config.c

ldap服务器源码

/* $OpenLDAP: pkg/ldap/servers/slapd/back-meta/config.c,v 1.35.2.24 2007/01/27 23:56:43 ando Exp $ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
 *
 * Copyright 1999-2007 The OpenLDAP Foundation.
 * Portions Copyright 2001-2003 Pierangelo Masarati.
 * Portions Copyright 1999-2003 Howard Chu.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted only as authorized by the OpenLDAP
 * Public License.
 *
 * A copy of this license is available in the file LICENSE in the
 * top-level directory of the distribution or, alternatively, at
 * <http://www.OpenLDAP.org/license.html>.
 */
/* ACKNOWLEDGEMENTS:
 * This work was initially developed by the Howard Chu for inclusion
 * in OpenLDAP Software and subsequently enhanced by Pierangelo
 * Masarati.
 */

#include "portable.h"

#include <stdio.h>

#include <ac/string.h>
#include <ac/socket.h>

#include "slap.h"
#include "lutil.h"
#include "../back-ldap/back-ldap.h"
#undef ldap_debug       /* silence a warning in ldap-int.h */
#include "../../../libraries/libldap/ldap-int.h"
#include "back-meta.h"

static int
meta_back_new_target( 
	metatarget_t	**mtp )
{
	char			*rargv[ 3 ];
	metatarget_t		*mt;

	*mtp = NULL;

	mt = ch_calloc( sizeof( metatarget_t ), 1 );

	mt->mt_rwmap.rwm_rw = rewrite_info_init( REWRITE_MODE_USE_DEFAULT );
	if ( mt->mt_rwmap.rwm_rw == NULL ) {
		ch_free( mt );
		return -1;
	}

	/*
	 * the filter rewrite as a string must be disabled
	 * by default; it can be re-enabled by adding rules;
	 * this creates an empty rewriteContext
	 */
	rargv[ 0 ] = "rewriteContext";
	rargv[ 1 ] = "searchFilter";
	rargv[ 2 ] = NULL;
	rewrite_parse( mt->mt_rwmap.rwm_rw, "<suffix massage>", 1, 2, rargv );

	rargv[ 0 ] = "rewriteContext";
	rargv[ 1 ] = "default";
	rargv[ 2 ] = NULL;
	rewrite_parse( mt->mt_rwmap.rwm_rw, "<suffix massage>", 1, 2, rargv );

	ldap_pvt_thread_mutex_init( &mt->mt_uri_mutex );

	mt->mt_idassert_mode = LDAP_BACK_IDASSERT_LEGACY;
	mt->mt_idassert_authmethod = LDAP_AUTH_NONE;
	mt->mt_idassert_tls = SB_TLS_DEFAULT;

	/* by default, use proxyAuthz control on each operation */
	mt->mt_idassert_flags = LDAP_BACK_AUTH_PRESCRIPTIVE;

	*mtp = mt;

	return 0;
}

static int
check_true_false( char *str )
{
	if ( strcasecmp( str, "true" ) == 0 || strcasecmp( str, "yes" ) == 0 ) {
		return 1;
	}

	if ( strcasecmp( str, "false" ) == 0 || strcasecmp( str, "no" ) == 0 ) {
		return 0;
	}

	return -1;
}


int
meta_back_db_config(
		BackendDB	*be,
		const char	*fname,
		int		lineno,
		int		argc,
		char		**argv
)
{
	metainfo_t	*mi = ( metainfo_t * )be->be_private;

	assert( mi != NULL );

	/* URI of server to query */
	if ( strcasecmp( argv[ 0 ], "uri" ) == 0 ) {
		int 		i = mi->mi_ntargets;
#if 0
		int 		j;
#endif /* uncomment if uri MUST be a branch of suffix */
		LDAPURLDesc 	*ludp, *tmpludp;
		struct berval	dn;
		int		rc;
		int		c;

		metatarget_t	*mt;
		
		switch ( argc ) {
		case 1:
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: missing URI "
	"in \"uri <protocol>://<server>[:port]/<naming context>\" line\n",
				fname, lineno, 0 );
			return 1;

		case 2:
			break;

		default:
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: too many args "
	"in \"uri <protocol>://<server>[:port]/<naming context>\" line\n",
				fname, lineno, 0 );
			return 1;
		}

		if ( be->be_nsuffix == NULL ) {
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: the suffix must be defined before any target.\n",
				fname, lineno, 0 );
			return 1;
		}
		
