
📄 config.c

📁 OpenLdap是LDAP的开源项目
💻 C
📖 第 1 页 / 共 3 页
		{			Debug( LDAP_DEBUG_ANY, "%s: line %d: "					"bind DN '%s' is invalid\n",					fname, lineno, argv[ 1 ] );			return( 1 );		}	/* password to use for meta_back_group */	} else if ( strcasecmp( argv[ 0 ], "acl-passwd" ) == 0			|| strcasecmp( argv[ 0 ], "bindpw" ) == 0 )	{		int 		i = mi->mi_ntargets - 1;		if ( i < 0 ) {			Debug( LDAP_DEBUG_ANY,	"%s: line %d: need \"uri\" directive first\n",				fname, lineno, 0 );			return 1;		}				if ( argc != 2 ) {			Debug( LDAP_DEBUG_ANY,	"%s: line %d: missing password in \"bindpw <password>\" line\n",			    fname, lineno, 0 );			return 1;		}		if ( strcasecmp( argv[ 0 ], "bindpw" ) == 0 ) {			Debug( LDAP_DEBUG_ANY, "%s: line %d: "				"\"bindpw\" statement is deprecated; "				"use \"acl-passwd\" instead\n",				fname, lineno, 0 );			/* FIXME: some day we'll need to throw an error */		}		ber_str2bv( argv[ 1 ], 0L, 1, &mi->mi_targets[ i ]->mt_bindpw );			/* save bind creds for referral rebinds? */	} else if ( strcasecmp( argv[ 0 ], "rebind-as-user" ) == 0 ) {		if ( argc > 2 ) {			Debug( LDAP_DEBUG_ANY,	"%s: line %d: \"rebind-as-user {NO|yes}\" takes 1 argument.\n",			    fname, lineno, 0 );			return( 1 );		}		if ( argc == 1 ) {			Debug( LDAP_DEBUG_ANY,	"%s: line %d: deprecated use of \"rebind-as-user {FALSE|true}\" with no arguments.\n",			    fname, lineno, 0 );			mi->mi_flags |= LDAP_BACK_F_SAVECRED;		} else {			switch ( check_true_false( argv[ 1 ] ) ) {			case 0:				mi->mi_flags &= ~LDAP_BACK_F_SAVECRED;				break;			case 1:				mi->mi_flags |= LDAP_BACK_F_SAVECRED;				break;			default:				Debug( LDAP_DEBUG_ANY,	"%s: line %d: \"rebind-as-user {FALSE|true}\" unknown argument \"%s\".\n",				    fname, lineno, argv[ 1 ] );				return 1;			}		}	} else if ( strcasecmp( argv[ 0 ], "chase-referrals" ) == 0 ) {		unsigned	*flagsp = mi->mi_ntargets ?				
&mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_flags				: &mi->mi_flags;		if ( argc != 2 ) {			Debug( LDAP_DEBUG_ANY,	"%s: line %d: \"chase-referrals {TRUE|false}\" needs 1 argument.\n",				fname, lineno, 0 );			return( 1 );		}		/* this is the default; we add it because the default might change... */		switch ( check_true_false( argv[ 1 ] ) ) {		case 1:			*flagsp |= LDAP_BACK_F_CHASE_REFERRALS;			break;		case 0:			*flagsp &= ~LDAP_BACK_F_CHASE_REFERRALS;			break;		default:			Debug( LDAP_DEBUG_ANY,		"%s: line %d: \"chase-referrals {TRUE|false}\": unknown argument \"%s\".\n",				fname, lineno, argv[ 1 ] );			return( 1 );		}		} else if ( strcasecmp( argv[ 0 ], "tls" ) == 0 ) {		unsigned	*flagsp = mi->mi_ntargets ?				&mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_flags				: &mi->mi_flags;		if ( argc != 2 ) {			Debug( LDAP_DEBUG_ANY,		"%s: line %d: \"tls <what>\" needs 1 argument.\n",				fname, lineno, 0 );			return( 1 );		}		/* start */		if ( strcasecmp( argv[ 1 ], "start" ) == 0 ) {			*flagsp |= ( LDAP_BACK_F_USE_TLS | LDAP_BACK_F_TLS_CRITICAL );			/* try start tls */		} else if ( strcasecmp( argv[ 1 ], "try-start" ) == 0 ) {			*flagsp &= ~LDAP_BACK_F_TLS_CRITICAL;			*flagsp |= LDAP_BACK_F_USE_TLS;			/* propagate start tls */		} else if ( strcasecmp( argv[ 1 ], "propagate" ) == 0 ) {			*flagsp |= ( LDAP_BACK_F_PROPAGATE_TLS | LDAP_BACK_F_TLS_CRITICAL );				/* try start tls */		} else if ( strcasecmp( argv[ 1 ], "try-propagate" ) == 0 ) {			*flagsp &= ~LDAP_BACK_F_TLS_CRITICAL;			*flagsp |= LDAP_BACK_F_PROPAGATE_TLS;		} else {			Debug( LDAP_DEBUG_ANY,		"%s: line %d: \"tls <what>\": unknown argument \"%s\".\n",				fname, lineno, argv[ 1 ] );			return( 1 );		}	} else if ( strcasecmp( argv[ 0 ], "t-f-support" ) == 0 ) {		unsigned	*flagsp = mi->mi_ntargets ?				
&mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_flags				: &mi->mi_flags;		if ( argc != 2 ) {			Debug( LDAP_DEBUG_ANY,		"%s: line %d: \"t-f-support {FALSE|true|discover}\" needs 1 argument.\n",				fname, lineno, 0 );			return( 1 );		}		switch ( check_true_false( argv[ 1 ] ) ) {		case 0:			*flagsp &= ~LDAP_BACK_F_T_F_MASK2;			break;		case 1:			*flagsp |= LDAP_BACK_F_T_F;			break;		default:			if ( strcasecmp( argv[ 1 ], "discover" ) == 0 ) {				*flagsp |= LDAP_BACK_F_T_F_DISCOVER;			} else {				Debug( LDAP_DEBUG_ANY,	"%s: line %d: unknown value \"%s\" for \"t-f-support {no|yes|discover}\".\n",					fname, lineno, argv[ 1 ] );				return 1;			}			break;		}	/* onerr? */	} else if ( strcasecmp( argv[ 0 ], "onerr" ) == 0 ) {		if ( argc != 2 ) {			Debug( LDAP_DEBUG_ANY,	"%s: line %d: \"onerr {CONTINUE|report|stop}\" takes 1 argument\n",				fname, lineno, 0 );			return( 1 );		}		if ( strcasecmp( argv[ 1 ], "continue" ) == 0 ) {			mi->mi_flags &= ~META_BACK_F_ONERR_MASK;		} else if ( strcasecmp( argv[ 1 ], "stop" ) == 0 ) {			mi->mi_flags |= META_BACK_F_ONERR_STOP;		} else if ( strcasecmp( argv[ 1 ], "report" ) == 0 ) {			mi->mi_flags |= META_BACK_F_ONERR_REPORT;		} else {			Debug( LDAP_DEBUG_ANY,	"%s: line %d: \"onerr {CONTINUE|report|stop}\": invalid arg \"%s\".\n",				fname, lineno, argv[ 1 ] );			return 1;		}	/* bind-defer? */	} else if ( strcasecmp( argv[ 0 ], "pseudoroot-bind-defer" ) == 0		|| strcasecmp( argv[ 0 ], "root-bind-defer" ) == 0 )	{		if ( argc != 2 ) {			Debug( LDAP_DEBUG_ANY,	"%s: line %d: \"[pseudo]root-bind-defer {FALSE|true}\" takes 1 argument\n",				fname, lineno, 0 );			return( 1 );		}		switch ( check_true_false( argv[ 1 ] ) ) {		case 0:			mi->mi_flags &= ~META_BACK_F_DEFER_ROOTDN_BIND;			break;		case 1:			mi->mi_flags |= META_BACK_F_DEFER_ROOTDN_BIND;			break;		default:			Debug( LDAP_DEBUG_ANY,	"%s: line %d: \"[pseudo]root-bind-defer {FALSE|true}\": invalid arg \"%s\".\n",				fname, lineno, argv[ 1 ] );			return 1;		}	/* single-conn? 
