --- a/servers/slapd/schema_init.c +++ b/servers/slapd/schema_init.c 
@@ -67,10 +67,8 @@ #define csnIndexer generalizedTimeIndexer #define csnFilter generalizedTimeFilter -#ifdef SLAP_AUTHZ_SYNTAX /* FIXME: temporary */ #define authzMatch octetStringMatch -#endif /* SLAP_AUTHZ_SYNTAX */ unsigned int index_substr_if_minlen = SLAP_INDEX_SUBSTR_IF_MINLEN_DEFAULT; unsigned int index_substr_if_maxlen = SLAP_INDEX_SUBSTR_IF_MAXLEN_DEFAULT; @@ -4180,11 +4178,9 @@ static slap_syntax_defs_rec syntax_defs[] = { {"( 1.3.6.1.4.1.4203.1.1.1 DESC 'OpenLDAP void' )" , SLAP_SYNTAX_HIDE, inValidate, NULL}, -#ifdef SLAP_AUTHZ_SYNTAX /* FIXME: OID is unused, but not registered yet */ {"( 1.3.6.1.4.1.4203.666.2.7 DESC 'OpenLDAP authz' )", SLAP_SYNTAX_HIDE, authzValidate, authzPretty}, -#endif /* SLAP_AUTHZ_SYNTAX */ {NULL, 0, NULL, NULL} }; @@ -4618,7 +4614,6 @@ static slap_mrule_defs_rec mrule_defs[] = { NULL, NULL, "CSNMatch" }, -#ifdef SLAP_AUTHZ_SYNTAX /* FIXME: OID is unused, but not registered yet */ {"( 1.3.6.1.4.1.4203.666.4.12 NAME 'authzMatch' " "SYNTAX 1.3.6.1.4.1.4203.666.2.7 )", @@ -4626,7 +4621,6 @@ static slap_mrule_defs_rec mrule_defs[] = { NULL, authzNormalize, authzMatch, NULL, NULL, NULL}, -#endif /* SLAP_AUTHZ_SYNTAX */ {NULL, SLAP_MR_NONE, NULL, NULL, NULL, NULL, NULL, NULL, @@ -4687,6 +4681,8 @@ schema_destroy( void ) mru_destroy(); syn_destroy(); - ldap_pvt_thread_mutex_destroy( &ad_undef_mutex ); - ldap_pvt_thread_mutex_destroy( &oc_undef_mutex ); + if( schema_init_done ) { + ldap_pvt_thread_mutex_destroy( &ad_undef_mutex ); + ldap_pvt_thread_mutex_destroy( &oc_undef_mutex ); + } } diff --git a/servers/slapd/schema_prep.c b/servers/slapd/schema_prep.c index 92d7feae6b701821c16c4a85745d6d5a43219b81..881ca16251e8569b3733b3da87b5b9c5db0d473d 100644 --- a/servers/slapd/schema_prep.c +++ b/servers/slapd/schema_prep.c 
@@ -855,16 +855,9 @@ static struct slap_schema_ad_map { { "authzTo", "( 1.3.6.1.4.1.4203.666.1.8 " "NAME ( 'authzTo' 'saslAuthzTo' ) " "DESC 'proxy authorization targets' " -#ifdef SLAP_AUTHZ_SYNTAX "EQUALITY authzMatch " "SYNTAX 1.3.6.1.4.1.4203.666.2.7 " -#else /* ! SLAP_AUTHZ_SYNTAX */ - "EQUALITY caseExactMatch " - "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 " -#endif /* ! SLAP_AUTHZ_SYNTAX */ -#ifdef SLAP_ORDERED_PRETTYNORM "X-ORDERED 'VALUES' " -#endif /* SLAP_ORDERED_PRETTYNORM */ "USAGE distributedOperation )", NULL, SLAP_AT_HIDE, NULL, NULL, @@ -873,16 +866,9 @@ static struct slap_schema_ad_map { { "authzFrom", "( 1.3.6.1.4.1.4203.666.1.9 " "NAME ( 'authzFrom' 'saslAuthzFrom' ) " "DESC 'proxy authorization sources' " -#ifdef SLAP_AUTHZ_SYNTAX "EQUALITY authzMatch " "SYNTAX 1.3.6.1.4.1.4203.666.2.7 " -#else /* ! SLAP_AUTHZ_SYNTAX */ - "EQUALITY caseExactMatch " - "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 " -#endif /* ! SLAP_AUTHZ_SYNTAX */ -#ifdef SLAP_ORDERED_PRETTYNORM "X-ORDERED 'VALUES' " -#endif /* SLAP_ORDERED_PRETTYNORM */ "USAGE distributedOperation )", NULL, SLAP_AT_HIDE, NULL, NULL, diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h index 0136ab8242f8458e98dac8e67f04a361951aabce..c150e339da2d2bf6616c56b43a4471986ec9b390 100644 --- a/servers/slapd/slap.h +++ b/servers/slapd/slap.h 
@@ -64,26 +64,19 @@ LDAP_BEGIN_DECL #define SLAP_SEM_LOAD_CONTROL #endif -#define SLAP_ACL_HONOR_DISCLOSE /* partially implemented */ -#define SLAP_ACL_HONOR_MANAGE /* not yet implemented */ -#define SLAP_OVERLAY_ACCESS +#ifdef LDAP_DEVEL +#define LDAP_COLLECTIVE_ATTRIBUTES #define LDAP_COMP_MATCH -#define LDAP_DYNAMIC_OBJECTS #define LDAP_SYNC_TIMESTAMP -#define LDAP_COLLECTIVE_ATTRIBUTES -#define SLAP_CONTROL_X_TREE_DELETE LDAP_CONTROL_X_TREE_DELETE +#endif -#define SLAP_ORDERED_PRETTYNORM -#define SLAP_AUTHZ_SYNTAX +#define LDAP_DYNAMIC_OBJECTS +#define SLAP_CONTROL_X_TREE_DELETE LDAP_CONTROL_X_TREE_DELETE #ifdef ENABLE_REWRITE #define SLAP_AUTH_REWRITE 1 /* use librewrite for sasl-regexp */ #endif -#if defined(LDAP_SLAPI) && !defined(SLAP_OVERLAY_ACCESS) -#define SLAP_OVERLAY_ACCESS -#endif - /* * SLAPD Memory allocation macros * @@ -1979,8 +1972,13 @@ typedef struct slap_rep { #define REP_ENTRY_MODIFIABLE 0x0001U #define REP_ENTRY_MUSTBEFREED 0x0002U #define REP_ENTRY_MUSTRELEASE 0x0004U +#define REP_ENTRY_MASK (REP_ENTRY_MODIFIABLE|REP_ENTRY_MUSTBEFREED|REP_ENTRY_MUSTRELEASE) + #define REP_MATCHED_MUSTBEFREED 0x0010U +#define REP_MATCHED_MASK (REP_MATCHED_MUSTBEFREED) + #define REP_REF_MUSTBEFREED 0x0020U +#define REP_REF_MASK (REP_REF_MUSTBEFREED) #define REP_NO_ENTRYDN 0x1000U #define REP_NO_SUBSCHEMA 0x2000U @@ -2019,7 +2017,6 @@ typedef int (BI_entry_get_rw) LDAP_P(( struct slap_op *op, struct berval *ndn, typedef int (BI_operational) LDAP_P(( struct slap_op *op, struct slap_rep *rs )); typedef int (BI_has_subordinates) LDAP_P(( struct slap_op *op, Entry *e, int *hasSubs )); -#ifdef SLAP_OVERLAY_ACCESS typedef int (BI_access_allowed) LDAP_P(( struct slap_op *op, Entry *e, AttributeDescription *desc, struct berval *val, slap_access_t access, AccessControlState *state, slap_mask_t *maskp )); 
@@ -2029,7 +2026,6 @@ typedef int (BI_acl_group) LDAP_P(( struct slap_op *op, Entry *target, typedef int (BI_acl_attribute) LDAP_P(( struct slap_op *op, Entry *target, struct berval *entry_ndn, AttributeDescription *entry_at, BerVarray *vals, slap_access_t access )); -#endif /* SLAP_OVERLAY_ACCESS */ typedef int (BI_conn_func) LDAP_P(( BackendDB *bd, struct slap_conn *c )); typedef BI_conn_func BI_connection_init; @@ -2128,11 +2124,9 @@ struct slap_backend_info { BI_entry_release_rw *bi_entry_release_rw; BI_has_subordinates *bi_has_subordinates; -#ifdef SLAP_OVERLAY_ACCESS BI_access_allowed *bi_access_allowed; BI_acl_group *bi_acl_group; BI_acl_attribute *bi_acl_attribute; -#endif /* SLAP_OVERLAY_ACCESS */ BI_connection_init *bi_connection_init; BI_connection_destroy *bi_connection_destroy; @@ -2699,6 +2693,7 @@ typedef struct slap_conn { } while (0) #define StatslogTest( level ) (ldap_debug & (level)) #else +#define Statslog( level, fmt, connid, opid, arg1, arg2, arg3 ) ((void) 0) #define StatslogTest( level ) (0) #endif diff --git a/servers/slapd/syncrepl.c b/servers/slapd/syncrepl.c index b166e014ac0ed2538a9e5b8412838a8cc8fd2341..b8f9a743297d40dd486c54815d7fedf4e1f6102c 100644 --- a/servers/slapd/syncrepl.c +++ b/servers/slapd/syncrepl.c @@ -436,7 +436,8 @@ do_syncrep1( } op->o_protocol = LDAP_VERSION3; - ldap_set_option( si->si_ld, LDAP_OPT_PROTOCOL_VERSION, &op->o_protocol ); + ldap_set_option( si->si_ld, LDAP_OPT_PROTOCOL_VERSION, + (const void *)&op->o_protocol ); #ifdef HAVE_TLS if ( si->si_check_tls ) { diff --git a/tests/Makefile.in b/tests/Makefile.in index 383d596cf22dc823775086f31114d919251d8957..59575f5fa4b4dca2600af0fdad126c38e97fc4d0 100644 --- a/tests/Makefile.in +++ b/tests/Makefile.in @@ -18,7 +18,6 @@ SUBDIRS= progs BUILD_BDB=@BUILD_BDB@ BUILD_HDB=@BUILD_HDB@ -BUILD_LDBM=@BUILD_LDBM@ BUILD_SQL=@BUILD_SQL@ # test primary backends (default) 
@@ -28,7 +27,6 @@ test tests: # test all backends alltests: tests - @$(MAKE) ldbm @$(MAKE) sql bdb test-bdb: bdb-$(BUILD_BDB) @@ -47,14 +45,6 @@ hdb-yes hdb-mod: FORCE @echo "Initiating LDAP tests for HDB..." @$(RUN) -b hdb all -ldbm test-ldbm: ldbm-$(BUILD_LDBM) -ldbm-no: - @echo "run configure with --enable-ldbm to run LDBM tests" - -ldbm-yes ldbm-mod: FORCE - @echo "Initiating LDAP tests for LDBM..." - @$(RUN) -b ldbm all - sql test-sql: sql-$(BUILD_SQL) sql-no: @echo "run configure with --enable-sql to run SQL tests" diff --git a/tests/scripts/test045-syncreplication-proxied b/tests/scripts/test045-syncreplication-proxied index e7e49dec0b6bcb8b6678b00e49b9c08839092f58..47c9bad8cfdc4b5d76c84442086340a753f71181 100755 --- a/tests/scripts/test045-syncreplication-proxied +++ b/tests/scripts/test045-syncreplication-proxied @@ -163,7 +163,8 @@ case $RC in ;; esac -echo "Using ldapadd to populate the master directory..." +CHECK=1 +echo "$CHECK > Using ldapadd to populate the master directory..." $LDAPADD -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD < \ $LDIFORDEREDNOCP > /dev/null 2>&1 RC=$? @@ -177,7 +178,6 @@ SLEEP=15 echo "Waiting $SLEEP seconds for syncrepl to receive changes..." sleep $SLEEP -CHECK=1 #echo "Using ldapsearch to read all the entries from the master..." $LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT1 \ '(objectClass=*)' > "${MASTEROUT}.1" 2>&1 @@ -205,7 +205,7 @@ fi #echo "Filtering slave results..." . $LDIFFILTER < "${SLAVEOUT}.1" > $SLAVEFLT -echo "$CHECK - Comparing retrieved entries from master and slave..." +echo "$CHECK < Comparing retrieved entries from master and slave..." $CMP $MASTERFLT $SLAVEFLT > $CMPOUT if test $? != 0 ; then @@ -214,8 +214,9 @@ if test $? != 0 ; then exit 1 fi +CHECK=`expr $CHECK + 1` SLEEP=10 -echo "Stopping the provider, sleeping $SLEEP seconds and restarting it..." +echo "$CHECK > Stopping the provider, sleeping $SLEEP seconds and restarting it..." kill -HUP "$MASTERPID" wait $MASTERPID sleep $SLEEP 
@@ -340,7 +341,6 @@ SLEEP=15 echo "Waiting $SLEEP seconds for syncrepl to receive changes..." sleep $SLEEP -CHECK=`expr $CHECK + 1` #echo "Using ldapsearch to read all the entries from the master..." $LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT1 \ '(objectClass=*)' > "${MASTEROUT}.2" 2>&1 @@ -368,7 +368,7 @@ fi #echo "Filtering slave results..." . $LDIFFILTER < "${SLAVEOUT}.2" > $SLAVEFLT -echo "$CHECK - Comparing retrieved entries from master and slave..." +echo "$CHECK < Comparing retrieved entries from master and slave..." $CMP $MASTERFLT $SLAVEFLT > $CMPOUT if test $? != 0 ; then @@ -377,7 +377,8 @@ if test $? != 0 ; then exit 1 fi -echo "Stopping proxy to test recovery..." +CHECK=`expr $CHECK + 1` +echo "$CHECK > Stopping proxy to test recovery..." kill -HUP $PROXYPID wait $PROXYPID @@ -419,7 +420,6 @@ SLEEP=25 echo "Waiting $SLEEP seconds for syncrepl to receive changes..." sleep $SLEEP -CHECK=`expr $CHECK + 1` #echo "Using ldapsearch to read all the entries from the master..." $LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT1 \ '(objectClass=*)' > "${MASTEROUT}.3" 2>&1 @@ -447,7 +447,7 @@ fi #echo "Filtering slave results..." . $LDIFFILTER < "${SLAVEOUT}.3" > $SLAVEFLT -echo "$CHECK - Comparing retrieved entries from master and slave..." +echo "$CHECK < Comparing retrieved entries from master and slave..." $CMP $MASTERFLT $SLAVEFLT > $CMPOUT if test $? != 0 ; then @@ -456,10 +456,10 @@ if test $? != 0 ; then exit 1 fi -if test ! $BACKLDAP = "ldapno" ; then - echo "Try updating the slave slapd..." - $LDAPMODIFY -v -D "$MANAGERDN" -h $LOCALHOST -p $PORT2 -w $PASSWD > \ - $TESTOUT 2>&1 << EOMODS +CHECK=`expr $CHECK + 1` +echo "$CHECK > Try updating the slave slapd..." +$LDAPMODIFY -v -D "$MANAGERDN" -h $LOCALHOST -p $PORT2 -w $PASSWD > \ + $TESTOUT 2>&1 << EOMODS dn: cn=James A Jones 1, ou=Alumni Association, ou=People, dc=example, dc=com changetype: modify add: description 
@@ -468,56 +468,55 @@ description: unless the chain overlay is configured appropriately ;) EOMODS - RC=$? - if test $RC != 0 ; then - echo "ldapmodify failed ($RC)!" - test $KILLSERVERS != no && kill -HUP $KILLPIDS - exit $RC - fi +RC=$? +if test $RC != 0 ; then + echo "ldapmodify failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi - SLEEP=15 - echo "Waiting $SLEEP seconds for syncrepl to receive changes..." - sleep $SLEEP +SLEEP=15 +echo "Waiting $SLEEP seconds for syncrepl to receive changes..." +sleep $SLEEP - CHECK=`expr $CHECK + 1` - #echo "Using ldapsearch to read all the entries from the master..." - $LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT1 \ - '(objectClass=*)' > "${MASTEROUT}.4" 2>&1 - RC=$? +#echo "Using ldapsearch to read all the entries from the master..." +$LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT1 \ + '(objectClass=*)' > "${MASTEROUT}.4" 2>&1 +RC=$? - if test $RC != 0 ; then - echo "ldapsearch failed at master ($RC)!" - test $KILLSERVERS != no && kill -HUP $KILLPIDS - exit $RC - fi +if test $RC != 0 ; then + echo "ldapsearch failed at master ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi - #echo "Using ldapsearch to read all the entries from the slave..." - $LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT2 \ - '(objectClass=*)' > "${SLAVEOUT}.4" 2>&1 - RC=$? +#echo "Using ldapsearch to read all the entries from the slave..." +$LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT2 \ +'(objectClass=*)' > "${SLAVEOUT}.4" 2>&1 +RC=$? - if test $RC != 0 ; then - echo "ldapsearch failed at slave ($RC)!" - test $KILLSERVERS != no && kill -HUP $KILLPIDS - exit $RC - fi +if test $RC != 0 ; then + echo "ldapsearch failed at slave ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi - #echo "Filtering master results..." - . $LDIFFILTER < "${MASTEROUT}.4" > $MASTERFLT - #echo "Filtering slave results..." - . 
$LDIFFILTER < "${SLAVEOUT}.4" > $SLAVEFLT +#echo "Filtering master results..." +. $LDIFFILTER < "${MASTEROUT}.4" > $MASTERFLT +#echo "Filtering slave results..." +. $LDIFFILTER < "${SLAVEOUT}.4" > $SLAVEFLT - echo "$CHECK - Comparing retrieved entries from master and slave..." - $CMP $MASTERFLT $SLAVEFLT > $CMPOUT +echo "$CHECK < Comparing retrieved entries from master and slave..." +$CMP $MASTERFLT $SLAVEFLT > $CMPOUT - if test $? != 0 ; then - echo "test failed - master and slave databases differ" - test $KILLSERVERS != no && kill -HUP $KILLPIDS - exit 1 - fi +if test $? != 0 ; then + echo "test failed - master and slave databases differ" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit 1 fi -echo "Stopping consumer to test recovery..." +CHECK=`expr $CHECK + 1` +echo "$CHECK > Stopping consumer to test recovery..." kill -HUP $SLAVEPID wait $SLAVEPID @@ -549,7 +548,6 @@ SLEEP=25 echo "Waiting $SLEEP seconds for syncrepl to receive changes..." sleep $SLEEP -CHECK=`expr $CHECK + 1` #echo "Using ldapsearch to read all the entries from the master..." $LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT1 \ '(objectClass=*)' > "${MASTEROUT}.5" 2>&1 
@@ -577,21 +575,23 @@ fi #echo "Filtering slave results..." . $LDIFFILTER < "${SLAVEOUT}.5" > $SLAVEFLT -echo "$CHECK - Comparing retrieved entries from master and slave..." +echo "$CHECK < Comparing retrieved entries from master and slave..." $CMP $MASTERFLT $SLAVEFLT > $CMPOUT if test $? != 0 ; then - #echo " test failed - master and slave databases differ (ignored by now)" - echo "test failed - master and slave databases differ" - test $KILLSERVERS != no && kill -HUP $KILLPIDS - exit 1 + # FIXME: keep the original workaround in place, in case we needed again + if test 1 = 1 ; then + echo "test failed - master and slave databases differ" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit 1 + fi - # keep alive - in case we need it again + echo " test failed - master and slave databases differ (ignored by now)" echo " Stopping proxy to see if it auto-recovers..." kill -HUP $PROXYPID wait $PROXYPID - echo " Restarting proxy..." + echo " ${CHECK}.1 > Restarting proxy..." echo "======================= RESTART =======================" >> $LOG3 $SLAPD -f $CONF3 -h $URI3 -d $LVL $TIMING >> $LOG3 2>&1 & PROXYPID=$! @@ -619,7 +619,7 @@ if test $? != 0 ; then #echo "Filtering slave results..." . $LDIFFILTER < "${SLAVEOUT}.5.1" > $SLAVEFLT - echo " ${CHECK}.1 - Comparing retrieved entries from master and slave..." + echo " ${CHECK}.1 < Comparing retrieved entries from master and slave..." $CMP $MASTERFLT $SLAVEFLT > $CMPOUT if test $? != 0 ; then @@ -630,9 +630,10 @@ if test $? != 0 ; then fi # -# Modifications known to fail +# Modifications formerly known to fail # -echo "(DEVEL) Performing modifications that are known to fail..." +CHECK=`expr $CHECK + 1` +echo "$CHECK > Performing modifications that were formerly known to fail..." $LDAPMODIFY -v -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD > \ $TESTOUT 2>&1 << EOMODS # First, back out previous change 
@@ -641,7 +642,7 @@ changetype: modify delete: drink drink: Mad Dog 20/20 -# From now on, perform modifications that are known to fail +# From now on, perform modifications that were formerly known to fail dn: cn=All Staff,ou=Groups,dc=example,dc=com changetype: modify delete: description @@ -659,7 +660,6 @@ SLEEP=15 echo "Waiting $SLEEP seconds for syncrepl to receive changes..." sleep $SLEEP -CHECK=`expr $CHECK + 1` #echo "Using ldapsearch to read all the entries from the master..." $LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT1 \ '(objectClass=*)' > "${MASTEROUT}.6" 2>&1 @@ -687,7 +687,7 @@ fi #echo "Filtering slave results..." . $LDIFFILTER < "${SLAVEOUT}.6" > $SLAVEFLT -echo "$CHECK - Comparing retrieved entries from master and slave..." +echo "$CHECK < Comparing retrieved entries from master and slave..." $CMP $MASTERFLT $SLAVEFLT > $CMPOUT if test $? != 0 ; then
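Review bot: the new prototype `LDAP_SLAPD_F (int) slap_loglevel_get LDAP_P(( struct berval *s, int *l ));` in proto-slap.h has no matching definition in the bconfig.c portion of this diff as shown; confirm the function body lands in the same commit, otherwise any caller picked up by the unconditional prototype fails at link time. Also, dropping the `#ifdef SLAP_OVERLAY_ACCESS` / `#ifdef SLAP_AUTHZ_SYNTAX` guards here is only consistent if every other `#ifdef` on those symbols is gone from the tree; a stale guard elsewhere would now silently compile out a declaration that this header exports unconditionally.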
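Review bot: in saslauthz.c the comment `/* NOTE: don't normalize rule if authz syntax is enabled */` above `slap_parseURI( ..., 0 )` now describes a conditional that no longer exists; reword it to state the actual reason (the rule was already normalized by `authzNormalize` at config time, so re-normalizing here would be wasted work or a double transformation). The `{n}` index-prefix stripping (`if ( idx.bv_val[ 0 ] == '{' )`) also becomes unconditional with the removal of `SLAP_ORDERED_PRETTYNORM`; since this routine is on the SASL authorization path, make sure the prefix parser is bounds-checked against `bv_len` and not only against the terminating character, as authz rules can come from user-writable attribute values.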
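Review bot: the `if( schema_init_done )` guard around the two `ldap_pvt_thread_mutex_destroy` calls in `schema_destroy()` is the right fix for destroying never-initialized mutexes, but verify that `schema_init_done` is set only after `ad_undef_mutex` and `oc_undef_mutex` are actually initialized, otherwise an early-failure path still hits the same problem. Separately, `#define authzMatch octetStringMatch /* FIXME: temporary */` and the `/* FIXME: OID is unused, but not registered yet */` markers are now compiled into non-devel builds; either resolve the FIXMEs or record in the commit message that equality matching on the authz syntax is deliberately plain octet comparison for now.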
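Review bot: schema_prep.c changes the schema of `authzTo` and `authzFrom` unconditionally from `caseExactMatch` / `SYNTAX 1.3.6.1.4.1.1466.115.121.1.15` to `authzMatch` / `SYNTAX 1.3.6.1.4.1.4203.666.2.7` plus `X-ORDERED 'VALUES'`. Two consequences worth documenting: stored values that previously passed as DirectoryString but fail `authzValidate` will now be rejected on load, so an upgrade note is needed; and the new syntax OID sits in the experimental `666` arc and is marked as not registered, so this should be called out before it ships in a release build rather than behind `LDAP_DEVEL`.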
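Review bot: in slap.h the removed lines `#define SLAP_ACL_HONOR_DISCLOSE /* partially implemented */` and `#define SLAP_ACL_HONOR_MANAGE /* not yet implemented */` carried their own warnings; with the symbols gone the `disclose` and `manage` code paths are unconditional, so confirm that `manage` is now actually enforced in the ACL engine (the removed comment said it was not), otherwise granting `manage` in an olcAccess rule would document an access level that is not checked. The same hunk also moves `LDAP_COMP_MATCH`, `LDAP_SYNC_TIMESTAMP` and `LDAP_COLLECTIVE_ATTRIBUTES` under `#ifdef LDAP_DEVEL`, which disables those features in release builds; that is a behaviour change that belongs in the commit message and CHANGES, not only in the header.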
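Review bot: the syncrepl.c hunk only adds the `(const void *)` cast, but the call `ldap_set_option( si->si_ld, LDAP_OPT_PROTOCOL_VERSION, (const void *)&op->o_protocol );` still ignores the return value, whereas the otherwise identical root_dse.c hunk checks `rc != LDAP_SUCCESS` and bails. If setting LDAPv3 fails, the replication session proceeds with the library default, so mirror the root_dse.c pattern and fail `do_syncrep1` on a non-success return.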
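Review bot: in test045 the "Try updating the slave slapd" block loses its `if test ! $BACKLDAP = "ldapno" ; then` guard when it is de-indented, so the `$LDAPMODIFY ... -p $PORT2` step now runs even when back-ldap is not built. That is presumably fine because the proxy this test depends on is itself back-ldap, but confirm the script already exits earlier for `BACKLDAP=ldapno`; otherwise this step turns a skipped test into a failing one.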
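Review bot: the `if test 1 = 1 ; then ... exit 1 fi` introduced in the last comparison block of test045 makes everything after it in the failure branch unreachable, including the "Stopping proxy to see if it auto-recovers" restart and the `${CHECK}.1` comparison. Dead shell code with a `# FIXME` rots quickly; either delete the recovery path or gate it on an environment variable (for example one that defaults to the strict behaviour) so the auto-recovery check can still be exercised on demand.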