1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2015 Gary Mills 23 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 #include <synch.h> 28 #include <strings.h> 29 #include <sys/time.h> 30 #include <ctype.h> 31 32 #include "ldap_op.h" 33 #include "ldap_util.h" 34 #include "ldap_structs.h" 35 #include "ldap_ruleval.h" 36 #include "ldap_attr.h" 37 #include "ldap_print.h" 38 #include "ldap_glob.h" 39 40 #include "nis_parse_ldap_conf.h" 41 42 #ifndef LDAPS_PORT 43 #define LDAPS_PORT 636 44 #endif 45 46 static int setupConList(char *serverList, char *who, 47 char *cred, auth_method_t method); 48 49 50 /* 51 * Build one of our internal LDAP search structures, containing copies of 52 * the supplied input. return NULL in case of error. 53 * 54 * If 'filter' is NULL, build an AND-filter using the filter components. 55 */ 56 __nis_ldap_search_t * 57 buildLdapSearch(char *base, int scope, int numFilterComps, char **filterComp, 58 char *filter, char **attrs, int attrsonly, int isDN) { 59 __nis_ldap_search_t *ls; 60 char **a; 61 int i, na, err = 0; 62 char *myself = "buildLdapSearch"; 63 64 ls = am(myself, sizeof (*ls)); 65 if (ls == 0) 66 return (0); 67 68 ls->base = sdup(myself, T, base); 69 if (ls->base == 0 && base != 0) 70 err++; 71 ls->scope = scope; 72 73 if (filterComp != 0 && numFilterComps > 0) { 74 ls->filterComp = am(myself, numFilterComps * 75 sizeof (ls->filterComp[0])); 76 if (ls->filterComp == 0) { 77 err++; 78 numFilterComps = 0; 79 } 80 for (i = 0; i < numFilterComps; i++) { 81 ls->filterComp[i] = sdup(myself, T, filterComp[i]); 82 if (ls->filterComp[i] == 0 && filterComp[i] != 0) 83 err++; 84 } 85 ls->numFilterComps = numFilterComps; 86 if (filter == 0) { 87 ls->filter = concatenateFilterComps(ls->numFilterComps, 88 ls->filterComp); 89 if (ls->filter == 0) 90 err++; 91 } 92 } else { 93 ls->filterComp = 0; 94 ls->numFilterComps = 0; 95 ls->filter = sdup(myself, T, filter); 96 if (ls->filter == 0 && filter != 0) 97 err++; 98 } 99 100 if (attrs != 0) { 101 for (na = 0, a = attrs; *a != 0; a++, na++); 102 ls->attrs = am(myself, (na + 1) * sizeof (ls->attrs[0])); 103 if (ls->attrs != 0) { 104 for (i = 0; i < na; i++) { 105 ls->attrs[i] = sdup(myself, T, attrs[i]); 106 if (ls->attrs[i] == 0 && attrs[i] != 0) 107 err++; 108 } 109 ls->attrs[na] = 0; 110 ls->numAttrs = na; 111 } else { 112 err++; 113 } 114 } else { 115 ls->attrs = 0; 116 ls->numAttrs = 0; 117 } 118 119 ls->attrsonly = attrsonly; 120 ls->isDN = isDN; 121 122 if (err > 0) { 123 freeLdapSearch(ls); 124 ls = 0; 125 } 126 127 return (ls); 128 } 129 130 void 131 freeLdapSearch(__nis_ldap_search_t *ls) { 132 int i; 133 134 if (ls == 0) 135 return; 136 137 sfree(ls->base); 138 if (ls->filterComp != 0) { 139 for (i = 0; i < ls->numFilterComps; i++) { 140 sfree(ls->filterComp[i]); 141 } 142 sfree(ls->filterComp); 143 } 144 sfree(ls->filter); 145 if (ls->attrs != 0) { 146 for (i = 0; i < ls->numAttrs; i++) { 147 sfree(ls->attrs[i]); 148 } 149 sfree(ls->attrs); 150 } 151 152 free(ls); 153 } 154 155 /* 156 * Given a table mapping, and a rule/value pointer, 157 * return an LDAP search structure with values suitable for use 158 * by ldap_search() or (if dn != 0) ldap_modify(). The rule/value 159 * may be modified. 160 * 161 * If dn != 0 and *dn == 0, the function attemps to return a pointer 162 * to the DN. This may necessitate an ldapSearch, if the rule set doesn't 163 * produce a DN directly. 164 * 165 * if dn == 0, and the rule set produces a DN as well as other attribute/ 166 * value pairs, the function returns an LDAP search structure with the 167 * DN only. 168 * 169 * If 'fromLDAP' is set, the caller wants base/scope/filter from 170 * t->objectDN->read; otherwise, from t->objectDN->write. 171 * 172 * If 'rv' is NULL, the caller wants an enumeration of the container. 173 * 174 * Note that this function only creates a search structure for 't' itself; 175 * if there are alternative mappings for the table, those must be handled 176 * by our caller. 177 */ 178 __nis_ldap_search_t * 179 createLdapRequest(__nis_table_mapping_t *t, 180 __nis_rule_value_t *rv, char **dn, int fromLDAP, 181 int *res, __nis_object_dn_t *obj_dn) { 182 int i, j; 183 __nis_ldap_search_t *ls = 0; 184 char **locDN; 185 int numLocDN, stat = 0, count = 0; 186 char *myself = "createLdapRequest"; 187 __nis_object_dn_t *objectDN = NULL; 188 189 if (t == 0) 190 return (0); 191 192 if (obj_dn == NULL) 193 objectDN = t->objectDN; 194 else 195 objectDN = obj_dn; 196 197 if (rv == 0) { 198 char *base; 199 char *filter; 200 201 if (fromLDAP) { 202 base = objectDN->read.base; 203 filter = makeFilter(objectDN->read.attrs); 204 } else { 205 base = objectDN->write.base; 206 filter = makeFilter(objectDN->write.attrs); 207 } 208 209 /* Create request to enumerate container */ 210 ls = buildLdapSearch(base, objectDN->read.scope, 0, 0, filter, 211 0, 0, 0); 212 sfree(filter); 213 return (ls); 214 } 215 216 for (i = 0; i < t->numRulesToLDAP; i++) { 217 rv = addLdapRuleValue(t, t->ruleToLDAP[i], 218 mit_ldap, mit_nisplus, rv, !fromLDAP, &stat); 219 if (rv == 0) 220 return (0); 221 if (stat == NP_LDAP_RULES_NO_VALUE) 222 count++; 223 stat = 0; 224 } 225 226 /* 227 * If none of the rules produced a value despite 228 * having enough NIS+ columns, return error. 229 */ 230 if (rv->numAttrs == 0 && count > 0) { 231 *res = NP_LDAP_RULES_NO_VALUE; 232 return (0); 233 } 234 235 /* 236 * 'rv' now contains everything we know about the attributes and 237 * values. Build an LDAP search structure from it. 238 */ 239 240 /* Look for a single-valued DN */ 241 locDN = findDNs(myself, rv, 1, 242 fromLDAP ? objectDN->read.base : 243 objectDN->write.base, 244 &numLocDN); 245 if (locDN != 0 && numLocDN == 1) { 246 if (dn != 0 && *dn == 0) { 247 *dn = locDN[0]; 248 sfree(locDN); 249 } else { 250 char *filter; 251 252 if (fromLDAP) 253 filter = makeFilter(objectDN->read.attrs); 254 else 255 filter = makeFilter(objectDN->write.attrs); 256 ls = buildLdapSearch(locDN[0], LDAP_SCOPE_BASE, 0, 0, 257 filter, 0, 0, 1); 258 sfree(filter); 259 freeDNs(locDN, numLocDN); 260 } 261 } else { 262 freeDNs(locDN, numLocDN); 263 } 264 265 if (ls != 0) { 266 ls->useCon = 1; 267 return (ls); 268 } 269 270 /* 271 * No DN, or caller wanted a search structure with the non-DN 272 * attributes. 273 */ 274 275 /* Initialize search structure */ 276 { 277 char *filter = (fromLDAP) ? 278 makeFilter(objectDN->read.attrs) : 279 makeFilter(objectDN->write.attrs); 280 char **ofc; 281 int nofc = 0; 282 283 ofc = makeFilterComp(filter, &nofc); 284 285 if (filter != 0 && ofc == 0) { 286 logmsg(MSG_NOTIMECHECK, LOG_ERR, 287 "%s: Unable to break filter into components: \"%s\"", 288 myself, NIL(filter)); 289 sfree(filter); 290 return (0); 291 } 292 293 if (fromLDAP) 294 ls = buildLdapSearch(objectDN->read.base, 295 objectDN->read.scope, 296 nofc, ofc, 0, 0, 0, 0); 297 else 298 ls = buildLdapSearch(objectDN->write.base, 299 objectDN->write.scope, 300 nofc, ofc, 0, 0, 0, 0); 301 sfree(filter); 302 freeFilterComp(ofc, nofc); 303 if (ls == 0) 304 return (0); 305 } 306 307 /* Build and add the filter components */ 308 for (i = 0; i < rv->numAttrs; i++) { 309 /* Skip DN */ 310 if (strcasecmp("dn", rv->attrName[i]) == 0) 311 continue; 312 313 /* Skip vt_ber values */ 314 if (rv->attrVal[i].type == vt_ber) 315 continue; 316 317 for (j = 0; j < rv->attrVal[i].numVals; j++) { 318 __nis_buffer_t b = {0, 0}; 319 char **tmpComp; 320 321 bp2buf(myself, &b, "%s=%s", 322 rv->attrName[i], rv->attrVal[i].val[j].value); 323 tmpComp = addFilterComp(b.buf, ls->filterComp, 324 &ls->numFilterComps); 325 if (tmpComp == 0) { 326 logmsg(MSG_NOTIMECHECK, LOG_ERR, 327 "%s: Unable to add filter component \"%s\"", 328 myself, NIL(b.buf)); 329 sfree(b.buf); 330 freeLdapSearch(ls); 331 return (0); 332 } 333 ls->filterComp = tmpComp; 334 sfree(b.buf); 335 } 336 } 337 338 if (ls->numFilterComps > 0) { 339 sfree(ls->filter); 340 ls->filter = concatenateFilterComps(ls->numFilterComps, 341 ls->filterComp); 342 if (ls->filter == 0) { 343 logmsg(MSG_NOTIMECHECK, LOG_ERR, 344 "%s: Unable to concatenate filter components", 345 myself); 346 freeLdapSearch(ls); 347 return (0); 348 } 349 } 350 351 if (dn != 0 && *dn == 0) { 352 /* 353 * The caller wants a DN, but we didn't get one from the 354 * the rule set. We have an 'ls', so use it to ldapSearch() 355 * for an entry from which we can extract the DN. 356 */ 357 __nis_rule_value_t *rvtmp; 358 char **locDN; 359 int nv = 0, numLocDN; 360 361 rvtmp = ldapSearch(ls, &nv, 0, 0); 362 locDN = findDNs(myself, rvtmp, nv, 0, &numLocDN); 363 if (locDN != 0 && numLocDN == 1) { 364 *dn = locDN[0]; 365 sfree(locDN); 366 } else { 367 freeDNs(locDN, numLocDN); 368 } 369 freeRuleValue(rvtmp, nv); 370 } 371 372 ls->useCon = 1; 373 return (ls); 374 } 375 376 int ldapConnAttemptRetryTimeout = 60; /* seconds */ 377 378 typedef struct { 379 LDAP *ld; 380 mutex_t mutex; /* Mutex for update of structure */ 381 pthread_t owner; /* Thread holding mutex */ 382 