config.c

ldap服务器源码

                                        		c->fname, c->lineno, 0 );
                                		return 1;
					}
					li->li_idassert_flags |= LDAP_BACK_AUTH_OBSOLETE_PROXY_AUTHZ;

				} else if ( strcasecmp( c->argv[ i ], "obsolete-encoding-workaround" ) == 0 ) {
					if ( li->li_idassert_flags & LDAP_BACK_AUTH_OBSOLETE_PROXY_AUTHZ ) {
						Debug( LDAP_DEBUG_ANY,
                                       	 		"%s: line %d: \"obsolete-encoding-workaround\" flag "
                                        		"in \"idassert-mode <args>\" "
                                        		"incompatible with previously issued \"obsolete-proxy-authz\" flag.\n",
                                        		c->fname, c->lineno, 0 );
                                		return 1;
					}
					li->li_idassert_flags |= LDAP_BACK_AUTH_OBSOLETE_ENCODING_WORKAROUND;

				} else {
					Debug( LDAP_DEBUG_ANY,
                                        	"%s: line %d: unknown flag #%d "
                                        	"in \"idassert-mode <args> "
                                        	"[<flags>]\" line.\n",
                                        	c->fname, c->lineno, i - 2 );
                                	return 1;
				}
                        }
                }
		break;

	case LDAP_BACK_CFG_IDASSERT_AUTHCDN:
		switch ( li->li_idassert_authmethod ) {
		case LDAP_AUTH_NONE:
			li->li_idassert_authmethod = LDAP_AUTH_SIMPLE;
			break;

		case LDAP_AUTH_SIMPLE:
			break;

		default:
			snprintf( c->msg, sizeof( c->msg ),
				"\"idassert-authcDN <DN>\" incompatible "
				"with auth method %d",
				li->li_idassert_authmethod );
			Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 );
			return 1;
		}
		if ( !BER_BVISNULL( &li->li_idassert_authcDN ) ) {
			free( li->li_idassert_authcDN.bv_val );
		}
		ber_memfree_x( c->value_dn.bv_val, NULL );
		li->li_idassert_authcDN = c->value_ndn;
		BER_BVZERO( &c->value_dn );
		BER_BVZERO( &c->value_ndn );
		break;

	case LDAP_BACK_CFG_IDASSERT_PASSWD:
		switch ( li->li_idassert_authmethod ) {
		case LDAP_AUTH_NONE:
			li->li_idassert_authmethod = LDAP_AUTH_SIMPLE;
			break;

		case LDAP_AUTH_SIMPLE:
			break;

		default:
			snprintf( c->msg, sizeof( c->msg ),
				"\"idassert-passwd <cred>\" incompatible "
				"with auth method %d",
				li->li_idassert_authmethod );
			Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 );
			return 1;
		}
		if ( !BER_BVISNULL( &li->li_idassert_passwd ) ) {
			free( li->li_idassert_passwd.bv_val );
		}
		ber_str2bv( c->argv[ 1 ], 0, 1, &li->li_idassert_passwd );
		break;

	case LDAP_BACK_CFG_IDASSERT_AUTHZFROM:
		rc = slap_idassert_authzfrom_parse( c, &li->li_idassert );
		break;

	case LDAP_BACK_CFG_IDASSERT_METHOD:
		/* no longer supported */
		snprintf( c->msg, sizeof( c->msg ),
			"\"idassert-method <args>\": "
			"no longer supported; use \"idassert-bind\"" );
		Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 );
		return 1;

	case LDAP_BACK_CFG_IDASSERT_BIND:
		rc = slap_idassert_parse( c, &li->li_idassert );
		break;

	case LDAP_BACK_CFG_REBIND:
		if ( c->argc == 1 || c->value_int ) {
			li->li_flags |= LDAP_BACK_F_SAVECRED;

		} else {
			li->li_flags &= ~LDAP_BACK_F_SAVECRED;
		}
		break;

	case LDAP_BACK_CFG_CHASE:
		if ( c->argc == 1 || c->value_int ) {
			li->li_flags |= LDAP_BACK_F_CHASE_REFERRALS;

