......@@ -2072,12 +2072,13 @@ print_paged_results( LDAP *ld, LDAPControl *ctrl )
return 1;
} else {
/* FIXME: check buffer overflow */
char buf[ BUFSIZ ], *ptr = buf;
int plen;
if ( estimate > 0 ) {
ptr += snprintf( ptr, sizeof( buf ) - ( ptr - buf ),
"estimate=%d", estimate );
plen = sprintf( buf, "estimate=%d cookie=", estimate );
} else {
plen = sprintf( buf, "cookie=" );
}
if ( pr_cookie.bv_len > 0 ) {
......@@ -2085,29 +2086,26 @@ print_paged_results( LDAP *ld, LDAPControl *ctrl )
bv.bv_len = LUTIL_BASE64_ENCODE_LEN(
pr_cookie.bv_len ) + 1;
bv.bv_val = ber_memalloc( bv.bv_len + 1 );
ptr = ber_memalloc( bv.bv_len + 1 + plen );
bv.bv_val = ptr + plen;
strcpy( ptr, buf );
bv.bv_len = lutil_b64_ntop(
(unsigned char *) pr_cookie.bv_val,
pr_cookie.bv_len,
bv.bv_val, bv.bv_len );
ptr += snprintf( ptr, sizeof( buf ) - ( ptr - buf ),
"%scookie=%s", ptr == buf ? "" : " ",
bv.bv_val );
ber_memfree( bv.bv_val );
pr_morePagedResults = 1;
} else {
ptr += snprintf( ptr, sizeof( buf ) - ( ptr - buf ),
"%scookie=", ptr == buf ? "" : " " );
plen += bv.bv_len;
}
tool_write_ldif( ldif ? LDIF_PUT_COMMENT : LDIF_PUT_VALUE,
ldif ? "pagedresults: " : "pagedresults",
buf, ptr - buf );
ptr, plen );
if ( ptr != buf )
ber_memfree( ptr );
}
return 0;
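Review bot: The pointer returned by `ber_memalloc( bv.bv_len + 1 + plen )` is handed straight to `strcpy( ptr, buf )` without a NULL check, so an allocation failure in this client tool becomes a crash rather than an error; add `if ( ptr == NULL ) return 1;` immediately after the allocation, matching the `return 1;` failure convention visible at the top of this hunk. `plen` is then used as the byte count passed to `tool_write_ldif`, so if `lutil_b64_ntop` can report failure with a negative return (its contract is not visible here) that value is first stored into the unsigned `bv.bv_len` and would inflate `plen`; checking the encoder's result before `plen += bv.bv_len` would close that. If the `/* FIXME: check buffer overflow */` comment above `buf` survives the change, it can be dropped or reworded, since the only writes into `buf` are now the two fixed-format `sprintf` calls whose output is far below BUFSIZ. print_paged_results begins before this hunk.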
......
......@@ -1328,8 +1328,7 @@ Use
.B unlimited
to specify no limits.
The second format allows a fine grain setting of the size limits.
Extra args can be added in the same value or as additional values.
See
Extra args can be added in the same value. See
.BR olcLimits
for an explanation of the different flags.
.TP
......@@ -1352,8 +1351,7 @@ Use
.B unlimited
to specify no limits.
The second format allows a fine grain setting of the time limits.
Extra args can be added in the same value or as additional values.
See
Extra args can be added in the same value. See
.BR olcLimits
for an explanation of the different flags.
......
......@@ -49,10 +49,10 @@ of the proxy lined up with that of the proxied server.
.LP
Note: When looping back to the same instance of
.BR slapd (8),
each connection requires a new thread; as a consequence,
each connection requires a new thread; as a consequence, the
.BR slapd (8)
must be compiled with thread support, and the \fBthreads\fP parameter
may need some tuning; in those cases, one may consider using
\fBthreads\fP parameter may need some tuning. In those cases,
one may consider using
.BR slapd\-relay (5)
instead, which performs the relayed operation
internally and thus reuses the same connection.
......@@ -144,10 +144,6 @@ The
.B idassert\-bind
feature, instead, in some cases can be crafted to implement that behavior,
which is \fIintrinsically unsafe and should be used with extreme care\fP.
This directive obsoletes
.BR acl\-authcDN ,
and
.BR acl\-passwd .
The TLS settings default to the same as the main slapd TLS settings,
except for
......@@ -393,14 +389,6 @@ The identity associated to this directive is also used for privileged
operations whenever \fBidassert\-bind\fP is defined and \fBacl\-bind\fP
is not. See \fBacl\-bind\fP for details.
This directive obsoletes
.BR idassert\-authcDN ,
.BR idassert\-passwd ,
.BR idassert\-mode ,
and
.BR idassert\-method .
.RE
.TP
.B idassert-passthru <authz-regexp>
if defined, selects what
......@@ -418,7 +406,6 @@ section related to
.BR authz\-policy ,
for details on the syntax of this field.
.TP
.B idle\-timeout <time>
This directive causes a cached connection to be dropped an recreated
......@@ -621,122 +608,6 @@ when set to
create a temporary connection whenever competing with other threads
for a shared one; otherwise, wait until the shared connection is available.
.SH BACKWARD COMPATIBILITY
The LDAP backend has been heavily reworked between releases 2.2 and 2.3,
and subsequently between 2.3 and 2.4.
As a side-effect, some of the traditional directives have been
deprecated and should be no longer used, as they might disappear
in future releases.
.TP
.B acl\-authcDN "<administrative DN for access control purposes>"
Formerly known as the
.BR binddn ,
it is the DN that is used to query the target server for acl checking;
it is supposed to have read access on the target server to attributes used
on the proxy for acl checking.
There is no risk of giving away such values; they are only used to
check permissions.
.B The acl\-authcDN identity is by no means implicitly used by the proxy
.B when the client connects anonymously.
The
.B idassert\-*
feature can be used (at own risk) for that purpose instead.
This directive is obsoleted by the
.B binddn
arg of
.B acl\-bind
when \fIbindmethod\fP=\fBsimple\fP, and will be dismissed in the future.
.TP
.B acl\-passwd <password>
Formerly known as the
.BR bindpw ,
it is the password used with the above
.B acl\-authcDN
directive.
This directive is obsoleted by the
.B credentials
arg of
.B acl\-bind
when \fIbindmethod\fP=\fBsimple\fP, and will be dismissed in the future.
.TP
.B idassert\-authcDN "<administrative DN for proxyAuthz purposes>"
DN which is used to propagate the client's identity to the target
by means of the proxyAuthz control when the client does not
belong to the DIT fragment that is being proxied by back-ldap.
This directive is obsoleted by the
.B binddn
arg of
.BR idassert\-bind
when \fIbindmethod\fP=\fBsimple\fP, and will be dismissed in the future.
.TP
.B idassert\-passwd <password>
Password used with the
.B idassert\-authcDN
above.
This directive is obsoleted by the
.B credentials
arg of
.B idassert\-bind
when \fIbindmethod\fP=\fBsimple\fP, and will be dismissed in the future.
.TP
.B idassert\-mode <mode> [<flags>]
defines what type of
.I identity assertion
is used.
This directive is obsoleted by the
.B mode
arg of
.BR idassert\-bind ,
and will be dismissed in the future.
.TP
.B idassert\-method <method> [<saslargs>]
This directive is obsoleted by the
.B bindmethod
arg of
.BR idassert\-bind ,
and will be dismissed in the future.
.TP
.B port <port>
this directive is no longer supported. Use the
.B uri
directive as described above.
.TP
.B server <hostname[:port]>
this directive is no longer supported. Use the
.B uri
directive as described above.
.TP
.B suffixmassage, map, rewrite*
These directives are no longer supported by back-ldap; their
functionality is now delegated to the
.B rwm
overlay. Essentially, add a statement
.B overlay rwm
first, and prefix all rewrite/map statements with
.B rwm\-
to obtain the original behavior.
See
.BR slapo\-rwm (5)
for details.
.\" However, to ease update from existing configurations, back-ldap still
.\" recognizes them and automatically instantiates the
.\" .B rwm
.\" overlay if available and not instantiated yet.
.\" This behavior may change in the future.
.SH ACCESS CONTROL
The
.B ldap
......
......@@ -49,10 +49,9 @@ of the proxy lined up with that of the proxied server.
.LP
Note: When looping back to the same instance of \fBslapd\fP(8),
each connection requires a new thread; as a consequence, \fBslapd\fP(8)
must be compiled with thread support, and the \fBthreads\fP parameter
may need some tuning; in those cases, unless the multiple target feature
is required, one may consider using \fBslapd\-relay\fP(5) instead,
each connection requires a new thread; as a consequence, the \fBslapd\fP(8)
\fBthreads\fP parameter may need some tuning. In those cases, unless the
multiple target feature is required, one may consider using \fBslapd\-relay\fP(5) instead,
which performs the relayed operation internally and thus reuses
the same connection.
......
......@@ -39,7 +39,7 @@ They should appear after the
.B overlay
directive.
.TP
.B unique_uri <[strict ][ignore ]URI[URI...]...>
.B unique_uri <[strict ][ignore ][serialize ]URI[URI...]...>
Configure the base, attributes, scope, and filter for uniqueness
checking. Multiple URIs may be specified within a domain,
allowing complex selections of objects. Multiple
......@@ -50,9 +50,10 @@ attributes will create independent domains, each with their own
independent lists of URIs and ignore/strict settings.
Keywords
.B strict
.BR strict ,
.BR ignore ,
and
.B ignore
.B serialize
have to be enclosed in quotes (") together with the URI.
The LDAP URI syntax is a subset of
......@@ -119,6 +120,17 @@ mode extends the concept of uniqueness to include null values, such
that only one attribute within a subtree will be allowed to have a
null value. Strictness applies to all URIs within a uniqueness
domain, but some domains may be strict while others are not.
It is possible to enforce strict serialization of modifications by
prepending the keyword
.B serialize.
By default, no serialization is performed, so multiple modifications
occurring nearly simultaneously may see incomplete uniqueness results.
Using
.B serialize
will force individual write operations to fully complete before allowing
any others to proceed, to ensure that each operation's uniqueness checks
are consistent.
.LP
It is not possible to set both URIs and legacy slapo\-unique configuration
parameters simultaneously. In general, the legacy configuration options
......
......@@ -445,8 +445,12 @@ int ldap_pvt_gethostbyname_a(
*result=gethostbyname_r( name, resbuf, *buf, buflen, herrno_ptr );
r = (*result == NULL) ? -1 : 0;
#else
r = gethostbyname_r( name, resbuf, *buf,
buflen, result, herrno_ptr );
while((r = gethostbyname_r( name, resbuf, *buf, buflen, result, herrno_ptr )) == ERANGE) {
/* Increase the buffer */
buflen*=2;
if (safe_realloc(buf, buflen) == NULL)
return -1;
}
#endif
Debug2( LDAP_DEBUG_TRACE, "ldap_pvt_gethostbyname_a: host=%s, r=%d\n",
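Review bot: The new retry loop doubles `buflen` on every ERANGE with no upper bound, so a resolver answer that keeps producing ERANGE (or a libc that reports ERANGE for an unrelated reason) grows the buffer until `safe_realloc` fails or the doubling overflows `buflen`; refuse once the size passes a fixed cap, e.g. `if ( buflen > (1 << 20) ) return -1;` placed before `buflen *= 2;`. When `safe_realloc` fails the function returns -1 while `*result` and `r` still reflect the previous attempt, and whether `*buf` is left freed or still owned by the caller depends on `safe_realloc`, which is not visible here — confirm the callers only act on the return value and that no double free is possible on that path. ldap_pvt_gethostbyname_a starts before this hunk and continues after it.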
......
......@@ -86,8 +86,6 @@ enum {
/* Target attrs */
enum {
LDAP_BACK_CFG_URI = LDAP_BACK_CFG_LAST_BOTH,
LDAP_BACK_CFG_ACL_AUTHCDN,
LDAP_BACK_CFG_ACL_PASSWD,
LDAP_BACK_CFG_IDASSERT_AUTHZFROM,
LDAP_BACK_CFG_IDASSERT_BIND,
LDAP_BACK_CFG_SUFFIXM,
......@@ -115,32 +113,6 @@ static ConfigTable a_metacfg[] = {
"SYNTAX OMsDirectoryString "
"SINGLE-VALUE )",
NULL, NULL },
{ "acl-authcDN", "DN", 2, 2, 0,
ARG_DN|ARG_MAGIC|LDAP_BACK_CFG_ACL_AUTHCDN,
asyncmeta_back_cf_gen, "( OLcfgDbAt:3.2 "
"NAME 'olcDbACLAuthcDn' "
"DESC 'Remote ACL administrative identity' "
"OBSOLETE "
"SYNTAX OMsDN "
"SINGLE-VALUE )",
NULL, NULL },
/* deprecated, will be removed; aliases "acl-authcDN" */
{ "binddn", "DN", 2, 2, 0,
ARG_DN|ARG_MAGIC|LDAP_BACK_CFG_ACL_AUTHCDN,
asyncmeta_back_cf_gen, NULL, NULL, NULL },
{ "acl-passwd", "cred", 2, 2, 0,
ARG_MAGIC|LDAP_BACK_CFG_ACL_PASSWD,
asyncmeta_back_cf_gen, "( OLcfgDbAt:3.3 "
"NAME 'olcDbACLPasswd' "
"DESC 'Remote ACL administrative identity credentials' "
"OBSOLETE "
"SYNTAX OMsDirectoryString "
"SINGLE-VALUE )",
NULL, NULL },
/* deprecated, will be removed; aliases "acl-passwd" */
{ "bindpw", "cred", 2, 2, 0,
ARG_MAGIC|LDAP_BACK_CFG_ACL_PASSWD,
asyncmeta_back_cf_gen, NULL, NULL, NULL },
{ "idassert-bind", "args", 2, 0, 0,
ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_BIND,
asyncmeta_back_cf_gen, "( OLcfgDbAt:3.7 "
......@@ -454,9 +426,7 @@ static ConfigOCs a_metaocs[] = {
"DESC 'Asyncmeta target configuration' "
"SUP olcConfig STRUCTURAL "
"MUST ( olcAsyncMetaSub $ olcDbURI ) "
"MAY ( olcDbACLAuthcDn "
"$ olcDbACLPasswd "
"$ olcDbIDAssertAuthzFrom "
"MAY ( olcDbIDAssertAuthzFrom "
"$ olcDbIDAssertBind "
"$ olcDbSuffixMassage "
"$ olcDbSubtreeExclude "
......@@ -1296,15 +1266,6 @@ asyncmeta_back_cf_gen( ConfigArgs *c )
ber_bvarray_add( &c->rvalue_vals, &bv );
} break;
case LDAP_BACK_CFG_ACL_AUTHCDN:
case LDAP_BACK_CFG_ACL_PASSWD:
/* FIXME no point here, there is no code implementing
* their features. Was this supposed to implement
* acl-bind like back-ldap?
*/
rc = 1;
break;
case LDAP_BACK_CFG_IDASSERT_AUTHZFROM: {
BerVarray *bvp;
int i;
......@@ -2153,33 +2114,6 @@ asyncmeta_back_cf_gen( ConfigArgs *c )
mc->mc_bind_timeout.tv_usec = c->value_ulong%1000000;
break;
case LDAP_BACK_CFG_ACL_AUTHCDN:
/* name to use for meta_back_group */
if ( strcasecmp( c->argv[ 0 ], "binddn" ) == 0 ) {
Debug( LDAP_DEBUG_ANY, "%s: "
"\"binddn\" statement is deprecated; "
"use \"acl-authcDN\" instead\n", c->log );
/* FIXME: some day we'll need to throw an error */
}
ber_memfree_x( c->value_dn.bv_val, NULL );
mt->mt_binddn = c->value_ndn;
BER_BVZERO( &c->value_dn );
BER_BVZERO( &c->value_ndn );
break;
case LDAP_BACK_CFG_ACL_PASSWD:
/* password to use for meta_back_group */
if ( strcasecmp( c->argv[ 0 ], "bindpw" ) == 0 ) {
Debug( LDAP_DEBUG_ANY, "%s "
"\"bindpw\" statement is deprecated; "
"use \"acl-passwd\" instead\n", c->log );
/* FIXME: some day we'll need to throw an error */
}
ber_str2bv( c->argv[ 1 ], 0L, 1, &mt->mt_bindpw );
break;
case LDAP_BACK_CFG_REBIND:
/* save bind creds for referral rebinds? */
if ( c->argc == 1 || c->value_int ) {
......@@ -2469,8 +2403,6 @@ int
asyncmeta_back_init_cf( BackendInfo *bi )
{
int rc;
AttributeDescription *ad = NULL;
const char *text;
/* Make sure we don't exceed the bits reserved for userland */
config_check_userland( LDAP_BACK_CFG_LAST );
......@@ -2482,29 +2414,5 @@ asyncmeta_back_init_cf( BackendInfo *bi )
return rc;
}
/* setup olcDbAclPasswd and olcDbIDAssertPasswd
* to be base64-encoded when written in LDIF form;
* basically, we don't care if it fails */
rc = slap_str2ad( "olcDbACLPasswd", &ad, &text );
if ( rc ) {
Debug( LDAP_DEBUG_ANY, "config_back_initialize: "
"warning, unable to get \"olcDbACLPasswd\" "
"attribute description: %d: %s\n", rc, text );
} else {
(void)ldif_must_b64_encode_register( ad->ad_cname.bv_val,
ad->ad_type->sat_oid );
}
ad = NULL;
rc = slap_str2ad( "olcDbIDAssertPasswd", &ad, &text );
if ( rc ) {
Debug( LDAP_DEBUG_ANY, "config_back_initialize: "
"warning, unable to get \"olcDbIDAssertPasswd\" "
"attribute description: %d: %s\n", rc, text );
} else {
(void)ldif_must_b64_encode_register( ad->ad_cname.bv_val,
ad->ad_type->sat_oid );
}
return 0;
}
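Review bot: The removed `LDAP_BACK_CFG_ACL_AUTHCDN`/`LDAP_BACK_CFG_ACL_PASSWD` handlers were the only writers of `mt->mt_binddn` and `mt->mt_bindpw` visible in this section, and the deleted comment said no code consumed them; if those fields are still declared in the target struct, remove them in the same change so a later reader does not assume a remote-ACL identity is ever configured, and so no password-holding field is left around with nothing using it. Dropping the `binddn`/`bindpw` aliases also turns a keyword that used to be accepted with a deprecation warning into an unknown-directive failure at startup, and the slapd-ldap(5) hunk earlier on this page deletes the BACKWARD COMPATIBILITY section that explained the migration, so a line in the release notes or upgrade guide seems warranted. asyncmeta_back_cf_gen and asyncmeta_back_init_cf extend beyond the hunks shown.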
......@@ -43,16 +43,9 @@ static ConfigDriver ldap_pbind_cf_gen;
enum {
LDAP_BACK_CFG_URI = 1,
LDAP_BACK_CFG_TLS,
LDAP_BACK_CFG_ACL_AUTHCDN,
LDAP_BACK_CFG_ACL_PASSWD,
LDAP_BACK_CFG_ACL_METHOD,
LDAP_BACK_CFG_ACL_BIND,
LDAP_BACK_CFG_IDASSERT_MODE,
LDAP_BACK_CFG_IDASSERT_AUTHCDN,
LDAP_BACK_CFG_IDASSERT_PASSWD,
LDAP_BACK_CFG_IDASSERT_AUTHZFROM,
LDAP_BACK_CFG_IDASSERT_PASSTHRU,
LDAP_BACK_CFG_IDASSERT_METHOD,
LDAP_BACK_CFG_IDASSERT_BIND,
LDAP_BACK_CFG_REBIND,
LDAP_BACK_CFG_CHASE,
......@@ -73,7 +66,6 @@ enum {
LDAP_BACK_CFG_NOUNDEFFILTER,
LDAP_BACK_CFG_ONERR,
LDAP_BACK_CFG_REWRITE,
LDAP_BACK_CFG_KEEPALIVE,
LDAP_BACK_CFG_OMIT_UNKNOWN_SCHEMA,
......@@ -100,37 +92,6 @@ static ConfigTable ldapcfg[] = {
"SYNTAX OMsDirectoryString "
"SINGLE-VALUE )",
NULL, NULL },
{ "acl-authcDN", "DN", 2, 2, 0,
ARG_DN|ARG_MAGIC|LDAP_BACK_CFG_ACL_AUTHCDN,
ldap_back_cf_gen, "( OLcfgDbAt:3.2 "
"NAME 'olcDbACLAuthcDn' "
"DESC 'Remote ACL administrative identity' "
"EQUALITY distinguishedNameMatch "
"OBSOLETE "
"SYNTAX OMsDN "
"SINGLE-VALUE )",
NULL, NULL },
/* deprecated, will be removed; aliases "acl-authcDN" */
{ "binddn", "DN", 2, 2, 0,
ARG_DN|ARG_MAGIC|LDAP_BACK_CFG_ACL_AUTHCDN,
ldap_back_cf_gen, NULL, NULL, NULL },
{ "acl-passwd", "cred", 2, 2, 0,
ARG_MAGIC|LDAP_BACK_CFG_ACL_PASSWD,
ldap_back_cf_gen, "( OLcfgDbAt:3.3 "
"NAME 'olcDbACLPasswd' "
"DESC 'Remote ACL administrative identity credentials' "
"OBSOLETE "
"SYNTAX OMsDirectoryString "
"SINGLE-VALUE )",
NULL, NULL },
/* deprecated, will be removed; aliases "acl-passwd" */
{ "bindpw", "cred", 2, 2, 0,
ARG_MAGIC|LDAP_BACK_CFG_ACL_PASSWD,
ldap_back_cf_gen, NULL, NULL, NULL },
/* deprecated, will be removed; aliases "acl-bind" */
{ "acl-method", "args", 2, 0, 0,
ARG_MAGIC|LDAP_BACK_CFG_ACL_METHOD,
ldap_back_cf_gen, NULL, NULL, NULL },
{ "acl-bind", "args", 2, 0, 0,
ARG_MAGIC|LDAP_BACK_CFG_ACL_BIND,
ldap_back_cf_gen, "( OLcfgDbAt:3.4 "
......@@ -140,33 +101,6 @@ static ConfigTable ldapcfg[] = {
"SYNTAX OMsDirectoryString "
"SINGLE-VALUE )",
NULL, NULL },
{ "idassert-authcDN", "DN", 2, 2, 0,
ARG_DN|ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_AUTHCDN,
ldap_back_cf_gen, "( OLcfgDbAt:3.5 "
"NAME 'olcDbIDAssertAuthcDn' "
"DESC 'Remote Identity Assertion administrative identity' "
"EQUALITY distinguishedNameMatch "
"OBSOLETE "
"SYNTAX OMsDN "
"SINGLE-VALUE )",
NULL, NULL },
/* deprecated, will be removed; partially aliases "idassert-authcDN" */
{ "proxyauthzdn", "DN", 2, 2, 0,
ARG_DN|ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_AUTHCDN,
ldap_back_cf_gen, NULL, NULL, NULL },
{ "idassert-passwd", "cred", 2, 2, 0,
ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_PASSWD,
ldap_back_cf_gen, "( OLcfgDbAt:3.6 "
"NAME 'olcDbIDAssertPasswd' "
"DESC 'Remote Identity Assertion administrative identity credentials' "
"OBSOLETE "
"SYNTAX OMsDirectoryString "
"SINGLE-VALUE )",
NULL, NULL },
/* deprecated, will be removed; partially aliases "idassert-passwd" */
{ "proxyauthzpw", "cred", 2, 2, 0,
ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_PASSWD,
ldap_back_cf_gen, NULL, NULL, NULL },
{ "idassert-bind", "args", 2, 0, 0,
ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_BIND,
ldap_back_cf_gen, "( OLcfgDbAt:3.7 "
......@@ -176,18 +110,6 @@ static ConfigTable ldapcfg[] = {
"SYNTAX OMsDirectoryString "
"SINGLE-VALUE )",
NULL, NULL },
{ "idassert-method", "args", 2, 0, 0,
ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_METHOD,
ldap_back_cf_gen, NULL, NULL, NULL },
{ "idassert-mode", "mode>|u:<user>|[dn:]<DN", 2, 0, 0,
ARG_STRING|ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_MODE,
ldap_back_cf_gen, "( OLcfgDbAt:3.8 "
"NAME 'olcDbIDAssertMode' "
"DESC 'Remote Identity Assertion mode' "
"OBSOLETE "
"SYNTAX OMsDirectoryString "
"SINGLE-VALUE)",
NULL, NULL },
{ "idassert-authzFrom", "authzRule", 2, 2, 0,
ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_AUTHZFROM,
ldap_back_cf_gen, "( OLcfgDbAt:3.9 "
......@@ -370,16 +292,6 @@ static ConfigTable ldapcfg[] = {
"SYNTAX OMsDirectoryString "
"X-ORDERED 'VALUES' )",
NULL, NULL },
{ "suffixmassage", "[virtual]> <real", 2, 3, 0,
ARG_STRING|ARG_MAGIC|LDAP_BACK_CFG_REWRITE,
ldap_back_cf_gen, NULL, NULL, NULL },
{ "map", "attribute|objectClass> [*|<local>] *|<remote", 3, 4, 0,
ARG_STRING|ARG_MAGIC|LDAP_BACK_CFG_REWRITE,
ldap_back_cf_gen, NULL, NULL, NULL },
{ "rewrite", "<arglist>", 2, 4, STRLENOF( "rewrite" ),
ARG_STRING|ARG_MAGIC|LDAP_BACK_CFG_REWRITE,
ldap_back_cf_gen, NULL, NULL, NULL },
{ "omit-unknown-schema", "true|FALSE", 2, 2, 0,
ARG_MAGIC|ARG_ON_OFF|LDAP_BACK_CFG_OMIT_UNKNOWN_SCHEMA,
ldap_back_cf_gen, "( OLcfgDbAt:3.28 "
......@@ -409,13 +321,8 @@ static ConfigOCs ldapocs[] = {
"SUP olcDatabaseConfig "
"MAY ( olcDbURI "
"$ olcDbStartTLS "
"$ olcDbACLAuthcDn "
"$ olcDbACLPasswd "
"$ olcDbACLBind "
"$ olcDbIDAssertAuthcDn "
"$ olcDbIDAssertPasswd "
"$ olcDbIDAssertBind "
"$ olcDbIDAssertMode "
"$ olcDbIDAssertAuthzFrom "
"$ olcDbIDAssertPassThru "
"$ olcDbRebindAsUser "
......@@ -1068,13 +975,6 @@ ldap_back_cf_gen( ConfigArgs *c )
}
break;
case LDAP_BACK_CFG_ACL_AUTHCDN:
case LDAP_BACK_CFG_ACL_PASSWD:
case LDAP_BACK_CFG_ACL_METHOD:
/* handled by LDAP_BACK_CFG_ACL_BIND */
rc = 1;
break;
case LDAP_BACK_CFG_ACL_BIND: {
int i;
......@@ -1097,14 +997,6 @@ ldap_back_cf_gen( ConfigArgs *c )
break;
}
case LDAP_BACK_CFG_IDASSERT_MODE:
case LDAP_BACK_CFG_IDASSERT_AUTHCDN:
case LDAP_BACK_CFG_IDASSERT_PASSWD:
case LDAP_BACK_CFG_IDASSERT_METHOD:
/* handled by LDAP_BACK_CFG_IDASSERT_BIND */
rc = 1;
break;
case LDAP_BACK_CFG_IDASSERT_AUTHZFROM:
case LDAP_BACK_CFG_IDASSERT_PASSTHRU: {
BerVarray *bvp;
......@@ -1502,25 +1394,10 @@ ldap_back_cf_gen( ConfigArgs *c )
rc = 1;
break;
case LDAP_BACK_CFG_ACL_AUTHCDN:
case LDAP_BACK_CFG_ACL_PASSWD:
case LDAP_BACK_CFG_ACL_METHOD:
/* handled by LDAP_BACK_CFG_ACL_BIND */
rc = 1;
break;
case LDAP_BACK_CFG_ACL_BIND:
bindconf_free( &li->li_acl );
break;
case LDAP_BACK_CFG_IDASSERT_MODE:
case LDAP_BACK_CFG_IDASSERT_AUTHCDN:
case LDAP_BACK_CFG_IDASSERT_PASSWD:
case LDAP_BACK_CFG_IDASSERT_METHOD:
/* handled by LDAP_BACK_CFG_IDASSERT_BIND */
rc = 1;
break;
case LDAP_BACK_CFG_IDASSERT_AUTHZFROM:
case LDAP_BACK_CFG_IDASSERT_PASSTHRU: {
BerVarray *bvp;
......@@ -1822,56 +1699,6 @@ done_url:;
#endif
break;
case LDAP_BACK_CFG_ACL_AUTHCDN:
switch ( li->li_acl_authmethod ) {
case LDAP_AUTH_NONE:
li->li_acl_authmethod = LDAP_AUTH_SIMPLE;
break;
case LDAP_AUTH_SIMPLE:
break;
default:
snprintf( c->cr_msg, sizeof( c->cr_msg),
"\"acl-authcDN <DN>\" incompatible "
"with auth method %d",
li->li_acl_authmethod );
Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg );
return 1;
}
if ( !BER_BVISNULL( &li->li_acl_authcDN ) ) {
free( li->li_acl_authcDN.bv_val );
}
ber_memfree_x( c->value_dn.bv_val, NULL );
li->li_acl_authcDN = c->value_ndn;
BER_BVZERO( &c->value_dn );
BER_BVZERO( &c->value_ndn );
break;
case LDAP_BACK_CFG_ACL_PASSWD:
switch ( li->li_acl_authmethod ) {
case LDAP_AUTH_NONE:
li->li_acl_authmethod = LDAP_AUTH_SIMPLE;
break;
case LDAP_AUTH_SIMPLE:
break;
default:
snprintf( c->cr_msg, sizeof( c->cr_msg ),
"\"acl-passwd <cred>\" incompatible "
"with auth method %d",
li->li_acl_authmethod );
Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg );
return 1;
}
if ( !BER_BVISNULL( &li->li_acl_passwd ) ) {
free( li->li_acl_passwd.bv_val );
}
ber_str2bv( c->argv[ 1 ], 0, 1, &li->li_acl_passwd );
break;
case LDAP_BACK_CFG_ACL_METHOD:
case LDAP_BACK_CFG_ACL_BIND:
for ( i = 1; i < c->argc; i++ ) {
if ( bindconf_parse( c->argv[ i ], &li->li_acl ) ) {
......@@ -1887,141 +1714,6 @@ done_url:;
#endif
break;
case LDAP_BACK_CFG_IDASSERT_MODE:
i = verb_to_mask( c->argv[1], idassert_mode );
if ( BER_BVISNULL( &idassert_mode[i].word ) ) {
if ( strncasecmp( c->argv[1], "u:", STRLENOF( "u:" ) ) == 0 ) {
li->li_idassert_mode = LDAP_BACK_IDASSERT_OTHERID;
ber_str2bv( c->argv[1], 0, 1, &li->li_idassert_authzID );
li->li_idassert_authzID.bv_val[ 0 ] = 'u';
} else {
struct berval id, ndn;
ber_str2bv( c->argv[1], 0, 0, &id );
if ( strncasecmp( c->argv[1], "dn:", STRLENOF( "dn:" ) ) == 0 ) {
id.bv_val += STRLENOF( "dn:" );
id.bv_len -= STRLENOF( "dn:" );
}
rc = dnNormalize( 0, NULL, NULL, &id, &ndn, NULL );
if ( rc != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_ANY,
"%s: line %d: idassert ID \"%s\" is not a valid DN\n",
c->fname, c->lineno, c->argv[1] );
return 1;
}
li->li_idassert_authzID.bv_len = STRLENOF( "dn:" ) + ndn.bv_len;
li->li_idassert_authzID.bv_val = ch_malloc( li->li_idassert_authzID.bv_len + 1 );
AC_MEMCPY( li->li_idassert_authzID.bv_val, "dn:", STRLENOF( "dn:" ) );
AC_MEMCPY( &li->li_idassert_authzID.bv_val[ STRLENOF( "dn:" ) ], ndn.bv_val, ndn.bv_len + 1 );
ch_free( ndn.bv_val );
li->li_idassert_mode = LDAP_BACK_IDASSERT_OTHERDN;
}
} else {
li->li_idassert_mode = idassert_mode[i].mask;
}
if ( c->argc > 2 ) {
int i;
for ( i = 2; i < c->argc; i++ ) {
if ( strcasecmp( c->argv[ i ], "override" ) == 0 ) {
li->li_idassert_flags |= LDAP_BACK_AUTH_OVERRIDE;
} else if ( strcasecmp( c->argv[ i ], "prescriptive" ) == 0 ) {
li->li_idassert_flags |= LDAP_BACK_AUTH_PRESCRIPTIVE;
} else if ( strcasecmp( c->argv[ i ], "non-prescriptive" ) == 0 ) {
li->li_idassert_flags &= ( ~LDAP_BACK_AUTH_PRESCRIPTIVE );
} else if ( strcasecmp( c->argv[ i ], "obsolete-proxy-authz" ) == 0 ) {
if ( li->li_idassert_flags & LDAP_BACK_AUTH_OBSOLETE_ENCODING_WORKAROUND ) {
Debug( LDAP_DEBUG_ANY,
"%s: line %d: \"obsolete-proxy-authz\" flag "
"in \"idassert-mode <args>\" "
"incompatible with previously issued \"obsolete-encoding-workaround\" flag.\n",
c->fname, c->lineno );
return 1;
}
li->li_idassert_flags |= LDAP_BACK_AUTH_OBSOLETE_PROXY_AUTHZ;
} else if ( strcasecmp( c->argv[ i ], "obsolete-encoding-workaround" ) == 0 ) {
if ( li->li_idassert_flags & LDAP_BACK_AUTH_OBSOLETE_PROXY_AUTHZ ) {
Debug( LDAP_DEBUG_ANY,
"%s: line %d: \"obsolete-encoding-workaround\" flag "
"in \"idassert-mode <args>\" "
"incompatible with previously issued \"obsolete-proxy-authz\" flag.\n",
c->fname, c->lineno );
return 1;
}
li->li_idassert_flags |= LDAP_BACK_AUTH_OBSOLETE_ENCODING_WORKAROUND;
} else {
Debug( LDAP_DEBUG_ANY,
"%s: line %d: unknown flag #%d "
"in \"idassert-mode <args> "
"[<flags>]\" line.\n",
c->fname, c->lineno, i - 2 );
return 1;
}
}
}
break;
case LDAP_BACK_CFG_IDASSERT_AUTHCDN:
switch ( li->li_idassert_authmethod ) {
case LDAP_AUTH_NONE:
li->li_idassert_authmethod = LDAP_AUTH_SIMPLE;
break;
case LDAP_AUTH_SIMPLE:
break;
default:
snprintf( c->cr_msg, sizeof( c->cr_msg ),
"\"idassert-authcDN <DN>\" incompatible "
"with auth method %d",
li->li_idassert_authmethod );
Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg );
return 1;
}
if ( !BER_BVISNULL( &li->li_idassert_authcDN ) ) {
free( li->li_idassert_authcDN.bv_val );
}
ber_memfree_x( c->value_dn.bv_val, NULL );
li->li_idassert_authcDN = c->value_ndn;
BER_BVZERO( &c->value_dn );
BER_BVZERO( &c->value_ndn );
break;
case LDAP_BACK_CFG_IDASSERT_PASSWD:
switch ( li->li_idassert_authmethod ) {
case LDAP_AUTH_NONE:
li->li_idassert_authmethod = LDAP_AUTH_SIMPLE;
break;
case LDAP_AUTH_SIMPLE:
break;
default:
snprintf( c->cr_msg, sizeof( c->cr_msg ),
"\"idassert-passwd <cred>\" incompatible "
"with auth method %d",
li->li_idassert_authmethod );
Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg );
return 1;
}
if ( !BER_BVISNULL( &li->li_idassert_passwd ) ) {
free( li->li_idassert_passwd.bv_val );
}
ber_str2bv( c->argv[ 1 ], 0, 1, &li->li_idassert_passwd );
break;
case LDAP_BACK_CFG_IDASSERT_AUTHZFROM:
rc = slap_idassert_authzfrom_parse( c, &li->li_idassert );
break;
......@@ -2030,14 +1722,6 @@ done_url:;
rc = slap_idassert_passthru_parse( c, &li->li_idassert );
break;
case LDAP_BACK_CFG_IDASSERT_METHOD:
/* no longer supported */
snprintf( c->cr_msg, sizeof( c->cr_msg ),
"\"idassert-method <args>\": "
"no longer supported; use \"idassert-bind\"" );
Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg );
return 1;
case LDAP_BACK_CFG_IDASSERT_BIND:
rc = slap_idassert_parse( c, &li->li_idassert );
break;
......@@ -2338,15 +2022,6 @@ done_url:;
li->li_flags |= onerr_mode[i].mask;
break;
case LDAP_BACK_CFG_REWRITE:
snprintf( c->cr_msg, sizeof( c->cr_msg ),
"rewrite/remap capabilities have been moved "
"to the \"rwm\" overlay; see slapo-rwm(5) "
"for details (hint: add \"overlay rwm\" "
"and prefix all directives with \"rwm-\")" );
Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg );
return 1;
case LDAP_BACK_CFG_OMIT_UNKNOWN_SCHEMA:
if ( c->value_int ) {
li->li_flags |= LDAP_BACK_F_OMIT_UNKNOWN_SCHEMA;
......@@ -2374,8 +2049,6 @@ int
ldap_back_init_cf( BackendInfo *bi )
{
int rc;
AttributeDescription *ad = NULL;
const char *text;
/* Make sure we don't exceed the bits reserved for userland */
config_check_userland( LDAP_BACK_CFG_LAST );
......@@ -2387,32 +2060,6 @@ ldap_back_init_cf( BackendInfo *bi )
return rc;
}
/* setup olcDbAclPasswd and olcDbIDAssertPasswd
* to be base64-encoded when written in LDIF form;
* basically, we don't care if it fails */
rc = slap_str2ad( "olcDbACLPasswd", &ad, &text );
if ( rc ) {
Debug( LDAP_DEBUG_ANY, "config_back_initialize: "
"warning, unable to get \"olcDbACLPasswd\" "
"attribute description: %d: %s\n",
rc, text );
} else {
(void)ldif_must_b64_encode_register( ad->ad_cname.bv_val,
ad->ad_type->sat_oid );
}
ad = NULL;
rc = slap_str2ad( "olcDbIDAssertPasswd", &ad, &text );
if ( rc ) {
Debug( LDAP_DEBUG_ANY, "config_back_initialize: "
"warning, unable to get \"olcDbIDAssertPasswd\" "
"attribute description: %d: %s\n",
rc, text );
} else {
(void)ldif_must_b64_encode_register( ad->ad_cname.bv_val,
ad->ad_type->sat_oid );
}
return 0;
}
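Review bot: Removing `olcDbACLAuthcDn`, `olcDbACLPasswd`, `olcDbIDAssertAuthcDn`, `olcDbIDAssertPasswd` and `olcDbIDAssertMode` from the `olcLDAPConfig` MAY list means an existing cn=config tree that still stores any of them will fail the schema check when slapd loads its `olcDatabase={n}ldap` entry, and nothing in this commit converts them to `olcDbACLBind`/`olcDbIDAssertBind`; unless a conversion step exists elsewhere, either keep the attributes as accepted-but-ignored OBSOLETE rows for one release or document the manual slapcat/edit/slapadd migration. The deleted `LDAP_BACK_CFG_IDASSERT_METHOD` and `LDAP_BACK_CFG_REWRITE` cases were pure error stubs that told the administrator to use `idassert-bind` or the `rwm` overlay; with their ConfigTable rows gone those directives now fail with a generic unknown-keyword error, so consider keeping the rows as stubs that still emit the hint. The removed `li_acl_*`/`li_idassert_*` assignments are harmless only if those names are aliases onto `li_acl` and `li_idassert` as the "handled by ACL_BIND" comments suggest; if they are separate struct fields with readers elsewhere, those readers now see unset values. ldap_back_cf_gen extends beyond the hunks shown.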
......
......@@ -91,8 +91,6 @@ enum {
/* Target attrs */
enum {
LDAP_BACK_CFG_URI = LDAP_BACK_CFG_LAST_BOTH,
LDAP_BACK_CFG_ACL_AUTHCDN,
LDAP_BACK_CFG_ACL_PASSWD,
LDAP_BACK_CFG_IDASSERT_AUTHZFROM,
LDAP_BACK_CFG_IDASSERT_BIND,
LDAP_BACK_CFG_REWRITE,
......@@ -127,33 +125,6 @@ static ConfigTable metacfg[] = {
"SYNTAX OMsDirectoryString "
"SINGLE-VALUE )",
NULL, NULL },
{ "acl-authcDN", "DN", 2, 2, 0,
ARG_DN|ARG_MAGIC|LDAP_BACK_CFG_ACL_AUTHCDN,
meta_back_cf_gen, "( OLcfgDbAt:3.2 "
"NAME 'olcDbACLAuthcDn' "
"DESC 'Remote ACL administrative identity' "
"EQUALITY distinguishedNameMatch "
"OBSOLETE "
"SYNTAX OMsDN "
"SINGLE-VALUE )",
NULL, NULL },
/* deprecated, will be removed; aliases "acl-authcDN" */
{ "binddn", "DN", 2, 2, 0,
ARG_DN|ARG_MAGIC|LDAP_BACK_CFG_ACL_AUTHCDN,
meta_back_cf_gen, NULL, NULL, NULL },
{ "acl-passwd", "cred", 2, 2, 0,
ARG_MAGIC|LDAP_BACK_CFG_ACL_PASSWD,
meta_back_cf_gen, "( OLcfgDbAt:3.3 "
"NAME 'olcDbACLPasswd' "
"DESC 'Remote ACL administrative identity credentials' "
"OBSOLETE "
"SYNTAX OMsDirectoryString "
"SINGLE-VALUE )",
NULL, NULL },
/* deprecated, will be removed; aliases "acl-passwd" */
{ "bindpw", "cred", 2, 2, 0,
ARG_MAGIC|LDAP_BACK_CFG_ACL_PASSWD,
meta_back_cf_gen, NULL, NULL, NULL },
{ "idassert-bind", "args", 2, 0, 0,
ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_BIND,
meta_back_cf_gen, "( OLcfgDbAt:3.7 "
......@@ -506,9 +477,7 @@ static ConfigOCs metaocs[] = {
"DESC 'Meta target configuration' "
"SUP olcConfig STRUCTURAL "
"MUST ( olcMetaSub $ olcDbURI ) "
"MAY ( olcDbACLAuthcDn "
"$ olcDbACLPasswd "
"$ olcDbIDAssertAuthzFrom "
"MAY ( olcDbIDAssertAuthzFrom "
"$ olcDbIDAssertBind "
"$ olcDbMap "
"$ olcDbRewrite "
......@@ -1408,15 +1377,6 @@ meta_back_cf_gen( ConfigArgs *c )
ber_bvarray_add( &c->rvalue_vals, &bv );
} break;
case LDAP_BACK_CFG_ACL_AUTHCDN:
case LDAP_BACK_CFG_ACL_PASSWD:
/* FIXME no point here, there is no code implementing
* their features. Was this supposed to implement
* acl-bind like back-ldap?
*/
rc = 1;
break;
case LDAP_BACK_CFG_IDASSERT_AUTHZFROM: {
BerVarray *bvp;
int i;
......@@ -2308,35 +2268,6 @@ meta_back_cf_gen( ConfigArgs *c )
mc->mc_bind_timeout.tv_usec = c->value_ulong%1000000;
break;
case LDAP_BACK_CFG_ACL_AUTHCDN:
/* name to use for meta_back_group */
if ( strcasecmp( c->argv[ 0 ], "binddn" ) == 0 ) {
Debug( LDAP_DEBUG_ANY, "%s: "
"\"binddn\" statement is deprecated; "
"use \"acl-authcDN\" instead\n",
c->log );
/* FIXME: some day we'll need to throw an error */
}
ber_memfree_x( c->value_dn.bv_val, NULL );
mt->mt_binddn = c->value_ndn;
BER_BVZERO( &c->value_dn );
BER_BVZERO( &c->value_ndn );
break;
case LDAP_BACK_CFG_ACL_PASSWD:
/* password to use for meta_back_group */
if ( strcasecmp( c->argv[ 0 ], "bindpw" ) == 0 ) {
Debug( LDAP_DEBUG_ANY, "%s "
"\"bindpw\" statement is deprecated; "
"use \"acl-passwd\" instead\n",
c->log );
/* FIXME: some day we'll need to throw an error */
}
ber_str2bv( c->argv[ 1 ], 0L, 1, &mt->mt_bindpw );
break;
case LDAP_BACK_CFG_REBIND:
/* save bind creds for referral rebinds? */
if ( c->argc == 1 || c->value_int ) {
......@@ -2979,8 +2910,6 @@ int
meta_back_init_cf( BackendInfo *bi )
{
int rc;
AttributeDescription *ad = NULL;
const char *text;
/* Make sure we don't exceed the bits reserved for userland */
config_check_userland( LDAP_BACK_CFG_LAST );
......@@ -2992,32 +2921,6 @@ meta_back_init_cf( BackendInfo *bi )
return rc;
}
/* setup olcDbAclPasswd and olcDbIDAssertPasswd
* to be base64-encoded when written in LDIF form;
* basically, we don't care if it fails */
rc = slap_str2ad( "olcDbACLPasswd", &ad, &text );
if ( rc ) {
Debug( LDAP_DEBUG_ANY, "config_back_initialize: "
"warning, unable to get \"olcDbACLPasswd\" "
"attribute description: %d: %s\n",
rc, text );
} else {
(void)ldif_must_b64_encode_register( ad->ad_cname.bv_val,
ad->ad_type->sat_oid );
}
ad = NULL;
rc = slap_str2ad( "olcDbIDAssertPasswd", &ad, &text );
if ( rc ) {
Debug( LDAP_DEBUG_ANY, "config_back_initialize: "
"warning, unable to get \"olcDbIDAssertPasswd\" "
"attribute description: %d: %s\n",
rc, text );
} else {
(void)ldif_must_b64_encode_register( ad->ad_cname.bv_val,
ad->ad_type->sat_oid );
}
return 0;
}
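Review bot: The deleted `LDAP_BACK_CFG_ACL_AUTHCDN`/`LDAP_BACK_CFG_ACL_PASSWD` handlers were where `mt->mt_binddn` and `mt->mt_bindpw` were populated, and the removed comment still described them as the identity used by `meta_back_group`; if `mt_bindpw` remains in the target struct and is still read by a bind or group-check path (not visible here), that path now sees an empty credential, so either delete the fields too or confirm no reader is left. Note also that `olcDbACLAuthcDn`/`olcDbACLPasswd` drop out of the `olcMetaTargetConfig` MAY list here, so a cn=config tree that still carries them will no longer pass the schema check on load unless it is converted first. meta_back_cf_gen and meta_back_init_cf continue outside the hunks shown.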
......
......@@ -2882,8 +2882,21 @@ no_change: if ( !(op->o_sync_mode & SLAP_SYNC_PERSIST) ) {
ldap_pvt_thread_mutex_unlock( &sl->sl_mutex );
}
}
/* Is the CSN still present in the database? */
if ( syncprov_findcsn( op, FIND_CSN, &mincsn ) != LDAP_SUCCESS ) {
/*
* If sessionlog wasn't useful, see if we can find at least one entry
* that hasn't changed based on the cookie.
*
* TODO: Using mincsn only (rather than the whole cookie) will
* under-approximate the set of entries that haven't changed, but we
* can't look up CSNs by serverid with the current indexing support.
*
* As a result, dormant serverids in the cluster become mincsns and
* more likely to make syncprov_findcsn(,FIND_CSN,) fail -> triggering
* an expensive refresh...
*/
if ( !do_present ) {
gotstate = 1;
} else if ( syncprov_findcsn( op, FIND_CSN, &mincsn ) != LDAP_SUCCESS ) {
/* No, so a reload is required */
/* the 2.2 consumer doesn't send this hint */
if ( si->si_usehint && srs->sr_rhint == 0 ) {
......@@ -2910,8 +2923,7 @@ no_change: if ( !(op->o_sync_mode & SLAP_SYNC_PERSIST) ) {
} else {
gotstate = 1;
/* If changed and doing Present lookup, send Present UUIDs */
if ( do_present && syncprov_findcsn( op, FIND_PRESENT, 0 ) !=
LDAP_SUCCESS ) {
if ( syncprov_findcsn( op, FIND_PRESENT, 0 ) != LDAP_SUCCESS ) {
if ( ctxcsn )
ber_bvarray_free_x( ctxcsn, op->o_tmpmemctx );
if ( sids )
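Review bot: With the new `if ( !do_present ) gotstate = 1;` arm, the `FIND_CSN` probe and the forced-refresh path beneath it are skipped entirely whenever a present phase is not needed, which is only safe if `do_present` is cleared solely when the sessionlog fully covered the consumer's cookie; the comment should state that invariant rather than leave it implicit, e.g. `/* !do_present: the sessionlog covered the cookie, so mincsn need not be re-checked */`. The TODO explains the under-approximation from using only `mincsn` but not what an operator would observe (unexpected full refreshes after a serverid goes quiet), and a one-line note on that would help whoever picks it up. The function containing the `no_change:` label starts well before this hunk and continues after it.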
......
......@@ -58,12 +58,14 @@ typedef struct unique_domain_s {
struct unique_domain_uri_s *uri;
char ignore; /* polarity of attributes */
char strict; /* null considered unique too */
char serial; /* serialize execution */
} unique_domain;
typedef struct unique_data_s {
struct unique_domain_s *domains;
struct unique_domain_s *legacy;
char legacy_strict_set;
ldap_pvt_thread_mutex_t serial_mutex;
} unique_data;
typedef struct unique_counter_s {
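Review bot: `serial_mutex` is added to `unique_data` without a comment while the neighbouring fields each carry one, and since `unique_data` is allocated once per overlay instance in `unique_db_init`, this single lock is shared by every domain of the instance that sets `serial`, so two `serialize` domains on the same database serialize against each other as well as against themselves. Suggest `ldap_pvt_thread_mutex_t serial_mutex; /* one per overlay instance; held from the uniqueness search through the write for any domain marked serialize */`.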
......@@ -76,7 +78,7 @@ enum {
UNIQUE_IGNORE,
UNIQUE_ATTR,
UNIQUE_STRICT,
UNIQUE_URI
UNIQUE_URI,
};
static ConfigDriver unique_cf_base;
......@@ -315,7 +317,7 @@ unique_new_domain_uri_basic ( unique_domain_uri **urip,
*
* domain_specs look like
*
* [strict ][ignore ]uri[[ uri]...]
* [strict ][ignore ][serialize ]uri[[ uri]...]
* e.g. "ldap:///ou=foo,o=bar?uid?sub ldap:///ou=baz,o=bar?uid?sub"
* "strict ldap:///ou=accounts,o=bar?uid,uidNumber?one"
* etc
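Review bot: The documented keyword order `[strict ][ignore ][serialize ]uri[[ uri]...]` does not match the parser in the `unique_new_domain` hunk below, which tests for `serialize ` only after the `ignore ` test and before the `strict ` test; unless the `strict` branch (its body continues outside that hunk) also accepts a following `serialize`, a spec written in the documented order such as `strict serialize ldap:///...` would leave `serialize` unconsumed and hand it to the URI parser. Either try the `serialize` check in every position the comment allows, or make the comment reflect the order the code accepts, e.g. `[ignore ][serialize ][strict ]uri[[ uri]...]` if that is the only accepted order. The same mismatch should be checked against the man page wording for this option.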
......@@ -346,6 +348,11 @@ unique_new_domain ( unique_domain **domainp,
domain->ignore = 1;
uri_start += STRLENOF( "ignore " );
}
if ( strncasecmp ( uri_start, "serialize ",
STRLENOF( "serialize " ) ) == 0 ) {
domain->serial = 1;
uri_start += STRLENOF( "serialize " );
}
if ( strncasecmp ( uri_start, "strict ",
STRLENOF( "strict " ) ) == 0 ) {
domain->strict = 1;
......@@ -644,11 +651,7 @@ unique_cf_strict( ConfigArgs *c )
* and missing is necessary to add olcUniqueURIs...
*/
if ( private->legacy_strict_set ) {
struct berval bv;
bv.bv_val = legacy->strict ? "TRUE" : "FALSE";
bv.bv_len = legacy->strict ?
STRLENOF("TRUE") :
STRLENOF("FALSE");
struct berval bv = legacy->strict ? slap_true_bv : slap_false_bv;
value_add_one ( &c->rvalue_vals, &bv );
}
rc = 0;
......@@ -789,11 +792,13 @@ unique_db_init(
)
{
slap_overinst *on = (slap_overinst *)be->bd_info;
unique_data **privatep = (unique_data **) &on->on_bi.bi_private;
unique_data *private;
Debug(LDAP_DEBUG_TRACE, "==> unique_db_init\n" );
*privatep = ch_calloc ( 1, sizeof ( unique_data ) );
private = ch_calloc ( 1, sizeof ( unique_data ) );
ldap_pvt_thread_mutex_init( &private->serial_mutex );
on->on_bi.bi_private = private;
return 0;
}
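Review bot: The return value of `ldap_pvt_thread_mutex_init` is discarded in `unique_db_init`; if the project's convention is to check it, the init should fail cleanly instead of leaving an instance whose lock may be unusable: `if ( ldap_pvt_thread_mutex_init( &private->serial_mutex ) ) { ch_free( private ); return -1; }`. A matching note that `unique_db_destroy` only destroys the mutex when `private` is non-NULL would make the pairing obvious.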
......@@ -805,8 +810,7 @@ unique_db_destroy(
)
{
slap_overinst *on = (slap_overinst *)be->bd_info;
unique_data **privatep = (unique_data **) &on->on_bi.bi_private;
unique_data *private = *privatep;
unique_data *private = on->on_bi.bi_private;
Debug(LDAP_DEBUG_TRACE, "==> unique_db_destroy\n" );
......@@ -816,8 +820,9 @@ unique_db_destroy(
unique_free_domain ( domains );
unique_free_domain ( legacy );
ldap_pvt_thread_mutex_destroy( &private->serial_mutex );
ch_free ( private );
*privatep = NULL;
on->on_bi.bi_private = NULL;
}
return 0;
......@@ -1025,6 +1030,21 @@ unique_search(
return(rc);
}
static int
unique_unlock(
Operation *op,
SlapReply *rs
)
{
slap_callback *sc = op->o_callback;
unique_data *private = sc->sc_private;
ldap_pvt_thread_mutex_unlock( &private->serial_mutex );
op->o_callback = sc->sc_next;
op->o_tmpfree( sc, op->o_tmpmemctx );
return 0;
}
static int
unique_add(
Operation *op,
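Review bot: `unique_unlock` has no header comment, and its correctness depends on the cleanup machinery invoking it with `op->o_callback` pointing at this very callback, because it reads `sc->sc_private` from the head of the list and then unlinks that head; if that is the slapd contract for `sc_cleanup`, say so above the function, e.g. `/* sc_cleanup for the serialize lock: runs once the backend has finished the write, releases serial_mutex taken in unique_add/modify/modrdn, and unlinks and frees itself; relies on cleanup callbacks being played with op->o_callback set to the callback being run. */`. Because the mutex is held from the uniqueness search through the backend write, any path that re-enters this overlay on the same instance with a `serialize` domain while the lock is held (for instance an internal operation issued during the write) would self-deadlock on what is presumably a non-recursive mutex; if such re-entry is excluded elsewhere, the comment should record that assumption. The `rs` parameter is unused but required by the callback signature, which is worth a `(void)rs;` or a note.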
......@@ -1041,6 +1061,7 @@ unique_add(
char *key, *kp;
struct berval bvkey;
int rc = SLAP_CB_CONTINUE;
int locked = 0;
Debug(LDAP_DEBUG_TRACE, "==> unique_add <%s>\n",
op->o_req_dn.bv_val );
......@@ -1100,6 +1121,11 @@ unique_add(
/* skip this domain-uri if it isn't involved */
if ( !ks ) continue;
if ( domain->serial && !locked ) {
ldap_pvt_thread_mutex_lock( &private->serial_mutex );
locked = 1;
}
/* terminating NUL */
ks += sizeof("(|)");
......@@ -1150,6 +1176,17 @@ unique_add(
if ( rc != SLAP_CB_CONTINUE ) break;
}
if ( locked ) {
if ( rc != SLAP_CB_CONTINUE ) {
ldap_pvt_thread_mutex_unlock( &private->serial_mutex );
} else {
slap_callback *cb = op->o_tmpcalloc( 1, sizeof(slap_callback), op->o_tmpmemctx );
cb->sc_cleanup = unique_unlock;
cb->sc_private = private;
cb->sc_next = op->o_callback;
op->o_callback = cb;
}
}
return rc;
}
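Review bot: The unlock-or-defer block that closes `unique_add` here is repeated verbatim at the end of `unique_modify` and `unique_modrdn` (the hunks at `@@ -1275` and `@@ -1426`), and the matching acquire blocks are repeated in the `@@ -1100`, `@@ -1223` and `@@ -1374` hunks; factoring the release into one static helper keeps the three paths from drifting when one of them is later changed. Every early `return` between `locked = 1` and this block must also pass through it, and the loop bodies lie outside these hunks, so that should be checked, since a return inside the loop after the lock is taken would hold the mutex for the life of the process. The helper below preserves both existing paths: immediate unlock when `rc != SLAP_CB_CONTINUE`, deferred unlock via `unique_unlock` otherwise.
```c
/* Called with private->serial_mutex held.  If the write is going
 * ahead, keep the lock until the operation's cleanup phase via
 * unique_unlock; otherwise release it now. */
static void
unique_serial_release( Operation *op, unique_data *private, int rc )
{
	if ( rc != SLAP_CB_CONTINUE ) {
		ldap_pvt_thread_mutex_unlock( &private->serial_mutex );
	} else {
		slap_callback *cb = op->o_tmpcalloc( 1, sizeof(slap_callback), op->o_tmpmemctx );
		cb->sc_cleanup = unique_unlock;
		cb->sc_private = private;
		cb->sc_next = op->o_callback;
		op->o_callback = cb;
	}
}

/* … unchanged: unique_add up to the end of the domain loop … */
	if ( locked ) {
		unique_serial_release( op, private, rc );
	}
	return rc;
```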
......@@ -1171,6 +1208,7 @@ unique_modify(
char *key, *kp;
struct berval bvkey;
int rc = SLAP_CB_CONTINUE;
int locked = 0;
Debug(LDAP_DEBUG_TRACE, "==> unique_modify <%s>\n",
op->o_req_dn.bv_val );
......@@ -1223,6 +1261,11 @@ unique_modify(
/* skip this domain-uri if it isn't involved */
if ( !ks ) continue;
if ( domain->serial && !locked ) {
ldap_pvt_thread_mutex_lock( &private->serial_mutex );
locked = 1;
}
/* terminating NUL */
ks += sizeof("(|)");
......@@ -1275,6 +1318,17 @@ unique_modify(
if ( rc != SLAP_CB_CONTINUE ) break;
}
if ( locked ) {
if ( rc != SLAP_CB_CONTINUE ) {
ldap_pvt_thread_mutex_unlock( &private->serial_mutex );
} else {
slap_callback *cb = op->o_tmpcalloc( 1, sizeof(slap_callback), op->o_tmpmemctx );
cb->sc_cleanup = unique_unlock;
cb->sc_private = private;
cb->sc_next = op->o_callback;
op->o_callback = cb;
}
}
return rc;
}
......@@ -1297,6 +1351,7 @@ unique_modrdn(
LDAPRDN newrdn;
struct berval bv[2];
int rc = SLAP_CB_CONTINUE;
int locked = 0;
Debug(LDAP_DEBUG_TRACE, "==> unique_modrdn <%s> <%s>\n",
op->o_req_dn.bv_val, op->orr_newrdn.bv_val );
......@@ -1374,6 +1429,11 @@ unique_modrdn(
/* skip this domain if it isn't involved */
if ( !ks ) continue;
if ( domain->serial && !locked ) {
ldap_pvt_thread_mutex_lock( &private->serial_mutex );
locked = 1;
}
/* terminating NUL */
ks += sizeof("(|)");
......@@ -1426,6 +1486,17 @@ unique_modrdn(
if ( rc != SLAP_CB_CONTINUE ) break;
}
if ( locked ) {
if ( rc != SLAP_CB_CONTINUE ) {
ldap_pvt_thread_mutex_unlock( &private->serial_mutex );
} else {
slap_callback *cb = op->o_tmpcalloc( 1, sizeof(slap_callback), op->o_tmpmemctx );
cb->sc_cleanup = unique_unlock;
cb->sc_private = private;
cb->sc_next = op->o_callback;
op->o_callback = cb;
}
}
return rc;
}
......@@ -102,9 +102,7 @@ database ldap
suffix "o=Esempio,c=IT"
uri "@URI1@"
acl-authcDN "cn=Proxy IT,ou=Admin,dc=example,dc=com"
acl-passwd proxy
acl-bind bindmethod=simple binddn="cn=Proxy IT,ou=Admin,dc=example,dc=com" credentials="proxy"
idassert-bind bindmethod=simple binddn="cn=Proxy IT,ou=Admin,dc=example,dc=com" credentials="proxy" authzId="dn:cn=Sandbox,ou=Admin,dc=example,dc=com"
# authorizes database