mutex_t rcMutex; /* Mutex for refCount */ 383 int refCount; /* Reference count */ 384 int isBound; /* Is connection open and usable ? */ 385 time_t retryTime; /* When should open be retried */ 386 int status; /* Status of last operation */ 387 int doDis; /* To be disconnected if refCount==0 */ 388 int doDel; /* To be deleted if refCount zero */ 389 int onList; /* True if on the 'ldapCon' list */ 390 char *sp; /* server string */ 391 char *who; 392 char *cred; 393 auth_method_t method; 394 int port; 395 struct timeval bindTimeout; 396 struct timeval searchTimeout; 397 struct timeval modifyTimeout; 398 struct timeval addTimeout; 399 struct timeval deleteTimeout; 400 int simplePage; /* Can do simple-page */ 401 int vlv; /* Can do VLV */ 402 uint_t batchFrom; /* # entries read in one operation */ 403 void *next; 404 } __nis_ldap_conn_t; 405 406 /* 407 * List of connections, 'ldapCon', protected by an RW lock. 408 * 409 * The following locking scheme is used: 410 * 411 * (1) Find a connection structure to use to talk to LDAP 412 * Rlock list 413 * Locate structure 414 * Acquire 'mutex' 415 * Acquire 'rcMutex' 416 * update refCount 417 * Release 'rcMutex' 418 * release 'mutex' 419 * Unlock list 420 * Use structure 421 * Release structure when done 422 * (2) Insert/delete structure(s) on/from list 423 * Wlock list 424 * Insert/delete structure; if deleting, must 425 * acquire 'mutex', and 'rcMutex' (in that order), 426 * and 'refCount' must be zero. 427 * Unlock list 428 * (3) Modify structure 429 * Find structure 430 * Acquire 'mutex' 431 * Modify (except refCount) 432 * Release 'mutex' 433 * Release structure 434 */ 435 436 __nis_ldap_conn_t *ldapCon = 0; 437 __nis_ldap_conn_t *ldapReferralCon = 0; 438 static rwlock_t ldapConLock = DEFAULTRWLOCK; 439 static rwlock_t referralConLock = DEFAULTRWLOCK; 440 441 void 442 exclusiveLC(__nis_ldap_conn_t *lc) { 443 pthread_t me = pthread_self(); 444 int stat; 445 446 if (lc == 0) 447 return; 448 449 stat = mutex_trylock(&lc->mutex); 450 if (stat == EBUSY && lc->owner != me) 451 mutex_lock(&lc->mutex); 452 453 lc->owner = me; 454 } 455 456 /* Return 1 if mutex held by this thread, 0 otherwise */ 457 int 458 assertExclusive(__nis_ldap_conn_t *lc) { 459 pthread_t me; 460 int stat; 461 462 if (lc == 0) 463 return (0); 464 465 stat = mutex_trylock(&lc->mutex); 466 467 if (stat == 0) { 468 mutex_unlock(&lc->mutex); 469 return (0); 470 } 471 472 me = pthread_self(); 473 if (stat != EBUSY || lc->owner != me) 474 return (0); 475 476 return (1); 477 } 478 479 void 480 releaseLC(__nis_ldap_conn_t *lc) { 481 pthread_t me = pthread_self(); 482 483 if (lc == 0 || lc->owner != me) 484 return; 485 486 lc->owner = 0; 487 (void) mutex_unlock(&lc->mutex); 488 } 489 490 void 491 incrementRC(__nis_ldap_conn_t *lc) { 492 if (lc == 0) 493 return; 494 495 (void) mutex_lock(&lc->rcMutex); 496 lc->refCount++; 497 (void) mutex_unlock(&lc->rcMutex); 498 } 499 500 void 501 decrementRC(__nis_ldap_conn_t *lc) { 502 if (lc == 0) 503 return; 504 505 (void) mutex_lock(&lc->rcMutex); 506 if (lc->refCount > 0) 507 lc->refCount--; 508 (void) mutex_unlock(&lc->rcMutex); 509 } 510 511 /* Accept a server/port indication, and call ldap_init() */ 512 static LDAP * 513 ldapInit(char *srv, int port, bool_t use_ssl) { 514 LDAP *ld; 515 int ldapVersion = LDAP_VERSION3; 516 int derefOption = LDAP_DEREF_ALWAYS; 517 int timelimit = proxyInfo.search_time_limit; 518 int sizelimit = proxyInfo.search_size_limit; 519 520 if (srv == 0) 521 return (0); 522 523 if (use_ssl) { 524 ld = ldapssl_init(srv, port, 1); 525 } else { 526 ld = ldap_init(srv, port); 527 } 528 529 if (ld != 0) { 530 (void) ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, 531 &ldapVersion); 532 (void) ldap_set_option(ld, LDAP_OPT_DEREF, &derefOption); 533 (void) ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF); 534 (void) ldap_set_option(ld, LDAP_OPT_TIMELIMIT, &timelimit); 535 (void) ldap_set_option(ld, LDAP_OPT_SIZELIMIT, &sizelimit); 536 (void) ldap_set_option(ld, LDAP_OPT_REBIND_ARG, 0); 537 } 538 539 return (ld); 540 } 541 542 /* 543 * Bind the specified LDAP structure per the supplied authentication. 544 * Note: tested with none, simple, and digest_md5. May or may not 545 * work with other authentication methods, mostly depending on whether 546 * or not 'who' and 'cred' contain sufficient information. 547 */ 548 static int 549 ldapBind(LDAP **ldP, char *who, char *cred, auth_method_t method, 550 struct timeval timeout) { 551 int ret; 552 LDAP *ld; 553 char *myself = "ldapBind"; 554 555 if (ldP == 0 || (ld = *ldP) == 0) 556 return (LDAP_PARAM_ERROR); 557 558 if (method == none) { 559 /* No ldap_bind() required (or even possible) */ 560 ret = LDAP_SUCCESS; 561 } else if (method == simple) { 562 struct timeval tv; 563 LDAPMessage *msg = 0; 564 565 tv = timeout; 566 ret = ldap_bind(ld, who, cred, LDAP_AUTH_SIMPLE); 567 if (ret != -1) { 568 ret = ldap_result(ld, ret, 0, &tv, &msg); 569 if (ret == 0) { 570 ret = LDAP_TIMEOUT; 571 } else if (ret == -1) { 572 (void) ldap_get_option(ld, 573 LDAP_OPT_ERROR_NUMBER, 574 &ret); 575 } else { 576 ret = ldap_result2error(ld, msg, 0); 577 } 578 if (msg != 0) 579 (void) ldap_msgfree(msg); 580 } else { 581 (void) ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, 582 &ret); 583 } 584 } else if (method == cram_md5) { 585 /* Note: there is only a synchronous call for cram-md5 */ 586 struct berval ber_cred; 587 588 ber_cred.bv_len = strlen(cred); 589 ber_cred.bv_val = cred; 590 ret = ldap_sasl_cram_md5_bind_s(ld, who, &ber_cred, NULL, NULL); 591 } else if (method == digest_md5) { 592 /* Note: there is only a synchronous call for digest-md5 */ 593 struct berval ber_cred; 594 595 ber_cred.bv_len = strlen(cred); 596 ber_cred.bv_val = cred; 597 ret = ldap_x_sasl_digest_md5_bind_s(ld, who, &ber_cred, NULL, 598 NULL); 599 } else { 600 ret = LDAP_AUTH_METHOD_NOT_SUPPORTED; 601 } 602 603 if (ret != LDAP_SUCCESS) { 604 (void) ldap_unbind_s(ld); 605 *ldP = 0; 606 logmsg(MSG_NOTIMECHECK, LOG_WARNING, 607 "%s: Unable to bind as: %s: %s", 608 myself, who, ldap_err2string(ret)); 609 } 610 611 return (ret); 612 } 613 614 /* 615 * Free 'lc' and all related memory. Caller must hold the exclusive lock. 616 * Return LDAP_UNAVAILABLE upon success, in which case the caller mustn't 617 * try to use the structure pointer in any way. 618 */ 619 static int 620 freeCon(__nis_ldap_conn_t *lc) { 621 622 if (!assertExclusive(lc)) 623 return (LDAP_PARAM_ERROR); 624 625 incrementRC(lc); 626 627 /* Must be unused, unbound, and not on the 'ldapCon' list */ 628 if (lc->onList || lc->refCount != 1 || lc->isBound) { 629 lc->doDel++; 630 decrementRC(lc); 631 return (LDAP_BUSY); 632 } 633 634 sfree(lc->sp); 635 sfree(lc->who); 636 sfree(lc->cred); 637 638 /* Delete structure with both mutex:es held */ 639 640 free(lc); 641 642 return (LDAP_UNAVAILABLE); 643 } 644 645 /* 646 * Disconnect the specified LDAP connection. Caller must have acquired 'mutex'. 647 * 648 * On return, if the status is LDAP_UNAVAILABLE, the caller must not touch 649 * the structure in any way. 650 */ 651 static int 652 disconnectCon(__nis_ldap_conn_t *lc) { 653 int stat; 654 char *myself = "disconnectCon"; 655 656 if (lc == 0) 657 return (LDAP_SUCCESS); 658 659 if (!assertExclusive(lc)) 660 return (LDAP_UNAVAILABLE); 661 662 if (lc->doDis) { 663 664 /* Increment refCount to protect against interference */ 665 incrementRC(lc); 666 /* refCount must be one (i.e., just us) */ 667 if (lc->refCount != 1) { 668 /* 669 * In use; already marked for disconnect, 670 * so do nothing. 671 */ 672 decrementRC(lc); 673 return (LDAP_BUSY); 674 } 675 676 stat = ldap_unbind_s(lc->ld); 677 if (stat == LDAP_SUCCESS) { 678 lc->ld = 0; 679 lc->isBound = 0; 680 lc->doDis = 0; 681 /* Reset simple page and vlv indication */ 682 lc->simplePage = 0; 683 lc->vlv = 0; 684 } else if (verbose) { 685 logmsg(MSG_NOTIMECHECK, LOG_ERR, 686 "%s: ldap_unbind_s() => %d (%s)", 687 myself, stat, ldap_err2string(stat)); 688 } 689 690 decrementRC(lc); 691 } 692 693 if (lc->doDel) { 694 if (LDAP_UNAVAILABLE == freeCon(lc)) 695 stat = LDAP_UNAVAILABLE; 696 } 697 698 return (stat); 699 } 700 701 /* 702 * controlSupported will determine for a given connection whether a set 703 * of controls is supported or not. The input parameters: 704 * lc The connection 705 * ctrl A an array of OID strings, the terminal string should be NULL 706 * The returned values if LDAP_SUCCESS is returned: 707 * supported A caller supplied array which will be set to TRUE or 708 * FALSE depending on whether the corresponding control 709 * is reported as supported. 