usr.sbin/ldapd: replace TAILQ concatenation loop with TAILQ_CONCAT

OK florian@

The ber_* namespace is used by liblber since time immemorial,
so move our BER API to the unused ober_* prefix to avoid some
breakage in ports.

Problem diagnosed by jmatthew with ber_free() in samba, but
there are many others as pointed out by sthen.

tests & ok rob
ok sthen (who had an almost identical diff for libutil)
"go head hit it" deraadt

branches: 1.24.4;
key.data is a void *, on gcc archs doing a %s printf with such a pointer
results in a warning. Use either the original string value or use a cast.
This makes both clang and gcc happy.
OK guenther@

Make ber type and encoding a unsigned int instead of unsigned long.
This way the size is the same on all archs and 32bit should be good enough.
OK rob@

Add support for attribute filter rules on search/read operations.

OK jmatthew@

Fix the client search request time and size limits.

ldapd failed when the specified limits were reached instead of
exceeded. This fixes search queries that define such a limit, for
example with "ldapsearch -z 1".

Thanks to Christophe Simon for the bug report, analysis, and fix!

OK jmatthew@

Fix format string errors in log messages and update ldapd to use relayd's log.c

OK benno@ jmatthew@

Add support to filter on attributes.

This can be used to allow users to change their password (and a few
other things) but not their entire dn. For example:

allow read access to any by self
allow write access to any attribute userPassword by self

This is currently only supported for "write" (modify, add, delete) and
not "read" (search) filter rules.

OK jmatthew@

work on making log.c similar in all daemons:

move daemon-local functions into new logmsg.c, and reduce
the (mostly whitespace) differences so that log.c's can be diffed easily.

ok krw@ jmatthew@

bzero -> memset. No binary change.

use strndup instead of malloc/strncpy/nul

ok krw@

Do not assume that asprintf() clears the pointer on failure, which
is non-portable. Also add missing asprintf() return value checks.
OK deraadt@ guenther@ doug@

Make -dvv flags produce debug traces of decoded BER messages on stderr.
Also shows a hexdump of the input buffer if BER decoding fails.
Useful when debugging protocol issues.

If the base DN in a search request doesn't exist, return early.

Publish matching rules in the cn=schema subentry as the matchingRules
attribute. This is an operational attribute and only returned if explicitly
asked for. Required by RFC 4517.

Evaluate filters according to the three-valued logic of X.511, as required
by RFC 4511. A filter term can now be evaluated as undefined if the
attribute description is not recognized, the attribute type doesn't define
the appropriate matching rule, or the filtering is not implemented.

This also implements the NOT filter in the query planner.

Dump parsed schema to buffer and send in requests for the cn=schema
subschema namespace. Only do this if 'objectClasses' and 'attributeTypes'
are expicitly requested. This allows clients to for example present custom
editing forms.

Remove dead assignments. Found by clang static analyzer.

Add support for referrals. Referrals are configured in the config file,
either in the global context or in a namespace. The latter can be used to
delegate requests to different servers for specific parts of the DIT. The
former is a global catch-all referral.

Rewrite the schema parser, as it's not a context-free grammar.
This also brings the config parser more in line with other parse.y in the
tree. The new schema parser also supports symbolic OID names.

You need to update your /etc/ldapd.conf. Schema files are no longer
included with the 'include' keyword, you have to use 'schema' for that.

Moves schema-related structures to a separate include file to ease reuse.

Set errno to appropriate values when returning failure in btree. Make btree
functions only return success or failure (-1 or NULL). Update callers to
check errno.

Make modify and simple auth requests open their own transactions, as search
already does. Trigger a reopen imsg request if either the data or index
databases are compacted. Queue the failed request and try again when the
file is reopened.

Compaction can now be done by a separate process, and ldapd will pick up
the change and reopen the file.

Wrap searches in a read-only transaction so it is guaranteed to see a
consistent snapshot of the database.

Also fixes a couple of format string errors for long long ints.

Fix compilation on gcc2. Check a return value from malloc while at it.

"that compiles!" deraadt@

Remove trailing whitespace and spaces before tabs.

ok gilles@

Initial import of ldapd, a small LDAP daemon. Work in progress.

ok deraadt@ jacekm@ gilles@ back@ henning@ blambert@

The ber_* namespace is used by liblber since time immemorial,
so move our BER API to the unused ober_* prefix to avoid some
breakage in ports.

