/* rdnval.c - RDN value overlay */
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software .
*
* Copyright 1998-2021 The OpenLDAP Foundation.
* Portions Copyright 2008 Pierangelo Masarati.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted only as authorized by the OpenLDAP
* Public License.
*
* A copy of this license is available in the file LICENSE in the
* top-level directory of the distribution or, alternatively, at
* .
*/
/* ACKNOWLEDGEMENTS:
* This work was initially developed by Pierangelo Masarati
* for inclusion in OpenLDAP Software.
*/
#include "portable.h"
#ifdef SLAPD_OVER_RDNVAL
#include
#include "ac/string.h"
#include "ac/socket.h"
#include "slap.h"
#include "config.h"
#include "lutil.h"
/*
* Maintain an attribute (rdnValue) that contains the values of each AVA
* that builds up the RDN of an entry. This is required for interoperation
* with Samba4. It mimics the "name" attribute provided by Active Directory.
* The naming attributes must be directoryString-valued, or compatible.
* For example, IA5String values are cast into directoryString unless
* consisting of the empty string ("").
*/
static AttributeDescription *ad_rdnValue;
static Syntax *syn_IA5String;
static slap_overinst rdnval;
static int
rdnval_is_valid( AttributeDescription *desc, struct berval *value )
{
if ( desc->ad_type->sat_syntax == slap_schema.si_syn_directoryString ) {
return 1;
}
if ( desc->ad_type->sat_syntax == syn_IA5String
&& !BER_BVISEMPTY( value ) )
{
return 1;
}
return 0;
}
static int
rdnval_unique_check_cb( Operation *op, SlapReply *rs )
{
if ( rs->sr_type == REP_SEARCH ) {
int *p = (int *)op->o_callback->sc_private;
(*p)++;
}
return 0;
}
static int
rdnval_unique_check( Operation *op, BerVarray vals )
{
slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
BackendDB db = *op->o_bd;
Operation op2 = *op;
SlapReply rs2 = { 0 };
int i;
BerVarray fvals;
char *ptr;
int gotit = 0;
slap_callback cb = { 0 };
/* short-circuit attempts to add suffix entry */
if ( op->o_tag == LDAP_REQ_ADD
&& be_issuffix( op->o_bd, &op->o_req_ndn ) )
{
return LDAP_SUCCESS;
}
op2.o_bd = &db;
op2.o_bd->bd_info = (BackendInfo *)on->on_info;
op2.o_tag = LDAP_REQ_SEARCH;
op2.o_dn = op->o_bd->be_rootdn;
op2.o_ndn = op->o_bd->be_rootndn;
op2.o_callback = &cb;
cb.sc_response = rdnval_unique_check_cb;
cb.sc_private = (void *)&gotit;
dnParent( &op->o_req_ndn, &op2.o_req_dn );
op2.o_req_ndn = op2.o_req_dn;
op2.ors_limit = NULL;
op2.ors_slimit = 1;
op2.ors_tlimit = SLAP_NO_LIMIT;
op2.ors_attrs = slap_anlist_no_attrs;
op2.ors_attrsonly = 1;
op2.ors_deref = LDAP_DEREF_NEVER;
op2.ors_scope = LDAP_SCOPE_ONELEVEL;
for ( i = 0; !BER_BVISNULL( &vals[ i ] ); i++ )
/* just count */ ;
fvals = op->o_tmpcalloc( sizeof( struct berval ), i + 1,
op->o_tmpmemctx );
op2.ors_filterstr.bv_len = 0;
if ( i > 1 ) {
op2.ors_filterstr.bv_len = STRLENOF( "(&)" );
}
for ( i = 0; !BER_BVISNULL( &vals[ i ] ); i++ ) {
ldap_bv2escaped_filter_value_x( &vals[ i ], &fvals[ i ],