710 * Returns LDAP_SUCCESS if the supportedControl attribute is read. 711 */ 712 713 static int 714 controlSupported(__nis_ldap_conn_t *lc, char **ctrl, bool_t *supported) { 715 LDAPMessage *res, *e; 716 char *attr[2], *a, **val; 717 int stat, i; 718 BerElement *ber = 0; 719 char *myself = "controlSupported"; 720 721 attr[0] = "supportedControl"; 722 attr[1] = 0; 723 724 stat = ldap_search_st(lc->ld, "", LDAP_SCOPE_BASE, "(objectclass=*)", 725 attr, 0, &lc->searchTimeout, &res); 726 if (stat != LDAP_SUCCESS) { 727 logmsg(MSG_NOTIMECHECK, LOG_WARNING, 728 "%s: Unable to retrieve supported control information for %s: %s", 729 myself, NIL(lc->sp), ldap_err2string(stat)); 730 return (stat); 731 } 732 733 e = ldap_first_entry(lc->ld, res); 734 if (e != 0) { 735 a = ldap_first_attribute(lc->ld, e, &ber); 736 if (a != 0) { 737 val = ldap_get_values(lc->ld, e, a); 738 if (val == 0) { 739 ldap_memfree(a); 740 if (ber != 0) 741 ber_free(ber, 0); 742 } 743 } 744 } 745 if (e == 0 || a == 0 || val == 0) { 746 ldap_msgfree(res); 747 logmsg(MSG_NOTIMECHECK, LOG_INFO, 748 "%s: Unable to get root DSE for %s", 749 myself, NIL(lc->sp)); 750 return (LDAP_OPERATIONS_ERROR); 751 } 752 753 while (*ctrl != NULL) { 754 *supported = FALSE; 755 for (i = 0; val[i] != 0; i++) { 756 if (strstr(val[i], *ctrl) != 0) { 757 *supported = TRUE; 758 break; 759 } 760 } 761 logmsg(MSG_NOTIMECHECK, LOG_INFO, 762 "%s: %s: %s: %s", 763 myself, NIL(lc->sp), NIL(*ctrl), 764 *supported ? "enabled" : "disabled"); 765 ctrl++; 766 supported++; 767 } 768 769 ldap_value_free(val); 770 ldap_memfree(a); 771 if (ber != 0) 772 ber_free(ber, 0); 773 ldap_msgfree(res); 774 775 return (stat); 776 } 777 778 /* 779 * Connect the LDAP connection 'lc'. Caller must have acquired the 'mutex', 780 * and the refCount must be zero. 781 * 782 * On return, if the status is LDAP_UNAVAILABLE, the caller must not touch 783 * the structure in any way. 784 */ 785 static int 786 connectCon(__nis_ldap_conn_t *lc, int check_ctrl) { 787 struct timeval tp; 788 int stat; 789 bool_t supported[2] = {FALSE, FALSE}; 790 char *ctrl[3] = {LDAP_CONTROL_SIMPLE_PAGE, 791 LDAP_CONTROL_VLVREQUEST, 792 NULL}; 793 794 if (lc == 0) 795 return (LDAP_SUCCESS); 796 797 if (!assertExclusive(lc)) 798 return (LDAP_PARAM_ERROR); 799 800 incrementRC(lc); 801 if (lc->refCount != 1) { 802 /* 803 * Don't want to step on structure when it's used by someone 804 * else. 805 */ 806 decrementRC(lc); 807 return (LDAP_BUSY); 808 } 809 810 (void) gettimeofday(&tp, 0); 811 812 if (lc->ld != 0) { 813 /* Try to disconnect */ 814 lc->doDis++; 815 decrementRC(lc); 816 /* disconnctCon() will do the delete if required */ 817 stat = disconnectCon(lc); 818 if (stat != LDAP_SUCCESS) 819 return (stat); 820 incrementRC(lc); 821 if (lc->refCount != 1 || lc->ld != 0) { 822 decrementRC(lc); 823 return (lc->ld != 0) ? LDAP_SUCCESS : 824 LDAP_BUSY; 825 } 826 } else if (tp.tv_sec < lc->retryTime) { 827 /* Too early to retry connect */ 828 decrementRC(lc); 829 return (LDAP_SERVER_DOWN); 830 } 831 832 /* Set new retry time in case we fail below */ 833 lc->retryTime = tp.tv_sec + ldapConnAttemptRetryTimeout; 834 835 lc->ld = ldapInit(lc->sp, lc->port, proxyInfo.tls_method != no_tls); 836 if (lc->ld == 0) { 837 decrementRC(lc); 838 return (LDAP_LOCAL_ERROR); 839 } 840 841 stat = lc->status = ldapBind(&lc->ld, lc->who, lc->cred, lc->method, 842 lc->bindTimeout); 843 if (lc->status == LDAP_SUCCESS) { 844 lc->isBound = 1; 845 lc->retryTime = 0; 846 if (check_ctrl) { 847 (void) controlSupported(lc, ctrl, supported); 848 lc->simplePage = supported[0]; 849 lc->vlv = supported[1]; 850 lc->batchFrom = 50000; 851 } 852 } 853 854 decrementRC(lc); 855 856 return (stat); 857 } 858 859 /* 860 * Find and return a connection believed to be OK. 861 */ 862 static __nis_ldap_conn_t * 863 findCon(int *stat) { 864 __nis_ldap_conn_t *lc; 865 int ldapStat; 866 char *myself = "findCon"; 867 868 if (stat == 0) 869 stat = &ldapStat; 870 871 (void) rw_rdlock(&ldapConLock); 872 873 if (ldapCon == 0) { 874 /* Probably first call; try to set up the connection list */ 875 (void) rw_unlock(&ldapConLock); 876 if ((*stat = setupConList(proxyInfo.default_servers, 877 proxyInfo.proxy_dn, 878 proxyInfo.proxy_passwd, 879 proxyInfo.auth_method)) != 880 LDAP_SUCCESS) 881 return (0); 882 (void) rw_rdlock(&ldapConLock); 883 } 884 885 for (lc = ldapCon; lc != 0; lc = lc->next) { 886 exclusiveLC(lc); 887 if (!lc->isBound) { 888 *stat = connectCon(lc, 1); 889 if (*stat != LDAP_SUCCESS) { 890 if (*stat != LDAP_UNAVAILABLE) { 891 logmsg(MSG_NOTIMECHECK, LOG_WARNING, 892 "%s: Cannot open connection to LDAP server (%s): %s", 893 myself, NIL(lc->sp), 894 ldap_err2string(*stat)); 895 releaseLC(lc); 896 } 897 continue; 898 } 899 } else if (lc->doDis || lc->doDel) { 900 *stat = disconnectCon(lc); 901 if (*stat != LDAP_UNAVAILABLE) 902 releaseLC(lc); 903 continue; 904 } 905 incrementRC(lc); 906 releaseLC(lc); 907 break; 908 } 909 910 (void) rw_unlock(&ldapConLock); 911 912 return (lc); 913 } 914 915 /* Release connection; decrements ref count for the connection */ 916 static void 917 releaseCon(__nis_ldap_conn_t *lc, int status) { 918 int stat; 919 920 if (lc == 0) 921 return; 922 923 exclusiveLC(lc); 924 925 lc->status = status; 926 927 decrementRC(lc); 928 929 if (lc->doDis) 930 stat = disconnectCon(lc); 931 else 932 stat = LDAP_SUCCESS; 933 934 if (stat != LDAP_UNAVAILABLE) 935 releaseLC(lc); 936 } 937 938 static __nis_ldap_conn_t * 939 createCon(char *sp, char *who, char *cred, auth_method_t method, int port) { 940 __nis_ldap_conn_t *lc; 941 char *myself = "createCon"; 942 char *r; 943 944 if (sp == 0) 945 return (0); 946 947 lc = am(myself, sizeof (*lc)); 948 if (lc == 0) 949 return (0); 950 951 (void) mutex_init(&lc->mutex, 0, 0); 952 (void) mutex_init(&lc->rcMutex, 0, 0); 953 954 /* If we need to delete 'lc', freeCon() wants the mutex held */ 955 exclusiveLC(lc); 956 957 lc->sp = sdup(myself, T, sp); 958 if (lc->sp == 0) { 959 (void) freeCon(lc); 960 return (0); 961 } 962 963 if ((r = strchr(lc->sp, ']')) != 0) { 964 /* 965 * IPv6 address. Does libldap want this with the 966 * '[' and ']' left in place ? Assume so for now. 967 */ 968 r = strchr(r, ':'); 969 } else { 970 r = strchr(lc->sp, ':'); 971 } 972 973 if (r != NULL) { 974 *r++ = '\0'; 975 port = atoi(r); 976 } else if (port == 0) 977 port = proxyInfo.tls_method == ssl_tls ? LDAPS_PORT : LDAP_PORT; 978 979 if (who != 0) { 980 lc->who = sdup(myself, T, who); 981 if (lc->who == 0) { 982 (void) freeCon(lc); 983 return (0); 984 } 985 } 986 987 if (cred != 0) { 988 lc->cred = sdup(myself, T, cred); 989 if (lc->cred == 0) { 990 (void) freeCon(lc); 991 return (0); 992 } 993 } 994 995 lc->method = method; 996 lc->port = port; 997 998 lc->bindTimeout = proxyInfo.bind_timeout; 999 lc->searchTimeout = proxyInfo.search_timeout; 1000 lc->modifyTimeout = proxyInfo.modify_timeout; 1001 lc->addTimeout = proxyInfo.add_timeout; 1002 lc->deleteTimeout = proxyInfo.delete_timeout; 1003 1004 /* All other fields OK at zero */ 1005 1006 releaseLC(lc); 1007 1008 return (lc); 1009 } 1010 1011 static int 1012 setupConList(char *serverList, char *who, char *cred, auth_method_t method) { 1013 char *sls, *sl, *s, *e; 1014 __nis_ldap_conn_t *lc, *tmp; 1015 char *myself = "setupConList"; 1016 1017 if (serverList == 0) 1018 return (LDAP_PARAM_ERROR); 1019 1020 (void) rw_wrlock(&ldapConLock); 1021 1022 if (ldapCon != 0) { 1023 /* Assume we've already been called and done the set-up */ 1024 (void) rw_unlock(&ldapConLock); 1025 return (LDAP_SUCCESS); 1026 } 1027 1028 /* Work on a copy of 'serverList' */ 1029 sl = sls = sdup(myself, T, serverList); 1030 if (sl == 0) { 1031 (void) rw_unlock(&ldapConLock); 1032 return (LDAP_NO_MEMORY); 1033 } 1034 1035 /* Remove leading white space */ 1036 for (; *sl == ' ' || *sl == '\t'; sl++); 1037 1038 /* Create connection for each server on the list */ 1039 for (s = sl; *s != '\0'; s = e+1) { 1040 int l; 1041 1042 /* Find end of server/port token */ 1043 for (e = s; *e != ' ' && *e != '\t' && *e != '\0'; e++); 1044 if (*e != '\0') 1045 *e = '\0'; 1046 else 1047 e--; 1048 l = slen(s); 1049 1050 if (l > 0) { 1051 lc = createCon(s, who, cred, method, 0); 1052 if (lc == 0) { 1053 free(sls); 1054 (void) rw_unlock(&ldapConLock); 1055 return (LDAP_NO_MEMORY); 1056 } 1057 lc->onList = 1; 1058 if (ldapCon == 0) { 1059 ldapCon = lc; 1060 } else { 1061 /* Insert at end of list */ 1062 for (tmp = ldapCon; tmp->next != 0; 1063 tmp = tmp->next); 1064 tmp->next = lc; 1065 } 1066 } 1067 } 1068 1069 free(sls); 1070 1071 (void) rw_unlock(&ldapConLock); 1072 1073 return (LDAP_SUCCESS); 1074 } 1075 1076 static bool_t 1077 is_same_connection(__nis_ldap_conn_t *lc, LDAPURLDesc *ludpp) 1078 { 1079 return (strcasecmp(ludpp->lud_host, lc->sp) == 0 && 1080 ludpp->lud_port == lc->port); 1081 } 1082 1083 static __nis_ldap_conn_t * 1084 find_connection_from_list(__nis_ldap_conn_t *list, 1085 LDAPURLDesc *ludpp, int *stat) 1086 { 1087 int ldapStat; 1088 __nis_ldap_conn_t *lc = NULL; 1089 if (stat == 0) 1090 stat = &ldapStat; 1091 1092 *stat = LDAP_SUCCESS; 1093 1094 for (lc = list; lc != 0; lc = lc->next) { 1095 exclusiveLC(lc); 1096 if (is_same_connection(lc, ludpp)) { 1097 if (!lc->isBound) { 1098 *stat = connectCon(lc, 1); 1099 if (*stat != LDAP_SUCCESS) { 1100 releaseLC(lc); 1101 continue; 1102 } 1103 } else if (lc->doDis || lc->doDel) { 1104 (void) disconnectCon(lc); 1105 releaseLC(lc); 1106 continue; 1107 } 1108 incrementRC(lc); 1109 releaseLC(lc); 1110 break; 1111 } 1112 releaseLC(lc); 1113 } 1114 return (lc); 1115 } 1116 1117 static __nis_ldap_conn_t * 1118 findReferralCon(char **referralsp, int *stat) 1119 { 1120 __nis_ldap_conn_t *lc = NULL; 1121 __nis_ldap_conn_t *tmp; 1122 int ldapStat; 1123 int i; 1124 LDAPURLDesc *ludpp = NULL; 1125 char *myself = "findReferralCon"; 1126 1127 if (stat == 0) 1128 stat = &ldapStat; 1129 1130 *stat = LDAP_SUCCESS; 1131 1132 /* 1133 * We have the referral lock - to prevent multiple 1134 * threads from creating a referred connection simultaneously 1135 * 1136 * Note that this code assumes that the ldapCon list is a 1137 * static list - that it has previously been created 1138 * (otherwise we wouldn't have gotten a referral) and that 1139 * it will neither grow or shrink - elements may have new 1140 * connections or unbound. If this assumption is no longer valid, 1141 * the locking needs to be reworked. 