Commit 82d7e9d8 authored by Howard Chu's avatar Howard Chu
Browse files

ITS#7581 fix back-meta config checks

Allow base entry to be added online with targets
added later. Add SLAP_SERVER_RUNNING flag to note
that main slap_startup has already occurred.
parent a8c14386
......@@ -681,6 +681,11 @@ meta_back_map_free( struct ldapmap *lm );
extern int
meta_subtree_destroy( metasubtree_t *ms );
extern int
meta_target_finish( metainfo_t *mi, metatarget_t *mt,
const char *log, char *msg, size_t msize
);
extern LDAP_REBIND_PROC meta_back_default_rebind;
extern LDAP_URLLIST_PROC meta_back_default_urllist;
......
......@@ -1089,6 +1089,15 @@ static slap_cf_aux_table timeout_table[] = {
{ BER_BVNULL, 0, 0, 0, NULL }
};
static int
meta_cf_cleanup( ConfigArgs *c )
{
metainfo_t *mi = ( metainfo_t * )c->be->be_private;
metatarget_t *mt = c->ca_private;
return meta_target_finish( mi, mt, c->log, c->cr_msg, sizeof( c->cr_msg ));
}
static int
meta_back_cf_gen( ConfigArgs *c )
{
......@@ -2061,6 +2070,7 @@ meta_back_cf_gen( ConfigArgs *c )
return 1;
}
c->ca_private = mt;
c->cleanup = meta_cf_cleanup;
} break;
case LDAP_BACK_CFG_SUBTREE_EX:
case LDAP_BACK_CFG_SUBTREE_IN:
......
......@@ -113,7 +113,10 @@ meta_back_db_init(
/* set default flags */
mi->mi_flags =
META_BACK_F_DEFER_ROOTDN_BIND;
META_BACK_F_DEFER_ROOTDN_BIND
| META_BACK_F_PROXYAUTHZ_ALWAYS
| META_BACK_F_PROXYAUTHZ_ANON
| META_BACK_F_PROXYAUTHZ_NOANON;
/*
* At present the default is no default target;
......@@ -147,20 +150,106 @@ meta_back_db_init(
return 0;
}
int
meta_target_finish(
metainfo_t *mi,
metatarget_t *mt,
const char *log,
char *msg,
size_t msize
)
{
slap_bindconf sb = { BER_BVNULL };
struct berval mapped;
int rc;
ber_str2bv( mt->mt_uri, 0, 0, &sb.sb_uri );
sb.sb_version = mt->mt_version;
sb.sb_method = LDAP_AUTH_SIMPLE;
BER_BVSTR( &sb.sb_binddn, "" );
if ( META_BACK_TGT_T_F_DISCOVER( mt ) ) {
rc = slap_discover_feature( &sb,
slap_schema.si_ad_supportedFeatures->ad_cname.bv_val,
LDAP_FEATURE_ABSOLUTE_FILTERS );
if ( rc == LDAP_COMPARE_TRUE ) {
mt->mt_flags |= LDAP_BACK_F_T_F;
}
}
if ( META_BACK_TGT_CANCEL_DISCOVER( mt ) ) {
rc = slap_discover_feature( &sb,
slap_schema.si_ad_supportedExtension->ad_cname.bv_val,
LDAP_EXOP_CANCEL );
if ( rc == LDAP_COMPARE_TRUE ) {
mt->mt_flags |= LDAP_BACK_F_CANCEL_EXOP;
}
}
if ( !( mt->mt_idassert_flags & LDAP_BACK_AUTH_OVERRIDE )
|| mt->mt_idassert_authz != NULL )
{
mi->mi_flags &= ~META_BACK_F_PROXYAUTHZ_ALWAYS;
}
if ( ( mt->mt_idassert_flags & LDAP_BACK_AUTH_AUTHZ_ALL )
&& !( mt->mt_idassert_flags & LDAP_BACK_AUTH_PRESCRIPTIVE ) )
{
snprintf( msg, msize,
"%s: inconsistent idassert configuration "
"(likely authz=\"*\" used with \"non-prescriptive\" flag)",
log );
Debug( LDAP_DEBUG_ANY, "%s (target %s)\n",
msg, mt->mt_uri, 0 );
return 1;
}
if ( !( mt->mt_idassert_flags & LDAP_BACK_AUTH_AUTHZ_ALL ) )
{
mi->mi_flags &= ~META_BACK_F_PROXYAUTHZ_ANON;
}
if ( ( mt->mt_idassert_flags & LDAP_BACK_AUTH_PRESCRIPTIVE ) )
{
mi->mi_flags &= ~META_BACK_F_PROXYAUTHZ_NOANON;
}
BER_BVZERO( &mapped );
ldap_back_map( &mt->mt_rwmap.rwm_at,
&slap_schema.si_ad_entryDN->ad_cname, &mapped,
BACKLDAP_REMAP );
if ( BER_BVISNULL( &mapped ) || mapped.bv_val[0] == '\0' ) {
mt->mt_rep_flags |= REP_NO_ENTRYDN;
}
BER_BVZERO( &mapped );
ldap_back_map( &mt->mt_rwmap.rwm_at,
&slap_schema.si_ad_subschemaSubentry->ad_cname, &mapped,
BACKLDAP_REMAP );
if ( BER_BVISNULL( &mapped ) || mapped.bv_val[0] == '\0' ) {
mt->mt_rep_flags |= REP_NO_SUBSCHEMA;
}
return 0;
}
int
meta_back_db_open(
