1 /* $NetBSD: controls.c,v 1.1.1.2 2010/03/08 02:14:20 lukem Exp $ */ 2 3 /* OpenLDAP: pkg/ldap/servers/slapd/controls.c,v 1.174.2.20 2009/07/27 20:19:18 quanah Exp */ 4 /* This work is part of OpenLDAP Software <http://www.openldap.org/>. 5 * 6 * Copyright 1998-2009 The OpenLDAP Foundation. 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted only as authorized by the OpenLDAP 11 * Public License. 12 * 13 * A copy of this license is available in the file LICENSE in the 14 * top-level directory of the distribution or, alternatively, at 15 * <http://www.OpenLDAP.org/license.html>. 16 */ 17 18 #include "portable.h" 19 20 #include <stdio.h> 21 22 #include <ac/string.h> 23 #include <ac/socket.h> 24 25 #include "slap.h" 26 #include "ldif.h" 27 #include "lutil.h" 28 29 #include "../../libraries/liblber/lber-int.h" 30 31 static SLAP_CTRL_PARSE_FN parseAssert; 32 static SLAP_CTRL_PARSE_FN parseDomainScope; 33 static SLAP_CTRL_PARSE_FN parseDontUseCopy; 34 static SLAP_CTRL_PARSE_FN parseManageDSAit; 35 static SLAP_CTRL_PARSE_FN parseNoOp; 36 static SLAP_CTRL_PARSE_FN parsePagedResults; 37 static SLAP_CTRL_PARSE_FN parsePermissiveModify; 38 static SLAP_CTRL_PARSE_FN parsePreRead, parsePostRead; 39 static SLAP_CTRL_PARSE_FN parseProxyAuthz; 40 static SLAP_CTRL_PARSE_FN parseRelax; 41 static SLAP_CTRL_PARSE_FN parseSearchOptions; 42 #ifdef SLAP_CONTROL_X_SORTEDRESULTS 43 static SLAP_CTRL_PARSE_FN parseSortedResults; 44 #endif 45 static SLAP_CTRL_PARSE_FN parseSubentries; 46 #ifdef SLAP_CONTROL_X_TREE_DELETE 47 static SLAP_CTRL_PARSE_FN parseTreeDelete; 48 #endif 49 static SLAP_CTRL_PARSE_FN parseValuesReturnFilter; 50 #ifdef SLAP_CONTROL_X_SESSION_TRACKING 51 static SLAP_CTRL_PARSE_FN parseSessionTracking; 52 #endif 53 #ifdef SLAP_CONTROL_X_WHATFAILED 54 static SLAP_CTRL_PARSE_FN parseWhatFailed; 55 #endif 56 57 #undef sc_mask /* avoid conflict with Irix 6.5 <sys/signal.h> */ 58 59 const struct berval slap_pre_read_bv = BER_BVC(LDAP_CONTROL_PRE_READ); 60 const struct berval slap_post_read_bv = BER_BVC(LDAP_CONTROL_POST_READ); 61 62 struct slap_control_ids slap_cids; 63 64 struct slap_control { 65 /* Control OID */ 66 char *sc_oid; 67 68 /* The controlID for this control */ 69 int sc_cid; 70 71 /* Operations supported by control */ 72 slap_mask_t sc_mask; 73 74 /* Extended operations supported by control */ 75 char **sc_extendedops; /* input */ 76 BerVarray sc_extendedopsbv; /* run-time use */ 77 78 /* Control parsing callback */ 79 SLAP_CTRL_PARSE_FN *sc_parse; 80 81 LDAP_SLIST_ENTRY(slap_control) sc_next; 82 }; 83 84 static LDAP_SLIST_HEAD(ControlsList, slap_control) controls_list 85 = LDAP_SLIST_HEAD_INITIALIZER(&controls_list); 86 87 /* 88 * all known request control OIDs should be added to this list 89 */ 90 /* 91 * NOTE: initialize num_known_controls to 1 so that cid = 0 always 92 * addresses an undefined control; this allows to safely test for 93 * well known controls even if they are not registered, e.g. if 94 * they get moved to modules. An example is sc_LDAPsync, which 95 * is implemented in the syncprov overlay and thus, if configured 96 * as dynamic module, may not be registered. One side effect is that 97 * slap_known_controls[0] == NULL, so it should always be used 98 * starting from 1. 99 * FIXME: should we define the "undefined control" oid? 100 */ 101 char *slap_known_controls[SLAP_MAX_CIDS+1]; 102 static int num_known_controls = 1; 103 104 static char *proxy_authz_extops[] = { 105 LDAP_EXOP_MODIFY_PASSWD, 106 LDAP_EXOP_WHO_AM_I, 107 LDAP_EXOP_REFRESH, 108 NULL 109 }; 110 111 static char *manageDSAit_extops[] = { 112 LDAP_EXOP_REFRESH, 113 NULL 114 }; 115 116 #ifdef SLAP_CONTROL_X_SESSION_TRACKING 117 static char *session_tracking_extops[] = { 118 LDAP_EXOP_MODIFY_PASSWD, 119 LDAP_EXOP_WHO_AM_I, 120 LDAP_EXOP_REFRESH, 121 NULL 122 }; 123 #endif 124 125 static struct slap_control control_defs[] = { 126 { LDAP_CONTROL_ASSERT, 127 (int)offsetof(struct slap_control_ids, sc_assert), 128 SLAP_CTRL_UPDATE|SLAP_CTRL_COMPARE|SLAP_CTRL_SEARCH, 129 NULL, NULL, 130 parseAssert, LDAP_SLIST_ENTRY_INITIALIZER(next) }, 131 { LDAP_CONTROL_PRE_READ, 132 (int)offsetof(struct slap_control_ids, sc_preRead), 133 SLAP_CTRL_DELETE|SLAP_CTRL_MODIFY|SLAP_CTRL_RENAME, 134 NULL, NULL, 135 parsePreRead, LDAP_SLIST_ENTRY_INITIALIZER(next) }, 136 { LDAP_CONTROL_POST_READ, 137 (int)offsetof(struct slap_control_ids, sc_postRead), 138 SLAP_CTRL_ADD|SLAP_CTRL_MODIFY|SLAP_CTRL_RENAME, 139 NULL, NULL, 140 parsePostRead, LDAP_SLIST_ENTRY_INITIALIZER(next) }, 141 { LDAP_CONTROL_VALUESRETURNFILTER, 142 (int)offsetof(struct slap_control_ids, sc_valuesReturnFilter), 143 SLAP_CTRL_GLOBAL|SLAP_CTRL_SEARCH, 144 NULL, NULL, 145 parseValuesReturnFilter, LDAP_SLIST_ENTRY_INITIALIZER(next) }, 146 { LDAP_CONTROL_PAGEDRESULTS, 147 (int)offsetof(struct slap_control_ids, sc_pagedResults), 148 SLAP_CTRL_SEARCH, 149 NULL, NULL, 150 parsePagedResults, LDAP_SLIST_ENTRY_INITIALIZER(next) }, 151 #ifdef SLAP_CONTROL_X_SORTEDRESULTS 152 { LDAP_CONTROL_SORTREQUEST, 153 (int)offsetof(struct slap_control_ids, sc_sortedResults), 154 SLAP_CTRL_GLOBAL|SLAP_CTRL_SEARCH|SLAP_CTRL_HIDE, 155 NULL, NULL, 156 parseSortedResults, LDAP_SLIST_ENTRY_INITIALIZER(next) }, 157 #endif 158 { LDAP_CONTROL_X_DOMAIN_SCOPE, 159 (int)offsetof(struct slap_control_ids, sc_domainScope), 160 SLAP_CTRL_GLOBAL|SLAP_CTRL_SEARCH|SLAP_CTRL_HIDE, 161 NULL, NULL, 162 parseDomainScope, LDAP_SLIST_ENTRY_INITIALIZER(next) }, 163 { LDAP_CONTROL_DONTUSECOPY, 164 (int)offsetof(struct slap_control_ids, sc_dontUseCopy), 165 SLAP_CTRL_GLOBAL|SLAP_CTRL_INTROGATE|SLAP_CTRL_HIDE, 166 NULL, NULL, 167 parseDontUseCopy, LDAP_SLIST_ENTRY_INITIALIZER(next) }, 168 { LDAP_CONTROL_X_PERMISSIVE_MODIFY, 169 (int)offsetof(struct slap_control_ids, sc_permissiveModify), 170 SLAP_CTRL_MODIFY|SLAP_CTRL_HIDE, 171 NULL, NULL, 172 parsePermissiveModify, LDAP_SLIST_ENTRY_INITIALIZER(next) }, 173 #ifdef SLAP_CONTROL_X_TREE_DELETE 174 { LDAP_CONTROL_X_TREE_DELETE, 175 (int)offsetof(struct slap_control_ids, sc_treeDelete), 176 SLAP_CTRL_DELETE|SLAP_CTRL_HIDE, 177 NULL, NULL, 178 parseTreeDelete, LDAP_SLIST_ENTRY_INITIALIZER(next) }, 179 #endif 180 { LDAP_CONTROL_X_SEARCH_OPTIONS, 181 (int)offsetof(struct slap_control_ids, sc_searchOptions), 182 SLAP_CTRL_GLOBAL|SLAP_CTRL_SEARCH|SLAP_CTRL_HIDE, 183 NULL, NULL, 184 parseSearchOptions, LDAP_SLIST_ENTRY_INITIALIZER(next) }, 185 { LDAP_CONTROL_SUBENTRIES, 186 (int)offsetof(struct slap_control_ids, sc_subentries), 187 SLAP_CTRL_SEARCH, 188 NULL, NULL, 189 parseSubentries, LDAP_SLIST_ENTRY_INITIALIZER(next) }, 190 { LDAP_CONTROL_NOOP, 191 (int)offsetof(struct slap_control_ids, sc_noOp), 192 SLAP_CTRL_ACCESS|SLAP_CTRL_HIDE, 193 NULL, NULL, 194 parseNoOp, LDAP_SLIST_ENTRY_INITIALIZER(next) }, 195 { LDAP_CONTROL_RELAX, 196 (int)offsetof(struct slap_control_ids, sc_relax), 197 SLAP_CTRL_GLOBAL|SLAP_CTRL_UPDATE|SLAP_CTRL_HIDE, 198 NULL, NULL, 199 parseRelax, LDAP_SLIST_ENTRY_INITIALIZER(next) }, 200 #ifdef LDAP_X_TXN 201 { LDAP_CONTROL_X_TXN_SPEC, 202 (int)offsetof(struct slap_control_ids, sc_txnSpec), 203 SLAP_CTRL_UPDATE|SLAP_CTRL_HIDE, 204 NULL, NULL, 205 txn_spec_ctrl, LDAP_SLIST_ENTRY_INITIALIZER(next) }, 206 #endif 207 { LDAP_CONTROL_MANAGEDSAIT, 208 (int)offsetof(struct slap_control_ids, sc_manageDSAit), 209 SLAP_CTRL_ACCESS, 210 manageDSAit_extops, NULL, 211 parseManageDSAit, LDAP_SLIST_ENTRY_INITIALIZER(next) }, 212 { LDAP_CONTROL_PROXY_AUTHZ, 213 (int)offsetof(struct slap_control_ids, sc_proxyAuthz), 214 SLAP_CTRL_GLOBAL|SLAP_CTRL_ACCESS, 215 proxy_authz_extops, NULL, 216 parseProxyAuthz, LDAP_SLIST_ENTRY_INITIALIZER(next) }, 217 #ifdef SLAP_CONTROL_X_SESSION_TRACKING 218 { LDAP_CONTROL_X_SESSION_TRACKING, 219 (int)offsetof(struct slap_control_ids, sc_sessionTracking), 220 SLAP_CTRL_GLOBAL|SLAP_CTRL_ACCESS|SLAP_CTRL_BIND|SLAP_CTRL_HIDE, 221 session_tracking_extops, NULL, 222 parseSessionTracking, LDAP_SLIST_ENTRY_INITIALIZER(next) }, 223 #endif 224 #ifdef SLAP_CONTROL_X_WHATFAILED 225 { LDAP_CONTROL_X_WHATFAILED, 226 (int)offsetof(struct slap_control_ids, sc_whatFailed), 227 SLAP_CTRL_GLOBAL|SLAP_CTRL_ACCESS|SLAP_CTRL_HIDE, 228 NULL, NULL, 229 parseWhatFailed, LDAP_SLIST_ENTRY_INITIALIZER(next) }, 230 #endif 231 232 { NULL, 0, 0, NULL, 0, NULL, LDAP_SLIST_ENTRY_INITIALIZER(next) } 233 }; 234 235 static struct slap_control * 236 find_ctrl( const char *oid ); 237 238 /* 239 * Register a supported control. 240 * 241 * This can be called by an OpenLDAP plugin or, indirectly, by a 242 * SLAPI plugin calling slapi_register_supported_control(). 243 * 244 * NOTE: if flags == 1 the control is replaced if already registered; 245 * otherwise registering an already registered control is not allowed. 246 */ 247 int 248 register_supported_control2(const char *controloid, 249 slap_mask_t controlmask, 250 char **controlexops, 251 SLAP_CTRL_PARSE_FN *controlparsefn, 252 unsigned flags, 253 int *controlcid) 254 { 255 struct slap_control *sc = NULL; 256 int i; 257 BerVarray extendedopsbv = NULL; 258 259 if ( num_known_controls >= SLAP_MAX_CIDS ) { 260 Debug( LDAP_DEBUG_ANY, "Too many controls registered." 261 " Recompile slapd with SLAP_MAX_CIDS defined > %d\n", 262 SLAP_MAX_CIDS, 0, 0 ); 263 return LDAP_OTHER; 264 } 265 266 if ( controloid == NULL ) { 267 return LDAP_PARAM_ERROR; 268 } 269 270 /* check if already registered */ 271 for ( i = 0; slap_known_controls[ i ]; i++ ) { 272 if ( strcmp( controloid, slap_known_controls[ i ] ) == 0 ) { 273 if ( flags == 1 ) { 274 Debug( LDAP_DEBUG_TRACE, 275 "Control %s already registered; replacing.\n", 276 controloid, 0, 0 ); 277 /* (find and) replace existing handler */ 278 sc = find_ctrl( controloid ); 279 assert( sc != NULL ); 280 break; 281 } 282 283 Debug( LDAP_DEBUG_ANY, 284 "Control %s already registered.\n", 285 controloid, 0, 0 ); 286 return LDAP_PARAM_ERROR; 287 } 288 } 289 290 /* turn compatible extended operations into bervals */ 291 if ( controlexops != NULL ) { 292 int i; 293 294 for ( i = 0; controlexops[ i ]; i++ ); 295 296 extendedopsbv = ber_memcalloc( i + 1, sizeof( struct berval ) ); 297 if ( extendedopsbv == NULL ) { 298 return LDAP_NO_MEMORY; 299 } 300 301 for ( i = 0; controlexops[ i ]; i++ ) { 302 ber_str2bv( controlexops[ i ], 0, 1, &extendedopsbv[ i ] ); 303 } 304 } 305 306 if ( sc == NULL ) { 307 sc = (struct slap_control *)SLAP_MALLOC( sizeof( *sc ) ); 308 if ( sc == NULL ) { 309 return LDAP_NO_MEMORY; 310 } 311 312 sc->sc_oid = ch_strdup( controloid ); 313 sc->sc_cid = num_known_controls; 314 315 /* Update slap_known_controls, too. */ 316 slap_known_controls[num_known_controls - 1] = sc->sc_oid; 317 slap_known_controls[num_known_controls++] = NULL; 318 319 LDAP_SLIST_NEXT( sc, sc_next ) = NULL; 320 LDAP_SLIST_INSERT_HEAD( &controls_list, sc, sc_next ); 321 322 } else { 323 if ( sc->sc_extendedopsbv ) { 324 /* FIXME: in principle, we should rather merge 325 * existing extops with those supported by the 326 * new control handling implementation. 327 * In fact, whether a control is compatible with 328 * an extop should not be a matter of implementation. 329 * We likely also need a means for a newly 330 * registered extop to declare that it is 331 * comptible with an already registered control. 332 */ 333 ber_bvarray_free( sc->sc_extendedopsbv ); 334 sc->sc_extendedopsbv = NULL; 335 sc->sc_extendedops = NULL; 336 } 337 } 338 339 sc->sc_extendedopsbv = extendedopsbv; 340 sc->sc_mask = controlmask; 341 sc->sc_parse = controlparsefn; 342 if ( controlcid ) { 343 *controlcid = sc->sc_cid; 344 } 345 346 return LDAP_SUCCESS; 347 } 348 349 /* 350 * One-time initialization of internal controls. 351 */ 352 int 353 slap_controls_init( void ) 354 { 355 int i, rc; 356 357 rc = LDAP_SUCCESS; 358 359 for ( i = 0; control_defs[i].sc_oid != NULL; i++ ) { 360 int *cid = (int *)(((char *)&slap_cids) + control_defs[i].sc_cid ); 361 rc = register_supported_control( control_defs[i].sc_oid, 362 control_defs[i].sc_mask, control_defs[i].sc_extendedops, 363 control_defs[i].sc_parse, cid ); 364 if ( rc != LDAP_SUCCESS ) break; 365 } 366 367 return rc; 368 } 369 370 /* 371 * Free memory associated with list of supported controls. 372 */ 373 void 374 controls_destroy( void ) 375 { 376 struct slap_control *sc; 377 378 while ( !LDAP_SLIST_EMPTY(&controls_list) ) { 379 sc = LDAP_SLIST_FIRST(&controls_list); 380 LDAP_SLIST_REMOVE_HEAD(&controls_list, sc_next); 381 382 ch_free( sc->sc_oid ); 383 if ( sc->sc_extendedopsbv != NULL ) { 384 ber_bvarray_free( sc->sc_extendedopsbv ); 385 } 386 ch_free( sc ); 387 } 388 } 389 390 /* 391 * Format the supportedControl attribute of the root DSE, 392 * detailing which controls are supported by the directory 393 * server. 394 */ 395 int 396 controls_root_dse_info( Entry *e ) 397 { 398 AttributeDescription *ad_supportedControl 399 = slap_schema.si_ad_supportedControl; 400 struct berval vals[2]; 401 struct slap_control *sc; 402 403 vals[1].bv_val = NULL; 404 vals[1].bv_len = 0; 405 406 LDAP_SLIST_FOREACH( sc, &controls_list, sc_next ) { 407 if( sc->sc_mask & SLAP_CTRL_HIDE ) continue; 408 409 vals[0].bv_val = sc->sc_oid; 410 vals[0].bv_len = strlen( sc->sc_oid ); 411 412 if ( attr_merge( e, ad_supportedControl, vals, NULL ) ) { 413 return -1; 414 } 415 } 416 417 return 0; 418 } 419 420 /* 421 * Return a list of OIDs and operation masks for supported 422 * controls. Used by SLAPI. 423 */ 424 int 425 get_supported_controls(char ***ctrloidsp, 426 slap_mask_t **ctrlmasks) 427 { 428 int n; 429 char **oids; 430 slap_mask_t *masks; 431 struct slap_control *sc; 432 433 n = 0; 434 435 LDAP_SLIST_FOREACH( sc, &controls_list, sc_next ) { 436 n++; 437 } 438 439 if ( n == 0 ) { 440 *ctrloidsp = NULL; 441 *ctrlmasks = NULL; 442 return LDAP_SUCCESS; 443 } 444 445 oids = (char **)SLAP_MALLOC( (n + 1) * sizeof(char *) ); 446 if ( oids == NULL ) { 447 return LDAP_NO_MEMORY; 448 } 449 masks = (slap_mask_t *)SLAP_MALLOC( (n + 1) * sizeof(slap_mask_t) ); 450 if ( masks == NULL ) { 451 SLAP_FREE( oids ); 452 return LDAP_NO_MEMORY; 453 } 454 455 n = 0; 456 457 LDAP_SLIST_FOREACH( sc, &controls_list, sc_next ) { 458 oids[n] = ch_strdup( sc->sc_oid ); 459 masks[n] = sc->sc_mask; 460 n++; 461 } 462 oids[n] = NULL; 463 masks[n] = 0; 464 465 *ctrloidsp = oids; 466 *ctrlmasks = masks; 467 468 return LDAP_SUCCESS; 469 } 470 471 /* 472 * Find a control given its OID. 473 */ 474 static struct slap_control * 475 find_ctrl( const char *oid ) 476 { 477 struct slap_control *sc; 478 479 LDAP_SLIST_FOREACH( sc, &controls_list, sc_next ) { 480 if ( strcmp( oid, sc->sc_oid ) == 0 ) { 481 return sc; 482 } 483 } 484 485 return NULL; 486 } 487 488 int 489 slap_find_control_id( 490 const char *oid, 491 int *cid ) 492 { 493 struct slap_control *ctrl = find_ctrl( oid ); 494 if ( ctrl ) { 495 if ( cid ) *cid = ctrl->sc_cid; 496 return LDAP_SUCCESS; 497 } 498 return LDAP_CONTROL_NOT_FOUND; 499 } 500 501 int 502 slap_global_control( Operation *op, const char *oid, int *cid ) 503 { 504 struct slap_control *ctrl = find_ctrl( oid ); 505 506 if ( ctrl == NULL ) { 507 /* should not be reachable */ 508 Debug( LDAP_DEBUG_ANY, 509 "slap_global_control: unrecognized control: %s\n", 510 oid, 0, 0 ); 511 return LDAP_CONTROL_NOT_FOUND; 512 } 513 514 if ( cid ) *cid = ctrl->sc_cid; 515 516 if ( ( ctrl->sc_mask & SLAP_CTRL_GLOBAL ) || 517 ( ( op->o_tag & LDAP_REQ_SEARCH ) && 518 ( ctrl->sc_mask & SLAP_CTRL_GLOBAL_SEARCH ) ) ) 519 { 520 return LDAP_COMPARE_TRUE; 521 } 522 523 #if 0 524 Debug( LDAP_DEBUG_TRACE, 525 "slap_global_control: unavailable control: %s\n", 526 oid, 0, 0 ); 527 #endif 528 529 return LDAP_COMPARE_FALSE; 530 } 531 532 void slap_free_ctrls( 533 Operation *op, 534 LDAPControl **ctrls ) 535 { 536 int i; 537 538 for (i=0; ctrls[i]; i++) { 539 op->o_tmpfree(ctrls[i], op->o_tmpmemctx ); 540 } 541 op->o_tmpfree( ctrls, op->o_tmpmemctx ); 542 } 543 544 int slap_add_ctrls( 545 Operation *op, 546 SlapReply *rs, 547 LDAPControl **ctrls ) 548 { 549 int i = 0, j; 550 LDAPControl **ctrlsp; 551 552 if ( rs->sr_ctrls ) { 553 for ( ; rs->sr_ctrls[ i ]; i++ ) ; 554 } 555 556 for ( j=0; ctrls[j]; j++ ) ; 557 558 ctrlsp = op->o_tmpalloc(( i+j+1 )*sizeof(LDAPControl *), op->o_tmpmemctx ); 559 i = 0; 560 if ( rs->sr_ctrls ) { 561 for ( ; rs->sr_ctrls[i]; i++ ) 562 ctrlsp[i] = rs->sr_ctrls[i]; 563 } 564 for ( j=0; ctrls[j]; j++) 565 ctrlsp[i++] = ctrls[j]; 566 ctrlsp[i] = NULL; 567 568 if ( rs->sr_flags & REP_CTRLS_MUSTBEFREED ) 569 op->o_tmpfree( rs->sr_ctrls, op->o_tmpmemctx ); 570 rs->sr_ctrls = ctrlsp; 571 rs->sr_flags |= REP_CTRLS_MUSTBEFREED; 572 return i; 573 } 574 575 int slap_parse_ctrl( 576 Operation *op, 577 SlapReply *rs, 578 LDAPControl *control, 579 const char **text ) 580 { 581 struct slap_control *sc; 582 int rc = LDAP_SUCCESS; 583 584 sc = find_ctrl( control->ldctl_oid ); 585 if( sc != NULL ) { 586 /* recognized control */ 587 slap_mask_t tagmask; 588 switch( op->o_tag ) { 589 case LDAP_REQ_ADD: 590 tagmask = SLAP_CTRL_ADD; 591 break; 592 case LDAP_REQ_BIND: 593 tagmask = SLAP_CTRL_BIND; 594 break; 595 case LDAP_REQ_COMPARE: 596 tagmask = SLAP_CTRL_COMPARE; 597 break; 598 case LDAP_REQ_DELETE: 599 tagmask = SLAP_CTRL_DELETE; 600 break; 601 case LDAP_REQ_MODIFY: 602 tagmask = SLAP_CTRL_MODIFY; 603 break; 604 case LDAP_REQ_RENAME: 605 tagmask = SLAP_CTRL_RENAME; 606 break; 607 case LDAP_REQ_SEARCH: 608 tagmask = SLAP_CTRL_SEARCH; 609 break; 610 case LDAP_REQ_UNBIND: 611 tagmask = SLAP_CTRL_UNBIND; 612 break; 613 case LDAP_REQ_ABANDON: 614 tagmask = SLAP_CTRL_ABANDON; 615 break; 616 case LDAP_REQ_EXTENDED: 617 tagmask=~0L; 618 assert( op->ore_reqoid.bv_val != NULL ); 619 if( sc->sc_extendedopsbv != NULL ) { 620 int i; 621 for( i=0; !BER_BVISNULL( &sc->sc_extendedopsbv[i] ); i++ ) { 622 if( bvmatch( &op->ore_reqoid, 623 &sc->sc_extendedopsbv[i] ) ) 624 { 625 tagmask=0L; 626 break; 627 } 628 } 629 } 630 break; 631 default: 632 *text = "controls internal error"; 633 return LDAP_OTHER; 634 } 635 636 if (( sc->sc_mask & tagmask ) == tagmask ) { 637 /* available extension */ 638 if ( sc->sc_parse ) { 639 rc = sc->sc_parse( op, rs, control ); 640 assert( rc != LDAP_UNAVAILABLE_CRITICAL_EXTENSION ); 641 642 } else if ( control->ldctl_iscritical ) { 643 *text = "not yet implemented"; 644 rc = LDAP_OTHER; 645 } 646 647 648 } else if ( control->ldctl_iscritical ) { 649 /* unavailable CRITICAL control */ 650 *text = "critical extension is unavailable"; 651 rc = LDAP_UNAVAILABLE_CRITICAL_EXTENSION; 652 } 653 654 } else if ( control->ldctl_iscritical ) { 655 /* unrecognized CRITICAL control */ 656 *text = "critical extension is not recognized"; 657 rc = LDAP_UNAVAILABLE_CRITICAL_EXTENSION; 658 } 659 660 return rc; 661 } 662 663 int get_ctrls( 664 Operation *op, 665 SlapReply *rs, 666 int sendres ) 667 { 668 int nctrls = 0; 669 ber_tag_t tag; 670 ber_len_t len; 671 char *opaque; 672 BerElement *ber = op->o_ber; 673 struct berval bv; 674 #ifdef SLAP_CONTROL_X_WHATFAILED 675 /* NOTE: right now, slapd checks the validity of each control 676 * while parsing. As a consequence, it can only detect one 677 * cause of failure at a time. This results in returning 678 * exactly one OID with the whatFailed control, or no control 679 * at all. 680 */ 681 char *failed_oid = NULL; 682 #endif 683 684 len = ber_pvt_ber_remaining(ber); 685 686 if( len == 0) { 687 /* no controls */ 688 rs->sr_err = LDAP_SUCCESS; 689 return rs->sr_err; 690 } 691 692 if(( tag = ber_peek_tag( ber, &len )) != LDAP_TAG_CONTROLS ) { 693 if( tag == LBER_ERROR ) { 694 rs->sr_err = SLAPD_DISCONNECT; 695 rs->sr_text = "unexpected data in PDU"; 696 } 697 698 goto return_results; 699 } 700 701 Debug( LDAP_DEBUG_TRACE, 702 "=> get_ctrls\n", 0, 0, 0 ); 703 704 if( op->o_protocol < LDAP_VERSION3 ) { 705 rs->sr_err = SLAPD_DISCONNECT; 706 rs->sr_text = "controls require LDAPv3"; 707 goto return_results; 708 } 709 710 /* one for first control, one for termination */ 711 op->o_ctrls = op->o_tmpalloc( 2 * sizeof(LDAPControl *), op->o_tmpmemctx ); 712 713 #if 0 714 if( op->ctrls == NULL ) { 715 rs->sr_err = LDAP_NO_MEMORY; 716 rs->sr_text = "no memory"; 717 goto return_results; 718 } 719 #endif 720 721 op->o_ctrls[nctrls] = NULL; 722 723 /* step through each element */ 724 for( tag = ber_first_element( ber, &len, &opaque ); 725 tag != LBER_ERROR; 726 tag = ber_next_element( ber, &len, opaque ) ) 727 { 728 LDAPControl *c; 729 LDAPControl **tctrls; 730 731 c = op->o_tmpalloc( sizeof(LDAPControl), op->o_tmpmemctx ); 732 memset(c, 0, sizeof(LDAPControl)); 733 734 /* allocate pointer space for current controls (nctrls) 735 * + this control + extra NULL 736 */ 737 tctrls = op->o_tmprealloc( op->o_ctrls, 738 (nctrls+2) * sizeof(LDAPControl *), op->o_tmpmemctx ); 739 740 #if 0 741 if( tctrls == NULL ) { 742 ch_free( c ); 743 ldap_controls_free(op->o_ctrls); 744 op->o_ctrls = NULL; 745 746 rs->sr_err = LDAP_NO_MEMORY; 747 rs->sr_text = "no memory"; 748 goto return_results; 749 } 750 #endif 751 op->o_ctrls = tctrls; 752 753 op->o_ctrls[nctrls++] = c; 754 op->o_ctrls[nctrls] = NULL; 755 756 tag = ber_scanf( ber, "{m" /*}*/, &bv ); 757 c->ldctl_oid = bv.bv_val; 758 759 if( tag == LBER_ERROR ) { 760 Debug( LDAP_DEBUG_TRACE, "=> get_ctrls: get oid failed.\n", 761 0, 0, 0 ); 762 763 slap_free_ctrls( op, op->o_ctrls ); 764 op->o_ctrls = NULL; 765 rs->sr_err = SLAPD_DISCONNECT; 766 rs->sr_text = "decoding controls error"; 767 goto return_results; 768 769 } else if( c->ldctl_oid == NULL ) { 770 Debug( LDAP_DEBUG_TRACE, 771 "get_ctrls: conn %lu got emtpy OID.\n", 772 op->o_connid, 0, 0 ); 773 774 slap_free_ctrls( op, op->o_ctrls ); 775 op->o_ctrls = NULL; 776 rs->sr_err = LDAP_PROTOCOL_ERROR; 777 rs->sr_text = "OID field is empty"; 778 goto return_results; 779 } 780 781 tag = ber_peek_tag( ber, &len ); 782 783 if( tag == LBER_BOOLEAN ) { 784 ber_int_t crit; 785 tag = ber_scanf( ber, "b", &crit ); 786 787 if( tag == LBER_ERROR ) { 788 Debug( LDAP_DEBUG_TRACE, "=> get_ctrls: get crit failed.\n", 789 0, 0, 0 ); 790 slap_free_ctrls( op, op->o_ctrls ); 791 op->o_ctrls = NULL; 792 rs->sr_err = SLAPD_DISCONNECT; 793 rs->sr_text = "decoding controls error"; 794 goto return_results; 795 } 796 797 c->ldctl_iscritical = (crit != 0); 798 tag = ber_peek_tag( ber, &len ); 799 } 800 801 if( tag == LBER_OCTETSTRING ) { 802 tag = ber_scanf( ber, "m", &c->ldctl_value ); 803 804 if( tag == LBER_ERROR ) { 805 Debug( LDAP_DEBUG_TRACE, "=> get_ctrls: conn %lu: " 806 "%s (%scritical): get value failed.\n", 807 op->o_connid, c->ldctl_oid, 808 c->ldctl_iscritical ? "" : "non" ); 809 slap_free_ctrls( op, op->o_ctrls ); 810 op->o_ctrls = NULL; 811 rs->sr_err = SLAPD_DISCONNECT; 812 rs->sr_text = "decoding controls error"; 813 goto return_results; 814 } 815 } 816 817 Debug( LDAP_DEBUG_TRACE, 818 "=> get_ctrls: oid=\"%s\" (%scritical)\n", 819 c->ldctl_oid, c->ldctl_iscritical ? "" : "non", 0 ); 820 821 rs->sr_err = slap_parse_ctrl( op, rs, c, &rs->sr_text ); 822 if ( rs->sr_err != LDAP_SUCCESS ) { 823 #ifdef SLAP_CONTROL_X_WHATFAILED 824 failed_oid = c->ldctl_oid; 825 #endif 826 goto return_results; 827 } 828 } 829 830 return_results: 831 Debug( LDAP_DEBUG_TRACE, 832 "<= get_ctrls: n=%d rc=%d err=\"%s\"\n", 833 nctrls, rs->sr_err, rs->sr_text ? rs->sr_text : ""); 834 835 if( sendres && rs->sr_err != LDAP_SUCCESS ) { 836 if( rs->sr_err == SLAPD_DISCONNECT ) { 837 rs->sr_err = LDAP_PROTOCOL_ERROR; 838 send_ldap_disconnect( op, rs ); 839 rs->sr_err = SLAPD_DISCONNECT; 840 } else { 841 #ifdef SLAP_CONTROL_X_WHATFAILED 842 /* might have not been parsed yet? */ 843 if ( failed_oid != NULL ) { 844 if ( !get_whatFailed( op ) ) { 845 /* look it up */ 846 847 /* step through each remaining element */ 848 for ( ; tag != LBER_ERROR; tag = ber_next_element( ber, &len, opaque ) ) 849 { 850 LDAPControl c = { 0 }; 851 852 tag = ber_scanf( ber, "{m" /*}*/, &bv ); 853 c.ldctl_oid = bv.bv_val; 854 855 if ( tag == LBER_ERROR ) { 856 slap_free_ctrls( op, op->o_ctrls ); 857 op->o_ctrls = NULL; 858 break; 859 860 } else if ( c.ldctl_oid == NULL ) { 861 slap_free_ctrls( op, op->o_ctrls ); 862 op->o_ctrls = NULL; 863 break; 864 } 865 866 tag = ber_peek_tag( ber, &len ); 867 if ( tag == LBER_BOOLEAN ) { 868 ber_int_t crit; 869 tag = ber_scanf( ber, "b", &crit ); 870 if( tag == LBER_ERROR ) { 871 slap_free_ctrls( op, op->o_ctrls ); 872 op->o_ctrls = NULL; 873 break; 874 } 875 876 tag = ber_peek_tag( ber, &len ); 877 } 878 879 if ( tag == LBER_OCTETSTRING ) { 880 tag = ber_scanf( ber, "m", &c.ldctl_value ); 881 882 if( tag == LBER_ERROR ) { 883 slap_free_ctrls( op, op->o_ctrls ); 884 op->o_ctrls = NULL; 885 break; 886 } 887 } 888 889 if ( strcmp( c.ldctl_oid, LDAP_CONTROL_X_WHATFAILED ) == 0 ) { 890 const char *text; 891 slap_parse_ctrl( op, rs, &c, &text ); 892 break; 893 } 894 } 895 } 896 897 if ( get_whatFailed( op ) ) { 898 char *oids[ 2 ]; 899 oids[ 0 ] = failed_oid; 900 oids[ 1 ] = NULL; 901 slap_ctrl_whatFailed_add( op, rs, oids ); 902 } 903 } 904 #endif 905 906 send_ldap_result( op, rs ); 907 } 908 } 909 910 return rs->sr_err; 911 } 912 913 int 914 slap_remove_control( 915 Operation *op, 916 SlapReply *rs, 917 int ctrl, 918 BI_chk_controls fnc ) 919 { 920 int i, j; 921 922 switch ( op->o_ctrlflag[ ctrl ] ) { 923 case SLAP_CONTROL_NONCRITICAL: 924 for ( i = 0, j = -1; op->o_ctrls[ i ] != NULL; i++ ) { 925 if ( strcmp( op->o_ctrls[ i ]->ldctl_oid, 926 slap_known_controls[ ctrl - 1 ] ) == 0 ) 927 { 928 j = i; 929 } 930 } 931 932 if ( j == -1 ) { 933 rs->sr_err = LDAP_OTHER; 934 break; 935 } 936 937 if ( fnc ) { 938 (void)fnc( op, rs ); 939 } 940 941 op->o_tmpfree( op->o_ctrls[ j ], op->o_tmpmemctx ); 942 943 if ( i > 1 ) { 944 AC_MEMCPY( &op->o_ctrls[ j ], &op->o_ctrls[ j + 1 ], 945 ( i - j ) * sizeof( LDAPControl * ) ); 946 947 } else { 948 op->o_tmpfree( op->o_ctrls, op->o_tmpmemctx ); 949 op->o_ctrls = NULL; 950 } 951 952 op->o_ctrlflag[ ctrl ] = SLAP_CONTROL_IGNORED; 953 954 Debug( LDAP_DEBUG_ANY, "%s: " 955 "non-critical control \"%s\" not supported; stripped.\n", 956 op->o_log_prefix, slap_known_controls[ ctrl ], 0 ); 957 /* fall thru */ 958 959 case SLAP_CONTROL_IGNORED: 960 case SLAP_CONTROL_NONE: 961 rs->sr_err = SLAP_CB_CONTINUE; 962 break; 963 964 case SLAP_CONTROL_CRITICAL: 965 rs->sr_err = LDAP_UNAVAILABLE_CRITICAL_EXTENSION; 966 if ( fnc ) { 967 (void)fnc( op, rs ); 968 } 969 Debug( LDAP_DEBUG_ANY, "%s: " 970 "critical control \"%s\" not supported.\n", 971 op->o_log_prefix, slap_known_controls[ ctrl ], 0 ); 972 break; 973 974 default: 975 /* handle all cases! */ 976 assert( 0 ); 977 } 978 979 return rs->sr_err; 980 } 981 982 static int parseDontUseCopy ( 983 Operation *op, 984 SlapReply *rs, 985 LDAPControl *ctrl ) 986 { 987 if ( op->o_dontUseCopy != SLAP_CONTROL_NONE ) { 988 rs->sr_text = "dontUseCopy control specified multiple times"; 989 return LDAP_PROTOCOL_ERROR; 990 } 991 992 if ( !BER_BVISNULL( &ctrl->ldctl_value )) { 993 rs->sr_text = "dontUseCopy control value not absent"; 994 return LDAP_PROTOCOL_ERROR; 995 } 996 997 if ( ( global_disallows & SLAP_DISALLOW_DONTUSECOPY_N_CRIT ) 998 && !ctrl->ldctl_iscritical ) 999 { 1000 rs->sr_text = "dontUseCopy criticality of FALSE not allowed"; 1001 return LDAP_PROTOCOL_ERROR; 1002 } 1003 1004 op->o_dontUseCopy = ctrl->ldctl_iscritical 1005 ? SLAP_CONTROL_CRITICAL 1006 : SLAP_CONTROL_NONCRITICAL; 1007 1008 return LDAP_SUCCESS; 1009 } 1010 1011 static int parseRelax ( 1012 Operation *op, 1013 SlapReply *rs, 1014 LDAPControl *ctrl ) 1015 { 1016 if ( op->o_relax != SLAP_CONTROL_NONE ) { 1017 rs->sr_text = "relax control specified multiple times"; 1018 return LDAP_PROTOCOL_ERROR; 1019 } 1020 1021 if ( !BER_BVISNULL( &ctrl->ldctl_value )) { 1022 rs->sr_text = "relax control value not absent"; 1023 return LDAP_PROTOCOL_ERROR; 1024 } 1025 1026 op->o_relax = ctrl->ldctl_iscritical 1027 ? SLAP_CONTROL_CRITICAL 1028 : SLAP_CONTROL_NONCRITICAL; 1029 1030 return LDAP_SUCCESS; 1031 } 1032 1033 static int parseManageDSAit ( 1034 Operation *op, 1035 SlapReply *rs, 1036 LDAPControl *ctrl ) 1037 { 1038 if ( op->o_managedsait != SLAP_CONTROL_NONE ) { 1039 rs->sr_text = "manageDSAit control specified multiple times"; 1040 return LDAP_PROTOCOL_ERROR; 1041 } 1042 1043 if ( !BER_BVISNULL( &ctrl->ldctl_value )) { 1044 rs->sr_text = "manageDSAit control value not absent"; 1045 return LDAP_PROTOCOL_ERROR; 1046 } 1047 1048 op->o_managedsait = ctrl->ldctl_iscritical 1049 ? SLAP_CONTROL_CRITICAL 1050 : SLAP_CONTROL_NONCRITICAL; 1051 1052 return LDAP_SUCCESS; 1053 } 1054 1055 static int parseProxyAuthz ( 1056 Operation *op, 1057 SlapReply *rs, 1058 LDAPControl *ctrl ) 1059 { 1060 int rc; 1061 struct berval dn = BER_BVNULL; 1062 1063 if ( op->o_proxy_authz != SLAP_CONTROL_NONE ) { 1064 rs->sr_text = "proxy authorization control specified multiple times"; 1065 return LDAP_PROTOCOL_ERROR; 1066 } 1067 1068 if ( BER_BVISNULL( &ctrl->ldctl_value )) { 1069 rs->sr_text = "proxy authorization control value absent"; 1070 return LDAP_PROTOCOL_ERROR; 1071 } 1072 1073 if ( ( global_disallows & SLAP_DISALLOW_PROXY_AUTHZ_N_CRIT ) 1074 && !ctrl->ldctl_iscritical ) 1075 { 1076 rs->sr_text = "proxied authorization criticality of FALSE not allowed"; 1077 return LDAP_PROTOCOL_ERROR; 1078 } 1079 1080 if ( !( global_allows & SLAP_ALLOW_PROXY_AUTHZ_ANON ) 1081 && BER_BVISEMPTY( &op->o_ndn ) ) 1082 { 1083 rs->sr_text = "anonymous proxied authorization not allowed"; 1084 return LDAP_PROXIED_AUTHORIZATION_DENIED; 1085 } 1086 1087 op->o_proxy_authz = ctrl->ldctl_iscritical 1088 ? SLAP_CONTROL_CRITICAL 1089 : SLAP_CONTROL_NONCRITICAL; 1090 1091 Debug( LDAP_DEBUG_ARGS, 1092 "parseProxyAuthz: conn %lu authzid=\"%s\"\n", 1093 op->o_connid, 1094 ctrl->ldctl_value.bv_len ? ctrl->ldctl_value.bv_val : "anonymous", 1095 0 ); 1096 1097 if ( BER_BVISEMPTY( &ctrl->ldctl_value )) { 1098 Debug( LDAP_DEBUG_TRACE, 1099 "parseProxyAuthz: conn=%lu anonymous\n", 1100 op->o_connid, 0, 0 ); 1101 1102 /* anonymous */ 1103 if ( !BER_BVISNULL( &op->o_ndn ) ) { 1104 op->o_ndn.bv_val[ 0 ] = '\0'; 1105 } 1106 op->o_ndn.bv_len = 0; 1107 1108 if ( !BER_BVISNULL( &op->o_dn ) ) { 1109 op->o_dn.bv_val[ 0 ] = '\0'; 1110 } 1111 op->o_dn.bv_len = 0; 1112 1113 return LDAP_SUCCESS; 1114 } 1115 1116 rc = slap_sasl_getdn( op->o_conn, op, &ctrl->ldctl_value, 1117 NULL, &dn, SLAP_GETDN_AUTHZID ); 1118 1119 /* FIXME: empty DN in proxyAuthz control should be legal... */ 1120 if( rc != LDAP_SUCCESS /* || !dn.bv_len */ ) { 1121 if ( dn.bv_val ) { 1122 ch_free( dn.bv_val ); 1123 } 1124 rs->sr_text = "authzId mapping failed"; 1125 return LDAP_PROXIED_AUTHORIZATION_DENIED; 1126 } 1127 1128 Debug( LDAP_DEBUG_TRACE, 1129 "parseProxyAuthz: conn=%lu \"%s\"\n", 1130 op->o_connid, 1131 dn.bv_len ? dn.bv_val : "(NULL)", 0 ); 1132 1133 rc = slap_sasl_authorized( op, &op->o_ndn, &dn ); 1134 1135 if ( rc ) { 1136 ch_free( dn.bv_val ); 1137 rs->sr_text = "not authorized to assume identity"; 1138 return LDAP_PROXIED_AUTHORIZATION_DENIED; 1139 } 1140 1141 ch_free( op->o_ndn.bv_val ); 1142 ch_free( op->o_dn.bv_val ); 1143 1144 /* 1145 * NOTE: since slap_sasl_getdn() returns a normalized dn, 1146 * from now on op->o_dn is normalized 1147 */ 1148 op->o_ndn = dn; 1149 ber_dupbv( &op->o_dn, &dn ); 1150 1151 Statslog( LDAP_DEBUG_STATS, "%s PROXYAUTHZ dn=\"%s\"\n", 1152 op->o_log_prefix, dn.bv_val, 0, 0, 0 ); 1153 1154 return LDAP_SUCCESS; 1155 } 1156 1157 static int parseNoOp ( 1158 Operation *op, 1159 SlapReply *rs, 1160 LDAPControl *ctrl ) 1161 { 1162 if ( op->o_noop != SLAP_CONTROL_NONE ) { 1163 rs->sr_text = "noop control specified multiple times"; 1164 return LDAP_PROTOCOL_ERROR; 1165 } 1166 1167 if ( !BER_BVISNULL( &ctrl->ldctl_value ) ) { 1168 rs->sr_text = "noop control value not empty"; 1169 return LDAP_PROTOCOL_ERROR; 1170 } 1171 1172 op->o_noop = ctrl->ldctl_iscritical 1173 ? SLAP_CONTROL_CRITICAL 1174 : SLAP_CONTROL_NONCRITICAL; 1175 1176 return LDAP_SUCCESS; 1177 } 1178 1179 static int parsePagedResults ( 1180 Operation *op, 1181 SlapReply *rs, 1182 LDAPControl *ctrl ) 1183 { 1184 BerElementBuffer berbuf; 1185 BerElement *ber = (BerElement *)&berbuf; 1186 struct berval cookie; 1187 PagedResultsState *ps; 1188 int rc = LDAP_SUCCESS; 1189 ber_tag_t tag; 1190 ber_int_t size; 1191 1192 if ( op->o_pagedresults != SLAP_CONTROL_NONE ) { 1193 rs->sr_text = "paged results control specified multiple times"; 1194 return LDAP_PROTOCOL_ERROR; 1195 } 1196 1197 if ( BER_BVISNULL( &ctrl->ldctl_value ) ) { 1198 rs->sr_text = "paged results control value is absent"; 1199 return LDAP_PROTOCOL_ERROR; 1200 } 1201 1202 if ( BER_BVISEMPTY( &ctrl->ldctl_value ) ) { 1203 rs->sr_text = "paged results control value is empty"; 1204 return LDAP_PROTOCOL_ERROR; 1205 } 1206 1207 /* Parse the control value 1208 * realSearchControlValue ::= SEQUENCE { 1209 * size INTEGER (0..maxInt), 1210 * -- requested page size from client 1211 * -- result set size estimate from server 1212 * cookie OCTET STRING 1213 * } 1214 */ 1215 ber_init2( ber, &ctrl->ldctl_value, LBER_USE_DER ); 1216 1217 tag = ber_scanf( ber, "{im}", &size, &cookie ); 1218 1219 if ( tag == LBER_ERROR ) { 1220 rs->sr_text = "paged results control could not be decoded"; 1221 rc = LDAP_PROTOCOL_ERROR; 1222 goto done; 1223 } 1224 1225 if ( size < 0 ) { 1226 rs->sr_text = "paged results control size invalid"; 1227 rc = LDAP_PROTOCOL_ERROR; 1228 goto done; 1229 } 1230 1231 ps = op->o_tmpalloc( sizeof(PagedResultsState), op->o_tmpmemctx ); 1232 *ps = op->o_conn->c_pagedresults_state; 1233 ps->ps_size = size; 1234 ps->ps_cookieval = cookie; 1235 op->o_pagedresults_state = ps; 1236 if ( !cookie.bv_len ) { 1237 ps->ps_count = 0; 1238 ps->ps_cookie = 0; 1239 } 1240 1241 /* NOTE: according to RFC 2696 3.: 1242 1243 If the page size is greater than or equal to the sizeLimit value, the 1244 server should ignore the control as the request can be satisfied in a 1245 single page. 1246 1247 * NOTE: this assumes that the op->ors_slimit be set 1248 * before the controls are parsed. 1249 */ 1250 1251 if ( op->ors_slimit > 0 && size >= op->ors_slimit ) { 1252 op->o_pagedresults = SLAP_CONTROL_IGNORED; 1253 1254 } else if ( ctrl->ldctl_iscritical ) { 1255 op->o_pagedresults = SLAP_CONTROL_CRITICAL; 1256 1257 } else { 1258 op->o_pagedresults = SLAP_CONTROL_NONCRITICAL; 1259 } 1260 1261 done:; 1262 return rc; 1263 } 1264 1265 #ifdef SLAP_CONTROL_X_SORTEDRESULTS 1266 static int parseSortedResults ( 1267 Operation *op, 1268 SlapReply *rs, 1269 LDAPControl *ctrl ) 1270 { 1271 int rc = LDAP_SUCCESS; 1272 1273 if ( op->o_sortedresults != SLAP_CONTROL_NONE ) { 1274 rs->sr_text = "sorted results control specified multiple times"; 1275 return LDAP_PROTOCOL_ERROR; 1276 } 1277 1278 if ( BER_BVISNULL( &ctrl->ldctl_value ) ) { 1279 rs->sr_text = "sorted results control value is absent"; 1280 return LDAP_PROTOCOL_ERROR; 1281 } 1282 1283 if ( BER_BVISEMPTY( &ctrl->ldctl_value ) ) { 1284 rs->sr_text = "sorted results control value is empty"; 1285 return LDAP_PROTOCOL_ERROR; 1286 } 1287 1288 /* blow off parsing the value */ 1289 1290 op->o_sortedresults = ctrl->ldctl_iscritical 1291 ? SLAP_CONTROL_CRITICAL 1292 : SLAP_CONTROL_NONCRITICAL; 1293 1294 return rc; 1295 } 1296 #endif 1297 1298 static int parseAssert ( 1299 Operation *op, 1300 SlapReply *rs, 1301 LDAPControl *ctrl ) 1302 { 1303 BerElement *ber; 1304 struct berval fstr = BER_BVNULL; 1305 1306 if ( op->o_assert != SLAP_CONTROL_NONE ) { 1307 rs->sr_text = "assert control specified multiple times"; 1308 return LDAP_PROTOCOL_ERROR; 1309 } 1310 1311 if ( BER_BVISNULL( &ctrl->ldctl_value )) { 1312 rs->sr_text = "assert control value is absent"; 1313 return LDAP_PROTOCOL_ERROR; 1314 } 1315 1316 if ( BER_BVISEMPTY( &ctrl->ldctl_value )) { 1317 rs->sr_text = "assert control value is empty"; 1318 return LDAP_PROTOCOL_ERROR; 1319 } 1320 1321 ber = ber_init( &(ctrl->ldctl_value) ); 1322 if (ber == NULL) { 1323 rs->sr_text = "assert control: internal error"; 1324 return LDAP_OTHER; 1325 } 1326 1327 rs->sr_err = get_filter( op, ber, (Filter **)&(op->o_assertion), 1328 &rs->sr_text); 1329 (void) ber_free( ber, 1 ); 1330 if( rs->sr_err != LDAP_SUCCESS ) { 1331 if( rs->sr_err == SLAPD_DISCONNECT ) { 1332 rs->sr_err = LDAP_PROTOCOL_ERROR; 1333 send_ldap_disconnect( op, rs ); 1334 rs->sr_err = SLAPD_DISCONNECT; 1335 } else { 1336 send_ldap_result( op, rs ); 1337 } 1338 if( op->o_assertion != NULL ) { 1339 filter_free_x( op, op->o_assertion, 1 ); 1340 } 1341 return rs->sr_err; 1342 } 1343 1344 #ifdef LDAP_DEBUG 1345 filter2bv_x( op, op->o_assertion, &fstr ); 1346 1347 Debug( LDAP_DEBUG_ARGS, "parseAssert: conn %ld assert: %s\n", 1348 op->o_connid, fstr.bv_len ? fstr.bv_val : "empty" , 0 ); 1349 op->o_tmpfree( fstr.bv_val, op->o_tmpmemctx ); 1350 #endif 1351 1352 op->o_assert = ctrl->ldctl_iscritical 1353 ? SLAP_CONTROL_CRITICAL 1354 : SLAP_CONTROL_NONCRITICAL; 1355 1356 rs->sr_err = LDAP_SUCCESS; 1357 return LDAP_SUCCESS; 1358 } 1359 1360 #define READMSG(post, msg) \ 1361 ( post ? "postread control: " msg : "preread control: " msg ) 1362 1363 static int 1364 parseReadAttrs( 1365 Operation *op, 1366 SlapReply *rs, 1367 LDAPControl *ctrl, 1368 int post ) 1369 { 1370 ber_len_t siz, off, i; 1371 BerElement *ber; 1372 AttributeName *an = NULL; 1373 1374 if ( ( post && op->o_postread != SLAP_CONTROL_NONE ) || 1375 ( !post && op->o_preread != SLAP_CONTROL_NONE ) ) 1376 { 1377 rs->sr_text = READMSG( post, "specified multiple times" ); 1378 return LDAP_PROTOCOL_ERROR; 1379 } 1380 1381 if ( BER_BVISNULL( &ctrl->ldctl_value ) ) { 1382 rs->sr_text = READMSG( post, "value is absent" ); 1383 return LDAP_PROTOCOL_ERROR; 1384 } 1385 1386 if ( BER_BVISEMPTY( &ctrl->ldctl_value ) ) { 1387 rs->sr_text = READMSG( post, "value is empty" ); 1388 return LDAP_PROTOCOL_ERROR; 1389 } 1390 1391 #ifdef LDAP_X_TXN 1392 if ( op->o_txnSpec ) { /* temporary limitation */ 1393 rs->sr_text = READMSG( post, "cannot perform in transaction" ); 1394 return LDAP_UNWILLING_TO_PERFORM; 1395 } 1396 #endif 1397 1398 ber = ber_init( &ctrl->ldctl_value ); 1399 if ( ber == NULL ) { 1400 rs->sr_text = READMSG( post, "internal error" ); 1401 return LDAP_OTHER; 1402 } 1403 1404 rs->sr_err = LDAP_SUCCESS; 1405 siz = sizeof( AttributeName ); 1406 off = offsetof( AttributeName, an_name ); 1407 if ( ber_scanf( ber, "{M}", &an, &siz, off ) == LBER_ERROR ) { 1408 rs->sr_text = READMSG( post, "decoding error" ); 1409 rs->sr_err = LDAP_PROTOCOL_ERROR; 1410 goto done; 1411 } 1412 1413 for ( i = 0; i < siz; i++ ) { 1414 const char *dummy = NULL; 1415 int rc; 1416 1417 an[i].an_desc = NULL; 1418 an[i].an_oc = NULL; 1419 an[i].an_flags = 0; 1420 rc = slap_bv2ad( &an[i].an_name, &an[i].an_desc, &dummy ); 1421 if ( rc == LDAP_SUCCESS ) { 1422 an[i].an_name = an[i].an_desc->ad_cname; 1423 1424 } else { 1425 int j; 1426 static struct berval special_attrs[] = { 1427 BER_BVC( LDAP_NO_ATTRS ), 1428 BER_BVC( LDAP_ALL_USER_ATTRIBUTES ), 1429 BER_BVC( LDAP_ALL_OPERATIONAL_ATTRIBUTES ), 1430 BER_BVNULL 1431 }; 1432 1433 /* deal with special attribute types */ 1434 for ( j = 0; !BER_BVISNULL( &special_attrs[ j ] ); j++ ) { 1435 if ( bvmatch( &an[i].an_name, &special_attrs[ j ] ) ) { 1436 an[i].an_name = special_attrs[ j ]; 1437 break; 1438 } 1439 } 1440 1441 if ( BER_BVISNULL( &special_attrs[ j ] ) && ctrl->ldctl_iscritical ) { 1442 rs->sr_err = rc; 1443 rs->sr_text = dummy ? dummy 1444 : READMSG( post, "unknown attributeType" ); 1445 goto done; 1446 } 1447 } 1448 } 1449 1450 if ( post ) { 1451 op->o_postread_attrs = an; 1452 op->o_postread = ctrl->ldctl_iscritical 1453 ? SLAP_CONTROL_CRITICAL 1454 : SLAP_CONTROL_NONCRITICAL; 1455 } else { 1456 op->o_preread_attrs = an; 1457 op->o_preread = ctrl->ldctl_iscritical 1458 ? SLAP_CONTROL_CRITICAL 1459 : SLAP_CONTROL_NONCRITICAL; 1460 } 1461 1462 done: 1463 (void) ber_free( ber, 1 ); 1464 return rs->sr_err; 1465 } 1466 1467 static int parsePreRead ( 1468 Operation *op, 1469 SlapReply *rs, 1470 LDAPControl *ctrl ) 1471 { 1472 return parseReadAttrs( op, rs, ctrl, 0 ); 1473 } 1474 1475 static int parsePostRead ( 1476 Operation *op, 1477 SlapReply *rs, 1478 LDAPControl *ctrl ) 1479 { 1480 return parseReadAttrs( op, rs, ctrl, 1 ); 1481 } 1482 1483 static int parseValuesReturnFilter ( 1484 Operation *op, 1485 SlapReply *rs, 1486 LDAPControl *ctrl ) 1487 { 1488 BerElement *ber; 1489 struct berval fstr = BER_BVNULL; 1490 1491 if ( op->o_valuesreturnfilter != SLAP_CONTROL_NONE ) { 1492 rs->sr_text = "valuesReturnFilter control specified multiple times"; 1493 return LDAP_PROTOCOL_ERROR; 1494 } 1495 1496 if ( BER_BVISNULL( &ctrl->ldctl_value )) { 1497 rs->sr_text = "valuesReturnFilter control value is absent"; 1498 return LDAP_PROTOCOL_ERROR; 1499 } 1500 1501 if ( BER_BVISEMPTY( &ctrl->ldctl_value )) { 1502 rs->sr_text = "valuesReturnFilter control value is empty"; 1503 return LDAP_PROTOCOL_ERROR; 1504 } 1505 1506 ber = ber_init( &(ctrl->ldctl_value) ); 1507 if (ber == NULL) { 1508 rs->sr_text = "internal error"; 1509 return LDAP_OTHER; 1510 } 1511 1512 rs->sr_err = get_vrFilter( op, ber, 1513 (ValuesReturnFilter **)&(op->o_vrFilter), &rs->sr_text); 1514 1515 (void) ber_free( ber, 1 ); 1516 1517 if( rs->sr_err != LDAP_SUCCESS ) { 1518 if( rs->sr_err == SLAPD_DISCONNECT ) { 1519 rs->sr_err = LDAP_PROTOCOL_ERROR; 1520 send_ldap_disconnect( op, rs ); 1521 rs->sr_err = SLAPD_DISCONNECT; 1522 } else { 1523 send_ldap_result( op, rs ); 1524 } 1525 if( op->o_vrFilter != NULL) vrFilter_free( op, op->o_vrFilter ); 1526 } 1527 #ifdef LDAP_DEBUG 1528 else { 1529 vrFilter2bv( op, op->o_vrFilter, &fstr ); 1530 } 1531 1532 Debug( LDAP_DEBUG_ARGS, " vrFilter: %s\n", 1533 fstr.bv_len ? fstr.bv_val : "empty", 0, 0 ); 1534 op->o_tmpfree( fstr.bv_val, op->o_tmpmemctx ); 1535 #endif 1536 1537 op->o_valuesreturnfilter = ctrl->ldctl_iscritical 1538 ? SLAP_CONTROL_CRITICAL 1539 : SLAP_CONTROL_NONCRITICAL; 1540 1541 rs->sr_err = LDAP_SUCCESS; 1542 return LDAP_SUCCESS; 1543 } 1544 1545 static int parseSubentries ( 1546 Operation *op, 1547 SlapReply *rs, 1548 LDAPControl *ctrl ) 1549 { 1550 if ( op->o_subentries != SLAP_CONTROL_NONE ) { 1551 rs->sr_text = "subentries control specified multiple times"; 1552 return LDAP_PROTOCOL_ERROR; 1553 } 1554 1555 /* FIXME: should use BER library */ 1556 if( ( ctrl->ldctl_value.bv_len != 3 ) 1557 || ( ctrl->ldctl_value.bv_val[0] != 0x01 ) 1558 || ( ctrl->ldctl_value.bv_val[1] != 0x01 )) 1559 { 1560 rs->sr_text = "subentries control value encoding is bogus"; 1561 return LDAP_PROTOCOL_ERROR; 1562 } 1563 1564 op->o_subentries = ctrl->ldctl_iscritical 1565 ? SLAP_CONTROL_CRITICAL 1566 : SLAP_CONTROL_NONCRITICAL; 1567 1568 if (ctrl->ldctl_value.bv_val[2]) { 1569 set_subentries_visibility( op ); 1570 } 1571 1572 return LDAP_SUCCESS; 1573 } 1574 1575 static int parsePermissiveModify ( 1576 Operation *op, 1577 SlapReply *rs, 1578 LDAPControl *ctrl ) 1579 { 1580 if ( op->o_permissive_modify != SLAP_CONTROL_NONE ) { 1581 rs->sr_text = "permissiveModify control specified multiple times"; 1582 return LDAP_PROTOCOL_ERROR; 1583 } 1584 1585 if ( BER_BVISNULL( &ctrl->ldctl_value )) { 1586 rs->sr_text = "permissiveModify control value not absent"; 1587 return LDAP_PROTOCOL_ERROR; 1588 } 1589 1590 op->o_permissive_modify = ctrl->ldctl_iscritical 1591 ? SLAP_CONTROL_CRITICAL 1592 : SLAP_CONTROL_NONCRITICAL; 1593 1594 return LDAP_SUCCESS; 1595 } 1596 1597 static int parseDomainScope ( 1598 Operation *op, 1599 SlapReply *rs, 1600 LDAPControl *ctrl ) 1601 { 1602 if ( op->o_domain_scope != SLAP_CONTROL_NONE ) { 1603 rs->sr_text = "domainScope control specified multiple times"; 1604 return LDAP_PROTOCOL_ERROR; 1605 } 1606 1607 if ( BER_BVISNULL( &ctrl->ldctl_value )) { 1608 rs->sr_text = "domainScope control value not empty"; 1609 return LDAP_PROTOCOL_ERROR; 1610 } 1611 1612 op->o_domain_scope = ctrl->ldctl_iscritical 1613 ? SLAP_CONTROL_CRITICAL 1614 : SLAP_CONTROL_NONCRITICAL; 1615 1616 return LDAP_SUCCESS; 1617 } 1618 1619 #ifdef SLAP_CONTROL_X_TREE_DELETE 1620 static int parseTreeDelete ( 1621 Operation *op, 1622 SlapReply *rs, 1623 LDAPControl *ctrl ) 1624 { 1625 if ( op->o_tree_delete != SLAP_CONTROL_NONE ) { 1626 rs->sr_text = "treeDelete control specified multiple times"; 1627 return LDAP_PROTOCOL_ERROR; 1628 } 1629 1630 if ( !BER_BVISNULL( &ctrl->ldctl_value )) { 1631 rs->sr_text = "treeDelete control value not absent"; 1632 return LDAP_PROTOCOL_ERROR; 1633 } 1634 1635 op->o_tree_delete = ctrl->ldctl_iscritical 1636 ? SLAP_CONTROL_CRITICAL 1637 : SLAP_CONTROL_NONCRITICAL; 1638 1639 return LDAP_SUCCESS; 1640 } 1641 #endif 1642 1643 static int parseSearchOptions ( 1644 Operation *op, 1645 SlapReply *rs, 1646 LDAPControl *ctrl ) 1647 { 1648 BerElement *ber; 1649 ber_int_t search_flags; 1650 ber_tag_t tag; 1651 1652 if ( BER_BVISNULL( &ctrl->ldctl_value )) { 1653 rs->sr_text = "searchOptions control value is absent"; 1654 return LDAP_PROTOCOL_ERROR; 1655 } 1656 1657 if ( BER_BVISEMPTY( &ctrl->ldctl_value )) { 1658 rs->sr_text = "searchOptions control value is empty"; 1659 return LDAP_PROTOCOL_ERROR; 1660 } 1661 1662 ber = ber_init( &ctrl->ldctl_value ); 1663 if( ber == NULL ) { 1664 rs->sr_text = "internal error"; 1665 return LDAP_OTHER; 1666 } 1667 1668 tag = ber_scanf( ber, "{i}", &search_flags ); 1669 (void) ber_free( ber, 1 ); 1670 1671 if ( tag == LBER_ERROR ) { 1672 rs->sr_text = "searchOptions control decoding error"; 1673 return LDAP_PROTOCOL_ERROR; 1674 } 1675 1676 if ( search_flags & LDAP_SEARCH_FLAG_DOMAIN_SCOPE ) { 1677 if ( op->o_domain_scope != SLAP_CONTROL_NONE ) { 1678 rs->sr_text = "searchOptions control specified multiple times " 1679 "or with domainScope control"; 1680 return LDAP_PROTOCOL_ERROR; 1681 } 1682 1683 op->o_domain_scope = ctrl->ldctl_iscritical 1684 ? SLAP_CONTROL_CRITICAL 1685 : SLAP_CONTROL_NONCRITICAL; 1686 } 1687 1688 if ( search_flags & ~(LDAP_SEARCH_FLAG_DOMAIN_SCOPE) ) { 1689 /* Other search flags not recognised so far, 1690 * including: 1691 * LDAP_SEARCH_FLAG_PHANTOM_ROOM 1692 */ 1693 rs->sr_text = "searchOptions contained unrecognized flag"; 1694 return LDAP_UNWILLING_TO_PERFORM; 1695 } 1696 1697 return LDAP_SUCCESS; 1698 } 1699 1700 #ifdef SLAP_CONTROL_X_SESSION_TRACKING 1701 struct berval session_tracking_formats[] = { 1702 BER_BVC( LDAP_CONTROL_X_SESSION_TRACKING_RADIUS_ACCT_SESSION_ID ), 1703 BER_BVC( "RADIUS-Acct-Session-Id" ), 1704 BER_BVC( LDAP_CONTROL_X_SESSION_TRACKING_RADIUS_ACCT_MULTI_SESSION_ID ), 1705 BER_BVC( "RADIUS-Acct-Multi-Session-Id" ), 1706 BER_BVC( LDAP_CONTROL_X_SESSION_TRACKING_USERNAME ), 1707 BER_BVC( "USERNAME" ), 1708 1709 BER_BVNULL 1710 }; 1711 1712 static int parseSessionTracking( 1713 Operation *op, 1714 SlapReply *rs, 1715 LDAPControl *ctrl ) 1716 { 1717 BerElement *ber; 1718 ber_tag_t tag; 1719 ber_len_t len; 1720 int i, rc; 1721 1722 struct berval sessionSourceIp = BER_BVNULL, 1723 sessionSourceName = BER_BVNULL, 1724 formatOID = BER_BVNULL, 1725 sessionTrackingIdentifier = BER_BVNULL; 1726 1727 size_t st_len, st_pos; 1728 1729 if ( ctrl->ldctl_iscritical ) { 1730 rs->sr_text = "sessionTracking criticality is TRUE"; 1731 return LDAP_PROTOCOL_ERROR; 1732 } 1733 1734 if ( BER_BVISNULL( &ctrl->ldctl_value ) ) { 1735 rs->sr_text = "sessionTracking control value is absent"; 1736 return LDAP_PROTOCOL_ERROR; 1737 } 1738 1739 if ( BER_BVISEMPTY( &ctrl->ldctl_value ) ) { 1740 rs->sr_text = "sessionTracking control value is empty"; 1741 return LDAP_PROTOCOL_ERROR; 1742 } 1743 1744 /* TODO: add the capability to determine if a client is allowed 1745 * to use this control, based on identity, ip and so */ 1746 1747 ber = ber_init( &ctrl->ldctl_value ); 1748 if ( ber == NULL ) { 1749 rs->sr_text = "internal error"; 1750 return LDAP_OTHER; 1751 } 1752 1753 tag = ber_skip_tag( ber, &len ); 1754 if ( tag != LBER_SEQUENCE ) { 1755 tag = LBER_ERROR; 1756 goto error; 1757 } 1758 1759 /* sessionSourceIp */ 1760 tag = ber_peek_tag( ber, &len ); 1761 if ( tag == LBER_DEFAULT ) { 1762 tag = LBER_ERROR; 1763 goto error; 1764 } 1765 1766 if ( len == 0 ) { 1767 tag = ber_skip_tag( ber, &len ); 1768 1769 } else if ( len > 128 ) { 1770 rs->sr_text = "sessionTracking.sessionSourceIp too long"; 1771 rs->sr_err = LDAP_PROTOCOL_ERROR; 1772 goto error; 1773 1774 } else { 1775 tag = ber_scanf( ber, "m", &sessionSourceIp ); 1776 } 1777 1778 if ( ldif_is_not_printable( sessionSourceIp.bv_val, sessionSourceIp.bv_len ) ) { 1779 BER_BVZERO( &sessionSourceIp ); 1780 } 1781 1782 /* sessionSourceName */ 1783 tag = ber_peek_tag( ber, &len ); 1784 if ( tag == LBER_DEFAULT ) { 1785 tag = LBER_ERROR; 1786 goto error; 1787 } 1788 1789 if ( len == 0 ) { 1790 tag = ber_skip_tag( ber, &len ); 1791 1792 } else if ( len > 65536 ) { 1793 rs->sr_text = "sessionTracking.sessionSourceName too long"; 1794 rs->sr_err = LDAP_PROTOCOL_ERROR; 1795 goto error; 1796 1797 } else { 1798 tag = ber_scanf( ber, "m", &sessionSourceName ); 1799 } 1800 1801 if ( ldif_is_not_printable( sessionSourceName.bv_val, sessionSourceName.bv_len ) ) { 1802 BER_BVZERO( &sessionSourceName ); 1803 } 1804 1805 /* formatOID */ 1806 tag = ber_peek_tag( ber, &len ); 1807 if ( tag == LBER_DEFAULT ) { 1808 tag = LBER_ERROR; 1809 goto error; 1810 } 1811 1812 if ( len == 0 ) { 1813 rs->sr_text = "sessionTracking.formatOID empty"; 1814 rs->sr_err = LDAP_PROTOCOL_ERROR; 1815 goto error; 1816 1817 } else if ( len > 1024 ) { 1818 rs->sr_text = "sessionTracking.formatOID too long"; 1819 rs->sr_err = LDAP_PROTOCOL_ERROR; 1820 goto error; 1821 1822 } else { 1823 tag = ber_scanf( ber, "m", &formatOID ); 1824 } 1825 1826 rc = numericoidValidate( NULL, &formatOID ); 1827 if ( rc != LDAP_SUCCESS ) { 1828 rs->sr_text = "sessionTracking.formatOID invalid"; 1829 goto error; 1830 } 1831 1832 for ( i = 0; !BER_BVISNULL( &session_tracking_formats[ i ] ); i += 2 ) 1833 { 1834 if ( bvmatch( &formatOID, &session_tracking_formats[ i ] ) ) { 1835 formatOID = session_tracking_formats[ i + 1 ]; 1836 break; 1837 } 1838 } 1839 1840 /* sessionTrackingIdentifier */ 1841 tag = ber_peek_tag( ber, &len ); 1842 if ( tag == LBER_DEFAULT ) { 1843 tag = LBER_ERROR; 1844 goto error; 1845 } 1846 1847 if ( len == 0 ) { 1848 tag = ber_skip_tag( ber, &len ); 1849 1850 } else { 1851 /* note: should not be more than 65536... */ 1852 tag = ber_scanf( ber, "m", &sessionTrackingIdentifier ); 1853 if ( ldif_is_not_printable( sessionTrackingIdentifier.bv_val, sessionTrackingIdentifier.bv_len ) ) { 1854 /* we want the OID printed, at least */ 1855 BER_BVSTR( &sessionTrackingIdentifier, "" ); 1856 } 1857 } 1858 1859 /* closure */ 1860 tag = ber_skip_tag( ber, &len ); 1861 if ( tag != LBER_DEFAULT || len != 0 ) { 1862 tag = LBER_ERROR; 1863 goto error; 1864 } 1865 tag = 0; 1866 1867 st_len = 0; 1868 if ( !BER_BVISNULL( &sessionSourceIp ) ) { 1869 st_len += STRLENOF( "IP=" ) + sessionSourceIp.bv_len; 1870 } 1871 if ( !BER_BVISNULL( &sessionSourceName ) ) { 1872 if ( st_len ) st_len++; 1873 st_len += STRLENOF( "NAME=" ) + sessionSourceName.bv_len; 1874 } 1875 if ( !BER_BVISNULL( &sessionTrackingIdentifier ) ) { 1876 if ( st_len ) st_len++; 1877 st_len += formatOID.bv_len + STRLENOF( "=" ) 1878 + sessionTrackingIdentifier.bv_len; 1879 } 1880 1881 if ( st_len == 0 ) { 1882 goto error; 1883 } 1884 1885 st_len += STRLENOF( " []" ); 1886 st_pos = strlen( op->o_log_prefix ); 1887 1888 if ( sizeof( op->o_log_prefix ) - st_pos > st_len ) { 1889 char *ptr = &op->o_log_prefix[ st_pos ]; 1890 1891 ptr = lutil_strcopy( ptr, " [" /*]*/ ); 1892 1893 st_len = 0; 1894 if ( !BER_BVISNULL( &sessionSourceIp ) ) { 1895 ptr = lutil_strcopy( ptr, "IP=" ); 1896 ptr = lutil_strcopy( ptr, sessionSourceIp.bv_val ); 1897 st_len++; 1898 } 1899 1900 if ( !BER_BVISNULL( &sessionSourceName ) ) { 1901 if ( st_len ) *ptr++ = ' '; 1902 ptr = lutil_strcopy( ptr, "NAME=" ); 1903 ptr = lutil_strcopy( ptr, sessionSourceName.bv_val ); 1904 st_len++; 1905 } 1906 1907 if ( !BER_BVISNULL( &sessionTrackingIdentifier ) ) { 1908 if ( st_len ) *ptr++ = ' '; 1909 ptr = lutil_strcopy( ptr, formatOID.bv_val ); 1910 *ptr++ = '='; 1911 ptr = lutil_strcopy( ptr, sessionTrackingIdentifier.bv_val ); 1912 } 1913 1914 *ptr++ = /*[*/ ']'; 1915 *ptr = '\0'; 1916 } 1917 1918 error:; 1919 (void)ber_free( ber, 1 ); 1920 1921 if ( tag == LBER_ERROR ) { 1922 rs->sr_text = "sessionTracking control decoding error"; 1923 return LDAP_PROTOCOL_ERROR; 1924 } 1925 1926 1927 return rs->sr_err; 1928 } 1929 1930 int 1931 slap_ctrl_session_tracking_add( 1932 Operation *op, 1933 SlapReply *rs, 1934 struct berval *ip, 1935 struct berval *name, 1936 struct berval *id, 1937 LDAPControl *ctrl ) 1938 { 1939 BerElementBuffer berbuf; 1940 BerElement *ber = (BerElement *)&berbuf; 1941 1942 static struct berval oid = BER_BVC( LDAP_CONTROL_X_SESSION_TRACKING_USERNAME ); 1943 1944 assert( ctrl != NULL ); 1945 1946 ber_init2( ber, NULL, LBER_USE_DER ); 1947 1948 ber_printf( ber, "{OOOO}", ip, name, &oid, id ); 1949 1950 if ( ber_flatten2( ber, &ctrl->ldctl_value, 0 ) == -1 ) { 1951 rs->sr_err = LDAP_OTHER; 1952 goto done; 1953 } 1954 1955 ctrl->ldctl_oid = LDAP_CONTROL_X_SESSION_TRACKING; 1956 ctrl->ldctl_iscritical = 0; 1957 1958 rs->sr_err = LDAP_SUCCESS; 1959 1960 done:; 1961 return rs->sr_err; 1962 } 1963 1964 int 1965 slap_ctrl_session_tracking_request_add( Operation *op, SlapReply *rs, LDAPControl *ctrl ) 1966 { 1967 static struct berval bv_unknown = BER_BVC( SLAP_STRING_UNKNOWN ); 1968 struct berval ip = BER_BVNULL, 1969 name = BER_BVNULL, 1970 id = BER_BVNULL; 1971 1972 if ( !BER_BVISNULL( &op->o_conn->c_peer_name ) && 1973 memcmp( op->o_conn->c_peer_name.bv_val, "IP=", STRLENOF( "IP=" ) ) == 0 ) 1974 { 1975 char *ptr; 1976 1977 ip.bv_val = op->o_conn->c_peer_name.bv_val + STRLENOF( "IP=" ); 1978 ip.bv_len = op->o_conn->c_peer_name.bv_len - STRLENOF( "IP=" ); 1979 1980 ptr = ber_bvchr( &ip, ':' ); 1981 if ( ptr ) { 1982 ip.bv_len = ptr - ip.bv_val; 1983 } 1984 } 1985 1986 if ( !BER_BVISNULL( &op->o_conn->c_peer_domain ) && 1987 !bvmatch( &op->o_conn->c_peer_domain, &bv_unknown ) ) 1988 { 1989 name = op->o_conn->c_peer_domain; 1990 } 1991 1992 if ( !BER_BVISNULL( &op->o_dn ) && !BER_BVISEMPTY( &op->o_dn ) ) { 1993 id = op->o_dn; 1994 } 1995 1996 return slap_ctrl_session_tracking_add( op, rs, &ip, &name, &id, ctrl ); 1997 } 1998 #endif 1999 2000 #ifdef SLAP_CONTROL_X_WHATFAILED 2001 static int parseWhatFailed( 2002 Operation *op, 2003 SlapReply *rs, 2004 LDAPControl *ctrl ) 2005 { 2006 if ( op->o_whatFailed != SLAP_CONTROL_NONE ) { 2007 rs->sr_text = "\"WHat Failed?\" control specified multiple times"; 2008 return LDAP_PROTOCOL_ERROR; 2009 } 2010 2011 if ( !BER_BVISNULL( &ctrl->ldctl_value )) { 2012 rs->sr_text = "\"What Failed?\" control value not absent"; 2013 return LDAP_PROTOCOL_ERROR; 2014 } 2015 2016 op->o_whatFailed = ctrl->ldctl_iscritical 2017 ? SLAP_CONTROL_CRITICAL 2018 : SLAP_CONTROL_NONCRITICAL; 2019 2020 return LDAP_SUCCESS; 2021 } 2022 2023 int 2024 slap_ctrl_whatFailed_add( 2025 Operation *op, 2026 SlapReply *rs, 2027 char **oids ) 2028 { 2029 BerElementBuffer berbuf; 2030 BerElement *ber = (BerElement *) &berbuf; 2031 LDAPControl **ctrls = NULL; 2032 struct berval ctrlval; 2033 int i, rc = LDAP_SUCCESS; 2034 2035 ber_init2( ber, NULL, LBER_USE_DER ); 2036 ber_set_option( ber, LBER_OPT_BER_MEMCTX, &op->o_tmpmemctx ); 2037 ber_printf( ber, "[" /*]*/ ); 2038 for ( i = 0; oids[ i ] != NULL; i++ ) { 2039 ber_printf( ber, "s", oids[ i ] ); 2040 } 2041 ber_printf( ber, /*[*/ "]" ); 2042 2043 if ( ber_flatten2( ber, &ctrlval, 0 ) == -1 ) { 2044 rc = LDAP_OTHER; 2045 goto done; 2046 } 2047 2048 i = 0; 2049 if ( rs->sr_ctrls != NULL ) { 2050 for ( ; rs->sr_ctrls[ i ] != NULL; i++ ) { 2051 if ( strcmp( rs->sr_ctrls[ i ]->ldctl_oid, LDAP_CONTROL_X_WHATFAILED ) != 0 ) { 2052 /* TODO: add */ 2053 assert( 0 ); 2054 } 2055 } 2056 } 2057 2058 ctrls = op->o_tmprealloc( rs->sr_ctrls, 2059 sizeof(LDAPControl *)*( i + 2 ) 2060 + sizeof(LDAPControl) 2061 + ctrlval.bv_len + 1, 2062 op->o_tmpmemctx ); 2063 if ( ctrls == NULL ) { 2064 rc = LDAP_OTHER; 2065 goto done; 2066 } 2067 ctrls[ i + 1 ] = NULL; 2068 ctrls[ i ] = (LDAPControl *)&ctrls[ i + 2 ]; 2069 ctrls[ i ]->ldctl_oid = LDAP_CONTROL_X_WHATFAILED; 2070 ctrls[ i ]->ldctl_iscritical = 0; 2071 ctrls[ i ]->ldctl_value.bv_val = (char *)&ctrls[ i ][ 1 ]; 2072 AC_MEMCPY( ctrls[ i ]->ldctl_value.bv_val, ctrlval.bv_val, ctrlval.bv_len + 1 ); 2073 ctrls[ i ]->ldctl_value.bv_len = ctrlval.bv_len; 2074 2075 ber_free_buf( ber ); 2076 2077 rs->sr_ctrls = ctrls; 2078 2079 done:; 2080 return rc; 2081 } 2082 #endif 2083