Commit bdad40c6 authored by Kurt Zeilenga's avatar Kurt Zeilenga

Disallow addition of system schema via config files.

parent aecf4033
......@@ -1651,7 +1651,6 @@ read_config( const char *fname )
"%s: line %d: old objectclass format not supported.\n",
fname, lineno, 0 );
#endif
}
/* specify an attribute type */
......
......@@ -163,6 +163,7 @@ static int
oc_create_required(
ObjectClass *soc,
char **attrs,
int *op,
const char **err )
{
char **attrs1;
......@@ -178,6 +179,9 @@ oc_create_required(
*err = *attrs1;
return SLAP_SCHERR_ATTR_NOT_FOUND;
}
if( is_at_operational( sat )) (*op)++;
if ( at_find_in_list(sat, soc->soc_required) < 0) {
if ( at_append_to_list(sat, &soc->soc_required) ) {
*err = *attrs1;
......@@ -201,6 +205,7 @@ static int
oc_create_allowed(
ObjectClass *soc,
char **attrs,
int *op,
const char **err )
{
char **attrs1;
......@@ -214,6 +219,9 @@ oc_create_allowed(
*err = *attrs1;
return SLAP_SCHERR_ATTR_NOT_FOUND;
}
if( is_at_operational( sat )) (*op)++;
if ( at_find_in_list(sat, soc->soc_required) < 0 &&
at_find_in_list(sat, soc->soc_allowed) < 0 ) {
if ( at_append_to_list(sat, &soc->soc_allowed) ) {
......@@ -231,6 +239,7 @@ static int
oc_add_sups(
ObjectClass *soc,
char **sups,
int *op,
const char **err )
{
int code;
......@@ -274,16 +283,19 @@ oc_add_sups(
return SLAP_SCHERR_CLASS_BAD_USAGE;
}
if ( add_sups )
if( soc->soc_flags & SLAP_OC_OPERATIONAL ) (*op)++;
if ( add_sups ) {
soc->soc_sups[nsups] = soc1;
}
code = oc_add_sups( soc, soc1->soc_sup_oids, err );
code = oc_add_sups( soc, soc1->soc_sup_oids, op, err );
if ( code ) return code;
code = oc_create_required( soc, soc1->soc_at_oids_must, err );
code = oc_create_required( soc, soc1->soc_at_oids_must, op, err );
if ( code ) return code;
code = oc_create_allowed( soc, soc1->soc_at_oids_may, err );
code = oc_create_allowed( soc, soc1->soc_at_oids_may, op, err );
if ( code ) return code;
nsups++;
......@@ -382,11 +394,13 @@ oc_insert(
int
oc_add(
LDAPObjectClass *oc,
int user,
const char **err
)
{
ObjectClass *soc;
int code;
int op = 0;
if ( oc->oc_names != NULL ) {
int i;
......@@ -419,19 +433,21 @@ oc_add(
{
/* structural object classes implicitly inherit from 'top' */
static char *top_oids[] = { SLAPD_TOP_OID, NULL };
code = oc_add_sups( soc, top_oids, err );
code = oc_add_sups( soc, top_oids, &op, err );
} else {
code = oc_add_sups( soc, soc->soc_sup_oids, err );
code = oc_add_sups( soc, soc->soc_sup_oids, &op, err );
}
if ( code != 0 ) return code;
code = oc_create_required( soc, soc->soc_at_oids_must, err );
code = oc_create_required( soc, soc->soc_at_oids_must, &op, err );
if ( code != 0 ) return code;
code = oc_create_allowed( soc, soc->soc_at_oids_may, err );
code = oc_create_allowed( soc, soc->soc_at_oids_may, &op, err );
if ( code != 0 ) return code;
if( user && op ) return SLAP_SCHERR_CLASS_OPERATIONAL;
code = oc_insert(soc,err);
return code;
}
......
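Review bot: The operational-superior test `if( soc->soc_flags & SLAP_OC_OPERATIONAL ) (*op)++;` in oc_add_sups inspects the class being defined rather than the superior just resolved; `soc1` is the superior (it is what the next line stores in `soc->soc_sups[nsups]`), and the recursive `oc_add_sups( soc, soc1->soc_sup_oids, op, err )` call re-tests the same `soc->soc_flags` at every level. Unless soc_flags is already populated before oc_add runs (not visible here), a config-file class with `SUP subentry` or another operational superior would pass the new `user && op` gate, so the line should read `if( soc1->soc_flags & SLAP_OC_OPERATIONAL ) (*op)++;`. Separately, the new early return `if( user && op ) return SLAP_SCHERR_CLASS_OPERATIONAL;` in oc_add fires after soc_sups/soc_required/soc_allowed have been populated; it follows the existing `if ( code ) return code;` pattern, so whatever cleanup callers do for those returns presumably covers this one too, but that is worth confirming. oc_add_sups, oc_create_required and oc_create_allowed all start and end outside their hunks.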
......@@ -626,6 +626,7 @@ LDAP_SLAPD_F (void) mra_free LDAP_P((
/* oc.c */
LDAP_SLAPD_F (int) oc_add LDAP_P((
LDAPObjectClass *oc,
int user,
const char **err));
LDAP_SLAPD_F (void) oc_destroy LDAP_P(( void ));
......
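Review bot: The new `int user` parameter on the `oc_add` prototype is undocumented, and this header is where callers will look for its meaning. Suggest `int user, /* non-zero: definition comes from a config file; classes that are, derive from, or require/allow operational schema are rejected with SLAP_SCHERR_CLASS_OPERATIONAL */`, which is the behaviour oc_add in oc.c implements in this same commit.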
......@@ -162,28 +162,29 @@ static struct slap_schema_oc_map {
"NAME 'extensibleObject' "
"DESC 'RFC2252: extensible object' "
"SUP top AUXILIARY )",
0, 0, offsetof(struct slap_internal_schema, si_oc_extensibleObject) },
0, SLAP_OC_OPERATIONAL,
offsetof(struct slap_internal_schema, si_oc_extensibleObject) },
{ "alias", "( 2.5.6.1 NAME 'alias' "
"DESC 'RFC2256: an alias' "
"SUP top STRUCTURAL "
"MUST aliasedObjectName )",
aliasObjectClass, SLAP_OC_ALIAS,
aliasObjectClass, SLAP_OC_ALIAS|SLAP_OC_OPERATIONAL,
offsetof(struct slap_internal_schema, si_oc_alias) },
{ "referral", "( 2.16.840.1.113730.3.2.6 NAME 'referral' "
"DESC 'namedref: named subordinate referral' "
"SUP top STRUCTURAL MUST ref )",
referralObjectClass, SLAP_OC_REFERRAL,
referralObjectClass, SLAP_OC_REFERRAL|SLAP_OC_OPERATIONAL,
offsetof(struct slap_internal_schema, si_oc_referral) },
{ "LDAProotDSE", "( 1.3.6.1.4.1.4203.1.4.1 "
"NAME ( 'OpenLDAProotDSE' 'LDAProotDSE' ) "
"DESC 'OpenLDAP Root DSE object' "
"SUP top STRUCTURAL MAY cn )",
rootDseObjectClass, 0,
rootDseObjectClass, SLAP_OC_OPERATIONAL,
offsetof(struct slap_internal_schema, si_oc_rootdse) },
{ "subentry", "( 2.5.20.0 NAME 'subentry' "
"SUP top STRUCTURAL "
"MUST ( cn $ subtreeSpecification ) )",
subentryObjectClass, SLAP_OC_SUBENTRY,
subentryObjectClass, SLAP_OC_SUBENTRY|SLAP_OC_OPERATIONAL,
offsetof(struct slap_internal_schema, si_oc_subentry) },
{ "subschema", "( 2.5.20.1 NAME 'subschema' "
"DESC 'RFC2252: controlling subschema (sub)entry' "
......@@ -191,17 +192,19 @@ static struct slap_schema_oc_map {
"MAY ( dITStructureRules $ nameForms $ ditContentRules $ "
"objectClasses $ attributeTypes $ matchingRules $ "
"matchingRuleUse ) )",
subentryObjectClass, 0,
subentryObjectClass, SLAP_OC_OPERATIONAL,
offsetof(struct slap_internal_schema, si_oc_subschema) },
{ "monitor", "( 1.3.6.1.4.1.4203.666.3.2 NAME 'monitor' "
"DESC 'OpenLDAP system monitoring' "
"STRUCTURAL "
"MUST cn )",
0, 0, offsetof(struct slap_internal_schema, si_oc_monitor) },
0, SLAP_OC_OPERATIONAL,
offsetof(struct slap_internal_schema, si_oc_monitor) },
{ "collectiveAttributeSubentry", "( 2.5.20.2 "
"NAME 'collectiveAttributeSubentry' "
"AUXILIARY )",
subentryObjectClass, SLAP_OC_COLLECTIVEATTRIBUTESUBENTRY|SLAP_OC_HIDE,
subentryObjectClass,
SLAP_OC_COLLECTIVEATTRIBUTESUBENTRY|SLAP_OC_OPERATIONAL|SLAP_OC_HIDE,
offsetof(struct slap_internal_schema, si_oc_collectiveAttributeSubentry) },
{ "dynamicObject", "( 1.3.6.1.4.1.1466.101.119.2 "
"NAME 'dynamicObject' "
......@@ -307,14 +310,14 @@ static struct slap_schema_ad_map {
"EQUALITY octetStringMatch "
"SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{64} "
"SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )",
NULL, 0, NULL, NULL, NULL,
NULL, SLAP_AT_HIDE, NULL, NULL, NULL,
offsetof(struct slap_internal_schema, si_ad_entryUUID) },
{ "entryCSN", "( 1.3.6.1.4.1.4203.666.1.7 NAME 'entryCSN' "
"DESC 'LCUP/LDUP: change sequence number' "
"EQUALITY octetStringMatch "
"SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{64} "
"SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )",
NULL, 0, NULL, NULL, NULL,
NULL, SLAP_AT_HIDE, NULL, NULL, NULL,
offsetof(struct slap_internal_schema, si_ad_entryCSN) },
/* root DSE attributes */
......@@ -715,7 +718,7 @@ slap_schema_load( void )
return LDAP_OTHER;
}
code = oc_add(oc,&err);
code = oc_add(oc,0,&err);
if ( code ) {
fprintf( stderr, "slap_schema_load: "
"%s: %s: \"%s\"\n",
......
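Review bot: The `0` in `code = oc_add(oc,0,&err);` (and the `1` in the matching `oc_add(oc,1,&err)` call in schemaparse.c) is a bare flag whose meaning is only recoverable by reading oc_add; a trailing comment such as `code = oc_add(oc,0,&err); /* user=0: built-in schema, operational allowed */` at both call sites, or a pair of named constants, would make the distinction visible where it matters. In the objectclass map every built-in class except `top` and `dynamicObject` now carries SLAP_OC_OPERATIONAL; leaving `top` unflagged looks necessary since every class derives from it, and if `dynamicObject` is left off deliberately a one-line comment on its entry saying so would save the next reader from assuming it was missed. slap_schema_load starts and ends outside its hunk.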
......@@ -26,6 +26,7 @@ static char *const err2text[SLAP_SCHERR_LAST+1] = {
"Out of memory",
"ObjectClass not found",
"ObjectClass inappropriate SUPerior",
"ObjectClass operational",
"AttributeType not found",
"AttributeType inappropriate USAGE",
"Duplicate objectClass",
......@@ -118,7 +119,7 @@ parse_oc(
return 1;
}
code = oc_add(oc,&err);
code = oc_add(oc,1,&err);
if ( code ) {
fprintf( stderr, "%s: line %d: %s: \"%s\"\n",
fname, lineno, scherr2str(code), err);
......
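Review bot: The new `"ObjectClass operational",` entry in err2text is correct only because it sits at index 4 to match the renumbered `SLAP_SCHERR_CLASS_OPERATIONAL 4` in slap.h; nothing ties the two together, so the next insertion can silently misalign every message after it. Either annotate the entries (`"ObjectClass operational", /* SLAP_SCHERR_CLASS_OPERATIONAL */`) or, if the project's compilers accept C99 designated initializers, index them explicitly: `[SLAP_SCHERR_CLASS_OPERATIONAL] = "ObjectClass operational",`. The message is what an administrator sees when a config file defines or derives from a system class, so a wording such as `"ObjectClass is operational (system schema, not user-definable)"` would say why the definition was refused. The err2text array and parse_oc both start and end outside their hunks.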
......@@ -221,20 +221,21 @@ typedef struct slap_ssf_set {
#define SLAP_SCHERR_OUTOFMEM 1
#define SLAP_SCHERR_CLASS_NOT_FOUND 2
#define SLAP_SCHERR_CLASS_BAD_USAGE 3
#define SLAP_SCHERR_ATTR_NOT_FOUND 4
#define SLAP_SCHERR_ATTR_BAD_USAGE 5
#define SLAP_SCHERR_DUP_CLASS 6
#define SLAP_SCHERR_DUP_ATTR 7
#define SLAP_SCHERR_DUP_SYNTAX 8
#define SLAP_SCHERR_DUP_RULE 9
#define SLAP_SCHERR_NO_NAME 10
#define SLAP_SCHERR_ATTR_INCOMPLETE 11
#define SLAP_SCHERR_MR_NOT_FOUND 12
#define SLAP_SCHERR_SYN_NOT_FOUND 13
#define SLAP_SCHERR_MR_INCOMPLETE 14
#define SLAP_SCHERR_NOT_SUPPORTED 15
#define SLAP_SCHERR_BAD_DESCR 16
#define SLAP_SCHERR_OIDM 17
#define SLAP_SCHERR_CLASS_OPERATIONAL 4
#define SLAP_SCHERR_ATTR_NOT_FOUND 5
#define SLAP_SCHERR_ATTR_BAD_USAGE 6
#define SLAP_SCHERR_DUP_CLASS 7
#define SLAP_SCHERR_DUP_ATTR 8
#define SLAP_SCHERR_DUP_SYNTAX 9
#define SLAP_SCHERR_DUP_RULE 10
#define SLAP_SCHERR_NO_NAME 11
#define SLAP_SCHERR_ATTR_INCOMPLETE 12
#define SLAP_SCHERR_MR_NOT_FOUND 13
#define SLAP_SCHERR_SYN_NOT_FOUND 14
#define SLAP_SCHERR_MR_INCOMPLETE 15
#define SLAP_SCHERR_NOT_SUPPORTED 16
#define SLAP_SCHERR_BAD_DESCR 17
#define SLAP_SCHERR_OIDM 18
#define SLAP_SCHERR_LAST SLAP_SCHERR_OIDM
typedef union slap_sockaddr {
......@@ -492,14 +493,15 @@ typedef struct slap_object_class {
struct slap_object_class *soc_next;
} ObjectClass;
#define SLAP_OC_ALIAS 0x01
#define SLAP_OC_REFERRAL 0x02
#define SLAP_OC_SUBENTRY 0x04
#define SLAP_OC_DYNAMICOBJECT 0x08
#define SLAP_OC_COLLECTIVEATTRIBUTESUBENTRY 0x10
#define SLAP_OC__MASK 0x1F
#define SLAP_OC__END 0x20
#define SLAP_OC_HIDE 0x80
#define SLAP_OC_ALIAS 0x0001
#define SLAP_OC_REFERRAL 0x0002
#define SLAP_OC_SUBENTRY 0x0004
#define SLAP_OC_DYNAMICOBJECT 0x0008
#define SLAP_OC_COLLECTIVEATTRIBUTESUBENTRY 0x0010
#define SLAP_OC__MASK 0x001F
#define SLAP_OC__END 0x0020
#define SLAP_OC_OPERATIONAL 0x4000
#define SLAP_OC_HIDE 0x8000
#ifdef LDAP_EXTENDED_SCHEMA
/*
......
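Review bot: Moving SLAP_OC_HIDE from 0x80 to 0x8000 and adding SLAP_OC_OPERATIONAL at 0x4000 assumes the fields that hold these flags (soc_flags in ObjectClass, the flags column of the schema_prep map) are at least 16 bits wide; their types are not on this page, so confirm none of them is a char or uint8_t. The renumbering of every SLAP_SCHERR_* value after CLASS_BAD_USAGE is matched by the err2text insertion in schemaparse.c in this commit, but a comment on the block such as `/* values index err2text[] in schemaparse.c; keep both in step */` would make that coupling explicit. SLAP_OC_OPERATIONAL also deserves a one-line comment stating what it gates, e.g. `#define SLAP_OC_OPERATIONAL 0x4000 /* system schema: config files may not define or derive from it (see oc_add) */`.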