		} else {
			li->li_flags &= ~LDAP_BACK_F_CHASE_REFERRALS;
		}
		break;

	case LDAP_BACK_CFG_T_F: {
		slap_mask_t		mask;

		i = verb_to_mask( c->argv[1], t_f_mode );
		if ( BER_BVISNULL( &t_f_mode[i].word ) ) {
			return 1;
		}

		mask = t_f_mode[i].mask;

		if ( LDAP_BACK_ISOPEN( li )
			&& mask == LDAP_BACK_F_T_F_DISCOVER
			&& !LDAP_BACK_T_F( li ) )
		{
			int		rc;

			if ( li->li_uri == NULL ) {
				snprintf( c->msg, sizeof( c->msg ),
					"need URI to discover \"cancel\" support "
					"in \"cancel exop-discover\"" );
				Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 );
				return 1;
			}

			rc = slap_discover_feature( li->li_uri, li->li_version,
					slap_schema.si_ad_supportedFeatures->ad_cname.bv_val,
					LDAP_FEATURE_ABSOLUTE_FILTERS );
			if ( rc == LDAP_COMPARE_TRUE ) {
				mask |= LDAP_BACK_F_T_F;
			}
		}

		li->li_flags &= ~LDAP_BACK_F_T_F_MASK2;
		li->li_flags |= mask;
		} break;

	case LDAP_BACK_CFG_WHOAMI:
		if ( c->argc == 1 || c->value_int ) {
			li->li_flags |= LDAP_BACK_F_PROXY_WHOAMI;
			load_extop( (struct berval *)&slap_EXOP_WHOAMI,
					0, ldap_back_exop_whoami );

		} else {
			li->li_flags &= ~LDAP_BACK_F_PROXY_WHOAMI;
		}
		break;

	case LDAP_BACK_CFG_TIMEOUT:
		for ( i = 1; i < c->argc; i++ ) {
			if ( isdigit( (unsigned char) c->argv[ i ][ 0 ] ) ) {
				int		j;
				unsigned	u;

				if ( lutil_atoux( &u, c->argv[ i ], 0 ) != 0 ) {
					snprintf( c->msg, sizeof( c->msg),
						"unable to parse timeout \"%s\"",
						c->argv[ i ] );
					Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 );
					return 1;
				}

				for ( j = 0; j < SLAP_OP_LAST; j++ ) {
					li->li_timeout[ j ] = u;
				}

				continue;
			}

			if ( slap_cf_aux_table_parse( c->argv[ i ], li->li_timeout, timeout_table, "slapd-ldap timeout" ) ) {
				snprintf( c->msg, sizeof( c->msg),
					"unable to parse timeout \"%s\"",
					c->argv[ i ] );
				Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 );
				return 1;
			}
		}
		break;

	case LDAP_BACK_CFG_IDLE_TIMEOUT: {
		unsigned long	t;

		if ( lutil_parse_time( c->argv[ 1 ], &t ) != 0 ) {
			snprintf( c->msg, sizeof( c->msg),
				"unable to parse idle timeout \"%s\"",
				c->argv[ 1 ] );
			Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 );
			return 1;
		}
		li->li_idle_timeout = (time_t)t;
		} break;

	case LDAP_BACK_CFG_CONN_TTL: {
		unsigned long	t;

		if ( lutil_parse_time( c->argv[ 1 ], &t ) != 0 ) {
			snprintf( c->msg, sizeof( c->msg),
				"unable to parse conn ttl\"%s\"",
				c->argv[ 1 ] );
			Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 );
			return 1;
		}
		li->li_conn_ttl = (time_t)t;
		} break;

	case LDAP_BACK_CFG_NETWORK_TIMEOUT: {
		unsigned long	t;

		if ( lutil_parse_time( c->argv[ 1 ], &t ) != 0 ) {
			snprintf( c->msg, sizeof( c->msg),
				"unable to parse network timeout \"%s\"",
				c->argv[ 1 ] );
			Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 );
			return 1;
		}
		li->li_network_timeout = (time_t)t;
		} break;

	case LDAP_BACK_CFG_VERSION:
		if ( c->value_int != 0 && ( c->value_int < LDAP_VERSION_MIN || c->value_int > LDAP_VERSION_MAX ) ) {
			snprintf( c->msg, sizeof( c->msg ),
				"unsupported version \"%s\" "
				"in \"protocol-version <version>\"",
				c->argv[ 1 ] );
			Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 );
			return 1;
		}

		li->li_version = c->value_int;
		break;

	case LDAP_BACK_CFG_SINGLECONN:
		if ( c->value_int ) {
			li->li_flags |= LDAP_BACK_F_SINGLECONN;

		} else {
			li->li_flags &= ~LDAP_BACK_F_SINGLECONN;
		}
		break;

	case LDAP_BACK_CFG_USETEMP:
		if ( c->value_int ) {
			li->li_flags |= LDAP_BACK_F_USE_TEMPORARIES;