		++mi->mi_ntargets;

		mi->mi_targets = ( metatarget_t ** )ch_realloc( mi->mi_targets, 
			sizeof( metatarget_t * ) * mi->mi_ntargets );
		if ( mi->mi_targets == NULL ) {
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: out of memory while storing server name"
	" in \"uri <protocol>://<server>[:port]/<naming context>\" line\n",
				fname, lineno, 0 );
			return 1;
		}

		if ( meta_back_new_target( &mi->mi_targets[ i ] ) != 0 ) {
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: unable to init server"
	" in \"uri <protocol>://<server>[:port]/<naming context>\" line\n",
				fname, lineno, 0 );
			return 1;
		}

		mt = mi->mi_targets[ i ];

		mt->mt_rebind_f = mi->mi_rebind_f;
		mt->mt_urllist_p = mt;

		mt->mt_nretries = mi->mi_nretries;
		mt->mt_quarantine = mi->mi_quarantine;
		if ( META_BACK_QUARANTINE( mi ) ) {
			ldap_pvt_thread_mutex_init( &mt->mt_quarantine_mutex );
		}
		mt->mt_flags = mi->mi_flags;
		mt->mt_version = mi->mi_version;
		mt->mt_network_timeout = mi->mi_network_timeout;
		mt->mt_bind_timeout = mi->mi_bind_timeout;
		for ( c = 0; c < SLAP_OP_LAST; c++ ) {
			mt->mt_timeout[ c ] = mi->mi_timeout[ c ];
		}

		/*
		 * uri MUST be legal!
		 */
		if ( ldap_url_parselist_ext( &ludp, argv[ 1 ], "\t" ) != LDAP_SUCCESS )
		{
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: unable to parse URI"
	" in \"uri <protocol>://<server>[:port]/<naming context>\" line\n",
				fname, lineno, 0 );
			return 1;
		}

		/*
		 * uri MUST have the <dn> part!
		 */
		if ( ludp->lud_dn == NULL ) {
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: missing <naming context> "
	" in \"uri <protocol>://<server>[:port]/<naming context>\" line\n",
				fname, lineno, 0 );
			return 1;

		} else if ( ludp->lud_dn[ 0 ] == '\0' ) {
			int	j = -1;

			for ( j = 0; !BER_BVISNULL( &be->be_nsuffix[ j ] ); j++ ) {
				if ( BER_BVISEMPTY( &be->be_nsuffix[ j ] ) ) {
					break;
				}
			}

			if ( BER_BVISNULL( &be->be_nsuffix[ j ] ) ) {
				Debug( LDAP_DEBUG_ANY,
		"%s: line %d: missing <naming context> "
		" in \"uri <protocol>://<server>[:port]/<naming context>\" line\n",
					fname, lineno, 0 );
				return 1;
			}
		}

		/*
		 * copies and stores uri and suffix
		 */
		ber_str2bv( ludp->lud_dn, 0, 0, &dn );
		rc = dnPrettyNormal( NULL, &dn, &mt->mt_psuffix,
			&mt->mt_nsuffix, NULL );
		if( rc != LDAP_SUCCESS ) {
			Debug( LDAP_DEBUG_ANY, "%s: line %d: "
				"target \"%s\" DN is invalid\n",
				fname, lineno, argv[ 1 ] );
			return( 1 );
		}

		ludp->lud_dn[ 0 ] = '\0';

		switch ( ludp->lud_scope ) {
		case LDAP_SCOPE_DEFAULT:
			mt->mt_scope = LDAP_SCOPE_SUBTREE;
			break;

		case LDAP_SCOPE_SUBTREE:
		case LDAP_SCOPE_SUBORDINATE:
			mt->mt_scope = ludp->lud_scope;
			break;

		default:
			Debug( LDAP_DEBUG_ANY, "%s: line %d: "
				"invalid scope for target \"%s\"\n",
				fname, lineno, argv[ 1 ] );
			return( 1 );
		}