1, op->o_tmpmemctx );
op2.ors_filterstr.bv_len += ad_rdnValue->ad_cname.bv_len
+ fvals[ i ].bv_len + STRLENOF( "(=)" );
}
op2.ors_filterstr.bv_val = op->o_tmpalloc( op2.ors_filterstr.bv_len + 1, op->o_tmpmemctx );
ptr = op2.ors_filterstr.bv_val;
if ( i > 1 ) {
ptr = lutil_strcopy( ptr, "(&" );
}
for ( i = 0; !BER_BVISNULL( &vals[ i ] ); i++ ) {
*ptr++ = '(';
ptr = lutil_strncopy( ptr, ad_rdnValue->ad_cname.bv_val, ad_rdnValue->ad_cname.bv_len );
*ptr++ = '=';
ptr = lutil_strncopy( ptr, fvals[ i ].bv_val, fvals[ i ].bv_len );
*ptr++ = ')';
}
if ( i > 1 ) {
*ptr++ = ')';
}
*ptr = '\0';
assert( ptr == op2.ors_filterstr.bv_val + op2.ors_filterstr.bv_len );
op2.ors_filter = str2filter_x( op, op2.ors_filterstr.bv_val );
assert( op2.ors_filter != NULL );
(void)op2.o_bd->be_search( &op2, &rs2 );
filter_free_x( op, op2.ors_filter, 1 );
op->o_tmpfree( op2.ors_filterstr.bv_val, op->o_tmpmemctx );
for ( i = 0; !BER_BVISNULL( &vals[ i ] ); i++ ) {
if ( vals[ i ].bv_val != fvals[ i ].bv_val ) {
op->o_tmpfree( fvals[ i ].bv_val, op->o_tmpmemctx );
}
}
op->o_tmpfree( fvals, op->o_tmpmemctx );
if ( rs2.sr_err != LDAP_SUCCESS || gotit > 0 ) {
return LDAP_CONSTRAINT_VIOLATION;
}
return LDAP_SUCCESS;
}
static int
rdnval_rdn2vals(
Operation *op,
SlapReply *rs,
struct berval *dn,
struct berval *ndn,
BerVarray *valsp,
BerVarray *nvalsp,
int *numvalsp )
{
LDAPRDN rdn = NULL, nrdn = NULL;
int nAVA, i;
assert( *valsp == NULL );
assert( *nvalsp == NULL );
*numvalsp = 0;
if ( ldap_bv2rdn_x( dn, &rdn, (char **)&rs->sr_text,
LDAP_DN_FORMAT_LDAP, op->o_tmpmemctx ) )
{
Debug( LDAP_DEBUG_TRACE,
"%s rdnval: can't figure out "
"type(s)/value(s) of rdn DN=\"%s\"\n",
op->o_log_prefix, dn->bv_val, 0 );
rs->sr_err = LDAP_INVALID_DN_SYNTAX;
rs->sr_text = "unknown type(s) used in RDN";
goto done;
}
if ( ldap_bv2rdn_x( ndn, &nrdn,
(char **)&rs->sr_text, LDAP_DN_FORMAT_LDAP, op->o_tmpmemctx ) )
{
Debug( LDAP_DEBUG_TRACE,
"%s rdnval: can't figure out "
"type(s)/value(s) of normalized rdn DN=\"%s\"\n",
op->o_log_prefix, ndn->bv_val, 0 );
rs->sr_err = LDAP_INVALID_DN_SYNTAX;
rs->sr_text = "unknown type(s) used in RDN";
goto done;
}
for ( nAVA = 0; rdn[ nAVA ]; nAVA++ )
/* count'em */ ;
/* NOTE: we assume rdn and nrdn contain the same AVAs! */
*valsp = SLAP_CALLOC( sizeof( struct berval ), nAVA + 1 );
*nvalsp = SLAP_CALLOC( sizeof( struct berval ), nAVA + 1 );
/* Add new attribute values to the entry */
for ( i = 0; rdn[ i ]; i++ ) {
AttributeDescription *desc = NULL;
rs->sr_err = slap_bv2ad( &rdn[ i ]->la_attr,
&desc, &rs->sr_text );
if ( rs->sr_err != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_TRACE,
"%s rdnval: %s: %s\n",
op->o_log_prefix,
rs->sr_text,
rdn[ i ]->la_attr.bv_val );
goto done;
}
if ( !rdnval_is_valid( desc, &rdn[ i ]->la_value ) ) {
Debug( LDAP_DEBUG_TRACE,
"%s rdnval: syntax of naming attribute '%s' "
"not compatible with directoryString",
op->o_log_prefix, rdn[ i ]->la_attr.bv_val, 0 );
continue;
}
if ( value_find_ex( desc,
SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
*nvalsp,
&nrdn[ i ]->la_value,
op->o_tmpmemctx )
== LDAP_NO_SUCH_ATTRIBUTE )
{
ber_dupbv( &(*valsp)[ *numvalsp ], &rdn[ i ]->la_value );
ber_dupbv( &(*nvalsp)[ *numvalsp ], &nrdn[ i ]->la_value );
(*numvalsp)++;
}
}
if ( rdnval_unique_check( op, *valsp ) != LDAP_SUCCESS ) {
rs->sr_err = LDAP_CONSTRAINT_VIOLATION;
rs->sr_text = "rdnValue not unique within siblings";
goto done;
}
done:;
if ( rdn != NULL ) {
ldap_rdnfree_x( rdn, op->o_tmpmemctx );
}
if ( nrdn != NULL ) {
ldap_rdnfree_x( nrdn, op->o_tmpmemctx );
}
if ( rs->sr_err != LDAP_SUCCESS ) {
if ( *valsp != NULL ) {
ber_bvarray_free( *valsp );
ber_bvarray_free( *nvalsp );
*valsp = NULL;
*nvalsp = NULL;
*numvalsp = 0;
}
}
return rs->sr_err;
}
static int
rdnval_op_add( Operation *op, SlapReply *rs )
{
Attribute *a, **ap;
int numvals = 0;
BerVarray vals = NULL, nvals = NULL;
int rc;
/* NOTE: should we accept an entry still in mods format? */
assert( op->ora_e != NULL );
if ( BER_BVISEMPTY( &op->ora_e->e_nname ) ) {
return SLAP_CB_CONTINUE;
}
a = attr_find( op->ora_e->e_attrs, ad_rdnValue );
if ( a != NULL ) {
/* TODO: check consistency? */
return SLAP_CB_CONTINUE;
}
rc = rdnval_rdn2vals( op, rs, &op->ora_e->e_name, &op->ora_e->e_nname,
&vals, &nvals, &numvals );
if ( rc != LDAP_SUCCESS ) {
send_ldap_result( op, rs );
}
a = attr_alloc( ad_rdnValue );
a->a_vals = vals;
a->a_nvals = nvals;
a->a_numvals = numvals;
for ( ap = &op->ora_e->e_attrs; *ap != NULL; ap = &(*ap)->a_next )
/* goto tail */ ;
*ap = a;
return SLAP_CB_CONTINUE;
}
static int
rdnval_op_rename( Operation *op, SlapReply *rs )
{
Modifications *ml, **mlp;
int numvals = 0;
BerVarray vals = NULL, nvals = NULL;
struct berval old;
int rc;
dnRdn( &op->o_req_ndn, &old );
if ( dn_match( &old, &op->orr_nnewrdn ) ) {
return SLAP_CB_CONTINUE;
}
rc = rdnval_rdn2vals( op, rs, &op->orr_newrdn, &op->orr_nnewrdn,
&vals, &nvals, &numvals );
if ( rc != LDAP_SUCCESS ) {
send_ldap_result( op, rs );
}
ml = SLAP_CALLOC( sizeof( Modifications ), 1 );
ml->sml_values = vals;
ml->sml_nvalues = nvals;
ml->sml_numvals = numvals;
ml->sml_op = LDAP_MOD_REPLACE;
ml->sml_flags = SLAP_MOD_INTERNAL;
ml->sml_desc = ad_rdnValue;
ml->sml_type = ad_rdnValue->ad_cname;
for ( mlp = &op->orr_modlist; *mlp != NULL; mlp = &(*mlp)->sml_next )
/* goto tail */ ;
*mlp = ml;
return SLAP_CB_CONTINUE;
}
static int
rdnval_db_init(
BackendDB *be,
ConfigReply *cr)
{
if ( SLAP_ISGLOBALOVERLAY( be ) ) {
Log0( LDAP_DEBUG_ANY, LDAP_LEVEL_ERR,
"rdnval_db_init: rdnval cannot be used as global overlay.\n" );
return 1;
}
if ( be->be_nsuffix == NULL ) {
Log0( LDAP_DEBUG_ANY, LDAP_LEVEL_ERR,
"rdnval_db_init: database must have suffix\n" );
return 1;
}
if ( BER_BVISNULL( &be->be_rootndn ) || BER_BVISEMPTY( &be->be_rootndn ) ) {
Log1( LDAP_DEBUG_ANY, LDAP_LEVEL_ERR,
"rdnval_db_init: missing rootdn for database DN=\"%s\", YMMV\n",
be->be_suffix[ 0 ].bv_val );
}
return 0;
}
typedef struct rdnval_mod_t {