		} else {
			li->li_flags &= ~LDAP_BACK_F_USE_TEMPORARIES;
		}
		break;

	case LDAP_BACK_CFG_CONNPOOLMAX:
		if ( c->value_int < LDAP_BACK_CONN_PRIV_MIN
			|| c->value_int > LDAP_BACK_CONN_PRIV_MAX )
		{
			snprintf( c->msg, sizeof( c->msg ),
				"invalid max size " "of privileged "
				"connections pool \"%s\" "
				"in \"conn-pool-max <n> "
				"(must be between %d and %d)\"",
				c->argv[ 1 ],
				LDAP_BACK_CONN_PRIV_MIN,
				LDAP_BACK_CONN_PRIV_MAX );
			Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 );
			return 1;
		}
		li->li_conn_priv_max = c->value_int;
		break;

	case LDAP_BACK_CFG_CANCEL: {
		slap_mask_t		mask;

		i = verb_to_mask( c->argv[1], cancel_mode );
		if ( BER_BVISNULL( &cancel_mode[i].word ) ) {
			return 1;
		}

		mask = cancel_mode[i].mask;

		if ( LDAP_BACK_ISOPEN( li )
			&& mask == LDAP_BACK_F_CANCEL_EXOP_DISCOVER
			&& !LDAP_BACK_CANCEL( li ) )
		{
			int		rc;

			if ( li->li_uri == NULL ) {
				snprintf( c->msg, sizeof( c->msg ),
					"need URI to discover \"cancel\" support "
					"in \"cancel exop-discover\"" );
				Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 );
				return 1;
			}

			rc = slap_discover_feature( li->li_uri, li->li_version,
					slap_schema.si_ad_supportedExtension->ad_cname.bv_val,
					LDAP_EXOP_CANCEL );
			if ( rc == LDAP_COMPARE_TRUE ) {
				mask |= LDAP_BACK_F_CANCEL_EXOP;
			}
		}

		li->li_flags &= ~LDAP_BACK_F_CANCEL_MASK2;
		li->li_flags |= mask;
		} break;

	case LDAP_BACK_CFG_QUARANTINE:
		if ( LDAP_BACK_QUARANTINE( li ) ) {
			snprintf( c->msg, sizeof( c->msg ),
				"quarantine already defined" );
			Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 );
			return 1;
		}
		rc = slap_retry_info_parse( c->argv[1], &li->li_quarantine,
			c->msg, sizeof( c->msg ) );
		if ( rc ) {
			Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 );

		} else {
			ldap_pvt_thread_mutex_init( &li->li_quarantine_mutex );
			/* give it a chance to retry if the pattern gets reset
			 * via back-config */
			li->li_isquarantined = 0;
			li->li_flags |= LDAP_BACK_F_QUARANTINE;
		}
		break;

	case LDAP_BACK_CFG_REWRITE:
		snprintf( c->msg, sizeof( c->msg ),
			"rewrite/remap capabilities have been moved "
			"to the \"rwm\" overlay; see slapo-rwm(5) "
			"for details (hint: add \"overlay rwm\" "
			"and prefix all directives with \"rwm-\")" );
		Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 );
		return 1;
		
	default:
		/* FIXME: try to catch inconsistencies */
		assert( 0 );
		break;
	}

	return rc;
}

int
ldap_back_init_cf( BackendInfo *bi )
{
	int			rc;
	AttributeDescription	*ad = NULL;
	const char		*text;

	/* Make sure we don't exceed the bits reserved for userland */
	config_check_userland( LDAP_BACK_CFG_LAST );

	bi->bi_cf_ocs = ldapocs;

	rc = config_register_schema( ldapcfg, ldapocs );
	if ( rc ) {
		return rc;
	}

	/* setup olcDbAclPasswd and olcDbIDAssertPasswd 
	 * to be base64-encoded when written in LDIF form;
	 * basically, we don't care if it fails */
	rc = slap_str2ad( "olcDbACLPasswd", &ad, &text );
	if ( rc ) {
		Debug( LDAP_DEBUG_ANY, "config_back_initialize: "
			"warning, unable to get \"olcDbACLPasswd\" "
			"attribute description: %d: %s\n",
			rc, text, 0 );
	} else {
		(void)ldif_must_b64_encode_register( ad->ad_cname.bv_val,
			ad->ad_type->sat_oid );
	}

	ad = NULL;
	rc = slap_str2ad( "olcDbIDAssertPasswd", &ad, &text );
	if ( rc ) {
		Debug( LDAP_DEBUG_ANY, "config_back_initialize: "
			"warning, unable to get \"olcDbIDAssertPasswd\" "
			"attribute description: %d: %s\n",
			rc, text, 0 );
	} else {
		(void)ldif_must_b64_encode_register( ad->ad_cname.bv_val,
			ad->ad_type->sat_oid );
	}

	return 0;
}


static int
ldap_back_exop_whoami(
		Operation	*op,
		SlapReply	*rs )
{
	struct berval *bv = NULL;

	if ( op->oq_extended.rs_reqdata != NULL ) {
		/* no request data should be provided */
		rs->sr_text = "no request data expected";
		return rs->sr_err = LDAP_PROTOCOL_ERROR;
	}