		/* check all, to apply the scope check on the first one */
		for ( tmpludp = ludp; tmpludp; tmpludp = tmpludp->lud_next ) {
			if ( tmpludp->lud_dn != NULL && tmpludp->lud_dn[ 0 ] != '\0' ) {
				Debug( LDAP_DEBUG_ANY, "%s: line %d: "
					"multiple URIs must have "
					"no DN part\n",
					fname, lineno, 0 );
				return( 1 );

			}
		}

		mt->mt_uri = ldap_url_list2urls( ludp );
		ldap_free_urllist( ludp );
		if ( mt->mt_uri == NULL) {
			Debug( LDAP_DEBUG_ANY, "%s: line %d: no memory?\n",
				fname, lineno, 0 );
			return( 1 );
		}
		
		/*
		 * uri MUST be a branch of suffix!
		 */
#if 0 /* too strict a constraint */
		if ( select_backend( &mt->mt_nsuffix, 0, 0 ) != be ) {
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: <naming context> of URI does not refer to current backend"
	" in \"uri <protocol>://<server>[:port]/<naming context>\" line\n",
				fname, lineno, 0 );
			return 1;
		}
#else
		/*
		 * uri MUST be a branch of a suffix!
		 */
		if ( select_backend( &mt->mt_nsuffix, 0, 0 ) == NULL ) {
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: <naming context> of URI does not resolve to a backend"
	" in \"uri <protocol>://<server>[:port]/<naming context>\" line\n",
				fname, lineno, 0 );
			return 1;
		}
#endif

	/* subtree-exclude */
	} else if ( strcasecmp( argv[ 0 ], "subtree-exclude" ) == 0 ) {
		int 		i = mi->mi_ntargets - 1;
		struct berval	dn, ndn;

		if ( i < 0 ) {
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: need \"uri\" directive first\n",
				fname, lineno, 0 );
			return 1;
		}
		
		switch ( argc ) {
		case 1:
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: missing DN in \"subtree-exclude <DN>\" line\n",
			    fname, lineno, 0 );
			return 1;

		case 2:
			break;

		default:
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: too many args in \"subtree-exclude <DN>\" line\n",
			    fname, lineno, 0 );
			return 1;
		}

		ber_str2bv( argv[ 1 ], 0, 0, &dn );
		if ( dnNormalize( 0, NULL, NULL, &dn, &ndn, NULL )
			!= LDAP_SUCCESS )
		{
			Debug( LDAP_DEBUG_ANY, "%s: line %d: "
					"subtree-exclude DN=\"%s\" is invalid\n",
					fname, lineno, argv[ 1 ] );
			return( 1 );
		}

		if ( !dnIsSuffix( &ndn, &mi->mi_targets[ i ]->mt_nsuffix ) ) {
			Debug( LDAP_DEBUG_ANY, "%s: line %d: "
					"subtree-exclude DN=\"%s\" "
					"must be subtree of target\n",
					fname, lineno, argv[ 1 ] );
			ber_memfree( ndn.bv_val );
			return( 1 );
		}

		if ( mi->mi_targets[ i ]->mt_subtree_exclude != NULL ) {
			int		j;

			for ( j = 0; !BER_BVISNULL( &mi->mi_targets[ i ]->mt_subtree_exclude[ j ] ); j++ )
			{
				if ( dnIsSuffix( &mi->mi_targets[ i ]->mt_subtree_exclude[ j ], &ndn ) ) {
					Debug( LDAP_DEBUG_ANY, "%s: line %d: "
							"subtree-exclude DN=\"%s\" "
							"is suffix of another subtree-exclude\n",
							fname, lineno, argv[ 1 ] );
					/* reject, because it might be superior
					 * to more than one subtree-exclude */
					ber_memfree( ndn.bv_val );
					return( 1 );