struct berval ndn;
BerVarray vals;
BerVarray nvals;
int numvals;
struct rdnval_mod_t *next;
} rdnval_mod_t;
typedef struct {
BackendDB *bd;
rdnval_mod_t *mods;
} rdnval_repair_cb_t;
static int
rdnval_repair_cb( Operation *op, SlapReply *rs )
{
int rc;
rdnval_repair_cb_t *rcb = op->o_callback->sc_private;
rdnval_mod_t *mod;
BerVarray vals = NULL, nvals = NULL;
int numvals = 0;
ber_len_t len;
BackendDB *save_bd = op->o_bd;
switch ( rs->sr_type ) {
case REP_SEARCH:
break;
case REP_SEARCHREF:
case REP_RESULT:
return rs->sr_err;
default:
assert( 0 );
}
assert( rs->sr_entry != NULL );
op->o_bd = rcb->bd;
rc = rdnval_rdn2vals( op, rs, &rs->sr_entry->e_name, &rs->sr_entry->e_nname,
&vals, &nvals, &numvals );
op->o_bd = save_bd;
if ( rc != LDAP_SUCCESS ) {
return 0;
}
len = sizeof( rdnval_mod_t ) + rs->sr_entry->e_nname.bv_len + 1;
mod = op->o_tmpalloc( len, op->o_tmpmemctx );
mod->ndn.bv_len = rs->sr_entry->e_nname.bv_len;
mod->ndn.bv_val = (char *)&mod[1];
lutil_strncopy( mod->ndn.bv_val, rs->sr_entry->e_nname.bv_val, rs->sr_entry->e_nname.bv_len );
mod->vals = vals;
mod->nvals = nvals;
mod->numvals = numvals;
mod->next = rcb->mods;
rcb->mods = mod;
Debug( LDAP_DEBUG_TRACE, "%s: rdnval_repair_cb: scheduling entry DN=\"%s\" for repair\n",
op->o_log_prefix, rs->sr_entry->e_name.bv_val, 0 );
return 0;
}
static int
rdnval_repair( BackendDB *be )
{
slap_overinst *on = (slap_overinst *)be->bd_info;
void *ctx = ldap_pvt_thread_pool_context();
Connection conn = { 0 };
OperationBuffer opbuf;
Operation *op;
BackendDB db;
slap_callback sc = { 0 };
rdnval_repair_cb_t rcb = { 0 };
SlapReply rs = { REP_RESULT };
rdnval_mod_t *rmod;
int nrepaired = 0;
connection_fake_init2( &conn, &opbuf, ctx, 0 );
op = &opbuf.ob_op;
op->o_tag = LDAP_REQ_SEARCH;
memset( &op->oq_search, 0, sizeof( op->oq_search ) );
assert( !BER_BVISNULL( &be->be_nsuffix[ 0 ] ) );
op->o_bd = select_backend( &be->be_nsuffix[ 0 ], 0 );
assert( op->o_bd != NULL );
assert( op->o_bd->be_nsuffix != NULL );
op->o_req_dn = op->o_bd->be_suffix[ 0 ];
op->o_req_ndn = op->o_bd->be_nsuffix[ 0 ];
op->o_dn = op->o_bd->be_rootdn;
op->o_ndn = op->o_bd->be_rootndn;
op->ors_scope = LDAP_SCOPE_SUBTREE;
op->ors_tlimit = SLAP_NO_LIMIT;
op->ors_slimit = SLAP_NO_LIMIT;
op->ors_attrs = slap_anlist_no_attrs;
op->ors_filterstr.bv_len = STRLENOF( "(!(=*))" ) + ad_rdnValue->ad_cname.bv_len;
op->ors_filterstr.bv_val = op->o_tmpalloc( op->ors_filterstr.bv_len + 1, op->o_tmpmemctx );
snprintf( op->ors_filterstr.bv_val, op->ors_filterstr.bv_len + 1,
"(!(%s=*))", ad_rdnValue->ad_cname.bv_val );
op->ors_filter = str2filter_x( op, op->ors_filterstr.bv_val );
if ( op->ors_filter == NULL ) {
rs.sr_err = LDAP_OTHER;
goto done_search;
}
op->o_callback = ≻
sc.sc_response = rdnval_repair_cb;
sc.sc_private = &rcb;
rcb.bd = &db;
db = *be;
db.bd_info = (BackendInfo *)on;
(void)op->o_bd->bd_info->bi_op_search( op, &rs );
op->o_tag = LDAP_REQ_MODIFY;
sc.sc_response = slap_null_cb;
sc.sc_private = NULL;
memset( &op->oq_modify, 0, sizeof( req_modify_s ) );
for ( rmod = rcb.mods; rmod != NULL; ) {
rdnval_mod_t *rnext;
Modifications *mod;
SlapReply rs2 = { REP_RESULT };
mod = (Modifications *) ch_malloc( sizeof( Modifications ) );
mod->sml_flags = SLAP_MOD_INTERNAL;
mod->sml_op = LDAP_MOD_REPLACE;
mod->sml_desc = ad_rdnValue;
mod->sml_type = ad_rdnValue->ad_cname;
mod->sml_values = rmod->vals;
mod->sml_nvalues = rmod->nvals;
mod->sml_numvals = rmod->numvals;
mod->sml_next = NULL;
op->o_req_dn = rmod->ndn;
op->o_req_ndn = rmod->ndn;
op->orm_modlist = mod;
op->o_bd->be_modify( op, &rs2 );
slap_mods_free( op->orm_modlist, 1 );
if ( rs2.sr_err == LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_TRACE, "%s: rdnval_repair: entry DN=\"%s\" repaired\n",
op->o_log_prefix, rmod->ndn.bv_val, 0 );
nrepaired++;
} else {
Debug( LDAP_DEBUG_ANY, "%s: rdnval_repair: entry DN=\"%s\" repair failed (%d)\n",
op->o_log_prefix, rmod->ndn.bv_val, rs2.sr_err );
}
rnext = rmod->next;
op->o_tmpfree( rmod, op->o_tmpmemctx );
rmod = rnext;
}
done_search:;
op->o_tmpfree( op->ors_filterstr.bv_val, op->o_tmpmemctx );
filter_free_x( op, op->ors_filter, 1 );
Log1( LDAP_DEBUG_STATS, LDAP_LEVEL_INFO,
"rdnval: repaired=%d\n", nrepaired );
return 0;
}
/* search all entries without parentUUID; "repair" them */
static int
rdnval_db_open(
BackendDB *be,
ConfigReply *cr )
{
if ( SLAP_SINGLE_SHADOW( be ) ) {
Log1( LDAP_DEBUG_ANY, LDAP_LEVEL_ERR,
"rdnval incompatible with shadow database \"%s\".\n",
be->be_suffix[ 0 ].bv_val );
return 1;
}
return rdnval_repair( be );
}
static struct {
char *desc;
AttributeDescription **adp;
} as[] = {
{ "( 1.3.6.1.4.1.4203.666.1.58 "
"NAME 'rdnValue' "
"DESC 'the value of the naming attributes' "
"SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' "
"EQUALITY caseIgnoreMatch "
"USAGE dSAOperation "
"NO-USER-MODIFICATION "
")",
&ad_rdnValue },
{ NULL }
};
int
rdnval_initialize(void)
{
int code, i;
for ( i = 0; as[ i ].desc != NULL; i++ ) {
code = register_at( as[ i ].desc, as[ i ].adp, 0 );
if ( code ) {
Debug( LDAP_DEBUG_ANY,
"rdnval_initialize: register_at #%d failed\n",
i, 0, 0 );
return code;
}
/* Allow Manager to set these as needed */
if ( is_at_no_user_mod( (*as[ i ].adp)->ad_type ) ) {
(*as[ i ].adp)->ad_type->sat_flags |=
SLAP_AT_MANAGEABLE;
}
}
syn_IA5String = syn_find( "1.3.6.1.4.1.1466.115.121.1.26" );
if ( syn_IA5String == NULL ) {
Debug( LDAP_DEBUG_ANY,
"rdnval_initialize: unable to find syntax '1.3.6.1.4.1.1466.115.121.1.26' (IA5String)\n",
0, 0, 0 );
return LDAP_OTHER;
}
rdnval.on_bi.bi_type = "rdnval";
rdnval.on_bi.bi_op_add = rdnval_op_add;
rdnval.on_bi.bi_op_modrdn = rdnval_op_rename;
rdnval.on_bi.bi_db_init = rdnval_db_init;
rdnval.on_bi.bi_db_open = rdnval_db_open;
return overlay_register( &rdnval );
}
#if SLAPD_OVER_RDNVAL == SLAPD_MOD_DYNAMIC
int
init_module( int argc, char *argv[] )
{
return rdnval_initialize();
}
#endif /* SLAPD_OVER_RDNVAL == SLAPD_MOD_DYNAMIC */
#endif /* SLAPD_OVER_RDNVAL */