	Statslog( LDAP_DEBUG_STATS, "%s WHOAMI\n",
	    op->o_log_prefix, 0, 0, 0, 0 );

	rs->sr_err = backend_check_restrictions( op, rs, 
			(struct berval *)&slap_EXOP_WHOAMI );
	if( rs->sr_err != LDAP_SUCCESS ) return rs->sr_err;

	/* if auth'd by back-ldap and request is proxied, forward it */
	if ( op->o_conn->c_authz_backend
		&& !strcmp( op->o_conn->c_authz_backend->be_type, "ldap" )
		&& !dn_match( &op->o_ndn, &op->o_conn->c_ndn ) )
	{
		ldapconn_t	*lc = NULL;
		LDAPControl c, *ctrls[2] = {NULL, NULL};
		LDAPMessage *res;
		Operation op2 = *op;
		ber_int_t msgid;
		int doretry = 1;
		char *ptr;

		ctrls[0] = &c;
		op2.o_ndn = op->o_conn->c_ndn;
		if ( !ldap_back_dobind( &lc, &op2, rs, LDAP_BACK_SENDERR ) ) {
			return -1;
		}
		c.ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ;
		c.ldctl_iscritical = 1;
		c.ldctl_value.bv_val = op->o_tmpalloc(
			op->o_ndn.bv_len + STRLENOF( "dn:" ) + 1,
			op->o_tmpmemctx );
		c.ldctl_value.bv_len = op->o_ndn.bv_len + 3;
		ptr = c.ldctl_value.bv_val;
		ptr = lutil_strcopy( ptr, "dn:" );
		ptr = lutil_strncopy( ptr, op->o_ndn.bv_val, op->o_ndn.bv_len );
		ptr[ 0 ] = '\0';

retry:
		rs->sr_err = ldap_whoami( lc->lc_ld, ctrls, NULL, &msgid );
		if ( rs->sr_err == LDAP_SUCCESS ) {
			if ( ldap_result( lc->lc_ld, msgid, LDAP_MSG_ALL, NULL, &res ) == -1 ) {
				ldap_get_option( lc->lc_ld, LDAP_OPT_ERROR_NUMBER,
					&rs->sr_err );
				if ( rs->sr_err == LDAP_SERVER_DOWN && doretry ) {
					doretry = 0;
					if ( ldap_back_retry( &lc, op, rs, LDAP_BACK_SENDERR ) ) {
						goto retry;
					}
				}

			} else {
				/* NOTE: are we sure "bv" will be malloc'ed
				 * with the appropriate memory? */
				rs->sr_err = ldap_parse_whoami( lc->lc_ld, res, &bv );
				ldap_msgfree(res);
			}
		}
		op->o_tmpfree( c.ldctl_value.bv_val, op->o_tmpmemctx );
		if ( rs->sr_err != LDAP_SUCCESS ) {
			rs->sr_err = slap_map_api2result( rs );
		}

		if ( lc != NULL ) {
			ldap_back_release_conn( (ldapinfo_t *)op2.o_bd->be_private, lc );
		}

	} else {
		/* else just do the same as before */
		bv = (struct berval *) ch_malloc( sizeof( struct berval ) );
		if ( !BER_BVISEMPTY( &op->o_dn ) ) {
			bv->bv_len = op->o_dn.bv_len + STRLENOF( "dn:" );
			bv->bv_val = ch_malloc( bv->bv_len + 1 );
			AC_MEMCPY( bv->bv_val, "dn:", STRLENOF( "dn:" ) );
			AC_MEMCPY( &bv->bv_val[ STRLENOF( "dn:" ) ], op->o_dn.bv_val,
				op->o_dn.bv_len );
			bv->bv_val[ bv->bv_len ] = '\0';

		} else {
			bv->bv_len = 0;
			bv->bv_val = NULL;
		}
	}

	rs->sr_rspdata = bv;
	return rs->sr_err;
}