				} else if ( dnIsSuffix( &ndn, &mi->mi_targets[ i ]->mt_subtree_exclude[ j ] ) ) {
					Debug( LDAP_DEBUG_ANY, "%s: line %d: "
							"another subtree-exclude is suffix of "
							"subtree-exclude DN=\"%s\"\n",
							fname, lineno, argv[ 1 ] );
					ber_memfree( ndn.bv_val );
					return( 0 );
				}
			}
		}

		ber_bvarray_add( &mi->mi_targets[ i ]->mt_subtree_exclude, &ndn );

	/* default target directive */
	} else if ( strcasecmp( argv[ 0 ], "default-target" ) == 0 ) {
		int 		i = mi->mi_ntargets - 1;
		
		if ( argc == 1 ) {
 			if ( i < 0 ) {
				Debug( LDAP_DEBUG_ANY,
	"%s: line %d: \"default-target\" alone need be"
       	" inside a \"uri\" directive\n",
					fname, lineno, 0 );
				return 1;
			}
			mi->mi_defaulttarget = i;

		} else {
			if ( strcasecmp( argv[ 1 ], "none" ) == 0 ) {
				if ( i >= 0 ) {
					Debug( LDAP_DEBUG_ANY,
	"%s: line %d: \"default-target none\""
       	" should go before uri definitions\n",
						fname, lineno, 0 );
				}
				mi->mi_defaulttarget = META_DEFAULT_TARGET_NONE;

			} else {
				
				if ( lutil_atoi( &mi->mi_defaulttarget, argv[ 1 ] ) != 0
					|| mi->mi_defaulttarget < 0
					|| mi->mi_defaulttarget >= i - 1 )
				{
					Debug( LDAP_DEBUG_ANY,
	"%s: line %d: illegal target number %d\n",
						fname, lineno, mi->mi_defaulttarget );
					return 1;
				}
			}
		}
		
	/* ttl of dn cache */
	} else if ( strcasecmp( argv[ 0 ], "dncache-ttl" ) == 0 ) {
		if ( argc != 2 ) {
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: missing ttl in \"dncache-ttl <ttl>\" line\n",
				fname, lineno, 0 );
			return 1;
		}
		
		if ( strcasecmp( argv[ 1 ], "forever" ) == 0 ) {
			mi->mi_cache.ttl = META_DNCACHE_FOREVER;

		} else if ( strcasecmp( argv[ 1 ], "disabled" ) == 0 ) {
			mi->mi_cache.ttl = META_DNCACHE_DISABLED;

		} else {
			unsigned long	t;

			if ( lutil_parse_time( argv[ 1 ], &t ) != 0 ) {
				Debug( LDAP_DEBUG_ANY,
	"%s: line %d: unable to parse ttl \"%s\" in \"dncache-ttl <ttl>\" line\n",
					fname, lineno, argv[ 1 ] );
				return 1;
			}
			mi->mi_cache.ttl = (time_t)t;
		}

	/* network timeout when connecting to ldap servers */
	} else if ( strcasecmp( argv[ 0 ], "network-timeout" ) == 0 ) {
		unsigned long	t;
		time_t		*tp = mi->mi_ntargets ?
				&mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_network_timeout
				: &mi->mi_network_timeout;

		if ( argc != 2 ) {
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: missing network timeout in \"network-timeout <seconds>\" line\n",
				fname, lineno, 0 );
			return 1;
		}

		if ( lutil_parse_time( argv[ 1 ], &t ) ) {
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: unable to parse timeout \"%s\" in \"network-timeout <seconds>\" line\n",
				fname, lineno, argv[ 1 ] );
			return 1;

		}

		*tp = (time_t)t;