Problem diagnosed by jmatthew with ber_free() in samba, but
there are many others as pointed out by sthen.

tests & ok rob
ok sthen (who had an almost identical diff for libutil)
"go head hit it" deraadt

key.data is a void *, on gcc archs doing a %s printf with such a pointer
results in a warning. Use either the original string value or use a cast.
This makes both clang and gcc happy.
OK guenther@

Make ber type and encoding a unsigned int instead of unsigned long.
This way the size is the same on all archs and 32bit should be good enough.
OK rob@

Add support for attribute filter rules on search/read operations.

OK jmatthew@

Fix the client search request time and size limits.

ldapd failed when the specified limits were reached instead of
exceeded. This fixes search queries that define such a limit, for
example with "ldapsearch -z 1".

Thanks to Christophe Simon for the bug report, analysis, and fix!

OK jmatthew@

Fix format string errors in log messages and update ldapd to use relayd's log.c

OK benno@ jmatthew@

Add support to filter on attributes.

This can be used to allow users to change their password (and a few
other things) but not their entire dn. For example:

allow read access to any by self
allow write access to any attribute userPassword by self

This is currently only supported for "write" (modify, add, delete) and
not "read" (search) filter rules.

OK jmatthew@

work on making log.c similar in all daemons:

move daemon-local functions into new logmsg.c, and reduce
the (mostly whitespace) differences so that log.c's can be diffed easily.

ok krw@ jmatthew@

bzero -> memset. No binary change.

use strndup instead of malloc/strncpy/nul

ok krw@

Do not assume that asprintf() clears the pointer on failure, which
is non-portable. Also add missing asprintf() return value checks.
OK deraadt@ guenther@ doug@

Make -dvv flags produce debug traces of decoded BER messages on stderr.
Also shows a hexdump of the input buffer if BER decoding fails.
Useful when debugging protocol issues.

If the base DN in a search request doesn't exist, return early.

Publish matching rules in the cn=schema subentry as the matchingRules
attribute. This is an operational attribute and only returned if explicitly
asked for. Required by RFC 4517.

Evaluate filters according to the three-valued logic of X.511, as required
by RFC 4511. A filter term can now be evaluated as undefined if the
attribute description is not recognized, the attribute type doesn't define
the appropriate matching rule, or the filtering is not implemented.

This also implements the NOT filter in the query planner.

Dump parsed schema to buffer and send in requests for the cn=schema
subschema namespace. Only do this if 'objectClasses' and 'attributeTypes'
are expicitly requested. This allows clients to for example present custom
editing forms.

Remove dead assignments. Found by clang static analyzer.

Add support for referrals. Referrals are configured in the config file,
either in the global context or in a namespace. The latter can be used to
delegate requests to different servers for specific parts of the DIT. The
former is a global catch-all referral.

Rewrite the schema parser, as it's not a context-free grammar.
This also brings the config parser more in line with other parse.y in the
tree. The new schema parser also supports symbolic OID names.

You need to update your /etc/ldapd.conf. Schema files are no longer
included with the 'include' keyword, you have to use 'schema' for that.

Moves schema-related structures to a separate include file to ease reuse.

Set errno to appropriate values when returning failure in btree. Make btree
functions only return success or failure (-1 or NULL). Update callers to
check errno.

Make modify and simple auth requests open their own transactions, as search
already does. Trigger a reopen imsg request if either the data or index
databases are compacted. Queue the failed request and try again when the
file is reopened.

Compaction can now be done by a separate process, and ldapd will pick up
the change and reopen the file.

Wrap searches in a read-only transaction so it is guaranteed to see a
consistent snapshot of the database.

Also fixes a couple of format string errors for long long ints.

Fix compilation on gcc2. Check a return value from malloc while at it.

"that compiles!" deraadt@

Remove trailing whitespace and spaces before tabs.

ok gilles@

Initial import of ldapd, a small LDAP daemon. Work in progress.

ok deraadt@ jacekm@ gilles@ back@ henning@ blambert@

key.data is a void *, on gcc archs doing a %s printf with such a pointer
results in a warning. Use either the original string value or use a cast.
This makes both clang and gcc happy.
OK guenther@

Make ber type and encoding a unsigned int instead of unsigned long.
This way the size is the same on all archs and 32bit should be good enough.
OK rob@

Add support for attribute filter rules on search/read operations.

OK jmatthew@

Fix the client search request time and size limits.

ldapd failed when the specified limits were reached instead of
exceeded. This fixes search queries that define such a limit, for
example with "ldapsearch -z 1".

Thanks to Christophe Simon for the bug report, analysis, and fix!

OK jmatthew@

Fix format string errors in log messages and update ldapd to use relayd's log.c

OK benno@ jmatthew@

Add support to filter on attributes.

This can be used to allow users to change their password (and a few
other things) but not their entire dn. For example:

allow read access to any by self
allow write access to any attribute userPassword by self

This is currently only supported for "write" (modify, add, delete) and
not "read" (search) filter rules.

OK jmatthew@

work on making log.c similar in all daemons:

move daemon-local functions into new logmsg.c, and reduce
the (mostly whitespace) differences so that log.c's can be diffed easily.

ok krw@ jmatthew@

bzero -> memset. No binary change.

use strndup instead of malloc/strncpy/nul

ok krw@

Do not assume that asprintf() clears the pointer on failure, which
is non-portable. Also add missing asprintf() return value checks.
OK deraadt@ guenther@ doug@

Make -dvv flags produce debug traces of decoded BER messages on stderr.
Also shows a hexdump of the input buffer if BER decoding fails.
Useful when debugging protocol issues.

If the base DN in a search request doesn't exist, return early.

Publish matching rules in the cn=schema subentry as the matchingRules
attribute. This is an operational attribute and only returned if explicitly
asked for. Required by RFC 4517.

Evaluate filters according to the three-valued logic of X.511, as required
by RFC 4511. A filter term can now be evaluated as undefined if the
attribute description is not recognized, the attribute type doesn't define
the appropriate matching rule, or the filtering is not implemented.

This also implements the NOT filter in the query planner.

Dump parsed schema to buffer and send in requests for the cn=schema
subschema namespace. Only do this if 'objectClasses' and 'attributeTypes'
are expicitly requested. This allows clients to for example present custom
editing forms.

Remove dead assignments. Found by clang static analyzer.

Add support for referrals. Referrals are configured in the config file,
either in the global context or in a namespace. The latter can be used to
delegate requests to different servers for specific parts of the DIT. The
former is a global catch-all referral.

Rewrite the schema parser, as it's not a context-free grammar.
This also brings the config parser more in line with other parse.y in the
tree. The new schema parser also supports symbolic OID names.

You need to update your /etc/ldapd.conf. Schema files are no longer
included with the 'include' keyword, you have to use 'schema' for that.

Moves schema-related structures to a separate include file to ease reuse.

Set errno to appropriate values when returning failure in btree. Make btree
functions only return success or failure (-1 or NULL). Update callers to
check errno.

Make modify and simple auth requests open their own transactions, as search
already does. Trigger a reopen imsg request if either the data or index
databases are compacted. Queue the failed request and try again when the
file is reopened.

Compaction can now be done by a separate process, and ldapd will pick up
the change and reopen the file.

Wrap searches in a read-only transaction so it is guaranteed to see a
consistent snapshot of the database.

Also fixes a couple of format string errors for long long ints.

Fix compilation on gcc2. Check a return value from malloc while at it.

"that compiles!" deraadt@

Remove trailing whitespace and spaces before tabs.

ok gilles@

Initial import of ldapd, a small LDAP daemon. Work in progress.

ok deraadt@ jacekm@ gilles@ back@ henning@ blambert@

Make ber type and encoding a unsigned int instead of unsigned long.
This way the size is the same on all archs and 32bit should be good enough.
OK rob@

Add support for attribute filter rules on search/read operations.

OK jmatthew@

Fix the client search request time and size limits.

ldapd failed when the specified limits were reached instead of
exceeded. This fixes search queries that define such a limit, for
example with "ldapsearch -z 1".

Thanks to Christophe Simon for the bug report, analysis, and fix!

OK jmatthew@

Fix format string errors in log messages and update ldapd to use relayd's log.c

OK benno@ jmatthew@

Add support to filter on attributes.

This can be used to allow users to change their password (and a few
other things) but not their entire dn. For example:

allow read access to any by self
allow write access to any attribute userPassword by self

This is currently only supported for "write" (modify, add, delete) and
not "read" (search) filter rules.

OK jmatthew@

work on making log.c similar in all daemons:

move daemon-local functions into new logmsg.c, and reduce
the (mostly whitespace) differences so that log.c's can be diffed easily.

ok krw@ jmatthew@

bzero -> memset. No binary change.

use strndup instead of malloc/strncpy/nul

ok krw@

Do not assume that asprintf() clears the pointer on failure, which
is non-portable. Also add missing asprintf() return value checks.
OK deraadt@ guenther@ doug@

Make -dvv flags produce debug traces of decoded BER messages on stderr.
Also shows a hexdump of the input buffer if BER decoding fails.
Useful when debugging protocol issues.

If the base DN in a search request doesn't exist, return early.

Publish matching rules in the cn=schema subentry as the matchingRules
attribute. This is an operational attribute and only returned if explicitly
asked for. Required by RFC 4517.

Evaluate filters according to the three-valued logic of X.511, as required
by RFC 4511. A filter term can now be evaluated as undefined if the
attribute description is not recognized, the attribute type doesn't define
the appropriate matching rule, or the filtering is not implemented.

This also implements the NOT filter in the query planner.

Dump parsed schema to buffer and send in requests for the cn=schema
subschema namespace. Only do this if 'objectClasses' and 'attributeTypes'
are expicitly requested. This allows clients to for example present custom
editing forms.

Remove dead assignments. Found by clang static analyzer.

Add support for referrals. Referrals are configured in the config file,
either in the global context or in a namespace. The latter can be used to
delegate requests to different servers for specific parts of the DIT. The
former is a global catch-all referral.

Rewrite the schema parser, as it's not a context-free grammar.
This also brings the config parser more in line with other parse.y in the
tree. The new schema parser also supports symbolic OID names.

You need to update your /etc/ldapd.conf. Schema files are no longer
included with the 'include' keyword, you have to use 'schema' for that.

Moves schema-related structures to a separate include file to ease reuse.

Set errno to appropriate values when returning failure in btree. Make btree
functions only return success or failure (-1 or NULL). Update callers to
check errno.

Make modify and simple auth requests open their own transactions, as search
already does. Trigger a reopen imsg request if either the data or index
databases are compacted. Queue the failed request and try again when the
file is reopened.

Compaction can now be done by a separate process, and ldapd will pick up
the change and reopen the file.

Wrap searches in a read-only transaction so it is guaranteed to see a
consistent snapshot of the database.

Also fixes a couple of format string errors for long long ints.

Fix compilation on gcc2. Check a return value from malloc while at it.

"that compiles!" deraadt@

Remove trailing whitespace and spaces before tabs.

ok gilles@

Initial import of ldapd, a small LDAP daemon. Work in progress.

ok deraadt@ jacekm@ gilles@ back@ henning@ blambert@

Add support for attribute filter rules on search/read operations.

OK jmatthew@

Fix the client search request time and size limits.

ldapd failed when the specified limits were reached instead of
exceeded. This fixes search queries that define such a limit, for
example with "ldapsearch -z 1".

Thanks to Christophe Simon for the bug report, analysis, and fix!

OK jmatthew@

Fix format string errors in log messages and update ldapd to use relayd's log.c

OK benno@ jmatthew@

Add support to filter on attributes.

This can be used to allow users to change their password (and a few
other things) but not their entire dn. For example:

allow read access to any by self
allow write access to any attribute userPassword by self

This is currently only supported for "write" (modify, add, delete) and
not "read" (search) filter rules.

OK jmatthew@

work on making log.c similar in all daemons:

move daemon-local functions into new logmsg.c, and reduce
the (mostly whitespace) differences so that log.c's can be diffed easily.

ok krw@ jmatthew@

bzero -> memset. No binary change.

use strndup instead of malloc/strncpy/nul

ok krw@

Do not assume that asprintf() clears the pointer on failure, which
is non-portable. Also add missing asprintf() return value checks.
OK deraadt@ guenther@ doug@

Make -dvv flags produce debug traces of decoded BER messages on stderr.
Also shows a hexdump of the input buffer if BER decoding fails.
Useful when debugging protocol issues.

If the base DN in a search request doesn't exist, return early.

Publish matching rules in the cn=schema subentry as the matchingRules
attribute. This is an operational attribute and only returned if explicitly
asked for. Required by RFC 4517.

Evaluate filters according to the three-valued logic of X.511, as required
by RFC 4511. A filter term can now be evaluated as undefined if the
attribute description is not recognized, the attribute type doesn't define
the appropriate matching rule, or the filtering is not implemented.

This also implements the NOT filter in the query planner.

Dump parsed schema to buffer and send in requests for the cn=schema
subschema namespace. Only do this if 'objectClasses' and 'attributeTypes'
are expicitly requested. This allows clients to for example present custom
editing forms.

Remove dead assignments. Found by clang static analyzer.

Add support for referrals. Referrals are configured in the config file,
either in the global context or in a namespace. The latter can be used to
delegate requests to different servers for specific parts of the DIT. The
former is a global catch-all referral.

Rewrite the schema parser, as it's not a context-free grammar.
This also brings the config parser more in line with other parse.y in the
tree. The new schema parser also supports symbolic OID names.

You need to update your /etc/ldapd.conf. Schema files are no longer
included with the 'include' keyword, you have to use 'schema' for that.

Moves schema-related structures to a separate include file to ease reuse.

Set errno to appropriate values when returning failure in btree. Make btree
functions only return success or failure (-1 or NULL). Update callers to
check errno.

Make modify and simple auth requests open their own transactions, as search
already does. Trigger a reopen imsg request if either the data or index
databases are compacted. Queue the failed request and try again when the
file is reopened.

Compaction can now be done by a separate process, and ldapd will pick up
the change and reopen the file.

Wrap searches in a read-only transaction so it is guaranteed to see a
consistent snapshot of the database.

Also fixes a couple of format string errors for long long ints.

Fix compilation on gcc2. Check a return value from malloc while at it.

"that compiles!" deraadt@

Remove trailing whitespace and spaces before tabs.

ok gilles@

Initial import of ldapd, a small LDAP daemon. Work in progress.

ok deraadt@ jacekm@ gilles@ back@ henning@ blambert@

work on making log.c similar in all daemons:

move daemon-local functions into new logmsg.c, and reduce
the (mostly whitespace) differences so that log.c's can be diffed easily.

ok krw@ jmatthew@

bzero -> memset. No binary change.

use strndup instead of malloc/strncpy/nul

ok krw@

Do not assume that asprintf() clears the pointer on failure, which
is non-portable. Also add missing asprintf() return value checks.
OK deraadt@ guenther@ doug@

Make -dvv flags produce debug traces of decoded BER messages on stderr.
Also shows a hexdump of the input buffer if BER decoding fails.
Useful when debugging protocol issues.

If the base DN in a search request doesn't exist, return early.

Publish matching rules in the cn=schema subentry as the matchingRules
attribute. This is an operational attribute and only returned if explicitly
asked for. Required by RFC 4517.

Evaluate filters according to the three-valued logic of X.511, as required
by RFC 4511. A filter term can now be evaluated as undefined if the
attribute description is not recognized, the attribute type doesn't define
the appropriate matching rule, or the filtering is not implemented.

This also implements the NOT filter in the query planner.

Dump parsed schema to buffer and send in requests for the cn=schema
subschema namespace. Only do this if 'objectClasses' and 'attributeTypes'
are expicitly requested. This allows clients to for example present custom
editing forms.

Remove dead assignments. Found by clang static analyzer.

Add support for referrals. Referrals are configured in the config file,
either in the global context or in a namespace. The latter can be used to
delegate requests to different servers for specific parts of the DIT. The
former is a global catch-all referral.

Rewrite the schema parser, as it's not a context-free grammar.
This also brings the config parser more in line with other parse.y in the
tree. The new schema parser also supports symbolic OID names.

You need to update your /etc/ldapd.conf. Schema files are no longer
included with the 'include' keyword, you have to use 'schema' for that.

Moves schema-related structures to a separate include file to ease reuse.

Set errno to appropriate values when returning failure in btree. Make btree
functions only return success or failure (-1 or NULL). Update callers to
check errno.

Make modify and simple auth requests open their own transactions, as search
already does. Trigger a reopen imsg request if either the data or index
databases are compacted. Queue the failed request and try again when the
file is reopened.

Compaction can now be done by a separate process, and ldapd will pick up
the change and reopen the file.

Wrap searches in a read-only transaction so it is guaranteed to see a
consistent snapshot of the database.

Also fixes a couple of format string errors for long long ints.

Fix compilation on gcc2. Check a return value from malloc while at it.

"that compiles!" deraadt@

Remove trailing whitespace and spaces before tabs.

ok gilles@

Initial import of ldapd, a small LDAP daemon. Work in progress.

ok deraadt@ jacekm@ gilles@ back@ henning@ blambert@