1142 */ 1143 (void) rw_rdlock(&referralConLock); 1144 1145 for (i = 0; referralsp[i] != NULL; i++) { 1146 if (ldap_url_parse(referralsp[i], &ludpp) != LDAP_SUCCESS) 1147 continue; 1148 /* Ignore referrals if not at the appropriate tls level */ 1149 #ifdef LDAP_URL_OPT_SECURE 1150 if (ludpp->lud_options & LDAP_URL_OPT_SECURE) { 1151 if (proxyInfo.tls_method != ssl_tls) { 1152 ldap_free_urldesc(ludpp); 1153 continue; 1154 } 1155 } else { 1156 if (proxyInfo.tls_method != no_tls) { 1157 ldap_free_urldesc(ludpp); 1158 continue; 1159 } 1160 } 1161 #endif 1162 1163 /* Determine if we already have a connection to the server */ 1164 lc = find_connection_from_list(ldapReferralCon, ludpp, stat); 1165 if (lc == NULL) 1166 lc = find_connection_from_list(ldapCon, ludpp, stat); 1167 ldap_free_urldesc(ludpp); 1168 if (lc != NULL) { 1169 (void) rw_unlock(&referralConLock); 1170 return (lc); 1171 } 1172 } 1173 1174 for (i = 0; referralsp[i] != NULL; i++) { 1175 if (ldap_url_parse(referralsp[i], &ludpp) != LDAP_SUCCESS) 1176 continue; 1177 /* Ignore referrals if not at the appropriate tls level */ 1178 #ifdef LDAP_URL_OPT_SECURE 1179 if (ludpp->lud_options & LDAP_URL_OPT_SECURE) { 1180 if (proxyInfo.tls_method != ssl_tls) { 1181 ldap_free_urldesc(ludpp); 1182 continue; 1183 } 1184 } else { 1185 if (proxyInfo.tls_method != no_tls) { 1186 ldap_free_urldesc(ludpp); 1187 continue; 1188 } 1189 } 1190 #endif 1191 lc = createCon(ludpp->lud_host, proxyInfo.proxy_dn, 1192 proxyInfo.proxy_passwd, 1193 proxyInfo.auth_method, 1194 ludpp->lud_port); 1195 if (lc == 0) { 1196 ldap_free_urldesc(ludpp); 1197 (void) rw_unlock(&referralConLock); 1198 *stat = LDAP_NO_MEMORY; 1199 logmsg(MSG_NOTIMECHECK, LOG_INFO, 1200 "%s: Could not connect to host: %s", 1201 myself, NIL(ludpp->lud_host)); 1202 return (NULL); 1203 } 1204 1205 lc->onList = 1; 1206 if (ldapReferralCon == 0) { 1207 ldapReferralCon = lc; 1208 } else { 1209 /* Insert at end of list */ 1210 for (tmp = ldapReferralCon; tmp->next != 0; 1211 tmp = tmp->next) {} 1212 tmp->next = lc; 1213 } 1214 lc = find_connection_from_list(ldapReferralCon, ludpp, stat); 1215 ldap_free_urldesc(ludpp); 1216 if (lc != NULL) 1217 break; 1218 } 1219 (void) rw_unlock(&referralConLock); 1220 if (lc == NULL) { 1221 logmsg(MSG_NOTIMECHECK, LOG_INFO, 1222 "%s: Could not find a connection to %s, ...", 1223 myself, NIL(referralsp[0])); 1224 } 1225 1226 return (lc); 1227 } 1228 1229 /* 1230 * Find and return a connection believed to be OK and ensure children 1231 * will never use parent's connection. 1232 */ 1233 static __nis_ldap_conn_t * 1234 findYPCon(__nis_ldap_search_t *ls, int *stat) { 1235 __nis_ldap_conn_t *lc, *newlc; 1236 int ldapStat, newstat; 1237 char *myself = "findYPCon"; 1238 1239 if (stat == 0) 1240 stat = &ldapStat; 1241 1242 (void) rw_rdlock(&ldapConLock); 1243 1244 if (ldapCon == 0) { 1245 /* Probably first call; try to set up the connection list */ 1246 (void) rw_unlock(&ldapConLock); 1247 if ((*stat = setupConList(proxyInfo.default_servers, 1248 proxyInfo.proxy_dn, 1249 proxyInfo.proxy_passwd, 1250 proxyInfo.auth_method)) != 1251 LDAP_SUCCESS) 1252 return (0); 1253 (void) rw_rdlock(&ldapConLock); 1254 } 1255 1256 for (lc = ldapCon; lc != 0; lc = lc->next) { 1257 exclusiveLC(lc); 1258 1259 if (lc->isBound && (lc->doDis || lc->doDel)) { 1260 *stat = disconnectCon(lc); 1261 if (*stat != LDAP_UNAVAILABLE) 1262 releaseLC(lc); 1263 continue; 1264 } 1265 1266 /* 1267 * Use a new connection for all cases except when 1268 * requested by the main thread in the parent ypserv 1269 * process. 1270 */ 1271 if (ls->useCon == 0) { 1272 newlc = createCon(lc->sp, lc->who, lc->cred, 1273 lc->method, lc->port); 1274 if (!newlc) { 1275 releaseLC(lc); 1276 continue; 1277 } 1278 if (lc->ld != 0) { 1279 newlc->simplePage = lc->simplePage; 1280 newlc->vlv = lc->vlv; 1281 newlc->batchFrom = lc->batchFrom; 1282 } 1283 releaseLC(lc); 1284 exclusiveLC(newlc); 1285 newstat = connectCon(newlc, 0); 1286 if (newstat != LDAP_SUCCESS) { 1287 if (newstat != LDAP_UNAVAILABLE) { 1288 logmsg(MSG_NOTIMECHECK, LOG_WARNING, 1289 "%s: Cannot open connection to LDAP server (%s): %s", 1290 myself, NIL(newlc->sp), 1291 ldap_err2string(*stat)); 1292 } 1293 (void) freeCon(newlc); 1294 newlc = 0; 1295 continue; 1296 } 1297 1298 /* 1299 * No need to put newlc on the ldapCon list as this 1300 * connection will be freed after use. 1301 */ 1302 newlc->onList = 0; 1303 1304 lc = newlc; 1305 } else if (!lc->isBound) { 1306 *stat = connectCon(lc, 1); 1307 if (*stat != LDAP_SUCCESS) { 1308 if (*stat != LDAP_UNAVAILABLE) { 1309 logmsg(MSG_NOTIMECHECK, LOG_WARNING, 1310 "%s: Cannot open connection to LDAP server (%s): %s", 1311 myself, NIL(lc->sp), 1312 ldap_err2string(*stat)); 1313 releaseLC(lc); 1314 } 1315 continue; 1316 } 1317 } 1318 1319 incrementRC(lc); 1320 releaseLC(lc); 1321 break; 1322 } 1323 1324 (void) rw_unlock(&ldapConLock); 1325 1326 return (lc); 1327 } 1328 1329 #define SORTKEYLIST "cn uid" 1330 1331 /* 1332 * Perform an LDAP search operation per 'ls', adding the result(s) to 1333 * a copy of the 'rvIn' structure; the copy becomes the return value. 1334 * The caller must deallocate both 'rvIn' and the result, if any. 1335 * 1336 * On entry, '*numValues' contains a hint regarding the expected 1337 * number of entries. Zero is the same as one, and negative values 1338 * imply no information. This is used to decide whether or not to 1339 * try an indexed search. 1340 * 1341 * On successful (non-NULL) return, '*numValues' contains the number 1342 * of __nis_rule_value_t elements in the returned array, and '*stat' 1343 * the LDAP operations status. 1344 */ 1345 __nis_rule_value_t * 1346 ldapSearch(__nis_ldap_search_t *ls, int *numValues, __nis_rule_value_t *rvIn, 1347 int *ldapStat) { 1348 __nis_rule_value_t *rv = 0; 1349 int stat, numEntries, numVals, tnv, done, lprEc; 1350 LDAPMessage *msg = 0, *m; 1351 __nis_ldap_conn_t *lc; 1352 struct timeval tv, start, now; 1353 LDAPsortkey **sortKeyList = 0; 1354 LDAPControl *ctrls[3], *sortCtrl = 0, *vlvCtrl = 0; 1355 LDAPControl **retCtrls = 0; 1356 LDAPVirtualList vList; 1357 struct berval *spCookie = 0; 1358 int doVLV = 0; 1359 int doSP = 0; 1360 long index; 1361 char *myself = "ldapSearch"; 1362 bool_t follow_referral = 1363 proxyInfo.follow_referral == follow; 1364 int doIndex = 1; 1365 char **referralsp = NULL; 1366 1367 ctrls[0] = ctrls[1] = ctrls[2] = 0; 1368 1369 if (ldapStat == 0) 1370 ldapStat = &stat; 1371 1372 if (ls == 0) { 1373 *ldapStat = LDAP_PARAM_ERROR; 1374 return (0); 1375 } 1376 1377 if (yp2ldap) { 1378 /* make sure the parent's connection is not used by child */ 1379 if ((lc = findYPCon(ls, ldapStat)) == 0) { 1380 *ldapStat = LDAP_SERVER_DOWN; 1381 return (0); 1382 } 1383 } else { 1384 if ((lc = findCon(ldapStat)) == 0) { 1385 *ldapStat = LDAP_SERVER_DOWN; 1386 return (0); 1387 } 1388 } 1389 1390 if (numValues != 0 && (*numValues == 0 || *numValues == 1)) 1391 doIndex = 0; 1392 1393 retry_new_conn: 1394 /* Prefer VLV over simple page, and SP over nothing */ 1395 if (doIndex && lc->vlv) { 1396 stat = ldap_create_sort_keylist(&sortKeyList, SORTKEYLIST); 1397 if (stat != LDAP_SUCCESS) { 1398 logmsg(MSG_NOTIMECHECK, LOG_INFO, 1399 "%s: Error creating sort keylist: %s", 1400 myself, ldap_err2string(stat)); 1401 freeRuleValue(rv, numVals); 1402 *ldapStat = stat; 1403 rv = 0; 1404 goto retry_noVLV; 1405 } 1406 stat = ldap_create_sort_control(lc->ld, sortKeyList, 1, 1407 &sortCtrl); 1408 if (stat == LDAP_SUCCESS) { 1409 vList.ldvlist_before_count = 0; 1410 vList.ldvlist_after_count = lc->batchFrom - 1; 1411 vList.ldvlist_attrvalue = 0; 1412 vList.ldvlist_extradata = 0; 1413 index = 1; 1414 doVLV = 1; 1415 } else { 1416 ldap_get_option(lc->ld, LDAP_OPT_ERROR_NUMBER, &stat); 1417 logmsg(MSG_NOTIMECHECK, LOG_INFO, 1418 "%s: Error creating VLV sort control: %s", 1419 myself, ldap_err2string(stat)); 1420 freeRuleValue(rv, numVals); 1421 *ldapStat = stat; 1422 rv = 0; 1423 } 1424 } 1425 1426 retry_noVLV: 1427 1428 if (doIndex && !doVLV && lc->simplePage) { 1429 spCookie = am(myself, sizeof (*spCookie)); 1430 if (spCookie != 0 && 1431 (spCookie->bv_val = sdup(myself, T, "")) != 0) { 1432 spCookie->bv_len = 0; 1433 doSP = 1; 1434 } else { 1435 logmsg(MSG_NOTIMECHECK, LOG_INFO, 1436 "%s: No memory for simple page cookie; using un-paged LDAP search", 1437 myself); 1438 freeRuleValue(rv, numVals); 1439 *ldapStat = stat; 1440 rv = 0; 1441 goto cleanup; 1442 } 1443 } 1444 1445 if (!doVLV && !doSP) 1446 ctrls[0] = ctrls[1] = 0; 1447 1448 numVals = 0; 1449 done = 0; 1450 1451 if (ls->timeout.tv_sec || ls->timeout.tv_usec) { 1452 tv = ls->timeout; 1453 } else { 1454 tv = lc->searchTimeout; 1455 } 1456 (void) gettimeofday(&start, 0); 1457 1458 do { 1459 /* don't do vlv or simple page for base level searches */ 1460 if (doVLV && ls->base != LDAP_SCOPE_BASE) { 1461 vList.ldvlist_index = index; 1462 vList.ldvlist_size = 0; 1463 if (vlvCtrl != 0) 1464 ldap_control_free(vlvCtrl); 1465 stat = ldap_create_virtuallist_control(lc->ld, 1466 &vList, &vlvCtrl); 1467 if (stat != LDAP_SUCCESS) { 1468 ldap_get_option(lc->ld, LDAP_OPT_ERROR_NUMBER, 1469 &stat); 1470 logmsg(MSG_NOTIMECHECK, LOG_ERR, 1471 "%s: Error creating VLV at index %ld: %s", 1472 myself, index, ldap_err2string(stat)); 1473 *ldapStat = stat; 1474 freeRuleValue(rv, numVals); 1475 rv = 0; 1476 goto cleanup; 1477 } 1478 ctrls[0] = sortCtrl; 1479 ctrls[1] = vlvCtrl; 1480 ctrls[2] = 0; 1481 stat = ldap_search_ext_s(lc->ld, ls->base, 1482 ls->scope, ls->filter, ls->attrs, 1483 ls->attrsonly, ctrls, 0, &tv, 1484 proxyInfo.search_size_limit, &msg); 1485 /* don't do vlv or simple page for base level searches */ 1486 } else if (doSP && ls->base != LDAP_SCOPE_BASE) { 1487 if (ctrls[0] != 0) 1488 ldap_control_free(ctrls[0]); 1489 stat = ldap_create_page_control(lc->ld, 1490 lc->batchFrom, spCookie, 0, &ctrls[0]); 1491 if (stat != LDAP_SUCCESS) { 1492 ber_bvfree(spCookie); 1493 spCookie = 0; 1494 ldap_get_option(lc->ld, LDAP_OPT_ERROR_NUMBER, 1495 &stat); 1496 logmsg(MSG_NOTIMECHECK, LOG_ERR, 1497 "%s: Simple page error: %s", 1498 myself, ldap_err2string(stat)); 1499 freeRuleValue(rv, numVals); 1500 *ldapStat = stat; 1501 rv = 0; 1502 goto cleanup; 1503 } 1504 ctrls[1] = 0; 1505 stat = ldap_search_ext_s(lc->ld, ls->base, 1506 ls->scope, ls->filter, ls->attrs, 1507 ls->attrsonly, ctrls, 0, &tv, 1508 proxyInfo.search_size_limit, &msg); 1509 } else { 1510 stat = ldap_search_st(lc->ld, ls->base, ls->scope, 1511 ls->filter, ls->attrs, ls->attrsonly, 1512 &tv, &msg); 1513 } 1514 if (stat == LDAP_SUCCESS) 1515 ldap_get_option(lc->ld, LDAP_OPT_ERROR_NUMBER, &stat); 1516 1517 if (stat == LDAP_SERVER_DOWN) { 1518 lc->doDis++; 1519 releaseCon(lc, stat); 1520 lc = (yp2ldap)?findYPCon(ls, ldapStat): 1521 findCon(ldapStat); 1522 if (lc == 0) { 1523 *ldapStat = LDAP_SERVER_DOWN; 1524 rv = 0; 1525 goto cleanup; 1526 } 1527 goto retry_new_conn; 1528 } 1529 1530 if (stat == LDAP_REFERRAL && follow_referral) { 1531 (void) ldap_parse_result(lc->ld, msg, NULL, NULL, NULL, 1532 &referralsp, NULL, 0); 1533 if (referralsp != NULL) { 1534 /* We support at most one level of referrals */ 1535 follow_referral = FALSE; 1536 releaseCon(lc, stat); 1537 lc = findReferralCon(referralsp, &stat); 1538 ldap_value_free(referralsp); 1539 if (lc == NULL) { 1540 freeRuleValue(rv, numVals); 1541 rv = 0; 1542 *ldapStat = stat; 1543 goto cleanup; 1544 } 1545 stat = LDAP_SUCCESS; 1546 goto retry_new_conn; 1547 } 1548 } 1549 *ldapStat = stat; 1550 1551 if (*ldapStat == LDAP_NO_SUCH_OBJECT) { 1552 freeRuleValue(rv, numVals); 1553 rv = 0; 1554 goto cleanup; 1555 } else if (doVLV && *ldapStat == LDAP_INSUFFICIENT_ACCESS) { 1556 /* 1557 * The LDAP server (at least Netscape 4.x) can return 1558 * LDAP_INSUFFICIENT_ACCESS when VLV is supported, 1559 * but not for the bind DN specified. So, just in 1560 * case, we clean up, and try again without VLV. 1561 */ 1562 doVLV = 0; 1563 if (msg != 0) { 1564 (void) ldap_msgfree(msg); 1565 msg = 0; 1566 } 1567 if (ctrls[0] != 0) { 1568 ldap_control_free(ctrls[0]); 1569 ctrls[0] = 0; 1570 } 1571 if (ctrls[1] != 0) { 1572 ldap_control_free(ctrls[1]); 1573 ctrls[1] = 0; 1574 } 1575 logmsg(MSG_VLV_INSUFF_ACC, LOG_WARNING, 1576 "%s: VLV insufficient access from server %s; retrying without VLV", 1577 myself, NIL(lc->sp)); 1578 goto retry_noVLV; 1579 } else if (*ldapStat != LDAP_SUCCESS) { 1580 logmsg(MSG_NOTIMECHECK, LOG_WARNING, 1581 "ldap_search(0x%x,\n\t\"%s\",\n\t %d,", 1582 lc->ld, NIL(ls->base), ls->scope); 1583 logmsg(MSG_NOTIMECHECK, LOG_WARNING, 1584 "\t\"%s\",\n\t0x%x,\n\t%d) => %d (%s)", 1585 NIL(ls->filter), ls->attrs, ls->attrsonly, 1586 *ldapStat, ldap_err2string(stat)); 1587 freeRuleValue(rv, numVals); 1588 rv = 0; 1589 goto cleanup; 1590 } 1591 1592 numEntries = ldap_count_entries(lc->ld, msg); 1593 if (numEntries == 0 && *ldapStat == LDAP_SUCCESS) { 1594 /* 1595 * This is a bit weird, but the server (or, at least, 1596 * ldap_search_ext()) can sometimes return 1597 * LDAP_SUCCESS and no entries when it didn't 1598 * find what we were looking for. Seems it ought to 1599 * return LDAP_NO_SUCH_OBJECT or some such. 1600 */ 1601 freeRuleValue(rv, numVals); 1602 rv = 0; 1603 *ldapStat = LDAP_NO_SUCH_OBJECT; 1604 goto cleanup; 1605 } 1606 1607 tnv = numVals + numEntries; 1608 if ((rv = growRuleValue(numVals, tnv, rv, rvIn)) == 0) { 1609 *ldapStat = LDAP_NO_MEMORY; 1610 goto cleanup; 1611 } 1612 1613 for (m = ldap_first_entry(lc->ld, msg); m != 0; 1614 m = ldap_next_entry(lc->ld, m), numVals++) { 1615 char *nm; 1616 BerElement *ber = 0; 1617 1618 if (numVals > tnv) { 1619 logmsg(MSG_NOTIMECHECK, LOG_INFO, 1620 "%s: Inconsistent LDAP entry count > %d", 1621 myself, numEntries); 1622 break; 1623 } 1624 1625 nm = ldap_get_dn(lc->ld, m); 1626 if (nm == 0 || addSAttr2RuleValue("dn", nm, 1627 &rv[numVals])) { 1628 sfree(nm); 1629 *ldapStat = LDAP_NO_MEMORY; 1630 freeRuleValue(rv, tnv); 1631 rv = 0; 1632 goto cleanup; 1633 } 1634 sfree(nm); 1635 1636 for (nm = ldap_first_attribute(lc->ld, m, &ber); 1637 nm != 0; 1638 nm = ldap_next_attribute(lc->ld, m, ber)) { 1639 struct berval **val; 1640 int i, nv; 1641 1642 val = ldap_get_values_len(lc->ld, m, nm); 1643 nv = (val == 0) ? 0 : 1644 ldap_count_values_len(val); 1645 for (i = 0; i < nv; i++) { 1646 /* 1647 * Since we don't know if the value is 1648 * BER-encoded or not, we mark it as a 1649 * string. All is well as long as we 1650 * don't insist on 'vt_ber' when 1651 * interpreting. 1652 */ 1653 if (addAttr2RuleValue(vt_string, nm, 1654 val[i]->bv_val, 1655 val[i]->bv_len, 1656 &rv[numVals])) { 1657 if (ber != 0) 1658 ber_free(ber, 0); 1659 ldap_value_free_len(val); 1660 *ldapStat = LDAP_NO_MEMORY; 1661 freeRuleValue(rv, tnv); 1662 rv = 0; 1663 goto cleanup; 1664 } 1665 } 1666 ldap_memfree(nm); 1667 if (val != 0) 1668 ldap_value_free_len(val); 1669 } 1670 if (ber != 0) 1671 ber_free(ber, 0); 1672 } 1673 1674 if (numVals != tnv) { 1675 logmsg(MSG_NOTIMECHECK, LOG_WARNING, 1676 "%s: Inconsistent LDAP entry count, found = %d, expected %d", 1677 myself, numVals, tnv); 1678 } 1679 1680 if (doVLV) { 1681 stat = ldap_parse_result(lc->ld, msg, &lprEc, 0, 0, 0, 1682 &retCtrls, 0); 1683 if (stat != LDAP_SUCCESS) { 1684 ldap_get_option(lc->ld, LDAP_OPT_ERROR_NUMBER, 1685 &stat); 1686 logmsg(MSG_NOTIMECHECK, LOG_ERR, 1687 "%s: VLV parse result error: %s", 1688 myself, ldap_err2string(stat)); 1689 *ldapStat = stat; 1690 freeRuleValue(rv, tnv); 1691 rv = 0; 1692 goto cleanup; 1693 } 1694 if (retCtrls != 0) { 1695 unsigned long targetPosP = 0; 1696 unsigned long listSize = 0; 1697 1698 stat = ldap_parse_virtuallist_control(lc->ld, 1699 retCtrls, &targetPosP, &listSize, 1700 &lprEc); 1701 if (stat == LDAP_SUCCESS) { 1702 index = targetPosP + lc->batchFrom; 1703 if (index >= listSize) 1704 done = 1; 1705 } 1706 ldap_controls_free(retCtrls); 1707 retCtrls = 0; 1708 } else { 1709 done = 1; 1710 } 1711 } else if (doSP) { 1712 stat = ldap_parse_result(lc->ld, msg, &lprEc, 0, 0, 0, 1713 &retCtrls, 0); 1714 if (stat != LDAP_SUCCESS) { 1715 ldap_get_option(lc->ld, LDAP_OPT_ERROR_NUMBER, 1716 &stat); 1717 logmsg(MSG_NOTIMECHECK, LOG_ERR, 1718 "%s: Simple page parse result error: %s", 1719 myself, ldap_err2string(stat)); 1720 *ldapStat = stat; 1721 freeRuleValue(rv, tnv); 1722 rv = 0; 1723 goto cleanup; 1724 } 1725 if (retCtrls != 0) { 1726 unsigned int count; 1727 1728 if (spCookie != 0) { 1729 ber_bvfree(spCookie); 1730 spCookie = 0; 1731 } 1732 stat = ldap_parse_page_control(lc->ld, 1733 retCtrls, &count, &spCookie); 1734 if (stat == LDAP_SUCCESS) { 1735 if (spCookie == 0 || 1736 spCookie->bv_val == 0 || 1737 spCookie->bv_len == 0) 1738 done = 1; 1739 } 1740 ldap_controls_free(retCtrls); 1741 retCtrls = 0; 1742 } else { 1743 done = 1; 1744 } 1745 } else { 1746 done = 1; 1747 } 1748 1749 (void) ldap_msgfree(msg); 1750 msg = 0; 1751 1752 /* 1753 * If we're using VLV or SP, the timeout should apply 1754 * to all calls as an aggregate, so we need to reduce 1755 * 'tv' with the time spent on this chunk of data. 1756 */ 1757 if (!done) { 1758 struct timeval tmp; 1759 1760 (void) gettimeofday(&now, 0); 1761 tmp = now; 1762 now.tv_sec -= start.tv_sec; 1763 now.tv_usec -= start.tv_usec; 1764 if (now.tv_usec < 0) { 1765 now.tv_usec += 1000000; 1766 now.tv_sec -= 1; 1767 } 1768 tv.tv_sec -= now.tv_sec; 1769 tv.tv_usec -= now.tv_usec; 1770 if (tv.tv_usec < 0) { 1771 tv.tv_usec += 1000000; 1772 tv.tv_sec -= 1; 1773 } 1774 if (tv.tv_sec < 0) { 1775 *ldapStat = LDAP_TIMEOUT; 1776 freeRuleValue(rv, tnv); 1777 rv = 0; 1778 goto cleanup; 1779 } 1780 start = tmp; 1781 } 1782 1783 } while (!done); 1784 1785 if (numValues != 0) 1786 *numValues = numVals; 1787 1788 cleanup: 1789 if (NULL != lc) { 1790 if (yp2ldap && ls->useCon == 0) { 1791 /* Disconnect and free the connection */ 1792 lc->doDis++; 1793 lc->doDel++; 1794 releaseCon(lc, stat); 1795 releaseLC(lc); 1796 1797 } else { 1798 releaseCon(lc, stat); 1799 } 1800 } 1801 if (msg != 0) 1802 (void) ldap_msgfree(msg); 1803 if (ctrls[0] != 0) 1804 ldap_control_free(ctrls[0]); 1805 if (ctrls[1] != 0) 1806 ldap_control_free(ctrls[1]); 1807 if (spCookie != 0) 1808 ber_bvfree(spCookie); 1809 if (sortKeyList != 0) 1810 ldap_free_sort_keylist(sortKeyList); 1811 1812 return (rv); 1813 } 1814 1815 static void 1816 freeLdapModEntry(LDAPMod *m) { 1817 1818 if (m == 0) 1819 return; 1820 1821 sfree(m->mod_type); 1822 if ((m->mod_op & LDAP_MOD_BVALUES) == 0) { 1823 char **v = m->mod_values; 1824 1825 if (v != 0) { 1826 while (*v != 0) { 1827 sfree(*v); 1828 v++; 1829 } 1830 free(m->mod_values); 1831 } 1832 } else { 1833 struct berval **b = m->mod_bvalues; 1834 1835 if (b != 0) { 1836 while (*b != 0) { 1837 sfree((*b)->bv_val); 1838 free(*b); 1839 b++; 1840 } 1841 free(m->mod_bvalues); 1842 } 1843 } 1844 1845 free(m); 1846 } 1847 1848 static void 1849 freeLdapMod(LDAPMod **mods) { 1850 LDAPMod *m, **org = mods; 1851 1852 if (mods == 0) 1853 return; 1854 1855 while ((m = *mods) != 0) { 1856 freeLdapModEntry(m); 1857 mods++; 1858 } 1859 1860 free(org); 1861 } 1862 1863 /* 1864 * Convert a rule-value structure to the corresponding LDAPMod. 1865 * If 'add' is set, attributes/values are added; object classes 1866 * are also added. If 'add' is cleared, attributes/values are modified, 1867 * and 'oc' controls whether or not object classes are added. 1868 */ 1869 LDAPMod ** 1870 search2LdapMod(__nis_rule_value_t *rv, int add, int oc) { 1871 LDAPMod **mods; 1872 int i, j, nm; 1873 char *myself = "search2LdapMod"; 1874 1875 if (rv == 0 || rv->numAttrs <= 0) 1876 return (0); 1877 1878 mods = am(myself, (rv->numAttrs + 1) * sizeof (mods[0])); 1879 if (mods == 0) 1880 return (0); 1881 1882 for (i = 0, nm = 0; i < rv->numAttrs; i++) { 1883 int isOc; 1884 /* 1885 * If we're creating an LDAPMod array for an add operation, 1886 * just skip attributes that should be deleted. 1887 */ 1888 if (add && rv->attrVal[i].numVals < 0) 1889 continue; 1890 1891 /* 1892 * Skip DN; it's specified separately to ldap_modify() 1893 * and ldap_add(), and mustn't appear among the 1894 * attributes to be modified/added. 1895 */ 1896 if (strcasecmp("dn", rv->attrName[i]) == 0) 1897 continue; 1898 1899 /* 1900 * If modifying, and 'oc' is off, skip object class 1901 * attributes. 1902 */ 1903 isOc = (strcasecmp("objectclass", rv->attrName[i]) == 0); 1904 if (!add && !oc && isOc) 1905 continue; 1906 1907 mods[nm] = am(myself, sizeof (*mods[nm])); 1908 if (mods[nm] == 0) { 1909 freeLdapMod(mods); 1910 return (0); 1911 } 1912 1913 /* 'mod_type' is the attribute name */ 1914 mods[nm]->mod_type = sdup(myself, T, rv->attrName[i]); 1915 if (mods[nm]->mod_type == 0) { 1916 freeLdapMod(mods); 1917 return (0); 1918 } 1919 1920 /* 1921 * numVals < 0 means attribute and all values should 1922 * be deleted. 1923 */ 1924 if (rv->attrVal[i].numVals < 0) { 1925 mods[nm]->mod_op = LDAP_MOD_DELETE; 1926 mods[nm]->mod_values = 0; 1927 nm++; 1928 continue; 1929 } 1930 1931 /* objectClass attributes always added */ 1932 mods[nm]->mod_op = (add) ? 0 : ((isOc) ? 0 : LDAP_MOD_REPLACE); 1933 1934 if (rv->attrVal[i].type == vt_string) { 1935 /* 1936 * mods[]->mod_values is a NULL-terminated array 1937 * of (char *)'s. 1938 */ 1939 mods[nm]->mod_values = am(myself, 1940 (rv->attrVal[i].numVals + 1) * 1941 sizeof (mods[nm]->mod_values[0])); 1942 if (mods[nm]->mod_values == 0) { 1943 freeLdapMod(mods); 1944 return (0); 1945 } 1946 for (j = 0; j < rv->attrVal[i].numVals; j++) { 1947 /* 1948 * Just in case the string isn't NUL 1949 * terminated, add one byte to the 1950 * allocated length; am() will initialize 1951 * the buffer to zero. 1952 */ 1953 mods[nm]->mod_values[j] = am(myself, 1954 rv->attrVal[i].val[j].length + 1); 1955 if (mods[nm]->mod_values[j] == 0) { 1956 freeLdapMod(mods); 1957 return (0); 1958 } 1959 memcpy(mods[nm]->mod_values[j], 1960 rv->attrVal[i].val[j].value, 1961 rv->attrVal[i].val[j].length); 1962 } 1963 } else { 1964 mods[nm]->mod_op |= LDAP_MOD_BVALUES; 1965 mods[nm]->mod_bvalues = am(myself, 1966 (rv->attrVal[i].numVals+1) * 1967 sizeof (mods[nm]->mod_bvalues[0])); 1968 if (mods[nm]->mod_bvalues == 0) { 1969 freeLdapMod(mods); 1970 return (0); 1971 } 1972 for (j = 0; j < rv->attrVal[i].numVals; j++) { 1973 mods[nm]->mod_bvalues[j] = am(myself, 1974 sizeof (*mods[nm]->mod_bvalues[j])); 1975 if (mods[nm]->mod_bvalues[j] == 0) { 1976 freeLdapMod(mods); 1977 return (0); 1978 } 1979 mods[nm]->mod_bvalues[j]->bv_val = am(myself, 1980 rv->attrVal[i].val[j].length); 1981 if (mods[nm]->mod_bvalues[j]->bv_val == 0) { 1982 freeLdapMod(mods); 1983 return (0); 1984 } 1985 mods[nm]->mod_bvalues[j]->bv_len = 1986 rv->attrVal[i].val[j].length; 1987 memcpy(mods[nm]->mod_bvalues[j]->bv_val, 1988 rv->attrVal[i].val[j].value, 1989 mods[nm]->mod_bvalues[j]->bv_len); 1990 } 1991 } 1992 nm++; 1993 } 1994 1995 return (mods); 1996 } 1997 1998 /* 1999 * Remove 'value' from 'val'. If value==0, remove the entire 2000 * __nis_single_value_t array from 'val'. 2001 */ 2002 static void 2003 removeSingleValue(__nis_value_t *val, void *value, int length) { 2004 int i; 2005 2006 if (val == 0) 2007 return; 2008 2009 if (value == 0) { 2010 for (i = 0; i < val->numVals; i++) { 2011 sfree(val->val[i].value); 2012 } 2013 sfree(val->val); 2014 val->val = 0; 2015 val->numVals = 0; 2016 return; 2017 } 2018 2019 for (i = 0; i < val->numVals; i++) { 2020 if (val->val[i].value == 0 || (val->val[i].length != length)) 2021 continue; 2022 if (memcmp(val->val[i].value, value, length) != 0) 2023 continue; 2024 sfree(val->val[i].value); 2025 if (i != (val->numVals - 1)) { 2026 (void) memmove(&val->val[i], &val->val[i+1], 2027 (val->numVals - 1 - i) * sizeof (val->val[0])); 2028 } 2029 val->numVals -= 1; 2030 break; 2031 } 2032 } 2033 2034 /* 2035 * Helper function for LdapModify 2036 * When a modify operation fails with an object class violation, 2037 * the most probable reason is that the attributes we're modifying are new, 2038 * and the needed object class are not present. So, try the modify again, 2039 * but add the object classes this time. 2040 */ 2041 2042 static int 2043 ldapModifyObjectClass(__nis_ldap_conn_t **lc, char *dn, 2044 __nis_rule_value_t *rvIn, char *objClassAttrs) 2045 { 2046 LDAPMod **mods = 0; 2047 int msgid; 2048 int lderr; 2049 struct timeval tv; 2050 int stat; 2051 LDAPMessage *msg = 0; 2052 char **referralsp = NULL; 2053 __nis_rule_value_t *rv, *rvldap; 2054 __nis_ldap_search_t *ls; 2055 int i, ocrv, ocrvldap, nv; 2056 char *oc[2] = { "objectClass", 0}; 2057 char *myself = "ldapModifyObjectClass"; 2058 2059 rv = initRuleValue(1, rvIn); 2060 if (rv == 0) 2061 return (LDAP_NO_MEMORY); 2062 2063 delAttrFromRuleValue(rv, "objectClass"); 2064 rv = addObjectClasses(rv, objClassAttrs); 2065 if (rv == 0) { 2066 stat = LDAP_OPERATIONS_ERROR; 2067 logmsg(MSG_NOTIMECHECK, LOG_WARNING, 2068 "%s: addObjectClasses failed for %s", 2069 myself, NIL(dn)); 2070 goto cleanup; 2071 } 2072 2073 /* 2074 * Before adding the object classes whole-sale, try retrieving 2075 * the entry specified by the 'dn'. If it exists, we filter out 2076 * those object classes that already are present in LDAP from our 2077 * update. 2078 */ 2079 ls = buildLdapSearch(dn, LDAP_SCOPE_BASE, 0, 0, "objectClass=*", 2080 oc, 0, 1); 2081 if (ls == 0) { 2082 logmsg(MSG_NOTIMECHECK, LOG_INFO, 2083 "%s: Unable to build DN search for \"%s\"", 2084 myself, NIL(dn)); 2085 /* Fall through to try just adding the object classes */ 2086 goto addObjectClasses; 2087 } 2088 2089 nv = 0; 2090 rvldap = ldapSearch(ls, &nv, 0, &lderr); 2091 freeLdapSearch(ls); 2092 if (rvldap == 0) { 2093 logmsg(MSG_NOTIMECHECK, LOG_INFO, 2094 "%s: No data for DN search (\"%s\"); LDAP status %d", 2095 myself, NIL(dn), lderr); 2096 /* Fall through to try just adding the object classes */ 2097 goto addObjectClasses; 2098 } 2099 2100 /* 2101 * Find the indices of the 'objectClass' attribute 2102 * in 'rvldap' and 'rv'. 2103 */ 2104 for (i = 0, ocrvldap = -1; i < rvldap->numAttrs; i++) { 2105 if (rvldap->attrName[i] != 0 && 2106 strcasecmp("objectClass", rvldap->attrName[i]) == 0) { 2107 ocrvldap = i; 2108 break; 2109 } 2110 } 2111 for (i = 0, ocrv = -1; i < rv->numAttrs; i++) { 2112 if (rv->attrName[i] != 0 && 2113 strcasecmp("objectClass", rv->attrName[i]) == 0) { 2114 ocrv = i; 2115 break; 2116 } 2117 } 2118 2119 /* 2120 * Remove those object classes that already exist 2121 * in LDAP (i.e., in 'rvldap') from 'rv'. 2122 */ 2123 if (ocrv >= 0 && ocrvldap >= 0) { 2124 for (i = 0; i < rvldap->attrVal[ocrvldap].numVals; i++) { 2125 removeSingleValue(&rv->attrVal[ocrv], 2126 rvldap->attrVal[ocrvldap].val[i].value, 2127 rvldap->attrVal[ocrvldap].val[i].length); 2128 } 2129 /* 2130 * If no 'objectClass' values left in 'rv', delete 2131 * 'objectClass' from 'rv'. 2132 */ 2133 if (rv->attrVal[ocrv].numVals == 0) 2134 delAttrFromRuleValue(rv, "objectClass"); 2135 } 2136 2137 /* 2138 * 'rv' now contains the update we want to make, with just the 2139 * object class(es) that need to be added. Fall through to the 2140 * actual LDAP modify operation. 2141 */ 2142 freeRuleValue(rvldap, 1); 2143 2144 addObjectClasses: 2145 2146 mods = search2LdapMod(rv, 0, 1); 2147 if (mods == 0) { 2148 stat = LDAP_OPERATIONS_ERROR; 2149 logmsg(MSG_NOTIMECHECK, LOG_WARNING, 2150 "%s: Unable to create LDAP modify changes with object classes for %s", 2151 myself, NIL(dn)); 2152 goto cleanup; 2153 } 2154 msgid = ldap_modify((*lc)->ld, dn, mods); 2155 if (msgid != -1) { 2156 tv = (*lc)->modifyTimeout; 2157 stat = ldap_result((*lc)->ld, msgid, 0, &tv, &msg); 2158 if (stat == 0) { 2159 stat = LDAP_TIMEOUT; 2160 } else if (stat == -1) { 2161 (void) ldap_get_option((*lc)->ld, 2162 LDAP_OPT_ERROR_NUMBER, &stat); 2163 } else { 2164 stat = ldap_parse_result((*lc)->ld, msg, &lderr, NULL, 2165 NULL, &referralsp, NULL, 0); 2166 if (stat == LDAP_SUCCESS) 2167 stat = lderr; 2168 stat = ldap_result2error((*lc)->ld, msg, 0); 2169 } 2170 } else { 2171 (void) ldap_get_option((*lc)->ld, LDAP_OPT_ERROR_NUMBER, 2172 &stat); 2173 } 2174 if (proxyInfo.follow_referral == follow && 2175 stat == LDAP_REFERRAL && referralsp != NULL) { 2176 releaseCon(*lc, stat); 2177 if (msg != NULL) 2178 (void) ldap_msgfree(msg); 2179 msg = NULL; 2180 *lc = findReferralCon(referralsp, &stat); 2181 ldap_value_free(referralsp); 2182 referralsp = NULL; 2183 if (*lc == NULL) 2184 goto cleanup; 2185 msgid = ldap_modify((*lc)->ld, dn, mods); 2186 if (msgid == -1) { 2187 (void) ldap_get_option((*lc)->ld, 2188 LDAP_OPT_ERROR_NUMBER, &stat); 2189 goto cleanup; 2190 } 2191 stat = ldap_result((*lc)->ld, msgid, 0, &tv, &msg); 2192 if (stat == 0) { 2193 stat = LDAP_TIMEOUT; 2194 } else if (stat == -1) { 2195 (void) ldap_get_option((*lc)->ld, 2196 LDAP_OPT_ERROR_NUMBER, &stat); 2197 } else { 2198 stat = ldap_parse_result((*lc)->ld, msg, &lderr, 2199 NULL, NULL, NULL, NULL, 0); 2200 if (stat == LDAP_SUCCESS) 2201 stat = lderr; 2202 } 2203 } 2204 cleanup: 2205 if (mods != 0) 2206 freeLdapMod(mods); 2207 freeRuleValue(rv, 1); 2208 return (stat); 2209 } 2210 2211 /* 2212 * Modify the specified 'dn' per the attribute names/values in 'rv'. 2213 * If 'rv' is NULL, we attempt to delete the entire entry. 2214 * 2215 * The 'objClassAttrs' parameter is needed if the entry must be added 2216 * (i.e., created), or a modify fails with an object class violation. 2217 * 2218 * If 'addFirst' is set, we try an add before a modify; modify before 2219 * add otherwise (ignored if we're deleting). 2220 */ 2221 int 2222 ldapModify(char *dn, __nis_rule_value_t *rv, char *objClassAttrs, 2223 int addFirst) { 2224 int stat, add = 0; 2225 LDAPMod **mods = 0; 2226 __nis_ldap_conn_t *lc; 2227 struct timeval tv; 2228 LDAPMessage *msg = 0; 2229 int msgid; 2230 int lderr; 2231 char **referralsp = NULL; 2232 bool_t delete = FALSE; 2233 2234 if (dn == 0) 2235 return (LDAP_PARAM_ERROR); 2236 2237 if ((lc = findCon(&stat)) == 0) 2238 return (stat); 2239 2240 if (rv == 0) { 2241 delete = TRUE; 2242 /* Simple case: if rv == 0, try to delete the entire entry */ 2243 msgid = ldap_delete(lc->ld, dn); 2244 if (msgid == -1) { 2245 (void) ldap_get_option(lc->ld, LDAP_OPT_ERROR_NUMBER, 2246 &stat); 2247 goto cleanup; 2248 } 2249 tv = lc->deleteTimeout; 2250 stat = ldap_result(lc->ld, msgid, 0, &tv, &msg); 2251 2252 if (stat == 0) { 2253 stat = LDAP_TIMEOUT; 2254 } else if (stat == -1) { 2255 (void) ldap_get_option(lc->ld, LDAP_OPT_ERROR_NUMBER, 2256 &stat); 2257 } else { 2258 stat = ldap_parse_result(lc->ld, msg, &lderr, NULL, 2259 NULL, &referralsp, NULL, 0); 2260 if (stat == LDAP_SUCCESS) 2261 stat = lderr; 2262 } 2263 if (proxyInfo.follow_referral == follow && 2264 stat == LDAP_REFERRAL && referralsp != NULL) { 2265 releaseCon(lc, stat); 2266 if (msg != NULL) 2267 (void) ldap_msgfree(msg); 2268 msg = NULL; 2269 lc = findReferralCon(referralsp, &stat); 2270 ldap_value_free(referralsp); 2271 if (lc == NULL) 2272 goto cleanup; 2273 msgid = ldap_delete(lc->ld, dn); 2274 if (msgid == -1) { 2275 (void) ldap_get_option(lc->ld, 2276 LDAP_OPT_ERROR_NUMBER, &stat); 2277 goto cleanup; 2278 } 2279 stat = ldap_result(lc->ld, msgid, 0, &tv, &msg); 2280 if (stat == 0) { 2281 stat = LDAP_TIMEOUT; 2282 } else if (stat == -1) { 2283 (void) ldap_get_option(lc->ld, 2284 LDAP_OPT_ERROR_NUMBER, &stat); 2285 } else { 2286 stat = ldap_parse_result(lc->ld, msg, &lderr, 2287 NULL, NULL, NULL, NULL, 0); 2288 if (stat == LDAP_SUCCESS) 2289 stat = lderr; 2290 } 2291 } 2292 /* No such object means someone else has done our job */ 2293 if (stat == LDAP_NO_SUCH_OBJECT) 2294 stat = LDAP_SUCCESS; 2295 } else { 2296 if (addFirst) { 2297 stat = ldapAdd(dn, rv, objClassAttrs, lc); 2298 lc = NULL; 2299 if (stat != LDAP_ALREADY_EXISTS) 2300 goto cleanup; 2301 if ((lc = findCon(&stat)) == 0) 2302 return (stat); 2303 } 2304 2305 /* 2306 * First try the modify without specifying object classes 2307 * (i.e., assume they're already present). 2308 */ 2309 mods = search2LdapMod(rv, 0, 0); 2310 if (mods == 0) { 2311 stat = LDAP_PARAM_ERROR; 2312 goto cleanup; 2313 } 2314 2315 msgid = ldap_modify(lc->ld, dn, mods); 2316 if (msgid == -1) { 2317 (void) ldap_get_option(lc->ld, LDAP_OPT_ERROR_NUMBER, 2318 &stat); 2319 goto cleanup; 2320 } 2321 tv = lc->modifyTimeout; 2322 stat = ldap_result(lc->ld, msgid, 0, &tv, &msg); 2323 if (stat == 0) { 2324 stat = LDAP_TIMEOUT; 2325 } else if (stat == -1) { 2326 (void) ldap_get_option(lc->ld, LDAP_OPT_ERROR_NUMBER, 2327 &stat); 2328 } else { 2329 stat = ldap_parse_result(lc->ld, msg, &lderr, NULL, 2330 NULL, &referralsp, NULL, 0); 2331 if (stat == LDAP_SUCCESS) 2332 stat = lderr; 2333 } 2334 if (proxyInfo.follow_referral == follow && 2335 stat == LDAP_REFERRAL && referralsp != NULL) { 2336 releaseCon(lc, stat); 2337 if (msg != NULL) 2338 (void) ldap_msgfree(msg); 2339 msg = NULL; 2340 lc = findReferralCon(referralsp, &stat); 2341 ldap_value_free(referralsp); 2342 referralsp = NULL; 2343 if (lc == NULL) 2344 goto cleanup; 2345 msgid = ldap_modify(lc->ld, dn, mods); 2346 if (msgid == -1) { 2347 (void) ldap_get_option(lc->ld, 2348 LDAP_OPT_ERROR_NUMBER, &stat); 2349 goto cleanup; 2350 } 2351 stat = ldap_result(lc->ld, msgid, 0, &tv, &msg); 2352 if (stat == 0) { 2353 stat = LDAP_TIMEOUT; 2354 } else if (stat == -1) { 2355 (void) ldap_get_option(lc->ld, 2356 LDAP_OPT_ERROR_NUMBER, &stat); 2357 } else { 2358 stat = ldap_parse_result(lc->ld, msg, &lderr, 2359 NULL, NULL, NULL, NULL, 0); 2360 if (stat == LDAP_SUCCESS) 2361 stat = lderr; 2362 } 2363 } 2364 2365 /* 2366 * If the modify failed with an object class violation, 2367 * the most probable reason is that at least on of the 2368 * attributes we're modifying didn't exist before, and 2369 * neither did its object class. So, try the modify again, 2370 * but add the object classes this time. 2371 */ 2372 if (stat == LDAP_OBJECT_CLASS_VIOLATION && 2373 objClassAttrs != 0) { 2374 freeLdapMod(mods); 2375 mods = 0; 2376 stat = ldapModifyObjectClass(&lc, dn, rv, 2377 objClassAttrs); 2378 } 2379 2380 if (stat == LDAP_NO_SUCH_ATTRIBUTE) { 2381 /* 2382 * If there was at least one attribute delete, then 2383 * the cause of this error could be that said attribute 2384 * didn't exist in LDAP. So, do things the slow way, 2385 * and try to delete one attribute at a time. 2386 */ 2387 int d, numDelete, st; 2388 __nis_rule_value_t *rvt; 2389 2390 for (d = 0, numDelete = 0; d < rv->numAttrs; d++) { 2391 if (rv->attrVal[d].numVals < 0) 2392 numDelete++; 2393 } 2394 2395 /* If there's just one, we've already tried */ 2396 if (numDelete <= 1) 2397 goto cleanup; 2398 2399 /* Make a copy of the rule value */ 2400 rvt = initRuleValue(1, rv); 2401 if (rvt == 0) 2402 goto cleanup; 2403 2404 /* 2405 * Remove all delete attributes from the tmp 2406 * rule value. 2407 */ 2408 for (d = 0; d < rv->numAttrs; d++) { 2409 if (rv->attrVal[d].numVals < 0) { 2410 delAttrFromRuleValue(rvt, 2411 rv->attrName[d]); 2412 } 2413 } 2414 2415 /* 2416 * Now put the attributes back in one by one, and 2417 * invoke ourselves. 2418 */ 2419 for (d = 0; d < rv->numAttrs; d++) { 2420 if (rv->attrVal[d].numVals >= 0) 2421 continue; 2422 st = addAttr2RuleValue(rv->attrVal[d].type, 2423 rv->attrName[d], 0, 0, rvt); 2424 if (st != 0) { 2425 logmsg(MSG_NOMEM, LOG_ERR, 2426 "%s: Error deleting \"%s\" for \"%s\"", 2427 NIL(rv->attrName[d]), NIL(dn)); 2428 stat = LDAP_NO_MEMORY; 2429 freeRuleValue(rvt, 1); 2430 goto cleanup; 2431 } 2432 stat = ldapModify(dn, rvt, objClassAttrs, 0); 2433 if (stat != LDAP_SUCCESS && 2434 stat != LDAP_NO_SUCH_ATTRIBUTE) { 2435 freeRuleValue(rvt, 1); 2436 goto cleanup; 2437 } 2438 delAttrFromRuleValue(rvt, rv->attrName[d]); 2439 } 2440 2441 /* 2442 * If we got here, then all attributes that should 2443 * be deleted either have been, or didn't exist. For 2444 * our purposes, the latter is as good as the former. 2445 */ 2446 stat = LDAP_SUCCESS; 2447 freeRuleValue(rvt, 1); 2448 } 2449 2450 if (stat == LDAP_NO_SUCH_OBJECT && !addFirst) { 2451 /* 2452 * Entry doesn't exist, so try an ldap_add(). If the 2453 * ldap_add() also fails, that could be because someone 2454 * else added it between our modify and add operations. 2455 * If so, we consider that foreign add to be 2456 * authoritative (meaning we don't retry our modify). 2457 * 2458 * Also, if all modify operations specified by 'mods' 2459 * are deletes, LDAP_NO_SUCH_OBJECT is a kind of 2460 * success; we certainly don't want to create the 2461 * entry. 2462 */ 2463 int allDelete; 2464 LDAPMod **m; 2465 2466 for (m = mods, allDelete = 1; *m != 0 && allDelete; 2467 m++) { 2468 if (((*m)->mod_op & LDAP_MOD_DELETE) == 0) 2469 allDelete = 0; 2470 } 2471 2472 add = 1; 2473 2474 if (allDelete) { 2475 stat = LDAP_SUCCESS; 2476 } else if (objClassAttrs == 0) { 2477 /* Now we need it, so this is fatal */ 2478 stat = LDAP_PARAM_ERROR; 2479 } else { 2480 stat = ldapAdd(dn, rv, objClassAttrs, lc); 2481 lc = NULL; 2482 } 2483 } 2484 } 2485 2486 cleanup: 2487 if (stat != LDAP_SUCCESS) { 2488 logmsg(MSG_NOTIMECHECK, LOG_INFO, 2489 "%s(0x%x (%s), \"%s\") => %d (%s)\n", 2490 !delete ? (add ? "ldap_add" : "ldap_modify") : 2491 "ldap_delete", 2492 lc != NULL ? lc->ld : 0, 2493 lc != NULL ? NIL(lc->sp) : "nil", 2494 dn, stat, ldap_err2string(stat)); 2495 } 2496 2497 releaseCon(lc, stat); 2498 freeLdapMod(mods); 2499 if (msg != 0) 2500 (void) ldap_msgfree(msg); 2501 2502 return (stat); 2503 } 2504 2505 /* 2506 * Create the entry specified by 'dn' to have the values per 'rv'. 2507 * The 'objClassAttrs' are the extra object classes we need when 2508 * creating an entry. 2509 * 2510 * If 'lc' is non-NULL, we use that connection; otherwise, we find 2511 * our own. CAUTION: This connection will be released on return. Regardless 2512 * of return value, this connection should not subsequently used by the 2513 * caller. 2514 * 2515 * Returns an LDAP status. 2516 */ 2517 int 2518 ldapAdd(char *dn, __nis_rule_value_t *rv, char *objClassAttrs, void *lcv) { 2519 int stat; 2520 LDAPMod **mods = 0; 2521 struct timeval tv; 2522 LDAPMessage *msg = 0; 2523 __nis_ldap_conn_t *lc = lcv; 2524 int msgid; 2525 int lderr; 2526 char **referralsp = NULL; 2527 2528 if (dn == 0 || rv == 0 || objClassAttrs == 0) { 2529 releaseCon(lc, LDAP_SUCCESS); 2530 return (LDAP_PARAM_ERROR); 2531 } 2532 2533 if (lc == 0) { 2534 if ((lc = findCon(&stat)) == 0) 2535 return (stat); 2536 } 2537 2538 rv = addObjectClasses(rv, objClassAttrs); 2539 if (rv == 0) { 2540 stat = LDAP_OPERATIONS_ERROR; 2541 goto cleanup; 2542 } 2543 2544 mods = search2LdapMod(rv, 1, 0); 2545 if (mods == 0) { 2546 stat = LDAP_OPERATIONS_ERROR; 2547 goto cleanup; 2548 } 2549 2550 msgid = ldap_add(lc->ld, dn, mods); 2551 if (msgid == -1) { 2552 (void) ldap_get_option(lc->ld, LDAP_OPT_ERROR_NUMBER, &stat); 2553 goto cleanup; 2554 } 2555 tv = lc->addTimeout; 2556 stat = ldap_result(lc->ld, msgid, 0, &tv, &msg); 2557 if (stat == 0) { 2558 stat = LDAP_TIMEOUT; 2559 } else if (stat == -1) { 2560 (void) ldap_get_option(lc->ld, LDAP_OPT_ERROR_NUMBER, &stat); 2561 } else { 2562 stat = ldap_parse_result(lc->ld, msg, &lderr, NULL, NULL, 2563 &referralsp, NULL, 0); 2564 if (stat == LDAP_SUCCESS) 2565 stat = lderr; 2566 } 2567 if (proxyInfo.follow_referral == follow && stat == LDAP_REFERRAL && 2568 referralsp != NULL) { 2569 releaseCon(lc, stat); 2570 if (msg != NULL) 2571 (void) ldap_msgfree(msg); 2572 msg = NULL; 2573 lc = findReferralCon(referralsp, &stat); 2574 ldap_value_free(referralsp); 2575 if (lc == NULL) 2576 goto cleanup; 2577 msgid = ldap_add(lc->ld, dn, mods); 2578 if (msgid == -1) { 2579 (void) ldap_get_option(lc->ld, 2580 LDAP_OPT_ERROR_NUMBER, &stat); 2581 goto cleanup; 2582 } 2583 stat = ldap_result(lc->ld, msgid, 0, &tv, &msg); 2584 if (stat == 0) { 2585 stat = LDAP_TIMEOUT; 2586 } else if (stat == -1) { 2587 (void) ldap_get_option(lc->ld, LDAP_OPT_ERROR_NUMBER, 2588 &stat); 2589 } else { 2590 stat = ldap_parse_result(lc->ld, msg, &lderr, NULL, 2591 NULL, NULL, NULL, 0); 2592 if (stat == LDAP_SUCCESS) 2593 stat = lderr; 2594 } 2595 } 2596 2597 cleanup: 2598 if (stat != LDAP_SUCCESS) { 2599 logmsg(MSG_NOTIMECHECK, LOG_INFO, 2600 "ldap_add(0x%x (%s), \"%s\") => %d (%s)\n", 2601 lc != NULL ? lc->ld : 0, 2602 lc != NULL ? NIL(lc->sp) : "nil", 2603 dn, stat, ldap_err2string(stat)); 2604 } 2605 2606 releaseCon(lc, stat); 2607 freeLdapMod(mods); 2608 if (msg != 0) 2609 (void) ldap_msgfree(msg); 2610 2611 return (stat); 2612 } 2613 2614 /* 2615 * Change the entry at 'oldDn' to have the new DN (not RDN) 'dn'. 2616 * Returns an LDAP error status. 2617 */ 2618 int 2619 ldapChangeDN(char *oldDn, char *dn) { 2620 int stat; 2621 __nis_ldap_conn_t *lc; 2622 int i, j, lo, ln; 2623 char *rdn; 2624 int msgid; 2625 int lderr; 2626 struct timeval tv; 2627 LDAPMessage *msg = 0; 2628 char **referralsp = NULL; 2629 char *myself = "ldapChangeDN"; 2630 2631 if ((lo = slen(oldDn)) <= 0 || (ln = slen(dn)) <= 0) 2632 return (LDAP_PARAM_ERROR); 2633 2634 if (strcasecmp(oldDn, dn) == 0) 2635 return (LDAP_SUCCESS); 2636 2637 if ((lc = findCon(&stat)) == 0) 2638 return (stat); 2639 2640 rdn = sdup(myself, T, dn); 2641 if (rdn == 0) { 2642 releaseCon(lc, LDAP_SUCCESS); 2643 return (LDAP_NO_MEMORY); 2644 } 2645 2646 /* Compare old and new DN from the end */ 2647 for (i = lo-1, j = ln-1; i >= 0 && j >= 0; i--, j--) { 2648 if (tolower(oldDn[i]) != tolower(rdn[j])) { 2649 /* 2650 * Terminate 'rdn' after this character in order 2651 * to snip off the portion of the new DN that is 2652 * the same as the old DN. What remains in 'rdn' 2653 * is the relative DN. 2654 */ 2655 rdn[j+1] = '\0'; 2656 break; 2657 } 2658 } 2659 2660 stat = ldap_rename(lc->ld, oldDn, rdn, NULL, 1, NULL, NULL, &msgid); 2661 2662 if (msgid != -1) { 2663 tv = lc->modifyTimeout; 2664 stat = ldap_result(lc->ld, msgid, 0, &tv, &msg); 2665 if (stat == 0) { 2666 stat = LDAP_TIMEOUT; 2667 } else if (stat == -1) { 2668 (void) ldap_get_option(lc->ld, 2669 LDAP_OPT_ERROR_NUMBER, &stat); 2670 } else { 2671 stat = ldap_parse_result(lc->ld, msg, &lderr, NULL, 2672 NULL, &referralsp, NULL, 0); 2673 if (stat == LDAP_SUCCESS) 2674 stat = lderr; 2675 stat = ldap_result2error(lc->ld, msg, 0); 2676 } 2677 } else { 2678 (void) ldap_get_option(lc->ld, LDAP_OPT_ERROR_NUMBER, 2679 &stat); 2680 } 2681 if (proxyInfo.follow_referral == follow && 2682 stat == LDAP_REFERRAL && referralsp != NULL) { 2683 releaseCon(lc, stat); 2684 if (msg != NULL) 2685 (void) ldap_msgfree(msg); 2686 msg = NULL; 2687 lc = findReferralCon(referralsp, &stat); 2688 ldap_value_free(referralsp); 2689 referralsp = NULL; 2690 if (lc == NULL) 2691 goto cleanup; 2692 msgid = ldap_rename(lc->ld, oldDn, rdn, NULL, 1, NULL, NULL, 2693 &msgid); 2694 if (msgid == -1) { 2695 (void) ldap_get_option(lc->ld, 2696 LDAP_OPT_ERROR_NUMBER, &stat); 2697 goto cleanup; 2698 } 2699 stat = ldap_result(lc->ld, msgid, 0, &tv, &msg); 2700 if (stat == 0) { 2701 stat = LDAP_TIMEOUT; 2702 } else if (stat == -1) { 2703 (void) ldap_get_option(lc->ld, 2704 LDAP_OPT_ERROR_NUMBER, &stat); 2705 } else { 2706 stat = ldap_parse_result(lc->ld, msg, &lderr, 2707 NULL, NULL, NULL, NULL, 0); 2708 if (stat == LDAP_SUCCESS) 2709 stat = lderr; 2710 } 2711 } 2712 2713 cleanup: 2714 if (msg != NULL) 2715 (void) ldap_msgfree(msg); 2716 2717 #if 1 2718 fprintf(stderr, "%s: ldap_modrdn_s(0x%x, %s, %s, 1) => %s\n", 2719 myself, lc == NULL ? 0: lc->ld, NIL(oldDn), NIL(rdn), 2720 ldap_err2string(stat)); 2721 logmsg(MSG_NOTIMECHECK, LOG_WARNING, 2722 "%s: ldap_modrdn_s(0x%x, %s, %s, 1) => %s", 2723 myself, lc == NULL ? 0: lc->ld, NIL(oldDn), NIL(rdn), 2724 ldap_err2string(stat)); 2725 #endif 2726 2727 if (stat == LDAP_NO_SUCH_OBJECT) { 2728 /* 2729 * Fine from our point of view, since all we want to do 2730 * is to make sure that an update to the new DN doesn't 2731 * leave the old entry around. 2732 */ 2733 stat = LDAP_SUCCESS; 2734 } 2735 2736 releaseCon(lc, stat); 2737 sfree(rdn); 2738 2739 return (stat); 2740 } 2741