Commit 6d6766c7 authored by Kurt Zeilenga's avatar Kurt Zeilenga

First round of imports from HEAD

parent 9573a397
......@@ -632,7 +632,7 @@ AC_LIBTOOL_DLOPEN
AC_PROG_LIBTOOL
LTSTATIC=""
if test -z "$LTDYNAMIC" -a "${OPENLDAP_CVS}"; then
if test -z "$LTDYNAMIC"; then
LTSTATIC="-static"
fi
AC_SUBST(LTSTATIC)dnl
......
......@@ -266,6 +266,12 @@ pattern, or its trailing part, after a
exactly matches the
.BR domain
pattern.
The
.B domain
of the contacting host is determined by performing a DNS reverse lookup.
As this lookup can easily be spoofed, use of the
.B domain
statement is strongly discouraged. By default, reverse lookups are disabled.
.LP
The statement
.B set=<pattern>
......
......@@ -520,8 +520,8 @@ may be used to require no conditions (useful for clearly globally
set conditions within a particular database).
.TP
.B reverse-lookup on | off
Enable/disable client name reverse lookup (default is
.BR on
Enable/disable client name unverified reverse lookup (default is
.BR off
if compiled with --enable-rlookups).
.TP
.B rootDSE <file>
......
......@@ -164,6 +164,9 @@
/* Define if you have the getpassphrase function. */
#undef HAVE_GETPASSPHRASE
/* Define if you have the getpeereid function. */
#undef HAVE_GETPEEREID
/* Define if you have the getpwnam function. */
#undef HAVE_GETPWNAM
......@@ -233,6 +236,9 @@
/* Define if you have the send function. */
#undef HAVE_SEND
/* Define if you have the sendmsg function. */
#undef HAVE_SENDMSG
/* Define if you have the sendto function. */
#undef HAVE_SENDTO
......@@ -542,6 +548,9 @@
/* Define if you have the <sys/types.h> header file. */
#undef HAVE_SYS_TYPES_H
/* Define if you have the <sys/ucred.h> header file. */
#undef HAVE_SYS_UCRED_H
/* Define if you have the <sys/un.h> header file. */
#undef HAVE_SYS_UN_H
......@@ -695,15 +704,6 @@
/* define to support LAN Manager passwords */
#undef SLAPD_LMHASH
/* set to the number of arguments ctime_r() expects */
#undef CTIME_R_NARGS
/* set to the number of arguments gethostbyname_r() expects */
#undef GETHOSTBYNAME_R_NARGS
/* set to the number of arguments gethostbyaddr_r() expects */
#undef GETHOSTBYADDR_R_NARGS
/* if you have NT Threads */
#undef HAVE_NT_THREADS
......@@ -746,6 +746,15 @@
/* define if you have (or want) no threads */
#undef NO_THREADS
/* set to the number of arguments ctime_r() expects */
#undef CTIME_R_NARGS
/* set to the number of arguments gethostbyname_r() expects */
#undef GETHOSTBYNAME_R_NARGS
/* set to the number of arguments gethostbyaddr_r() expects */
#undef GETHOSTBYADDR_R_NARGS
/* define if Berkeley DB has DB_THREAD support */
#undef HAVE_BERKELEY_DB_THREAD
......@@ -887,9 +896,6 @@
/* define this to add syslog code */
#undef LDAP_SYSLOG
/* define this to remove -lldap cache support */
#undef LDAP_NOCACHE
/* define this for LDAP process title support */
#undef LDAP_PROCTITLE
......
......@@ -19,7 +19,7 @@ SRCS = main.c daemon.c connection.c search.c filter.c add.c cr.c \
schemaparse.c ad.c at.c mr.c syntax.c oc.c saslauthz.c \
oidm.c starttls.c index.c sets.c referral.c \
root_dse.c sasl.c module.c suffixalias.c mra.c mods.c \
limits.c backglue.c operational.c matchedValues.c \
limits.c backglue.c operational.c matchedValues.c cancel.c \
$(@PLAT@_SRCS)
OBJS = main.o daemon.o connection.o search.o filter.o add.o cr.o \
......@@ -32,7 +32,7 @@ OBJS = main.o daemon.o connection.o search.o filter.o add.o cr.o \
schemaparse.o ad.o at.o mr.o syntax.o oc.o saslauthz.o \
oidm.o starttls.o index.o sets.o referral.o \
root_dse.o sasl.o module.o suffixalias.o mra.o mods.o \
limits.o backglue.o operational.o matchedValues.o \
limits.o backglue.o operational.o matchedValues.o cancel.o \
$(@PLAT@_OBJS)
LDAP_INCDIR= ../../include
......
/* abandon.c - decode and handle an ldap abandon operation */
/* $OpenLDAP$ */
/*
* Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved.
* Copyright 1998-2003 The OpenLDAP Foundation, All Rights Reserved.
* COPYING RESTRICTIONS APPLY, see COPYRIGHT file
*/
......@@ -109,7 +109,7 @@ do_abandon(
done:
#if LDAP_CLIENT_UPDATE
#ifdef LDAP_CLIENT_UPDATE
for ( i = 0; i < nbackends; i++ ) {
if ( strncmp( backends[i].be_type, "bdb", 3 ) ) continue;
if ( bdb_abandon( &backends[i], conn, id ) == LDAP_SUCCESS ) {
......
/* acl.c - routines to parse and check acl's */
/* $OpenLDAP$ */
/*
* Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved.
* Copyright 1998-2003 The OpenLDAP Foundation, All Rights Reserved.
* COPYING RESTRICTIONS APPLY, see COPYRIGHT file
*/
......@@ -130,6 +130,9 @@ access_allowed(
slap_control_t control;
const char *attr;
regmatch_t matches[MAXREMATCHES];
int st_same_attr = 0;
int st_initialized = 0;
static AccessControlState state_init = ACL_STATE_INIT;
assert( e != NULL );
assert( desc != NULL );
......@@ -139,7 +142,7 @@ access_allowed(
assert( attr != NULL );
if( state && state->as_recorded ) {
if( state && state->as_recorded && state->as_vd_ad==desc) {
if( state->as_recorded & ACL_STATE_RECORDED_NV &&
val == NULL )
{
......@@ -150,6 +153,9 @@ access_allowed(
{
return state->as_result;
}
st_same_attr = 1;
} if (state) {
state->as_vd_ad=desc;
}
#ifdef NEW_LOGGING
......@@ -246,7 +252,7 @@ access_allowed(
ret = 0;
control = ACL_BREAK;
if( state && ( state->as_recorded & ACL_STATE_RECORDED_VD )) {
if( st_same_attr ) {
assert( state->as_vd_acl != NULL );
a = state->as_vd_acl;
......@@ -290,6 +296,18 @@ access_allowed(
#endif
}
if (state) {
if (state->as_vi_acl == a && (state->as_recorded & ACL_STATE_RECORDED_NV)) {
Debug( LDAP_DEBUG_ACL, "access_allowed: result from state (%s)\n", attr, 0, 0 );
return state->as_result;
} else if (!st_initialized) {
Debug( LDAP_DEBUG_ACL, "access_allowed: no res from state (%s)\n", attr, 0, 0);
*state = state_init;
state->as_vd_ad=desc;
st_initialized=1;
}
}
vd_access:
control = acl_mask( a, &mask, be, conn, op,
e, desc, val, matches, count, state );
......@@ -342,6 +360,9 @@ vd_access:
done:
if( state != NULL ) {
/* If not value-dependent, save ACL in case of more attrs */
if ( !(state->as_recorded & ACL_STATE_RECORDED_VD) )
state->as_vi_acl = a;
state->as_recorded |= ACL_STATE_RECORDED;
state->as_result = ret;
}
......@@ -961,7 +982,16 @@ dn_match_cleanup:;
}
if ( b->a_set_pat.bv_len != 0 ) {
if (aci_match_set( &b->a_set_pat, be, e, conn, op, 0 ) == 0) {
struct berval bv;
char buf[ACL_BUF_SIZE];
if( b->a_set_style == ACL_STYLE_REGEX ){
bv.bv_len = sizeof(buf) - 1;
bv.bv_val = buf;
string_expand( &bv, &b->a_set_pat, e->e_ndn, matches );
}else{
bv = b->a_set_pat;
}
if (aci_match_set( &bv, be, e, conn, op, 0 ) == 0) {
continue;
}
}
......@@ -1201,6 +1231,7 @@ acl_check_modlist(
)
{
struct berval *bv;
AccessControlState state = ACL_STATE_INIT;
assert( be != NULL );
......@@ -1255,9 +1286,6 @@ acl_check_modlist(
}
for ( ; mlist != NULL; mlist = mlist->sml_next ) {
static AccessControlState state_init = ACL_STATE_INIT;
AccessControlState state;
/*
* no-user-modification operational attributes are ignored
* by ACL_WRITE checking as any found here are not provided
......@@ -1276,8 +1304,6 @@ acl_check_modlist(
continue;
}
state = state_init;
switch ( mlist->sml_op ) {
case LDAP_MOD_REPLACE:
/*
......
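Review bot: In the `set` clause hunk (@@ -961,7 +982,16), the regex-style pattern is expanded into the fixed `buf[ACL_BUF_SIZE]` by `string_expand( &bv, &b->a_set_pat, e->e_ndn, matches );`, and nothing visible checks whether the expansion fit. The definition of string_expand is not on this page, so this is hedged: if it truncates silently, aci_match_set evaluates a shortened set expression, and an access-control clause then decides on a pattern the administrator did not write. I would have the expansion report overflow and treat that as a non-match for this clause, e.g. `if ( string_expand( &bv, &b->a_set_pat, e->e_ndn, matches ) ) continue;`, assuming string_expand is changed to return non-zero on truncation. A short comment such as `/* expand $N back-references from the DN regex match before evaluating the set */` would also help here. The enclosing function starts and ends outside the hunk.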
/* aclparse.c - routines to parse and check acl's */
/* $OpenLDAP$ */
/*
* Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved.
* Copyright 1998-2003 The OpenLDAP Foundation, All Rights Reserved.
* COPYING RESTRICTIONS APPLY, see COPYRIGHT file
*/
......@@ -185,7 +185,7 @@ parse_acl(
} else if ( strcasecmp( style, "one" ) == 0 ) {
a->acl_dn_style = ACL_STYLE_ONE;
ber_str2bv( right, 0, 1, &a->acl_dn_pat );
} else if ( strcasecmp( style, "subtree" ) == 0 ) {
} else if ( strcasecmp( style, "subtree" ) == 0 || strcasecmp( style, "sub" ) == 0 ) {
a->acl_dn_style = ACL_STYLE_SUBTREE;
ber_str2bv( right, 0, 1, &a->acl_dn_pat );
} else if ( strcasecmp( style, "children" ) == 0 ) {
......@@ -307,7 +307,7 @@ parse_acl(
sty = ACL_STYLE_BASE;
} else if ( strcasecmp( style, "one" ) == 0 ) {
sty = ACL_STYLE_ONE;
} else if ( strcasecmp( style, "subtree" ) == 0 ) {
} else if ( strcasecmp( style, "subtree" ) == 0 || strcasecmp( style, "sub" ) == 0 ) {
sty = ACL_STYLE_SUBTREE;
} else if ( strcasecmp( style, "children" ) == 0 ) {
sty = ACL_STYLE_CHILDREN;
......@@ -1282,7 +1282,7 @@ acl_usage( void )
"\t[aci=<attrname>]\n"
#endif
"\t[ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>]\n"
"<dnstyle> ::= regex | base | exact (alias of base) | one | sub | children\n"
"<dnstyle> ::= regex | base | exact (alias of base) | one | subtree | children\n"
"<style> ::= regex | base | exact (alias of base)\n"
"<groupflags> ::= R\n"
"<access> ::= [self]{<level>|<priv>}\n"
......
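Review bot: The usage text in acl_usage() lists `subtree` but no longer `sub`, while both parse_acl hunks accept either spelling, so the help output does not tell an administrator that existing `sub` rules are still valid. This assumes the second line of each printed pair is the new side, as the copyright lines suggest. I would document the alias the same way `exact` is documented: `"<dnstyle> ::= regex | base | exact (alias of base) | one | subtree | sub (alias of subtree) | children\n"`. The test `strcasecmp( style, "subtree" ) == 0 || strcasecmp( style, "sub" ) == 0` is repeated in both parse_acl hunks and could move into one small static helper so the accepted spellings cannot drift apart. parse_acl and acl_usage both extend beyond the visible hunks.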
/* $OpenLDAP$ */
/*
* Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved.
* Copyright 1998-2003 The OpenLDAP Foundation, All Rights Reserved.
* COPYING RESTRICTIONS APPLY, see COPYRIGHT file
*/
/* ad.c - routines for dealing with attribute descriptions */
......@@ -18,6 +18,19 @@
#include "ldap_pvt.h"
#include "slap.h"
typedef struct Attr_option {
struct berval name; /* option name or prefix */
int prefix; /* NAME is a tag and range prefix */
} Attr_option;
static Attr_option lang_option = { { sizeof("lang-")-1, "lang-" }, 1 };
/* Options sorted by name, and number of options */
static Attr_option *options = &lang_option;
static int option_count = 1;
static Attr_option *ad_find_option_definition( const char *opt, int optlen );
static int ad_keystring(
struct berval *bv )
{
......@@ -45,18 +58,18 @@ void ad_destroy( AttributeDescription *ad )
}
}
/* Is there an AttributeDescription for this type that uses this language? */
AttributeDescription * ad_find_lang(
/* Is there an AttributeDescription for this type that uses these tags? */
AttributeDescription * ad_find_tags(
AttributeType *type,
struct berval *lang )
struct berval *tags )
{
AttributeDescription *ad;
ldap_pvt_thread_mutex_lock( &type->sat_ad_mutex );
for (ad = type->sat_ad; ad; ad=ad->ad_next)
{
if (ad->ad_lang.bv_len == lang->bv_len &&
!strcasecmp(ad->ad_lang.bv_val, lang->bv_val))
if (ad->ad_tags.bv_len == tags->bv_len &&
!strcasecmp(ad->ad_tags.bv_val, tags->bv_val))
break;
}
ldap_pvt_thread_mutex_unlock( &type->sat_ad_mutex );
......@@ -102,14 +115,14 @@ int slap_bv2ad(
AttributeDescription desc, *d2;
char *name, *options;
char *opt, *next;
int nlang;
int langlen;
int ntags;
int tagslen;
/* hardcoded limits for speed */
#define MAX_LANG_OPTIONS 128
struct berval langs[MAX_LANG_OPTIONS+1];
#define MAX_LANG_LEN 1024
char langbuf[MAX_LANG_LEN];
#define MAX_TAGGING_OPTIONS 128
struct berval tags[MAX_TAGGING_OPTIONS+1];
#define MAX_TAGS_LEN 1024
char tagbuf[MAX_TAGS_LEN];
assert( ad != NULL );
assert( *ad == NULL ); /* temporary */
......@@ -147,9 +160,9 @@ int slap_bv2ad(
/*
* parse options in place
*/
nlang = 0;
memset( langs, 0, sizeof( langs ));
langlen = 0;
ntags = 0;
memset( tags, 0, sizeof( tags ));
tagslen = 0;
for( opt=options; opt != NULL; opt=next ) {
int optlen;
......@@ -178,17 +191,16 @@ int slap_bv2ad(
desc.ad_flags |= SLAP_DESC_BINARY;
continue;
} else if ( optlen >= sizeof("lang-")-1 &&
strncasecmp( opt, "lang-", sizeof("lang-")-1 ) == 0 )
} else if ( ad_find_option_definition( opt, optlen ) )
{
int i;
if( opt[optlen-1] == '-' ) {
desc.ad_flags |= SLAP_DESC_LANG_RANGE;
desc.ad_flags |= SLAP_DESC_TAG_RANGE;
}
if( nlang >= MAX_LANG_OPTIONS ) {
*text = "too many language options";
if( ntags >= MAX_TAGGING_OPTIONS ) {
*text = "too many tagging options";
return rtn;
}
......@@ -196,38 +208,38 @@ int slap_bv2ad(
* tags should be presented in sorted order,
* so run the array in reverse.
*/
for( i=nlang-1; i>=0; i-- ) {
for( i=ntags-1; i>=0; i-- ) {
int rc;
rc = strncasecmp( opt, langs[i].bv_val,
(unsigned) optlen < langs[i].bv_len
? optlen : langs[i].bv_len );
rc = strncasecmp( opt, tags[i].bv_val,
(unsigned) optlen < tags[i].bv_len
? optlen : tags[i].bv_len );
if( rc == 0 && (unsigned)optlen == langs[i].bv_len ) {
if( rc == 0 && (unsigned)optlen == tags[i].bv_len ) {
/* duplicate (ignore) */
goto done;
} else if ( rc > 0 ||
( rc == 0 && (unsigned)optlen > langs[i].bv_len ))
( rc == 0 && (unsigned)optlen > tags[i].bv_len ))
{
AC_MEMCPY( &langs[i+1], &langs[i],
(nlang-i)*sizeof(struct berval) );
langs[i].bv_val = opt;
langs[i].bv_len = optlen;
AC_MEMCPY( &tags[i+1], &tags[i],
(ntags-i)*sizeof(struct berval) );
tags[i].bv_val = opt;
tags[i].bv_len = optlen;
goto done;
}
}
if( nlang ) {
AC_MEMCPY( &langs[1], &langs[0],
nlang*sizeof(struct berval) );
if( ntags ) {
AC_MEMCPY( &tags[1], &tags[0],
ntags*sizeof(struct berval) );
}
langs[0].bv_val = opt;
langs[0].bv_len = optlen;
tags[0].bv_val = opt;
tags[0].bv_len = optlen;
done:;
langlen += optlen + 1;
nlang++;
tagslen += optlen + 1;
ntags++;
} else {
*text = "unrecognized option";
......@@ -235,27 +247,27 @@ done:;
}
}
if( nlang > 0 ) {
if( ntags > 0 ) {
int i;
if( langlen > MAX_LANG_LEN ) {
*text = "language options too long";
if( tagslen > MAX_TAGS_LEN ) {
*text = "tagging options too long";
return rtn;
}
desc.ad_lang.bv_val = langbuf;
langlen = 0;
desc.ad_tags.bv_val = tagbuf;
tagslen = 0;
for( i=0; i<nlang; i++ ) {
AC_MEMCPY( &desc.ad_lang.bv_val[langlen],
langs[i].bv_val, langs[i].bv_len );
for( i=0; i<ntags; i++ ) {
AC_MEMCPY( &desc.ad_tags.bv_val[tagslen],
tags[i].bv_val, tags[i].bv_len );
langlen += langs[i].bv_len;
desc.ad_lang.bv_val[langlen++] = ';';
tagslen += tags[i].bv_len;
desc.ad_tags.bv_val[tagslen++] = ';';
}
desc.ad_lang.bv_val[--langlen] = '\0';
desc.ad_lang.bv_len = langlen;
desc.ad_tags.bv_val[--tagslen] = '\0';
desc.ad_tags.bv_len = tagslen;
}
/* see if a matching description is already cached */
......@@ -263,14 +275,14 @@ done:;
if( d2->ad_flags != desc.ad_flags ) {
continue;
}
if( d2->ad_lang.bv_len != desc.ad_lang.bv_len ) {
if( d2->ad_tags.bv_len != desc.ad_tags.bv_len ) {
continue;
}
if( d2->ad_lang.bv_len == 0 ) {
if( d2->ad_tags.bv_len == 0 ) {
break;
}
if( strncasecmp( d2->ad_lang.bv_val, desc.ad_lang.bv_val,
desc.ad_lang.bv_len ) == 0 )
if( strncasecmp( d2->ad_tags.bv_val, desc.ad_tags.bv_val,
desc.ad_tags.bv_len ) == 0 )
{
break;
}
......@@ -284,12 +296,12 @@ done:;
for (d2 = desc.ad_type->sat_ad; d2; d2=d2->ad_next) {
if (d2->ad_flags != desc.ad_flags)
continue;
if (d2->ad_lang.bv_len != desc.ad_lang.bv_len)
if (d2->ad_tags.bv_len != desc.ad_tags.bv_len)
continue;
if (d2->ad_lang.bv_len == 0)
if (d2->ad_tags.bv_len == 0)
break;
if (strncasecmp(d2->ad_lang.bv_val, desc.ad_lang.bv_val,
desc.ad_lang.bv_len) == 0)
if (strncasecmp(d2->ad_tags.bv_val, desc.ad_tags.bv_val,
desc.ad_tags.bv_len) == 0)
break;
}
if (d2) {
......@@ -300,44 +312,73 @@ done:;
/* Allocate a single contiguous block. If there are no
* options, we just need space for the AttrDesc structure.
* Otherwise, we need to tack on the full name length +
* options length.
* options length, + maybe tagging options length again.
*/
if (desc.ad_lang.bv_len || desc.ad_flags != SLAP_DESC_NONE) {
dlen = desc.ad_type->sat_cname.bv_len;
if (desc.ad_lang.bv_len) {
dlen += 1+desc.ad_lang.bv_len;
if (desc.ad_tags.bv_len || desc.ad_flags != SLAP_DESC_NONE) {
dlen = desc.ad_type->sat_cname.bv_len + 1;
if (desc.ad_tags.bv_len) {
dlen += 1+desc.ad_tags.bv_len;
}
if( slap_ad_is_binary( &desc ) ) {
dlen += sizeof(";binary")-1;
dlen += sizeof(";binary")+desc.ad_tags.bv_len;
}
}
d2 = ch_malloc(sizeof(AttributeDescription) + dlen + 1);
d2 = ch_malloc(sizeof(AttributeDescription) + dlen);
d2->ad_type = desc.ad_type;
d2->ad_flags = desc.ad_flags;
d2->ad_cname.bv_len = desc.ad_type->sat_cname.bv_len;
d2->ad_lang.bv_len = desc.ad_lang.bv_len;
d2->ad_tags.bv_len = desc.ad_tags.bv_len;
if (dlen == 0) {
d2->ad_cname.bv_val = d2->ad_type->sat_cname.bv_val;
d2->ad_lang.bv_val = NULL;
d2->ad_tags.bv_val = NULL;
} else {
char *cp, *op, *lp;
int j;
d2->ad_cname.bv_val = (char *)(d2+1);
strcpy(d2->ad_cname.bv_val, d2->ad_type->sat_cname.bv_val);
cp = d2->ad_cname.bv_val + d2->ad_cname.bv_len;
if( slap_ad_is_binary( &desc ) ) {
strcpy(d2->ad_cname.bv_val+d2->ad_cname.bv_len,
";binary");
d2->ad_cname.bv_len += sizeof(";binary")-1;
op = cp;
lp = NULL;
if( desc.ad_tags.bv_len ) {
lp = desc.ad_tags.bv_val;
while( strncasecmp(lp, "binary", sizeof("binary")-1) < 0
&& (lp = strchr( lp, ';' )) != NULL )
++lp;
if( lp != desc.ad_tags.bv_val ) {
*cp++ = ';';
j = (lp
? lp - desc.ad_tags.bv_val - 1
: strlen( desc.ad_tags.bv_val ));
strncpy(cp, desc.ad_tags.bv_val, j);
cp += j;
}
}
strcpy(cp, ";binary");
cp += sizeof(";binary")-1;
if( lp != NULL ) {
*cp++ = ';';
strcpy(cp, lp);
cp += strlen( cp );
}
d2->ad_cname.bv_len = cp - d2->ad_cname.bv_val;
if( desc.ad_tags.bv_len )
ldap_pvt_str2lower(op);
j = 1;
} else {
j = 0;
}
if( d2->ad_lang.bv_len ) {
d2->ad_cname.bv_val[d2->ad_cname.bv_len++]=';';
d2->ad_lang.bv_val = d2->ad_cname.bv_val+
d2->ad_cname.bv_len;
strncpy(d2->ad_lang.bv_val,desc.ad_lang.bv_val,
d2->ad_lang.bv_len);
d2->ad_lang.bv_val[d2->ad_lang.bv_len] = '\0';
ldap_pvt_str2lower(d2->ad_lang.bv_val);
d2->ad_cname.bv_len += d2->ad_lang.bv_len;
if( desc.ad_tags.bv_len ) {
lp = d2->ad_cname.bv_val + d2->ad_cname.bv_len + j;
if ( j == 0 )