Backend *be,
ConfigReply *cr )
{
metainfo_t *mi = (metainfo_t *)be->be_private;
char msg[SLAP_TEXT_BUFLEN];
int i,
not_always = 0,
not_always_anon_proxyauthz = 0,
not_always_anon_non_prescriptive = 0,
rc;
int i, rc;
if ( mi->mi_ntargets == 0 ) {
/* Dynamically added, nothing to check here until
* some targets get added
*/
if ( slapMode & SLAP_SERVER_RUNNING )
return 0;
Debug( LDAP_DEBUG_ANY,
"meta_back_db_open: no targets defined\n",
0, 0, 0 );
......@@ -168,92 +257,11 @@ meta_back_db_open(
}
for ( i = 0; i < mi->mi_ntargets; i++ ) {
slap_bindconf sb = { BER_BVNULL };
metatarget_t *mt = mi->mi_targets[ i ];
struct berval mapped;
ber_str2bv( mt->mt_uri, 0, 0, &sb.sb_uri );
sb.sb_version = mt->mt_version;
sb.sb_method = LDAP_AUTH_SIMPLE;
BER_BVSTR( &sb.sb_binddn, "" );
if ( META_BACK_TGT_T_F_DISCOVER( mt ) ) {
rc = slap_discover_feature( &sb,
slap_schema.si_ad_supportedFeatures->ad_cname.bv_val,
LDAP_FEATURE_ABSOLUTE_FILTERS );
if ( rc == LDAP_COMPARE_TRUE ) {
mt->mt_flags |= LDAP_BACK_F_T_F;
}
}
if ( META_BACK_TGT_CANCEL_DISCOVER( mt ) ) {
rc = slap_discover_feature( &sb,
slap_schema.si_ad_supportedExtension->ad_cname.bv_val,
LDAP_EXOP_CANCEL );
if ( rc == LDAP_COMPARE_TRUE ) {
mt->mt_flags |= LDAP_BACK_F_CANCEL_EXOP;
}
}
if ( not_always == 0 ) {
if ( !( mt->mt_idassert_flags & LDAP_BACK_AUTH_OVERRIDE )
|| mt->mt_idassert_authz != NULL )
{
not_always = 1;
}
}
if ( ( mt->mt_idassert_flags & LDAP_BACK_AUTH_AUTHZ_ALL )
&& !( mt->mt_idassert_flags & LDAP_BACK_AUTH_PRESCRIPTIVE ) )
{
Debug( LDAP_DEBUG_ANY, "meta_back_db_open(%s): "
"target #%d inconsistent idassert configuration "
"(likely authz=\"*\" used with \"non-prescriptive\" flag)\n",
be->be_suffix[ 0 ].bv_val, i, 0 );
if ( meta_target_finish( mi, mt,
"meta_back_db_open", msg, sizeof( msg )))
return 1;
}
if ( not_always_anon_proxyauthz == 0 ) {
if ( !( mt->mt_idassert_flags & LDAP_BACK_AUTH_AUTHZ_ALL ) )
{
not_always_anon_proxyauthz = 1;
}
}
if ( not_always_anon_non_prescriptive == 0 ) {
if ( ( mt->mt_idassert_flags & LDAP_BACK_AUTH_PRESCRIPTIVE ) )
{
not_always_anon_non_prescriptive = 1;
}
}
BER_BVZERO( &mapped );
ldap_back_map( &mt->mt_rwmap.rwm_at,
&slap_schema.si_ad_entryDN->ad_cname, &mapped,
BACKLDAP_REMAP );
if ( BER_BVISNULL( &mapped ) || mapped.bv_val[0] == '\0' ) {
mt->mt_rep_flags |= REP_NO_ENTRYDN;
}
BER_BVZERO( &mapped );
ldap_back_map( &mt->mt_rwmap.rwm_at,
&slap_schema.si_ad_subschemaSubentry->ad_cname, &mapped,
BACKLDAP_REMAP );
if ( BER_BVISNULL( &mapped ) || mapped.bv_val[0] == '\0' ) {
mt->mt_rep_flags |= REP_NO_SUBSCHEMA;
}
}
if ( not_always == 0 ) {
mi->mi_flags |= META_BACK_F_PROXYAUTHZ_ALWAYS;
}
if ( not_always_anon_proxyauthz == 0 ) {
mi->mi_flags |= META_BACK_F_PROXYAUTHZ_ANON;
} else if ( not_always_anon_non_prescriptive == 0 ) {
mi->mi_flags |= META_BACK_F_PROXYAUTHZ_NOANON;
}
return 0;
......
......@@ -211,12 +211,15 @@ slap_init( int mode, const char *name )
int slap_startup( Backend *be )
{
int rc;
Debug( LDAP_DEBUG_TRACE,
"%s startup: initiated.\n",
slap_name, 0, 0 );
return backend_startup( be );
rc = backend_startup( be );
if ( !rc && ( slapMode & SLAP_SERVER_MODE ))
slapMode |= SLAP_SERVER_RUNNING;
return rc;
}
int slap_shutdown( Backend *be )
......
......@@ -1605,6 +1605,8 @@ LDAP_SLAPD_V (int) slapMode;
#define SLAP_TOOL_NO_SCHEMA_CHECK 0x1000
#define SLAP_TOOL_VALUE_CHECK 0x2000
#define SLAP_SERVER_RUNNING 0x8000
#define SB_TLS_DEFAULT (-1)
#define SB_TLS_OFF 0
#define SB_TLS_ON 1
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment