1/* database.c - deals with database subsystem */ 2/* $OpenLDAP$ */ 3/* This work is part of OpenLDAP Software <http://www.openldap.org/>. 4 * 5 * Copyright 2001-2011 The OpenLDAP Foundation. 6 * Portions Copyright 2001-2003 Pierangelo Masarati. 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted only as authorized by the OpenLDAP 11 * Public License. 12 * 13 * A copy of this license is available in file LICENSE in the 14 * top-level directory of the distribution or, alternatively, at 15 * <http://www.OpenLDAP.org/license.html>. 16 */ 17/* ACKNOWLEDGEMENTS: 18 * This work was initially developed by Pierangelo Masarati for inclusion 19 * in OpenLDAP Software. 20 */ 21 22#include "portable.h" 23 24#include <stdio.h> 25#include <ac/string.h> 26#include <ac/unistd.h> 27 28#include "slap.h" 29#include "back-monitor.h" 30 31#if defined(LDAP_SLAPI) 32#include "slapi.h" 33static int monitor_back_add_plugin( monitor_info_t *mi, Backend *be, Entry *e ); 34#endif /* defined(LDAP_SLAPI) */ 35 36static int 37monitor_subsys_database_modify( 38 Operation *op, 39 SlapReply *rs, 40 Entry *e ); 41 42static struct restricted_ops_t { 43 struct berval op; 44 unsigned int tag; 45} restricted_ops[] = { 46 { BER_BVC( "add" ), SLAP_RESTRICT_OP_ADD }, 47 { BER_BVC( "bind" ), SLAP_RESTRICT_OP_BIND }, 48 { BER_BVC( "compare" ), SLAP_RESTRICT_OP_COMPARE }, 49 { BER_BVC( "delete" ), SLAP_RESTRICT_OP_DELETE }, 50 { BER_BVC( "extended" ), SLAP_RESTRICT_OP_EXTENDED }, 51 { BER_BVC( "modify" ), SLAP_RESTRICT_OP_MODIFY }, 52 { BER_BVC( "rename" ), SLAP_RESTRICT_OP_RENAME }, 53 { BER_BVC( "search" ), SLAP_RESTRICT_OP_SEARCH }, 54 { BER_BVNULL, 0 } 55}, restricted_exops[] = { 56 { BER_BVC( LDAP_EXOP_START_TLS ), SLAP_RESTRICT_EXOP_START_TLS }, 57 { BER_BVC( LDAP_EXOP_MODIFY_PASSWD ), SLAP_RESTRICT_EXOP_MODIFY_PASSWD }, 58 { BER_BVC( LDAP_EXOP_WHO_AM_I ), SLAP_RESTRICT_EXOP_WHOAMI }, 59 { BER_BVC( LDAP_EXOP_CANCEL ), SLAP_RESTRICT_EXOP_CANCEL }, 60 { BER_BVNULL, 0 } 61}; 62 63static int 64init_readOnly( monitor_info_t *mi, Entry *e, slap_mask_t restrictops ) 65{ 66 struct berval *tf = ( ( restrictops & SLAP_RESTRICT_OP_MASK ) == SLAP_RESTRICT_OP_WRITES ) ? 67 (struct berval *)&slap_true_bv : (struct berval *)&slap_false_bv; 68 69 return attr_merge_one( e, mi->mi_ad_readOnly, tf, NULL ); 70} 71 72static int 73init_restrictedOperation( monitor_info_t *mi, Entry *e, slap_mask_t restrictops ) 74{ 75 int i, rc; 76 77 for ( i = 0; restricted_ops[ i ].op.bv_val; i++ ) { 78 if ( restrictops & restricted_ops[ i ].tag ) { 79 rc = attr_merge_one( e, mi->mi_ad_restrictedOperation, 80 &restricted_ops[ i ].op, 81 &restricted_ops[ i ].op ); 82 if ( rc ) { 83 return rc; 84 } 85 } 86 } 87 88 for ( i = 0; restricted_exops[ i ].op.bv_val; i++ ) { 89 if ( restrictops & restricted_exops[ i ].tag ) { 90 rc = attr_merge_one( e, mi->mi_ad_restrictedOperation, 91 &restricted_exops[ i ].op, 92 &restricted_exops[ i ].op ); 93 if ( rc ) { 94 return rc; 95 } 96 } 97 } 98 99 return LDAP_SUCCESS; 100} 101 102static int 103monitor_subsys_overlay_init_one( 104 monitor_info_t *mi, 105 BackendDB *be, 106 monitor_subsys_t *ms, 107 monitor_subsys_t *ms_overlay, 108 slap_overinst *on, 109 Entry *e_database, 110 Entry **ep_overlay ) 111{ 112 char buf[ BACKMONITOR_BUFSIZE ]; 113 int j, o; 114 Entry *e_overlay; 115 slap_overinst *on2; 116 slap_overinfo *oi = NULL; 117 BackendInfo *bi; 118 monitor_entry_t *mp_overlay; 119 struct berval bv; 120 121 assert( overlay_is_over( be ) ); 122 123 oi = (slap_overinfo *)be->bd_info->bi_private; 124 bi = oi->oi_orig; 125 126 /* find the overlay number, o */ 127 for ( o = 0, on2 = oi->oi_list; on2 && on2 != on; on2 = on2->on_next, o++ ) 128 ; 129 130 if ( on2 == NULL ) { 131 return -1; 132 } 133 134 /* find the overlay type number, j */ 135 for ( on2 = overlay_next( NULL ), j = 0; on2; on2 = overlay_next( on2 ), j++ ) { 136 if ( on2->on_bi.bi_type == on->on_bi.bi_type ) { 137 break; 138 } 139 } 140 assert( on2 != NULL ); 141 142 bv.bv_len = snprintf( buf, sizeof( buf ), "cn=Overlay %d", o ); 143 bv.bv_val = buf; 144 145 e_overlay = monitor_entry_stub( &e_database->e_name, &e_database->e_nname, &bv, 146 mi->mi_oc_monitoredObject, mi, NULL, NULL ); 147 148 if ( e_overlay == NULL ) { 149 Debug( LDAP_DEBUG_ANY, 150 "monitor_subsys_overlay_init_one: " 151 "unable to create entry " 152 "\"cn=Overlay %d,%s\"\n", 153 o, e_database->e_name.bv_val, 0 ); 154 return( -1 ); 155 } 156 ber_str2bv( on->on_bi.bi_type, 0, 0, &bv ); 157 attr_merge_normalize_one( e_overlay, mi->mi_ad_monitoredInfo, &bv, NULL ); 158 159 bv.bv_len = snprintf( buf, sizeof( buf ), "cn=Overlay %d,%s", 160 j, ms_overlay->mss_dn.bv_val ); 161 bv.bv_val = buf; 162 attr_merge_normalize_one( e_overlay, slap_schema.si_ad_seeAlso, 163 &bv, NULL ); 164 165 if ( SLAP_MONITOR( be ) ) { 166 attr_merge( e_overlay, slap_schema.si_ad_monitorContext, 167 be->be_suffix, be->be_nsuffix ); 168 169 } else { 170 attr_merge( e_overlay, slap_schema.si_ad_namingContexts, 171 be->be_suffix, NULL ); 172 } 173 174 mp_overlay = monitor_entrypriv_create(); 175 if ( mp_overlay == NULL ) { 176 return -1; 177 } 178 e_overlay->e_private = ( void * )mp_overlay; 179 mp_overlay->mp_info = ms; 180 mp_overlay->mp_flags = ms->mss_flags | MONITOR_F_SUB; 181 182 if ( monitor_cache_add( mi, e_overlay ) ) { 183 Debug( LDAP_DEBUG_ANY, 184 "monitor_subsys_overlay_init_one: " 185 "unable to add entry " 186 "\"cn=Overlay %d,%s\"\n", 187 o, e_database->e_name.bv_val, 0 ); 188 return -1; 189 } 190 191 *ep_overlay = e_overlay; 192 ep_overlay = &mp_overlay->mp_next; 193 194 return 0; 195} 196 197static int 198monitor_subsys_database_init_one( 199 monitor_info_t *mi, 200 BackendDB *be, 201 monitor_subsys_t *ms, 202 monitor_subsys_t *ms_backend, 203 monitor_subsys_t *ms_overlay, 204 struct berval *rdn, 205 Entry *e_database, 206 Entry ***epp ) 207{ 208 char buf[ BACKMONITOR_BUFSIZE ]; 209 int j; 210 slap_overinfo *oi = NULL; 211 BackendInfo *bi, *bi2; 212 Entry *e; 213 monitor_entry_t *mp; 214 char *rdnval = strchr( rdn->bv_val, '=' ) + 1; 215 struct berval bv; 216 217 bi = be->bd_info; 218 219 if ( overlay_is_over( be ) ) { 220 oi = (slap_overinfo *)be->bd_info->bi_private; 221 bi = oi->oi_orig; 222 } 223 224 e = monitor_entry_stub( &ms->mss_dn, &ms->mss_ndn, rdn, 225 mi->mi_oc_monitoredObject, mi, NULL, NULL ); 226 227 if ( e == NULL ) { 228 Debug( LDAP_DEBUG_ANY, 229 "monitor_subsys_database_init_one: " 230 "unable to create entry \"%s,%s\"\n", 231 rdn->bv_val, ms->mss_dn.bv_val, 0 ); 232 return( -1 ); 233 } 234 235 ber_str2bv( bi->bi_type, 0, 0, &bv ); 236 attr_merge_normalize_one( e, mi->mi_ad_monitoredInfo, &bv, NULL ); 237 attr_merge_one( e, mi->mi_ad_monitorIsShadow, 238 SLAP_SHADOW( be ) ? (struct berval *)&slap_true_bv : 239 (struct berval *)&slap_false_bv, NULL ); 240 241 if ( SLAP_MONITOR( be ) ) { 242 attr_merge( e, slap_schema.si_ad_monitorContext, 243 be->be_suffix, be->be_nsuffix ); 244 attr_merge( e_database, slap_schema.si_ad_monitorContext, 245 be->be_suffix, be->be_nsuffix ); 246 247 } else { 248 if ( be->be_suffix == NULL ) { 249 Debug( LDAP_DEBUG_ANY, 250 "monitor_subsys_database_init_one: " 251 "missing suffix for %s\n", 252 rdnval, 0, 0 ); 253 } else { 254 attr_merge( e, slap_schema.si_ad_namingContexts, 255 be->be_suffix, NULL ); 256 attr_merge( e_database, slap_schema.si_ad_namingContexts, 257 be->be_suffix, NULL ); 258 } 259 260 if ( SLAP_GLUE_SUBORDINATE( be ) ) { 261 BackendDB *sup_be = select_backend( &be->be_nsuffix[ 0 ], 1 ); 262 if ( sup_be == NULL ) { 263 Debug( LDAP_DEBUG_ANY, 264 "monitor_subsys_database_init: " 265 "unable to get superior for %s\n", 266 be->be_suffix[ 0 ].bv_val, 0, 0 ); 267 268 } else { 269 attr_merge( e, mi->mi_ad_monitorSuperiorDN, 270 sup_be->be_suffix, sup_be->be_nsuffix ); 271 } 272 } 273 } 274 275 (void)init_readOnly( mi, e, be->be_restrictops ); 276 (void)init_restrictedOperation( mi, e, be->be_restrictops ); 277 278 if ( SLAP_SHADOW( be ) && be->be_update_refs ) { 279 attr_merge_normalize( e, mi->mi_ad_monitorUpdateRef, 280 be->be_update_refs, NULL ); 281 } 282 283 if ( oi != NULL ) { 284 slap_overinst *on = oi->oi_list, 285 *on1 = on; 286 287 for ( ; on; on = on->on_next ) { 288 slap_overinst *on2; 289 290 for ( on2 = on1; on2 != on; on2 = on2->on_next ) { 291 if ( on2->on_bi.bi_type == on->on_bi.bi_type ) { 292 break; 293 } 294 } 295 296 if ( on2 != on ) { 297 break; 298 } 299 300 ber_str2bv( on->on_bi.bi_type, 0, 0, &bv ); 301 attr_merge_normalize_one( e, mi->mi_ad_monitorOverlay, 302 &bv, NULL ); 303 304 /* find the overlay number, j */ 305 for ( on2 = overlay_next( NULL ), j = 0; on2; on2 = overlay_next( on2 ), j++ ) { 306 if ( on2->on_bi.bi_type == on->on_bi.bi_type ) { 307 break; 308 } 309 } 310 assert( on2 != NULL ); 311 312 snprintf( buf, sizeof( buf ), 313 "cn=Overlay %d,%s", 314 j, ms_overlay->mss_dn.bv_val ); 315 ber_str2bv( buf, 0, 0, &bv ); 316 attr_merge_normalize_one( e, 317 slap_schema.si_ad_seeAlso, 318 &bv, NULL ); 319 } 320 } 321 322 j = -1; 323 LDAP_STAILQ_FOREACH( bi2, &backendInfo, bi_next ) { 324 j++; 325 if ( bi2->bi_type == bi->bi_type ) { 326 snprintf( buf, sizeof( buf ), 327 "cn=Backend %d,%s", 328 j, ms_backend->mss_dn.bv_val ); 329 bv.bv_val = buf; 330 bv.bv_len = strlen( buf ); 331 attr_merge_normalize_one( e, 332 slap_schema.si_ad_seeAlso, 333 &bv, NULL ); 334 break; 335 } 336 } 337 /* we must find it! */ 338 assert( j >= 0 ); 339 340 mp = monitor_entrypriv_create(); 341 if ( mp == NULL ) { 342 return -1; 343 } 344 e->e_private = ( void * )mp; 345 mp->mp_info = ms; 346 mp->mp_flags = ms->mss_flags 347 | MONITOR_F_SUB; 348 349 if ( monitor_cache_add( mi, e ) ) { 350 Debug( LDAP_DEBUG_ANY, 351 "monitor_subsys_database_init_one: " 352 "unable to add entry \"%s,%s\"\n", 353 rdn->bv_val, ms->mss_dn.bv_val, 0 ); 354 return( -1 ); 355 } 356 357#if defined(LDAP_SLAPI) 358 monitor_back_add_plugin( mi, be, e ); 359#endif /* defined(LDAP_SLAPI) */ 360 361 if ( oi != NULL ) { 362 Entry **ep_overlay = &mp->mp_children; 363 