	/* idle timeout when connecting to ldap servers */
	} else if ( strcasecmp( argv[ 0 ], "idle-timeout" ) == 0 ) {
		unsigned long	t;

		switch ( argc ) {
		case 1:
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: missing timeout value in \"idle-timeout <seconds>\" line\n",
				fname, lineno, 0 );
			return 1;
		case 2:
			break;
		default:
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: extra cruft after timeout value in \"idle-timeout <seconds>\" line\n",
				fname, lineno, 0 );
			return 1;
		}

		if ( lutil_parse_time( argv[ 1 ], &t ) ) {
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: unable to parse timeout \"%s\" in \"idle-timeout <seconds>\" line\n",
				fname, lineno, argv[ 1 ] );
			return 1;

		}

		mi->mi_idle_timeout = (time_t)t;

	/* conn ttl */
	} else if ( strcasecmp( argv[ 0 ], "conn-ttl" ) == 0 ) {
		unsigned long	t;

		switch ( argc ) {
		case 1:
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: missing ttl value in \"conn-ttl <seconds>\" line\n",
				fname, lineno, 0 );
			return 1;
		case 2:
			break;
		default:
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: extra cruft after ttl value in \"conn-ttl <seconds>\" line\n",
				fname, lineno, 0 );
			return 1;
		}

		if ( lutil_parse_time( argv[ 1 ], &t ) ) {
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: unable to parse ttl \"%s\" in \"conn-ttl <seconds>\" line\n",
				fname, lineno, argv[ 1 ] );
			return 1;

		}

		mi->mi_conn_ttl = (time_t)t;

	/* bind timeout when connecting to ldap servers */
	} else if ( strcasecmp( argv[ 0 ], "bind-timeout" ) == 0 ) {
		unsigned long	t;
		struct timeval	*tp = mi->mi_ntargets ?
				&mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_bind_timeout
				: &mi->mi_bind_timeout;

		switch ( argc ) {
		case 1:
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: missing timeout value in \"bind-timeout <microseconds>\" line\n",
				fname, lineno, 0 );
			return 1;
		case 2:
			break;
		default:
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: extra cruft after timeout value in \"bind-timeout <microseconds>\" line\n",
				fname, lineno, 0 );
			return 1;
		}

		if ( lutil_atoul( &t, argv[ 1 ] ) != 0 ) {
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: unable to parse timeout \"%s\" in \"bind-timeout <microseconds>\" line\n",
				fname, lineno, argv[ 1 ] );
			return 1;

		}

		tp->tv_sec = t/1000000;
		tp->tv_usec = t%1000000;

	/* name to use for meta_back_group */
	} else if ( strcasecmp( argv[ 0 ], "acl-authcDN" ) == 0
			|| strcasecmp( argv[ 0 ], "binddn" ) == 0 )
	{
		int 		i = mi->mi_ntargets - 1;
		struct berval	dn;

		if ( i < 0 ) {
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: need \"uri\" directive first\n",
				fname, lineno, 0 );
			return 1;
		}
		
		if ( argc != 2 ) {
			Debug( LDAP_DEBUG_ANY,
	"%s: line %d: missing name in \"binddn <name>\" line\n",
				fname, lineno, 0 );
			return 1;
		}

		if ( strcasecmp( argv[ 0 ], "binddn" ) == 0 ) {
			Debug( LDAP_DEBUG_ANY, "%s: line %d: "
				"\"binddn\" statement is deprecated; "
				"use \"acl-authcDN\" instead\n",
				fname, lineno, 0 );
			/* FIXME: some day we'll need to throw an error */
		}

		ber_str2bv( argv[ 1 ], 0, 0, &dn );
		if ( dnNormalize( 0, NULL, NULL, &dn, &mi->mi_targets[ i ]->mt_binddn,
			NULL ) != LDAP_SUCCESS )
		{
			Debug( LDAP_DEBUG_ANY, "%s: line %d: "
					"bind DN '%s' is invalid\n",
					fname, lineno, argv[ 1 ] );
			return( 1 );
		}

	/* password to use for meta_back_group */