Commit 1aab846b authored by Kurt Zeilenga's avatar Kurt Zeilenga

Sync with HEAD

parent 8135769f
......@@ -1131,11 +1131,10 @@ print_entry(
}
write_ldif( LDIF_PUT_VALUE, "dn", bv.bv_val, bv.bv_len );
rc = ldap_int_get_controls( ber, &ctrls );
rc = ldap_pvt_get_controls( ber, &ctrls );
if( rc != LDAP_SUCCESS ) {
fprintf(stderr, _("print_entry: %d\n"), rc );
ldap_perror( ld, "ldap_get_entry_controls" );
ldap_perror( ld, "ldap_pvt_get_controls" );
exit( EXIT_FAILURE );
}
......
......@@ -151,8 +151,9 @@ OL_ARG_WITH(cyrus_sasl,[ --with-cyrus-sasl with Cyrus SASL support],
auto, [auto yes no] )
OL_ARG_WITH(fetch,[ --with-fetch with fetch(3) URL support],
auto, [auto yes no] )
OL_ARG_WITH(kerberos,[ --with-kerberos with Kerberos support],
auto, [auto k5 k5only k425 kth k4 afs yes no])
dnl OL_ARG_WITH(kerberos,[ --with-kerberos with Kerberos support],
dnl auto, [auto k5 k5only k425 kth k4 afs yes no])
ol_with_kerberos=${ol_with_kerberos-auto}
OL_ARG_WITH(threads,[ --with-threads with threads],
auto, [auto nt posix mach pth lwp yes no manual] )
OL_ARG_WITH(tls,[ --with-tls with TLS/SSL support],
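Review bot: Commenting out the OL_ARG_WITH(kerberos) call removes the `--with-kerberos` switch from the help text and argument parsing, while `ol_with_kerberos=${ol_with_kerberos-auto}` keeps Kerberos autodetection enabled, so the only way left to turn it off is to set the shell variable by hand. If retiring the option is intended, a `dnl` line stating why (and what replaces it) would keep a later merge from restoring it; if this is a temporary disable, the dnl'd lines should say so instead.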
......
......@@ -64,3 +64,12 @@ sasl-regexp uidNumber=(.*)\\+gidNumber=(.*),cn=peercred,cn=external,cn=auth
sasl-regexp uid=(.*),cn=external,cn=auth
ldap:///dc=example,dc=com??sub?(uid=$1)
One more update: you can use the ldapdb_starttls keyword to use the
StartTLS extended operation on an LDAP session. This item may be set
to either "try" or "demand", e.g.:
ldapdb_uri: ldap://ldap.example.com
ldapdb_starttls: try
When set to "try" any failure in StartTLS is ignored. When set to "demand"
then any failure aborts the connection.
......@@ -38,6 +38,7 @@ typedef struct ldapctx {
struct berval id; /* SASL authcid to bind as */
struct berval pw; /* password for bind */
struct berval mech; /* SASL mech */
int use_tls; /* Issue StartTLS request? */
} ldapctx;
typedef struct gluectx {
......@@ -87,11 +88,11 @@ static void ldapdb_auxprop_lookup(void *glob_context,
int ret, i, n, *aindx;
const struct propval *pr;
LDAP *ld = NULL;
gluectx gc = { ctx, sparams };
gluectx gc;
struct berval *dn = NULL, **bvals;
LDAPMessage *msg, *res;
char **attrs = NULL, *authzid = NULL;
LDAPControl c, *ctrl[2] = {&c, NULL};
LDAPControl c, *ctrl[2];
if(!ctx || !sparams || !user) return;
......@@ -145,14 +146,26 @@ static void ldapdb_auxprop_lookup(void *glob_context,
i = LDAP_VERSION3;
ret = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &i);
/* If TLS is set and it fails, continue or bail out as requested */
if (ctx->use_tls && ldap_start_tls_s(ld, NULL, NULL) != LDAP_SUCCESS) {
if (ctx->use_tls > 1) goto done;
}
gc.lc = ctx;
gc.lp = sparams;
ret = ldap_sasl_interactive_bind_s(ld, NULL, ctx->mech.bv_val, NULL, NULL,
LDAP_SASL_QUIET, ldapdb_interact, &gc);
if (ret != LDAP_SUCCESS) goto done;
ctrl[0] = &c;
ctrl[1] = NULL;
ret = ldap_whoami_s(ld, &dn, ctrl, NULL);
if (ret != LDAP_SUCCESS || !dn) goto done;
if (dn->bv_val && !strncmp(dn->bv_val, "dn:", 3))
if (!dn->bv_val || strncmp(dn->bv_val, "dn:", 3)) {
ber_bvfree(dn);
goto done;
}
ret = ldap_search_s(ld, dn->bv_val+3, LDAP_SCOPE_BASE, "(objectclass=*)",
attrs, 0, &res);
ber_bvfree(dn);
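Review bot: The StartTLS branch `if (ctx->use_tls && ldap_start_tls_s(ld, NULL, NULL) != LDAP_SUCCESS)` drops the failure silently when use_tls is 1 ("try"), so the SASL bind that follows, carrying ctx->pw, proceeds over a cleartext connection with nothing recorded to show that TLS was not negotiated. Even under "try" semantics the failure should be logged through whatever logging hook the plugin has in scope here (not visible in this hunk) so an operator can distinguish a downgraded session from a negotiated one. The values 1 and 2 are also compared as bare numbers in two places; naming them next to the ldapctx definition, for example `enum { LDAPDB_TLS_NONE, LDAPDB_TLS_TRY, LDAPDB_TLS_DEMAND };`, and using the names in the `> 1` test here and in the assignments in ldapdb_auxprop_plug_init would make the policy readable. ldapdb_auxprop_lookup begins and ends outside this hunk, and the control `c` placed into `ctrl[0]` is filled in somewhere not shown, so it is worth confirming it is set before the ldap_whoami_s call.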
......@@ -210,6 +223,8 @@ static int ldapdb_auxprop_plug_init(const sasl_utils_t *utils,
if(max_version < SASL_AUXPROP_PLUG_VERSION) return SASL_BADVERS;
memset(&tmp, 0, sizeof(tmp));
utils->getopt(utils->getopt_context, ldapdb, "ldapdb_uri", &tmp.uri, NULL);
if(!tmp.uri) return SASL_BADPARAM;
......@@ -222,6 +237,12 @@ static int ldapdb_auxprop_plug_init(const sasl_utils_t *utils,
utils->getopt(utils->getopt_context, ldapdb, "ldapdb_mech",
(const char **)&tmp.mech.bv_val, &len);
tmp.mech.bv_len = len;
utils->getopt(utils->getopt_context, ldapdb, "ldapdb_starttls", &s, NULL);
if (s)
{
if (!strcasecmp(s, "demand")) tmp.use_tls = 2;
else if (!strcasecmp(s, "try")) tmp.use_tls = 1;
}
utils->getopt(utils->getopt_context, ldapdb, "ldapdb_rc", &s, &len);
if (s)
{
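Review bot: An unrecognized value for ldapdb_starttls leaves tmp.use_tls at 0 (from the memset of tmp earlier in the function), so a misspelling such as `ldapdb_starttls: demmand` (constructed example) silently disables StartTLS instead of failing configuration; a transport-policy option should fail closed. Add an `else return SASL_BADPARAM;` after the `"try"` branch, matching how a missing ldapdb_uri is rejected a few lines earlier, and decide whether an explicit `off`/`no` spelling should be accepted. ldapdb_auxprop_plug_init continues outside this hunk.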
......
......@@ -60,7 +60,7 @@ or LDAP_SCOPE_SUBTREE, to search the object and all its descendents.
.LP
\fIFilter\fP is a string
representation of the filter to apply in the search. Simple filters
can be specified as \fIattributetype=attributevalue\fP. More complex
can be specified as \fI(attributetype=attributevalue)\fP. More complex
filters are specified using a prefix notation according to the following
BNF:
.LP
......@@ -81,8 +81,8 @@ described in RFC 2254. In addition, <attributevalue> can be a single *
to achieve an attribute existence test, or can contain text and *'s
interspersed to achieve substring matching.
.LP
For example, the filter "mail=*" will find any entries that have a mail
attribute. The filter "mail=*@terminator.rs.itd.umich.edu" will find
For example, the filter "(mail=*)" will find any entries that have a mail
attribute. The filter "(mail=*@terminator.rs.itd.umich.edu)" will find
any entries that have a mail attribute ending in the specified string.
To put parentheses in a filter, escape them with a backslash '\\'
character. See RFC 2254 for a more complete description of allowable
......@@ -90,7 +90,7 @@ filters.
.LP
\fIAttrs\fP is a null-terminated array of attribute types to return
from entries that match \fIfilter\fP.
If NULL is specified, all attributes will be returned.
If NULL is specified, the return of all user attributes is requested.
The type "*" (LDAP_ALL_USER_ATTRIBUTES) may be used to request
all user attributes to be returned.
The type "+"(LDAP_ALL_OPERATIONAL_ATTRIBUTES) may be used to request
......@@ -114,13 +114,12 @@ returns -1 in case of trouble.
.SH NOTES
Note that both read
and list functionality are subsumed by these routines,
by using a filter like "objectclass=*" and a scope of LDAP_SCOPE_BASE (to
by using a filter like "(objectclass=*)" and a scope of LDAP_SCOPE_BASE (to
emulate read) or LDAP_SCOPE_ONELEVEL (to emulate list).
.LP
These routines may dynamically allocate memory. The caller is
responsible for freeing such memory using supplied deallocation
routines. Return values are contained
in <ldap.h>.
routines. Return values are contained in <ldap.h>.
.SH SEE ALSO
.BR ldap (3),
.BR ldap_result (3),
......
......@@ -123,11 +123,19 @@ OpenLDAP also has the `binary' option built in, but this is a transfer
option, not a tagging option.
.HP
.hy 0
.B attributetype "(\ <oid> [NAME\ <name>] [OBSOLETE]\
.B attributetype "(\ <oid>\
[NAME\ <name>]\
[DESC\ <description>]\
[SUP\ <oid>] [EQUALITY\ <oid>] [ORDERING\ <oid>]\
[SUBSTR\ <oid>] [SYNTAX\ <oidlen>] [SINGLE\-VALUE] [COLLECTIVE]\
[NO\-USER\-MODIFICATION] [USAGE\ <attributeUsage>]\ )"
[OBSOLETE]\
[SUP\ <oid>]\
[EQUALITY\ <oid>]\
[ORDERING\ <oid>]\
[SUBSTR\ <oid>]\
[SYNTAX\ <oidlen>]\
[SINGLE\-VALUE]\
[COLLECTIVE]\
[NO\-USER\-MODIFICATION]\
[USAGE\ <attributeUsage>]\ )"
.RS
Specify an attribute type using the LDAPv3 syntax defined in RFC 2252.
The slapd parser extends the RFC 2252 definition by allowing string
......@@ -227,6 +235,25 @@ disables Start TLS from forcing session to anonymous status (see also
.B tls_authc
disables StartTLS if authenticated (see also
.BR tls_2_anon ).
.HP
.hy 0
.B ditcontentrule "(\ <oid>\
[NAME\ <name>]\
[DESC\ <description>]\
[OBSOLETE]\
[AUX\ <oids>]\
[MUST\ <oids>]\
[MAY\ <oids>]\
[NOT\ <oids>]\ )"
.RS
Specify an DIT Content Rule using the LDAPv3 syntax defined in RFC 2252.
The slapd parser extends the RFC 2252 definition by allowing string
forms as well as numeric OIDs to be used for the attribute OID and
attribute syntax OID.
(See the
.B objectidentifier
description.)
.RE
.TP
.B gentlehup { on | off }
A SIGHUP signal will only cause a 'gentle' shutdown-attempt:
......@@ -457,9 +484,14 @@ option are only usable if slapd was compiled with --enable-modules.
Specify a list of directories to search for loadable modules. Typically
the path is colon-separated but this depends on the operating system.
.HP
.B objectclass "( <oid> [NAME <name>] [DESC <description] [OBSOLETE]\
[SUP <oids>] [{ ABSTRACT | STRUCTURAL | AUXILIARY }] [MUST <oids>]\
[MAY <oids>] )"
.hy 0
.B objectclass "(\ <oid>\
[NAME\ <name>]\
[DESC\ <description]\
[OBSOLETE]\
[SUP\ <oids>]\
[{ ABSTRACT | STRUCTURAL | AUXILIARY }]\
[MUST\ <oids>] [MAY\ <oids>] )"
.RS
Specify an objectclass using the LDAPv3 syntax defined in RFC 2252.
The slapd parser extends the RFC 2252 definition by allowing string
......@@ -971,6 +1003,7 @@ This option puts the database into "read-only" mode. Any attempts to
modify the database will return an "unwilling to perform" error. By
default, readonly is off.
.HP
.hy 0
.B replica uri=ldap[s]://<hostname>[:port]|host=<hostname>[:port]
.B [starttls=yes|critical]
.B [suffix=<suffix> [...]]
......@@ -1102,6 +1135,7 @@ Specify the referral to pass back when
is asked to modify a replicated local database.
If specified multiple times, each url is provided.
.HP
.hy 0
.B syncrepl id=<replica ID>
.B provider=ldap[s]://<hostname>[:port]
.B [updatedn=<dn>]
......@@ -1322,8 +1356,9 @@ default slapd configuration file
.BR slapd-shell (5),
.BR slapd-sql (5),
.BR slapd-tcl (5),
.BR slapd.replog (5),
.BR slapd.access (5),
.BR slapd.plugin (5),
.BR slapd.replog (5),
.BR slapd (8),
.BR slapadd (8),
.BR slapcat (8),
......
......@@ -42,9 +42,12 @@ is as follows:
.LP
If slapd is compiled with \fI--enable-slapi\fP, support for plugins
according to \fINetscape's Directory Server Plug-Ins\fP.
Version 4.0 of the API is currently implemented.
Version 4 of the API is currently implemented, with some extensions
from version 5.
.LP
Database specific data may contain plugin information.
Both global and database specific data may contain plugin information.
Plugins associated with a specific database are called before global
plugins.
This manpage details the
.BR slapd (8)
configuration statements that affect the loading of SLAPI \fIplugins\fP.
......@@ -63,10 +66,13 @@ can be one of
that is executed before processing the operation for the specified
database,
.BR postoperation ,
that is execured after the operation for the specified database
has been processed, or
.BR extendedop .
The latter is used when executing an extended operation [FIXME].
that is executed after the operation for the specified database
has been processed,
.BR extendedop ,
that is used when executing an extended operation, or
.BR object .
The latter is used for miscellaneous types such as ACL, computed
attribute and search filter rewriter plugins.
.LP
The
.BR <libpath>
......@@ -79,7 +85,9 @@ The
argument specifies what symbol must be called when the plugin is first
loaded.
This function should register the functions provided by the plugin
for the desired operations.
for the desired operations. It should be noted that it is this
init function, not the plugin type specified as the first argument,
that determines when and for what operations the plugin will be invoked.
The optional
.BR <arguments>
list is passed to the init function.
......
......@@ -158,6 +158,17 @@ extern char ber_pvt_opt_on;
#define LBER_OPT_ERROR (-1)
#define LBER_ELEMENT_SIZEOF (256) /* must be >= sizeof(BerElement) */
typedef union ber_buffer_u {
char charbuf[LBER_ELEMENT_SIZEOF];
/* force alignment */
int intbuf;
long longbuf;
float floatbuf;
double doublebuf;
char* ptrbuf;
} BerElementBuffer;
typedef struct berelement BerElement;
typedef struct sockbuf Sockbuf;
typedef struct seqorset Seqorset;
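Review bot: The comment on LBER_ELEMENT_SIZEOF says the value must be at least sizeof(BerElement), and BerElementBuffer now invites callers to place a BerElement in 256 bytes of automatic storage, but nothing checks that relation, so if struct berelement ever grows past 256 bytes the overrun is silent. Since berelement is opaque in this header, put a compile-time check where the full struct is visible (liblber's internal header), e.g. `typedef char ber_element_size_check[ sizeof(struct berelement) <= LBER_ELEMENT_SIZEOF ? 1 : -1 ];`, which needs nothing beyond C89. A one-line comment on the union saying it exists only to reserve correctly aligned storage, and that its members are never read, would stop someone from treating intbuf or ptrbuf as data.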
......
......@@ -155,6 +155,9 @@ LDAP_F (struct ldapcontrol *) ldap_control_dup LDAP_P((
LDAP_F (struct ldapcontrol **) ldap_controls_dup LDAP_P((
struct ldapcontrol *const *ctrls ));
LDAP_F (int) ldap_int_get_controls LDAP_P((
BerElement *be,
struct ldapcontrol ***ctrlsp));
#ifdef HAVE_CYRUS_SASL
/* cyrus.c */
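Review bot: The prototype added here is named `ldap_int_get_controls`, but the definition in controls.c in this same commit is renamed to `ldap_pvt_get_controls`, and every caller updated on this page (print_entry, ldap_parse_result, ldap_parse_intermediate, ldap_get_entry_controls, ldap_parse_reference) uses the new name, while the old ldap_int_get_controls declaration is deleted in the `@@ -402,10 +402,6 @@` hunk. As shown, the callers have no prototype for ldap_pvt_get_controls and the declared ldap_int_get_controls has no definition; unless a file outside this page supplies the matching declaration, this line should read `LDAP_F (int) ldap_pvt_get_controls LDAP_P((`. Moving the declaration from the internal header to ldap_pvt.h also changes it from library-internal to exported-but-private API, so a short comment stating that it is not part of the public LDAP interface would set expectations for the callers this enables.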
......
......@@ -114,7 +114,7 @@ ldap_int_put_controls(
return LDAP_SUCCESS;
}
int ldap_int_get_controls(
int ldap_pvt_get_controls(
BerElement *ber,
LDAPControl ***ctrls )
{
......
......@@ -341,7 +341,7 @@ ldap_parse_result(
}
if( tag != LBER_ERROR ) {
int rc = ldap_int_get_controls( ber, serverctrls );
int rc = ldap_pvt_get_controls( ber, serverctrls );
if( rc != LDAP_SUCCESS ) {
tag = LBER_ERROR;
......
......@@ -376,7 +376,7 @@ ldap_parse_intermediate (
goto free_and_return;
}
rc = ldap_int_get_controls( ber, serverctrls );
rc = ldap_pvt_get_controls( ber, serverctrls );
free_and_return:
ber_free( ber, 0 );
......
......@@ -97,7 +97,7 @@ ldap_get_entry_controls(
goto cleanup_and_return;
}
rc = ldap_int_get_controls( &be, sctrls );
rc = ldap_pvt_get_controls( &be, sctrls );
cleanup_and_return:
if( rc != LDAP_SUCCESS ) {
......
......@@ -402,10 +402,6 @@ LDAP_F (int) ldap_check_cache LDAP_P(( LDAP *ld, ber_tag_t msgtype, BerElement *
/*
* in controls.c
*/
LDAP_F (int) ldap_int_get_controls LDAP_P((
BerElement *be,
LDAPControl ***ctrlsp));
LDAP_F (int) ldap_int_put_controls LDAP_P((
LDAP *ld,
LDAPControl *const *ctrls,
......
......@@ -106,7 +106,7 @@ ldap_parse_reference(
goto free_and_return;
}
rc = ldap_int_get_controls( &be, serverctrls );
rc = ldap_pvt_get_controls( &be, serverctrls );
free_and_return:
......
......@@ -174,12 +174,14 @@ ldap_pvt_runqueue_persistent_backload(
struct re_s* e;
int count = 0;
ldap_pvt_thread_mutex_lock( &rq->rq_mutex );
if ( !LDAP_STAILQ_EMPTY( &rq->task_list )) {
LDAP_STAILQ_FOREACH( e, &rq->task_list, tnext ) {
if ( e->next_sched.tv_sec == 0 )
count++;
}
}
ldap_pvt_thread_mutex_unlock( &rq->rq_mutex );
return count;
}
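Review bot: Taking rq->rq_mutex inside ldap_pvt_runqueue_persistent_backload fixes the unlocked traversal of task_list, but it also makes the function unsafe to call from any path that already holds that mutex, where a non-recursive mutex would deadlock; the other runqueue functions are not on this page, so whether such a caller exists cannot be told from here. State the contract on the function, e.g. `/* must be called without rq->rq_mutex held */`, and check the callers against it. The `LDAP_STAILQ_EMPTY` guard around the FOREACH is redundant since the loop runs zero times on an empty list, but that is pre-existing.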
......@@ -251,6 +251,18 @@ struct berval * UTF8bvnormalize(
last = i;
/* Allocate more space in out if necessary */
if (len - i > outsize - outpos) {
outsize = outsize + ((len - i) - (outsize - outpos));
outtmp = (char *) realloc(out, outsize);
if (outtmp == NULL) {
free(out);
free(ucs);
return NULL;
}
out = outtmp;
}
/* s[i] is ascii */
/* finish off everything up to char before next non-ascii */
for ( i++; (i < len) && LDAP_UTF8_ISASCII(s + i); i++ ) {
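Review bot: The growth step `outsize = outsize + ((len - i) - (outsize - outpos));` enlarges out to exactly the remaining input length, so it leaves no room for a terminating NUL if one is written after the copy; the end of UTF8bvnormalize is outside this hunk, so confirm whether an `out[outpos] = '\0'` or similar follows. Because the growth is exact, input that alternates ASCII and non-ASCII runs can also hit this realloc on every pass; growing by the shortfall plus one, e.g. `outsize += (len - i) - (outsize - outpos) + 1;`, or by doubling, removes the boundary question at no cost. The failure path correctly releases both out and ucs before returning NULL; if the function holds any other allocation at this point, it must be released here as well.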
......
......@@ -135,8 +135,6 @@ retry: /* transaction retry */
/*
* Get the parent dn and see if the corresponding entry exists.
* If the parent does not exist, only allow the "root" user to
* add the entry.
*/
if ( be_issuffix( op->o_bd, &op->oq_add.rs_e->e_nname ) ) {
pdn = slap_empty_bv;
......@@ -285,68 +283,22 @@ retry: /* transaction retry */
} else {
/*
* no parent!
* must be adding entry at suffix or with parent ""
* if not attempting to add entry at suffix or with parent ""
*/
if ( !be_isroot( op->o_bd, &op->o_ndn )) {
if ( be_issuffix( op->o_bd, (struct berval *)&slap_empty_bv )
|| be_isupdate( op->o_bd, &op->o_ndn ) )
{
p = (Entry *)&slap_entry_root;
/* check parent for "children" acl */
rs->sr_err = access_allowed( op, p,
children, NULL, ACL_WRITE, NULL );
p = NULL;
if ( ! rs->sr_err ) {
switch( opinfo.boi_err ) {
case DB_LOCK_DEADLOCK:
case DB_LOCK_NOTGRANTED:
goto retry;
}
#ifdef NEW_LOGGING
LDAP_LOG ( OPERATION, DETAIL1,
"bdb_add: no write access to parent\n", 0, 0, 0 );
#else
Debug( LDAP_DEBUG_TRACE,
"bdb_add: no write access to parent\n",
0, 0, 0 );
#endif
rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
rs->sr_text = "no write access to parent";
goto return_results;
}
} else if ( !is_entry_glue( op->oq_add.rs_e )) {
#ifdef NEW_LOGGING
LDAP_LOG ( OPERATION, DETAIL1, "bdb_add: %s denied\n",
pdn.bv_len == 0 ? "suffix" : "entry at root", 0, 0 );
#else
Debug( LDAP_DEBUG_TRACE, "bdb_add: %s denied\n",
pdn.bv_len == 0 ? "suffix" : "entry at root",
0, 0 );
#endif
rs->sr_err = LDAP_NO_SUCH_OBJECT;
goto return_results;
}
}
#ifdef BDB_SUBENTRIES
if( subentry ) {
if (( !be_isroot( op->o_bd, &op->o_ndn ) || pdn.bv_len > 0 )
&& !is_entry_glue( op->oq_add.rs_e ))
{
#ifdef NEW_LOGGING
LDAP_LOG ( OPERATION, DETAIL1,
"bdb_add: no parent, cannot add subentry\n", 0, 0, 0 );
LDAP_LOG ( OPERATION, DETAIL1, "bdb_add: %s denied\n",
pdn.bv_len == 0 ? "suffix" : "entry at root", 0, 0 );
#else
Debug( LDAP_DEBUG_TRACE,
"bdb_add: no parent, cannot add subentry\n",
0, 0, 0 );
Debug( LDAP_DEBUG_TRACE, "bdb_add: %s denied\n",
pdn.bv_len == 0 ? "suffix" : "entry at root",
0, 0 );
#endif
rs->sr_err = LDAP_NO_SUCH_OBJECT;
rs->sr_text = "no parent, cannot add subentry";
goto return_results;
}
#endif
}
if ( get_assert( op ) &&
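Review bot: The collapsed no-parent check now denies any non-root add, and any root add whose parent is neither present nor the suffix, unless the entry is glue, dropping both the `be_isupdate` allowance and the `access_allowed( op, p, children, NULL, ACL_WRITE, NULL )` test that the removed block performed; if a replica's updatedn is expected to create the suffix entry on first sync, that now fails with noSuchObject. That may well be the intent, but it is a visible tightening of the add policy and should be stated rather than left to be inferred. The rewritten comment `* if not attempting to add entry at suffix or with parent ""` is an unfinished sentence; something like `* no parent: only the root DN may add an entry at the suffix, and only glue entries may be added elsewhere without a parent` says what the condition below enforces. bdb_add starts and ends outside this hunk (the retry label and return_results are not shown).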
......
......@@ -1054,8 +1054,10 @@ gotit:
cx->op->o_tmpfree( save, cx->op->o_tmpmemctx );
if ( nokids ) ei->bei_state |= CACHE_ENTRY_NO_GRANDKIDS;
}
cx->rc = 0;
/* Make sure caller knows it had kids! */
cx->tmp[0]=1;
cx->rc = 0;
} else {
BDB_IDL_CPY( cx->ids, cx->tmp );
}
......