slap_overinst *on = oi->oi_list; 364 365 for ( ; on; on = on->on_next ) { 366 monitor_subsys_overlay_init_one( mi, be, 367 ms, ms_overlay, on, e, ep_overlay ); 368 } 369 } 370 371 **epp = e; 372 *epp = &mp->mp_next; 373 374 return 0; 375} 376 377static int 378monitor_back_register_database_and_overlay( 379 BackendDB *be, 380 struct slap_overinst *on, 381 struct berval *ndn_out ) 382{ 383 monitor_info_t *mi; 384 Entry *e_database, **ep; 385 int i, rc; 386 monitor_entry_t *mp; 387 monitor_subsys_t *ms_backend, 388 *ms_database, 389 *ms_overlay; 390 struct berval bv; 391 char buf[ BACKMONITOR_BUFSIZE ]; 392 393 assert( be_monitor != NULL ); 394 395 if ( !monitor_subsys_is_opened() ) { 396 if ( on ) { 397 return monitor_back_register_overlay_limbo( be, on, ndn_out ); 398 399 } else { 400 return monitor_back_register_database_limbo( be, ndn_out ); 401 } 402 } 403 404 mi = ( monitor_info_t * )be_monitor->be_private; 405 406 ms_backend = monitor_back_get_subsys( SLAPD_MONITOR_BACKEND_NAME ); 407 if ( ms_backend == NULL ) { 408 Debug( LDAP_DEBUG_ANY, 409 "monitor_back_register_database: " 410 "unable to get " 411 "\"" SLAPD_MONITOR_BACKEND_NAME "\" " 412 "subsystem\n", 413 0, 0, 0 ); 414 return -1; 415 } 416 417 ms_database = monitor_back_get_subsys( SLAPD_MONITOR_DATABASE_NAME ); 418 if ( ms_database == NULL ) { 419 Debug( LDAP_DEBUG_ANY, 420 "monitor_back_register_database: " 421 "unable to get " 422 "\"" SLAPD_MONITOR_DATABASE_NAME "\" " 423 "subsystem\n", 424 0, 0, 0 ); 425 return -1; 426 } 427 428 ms_overlay = monitor_back_get_subsys( SLAPD_MONITOR_OVERLAY_NAME ); 429 if ( ms_overlay == NULL ) { 430 Debug( LDAP_DEBUG_ANY, 431 "monitor_back_register_database: " 432 "unable to get " 433 "\"" SLAPD_MONITOR_OVERLAY_NAME "\" " 434 "subsystem\n", 435 0, 0, 0 ); 436 return -1; 437 } 438 439 if ( monitor_cache_get( mi, &ms_database->mss_ndn, &e_database ) ) { 440 Debug( LDAP_DEBUG_ANY, 441 "monitor_subsys_database_init: " 442 "unable to get entry \"%s\"\n", 443 ms_database->mss_ndn.bv_val, 0, 0 ); 444 return( -1 ); 445 } 446 447 mp = ( monitor_entry_t * )e_database->e_private; 448 for ( i = -1, ep = &mp->mp_children; *ep; i++ ) { 449 Attribute *a; 450 451 a = attr_find( (*ep)->e_attrs, slap_schema.si_ad_namingContexts ); 452 if ( a ) { 453 int j, k; 454 455 /* FIXME: RFC 4512 defines namingContexts without an 456 * equality matching rule, making comparisons 457 * like this one tricky. We use a_vals and 458 * be_suffix instead for now. 459 */ 460 for ( j = 0; !BER_BVISNULL( &a->a_vals[ j ] ); j++ ) { 461 for ( k = 0; !BER_BVISNULL( &be->be_suffix[ k ] ); k++ ) { 462 if ( dn_match( &a->a_vals[ j ], 463 &be->be_suffix[ k ] ) ) { 464 rc = 0; 465 goto done; 466 } 467 } 468 } 469 } 470 471 mp = ( monitor_entry_t * )(*ep)->e_private; 472 473 assert( mp != NULL ); 474 ep = &mp->mp_next; 475 } 476 477 bv.bv_val = buf; 478 bv.bv_len = snprintf( buf, sizeof( buf ), "cn=Database %d", i ); 479 if ( bv.bv_len >= sizeof( buf ) ) { 480 rc = -1; 481 goto done; 482 } 483 484 rc = monitor_subsys_database_init_one( mi, be, 485 ms_database, ms_backend, ms_overlay, &bv, e_database, &ep ); 486 if ( rc != 0 ) { 487 goto done; 488 } 489 /* database_init_one advanced ep past where we want. 490 * But it stored the entry we want in mp->mp_next. 491 */ 492 ep = &mp->mp_next; 493 494done:; 495 monitor_cache_release( mi, e_database ); 496 if ( rc == 0 && ndn_out && ep && *ep ) { 497 if ( on ) { 498 Entry *e_ov; 499 struct berval ov_type; 500 501 ber_str2bv( on->on_bi.bi_type, 0, 0, &ov_type ); 502 503 mp = ( monitor_entry_t * ) (*ep)->e_private; 504 for ( e_ov = mp->mp_children; e_ov; ) { 505 Attribute *a = attr_find( e_ov->e_attrs, mi->mi_ad_monitoredInfo ); 506 507 if ( a != NULL && bvmatch( &a->a_nvals[ 0 ], &ov_type ) ) { 508 *ndn_out = e_ov->e_nname; 509 break; 510 } 511 512 mp = ( monitor_entry_t * ) e_ov->e_private; 513 e_ov = mp->mp_next; 514 } 515 516 } else { 517 *ndn_out = (*ep)->e_nname; 518 } 519 } 520 521 return rc; 522} 523 524int 525monitor_back_register_database( 526 BackendDB *be, 527 struct berval *ndn_out ) 528{ 529 return monitor_back_register_database_and_overlay( be, NULL, ndn_out ); 530} 531 532int 533monitor_back_register_overlay( 534 BackendDB *be, 535 struct slap_overinst *on, 536 struct berval *ndn_out ) 537{ 538 return monitor_back_register_database_and_overlay( be, on, ndn_out ); 539} 540 541int 542monitor_subsys_database_init( 543 BackendDB *be, 544 monitor_subsys_t *ms ) 545{ 546 monitor_info_t *mi; 547 Entry *e_database, **ep; 548 int i, rc; 549 monitor_entry_t *mp; 550 monitor_subsys_t *ms_backend, 551 *ms_overlay; 552 struct berval bv; 553 554 assert( be != NULL ); 555 556 ms->mss_modify = monitor_subsys_database_modify; 557 558 mi = ( monitor_info_t * )be->be_private; 559 560 ms_backend = monitor_back_get_subsys( SLAPD_MONITOR_BACKEND_NAME ); 561 if ( ms_backend == NULL ) { 562 Debug( LDAP_DEBUG_ANY, 563 "monitor_subsys_database_init: " 564 "unable to get " 565 "\"" SLAPD_MONITOR_BACKEND_NAME "\" " 566 "subsystem\n", 567 0, 0, 0 ); 568 return -1; 569 } 570 571 ms_overlay = monitor_back_get_subsys( SLAPD_MONITOR_OVERLAY_NAME ); 572 if ( ms_overlay == NULL ) { 573 Debug( LDAP_DEBUG_ANY, 574 "monitor_subsys_database_init: " 575 "unable to get " 576 "\"" SLAPD_MONITOR_OVERLAY_NAME "\" " 577 "subsystem\n", 578 0, 0, 0 ); 579 return -1; 580 } 581 582 if ( monitor_cache_get( mi, &ms->mss_ndn, &e_database ) ) { 583 Debug( LDAP_DEBUG_ANY, 584 "monitor_subsys_database_init: " 585 "unable to get entry \"%s\"\n", 586 ms->mss_ndn.bv_val, 0, 0 ); 587 return( -1 ); 588 } 589 590 (void)init_readOnly( mi, e_database, frontendDB->be_restrictops ); 591 (void)init_restrictedOperation( mi, e_database, frontendDB->be_restrictops ); 592 593 mp = ( monitor_entry_t * )e_database->e_private; 594 mp->mp_children = NULL; 595 ep = &mp->mp_children; 596 597 BER_BVSTR( &bv, "cn=Frontend" ); 598 rc = monitor_subsys_database_init_one( mi, frontendDB, 599 ms, ms_backend, ms_overlay, &bv, e_database, &ep ); 600 if ( rc != 0 ) { 601 return rc; 602 } 603 604 i = -1; 605 LDAP_STAILQ_FOREACH( be, &backendDB, be_next ) { 606 char buf[ BACKMONITOR_BUFSIZE ]; 607 608 bv.bv_val = buf; 609 bv.bv_len = snprintf( buf, sizeof( buf ), "cn=Database %d", ++i ); 610 if ( bv.bv_len >= sizeof( buf ) ) { 611 return -1; 612 } 613 614 rc = monitor_subsys_database_init_one( mi, be, 615 ms, ms_backend, ms_overlay, &bv, e_database, &ep ); 616 if ( rc != 0 ) { 617 return rc; 618 } 619 } 620 621 monitor_cache_release( mi, e_database ); 622 623 return( 0 ); 624} 625 626/* 627 * v: array of values 628 * cur: must not contain the tags corresponding to the values in v 629 * delta: will contain the