From: Ondřej Kuzník
Date: Tue, 28 Nov 2023 11:33:04 +0000 (+0000)
Subject: ITS#8826 Allow minimal dsaschema configuration in cn=config
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=69a4a03a2ef81ec598086a843ee070fc380b0bdc;p=thirdparty%2Fopenldap.git
ITS#8826 Allow minimal dsaschema configuration in cn=config
---
diff --git a/contrib/ConfigOIDs b/contrib/ConfigOIDs
index 04ebe1d417..ce90eff750 100644
--- a/contrib/ConfigOIDs
+++ b/contrib/ConfigOIDs
@@ -10,3 +10,4 @@ OLcfgCt{Oc|At}:7 rbac
 OLcfgCt{Oc|At}:8 datamorph
 OLcfgCt{Oc|At}:9 variant
 OLcfgCt{Oc|At}:10 alias
+OLcfgCt{Oc|At}:11 dsaschema
diff --git a/contrib/slapd-modules/dsaschema/README b/contrib/slapd-modules/dsaschema/README
deleted file mode 100644
index fdf932e406..0000000000
--- a/contrib/slapd-modules/dsaschema/README
+++ /dev/null
@@ -1,23 +0,0 @@
-Copyright 2004-2022 The OpenLDAP Foundation. All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted only as authorized by the OpenLDAP
-Public License.
-
-This directory contains a native slapd plugin, dsaschema, that permits the
-loading of DSA-specific schema from configuration files (including operational
-attributes).
-
-To use the plugin, add:
-
-moduleload dsaschema.so
- /etc/openldap/schema/foo1.schema
- ...etc...
- /etc/openldap/schema/fooN.schema
-
-to your slapd configuration file.
-
-Use Makefile to compile this plugin or use a command line similar to:
-
-gcc -shared -I../../../include -Wall -g -o dsaschema.so dsaschema.c
-
diff --git a/contrib/slapd-modules/dsaschema/dsaschema.c b/contrib/slapd-modules/dsaschema/dsaschema.c
index 31defae623..d49b075bf4 100644
--- a/contrib/slapd-modules/dsaschema/dsaschema.c
+++ b/contrib/slapd-modules/dsaschema/dsaschema.c
@@ -57,6 +57,64 @@ static char *strtok_quote_ptr;
 int init_module(int argc, char *argv[]);
+static ConfigDriver dsaschema_config_attribute;
+
+static ConfigTable dsaschemacfg[] = {
+ /* Only attribute loading is currently restricted in slapd, rest can be
+ * delegated to default */
+ { "", "attribute", 2, 0, 0,
+ ARG_PAREN|ARG_MAGIC,
+ &dsaschema_config_attribute,
+ "( OLcfgGlAt:4 NAME 'olcAttributeTypes' "
+ "DESC 'OpenLDAP attributeTypes' "
+ "EQUALITY caseIgnoreMatch "
+ "SUBSTR caseIgnoreSubstringsMatch "
+ "SYNTAX OMsDirectoryString X-ORDERED 'VALUES' )",
+ NULL, NULL },
+ { NULL, NULL, 0, 0, 0, ARG_IGNORED }
+};
+
+static ConfigLDAPadd dsaschema_ldadd;
+
+static ConfigOCs dsaschemaocs[] = {
+ { "( OLcfgOvOc:11.1 "
+ "NAME 'olcDSASchemaConfig' "
+ "DESC 'DSA schema object' "
+ "SUP olcSchemaConfig STRUCTURAL )",
+ Cft_Schema, dsaschemacfg,
+ dsaschema_ldadd,
+ },
+ { NULL, 0, NULL }
+};
+
+static int
+dsaschema_config_attribute( ConfigArgs *c )
+{
+ if ( c->op == SLAP_CONFIG_EMIT ) {
+ return 1;
+ } else if ( c->op == LDAP_MOD_DELETE ) {
+ return 1;
+ }
+
+ if ( register_at( c->line, NULL, 0 ) ) {
+ snprintf( c->cr_msg, sizeof( c->cr_msg ),
+ "<%s> attribute definition invalid",
+ c->argv[0] );
+ Debug( LDAP_DEBUG_ANY, "%s: %s\n", c->log, c->cr_msg );
+ return 1;
+ }
+}
+
+static int
+dsaschema_ldadd( CfEntryInfo *p, Entry *e, ConfigArgs *ca )
+{
+ if ( p->ce_type != Cft_Schema )
+ return LDAP_CONSTRAINT_VIOLATION;
+
+ return LDAP_SUCCESS;
+}
+
+
 static int dsaschema_parse_cr(const char *fname, int lineno, char *line, char **argv)
 {
 struct config_args_s c = { .line = line };
@@ -203,11 +261,11 @@ int init_module(int argc, char *argv[])
 for (i = 0; i < argc; i++) {
 rc = dsaschema_read_config(argv[i], 0);
 if (rc != 0) {
- break;
+ return rc;
 }
 }
- return rc;
+ return config_register_schema( dsaschemacfg, dsaschemaocs );
 }
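Review bot: The new olcDSASchemaConfig object class in dsaschemaocs is allocated from `OLcfgOvOc:11.1`, the arc used by the in-tree overlays, while the ConfigOIDs entry this same commit adds registers the module under the contrib arc as `OLcfgCt{Oc|At}:11`; unless the overlay arc is deliberate, the line should read `"( OLcfgCtOc:11.1 "`, since OLcfgOvOc:11 is presumably already assigned to a core overlay and two object classes sharing an OID would make schema registration fail or resolve ambiguously. Separately, dsaschema_config_attribute has no return statement on the path where register_at() succeeds, so control falls off the end of a non-void function and the config engine reads an indeterminate value, which may reject a valid attribute definition or silently accept a failed one; add `return 0;` after the register_at() block. If, as the comment on the ConfigTable suggests, returning 1 from the SLAP_CONFIG_EMIT branch is meant to leave olcAttributeTypes emission to the default handler, a one-line comment on that branch saying so would spare the next reader from having to check the ConfigDriver contract. dsaschema_parse_cr, whose signature closes the first hunk, continues outside it.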
diff --git a/contrib/slapd-modules/dsaschema/slapd-dsaschema.5 b/contrib/slapd-modules/dsaschema/slapd-dsaschema.5
new file mode 100644
index 0000000000..8cc067f55c
--- /dev/null
+++ b/contrib/slapd-modules/dsaschema/slapd-dsaschema.5
@@ -0,0 +1,55 @@
+.TH SLAPD-DSASCHEMA 5 "RELEASEDATE" "OpenLDAP LDVERSION"
+.\" Copyright 2008-2022 The OpenLDAP Foundation. All rights reserved.
+.\" $OpenLDAP$
+.SH NAME
+slapd-dsaschema \- Define DSA-specific schema
+.SH SYNOPSIS
+ETCDIR/slapd.conf
+.SH DESCRIPTION
+OpenLDAP restricts admin-provided schemas to regular attributes, operational
+attributes cannot be added by normal means. This module allows one to bypass
+this restriction.
+
+.SH CONFIGURATION
+To use the plugin, add the following to your slapd configuration file (similar
+with
+.BR olcModuleLoad ):
+
+.RS
+.nf
+moduleload dsaschema.so [ ...]
+.fi
+.RE
+
+
+With
+.B cn=config
+you can also use the
+.B olcDSASchemaConfig
+objectclass in entries under
+.BR cn=schema,cn=config
+to lift the restriction on defining operational attributes.
+
+.SH EXAMPLES
+.LP
+.RS
+.nf
+moduleload dsaschema.so
+ /etc/openldap/schema/foo1.schema
+ ...etc...
+ /etc/openldap/schema/fooN.schema
+.fi
+.RE
+.SH FILES
+.TP
+ETCDIR/slapd.conf
+default slapd configuration file
+.TP
+ETCDIR/slapd.d
+default slapd configuration directory
+.SH SEE ALSO
+.BR slapd-config (5),
+.BR slapd.conf (5).
+.SH ACKNOWLEDGEMENTS
+This module was written in 2008 by Emmanuel Dreyfus.
+.so ../Project