*/	} else if ( strcasecmp( argv[ 0 ], "single-conn" ) == 0 ) {		if ( argc != 2 ) {			Debug( LDAP_DEBUG_ANY,	"%s: line %d: \"single-conn {FALSE|true}\" takes 1 argument\n",				fname, lineno, 0 );			return( 1 );		}		if ( mi->mi_ntargets > 0 ) {			Debug( LDAP_DEBUG_ANY,	"%s: line %d: \"single-conn\" must appear before target definitions\n",				fname, lineno, 0 );			return( 1 );		}		switch ( check_true_false( argv[ 1 ] ) ) {		case 0:			mi->mi_flags &= ~LDAP_BACK_F_SINGLECONN;			break;		case 1:			mi->mi_flags |= LDAP_BACK_F_SINGLECONN;			break;		default:			Debug( LDAP_DEBUG_ANY,	"%s: line %d: \"single-conn {FALSE|true}\": invalid arg \"%s\".\n",				fname, lineno, argv[ 1 ] );			return 1;		}	/* use-temporaries? */	} else if ( strcasecmp( argv[ 0 ], "use-temporary-conn" ) == 0 ) {		if ( argc != 2 ) {			Debug( LDAP_DEBUG_ANY,	"%s: line %d: \"use-temporary-conn {FALSE|true}\" takes 1 argument\n",				fname, lineno, 0 );			return( 1 );		}		if ( mi->mi_ntargets > 0 ) {			Debug( LDAP_DEBUG_ANY,	"%s: line %d: \"use-temporary-conn\" must appear before target definitions\n",				fname, lineno, 0 );			return( 1 );		}		switch ( check_true_false( argv[ 1 ] ) ) {		case 0:			mi->mi_flags &= ~LDAP_BACK_F_USE_TEMPORARIES;			break;		case 1:			mi->mi_flags |= LDAP_BACK_F_USE_TEMPORARIES;			break;		default:			Debug( LDAP_DEBUG_ANY,	"%s: line %d: \"use-temporary-conn {FALSE|true}\": invalid arg \"%s\".\n",				fname, lineno, argv[ 1 ] );			return 1;		}	/* privileged connections pool max size ? 
*/	} else if ( strcasecmp( argv[ 0 ], "conn-pool-max" ) == 0 ) {		if ( argc != 2 ) {			Debug( LDAP_DEBUG_ANY,	"%s: line %d: \"conn-pool-max <n>\" takes 1 argument\n",				fname, lineno, 0 );			return( 1 );		}		if ( mi->mi_ntargets > 0 ) {			Debug( LDAP_DEBUG_ANY,	"%s: line %d: \"conn-pool-max\" must appear before target definitions\n",				fname, lineno, 0 );			return( 1 );		}		if ( lutil_atoi( &mi->mi_conn_priv_max, argv[1] )			|| mi->mi_conn_priv_max < LDAP_BACK_CONN_PRIV_MIN			|| mi->mi_conn_priv_max > LDAP_BACK_CONN_PRIV_MAX )		{			Debug( LDAP_DEBUG_ANY,	"%s: line %d: \"conn-pool-max <n>\": invalid arg \"%s\".\n",				fname, lineno, argv[ 1 ] );			return 1;		}	} else if ( strcasecmp( argv[ 0 ], "cancel" ) == 0 ) {		unsigned 	flag = 0;		unsigned	*flagsp = mi->mi_ntargets ?				&mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_flags				: &mi->mi_flags;		if ( argc != 2 ) {			Debug( LDAP_DEBUG_ANY,	"%s: line %d: \"cancel {abandon|ignore|exop}\" takes 1 argument\n",				fname, lineno, 0 );			return( 1 );		}		if ( strcasecmp( argv[ 1 ], "abandon" ) == 0 ) {			flag = LDAP_BACK_F_CANCEL_ABANDON;#if 0	/* needs ldap_int_discard(), 2.4 */		} else if ( strcasecmp( argv[ 1 ], "ignore" ) == 0 ) {			flag = LDAP_BACK_F_CANCEL_IGNORE;#endif		} else if ( strcasecmp( argv[ 1 ], "exop" ) == 0 ) {			flag = LDAP_BACK_F_CANCEL_EXOP;		} else if ( strcasecmp( argv[ 1 ], "exop-discover" ) == 0 ) {			flag = LDAP_BACK_F_CANCEL_EXOP_DISCOVER;		} else {			Debug( LDAP_DEBUG_ANY,	"%s: line %d: \"cancel {abandon|ignore|exop[-discover]}\": unknown mode \"%s\" \n",				fname, lineno, argv[ 1 ] );			return( 1 );		}		*flagsp &= ~LDAP_BACK_F_CANCEL_MASK2;		*flagsp |= flag;	} else if ( strcasecmp( argv[ 0 ], "timeout" ) == 0 ) {		char	*sep;		time_t	*tv = mi->mi_ntargets ?				
mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_timeout				: mi->mi_timeout;		int	c;		if ( argc < 2 ) {			Debug( LDAP_DEBUG_ANY,	"%s: line %d: \"timeout [{add|bind|delete|modify|modrdn}=]<val> [...]\" takes at least 1 argument\n",				fname, lineno, 0 );			return( 1 );		}		for ( c = 1; c < argc; c++ ) {			time_t		*t = NULL;			unsigned long	val;			sep = strchr( argv[ c ], '=' );			if ( sep != NULL ) {				size_t	len = sep - argv[ c ];				if ( strncasecmp( argv[ c ], "bind", len ) == 0 ) {					t = &tv[ SLAP_OP_BIND ];				/* unbind makes little sense */				} else if ( strncasecmp( argv[ c ], "add", len ) == 0 ) {					t = &tv[ SLAP_OP_ADD ];				} else if ( strncasecmp( argv[ c ], "delete", len ) == 0 ) {					t = &tv[ SLAP_OP_DELETE ];				} else if ( strncasecmp( argv[ c ], "modrdn", len ) == 0 ) {					t = &tv[ SLAP_OP_MODRDN ];				} else if ( strncasecmp( argv[ c ], "modify", len ) == 0 ) {					t = &tv[ SLAP_OP_MODIFY ];				} else if ( strncasecmp( argv[ c ], "compare", len ) == 0 ) {					t = &tv[ SLAP_OP_COMPARE ];				} else if ( strncasecmp( argv[ c ], "search", len ) == 0 ) {					t = &tv[ SLAP_OP_SEARCH ];				/* abandon makes little sense */#if 0				/* not implemented yet */				} else if ( strncasecmp( argv[ c ], "extended", len ) == 0 ) {					t = &tv[ SLAP_OP_EXTENDED ];#endif				} else {					char	buf[ SLAP_TEXT_BUFLEN ];					snprintf( buf, sizeof( buf ),						"unknown/unhandled operation \"%s\" for timeout #%d",						argv[ c ], c - 1 );					Debug( LDAP_DEBUG_ANY,						"%s: line %d: %s.\n",						fname, lineno, buf );					return 1;				}				sep++;				} else {				sep = argv[ c ];			}				if ( lutil_parse_time( sep, &val ) != 0 ) {				Debug( LDAP_DEBUG_ANY,		"%s: line %d: unable to parse value \"%s\" for timeout.\n",					fname, lineno, sep );				return 1;			}					if ( t ) {				*t = (time_t)val;				} else {				int	i;					for ( i = 0; i < SLAP_OP_LAST; i++ ) {					tv[ i ] = (time_t)val;				}			}		}		/* name to use as pseudo-root dn */	} else if ( strcasecmp( argv[ 0 ], 
"pseudorootdn" ) == 0 ) {		int 		i = mi->mi_ntargets - 1;		if ( i < 0 ) {			Debug( LDAP_DEBUG_ANY,	"%s: line %d: need \"uri\" directive first\n",				fname, lineno, 0 );			return 1;		}				if ( argc != 2 ) {			Debug( LDAP_DEBUG_ANY,	"%s: line %d: missing name in \"pseudorootdn <name>\" line\n",				fname, lineno, 0 );			return 1;		}		/*		 * exact replacement:		 *idassert-bind	bindmethod=simple		binddn=<pseudorootdn>		credentials=<pseudorootpw>		mode=none		flags=non-prescriptiveidassert-authzFrom	"dn:<rootdn>"		 * so that only when authc'd as <rootdn> the proxying occurs		 * rebinding as the <pseudorootdn> without proxyAuthz.		 */		Debug( LDAP_DEBUG_ANY,			"%s: line %d: \"pseudorootdn\", \"pseudorootpw\" are no longer supported; "			"use \"idassert-bind\" and \"idassert-authzFrom\" instead.\n",			fname, lineno, 0 );		{			char	binddn[ SLAP_TEXT_BUFLEN ];			char	*cargv[] = {				"idassert-bind",				"bindmethod=simple",				NULL,				"mode=none",				"flags=non-prescriptive",				NULL			};			int	cargc = 5;			int	rc;			if ( BER_BVISNULL( &be->be_rootndn ) ) {				Debug( LDAP_DEBUG_ANY, "%s: line %d: \"pseudorootpw\": \"rootdn\" must be defined first.\n",					fname, lineno, 0 );				return 1;			}			if ( snprintf( binddn, sizeof( binddn ), "binddn=%s", argv[ 1 ] ) >= sizeof( binddn ) ) {				Debug( LDAP_DEBUG_ANY, "%s: line %d: \"pseudorootdn\" too long.\n",					fname, lineno, 0 );				return 1;			}			cargv[ 2 ] = binddn;			rc = slap_idassert_parse_cf( fname, lineno, cargc, cargv, &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_idassert );			if ( rc == 0 ) {				struct berval	bv;				if ( mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_idassert_authz != NULL ) {					Debug( LDAP_DEBUG_ANY, "%s: line %d: \"idassert-authzFrom\" already defined (discarded).\n",						fname, lineno, 0 );					ber_bvarray_free( mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_idassert_authz );					mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_idassert_authz = NULL;				}				assert( !BER_BVISNULL( &mi->mi_targets[ mi->mi_ntargets - 1 