tags corresponding to the values in v 630 */ 631static int 632value_mask( BerVarray v, slap_mask_t cur, slap_mask_t *delta ) 633{ 634 for ( ; !BER_BVISNULL( v ); v++ ) { 635 struct restricted_ops_t *rops; 636 int i; 637 638 if ( OID_LEADCHAR( v->bv_val[ 0 ] ) ) { 639 rops = restricted_exops; 640 641 } else { 642 rops = restricted_ops; 643 } 644 645 for ( i = 0; !BER_BVISNULL( &rops[ i ].op ); i++ ) { 646 if ( ber_bvstrcasecmp( v, &rops[ i ].op ) != 0 ) { 647 continue; 648 } 649 650 if ( rops[ i ].tag & *delta ) { 651 return LDAP_OTHER; 652 } 653 654 if ( rops[ i ].tag & cur ) { 655 return LDAP_OTHER; 656 } 657 658 cur |= rops[ i ].tag; 659 *delta |= rops[ i ].tag; 660 661 break; 662 } 663 664 if ( BER_BVISNULL( &rops[ i ].op ) ) { 665 return LDAP_INVALID_SYNTAX; 666 } 667 } 668 669 return LDAP_SUCCESS; 670} 671 672static int 673monitor_subsys_database_modify( 674 Operation *op, 675 SlapReply *rs, 676 Entry *e ) 677{ 678 monitor_info_t *mi = (monitor_info_t *)op->o_bd->be_private; 679 int rc = LDAP_OTHER; 680 Attribute *save_attrs, *a; 681 Modifications *ml; 682 Backend *be; 683 int ro_gotval = 1, i, n; 684 slap_mask_t rp_add = 0, rp_delete = 0, rp_cur; 685 struct berval *tf; 686 687 i = sscanf( e->e_nname.bv_val, "cn=database %d,", &n ); 688 if ( i != 1 ) { 689 return SLAP_CB_CONTINUE; 690 } 691 692 if ( n < 0 || n >= nBackendDB ) { 693 rs->sr_text = "invalid database index"; 694 return ( rs->sr_err = LDAP_NO_SUCH_OBJECT ); 695 } 696 697 LDAP_STAILQ_FOREACH( be, &backendDB, be_next ) { 698 if ( n == 0 ) { 699 break; 700 } 701 n--; 702 } 703 /* do not allow some changes on back-monitor (needs work)... */ 704 if ( SLAP_MONITOR( be ) ) { 705 rs->sr_text = "no modifications allowed to monitor database entry"; 706 return ( rs->sr_err = LDAP_UNWILLING_TO_PERFORM ); 707 } 708 709 rp_cur = be->be_restrictops; 710 711 save_attrs = e->e_attrs; 712 e->e_attrs = attrs_dup( e->e_attrs ); 713 714 for ( ml = op->orm_modlist; ml; ml = ml->sml_next ) { 715 Modification *mod = &ml->sml_mod; 716 717 if ( mod->sm_desc == mi->mi_ad_readOnly ) { 718 int val = -1; 719 720 if ( mod->sm_values ) { 721 if ( !BER_BVISNULL( &mod->sm_values[ 1 ] ) ) { 722 rs->sr_text = "attempting to modify multiple values of single-valued attribute"; 723 rc = rs->sr_err = LDAP_CONSTRAINT_VIOLATION; 724 goto done; 725 } 726 727 if ( bvmatch( &slap_true_bv, mod->sm_values )) { 728 val = 1; 729 730 } else if ( bvmatch( &slap_false_bv, mod->sm_values )) { 731 val = 0; 732 733 } else { 734 assert( 0 ); 735 rc = rs->sr_err = LDAP_INVALID_SYNTAX; 736 goto done; 737 } 738 } 739 740 switch ( mod->sm_op ) { 741 case LDAP_MOD_DELETE: 742 if ( ro_gotval < 1 ) { 743 rc = rs->sr_err = LDAP_CONSTRAINT_VIOLATION; 744 goto done; 745 } 746 ro_gotval--; 747 748 if ( val == 0 && ( rp_cur & SLAP_RESTRICT_OP_WRITES ) == SLAP_RESTRICT_OP_WRITES ) { 749 rc = rs->sr_err = LDAP_NO_SUCH_ATTRIBUTE; 750 goto done; 751 } 752 753 if ( val == 1 && ( rp_cur & SLAP_RESTRICT_OP_WRITES ) != SLAP_RESTRICT_OP_WRITES ) { 754 rc = rs->sr_err = LDAP_NO_SUCH_ATTRIBUTE; 755 goto done; 756 } 757 758 break; 759 760 case LDAP_MOD_REPLACE: 761 ro_gotval = 0; 762 /* fall thru */ 763 764 case LDAP_MOD_ADD: 765 if ( ro_gotval > 0 ) { 766 rc = rs->sr_err = LDAP_CONSTRAINT_VIOLATION; 767 goto done; 768 } 769 ro_gotval++; 770 771 if ( val == 1 ) { 772 rp_add |= (~rp_cur) & SLAP_RESTRICT_OP_WRITES; 773 rp_cur |= SLAP_RESTRICT_OP_WRITES; 774 rp_delete &= ~SLAP_RESTRICT_OP_WRITES; 775 776 } else if ( val == 0 ) { 777 rp_delete |= rp_cur & SLAP_RESTRICT_OP_WRITES; 778 rp_cur &= ~SLAP_RESTRICT_OP_WRITES; 779 rp_add &= ~SLAP_RESTRICT_OP_WRITES; 780 } 781 break; 782 783 default: 784 rc = rs->sr_err = LDAP_OTHER; 785 goto done; 786 } 787 788 } else if ( mod->sm_desc == mi->mi_ad_restrictedOperation ) { 789 slap_mask_t mask = 0; 790 791 switch ( mod->sm_op ) { 792 case LDAP_MOD_DELETE: 793 if ( mod->sm_values == NULL ) { 794 rp_delete = rp_cur; 795 rp_cur = 0; 796 rp_add = 0; 797 break; 798 } 799 rc = value_mask( mod->sm_values, ~rp_cur, &mask ); 800 if ( rc == LDAP_SUCCESS ) { 801 rp_delete |= mask; 802 rp_add &= ~mask; 803 rp_cur &= ~mask; 804 805 } else if ( rc == LDAP_OTHER ) { 806 rc = LDAP_NO_SUCH_ATTRIBUTE; 807 } 808 break; 809 810 case LDAP_MOD_REPLACE: 811 rp_delete = rp_cur; 812 rp_cur = 0; 813 rp_add = 0; 814 /* fall thru */ 815 816 case LDAP_MOD_ADD: 817 rc = value_mask( mod->sm_values, rp_cur, &mask ); 818 if ( rc == LDAP_SUCCESS ) { 819 rp_add |= mask; 820 rp_cur |= mask; 821 rp_delete &= ~mask; 822 823 } else if ( rc == LDAP_OTHER ) { 824 rc = rs->sr_err = LDAP_TYPE_OR_VALUE_EXISTS; 825 } 826 break; 827 828 default: 829 rc = rs->sr_err = LDAP_OTHER; 830 break; 831 } 832 833 if ( rc != LDAP_SUCCESS ) { 834 goto done; 835 } 836 837 } else if ( is_at_operational( mod->sm_desc->ad_type )) { 838 /* accept all operational attributes */ 839 attr_delete( &e->e_attrs, mod->sm_desc ); 840 rc = attr_merge( e, mod->sm_desc, mod->sm_values, 841 mod->sm_nvalues ); 842 if ( rc ) { 843 rc = rs->sr_err = LDAP_OTHER; 844 break; 845 } 846 847 } else { 848 rc = rs->sr_err = LDAP_UNWILLING_TO_PERFORM; 849 break; 850 } 851 } 852 853 /* sanity checks: */ 854 if ( ro_gotval < 1 ) { 855 rc = rs->sr_err = LDAP_CONSTRAINT_VIOLATION; 856 goto done; 857 } 858 859 if ( ( rp_cur & SLAP_RESTRICT_OP_EXTENDED ) && ( rp_cur & SLAP_RESTRICT_EXOP_MASK ) ) { 860 rc = rs->sr_err = LDAP_CONSTRAINT_VIOLATION; 861 goto done; 862 } 863 864 if ( rp_delete & rp_add ) { 865 rc = rs->sr_err = LDAP_OTHER; 866 goto done; 867 } 868 869 /* check current value of readOnly */ 870 if ( ( rp_cur & SLAP_RESTRICT_OP_WRITES ) == SLAP_RESTRICT_OP_WRITES ) { 871 tf = (struct berval *)&slap_true_bv; 872 873 } else { 874 tf = (struct berval *)&slap_false_bv; 875 } 876 877 a = attr_find( e->e_attrs, mi->mi_ad_readOnly ); 878 if ( a == NULL ) { 879 rc = LDAP_OTHER; 880 goto done; 881 } 882 883 if ( !bvmatch( &a->a_vals[ 0 ], tf ) ) { 884 attr_delete( &e->e_attrs, mi->mi_ad_readOnly ); 885 rc = attr_merge_one( e, mi->mi_ad_readOnly, tf, tf ); 886 } 887 888 if ( rc == LDAP_SUCCESS ) { 889 if ( rp_delete ) { 890 if ( rp_delete == be->be_restrictops ) { 891 attr_delete( &e->e_attrs, mi->mi_ad_restrictedOperation ); 892 893 } else { 894 a = attr_find( e->e_attrs, mi->mi_ad_restrictedOperation ); 895 if ( a == NULL ) { 896 rc = rs->sr_err = LDAP_OTHER; 897 goto done; 898 } 899 900 for ( i = 0; !BER_BVISNULL( &restricted_ops[ i ].op ); i++ ) { 901 if ( rp_delete & restricted_ops[ i ].tag ) { 902 int j; 903 904 for ( j = 0; !BER_BVISNULL( &a->a_nvals[ j ] ); j++ ) { 905 int k; 906 907 if ( !bvmatch( &a->a_nvals[ j ], &restricted_ops[ i ].op ) ) { 908 continue; 909 } 910 911 