diff options
Diffstat (limited to 'contrib/slapd-modules/samba4')
-rw-r--r-- | contrib/slapd-modules/samba4/Makefile | 68 | ||||
-rw-r--r-- | contrib/slapd-modules/samba4/README | 72 | ||||
-rw-r--r-- | contrib/slapd-modules/samba4/pguid.c | 460 | ||||
-rw-r--r-- | contrib/slapd-modules/samba4/rdnval.c | 658 | ||||
-rw-r--r-- | contrib/slapd-modules/samba4/vernum.c | 459 |
5 files changed, 1717 insertions, 0 deletions
diff --git a/contrib/slapd-modules/samba4/Makefile b/contrib/slapd-modules/samba4/Makefile new file mode 100644 index 0000000..6704ce7 --- /dev/null +++ b/contrib/slapd-modules/samba4/Makefile @@ -0,0 +1,68 @@ +# $OpenLDAP$ +# This work is part of OpenLDAP Software <http://www.openldap.org/>. +# +# Copyright 1998-2021 The OpenLDAP Foundation. +# Copyright 2004 Howard Chu, Symas Corp. All Rights Reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted only as authorized by the OpenLDAP +# Public License. +# +# A copy of this license is available in the file LICENSE in the +# top-level directory of the distribution or, alternatively, at +# <http://www.OpenLDAP.org/license.html>. + +LDAP_SRC = ../../.. +LDAP_BUILD = $(LDAP_SRC) +LDAP_INC = -I$(LDAP_BUILD)/include -I$(LDAP_SRC)/include -I$(LDAP_SRC)/servers/slapd +LDAP_LIB = $(LDAP_BUILD)/libraries/libldap_r/libldap_r.la \ + $(LDAP_BUILD)/libraries/liblber/liblber.la + +LIBTOOL = $(LDAP_BUILD)/libtool +CC = gcc +OPT = -g -O2 -Wall +DEFS = -DSLAPD_OVER_RDNVAL=SLAPD_MOD_DYNAMIC \ + -DSLAPD_OVER_PGUID=SLAPD_MOD_DYNAMIC \ + -DSLAPD_OVER_VERNUM=SLAPD_MOD_DYNAMIC +INCS = $(LDAP_INC) +LIBS = $(LDAP_LIB) + +PROGRAMS = pguid.la rdnval.la vernum.la +LTVER = 0:0:0 + +prefix=/usr/local +exec_prefix=$(prefix) +ldap_subdir=/openldap + +libdir=$(exec_prefix)/lib +libexecdir=$(exec_prefix)/libexec +moduledir = $(libexecdir)$(ldap_subdir) + +.SUFFIXES: .c .o .lo + +.c.lo: + $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $< + +all: $(PROGRAMS) + +pguid.la: pguid.lo + $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \ + -rpath $(moduledir) -module -o $@ $? $(LIBS) + +rdnval.la: rdnval.lo + $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \ + -rpath $(moduledir) -module -o $@ $? $(LIBS) + +vernum.la: vernum.lo + $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \ + -rpath $(moduledir) -module -o $@ $? $(LIBS) + +clean: + rm -rf *.o *.lo *.la .libs + +install: $(PROGRAMS) + mkdir -p $(DESTDIR)$(moduledir) + for p in $(PROGRAMS) ; do \ + $(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \ + done + diff --git a/contrib/slapd-modules/samba4/README b/contrib/slapd-modules/samba4/README new file mode 100644 index 0000000..b68034b --- /dev/null +++ b/contrib/slapd-modules/samba4/README @@ -0,0 +1,72 @@ +# $OpenLDAP$ + +This directory contains slapd overlays specific to samba4 LDAP backend: + + - pguid (not used) + - rdnval (under evaluation) + - vernum (under evaluation) + + + - PGUID + +This overlay maintains the operational attribute "parentUUID". It contains +the entryUUID of the parent entry. This overlay is not being considered +right now. + + + - RDNVAL + +This overlay maintains the operational attribute "rdnValue". It contains +the value of the entry's RDN. This attribute is defined by the overlay +itself as + + ( 1.3.6.1.4.1.4203.666.1.58 + NAME 'rdnValue' + DESC 'the value of the naming attributes' + SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' + EQUALITY caseIgnoreMatch + USAGE dSAOperation + NO-USER-MODIFICATION ) + +under OpenLDAP's development OID arc. This OID is temporary. + +To use the overlay, add: + + moduleload <path to>rdnval.so + ... + + database <whatever> + ... + overlay rdnval + +to your slapd configuration file. An instance is required for each database +that needs to maintain this attribute. + + + - VERNUM + +This overlay increments a counter any time an attribute is modified. +It is intended to increment the counter 'msDS-KeyVersionNumber' when +the attribute 'unicodePwd' is modified. + + +These overlays are only set up to be built as a dynamically loaded modules. +On most platforms, in order for the modules to be usable, all of the +library dependencies must also be available as shared libraries. + +If you need to build the overlays statically, you will have to move them +into the slapd/overlays directory and edit the Makefile and overlays.c +to reference them. + +--- +This work is part of OpenLDAP Software <http://www.openldap.org/>. +Copyright 2009-2021 The OpenLDAP Foundation. + +Redistribution and use in source and binary forms, with or without +modification, are permitted only as authorized by the OpenLDAP +Public License. + +A copy of this license is available in the file LICENSE in the +top-level directory of the distribution or, alternatively, at +<http://www.OpenLDAP.org/license.html>. + diff --git a/contrib/slapd-modules/samba4/pguid.c b/contrib/slapd-modules/samba4/pguid.c new file mode 100644 index 0000000..ae7d71e --- /dev/null +++ b/contrib/slapd-modules/samba4/pguid.c @@ -0,0 +1,460 @@ +/* pguid.c - Parent GUID value overlay */ +/* $OpenLDAP$ */ +/* This work is part of OpenLDAP Software <http://www.openldap.org/>. + * + * Copyright 1998-2021 The OpenLDAP Foundation. + * Portions Copyright 2008 Pierangelo Masarati. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP + * Public License. + * + * A copy of this license is available in the file LICENSE in the + * top-level directory of the distribution or, alternatively, at + * <http://www.OpenLDAP.org/license.html>. + */ +/* ACKNOWLEDGEMENTS: + * This work was initially developed by Pierangelo Masarati + * for inclusion in OpenLDAP Software. + */ + +#include "portable.h" + +#ifdef SLAPD_OVER_PGUID + +#include <stdio.h> + +#include "ac/string.h" +#include "ac/socket.h" + +#include "slap.h" +#include "config.h" + +#include "lutil.h" + +/* + * Maintain an attribute (parentUUID) that contains the value + * of the entryUUID of the parent entry (used by Samba4) + */ + +static AttributeDescription *ad_parentUUID; + +static slap_overinst pguid; + +static int +pguid_op_add( Operation *op, SlapReply *rs ) +{ + slap_overinst *on = (slap_overinst *)op->o_bd->bd_info; + + struct berval pdn, pndn; + Entry *e = NULL; + Attribute *a; + int rc; + + /* don't care about suffix entry */ + if ( dn_match( &op->o_req_ndn, &op->o_bd->be_nsuffix[0] ) ) { + return SLAP_CB_CONTINUE; + } + + dnParent( &op->o_req_dn, &pdn ); + dnParent( &op->o_req_ndn, &pndn ); + + rc = overlay_entry_get_ov( op, &pndn, NULL, slap_schema.si_ad_entryUUID, 0, &e, on ); + if ( rc != LDAP_SUCCESS || e == NULL ) { + Debug( LDAP_DEBUG_ANY, "%s: pguid_op_add: unable to get parent entry DN=\"%s\" (%d)\n", + op->o_log_prefix, pdn.bv_val, rc ); + return SLAP_CB_CONTINUE; + } + + a = attr_find( e->e_attrs, slap_schema.si_ad_entryUUID ); + if ( a == NULL ) { + Debug( LDAP_DEBUG_ANY, "%s: pguid_op_add: unable to find entryUUID of parent entry DN=\"%s\" (%d)\n", + op->o_log_prefix, pdn.bv_val, rc ); + + } else { + assert( a->a_numvals == 1 ); + + if ( op->ora_e != NULL ) { + attr_merge_one( op->ora_e, ad_parentUUID, &a->a_vals[0], a->a_nvals == a->a_vals ? NULL : &a->a_nvals[0] ); + + } else { + Modifications *ml; + Modifications *mod; + + assert( op->ora_modlist != NULL ); + + for ( ml = op->ora_modlist; ml != NULL; ml = ml->sml_next ) { + if ( ml->sml_mod.sm_desc == slap_schema.si_ad_entryUUID ) { + break; + } + } + + if ( ml == NULL ) { + ml = op->ora_modlist; + } + + mod = (Modifications *) ch_malloc( sizeof( Modifications ) ); + mod->sml_flags = SLAP_MOD_INTERNAL; + mod->sml_op = LDAP_MOD_ADD; + mod->sml_desc = ad_parentUUID; + mod->sml_type = ad_parentUUID->ad_cname; + mod->sml_values = ch_malloc( sizeof( struct berval ) * 2 ); + mod->sml_nvalues = NULL; + mod->sml_numvals = 1; + + ber_dupbv( &mod->sml_values[0], &a->a_vals[0] ); + BER_BVZERO( &mod->sml_values[1] ); + + mod->sml_next = ml->sml_next; + ml->sml_next = mod; + } + } + + if ( e != NULL ) { + (void)overlay_entry_release_ov( op, e, 0, on ); + } + + return SLAP_CB_CONTINUE; +} + +static int +pguid_op_rename( Operation *op, SlapReply *rs ) +{ + slap_overinst *on = (slap_overinst *)op->o_bd->bd_info; + + Entry *e = NULL; + Attribute *a; + int rc; + + if ( op->orr_nnewSup == NULL ) { + return SLAP_CB_CONTINUE; + } + + rc = overlay_entry_get_ov( op, op->orr_nnewSup, NULL, slap_schema.si_ad_entryUUID, 0, &e, on ); + if ( rc != LDAP_SUCCESS || e == NULL ) { + Debug( LDAP_DEBUG_ANY, "%s: pguid_op_rename: unable to get newSuperior entry DN=\"%s\" (%d)\n", + op->o_log_prefix, op->orr_newSup->bv_val, rc ); + return SLAP_CB_CONTINUE; + } + + a = attr_find( e->e_attrs, slap_schema.si_ad_entryUUID ); + if ( a == NULL ) { + Debug( LDAP_DEBUG_ANY, "%s: pguid_op_rename: unable to find entryUUID of newSuperior entry DN=\"%s\" (%d)\n", + op->o_log_prefix, op->orr_newSup->bv_val, rc ); + + } else { + Modifications *mod; + + assert( a->a_numvals == 1 ); + + mod = (Modifications *) ch_malloc( sizeof( Modifications ) ); + mod->sml_flags = SLAP_MOD_INTERNAL; + mod->sml_op = LDAP_MOD_REPLACE; + mod->sml_desc = ad_parentUUID; + mod->sml_type = ad_parentUUID->ad_cname; + mod->sml_values = ch_malloc( sizeof( struct berval ) * 2 ); + mod->sml_nvalues = NULL; + mod->sml_numvals = 1; + + ber_dupbv( &mod->sml_values[0], &a->a_vals[0] ); + BER_BVZERO( &mod->sml_values[1] ); + + mod->sml_next = op->orr_modlist; + op->orr_modlist = mod; + } + + if ( e != NULL ) { + (void)overlay_entry_release_ov( op, e, 0, on ); + } + + return SLAP_CB_CONTINUE; +} + +static int +pguid_db_init( + BackendDB *be, + ConfigReply *cr) +{ + if ( SLAP_ISGLOBALOVERLAY( be ) ) { + Log0( LDAP_DEBUG_ANY, LDAP_LEVEL_ERR, + "pguid_db_init: pguid cannot be used as global overlay.\n" ); + return 1; + } + + if ( be->be_nsuffix == NULL ) { + Log0( LDAP_DEBUG_ANY, LDAP_LEVEL_ERR, + "pguid_db_init: database must have suffix\n" ); + return 1; + } + + if ( BER_BVISNULL( &be->be_rootndn ) || BER_BVISEMPTY( &be->be_rootndn ) ) { + Log1( LDAP_DEBUG_ANY, LDAP_LEVEL_ERR, + "pguid_db_init: missing rootdn for database DN=\"%s\", YMMV\n", + be->be_suffix[ 0 ].bv_val ); + } + + return 0; +} + +typedef struct pguid_mod_t { + struct berval ndn; + struct berval pguid; + struct pguid_mod_t *next; +} pguid_mod_t; + +typedef struct { + slap_overinst *on; + pguid_mod_t *mods; +} pguid_repair_cb_t; + +static int +pguid_repair_cb( Operation *op, SlapReply *rs ) +{ + int rc; + pguid_repair_cb_t *pcb = op->o_callback->sc_private; + Entry *e = NULL; + Attribute *a; + struct berval pdn, pndn; + + switch ( rs->sr_type ) { + case REP_SEARCH: + break; + + case REP_SEARCHREF: + case REP_RESULT: + return rs->sr_err; + + default: + assert( 0 ); + } + + assert( rs->sr_entry != NULL ); + + dnParent( &rs->sr_entry->e_name, &pdn ); + dnParent( &rs->sr_entry->e_nname, &pndn ); + + rc = overlay_entry_get_ov( op, &pndn, NULL, slap_schema.si_ad_entryUUID, 0, &e, pcb->on ); + if ( rc != LDAP_SUCCESS || e == NULL ) { + Debug( LDAP_DEBUG_ANY, "%s: pguid_repair_cb: unable to get parent entry DN=\"%s\" (%d)\n", + op->o_log_prefix, pdn.bv_val, rc ); + return 0; + } + + a = attr_find( e->e_attrs, slap_schema.si_ad_entryUUID ); + if ( a == NULL ) { + Debug( LDAP_DEBUG_ANY, "%s: pguid_repair_cb: unable to find entryUUID of parent entry DN=\"%s\" (%d)\n", + op->o_log_prefix, pdn.bv_val, rc ); + + } else { + ber_len_t len; + pguid_mod_t *mod; + + assert( a->a_numvals == 1 ); + + len = sizeof( pguid_mod_t ) + rs->sr_entry->e_nname.bv_len + 1 + a->a_vals[0].bv_len + 1; + mod = op->o_tmpalloc( len, op->o_tmpmemctx ); + mod->ndn.bv_len = rs->sr_entry->e_nname.bv_len; + mod->ndn.bv_val = (char *)&mod[1]; + mod->pguid.bv_len = a->a_vals[0].bv_len; + mod->pguid.bv_val = (char *)&mod->ndn.bv_val[mod->ndn.bv_len + 1]; + lutil_strncopy( mod->ndn.bv_val, rs->sr_entry->e_nname.bv_val, rs->sr_entry->e_nname.bv_len ); + lutil_strncopy( mod->pguid.bv_val, a->a_vals[0].bv_val, a->a_vals[0].bv_len ); + + mod->next = pcb->mods; + pcb->mods = mod; + + Debug( LDAP_DEBUG_TRACE, "%s: pguid_repair_cb: scheduling entry DN=\"%s\" for repair\n", + op->o_log_prefix, rs->sr_entry->e_name.bv_val, 0 ); + } + + if ( e != NULL ) { + (void)overlay_entry_release_ov( op, e, 0, pcb->on ); + } + + return 0; +} + +static int +pguid_repair( BackendDB *be ) +{ + slap_overinst *on = (slap_overinst *)be->bd_info; + void *ctx = ldap_pvt_thread_pool_context(); + Connection conn = { 0 }; + OperationBuffer opbuf; + Operation *op; + slap_callback sc = { 0 }; + pguid_repair_cb_t pcb = { 0 }; + SlapReply rs = { REP_RESULT }; + pguid_mod_t *pmod; + int nrepaired = 0; + + connection_fake_init2( &conn, &opbuf, ctx, 0 ); + op = &opbuf.ob_op; + + op->o_tag = LDAP_REQ_SEARCH; + memset( &op->oq_search, 0, sizeof( op->oq_search ) ); + + op->o_bd = select_backend( &be->be_nsuffix[ 0 ], 0 ); + + op->o_req_dn = op->o_bd->be_suffix[ 0 ]; + op->o_req_ndn = op->o_bd->be_nsuffix[ 0 ]; + + op->o_dn = op->o_bd->be_rootdn; + op->o_ndn = op->o_bd->be_rootndn; + + op->ors_scope = LDAP_SCOPE_SUBORDINATE; + op->ors_tlimit = SLAP_NO_LIMIT; + op->ors_slimit = SLAP_NO_LIMIT; + op->ors_attrs = slap_anlist_no_attrs; + + op->ors_filterstr.bv_len = STRLENOF( "(!(=*))" ) + ad_parentUUID->ad_cname.bv_len; + op->ors_filterstr.bv_val = op->o_tmpalloc( op->ors_filterstr.bv_len + 1, op->o_tmpmemctx ); + snprintf( op->ors_filterstr.bv_val, op->ors_filterstr.bv_len + 1, + "(!(%s=*))", ad_parentUUID->ad_cname.bv_val ); + + op->ors_filter = str2filter_x( op, op->ors_filterstr.bv_val ); + if ( op->ors_filter == NULL ) { + rs.sr_err = LDAP_OTHER; + goto done_search; + } + + op->o_callback = ≻ + sc.sc_response = pguid_repair_cb; + sc.sc_private = &pcb; + pcb.on = on; + + (void)op->o_bd->bd_info->bi_op_search( op, &rs ); + + op->o_tag = LDAP_REQ_MODIFY; + sc.sc_response = slap_null_cb; + sc.sc_private = NULL; + memset( &op->oq_modify, 0, sizeof( req_modify_s ) ); + + for ( pmod = pcb.mods; pmod != NULL; ) { + pguid_mod_t *pnext; + + Modifications *mod; + SlapReply rs2 = { REP_RESULT }; + + mod = (Modifications *) ch_malloc( sizeof( Modifications ) ); + mod->sml_flags = SLAP_MOD_INTERNAL; + mod->sml_op = LDAP_MOD_REPLACE; + mod->sml_desc = ad_parentUUID; + mod->sml_type = ad_parentUUID->ad_cname; + mod->sml_values = ch_malloc( sizeof( struct berval ) * 2 ); + mod->sml_nvalues = NULL; + mod->sml_numvals = 1; + mod->sml_next = NULL; + + ber_dupbv( &mod->sml_values[0], &pmod->pguid ); + BER_BVZERO( &mod->sml_values[1] ); + + op->o_req_dn = pmod->ndn; + op->o_req_ndn = pmod->ndn; + + op->orm_modlist = mod; + op->o_bd->be_modify( op, &rs2 ); + slap_mods_free( op->orm_modlist, 1 ); + if ( rs2.sr_err == LDAP_SUCCESS ) { + Debug( LDAP_DEBUG_TRACE, "%s: pguid_repair: entry DN=\"%s\" repaired\n", + op->o_log_prefix, pmod->ndn.bv_val, 0 ); + nrepaired++; + + } else { + Debug( LDAP_DEBUG_ANY, "%s: pguid_repair: entry DN=\"%s\" repair failed (%d)\n", + op->o_log_prefix, pmod->ndn.bv_val, rs2.sr_err ); + } + + pnext = pmod->next; + op->o_tmpfree( pmod, op->o_tmpmemctx ); + pmod = pnext; + } + +done_search:; + op->o_tmpfree( op->ors_filterstr.bv_val, op->o_tmpmemctx ); + filter_free_x( op, op->ors_filter, 1 ); + + Log1( LDAP_DEBUG_STATS, LDAP_LEVEL_INFO, + "pguid: repaired=%d\n", nrepaired ); + + return rs.sr_err; +} + +/* search all entries without parentUUID; "repair" them */ +static int +pguid_db_open( + BackendDB *be, + ConfigReply *cr ) +{ + if ( SLAP_SINGLE_SHADOW( be ) ) { + Log1( LDAP_DEBUG_ANY, LDAP_LEVEL_ERR, + "pguid incompatible with shadow database \"%s\".\n", + be->be_suffix[ 0 ].bv_val ); + return 1; + } + + pguid_repair( be ); + + return 0; +} + +static struct { + char *desc; + AttributeDescription **adp; +} as[] = { + { "( 1.3.6.1.4.1.4203.666.1.59 " + "NAME 'parentUUID' " + "DESC 'the value of the entryUUID of the parent' " + "EQUALITY UUIDMatch " + "ORDERING UUIDOrderingMatch " + "SYNTAX 1.3.6.1.1.16.1 " + "USAGE dSAOperation " + "SINGLE-VALUE " + "NO-USER-MODIFICATION " + ")", + &ad_parentUUID }, + { NULL } +}; + +int +pguid_initialize(void) +{ + int code, i; + + for ( i = 0; as[ i ].desc != NULL; i++ ) { + code = register_at( as[ i ].desc, as[ i ].adp, 0 ); + if ( code ) { + Debug( LDAP_DEBUG_ANY, + "pguid_initialize: register_at #%d failed\n", + i, 0, 0 ); + return code; + } + + /* Allow Manager to set these as needed */ + if ( is_at_no_user_mod( (*as[ i ].adp)->ad_type ) ) { + (*as[ i ].adp)->ad_type->sat_flags |= + SLAP_AT_MANAGEABLE; + } + } + + pguid.on_bi.bi_type = "pguid"; + + pguid.on_bi.bi_op_add = pguid_op_add; + pguid.on_bi.bi_op_modrdn = pguid_op_rename; + + pguid.on_bi.bi_db_init = pguid_db_init; + pguid.on_bi.bi_db_open = pguid_db_open; + + return overlay_register( &pguid ); +} + +#if SLAPD_OVER_PGUID == SLAPD_MOD_DYNAMIC +int +init_module( int argc, char *argv[] ) +{ + return pguid_initialize(); +} +#endif /* SLAPD_OVER_PGUID == SLAPD_MOD_DYNAMIC */ + +#endif /* SLAPD_OVER_PGUID */ diff --git a/contrib/slapd-modules/samba4/rdnval.c b/contrib/slapd-modules/samba4/rdnval.c new file mode 100644 index 0000000..95b2d4f --- /dev/null +++ b/contrib/slapd-modules/samba4/rdnval.c @@ -0,0 +1,658 @@ +/* rdnval.c - RDN value overlay */ +/* $OpenLDAP$ */ +/* This work is part of OpenLDAP Software <http://www.openldap.org/>. + * + * Copyright 1998-2021 The OpenLDAP Foundation. + * Portions Copyright 2008 Pierangelo Masarati. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP + * Public License. + * + * A copy of this license is available in the file LICENSE in the + * top-level directory of the distribution or, alternatively, at + * <http://www.OpenLDAP.org/license.html>. + */ +/* ACKNOWLEDGEMENTS: + * This work was initially developed by Pierangelo Masarati + * for inclusion in OpenLDAP Software. + */ + +#include "portable.h" + +#ifdef SLAPD_OVER_RDNVAL + +#include <stdio.h> + +#include "ac/string.h" +#include "ac/socket.h" + +#include "slap.h" +#include "config.h" + +#include "lutil.h" + +/* + * Maintain an attribute (rdnValue) that contains the values of each AVA + * that builds up the RDN of an entry. This is required for interoperation + * with Samba4. It mimics the "name" attribute provided by Active Directory. + * The naming attributes must be directoryString-valued, or compatible. + * For example, IA5String values are cast into directoryString unless + * consisting of the empty string (""). + */ + +static AttributeDescription *ad_rdnValue; +static Syntax *syn_IA5String; + +static slap_overinst rdnval; + +static int +rdnval_is_valid( AttributeDescription *desc, struct berval *value ) +{ + if ( desc->ad_type->sat_syntax == slap_schema.si_syn_directoryString ) { + return 1; + } + + if ( desc->ad_type->sat_syntax == syn_IA5String + && !BER_BVISEMPTY( value ) ) + { + return 1; + } + + return 0; +} + +static int +rdnval_unique_check_cb( Operation *op, SlapReply *rs ) +{ + if ( rs->sr_type == REP_SEARCH ) { + int *p = (int *)op->o_callback->sc_private; + (*p)++; + } + + return 0; +} + +static int +rdnval_unique_check( Operation *op, BerVarray vals ) +{ + slap_overinst *on = (slap_overinst *)op->o_bd->bd_info; + + BackendDB db = *op->o_bd; + Operation op2 = *op; + SlapReply rs2 = { 0 }; + int i; + BerVarray fvals; + char *ptr; + int gotit = 0; + slap_callback cb = { 0 }; + + /* short-circuit attempts to add suffix entry */ + if ( op->o_tag == LDAP_REQ_ADD + && be_issuffix( op->o_bd, &op->o_req_ndn ) ) + { + return LDAP_SUCCESS; + } + + op2.o_bd = &db; + op2.o_bd->bd_info = (BackendInfo *)on->on_info; + op2.o_tag = LDAP_REQ_SEARCH; + op2.o_dn = op->o_bd->be_rootdn; + op2.o_ndn = op->o_bd->be_rootndn; + op2.o_callback = &cb; + cb.sc_response = rdnval_unique_check_cb; + cb.sc_private = (void *)&gotit; + + dnParent( &op->o_req_ndn, &op2.o_req_dn ); + op2.o_req_ndn = op2.o_req_dn; + + op2.ors_limit = NULL; + op2.ors_slimit = 1; + op2.ors_tlimit = SLAP_NO_LIMIT; + op2.ors_attrs = slap_anlist_no_attrs; + op2.ors_attrsonly = 1; + op2.ors_deref = LDAP_DEREF_NEVER; + op2.ors_scope = LDAP_SCOPE_ONELEVEL; + + for ( i = 0; !BER_BVISNULL( &vals[ i ] ); i++ ) + /* just count */ ; + + fvals = op->o_tmpcalloc( sizeof( struct berval ), i + 1, + op->o_tmpmemctx ); + + op2.ors_filterstr.bv_len = 0; + if ( i > 1 ) { + op2.ors_filterstr.bv_len = STRLENOF( "(&)" ); + } + + for ( i = 0; !BER_BVISNULL( &vals[ i ] ); i++ ) { + ldap_bv2escaped_filter_value_x( &vals[ i ], &fvals[ i ], + 1, op->o_tmpmemctx ); + op2.ors_filterstr.bv_len += ad_rdnValue->ad_cname.bv_len + + fvals[ i ].bv_len + STRLENOF( "(=)" ); + } + + op2.ors_filterstr.bv_val = op->o_tmpalloc( op2.ors_filterstr.bv_len + 1, op->o_tmpmemctx ); + + ptr = op2.ors_filterstr.bv_val; + if ( i > 1 ) { + ptr = lutil_strcopy( ptr, "(&" ); + } + for ( i = 0; !BER_BVISNULL( &vals[ i ] ); i++ ) { + *ptr++ = '('; + ptr = lutil_strncopy( ptr, ad_rdnValue->ad_cname.bv_val, ad_rdnValue->ad_cname.bv_len ); + *ptr++ = '='; + ptr = lutil_strncopy( ptr, fvals[ i ].bv_val, fvals[ i ].bv_len ); + *ptr++ = ')'; + } + + if ( i > 1 ) { + *ptr++ = ')'; + } + *ptr = '\0'; + + assert( ptr == op2.ors_filterstr.bv_val + op2.ors_filterstr.bv_len ); + op2.ors_filter = str2filter_x( op, op2.ors_filterstr.bv_val ); + assert( op2.ors_filter != NULL ); + + (void)op2.o_bd->be_search( &op2, &rs2 ); + + filter_free_x( op, op2.ors_filter, 1 ); + op->o_tmpfree( op2.ors_filterstr.bv_val, op->o_tmpmemctx ); + for ( i = 0; !BER_BVISNULL( &vals[ i ] ); i++ ) { + if ( vals[ i ].bv_val != fvals[ i ].bv_val ) { + op->o_tmpfree( fvals[ i ].bv_val, op->o_tmpmemctx ); + } + } + op->o_tmpfree( fvals, op->o_tmpmemctx ); + + if ( rs2.sr_err != LDAP_SUCCESS || gotit > 0 ) { + return LDAP_CONSTRAINT_VIOLATION; + } + + return LDAP_SUCCESS; +} + +static int +rdnval_rdn2vals( + Operation *op, + SlapReply *rs, + struct berval *dn, + struct berval *ndn, + BerVarray *valsp, + BerVarray *nvalsp, + int *numvalsp ) +{ + LDAPRDN rdn = NULL, nrdn = NULL; + int nAVA, i; + + assert( *valsp == NULL ); + assert( *nvalsp == NULL ); + + *numvalsp = 0; + + if ( ldap_bv2rdn_x( dn, &rdn, (char **)&rs->sr_text, + LDAP_DN_FORMAT_LDAP, op->o_tmpmemctx ) ) + { + Debug( LDAP_DEBUG_TRACE, + "%s rdnval: can't figure out " + "type(s)/value(s) of rdn DN=\"%s\"\n", + op->o_log_prefix, dn->bv_val, 0 ); + rs->sr_err = LDAP_INVALID_DN_SYNTAX; + rs->sr_text = "unknown type(s) used in RDN"; + + goto done; + } + + if ( ldap_bv2rdn_x( ndn, &nrdn, + (char **)&rs->sr_text, LDAP_DN_FORMAT_LDAP, op->o_tmpmemctx ) ) + { + Debug( LDAP_DEBUG_TRACE, + "%s rdnval: can't figure out " + "type(s)/value(s) of normalized rdn DN=\"%s\"\n", + op->o_log_prefix, ndn->bv_val, 0 ); + rs->sr_err = LDAP_INVALID_DN_SYNTAX; + rs->sr_text = "unknown type(s) used in RDN"; + + goto done; + } + + for ( nAVA = 0; rdn[ nAVA ]; nAVA++ ) + /* count'em */ ; + + /* NOTE: we assume rdn and nrdn contain the same AVAs! */ + + *valsp = SLAP_CALLOC( sizeof( struct berval ), nAVA + 1 ); + *nvalsp = SLAP_CALLOC( sizeof( struct berval ), nAVA + 1 ); + + /* Add new attribute values to the entry */ + for ( i = 0; rdn[ i ]; i++ ) { + AttributeDescription *desc = NULL; + + rs->sr_err = slap_bv2ad( &rdn[ i ]->la_attr, + &desc, &rs->sr_text ); + + if ( rs->sr_err != LDAP_SUCCESS ) { + Debug( LDAP_DEBUG_TRACE, + "%s rdnval: %s: %s\n", + op->o_log_prefix, + rs->sr_text, + rdn[ i ]->la_attr.bv_val ); + goto done; + } + + if ( !rdnval_is_valid( desc, &rdn[ i ]->la_value ) ) { + Debug( LDAP_DEBUG_TRACE, + "%s rdnval: syntax of naming attribute '%s' " + "not compatible with directoryString", + op->o_log_prefix, rdn[ i ]->la_attr.bv_val, 0 ); + continue; + } + + if ( value_find_ex( desc, + SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH | + SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH, + *nvalsp, + &nrdn[ i ]->la_value, + op->o_tmpmemctx ) + == LDAP_NO_SUCH_ATTRIBUTE ) + { + ber_dupbv( &(*valsp)[ *numvalsp ], &rdn[ i ]->la_value ); + ber_dupbv( &(*nvalsp)[ *numvalsp ], &nrdn[ i ]->la_value ); + + (*numvalsp)++; + } + } + + if ( rdnval_unique_check( op, *valsp ) != LDAP_SUCCESS ) { + rs->sr_err = LDAP_CONSTRAINT_VIOLATION; + rs->sr_text = "rdnValue not unique within siblings"; + goto done; + } + +done:; + if ( rdn != NULL ) { + ldap_rdnfree_x( rdn, op->o_tmpmemctx ); + } + + if ( nrdn != NULL ) { + ldap_rdnfree_x( nrdn, op->o_tmpmemctx ); + } + + if ( rs->sr_err != LDAP_SUCCESS ) { + if ( *valsp != NULL ) { + ber_bvarray_free( *valsp ); + ber_bvarray_free( *nvalsp ); + *valsp = NULL; + *nvalsp = NULL; + *numvalsp = 0; + } + } + + return rs->sr_err; +} + +static int +rdnval_op_add( Operation *op, SlapReply *rs ) +{ + Attribute *a, **ap; + int numvals = 0; + BerVarray vals = NULL, nvals = NULL; + int rc; + + /* NOTE: should we accept an entry still in mods format? */ + assert( op->ora_e != NULL ); + + if ( BER_BVISEMPTY( &op->ora_e->e_nname ) ) { + return SLAP_CB_CONTINUE; + } + + a = attr_find( op->ora_e->e_attrs, ad_rdnValue ); + if ( a != NULL ) { + /* TODO: check consistency? */ + return SLAP_CB_CONTINUE; + } + + rc = rdnval_rdn2vals( op, rs, &op->ora_e->e_name, &op->ora_e->e_nname, + &vals, &nvals, &numvals ); + if ( rc != LDAP_SUCCESS ) { + send_ldap_result( op, rs ); + } + + a = attr_alloc( ad_rdnValue ); + + a->a_vals = vals; + a->a_nvals = nvals; + a->a_numvals = numvals; + + for ( ap = &op->ora_e->e_attrs; *ap != NULL; ap = &(*ap)->a_next ) + /* goto tail */ ; + + *ap = a; + + return SLAP_CB_CONTINUE; +} + +static int +rdnval_op_rename( Operation *op, SlapReply *rs ) +{ + Modifications *ml, **mlp; + int numvals = 0; + BerVarray vals = NULL, nvals = NULL; + struct berval old; + int rc; + + dnRdn( &op->o_req_ndn, &old ); + if ( dn_match( &old, &op->orr_nnewrdn ) ) { + return SLAP_CB_CONTINUE; + } + + rc = rdnval_rdn2vals( op, rs, &op->orr_newrdn, &op->orr_nnewrdn, + &vals, &nvals, &numvals ); + if ( rc != LDAP_SUCCESS ) { + send_ldap_result( op, rs ); + } + + ml = SLAP_CALLOC( sizeof( Modifications ), 1 ); + ml->sml_values = vals; + ml->sml_nvalues = nvals; + + ml->sml_numvals = numvals; + + ml->sml_op = LDAP_MOD_REPLACE; + ml->sml_flags = SLAP_MOD_INTERNAL; + ml->sml_desc = ad_rdnValue; + ml->sml_type = ad_rdnValue->ad_cname; + + for ( mlp = &op->orr_modlist; *mlp != NULL; mlp = &(*mlp)->sml_next ) + /* goto tail */ ; + + *mlp = ml; + + return SLAP_CB_CONTINUE; +} + +static int +rdnval_db_init( + BackendDB *be, + ConfigReply *cr) +{ + if ( SLAP_ISGLOBALOVERLAY( be ) ) { + Log0( LDAP_DEBUG_ANY, LDAP_LEVEL_ERR, + "rdnval_db_init: rdnval cannot be used as global overlay.\n" ); + return 1; + } + + if ( be->be_nsuffix == NULL ) { + Log0( LDAP_DEBUG_ANY, LDAP_LEVEL_ERR, + "rdnval_db_init: database must have suffix\n" ); + return 1; + } + + if ( BER_BVISNULL( &be->be_rootndn ) || BER_BVISEMPTY( &be->be_rootndn ) ) { + Log1( LDAP_DEBUG_ANY, LDAP_LEVEL_ERR, + "rdnval_db_init: missing rootdn for database DN=\"%s\", YMMV\n", + be->be_suffix[ 0 ].bv_val ); + } + + return 0; +} + +typedef struct rdnval_mod_t { + struct berval ndn; + BerVarray vals; + BerVarray nvals; + int numvals; + struct rdnval_mod_t *next; +} rdnval_mod_t; + +typedef struct { + BackendDB *bd; + rdnval_mod_t *mods; +} rdnval_repair_cb_t; + +static int +rdnval_repair_cb( Operation *op, SlapReply *rs ) +{ + int rc; + rdnval_repair_cb_t *rcb = op->o_callback->sc_private; + rdnval_mod_t *mod; + BerVarray vals = NULL, nvals = NULL; + int numvals = 0; + ber_len_t len; + BackendDB *save_bd = op->o_bd; + + switch ( rs->sr_type ) { + case REP_SEARCH: + break; + + case REP_SEARCHREF: + case REP_RESULT: + return rs->sr_err; + + default: + assert( 0 ); + } + + assert( rs->sr_entry != NULL ); + + op->o_bd = rcb->bd; + rc = rdnval_rdn2vals( op, rs, &rs->sr_entry->e_name, &rs->sr_entry->e_nname, + &vals, &nvals, &numvals ); + op->o_bd = save_bd; + if ( rc != LDAP_SUCCESS ) { + return 0; + } + + len = sizeof( rdnval_mod_t ) + rs->sr_entry->e_nname.bv_len + 1; + mod = op->o_tmpalloc( len, op->o_tmpmemctx ); + mod->ndn.bv_len = rs->sr_entry->e_nname.bv_len; + mod->ndn.bv_val = (char *)&mod[1]; + lutil_strncopy( mod->ndn.bv_val, rs->sr_entry->e_nname.bv_val, rs->sr_entry->e_nname.bv_len ); + mod->vals = vals; + mod->nvals = nvals; + mod->numvals = numvals; + + mod->next = rcb->mods; + rcb->mods = mod; + + Debug( LDAP_DEBUG_TRACE, "%s: rdnval_repair_cb: scheduling entry DN=\"%s\" for repair\n", + op->o_log_prefix, rs->sr_entry->e_name.bv_val, 0 ); + + return 0; +} + +static int +rdnval_repair( BackendDB *be ) +{ + slap_overinst *on = (slap_overinst *)be->bd_info; + void *ctx = ldap_pvt_thread_pool_context(); + Connection conn = { 0 }; + OperationBuffer opbuf; + Operation *op; + BackendDB db; + slap_callback sc = { 0 }; + rdnval_repair_cb_t rcb = { 0 }; + SlapReply rs = { REP_RESULT }; + rdnval_mod_t *rmod; + int nrepaired = 0; + + connection_fake_init2( &conn, &opbuf, ctx, 0 ); + op = &opbuf.ob_op; + + op->o_tag = LDAP_REQ_SEARCH; + memset( &op->oq_search, 0, sizeof( op->oq_search ) ); + + assert( !BER_BVISNULL( &be->be_nsuffix[ 0 ] ) ); + + op->o_bd = select_backend( &be->be_nsuffix[ 0 ], 0 ); + assert( op->o_bd != NULL ); + assert( op->o_bd->be_nsuffix != NULL ); + + op->o_req_dn = op->o_bd->be_suffix[ 0 ]; + op->o_req_ndn = op->o_bd->be_nsuffix[ 0 ]; + + op->o_dn = op->o_bd->be_rootdn; + op->o_ndn = op->o_bd->be_rootndn; + + op->ors_scope = LDAP_SCOPE_SUBTREE; + op->ors_tlimit = SLAP_NO_LIMIT; + op->ors_slimit = SLAP_NO_LIMIT; + op->ors_attrs = slap_anlist_no_attrs; + + op->ors_filterstr.bv_len = STRLENOF( "(!(=*))" ) + ad_rdnValue->ad_cname.bv_len; + op->ors_filterstr.bv_val = op->o_tmpalloc( op->ors_filterstr.bv_len + 1, op->o_tmpmemctx ); + snprintf( op->ors_filterstr.bv_val, op->ors_filterstr.bv_len + 1, + "(!(%s=*))", ad_rdnValue->ad_cname.bv_val ); + + op->ors_filter = str2filter_x( op, op->ors_filterstr.bv_val ); + if ( op->ors_filter == NULL ) { + rs.sr_err = LDAP_OTHER; + goto done_search; + } + + op->o_callback = ≻ + sc.sc_response = rdnval_repair_cb; + sc.sc_private = &rcb; + rcb.bd = &db; + db = *be; + db.bd_info = (BackendInfo *)on; + + (void)op->o_bd->bd_info->bi_op_search( op, &rs ); + + op->o_tag = LDAP_REQ_MODIFY; + sc.sc_response = slap_null_cb; + sc.sc_private = NULL; + memset( &op->oq_modify, 0, sizeof( req_modify_s ) ); + + for ( rmod = rcb.mods; rmod != NULL; ) { + rdnval_mod_t *rnext; + + Modifications *mod; + SlapReply rs2 = { REP_RESULT }; + + mod = (Modifications *) ch_malloc( sizeof( Modifications ) ); + mod->sml_flags = SLAP_MOD_INTERNAL; + mod->sml_op = LDAP_MOD_REPLACE; + mod->sml_desc = ad_rdnValue; + mod->sml_type = ad_rdnValue->ad_cname; + mod->sml_values = rmod->vals; + mod->sml_nvalues = rmod->nvals; + mod->sml_numvals = rmod->numvals; + mod->sml_next = NULL; + + op->o_req_dn = rmod->ndn; + op->o_req_ndn = rmod->ndn; + + op->orm_modlist = mod; + + op->o_bd->be_modify( op, &rs2 ); + + slap_mods_free( op->orm_modlist, 1 ); + if ( rs2.sr_err == LDAP_SUCCESS ) { + Debug( LDAP_DEBUG_TRACE, "%s: rdnval_repair: entry DN=\"%s\" repaired\n", + op->o_log_prefix, rmod->ndn.bv_val, 0 ); + nrepaired++; + + } else { + Debug( LDAP_DEBUG_ANY, "%s: rdnval_repair: entry DN=\"%s\" repair failed (%d)\n", + op->o_log_prefix, rmod->ndn.bv_val, rs2.sr_err ); + } + + rnext = rmod->next; + op->o_tmpfree( rmod, op->o_tmpmemctx ); + rmod = rnext; + } + +done_search:; + op->o_tmpfree( op->ors_filterstr.bv_val, op->o_tmpmemctx ); + filter_free_x( op, op->ors_filter, 1 ); + + Log1( LDAP_DEBUG_STATS, LDAP_LEVEL_INFO, + "rdnval: repaired=%d\n", nrepaired ); + + return 0; +} + +/* search all entries without parentUUID; "repair" them */ +static int +rdnval_db_open( + BackendDB *be, + ConfigReply *cr ) +{ + if ( SLAP_SINGLE_SHADOW( be ) ) { + Log1( LDAP_DEBUG_ANY, LDAP_LEVEL_ERR, + "rdnval incompatible with shadow database \"%s\".\n", + be->be_suffix[ 0 ].bv_val ); + return 1; + } + + return rdnval_repair( be ); +} + +static struct { + char *desc; + AttributeDescription **adp; +} as[] = { + { "( 1.3.6.1.4.1.4203.666.1.58 " + "NAME 'rdnValue' " + "DESC 'the value of the naming attributes' " + "SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' " + "EQUALITY caseIgnoreMatch " + "USAGE dSAOperation " + "NO-USER-MODIFICATION " + ")", + &ad_rdnValue }, + { NULL } +}; + +int +rdnval_initialize(void) +{ + int code, i; + + for ( i = 0; as[ i ].desc != NULL; i++ ) { + code = register_at( as[ i ].desc, as[ i ].adp, 0 ); + if ( code ) { + Debug( LDAP_DEBUG_ANY, + "rdnval_initialize: register_at #%d failed\n", + i, 0, 0 ); + return code; + } + + /* Allow Manager to set these as needed */ + if ( is_at_no_user_mod( (*as[ i ].adp)->ad_type ) ) { + (*as[ i ].adp)->ad_type->sat_flags |= + SLAP_AT_MANAGEABLE; + } + } + + syn_IA5String = syn_find( "1.3.6.1.4.1.1466.115.121.1.26" ); + if ( syn_IA5String == NULL ) { + Debug( LDAP_DEBUG_ANY, + "rdnval_initialize: unable to find syntax '1.3.6.1.4.1.1466.115.121.1.26' (IA5String)\n", + 0, 0, 0 ); + return LDAP_OTHER; + } + + rdnval.on_bi.bi_type = "rdnval"; + + rdnval.on_bi.bi_op_add = rdnval_op_add; + rdnval.on_bi.bi_op_modrdn = rdnval_op_rename; + + rdnval.on_bi.bi_db_init = rdnval_db_init; + rdnval.on_bi.bi_db_open = rdnval_db_open; + + return overlay_register( &rdnval ); +} + +#if SLAPD_OVER_RDNVAL == SLAPD_MOD_DYNAMIC +int +init_module( int argc, char *argv[] ) +{ + return rdnval_initialize(); +} +#endif /* SLAPD_OVER_RDNVAL == SLAPD_MOD_DYNAMIC */ + +#endif /* SLAPD_OVER_RDNVAL */ diff --git a/contrib/slapd-modules/samba4/vernum.c b/contrib/slapd-modules/samba4/vernum.c new file mode 100644 index 0000000..6035d86 --- /dev/null +++ b/contrib/slapd-modules/samba4/vernum.c @@ -0,0 +1,459 @@ +/* vernum.c - RDN value overlay */ +/* $OpenLDAP$ */ +/* This work is part of OpenLDAP Software <http://www.openldap.org/>. + * + * Copyright 1998-2021 The OpenLDAP Foundation. + * Portions Copyright 2008 Pierangelo Masarati. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP + * Public License. + * + * A copy of this license is available in the file LICENSE in the + * top-level directory of the distribution or, alternatively, at + * <http://www.OpenLDAP.org/license.html>. + */ +/* ACKNOWLEDGEMENTS: + * This work was initially developed by Pierangelo Masarati + * for inclusion in OpenLDAP Software. + */ + +#include "portable.h" + +#ifdef SLAPD_OVER_VERNUM + +#include <stdio.h> + +#include "ac/string.h" +#include "ac/socket.h" + +#include "slap.h" +#include "config.h" + +#include "lutil.h" + +/* + * Maintain an attribute (e.g. msDS-KeyVersionNumber) that consists + * in a counter of modifications of another attribute (e.g. unicodePwd). + */ + +typedef struct vernum_t { + AttributeDescription *vn_attr; + AttributeDescription *vn_vernum; +} vernum_t; + +static AttributeDescription *ad_msDS_KeyVersionNumber; + +static struct berval val_init = BER_BVC( "0" ); +static slap_overinst vernum; + +static int +vernum_op_add( Operation *op, SlapReply *rs ) +{ + slap_overinst *on = (slap_overinst *) op->o_bd->bd_info; + vernum_t *vn = (vernum_t *)on->on_bi.bi_private; + + Attribute *a, **ap; + int rc; + + /* NOTE: should we accept an entry still in mods format? */ + assert( op->ora_e != NULL ); + + if ( BER_BVISEMPTY( &op->ora_e->e_nname ) ) { + return SLAP_CB_CONTINUE; + } + + a = attr_find( op->ora_e->e_attrs, vn->vn_attr ); + if ( a == NULL ) { + return SLAP_CB_CONTINUE; + } + + if ( attr_find( op->ora_e->e_attrs, vn->vn_vernum ) != NULL ) { + /* already present - leave it alone */ + return SLAP_CB_CONTINUE; + } + + a = attr_alloc( vn->vn_vernum ); + + value_add_one( &a->a_vals, &val_init ); + a->a_nvals = a->a_vals; + a->a_numvals = 1; + + for ( ap = &op->ora_e->e_attrs; *ap != NULL; ap = &(*ap)->a_next ) + /* goto tail */ ; + + *ap = a; + + return SLAP_CB_CONTINUE; +} + +static int +vernum_op_modify( Operation *op, SlapReply *rs ) +{ + slap_overinst *on = (slap_overinst *) op->o_bd->bd_info; + vernum_t *vn = (vernum_t *)on->on_bi.bi_private; + + Modifications *ml, **mlp; + struct berval val = BER_BVC( "1" ); + int rc; + unsigned got = 0; + + for ( ml = op->orm_modlist; ml != NULL; ml = ml->sml_next ) { + if ( ml->sml_desc == vn->vn_vernum ) { + /* already present - leave it alone + * (or should we increment it anyway?) */ + return SLAP_CB_CONTINUE; + } + + if ( ml->sml_desc == vn->vn_attr ) { + got = 1; + } + } + + if ( !got ) { + return SLAP_CB_CONTINUE; + } + + for ( mlp = &op->orm_modlist; *mlp != NULL; mlp = &(*mlp)->sml_next ) + /* goto tail */ ; + + /* ITS#6561 */ +#ifdef SLAP_MOD_ADD_IF_NOT_PRESENT + /* the initial value is only added if the vernum attr is not present */ + ml = SLAP_CALLOC( sizeof( Modifications ), 1 ); + ml->sml_values = SLAP_CALLOC( sizeof( struct berval ) , 2 ); + value_add_one( &ml->sml_values, &val_init ); + ml->sml_nvalues = NULL; + ml->sml_numvals = 1; + ml->sml_op = SLAP_MOD_ADD_IF_NOT_PRESENT; + ml->sml_flags = SLAP_MOD_INTERNAL; + ml->sml_desc = vn->vn_vernum; + ml->sml_type = vn->vn_vernum->ad_cname; + + *mlp = ml; + mlp = &ml->sml_next; +#endif /* SLAP_MOD_ADD_IF_NOT_PRESENT */ + + /* this increments by 1 the vernum attr */ + ml = SLAP_CALLOC( sizeof( Modifications ), 1 ); + ml->sml_values = SLAP_CALLOC( sizeof( struct berval ) , 2 ); + value_add_one( &ml->sml_values, &val ); + ml->sml_nvalues = NULL; + ml->sml_numvals = 1; + ml->sml_op = LDAP_MOD_INCREMENT; + ml->sml_flags = SLAP_MOD_INTERNAL; + ml->sml_desc = vn->vn_vernum; + ml->sml_type = vn->vn_vernum->ad_cname; + + *mlp = ml; + + return SLAP_CB_CONTINUE; +} + +static int +vernum_db_init( + BackendDB *be, + ConfigReply *cr) +{ + slap_overinst *on = (slap_overinst *) be->bd_info; + vernum_t *vn = NULL; + + if ( SLAP_ISGLOBALOVERLAY( be ) ) { + Log0( LDAP_DEBUG_ANY, LDAP_LEVEL_ERR, + "vernum_db_init: vernum cannot be used as global overlay.\n" ); + return 1; + } + + if ( be->be_nsuffix == NULL ) { + Log0( LDAP_DEBUG_ANY, LDAP_LEVEL_ERR, + "vernum_db_init: database must have suffix\n" ); + return 1; + } + + if ( BER_BVISNULL( &be->be_rootndn ) || BER_BVISEMPTY( &be->be_rootndn ) ) { + Log1( LDAP_DEBUG_ANY, LDAP_LEVEL_ERR, + "vernum_db_init: missing rootdn for database DN=\"%s\", YMMV\n", + be->be_suffix[ 0 ].bv_val ); + } + + vn = (vernum_t *)ch_calloc( 1, sizeof( vernum_t ) ); + + on->on_bi.bi_private = (void *)vn; + + return 0; +} + +typedef struct vernum_mod_t { + struct berval ndn; + struct vernum_mod_t *next; +} vernum_mod_t; + +typedef struct { + BackendDB *bd; + vernum_mod_t *mods; +} vernum_repair_cb_t; + +static int +vernum_repair_cb( Operation *op, SlapReply *rs ) +{ + int rc; + vernum_repair_cb_t *rcb = op->o_callback->sc_private; + vernum_mod_t *mod; + ber_len_t len; + BackendDB *save_bd = op->o_bd; + + switch ( rs->sr_type ) { + case REP_SEARCH: + break; + + case REP_SEARCHREF: + case REP_RESULT: + return rs->sr_err; + + default: + assert( 0 ); + } + + assert( rs->sr_entry != NULL ); + + len = sizeof( vernum_mod_t ) + rs->sr_entry->e_nname.bv_len + 1; + mod = op->o_tmpalloc( len, op->o_tmpmemctx ); + mod->ndn.bv_len = rs->sr_entry->e_nname.bv_len; + mod->ndn.bv_val = (char *)&mod[1]; + lutil_strncopy( mod->ndn.bv_val, rs->sr_entry->e_nname.bv_val, rs->sr_entry->e_nname.bv_len ); + + mod->next = rcb->mods; + rcb->mods = mod; + + Debug( LDAP_DEBUG_TRACE, "%s: vernum_repair_cb: scheduling entry DN=\"%s\" for repair\n", + op->o_log_prefix, rs->sr_entry->e_name.bv_val, 0 ); + + return 0; +} + +static int +vernum_repair( BackendDB *be ) +{ + slap_overinst *on = (slap_overinst *)be->bd_info; + vernum_t *vn = (vernum_t *)on->on_bi.bi_private; + void *ctx = ldap_pvt_thread_pool_context(); + Connection conn = { 0 }; + OperationBuffer opbuf; + Operation *op; + BackendDB db; + slap_callback sc = { 0 }; + vernum_repair_cb_t rcb = { 0 }; + SlapReply rs = { REP_RESULT }; + vernum_mod_t *rmod; + int nrepaired = 0; + + connection_fake_init2( &conn, &opbuf, ctx, 0 ); + op = &opbuf.ob_op; + + op->o_tag = LDAP_REQ_SEARCH; + memset( &op->oq_search, 0, sizeof( op->oq_search ) ); + + assert( !BER_BVISNULL( &be->be_nsuffix[ 0 ] ) ); + + op->o_bd = select_backend( &be->be_nsuffix[ 0 ], 0 ); + assert( op->o_bd != NULL ); + assert( op->o_bd->be_nsuffix != NULL ); + + op->o_req_dn = op->o_bd->be_suffix[ 0 ]; + op->o_req_ndn = op->o_bd->be_nsuffix[ 0 ]; + + op->o_dn = op->o_bd->be_rootdn; + op->o_ndn = op->o_bd->be_rootndn; + + op->ors_scope = LDAP_SCOPE_SUBTREE; + op->ors_tlimit = SLAP_NO_LIMIT; + op->ors_slimit = SLAP_NO_LIMIT; + op->ors_attrs = slap_anlist_no_attrs; + + op->ors_filterstr.bv_len = STRLENOF( "(&(=*)(!(=*)))" ) + + vn->vn_attr->ad_cname.bv_len + + vn->vn_vernum->ad_cname.bv_len; + op->ors_filterstr.bv_val = op->o_tmpalloc( op->ors_filterstr.bv_len + 1, op->o_tmpmemctx ); + snprintf( op->ors_filterstr.bv_val, op->ors_filterstr.bv_len + 1, + "(&(%s=*)(!(%s=*)))", + vn->vn_attr->ad_cname.bv_val, + vn->vn_vernum->ad_cname.bv_val ); + + op->ors_filter = str2filter_x( op, op->ors_filterstr.bv_val ); + if ( op->ors_filter == NULL ) { + rs.sr_err = LDAP_OTHER; + goto done_search; + } + + op->o_callback = ≻ + sc.sc_response = vernum_repair_cb; + sc.sc_private = &rcb; + rcb.bd = &db; + db = *be; + db.bd_info = (BackendInfo *)on; + + (void)op->o_bd->bd_info->bi_op_search( op, &rs ); + + op->o_tag = LDAP_REQ_MODIFY; + sc.sc_response = slap_null_cb; + sc.sc_private = NULL; + memset( &op->oq_modify, 0, sizeof( req_modify_s ) ); + + for ( rmod = rcb.mods; rmod != NULL; ) { + vernum_mod_t *rnext; + Modifications mod; + struct berval vals[2] = { BER_BVNULL }; + SlapReply rs2 = { REP_RESULT }; + + mod.sml_flags = SLAP_MOD_INTERNAL; + mod.sml_op = LDAP_MOD_REPLACE; + mod.sml_desc = vn->vn_vernum; + mod.sml_type = vn->vn_vernum->ad_cname; + mod.sml_values = vals; + mod.sml_values[0] = val_init; + mod.sml_nvalues = NULL; + mod.sml_numvals = 1; + mod.sml_next = NULL; + + op->o_req_dn = rmod->ndn; + op->o_req_ndn = rmod->ndn; + + op->orm_modlist = &mod; + + op->o_bd->be_modify( op, &rs2 ); + + slap_mods_free( op->orm_modlist->sml_next, 1 ); + if ( rs2.sr_err == LDAP_SUCCESS ) { + Debug( LDAP_DEBUG_TRACE, "%s: vernum_repair: entry DN=\"%s\" repaired\n", + op->o_log_prefix, rmod->ndn.bv_val, 0 ); + nrepaired++; + + } else { + Debug( LDAP_DEBUG_ANY, "%s: vernum_repair: entry DN=\"%s\" repair failed (%d)\n", + op->o_log_prefix, rmod->ndn.bv_val, rs2.sr_err ); + } + + rnext = rmod->next; + op->o_tmpfree( rmod, op->o_tmpmemctx ); + rmod = rnext; + } + +done_search:; + op->o_tmpfree( op->ors_filterstr.bv_val, op->o_tmpmemctx ); + filter_free_x( op, op->ors_filter, 1 ); + + Log1( LDAP_DEBUG_STATS, LDAP_LEVEL_INFO, + "vernum: repaired=%d\n", nrepaired ); + + return 0; +} + +static int +vernum_db_open( + BackendDB *be, + ConfigReply *cr ) +{ + slap_overinst *on = (slap_overinst *)be->bd_info; + vernum_t *vn = (vernum_t *)on->on_bi.bi_private; + + if ( SLAP_SINGLE_SHADOW( be ) ) { + Log1( LDAP_DEBUG_ANY, LDAP_LEVEL_ERR, + "vernum incompatible with shadow database \"%s\".\n", + be->be_suffix[ 0 ].bv_val ); + return 1; + } + + /* default: unicodePwd & msDS-KeyVersionNumber */ + if ( vn->vn_attr == NULL ) { + const char *text = NULL; + int rc; + + rc = slap_str2ad( "unicodePwd", &vn->vn_attr, &text ); + if ( rc != LDAP_SUCCESS ) { + Debug( LDAP_DEBUG_ANY, "vernum: unable to find attribute 'unicodePwd' (%d: %s)\n", + rc, text, 0 ); + return 1; + } + + vn->vn_vernum = ad_msDS_KeyVersionNumber; + } + + return vernum_repair( be ); +} + +static int +vernum_db_destroy( + BackendDB *be, + ConfigReply *cr ) +{ + slap_overinst *on = (slap_overinst *)be->bd_info; + vernum_t *vn = (vernum_t *)on->on_bi.bi_private; + + if ( vn ) { + ch_free( vn ); + on->on_bi.bi_private = NULL; + } + + return 0; +} + +static struct { + char *desc; + AttributeDescription **adp; +} as[] = { + { "( 1.2.840.113556.1.4.1782 " + "NAME 'msDS-KeyVersionNumber' " + "DESC 'in the original specification the syntax is 2.5.5.9' " + "SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' " + "EQUALITY integerMatch " + "SINGLE-VALUE " + "USAGE dSAOperation " + "NO-USER-MODIFICATION " + ")", + &ad_msDS_KeyVersionNumber }, + { NULL } +}; + +int +vernum_initialize(void) +{ + int code, i; + + for ( i = 0; as[ i ].desc != NULL; i++ ) { + code = register_at( as[ i ].desc, as[ i ].adp, 0 ); + if ( code ) { + Debug( LDAP_DEBUG_ANY, + "vernum_initialize: register_at #%d failed\n", + i, 0, 0 ); + return code; + } + + /* Allow Manager to set these as needed */ + if ( is_at_no_user_mod( (*as[ i ].adp)->ad_type ) ) { + (*as[ i ].adp)->ad_type->sat_flags |= + SLAP_AT_MANAGEABLE; + } + } + + vernum.on_bi.bi_type = "vernum"; + + vernum.on_bi.bi_op_add = vernum_op_add; + vernum.on_bi.bi_op_modify = vernum_op_modify; + + vernum.on_bi.bi_db_init = vernum_db_init; + vernum.on_bi.bi_db_open = vernum_db_open; + vernum.on_bi.bi_db_destroy = vernum_db_destroy; + + return overlay_register( &vernum ); +} + +#if SLAPD_OVER_VERNUM == SLAPD_MOD_DYNAMIC +int +init_module( int argc, char *argv[] ) +{ + return vernum_initialize(); +} +#endif /* SLAPD_OVER_VERNUM == SLAPD_MOD_DYNAMIC */ + +#endif /* SLAPD_OVER_VERNUM */ |