]->mt_idassert_authcDN ) );				bv.bv_len = STRLENOF( "dn:" ) + be->be_rootndn.bv_len;				bv.bv_val = ber_memalloc( bv.bv_len + 1 );				AC_MEMCPY( bv.bv_val, "dn:", STRLENOF( "dn:" ) );				AC_MEMCPY( &bv.bv_val[ STRLENOF( "dn:" ) ], be->be_rootndn.bv_val, be->be_rootndn.bv_len + 1 );				ber_bvarray_add( &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_idassert_authz, &bv );			}			return rc;		}	/* password to use as pseudo-root */	} else if ( strcasecmp( argv[ 0 ], "pseudorootpw" ) == 0 ) {		int 		i = mi->mi_ntargets - 1;		if ( i < 0 ) {			Debug( LDAP_DEBUG_ANY,	"%s: line %d: need \"uri\" directive first\n",				fname, lineno, 0 );			return 1;		}				if ( argc != 2 ) {			Debug( LDAP_DEBUG_ANY,	"%s: line %d: missing password in \"pseudorootpw <password>\" line\n",			    fname, lineno, 0 );			return 1;		}		Debug( LDAP_DEBUG_ANY,			"%s: line %d: \"pseudorootdn\", \"pseudorootpw\" are no longer supported; "			"use \"idassert-bind\" and \"idassert-authzFrom\" instead.\n",			fname, lineno, 0 );		if ( BER_BVISNULL( &mi->mi_targets[ i ]->mt_idassert_authcDN ) ) {			Debug( LDAP_DEBUG_ANY, "%s: line %d: \"pseudorootpw\": \"pseudorootdn\" must be defined first.\n",				fname, lineno, 0 );			return 1;		}		if ( !BER_BVISNULL( &mi->mi_targets[ i ]->mt_idassert_passwd ) ) {			memset( mi->mi_targets[ i ]->mt_idassert_passwd.bv_val, 0,				mi->mi_targets[ i ]->mt_idassert_passwd.bv_len );			ber_memfree( mi->mi_targets[ i ]->mt_idassert_passwd.bv_val );		}		ber_str2bv( argv[ 1 ], 0, 1, &mi->mi_targets[ i ]->mt_idassert_passwd );	/* idassert-bind */	} else if ( strcasecmp( argv[ 0 ], "idassert-bind" ) == 0 ) {		if ( mi->mi_ntargets == 0 ) {			Debug( LDAP_DEBUG_ANY,				"%s: line %d: \"idassert-bind\" "				"must appear inside a target specification.\n",				fname, lineno, 0 );			return 1;		}		return slap_idassert_parse_cf( fname, lineno, argc, argv, &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_idassert );	/* idassert-authzFrom */	} else if ( strcasecmp( argv[ 0 ], "idassert-authzFrom" ) == 0 ) {		if 
( mi->mi_ntargets == 0 ) {			Debug( LDAP_DEBUG_ANY,				"%s: line %d: \"idassert-bind\" "				"must appear inside a target specification.\n",				fname, lineno, 0 );			return 1;		}		switch ( argc ) {		case 2:			break;		case 1:			Debug( LDAP_DEBUG_ANY,				"%s: line %d: missing <id> in \"idassert-authzFrom <id>\".\n",				fname, lineno, 0 );			return 1;		default:			Debug( LDAP_DEBUG_ANY,				"%s: line %d: extra cruft after <id> in \"idassert-authzFrom <id>\".\n",				fname, lineno, 0 );			return 1;		}		return slap_idassert_authzfrom_parse_cf( fname, lineno, argv[ 1 ], &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_idassert );	/* quarantine */	} else if ( strcasecmp( argv[ 0 ], "quarantine" ) == 0 ) {		char			buf[ SLAP_TEXT_BUFLEN ] = { '\0' };		slap_retry_info_t	*ri = mi->mi_ntargets ?				&mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_quarantine				: &mi->mi_quarantine;		if ( ( mi->mi_ntargets == 0 && META_BACK_QUARANTINE( mi ) )			|| ( mi->mi_ntargets > 0 && META_BACK_TGT_QUARANTINE( mi->mi_targets[ mi->mi_ntargets - 1 ] ) ) )
