From: Kurt Zeilenga Date: Wed, 13 Sep 2000 02:42:00 +0000 (+0000) Subject: suck in changes from devel X-Git-Tag: OPENLDAP_REL_ENG_2_0_2~9 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5b19de88fe21e4116ee9fc749e7133db74f31cf9;p=thirdparty%2Fopenldap.git suck in changes from devel Fixed -lldap TLS issues (ITS#733) Fixed -lldap_r NT threads (ITS#732) Fixed slapd/ldbm DB_PRIVATE not set bug (ITS#725) Fixed slapd/ldbm nextid reporting bug Fixed slapd syntaxes/mr routines (ITS#739) Fixed slurpd -r buffer overflow (ITS#722) Added slapd syntax/mr routines Added slapd allow/disallow options Added slapd defaultSearchBase and DN verify (ITS#723) Build Environment Added Corba & Java Schema Updated MSVC projects for BDB 3.1 --- diff --git a/CHANGES b/CHANGES index 442c715165..089cf2af4c 100644 --- a/CHANGES +++ b/CHANGES 
@@ -3,19 +3,30 @@ OpenLDAP 2.0 Change Log OpenLDAP 2.0.X Engineering Fixed KBIND (ITS#717) Fixed clients/tools -R handling (ITS#726) + Fixed -lldap TLS issues (ITS#733) + Fixed -lldap_r NT threads (ITS#732) Fixed ldappasswd -A -S crash (ITS#714) Fixed ldappasswd user argument usage Fixed slapd disallow bind_anon (ITS#721) Fixed slapd IPv6 issues (ITS#716) Fixed slapd MIT KPASSWD Compatibility (ITS#715) Fixed slapd time syntax routines (ITS#713) - Updated slapd root DSE inappropriate op handling + Fixed slapd/ldbm DB_PRIVATE not set bug (ITS#725) + Fixed slapd/ldbm nextid reporting bug + Fixed slapd syntaxes/mr routines (ITS#739) + Fixed slurpd -r buffer overflow (ITS#722) + Updated slapd rootDSE inappropriate op handling + Added slapd syntax/mr routines + Added slapd allow/disallow options + Added slapd defaultSearchBase and DN verify (ITS#723) Build Environment Added test000-rootdse + Added Corba & Java Schema + Updated MSVC projects for BDB 3.1 Fixed Kerberos detection (ITS#717) Remove incompatible contribWare Documentation - Fixed ldappasswd(1) user argument usage + Fixed ldappasswd(1) usage Fixed ldapmodify(1) (ITS#719) Updated release documents (ITS#720) diff --git a/configure b/configure index 0a57a5bb3b..fd3d0fc006 100755 --- a/configure +++ b/configure @@ -37,7 +37,7 @@ ac_help="$ac_help ac_help="$ac_help --enable-referrals enable V2 Referrals extension (yes)" ac_help="$ac_help - --enable-kbind enable V2 Kerberos IV bind (auto)" + --enable-kbind enable V2 Kerberos IV bind (no)" ac_help="$ac_help --enable-ipv6 enable IPv6 support (auto)" ac_help="$ac_help @@ -1284,7 +1284,7 @@ if test "${enable_kbind+set}" = set; then ol_enable_kbind="$ol_arg" else - ol_enable_kbind="auto" + ol_enable_kbind="no" fi # end --enable-kbind # OpenLDAP --enable-ipv6 
@@ -2263,7 +2263,7 @@ if test $ol_enable_kbind = yes -o $ol_enable_kpasswd = yes ; then fi ol_with_kerberos=yes elif test $ol_enable_kbind = no -o $ol_enable_kpasswd = no ; then - if test $ol_with_kerberos != no -a $ol_with_kerberos != no ; then + if test $ol_with_kerberos != no -a $ol_with_kerberos != auto ; then echo "configure: warning: Kerberos detection enabled unnecessarily" 1>&2; fi ol_with_kerberos=no diff --git a/configure.in b/configure.in index e427176032..ea6d5159c6 100644 --- a/configure.in +++ b/configure.in @@ -105,7 +105,7 @@ OL_ARG_ENABLE(syslog,[ --enable-syslog enable syslog support], auto)dnl OL_ARG_ENABLE(proctitle,[ --enable-proctitle enable proctitle support], yes)dnl OL_ARG_ENABLE(cache,[ --enable-cache enable caching], yes)dnl OL_ARG_ENABLE(referrals,[ --enable-referrals enable V2 Referrals extension], yes)dnl -OL_ARG_ENABLE(kbind,[ --enable-kbind enable V2 Kerberos IV bind], auto)dnl +OL_ARG_ENABLE(kbind,[ --enable-kbind enable V2 Kerberos IV bind], no)dnl OL_ARG_ENABLE(ipv6,[ --enable-ipv6 enable IPv6 support], auto)dnl OL_ARG_ENABLE(local,[ --enable-local enable AF_LOCAL (AF_UNIX) socket support], auto)dnl OL_ARG_ENABLE(x_compile,[ --enable-x-compile enable cross compiling], @@ -340,7 +340,7 @@ if test $ol_enable_kbind = yes -o $ol_enable_kpasswd = yes ; then fi ol_with_kerberos=yes elif test $ol_enable_kbind = no -o $ol_enable_kpasswd = no ; then - if test $ol_with_kerberos != no -a $ol_with_kerberos != no ; then + if test $ol_with_kerberos != no -a $ol_with_kerberos != auto ; then AC_MSG_WARN([Kerberos detection enabled unnecessarily]); fi ol_with_kerberos=no diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5 index 064b6b2f9a..699b0696d7 100644 --- a/doc/man/man5/slapd.conf.5 +++ b/doc/man/man5/slapd.conf.5 
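Review bot: With `--enable-kbind` now defaulting to `no` (the `OL_ARG_ENABLE(kbind, ...)` change in the hunk above), the `elif test $ol_enable_kbind = no -o $ol_enable_kpasswd = no` branch forces `ol_with_kerberos=no` whenever either feature is off, so Kerberos detection for kpasswd is skipped by default unless kpasswd is explicitly enabled — if kpasswd's own default is `auto` (not visible here) that is a silent behaviour change for people who relied on detection. Consider only suppressing detection when both are off, `elif test $ol_enable_kbind = no -a $ol_enable_kpasswd = no ; then`, so an `auto` kpasswd still drives it. The default flip itself is not recorded in the CHANGES hunk; a line such as `Changed --enable-kbind default to no` would warn packagers before their builds quietly lose Kerberos IV bind.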
@@ -72,6 +72,14 @@ attributes (specified by ) by one or more requestors (specified by ). See the "OpenLDAP's Administrator's Guide" for details. .TP +.B allow +Specify a set of features (separated by white space) to +allow (default none). +.B tls_2_anon +allows Start TLS to force session to anonymous status (see also +.B disallow +.BR tls_authc ). +.TP .B argsfile The ( absolute ) name of a file that will hold the .B slapd @@ -125,17 +133,30 @@ recommended that directives be used instead. .RE .TP +.B defaultsearchbase +Specify a default search base to use when client submits a +non-base search request with an empty base DN. +.TP .B disallow -Specify a set of features (separated by white space) to disallow. +Specify a set of features (separated by white space) to +disallow (default none). .B bind_v2 disables acceptance of LDAPv2 bind requests. .B bind_anon disables acceptance of anonymous bind requests. .B bind_anon_cred -disables anonymous bind creditials are not empty (e.g. when -DN is empty). +disables anonymous bind creditials are not empty (e.g. +when DN is empty). .B bind_anon_dn disables anonymous bind when DN is not empty. +.B bind_simple +disables simple (bind) authentication. +.B bind_krbv4 +disables Kerberos V4 (bind) authentication. +.B tls_authc +disables StartTLS if authenticated (see also +.B allow +.BR tls_2_anon ). .TP .B idletimeout Specify the number of seconds to wait before forcibly closing @@ -242,7 +263,8 @@ cannot find a local database to handle a request. If specified multiple times, each url is provided. .TP .B require -Specify a set of conditions (separated by white space) to require. +Specify a set of conditions (separated by white space) to +require (default none). The directive may be specified globally and/or per-database. .B bind requires bind operation prior to directory operations. 
@@ -478,7 +500,9 @@ for more information. Specify the distinguished name that is not subject to access control or administrative limit restrictions for operations on this database. This DN may or may not be associated with an entry. An empty root -DN, the default, specifies no root access is to be granted. +DN (the default) specifies no root access is to be granted. It is +recommended that the rootdn only be specified when needed (such as +when initially populating a database). .TP .B rootpw Specify a password (or hash of the password) for the rootdn. @@ -488,8 +512,8 @@ the server (see desription) as well as cleartext. .BR slappasswd (8) may be used to generate a hash of a password. Cleartext -and \fB{CRYPT}\fP passwords are not recommended. The default -is empty imply authentication of the root DN is by other means +and \fB{CRYPT}\fP passwords are not recommended. If empty +(the default), authentication of the root DN is by other means (e.g. SASL). Use of SASL is encouraged. .TP .B suffix diff --git a/include/ldbm.h b/include/ldbm.h index 68b143208b..75004e657f 100644 --- a/include/ldbm.h +++ b/include/ldbm.h @@ -236,7 +236,7 @@ LDAP_END_DECL LDAP_BEGIN_DECL -LDAP_LDBM_F (int) ldbm_initialize( void ); +LDAP_LDBM_F (int) ldbm_initialize( const char * ); LDAP_LDBM_F (int) ldbm_shutdown( void ); LDAP_LDBM_F (int) ldbm_errno( LDBM ldbm ); diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c index 1941a8b980..cf49633cb9 100644 --- a/libraries/libldap/init.c +++ b/libraries/libldap/init.c 
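Review bot: The new prototype drops the parameter name — `LDAP_LDBM_F (int) ldbm_initialize( const char * );` — and says nothing about what the string is or that NULL is accepted, even though the only caller in this commit (`ldbm_back_open` in back-ldbm/init.c) passes NULL. Suggest `LDAP_LDBM_F (int) ldbm_initialize( const char *home );` with a comment above it such as `/* home: Berkeley DB environment directory; NULL defers to the process environment (DB_USE_ENVIRON, see ldbm.c) */`, so the semantics added in ldbm.c are visible at the interface rather than only in the implementation.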
@@ -86,8 +86,8 @@ static const struct ol_attribute { {1, ATTR_TLS, "TLS_KEY", NULL, LDAP_OPT_X_TLS_KEYFILE}, {0, ATTR_TLS, "TLS_CACERT", NULL, LDAP_OPT_X_TLS_CACERTFILE}, {0, ATTR_TLS, "TLS_CACERTDIR",NULL, LDAP_OPT_X_TLS_CACERTDIR}, - {1, ATTR_TLS, "TLS_REQCERT", NULL, LDAP_OPT_X_TLS_REQUIRE_CERT}, - {1, ATTR_TLS, "TLS_RANDFILE", NULL, LDAP_OPT_X_TLS_RANDOM_FILE}, + {0, ATTR_TLS, "TLS_REQCERT", NULL, LDAP_OPT_X_TLS_REQUIRE_CERT}, + {0, ATTR_TLS, "TLS_RANDFILE", NULL, LDAP_OPT_X_TLS_RANDOM_FILE}, #endif {0, ATTR_NONE, NULL, NULL, 0} @@ -443,12 +443,6 @@ void ldap_int_initialize( struct ldapoptions *gopts, int *dbglvl ) ldap_int_utils_init(); -#ifdef HAVE_TLS - ldap_pvt_tls_init(); -#endif - - ldap_int_sasl_init(); - if ( ldap_int_tblsize == 0 ) ldap_int_ip_init(); @@ -503,4 +497,6 @@ void ldap_int_initialize( struct ldapoptions *gopts, int *dbglvl ) } openldap_ldap_init_w_env(gopts, NULL); + + ldap_int_sasl_init(); } diff --git a/libraries/libldap/tls.c b/libraries/libldap/tls.c index f06c466266..3ec9e9a1ad 100644 --- a/libraries/libldap/tls.c +++ b/libraries/libldap/tls.c @@ -97,7 +97,7 @@ static void tls_init_threads( void ) #endif /* LDAP_R_COMPILE */ /* - * Initialize tls system. Should be called only once. + * Initialize TLS subsystem. Should be called only once. */ int ldap_pvt_tls_init( void ) @@ -105,15 +105,17 @@ ldap_pvt_tls_init( void ) static int tls_initialized = 0; if ( tls_initialized ) return 0; + tls_initialized = 1; (void) tls_seed_PRNG( tls_opt_randfile ); - tls_initialized = 1; #ifdef LDAP_R_COMPILE tls_init_threads(); #endif + SSL_load_error_strings(); SSLeay_add_ssl_algorithms(); + /* FIXME: mod_ssl does this */ X509V3_add_standard_extensions(); return 0; @@ -651,7 +653,8 @@ ldap_pvt_tls_sb_handle( Sockbuf *sb ) ber_sockbuf_ctrl( sb, LBER_SB_OPT_GET_SSL, (void *)&p ); return p; } - return NULL; + + return NULL; } void * 
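Review bot: `ldap_pvt_tls_init()` now sets `tls_initialized = 1` before `tls_seed_PRNG()` runs and still discards that call's result with `(void)`, so a PRNG that could not be seeded (the `return -1` paths in `tls_seed_PRNG`, visible in the next hunk) is never reported and, because the flag is already set, never retried — every later `ldap_pvt_tls_start()` proceeds as if seeding had succeeded. Suggest keeping the result, `int rc = tls_seed_PRNG( tls_opt_randfile );`, and ending with `return rc;` so `ldap_pvt_tls_start()` can refuse to begin a handshake on an unseeded PRNG (that caller currently ignores the return as well). The check-then-set of the static flag is also unsynchronized under LDAP_R_COMPILE, so two threads racing into first use can both run the OpenSSL initialisation calls; moving the assignment up narrows that window but does not close it, and a comment saying so would stop the next reader assuming it is safe.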
@@ -858,7 +861,6 @@ ldap_pvt_tls_set_option( struct ldapoptions *lo, int option, void *arg ) int ldap_pvt_tls_start ( LDAP *ld, Sockbuf *sb, void *ctx_arg ) { - /* Make sure tls is initialized, including PRNG properly seeded. */ ldap_pvt_tls_init(); /* @@ -990,9 +992,7 @@ tls_seed_PRNG( const char *randfile ) { #ifndef URANDOM_DEVICE /* no /dev/urandom (or equiv) */ - - char buffer[1024]; - static int egdsocket = 0; + char buffer[MAXPATHLEN]; if (randfile == NULL) { /* The seed file is $RANDFILE if defined, otherwise $HOME/.rnd. @@ -1000,17 +1000,16 @@ tls_seed_PRNG( const char *randfile ) * an error occurs. - From RAND_file_name() man page. * The fact is that when $HOME is NULL, .rnd is used. */ - randfile = RAND_file_name(buffer, sizeof( buffer )); + randfile = RAND_file_name( buffer, sizeof( buffer ) ); } else if (RAND_egd(randfile) > 0) { /* EGD socket */ - egdsocket = 1; return 0; } if (randfile == NULL) { Debug( LDAP_DEBUG_ANY, - "TLS: Use configuration file or $RANDFILE to define seed file", + "TLS: Use configuration file or $RANDFILE to define seed PRNG", 0, 0, 0); return -1; } @@ -1019,7 +1018,7 @@ tls_seed_PRNG( const char *randfile ) if (RAND_status() == 0) { Debug( LDAP_DEBUG_ANY, - "TLS: PRNG has not been seeded with enough data", + "TLS: PRNG not been seeded with enough data", 0, 0, 0); return -1; } 
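Review bot: The reworded diagnostic at the end of `tls_seed_PRNG` drops a word — `"TLS: PRNG not been seeded with enough data"` — where the removed line `"TLS: PRNG has not been seeded with enough data"` was correct; restore `has`. In `ldap_pvt_tls_start` the explanatory comment was removed but the bare `ldap_pvt_tls_init();` call still ignores its result, so the handshake is started whether or not seeding succeeded; a comment such as `/* lazy TLS init; seeding failures are not surfaced here (see ldap_pvt_tls_init) */` keeps that limitation visible. Replacing the fixed 1024 with `MAXPATHLEN` is reasonable where `<sys/param.h>` defines it, but it is not provided on every platform OpenLDAP targets — confirm a fallback definition is in scope for this file.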
@@ -1039,40 +1038,36 @@ tls_tmp_dh_cb( SSL *ssl, int is_export, int key_length ) int ldap_start_tls_s ( LDAP *ld, - LDAPControl **serverctrls, - LDAPControl **clientctrls ) + LDAPControl **serverctrls, + LDAPControl **clientctrls ) { #ifdef HAVE_TLS - LDAPConn *lc; int rc; char *rspoid = NULL; struct berval *rspdata = NULL; - if (ld->ld_conns == NULL) { - rc = ldap_open_defconn( ld ); - if (rc != LDAP_SUCCESS) - return(rc); + /* XXYYZ: this initiates operaton only on default connection! */ + + if ( ldap_pvt_tls_inplace( ld->ld_sb ) != 0 ) { + return LDAP_LOCAL_ERROR; } - for (lc = ld->ld_conns; lc != NULL; lc = lc->lconn_next) { - if (ldap_pvt_tls_inplace(lc->lconn_sb) != 0) - return LDAP_OPERATIONS_ERROR; - - /* XXYYZ: this initiates operaton only on default connection! */ - rc = ldap_extended_operation_s(ld, LDAP_EXOP_START_TLS, - NULL, serverctrls, clientctrls, &rspoid, &rspdata); - - if (rc != LDAP_SUCCESS) - return rc; - if (rspoid != NULL) - LDAP_FREE(rspoid); - if (rspdata != NULL) - ber_bvfree(rspdata); - rc = ldap_pvt_tls_start( ld, lc->lconn_sb, ld->ld_options.ldo_tls_ctx ); - if (rc != LDAP_SUCCESS) - return rc; + rc = ldap_extended_operation_s( ld, LDAP_EXOP_START_TLS, + NULL, serverctrls, clientctrls, &rspoid, &rspdata ); + if ( rc != LDAP_SUCCESS ) { + return rc; } - return LDAP_SUCCESS; + + if ( rspoid != NULL ) { + LDAP_FREE(rspoid); + } + + if ( rspdata != NULL ) { + ber_bvfree( rspdata ); + } + + rc = ldap_pvt_tls_start( ld, ld->ld_sb, ld->ld_options.ldo_tls_ctx ); + return rc; #else return LDAP_NOT_SUPPORTED; #endif diff --git a/libraries/libldap_r/thr_nt.c b/libraries/libldap_r/thr_nt.c index 935bf4bd13..620da6b642 100644 --- a/libraries/libldap_r/thr_nt.c +++ b/libraries/libldap_r/thr_nt.c 
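Review bot: If `ldap_pvt_tls_start( ld, ld->ld_sb, ... )` fails after the server has already accepted the StartTLS extended operation, the function returns the error but leaves `ld` connected, so a caller that ignores or falls back on the failure keeps writing cleartext LDAP PDUs to a socket the peer now expects to carry TLS; the replaced loop had the same gap, but the rewrite is the moment to close it, either by closing the default connection on that path or at least with a comment above the call: `/* on failure the session is unusable: the server has switched to TLS, callers must not reuse ld without reconnecting */`. The already-encrypted case now returns `LDAP_LOCAL_ERROR` where the old code returned `LDAP_OPERATIONS_ERROR`, an API-visible change not mentioned in CHANGES. The removal of the explicit `ldap_open_defconn()` presumably relies on `ldap_extended_operation_s()` opening the default connection itself, which is not shown here — confirm it does.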
@@ -51,10 +51,7 @@ ldap_pvt_thread_join( ldap_pvt_thread_t thread, void **thread_return ) { DWORD status; status = WaitForSingleObject( (HANDLE) thread, INFINITE ); - if (status == WAIT_FAILED) { - return -1; - } - return 0; + return status == WAIT_FAILED ? -1 : 0; } int @@ -95,7 +92,6 @@ int ldap_pvt_thread_cond_wait( ldap_pvt_thread_cond_t *cond, ldap_pvt_thread_mutex_t *mutex ) { - ReleaseMutex( *mutex ); SignalObjectAndWait( *mutex, *cond, INFINITE, FALSE ); WaitForSingleObject( *mutex, INFINITE ); return( 0 ); @@ -125,8 +121,9 @@ ldap_pvt_thread_mutex_destroy( ldap_pvt_thread_mutex_t *mutex ) int ldap_pvt_thread_mutex_lock( ldap_pvt_thread_mutex_t *mutex ) { - WaitForSingleObject( *mutex, INFINITE ); - return ( 0 ); + DWORD status; + status = WaitForSingleObject( *mutex, INFINITE ); + return status == WAIT_FAILED ? -1 : 0; } int @@ -140,12 +137,9 @@ int ldap_pvt_thread_mutex_trylock( ldap_pvt_thread_mutex_t *mp ) { DWORD status; - status = WaitForSingleObject( *mp, 0 ); - if ( (status == WAIT_FAILED) || (status == WAIT_TIMEOUT) ) - return 0; - else - return 1; + return status == WAIT_FAILED || status == WAIT_TIMEOUT + ? -1 : 0; } #endif diff --git a/libraries/libldbm/ldbm.c b/libraries/libldbm/ldbm.c index 951e06b276..bf8f20266f 100644 --- a/libraries/libldbm/ldbm.c +++ b/libraries/libldbm/ldbm.c @@ -80,7 +80,6 @@ static ldap_pvt_thread_mutex_t ldbm_big_mutex; *******************************************************************/ #if defined( HAVE_BERKELEY_DB ) && (DB_VERSION_MAJOR >= 2) - void * ldbm_malloc( size_t size ) { @@ -102,7 +101,7 @@ ldbm_db_errcall( const char *prefix, char *message ) /* a dbEnv for BERKELEYv2 */ DB_ENV *ldbm_Env = NULL; -int ldbm_initialize( void ) +int ldbm_initialize( const char* home ) { int err; u_int32_t envFlags; @@ -121,6 +120,9 @@ int ldbm_initialize( void ) #endif envFlags = +#if defined( DB_PRIVATE ) + DB_PRIVATE | +#endif #if defined( HAVE_BERKELEY_DB_THREAD ) DB_THREAD | #endif 
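Review bot: `ldap_pvt_thread_mutex_lock` now maps only `WAIT_FAILED` to -1, so `WAIT_ABANDONED` — returned by `WaitForSingleObject` when the previous owner thread terminated while holding the mutex — is reported as a clean acquisition; the caller does own the mutex in that case, but the state it guards may be half-updated, and the same applies to the `WaitForSingleObject( *mutex, INFINITE )` re-acquire in `ldap_pvt_thread_cond_wait`. Silently treating it as success hides a thread death; at minimum add `assert( status != WAIT_ABANDONED );` or a debug log beside the status check so it does not pass unnoticed. The trylock change, returning -1 for `WAIT_TIMEOUT` as well, is correct for pthread-style semantics (non-zero when busy) and fixes the previously inverted result.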
@@ -128,8 +130,9 @@ int ldbm_initialize( void ) #if DB_VERSION_MAJOR >= 3 err = db_env_create( &ldbm_Env, 0 ); -#elif DB_VERSION_MAJOR >= 2 - err = db_appinit( NULL, NULL, ldbm_Env, envFlags ); +#else + envFlags |= DB_USE_ENVIRON; + err = db_appinit( home, NULL, ldbm_Env, envFlags ); #endif if ( err ) { @@ -139,7 +142,11 @@ int ldbm_initialize( void ) #ifdef LDAP_SYSLOG syslog( LOG_INFO, +#if DB_VERSION_MAJOR >= 3 + "ldbm_initialize(): FATAL error in db_env_create() : %s\n", +#else "ldbm_initialize(): FATAL error in db_appinit() : %s\n", +#endif error ); #endif return( 1 ); @@ -149,12 +156,12 @@ int ldbm_initialize( void ) ldbm_Env->set_errcall( ldbm_Env, ldbm_db_errcall ); ldbm_Env->set_errpfx( ldbm_Env, "==>" ); - envFlags |= DB_INIT_MPOOL; + envFlags |= DB_INIT_MPOOL | DB_USE_ENVIRON; #if (DB_VERSION_MAJOR > 3) || (DB_VERSION_MINOR >= 1) - err = ldbm_Env->open( ldbm_Env, NULL, envFlags, 0 ); + err = ldbm_Env->open( ldbm_Env, home, envFlags, 0 ); #else - err = ldbm_Env->open( ldbm_Env, NULL, NULL, envFlags, 0 ); + err = ldbm_Env->open( ldbm_Env, home, NULL, envFlags, 0 ); #endif if ( err != 0 ) { @@ -164,7 +171,7 @@ int ldbm_initialize( void ) #ifdef LDAP_SYSLOG syslog( LOG_INFO, - "ldbm_initialize(): FATAL error in db_appinit() : %s\n", + "ldbm_initialize(): FATAL error in dbEnv->open() : %s\n", error ); #endif ldbm_Env->close( ldbm_Env, 0 ); @@ -190,7 +197,7 @@ int ldbm_shutdown( void ) #else /* some DB other than Berkeley V2 or greater */ -int ldbm_initialize( void ) +int ldbm_initialize( const char * home ) { if(ldbm_initialized++) return 1; @@ -208,7 +215,7 @@ int ldbm_shutdown( void ) return 0; } -#endif /* ifdef HAVE_BERKELEY_DB */ +#endif /* HAVE_BERKELEY_DB */ #if defined( LDBM_USE_DBHASH ) || defined( LDBM_USE_DBBTREE ) diff --git a/servers/slapd/back-ldbm/add.c b/servers/slapd/back-ldbm/add.c index 1577c74bed..1b36200c88 100644 --- a/servers/slapd/back-ldbm/add.c +++ b/servers/slapd/back-ldbm/add.c 
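Review bot: Both the DB 2 `db_appinit( home, ... )` path and the DB 3 `ldbm_Env->open( ldbm_Env, home, ... )` path now add `DB_USE_ENVIRON`, and the only caller in this commit passes `home == NULL` (back-ldbm/init.c), so where the Berkeley DB environment and its region/log files live is decided by the slapd process's inherited environment (per the Berkeley DB documentation, `DB_HOME` and related variables) rather than by slapd.conf. For a daemon that is frequently started by privileged init scripts this is a trust-boundary change that deserves to be explicit: add a comment at the flag, e.g. `/* DB_USE_ENVIRON: with home == NULL the process environment (DB_HOME) selects the env directory */`, and consider passing the backend's directory as `home` instead if honouring the environment is not intended. The syslog text now distinguishing `db_env_create()` from `dbEnv->open()` failures is a welcome fix.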
@@ -191,6 +191,26 @@ ldbm_back_add( e->e_id = next_id( be ); + if( e->e_id == NOID ) { + if( p != NULL) { + /* free parent and writer lock */ + cache_return_entry_w( &li->li_cache, p ); + } + + if ( rootlock ) { + /* release root lock */ + ldap_pvt_thread_mutex_unlock(&li->li_root_mutex); + } + + Debug( LDAP_DEBUG_ANY, "ldbm_add: next_id failed\n", + 0, 0, 0 ); + + send_ldap_result( conn, op, LDAP_OTHER, + NULL, "next_id add failed", NULL, NULL ); + + return( -1 ); + } + /* * Try to add the entry to the cache, assign it a new dnid. */ diff --git a/servers/slapd/back-ldbm/init.c b/servers/slapd/back-ldbm/init.c index dc4b5b81de..e856743e11 100644 --- a/servers/slapd/back-ldbm/init.c +++ b/servers/slapd/back-ldbm/init.c @@ -104,7 +104,7 @@ ldbm_back_open( int rc; /* initialize the underlying database system */ - rc = ldbm_initialize(); + rc = ldbm_initialize( NULL ); return rc; } diff --git a/servers/slapd/back-ldbm/nextid.c b/servers/slapd/back-ldbm/nextid.c index c92cbaab78..2ea984a852 100644 --- a/servers/slapd/back-ldbm/nextid.c +++ b/servers/slapd/back-ldbm/nextid.c @@ -123,5 +123,4 @@ next_id( Backend *be ) ldap_pvt_thread_mutex_unlock( &li->li_nextid_mutex ); return id; - } diff --git a/servers/slapd/bind.c b/servers/slapd/bind.c index e825eeb850..5358cec384 100644 --- a/servers/slapd/bind.c +++ b/servers/slapd/bind.c 
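Review bot: The new `e->e_id == NOID` branch only helps if `next_id()` actually returns `NOID` on failure; the `nextid.c` hunk in this commit removes a blank line only, so that contract is not visible here — if `next_id()` can return an arbitrary id when the nextid file cannot be read, the check is dead code. A one-line comment at the call site, `/* next_id() returns NOID when no id could be obtained */`, with the matching statement above `next_id`'s definition, would keep the two in step. The cleanup mirrors the other error paths (parent returned, root mutex released) while `e` itself is left to the caller, which the hunk does not show; `ldbm_back_add` begins and ends outside the hunk.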
@@ -53,30 +53,11 @@ do_bind( mech = NULL; cred.bv_val = NULL; - ldap_pvt_thread_mutex_lock( &conn->c_mutex ); - /* * Force to connection to "anonymous" until bind succeeds. */ - - if ( conn->c_authmech != NULL ) { - free( conn->c_authmech ); - conn->c_authmech = NULL; - } - - if ( conn->c_cdn != NULL ) { - free( conn->c_cdn ); - conn->c_cdn = NULL; - } - - if ( conn->c_dn != NULL ) { - free( conn->c_dn ); - conn->c_dn = NULL; - } - - conn->c_authc_backend = NULL; - conn->c_authz_backend = NULL; - + ldap_pvt_thread_mutex_lock( &conn->c_mutex ); + connection2anonymous( conn ); ldap_pvt_thread_mutex_unlock( &conn->c_mutex ); if ( op->o_dn != NULL ) { 
@@ -283,38 +264,78 @@ do_bind( ldap_pvt_thread_mutex_unlock( &conn->c_mutex ); } - /* accept "anonymous" binds */ - if ( cred.bv_len == 0 || ndn == NULL || *ndn == '\0' ) { - rc = LDAP_SUCCESS; - text = NULL; - - if( cred.bv_len && - ( global_disallows & SLAP_DISALLOW_BIND_ANON_CRED )) - { - /* cred is not empty, disallow */ - rc = LDAP_INVALID_CREDENTIALS; - - } else if ( ndn != NULL && *ndn != '\0' && - ( global_disallows & SLAP_DISALLOW_BIND_ANON_DN )) - { - /* DN is not empty, disallow */ + if ( method == LDAP_AUTH_SIMPLE ) { + /* accept "anonymous" binds */ + if ( cred.bv_len == 0 || ndn == NULL || *ndn == '\0' ) { + rc = LDAP_SUCCESS; + text = NULL; + + if( cred.bv_len && + ( global_disallows & SLAP_DISALLOW_BIND_ANON_CRED )) + { + /* cred is not empty, disallow */ + rc = LDAP_INVALID_CREDENTIALS; + + } else if ( ndn != NULL && *ndn != '\0' && + ( global_disallows & SLAP_DISALLOW_BIND_ANON_DN )) + { + /* DN is not empty, disallow */ + rc = LDAP_UNWILLING_TO_PERFORM; + text = "unwilling to allow anonymous bind with non-empty DN"; + + } else if ( global_disallows & SLAP_DISALLOW_BIND_ANON ) { + /* disallow */ + rc = LDAP_INAPPROPRIATE_AUTH; + text = "anonymous bind disallowed"; + } + + /* + * we already forced connection to "anonymous", + * just need to send success + */ + send_ldap_result( conn, op, rc, + NULL, text, NULL, NULL ); + Debug( LDAP_DEBUG_TRACE, "do_bind: v%d anonymous bind\n", + version, 0, 0 ); + goto cleanup; + + } else if ( global_disallows & SLAP_DISALLOW_BIND_SIMPLE ) { + /* disallow simple authentication */ rc = LDAP_UNWILLING_TO_PERFORM; - text = "unwilling to allow anonymous bind with non-empty DN"; + text = "unwilling to perform simple authentication"; + + send_ldap_result( conn, op, rc, + NULL, text, NULL, NULL ); + Debug( LDAP_DEBUG_TRACE, + "do_bind: v%d simple bind(%s) disallowed\n", + version, ndn, 0 ); + goto cleanup; + } - } else if ( global_disallows & SLAP_DISALLOW_BIND_ANON ) { - /* disallow */ +#ifdef 
LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND + } else if ( method == LDAP_AUTH_KRBV41 || method == LDAP_AUTH_KRBV42 ) { + if ( global_disallows & SLAP_DISALLOW_BIND_KRBV4 ) { + /* disallow simple authentication */ rc = LDAP_UNWILLING_TO_PERFORM; - text = "anonymous bind disallowed"; + text = "unwilling to perform Kerberos V4 bind"; + + send_ldap_result( conn, op, rc, + NULL, text, NULL, NULL ); + Debug( LDAP_DEBUG_TRACE, "do_bind: v%d Kerberos V4 bind\n", + version, 0, 0 ); + goto cleanup; } +#endif + + } else { + rc = LDAP_AUTH_UNKNOWN; + text = "unknown authentication method"; - /* - * we already forced connection to "anonymous", - * just need to send success - */ send_ldap_result( conn, op, rc, NULL, text, NULL, NULL ); - Debug( LDAP_DEBUG_TRACE, "do_bind: v%d anonymous bind\n", - version, 0, 0 ); + Debug( LDAP_DEBUG_TRACE, + "do_bind: v%d unknown authentication method (%d)\n", + version, method, 0 ); goto cleanup; } diff --git a/servers/slapd/config.c b/servers/slapd/config.c index df11b2df47..a0adcb7728 100644 --- a/servers/slapd/config.c +++ b/servers/slapd/config.c @@ -26,6 +26,7 @@ int deftime = SLAPD_DEFAULT_TIMELIMIT; AccessControl *global_acl = NULL; slap_access_t global_default_access = ACL_READ; slap_mask_t global_restrictops = 0; +slap_mask_t global_allows = 0; slap_mask_t global_disallows = 0; slap_mask_t global_requires = 0; slap_ssf_set_t global_ssf_set; @@ -36,6 +37,8 @@ char *global_host = NULL; char *global_realm = NULL; char *ldap_srvtab = ""; char *default_passwd_hash; +char *default_search_base = NULL; +char *default_search_nbase = NULL; char *slapd_pid_file = NULL; char *slapd_args_file = NULL; 
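Review bot: In the new Kerberos V4 branch the comment `/* disallow simple authentication */` was copied from the simple-bind branch and is wrong, and the trace `"do_bind: v%d Kerberos V4 bind\n"` does not say the bind was refused; suggest `/* disallow Kerberos V4 authentication */` and `"do_bind: v%d Kerberos V4 bind disallowed\n"`. The restructured chain ends in an `else` that answers `LDAP_AUTH_UNKNOWN` for any method that is not simple or (when compiled in) KRBV4, so it assumes SASL binds have already been dispatched and sent to `cleanup` earlier in `do_bind`, which starts before this hunk — if that is not the case, SASL binds are now rejected here. The stale comment `we already forced connection to "anonymous", just need to send success` in the anonymous branch is also no longer accurate since `rc` may be an error at that point.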
@@ -165,6 +168,48 @@ read_config( const char *fname ) ldap_pvt_thread_set_concurrency( c ); + /* default search base */ + } else if ( strcasecmp( cargv[0], "defaultSearchBase" ) == 0 ) { + if ( cargc < 2 ) { + Debug( LDAP_DEBUG_ANY, "%s: line %d: " + "missing dn in \"defaultSearchBase \" line\n", + fname, lineno, 0 ); + return 1; + + } else if ( cargc > 2 ) { + Debug( LDAP_DEBUG_ANY, "%s: line %d: " + "extra cruft after in \"defaultSearchBase %s\", " + "line (ignored)\n", + fname, lineno, cargv[1] ); + } + + if ( bi != NULL || be != NULL ) { + Debug( LDAP_DEBUG_ANY, "%s: line %d: " + "defaultSearchBaase line must appear prior to " + "any backend or database definition\n", + fname, lineno, 0 ); + return 1; + } + + if ( default_search_nbase != NULL ) { + Debug( LDAP_DEBUG_ANY, "%s: line %d: " + "default search base \"%s\" already defined " + "(discarding old)\n", + fname, lineno, default_search_base ); + free( default_search_base ); + free( default_search_nbase ); + } + + default_search_base = ch_strdup( cargv[1] ); + default_search_nbase = ch_strdup( cargv[1] ); + + if( dn_normalize( default_search_nbase ) == NULL ) { + Debug( LDAP_DEBUG_ANY, "%s: line %d: " + "invalid default search base \"%s\"\n", + fname, lineno, default_search_base ); + return 1; + } + /* set maximum threads in thread pool */ } else if ( strcasecmp( cargv[0], "threads" ) == 0 ) { int c; 
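Review bot: The diagnostic `"defaultSearchBaase line must appear prior to any backend or database definition\n"` misspells the directive and will confuse anyone grepping logs; it should read `defaultSearchBase`. On redefinition the old strings are freed and the new value duplicated before `dn_normalize()` runs; if normalisation fails the function returns 1 with `default_search_base`/`default_search_nbase` still pointing at the un-normalised copies, which is only safe because a config error is fatal at startup — a short comment stating that, or freeing both before the `return 1`, would make the intent clear. Placing the `bi != NULL || be != NULL` check before the value is stored is the right order here, unlike the later `allow` handler which only warns.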
@@ -338,7 +383,18 @@ read_config( const char *fname ) fname, lineno, tmp_be->be_suffix[0] ); } else { char *dn = ch_strdup( cargv[1] ); - (void) dn_validate( dn ); + if( dn_validate( dn ) == NULL ) { + Debug( LDAP_DEBUG_ANY, "%s: line %d: " + "suffix DN invalid \"%s\"\n", + fname, lineno, cargv[1] ); + return 1; + + } else if( *dn == '\0' && default_search_nbase != NULL ) { + Debug( LDAP_DEBUG_ANY, "%s: line %d: " + "suffix DN empty and default " + "search base provided \"%s\" (assuming okay)\n", + fname, lineno, default_search_base ); + } charray_add( &be->be_suffix, dn ); (void) ldap_pvt_str2upper( dn ); charray_add( &be->be_nsuffix, dn ); @@ -486,6 +542,41 @@ read_config( const char *fname ) } + /* allow these features */ + } else if ( strcasecmp( cargv[0], "allows" ) == 0 || + strcasecmp( cargv[0], "allow" ) == 0 ) + { + slap_mask_t allows; + + if ( be != NULL ) { + Debug( LDAP_DEBUG_ANY, +"%s: line %d: allow line must appear prior to database definitions\n", + fname, lineno, 0 ); + } + + if ( cargc < 2 ) { + Debug( LDAP_DEBUG_ANY, + "%s: line %d: missing feature(s) in \"allow \" line\n", + fname, lineno, 0 ); + return( 1 ); + } + + allows = 0; + + for( i=1; i < cargc; i++ ) { + if( strcasecmp( cargv[i], "tls_2_anon" ) == 0 ) { + allows |= SLAP_ALLOW_TLS_2_ANON; + + } else if( strcasecmp( cargv[i], "none" ) != 0 ) { + Debug( LDAP_DEBUG_ANY, + "%s: line %d: unknown feature %s in \"allow \" line\n", + fname, lineno, cargv[i] ); + return( 1 ); + } + } + + global_allows = allows; + /* disallow these features */ } else if ( strcasecmp( cargv[0], "disallows" ) == 0 || strcasecmp( cargv[0], "disallow" ) == 0 ) @@ -500,7 +591,7 @@ read_config( const char *fname ) if ( cargc < 2 ) { Debug( LDAP_DEBUG_ANY, - "%s: line %d: missing feature(s) in \"disallows \" line\n", + "%s: line %d: missing feature(s) in \"disallow \" line\n", fname, lineno, 0 ); return( 1 ); } 
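Review bot: In the new `allow` branch the `be != NULL` check logs `allow line must appear prior to database definitions` but then falls through and still executes `global_allows = allows;`, so a misplaced `allow tls_2_anon` takes effect globally despite the message saying "must"; either add `return( 1 );` after the Debug, as the `defaultSearchBase` handler above does, or reword the message to say the setting is applied globally regardless. The suffix hunk now rejects invalid suffixes, which is good, but `be_nsuffix` is produced by `dn_validate()` followed by `ldap_pvt_str2upper()` whereas `default_search_nbase` comes from `dn_normalize()`; if those two do not yield the same canonical form, matching the default base against a suffix will fail — confirm they agree or derive both the same way.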
@@ -520,6 +611,15 @@ read_config( const char *fname ) } else if( strcasecmp( cargv[i], "bind_anon_dn" ) == 0 ) { disallows |= SLAP_DISALLOW_BIND_ANON_DN; + } else if( strcasecmp( cargv[i], "bind_simple" ) == 0 ) { + disallows |= SLAP_DISALLOW_BIND_SIMPLE; + + } else if( strcasecmp( cargv[i], "bind_krbv4" ) == 0 ) { + disallows |= SLAP_DISALLOW_BIND_KRBV4; + + } else if( strcasecmp( cargv[i], "tls_authc" ) == 0 ) { + disallows |= SLAP_DISALLOW_TLS_AUTHC; + } else if( strcasecmp( cargv[i], "none" ) != 0 ) { Debug( LDAP_DEBUG_ANY, "%s: line %d: unknown feature %s in \"disallow \" line\n", diff --git a/servers/slapd/connection.c b/servers/slapd/connection.c index 60e846a7a6..d03a7c9a79 100644 --- a/servers/slapd/connection.c +++ b/servers/slapd/connection.c @@ -473,6 +473,30 @@ long connection_init( return id; } +void connection2anonymous( Connection *c ) +{ + assert( connections != NULL ); + assert( c != NULL ); + + if(c->c_authmech != NULL ) { + free(c->c_authmech); + c->c_authmech = NULL; + } + + if(c->c_dn != NULL) { + free(c->c_dn); + c->c_dn = NULL; + } + + if(c->c_cdn != NULL) { + free(c->c_cdn); + c->c_cdn = NULL; + } + + c->c_authc_backend = NULL; + c->c_authz_backend = NULL; +} + static void connection_destroy( Connection *c ) { @@ -492,22 +516,13 @@ connection_destroy( Connection *c ) c->c_activitytime = c->c_starttime = 0; - if(c->c_authmech != NULL ) { - free(c->c_authmech); - c->c_authmech = NULL; - } - if(c->c_dn != NULL) { - free(c->c_dn); - c->c_dn = NULL; - } - if(c->c_cdn != NULL) { - free(c->c_cdn); - c->c_cdn = NULL; - } + connection2anonymous( c ); + if(c->c_listener_url != NULL) { free(c->c_listener_url); c->c_listener_url = NULL; } + if(c->c_peer_domain != NULL) { free(c->c_peer_domain); c->c_peer_domain = NULL; 
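Review bot: `connection2anonymous()` frees and resets `c_authmech`, `c_dn`, `c_cdn` and the two backend pointers without taking `c->c_mutex`, relying on its callers — `do_bind` locks around the call, and `connection_destroy` is presumably entered with the lock held — so that precondition should be stated above the definition: `/* reset the connection's authentication state; caller must hold c->c_mutex */`. The `assert( connections != NULL )` at the top checks global state the function never touches; `assert( c != NULL )` is the only relevant one. If the Connection struct carries other per-bind state (not visible in this hunk), it should be cleared here too so both call sites stay consistent.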
@@ -991,12 +1006,19 @@ int connection_read(ber_socket_t s) /* connections_mutex and c_mutex are locked */ connection_closing( c ); connection_close( c ); + connection_return( c ); + ldap_pvt_thread_mutex_unlock( &connections_mutex ); + return 0; } - if ( ber_sockbuf_ctrl( c->c_sb, LBER_SB_OPT_NEEDS_READ, NULL ) ) + if ( ber_sockbuf_ctrl( c->c_sb, LBER_SB_OPT_NEEDS_READ, NULL ) ) { slapd_set_read( s, 1 ); - if ( ber_sockbuf_ctrl( c->c_sb, LBER_SB_OPT_NEEDS_WRITE, NULL ) ) + } + + if ( ber_sockbuf_ctrl( c->c_sb, LBER_SB_OPT_NEEDS_WRITE, NULL ) ) { slapd_set_write( s, 1 ); + } + connection_return( c ); ldap_pvt_thread_mutex_unlock( &connections_mutex ); return 0; diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h index 5789dc7925..f2ab73e626 100644 --- a/servers/slapd/proto-slap.h +++ b/servers/slapd/proto-slap.h @@ -286,6 +286,8 @@ LDAP_SLAPD_F (Connection *) connection_first LDAP_P((ber_socket_t *)); LDAP_SLAPD_F (Connection *) connection_next LDAP_P((Connection *, ber_socket_t *)); LDAP_SLAPD_F (void) connection_done LDAP_P((Connection *)); +LDAP_SLAPD_F (void) connection2anonymous LDAP_P((Connection *)); + /* * dn.c */ @@ -312,8 +314,11 @@ LDAP_SLAPD_F (int) entry_destroy LDAP_P((void)); LDAP_SLAPD_F (Entry *) str2entry LDAP_P(( char *s )); LDAP_SLAPD_F (char *) entry2str LDAP_P(( Entry *e, int *len )); -LDAP_SLAPD_F (void) entry_free LDAP_P(( Entry *e )); +LDAP_SLAPD_F (int) entry_decode LDAP_P(( struct berval *bv, Entry **e )); +LDAP_SLAPD_F (int) entry_encode LDAP_P(( Entry *e, struct berval **bv )); + +LDAP_SLAPD_F (void) entry_free LDAP_P(( Entry *e )); LDAP_SLAPD_F (int) entry_cmp LDAP_P(( Entry *a, Entry *b )); LDAP_SLAPD_F (int) entry_dn_cmp LDAP_P(( Entry *a, Entry *b )); LDAP_SLAPD_F (int) entry_id_cmp LDAP_P(( Entry *a, Entry *b )); 
@@ -753,6 +758,7 @@ LDAP_SLAPD_F (int) krbv4_ldap_auth(); */ LDAP_SLAPD_F (slap_mask_t) global_restrictops; +LDAP_SLAPD_F (slap_mask_t) global_allows; LDAP_SLAPD_F (slap_mask_t) global_disallows; LDAP_SLAPD_F (slap_mask_t) global_requires; LDAP_SLAPD_F (slap_ssf_set_t) global_ssf_set; @@ -772,6 +778,8 @@ LDAP_SLAPD_F (char) *global_realm; LDAP_SLAPD_F (char) *default_passwd_hash; LDAP_SLAPD_F (int) lber_debug; LDAP_SLAPD_F (int) ldap_syslog; +LDAP_SLAPD_F (char *) default_search_base; +LDAP_SLAPD_F (char *) default_search_nbase; LDAP_SLAPD_F (ldap_pvt_thread_mutex_t) num_sent_mutex; LDAP_SLAPD_F (long) num_bytes_sent; diff --git a/servers/slapd/schema/README b/servers/slapd/schema/README index 97416890be..2216b28f2e 100644 --- a/servers/slapd/schema/README +++ b/servers/slapd/schema/README @@ -2,9 +2,11 @@ This directory contains schema definitions for use with slapd(5). File Description ---- ----------- +corba.schema Corba Object (RFC 2714) schema core.schema OpenLDAP "core" cosine.schema COSINE Pilot schema inetorgperson.schema InetOrgPerson schema +java.schema Java Object (RFC 2713) schema krb5-kdc.schema Kerberos V KDC schema microsoft.ext.schema Microsoft schema microsoft.schema Microsoft schema diff --git a/servers/slapd/schema/corba.schema b/servers/slapd/schema/corba.schema new file mode 100644 index 0000000000..bd9ca36443 --- /dev/null +++ b/servers/slapd/schema/corba.schema 
@@ -0,0 +1,222 @@ +# Corba Object Schema +# $OpenLDAP$ +# depends upon core.schema + +# Network Working Group V. Ryan +# Request for Comments: 2714 R. Lee +# Category: Informational S. Seligman +# Sun Microsystems, Inc. +# October 1999 +# +# +# Schema for Representing CORBA Object References in an LDAP Directory +# +# Status of this Memo +# +# This memo provides information for the Internet community. It does +# not specify an Internet standard of any kind. Distribution of this +# memo is unlimited. +# +# Copyright Notice +# +# Copyright (C) The Internet Society (1999). All Rights Reserved. +# +# Abstract +# +# CORBA [CORBA] is the Common Object Request Broker Architecture +# defined by the Object Management Group. This document defines the +# schema for representing CORBA object references in an LDAP directory +# [LDAPv3]. +# +# [trimmed] + +# 3. Attribute Type Definitions +# +# The following attribute types are defined in this document: +# +# corbaIor +# corbaRepositoryId +# +# 3.1 corbaIor +# +# This attribute stores the string representation of the interoperable +# object reference (IOR) for a CORBA object. An IOR is an opaque handle +# for the object which contains the information necessary to locate the +# object, even if the object is in another ORB. +# +# This attribute's syntax is 'IA5 String' and its case is +# insignificant. +# +# ( 1.3.6.1.4.1.42.2.27.4.1.14 +# NAME 'corbaIor' +# DESC 'Stringified interoperable object reference of a CORBA object' +# EQUALITY caseIgnoreIA5Match +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 +# SINGLE-VALUE +# ) +# +attributetype ( 1.3.6.1.4.1.42.2.27.4.1.14 + NAME 'corbaIor' + DESC 'Stringified interoperable object reference of a CORBA object' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE ) + +# 3.2 corbaRepositoryId +# +# Each CORBA interface has a unique "repository id" (also called "type +# id") that identifies the interface. 
A CORBA object has one or more +# repository ids, one for each interface that it implements. +# +# The format of a repository id can be any string, but the OMG +# specifies four standard formats: +# +# a. IDL-style +# +# IDL:Prefix/ModuleName/InterfaceName:VersionNumber +# +# For example, the repository id for the "NamingContext" in OMG's COS +# Naming module is: "IDL:omg.org/CosNaming/NamingContext:1.0". +# +# b. RMI-style +# +# RMI:ClassName:HashCode[:SUID] +# +# This format is used by RMI-IIOP remote objects [RMI-IIOP]. +# "ClassName" is the fully qualified name of the class (for example, +# "java.lang.String"). "HashCode" is the object's hash code (that is, +# that obtained by invoking the "hashCode()" method). "SUID" is the +# "stream unique identifier", which is a 64-bit number that uniquely +# identifies the serialization version of the class; SUID is optional +# in the repository id. +# +# c. DCE-style +# +# DCE:UUID +# +# This format is used for DCE/CORBA interoperability [CORBA-DCE]. +# "UUID" represents a DCE UUID. +# +# d. "local" +# +# This format is defined by the local Object Request Broker (ORB). +# +# The corbaRepositoryId attribute is a multivalued attribute; each +# value records a single repository id of an interface implemented by +# the CORBA object. This attribute need not contain a complete list of +# the interfaces implemented by the CORBA object. +# +# This attribute's syntax is 'Directory String' and its case is +# significant. The values of this attribute are encoded using UTF-8. +# Some values may require translation from their native representation +# in order to be correctly encoded using UTF-8. 
+# +# ( 1.3.6.1.4.1.42.2.27.4.1.15 +# NAME 'corbaRepositoryId' +# DESC 'Repository ids of interfaces implemented by a CORBA object' +# EQUALITY caseExactMatch +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 +# ) +# +# +attributetype ( 1.3.6.1.4.1.42.2.27.4.1.15 + NAME 'corbaRepositoryId' + DESC 'Repository ids of interfaces implemented by a CORBA object' + EQUALITY caseExactMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) + +# 4. Object Class Definitions +# +# The following object classes are defined in this document: +# +# corbaContainer +# corbaObject +# corbaObjectReference +# +# 4.1 corbaContainer +# +# This structural object class represents a container for a CORBA +# object. +# +# ( 1.3.6.1.4.1.42.2.27.4.2.10 +# NAME 'corbaContainer' +# DESC 'Container for a CORBA object' +# SUP top +# STRUCTURAL +# MUST ( cn ) +# ) +# +objectclass ( 1.3.6.1.4.1.42.2.27.4.2.10 + NAME 'corbaContainer' + DESC 'Container for a CORBA object' + SUP top + STRUCTURAL + MUST cn ) + +# 4.2 corbaObject +# +# This abstract object class is the root class for representing a CORBA +# object. +# +# ( 1.3.6.1.4.1.42.2.27.4.2.9 +# NAME 'corbaObject' +# DESC 'CORBA object representation' +# SUP top +# ABSTRACT +# MAY ( corbaRepositoryId $ description ) +# ) +# +objectclass ( 1.3.6.1.4.1.42.2.27.4.2.9 + NAME 'corbaObject' + DESC 'CORBA object representation' + SUP top + ABSTRACT + MAY ( corbaRepositoryId $ description ) ) + +# 4.3 corbaObjectReference +# +# This auxiliary object class represents a CORBA object reference. It +# must be mixed in with a structural object class. +# +# ( 1.3.6.1.4.1.42.2.27.4.2.11 +# NAME 'corbaObjectReference' +# DESC 'CORBA interoperable object reference' +# SUP corbaObject +# AUXILIARY +# MUST ( corbaIor ) +# ) +# +objectclass ( 1.3.6.1.4.1.42.2.27.4.2.11 + NAME 'corbaObjectReference' + DESC 'CORBA interoperable object reference' + SUP corbaObject + AUXILIARY + MUST corbaIor ) + +# 10. Full Copyright Statement +# +# Copyright (C) The Internet Society (1999). 
All Rights Reserved. +# +# This document and translations of it may be copied and furnished to +# others, and derivative works that comment on or otherwise explain it +# or assist in its implementation may be prepared, copied, published +# and distributed, in whole or in part, without restriction of any +# kind, provided that the above copyright notice and this paragraph are +# included on all such copies and derivative works. However, this +# document itself may not be modified in any way, such as by removing +# the copyright notice or references to the Internet Society or other +# Internet organizations, except as needed for the purpose of +# developing Internet standards in which case the procedures for +# copyrights defined in the Internet Standards process must be +# followed, or as required to translate it into languages other than +# English. +# +# The limited permissions granted above are perpetual and will not be +# revoked by the Internet Society or its successors or assigns. +# +# This document and the information contained herein is provided on an +# "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING +# TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING +# BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION +# HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF +# MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. diff --git a/servers/slapd/schema/java.schema b/servers/slapd/schema/java.schema new file mode 100644 index 0000000000..9cbeef8293 --- /dev/null +++ b/servers/slapd/schema/java.schema 
@@ -0,0 +1,388 @@ +# Java Object Schema +# $OpenLDAP$ +# depends upon core.schema + +# Network Working Group V. Ryan +# Request for Comments: 2713 S. Seligman +# Category: Informational R. Lee +# Sun Microsystems, Inc. +# October 1999 +# +# +# Schema for Representing Java(tm) Objects in an LDAP Directory +# +# Status of this Memo +# +# This memo provides information for the Internet community. It does +# not specify an Internet standard of any kind. Distribution of this +# memo is unlimited. +# +# Copyright Notice +# +# Copyright (C) The Internet Society (1999). All Rights Reserved. +# +# Abstract +# +# This document defines the schema for representing Java(tm) objects in +# an LDAP directory [LDAPv3]. It defines schema elements to represent +# a Java serialized object [Serial], a Java marshalled object [RMI], a +# Java remote object [RMI], and a JNDI reference [JNDI]. +# + +# [trimmed] + +# 3 Attribute Type Definitions +# +# The following attribute types are defined in this document: +# +# javaClassName +# javaClassNames +# javaCodebase +# javaSerializedData +# javaFactory +# javaReferenceAddress +# javaDoc +# +# 3.1 javaClassName +# +# This attribute stores the fully qualified name of the Java object's +# "distinguished" class or interface (for example, "java.lang.String"). +# It is a single-valued attribute. This attribute's syntax is ' +# Directory String' and its case is significant. +# +# ( 1.3.6.1.4.1.42.2.27.4.1.6 +# NAME 'javaClassName' +# DESC 'Fully qualified name of distinguished Java class or +# interface' +# EQUALITY caseExactMatch +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 +# SINGLE-VALUE +# ) +# +attributetype ( 1.3.6.1.4.1.42.2.27.4.1.6 + NAME 'javaClassName' + DESC 'Fully qualified name of distinguished Java class or interface' + EQUALITY caseExactMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + SINGLE-VALUE ) + +# 3.2 javaCodebase +# +# This attribute stores the Java class definition's locations. 
It +# specifies the locations from which to load the class definition for +# the class specified by the javaClassName attribute. Each value of +# the attribute contains an ordered list of URLs, separated by spaces. +# For example, a value of "url1 url2 url3" means that the three +# (possibly interdependent) URLs (url1, url2, and url3) form the +# codebase for loading in the Java class definition. +# +# If the javaCodebase attribute contains more than one value, each +# value is an independent codebase. That is, there is no relationship +# between the URLs in one value and those in another; each value can be +# viewed as an alternate source for loading the Java class definition. +# See [Java] for information regarding class loading. +# +# This attribute's syntax is 'IA5 String' and its case is significant. +# +# ( 1.3.6.1.4.1.42.2.27.4.1.7 +# NAME 'javaCodebase' +# DESC 'URL(s) specifying the location of class definition' +# EQUALITY caseExactIA5Match +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 +# ) +# +attributetype ( 1.3.6.1.4.1.42.2.27.4.1.7 + NAME 'javaCodebase' + DESC 'URL(s) specifying the location of class definition' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +# 3.3 javaClassNames +# +# This attribute stores the Java object's fully qualified class or +# interface names (for example, "java.lang.String"). It is a +# multivalued attribute. When more than one value is present, each is +# the name of a class or interface, or ancestor class or interface, of +# this object. +# +# This attribute's syntax is 'Directory String' and its case is +# significant. 
+# +# ( 1.3.6.1.4.1.42.2.27.4.1.13 +# NAME 'javaClassNames' +# DESC 'Fully qualified Java class or interface name' +# EQUALITY caseExactMatch +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 +# ) +# +# +attributetype ( 1.3.6.1.4.1.42.2.27.4.1.13 + NAME 'javaClassNames' + DESC 'Fully qualified Java class or interface name' + EQUALITY caseExactMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) + +# 3.4 javaSerializedData +# +# This attribute stores the serialized form of a Java object. The +# serialized form is described in [Serial]. +# +# This attribute's syntax is 'Octet String'. +# +# ( 1.3.6.1.4.1.42.2.27.4.1.8 +# NAME 'javaSerializedData +# DESC 'Serialized form of a Java object' +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 +# SINGLE-VALUE +# ) +# +attributetype ( 1.3.6.1.4.1.42.2.27.4.1.8 + NAME 'javaSerializedData + DESC 'Serialized form of a Java object' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 + SINGLE-VALUE ) + +# 3.5 javaFactory +# +# This attribute stores the fully qualified class name of the object +# factory (for example, "com.wiz.jndi.WizObjectFactory") that can be +# used to create an instance of the object identified by the +# javaClassName attribute. +# +# This attribute's syntax is 'Directory String' and its case is +# significant. +# +# ( 1.3.6.1.4.1.42.2.27.4.1.10 +# NAME 'javaFactory' +# DESC 'Fully qualified Java class name of a JNDI object factory' +# EQUALITY caseExactMatch +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 +# SINGLE-VALUE +# ) +# +atttributetype ( 1.3.6.1.4.1.42.2.27.4.1.10 + NAME 'javaFactory' + DESC 'Fully qualified Java class name of a JNDI object factory' + EQUALITY caseExactMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + SINGLE-VALUE ) + +# 3.6 javaReferenceAddress +# +# This attribute represents the sequence of addresses of a JNDI +# reference. Each of its values represents one address, a Java object +# of type javax.naming.RefAddr. 
Its value is a concatenation of the +# address type and address contents, preceded by a sequence number (the +# order of addresses in a JNDI reference is significant). For example: +# +# #0#TypeA#ValA +# #1#TypeB#ValB +# #2#TypeC##rO0ABXNyABpq... +# +# In more detail, the value is encoded as follows: +# +# The delimiter is the first character of the value. For readability +# the character '#' is recommended when it is not otherwise used +# anywhere in the value, but any character may be used subject to +# restrictions given below. +# +# The first delimiter is followed by the sequence number. The sequence +# number of an address is its position in the JNDI reference, with the +# first address being numbered 0. It is represented by its shortest +# string form, in decimal notation. +# +# The sequence number is followed by a delimiter, then by the address +# type, and then by another delimiter. If the address is of Java class +# javax.naming.StringRefAddr, then this delimiter is followed by the +# value of the address contents (which is a string). Otherwise, this +# delimiter is followed immediately by another delimiter, and then by +# the Base64 encoding of the serialized form of the entire address. +# +# The delimiter may be any character other than a digit or a character +# contained in the address type. In addition, if the address contents +# is a string, the delimiter may not be the first character of that +# string. +# +# This attribute's syntax is 'Directory String' and its case is +# significant. It can contain multiple values. 
+# +# ( 1.3.6.1.4.1.42.2.27.4.1.11 +# NAME 'javaReferenceAddress' +# DESC 'Addresses associated with a JNDI Reference' +# EQUALITY caseExactMatch +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 +# ) +# +attributetype ( 1.3.6.1.4.1.42.2.27.4.1.11 + NAME 'javaReferenceAddress' + DESC 'Addresses associated with a JNDI Reference' + EQUALITY caseExactMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) + +# 3.7 javaDoc +# +# This attribute stores a pointer to the Java documentation for the +# class. It's value is a URL. For example, the following URL points to +# the specification of the java.lang.String class: +# http://java.sun.com/products/jdk/1.2/docs/api/java/lang/String.html +# +# This attribute's syntax is 'IA5 String' and its case is significant. +# +# ( 1.3.6.1.4.1.42.2.27.4.1.12 +# NAME 'javaDoc' +# DESC 'The Java documentation for the class' +# EQUALITY caseExactIA5Match +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 +# ) +# +attributetype ( 1.3.6.1.4.1.42.2.27.4.1.12 + NAME 'javaDoc' + DESC 'The Java documentation for the class' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +# 4 Object Class Definitions +# +# The following object classes are defined in this document: +# +# javaContainer +# javaObject +# javaSerializedObject +# javaMarshalledObject +# javaNamingReference +# +# 4.1 javaContainer +# +# This structural object class represents a container for a Java +# object. +# +# ( 1.3.6.1.4.1.42.2.27.4.2.1 +# NAME 'javaContainer' +# DESC 'Container for a Java object' +# SUP top +# STRUCTURAL +# MUST ( cn ) +# ) +# +objectclass ( 1.3.6.1.4.1.42.2.27.4.2.1 + NAME 'javaContainer' + DESC 'Container for a Java object' + SUP top + STRUCTURAL + MUST cn ) + +# 4.2 javaObject +# +# This abstract object class represents a Java object. A javaObject +# cannot exist in the directory; only auxiliary or structural +# subclasses of it can exist in the directory. 
+# +# ( 1.3.6.1.4.1.42.2.27.4.2.4 +# NAME 'javaObject' +# DESC 'Java object representation' +# SUP top +# ABSTRACT +# MUST ( javaClassName ) +# MAY ( javaClassNames $ +# javaCodebase $ +# javaDoc $ +# description ) +# ) +# +objectclass ( 1.3.6.1.4.1.42.2.27.4.2.4 + NAME 'javaObject' + DESC 'Java object representation' + SUP top + ABSTRACT + MUST javaClassName + MAY ( javaClassNames $ javaCodebase $ + javaDoc $ description ) ) + +# 4.3 javaSerializedObject +# +# This auxiliary object class represents a Java serialized object. It +# must be mixed in with a structural object class. +# +# ( 1.3.6.1.4.1.42.2.27.4.2.5 +# NAME 'javaSerializedObject' +# DESC 'Java serialized object' +# SUP javaObject +# AUXILIARY +# MUST ( javaSerializedData ) +# ) +# +objectclass ( 1.3.6.1.4.1.42.2.27.4.2.5 + NAME 'javaSerializedObject' + DESC 'Java serialized object' + SUP javaObject + AUXILIARY + MUST javaSerializedData ) + +# 4.4 javaMarshalledObject +# +# This auxiliary object class represents a Java marshalled object. It +# must be mixed in with a structural object class. +# +# ( 1.3.6.1.4.1.42.2.27.4.2.8 +# NAME 'javaMarshalledObject' +# DESC 'Java marshalled object' +# SUP javaObject +# AUXILIARY +# MUST ( javaSerializedData ) +# ) +# +objectclass ( 1.3.6.1.4.1.42.2.27.4.2.8 + NAME 'javaMarshalledObject' + DESC 'Java marshalled object' + SUP javaObject + AUXILIARY + MUST javaSerializedData ) + +# 4.5 javaNamingReference +# +# This auxiliary object class represents a JNDI reference. It must be +# mixed in with a structural object class. +# +# ( 1.3.6.1.4.1.42.2.27.4.2.7 +# NAME 'javaNamingReference' +# DESC 'JNDI reference' +# SUP javaObject +# AUXILIARY +# MAY ( javaReferenceAddress $ +# javaFactory ) +# ) +# +objectclass ( 1.3.6.1.4.1.42.2.27.4.2.7 + NAME 'javaNamingReference' + DESC 'JNDI reference' + SUP javaObject + AUXILIARY + MAY ( javaReferenceAddress $ javaFactory ) ) + +# Full Copyright Statement +# +# Copyright (C) The Internet Society (1999). All Rights Reserved. 
+# +# This document and translations of it may be copied and furnished to +# others, and derivative works that comment on or otherwise explain it +# or assist in its implementation may be prepared, copied, published +# and distributed, in whole or in part, without restriction of any +# kind, provided that the above copyright notice and this paragraph are +# included on all such copies and derivative works. However, this +# document itself may not be modified in any way, such as by removing +# the copyright notice or references to the Internet Society or other +# Internet organizations, except as needed for the purpose of +# developing Internet standards in which case the procedures for +# copyrights defined in the Internet Standards process must be +# followed, or as required to translate it into languages other than +# English. +# +# The limited permissions granted above are perpetual and will not be +# revoked by the Internet Society or its successors or assigns. +# +# This document and the information contained herein is provided on an +# "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING +# TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING +# BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION +# HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF +# MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c index 93d5ae25ee..ba74c3716f 100644 --- a/servers/slapd/schema_init.c +++ b/servers/slapd/schema_init.c 
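Review bot: Two of the uncommented definitions in this new file are malformed: the `javaFactory` attribute is introduced with `atttributetype` (three t's) instead of `attributetype`, and `javaSerializedData` is written as `NAME 'javaSerializedData` with no closing quote, so the following `DESC '...'` is swallowed into the name. The second typo is copied from the RFC 2713 text reproduced in the comment block just above it, which carries the same unclosed quote, but the parser only reads the uncommented lines. The fixes are `attributetype ( 1.3.6.1.4.1.42.2.27.4.1.10` and `NAME 'javaSerializedData'`. I would expect slapd to reject the file at startup once it is included rather than skip the bad entries, so this is worth fixing before the release rather than after.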
@@ -19,17 +19,11 @@ /* recycled validatation routines */ #define berValidate blobValidate -#define nameUIDValidate dnValidate - -/* unimplemented validators */ -#define bitStringValidate NULL /* recycled normalization routines */ #define faxNumberNormalize numericStringNormalize #define phoneNumberNormalize numericStringNormalize #define telexNumberNormalize numericStringNormalize -#define integerNormalize numericStringNormalize -#define nameUIDNormalize dnNormalize /* unimplemented normalizers */ #define bitStringNormalize NULL 
@@ -38,50 +32,56 @@ #define dnPretty NULL #define integerPretty NULL -/* recycled pretters */ -#define nameUIDPretty dnPretty - /* recycled matching routines */ -#define caseIgnoreMatch caseIgnoreIA5Match -#define caseIgnoreOrderingMatch caseIgnoreMatch -#define caseIgnoreSubstringsMatch caseIgnoreIA5SubstringsMatch - -#define caseExactMatch caseExactIA5Match -#define caseExactOrderingMatch caseExactMatch -#define caseExactSubstringsMatch caseExactIA5SubstringsMatch - +#define bitStringMatch octetStringMatch +#define integerMatch caseIgnoreIA5Match #define numericStringMatch caseIgnoreMatch #define objectIdentifierMatch numericStringMatch -#define integerMatch numericStringMatch #define telephoneNumberMatch numericStringMatch #define telephoneNumberSubstringsMatch caseIgnoreIA5SubstringsMatch #define generalizedTimeMatch numericStringMatch #define generalizedTimeOrderingMatch numericStringMatch #define uniqueMemberMatch dnMatch +/* approx matching rules */ +#define directoryStringApproxMatchOID "1.3.6.1.4.1.4203.666.4.4" +#define directoryStringApproxMatch NULL +#define IA5StringApproxMatchOID "1.3.6.1.4.1.4203.666.4.5" +#define IA5StringApproxMatch NULL + +/* orderring matching rules */ +#define caseIgnoreOrderingMatch caseIgnoreMatch +#define caseExactOrderingMatch caseExactMatch + /* unimplemented matching routines */ #define caseIgnoreListMatch NULL #define caseIgnoreListSubstringsMatch NULL -#define bitStringMatch NULL #define presentationAddressMatch NULL #define protocolInformationMatch NULL #define integerFirstComponentMatch NULL #define OpenLDAPaciMatch NULL +#define authPasswordMatch NULL /* recycled indexing/filtering routines */ -#define caseIgnoreIndexer caseIgnoreIA5Indexer -#define caseIgnoreFilter caseIgnoreIA5Filter -#define caseExactIndexer caseExactIA5Indexer -#define caseExactFilter caseExactIA5Filter #define dnIndexer caseIgnoreIndexer #define dnFilter caseIgnoreFilter +#define integerIndexer caseIgnoreIA5Indexer +#define integerFilter 
caseIgnoreIA5Filter -#define caseIgnoreSubstringsIndexer caseIgnoreIA5SubstringsIndexer -#define caseIgnoreSubstringsFilter caseIgnoreIA5SubstringsFilter -#define caseExactSubstringsIndexer caseExactIA5SubstringsIndexer -#define caseExactSubstringsFilter caseExactIA5SubstringsFilter +static char *strcasechr( const char *str, int c ) +{ + char *lower = strchr( str, TOLOWER(c) ); + char *upper = strchr( str, TOUPPER(c) ); + if( lower && upper ) { + return lower < upper ? lower : upper; + } else if ( lower ) { + return lower; + } else { + return upper; + } +} static int octetStringMatch( 
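Review bot: The new helper is named `strcasechr`, which falls in the identifier space C reserves for future `<string.h>` additions (names beginning with `str` followed by a lowercase letter), so a libc that grows a `strcasechr` would collide with this `static` definition; a project-prefixed name such as `slap_strcasechr` avoids that. The helper's logic is fine for single-byte characters: it returns the earlier of the two `strchr` hits and falls back to whichever one matched. `#define integerMatch caseIgnoreIA5Match` presumably compares integer values as case-folded byte strings, so `007` and `7` would not match; if that is an accepted stopgap, a one-line comment saying so would stop the next reader from treating it as a bug. The comment `/* orderring matching rules */` should read `/* ordering matching rules */`.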
@@ -280,6 +280,104 @@ dnMatch( return LDAP_SUCCESS; } +static int +nameUIDValidate( + Syntax *syntax, + struct berval *in ) +{ + int rc; + struct berval *dn; + + if( in->bv_len == 0 ) return LDAP_SUCCESS; + + dn = ber_bvdup( in ); + + if( dn->bv_val[dn->bv_len-1] == '\'' ) { + /* assume presence of optional UID */ + ber_len_t i; + + for(i=dn->bv_len-2; i>2; i--) { + if( dn->bv_val[i] != '0' && dn->bv_val[i] != '1' ) { + break; + } + } + if( dn->bv_val[i] != '\'' ) { + return LDAP_INVALID_SYNTAX; + } + if( dn->bv_val[i-1] != 'B' ) { + return LDAP_INVALID_SYNTAX; + } + if( dn->bv_val[i-2] != '#' ) { + return LDAP_INVALID_SYNTAX; + } + + /* trim the UID to allow use of dn_validate */ + dn->bv_val[i-2] = '\0'; + } + + rc = dn_validate( dn->bv_val ) == NULL + ? LDAP_INVALID_SYNTAX : LDAP_SUCCESS; + + ber_bvfree( dn ); + return rc; +} + +static int +nameUIDNormalize( + Syntax *syntax, + struct berval *val, + struct berval **normalized ) +{ + struct berval *out = ber_bvdup( val ); + + if( out->bv_len != 0 ) { + char *dn; + ber_len_t dnlen; + char *uid = NULL; + ber_len_t uidlen = 0; + + if( out->bv_val[out->bv_len-1] == '\'' ) { + /* assume presence of optional UID */ + uid = strrchr( out->bv_val, '#' ); + + if( uid == NULL ) { + ber_bvfree( out ); + return LDAP_INVALID_SYNTAX; + } + + uidlen = out->bv_len - (out->bv_val - uid); + /* temporarily trim the UID */ + *uid = '\0'; + } + +#ifdef USE_DN_NORMALIZE + dn = dn_normalize( out->bv_val ); +#else + dn = dn_validate( out->bv_val ); +#endif + + if( dn == NULL ) { + ber_bvfree( out ); + return LDAP_INVALID_SYNTAX; + } + + dnlen = strlen(dn); + + if( uidlen ) { + /* restore the separator */ + *uid = '#'; + /* shift the UID */ + SAFEMEMCPY( &dn[dnlen], uid, uidlen ); + } + + out->bv_val = dn; + out->bv_len = dnlen + uidlen; + } + + *normalized = out; + return LDAP_SUCCESS; +} + static int inValidate( Syntax *syntax, 
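Review bot: In `nameUIDNormalize` the trailing-UID length has its operands reversed: `uidlen = out->bv_len - (out->bv_val - uid);` where `uid` points inside `out->bv_val`, so the expression evaluates to `bv_len + offset` instead of `bv_len - offset`, and the later `SAFEMEMCPY( &dn[dnlen], uid, uidlen )` then copies far past the end of the value; it should read `uidlen = out->bv_len - (uid - out->bv_val);`. In `nameUIDValidate`, the three `return LDAP_INVALID_SYNTAX` statements inside the UID branch skip `ber_bvfree( dn )` and leak the `ber_bvdup` copy, and because `ber_len_t` is unsigned the backwards scan starting at `dn->bv_len-2` wraps for a one- or two-byte value ending in `'`, after which `dn->bv_val[i-1]` and `dn->bv_val[i-2]` index before the start of the buffer. Both routines run on attribute values supplied by clients, so the normalizer's miscount is the one to treat as urgent. A reworked validator with a length guard and a single cleanup path follows.

```c
static int
nameUIDValidate(
	Syntax *syntax,
	struct berval *in )
{
	int rc = LDAP_SUCCESS;
	struct berval *dn;

	if( in->bv_len == 0 ) return LDAP_SUCCESS;

	dn = ber_bvdup( in );

	if( dn->bv_val[dn->bv_len-1] == '\'' ) {
		/* assume presence of optional UID; there must be room for
		 * "#B'" ahead of the closing quote, otherwise the unsigned
		 * index below would wrap */
		ber_len_t i;

		if( dn->bv_len < 4 ) {
			rc = LDAP_INVALID_SYNTAX;
			goto done;
		}

		/* … unchanged: scan back over the '0'/'1' bits into i … */

		if( dn->bv_val[i] != '\'' || dn->bv_val[i-1] != 'B'
			|| dn->bv_val[i-2] != '#' )
		{
			rc = LDAP_INVALID_SYNTAX;
			goto done;
		}

		/* trim the UID to allow use of dn_validate */
		dn->bv_val[i-2] = '\0';
	}

	if( dn_validate( dn->bv_val ) == NULL ) {
		rc = LDAP_INVALID_SYNTAX;
	}

done:
	ber_bvfree( dn );
	return rc;
}
```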
@@ -298,6 +396,35 @@ blobValidate( return LDAP_SUCCESS; } +static int +bitStringValidate( + Syntax *syntax, + struct berval *in ) +{ + ber_len_t i; + + /* very unforgiving validation, requires no normalization + * before simplistic matching + */ + if( in->bv_len < 3 ) { + return LDAP_INVALID_SYNTAX; + } + if( in->bv_val[0] != 'B' || + in->bv_val[1] != '\'' || + in->bv_val[in->bv_len-1] != '\'' ) + { + return LDAP_INVALID_SYNTAX; + } + + for( i=in->bv_len-2; i>1; i-- ) { + if( in->bv_val[i] != '0' && in->bv_val[i] != '1' ) { + return LDAP_INVALID_SYNTAX; + } + } + + return LDAP_SUCCESS; +} + /* * Handling boolean syntax and matching is quite rigid. * A more flexible approach would be to allow a variety @@ -341,6 +468,62 @@ booleanMatch( return LDAP_SUCCESS; } +#if 0 +static int +UTF8casecmp( + struct berval *right, + struct berval *left ) +{ + ber_len_t r, l; + int rlen, llen; + ldap_unicode_t ru, lu; + ldap_unicode_t ruu, luu; + + for( r=0, l=0; + r < right->bv_len && l < left->bv_len; + r+=rlen, l+=llen ) + { + /* + * XXYYZ: we convert to ucs4 even though -llunicode + * expects ucs2 in an unsigned long + */ + ru = ldap_utf8_to_ucs4( &right->bv_val[r] ); + if( ru == LDAP_UCS4_INVALID ) { + return 1; + } + + lu = ldap_utf8_to_ucs4( &left->bv_val[l] ); + if( lu == LDAP_UCS4_INVALID ) { + return -1; + } + + ruu = uctoupper( ru ); + luu = uctoupper( lu ); + + if( ruu > luu ) { + return 1; + } else if( luu > ruu ) { + return -1; + } + + rlen = LDAP_UTF8_CHARLEN( &right->bv_val[r] ); + llen = LDAP_UTF8_CHARLEN( &left->bv_val[l] ); + } + + if( r < right->bv_len ) { + /* less left */ + return -1; + } + + if( l < left->bv_len ) { + /* less right */ + return 1; + } + + return 0; +} +#endif + static int UTF8StringValidate( Syntax *syntax, 
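Review bot: `UTF8casecmp` lands wrapped in `#if 0`, which adds roughly fifty lines the compiler never checks and that will drift from the real `caseIgnoreMatch` until someone notices; either wire it in now or keep it on a branch instead of the tree. If it stays, one thing to watch when enabling it: the loop advances `r` and `l` by `rlen`/`llen` taken from `LDAP_UTF8_CHARLEN`, and this same commit treats a zero return from that macro as possible (`UTF8StringValidate` rejects `len == 0`), so a zero here would stall the loop — the preceding `LDAP_UCS4_INVALID` checks presumably reject such input first, but that is not visible in this hunk. A short comment on the loop stating that dependency would be enough, e.g. `/* ldap_utf8_to_ucs4 has already rejected malformed lead bytes, so CHARLEN is never 0 here */`.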
@@ -350,102 +533,1249 @@ UTF8StringValidate( int len; unsigned char *u = in->bv_val; - if( !in->bv_len ) return LDAP_INVALID_SYNTAX; + if( !in->bv_len ) return LDAP_INVALID_SYNTAX; + + for( count = in->bv_len; count > 0; count-=len, u+=len ) { + /* get the length indicated by the first byte */ + len = LDAP_UTF8_CHARLEN( u ); + + /* should not be zero */ + if( len == 0 ) return LDAP_INVALID_SYNTAX; + + /* make sure len corresponds with the offset + to the next character */ + if( LDAP_UTF8_OFFSET( u ) != len ) return LDAP_INVALID_SYNTAX; + } + + if( count != 0 ) return LDAP_INVALID_SYNTAX; + + return LDAP_SUCCESS; +} + +static int +UTF8StringNormalize( + Syntax *syntax, + struct berval *val, + struct berval **normalized ) +{ + struct berval *newval; + char *p, *q, *s; + + newval = ch_malloc( sizeof( struct berval ) ); + + p = val->bv_val; + + /* Ignore initial whitespace */ + while ( ldap_utf8_isspace( p ) ) { + LDAP_UTF8_INCR( p ); + } + + if( *p == '\0' ) { + ch_free( newval ); + return LDAP_INVALID_SYNTAX; + } + + newval->bv_val = ch_strdup( p ); + p = q = newval->bv_val; + s = NULL; + + while ( *p ) { + int len; + + if ( ldap_utf8_isspace( p ) ) { + len = LDAP_UTF8_COPY(q,p); + s=q; + p+=len; + q+=len; + + /* Ignore the extra whitespace */ + while ( ldap_utf8_isspace( p ) ) { + LDAP_UTF8_INCR( p ); + } + } else { + len = LDAP_UTF8_COPY(q,p); + s=NULL; + p+=len; + q+=len; + } + } + + assert( *newval->bv_val ); + assert( newval->bv_val < p ); + assert( q <= p ); + + /* cannot start with a space */ + assert( !ldap_utf8_isspace(newval->bv_val) ); + + /* + * If the string ended in space, backup the pointer one + * position. One is enough because the above loop collapsed + * all whitespace to a single space. 
+ */ + + if ( s != NULL ) { + q = s; + } + + /* cannot end with a space */ + assert( !ldap_utf8_isspace( LDAP_UTF8_PREV(q) ) ); + + /* null terminate */ + *q = '\0'; + + newval->bv_len = q - newval->bv_val; + *normalized = newval; + + return LDAP_SUCCESS; +} + +static int +caseExactMatch( + int *matchp, + slap_mask_t flags, + Syntax *syntax, + MatchingRule *mr, + struct berval *value, + void *assertedValue ) +{ + int match = value->bv_len - ((struct berval *) assertedValue)->bv_len; + + if( match == 0 ) { + match = strncmp( value->bv_val, + ((struct berval *) assertedValue)->bv_val, + value->bv_len ); + } + + *matchp = match; + return LDAP_SUCCESS; +} + +static int +caseExactSubstringsMatch( + int *matchp, + slap_mask_t flags, + Syntax *syntax, + MatchingRule *mr, + struct berval *value, + void *assertedValue ) +{ + int match = 0; + SubstringsAssertion *sub = assertedValue; + struct berval left = *value; + int i; + ber_len_t inlen=0; + + /* Add up asserted input length */ + if( sub->sa_initial ) { + inlen += sub->sa_initial->bv_len; + } + if( sub->sa_any ) { + for(i=0; sub->sa_any[i] != NULL; i++) { + inlen += sub->sa_any[i]->bv_len; + } + } + if( sub->sa_final ) { + inlen += sub->sa_final->bv_len; + } + + if( sub->sa_initial ) { + if( inlen > left.bv_len ) { + match = 1; + goto done; + } + + match = strncmp( sub->sa_initial->bv_val, left.bv_val, + sub->sa_initial->bv_len ); + + if( match != 0 ) { + goto done; + } + + left.bv_val += sub->sa_initial->bv_len; + left.bv_len -= sub->sa_initial->bv_len; + inlen -= sub->sa_initial->bv_len; + } + + if( sub->sa_final ) { + if( inlen > left.bv_len ) { + match = 1; + goto done; + } + + match = strncmp( sub->sa_final->bv_val, + &left.bv_val[left.bv_len - sub->sa_final->bv_len], + sub->sa_final->bv_len ); + + if( match != 0 ) { + goto done; + } + + left.bv_len -= sub->sa_final->bv_len; + inlen -= sub->sa_final->bv_len; + } + + if( sub->sa_any ) { + for(i=0; sub->sa_any[i]; i++) { + ber_len_t idx; + char *p; + +retry: + if( 
inlen > left.bv_len ) { + /* not enough length */ + match = 1; + goto done; + } + + if( sub->sa_any[i]->bv_len == 0 ) { + continue; + } + + p = strchr( left.bv_val, *sub->sa_any[i]->bv_val ); + + if( p == NULL ) { + match = 1; + goto done; + } + + idx = p - left.bv_val; + assert( idx < left.bv_len ); + + if( idx >= left.bv_len ) { + /* this shouldn't happen */ + return LDAP_OTHER; + } + + left.bv_val = p; + left.bv_len -= idx; + + if( sub->sa_any[i]->bv_len > left.bv_len ) { + /* not enough left */ + match = 1; + goto done; + } + + match = strncmp( left.bv_val, + sub->sa_any[i]->bv_val, + sub->sa_any[i]->bv_len ); + + if( match != 0 ) { + left.bv_val++; + left.bv_len--; + goto retry; + } + + left.bv_val += sub->sa_any[i]->bv_len; + left.bv_len -= sub->sa_any[i]->bv_len; + inlen -= sub->sa_any[i]->bv_len; + } + } + +done: + *matchp = match; + return LDAP_SUCCESS; +} + +/* Index generation function */ +int caseExactIndexer( + slap_mask_t use, + slap_mask_t flags, + Syntax *syntax, + MatchingRule *mr, + struct berval *prefix, + struct berval **values, + struct berval ***keysp ) +{ + int i; + size_t slen, mlen; + struct berval **keys; + lutil_MD5_CTX MD5context; + unsigned char MD5digest[16]; + struct berval digest; + digest.bv_val = MD5digest; + digest.bv_len = sizeof(MD5digest); + + for( i=0; values[i] != NULL; i++ ) { + /* just count them */ + } + + assert( i > 0 ); + + keys = ch_malloc( sizeof( struct berval * ) * (i+1) ); + + slen = strlen( syntax->ssyn_oid ); + mlen = strlen( mr->smr_oid ); + + for( i=0; values[i] != NULL; i++ ) { + struct berval *value = values[i]; + + lutil_MD5Init( &MD5context ); + if( prefix != NULL && prefix->bv_len > 0 ) { + lutil_MD5Update( &MD5context, + prefix->bv_val, prefix->bv_len ); + } + lutil_MD5Update( &MD5context, + syntax->ssyn_oid, slen ); + lutil_MD5Update( &MD5context, + mr->smr_oid, mlen ); + lutil_MD5Update( &MD5context, + value->bv_val, value->bv_len ); + lutil_MD5Final( MD5digest, &MD5context ); + + keys[i] = ber_bvdup( 
&digest ); + } + + keys[i] = NULL; + *keysp = keys; + return LDAP_SUCCESS; +} + +/* Index generation function */ +int caseExactFilter( + slap_mask_t use, + slap_mask_t flags, + Syntax *syntax, + MatchingRule *mr, + struct berval *prefix, + void * assertValue, + struct berval ***keysp ) +{ + size_t slen, mlen; + struct berval **keys; + lutil_MD5_CTX MD5context; + unsigned char MD5digest[LUTIL_MD5_BYTES]; + struct berval *value; + struct berval digest; + digest.bv_val = MD5digest; + digest.bv_len = sizeof(MD5digest); + + slen = strlen( syntax->ssyn_oid ); + mlen = strlen( mr->smr_oid ); + + value = (struct berval *) assertValue; + + keys = ch_malloc( sizeof( struct berval * ) * 2 ); + + lutil_MD5Init( &MD5context ); + if( prefix != NULL && prefix->bv_len > 0 ) { + lutil_MD5Update( &MD5context, + prefix->bv_val, prefix->bv_len ); + } + lutil_MD5Update( &MD5context, + syntax->ssyn_oid, slen ); + lutil_MD5Update( &MD5context, + mr->smr_oid, mlen ); + lutil_MD5Update( &MD5context, + value->bv_val, value->bv_len ); + lutil_MD5Final( MD5digest, &MD5context ); + + keys[0] = ber_bvdup( &digest ); + keys[1] = NULL; + + *keysp = keys; + return LDAP_SUCCESS; +} + +/* Substrings Index generation function */ +int caseExactSubstringsIndexer( + slap_mask_t use, + slap_mask_t flags, + Syntax *syntax, + MatchingRule *mr, + struct berval *prefix, + struct berval **values, + struct berval ***keysp ) +{ + ber_len_t i, nkeys; + size_t slen, mlen; + struct berval **keys; + lutil_MD5_CTX MD5context; + unsigned char MD5digest[16]; + struct berval digest; + digest.bv_val = MD5digest; + digest.bv_len = sizeof(MD5digest); + + nkeys=0; + for( i=0; values[i] != NULL; i++ ) { + /* count number of indices to generate */ + if( values[i]->bv_len < SLAP_INDEX_SUBSTR_MINLEN ) { + continue; + } + + if( flags & SLAP_INDEX_SUBSTR_INITIAL ) { + if( values[i]->bv_len >= SLAP_INDEX_SUBSTR_MAXLEN ) { + nkeys += SLAP_INDEX_SUBSTR_MAXLEN - + ( SLAP_INDEX_SUBSTR_MINLEN - 1); + } else { + nkeys += 
values[i]->bv_len - ( SLAP_INDEX_SUBSTR_MINLEN - 1 ); + } + } + + if( flags & SLAP_INDEX_SUBSTR_ANY ) { + if( values[i]->bv_len >= SLAP_INDEX_SUBSTR_MAXLEN ) { + nkeys += values[i]->bv_len - ( SLAP_INDEX_SUBSTR_MAXLEN - 1 ); + } + } + + if( flags & SLAP_INDEX_SUBSTR_FINAL ) { + if( values[i]->bv_len >= SLAP_INDEX_SUBSTR_MAXLEN ) { + nkeys += SLAP_INDEX_SUBSTR_MAXLEN - + ( SLAP_INDEX_SUBSTR_MINLEN - 1); + } else { + nkeys += values[i]->bv_len - ( SLAP_INDEX_SUBSTR_MINLEN - 1 ); + } + } + } + assert( i > 0 ); + + if( nkeys == 0 ) { + /* no keys to generate */ + *keysp = NULL; + return LDAP_SUCCESS; + } + + keys = ch_malloc( sizeof( struct berval * ) * (nkeys+1) ); + + slen = strlen( syntax->ssyn_oid ); + mlen = strlen( mr->smr_oid ); + + nkeys=0; + for( i=0; values[i] != NULL; i++ ) { + ber_len_t j,max; + struct berval *value; + + value = values[i]; + if( value->bv_len < SLAP_INDEX_SUBSTR_MINLEN ) continue; + + if( ( flags & SLAP_INDEX_SUBSTR_ANY ) && + ( value->bv_len >= SLAP_INDEX_SUBSTR_MAXLEN ) ) + { + char pre = SLAP_INDEX_SUBSTR_PREFIX; + max = value->bv_len - ( SLAP_INDEX_SUBSTR_MAXLEN - 1); + + for( j=0; jbv_len > 0 ) { + lutil_MD5Update( &MD5context, + prefix->bv_val, prefix->bv_len ); + } + + lutil_MD5Update( &MD5context, + &pre, sizeof( pre ) ); + lutil_MD5Update( &MD5context, + syntax->ssyn_oid, slen ); + lutil_MD5Update( &MD5context, + mr->smr_oid, mlen ); + lutil_MD5Update( &MD5context, + &value->bv_val[j], + SLAP_INDEX_SUBSTR_MAXLEN ); + lutil_MD5Final( MD5digest, &MD5context ); + + keys[nkeys++] = ber_bvdup( &digest ); + } + } + + max = SLAP_INDEX_SUBSTR_MAXLEN < value->bv_len + ? 
SLAP_INDEX_SUBSTR_MAXLEN : value->bv_len; + + for( j=SLAP_INDEX_SUBSTR_MINLEN; j<=max; j++ ) { + char pre; + + if( flags & SLAP_INDEX_SUBSTR_INITIAL ) { + pre = SLAP_INDEX_SUBSTR_INITIAL_PREFIX; + lutil_MD5Init( &MD5context ); + if( prefix != NULL && prefix->bv_len > 0 ) { + lutil_MD5Update( &MD5context, + prefix->bv_val, prefix->bv_len ); + } + lutil_MD5Update( &MD5context, + &pre, sizeof( pre ) ); + lutil_MD5Update( &MD5context, + syntax->ssyn_oid, slen ); + lutil_MD5Update( &MD5context, + mr->smr_oid, mlen ); + lutil_MD5Update( &MD5context, + value->bv_val, j ); + lutil_MD5Final( MD5digest, &MD5context ); + + keys[nkeys++] = ber_bvdup( &digest ); + } + + if( flags & SLAP_INDEX_SUBSTR_FINAL ) { + pre = SLAP_INDEX_SUBSTR_FINAL_PREFIX; + lutil_MD5Init( &MD5context ); + if( prefix != NULL && prefix->bv_len > 0 ) { + lutil_MD5Update( &MD5context, + prefix->bv_val, prefix->bv_len ); + } + lutil_MD5Update( &MD5context, + &pre, sizeof( pre ) ); + lutil_MD5Update( &MD5context, + syntax->ssyn_oid, slen ); + lutil_MD5Update( &MD5context, + mr->smr_oid, mlen ); + lutil_MD5Update( &MD5context, + &value->bv_val[value->bv_len-j], j ); + lutil_MD5Final( MD5digest, &MD5context ); + + keys[nkeys++] = ber_bvdup( &digest ); + } + + } + } + + if( nkeys > 0 ) { + keys[nkeys] = NULL; + *keysp = keys; + } else { + ch_free( keys ); + *keysp = NULL; + } + + return LDAP_SUCCESS; +} + +int caseExactSubstringsFilter( + slap_mask_t use, + slap_mask_t flags, + Syntax *syntax, + MatchingRule *mr, + struct berval *prefix, + void * assertValue, + struct berval ***keysp ) +{ + SubstringsAssertion *sa = assertValue; + char pre; + ber_len_t nkeys = 0; + size_t slen, mlen, klen; + struct berval **keys; + lutil_MD5_CTX MD5context; + unsigned char MD5digest[LUTIL_MD5_BYTES]; + struct berval *value; + struct berval digest; + + if( flags & SLAP_INDEX_SUBSTR_INITIAL && sa->sa_initial != NULL && + sa->sa_initial->bv_len >= SLAP_INDEX_SUBSTR_MINLEN ) + { + nkeys++; + } + + if( flags & SLAP_INDEX_SUBSTR_ANY 
&& sa->sa_any != NULL ) { + ber_len_t i; + for( i=0; sa->sa_any[i] != NULL; i++ ) { + if( sa->sa_any[i]->bv_len >= SLAP_INDEX_SUBSTR_MAXLEN ) { + /* don't bother accounting for stepping */ + nkeys += sa->sa_any[i]->bv_len - + ( SLAP_INDEX_SUBSTR_MAXLEN - 1 ); + } + } + } + + if( flags & SLAP_INDEX_SUBSTR_FINAL && sa->sa_final != NULL && + sa->sa_final->bv_len >= SLAP_INDEX_SUBSTR_MINLEN ) + { + nkeys++; + } + + if( nkeys == 0 ) { + *keysp = NULL; + return LDAP_SUCCESS; + } + + digest.bv_val = MD5digest; + digest.bv_len = sizeof(MD5digest); + + slen = strlen( syntax->ssyn_oid ); + mlen = strlen( mr->smr_oid ); + + keys = ch_malloc( sizeof( struct berval * ) * (nkeys+1) ); + nkeys = 0; + + if( flags & SLAP_INDEX_SUBSTR_INITIAL && sa->sa_initial != NULL && + sa->sa_initial->bv_len >= SLAP_INDEX_SUBSTR_MINLEN ) + { + pre = SLAP_INDEX_SUBSTR_INITIAL_PREFIX; + value = sa->sa_initial; + + klen = SLAP_INDEX_SUBSTR_MAXLEN < value->bv_len + ? SLAP_INDEX_SUBSTR_MAXLEN : value->bv_len; + + lutil_MD5Init( &MD5context ); + if( prefix != NULL && prefix->bv_len > 0 ) { + lutil_MD5Update( &MD5context, + prefix->bv_val, prefix->bv_len ); + } + lutil_MD5Update( &MD5context, + &pre, sizeof( pre ) ); + lutil_MD5Update( &MD5context, + syntax->ssyn_oid, slen ); + lutil_MD5Update( &MD5context, + mr->smr_oid, mlen ); + lutil_MD5Update( &MD5context, + value->bv_val, klen ); + lutil_MD5Final( MD5digest, &MD5context ); + + keys[nkeys++] = ber_bvdup( &digest ); + } + + if( flags & SLAP_INDEX_SUBSTR_ANY && sa->sa_any != NULL ) { + ber_len_t i, j; + pre = SLAP_INDEX_SUBSTR_PREFIX; + klen = SLAP_INDEX_SUBSTR_MAXLEN; + + for( i=0; sa->sa_any[i] != NULL; i++ ) { + if( sa->sa_any[i]->bv_len < SLAP_INDEX_SUBSTR_MAXLEN ) { + continue; + } + + value = sa->sa_any[i]; + + for(j=0; + j <= value->bv_len - SLAP_INDEX_SUBSTR_MAXLEN; + j += SLAP_INDEX_SUBSTR_STEP ) + { + lutil_MD5Init( &MD5context ); + if( prefix != NULL && prefix->bv_len > 0 ) { + lutil_MD5Update( &MD5context, + prefix->bv_val, 
prefix->bv_len ); + } + lutil_MD5Update( &MD5context, + &pre, sizeof( pre ) ); + lutil_MD5Update( &MD5context, + syntax->ssyn_oid, slen ); + lutil_MD5Update( &MD5context, + mr->smr_oid, mlen ); + lutil_MD5Update( &MD5context, + &value->bv_val[j], klen ); + lutil_MD5Final( MD5digest, &MD5context ); + + keys[nkeys++] = ber_bvdup( &digest ); + } + } + } + + if( flags & SLAP_INDEX_SUBSTR_FINAL && sa->sa_final != NULL && + sa->sa_final->bv_len >= SLAP_INDEX_SUBSTR_MINLEN ) + { + pre = SLAP_INDEX_SUBSTR_FINAL_PREFIX; + value = sa->sa_final; + + klen = SLAP_INDEX_SUBSTR_MAXLEN < value->bv_len + ? SLAP_INDEX_SUBSTR_MAXLEN : value->bv_len; + + lutil_MD5Init( &MD5context ); + if( prefix != NULL && prefix->bv_len > 0 ) { + lutil_MD5Update( &MD5context, + prefix->bv_val, prefix->bv_len ); + } + lutil_MD5Update( &MD5context, + &pre, sizeof( pre ) ); + lutil_MD5Update( &MD5context, + syntax->ssyn_oid, slen ); + lutil_MD5Update( &MD5context, + mr->smr_oid, mlen ); + lutil_MD5Update( &MD5context, + &value->bv_val[value->bv_len-klen], klen ); + lutil_MD5Final( MD5digest, &MD5context ); + + keys[nkeys++] = ber_bvdup( &digest ); + } + + if( nkeys > 0 ) { + keys[nkeys] = NULL; + *keysp = keys; + } else { + ch_free( keys ); + *keysp = NULL; + } + + return LDAP_SUCCESS; +} + +static int +caseIgnoreMatch( + int *matchp, + slap_mask_t flags, + Syntax *syntax, + MatchingRule *mr, + struct berval *value, + void *assertedValue ) +{ +#if 0 + *matchp = UTF8casecmp( value, (struct berval *) assertedValue ); +#else + int match = value->bv_len - ((struct berval *) assertedValue)->bv_len; + + if( match == 0 ) { + match = strncasecmp( value->bv_val, + ((struct berval *) assertedValue)->bv_val, + value->bv_len ); + } + + *matchp = match; +#endif + return LDAP_SUCCESS; +} + +static int +caseIgnoreSubstringsMatch( + int *matchp, + slap_mask_t flags, + Syntax *syntax, + MatchingRule *mr, + struct berval *value, + void *assertedValue ) +{ + int match = 0; + SubstringsAssertion *sub = assertedValue; + 
struct berval left = *value; + int i; + ber_len_t inlen=0; + + /* Add up asserted input length */ + if( sub->sa_initial ) { + inlen += sub->sa_initial->bv_len; + } + if( sub->sa_any ) { + for(i=0; sub->sa_any[i] != NULL; i++) { + inlen += sub->sa_any[i]->bv_len; + } + } + if( sub->sa_final ) { + inlen += sub->sa_final->bv_len; + } + + if( sub->sa_initial ) { + if( inlen > left.bv_len ) { + match = 1; + goto done; + } + + match = strncasecmp( sub->sa_initial->bv_val, left.bv_val, + sub->sa_initial->bv_len ); + + if( match != 0 ) { + goto done; + } + + left.bv_val += sub->sa_initial->bv_len; + left.bv_len -= sub->sa_initial->bv_len; + inlen -= sub->sa_initial->bv_len; + } + + if( sub->sa_final ) { + if( inlen > left.bv_len ) { + match = 1; + goto done; + } + + match = strncasecmp( sub->sa_final->bv_val, + &left.bv_val[left.bv_len - sub->sa_final->bv_len], + sub->sa_final->bv_len ); + + if( match != 0 ) { + goto done; + } + + left.bv_len -= sub->sa_final->bv_len; + inlen -= sub->sa_final->bv_len; + } + + if( sub->sa_any ) { + for(i=0; sub->sa_any[i]; i++) { + ber_len_t idx; + char *p; + +retry: + if( inlen > left.bv_len ) { + /* not enough length */ + match = 1; + goto done; + } + + if( sub->sa_any[i]->bv_len == 0 ) { + continue; + } + + p = strcasechr( left.bv_val, *sub->sa_any[i]->bv_val ); + + if( p == NULL ) { + match = 1; + goto done; + } + + idx = p - left.bv_val; + assert( idx < left.bv_len ); + + if( idx >= left.bv_len ) { + /* this shouldn't happen */ + return LDAP_OTHER; + } + + left.bv_val = p; + left.bv_len -= idx; + + if( sub->sa_any[i]->bv_len > left.bv_len ) { + /* not enough left */ + match = 1; + goto done; + } + + match = strncasecmp( left.bv_val, + sub->sa_any[i]->bv_val, + sub->sa_any[i]->bv_len ); + + if( match != 0 ) { + left.bv_val++; + left.bv_len--; + + goto retry; + } + + left.bv_val += sub->sa_any[i]->bv_len; + left.bv_len -= sub->sa_any[i]->bv_len; + inlen -= sub->sa_any[i]->bv_len; + } + } + +done: + *matchp = match; + return LDAP_SUCCESS; 
+} + +/* Index generation function */ +int caseIgnoreIndexer( + slap_mask_t use, + slap_mask_t flags, + Syntax *syntax, + MatchingRule *mr, + struct berval *prefix, + struct berval **values, + struct berval ***keysp ) +{ + int i; + size_t slen, mlen; + struct berval **keys; + lutil_MD5_CTX MD5context; + unsigned char MD5digest[16]; + struct berval digest; + digest.bv_val = MD5digest; + digest.bv_len = sizeof(MD5digest); + + for( i=0; values[i] != NULL; i++ ) { + /* just count them */ + } + + assert( i > 0 ); + + keys = ch_malloc( sizeof( struct berval * ) * (i+1) ); + + slen = strlen( syntax->ssyn_oid ); + mlen = strlen( mr->smr_oid ); + + for( i=0; values[i] != NULL; i++ ) { + struct berval *value = ber_bvdup( values[i] ); + ldap_pvt_str2upper( value->bv_val ); + + lutil_MD5Init( &MD5context ); + if( prefix != NULL && prefix->bv_len > 0 ) { + lutil_MD5Update( &MD5context, + prefix->bv_val, prefix->bv_len ); + } + lutil_MD5Update( &MD5context, + syntax->ssyn_oid, slen ); + lutil_MD5Update( &MD5context, + mr->smr_oid, mlen ); + lutil_MD5Update( &MD5context, + value->bv_val, value->bv_len ); + lutil_MD5Final( MD5digest, &MD5context ); + + ber_bvfree( value ); + + keys[i] = ber_bvdup( &digest ); + } + + keys[i] = NULL; + *keysp = keys; + return LDAP_SUCCESS; +} + +/* Index generation function */ +int caseIgnoreFilter( + slap_mask_t use, + slap_mask_t flags, + Syntax *syntax, + MatchingRule *mr, + struct berval *prefix, + void * assertValue, + struct berval ***keysp ) +{ + size_t slen, mlen; + struct berval **keys; + lutil_MD5_CTX MD5context; + unsigned char MD5digest[LUTIL_MD5_BYTES]; + struct berval *value; + struct berval digest; + digest.bv_val = MD5digest; + digest.bv_len = sizeof(MD5digest); + + slen = strlen( syntax->ssyn_oid ); + mlen = strlen( mr->smr_oid ); + + value = ber_bvdup( (struct berval *) assertValue ); + ldap_pvt_str2upper( value->bv_val ); + + keys = ch_malloc( sizeof( struct berval * ) * 2 ); + + lutil_MD5Init( &MD5context ); + if( prefix != NULL 
&& prefix->bv_len > 0 ) { + lutil_MD5Update( &MD5context, + prefix->bv_val, prefix->bv_len ); + } + lutil_MD5Update( &MD5context, + syntax->ssyn_oid, slen ); + lutil_MD5Update( &MD5context, + mr->smr_oid, mlen ); + lutil_MD5Update( &MD5context, + value->bv_val, value->bv_len ); + lutil_MD5Final( MD5digest, &MD5context ); + + keys[0] = ber_bvdup( &digest ); + keys[1] = NULL; + + ber_bvfree( value ); + + *keysp = keys; + + return LDAP_SUCCESS; +} + +/* Substrings Index generation function */ +int caseIgnoreSubstringsIndexer( + slap_mask_t use, + slap_mask_t flags, + Syntax *syntax, + MatchingRule *mr, + struct berval *prefix, + struct berval **values, + struct berval ***keysp ) +{ + ber_len_t i, nkeys; + size_t slen, mlen; + struct berval **keys; + lutil_MD5_CTX MD5context; + unsigned char MD5digest[16]; + struct berval digest; + digest.bv_val = MD5digest; + digest.bv_len = sizeof(MD5digest); + + nkeys=0; + for( i=0; values[i] != NULL; i++ ) { + /* count number of indices to generate */ + if( values[i]->bv_len < SLAP_INDEX_SUBSTR_MINLEN ) { + continue; + } + + if( flags & SLAP_INDEX_SUBSTR_INITIAL ) { + if( values[i]->bv_len >= SLAP_INDEX_SUBSTR_MAXLEN ) { + nkeys += SLAP_INDEX_SUBSTR_MAXLEN - + ( SLAP_INDEX_SUBSTR_MINLEN - 1); + } else { + nkeys += values[i]->bv_len - ( SLAP_INDEX_SUBSTR_MINLEN - 1 ); + } + } + + if( flags & SLAP_INDEX_SUBSTR_ANY ) { + if( values[i]->bv_len >= SLAP_INDEX_SUBSTR_MAXLEN ) { + nkeys += values[i]->bv_len - ( SLAP_INDEX_SUBSTR_MAXLEN - 1 ); + } + } + + if( flags & SLAP_INDEX_SUBSTR_FINAL ) { + if( values[i]->bv_len >= SLAP_INDEX_SUBSTR_MAXLEN ) { + nkeys += SLAP_INDEX_SUBSTR_MAXLEN - + ( SLAP_INDEX_SUBSTR_MINLEN - 1); + } else { + nkeys += values[i]->bv_len - ( SLAP_INDEX_SUBSTR_MINLEN - 1 ); + } + } + } + assert( i > 0 ); + + if( nkeys == 0 ) { + /* no keys to generate */ + *keysp = NULL; + return LDAP_SUCCESS; + } + + keys = ch_malloc( sizeof( struct berval * ) * (nkeys+1) ); + + slen = strlen( syntax->ssyn_oid ); + mlen = strlen( 
mr->smr_oid ); + + nkeys=0; + for( i=0; values[i] != NULL; i++ ) { + int j,max; + struct berval *value; + + if( values[i]->bv_len < SLAP_INDEX_SUBSTR_MINLEN ) continue; + + value = ber_bvdup( values[i] ); + ldap_pvt_str2upper( value->bv_val ); + + if( ( flags & SLAP_INDEX_SUBSTR_ANY ) && + ( value->bv_len >= SLAP_INDEX_SUBSTR_MAXLEN ) ) + { + char pre = SLAP_INDEX_SUBSTR_PREFIX; + max = value->bv_len - ( SLAP_INDEX_SUBSTR_MAXLEN - 1); + + for( j=0; jbv_len > 0 ) { + lutil_MD5Update( &MD5context, + prefix->bv_val, prefix->bv_len ); + } + + lutil_MD5Update( &MD5context, + &pre, sizeof( pre ) ); + lutil_MD5Update( &MD5context, + syntax->ssyn_oid, slen ); + lutil_MD5Update( &MD5context, + mr->smr_oid, mlen ); + lutil_MD5Update( &MD5context, + &value->bv_val[j], + SLAP_INDEX_SUBSTR_MAXLEN ); + lutil_MD5Final( MD5digest, &MD5context ); + + keys[nkeys++] = ber_bvdup( &digest ); + } + } + + max = SLAP_INDEX_SUBSTR_MAXLEN < value->bv_len + ? SLAP_INDEX_SUBSTR_MAXLEN : value->bv_len; + + for( j=SLAP_INDEX_SUBSTR_MINLEN; j<=max; j++ ) { + char pre; + + if( flags & SLAP_INDEX_SUBSTR_INITIAL ) { + pre = SLAP_INDEX_SUBSTR_INITIAL_PREFIX; + lutil_MD5Init( &MD5context ); + if( prefix != NULL && prefix->bv_len > 0 ) { + lutil_MD5Update( &MD5context, + prefix->bv_val, prefix->bv_len ); + } + lutil_MD5Update( &MD5context, + &pre, sizeof( pre ) ); + lutil_MD5Update( &MD5context, + syntax->ssyn_oid, slen ); + lutil_MD5Update( &MD5context, + mr->smr_oid, mlen ); + lutil_MD5Update( &MD5context, + value->bv_val, j ); + lutil_MD5Final( MD5digest, &MD5context ); + + keys[nkeys++] = ber_bvdup( &digest ); + } + + if( flags & SLAP_INDEX_SUBSTR_FINAL ) { + pre = SLAP_INDEX_SUBSTR_FINAL_PREFIX; + lutil_MD5Init( &MD5context ); + if( prefix != NULL && prefix->bv_len > 0 ) { + lutil_MD5Update( &MD5context, + prefix->bv_val, prefix->bv_len ); + } + lutil_MD5Update( &MD5context, + &pre, sizeof( pre ) ); + lutil_MD5Update( &MD5context, + syntax->ssyn_oid, slen ); + lutil_MD5Update( &MD5context, + 
mr->smr_oid, mlen ); + lutil_MD5Update( &MD5context, + &value->bv_val[value->bv_len-j], j ); + lutil_MD5Final( MD5digest, &MD5context ); + + keys[nkeys++] = ber_bvdup( &digest ); + } + + } + + ber_bvfree( value ); + } + + if( nkeys > 0 ) { + keys[nkeys] = NULL; + *keysp = keys; + } else { + ch_free( keys ); + *keysp = NULL; + } + + return LDAP_SUCCESS; +} + +int caseIgnoreSubstringsFilter( + slap_mask_t use, + slap_mask_t flags, + Syntax *syntax, + MatchingRule *mr, + struct berval *prefix, + void * assertValue, + struct berval ***keysp ) +{ + SubstringsAssertion *sa = assertValue; + char pre; + ber_len_t nkeys = 0; + size_t slen, mlen, klen; + struct berval **keys; + lutil_MD5_CTX MD5context; + unsigned char MD5digest[LUTIL_MD5_BYTES]; + struct berval *value; + struct berval digest; + + if((flags & SLAP_INDEX_SUBSTR_INITIAL) && sa->sa_initial != NULL && + sa->sa_initial->bv_len >= SLAP_INDEX_SUBSTR_MINLEN ) + { + nkeys++; + } - for( count = in->bv_len; count > 0; count-=len, u+=len ) { - /* get the length indicated by the first byte */ - len = LDAP_UTF8_CHARLEN( u ); + if((flags & SLAP_INDEX_SUBSTR_ANY) && sa->sa_any != NULL ) { + ber_len_t i; + for( i=0; sa->sa_any[i] != NULL; i++ ) { + if( sa->sa_any[i]->bv_len >= SLAP_INDEX_SUBSTR_MAXLEN ) { + /* don't bother accounting for stepping */ + nkeys += sa->sa_any[i]->bv_len - + ( SLAP_INDEX_SUBSTR_MAXLEN - 1 ); + } + } + } - /* should not be zero */ - if( len == 0 ) return LDAP_INVALID_SYNTAX; + if((flags & SLAP_INDEX_SUBSTR_FINAL) && sa->sa_final != NULL && + sa->sa_final->bv_len >= SLAP_INDEX_SUBSTR_MINLEN ) + { + nkeys++; + } - /* make sure len corresponds with the offset - to the next character */ - if( LDAP_UTF8_OFFSET( u ) != len ) return LDAP_INVALID_SYNTAX; + if( nkeys == 0 ) { + *keysp = NULL; + return LDAP_SUCCESS; } - if( count != 0 ) return LDAP_INVALID_SYNTAX; + digest.bv_val = MD5digest; + digest.bv_len = sizeof(MD5digest); - return LDAP_SUCCESS; -} + slen = strlen( syntax->ssyn_oid ); + mlen = strlen( 
mr->smr_oid ); -static int -UTF8StringNormalize( - Syntax *syntax, - struct berval *val, - struct berval **normalized ) -{ - struct berval *newval; - char *p, *q, *s; + keys = ch_malloc( sizeof( struct berval * ) * (nkeys+1) ); + nkeys = 0; - newval = ch_malloc( sizeof( struct berval ) ); + if((flags & SLAP_INDEX_SUBSTR_INITIAL) && sa->sa_initial != NULL && + sa->sa_initial->bv_len >= SLAP_INDEX_SUBSTR_MINLEN ) + { + pre = SLAP_INDEX_SUBSTR_INITIAL_PREFIX; + value = ber_bvdup( sa->sa_initial ); + ldap_pvt_str2upper( value->bv_val ); - p = val->bv_val; + klen = SLAP_INDEX_SUBSTR_MAXLEN < value->bv_len + ? SLAP_INDEX_SUBSTR_MAXLEN : value->bv_len; - /* Ignore initial whitespace */ - while ( ldap_utf8_isspace( p ) ) { - LDAP_UTF8_INCR( p ); - } + lutil_MD5Init( &MD5context ); + if( prefix != NULL && prefix->bv_len > 0 ) { + lutil_MD5Update( &MD5context, + prefix->bv_val, prefix->bv_len ); + } + lutil_MD5Update( &MD5context, + &pre, sizeof( pre ) ); + lutil_MD5Update( &MD5context, + syntax->ssyn_oid, slen ); + lutil_MD5Update( &MD5context, + mr->smr_oid, mlen ); + lutil_MD5Update( &MD5context, + value->bv_val, klen ); + lutil_MD5Final( MD5digest, &MD5context ); - if( *p == '\0' ) { - ch_free( newval ); - return LDAP_INVALID_SYNTAX; + ber_bvfree( value ); + keys[nkeys++] = ber_bvdup( &digest ); } - newval->bv_val = ch_strdup( p ); - p = q = newval->bv_val; - s = NULL; + if((flags & SLAP_INDEX_SUBSTR_ANY) && sa->sa_any != NULL ) { + ber_len_t i, j; + pre = SLAP_INDEX_SUBSTR_PREFIX; + klen = SLAP_INDEX_SUBSTR_MAXLEN; - while ( *p ) { - int len; + for( i=0; sa->sa_any[i] != NULL; i++ ) { + if( sa->sa_any[i]->bv_len < SLAP_INDEX_SUBSTR_MAXLEN ) { + continue; + } - if ( ldap_utf8_isspace( p ) ) { - len = LDAP_UTF8_COPY(q,p); - s=q; - p+=len; - q+=len; + value = ber_bvdup( sa->sa_any[i] ); + ldap_pvt_str2upper( value->bv_val ); - /* Ignore the extra whitespace */ - while ( ldap_utf8_isspace( p ) ) { - LDAP_UTF8_INCR( p ); + for(j=0; + j <= value->bv_len - 
SLAP_INDEX_SUBSTR_MAXLEN; + j += SLAP_INDEX_SUBSTR_STEP ) + { + lutil_MD5Init( &MD5context ); + if( prefix != NULL && prefix->bv_len > 0 ) { + lutil_MD5Update( &MD5context, + prefix->bv_val, prefix->bv_len ); + } + lutil_MD5Update( &MD5context, + &pre, sizeof( pre ) ); + lutil_MD5Update( &MD5context, + syntax->ssyn_oid, slen ); + lutil_MD5Update( &MD5context, + mr->smr_oid, mlen ); + lutil_MD5Update( &MD5context, + &value->bv_val[j], klen ); + lutil_MD5Final( MD5digest, &MD5context ); + + keys[nkeys++] = ber_bvdup( &digest ); } - } else { - len = LDAP_UTF8_COPY(q,p); - s=NULL; - p+=len; - q+=len; + + ber_bvfree( value ); } } - assert( *newval->bv_val ); - assert( newval->bv_val < p ); - assert( p >= q ); + if((flags & SLAP_INDEX_SUBSTR_FINAL) && sa->sa_final != NULL && + sa->sa_final->bv_len >= SLAP_INDEX_SUBSTR_MINLEN ) + { + pre = SLAP_INDEX_SUBSTR_FINAL_PREFIX; + value = ber_bvdup( sa->sa_final ); + ldap_pvt_str2upper( value->bv_val ); - /* cannot start with a space */ - assert( !ldap_utf8_isspace(newval->bv_val) ); + klen = SLAP_INDEX_SUBSTR_MAXLEN < value->bv_len + ? SLAP_INDEX_SUBSTR_MAXLEN : value->bv_len; - /* - * If the string ended in space, backup the pointer one - * position. One is enough because the above loop collapsed - * all whitespace to a single space. 
- */ + lutil_MD5Init( &MD5context ); + if( prefix != NULL && prefix->bv_len > 0 ) { + lutil_MD5Update( &MD5context, + prefix->bv_val, prefix->bv_len ); + } + lutil_MD5Update( &MD5context, + &pre, sizeof( pre ) ); + lutil_MD5Update( &MD5context, + syntax->ssyn_oid, slen ); + lutil_MD5Update( &MD5context, + mr->smr_oid, mlen ); + lutil_MD5Update( &MD5context, + &value->bv_val[value->bv_len-klen], klen ); + lutil_MD5Final( MD5digest, &MD5context ); - if ( s != NULL ) { - q = s; + ber_bvfree( value ); + keys[nkeys++] = ber_bvdup( &digest ); } - /* cannot end with a space */ - assert( !ldap_utf8_isspace( LDAP_UTF8_PREV(q) ) ); - - /* null terminate */ - *q = '\0'; - - newval->bv_len = q - newval->bv_val; - *normalized = newval; + if( nkeys > 0 ) { + keys[nkeys] = NULL; + *keysp = keys; + } else { + ch_free( keys ); + *keysp = NULL; + } return LDAP_SUCCESS; } - + static int oidValidate( Syntax *syntax, @@ -491,7 +1821,13 @@ integerValidate( if( !val->bv_len ) return LDAP_INVALID_SYNTAX; - for(i=0; i < val->bv_len; i++) { + if( val->bv_val[0] == '+' || val->bv_val[0] == '-' ) { + if( val->bv_len < 2 ) return LDAP_INVALID_SYNTAX; + } else if( !ASCII_DIGIT(val->bv_val[0]) ) { + return LDAP_INVALID_SYNTAX; + } + + for(i=1; i < val->bv_len; i++) { if( !ASCII_DIGIT(val->bv_val[i]) ) return LDAP_INVALID_SYNTAX; } 
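Review bot: In caseExactSubstringsMatch the any-component loop searches with `strchr( left.bv_val, ... )`, which is bounded neither by `left.bv_len` nor by anything but a NUL: after the final component has been matched `left.bv_len` is shortened but the trimmed bytes are still in the string, so a hit inside that tail yields `idx >= left.bv_len`, which trips `assert( idx < left.bv_len )` in builds with assertions enabled (terminating slapd on a client-supplied search filter) and otherwise returns LDAP_OTHER instead of a plain no-match. Use a length-bounded search and treat a miss as no-match: `p = memchr( left.bv_val, *sub->sa_any[i]->bv_val, left.bv_len );` and drop the assert/LDAP_OTHER pair. caseIgnoreSubstringsMatch has the identical structure via `strcasechr` and needs a bounded variant too; note that this diff removes the `strcasechr` definition at old line 1208, so unless it was re-added earlier in the file (outside this diff) that call no longer has a declaration. Smaller points in the same hunk: the digest buffer is declared `MD5digest[16]` in the indexers and `MD5digest[LUTIL_MD5_BYTES]` in the filters — use the constant throughout — and caseIgnoreSubstringsIndexer declares `int j,max` where the caseExact variant uses `ber_len_t`, so `j<=max` mixes signedness.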
@@ -499,23 +1835,50 @@ integerValidate( } static int -printableStringValidate( +integerNormalize( Syntax *syntax, - struct berval *val ) + struct berval *val, + struct berval **normalized ) { - ber_len_t i; + int negative; + struct berval *newval; + char *p; - if( !val->bv_len ) return LDAP_INVALID_SYNTAX; + p = val->bv_val; - for(i=0; i < val->bv_len; i++) { - if( !isprint(val->bv_val[i]) ) return LDAP_INVALID_SYNTAX; + /* save sign */ + negative = ( *p == '-' ); + if( *p == '-' || *p == '+' ) p++; + + /* Ignore leading zeros */ + while ( *p == '0' ) p++; + + newval = (struct berval *) ch_malloc( sizeof(struct berval) ); + + if( *p == '\0' ) { + newval->bv_val = ch_strdup("0"); + newval->bv_len = 1; + goto done; + } + + newval->bv_val = ch_malloc( val->bv_len + 1 ); + newval->bv_len = 0; + + if( negative ) { + newval->bv_val[newval->bv_len++] = '-'; + } + + for( ; *p != '\0'; p++ ) { + newval->bv_val[newval->bv_len++] = *p; } +done: + *normalized = newval; return LDAP_SUCCESS; } static int -IA5StringValidate( +printableStringValidate( Syntax *syntax, struct berval *val ) { 
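Review bot: integerNormalize never NUL-terminates the value it builds: `ch_malloc( val->bv_len + 1 )` reserves the byte, but after the copy loop nothing writes it, so `newval->bv_val` is a bare byte string while the `"0"` path (via `ch_strdup`) and the other normalizers in this file produce terminated strings, and any later code that treats the normalized value as a C string reads past the allocation. Add `newval->bv_val[newval->bv_len] = '\0';` immediately before the `done:` label. The `while ( *p == '0' )` skip and the copy loop also rely on the input being terminated; if callers guarantee that (likely, given the rest of the file), a one-line comment saying so would help, otherwise bound both by `val->bv_len`.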
@@ -524,36 +1887,25 @@ IA5StringValidate( if( !val->bv_len ) return LDAP_INVALID_SYNTAX; for(i=0; i < val->bv_len; i++) { - if( !isascii(val->bv_val[i]) ) return LDAP_INVALID_SYNTAX; + if( !isprint(val->bv_val[i]) ) return LDAP_INVALID_SYNTAX; } return LDAP_SUCCESS; } static int -IA5StringConvert( +IA5StringValidate( Syntax *syntax, - struct berval *in, - struct berval **out ) + struct berval *val ) { - ldap_unicode_t *u; - ber_len_t i, len = in->bv_len; - struct berval *bv = ch_malloc( sizeof(struct berval) ); + ber_len_t i; - bv->bv_len = len * sizeof( ldap_unicode_t ); - u = (ldap_unicode_t *) ch_malloc( bv->bv_len + sizeof(ldap_unicode_t) ); - bv->bv_val = (char *) u; + if( !val->bv_len ) return LDAP_INVALID_SYNTAX; - for(i=0; i < len; i++ ) { - /* - * IA5StringValidate should have been called to ensure - * input is limited to IA5. - */ - u[i] = in->bv_val[i]; + for(i=0; i < val->bv_len; i++) { + if( !isascii(val->bv_val[i]) ) return LDAP_INVALID_SYNTAX; } - u[i] = 0; - *out = bv; return LDAP_SUCCESS; } @@ -598,7 +1950,7 @@ IA5StringNormalize( assert( *newval->bv_val ); assert( newval->bv_val < p ); - assert( p <= q ); + assert( q <= p ); /* cannot start with a space */ assert( !ASCII_SPACE(*newval->bv_val) ); @@ -1208,20 +2560,6 @@ caseIgnoreIA5Match( return LDAP_SUCCESS; } -static char *strcasechr( const char *str, int c ) -{ - char *lower = strchr( str, TOLOWER(c) ); - char *upper = strchr( str, TOUPPER(c) ); - - if( lower && upper ) { - return lower < upper ? lower : upper; - } else if ( lower ) { - return lower; - } else { - return upper; - } -} - static int caseIgnoreIA5SubstringsMatch( int *matchp, 
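Review bot: printableStringValidate and IA5StringValidate pass `val->bv_val[i]` — a plain `char` — straight to `isprint()` and `isascii()`; for bytes above 0x7F `char` is negative on most ABIs, and passing a value that is neither `EOF` nor representable as `unsigned char` to the `<ctype.h>` classifiers is undefined behaviour. Cast first: `if( !isprint( (unsigned char) val->bv_val[i] ) ) return LDAP_INVALID_SYNTAX;` and the same for `isascii` for consistency; printableStringValidate's signature sits in the preceding hunk, only its body is here. Separately, `isprint` is locale-dependent and accepts far more than the RFC 2252 PrintableString repertoire (letters, digits, space and `'()+,-./:?`), so either check against that set explicitly or add a comment stating that the looser acceptance is deliberate.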
@@ -2313,7 +3651,7 @@ struct syntax_defs_rec syntax_defs[] = { {"( 1.3.6.1.4.1.1466.115.121.1.5 DESC 'Binary' " X_BINARY X_NOT_H_R ")", SLAP_SYNTAX_BER, berValidate, NULL, NULL}, {"( 1.3.6.1.4.1.1466.115.121.1.6 DESC 'Bit String' )", - 0, bitStringValidate, bitStringNormalize, NULL }, + 0, bitStringValidate, NULL, NULL }, {"( 1.3.6.1.4.1.1466.115.121.1.7 DESC 'Boolean' )", 0, booleanValidate, NULL, NULL}, {"( 1.3.6.1.4.1.1466.115.121.1.8 DESC 'Certificate' " @@ -2370,7 +3708,7 @@ struct syntax_defs_rec syntax_defs[] = { {"( 1.3.6.1.4.1.1466.115.121.1.33 DESC 'MHS OR Address' )", 0, NULL, NULL, NULL}, {"( 1.3.6.1.4.1.1466.115.121.1.34 DESC 'Name And Optional UID' )", - 0, nameUIDValidate, nameUIDNormalize, nameUIDPretty}, + 0, nameUIDValidate, nameUIDNormalize, NULL}, {"( 1.3.6.1.4.1.1466.115.121.1.35 DESC 'Name Form Description' )", 0, NULL, NULL, NULL}, {"( 1.3.6.1.4.1.1466.115.121.1.36 DESC 'Numeric String' )", @@ -2414,7 +3752,7 @@ struct syntax_defs_rec syntax_defs[] = { 0, NULL, NULL, NULL}, /* RFC 2307 NIS Syntaxes */ - {"( 1.3.6.1.1.1.0.0 DESC 'RFC2307 NIS Triple' )", + {"( 1.3.6.1.1.1.0.0 DESC 'RFC2307 NIS Netgroup Triple' )", 0, nisNetgroupTripleValidate, NULL, NULL}, {"( 1.3.6.1.1.1.0.1 DESC 'RFC2307 Boot Parameter' )", 0, bootParameterValidate, NULL, NULL}, @@ -2423,6 +3761,8 @@ struct syntax_defs_rec syntax_defs[] = { {"( 1.3.6.1.4.1.4203.666.2.1 DESC 'OpenLDAP Experimental ACI' )", 0, IA5StringValidate /* THIS WILL CHANGE FOR NEW ACI SYNTAX */, NULL, NULL}, + {"( 1.3.6.1.4.1.4203.666.2.2 DESC 'OpenLDAP authPassword' )", + 0, NULL, NULL, NULL}, /* OpenLDAP Void Syntax */ {"( 1.3.6.1.4.1.4203.1.1.1 DESC 'OpenLDAP void' " X_HIDE ")" , @@ -2446,7 +3786,6 @@ struct mrule_defs_rec { * Other matching rules in X.520 that we do not use (yet): * * 2.5.13.9 numericStringOrderingMatch - * 2.5.13.13 booleanMatch * 2.5.13.15 integerOrderingMatch * 2.5.13.18 octetStringOrderingMatch * 2.5.13.19 octetStringSubstringsMatch 
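Review bot: the new authPassword syntax entry registers no validator, normalizer or pretty function (`0, NULL, NULL, NULL`), so how values of 1.3.6.1.4.1.4203.666.2.2 are checked depends entirely on how the consumer of syntax_defs treats a NULL validate pointer, which is not visible here. If NULL means "accept anything", values could be stored with no structural check at all; if it means "reject", the syntax is unusable until a validator lands. A comment on the entry saying which is intended, e.g. `/* TODO: no validator yet -- values of this syntax are not checked */`, would save the next reader the lookup.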
@@ -2469,6 +3808,24 @@ struct mrule_defs_rec { */ struct mrule_defs_rec mrule_defs[] = { + /* + * EQUALITY matching rules must be listed after associated APPROX + * matching rules. So, we list all APPROX matching rules first. + */ + {"( " directoryStringApproxMatchOID " NAME 'directoryStringApproxMatch' " + "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )", + SLAP_MR_EQUALITY_APPROX | SLAP_MR_EXT, + NULL, NULL, + directoryStringApproxMatch, NULL, NULL, + NULL}, + + {"( " IA5StringApproxMatchOID " NAME 'IA5StringApproxMatch' " + "SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )", + SLAP_MR_EQUALITY_APPROX | SLAP_MR_EXT, + NULL, NULL, + IA5StringApproxMatch, NULL, NULL, + NULL}, + /* * Other matching rules */ @@ -2492,7 +3849,7 @@ struct mrule_defs_rec mrule_defs[] = { SLAP_MR_EQUALITY | SLAP_MR_EXT, NULL, NULL, caseIgnoreMatch, caseIgnoreIndexer, caseIgnoreFilter, - NULL}, + directoryStringApproxMatchOID }, {"( 2.5.13.3 NAME 'caseIgnoreOrderingMatch' " "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )", @@ -2515,7 +3872,7 @@ struct mrule_defs_rec mrule_defs[] = { SLAP_MR_EQUALITY | SLAP_MR_EXT, NULL, NULL, caseExactMatch, caseExactIndexer, caseExactFilter, - NULL}, + directoryStringApproxMatchOID }, {"( 2.5.13.6 NAME 'caseExactOrderingMatch' " "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )", @@ -2574,7 +3931,7 @@ struct mrule_defs_rec mrule_defs[] = { "SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )", SLAP_MR_EQUALITY | SLAP_MR_EXT, NULL, NULL, - integerMatch, NULL, NULL, + integerMatch, integerIndexer, integerFilter, NULL}, {"( 2.5.13.16 NAME 'bitStringMatch' " 
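Review bot: the ordering invariant stated in the new comment (APPROX rules before the EQUALITY rules that name them via `directoryStringApproxMatchOID` / `IA5StringApproxMatchOID`) is enforced only by table position; nothing in the hunk checks it. If the registration loop resolves the approx OID by lookup (not visible here), a failed lookup should be a hard startup error rather than a silently missing approx rule, and the comment could name that check so a future reordering of mrule_defs is caught at boot rather than as a subtle matching change. Extending the comment with `/* see the mrule registration loop: an unresolved approx OID must fail startup */` (or whatever the actual behaviour is) would make the dependency explicit.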
@@ -2659,14 +4016,14 @@ struct mrule_defs_rec mrule_defs[] = { SLAP_MR_EQUALITY | SLAP_MR_EXT, NULL, NULL, caseExactIA5Match, caseExactIA5Indexer, caseExactIA5Filter, - NULL}, + IA5StringApproxMatchOID }, {"( 1.3.6.1.4.1.1466.109.114.2 NAME 'caseIgnoreIA5Match' " "SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )", SLAP_MR_EQUALITY | SLAP_MR_EXT, NULL, NULL, caseIgnoreIA5Match, caseExactIA5Indexer, caseExactIA5Filter, - NULL}, + IA5StringApproxMatchOID }, {"( 1.3.6.1.4.1.1466.109.114.3 NAME 'caseIgnoreIA5SubstringsMatch' " "SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )", @@ -2686,6 +4043,13 @@ struct mrule_defs_rec mrule_defs[] = { caseExactIA5SubstringsFilter, NULL}, + {"( 1.3.6.1.4.1.4203.666.4.1 NAME 'authPasswordMatch' " + "SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )", + SLAP_MR_EQUALITY, + NULL, NULL, + authPasswordMatch, NULL, NULL, + NULL}, + {"( 1.3.6.1.4.1.4203.666.4.2 NAME 'OpenLDAPaciMatch' " "SYNTAX 1.3.6.1.4.1.4203.666.2.1 )", SLAP_MR_EQUALITY, diff --git a/servers/slapd/search.c b/servers/slapd/search.c index 92e36b0ab8..1749dede27 100644 --- a/servers/slapd/search.c +++ b/servers/slapd/search.c @@ -202,6 +202,13 @@ do_search( } } + if( nbase[0] == '\0' && default_search_nbase != NULL ) { + ch_free( base ); + ch_free( nbase ); + base = ch_strdup( default_search_base ); + nbase = ch_strdup( default_search_nbase ); + } + /* * We could be serving multiple database backends. Select the * appropriate one, or send a referral to our "referral server" diff --git a/servers/slapd/sets.c b/servers/slapd/sets.c index d5c021f4dc..7dc7507947 100644 --- a/servers/slapd/sets.c +++ b/servers/slapd/sets.c 
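Review bot: the default-base substitution in do_search tests only `default_search_nbase != NULL` but then dereferences the other global in `ch_strdup( default_search_base )`; if the two can ever be set independently that is a NULL strdup. Either test both, `if( nbase[0] == '\0' && default_search_base != NULL && default_search_nbase != NULL )`, or add `assert( default_search_base != NULL );` beside the check to document that config sets them as a pair. It is also worth confirming that the rootDSE lookup for an empty base with base scope is handled before this point (it is outside the hunk), since otherwise a client asking for the rootDSE is silently redirected to the configured default base. do_search's body continues on both sides of the hunk.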
@@ -4,16 +4,17 @@ * COPYING RESTRICTIONS APPLY, see COPYRIGHT file */ -#include "portable.h" +#include "portable.h" -#include +#include #include - + #include "slap.h" #include "sets.h" static char **set_join (char **lset, int op, char **rset); -static char **set_chase (SET_GATHER gatherer, void *cookie, char **set, char *attr, int attrlen, int closure); +static char **set_chase (SET_GATHER gatherer, + void *cookie, char **set, char *attr, int attrlen, int closure); static int set_samedn (char *dn1, char *dn2); long @@ -119,7 +120,8 @@ set_join (char **lset, int op, char **rset) } static char ** -set_chase (SET_GATHER gatherer, void *cookie, char **set, char *attr, int attrlen, int closure) +set_chase (SET_GATHER gatherer, + void *cookie, char **set, char *attr, int attrlen, int closure) { char **vals, **nset; char attrstr[32]; @@ -195,14 +197,19 @@ set_samedn (char *dn1, char *dn2) } int -set_filter (SET_GATHER gatherer, void *cookie, char *filter, char *user, char *this, char ***results) +set_filter (SET_GATHER gatherer, + void *cookie, char *filter, char *user, char *this, char ***results) { -# define IS_SET(x) ( (long)(x) >= 256 ) -# define IS_OP(x) ( (long)(x) < 256 ) -# define SF_ERROR(x) { rc = -1; goto _error; } -# define SF_TOP() (char **)( (stp < 0) ? 0 : stack[stp] ) -# define SF_POP() (char **)( (stp < 0) ? 0 : stack[stp--] ) -# define SF_PUSH(x) { if (stp >= 63) SF_ERROR(overflow); stack[++stp] = (char **)(long)(x); } +#define IS_SET(x) ( (long)(x) >= 256 ) +#define IS_OP(x) ( (long)(x) < 256 ) +#define SF_ERROR(x) do { rc = -1; goto _error; } while (0) +#define SF_TOP() ( (char **)( (stp < 0) ? 0 : stack[stp] ) ) +#define SF_POP() ( (char **)( (stp < 0) ? 0 : stack[stp--] ) ) +#define SF_PUSH(x) do { \ + if (stp >= 63) SF_ERROR(overflow); \ + stack[++stp] = (char **)(long)(x); \ + } while (0) + char c; char **set, **lset; int len, op, rc, stp; 
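Review bot: the stack bound in `SF_PUSH` is the literal `63`, detached from whatever size `stack[]` is declared with (the declaration is outside this hunk); if the array is ever resized the overflow guard silently stops matching. Derive it from the array instead: `if (stp >= (int)(sizeof(stack)/sizeof(stack[0])) - 1) SF_ERROR(overflow);`. Separately, `IS_SET`/`IS_OP` distinguish opcodes from pointers by casting a pointer to `long` and comparing with 256, which assumes `long` is at least pointer-sized — false on LLP64 targets such as 64-bit Windows, which this commit's MSVC updates suggest is in scope; a `/* XXX assumes sizeof(long) >= sizeof(void *) */` note on those two macros would flag it. set_filter's body continues past the hunk.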
@@ -345,7 +352,8 @@ set_filter (SET_GATHER gatherer, void *cookie, char *filter, char *user, char *t SF_ERROR(syntax); } else { SF_POP(); - set = set_chase(gatherer, cookie, SF_POP(), filter, len, c == '*'); + set = set_chase(gatherer, + cookie, SF_POP(), filter, len, c == '*'); if (set == NULL) SF_ERROR(memory); if (c == '*') diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h index 2129015b93..69007e65e9 100644 --- a/servers/slapd/slap.h +++ b/servers/slapd/slap.h @@ -256,7 +256,7 @@ typedef struct slap_syntax { #define slap_syntax_is_ber(s) slap_syntax_is_flag((s),SLAP_SYNTAX_BER) #define slap_syntax_is_hidden(s) slap_syntax_is_flag((s),SLAP_SYNTAX_HIDE) -/* XXX -> UCS-2 Converter */ +/* X -> Y Converter */ typedef int slap_mr_convert_func LDAP_P(( struct berval * in, struct berval ** out )); @@ -455,6 +455,7 @@ struct slap_internal_schema { /* Other attributes descriptions */ AttributeDescription *si_ad_userPassword; + AttributeDescription *si_ad_authPassword; #ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND AttributeDescription *si_ad_krbName; #endif @@ -853,6 +854,8 @@ struct slap_backend_db { | SLAP_RESTRICT_OP_MODIFY \ | SLAP_RESTRICT_OP_RENAME ) +#define SLAP_ALLOW_TLS_2_ANON 0x0001U /* StartTLS -> Anonymous */ + #define SLAP_DISALLOW_BIND_V2 0x0001U /* LDAPv2 bind */ #define SLAP_DISALLOW_BIND_ANON 0x0002U /* no anonymous */ #define SLAP_DISALLOW_BIND_ANON_CRED \ @@ -860,6 +863,11 @@ struct slap_backend_db { #define SLAP_DISALLOW_BIND_ANON_DN \ 0x0008U /* dn should be empty */ +#define SLAP_DISALLOW_BIND_SIMPLE 0x0010U /* simple authentication */ +#define SLAP_DISALLOW_BIND_KRBV4 0x0020U /* Kerberos V4 authentication */ + +#define SLAP_DISALLOW_TLS_AUTHC 0x0100U /* TLS while authenticated */ + slap_mask_t be_requires; /* pre-operation requirements */ #define SLAP_REQUIRE_BIND 0x0001U /* bind before op */ #define SLAP_REQUIRE_LDAP_V3 0x0002U /* LDAPv3 before op */ 
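Review bot: the new allow/disallow flags in slap.h are documented by mechanism rather than by the request they affect, which makes their policy hard to read from the header alone. `SLAP_ALLOW_TLS_2_ANON 0x0001U /* StartTLS -> Anonymous */` would be clearer as `/* StartTLS on an authenticated connection resets it to anonymous */`, and `SLAP_DISALLOW_TLS_AUTHC` as `/* reject StartTLS once the connection is authenticated */`. The allow and disallow masks also both begin at 0x0001U, so a comment noting that they are separate namespaces that must never be OR'd into the same mask would be prudent; the same applies to the second slap.h hunk that adds the BIND_SIMPLE/BIND_KRBV4 bits.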
@@ -867,7 +875,6 @@ struct slap_backend_db { #define SLAP_REQUIRE_SASL 0x0008U /* SASL before op */ #define SLAP_REQUIRE_STRONG 0x0010U /* strong authentication before op */ - /* Required Security Strength Factor */ slap_ssf_set_t be_ssf_set; diff --git a/servers/slapd/slapd.dsp b/servers/slapd/slapd.dsp index c0b8dc9def..2e45ca9a38 100644 --- a/servers/slapd/slapd.dsp +++ b/servers/slapd/slapd.dsp @@ -53,7 +53,7 @@ BSC32=bscmake.exe # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386 -# ADD LINK32 advapi32.lib sasl.lib hs_regex.lib libdb.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /machine:I386 /libpath:"..\..\Release" +# ADD LINK32 advapi32.lib libdb31.lib sasl.lib hs_regex.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /machine:I386 /libpath:"..\..\Release" !ELSEIF "$(CFG)" == "slapd - Win32 Debug" @@ -77,7 +77,7 @@ BSC32=bscmake.exe # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept -# ADD LINK32 advapi32.lib hs_regex.lib libdb.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept /libpath:"..\..\Debug" +# ADD LINK32 advapi32.lib libdb31.lib hs_regex.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept /libpath:"..\..\Debug" !ELSEIF "$(CFG)" == "slapd - Win32 Single Debug" 
@@ -102,7 +102,7 @@ BSC32=bscmake.exe # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 hs_regexd.lib libdbs.lib wsock32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept -# ADD LINK32 hs_regex.lib libdb.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept /libpath:"..\..\SDebug" +# ADD LINK32 libdb31.lib hs_regex.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept /libpath:"..\..\SDebug" !ELSEIF "$(CFG)" == "slapd - Win32 Single Release" @@ -127,7 +127,7 @@ BSC32=bscmake.exe # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 hs_regex.lib libdb.lib wsock32.lib /nologo /subsystem:console /machine:I386 -# ADD LINK32 sasl.lib hs_regex.lib libdb.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /machine:I386 /libpath:"..\..\SRelease" +# ADD LINK32 libdb.lib libdb31.lib hs_regex.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /machine:I386 /libpath:"..\..\SRelease" !ENDIF diff --git a/servers/slapd/starttls.c b/servers/slapd/starttls.c index bd12f32c73..97bbab084a 100644 --- a/servers/slapd/starttls.c +++ b/servers/slapd/starttls.c @@ -59,6 +59,21 @@ starttls_extop ( goto done; } + if ( ( global_disallows & SLAP_DISALLOW_TLS_AUTHC ) && + ( conn->c_dn != NULL ) ) + { + *text = "cannot start TLS after authentication"; + rc = LDAP_OPERATIONS_ERROR; + goto done; + } + + if ( ( global_allows & SLAP_ALLOW_TLS_2_ANON ) && + ( conn->c_dn != NULL ) ) + { + /* force to anonymous */ + connection2anonymous( conn ); + } + /* fail if TLS could not be initialized */ if (ldap_pvt_tls_get_option(NULL, LDAP_OPT_X_TLS_CERT, &ctx) != 0 || ctx == NULL) diff --git a/servers/slapd/tools/mimic.c b/servers/slapd/tools/mimic.c index 2398308aca..555a1b31cc 100644 --- a/servers/slapd/tools/mimic.c +++ b/servers/slapd/tools/mimic.c @@ -152,3 +152,7 @@ char * slap_sasl_secprops( const char *in ) return NULL; } +void connection2anonymous( Connection *c ) +{ + assert(0); +} 
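Review bot: the `SLAP_ALLOW_TLS_2_ANON` branch in starttls_extop drops an authenticated identity silently — `connection2anonymous( conn )` runs with no log line and nothing in the response, so an operator has no record that a bound session was reset to anonymous by StartTLS. A log entry through the server's existing Debug/Statslog facility naming the connection and the DN being discarded, emitted before the call frees it, would make the downgrade auditable. Both tests also use `conn->c_dn != NULL` as "is authenticated"; if an anonymous bind can leave `c_dn` pointing at an empty string rather than NULL (not visible here), the checks should be `conn->c_dn != NULL && *conn->c_dn != '\0'`. For the disallow branch, `LDAP_UNWILLING_TO_PERFORM` expresses a policy refusal; RFC 2830 uses operationsError for cases such as a TLS layer that is already established. starttls_extop's body continues on both sides of the hunk.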
diff --git a/servers/slapd/tools/slapadd.dsp b/servers/slapd/tools/slapadd.dsp index bc5a39369a..5f04d48a70 100644 --- a/servers/slapd/tools/slapadd.dsp +++ b/servers/slapd/tools/slapadd.dsp @@ -53,7 +53,7 @@ BSC32=bscmake.exe # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386 -# ADD LINK32 libdb.lib sasl.lib hs_regex.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /machine:I386 /libpath:"..\..\..\Release" +# ADD LINK32 libdb31.lib sasl.lib hs_regex.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /machine:I386 /libpath:"..\..\..\Release" !ELSEIF "$(CFG)" == "slapadd - Win32 Debug" @@ -77,7 +77,7 @@ BSC32=bscmake.exe # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept -# ADD LINK32 libdb.lib hs_regex.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept /libpath:"..\..\..\Debug" +# ADD LINK32 libdb31.lib hs_regex.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept /libpath:"..\..\..\Debug" !ELSEIF "$(CFG)" == "slapadd - Win32 Single Debug" 
@@ -102,7 +102,7 @@ BSC32=bscmake.exe # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib hs_regexd.lib libdbs.lib ws2_32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept -# ADD LINK32 libdb.lib hs_regex.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept /libpath:"..\..\..\SDebug" +# ADD LINK32 libdb31.lib hs_regex.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept /libpath:"..\..\..\SDebug" !ELSEIF "$(CFG)" == "slapadd - Win32 Single Release" @@ -127,7 +127,7 @@ BSC32=bscmake.exe # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 hs_regex.lib libdb.lib ws2_32.lib /nologo /subsystem:console /machine:I386 -# ADD LINK32 libdbs.lib sasl.lib hs_regex.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /machine:I386 /libpath:"..\..\..\SRelease" +# ADD LINK32 libdbs.lib libdb31.lib hs_regex.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /machine:I386 /libpath:"..\..\..\SRelease" !ENDIF diff --git a/servers/slapd/tools/slapcat.dsp b/servers/slapd/tools/slapcat.dsp index 694beae96f..a46d3de79a 100644 --- a/servers/slapd/tools/slapcat.dsp +++ b/servers/slapd/tools/slapcat.dsp @@ -53,7 +53,7 @@ BSC32=bscmake.exe # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386 -# ADD LINK32 libdb.lib sasl.lib hs_regex.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /machine:I386 /libpath:"..\..\..\Release" +# ADD LINK32 libdb31.lib sasl.lib hs_regex.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /machine:I386 /libpath:"..\..\..\Release" !ELSEIF "$(CFG)" == "slapcat - Win32 Debug" 
@@ -77,7 +77,7 @@ BSC32=bscmake.exe # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept -# ADD LINK32 libdb.lib hs_regex.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept /libpath:"..\..\..\Debug" +# ADD LINK32 libdb31.lib hs_regex.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept /libpath:"..\..\..\Debug" !ELSEIF "$(CFG)" == "slapcat - Win32 Single Debug" @@ -102,7 +102,7 @@ BSC32=bscmake.exe # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 oldbm32.lib libdb.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept /libpath:"..\..\..\libraries\Debug" -# ADD LINK32 libdb.lib hs_regex.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept /libpath:"..\..\..\SDebug" +# ADD LINK32 libdb31.lib hs_regex.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept /libpath:"..\..\..\SDebug" !ELSEIF "$(CFG)" == "slapcat - Win32 Single Release" @@ -126,7 +126,7 @@ BSC32=bscmake.exe # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib libdb.lib /nologo /subsystem:console /machine:I386 /libpath:"..\..\..\libraries\Release" -# ADD LINK32 libdbs.lib sasl.lib hs_regex.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /machine:I386 /libpath:"..\..\..\SRelease" +# ADD LINK32 libdbs.lib libdb31.lib hs_regex.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /machine:I386 /libpath:"..\..\..\SRelease" !ENDIF diff --git a/servers/slapd/tools/slapindex.dsp b/servers/slapd/tools/slapindex.dsp index f0e4e386c9..1e4cfca043 100644 --- a/servers/slapd/tools/slapindex.dsp 
+++ b/servers/slapd/tools/slapindex.dsp @@ -54,7 +54,7 @@ BSC32=bscmake.exe # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386 -# ADD LINK32 libdb.lib sasl.lib hs_regex.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /machine:I386 /libpath:"..\..\..\Release" +# ADD LINK32 libdb31.lib sasl.lib hs_regex.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /machine:I386 /libpath:"..\..\..\Release" !ELSEIF "$(CFG)" == "slapindex - Win32 Debug" @@ -78,7 +78,7 @@ BSC32=bscmake.exe # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept -# ADD LINK32 libdb.lib hs_regex.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept /libpath:"..\..\..\Debug" +# ADD LINK32 libdb31.lib hs_regex.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept /libpath:"..\..\..\Debug" !ELSEIF "$(CFG)" == "slapindex - Win32 Single Debug" @@ -103,7 +103,7 @@ BSC32=bscmake.exe # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 kernel32.lib shell32.lib hs_regexd.lib libdbs.lib ws2_32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept -# ADD LINK32 libdb.lib hs_regex.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept /libpath:"..\..\..\SDebug" +# ADD LINK32 libdb31.lib hs_regex.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept /libpath:"..\..\..\SDebug" !ELSEIF "$(CFG)" == "slapindex - Win32 Single Release" 
@@ -128,7 +128,7 @@ BSC32=bscmake.exe # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 hs_regex.lib libdb.lib ws2_32.lib /nologo /subsystem:console /machine:I386 -# ADD LINK32 libdbs.lib sasl.lib hs_regex.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /machine:I386 /libpath:"..\..\SRelease" +# ADD LINK32 libdbs.lib libdb31.lib hs_regex.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /machine:I386 /libpath:"..\..\SRelease" !ENDIF diff --git a/servers/slurpd/args.c b/servers/slurpd/args.c index f9cd9db8a3..8f8458c34d 100644 --- a/servers/slurpd/args.c +++ b/servers/slurpd/args.c @@ -106,7 +106,9 @@ doargs( g->slapd_configfile = strdup( optarg ); break; case 'r': /* slapd replog file */ - strcpy( g->slapd_replogfile, optarg ); + strncpy( g->slapd_replogfile, optarg, + sizeof(g->slapd_replogfile)-1 ); + g->slapd_replogfile[sizeof(g->slapd_replogfile)-1] = '\0'; rflag++; break; case 't': /* dir to use for our copies of replogs */ @@ -150,7 +152,4 @@ doargs( #endif return 0; - } - - diff --git a/tests/scripts/test000-rootdse b/tests/scripts/test000-rootdse index 47ddc2abe5..3f7a0e89fa 100755 --- a/tests/scripts/test000-rootdse +++ b/tests/scripts/test000-rootdse @@ -41,7 +41,11 @@ cat $SEARCHOUT if test $RC != 0 ; then echo ">>>>> Test failed" else - echo ">>>>> Test succeeded" + if grep "TLS:" $SEARCHOUT; then + RC=-1 + else + echo ">>>>> Test succeeded" + fi fi
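Review bot: the `-r` fix stops the overflow but truncates silently — a path longer than `slapd_replogfile` is cut and slurpd then opens a file whose name differs from what the operator passed, which is worse than refusing. Reject over-long values up front instead: `if ( strlen( optarg ) >= sizeof(g->slapd_replogfile) ) { fprintf( stderr, "replog file name too long\n" ); return -1; }` (substituting whatever failure value doargs already returns; only its `return 0` success path is visible in the next hunk), after which `snprintf( g->slapd_replogfile, sizeof(g->slapd_replogfile), "%s", optarg )` is both bounded and NUL-terminated without the two-step strncpy idiom. doargs starts and ends outside this hunk.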
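Review bot: the new TLS check sets `RC=-1` but prints nothing, so a run that fails only because `TLS:` appeared in the rootDSE output ends without the `>>>>> Test failed` marker the other branch emits; add `echo ">>>>> Test failed (unexpected TLS: in rootDSE output)"` next to the assignment. `grep` without `-q` also echoes the matching line into the test log, which is useful for diagnosis but should be deliberate. If the script later does `exit $RC`, a negative value is reported as 255, so a positive code such as `RC=1` is clearer.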