ch_free( a->a_vals[ j ].bv_val ); 912 ch_free( a->a_nvals[ j ].bv_val ); 913 914 for ( k = j + 1; !BER_BVISNULL( &a->a_nvals[ k ] ); k++ ) { 915 a->a_vals[ k - 1 ] = a->a_vals[ k ]; 916 a->a_nvals[ k - 1 ] = a->a_nvals[ k ]; 917 } 918 919 BER_BVZERO( &a->a_vals[ k - 1 ] ); 920 BER_BVZERO( &a->a_nvals[ k - 1 ] ); 921 a->a_numvals--; 922 } 923 } 924 } 925 926 for ( i = 0; !BER_BVISNULL( &restricted_exops[ i ].op ); i++ ) { 927 if ( rp_delete & restricted_exops[ i ].tag ) { 928 int j; 929 930 for ( j = 0; !BER_BVISNULL( &a->a_nvals[ j ] ); j++ ) { 931 int k; 932 933 if ( !bvmatch( &a->a_nvals[ j ], &restricted_exops[ i ].op ) ) { 934 continue; 935 } 936 937 ch_free( a->a_vals[ j ].bv_val ); 938 ch_free( a->a_nvals[ j ].bv_val ); 939 940 for ( k = j + 1; !BER_BVISNULL( &a->a_nvals[ k ] ); k++ ) { 941 a->a_vals[ k - 1 ] = a->a_vals[ k ]; 942 a->a_nvals[ k - 1 ] = a->a_nvals[ k ]; 943 } 944 945 BER_BVZERO( &a->a_vals[ k - 1 ] ); 946 BER_BVZERO( &a->a_nvals[ k - 1 ] ); 947 a->a_numvals--; 948 } 949 } 950 } 951 952 if ( a->a_vals == NULL ) { 953 assert( a->a_numvals == 0 ); 954 955 attr_delete( &e->e_attrs, mi->mi_ad_restrictedOperation ); 956 } 957 } 958 } 959 960 if ( rp_add ) { 961 for ( i = 0; !BER_BVISNULL( &restricted_ops[ i ].op ); i++ ) { 962 if ( rp_add & restricted_ops[ i ].tag ) { 963 attr_merge_one( e, mi->mi_ad_restrictedOperation, 964 &restricted_ops[ i ].op, 965 &restricted_ops[ i ].op ); 966 } 967 } 968 969 for ( i = 0; !BER_BVISNULL( &restricted_exops[ i ].op ); i++ ) { 970 if ( rp_add & restricted_exops[ i ].tag ) { 971 attr_merge_one( e, mi->mi_ad_restrictedOperation, 972 &restricted_exops[ i ].op, 973 &restricted_exops[ i ].op ); 974 } 975 } 976 } 977 } 978 979 be->be_restrictops = rp_cur; 980 981done:; 982 if ( rc == LDAP_SUCCESS ) { 983 attrs_free( save_attrs ); 984 rc = SLAP_CB_CONTINUE; 985 986 } else { 987 Attribute *tmp = e->e_attrs; 988 e->e_attrs = save_attrs; 989 attrs_free( tmp ); 990 } 991 return rc; 992} 993 994#if defined(LDAP_SLAPI) 995static int 996monitor_back_add_plugin( monitor_info_t *mi, Backend *be, Entry *e_database ) 997{ 998 Slapi_PBlock *pCurrentPB; 999 int i, rc = LDAP_SUCCESS; 1000 1001 if ( slapi_int_pblock_get_first( be, &pCurrentPB ) != LDAP_SUCCESS ) { 1002 /* 1003 * LDAP_OTHER is returned if no plugins are installed 1004 */ 1005 rc = LDAP_OTHER; 1006 goto done; 1007 } 1008 1009 i = 0; 1010 do { 1011 Slapi_PluginDesc *srchdesc; 1012 char buf[ BACKMONITOR_BUFSIZE ]; 1013 struct berval bv; 1014 1015 rc = slapi_pblock_get( pCurrentPB, SLAPI_PLUGIN_DESCRIPTION, 1016 &srchdesc ); 1017 if ( rc != LDAP_SUCCESS ) { 1018 goto done; 1019 } 1020 if ( srchdesc ) { 1021 snprintf( buf, sizeof(buf), 1022 "plugin %d name: %s; " 1023 "vendor: %s; " 1024 "version: %s; " 1025 "description: %s", 1026 i, 1027 srchdesc->spd_id, 1028 srchdesc->spd_vendor, 1029 srchdesc->spd_version, 1030 srchdesc->spd_description ); 1031 } else { 1032 snprintf( buf, sizeof(buf), 1033 "plugin %d name: <no description available>", i ); 1034 } 1035 1036 ber_str2bv( buf, 0, 0, &bv ); 1037 attr_merge_normalize_one( e_database, 1038 mi->mi_ad_monitoredInfo, &bv, NULL ); 1039 1040 i++; 1041 1042 } while ( ( slapi_int_pblock_get_next( &pCurrentPB ) == LDAP_SUCCESS ) 1043 && ( pCurrentPB != NULL ) ); 1044 1045done: 1046 return rc; 1047} 1048#endif /* defined(LDAP_SLAPI) */ 1049